Synthesizing a Global Net State from
Synchronized Local Pieces*
P. David Stottst
Department of Computer and
Information Sciences
University of Florida
Gainesville, FL 32611
J. Cyrano Ruizt
Department of Reliability Engineering
University of Maryland
College park, MD 20742
Abstract
A traditional problem with state space analysis for concurrent systems has been the expo-
nential explosion in the size of the state space relative to the size of the system. This explosion
not only consumes an exponential amount of time in generating a state space, but an exponen-
tial amount of storage space as well. In this report we show a technique that attacks both the
storage half and the time half of this problem. A synchronous net set is a collection of Petri
nets that together model a system of concurrent processes. Rather than combine the process
models into a large net for analysis, we keep the nets separate and allow special transitions to
synchronize their respective executions implicitly. Analysis is done by computing and storing
the state spaces for the individual nets, and then virtually combining the state spaces when a
system-wide state query is performed. This approach saves a large amount of storage space over
using a global net state space, and for certain conditions requires less time for querying the state
space. In addition, it promotes modular models, in that a change to one net model requires
recomputation of only the corresponding (relatively small) individual state space, rather than
recomputation of the entire system-wide state space.
Key words: Petri nets, modular representation, decomposition, state space compaction, reuse.
CR categories:
F.1.1 (Petri nets) D.2.4 (verification)
*This work is based upon work supported by the National Science Foundation under grant numbers IRI-9007746
and IRI-9015439.
tInternet electronic mail address: pds@cis.ufl.edu.
tInternet electronic mail address: ruiz@cs.umd.edu.
1 Background
The problem of state-space explosion in the analysis of concurrent systems is an old and still-
troublesome problem. Several advances have recently been made in alleviating some of this problem
in the context of Petri net system models. Specifically, Valmari has worked on an approach [9, 10]
that uses hueristics specific to the question being asked to pre-prune sections of a state space that
are likely to be unimportant in the context of the analyses. This approach reduces the space to be
generated and subsequently analyzed, but it also possibly removes from consideration states that
would need to be represented for other analysis questions. That is, the method builds reduced
spaces based on specific features of the questions to be answered. Other methods for dealing with
state explosion are similarly tailored to specific questions [2]. Still other methods [3, 4, 1] are
hierarchical in nature, that is, a place or a transition can be expanded into a more detailed net
-i 1I. I ii-e". State analyses can be performed at various I. I- of expansion or reduction, entailing
varying amounts of time and storage space, according to the level of detail required by the question
to be answered.
1.1 Summary of report
This report outlines a conservative approach to state-space compaction. To represent a global
system state space, the method requires far less storage than traditional approaches, and for certain
circumstances required less time to search as well. The result, however, is a full analysis structure
containing the information of the traditional coverability graph. Its structure is not otherwise
specific to any particular problem or conditions. Though the method works for any arbitrary
net model, its 'V.-.- -I savings are realized for a highly structured class of model. In essence, the
approach takes advantage of model structure to reduce the storage and time requirements that
traditional coverability analysis (ignoring the special structure) would require.
The basic approach is combinational. We implicitly construct a gl.l.1Il" system model as a
set of interacting "local" processes and model each process as a separate place/transition net. A
state space is computed for each local net, and the global space is inferred from the local spaces.
Unlike the Valmari approach, the conservative nature of this method means that any valid global
state will be represented in the local collection, but at the expense of storing some extraneous
local states that must be weeded out during a query on the state space. The method also differs
from compositional approaches in that it is not hierarchical, but rather is an intrinsic (as opposed
to explicit) component "attachment" method. Though we present the work in a flat, one-level
context, the method should work in ..,/.i,,. I'",, with hierarchical composition methods. It is not
a substitute for hierarchy.
2 Synchronous net sets
Before giving formal definitions, consider an informal explanation of the structures we are work-
ing with. A system consists of a set of Petri nets. Structurally the nets are disjoint, but be-
haviorally they are implicitly linked via certain distinguished i. I,.lonizing" transitions, termed
a-transitions, that are shared (through common naming) among nets in the set. Execution of the
global system proceeds by firing one transition at a time from among those collectively enabled in
the nets of the set, with the exception that an a-transition, when legally fired, causes synchronized
net 2
net 1
Figure 1: Set of two Petri nets sharing an a-transition.
simultaneous activity in two (or more) nets.
For example, consider the two nets shown in Figure 1. Each net contains the synchronizing
transition a. When interpreting these individual nets collectively as a global system, a actually
represents one event. This virtual global net, termed the synchronous combination of the set of
nets, is shown in Figure 2; a has been used to "hook together" the two nets as a synchronizing
event.1 The places and the normal transitions each net have remained distinct in the combination;
each has been renamed, with the superscript indicating its net of orgin.
Since global execution of a set proceeds by selecting an enabled transition in one of the nets
and firing it, a possible next state for Figure 1 is shown in Figure 3. Here, tl in net 1 has been
fired resulting in the token distribution as shown. Activity has been limited to net 1. A different
possible next state, though, is shown in Figure 4. Since the synchronizing transition a is enabled
in all the nets containing it (both of them), it may be fired to give the indicated token distribution.
Activity has taken place in both nets.
A slightly larger example is given in Figure 5. Here a set of three nets is shown, containing the
three synchronizing transitions a, ), and 7. The synchronous combination of these nets is shown
in Figure 6.
Any state that can be obtained in a combination net by normal Petri net execution can also
be obtained by executing the set of structurally disjoint nets with the distributed execution rule
as given. The main contribution of this paper is a method for inferring the state space of the
combination net from the individual state spaces for the individual nets in the set. The collection
of individual state spaces requires far less storage (average case) than the single state space for
the synchronous combination of the individual nets. We also show that inferring Jlnial state from
the individual collection often takes less time than searching the corresponding global space would
require.
Following are formal definitions of these concepts, using both a structural perspective and an
executional perspective. At times in the paper we use subscripted notation to denote the collection
of a-transitions appearing in a set of nets: Q = {oa, 02, C3, * ).g} At other times, we will find
1Note that the method described herein does not construct the synchronous combination net; it is shown simply
as an aid in understanding the execution behavior of a set of nets.
Figure 2: Synchronous combination of nets in Figure 1.
it more convenient to use lower case Greek letters, instead of subscripts, to refer to synchronizing
transitions: Q = {f, /, 7, 6, e,... }. The context for each use should prevent confusion.
2.1 A structural perspective
Let N1 =< S1, T1, F1 >, N2 =< S2, T2, F2 >, ... Nk =< Sk, Tk, Fk > be k Petri nets.
Suppose that for each of these Petri nets its set of transitions Ti contains 'normal transitions' and
a subset of Q of a-transitions. That is, for each i between 1 and k, Ti = { t,t2, ., t",} U Qi,
where each of the tj, is a non a-transition, and Q0 is a subset of Q. We refer to these Petri nets
N ... Nk as a-subnets, or a-nets.
Now we define the virtual global system of these a-subnets, termed their synchronous combi-
nation:
Definition 1 Let Ni =< S1, Ti, >, N2 =< S2, T2, F2 >, ... Nk =< Sk, Tk, Fk >
be k a-subnets. Their synchronous combination is NA =< 7, T, F > where:
1. p is the ,'-.;I',, union2 of the Si. If mi represents the cardinality of each Si, P is
given by:
p {2 2 k
PP 1, P2, ,PPo1,),)2, I P 1m, ,1"'i,'i I
2. T is the disjoint union of all non a-transitions plus the set Q of a-transitions. If
ni is the number of non a-transitions in each set Ti, we may write:
t .. t* I 2 t1. . n l t, . nk f f U Q
have in mind the mathematical definition of disjoint union, namely the coproduct of a family of sets in the
category of sets. This is normally defined as a set of pairs in which the first component is an element of the (usual)
union of the sets, and the second component is an index. In this context however, it seems more natural to utilize
subscripts and superscripts.
Figure 3: Next state, after firing tl in net 1 of Figure 1
3. The relation F is obtained by extending in a natural way the relations Fi to the
sets P and T. For instance, (pi, tj) E Fk implies that (pi, t ) E F (whenever tj is
not one of the a-transitions). Furthermore, for 1 < j
of aj E Q are given by:
*c = {pk I (ps, aj) E P4
cJ= {pk I (aj, pi) C P4
2.2 An executional perspective
An executional or dynamic interpretation of a synchronous combination of a-subnets can be had
by specifying the next-state function 6 of this virtual global net. By "state" we mean the common
interpretation: a vector of integers indicating the number of tokens in each net place at a given
point of execution. As in common automata notation, 6(p, t) produces a next state p' by firing
transition t in current state p.3 Note that it is convenient in our use of this notation to define (pu, t)
to be p unchanged when t is not enabled in p (or does not exist in the net). 6 is easily extendible
to operate on a string of transitions, known as a "firing sequence."
For each i between 1 and k, let 6i be the next-state transition function of the a-subnet Ni.
Let N be the synchronous combination of the k Petri nets Ni. The function 6 for N may be
defined in terms of the 5i. First, notice that a state in the synchronous combination, termed a
i1l,,,l state, may be treated as the concatenation of the individual states of the smaller a-nets. Let
p = p ... pj ... p, be an arbitrary global state of N, with 1 < j < n, and with each pu being a
marking for the corresponding a-net Ni. Let e refer generically to a transition which may be either
normal or an a-transition.
3We use the older 6(p,t) = p' notation rather than the often preferred p[t > p' found in Reisig [8]. The 6
functional format is more convenient and clear for manipulating the concatenations of states required by a set of nets,
as explained following.
Figure 4: Next state, after firing a in both nets of Figure 1
Definition 2 The next-state transition function 6 of AN is given by:
6(ti [t ) ... 6 .( j, ti) ... y" if e = ti
1' [ tl(i, aj) ... .(p/,, aj) if e = j E Q
Intuitively, the first case states that if a non a-transition is fired, then no synchronization among
subnets occurs. The effect may be understood by firing the corresponding transition in the a-subnet
to which it belonged originally, ignoring the others. The second case states that if an a-transition
is fired, then the global effect may be recovered by concatenating the states obtained by firing that
a-transition in each of the a-subnets. Remember that i((pi, aj) is defined to be pi if ca is not part
of Ni.
For a firing sequence w = ele2...e n, it is easy to define the extended function 6* recursively.
The base case is given by the previous definition, and the inductive one is:
6*([l ... Yj ... ele2 ...e n) = 6*(6([ ... uj ... n eCI) e2 ...e Cn)
3 Piecewise coverability analysis
The coverability tree4 of a Petri net plays a central role in the analysis of its execution. In this
section, we describe how to use the individual coverability trees of the nets in a set to answer global
coverability questions about the synchronous composition of the nets. The method does not require
computation of the coverability tree for the global net. It is important to note that in computing
the coverability tree of an individual a-net in a set, any a-transitions in it are treated in normal
execution fashion, and the synchronizing effects they have in conjunction with the other nets in
the set are ignored. This treatment of a-transitions means that each individual coverability tree
will most likely contain states that the corresponding a-net will never enter when the synchronous
4We use the expression "coverability tree" interchangably with "coverability graph." In the implementation
however, we construct trees to take advantage of their properties.
P3 t
p3 3
P2
net 1 net 2 net 3
Figure 5: Example net set with three a-transitions.
set is executed. When a global coverability query is performed, the global synchronizations are
reconstructed as needed and these extraneous states are ... 1.. out."
Let N1, ... ,Nk be a-nets with coverability trees T1, ... ,Tk, respectively. Let AN be the
synchronous combination of the a-nets with T being the global coverability tree for AN. Given an
arbitrary global state iu, one would like to know if p is covered by some state in T. We wish to
solve this problem based solely on the coverability trees T1, T2, ... Tk. The storage savings of
this approach, and other advantages, are discussed in section 5.
Recall that a global state can be treated as a concatenation of a local state from each of the
a-subnets. That is, if p is a state in T, then p = l/12 ... / k where pi is a state in Ti. A few
supporting definitions are needed before stating a global coverability theorem.
Definition 3 Let N, and Nj be two arbitrary a-nets with coverability trees Ti and Tj
respectively. We write Ti and Tj to denote their respective sets of transitions. As defined
in section 2.1, let
Ti= t {t, t,..., t, }UOi
where ni represents the number of normal transitions in N, and Q0 is a subset of 0,
containing all a-transitions physically present in Ni; nj and Qj have similar meanings.
We use lower case Greek letters to refer to a-transitions.
1. Given a global state ip = l/12 .. .lk, we write Fi to denote the set of all firing
sequences in Ti from its initial state to some state covering pi.
2. If r is an arbitrary firing sequence, and T is an arbitrary set of transitions, we
write (r)T to refer to the restriction of r to the set T. This restriction is obtained
by dropping the transitions appearing in r but not belonging to T. For instance,
suppose t refers to any non a-transition, then:
If T = {a,, ,7} and r = ttPtat then (r)T def a
F2 3
t1
2
2 P 2
ti
Figure 6: Synchronous combination of nets in Figure 5.
3. Let r and a be two firing sequences belonging to F, and Fj respectively. Let Qj
stand for Q n Qj. We define
S- a (mod Q) if and only if (-r)nj = ('a)~,
For example, suppose that Q0 = {a, B,7} and that Qj = {/,7}. Let r =
tatatttat37t be a firing sequence in T, and let sigma = PttttPtt'tttt be a firing
sequence in Tj. Let t stand for any non a-transition. Then (r)n, = (a)n,, = P7
and therefore r and a are, by definition, congruent to each other modulo Q.
Informally, if two firing sequences from two individual nets are congruent modulo Q, then the a-
transitions common to the two nets occur in the firing sequences with the same frequency and in
the same relative order. For example, let two nets share synchronizing transitions 3 and 7. How
could two firing sequences from these two nets be compatible if one has transition / firing before 7,
but the other has 7 before P? Synchronizing transitions are assumed to fire simultaneously in the
nets containing them. Similarly, two sequences are incompatible if one has two 7 firings, say, and
the other only has one 7 firing. Note also that congruence modulo Q is not transitive. For example,
consider Q = {oa,p/,7}, Q2 = {a,/3}, and Q3 = {f,7}; let T1 = aC3, T2 = a67 and T3 = a73.
Then T1 72, and T2 7T3, but it is not the case that T71 T3.
Theorem 1 Let N1, ... Nk be a-nets with coverability trees T1, ... Tk respectively.
Let AN be their synchronous combination with global coverability tree T. Let ip =
P1l12 ... k be an arbitrary global state. State p is coverable in T if and only if every
Fi contains some ri such that
VI, 1
where 1 < i < k. In other words, a collection of pairwise congruent modulo Q firing
sequences must be found, one from each Fi (remember that Fi is computed specifically
for pi).
PROOF: The theorem requires a bidirectional proof. The proof is in fact constructive
in the sense that we will be able to recover the firing sequences.
First suppose that p is coverable in T. We need to show the existence of pairwise con-
gruent firing sequences, each one covering its portion of p within its respective subnet.
This is almost immediate from definitions 2.1 and 2.2. Suppose we are trying to con-
struct k firing sequences (for the k a-subnets) given a global firing sequence ele2 ... e,
(where each ei is either an a-transition or a non a-transition). Let 71, T2,..., r k be the
k firing sequences to be constructed; initially they are all empty. We read through the
sequence of ei and consider for each two mutually exclusive and exhaustive cases (for
i = 1,..., k):
e = Ca for some j. Then concatenate aj to all the r, corresponding to a-subnets
physically containing aj.
ei = t. for some j and p. In that case, concatenate tj to Tp corresponding to the
firing sequence of the a-subnet N,.
It is clear that each firing sequence Ti covers its portion pi of the global state, and that
they are also pairwise congruent modulo Q.
Conversely, suppose we have the ri as specified in the theorem. To show that p is
coverable in T, it suffices to show that there is a feasible firing sequence covering p in
the synchronous combination.
First, given a firing sequence 7r, we need to distinguish among the possibly various
occurrences of a same a-transition within T,. We use a superscript or a subscript
depending on the notation to refer to instances of a-transitions within a firing sequence.
For example, using the lower case Greek letter notation, if ri = l3a3a, we will write
ir = l171l13202; using the a-subscript notation however, the firing sequence Ti =
0203010201 will be written as Tr = -oaa30ao00.
Secondly, we define a partial ordering on the occurrences of both the a-transitions and
the non a-transitions. In this definition, we are assuming a global state ,u = i112 ... k,
and FT is the set of firing sequences by means of which the individual net Np covers pp,
its portion of the global state (for p = 1,..., k).
k def f a 3 r E F, for some p, s.t. ac and a appear in r, and
a >c ac if and only if d n
u J Ia directly precedes a in r
For non a-transitions, we define their partial ordering similarly. Let t be a non a-
transition and e an arbitrary transition (either a or non a-transition). The superscript
j indicates that tj belongs to subnet Nj.
i def oEr E Fj, s.t. ti and e appear in r, and
t\ > e if and only if <
t i directly precedes e in r
The fact of '>' being well defined is clear in virtue of the pairwise congruency of the
Tr. Indeed, suppose for instance that, using our definition, we get an inconsistency like
a> > a- and a1 > ao. In this case the two firing sequences 7-1 and 7r, whose
existence is guaranteed by the definition, clearly could not be congruent modulo 0,
contradicting our assumption on the 7r (i = 1,..., k). The case of non a-transitions is
even simpler since in this case the the partial order is induced by the sequential ordering
of the transitions within a single firing sequence. This is essentially the reason we do
not need to distinguish between occurrences of non a-transitions.
Any partial ordering can be 'completed' (in a consistent way) into a total ordering, for
instance via a topological sort [7]. In our case, transforming this partial ordering of the
occurrences of the a-transitions into a total ordering, can be interpreted as consistently
'merging' the individual firing sequences 7r into a global firing sequence. Because we
have respected the partial ordering, this global firing sequence is indeed feasible.
As an example of the non trivial direction, suppose there are three a-subnets N1, N2, N3, with
respective sets of transitions:
1. Ti= {r,s,t}U{a,B),7}
2. T2 = u, v, w}U {f, }
3. T3= x,y,z}U{a,p,6,(}
Now, for the three firing sequences in the a-subnets, say, for instance, that:
71 = arsp3asyt (= alrsPai2si7t)
T2 = u663w6v (= US6162Si63v)
73 = x((6yayx3(z6a (= x161(26'" [1 yxl(3zS302)
First, notice that 71, T2, and T3 are readily seen to be pairwise congruent modulo Q. The partial
ordering induced by these firing sequences on the transitions is shown in Figure 7. By i..pl. i ing"
this partial ordering, we can obtain a feasible global firing sequence. One possible total orders
induced by the partial order in Figure 7 is
7 = xuC(1C1(2-, ,'"[rysx{Iw(3zt3va28S1t (= xu(6(6yarysx)3w(z6vaswt)
For completeness, we now formulate the result we were originally seeking about piecewise cov-
erability.
x u 2
1 S
p1 _ 4- x_---- y 1
w 2 s t
z v
Figure 7: Partial ordering induced by Tr,T2 and T3. In the figure, we write: 'a- B' to
mean: 'a >- /.'
Theorem 2 Let N,..., Nk be a-nets with coverability trees T1, ... T respectively.
Let A be their synchronous combination with coverability tree T. It is possible to
determine whether an arbitrary global state iP = 112 ... k is coverable or not, based
solely on the Ti, ... Tk.
PROOF: The sets of firing sequences F1,..., Fk are computable, given each Ni and
each corresponding p/u, as explained for example in [6]. All these Fi sets are finite, so
we may apply the necessary and sufficient conditions of theorem 1 to obtain the desired
global coverability results.
4 An algorithm for bounded Petri nets
The coverability problem is answered by searching the nodes in a coverability tree for a covering
state. Assuming the tree is threaded into a list, the cost of this checking is, on the average, a visit
to half the nodes in the coverability tree (assuming that the state we are checking is coverable, that
is, a state can be found in the tree without exhausting the list).
Let mi be the number of places in a-nets Ni. Clearly, the number of places in the synchronous
combination of a set of nets is the sum of all the mi. Call this sum M. By definition, a B-bounded
Petri net is one in which no place will contain more than B tokens during execution. From net
theory, we know that in the case of bounded nets, the size (number of states) in a coverability tree
is in general exponential in the number of places in a net, on the order of (B + 1)"' (where mT is
the number of places). In the special case of a safe Petri net, the number of nodes in a coverability
tree is on the order of 2'.
For the sake of simplicity, in the rest of this section, we assume that we are dealing with
safe Petri nets. We present an efficient algorithm to check global coverability for the synchronous
combination of a set of safe a-nets. The algorithm requires the coverability tree of each individual
a-net.
Given the previous size estimates for reachability trees, if we were given the coverability tree T
of the synchronous combination containing M states it would cost5 on the average
2M
that is: 2M-1 (1)
2
to check if a global state is covered by synchronous combination of the subnets. This reflects a
search over a list of states.
For each i, let 6i be the depth of the tree Ti, let A = max(ti,..., k) and let g =IQ 0 be
the total number of a-transitions. On the average, each of the 6i is a logarithmic function of the
number of nodes in its respective coverability tree. If ni represents the number of transitions, and
mi the number of places in each subnet, then
6i = logz (2")
These numbers 6i may be obtained "for free" when constructing the coverability trees.
Let ma be the number of nodes in the (or maybe one of the) a-subnet with coverability tree
having depth A. We will show that the algorithm that we propose here has a cost of:
k
S6i2m' + kgm^ (2)
i=l
For large values of M, and where these M nodes are divided over more than a small number (4)
of subnets, the cost shown in expression (1) is much higher than the cost shown in expression (2).
This may be appreciated in table (4). For simplicity, to compute this table we assume the following:
The synchronous combination net as well as the subnets have worst-case coverability trees.
Each a-subnet has a coverability tree of the same size.
In each a-subnet, the number of places is equal to the number of transitions.
All the nets are safe Petri nets (as explained previously).
We now give the algorithm. We first define a "bit hypercube." Remember from definition 3 that
given a global state i/ = /1/12 .../ lk, I denotes the set of all firing sequences in Ti, from its initial
state to some state covering p/. This bit hypercube will encode the firing sequences contained in
the Fi sets. For technical reasons which shall soon be clear, ao denotes the empty string.
Definition 4 Let Ti,..., Tk be the coverability trees of k a-nets. For each state p =
P[1/2 ... -k of their synchronous combination, we define a hypercube ), whose elements
are boolean arrays, each one having k bits. This hypercube has A dimensions (one for
each transition in the longest firing sequence), with each subscript having a value from
0 to g (representing each a-transition in Q, plus 0 for no transition), and
V(i1, i2, ..., ia)[j] = ON if and only if 3 rE Fj : (r)n = ai a2 ...a,
5When we use the word "cost," we mean cost in searching time.
M 1 net 4 subnets 8 subnets 16 subnets
10 512 4,124
20 524;-' 4,194,624 262,182
30 -..1.-70,912 4,294,970,011 47,453,267 524,316
40 549,755,813,1- 4 .;'', 1146,531,584 8,58'",.'. 119 16,777,273
Table 1: Table showing the relative costs of checking coverability for safe Petri nets.
M is the number of places in the net produced by synchronous combination.
Notice that we allow some of the ij to be zero. In this case, by the remark preceding this definition,
the corresponding ai, would be the empty string.
We also need to define a k x g bit matrix representing in the obvious way whether or not the
net Ni physically contains transition aj. We call this matrix the a-cross matrix, and refer to it as
D. Its rows indicate a-transitions, and its columns a-subnets. The matrix D may be considered
as given for all practical purposes. More specifically:
Definition 5 The a-cross matrix D is defined by:
V i, 1 *
*
Having defined these matrices, we now propose a more efficient algorithm containing two phases.
In the first step, we construct the hypercube. This may be considered the expensive part, and we
will show that it actually costs the first summand shown in (2). Secondly, based on the above
hypercube, we answer the coverability question at a cost equal to the second summand of (2).
COVERABLE (Pu = Pi/2 ... lk T1, ... Tk)
Part I: Constructing 4,.
Initialize ~< to OFF's;
FOR i = 1 TO k BEGIN
FOR each node r in Ti BEGIN
IF r covers pi THEN BEGIN
recover the path r from r to the root of Ti;
Say: (r)Q = a0l ai2 ... ai
REM Because some of the ij may be zero, there would be many possible
REM ways to write the above sequence. However, to have uniqueness, we
REM required that if some ij is zero, then all subsequent indexes be also zero.
4)(il, i2, ... A)[i] ON;
END
END
END
Part II: Examining t4
FOR each 4,(il, i2, iA) BEGIN
b true;
FOR j = 1 TO k BEGIN
b ,(il*D(1,j), i2D(2,j),..., i *D(g,j))[j] A b;
END
IF b THEN BEGIN
OUTPUT yes;
EXIT;
END
END
OUTPUT false;
The integer-boolean multiplication: is defined in the obvious way, namely:
(t, f it if D(t,j) = ON
0 if D(t,j) = OFF
The analysis of this algorithm is straightforward. Part I clearly has a cost of:
k
i=1
Similarly, part II takes:
kg A
Therefore, in total, the coverability checking can be done in a cost as indicated by expression (2).
5 Discussion and conclusions
The time-cost estimates in this analysis seem to say that the piecewise coverability algorithm is
faster than the traditional coverability checking algorithm on one large system tree. Actually,
what the results most likely say is that for large systems that can be described as a collection of
loosely coupled pi .... - the bounds we give are far better estimates of the time-cost than those
obtained from worst case estimates of the size of a global coverability tree. Since the system is
highly partitioned, the worst case tree is almost certainly not going to be realized.
The storage saving, however, are real. The total size of the coverability trees for a collection of
small nets will be very much smaller than the size of the tree for an equivalent global system net.
This savings is practical and significant.
In addition to storage savings, some time saving is realized during the construction of a system
model, when the structure is being changed frequently. When a subnet is altered, only the individual
coverability tree for that subnet must be recomputed, and the trees for all other subnets can remain
unchanged. Since an individual state space is small compared to the global system state space, far
less time will be required to reclaim an accurate representation of the global state space after a
structural change. Petri nets in this manner are reusable, or modular.
Our analysis technique assumes the process structure of the total system is created a priori,
as if it were derived, say, from a parallel program or other system description (like CSP [5]). An
interesting problem that we have not yet worked on is to try and identify processes within existing
global nets, thereby making this technique applicable to existing large models. The technique
would be to identify loosely connected subnets, and make the connecting transitions a-transitions.
The resulting net set would gain for the system modeler the space and time advantages we have
outlined.
References
[1] G. Berthelot, G. Roucairol, and R. Valk. reductions of nets and parallel programs. In
W. Brauer, editor, LNCS 84: Net Theory and Applications, pages 277-290. Springer-Verlag,
1980.
[2] J. Billington. Protocol engineering and nets. In Proceedings of the '/i European Workshop on
Application and Theory of Petri Nets, pages 137-156, 1', -.
[3] G. Comparin, G. A. Lanzarone, K. Lautenbach, A. Pagnoni, W. Panzeri, and A. Torgano.
Guidelines on using net analysis techniques with large specifications. In G. Rozenberg, editor,
LNCS 222: Advances in Petri Nets 1985, pages 142-161. Springer-Verlag, 1'-".
[4] L. Czaja. Making nets abstract and structured. In G. Rozenberg, editor, LNCS 222: Advances
in Petri Nets 1985, pages 181-202. Springer-Verlag, 1',".
[5] C. A. R. Hoare. Communicating sequential processes. Communications of the AC I1, 21(8):666
677, 1978.
[6] Richard M. Karp and Raymond E. Miller. Parallel program schemata. Journal of Computer
and System Sciences, 3:147-195, May 1969.
[7] Donald Knuth. The Art of Computer PI
Addison Wesley, 1970.
[8] Wolfgang Reisig. Petri Nets: An Introduction. Springer-Verlag, 1',".
[9] Antti Valmari. State Space Generation: Efficiency and Practicality. Ph.D. dissertation, Tam-
pere University of Technology, Tampere, Finland, 1''"- Issued as Technical Publication No.
55.
[10] Antti Valmari. Stubborn sets for reduced state space generation. In G. Rozenberg, editor,
LNCS 483: Advances in Petri Nets 1990, pages 491-515. Springer-Verlag, 1990.
*
* |