Faults and timing analysis in real-time distributed systems: A fuzzy time Petri-net-based approach
34
Transcript of Faults and timing analysis in real-time distributed systems: A fuzzy time Petri-net-based approach
1
Faults and Timing Analysis in Real-Time DistributedSystems: A Fuzzy Time Petri-Net-Based ApproachJorge C.A. de Figueiredoy and Angelo PerkusichzyDepartamento de Sistemas e Computa�c~aoUniversidade Federal da Para��baCaixa Postal 1010658109-970 - Campina Grande - PB - BrazilTelephone: +55 83 333 1929, Fax: +55 83 333 1698e-mail: [email protected] de Engenharia El�etricaUniversidade Federal da Para��baCaixa Postal 1010558109-970 - Campina Grande - PB - BrazilTelephone: +55 83 333 1000 R-412, Fax: +55 83 333 1650e-mail: [email protected] this paper we present a Petri-net-based approach to consider faults and timinganalysis in real-time distributed systems. The proposed approach is based on FuzzyTime G-Nets which is the integration of two Petri Nets extensions: Fuzzy Time PetriNet (timing Petri net extension) and G-Nets (Petri net extended with object orientedconcepts). We show how to perform timing analysis using the proposed approach. Wealso show that Fuzzy Time G-Nets can be used to represent fault-tolerant techniquesand to consider anticipated faults.Keywords: fuzzy time intervals, Petri nets, fault-tolerance, distributed real-time sys-tems.�Published in: International Journal Fuzzy Sets and Systems, Vol. 83, Num. 3, 1996, North-Holland, pp.143{168.
1 IntroductionThe development of large and complex systems requires powerful modeling and analysis tools in order to treatthe inherent complexity of such systems. For several reasons, as for example �rm mathematical foundationand graphical representation, Petri nets have been widely used in the modeling and analysis of complexsystems [28]. In the case of complex real-time systems, both logical and timing aspects must be considered.Since the original Petri net model does not allow representation of timing constraints, several extensionshave been proposed in order to incorporate of timing aspects into Petri nets. Generally speaking, Petri netswere extended using either a deterministic [19, 25, 34, 40] or stochastic [1, 20, 26] approach. Each extensionhas its own advantages and limitations.The natural trend of the computing world is moving toward the concept of distributed systems [37].As a consequence of the increasing popularity of computing systems in complex critical applications, issuesrelated to safety and fault tolerance of systems have gained importance in the past years. A system isfault-tolerant if it maintains full performance and functional capabilities in the presence of faults. Severalfault-tolerant techniques have been proposed in order to address di�erent types of failures [3, 5, 21, 22, 38].Those techniques can be widely classi�ed as backward or forward fault-tolerant techniques.In the case of real-time distributed system (RTDS), a high degree of reliability, availability, and safetyis required. The system must guarantee performance as speci�ed in the domains of value and time [23,31]. Considering the above requirements, the designer of a RTDS must adopt an approach that supportsthe systematic introduction of time dependent and non-time dependent fault-tolerant properties into acomponent. The well-known fault-tolerant techniques, when applied to real-time systems, present severaldrawbacks since we must take into consideration the recovery latency that can cause the violation of timingconstraints. Thus, the consideration of anticipated faults and operational conditions arises as a trend offault tolerance in real-time systems [27].The purpose of this paper is twofold. First we introduce an approach to perform timing analysis ofcomplex real-time systems. Second, we apply the proposed approach in order to de�ne fault-tolerant schemesand to treat anticipated faults.The proposed approach named Fuzzy Time G-Nets (FTG-Nets) is based on two Petri Nets extensions:Fuzzy Time Petri Nets [13, 14] and G-Nets [16, 29, 17]. Fuzzy Time Petri Net (FTPN) is a timing extensionwhich uses a fuzzy approach to introduce time into Petri nets. The utilization of fuzzy sets theory allows thegeneralization of the deterministic timing Petri nets extensions. Also, it provides means to compute someperformance indices. Thus, it is possible to combine the positive aspects of deterministic and stochasticPetri nets extensions in a unique extension.Numerous references address the integration of fuzzy approach and Petri nets [6, 7, 8, 11, 24, 41, 45].Fuzzy Petri nets are suitable for speci�c kinds of applications. For example, the fuzzy Petri net proposed byLooney [24] is a modi�ed Petri net applied to fuzzy rule-based reasoning using propositional logic. Chen atal [11] have proposed a Fuzzy Petri net model to represent the fuzzy production rules of a rule-based system.Focusing on the timing extensions proposed to the Petri net model, they do not take in considerationthe uncertainty and imprecision of the events that we face when considering real systems. The �rst attemptto consider imprecision was proposed by Merlin [25]. In his work, the �ring time of transitions are de�nedby an interval. Valette and Cardoso [8, 45] introduced the concept of uncertainty and imprecision in Petrinets to monitor and to control a exible manufacturing system, where some aspects about uncertain timeare considered. However, there is no consideration about timing analysis.G-Net is a Petri net multi-level executable speci�cation model which uses object oriented concepts. Theintegration between FTPN and G-Nets allows the support of several characteristics which are inherent toreal-time distributed systems: distribution, concurrency, synchronization, real-time constraints and faulttolerance. Distribution, concurrency and synchronization arise naturally from the G-Net concept. Real-timeconstraints and fault tolerance can be achieved by means of FTPN as shown later.The rest of this paper is organized as follows. In Section 2, we introduce Fuzzy Time Petri Nets. InSection 3, we present a modi�ed reachability graph for FTPN model to perform timing analysis. In Section3
4, we introduce G-Net systems followed by a decomposition approach in Section 5. In Section 6, we presentthe integration between Fuzzy Time Petri Nets and G-Nets. In Section 7, we show how the FTG-Nets canbe applied in the design of RTDS with fault-tolerant characteristics. In this section, we also present thetreatment of anticipated faults by means of FTG-Nets. Finally, we present some conclusions in Section 8.2 Fuzzy Time Petri NetFuzzy Time Petri Nets are an extension of Petri nets which use a fuzzy approach to introduce time intoPetri nets. The model is intended to serve as a tool which is suitable for modeling real-time systems andfor computing selected performance indices, i.e., this model combines the ability to model real-time systemsof the deterministic extensions and the ability to make performance evaluation of stochastic extensions. Asshown later, this is accomplished through the combination of time intervals and fuzzy set theory [18].In the FTPN model, tokens carry a fuzzy time function representing the possibility of there being a tokenin a given place from a reference set. Besides the fuzzy time function, two fuzzy intervals are associatedwith each transition. The enable interval E represents the minimum and maximum time that must elapsebetween the enabling of a transition and its �ring time. The delay interval D represents the �ring time, i.e.,the delay necessary to execute the action represented by the corresponding transition. The existence of thesetime intervals associated with transitions is necessary in order to allow the modeling of two di�erent timingconcepts: time-outs and processing delays. Moreover, these two types of intervals are important when dealingwith real-time systems. We can represent three general categories of timing constraints for real-time systems,that are: maximum timing constraints, minimum timing constraints and durational timing constraints [12].2.1 De�nition and Firing RuleIn what follows, we introduce some important concepts necessary to formally de�ne a FTPN.De�nition 2.1 TS is the Time Scale set. TS = fx 2 IR j x � 0g, i.e., the set of all non-negative realnumbers.De�nition 2.2 Consider that y and z are two fuzzy dates in time scale TS, i.e., y; z 2 TS; 8�y(t); �z(t) 2[0; 1]. A fuzzy time interval, FINT = f[y; z] 2 TS � TS j z � yg, of time points which are greater thany and smaller than z, is de�ned by the membership function �(FINT ) = �[y;z](t) = sup min(�y(s); �z(s0 ))where t; s; s0 2 TS and �y(s); �z(s0 ) delimit the fuzzy set of possible values of y and z, respectively.A FTF is also de�ned as an ill-known date which is assigned for each token in a place. The FTF s ofthe tokens are combined in order to determine or update the FTF s of the subsequent tokens.De�nition 2.3 Suppose that p is a place and x is an ill-known date representing the time that there existsa token in place p. So, the fuzzy time function, associated with the token in place p is FTFx(p) = �x(TS),where �x(TS) delimits the fuzzy set of the possible values of x.A fuzzy token is a token which carries a fuzzy time function.De�nition 2.4 A FTPN, is de�ned as a seven-tuple (P; T; I;O; E ;D;M0), where:P is a �nite set of places.T is a �nite set of transitions.I : T ! P1 is the input function for transitions.O : T ! P1 is the output function for transitions. 4
E : T ! E([e1; e2]) is a set of fuzzy enable intervals, where E is a FINT .D : T ! D([d1; d2]) is a set of fuzzy delay intervals, where D is a FINT .M0 : P ! FTF� (P ) is the initial marking of the net, where FTF� (P ) is a fuzzy time function characterizingthe possibility distribution of there being a token in a place P in a given time � , where � 2 TS.Similarly to the Petri net de�nition, P \ T = ; and P [ T 6= ;. Also, for the sake of simplicity, let usconsider that the preset (set of input places) of a transition t, t 2 T , is represented by �t and the postset ofa transition t by t�.Once in this model each token carries a FTF which is de�ned after �ring a transition, the dynamicbehavior of a FTPN di�ers from the behavior of the underlying Petri net. The dynamic behavior of a FTPNdepends on the FTF s of the tokens and the fuzzy intervals which will modify the so-called �ring rules. Inwhat follows, we present the �ring rules of the FTPN model:a) A transition t is said enabled to �re if there is at least one token in each of its input places, assumingweight 1 for each arc, at the same point of the time scale. That is, given a transition t and the set of itsinput places (P1; P2; :::; Pn) with fuzzy time functions FTF (P1); FTF (P2); :::; FTF (Pn), respectively,the transition t is enabled to �re i�:\FTF (�t) = (FTF (P1) \FTF (P2) \ :::\ FTF (Pn)) (1)b) If, in a given time, more than one transition is enabled to �re, a non-deterministic choice determinesthe next transition to �re. However, it is important to remember that, in some cases dependingof its bounds, the enable intervals can contribute to the choice of the next transition to �re. Thisnon-deterministic choice re ects the time-out situation.c) The transition remains enabled for a period E before it can �re.d) The transition begins �ring and continues to �re for a period D.e) As a result of the �ring, a token carrying the new fuzzy time function is assigned to each output place.This new fuzzy time function is obtained from the composition of the fuzzy tokens of the input placesand the fuzzy time intervals associated with the transition. The computation of the new fuzzy timefunction is described in the next section.2.2 Fuzzy Function Computation RuleIn this section, we show how to compute the FTF s of the tokens created during the execution of a FTPN. Thefuzzy time function associated to the output token created after �ring a transition depends upon the fuzzytime function of the input tokens and the fuzzy time intervals associated with the �red transition. Generallyspeaking, this computation can be performed in two basic steps. In the �rst step, the fuzzy time functionsof the input tokens are combined in order to verify the possibility of the tokens in the input places in thesame instant of time. In the second step, the resultant fuzzy time function from the combination performedin the �rst step is compounded with the fuzzy time intervals of the �red transition. In the remainder of thissection, we detail these two steps. 5
Step 1: Computation of Fuzzy TokensConsidering the time scale TS, de�ned in Section 2.1, as a referential set. The possibility of the availabilityof a token in a place P in an instant �; � 2 TS, is given by the characteristic function or membership function�: 8� 2 TS : �P (� ) 2 [0; 1] (2)Supposing that transition has more than one input place, as shown in Figure 2. In this case, to �re atransition, the resultant fuzzy time function, �R(� ), is the intersection of the tokens. In Figure 2, FTF (P1),FTF (P2), ..., FTF (Pn) are the fuzzy time functions associated with tokens in places P1, P2, ..., Pn,respectively. Let us consider that FTF (P1), FTF (P2), ..., FTF (Pn) are represented by the membershipfunctions �P1(� ); �P2(� ); :::; �Pn(� ), respectively. The resultant fuzzy time function, �R(� ), is given by:�R(� ) = n\i=0�Pn(� ) =MIN (�P1(� ); �P2(� ); :::; �Pn(� )): (3)De�nition 2.5 The operator � represents the operation as de�ned in Equation 3.Step 2: Final Fuzzy Time FunctionIn this step, the resultant fuzzy time function obtained from the fuzzy input tokens is combined with thefuzzy time intervals associated with the �red transition. Suppose that �R(� ) represents the resultant fuzzytime function considering the fuzzy input tokens of transition t1 in Figure 2. Initially, considering thatthe delay interval D associated to transition t1 is given by the interval [0; 0] (instantaneous �ring). In thiscase, when a token reaches Pk, the membership function representing the associated fuzzy time function inplace Pk, �Pk(� ), is the combination between the resultant time function �R(� ) and the enable interval Eassociated with transition t1. This combination is determined by the addition of fuzzy variables using themembership functions: �(A(+)B)(z) = MAXz=x+yMIN (�A(x); �B(y)): (4)where z, x and y 2 TS, �A(x), �B(y) and �(A(+)B)(z) represent the resultant fuzzy time function, the enableinterval and the �nal fuzzy time function associated with the token in place Pk, respectively.De�nition 2.6 The operator � represents the operation as de�ned in Equation 4To consider the delay interval D associated with the transition, the same method for addition of fuzzyvariables is used, i.e., in this case the �nal fuzzy time function is the combination between the resultantfuzzy time function and the enable and delay fuzzy time intervals E and D, respectively.2.3 Generalization of the Deterministic Timing ExtensionsThe major feature of the FTPN model is its strength in model real-time systems and to make performanceevaluation of systems. Actually, the FTPN model is more general than the deterministic timing extensionsalready proposed to the Petri net model since it is possible to represent them by a FTPN. These extensionscan be modeled using a FTPN by imposing some restrictions to the enable and delay intervals of the FTPN6
model by setting their fuzzy characterization accordingly. In this section, we show how some extensions asTPN [25] and TdPN [34] can be modeled by means of FTPN.In the uni�cation, we consider two aspects which distinguish FTPN from the others timing extensions:the fuzzy time function associated with the token and the fuzzy time intervals associated with transitions.In the classical timing extensions, the token does not have an availability or validity period and, once itarrives in a place, it remains in the place until be removed by the �ring of a transition.Lemma 2.1 A token in a classical Petri net can be represented by means of a fuzzy token de�ned in theFTPN model.ProofTo represent a classical token by a fuzzy token, it is necessary to consider that a token does not have aperiod of validity. Let us suppose that a token arrives in a place in time � . It is clear to see that, the FTFcorresponding to the traditional token is represented by the fuzzy interval [�;1], where �(x) = 1, 8xjx > � .For the initial tokens � = 0. 2Lemma 2.2 A fuzzy delay interval can model a �xed duration of time.ProofThis can be directly done by setting the upper and lower bounds of the fuzzy delay interval to the valueof the �xed duration. In this case, there is no imprecision about the values. Thus, D = [d; d], �(d) = 1. 2The Time Petri net model (TPN) proposed by Merlin is characterized by assigning a time intervalTI = [tmin; tmax] to each transition.Lemma 2.3 The timing interval TI associated with transitions in the TPN model can be modeled by thefuzzy enable interval E of the FTPN model.ProofThe de�nition of both intervals are equivalents, i.e., they represent the same kind of timing restrictions.They have a minimum time that must elapse before enable the transition as well as a maximum valuethat transition must wait to �re, after which the transition must �re. The di�erence is that in the fuzzyinterval there are di�erent degrees of membership associated with the points of the interval. So, the intervalTI = [tmin; tmax] can be represented by the enable interval assuming that all the points of the interval havethe same degree of possibility, i.e., E = [tmin; tmax], �(t) = 1; 8T; tmin � T � tmax. 2Theorem 2.1 A TPN can be modeled by a FTPN .ProofThe TPN model is characterized by two time values tmin and tmax. These times are relative to themoment � at which all place in the preset of transition t is marked. Assuming that, this happens at time� then, transition t cannot �re before � + tmin, and must �re within � + tmax. This concept can be easilyrepresented by the enable interval. From Lemma 2.1 and Lemma 2.3 we guarantee that we can representthe tokens and timing intervals of a TPN. It is necessary to consider no �ring delay. This is can be directlydone by using Lemma 2.2 setting the value of the duration to 0. That is,7
1. E = [tmin; tmax], �(e) = 1, tmin � e � tmax.2. D = [0; 0], �(0) = 1. 2Figure 3 shows how the fuzzy time function and fuzzy time intervals are characterized to represent aTPN.Theorem 2.2 A TdPN can be modeled by a FTPN .ProofIn this model, a �xed duration d is assigned to each transition. Also, once the input tokens arrive in theinput places, the transition is enabled instantaneously. These two conditions can be expressed by means ofa FTPN (Lemma 2.2 and Lemma 2.3). That is,1. E = [0; 0], �(0) = 1.2. D = [d; d], �(d) = 1. 2Similarly, the graphical representation for the fuzzy values of a FTPN in order to represent a TdPN isshown in Figure 4.Theorem 2.3 A classical (non-temporal) Petri net can be modeled by a FTPN .ProofThis Theorem can be proved by using Lemmas 2.1, 2.2 and 2.3. Lemma 2.1 indicates the modeling of aclassical token. By Lemmas 2.2 and 2.3 we guarantee no timing dependence in the �ring rule, which can berepresented by:1. D = [0; 0] with membership value �(0) = 1.2. E = [0;1], �(t) = 1; 8t; 0 � t � 1. 2The characterization of the fuzzy elements to represent a classical Petri net is depicted in Figure 5.3 Fuzzy Reachability GraphOne of the well-known methods to analyze Petri nets is the reachability tree. The reachability tree is avery useful analysis tool for many properties of Petri nets. However, its application is in general limitedby the fact that, in most cases, the reachability tree of a Petri net is an in�nite tree for a given initialmarking. A very simple way to reduce the reachability tree is to construct a graph such that equivalentstates correspond to only one node in the graph. The reachability graph is a directed graph which enumeratesall the reachable states of a system, and describes all possible transitions between states [36]. Unfortunately,the state explosion problem is still present, specially when there are more than one token in a place. In ourstudy, we consider that the nets are 1-safe, i.e., nets that support no more than one token in a place.Reachability graph analysis technique have been used for many people in order to prove di�erent kinds ofproperties [46, 47, 4, 28, 33, 36, 42, 48]. In what follows, we introduce a modi�ed reachability graph namedFuzzy Reachability Graph for the timing analysis of FTPNs.8
3.1 De�nition and Construction of the Fuzzy Reachability GraphThe fuzzy reachability graph is a modi�ed reachability graph which incorporates the time concepts de�nedin the FTPN model. The basic idea is to extend the concept of reachability graph to include the FuzzyTime Function (FTF ) carried by the token, which is computed after each transition �ring, starting fromthe initial marking. Also, the modi�ed reachability graph considers the fuzzy time intervals associated withthe transitions. Thus, the fuzzy reachability graph is characterized by:1) Assigning a FTF to each token on places in a given state. This follows from the de�nition of the FuzzyTime Petri Net model in which tokens carry fuzzy characteristic functions.2) Attaching to each edge of the graph the timing intervals associated with the corresponding �ring transitionrepresenting the time restrictions when �ring a transition in the FTPN model.Before formally introduce the concept of fuzzy reachability graph, we introduce the concept of fuzzy timefunction set of a state (FSET ). A state in a FTPN is de�ned as its marking S = [m(p1);m(p2); :::;m(pn)g.Where m(pi) represents the amount of tokens in place pi.De�nition 3.1 A fuzzy time function set, FSET , is the set of FTF s considering a given state i.e.,FSET (S) = fFTF (p1); FTF (p2); :::; FTF (pn)g.De�nition 3.2 The fuzzy reachability graph, FRG, is de�ned as a labeled graph FRG = (N;A). N is callednode set which is the set of all possible states or markings. A FSET related to the state represented by thenode is associated to it. A is called the arc set which is the set of arcs labeled with the fuzzy time intervalsrepresenting all possible single transition �rings.De�nition 3.3 A given state S is de�ned as an immediate reachable state (irs) from an initial state S0, ifS is reachable from S0 after �ring only one transition.De�nition 3.4 An immediate reachable state set for a given state S, IRS(S), is the set of all immediatereachable states of S.The fuzzy reachability graph is constructed by recursively calculating the successors of every reachablestate, starting from an initial state. The procedure for compute successors of a state is shown in Figure 1.To illustrate the construction of the reachability graph let us consider the FTPN shown in 6(a). Assumingan initial marking of one fuzzy token in place P1 with fuzzy time function FTF (P1), there are six possiblereachable states for the net as shown in Table 1. The fuzzy reachability graph is constructed accordingto the procedure presented above, and is shown in Figure 6(b). According to its de�nition, to each node(representing state) is associated its corresponding FSET . Thus, to the node representing the state S0which is composed by one token in place P1, it is associated the fuzzy time function set fF1g. For sake ofsimplicity we represent FTF (P1) by F1, FTF (P2) by F2 and so on. Similarly, fF2; F3g is associated withstate S1, fF3; F4g to state S2, fF2; F5g to state S3, fF4; F5g to state S4 and fF6g to state S5. Moreover,the fuzzy time intervals are assigned to the arcs. For example, considering the state S0, only one transitionmay �re (transition t1) and its �ring leads to state S1. This is observed in the reachability graph by the9
1. Given a state S2. Determine the set of �rable transitions FT3. For all transitions t 2 FT do4. Generate a successor state S 0 from S after �ring t5. Associate to the edge that connect S to S 0 its corresponding time intervals6. Assign to the node its corresponding FSET7. enddo Figure 1: Procedure to compute successors of a statePLACESSTATES P1 P2 P3 P4 P5 P6S0 1 0 0 0 0 0S1 0 1 1 0 0 0S2 0 0 1 1 0 0S3 0 1 0 0 1 0S4 0 0 0 1 1 0S5 0 0 0 0 0 1Table 1: Possible states for the net depicted in Figure 6(a)arc connecting states S0 and S1, where E1 and D1 are the fuzzy time intervals associated with transition t1.The fuzzy time intervals E2 and D2 are associated with the arc connecting S1 to S2 and S3 to S4, the fuzzytime intervals E3 and D3 are associated with the arc connecting S1 to S3 and S2 to S4. Finally, the fuzzytime intervals E4 and D4 are associated with the arc connecting S4 to S5.3.2 Timing Analysis IssuesThe timing analysis is based on the fuzzy time function associated with the tokens. The idea is to use thefuzzy reachability graph, where we have the complete state space, in order to compute the FTF s. We assumethat the FTF s associated with the initial tokens are known1 and de�ned in the fuzzy reachability graph bythe FSET assigned to the root (initial state). Thus, from the initial state in the fuzzy reachability graphand the initial fuzzy time functions, we can compute the FTF s in the others states of the fuzzy reachabilitygraph. Informally speaking, to compute these functions, it is necessary identify di�erences among the FSET sof immediate reachable states. Considering two connected states in the FRG and their respective FSET s,we have to consider two cases during the analysis:1. common elements between FSET s.2. di�erent elements between FSET s.1The initial FTF can be set to compute speci�c indices or may represent some di�erent situations.10
Focusing on the dynamic behavior of a FTPN, item 1 indicates that tokens were not removed after �ringa transition. Item 2 may represent two things: tokens removed from input places and tokens depositedin output places. According to the fuzzy function computation rule presented previously, input tokens arecombined to determine the FTF of the output tokens. In what follows, we present the timing analysis ruleswhich are based on the FRG analysis.Let S and S0 be two states in the FRG with respective fuzzy time function set FSET (S) and FSET (S0),where S0 2 IRS(S). Suppose that n is the number of places of the related FTPN and a is the arc connectingS to S0.De�nition 3.5 The set of common FTF s, SCF , is the set of all elements FTF (pi), where FTF (pi) 2FSET (S); FSET (S0) and 1 � i � n.De�nition 3.6 The set of generated FTF s, SGF , is the set of all elements FTF (pj), where FTF (pj) 2FSET (S0), FTF (pj) 2/ FSET (S) and 1 � j � n.De�nition 3.7 The set of in uent FTF s, SIF , is the set of all elements FTF (pk), where FTF (pk) 2FSET (S), FTF (pk) 2/ FSET (S0) and 1 � k � n.The timing analysis is performed based on the following rules:R1 The FTF values for the elements in SCF are not modi�ed.R2 Combine the FTF values of elements in SIF using operation � de�ned in Section 2.2.R3 The value obtained in rule R2 is combined with the fuzzy time intervals associated to a, using operation� de�ned in Section 2.2. The result is the FTF value for all elements in SGF .In the fuzzy reachability graph depicted in Figure 6(b), the initial state (S0) is composed by a token inplace P1. Assuming that the initial FTF , F1, is known and following the rules presented above, we cancompute the remaining FTF s. The remaining FTF s are:a) From state S0 to S1:In this case, it is easy to see that SGF = fF2; F3g, SIF = fF1g and E1; D1 are the fuzzy intervalsassociated with arc connecting S0 to S1. Then, we have:F2 = F3 = F1 � E1 �D1: (5)b) From state S1 to S2:In this case, SGF = fF4g, SIF = fF2g, SCF = fF3g and E2; D2 are the fuzzy intervals associatedwith arc connecting S1 to S2. Then, we have:F4 = F2 � E2 �D2: (6)Similar computation is performed in the remaining state changes.c) From state S1 to S3: 11
F5 = F3 � E3 �D3: (7)d) From state S2 to S4: F5 = F3 � E3 �D3: (8)e) From state S3 to S4: F4 = F2 � E2 �D2: (9)f) From state S4 to S5: F6 = (F4 � F5)� E4 �D4: (10)Note that, the results obtained in 7 and 8 are identical as well as the results in 6 and 9. These values arecorrect once they represent the FTF of the same token which belongs to two di�erent states.4 G-Nets and G-Net Systems4.1 Basic ConceptsIn [17] the concept ofG-Nets and G-Net systems were introduced. G-Nets are a Petri net based framework forthe modular design and speci�cation of distributed information systems. The framework is an integration ofPetri net theory with the object oriented software engineering approach for system design. The motivation ofthis integration is to bridge the gap between the formal treatment of Petri nets and a modular, object-orientedapproach for the speci�cation and prototyping of complex software systems. The G-Net notation incorporatesthe notions of module and system structure into Petri nets; and promotes abstraction, encapsulation andloose coupling among the modules.A speci�cation or design based on G-Nets consists of a set of independent and loosely-coupled modules(G-Nets) organized in terms of various system structures. A G-Net is encapsulated in such a way that amodule can only access another module through a well de�ned mechanism called G-Net abstraction, avoidinginterference in the internal structure of another module.A G-Net G, is composed of two parts: a special place called Generic Switch Place (GSP) and an InternalStructure (IS). The GSP provides the abstraction of the module, and serves as an interface between the G-Net and other modules. The internal structure is a modi�ed Petri net, and represents the detailed internalrealization of the modeled application. The notation for G-Nets is very close to the Petri net notation[28]. Among other features this notation allows the user to indicate communication among G-Nets andtermination. The notation for G-Nets is shown in Figure 7. The IS of the net is enclosed by a roundedcorner rectangle, de�ning the internal structure boundary. The GSP is indicated by the ellipse in the leftupper corner of the rectangle de�ning the IS boundary. The inscription GSP (net name) de�nes the nameof the net to be referred by other G-Nets. The rounded corner rectangle in the upper right corner of the ISboundary is used to identify the methods and attributes for the net, where: hattribute namei = fhtypeig12
de�nes the attribute for the net where: hattribute namei is the name of the attributes, and htypei is a typefor the attribute; hmethod namei is the name for a method; hdescriptioni is a description for the method,hp1 : description; � � � ; pn : descriptioni is a list of arguments for the method. Finally, hspi is the name ofthe initial place for the method. A circle represents a normal place. An ellipse in the internal structurerepresents an instantiated switching place (isp). The isp is used to provide inter-G-Net communication.The inscription isp(G0:mi) indicates the invocation of the net G0 with method mi. A rectangle represents atransition, that may have an inscription associated with it. This inscriptions may be either an attribution or a�ring restriction. We will use the standard Language C notation for both attributions and �ring restrictions.A double circle represents the termination place or goal place. Places and transitions are connected througharcs that may carry an expression.The GSP of a G-Net G, denoted by GSP (net name) in the ellipse of Figure 7, uniquely identi�es themodule. The rounded-corner rectangle in the GSP side contains a description of one or more methods,which specify the functions, operations or services de�ned by the net, and a set of attributes specifying thepassive properties of the module (if any). The detailed structures and information ows of each methodare de�ned by a modi�ed high-level net in the internal structure. More speci�cally, a method de�nes theinput parameters, the initial marking of the corresponding internal high-level net (the initial state of theexecution). The collection of the methods and the attributes (if any) provides the abstraction or the externalview of the module.In the internal structure, places represent primitives, and transitions, together with arcs, represent con-nections or relations among the primitives. These primitives may be actions, predicates, data entities, andinstantiated switch places (isp's). A set of special places called Goal Places represents the �nal state of theexecution, and the results (if any) to be returned. A transition, together with arcs, de�nes the synchroniza-tion and coordinates the information transfer between its input and output places. A formal introductionto G-Nets can be found in [17].Given a G-Net G, an isp of G is denoted by isp(Gname:mtd) (or simply isp(G) if no ambiguity occurs),where Gname is the unique identi�cation of G, and mtd is a de�ned method for G. An isp(Gname:mtd)denotes an instantiation of the G-Net G, i.e., an instance of invocation of G based on the method mtd.Therefore, executing the isp primitive implies invoking G (by sending a token to G) based on the speci�edmethod. This token contains the parameters needed to de�ne the tokens for the initial marking of theinvoked net. This interaction between G-Nets can be compared to the mechanism of remote procedure call.The isp notation serves as the primary mechanism for specifying the connections or relationships betweendi�erent G-Nets (modules). Embedding an isp of a lower level G-Net into the internal structure of a higherlevel G-Net speci�es a hierarchical con�guration.4.2 An Example Based on the Producer/Consumer ProblemThe producer/consumer problem is a well known problem. It consists of the synchronization between oneor more producers and one or more consumers. In the example that will be shown we assume, initially, thatone producer is capable of producing n items, and that a consumer is able to consume one item at a time.In Figure 8 the G-Net model G(P ) for the producer is shown. For this net one method is de�ned13
and named mp. The function of the method mp is to produce n items to be consumed. When G(P ) isinvoked through GSP(P) one token together with a �eld n, expressing the number of items to be produced,is deposited in place PR. The action associated with this place simply decrements the �eld n. If n < 0,transition pr �res and the invocation of G(P ) returns when the goal place GP is reached. Otherwise, thatis n � 0, transition rs �res, the token reaches isp(C.ms), and the net C is invoked using method ms. Thisinvocation is to inquire net G(C) to ascertain whether it is ready consume an item or not. If G(C) isnot ready, transition nr �res, and the net G(C) is inquired again. Otherwise, the consumer is ready andtransition cr �res. After the �ring of cr a token is deposited in isp(C.mc) and net C is invoked with themethod mc together with the item to be consumed. When the token is returned from net C transition co�res and a token is put in place PR again.The G-Net for the consumer G(C), is presented in Figure 9. Two methods are de�ned for G(C): methodstatus (ms), and method consume (mc). When G(C) is invoked through GSP(C), if the method is ms atoken is put on place IN. Depending on the state of G(C), which could be either consuming or ready toconsume, transitions na or sa will �re. The choice between na and sa is based on the states represented byplace RC (ready to consume) and place CO (consuming). If RC is marked, transition sa �res and a tokenreaches the goal place GPS with an acknowledge associated with the returning token r (r = ack). Otherwise,a �eld not acknowledge is associated with the token (r = nak). After �ring of sa, a token is put in placeWP, and the consumer is ready to consume. When G(C) is invoked with a method consume, mc, a token isput in place TC. Since WP was previously marked after a successful execution of method ms, transition sc�res and place CO is marked. At this point G(C) indicates to the consumer that the requested action maybe either �nished or in processing. This is because when transition sc �res a token is deposited in place COand other in the goal place GPC. It must be noted that transition ac can or can not �re before the producerreceives the returning token from GPC. After �ring ac, a token is removed from CO and another one fromRC', and one token is deposited in RC. And G(C) is ready to consume another item.4.3 G-Net DecompositionThe objective to decompose a G-Net is to provide a clear structural coupling among G-Nets. This struc-tural coupling imposes restrictions in the communication among G-Nets. Also with the decomposition ofthe interface elements we allow the designer to incrementally design and analyze a system by adding newcomponents. To do so the composition of G-Nets must be a stable operation. Therefore, the composition ofa requester G-Net with a service G-Net must, after the composition, still be a requester-service G-Net. Thiscan be accomplished through the preservation of the general properties of the components, G-Nets, so thatthe properties of the whole system may be deduced from the properties of its components.The elements used as the basis for the decomposition of a G-Net are the GSP , isp and goal places.A decomposition for each one of these elements is introduced. We also de�ne the concept of reentrancefor a decomposed G-Net. The decomposition approach not only allows the introduction of the concept ofreentrance, but it also allows the possibility to apply formal analysis to verify the behavior of a G-Net anda G-Net system.The approach we will introduce to decompose G-Nets follows the basic principles of the object oriented14
approach. Hence, the functional unity of the nets may be de�ned during their design, in such a way thatthey are components providing some services to other nets, and apply to other nets the services they o�er.As discussed before, the GSP of a G-Net provides the abstraction with explicit de�nition of the methods(services) available to other nets. Also the isp and the goal places provide means by which a G-Net can beinvoked and the processed result (if any) is returned. The general principles that must be satis�ed whenG-Nets are communicating is very similar to the client-server protocol [39], and consists of the followingsteps:1. The requester G-Net requests a service.2. The called G-Net accepts or not the requested service.3. Upon acceptance of the service, the called G-Net attends the request and provides the results, otherwisethe requester G-Net must issue another request.4. The requester G-Net retrieves the result.An isp(G0:m), representing the invocation of net G0 using methodm is decomposed as shown in Figure 10.Place RI receives the token from the input transition(s), not represented in Figure 10, then transition si �resand the propagation sequence of the token is updated based on the integer value n, where n 2 IN, of thetoken in place SI, which is increased by one each time si �res. The output token will be put in RIm. Thistoken will have a unique sequence identi�er together with the set of tokens de�ning the initial marking of netG0. Also, a token will be put in Wi. Transition G' then can �re. This �ring corresponds to the invocation ofnet G0. When net G0 reaches its goal place the returning token(s) is(are) then put in place RC and transitionsa �res resulting in a token in place RR. The place Wi also is used to maintain state information about thenet, which can be used for fault-tolerance and error-recovery [31, 9, 15].For the GSP (G0) the decomposition is shown in Figure 11. The starting place, SP receives all thetokens that will correspond to the initial marking for the places corresponding to method n. The transitioncorresponding to the speci�ed method will �re and the tokens will be put in the set of initial places, this setof places is represented by the dotted rectangles in Figure 11.5 Fuzzy Time G-Nets5.1 Integration IssuesIn this section, we describe the integration between G-Net and FTPN. The objective of this integrationis to allow a modular timing analysis for complex systems. Each G-Net in a G-Net system is studied inisolation and the results are combined to determine the �nal solution. Since the concept of G-Net does nottake in consideration timing aspects and, due to the exibility of its internal structure, we will consider theinternal structure as being a FTPN. To do so and to allow a modular analysis, the integration is performedby considering the decomposed G-Net. In the modular analysis, the most important thing is to know howto correctly combine the results obtained from the individual analysis of each module. The combination of15
the results is determined by how the modules are connected. In the following, we present details about theintegration.When one G-Net invokes another G-Net with a given method m, this method de�nes the initial markingfor the invoked net. Since the internal structure is a Fuzzy Time Petri Net, the token that arrives in an isp isa fuzzy token. Thus, the initial marking for the invoked net should be composed by fuzzy tokens. Once ourmain objective is the modular analysis, we have to have conditions to study each G-Net in isolation, i.e., theindividual G-Net timing analysis must be independent of the analysis of the G-Net which is invoking it. Dueto the commutativity and distributivity properties of fuzzy sets, it is possible to study each invoked G-Netconsidering that the tokens of the initial marking for the invoked net are not fuzzy. The results are thencombined via the decomposed isp, i.e., a fuzzy interval that corresponds to the minimum and maximumexecution time of the invoked net is computed by combining the enable and delay intervals attached toits transitions, as de�ned previously. The computation of this fuzzy interval resumes when a goal place isreached, indicating that the invocation �nished. Finally, this fuzzy interval is combined with the fuzzy timefunction assigned to the isp0s token. The analysis of the invoked net depends of the method used in theinvocation. However, to guarantee correct results, we have to make some assumptions as for example thatthe set of transitions of di�erent methods are con ict-free, i.e., the set of transitions of two di�erent methodsare con ict-free if the �ring of transitions in one method does not depend on �ring any transition in theother method.In order to de�ne the Fuzzy Time G-Net { FTG-Net, the decomposition of the isp and the GSP (aspresented in Section 4.3) is integrated together with the fuzzy time intervals associated with the transitions.Some considerations must be made in order to allow the integration and consequently the performanceanalysis. These considerations concern about some special places and transitions which were de�ned in thedecomposed model in order to guarantee some properties of the original de�nition of G-Nets.Focusing on the performance analysis, what is important to know is the fuzzy token in the isp andthe analysis of the invoked net. Thus, the integration of the decomposed isp and the timing intervals isconsidered in the following way:1. Places SI and Wi in the decomposed isp do not receive fuzzy tokens.2. The time intervals associated with transitions si and ra are both [0,0], i.e., the �ring of these transitionsare instantaneous.3. A time interval is associated with transition G' corresponding to the minimumand maximumexecutiontime of the net invoked by the isp, as described above.4. place RIm maintains the fuzzy time function of the isp0s token.5. the token deposited in place RR after �ring ra is a fuzzy token which carries the resultant fuzzy timefunction considering the invoked net.Actually, for the sake of timing analysis, the decomposed isp integrated with fuzzy time intervals can besimpli�ed, based on the �ve assumptions enumerated above.16
PLACESSTATES SC IN RC RC' WP TC CO GP GPCS0 1 0 1 0 0 0 0 0 0S1 0 1 1 0 0 0 0 0 0S2 0 0 0 1 1 0 0 1 0Table 2: Possible states for the invocation of Gd(C) with method msFor the decomposed GSP no special consideration is taken. The transition which is connected to the startplace SP can be used in order to represent the communication delay between the communicating G-nets. Inthis case, for transitions tm1, tm2, .., and tmn a fuzzy delay interval is associated with each transition inorder to represent the communicating delay. The fuzzy delay intervals are the same since they represent thesame communication and are only de�ned to determine which method will be executed.5.2 Timing Analysis Using Fuzzy Time G-NetsIn order to perform a modular timing analysis of a FTG-Net, we have to consider the following steps:1. Analyze the invoked FTG-Net. If the invoked FTG-Net invokes another FTG-Net, the latter must beanalyzed �rst.2. Embed the result in the invoking FTG-Net by assigning it to the decomposed isp.3. Analyze the invoking FTG-Net.As result of the analysis of an invoked FTG-Net, we are interested in determine the delay to execute amethod. Thus, we have to set the initial FTF s accordingly, i.e., the initial FTF s are set to [0; 0]. The delayto execute the invoked net is represented by the FTF carried by the token in the goal place.Returning to the producer/consumer example introduced in the last Section, before analyze the producerwe have �rst to analyze the consumer. The FTG-Net System representing the producer/consumer problem iscomposed by one FTG-Netmodeling the producer and one FTG-Netmodeling the consumer. The FTG-Netsare obtained from the decomposition of the original G-Nets and by introducing the fuzzy time intervals. TheG-Nets for the consumer and producer are decomposed as shown in Figures 12 and 13, respectively. Let usconsider that Gd(P ) and Gd(C) are the resultant decomposed G-Nets for the producer and for the consumer,respectively. Also, fuzzy time intervals are associated with each transition in the decomposed G-Net . Forthe sake of simplicity, the fuzzy enable intervals are not depicted in the Figure 12. Thus, in Figure 12,DC.ms is the delay interval associated with transition C.ms, Dra1 is the delay interval to transition ra1, andso on.When the decomposed G-Net, Gd(C), is invoked using method ms, two states are possible: Gd(C) iseither busy (token in place RC') or ready to consume (token in place RC).Considering the ready to consume state, the decomposed G-Net Gd(C) is invoked twice. First, Gd(C) isinvoked with method ms and after with method mc. Each invocation is studied in isolation and the results17
PLACESSTATES SC IN RC RC' WP TC CO GP GPCS0 1 0 0 1 1 0 0 0 0S1 0 0 0 1 1 1 0 0 0S2 0 0 0 1 0 0 1 0 1Table 3: Possible states for the invocation of Gd(C) with method mcPLACESSTATES SP PR RI1 SI1 RIs RC1 W1 RR1 RI2 SI2 RIc RC2 W2 RR2 GPS0 1 0 0 1 0 0 0 0 0 1 0 0 0 0 0S1 0 1 0 1 0 0 0 0 0 1 0 0 0 0 0S2 0 0 1 1 0 0 0 0 0 1 0 0 0 0 0S3 0 0 0 1 1 0 1 0 0 1 0 0 0 0 0S4 0 0 0 1 0 1 1 0 0 1 0 0 0 0 0S5 0 0 0 1 0 0 0 1 0 1 0 0 0 0 0S6 0 0 0 1 0 0 0 0 1 1 0 0 0 0 0S7 0 0 0 1 0 0 0 0 0 1 1 0 0 0 0S8 0 0 0 1 0 0 0 0 0 1 0 1 1 0 0S9 0 0 0 1 0 0 0 0 0 1 0 0 0 1 0S10 0 0 0 1 0 0 0 0 0 1 0 0 0 0 1Table 4: Possible states for the decomposed G-Net Gd(P ) considering invocationsare embedded in Gd(P ), i.e., they are assigned to transitions C.ms and C.mc (see Figure 12), respectively.In the case of method ms, three reachable states are possible as shown in Table 2. Figure 14 shows thefuzzy reachability graph for decomposed G-Net Gd(C) invoked using method ms. Similarly, as presented inSection 3.2, the following FTF s are computed:FIN = FSC �Dms: (11)FWP = FGP = FRC 0 = (FIN � FRC)�Dsa: (12)The fuzzy interval corresponding to this invocation is given by the fuzzy time function carried by the tokenin the goal place GP. Considering that the FTF values of the initial marking are not fuzzy (FSC = [0; 0]),from Expressions (11) and (12) we compute the FTF associated with the token in GP (Expression (13).The fuzzy interval is assigned to transition C.ms in Gd(P ).FGP = Dms �Dsa: (13)Table 3 and Figure 15 shows the possible reachable states and the fuzzy reachability graph for theinvocation of Gd(C) using method mc, respectively. In a similar way, the fuzzy time function equations aredetermined and the fuzzy interval corresponding to this invocation, expression (16), is assigned to transitionC.mc in Gd(P ). FTC = FSC �Dmc: (14)FCO = FGPC = (FWP � FTC)�Dsc: (15)FGPC = ((Dms �Dsa) �Dmc) �Dsc: (16)18
PLACESSTATES PR RIs RC1 RIc RC2 GPS0 1 0 0 0 0 0S1' 0 1 0 0 0 0S1" 0 0 1 0 0 0S2' 0 0 0 1 0 0S2" 0 0 0 0 1 0S3 0 0 0 0 0 1Table 5: Possible states for the simpli�ed G-Net for the producerConsidering the ready to consume state and the fuzzy time intervals determined above by studying eachinvocation of G-Net Gd(C) in separate, the timing properties of decomposed G-Net Gd(P ) can be studied.Table 4 shows possible reachable states for the producer and Figure 16 shows its fuzzy reachability graph.The fuzzy time functions of the producer are identically determined.In the case of timing analysis, the decomposed isp can be simpli�ed as shown in Figure 17, where G' isthe transition representing the execution of the invoked net. This is true because we are only interested inthe execution time of the invoked net which value is attached to G'. Also, we are considering that there isno timing restrictions associated with the transitions in the decomposed GSP .Then, using the simpli�ed version of the decomposed isp, the simpli�ed G-Net representing the produceris shown in Figure 18. The simpli�ed isp0s are represented in the dotted lines. The isp related to method msis composed by the places RIs and RC1, and by transition C.ms. The isp related to method mc is composedby places RIc and RC2, and by transition C.ms. Where transitions C.ms and C.mc represent the invocationof the consumer with methods ms and mc, respectively.Since we are not considering any kind of timing restriction on the transition mp, the initial state iscomposed by one token in place PR. For this initial marking, there are six possible states as shown in Table5. The complete fuzzy reachability graph for the simpli�ed net is depicted in Figure 19.The analysis of the simpli�ed G-Net can be executed in the same way as de�ned earlier. Although thesimpli�ed decomposed isp is enough for timing analysis, the original decomposed isp is necessary to beapplied in many �elds as fault-tolerance an real-time distributed systems [10].6 Faults in Real-Time Distributed Systems6.1 Fault Tolerance AspectsIn real-time systems, most faults are due to synchronization and performance errors that manifest themselvesas transient system failures. We can di�erentiate two kind of failures: time-dependent or non-time-dependent.In the case of non-time-dependent failures we can say that:� a required event does not occur; 19
� an undesired event occurs; and/or,� two incompatible events occurs simultaneously.On the other hand, there are three kind of time-dependent failures in a system that can lead to a faultybehavior. These failures include:� violation of maximum timing constraints between events;� violation of minimum time constraints between events; and/or,� durational failures (for example, a condition or set of conditions fails to hold for a particular amountof time).Di�erent techniques addressing di�erent types of failures can be adopted to enhance fault tolerance.Major fault-tolerance techniques include: recovery blocks [22], N-version programming [3], rollback recoverywith checkpoint [43], conversation [38] and exchange [2]. Rollback recovery with checkpoints, exchange andconversation are classi�ed as backward fault-tolerant techniques while recovery blocks and N-version arecalled forward fault-tolerant techniques.Focusing on real-time systems where performance has to be guaranteed as speci�ed in the domains ofvalue and time, it is necessary to analyze the temporal behavior of the system to verify if timing constraintsand performance indices are met. By analyzing temporal behavior, it is possible to investigate the occurrenceof timing faults. Backward fault-tolerant techniques, are often not appropriate to real-time environments.The applicability of fault-tolerant techniques in real-time systems must take into consideration the recoverylatency that can cause the violation of timing constraints [27].Considering formalmethods to analyze and introduce fault-tolerant properties in computer systems, Petrinets are among the most applicable. This is because, using Petri nets, it is possible to unify the modeling ofsoftware, hardware and environmental aspects by using one formalism. The integration between FTPN andG-Net model can be used in order to tolerate the time-dependent faults.In Figures 20 and 21, we present two fault tolerance techniques modeled by a FTG-Net. Actually,since the isp is the only notational element in G-Net that starts a communication between nets, we presenthow the decomposed isp is used to represent a fault-tolerant technique. The idea is to add, to each isp,timing constraints corresponding to the encapsulated time related with the invoked G-Net, in this case theworst execution time. Since we have to specify timing constraints, we use Fuzzy Time G-Nets where timingconstraints are represented by time intervals. Also, the performance analysis can be carried out by usingthe approach described in [10]. The performance analysis can be carried out at run time based on how longthe invocation of an object needs to resume. Therefore, it is necessary to provide means to measure thetime elapsed between an invocation and its completion. In Figure 20, we present a backward fault-toleranttechnique named Timed Rollback with Checkpoints. Figure 21 depicts a forward fault-tolerant technique. In[10], the functioning for those fault-tolerant FTG-Nets is detailed.20
6.2 Fuzzy Time G-Nets and Timing Polymorphic InvocationThe application of the well-known fault-tolerant techniques to real-time systems presents certain drawbacks.A natural trend of fault tolerance in the real-time �eld, is the consideration of anticipated faults and opera-tional conditions. This means that when the system moves outside some de�ned limits, it must be able to stillfunction within its speci�cations. Considering real-time systems, there are di�erent techniques to enforcethe fault-tolerant requirements of the systems and applications. Such techniques include recon�guration,graceful degradation, and load shedding. The basic idea of the recon�guration technique, is the re-allocationof applications running on a failed component to fail use free components. In the load shedding technique, aset of static priorities are de�ned in order to determine which applications will be dropped in case of failures[35]. Graceful degradation is de�ned when the results obtained are degraded and sometimes acceptable bythe users. The degradation of the results can be determined by reducing execution times or by executingsome alternative computation with much less requirements [27].Following the natural trend of anticipated faults, we present a technique which employs some conceptsrelated to graceful degradation and load shedding techniques. The idea was adopted from the de�nition oftime polymorphic invocation de�ned in [44]. According to [44], for a distributed real-time system the invokedobject cannot statically decide its timing constraints, i.e., the communicating objects should try their bestto achieve the required operations within a limited time. To accomplish this, we introduce the concept oftiming polymorphic G-Net invocation.The invocation of a G-Net G' is performed through the isp by using a de�ned method. In the case ofthe time polymorphic G-Net invocation, the isp uses a set of methods to invoke G'. Also, a distinct timingconstraint is speci�ed for each method. These timing constraints will be used in the invoked net to determinewhich method should be executed. The methods have a priority order which is determined by the timingconstraints associated with them. These priorities are important to guarantee that the system will functioncorrectly and the time restrictions will be met. In many cases, the results may be degraded but acceptable.De�nition 6.1 In a time polymorphic G-Net invocation, an isp invokes a G-Net with a composed methodCM . CM = f< m1; T c1 >;< m2; T c2 >; :::; < mn; T cn >g where m1, m2, .., mn are methods and Tc1,Tc2, ..., Tcn (Tc1 < Tc2 < ::: < Tcn) are timing constraints associated with the corresponding method.In G', the worst case execution time for each method is known, once it can be determined performing thetiming analysis as described in the previous chapter. Thus, according to the timing constraints associatedwith the methods and the worst case execution time for the methods, only one method is selected to beexecuted. We are not considering the load of the node running G'. To consider this case, it is necessary tohave mechanisms to specify it. For example, we can use a fake place together with a token which carriesa FTF specifying the load of the node. When the fake token is combined with the initial tokens, di�erentresults (execution time) are produced re ecting the results considering the load of the node.According to the de�nition of time polymorphic G-Net invocation, both isp and invoked GSP are re-sponsible to maintain a fault-tolerant behavior of the system. In Figure 22 we show the decomposed ispconsidering the time polymorphic G-Net invocation. The timing polymorphic isp is similar to those decom-posed fault-tolerant isps. The di�erence is that the enable intervals associated with transitions are knowna priori (this follows from the anticipated faults trend). Tcn is the timing constraint associated to the nth21
method, i.e., the method with lower priority. If this timing constraint can not be met, an exception handlingroutine is triggered by �ring transition to. Places EM and RE, and transition cm treat the returned tokenfrom the failed time polymorphic G-Net invocation.Since the polymorphic G-Net invocation is executed using several methods, it is necessary mechanismsto assing priorities to methods, considering the decomposed GSP of the invoked G-Net G'. Since the timingconstraints associated with the methods in the polymorphic G-Net invocation are distinct, it is possible touse them in order to assign prioritiesto the execution of methods. Figure 23 shows the decomposed timingpolymorphic GSP . Each output arc of starting place SP has an expression corresponding to a speci�cmethod. Also, transitions are augmented with inscriptions to compare the timing constraints and the worstcase execution time. The enable intervals associated with transitions provide a way to assign priorities toselect the correct method to be executed. For example, let us suppose that the G-Net G0 is invoked ina polymorphic way with methods < m1; T c1 > and < m2; T c2 >, Tc1 < Tc2. Then, if the inscriptionsof transitions tm1 and tm2 are satis�ed, both transitions are enabled. Since Tc1 < Tc2, method m1 haspriority over method m2 and transition tm1 is selected to �re. Firing transition tm1, tokens are depositedin initial places for method m1 (in Figure 23 represented by the dotted boxes) and method m2 is disabled.7 ConclusionIn this paper a fuzzy approach to introduce time in Petri nets was presented. The major motivation ofthis approach is the lack of generality of timing Petri net extensions. This approach, Fuzzy Time Petri Net(FTPN), integrates in a complementary fashion the strength of the deterministic and stochastic extensions.We extended the concept of reachability graph by incorporating the fuzzy time aspects of the model inorder to perform timing analysis. We also de�ned an analysis technique based on the reachability graph.Moreover, in order to deal with large complex systems, we integrated the FTPN model with G-Nets. Theintegration allows the modular timing analysis of complex systems by considering the internal structure of aG-Net as being a FTPN, and using a decomposition approach. Thus, we can divide a system in subsystems,study them in isolation and integrate their results to get the global solution.We have presented how FTG-Nets can help the introduction of forward and backward fault-tolerantmechanisms in a system modeled by a set of FTG-Nets. Timed rollback technique and recovery blocks weremodeled by using FTG-Nets as introduced by Perkusich et al [31]. Moreover, a novel approach to treatanticipated faults in real-time distributed systems was introduced. Since FTG-Nets are suitable to real-time distributed system design, it allows the support of many relevant aspects as distribution, concurrency,synchronization, real-time constraints and fault tolerance. By using FTG-Nets, the treatment of anticipatedfaults is accomplished by the de�nition of time polymorphic G-Net invocation. We are investigating theapplication of FTG-Nets to the control of track vehicle problem [30] and real-time databases [32].Also, we are investigating the application of the FTPN model to introduce temporal auto-protection andauto-detection for faults in the design of G-Net systems.22
References[1] M. Ajmone Marsan, D. Balbo, and G. Conte. A class of generalised stochastic petri nets for theperformance evaluation of multiprocessor systems. ACM Transactions on Computer Systems, 2(2):93{122, May 1984.[2] T. Anderson and J.C. Knight. A framework for software fault tolerance in real-time systems. IEEETransactions on Software Engineering, SE-9(3):355{364, May 1983.[3] A. Avizienis. The N-version approach to fault-tolerant software. IEEE Transactions on Software Engi-neering, SE-11(12):1491{1506, December 1985.[4] B. Berthomieu and M. Diaz. Modeling and veri�cation of time dependent systems using time petri nets.IEEE Transactions on Software Engineering, 17(3):259{273, March 1991.[5] K.P. Birmam, T.A. Joseph, T. Raeuchle, R. Abadi, A.E.Koo, and S. Toueg. Checkpointing and rollback{recovery for distributed system. IEEE Transactions on Software Engineering, SE-13(1):23{31, January1987.[6] T. Cao and A.C. Sanderson. Task sequence planning using fuzzy petri nets. In International Conferenceon Systems, Man, and Cybernetics, pages 349 { 354, 1991.[7] T. Cao and A.C. Sanderson. Variable reasoning and analysis about uncertainty with fuzzy petri nets.In M. Ajmone Marsan, editor, Application and Theory of Petri Nets 1993, volume 691 of Lecture Notesin Computer Science, pages 126 { 145. Springer-Verlag, June 1993.[8] J. Cardoso, R. Valette, and D. Dubois. Petri nets with uncertain markings. In G. Rozenberg, editor,Advances in Petri Nets 1990, volume 483 of Lecture Notes in Computer Science, pages 64{78. Springer-Verlag, June 1990.[9] S.K. Chang, A. Perkusich, J.C.A. de Figueiredo, B. Yu, and M.J. Ehrenberger. The design of real-timedistributed information systems with object-oriented and fault-tolerant characteristics. In Proc. of TheFifth International Conference on Software Engineering and Knowledge Engineering, San Francisco,California, June 1993.[10] S.K. Chang, A. Perkusich, J.C.A. de Figueiredo, B. Yu, and M.J. Ehrenberger. The design of real-timedistributed information systems with object-oriented and fault-tolerant characteristics. In Proc. of TheFifth International Conference on Software Engineering and Knowledge Engineering, San Francisco,California, June 1993.[11] S.M. Chen, J.S. Ke, and J.F. Chang. Knowledge representation using fuzzy petri nets. IEEE Transac-tions on Knowledge and Data Engineering, 2(3):311{319, 1990.[12] B. Dasarathy. Timing constraints of real-time systems: Constructs for expressing them, methods ofvalidating them. IEEE Transactions on Software Engineering, 11(1):80 { 86, January 1985.23
[13] J.C.A. de Figueiredo. Fuzzy Time Petri Net. PhD thesis, Departamento de Sistemas e Computa�c~ao,Universidade Federal da Para��ba, 1994.[14] J.C.A. de Figueiredo, A. Perkusich, and S.K. Chang. Timing analisys of real-time software systemsusing fuzzy time petri nets. In Proc. of The Sixth International Conference on Software Engineeringand Knowledge Engineering, pages 243{253, Riga, Latvia, June 1994.[15] J.C.A de Figueiredo, A. Perkusich, and S.K. Chang. Anticipated faults in real-time distributed systems.In Proc. of The Seventh International Conference on Software Engineering and Knowledge Engineering,SEKE'95, pages 411{418, Washington, USA, June 1995.[16] Y. Deng. A Uni�ed Framework for the Modeling, Prototyping and Design of Distributed InformationSystems. PhD thesis, Department of Computer Science, University of Pittsburgh, 1992.[17] Y. Deng, S.K. Chang, J.C.A. de Figueiredo, and A. Perkusich. Integrating software engineering methodsand petri nets for the speci�cation and prototyping of complex software systems. In M. Ajmone Marsan,editor, Application and Theory of Petri Nets 1993, volume 691 of Lecture Notes in Computer Science,pages 206 { 223. Springer-Verlag, Chicago, USA, June 1993.[18] D. Dubois and H. Prade. Processing fuzzy temporal knowledge. IEEE Transactions on Systems, Man,and Cybernetics, 19(4):729{744, July 1989.[19] C. Ghezzi, D. Mandrioli, S. Morasca, and M. Pezze. A general way to put time in petri net. In 5thInternational Workshop on Software Speci�cations and Design, pages 60{66, May 1989.[20] P.J. Haas and G.S. Shedler. Regenerative stochastic petri nets. Performance Evaluation, 6(3):189{204,September 1986.[21] J.P.J. Kelly, T.I. McVittie, and W.I. Yamamoto. Implementing design diversity to achieve fault-tolerance. IEEE Software, 8(3):61{71, July 1991.[22] R. Koo and S. Toueg. Checkpointing and rollback-recovery for distributed systems. IEEE Transactionson Software Engineering, SE-13(3):23{31, January 1987.[23] H. Kopetz, A. Damm, C. Koza, M. Mulazzani, W. Schwabl, C. Senft, and R. Zailinger. Distributedfault-tolerant real-time systems: The mars approach. IEEE Micro, 9(1):25{40, February 1989.[24] C.G. Looney. Fuzzy petri nets for rule-based decisionmaking. IEEE Transactions on Systems, Man,and Cybernetics, 18(1):178 { 183, January 1988.[25] P.M. Merlin and D.J. Farber. Recoverability of communication protocols - implications of a theoreticalstudy. IEEE Transactions on Communication, COM-24(9):1036{1043, September 1976.[26] M.K. Molloy. Performance analysis using stochastic petri nets. IEEE Transactions on Computers,c-31(9):913{917, September 1982. 24
[27] D. Moss�e. Design, Development, and Deployment of Fault-Tolerant Applications for Distributed Real-Time Systems. PhD thesis, University of Maryland, College Park, 1993.[28] T. Murata. Petri nets: Properties, analysis and applications. Proc. of the IEEE, 77(4):541{580, April1989.[29] A. Perkusich. Analysis of G-Net Systems Based Upon Decomposition. PhD thesis, Department ofElectrical Engineering, Federal University of Para��ba, Campina Grande, PB, Brazil, August 1994.[30] A. Perkusich and J.C.A de Figueiredo. Object oriented design of a track-vehicle system. In Proc. ofThe Seventh International Conference on Software Engineering and Knowledge Engineering, SEKE'95,pages 283{290, Washington, USA, June 1995.[31] A. Perkusich, J.C.A. de Figueiredo, and S.K Chang. Embedding fault-tolerant properties in the designof complex systems. Journal of Systems and Software, 2(25):23{37, 1994.[32] M.L.B Perkusich, A. Perkusich, and U. Schiel. Integrated design of object-oriented real-time controland database systems. In Proc. of The Seventh International Conference on Software Engineering andKnowledge Engineering, SEKE'95, pages 150{152, Washington, USA, June 1995.[33] J.L. Peterson. Petri Net Theory and Modeling of Systems. Prentice-Hall, 1981.[34] C. Ramchandani. Analysis of asynchronous concurrent systems by petri nets. Technical Report ProjectMAC-TR120, M.I.T., Cambridge, MA, 1974.[35] J.K. Ramos-Thuel, S. Strosnider. The transient server approach to scheduling time-critical recoveryoperations. In IEEE Real-Time Systems Symposium, pages 286 { 295, San Antonio, Texas, December1991.[36] R.R. Razouk. The derivation of performance expressions for communication protocols from timed petrinet models. In ACM - SIGCOMM '84 Tutorials & Symposium: Communications, Architectures &Protocols, pages 210{217, June 1984.[37] S.M. Shatz. Development of Distributed Software. Macmillan Publishing Company, New York, 1993.[38] Y. Shieh, D. Ghosal, P.R. Chintamaneni, and K. Tripathi. Application of petri net models for theevaluation of fault-tolerant techniques in distributed systems. Technical Report Series CS-TR-2128,University of Maryland, College Park, Maryland, 20742, USA, October 1988.[39] C. Sibertin-Blanc. Client-server protocol for high-level nets. In M. Ajmone Marsan, editor, Applicationand Theory of Petri Nets 1993, volume 691 of Lecture Notes in Computer Science, pages 353 { 372.Springer-Verlag, Chicago, USA, June 1993.[40] J. Sifakis. Performance evaluation of systems using nets. In Net Theory and Applications, volume 84 ofLecture Notes in Computer Science. Springer-Verlag, 1980.25
t1
Pk
P1 P2 Pn
E, DFigure 2: n input places[41] P. Srinivasan and D. Gracanin. Approximate reasoning with fuzzy petri nets. In Second IEEE Conferenceon Fuzzy Systems, volume 1, pages 396 { 401, March 1993.[42] V.S. Srinivasan and M.A. Jafari. Fault detection/monitoring using time petri nets. submitted to IEEETransactions on Systems, Man and Cybernetics, 1992.[43] L. Svobodova. Resilient distributed computing. IEEE Tans. on Software Engineering, SE-10(3):257{268,May 1984.[44] K. Takashio and M. Tokoro. DROL: An object-oriented programming language for distributed real-timesystems. In Proc. of OOPSLA'92, pages 276{294, Vancouver, British Columbia, Canada, 18-22, October1992.[45] R. Valette, J. Cardoso, and D. Dubois. Monitoring manufacturing systems by means of petri nets withimprecise markings. In IEEE International Symposium on Intelligent Control, pages 233 { 238, Albany,NY, September 1989.[46] W.M.P. van der Aalst. Timed Coloured Petri Nets and Their Application to Logistic Systems. PhDthesis, Eindhoven University of Technology, 1992.[47] W.M.P. van der Aalst. Interval timed coloured petri nets and their analysis. In M. Ajmone Marsan,editor, Application and Theory of Petri Nets 1993, volume 691 of Lecture Notes in Computer Science,pages 453 { 472. Springer-Verlag, June 1993.[48] W.M. Zuberek. Timed petri nets and preliminary performance evaluation. In 7th Annual Symposiumon Computer Architecture, pages 88{96, May 1980.26
(a) (b) (c)
1 1 1
T T
µ µ µ
Ttmin tmax0 0 0
token delay interval
enabled
intervalFigure 3: Generalization of a TPN1
T
µ
(a) (b) (c)
1
T
µ
1
T
µ
d0
token delay interval enabled interval
0 0Figure 4: Generalization of TdPN1
T
µ
1
T
µ
(a) (b) (c)
1
T
µ
0
token delay interval enabled interval
0 0Figure 5: Generalization of a classical Petri net27
t2
F2, F3
F2, F5 F3, F4
F4, F5
F6
t1
P2 P3
P4 P5
t3
t4
P1
P6F1=FTF(P1), F2=FTF(P2), etc.
(a) (b)
F1
E1, D1
E2, D2 E3, D3
E4, D4
E1, D1
E2, D2E3, D3
E4, D4
E3, D3E2, D2
S0
S1
S3 S2
S4
S5Figure 6: (a) Simple net and (b) Its reachability graphGSP(net_name)
GOAL PLACE NAME
PLACE NAME
transition name
inscriptions
<method_name><description>={[<p1:description,...,pn:desc>](<sp>)}<attribute_name>={<type>}
isp(G’.mi)
OTHER ELEMENTS
OF THE INTERNAL
STRUCTURE
internal structure boundary
<arc expression>
Figure 7: Notations used to represent a G-NetGSP(P)
PR: producer ready
GP: goal place
rs: request status consumer
nr: consumer not ready
cr: send to consumer
co: consumed
pr: producer resumes
PR
GP
nr
pr co rs
cr
n=n-1
isp(C.ms)isp(C.mc) r==nak
r==ack
n >=0n<0
mp:produce={[n:integer number of items](PR)}
<n> <n>
<n>
<n>
<n>
<n,r><n,r>
<n><n>Figure 8: G(P ) G-Net modeling the producer28
GSP(C)
RC’IN RC WP TC ready to consume
IN : inquire net C
RC:
trigger consumerTC:
WP: waiting producer
GPS: end status
GPC: item accepted
CO: consuming
<ret>
COGPS
GPC
na sa sc acack=F ack=T
<ack>
ms:status={[nil](IN)}
<ack>
ac: already consumed
sc: start consuming
na: not available
sa: send acknowledge
mc:consume={[item:data](TC)}
Figure 9: G(C) G-Net modeling the consumerG’ : invoke net G’
si: start invocation
ra: reply acknowledged
RI
rasi
RIm RRRC
SI
G’
isp(G’m)
Wi
RI: ready to invoke
SI: sequence id generator
RIm: ready to invoke with method m
RR: reply received
Wi: waiting invocation reply
RC: returned from net invokedFigure 10: Decomposition of an isp(G0m)tm1 tm2 tmn
initial placesfor method m2 for method mn
initial places
SP
GSP(G’)
for method m1initial places
<m1><m2>
<mn>Figure 11: Decomposition of a GSP (G0)29
mp
co pr rs
nr
mp: method produce
C: invoke net C
ra1,ra2: reply acknowledged
nr: consumer not ready
cr: send to consumer
co: consumed
rs: request status consumer
si1,si2: startanting invocation net C
pr: producer resumes
SP: start place net P
RR1,RR2: reply received
RI1,RI2: ready to invoke
RC1,RC2: returned from consumer
PR: producer ready
GP: goal place
RIs: ready to invoke using method s
RIc: ready to invoke using method c
SI1,SI2: sequence id generator
W1,W2: waiting invocation replyra2
si2
cr ra1
si1
GSP(P)SP
GP
isp(C.ms)
SI1
RC1
RI1
RR1
<ack>
<nak>
RC2
R Ic
SI2isp(C.mc)
RI2
RR2
RIs
W2
W1
Dmp
Dco Dpr Drs
Dra2
DC.mc
Dsi2
Dcr
Dnr
Dra1
DC.ms
Dsi1
C.mc
C.ms
PR
Figure 12: Decomposed G-net, Gd(P ), for the producer including timing on transitionssc acna
ms mc
ac: already consumed
sc: start consuming
na: not available
mc: method consume
sa: send acknowledge
ms: method status
GSP(C)
<ret>
CO
IN TC
SC
WP
<ack><nak>
SC: start net C
IN : inquire net C<ms> <mc>
sa
Dms Dmc
DscDsaDna Dac
GPGPC
RCRC’
RC: ready to consume
RC’: consumer busy
trigger consumerTC:
WP: waiting producer
CO: consuming
GPS: end status
GPC: item acceptedFigure 13: Decomposed G-net, Gd(C), for the consumer including timing on transitions30
S2
S1
S0
Dms
Dsa
FWP, FGP,
FRC’
FIN, FRC
FSC, FRC
Figure 14: Reachability graph for the consumer considering method msS2
S1
S0
Dmc
Dsc
FRC’
FRC’
FWP, FTC,
FSC, FWP,
FRC’
FCO, FGPC,Figure 15: Reachability graph for the consumer considering method mcFGP
FSP
FRR2
FRC2,FW2
FRI2
FRI1
FRC1,FW1 FRR1
S0
S2
S1
S10
S3 S4 S5S6
S7
S8
S9
FRIs,FW1
FRIc,FW2
Dpr
Dmp
DcrDra1DC.ms
Dsi1
Drs
Dco Dra2
DC.mc
Dsi2
FPR
Figure 16: Reachability graph for the producer31
G’ : invoke net G’
si: start invocation
ra: reply acknowledged
RIm RC
G’
RIm RC
G’
RI
rasi
RR
SIWi
RI: ready to invoke
SI: sequence id generator
RIm: ready to invoke with method m
RR: reply received
Wi: waiting invocation reply
RC: returned from net invoked
Figure 17: Simpli�ed decomposed isp for timing analysis purposemp
pr rs
cr
nr nr: consumer not ready
cr: send to consumer
co: consumed
pr: producer resumes
GSP(P)SP
GP
co
<ack>
<nak>
isp(C.ms)isp(C.mc)
RIs
RC1
RC2
RIc
C.msC.mc
Dcr
DC.mc
Dco Dpr Drs
Dnr
DC.ms
Dmp
PR
SP: start place net P
PR: producer ready
RC1,RC2: returned from consumer
GP: goal place
mp: method produce
rs: request status consumer
RIs: ready to invoke using method ms
RIc: ready to invoke using method mc
C.ms: invoke net C using method ms
C.mc: invoke net C using method mcFigure 18: Simpli�ed decomposed G-Net for the producer32
S0
FGPFRIs
FRC1
FRIc
FRC2
Drs
DC.ms
Dcr
DC.mc
Dco
Dnr
Dpr
S1’
S1’’
S2’
S2’’
S3
S1
S2
FPR
Figure 19: Fuzzy reachability graph for the simpli�ed decomposed producerτ(ta, ]
RI
SI
RIm
si
Wi
[ti,ta]
RC
ra
RR
G’
checkpoint
to
rbt
t’
PC
CI
EM
cm
REisp(G’.r)
Figure 20: Timed rollback technique33
oo(ta, ]
RI
SI
RIm
si
Wi
[ti,ta]
to
RC
ra
RR
block
G’
standby
primary blockFigure 21: Recovery block techniqueooE=(tcn, ]
RI
SI
RIm
si
Wi
RC
ra
RR
G’
to
E=[tc1,tcn]
exception
handling
EM RE
cm
timing polymorphic ispFigure 22: Timing polymorphic ispinitial places
for method m2 for method mninitial places
SP
GSP(G’)
for method m1initial places
<m1>
Tc1>w1 Tc2>w2 Tcn>wntm1 tm2
E=[Tc1,Tc1] E= [Tc2,Tc2]
<m2>
<mn>
tmn
E=[Tcn,Tcn]Figure 23: Timing polymorphic GSP34
