
SOFTWARE—PRACTICE AND EXPERIENCE, VOL. 21 (8), 845–875 (AUGUST 1991)

A Methodology for Constructing Predicate Transition Net Specifications

XUDONG HE

Department of Computer Science, North Dakota State University, Fargo, ND 58105, U.S.A.

AND

JOHN A. N. LEE

Department of Computer Science, Virginia Polytechnic Institute & State University, Blacksburg, VA 24061, U.S.A.

SUMMARY

In this paper, a methodology for constructing hierarchical and structured predicate transition net specifications is developed, which includes new systematic notation extensions for supporting various transformation techniques upon predicate transition nets and several rules for applying such transformation techniques. The levelling technique in data-flow diagrams is adapted in the refinement and the abstraction techniques, and the state decomposition idea in state-charts is employed in designing various label formulation operators. The methodology is illustrated through the specification of a lift system. The methodology can significantly reduce the constructing complexity and enhance the comprehensibility of large predicate transition net specifications.

KEY WORDS Petri nets Predicate transition nets Formal specification Transformation techniques Structured analysis

INTRODUCTION

Petri nets are an excellent model for studying parallel and distributed systems. Petri nets have a simple visual notation for specifying the structural aspect and the causal relationships among various modules of a parallel or distributed system. Petri nets support both the data flow abstraction and the control flow abstraction. Despite their advantages and wide applications, 1,2 Petri nets have the distinct disadvantage of producing very large and unstructured specifications for the systems being modelled. 3

Although the introduction of predicate transition nets 4 (PrT nets in the sequel) has drastically enhanced the expressive power of Petri nets and greatly alleviated the above problems, to specify a very large system in terms of a PrT net is still a formidable task and can result in a huge net too complicated to be readily understood. In order to overcome these problems, a methodology for introducing hierarchies into PrT nets and for constructing structured PrT net specifications is needed.

The hierarchical and modular design of programs is a well-known programming methodology 5,6 and has been widely applied in practical software development. The same kind of methodology is also sought by the software specification community in order to make writing specifications for large systems feasible and understandable. Stepwise refinement and abstraction techniques for Petri nets have been explored by several researchers. 7–9 In Reference 7, a design method for place transition nets (PT nets in the sequel), which are a class of low-level Petri nets, was presented, but unfortunately it could not be directly applied to PrT nets. In References 8 and 9, several heuristic principles were identified and illustrated in developing large PrT net specifications; however, a systematic methodology was not given. This research is based on some results in Reference 8 and further explores the transformation techniques for constructing hierarchical and structured PrT nets. This paper presents a new methodology for constructing hierarchical and structured PrT net specifications. The methodology consists of powerful refinement, abstraction, synthesis, and decomposition techniques. A new systematic notation is proposed for such transformation techniques so that a PrT net specification can be developed hierarchically and understood stepwise. The levelling technique in data-flow diagrams 10 is adapted in the refinement and the abstraction techniques, and the state decomposition idea in state-charts 11 is employed in designing various label formulation operators. The methodology is illustrated through a PrT net specification of a lift system. The methodology can significantly reduce the complexity of constructing large PrT net specifications, as well as enhance the comprehensibility of PrT net specifications of large parallel and distributed systems.

0038–0644/91/080845–31$15.50 © 1991 by John Wiley & Sons, Ltd. Received 5 May 1989; revised 15 February 1991 and 26 March 1991

PREDICATE TRANSITION PETRI NETS

In this section, the basic concepts and examples of PrT nets are informally introduced to motivate the development of the design methodology for PrT nets. Since, among the various components of Petri nets, the structural aspect and causal relationships, i.e. the static semantics, are the main concern of the design methodology, the dynamic semantics, i.e. the firing of enabled transitions, of Petri nets is not discussed. The five dining philosophers problem is first specified by using a PT net and then respecified by using a PrT net. The expressive power enhanced by using PrT nets over PT nets should be clear from these examples.

A net structure is a directed bipartite graph (P, T; F) where P ∪ T is the set of nodes with P ∩ T = ∅ and F is the set of directed edges. In Petri nets terminology, P is called the set of places, represented by circles; T is called the set of transitions, represented by bars (or boxes); and F ⊆ (P × T) ∪ (T × P) is called the flow relation, represented by directed arcs.

A PT net has a finite net structure (P, T; F), where each place in P may contain a finite number of tokens represented by dots, and each arc in F is inscribed by a positive integer number indicating the flow capacity.

The five dining philosophers problem is specified by the PT net shown in Figure 1, where places p1 to p5 hold thinking philosophers, p6 to p10 contain available chopsticks, p11 to p15 hold eating philosophers, t1 to t5 stand for the actions of picking up chopsticks, and t6 to t10 stand for the actions of putting down chopsticks. The flow capacity for each arc is one by default. The initial marking assigns a token to each of the places p1 to p10.

The major problem of PT nets is that the resulting specifications of systems are usually huge, complicated and unstructured. It can be seen from the above example that even for simple systems the resulting PT net specifications are large. One can imagine that there will be hundreds or even thousands of places and transitions in a PT net specification of a medium-sized system. The second problem of PT nets is the structural inflexibility, which makes modifying an existing PT net extremely difficult. For example, if a new philosopher needs to be added to the dining philosophers problem, the structure of the PT net shown in Figure 1 has to be changed. The third problem of PT nets is their inability to identify individual tokens, since simple tokens lack information. For instance, there is no way to distinguish a specific philosopher from the others in the above example.

Figure 1. A PT net specification of the five philosophers problem

To solve the above problems, high-level Petri nets, which include predicate transition nets 12 and coloured Petri nets, 13 have been developed. High-level Petri nets have the following properties: (1) using a single place or transition to represent an identical net structure, which not only significantly reduces the number of places and transitions but also greatly improves the structural flexibility of resulting Petri net specifications, which effectively overcomes the first two problems; and (2) employing individualized and structured tokens, which effectively overcomes the third problem.

A PrT net is a five-tuple (P, T, F, L, R) where P is the set of predicates, which are parametrized places, T is the set of transitions and F is the set of arcs representing the flow relation; L is a mapping that associates each arc in F with a label. Each label is a set of tuples with the same arity and of the form (t_1, ..., t_n), and each t_i can be either a constant or an individual variable. Finally, R is another mapping that associates some transitions in T with a relational expression to restrict the firing of the transition. All arcs incident with the same predicate must have the same arity, and the arity of the predicate is defined to be the arity of its incident arcs.

The above definition of a PrT net is different from the original definition of a PrT net, 4 where labels were symbolic sums. The definition for labels is extended through the new label constructing operators introduced in the following section. The new labels are as expressive as those defined in Reference 4.

The five dining philosophers problem is respecified by a PrT net shown in Figure 2, where p1 is the predicate for holding thinking philosophers, p2 is the predicate containing available chopsticks, p3 is the predicate for holding eating philosophers, and transitions t1 and t2 stand for the actions of picking up and putting down chopsticks, respectively. The relational expression y = x ⊕ 1 specifies the constraint between a philosopher and the chopsticks that the philosopher can use, and ⊕ is the modulo 5 addition operator. For example, philosopher 2 can only use chopsticks 2 and 3.

The advantages of PrT net specifications over PT net specifications are obvious from the above examples. Not only is the number of components drastically reduced from 15 places and 10 transitions in Figure 1 to three predicates and two transitions in Figure 2, but also the structure of the PrT net specification is more stable with respect to the number of philosophers and chopsticks, i.e. when more philosophers and chopsticks need to be added, only the initial marking needs to be changed, whereas the net structure remains essentially the same.

TRANSFORMATION TECHNIQUES FOR PREDICATE TRANSITION NETS

From PT nets to PrT nets, great progress has been made within the formalism itself, i.e. by enhancing the underlying theory of Petri nets. However, a corresponding methodology for applying PrT nets to the specification of parallel and distributed systems is still lacking. The methodology should solve the following two problems in constructing a PrT net specification. First, it is very difficult for users to construct a complete PrT net specification for a system as a single design step, especially when the given system is large and complicated. Thus the methodology should include transformation techniques and guidelines for applying the transformation techniques to construct PrT net specifications. Secondly, it is impossible to represent a complete specification for a large system in a single PrT net that would have the size of a football field. Such a flat PrT net specification is usually incomprehensible and unstructured. Therefore the methodology should provide mechanisms and notations for introducing hierarchies and modularity into PrT net specifications.

Figure 2. A PrT net specification of the five philosophers problem

Our methodology includes four kinds of transformation techniques: refinement, abstraction, synthesis and decomposition. Refinement adds details to an existing PrT net by replacing a component of the PrT net with another PrT net. Abstraction shrinks an existing PrT net by substituting a subnet of the PrT net with a single component. Synthesis introduces additional components into an existing PrT net. Decomposition separates a PrT net into several smaller PrT nets. The concepts of the above transformation techniques were initially proposed in Reference 8. In this paper, these transformation techniques are formalized, especially with regard to the formulation of labels.

The methodology introduces hierarchies and modularity into PrT net specifications by providing new graphical notations for predicates, transitions and arcs, new operators for formulating labels and a systematic approach for incorporating these new extensions into PrT nets during the specification process. Dotted components are employed to denote hierarchies in a PrT net. Non-terminating arcs and new types of labels inspired by the state decomposition idea in state-charts 14 are used to reflect correct control flows between a parent PrT net and its children nets. The levelling technique in data-flow diagrams 10 is adapted as a general guideline for constructing PrT net specifications.

In the following subsections, the new extensions and the rules of the transformation techniques are given, and the results of applying the transformation techniques are illustrated through various examples.

Extensions to predicate transition nets

In this paper, PrT nets are extended both graphically and algebraically to support various transformation techniques.

Predicates (transitions) are represented by either solid or dotted circles (boxes). A solid circle (box) indicates an elementary predicate (transition) at the current abstraction level, and a dotted, super, circle (box) stands for either the abstraction of an existing P-subnet (T-subnet) or the refinement of a predicate (transition). For each dotted circle or box, there is a corresponding lower level net—a child net—associated with it. The child net is either enclosed by a dotted counterpart and connected to the parent net or enclosed by a dotted counterpart and separated from the parent net. Figure 3 shows an example of separated abstraction/refinement. The net enclosed by a dotted component represents a refinement of the enclosing dotted component. The introduction of this new notation, which was inspired by the levelling technique in data-flow diagrams, 10 enables the hierarchical development of PrT net specifications.

Non-terminating arcs with inscribing labels, which were adapted from the state-chart, 14 are allowed in the child net to indicate the flow relation between the child net and its outside environment. Figure 4 represents an example of a child net with non-terminating arcs. Non-terminating arcs may be omitted when all of the same kind of components in the child net are connected by non-terminating arcs with the same label to or from the environment, as illustrated in Figure 5.

The above graphical notation extensions have great effects on the flow relation. Although no new arc notation is introduced, an arc can now denote a group of data and control flows. To reflect this change, a set of new label formulation operators is designed.


Figure 3. An example of abstraction/refinement

Figure 4. Non-terminating arcs in the child net

Labels in a PrT net are extended to include those formulated by using the following label construction operators. Two data flows inscribed by two labels L1 and L2 in a PrT net can occur in the following different ways:

1. Two data flows may occur either sequentially or concurrently, which is resolved non-deterministically based on the availability of tokens, and exhibits an inclusive OR relationship, called an OR flow relation in the sequel. The algebraic symbol + is adopted to represent this relationship. The new label describing this kind of combined data flow is L1 + L2. Figures 6(a) to 6(d) represent examples of the OR flow relation.

2. Both data flows always occur at the same time, which specifies an AND relationship, called an AND flow relation in the sequel. The algebraic symbol * is used to represent this relationship. The new label describing this kind of combined data flow is L1 * L2. Figures 6(e) and 6(f) are examples of the AND flow relation.

Figure 5. An example of default flow relation in the child net: (a) a PrT net; (b) an abstraction of (a); (c) the lower level net for predicate p5

The above label formulation operators have the following algebraic properties (x, y, w and z are labels):

1. + and * are commutative: x + y = y + x, x * y = y * x.

2. + and * are associative: (x + y) + z = x + (y + z), (x * y) * z = x * (y * z).

The above properties are fairly obvious from the examples in Figure 6.

3. * has precedence over +. Figures 7 and 8 are two examples illustrating this property, where the label x*w + y*z is a correct characterization of the causal relationships, whereas the label (x + y)*(w + z) is incorrect in Figure 7, and the label x*y + w*z is a correct characterization of the causal relationships whereas the label (x + w)*(y + z) is incorrect in Figure 8. Parentheses may be employed to specify the priority explicitly when some combination of the above situations occurs.

4. * is distributive over +: x*(y + z) = x*y + x*z. This property can be derived from (3) by identifying y with x in Figure 7 and w with x in Figure 8, respectively.

Figure 6 shows six basic patterns in which two data flows can be combined and the resulting labels. More complicated patterns can be synthesized from these six basic patterns.
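To make the four laws concrete, here is a small label-expression normaliser written as an added example for this page; it is not code from the paper. It assumes a textual syntax in which identifiers stand for whole label inscriptions (the paper's x, y, w, z), + and * are the OR and AND flow operators, and * binds tighter than + unless parentheses say otherwise. Two expressions are equivalent under laws 1 to 4 exactly when their sum-of-products normal forms coincide, which is how the block checks that x*(y+z) and x*y + x*z agree while x*w + y*z and (x+y)*(w+z), the correct and incorrect labels of Figure 7, do not.

```python
import re

# Assumed concrete syntax for this example: atoms are identifiers standing for whole
# label inscriptions, combined with + (OR flow) and * (AND flow); * binds tighter
# than +, and parentheses override that.
TOKEN = re.compile(r"[A-Za-z_]\w*|[+*()]")


class LabelParser:
    """Recursive-descent parser: expr := term ('+' term)* ; term := atom ('*' atom)* ;
    atom := NAME | '(' expr ')'.  Produces a tree of ('+', [...]), ('*', [...]) and
    ('atom', name) nodes."""

    def __init__(self, text):
        self.toks = TOKEN.findall(text)
        if "".join(self.toks) != re.sub(r"\s+", "", text):
            raise SyntaxError(f"unexpected characters in label {text!r}")
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise SyntaxError(f"expected {expected or 'a name'}, got {tok!r}")
        self.i += 1
        return tok

    def expr(self):                       # lowest precedence: OR flow
        parts = [self.term()]
        while self.peek() == "+":
            self.take("+")
            parts.append(self.term())
        return ("+", parts)

    def term(self):                       # binds tighter: AND flow
        parts = [self.atom()]
        while self.peek() == "*":
            self.take("*")
            parts.append(self.atom())
        return ("*", parts)

    def atom(self):
        if self.peek() == "(":
            self.take("(")
            node = self.expr()
            self.take(")")
            return node
        name = self.take()
        if not (name[0].isalpha() or name[0] == "_"):
            raise SyntaxError(f"expected a name, got {name!r}")
        return ("atom", name)


def parse_label(text):
    p = LabelParser(text)
    tree = p.expr()
    if p.peek() is not None:
        raise SyntaxError(f"trailing input {p.peek()!r} in label {text!r}")
    return tree


def normal_form(node):
    """Canonical sum of products: a sorted tuple of products, each product a sorted
    tuple of atom names.  Sorting realises commutativity and associativity of + and *;
    the cross product realises distributivity of * over +.  Nothing is deduplicated,
    because the paper states no idempotence law."""
    kind, payload = node
    if kind == "atom":
        return ((payload,),)
    if kind == "+":
        terms = []
        for child in payload:
            terms.extend(normal_form(child))
        return tuple(sorted(terms))
    products = [()]                                   # kind == "*"
    for child in payload:
        products = [tuple(sorted(p + q)) for p in products for q in normal_form(child)]
    return tuple(sorted(products))


def equivalent(a, b):
    """True iff the two label expressions denote the same flow relation under laws 1-4."""
    return normal_form(parse_label(a)) == normal_form(parse_label(b))


def render(text):
    """Pretty-print the normal form, e.g. 'x*(y+z)' -> 'x*y + x*z'."""
    return " + ".join("*".join(prod) for prod in normal_form(parse_label(text)))


if __name__ == "__main__":
    for a, b in [("x*(y+z)", "x*y + x*z"), ("x*w + y*z", "(x+y)*(w+z)")]:
        print(f"{a!r} == {b!r}: {equivalent(a, b)}")
```

Because + and * are modelled without an idempotence law, x + x and x are kept distinct; if a particular net diagram needs that identification, the normal form can be turned into a set of products instead of a tuple.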

Initial development of predicate transition net specifications

Figure 6. Basic construction patterns

There are two kinds of components explicitly and graphically represented in a PrT net: predicates and transitions. Predicates and transitions are treated equally in PrT nets, where predicates and transitions model the passive components and the active components of a system, respectively. This is a major difference between PrT nets and other structured analysis and specification models such as data-flow diagrams, 10 where only active processing components—bubbles—of a system are represented graphically, and state transition diagrams, 10 where only passive components—states—of a system are shown graphically, whereas active components—state transitions—are implicit functions and represented textually. The above characteristic of PrT nets provides the following guidelines for constructing an initial PrT net specification of a system:

1. Analyse the system to distinguish the major passive and active components of the system: passive components are those capturing the distinct states, and active components are those making transitions from one state to another.

2. Represent passive and active components by predicates and transitions, respectively.

3. Create only one predicate for a class of similar passive components.

4. Connect the predicates and transitions with directed arcs.

5. Inscribe arcs with appropriate labels to reflect data flows.

6. Construct relational expressions to restrict the firing conditions of transitions if necessary.

Figure 7. An example showing the precedence of operator * over +

Figure 8. Another example showing the precedence of operator * over +

In the five dining philosophers problem, the following distinct states can be recognized: (1) a philosopher is thinking, (2) a philosopher is eating and (3) a chopstick is available; and the following actions changing the above states can also be identified: (1) a philosopher picks up two chopsticks and starts eating and (2) a philosopher puts down two chopsticks and returns to thinking. Since all philosophers have the same patterns of behaviour, only one predicate for thinking philosophers and one predicate for eating philosophers need to be represented in the PrT net. Similarly, only one predicate for available chopsticks needs to be represented in the PrT net. Since a philosopher can only use his adjacent chopsticks, the relational expression y = x ⊕ 1 is thus used to specify this condition.

Hierarchical development of predicate transition net specifications

In this section, two kinds of hierarchical transformation techniques—refinement and abstraction—are presented, which support top-down and bottom-up development paradigms, respectively. Refinement adds details to an existing PrT net by either introducing another lower level description for a component of the PrT net or expanding a component of the PrT net with a new PrT net at the current abstraction level; the result of a refinement is a more detailed PrT net specification, which normally consists of a set of hierarchical PrT nets. Abstraction is the reverse process of refinement and replaces a subnet of a PrT net with a single component—either a predicate or a transition; the result of an abstraction is a more abstract PrT net specification.

The formal treatment of the hierarchical transformation techniques for PrT nets is the most important contribution of this paper. By using the hierarchical transformation techniques, we are able to write well-structured and understandable PrT net specifications for large software systems in a controllable and manageable way. The resulting PrT specification for a software system normally consists of a hierarchy of PrT nets instead of a single flat football-size PrT net specification created by using the conventional techniques.

The idea of introducing hierarchies into PrT nets was inspired by (1) the modern modular programming languages such as Ada,* (2) the state-chart 14 visual specification technique, (3) the structured analysis technique of data-flow diagrams 10 and (4) the analysis that there is still a lack of structured development techniques for Petri nets. 3 Recently, we learned of a similar effort towards introducing hierarchies into coloured Petri nets, 15 which are another kind of high-level Petri nets.

In order to introduce hierarchies into PrT nets, not only do new notation extensions need to be invented but also new theories need to be established to ensure (1) the appropriate conditions for applying hierarchical transformation techniques, (2) the well-definedness of both the graphical representations and the algebraic definitions of PrT nets after such transformations, and (3) the balance of both data and control flows between a parent net and its child nets. The new notation extensions have been introduced in the previous sections. In this section, the rules of applying abstraction and refinement transformation techniques in developing hierarchical PrT net specifications are presented, discussed and illustrated through various examples.

*Ada is a trademark of the Department of Defense of the U.S.A.

Let N = (P, T; F, L, R) be a PrT net, then a subnet N_s = (P_s, T_s; F_s, L_s, R_s) of N is defined as follows:

P_s ⊆ P
T_s ⊆ T
F_s = F ∩ ((P_s × T_s) ∪ (T_s × P_s))
L_s = {(x,y) → L(x,y) | (x,y) ∈ F_s}
R_s = {x → R(x) | x ∈ T_s}

The border of N_s in N is the set of components in N_s that connect to the components in N – N_s, and is formally defined as

bd(N_s) = {x | x ∈ P_s ∪ T_s ∧ ∃y ∈ (P ∪ T – (P_s ∪ T_s)) ((y,x) ∈ F ∨ (x,y) ∈ F)}

N_s is called a P-subnet iff bd(N_s) ⊆ P; and N_s is called a T-subnet iff bd(N_s) ⊆ T. Figure 9 shows an example of a PrT net N and one of its subnets N_s, which has a border bd(N_s) = {p2, p3} and thus is a P-subnet.

The preset (postset) of a net component x consists of all the net components incident with x through its incoming (outgoing) arcs and is denoted by ●x (x●). For example, ●t1 = {p1}, t1● = {p2} and p1● = {t1, t2} in Figure 9.

Abstraction rule for P-subnets

Let N = (P, T; F, L, R) be a PrT net, and N_s = (P_s, T_s; F_s, L_s, R_s) be a P-subnet of N with all predicates in bd(N_s) having the same arity, to ensure a well-defined interpretation of the new resulting predicate.

Figure 9. A PrT net and one of its subnets

1. Destructive abstraction (the subnet is discarded). The result of replacing N_s by a new predicate p with {p} ∩ (P ∪ T) = ∅ is a new PrT net N′ = (P′, T′; F′, L′, R′), algebraically defined as

P′ = (P – P_s) ∪ {p}
T′ = T – T_s
F′ = {(x,y) | x,y ∈ (P – P_s) ∪ (T – T_s) ∧ (x,y) ∈ F}
   ∪ {(x,p) | x ∈ (T – T_s) ∧ ∃y ∈ P_s ((x,y) ∈ F)}
   ∪ {(p,x) | x ∈ (T – T_s) ∧ ∃y ∈ P_s ((y,x) ∈ F)}
L′ = {(x,y) → L(x,y) | x,y ∈ (P – P_s) ∪ (T – T_s) ∧ (x,y) ∈ F}
   ∪ {(x,p) → L(x,y_1) * ... * L(x,y_n) | x ∈ (T – T_s) ∧ x is solid ∧ {(x,y_1), ..., (x,y_n) | y_i ∈ P_s} ⊆ F}
   ∪ {(x,p) → L(x,y_1) + ... + L(x,y_n) | x ∈ (T – T_s) ∧ x is dotted ∧ {(x,y_1), ..., (x,y_n) | y_i ∈ P_s} ⊆ F}
   ∪ {(p,x) → L(y_1,x) * ... * L(y_n,x) | x ∈ (T – T_s) ∧ x is solid ∧ {(y_1,x), ..., (y_n,x) | y_i ∈ P_s} ⊆ F}
   ∪ {(p,x) → L(y_1,x) + ... + L(y_n,x) | x ∈ (T – T_s) ∧ x is dotted ∧ {(y_1,x), ..., (y_n,x) | y_i ∈ P_s} ⊆ F}
R′ = {x → R(x) | x ∈ T′}

where the components in the subnet N_s are deleted and the new predicate p is connected to the transitions in the remaining part of N according to the original existing connections. The arcs connecting a transition x in the remaining part of N to the set of predicates {y_1, ..., y_n} in N_s are combined to form a new arc (x,p) with a new label L(x,y_1) * ... * L(x,y_n) representing an AND flow relation when the transition x is solid (see Figure 6(f)), or with a new label L(x,y_1) + ... + L(x,y_n) representing an OR flow relation when the transition x is dotted (see Figure 6(d)). The arcs connecting the set of predicates {y_1, ..., y_n} in N_s to a transition x in N are combined to form a new arc (p,x) with a new label L(y_1,x) * ... * L(y_n,x) representing an AND flow relation when the transition x is solid (see Figure 6(e)), or with a new label L(y_1,x) + ... + L(y_n,x) representing an OR flow relation when the transition x is dotted (see Figure 6(c)).

Graphically, N′ is obtained by replacing the subnet N_s with a solid circle denoted by p, and by connecting p to the transitions in the remaining part of N through the arcs defined in F′.

Semantically, the new labels to and from the new predicate p have correctly preserved both the data and control flows; therefore the behavioural and causal relationship between the replaced subnet and the remaining part of N remains unchanged.

This kind of abstraction is useful when some part of an existing PrT net specification needs to be changed and rewritten.

2. Non-destructive abstraction (the subnet is saved as a lower level net). The result of replacing N_s by a new predicate p with {p} ∩ (P ∪ T) = ∅ is a new PrT net specification consisting of an upper level parent PrT net N′ = (P′, T′; F′, L′, R′) and a lower level child PrT net N′_s = (P′_s, T′_s; F′_s, L′_s, R′_s). N′ is defined as in destructive abstraction and N′_s is defined by introducing a special new transition @t to denote the outside environment, as follows:

P′_s = P_s
T′_s = T_s ∪ {@t}
F′_s = F_s ∪ {(x,@t) | x ∈ P_s ∧ ∃y ∈ T – T_s ((x,y) ∈ F)}
      ∪ {(@t,x) | x ∈ P_s ∧ ∃y ∈ T – T_s ((y,x) ∈ F)}
L′_s = L_s ∪ {(x,@t) → L(x,y_1) + ... + L(x,y_n) | x ∈ P_s ∧ {y_1, ..., y_n} ⊆ T – T_s ∧ (x,y_i) ∈ F}
      ∪ {(@t,x) → L(y_1,x) + ... + L(y_n,x) | x ∈ P_s ∧ {y_1, ..., y_n} ⊆ T – T_s ∧ (y_i,x) ∈ F}
R′_s = R_s

Graphically, N′ is obtained by replacing the subnet N_s with a dotted circle denoted by p and by connecting p to the transitions in the remaining part of N through the arcs defined in F′; and N′_s is obtained by enclosing N_s with a dotted circle, by creating non-terminating arcs for those arcs involving the special transition @t and by inscribing such non-terminating arcs with the corresponding labels defined in L′_s. Figure 10 shows an example of a non-destructive P-subnet abstraction.

Semantically, the new labels to and from the new predicate p have correctly preserved both the data and control flows; therefore the behavioural and causal relationship between the replaced subnet and the remaining part of N remains unchanged. The balance of the data and control flows between N′ and N′_s has been kept correctly by the non-terminating arcs and their associated labels: the control information is recorded in the label operator + to represent the OR flow relationship. The causal relationship between the parent net and the child net is like a main program and its subprogram in a typical procedural programming language. The predicate p in the parent net acts like a program unit specification and the corresponding child net acts like a program unit body definition as in Ada.

The usefulness of this kind of abstraction is to transform an existing flat PrT net into a set of hierarchical PrT nets such that each of them has a small and manageable size, and to create an understandable PrT net overview appropriate for a specific purpose at some abstraction level. This kind of abstraction introduces hierarchies into a PrT net specification in a bottom-up approach.

Figure 10. An example of a non-destructive P-subnet abstraction

Abstraction rule for T-subnets

Let N = (P, T; F, L, R) be a PrT net and N_s = (P_s, T_s; F_s, L_s, R_s) be a T-subnet of N.

1. Destructive abstraction ( the subnet is discarded ). The result of replacing N s bya new transition t with { t } ∩ (P ∪ T) = ∅ is a new PrT net N ′ = ( P ′, T ′; F ′, L ′, R ′ )algebraically defined as

P ′ = P–P s

T ′ = ( T-T s) ∪ { t }F ′ = {( x,y ) | x,y ∈ ( P– P s) ∪ (T– T s) ∧ ( x,y ) ∈ F } ∪

{( x,t ) | x ∈ ( P-P s) ∧ y ∈ T s (( x,y ) ∈ F )} ∪ {( t,x )| x ∈ ( P-P s)∧ ∃ y ∈ s (( y,x ) ∈ F )}

L ′ = {( x,y ) → L ( x,y )| x,y ∈ ( P–P s ) ∪ ( T– T s) ∧ ( x,y ) ∈ F } ∪{( x,t ) → L ( x,y 1)+ . ..+ L ( x,y n)| x ∈ ( P-P s ) ∧ {( x,y l),..., ( x,yn )| yi ∈ T s} ⊆ F } ∪{( t,x ) → L ( y 1 ,x )+ . . . + L ( yn,x )|x ∈ (P–P s) ∧ {( y 1,x ),...,( yn,x ) | yi ∈ T s} ⊆ F }R ′ = { x → R ( x )| x ∈ ( T-T s)}

where the components in the subnet N_s are deleted and the new transition t is connected to the predicates in the remaining part of N according to the original existing connections. The arcs connecting a predicate x in the remaining part of N to the set of transitions {y_1, ..., y_n} in N_s are combined to form a new arc (x,t) with a new label L(x,y_1) + ... + L(x,y_n) representing an OR flow relation when the predicate x is either solid (see Figure 6(a)) or dotted (see Figure 6(c)). The arcs connecting the set of transitions {y_1, ..., y_n} in N_s to a predicate x in N are combined to form a new arc (t,x) with a new label L(y_1,x) + ... + L(y_n,x) representing an OR flow relation since information flow along those replaced arcs can occur either sequentially or concurrently (see Figure 6(b)).

Graphically, N′ is obtained by replacing the subnet N_s with a solid box denoted by t, and by connecting t to the predicates in the remaining part of N through the arcs defined in F′.

The semantics and usefulness of this kind of abstraction for T-subnets are the same as those for P-subnets.

2. Non-destructive abstraction (the subnet is saved as a lower level net). The result of replacing N_s by a new transition t with {t} ∩ (P ∪ T) = ∅ is a new PrT net consisting of an upper level PrT net N′ = (P′, T′; F′, L′, R′) and a lower level PrT net N′_s = (P′_s, T′_s; F′_s, L′_s, R′_s). N′ is defined as in destructive abstraction and N′_s is defined by introducing a special new predicate @p to denote the outside environment, as follows:

$$
\begin{aligned}
P'_s &= P_s \cup \{@p\}\\
T'_s &= T_s\\
F'_s &= F_s \cup \{(x,@p) \mid x \in T_s \wedge \exists y \in P - P_s\,((x,y) \in F)\}\\
     &\quad \cup \{(@p,x) \mid x \in T_s \wedge \exists y \in P - P_s\,((y,x) \in F)\}\\
L'_s &= L_s \cup \{(x,@p) \mapsto L(x,y_1) * \cdots * L(x,y_n) \mid x \in T_s \wedge \{y_1,\ldots,y_n\} \subseteq P - P_s \wedge (x,y_i) \in F\}\\
     &\quad \cup \{(@p,x) \mapsto L(y_1,x) * \cdots * L(y_n,x) \mid x \in T_s \wedge \{y_1,\ldots,y_n\} \subseteq P - P_s \wedge (y_i,x) \in F\}\\
R'_s &= R_s
\end{aligned}
$$

Graphically, N′ is obtained by replacing the subnet N_s with a dotted box denoted by t and by connecting t to the predicates in the remaining part of N through the arcs defined in F′; and N′_s is obtained by enclosing N_s with a dotted box, by creating non-terminating arcs for those arcs involving the special predicate @p and by inscribing such non-terminating arcs with the corresponding labels defined in L′_s. Figure 11 shows an example of a non-destructive T-subnet abstraction.

The semantics and usefulness of this kind of abstraction for T-subnets are the same as those for P-subnets.
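The two variants of the T-subnet abstraction rule can be carried out mechanically. The following Python program is an added worked example and is not part of the paper; it represents a PrT net as a dictionary of its five components with labels kept as strings, and applies the rule to a constructed six-component net in which the T-subnet {p2} / {t1, t2} is replaced by a new transition t. The net, its labels and its relational expressions are constructed for the example.

```python
# Added example (not from the paper): the abstraction rule for T-subnets,
# destructive and non-destructive, over a small constructed PrT net.
# A net is a dict with keys P, T (sets of node names), F (set of (x, y) arcs),
# L (dict arc -> label string) and R (dict transition -> relational expression).

def abstract_t_subnet(net, P_s, T_s, t, destructive=True):
    """Replace the T-subnet (P_s, T_s) of net by the fresh transition t.

    Returns the upper level net N'. With destructive=False it also returns
    the child net N'_s, in which the special predicate '@p' stands for the
    outside environment.
    """
    P, T, F, L, R = net["P"], net["T"], net["F"], net["L"], net["R"]
    assert t not in (P | T), "{t} must be disjoint from P and T"
    assert P_s <= P and T_s <= T, "(P_s, T_s) must be a subnet of N"
    # In a T-subnet the border consists of transitions: every arc touching an
    # inner predicate stays inside the subnet.
    for x, y in F:
        if x in P_s or y in P_s:
            assert {x, y} <= P_s | T_s, "inner predicates may only touch T_s"
    P_rem, T_rem = P - P_s, T - T_s
    rem = P_rem | T_rem

    # Arcs with both ends outside the subnet are kept unchanged.
    F_new = {(x, y) for (x, y) in F if x in rem and y in rem}
    L_new = {a: L[a] for a in F_new}
    # Arcs between a remaining predicate x and the subnet's transitions
    # collapse into (x, t) or (t, x); their labels are combined with '+'
    # (an OR flow relation), in a fixed order so the result is deterministic.
    for x in sorted(P_rem):
        into = sorted(y for y in T_s if (x, y) in F)
        if into:
            F_new.add((x, t))
            L_new[(x, t)] = " + ".join(L[(x, y)] for y in into)
        out = sorted(y for y in T_s if (y, x) in F)
        if out:
            F_new.add((t, x))
            L_new[(t, x)] = " + ".join(L[(y, x)] for y in out)
    upper = {"P": P_rem, "T": T_rem | {t}, "F": F_new, "L": L_new,
             "R": {u: R[u] for u in T_rem if u in R}}   # t gets no relation
    if destructive:
        return upper

    # Non-destructive: the subnet survives as a child net. Arcs that crossed
    # the border now end at '@p' and carry the labels combined with '*'.
    inner = P_s | T_s
    F_s = {(x, y) for (x, y) in F if x in inner and y in inner}
    L_s = {a: L[a] for a in F_s}
    for x in sorted(T_s):
        to_env = sorted(y for y in P_rem if (x, y) in F)
        if to_env:
            F_s.add((x, "@p"))
            L_s[(x, "@p")] = " * ".join(L[(x, y)] for y in to_env)
        from_env = sorted(y for y in P_rem if (y, x) in F)
        if from_env:
            F_s.add(("@p", x))
            L_s[("@p", x)] = " * ".join(L[(y, x)] for y in from_env)
    child = {"P": P_s | {"@p"}, "T": set(T_s), "F": F_s, "L": L_s,
             "R": {u: R[u] for u in T_s if u in R}}
    return upper, child


# Constructed net: p1 feeds t1 and t2, t1 fills p2, t2 drains p2 and fills p3,
# t3 drains p3. The T-subnet {p2} / {t1, t2} is the part to be abstracted.
EXAMPLE_NET = {
    "P": {"p1", "p2", "p3"},
    "T": {"t1", "t2", "t3"},
    "F": {("p1", "t1"), ("t1", "p2"), ("p2", "t2"), ("p1", "t2"),
          ("t2", "p3"), ("p3", "t3")},
    "L": {("p1", "t1"): "x", ("t1", "p2"): "x", ("p2", "t2"): "x",
          ("p1", "t2"): "y", ("t2", "p3"): "<x,y>", ("p3", "t3"): "z"},
    "R": {"t1": "x > 0", "t2": "true", "t3": "true"},
}

if __name__ == "__main__":
    upper, child = abstract_t_subnet(EXAMPLE_NET, {"p2"}, {"t1", "t2"}, "t",
                                     destructive=False)
    print("upper level arcs:", sorted(upper["L"].items()))
    print("child net arcs:  ", sorted(child["L"].items()))
```

Running the example, the two arcs from p1 into the subnet become the single arc (p1,t) labelled x + y in the upper level net, while in the child net the same two arcs appear as (@p,t1) labelled x and (@p,t2) labelled y, so the flows on either side of the border match.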

Refinement rule for predicates

Let N = (P, T; F, L, R) be a PrT net; a single predicate p of N can be refined by using a new PrT net N_s = (P_s, T_s; F_s, L_s, R_s) along a subset sub(P_s) of P_s, with all predicates in sub(P_s) having the same arity and (P ∪ T) ∩ (P_s ∪ T_s) = ∅.

1. Connected refinement. The resulting PrT net N′ = (P′, T′; F′, L′, R′) is algebraically defined as

$$
\begin{aligned}
P' &= (P - \{p\}) \cup P_s\\
T' &= T \cup T_s\\
F' &= \{(x,y) \mid x,y \in (P - \{p\}) \cup T \wedge (x,y) \in F\} \cup F_s\\
   &\quad \cup \{(x,y) \mid x \in T \wedge (x,p) \in F \wedge y \in \mathrm{sub}(P_s)\}\\
   &\quad \cup \{(y,x) \mid x \in T \wedge (p,x) \in F \wedge y \in \mathrm{sub}(P_s)\}\\
L' &= \{(x,y) \mapsto L(x,y) \mid x,y \in (P - \{p\}) \cup T \wedge (x,y) \in F\} \cup L_s\\
   &\quad \cup \{(x,y) \mapsto L(x,p) \mid x \in T \wedge (x,p) \in F \wedge y \in \mathrm{sub}(P_s)\}\\
   &\quad \cup \{(y,x) \mapsto L(p,x) \mid x \in T \wedge (p,x) \in F \wedge y \in \mathrm{sub}(P_s)\}\\
R' &= R \cup R_s
\end{aligned}
$$

Figure 11. An example of a non-destructive T-subnet abstraction

Graphically, the predicate p of N is deleted, and the arcs connecting p in N are now connected to predicates in the subset sub(P_s) of P_s. Figure 12 shows an example of a connected refinement of a predicate.

Semantically, the behavioral and causal relationships between the replacing subnet and the rest of N remain the same as those between the replaced predicate p and the rest of N. The meaning of this kind of refinement is similar to that of a macro expansion.

The usefulness of this kind of refinement is to develop a PrT net specification in a stepwise fashion by adding a little more detail each time.

2. Separated refinement. The resulting PrT net specification consists of an upper level parent PrT net N′ = N and a lower level child PrT net N′_s = (P′_s, T′_s; F′_s, L′_s, R′_s), where

$$
\begin{aligned}
P'_s &= P_s\\
T'_s &= T_s \cup \{@t\}\\
F'_s &= F_s \cup \{(@t,y) \mid y \in \mathrm{sub}(P_s)\} \cup \{(y,@t) \mid y \in \mathrm{sub}(P_s)\}
\end{aligned}
$$

where @t is a new transition introduced to denote the outside environment. Graphically, the solid circle for the predicate p is now replaced by a dotted circle in the parent net N′. The child net N′_s is enclosed by a dotted circle associated with the name p. Non-terminating arcs are created for each predicate in the subset sub(P_s) and are inscribed with corresponding labels in L′_s to reflect the correct flows between N′_s and N′. Figure 13 shows an example of a separated refinement of a predicate.

Figure 12. A connected refinement of the predicate p1

Semantically, the behavioral and causal relationships between the replacing subnet and the rest of N remain the same as those between the replaced predicate p and the rest of N. The data flows between N′_s and N′ have been kept correctly by the non-terminating arcs and their associated labels. The causal relationship between N′_s and N′ is like that between a main program and its subprogram in a typical procedural programming language. The predicate p in the parent net acts like a program unit specification and the corresponding child net acts like a program unit body definition, as in Ada.

The usefulness of this kind of refinement is to transform an initial simple PrT net specification into a set of hierarchical PrT nets such that each of them has a small and manageable size, and to create an understandable PrT net overview appropriate for a specific purpose at some abstraction level. This kind of refinement introduces hierarchies into a PrT net specification in a stepwise top-down approach.

Refinement rule for transitions

Let N = (P, T; F, L, R) be a PrT net; a single transition t of N can be refined by using a new PrT net N_s = (P_s, T_s; F_s, L_s, R_s) along a subset sub(T_s) of T_s with (P ∪ T) ∩ (P_s ∪ T_s) = ∅.

1. Connected refinement. The resulting PrT net N′ = (P′, T′; F′, L′, R′) is algebraically defined as

$$
\begin{aligned}
P' &= P \cup P_s\\
T' &= (T - \{t\}) \cup T_s\\
F' &= \{(x,y) \mid x,y \in (T - \{t\}) \cup P \wedge (x,y) \in F\} \cup F_s\\
   &\quad \cup \{(x,y) \mid x \in P \wedge (x,t) \in F \wedge y \in \mathrm{sub}(T_s)\}\\
   &\quad \cup \{(y,x) \mid x \in P \wedge (t,x) \in F \wedge y \in \mathrm{sub}(T_s)\}\\
L' &= \{(x,y) \mapsto L(x,y) \mid x,y \in (T - \{t\}) \cup P \wedge (x,y) \in F\} \cup L_s\\
   &\quad \cup \{(x,y) \mapsto L(x,t) \mid x \in P \wedge (x,t) \in F \wedge y \in \mathrm{sub}(T_s)\}\\
   &\quad \cup \{(y,x) \mapsto L(t,x) \mid x \in P \wedge (t,x) \in F \wedge y \in \mathrm{sub}(T_s)\}\\
R' &= \{x \mapsto R(x) \mid x \in T - \{t\}\} \cup R_s
\end{aligned}
$$

Figure 13. A separated refinement of the predicate p1

Graphically, the transition t of N is deleted, and the arcs connecting t in N are connected to transitions in the subset sub(T_s) of T_s. Figure 14 shows an example of a connected refinement of a transition.

The semantics and usefulness of this kind of refinement for a transition are the same as those for a predicate.

2. Separated refinement. The resulting PrT net consists of an upper level parent PrT net N′ = N and a lower level child PrT net N′_s = (P′_s, T′_s; F′_s, L′_s, R′_s), where

$$
\begin{aligned}
P'_s &= P_s \cup \{@p\}\\
T'_s &= T_s\\
F'_s &= F_s \cup \{(@p,y) \mid y \in \mathrm{sub}(T_s)\} \cup \{(y,@p) \mid y \in \mathrm{sub}(T_s)\}\\
L'_s &= L_s \cup \{(@p,y) \mapsto L(x,t) \mid x \in P \wedge (x,t) \in F \wedge y \in \mathrm{sub}(T_s)\}\\
     &\quad \cup \{(y,@p) \mapsto L(t,x) \mid x \in P \wedge (t,x) \in F \wedge y \in \mathrm{sub}(T_s)\}\\
R'_s &= \{x \mapsto R(x) \mid x \in T - \{t\}\} \cup R_s
\end{aligned}
$$

where @p is a new predicate introduced to denote the outside environment. Graphically, the solid box for the transition t is now replaced by a dotted box in the parent net N′. The child net N′_s is enclosed by a dotted box associated with the name t. Non-terminating arcs are created for each transition in the subset sub(T_s) and are inscribed with corresponding labels in L′_s to reflect the correct flows between the child net N′_s and the parent net N′. Figure 15 shows an example of a separated refinement of a transition.

The semantics and usefulness of this kind of refinement for a transition are the same as those for a predicate.
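Both refinement rules, for predicates (under "Refinement rule for predicates" above) and for transitions, are realized by the following added Python example, which is not the paper's own code. Because the two rules are symmetric, one function refines a component of either kind, connected or separated. The nets are constructed for the example; the way labels of several parent arcs are combined on the environment arcs of a separated child net, and the restriction of the child's relations to the subnet's own, are assumptions stated in the comments.

```python
# Added example (not from the paper): the refinement rules for predicates and
# for transitions, connected and separated. The rules are symmetric, so one
# function handles a node of either kind. A net is a dict with P, T (sets),
# F (set of arcs), L (arc -> label), R (transition -> relational expression)
# and an optional "dotted" set recording components drawn dotted.

def _kind(net, node):
    if node in net["P"]:
        return "P"
    if node in net["T"]:
        return "T"
    raise KeyError(f"{node} is not a component of the net")


def refine_connected(net, node, subnet, sub):
    """Connected refinement of `node` by `subnet` along `sub`, a subset of the
    subnet's components of the same kind as `node`."""
    kind = _kind(net, node)
    if (net["P"] | net["T"]) & (subnet["P"] | subnet["T"]):
        raise ValueError("subnet components must be disjoint from the net")
    if not sub <= subnet[kind]:
        raise ValueError(f"sub must be a subset of the subnet's {kind}")
    # Arcs not touching the refined node are kept; the subnet's arcs are added.
    keep = {(x, y) for (x, y) in net["F"] if node not in (x, y)}
    F_new = keep | subnet["F"]
    L_new = {a: net["L"][a] for a in keep}
    L_new.update(subnet["L"])
    # Every arc into the node is redirected to each member of sub, and every
    # arc out of the node now leaves from each member of sub; labels are copied.
    for x, y in net["F"]:
        if y == node:
            for z in sub:
                F_new.add((x, z))
                L_new[(x, z)] = net["L"][(x, y)]
        elif x == node:
            for z in sub:
                F_new.add((z, y))
                L_new[(z, y)] = net["L"][(x, y)]
    R_new = {u: r for u, r in net["R"].items() if u != node}
    R_new.update(subnet["R"])
    return {"P": (net["P"] - {node}) | subnet["P"],
            "T": (net["T"] - {node}) | subnet["T"],
            "F": F_new, "L": L_new, "R": R_new}


def refine_separated(net, node, subnet, sub):
    """Separated refinement: the parent keeps `node`, now drawn dotted; the
    child net gets an environment component ('@t' for a refined predicate,
    '@p' for a refined transition) joined to every member of sub."""
    kind = _kind(net, node)
    if not sub <= subnet[kind]:
        raise ValueError(f"sub must be a subset of the subnet's {kind}")
    env = "@t" if kind == "P" else "@p"
    # Labels of the parent's arcs into and out of the node, in a fixed order.
    # Assumption: when several parent arcs exist their labels are combined
    # with '*' as in the non-destructive abstraction rule; the paper's formula
    # names a single label L(x,t) per arc without saying how several combine.
    into = " * ".join(net["L"][a] for a in sorted(net["F"]) if a[1] == node)
    out = " * ".join(net["L"][a] for a in sorted(net["F"]) if a[0] == node)
    F_s = set(subnet["F"]) | {(env, y) for y in sub} | {(y, env) for y in sub}
    L_s = dict(subnet["L"])
    for y in sub:
        L_s[(env, y)] = into
        L_s[(y, env)] = out
    child = {"P": subnet["P"] | ({env} if kind == "T" else set()),
             "T": subnet["T"] | ({env} if kind == "P" else set()),
             "F": F_s, "L": L_s,
             "R": dict(subnet["R"])}  # assumption: only the subnet's relations
    parent = {**net, "dotted": net.get("dotted", set()) | {node}}
    return parent, child


# Constructed nets: a chain p1 -> t1 -> p2 -> t2 -> p3, a subnet refining a
# predicate (q1 -> u1 -> q2) and a subnet refining a transition (v1 -> r1 -> v2).
CHAIN = {"P": {"p1", "p2", "p3"}, "T": {"t1", "t2"},
         "F": {("p1", "t1"), ("t1", "p2"), ("p2", "t2"), ("t2", "p3")},
         "L": {("p1", "t1"): "x", ("t1", "p2"): "x",
               ("p2", "t2"): "y", ("t2", "p3"): "y"},
         "R": {"t1": "true", "t2": "true"}}
SUB_FOR_P = {"P": {"q1", "q2"}, "T": {"u1"}, "F": {("q1", "u1"), ("u1", "q2")},
             "L": {("q1", "u1"): "x", ("u1", "q2"): "y"}, "R": {"u1": "true"}}
SUB_FOR_T = {"P": {"r1"}, "T": {"v1", "v2"}, "F": {("v1", "r1"), ("r1", "v2")},
             "L": {("v1", "r1"): "x", ("r1", "v2"): "x"},
             "R": {"v1": "true", "v2": "true"}}

if __name__ == "__main__":
    print(sorted(refine_connected(CHAIN, "p2", SUB_FOR_P, {"q1", "q2"})["F"]))
    parent, child = refine_separated(CHAIN, "t1", SUB_FOR_T, {"v1"})
    print(parent["dotted"], sorted(child["L"].items()))
```

The disjointness check in refine_connected is the condition (P ∪ T) ∩ (P_s ∪ T_s) = ∅ of both rules; the "dotted" set on the parent is what a later decomposition or synthesis must inspect, since the consistency section forbids those operations on nets holding dotted components.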

It is easy to see that abstraction and refinement transformation techniques are both transitive. Therefore, such transformations can be performed in a stepwise and hierarchical fashion so that the most important part of a PrT net specification of current interest can be focused on and studied separately. The above rules guarantee both the algebraic and the graphical well-definedness as well as the consistency of a PrT net specification under every single transformation step. The consistency of the development of a complete PrT net specification with more than one transformation step is discussed in a later section.

Figure 14. A connected refinement of the transition t1

Figure 15. A separated refinement of the transition t1

Modular development of predicate transition net specifications

In this section, two modular transformation techniques—synthesis and decomposition—are presented, which are quite different from the hierarchical transformation techniques. Synthesis and decomposition are used to transform a PrT net at the same abstraction level; therefore they are horizontal transformation techniques whereas abstraction and refinement are vertical transformation techniques. Synthesis and decomposition change the domain of the system being modelled, whereas abstraction and refinement do not. Synthesis either connects two existing PrT nets into a new PrT net or adds additional components to an existing PrT net; thus it enlarges the domain of the system being modelled. Decomposition divides an existing PrT net into two subnets; therefore it reduces the domain of the system being modelled.

Synthesis and decomposition are generally useful techniques akin to the modular programming and divide-and-conquer techniques. Decomposition is the most useful approach to divide a large PrT net specification into many small manageable and understandable PrT net specifications and to deal with them separately. Synthesis is the most useful approach to construct a larger PrT net specification from existing smaller PrT net specifications and to analyse the global properties of a larger system from the properties of its component specifications. Therefore the synthesis technique makes PrT net specifications reusable and compositional.

The decomposition and refinement techniques can be used together as a top-down methodology for developing PrT net specifications. The synthesis and abstraction techniques can be employed together as a bottom-up methodology for building PrT net specifications.

In this section, the rules for applying decomposition and synthesis transformation techniques in developing PrT net specifications are presented, discussed and illustrated through examples.


Decomposition rule

Let N = (P, T; F, L, R) be a net, N_1 = (P_1, T_1; F_1, L_1, R_1) be its subnet and bd(N_1) be the border of N_1 in N; a bd(N_1)-division of N results in two subnets: N_1 and N_2 = (P_2, T_2; F_2, L_2, R_2), where

$$
\begin{aligned}
P_2 &= (P - P_1) \cup (P \cap \mathrm{bd}(N_1))\\
T_2 &= (T - T_1) \cup (T \cap \mathrm{bd}(N_1))\\
F_2 &= F - F_1\\
L_2 &= \{(x,y) \mapsto L(x,y) \mid (x,y) \in F_2\}\\
R_2 &= R - R_1
\end{aligned}
$$

1. Destructive decomposition (the subnet N_2 is discarded). Graphically, the subnet N_2 is deleted from the PrT net N. Semantically, only the behaviour of the subnet N_1 matters. This kind of transformation is useful when only a part of a PrT specification for a large system is of current interest and the remainder of the specification can be neglected.

2. Non-destructive decomposition (the subnet N_2 is saved for other purposes). Graphically, the PrT net N is divided along the border bd(N_1) into two subnets N_1 and N_2 as defined above. Figure 16 shows an example of this kind of decomposition. Semantically, an execution of the subnet N_1 can extend to the subnet N_2 and vice versa. This kind of decomposition is useful when a PrT net specification is too complicated to be studied as a whole.

Synthesis rule

Let N_1 = (P_1, T_1; F_1, L_1, R_1) and N_2 = (P_2, T_2; F_2, L_2, R_2) be two PrT nets with (P_1 ∪ T_1) ∩ (P_2 ∪ T_2) = ∅, F be the set of new arcs to connect N_1 and N_2 such that (x,y) ∈ F ⊃ (x,y) ∈ (P_1 × T_2) ∪ (P_2 × T_1) ∪ (T_2 × P_1) ∪ (T_1 × P_2), and L be the set of new labels inscribing arcs in F. The new PrT net N′ = (P′, T′; F′, L′, R′) obtained from synthesizing N_1 and N_2 is algebraically defined as follows:

$$
\begin{aligned}
P' &= P_1 \cup P_2\\
T' &= T_1 \cup T_2\\
F' &= F_1 \cup F_2 \cup F\\
L' &= L_1 \cup L_2 \cup L\\
R' &= R_1 \cup R_2
\end{aligned}
$$

Figure 16. An example of a non-destructive decomposition of N along bd(N_1) = {t1}

1. Consumable synthesis (the subnets N_1 and N_2 are consumed). Graphically, the new PrT net N′ is obtained by connecting N_1 and N_2 with the new arcs in F and by inscribing the new arcs with the corresponding labels in L. The subnets N_1 and N_2 are discarded. Figure 17 shows an example of this kind of synthesis. Semantically, an execution of N′ involves components in both N_1 and N_2 through the set of new arcs in F. The usefulness of this kind of synthesis is to construct a large PrT net specification modularly from existing small PrT net specifications.

2. Non-consumable synthesis (the subnets N_1 and N_2 are saved for other purposes). Graphically, the new PrT net N′ is obtained by connecting N_1 and N_2 with the new arcs in F and by inscribing the new arcs with the corresponding labels in L. Both subnets N_1 and N_2 are saved for other uses. Semantically, an execution of N′ involves components in both N_1 and N_2 through the set of new arcs in F, and the semantics of the subnets remains unchanged. The usefulness of this kind of synthesis is to construct a PrT net specification from existing small PrT net specifications and to save those small PrT specifications for reuse.
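The decomposition rule above and the synthesis rule, together with the checks that the consistency section later requires of them (no decomposition of a net holding a dotted component, no new arc touching a dotted component, disjoint components), are shown in the following added Python example, which is not the paper's own code. The border bd(N_1) is computed from the arcs as stated in the comment, an assumption since its definition lies outside this section; the nets are constructed, with the arcs and labels of the synthesis taken from Figure 17.

```python
# Added example (not from the paper): the decomposition and synthesis rules,
# including the checks the consistency section requires of successive
# transformations. A net is a dict with P, T (sets), F (set of arcs),
# L (arc -> label), R (transition -> relation) and an optional "dotted" set.
from itertools import product


def decompose(net, P1, T1):
    """bd(N1)-division of net into N1 = (P1, T1, ...) and N2.

    Assumption: bd(N1) is taken as the components of N1 that an arc of net
    joins to a component outside N1; N1's own arcs F1 are those with both
    ends in N1, so N2 receives every arc crossing the border.
    """
    if net.get("dotted"):
        raise ValueError("decomposition is only allowed without dotted components")
    nodes1 = P1 | T1
    F1 = {(x, y) for (x, y) in net["F"] if x in nodes1 and y in nodes1}
    border = {n for arc in net["F"] - F1 for n in arc if n in nodes1}
    N1 = {"P": set(P1), "T": set(T1), "F": F1,
          "L": {a: net["L"][a] for a in F1},
          "R": {u: r for u, r in net["R"].items() if u in T1}}
    F2 = net["F"] - F1
    N2 = {"P": (net["P"] - P1) | (net["P"] & border),
          "T": (net["T"] - T1) | (net["T"] & border),
          "F": F2,
          "L": {a: net["L"][a] for a in F2},
          "R": {u: r for u, r in net["R"].items() if u not in T1}}  # R - R1
    return N1, N2, border


def synthesis_check(n1, n2, new_F, new_L):
    """Return None if n1 and n2 may be synthesized with the new arcs new_F and
    labels new_L, otherwise the reason the rule is violated."""
    if (n1["P"] | n1["T"]) & (n2["P"] | n2["T"]):
        return "the two nets share components"
    # Each new arc joins a predicate of one net to a transition of the other.
    allowed = (set(product(n1["P"], n2["T"])) | set(product(n2["P"], n1["T"]))
               | set(product(n2["T"], n1["P"])) | set(product(n1["T"], n2["P"])))
    bad = set(new_F) - allowed
    if bad:
        return f"arcs do not run between a predicate and a transition of different nets: {sorted(bad)}"
    dotted = n1.get("dotted", set()) | n2.get("dotted", set())
    if any(x in dotted or y in dotted for x, y in new_F):
        return "new arcs must not connect dotted components"
    if set(new_L) != set(new_F):
        return "every new arc needs exactly one label"
    return None


def synthesize(n1, n2, new_F, new_L):
    """Consumable synthesis: the union of both nets plus the new labelled arcs."""
    problem = synthesis_check(n1, n2, new_F, new_L)
    if problem:
        raise ValueError(problem)
    return {"P": n1["P"] | n2["P"], "T": n1["T"] | n2["T"],
            "F": n1["F"] | n2["F"] | set(new_F),
            "L": {**n1["L"], **n2["L"], **new_L},
            "R": {**n1["R"], **n2["R"]}}


# Constructed nets. CHAIN is divided along the border of ({p1, p2}, {t1});
# FIG17_N1 and FIG17_N2 carry only what Figure 17 states about the new arcs.
CHAIN = {"P": {"p1", "p2", "p3"}, "T": {"t1", "t2"},
         "F": {("p1", "t1"), ("t1", "p2"), ("p2", "t2"), ("t2", "p3")},
         "L": {("p1", "t1"): "a", ("t1", "p2"): "b",
               ("p2", "t2"): "c", ("t2", "p3"): "d"},
         "R": {"t1": "true", "t2": "true"}}
FIG17_N1 = {"P": {"p1", "p2"}, "T": {"t1", "t2"},
            "F": {("p1", "t1"), ("p2", "t2")},
            "L": {("p1", "t1"): "w", ("p2", "t2"): "z"},
            "R": {"t1": "true", "t2": "true"}}
FIG17_N2 = {"P": {"p3"}, "T": {"t3"}, "F": {("p3", "t3")},
            "L": {("p3", "t3"): "w"}, "R": {"t3": "true"}}
FIG17_ARCS = {("t1", "p3"): "w", ("t2", "p3"): "z"}

if __name__ == "__main__":
    n1, n2, border = decompose(CHAIN, {"p1", "p2"}, {"t1"})
    print("border:", border, "N2 arcs:", sorted(n2["F"]))
    print("synthesized arcs:", sorted(synthesize(FIG17_N1, FIG17_N2, set(FIG17_ARCS), FIG17_ARCS)["F"]))
```

The check function is separated from the constructor so that a tool can report why a proposed synthesis is rejected; the ordering of the checks follows the rule's own conditions first and the consistency section's restriction on dotted components afterwards.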

Figure 17. An example of consumable synthesis of N_1 and N_2 with F = {(t1,p3), (t2,p3)} and L = {(t1,p3) → {w}, (t2,p3) → {z}}


THE CONSISTENCY OF THE TRANSFORMATION TECHNIQUES

Three different types of consistency are distinguished in this paper: (1) the resulting PrT net(s) after a transformation is (are) graphically and structurally well-defined, (2) the resulting PrT net(s) after a transformation is (are) algebraically well-defined, and (3) the resulting PrT net(s) is (are) behaviorally well-defined such that the data flows and control flows between a parent PrT net and its child PrT nets are balanced. Although every single transformation rule ensures the consistency between the resulting net(s) and its immediate predecessor, the consistency of the development of a complete PrT net specification still needs to be validated. There are 16 different combinations of applying the four different transformation techniques—abstraction, refinement, decomposition and synthesis—introduced in a previous section. In this section, the consistency of successive transformations is discussed.

1. Refinement-refinement

Connected refinement–connected refinement and connected refinement–separated refinement

The consistency is ensured from the definitions of the above transformations. However, too many connected refinement–connected refinement transformations make a PrT net grow too large and should be restricted.

Separated refinement-connected refinement

If the net component under the connected refinement is a solid component, then such a successive transformation ensures the consistency since the two kinds of transformation do not affect each other.

If the net component under the connected refinement is a dotted component, then the connected refinement replaces the dotted component and all its descendant PrT net(s) with a new PrT net. The dotted component in the upper level PrT net and all its descendant PrT net(s) are discarded. Thus the consistency is ensured.

Separated refinement-separated refinement

If the net component under the second separated refinement is a solid component, then such a successive transformation ensures the consistency because the two transformations do not affect each other.

If the net component under the second separated refinement is a dotted component, then the results of the first separated refinement are completely—graphically, algebraically and semantically—replaced by the results of the second separated refinement. Thus the consistency is ensured.

2. Abstraction-abstraction

Destructive abstraction–destructive abstraction and destructive abstraction–non-destructive abstraction

The consistency is ensured from the definitions of the above transformations.


Non-destructive abstraction–destructive abstraction

If the subnet under the destructive abstraction does not contain any dotted component, then such a successive transformation ensures the consistency since the two kinds of transformation do not affect each other.

If the subnet under the destructive abstraction contains some dotted component, then the subnet is replaced by a single component of the same type with new arcs and labels as defined in the destructive abstraction rule. All descendant PrT nets of the dotted components in the subnet are discarded. Thus the consistency is ensured. The destructive abstraction should be applied very carefully since it destroys lower level PrT nets.

Non-destructive abstraction–non-destructive abstraction

The consistency is ensured from the definition of the non-destructive abstraction.

3. Refinement-abstraction

Connected refinement–destructive abstraction and connected refinement–non-destructive abstraction

The consistency is ensured as in non-destructive abstraction–destructive abstraction.

Separated refinement-non-destructive abstraction

The consistency is ensured as in non-destructive abstraction–non-destructive abstraction.

4. Abstraction-refinement

Destructive abstraction–connected refinement and destructive abstraction–separated refinement

The consistency is ensured from the definitions of the above transformations.

Non-destructive abstraction-connected refinement

The consistency is ensured as in separated refinement-connected refinement.

Non-destructive abstraction–separated refinement

The consistency is ensured as in separated refinement-separated refinement.

5. Decomposition-decomposition

The consistency is ensured from the definition of the transformation.


6. Synthesis–synthesis

The consistency is ensured from the definition of the transformation.

7. Decomposition-synthesis

Destructive decomposition–synthesis

The consistency is ensured from the definitions of the above transformations.

Non-destructive decomposition–synthesis

If the two nets under the synthesis are the result of the non-destructive decomposition, then the result of the synthesis is the net before the decomposition. Thus the consistency is ensured.

If the two nets under the synthesis are not the result of the non-destructive decomposition, then all components in the newly added net must be different from those in both nets obtained from the non-destructive decomposition to ensure the consistency.

8. Synthesis-decomposition

Consumable synthesis–decomposition

The consistency is ensured from the definitions of the above transformations.

Non-consumable synthesis–destructive decomposition

The consistency is ensured from the definitions of the above transformations.

Non-consumable synthesis–non-destructive decomposition

The consistency is ensured from the definitions of the above transformations.

9. Refinement-decomposition

To ensure the consistency, the decomposition is only allowed on a net without an enclosed dotted component; otherwise, the balance between a parent net and its child net may be destroyed.

10. Abstraction-decomposition

To ensure the consistency, the decomposition is only allowed on a net without an enclosed dotted component; otherwise, the balance between a parent net and its child net may be destroyed.


11. Decomposition-refinement


Destructive decomposition–refinement

The consistency is ensured by the definitions of the above transformations.

Non-destructive decomposition–refinement

The components introduced during the refinement must be different from those in both nets obtained from the non-destructive decomposition. Thus the consistency is ensured.

12. Decomposition-abstraction

Destructive decomposition–abstraction

The consistency is ensured by the definitions of the above transformations.

Non-destructive decomposition–abstraction

The consistency is ensured by requiring the components introduced during the abstraction to be different from those in both nets obtained from the decomposition.

13. Refinement-synthesis

In order to ensure consistency, the components in both nets during the synthesis must be different, and no new arcs may connect any dotted components; otherwise, the balance between a parent net and its child net would be destroyed.

14. Abstraction-synthesis

The consistency is ensured as in refinement-synthesis.

15. Synthesis-refinement

The consistency is ensured from the definitions of the above transformations.

16. Synthesis-abstraction

The consistency is ensured from the definitions of the above transformations.

The development of a complete PrT net specification consists of a series of transformations of the above 16 different patterns. The consistency of the complete development is thus ensured from the consistency of each of the above 16 different combinations of transformations.


A PREDICATE TRANSITION NET SPECIFICATION OF A LIFT SYSTEM

In this section, the application of the transformation techniques of PrT nets is illustrated through the specification of a lift system revised from Reference 16.

A lift system with n lifts is to be installed in a building with m floors. The internal control mechanisms of the lift system are assumed. The problem concerns the logic to move lifts between floors according to the following constraints.

1. Each lift has a set of buttons, one for each floor. The buttons illuminate when pressed and cause the lift to visit the corresponding floor. The illumination is cancelled when the corresponding floor is visited by the lift.

2. Each floor has two summon buttons (except ground and top floor), one to request an up-lift and one to request a down-lift. These buttons illuminate when pressed. The illumination is cancelled when a lift visits the floor with the desired moving direction, or has no outstanding requests.

3. When a lift has no requests to service, it should remain at its final destination with its door closed and await further requests.

4. All destination requests for lifts from the floors must be served eventually, with all floors given equal priority.

5. All summon requests for floors within the lift must be serviced eventually, with floors being serviced sequentially in the direction of travel.

Initially, the lift system is abstracted as a set of lifts and a set of floors which interact with a control system. Since requests for service originate either from floors and/or from within lifts, it is natural to view floors and lifts as two high-level transitions and the control system as a predicate for recording the current status of the various lifts. Therefore the highest level abstraction of the lift system is shown in Figure 18, where the transitions and the predicate are to be further refined, and thus are represented by dotted symbols.

The possible data flow from each lift to the control system is represented by a tuple (l,f) where l and f denote the lift number and the destination floor number, respectively. Correspondingly, the possible data flow from the control system to the set of lifts is also represented by a tuple (l,f) where l and f represent a lift number and the floor number reached by the lift l, respectively. This information is used to cancel the illuminating button. The lift number can be omitted when there is only one lift in the lift system.

The possible data flow from a floor to the control system is represented by a tuple (f,d) where f and d stand for the summoning floor number and the desired moving direction from the floor f, respectively. The possible data flow from the control system to the floors is also represented by a tuple (f,d) where f and d stand for the floor number reached by a lift and the moving direction of the lift, respectively. The information is used to cancel the corresponding illuminating summon button on the floor f.

Figure 18. The top level abstraction of the lift system

Figure 19. A refinement of Lifts

The semantics of PrT nets allows the concurrent flows of data information through the labels (l,f) and (f,d) by instantiating l and f with different constants, respectively. For example, destination requests from lift 2 to floor 6 and from lift 4 to floor 1 can pass through the channel labelled by (l,f) at the same time.

A refinement of the transition Lifts in Figure 18 is shown in Figure 19, where the transition Press-Button captures the action of pressing a button in a set of buttons each corresponding to a floor. The state that a specific button is pressed and illuminated is captured in the predicate Light with a token indicating the destination floor number. Once a destination floor is reached, the transition Turn-off-Light cancels the illuminating button by consuming the corresponding token. The relational expression 1 ≤ l ≤ n ∧ 1 ≤ f ≤ m specifies the domain of token values representing lifts and floors, respectively.

A refinement of the transition Floors is shown in Figure 20, where the transition Press-Button captures the action of pressing a floor button. The relational expression inside the transition Press-Button specifies the domain of the direction—either Up or Down—and the domain of token values representing floors. For floor m the relational expression only contains x = Down and for floor 1 the relational expression only contains x = Up.
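The relational expressions of the two Press-Button transitions determine which bindings of (l,f) and (f,d) can flow into the Light and summon predicates. The following Python program is an added example, not part of the paper's specification; it encodes those guards and a set-based marking of the predicates (a modelling assumption, as is the choice of n = 4 lifts and m = 6 floors) so that the cancellation by Turn-off-Light and the concurrent flow of two destination requests can be exercised.

```python
# Added example (not from the paper): the token domains and guards of the
# Press-Button and Turn-off-Light transitions in the Lifts and Floors
# refinements, as a small marking simulation. Predicate markings are modelled
# as sets of tokens, and the counts n and m are constructed values; neither
# choice is fixed by the paper.

N_LIFTS = 4    # n: number of lifts (constructed)
M_FLOORS = 6   # m: number of floors (constructed)


def lifts_guard(l, f):
    """Relational expression 1 <= l <= n and 1 <= f <= m of Press-Button in Lifts."""
    return 1 <= l <= N_LIFTS and 1 <= f <= M_FLOORS


def floors_guard(f, d):
    """Relational expression of Press-Button in Floors: the direction is Up or
    Down and the floor is in range; floor m offers only Down and floor 1 only Up."""
    if d not in ("Up", "Down") or not 1 <= f <= M_FLOORS:
        return False
    if f == M_FLOORS:
        return d == "Down"
    if f == 1:
        return d == "Up"
    return True


class LiftSystem:
    """Markings of the predicate Light (tokens (l, f): the button for floor f
    in lift l is lit) and of the floor summon predicate (tokens (f, d): the
    d-button on floor f is lit)."""

    def __init__(self):
        self.light = set()
        self.summon = set()

    def press_lift_button(self, l, f):
        """Press-Button in Lifts: fires only for bindings satisfying the guard."""
        if not lifts_guard(l, f):
            return False
        self.light.add((l, f))
        return True

    def press_summon_button(self, f, d):
        """Press-Button in Floors: fires only for bindings satisfying the guard."""
        if not floors_guard(f, d):
            return False
        self.summon.add((f, d))
        return True

    def lift_reaches(self, l, f, d):
        """The control system reports lift l at floor f moving in direction d:
        Turn-off-Light consumes the token (l, f) and the floor's (f, d) summon
        token is consumed, which cancels both illuminated buttons."""
        cancelled = []
        if (l, f) in self.light:
            self.light.discard((l, f))
            cancelled.append(("Light", (l, f)))
        if (f, d) in self.summon:
            self.summon.discard((f, d))
            cancelled.append(("Summon", (f, d)))
        return cancelled


def demo():
    """Destination requests from lift 2 to floor 6 and from lift 4 to floor 1
    flow through the channel (l, f) concurrently, as the text describes; the
    top floor summon for Down is then cancelled when lift 2 arrives."""
    system = LiftSystem()
    system.press_lift_button(2, 6)
    system.press_lift_button(4, 1)
    system.press_summon_button(6, "Down")
    cancelled = system.lift_reaches(2, 6, "Down")
    return system, cancelled


if __name__ == "__main__":
    state, cancelled = demo()
    print("cancelled:", cancelled)
    print("still lit:", state.light, state.summon)
```

Bindings outside the domain, such as a fifth lift or floor 0, are refused by the guard rather than silently entering the predicate, which is exactly the role the relational expression plays in the net.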

Further refinement of a single lift or a floor will not reveal any interesting information, and therefore should stop.

Figure 20. A refinement of Floors


Figure 21. A refinement of the control system

The predicate Control-System can naturally be refined as in Figure 21, where four predicates correspond to the pools of two different kinds of requesting information—destination requests from lifts and summon requests from floors—and two kinds of indication information, to lifts and floors, respectively. The transition Schedule-System receives the requests, and sends the reached floor information to each lift and/or floor.

A further refinement of the transition Schedule-System is shown in Figure 22, where the transition Control-Lifts represents the actual mechanism for detecting the floors and for moving the lifts. The transition Select-Summon selects a summon request as the next floor to be visited by a lift according to the current status of each lift. The strategy for selecting a lift can be defined by writing a procedural specification for the predicate Select-Summon. Similarly, the transition Select-Destination selects the next floor to be visited by a lift according to its current status. The strategy for selecting the next floor can also be defined by writing a procedural specification for the predicate Select-Destination. Further refinements of the above transitions are possible, but not very desirable, for the comprehension reason. The predicate Lift-Status stores the current status of all lifts. The status of a lift is changed once the lift has visited the next floor indicated by a data flow from the transition Control-Lift. The selected requests stored in the predicate Next-Floors are sent to the predicate Control-Lift to guide the movement of a selected lift.

Figure 22. A refinement of the Schedule-System

Thus far, a high-level hierarchical PrT net specification of the lift system has been described. A top-down transformation approach is employed by successively using the refinement technique. Alternatively, a bottom-up approach could also be used in developing a PrT net specification hierarchically. Through this example, it is clear that the applications of such transformation techniques not only overcome the complexity problem of specifying a large and complicated system, but also improve the comprehensibility of the resulting PrT net specifications.

DISCUSSION AND CONCLUSION

The modelling power of Petri nets has long been recognized and widely studied and applied; however, a systematic methodology for constructing structural and hierarchical Petri net specifications is still lacking. The major contribution of this paper is to shed some light on such a systematic development methodology for PrT nets. In this paper, a methodology for constructing PrT net specifications has been developed. The methodology consists of various transformation techniques—abstraction, refinement, decomposition and synthesis—which support both top-down and bottom-up development approaches.

In order to build structural and hierarchical Petri net specifications, both new graphical notations and algebraic extensions are needed. The new graphical notations employed in this paper were inspired by other graphical structured analysis and specification models, mainly data-flow diagrams 10 and state-charts. 11 The introduction of hierarchies into PrT nets was based on the levelling techniques of data-flow diagrams, and the adaptation of non-terminating arcs was from state-charts. The algebraic extensions to the definition of arcs were based on the analysis of the underlying operational semantics of PrT nets. The dynamic semantics—behaviour—of a hierarchical PrT net is interpreted as a concurrent program written in a concurrent programming language such as Ada.

The construction of a structured PrT net specification has the following major steps:

1. Identify active agents and passive objects. These agents and objects can be high-level ones and low-level ones. From the successful experience and principles of data-flow diagrams, the best approach to the PrT net specification of a large system is the mid-out approach, i.e. to start at the medium abstraction level, then to work upwards and downwards.

2. Connect the initially identified agents and objects, and derive any necessary ones to obtain a first-cut PrT net.


3. Refine and abstract the first-cut PrT net repeatedly by adding more details and presenting a higher level view, respectively. The balance of data flows and control flows between a parent PrT net and its child PrT nets must always be preserved. The number of net components of each PrT net in the hierarchy should be limited to under 10 to improve comprehensibility.

4. Decompose and synthesize the obtained structured PrT net(s) in order to break down a large system into a set of smaller systems and to integrate smaller systems into a larger system, respectively.

5. Stop further transformations when all major concurrent agents have been identified and included in the structured and hierarchical PrT net specification. The advantages of PrT nets lie in modelling concurrent systems. Further transformations will result in PrT net descriptions of the sequential components of systems, which are not appropriate and not desirable, and thus should be avoided.

We have recently learned of a similar research effort towards the introduction of hierarchies into high-level Petri nets. In Reference 15, the coloured Petri net model was employed: five different kinds of hierarchy constructs were informally introduced and incorporated into the execution model of coloured Petri nets. Considerable computer-aided software tools have been built to support the construction and execution of hierarchical coloured Petri nets. Although this research and ours were motivated by similar reasons and goals—to make Petri nets more structural and comprehensible and to make the process of constructing PrT nets more manageable—and started independently at almost the same time, the emphases are different: the work in Reference 15 emphasizes the modelling and the simulation (dynamic execution) power of hierarchical coloured Petri nets, whereas ours emphasizes the structural analysis and specification power of PrT nets. We believe that the power of the five hierarchy constructs in Reference 15 can be effectively captured by our refinement and abstraction transformation techniques, with the exception of recursive invocation transitions. A formal analysis and comparison is needed in order to determine the relationships between these two different approaches.

The future work of this research includes:

1. To build a set of computer-aided tools to support the application of various transformation techniques for building structured and hierarchical PrT net specifications.

2. To incorporate a different formalism to write specifications for the lowest level components of a PrT net specification, which will be based on our paradigm for integrating various formal specification and verification methods (Reference 17).

3. To investigate verification techniques for such structured and hierarchical PrT net specifications, which will also be based on our results of verifying flat PrT net specifications (Reference 18).

ACKNOWLEDGEMENTS

We would like to thank anonymous referees for pointing out several errors in the earlier versions of this paper and their suggestions for helping us to improve the quality of this paper greatly.


REFERENCES

1. W. Brauer, W. Reisig and G. Rozenberg (eds), Petri Nets: I—Central Models and Their Properties and II—Applications and Relationships to Other Models of Concurrency, Lecture Notes in Computer Science, 254 and 255, Springer-Verlag, 1987.

2. J. L. Peterson, Petri Net Theory and the Modelling of Systems, Prentice-Hall, 1981.

3. H. Barringer, ‘Formal specification techniques for parallel and distributed systems—a short review’, in J. Teller (ed.), Proceedings of the 3rd Joint Ada Europe/Ada TEC Conference, Brussels, 1984, pp. 281–294.

4. H. J. Genrich and K. Lautenbach, ‘System modelling with high level Petri nets’, Theoretical Computer Science, 13, 109–136 (1981).

5. O. J. Dahl, W. Dijkstra and C. A. R. Hoare, Structured Programming, Academic Press, N. Y., 1972.

6. N. Wirth, ‘Program development by stepwise refinement’, Communications of the ACM, 14, 221–227 (1971).

7. I. Suzuki and T. Murata, ‘A method for stepwise refinement and abstraction of Petri nets’, Journal of Computer and System Sciences, 27, 51–76 (1983).

8. W. Reisig, ‘Petri nets in software engineering’, Lecture Notes in Computer Science, 255, Springer-Verlag, 1987.

9. W. Reisig, ‘Embedded system description using Petri nets’, in A. Kundig, R. E. Buhrer and J. Dahler (eds), Embedded Systems, Springer-Verlag, 1987, pp. 18–62.

10. E. Yourdon, Modern Structured Analysis, Yourdon Press, 1990.

11. D. Harel, ‘On visual formalisms’, Communications of the ACM, 31, 514–530 (1988).

12. H. J. Genrich, ‘Predicate transition nets’, in Lecture Notes in Computer Science, 254, Springer-Verlag, 1987, pp. 207–247.

13. K. Jensen, ‘Colored Petri nets’, in Lecture Notes in Computer Science, 254, Springer-Verlag, 1987, pp. 248–299.

14. D. Harel, ‘Statechart: a visual formalism for complex systems’, Science of Computer Programming, 8, 231–274 (1987).

15. P. Huber, K. Jensen and R. M. Shapiro, ‘Hierarchies in colored Petri nets’, in Lecture Notes in Computer Science, 483, Springer-Verlag, 1990, pp. 313–341.

16. N. Davis, ‘The lift problem’, Proceedings of the 4th International Workshop on Software Specification and Design, Monterey, California, 1987.

17. X. He and J. A. N. Lee, ‘A strategy for integrating formalisms in software development’, Proceedings of the 6th Annual CIPS Edmonton Computer Conference, Edmonton, Canada, 1988, pp. 33–42.

18. X. He and J. A. N. Lee, ‘Integrating predicate transition nets with first order temporal logic in the specification and verification of concurrent systems’, Formal Aspects of Computing, 2, 226–246 (1990).