Faults and timing analysis in real-time distributed systems: A fuzzy time Petri-net-based approach

FUZ2'Y

sets and systems ELSEVIER

Fuzzy Sets and Systems 83 (1996) 143-168

Faults and timing analysis in real-time distributed systems: A fuzzy time Petri-net-based approach J o r g e C . A . de F i g u e i r e d o a, A n g e l o P e r k u s i c h b,* a Departamento de Sistemas e Cornputafgto, Universidade Federal da Paraiba, Caixa Postal 10106, 58109-970 Campina Grande - PB, Brazil b Departamento de En.qenharia El~trica, Universidade Federal da Paraiba, Caixa Postal 10105, 58109-970 Campina Grande - PB, Brazil

Received November 1995

Abstract In this paper we present a Petri-net-based approach to consider faults and timing analysis in real-time distributed systems. The proposed approach is based on f u z z y time G-nets which is the integration of two Petri nets extensions: f u z z ) ' time P e t r i net (timing Petri net extension) and G-nets (Petri net extended with object-oriented concepts). We show how to perform timing analysis using the proposed approach. We also show that f u z z y time G-nets can be used to represent fault-tolerant techniques and to consider anticipated faults. Ke),words." Fuzzy time intervals; Petri nets; Fault-tolerance; Distributed real-time systems

1. Introduction

The development of large and complex systems requires powerful modeling and analysis tools in order to treat the inherent complexity of such systems. For several reasons, as for example firm mathematical foundation and graphical representation, Petri nets have been widely used in the modeling and analysis of complex systems [27]. In the case of complex realtime systems, both logical and timing aspects must be considered. Since the original Petri net model does not allow representation of timing constraints, several extensions have been proposed in order to incorporate the timing aspects into Petri nets. Generally speaking, Petri nets were extended using either a determi-

* Corresponding author. Tel.: +55 83 333 1000 R-412, fax: +55 83 333 1650; e-mail: [email protected].

nistic [18,24,33,39] or stochastic [1,19,25] approach. Each extension has its own advantages and limitations. The natural trend of the computing world is moving toward the concept of distributed systems [36]. As a consequence of the increasing popularity of computing systems in complex critical applications, issues related to safety and fault tolerance of systems have gained importance in the past years. A system is faulttolerant if it maintains full performance and functional capabilities in the presence of faults. Several faulttolerant techniques have been proposed in order to address different types of failures [3, 5, 20, 21,37]. Those techniques can be widely classified as backward or forward fault-tolerant techniques. In the case of real-time distributed system (RTDS), a high degree of reliability, availability, and safety is required. The system must guarantee performance as specified in the domains of value and time [22, 30].

0165-0114/96/$15.00 Copyright @ 1996 Elsevier Science B.V. All rights reserved S S D I 0165-01 1 4 ( 9 5 ) 0 0 3 8 7 - 8

144

J. C.A. de Fi(lueiredo. A. Perkusich/ Fuzzy Sets and Systems 83 (1996) 143 168

Considering the above requirements, the designer of a RTDS must adopt an approach that supports the systematic introduction of time-dependent and nontime-dependent fault-tolerant properties into a component. The well-known fault-tolerant techniques, when applied to real-time systems, present several drawbacks since we must take into consideration the recovery latency that can cause the violation of timing constraints. Thus, the consideration of anticipated faults and operational conditions arises as a trend of fault tolerance in real-time systems [26]. The purpose of this paper is twofold. First we introduce an approach to perform timing analysis of complex real-time systems. Second, we apply the proposed approach in order to define fault-tolerant schemes and to treat anticipated faults. The proposed approach named Ji~z~v time G-nets (FTG-nets) is based on two Petri nets extensions: j u z z y time petri nets [13, 14] and G-nets [15, 16, 28]. Fuczy time Petri net ( F T P N ) is a timing extension which uses a fuzzy approach to introduce time into Petri nets. The utilization of fuzzy sets theory allows the generalization of the deterministic timing Petri nets extensions. Also, it provides means to compute some performance indices. Thus, it is possible to combine the positive aspects of deterministic and stochastic Petri nets extensions in a unique extension. Numerous references address the integration of fuzzy approach and Petri nets [6 8, 10,23,40,44]. Fuzzy Petri nets are suitable for specific kinds of applications. For example, the fuzzy Petri net proposed by Looney [23] is a modified Petri net applied to fuzzy rule-based reasoning using propositional logic. Chen et al. [10] have proposed a fuzzy Petri net model to represent the fuzzy production rules of a rule-based system. Focusing on the timing extensions proposed to the Petri net model, they do not take into consideration the uncertainty and imprecision of the events that we face when considering real systems. The first attempt to consider imprecision was proposed by Merlin [24]. In his work, the firing time of transitions are defined by an interval. Valette and Cardoso [8, 44] introduced the concept of uncertainty and imprecision in Petri nets to monitor and to control a flexible manufacturing system, where some aspects about uncertain time are considered. However, there is no consideration about timing analysis.

G-net is a Petri net multilevel executable specification model which uses object-oriented concepts. The integration between F T P N and G-nets allows the support of several characteristics which are inherent to real-time distributed systems: distribution, concurrency, synchronization, real-time constraints and fault tolerance. Distribution, concurrency and synchronization arise naturally from the G-net concept. Real-time constraints and fault tolerance can be achieved by means of F T P N as shown later. The rest of this paper is organized as follows. In Section 2, we introduce f u z z y thne Petri nets. In Section 3, we present a modified reachability graph for F T P N model to perform timing analysis. In Section 4, we introduce G-net systems followed by a decomposition approach in Section 5. In Section 6, we present the integration between J u z z y t#ne Petri nets and Gnets. In Section 7, we show how the FTG-nets can be applied in the design of RTDS with fault-tolerant characteristics. In this section, we also present the treatment of anticipated faults by means of FTG-nets. Finally, we present some conclusions in Section 8.

2. Fuzzy time Petri net Fuzzy time Petri nets are an extension of Petri nets which use a fuzzy approach to introduce time into Petri nets. The model is intended to serve as a tool which is suitable for modeling real-time systems and for computing selected performance indices, i.e., this model combines the ability to model real-time systems of the deterministic extensions and the ability to make performance evaluation of stochastic extensions. As shown later, this is accomplished through the combination of time intervals and fuzzy set theory [ 17]. In the F T P N model, tokens carry a fuzzy time function representing the possibility of there being a token in a given place from a reference set. Besides the fuzzy time function, two fuzzy intervals are associated with each transition. The enable interval E represents the minimum and maximum time that must elapse between the enabling of a transition and its firing time. The delay interval D represents the firing time, i.e., the delay necessary to execute the action represented by the corresponding transition. The existence of these time intervals associated with transitions is necessary in order to allow the modeling

J.C.A. de Fi.queiredo, A. Perkusich/Fu:--y Sets and Systems 83 (1996) 143-168

145

of two different timing concepts: time-outs and processing delays. Moreover, these two types of intervals are important when dealing with real-time systems. We can represent three general categories o f timing constraints for real-time systems, that are: maximum timing constraints, minimum timing constraints and durational timing constraints [11].

•

2.1. Definition and firing rule

Similar to the Petri net definition, P ~ T = (~ and P U T ¢ 13. Also, for the sake of simplicity, let us consider that the preset (set o f input places) of a transition t, t c T, is represented by ot and the postset o f a transition t by te. Once in this model each token carries a F T F which is defined after firing a transition, the dynamic behavior of a F T P N differs from the behavior of the underlying Petri net. The dynamic behavior of a F T P N depends on the FTFs of the tokens and the fuzzy intervals which will modify the so-called firing rules. In what follows, we present the firing rules o f the F T P N model. (a) A transition t is said enabled to fire if there is at least one token in each of its input places, assuming weight 1 for each arc, at the same point of the time scale. That is, given a transition t and the set of its input places (P1, P2 . . . . . P,,) with fuzzy time functions FTF(PI ), FTF(P2) . . . . . FTF(P,, ), respectively, the transition t is enabled to fire iff:

In what follows, we introduce some important concepts necessary to formally define a F T P N . Definition 2.1. TS is the time scale set. TS = {x E N I x~>0}, i.e., the set o f all non-negative real numbers. Definition 2.2. Consider that y and z are two fuzzy dates in time scale TS, i.e., y , z E TS, Vl~),(t),l~:(t ) C [0, 1]. A fuzzy time interval, F I N T = {[y,z] E TS × TS I z >~y}, o f time points which are greater than y and smaller than z, is defined by the membership function I~(FINT) ---- #b' z](t) = sup min(r~v(s),~ lr,(s'~ )) where t,s,s' E TS and ~y(S),~z(s') delimit the fuzzy set of possible values of y and z, respectively. A F T F is also defined as an ill-known date which is assigned for each token in a place. The FTFs of the tokens are combined in order to determine or update the FTFs of the subsequent tokens. Definition 2.3. Suppose that p is a place and x is an ill-known date representing the time that there exists a token in place p. So, the fuzzy time function, associated with the token in place p is F T F x ( p ) =- ~x(TS), where ~x(TS) delimits the fuzzy set of the possible values of x. A fuzzy token is a token which carries a fuzzy time function. Definition 2.4. A F T P N , is defined as a seven-tuple (P, 7,1, O, ~, ~ , MO), where: • P is a finite set of places. • T is a finite set o f transitions. • I : T ---+P ~ is the input function for transitions. • O : T --~ P"~ is the output function for transitions.

d ~ : T ~ E([el,e2]) is a set of fuzzy enable intervals, where E is a FINT. • ~ : T ~ D([dl,d2]) is a set of fuzzy delay intervals, where D is a FINT. • MO : P -+ F T F r ( P ) is the initial marking of the net, where FTF~(P) is a fuzzy time function characterizing the possibility distribution of there being a token in a place P in a given time ~, where z E TS.

NFTF(et) = ( F T F ( P I ) N FTF(P2 ) A . . . A FTF(P,, )).

( 1)

(b) If, in a given time, more than one transition is enabled to fire, a non-deterministic choice determines the next transition to fire. However, it is important to remember that, in some cases depending on their bounds, the enable intervals can contribute to the choice of the next transition to fire. This nondeterministic choice reflects the time-out situation. (c) The transition remains enabled for a period E before it can fire. (d) The transition begins firing and continues to fire for a period D. (e) As a result of the firing, a token carrying the new fuzzy time function is assigned to each output place. This new fuzzy time function is obtained from the composition of the fuzzy tokens of the input places and

146

,L C A. de Figueiredo, A. Perkusich / Fuzzy Sets and Systems 83 (1996) 143 168

the fuzzy time intervals associated with the transition. The computation of the new fuzzy time function is described in the next section.

P k ~ E,D

2.2. Fuzzy fimction computation rule In this section, we show how to compute the FTFs of the tokens created during the execution o f a FTPN. The fuzzy time function associated with the output token created after firing a transition depends upon the fuzzy time function of the input tokens and the fuzzy time intervals associated with the fired transition. Generally speaking, this computation can be performed in two basic steps. In the first step, the fuzzy time functions of the input tokens are combined in order to verify the possibility of the tokens in the input places in the same instant of time..In the second step, the resultant fuzzy time function from the combination performed in the first step is compounded with the fuzzy time intervals of the fired transition. In the remainder of this section, we detail these two steps. Step 1: Computation or fuzzy tokens. Considering the time scale TS, defined in Section 2.1, as a referential set, the possibility of the availability of a token in a place P in an instant r, ~ E TS, is given by the characteristic Junction or membership Junction I~:

Fig. 1. n input places.

Step 2: Final juzzy time fimction. In this step, the resultant fuzzy time function obtained from the fuzzy input tokens is combined with the fuzzy time intervals associated with the fired transition. Suppose that/~R(r) represents the resultant fuzzy time function considering the fuzzy input tokens of transition tl in Fig. 1. Initially, considering that the delay interval D associated with transition tl is given by the interval [0, 0] (instantaneous firing). In this case, when a token reaches Pk, the membership function representing the associated fuzzy time function in place Pk,/lpk(r), is the combination between the resultant time function ]~R(r) and the enable interval E associated with transition tl. This combination is determined by the addition of fuzzy variables using the membership functions #c4~+)a)(z) = MAXz x+.~,MIN(l~.4(x),#B(y)),

VT C T S ; lip(T) ~ [0, 1].

(4)

(2)

Supposing that transition has more than one input place, as shown in Fig. 1. In this case, to fire a transition, the resultant fuzzy time function, pR(z), is the intersection of the tokens. In Fig. 1, FTF(P1), FTF(P2) . . . . . FTF(Pn) are the fuzzy time functions associated with tokens in places P1, P2,..., Pn, respectively. Let us consider that FTF(P1 ), FTF(P2 ) ..... FTF(Pn ) are represented by the membership functions PPI( ~), I~p2('c ) ..... #p,,( ~), respectively. The resultant fuzzy time function, PR(r), is given by ~R(r)

where z, x and y E TS, ].,/A(X), }lB(y ) and [,I(A(+)B)(Z ) represent the resultant fuzzy time function, the enable interval and the final fuzzy time function associated with the token in place Pk, respectively.

Definition2.6.

The operator @ represents the operation as defined in Eq. (4). To consider the delay interval D associated with the transition, the same method for addition of fuzzy variables is used, i.e., in this case the final fuzzy time function is the combination between the resultant fuzzy time function and the enable and delay fuzzy time intervals E and D, respectively.

= (~ #p,,(v) = MIN(,upI(r),tO2(z) ..... /~e,,('r)). i 0

(3)

Definition2.5.

The operator o represents the operation as defined in Eq. (3).

2.3. Generalization oJ the deterministic timing extensions The major feature of the F T P N model is its strength in model real-time systems and to make performance

J. (Z A. de Fiyueiredo, A. Perkusich/ Fuzzy Sets anti Systems 83 (1996) 143 168

evaluation of systems. Actually, the F T P N model is more general than the deterministic timing extensions already proposed to the Petri net model since it is possible to represent them by a F T P N . These extensions can be modeled using a F T P N by imposing some restrictions to the enable and delay intervals of the F T P N model by setting their fuzzy characterization accordingly. In this section, we show how some extensions as T P N [24] and T d P N [33] can be modeled by means o f F T P N . In the unification, we consider two aspects which distinguish F T P N from the other timing extensions: the fuzzy time function associated with the token and the fuzzy time intervals associated with transitions. In the classical timing extensions, the token does not have an availability or validity period and, once it arrives in a place, it remains in the place until it is removed by the firing of a transition. L e m m a 2.1. A token in a classical Petri net can be represented by means o f a f u z z y token defined in the F T P N model

Proof. To represent a classical token by a fuzzy token, it is necessary to consider that a token does not have a period o f validity. Let us suppose that a token arrives in a place in time v. It is clear to see that, the F T F corresponding to the traditional token is represented by the fuzzy interval [r, ~c], where /~(x) = 1, Vx Ix > r. For the initial tokens z = 0. [] L e m m a 2.2. A f u z z y delay interval can model a f i x e d duration oJ time.

Proof. This can be directly done by setting the upper and lower bounds of the fuzzy delay interval to the value of the fixed duration. In this case, there is no imprecision about the values. Thus, D = [d,d], /~(d) = 1. []

Proof. The definition o f both intervals are equivalents, i.e., they represent the same kind of timing restrictions. They have a minimum time that must elapse before the transition is enabled to fire as well as a maximum value that transition must wait to fire, after which the transition must fire. The difference is that in the fuzzy interval there are different degrees of membership associated with the points o f the interval. So, the interval TI = [ t m i n , / m a x ] can be represented by the enable interval assuming that all the points of the interval have the same degree of possibility, i.e., E = [train,/max], p(t) = 1,'7'T, tmin ~< T<~tmax. [] Theorem 2.1. A T P N can be modeled by a F T P N .

Proof. The T P N model is characterized by two time values tmin and tmax. These times are relative to the moment z at which all place in the preset o f transition t is marked. Assuming that this happens at time z, then transition t cannot fire before z + train, and must fire within z + tmax. This concept can be easily represented by the enable interval. From Lemmas 2.1 and 2.3 we guarantee that we can represent the tokens and timing intervals o f a TPN. It is necessary to consider no firing delay. This can be directly done by using Lemma 2.2 setting the value o f the duration to 0. That is, 1. E =[tmin, tmax], kt(e) = 1, tmin ~
P r o o L In this model, a fixed duration d is assigned to each transition. Also, once the input tokens arrive in the input places, the transition is enabled instantaneously. These two conditions can be expressed by means o f a F T P N (Lemmas 2.2 and 2.3). That is, 1. g ---- [0, 0], Ft(O) = 1. 2. D = [d,d], #(d) -- I.

The time Petri net model ( T P N ) proposed by Merlin is characterized by assigning a time interval TI = [train, tmax] to each transition.

147

[]

Similarly, the graphical representation for the fuzzy values of a F T P N in order to represent a T d P N is shown in Fig 3.

Lemma 2.3. The timing interval TI associated with transitions in the T P N model can be modeled by the J u z z y enable interval E o f the F T P N m o d e l

Theorem 2.3. A classical (non-temporal) Petri net can be modeled by a F T P N .

J.C.A. de Figueiredo, A. Perkusich/Fuzzy Sets and Systems 83 (1996) 143 168

148

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

1

.

.

.

.

.

.

.

.

.

.

1

enabled

delay interval

token 0

T

interval

T

(a)

0

T

(b)

(c)

Fig. 2. Generalization of a TPN.

Ix

I*

g

token

enabledinterval

delay in~rval

T

0

(a)

d

(b)

T

T

(c)

Fig. 3. Generalization of TdPN.

Proof. The theorem can be proved by using Lemmas 2.1-2.3. Lemma 2.1 indicates the modeling o f a classical token. By Lemmas 2.2 and 2.3 we guarantee no timing dependence in the firing rule, which can be represented by 1. D = [0, 0] with membership value/~(0) = 1. 2. E = [0, oc],/t(t) = 1,Vt,0~
3. Fuzzy reachability graph One of the well-known methods to analyze Petri nets is the reachability tree. The reachability tree is a very useful analysis tool for many properties o f Petri nets. However, its application is in general limited

by the fact that, in most cases, the reachability tree of a Petri net is an infinite tree for a given initial marking. A very simple way to reduce the reachability tree is to construct a graph such that equivalent states correspond to only one node in the graph. The reachability graph is a directed graph which enumerates all the reachable states o f a system, and describes all possible transitions between states [35]. Unfortunately, the state explosion problem is still present, specially when there are more than one token in a place. In our study, we consider that the nets are 1safe, i.e., nets that support no more than one token in a place. Reachability graph analysis technique have been used for many people in order to prove different kinds o f properties [4, 27, 32, 35, 4 1 , 4 5 - 4 7 ] . In what follows, we introduce a modified reachability graph named f u z z y reachability 9raph for the timing analysis o f F T P N s .

J. CA. de Figueiredo, A. Perkusich/Fuzzy Sets and Systems 83 (1996) 143 168

149

g

delay interval

token

enabled interval =a-

T

0

(a)

T (b)

0

T

(c)

Fig. 4. Generalization of a classical Petri net. 3.1. Definition and construction o f the f u z z y reachability graph The fuzzy reachability graph is a modified reachability graph which incorporates the time concepts defined in the F T P N model. The basic idea is to extend the concept of reachability graph to include the fuzzy time function (FTF) carried by the token, which is computed after each transition firing, starting from the initial marking. Also, the modified reachability graph considers the fuzzy time intervals associated with the transitions. Thus, the fuzzy reachability graph is characterized by (1) Assigning a FTF to each token on places in a given state. This follows from the definition of the f u z z y time Petri net model in which tokens carry fuzzy characteristic functions. (2) Attaching to each edge of the graph the timing intervals associated with the corresponding firing transition representing the time restrictions when firing a transition in the F T P N model. Before formally introducing the concept of fuzzy reachability graph, we introduce the concept of fuzzy time function set of a state (FSET). A state in a F T P N is defined as its marking S = [m( p 1), m( p 2 ) . . . . . m( pn ) }, where m( pi ) represents the amount of tokens in place pi. Definition 3.1. A fuzzy time function set, FSET, is the set of FTFs considering a given state i.e., FSET(S) = { F T F ( p l ) , F T F ( p 2 ) . . . . . FTF(pn)}. Definition 3.2. The fuzzy reachability graph, FRG, is defined as a labeled graph FRG = (N,A). N is called

node set which is the set of all possible states or markings. A FSET related to the state represented by the node is associated with it. A is called the arc set which is the set of arcs labeled with the fuzzy time intervals representing all possible single transition firings. Definition 3.3. A given state S is defined as an immediate reachable state (irs) from an initial state SO, i f S is reachable from SO after firing only one transition. Definition 3.4. An immediate reachable state set for a given state S, IRS(S), is the set of all immediate reachable states of S.

The fuzzy reachability graph is constructed by recursively calculating the successors of every reachable state, starting from an initial state. The procedure for compute successors of a state is shown in Fig. 5. To illustrate the construction of the reachability graph, let us consider the F T P N shown in Fig. 6(a). Assuming an initial marking of one fuzzy token in place P1 with fuzzy time function FTF(Pt ), there are six possible reachable states for the net as shown in Table 1. The fuzzy reachability graph is constructed according to the procedure presented above, and is shown in Fig. 6(b). According to its definition, to each node (representing state) is associated its corresponding FSET. Thus, the node representing the state SO which is composed by one token in place P1, is associated with the fuzzy time function set {F1 }. For sake of simplicity we represent FTF(P 1 ) by F 1, FTF(P2) by F2 and so on. Similarly, {F2,F3} is associated with state $1, {F3,F4} to state $2, {F2,F5} to state $3, {F4,F5} to state $4 and {F6} to state $5. More-

J.C.A. de Fi,queiredo, A. Perkusich/ Fuzzy Sets and Systems 83 (1996) 143 168

150 1. 2.

3. 4. 5. 6.

Given a state S Determine the set of firable transitions F T For all transitions t E F T do Generate a successor state S' from S after firing t Associate to the edge that connect S to S' its corresponding time intervals Assign to the node its corresponding FSET

7. enddo Fig. 5. Procedure to compute successors of a state.

~E1

s° , DI

P3

S

~

S2

E2,D2 ~ E 4 ,

S~4

E3, D 3

\2)

s"

83

'] E3, D3

)

( )P5 E4, D4

F1=FTF(P1),F2=FTF(P2), etc. (b)

(a)

Fig. 6. (a) Simple net and (b) its reachability graph.

over, the fuzzy time intervals are assigned to the arcs. For example, considering the state SO, only one transition may fire (transition t l ) and its firing leads to state S1. This is observed in the reachability graph by the arc connecting states SO and S1, where E1 and D1 are the fuzzy time intervals associated with transition tl. The fuzzy time intervals E2 and D2 are associated with the arc connecting S1 to $2 and $3 to $4, the fuzzy time intervals E3 and D3 are associated with the arc connecting S1 to $3 and $2 to $4. Finally, the fuzzy time intervals E4 and D4 are associated with the arc connecting $4 to $5.

3.2. Timing analysis is'sues The t i m i n g a n a l y s i s is b a s e d o n the f u z z y t i m e f u n c tion a s s o c i a t e d w i t h the tokens. The idea is to use the f u z z y r e a c h a b i l i t y graph, w h e r e w e h a v e the c o m p l e t e

Table 1 Possible states for the net depicted in Fig. 6(a) Places States

PI

P2

P3

P4

P5

P6

so s1 $2 $3 $4 $5

1 0 0 0 0 0

0 1 0 1 0 0

0 I 1 0 0 0

0 0 1 0 1 0

0 0 0 1 1 0

0 0 0 0 0 1

state space, in o r d e r to c o m p u t e the FTFs. W e a s s u m e that the FTFs a s s o c i a t e d w i t h the initial t o k e n s are k n o w n 1 a n d d e f i n e d in the f u z z y r e a c h a b i l i t y g r a p h I The initial FTF can be set to compute specific indices or may represent some different situations.

J. CA. de Fiyueiredo. A. Perkusich/Fuzzy Sets and Systems 83 (1996) 143 168 by the FSET assigned to the root (initial state). Thus, from the initial state in the fuzzy reachability graph and the initial fuzzy time functions, we can compute the FTFs in the others states of the fuzzy reachability graph. Informally speaking, to compute these functions, it is necessary to identify differences among the FSETs of immediate reachable states. Considering two connected states in the FRG and their respective FSETs, we have to consider two cases during the analysis: 1. common elements between FSETs, 2. different elements between FSETs. Focusing on the dynamic behavior of a FTPN, item 1 indicates that tokens were not removed after firing a transition. Item 2 may represent two things: tokens removed from input places and tokens deposited in output places. According to the fuzzy function computation rule presented previously, input tokens are combined to determine the FTF of the output tokens. In what follows, we present the timing analysis rules which are based on the FRG analysis. Let S and S' be two states in the FRG with respective fuzzy time function set FSET(S) and FSET(S'), where S' C IRS(S). Suppose that n is the number of places of the related FTPN and a is the arc connecting S to S ~. Definition 3.5. The set of common FTFs, SCF, is the set of all elements FTF(pi), where FTF(pi) C FSET( S),FSET( S') and 1 <~i <~n. Definition 3.6. The set of generated FTFs, SGF, is the set of all elements F T F ( p i), where F T F ( p j ) E FSET(S'), F T F ( p j ) ({ FSET(S) and 1 <<.j<~n. Definition 3.7. The set of influent FTFs, SIF, is the set of all elements FTF(pk), where FTF(pk) E FSET(S), FTF(pk ) ~ FSET(S') and 1 <~k <<.n. The timing analysis is performed based on the following rules: R1 The FTF values for the elements in SCF are not modified. R2 Combine the FTF values of elements in SIF using operation ~ defined in Section 2.2. R3 The value obtained in rule R2 is combined with the fuzzy time intervals associated with a, using operation @ defined in Section 2.2. The result is the FTF value for all elements in SGF.

151

In the fuzzy reachability graph depicted in Fig. 6(b), the initial state (SO) is composed by a token in place P1. Assuming that the initial FTF, F1, is known and following the rules presented above, we can compute the remaining FTFs. The remaining FTFs are: (a) From state SO to SI: In this case, it is easy to see that SGF = {F2,F3}, SIF = {F1} and E I , D I are the fuzzy intervals associated with arc connecting SO to S1. Then, we have F2 = F 3 = F l ©El ~,D1.

(5)

(b) From state S1 to $2: In this case, SGF = {Y4}, SIF = {F2}, SCF = {F3} and E2,D2 are the fuzzy intervals associated with arc connecting S1 to $2. Then, we have F4 = F2 ~, E2 QD2.

(6)

Similar computation is performed in the remaining state changes. (c) From state S1 to $3: Fs = F 3 @E3 @D3.

(7)

(d) From state $2 to $4: F5 = F3 @ E3 @ D3.

(8)

(e) From state $3 to $4: F4 = F2 @E2 ~ D2.

(9)

(f) From state $4 to $5: F6 = (F4 oFs)(/)E4 @D4.

(10)

Note that the results obtained in (7) and (8) are identical as well as the results in (6) and (9). These values are correct once they represent the FTF of the same token which belongs to two different states.

4. G-nets and G-net systems 4. 1. Basic concepts In [16] the concept of G-nets and G-net systems were introduced. G-nets are a Petri-net-based framework for the modular design and specification of distributed information systems. The framework is

152

J.(ZA. de Fiyueiredo, A. Perkusich/Fuzzy Sets and Systems 83 (1996) 143 168

an integration of Petri net theory with the objectoriented software engineering approach for system design. The motivation o f this integration is to bridge the gap between the formal treatment of Petri nets and a modular, object-oriented approach for the specification and prototyping o f complex software systems. The G-net notation incorporates the notions o f module and system structure into Petri nets; and promotes abstraction, encapsulation and loose coupling among the modules. A specification or design based on G-nets consists o f a set of independent and loosely-coupled modules (G-nets) organized in terms of various system structures. A G-net is encapsulated in such a way that a module can only access another module through a well-defined mechanism called G-net abstraction, avoiding interference in the internal structure o f another module. A G-net G is composed of two parts: a special place called 9enerie switch place ( GSP) and an internal structure (IS). The GSP provides the abstraction of the module, and serves as an interface between the G-net and other modules. The internal structure is a modified Petri net, and represents the detailed internal realization of the modeled application. The notation for G-nets is very close to the Petri net notation [27]. Among other features this notation allows the user to indicate communication among G-nets and termination. The notation for G-nets is shown in Fig. 7. The IS of the net is enclosed by a rounded comer rectangle, defining the internal structure boundary. The GSP is indicated by the ellipse in the left upper comer of the rectangle defining the IS boundary. The inscription GSP(net-name) defines the name of the net to be referred by other G-nets. The rounded comer rectangle in the upper right comer of the IS boundary is used to identify the methods and attributes for the net, where (attribute-name) = {(type)} defines the attribute for the net in which (attribute_name) is the name of the attributes, and (type) is a type for the attribute; (method name) is the name for a method; (description) is a description for the method, (pl : description ..... pn :description) is a list of arguments for the method. Finally, (sp) is the name of the initial place for the method. A circle represents a normal place. An ellipse in the internal structure represents an instantiated switch&# place ( isp ). The isp is used to provide inter-G-net communication. The

inscription isp(G I . mi) indicates the invocation of the net G I with method mi. A rectangle represents a transition that may have an inscription associated with it. This inscription may be either an attribution or a firing restriction. We will use the standard Language C notation for both attributions and firing restrictions. A double circle represents the termination place or goal place. Places and transitions are connected through arcs that may carry an expression. The GSP of a G-net G, denoted by GSP(ne~ name) in the ellipse of Fig. 7, uniquely identifies the module. The rounded-comer rectangle in the GSP side contains a description of one or more methods, which specify the functions, operations or services defined by the net, and a set of attributes specifying the passive properties of the module (if any). The detailed structures and information flows of each method are defined by a modified high-level net in the internal structure. More specifically, a method defines the input parameters, the initial marking of the corresponding internal high-level net (the initial state of the execution). The collection o f the methods and the attributes (if any) provides the abstraction or the external view of the module. In the internal structure, places represent primilives, and transitions, together with arcs, represent connections or relations among the primitives. These primitives may be actions, predicates, data entities, and instantiated switch places (isp's). A set o f special places called #oalplaces represents the final state of the execution, and the results (if any) to be returned. A transition, together with arcs, defines the synchronization and coordinates the information transfer between its input and output places. A formal introduction to G-nets can be found in [16]. Given a G-net G, an isp of G is denoted by isp(Gname.mtd) (or simply isp(G) if no ambiguity occurs), where Gname is the unique identification of G, and mtd is a defined method for G. An isp(Gname, mtd) denotes an instantiation of the G-net G, i.e., an instance of invocation of G based on the method mtd. Therefore, executing the isp primitive implies invoking G (by sending a token to G) based on the specified method. This token contains the parameters needed to define the tokens for the initial marking of the invoked net. This interaction between G-nets can be compared with the mechanism o f remote procedure call. The isp notation serves as the

J.C.A. de Figueiredo, A. Perkusich/Fuzzy Sets and Systems 83 (1996) 143 168

153

I <'~etr~bde-n-~m~°}n>= {[]()} 1

f

insc

Fig. 7. Notations used to represent a G-net.

~

Imp:produce={[n:integer numborof items](PR)}]

f

PR

~


GP: goalplace

GP

roquest statusconsumer nr: consumernot re~dy or: send to cortsumer co: consullled pr: producerresumes



~

13:

J

Fig. 8. G(P) G-net modeling the producer. primary mechanism for specifying the connections or relationships between different G-nets (modules). Embedding an isp o f a lower level G-net into the internal structure o f a higher level G-net specifies a hierarchical configuration.

4.2. An example based on the producer~consumer problem The producer/consumer problem is a well-known problem. It consists o f the synchronization between one or more producers and one or more consumers. In

the example that will be shown we assume, initially, that one producer is capable o f producing n items, and that a consumer is able to consume one item at a time. In Fig. 8 the G-net model G(P) for the producer is shown. For this net one method is defined and named mp. The function o f the method mp is to produce n items to be consumed. When G(P) is invoked through GSP(P) one token together with a field n, expressing the number o f items to be produced, is deposited in place PR. The action associated with this place simply decrements the field n. I f n < O, transitionpr fires and the invocation o f G(P) returns when the ~loal place

154

J.C.A. de Fi,queiredo, A. Perkusich/Fuzzy Sets and Systems 83 (1996) 143 168

I ms:statusffi{[nil]ON)} me:consume={[item:data](TC)} I

f

IN : inquire net C IN

na

Re'

RC /

WP

TC

Re:ready to c o n s u m e TC: trigger consumer GPS: end status CO: consuming WP: waiting produeor GPC: item accepted

sa

<1

na:

not available

sc: start c o n s m n h l g ac: a l r e a d y c o n s u m e d

J

sa:

send acknowledge

Fig. 9. G(C) G-net modeling the consumer.

GP is reached. Otherwise, that is n ~>0, transition rs fires, the token reaches i,v~(C, ms), and the net C is invoked using method ms. This invocation is to inquire net G(C) to ascertain whether it is ready to consume an item or not. If G(C) is not ready, transition nr fires, and the net G(C) is inquired again. Otherwise, the consumer is ready and transition cr fires. After the firing o f cr a token is deposited in i,sp(C, mc) and net C is invoked with the method mc together with the item to be consumed. When the token is returned from net C transition co fires and a token is put in place PR again. The G-net for the consumer G(C) is presented in Fig. 9. Two methods are defined for G ( C ) : method status (ms), and method consume (me). When G(C) is invoked through GSP(C), if the method is ms a token is put on place IN. Depending on the state o f G(C), which could be either consuming or ready to consume, transitions na or sa will fire. The choice between na and sa is based on the states represented by place R C (ready to consume) and place CO (consuming). I f R C is marked, transition sa fires and a token reaches the cjoalplace GPS with an acknowled.qe associated with the retuming token r (r = ack). Otherwise, a field not acknowled,qe is associated with the token (r = nak). After firing o f sa, a token is put in place WP, and the consumer is ready to consume. When G(C) is invoked with a method consume, mc, a token is put in place TC. Since WP was previously marked after a successful execution o f method ms, transition sc fires

and place CO is marked. At this point G(C) indicates to the consumer that the requested action may be either finished or in processing. This is because when transition sc fires a token is deposited in place CO and other in the ,qoal place GPC. It must be noted that transition ac can or cannot fire before the producer receives the returning token from GPC. After firing ac, a token is removed from CO and another one from RC', and one token is deposited in RC. A n d G(C) is ready to consume another item.

4.3. G-net decomposition The objective to decompose a G-net is to provide a clear structural coupling among G-nets. This structural coupling imposes restrictions in the communication among G-nets. Also with the decomposition o f the interface elements we allow the designer to incrementally design and analyze a system by adding new components. To do so the composition o f G-nets must be a stable operation. Therefore, the composition o f a requester G-net with a service G-net must, after the composition, still be a requester-service Gnet. This can be accomplished through the preservation o f the general properties o f the components, G-nets, so that the properties o f the whole system may be deduced from the properties o f its components. The elements used as the basis for the decomposition o f a G-net are the GSP, isp and #oal places.

,LC.A. de Figueiredo, A. Perkusich/Fuzzy Sets and Systems 83 (1996) 143 168

155

RI: ready to invoke SI: sequence id generator Rim: ready to invoke with method m RC: returned from net invoked RR: reply received Wi: waiting invocation reply G' : invoke net G' si: start invocation ra: reply acknowledged

Fig. 10. Decomposition of an isp(GIm).

@ SP

initial places for method m l ,.

. . . . . . . . . . . . . . . . . . . . . .

initial places for method m2 i

: ,'

.

. . . . . . . . . . . . . . . . . . . . .

,;

initial places for method nan ,

. . . . . . . . . . . . . . . . . . . . .

.

Fig. 11. Decomposition of a GSP(GI).

A decomposition for each one of these elements is introduced. We also define the concept ofreentrance for a decomposed G-net. The decomposition approach not only allows the introduction of the concept of reentrance, but it also allows the possibility to apply formal analysis to verify the behavior of a G-net and a G-net system. The approach we will introduce to decompose Gnets follows the basic principles of the object-oriented approach. Hence, the functional unity of the nets may be defined during their design, in such a way that they are components providing some services to other nets, and apply to other nets the services they offer. As discussed before, the GSP of a G-net provides the abstraction with explicit definition of the methods

(services) available to other nets. Also the isp and the goalplaces provide means by which a G-net can be invoked and the processed result (if any) is returned. The general principles that must be satisfied when G-nets are communicating is very similar to the client-server protocol [38], and consists of the following steps: 1. The requester G-net requests a service. 2. The called G-net accepts or not the requested service. 3. Upon acceptance of the service, the called G-net attends the request and provides the results, otherwise the requester G-net must issue another request. 4. The requester G-net retrieves the result.

156

J.c.A. de Fifueiredo, A. Perkusich / Fuzz), Sets and 3:vstems 83 (1996) 143 168

An isp(G ~ . m), representing the invocation of net G' using method m is decomposed as shown in Fig. 10. Place R I receives the token from the input transition(s), not represented in Fig. 10, then transition si fires and the propagation sequence of the token is updated based on the integer value n, where n E N, of the token in place SI, which is increased by one each time si fires. The output token will be put in R i m . This token will have a unique sequence identifier together with the set of tokens defining the initial marking of net G t. Also, a token will be put in Wi. Transition G' then can fire. This firing corresponds to the invocation of net G t. When net G' reaches its goal place the returning token(s) is (are) then put in place R C and transition sa fires resulting in a token in place RR. The place Wi is also used to maintain state information about the net, which can be used for fault-tolerance and error-recovery [9, 12, 30] For the GSP(G ~) the decomposition is shown in Fig. 11. The starting place, S P receives all the tokens that will correspond to the initial marking for the places corresponding to method n. The transition corresponding to the specified method will fire and the tokens will be put in the set of initial places, this set of places is represented by the dotted rectangles in Fig. 1 1.

5. Fuzzy time G-nets 5.1. Integration issues

In this section, we describe the integration between G-net and F T P N . The objective of this integration is to allow a modular timing analysis for complex systems. Each G-net in a G-net system is studied in isolation and the results are combined to determine the final solution. Since the concept of G-net does not take into consideration timing aspects and, due to the flexibility of its internal structure, we will consider the internal structure as being a F T P N . To do so and to allow a modular analysis, the integration is performed by considering the decomposed G-net. In the modular analysis, the most important thing is to know how to combine correctly the results obtained from the individual analysis of each module. The combination of the results is determined by how the modules are connected. In the following, we present details about the integration.

When one G-net invokes another G-net with a given method m, this method defines the initial marking for the invoked net. Since the internal structure is a f u z z y time Petri net, the token that arrives in an isp is a fuzzy token. Thus, the initial marking for the invoked net should be composed by fuzzy tokens. Once our main objective is the modular analysis, we have to have conditions to study each G-net in isolation, i.e., the individual G-net timing analysis must be independent of the analysis of the G-net which is invoking it. Due to the commutativity and distributivity properties of fuzzy sets, it is possible to study each invoked G-net considering that the tokens of the initial marking for the invoked net are not fuzzy. The results are then combined via the decomposed i.v), i.e., a fuzzy interval that corresponds to the minimum and maximum execution time of the invoked net is computed by combining the enable and delay intervals attached to its transitions, as defined previously. The computation of this fuzzy interval resumes when a 9oal place is reached, indicating that the invocation finished. Finally, this fuzzy interval is combined with the fuzzy time function assigned to the ispts token. The analysis of the invoked net depends on the method used in the invocation. However, to guarantee correct results, we have to make some assumptions as, for example, that the set of transitions of different methods are conflict-free, i.e., the set of transitions of two different methods are conflict-free if the firing of transitions in one method does not depend on firing any transition in the other method. In order to define the j u z z y time G-net, FTG-net, the decomposition of the i,~ip and the GSP (as presented in Section 4.3) is integrated together with the fuzzy time intervals associated with the transitions. Some considerations must be made in order to allow the integration and consequently the performance analysis. These considerations concern about some special places and transitions which were defined in the decomposed model in order to guarantee some properties of the original definition of G-nets. Focusing on the performance analysis, what is important to know is the fuzzy token in the isp and the analysis of the invoked net. Thus, the integration of the decomposed i~sp and the timing intervals are considered in the following way: 1. Places S I and Wi in the decomposed isp do not receive fuzzy tokens.

J.C.A. de Figueiredo. A. PerkusichIFuzzy Sets and Systems 83 (1996) 143-168

2. The time intervals associated with transitions si and ra are both [0, 0], i.e., the firing of these transitions are instantaneous. 3. A time interval is associated with transition G' corresponding to the minimum and maximum execution time of the net invoked by the isp, as described above. 4. Place R i m maintains the fuzzy time function of the isp~s token. 5. The token deposited in place R R after firing ra is a fuzzy token which carries the resultant fuzzy time function considering the invoked net. Actually, for the sake of timing analysis, the decomposed isp integrated with fuzzy time intervals can be simplified, based on the five assumptions enumerated above. For the decomposed GSP no special consideration is taken. The transition which is connected to the start place S P can be used in order to represent the communication delay between the communicating G-nets. In this case, for transitions t m l , t m 2 , . . . , and tmn a fuzzy delay interval is associated with each transition in order to represent the communication delay. The fuzzy delay intervals are the same since they represent the same communication and are only defined to determine which method will be executed. 5.2. Timing analysis using f u z z y time G-nets

In order to perform a modular timing analysis of a FTG-net, we have to consider the following steps: 1. Analyze the invoked FTG-net. If the invoked FTG-net invokes another FTG-net, the latter must be analyzed first. 2. Embed the result in the invoking FTG-net by assigning it to the decomposed isp. 3. Analyze the invoking FTG-net. As result of the analysis of an invoked FTG-net, we are interested in determining the delay to execute a method. Thus, we have to set the initial FTFs accordingly, i.e., the initial F T F s are set to [0, 0]. The delay to execute the invoked net is represented by the F T F carried by the token in the goal place. Returning to the producer/consumer example introduced in the last section, before analyzing the producer we have to first analyze the consumer. The FTG-net system representing the producer/consumer problem is composed by one FTG-net modeling the

157

producer and one FTG-net modeling the consumer. The FTG-nets are obtained from the decomposition of the original G-nets and by introducing the fuzzy time intervals. The G-nets for the consumer and producer are decomposed as shown in Figs. 12 and 13, respectively. Let us consider that G d ( P ) and G d ( C ) are the resultant decomposed G-nets for the producer and for the consumer, respectively. Also, fuzzy time intervals are associated with each transition in the decomposed G-net. For the sake of simplicity, the fuzzy enable intervals are not depicted in the Fig. 12. Thus, in Fig. 12, D C . ms is the delay interval associated with transition C. ms, Dral is the delay interval to transition ral, and so on. When the decomposed G-net, Gd(C), is invoked using method ms, two states are possible: G d ( C ) is either busy (token in place R C ' ) or ready to consume (token in place RC). Considering the ready to consume state, the decomposed G-net G d ( C ) is invoked twice. First, G d ( C ) is invoked with method ms and after with method inc. Each invocation is studied in isolation and the results are embedded in Gd(P), i.e., they are assigned to transitions C. ms and C. mc (see Fig. 12), respectively. In the case of method ms, three reachable states are possible as shown in Table 2. Fig. 14 shows the fuzzy reachability graph for decomposed G-net G d ( C ) invoked using method ms. Similarly, as presented in Section 3.2, the following F T F s are computed: F I N = FSC Q Dms,

( 11 )

F W P =- F G P = FRC' = ( F I N • F R C ) ~ Dsa.

(12)

The fuzzy interval corresponding to this invocation is given by the fuzzy time function carried by the token in the goalplace GP. Considering that the F T F values of the initial marking are not fuzzy (FSC = [0, 0]), from expressions ( 11 ) and (12) we compute the F T F associated with the token in GP (expression (13)). The fuzzy interval is assigned to transition C. ms in Gd(P): F G P = Dms @ Dsa.

(13)

Table 3 and Fig. 15 show the possible reachable states and the fuzzy reachability graph for the invocation of G d ( C ) using method mc, respectively. In a similar way, the fuzzy time function equations are determined and the fuzzy interval corresponding to this

158

J.C.A. de Fi(lueiredo, A. Perkusich / Fuzzy Sets and S)'stems 83 (1996) 143-168

i

()

sP °sPP'¸ t

t PR

....................................................... ?Re2 i Dra.2~

Dsl2

":i

i

~G~p

\

~

:.i- .................................................. Sll

~ "

~\

/

I ~'~"~ I DC.ms

SP: start place net P PR: producer ready RR1,RR2: replyreceived RIs: ready to invoke using method s RIc: ready to invokeusing method c SI 1,SI2: sequenceid generator RC1,RC2: returnexlfrom consumer RI1,RI2: ready to invoke GP: goal place W l,W2: waiting invocationreply rap: method produce rs: request status consumer sil,si2: startanting invocationnet C C: invoke riotC ral,ra2: reply acknowledged nr: consumernot ready cr: send to consumer co: consumed pr: producer resumes

Fig. 12. Decomposed G-net, Gd(P), for the producer including timing on transitions•

SC: start net C IN : inquire net C RC: ready to consume RC': consumer busy TC: trigger consumer GPS: end status

CO: consuming WP: waiting producer GPC: item accepted ms: method status mc: method consume na: not available so: start consuming ac: already consumed sa: send acknowledge Fig. 13. Decomposed G-net, Gd(C), for the consumer including timing on transitions.

J. C.A. de Figueiredo, A. Perkusich / Fuzz)' Sets and Systems 83 (1996) 143-168

159

Table 2 Possible states for the invocation of Gd(C) with method ms Places States

SC

IN

RC

RC'

WP

TC

CO

GP

GPC

SO S1 $2

I 0 0

0 I 0

1 1 0

0 0 1

0 0 1

0 0 0

0 0 0

0 0 1

0 0 0

Table 3 Possible states for the invocation of Gd(C) with method mc Places States

SC

IN

RC

SO

1

0

0

SI $2

0 0

0 0

0 0

RC'

WP

TC

CO

GP

GPC

1

1

0

0

0

0

1 1

l 0

1 0

0 1

0 0

0 1

Dmc

Dins ,

$1

Dsc

Fig. 14. Reachability graph for the consumer considering method

Fig. 15. Reachability graph for the consumer considering method

m e ,-.

mc.

invocation, expression (16), is assigned to transition C. mc in G d ( P ) :

each invocation o f G - n e t G d ( C ) in separate, the timing properties o f decomposed G - n e t G d ( P ) can be studied. Table 4 shows the possible reachable states for the producer and Fig. 16 shows its fuzzy reachability graph. The fuzzy time functions o f the producer are identically determined. In the case o f timing analysis, the decomposed isp can be simplified as shown in Fig. 17, where G' is the transition representing the execution o f the invoked net. This is true because we are only interested in

F T C = F S C :3 D m c , FCO = FGPC FGPC

= (FWP o FTC)

(14) 2D D s c ,

(15)

= ( ( D m s ~, D s a ) o D m c ) ~ D s c .

(16)

Considering the ready to consume state and the fuzzy time intervals determined above by studying

160

J.(ZA. de Figueiredo, A. P e r k u s i c h / F u z z y Sets and Systems 83 (1996) 143 168

Table 4 Possible states for the decomposed G-net G d ( P ) considering invocations Places States

SP

PR

RI1

SO S1 $2 $3 $4 $5 $6 S7 $8 $9 SIO

1 0 0 0 0 0 0 0 0 0 0

0 1 0 0 0 0 0 0 0 0 0

0 0 1 0 0 0 0 0 0 0 0

Sll

RIs

RCI

W1

RR1

RI2

0 0 0

0 0 0

0 0 0

0 0 0

0 0 0

1

0

1

0

0

0 0 0 0 0 0 0

1 0 0 0 0 0 0

1 0 0 0 0 0 0

0 1 0 0 0 0 0

0 0 1 0 0 0 0

S12

RIc

RC2

W2

RR2

GP

0 0 0 0 0 0 0

0 0 0 0 0 0 0

0 0 0 0 0 0 0

0 0 0 0 0 0 0

0 0 0 0 0 0 0

1

0

0

0

0

0 0 0

1 0 0

1 0 0

0 1 0

0 0 1

Dm~,

810

81

88

Dsil

Dsi2 83

84

85

Fig. 16. Reachability graph for the producer.

the execution time of the invoked net whose value is attached to G'. Also, we are considering that there is no timing restrictions associated with the transitions in the decomposed GSP. Then, using the simplified version of the decomposed isp, the simplified G-net representing the producer is shown in Fig. 18. The simplified ispts are represented in the dotted lines. The isp related to method ms is composed by the places RIs and R C 1 ,

and by transition C . ms. The isp related to method mc is composed by places RIc and R C 2 , and by transition C . ms. Where transitions C . ms and C . m c represent the invocation of the consumer with methods ms and mc, respectively. Since we are not considering any kind of timing restriction on the transition mp, the initial state is composed by one token in place P R . For this initial marking, there are six possible states

J. C A. de Fioueiredo, A. Perkusich / Fuzzy Sets and Systems 83 (1996) 143-168 RI: ready to invoke SI: sequence id generator Rim: ready to invoke with method in

SI

RC: relm'ned from net invoked RR: reply received Wi: waiting invocation reply G' : invoke net G' si: start invocation ra: reply acknowledged

Rim

RC

Fig. 17. Simplified decomposed isp for timing analysis purpose.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b

SP

GSP(P) i SP: start place net P

Imp

::

I~np

PR: producer ready RIs: ready to invoke using method ms RIe: ready to invoke using method me

. . . . . . . . . . . . . . .P . R

..............

"

RC 1,RC2: returned from consumer GP: goal place rap: method produce rs: request status consumer C.ms: invoke net C using method ms C.me: invoke net C using method me nr: consumer not ready ~r: send to consumer co: consumed pr: producer resumes Der Fig. 18. Simplified decomposed G-net for the producer

161

162

J.C.A. de Figueiredo, A. Perkusich/Fuzzy Sets and Systems 83 (1996) 143 168

Table 5 Possible states for the simplified G-net for the producer Places States

PR

Rls

RCI

Rlc

RC2

GP

SO SI' SI" $2' $2" $3

I 0 0 0 0 0

0 1 0 0 0 0

0 0 1 0 0 0

0 0 0 1 0 0

0 0 0 0 1 0

0 0 0 0 0 1

6. Faults in real-time distributed systems 6.1.

as shown in Table 5. The complete fuzzy reachability graph for the simplified net is depicted in Fig. 19. The analysis o f the simplified G - n e t can be executed in the same way as defined earlier. Although the

~r Dr8

81' 83

Dnr DC.n~

81 Dco

Ocr i

i

, 82 i i I I i I t

i

simplified decomposed isp is enough for timing analysis, the original decomposed isp is necessary to be applied in many fields as fault-tolerance and real-time distributed systems [9].

DC.me

i i

s2

Fig. 19. Fuzzy reachability graph for the simplified decomposed producer.

Fault-tolerance

aspects

In real-time systems, most faults are due to synchronization and performance errors that manifest themselves as transient system failures. We can differentiate two kind o f failures: time-dependent or nontime-dependent. In the case o f non-time-dependent failures we can say that • a required event does not occur; • an undesired event occurs; and/or, • two incompatible events occur simultaneously. On the other hand, there are three kind o f timedependent failures in a system that can lead to a faulty behavior. These failures include: • violation o f maximum timing constraints between events; • violation o f minimum time constraints between events; and/or, • durational failures (for example, a condition or set o f conditions fails to hold for a particular amount o f time). Different techniques addressing different types o f failures can be adopted to enhance fault tolerance. Major fault-tolerance techniques include: recovery blocks [21], N-version programming [3], rollback recovery with checkpoint [42], conversation [37] and exchange [2]. Rollback recovery with checkpoints, exchange and conversation are classified as backward fault-tolerant techniques while recovery blocks and N-version are called forward fault-tolerant techniques. Focusing on real-time systems where performance has to be guaranteed as specified in the domains o f value and time, it is necessary to analyze the temporal behavior o f the system to verify if timing constraints and performance indices are met. By analyzing temporal behavior, it is possible to investigate the occurrence o f timing faults. Backward fault-tolerant techniques, are often not appropriate to real-time environments. The applicability o f fault-tolerant techniques in real-time systems must take into

J.C.A. de Figueiredo, A. Perkusich/Fuzzy Sets and Systems 83 (1996) 143 168

163

EM

: ' " ' ~ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . : isp(G'.r).:'~..... . ,,.-'., :..... : RE .... irbt ! ..--. ............. ' "~ .'..........~ ' ':............ ~ ,'...... ' "': CI ,'-'....... '-.. ....... ..' ! cmi....... ~ : -~'. " (ta,~ ' to : .4 ..... i ' ...... " IN ~

m m

i' :

- ..... ! ........................ : SI

",~. . . . . . . . . . . . . . :

:

'

/'

Wi

-,2_ . . . . . . . . . . . ""

i : .

.

.

.

PC

.

RI

.

.

.

, ,

.

.

.

.

.

.

.

.

I . , -71~-

'

,,

[ti,ta]

(

checkpoint

.

',

t\

,,., • . . . . . . . . . . .

'"

.," 2~ ' 7 , , - . . . . . . . . . . . . . . . . . . . . . .

.-1 ' ~

•. .

. . . . . . . . . . . . . . . . . . .

•

.....

. ..........................

.""

Fig. 20. Timed rollback technique.

i..... i •

...--~,-'to :....... ~

/'

. . . . . . . . . . . . . . . . . . . . . . . . . . . . .

'. . . . . .

':

I

(ta, co]

: I :

standby block

" ....................

',_ . . . . . . . . . . . . . . . . . . . . . . . . . . .

SI

wi

[~ ,tal

', 1

primary block

j

Fig. 21. Recovery block technique.

c o n s i d e r a t i o n t h e r e c o v e r y l a t e n c y that c a n c a u s e t h e v i o l a t i o n o f t i m i n g c o n s t r a i n t s [26]. C o n s i d e r i n g f o r m a l m e t h o d s to a n a l y z e a n d i n t r o d u c e f a u l t - t o l e r a n t p r o p e r t i e s in c o m p u t e r s y s t e m s , P e t r i n e t s a r e a m o n g t h e m o s t a p p l i c a b l e . T h i s is b e c a u s e , u s i n g P e t r i n e t s , it is p o s s i b l e to u n i f y t h e modeling of software, hardware and environmental a s p e c t s b y u s i n g o n e f o r m a l i s m . T h e i n t e g r a t i o n b e t w e e n F T P N a n d G - n e t m o d e l c a n b e u s e d in o r d e r to t o l e r a t e t h e t i m e - d e p e n d e n t faults.

In F i g s . 20 a n d 21, w e p r e s e n t t w o fault t o l e r a n c e techniques modeled by a FTG-net. Actually, since the isp is t h e o n l y n o t a t i o n a l e l e m e n t in G - n e t that starts a communication between nets, we present how the d e c o m p o s e d isp is u s e d to r e p r e s e n t a f a u l t - t o l e r a n t t e c h n i q u e • T h e i d e a is to a d d , to e a c h isp, t i m i n g c o n s t r a i n t s c o r r e s p o n d i n g to t h e e n c a p s u l a t e d t i m e r e l a t e d to t h e i n v o k e d G - n e t , in this c a s e t h e w o r s t e x e c u t i o n t i m e . S i n c e w e h a v e to s p e c i f y t i m i n g c o n s t r a i n t s , w e u s e j u z z y t i m e G - n e t s w h e r e t i m i n g c o n s t r a i n t s are

164

J.C.A. de Figueiredo, A. Perkusich/Fuzzy Sets and Systems 83 (1996) 143 168

represented by time intervals. Also, the performance analysis can be carried out by using the approach described in [9]. The performance analysis can be carried out at run time based on how long the invocation of an object needs to resume. Therefore, it is necessary to provide means to measure the time elapsed between an invocation and its completion. In Fig. 20, we present a backward fault-tolerant technique named timed rollback with checkpoints. Fig. 21 depicts a forward fault-tolerant technique. In [9], the functioning for those fault-tolerant FTG-nets is detailed.

6.2. Fuzzy time G-nets and timing polymorphic invocation The application of the well-known fault-tolerant techniques to real-time systems presents certain drawbacks. A natural trend of fault tolerance in the realtime field, is the consideration of anticipated faults and operational conditions. This means that when the system moves outside some defined limits, it must be able to still function within its specifications. Considering real-time systems, there are different techniques to enforce the fault-tolerant requirements of the systems and applications. Such techniques include reconfiguration, graceful degradation, and load shedding. The basic idea of the reconfiguration technique, is the reallocation of applications running on a failed component to failure free components. In the load-shedding technique, a set of static priorities is defined in order to determine which applications will be dropped in case of failures [34]. Graceful degradation is defined when the results obtained are degraded and sometimes acceptable by the users. The degradation of the results can be determined by reducing execution times or by executing some alternative computation with much less requirements [26]. Following the natural trend of anticipated faults, we present a technique which employs some concepts related to graceful degradation and load-shedding techniques. The idea was adopted from the definition of time polymorphic invocation defined in [43]. According to [43], for a distributed real-time system the invoked object cannot statically decide its timing constraints, i.e., the communicating objects should try their best to achieve the required operations within a limited time. To accomplish this, we introduce the concept of timing polymorphic G-net invocation.

The invocation of a G-net G" is performed through the isp by using a defined method. In the case of the time polymorphic G-net invocation, the isp uses a set of methods to invoke G'. Also, a distinct timing constraint is specified for each method. These timing constraints will be used in the invoked net to determine which method should be executed. The methods have a priority order which is determined by the timing constraints associated with them. These priorities are important to guarantee that the system will function correctly and the time restrictions will be met. In many cases, the results may be degraded but acceptable. Definition 6.1. In a time polymorphic G-net invocation, an i~p invokes a G-net with a composed method

CM. CM = {(ml, Tcl),(m2, Tc2),...,(mn, rcn)} ml, m2 .... ,mn are methods and Tcl, Tc2 .... ,Tcn (Tcl < Tc2 < ... < Tcn) are timing constraints associated with the corresponding method. where

In G', the worst-case execution time for each method is known, once it can be determined performing the timing analysis as described in the previous section. Thus, according to the timing constraints associated with the methods and the worst-case execution time for the methods, only one method is selected to be executed. We are not considering the load of the node running G'. To consider this case, it is necessary to have mechanisms to specify it. For example, we can use a fake place together with a token which carries a FTF specifying the load of the node. When the fake token is combined with the initial tokens, different results (execution time) are produced reflecting the results considering the load of the node. According to the definition of time polymorphic G-net invocation, both isp and invoked GSP are responsible to maintain a fault-tolerant behavior of the system. In Fig. 22 we show the decomposed isp considering the time polymorphic G-net invocation. The timing polymorphic isp is similar to those decomposed fault-tolerant isps. The difference is that the enable intervals associated with transitions are known a priori (this follows from the anticipated faults trend). Tcn is the timing constraint associated with the nth method, i.e., the method with lower priority. If this timing constraint cannot be met, an exception handling routine is

J. CA. de Fioueiredo, A. Perkusich/Fuzzy Sets and Systems 83 (1996) 143 168

165

exception handling

A EM

RE

tO !....... ~" ~.cm I....... :~.' ,....,~ ...... ,......,":....... ,.._.~,' : ',

F_,=(tcn, co] i

,

sI

...

,'.

',

!

wi

E.,[tc 1,tca] timing polymorphic isp

Fig. 22. Timing polymorphic isp.

sP

..1

~.

•

for method ml

1] ~'/

"

~

~ "

" ' "

'?

for method m2 i

"

:

"

]

i

for method nm i

Fig. 23. Timing polymorphic GSP.

triggered by firing transition to. Places E M and R E , and transition cm treat the returned token from the failed time polymorphic G-net invocation. Since the polymorphic G-net invocation is executed using several methods, mechanisms to assess priorities to methods, are necessary considering the decomposed G S P of the invoked G-net G'. Since the timing constraints associated with the methods in the

polymorphic G-net invocation are distinct, it is possible to use them in order to assign priorities to the execution o f methods. Fig. 23 shows the decomposed timing polymorphie GSP. Each output arc o f starting place S P has an expression corresponding to a specific method. Also, transitions are augmented with inscriptions to compare the timing constraints and the worst-case execution time. The enable

166

Z C A. de Fiyueiredo, A. Perkusich ~Fuzzy Sets and Systems 83 (19961 143 168

intervals associated with transitions provide a way to assign priorities to select the correct method to be executed. For example, let us suppose that the G-net G' is invoked in a polymorphic way with methods (ml,Tcl) and (m2, Tc2), Tel < Tc2. Then, if the inscriptions of transitions tml and tin2 are satisfied, both transitions are enabled. Since Tel < To2, method m l has priority over method m2 and transition tml is selected to fire. Firing transition tml, tokens are deposited in initial places for method m l (in Fig. 23 representeby the dotted boxes) and method m2 is disabled.

7. Conclusion In this paper a fuzzy approach to introduce time in Petri nets was presented. The major motivation of this approach is the lack of generality of timing Petri net extensions. This approach, ./itzzy time Petri net (FTPN), integrates in a complementary fashion the strength of the deterministic and stochastic extensions. We extended the concept of reachability graph by incorporating the fuzzy time aspects of the model in order to perform timing analysis. We also defined an analysis technique based on the reachability graph. Moreover, in order to deal with large complex systems, we integrated the F T P N model with G-nets. The integration allows the modular timing analysis of complex systems by considering the internal structure of a G-net as being a FTPN, and using a decomposition approach. Thus, we can divide a system into subsystems, study them in isolation and integrate their results to get the global solution. We have presented how FTG-nets can help the introduction of forward and backward fault-tolerant mechanisms in a system modeled by a set of FTGnets. Timed rollback technique and recovery blocks were modeled by using FTG-nets as introduced by Perkusich et al. [30]. Moreover, a novel approach to treat anticipated faults in real-time distributed systems was introduced. Since FTG-nets are suitable to real-time distributed system design, it allows the support of many relevant aspects as distribution, concurrency, synchronization, real-time constraints and fault tolerance. By using FTG-nets, the treatment of anticipated faults is accomplished by the definition of

time polymorphic G-net invocation. We are investigating the application of FTG-nets to the control of track vehicle problem [29] and real-time databases [31]. Also, we are investigating the application of the F T P N model to introduce temporal autoprotection and autodetection for faults in the design of G-net systems.

References [1] M. Ajmone Marsan, D. Balbo and G. Conte, A class of generalised stochastic petri nets for the performance evaluation of multiprocessor systems, A CM Trans. Comput. 5),stems 2 (1984) 93 122. [2] T. Anderson and J.C. Knight, A framework for software fault tolerance in real-time systems, 1EEE Trans. Sojtware Eny. SE-9(1983) 355 364. [3] A. Avizienis, The N-version approach to fault-tolerant software, 1EEE Trans. Sojh~are Eng. S E - l l (1985) 1491 1506. [4] B. 13erthomieu and M. Diaz, Modeling and verification of time dependent systems using time petri nets, IEEE Trans. Sq/h~'are Enq. 17 (1991) 259 273. [5] K.P. 13innam, T.A. Joseph, T. Raeuchle, R. Abadi, A.E. Koo and S. Toueg, Checkpointing and rollback-recovery for distributed system, IEEE Trans. SoJhvare Enq. SE-13 (19871 23-31. [6] T. Cao and A.C. Sanderson, Task sequence planning using fuzzy petri nets, Proc. h~ternat. Con/: on 5~,stems Man and Cybernetics ( 1991 ) 349 354. [7] T. Cao and A.C. Sanderson, Variable reasoning and analysis about uncertainty with fuzzy petri nets, in: M. Ajmone Marsan, Ed., Applicathm and Theory o/ Petri Nets 1993, Lecture Notes in Computer Science, Vol. 691 (Springer, Bcrlin, 19931 126 145. [8] J. Cardoso, R. Valette and D. Dubois, Petri nets with uncertain markings, in: G. Rozenberg, Ed., Advances in Petri Nets 1990, Lecture Notes in Computer Science, Voh 483 (Springer, Berlin, 1990)64 78. [9] S.K. Chang, A. Perkusich, J.C.A. de Figueiredo, t3. Yu and M.J. Ehrcnberger, The design of real-time distributed information systems with object-oriented and fault-tolerant characteristics, Proe. 5th lnternat. Conf on Soj?ware En¢lineering and Knowledge Engineeriml, San Francisco, CA (1993). [10] S.M. Chen, J.S. Ke and J.F. Chang, Knowledge representation using fuzzy petri nets, IEEE Trans. Knowled.qe Data En~t. 2 (1990) 311 319. [11] 13. Dasarathy, Timing constraints of real-time systems: constructs tbr expressing them, methods of validating them, IEEE Trans. S~/?ware En9. It (1985) 80 86.

J. CA. de Fi(lueiredo, A. Perkusieh/Fuz.zv Sets and Systems 83 (1996) 143 168 [12] J.C.A. de Figueiredo, Fuzzy time Petri net, Ph.D. Thesis, Departamento de Sistemas e Computavfio, Universidade Federal da Paraiba (1994). [13] J.C.A. de Figueiredo, A. Perkusich and S.K. Chang, Timing analysis of real-time software systems using fuzzy time petri nets, Proc. 6th lnternat. Cot~/~ on So/tware En.qineerin9 and Knowled,qe Enyineerin#, Riga, Latvia (1994) 243 253. [14] J.C.A de Figueiredo, A. Perkusich and S.K. Chang, Anticipated faults in real-time distributed systems, Proc. 7th lnternat. Ebn[. on SoJ?ware Enqineeriny and Knowled,qe Enoineerin¢t, SEKE "95 ( 1995 ), to appear. [15] Y. Deng, A Unified framework tbr the modeling, prototyping and design of distributed information systems, Ph.D. Thesis, Department of Computer Science, University of Pittsburgh (1992). [16] Y. Deng, S.K. Chang, J.C.A. de Figueiredo and A. Perkusich, Integrating software engineering methods and Petri nets fbr the specification and prototyping of complex software systems, in: M. Ajmone Marsan, Ed., Application and Theory of Petri Nets 1993, Lecture Notes in Computer Science, Vol. 691 (Springer, Chicago, USA, 1993) 206~23. [17] D. Dubois and H. Prade, Processing fuzzy temporal knowledge, 1EEE Trans. Systems Man atut Cybernetics 19 (1989) 729 744. [18] C. Ghezzi, D. Mandrioli, S. Morasca and M. Pezze, A general way to put time in petri net, Pro('. 5th lnternat. Workshop on So/tware St)ec~Iications and Design (1989) 60-66. [l 9] P.J. Haas and G.S. Shedler, Regenerative stochastic petri nets, PelJbrm. Evaluation 6 (1986) 189 204. [20] J.P.J. Kelly, T.I. McVittie and W.I. Yamamoto, Implementing design diversity to achieve fault-tolerance, IEEE Soj~ware 8 (1991) 61 71. [21] R. Koo and S. Toueg, Checkpointing and rollback-recovery for distributed systems, IEEE Trans. SoJtware Eng. SE-13 (1987) 23 31. [22] H. Kopetz, A. Damm, C. Koza, M. Mulazzani, W. Schwabl, C. Senft and R. Zailinger, Distributed fault-tolerant real-time systems: the mars approach, IEEE Micro 9 (1989) 25-40. [23] C.G. Looney, Fuzzy petri nets for rule-based decisiomnaking, IEEE Trans. Systems Matt and Cybernetics 18 (1988) 178 183. [24] P.M. Merlin and D.J. Farber, Recoverability of communication protocols implications of a theoretical study, IEEE Trans. Commun. COM-24 (1976) 1036 1043. [25] M.K. Molloy, Performance analysis using stochastic petri nets, IEEE Trans. Comput. C-31 (1982) 913-917. [26] D. Moss6, Design, development, and deployment of fault-tolerant applications for distributed real-time systems, Ph.D. Thesis, University of Maryland, College Park (1993). [27] T. Murata, Petri nets: Properties, analysis and applications, Pro('. IEEE 77 (1989) 541 580. [28] A. Perkusich, Analysis of G-net systems based upon decomposition, Ph.D. Thesis, Department of Electrical Engineering, Federal University of Paraiba, Campina Grande, PB, Brazil (1994).

167

[29] A. Perkusich and J.C.A de Figueiredo, Object oriented design of a track-vehicle system, Pro('. 7th lnternat. Conf on So[?n'are En(tineerinq and Knowled~le Englineer#l~l, SEKE '95 (1995), to appear. [30] A. Perkusich, J.C.A. de Figueiredo and S.K Chang, Embedding fault-tolerant properties in the design of complex systems, J. Systems SoItware 2 (1994) 23-37. [31] M.L.B Perkusich, A. Perkusich and U. Schiel, Integrated design of object-oriented real-time control and database systems, Proc. 7th hTternat. ()tn/~ on SoJ?ware En~lineermy and Knowled,qe En~t#Teerim.t, SEKE'95 (1995), to appear. [32] J.L. Peterson, Petri Net Theorr and Modelin9 q[ Systems (Prentice-Hall, Englewood Cliffs, N J, 1981 ). [33] C. Ramchandani, Analysis of asynchronous concurrent systems by petri nets, Tech. Report Project MAC-TRI20, MIT, Cambridge, MA, (1974). [34] J.K. Ramos-Thuel and S. Strosnider, The transient server approach to scheduling tfine-critical recovery operations, 1EEE Real-Time Systems Symposium, San Antonio, TX, (1991) 286 295. [35] R.R. Razouk, The derivation of pertbrmance expressions for communication protocols from timed petri net models, A CM S1GCOMM '84 Tutorials & Symposium. Communications, Architectures & Protocols (1984) 210 217. [36] S.M. Shatz, Development of Distributed SoJtware (Macmillan, New York, 1993). [37] Y. Shieh, D. Ghosal, P.R. Chintamaneni and K. Tripathi, Application of Petri net models fbr the evaluation of faulttolerant techniques in distributed systems, Technical Report Series CS-TR-2128, University of Maryland, College Park, Maryland, 20742, USA (1988). [38] C. Sibertin-Blanc, Client-server protocol lbr high-level nets, in: M. Ajmone Marsan, Ed., Application and TheoJ3, of Petri Nets 1993, Lecture Notes in Computer Science, Vol. 691 (Springer, Chicago, USA, 1993) 353 372. [39] J. Sithkis, Performance evaluation of systems using nets, Net Theory and Applications, Lecture Notes in Computer Science, Vol. 84 (Springer, Berlin, 1980). [40] P. Srinivasan and D. Gracanin, Approximate reasoning with fuzzy petri nets, Proc. 2nd IEEE Col~[~ on Fuzzy Systems, Vol. 1 (1993)396 401. [41] V.S. Srinivasan and M.A. Jafari, Fault detection/monitoring using time petri nets, IEEE Trans. Systems Man and Cybernetics, submitted. [42] L. Svobodova, Resilient distributed computing, IEEE Trans. SoJtware Eng. SE-IO (1984) 257-268. [43] K. Takashio and M. Tokoro, DROL: an object-oriented programming language for distributed real-time systems, Proc. OOPSLA '92, Vancouver, British Columbia, Canada, 18-22 October (1992) 276 294. [44] R. Valette, J. Cardoso and D. Dubois, Monitoring manufacturing systems by means of petri nets with imprecise markings, 1EEE hTternat. Syrup. on Intelli~lent Control, Albany, NY (1989) 233 238.

168

J.C.A. de Fiyueiredo, A. PerkusichlFuzzy Sets and Systems 83 (1996) 143-168

[45] W.M.P. van der Aalst, Timed coloured Petri nets and their application to logistic systems, Ph.D. Thesis, Eindhoven University of Technology (1992). [46] W.M.P. van der Aalst, Interval timed coloured petri nets and their analysis, in: M. Ajmone Marsan, Ed., Application

and Theory of Petri Nets 1993, Lecture Notes in Computer Science, Vol. 691 (Springer, Berlin, 1993) 453 472. [47] W.M. Zuberek, Timed petri nets and preliminary performance evaluation, Proc. 7th Ann. Symp. on Computer Architecture (1980) 88-96.