**4. Heterogeneous formal specification and verification of holonic organisation based on SPN and Object-Z language**


group). Holon H11, of the Maintenance Policies organization, is also a super-holon which acts in the Research & Development group g8.

**Figure 10.** Holonic Structure of the IMC

In this section we present a method for integrating Stochastic Petri Nets (SPN) and Object-Z (OZ) by defining a coherent formalism called SPNOZ. It extends our earlier formalism ZGSPN [19], which combined the Z language [14] with Generalized Stochastic Petri Nets (GSPN). Petri nets (PN) are an excellent graphical formal model for describing the control structure and dynamic behaviour of concurrent and distributed systems, but they are limited in modelling power and lack mechanisms for data abstraction and refinement [22, 28].

OZ [6] is a formal notation for specifying the functionality of sequential systems. It is based on typed set theory and first-order logic, and thus offers rich type definition facilities and supports formal reasoning. However, OZ does not support the effective definition of concurrent and distributed systems, and OZ specifications often have no explicit operational semantics. Integrating SPN with OZ brings: (a) a unified formal model for specifying different aspects of a system (structure, control flow, data types and functionality); (b) a unified formal model for specifying different types of systems (sequential, concurrent and distributed); (c) a rich set of complementary specification development and analysis techniques. Our approach gives both a syntactic and a semantic integration of the two languages. The syntactic integration introduces a behaviour schema into the OZ class schema. The semantic integration translates both languages into the same semantic domain, as shown in Figure 11. An operational semantics describes how the system evolves over time.

The semantic entity associated with a given specification can be seen as an abstract machine that produces a set of computations. For this reason we believe that an operational semantics is a suitable representation for verification and simulation. Our approach uses an existing model checker rather than developing a specific one: the two transition system models obtained for a SPNOZ class (from its OZ part and from its SPN part) can both be verified by model checking. In this work the resulting specification is model-checked with the Symbolic Analysis Laboratory (SAL) [23]. One reason for choosing SAL is that, besides model checking, it provides verification procedures based on deductive techniques and theorem proving.

**Figure 11.** Formalism composition approach

#### **4.1. Our syntactic integration method**

To build a multi-formalism specification, a composition relation between the partial specifications must be established: sooner or later, one group of partial specifications has to refer to, or invoke, a part of the system that another group specifies. Composition can be expressed in several ways, for instance by sharing variables whose constraints are expressed on the same entity, or by translating every formalism used into a single one. Since the composition process we use is based on type integration, the Petri net formalism is embedded into the Object-Z formalism, so that Object-Z classes can specify dynamic (behavioural) aspects.

Syntactically, this integration rests on a shared syntactic domain with two parts: (a) a set of Object-Z types and classes that specify the main elements of a SPN, and (b) a function that maps a SPN onto syntactic elements of that domain. The shared domain is not a translation of Petri nets into Object-Z; it lets an Object-Z class reference the elements of the Petri net it includes. In other words, Object-Z describes the data structures and operations, and the Stochastic Petri Net describes the behavioural aspects. To express the SPN aspects inside Object-Z we therefore need rules that translate a SPN into syntactic elements of the domain; for this we use a function-like relation between the PN and the Object-Z schema. This section also gives a simplified description of the operational semantics of SPNOZ [20] specification models.

*Petri Nets – Manufacturing and Computer Science*, chapter: Specifying and Verifying Holonic Multi-Agent Systems Using Stochastic Petri Net and Object-Z: Application to Industrial Maintenance Organizations

#### *4.1.1. From PN to SPN*

In [19] we proposed a syntactic integration of several classes of Petri nets, with their abbreviations and extensions. Here we recall what is needed for SPN, starting from the semantics of ordinary Petri nets: the basic components of a net, and the notions of marking and firing. Petri nets (PNs), introduced by C. A. Petri [27], were originally intended as a means of representing the interaction, logical sequencing and synchronisation of activities of a purely logical nature [26]. A PN is a directed bipartite graph comprising a set of places P, a set of transitions T, and a set of directed arcs defined by the input and output incidence applications (Pre and Post). Each place contains a non-negative integer number of tokens (marks). The number of tokens in place $P_i$ is written $m(P_i)$ or $m_i$, and the net marking $m$ is the vector of these values, $m = (m_1, m_2, \ldots, m_{|P|})$. The marking is the state of the PN, or more precisely the state of the system the PN describes; the state evolves when the marking evolves, and the marking evolves by firing transitions, as we shall see. A generalised PN is a PN in which weights (written $w$, strictly positive integers) are attached to the arcs. A weight $w$ on an arc $P_i \to T_j$ means that $T_j$ is enabled (firable) only if $P_i$ contains at least $w$ tokens, and that firing $T_j$ removes $w$ tokens from $P_i$. A weight $w$ on an arc $T_j \to P_i$ means that firing $T_j$ adds $w$ tokens to $P_i$.

The graph of markings (reachability graph) has the reachable markings as vertices and, as arcs, the transition firings that lead from one marking to another. The specification of a PN is completed by the initial marking $m_0$. Since a standard Petri net conveys no information about the duration of each activity, nor about how the transition that fires next in a given marking is selected among the enabled ones, much research effort has gone into extending the modelling power of PNs, mostly by embedding PN models in timed environments. Stochastic Petri Nets (SPN) were introduced independently in [21, 24]. Both works share the idea of associating an exponentially distributed firing time with each transition of a PN, but differ in the delays they consider.

This random variable expresses the delay between the enabling and the firing of the transition. Formally, a SPN is the 8-tuple [18]

$SPN = (P, T, Pre, Post, C, Ih, R, m_0)$, where

- $P = \{P_1, P_2, \ldots, P_n\}$ is a finite, non-empty set of places;
- $T = \{T_1, T_2, \ldots, T_m\}$ is a finite, non-empty set of transitions, with $P \cap T = \emptyset$ (places and transitions are disjoint);
- $Pre : P \times T \to \mathbb{N}$ is the input incidence application and $Post : P \times T \to \mathbb{N}$ the output incidence application;
- $C : P \to \mathbb{N}^{+} \cup \{\infty\}$ gives the capacity of each place;
- $Ih \subseteq P \times T$ is the set of k-inhibitor arcs;
- $R : T \to \{\text{firing rate expressions}\}$ associates a firing rate expression with each timed transition;
- $m_0 = (m_{01}, m_{02}, \ldots, m_{0n})$, with $m_{0i} = m_0(P_i)$, is the initial marking.


Basically, a stochastic PN may be considered as a timed PN in which the timings have stochastic values. Transition $T_j$ fires when a time $d_j$ has elapsed since its enabling, and this time is a random value. In the basic model, usually called stochastic PN, the random variable $d_j$ follows an exponential law of rate $\lambda_j \in \lambda$, where $\lambda = \{\lambda_1, \lambda_2, \ldots, \lambda_{|T|}\}$. Note that firing rates may depend on the marking of places; in that case a firing rate expression is used. The exponential law means that $\Pr[d_j \le t + dt \mid d_j > t] = \lambda_j\,dt$. Its probability density and distribution function are, respectively, $h(t) = \lambda_j e^{-\lambda_j t}$ and $H(t) = \Pr[d_j \le t] = 1 - e^{-\lambda_j t}$.

The mean of this law is $1/\lambda_j$ and its variance $1/\lambda_j^2$; it is clear from the previous equations that the law is completely defined by the parameter $\lambda_j$. A fundamental feature of the exponential law is the memoryless property: $\Pr[d_j \le t_0 + t \mid d_j > t_0] = \Pr[d_j \le t]$.

This property may be interpreted as follows: let $d_j$ be an exponentially distributed random variable representing, for example, the service time of a customer whose service starts at time $t = 0$. If at time $t_0$ the service is not yet complete, the residual service time is again exponentially distributed with the same rate as $d_j$. This property is important because it implies the following one.
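The following derivation is an added worked example, not part of the original chapter. It uses the chapter's symbols $d_j$, $\lambda_j$ and $H(t)$ to show why the memoryless property holds, why it yields the q-enabling property stated next, and where the conditional firing probability used later for the Markov chain comes from.

$$\Pr[d_j \le t_0 + t \mid d_j > t_0] = \frac{H(t_0 + t) - H(t_0)}{1 - H(t_0)} = \frac{e^{-\lambda_j t_0} - e^{-\lambda_j (t_0 + t)}}{e^{-\lambda_j t_0}} = 1 - e^{-\lambda_j t} = \Pr[d_j \le t].$$

If $T_j$ is q-enabled, each of the $q$ enablings carries its own delay $d_j^{(1)}, \ldots, d_j^{(q)}$, independent and exponential of rate $\lambda_j$. By memorylessness the residual delays at time $t$ are still exponential of rate $\lambda_j$ whatever the enabling instants, and the next firing occurs at their minimum:

$$\Pr\Big[\min_{1 \le k \le q} d_j^{(k)} > t\Big] = \prod_{k=1}^{q} \Pr[d_j^{(k)} > t] = \prod_{k=1}^{q} e^{-\lambda_j t} = e^{-q \lambda_j t},$$

so the first firing of $T_j$ is exponential with rate $q \lambda_j = \lambda_j(m)$, i.e. $\Pr[T_j \text{ fires in } (t, t + dt]] = q \lambda_j\,dt$.

Applying the same argument to all transitions enabled in $m$, with $\lambda(m) = \sum_{j : T_j \in T(m)} \lambda_j(m)$, the dwelling time in $m$ is $\min_j d_j \sim \mathrm{Exp}(\lambda(m))$ and, for $T_k \in T(m)$,

$$\Pr[T_k \text{ fires first} \mid m] = \int_0^{\infty} \lambda_k(m)\, e^{-\lambda_k(m) s}\; e^{-(\lambda(m) - \lambda_k(m)) s}\, ds = \frac{\lambda_k(m)}{\lambda(m)}.$$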

**Property:** If transition $T_j$, whose firing rate is $\lambda_j$, is q-enabled at time $t$ with $q > 0$, i.e.

$$q \le \min_{i : P_i \in {}^{\circ}T_j} \frac{m(P_i)}{Pre(P_i, T_j)} < q + 1,$$

where ${}^{\circ}T_j$ is the set of input places of $T_j$, then $\Pr[T_j \text{ fires between } t \text{ and } t + dt] = q \cdot \lambda_j \cdot dt$, independently of the times at which the $q$ enablings occurred (simultaneously or not). The product $q \cdot \lambda_j = \lambda_j(m)$ is the firing rate of $T_j$ in marking $m$.

It follows from this property that the marking $m(t)$ of a stochastic PN is a homogeneous Markov process, so a homogeneous Markov chain can be associated with every SPN. The Markov chain isomorphic to the SPN is obtained from the graph of reachable markings: a state of the chain is associated with every reachable marking, and the transition rates of the chain are given by the property above. Note that there is no actual conflict in a SPN: since time is continuous, the probability that transitions $T_i$ and $T_j$ fire at exactly the same instant is zero. One way to analyse a (bounded) SPN is therefore to analyse its continuous-time, discrete-state Markov process. Let $T(m)$ denote the set of transitions enabled in $m$. If $T_k \in T(m)$, the conditional probability that $T_k$ is the transition that fires from $m$ is

$$\Pr[T_k \text{ fires} \mid m] = \frac{\lambda_k(m)}{\sum_{j : T_j \in T(m)} \lambda_j(m)};$$

the dwelling time in $m$ follows an exponential law of rate $\lambda(m) = \sum_{j : T_j \in T(m)} \lambda_j(m)$, and the mean dwelling time in $m$ is $1/\lambda(m)$.
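The construction described in this section (enabling degree, firing, reachability graph, and the Markov chain read off from it) is small enough to execute. The block below is an added example, not code from the chapter or from the SPNOZ tool chain: it represents the 8-tuple $(P, T, Pre, Post, C, Ih, R, m_0)$ as plain Python data, computes $q$ from the Property, and builds the generator matrix of the continuous-time Markov chain with rates $\lambda_j(m) = q \cdot \lambda_j$. The net itself is a constructed toy (two machines and one repair crew), not the IMC model of Figure 10. Assumptions beyond the text: rate expressions are constants, a transition with no input places is treated as 1-enabled, and capacities and inhibitor arcs are treated as enabling conditions rather than as part of the degree $q$.

```python
"""Stochastic Petri net -> reachability graph -> CTMC generator (added example)."""
from collections import deque
from fractions import Fraction

# --- The SPN 8-tuple (P, T, Pre, Post, C, Ih, R, m0) as plain Python data. ---
# Constructed toy net (not the chapter's IMC model): two machines and one
# repair crew.  "fail" takes an idle machine to Failed; "repair" needs a failed
# machine and the crew and returns both.  Rates are Fractions so that results
# are exact rather than floating point.
P = ("Idle", "Failed", "Crew")
T = ("fail", "repair")
Pre = {("Idle", "fail"): 1, ("Failed", "repair"): 1, ("Crew", "repair"): 1}
Post = {("Failed", "fail"): 1, ("Idle", "repair"): 1, ("Crew", "repair"): 1}
C = {}                                   # capacity per place; absent = infinity
Ih = {}                                  # k-inhibitor arcs {(place, trans): k}; none here
R = {"fail": Fraction(1, 10), "repair": Fraction(1)}   # constant rate lambda_j
m0 = (2, 0, 1)                           # initial marking, same order as P
INF = float("inf")


def enabling_degree(m, t):
    """q with q <= min_{Pi in preset(t)} m(Pi)/Pre(Pi,t) < q+1 (the Property).
    Returns 0 when an inhibitor arc or a place capacity blocks t.
    Assumption: a transition without input places counts as 1-enabled."""
    marking = dict(zip(P, m))
    inputs = [(p, w) for (p, tt), w in Pre.items() if tt == t]
    q = min(marking[p] // w for p, w in inputs) if inputs else 1
    for (p, tt), k in Ih.items():        # k-inhibitor: blocked if m(p) >= k
        if tt == t and marking[p] >= k:
            return 0
    for (p, tt), w in Post.items():      # capacity: one firing must fit in C(p)
        if tt == t and marking[p] - Pre.get((p, t), 0) + w > C.get(p, INF):
            return 0
    return q


def fire(m, t):
    """m' = m - Pre(., t) + Post(., t)."""
    return tuple(x - Pre.get((p, t), 0) + Post.get((p, t), 0) for p, x in zip(P, m))


def enabled(m):
    """T(m): transitions enabled in marking m."""
    return [t for t in T if enabling_degree(m, t) > 0]


def firing_rate(m, t):
    """lambda_t(m) = q * lambda_t."""
    return enabling_degree(m, t) * R[t]


def reachability_graph(limit=10_000):
    """Breadth-first exploration from m0.  Returns (states, edges) where
    edges[(i, t)] = j means firing t in states[i] gives states[j].
    Raises if more than `limit` markings are found (the net may be unbounded)."""
    states, index, edges = [m0], {m0: 0}, {}
    todo = deque([m0])
    while todo:
        m = todo.popleft()
        for t in enabled(m):
            m2 = fire(m, t)
            if m2 not in index:
                if len(states) >= limit:
                    raise RuntimeError("more than %d markings; net unbounded?" % limit)
                index[m2] = len(states)
                states.append(m2)
                todo.append(m2)
            edges[(index[m], t)] = index[m2]
    return states, edges


def ctmc_generator():
    """Generator matrix Q of the Markov chain isomorphic to the reachability
    graph: Q[i][j] = sum of lambda_t(m_i) over firings i -> j, Q[i][i] = -lambda(m_i)."""
    states, edges = reachability_graph()
    n = len(states)
    Q = [[Fraction(0)] * n for _ in range(n)]
    for (i, t), j in edges.items():
        rate = firing_rate(states[i], t)
        Q[i][j] += rate
        Q[i][i] -= rate
    return states, Q


def firing_probabilities(m):
    """Pr[T_k fires | m] = lambda_k(m) / lambda(m); empty dict if m is absorbing."""
    en = enabled(m)
    total = sum(firing_rate(m, t) for t in en)
    return {t: firing_rate(m, t) / total for t in en}


def mean_dwelling_time(m):
    """1 / lambda(m); infinite for an absorbing marking."""
    total = sum(firing_rate(m, t) for t in enabled(m))
    return INF if total == 0 else 1 / total


if __name__ == "__main__":
    states, Q = ctmc_generator()
    for i, m in enumerate(states):
        print(m, [str(x) for x in Q[i]], "mean dwell", mean_dwelling_time(m),
              {t: str(p) for t, p in firing_probabilities(m).items()})
```

Running the block prints the three reachable markings with their generator rows. In marking (1, 1, 1) both transitions are enabled, so the chain leaves it at rate 11/10; the repair wins the race with probability 10/11, matching the conditional firing probability formula above. The `limit` guard in `reachability_graph` is what a practitioner needs in practice: the Markov-chain approach is only valid for a bounded net, and an unbounded one would otherwise make the exploration run forever.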
