
BUDAPEST UNIVERSITY OF TECHNOLOGY AND ECONOMICS, DEPARTMENT OF MEASUREMENT AND INFORMATION SYSTEMS

TRAJECTORY SET APPROXIMATION FOR OPTIMIZATION AND VERIFICATION OF IT SYSTEMS

PHD THESIS

SZILVIA VARRÓ-GYAPAY

ADVISOR: PROF. ANDRÁS PATARICZA, DSC

BUDAPEST, SEPTEMBER, 2014.


Declaration of independent work and of the use of references

I, the undersigned Szilvia Varró-Gyapay, declare that I have prepared this doctoral dissertation myself and have used only the sources given in it. Every part that I have taken from another source, either word for word or with the same content in rephrased form, I have marked unambiguously by giving the source.

Declaration of own work and references

I, Szilvia Varró-Gyapay, hereby declare that this thesis, and all results claimed therein, are my own work and rely solely on the references given. All segments taken word-by-word, or in the same meaning, from others have been clearly marked as citations and included in the references.

Budapest, 2014. 09. 12.

Varró-Gyapay Szilvia


Acknowledgement

I am very much grateful to my supervisor Professor András Pataricza for his support, ideas, and help during my PhD studies and later on. I am also very grateful to all of my colleagues and earlier supervisors at TU Budapest, TU Berlin, University of Paderborn and ELTE for their valuable help and comments on my work, especially to Reiko Heckel, who was the supervisor of my master thesis.

I would like to thank my husband for his continuous support both in the professional activities and in the management of our family. I thank my parents, my parents-in-law and my children for their tolerance and help during the writing of my dissertation. I would like to thank all the people around me for their continuous encouragement to write this thesis.

My work was supported by the OTKA T038027 Hungarian National Research Foundation Grant, the SEGRAVIS European Research Training Network, and the DECOS (IST-511764, FP6) and SENSORIA (IST-3-016004, FP6) European research projects.


Summary

With the continuous increase of IT systems both in size and complexity, their quality of service becomes an issue in different application fields. For business critical systems that control the infrastructure of an international company with world-wide locations, a service failure may cause serious financial losses, while for safety critical systems like automotive or avionics, a failure in the delivery of a service may result in critical damages or even casualties.

In order to deliver a high quality of service, a system has to fulfill several functional, extra-functional and optimality requirements. A functionally correct service calculates its output for any input exactly as prescribed by its specification. Furthermore, service delivery needs to be completed within certain deadlines with high reliability and availability. Finally, if there are multiple design variants for delivering a service, one needs to select the cheapest option or the one which guarantees the shortest time to market.

The fulfillment of these requirements can frequently be expressed as a reachability problem with quantitative or qualitative measurements, which is called an optimal trajectory problem: find an optimal path (if one exists) starting from an initial state to a target state that satisfies all the given requirements. Such a problem can be solved by using verification and validation (V&V) methods to assure the correctness of a system model, and optimization methods to provide the efficient operation of the system. However, it is a challenging question how to combine the best practices of the two fields.

The objective of the research presented in this thesis is to propose (i) mathematical models in which the optimal trajectory problem can be formally expressed and (ii) strategies and algorithms to solve the optimal trajectory problem by combining verification and optimization techniques. Due to their modeling expressiveness and rich mathematical background, I use an extension of Petri nets and graph transformation systems as the target mathematical platform in my thesis.

The thesis focuses on the solution of the cost- and time-optimal trajectory problems in Petri nets and graph transformation systems. I gave two solutions for the Petri net cost-optimal trajectory (OT) problem. (1) One is based on the ILP abstraction of the Petri net optimal trajectory problem, which is solved using Process Network Synthesis algorithms. Since the solution of the ILP problem may not be fireable in the Petri net, it is called a candidate Parikh vector, and its feasibility is checked in two subsequent steps using the reachability function of the Petri net and the model checker SPIN, respectively. If either check fails, the next best solution of the ILP problem is delivered and checked again, until either a solution is found or no solution remains. (2) The other algorithm directly encodes the optimal trajectory problem into the SPIN model checker, with on-the-fly optimization during verification, by embedding the optimality criterion into the linear temporal logic formula of the verification condition.

I gave two solutions for the time-optimal trajectory problem. (1) The first one is based on an ILP model of the Petri net that (i) represents the token change in the places at some time instants and (ii) encodes the enabledness condition of the transitions at these time instants. (2) The second solution is a direct method for the time-optimal trajectory problem using the SPIN model checker.

Based on the strong correspondence between Petri nets and graph transformation systems (GTS), I generalized the optimal trajectory problems of Petri nets to graph transformation systems with cost and time. I introduced both cost and time into graph transformation systems as the cost and duration of a rule application, and I defined formal semantics for evaluating graph transformation rules with cost and time. Then the optimal trajectory problem in GTSs is solved using the Petri net based solutions: (1) the GTS and the optimal trajectory problem are transformed into a cardinality Petri net and a corresponding optimal trajectory problem, (2) the Petri net optimal trajectory problem is solved, (3) the result is back-annotated into the GTS and (4) the trajectory is generated in the GTS if it exists. If not, the next best solution of the Petri net optimal trajectory problem is generated and checked, until a solution is found.

The main advantage of the solutions is that Petri nets and graph transformation systems can be generated automatically from high-level modeling languages (like UML or BPMN); thus the introduced solutions can be used in the simultaneous optimization and verification of models written in high-level modeling languages.


Summary (Hungarian abstract)

Nowadays, with the growing complexity of information systems, ensuring a high quality of service for these systems has increasingly come to the fore. For safety-critical systems such as automotive or avionics software, assuring the quality of service is indispensable, since even a small fault can cause enormous damage both to the system and to human life. In the business domain, the aim of quality-of-service assurance at large international companies is to avoid the loss of a service or the failure of the system, as a consequence of which the companies would have to reckon with financial losses.

For a system to be able to deliver a service of adequate quality, it has to meet various requirements, which may be functional, extra-functional or optimization requirements. A functionally correct service, for example, has to produce the output prescribed by the specification from the given input, and has to keep the deadlines set for delivering the service with high reliability and availability. At the same time, it is expected that the service is delivered optimally, which may mean either a cost-efficient solution or completion in the shortest possible time. The joint satisfaction of these requirements can frequently be described as a reachability problem, which we may call an optimal trajectory problem: starting from a given initial state, we look for an optimal path that satisfies the requirements imposed on the system. Typical examples are production systems and business processes, where a central problem is to work out a solution that is optimal in terms of cost or time. Combining formal analysis and optimization methods can provide an answer to this challenge.

The goal of my research was (i) to give mathematical models in which the optimal trajectory problem can be described formally, and (ii) to develop strategies and algorithms for solving the optimal trajectory problem by combining verification and optimization methods.

The present dissertation deals with Petri nets and graph transformation systems extended with cost and with time. I gave two solutions for the cost-optimal trajectory problem of Petri nets. (1) The first solution solves the ILP abstraction of the Petri net optimal trajectory problem with the help of PNS algorithms. The resulting firing count vector (Parikh vector) solution, however, is not executable in every case, so I check its feasibility in two steps. In the first phase I examine the reachability of the state derived from the Parikh vector with the so-called reachability function. The reachability check is followed by the fireability check, which at the same time also produces the optimal trajectory with the help of the SPIN model checker. If either check gives a negative answer, the next best Parikh vector solution of the ILP problem is generated and the checks are performed on it, until a solution is found. (2) The other algorithm uses the SPIN model checker tool to generate the solution of the optimal trajectory problem directly with the model checker. The advantage of this approach is that the optimality condition, embedded in the linear temporal logic expression to be checked, changes dynamically during the traversal of the state space of the Petri net, i.e. the quantitative criterion is also taken into account during model checking.

I gave two solutions for finding trajectories of minimal duration. In the first solution the ILP problem (i) describes the token flow in the individual places per time unit within a time horizon, and (ii) also encodes the firing condition of the transitions into the ILP problem. With this solution, the solution of the ILP problem at the same time determines a fireable solution. The second solution uses the SPIN model checker to generate the optimal trajectory by embedding the quantitative criterion into an LTL expression.

The optimal trajectory problems of graph transformation (GT) systems can be reduced to the solution of the Petri net optimal trajectory problems: based on the correspondence between GT systems and the so-called cardinality Petri net, I transform the GT system into a Petri net, on which I perform the optimization in the way presented above, and then I project its result back into the original GT system, where it can be used to guide the traversal of the state space of the GT system.

Since numerous automatic transformations from high-level modeling languages (such as UML or BPMN) to Petri nets exist in the literature, an optimal trajectory problem defined in a high-level modeling language can be transformed with these transformations into a Petri net optimal trajectory problem, and the optimal trajectory obtained there can be projected back into the original model.


Contents

1 Introduction ... 3
1.1 Simultaneous Verification and Optimization of System Models ... 3
1.1.1 Critical systems design ... 3
1.1.2 Model driven engineering of critical systems ... 3
1.1.3 Formal methods ... 4
1.1.4 Optimization techniques ... 5
1.2 The Optimal Trajectory Problem ... 6
1.2.1 Objectives of the thesis ... 7
1.2.2 Cost-optimal trajectory for Petri nets ... 8
1.2.3 Time-optimal trajectory of Petri nets ... 8
1.2.4 Optimal trajectory problem in graph transformation systems ... 8
1.3 The Structure of the Thesis ... 9

2 Petri Nets ... 11
2.1 Place/Transition Nets ... 11
2.1.1 Reachability and coverability in Petri nets ... 13
2.1.2 State equation and state inequality ... 16
2.2 Petri Net Extensions and Reduction Rules ... 17
2.3 Petri Net Extensions ... 19
2.3.1 Timed Petri nets ... 19
2.3.2 Continuous token flow ... 19
2.4 Optimal Firing Sequences in Petri Nets ... 20
2.4.1 Petri nets with cost ... 20
2.4.2 Petri nets with duration ... 22

3 Process Network Synthesis ... 23
3.1 Process Network Synthesis Problems ... 23
3.1.1 Process Network Synthesis problem definition ... 24
3.1.2 Maximal Structure Generation algorithm ... 26
3.1.3 Decision mappings ... 27
3.1.4 Solution Structure Generation algorithm ... 29
3.1.5 Combinatorially Accelerated Branch and Bound algorithm ... 30

4 System Modeling with Graph Transformation Systems ... 33
4.1 Graphs and Typed Graphs ... 33
4.2 Typed Graph Transformations ... 34

5 Petri Nets and Process Network Synthesis ... 37
5.1 Comparison of the Petri Net Trajectory Problem and the PNS Problem ... 38
5.1.1 Comparison of Petri nets and P-graph structures ... 38
5.1.2 Petri net trajectory problems and PNS problems ... 39
5.1.3 Spanned Petri net ... 40
5.2 From PNS problems to Petri net reachability problems ... 41
5.3 From Petri Net Reachability Problems to PNS Problems ... 41
5.3.1 PNS axioms and an (A2)-conform transformation of initially marked places ... 42
5.4 Reduction rules for PNS problems ... 45
5.5 Related Work ... 48
5.5.1 PNS problem reduction ... 48
5.6 Contribution ... 50

6 Optimal Trajectory Problem with Cost ... 53
6.1 MSG Algorithm for the OT Problem ... 54
6.2 Solution Structure based Optimization ... 55
6.2.1 Generation of structurally valid solutions ... 55
6.2.2 Mapping of structurally valid solutions into the ILP problem ... 56
6.2.3 One binary variable for one structurally valid solution ... 56
6.2.4 One binary variable for each basis structurally valid solution ... 58
6.3 Accelerated Branch and Bound Algorithm for the OT Problem ... 59
6.4 Spurious Solutions and Fireability ... 62
6.5 Related Work ... 62
6.6 Contribution ... 63

7 Fireability Check and Trajectory Generation for the OT Problem ... 65
7.1 Reachability Function ... 67
7.1.1 Calculation of the a priori bound ... 68
7.1.2 Reachability function generation algorithm ... 68
7.1.3 Extension of the reachability function ... 68
7.1.4 Reachability function as a binary decision diagram ... 69
7.2 Trajectory Generation and Verification ... 70
7.2.1 Finite model ... 71
7.2.2 Petri net as a Promela transition system ... 71
7.2.3 Typical verification issues as LTL expressions ... 72
7.3 Optimal Trajectory Generation by SPINco ... 73
7.4 Related Work ... 74
7.5 Contribution ... 74

8 Time-Optimal Trajectory Problem ... 75
8.1 Time-instant based ILP ... 75
8.2 Trajectory Generation by Solving Only ILP Problems ... 78
8.3 Optimal Trajectory Generation by LTL Expression in SPIN ... 79
8.4 Related Work ... 80
8.5 Contribution ... 80

9 Optimization in Graph Transformation Systems ... 81
9.1 Optimization in Graph Transformation Systems with cost ... 81
9.1.1 Application of cost-OT problem techniques to graph transformation with cost ... 83
9.1.2 GTSs with cost ... 83
9.1.3 A Petri net abstraction of a GTS ... 85
9.1.4 Cost-optimal trajectory problem for GTSs ... 86
9.1.5 Guiding exploration of the GT state space ... 87
9.1.6 Example: solving a cost-optimal trajectory problem ... 87
9.1.7 Measurements ... 88
9.2 Optimization in Graph Transformation Systems with Time ... 89
9.2.1 Time-optimal trajectory problem for GTS with time ... 91
9.2.2 Guiding exploration of the GT state space ... 92
9.3 Related Work ... 94
9.4 Contribution ... 94

10 Comparison and Evaluation of the Algorithms ... 95

11 Conclusion ... 97
11.1 Fulfillment of the Objectives ... 97
11.1.1 Mathematical model ... 97
11.1.2 Strategies and algorithms ... 97
11.2 Future Work ... 98

12 Appendix ... 99
12.1 Petri Net Properties ... 99
12.1.1 Liveness and deadlock ... 99
12.1.2 Invariants ... 99
12.2 Petri Net Subclasses ... 100
12.2.1 Extensions with structured tokens ... 101
12.3 Reachability Function of Petri Nets ... 102
12.3.1 Boolean function representation of reachable markings ... 102
12.3.2 State space representation by Binary Decision Diagrams ... 103
12.4 Petri Nets and Model Checking ... 103
12.4.1 Transition system ... 105
12.4.2 Petri nets into Promela ... 107
12.5 Linear Programming Problems ... 108
12.5.1 MILP Formulation of PNS ... 110
12.6 Algorithms ... 110
12.7 Petri Net Properties and Analysis Techniques in PNS Problems ... 115
12.7.1 T-invariants ... 115
12.8 Examples ... 115
12.9 Promela Code of the Optimal Trajectory Problem ... 126


Chapter 1

Introduction

1.1 Simultaneous Verification and Optimization of System Models

1.1.1 Critical systems design

With the continuous increase of IT systems both in size and complexity, their quality of service becomes an issue in different application fields. For business critical systems that control the infrastructure of an international company with world-wide locations, a service failure may cause serious financial losses. For safety critical systems like automotive or avionics, a failure in the delivery of a service may result in critical damages or even casualties.

Certification standards like DO-178C (for avionics) or ISO 26262 (for automotive) prescribe rigorous safety requirements on the entire design process of a critical system, including requirements specification, analysis, design verification and validation (V&V), and documentation, in order to assure safe operation throughout the entire lifecycle of such a system. Due to this rigour, the certification costs of a new safety-critical product are horrendously high nowadays. Recent surveys demonstrated that verification and validation costs may contribute as much as 70-80% of the total certification costs. Finding innovative V&V techniques which simultaneously improve the quality of the system while reducing certification costs is a major challenge.

A service delivery compliant with certification standards needs to meet different kinds of requirements. A functionally correct service calculates its output for any input exactly as prescribed by its specification (i.e. without side effects). Furthermore, service delivery needs to be completed within certain deadlines with high reliability and availability. Finally, if there are multiple design variants for delivering a service, one needs to select the cheapest option or the one which guarantees the shortest time to market. In this respect, critical systems design distinguishes between functional, extra-functional and optimality requirements.

1.1.2 Model driven engineering of critical systems

Model-driven engineering (MDE) has become a key technique for critical systems design with a rapidly increasing number of applications, for instance, in avionics or automotive systems [95, 96]. MDE facilitates the systematic use of models from an early phase of the design cycle. System requirements and design are captured by high-level, visual engineering models. Early systematic formal analysis of design models can be carried out by generating various mathematical models by automated model transformations (MTs) to eliminate conceptual flaws [38]. The source code of the target system is derived by code generator transformations [58, 118, 124].

MDE promises to simultaneously increase productivity and quality while reducing development costs. Early detection of design flaws saves costly re-design (compared to detecting the same problem by traditional testing). Automated (and qualified) code generators improve productivity by synthesizing provenly correct source code of a safety-critical application from a validated model. In addition to source code generation, MDE tools could help synthesize other design artifacts as well (such as configuration tables, fault trees, test cases, documentation) and provide fine-grained support for traceability [31].


Figure 1.1: Model driven analysis of critical systems

1.1.3 Formal methods

Formal methods (such as statecharts, Petri nets, dataflow nets, process algebras, or timed automata) offer formal models with precisely defined semantics and mathematical algorithms to exhaustively cover all potential executions. They are primary means to carry out early analysis in model-driven engineering by analyzing system models with mathematical scrutiny.

While traditional testing primarily aims at highlighting flaws in the system (i.e. the presence of faults), in many cases one can prove the correctness of the system (i.e. the absence of errors) by using formal methods. In this respect, formal methods are accepted verification and validation techniques in most safety-critical certification standards. In real development scenarios, a combined use of traditional testing and formal methods is widespread nowadays, especially in the avionics domain.

Semi-formal techniques like the Unified Modeling Language (UML) [59], the System Modeling Language (SysML) [26] or the Business Process Modeling Notation (BPMN) [27] provide an easy-to-understand and comprehensive language for system engineers, with a precisely defined structure, to model the system at a high level of abstraction. Using a standard modeling language improves communication between different stakeholders and development teams. However, these languages can be ambiguous due to the lack of formal semantics; therefore, one cannot establish a safety argument directly at this level. Furthermore, certain requirements (such as temporal behavior in UML) cannot easily be captured in these semi-formal languages. In contrast, formal methods always build on precise requirements and mathematical models with formal semantics to specify a system model, which enables formal verification of the model with respect to the requirements (properties). While these formal methods are rigorous and do not allow ambiguity in specifications, they are much more difficult to understand, and their use requires a strong mathematical background from the designer. Model-driven engineering closes the gap between semi-formal and formal methods by enabling the precise formal verification of high-level system models while still offering visual notations to system engineers.

Studies [28] have demonstrated that the combined use of formal methods and model driven engineering simultaneously improves quality and reduces V&V costs by one order of magnitude (compared to traditional V&V without formal methods).


Petri nets. The current thesis focuses on Petri nets, a well-known and widely used formal method introduced by Carl Adam Petri in 1962 [105] for modeling the communication of processes. Petri nets provide an intuitive graphical yet mathematically expressive language to capture nondeterminism and concurrency in system models. Several extensions of the core Petri net formalism exist to precisely capture time, cost, dependability or other properties of systems.

Petri nets can be generated automatically from high-level modeling languages (like UML or BPMN) [103, 130]. Furthermore, there is a wide range of tools (like INA, PetriDotNet, CPNTools, GreatSPN, PEP, etc., see [23]) to carry out subsequent formal analysis of Petri nets; alternatively, the Petri net is translated into the input of some model checker, which then verifies the underlying Petri net model, as shown in the current thesis. Petri nets are directed bipartite graphs whose nodes are places and transitions: places represent the state variables of the system and may contain tokens, while transitions stand for the tasks or activities in the system and describe the system control. The system dynamics is modeled by the token transfer between places through the firing of transitions: a transition is enabled, and may fire, if there are enough tokens on its input places. During its firing the transition removes these tokens and produces as many tokens on its output places as required. The number of removed and produced tokens is defined by a weight function interpreted on the edges of the graph. The potential behavior of the system is identified by trajectories in the form of transition firing sequences in the system state space. (See an example Petri net in Fig. 2.1.)
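The following Python script is an added example and not code from the thesis. It encodes a small constructed place/transition net with transition costs, implements the firing rule just described, and walks through the candidate Parikh vector idea from the Summary: the state equation M_target = M0 + C·x is checked for a candidate firing count vector, the candidate is then tested for fireability, and a cost-optimal trajectory is searched directly over the reachable markings. The net is constructed so that the cheapest vector satisfying the state equation is spurious, because transition t3 has a self-loop on place p3 that the incidence matrix cannot see.

```python
import heapq

# Constructed example net (not from the thesis): places p1..p4, transitions t1..t3.
PLACES = ["p1", "p2", "p3", "p4"]
# pre/post give the arc weights: tokens consumed from / produced on each place.
TRANSITIONS = {
    "t1": {"pre": {"p1": 1}, "post": {"p4": 1}, "cost": 10},
    "t2": {"pre": {"p1": 1}, "post": {"p2": 1}, "cost": 1},
    # t3 has a self-loop on p3: it needs a token on p3 and gives it back,
    # so its incidence column shows no change on p3 at all.
    "t3": {"pre": {"p2": 1, "p3": 1}, "post": {"p4": 1, "p3": 1}, "cost": 1},
}
M0 = (1, 0, 0, 0)       # initial marking, one token on p1
TARGET = (0, 0, 0, 1)   # target marking, one token on p4


def vec(weights):
    """Weight dictionary -> tuple ordered like PLACES."""
    return tuple(weights.get(p, 0) for p in PLACES)


def enabled(marking, t):
    """Firing rule: every input place holds at least the arc weight."""
    return all(m >= w for m, w in zip(marking, vec(TRANSITIONS[t]["pre"])))


def fire(marking, t):
    """Remove the consumed tokens and add the produced ones."""
    pre, post = vec(TRANSITIONS[t]["pre"]), vec(TRANSITIONS[t]["post"])
    return tuple(m - a + b for m, a, b in zip(marking, pre, post))


def incidence_column(t):
    """Column of the incidence matrix C for transition t (post minus pre)."""
    return tuple(b - a for a, b in zip(vec(TRANSITIONS[t]["pre"]),
                                       vec(TRANSITIONS[t]["post"])))


def state_equation_holds(parikh, m0=M0, target=TARGET):
    """Check target == m0 + C * x. Necessary for reachability, not sufficient."""
    m = list(m0)
    for t, count in parikh.items():
        for i, c in enumerate(incidence_column(t)):
            m[i] += count * c
    return tuple(m) == target


def parikh_cost(parikh):
    """Objective value of a firing count vector (the ILP's linear cost)."""
    return sum(TRANSITIONS[t]["cost"] * n for t, n in parikh.items())


def fireable_order(parikh, m0=M0):
    """Return a firing sequence realizing the Parikh vector, or None if spurious."""
    multiset = [t for t, n in parikh.items() for _ in range(n)]

    def dfs(marking, remaining):
        if not remaining:
            return []
        for i, t in enumerate(remaining):
            # skip duplicates already tried at this level and disabled transitions
            if t in remaining[:i] or not enabled(marking, t):
                continue
            rest = dfs(fire(marking, t), remaining[:i] + remaining[i + 1:])
            if rest is not None:
                return [t] + rest
        return None

    return dfs(m0, multiset)


def cost_optimal_trajectory(m0=M0, target=TARGET, bound=3):
    """Dijkstra over reachable markings; `bound` caps tokens per place to stay finite."""
    best = {m0: 0}
    heap = [(0, m0, [])]
    while heap:
        cost, marking, path = heapq.heappop(heap)
        if marking == target:
            return cost, path
        if cost > best.get(marking, float("inf")):
            continue
        for t in TRANSITIONS:
            if not enabled(marking, t):
                continue
            nxt = fire(marking, t)
            if max(nxt) > bound:
                continue
            c = cost + TRANSITIONS[t]["cost"]
            if c < best.get(nxt, float("inf")):
                best[nxt] = c
                heapq.heappush(heap, (c, nxt, path + [t]))
    return None


if __name__ == "__main__":
    candidate = {"t2": 1, "t3": 1}   # cheapest vector satisfying the state equation
    print(state_equation_holds(candidate), parikh_cost(candidate))   # True 2
    print(fireable_order(candidate))                                  # None (spurious)
    print(cost_optimal_trajectory())                                  # (10, ['t1'])
```

The candidate {t2, t3} passes the state equation with cost 2 but cannot be fired from M0, which is exactly why the thesis follows the ILP step with a reachability and fireability check and falls back to the next best vector ({t1}, cost 10).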

Model checking. Model checking means the automatic check of the fulfillment of some properties [32] by an exhaustive traversal of the state space. The aim of model checking is either to prove that a given property is satisfied in a system model or to constructively retrieve a counterexample leading to a violation. The input model of a model checker is a finite labelled transition system that captures the behaviour of the underlying system by a directed graph, where the nodes are the states of the system and the edges represent the state transitions. The properties that have to be satisfied by the system are formalized as temporal logic expressions composed of temporal logic operators and state variables. An (explicit state) model checker (like SPIN [81]) translates a property into an automaton that accepts only those paths on which the property evaluates to true. Then the product automaton of the automaton of the negated property and the automaton of the transition system is analyzed. If there is no execution sequence in the product automaton leading to an accept state (i.e. the product automaton accepts the empty language), then there is no sequence in the transition system that satisfies the negation of the property; in other words, the original property holds in the system. Otherwise, the corresponding sequence is retrieved as a counterexample.

Graph transformation systems Graph transformation [111] provides another mathematical model where the system is modeled by typed and attributed graph models while its behaviour is represented by rule- and pattern-based manipulation. The application of a rule, also known as a rewriting step, consists of the matching of an instance graph against the left-hand side graph pattern of the rule and the replacing of that part in accordance with the right-hand side pattern.

Due to their expressiveness, graph transformation systems are widely used in compiler construction, database management, software engineering, visual modeling, logic programming and in many other fields [54]. The graph-based representation and the use of types, labels and attributes facilitate an easy-to-understand graphical modeling of complex systems. Furthermore, the formal analysis of graph transformation systems has a strong theoretical background that enables the check of typical properties in graph transformation systems.

1.1.4 Optimization techniques

In the current thesis, we focus on the research challenge when the system model has to be optimized and verified simultaneously according to the system requirements in order to assure an efficient and correct operation. For instance, the delivery of a cost- or time-optimal solution is a core problem in business processes or production systems in order to satisfy the prescribed quantitative requirements. The application of both formal analysis and optimization can assure that the system will function properly and also fulfills its quantitative constraints in an optimal way (with respect to some objectives).

Linear programming (shortly LP) methods are known as efficient solution techniques for optimization problems [129]. LP problems consist of some variables, linear constraints over these variables and an objective function, which is a linear combination of the variables that has to be either minimized or maximized respecting the constraints.

An LP problem is called an integer linear programming (ILP) problem if all variables are constrained to be integers, while an LP problem is called a mixed integer linear programming (MILP) problem if some (but not necessarily all) variables are forced to be integer.

Several techniques have been developed to solve LP problems, such as the simplex method [129] or interior point methods [87]. A well-known method to solve MILP problems is the so-called Branch and Bound (shortly B&B) method [129]. The idea of the B&B algorithm is to apply the steps branching and bounding after each other to the current (sub)problem in order to separate and restrict the solution space to subproblems.

Bounding and relaxation The solution of integer problems is much more complex and time consuming than the solution of continuous problems (with arbitrary real values for variables). The idea of relaxation is to use techniques defined for continuous problems to bound the objective value of the integer problem. Usually interior point methods (like the algorithm in [87]) are used to solve LP problems.

A lower bound for the minimum of an ILP problem is derived by the solution of the LP problem that is the same as the ILP problem except that the variables are relaxed to continuous ones. On the one hand, if there is no solution for the relaxed LP problem there is also no solution for the integer problem. On the other hand, the objective value of an optimal solution of the relaxed problem is a lower bound (in case of minimization) for all optimal integer solutions since all of those are included in the solution space of the relaxed problem. This way the search space is restricted by the approximation for the objective value of the optimal solution.

There are several engineering problems that can be mapped to (MI)LP problems like process network synthesis in manufacturing, transportation, chemical engineering or VLSI design.

Process Network Synthesis The current thesis uses Process Network Synthesis (PNS) solutions that were elaborated by Friedler et al. [61, 65] to deliver an optimal solution for the production of some materials in chemical engineering. A process network is represented by a Process-graph (P-graph). A P-graph describes a production problem that aims at producing some products from given raw materials using operating units. Operating units transform their input materials into their output materials.

Friedler et al. proposed efficient algorithms that exploit the combinatorial properties of the problems. They showed that the P-graph structure of a solution has to conform to five axioms. Such a P-graph is called a combinatorially feasible solution structure that forms a recipe describing what materials (ingredients) and operating units (tools) are necessary to “cook” the desired products. The Accelerated Branch and Bound algorithm delivers an optimal solution for the PNS problem using the traditional Branch and Bound algorithm over the set of these recipes.

Problem statement Verification and validation methods aim to assure the correctness of a system model, while optimization may serve to calculate the quantitative performance characteristics of a system by estimating its quantitative boundaries and to minimize operation costs. However, it is a challenging question how to combine the best practices of the two fields.

1.2 The Optimal Trajectory Problem: Simultaneous Optimization and Verification

Combined optimization and V&V problems can frequently be expressed as a reachability problem with quantitative or qualitative measurements, which is called an optimal trajectory problem: find an optimal path (if such exists) starting from an initial state to a target state that satisfies all the given requirements. The traditional reachability problem is to answer the question whether a given state is reachable from an initial state in the system. However, the optimal trajectory problem also requires the generation of a path leading from the initial state to the target state. A target state may be concrete, i.e. all state variables have a desired value in the target state, or partial if we focus on the desired value of only a subset of variables.

Similar problems are investigated in planning and scheduling algorithms [39, 98, 112], various strategies in game theory [43], and design space exploration in system engineering [35].

1.2.1 Objectives of the thesis

The objective of the research presented in this thesis is to propose (i) mathematical models in which the optimal trajectory problem can be formally expressed and (ii) strategies and algorithms to solve the optimal trajectory problem by combining verification and optimization techniques. Due to their modeling expressiveness and their rich mathematical background I use an extension of Petri nets and graph transformation systems as a target mathematical platform in my thesis. Figure 1.2 shows the approaches in the thesis where C1-C4 denote the number of the corresponding contribution.

Figure 1.2: Overview of the contributions

An optimal trajectory of a Petri net is a path in the state space of the Petri net that is optimal with respect to a given metric. The main challenge of finding an optimal path is that the state space of a Petri net may be infinite, which cannot directly be traversed exhaustively. However, the search space can be reduced to be finite by filtering certain paths or taking into account upper bounds for the metric.

1.2.2 Cost-optimal trajectory for Petri nets

I give two solutions for the Petri net optimal trajectory (OT) problem with cost. The first solution is based on the ILP problem abstraction of the cost-optimal trajectory problem (see Fig. 1.3).

The ILP abstraction overapproximates the original OT problem, i.e. the solution space of the ILP problem includes the solution space of the trajectory problem.

Optimal candidate by ILP An optimal solution for the ILP problem is delivered by customizing the PNS algorithms to Petri nets. If there exists no solution for the ILP problem then there is no solution for the optimal trajectory problem. However, if there exists an optimal solution vector σ for the ILP problem, it may happen that it does not have a corresponding executable (fireable) trajectory in the Petri net.

Reachability check Therefore a subsequent check is performed using the reachability function of Petri nets to check the reachability of a marking compliant with the candidate solution vector σ. The reachability function encodes the (finite) transitive closure of the one-step transition function parametrized by the initial state in the form of Binary Decision Diagrams (BDDs), thus providing a fast and reusable filtering of candidate solutions.

Fireability check and trajectory retrieval If the marking compliant with the candidate vector is proven to be reachable, its fireability (executability) still needs to be checked. I propose to use the SPIN model checker tool for fireability checks, completing additional verification tasks and the derivation of an optimal trajectory.

If either the reachability check or the fireability check fails, the next best solution vector of the ILP problem is generated and checked again until a solution is found or all branches are pruned and there is no solution.

Direct encoding approach. The second algorithm directly encodes the optimal trajectory problem of bounded Petri nets into the SPIN model checker with on-the-fly optimization during verification. In this technique, the numerical criterion of the Branch and Bound algorithm is also embedded into the linear temporal logic formula of the verification condition, thus state space exploration simultaneously checks both the logical and numerical conditions.

1.2.3 Time-optimal trajectory of Petri nets

Similarly to the cost-optimal case, I give two solutions for the time-optimal trajectory problem. The first one calculates an upper bound for the maximal duration of an optimal Petri net trajectory and delivers a fireable trajectory as a solution for the ILP model that (1) represents the token change in the places at any time instant within this upper bound and (2) encodes the enabledness condition of the transitions at each time instant.

The second solution is a direct method for the time-optimal trajectory problem that uses the same upper bound to constrain the verification run of the SPIN model checker in order to deliver an optimal trajectory on-the-fly by encoding the optimality criteria into an LTL expression.

1.2.4 Optimal trajectory problem in graph transformation systems

Since there is a strong correspondence between Petri nets and graph transformation systems (shortly GTS) [45, 89, 91], I generalized the optimal trajectory problems of Petri nets over graph transformation systems with cost and time. I introduced both cost and time into graph transformation systems as the cost and duration of a rule application, and I defined formal semantics for evaluating graph transformation rules with cost and time.

The optimal trajectory problem in GTSs is solved using the Petri net based solutions: the GTS is transformed into a Petri net such that all the valid trajectories of the GTS are simulated by a Petri net trajectory. However, it is not a bisimulation, i.e. trajectories may exist in the Petri net that have no compliant trajectory in the GTS. Therefore the executability of the Petri net solution has to be checked in the original GTS after back-annotation.

Figure 1.3: Workflow of the approach

1.3 The Structure of the Thesis

The thesis is organized as shown in Fig. 1.4. The label Theoretical background denotes the chapters that introduce the basics of the used paradigms. The C1-4 labels denote the contributions at the chapters where the results of the given contribution are discussed.

• Chapter 2 overviews the basic notations, definitions and theorems of Petri nets including the reduction rules and extensions.

• The Process Network Synthesis paradigm is introduced in Chapter 3.

• An introduction into graph transformation systems is given in Chapter 4.

• Chapter 5 compares the Petri net cost-optimal trajectory problem and PNS problems together with the comparison of the reduction techniques in the two paradigms. The results are summarized in Contribution 1.

• I discuss the conditions of the adaptation of PNS algorithms to the Petri net cost-optimal trajectory problem and give the corresponding algorithms for Petri nets in Chapter 6. The results are summarized in Contribution 2.


Figure 1.4: Structure of the thesis: theoretical backgrounds, contributions

• The reachability and the fireability checks are discussed in Chapter 7 followed by the direct encoding approach. The results are summarized in Contribution 3.

• I propose two methods for the Petri net time-optimal trajectory problem in Chapter 8. The results are summarized in Contribution 4/1-2.

• Chapter 9 discusses optimal trajectory problems in graph transformation systems (GTSs) both with cost and time. The results are summarized in Contribution 4/3-5.

• Chapter 10 compares the discussed algorithms, and finally, Chapter 11 overviews the results and lists some issues of future work.

• The Appendix contains the pseudo code of the algorithms, additional examples and theoretical sections for the better understanding of the theory, and parts of the Promela code. Furthermore, the Petri net related methods used in the thesis, like the reachability function and the transition system representation, are also discussed there.

Related work. Related work is discussed at the end of the individual chapters. As most of my research was carried out between 2000 and 2006, I primarily assess related papers published before my results to help assess the novelty of my contributions. However, I also include some recent developments in each direction from the past five years.


Chapter 2

Petri Nets

Having a rich mathematical background with precise semantics in addition to their attractive, visual notation, Petri nets are frequently used as an underlying framework to formalize and verify systems. The following introduction into P/T (Place/Transition) nets is based on the fundamental tutorial paper of Murata [97]. The expression Petri net refers in the following to this kind of Petri nets.

2.1 Place/Transition Nets

A Place/Transition net, shortly P/T net (in the following Petri net), is a directed, bipartite graph together with an initial state. The two types of nodes are called places and transitions, such that arcs are drawn either from a place to a transition or from a transition to a place. Graphically, places and transitions are denoted by circles and either horizontal or vertical bars, respectively. Places can contain tokens, represented by black dots, while transitions may fire, removing and producing tokens from places to places. Two example Petri nets are shown in Fig. 2.1.

Definition 1 (Place/Transition (P/T) net) A Petri net is represented by a five-tuple PN = (P, T, F, w, M0), where P and T are the finite disjoint sets of place and transition nodes, respectively. F ⊆ (P × T) ∪ (T × P) is the set of arcs between the place and transition nodes (where no arc connects two places or two transitions), M0 : P → N is the initial marking mapping places to nonnegative integers denoting the number of tokens at the places, while w : F → N+ maps arcs to positive integers.

A marking is a |P|-dimensional vector over the naturals N, where the i-th component M(pi) is the number of tokens contained in place pi ∈ P.

Furthermore, •t = {p | (p, t) ∈ F} denotes the input places, while t• = {p | (t, p) ∈ F} denotes the output places of transition t. Finally, •p = {t | (t, p) ∈ F} are the incoming transitions while p• = {t | (p, t) ∈ F} are the outgoing transitions of place p.

The token distribution in the places describes the state of the Petri net and the corresponding vector is called a marking. The state of the net is changed by firing transitions. A transition may fire if there are at least as many tokens in all its input places as required by the weight of the corresponding arc. Note that no weight drawn on the arc means weight 1. The firing of a transition removes the defined number of tokens from its input places and produces as many tokens on its output places as defined by the weight of the corresponding arc.

Definition 2 (Firing a transition) A transition t is enabled, i.e. it may fire at marking M, if each of its input places contains at least as many tokens as is specified by the weight function, i.e. ∀p ∈ •t : M(p) ≥ w(p, t). The firing of an enabled transition t removes w(p, t) tokens from each of its input places p, and w(t, p) tokens are produced for each output place p, i.e. ∀p ∈ P : M′(p) = M(p) − w(p, t) + w(t, p), where M′ is the new marking yielded after firing transition t. The firing of the transition is denoted by M[t>M′.

Two enabled transitions are in conflict if the firing of one transition disables the firing of the other, i.e. they have common input places such that there are not enough tokens to fire both transitions. Transitions may fire concurrently if they are not in conflict.


Example 1 An example Petri net is shown in Fig. 2.1 on the left depicting the testing of storages. There are two types of storages, R4A and R4B, that can be reconfigured into each other. At the beginning, each storage is untested: two and three untested storages are available of types R4A and R4B, respectively, represented by tokens at places R4A_untested and R4B_untested.

The aim is to ship tested storages to the customers according to their requests. The testing of storages R4A and R4B is represented by transitions test_R4A and test_R4B: their firing removes one untested storage and produces a tested one of the same type. The test operations also need a test cell resource that is modeled by the place test_cell: transitions test_R4A and test_R4B have an incoming and an outgoing arc from and to this place, indicating that the test cell is used, i.e. it is removed only for the test event, and after finishing the test it will be available for testing again.

A storage can also be produced by reconfiguring a storage of the other type. The reconfiguration of untested storages is denoted by transitions reco_ut_R4A and reco_ut_R4B, while the reconfiguration of tested storages is carried out by firing transitions reco_R4A and reco_R4B.

Figure 2.1: Example Petri net: storage testing

The initial marking M0 counts the number of tokens at the corresponding places: M0 = (2, 3, 0, 0, 1), where the places are listed in the following order: P = {R4A_untested, R4B_untested, R4A_tested, R4B_tested, test_cell}. At the beginning we have two and three untested storages of types R4A and R4B, respectively, and one test cell.

In the example, transitions reco_ut_R4A, reco_ut_R4B, test_R4A, and test_R4B are enabled at marking M0. The marking M′ = (1, 3, 1, 0, 1) is reached by firing transition test_R4A, shown in the same figure on the right: one untested storage of type R4A is removed and one tested storage of type R4A is produced, while the number of the available test cells remains unchanged (however, it is used during the test).

The effect of the firing of a transition t in marking M reaching marking M′ can be described formally by the so-called incidence matrix.

Definition 3 (Incidence matrix) The incidence matrix W of a P/T net describes the net token change at each place caused by the firing of a transition: the (i, j)-th component of the incidence matrix denotes the token change at place pi after firing transition tj. Formally, W is a |P| × |T|-dimensional matrix of integers such that Wij = −w(pi, tj) + w(tj, pi), where 1 ≤ i ≤ |P|, 1 ≤ j ≤ |T|. In the following, an element of the incidence matrix is denoted either by Wij, W(i, j) or W[pi][tj].

Firing transition t from marking M, the yielded marking is M′ = M + W · et, where et is the |T|-dimensional unit vector of t, i.e. et(tj) = 1 ⇔ tj = t and et(tj) = 0 otherwise.


Example 2 The following matrix is the incidence matrix of the Petri net in Example 1. The rows represent the places in the order P = {R4A_untested, R4B_untested, R4A_tested, R4B_tested, test_cell}, while the columns represent the transitions of the Petri net in the order T = {reco_ut_R4A, reco_ut_R4B, test_R4A, test_R4B, reco_R4A, reco_R4B}. For instance, W[R4A_untested][reco_ut_R4A] = −w(R4A_untested, reco_ut_R4A) = −1 since the firing of transition reco_ut_R4A reduces the number of tokens at place R4A_untested by 1. Since the firing of transition test_R4B removes one token from the place test_cell and it also produces one token to the same place, the corresponding value W[test_cell][test_R4B] in the incidence matrix is equal to 0.

W =

                  reco_ut_R4A  reco_ut_R4B  test_R4A  test_R4B  reco_R4A  reco_R4B
  R4A_untested        -1            1          -1         0         0         0
  R4B_untested         1           -1           0        -1         0         0
  R4A_tested           0            0           1         0        -1         1
  R4B_tested           0            0           0         1         1        -1
  test_cell            0            0           0         0         0         0

(2.1)

Definition 4 (Firing sequence, trajectory) A transition firing sequence or trajectory s = 〈ti1, ti2, ..., tik〉 between states M0 and Mk is denoted as M0[s>Mk, where 〈M0, M1, ..., Mk〉 is a sequence of subsequent markings such that for all 1 ≤ j ≤ k : Mj−1[tij>Mj (i.e. the trajectory is compliant in each individual step with the firing condition of tij).

Definition 5 (Parikh vector) The transition occurrence vector or Parikh vector ~σs of a trajectory s = 〈ti1, ..., tik〉 is a |T|-dimensional vector in which the j-th component counts the occurrences of the individual transitions in the firing sequence, i.e. σs(tj) = |{l | 1 ≤ l ≤ k, il = j}|.

A vector ~σ ∈ N|T| is called fireable if there exists a firing sequence s = 〈ti1, ti2, ..., tik〉 such that ~σs = ~σ, i.e. ~σ is the Parikh vector of s.

The characteristic vector ch~σ of Parikh vector ~σ is a |T|-dimensional vector with 0, 1 elements such that ∀t ∈ T : ch~σ(t) = (0 < σ(t)), i.e. the characteristic vector encodes the presence of a transition in the Parikh vector. Since the Parikh vector of a trajectory s counts the transition occurrences in the trajectory, the characteristic vector chs of the trajectory is equal to the characteristic vector of its Parikh vector, i.e. chs = ch~σs.

Example 3 A sample trajectory in the Petri net of Example 1 starting from the initial marking (2, 3, 0, 0, 1) is s = 〈reco_ut_R4A, test_R4B, test_R4B, test_R4A, reco_R4B〉, leading to the token distribution (0, 2, 2, 1, 1).

Since transitions reco_ut_R4A, reco_ut_R4B, test_R4A, test_R4B, reco_R4A, reco_R4B are fired in the trajectory 1, 0, 1, 2, 0, 1 times, respectively, the Parikh vector of s is ~σs = (1, 0, 1, 2, 0, 1) while its characteristic vector is equal to chs = (1, 0, 1, 1, 0, 1).

2.1.1 Reachability and coverability in Petri nets

Definition 6 (Reachable states) A marking M is reachable from a state M0 if there is a transition firing sequence s = 〈ti1, ..., tik〉 from M0 to M, denoted by M0[s>M. The set of reachable markings from an initial marking M0 in a Petri net PN is denoted by R(PN, M0).

The token change after firing a transition can be calculated by the incidence matrix (see Definition 3). The token change after firing a transition sequence can be calculated as the sum of the token changes yielded by the individual transition firings: M0 + W · eti1 + ... + W · etik = M0 + W · ~σs = M.

Frequently, in engineering problems only the marking of a subset of places is relevant from a practical point of view. The notion of partial reachability or coverability defines this case.


Definition 7 (Coverability) Let a Petri net PN = (P, T, F, w, M0) be given. Then a marking M′ covers a marking M if the number of tokens in each place in M′ is at least as many as in M, i.e. M′ ≥ M.

A marking Mpartial is coverable or partially reachable from marking M0 if there exists a reachable marking M such that M covers the desired (partial) state Mpartial, i.e. ∃s : M0[s>M and M ≥ Mpartial.

The existence or non-existence of a trajectory between two states is a core problem in several system models. For instance, an unwanted state has to be proved to be unreachable in critical systems, or one has to show how a certain state can be reached during the operation of an information system. The former case is called the reachability problem: one is interested only in whether the target state is reachable, and the presentation of an exact trajectory is not desired. In the latter case the trajectory between the two states also has to be generated.

Frequently, such an unwanted or required state is given only partially: only a subset of the places in the Petri net is defined to be marked by at least a certain amount of tokens, and the token numbers in the other places do not matter. In other words, the target partial state has to be covered. The partial reachability problem is to decide whether a partial target state can be covered starting from an initial state.

Definition 8 (Reachability problem, coverability problem) The reachability problem is to decide whether a given marking is reachable from another marking. Formally, let a Petri net PN = (P, T, F, w, M0) be given together with a target marking M′; then the reachability problem is to decide whether M′ ∈ R(PN, M0).

The partial reachability or coverability problem is to decide whether a given marking can be covered starting from another marking. Formally, let a Petri net PN = (P, T, F, w, M0) be given together with a partial target marking Mpartial; then the coverability problem is to decide whether ∃M′ ∈ R(PN, M0) : M′ ≥ Mpartial.

The problem in the following definition is called the trajectory problem: here the task is not only to decide whether the given marking is reachable or coverable from the initial marking, but an exact trajectory starting from the initial marking to the given marking, or to a marking that covers the given marking, is searched for.

Definition 9 (Trajectory problem) Let a Petri net PN = (P, T, F, w, M0) and a (potentially partial) marking Mpartial be given. Then the Petri net trajectory problem is to show a trajectory s that starts from the initial marking M0 and leads to a marking M′ that covers Mpartial. Formally, give a trajectory s : M0[s>M′ where M′ ≥ Mpartial.

One way to give an answer for the reachability (coverability) or the trajectory problems is to represent the reachable states, i.e. the state space of the Petri net. Such a representation is the so-called reachability graph.

Definition 10 (Reachability graph) The reachability graph is a directed labeled graph where the nodes are labeled by the reachable markings and the arcs are labeled by transitions. An arc labeled by transition t ∈ T leads from a node labeled with marking M to another node labeled with marking M′ if M′ is reached from M by firing transition t.

The construction of the reachability graph starts from the initial marking as the only node in the graph. Then arcs are drawn for all transitions that are enabled at the initial marking, leading either back to the initial node or to new nodes representing the reached markings. Then a new marking is selected and its enabled transitions are processed in the same way. The procedure is continued as long as there are markings whose enabled transitions have not been processed yet.

If the reachability graph is finite then the Petri net is said to be bounded. Usually IT systems have to satisfy such a criterion, which is formalized as follows.

Definition 11 (Boundedness) A Petri net is bounded if there is a number k ∈ N such that in each reachable marking the number of tokens at every place is less than or equal to k, i.e. ∀p ∈ P, M ∈ R(PN, M0) : M(p) ≤ k.

A Petri net is called safe if this upper bound is equal to 1.


Figure 2.2: Reachability graph of the storage example production with initial marking M0 = (1, 1, 0, 0, 1)

Example 4 Let us revisit Example 1 and build the reachability graph of the Petri net starting from the initial state (1, 1, 0, 0, 1), where one R4A storage, one R4B storage and one test_cell are available. The reachability graph of the running example is depicted in Fig. 2.2.

Since the number of storages is constant and never increases, the set of reachable states of the Petri net starting from a given initial marking is always finite; in other words, the Petri net is bounded.

In case of an unbounded Petri net the reachability graph is infinite. The so-called coverability tree gives a solution in these cases to represent the state space of the Petri net. In order to denote infinity, a special symbol ω is introduced. The coverability tree is a labeled directed tree where the nodes are labeled by markings that cover the reachable markings of the Petri net. The arcs of the coverability tree are labeled by the fireable transitions. The ω symbol appears in a place pi in a marking M′ if there is another marking M on the path from the root node to marking M′ such that M′ covers M, i.e. the token number in pi can be increased by repeating the firing sequence from M to M′. The algorithm for coverability tree generation is described in detail in [97].

Once the reachability graph of a Petri net is constructed, both the reachability and the coverability problem can be decided; moreover, also a trajectory that leads to a given target marking can be shown. On the contrary, these problems cannot be decided using only the coverability tree since it may happen that two Petri nets have the same coverability tree but the reachability graphs of the two Petri nets are not the same.

In addition, the construction of the reachability graph or the coverability tree may easily lead to state space explosion. Mayr proved in [93] that the problem is decidable but EXPSPACE-hard.

In order to avoid state space explosion, semi-decision methods can be used to reduce the Petri net state space. Semi-decision methods usually give necessary but not sufficient conditions for a problem: if the condition is not satisfied then the answer is “no” for the problem, otherwise the answer is “do not know”. Such a technique is based on the so-called state equation.


2.1.2 State equation and state inequality

A proof for the reachability of a marking M′ from an initial marking M0 is a trajectory s. The marking M′ that is reached from M0 by a trajectory s can be calculated by the equation M′ = M0 + W · ~σs (see Definition 5). Thus if there exists no solution ~σ for the state equation M′ = M0 + W · ~σ then the marking M′ is not reachable. However, if there exists a solution, it still may happen that this marking is not reachable.

If we speak about a coverability problem, the state equation becomes an inequality according to the definition of coverability (see Definition 7).

Definition 12 (State equation) If a marking M is reachable from state M0 by a transition sequence s then the so-called state equation holds: M = M0 + W · ~σs, where ~σs is the Parikh vector of s.

Definition 13 (State inequality) If a marking Mpartial is partially reachable or coverable from a state M0 by transition firing sequence s, then the following state inequality holds: Mpartial ≤ M0 + W · ~σs, where ~σs is the Parikh vector of s.

Example 5 Let us revisit Example 1 and decide whether the state (0, 0, 3, 2, 0) is reachable from the initial state (2, 3, 0, 0, 0). In other words, there are 2 untested R4A and 3 untested R4B storages available without any test cells, and we would like to produce 3 tested R4A and 2 tested R4B storages. The matrix in the following state equation is the incidence matrix of the example Petri net, such that the rows represent the places in the order P = {R4A_untested, R4B_untested, R4A_tested, R4B_tested, test_cell}, while the columns represent the transitions of the Petri net in the order T = {reco_ut_R4A, reco_ut_R4B, test_R4A, test_R4B, reco_R4A, reco_R4B}.

$$
\begin{pmatrix} 0 \\ 0 \\ 3 \\ 2 \\ 0 \end{pmatrix}
=
\begin{pmatrix} 2 \\ 3 \\ 0 \\ 0 \\ 0 \end{pmatrix}
+
\begin{pmatrix}
-1 & 1 & -1 & 0 & 0 & 0 \\
1 & -1 & 0 & -1 & 0 & 0 \\
0 & 0 & 1 & 0 & -1 & 1 \\
0 & 0 & 0 & 1 & 1 & -1 \\
0 & 0 & 0 & 0 & 0 & 0
\end{pmatrix}
\cdot \vec{\sigma}
\qquad (2.2)
$$

The above state equation has several solution Parikh vectors, e.g. ~σ = (0, 1, 2, 3, 0, 0) (where the order of transitions is the same as in the incidence matrix). In order to prove the fireability of this Parikh vector, we have to find a transition sequence in which 2 untested R4A and 3 untested R4B storages are tested and 1 untested R4A storage is reconfigured into an untested R4B storage. However, since there is no test cell available for testing at the beginning, no corresponding firing sequence exists (and none exists for any other solution Parikh vector either). Therefore the solution ~σ is called a spurious solution.

The reason for this situation is that the calculation of a Parikh vector solving the state equation takes into account only the change in the token numbers at the corresponding places, without regarding fireability. Since place test_cell forms a self-loop with the test transitions, firing these transitions yields 0 change in the number of tokens at this place. If the initial state is changed to have one or more tokens at place test_cell, then for the transition occurrence vector ~σ = (1, 0, 2, 3, 0, 0) a transition firing sequence already exists, e.g. s = <test_R4A, test_R4A, test_R4B, test_R4B, reco_ut_R4B, test_R4A>.

This way the state equation (the state inequality in the partial reachability case) provides a necessary but not sufficient condition for the reachability (coverability) problem: if a marking is reachable from another one then the state equation (state inequality) has a solution. However, a solution Parikh vector ~σ of the state equation (the state inequality) for two given markings does not guarantee the existence of a corresponding trajectory, as illustrated by our running example.

Nevertheless, it was proved that in the case of acyclic Petri nets the state equation gives a sufficient condition: if there is a solution for the state equation (state inequality) then the target (partial) state is reachable (coverable) from the initial state [97]. The state equation (state inequality) corresponding to a reachability (coverability) problem can be seen as an abstraction or overapproximation, since (i) each trajectory in the Petri net has a corresponding solution of the state equation (state inequality) but (ii) there may exist a solution of the state equation (state inequality) such that there exists no corresponding trajectory (transition firing sequence) in the Petri net. Figure 2.3 shows the correspondence between solution trajectories for a coverability problem and the Parikh vector solutions of the corresponding state inequality.

Figure 2.3: Reachability problem abstraction: correspondence between solution trajectories and solution Parikh vectors

A related problem in Petri nets is the so–called legal firing sequence problem [126].

Definition 14 (Legal Firing Sequence Problem (LFS)) Let a Petri net PN = (P, T, F, w, M0) be given together with a transition occurrence vector ~σ. Then the legal firing sequence problem is to find a firing sequence s starting from M0 such that its Parikh vector is exactly ~σ. The trajectory s is then said to be compliant with the Parikh vector ~σ.

The trajectory problem is strongly related to the LFS problem. Let a (partial) reachability problem be given. First, solve the state equation (inequality): if there is no solution then there exists no trajectory. If there is a solution, it yields a transition occurrence vector. This vector and the Petri net then formulate a legal firing sequence problem: if the LFS problem has a solution then the solution firing sequence is also a solution for the trajectory problem.

Frequently, the search for a trajectory between two states is extended by further requirements: the solution trajectory either has to fulfill special requirements or it has to be optimal according to some metric. In the running example only the structure of the testing and reconfiguration was modeled, without any metrics, although both cost and time parameters are usually critical in such systems. In the following, the most frequently used Petri net extensions are overviewed to show how special features and metrics can be modelled in Petri nets.

2.2 Petri Net Extensions and Reduction Rules

Petri net models can be categorized into several classes based on their modeling purpose. There are several Petri net subclasses like state machines, marked graphs, free-choice nets, extended free-choice nets and asymmetric choice nets (for more details see Section 12.2). There are theoretical results and algorithms elaborated for these subclasses that improve the analysis of system models that fall into one of them (see e.g. [51]). Reduction techniques may simplify the structure of the Petri net, which also facilitates the analysis of large systems. The following reduction rules, depicted in Fig. 2.4, preserve the system properties liveness, safeness and boundedness (see [97]). Moreover, if there is a trajectory between the initial state and a (partial) target state in the reduced Petri net then there is also a trajectory between the two states in the original Petri net.

1. Fusion of serial places. If the net contains two places such that one of them is the only input place of a transition and the other place is the only output place of this transition, then the two places can be merged into one place, omitting the transition. The input transitions of the new place will be the input transitions of both places (except the omitted transition), while its output transitions will be the output transitions of both places (except the omitted transition).

Figure 2.4: Six reduction rules preserving boundedness, liveness, and safeness

2. Fusion of serial transitions. The same can be done for serial transitions.

3. Fusion of parallel places. Two places are parallel if they have exactly one input and one output transition and these are the same for both places. Then the two places can be merged into one place such that the common input (output) transition will be the input (output) transition of the new place.

4. Fusion of parallel transitions. The same can be done for parallel transitions.

5. Elimination of self-loop places. If there is a place that is both the input and output place of a transition and the place is connected only to this transition, then the place can be eliminated if it contains one token. The presence of the token is needed: if there is no token and the place is eliminated then the transition may fire, however it may not fire if the empty place is present in the Petri net.

6. Elimination of self-loop transitions. A transition is a self-loop transition if it has exactly one input and one output place and these are the same place. Since its firing does not change the state of the net, the transition can be eliminated without changing the liveness, safeness and boundedness properties of the Petri net.

These reduction rules give a method to reduce the size of the analyzed ordinary Petri net.

The P/T net introduced above contains only unstructured tokens, i.e. the places may contain a natural number of tokens, but the tokens are not distinguished from each other. However, not all aspects or behaviors of a complex system can be modeled by P/T nets, or some can be modeled only in a very inconvenient way. In order to make Petri nets much more expressive, several extensions were defined that are widely used not only in the field of computer science but also in biology, chemistry, etc.

2.3 Petri Net Extensions

2.3.1 Timed Petri nets

In order to model dynamic systems by Petri nets, time was introduced as delays on places, transitions, and/or tokens. These variants may differ from each other in the semantics of transition firing, where the main question is whether, once a transition becomes enabled, the input tokens are (i) immediately removed from the input places of the transition or (ii) removed only after the time of the transition has been counted down.

For more details see [125] that gives an overview of the variants of timed Petri nets.

• Deterministic Timed Transitions Petri nets (DTTPNs). In [108] deterministic time labels are attached to each transition to denote the duration of its firing, while the firing semantics and the structure of the net are the same as in the case of P/T nets.

In DTTPNs, if a transition is enabled and it is selected to fire, the tokens are removed from its input places at the beginning of the firing and the duration of the transition starts to be counted down. After the duration time has elapsed, the required tokens are put into its output places. This way, conflicting transitions cannot disable each other by stealing tokens during the firing of a transition.

• Priced Timed Petri nets. In real systems not only the time or duration but also the cost of the system operation is crucial in modeling. Cost is introduced into timed Petri nets in [30] as a cost function from places and transitions to natural numbers: the cost of a place is the cost of storing a token per time unit, while the cost of a transition is the cost of performing the transition. Abdulla and Mayr show in the same paper that the infimum of the costs to reach a partial target state (called control state in the paper) is computable if the costs are non-negative.

Daniel D. Sleator investigated the termination of priced Petri nets, where he called transitions reactions and assigned costs to these reactions in the same way [116].

• Time Environment-Relationship Nets. Time was introduced into ER nets in [70] as a distinguished data type: time values are (i) associated with individual tokens and (ii) read and manipulated like other token attributes when firing transitions. The time attribute of a token is its time stamp, the time of the creation of the token. In order to ensure a proper semantics of time, such as time monotonicity and the definition of the time of a transition firing, constraints are specified by the action relation associated with the transitions.

2.3.2 Continuous token flow

There are several fields where the flow of a continuous amount of tokens is desired. The following Petri nets were introduced to relax the integer condition on the token numbers.

• Continuous Petri nets. Continuous Petri nets [114] were defined to enable places to have a large number of tokens. The definition of this structure was motivated by the simplification of the reachability graph of the P/T net, which was too large to carry out the analysis of the system in the case of P/T nets. The markings of places are real numbers in continuous Petri nets, and an enabled transition may fire in any real amount if it has enough input tokens. The weights of the net are nonnegative integers as in the case of P/T nets.

• Hybrid Petri nets. Hybrid Petri nets [47] may contain both continuous and discrete places. In addition, in contrast to continuous Petri nets, there can be both discrete and continuous transitions in hybrid Petri nets.


As Desel and Esparza mention in [51], there is a “clear trade-off between expressive power and the analyzability”: when the expressive power of Petri nets is increased by extending the basic structure, the efficient basic analysis tools cannot be easily applied to the new structure. The literature about decidability and complexity results in Petri nets has grown intensively in the last two decades, and it was proved that even for some special subclasses there are no efficient algorithms, for instance, to solve the reachability problem. In the case of Petri nets with cost or time functions a core problem is to deliver an optimal transition sequence in the Petri net, which was addressed in some related papers overviewed in the following.

2.4 Optimal Firing Sequences in Petri Nets

The problem of an optimal firing sequence is the extension of the partial reachability trajectory problem (see Definition 9) by some metrics. Let a Petri net be given together with a partial target marking and a function that associates values of a metric to transitions. Then the problem is to find a firing sequence that is optimal with respect to the analyzed metric. For instance, if a cost value is assigned to each transition firing then the solution for this problem is a trajectory with minimal cost, i.e. the sum of the costs of the transitions fired in the trajectory has to be minimal. If durations are attached to transitions then a trajectory is optimal if there exists no other firing sequence with a smaller duration. Since transitions may fire in parallel, the duration of a trajectory cannot be defined as the sum of the durations of the firings in the trajectory.

Abdulla and Mayr showed in [29] that the problem of minimal cost reachability and coverability in Priced Timed Petri nets is decidable, and gave a method for computing the infimum of the costs of trajectories that start from a given initial marking and end in a marking that covers a given (potentially partial) marking.

The delivery of a weighted shortest path in Petri nets was investigated in [110] in the case of state machines and marked graphs. The author added costs to the transitions as in the case of Priced Timed Petri nets: a nonnegative real number is attached to each transition as the cost of firing the transition. The shortest path with respect to the cost of the transitions was searched for in the reachability graph of state machines and marked graphs using graph theory based methods.

The shortest path problem in the reachability graph of the Petri net is the special case of the optimal trajectory problem in which each transition has cost 1. In [50] the authors gave a numerical overapproximation for the length of the shortest path between two markings (if it exists) in safe conflict-free and safe extended free-choice Petri nets that is polynomial in the number of transitions.

The current thesis gives a solution for the search for a trajectory starting from an initial state to a (partial) target state that is optimal with respect to some metric in P/T nets. Quantitative parameters are added to P/T nets as a function on transitions, similarly to the cost function in Priced Timed Petri nets. Two metrics are considered in the thesis: cost and deterministic time.

2.4.1 Petri nets with cost

Cost parameters are modeled as in Priced Timed Petri nets: a function is defined on transitions associating nonnegative real numbers to them. Then a cheapest solution is searched for a trajectory problem, where the cost of the trajectory is the sum of the costs of the transitions fired in the trajectory. In addition, a limit costLimit is given for the cost of a trajectory as the cost budget of the system.

Definition 15 A Petri net with cost parameters PNc = 〈PN, c〉 is a Petri net together with a cost function c : T → R+ ∪ {0} that assigns a cost to each transition, denoting the cost of firing the transition.

Then the cost of a firing sequence s is the sum of the costs of the transitions fired in the sequence, formally $c(s) = \sum_{t \in T} c(t) \cdot \vec{\sigma}_s(t)$, where $\vec{\sigma}_s$ is the Parikh vector of the firing sequence s.

Then the cost–optimal trajectory problem can be defined as follows.

Definition 16 (Cost-optimal trajectory problem) Let a Petri net with cost parameters PNc = 〈(P, T, F, w, M0), c〉, together with a partial target marking Mpartial and a costLimit ∈ R+, be given. Then the cost-optimal trajectory problem (shortly cost-OT problem), denoted by OTc = 〈PNc, Mpartial, costLimit〉, is to find a trajectory s starting from M0 such that (i) it covers Mpartial, (ii) the cost of every other trajectory that starts from M0 and covers Mpartial is not smaller than the cost of s, and (iii) the cost of the trajectory does not exceed the cost budget, i.e. c(s) ≤ costLimit.

Formally, find a trajectory s such that M0[s > M, Mpartial ≤ M, and ∀s′, M0[s′ > Ms′, Ms′ ≥ Mpartial : c(s′) ≥ c(s) ∧ c(s) ≤ costLimit.

The state inequality abstraction of the solution trajectories for a coverability problem (see Section 2.1.2) can be extended to an ILP problem as an abstraction of the optimal solutions for the cost-OT problem.

Definition 17 (ILP abstraction of the cost-optimal trajectory problem) Let a cost-optimal trajectory problem OTc = 〈PNc, Mpartial, costLimit〉 be given. Then the following ILP problem is an abstraction of the OT problem, i.e. if an optimal solution Parikh vector ~σ for the ILP problem is fireable then the corresponding trajectory s in the Petri net is a cost-optimal trajectory.

min c · ~σs

subject to Mpartial ≤ M0 +W · ~σs

c · ~σs ≤ costLimit

Example 6 Let us add the following cost parameters to the Petri net in Example 1 in Section 2.1: c(reco_ut_R4A) = 87.5, c(reco_ut_R4B) = 66, c(test_R4A) = 57.2, c(test_R4B) = 36.5, c(reco_R4A) = 42, c(reco_R4B) = 46.7, i.e. c = (87.5, 66, 57.2, 36.5, 42, 46.7). Let the initial marking be M0 = (2, 3, 0, 0, 1), with two untested R4A and three untested R4B storages, and one test cell. The aim is to produce three tested R4A and two tested R4B storages, i.e. to reach Mp = (0, 0, 3, 2, 0) with minimal cost within the budget costLimit = 400.

The reachability graph of the state space of the Petri net consists of 55 states, and there exist several routes leading to a desired end state. All these appropriate paths in the reachability graph reach the state M′ = (0, 0, 3, 2, 1), since the sum of the storages and the number of test cells are always equal to 5 and 1, respectively.

Firing transitions reco_ut_R4A and reco_ut_R4B, or reco_R4A and reco_R4B, after each other leads back to the same state, therefore infinitely many trajectories exist between M0 and M′. Since each transition has non-negative cost, firing these transitions after each other yields unnecessary cost. According to the initial and the target marking, one test per storage and one reconfiguration of an R4B-typed storage is desired. All additional test or reconfiguration activities result in additional cost (see the costs of the reconfiguration operations: it is not worth reconfiguring a storage for the smaller test cost and then re-reconfiguring the storage). The following table lists some of the feasible trajectories together with their cost.

trajectory                                          cost
<2*test_R4A, 3*test_R4B, reco_R4B>                  270.6
<reco_ut_R4B, 3*test_R4A, 2*test_R4B>               310.6
<2*test_R4A, reco_ut_R4B, test_R4A, 2*test_R4B>     310.6
<2*test_R4A, 2*test_R4B, reco_ut_R4B, test_R4A>     310.6

The solution of the ILP problem delivers the Parikh vector (0, 0, 2, 3, 0, 1). Thus an optimal trajectory is a transition firing sequence in which transition test_R4A fires two times, transition test_R4B fires three times, and transition reco_R4B fires once, like the first trajectory in the table. The corresponding minimal cost is 270.6 units, which does not exceed the cost budget.
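The state equation of Section 2.1.2, the legal firing sequence problem of Definition 14 and the ILP abstraction of Definition 17, as an added Python example that is not part of the thesis: the running R4A/R4B net is encoded by pre- and post-weight matrices constructed from the incidence matrix (2.2), a depth-first search plays the role of the LFS check, and the ILP is replaced by a bounded enumeration of Parikh vectors instead of a real solver. The Parikh vector (0, 1, 3, 2, 0, 0) used in the comments is the one read off the firing sequence s listed after Example 5.

```python
"""Added example (not from the thesis): the running R4A/R4B net of Examples 1,
5 and 6, the state equation, a search for a legal firing sequence (LFS) and a
brute-force stand-in for the cost ILP of Definition 17."""
from itertools import product

# Places and transitions in the order of the incidence matrix in (2.2).
PLACES = ["R4A_untested", "R4B_untested", "R4A_tested", "R4B_tested", "test_cell"]
TRANS = ["reco_ut_R4A", "reco_ut_R4B", "test_R4A", "test_R4B", "reco_R4A", "reco_R4B"]
# Pre-weights w(p, t) and post-weights w(t, p), reconstructed from Example 5;
# the test transitions form a self-loop with test_cell, so W = POST - PRE is 0
# in that row although a test-cell token is required for firing.
PRE = [
    [1, 0, 1, 0, 0, 0],
    [0, 1, 0, 1, 0, 0],
    [0, 0, 0, 0, 1, 0],
    [0, 0, 0, 0, 0, 1],
    [0, 0, 1, 1, 0, 0],
]
POST = [
    [0, 1, 0, 0, 0, 0],
    [1, 0, 0, 0, 0, 0],
    [0, 0, 1, 0, 0, 1],
    [0, 0, 0, 1, 1, 0],
    [0, 0, 1, 1, 0, 0],
]
NP, NT = len(PLACES), len(TRANS)
W = [[POST[p][t] - PRE[p][t] for t in range(NT)] for p in range(NP)]
COST = [87.5, 66, 57.2, 36.5, 42, 46.7]  # cost function c of Example 6


def state_equation(m0, sigma):
    """M0 + W * sigma: the marking predicted by the state equation."""
    return tuple(m0[p] + sum(W[p][t] * sigma[t] for t in range(NT)) for p in range(NP))

def enabled(m, t):
    return all(m[p] >= PRE[p][t] for p in range(NP))

def fire(m, t):
    return tuple(m[p] - PRE[p][t] + POST[p][t] for p in range(NP))

def parikh(seq):
    """Parikh vector of a sequence of transition names."""
    sigma = [0] * NT
    for name in seq:
        sigma[TRANS.index(name)] += 1
    return tuple(sigma)

def run(m0, seq):
    """Fire a named sequence from m0; None if some transition is not enabled."""
    m = tuple(m0)
    for name in seq:
        t = TRANS.index(name)
        if not enabled(m, t):
            return None
        m = fire(m, t)
    return m

def legal_firing_sequence(m0, sigma):
    """LFS problem (Definition 14): depth-first search for a firing sequence whose
    Parikh vector is exactly sigma. None means sigma is a spurious solution."""
    def dfs(m, remaining, path):
        if not any(remaining):
            return path
        for t in range(NT):
            if remaining[t] and enabled(m, t):
                remaining[t] -= 1
                found = dfs(fire(m, t), remaining, path + [TRANS[t]])
                remaining[t] += 1
                if found is not None:
                    return found
        return None
    return dfs(tuple(m0), list(sigma), [])

def cost_ilp_bruteforce(m0, m_partial, cost_limit, bound=5):
    """Definition 17 with an exhaustive enumeration of 0..bound firings per
    transition instead of an ILP solver: every sigma with
    M_partial <= M0 + W*sigma and c*sigma <= costLimit, cheapest first."""
    feasible = []
    for sigma in product(range(bound + 1), repeat=NT):
        c = round(sum(ci * si for ci, si in zip(COST, sigma)), 1)
        reached = state_equation(m0, sigma)
        if c <= cost_limit and all(a >= b for a, b in zip(reached, m_partial)):
            feasible.append((c, sigma))
    feasible.sort()
    return feasible

def cost_optimal_trajectory(m0, m_partial, cost_limit):
    """Cost-OT problem: the cheapest ILP solution that is actually fireable."""
    for c, sigma in cost_ilp_bruteforce(m0, m_partial, cost_limit):
        seq = legal_firing_sequence(m0, sigma)
        if seq is not None:
            return c, sigma, seq
    return None

if __name__ == "__main__":
    # Example 5: no test cell, so this solution of the state equation is spurious.
    print(legal_firing_sequence((2, 3, 0, 0, 0), (0, 1, 3, 2, 0, 0)))
    # Example 6: with one test cell the cheapest Parikh vector is fireable.
    print(cost_optimal_trajectory((2, 3, 0, 0, 1), (0, 0, 3, 2, 0), 400))
```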

While the cost metric is additive, the duration of the operation of a Petri net is not additive, since transitions may fire in parallel. In the following, Petri nets with duration and the definition of time-optimal trajectories are given in order to deliver an optimal trajectory in timed Petri nets.


2.4.2 Petri nets with duration

I model time in Petri nets as discrete time: Deterministic Timed Transitions Petri nets are used (based on [108]), where the durations of the transitions are expressed by natural numbers.

Definition 18 A Petri net with duration parameters is a tuple PNd = 〈PN, d〉, where the duration function d : T → N assigns a duration to each transition, denoting the duration of the firing of the transition.

The introduction of time into Petri nets requires also the redefinition of the transition firing.

Definition 19 Let τ ∈ N be an instant of time and M(τ) be the marking of the net at this time instant. In addition, let M(τ, p), p ∈ P, denote the number of tokens in place p at the time instant τ.

Then a transition t ∈ T is said to be enabled at time τ if and only if t is enabled in M(τ), i.e. ∀p ∈ P : M(τ, p) ≥ w(p, t).

When a transition is enabled it can be initiated. Once a transition is initiated, as many tokens are removed from the input places of the transition as defined by the weight function, and the transition is said to be executing. After the duration time d(t) of the transition has elapsed, as many tokens are produced in the output places of the transition as defined by the weight function, and the firing of the transition terminates.

Then the duration d(s) of a firing sequence s is equal to the termination time of the last terminating transition, supposing that the starting time of the firing sequence was 0.

Then the time-optimal trajectory problem can be defined as follows, where timeLimit is a limit for the time of a trajectory as a global time constraint of the system.

Definition 20 (Time-optimal trajectory problem) Let a Petri net with duration parameters PNd = 〈(P, T, F, w, M0), d〉 together with a partial target marking Mpartial and timeLimit ∈ N be given. Then the time-optimal trajectory problem (shortly time-OT problem), denoted by OTd = 〈PNd, Mpartial, timeLimit〉, is to find a trajectory s starting from M0 such that (i) it covers Mpartial, (ii) the duration of every other trajectory s′ that starts from M0 and covers Mpartial is not smaller than the duration of s, and (iii) the duration of the trajectory does not exceed the global time limit, i.e. d(s) ≤ timeLimit.

Formally, find a trajectory s such that M0[s > M, Mpartial ≤ M, and ∀s′, M0[s′ > Ms′, Ms′ ≥ Mpartial : d(s′) ≥ d(s) ∧ d(s) ≤ timeLimit.

If no transitions fire in parallel, the duration of a trajectory can be calculated as the sum of the durations of the fired transitions, as in the case of cost-OT problems. If some transitions are fired in parallel, the duration of the firing sequence will be less than the sum of the durations of the fired transitions. In other words, the sum of the durations of the transitions in a firing sequence yields an upper bound for the duration of the firing sequence.

The aim of my thesis is to give a solution for the optimal trajectory problem, that is, to deliver a (cost- or time-) optimal trajectory starting from the initial state to a (partial) target state in Petri nets. The optimal trajectory problem is tackled in several steps aiming at the restriction of the state space. Petri net analysis methods are used at several abstraction levels in this process (see Figure 2.3): in the first step a candidate transition occurrence vector is selected as the solution of the integer linear programming problem of the optimization problem. The second step checks whether the target state yielded by the candidate Parikh vector is reachable from the initial state. This step is performed by the so-called reachability function, which is the abstraction of the set of reachable states of the Petri net parameterized with the initial and the target marking. The theoretical background of the generation of the reachability function and of model checking of Petri nets is shortly introduced in Section 12.3 and Section 12.4.


Chapter 3

Process Network Synthesis

The solution of the Petri net cost-optimal trajectory problem is based on the integer linear programming problem abstraction of the Petri net: if there is a solution trajectory, then its Parikh vector has to satisfy an integer linear programming (ILP) problem that is an abstraction of the optimal trajectory problem. Process Network Synthesis (PNS) algorithms help to accelerate the traditional methods by completing the solution of the state equation based ILP problem with a structural check.

The ILP problem of the Petri net cost-optimal trajectory problem was described in Definition 17. This ILP problem is integer because the variables ~σ(t), t ∈ T, of the inequality system represent how many times a transition has to be fired in the corresponding trajectory (if it exists), and that number is an integer. The problem is linear because both the constraints and the objective function of the problem are linear.

Since the structure and the objective of a Process Network Synthesis problem are similar to those of the cost-optimal trajectory problem in Petri nets, the adaptability of the elaborated PNS algorithms was investigated. However, Process Network Synthesis problems originally formulate either mixed integer linear or mixed integer nonlinear programming problems. Since the optimization of the Petri net optimal trajectory problem requires the solution of a linear programming problem, only the solutions of linear PNS problems were analyzed. Hereafter a PNS problem means a linear PNS problem. A PNS problem is mixed because noninteger variables are also allowed in the problem: an operating unit may operate for a real number of time units.

In order to solve the cost-optimal trajectory problem in Petri nets, the accelerated B&B process is adapted that was developed for Process Network Synthesis (PNS) problems, which form MILP problems. In the following, the PNS paradigm and its solution methods are introduced. (For more details on linear programming problems see Section 12.5.)

3.1 Process Network Synthesis Problems

The so-called Process Network Synthesis (PNS) problem was introduced in [61, 62] at the beginning of the 1990s. The paradigm of PNS was motivated by chemical engineering production problems. The Center for Advanced Process Optimization, the research group headed by Professor Ferenc Friedler, has elaborated efficient combinatorial algorithms and tool support for PNS problems and several other problems like separation-network synthesis or integration of process and heat exchanger-network syntheses. These dedicated algorithms solve typical network problems that arise in chemical processes and aim at determining an optimal resource allocation and scheduling of materials and operating units described by bipartite graphs. These algorithms exploit the combinatorial properties of such problems, reaching a significant reduction in the computation time compared to the general methods used in the field of network problems. The algorithms were used in several fields like business processes and workflows [120], transportation [40], supply chains [36, 123], evacuation route planning [68] or reliability [78].

Their efficiency and the strong resemblance of PNS problems and the Petri net cost-optimal trajectory problem, both in their graphical representation and in their purpose, motivated the use of PNS methods in the solution of the optimal trajectory problem. In the following a short introduction is given to Process Network Synthesis, while the comparison of the two problems and the use of PNS algorithms in the cost-optimal trajectory problem is discussed in Section 5.1.

3.1.1 Process Network Synthesis problem definition

A PNS problem is a production problem where some desired products have to be produced (i) starting from raw materials, (ii) by using available operating units that transform their input materials into their output materials, (iii) with minimal cost. A PNS problem is represented by the so-called Process-graph [60].

Definition 21 (Process graph, PNS problem.) The structure of a process network synthesis problem is described by a process graph (shortly P-graph). A P-graph (Mat, Op) is a bipartite graph where the two disjoint sets of nodes are the materials Mat and the operating units Op ⊆ P(Mat) × P(Mat), respectively, such that Mat ∩ Op = ∅. Materials can be either raw materials Raw ⊂ Mat, products Prod ⊂ Mat, such that Raw ∩ Prod = ∅ (i.e. a raw material cannot be a desired product at the same time), or intermediate materials that are neither raw materials nor products.

An operating unit op = (α, β), α, β ⊆ Mat, transforms its input materials mat ∈ α into its output materials mat ∈ β. An operating unit oj needs a(mati, oj) units of its input material mati and produces a(oj, matk) units of its output material matk. An operating unit has two types of costs: the fix cost fc(o) of an operating unit o occurs if the operating unit is used during the production. The proportional cost pc(o) is the cost of one unit operation of the operating unit o. In other words, if an operating unit o works for 3.2 time units then the connected cost of the operating unit is fc(o) + 3.2 · pc(o).

The available amount of a raw material rawmat ∈ Raw can be bounded by an upper bound Urawmat. At the same time, the required amount of a product prod ∈ Prod is given by the lower bound Lprod.

Then a Process Network Synthesis (shortly PNS) problem (Prod, Raw, Op) of a process graph (Mat, Op) is to find a production plan such that all products in Prod are produced in the required amount from the available raw materials Raw by the defined operating units Op at minimal overall cost, i.e. the sum of the fix and the proportional costs of the used operating units has to be minimal.

Example 7 In Fig. 3.1 an example P-graph is shown on the left, recalling [61]. Materials and operating units are Mat = {A, B, C, D, E, F, G, H}, Op = {Op1, Op2, Op3, Op4, Op5} = {({C}, {A, E}), ({D}, {A, B}), ({E, F}, {C}), ({G}, {C, D}), ({B}, {H})}. Product Prod = {A} has to be produced by the operating units Op = {Op1, Op2, Op3, Op4, Op5} from the raw materials Raw = {F, G}. The rest of the materials B, C, D, E, H are intermediate materials.

The structure of a solution is a sub-P-graph (Mat′, Op′) of the problem P-graph, Mat′ ⊆ Mat, Op′ ⊆ Op, such that all products are produced by some (defined) operating units from some available raw materials. A combinatorially feasible solution network has to satisfy certain properties. These requirements are expressed by the following five axioms [62], and a corresponding network is called a solution structure.

Definition 22 (Solution structure axioms.) A sub-P-graph (Mat′, Op′) of (Mat, Op) (Mat′ ⊆ Mat, Op′ ⊆ Op) is called a combinatorially feasible solution structure for a PNS problem (Prod, Raw, Op) if it satisfies the following five axioms [62]:

• (A1) every final product is present in the graph,

• (A2) a material has no input operating units if and only if it is a raw material,

• (A3) every operating unit is defined in the synthesis problem,

• (A4) every operating unit has at least one path leading to a final product, and

• (A5) if a material belongs to the graph, it must be an input to or output from at least one operating unit in the graph.

Figure 3.1: Example P-graph

The set of combinatorially feasible solution structures is denoted by S(Prod, Raw, Op), and this set is closed under union. The superstructure of these solution structures is called the Maximal Structure and is denoted by µ(Prod, Raw, Op).

The whole search space of a PNS problem contains 2^{|Op|} − 1 structures if the axioms are not taken into account and only the MILP problem is solved. However, the search space of a chemical engineering application with 35 operating units was reduced from the 2^35 − 1 possible networks to 3465 combinatorially feasible networks (see [64]). The ratio of the reduction, however, strongly depends on the nature of the problem.

Friedler et al. elaborated the so-called Maximal Structure Generation (MSG), Solution Structure Generation (SSG) and Accelerated Branch and Bound (ABB) algorithms to deliver an optimal solution for the PNS problem. The MSG algorithm generates the superstructure of the combinatorially feasible solution structures, excluding the materials and operating units that violate the five axioms. This maximal structure serves as the input of the algorithms SSG and ABB. The SSG algorithm generates all solution structures, while the ABB algorithm delivers an optimal solution for the PNS problem.

These algorithms are described in detail in the following using the notation below.

• the set of input operating units of a set of materials: φ−(Mat′) = {(α, β) ∈ Op | ∃m ∈ Mat′ : m ∈ β}, where Mat′ ⊆ Mat; φ− : P(Mat) → P(Op),


• the set of output operating units of a set of materials: φ+(Mat′) = {(α, β) ∈ Op | ∃m ∈ Mat′ : m ∈ α}, where Mat′ ⊆ Mat; φ+ : P(Mat) → P(Op),

• the set of operating units connected to a set of materials: Φ(Mat′) = φ−(Mat′) ∪ φ+(Mat′), where Mat′ ⊆ Mat; Φ : P(Mat) → P(Op),

• the set of input materials of a set of operating units: ψ−(Op′) = {m ∈ Mat | ∃(α, β) ∈ Op′ : m ∈ α}, where Op′ ⊆ Op; ψ− : P(Op) → P(Mat),

• the set of output materials of a set of operating units: ψ+(Op′) = {m ∈ Mat | ∃(α, β) ∈ Op′ : m ∈ β}, where Op′ ⊆ Op; ψ+ : P(Op) → P(Mat),

• the set of materials connected to a set of operating units: Ψ(Op′) = ψ−(Op′) ∪ ψ+(Op′), where Op′ ⊆ Op; Ψ : P(Op) → P(Mat).

3.1.2 Maximal Structure Generation algorithm

During the mapping of a large-scale process network into a P-graph, some unnecessary operating units and materials may be involved that do not satisfy the five axioms (or they were already present in the original model). The main advantage of allowing redundant problem formulations is on the engineering side, as the engineer can simply formulate all the production possibilities without dealing with the extra constraints confining the solution space.

The MSG algorithm (see [63]) generates the superstructure of the combinatorially feasible solution structures, which is itself a solution structure, by eliminating the unnecessary materials and operating units.

Definition 23 (Maximal Structure.) The union of all solution structures, µ(Prod, Raw, Op), is defined to be the maximal structure, i.e. µ(Prod, Raw, Op) = ⋃_{γ ∈ S(Prod, Raw, Op)} γ.

The Maximal Structure Generation algorithm (shortly MSG) generates the maximal structure of the combinatorially feasible solution structures in polynomial time by excluding those materials and operating units from the initial P-graph that violate any of the five axioms. The algorithm consists of a reduction and a composition part.

• At first, the algorithm excludes the operating units that produce raw materials according to axiom (A2).

• Then materials are omitted that are not connected to any operating unit in Op according to axiom (A5).

• The last step of the reduction part is the elimination of those materials and operating units to which there is no path from any raw material, i.e. they cannot be produced or carried out in the network.

• The composition of the maximal structure starts from the set of products, which have to be in all solution structures according to axiom (A1).

• In each step a material from the current structure is selected and the current structure is extended with the input operating units of this material and the input materials of these operating units. This way all operating units in the current structure satisfy axiom (A4).

• If the current structure cannot be further extended then the current structure is itself the maximal structure.

The MSG algorithm is given in detail in Algorithm 5.

Example 8 The maximal structure of the example in Section 3.1.1 is depicted in Fig. 3.1 on the right: operating unit Op5 is excluded from the structure because it does not satisfy axiom (A4): there is no path from operating unit Op5 to the desired product A.
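As an added example (not the thesis's own Algorithm 5), the reduction and composition parts of MSG run in Python on the P-graph of Table 3.1, with φ−, φ+, ψ−, ψ+ as defined above. The flow amounts are dropped, and the reachability step assumes that a unit can be carried out only when all of its inputs are reachable from the raw materials.

```python
from typing import Dict, FrozenSet, Set, Tuple

OpUnit = Tuple[FrozenSet[str], FrozenSet[str]]   # (alpha: inputs, beta: outputs)

# Structure of the running example, taken from Table 3.1 (flow amounts dropped).
OPS: Dict[str, OpUnit] = {
    "Op1": (frozenset({"C"}), frozenset({"A", "E"})),
    "Op2": (frozenset({"D"}), frozenset({"A", "B"})),
    "Op3": (frozenset({"E", "F"}), frozenset({"C"})),
    "Op4": (frozenset({"G"}), frozenset({"C", "D"})),
    "Op5": (frozenset({"B"}), frozenset({"H"})),
}
RAW: Set[str] = {"F", "G"}
PROD: Set[str] = {"A"}


def phi_minus(mats: Set[str], ops: Dict[str, OpUnit]) -> Set[str]:
    """phi^-(Mat'): operating units that produce some material of Mat'."""
    return {o for o, (_, beta) in ops.items() if beta & mats}


def phi_plus(mats: Set[str], ops: Dict[str, OpUnit]) -> Set[str]:
    """phi^+(Mat'): operating units that consume some material of Mat'."""
    return {o for o, (alpha, _) in ops.items() if alpha & mats}


def psi_minus(opset: Set[str], ops: Dict[str, OpUnit]) -> Set[str]:
    """psi^-(Op'): input materials of the operating units in Op'."""
    return set().union(*(ops[o][0] for o in opset))


def psi_plus(opset: Set[str], ops: Dict[str, OpUnit]) -> Set[str]:
    """psi^+(Op'): output materials of the operating units in Op'."""
    return set().union(*(ops[o][1] for o in opset))


def msg(ops: Dict[str, OpUnit], raw: Set[str], prod: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Maximal structure (Mat', Op') of the PNS problem (prod, raw, ops)."""
    ops = dict(ops)
    # Reduction 1, axiom (A2): a unit that produces a raw material is dropped.
    for o in phi_minus(raw, ops):
        del ops[o]
    # Reduction 2, axiom (A5): only materials connected to some unit survive.
    mats = psi_minus(set(ops), ops) | psi_plus(set(ops), ops)
    # Reduction 3: drop materials and units that no raw material can reach.
    # Assumption: a unit can be carried out only once all its inputs are reachable.
    reach, runnable = raw & mats, set()
    while True:
        new = {o for o, (alpha, _) in ops.items() if o not in runnable and alpha <= reach}
        if not new:
            break
        runnable |= new
        reach |= psi_plus(new, ops)
    ops = {o: ops[o] for o in runnable}
    mats &= reach
    # Composition, axioms (A1)/(A4): start from the products; for every material on
    # the frontier add its producers and their inputs until nothing changes.
    cur_mats, cur_ops, todo = set(prod) & mats, set(), list(prod)
    while todo:
        m = todo.pop()
        for o in phi_minus({m}, ops) - cur_ops:
            cur_ops.add(o)
            for x in ops[o][0]:
                if x not in cur_mats:
                    cur_mats.add(x)
                    if x not in raw:          # raw materials need no producer
                        todo.append(x)
    # The materials of the sub-P-graph are those connected to the chosen units.
    return cur_mats | psi_plus(cur_ops, ops), cur_ops


if __name__ == "__main__":
    mats, units = msg(OPS, RAW, PROD)
    print("maximal structure:", sorted(mats), sorted(units))
```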


Since the excluded materials and operating units cannot be involved in a combinatorially feasible solution structure, the maximal structure is used as the input of the solution process instead of the original PNS problem. In the following two algorithms are shortly described: the Solution Structure Generation (SSG) algorithm generates all combinatorially feasible solution structures, while the Accelerated Branch and Bound (ABB) algorithm delivers an optimal solution of the PNS problem. The branching procedure of the ABB algorithm is based on the SSG algorithm: it takes into account only those branches in the B&B tree that may lead to an optimal solution with a combinatorially feasible solution structure.

3.1.3 Decision mappings

Algorithms SSG and ABB use decision mappings [64, 65] to build the combinatorially feasible solution structures. A decision mapping is the assignment of a subset of its producing operating units to a material, i.e. the decision mapping represents the selection of some operating units that produce a material in the solution network. Since a P-graph can be described by the assignments of the involved materials and a subset of their producing operating units, a solution structure can be described by a decision mapping.

The building of a solution structure by means of decision mappings is carried out as follows. The initial structure involves only the products, all of which have to be produced by some operating units. These products are marked as 'to be produced'. Then a product is selected from the 'to be produced' set and a subset of its producing operating units is assigned to this product. This assignment is added to the decision mapping (which is empty initially) and the selected operating units are added to the current structure. Moreover, the input materials of the selected operating units are marked as 'to be produced', i.e. the decision mapping has to be extended to these materials, too (if they are not already produced). This step is applied iteratively until no materials are left marked as 'to be produced'. Obviously, raw materials do not have to be produced.

This process leads to a solution structure only if (i) each material in the 'to be produced' set can be produced by some operating units and (ii) the decision mapping is consistent, i.e. there is no operating unit in the structure that produces a material but was not selected for this material by its decision mapping.

Definition 24 (Decision mapping.) Let the PNS problem (Prod, Raw, Op) of process graph (Mat, Op) be given. Then the decision mapping of a material m ∈ Mat is (m, δ(m)) where δ(m) ⊆ φ−(m). The decision mapping of a set of materials mats ⊆ Mat is defined as δ[mats] such that δ[mats] = {(X, δ(X)) | X ∈ mats}.

In order to define a consistent decision mapping, the notion of the complement of a decision mapping has to be introduced.

Definition 25 (Complement of a decision mapping.) The complement of a decision mapping (m, δ(m)) of material m ∈ Mat is defined by δ∗(m) = φ−(m) \ δ(m). The complement of a decision mapping δ[mats] of a set of materials mats ⊆ Mat is defined by δ∗[mats] = {(X, δ∗(X)) | X ∈ mats}.

Informally, the operating units in the complement of a decision mapping are those operating units that were not selected to produce a material.

If each operating unit is selected either for all of its output materials or for none of its output materials in the decision mapping, then the decision mapping is consistent. In other words, a decision mapping is consistent if there exists no operating unit in the structure which is selected in the decision mapping for some but not all of its output materials.

Definition 26 (Consistent decision mapping, P-graph of a consistent decision mapping.) A decision mapping δ[mats] is said to be consistent if |mats| ≤ 1, or ∀X, Y ∈ mats : (δ(X) ∩ δ(Y)) ∪ (δ∗(X) ∩ δ∗(Y)) = φ−(X) ∩ φ−(Y).

The P-graph of a consistent decision mapping δ[mats′] is graph(δ[mats′]) = (mats, opunits), where opunits = ⋃_{x ∈ mats′} {c | (x, c) ∈ δ[mats′]}, and mats = Ψ(opunits) ∪ mats′. Informally, the P-graph of a consistent decision mapping is the P-graph spanned by the operating units selected in the decision mapping.


Conversely, the decision mapping of a P-graph (Mat, Op) is defined as δ[Mat] = {(X, δ(X)) | X ∈ Mat, δ(X) = φ−(X)}. Formally, the decision mapping of a P-graph consists of decision mappings where exactly the set of its input operating units is assigned to each material. Moreover, the decision mapping of a P-graph is consistent.

The building of a solution structure is the same as the composition part of the maximal structure, except that not the whole set but a subset of the producing operating units is added for the selected material. These assignments form a set of decision mappings. Algorithms SSG and ABB deliver the solution structures or the optimal solution by extending a current consistent decision mapping such that it remains consistent and may lead to some solution structure. As a solution structure (being a sub-P-graph) represents a consistent decision mapping, we can speak about the combinatorially feasible solution structures of a consistent decision mapping, as defined in the following.

Definition 27 (Combinatorially feasible solution structures of a consistent decision mapping.) The set of combinatorially feasible solution structures of a consistent decision mapping δ[mats_i] is S(δ[mats_i]): the set of solution structures that are consistent extensions of δ[mats_i]. Formally, S(δ[mats_i]) := {δ[mats_k] | δ[mats_k] ≥ δ[mats_i] ∧ graph(δ[mats_k]) ∈ S(P, R, Op)}, where δ[mats_k] ≥ δ[mats_i] denotes that δ[mats_k] is a consistent extension of decision mapping δ[mats_i].

Let a consistent decision mapping δ[mats] be given such that this decision mapping can be extended to at least one combinatorially feasible solution structure. Then the extension of the current decision mapping by the decision mapping (x, d) (d ≠ ∅) is called a direct neutral extension of the consistent decision mapping if (i) the extended decision mapping δ[mats] ∪ {(x, d)} can still be extended to a combinatorially feasible solution, and (ii) any other selection of operating units that produce material x would lead to no combinatorially feasible solution.

Definition 28 (Direct neutral extension of consistent decision mapping.) Let S(δ[mats]) ≠ ∅ be the set of solution structures of a PNS problem. Then δ′[mats ∪ {x}] = δ[mats] ∪ {(x, d)} is a direct neutral extension of consistent decision mapping δ[mats], if x ∈ (⋃_{m ∈ mats} {ψ−(c) | (m, c) ∈ δ[mats]} ∪ Prod) \ (mats ∪ Raw), d ⊆ ψ−(x), and S(δ[mats] ∪ {(x, c)}) = ∅ for all c ∈ P(ψ−(x)) \ {∅, d}.

A direct neutral extension of a consistent decision mapping takes action if there exists a material x for which

• either for all its input operating units it is already determined by the decision mapping whether it is included in the structure or not, i.e. ∀opunit ∈ φ−(x) : ∃mat ∈ mats : opunit ∈ δ(mat) ∨ opunit ∈ δ∗(mat). Then the set d is exactly the set of those input operating units of x that are already selected, i.e. d = φ−(x) ∩ {opunit ∈ Op | ∃mat ∈ mats : opunit ∈ δ(mat)}. Then it holds that the selection for x of any other nonempty subset of its input operating units would lead to an inconsistent decision mapping, i.e. it would lead to no solution structure.

• or there is exactly one input operating unit of material x: since x has to be produced, this operating unit has to be included in the structure.

A sequence of direct neutral extensions is a maximal neutral extension if it has no further direct neutral extension. It can easily be shown that the set of combinatorially feasible solution structures of a consistent decision mapping and of its maximal neutral extension is the same, since the direct neutral extensions represent straightforward extensions towards a solution structure.

Definition 29 (Maximal neutral extension.) Decision mapping δ_n[mats_n], n = 0, 1, . . ., is a neutral extension of consistent decision mapping δ_0[mats_0] if there exists a sequence of consistent decision mappings δ_0[mats_0], δ_1[mats_1], . . . , δ_n[mats_n] such that δ_i[mats_i] is the direct neutral extension of δ_{i−1}[mats_{i−1}], ∀i = 1, 2, . . . , n. Consistent decision mapping δ[m̂ats] is the maximal neutral extension of consistent decision mapping δ[mats] if it is a neutral extension of δ[mats] and it has no direct neutral extension. Obviously, S(δ[mats]) = S(δ[m̂ats]).


Example 9 Let δ[A] = {(A, Op2)} be given as a decision mapping of the PNS problem described in Example 7. Then its maximal neutral extension is δ[A] = {(A, Op2), (D, Op4)}. The P-graph of this maximal neutral extension is represented by solution structure S4 in Fig. 12.5.

The use of consistent decision mappings helps avoid the unnecessary generation of redundant solution structures in the Solution Structure Generation algorithm, while the generation of a maximal neutral extension of a decision mapping reduces the number of lower bound computations in the Accelerated Branch and Bound algorithm.

3.1.4 Solution Structure Generation algorithm

The search for the optimal process network is a numeric search on the combinatorially feasible solution structures. Since the underlying P-graph structure of an optimal structure is combinatorially feasible, the numeric MILP model of the problem is based on the maximal structure that comprises all combinatorially feasible solution structures. In the following the generation of all solution structures is presented by the so-called Solution Structure Generation algorithm.

The input of the algorithm is the maximal structure of the PNS problem. The algorithm generates all solution structures: only solution structures, and each of them exactly once, in the form of consistent decision mappings.

The algorithm maintains

• a set of materials to_be_produced that contains those materials that are not covered by the actual decision mapping but have to be produced by some operating units, i.e. the decision mapping has to be extended to these materials,

• a set of materials prod_mats that contains the materials that are already produced by some operating units in the decision mapping,

• and a decision mapping δ for the set prod_mats that will represent a solution structure when the procedure terminates.

Since each solution structure has to contain all products (according to Axiom (A1)), the set to_be_produced is initialized to the set of products. In each step a material mat of this set is selected to be produced: each subset producers of the possible operating units that produce this material is checked. If the decision mapping together with the Cartesian product of the selected material and the producer set remains consistent then

• the selected material is excluded from the set to_be_produced and it is added to the set prod_mats,

• the Cartesian product of the selected material and its producer set (mat, producers) is added to the actual decision mapping, and

• the input materials ψ−(producers) of the operating units in the producer set have to be produced, i.e. they are added to to_be_produced if they are not already produced, not already in this set, and not raw materials.

Then the algorithm calls the same procedure recursively for the extended decision mapping and the updated sets as its parameters, as long as the set to_be_produced is nonempty.

Due to the construction, the resulting decision mappings satisfy all the axioms, i.e. each of them represents a solution structure. Since all possible mappings are taken into consideration, all of them are generated. The use of consistent decision mappings and the selection mechanism of the materials to_be_produced guarantee that each solution structure is generated exactly once.
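The decision-mapping machinery of Section 3.1.3 (consistency, direct and maximal neutral extension) and the SSG procedure just described, as an added Python example that is not the thesis's Algorithm 2: it enumerates all solution structures of the maximal structure of the Table 3.1 example as consistent decision mappings, and reproduces the extension of Example 9 from δ[A] = {(A, Op2)} to {(A, Op2), (D, Op4)}. The material selected from to_be_produced is the alphabetically smallest one (an assumption; any fixed rule works).

```python
from itertools import combinations
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Maximal structure of the Table 3.1 example (Op5 removed by MSG): (inputs, outputs).
OPS: Dict[str, Tuple[FrozenSet[str], FrozenSet[str]]] = {
    "Op1": (frozenset({"C"}), frozenset({"A", "E"})),
    "Op2": (frozenset({"D"}), frozenset({"A", "B"})),
    "Op3": (frozenset({"E", "F"}), frozenset({"C"})),
    "Op4": (frozenset({"G"}), frozenset({"C", "D"})),
}
RAW: Set[str] = {"F", "G"}
PROD: Set[str] = {"A"}
Delta = Dict[str, FrozenSet[str]]   # decision mapping: material -> delta(material)


def phi_minus(m: str) -> FrozenSet[str]:
    """phi^-(m): the operating units producing material m."""
    return frozenset(o for o, (_, beta) in OPS.items() if m in beta)


def consistent(delta: Delta) -> bool:
    """Definition 26: a unit producing X and Y is selected for both or for neither."""
    for x in delta:
        for y in delta:
            common = phi_minus(x) & phi_minus(y)
            cx, cy = phi_minus(x) - delta[x], phi_minus(y) - delta[y]   # delta*(x), delta*(y)
            if (delta[x] & delta[y]) | (cx & cy) != common:
                return False
    return True


def ssg(to_be_produced: Set[str], prod_mats: Set[str], delta: Delta, found: List[Delta]) -> None:
    """SSG recursion: each consistent, complete decision mapping is one solution structure."""
    if not to_be_produced:
        found.append(dict(delta))
        return
    mat = min(to_be_produced)                    # assumed selection rule
    cands = sorted(phi_minus(mat))
    for k in range(1, len(cands) + 1):           # every nonempty producer subset
        for producers in combinations(cands, k):
            ext = dict(delta, **{mat: frozenset(producers)})
            if not consistent(ext):
                continue                         # inconsistent: this branch is dead
            new_prod = prod_mats | {mat}
            # inputs of the chosen units must be produced unless done or raw
            inputs = set().union(*(OPS[o][0] for o in producers))
            new_tbp = (to_be_produced - {mat}) | (inputs - new_prod - RAW)
            ssg(new_tbp, new_prod, ext, found)


def solution_structures() -> List[FrozenSet[str]]:
    """Operating-unit sets of all combinatorially feasible solution structures."""
    found: List[Delta] = []
    ssg(set(PROD), set(), {}, found)
    return [frozenset().union(*d.values()) for d in found]


def direct_neutral_extension(delta: Delta) -> Optional[Tuple[str, FrozenSet[str]]]:
    """One step of Definition 28, via the two cases listed after it."""
    selected = frozenset().union(*delta.values())
    decided = frozenset().union(*(phi_minus(m) for m in delta))   # in delta or delta*
    frontier = set().union(*(OPS[o][0] for o in selected)) | PROD
    for x in sorted(frontier - set(delta) - RAW):
        producers = phi_minus(x)
        if producers <= decided:                 # case 1: every producer of x is decided
            d = producers & selected
            if d:                                # empty d: x could not be produced at all
                return x, d
        elif len(producers) == 1:                # case 2: a single producer, forced
            return x, producers
    return None


def maximal_neutral_extension(delta: Delta) -> Delta:
    """Definition 29: apply direct neutral extensions until none is left."""
    delta = dict(delta)
    step = direct_neutral_extension(delta)
    while step is not None:
        x, d = step
        delta[x] = d
        step = direct_neutral_extension(delta)
    return delta


if __name__ == "__main__":
    for s in solution_structures():
        print(sorted(s))
    print(maximal_neutral_extension({"A": frozenset({"Op2"})}))   # Example 9
```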

The SSG algorithm is given in detail together with an example in Algorithm 2.

A PNS problem consists not only of a structure but also of cost parameters and flow amounts of the materials that are consumed and produced by the operating units.


In Table 3.1 the input and output flow amounts of materials of each operating unit are shown together with their fix and proportional cost. For instance, operating unit Op1 consumes 5 units of material C and produces 4 and 1 units of materials A and E, respectively. The prices of raw materials F, G are 0.8 and 1.6, respectively. Only 10 units of raw material F are available, while the use of raw material G is unrestricted. The aim is to produce at least 4 units of material A.

Operating unit   Input materials   Output materials   Fix cost   Proportional cost
Op1              C (5)             A (4), E (1)       4          1
Op2              D (9)             A (8), B (1)       3          1
Op3              E (1), F (4)      C (5)              2          1
Op4              G (10)            C (1), D (9)       2          0.5
Op5              B (2)             H (1)              3          0.5

Table 3.1: Data of operating units

Both the consumption of raw materials and the operation of the operating units have costs. The PNS problem is to deliver a process with minimal cost that produces the products in the required amount from raw materials using the defined operating units. The overall cost of a process is the sum of (i) the cost of the consumed raw materials, (ii) the fix cost of the operating units that were selected for the production, and (iii) the cost of the operating units that is proportional to their use.

Algorithm SSG computes only the solution structures but does not deliver an optimal solution for the optimization problem. Nevertheless, the idea of SSG to build the solution structures along consistent decision mappings can be used to accelerate the traditional Branch and Bound method.

3.1.5 Combinatorially Accelerated Branch and Bound algorithm

The optimal solution of a PNS problem is generated by the so-called Accelerated Branch and Bound algorithm (shortly ABB algorithm). The mathematical model of the PNS problem is formulated as a mixed integer linear programming problem that can be solved for example by the Branch and Bound algorithm shown in Section 12.5. However, in a typical chemical engineering example the traditional B&B algorithm could lead to a huge number of branchings and therefore lower bound calculations. The acceleration in the ABB algorithm is reached by exploiting the special structure of the problem using the maximal neutral extension of a given decision mapping.

The PNS problem formulates a MILP problem as follows.

• For each operating unit op two variables are introduced: a binary (integer) variable y_op that is equal to 1 if the operating unit is included in the given structure and equal to 0 if the operating unit is excluded from the structure, and a continuous variable x_op that represents the amount of use of the operating unit.

• The constraints of the problem are the mass balance constraints for each material: the consumed amount of a material must not exceed the sum of the available amount and the produced amount of the same material. The consumed (produced) amount of a material is calculated as the sum of the products of the continuous variables of the output (input) operating units of the material and the corresponding defined material flow. The amount of material m consumed by an operating unit op is denoted by a(m, op), while the amount of material m produced by an operating unit op is denoted by a(op, m).

• Furthermore, the relation between the binary and the continuous variable of an operating unit is described by two inequalities x_op ≤ K · y_op and y_op ≤ K · x_op using a number K big enough, i.e. if y_op = 0 then x_op = 0 and if y_op = 1 then 0 < x_op.

• Additional constraints are given (i) for the consumption of the raw materials in the form of upper bounds for the use of the output operating units of the raw materials and (ii) for the production of the products as lower bounds to reach the desired amount of them.


• The objective function is to minimize the overall cost of the production, which consists of the cost of the raw materials and the fix and proportional cost of the operating units.

The problem is a mixed integer one because the binary variables are restricted to be integer while the other variables are not restricted to integer values (the MILP problem is shown in Section 12.5.1).

The ABB algorithm is based on the SSG algorithm (see Sec. 3.1.4). The input of the algorithm is the maximal structure of the PNS problem together with the MILP problem that describes the material flow in the P-graph. The output of the algorithm is a vector r ∈ R^{|Op|} representing the operating units contained in the optimal network together with their operating rates. This vector determines the production of the required products: the operating units that have a nonzero-valued variable span the P-graph of the optimal solution, while the corresponding rates define the use of these operating units and thus the whole production.

The ABB algorithm maintains

• a set of materials to_be_produced that contains those materials that are not covered by the actual decision mapping but have to be produced by some operating units, i.e. the decision mapping has to be extended to these materials,

• a set of materials prod_mats that contains the materials that are already produced by some operating units in the decision mapping,

• and a decision mapping δ for the set prod_mats that will represent a solution structure when the procedure terminates.

The ABB algorithm is a modification of the traditional Branch and Bound algorithm (see Section 12.5).

Bounding. The bounding step or numerical cut is performed by some conventional method (e.g. an interior point method): a lower bound is calculated for the relaxation of a subproblem (see the BOUND function in Alg. 3). In other words, the objective value of each solution of the current subproblem exceeds this lower bound. Thus the current subproblem is pruned if there is another solution with a lower objective value than this bound, and only subproblems with a lower value are taken into consideration.

Branching. Branching or logical cut is performed along the possible extensions of the current consistent decision mapping. The extension of the decision mapping follows the same approach as in the case of algorithm SSG: a material mat is selected from the to_be_produced set and each subset producers of the possible operating units that produce this material is checked. If the decision mapping together with the Cartesian product of the selected material and the producer set remains consistent then

• the selected material is excluded from the set to_be_produced and it is added to the set prod_mats,

• the Cartesian product of the selected material and its producer set (mat, producers) is added to the actual structure, and

• the neutral extension of the new decision mapping is checked as to whether it may lead to a solution structure. If it does not lead to any solution structure, the current branch is pruned. Otherwise a new branch is started by calling the same procedure recursively for the extended decision mapping and the updated sets as its parameters, as long as the set to_be_produced is nonempty (see procedure ABBD()).

Initially, the set to_be_produced contains the materials that are involved in the neutral extension of the empty material set, i.e. those materials that have to be produced in every solution structure. This decision mapping is calculated from the set of products since they have to be present in each solution structure.

The initial problem consists of this initial to_be_produced set, the corresponding material set involved in the decision mapping, prod_mats, and the decision mapping δ[prod_mats]. If it is a solution structure (i.e. there are no more materials to be produced in the set to_be_produced) with a finite objective value, then there is only one solution for the PNS problem and the algorithm terminates.

If it is not a solution structure, the ABBD procedure is called with the above parameters (see the ABBD() procedure call in Line 14 in Alg. 3). The ABBD algorithm applies the bounding and branching steps to the current problem.

If the set to_be_produced becomes empty on a branch (i.e. a leaf is reached in the Branch and Bound tree), a solution structure is found together with a rate vector that is a candidate for the optimal solution. If there are no more branches to be traversed, the candidate solution with the lowest objective value is the optimum of the PNS problem.

Algorithm 3 realizes algorithm ABB with depth–first search strategy.

Example 10 The optimal solution of our running example in Example 7 is (0, 0.5, 0, 0.5), i.e. the optimal solution involves only operating units Op2 and Op4, which both operate for 0.5 time units. The cost of this solution is 5.75 since there is no cost for the raw materials. The P-graph of the solution is depicted in Fig. 12.5 as S4.


Chapter 4

System Modeling with Graph Transformation Systems

Graph transformation systems (GTSs) are widely used in modeling complex systems. In the last decade several extensions of GTSs arose that contain quantitative metrics, as in the case of Petri nets. These kinds of GTSs motivated the formalization of the optimal trajectory problem in GTSs. Hereafter an introduction is given into graph transformation systems (GTSs) following the double-pushout (DPO) approach [46].

4.1 Graphs and Typed Graphs.

The distinction between schema and instance level was first introduced in database models like the relational or the entity-relationship model, and it is fundamental to object-oriented modeling. In the DPO approach to graph transformation, this distinction is formalized by the notions of type and instance graph.

Definition 30 (Graphs and graph morphisms) Graphs are directed unlabeled graphs G = (N, E, src_G, trg_G) with a set N of nodes, a set E of edges, and source and target functions src_G, trg_G : E → N associating with each edge its source and target nodes.

A graph homomorphism f : G → H between two graphs is a pair of functions {f_N : N → N_H, f_E : E → E_H} preserving source and target, that is, src_H ∘ f_E = f_N ∘ src_G and trg_H ∘ f_E = f_N ∘ trg_G.

Definition 31 (Typed graphs) Given a graph TG, called type graph, a TG-typed (instance) graph consists of a graph G together with a typing homomorphism g : G → TG associating with each node and edge x of G its type g(x) = t in TG. In this case, we also write x : t ∈ G. A TG-typed graph morphism between two TG-typed instance graphs ⟨G, g⟩ and ⟨H, h⟩ is a graph morphism f : G → H which preserves types, that is, h ∘ f = g.

Example 11 Let us revisit the storage example in Example 1 and model it as a graph transformation system. Fig. 4.1 shows the type graph TG and a corresponding instance graph G0 for the storage example. Hereafter UML notation [99] is used such that the type and instance graphs are represented as class and object diagrams, respectively. Thus, v : t denotes a vertex v of type t. If not of interest, the name of the vertex is omitted.

The type graph introduces the vertex types R4A, R4B and Test_cell. The edge types R4A_tested from R4A to R4A as well as R4B_tested from R4B to R4B represent the state of a storage: if there is no tested edge connected to the node then the storage is not tested; if there exists a tested edge connected to the storage then the storage is tested. The reserved edge type from Test_cell to Test_cell represents the state of the test cell, whether it is in use or not, while the edge types test_R4A and test_R4B from R4A to Test_cell and from R4B to Test_cell model the testing of the corresponding storages: if there is a test_R4A edge between an R4A-typed storage and a Test_cell, the storage is under testing.

An instance graph G0 typed by TG is shown on the right with storages s1 and s2 of type R4A, s3 of type R4B and a test cell t1 of type Test_cell. The storage s1 is under testing by test cell t1, i.e. there is a test_R4A-typed edge connecting s1 and t1. Storage s2 is already tested and storage s3 has not been tested yet. Formally, the typing homomorphism g : G0 → TG is g(s1) = g(s2) = R4A, g(s3) = R4B, g(t1) = Test_cell. Since there can exist at most one edge of a given edge type between two nodes, the typing homomorphism of the edges is given by writing the edge type on the edge in the instance graph.

Figure 4.1: An example type and instance graph

4.2 Typed Graph Transformations

The instance graph can be changed by using graph transformation rules.

Definition 32 (Graph transformation rule.) A graph transformation (GT) rule typed over a type graph TG is given by $r = (L \xleftarrow{l} K \xrightarrow{r} R)$ where L (left-hand side), K (context) and R (right-hand side) are graphs typed over TG and the graph morphisms l, r are injective. The negative application conditions (NACs) of a GT rule form a (potentially empty) set of pairs (N, n) with N being a graph also typed over TG and n : L → N an injective graph morphism. In addition, a rule may have several NACs.

During the application of a rule an occurrence of the left-hand side in the instance graph is replaced by the right-hand side. The left-hand side L of the rule contains the items that must be present for the application of the rule, while the right-hand side R contains those that are present afterwards. The context graph K specifies the "gluing items", i.e. the objects which are read during the rule application but are not consumed. A rule can be applied if all negative conditions are satisfied. Negative application conditions represent forbidden pre-conditions for the application of a rule, i.e. structures that must not be present for the application of the rule.

Definition 33 (Rule application, graph transformation step and sequence.) The application of a rule $r = (L \xleftarrow{l} K \xrightarrow{r} R)$ to a host graph G alters the model graph by replacing the pattern defined by L with the pattern of R. This is performed by (i) finding a match of the L pattern in model G; (ii) checking the negative application conditions N, i.e. the rule may be applied only if there is no match of N in G prohibiting the presence of certain elements; (iii) removing the part of the model that can be mapped to the L pattern but not to the R pattern, yielding an intermediate graph D; (iv) adding the new elements to the intermediate graph D which exist in R but not in L, yielding the derived graph H.

The application of a rule to a graph G resulting in graph H is called a graph transformation step (shortly GT step) and is denoted as $G \xRightarrow{r,o} H$, where o : L → G defines the match of the elements of L in G.

A graph transformation sequence (GT sequence) is a sequence of GT steps, i.e., a sequence of rule applications: $G_0 \xRightarrow{r_1} G_1 \xRightarrow{r_2} G_2 \xRightarrow{} \ldots$ A GT sequence starting from graph G and yielding G′ is denoted shortly by $G \xRightarrow{*} G'$, where ∗ denotes that more than one GT step may belong to the GT sequence.


A core problem in applying a rule to an instance graph is how to handle the edges connected to a node that has to be deleted, and whether the matching morphism has to be injective or not. If these issues are not handled in the rule definitions, the application of a rule may result in a structure that is not a graph. Two approaches, the Single Pushout and the Double Pushout approaches, are distinguished in the literature to handle this problem []; they differ from each other in the definition of the identification and the dangling edge conditions.

The identification condition states that objects from the left-hand side may only be identified as the same by the match if they also belong to the context graph K, i.e. they are preserved. This condition avoids the conflict when a node has to be deleted and preserved at the same time according to the matching of the left-hand side of a rule. In the DPO approach this condition has to be satisfied, while in the SPO approach the conflict is resolved such that the corresponding node is deleted.

The dangling condition ensures that the structure obtained by removing from the instance graph all objects that are to be deleted is indeed a graph, that is, no edges are left "dangling" without source or target node. In the SPO approach the possible dangling edges are deleted implicitly, i.e. if a node is deleted, all the connected edges are deleted implicitly. At the same time, in the DPO approach all edges have to be deleted explicitly by the definition of the rule. Otherwise, the rule cannot be applied in case of a dangling edge.

In the thesis I follow the Double Pushout Approach. Finally, the definition of the graph transformation system is given, followed by an example.
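The two conditions above can be checked mechanically before a rule is applied. The following is an added example, not code from the thesis: a constructed graph, a constructed node-deleting rule (nodes and edges named after the storage example, but not its actual rules) and a match, with the DPO gluing check beside the implicit SPO deletion.

```python
# Added example (not from the thesis): the DPO gluing condition, i.e. the
# identification and dangling conditions of the text, checked before a
# node-deleting rule is applied, and contrasted with SPO, which deletes
# dangling edges implicitly. Graph, rule and matches are constructed.

# A graph: node ids plus directed labelled edges (source, label, target).
G_NODES = {"st1", "st2", "tc1", "rack1"}
G_EDGES = {
    ("st1", "test_R4A", "tc1"),      # st1 is under test in cell tc1
    ("tc1", "reserved", "tc1"),      # tc1 is allocated
    ("st1", "located_in", "rack1"),  # an edge the rule does not mention
    ("st2", "tested_R4A", "st2"),
}

# Constructed rule "scrap_storage": L is a storage 'st' under test in a
# cell 'tc'; K keeps only 'tc', so 'st' and its test edge are deleted.
RULE_L_NODES = {"st", "tc"}
RULE_L_EDGES = {("st", "test_R4A", "tc")}
RULE_K_NODES = {"tc"}
RULE_K_EDGES = set()


def identification_ok(match, l_nodes, k_nodes):
    """Identification condition: two L nodes may be mapped to the same G
    node only if both are preserved (in K); otherwise that G node would
    have to be deleted and preserved at the same time."""
    first_preimage = {}
    for l in l_nodes:
        other = first_preimage.setdefault(match[l], l)
        if other != l and not (l in k_nodes and other in k_nodes):
            return False
    return True


def dangling_edges(match, l_nodes, k_nodes, l_edges, g_edges):
    """Edges of G incident to a node the rule deletes that are not images
    of an L edge; DPO refuses them, SPO deletes them implicitly."""
    deleted = {match[l] for l in l_nodes - k_nodes}
    matched = {(match[s], lab, match[t]) for (s, lab, t) in l_edges}
    return {e for e in g_edges
            if (e[0] in deleted or e[2] in deleted) and e not in matched}


def delete_phase(g_nodes, g_edges, match, approach="DPO"):
    """Deletion phase G -> D of applying the rule above at `match`.
    Returns (nodes, edges) of D, or None when DPO refuses the match."""
    dang = dangling_edges(match, RULE_L_NODES, RULE_K_NODES,
                          RULE_L_EDGES, g_edges)
    ident = identification_ok(match, RULE_L_NODES, RULE_K_NODES)
    if approach == "DPO" and (dang or not ident):
        return None
    deleted_nodes = {match[l] for l in RULE_L_NODES - RULE_K_NODES}
    deleted_edges = {(match[s], lab, match[t])
                     for (s, lab, t) in RULE_L_EDGES - RULE_K_EDGES}
    if approach == "SPO":
        deleted_edges |= dang            # dangling edges go with the node
    return (g_nodes - deleted_nodes, g_edges - deleted_edges)
```

With the `located_in` edge present, DPO refuses the match at `st1` while SPO deletes `st1` together with that edge; once the edge is absent, DPO applies and yields the same graph.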

Definition 34 (Graph transformation system.) A graph transformation system GTS = (R, TG) consists of atype graph TG and a finite set of graph transformation rules R typed over TG.

Example 12 Figure 4.2 shows four rules reco_ut_R4A, start_test_R4A, test_R4A, reco_R4A typed over the type graph in Fig. 4.1 for the storage example. The rules reco_ut_R4B, start_test_R4B, test_R4B, reco_R4B are not depicted here; however, they are the same for the storage type R4B. The rules reco_ut_R4A and reco_ut_R4B describe the reconfiguration of the untested storages, rules reco_R4A and reco_R4B describe the reconfiguration of the tested storages, while rules start_test_R4A, test_R4A, start_test_R4B, test_R4B describe the testing of storages. Hereafter only the testing of an R4A–typed storage is discussed in detail.

Figure 4.2: Storage example rules


The testing here is different from the test transition in the Petri net model. The testing of an untested storageconsists of two steps. At first the test is started: a free test cell is reserved for the test of an untested storage.The second step is the execution of the test. These steps are described by rules start_test_R4A and test_R4A,respectively.

A storage can be tested if (i) it is not tested yet, i.e. there is no R4A_tested edge connected to it, (ii) its test has not started yet, i.e. there is no test cell connected to it by a test_R4A edge, and (iii) there exists a free test cell, i.e. there is no reserved edge connected to the test cell node. These conditions are described by the negative application conditions NAC1-3, respectively, where test cells tc1 and tc2 can be the same test cell. If there exists such a storage st1 and test cell tc1, rule start_test_R4A is applied: a test_R4A edge is drawn from st1 to st1 representing the start of the test, and tc1 gets an edge reserved denoting its allocation for the test of st1.

The test of a storage is carried out by applying rule test_R4A: the rule searches for an R4A–typed storage that has a test_R4A edge to a test cell that has a reserved edge connected to itself. After the test is carried out, a self–loop edge tested_R4A is created for the storage denoting its state, and the other edges are deleted, i.e. the test cell becomes free again and the storage is no longer under test. The formal representation of rule test_R4A is shown in Fig. 4.3 together with the context graph K, the NAC graphs and the corresponding morphisms.

Figure 4.3: Formal representation of rule test_R4A

There are three rules test_R4A, reco_R4B and reco_ut_R4B that can be applied to the instance graph G0 in Fig. 4.1. The application of rule test_R4A to the instance graph G0 leads to the instance graph G1, depicted together with the GT step $G_0 \stackrel{test\_R4A,o}{\Longrightarrow} G_1$ in Fig. 12.7. The graph transformation system of the storage example consists of the type graph TG and the eight rules R = {reco_ut_R4A, start_test_R4A, test_R4A, reco_R4A, reco_ut_R4B, start_test_R4B, test_R4B, reco_R4B}. A graph transformation sequence in the storage example is shown in Fig. 12.8 in the Appendix: starting from the instance graph G0, rules test_R4A, start_test_R4B, test_R4B are applied one after another, leading to graph G3.


Chapter 5

Petri Nets and Process Network Synthesis

The current chapter focuses on the comparison of Petri net cost–optimal trajectory problems and PNS problems. Petri nets and P-graphs have a similar graphical representation: both structures are bipartite graphs, with nodes for places and transitions, and for materials and operating units, respectively. In addition, transitions have the same task as operating units: they transform their input objects into their output objects. Also the aims of the Petri net optimal trajectory problem and of PNS problems resemble each other: how to reach a given state starting from an initial state in an optimal way.

However, there are some basic differences between the chemical engineering models and the modeling of information systems, according to their different modeling purposes. In chemical engineering the materials are usually produced by a sequence of operations and they are circulated only in a few, a priori defined processes. The process may use catalyst materials that are used and also produced in the same amount. In chemical engineering these catalysts are supposed to be available although they are not denoted as raw materials, i.e. they can be 'borrowed' from somewhere else to make the production possible. At the same time, information or resources like machines in an information system can be the input of arbitrarily many processes such that these information or resources are not consumed. In contrast to the catalyst materials, these information or resources have to be present a priori in the information system and cannot be 'borrowed'.

Another difference is the handling of the byproducts. Byproducts can be produced in both models. Usually in production systems the condition of the storage of a byproduct depends on its type: either it has to be stored, i.e. there is a constraint on the amount of the byproduct, or it does not have to be stored, i.e. the storage can be seen as infinite. In information systems, an entity (that can also be a byproduct) modeled by a place either can be stored or has to be deleted at the end of the process, like temporary files or some contents.

Thus PNS problems form partial reachability problems as they focus only on the production of the desired endproducts without taking into account the unused amount of intermediate materials and byproducts. In informationsystems, it may occur that places have to be emptied at the end of the process, i.e. the required amount of thetokens at these places is 0. If there is an exact required amount of tokens for all places in the Petri net then thetrajectory problem forms a reachability problem instead of a partial reachability problem.

A Petri net optimal trajectory problem can be described as a PNS problem, and a PNS problem can be described as a Petri net OT problem with some modifications. Since both the modeling purpose and the problem structure of the two paradigms are different, the correspondence between the elements needs some modification.

• A place that is marked in the initial marking is a raw material in PNS (with some modification),

• a place that has to be marked at the target marking is a product,

• the rest of the places are intermediate materials.

• A transition is an operating unit mapping the pre– and post–set of the transition into the input and outputmaterials of the corresponding operating unit, respectively (preserving the weight function),

• the cost of a transition is the proportional cost of the corresponding operating unit.


• The characteristic vector of an optimal trajectory corresponds to a solution structure P–graph for the PNSproblem.

• An optimal solution Parikh vector of the ILP abstraction (see Definition 17 in Section 2.4.1) is a solutionfor the MILP problem of the PNS problem.

• A Parikh vector of an optimal trajectory is an integer solution for the MILP problem of the PNS problemwith a solution structure.

Table 5.1 below summarizes the above assignments of the elements of Petri reachability problem and PNSproblems.

Petri Net optimal trajectory problem              | PNS problem
--------------------------------------------------|---------------------------------------------------------
places                                            | material containers
transitions                                       | operating units
places marked in M0                               | available raw materials
places marked in Mpartial                         | required products
cost of transitions                               | proportional cost of operating units
weight of edges                                   | consumption and production rate for operating units
tokens at a place                                 | current amount of a material
characteristic vector of a trajectory             | a set of the corresponding operating units
spanned Petri net of a characteristic vector      | P–graph of the corresponding set of operating units
Parikh vector of a trajectory of the OT problem   | integer solution with a solution structure of the MILP problem

Table 5.1: Petri net OT problem as a PNS problem

Although the above assignments are obvious because of the resemblance of the two paradigms, there are some differences. In Place/Transition (shortly P/T) nets both the number of consumed and produced tokens are nonnegative integers and each transition may fire only an integer number of times. In contrast to P/T nets, an operating unit may operate in any real amount, and the materials may be available, consumed, and produced also in any real amount in PNS problems. According to these differences, PNS problems are similar to Fluid Petri nets [82].

However, the aim of the thesis is (i) to model (partial) reachability problems in information systems with P/T nets, where places and transitions represent (discrete) resources, objects, and operations, and (ii) to optimize these problems by adapting PNS algorithms. Therefore P/T nets are compared to PNS problems in the following, where the expression optimal trajectory problem refers to the general (i.e. a reachability problem with some metrics) optimal trajectory problem in the case of the structural comparison, the generation of the maximal Petri net and the generation of the structurally valid solutions. However, sometimes the cost–optimal trajectory problem is used to demonstrate corresponding approaches as a simplification. Cost–optimal trajectory problems alone are considered only in the case of the customization of the ABB algorithm.

5.1 Comparison of the Petri Net Trajectory Problem and the PNS Problem

5.1.1 Comparison of Petri nets and P–graph structures

Since a material in a P-graph represents not one unit of material but some amount of material of a given type, in the following both the expressions material and material container will be used for it. This notion is also appropriate to express the similarity between the number of tokens in a place and the amount of material in a material container.

The structure of both Petri nets and P–graphs (that is the structure of PNS problems, see Section 3.1.1) is adirected bipartite graph thus a straightforward correspondence can be established between the two formalisms.


A mapping from Petri nets to P-graphs can be defined by a homomorphism between the places and transitions of the Petri net and the material containers and operating units of the P–graph, respectively, such that whenever a place is an input (output) of a transition, the corresponding material is an input (output) of the corresponding operating unit.

Formally, let a Petri net PN = (P, T, F,w,M0) be given. Then a corresponding P-graph (Mat,Op) can bedefined by an injective homomorphism F : P ∪ T →Mat ∪Op as follows.

• FP : P →Mat is the restriction of the homomorphism to places,

• FT : T → Op is the restriction of the homomorphism to transitions, such that

– ∀(p, t) ∈ F, p ∈ P, t ∈ T : FP (p) ∈ ψ−(F(t)), and

– ∀(t, p) ∈ F, p ∈ P, t ∈ T : F(p) ∈ ψ+(F(t)).

The other way around, the transformation of a P–graph into a Petri net can be formalized similarly using F−1. This assignment refers only to the basic structure of the P/T net and the P–graph. However, concerning the production process of PNS problems, where operating units may consume and produce materials in any real amount, the P–graph together with the material flow and costs can be seen as a Fluid Petri net (see Section 2.3.2) without time but with fixed and proportional costs.

Since the aim of the thesis is to apply PNS algorithms to the optimal trajectory problem of Petri nets, which is also a partial reachability and a trajectory problem, the Petri net trajectory problem and the PNS problem are compared in detail in the following.

5.1.2 Petri net trajectory problems and PNS problems

In the case of P/T nets, transitions may fire only an integer number of times and markings take their values from the nonnegative integers. Thus, although their structures are similar, the semantics of the optimal trajectory problem and the PNS problem cannot be mapped directly onto each other because of the difference between the modeling purposes of the two paradigms. On the one hand, the representation of the initial states of the two problems is different. The initial marking in the Petri net represents the starting state of a system, where any place in the net may be marked. In the case of a PNS problem, the initial state may refer to the available raw materials, which are supposed to have no input operating units.

Another difference is the execution of a solution: a trajectory starts from the given initial state and leads toa target state that satisfies some requirements. In PNS problems, the execution of a production plan (if it exists)starts from a stationary state. A stationary state is a state where the required amount of catalyst materials arealready available in order to realize a solution.

The mathematical representation of the Petri net optimal trajectory problem and the PNS problem is similar: the former can be represented as an integer linear programming (ILP) problem, while the latter as a mixed integer linear programming (MILP) problem (for more details see Sections 2.4.1 and 3.1.5).

However, the solution of the ILP problem of the Petri net optimal trajectory problem may not be fireable from the given initial marking, while starting a solution of the PNS problem from a stationary state is always realizable. A solution Parikh vector of the ILP problem is not fireable if there exists a cycle with a place in which the token change is 0 after firing a trajectory with the given Parikh vector, but there is no token there initially; therefore the trajectory is not fireable. Such a place represents a catalyst material in PNS problems.

Nevertheless, the application of the ABB algorithm to the Petri net optimal trajectory problem accelerates the generation of a candidate Parikh vector whose fireability is checked afterwards. In order to apply the ABB algorithm, either an appropriate translation of the optimal trajectory problem into a PNS problem is required, or the ABB algorithm has to be modified according to the optimal trajectory problem.

Since an optimal trajectory problem is a partial reachability problem, at first the correspondence between Petri net reachability problems and PNS problems is analyzed. Then the application of the ABB algorithm is characterized in Chapter 6.


The proof of the reachability of a (partial) target state from a given initial state is the trajectory that leads from the initial state to the (partial) target state. A trajectory is a firing sequence of transitions. An abstract representation of the trajectory is its Parikh vector, which counts the number of firings of the individual transitions. Another abstraction of the trajectory (Parikh vector) is its characteristic vector, which has component 1 if the corresponding transition is fired in the trajectory (Parikh vector), and 0 if not (see Def. 5 in Section 2.1). According to the definitions of a trajectory, a Parikh vector and a characteristic vector, a trajectory and its Parikh vector have the same characteristic vector. At the same time, a characteristic vector represents exactly the membership function of a set of transitions: the corresponding component of a transition is 1 if and only if the transition is in the set.

5.1.3 Spanned Petri net

In order to compare the solutions of Petri net reachability problems and PNS problems, the notion corresponding to the PNS solution structure is defined in Petri nets. As a solution structure of a PNS problem is the spanned P-graph of some selected operating units, the corresponding structure in Petri nets is called the spanned Petri net of a transition set. The spanned Petri net of a set of transitions is the restriction of the Petri net to these transitions, i.e. it is a sub-Petri net that contains only these transitions together with their input and output places.

Definition 35 (Spanned Petri net of a set of transitions.) Formally, let a Petri net $PN = \langle P, T, F, w, M_0 \rangle$ be given together with a set of transitions $tset \subseteq T$.

Then the spanned Petri net of $tset$ is $PN^{tset} = (P^{tset}, T^{tset}, F^{tset}, w^{tset}, M_0^{tset})$ such that

• $T^{tset} = tset$, i.e. transitions are restricted to the transitions in $tset$,

• $P^{tset} = {}^{\bullet}T^{tset} \cup T^{tset\,\bullet}$, i.e. the places of the spanned Petri net are the places connected to the transitions in $tset$,

• $F^{tset} = F|_{T^{tset} \cup P^{tset}} = \{(p, t) \mid (p, t) \in F : p \in P^{tset} \wedge t \in T^{tset}\} \cup \{(t, p) \mid (t, p) \in F : p \in P^{tset} \wedge t \in T^{tset}\}$, i.e. only those arcs are considered that link the involved transitions and places,

• $w^{tset} : F^{tset} \to \mathbb{N}^+$ such that $\forall f \in F^{tset} : w^{tset}(f) = w(f)$, i.e. the weights of the involved arcs are as in the original Petri net,

• $M_0^{tset} : P^{tset} \to \mathbb{N}$, $M_0^{tset}(p) = M_0(p)$ $\forall p \in P^{tset}$, i.e. $M_0^{tset}$ is the restriction of $M_0$ to the places in $P^{tset}$.

The spanned Petri net of a characteristic vector is the spanned Petri net of the set of those transitions for whichthe corresponding component of the characteristic vector is equal to 1. The spanned Petri net of a Parikh vectoris the spanned Petri net of the set of transitions for which the corresponding component in the Parikh vector isgreater than 0, and the spanned Petri net of a trajectory is the spanned Petri net of the set of those transitions thatare fired in the trajectory.

Since the characteristic vector of a trajectory and that of its Parikh vector are the same, the spanned Petri nets of a trajectory, of its Parikh vector and of its characteristic vector are also the same.

In addition, the spanned Petri net of a firing sequence is the smallest sub–Petri net of the original Petri net inwhich the firing sequence can be fired, since it contains all the transitions and connected places that are neededto fire this sequence.

Example 13 Let us revisit Example 3. The spanned Petri net of the trajectory s = 〈reco_ut_R4A, test_R4B, test_R4B, test_R4A, reco_R4B〉, of the Parikh vector $\vec{\sigma}_s = (1, 0, 1, 2, 0, 1)$ and of the characteristic vector $ch_s = (1, 0, 1, 1, 0, 1)$ is the spanned Petri net of {reco_ut_R4A, test_R4B, test_R4A, reco_R4B} depicted in Fig. 5.1.

Figure 5.1: Spanned Petri net of a trajectory, its Parikh vector and its characteristic vector

The reachability problem in Petri nets (see Definition 8) is to find a trajectory from a given initial state to a given target state. The partial reachability problem is to find a trajectory from a given initial state to a state where only a subset of the places is targeted to be marked by a given number of tokens and the number of tokens in the other places is not relevant, i.e. the reached marking covers the given partial target state. Since the target is to produce the desired products in the PNS problem, the PNS problem is similar to the partial reachability problem in Petri nets: the initially marked places could be mapped into the raw material containers, while the places marked in the partial target marking could refer to the product containers.

However, a PNS problem takes into account only those solutions where raw materials are well defined, i.e.they have no input operating units (see Axiom (A2)) while a reachability problem in Petri nets allows an initiallymarked place to have input transitions. At first, PNS problems as Petri net reachability problems are discussed toresolve these differences.

5.2 From PNS problems to Petri net reachability problems

Let a PNS problem $(Raw, Prod, Op)$ be given. Then a corresponding Petri net partial reachability problem can be formalized as follows, assuming the same bipartite graph as described above. All places corresponding to a raw material in the PNS problem are marked initially, and the number of tokens is equal to the available amount of the raw material, i.e. $0 < M_0(F^{-1}(mat)) \iff mat \in Raw$ and $M_0(F^{-1}(mat)) = U_{mat}$, while the places corresponding to the products have to be marked only in the target state, i.e. $0 < M_{partial}(F^{-1}(mat)) \iff mat \in Prod$ and $M_{partial}(F^{-1}(mat)) = L_{mat}$.

However, the set of solutions for this Petri net reachability problem is a subset of the set of solutions for the PNS problem. One reason is that the P/T net definition is restricted to integer token flow and integer firing numbers of transitions. The other reason is that a solution for the Petri net reachability problem has to be fireable from the given initial state, while a solution for the PNS problem is required to be executable starting from a stationary state. This way the corresponding Petri net optimal trajectory problem is a restriction of the PNS problem such that each solution for the Petri net optimal trajectory problem is also a solution for the PNS problem.

The other way around, the characterization of a solution in PNS differs from that of a solution in the Petri net because PNS problems have production-specific requirements for a solution that are much more restrictive than in the case of Petri nets.

5.3 From Petri Net Reachability Problems to PNS Problems

At first let us concentrate on the translation of a Petri net reachability problem into a PNS problem, disregarding the quantitative parameters associated with the transitions.

Let a Petri net PN = 〈P, T, F, w, M0〉 be given together with a partial target state Mpartial. Then the partial reachability problem is to reach a state from the initial state M0 that covers Mpartial. A straightforward way to translate the partial reachability problem into a PNS problem is that the material containers assigned to the initially marked places are the raw materials, and the material containers assigned to the places marked in the partial target marking are the products.

In PNS a solution is characterized by a recipe or solution structure that describes which operating unitsare needed to produce the desired products from which raw materials. Now let us recall the definition of PNSproblems and the five axioms (introduced in Section 3.1.1) that are to be fulfilled by a combinatorially feasiblenetwork (solution structure).

Raw materials and products In PNS problems, there are materials to be produced, called products, and raw materials from which these products have to be produced, and they cannot be desired products at the same time. In contrast to PNS, a place in Petri nets may be marked both in the initial and in the target marking. In the following we will add new places and transitions to the Petri net structure to conform to the PNS requirement Axiom (A2) that the sets of raw materials and products are disjoint.

5.3.1 PNS axioms and an (A2)–conform transformation of initially marked places

Our aim is to deliver an optimal solution for the Petri net cost–optimal trajectory problem. If one shows that aPetri net cost–optimal trajectory problem can be described as a PNS problem the PNS algorithms can be adaptedto the Petri net. The PNS algorithms deliver only solutions that satisfy the five PNS axioms. In the following Ishow that an optimal trajectory for an (A2)–conform Petri net optimal trajectory problem also has to satisfy theseaxioms, i.e. the PNS algorithms can be applied to this problem.

Let a cost–optimal trajectory problem OTc = 〈PNc,Mpartial, costLimit〉 be given. Then the spanned Petrinet of a solution trajectory has to satisfy the following axioms that correspond to the PNS axioms.

• (PN_A1) Every place marked in the target partial marking has to be represented in the spanned Petri net.

• (PN_A3) Every transition represents a transition defined in the OT problem.

• (PN_A4) Every transition has at least one path leading to a place that is marked in the desirable targetmarking.

• (PN_A5) If a place belongs to the spanned Petri net, it must be an input to or an output from at least one transition in the spanned Petri net.

It is obvious that places and transitions that violate axioms (PN_A3), (PN_A4) and (PN_A5) are redundant in the solution of the OT problem due to its minimization objective. (However, the elimination of such elements may indicate some modeling problems.)

Also the requirement of axiom (PN_A1), the inclusion of the places to be reached in the solution Petri net, is essential: if our aim is to reach (cover) a certain state (marking), then all the state variables (places) have to be in the model, otherwise the target marking is unreachable.

The (A2) axiom in PNS states that a material is a raw material if and only if it has no input operating unit.This axiom is responsible for the termination of the PNS algorithms that start from the products and build astructure to the raw materials.

The translation of the PNS Axiom (A2) for Petri nets would say:

• (PN_A2) A place has no input if and only if it is marked in the initial marking.

(PN_A2) states that there are no transitions with outgoing edges to a place marked in the initial state. Since general Petri nets model not only materials but also explicit resources, like test cells in our running example, there could be several places marked in the initial state that have input transitions. In order to avoid this inconvenience in the adaptation of the PNS algorithms, the Petri net is extended by one place and one transition with 0 cost for each place that is marked in the initial state. The old places will have no tokens (causing no further violation of axiom (PN_A2)), while all the new places get one token and will have no input transition, satisfying axiom (PN_A2). Also the set of initially marked places and the set of places marked in the target marking become disjoint.

A new transition connects a new place with one token and an old place such that these places are the only input and output places of the transition. The transition is enabled by the one token at the new place, and the firing of the transition puts as many tokens into the old place as defined in the initial marking. Structurally, the weight of the arc from the new place to the new transition is 1, while the weight of the arc from the new transition to the old place is equal to the token number of the old place in the initial marking.

Example 14 In the running example all the initially marked places R4A_untested, R4B_untested and test_cell have input transitions. In Figure 5.2 the example Petri net and the new Petri net are shown: a place and a transition are added for each initially marked place, such that the new transitions have cost 0, the new places have one token, and the weights of the new arcs are 1 from the new places to the new transitions and 2, 3, 1, according to the initial marking, from the new transitions to the old places. Since the example Petri net has neither redundant places nor redundant transitions, the modified Petri net already satisfies the five axioms.

Figure 5.2: Adding new transitions and places for initially marked places

In the following the formal definition of the initialization transformation is given.

Definition 36 (OT problem initialization for PNS algorithms.) Let a cost–optimal trajectory problem $OT_c = \langle PN_c, M, costLimit \rangle$ with a Petri net with cost parameters $PN_c = \langle (P, T, F, w, M_0), c \rangle$ be given. Then the new Petri net optimal trajectory problem, called the A2–conform OT problem $OT^{init} = \langle \langle PN^{init}, c^{init} \rangle, M^{init}_{target}, costLimit \rangle$, is created as follows.

• $PN^{init} = (P \cup P^{init}, T \cup T^{init}, F \cup F^{init}, w \cup w^{init}, M_0^{init})$, called an A2–conform Petri net, where

• $P^{init} = \{p_{p_i} \mid p_i \in P : 0 < M_0(p_i)\}$,

• $T^{init} = \{t_{p_i} \mid p_i \in P : 0 < M_0(p_i)\}$,

• $F^{init} = \bigcup \{(p_{p_i}, t_{p_i}), (t_{p_i}, p_i) \mid p_i \in P : 0 < M_0(p_i)\}$,

• $w^{init} : F^{init} \to \mathbb{N}^+$ such that $\forall (p_{p_i}, t_{p_i}) \in F^{init} : w^{init}((p_{p_i}, t_{p_i})) = 1$, and $\forall (t_{p_i}, p_i) \in F^{init} : w^{init}((t_{p_i}, p_i)) = M_0(p_i)$,

• $M_0^{init} : P \cup P^{init} \to \mathbb{N}$ such that $\forall p \in P : 0 < M_0(p) : M_0^{init}(p) = 0$, $\forall p \in P : M_0(p) = 0 \Rightarrow M_0^{init}(p) = 0$, and $\forall p_{p_i} \in P^{init} : M_0^{init}(p_{p_i}) = M_0(p_i)$,

• $M^{init}_{target} : P \cup P^{init} \to \mathbb{N}$ such that $\forall p \in P : M^{init}_{target}(p) = M_{target}(p)$, and $\forall p_{p_i} \in P^{init} : M^{init}_{target}(p_{p_i}) = 0$, and finally,

• $c^{init} : T \cup T^{init} \to \mathbb{N}$ such that $\forall t \in T : c^{init}(t) = c(t)$, and $\forall t \in T^{init} : c^{init}(t) = 0$.

Firing sequences of an A2–conform Petri net. Since the firing of the new transitions puts the tokens back into the old places, restoring the original Petri net, if there exists a firing sequence in the A2–conform Petri net then there is also a trajectory in the original Petri net such that the two trajectories differ from each other only in the firing of the new transitions. This statement is formalized and proved in the following lemma.

Lemma 1 Let a transition firing sequence $s = \langle t_{i_1}, \dots, t_{i_n} \rangle$, $t_{i_j} \in T$, in $PN_c$ be given. Then there exists a transition firing sequence $s^{init} = \langle t_{j_1}, \dots, t_{j_m} \rangle$, $t_{j_k} \in T \cup T^{init}$, in $PN_c^{init}$ such that $s^{init}|_T = s$, i.e. if the transitions in $T^{init}$ are eliminated from $s^{init}$, the rest of the trajectory is equal to $s$.

PROOF 1. Due to the transformation of the initial places, all transitions in $T^{init}$ are fireable but no transition in $T$ is fireable at marking $M_0^{init}$.

2. The firing of all transitions $t_{p_r} \in T^{init}$ in any order yields a marking $M'$ such that $\forall p \in P : M'(p) = M_0(p)$, and $\forall p \in P^{init} : M'(p) = 0$.

3. Since trajectory $s$ is fireable in $PN_c$, where $\forall p \in P : M_0(p) = M'(p)$, $s$ is also fireable in $PN_c^{init}$ at marking $M'$.

4. This way the transition firing sequence $s^{init} = \langle t_{p_{r_1}}, \dots, t_{p_{r_{|T^{init}|}}}, s \rangle$ such that $\forall 0 \le l \le |T^{init}| : t_{p_{r_l}} \in T^{init} \wedge (l_1 \ne l_2 \Rightarrow r_{l_1} \ne r_{l_2})$ is fireable in $PN_c^{init}$ and $s^{init}|_T = s$.
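The initialization of Definition 36 and the lifting of Lemma 1 can be checked on a small net. The following is an added example, not code from the thesis: a constructed net in which a test cell is returned after use (so an initially marked place has an input transition), the transformation, and the lifted trajectory fired step by step. Following the description of Example 14, each new place holds a single token; the place and transition names (`pinit_`, `tinit_`) are this example's own.

```python
# Added example (not from the thesis): the A2-conform initialization of
# Definition 36 and the trajectory lifting of Lemma 1 on a constructed toy
# net. As described for Example 14, each new place gets one token and the
# arc from the new transition to the old place carries weight M0(p).

# Constructed net: storages are tested in a test cell that is returned
# afterwards, so the initially marked place 'free_cell' has an input
# transition and violates (PN_A2) before the transformation.
PLACES = ["untested", "free_cell", "under_test", "tested"]
TRANSITIONS = ["start_test", "finish_test"]
ARCS = {("untested", "start_test"): 1, ("free_cell", "start_test"): 1,
        ("start_test", "under_test"): 1, ("under_test", "finish_test"): 1,
        ("finish_test", "tested"): 1, ("finish_test", "free_cell"): 1}
M0 = {"untested": 2, "free_cell": 1, "under_test": 0, "tested": 0}
COST = {"start_test": 1, "finish_test": 2}


def a2_conform(places, transitions, arcs, m0, cost):
    """Definition 36: for every initially marked place p add a place pinit_p
    (one token, no input) and a 0-cost transition tinit_p moving M0(p)
    tokens into p; every old place starts empty."""
    new_places, new_transitions = [], []
    new_arcs, new_m0, new_cost = dict(arcs), {}, dict(cost)
    for p in places:
        new_m0[p] = 0
        if m0[p] > 0:
            pp, tp = "pinit_" + p, "tinit_" + p
            new_places.append(pp)
            new_transitions.append(tp)
            new_arcs[(pp, tp)] = 1        # weight 1 from the new place
            new_arcs[(tp, p)] = m0[p]     # weight M0(p) into the old place
            new_m0[pp] = 1                # a single token, as in Example 14
            new_cost[tp] = 0
    return (places + new_places, transitions + new_transitions,
            new_arcs, new_m0, new_cost)


def fire(arcs, marking, t):
    """Fire t once; returns the new marking or None if t is not enabled."""
    pre = {x: w for (x, y), w in arcs.items() if y == t}
    post = {y: w for (x, y), w in arcs.items() if x == t}
    if any(marking[p] < w for p, w in pre.items()):
        return None
    m = dict(marking)
    for p, w in pre.items():
        m[p] -= w
    for p, w in post.items():
        m[p] += w
    return m


def fire_sequence(arcs, marking, seq):
    """Fire a whole sequence; None as soon as one transition is not enabled."""
    for t in seq:
        marking = fire(arcs, marking, t)
        if marking is None:
            return None
    return marking


def lift_trajectory(init_transitions, s):
    """Lemma 1, step 4: fire every transition of T^init (any order), then s."""
    return list(init_transitions) + list(s)


def restrict(seq, transitions):
    """s^init restricted to T: drop the transitions that are not in T."""
    return [t for t in seq if t in transitions]


def pn_a2_violations(places, arcs, m0):
    """Places breaking (PN_A2): 'no input transition' iff 'initially marked'."""
    has_input = {y for (x, y) in arcs if y in places}
    return {p for p in places if (p not in has_input) != (m0[p] > 0)}


def trajectory_cost(seq, cost):
    """Total cost of a firing sequence; the lifted one costs the same."""
    return sum(cost[t] for t in seq)


if __name__ == "__main__":
    s = ["start_test", "finish_test", "start_test", "finish_test"]
    p_i, t_i, arcs_i, m0_i, cost_i = a2_conform(PLACES, TRANSITIONS, ARCS, M0, COST)
    s_init = lift_trajectory([t for t in t_i if t.startswith("tinit_")], s)
    print("violations before:", pn_a2_violations(PLACES, ARCS, M0))
    print("violations after:", pn_a2_violations(p_i, arcs_i, m0_i))
    print("final marking:", fire_sequence(arcs_i, m0_i, s_init))
```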

Now the definition of a structurally valid Petri net for the optimal trajectory problem can be given as follows.

Definition 37 (Structurally valid Petri net, Parikh vector and characteristic vector, set of transitions.) Let an OT problem $OT^{init} = \langle \langle PN^{init}, c^{init} \rangle, M^{init} \rangle$ and a set of transitions $tsol \subseteq T \cup T^{init}$ be given. Then the set $tsol$ is structurally valid for the OT problem if its spanned Petri net satisfies the five axioms. A Petri net, a Parikh vector and a characteristic vector are called structurally valid if their spanned Petri net satisfies the five axioms.

The definition of a structurally valid Petri net aims at the elimination of those firing sequences and Parikh vectors that involve redundant elements; e.g. a trajectory that fires a transition which does not lead to any place that has to be reached in the target marking is not structurally valid. The following theorem states that the spanned Petri net of an optimal trajectory is structurally valid, i.e. the search space of the OT problem can be restricted to the structurally valid solutions, as in the case of PNS problems.

Theorem 1 The spanned Petri net of an optimal trajectory is structurally valid.

PROOF A set tsol is structurally valid if its spanned Petri net satisfies the five axioms. The spanned Petri net ofan optimal trajectory involves only the transitions that are fired in the trajectory.

• Since the trajectory is a solution for the OT problem, each place that has to be marked in the target partial marking is present in the Petri net, hence (PN_A1) holds.

• The solution trajectory is a solution for the OT problem that was transformed into the (A2)–conform Petri net, hence (PN_A2) holds, i.e. each place that has no input transition is marked initially.


• Transitions included in the solution trajectory are transitions of the Petri net of the OT problem thus(PN_A3) holds.

• The firing of a transition is unnecessary in an optimal trajectory if it does not lead to a place marked in thetarget marking. Hence (PN_A4) holds.

• Since the analyzed Petri net is the spanned Petri net of the optimal trajectory the places are involved into thePetri net by the included transitions, i.e. each place is an input or an output of a transition. Thus (PN_A5)holds.
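The spanned Petri net of Definition 35 (Example 13) and the structural validity check of Definition 37 used in Theorem 1 are both exercised below. This is an added example, not code from the thesis: the net is constructed and already A2-conform (its only initially marked place has no input transition), and the axiom check returns the set of violated axioms, so a structurally valid transition set yields the empty set.

```python
# Added example (not from the thesis): the spanned Petri net of a set of
# transitions (Definition 35), computed for a trajectory, its Parikh vector
# and its characteristic vector, and the check of axioms (PN_A1)-(PN_A5)
# that decides structural validity (Definition 37). The net is constructed
# and already A2-conform: its only marked place 'raw' has no input transition.
from collections import Counter

PLACES = ["raw", "mid", "prod", "junk"]
TRANSITIONS = ["t_a", "t_b", "t_c", "t_d"]
ARCS = {("raw", "t_a"): 1, ("t_a", "mid"): 2, ("mid", "t_b"): 1,
        ("t_b", "prod"): 1, ("mid", "t_c"): 1, ("t_c", "junk"): 1,
        ("junk", "t_d"): 1, ("t_d", "mid"): 1}
M0 = {"raw": 1, "mid": 0, "prod": 0, "junk": 0}
M_TARGET = {"prod": 1}          # partial target marking: only 'prod' matters


def spanned_net(tset):
    """Definition 35: restrict the net to the transitions in tset, their
    pre/post places, the arcs among them and the initial marking of those
    places. Returns (P^tset, T^tset, F^tset with weights, M0^tset)."""
    t_span = frozenset(tset)
    p_span = set()
    for (x, y) in ARCS:
        if y in t_span:          # x is an input place of a kept transition
            p_span.add(x)
        if x in t_span:          # y is an output place of a kept transition
            p_span.add(y)
    f_span = {a: w for a, w in ARCS.items()
              if (a[0] in p_span and a[1] in t_span)
              or (a[0] in t_span and a[1] in p_span)}
    m0_span = {p: M0[p] for p in p_span}
    return frozenset(p_span), t_span, f_span, m0_span


def parikh_vector(trajectory):
    """Number of firings of each transition, in TRANSITIONS order."""
    counts = Counter(trajectory)
    return tuple(counts[t] for t in TRANSITIONS)


def characteristic_vector(parikh):
    """1 where the transition is fired at least once, 0 otherwise."""
    return tuple(1 if n > 0 else 0 for n in parikh)


def transitions_of(vector):
    """Transitions whose component is positive (Parikh or characteristic)."""
    return {t for t, n in zip(TRANSITIONS, vector) if n > 0}


def leads_to_target(t, p_span, f_span):
    """(PN_A4): search forward from t inside the spanned net for a place
    marked in the target marking."""
    seen, frontier = {t}, [t]
    while frontier:
        node = frontier.pop()
        for (x, y) in f_span:
            if x == node and y not in seen:
                if y in p_span and M_TARGET.get(y, 0) > 0:
                    return True
                seen.add(y)
                frontier.append(y)
    return False


def structural_violations(tset):
    """Axioms of Section 5.3.1 violated by the spanned Petri net of tset;
    the empty set means tset is structurally valid (Definition 37)."""
    p_span, t_span, f_span, m0_span = spanned_net(tset)
    bad = set()
    if any(p not in p_span for p, n in M_TARGET.items() if n > 0):
        bad.add("PN_A1")       # a target place is missing
    has_input = {y for (x, y) in f_span if y in p_span}
    if any((p not in has_input) != (m0_span[p] > 0) for p in p_span):
        bad.add("PN_A2")       # 'no input' must coincide with 'marked'
    if not t_span <= set(TRANSITIONS):
        bad.add("PN_A3")       # unknown transition
    if any(not leads_to_target(t, p_span, f_span) for t in t_span):
        bad.add("PN_A4")       # a transition never reaches the target
    touched = {x for (x, y) in f_span} | {y for (x, y) in f_span}
    if any(p not in touched for p in p_span):
        bad.add("PN_A5")       # an isolated place
    return bad


if __name__ == "__main__":
    s = ["t_a", "t_b", "t_a", "t_b"]
    pv = parikh_vector(s)
    print("Parikh:", pv, "characteristic:", characteristic_vector(pv))
    print("same spanned net:",
          spanned_net(set(s)) == spanned_net(transitions_of(pv)))
    print("violations of {t_a, t_b, t_c}:",
          structural_violations({"t_a", "t_b", "t_c"}))
```

Firing `t_c` produces `junk`, which no transition of the spanned net turns into the target place, so any trajectory that fires it violates (PN_A4), matching the remark on redundant transitions above.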

The initialization transformation of the Petri net enables the generation of structurally valid solutions using the PNS algorithms MSG and SSG (see Sections 3.1.2 and 3.1.4).

Moreover, the optimal trajectory problem can be translated into a PNS problem, subject to the following remarks.

1. The cost of a transition in the optimal trajectory problem is a proportional cost in the PNS problem.

2. The customization of the ABB algorithm covers the domain modification in the MILP problem: all operating units may operate only in integer amounts, which results in some additional branching and bounding calls after a solution structure has been reached, in order to get the exact number of transition firings.

In the following the comparison of Petri nets and PNS problems is continued: the reduction rules for Petri nets are discussed for PNS problems.

5.4 Reduction rules for PNS problems

Petri net reduction rules aim at reducing the size of the Petri net and hence the size of its reachability graph. The reduction rules in Sec. 2.2 were defined for ordinary Petri nets, where the weight of each arc is equal to 1. Since Petri net transitions may fire only an integer number of times and move only an integer number of tokens, these reduction rules cannot be applied to an arbitrary Petri net with cost, only to ordinary Petri nets. However, these reduction rules can be applied (with some modifications) to a PNS problem, because PNS problems allow an operating unit to operate in any real amount.

The modified reduction rules deliver a reduced PNS problem such that the solutions of the original and the reduced problems can be mapped to each other by a bijective mapping. In other words, for an optimal solution of the reduced problem there exists a corresponding solution of the original problem with the same objective value, such that the two differ from each other only in the omitted materials and operating units.

The reduction rules are applied to the following PNS problem, which is itself a maximal structure:

• (Prod, Raw, Op) with the P–graph (Mat, Op),

• where the desired amount of each product is given by a lower bound constraint L(prod) (∀prod ∈ Prod),

• the available amount of each raw material is given by an upper bound constraint U(mat) (∀mat ∈ Mat), and

• the material flow is denoted as follows: ∀mat ∈ Mat, opunit ∈ Op : a(mat, opunit) ∈ R denotes the amount of material mat consumed by the operating unit opunit, while ∀mat ∈ Mat, opunit ∈ Op : a(opunit, mat) ∈ R denotes the amount of material mat produced by the operating unit opunit,

• the cost of one unit of a raw material is c(rawmat) ∈ R (∀rawmat ∈ R),

• the fix cost of an operating unit is fc(opunit) (∀opunit ∈ Op), and

• the proportional cost of an operating unit is pc(opunit) (∀opunit ∈ Op).

The rules for PNS problems are depicted in Fig. 5.3.

Figure 5.3: Six reduction rules for PNS problems preserving the optimal solution

• Fusion of serial materials.

This reduction rule cannot be applied directly to PNS problems because of the cost calculation. Nevertheless, the rule can be applied if material mat2 has only one input operating unit. Let us suppose that the P–graph contains two materials mat1, mat2 ∈ M \ Prod such that mat1 is the only input material of an operating unit opunit and mat2 is the only output material of it; moreover, material mat1 has exactly one output operating unit opunit and material mat2 has exactly one input operating unit opunit. Then the two materials can be merged into one material newmat, omitting the operating unit opunit, such that

– if mat1 was a raw material then the new material newmat will be a raw material with the same available amount U(newmat) = U(mat1),

– if mat1 is not a raw material then the input operating units of the new material will be the input operating units of material mat1 with the same material flow, and

– the output operating units of the new material will be the output operating units of material mat2 such that the material flow is changed to a(newmat, opunit′) = a(mat2, opunit′) · a(mat1, opunit)/a(opunit, mat2), ∀opunit′ ∈ φ+(mat2).

– In addition, the sum of the fix cost of the output operating units increases by the fix cost of the deleted operating unit, and

– the proportional cost of the output operating units increases by a(mat2, opunit′)/a(opunit, mat2) · pc(opunit).

The solution structures of the original and the resulting PNS problems coincide, since the Cartesian product (mat2, opunit) is a direct neutral extension of any decision mapping that includes at least one output operating unit of material mat2. Furthermore, if an optimal solution of the resulting PNS problem contains the merged material, then there exists a corresponding solution in the original PNS problem that has the same solution structure plus the omitted operating unit and the same cost, due to the construction of the merged material.

• Fusion of serial operating units. This reduction rule cannot be applied directly to PNS problems because of the cost calculation of the new operating unit. Nevertheless, the rule can be applied if operating unit opunit1 has only one output material.

Thus, suppose the P–graph contains two operating units opunit1, opunit2 ∈ O such that opunit1 is the only input operating unit of a material mat1 and opunit2 is the only output operating unit of the same material mat1, where material mat1 is not a product. Moreover, operating unit opunit1 has exactly one output material mat1, while operating unit opunit2 has exactly one input material mat1. Then the two operating units can be merged, omitting the material mat1, such that

– each input material matin of the operating unit opunit1 will be an input material of the new operating unit opunit′ with the material flow a(matin, opunit′) = a(matin, opunit1) · a(opunit1, mat1)/a(mat1, opunit2), and

– each output material matout of the operating unit opunit2 will be an output material of the new operating unit opunit′ with the same material flow a(opunit′, matout) = a(opunit2, matout).

– In addition, the fix cost of the new operating unit opunit′ is equal to fc(opunit′) = fc(opunit1) + fc(opunit2), and

– the proportional cost of the new operating unit opunit′ is equal to pc(opunit′) = pc(opunit2) + pc(opunit1) · a(mat1, opunit2)/a(opunit1, mat1).

The solution structures of the original and the resulting PNS problems coincide, since the Cartesian product (mat1, opunit1) is a direct neutral extension of any decision mapping that includes operating unit opunit2. Furthermore, if an optimal solution of the resulting PNS problem contains the merged operating unit, then there exists a corresponding solution in the original PNS problem that has the same solution structure plus the omitted material and the same cost, due to the construction of the merged operating unit.

• Fusion of parallel materials. This reduction rule cannot be applied directly to PNS problems because of the cost calculation of the output operating unit of the two materials. Nevertheless, the rule can be applied if the set of the output materials of operating unit opunit1 is the same as the set of the input materials of operating unit opunit2.

Thus, if two materials mat1, mat2 that are not products have the same input operating unit opunit1 and output operating unit opunit2 as their only input and output operating units, i.e. φ−(mat1) = φ−(mat2) = opunit1, φ+(mat1) = φ+(mat2) = opunit2, and they are the only output materials of operating unit opunit1 and the only input materials of operating unit opunit2, then the two materials can be merged into one material mat′ and the materials mat1, mat2 are omitted, such that

– the only input and output operating units of the new material are operating units opunit1 and opunit2, respectively, with the material flows a(opunit1, mat′) = a(opunit1, mat1) and a(mat′, opunit2) = a(mat1, opunit2) if a(opunit1, mat1)/a(mat1, opunit2) ≥ a(opunit1, mat2)/a(mat2, opunit2).

– The cost of the transitions does not change.

The merging reduction can be extended also to more than two parallel materials.

The solution structures of the original and the resulting PNS problems coincide, since the set of Cartesian products {(mat1, opunit1), (mat2, opunit1)} is a direct neutral extension of any decision mapping that includes operating unit opunit2. Furthermore, if an optimal solution of the resulting PNS problem contains the merged material, then there exists a corresponding solution in the original PNS problem that has the same solution structure with the two merged materials instead of the new one.


• Fusion of parallel operating units. Two operating units opunit1 and opunit2 are parallel if their input and output materials mat1 and mat2 are the same. Formally, φ−(opunit1) = φ−(opunit2) = {mat1}, φ+(opunit1) = φ+(opunit2) = {mat2}. If mat2 has to be produced according to a decision mapping, either opunit1 or opunit2 or both can be selected to produce mat2. If the fix costs of the two operating units are equal, then the operating unit with the lower ratio pc(opunit)/a(opunit, mat2) has to be selected and the other operating unit is omitted from the structure in order to minimize the costs. However, if the fix costs are not equal, it cannot be determined a priori which one will be selected for the optimal solution.

Thus, if two parallel operating units opunit1 and opunit2 have the same fix cost and the inequality pc(opunit1)/a(opunit1, mat2) < pc(opunit2)/a(opunit2, mat2) holds, then opunit2 can be omitted.

• Elimination of self–loop materials. Let us suppose that there is a material that is both an input and an output material of an operating unit; moreover, this material has only this operating unit as its input and output operating unit, and the operating unit produces and consumes the same amount of this material. If the operating unit is in the decision mapping then this material is automatically mapped to this operating unit, i.e. it is a direct neutral extension of the decision mapping. Thus the elimination of this material influences neither the cost of the optimal solution nor the structure of the solution.

• Elimination of self–loop operating units. Let us suppose that there exists an operating unit that produces and consumes a material at the same time, and this operating unit is connected only to this material. Furthermore, the operating unit produces and consumes the same amount of this material. Since the operating unit consumes and produces the material in the same amount, this operating unit is unnecessary and will never be used in the optimal production; therefore it can be eliminated.

If the operating unit consumes a greater amount of the material than it produces, then it will again never be used, thus it can be omitted. Otherwise it may be used during the production if the cost of the material increase is less than the cost of the other possibilities to produce this material.
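As an added example that is not part of the thesis, the following Python applies the fusion of serial materials rule above to a small constructed PNS problem and checks the claim made for it: a plan of the reduced problem maps to a plan of the original with the same solution structure plus the omitted operating unit, the same raw-material consumption and the same cost. The dictionary layout, the function names and all numeric flows and costs are assumptions of this example. It further assumes that mat2 has a single output operating unit (so the deleted unit's fix cost moves to that unit unambiguously) and that the unit price c of a raw material is carried over to the merged material.

```python
"""Fusion of serial materials (Section 5.4) on a small PNS problem.

Added example, not code from the thesis.  A PNS problem is a dict with:
  products, raw : sets of material names
  in            : {(mat, op): a(mat, op)}   consumed amount per use of op
  out           : {(op, mat): a(op, mat)}   produced amount per use of op
  fc, pc        : fixed and proportional cost of each operating unit
  U, L, c       : raw upper bounds, product lower bounds, raw unit prices
"""
from copy import deepcopy


def producers(pns, mat):
    """phi^-(mat): the operating units that produce mat."""
    return {op for (op, m) in pns["out"] if m == mat}


def consumers(pns, mat):
    """phi^+(mat): the operating units that consume mat."""
    return {op for (m, op) in pns["in"] if m == mat}


def fuse_serial_materials(pns, mat1, mat2, newmat="newmat"):
    """Merge the chain mat1 -> opunit -> mat2 into one material, dropping opunit.

    Preconditions are those of the rule: neither material is a product, opunit
    is mat1's only consumer and mat2's only producer, and mat1 / mat2 are its
    only input / output material.  Simplifying assumption of this example:
    mat2 has exactly one consumer, which receives the deleted unit's costs.
    """
    if mat1 in pns["products"] or mat2 in pns["products"]:
        raise ValueError("products cannot be merged")
    if len(consumers(pns, mat1)) != 1:
        raise ValueError("mat1 must have exactly one output operating unit")
    (opunit,) = consumers(pns, mat1)
    if producers(pns, mat2) != {opunit}:
        raise ValueError("mat2 must be produced by opunit only")
    if {m for (m, op) in pns["in"] if op == opunit} != {mat1}:
        raise ValueError("opunit must consume mat1 only")
    if {m for (op, m) in pns["out"] if op == opunit} != {mat2}:
        raise ValueError("opunit must produce mat2 only")
    if len(consumers(pns, mat2)) != 1:
        raise ValueError("example assumes a single consumer of mat2")
    (op_out,) = consumers(pns, mat2)

    r = deepcopy(pns)
    a_mat1_op = r["in"].pop((mat1, opunit))    # a(mat1, opunit)
    a_op_mat2 = r["out"].pop((opunit, mat2))   # a(opunit, mat2)
    a_mat2_out = r["in"].pop((mat2, op_out))   # a(mat2, op_out)
    # One use of op_out needs a_mat2_out / a_op_mat2 uses of opunit, each of
    # which consumes a_mat1_op units of mat1: that is the new flow into op_out.
    r["in"][(newmat, op_out)] = a_mat2_out * a_mat1_op / a_op_mat2
    # The deleted unit's fixed cost moves to op_out; its proportional cost is
    # scaled by the same usage ratio (the rule's cost update).
    r["fc"][op_out] += r["fc"].pop(opunit)
    r["pc"][op_out] += a_mat2_out / a_op_mat2 * r["pc"].pop(opunit)
    if mat1 in r["raw"]:                       # raw material: keep U (and price)
        r["raw"].remove(mat1)
        r["raw"].add(newmat)
        r["U"][newmat] = r["U"].pop(mat1)
        r["c"][newmat] = r["c"].pop(mat1)
    else:                                      # otherwise keep mat1's producers
        for op in producers(pns, mat1):
            r["out"][(op, newmat)] = r["out"].pop((op, mat1))
    return r


def plan_cost(pns, usage):
    """Cost of a production plan {op: amount of use}: fixed plus proportional
    cost of every used unit plus the price of the raw materials consumed.
    Returns (total cost, {raw material: consumed amount})."""
    cost = sum(pns["fc"][op] + pns["pc"][op] * x for op, x in usage.items() if x > 0)
    raw = {}
    for (m, op), a in pns["in"].items():
        if m in pns["raw"] and op in usage:
            raw[m] = raw.get(m, 0.0) + a * usage[op]
    cost += sum(pns["c"][m] * q for m, q in raw.items())
    return cost, raw


def corresponding_plan(pns, reduced_usage, opunit, mat2, op_out):
    """Map a plan of the reduced problem back to the original one: the same
    structure plus the omitted unit, used as often as op_out's demand for
    mat2 requires (mass balance on mat2)."""
    y = reduced_usage[op_out] * pns["in"][(mat2, op_out)] / pns["out"][(opunit, mat2)]
    return {**reduced_usage, opunit: y}


# Constructed sample: raw mat1 -> opunit -> mat2 -> op1 -> product prod.
ORIGINAL = {
    "products": {"prod"}, "raw": {"mat1"},
    "in":  {("mat1", "opunit"): 2.0, ("mat2", "op1"): 6.0},
    "out": {("opunit", "mat2"): 3.0, ("op1", "prod"): 1.0},
    "fc": {"opunit": 10.0, "op1": 20.0},
    "pc": {"opunit": 4.0, "op1": 5.0},
    "U": {"mat1": 100.0}, "L": {"prod": 5.0}, "c": {"mat1": 1.5},
}

if __name__ == "__main__":
    reduced = fuse_serial_materials(ORIGINAL, "mat1", "mat2")
    plan = {"op1": ORIGINAL["L"]["prod"]}           # produce 5 units of prod
    print(plan_cost(reduced, plan))                 # (125.0, {'newmat': 20.0})
    print(plan_cost(ORIGINAL, corresponding_plan(ORIGINAL, plan, "opunit", "mat2", "op1")))
```

With the sample numbers the new flow into op1 is 6 · 2/3 = 4, its proportional cost becomes 5 + 6/3 · 4 = 13 and its fix cost 30; producing 5 units of prod costs 125 in both problems and consumes 20 units of the raw material in both, which is the bijection between solutions the text describes.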

5.5 Related Work

Given the similar graphical notation and problem definition of Petri nets and PNS problems, there are works in the field of plant design [42] and workflow modeling [120] that focus on a specific field and mention both Petri nets and Process Network Synthesis as a solution platform, without comparing them.

5.5.1 PNS problem reduction

Merging reduction algorithm for PNS problems with fix cost. In [79] a merging reduction algorithm is introduced for PNS problems where (i) the operating units have only fix cost, and (ii) each operating unit consumes and produces 1 unit of each of its input and output materials, respectively.

The reduction algorithm is based on an equivalence relation on operating units: two operating units are in the same equivalence class if either both of them are included in a solution structure or both are excluded from it. Then the operating units in an equivalence class are substituted by one operating unit such that (i) the set of its input (output) materials is the union of the sets of the input (output) materials of the operating units in the equivalence class and (ii) the fix cost of the new operating unit is the sum of the fix costs of the merged operating units.

The authors showed in [79] that there is a bijective mapping between the solution structures of the original problem and the reduced problem, hence an optimal solution of the reduced problem unambiguously determines an optimal solution of the original problem.

In order to compare the reduction rules for PNS problems with the merging reduction algorithm, let us suppose that the PNS problem is in the form described in [79], i.e. all consumed and produced amounts of materials are 1 unit and the operating units have only fix cost.


• Fusion of serial operating units. In the reduction rule the operating unit opunit2 has only one input material, therefore it is involved in a solution structure if and only if material mat1 is needed for the production. Since material mat1 is not a raw material, it has to be produced. Material mat1 has only one input operating unit opunit1, therefore operating unit opunit1 also has to be involved in the solution structure.

If operating unit opunit2 is not in the solution structure, the material mat1 does not need to be produced, i.e. operating unit opunit1 is also excluded from the solution structure according to the SSG and ABB algorithms (see Sections 3.1.4, 3.1.5).

This way both operating units are either in a solution structure or not, i.e. they are in the same equivalence class, hence they are merged into one operating unit by the merging reduction. However, the resulting structures are not the same, since in the case of the PNS reduction rules the common material is excluded from the structure, while the merging reduction preserves all materials, see Fig. 5.4.

• Fusion of parallel operating units. An operating unit can be used during the production in any amount according to the available amount of its input materials. Since the parallel operating units opunit1 and opunit2 (i) have the same input material mat1, (ii) this material is their only input material, and (iii) both operating units consume 1 unit of material mat1, a feasible solution structure may contain only one of them. In other words, they are not in the same equivalence class, therefore they are not merged into one operating unit by the merging reduction.

• Fusion of parallel materials. In this case the two operating units opunit1 and opunit2 become serial after the application of the reduction rule fusion of parallel materials. Thus the two serial operating units are substituted by one operating unit by applying the reduction rule fusion of serial operating units.

At the same time, the two operating units are in the same equivalence class, and the merging reduction can be applied to them. Again, the two resulting structures are not the same, see Fig. 5.5.

• Fusion of serial materials. This rule merges two materials into one material, which is out of the scope of the merging reduction, since the latter focuses on the elimination of operating units and not of materials.

• Elimination of self-loop materials and operating units. The merging reduction does not handle these types of reduction.

• Although the merging reduction does not cover the results of all the reduction rules, the merging reduction may merge operating units that are not connected to each other by one material in the structure, i.e. the merging reduction may result in a greater reduction in the number of operating units.

Advanced reduction algorithm for PNS problems with fix cost. In [80] an advanced reduction algorithm was given that delivers an optimal solution by reducing the PNS problem. The algorithm consists of a selection and a deletion step, which are applied iteratively to the maximal solution structure of the current (reduced) problem. In the selection step a product is selected that is produced by exactly one operating unit. Since this product has to be produced, the selected operating unit has to be involved in each solution structure. Therefore this operating unit is eliminated from the PNS problem and a new PNS problem is created, where (i) the input materials of the selected operating unit become products, as they have to be produced by some operating units in order to enable the use of the eliminated operating unit, and (ii) the output materials of the selected operating unit are denoted as raw materials, since they are available in each solution structure because the eliminated operating unit is used in each solution. Then the maximal solution structure of the new PNS problem is generated and the selection step is applied again if possible.

If there is no more product that is produced by only one operating unit, the deletion step can be applied: if there is an operating unit opunit1 and a set of operating units O such that all the input materials of O are also input materials of opunit1 and all the output materials of opunit1 are also output materials of O, then the operating unit opunit1 is substituted by the set O if the overall cost of the operating unit set is less than the cost of opunit1. Then the maximal structure of the reduced problem is generated and the selection step is carried out again. The algorithm terminates if either none of the selection and deletion steps can be applied to the current PNS problem or there are no more operating units in the structure after the last deletion step. In the latter case an optimal solution is found.

Figure 5.4: Fusion of serial operating units and merging reduction

The selection step performs the fusion of serial materials if the selected operating unit has only one output material, which is a product, and the operating unit has exactly one input material. Similarly, the deletion step is related to the fusion of parallel operating units. However, the rest of the reduction rules are not covered by the advanced reduction algorithm.

The two reduction algorithms can be applied one after the other, which can result in an additional reduction of the size of the problem (see [80]). The reduction algorithms can be applied to PNS problems with fix cost and do not take into account the available amount of raw materials, the required amount of products, or the consumption and production rates of the materials of an operating unit. If the available amount of raw materials is infinite, 1 unit has to be produced of each product and the consumption and production rates are 1 in the PNS problem, then the reduction algorithms deliver an optimal solution. However, for other parameters the reduction algorithms cannot be used to reduce the structure. Example 32 in the Appendix illustrates how the reduction rules for PNS problems and the reduction algorithms are related.

5.6 Contribution

The results of the adaptation of PNS algorithms to Petri nets discussed in this chapter are summarized in Contribution 1.

Contribution 1 I analyzed the similarities and differences between Petri nets and PNS problems in order to characterize the application conditions of PNS algorithms for optimal trajectory problems over Petri nets.

1/1 I defined a structural mapping from any Petri net to a P–graph representation. I defined a mapping which derives a PNS problem from a Petri net optimal trajectory problem.


Figure 5.5: Fusion of parallel materials, serial operating units and merging reduction

1/2 I provided a structurally valid Petri net interpretation of the five PNS axioms that characterize the combinatorially feasible networks of a PNS problem.

1/3 I elaborated an algorithm to reduce the size of the PNS problem by adapting the Petri net reduction rules. I proved that the application of the reduction algorithm to the PNS problem preserves the reachability property and the cost of the production.

The corresponding publications are [4, 7–9].


Chapter 6

Optimal Trajectory Problem with Cost

Recently, the increasing complexity of information systems has provoked the development of methods that guarantee their correctness and quality of service. These requirements can be regarded as a set of logical and numerical conditions, where logical requirements can typically be formulated as (partial) reachability problems satisfying predefined conditions, while numerical conditions often form an optimization problem.

Such problems can be modeled by Petri nets extended with quantitative parameters. However, due to the large complexity of the reachability graph of a Petri net, the optimal trajectory problem is reduced to the search for an optimal Parikh vector: instead of generating an optimal trajectory, a candidate optimal Parikh vector is generated for the ILP problem abstraction of the OT problem (see Definition 17), accelerated by PNS algorithms, and the fireability of the Parikh vector is checked afterwards. The process is shown in Fig. 6.1.

However, the ABB algorithm delivers a solution with continuous values, since the usage of an operating unit is continuous, while Petri net transitions may fire only an integer number of times. This difference will be considered in the adaptation of the ABB algorithm, which searches for an optimal solution with integer variables. As I showed in Section 5.3.1, a Petri net optimal trajectory problem can be transformed into a form to which PNS algorithms can be applied, delivering structurally valid solutions for the optimal trajectory problem.

In the current chapter I introduce a modification of the ABB algorithm for the cost–optimal trajectory problem in Petri nets that delivers a candidate optimal Parikh vector (solution σ) for the problem. Since the fireability of the candidate Parikh vector is not guaranteed at its abstraction level, its fireability is checked afterwards (see Chapter 7).

• The ABB algorithm generates a solution (in the form of a vector) for PNS problems with a solution structure, but potentially with noninteger components. Thus there are solutions of the ABB algorithm that are not Parikh vectors.

• Since both the ILP problem abstraction of the OT problem and the MILP problem of the PNS problem take into account the mass balance in the corresponding network, there is no Parikh vector that is a solution for the ABB algorithm but not a solution for the ILP problem.

• However, algorithm ABB delivers only structurally valid solutions, i.e. there may exist solution Parikh vectors of the ILP problem that are not structurally valid.

• Nevertheless, the Parikh vector of an optimal trajectory is an optimal fireable Parikh vector that satisfies the ILP problem abstraction (see Section 2.1.2).

• Moreover, the spanned Petri net of the Parikh vector of an optimal trajectory is structurally valid, i.e. the Parikh vector can be delivered by the ABB algorithm.

According to these properties of the Parikh vector of an optimal trajectory, I modified the ABB algorithm to deliver an optimal, structurally valid Parikh vector for the ILP problem, whose fireability is checked afterwards. Such a Parikh vector is called a candidate Parikh vector. If the solution is proved nonfireable, the modified ABB algorithm is used to deliver the next best solution and its fireability is checked again. These steps are repeated either until a solution is found or until there is no more candidate solution.

Figure 6.1: ILP based generation of a candidate Parikh vector

6.1 Modification of the MSG Algorithm for the Petri Net OT Problem

In order to define the structure in a Petri net corresponding to a solution structure of the PNS problem, an initialization transformation of Petri nets was given and the five axioms were defined for the Petri net OT problem as necessary conditions for a solution in Section 5.3.1.

As an optimal trajectory has to fulfill the five axioms, the unnecessary elements of the Petri net can be eliminated by generating the maximal structure of the Petri net with respect to the OT problem. In addition, the size of the Petri net can be reduced by applying the reduction rules in Section 5.4.

The algorithm was applied to the Petri net OT problem with the following modifications: (i) the initialization transformation was applied to the input Petri net first, (ii) the algorithm was customized to the Petri net structure, and (iii) the maximal structure is reached by applying the reduction rules to reduce the size of the Petri net.

The input of the algorithm is the modified OT problem OT_init = 〈〈PN_init, c_init〉, M_init〉 (see Section 5.3.1). The algorithm delivers the structurally valid maximal structure of the OT problem in the form of the sets of involved places and transitions P_max, T_max, such that the structurally valid maximal structure of the Petri net is the spanned Petri net of the transition set T_max; this maximal structure of the Petri net is a superstructure of all structurally valid solutions. Then the reduction rules described in Section 5.4 are applied, which reduce the maximal structure if possible. The resulting structure is then called the maximal Petri net of the OT problem.

The maximal structure of the Petri net is generated by the algorithm described in Algorithm 5 in the Appendix.


The algorithm consists of the same reduction and composition parts as the MSG algorithm for PNS problems. However, since the transformed Petri net contains only initially marked places that have no input transitions, the first step is omitted.

• First, places are eliminated that are not connected to any transition, according to axiom (PN_A5).

• The second and last step of the reduction part is the elimination of those places and transitions to which there is no path from some initially marked place, i.e. they can never be marked or fired in the Petri net.

• The composition of the maximal structure starts from the set of places that have to be marked in the target state, since they have to be part of all structurally valid solutions according to axiom (PN_A1).

• In each step a place of the current structure is selected and the current structure is extended with the input transitions of this place and the input places of these transitions. This way all transitions in the current structure satisfy axiom (PN_A4).

• If the current structure cannot be extended further, then the current structure is itself the maximal structure of the Petri net, also called the maximal Petri net.

Due to the construction of the maximal Petri net in the algorithm, the derived Petri net is itself structurally valid and covers all structurally valid Petri nets. Since a solution for the Petri net OT problem is structurally valid, the optimal solution is also a solution of the OT problem restricted to the maximal structure of the Petri net.

In the following the SSG algorithm is adapted to the OT problem to show how the structurally valid solutions can be generated for the problem.

6.2 Solution Structure based Optimization

The state inequality based search for an optimal trajectory exploits only those structural features of the Petri net that describe the token balance at the places. However, the adaptation of algorithm SSG to Petri nets restricts the search space to the structurally valid solutions.

Since all structurally valid solution Petri nets are covered by the maximal structure of the Petri net, the input of the structurally valid Petri net generation algorithm is the OT problem OT_max = 〈〈PN_max, c_max〉, M_max, costLimit〉.

6.2.1 Generation of structurally valid solutions

The generation of the structurally valid solutions is given in Algorithm 6 in the Appendix; it is the same as the SSG algorithm in PNS (see Algorithm 2) with the criteria of a consistent decision mapping translated into Petri net terminology.

The input of the algorithm is the maximal structure of the Petri net, OT_max = 〈〈PN_max, c_max〉, M_max, costLimit〉. The algorithm builds the structurally valid solutions by a backward traversal of the Petri net, starting from the places that have to be marked in the partial target marking and proceeding towards the initially marked places.

The algorithm maintains a set of places P_to_be_reached that have to be reached. Initially this set is bound to the set of places that have to be reached in the target partial marking. A structurally valid solution is delivered by building a set of places P_sol and a set of transitions T_sol. These sets are initialized to the empty set. The algorithm calls the SSGPN(P_to_be_reached, P_sol, T_sol) procedure recursively to extend the current structure to a structurally valid solution.

A current Petri net structure P_sol, T_sol is extended towards a structurally valid solution by selecting a place p from the set P_to_be_reached and a set S from the power set of the input transitions of place p, i.e. S is a set of transitions that may put tokens into the place p. Each of these sets is checked as to whether it is appropriate to extend the current structure, i.e. whether the structure still remains consistent (as in the case of the PNS SSG algorithm).

A set of transitions S for a place p in the set P_to_be_reached is an appropriate selection if each input transition of p that is already in T_sol is involved in this set, i.e. •p ∩ T_sol ⊆ S. If an appropriate extension is found, the sets P_sol and T_sol are extended by p and S, respectively, and the set of places P_to_be_reached is updated by excluding p and including the new input places of the new transitions, except the places that are initially marked. If the set P_to_be_reached becomes empty, then a structurally valid solution is found. Otherwise the SSGPN procedure is called again with the updated sets.

Note that if an originally marked place has an input transition, then it may occur that some solution structures containing this place differ from each other only in the inclusion of the additional initial places. However, these solutions cannot be regarded as the same solution, because all the arc weights, the costs of the transitions and the token numbers in the initial marking influence the exact solution of the OT problem.

There are 128 structurally valid solutions for our running storage example in Example 14, generated by the modified algorithm (see Example 29 in the Appendix).
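The two algorithms described above, the maximal structure generation of Section 6.1 and the SSGPN procedure of this section, as one added Python example that is not code from the thesis. It works on the net structure only (pre- and post-sets of the transitions), since arc weights, costs and token counts play no role in either algorithm, and it assumes the input is the initialization-transformed OT problem, so initially marked places have no input transitions. The sample net, the function names and the dictionary layout are constructed for this example; the consistency check is applied in both directions, as the consistent decision mapping criterion of the PNS SSG algorithm requires.

```python
"""Maximal Petri net (Section 6.1) and structurally valid solutions (6.2.1).

Added example, not code from the thesis.  Only the net structure is used:
pre[t] / post[t] are the input / output place sets of transition t; arc
weights, costs and token counts are ignored because neither algorithm needs
them.  The input is assumed to be the initialisation-transformed OT problem,
so initially marked places have no input transitions.
"""
from itertools import combinations


def in_trans(place, post):
    """The input transitions of a place (the set written •p)."""
    return {t for t, outs in post.items() if place in outs}


def maximal_structure(places, pre, post, initial, target):
    """Adapted MSG: reduction then composition.  Returns (Pmax, Tmax)."""
    # Reduction step 1 (PN_A5): a place connected to no transition is dropped.
    connected = set().union(*pre.values(), *post.values())
    places = {p for p in places if p in connected}
    # Reduction step 2: drop places and transitions that no path from an
    # initially marked place reaches.  A transition can only fire once every
    # input place can be marked, so it is kept when all its inputs are kept.
    reach_p, reach_t = set(initial) & places, set()
    changed = True
    while changed:
        changed = False
        for t in pre:
            if t not in reach_t and pre[t] <= reach_p:
                reach_t.add(t)
                reach_p |= post[t] & places
                changed = True
    # Composition (PN_A1, PN_A4): start from the target places and repeatedly
    # add the input transitions of a place and the input places of those.
    p_max, t_max = set(target) & reach_p, set()
    frontier = list(p_max)
    while frontier:
        p = frontier.pop()
        for t in in_trans(p, post) & reach_t:
            if t not in t_max:
                t_max.add(t)
                for q in pre[t] & reach_p:
                    if q not in p_max:
                        p_max.add(q)
                        frontier.append(q)
    return p_max, t_max


def structurally_valid_solutions(pre, post, initial, target):
    """Adapted SSG (procedure SSGPN): backward traversal from the target places
    that enumerates every structurally valid solution as a transition set."""
    solutions = set()

    def ssg_pn(to_reach, p_sol, t_sol):
        if not to_reach:                       # nothing left to reach: a solution
            solutions.add(frozenset(t_sol))
            return
        p = min(to_reach)                      # any place works; sorted for determinism
        inputs = sorted(in_trans(p, post))
        for k in range(1, len(inputs) + 1):    # p is unmarked, so S must be non-empty
            for s in map(set, combinations(inputs, k)):
                # consistency, as for PNS decision mappings: every producer of p
                # already in Tsol must be in S (•p ∩ Tsol ⊆ S) ...
                if not (set(inputs) & t_sol) <= s:
                    continue
                # ... and a newly added transition may not feed a place whose
                # input set was already decided without it.
                if any(post[t] & p_sol for t in s - t_sol):
                    continue
                new_places = set().union(*(pre[t] for t in s)) - initial - p_sol - {p}
                ssg_pn((to_reach - {p}) | new_places, p_sol | {p}, t_sol | s)

    ssg_pn(set(target), set(), set())
    return solutions


def restrict(pre, post, t_set):
    """The spanned net of a transition set: keep only those transitions."""
    return {t: pre[t] for t in t_set}, {t: post[t] for t in t_set}


# Constructed sample OT problem (assumption of this example, not from the thesis).
PLACES = {"i1", "i2", "a", "g", "d", "z", "x"}     # x is isolated (violates PN_A5)
INITIAL = {"i1", "i2"}                               # initially marked places
TARGET = {"g"}                                       # place to mark in the target marking
PRE = {"t1": {"i1"}, "t2": {"i2"}, "t3": {"a"}, "t4": {"i2"},
       "t6": {"d"},     # d can never be marked: no path from an initial place
       "t7": {"i1"}}    # t7 only feeds z, which is not needed for the target
POST = {"t1": {"a"}, "t2": {"a"}, "t3": {"g"}, "t4": {"g"},
        "t6": {"g"}, "t7": {"z"}}


def run_sample():
    """Maximal net of the sample, then all structurally valid solutions on it."""
    p_max, t_max = maximal_structure(PLACES, PRE, POST, INITIAL, TARGET)
    pre_max, post_max = restrict(PRE, POST, t_max)
    return p_max, t_max, structurally_valid_solutions(pre_max, post_max, INITIAL, TARGET)


if __name__ == "__main__":
    p_max, t_max, sols = run_sample()
    print(sorted(p_max), sorted(t_max), len(sols))   # ['a', 'g', 'i1', 'i2'] ['t1', 't2', 't3', 't4'] 7
```

On the sample, the reduction removes the isolated place x and the unmarkable place d with its transition t6, the composition leaves out t7 and z because they do not lead to the target, and the SSGPN traversal then finds seven structurally valid transition sets: {t4} alone, and {t3} combined with any non-empty subset of {t1, t2}, each with or without t4.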

Algorithm ABB ensures the structural validity of a solution through the branching conditions, where the branching condition is the same as the subset selection for a selected material in the SSG algorithm. If the structurally valid solutions are generated a priori, their structure can be mapped into the ILP problem by additional variables and constraints on these variables. This mapping ensures that a solution is structurally valid, and the corresponding branching condition can be omitted.

Nevertheless, the union of two structurally valid solutions, i.e. the union of the transition sets of the two solutions, is also structurally valid. Thus it would be enough to generate a basis of structurally valid transition sets to represent all structurally valid solutions. A set of structurally valid transition sets is called a basis if each structurally valid transition set can be described as the union of some structurally valid transition sets in the basis.

If there are several alternative paths in the Petri net, the size of such a basis may be much smaller than the number of all structurally valid transition sets. Similarly to the set of all structurally valid solutions, the basis of the structurally valid transition sets can be generated a priori. Then the elements of the basis are mapped into the ILP problem of the OT problem, requiring a solution to have a support transition set that is the union of some basis elements. Since the basis elements are delivered a priori, the solution of the new ILP problem is proved to be structurally valid. Since the variables have to be integer, the ILP problem is solved either directly by a solver to deliver an integral solution, or by a user–defined Branch and Bound technique where the solver calculates only the non–integral solutions and branching is done by some heuristic.

6.2.2 Mapping of structurally valid solutions into the ILP problem

• In the first solution, all structurally valid solutions are generated by algorithm SSG in the form of characteristic vectors that represent structurally valid transition sets. These structures are mapped into the inequality system, introducing one binary variable for each structurally valid solution that is equal to 1 only if it is the characteristic vector of the candidate Parikh vector. Moreover, additional constraints force the variables of the Parikh vector to conform to exactly one characteristic vector of the structurally valid transition sets. This way it is ensured that the candidate optimal trajectory represents a structurally valid solution.

• Since the set of structurally valid solutions is closed under union, a minimal basis of structurally valid transition sets is generated. A set of structurally valid transition sets is called a basis if all structurally valid transition sets can be determined as the union of some basis elements. Then binary variables are added only for the basis elements in the ILP problem, and the additional constraints ensure that the characteristic vector of a solution is the logical union of some basis elements, i.e. it is structurally valid.

6.2.3 One binary variable for one structurally valid solution

Theorem 2 Let OTc = ⟨⟨PN, c⟩, M, costLimit⟩, where PN is already the maximal Petri net, be a cost–OT problem given together with the set of structurally valid solutions Tsol = {θk} generated by the modified SSG algorithm, such that θk is the characteristic vector of the corresponding structurally valid solution solk ∈ Tsol. Then the Parikh vector ~σs of an optimal solution trajectory s for the OT problem satisfies the following integer linear programming problem.

$$
\begin{aligned}
\min\ & c \cdot \vec{\sigma}_s \\
\text{subject to}\ & M \le M_0 + W \cdot \vec{\sigma}_s \\
& \vec{\sigma}_s \le K \cdot \sum_{sol \in T_{sol}} \alpha(sol) \cdot \theta_{sol} \\
& \sum_{sol \in T_{sol}} \alpha(sol) \cdot \theta_{sol} \le \vec{\sigma}_s \cdot K \\
& \sum_{sol \in T_{sol}} \alpha(sol) = 1, \\
& c \cdot \vec{\sigma}_s \le costLimit
\end{aligned}
$$

where $\vec{\sigma}_s \in \mathbb{N}^{|T|}$, $\alpha \in \mathbb{B}^{|T_{sol}|}$, $\mathbb{B} = \{0, 1\}$, $\theta_{sol} \in \mathbb{B}^{|T|}$ is the characteristic vector of the corresponding structurally valid solution, and $K \in \mathbb{N}$ is a big enough number to restrict the binary variables to 0 and 1.

PROOF Let s be an optimal solution trajectory for the OT problem, and ~σs its Parikh vector. Since s is an optimal trajectory for the defined OT problem, ~σs satisfies the first inequality in the ILP problem according to the reachability criterion of the OT problem.

At the same time, according to Theorem 1, the spanned Petri net of the trajectory is a structurally valid solution, i.e. its characteristic vector is included in the set Tsol. Let soli denote this structurally valid solution; then the characteristic vector of ~σs is equal to θsoli, α(soli) = 1, and α(solj) = 0 for all other structurally valid solutions. With this evaluation of the variables all inequalities become true.

Example 15 The above mixed integer linear programming problem can be formulated for the storage production example as follows, with M0 = (0, 0, 0, 0, 0, 1, 1, 1), M = (2, 3, 0, 0, 1, 0, 0, 0), costLimit = 5000.

$$
\begin{aligned}
\min\ & (87.5, 66, 57.2, 36.5, 42, 46.7, 0, 0, 0) \cdot \vec{\sigma} \\
\text{subject to}\ & (2, 3, 0, 0, 1, 0, 0, 0) \le (0, 0, 0, 0, 0, 1, 1, 1) +
\begin{pmatrix}
-1 & 1 & -1 & 0 & 0 & 0 & 2 & 0 & 0 \\
1 & -1 & 0 & -1 & 0 & 0 & 0 & 3 & 0 \\
0 & 0 & 1 & 0 & -1 & 1 & 0 & 0 & 0 \\
0 & 0 & 0 & 1 & 1 & -1 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 \\
0 & 0 & 0 & 0 & 0 & 0 & -1 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & -1 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & -1
\end{pmatrix} \cdot \vec{\sigma}, && (6.1) \\
& (87.5, 66, 57.2, 36.5, 42, 46.7, 0, 0, 0) \cdot \vec{\sigma} \le 5000 \\
& \vec{\sigma} \le 1000 \cdot \alpha^T \cdot SSM_{storage} \\
& \alpha^T \cdot SSM_{storage} \le 1000 \cdot \vec{\sigma} \\
& \alpha^T \cdot (1, \dots, 1) = 1,
\end{aligned}
$$

where $\vec{\sigma} \in \mathbb{N}^9$, $\alpha \in \mathbb{B}^{29}$, $SSM_{storage} \in \mathbb{B}^{129 \times 9}$, $\mathbb{B} = \{0, 1\}$.

An optimal solution occurrence transition vector ~σ = (0, 0, 2, 3, 0, 1, 0, 0, 0) with cost 270.6 is computed by the solver CPLEX. The yielded solution structure is s19 = (0, 0, 1, 1, 0, 1, 0, 0, 0), depicted in Fig. 6.2. For this occurrence transition vector there are several trajectories that have the optimal solution as their occurrence transition vector, one of them being s = ⟨test_R4A, test_R4A, test_R4B, test_R4B, test_R4B, reco_R4B⟩.

Figure 6.2: Optimal solution of the example OT problem

6.2.4 One binary variable for each basis structurally valid solution

Since the set of structurally valid solutions is closed under union, another approach is (i) to select a basis of the solution structures such that each solution structure can be expressed as the union of some basis elements, and (ii) the ILP model then needs only as many binary variables as the cardinality of the basis. This approach is encoded in the following ILP model.

$$
\begin{aligned}
\min\ & c \cdot \vec{\sigma}_s \\
\text{subject to}\ & M \le M_0 + W \cdot \vec{\sigma}_s \\
& \vec{\sigma}_s \le K \cdot \sum_{bsol \in B_{sol}} \alpha(bsol) \cdot \theta_{bsol} \\
& \frac{\sum_{bsol \in B_{sol}} \alpha(bsol) \cdot \theta_{bsol}}{K} \le \vec{\sigma}_s \\
& \sum_{bsol \in B_{sol}} \alpha(bsol) \ge 1,
\end{aligned}
$$

where $\vec{\sigma}_s \in \mathbb{N}^{|T|}$, $\alpha \in \mathbb{B}^{|B_{sol}|}$, $\mathbb{B} = \{0, 1\}$, $B_{sol}$ is the set of the characteristic vectors of the structurally valid basis solutions, $\theta_{bsol} \in \mathbb{B}^{|T|}$ is the characteristic vector of the corresponding basis structure, and $K \in \mathbb{N}$ is a big enough number to restrict the binary variables to 0 and 1.

Example 16 The 29 structures of the running example can be derived as the logical combination (disjunction) or union of other solution structures, e.g. s27 = (1, 0, 1, 1, 1, 1) = s5 ∨ s16 = (0, 0, 1, 0, 1, 0) + (1, 0, 0, 1, 1, 1) = s5 + s20 = (0, 0, 1, 0, 1, 0) + (1, 0, 1, 1, 0, 1).

Since the set of solution structures is closed under union, a minimum set of solution structures can be determined. One minimum basis of the above solution structures is {s1, s2, s3, s5, s6, s7, s12, s13, s14, s18}.

The drawback of the calculation based on solution structure generation is that the computation of all structurally valid solutions in advance may take exponential time due to the subset selection in the generation algorithm.

However, the branching condition in the ABB algorithm may be much more efficient if there are branches that can be pruned in an early phase by numerical cuts. In other words, the objective value of the best known structurally valid solution in the process provides an upper bound for any other branch, i.e. if there is a branch with a lower bound greater than this objective value, it can be pruned as it does not lead to any better solution. However, all structurally valid transition sets are visited in the worst case.

I modified the ABB algorithm to deliver a candidate optimal solution for the Petri net OT problem. The algorithm is modified (i) such that the initialization transformation is applied to the Petri net, and the reduction rules are applied to the maximal Petri net of the transformed Petri net. This Petri net is the input of the algorithm. (ii) The branching condition imposed on the structure of the Petri net is the same as in the Petri net SSG algorithm, and (iii) the algorithm is extended by traditional Branch and Bound steps that aim at the integrality of the solution Parikh vector.

6.3 Accelerated Branch and Bound Algorithm for the OT Problem

The ABB algorithm uses the structurally valid transition sets to guide the branching instead of mapping them into the ILP problem. The input of the algorithm is the maximal OT problem OTmax = ⟨⟨PNmax, cmax⟩, Mmax, costLimit⟩ of the OT problem OTinit = ⟨⟨PNinit, cinit⟩, Minit, costLimit⟩.

During the Branch and Bound algorithm the initial/current ILP problem is separated into subproblems by adding constraints of the following forms: σ(t) = 0, or 1 ≤ σ(t), to indicate the absence or presence of the corresponding transition in the solution structure. In addition, constraints of the forms σ(t) ≤ a, a ≤ σ(t) with a ∈ N, 2 ≤ a are used to separate the value domain of ~σ, eliminating the non–integral values.

In the main phase of the algorithm an LP relaxation of the current subproblem is solved, and then the branching decides about the containment of some transitions according to the generation of structurally valid solutions (see Procedure ABB in Algorithm 8 in the Appendix), i.e. a subset of the input transitions of a material to be produced is selected. However, it may happen that the extension leads to the same solution, i.e. the calculation of the relaxed problem of the new branch with the same solution is unnecessary. In this case Procedure ABB_process_next (see Algorithm 9) is called to deliver new subproblems.

If a structurally valid solution is reached but its solution is not integral, Procedure ABB_int (see Algorithm 10) continues the Branch and Bound algorithm, preserving the reached solution structure, until an integral solution is found or it is proven that there is no integral solution. The branching is done by restricting the value domain of some σ(t), adding the above constraints to the ILP problem. Bounding is performed by the value of the objective function in the relaxed problem: a branch is pruned if the objective value of the subproblem is greater than the objective value of the best known integral solution.

The steps of the algorithm are described in the following.

• ILP = (obj, const) denotes the current ILP problem, such that obj is the objective function and const is the set of constraints.


• relILP = (objILP, ~σILP) denotes the solution of the relaxation of an ILP problem.

• currentbest stores the current best solution, and U is the objective value of the solution currentbest.

• The algorithm builds a solution using (i) a set of places To_reach that have to be reached and are not processed yet, (ii) a set of transitions Trans representing the transitions selected into the current structure, and (iii) a set of places Places that contains the places already taken into the current structure.

The set To_reach is initialized to the set of products; the Trans and Places sets are set to be empty. The upper bound is initialized to costLimit + 1, since the cost of any solution must not exceed the cost limit.

The algorithm is illustrated by the following example.

Figure 6.3: An OT problem together with a solution Parikh vector that is not fireable

Example 17 Let an OT problem OTmax = ⟨⟨PNmax, cmax⟩, Mmax, costLimit⟩ (the maximal structure of OTinit = ⟨⟨PNinit, cinit⟩, Minit, costLimit⟩) be given, where

• the Petri net structure and the initial marking are shown in Fig. 6.3 on the left. The structure of this Petri net is the same as in the storage example, but the edge weights were changed according to the elements of the incidence matrix in the ILP problem below.

• The target (partial) marking is M = (0, 0, 8, 11, 0, 0, 0, 0), where the order of the places is R4A_untested, R4B_untested, R4A_tested, R4B_tested, test_cell, pR4A_untested, pR4B_untested, ptest_cell.

• Also the costs of the transitions were changed, c = (10.2, 50.1, 50.7, 50.8, 50.9, 50, 0, 0, 0) (where the order of the transitions is reco_ut_R4A, reco_ut_R4B, test_R4A, test_R4B, reco_R4A, reco_R4B, tR4A_untested, tR4B_untested, ttest_cell).


Then the ILP problem to solve is as follows.

$$
\begin{aligned}
\min\ & (10.2, 50.1, 50.7, 50.8, 50.9, 50, 0, 0, 0) \cdot \vec{\sigma}, && (6.2) \\
\text{subject to}\ & (0, 0, 8, 11, 0, 0, 0, 0) \le (0, 0, 0, 0, 0, 1, 1, 1) +
\begin{pmatrix}
-2 & 4 & -1 & 0 & 0 & 0 & 12 & 0 & 0 \\
3 & -2 & 0 & -1 & 0 & 0 & 0 & 7 & 0 \\
0 & 0 & 1 & 0 & -1 & 1 & 0 & 0 & 0 \\
0 & 0 & 0 & 1 & 1 & -1 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 77 \\
0 & 0 & 0 & 0 & 0 & 0 & -1 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & -1 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & -1
\end{pmatrix} \cdot \vec{\sigma}, && (6.3) \\
& \vec{\sigma} \in \mathbb{N}^9. && (6.4)
\end{aligned}
$$

The solution of the ILP problem is shown in Figure 6.4 in the form of a Branch and Bound tree. The above initial problem is the root of the tree, denoted by P0. At first, the relaxation of P0 (~σ ∈ R9) is solved by the simplex method (using the ILOG CPLEX solver). Since its solution ~σP0 is not integral, a structurally valid solution is searched for by selecting place R4A_tested from the initial set To_reach = {R4A_tested, R4B_tested} to be traversed by the algorithm.

Two transitions may produce tokens to the selected place: transitions reco_R4B and test_R4A. According to the ABB algorithm, the execution path is branched into three directions according to the three subsets of these transitions: either one of the transitions is included and the other is excluded from the structure, or both transitions are in the structure. In the ILP P1, transition reco_R4B is involved and transition test_R4A is excluded from the solution, i.e. constraints 1 ≤ σ(reco_R4B) and σ(test_R4A) = 0 are added. The solution of the relaxed problem P1 is ~σP1 = (4, 0, 0, 19, 0, 8, 1, 1, 0), which is integral with objective value 1406. Since an integral solution is found, the upper value U and the currently best solution currentbest are set to 1406 and ~σP1, respectively.

In the ILP P2, transition test_R4A is involved and transition reco_R4B is excluded from the solution, i.e. constraints 1 ≤ σ(test_R4A) and σ(reco_R4B) = 0 are added. Since σP0(test_R4A) = 1.333 > 1 and σP0(reco_R4B) = 0, the solution would be the same for the restricted problem P2 as for P0; therefore no calculation is needed, and the next place can be selected from the set To_reach.

The Branch and Bound tree is built by repeating these steps: select a place and its incoming transitions, then solve the ILPs until the set To_reach becomes empty, i.e. a structurally valid solution is found.

If a branch is found with a greater objective value than the current upper value U, the branch is pruned since it cannot lead to a better solution, and the execution backtracks to the last choice and selects another unprocessed set of incoming transitions. If a structurally valid solution is found but it is not integral, as in the case of problem P8, a variable is selected to separate its value domain in order to obtain an integral solution.

Problem P2 is separated into problems P3, P16, and P17 along the incoming transitions of place R4B_tested. Problem P3 is then branched into problems P4, P14, and P15.

Problem P4 leads to two integral solutions with the same objective value 984.8, which is better than the current 1406. Therefore the upper value U and the currently best solution currentbest are set to 984.8 and ~σP10 = (2, 0, 8, 11, 0, 0, 1, 1, 0), respectively.

These two solutions differ from each other only in the occurrence of transition ttest_cell. The other branches do not deliver better solutions, so the best two solutions are ~σP10 = (2, 0, 8, 11, 0, 0, 1, 1, 0) and ~σP13 = (2, 0, 8, 11, 0, 0, 1, 1, 1).


6.4 Spurious Solutions and Fireability

Although the solution of the ABB algorithm is structurally valid, its fireability is not proved. Therefore the Parikh vector delivered by the ABB algorithm is called a candidate solution for the optimal trajectory, and its fireability has to be proved.

Let us analyze the derived solution ~σP10 = (2, 0, 8, 11, 0, 0, 1, 1, 0) (see the corresponding solution structure in Fig. 6.3 on the right). In the solution trajectory, both transitions test_R4A and test_R4B should be fired, requiring tokens from place test_cell. However, no tokens can be produced into the place test_cell, since σ(ttest_cell) = 0. Hence, the solution ~σ is not fireable, and ~σ is called spurious.

Let us investigate the other optimal solution P13. This solution ~σ = (2, 0, 8, 11, 0, 0, 1, 1, 1) already contains transition ttest_cell: the solution is fireable with the firing sequence s = ⟨tR4A_untested, tR4B_untested, ttest_cell, reco_ut_R4A, reco_ut_R4A, 8 × test_R4A, 11 × test_R4B⟩.

Note that if there is no cycle in the Petri net, there exists a proper trajectory with the solution Parikh vector. If there is a cycle in the solution structure, there could be some places in the cycle that will never be marked (or never marked with the required amount of tokens) with respect to the given initial marking, although they are structurally valid. This may happen, for example, in the case of a place in a cycle that has both incoming and outgoing transitions, i.e. the place has a self–loop, such that tokens can be produced into the cycle only if this place gets a token.

Such a problem does not occur in PNS problems because the PNS processes are supposed to be in a stationary state, where the “catalyst” materials are implicitly assumed to be available in the required amount; however, they cannot be assessed by bill-of-material-like equations such as those used in the PNS model. Such a catalyst place is place test_cell in our running example: if it contains no token, none of the test transitions can fire.

In the Petri net optimal trajectory problem, catalysts are tokens in places that participate in a cycle. In contrast to PNS problems, these catalysts may be required for the fireability of a sequence.
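The check described above, carried out in code: an added example (not the thesis's own code) that encodes the net of Example 17 from the incidence matrix (6.3), verifies the state equation for both candidates, and then runs the Parikh-vector-guided search of Chapter 7 (a plain depth-first search here, standing in for the SPIN model checker) to show that ~σP10 is spurious while ~σP13 yields a firing sequence. The arc weights of the test_cell self-loop (1 in, 1 out) are an assumption, since they cancel out in the incidence matrix.

```python
"""Fireability check of candidate Parikh vectors for the OT problem of Example 17.

Added example, not code from the thesis: the net data follow Example 17 and the
incidence matrix of (6.3). The catalyst self-loop between test_cell and the two
test transitions cancels to 0 in W, so its arc weights (1 in, 1 out) are assumed.
"""

PLACES = ["R4A_untested", "R4B_untested", "R4A_tested", "R4B_tested",
          "test_cell", "pR4A_untested", "pR4B_untested", "ptest_cell"]
TRANSITIONS = ["reco_ut_R4A", "reco_ut_R4B", "test_R4A", "test_R4B", "reco_R4A",
               "reco_R4B", "tR4A_untested", "tR4B_untested", "ttest_cell"]
COST = [10.2, 50.1, 50.7, 50.8, 50.9, 50, 0, 0, 0]
M0 = (0, 0, 0, 0, 0, 1, 1, 1)
M_TARGET = (0, 0, 8, 11, 0, 0, 0, 0)

# PRE[t] / POST[t]: tokens one firing of t takes from / puts into each place.
PRE = {
    "reco_ut_R4A": {"R4A_untested": 2},
    "reco_ut_R4B": {"R4B_untested": 2},
    "test_R4A": {"R4A_untested": 1, "test_cell": 1},  # test_cell: assumed catalyst loop
    "test_R4B": {"R4B_untested": 1, "test_cell": 1},  # test_cell: assumed catalyst loop
    "reco_R4A": {"R4A_tested": 1},
    "reco_R4B": {"R4B_tested": 1},
    "tR4A_untested": {"pR4A_untested": 1},
    "tR4B_untested": {"pR4B_untested": 1},
    "ttest_cell": {"ptest_cell": 1},
}
POST = {
    "reco_ut_R4A": {"R4B_untested": 3},
    "reco_ut_R4B": {"R4A_untested": 4},
    "test_R4A": {"R4A_tested": 1, "test_cell": 1},
    "test_R4B": {"R4B_tested": 1, "test_cell": 1},
    "reco_R4A": {"R4B_tested": 1},
    "reco_R4B": {"R4A_tested": 1},
    "tR4A_untested": {"R4A_untested": 12},
    "tR4B_untested": {"R4B_untested": 7},
    "ttest_cell": {"test_cell": 77},
}

# The two best candidates delivered by the Branch and Bound tree of Fig. 6.4.
SIGMA_P10 = (2, 0, 8, 11, 0, 0, 1, 1, 0)
SIGMA_P13 = (2, 0, 8, 11, 0, 0, 1, 1, 1)

def cost(sigma):
    return sum(c * n for c, n in zip(COST, sigma))

def fire(marking, t, times=1):
    """Marking after firing t `times` times (no enabledness check; also used for M0 + W*sigma)."""
    m = list(marking)
    for p, w in PRE[t].items():
        m[PLACES.index(p)] -= times * w
    for p, w in POST[t].items():
        m[PLACES.index(p)] += times * w
    return tuple(m)

def state_equation_marking(sigma, m0=M0):
    """M0 + W * sigma with W = POST - PRE: the marking any trajectory with Parikh vector sigma ends in."""
    m = m0
    for t, n in zip(TRANSITIONS, sigma):
        m = fire(m, t, n)
    return m

def satisfies_state_equation(sigma, target=M_TARGET):
    """Reachability criterion of the ILP, M <= M0 + W*sigma: necessary but not sufficient."""
    return all(r >= m for r, m in zip(state_equation_marking(sigma), target))

def enabled(marking, t):
    return all(marking[PLACES.index(p)] >= w for p, w in PRE[t].items())

def find_trajectory(sigma, m0=M0):
    """Depth-first search restricted to the candidate: each transition t is fired exactly
    sigma(t) times. Returns a firing sequence, or None if the candidate is spurious."""
    remaining = dict(zip(TRANSITIONS, sigma))
    visited = set()  # (marking, remaining counts) pairs already explored

    def dfs(marking, path):
        key = (marking, tuple(remaining[t] for t in TRANSITIONS))
        if key in visited:
            return None
        visited.add(key)
        if not any(remaining.values()):
            return path
        for t in TRANSITIONS:
            if remaining[t] and enabled(marking, t):
                remaining[t] -= 1
                found = dfs(fire(marking, t), path + [t])
                remaining[t] += 1
                if found is not None:
                    return found
        return None

    return dfs(m0, [])

if __name__ == "__main__":
    for name, sigma in (("P10", SIGMA_P10), ("P13", SIGMA_P13)):
        trajectory = find_trajectory(sigma)
        print(name, "cost", round(cost(sigma), 1), "state equation:",
              satisfies_state_equation(sigma), "fireable:", trajectory is not None)
```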

As shown in Section 5.3.1, if the initialization transformation is applied to the Petri net OT problem, the transformed Petri net is already in the form to which the PNS algorithms can be applied, only customizing the algorithm to the Petri net terminology, and all theorems in PNS hold for the Petri net case.

6.5 Related Work

The use of integer programming methods in the analysis of Petri nets is not a novel idea in itself. In [94] deadlock detection was reduced to a mixed integer linear programming problem. In [88] the authors presented a further development of this approach to prove deadlock detection, mutual exclusion, and marking reachability and coverability. In contrast to our approach, this solution was based on the unfolding of the Petri net. Another unfolding-based solution is discussed for safe Petri nets in [56].

[74] extended the counterexample guided abstraction refinement for the Petri net reachability problem by means of T–invariants published in [128] to a larger set of problems. However, the algorithm still remained incomplete.

Linear algebraic algorithms were used to solve the Petri net reachability problem without state space explosion in [49, 115]. Although these techniques are powerful, in general they provide only semi–decision techniques to decide the reachability of a given marking. The authors used linear programming methods to solve diagnostic problems modeled by Petri nets in [104].

Several papers [72, 75] use stochastic Petri nets or timed Petri nets to model and solve scheduling and optimization problems (e.g. in the field of manufacturing systems). These approaches mainly use simulation and performance evaluation in order to solve the problem (for instance, in [131] profit function values are represented as a function of some given restrictions using simulation of stochastic Petri nets). Since we do not only want to solve the optimal trajectory problem (where we have fixed parameters assigned to the transitions), but also aim at simultaneous verification and optimization, these techniques are not appropriate for our purposes.

In [84] the author analyzed the executability of a given process network solution, where operating units consume exactly one unit of their input materials and produce exactly one unit of their output materials. This modified PNS problem was solved using automata theory, such that the problem is transformed into the problem of finding the shortest path in the weighted transition graph of the automaton constructed from the PNS problem. In the case of Petri nets where the weights of the arcs are restricted to one, the fireability of the candidate solution transition occurrence vector can be proved using this method.

There are some Petri net subclasses that always provide feasible solution nets if the five axioms are satisfied. Some of them are state machines, acyclic Petri nets and sound workflow nets [122].

The elaborated algorithms are novel with respect to the existing solutions (back in 2006) in the sense that (i) the existing solutions are either restricted to specific subclasses of Petri nets, (ii) they tackle different verification problems (e.g. deadlocks), and (iii) other solutions did not investigate the use of PNS methods for Petri net based optimization problems.

6.6 Contribution

The results in the adaptation of PNS algorithms to Petri nets discussed in this chapter are summarized in Contribution 2.

Contribution 2 I adapted various PNS algorithms to derive candidate Parikh vectors for the optimal trajectory problem over Petri nets.

2/1 I customized the PNS MSG algorithm to generate the maximal structure of a Petri net optimal trajectory problem. I interpreted the PNS SSG algorithm for Petri nets to generate the structurally valid solutions of a Petri net optimal trajectory problem. The corresponding publications are [4, 12, 13, 15–17].

2/2 I elaborated an algorithm which takes the set of all structurally valid solutions of a Petri net as input and calculates a candidate for an optimal Parikh vector as output. I elaborated another algorithm that generates the same output from a minimal basis of all structurally valid solutions of a Petri net as input. The corresponding publication is [4].

2/3 By adapting the PNS ABB algorithm to the Petri net optimal trajectory problem, I elaborated an algorithm which takes the maximal structure of a Petri net as input and calculates a candidate for an optimal Parikh vector as output by continuously checking the structural validity of the candidates. The corresponding publications are [4, 12, 13, 15–17].


Figure 6.4: Branch and Bound tree of the example OT problem


Chapter 7

Fireability Check and Trajectory Generation for the OT Problem

As shown in Section 6.4, the modified ABB algorithm and the SSG–based solutions provide only a semi–decision technique for the cost-OT problem, since the derived solution Parikh vector is structurally valid but is not proven to be fireable. In order to eliminate spurious solutions, the fireability of the candidate Parikh vector has to be checked and the corresponding trajectory has to be generated. Fig. 7.1 and Fig. 7.2 show the processes of the subsequent checks, reachability check, fireability check and trajectory generation, that are discussed in detail in this chapter.

Figure 7.1: Reachability function generation and reachability check

The analysis of an information system model frequently consists of subsequent reachability checks from different initial and to different target markings. This holds also for those information system models that contain many cycles. Therefore, a fast reachability check parameterized by the initial and the target marking is desired. The main advantage of such a check is that it is reusable in the analysis, i.e. the function has to be generated only once but can be used several times. This function is intended to give an answer whether a given target marking is reachable from a given initial marking, i.e. whether the target marking is a member of the state space imposed by the given initial state. Such a function can be generated as the transitive closure of the one–step transition relation and is called the reachability function (see Section 12.3).

Figure 7.2: Fireability check and trajectory generation

The main problems of such a reachability function are that

• usually the state space of an information system model is infinite; therefore the size of the input parameters of the function cannot be calculated a priori, and

• also the generation of the transitive closure consists of an exponential number of iterations.

However, the reachability function can still be generated with the restriction that it represents only a part of the whole state space, which can later be extended to represent a bigger part. This smaller part is the state space of the Petri net up to a certain point, which can be continued later if needed.

In the case of the cost-optimal trajectory problem, the aim of the reachability function based check is that it may filter some spurious solutions that are not fireable: if the reachability function delivers a negative answer for the initial marking and the Parikh vector compliant marking (i.e. the marking that is yielded by the candidate Parikh vector, also called target marking in the following), then the Parikh vector is not fireable. However, since a marking may be reached through several trajectories with different Parikh vectors in a Petri net, a positive answer does not guarantee the fireability of the candidate Parikh vector.

The target marking can be calculated by the state equation (see Def. 12), as the initial marking and the Parikh vector are known. Based on the state equation, an upper bound can also be calculated for the number of tokens at each place in the markings that are reached along a trajectory from the given initial marking to the target marking (if it exists). At the same time, the number of firings in the Parikh vector yields an upper bound for the number of iterations in the generation of the reachability function. If the given Parikh vector is proved to be spurious, then this function can be extended according to the next best solution.


If the target marking is not reachable, then the next best solution is generated by the ABB algorithm for the cost-OT problem, and the reachability function is updated according to the possibly greater upper bounds. This way, the reachability function does not have to be generated anew, only extended in the required size of parameters or depth.

If the target marking is proven to be reachable, the last step is the generation of the exact trajectory, if it exists. The state space traversal is guided by the candidate Parikh vector: the search space is restricted to those paths in which only the transitions of the Parikh vector fire, and only as many times as defined there. In addition, the further logical conditions to be satisfied are checked in this step.

The verification of the constraints and requirements of a system can be performed by model checking tools. Furthermore, a model checker is appropriate to deliver a trajectory according to the candidate Parikh vector if it exists. Hereafter the model checker SPIN is used.

The next sections discuss these steps in detail.

7.1 Reachability Function

The generation of the reachability function is based on the logical representation of the dynamic behaviour of Petri nets described in [101]. In Section 12.3 the so–called reachability function of bounded Petri nets was discussed.

The reachability function is used to check not directly the fireability of the candidate Parikh vector but the reachability of the target marking. The following definition clarifies the relationship between a solution trajectory and the reachability function.

Definition 38 (Reachability function compliance.) Let a Petri net cost-optimal trajectory problem OTc = ⟨⟨PN, c⟩, M⟩ be given. Then a Parikh vector ~σ is compliant with a marking Mtarget if M0 + W · ~σ ≥ M and M0 + W · ~σ = Mtarget.

Then a trajectory s is compliant with the reachability function if its Parikh vector ~σs is compliant with a marking Mtarget and M0[s⟩Mtarget, i.e. this marking is reachable by trajectory s starting from the initial marking M0.

Since our Petri net may have an infinite state space, the reachability function of the Petri net is extended step by step, starting from an initial bounded part of the Petri net state space.

1. In order to compute the reachability function, at first an a priori bound is calculated for the size of the reachable markings based on the candidate Parikh vector. Thus the input Petri net (part) is bounded.

2. Then the Petri net is transformed into a 1–bounded Petri net and the reachability function is generated for this Petri net.

3. The sum of the components of the candidate Parikh vector provides the necessary number of iterations to generate the reachability function as the transitive closure of the one-step transition relation. Thus, after exceeding this number of iterations, the computation of the reachability function is stopped, and it can be continued later, reusing the computed function.

4. If the reachability function is evaluated to true for the given markings, then a corresponding trajectory is searched for the candidate Parikh vector.

5. If the reachability function is evaluated to false, a new Parikh vector is generated by the adapted ABB algorithm described in Section 6.3, and the reachability function is extended according to the newly calculated bound.

Thus the reachability function is reusable in the sense that if the initial conditions are changed in an information system, i.e. the initial state is changed, then the existing reachability function can be extended to represent the state space of the new marking instead of generating it completely anew (although in this case the candidate Parikh vector has to be generated again).


7.1.1 Calculation of the a priori bound

Let a (potentially unbounded) Petri net PN = (P, T, F, w, M0) together with a candidate Parikh vector ~σ be given, and let $|\vec{\sigma}| = \sum_{t_j \in T} \sigma(t_j)$ denote the number of transition firings in the Parikh vector. Then the reachability function is calculated up to the first |~σ| iterations, i.e. at most |~σ| firings affect the token number in a place. This way the token number in a place pi may be increased in each iteration by at most the maximum token change $\max_{t_j \in T} W(p_i, t_j)$ (yielded by a transition). Since the reachability function is calculated up to the first |~σ| iterations, the number of tokens in a place pi may not exceed the upper bound $M_0(p_i) + \max_{t_j \in T} W(p_i, t_j) \cdot |\vec{\sigma}|$.

Based on this upper bound the Petri net can be transformed into a corresponding safe Petri net, and the reachability function can be computed.

7.1.2 Reachability function generation algorithm

The following algorithm was described in [101]: the algorithm generates the reachability function as the transitive closure of the single–step relation function, which is the disjunction of the transition relations (see Section 12.3).

The generation algorithm (see Algorithm 11) starts from the parametrical initial marking (see line 5 in the Algorithm) f0 : B|P| × B|P| → {0, 1}, such that f0(v1, . . . , vn, w1, . . . , wn) = 1 ⟺ M0 = (v1, . . . , vn) = (w1, . . . , wn). Then R0(PN, M0) = {M | f0(M0, M) = 1} = {M0}. The reachability function fi(M0, M) after the i-th iteration is evaluated to true if marking M is reachable from M0 by a firing sequence of length at most i. Then the next reachability function fi+1 is derived from fi as the disjunction of

• fi, since the markings that can be reached by firing at most i transitions can also be reached by firing at most i + 1 transitions, and

• the conjunction of the transition relation and the enabledness condition, encoded by function g, such that g “simulates” the firing of one arbitrary enabled transition at M = (v1, . . . , vn):

$$g(v_1, \dots, v_n, w_1, \dots, w_n) = 1 \iff \exists t \in T : \forall i : 1 \le i \le n : \delta^t_i(v_i) \equiv w_i \wedge E_t \qquad (7.1)$$

More formally,

$$g(v_1, \dots, v_n, w_1, \dots, w_n) = \bigvee_{t \in T} \left[ \bigwedge_{i=1}^{n} \left( w_i \equiv \delta^t_i(v_i) \right) \right] \wedge E_t. \qquad (7.2)$$

This way, fi+1 can be formalized as follows:

$$f_{i+1}(M_0, M) = f_i(M_0, M) \vee f_i(M_0, M') \wedge g(M', M) \qquad (7.3)$$

for some markings M′ ∈ B|P|. In other words, a marking M is reachable from M0 by firing at most i + 1 transitions if it is either reachable by firing at most i transitions from M0 (fi(M0, M) ≡ 1), or there exists a marking M′ such that M′ is reachable by firing at most i transitions from M0 (fi(M0, M′) ≡ 1) and M is reachable from M′ by firing one transition (g(M′, M) ≡ 1).

The transitive closure of the transition relation is then f, such that the function remains unchanged after applying the transition relation again and again: f := fk, where ∀i ∈ N : fk+i = fk, and fk ≠ fk−1. Then the set of reachable markings is derived as R(PN, M0) = {M | f(M0, M) = 1}.

7.1.3 Extension of the reachability function

The reachability function can be reused either if a new Parikh vector is generated or if the initial or the (partial) target marking is changed.


New Parikh vector If a target state was proven not to be reachable from the initial marking, a new candidate Parikh vector is generated. If the new Parikh vector yields a greater number of transition firings and a greater upper bound for the token number in the places, the reachability function has to be extended (otherwise the same reachability function can be used). As the previous upper bound was calculated from the number of fired transitions, the previous upper bound can be exceeded only in the subsequent transition firings. Thus the iteration has to be continued until the new number of transition firings is reached. At the same time, new variables are introduced for the places where the token number may exceed the previous upper bound. The new variables are involved only in the further iterations, in the same way as before.

New initial marking In case of a new initial or a new (partial) target marking, a new candidate Parikh vector has to be derived. If the upper bound for the new candidate Parikh vector and the new markings is less than or equal to the previous one, the reachability function does not have to be extended. In case of a greater upper bound, it has to be calculated again and the reachability function has to be extended accordingly.
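The iteration of equations (7.1)-(7.3) and its resumption for a longer candidate Parikh vector (Section 7.1.3), as an added example that is not code from the thesis: the Boolean functions $f_i$ and $g$ are represented by explicit sets of markings instead of ROBDDs, and the net, arc weights and initial marking are constructed for illustration.

```python
# Added example (not from the thesis): the reachability-function iteration of
# Section 7.1 on an explicit set of markings instead of a ROBDD. f_i(M0, .) is
# represented as the set {M | f_i(M0, M) = 1}; g is the one-step relation.
# The net, arc weights and initial marking below are constructed for illustration.
from typing import Dict, FrozenSet, List, Tuple

Marking = Tuple[int, ...]

# Constructed net over places (p1, p2, p3): for each transition the vectors
# of input weights w(p_i, t) and output weights w(t, p_i).
TRANSITIONS: Dict[str, Tuple[Marking, Marking]] = {
    "t1": ((1, 0, 0), (0, 1, 0)),   # p1 -> t1 -> p2
    "t2": ((0, 1, 0), (0, 0, 1)),   # p2 -> t2 -> p3
    "t3": ((0, 0, 1), (1, 0, 0)),   # p3 -> t3 -> p1 (closes a cycle)
}
M0: Marking = (2, 0, 0)


def enabled(t: str, m: Marking) -> bool:
    """Enabledness condition E_t: every input place holds at least w(p_i, t) tokens."""
    pre, _ = TRANSITIONS[t]
    return all(mi >= wi for mi, wi in zip(m, pre))


def fire(t: str, m: Marking) -> Marking:
    """Per-place update delta_t^i: m_i - w(p_i, t) + w(t, p_i)."""
    pre, post = TRANSITIONS[t]
    return tuple(mi - wi + vi for mi, wi, vi in zip(m, pre, post))


def g(m: Marking) -> FrozenSet[Marking]:
    """One-step relation of eq. (7.2): all markings reached from m by firing one
    enabled transition (the disjunction over t in T)."""
    return frozenset(fire(t, m) for t in TRANSITIONS if enabled(t, m))


def step(f_i: FrozenSet[Marking]) -> FrozenSet[Marking]:
    """Eq. (7.3): f_{i+1} = f_i OR (f_i(M0, M') AND g(M', M)), M' ranging over f_i."""
    return f_i | frozenset(m for m_prime in f_i for m in g(m_prime))


def extend(fs: List[FrozenSet[Marking]], max_steps: int) -> List[FrozenSet[Marking]]:
    """Continue the iteration from the stored f_0..f_k (Section 7.1.3): a candidate
    Parikh vector with more firings needs more iterations, but the functions already
    computed are reused. Stops early at the fixpoint f_{k+1} = f_k."""
    fs = list(fs)
    while len(fs) - 1 < max_steps:
        nxt = step(fs[-1])
        if nxt == fs[-1]:
            break
        fs.append(nxt)
    return fs


def reachability_function(m0: Marking, max_steps: int) -> List[FrozenSet[Marking]]:
    """f_0 = {M0}, then f_1, ..., up to max_steps iterations or the fixpoint."""
    return extend([frozenset({m0})], max_steps)


def reachable_within(m0: Marking, target: Marking, steps: int) -> bool:
    """f_steps(M0, target) == 1: target reachable by firing at most `steps` transitions."""
    return target in reachability_function(m0, steps)[-1]


if __name__ == "__main__":
    fs = reachability_function(M0, 50)
    print("fixpoint after", len(fs) - 1, "iterations,", len(fs[-1]), "reachable markings")
```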

Binary Decision Diagrams (BDDs) provide an efficient tool for Boolean function representation. BDDs were successfully applied in several fields and their application yielded a significant reduction in the size of the state space (e.g. in quantum circuit synthesis). Another advantage of the use of BDDs is that binary operations can be calculated in polynomial time in the size of the input BDDs [102].

The state space of a bounded Petri net can be characterized by its reachable markings. A marking can be represented by a set of Boolean variables using an encoding scheme of the token numbers in the places, while the dynamic behaviour is mapped into Boolean functions on these variables [100–102].

Since the reachability function generation consists of binary operations on Boolean functions, BDDs are an appropriate choice to represent the reachability function.

7.1.4 Reachability function as a binary decision diagram

As Binary Decision Diagrams (BDDs) [41] provide an efficient form to manipulate Boolean functions, we express the above Boolean functions $E_t$, $\delta$, $f_i$, and $g$ by Reduced Ordered Binary Decision Diagrams (ROBDDs) during the computation of the reachability function (for the definition of ROBDDs see Section 12.3.2). Then the disjunction and conjunction operations in the calculation of $g$, $f_0$, and $f_{i+1}$ can be executed directly on the ROBDD representations. The algorithm of the reachability function generation is given in Algorithm 11 in the Appendix.

In the generation of the next function $f_{i+1}$, not only the input parameters $v_1, \dots, v_n, w_1, \dots, w_n$ are used, but also auxiliary variables $r_1, \dots, r_n$ arise to relate the already reached markings given by $f_i$ and the new ones that are calculated from $f_i$ by applying the one-step transition relation function $g$. In each iteration, after $f_{i+1}$ has been computed, these auxiliary variables are omitted since they are determined unambiguously by the other variables, i.e. if these auxiliary variables are the last nodes in the ROBDD, then there is at most one path from the last non-auxiliary node to the 1 leaf.

Since the generation of the reachability function does not store the order of the transition firings, in order to save storage space, the described method is appropriate only to check the reachability of the target marking calculated from the candidate Parikh vector; it cannot generate a corresponding trajectory.

An example safe Petri net and its membership function are shown in Example 30 in the Appendix.

Example 18 Let us recall the storage production example. In Example 17 the ABB algorithm delivered two optimal solutions $\vec\sigma_{P10} = (2, 0, 8, 11, 0, 0, 1, 1, 0)$ and $\vec\sigma_{P13} = (2, 0, 8, 11, 0, 0, 1, 1, 1)$. At first, the reachability function is generated in 23 iterations according to the candidate Parikh vector $\vec\sigma_{P10} = (2, 0, 8, 11, 0, 0, 1, 1, 0)$. The a priori upper bounds for the tokens in the places are $M_0 + (12, 7, 1, 1, 77, 0, 0, 0) \cdot 23 = (276, 161, 23, 23, 1771, 0, 0, 0)$.

The marking yielded by the state equation is $M' = (0, 2, 8, 11, 0, 0, 0, 1)$ (i.e. if $\vec\sigma_{P10}$ is fireable then the reached marking is $M'$). The reachability function evaluates to false for $M_0 = (0, 0, 0, 0, 0, 0, 1, 1, 1)$ and $M' = (0, 2, 8, 11, 0, 0, 0, 1)$, i.e. $M'$ is not reachable from the initial marking by firing at most 23 transitions.


The next step is to analyze the next solution $\vec\sigma_{P13} = (2, 0, 8, 11, 0, 0, 1, 1, 1)$ as a candidate Parikh vector. Since there are 24 transition firings in $\vec\sigma_{P13}$, the reachability function has to be extended by one iteration, and the new a priori upper bounds are $M_0 + (12, 7, 1, 1, 77, 0, 0, 0) \cdot 24 = (288, 168, 24, 24, 1848, 0, 0, 0)$.

The marking yielded by the state equation is $M' = (0, 2, 8, 11, 77, 0, 0, 0)$ (i.e. if $\vec\sigma_{P13}$ is fireable then the reached marking is $M'$). The reachability function evaluates to true for $M_0 = (0, 0, 0, 0, 0, 0, 1, 1, 1)$ and $M' = (0, 2, 8, 11, 77, 0, 0, 0)$, i.e. $M'$ is reachable from the initial marking by firing at most 24 transitions.

Note that even if a marking is proven to be reachable, the trajectory that leads to this marking may have a Parikh vector other than the candidate one. In other words, although a marking $M$ can be calculated from several Parikh vectors $\vec\sigma$ as $M = M_0 + W \cdot \vec\sigma$, not all of them are fireable.

Thus the reachability function still does not give a proof but provides a filtering step, a semi-decision technique. A corresponding trajectory can be generated by traversing the state space. Although this could lead to state space explosion, the candidate Parikh vector reduces the search space to those trajectories that correspond to this Parikh vector, i.e. (i) only those transitions are considered for firing that are present in the Parikh vector, and (ii) only as many times as stated in the Parikh vector. Such a guided traversal can be performed by several tools. In the following, the search for such a trajectory is described using the SPIN model checker.

7.2 Trajectory Generation and Verification

If the candidate target marking is reachable, the last step is to generate a trajectory (see Fig. 7.1) that (i) corresponds to the candidate Parikh vector and (ii) satisfies the given constraints. The generation of such a trajectory needs the efficient discovery of the state space and the check of the given properties of the modeled system.

Model checking in computer science means the automatic check of the fulfillment of some properties in a model [32]. The aim of model checking is to give efficient techniques to find a proof automatically for the satisfaction of a property.

I use the model checker SPIN both to verify the system model and to generate an optimal trajectory. The input of the model checker is a transition system in the Promela language. (For details see Section 12.4.)

I transformed the Petri net of the cost-OT problem into Promela as follows.

• The input of the model checker is (i) the number of tokens at the initial marking, (ii) the transition occurrences in the candidate Parikh vector, and (iii) the structure of the Petri net.

• The variables of the system are the place variables, nonnegative integers counting the token number in the places, and the nonnegative integer transition variables that count how many times a PN transition has been fired up to the current state.

• Then a transition system in the Promela language that is functionally equivalent to the Petri net is derived based on the structure of the Petri net. Each PN transition is modeled by a Promela transition whose guard requires at least as many tokens in the input places of the PN transition as defined by the weight function, and whose post condition updates the place variables according to the weight function.

• Then the trajectory generation is accelerated by using the candidate Parikh vector to guide the exploration of the state space: a branch is pruned if the number of firings of a transition would exceed the corresponding transition occurrence number in the input candidate Parikh vector. The negation of this guiding criterion is embedded into the linear temporal logic expression together with those initial constraints that cannot be modeled explicitly in the Petri net. This way an optimal trajectory (if it exists) is delivered as a counterexample.

• Since the transition system has to be bounded, an upper value for the place variables and for the number of transition firings is calculated according to the candidate Parikh vector.

In the following, the steps of the encoding of the Petri net into a transition system are discussed in detail.


7.2.1 Finite model

Since Promela requires each variable to have a finite range, an a priori upper bound for the variables has to be calculated based on the candidate Parikh vector.

Let a cost-optimal trajectory problem $OT_c = \langle PN_c, M \rangle$ with Petri net $PN_c = \langle \langle P, T, F, w, M_0 \rangle, c \rangle$ together with a candidate Parikh vector $\vec\sigma = (\sigma_1, \dots, \sigma_m)$ be given. Since we know the exact number of firings of the individual transitions, the upper bound vector $upper_{\vec\sigma} = (ub_1, \dots, ub_n)$ is appropriate to restrict the values of the transition occurrence variables. The token numbers of the Petri net places are also calculated by means of this vector: the sum of the increase in the token number in the individual places imposed by the fired transitions, plus the tokens in the initial marking, overapproximates the number of tokens in the places. Formally,

$$\forall p_i \in P : ub_i = M_0(p_i) + \sum_{t_j \in T :\, 0 < w(t_j, p_i)} W(p_i, t_j) \cdot \sigma_j,$$

which cannot be exceeded during the firing of $\vec\sigma$.

7.2.2 Petri net as a Promela transition system

The aim of the use of the model checker is to generate the optimal trajectory compliant with the given Parikh vector. The SPIN model checker traverses the state space of the underlying system, analyzing the satisfaction of the LTL formula on each execution path. If the formula is violated by a trajectory, the run of the model checker is stopped and the violating trajectory is delivered as a counterexample.

In case of the cost-optimal trajectory problem, the LTL formula expresses the proposition that there is no trajectory that corresponds to the given Parikh vector. If this formula is violated, then a fireable transition sequence has been found that is exactly an optimal one.

In SPIN, LTL formulae are translated into special high-priority Promela processes (automata) during compilation. In fact, the desired property can be interpreted as a special error transition (called a never claim) which interrupts the run of the model checker if fired at any time and retrieves the error trace.

Promela model Promela models consist of three types of objects: processes, message channels, and variables. Processes are global objects, while message channels and variables can be declared either globally or locally within a process. Processes specify behavior; channels and global variables define the environment in which the processes run.

In case of the Petri net, the corresponding transition system has to simulate the token change in the net and the firing of transitions. The structure of a Petri net is encoded in Promela (based on [71])

• by declaring nonnegative integer place (transition) variables that store the actual token numbers at the individual places (the current number of firings of the corresponding transition), and

• describing the firing of Petri net transitions as a transition system.

The firing rules are encoded into behaviorally equivalent transitions of the corresponding transition system (TS) in Promela, where a transition of a TS is composed of a guard and state variable updates. Behavioral equivalence means that whenever a Petri net transition is enabled, the guard of the corresponding transition in the TS evaluates to true, so the transition can be fired (and vice versa).

The effects of firing a transition are encoded as state variable updates. These updates describe the token change at the individual places.

LTL expression In the cost-OT problem, the LTL expression evaluates to true if there is no trace whose Parikh vector is equal to the candidate Parikh vector: the number of firings of the individual transitions in the trace is counted and compared to the candidate Parikh vector.

In LTL terms, the candidate Parikh vector is fireable if the LTL formula $G\,\neg p$ is violated, where $p$ is the property describing the desired situation and $G$ means “always”. Then the model checker reports a counterexample trace that is exactly a desired trajectory. If the property $G\,\neg p$ is found valid by the model checker, then the candidate transition occurrence vector is not fireable.


The Promela encoding of a Petri net is discussed in detail in Section 12.9 in the Appendix. The run of the model checker finishes either (i) if the above LTL property is violated, i.e. a counterexample, a valid trajectory, is found, or (ii) when all other branches are pruned. If the model checker does not deliver any valid trajectory, then the next best solution is computed for the cost-optimal trajectory problem by solving the ILP problem (extended by a constraint that eliminates the previous candidate transition occurrence vector). Then the reachability of the target marking is tested, and if it is reachable, the Promela model is modified according to the current candidate Parikh vector and the optimal trajectory is generated if it exists, and so on.

Example 19 Let us recall the storage production example. In Example 18 the reachability function evaluated to true for the candidate Parikh vector $\vec\sigma_{P13} = (2, 0, 8, 11, 0, 0, 1, 1, 1)$ and for the markings $M_0 = (0, 0, 0, 0, 0, 0, 1, 1, 1)$ and $M' = (0, 2, 8, 11, 77, 0, 0, 0)$.

The Promela model for $\vec\sigma_{P13}$ has the upper bounds $(2, 0, 8, 11, 0, 0, 1, 1, 1)$ for the transition firings, while the upper bounds for the places are $(12, 13, 8, 11, 77, 0, 0, 0)$.

The SPIN model checker returns the fireable trajectory tR4A_untested, ttest_cell, 8 · testR4A, tR4B_untested, 7 · testR4B, 2 · reco_ut_R4A, 4 · testR4B as a counterexample for the LTL expression that encodes the transition firing numbers of the candidate Parikh vector.

Had $\vec\sigma_{P13}$ not been fireable, the next best solution would have been generated by the modified ABB algorithm as a candidate Parikh vector, and the checks would have been performed again.

SPIN is also used to verify those logical constraints that cannot be modeled explicitly in the Petri net. In the following, some typical requirements that frequently have to be proved in critical systems are listed in the terminology of Petri nets.

7.2.3 Typical verification issues as LTL expressions

Typical Petri net analysis questions are listed in [97]. The analyzed properties can be separated into two groups: dynamic and structural ones. Structural properties depend on the topological structure of the net and are independent from the initial marking, while dynamic properties depend on the initial marking. The latter can be checked by the SPIN model checker using LTL temporal logic expressions.

In the following, the most frequently used properties are described as LTL expressions for a Petri net $PN = (P, T, F, w, M_0)$. The number of tokens in a place $p_i \in P$ is denoted by the integer variable $Place_i$ in the expressions.

• Deadlock A system is in deadlock if there is no more action to be carried out. Guaranteeing the absence of deadlock is crucial in safety critical systems, e.g. in a car or an air traffic control system.

A Petri net has a deadlock if there is a reachable state in which no transition is enabled. A corresponding LTL formula is $G(DEADLOCK = 0)$, where $DEADLOCK$ is a Boolean variable with initial value 0 that is changed to 1 by an additional transition in the Promela code whose guard becomes true if there is no other enabled transition.

In order to check the above expression, i.e. whether the model is always free from deadlock, SPIN tries to find a trace leading to deadlock. If there exists no such trace, the property is satisfied. Otherwise the counterexample delivered by SPIN is exactly a trace from the initial marking to a dead state.

• Reachability, coverability The reachability check of a state means that the system will eventually reach this state.

In case of a Petri net, the reachability problem is to decide whether a marking $M$ can be reached from marking $M_0$, while the coverability problem is to answer whether there is a trajectory from the initial marking $M_0$ to a marking $M$ that covers a given marking $M_{partial}$, i.e. $M \ge M_{partial}$.

The LTL formula of the reachability criterion compares the token numbers in the places with the token numbers in the marking to be reached. Formally, $F\big((Place_1 = M(p_1)) \wedge (Place_2 = M(p_2)) \wedge \dots \wedge (Place_n = M(p_n))\big)$.


The coverability problem compares the token numbers in the places with those in the partial marking that has to be covered, i.e. exceeded. Formally,

$$F\big((Place_1 > M(p_1)) \wedge (Place_2 > M(p_2)) \wedge \dots \wedge (Place_n > M(p_n))\big).$$

An example problem is when the reachability of an unwanted state has to be checked or a desired state has to be reached.

• Reversibility and home state A Petri net is reversible if the initial marking is reachable from each reachable marking, i.e. the Petri net can return to the initial state. If there is a state (not necessarily the initial state) that is reachable from each reachable state, i.e. the Petri net can return to this state, then this state is called a home state. Such a state can be a safe state in the system, e.g. the red traffic light after a power cut or a restart state in case of an elevator.

• Liveness Liveness means that something “good” will eventually happen, and this statement is true at each moment in time. An example could be a traffic light system where “green light is on” is the good thing, or an elevator that always returns to the ground floor if there is no request. A corresponding LTL expression is $GF(\text{good thing happens})$.

In this case SPIN tries to find a(n infinite) loop in which the “good thing” does not happen as a counterexample. In Petri nets the liveness problem is to decide whether the net is live, i.e. whether each transition will eventually be enabled starting from any reachable marking.

In addition, quantitative questions can also be answered using either global or local variables. When a quantitative variable is included in the LTL expression, a change in this variable also changes the LTL expression itself, generating a new LTL expression. This dynamic tracking of quantitative variables enables an efficient guidance of the state traversal.
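The Promela encoding of Sections 7.2.1 and 7.2.2 (place and transition counters bounded by the candidate Parikh vector, guards and updates derived from the weight function, the claim $G\,\neg p$) together with the DEADLOCK transition and claim of Section 7.2.3, as an added example that generates the model text. This is not the thesis's own generator nor the encoding of [71]; the net and the candidate Parikh vector are constructed, and token counts are assumed to fit in a Promela `byte`.

```python
# Added example (not the thesis's own code): emits the Promela transition system
# of Section 7.2.2 for a Petri net, guided and bounded by a candidate Parikh
# vector (Section 7.2.1), plus the optional DEADLOCK transition and claim of
# Section 7.2.3. The net and the Parikh vector below are constructed.
from typing import Dict, List, Optional, Tuple

Marking = Tuple[int, ...]

# Constructed net: p1 -> t1 -> p2, p2 -> t2 -> p3, p3 -> t3 -> p1. For each
# transition: input weights w(p_i, t) and output weights w(t, p_i), in PLACES order.
PLACES = ["p1", "p2", "p3"]
TRANSITIONS: Dict[str, Tuple[Marking, Marking]] = {
    "t1": ((1, 0, 0), (0, 1, 0)),
    "t2": ((0, 1, 0), (0, 0, 1)),
    "t3": ((0, 0, 1), (1, 0, 0)),
}
M0: Marking = (2, 0, 0)
SIGMA = {"t1": 2, "t2": 1, "t3": 0}   # constructed candidate Parikh vector


def place_upper_bounds(m0: Marking, transitions, sigma: Dict[str, int]) -> List[int]:
    """ub_i = M0(p_i) + sum over t_j with w(t_j, p_i) > 0 of w(t_j, p_i) * sigma_j
    (Section 7.2.1): the token count of p_i cannot exceed ub_i while firing sigma."""
    return [m0[i] + sum(post[i] * sigma[t] for t, (_, post) in transitions.items() if post[i] > 0)
            for i in range(len(m0))]


def promela_model(places: List[str], transitions, m0: Marking,
                  sigma: Optional[Dict[str, int]] = None, deadlock: bool = False) -> str:
    """Build the Promela text. With `sigma`, each PN transition t gets a counter n_t
    whose guard n_t < sigma_t prunes branches exceeding the Parikh vector, and the
    claim G !p is emitted with p = "all counters equal sigma". With `deadlock`, an
    extra option sets DEADLOCK when no other option is enabled (Section 7.2.3)."""
    out: List[str] = ["/* generated from the Petri net; assumes all bounds fit in a byte */"]
    ubs = place_upper_bounds(m0, transitions, sigma) if sigma else [None] * len(places)
    for p, tok, ub in zip(places, m0, ubs):
        out.append(f"byte {p} = {tok};" + (f"  /* ub {ub} */" if ub is not None else ""))
    if sigma:
        out += [f"byte n_{t} = 0;  /* fires at most {k} times */" for t, k in sigma.items()]
    if deadlock:
        out.append("bool DEADLOCK = 0;")
    out += ["active proctype net() {", "end:", "  do"]
    guards: List[str] = []
    for t, (pre, post) in transitions.items():
        g = [f"{p} >= {w}" for p, w in zip(places, pre) if w > 0] or ["true"]
        if sigma:                                   # Parikh-vector guidance
            g.append(f"n_{t} < {sigma[t]}")
        # Post condition: token change w(t, p_i) - w(p_i, t) per place.
        upd = [f"{p} = {p} {'+' if v > w else '-'} {abs(v - w)}"
               for p, w, v in zip(places, pre, post) if v != w]
        if sigma:
            upd.append(f"n_{t}++")
        guard = " && ".join(g)
        guards.append(guard)
        out.append(f"  :: d_step {{ ({guard}) -> {'; '.join(upd) or 'skip'} }}")
    if deadlock:
        none_enabled = " && ".join(f"!({g})" for g in guards)
        out.append(f"  :: d_step {{ ({none_enabled} && DEADLOCK == 0) -> DEADLOCK = 1 }}")
    out += ["  od", "}"]
    if sigma:
        # Violated exactly by a trajectory whose Parikh vector equals sigma.
        p = " && ".join(f"n_{t} == {k}" for t, k in sigma.items())
        out.append(f"ltl parikh {{ [] !({p}) }}")
    if deadlock:
        out.append("ltl nodeadlock { [] (DEADLOCK == 0) }")
    return "\n".join(out)


if __name__ == "__main__":
    print(promela_model(PLACES, TRANSITIONS, M0, SIGMA))
    print(promela_model(PLACES, TRANSITIONS, M0, deadlock=True))
```

Running `spin -a` on the first model and compiling the generated verifier reports a counterexample trail iff the constructed Parikh vector is fireable; the second model is checked the same way against the `nodeadlock` claim.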

7.3 Optimal Trajectory Generation using Dynamic LTL Expression in the Model Checker SPIN

The combined optimization and reachability analysis approach can be performed by directly using only the SPIN model checker. The combined technique is a customization to the Petri net optimal trajectory problem of [112], where optimal scheduling problems are solved by embedding Branch and Bound techniques into the model checker SPIN. The main advantage of this solution is that the numerical constraints are encoded into the dynamic LTL formula to cut off suboptimal paths violating the Branch and Bound heuristics.

The algorithm is adapted to the cost-optimal trajectory problem following [3], where the same approach was discussed for graph transformation systems with time.

1. First, a functionally equivalent transition system (TS) of the Petri net in the Promela language is derived as shown in Section 7.2.2, together with the declaration of the global variable cost, which is changed by firing a transition in the d_step statements according to the cost parameters of the transitions in the cost-OT problem.

2. The partial reachability property, i.e. the covering of the partial target marking, is encoded as a separate Promela process (instead of encoding the candidate Parikh vector, since it is not calculated in this approach). If the desired marking is reached on an execution path and the cost of this solution is better than the cost of the best solution found up to this point, the value of the optimal cost global variable is replaced by this better value.

3. To find the optimal solution with a single exhaustive run of the model checker, the state space is pruned by Branch and Bound techniques at suboptimal solutions. The bounding criterion is encoded into the property to be verified, stating that the current cost will eventually become larger than or equal to the best cost on each execution path, changing dynamically during the model checking process.


The main disadvantage of this approach is that the model checker requires a finite transition system, i.e. an a priori upper bound should be calculated for the token number in the individual places. Otherwise the declaration of the Petri net in the model checker is difficult, and the increased size of the traversed state space may cause the model checker to crash. Such an upper bound can be calculated by means of the upper limit $costLimit$ budget of the cost-OT problem.

7.4 Related Work

The idea to use a model checker to deliver an optimal solution for an optimization or scheduling problem has appeared in several papers. In the following related work, the objective of the problem is translated into a reachability condition that is encoded into a temporal logic expression to be verified by a model checking tool. For such problems timed automata were used in [57] to model a steel plant and the corresponding scheduling problem. The scheduling problem was solved using the UPPAAL tool, which is a model checker for networks of timed automata. In [39] the design of a PLC controller was verified and the PLC control schedule was optimized using the SPIN model checker. However, these approaches were developed to solve domain specific problems and are difficult to use in case of the cost-optimal Petri net trajectory problem.

The introduced algorithms are compared in Chapter 10. The results show that the sole use of the model checker to deliver an optimal solution may be faster in certain cases; however, it fails with a timeout if the Petri net OT problem has too many cycles.

7.5 Contribution

The results in the fireability check of the candidate optimal Parikh vector discussed in this Chapter are summarized in Contribution 3.

Contribution 3 I proposed various state space exploration and reduction techniques for Petri nets to deliver fireable trajectories relying on various upper bounds (such as candidate Parikh vectors or explicit limits on exploration depth) on the structure of the state space used as exploration hints.

3/1 I proposed the use of the reachability function of Petri nets to check the reachability of a marking compliant with a candidate optimal Parikh vector. The reachability function encodes the (finite) transitive closure of the one-step transition function parametrized by the initial state in the form of Binary Decision Diagrams (BDDs), thus providing a fast and reusable filtering of candidate Parikh vectors. The results of this thesis were published in [4, 12–16].

3/2 I elaborated an algorithm using the SPIN model checker tool for the generation of a fireable trajectory from an initial marking that is compliant with (1) a candidate optimal Parikh vector, (2) the reachability function of the Petri net and (3) additional temporal logic expressions. The results of this thesis were published in [4, 12–14, 16, 19].

3/3 I proposed a direct encoding of the optimal trajectory problem of bounded Petri nets into the SPIN model checker with on-the-fly optimization during verification, customizing the solution in [112] for the Petri net optimization trajectory problem. In this technique, the numerical criterion of the Branch and Bound algorithm is also embedded into the linear temporal logic formula of the verification condition, thus state space exploration simultaneously checks both the logical and numerical conditions. The corresponding publications are [3, 4].


Chapter 8

Time-Optimal Trajectory Problem

IT systems frequently have to satisfy time critical requirements such as deadlines or limits on response time. The inclusion of time into the model requires modeling time and how time elapses. Time can be either discrete or continuous, and the elapse of time may be imposed by a global clock or only by the execution of tasks, etc.

The overall time of a process or of the operation of the system is the time that elapses between the start of the process and the end of the last task executed in the process. Since some tasks can be executed in parallel, the calculation of the elapsed time is not additive as in case of cost. However, the sum of the durations of the involved tasks is an upper bound for the elapsed time.

As an analogy to the cost-optimal trajectory problem, the time-optimal trajectory problem can be defined in case of timed systems.

There are several Petri net variants that model time (see Section 2.3.1). Hereafter the optimal trajectory problem is discussed in case of Petri nets with duration parameters (see Section 2.4.2), where a duration is assigned to each transition. In this case the aim is to find an appropriate trajectory with minimal duration, where the duration of the trajectory is defined as the time elapsed between the start of the firing of the first transition in the trajectory and the end time of the transition in the sequence that ends last.

The main idea of the approach is the time-instant based marking representation and the time-instant based counting of the firings.

8.1 Time–instant based ILP

In order to describe the time-optimal trajectory problem in the form of an ILP problem, let us consider the difference between the calculation of the cost and of the time of a trajectory. The cost of a trajectory is the sum of the costs of the involved transitions, which is independent from the order of the firing of the transitions. In case of time, the overall duration of the trajectory depends on the order of the firing of transitions: for instance, if two non-conflicting transitions fire one after the other, then the joint time of their firing is the sum of the transition durations. However, the joint time of their firing is shorter if they fire concurrently.

The base of the cost-optimal ILP program is the token balance of the places together with the initial and target markings. If there exists a time-optimal trajectory, then this trajectory also has to satisfy the same state inequalities. However, the objective function has to be modified to deliver a time-optimal solution: the end time of the firing sequence (i.e. the earliest time at which all firings are finished) has to be minimized. There are then several possibilities to deliver the optimal trajectory, which are discussed in detail in the following.

Let us at first recall the definition of a time-optimal trajectory (Def. 20). Let a Petri net with duration parameters $PN_d = \langle (P, T, F, w, M_0), d \rangle$, a partial target marking $M_{partial}$ and $timeLimit \in \mathbb{N}$ be given. Then the time-optimal trajectory problem (shortly OT problem), denoted by $OT_d = \langle PN_d, M_{partial}, timeLimit \rangle$, is to find a trajectory $s$ starting from $M_0$ such that (i) it covers $M_{partial}$, (ii) the duration of every other trajectory $s'$ that starts from $M_0$ and covers $M_{partial}$ is not smaller than the duration of $s$, and (iii) the duration of the trajectory does not exceed the global time limit, i.e. $d(s) \le timeLimit$.


Figure 8.1: Solving the Petri net time-OT problem

In order to formulate an integer linear programming problem for the above OT problem, I use discrete time, i.e. the token balance is established at each time instant: the state equations have to be satisfied for each time instant within a time horizon. The formulation of these equations is given as follows.

• Let the variable $token[p_i][\ell]$ denote the number of tokens at place $p_i$ at time instant $\ell$. (This variable is denoted by $M(\ell, p_i)$ in [108].) The dynamic behaviour of a Petri net is described by the transition firings. In case of untimed Petri nets, a transition sequence shows the order of transition firings. In case of timed Petri nets, a transition $t_j$ may be fired more than once at the same time instant if there are enough tokens on its input places for each firing; these firings are then executed concurrently. $\sigma[t_j][\ell][\ell + d(t_j)]$ shows how many times transition $t_j$ started to fire at time instant $\ell$. The parameters $[\ell]$ and $[\ell + d(t_j)]$ denote the start and the end time of the transition firing, respectively, where $d(t_j)$ is the duration of transition $t_j$. The tag $\ell + d(t_j)$ is not necessary, because it can be calculated from the starting time; however, its usage facilitates the further indexing of the inequalities. The token change in place $p_i$ at a time instant $\ell$ can be calculated by

– subtracting the number of tokens that are removed by transitions starting their firing at time instant $\ell$: $\sum_{t_j \in T} \sigma[t_j][\ell][\ell + d(t_j)] \cdot w(p_i, t_j)$, and

– adding the tokens produced by transitions that end their firing at time instant $\ell$: $\sum_{t_j \in T} \sigma[t_j][\ell - d(t_j)][\ell] \cdot w(t_j, p_i)$.

• Then the duration of a trajectory is the end of the transition firings, i.e. the time after which no more transition ends its firing. Formally, the duration of the trajectory is $\ell$ if $\exists t_j \in T : 0 < \sigma[t_j][\ell - d(t_j)][\ell]$, such that $\forall t_k \in T, \forall r \in \mathbb{N}, \ell < r : \sigma[t_k][r - d(t_k)][r] = 0$.


• The initial state of the Petri net is defined as the state of the Petri net at time 0, i.e. $M_0 = (token[p_1][0], \dots, token[p_n][0])$, $|P| = n$.

• In case of timed Petri nets, a trajectory is optimal if its duration is minimal. In order to formulate the reachability of the (potentially partial) target marking, the time horizon is set to the $timeLimit$ value.

• The target (partial) marking is reached if there exists a time instant within the $timeLimit$ such that the marking at that time instant covers the partial target marking and there is no transition firing under execution. Formally, $\exists r, 0 \le r \le timeLimit : \forall p_i : token[p_i][r] \ge M_{partial}(p_i) \wedge \nexists t_j \in T : 0 < \sigma[t_j][v][v + d(t_j)],\ v \le r \wedge r \le v + d(t_j)$. If there is no transition firing after the partial target marking is covered, then the marking remains unchanged until $timeLimit$ is reached, i.e. $token[p_i][timeLimit] \ge M_{partial}(p_i)$ for all places $p_i$.

• The sum of the firing occurrences of a transition $t_j$ at time instants $\ell : 0 \le \ell \le timeLimit$ is the corresponding component of the Parikh vector $\vec\sigma$:

$$\vec\sigma(t_j) = \sum_{\ell} \sigma[t_j][\ell][\ell + d(t_j)].$$

• As in case of the cost-optimal trajectory problem, the structure of a valid solution for the time-optimal trajectory problem also has to conform to a solution structure that satisfies the five axioms. Thus the characteristic vector $ch_{\vec\sigma}$ of the Parikh vector $\vec\sigma$ is compliant with a structurally valid solution (see Section 6.2.3).

This way, if there exists a time-optimal trajectory $s = \langle t_{i_1}, \dots, t_{i_k} \rangle$, $t_{i_j} \in T$, its Parikh vector satisfies the following programming problem. (See Section 6.2.2 for details of the solution-structure based part of the programming problem.) Note that the following problem is not linear because of the objective function, but it can be reformulated as an ILP problem (see Section 8.2).

$$
\begin{aligned}
\min\; & \max_{0 < \sigma[t_j][r - d(t_j)][r]} r \\
\text{subject to}\quad & token[p_i][\ell] = token[p_i][\ell - 1] + \sum_{t_j \in T} \sigma[t_j][\ell - d(t_j)][\ell] \cdot w(t_j, p_i) - \sum_{t_j \in T} \sigma[t_j][\ell][\ell + d(t_j)] \cdot w(p_i, t_j) \quad \forall p_i \in P,\ \forall \ell \\
& token[p_i][0] = M_0(p_i) \quad \forall p_i \in P \\
& token[p_i][timeLimit] \ge M_{partial}(p_i) \quad \forall p_i \in P \\
& \vec\sigma(t_j) = \sum_{\ell = 1}^{timeLimit - d(t_j)} \sigma[t_j][\ell][\ell + d(t_j)] \quad \forall t_j \in T \\
& ch(\vec\sigma) = \bigvee_{b_{sol} \in B_{sol}} \alpha(b_{sol}) \cdot ch_{b_{sol}},
\end{aligned}
$$

where $1 \le \ell, r \le timeLimit$, $token[p_i][\ell] \in \mathbb{N}$, $\sigma[t_j][\ell][\ell + d(t_j)] \in \mathbb{N}$, $\mathbb{B} = \{0, 1\}$, $\vec\sigma \in \mathbb{N}^{|T|}$, $B_{sol}$ is a basis set of the structurally valid solutions, and $\alpha \in \mathbb{B}^{|B_{sol}|}$.

The solution of the above programming problem may be spurious due to possible cycles in the Petri net. Therefore a subsequent fireability check has to be carried out. Since the $\sigma[t_j][\ell][\ell + d(t_j)]$ values determine the firing time of each transition in the trajectory, a simple check is performed whether each transition can be fired at the given time instant. If each transition can be fired, the resulting trajectory is the optimal one. Otherwise there is no trajectory compliant with the $\sigma[t_j][\ell][\ell + d(t_j)]$ values, thus the next best solution has to be taken.

An abstraction of the ILP problem In case of a large timeLimit value the number of variables is also very large. Hence new variables can be introduced that take a "snapshot" of the model not at each time instant but, for instance, at every 100th time unit. The solution of such an abstract ILP problem is an overapproximation of the original one (its solution set contains every solution of the original problem): if there is no solution for the abstract ILP problem, there is no solution for the original problem either. Otherwise the solution has to be checked for fireability, or the snapshot interval of 100 time units has to be reduced and the ILP problem solved again.

Nevertheless, encoding the enabledness of the transitions into the ILP problem leads to a solution that is fireable by construction.

8.2 Trajectory Generation by Solving Only ILP Problems

Several transitions may start their firing concurrently at the same instant if all of them are enabled, i.e. there are enough tokens in their input places at that time instant. This enabledness condition can be included a priori into the ILP problem in the form of inequalities. Thus the solution of the extended ILP problem is fireable by construction, since for each transition $t_j$ that has to fire at a given time instant the required number $w(p_i, t_j)$ of tokens is present in each of its input places $p_i$.

The enabledness condition is composed of the following set of inequalities (where $p_i \in P$, $1 \le \ell \le timeLimit$):

$$token[p_i][\ell - 1] \ge \sum_{t_j \in T} \sigma[t_j][\ell][\ell + d(t_j)] \cdot w(p_i, t_j).$$
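The fireability check of Section 8.1 and the enabledness inequality above, as an added example that is not part of the thesis: the function replays a time-indexed schedule (the non-zero $\sigma[t_j][\ell][\ell + d(t_j)]$ entries, given as (transition, start instant) pairs) through the token balance equation, rejects the schedule at the first instant where $token[p_i][\ell - 1]$ is smaller than the number of tokens consumed at $\ell$, and otherwise reports the duration and the Parikh vector. The three-transition net, its durations and the schedules are constructed for this example; tokens produced at instant $\ell$ are usable only from $\ell + 1$ on, exactly as the inequality states.

```python
"""Fireability check of a time-indexed trajectory of a timed Petri net.
Added example (constructed net), not code from the thesis. It replays
    token[p][l] = token[p][l-1] + produced_at(l) - consumed_at(l)
and rejects the schedule if token[p][l-1] < sum of w(p, t) over firings
of t starting at l (the enabledness inequality of Section 8.2)."""
from collections import defaultdict

# Constructed net: transition -> (pre-arcs w(p,t), post-arcs w(t,p), duration d(t)).
NET = {
    "t1": ({"p1": 1}, {"p2": 1}, 2),   # p1 -> p2, 2 time units
    "t2": ({"p2": 1}, {"p3": 1}, 3),   # p2 -> p3, 3 time units
    "t3": ({"p1": 1}, {"p3": 1}, 6),   # p1 -> p3 directly, 6 time units
}
M0 = {"p1": 2, "p2": 0, "p3": 0}
M_PARTIAL = {"p3": 2}                  # partial target marking


def check_schedule(net, m0, schedule, m_partial, time_limit):
    """schedule = list of (t, l): a firing of t starts at l and ends at l + d(t),
    so sigma[t][l][l + d(t)] is the number of times (t, l) occurs.
    Returns (duration, parikh_vector) if every firing is enabled when it starts
    and M_partial is covered at time_limit; None if the schedule is spurious."""
    starts = defaultdict(int)
    for t, l in schedule:
        if l < 1 or l + net[t][2] > time_limit:
            return None                        # outside the time horizon
        starts[(t, l)] += 1
    token = {p: [m0[p]] + [0] * time_limit for p in m0}
    for l in range(1, time_limit + 1):
        for p in token:
            produced = sum(n * net[t][1].get(p, 0)
                           for (t, s), n in starts.items() if s + net[t][2] == l)
            consumed = sum(n * net[t][0].get(p, 0)
                           for (t, s), n in starts.items() if s == l)
            if token[p][l - 1] < consumed:     # enabledness inequality violated
                return None
            token[p][l] = token[p][l - 1] + produced - consumed
    if any(token[p][time_limit] < need for p, need in m_partial.items()):
        return None                            # target marking not covered
    duration = max((s + net[t][2] for (t, s) in starts), default=0)
    parikh = defaultdict(int)
    for (t, _), n in starts.items():
        parikh[t] += n
    return duration, dict(parikh)


if __name__ == "__main__":
    # t2 started at 3 would consume tokens that only arrive at 3: spurious.
    print(check_schedule(NET, M0, [("t1", 1), ("t1", 1), ("t2", 3), ("t2", 3)], M_PARTIAL, 10))
    # One instant later both t2 firings are enabled; the trajectory ends at 7.
    print(check_schedule(NET, M0, [("t1", 1), ("t1", 1), ("t2", 4), ("t2", 4)], M_PARTIAL, 10))
```

The first schedule is the kind of spurious ILP solution the text describes: its final marking covers the target, but t2 cannot be fired at instant 3. The second schedule and the alternative of firing t3 twice both have duration 7, so for this net the two routes are equally good.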

Objective Function Reformulation The non-linearity of the objective function can be eliminated by the introduction of a sink transition $t_{sink}$ with duration 1 that becomes enabled when $M_{partial}$ is reached. Formally, ${}^\bullet t_{sink} = \{p_i \mid 0 < M_{partial}(p_i)\}$, $w(p_i, t_{sink}) = M_{partial}(p_i)$, $d(t_{sink}) = 1$, i.e. the sink transition is enabled if there are at least as many tokens at the target places as required in $M_{partial}$, and its duration is 1 time unit.

Then the ILP problem is modified (i) by extending the token balance equations and the enabledness conditions to the new transition, (ii) by adding the constraint that the sink transition has to be fired at least once, and (iii) by adding the constraint that no transition fires at the same time as or after the firing of the sink transition. Then an appropriate objective function is to minimize the firing time of the sink transition, as shown in the following.

Boolean variables $\sigma[t_{sink}][\ell][\ell + 1]$ are defined for the sink transition such that the variable equals 1 for a time instant $\ell$ if and only if the sink transition fires at $\ell$. Since the sink transition fires exactly once in the trajectory, $\sum_{\ell = 0}^{timeLimit} \sigma[t_{sink}][\ell][\ell + 1] = 1$ holds. Furthermore, the sink transition may fire at time instant $\ell$ only if there are enough tokens at its input places, i.e. $\forall p_i \in {}^\bullet t_{sink}: M_{partial}(p_i) \le token[p_i][\ell - 1]$.

Since the sink transition fires last, all other transitions have to finish their firing before the sink transition fires. With a big enough constant $K$, all $\sigma[t_j][\ell][\ell + d(t_j)]$ components are forced to 0 at and after the firing of the sink transition at time instant $\ell$ by the following inequalities (one for each $\ell$):

$$\sum_{t_j \in T} \sum_{r = \ell}^{timeLimit} \sigma[t_j][r - d(t_j)][r] \le K \cdot \Big(1 - \sum_{r = 0}^{\ell} \sigma[t_{sink}][r][r + d(t_{sink})]\Big).$$

Then a linear objective function is formulated as $\min \sum_{\ell = 0}^{timeLimit} \sigma[t_{sink}][\ell][\ell + d(t_{sink})] \cdot (\ell - 1)$, which yields $k$ if and only if the sink transition fires at time instant $k + 1$, i.e. the target marking is covered at time instant $k$. This objective function is already linear.

As in case of the cost-optimal trajectory, a time-optimal trajectory can also be delivered using only the model checker SPIN.

8.3 Optimal Trajectory Generation by LTL Expression in SPIN

A time-optimal trajectory can also be delivered by using SPIN directly to solve the OT problem $OT_d = \langle PN_d, M_{partial}, timeLimit \rangle$, similarly to the cost-optimal case in Section 7.3. The Promela model consists of place variables per time instant as in the ILP based solution and a global clock variable that models the elapse of time.

• Tokens are counted per time instant as in case of the time–optimal ILP problem, i.e. token[pi][`] ∈ N.

• The Promela model has to be finite, therefore upper bounds for the token numbers are needed. The upper bounds in Section 7.2.1 give an appropriate estimation together with an estimation for the number of fired transitions. This number is delivered by solving the ILP problem that minimizes the sum of the durations of the transitions in the candidate Parikh vector satisfying the state inequalities. This value can be calculated by changing the objective function $\min c \cdot \vec\sigma$ to $\min d \cdot \vec\sigma$ in the ILP problem of Section 6.2.3, since an optimal solution of the timed programming problem is also a solution of this modified ILP problem.

• Then the upper bounds for the token numbers in the individual places can be estimated as $\forall p_i \in P: ub_i = M_0(p_i) + \sum_{t_j \in T: 0 < w(t_j, p_i)} w(t_j, p_i) \cdot \sigma_j$, which cannot be exceeded during the firing of $\vec\sigma$ (see Section 7.2.1).

• A global variable global_clock ∈ N, global_clock ≤ timeLimit is introduced.

• The guard of a transition and the update section of the transition are modified according to the new token variables: the removal of tokens changes the token number at the starting time of the transition firing, while the production of the output tokens takes effect at the end of the transition firing.

Let the duration d(Test_R4A) of the firing of transition Test_R4A be 15 time units (see Fig. 12.13for the original Promela transition). Then the modified Promela transition is executable at time instantglobal_clock if there is at least 1 token in places R4A_untested and Test_cell at the same time instant,i.e. token[R4A_untested][global_clock] ≥ 1 ∧ token[Test_cell][global_clock] ≥ 1. If the transition isenabled at this time instant also the guard of the Promela transition is evaluated to true.

The execution of the Promela transition updates the token numbers: the removal of tokens is done in thesame time instant while the produced tokens are added to the token number at the end of the transitionfiring, i.e. the variables token[pi][global_clock + 15] are updated.

• In order to simulate the elapsing of time there is a special transition that increments the variable global_clock.

• The LTL expression is extended by the constraint such that the value of global_clock is less than thetimeLimit value.

• If more than one guard is executable SPIN selects non–deterministically the next transition to be executed.Thus SPIN traverses the state space taking into account all possible orders of transition firings and anappropriate time–optimal trajectory is found if it exists.


8.4 Related Work

Timed Petri nets, timed automata, priced timed automata, stochastic Petri nets and other Petri net extensions arewidely used for scheduling problems and performance analysis (see Section 2.3.1 for details). In [127] priority-list scheduling algorithms were used to deliver an optimal schedule for timed Petri nets while other schedulingand optimization problems (e.g. in manufacturing systems) were solved by means of simulation and performanceevaluation in [72, 75]. [131] represents profit function values as a function according to some given restrictionson stochastic Petri nets and uses simulation techniques as well. In [92] the authors propose a recursive algorithmto find a firing sequence in a labeled Petri net with unobservable transitions that (i) is consistent to a givenobservable label sequence, and (ii) it is minimal with respect to the sum of the cost of the involved transitions.

[132] presents invariant analysis and throughput analysis to schedule flexible manufacturing cells in conflict-free nets. In [119] the authors elaborated a so–called OP+LP process based on both linear algebraic and dynamicprogramming methods to derive an optimal trajectory if (i) both the initial and the target markings are defined, (ii)also the Parikh vector of the trajectory is given, and (iii) the objective is to minimize the total transfer of tokensmoved by the transition firings.

My contribution is more general than the existing solutions in the sense that (i) it is applicable to arbitrary Petri nets with duration and (ii) I do not assume the existence of additional input parameters (such as the Parikh vector).

8.5 Contribution

The results in the timed optimal trajectory problem discussed in this Chapter are summarized in Contribution 4.

Contribution 4 I proposed two solutions for the time-optimal trajectory problem of Petri nets relying on the up-per bound taken from the cost-optimal ILP problem and the state equations evaluated at dedicated time instants.

4/1 I proposed an algorithm for the time-optimal trajectory problem that calculates an upper bound for themaximal duration of an optimal Petri net trajectory and delivers a fireable trajectory as a solution for theILP model that (1) represents the token change in the places in any time instant within this upper boundand (2) encodes the enabledness condition of the transitions in each time instant.

4/2 I proposed a direct method for the time-optimal trajectory problem that uses the same upper bound toconstrain the verification run of the SPIN model checker in order to deliver an optimal trajectory on-the-flyby encoding the optimality criteria into an LTL expression.

The results of this thesis were published in [6].


Chapter 9

Optimization in Graph Transformation Systems

Some properties of complex systems are difficult to analyze on the system itself because of its size or complexity. Therefore the system is transformed into a lower-level model like Petri nets, which have a rich repertoire of analysis tools. After carrying out the analysis, the results are back-annotated into the original system.

Graph transformation systems (GTSs) are widely used in modeling complex systems. In the last decade several extensions of GTSs arose that carry quantitative metrics, as in the case of Petri nets. These kinds of GTSs motivated the formalization of the optimal trajectory problem in GTSs.

The GTS optimal trajectory problems are solved by means of the cardinality Petri net abstraction of the GTS.The GTS is abstracted to its cardinality Petri net, where the GTS optimal trajectory problem can be expressed asa Petri net optimal trajectory problem. Then a candidate Parikh vector or trajectory is generated by the introducedtechniques for the Petri net OT problem that is used as a guess in the GTS state space exploration. The process isshown in Fig. 9.1.

At first, the optimization in GTSs with cost is introduced followed by the discussion of optimization in GTSswith time. (For an introduction into graph transformation systems see Section 4.)

9.1 Optimization in Graph Transformation Systems with cost

Example 20 As a motivating example, let us assume a reliable service which is composed of individual services.The state of a service can be up, down, active or standby. A certain quality of service (QoS) is required such asthroughput or availability, e.g. at least 3 services have to be up at the same time in order to provide sufficientperformance when serving requests. Such a system is shown in Fig. 9.2.

To satisfy this constraint the service configuration has to be designed in an appropriate way. We assumethat regular health checks are issued by some middleware service broker. If the current health state of servicesimplies that the required QoS parameters cannot be satisfied by the actual service configuration, reconfigurationoperations are to be initiated which lead the system into a state where all QoS constraints are met. However, theseoperations have costs that have to be taken into consideration, i.e. we need to find a reconfiguration plan withminimal cost.

The reconfiguration actions of services will be captured by a graph transformation system that is definedsubsequently. An overview on using graph transformations for software architecture reconfigurations can befound in [34].

An example type graph is shown in Fig. 9.3. The type graph contains only one node type, Service, designated graphically as a rectangle. The edges active, standby, down, and up are used to denote the state of the service such that the source and the target node of such an edge are the same node. Edge backup connects two different services: when an active node goes down, a standby node has to substitute the active service.


Figure 9.1: Solution process of GTS optimal trajectory problem

Example 21 The ongoing example is captured by a set of graph transformation rules in Fig. 9.4. In order tosimplify the self–loops to denote the state of the services we simply write the state of the service on the servicenode (which is denoted by a server symbol). In addition, we also omit the backup labels from the edges (sinceonly this edge type remains).

1. on adds a new service to the configuration that is initially up.

2. off removes an up service from the configuration.

3. repair makes a down service become up.

4. failover assumes that there is a down service connected by a backup edge to a standby service: the effectof the rule is that the standby service becomes active and the backup edge is deleted.

Figure 9.2: An example system providing reliable service


Figure 9.3: Type graph

Figure 9.4: Rules

5. standby creates a backup edge between an active and an up service such that the up service becomesstandby .

6. detach removes the backup edge between an active and a standby service such that the standby servicewill be up.

7. register changes the state of service from up to active.

8. Finally, unregister changes the state of a service from active to up in case there is no standby serviceconnected to the service.

9.1.1 Application of cost-OT problem techniques to graph transformation with cost

Due to the strong theoretical correspondence between Petri nets and graph transformation systems (investigated in[45,89,91]) the elaborated algorithms for the cost-OT problem can be adapted also to GTSs facilitating another in–front design framework for simultaneous optimization and verification. The advantage behind such an adaptationis that solving the optimization problem on the Petri net level is of much lower complexity than solving theproblem directly on the GTS-level using algebraic optimization techniques.

In the following the representation of the cost of a GT system transformation rule is defined together with thenotation of the state space and the path in a graph grammar. Then the Petri net abstraction of GTSs is discussedthat enables the application of the Petri net based method for the solution of optimal trajectory problems togenerate the optimal path (transformation) between two given graphs.

9.1.2 GTSs with cost

Graph transformation systems with cost A graph transformation system GTS = (R, TG) consists of a typegraph TG and a finite set of graph transformation rules typed over TG.


A graph transformation system with cost $GTS_c = (R, TG, c: R \to \mathbb{R}^+)$ is a GTS where a cost parameter $c(r_i)$ is added to each GT rule denoting the cost of applying that rule. Graphically, the cost of a rule is denoted by a circled number over the arrow of the rule. A graph grammar with cost $GG_c = (GTS_c, G_0)$ consists of a graph transformation system with cost $GTS_c = (R, TG, c)$ and a so-called start (model) graph $G_0$ typed over $TG$. The cost of a GT sequence is equal to the sum of the costs of the contained GT steps, i.e. the sum of the costs of the applied rules.

State space of a graph grammar The graph transition system (state space) of a graph grammar $GG = (GTS, G_0)$ is defined as a graph whose nodes are instance graphs and whose edges are graph transformation steps $G \xRightarrow{r,c} H$ such that the source and target nodes of the edge are the graphs $G$ and $H$, respectively. Starting from $G_0$, the state space (i.e. the set of reachable instance graphs) of the GG is built by taking into account all rules applicable to a given host graph.

A path in the graph transition system of a GG is a GT sequence $p = (G_0 \xRightarrow{r_1,c_1} G_1 \xRightarrow{r_2,c_2} \cdots \xRightarrow{r_n,c_n} G_n)$, also called a trajectory between two graphs. Then we say that a graph $G$ is reachable from $G_0$ if and only if there is a path to it in the graph transition system. The cost of the path, denoted by $c(p)$, is equal to the sum of the costs of the rules applied along the trajectory, i.e. $c(p) = \sum_{i=1}^{n} c(r_i)$.

Example 22 Let us revisit the graph transformation example in Section 9.1. The cost of the rules are10, 4, 8, 1, 2, 1, 3, 3 units, respectively, denoted by circled numbers on the GT rule arrow in Fig. 9.4.

In Fig. 9.5 an extract of the graph transition system of our running example is shown. On the left, the root of the graph transition system is the start graph $G_0$, where the system configuration contains two active, two standby, and one down services. Rules failover, on, repair, detach, and unregister are applicable to $G_0$; here we follow only the application of the first three rules. The cost of the individual paths (from $G_0$ to the current graph) is shown on the right of each graph.

Figure 9.5: A part of the graph transition system


9.1.3 A Petri net abstraction of a GTS

The essence of this abstraction technique is to derive a cardinality Petri net which simulates the original GTS by abstracting from the structure of the instance graphs and only counting the number of elements (nodes or edges) of each type by placing tokens in a corresponding place. These tokens are circulated by transitions derived from the GT rules, which simulate the effect of a rule on the number of elements of each type by adding tokens to and removing tokens from the corresponding places.

Let $card(G, x)$ denote the cardinality (i.e. the number of graph objects) of type $x \in TG$ in graph $G$. Formally, $card(G, x) = |\{n \mid n \in N_G \cup E_G \wedge type(n) = x\}|$. Then the mapping $F()$ from a graph to a Petri net is defined as follows.

• Types into places. For each node and edge y ∈ NTG ∪ ETG in the type graph TG, a corresponding placepy = F(y) is defined in the cardinality Petri net.

• Instances into tokens. For each node and edge x ∈ NG∪EG in an instance graphGwith type y = type(x),a token is generated in the corresponding marking MG = F(G) of the target Petri net. Formally, for allplaces py = F(y), the marking of the net is defined as MG(py) = card(G, y).

• Rules into transitions. For each rule r in the graph transformation system GTS, a transition tr = F(r) isgenerated in the cardinality Petri net such that

– Left-hand side: If there is a graph object $x$ of type $y = type(x)$ in $L$, then an incoming arc $(p_y, t_r)$ is generated in the Petri net where $p_y = F(y)$, and the weight of the arc $w(p_y, t_r)$ is equal to the number of graph objects of type $y$ in $L$. Formally, $\forall x, y: x \in L \wedge y = type(x) \wedge F(y) = p_y \implies (p_y, t_r) \in E \wedge w(p_y, t_r) = card(L, y)$.

– Right-hand side: If there is a graph object $x$ of type $y = type(x)$ in $R$, then an outgoing arc $(t_r, p_y)$ is generated in the Petri net where $p_y = F(y)$, and the weight of the arc $w(t_r, p_y)$ is equal to the number of graph objects of type $y$ in $R$. Formally, $\forall x, y: x \in R \wedge y = type(x) \wedge F(y) = p_y \implies (t_r, p_y) \in E \wedge w(t_r, p_y) = card(R, y)$.

– Cost of a rule. For each rule r the cost of the corresponding transition is equal to the cost of the rule,i.e. c(F(r)) = c(r).

Example 23 In Fig. 9.6 rule failover (see Example 21 in Section 9.1) is shown on the left together with the corresponding type graph. The Petri net abstraction is shown on the right. According to the type graph of the example, the corresponding cardinality Petri net has a place for the only node type, Service, and one for each edge type, namely backup, standby, down, active, and up.

Figure 9.6: Rule failover and the corresponding cardinality Petri net

For instance, the left-hand side $L$ of rule failover contains two services and the edges backup, standby and down. Thus the corresponding transition with the same name has four incoming arcs starting from the corresponding places, where arc (Service, failover) has weight 2 since 2 services are present in $L$. Similarly, the right-hand side of the rule consists of two services and the edges active and down, thus there are three outgoing arcs to places Service, active, and down with weights 2, 1, 1, respectively.

In this way whenever rule failover is applied the number of the tokens at the involved places changes accordingto the cardinality of the graph types.

Note that it was proved in [22] that the mapping $F()$ is a proper abstraction in the sense that the derived Petri net simulates the original GTS. In other terms, whenever a rewriting step is executed in the GTS on an instance graph, the corresponding transition can always be fired in the corresponding marking of the Petri net, and the resulting marking is the abstraction of the resulting graph. In this respect, for every rule application sequence in the GTS there is a firing sequence in the cardinality Petri net, but not the other way around. Moreover, the costs of the two sequences are equal. Hence a cost-optimal solution on the Petri net level can be used as a hint when exploring the state space of the original GTS.

In the following a detailed description is given of how to carry out optimization of graph transformation systems by using a state space traversal strategy guided by optimal solutions of the Petri net abstraction of the GTS.

9.1.4 Cost-optimal trajectory problem for GTSs

The optimal trajectory problem in case of GTSs is to find a path starting from the initial graph to a graph $G$ that covers a desired (partial) graph $G_{partial}$, i.e. there is a subgraph of $G$ that is isomorphic to $G_{partial}$ (denoted by $G \supseteq G_{partial}$). Then we also say that $G_{partial}$ is partially reachable from $G_0$, which is denoted by $G_0 \xRightarrow{*,partial} G_{partial}$.

Then the optimal trajectory problem of GTSs with cost can be described as follows. Given a graph grammar $GG = (GTS, G_0)$, a graph $G_{partial}$, and a set of constraints $Const$, find a trajectory (path) $tr$ from graph $G_0$ to a graph $G$ ($G_0 \xRightarrow{tr} G$) such that $G \supseteq G_{partial}$, it is optimal, i.e. $\forall tr': G_0 \xRightarrow{tr',partial} G_{partial}: c(tr) \le c(tr')$, and it satisfies all the requirements in $Const$. We denote this problem as $OT = ((GTS, G_0), G_{partial}, Const)$. An upper limit for the overall cost is given in $Const$, corresponding to the costLimit bound of the cost-OT problem in Petri nets (see Def. 16 in Section 2.4.1).

An obvious way to solve the optimal trajectory problem for GTS is to traverse the entire state space of thegraph grammar, e.g. using DFS or BFS search strategies. However, there is no guarantee when the best costsolution is found, thus the size of the explored state space may explode easily. In order to be able to handle thesize of the explored state space, we define additional cuts to drive the state space traversal. These cuts can beeither predefined constraints like limited cost budget or an approximate optimal cost that can prune the searchspace during the exploration.

1. At first, the GTS is abstracted into the cardinality Petri net with the cost parameters as described inSec. 9.1.3.

2. Then subsequent integer programming problems are formulated over the Petri net (in the same way as the ILP is formulated in Section 6.2.3 for the Petri net OT problem), embedding the following elements. (i) Numerical and logical constraints are encoded into the ILP problem as inequalities; the violation of these constraints results in pruning the state space along a certain path. (ii) The goal state, i.e. graph $G_{partial}$, is translated into a marking $M_{partial}$ that is encoded into the ILP problem. (iii) The objective function of the ILP is the minimization of the overall cost of the trajectory.

3. The best cost candidate Parikh vector of the ILP problem is derived. Since the Petri net abstraction does not guarantee that there is an executable rule application sequence on the GT level for this candidate Parikh vector, its fireability is investigated directly on the GT level.

A candidate Parikh vector counts the number of rule applications, and thus provides a guaranteed minimal cost (i.e. an underapproximation) for the cost-OT problem, obtained by the modified ABB algorithm (see Sec. 6.3).


4. The best cost candidate Parikh vector is used as a hint to guide the search strategy during the exploration of the GTS state space, as discussed in Sec. 9.1.5.

5. If the traversal of the state space fails on the remaining paths, the next best cost Parikh vector is derivedand the state space exploration is continued.

9.1.5 Guiding exploration of the GT state space

The idea to use the candidate Parikh vector is to drive the state space traversal to the direction of the best costtrajectory in the GTS. The exploration of the graph grammar state space is driven by heuristics like constraintsand by the candidate Parikh vector in the form of logical and numerical cuts as in case of the Petri net cost-OTproblem.

If there is a candidate Parikh vector we can perform the following checks on the state space in order to reduceits size.

1. The traversal of a branch of the graph transition graph is suspended, i.e. the discovery of the unpromisingpaths is postponed

(a) if the cost of the path from the initial graph to the current graph exceeds the cost of the candidatesolution Parikh vector, or

(b) if a GT rule was applied more times than the corresponding transition was fired in the candidate Parikh vector.

2. If a constraint is violated along a path, then the graph transition system is permanently pruned along thatpath.

During the exploration of the state space the newly generated instance graphs are analyzed whether (i) theysatisfy all the constraints, or (ii) the goal state is reached, i.e. the required partial graph is covered by the currentstate (graph) in the graph transition system. If the cost of a path equals to the algebraic optimum, and it also leadsto a goal state, then the optimal trajectory is found.

If there are no branches to continue the state space traversal (according to the defined cuts based on the currentcandidate solution vector), the next best solution to the ILP problem is generated and is taken into account in thesearch strategy during the exploration of the previously unpromising paths.

9.1.6 Example: solving a cost-optimal trajectory problem

Let a GT optimal trajectory problem be as follows. Let the GG be given as described in Example 21 in Section 9.1.Then our aim is to find an optimal trajectory from the given initial graph to a goal state where at least 4 servicesare active in order to serve 4 requests simultaneously, i.e. there are at least 4 services in the instance graph withlabel active. An additional constraint is that our budget is limited: maximum 20 units of cost is available for thereconfiguration of services. For instance, the path on, register , on in Fig. 9.5 is invalid because its operation cost(23) exceeds our budget.

The abstracted cardinality Petri net and the corresponding (initial and partial) markings are generated as defined in Section 9.1.3. The budget constraint can be given in numerical form and added to the core ILP problem as follows (where $W$ is the incidence matrix of the cardinality Petri net).

$$
\begin{aligned}
\text{minimize}\quad & (10, 4, 8, 1, 2, 1, 3, 3) \cdot \sigma \\
\text{subject to}\quad & (4, 4, 0, 0, 0, 0) \le (5, 2, 2, 0, 1, 2) + W \cdot \sigma, \\
& (10, 4, 8, 1, 2, 1, 3, 3) \cdot \sigma \le 20, \quad \sigma \in \mathbb{N}^{8}.
\end{aligned}
$$

The first optimal algebraic solution is $(0, 0, 0, 2, 0, 0, 0, 0)$ with cost 2. Now let us start to construct the graph transition system of the GG. Since only one transition is fired in the solution Parikh vector, in the GG only rule failover is applied (see Fig. 9.7). However, rule failover cannot be applied twice in succession, because the left-hand side of the rule cannot be matched after the first rule application. Therefore the next best solution is generated.

Figure 9.7: State space of GG

The next best solution is $(0, 0, 0, 1, 0, 1, 1, 0)$ with cost 5. Thus the search strategy applies only the three rules failover, detach and register, each exactly once (if applicable), and omits the traversal of those paths where other rules are applied. Since there is an applicable GT sequence $\langle failover, detach, register \rangle$, the traversal of the state space is terminated as the optimal trajectory is found, see Figure 9.8.

Figure 9.8: State space of GG
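The abstraction, candidate generation and guided exploration of Sections 9.1.3 to 9.1.6, as an added runnable example (not code from the thesis or from its VIATRA2 implementation). It encodes the rules of Example 21 with the costs of Example 22 as small typed patterns, derives the cardinality net and its incidence matrix $W$ from them, enumerates the candidate Parikh vectors within the budget cheapest first, and cuts the depth-first exploration of the GT state space by the budget and by the candidate vector. Assumptions of this example: the place order (Service, active, standby, up, down, backup), backup edges directed from the active or down service to its standby service, node states in place of the state self-loop edges, and lexicographic tie-breaking between equal-cost Parikh vectors (which reproduces the order of solutions used in the text).

```python
"""Cardinality Petri net abstraction of a GTS with cost and Parikh vector guided
exploration (Sections 9.1.3 to 9.1.6). Added example, not code from the thesis.
Assumed: place order (Service, active, standby, up, down, backup), backup edges
directed active/down -> standby, node states instead of state self-loop edges."""
import itertools

TYPES = ("Service", "active", "standby", "up", "down", "backup")

# Rule = (lhs, rhs, nac): lhs/rhs = (node states, backup edges as index pairs).
# Node i of lhs corresponds to node i of rhs; surplus lhs nodes are deleted,
# surplus rhs nodes are created. nac = lhs nodes that must have no outgoing
# backup edge (unregister: no standby service attached to the active one).
RULES = {
    "on":         (((), ()), (("up",), ()), ()),
    "off":        ((("up",), ()), ((), ()), ()),
    "repair":     ((("down",), ()), (("up",), ()), ()),
    "failover":   ((("down", "standby"), ((0, 1),)), (("down", "active"), ()), ()),
    "standby":    ((("active", "up"), ()), (("active", "standby"), ((0, 1),)), ()),
    "detach":     ((("active", "standby"), ((0, 1),)), (("active", "up"), ()), ()),
    "register":   ((("up",), ()), (("active",), ()), ()),
    "unregister": ((("active",), ()), (("up",), ()), (0,)),
}
COST = {"on": 10, "off": 4, "repair": 8, "failover": 1, "standby": 2,
        "detach": 1, "register": 3, "unregister": 3}


def card(states, edges):
    """Marking F(G) of the cardinality net: graph objects counted per type."""
    states = list(states)
    return tuple([len(states)] + [states.count(t) for t in TYPES[1:5]] + [len(edges)])


def incidence():
    """Column of W per rule: w(t_r, p_y) - w(p_y, t_r) = card(R, y) - card(L, y)."""
    return {r: tuple(b - a for a, b in zip(card(*lhs), card(*rhs)))
            for r, (lhs, rhs, _) in RULES.items()}


def candidates(m0, m_partial, budget):
    """Parikh vectors with cost <= budget and M0 + W*sigma >= M_partial,
    cheapest first (equal cost broken lexicographically, an assumption here)."""
    W, names, found = incidence(), list(RULES), []

    def rec(i, vec, cost):
        if i == len(names):
            m = [m0[k] + sum(W[n][k] * v for n, v in zip(names, vec)) for k in range(len(TYPES))]
            if all(a >= b for a, b in zip(m, m_partial)):
                found.append((cost, tuple(vec)))
            return
        for v in range((budget - cost) // COST[names[i]] + 1):
            rec(i + 1, vec + [v], cost + v * COST[names[i]])
    rec(0, [], 0)
    return [(vec, cost) for cost, vec in sorted(found)]


def matches(graph, rule):
    """Injective matches of the rule's LHS in graph = (nodes: id -> state, edges)."""
    nodes, edges = graph
    (states, l_edges), _, nac = rule
    for ids in itertools.permutations(nodes, len(states)):
        if (all(nodes[n] == s for n, s in zip(ids, states))
                and all((ids[i], ids[j]) in edges for i, j in l_edges)
                and not any(src == ids[i] for i in nac for src, _ in edges)):
            yield ids


def apply_rule(graph, rule, ids):
    """One GT step: delete LHS edges, update/delete/create nodes, add RHS edges."""
    nodes, edges = dict(graph[0]), set(graph[1])
    (_, l_edges), (r_states, r_edges), _ = rule
    edges -= {(ids[i], ids[j]) for i, j in l_edges}
    new_ids = list(ids)
    for i, s in enumerate(r_states):
        if i < len(ids):
            nodes[ids[i]] = s
        else:
            new_ids.append(max(nodes, default=0) + 1)
            nodes[new_ids[-1]] = s
    for i in range(len(r_states), len(ids)):
        del nodes[ids[i]]
    edges = {(a, b) for a, b in edges if a in nodes and b in nodes}
    return nodes, frozenset(edges | {(new_ids[i], new_ids[j]) for i, j in r_edges})


def guided_search(g0, goal, budget, sigma):
    """DFS over the GT state space; a branch is cut when its cost exceeds the
    budget or a rule is applied more often than in the candidate Parikh vector."""
    def dfs(graph, path, cost, remaining):
        if goal(graph):
            return path, cost
        for name, left in remaining.items():
            if left == 0 or cost + COST[name] > budget:
                continue
            for ids in matches(graph, RULES[name]):
                hit = dfs(apply_rule(graph, RULES[name], ids), path + [name],
                          cost + COST[name], dict(remaining, **{name: left - 1}))
                if hit:
                    return hit
        return None
    return dfs(g0, [], 0, dict(zip(RULES, sigma)))


def solve(g0, m_partial, goal, budget):
    """Try candidate Parikh vectors cheapest first until one is fireable on the GT level."""
    for sigma, cost in candidates(card(g0[0].values(), g0[1]), m_partial, budget):
        hit = guided_search(g0, goal, budget, sigma)
        if hit:
            return hit[0], hit[1], sigma
    return None


# Constructed start graph of Example 22: two active, two standby, one down service.
G0 = ({1: "active", 2: "active", 3: "standby", 4: "standby", 5: "down"},
      frozenset({(5, 3), (1, 4)}))


def goal(graph):
    """Target of Section 9.1.6: at least 4 active services."""
    return list(graph[0].values()).count("active") >= 4


if __name__ == "__main__":
    print(candidates(card(G0[0].values(), G0[1]), (4, 4, 0, 0, 0, 0), 20)[:2])
    print(solve(G0, (4, 4, 0, 0, 0, 0), goal, 20))
```

With this start graph the cheapest candidate $(0, 0, 0, 2, 0, 0, 0, 0)$ is rejected on the GT level (the second failover finds no match once the only down-to-standby backup edge is gone), and the next candidate $(0, 0, 0, 1, 0, 1, 1, 0)$ yields the trajectory failover, detach, register with cost 5, as in the text. The enumeration of candidates replaces an ILP solver only because the budget of 20 keeps the space small; for larger instances the same role is played by the next-best-solution mechanism of Section 6.2.3.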

9.1.7 Measurements

The guided traversal of the GTS state space was implemented in the VIATRA2 framework [25] and published in [76]. The authors measured the average runtime of the delivery of the shortest solution trajectory (which coincides with the cost-optimal one if all rules have cost 1) in some graph transformation systems. They used three guiding methods: guidance by the Petri net Parikh vector, guidance by rule priorities, and guidance by considering rule dependencies. The runtimes, the length of the optimal trajectory and the number of visited states are shown in Table 9.1, taken from [76]. The table shows the results for (i) the rule priority based traversal, (ii) the Parikh (occurrence) vector guided traversal and (iii) the traversal where both the Parikh vector and rule dependencies were considered, called full guidance. (DT means that the exploration did not terminate.) These results show that using the Parikh vector to guide the state space traversal is efficient in those cases where the optimization technique finds a feasible Parikh vector within a small number of iterations. If there are several infeasible solutions, the Parikh vector based guidance may lead to a worse runtime and a larger number of visited states.

As the solution technique for the Petri net cost-OT problem was applied to optimize GTSs with cost, the adaptation of the solution techniques for timed Petri nets is discussed next for GTSs with time.


Problem               Exploration strategy   Optimal trajectory found (length)   Visited states   Runtime (ms)
PowerOn Small         Priority               23                                  205 393          108 408
PowerOn Small         Occurrence             23                                  715              676
PowerOn Small         Full guidance          23                                  23               77
PowerOn Large         Priority               66                                  154 669          94 902
PowerOn Large         Occurrence             (DT)                                -                -
PowerOn Large         Full guidance          56                                  56               147
Clustered Databases   Priority               28                                  662 425          360 418
Clustered Databases   Occurrence             27                                  39 096           22 444
Clustered Databases   Full guidance          27                                  6 543            4 533
Reconfigure Small     Priority               5                                   372              451
Reconfigure Small     Occurrence             5                                   52               271
Reconfigure Small     Full guidance          5                                   5                170
Reconfigure Medium    Priority               9                                   34 639           17 312
Reconfigure Medium    Occurrence             9                                   1 475            1 318
Reconfigure Medium    Full guidance          9                                   607              759
Reconfigure Large     Priority               21                                  441 640          203 122
Reconfigure Large     Occurrence             21                                  716 671          359 152
Reconfigure Large     Full guidance          21                                  558 976          268 042

Table 9.1: Results for exploration until optimal solution [76]

9.2 Optimization in Graph Transformation Systems with Time

In Section 9.1.2 graph transformation with cost was used to provide a high-level model of optimization and verification problems. This technique is adapted hereafter to deliver a time-optimal trajectory in a GTS with time. The resulting time-optimal trajectory problem is solved by the Petri net based solution (see Chapter 8).

As in the case of Petri nets with cost and Petri nets with time, there is a major conceptual difference between cost and time optimization: while the cost of a GT rule sequence always equals the sum of the costs of the involved GT rules, the concurrent application of GT rules may reduce the minimal duration of a GT rule sequence.

Typed graph transformation with time To incorporate time into typed graph transformation, a time data type is introduced as the domain of time-valued attributes. In [2, 10] we followed the approach of time environment–relationship (TER) nets to define the semantics of graph transformation with time. TER nets are high-level Petri nets where tokens are environments, i.e. assignments of values to variables, and time (chronos) is a distinguished variable of every environment [70].

A type graph with time TG is a type graph with a time attribute. An instance graph with time over TG for the data type T = 〈Dtime, +, 0, ≥〉 is an instance graph 〈G, type : G → TG〉 over TG such that the data type sort time is interpreted by Dtime, that is, Dtime = {x ∈ GN | type(x) = time}. Ordinary nodes are connected to the time attribute nodes by chronos edges representing the time attribute declaration, i.e. chronos ∈ TGE : src(chronos) = TGN \ {T}, trg(chronos) = T. The time attribute of a graph element is also called the timestamp of the element, i.e. the time of its creation, its last modification or its last usage.

A graph transformation system with time consists of a type graph that includes the time attribute defined above, and of rules that manipulate the time attributes in the graphs such that

• Condition 1. Local monotonicity: for all vertices x ∈ L and y ∈ R, the timestamp of x is less than or equal to the timestamp of y, and


• Condition 2. Uniform timestamps: for all vertices x, y ∈ R the timestamp of x equals the timestamp of y.

These conditions ensure a behaviour of time such that (i) an operation or transaction specified by a rule cannot take negative time, i.e., it cannot decrease the timestamps of the nodes it is applied to, and (ii) each rule application is atomic, that is, all effects specified in the RHS are observed at the same time, called the firing time of the rule.

Duration of a transformation sequence In analogy with TER nets [70], for each transformation sequence s using only rules that satisfy the above two conditions, there exists an equivalent sequence s′ that is time-ordered, that is, whose timestamps are monotonically non-decreasing as the sequence advances. The duration of a transformation sequence p, denoted by d(p), is the firing time of the last rule in a corresponding time-ordered sequence.

Example 24

Figure 9.9: Type and instance graph

An example GTS with time is illustrated by a storage testing and reconfiguration line based on the Petri net storage example (Example 1 in Section 2.1). The type graph of the example is shown in Fig. 9.9 on the left as a UML class diagram. There are two types of storages, Storage_type1 and Storage_type2. A storage with type Storage_type1 (Storage_type2) is tested if there is a tested1 (tested2) edge connected to the storage node. If there is no tested edge connected to the storage node, the storage is untested.

An untested storage can be tested by a test cell. The testing of an untested storage requires a non-reserved test cell. A test cell is modeled by a graph node with type Test_cell. A test cell is reserved if there is an edge reserved connected to the test cell node; if there is no such reserved edge connected to the test cell, then the test cell is free. A storage is under test if there is a test1 (test2) typed edge between a storage and a test cell. After a storage is tested, it is ready to be shipped to the customers. A shipped storage with type Storage_type1 is modeled by a graph node with type Shipped_t1.

An instance graph is shown in Fig. 9.9 on the right as a UML object diagram: there is an untested storage s1 with type Storage_type1 that is under test (connected by a test1 edge to a reserved test cell t1), a tested storage s2 with type1, and an untested storage s3 with type2.

In Fig. 9.10 rules manipulating a storage with type1 are presented. The name and the time of the rule arewritten over and below the blue rule arrow, respectively. The timestamp (chronos) of an edge is written after thetype of the edge separated by a /. Since the current example does not allow multiple edges with the same typebetween two nodes, the identifiers of the edges are omitted.

The time of a rule equals the maximum of the timestamps in the LHS plus the duration of the rule, and all graph elements in the RHS get this time as their timestamp. It is easy to check that the conditions Local monotonicity and Uniform timestamps hold for all rules.


Figure 9.10: GT rules

For space considerations only the testing of a storage is described in detail. A storage can be tested if (i) it is not tested yet, (ii) its test has not started yet, i.e. there is no test cell connected to it, and (iii) there exists a free test cell. These conditions are described by the negative application conditions NAC1-3, respectively. If there exist such a storage s1 and test cell t1, rule start_test_1 is applied: a test1 edge is drawn from s1 to t1 representing the start of the test, and t1 gets an edge reserved denoting its allocation for s1. The duration of the rule is 1 time unit.

The test of a storage is carried out by applying rule test_1: the rule searches for a storage that has a test1 edge to a reserved test cell. After the test is carried out, a self-loop edge tested1 is created for the storage denoting its state and the other edges are deleted, i.e. the test cell becomes free again. The duration of the test is 21 time units. The rules for a storage with type2 are similar, with durations 1, 23, 16, 13, and 1 for the rules start_test2, test_2, reco_2, reco_2_tested, and ship_2, respectively.

Both untested and tested storages can be reconfigured into untested or tested storages of the other type, modeled by the rules reco and reco_tested. Moreover, a tested storage can be shipped, modeled by the rule ship.

Note that the example can be modeled in several ways, using attributes or edges to denote the type of a storage. However, the current version allows an easy construction of the reachability statement.

9.2.1 Time-optimal trajectory problem for GTS with time

Definition 39 (Optimal Trajectory Problem for GTS with Time) Given a graph transformation system $GTS$ with time together with an initial instance graph $G_0$ and a graph $G_{partial}$, find a trajectory (path) $tr$ from graph $G_0$ to a graph $G$ ($G_0 \overset{tr}{\Longrightarrow} G$) such that $G \supseteq G_{partial}$, and it is optimal, i.e. $\forall tr' : G_0 \overset{tr'}{\Longrightarrow} G',\ G' \supseteq G_{partial} : d(tr) \le d(tr')$. Furthermore, the duration of the optimal trajectory does not exceed an upper bound $timeLimit$. We denote this problem as $OT = ((GTS, G_0), G_{partial}, timeLimit)$.


The mapping F() of a graph transformation system with time GTSt = ((Rules, TG), G0, Gpartial, timeLimit) into a cardinality Petri net with duration PNd := 〈(P, T, E, w, M0), d〉 is the same as the mapping from a GTS with cost into a PN with cost (see Section 9.1.3), such that the duration of the PN transition F(r) corresponding to the GTS rule r ∈ Rules is d(F(r)) = d(r).

The mapping F() is then a proper abstraction of the GTS with time in the sense that the derived Petri net with time simulates the original GTS with time. The Petri net construction ensures that whenever a GT rule is applied at time instance l, the corresponding transition in the Petri net can also be fired at time instance l. Moreover, the durations of the two sequences are equal, since the duration of each GT rule equals the duration of its abstracting transition. As the complexity of the derived abstraction is lower than the complexity of the original GTS, the solution of the corresponding optimal trajectory problem in the Petri net can be used as a hint when exploring the state space of the original GTS.

Example 25 Let us revisit our ongoing example. In Fig. 9.11, a part of its cardinality Petri net is shown: theplaces of the Petri net and the abstraction transition of rule test_1 (see Fig. 9.10). The tokens in the placesrepresent the instance graph in Fig. 9.9 on the right.

The LHS of the rule contains two nodes with types St_t1 and Test_cell , and two edges with types test1 andreserved . Thus the corresponding transition has four incoming arcs from the corresponding places. Since theRHS consists of two nodes with types St_t1, and Test_cell , and one edge with type tested1, the transition hasthree outgoing arcs to the corresponding places. The duration of the transition is equal to 21.

Figure 9.11: The cardinality Petri net of rule start_test_1
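The cardinality net of Example 25, as an added example that is not the thesis' own implementation: rules are reduced to multisets of LHS/RHS element types (which is all the mapping F() keeps of a rule), the initial marking is counted from the instance graph of Fig. 9.9, and firing test_1 reproduces the four incoming and three outgoing arcs and the duration 21. The last function shows the over-approximation that Example 26 runs into: the net counts reservations in a separate place and therefore cannot see that no free test cell is left. The instance graph and the rule multisets are constructed here from the text; the names of the type places (St_t1, Test_cell, test1, reserved, tested1, ...) follow the example.

```python
"""Cardinality Petri net abstraction F() of the storage GTS (Section 9.2.1, Example 25).
Added example, not the thesis' implementation. Rules are given as multisets of LHS/RHS
element types, which is all the cardinality net keeps of a rule."""
from collections import Counter

# Constructed instance graph of Fig. 9.9 (right): s1 under test in reserved cell t1,
# s2 tested, s3 untested. Edge tuples are (type, source, target).
INSTANCE_GRAPH = {
    "nodes": {"s1": "St_t1", "s2": "St_t1", "s3": "St_t2", "t1": "Test_cell"},
    "edges": [("test1", "s1", "t1"), ("reserved", "t1", "t1"), ("tested1", "s2", "s2")],
}

# (LHS type counts, RHS type counts, duration). Durations as given in Section 9.2 / Fig. 9.10.
RULES = {
    "start_test_1": (Counter({"St_t1": 1, "Test_cell": 1}),
                     Counter({"St_t1": 1, "Test_cell": 1, "test1": 1, "reserved": 1}), 1),
    "start_test_2": (Counter({"St_t2": 1, "Test_cell": 1}),
                     Counter({"St_t2": 1, "Test_cell": 1, "test2": 1, "reserved": 1}), 1),
    "test_1": (Counter({"St_t1": 1, "Test_cell": 1, "test1": 1, "reserved": 1}),
               Counter({"St_t1": 1, "Test_cell": 1, "tested1": 1}), 21),
    "test_2": (Counter({"St_t2": 1, "Test_cell": 1, "test2": 1, "reserved": 1}),
               Counter({"St_t2": 1, "Test_cell": 1, "tested2": 1}), 23),
}


def marking_of(graph):
    """M0 of the cardinality net: one place per node/edge type, tokens = number of instances."""
    marking = Counter(graph["nodes"].values())
    marking.update(edge[0] for edge in graph["edges"])
    return marking


def abstract(rules):
    """F(): one transition per rule; an incoming arc per LHS element type (weight = multiplicity),
    an outgoing arc per RHS element type, and the rule's duration as transition duration."""
    return {name: {"pre": lhs, "post": rhs, "duration": d} for name, (lhs, rhs, d) in rules.items()}


def arc_counts(net, name):
    t = net[name]
    return sum(t["pre"].values()), sum(t["post"].values())


def enabled(marking, t):
    return all(marking[place] >= w for place, w in t["pre"].items())


def fire(marking, t, start):
    """Fire t at instant `start`; returns the new marking and the instant its tokens appear."""
    if not enabled(marking, t):
        raise ValueError("transition not enabled")
    new = Counter(marking)
    new.subtract(t["pre"])
    new.update(t["post"])
    return +new, start + t["duration"]       # unary + drops places with zero tokens


def free_test_cells(marking):
    """The GTS-level precondition of start_test (NAC3: a cell without a reserved edge). The
    cardinality net keeps reservations in their own place, so no transition guard sees this."""
    return marking["Test_cell"] - marking["reserved"]


def pseudo_solution_demo():
    """Example 26's failure mode: two cells, both reserved at time 0, yet start_test_2 stays
    enabled in the abstraction at time 1 although no free cell is left in the GTS."""
    net = abstract(RULES)
    m = Counter({"St_t1": 2, "St_t2": 1, "Test_cell": 2})
    m, _ = fire(m, net["start_test_1"], 0)
    m, _ = fire(m, net["start_test_2"], 0)
    return enabled(m, net["start_test_2"]), free_test_cells(m)


if __name__ == "__main__":
    net = abstract(RULES)
    m0 = marking_of(INSTANCE_GRAPH)
    print("test_1 arcs (in, out):", arc_counts(net, "test_1"))
    print("M0:", dict(m0))
    m1, done = fire(m0, net["test_1"], 0)
    print("after test_1:", dict(m1), "tokens available at", done)
    print("start_test_2 PN-enabled / free cells in GTS:", pseudo_solution_demo())
```

Because the net only simulates the GTS (every GT step is a firing, not the other way round), a candidate Parikh vector computed on it is a hint and has to be replayed on the instance graph before it is trusted; the `pseudo_solution_demo` marking is exactly such a spurious candidate.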

9.2.2 Guiding exploration of the GT state space

In Chapter 8 the optimal trajectory problem for timed Petri nets was defined and solved. This solution technique is applied to the derived cardinality Petri net to generate a candidate Parikh vector that guides the state space traversal of the GTS (similarly to the cost optimization in GTSs). In this case the Parikh vector encodes not only the number of the fired transitions but also the firing time of the transitions. This way, if there is a candidate Parikh vector, the strategy of the search for an optimal GT sequence is to try to apply the GT rules to the instance graph at the same time instant in which the corresponding transition fires. The traversal of a branch of the transition graph is then suspended, i.e. the discovery of the unpromising paths is postponed, (i) if a GT rule cannot be applied at the given time instant as many times as it is counted in the solution Parikh vector, or (ii) if the graph yielded by applying the last rule (according to the solution Parikh vector) does not cover the target graph pattern. The latter may occur, for instance, if the rules create edges between nodes and the target graph pattern contains edges connected to the same node: then the required rules are applicable to the model graph in the required order, but the created edges are not connected as required.

If all the GT rules can be applied according to the candidate Parikh vector and the resulting graph covers the required partial graph, then an optimal trajectory is found. Otherwise, if there are no branches left to continue the state space traversal, the next best solution of the ILP problem (of the cardinality Petri net) is generated and taken into account in the search strategy during the exploration of the previously unpromising paths.


Note that the simulation property of the Petri net abstraction and the strategy of the state space traversal ensure that (i) the duration of a GT sequence during the state space traversal cannot exceed the duration of the solution Parikh vector, and (ii) the target graph will not be covered with less duration before applying all the rules corresponding to the candidate transition occurrence vector. Otherwise there would have been another solution Parikh vector with less duration determining this path.

Figure 9.12: An optimal GT sequence

Example 26 Let us revisit our storage example. Let an instance graph G0 be given consisting of two storages with type St_t1, one storage with type St_t2, and two Test_cells (Fig. 9.12) such that the timestamp of all nodes is equal to 0. The target graph to be covered consists of one node with type Shipped1 and two nodes with type Shipped2. Let the timeLimit be 100. Then the following optimal Parikh vector is delivered first (each entry is a transition and the instant at which it fires): start_test_t1/0, start_test_2/0, start_test_2/1, start_test_t1/3, test_1/1, test_2/4, ship_2/28, reco_1_tested/22, ship_2/33, test_1/22, ship_1/43, t_last/44. The duration of this firing sequence is 44, defined by the firing time of the sink transition.

Now let us construct a corresponding GT sequence. Since the optimal Parikh vector defines a time-ordered transition sequence, the search strategy is to try to apply the GT rules at the same time instants. At time 0 two rules have to be applied: start_test_t1 and start_test_t2, both with duration 1. Since these rules make both test cells reserved, the rule start_test_t2 cannot be applied at time 1. This pseudo solution is delivered because the NACs of the rule that prohibit its application in this case are not encoded into the Petri net. Therefore the state space traversal is stopped, and the next best solution is generated.

The next best solutions with duration 44 time units fail to yield a valid GT sequence because of the same problem. However, the next best solution with duration 45 time units is already fireable, thus an optimal solution is found: start_test_t1/0, start_test_2/0, test_1/1, start_test_t1/22, test_2/1, ship_2/24, reco_1_tested/22, ship_2/33, test_1/23, ship_1/44, t_last/45. A corresponding GT sequence is depicted in Fig. 9.12 (where the application of the last two rules ship_1 and ship_2 is not depicted). The matches of the LHS of the rules are drawn in green, and for space considerations independent rules are applied in one step.


9.3 Related Work

Model checking tools for GTS. There are several model checking approaches to analyze graph transformationsystems. One can categorize them as interpreted approaches like [33,90,109], which store system states as graphsand directly apply transformation rules to explore the state space, and compiled approaches such as [52, 53, 113]which translate graphs and graph transformation rules into off-the-shelf model checkers to carry out verification.(My solution belongs to this category.)

These approaches can potentially be extended to handle cost attributes as well, for optimization and verification (e.g. of temporal constraints) purposes. In fact, GROOVE [109] has been extended in [66] in this direction. Unfolding-based cuts and optimization are also an interesting direction for future extensions of AUGUR [90].

Rule-based design space exploration (DSE). Design space exploration aims to find optimal design candidates of a domain with respect to different objectives, where the design candidates are constrained by complex structural and numerical restrictions. Rule-based DSE [48, 66, 76] aims to find such candidates that are reachable from an initial model by applying a sequence of exploration rules. Solving a rule-based DSE problem is a difficult challenge due to the inherently dynamic nature of the problem.

In [48] the T-Core framework is used for implementing typical meta-heuristic exploration strategies, such as hill climbing and simulated annealing, using the transformation primitives of the framework, while the operations are specified as graph transformation rules.

Some state space exploration strategies of [76, 83] build directly upon my work, see Section 9.1.7.

Reachability in GTS with time. In [73] a GTS with time was optimized using the SPIN model checker. In that approach the GTS was optimized directly and not mapped into a Petri net. However, the SPIN based optimization required the GTS model to be finite in the sense that all elements of the GTS had to be known a priori, i.e. no new elements could be created in the GTS. Since many applications need the creation of new elements, the novelty of the current approach is that only an upper limit has to be given for the number of model elements of each type. This way the GTS is not limited to a static structure, but new elements are allowed to be created as well.

A Timed Story Driven Modeling based framework is introduced in [77] to carry out reachability analysis. The approach uses real-time statecharts and Timed Story Diagrams, from which the graphs and rules originate. The reachability analysis is carried out as the verification of a derived timed graph transition system.

9.4 Contribution

Contribution 4 I generalized the optimal trajectory problems of Petri nets over graph transformation systemswith cost and time.

4/3 I introduced cost into graph transformation systems as the cost of a rule application. I defined formal semantics for evaluating graph transformation rules with cost. The corresponding publications are [5, 21, 22].

4/4 I introduced time into graph transformation systems as a time attribute (timestamp) of graph elements. I defined formal semantics for evaluating graph transformation rules with duration. The results of this contribution were published in [2, 3, 10, 11].

4/5 I defined the optimal trajectory problem for graph transformation systems by generalizing its Petri netbased definition. The corresponding publication is [6].

The mapping of a GTS into Petri nets is the contribution of my co-author Dániel Varró. The introduction of time to graph transformation systems was a result of an international collaboration under the supervision of Prof. Reiko Heckel (at Univ. Paderborn) and Dániel Varró (at TU Budapest). The adaptation of Petri net based optimization techniques to GTS optimization is my own contribution, both in the case of GTS with cost and GTS with time.


Chapter 10

Comparison and Evaluation of the Algorithms

Hereafter the performance of the following algorithms is analyzed.

Solution of the ILP abstraction of the OT problem + fireability check. This algorithm, called ILPAlg, consists of two parts: at first, the ILP abstraction of the cost-optimal trajectory problem (see Definition 17 in Section 2.4.1) is solved, then the fireability of the delivered Parikh vector is checked by the SPIN model checker. Since the Parikh vector of a trajectory is a solution of the inequalities of the ILP problem, and a solution Parikh vector of the inequalities is fireable if there is no cycle in the Petri net, the performance of ILPAlg relies mainly on the performance of the ILP solver if there is no cycle in the Petri net. If several cycles exist in the Petri net, the number of spurious solutions increases, thus the algorithm takes more time.

Solution Structure Generation (SSG) + fireability check. This algorithm, called SSGAlg, is described in Section 6.2.3: all valid solution Petri nets (solution structures) are generated a priori and an ILP problem is formulated with the solution structures as variables. The optimization is followed by the fireability check. Obviously, the performance of this algorithm depends on the number of solution structures, which increases with the size of the Petri net (number of places and transitions), so SSGAlg is expected to perform better on smaller examples. Since the algorithm generates all solution structures a priori, its memory usage also increases for large Petri nets.

Accelerated Branch and Bound (ABB) based optimization followed by fireability check. The algorithm shown in Alg. 7 in Section 6.3, followed by a fireability check by the SPIN model checker, is referred to as ABBAlg. Since the algorithm computes all solution structures in the worst case, its time performance also depends on the number of solution structures. However, it does not store all of them as SSGAlg does, so it consumes less space than SSGAlg.

SPIN based optimization. The SPIN based optimization is described in Section 7.3 and is referred to as SPINAlg. In this case the performance of the model checker depends mainly on the number of states of the Petri net that are visited to find an optimal trajectory. Since SPINAlg traverses all paths from the initial marking to a possible end marking, both the runtime and the memory usage grow with the number of reachable states of the Petri net, which can be large for an unbounded Petri net. In addition, the SPIN model checker also stores the cost of the current trajectory in the state vector, so there are state vectors that are handled as different although the corresponding reachable states of the Petri net are the same. This way, if the costLimit is much higher than the optimum value, SPINAlg can easily fail to deliver a solution in time. The reason is that if the state space traversal is stuck in a cycle, it can only move forward to another reachable state once the costLimit is reached.

The algorithms were implemented in Java 1.7.0_55 and use CPLEX 12.6 to solve the LP and ILP problems. The SPIN 6.32 model checker was used to carry out the fireability check in the algorithms. The algorithms were run on a 64-bit server with an Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz and 32 GB memory


under Red Hat 4.5.1-4 Linux. Table 10.1 shows the results for the following benchmark examples:

• The storage ex. is the running storage testing example of the thesis, with several cycles (see Example 6),

• the 17P/16T is a sample process with 17 places and 16 transitions having also several cycles,

• the 22P/25T, 47P/43T, 60P/125T are randomly generated examples with the respective number of places and transitions, such that example 22P/25T has no maximal structure, and examples 47P/43T and 60P/125T have many structurally valid solutions,

• the 85P/83T is a business process example with 85 places and 83 transitions without any cycles.

The following performance aspects were analyzed: (i) the runtime of the algorithms is given in ms and denoted as RT, where TO stands for the timeout of the algorithm (the computation was stopped after 30 minutes), (ii) the memory consumption is given in Mb and denoted as Mem, and (iii) the number of fireability checks performed during the computation is denoted by FC.

                          ILPAlg               SSGAlg                ABBAlg                SPINAlg
Example      |P|   |T|    RT      Mem   FC     RT       Mem   FC     RT      Mem   FC      RT       Mem

storage ex.    5     6    1073     19    1     3019      13    2     1925    929    28     TO       -
17P/16T       17    16    1238     19    1     16632     51   16     1179     33    10     TO       -
22P/25T       22    25    189      11    0     42         5    0     42        5     0     4199     7
47P/43T       47    43    21546    81   16     1114008   51   11     1437   1912    43     252812   64
60P/125T      60   125    TO        -    -     TO         -    -     5093     25    72     TO       -
85P/83T       85    83    1343     26    3     TO         -    -     11738  1194   543     2317     41

Table 10.1: Comparison of algorithms (time in ms, memory consumption in Mb)

The main findings of the measurements are the following:

• If there are several cycles in the Petri net, SPINAlg may fail to find a solution within 30 minutes, as in the case of the storage example with costLimit 10000.

• If there exists no maximal structure for the example, as in the case of 22P/25T, the runtime of ILPAlg and SPINAlg is higher than the computation time of SSGAlg and ABBAlg, since the latter ones do not even start the optimization or the state space traversal.

• If there is a large number of structurally valid solutions for a given problem, the number of solution structures may even increase exponentially in the size of the example. Since SSGAlg computes all solution structures, its runtime reaches the timeout (30 minutes), as in the case of example 60P/125T.

• If there is no cycle in the Petri net, then the candidate Parikh vector of the ILP abstraction of the OT problem is fireable, thus ILPAlg is the fastest of the algorithms, as in the case of 85P/83T.

The implementation of the current algorithms excludes the reachability check described in Section 7.1, since no efficient off-the-shelf BDD packages written in or adapted to Java were available. Thus the implementation of this check needs more investigation. However, the above results indicate that reachability checks should be carried out only when the Petri net contains several cycles.

The evaluation of the solution structure basis based solution (see Section 6.2.4) is omitted hereafter since it strongly resembles SSGAlg, i.e. it can deliver a solution faster than the other algorithms only if there are not too many solution structure basis elements.

Many thanks to the PNS Studio developer team at the Pannon University for the PNS model generator program that generated the examples 17P/16T, 22P/25T, 47P/43T and 60P/125T, and to the PetriDotNet [24] developers for the 85P/83T example.


Chapter 11

Conclusion

11.1 Fulfillment of the Objectives

The objective of this thesis was to propose (i) mathematical models in which the optimal trajectory problem canbe formally expressed and (ii) strategies and algorithms to solve the optimal trajectory problem by combiningverification and optimization techniques.

11.1.1 Mathematical model

I proposed the use of Petri nets and graph transformation systems with cost and time to model cost- and time-optimal trajectory problems. Both the cost and the time parameters are added to Petri nets and graph transformation systems (GTSs) as the cost and the duration of transition firings and rule applications. In addition, time is included as a graph element attribute in GTSs, denoting the time of the creation or modification of a graph element. However, the passing of time is modeled differently in Petri nets and GTSs. In Petri nets the exact time is modeled by the time of the firing: its start time and its end time according to a global clock. In GTSs the time of a rule application is calculated from the time attributes of the graph elements.

The same approach can be used to model other metrics (e.g. probabilities of the firing of a transition or of the application of a rule) and to carry out optimization in both modeling frameworks.

11.1.2 Strategies and algorithms

Strategies and algorithms for the cost–optimal trajectory problem. The combination of verification andoptimization required the use of both optimization techniques and verification techniques.

• ILP based optimization. I proposed optimization techniques based on the state inequality-based formulation of the Petri net coverability problem. I extended the state inequalities with (i) an objective function according to the optimization purpose (cost or time), and (ii) I proposed solutions for the problem using PNS algorithms that accelerate the traditional solutions by exploiting the structural properties of the Petri net. The optimization techniques deliver a candidate Parikh vector as an abstraction of the optimal trajectory for the OT problem. However, the executability of the candidate has to be checked afterwards and a corresponding trajectory has to be delivered. Therefore a reachability function is generated that proves the reachability of the marking yielded by the Parikh vector, while the fireability check is performed by the model checker SPIN. Furthermore, SPIN is also used to verify the additional requirements. If one of the checks fails, the next best Parikh vector is calculated from the ILP problem and the subsequent checks are performed again.

• Verification and trajectory generation.

Several logical constraints can be expressed within the structure of the Petri net. However, requirements that cannot be expressed structurally are verified simultaneously with the executability check by the model checker SPIN. The candidate Parikh vector is used to guide the traversal of the state space, and a trajectory is delivered as a counterexample if it exists.

• I also gave a solution by directly translating the Petri net into the Promela language of the SPIN modelchecker and encoding the optimality criteria into the LTL expression to be verified.

Strategies and algorithms for the Petri net time-optimal trajectory problem The time-optimal trajectory problem differs from the cost-optimal case in the handling of transitions that may be fired in parallel.

• I proposed an ILP based solution for the time-optimal trajectory problem, counting the tokens in the individual places at each time instant. As the enabledness of the transitions is encoded directly into the ILP problem, the delivered solution represents an executable solution, i.e. an optimal trajectory (instead of a candidate Parikh vector as in the cost-optimal case).

• I also gave a solution by directly translating the Petri net into the Promela language of the SPIN modelchecker and encoding the optimality criteria into the LTL expression to be verified.

Strategies and algorithms for the optimal trajectory problems in graph transformation systems Due to the strong relationship between graph transformation systems and Petri nets, the elaborated methods were applied to the Petri net abstraction of GTSs with cost and time parameters, and the result was back-annotated into the GTS to guide the state space traversal.

11.2 Future Work

BDD-guided state space traversal. Both the solution structures of the PNS problem and the graph structure of the Petri net OT problem can be described as boolean functions, i.e. they can be represented by binary decision diagrams. Since the logical representation of the connection between places and transitions is similar to the neutral extension of a decision mapping, an interesting question is how the BDD of the Petri net OT problem can be used to guide the branching in the adaptation of the ABB algorithm.

Maximum likelihood diagnostics. Petri nets are also used to model diagnostic problems. A Petri net describing the fault propagation [107] in some models can be extended by the likelihood of the corresponding fault. Then the likelihood of reaching a state can be calculated from the likelihood parameters assigned to the transitions.

The question is whether the search for a path between two states with maximum likelihood can be reformu-lated as an OT problem. Another exciting question is how the approach in [106] (where the syndrome decodingproblem was reformulated as a P-Graph) can be extended to the same maximum likelihood diagnostic problemsolved by only PNS methods.

Upper bound for the number of fired transitions. Let OT = 〈〈PN, c〉, Mpartial〉 be a cost-optimal trajectory problem. It is an open problem whether there is an upper bound such that if there is no solution of the ILP abstraction of the OT problem with fewer transitions than this bound, then there exists no solution trajectory with more transitions than this bound either. The existence of such an upper bound would constrain the search space of the OT problem.


Chapter 12

Appendix

12.1 Petri Net Properties

In the following, liveness properties and invariants are discussed, which are further core definitions in Petri net analysis (based on [97]).

12.1.1 Liveness and deadlock

A system is in deadlock if it is in a dead state, i.e. there is no more action to be carried out. A state (marking) of the Petri net is dead if there is no enabled transition.

Liveness is related to deadlock-freedom: a Petri net is live if from each reachable marking any transition of the net can be fired through some firing sequence. If a Petri net is live then there is no deadlock in the Petri net, by the definition of liveness. However, liveness and deadlock-freedom are not equivalent: a Petri net may be deadlock-free but not live. Since many systems require only a weaker liveness property for their operation, liveness classes were defined.

Let a Petri net PN = (P, T, F,w,M0) be given. Then a transition t ∈ T is said to be

• dead (L0–live) if t can never be fired in any firing sequences.

• L1–live (potentially fireable) if it can be fired at least once in some firing sequences.

• L2–live if given any positive integer k, t can be fired at least k times in some firing sequence.

• L3–live if t appears infinitely often in some firing sequences.

• L4–live or live if t is L1–live in every reachable marking.

A Petri net is said to be Lk–live if every transition in the Petri net is Lk–live.

12.1.2 Invariants

There are two types of invariants in Petri nets: place and transition invariants. A place invariant, shortly P–invariant, is a weighted subset of places such that the weighted sum of the tokens in these places is always the same. A transition invariant, shortly T–invariant, is a weighted set of transitions that represents a cycle in the reachability graph of the net. If there is a corresponding transition sequence in the Petri net then the firing of this sequence does not change the state of the Petri net.

Definition 40 (P–, and T–invariant) A $|T|$–dimensional vector $\vec{x} \in \mathbb{Z}^{|T|}$ is a T–invariant if $W \cdot \vec{x} = 0$. A T–invariant $\vec{x}$ is fireable if there exists a trajectory that is compliant with this T–invariant, i.e. $\vec{\sigma}_s = \vec{x}$.

A $|P|$–dimensional vector $\vec{y} \in \mathbb{Z}^{|P|}$ is a P–invariant if $W^T \cdot \vec{y} = 0$.


The set of transitions (places) with non–zero components in a T–invariant (P–invariant) is called the support of the T–invariant (P–invariant). A support is said to be minimal if there is no proper subset of this support that is also the support of another invariant.

An invariant $\vec{x}$ is said to be minimal if there is no other invariant $\vec{x}_1$ such that $\vec{x}_1 \le \vec{x}$ in all components. An invariant is called a minimal–support invariant if it is minimal and it corresponds to a minimal support. Such a minimal–support invariant is unique with respect to the minimal support. Moreover, the set of all minimal–support invariants is a generator of invariants: every invariant can be generated as a linear combination of the generator invariants.

Based on the definition, if there exists a trajectory s that leads back to the initial state, i.e. from $M_0$ to marking $M = M_0$, then the Parikh vector $\vec{\sigma}_s$ of the trajectory is a T–invariant, since the state equation $M_0 + W \cdot \vec{\sigma}_s = M = M_0$ holds, from which $W \cdot \vec{\sigma}_s = 0$, which is the definition of a T–invariant.

Conversely, the backward direction does not hold: if there exists a T–invariant, there may be no corresponding trajectory, i.e. the T–invariant is not fireable. However, a weaker theorem is proved in [97]: a $|T|$–dimensional vector $\vec{x} \ge 0$ is a T–invariant if and only if there exists a marking $M_0$ and a firing sequence s from $M_0$ back to $M_0$ with its Parikh vector $\vec{\sigma}_s$ equal to $\vec{x}$. This means that there always exists a large enough marking such that each transition in the T–invariant can be fired.

Example 27 In Example 5 a trajectory was shown that was not fireable although its Parikh vector satisfied the corresponding state equation.

The T–invariants of the example, i.e. the solution Parikh vectors of the state equation $W \cdot \vec{x} = 0$ with minimal support, are $\vec{\sigma}_1 = (1, 1, 0, 0, 0, 0)$ and $\vec{\sigma}_2 = (0, 0, 0, 0, 1, 1)$. These solutions represent the subsequent reconfiguration of the untested or the tested storages.

The T–invariant $\vec{\sigma}_1$ is fireable if there is at least one untested storage in the Petri net, while the fireability of $\vec{\sigma}_2$ requires at least one tested storage.

Invariants are used in the characterization of Petri net properties. For instance, P–invariants are used to prove the boundedness of a Petri net: if there is a P–invariant in which all components are positive integers then the Petri net is bounded (for more information see [97]), and an upper bound for a place $p \in P$ is given by the equation

$$M(p) \le \min_{\vec{y}_i} \left\{ \frac{M_0 \cdot \vec{y}_i}{\vec{y}_i(p)} \right\}$$

where $\vec{y}_i$ is a nonnegative minimal–support P–invariant.
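As an added example (not part of the thesis and not its author's code), the following Python checks Definition 40 and the invariant properties above on a small constructed net: it builds the incidence matrix W, tests candidate T– and P–invariants, decides whether a T–invariant is fireable from a given marking by trying the orderings of its transition multiset, and computes the P–invariant bound on the token count of a place. The net, its markings and the candidate vectors are all constructed for this illustration.

```python
from itertools import permutations

# Constructed example net (not from the thesis): places p1, p2, p3 and transitions
# t1: p1 -> p2, t2: p2 -> p1, t3: p3 -> p1. PRE[t][p] / POST[t][p] are arc weights.
PLACES = ["p1", "p2", "p3"]
TRANSITIONS = ["t1", "t2", "t3"]
PRE = {"t1": {"p1": 1}, "t2": {"p2": 1}, "t3": {"p3": 1}}
POST = {"t1": {"p2": 1}, "t2": {"p1": 1}, "t3": {"p1": 1}}


def incidence_matrix(places, transitions, pre, post):
    """W[i][j] = w(t_j, p_i) - w(p_i, t_j): net token change at p_i when t_j fires."""
    return [[post[t].get(p, 0) - pre[t].get(p, 0) for t in transitions] for p in places]


def is_t_invariant(W, x):
    """Definition 40: x is a T-invariant iff W . x = 0 (no net change at any place)."""
    return all(sum(W[i][j] * x[j] for j in range(len(x))) == 0 for i in range(len(W)))


def is_p_invariant(W, y):
    """Definition 40: y is a P-invariant iff W^T . y = 0 (the weighted token sum
    over the places is preserved by every transition)."""
    return all(sum(W[i][j] * y[i] for i in range(len(W))) == 0 for j in range(len(W[0])))


def fire_sequence(m0, seq, pre, post):
    """Fire seq from marking m0 (dict place -> tokens); return the final marking,
    or None as soon as a transition in seq is not enabled."""
    m = dict(m0)
    for t in seq:
        if any(m[p] < k for p, k in pre[t].items()):
            return None
        for p, k in pre[t].items():
            m[p] -= k
        for p, k in post[t].items():
            m[p] += k
    return m


def is_fireable(m0, x, transitions, pre, post):
    """A T-invariant x is fireable at m0 if some ordering of its transition multiset is
    a valid firing sequence; by the state equation that sequence leads back to m0.
    (Brute force over orderings: fine for the tiny example, exponential in general.)"""
    multiset = [t for t, k in zip(transitions, x) for _ in range(k)]
    return any(fire_sequence(m0, seq, pre, post) is not None
               for seq in set(permutations(multiset)))


def place_bound(m0, places, p, p_invariants):
    """Upper bound M(p) <= min_i (M0 . y_i) / y_i(p) over nonnegative P-invariants y_i
    with y_i(p) > 0; None if no given invariant constrains p."""
    idx = places.index(p)
    bounds = [sum(m0[q] * y[i] for i, q in enumerate(places)) // y[idx]
              for y in p_invariants if y[idx] > 0]
    return min(bounds) if bounds else None


if __name__ == "__main__":
    W = incidence_matrix(PLACES, TRANSITIONS, PRE, POST)
    print("W =", W)
    print("(1,1,0) is a T-invariant:", is_t_invariant(W, [1, 1, 0]))
    print("(1,1,1) is a P-invariant:", is_p_invariant(W, [1, 1, 1]))
    # The T-invariant exists regardless of the marking, but (as in Example 27) it is
    # only fireable once a token sits in p1 or p2.
    empty = {"p1": 0, "p2": 0, "p3": 1}
    print("fireable at (0,0,1):", is_fireable(empty, [1, 1, 0], TRANSITIONS, PRE, POST))
    print("bound for p1 from y=(1,1,1):", place_bound(empty, PLACES, "p1", [[1, 1, 1]]))
```

The P–invariant (1, 1, 0) fails here because t3 injects tokens into p1 from p3; only the total token count (1, 1, 1) is preserved, which is exactly what the bound computation then uses.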

12.2 Petri Net Subclasses

Petri net models can be categorized into several classes based on their modeling purpose. A Petri net is called ordinary if the weight of each arc is 1. All Petri nets in this section are ordinary. Due to their restricted structure, efficient algorithms were elaborated for several problems of these subclasses (see e.g. [51]), while there are no efficient algorithms in the case of arbitrary Petri nets (PNs).

• State machines or S–systems (SMs). A state machine is an ordinary Petri net such that each transition has exactly one input and one output place. A state machine models a finite automaton: a transition with exactly one input and output place corresponds to the transition arrow in the finite automaton.

• Marked graphs or T–systems (MGs). A marked graph is an ordinary Petri net such that each place has exactly one incoming and one outgoing transition. A marked graph realizes concurrent operations in the Petri net without conflicts: firing a transition that has several output places splits the operation into concurrent execution threads. The requirement that a place has only one outgoing transition assures that no situation occurs in which an enabled transition becomes disabled by firing another transition.

• Free–choice nets (FCs). A free–choice net is an ordinary Petri net such that every arc from a place to a transition is either the unique outgoing arc from the place or the unique incoming arc to the transition.


• Extended free–choice nets (EFCs). An extended free–choice net is an ordinary Petri net such that if two places have at least one common outgoing transition then all of their outgoing transitions are the same.

• Asymmetric choice nets (ACs). An asymmetric choice net is an ordinary Petri net such that if two places have at least one common outgoing transition then each outgoing transition of one of the two places is an outgoing transition of the other place.

The relation and containment of the above subclasses is shown in Fig. 12.1 [97].

Figure 12.1: P/T net subclasses

12.2.1 Extensions with structured tokens

Structured tokens are used in Petri net modeling to represent high-level data as tokens in the places, i.e. places are marked by a multi-set of structured tokens.

• Coloured Petri nets (CPNs). In order to represent complex data structures, a finite, non–empty set of colours is defined in coloured Petri nets [85]. In the case of P/T nets each token is unstructured and the state of the net is described by the number of tokens in the individual places. In coloured Petri nets the tokens are distinguished by their value taken from the colour set, and the multisets of tokens in the individual places describe the state of the net.

In P/T nets the weight of the arc determines how many tokens have to be removed by firing a transition. In coloured Petri nets arc expressions describe what tokens are required by a transition in its input places in order to be enabled. In addition, a guard can be added to a transition that binds the variables in arc expressions. A transition is enabled if the guard evaluates to true and the required tokens are present in the input places of the transition. When the transition fires, the required tokens are removed and tokens are produced into the output places of the transition as defined by the corresponding arc expressions.

A coloured Petri net can be flattened into a P/T net where the traditional analysis techniques can be used. However, this transformation results in an exponential increase in the number of places, transitions and states. In order to save space in the representation of the state space of a coloured Petri net, the so–called symbolic reachability graph (SRG) is used, where one node represents a class of states.

• Well-formed Petri nets. The class of well–formed Petri nets [44] is a syntactically restricted class of coloured Petri nets such that the definition of colour classes and functions is formally restricted to the linear composition of a few basic functions. This formalization of colour classes and functions enables the definition of symbolic markings and symbolic firing rules.


In a well–formed Petri net a colour domain has to be in the form of a Cartesian product of object classes such that the elements of a class have the same behavior. These symmetries in the Petri net are defined by functions on the object classes: if a class is ordered the function is a rotation, otherwise it can be any permutation.

A dynamic subclass is a representation for an object set that has the same token distribution in a marking. Then the symbolic marking of this marking represents all ordinary markings that are yielded by the possible bindings of objects of the colour class in which the dynamic subclass is included.

A symbolic firing rule then binds dynamic subclasses: after firing a rule, the resulting dynamic subclasses are mapped by some operations into a symbolic marking. This way not only the size of the reachability graph is reduced but also the operations on the graph nodes are simplified. (For more details see [44].)

• Environment–Relationship nets. Environment–Relationship (ER) nets [70] are high–level Petri nets where tokens are environments and transitions are associated with actions. Given a set of values and a set of identifiers, an environment is a function from identifiers to values. An action associated with a transition is a relationship between its input environments and its output environments.

12.3 Reachability Function of Petri Nets

Pastor et al. showed in [101] how the state space and the dynamic behaviour of a bounded Petri net can be represented by Boolean functions and Binary Decision Diagrams (BDDs).

12.3.1 Boolean function representation of reachable markings

Since a k–bounded Petri net can be translated into a safe Petri net in time polynomial in the size of the Petri net, O(|P| + |T| + |F|) [37], only the Boolean representation of safe Petri nets is discussed hereafter. Similar representations of the Petri net state space exist by Multi–Valued Decision Diagrams (MDDs) [117] and Interval Diagrams [121] that are also appropriate for the required analysis of the input Petri net.

Let a safe Petri net $PN = \langle P, T, F, w, M_0 \rangle$ be given. Since the Petri net is safe, i.e. there is either 0 or 1 token in each place in each reachable marking, a reachable marking can be represented by a $|P|$–dimensional binary vector. Then the characteristic function of a marking $M \in \mathbb{B}^{|P|}$ is $C_M : \mathbb{B}^{|P|} \to \mathbb{B}$, such that $C_M(u_1, \dots, u_n) = 1$ if and only if $\forall i, 1 \le i \le |P| = n : u_i \equiv M(p_i)$. In other words, $C_M$ evaluates to true if and only if each place variable has value 1 if the corresponding place is marked in M and 0 otherwise.

Then a set of markings $\{M_j\}$ can be represented by the disjunction (union) of the characteristic functions of the contained markings: $\bigvee_j C_{M_j}$.

A transition t is enabled at marking M if all places in the pre–set of transition t are marked in M, i.e. the condition $E_t((u_1, \dots, u_n)) = \bigwedge_{p_i \in {}^\bullet t} (u_i \equiv 1)$ evaluates to true.

The firing of a transition t in a marking $M \in \mathbb{B}^{|P|}$, $M = (u_1, \dots, u_n)$, $n = |P|$, is described by the transition relation function of the transition: $\delta_t : \mathbb{B}^{|P|} \to \mathbb{B}^{|P|}$. The transition relation function is calculated as $\delta_t(M) = (\delta_{t_1}(M), \dots, \delta_{t_n}(M))$, where $\delta_{t_i}(M)$ is the number of tokens at place $p_i \in P$ after firing transition t. Since the underlying Petri net is supposed to be safe, the number of tokens $u_i$ in place $p_i$ is changed (i) to 0 if the transition removes a token from that place, (ii) to 1 if the transition produces a token into place $p_i$, or (iii) the number of tokens remains $u_i$ if the transition neither consumes nor produces a token from or to place $p_i$. Formally,

$$\delta_{t_i}((u_1, \dots, u_n)) = \begin{cases} 1 & \text{if } p_i \in t^\bullet \\ 0 & \text{if } p_i \in {}^\bullet t \setminus t^\bullet \\ u_i & \text{otherwise.} \end{cases}$$

Thus if transition t is enabled at marking $M = (u_1, \dots, u_n)$ then the firing of the transition leads to marking $M' = (\delta_{t_1}(M), \dots, \delta_{t_n}(M))$. Then a marking $M' = (v_1, \dots, v_n)$ is reachable from the marking $M = (u_1, \dots, u_n)$ by firing transition t if and only if the following Boolean function evaluates to true:

$$R_t(u_1, \dots, u_n, v_1, \dots, v_n) = C_M \wedge E_t \wedge \bigwedge_{1 \le i \le n} (v_i \equiv \delta_{t_i}(M)).$$

Then the set of reachable markings starting from an initial marking $M_0$ can be defined recursively as a Boolean function: $R(PN, M_0) = \{M \mid \exists k : R_k(M_0, M) \equiv 1\}$, where $R_0(M_0, M) \equiv 1 \iff M_0 = M$, and

$$R_{k+1}(M_0, M) = R_k(M_0, M) \vee \Big( R_k(M_0, M') \wedge \bigvee_{t \in T} R_t(M', M) \Big)$$

(where $R_k(M, M')$ evaluates to true if $M'$ is reachable from M by firing at most k transitions).

A so–called reachability function $R(M_1, M_2)$ is a function that evaluates to true if and only if $M_2$ is reachable from $M_1$, where $M_1, M_2$ are parameters. $R(M_1, M_2)$ can be computed as the fixpoint of the iterative application of the disjunction of the functions $R_t$. In other words, $R(M_1, M_2)$ is the transitive closure of this disjunction: $R(M_1, M_2) = R_k(M_0, M)$ if $\exists k \in \mathbb{N} : R_{k+1}(M_0, M) = R_k(M_0, M)$.

Since the reachability function may be very large it is represented by Binary Decision Diagrams.
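The fixpoint iteration just described, as an added example that is not part of the thesis: the characteristic function of a set of markings is stored here as the explicit set of bit vectors it accepts (a BDD would hold the same set symbolically), the enabledness test and the firing rule follow $E_t$ and $\delta_t$ above, and $R_{k+1} = R_k \vee \dots$ is iterated until $R_{k+1} = R_k$. The net is a constructed two-process mutual-exclusion model, and the safety property checked on the result is likewise an illustration; the `unsafe_firings` check is the author-of-this-example's way of confirming the 1-bounded assumption the encoding rests on.

```python
# Constructed safe net (not from the thesis): two processes sharing one mutex token.
# Places (index = bit position): 0 idleA, 1 critA, 2 mutex, 3 idleB, 4 critB.
PLACES = ["idleA", "critA", "mutex", "idleB", "critB"]
# transition -> (pre-set, post-set) as sets of place indices; all arc weights are 1
TRANSITIONS = {
    "enterA": ({0, 2}, {1}),
    "leaveA": ({1}, {0, 2}),
    "enterB": ({3, 2}, {4}),
    "leaveB": ({4}, {3, 2}),
}
M0 = (1, 0, 1, 1, 0)


def enabled(m, pre):
    """E_t: every place in the pre-set of t carries its (single) token."""
    return all(m[i] == 1 for i in pre)


def delta(m, pre, post):
    """delta_t: 1 for places in the post-set, 0 for places only in the pre-set,
    unchanged otherwise (the safe-net firing rule of the section above)."""
    return tuple(1 if i in post else 0 if i in pre else u for i, u in enumerate(m))


def successors(m, transitions):
    """All markings reachable from m by firing exactly one enabled transition."""
    return {delta(m, pre, post) for pre, post in transitions.values() if enabled(m, pre)}


def reachable_markings(m0, transitions):
    """Iterate R_{k+1} = R_k OR successors(R_k) until R_{k+1} = R_k.
    Returns (set of reachable markings, the k at which the fixpoint was detected)."""
    r, k = {m0}, 0
    while True:
        nxt = set(r)
        for m in r:
            nxt |= successors(m, transitions)
        if nxt == r:
            return frozenset(r), k
        r, k = nxt, k + 1


def unsafe_firings(markings, transitions):
    """Enabled firings that would put a second token into a place. The Boolean
    encoding is only sound when this set is empty, i.e. the net really is safe."""
    return {(m, t) for m in markings for t, (pre, post) in transitions.items()
            if enabled(m, pre) and any(m[i] == 1 and i not in pre for i in post)}


def mutual_exclusion(markings, a, b):
    """Safety property: no reachable marking marks both critical places a and b."""
    return not any(m[a] == 1 and m[b] == 1 for m in markings)


if __name__ == "__main__":
    reach, k = reachable_markings(M0, TRANSITIONS)
    print(len(reach), "reachable markings, fixpoint after", k, "iteration(s)")
    print("net is safe on its reachable markings:", not unsafe_firings(reach, TRANSITIONS))
    print("mutual exclusion holds:", mutual_exclusion(reach, 1, 4))
```

On this net the iteration stabilises after one round with three reachable markings, and the critical places are never marked together; replacing the explicit set by a BDD changes the representation of $R_k$, not the iteration.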

12.3.2 State space representation by Binary Decision Diagrams

Deciding a property on a set of states necessitates the efficient representation of the state space. The so–called symbolic techniques provide a solution to store the state space: the basic idea is to use the characteristic function of the set of states for the representation and the manipulation of the state space.

Hereafter only the most important notions are given, based on [1]. A Binary Decision Diagram (shortly BDD) is a special directed binary graph that represents a Boolean function. A Binary Decision Diagram has one root node, intermediate nodes that have exactly two child nodes, and two leaves. The root node and intermediate nodes are labeled by the variables of the function, and the outgoing edges show the evaluation of the variable: a dashed/solid edge starting from a variable v means that v = 0/v = 1. A path from the root node to a leaf delivers the evaluation of the function along the edge values.

In Fig. 12.2 on the left, the Boolean function $f(x_1, x_2, x_3) = (x_1 \wedge \neg x_2 \wedge x_3)$, $f : \mathbb{B}^3 \to \mathbb{B}$, is represented as a Binary Decision Diagram.

The diagram on the left shows the evaluation of the underlying Boolean function for all possible variable assignments explicitly, e.g. for the evaluation x1 = 0, x2 = 1, x3 = 1 one has to follow first the dashed line and then the solid line twice. This path leads to the leaf 0, which means that the Boolean function evaluates to false in this case. This BDD is called an Ordered Binary Decision Diagram because all variables arise in the same order on the paths from the root to the leaves.

The Reduced Ordered Binary Decision Diagram of function f is shown on the right of the figure. Here, those branches are pruned that do not influence the value of the function: if we give the value 0 to variable x1 then it does not matter what values the other variables have, the function evaluates to 0. This way storing the same function needs four nodes less. For a fixed variable order the ROBDD of a function is unique.

Boolean operations like conjunction and disjunction can be performed in time polynomial in the size of the BDDs. Satisfiability and complementation are decided in constant time using BDDs.

Due to these properties, ROBDDs provide an efficient tool to store and manipulate Boolean functions, such as the state space of safe Petri nets in the form of the disjunction of the ROBDDs of the characteristic functions of the reachable markings of the Petri net. Since the enabledness function and the transition function can be represented by BDDs, the reachability function of a safe Petri net can also be represented by BDDs.
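A minimal ROBDD, added here as an example that is not the thesis's or its author's code, makes the reduction rules and the polynomial `apply` operation concrete: nodes are hash-consed triples (variable, dashed child, solid child), a test whose two children coincide is dropped, and two ROBDDs are combined by Shannon expansion on the smaller variable with a memo table. The function $f = x_1 \wedge \neg x_2 \wedge x_3$ of Fig. 12.2 is also the characteristic function $C_M$ of the safe marking (1, 0, 1), which is how the block ties BDDs back to the marking sets of the previous subsection. Variable names, the marking set and the node-id scheme are this example's own choices.

```python
def AND(a, b):
    return a and b


def OR(a, b):
    return a or b


def NOT_LEFT(a, _b):
    return not a


class ROBDD:
    """Minimal reduced ordered BDD over variables 1..n (the order is the variable index).
    Node ids: 0 = leaf 0 (false), 1 = leaf 1 (true); other ids are (var, low, high)
    triples, low being the dashed (var = 0) and high the solid (var = 1) edge."""

    def __init__(self, n_vars):
        self.leaf_var = n_vars + 1          # leaves sort after every real variable
        self.nodes = [(self.leaf_var, None, None), (self.leaf_var, None, None)]
        self.unique = {}                    # (var, low, high) -> id: hash-consing
        self.cache = {}                     # memo for apply()

    def mk(self, var, low, high):
        """The two reduction rules: drop a test whose branches agree, share equal triples."""
        if low == high:
            return low
        key = (var, low, high)
        if key not in self.unique:
            self.unique[key] = len(self.nodes)
            self.nodes.append(key)
        return self.unique[key]

    def var(self, i):
        return self.mk(i, 0, 1)

    def apply(self, op, u, v):
        """Combine two ROBDDs with a binary Boolean op; the memo bounds the work by |u|*|v|."""
        key = (op, u, v)
        if key in self.cache:
            return self.cache[key]
        if u <= 1 and v <= 1:
            r = int(bool(op(bool(u), bool(v))))
        else:
            vu, lu, hu = self.nodes[u]
            vv, lv, hv = self.nodes[v]
            top = min(vu, vv)               # Shannon-expand on the smaller variable
            lu, hu = (lu, hu) if vu == top else (u, u)
            lv, hv = (lv, hv) if vv == top else (v, v)
            r = self.mk(top, self.apply(op, lu, lv), self.apply(op, hu, hv))
        self.cache[key] = r
        return r

    def neg(self, u):
        return self.apply(NOT_LEFT, u, 0)

    def evaluate(self, u, assignment):
        """Follow the dashed/solid edges for a {var: bool} assignment down to a leaf."""
        while u > 1:
            var, low, high = self.nodes[u]
            u = high if assignment[var] else low
        return bool(u)

    def size(self, u):
        """Number of nodes (leaves included) reachable from u."""
        seen, stack = set(), [u]
        while stack:
            w = stack.pop()
            if w not in seen:
                seen.add(w)
                if w > 1:
                    stack.extend(self.nodes[w][1:])
        return len(seen)

    def marking(self, bits):
        """C_M of one safe marking: conjunction of x_i or NOT x_i per place."""
        u = 1
        for i, b in enumerate(bits, start=1):
            u = self.apply(AND, u, self.var(i) if b else self.neg(self.var(i)))
        return u

    def marking_set(self, markings):
        """Characteristic function of a set of markings: the disjunction of the C_M's."""
        u = 0
        for m in markings:
            u = self.apply(OR, u, self.marking(m))
        return u


def example():
    """f(x1,x2,x3) = x1 AND NOT x2 AND x3 from Fig. 12.2 is C_M for M = (1,0,1);
    the second function is the characteristic function of a two-marking set."""
    bdd = ROBDD(3)
    f = bdd.marking((1, 0, 1))
    s = bdd.marking_set([(1, 0, 1), (0, 1, 0)])
    return bdd, f, s
```

The ROBDD of f has five nodes (three variable nodes and the two leaves) against nine for the full ordered diagram, matching the "four nodes less" of the figure; satisfiability is the constant-time test `u != 0`, and canonicity shows up as `marking((1,0,1))` returning the very same node id on every call.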

12.4 Petri Nets and Model Checking

Verification is a core task in several fields, especially in safety critical systems, already in the early phases of system design. Such systems have to satisfy several constraints and requirements in order to provide a service at a required quality level. Model checking tools became very popular in verification due to their efficient techniques to store and traverse large state spaces.

Figure 12.2: Example Binary Decision Diagrams

In computer science, model checking means the automatic check of the fulfillment of some properties [32] in a model. The need for model checking arose from the verification of properties that need the exhaustive traversal of the state space. The aim of model checking is to give efficient techniques to find a proof automatically for the satisfaction of a property.

The process of model checking is shown in Fig. 12.3. The input of a model checker is a transition system and the properties that have to be fulfilled by the system.

• A finite labeled transition system models the behaviour of the underlying system by a directed graph where the system states are modeled by nodes and the edges represent the transitions, i.e. state changes.

• The properties that have to be satisfied by the system are formalized as temporal logic expressions that are composed of temporal logic operators and state variables.

The model checker translates a property into an automaton that accepts only those paths on which the expression evaluates to true. Then the product automaton of the negation of this property automaton and the automaton of the transition system is analyzed. If there is no sequence in the product automaton leading to an accepting state, i.e. the product automaton accepts the empty language, then there is no sequence in the transition system that satisfies the negation of the property. In other words, the original property holds in the system.

If a large model has to be verified, one can choose to use off–the–shelf analysis tools like model checkers or theorem provers, or may decide to develop a (usually dedicated) new tool. The model checking tool SPIN was chosen for the analysis of the Petri net since it provides (i) efficient handling of quantitative parameters even in the LTL expression, (ii) interactive, guided, and random simulations together with a graphical interface, XSPIN, and (iii) there are existing transformations from Petri nets to the input language of the SPIN model checker, called Promela.

I use the SPIN model checker in two solutions that I gave for the optimal trajectory problem. In the gradual filtering solution, SPIN is used to check the given requirements and to deliver an optimal trajectory (if it exists), traversing only the state space that is reduced to a candidate Parikh vector. The second approach uses SPIN as the only tool to solve the optimal trajectory problem, such that the optimality criterion is encoded into the LTL property.


Figure 12.3: Model checking process

In the following, the automaton based theory behind the model checking concept of the SPIN model checker is shortly discussed, followed by the encoding of Petri nets into the input format of the SPIN model checker.

12.4.1 Transition system

Transition systems (TS) are a common mathematical formalism that serves as the input specification of various model checker tools, where the system evolves by executing non-deterministic, conditional rules that manipulate state variables.

Definition 41 (Transition System) A TS is a 6–tuple 〈S,Act,→, I, AP,L〉 (see [32]), where

• S is a set of states

• Act is a set of actions

• → ⊆ S × Act × S is a transition relation

• I ⊆ S is the set of initial states

• AP is a set of atomic propositions and

• L : S → 2AP is the labeling function.

A TS is called finite if S,Act and AP are finite.

The behaviour of the transition system can be described by the states and the transitions as follows. The system starts in an initial state $s_0 \in I$. Then the state of the system changes according to the transition relation, written in the form $s_0 \xrightarrow{act} s$, $act \in Act$. Both the initial state and a transition from a state are selected non–deterministically (if there is more than one). Moreover, L(s) is the set of atomic propositions that are satisfied in state s.

There are several system properties that have to be checked along the operation of a system and not only in one state. Temporal operators enable the expression of a requirement in time, i.e. a temporal formula can represent a logical constraint that has to be satisfied e.g. always (in each state) or in the future (in at least one state of the path).

In the following LTL formulae are defined (based on [55]).


Definition 42 (Linear–time Temporal Logic (LTL)) Let Σ be a finite alphabet, and let Π be a set of atomic propositions over Σ, where Π is a set of mappings with domain Σ and range set {true, false}. Then a linear–time propositional temporal logic (LTL) formula over the set Π is either φ if φ ∈ Π, or an expression of the form φ ∧ ψ, ¬φ, Xφ or φUψ if φ and ψ are formulae.

The interpretation of an LTL formula is an infinite word ξ ∈ Σω. Let ξ(0) denote the first element of ξ, and let ξ(i) denote the suffix of ξ starting at position i. Then the semantics of LTL formulae is given by the satisfaction relation |= as follows.

• ξ |= π for π ∈ Π if π(ξ(0)) = true.

• ξ |= ¬φ if not ξ |= φ.

• ξ |= φ ∧ ψ if ξ |= φ and ξ |= ψ.

• ξ |= Xφ if ξ(1) |= φ.

• ξ |= φUψ if ∃i ∈ N : ξ(i) |= ψ and ∀j ≤ i : ξ(j) |= φ.

The language L(φ) of a formula φ over Π is the set of all words of Σω that satisfy φ.

Informally, Xφ means that φ is satisfied in the next state, while φUψ means that φ is satisfied until ψ is satisfied. The often used F (eventually), G (always), and B (before) operators can be derived from the operators defined above as follows:

• Fφ evaluates to true when φ will evaluate to true some time in the future, i.e. {true}Uφ.

• Gφ means that φ has to be true in each state, i.e. ¬φ is never satisfied: ¬F (¬φ).

• φBψ means that φ has to be satisfied some time before ψ is satisfied, i.e. ¬((¬φ)Uψ) ∧ Fφ.

One approach to check the satisfaction of a property in a transition system is to translate both the transition system and the negation of the LTL formula into Büchi automata (see Fig. 12.4).

• The Büchi automaton of the transition system accepts exactly those words that correspond to a path in the transition system.

• The Büchi automaton of the negation of the LTL formula accepts exactly those words that violate the given LTL property.

• Then the product of the two automata is constructed such that the product automaton accepts those words (sequences) that are valid runs in the transition system and satisfy the negation of the LTL formula. Such an accepted run in the product automaton represents a counterexample for the system model, i.e. it violates the given property, thus the property is not satisfied in the system model. If the accepted language of the product automaton is empty, then the property holds in the system model.

Definition 43 (Büchi automaton.) Let φ be an LTL formula over a set of propositions Π. A labeled Büchi automaton over Π is a tuple $A = (2^\Pi, Q, \Delta, q_0, F)$ where Q is a finite set of states, $\Delta \subseteq Q \times 2^\Pi \times Q$ is the transition relation, $q_0 \in Q$ is the initial state, and $F \subseteq Q$ is the set of accepting states. An accepting run of A is an infinite sequence $a_s = q_0 \Pi_0 q_1 \Pi_1 q_2 \dots$ such that $\forall i, 0 \le i : (q_i, \Pi_i, q_{i+1}) \in \Delta$ and some state of F appears infinitely often in this sequence. A accepts an infinite word $a_0 a_1 a_2 \dots \in (2^\Pi)^\omega$ if there exists an accepting run $q_0 \Pi_0 q_1 \Pi_1 q_2 \dots$ such that $\forall i, 0 \le i : a_i$ satisfies every predicate of $\Pi_i$.

Fig. 12.4 shows the model checking process on the left and two Büchi automata $A_1 = (2^\Pi, Q, \Delta, q_0, F_1)$ and $A_2 = (2^\Pi, Q, \Delta, q_0, F_2)$ on the right such that


Figure 12.4: Example Büchi automaton

• Π = {{}, {r}, {v}, {r, v}},

• Q = {s1, s2, s3}, ∆ = {(s1, {{v}}, s1), (s1, {{r, v}}, s2), (s1, {{}, {r}}, s3), (s2, {{v}, {r, v}}, s2), (s2, {{}, {r}}, s3), (s3, {{}, {r}, {v}, {r, v}}, s2)},

• q0 = s1, and

• F1 = {s2}, F2 = {s1, s3}.

Starting from the initial state s1, the automaton A1 (in Fig. 12.4 on the top right) accepts those runs where v is always satisfied and r is satisfied at least once during the run. Thus the Büchi automaton A1 represents the LTL expression Gv ∧ Fr. The automaton A2 differs from automaton A1 in the accepting states: the accepting states of A2 are exactly those states that are not accepting states of A1. Thus the accepting runs of A2 are exactly those runs that are not accepted by A1, i.e. A2 represents the negation of the LTL expression Gv ∧ Fr. The construction of the Büchi automaton of an LTL expression and the product of Büchi automata is described in detail in [69].
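The semantics of Definition 42 and the Büchi acceptance of the A1/A2 example, as one added Python example that is not part of the thesis: an infinite word is stored as a lasso (prefix, loop), the satisfaction relation is evaluated recursively with a memo on (formula, position), and a deterministic Büchi automaton is run until its state at a loop boundary repeats, at which point the set of states visited infinitely often is known. Two assumptions are this example's own: the until operator uses the usual strict form (φ at every j < i), and s3 is treated as a trap state that every letter keeps in s3, which is what the text's description of A1 requires. The test words are constructed.

```python
# An ultimately periodic word xi = prefix . loop^omega is stored as (prefix, loop),
# each a list of letters; a letter is the set of atomic propositions true at that position.

def position(word, i):
    """Canonical index of the suffix xi(i): loop positions repeat with period len(loop)."""
    prefix, loop = word
    return i if i < len(prefix) else len(prefix) + (i - len(prefix)) % len(loop)


def letter(word, i):
    prefix, loop = word
    i = position(word, i)
    return prefix[i] if i < len(prefix) else loop[i - len(prefix)]


# Formulas are nested tuples: ("ap", p), ("true",), ("not", f), ("and", f, g), ("X", f), ("U", f, g).
def F(f):
    return ("U", ("true",), f)                              # eventually: true U f


def G(f):
    return ("not", F(("not", f)))                          # always: not F not f


def B(f, g):
    return ("and", ("not", ("U", ("not", f), g)), F(f))    # f before g, as derived above


def holds(formula, word, i=0, memo=None):
    """xi(i) |= formula (Definition 42). ASSUMPTION: strict until, phi at all j < k."""
    memo = {} if memo is None else memo
    i = position(word, i)
    key = (formula, i)
    if key in memo:
        return memo[key]
    op = formula[0]
    if op == "true":
        v = True
    elif op == "ap":
        v = formula[1] in letter(word, i)
    elif op == "not":
        v = not holds(formula[1], word, i, memo)
    elif op == "and":
        v = holds(formula[1], word, i, memo) and holds(formula[2], word, i, memo)
    elif op == "X":
        v = holds(formula[1], word, i + 1, memo)
    elif op == "U":
        bound = max(i, len(word[0])) + len(word[1])        # every suffix appears below this
        v = any(holds(formula[2], word, k, memo)
                and all(holds(formula[1], word, j, memo) for j in range(i, k))
                for k in range(i, bound))
    else:
        raise ValueError(op)
    memo[key] = v
    return v


def a1_next(state, a):
    """Deterministic transition function of A1: s1 = v so far and no r yet, s2 = v so far
    and r seen, s3 = v violated. ASSUMPTION: s3 is a trap state."""
    if state == "s3" or "v" not in a:
        return "s3"
    return "s2" if (state == "s2" or "r" in a) else "s1"


F1 = {"s2"}                 # accepting states of A1
F2 = {"s1", "s3"}           # accepting states of A2: the complement of F1


def buchi_accepts(nxt, q0, accepting, word):
    """Run a deterministic Buchi automaton on prefix.loop^omega. The run is eventually
    periodic, so the states seen between two visits of the same boundary state are
    exactly those visited infinitely often; accept iff one of them is in F."""
    prefix, loop = word
    q = q0
    for a in prefix:
        q = nxt(q, frozenset(a))
    boundary, visited = {}, []
    while q not in boundary:
        boundary[q] = len(visited)
        for a in loop:
            q = nxt(q, frozenset(a))
            visited.append(q)
    return bool(set(visited[boundary[q]:]) & accepting)


GV_AND_FR = ("and", G(("ap", "v")), F(("ap", "r")))
```

Because A1 is deterministic and complete, swapping F1 for its complement F2 really does complement the accepted language, and for every lasso word `holds(GV_AND_FR, w)` agrees with `buchi_accepts(a1_next, "s1", F1, w)`.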

12.4.2 Petri nets into Promela

The SPIN model checker [81] (Simple Promela INterpreter) provides an efficient verification tool for a wide range of distributed, concurrent software systems. SPIN was developed to detect design errors in system models by analyzing the logical consistency of the system. SPIN verifies the correctness of a system according to Linear Temporal Logic (LTL) formulae that express the requirements against the system.

A system model is described in the form of a transition system (TS) in SPIN using the verification language Process or Protocol MEta LAnguage, shortly Promela. The concurrency of a system is described by processes that communicate via message channels. The communication can be either synchronous or asynchronous through the channels and global state variables. Since the whole state space has to be traversed by the model checker in the worst case, each component (state variables, channels) of Promela has to be finite.

The states of a transition system are defined by the variables and the channel contents, while transitions are defined within processes. A process may contain local variables and a set of transitions that are composed of a guard section and an update section. The guard of a transition is related to the preconditions of a TS transition, while the update section defines the change in the variables and the channels, i.e. the effect of the transition.

The use of the SPIN model checker in the simulation and verification of Petri nets is not a novel idea: there are two ways in the literature to encode the behaviour of Petri nets into a Promela model.

• The transformation of Petri nets into Promela code in [67] is based on the semantics of Petri net transitions. This approach transforms each PN transition into one Promela process, while places are mapped to channels. Then the enabledness check of a PN transition refers to the content of the channel, and the effect of the PN transition firing, i.e. the change of the token number in a place, is modeled by the update of the channel content.

• In [71] 1–bounded Petri nets are transformed into Promela models. In this approach one process is defined for the Petri net itself and a Boolean variable is defined for each place to denote whether there is a token in the corresponding place or not. Then one transition of the TS is assigned to each PN transition where (i) the enabledness condition of the PN transition is the guard of the TS transition, i.e. each Boolean variable assigned to a place in the pre–set of the transition has to be true, and (ii) the firing of this TS transition results in the update of the Boolean variables according to the effect of the original PN transition, i.e.

– the Boolean variables representing places in the pre–set of the transition are set to false,

– the Boolean variables representing places in the post–set of the transition are set to true,

– the Boolean variables representing places both in the pre– and the post–set of the transition are set to true, and

– the Boolean variables representing places that are neither in the pre–set nor in the post–set of the transition are not changed.

I use the second approach in my thesis as follows.

• Nonnegative integer place (transition) state variables are declared that store the actual token numbers at the individual places (the current number of firings of the corresponding transition); these variables constitute the state of the system.

• The firing rules of the Petri net are encoded into behaviorally equivalent transitions of the corresponding transition system (TS) in Promela, such that whenever a Petri net transition is enabled, the guard of the corresponding transition in the TS evaluates to true, thus the transition can be fired (and vice versa). The effects of firing a transition are encoded as state variable updates. These updates describe the token change at the individual places and the change in the number of transition occurrences.

The main disadvantage of Promela is that the model has to be finite, i.e. each variable has to have a finite range and the number of processes has to be bounded, in order to result in a finite state space that has to be traversed by the model checker. However, the boundedness of the underlying Petri net is not assured in many cases. This problem is resolved by estimating an upper bound for the token numbers in the places in the optimal trajectory problem.
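The encoding described in the two bullets above, as an added example that is not the thesis's own transformation code: a Python generator that emits a Promela model with one integer counter per place, one firing counter per transition (the Parikh vector of whatever trajectory SPIN finds) and one `do` branch per transition whose guard is the enabledness condition and whose atomic body is the marking update. The bound on token counts is the finite-range estimate the paragraph refers to; here it is simply a parameter, checked by an `assert` after each firing so that SPIN reports a violated estimate instead of silently wrapping the counter. The `ltl` claim states that the target partial marking is never reached, so a counterexample trail is a trajectory reaching it. The net in the usage example and the variable-naming scheme are constructed for the illustration.

```python
def petri_to_promela(places, transitions, pre, post, m0, target, bound=255):
    """Emit a Promela model of a P/T net (integer-counter variant of the second
    encoding above). pre/post: transition -> {place: arc weight}; m0: initial marking;
    target: partial marking. ASSUMPTION: token counts never exceed `bound`."""
    ty = "byte" if bound <= 255 else "int"
    out = [f"/* generated from a Petri net; token counts assumed <= {bound} */"]
    for p in places:
        out.append(f"{ty} {p} = {m0.get(p, 0)};")
    for t in transitions:
        out.append(f"{ty} fired_{t} = 0;")      # Parikh vector of the trajectory found
    out.append("active proctype net() {")
    out.append("end: do")                      # 'end' label: a dead marking is a valid end state
    for t in transitions:
        # guard = enabledness condition: every pre-set place holds at least the arc weight
        guard = " && ".join(f"({p} >= {k})" for p, k in sorted(pre[t].items())) or "true"
        # update = effect of firing: consume from pre-set, produce into post-set
        body = [f"{p} = {p} - {k}" for p, k in sorted(pre[t].items())]
        body += [f"{p} = {p} + {k}" for p, k in sorted(post[t].items())]
        body += [f"assert({p} <= {bound})" for p in sorted(post[t])]
        body.append(f"fired_{t}++")
        out.append(f"  :: atomic {{ {guard} -> {'; '.join(body)} }}")
    out.append("od")
    out.append("}")
    reached = " && ".join(f"({p} >= {k})" for p, k in sorted(target.items()))
    # never-claim style property: a counterexample trail is a trajectory to `target`
    out.append(f"ltl not_reached {{ [] !({reached}) }}")
    return "\n".join(out)


if __name__ == "__main__":
    # constructed net: t0 is a source producing into p1, t1 moves a token p1 -> p2
    print(petri_to_promela(
        ["p1", "p2"], ["t0", "t1"],
        {"t0": {}, "t1": {"p1": 1}}, {"t0": {"p1": 1}, "t1": {"p2": 1}},
        {"p1": 1}, {"p2": 1}, bound=3))
```

The generated file is verified with `spin -a model.pml` followed by compiling and running the generated `pan` verifier; because the source transition `t0` is unbounded, the bound estimate of 3 is exactly what the `assert` will flag if the search explores beyond it, which is the practical check on the upper-bound estimate the paragraph relies on.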

12.5 Linear Programming Problems

The standard form of a linear programming (LP) problem is given as a maximization problem in the literature [129]. However, minimization problems can easily be transformed into maximization form by multiplying the system inequalities by −1. Since the cost–optimal trajectory problem is about minimization, the standard form is given hereafter as a minimization problem.

• linear objective function: $\min \sum_{1 \le j \le m} c_j x_j$,

• linear constraints: subject to $\sum_{1 \le j \le m} a_{1j} x_j \ge b_1, \; \dots, \; \sum_{1 \le j \le m} a_{nj} x_j \ge b_n$,

• where $a_{ij} \in \mathbb{R}$, $b_i \in \mathbb{R}$, $c_j \in \mathbb{R}$ are the parameters, and $0 \le x_j \in \mathbb{R}$ are the variables, $\forall i, j \in \mathbb{N} : 1 \le i \le n, 1 \le j \le m$.

Then the standard matrix form can be formulated shortly as

$$\min\ c^T \cdot x \quad \text{subject to} \quad A \cdot x \ge b$$

where $A \in \mathbb{R}^{n \times m}$, $b \in \mathbb{R}^n$, and $c \in \mathbb{R}^m$ are parameters, and $0 \le x \in \mathbb{R}^m$ are the variables.

Then x is called the vector of variables, c is the vector of cost parameters assigned to the variables, and the elements of matrix A are the parameters of the constraints.

In the case of the cost–optimal trajectory problem the task is to minimize the overall cost of firing transitions. Let x denote the Parikh vector of the underlying trajectory, c the vector of the costs of the transitions, matrix W the incidence matrix, M0 the initial marking and Mpartial the partial marking to be reached. Then the Parikh vector x of an optimal trajectory has to satisfy the following LP problem (where the variables are the elements of the Parikh vector, i.e. of x):

$$\min\ c^T \cdot x \quad \text{subject to} \quad W \cdot x \ge b = M_{partial} - M_0, \qquad c^T \cdot x \le costLimit$$

where $W \in \mathbb{R}^{|P| \times |T|}$, $0 \le x \in \mathbb{N}^{|T|}$, $M_0, M_{partial} \in \mathbb{N}^{|P|}$, $c \in \mathbb{R}^{|T|}$.

Since the transitions in a Petri net may fire an integer number of times, the variables are bound to be integers. This kind of linear programming problem is called an integer linear programming problem, shortly ILP problem.

ILP problems and the Branch and Bound Method. A well–known method to solve ILP problems is the so–called Branch and Bound (shortly B&B) method [129]. The idea of the B&B algorithm is to apply branching and bounding steps repeatedly to the initial problem in order to separate a problem into subproblems and bound these subproblems to get an optimal solution.


Bounding and relaxation. The solution of integer problems is much more time consuming than the solution of continuous problems. The idea of relaxation is to use the methods for continuous problems to bound the objective value of the integer problem. Usually this method is the so–called simplex method that was introduced by Dantzig in 1963 to solve LP problems. Although an LP problem can be solved in polynomial time (in the size of the input problem), ILP problems are NP-hard [86].

A lower bound for the problem minimum is derived by the solution of the LP problem that is the same as theILP problem except that the variables are relaxed to continuous ones. On the one hand, if there is no solutionfor the relaxed LP problem there is also no solution for the integer problem. On the other hand, the objectivevalue of an optimal solution of the relaxed problem is a lower bound (in case of minimization) for all optimalinteger solution since all optimal integer solution is involved in the solution space of the relaxed problem. Inother words, integer solutions with lower objective value cannot be found. This way the search space is restrictedby the approximation for the objective value of the optimal solution.
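The ILP above and the bounding idea, as an added Python example that is not part of the thesis: a depth-first branch and bound over the firing counts of a constructed three-place, four-transition net. In place of the LP relaxation the bound is an admissible combinatorial estimate (the cost of the already fixed counts plus, for the place with the largest unmet demand, that demand times the cheapest cost per produced token among the undecided transitions), so the pruning rule bound < U is the one the text describes while the example needs no LP solver. The incidence matrix W, the costs and the markings are constructed for illustration; U starts at costLimit + 1 as in Algorithm 7.

```python
"""Branch and bound for the cost-optimal trajectory ILP
    min c^T x   s.t.   W x >= M_partial - M_0,   c^T x <= costLimit,   x in N^|T|.
Added example on a constructed net; the bound below is an admissible combinatorial
estimate standing in for the LP relaxation used in the thesis."""
from typing import List, Optional, Tuple

# Constructed Petri net (assumption, not the thesis's storage example).
# W[p][t] = post(t, p) - pre(t, p); 3 places, 4 transitions.
W: List[List[int]] = [
    [-1, -1,  0,  0],   # p0: consumed by t0 and t1
    [ 1,  0, -1,  0],   # p1: produced by t0, consumed by t2
    [ 0,  1,  1,  1],   # p2: produced by t1, t2 and t3
]
COST = [2, 5, 1, 4]        # c: cost of one firing of t0..t3 (positive integers)
M0 = [2, 0, 0]             # initial marking
M_PARTIAL = [0, 0, 2]      # partial target marking: at least two tokens in p2


def lower_bound(fixed: List[int], b: List[int]) -> Optional[float]:
    """Cost of the fixed prefix plus an estimate for the undecided transitions.

    For a place p with unmet demand d > 0, every completion must fire undecided
    transitions producing p often enough to add d tokens, which costs at least
    d * min_t COST[t] / W[p][t] over those producers. Taking the maximum over
    places (not the sum: one firing may serve several places) keeps the bound
    admissible. Returns None if some demand cannot be met by any undecided transition."""
    k = len(fixed)
    cost = sum(COST[t] * fixed[t] for t in range(k))
    extra = 0.0
    for p, row in enumerate(W):
        deficit = b[p] - sum(row[t] * fixed[t] for t in range(k))
        if deficit <= 0:
            continue
        unit_costs = [COST[t] / row[t] for t in range(k, len(COST)) if row[t] > 0]
        if not unit_costs:
            return None
        extra = max(extra, deficit * min(unit_costs))
    return cost + extra


def branch_and_bound(cost_limit: int) -> Tuple[Optional[int], Optional[List[int]]]:
    """Depth-first B&B: branch on the firing count of one transition at a time and
    prune a subtree as soon as its lower bound reaches the current best U.
    U starts at costLimit + 1, so every solution found satisfies c^T x <= costLimit.
    Returns (optimal cost, Parikh vector) or (None, None) if no trajectory fits the limit."""
    n_places, n_trans = len(W), len(COST)
    b = [M_PARTIAL[p] - M0[p] for p in range(n_places)]
    best: List = [cost_limit + 1, None]      # [U, currentbest]

    def feasible(x: List[int]) -> bool:
        return all(sum(W[p][t] * x[t] for t in range(n_trans)) >= b[p]
                   for p in range(n_places))

    def rec(fixed: List[int]) -> None:
        bound = lower_bound(fixed, b)
        if bound is None or bound >= best[0]:
            return                                         # pruned
        if len(fixed) == n_trans:
            if feasible(fixed):                            # leaf: a candidate Parikh vector
                best[0] = sum(COST[t] * fixed[t] for t in range(n_trans))
                best[1] = list(fixed)
            return
        t = len(fixed)
        spent = sum(COST[s] * fixed[s] for s in range(t))
        for k in range((best[0] - 1 - spent) // COST[t] + 1):   # counts still within budget
            rec(fixed + [k])

    rec([])
    return (best[0], best[1]) if best[1] is not None else (None, None)
```

With costLimit = 10 the search returns cost 6 for x = (2, 0, 2, 0): t0 fires twice to move both tokens from p0 to p1 and t2 twice to move them on to p2, cheaper than the direct t1 or t3. With costLimit = 5 the same search reports that no trajectory exists, because U starts at 6 and every leaf is pruned.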

Mixed Integer Linear programming problem A mixed integer linear programming problem (shortly MILPproblem) is a linear programming problem where only a subset of the variables are restricted to be integer whilethe others are allowed to bound also to non–integer values. Such a problem can be solved also by the B&Bmethod where the process is branched only along those variables that has to be integer.

12.5.1 MILP Formulation of PNS

$$\min \sum_{op \in Op} \big( y_{op}\, fc(op) + pc(op)\, x_{op} \big) + \sum_{rm \in Raw} c(rm) \sum_{op \in \varphi^{+}(rm)} a(rm, op)\, x_{op}$$

subject to

$$\sum_{op \in \varphi^{-}(mat)} a(op, mat)\, x_{op} - \sum_{op \in \varphi^{+}(mat)} a(mat, op)\, x_{op} \ge 0 \qquad \forall mat \in Mat$$

$$\sum_{op \in \varphi^{+}(rm)} a(rm, op)\, x_{op} \le U(rm) \qquad \forall rm \in Raw$$

$$y_{op} \le K\, x_{op} \qquad \forall op \in Op$$

$$x_{op} \le K\, y_{op} \qquad \forall op \in Op$$

$$\sum_{op \in \varphi^{-}(prod)} a(op, prod)\, x_{op} - \sum_{op \in \varphi^{+}(prod)} a(prod, op)\, x_{op} \ge L(prod) \qquad \forall prod \in Prod$$

where $y \in \mathbb{N}^{|Op|}$ and $x \in \mathbb{R}^{|Op|}$ are the variables ($y_{op}$ indicates whether operating unit $op$ is included, $x_{op}$ is its rate), $fc(op)$ and $pc(op)$ are the fixed and the proportional cost of $op$, $c(rm)$ is the unit cost and $U(rm)$ the available amount of raw material $rm$, $L(prod)$ is the required amount of product $prod$, $a(\cdot, \cdot)$ are the flow rates on the arcs, $\varphi^{-}(m)$ and $\varphi^{+}(m)$ are the operating units producing and consuming material $m$, and $K \in \mathbb{N}$ is a number big enough.

12.6 Algorithms


Algorithm 1 Maximal Structure Generation Algorithm
Input: Mat, Prod, Raw, Op: sets of materials, products, raw materials and operating units;
Input: Prod ⊆ Mat, Raw ⊆ Mat, Op ⊆ P(Mat) × P(Mat), Op ∩ Mat = ∅, Prod ∩ Raw = ∅
Output: maximal structure (m, o) of the synthesis problem (Prod, Raw, Op)

1: begin
2: {reduction part of the algorithm}
3: Op := Op \ φ−(Raw);
4: {operating units producing raw materials are excluded (A2)}
5: Mat := Ψ(Op);
6: {r is the current set of materials consumed by some operating unit in Op that are neither raw materials nor produced by any operating unit in Op}
7: r := Ψ−(Op) \ (Ψ+(Op) ∪ Raw);
8: {the elements of r can never be supplied, so they and the operating units consuming them have to be eliminated from the structure}
9: while r ≠ ∅ do
10:   let x ∈ r;
11:   Mat := Mat \ {x};
12:   o := φ+({x});
13:   Op := Op \ o;
14:   r := (r ∪ (Ψ+(o) \ Ψ+(Op))) \ {x};
15:   {outputs of the removed operating units that have lost their last producer join r}
16: end while
17: if Prod ⊄ Mat then
18:   {if not all products are involved in the structure then there is no maximal structure (A1)}
19:   stop
20: end if
21: {composition part of the algorithm}
22: {starting from the products the maximal structure is constructed such that it satisfies the five axioms}
23: p := Prod; m := ∅; o := ∅;
24: while p ≠ ∅ do
25:   {p is the set of materials still to be produced during the construction}
26:   {m and o are the sets of materials and operating units, respectively, from which there exists a path to a product}
27:   let x ∈ p;
28:   m := m ∪ {x};
29:   o_x := φ−({x});
30:   o := o ∪ o_x;
31:   p := (p ∪ Ψ−(o_x)) \ (Raw ∪ m);
32:   {update the set of materials that have to be produced by some operating unit}
33: end while
34: m := Ψ(o);
35: {the maximal structure is (m, o)}
36: end
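Algorithm 1 carried out on a small constructed synthesis problem, as an added Python example that is not part of the thesis. The P-graph below is an assumption (it is not Example 7 or Fig. 3.1); it is chosen so that each reduction step fires once: one operating unit consumes a material nobody produces, one produces a raw material (axiom A2) and one leads to a material from which no product is reachable. φ−, φ+, Ψ− and Ψ+ are implemented as the small lookups named in the comments.

```python
"""Maximal Structure Generation (Algorithm 1) on a constructed PNS problem.
Added example; the P-graph below is an assumption, not Example 7 or Fig. 3.1."""
from typing import Dict, FrozenSet, Optional, Set, Tuple

Unit = Tuple[FrozenSet[str], FrozenSet[str]]      # (input materials alpha, output materials beta)


def unit(inputs: str, outputs: str) -> Unit:
    return frozenset(inputs.split()), frozenset(outputs.split())


# Constructed synthesis problem: product F, raw materials A and B.
OPS: Dict[str, Unit] = {
    "u1": unit("A", "C"),
    "u2": unit("B", "D"),
    "u3": unit("C D", "F"),
    "u4": unit("G", "F"),      # G is produced by nobody: u4 can never operate
    "u5": unit("C", "H"),      # H leads to no product: u5 has no path to F
    "u6": unit("F", "A"),      # produces a raw material: excluded by axiom (A2)
}


def maximal_structure(prod: Set[str], raw: Set[str], ops: Dict[str, Unit]
                      ) -> Optional[Tuple[FrozenSet[str], FrozenSet[str]]]:
    """Returns the maximal structure (materials, operating units),
    or None when some product cannot be produced (axiom A1 violated)."""
    ops = dict(ops)                                                           # work on a copy of Op
    producers = lambda m: {o for o, (_, beta) in ops.items() if m in beta}    # phi^-(m)
    consumers = lambda m: {o for o, (alpha, _) in ops.items() if m in alpha}  # phi^+(m)
    inputs = lambda names: set().union(*(ops[o][0] for o in names))           # Psi^-(names)
    outputs = lambda names: set().union(*(ops[o][1] for o in names))          # Psi^+(names)

    # Reduction part.
    for o in [o for o, (_, beta) in ops.items() if beta & raw]:
        del ops[o]                                         # (A2): raw materials are not produced
    mat = inputs(ops) | outputs(ops)                       # Mat := Psi(Op)
    r = inputs(ops) - outputs(ops) - raw                   # consumed, but neither raw nor produced
    while r:
        x = r.pop()
        mat.discard(x)
        gone = consumers(x)                                # units consuming x can never operate
        gone_out = outputs(gone)
        for o in gone:
            del ops[o]
        r |= (gone_out - outputs(ops)) - raw               # outputs that lost their last producer
    if not prod <= mat:
        return None                                        # (A1): some product is unreachable

    # Composition part: walk backwards from the products.
    p, m, o = set(prod), set(), set()
    while p:
        x = p.pop()
        m.add(x)
        o_x = producers(x)
        o |= o_x
        p = (p | inputs(o_x)) - raw - m
    return frozenset(inputs(o) | outputs(o)), frozenset(o)
```

For the constructed problem the reduction removes u6 (A2) and then u4 (its input G is never produced), and the composition never reaches u5, so the maximal structure consists of u1, u2, u3 and the materials A, B, C, D, F. Asking additionally for a product X that no operating unit produces yields None.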


Algorithm 2 Solution Structure Generation Algorithm
Input: maximal structure μ(Prod, Raw, Op) together with its P-graph (Mat, Op); the sets of materials, products, raw materials and operating units with Prod ⊆ Mat, Raw ⊆ Mat, Op ⊆ P(Mat) × P(Mat), Op ∩ Mat = ∅, Prod ∩ Raw = ∅; δ[m] is a decision mapping on Mat
Output: set solStructures of all solution structures (m′, o′) of the synthesis problem (Prod, Raw, Op)

1: begin
2: if Prod = ∅ then
3:   stop; {there is no product to be produced}
4: else
5:   solStructures := ∅;
6:   SSG(Prod, ∅, ∅);
7: end if
8: end

9: procedure SSG(to_be_produced, prod_mats, δ[prod_mats]):
10: begin
11: if to_be_produced = ∅ then
12:   {δ[prod_mats] defines a solution structure (m′, o′) = graph(δ[prod_mats])}
13:   solStructures := solStructures ∪ {(m′, o′)};
14: else
15:   let x ∈ to_be_produced;
16:   {select a material to be produced}
17:   C := P(φ−(x)) \ {∅};
18:   {all non-empty subsets of the operating units producing x}
19:   for ∀producer ∈ C do
20:     {producer is a subset of the operating units producing x}
21:     if ∀y ∈ prod_mats : producer ∩ (φ−(y) \ δ(y)) = ∅ ∧ (φ−(x) \ producer) ∩ δ(y) = ∅ then
22:       {the extension of δ with (x, producer) remains consistent: no operating unit is included for x but excluded for an already decided y, or vice versa}
23:       SSG((to_be_produced ∪ ⋃{α | (α, β) ∈ producer}) \ (Raw ∪ prod_mats ∪ {x}), prod_mats ∪ {x}, δ[prod_mats] ∪ {(x, producer)});
24:       {the input materials of the selected operating units still have to be produced}
25:     end if
26:   end for
27: end if
28: end
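Algorithm 2 on a constructed maximal structure, as an added Python example that is not part of the thesis. The P-graph is an assumption chosen so that the consistency test of step 21 matters: operating unit u4 produces both C and F, so the decisions for C and F must agree on it. Each solution structure is returned as its set of operating units, i.e. the units of graph(δ).

```python
"""Solution Structure Generation (Algorithm 2) on a constructed maximal structure.
Added example; the P-graph is an assumption, not the thesis's Example 7."""
from itertools import combinations
from typing import Dict, FrozenSet, Iterator, Set, Tuple

Unit = Tuple[FrozenSet[str], FrozenSet[str]]                   # (inputs, outputs)


def unit(inputs: str, outputs: str) -> Unit:
    return frozenset(inputs.split()), frozenset(outputs.split())


# Constructed maximal structure: product F, raw materials A and B.
OPS: Dict[str, Unit] = {
    "u1": unit("A", "C"),
    "u2": unit("B", "C"),          # alternative producer of C
    "u3": unit("C", "F"),
    "u4": unit("B", "C F"),        # produces both C and F: decisions on C and F must agree
}
PROD, RAW = {"F"}, {"A", "B"}


def nonempty_subsets(units: Set[str]) -> Iterator[FrozenSet[str]]:
    """P(phi^-(x)) without the empty set, in a fixed order."""
    names = sorted(units)
    for k in range(1, len(names) + 1):
        for combo in combinations(names, k):
            yield frozenset(combo)


def solution_structures(prod: Set[str], raw: Set[str], ops: Dict[str, Unit]) -> Set[FrozenSet[str]]:
    """All solution structures, each given by its set of operating units graph(delta)."""
    producers = lambda m: {o for o, (_, beta) in ops.items() if m in beta}     # phi^-(m)
    inputs = lambda names: set().union(*(ops[o][0] for o in names))            # Psi^-(names)
    sols: Set[FrozenSet[str]] = set()

    def ssg(to_be_produced: FrozenSet[str], prod_mats: FrozenSet[str],
            delta: Dict[str, FrozenSet[str]]) -> None:
        if not to_be_produced:
            sols.add(frozenset().union(*delta.values()))     # graph(delta[prod_mats])
            return
        x = min(to_be_produced)                               # select a material to be produced
        cands = producers(x)
        for producer in nonempty_subsets(cands):
            # Consistency with every earlier decision (y, delta(y)): a unit producing
            # both x and y must be either included for both or excluded for both.
            consistent = all(
                not (producer & (producers(y) - delta[y]))
                and not ((cands - producer) & delta[y])
                for y in prod_mats)
            if consistent:
                ssg((to_be_produced | inputs(producer)) - raw - prod_mats - {x},
                    prod_mats | {x},
                    {**delta, x: producer})

    if prod:
        ssg(frozenset(prod), frozenset(), {})
    return sols
```

The constructed structure has eight solution structures. {u4} alone is one of them (it produces F directly from the raw material B), whereas {u1, u4} is not: with F produced by u4 alone, C is never required, so u1 would have no path to a product.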


Algorithm 3 Accelerated Branch and Bound Algorithm
Input: sets Mat, Prod, Raw, Op, where (Mat, Op) is the maximal structure of the original problem; Prod ⊆ Mat, Raw ⊆ Mat, Op ⊆ P(Mat) × P(Mat), Op ∩ Mat = ∅, Prod ∩ Raw = ∅; δ[m] is a decision mapping on Mat; procedure BOUND(O_T, O_F), O_T, O_F ⊆ Op, computes a lower bound for the subproblem in which the operating units in O_T are included in and those in O_F are excluded from the solution; δ̄[m] is the maximal neutral extension of δ[m]; currentbest is the current best solution
Output: optimal rate vector r ∈ R^|Op|

1: begin
2: U := ∞;
3: {the objective value of the current best solution is an upper bound for any other solution}
4: currentbest := (∞, …, ∞);
5: {the current best solution}
6: prod_mats := ∅;
7: to_be_produced := (Ψ−(δ̄[prod_mats]) ∪ Prod) \ (prod_mats ∪ Raw);
8: {materials that have to be present in each solution structure, i.e. in the neutral extension of the empty decision mapping, except the materials already produced and the raw materials}
9: if to_be_produced = ∅ then
10:   {there is no material to be produced, i.e. a solution structure is found}
11:   (U, r) := BOUND(Op, ∅);
12: else
13:   {the initial problem is analyzed}
14:   r := ABBD(to_be_produced, prod_mats, δ[prod_mats]);
15: end if
16: if U < ∞ then
17:   {the current upper bound is finite: an optimal solution is found}
18:   r is the optimal rate vector
19: else
20:   there is no solution;
21: end if
22: end


Algorithm 4 ABB – continued
1: procedure ABBD(to_be_produced, prod_mats, δ[prod_mats]):
2: begin
3: let x ∈ to_be_produced;
4: {select material x to be produced}
5: C := P(φ−(x)) \ {∅};
6: for ∀producer ∈ C do
7:   if ∀y ∈ prod_mats : producer ∩ (φ−(y) \ δ(y)) = ∅ ∧ (φ−(x) \ producer) ∩ δ(y) = ∅ then
8:     {if the decision mapping extended by (x, producer) remains consistent then (x, producer) is added to the decision mapping}
9:     prod_mats′ := prod_mats ∪ {x};
10:    δ[prod_mats′] := δ[prod_mats] ∪ {(x, producer)};
11:    if S(δ[prod_mats′]) ≠ ∅ then
12:      {if the new decision mapping can still be extended to a solution structure then an optimal one is searched for}
13:      to_be_produced′ := (Ψ−(δ̄[prod_mats′]) ∪ Prod) \ (prod_mats′ ∪ Raw);
14:      {the to_be_produced set is updated with the materials that are involved in the structure according to the new decision mapping and still have to be produced}
15:      Op_T := ⋃_{m_j ∈ prod_mats′} δ(m_j);
16:      {the operating units included by the current decision mapping}
17:      Op_F := ⋃_{m_j ∈ prod_mats′} δ*(m_j), where δ*(m_j) = φ−(m_j) \ δ(m_j);
18:      {the operating units excluded by the current decision mapping}
19:      (bound, r) := BOUND(Op_T, Op_F);
20:      {a candidate solution is computed for the new MILP problem}
21:      if bound < U then
22:        {this branch may lead to a solution with a better value, i.e. it is not pruned}
23:        if to_be_produced′ = ∅ then
24:          {a solution structure is found}
25:          U := bound;
26:          {a new upper bound is found}
27:          currentbest := r;
28:          {a better solution is found}
29:        else
30:          {there are still materials to be produced}
31:          r := ABBD(to_be_produced′, prod_mats′, δ[prod_mats′]);
32:          {the current problem is separated into subproblems according to the current decision mapping}
33:        end if
34:      end if
35:    end if
36:  end if
37: end for
38: return currentbest
39: end


12.7 Petri Net Properties and Analysis Techniques in PNS Problems

Due to the similar graphical structure of Petri nets and P-graphs, the T-invariants of a Petri net can be interpreted as production plans of PNS problems, and the reduction rules for Petri nets can also be used in PNS problems.

12.7.1 T–invariants

A |T |–dimensional vector x ∈ Z|T | is a T–invariant if W · x = 0. A T–invariant refers to a trajectory in the Petrinet that does not change the state of the net.

As in case of workflow nets [122] a new operating unit can be added to the P-graph such that

• it is the input operating unit of each raw material,

• it is the output operating unit of each product, such that

• the flow from a product to the new operating unit is equal to the desired amount of the product, while

• the flow from the new operating unit to a raw material is equal to the available amount of the raw material.

If there exists a (possibly non-integer) solution x of the equation W · x = 0, i.e. a (possibly non-integer) T-invariant in the Petri net with the above structure, then there exists a corresponding production plan in the PNS problem such that (i) all available raw materials are consumed, (ii) all the required products are produced in exactly the required amounts and (iii) no byproducts are left in the network.

The existence of such T-invariants can prove the soundness of a process in the modeling of business processes. If the raw materials represent the input entities to be processed and a byproduct is a document produced during the process, then a non-empty T-invariant represents an execution of the process in which the processing of an entity always terminates without generating any unnecessary document (a byproduct). (For more information about workflow soundness in the field of Petri nets see [122].)

12.8 Examples

Solution structure examples

Example 28 The PNS problem described in Example 7 has 6 solution structures depicted in Fig. 12.5.

Example 29 Now let us examine which structural solutions are generated by the modified algorithm for our running storage example in Example 14. Since both storages R4A and R4B have to be produced, both representing places have to be included in the structure. There are altogether 128 structurally valid solutions. Some of them differ from each other only in the inclusion of the initialization transitions. Disregarding the last three initialization transitions, there are 29 different structurally valid solutions, listed below as characteristic vectors over the transitions (reco_ut_R4A, reco_ut_R4B, test_R4A, test_R4B, reco_R4A, reco_R4B):

s1 = (0, 0, 1, 1, 0, 0)
s2 = (1, 0, 1, 1, 0, 0)
s3 = (0, 1, 1, 1, 0, 0)
s4 = (1, 1, 1, 1, 0, 0)
s5 = (0, 0, 1, 0, 1, 0)
s6 = (0, 1, 1, 0, 1, 0)
s7 = (1, 1, 1, 0, 1, 0)
s8 = (0, 0, 1, 1, 1, 0)
s9 = (1, 0, 1, 1, 1, 0)
s10 = (0, 1, 1, 1, 1, 0)


Algorithm 5 Maximal Structure Generation algorithm for the OT problem
Input: OT_init = ⟨⟨PN_init, c_init⟩, M_init, costLimit⟩, where M_init is the partial target marking and P_init the set of initially marked places
Output: P_max, T_max

1: begin
2: {reduction part of the algorithm}
3: T_max := T ∪ T_init;
4: {all transitions defined in the Petri net}
5: P_max := •T_max ∪ T_max•;
6: {set of places connected to the transitions in T_max}
7: r := •T_max \ (P_init ∪ T_max•);
8: {set of places that are neither initially marked nor output places of any transition, i.e. that can never be marked}
9: while r ≠ ∅ do
10:   let x ∈ r;
11:   P_max := P_max \ {x};
12:   T_max := T_max \ x•;
13:   {since x can never be marked, the transitions in x• can never be enabled, therefore they are excluded}
14:   r := (r ∪ ((x•• \ T_max•) \ P_init)) \ {x};
15:   {output places of the removed transitions that have lost their last producer join r}
16: end while
17: if {p ∈ P : 0 < M_init(p)} ⊄ P_max then
18:   stop;
19:   {if some places that have to be marked in the target marking are excluded from the structure then there is no valid maximal structure}
20: end if
21: {composition part of the algorithm: the maximal structure is constructed starting from the places that have to be marked in the target marking, since they have to be present in the maximal structure}
22: to_be_reached := {p ∈ P : 0 < M_init(p)};
23: {set of places that have to be reached}
24: reached := ∅;
25: {set of places already in the current structure, i.e. from which there exists a path to the target places}
26: producer := ∅;
27: {current set of transitions that may put tokens into the places in reached, i.e. from which there exists a path to some target place}
28: while to_be_reached ≠ ∅ do
29:   {while there are places still to be reached, select one of them}
30:   let x ∈ to_be_reached;
31:   reached := reached ∪ {x}; new_tr := •x ∩ T_max;
32:   {input transitions of place x that can put tokens into x}
33:   producer := producer ∪ new_tr;
34:   to_be_reached := (to_be_reached ∪ •new_tr) \ (P_init ∪ reached);
35:   {update the set of places from which a path to the target places exists}
36: end while
37: T_max := producer; P_max := •T_max ∪ T_max•;
38: end


Algorithm 6 Structurally valid solution generation algorithm for the OT problem
Input: the maximal OT problem OT_max = ⟨⟨PN_max, c_max⟩, M_max, costLimit⟩ of the OT problem OT_init = ⟨⟨PN_init, c_init⟩, M_init, costLimit⟩
Output: solSet = {T_sol | T_sol ⊆ T}, such that each T_sol represents a structurally valid solution

1: begin
2: P_to_be_reached := {p ∈ P : M_init(p) > 0};
3: {places that have to be reached, initially the places marked in the partial target marking}
4: P_sol := ∅;
5: {set of places in the structurally valid solution}
6: T_sol := ∅;
7: {set of transitions in the structurally valid solution}
8: solSet := ∅;
9: SSG_PN(P_to_be_reached, P_sol, T_sol);
10: end

11: procedure SSG_PN(P_to_be_reached, P_sol, T_sol)
12: begin
13: if P_to_be_reached = ∅ then
14:   solSet := solSet ∪ {T_sol};
15:   {the Petri net spanned by T_sol is a solution Petri net}
16:   return
17: end if
18: let p ∈ P_to_be_reached;
19: {the next place to be reached}
20: T_set := P(•p) \ {∅};
21: {non-empty sets of input transitions of p, i.e. of transitions that can put tokens into p}
22: for ∀S ∈ T_set : •p ∩ T_sol ⊆ S do
23:   {input transitions of p that are already selected have to stay selected}
24:   if (S \ T_sol) ∩ •P_sol = ∅ then
25:     {S is a consistent transition set: no newly selected transition is an input transition of a place whose producers have already been decided}
26:     P_sol′ := P_sol ∪ {p};
27:     {place p is added to the current structure}
28:     T_sol′ := T_sol ∪ S;
29:     {transitions in S are added to the current structure}
30:     P_to_be_reached′ := ((P_to_be_reached ∪ •S) \ P_sol′) \ P_init;
31:     {the input places of the transitions in S have to be reached, unless they are already in the structure or initially marked}
32:     SSG_PN(P_to_be_reached′, P_sol′, T_sol′);
33:   end if
34:   {an inconsistent S yields no solution structure and is skipped}
35: end for
36: end


Algorithm 7 Accelerated Branch and Bound Algorithm for the OT problem
Input: the maximal OT problem OT_max = ⟨⟨PN_max, c_max⟩, M_max, costLimit⟩ of the OT problem OT_init = ⟨⟨PN_init, c_init⟩, M_init, costLimit⟩ and its ILP problem ILP_0 = (obj, const) containing the objective function and the inequality constraints; U is a global variable that stores the current best objective value; currentbest is a global variable holding the current best Parikh vector
Output: a structurally valid optimal Parikh vector σ of the ILP problem

1: begin
2: U := costLimit + 1;
3: currentbest := (∞, …, ∞);
4: currentproblem := ILP_0 = (obj, const);
5: To_reach := {p ∈ P : M_init(p) > 0};
6: Places := ∅;
7: Trans := ∅;
8: if To_reach = ∅ then
9:   stop;
10:  {there is no optimization problem}
11: else
12:   currentbest := ABB(ILP_0, To_reach, Trans, Places);
13: end if
14: if U ≤ costLimit then
15:   σ := currentbest is an optimal solution
16: else
17:   there is no solution;
18: end if
19: end


Algorithm 8 Procedure ABB
1: procedure ABB(ILP, To_reach, Trans, Places):
2: begin
3: relILP = (obj_ILP, σ_ILP);
4: {solve the LP relaxation of ILP; obj_ILP is its objective value and σ_ILP its (possibly non-integer) solution}
5: if obj_ILP < U then
6:   if To_reach ≠ ∅ then
7:     let p ∈ To_reach;
8:     T_set := P(•p) \ {∅};
9:     for ∀S ∈ T_set : •p ∩ Trans ⊆ S do
10:      if (S \ Trans) ∩ •Places = ∅ then
11:        Places′ := Places ∪ {p};
12:        To_reach′ := ((To_reach ∪ •S) \ Places′) \ P_init;
13:        Trans′ := Trans ∪ S;
14:        const′ := const ∪ {1 ≤ σ(t) | ∀t ∈ S} ∪ {σ(t) = 0 | ∀t ∈ •p \ S};
15:        ILP′ := (obj, const′);
16:        if (∀t ∈ S : 1 ≤ σ_ILP(t)) ∧ (∀t ∈ •p \ S : σ_ILP(t) = 0) then
17:          {the relaxed solution of ILP already satisfies the new constraints, thus no LP calculation is needed and the next place from To_reach′ is processed}
18:          currentbest := ABB_process_next(ILP′, obj_ILP, σ_ILP, To_reach′, Trans′, Places′);
19:        else
20:          currentbest := ABB(ILP′, To_reach′, Trans′, Places′);
21:        end if
22:      end if
23:    end for
24:  else
25:    {a structurally valid solution is reached}
26:    if σ_ILP ∈ N^|T_max| then
27:      {a new integer solution is found}
28:      U := obj_ILP;
29:      currentbest := σ_ILP;
30:    else
31:      {the solution is not integer: branch on a fractional component}
32:      let t ∈ T_max : σ_ILP(t) ∉ N;
33:      const′ := const ∪ {σ(t) ≤ ⌊σ_ILP(t)⌋};
34:      ILP′ := (obj, const′);
35:      ABB_int(ILP′);
36:      const′′ := const ∪ {⌈σ_ILP(t)⌉ ≤ σ(t)};
37:      ILP′′ := (obj, const′′);
38:      ABB_int(ILP′′);
39:    end if
40:  end if
41: else
42:  {this branch is pruned because it cannot lead to a better solution}
43: end if
44: return currentbest
45: end


Algorithm 9 Procedure ABB_process_next
1: procedure ABB_process_next(ILP, obj_ILP, σ_ILP, To_reach, Trans, Places):
2: begin
3: {identical to ABB except that the relaxed solution (obj_ILP, σ_ILP) of the previous problem is reused instead of solving the LP relaxation of ILP again}
4: if obj_ILP < U then
5:   if To_reach ≠ ∅ then
6:     let p ∈ To_reach;
7:     T_set := P(•p) \ {∅};
8:     for ∀S ∈ T_set : •p ∩ Trans ⊆ S do
9:       if (S \ Trans) ∩ •Places = ∅ then
10:        Places′ := Places ∪ {p};
11:        To_reach′ := ((To_reach ∪ •S) \ Places′) \ P_init;
12:        Trans′ := Trans ∪ S;
13:        const′ := const ∪ {1 ≤ σ(t) | ∀t ∈ S} ∪ {σ(t) = 0 | ∀t ∈ •p \ S};
14:        ILP′ := (obj, const′);
15:        if (∀t ∈ S : 1 ≤ σ_ILP(t)) ∧ (∀t ∈ •p \ S : σ_ILP(t) = 0) then
16:          {the reused solution also satisfies the new constraints, thus no LP calculation is needed and the next place from To_reach′ is processed}
17:          currentbest := ABB_process_next(ILP′, obj_ILP, σ_ILP, To_reach′, Trans′, Places′);
18:        else
19:          currentbest := ABB(ILP′, To_reach′, Trans′, Places′);
20:        end if
21:      end if
22:    end for
23:  else
24:    {a structurally valid solution is reached}
25:    if σ_ILP ∈ N^|T_max| then
26:      {a new integer solution is found}
27:      U := obj_ILP;
28:      currentbest := σ_ILP;
29:    else
30:      {the solution is not integer: branch on a fractional component}
31:      let t ∈ T_max : σ_ILP(t) ∉ N;
32:      const′ := const ∪ {σ(t) ≤ ⌊σ_ILP(t)⌋};
33:      ILP′ := (obj, const′);
34:      ABB_int(ILP′);
35:      const′′ := const ∪ {⌈σ_ILP(t)⌉ ≤ σ(t)};
36:      ILP′′ := (obj, const′′);
37:      ABB_int(ILP′′);
38:    end if
39:  end if
40: else
41:  {this branch is pruned because it cannot lead to a better solution}
42: end if
43: return currentbest
44: end


Algorithm 10 Procedure ABB_int
1: procedure ABB_int(ILP):
2: begin
3: let relILP = (obj_ILP, σ_ILP) be the solution of the LP relaxation of the current ILP problem;
4: if obj_ILP < U then
5:   if σ_ILP is integer then
6:     U := obj_ILP;
7:     currentbest := σ_ILP;
8:   else
9:     let t ∈ T_max : σ_ILP(t) ∉ N;
10:    const′ := const ∪ {σ(t) ≤ ⌊σ_ILP(t)⌋};
11:    ILP′ := (obj, const′);
12:    ABB_int(ILP′);
13:    const′′ := const ∪ {⌈σ_ILP(t)⌉ ≤ σ(t)};
14:    ILP′′ := (obj, const′′);
15:    ABB_int(ILP′′);
16:  end if
17: end if
18: end

Algorithm 11 Reachability function generation
1: Let a safe Petri net PN = ⟨P, T, w, M_0⟩ with n = |P| be given; the variables v_1, …, v_n encode the current marking and w_1, …, w_n the successor marking.
2: {Compute the ROBDD of the transition function g, where E_t is the enabledness condition of t and δ_t^i the i-th component of the marking reached by firing t:}

3: $g(v_1,\dots,v_n,w_1,\dots,w_n) = \bigvee_{t \in T} \Big[ \bigwedge_{i=1}^{n} \big( w_i \equiv \delta_t^{i}(v_1,\dots,v_n) \big) \wedge E_t(v_1,\dots,v_n) \Big]$

4: {Compute the ROBDD of the 0-th iteration of the reachability function:}

5: $f_0(v_1,\dots,v_n,w_1,\dots,w_n) = \bigwedge_{i=1}^{n} (v_i \equiv w_i)$

6: i ← 0
7: repeat
8:   {Compute the ROBDD of f_{i+1} from the ROBDDs of f_i and g; the auxiliary variables r_1, …, r_n stand for the intermediate marking:}

9:   $f_{i+1}(v_1,\dots,v_n,w_1,\dots,w_n) = f_i(v_1,\dots,v_n,w_1,\dots,w_n) \vee \big( f_i(v_1,\dots,v_n,r_1,\dots,r_n) \wedge g(r_1,\dots,r_n,w_1,\dots,w_n) \big)$

10:  {the reachability function f_i(M_0, M) evaluates to true if and only if M is reachable from M_0 by a firing sequence of length at most i}
11:  f_{i+1} ← ∃ r_1, …, r_n : f_{i+1}  {restrict f_{i+1} to the variables v_1, …, v_n, w_1, …, w_n}
12:  i ← i + 1
13: until f_i ≡ f_{i−1}


Figure 12.5: Solution structures of the example P-graph in Fig. 3.1


s11 = (1, 1, 1, 1, 1, 0)
s12 = (0, 0, 0, 1, 0, 1)
s13 = (1, 0, 0, 1, 0, 1)
s14 = (1, 1, 0, 1, 0, 1)
s15 = (0, 0, 0, 1, 1, 1)
s16 = (1, 0, 0, 1, 1, 1)
s17 = (1, 1, 0, 1, 1, 1)
s18 = (0, 0, 0, 0, 1, 1)
s19 = (0, 0, 1, 1, 0, 1)
s20 = (1, 0, 1, 1, 0, 1)
s21 = (0, 1, 1, 1, 0, 1)
s22 = (1, 1, 1, 1, 0, 1)
s23 = (0, 0, 1, 0, 1, 1)
s24 = (0, 1, 1, 0, 1, 1)
s25 = (1, 1, 1, 0, 1, 1)
s26 = (0, 0, 1, 1, 1, 1)
s27 = (1, 0, 1, 1, 1, 1)
s28 = (0, 1, 1, 1, 1, 1)
s29 = (1, 1, 1, 1, 1, 1).

Reachability function example

Example 30 In order to illustrate the reachability function, the safe Petri net shown in Fig. 12.6 is analyzed. In this net, transition t1 is enabled if there is a token in p1. Thus the enabledness of t1 can be expressed as E_t1 = p1 = (p1 ≡ 1). The firing of t1 removes the token from p1 and produces one token in place p3, while the markings of p2 and p4 do not change. Hence the transition function of t1 is δ_t1(p1, p2, p3, p4) = (0, p2, 1, p4).

Figure 12.6: An example Petri net

According to the above algorithm, in our running example the functions f_0, g and the reachability function f are the following. The 4-bit strings abbreviate the tuples (v_1, v_2, v_3, v_4) and (w_1, w_2, w_3, w_4); a literal 0 or 1 fixes the bit in that position, a variable copies it.

$f_0(v_1 v_2 v_3 v_4,\, w_1 w_2 w_3 w_4) = (w_1 w_2 w_3 w_4 \equiv v_1 v_2 v_3 v_4)$ (12.1)

$g(v_1 v_2 v_3 v_4,\, w_1 w_2 w_3 w_4) = \big[(w_1 w_2 w_3 w_4 \equiv 0\,v_2\,1\,v_4) \wedge (v_1 \equiv 1)\big]$ (12.2)
$\quad \vee \big[(w_1 w_2 w_3 w_4 \equiv v_1\,0\,v_3\,1) \wedge (v_2 \equiv 1)\big]$ (12.3)
$\quad \vee \big[(w_1 w_2 w_3 w_4 \equiv v_1\,0\,1\,1) \wedge (v_2 \equiv 1) \wedge (v_3 \equiv 1)\big]$ (12.4)

$f_1(v_1 v_2 v_3 v_4,\, w_1 w_2 w_3 w_4) =$ (12.5)
$\quad (w_1 w_2 w_3 w_4 \equiv v_1 v_2 v_3 v_4)$ (12.6)
$\quad \vee \big[(w_1 w_2 w_3 w_4 \equiv 0\,v_2\,1\,v_4) \wedge (v_1 \equiv 1)\big]$ (12.7)
$\quad \vee \big[(w_1 w_2 w_3 w_4 \equiv v_1\,0\,v_3\,1) \wedge (v_2 \equiv 1)\big]$ (12.8)
$\quad \vee \big[(w_1 w_2 w_3 w_4 \equiv v_1\,0\,1\,1) \wedge (v_2 \equiv 1) \wedge (v_3 \equiv 1)\big]$ (12.9)

$f_2(v_1 v_2 v_3 v_4,\, w_1 w_2 w_3 w_4) =$ (12.11)
$\quad (w_1 w_2 w_3 w_4 \equiv v_1 v_2 v_3 v_4)$ (12.12)
$\quad \vee \big[(w_1 w_2 w_3 w_4 \equiv 0\,v_2\,1\,v_4) \wedge (v_1 \equiv 1)\big]$ (12.13)
$\quad \vee \big[(w_1 w_2 w_3 w_4 \equiv v_1\,0\,v_3\,1) \wedge (v_2 \equiv 1)\big]$ (12.14)
$\quad \vee \big[(w_1 w_2 w_3 w_4 \equiv v_1\,0\,1\,1) \wedge (v_2 \equiv 1) \wedge (v_3 \equiv 1)\big]$ (12.15)
$\quad \vee \big[(w_1 w_2 w_3 w_4 \equiv 0\,0\,1\,1) \wedge (v_1 \equiv 1) \wedge (v_2 \equiv 1)\big]$ (12.16)
$\quad \vee \big[(w_1 w_2 w_3 w_4 \equiv 0\,0\,1\,1) \wedge (v_1 \equiv 1) \wedge (v_2 \equiv 1) \wedge (v_3 \equiv 1)\big]$ (12.17)

$f_3 = f_2 = f$ (12.18)

The disjuncts (12.16) and (12.17) are the two-step sequences (t1 t2 or t2 t1, and t1 t3); (12.17) is subsumed by (12.16), and the canonical ROBDD form merges them. Since t1 consumes p1 and t2 and t3 both consume p2 without any transition restoring these tokens, no firing sequence is longer than two, so the iteration reaches its fixpoint at f_2.

Example GT Step and GT Sequence

Example 31 (Example GT step and GT sequence.) Fig. 12.7 and Fig. 12.8 show an example GT step and GT sequence in the example GTS of Example 12 in Section 4.2.

Figure 12.7: A GT step from G0 to G1


Figure 12.8: A GT sequence from G0 to G3

Example for the Reduction Rules and the Reduction Algorithms

Example 32 Let a PNS problem with M = {m0, m1, m2, m3, m4, m5, m6, m7}, O = {o0, o1, o2, o3, o4, o5}, P = {m7}, R = {m1, m2}, all consumption and production rates equal to 1 and the fixed costs 3, 2, 4, 2, 3, 4 of the operating units o0, …, o5 (shown next to the operating units) be given (see Fig. 12.9 on the left).

The merging reduction algorithm in [79] delivers the PNS problem on the right: the operating units o0 and o3, and o4 and o5, are in the same equivalence class and are therefore merged into the operating units o0,3 and o4,5, respectively, such that (i) the cost of the new operating unit is the sum of the costs of the merged operating units, (ii) the input materials of the new operating unit are the input materials of the merged operating units, and (iii) the output materials of the new operating unit are the output materials of the merged operating units.

The advanced reduction algorithm delivers the optimal solution shown in Fig. 12.10 on the left. Operating unit o2 is deleted because it has the same input and output materials as o1 but a higher cost, so it can never be selected into the optimal solution. Since material m6 is needed for the production of product m7 and o4 is the only operating unit producing it, o4 has to be part of the optimal solution; as o4 also produces material m5, operating unit o3 is unnecessary for the optimal production. Therefore o3 is deleted together with operating unit o0, which cannot be in the structure if o3 is not present.

The reduction rules for PNS problems can be applied as follows. Materials m0 and m3 are merged into a new material m0,3 and the cost of the operating unit is updated to 5 according to the rule Fusion of serial materials. The rule Fusion of parallel operating units applies to o1 and o2, merging them into one operating unit with cost 2. Then the rule Fusion of serial materials applies again to materials m1, m4 and the new operating unit, resulting in the new material m1,4, and the costs of operating units o3 and o4 change to 7 and 5, respectively. After applying these rules we get the new PNS problem depicted on the right in Fig. 12.10.

The merging reduction can still be applied to the optimal solution delivered by the advanced reduction algorithm, which results in the PNS problem in Fig. 12.11 on the left. Likewise the advanced reduction can still be applied after the merging reduction algorithm, which results in the PNS problem in Fig. 12.11 on the right.

The optimal solution for all the reduced PNS problems consists of the operating units o1, o4, o5 with the optimal cost 9.

Figure 12.9: An example PNS problem and the reduced PNS problem after applying the merging reduction algorithm

12.9 Promela Code of the Optimal Trajectory Problem

In the following, the Promela encoding is discussed through the storage production example shown in Fig. 12.12. The state (marking) of the Petri net and the number of firings of the individual transitions are modeled in Promela by two sets of integer variables, Place and Transition. The value of a place variable is the number of tokens in the corresponding place, while the value of a transition variable counts the firings of the corresponding transition. The Promela declarations below correspond to Fig. 12.12.

The initial marking is defined by giving initial values to the variables: P_R4A_untested = 1, P_R4B_untested = 1, P_test_cell = 1. Variables without an explicit initial value are 0 at initialization. Note that no upper bounds are given here: the state space is assumed to stay within the range of the integer type. This assumption is justified by the pruning below, since every transition counter is cut off as soon as it exceeds its component of the candidate Parikh vector, which also bounds the token counts reachable during the search.

    #define Transition int
    #define Place int

    Place R4A_untested, R4B_untested, R4A, R4B, Test_cell,
          P_R4A_untested = 1, P_R4B_untested = 1, P_test_cell = 1;

    Transition Reco_ut_R4A, Reco_ut_R4B,
               Test_R4A, Test_R4B,
               Reco_R4A, Reco_R4B,
               T_R4A_untested, T_R4B_untested, T_test_cell;

Figure 12.10: The reduced PNS problem after applying the advanced reduction algorithm, and the reduced PNS problem after applying the reduction rules

The behaviour of the Petri net is described in Promela by the transitions of the corresponding transition system (TS). A transition of a TS is composed of a guard and a set of state variable updates. Fig. 12.13 shows the PN transition test_R4A and the corresponding Promela code.

Transition test_R4A is enabled if the number of tokens in each of its input places test_cell and R4A_untested is at least 1. The guard of the equivalent Promela transition expresses exactly this: it evaluates to true if the corresponding place variables are greater than or equal to 1.

If the transition is taken in the TS, the place variables are updated according to the effect of the firing: the token count of place R4A_untested is decreased by one and that of place R4A (the tested storage) is increased by one, while the token count of place test_cell does not change, as test_cell is both an input and an output place of the transition. In addition, the firing counter of the transition is incremented: Test_R4A = Test_R4A + 1.

As the firing of a transition in the Petri net is atomic, i.e. no other firing can interfere with it (e.g. by stealing some input tokens between the evaluation of the guard and the updates), the corresponding Promela transition also has to be atomic. The d_step and atomic constructs both ensure the atomicity of a Promela transition. The difference between the two is that a d_step sequence is executed as a single step and contributes a single system state to the current trace, while the statements within an atomic sequence appear as successive system states in the trace. Since the intermediate states inside a firing are not needed, the d_step construct is used in the translation of the Petri net into Promela.

Figure 12.11: The structures resulting from applying the reduction algorithms one after the other

The candidate Parikh vector σ_P13 = (2, 0, 8, 11, 0, 0, 1, 1, 1), which is stored to constrain the state space traversal, is given as a set of constants defined by C-style macros:

    #define sigma_reco_ut_R4A 2
    #define sigma_reco_ut_R4B 0
    #define sigma_test_R4A 8
    #define sigma_test_R4B 11
    #define sigma_reco_R4A 0
    #define sigma_reco_R4B 0
    #define sigma_t_R4A_untested 1
    #define sigma_t_R4B_untested 1
    #define sigma_t_test_cell 1

Since we search for a firing sequence corresponding to the Parikh vector of the optimal solution, the exploration of a trace is stopped as soon as at least one component of this Parikh vector is exceeded, i.e. the state space traversal is pruned in that direction. This criterion is defined by the macro HIGHER_SIGMA; || denotes the logical "or" operation. Each counter is compared with its own sigma constant (in particular T_test_cell with sigma_t_test_cell).

    #define HIGHER_SIGMA (Reco_ut_R4A > sigma_reco_ut_R4A || \
                          Reco_ut_R4B > sigma_reco_ut_R4B || \
                          Test_R4A > sigma_test_R4A || \
                          Test_R4B > sigma_test_R4B || \
                          Reco_R4A > sigma_reco_R4A || \
                          Reco_R4B > sigma_reco_R4B || \
                          T_R4A_untested > sigma_t_R4A_untested || \
                          T_R4B_untested > sigma_t_R4B_untested || \
                          T_test_cell > sigma_t_test_cell)


Figure 12.12: Storage production example

A trajectory for the candidate Parikh vector is found if the number of firings of each transition equals the corresponding component of the Parikh vector. This requirement is expressed by the macro REACHED, which is used as an atomic proposition in the LTL property (note the == comparison operator; a single = would be an assignment and is not a valid Promela expression).

    #define REACHED (Reco_ut_R4A == sigma_reco_ut_R4A && \
                     Reco_ut_R4B == sigma_reco_ut_R4B && \
                     Test_R4A == sigma_test_R4A && \
                     Test_R4B == sigma_test_R4B && \
                     Reco_R4A == sigma_reco_R4A && \
                     Reco_R4B == sigma_reco_R4B && \
                     T_R4A_untested == sigma_t_R4A_untested && \
                     T_R4B_untested == sigma_t_R4B_untested && \
                     T_test_cell == sigma_t_test_cell)

The LTL property G ¬REACHED (in SPIN syntax: []!REACHED) is violated if REACHED becomes true on some trace, i.e. exactly when the candidate Parikh vector has been fired; the SPIN model checker then delivers an optimal trajectory as the counterexample. If the property holds, no firing sequence realizes the candidate, which shows that satisfying the state equation alone was not sufficient and another candidate has to be considered.

The behaviour of the Petri net is modeled by the process proctype trajectory_generation(), which is instantiated in the init process. The process contains the transitions and the checks against the Parikh vector along the current trace, while the model checker's nondeterministic selection among the enabled transitions explores all possible interleavings. This way all possible traces are analyzed until a solution is found (if one exists).
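The same search written out in Python, as an added example that is not part of the thesis and does not use SPIN: a depth-first traversal over markings with one firing counter per transition, the HIGHER_SIGMA cut (a transition is never fired once its counter would exceed its sigma component) and the REACHED test (all counters equal the candidate). The net is constructed for illustration rather than the storage example of Fig. 12.12; it is chosen so that one candidate vector satisfies the state equation but has no realizing firing sequence, while a second candidate does.

```python
"""Search for a firing sequence realising a candidate Parikh vector, mirroring the
Promela model: transition counters, HIGHER_SIGMA pruning and the REACHED test.
Added example on a constructed net (not the storage example of Fig. 12.12)."""
from typing import Dict, List, Optional, Set, Tuple

PLACES = ["p0", "p1", "p2", "p3"]
TRANSITIONS = ["t1", "t2", "t3"]
# Constructed net: t1: p1 -> p2,  t2: p2 -> p1 + p3,  t3: p0 -> p3.
PRE: Dict[str, Dict[str, int]] = {"t1": {"p1": 1}, "t2": {"p2": 1}, "t3": {"p0": 1}}
POST: Dict[str, Dict[str, int]] = {"t1": {"p2": 1}, "t2": {"p1": 1, "p3": 1}, "t3": {"p3": 1}}
M0 = {"p0": 1, "p1": 0, "p2": 0, "p3": 0}


def state_equation_holds(sigma: Dict[str, int], target: Dict[str, int]) -> bool:
    """M_0 + W sigma >= M_partial componentwise: the necessary condition the ILP enforces."""
    for p in PLACES:
        change = sum((POST[t].get(p, 0) - PRE[t].get(p, 0)) * sigma[t] for t in TRANSITIONS)
        if M0[p] + change < target.get(p, 0):
            return False
    return True


def enabled(m: Dict[str, int], t: str) -> bool:
    """Guard of the Promela transition: every input place holds enough tokens."""
    return all(m[p] >= w for p, w in PRE[t].items())


def fire(m: Dict[str, int], t: str) -> Dict[str, int]:
    """Variable updates of the d_step: remove input tokens, add output tokens."""
    m2 = dict(m)
    for p, w in PRE[t].items():
        m2[p] -= w
    for p, w in POST[t].items():
        m2[p] += w
    return m2


def find_trajectory(sigma: Dict[str, int]) -> Optional[List[str]]:
    """Return a firing sequence whose firing counts equal sigma, or None if none exists."""
    counts = {t: 0 for t in TRANSITIONS}
    seen: Set[Tuple] = set()

    def dfs(m: Dict[str, int], trace: List[str]) -> Optional[List[str]]:
        if counts == sigma:                                  # REACHED
            return trace
        key = (tuple(m[p] for p in PLACES), tuple(counts[t] for t in TRANSITIONS))
        if key in seen:                                      # state already explored
            return None
        seen.add(key)
        for t in TRANSITIONS:
            if counts[t] + 1 > sigma[t] or not enabled(m, t):   # HIGHER_SIGMA cut / guard
                continue
            counts[t] += 1
            found = dfs(fire(m, t), trace + [t])
            counts[t] -= 1
            if found is not None:
                return found
        return None

    return dfs(dict(M0), [])
```

With the target "at least one token in p3", the candidate σ = (1, 1, 0) satisfies the state equation (t1 and t2 cancel out on p1 and p2 and add a token to p3), yet from M0 neither t1 nor t2 is ever enabled, so no trajectory exists; the candidate σ = (0, 0, 1) is realized by firing t3. Because every counter is bounded by its sigma component, the depth of the search is at most the sum of the components, which is the same guarantee the HIGHER_SIGMA cut gives the SPIN run.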


Figure 12.13: A PN transition and the corresponding Promela transition


List of own publications

Number of publications: 22Number of peer-reviewed publications: 13Approximate number of independent citations: 107

Book chapter and journal papers

[1] A. Pataricza, T. Bartha, G. Csertán, S. Gyapay, I. Majzik, and D. Varró, Formális módszerek az informatikában. Typotex, 2004. In Hungarian.

[2] S. Gyapay, D. Varró, and R. Heckel, “Graph transformation with time,” Fundam. Inform., vol. 58, no. 1, pp. 1–22, 2003.

[3] S. Gyapay, A. Schmidt, and D. Varró, “Joint optimization and reachability analysis in graph transformation systems with time,” Electronic Notes in Theoretical Computer Science, vol. 109, pp. 137–147, 2004.

[4] S. Gyapay and A. Pataricza, “Optimal trajectory generation for Petri nets,” Acta Cybernetica, vol. 17, pp. 225–245, January 2005.

[5] S. Varró-Gyapay and D. Varró, “Optimization in graph transformation systems using Petri net based techniques,” Electronic Communications of the EASST (ECEASST), vol. 2, 2006. Selected papers of Workshop on Petri Nets and Graph Transformations.

[6] S. Varró-Gyapay, “Optimization in graph transformation systems with time using Petri net based techniques,” Electronic Communications of the EASST, vol. 51, pp. 1–12, 2012.

Conferences and workshops

[7] S. Gyapay, “Operation research methods in Petri net–based models of IT systems,” in Mini–Symposium 2002, (Budapest University of Technology and Economics, Department of Measurement and Information Systems), pp. 38–39, IEEE Hungary Section (BUTE Student Branch), February 4–5 2002.

[8] S. Gyapay, “Operation research methods in Petri net–based analysis of IT systems,” in The Third Conference of PhD Students in Computer Science (T. Csendes, ed.), (Szeged, Hungary), p. 36, July 1–4 2002.

[9] S. Gyapay, A. Pataricza, J. Sziray, and F. Friedler, “Petri net-based optimization of production systems,” in 6th IEEE International Conference on Intelligent Engineering Systems (A. Lovrencic and I. J. Rudas, eds.), pp. 465–469, Organized and published by Faculty of Organization and Informatics, University of Zagreb, Croatia, May 26–28 2002.

[10] S. Gyapay, R. Heckel, and D. Varró, “Graph transformation with time: Causality and logical clocks,” in Proc. ICGT 2002: 1st International Conference on Graph Transformation (H.-J. Kreowski and P. Knirsch, eds.), LNCS, (Barcelona, Spain), pp. 120–134, Springer-Verlag, October 7–12 2002.

[11] S. Gyapay and R. Heckel, “Towards graph transformation with time,” in Proc. AGT 2002: Workshop on Applied Graph Transformation (H.-J. Kreowski and P. Knirsch, eds.), (Grenoble, France), pp. 131–140, 2002.

[12] S. Gyapay, “Process Network Synthesis-based analysis of Petri net models,” in Mini–Symposium 2003, (Budapest University of Technology and Economics, Department of Measurement and Information Systems), pp. 20–21, IEEE Hungary Section (BUTE Student Branch), February 4–5 2003.

[13] S. Gyapay and A. Pataricza, “A gradual filtering method for simultaneous verification and optimization of Petri nets,” in The John von Neumann PhD Conference, (Budapest University of Technology and Economics, Faculty of Electrical Engineering and Informatics), pp. 27–30, October 2 2003.

[14] S. Gyapay and A. Pataricza, “A combination of Petri nets and Process Network Synthesis,” in 2003 IEEE International Conference on Systems, Man & Cybernetics, Invited Sessions/Track on "Petri Nets and Discrete Event Systems", (Washington, D.C., USA), pp. 1167–1174, IEEE Press, October 5-8 2003.

[15] S. Gyapay and A. Pataricza, “Optimization methods for reachability analysis of Petri net models,” in Formal Methods for Railway Operation and Control Systems (Proceedings of Symposium FORMS-2003, Budapest, Hungary, May 15-16) (G. Tarnai and E. Schneider, eds.), pp. 53–60, L’Harmattan, Budapest, May 17–23 2003.

[16] S. Gyapay and A. Pataricza, “Eine Kombination von Petrinetzen und Optimierung,” in Wissenschaftlichen Mitteilungen der 15. Frühlingsakademie, Balatonfüred, Hungary, pp. 24–29, 2003.

[17] S. Gyapay, “Petri háló modellek folyamatszintézis–alapú analízise,” in Fiatal Műszakiak Tudományos Ülésszaka, (Cluj-Napoca, Romania), March 2003.

[18] S. Gyapay, “Solving the optimal trajectory problem using SPIN,” in Mini–Symposium 2004, (Budapest University of Technology and Economics, Department of Measurement and Information Systems), pp. 18–19, IEEE Hungary Section (BUTE Student Branch), February 2004.

[19] S. Varró-Gyapay, A. Pataricza, and Á. Nagy, “Optimization of production nets under temporal constraints,” in Veszprém Optimization Conference: Advanced Algorithms, (Veszprém, Hungary), December 13-15 2004.

[20] S. Gyapay, “Model–based optimization and verification of IT systems,” in Conference of PhD Students in Computer Science (T. Csendes, ed.), (Szeged, Hungary), p. 52, July 1–4 2004.

[21] H. Ehrig, K. Ehrig, J. de Lara, G. Taentzer, D. Varró, and S. Varró-Gyapay, “Termination criteria for model transformation,” in Proc. FASE 2005: International Conference on Fundamental Approaches to Software Engineering (M. Cerioli, ed.), vol. 3442 of LNCS, (Edinburgh, UK), pp. 49–63, Springer, April 2005.

[22] D. Varró, S. Varró-Gyapay, H. Ehrig, U. Prange, and G. Taentzer, “Termination analysis of model transformations by Petri nets,” in Proc. Third International Conference on Graph Transformation (ICGT 2006) (A. Corradini, H. Ehrig, U. Montanari, L. Ribeiro, and G. Rozenberg, eds.), vol. 4178 of LNCS, (Natal, Brazil), pp. 260–274, Springer, 2006.

Bibliography

[23] Petri nets tools database quick overview. http://www.informatik.uni-hamburg.de/TGI/PetriNets/tools/quick.html.

[24] PetriDotNet. https://inf.mit.bme.hu/research/tools/petridotnet.

[25] VIATRA2 Model Transformation Framework, an Eclipse project. http://www.eclipse.org/viatra2/.

[26] OMG Systems Modeling Language, 2007. http://www.omgsysml.org.

[27] Business Process Model and Notation, 2011. http://www.bpmn.org.

[28] A. Pataricza, O. Dobán, and Á. Szoke. Costs/benefits of using formal methods. In Proceedings of the International Conference on Dependable Systems and Networks, pages 104–105, 2004.

[29] P. A. Abdulla and R. Mayr. Minimal cost reachability/coverability in priced timed Petri nets. In FOSSACS, pages 348–363, 2009.

[30] P. A. Abdulla and R. Mayr. Petri nets with time and cost. In Infinity, pages 9–24, 2012.

[31] N. Aizenbud-Reshef, B. T. Nolan, and Y. S.-G. J. Rubin. Model traceability. IBM Systems Journal, 45:515–526, 2006.

[32] C. Baier and J.-P. Katoen. Principles of Model Checking (Representation and Mind Series). The MIT Press, 2008.

[33] P. Baldan and B. König. Approximating the behaviour of graph transformation systems. In A. Corradini, H. Ehrig, H.-J. Kreowski, and G. Rozenberg, editors, Proc. ICGT 2002: First International Conference on Graph Transformation, volume 2505 of LNCS, pages 14–29, Barcelona, Spain, October 7–12 2002. Springer.

[34] L. Baresi, R. Heckel, S. Thöne, and D. Varró. Style-based modeling and refinement of service-oriented architectures. Journal of Software and Systems Modelling, 5(2):187–207, 2006.

[35] G. Bergmann, Á. Hegedüs, Á. Horváth, I. Ráth, Z. Ujhelyi, and D. Varró. Implementing efficient model validation in EMF tools: Tool demonstration. In 26th IEEE/ACM International Conference on Automated Software Engineering (ASE 2011), Lawrence, Kansas, USA, November 2011. IEEE Computer Society.

[36] B. Bertók, K. Kalauz, Z. Süle, and F. Friedler. Combinatorial algorithm for synthesizing redundant structures to increase reliability of supply chains: Application to biodiesel supply. Industrial & Engineering Chemistry Research, 52(1):181–186, 2013.

[37] E. Best and H. Wimmel. Reducing k-safe Petri nets to pomset-equivalent 1-safe Petri nets. In ICATPN, pages 63–82, 2000.

[38] A. Bondavalli, M. D. Cin, D. Latella, I. Majzik, A. Pataricza, and G. Savoia. Dependability analysis in the early phases of UML-based system design. Comput. Syst. Sci. Eng., 16(5):265–275, 2001.

[39] E. Brinksma and A. Mader. Verification and optimization of a PLC control schedule. In SPIN Model Checking and Software Verification, volume 1885 of Lecture Notes in Computer Science, pages 73–92, Berlin, Germany, 2000. Springer.

[40] M. Bárány, B. Bertók, Z. Kovács, F. Friedler, and L. T. Fan. Solving vehicle assignment problems by Process Network Synthesis to minimize cost and environmental impact of transportation. Clean Technologies and Environmental Policy, 13(4):637–642, 2011.

[41] R. Bryant. Symbolic boolean manipulation with Ordered Binary Decision Diagrams. ACM Computing Surveys, 24(3):293–318, 1992.

[42] S. Bumble. Computer Simulated Plant Design for Waste Minimization/Pollution Prevention. Computer Modeling for Environmental Management. 2000.

[43] C. F. Camerer. Behavioral game theory: Experiments in strategic interaction. The Journal of Socio-Economics, 32(6):717–720, 2003.

[44] G. Chiola, C. Dutheillet, G. Franceschinis, and S. Haddad. On well-formed coloured nets and their symbolic reachability graph. In K. Jensen and G. Rozenberg, editors, High-level Petri nets, pages 373–396. 1991.

[45] A. Corradini and U. Montanari. Specification of concurrent systems: from Petri nets to graph grammars. Quality of Communication-Based Systems, pages 35–52, 1995.

[46] A. Corradini, U. Montanari, F. Rossi, H. Ehrig, R. Heckel, and M. Löwe. Algebraic Approaches to Graph Transformation — Part I: Basic Concepts and Double Pushout Approach. In [111], pages 163–245. World Scientific, 1997.

[47] R. David and H. Alla. On hybrid Petri nets. Discrete Event Dynamic Systems, 11(1-2):9–40, 2001.

[48] J. Denil, M. Jukss, C. Verbrugge, and H. Vangheluwe. Search-based model optimization using model transformations. Technical report, McGill University, Canada, 2014.

[49] J. Desel. Petrinetze, Lineare Algebra und lineare Programmierung, volume 26 of Teubner-Texte zur Informatik. B. G. Teubner Stuttgart-Leipzig, 1998.

[50] J. Desel and J. Esparza. Shortest paths in reachability graphs. In Application and Theory of Petri Nets, pages 224–241, 1993.

[51] J. Desel and J. Esparza. Free Choice Petri Nets. Cambridge tracts in theoretical computer science 40. Cambridge University Press, 1995.

[52] O. M. dos Santos, F. L. Dotti, and L. Ribeiro. Verifying object-based graph grammars. Electr. Notes Theor. Comput. Sci., 109:125–136, 2004.

[53] S. Edelkamp, S. Jabbar, and A. Lluch-Lafuente. Heuristic search for the analysis of graph transition systems. In Proc. Third International Conference on Graph Transformation, volume 4178 of LNCS, pages 414–429, Natal, Brazil, 2006. Springer.

[54] H. Ehrig, G. Engels, H.-J. Kreowski, and G. Rozenberg, editors. Handbook on Graph Grammars and Computing by Graph Transformation, volume 2: Applications, Languages and Tools. World Scientific, 1999.

[55] J. Esparza and S. Melzer. Model checking LTL using constraint programming. In Proceedings of Application and Theory of Petri Nets, pages 1–20, 1997.

[56] J. Esparza and C. Schröter. Unfolding based algorithms for the reachability problem. Fundamenta Informaticae, 46:1–17, 2001.

[57] A. Fehnker. Scheduling a steel plant with timed automata. In Sixth International Conference on Real-Time Computing Systems and Applications (RTCSA’99). IEEE Computer Society Press, 1999.

[58] F. Fleurey, B. Baudry, P.-A. Muller, and Y. L. Traon. Qualifying input test data for model transformations. Software and Systems Modeling, pages 185–203, 2009.

[59] M. Fowler and K. Scott. UML Distilled: Applying the Standard Object Modeling Language. Addison-Wesley, 1997.

[60] F. Friedler, L. T. Fan, and B. Imreh. Process Network Synthesis: Problem definition. Networks, 28(2):119–124, 1998.

[61] F. Friedler, K. Tarjan, Y. W. Huang, and L. Fan. Combinatorial algorithms for Process Synthesis. Computers & Chemical Engineering, 16:313–320, 1992.

[62] F. Friedler, K. Tarjan, Y. W. Huang, and L. Fan. Graph-theoretic approach to Process Synthesis: Axioms and theorems. Chemical Engineering Science, 47(8):1973–1988, 1992.

[63] F. Friedler, K. Tarjan, Y. W. Huang, and L. Fan. Graph-theoretic approach to Process Synthesis: Polynomial algorithms for maximal structure generation. Computers & Chemical Engineering, 17(9):929–942, 1993.

[64] F. Friedler, J. B. Varga, and L. T. Fan. Decision-mapping: A tool for consistent and complete decisions in Process Synthesis. Computers & Chemical Engineering, 50(11):1755–1768, 1995.

[65] F. Friedler, J. B. Varga, E. Feher, and L. T. Fan. Combinatorially accelerated Branch-and-Bound method for solving MIP model of Process Network Synthesis, nonconvex optimization and its applications. State of the Art in Global Optimization, Computational Methods and Applications, pages 609–626, 1996.

[66] I. Galvão, E. Zambon, A. Rensink, L. Wevers, and M. Aksit. Knowledge-based graph exploration analysis. In A. Schürr, D. Varró, and G. Varró, editors, Applications of Graph Transformations with Industrial Relevance - 4th International Symposium, AGTIVE 2011, Budapest, Hungary, October 4-7, 2011, Revised Selected and Invited Papers, volume 7233 of Lecture Notes in Computer Science, pages 105–120. Springer, 2011.

[67] G. C. Gannod and S. Gupta. An automated tool for analyzing Petri nets using Spin. In Proc. 16th IEEE International Conference on Automated Software Engineering, pages 404–407, San Diego, California, USA, November 26–29 2001.

[68] J. C. Garcia-Ojeda, B. Bertók, and F. Friedler. Planning evacuation routes with the P-graph framework. Chemical Engineering Transactions, 29:1531–1536, 2012.

[69] R. Gerth, D. Peled, M. Y. Vardi, and P. Wolper. Simple on-the-fly automatic verification of linear temporal logic. In Protocol Specification, Testing and Verification XV, Proceedings of the Fifteenth IFIP WG6.1 International Symposium on Protocol Specification, Testing and Verification, Warsaw, Poland, June 1995, pages 3–18, 1995.

[70] C. Ghezzi, D. Mandrioli, S. Morasca, and M. Pezzè. A unified high-level Petri net formalism for time-critical systems. IEEE Transactions on Software Engineering, 17(2):160–172, February 1991.

[71] B. Grahlmann and C. Pohl. Profiting from SPIN in PEP. In SPIN’98 Workshop, 1998.

[72] T. Gu, P. A. Bahri, and G. Cai. Timed Petri-net based formulation and an algorithm for the optimal scheduling of batch plants. International Journal of Applied Mathematics and Computer Science, 13(4):527–536, 2003.

[73] S. Gyapay, Á. Schmidt, and D. Varró. Joint optimization and reachability analysis in graph transformation systems with time. Electr. Notes Theor. Comput. Sci., 109:137–147, 2004.

[74] Á. Hajdu, A. Vörös, T. Bartha, and Z. Mártonka. Extensions to the CEGAR approach on Petri nets. In The 13th Symposium on Programming Languages and Software Tools (SPLST’13), pages 274–288, 2013.

[75] I. Hatono, K. Yamagata, and H. Tamura. Modeling and online scheduling of flexible manufacturing systems using stochastic Petri nets. IEEE Trans. Softw. Eng., 17(2):126–132, 1991.

[76] Á. Hegedüs, Á. Horváth, I. Ráth, and D. Varró. A model-driven framework for guided design space exploration. In 26th IEEE/ACM International Conference on Automated Software Engineering (ASE 2011), pages 173–182, 2011.

[77] C. Heinzemann, J. Suck, and T. Eckardt. Reachability analysis on timed graph transformation systems. ECEASST, 32, 2010.

[78] C. Holló. Reliability considerations for Process Network Synthesis problems. Central European Journal of Operations Research, 2013.

[79] C. Holló, Z. Blázsik, C. Imreh, and Z. Kovács. On a merging reduction of the Process Network Synthesis Problem. Acta Cybernetica, 14:251–261, 1999.

[80] C. Holló, B. Imreh, and C. Imreh. Reduction techniques for the PNS problems: A novel technique and a review. Optimization and Engineering, 10(3):351–361, 2009.

[81] G. J. Holzmann. The model checker SPIN. IEEE Transactions on Software Engineering, 23(5):279–295, 1997.

[82] G. Horton, V. G. Kulkarni, D. M. Nicol, and K. S. Trivedi. Fluid stochastic Petri nets: Theory, applications and solution techniques. European Journal of Operational Research, pages 184–201, 1998.

[83] Á. Horváth and D. Varró. CSP(M): Constraint Satisfaction Problem over Models. In A. Schürr and B. Selic, editors, Model Driven Engineering Languages and Systems, volume 5795 of Lecture Notes in Computer Science, pages 107–121. Springer Berlin Heidelberg, 2009.

[84] B. Imreh. Automaton theory approach for solving modified PNS problems. Acta Cybernetica, 15(3):327–338, 2002.

[85] K. Jensen. Coloured Petri nets: A high level language for system design and analysis. In Applications and Theory of Petri Nets, pages 342–416, 1989.

[86] T. Jordán, A. Recski, and D. Szeszlér. Rendszeroptimalizálás. Typotex, 2004.

[87] N. Karmarkar. A new polynomial-time algorithm for linear programming. In Proceedings of the Sixteenth Annual ACM Symposium on Theory of Computing, STOC ’84, pages 302–311, New York, NY, USA, 1984. ACM.

[88] V. Khomenko and M. Koutny. Verification of bounded Petri nets using integer programming. Technical Report CS-TR-711, Department of Computing Science, University of Newcastle upon Tyne, 2000.

[89] H. G. Knehler. Transformation von Graph-Grammatiken in Petri-Netze. TU Berlin, FB Informatik, Bericht Nr. 88-02, September 1987. NewsletterInfo: 30.

[90] B. König and V. Kozioura. Counterexample-guided abstraction refinement for the analysis of graph transformation systems. In TACAS, pages 197–211, 2006.

[91] H.-J. Kreowski. A comparison between Petri-nets and graph grammars. In Proceedings of the International Workshop on Graph Theoretic Concepts in Computer Science, WG ’80, pages 306–317, London, UK, 1981. Springer-Verlag.

[92] L. Li and C. N. Hadjicostis. Least-cost transition firing sequence estimation in labeled Petri nets with unobservable transitions. IEEE T. Automation Science and Engineering, 8(2):394–403, 2011.

[93] E. W. Mayr. An algorithm for the general Petri net reachability problem. In Proceedings of the Thirteenth Annual ACM Symposium on Theory of Computing, STOC ’81, pages 238–246, New York, NY, USA, 1981. ACM.

[94] S. Melzer and S. Römer. Deadlock checking using net unfoldings. In CAV ’97: Proceedings of the 9th International Conference on Computer Aided Verification, pages 352–363. Springer-Verlag, 1997.

[95] S. P. Miller. Certification issues in model based development. Technical report, Advanced Technology Center, Rockwell Collins, 2006.

[96] S. P. Miller. Proving the shalls: Requirements, proofs, and model-based development. In 14th IEEE Int. Requirements Engineering Conference (RE’06), page 266, 2006.

[97] T. Murata. Petri nets: Properties, analysis and applications. In Proc. IEEE, volume 77, pages 541–580, 1989.

[98] D. Nau, M. Ghallab, and P. Traverso. Automated Planning: Theory & Practice. Morgan Kaufmann Publishers Inc., 2004.

[99] Object Management Group. UML Notation Guide Version 1.1, September 1997. http://www.rational.com/uml.

[100] E. Pastor and J. Cortadella. Efficient encoding schemes for the symbolic analysis of Petri nets. In Proc. Design, Automation and Test in Europe, pages 790–795. IEEE Computer Society Press, 1998.

[101] E. Pastor, J. Cortadella, and O. Roig. Symbolic analysis of bounded Petri nets. IEEE Transactions on Computers, 50(5):432–448, 2001.

[102] E. Pastor, O. Roig, J. Cortadella, and R. M. Badia. Petri Net Analysis Using Boolean Manipulation. In R. Valette, editor, Application and Theory of Petri Nets 1994, Proceedings 15th International Conference, Zaragoza, Spain, volume 815 of Lecture Notes in Computer Science, pages 416–435. Springer-Verlag, 1994.

[103] A. Pataricza, A. Balogh, and L. Gönczy. Verification and validation of nonfunctional aspects in enterprise modeling. Enterprise Modeling and Computing with UML, Idea Group, pages 261–303, 2006.

[104] A. Pataricza and P. Urbán. A combination of Petri nets and linear programming in design for dependability. Technical report, Budapest University of Technology and Economics, 1998.

[105] C. A. Petri. Kommunikation mit Automaten. PhD thesis, Darmstadt University of Technology, 1962.

[106] B. Polgár, S. Nováki, A. Pataricza, and F. Friedler. A Process-graph based formulation of the syndrome decoding problem. In IEEE DDECS, pages 267–272, 2001.

[107] L. Portinale. Exploiting T-invariant analysis in diagnostic reasoning on a Petri net model. In Application and Theory of Petri Nets, pages 339–356, 1993.

[108] C. Ramchandani. Analysis of asynchronous concurrent systems by timed Petri nets. Technical report, Cambridge, MA, USA, 1974.

[109] A. Rensink. The simulator: A tool for state space generation. In M. Nagl, J. Pfalz, and B. Böhlen, editors, Applications of Graph Transformations with Industrial Relevance (AGTIVE), volume 3063 of LNCS. Springer-Verlag, 2004.

[110] P. Richard. Optimal shortest path in reachability graph. In 7th IEEE Emerging Technologies and Factory Automation, pages 303–312, 1999.

[111] G. Rozenberg, editor. Handbook of Graph Grammars and Computing by Graph Transformations: Foundations. World Scientific, 1997.

[112] T. C. Ruys. Optimal scheduling using Branch-and-Bound with SPIN 4.0. In Proc. 10th International SPIN Workshop, volume 2648 of LNCS, pages 1–17, Portland, Oregon, USA, May 9–10 2003. Springer.

[113] Á. Schmidt and D. Varró. CheckVML: A tool for model checking visual modeling languages. In P. Stevens, J. Whittle, and G. Booch, editors, Proc. UML 2003: 6th International Conference on the Unified Modeling Language, volume 2863 of LNCS, pages 92–95, San Francisco, CA, USA, October 20-24 2003. Springer.

[114] M. Silva and L. Recalde. On fluidification of Petri nets: from discrete to hybrid and continuous models. Annual Reviews in Control, 28(2):253–266, 2004.

[115] M. Silva, E. Teruel, and J. M. Colom. Linear algebraic and linear programming techniques for the analysis of Place/Transition net systems. In W. Reisig and G. Rozenberg, editors, Lectures on Petri Nets I: Basic Models, volume 1791 of LNCS, pages 309–373. Springer, 1998.

[116] D. D. Sleator. Data structures and terminating Petri nets. In LATIN, pages 488–497, 1992.

[117] A. Srinivasan, T. Ham, S. Malik, and R. K. Brayton. Algorithms for discrete function manipulation. In ICCAD, pages 92–95, 1990.

[118] I. Stürmer, M. Conrad, H. Dörr, and P. Pepper. Systematic testing of model-based code generators. IEEE Trans. Software Eng., pages 622–634, 2007.

[119] A. Tarek and N. Lopez-Benitez. Optimal legal firing sequence of Petri nets using linear programming. Optimization and Engineering, 5(1):25–43, 2004.

[120] J. Tick. P-graph-based workflow modelling. Acta Polytechnica Hungarica, 4(1):75–88, 2007.

[121] A. Tovchigrechko. Model checking of bounded Petri nets using Interval Diagrams. Technical Report I-05/2004, Brandenburg University of Technology Cottbus, Department of Computer Science, November 2004.

[122] W. van der Aalst. Structural Characterizations of Sound Workflow Nets. Technical Report Computing Science Reports 96/23, Eindhoven University of Technology, 1996.

[123] L. Vance, H. Cabezas, I. Heckl, B. Bertók, and F. Friedler. Synthesis of sustainable energy supply chain by the P-graph framework. Industrial & Engineering Chemistry Research, 52(1):266–274, 2013.

[124] D. Varró. Design and analysis techniques for precise model transformations in model-driven development. DSc thesis, 2013.

[125] J. Wang. Timed Petri Nets, Theory and Application. Boston: Kluwer Academic Publishers, 1998.

[126] T. Watanabe, Y. Mizobata, and K. Onaga. Legal firing sequence and related problems of Petri nets. In PNPM, pages 277–286, 1989.

[127] T. Watanabe and M. Yamauchi. New priority-lists for scheduling in timed Petri nets. In M. Ajmone Marsan, editor, Application and Theory of Petri Nets 1993, volume 691 of Lecture Notes in Computer Science, pages 493–512. Springer Berlin Heidelberg, 1993.

[128] H. Wimmel and K. Wolf. Applying CEGAR to the Petri net state equation. In TACAS, pages 224–238, 2011.

[129] W. L. Winston. Operációkutatás, módszerek és alkalmazások, volume 1. Aula Kiadó, 2003.

[130] M. Wirsing, M. Hölzl, L. Acciai, F. Banti, A. Clark, A. Fantechi, S. Gilmore, S. Gnesi, L. Gönczy, N. Koch, et al. Sensoria patterns: Augmenting service engineering with formal analysis, transformation and dynamicity. In Leveraging Applications of Formal Methods, Verification and Validation, pages 170–190. Springer, 2009.

[131] A. Zimmermann, D. Rodríguez, and M. Silva. Modelling and optimization of manufacturing systems: Petri nets and simulated annealing. In Proceedings of the 1999 European Control Conference ECC99, Karlsruhe, Germany, August 1999.

[132] W. M. Zuberek and W. Kubiak. Timed Petri nets in modeling and analysis of simple schedules for manufacturing cells. Computers & Mathematics with Applications, 37(11-12):191–206, 1999.