Formal models are a collection of well-defined, mathematically based techniques. Their theoretical support makes it possible to verify system designs. A complete definition of a formal modelling language consists of a description of its well-defined syntax and semantics, which enhance the readability and the expressiveness of the language.
There is a growing acceptance that formal methods form an essential part of the design of any reliable software system [Ribeiro et al., , Bowles and Bordbar, 2007, Milner, 2009, Hillston and Kloul, 2006, Cimatti et al., 2011, Mosbahi et al., 2011, Moschoyiannis et al., 2005, Benmerzoug et al., 2008, Y. Yang et al., 2005, Jensen et al., 2007]. This is because formal methods have the potential to eliminate ambiguities and design faults, and thereby avoid the associated system failures. In particular, a formal model of a system can be used to prove system properties such as performance, reachability, consistency and correctness mathematically [Gilmore et al., 2003a, Bowles and Kloul, 2010, Hillston and Kloul, 2006, Hinton et al., 2006, Kwiatkowska et al., 2007, Katoen, 2008, Grumberg and Long, 1991]. Moreover, formal models and methods make software designs more tangible by allowing rigorous validation and verification [Silva and dos Santos, 2004, Jensen et al., 2007, Jensen and Kristensen, 2009, Cabot et al., 2008, de Alfaro et al., 1998, Rafe et al., 2009]. Validation provides assurance that the design specifies the right system, whereas verification assures that the end system satisfies the specification.
General-purpose formal methods such as Z [Spivey, 1992] and VDM [Jones, 1990] were introduced before the advent of object-oriented modelling. As a consequence, they do not explicitly consider a semantic notion of object-orientation or other MDD-based high-level software concepts such as abstraction. Even though there are object-oriented extensions such as Object-Z, they are not sufficient for behavioural modelling [Derrick and Wehrheim, 2010]. In order to satisfy the modern requirements of distributed and concurrent software systems, various formalisms have been developed for modelling and verification of such systems [Radjenovic and Paige, 2010, Fernández et al., 2011, Dang et al., 2010, Buyya et al., 2009]. A variety of formal models, including event structures [Winskel and Nielsen, 1995, Bowles and Bordbar, 2007, Winskel and Saunders-Evans, 2007, Moschoyiannis et al., 2010], bigraphs [Milner, 2009], Petri-nets [Petri, 1962, M. Nielsen, 1980, Orejas et al., 2010, Benmerzoug et al., 2008], PEPA [Hillston and Kloul, 2006] and PEPA-nets [Kloul and Kuster-Filipe, 2006, Gilmore et al., 2003b, Gilmore et al., 2003a, Bowles and Kloul, 2010], among others, are used in the software development process.
Event structures model a system scenario as a set of event occurrences together with binary relations for expressing causal dependency between events (called causality) or pairs of events that are excluded from occurring in the same execution (conflict) [Winskel and Nielsen, 1995, Bowles and Bordbar, 2007, Winskel and Saunders-Evans, 2007]. Other relations can be derived from causality and conflict, namely concurrency (any pair of events not related by causality or conflict is necessarily concurrent). Many variations of event structures have been defined, essentially differing in the kinds of relations they define between events. Prime event structures can be used to provide a semantics for Petri nets and can, in this case, be understood as the unfolding of a net.
A Bigraph is a mathematical structure consisting of two graphs, a place graph and a link graph, intended for modelling applications such as distributed and mobile systems. The main idea of bigraphs is to treat the placing and the linking of their nodes as independently as possible. Bigraphs have evolved from process calculi and are based on standard notions in graph theory [Milner, 2009].
PEPA (Performance Evaluation Process Algebra) is an extension of the well-known process algebra CCS with stochastic aspects to be able to capture performance [Hillston and Kloul, 2006]. In order to address mobile systems PEPA nets [Kloul and Kuster-Filipe, 2006,Gilmore et al., 2003b,Gilmore et al., 2003a, Bowles and Kloul, 2010] were introduced as a combination of coloured Petri nets [Vicario et al., 2009] and the stochastic process algebra formalism PEPA.
Among these, Petri nets have been widely adopted as behavioural models because of their powerful representation capabilities, relatively cheap solution techniques and model verification capabilities [Murata, 1989, Vanit-Anunchai, 2010, Christensen and Petrucci, 2000]. Also, there are a variety of Petri nets with the ability to be extended [Billington, 2004] and integrated with available tools [Kounev and Dutz, 2007, TU-Eindhoven, , Jensen et al., 2007, Delatour and Lamotte, 2003, Kounev et al., 2010] that evaluate system properties. This section describes Petri nets, and in particular coloured Petri nets, in detail, since they are the main formal model used in this thesis.
Petri-nets are a well-established set of formal models used by many researchers [Murata, 1989, Uzam et al., 2009, Vanit-Anunchai, 2010, Christensen and Petrucci, 2000, Benmerzoug et al., 2008, Bernardi et al., 2002, Kounev et al., 2006, Hamadi and Benatallah, 2003]. The origin of the Petri-net concept comes from Carl Adam Petri's dissertation in 1962 [Petri, 1962]. A Petri-net is a directed, connected, bipartite graph, where each node is either a place or a transition. A transition is enabled when there is at least one token in each of its input places. An enabled transition can fire, removing one token from each input place and depositing one token in each output place [Murata, 1989, Bobbio, 1990].
Different types of high-level Petri-nets are available to model the event flow and object flow of diverse behaviours, including asynchronous, concurrent, hierarchical, stochastic and real-time aspects [Murata, 1989, Billington, 2004, Thomas et al., 1996]. A high-level Petri-net makes it possible to follow the behaviour of a token in the Petri-net, so that any single token can be tracked within the PN [van der Aalst, 1994, Billington, 2004]. These types include Coloured Petri-nets (CPN) [Jensen, 1981, Jensen et al., 2007, Christensen, 2002], Timed Petri-nets (TPN) [Vicario et al., 2009, Carnevali et al., 2008, van der Aalst, 1993], Stochastic Petri-nets (SPN) [Bobbio, 1990, Zimmermann, 2008, Carnevali et al., 2009, Haas, 2002], Queuing Petri-nets (QPN) [Kounev and Buchmann, 2006], Hierarchical Petri-nets (HPN) [van der Aalst, 1994, Fehling, 1993, Elkoutbi and Keller, 1998] and Automation Petri-nets (APN) [Thomas et al., 1996, Uzam et al., 2009].
We have used coloured Petri nets (CPNs) as the main synthesised formal model in this thesis. CPN is a well-known formal model rich in theory and practice [Jensen, 1990, Jensen et al., 2007, Vanit-Anunchai, 2010, Christensen and Petrucci, 2000]. CPNs are successfully used to model applications such as network protocols, security protocols, multi-agent applications, business processes, railway systems, distributed systems, and many industrial systems [Jensen, 1998,Kristensen et al., 2004,Benmerzoug et al., 2008,Vanit-Anunchai, 2010].
As described by Jensen [Jensen, 1981], CPN is a formal, graphical, and executable technique for the specification and analysis of concurrent, discrete event-based dynamic systems. Like any Petri net, a CPN consists of places, transitions, arcs and tokens, but its tokens are coloured. Places describe the state of the system, whereas transitions describe the actions of the system. Arcs are used to connect places and transitions, and the state changes when a transition fires. Tokens are used to fire a transition, and each token has a given type, also known as its token colour. Thus tokens are distinguishable. We describe CPNs in Chapter 4.
CPNs are suitable for our approach of transforming object-oriented models, because the colours associated with the model can be used to distinguish between object types. Moreover, there are several well-established analysis tools for automatically verifying CPNs, including their extensions such as timed CPNs or stochastic CPNs [Benatallah et al., 2003, Kounev and Buchmann, 2006, Kounev et al., 2010, Vicario et al., 2009]. One such tool is CPN Tools [Jensen and Kristensen, 2009] for editing, simulating and analysing CPN models.
In particular, CPNs have been extensively used in several application domains [Jensen et al., 2007, Jensen, 1997b, Jensen, 1998, Vanit-Anunchai, 2010, Genrich and Lautenbach, 1981]. In [Jensen et al., 2007, Jensen, 1997b, Jensen, 1998], Jensen has used Petri-nets as a primitive to describe the synchronization of concurrent processes in a packet transfer protocol over an unreliable network. These works discuss the Petri-net representation using automatic simulation and model verification methods such as state spaces and place invariants. As an extension of the above work, in [Kristensen et al., 2004], Kristensen et al. have discussed different case studies on modelling mobility and communication networks, healthcare systems and state space analysis. They have used CPN Tools to model, analyse and simulate the systems.
Moreover, in [Hamadi and Benatallah, 2003], Hamadi and Benatallah have expressed a web service based system using a Petri-net based algebra, specifying different types of service composition such as empty, sequence, parallel, etc. Furthermore, in [Silva and dos Santos, 2004], Silva and dos Santos have used Petri-nets as a formal model to represent system behaviour and have performed system validation using simulations. They have used Petri-nets not only as a CASE tool to model and analyse the system but also as a framework to express the requirements based on the system use cases of a banking application.
Petri-nets can be used not only to model system behavioural aspects but also to ensure system non-functional properties such as liveness and deadlock avoidance [Christensen and Petrucci, 2000, Merseguer and Campos, 2004, van der Aalst, 1993, Jensen and Kristensen, 2009]. For example, in [Chrzastowski-Wachtel et al., 2003], Chrzastowski-Wachtel et al. have introduced refinement rules to avoid deadlocks in a Petri-net representation. They have proposed rules such as a parallel split followed by a parallel synchronization. They also modelled a top-down workflow using hierarchical Petri nets for a flight ticket booking application and have used the HiWord tool [Benatallah et al., 2003] as a supporting tool.
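As an added example, not part of the thesis, the following Python code implements the enabling and firing rule for Petri nets described above, with token colours used, as in a CPN, to distinguish two objects, and then explores the reachable state space to find dead markings of the kind the deadlock-avoidance rules mentioned above are meant to rule out. The lock-acquisition net, its place and transition names, and the "same order" variant are all constructed for this illustration.

```python
from collections import Counter
# Added illustration, not from the thesis: a minimal coloured Petri net
# simulator. A marking is {place: Counter of coloured tokens}; a transition is
# (name, input_arcs, output_arcs), each arc a (place, colour) pair.
def enabled(marking, transition):
    """Enabled iff every input arc finds a token of its colour in its place."""
    _, inputs, _ = transition
    return all(marking.get(place, Counter())[colour] >= n
               for (place, colour), n in Counter(inputs).items())

def fire(marking, transition):
    """Remove one token per input arc, deposit one per output arc."""
    _, inputs, outputs = transition
    new = {place: Counter(tokens) for place, tokens in marking.items()}
    for place, colour in inputs:
        new[place][colour] -= 1
    for place, colour in outputs:
        new.setdefault(place, Counter())[colour] += 1
    return {place: +tokens for place, tokens in new.items() if +tokens}

def key(marking):  # hashable form of a marking, to de-duplicate the state space
    return tuple(sorted((p, tuple(sorted(t.items()))) for p, t in marking.items()))

def state_space(initial, transitions):
    """Explore every reachable marking; return (reachable, dead markings)."""
    seen, stack, dead = {key(initial): initial}, [initial], []
    while stack:
        m = stack.pop()
        fireable = [t for t in transitions if enabled(m, t)]
        if not fireable:
            dead.append(m)  # no transition enabled: a dead marking
        for t in fireable:
            n = fire(m, t)
            if key(n) not in seen:
                seen[key(n)] = n
                stack.append(n)
    return list(seen.values()), dead

def harmful_deadlocks(same_order):
    """Constructed net: objects 'A' and 'B' (token colours) each take locks l1
    and l2; B takes them in reverse order unless same_order. Returns the dead
    markings in which some object never reached 'done' (work is stuck)."""
    def client(obj, first, second):
        return [("get_" + first + obj, [("idle", obj), (first, "free")], [("held1", obj)]),
                ("get_" + second + obj, [("held1", obj), (second, "free")], [("held2", obj)]),
                ("release" + obj, [("held2", obj)], [("done", obj), ("l1", "free"), ("l2", "free")])]
    initial = {"idle": Counter("AB"), "l1": Counter(["free"]), "l2": Counter(["free"])}
    order_b = ("l1", "l2") if same_order else ("l2", "l1")
    dead = state_space(initial, client("A", "l1", "l2") + client("B", *order_b))[1]
    return [m for m in dead if sum(m.get("done", Counter()).values()) < 2]
```

With the reverse lock order, the exploration finds the marking in which A holds l1 and B holds l2 with no transition enabled; with both objects acquiring locks in the same order the only dead marking is the intended final one.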