Cpn Slides 96

8/22/2019 Cpn Slides 96

1/100

Coloured Petri Nets

Kurt Jensen

Computer Science DepartmentUniversity of Aarhus

Ny Munkegade, Building 540DK-8000 Aarhus C, Denmark

Phone: +45 89 42 32 34Telefax: +45 89 42 32 55

E-mail:[email protected]:http://www.daimi.aau.dk/~kjensen

TOOLS

editing

simulation

verificationTHEORY

models basic concepts

verification methods

PRACTICAL USE

specification

investigation

verification

implementation

8/22/2019 Cpn Slides 96

2/100

Coloured Petri Nets2

Part 1: Introduction to CP-nets

An ordinary Petri net (PT-net) has no types and nomodules:

Only one kind of tokens and the net is flat.

With Coloured Petri Nets (CP-nets) it is possible touse data types and complex data manipulation:

Each token has attached a data value called thetoken colour.

The token colours can be investigatedandmodifiedby the occurring transitions.

With CP-nets it is possible to make hierarchicaldescriptions:

A large model can be obtained by combining aset ofsubmodels.

Well-defined interfaces between the submodels.

Well-defined semantics of the combined model.

Submodels can be reused.

8/22/2019 Cpn Slides 96

3/100


Resource allocation example

AP

3`(q,0)

BP

2`(p,0)

CP

DP

EP

T1 [x=q]

T2

T3

T4

T5

R

E

1è

Declarations:

type U = with p | q;

type I = int;

type P = product U * I;

type E = with e;

var x : U;

var i : I;

S

E

3è

T

E

2è

(x,i)

(x,i)

(x,i)

(x,i)

(x,i)

(x,i)

(x,i)

(x,i)

(x,i)

if x=q

then 1`(x,i+1)

else empty

e

if x=q then 1è

else empty

case x of

p => 2è

| q => 1è

2è

e

if x=p then 1è

else empty

e

case x of

p => 2è

| q => 1è

if x=p

then 1`(x,i+1)

else empty

8/22/2019 Cpn Slides 96

4/100


Occurrence of enabled binding

SE

3 3è

BP

2 2`(p,0)

T2

CP

SE

3 3è

BP2 2`(p,0)

T2

CP

Binding:

SE

1 1è

BP1 1`(p,0)

T2

CP

1 1`(p,0)

New Marking

(x,i)

case x of

p => 2è

| q => 1è

(x,i)

1

1`(p,0)(x,i)

case x of

p => 2è| q => 1è

2 2è

11`(p,0)(x,i)

(x,i)

case x of

p => 2è

| q => 1è

(x,i)

8/22/2019 Cpn Slides 96

5/100


Binding which is not enabled

SE

3 3è

BP2 2`(p,0)

T2

CP

SE

3 3è

BP2 2`(p,0)

T2

CP

Binding:

(x,i)

case x of

p => 2è

| q => 1è

(x,i)

1

1`(q,2)(x,i)

case x ofp => 2è

| q => 1è

1 1è

11`(q,2)(x,i)

Binding cannot occur

8/22/2019 Cpn Slides 96

6/100


A more complex example

SE3 3è

BP

3 1`(p,2)+1`(p,4)+1`(q,3)

T2

CP

SE

3 3è

BP3 1`(p,2)+1`(p,4)+1`(q,3)

T2

CP

Binding:

SE

3 3è

BP3 1`(p,2)+1`(p,4)+1`(q,3)

T2

CP

Binding:

(x,i)

case x of

p => 2è

| q => 1è

(x,i)

1

1`(p,2)(x,i)

case x of

p => 2è| q => 1è

2 2è

11`(p,2)(x,i)

11`(q,3)

(x,i)

case x of

p => 2è

| q => 1è

1 1è

1

1`(q,3)(x,i)

8/22/2019 Cpn Slides 96

7/100


Concurrency

SE

3 3è

BP3 1`(p,2)+1`(p,4)+1`(q,3)

T2

CP

Binding:

SE

BP1 1`(p,4)

T2

CP

2 1`(p,2)+1`(q,3)

Binding:

21`(p,2)+1`(q,3)

(x,i)

case x of

p => 2è| q => 1è

3 3è

2

1`(p,2)+1`(q,3)(x,i)

(x,i)

case x of

p => 2è

| q => 1è

(x,i)

The two bindings may occur concurrently.

This is possible because they use differenttokens.

8/22/2019 Cpn Slides 96

8/100


Conflict

SE

3 3è

BP3 1`(p,2)+1`(p,4)+1`(q,3)

T2

CP

Binding:

SE

3 3è

BP3 1`(p,2)+1`(p,4)+1`(q,3)

T2

CP

Binding:

11`(p,2)

(x,i)

case x of

p => 2è

| q => 1è

2 2è

11`(p,2)(x,i)

11`(p,4)

(x,i)

case x ofp => 2è

| q => 1è

2 2è

11`(p,4)

(x,i)

These two bindings cannot occur concurrently.

The reason is that they need the same tokens.

8/22/2019 Cpn Slides 96

9/100


Resource allocation system

Two kinds ofprocesses: Three cyclic q-processes (states A,B,C,D and E).

Two cyclic p-processes (states B,C,D and E).

Three kinds ofresources:

Represented by the places R, S and T.

During a cycle a process reserves some resourcesand releases them again:

Tokens are removedfrom and addedto the

resource places R, S and T.

A cycle counteris increased each time a processcompletes a full cycle.

It is rather straightforward to prove that the

resource allocation system cannot deadlock.

What happens if we add an additional token toplace S i.e., if we start with four S-resourcesinstead of three?

8/22/2019 Cpn Slides 96

10/100


Coloured Petri Nets

Declarations: Types, functions, operations and variables.

Eachplace has the following inscriptions:

Name (for identification).

Colour set(specifying the type of tokens whichmay reside on the place).

Initial marking (multi-set of token colours).

Each transition has the following inscriptions:

Name (for identification).

Guard(boolean expression containing some ofthe variables).

Each arc has the following inscriptions:

Arc expression (containing some of the variables).When the arc expression is evaluated it yields amulti-set of token colours.

8/22/2019 Cpn Slides 96

11/100


Enabling and occurrence

A binding assigns a colour(i.e., a value) to eachvariable of a transition.

A binding elementis a pair (t,b) where t is atransition while b is a binding for the variablesof t. Example: (T2,).

A binding element is enabledif and only if:

There are enough tokens (of the correct colours oneach input-place).

The guardevaluates to true.

When a binding element is enabled it may occur:

A multi-set of tokens is removedfrom eachinput-place.

A multi-set of tokens is addedto each

output-place.

A binding element may occur concurrently to otherbinding elements iff there are so many tokensthat each binding element can get its "own share".

8/22/2019 Cpn Slides 96

12/100


Main characteristics of CP-nets

Combination oftextand graphics.

Declarations and net inscriptions are specified bymeans of a formal language, e.g., aprogramminglanguage.

Types, functions, operations, variables andexpressions.

Net structure consists of places, transitions andarcs (forming a bi-partite graph).

To make a CP-net readable it is important to

make a nice graphical layout. The graphical layout has no formal meaning.

CP-nets have the same kind ofconcurrencyproperties as Place/Transition Nets.

8/22/2019 Cpn Slides 96

13/100


Formal definition of CP-nets

Definition:A Coloured Petri Net is a tuple CPN= (, P, T, A, N,

C, G, E, I)satisfying the following requirements:

(i) is a finite set of non-empty types, called colour sets.

(ii) P is a finite set ofplaces.

(iii) T is a finite set oftransitions.

(iv) A is a finite set ofarcs such that: PT=PA=TA=.

(v) N is a node function. It is defined from A into P TTP.

(vi) C is a colour function. It is defined from P into .

(vii) G is a guard function. It is defined from T into expressions

such that:

tT:[Type(G(t))=BoolType(Var(G(t)))].

(viii) E is an arc expression function. It is defined from A into

expressions such that:

aA:[Type(E(a)) = C(p(a))MS Type(Var(E(a))) ]

where p(a) is the place of N(a).

(ix) I is an initialization function. It is defined from P into

closed expressions such that: pP:[Type(I(p))=C(p)MS].

8/22/2019 Cpn Slides 96

14/100


Formal definition of behaviour

Definition:A step is a multi-set of binding elements.

A step Y is enabled in a marking M iff the following property is

satisfied:

pP: (t,b) Y

E(p,t)M(p).

When a step Y is enabled in a marking M 1 it may occur, changingthe marking M1 to another marking M2, defined by:

pP:M2(p) = (M1(p) (t,b) Y

E(p,t)) + (t,b) Y

E(t,p).

The first sum is called the removed tokens while the second is

called the added tokens. Moreover we say that M2 is directly

reachable from M1 by the occurrence of the step Y, which we alsodenote: M1[YM2.

An occurrence sequence is a sequence of markings and steps:

M1[Y1M2[Y2M3 Mn[YnMn+1such thatMi[YiMi+1for all i 1..n. We then say that Mn+1 isreachable from M1.We use [M to denote the set of markingswhich are reachable from M.

8/22/2019 Cpn Slides 96

15/100


Formal definition

The existence of aformal definition is veryimportant:

It is the basis for simulation, i.e., execution of theCP-net.

It is also the basis for theformal verification

methods (e.g., state spaces and place invariants). Without the formal definition, it would have

been impossible to obtain a soundnet class.

It is not necessary for a userto know the formaldefinition of CP-nets:

The correct syntax is checked by the CPN editor,i.e., the computer tool by which CP-nets areconstructed.

The correct use of the semantics (i.e., theenabling rule and the occurrence rule) is

guaranteed by the CPN simulator and theCPN tools for formal verification.

8/22/2019 Cpn Slides 96

16/100


High-level contra low-level nets

The relationship between CP-nets andPlace/Transition Nets (PT-nets) is analogous tothe relationship between high-level programminglanguages and assembly code.

In theory, the two levels have exactly the samecomputational power.

In practice, high-level languages have muchmore modelling power because they have betterstructuring facilities, e.g., types and modules.

Each CP-net has an equivalentPT-net and vice

versa. This equivalence is used to derive the definition

ofbasic properties and to establish theverification methods.

In practice, we nevertranslate a CP-net into aPT-net or vice versa.

Description, simulation and verification are donedirectly in terms of CP-nets.

8/22/2019 Cpn Slides 96

17/100


Other kinds of high-level nets

CP-nets have been developed fromPredicate/Transition Nets.

Hartmann Genrich & Kurt Lautenbach.

With respect to description and simulation thetwo models are nearly identical.

With respect toformal verification there aresome differences.

Several other kinds of high-level Petri Nets exist.

They all build upon the same basic ideas, but use

different languages for declarations andinscriptions.

A detailed comparison is outside the scope ofthis talk.

8/22/2019 Cpn Slides 96

18/100


Simple protocol

Send

PacketTransmit

Packet

Receive

Packet

Receive

Acknow.

Transmit

Acknow.

Send

INTxDATA1`(1,"Modellin")+1`(2,"g and An")+

1`(3,"alysis b")+

1`(4,"y Means ")+

1`(5,"of Colou")+

1`(6,"red Petr")+

1`(7,"i Nets##")+

1`(8,"########")

NextSendINT

1

DINT

A

INTxDATA

Received

DATA

""

NextRec

INT

1

B

INTxDATA

CINT

RP8

Int_0_10

RAInt_0_10

8

Sender Network Receiver

type INT = int;

type BOOL = bool;

type DATA = string;type INTxDATA = product INT * DATA;

var n, k : INT;

var p,str : DATA;

val stop = "########";

type Int_0_10 = int with 0..10;

type Int_1_10 = int with 1..10;

var s : Int_0_10;

var r : Int_1_10;

fun Ok(s : Int_0_10, r : Int_1_10) = (rs);

(n,p) (n,p)

if Ok(s,r)

then 1`(n,p)

else empty

(n,p)

(n,p)

if n=k

andalso

pstop

then str^p

else str

if n=k

then k+1

else k

n

k

if n=k

then k+1

else k

if Ok(s,r)

then 1`n

else empty

n

k n

str

s

sn

8/22/2019 Cpn Slides 96

19/100


Send packet

Send

INTxDATA8

1`(1,"Modellin")+ 1`(2,"g and An")

+ 1`(3,"alysis b")

+ 1`(4,"y Means ")

+ 1`(5,"of Colou")

+ 1`(6,"red Petr")

+ 1`(7,"i Nets##")

+ 1`(8,"########")

Send

Packet A

INTxDATA

NextSendINT

1

1 1`1

(n,p)

(n,p)

n

Only the binding is enabled.

When the binding occurs it adds a token to

place A. The token represents that the packet(1,"Modellin") is sent to the network.

The packet is notremoved from place SendandtheNextSendcounter is notchanged.

8/22/2019 Cpn Slides 96

20/100


Transmit packet

A

INTxDATA

1 1 (1,"Modellin")

Transmit

Packet

RP8

Int_0_10

1 1`8

B

INTxDATA

(n,p)

if Ok(s,r)then 1`(n,p)

else empty

s

There are now 10 enabled bindings:

They are all of the form.

The variable r can take 10 different values,because the type of r is defined to contain theintegers 1. .10.

Thefunction Ok(s,r) checks whether r s.

For r1..8, Ok(s,r) = true. This means that thetoken is moved from A to B, i.e., that the packet issuccessfully transmittedover the network.

For r9..10, Ok(s,r) = false. This means that notoken is added to B, i.e., that the packet is lost.

The CPN simulator make random choicesbetween enabled bindings. Hence there is 80%chance for successful transfer.

8/22/2019 Cpn Slides 96

21/100


Receive packet

B

INTxDATA

1 1 (1,"Modellin")

Receive

Packet

NextRecINT

1

1 1`1

Received

DATA

""1 1`""

C

INT

(n,p)

if n=k

andalso

pstop

then str^pelse str

if n=k

then k+1

else k

k

if n=k

then k+1

else k

str

It is checked whether the number of the incomingpacket n matches the number of the expectedpacket k.

8/22/2019 Cpn Slides 96

22/100


Correct packet number

B

1 1`(3,"alysis b")

Receive

PacketNextRec

1 1`3

Received 1 1`"Modelling and An"

C

(n,p)1

1`(3,"alysis b")

if n=k

andalso

pstop

then str^p

else str

11`"Modelling and Analysis b"

if n=k

then k+1

else k

1

1`4

k

1

1`3

if n=k

then k+1else k

11`4

str

1

1`"Modelling and An"

The data in the packet is concatenatedto the dataalready received.

TheNextRec counter is increased by one.

An acknowledgement message is sent. It containsthe number of the next packet which the receiverwants to get.

8/22/2019 Cpn Slides 96

23/100


Wrong packet number

B

1 1`(2,"g and An")

Receive

Packet

NextRec

1

1 1`3


C

(n,p)

1

1`(2,"g and An")

if n=k

andalso

pstop

then str^p

else str


if n=k

then k+1

else k

1

1`3

k

1

1`3

if n=k

then k+1

else k

1

1`3

str

1


The data in the packet is ignored.

TheNextRec counter is unchanged.

An acknowledgement message is sent. It containsthe number of the next packet which the receiver

wants to get.

8/22/2019 Cpn Slides 96

24/100


Transmit acknowledgement

C

INT

1 1`2

Transmit

Acknow.D

INT

RAInt_0_10

81 1`8

nif Ok(s,r)

then 1`n

else empty

s

This transition works in a similar way asTransmit Packet.

The token on placeRA determines the success

rate for transmission of acknowledgements. WhenRA contains a token with value 8, the

success rate is 80%.

WhenRA contains a token with value 10, noacknowledgements are lost.

WhenRA contains a token with value 0, allacknowledgements are lost.

8/22/2019 Cpn Slides 96

25/100


Receive acknowledgement

Receive

Acknow.

NextSendINT

1

1 1`1

DINT

1 1`2

n

k n

When an acknowledgement arrives to the Senderitis used to update theNextSendcounter.

In this case the counter value becomes 2, andhence the Senderwill begin to send packetnumber 2.

8/22/2019 Cpn Slides 96

26/100


Intermediate state

Send

Packet

Transmit

Packet

Receive

Packet

Receive

Acknow.

Transmit

Acknow.

Send

INTxDATA

8


+ 1`(3,"alysis b")

+ 1`(4,"y Means ")

+ 1`(5,"of Colou")

+ 1`(6,"red Petr")

+ 1`(7,"i Nets##")

+ 1`(8,"########")

NextSendINT

1

1 1`5

D

INT

1 1`6

A

INTxDATA

Received

DATA

""1 1`"Modelling and

Analysis by Means

of Colou"

NextRec

INT

1

1 1`6

B

INTxDATA

1 1`(5,"of Colou")

C

INT

1 1`6


RP8

Int_0_10

1 1`8

RAInt_0_10

81 1`8

(n,p) (n,p)

if Ok(s,r)

then 1`(n,p)

else empty

(n,p)

(n,p)

if n=k

andalso

pstop

then str^p

else str

if n=k

then k+1

else k

n

k

if n=k

then k+1

else k

if Ok(s,r)then 1`n

else empty

n

k n

n

str

s

s

TheReceiveris expecting package no. 6. This

means that it has successfully received the first 5packets.

The Senderis still sending packet no. 5. In amoment it will receive an acknowledgementcontaining a request for packet no. 6.

When the acknowledgement is received theNextSendcounter is updated and the Senderwillstart sending packet no. 6.

8/22/2019 Cpn Slides 96

27/100


Final state

Send

Packet

Transmit

Packet

Receive

Packet

Receive

Acknow.

Transmit

Acknow.

Send

INTxDATA

8


+ 1`(3,"alysis b")

+ 1`(4,"y Means ")

+ 1`(5,"of Colou")

+ 1`(6,"red Petr")

+ 1`(7,"i Nets##")

+ 1`(8,"########")

NextSendINT

1

1 1`9

D

INT

A

INTxDATA

Received

DATA


Analysis by Means

of Coloured Petri

Nets##"

NextRec

INT

1

1 1`9

B

INTxDATA

C

INT


RP8

Int_0_10

1 1`8

RAInt_0_10

81 1`8

(n,p) (n,p)

if Ok(s,r)

then 1`(n,p)

else empty

(n,p)

(n,p)

if n=k

andalso

pstop

then str^p

else str

if n=k

then k+1

else k

n

k

if n=k

then k+1

else k

if Ok(s,r)then 1`n

else empty

n

k n

n

str

s

s

When the last packet, i.e., packet no. 8 reaches

theReceiveran acknowledgement with value 9 issent.

When this acknowledgement reaches the SendertheNextSendcounter is updated to 9.

This means that the Send Packettransition nolonger can occur, and hence the transmissionstops.

8/22/2019 Cpn Slides 96

28/100


Part 2: Hierarchical CP-nets

A hierarchical CP-net contains a number ofinterrelated subnets calledpages.

D

INTxINT

A

INTxDATA

Received

DATA

""

B

INTxDATA

C

INT

Sender

HS

Sender

Network

HS

Network

Receiver

HS

Receiver

Simple Protocol

Send

Packet

NextSendINT

1

Receive

Acknow.

Send

INTxDATA

D

INTxINT

A

INTxDATA

Transmit

Packet

RP8

Int_0_10

RAInt_0_10

8

Transmit

Acknow.D

INTxINT

C

INT

A

INTxDATA

B

INTxDATA

NextRec

INT

1

Receive

Packet

C

INT

Received

DATA

""

B

INTxDATA

Sender ReceiverNetwork

Out

Out

Out

In

In

InOut

In

I/O

(n,p)

k min(n1,n2)

n

(n,p)

1`(n1,1)+

1`(n2,2)

s

s

(n,p)

n

if Ok(s,r)

then 1`nelse empty

if Ok(s,r)then 1`(n,p)

else empty

k

if n=k

then k+1

else k

(n,p)

if n=k

andalsopstop

then str^p

else str

if n=k

then k+1else k

str

8/22/2019 Cpn Slides 96

29/100


Substitution transitions

A page may contain one ore more substitutiontransitions.

Each substitution transition is related to apage,i.e., a subnetproviding a more detaileddescription than the transition itself.

The page is a subpage of the substitutiontransition.

There is a well-defined interface between asubstitution transition and its subpage:

The places surrounding the substitution transition

are socket places.

The subpage contains a number ofport places.

Socket places are relatedto port places in asimilar way as actual parameters are related toformal parameters in a procedure call.

A socket place has always the same marking asthe related port place. The two places are justdifferent views of the same place.

Substitution transitions work in a similar way as

the refinement primitives found in many systemdescription languages e.g., SADT diagrams.

8/22/2019 Cpn Slides 96

30/100


Pages can be used more than once

D

INTxINT

A

INTxDATA

Received

DATA

""

B1

INTxDATA

C1

INT

Sender

HS

Sender

Network

HS

Network

RecNo1

HS

Receiver

B1->B

C1->C

B2

INTxDATA

C2

INT

RecNo2HS

Receiver

B2->B

C2->C

Received

DATA

""

Simple Protocol with 2 Receivers

Send

Packet

NextSendINT

1

Receive

Acknow.

Send

INTxDATA

D

INTxINT

A

INTxDATA

Transmit

Packet

RP8

Int_0_10

RA1Int_0_10

8

TransmitAcknow.

D

INTxINT

C1

INT

B2

INTxDATA

A

INTxDATA

B1

INTxDATA

RA2Int_0_10

8

Transmit

Acknow.C2

INT

NextRec

INT

1

Receive

Packet

C

INT

Received

DATA

""

B

INTxDATA

Sender ReceiverNetwork

Out

Out

Out

Out

In

In

In

Out

In

In

I/O

(n,p)

k min(n1,n2)

n

(n,p)

1`(n1,1)+

1`(n2,2)

s

s

(n,p)

if Ok(s,r2)

then 1`(n,p)else empty

n

if Ok(s,r)

then 1`(n,1)else empty

if Ok(s,r1)then 1`(n,p)

else empty

s

nif Ok(s,r)

then 1`(n,2)

else empty

k

if n=k

then k+1else k

(n,p)

if n=k

andalsopstop

then str^pelse str

if n=kthen k+1

else k

str

There are two different instances of theReceiverpage. Each instance has its own marking.

8/22/2019 Cpn Slides 96

31/100


Ring network

4to1PACK

1to2

PACK

Site1

HS

Site

4to1->Incoming

1to2->Outgoing

2to3 PACK

Site2

HS

Site

1to2->Incoming

2to3->Outgoing

3to4

PACK

Site3HS

Site

2to3->Incoming

3to4->Outgoing

Site4HS

Site

3to4->Incoming

4to1->Outgoing

Ring Network

NewPack

PackNo

INT 1

Package

PACK

Send

Outgoing

PACK

Out

Incoming

PACKIn

Receive

Site

Received

PACK

n+1n

{se=this(), re=r, no=n}

p

if #re p this()

then 1`p

else empty

p

if #re p this()

then 1`p

else empty

if #re p = this()

then 1`p

else empty

if #re p = this()

then 1`p

else empty

8/22/2019 Cpn Slides 96

32/100


Formal definition of hierarchical

CP-netsThe syntax and semantics of hierarchical CP-netshaveformal definitions similar to the definitionsfor non-hierarchical CP-nets

Each hierarchical CP-net has an equivalentnon-hierarchical CP-net and vice versa.

The two kinds of nets have the samecomputational power but hierarchical CP-netshave much more modelling power.

The equivalence is used for theoretical purposes.

In practice, we nevertranslate a hierarchicalCP-net into a non-hierarchical CP-net or viceversa.

8/22/2019 Cpn Slides 96

33/100


CP-nets may be large

A typical industrial application of CP-netscontains:

10-200pages.

50-1000places and transitions.

10-200 colour sets.

This corresponds to thousands/millions of nodes ina Place/Transition Net.

Most of the industrial applications would be totallyimpossible without:

Colours.

Hierarchies.

Computer tools.

8/22/2019 Cpn Slides 96

34/100


Protocol for telephone network

Transport layer of a protocol for digital telephonecommunication.

ISDN#1

USER_TOP#2

NULL#3

DECLARE#4

CALL_REC#11

CONNECT#12

INCOMING#13

HIERARCHY#10010

CALL_INI#6

OVERLAP#9

OUTGOING#15

CALL_DEL#16

NULL_SET#5

ACTIVE#7

DISCONNE#8

RELEASE#17

DISC_IND#18

NET_TOP#19

NULL#20 U_SETUP#21

N_SETUP#22ROUTING#24

OUTGOING#26

N_E_PART#27

CALL_DEL#28

OVERLAP#29

CONNECT#30

N_D_PART#31

CALL_REC#32

DISCONNE#33

DISCONNE#34

RELEASE#35

ACTIVE#36

INCOMING#37

CALL_PRE#38

UREQ_GEN#39

U_DISC#23

U_REL#25

U_REL_CO#40

U_PROG#41

U_INFO#42

N_HOLD#44

U_HOLD#45

{

Users

U1

U7

U8

U9

U0

U2

U3

U4

U10

U11

U19

U12

N0

N3

N4

N2

N8

N7

N11

N12

N19

N10

N9

N6

Networks

Overview of the hierarchy structure:

Each node represents apage, i.e., a subnet.

Each arc represents a transition substitution.

8/22/2019 Cpn Slides 96

35/100


Two of the most abstract pages

UserToNetworkMessage

NetworkToUser

Message

Users Networks

------------------------------------------------------------------------------------------------------------

NetworkToUser

Message

UserToNetwork

Message

IntUserReq

UIntReq

U1 U2 U3 U4 U7 U8 U9 U10 U11 U12 U19U0

UREQ

In

Out

8/22/2019 Cpn Slides 96

36/100


Typical page for the user site

(u,{mt=DISC,

cr=cref,

ai=null})

(u,{mt = REL_COM,

cr = cref,

ai = null})

(u, {mt=STATUS,

cr=cref,

ai=Status 8})

(u,m)

(u,m)

(u,cref,b,s) (u,cref,b,s) (u,cref,b,s)

(u,0,none,s)

(u,{mt=CLEAR_REQ,

ai=Callref cref})

U8UserState

NetworkToUser

Message

In

[#mt m =

STATUS_ENQ,

cref= #cr m]

[#mt m =

REL_COM,

cref= #cr m]

[#mt m = DISC,

cref= #cr m]

[#mt m =

CONN_ACK,

cref= #cr m]

UserToNetwork

Message

Out

U11 U10 U12 U0

[#mt m = REL,

cref= #cr m]

CLEAR_REQ

InternalUserReq

UIntReq

In (u,cref,b,s)

This page describes thepossible actions that canhappen when the user site is in state U8:

From the networkfive different kinds ofmessages may be received.

In addition there is one kind ofinternal userrequest.

In three of the cases a new message is sent to thenetwork site.

8/22/2019 Cpn Slides 96

37/100


Typical transition

(u, {mt=STATUS,

cr=cref,

ai=Status 8})

(u,m)

(u,cref,b,s)

NetworkToUserMessage

[#mt m =

STATUS_ENQ,

cref= #cr m]

UserToNetwork

Messa e

U8

UserState

type UserState =

product User* CallRef

* BChanName

* HoldStatus;

type MessageRec =

record mt : MessageType

* cr : CallReference

* ai : MessageData;

type Message =product User * MessageRec;

This transition describes the actions that are takenwhen a Status Enquiry message is received in stateU8:

The guard checks that the message is a StatusEnquiry message. It also checks that the CallReference is correct (i.e., matches the one in theUser State token at place U8).

A Status message is sent to the network site. Ittells that the user site is in state U8.

8/22/2019 Cpn Slides 96

38/100


SDL description of user page

CONN

ACKDISC REL

REL

COM

STATUS

ENQ

ANY

OTHER

MESSAGE

CLEAR

REQUEST

8 CONNECT

REQUEST

DISC

11

CONNECT

B-CHANNEL

TO USER

10

12RELEASE

CRV

RELEASE

CRV

REL

COM

0

0

FORM CAUSE

CALL STATE

(U8 OR U10)

STATUS

8

OPTION

Each vertical string of SDL symbols describes asequence of actions which is translated into asingle CPN transition.

The translation from SDL to CPN was donemanually.

The translation is straightforward and it couldeasily be automated.

The graphical shape of a node has a well-definedmeaning in SDL.

In the CP-net the shape is retained to improvethe readability. It has no formal meaning.

8/22/2019 Cpn Slides 96

39/100


Typical page for the network site

N6

NetState

NetFromNet

NIntReq

UserToNetwork

Message

"E"

[#mt m =

ALERT,

cref= #cr m]

NetToNet

NIntReq

NetworkToUser

Message

"D"

FIRST

TIMEOUT

T303

T303

NTimerCount

NBC

BChan

N0NetState

N7NetState

[#mt m =

CALL_PROC,

cref= #cr m]

[#mt m =

REL_COM,

cref= #cr m]

T310

NTimer

N9NetState

TimeOutEnab

SECOND

TIMEOUT

T303

NBC

BChan

In

In

Out

Out

[count=

first]%

(n,{mt=

N_ALERT,

ai=nnull},nnr)

(n,{mt=

N_PROG,

ai=nnull},

nnr)

(n,cref,first)

(n,cref,count)

(n,u,cref,

b,nnr)(n,no,0,

none,0)(n,u,cref,

b,nnr)

(n,u,cref,b,nnr)

(u,m)

(n,cref,count)

(n,cref)

(u,m)

(n,b,

0,free)

(u,{mt=

SETUP,

cr=cref,

ai=null})

(n,cref,second)

(n,b,cref,

in_use)

(n,{mt=N_PROG,

ai=nnull},nnr)

e

(n,{mt=

N_PROG,

ai=nnull},

nnr)

(n,b,

0,free)

(n,cref,second)

(n,u,cref,b,nnr)

(n,b,cref,

in_use)

Similar structure as for the user page but slightlymore complex.

8/22/2019 Cpn Slides 96

40/100


SDL description of network page

CALL

PROCALERT

REL

COMP

T303EXPIRES

D E

6 CALLPRESENT

STOP

T303

START

T310

PT.MULT.

RETAIN CAUSE

FROM FIRST

REL COMP

SEND PROG

WITH SIG = AUD.

RING AND

RETAINED CALLS TO

CALLING USER

STOP

T303

RELEASEB-CHANNEL

AND CRV

0NULL

RECORD

INDICATED

TERMINAL

STOP

T303

FIRSTALERT

SENDCALLING

USER ALERT

7 CALLRECEIVED

6 CALLPRESENT

SEND PROG TO

CALLING USER

WITH CAUSE =

NO USER

RESPONDING

SEND PROG TO

CALLING USER

WITH SIG = AUD.

RING AND IN-BAND

AUDIBLE RING

9 INCOMINGCALL PROCEEDING

NO

YES

FIRSTTIMEOUT

RELEASE

B-CHANNEL

AND CRV

SETUP

START

T303

0NULL

NO

NO

YES

YES

Similar structure as for the user page but slightlymore complex.

It is easy to see that there is a very straightforwardrelationship between the SDL page and thecorresponding CPN page.

8/22/2019 Cpn Slides 96

41/100


Some pages are used many times

ISDN#1

USER_TOP#2

NULL#3

DECLARE#4

CALL_REC#11

CONNECT#12

INCOMING#13

HIERARCHY#10010

CALL_INI#6

OVERLAP#9

OUTGOING#15

CALL_DEL#16

NULL_SET#5

ACTIVE#7

DISCONNE#8

RELEASE#17

DISC_IND#18

NET_TOP#19

NULL#20 U_SETUP#21

N_SETUP#22ROUTING#24

OUTGOING#26

N_E_PART#27

CALL_DEL#28

OVERLAP#29

CONNECT#30

N_D_PART#31

CALL_REC#32

DISCONNE#33

DISCONNE#34

RELEASE#35

ACTIVE#36

INCOMING#37

CALL_PRE#38

UREQ_GEN#39

U_DISC#23

U_REL#25

U_REL_CO#40

U_PROG#41

U_INFO#42

N_HOLD#44

U_HOLD#45

{

Users

U1

U7

U8

U9

U0

U2

U3

U4

U10

U11

U19

U12

N0

N3

N4

N2

N8

N7

N11

N12

N19

N10

N9

N6

Networks

43 pages with more than 100 page instances.

The entire modelling of this fairly complex

protocol was made in only 3 weeks (by a singleperson).

According to engineers at the participatingtelecommunications company, the CPN modelwas the most detailedbehavioural model thatthey had ever seen for such protocols.

8/22/2019 Cpn Slides 96

42/100


Practical use of CP-nets

CP-nets are used in many different areas. A fewselected examples are:

Communication protocols (BRI, DQDB, ATM).

VLSI chips (clocked and self-timed).

Banking procedures (check processing and funds

transfer). Correctness of ADA programs (rendezvous

structure).

Teleshopping systems.

Military systems (radar control post and navalvessel).

Security systems (intrusion alarms, etc.).

Flexible manufacturing.

8/22/2019 Cpn Slides 96

43/100


Summary of practical experiences

Graphical representation and executability areextremely important.

Most practical models are large.

They cannot be constructed without thehierarchy concepts.

Neither can they be constructed or verifiedwithout the computer tools.

CP-nets are often used togetherwith othergraphical description languages, such as SADT,

SDL and block diagrams. This means that the user does not have to learn a

completely new language.

CP-nets are well-suited for verification of existingdesigns in particular concurrent systems.

CP-nets can also be used to design new systems.

Then it is possible to use the insightgainedthrough the modelling, simulation andverification activities to improve the designitself.

8/22/2019 Cpn Slides 96

44/100


Part 3: Construction and

Simulation of CP-netsCP-nets have an integratedset ofrobustcomputertools with reliable support:

Construction and modification of CPN models.

Syntax checking (e.g., types and module

interfaces). Interactive simulation, e.g., to gain additional

understanding of the modelled system. Can alsobe used for debugging.

Automatic simulations, e.g., to obtain

performance measures. Can also be used forprototyping.

Verification toprove behavioural properties.

State spaces (also called reachability graphsand occurrence graphs).

Place invariants.

The computer tools are available on differentplatforms:

Sun Sparc with Solaris.

Macintosh with Mac OS.

8/22/2019 Cpn Slides 96

45/100


CPN editor

Eachpage is shown in its own window.

The user performs an operation by selecting anobjectand a commandfor it, e.g.:

Select a transition (by pointing with the mouse).

Select the desired command(by pointing in the

corresponding drop-down menu).Commands can be performed on a set of objects.

8/22/2019 Cpn Slides 96

46/100


Editor knows syntax of CP-nets

Some kinds of errors are impossible, e.g.: An arc between two places or two transitions.

A place with two colour sets or an arc with twoarc expressions.

A transition with a colour set.

Port assignment involving a place which is anon-socketor a non-port.

A cyclic set ofsubstitution transitions.

The editor behaves intelligently:

AU

B

U

Trans[xy]

AU

B

U

Trans[xy]

AU

BU

Trans

[xy]

AU

BU

(x,y)

f(x,y)

(x,y)

f(x,y)

(x,y)

f(x,y)

When a node is repositionedor resizedthesurrounding arcs and inscriptions areautomatically adjusted.

When a node is deletedthe surrounding arcs areautomatically deleted.

8/22/2019 Cpn Slides 96

47/100


Attributes

Each graphical object has its own attributes.They determine how the object appears on thescreen/print-outs:

Transition TTTTTTrrrrrraaaaaannnnnnssssssiiiiiittttttiiiiiioooooonnnnnn Transition Text attributes Graphical attributes Shape attributes

Each kind of objects has its own defaults:

Place Name

Colour Set

Initial Marking

Transition

Name[Guard]

Arc Expression

Defaults can be changedand they can beoverwritten (for individual objects).

8/22/2019 Cpn Slides 96

48/100


Easy to experiment

[not(locked(r))]

C

Get Record Lock

@+CPUlock()

TRANSP7Out

TRANS_REQ

P1In

LOCK_DB

Lock Table

FG

TRANS_REQ

P2

[i>1]Reserve Page

C

@+CPUreserve()

APP_REQ

P4

APP_REQ

P6

Read DataFrom Buffer

@+CPUread()

C

[buffered(r)]

Bypass Disk Access

C

@+CPUbypass()

Record Read

HS DiskAccess

APP_REQP5

C@+CPUupdate()

Update Buffer

BUFFER_DB

Buffer Table

FG

TRANS_REQ_QUEUE

( [ ] , [ ] )P3

[need_disk_read(r),page_clean_proc()]

Queue RequestC

In Line Cleaning

HS

PageCleaning

(t,r)

(t,r)

ldb

(TAPP t,dr)

(TAPP t,DiskReqOfRec(r))

(t,r)


t

i

(ap,dr)

(ap,dr)

i

tq

((t,r)::trl1,trl2)

(t,r)

tq

(trl1,trl2)

i

i

i

i -1

Can we improve the layoutof this page?

8/22/2019 Cpn Slides 96

49/100


Improved layout

[not(locked(r))]

C

Get Record Lock

@+CPUlock()

TRANSP7Out

TRANS_REQ

P1In

LOCK_DB

Lock Table

FG

TRANS_REQ

P2

[i>1]Reserve Page

C@+CPUreserve()

APP_REQ

P4

APP_REQ

P6

Read DataFrom Buffer

@+CPUread()C

[buffered(r)]

Bypass Disk Access

C

@+CPUbypass()

Record Read

HS DiskAccess

APP_REQP5

C @+CPUupdate()

Update Buffer

BUFFER_DB

Buffer Table

FG

TRANS_REQ_QUEUE

( [ ] , [ ] )P3

[need_disk_read(r),

page_clean_proc()]

Queue Request

C

In Line Cleaning

HS

PageCleaning

(t,r)

(t,r)

ldb

(TAPP t,dr)


(t,r)


t

i

(ap,dr)

(ap,dr)

i

tq

((t,r)::trl1,trl2)

(t,r)

tq

(trl1,trl2)

i

i

i

i -1

8/22/2019 Cpn Slides 96

50/100


How to make a new subpage

Receive all

Acknowledg-

ments

Update

and

Send Messages

Send an

Acknowledg-

ment

Receive

a

Message

Performing

DBM

InactiveDBM

DBMWaiting

DBM

Unused

MES

MES

Sent

MES

Received

MES

Acknowledged

MES

Active

E

Passive

E

e

DataBase#1

Mes(s) (s,r)

(s,r)

(s,r)

(s,r)Mes(s)

Mes(s)

Mes(s)

ss

s s

r r

rr

e

e e

e

We want to move the four selected nodes to a newpage and replace them by a substitutiontransition:

This is done by a single command calledMoveto Subpage.

8/22/2019 Cpn Slides 96

51/100


Result of Move to Subpage

Receive all

Acknowledg-

ments

Update

and

Send Messages

InactiveDBM

DBM

Waiting

DBM

Unused

MES

MES

Sent

MES

Acknowledged

MES

Active

E

Passive

E

e

HS

New#2

DataBase#1

Receive

a

Message

Received

MES

Send an

Acknowledg-

ment

Performing

DBM

InactiveDBM

DBM

I/O

AcknowledgedMES

Out

Sent

MES

In

New#2

Mes(s)

(s,r)

(s,r)

Mes(s)

Mes(s)

Mes(s)

ss

s s

r

r

e

e e

e

(s,r)

(s,r)

r

r

(s,r)

(s,r)

r

r

8/22/2019 Cpn Slides 96

52/100


Move to Subpage is complex

TheMove to Subpage command is complex. Thecommand:

Checks the legality of the selection (all bordernodes must be transitions).

Creates the new page.

Moves the subnetto the new page. Prompts the userto create a new transition which

becomes the supernode for the new subpage.

Creates theport places by copying those placeswhich were next to the selected subnet.

Calculates theport types (in, out or in/out).

Creates the correspondingport inscriptions.

Constructs the necessary arcs between the portnodes and the selected subnet.

Draws the arcs surrounding the new transition. Creates a hierarchy inscription for the new

transition.

Updates the hierarchy page.

All these things are done in afew seconds.

8/22/2019 Cpn Slides 96

53/100


Top-down and bottom-up

Move to Subpage supports top-down development.However, it is also possible to workbottom-up oruse a mixture of top-down and bottom-up.

The Substitution Transition command is used torelate a substitution transition to an existing page.The command:

Makes the hierarchy page active.

Prompts the userto select the desired subpage;when the mouse is moved over a page node itblinks, unless it is illegal (because selecting itwould make the page hierarchy cyclic).

Waits until a blinkingpage node has beenselected.

Tries to deduce theport assignmentby means ofa set of rules which looks at the port/socketnames and the port/socket types.

Creates the hierarchy inscription with the nameand number of the subpage and with those partsof the port assignment which could beautomatically deduced.

Updates the hierarchy page.

8/22/2019 Cpn Slides 96

54/100


Syntax checking

When a CPN diagram has been constructed it canbe syntax checked.

The most common errors are:

Syntax errors in the declarations.

Syntax errors in arc expressions or guards. Type mismatch between arc expressions and

colour sets.

Syntax checking is incremental:

When a colour set, guard or an arc expression ischanged, it is sufficientto recheck the nearestsurroundings.

Analogously, if an arc is added or removed.

All CPN diagrams in this set of lecture notes aremade by means of the CPN editor.

8/22/2019 Cpn Slides 96

55/100


CPN simulator

When a syntactical correctCPN diagram has beenconstructed, the CPN tool generates the necessarycode to perform simulations.

The simulation code:

Calculates whether the individual transitions and

bindings are enabled. Calculates the effect of occurring transitionsand

bindings.

The code generation is incremental. Hence it is fastto make small changes to the CPN diagram.

We distinguish between two kinds of simulations:

In an interactive simulation the user is in control,but most of the work is done by the system.

In an automatic simulation the system does allthe work.

8/22/2019 Cpn Slides 96

56/100


Interactive simulation

Send

Packet

Transmit

Packet

Receive

Packet

Receive

Acknow.Transmit

Acknow.

Send

INTxDATA

8


+ 1`(3,"alysis b")

+ 1`(4,"y Means ")

+ 1`(5,"of Colou")

+ 1`(6,"red Petr")

+ 1`(7,"i Nets##")

+ 1`(8,"########")

NextSendINT

1

1 1`5

D

INT

1 1`6

A

INTxDATA

Received

DATA


Analysis by Means

of Colou"

NextRec

INT

1

1 1`6

B

INTxDATA

1 1`(5,"of Colou")

C

INT

1 1`6


RP8

Int_0_10

1 1`8

RAInt_0_10

81 1`8

(n,p) (n,p)

if Ok(s,r)

then 1`(n,p)

else empty

(n,p)

(n,p)

if n=k

andalso

pstop

then str^p

else str

if n=k

then k+1

else k

n

k

if n=k

then k+1

else k

if Ok(s,r)

then 1`n

else empty

n

k n

n

str

s

s

Simulation results are shown directly on the CP-net:

The user can see the enabled transitions and themarkings of the individual places.

To execute a step, the user:

Selects one of the enabled transitions.

Then he eitherenters a binding or asks the

simulator to calculate all the enabled bindings, sothat he can select one.

8/22/2019 Cpn Slides 96

57/100


Execution of a step

The simulator: Checks the legality and enabling of the binding.

Calculates the result of the execution.

The userdetermines whether the simulator

displays the tokens which are added/removed:

B

1 1`(3,"alysis b")

ReceivePacket

NextRec

1 1`3


C

(n,p)1

1`(3,"alysis b")

if n=k

andalso

pstop

then str^p

else str

11`"Modelling and Analysis b"

if n=k

then k+1

else k

1

1`4

k

1

1`3

if n=k

then k+1

else k

11`4

str

1


8/22/2019 Cpn Slides 96

58/100


Interactive simulation with

random selection of stepsThe simulator chooses between conflictingtransitions and bindings (by means of a randomnumber generator).

The user can observe all details, e.g., the markings

the enabling and the added/removed tokens. The simulator shows the page on which each step

is executed by moving the correspondingwindow to the top of the screen.

The user can set breakpoints so that he has thenecessary time to inspect markings, enablings,etc.

A simulation with this amount of graphical feedbackis slow (typically a few transitions per minute):

It takes a lot of time to update the graphics.

A user has no chance to follow a fast simulation.

It is possible to turn offselected parts of thegraphical feedback, e.g.:

Added and removed tokens.

Observation ofuninteresting pages.

8/22/2019 Cpn Slides 96

59/100


Automatic simulation

The simulator chooses between conflictingtransitions and bindings (by means of a randomnumber generator).

The user does notintend to follow the simulation:

The simulation can be very fast several

hundred steps per second. The user specifies some stop criteria, which

determine the duration of the simulation.

When the simulation stops the graphics of theCP-net is updated.

Then the user can inspect all details of thegraphics, e.g., the enabling and the marking.

Automatic simulations can be mixedwithinteractive simulations.

To find out what happens during an automaticsimulation the user has a number of choices.

8/22/2019 Cpn Slides 96

60/100


Simulation report

1 SendPack@(1:Top#1) {n = 1, p = "Modellin"}2 TranPack@(1:Top#1) {n = 1, p = "Modellin", r = 6, s = 8}3 SendPack@(1:Top#1) {n = 1, p = "Modellin"}4 TranPack@(1:Top#1) {n = 1, p = "Modellin", r = 3, s = 8}5 RecPack@(1:Top#1) {k = 1, n = 1, p = "Modellin",

str = ""}6 SendPack@(1:Top#1) {n = 1, p = "Modellin"}7 SendPack@(1:Top#1) {n = 1, p = "Modellin"}8 TranAck@(1:Top#1) {n = 2, r = 2, s = 8}9 TranPack@(1:Top#1) {n = 1, p = "Modellin", r = 7, s = 8}10 RecPack@(1:Top#1) {k = 2, n = 1, p = "Modellin",

str = "Modellin"}11 RecAck@(1:Top#1) {k = 1, n = 2}12 RecPack@(1:Top#1) {k = 2, n = 1, p = "Modellin",

str = "Modellin"}13 TranAck@(1:Top#1) {n = 2, r = 7, s = 8}14 TranPack@(1:Top#1) {n = 1, p = "Modellin", r = 6, s = 8}

15 RecAck@(1:Top#1) {k = 2, n = 2}16 SendPack@(1:Top#1) {n = 2, p = "g and An"}17 TranAck@(1:Top#1) {n = 2, r = 6, s = 8}18 RecPack@(1:Top#1) {k = 2, n = 1, p = "Modellin",

str = "Modellin"}19 RecAck@(1:Top#1) {k = 2, n = 2}20 SendPack@(1:Top#1) {n = 2, p = "g and An"}

The simulation reportshows the transitions whichhave occurred. The user determines whether healso wants to see the bindings.

8/22/2019 Cpn Slides 96

61/100


Charts

Packets Received

Step No.

0 20 40 60 80 100 120 140 160 180 200

Packet No

0

1

2

3

4

5

6

7

8

9

10

Packetspack1pack2

pack3

pack4

pack5

pack6

pack7

pack8

5

5

7

5

4

0 1 2 3 4 5 6 7 8 9 10

0 1 2 3 4 5 6 7 8 9 10

Successes

Failures

Lost

Enroute

These charts are used to show theprogress of asimulation of the simple protocol:

The upper chart is updated each time a new

packet is successfully received. The lower chart is updated for each 50 steps.

8/22/2019 Cpn Slides 96

62/100


Other kinds of graphics

u(1)

Short

u(3)

Short

u(4)

Inac

u(6)

Ring

u(10)

NoTo

u(9)

Inac

u(8)

Conn

u(7)

Conn

u(5)

Short

u(2)

Long

This graphic is used to display the state of a simpletelephone system. The graphics is updated eachtime one of the telephones changes to a new state:

Telephones u(7) and u(8) are connected.

Telephone u(2) is calling u(6) which is ringing.

Telephone u(10) is calling u(2). This call will notsucceedbecause u(2) already is engaged.

8/22/2019 Cpn Slides 96

63/100


Code segments

Each transition may have a code segment, i.e., asequence ofprogram instructions which areexecuted each time the transition occurs.

NoToneU

LongU

Free C

input (x,y);action

UpdateState(x,Long);

UpdateState(y,Ringing);

UpdateConn(x,y,Call);

RingingU

RequestUxU

CallUxU

EngagedU

InactiveU

x

x

y

(x,y)

(x,y)

y

y

The instructions in code segment are used toupdate charts and graphics.

This is done by calling a number oflibraryfunctions.

Usually, the code segment does notinfluence thebehaviourof the CP-net (i.e., the enabling andoccurrence).

However, a code segment may read and writefrom files.

In this way it is possible to input values to beused during the simulation, or to outputsimulation results.

8/22/2019 Cpn Slides 96

64/100


Standard ML

Declarations, net inscriptions and code segmentsare specified in aprogramming language calledStandard ML.

Strongly typed,functional language.

Data types can be:

Atomic (integers, reals, strings, booleans andenumerations).

Structured(products, records, unions, lists andsubsets).

Arbitrary complexfunctions and operations canbe defined (polymorphism and overloading).

Computational power of expressions areequivalent to lambda calculus (and hence toTuring machines).

Developed atEdinburgh University by RobinMilner and his group.

Standard ML is well-known, well-tested and verygeneral. Several text books are available.

8/22/2019 Cpn Slides 96

65/100


Time analysis

CP-nets can be extended with a time concept.Thismeans that the same language can be used toinvestigate:

Logical correctness.Desired functionality, absence of deadlocks, etc.

Performance.Remove bottlenecks. Predict mean waiting timesand average throughput. Compare differentstrategies.

In a timed CP-net each token carries a colour(data

value) and a time stamp (telling when it can beused).

Time stamps are specified by expressions:

Time stamps can depend upon colour values.

Time stamps can be specified byprobabilitydistributions.

This means that we, e.g., can specifyfixeddelays, interval delays and exponential delays.

8/22/2019 Cpn Slides 96

66/100


A timed CP-net for protocol

Send

Packet

@+9

Transmit

Packet

@+Delay()

Receive

Packet

@+17

Receive

Acknow.

@+7

Transmit

Acknow.

@+Delay()

Send

INTxDATA

NextSendINT

1

D

INT

A

INTxDATA

Received

DATA

""

NextRecINT

1

B

INTxDATA

C

INT


RP8Int_0_10

RAInt_0_10

8

Wait

TIME

100(n,p) (n,p)

if OK(s,r)

then 1`(n,p)

else empty (n,p)

if n=k

andalso

pstop

then str^p

else str

if n=k

then k+1

else kn

k

if n=k

then k+1

else k

if OK(s,r)

then 1`n

else empty

n

k n

n

str

(n,p) (n,p)@+wait

s

s

wait

For the three SendandReceive operations wespecify afixed delay.

For the networkwe specify an interval delay, i.e.,

random delay between 25 and 75 time units. The token colour on place Waitspecifies the

delay between two retransmissions of the samepacket.

The computer tools for CP-nets also support

simulation oftimedCP-nets.

8/22/2019 Cpn Slides 96

67/100


Timed simulation of protocol

Time: 570

SendPacket

@+9

TransmitPacket

@+Delay()

Receive

Packet

@+17

ReceiveAcknow.

@+7

TransmitAcknow.

@+Delay()

Send

INTxDATA

8 1`(1,"Modellin")@[218]+

1`(2,"g and An")@[670]+

1`(3,"alysis b")@[0]+ 1`(4,"y

Means ")@[0]+ 1`(5,"of

Colou")@[0]+ 1`(6,"red

Petr")@[0]+ 1`(7,"i

Nets##")@[0]+

1`(8,"########")@[0]

NextSendINT

1

1 1`2@[570]

D

INT

1 1`3@[593]

A

INTxDATA

1

1`(2,"g and

"

Received

DATA

1 1`"Modelling and An"

""

NextRecINT

1

1 1`3@[548]

B

INTxDATA

C

INT


RP8

Int_0_10 1 1`8

RAInt_0_10

1 1`88

WaitTIME

1 1`100(n,p) (n,p)

if OK(s,r)

then 1`(n,p)

else empty (n,p)

if n=k

andalso

pstop

then str^pelse str

if n=k

then k+1

else kn

k

if n=k

then k+1

else k

if OK(s,r)

then 1`n

else empty

n

k n

n

str

(n,p) (n,p)@+wait

s

s

wait

Model time is now 570.

Send Packethas sent a copy of packet no. 2 attime 570.

If no acknowledgement arrives another copy ofpacket no. 2 will be sent at time 670.

The only transition which is enabled at time 570

is Transmit Packet.

8/22/2019 Cpn Slides 96

68/100


Timed simulations

Timed simulations have the same facilities asuntimed simulations, e.g.:

We can switch between interactive andautomatic simulation.

Simulation reports tell the time at which the

individual transitions occurred. We can use charts and other kinds ofreportingfacilities.

It is easy to switch between a timedand an untimedsimulation.

8/22/2019 Cpn Slides 96

69/100


Charts for a timed simulation

Time

Time

0 500 1000 1500 2000 2500 3000 3500 4000

Run No.

1

2

3

4

5

6

7

8

9

Step

Step

0 20 40 60 80 100 120 140 160

Run No.

1

2

3

4

5

67

8

9

25 : 1080

100 : 1576

200 : 2014

25 : 119

100 : 78

200 : 53

Short interval between retransmisions impliesfast transmission with heavy use of the network.

Long interval between retransmisions impliesslow transmission with less use of the network.

To get reliable results it is necessary to make alarge numberoflengthy simulation runs.

8/22/2019 Cpn Slides 96

70/100


Part 4: VerificationofCP-nets

In this part of the talk we describe the two mostimportant methods for verification of CP-nets:

State spaces (also called reachability graphs andoccurrence graphs).

Place invariants.

We also describe how the verification methods aresupported by computer tools.

8/22/2019 Cpn Slides 96

71/100


State space analysis

AU

3`q

BU

2`p

CU

DU

EU

T1

T2

T3

T4

T5

R

E

1è

color U = with p | q;

color E = with e;

var x : U;

S

E

3è

T

E

2è

x

x

x

x

x

x

x

x

x

if x=q

then 1`q

else empty

e

if x=q then 1è

else empty

case x of

p => 2è

| q => 1è

2è

e

if x=p then 1èelse empty

e

case x of

p => 2è| q => 1è

if x=pthen 1`p

else empty

To obtain afinite state space we remove the cyclecounters. Otherwise there would be an infinitenumber of reachable markings.

8/22/2019 Cpn Slides 96

72/100


State space for resource allocation

0

2

2

QQ

PPQ

#5

1

3

2

QQQ

PP

#1

1

12

QQQ

P

P

#2

0

1

2

QQ

PP

Q

#9

1

1

2

QQ

PP

Q

#10

1

1

1

QQ

PP

Q#12

1

1

1

QQQ

P

P

#3

1

1

0

QQQ

P

P

#4

0

0

2

QQ

PQ

P

#6

0

01

QQ

PQ

P

#7

0

0

0

QQ

PQ

P

#8

0

0

2

QPPQ

Q

#11

0

0

1

Q

PPQ

Q

#13

(T1,Q)

(T2,P)

(T2,Q)

(T3,Q)

(T4,Q)

(T5,Q)

(T3,P)

(T4,P)

(T1,Q)

(T2,P)

(T3,P)

(T5,P)

(T1,Q)

(T1,Q)

(T4,P)

(T5,P)

(T1,Q) (T4,Q)

(T1,Q)

(T5,Q)

Directed graph with:

A node for each reachable marking (i.e., state).

An arc for each occurring binding element.

8/22/2019 Cpn Slides 96

73/100


Some questions that can be

answered from state spacesBoundedness properties:

What is the maximal numberof tokens on thedifferent places?

What is the minimal numberof tokens on the

different places? What are thepossible token colours?

Home properties:

Is it always possible to return to the initial

marking?

Liveness properties:

Are all transitions live, i.e., can they alwaysbecome enabled again?

8/22/2019 Cpn Slides 96

74/100


State space report for resource

allocation systemStatistics

Occurrence Graph

Nodes: 13Arcs: 20Secs: 1

Status: Full

Scc Graph


Boundedness Properties

Upper Integer Bounds

A: 3B: 3C: 1D: 1E: 1

R: 1S: 3T: 2

Upper Multi-set Bounds

A: 3`qB: 2`p+ 1`qC: 1`p+ 1`qD: 1`p+ 1`qE: 1`p+ 1`q

R: 1èS: 3èT: 2è

Lower Integer Bounds

A: 1B: 1C: 0D: 0E: 0

R: 0S: 0T: 0

Lower Multi-set Bounds

A: 1`qB: 1`pC: emptyD: emptyE: empty

R: emptyS: emptyT: empty

8/22/2019 Cpn Slides 96

75/100


State space report (continued)

Home PropertiesHome Markings: All

Liveness Properties

Dead Markings: None

Live Transitions: All

Fairness Properties

T1: No FairnessT2: ImpartialT3: Impartial

T4: ImpartialT5: Impartial

Generation of the state space report takes only afew seconds.

The report contains a lot ofuseful informationabout the behaviourof the CP-net.

The report is excellent for locating errors or toincrease our confidence in the correctness of thesystem.

8/22/2019 Cpn Slides 96

76/100


Strongly connected components

Subgraph where all nodes are reachable fromeach other.

Maximal subgraph with this property.

8/22/2019 Cpn Slides 96

77/100


Strongly connected components

are very usefulThere are often much fewerstrongly connectedcomponents than nodes:

A cyclic system has only one strongly connectedcomponent.

This is, e.g., the case for the resource allocationsystem.

The strongly connected components can bedetermined in linear time, e.g., by Tarjansalgorithm.

Strongly connected components can be used toanswer questions about home properties andliveness properties.

8/22/2019 Cpn Slides 96

78/100


State space for simple protocol

Send

Packet

Transmit

Packet

Receive

Packet

Receive

Acknow.Transmit

Acknow.

Send

INTxDATA 1`(1,"Coloured")+1`(2," Petri N")+

1`(3,"ets#####")+

1`(4,"########")

NextSendINT

1

D

INT

A

INTxDATA

Received

DATA

""

NextRec

INT

1

B

INTxDATA

C

INT


RP1

Int_0_2

RAInt_0_2

1

Max 2 tokens

Max 1 token Max 2 tokens

Max 1 token

(n,p) (n,p)

if Ok(s,r)

then 1`(n,p)

else empty

(n,p)

(n,p)

if n=k

andalso

pstop

then str^p

else str

if n=k

then k+1

else k

n

k

if n=k

then k+1

else k

if Ok(s,r)

then 1`nelse empty

n

k n

n

str

s

s

To obtain afinite state space we limit the numberof tokens on the buffer places A, B, C and D.Otherwise there would be an infinite number ofreachable markings.

Moreover, we now only have 4 packets and abinary choice between success and failure.

8/22/2019 Cpn Slides 96

79/100


State space report for protocol

StatisticsOccurrence Graph

Nodes: 4298Arcs: 15887Secs: 53Status: Full

Scc Graph


Boundedness Properties

Upper Integer Bounds

A: 1B: 2C: 1D: 2

NextRec: 1NextSend: 1

RA: 1RP: 1

Received: 1Send: 4

Lower Integer Bounds

A: 0B: 0C: 0D: 0

NextRec: 1NextSend: 1

RA: 1RP: 1

Received: 1Send: 4

8/22/2019 Cpn Slides 96

80/100



Upper Multi-set BoundsA: 1`(1,"Coloured")+ 1`(2," Petri N")+

1`(3,"ets#####")+ 1`(4,"########")B: 2`(1,"Coloured")+ 2`(2," Petri N")+

2`(3,"ets#####")+ 2`(4,"########")C: 1`2+ 1`3+ 1`4+ 1`5D: 2`2+ 2`3+ 2`4+ 2`5

NextRec: 1`1+1`2+1`3+1`4+1`5

NextSend: 1`1+1`2+1`3+1`4+1`5RA: 1`1RP: 1`1

Received: 1`""+ 1`"Coloured"+ 1`"Coloured Petri N"+1`"Coloured Petri Nets#####"

Send: 1`(1,"Coloured")+ 1`(2," Petri N")+1`(3,"ets#####")+ 1`(4,"########")

Lower Multi-set Bounds

A: emptyB: emptyC: emptyD: empty

NextRec: emptyNextSend: empty

RA: 1`1RP: 1`1

Received: emptySend: 1`(1,"Coloured")+ 1`(2," Petri N")+

1`(3,"ets#####")+ 1`(4,"########")

8/22/2019 Cpn Slides 96

81/100



Home PropertiesHome Markings: 1 [452]

Liveness Properties

Dead Markings: 1 [452]

Live Transitions: None

Fairness Properties

Send Packet: ImpartialTransmit Packet: ImpartialReceive Packet: No Fairness

Transmit Acknow: No FairnessReceive Acknow: No Fairness

Generation of the state space report takes only afew seconds.

The report contains a lot ofuseful informationabout the behaviourof the CP-net.

The report is excellent for locating errors or toincrease our confidence in the correctness of thesystem.

8/22/2019 Cpn Slides 96

82/100


Investigation of dead marking

We ask the system to display marking number 452.

4528:0

452

NextSend = 5

NextRec = 5

Received = "Coloured Petri Nets#####"

Marking no. 452 is the desired final marking (allpackets has been received in the correct order)

Marking 452 is dead:

This implies that the protocol ispartially correct(if execution stops it stops in the desired finalmarking).

Marking 452 is a home marking:

This implies that we always have a chance tofinish correctly (it is impossible to reach a statefrom which we cannot reach the desired finalmarking).

8/22/2019 Cpn Slides 96

83/100


Investigation of shortest path

We ask the system to calculate one of the shortestpaths from the initial marking to the dead marking:

val path =

NodesInPath(1,452);

> val path =

[1,2,3,5,8,11,15,20,27,38,50,

64,80,102,133,164,199,243,

301,375,452] : Node list

Length(path); > 20 : int

The calculated path contains 20 transitions.

This is as expected because there are 4 packetswhich each need 5 transitions to occur.

8/22/2019 Cpn Slides 96

84/100


Drawing of shortest path

We ask the system to draw thefirst six nodes in thecalculated shortest path:

DisplayNodePath; [1,2,3,5,8,11]; > () : unit

11:1

1

NextSend = 1

NextRec = 1

Received = ""

2

1:2

2

NextSend = 1

NextRec = 1

Received = ""

A = 1`(1,"Coloured")

3

2:2

3

NextSend = 1`1

NextRec = 1`1

Received = ""

B = 1`(1,"Coloured")

5

3:3

5

NextSend = 1

NextRec = 2

Received = "Coloured"

C = 1`2

83:2

8

NextSend = 1

NextRec = 2


D = 1`2

11

5:1

11

NextSend = 2

NextRec = 2


1->2

SendPack

{p="Coloured",n=1}

2->3

TranPack

{s=1,r=1,p="Coloured",n=1}

3->5

RecPack

{str="",p="Coloured",n=1,k=1}

5->8

TranAck

{s=1,r=1,n=2}

8->11

RecAck

{n=2,k=1}

8/22/2019 Cpn Slides 96

85/100


Draw subgraph

11:1

NextSend = 1NextRec = 1

Received = ""

21:2

NextSend = 1

NextRec = 1

Received = ""


32:2

NextSend = 1

NextRec = 1

Received = ""


4

1:3

5

3:3

NextSend = 1

NextRec = 2


C = 1`2

9

2:2

6

3:4

7

2:1

8

3:2

NextSend = 1NextRec = 2


D = 1`2

141:2

NextSend = 1

NextRec = 1

Received = ""



134:3

122:2

103:3

NextSend = 1

NextRec = 2



D = 1`2

115:1

SendPack

LoosePack

TranPack

SendPackRecPack

LoosePack

TranPack

RecPack

LooseAck

TranAck

SendPack

RecPack

LoosePack

SendPack

TranPack

LooseAck TranAck

SendPack SendPack

RecAck

8/22/2019 Cpn Slides 96

86/100


Non-standard questions

We ask the system to search all arcs in the entiregraph and return thefirst 10 arcs whereNextSendhas a largervalue in the source marking than it hasin the destination marking.

PredArcs

(EntireGraph,fn a => ((ms_to_col(Mark.NextSend 1

(SourceNode a))) >

(ms_to_col(Mark.NextSend 1

(DestNode a)))),

10)

end;

>[10179,10167,10165,10159,10055,10052,10035,

10031,10019,10007] : Arc list

28061:4

NextSend = 4

NextRec = 5

Received = "Coloured Petri

Nets#####"

A = 1`(4,"########")

B = 2`(4,"########")

C = 1`5

D = 1`2+ 1`5

30751:4

NextSend = 2

NextRec = 5

Received = "Coloured

Petri Nets#####"

A = 1`(4,"########")

B = 2`(4,"########")

C = 1`5

D = 1`5

10179:2806->3075

RecAck = {n=2,k=4}

8/22/2019 Cpn Slides 96

87/100


Temporal logic

It is also possible to make questions by means of aCTL-like temporal logic.

Usually CTL focuses on queries about stateproperties, e.g.:

Inv(Pos(M))checks whether M is a home marking.

Ev(dead)checks whether there are any infinite occurrencesequences.

Our version of CTL also allows queries abouttransitions and binding elements.

Inv(Pos(t in Arc))checks whether transition t is live.

Timed CP-netsThe computer tools for CP-nets also support statespace analysis oftimedCP-nets.

8/22/2019 Cpn Slides 96

88/100


State spaces pro/contra

State spaces arepowerful and easy to use. The main drawback is the state explosion, i.e.,

the size of the state space.

The present version of our tool handles graphswith 100,000 nodes and 500,000 arcs. For many

systems this is not sufficient.

Fortunately, it is sometimes possible to constructmuch more compactstate spaces without loosinginformation.

This is done by exploiting the inherent

symmetries of the modelled system.

We define two equivalence relations (one formarkings and one for binding elements).

The condensed state spaces are often muchsmaller(polynomial size instead of exponential).

The condensed state spaces contain the sameinformation as the full state spaces.

8/22/2019 Cpn Slides 96

89/100


Place invariants analysis

The basic idea is similar to the use ofinvariants inprogram verification.

A place invariant is an expression which issatisfied for all reachable markings.

The expression counts the tokens of the marking

using a specified set of weights.

We first constructa set of place invariants.

Then we check whether they arefulfilled.

This is done by showing that each occurringbinding element respects the invariants.

The removedset of tokens must be identical tothe addedset of tokens when the weights aretaken into account.

Finally, we use the place invariants toprovebehavioural properties of the CP-net.

This is done by a mathematical proof.

8/22/2019 Cpn Slides 96

90/100


Example of place invariants

(x,i)

(x,i)

(x,i)

(x,i)

(x,i)

(x,i)

(x,i)

(x,i)

(x,i)

e

if x=q then 1è

else empty

case x of

p => 2è

| q => 1è

2è

e

if x=p then 1è

else empty

e

case x of

p => 2è

| q => 1è

AP

3`(q,0)

BP

2`(p,0)

CP

DP

EP

T1

T2

T3

T4

T5

R

E

1è

S

E

3è

T

E

2è

INV

1: PR1

INV

1: PR1

2: Q

3: 2*P+2*Q

INV

1: PR1

3: 2*P+2*Q

4: P

INV

1: PR1

3: 2*P+2*Q

4: 2*P+Q

INV

2: ID

INV3: ID

INV

4: ID

INVARIANTS

1: 2`p+3`q : U

2: 1è : E

3: 3è : E

4: 2è : E

INV

1: PR1

2: Q3: Q

8/22/2019 Cpn Slides 96

91/100


Place invariants for resource

allocation systemTo specify the weights we use three functions:

PR1 is aprojection function: (x,i) --> x.

P is an indicatorfunction: (p,i) --> 1è; (q,i) -->.

Q is an indicatorfunction: (p,i) --> ; (q,i) -->1è. P and Q counts the number of p and q tokens.

PR1(M(A)+M(B)+M(C)+M(D)+M(E))=2`p+3`q

M(R) + Q(M(B)+M(C))=1è

M(S) + Q(M(B)) +(2*P+2*Q)(M(C)+M(D)+M(E))=3è

M(T) + P(M(D)) + (2*P+Q)(M(E))=2è

8/22/2019 Cpn Slides 96

92/100


A more readable version of the

place invariantsPR1(A+B+C+D+E)=2`p+3`q

R + Q(B+C)=1è

S + Q(B) + (2*P+2*Q)(C+D+E)=3è

T + P(D) + (2*P+Q)(E)=2è

The place invariants can be used toproveproperties of the resource allocation system, e.g.,

that it is impossible to reach a dead marking.

8/22/2019 Cpn Slides 96

93/100


Tool support for place invariants

Checkof place invaritans: The userproposes a set of weights.

The tool checks whether the weights constitute aplace invariant.

Automatic calculation of all place invariants: This is possible, but it is a very complex task.

Moreover, it is difficult to represent the resultson a useful form, i.e., a form which can be usedby the system designer.

Interactive calculation of place invaritans:

The userproposes some of the weights.

The tool calculates the remaining weights if possible.

Interactive calculation of place invariants is mucheasierthan a fully automatic calculation.

8/22/2019 Cpn Slides 96

94/100


How to use place invariants

Invariants in ordinaryprogramming languages: No one would construct a large program

and then expect afterwards to be able tocalculate invariants.

Instead invariants are constructed togetherwith

the program.

For CP-nets we should do the same:

During the system specification and modellingthe designer gets a lot ofknowledge about thesystem.

Some of this knowledge can easily be formulatedasplace invariants.

The invariants can be checkedand in this way itis possible to find errors.

It can be seen where the errors are.

Someprototypes of computer tools for invariantsanalysis do exist. However, none of them are at astate where they can be widely used.

8/22/2019 Cpn Slides 96

95/100


Place invariants pro/contra

From place invariants it is possible to prove manykinds ofbehavioural properties.

Invariants can be used to make modularverification because it is possible to combineinvariants of the individual pages.

Invariants can be used to verify large systemswithout computational problems.

The user needs some ingenuity to constructinvariants. This can be supported by computertools interactive process.

The user also needs some ingenuity to useinvariants. This can also be supported bycomputer tools interactive process.

Invariants can be used to verify a systemwithout fixing the system parameters (such asthe number of sites in the data base system).

8/22/2019 Cpn Slides 96

96/100


Conclusion

One of the main reasons for the success of CP-netsis the fact that we simultaneously have workedwith:

TOOLS

editing simulation

verificationTHEORY

models

basic concepts

verification methods

PRACTICAL USE

specification

investigation

verification

implementation

8/22/2019 Cpn Slides 96

97/100


More information on CP-nets

The following WWW pages contain a lot of in-formation about CP-nets and their computer tools:

http://www.daimi.aau.dk/CPnets/

A detailed introduction to CP-nets can be found inthe following papers/books:

K. Jensen: Coloured Petri Nets: A High-level Language for SystemDesign and Analysis. In: G.Rozenberg (ed.): Advances in Petri Nets1990, Lecture Notes in Computer Science Vol. 483, Springer-Verlag 1991, 342 416. Also in K. Jensen, G. Rozenberg (eds.):High-level Petri Nets. Theory and Application. Springer-Verlag,1991, 44 122.

K. Jensen:An Introduction to the Theoretical Aspects of ColouredPetri Nets. In: J.W. de Bakker, W.-P. de Roever, G.Rozenberg(eds.): A Decade of Concurrency, Lecture Notes in ComputerScience vol. 803, Springer-Verlag 1994, 230-272.

K. Jensen: Coloured Petri Nets. Basic Concepts, Analysis Methodsand Practical Use. Monographs in Theoretical Computer Science,Springer-Verlag.

Vol. 1: Basic Concepts, 1992, ISBN: 3-540-60943-1.

Vol. 2: Analysis Methods, 1994, ISBN: 3-540-58276-2. Vol. 3: Practical Use, 1996.

Some of the most important papers on high-levelnets, their verification methods and applicationshave been reprinted in:

K. Jensen, G. Rozenberg (eds.): High-level Petri Nets. Theory andApplication. Springer-Verlag, 1991, ISBN: 3-540-54125-X.

8/22/2019 Cpn Slides 96

98/100


Different examples of the industrial use of CP-netscan be found in:

G. Balbo, S.C. Bruell, P. Chen, G. Chiola:An Example of Modellingand Evaluation of a Concurrent Program Using Colored StochasticPetri Nets: Lamports Fast Mutual Exclusion Algorithm. IEEETransactions on Parallel and Distributed Systems, 3 (1992). Also inK.Jensen, G. Rozenberg (eds.): High-level Petri Nets. Theory andApplication. Springer-Verlag, 1991, 533559.

J. Berger, L. Lamontagne: A Colored Petri Net Model for a NavalCommand and Control System. In: M.Ajmone-Marsan (ed.):Application and Theory of Petri Nets 1993. Proceedings of the 14thInternational Petri Net Conference, Chicago 1993, Lecture Notes inComputer Science Vol. 691, Springer-Verlag 1993, 532541.

C. Capellmann, H. Dibold: Petri Net Based Specifications ofServices in an Intelligent Network. Experiences Gained from a TestCase Application. In:M.Ajmone-Marsan (ed.): Application andTheory of Petri Nets 1993. Proceedings of the 14th International

Petri Net Conference, Chicago 1993, Lecture Notes in ComputerScience Vol. 691, Springer-Verlag 1993, 542551.

L. Cherkasova, V. Kotov, T. Rokicki: On Net Modelling ofIndustrial Size Concurrent Systems. In: M.Ajmone-Marsan (ed.):Application and Theory of Petri Nets 1993. Proceedings of the 14thInternational Petri Net Conference, Chicago 1993, Lecture Notes inComputer Science Vol. 691, Springer-Verlag 1993, 552561.

L. Cherkasova, V. Kotov, T. Rokicki: On Scalable Net Modeling ofOLTP. In PNPM93: Petri Nets and Performance Models.Proceedings of the 5th International Workshop, Toulouse, France1993, IEEE Computer Society Press, 270279.

S. Christensen, L.O. Jepsen:Modelling and Simulation of a NetworkManagement System Using Hierarchical Coloured Petri Nets.In:E.Mosekilde (ed.): Modelling and Simulation 1991. Proceedingsof the 1991 European Simulation Multiconference, Copenhagen,1991, Society for Computer Simulation 1991, 4752.

8/22/2019 Cpn Slides 96

99/100


H. Clausen, P.R. Jensen: Validation and Performance Analysis ofNetwork Algorithms by Coloured Petri Nets. In PNPM93: Petri Netsand Performance Models. Proceedings of the 5th International

Workshop, Toulouse, France 1993, IEEE Computer Society Press,280289.

G. Florin, C. Kaiser, S. Natkin: Petri Net Models of a DistributedElection Protocol on Undirectional Ring. Proceedings of the 10thInternational Conference on Application and Theory of Petri Nets,Bonn 1989, 154 173.

H.J. Genrich, R.M. Shapiro: Formal Verification of an Arbiter

Cascade. In: K. Jensen (ed.): Application and Theory of Petri Nets1992. Proceedings of the 13th International Petri Net Conference,Sheffield 1992, Lecture Notes in Computer Science Vol. 616,Springer-Verlag 1992, 205223.

P. Huber, V.O. Pinci: A Formal Executable Specification of theISDN Basic Rate Interface. Proceedings of the 12th InternationalConference on Application and Theory of Petri Nets, Aarhus 1991,121.

W.W. McLendon, R.F. Vidale: Analysis of an Ada System UsingColoured Petri Nets and Occurrence Graphs. In: K. Jensen (ed.):Application and Theory of Petri Nets 1992. Proceedings of the 13thInternational Petri Net Conference, Sheffield 1992, Lecture Notes inComputer Science Vol. 616, Springer-Verlag 1992, 384388.

K.H. Mortensen, V. Pinci: Modelling the Work Flow of a NuclearWaste Management Program. Proceedings of the 15th International

Petri Net Conference, Zaragoza 1994, Lecture Notes in ComputerScience, Springer-Verlag 1994

V.O. Pinci, R.M. Shapiro: An Integrated Software DevelopmentMethodology Based on Hierarchical Colored Petri Nets. In:G.Rozenberg (ed.): Advances in Petri Nets 1991, Lecture Notes inComputer Science Vol. 524, Springer-Verlag 1991, 227252. Alsoin K. Jensen, G. Rozenberg (eds.): High-level Petri Nets. Theory

and Application. Springer-Verlag, 1991, 649 667.

8/22/2019 Cpn Slides 96

100/100


G. Scheschonk, M. Timpe: Simulation and Analysis of a DocumentStorage System. In: R. Valette (ed.): Application and Theory of PetriNets 1994. Proceedings of the 15th International Petri Net

Conference, Zaragoza 1994, Lecture Notes in Computer Sciencevol. 815, Springer-Verlag 1992, 454470.

R.M. Shapiro: Validation of a VLSI Chip Using HierarchicalColoured Petri Nets. Journal of Microelectronics and Reliability,Special Issue on Petri Nets, Pergamon Press, 1991. Also in K.Jensen, G. Rozenberg (eds.): High-level Petri Nets. Theory andApplication. Springer-Verlag, 1991, 667 687.

Documents

Cpn Slides 96