
CHAPTER 5 – Verification & Validation of Petri Net Model

5.2 Petri Net Model Verification Methods

The objectives of model verification are to check correctness, completeness and consistency of the developed model ensuring that the physical system, i.e. PN model, works properly, performing the required functions as specified. These characteristics can be checked through:

Static verification which checks behavioural and structural properties of PNs via:

o Reachability graph analysis that relies on the initial state of PN models, examining their behavioural properties; and

o Place/Transition invariants method that relies on the topology of PN models, examining their structural properties.

For a complete static verification, both behavioural and structural properties should be checked.

Dynamic verification which checks the correct execution of model paths via simulation analysis examining the PN model logic.

Comparing PN models via bi-simulation methods.

In this section, an overview of static, dynamic and bi-simulation PN model verification methods is carried out.

5.2.1 Static Verification Methods

Petri Net models can be analysed statically by checking their behavioural and structural properties, applying the reachability graph and the place/transition invariants method respectively.

The behavioural properties of PNs are dependent on the initial marking M0 (Li & Zhou, 2009) and listed below:

Reachability or deadlock-free indicates that each reachable marking enables a transition. A marking M′ is reachable from a marking M in a Petri Net N, if there is a firing sequence σ from M′ to M.

Behavioural liveness defines that each transition is enabled by at least one


Behavioural boundedness shows that the number of tokens in each place does not exceed a finite number n from any marking reachable from the initial marking (M0).

Safeness is related to the bounded memory capacity. A PN is safe if it is 1-bounded, i.e. if the places always contain at most one token.

Reversibility (home marking) shows that the initial marking is reachable from all possible reachable markings.

Persistence defines that for any two enabled transitions, the firing of one transition will not disable the other.

The types of behavioural properties, which should be checked for the verification of a PN model, are defined according to the sub-class to which the examined PN belongs (Murata, 1989); hence not all properties need to be satisfied for a PN to be behaviourally verified.

The reachability graph is used to check the PN behavioural properties that serve as measures of effectiveness of the PN (Aalst, 1998). A reachability graph, an acyclic graph, indicates all possible future markings at some point in a PN model. It consists of nodes, which represent the possible system states, and arcs, which represent the possible state change. The graph starts from the initial marking and each possible reachable marking is listed and then connected with directed arcs, which are labelled with the corresponding transition needed to reach the marking.

A simple example of a reachability graph and its behavioural properties is presented in Figure 5.2 (Aalst, 2011). The PN, presented on the left side of the figure, consists of seven places (p1 – p7) and six transitions (t1 – t6). Places p1, p4 and p7 are marked with one token each. The corresponding reachability graph has been created and is presented on the right side of Figure 5.2. The graph has five reachable states, defined by the bracketed terms in Figure 5.2. It starts with the initial marking of the PN, placed in the centre of the graph, and then the marking changes according to the enabled transition. For instance, the initial marking (1, 0, 0, 1, 0, 0, 1) shows that places p1, p4 and p7 have one token each, whereas places p3, p4 and p5 are empty. Once t1 fires, the marking changes from (1, 0, 0, 1, 0, 0, 1) to (0, 1, 0, 1, 0, 0, 0), as can be seen in Figure 5.2, indicating that places p1 and p7 move one token each to place p2, whereas no further token movement is observed through the places.


Figure 5.2 Reachability Graph Example (Aalst, 2011)

The remaining markings have been created following the same concept. Once the reachability graph has been developed, the behavioural PN properties are checked for model verification. Hence, according to Figure 5.2, the reachability graph is deadlock-free, and, by extension, reachable, because each reachable marking enables at least one transition to fire. For instance, the initial marking, presented as (1, 0, 0, 1, 0, 0, 1) in Figure 5.2, enables the transitions t1 and t4. The graph is also live since it is possible to fire any transition, by progressing through a firing sequence. For instance, the initial marking (1, 0, 0, 1, 0, 0, 1) enables a firing sequence containing all the transitions. Additionally, the PN is 1-bounded, because the number of tokens included in each place does not exceed the finite number one for any marking reachable from the initial marking. Since the PN is 1-bounded, it is also safe. Finally, the graph is reversible since the initial/home marking can be reached from any reachable marking following the arcs presented in the reachability graph.

Although the reachability graph is the most commonly used method for the verification of PN behavioural properties, it lacks applicability to large and complex PN systems because of the state-space explosion problem.
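To make the reachability-graph check concrete, the following added Python example (not code from the thesis or from Figure 5.2) builds the graph by breadth-first exploration for a small constructed net, two cyclic processes sharing one resource token in p3, and then decides the behavioural properties listed above on the finite graph. The net, its place and transition names and the `bound` cut-off, which aborts the construction once a place exceeds a token limit instead of expanding an unbounded state space forever, are assumptions of this example.

```python
# Constructed example net (not the net of Figure 5.2): two cyclic processes
# (p1->p2->p1 and p4->p5->p4) compete for one shared resource token in p3.
PLACES = ["p1", "p2", "p3", "p4", "p5"]
TRANSITIONS = {  # name: (input place -> arc weight, output place -> arc weight)
    "t1": ({"p1": 1, "p3": 1}, {"p2": 1}),
    "t2": ({"p2": 1}, {"p1": 1, "p3": 1}),
    "t3": ({"p4": 1, "p3": 1}, {"p5": 1}),
    "t4": ({"p5": 1}, {"p4": 1, "p3": 1}),
}
M0 = (1, 0, 1, 1, 0)

def enabled(m):  # transitions whose input places all hold at least the arc weight
    return [t for t, (pre, _) in TRANSITIONS.items()
            if all(m[PLACES.index(p)] >= w for p, w in pre.items())]

def fire(m, t):  # marking reached from m by firing the enabled transition t
    pre, post = TRANSITIONS[t]
    return tuple(m[i] - pre.get(p, 0) + post.get(p, 0) for i, p in enumerate(PLACES))

def reachability_graph(m0, bound=10):
    # breadth-first construction: nodes are markings, arcs carry the fired transition
    graph, queue = {m0: {}}, [m0]
    while queue:
        m = queue.pop(0)
        for t in enabled(m):
            m2 = graph[m][t] = fire(m, t)
            if max(m2) > bound:  # state-space cut-off for an unbounded net
                raise ValueError(f"a place exceeds {bound} tokens: net is unbounded")
            if m2 not in graph:
                graph[m2] = {}
                queue.append(m2)
    return graph

def reach(graph, start):  # markings reachable from `start` along the arcs
    seen, todo = {start}, [start]
    while todo:
        new = set(graph[todo.pop()].values()) - seen
        seen |= new
        todo += new
    return seen

def properties(graph, m0):  # behavioural properties of 5.2.1 on the finite graph
    k = max(max(m) for m in graph)  # smallest n for which the net is n-bounded
    return {
        "deadlock_free": all(graph[m] for m in graph),
        "live": all(any(t in graph[x] for x in reach(graph, m)) for m in graph for t in TRANSITIONS),
        "bound": k, "safe": k == 1,
        "reversible": all(m0 in reach(graph, m) for m in graph),
        "persistent": all(b in enabled(fire(m, a)) for m in graph for a in graph[m] for b in graph[m] if a != b),
    }
```

For this net the graph has three markings and is deadlock-free, live, safe and reversible, but not persistent: at M0 both t1 and t3 are enabled and firing either one removes the resource token that the other needs.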

The structural PN model properties that depend on the incidence matrix (Proth & Xie, 1996; Cassandras & Lafortune, 2008) are listed below:

A PN is characterised structurally bounded if it is (behaviourally) bounded for any initial marking M0. A PN, which is structurally bounded, is also


A PN N is structurally live if there exists an initial marking M0 such that the net is live. A PN, which is behaviourally live, is also structurally live, but the reciprocal is not true.

A PN is conservative if there is at least one set of places with all the places equal to zero.

A PN is repetitive if there exists an initial marking M0 and a firing sequence σ from M0 back to M0 such that every transition fires infinitely often in σ.

A PN is consistent if there exists an initial marking M0 and a firing sequence σ from M0 back to M0 such that every transition fires at least once in σ.

The place/transition invariants method can be used to check the PN structural properties, which depend on the topological structure of PN models, applying linear algebraic techniques (Colom & Silva, 1991; Desel & Reisig, 1998; Recalde et al., 1998). There are two kinds of invariants: the P-invariants, related to places, which are the sets of places for which the sum of tokens remains unchanged for every marking; and the T-invariants, related to transitions, which are the sets of transitions for which the PN marking remains unchanged after firing each transition. Similar to the behavioural properties, the types of structural properties that should be verified each time are selected according to the sub-class to which the corresponding PN belongs. Large PNs can lead to infinite invariants, rendering it impossible to solve the equations by hand. Therefore, software that applies linear algebraic techniques can be used to obtain all the possible solutions of the equations (Colom & Silva, 1991; Desel & Reisig, 1998; Recalde et al., 1998).
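The invariant computation that such software performs can be shown on the same constructed five-place net; the following is an added Python example (not the thesis' code and not a particular tool's implementation). It takes the incidence matrix C as its assumed input and applies Farkas' algorithm, one linear-algebraic technique for this problem, to the rows of C for the P-invariants and to the rows of C transposed for the T-invariants, keeping only the non-negative solutions with minimal support, which correspond to the "sets of places" and "sets of transitions" described above.

```python
from functools import reduce
from math import gcd

# Incidence matrix C of the constructed net (not the net of Figure 5.2): rows are
# places p1..p5, columns transitions t1..t4, C[p][t] = post(p,t) - pre(p,t).
C = [
    [-1,  1,  0,  0],   # p1: consumed by t1, produced by t2
    [ 1, -1,  0,  0],   # p2
    [-1,  1, -1,  1],   # p3: shared resource, taken by t1/t3, returned by t2/t4
    [ 0,  0, -1,  1],   # p4
    [ 0,  0,  1, -1],   # p5
]

def normalise(v):  # divide an integer vector by the gcd of its entries
    g = reduce(gcd, (abs(x) for x in v), 0)
    return [x // g for x in v] if g else v

def semi_positive_invariants(A):
    """Farkas' algorithm: generators of {y >= 0 : y^T A = 0} with minimal support.
    Start from [A | I] and cancel one column of A at a time."""
    n, m = len(A), len(A[0])
    D = [row[:] + [int(i == k) for k in range(n)] for i, row in enumerate(A)]
    for j in range(m):
        pos = [r for r in D if r[j] > 0]
        neg = [r for r in D if r[j] < 0]
        combined = [normalise([-b[j] * x + a[j] * y for x, y in zip(a, b)])
                    for a in pos for b in neg]   # each new row has a zero in column j
        D = [r for r in D if r[j] == 0] + combined
    inv = {tuple(r[m:]) for r in D}  # right-hand halves: y >= 0 and y^T A = 0
    supports = {y: frozenset(i for i, v in enumerate(y) if v) for y in inv}
    return sorted(y for y, s in supports.items()
                  if not any(o < s for o in supports.values()))

def p_invariants():  # weighted token sums y.M that every firing leaves unchanged
    return semi_positive_invariants(C)

def t_invariants():  # firing counts x with C x = 0: firing them returns the marking
    return semi_positive_invariants([list(col) for col in zip(*C)])

def is_p_invariant(y):  # direct check of y^T C = 0 for a candidate vector
    return all(sum(yi * row[j] for yi, row in zip(y, C)) == 0 for j in range(len(C[0])))
```

For this net the P-invariants are {p1, p2}, {p4, p5} and {p2, p3, p5} (the resource token is always in exactly one of p2, p3 and p5), and the T-invariants are {t1, t2} and {t3, t4}.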

5.2.2 Dynamic Verification Method

Petri Net models can also be verified dynamically, analysing the logic and behaviour of systems. Dynamic verification is performed via model simulation in order to check that system paths have been executed properly, detecting any possible undesirable behaviour and incorrect or omitted logic. However, this method lacks the ability to check if PNs satisfy a desired set of properties, as static verification does, and cannot guarantee that all possible simulation paths of the system have been covered (Mhairi, 2009). Therefore, although model simulation can verify the logic of Petri Net elements, it is not an exhaustive means of proving model correctness (Obaidat & Boudriga, 2010).


5.2.3 Comparison of PN Models (Bi-simulation) for Verification

Another method, identified for PN model verification, is PN model comparison via bi-simulation equivalence, which can be used to verify whether two models have equivalent behaviours. Hence, two PNs are characterised bi-similar if one can simulate the other and vice-versa (Jančar et al., 1999). According to Girault and Valk (2003), two nets are considered bi-similar if and only if a correspondence between their markings can be identified such that in corresponding markings every firing transition in one net can be matched by a similar firing transition in the other net, leading to corresponding markings.