**4.3. SPNOZ semantics**

The semantic integration is made by translating both languages towards the same semantic domain. The semantic entity associated to a given class takes the form of a transition system, in two possible versions, timed or untimed. As the approach proposed in [10], rather thaninsert one language into the other produces their semantic integration by adopting a common semantic domain, i.e., transition systems. The semantic description of a SPNOZ class C consists in representing the set of computations that C can take. Computations are sequences of states subject to causal restrictions imposed by the structure and the elements of C. The state of class C, which we call a situation, is essentially a pair *s* = (*v*, *m*). Symbol *v* : *VC* → *D* denotes a estimation of all the variables of C, with *D* denoting the super domain where all the variables take values, each one according to its type. Symbol *m* represents a state configuration of the behavior Stochastic Petri Nets. A state configuration is a state that can be active multiple transitions. The initial situation *s*<sup>0</sup> = (*v*0, *m*0), is determined as follows. The initial valuation *v*<sup>0</sup> is a valuation that satisfies the predicates of the INIT scheme. Variables that do not appear in the INIT scheme usually are given default values *m*<sup>0</sup> is the initial state configuration. The basic evolution stage is the situation change, called firing, which we describe now. Step *i* + 1 takes the system from situation *i* to situation *i* + 1 and is noted

**Figure 13.** IMC-Part system specification based on SPNOZ syntax

45

Specifying and Verifying Holonic Multi-Agent Systems

Using Stochastic Petri Net and Object-Z: Application to Industrial Maintenance Organizations

Specifying and Verifying Holonic Multi-Agent Systems

18 Will-be-set-by-IN-TECH

of a behaviour schema, which includes a SPN. The IMC-Part class on Figure 13 specifies a part of the IMC system. The class IMC-Part includes an abbreviation declaration and the behaviour schema which containing SPN. The state system is presented with class schema IMC-Part. In the initial state, all the MMT are available and the spare parts stock level is at its maximum (*m*

In Figure 13, transitions in dotted lines (T1, T2, T"1 and T"2) are transition that interact with

Formally, an SPNOZ class C is defined by giving a triple (*VC*, *BC*,*OC*). The set *VC* includes the variables of the class, as named in the state schema. *BC* is the behaviour SPN and *OC* is the set of operations of the class, the names of the operation schemas of the class. For the IMC-Part

*VIMC*−*Part* = {*S*, *tDMMT*1, *tDMMT*2, *tRepMMT*1, *tRepMMT*2, *tRepCMT*, *tSD*, *<sup>C</sup>*1, *<sup>C</sup>*2, *Cmin*1, *Cmin*2}

*OIMC*−*Part* = {*SelectTeam*1, *SelectTeam*2}

Operation Select Team1 and Select Team2 can select a mobile team to involve on a production site. This selection will be made according to predefines criteria (availability of MMT, the average time Displacement of MMT and his spare parts stock level). If a team meets the different criteria, it will be chosen and its associated SPN model will be instantiated with

and its associated model will be blocked (Pre(MTAi �→ *Ti*)=∞) and second team will be solicited. Finally, Select Team1 and Select Team2 expressions translate the fact that if the level of the inventories of MMTi teams with reached critical level, it will not have the possibility of

The semantic integration is made by translating both languages towards the same semantic domain. The semantic entity associated to a given class takes the form of a transition system, in two possible versions, timed or untimed. As the approach proposed in [10], rather thaninsert one language into the other produces their semantic integration by adopting a common semantic domain, i.e., transition systems. The semantic description of a SPNOZ class C consists in representing the set of computations that C can take. Computations are sequences of states subject to causal restrictions imposed by the structure and the elements of C. The state of class C, which we call a situation, is essentially a pair *s* = (*v*, *m*). Symbol *v* : *VC* → *D* denotes a estimation of all the variables of C, with *D* denoting the super domain where all the variables take values, each one according to its type. Symbol *m* represents a state configuration of the behavior Stochastic Petri Nets. A state configuration is a state that can be active multiple transitions. The initial situation *s*<sup>0</sup> = (*v*0, *m*0), is determined as follows. The initial valuation *v*<sup>0</sup> is a valuation that satisfies the predicates of the INIT scheme. Variables that do not appear in the INIT scheme usually are given default values *m*<sup>0</sup> is the initial state configuration. The basic evolution stage is the situation change, called firing, which we describe now. Step *i* + 1 takes the system from situation *i* to situation *i* + 1 and is noted

intervening on any site of production (probably it will turn over to IMC).

*i* , *λ*��

*<sup>i</sup>* ). Otherwise MMT will not be selected

and *n*). The initial state is presented with Init\_IMC-Part schema.

MMT forwarding and Tasks Planning organizations.

different values for the new crossing rates (*λi*, *λ*�

*4.2.2. SPNOZ syntax*

class, variables and operations are:

**4.3. SPNOZ semantics**

**Figure 13.** IMC-Part system specification based on SPNOZ syntax

#### 20 Will-be-set-by-IN-TECH 46 Petri Nets – Manufacturing and Computer Science Specifying and Verifying Holonic Multi-Agent Systems Using Stochastic Petri Net and Object-Z: Application to Industrial Maintenance Organizations <sup>21</sup>

(*vi*, *mi*) *<sup>T</sup>*(*mi*) <sup>→</sup> (*vi*+1, *mi*<sup>+</sup>1) where *<sup>T</sup>*(*mi*) is the set of transitions activated at step *<sup>i</sup>*. (marking *mi*). The step occurs when at least one of the SPN's transitions is enable. To describe the situation transformation produced by a step, we adopt the formalism of transition systems, particularly the Mana and Pnueli notation style by means of predicates. With class C, we associate the transition system *Trsys* = (*V*, *φ*, *Tsys*). Symbol *V* = *VC* ∪ {*m*} represents the set of variables. Variable *m* takes value in the graph of markings. The states of the transition system *Trsys* are the situations of *C*, i.e., valuations of the variables in *V*. If *s* denote a state of *Trsys*, we simplify notation as follows: for all *v* ∈ *V*,*s*[*v*] denotes the value of *v* at *s*. Symbol *φ* represents the initial state predicate. Any valuation of *V* that satisfies *φ* is an initial state of the system: *s* is an initial state if *s*[*φ*] = *true* (where *s*[*φ*] denotes the valuation of formula *φ* from the value of its variables in *s*). Symbol *Tsys* = *TBC* ∪ *TOC* represents the set of transitions of PNOZ class where *TBC* represent the set of *PN* shown in behavior scheme of the class and *TOC* represent the set of transition generated from the operation liste *OC* of the class C. A transition *Ti* ∈ *Tsys* defines an elementary change of the state of the transition system. Such a change is described by a transition relation: *ρ<sup>i</sup>* = *V* × *V*� → {*TRUE*, *FALSE*}. To the set *V* of variable symbols we add the set *V*� of variable symbols decorated with a prime character ('). For any *x* ∈ *V*, an occurrence of symbol *x* in *ρ<sup>i</sup>* represents the valuation of *x* in the source state of transition *Ti* and an occurrence of *x*� the valuation of *x* in the destination state of *Ti*. The couple of states (*s*,*s*� ) can be a couple (source; destination) of transition *Ti* if *ρi*(*s*[*V*],*s*� [*V*� ]) = *true* , where *s*[*V*] denotes the valuation of unprimed variables in the state *s* and *s*� [*V*� ] the valuation of primed variables in state *s*� .

Concerning Timed transition system (TTS) associated to the SPNOZ class C, from the transition system the transition system *Trsys* = (*V*, *φ*, *Tsys*) previously defined, we define *TTSsys* = (*V<sup>t</sup>* , *φ<sup>t</sup>* , *T<sup>t</sup> sys*) obtained as follows: (a) Augment variables set V with time variable t;*V<sup>t</sup>* <sup>=</sup> *<sup>V</sup>* ∪ {*t*} which takes value in some totally ordered set with a lowest bound. Typically, **N** (the natural integers) is used to model discrete time and **R**<sup>+</sup> to model dense time, (b) Let *<sup>φ</sup><sup>t</sup>* <sup>=</sup> *<sup>φ</sup>* <sup>∧</sup> (*<sup>t</sup>* <sup>=</sup> <sup>0</sup>), (c) For each transition *Ti* <sup>∈</sup> *<sup>T</sup><sup>t</sup> sys*, add a variable that represents the real-time in the system. Next, we define the set of computations that a timed transition system can yield,

which is to be considered as the timed semantics of a SPNOZ classes. We note *mi* → *Ti mi*<sup>+</sup><sup>1</sup> to assert that the transition system goes from state *mi* to state *mi*<sup>+</sup><sup>1</sup> by means of transition *Ti* and take time *t* = 1/*λi*, (with *λ<sup>i</sup>* : firing rate of *Ti*). We define a finite macro-step to be a finite succession *<sup>m</sup>*0, *<sup>m</sup>*1,..., *mn* of state that: (a) *<sup>m</sup>*<sup>0</sup> <sup>|</sup><sup>=</sup> *<sup>φ</sup><sup>t</sup>* , (b) For every state *mi* of *TTSsys*, there is a transition *Ti* <sup>∈</sup> *<sup>T</sup><sup>t</sup> sys* such that *mi* |= *Pre*(*Ti*) and *mi* |= *Post*(*Ti*) and *t* = 1/*λi*.

In [19], more details about the full semantic integration is presented.

#### **4.4. Validation and simulation of SPNOZ specification**

SALenv contains a symbolic model checker called sal-smc allows users to specify properties in Linear Temporal Logic (LTL), and Computation Tree Logic (CTL). However, in the current version, SALenv does not print counter examples for CTL properties. When users specify an invalid property in LTL, a counter example is produced. LTL formulas state properties about each linear path induced by a module. For instance, the formula G(p⇒F(q)) states that whenever p holds, q will eventually hold. The formula G(F(p)) states that p often holds infinitely. The example illustrated by Figure 14 shows some properties of the system written in the form of theorems with the LTL and CTL formulas. The SAL language includes the clause theorem for declaring that a property is valid with respect to a modeled system by a

**Figure 14.** SAL CONTEXT associated to the SPNOZ IMC

47

Specifying and Verifying Holonic Multi-Agent Systems

Using Stochastic Petri Net and Object-Z: Application to Industrial Maintenance Organizations

46 Petri Nets – Manufacturing and Computer Science Specifying and Verifying Holonic Multi-Agent Systems Using Stochastic Petri Net and Object-Z: Application to Industrial Maintenance Organizations <sup>21</sup> 47 Using Stochastic Petri Net and Object-Z: Application to Industrial Maintenance Organizations

**Figure 14.** SAL CONTEXT associated to the SPNOZ IMC

20 Will-be-set-by-IN-TECH

(*vi*, *mi*) *<sup>T</sup>*(*mi*) <sup>→</sup> (*vi*+1, *mi*<sup>+</sup>1) where *<sup>T</sup>*(*mi*) is the set of transitions activated at step *<sup>i</sup>*. (marking *mi*). The step occurs when at least one of the SPN's transitions is enable. To describe the situation transformation produced by a step, we adopt the formalism of transition systems, particularly the Mana and Pnueli notation style by means of predicates. With class C, we associate the transition system *Trsys* = (*V*, *φ*, *Tsys*). Symbol *V* = *VC* ∪ {*m*} represents the set of variables. Variable *m* takes value in the graph of markings. The states of the transition system *Trsys* are the situations of *C*, i.e., valuations of the variables in *V*. If *s* denote a state of *Trsys*, we simplify notation as follows: for all *v* ∈ *V*,*s*[*v*] denotes the value of *v* at *s*. Symbol *φ* represents the initial state predicate. Any valuation of *V* that satisfies *φ* is an initial state of the system: *s* is an initial state if *s*[*φ*] = *true* (where *s*[*φ*] denotes the valuation of formula *φ* from the value of its variables in *s*). Symbol *Tsys* = *TBC* ∪ *TOC* represents the set of transitions of PNOZ class where *TBC* represent the set of *PN* shown in behavior scheme of the class and *TOC* represent the set of transition generated from the operation liste *OC* of the class C. A transition *Ti* ∈ *Tsys* defines an elementary change of the state of the transition system. Such a change is described by a transition relation: *ρ<sup>i</sup>* = *V* × *V*� → {*TRUE*, *FALSE*}. To the set *V* of variable symbols we add the set *V*� of variable symbols decorated with a prime character ('). For any *x* ∈ *V*, an occurrence of symbol *x* in *ρ<sup>i</sup>* represents the valuation of *x* in the source state of transition *Ti* and an occurrence of *x*� the valuation of *x* in the destination state of *Ti*. The couple of states

[*V*�

*sys*, add a variable that represents the real-time

, (b) For every state *mi* of *TTSsys*, there is a

[*V*�

]) = *true* , where *s*[*V*]

*Ti mi*<sup>+</sup><sup>1</sup> to

] the valuation of primed

) can be a couple (source; destination) of transition *Ti* if *ρi*(*s*[*V*],*s*�

Concerning Timed transition system (TTS) associated to the SPNOZ class C, from the transition system the transition system *Trsys* = (*V*, *φ*, *Tsys*) previously defined, we define

t;*V<sup>t</sup>* <sup>=</sup> *<sup>V</sup>* ∪ {*t*} which takes value in some totally ordered set with a lowest bound. Typically, **N** (the natural integers) is used to model discrete time and **R**<sup>+</sup> to model dense time, (b) Let

in the system. Next, we define the set of computations that a timed transition system can yield,

assert that the transition system goes from state *mi* to state *mi*<sup>+</sup><sup>1</sup> by means of transition *Ti* and take time *t* = 1/*λi*, (with *λ<sup>i</sup>* : firing rate of *Ti*). We define a finite macro-step to be a finite

*sys* such that *mi* |= *Pre*(*Ti*) and *mi* |= *Post*(*Ti*) and *t* = 1/*λi*.

SALenv contains a symbolic model checker called sal-smc allows users to specify properties in Linear Temporal Logic (LTL), and Computation Tree Logic (CTL). However, in the current version, SALenv does not print counter examples for CTL properties. When users specify an invalid property in LTL, a counter example is produced. LTL formulas state properties about each linear path induced by a module. For instance, the formula G(p⇒F(q)) states that whenever p holds, q will eventually hold. The formula G(F(p)) states that p often holds infinitely. The example illustrated by Figure 14 shows some properties of the system written in the form of theorems with the LTL and CTL formulas. The SAL language includes the clause theorem for declaring that a property is valid with respect to a modeled system by a

which is to be considered as the timed semantics of a SPNOZ classes. We note *mi* →

*sys*) obtained as follows: (a) Augment variables set V with time variable

denotes the valuation of unprimed variables in the state *s* and *s*�

(*s*,*s*�

variables in state *s*�

*TTSsys* = (*V<sup>t</sup>*

transition *Ti* <sup>∈</sup> *<sup>T</sup><sup>t</sup>*

.

*<sup>φ</sup><sup>t</sup>* <sup>=</sup> *<sup>φ</sup>* <sup>∧</sup> (*<sup>t</sup>* <sup>=</sup> <sup>0</sup>), (c) For each transition *Ti* <sup>∈</sup> *<sup>T</sup><sup>t</sup>*

succession *<sup>m</sup>*0, *<sup>m</sup>*1,..., *mn* of state that: (a) *<sup>m</sup>*<sup>0</sup> <sup>|</sup><sup>=</sup> *<sup>φ</sup><sup>t</sup>*

In [19], more details about the full semantic integration is presented.

**4.4. Validation and simulation of SPNOZ specification**

, *φ<sup>t</sup>* , *T<sup>t</sup>* CONTEXT. The first theorem th1 can be interpreted as whenever the system in state S\_MTA and Select Team1 is true, transition holds, the system will probably in S\_MTPS state. The following command line is used:

**Author details** Belhassen Mazigh

**6. References**

Abdeljalil Abbas-Turki

Verlag, pp. 214-230.

Software, Elsevier Science.

Conference, Gatlinburg, USA.

Kingdom, 2nd Revised edition.

Man, and Cybernetics, IEEE 4, 2499-2504.

ESAW, LNAI (No. 1972), Springer Verlag.

[12] Koestler, A. (1967) The Ghost in the Machine, Hutchinson.

*Faculty of sciences, Department of Computer Sciences, 5000, Monastir, Tunisia*

*Laboratoire SET, Université de Technologie de Belfort Montbéliard, Belfort, France*

1991 Z User Meeting, Springer Verlag.

USA: Idea Group Publishing, Chap. IV, pp. 79-106.

Agent Oriented Software Engineering, 1(1), pp. 91-121.

[1] Arthan, R.D. (1992) On Free Type Definitions in Z, Published in the Proceedings of the

Using Stochastic Petri Net and Object-Z: Application to Industrial Maintenance Organizations

49

Specifying and Verifying Holonic Multi-Agent Systems

[2] Burckert, H.-J., Fischer, K., Vierke, G. (1998) Transportation scheduling with holonic MAS-the teletruck approach, Proceedings of the Third International Conference on

[3] Cossentino, M. (2005) From requirements to code with the PASSI methodology, In B. Henderson-Sellers & P. Giorgini (Eds.), Agent-oriented methodologies, Hershey, PA,

[4] Cossentino, M., Gaglio, S., Garro, A., Seidita, V. (2007) Method fragments for agent design methodologies: From standardization to research, In international Journal on

[5] Cossentino, M., Gaud, N., Hilaire, V., Galland, S., Koukam, A. (2010) ASPECS: an agent-oriented software process for engineering complex systems How to design agent

[6] Duke, R., Rose, G., Smith, G. (1995) Object-Z: A specification Language Advocated for Description of Standards, Technical report Software Verification Research Center,

[8] Gaud, N. (2007) Systèmes Multi-Agents Holoniques : de l'analyse à l'implantation,

[9] Gruer, J.P., Hilaire, V., Koukam, A. (2001) Multi-agent approach to modeling and simulation of urban transportation systems, IEEE International Conference on Systems,

[10] Gruer, P., Hilaire, V., Koukam, A., Rovarini, P. (2003) Heterogeneous formal specification based on Object-Z and statecharts: semantics and verification, In journal Systems and

[11] Hilaire, V., Koukam, A., Gruer, P., Müller, J.-P. (2000) Formal specification and prototyping of multi-agent systems, In A. Omicini, R. Tolksdorf, & F. Zambonelli (Eds.),

[13] Lebold, M., Thurston, M. (2001) Open standards for Condition-Based Maintenance and Prognostic Systems, In Proceedings Of 5th Annual Maintenance and Reliability

[14] Lightfoot, D. (2000) Formal Specification Using Z, Palgrave MacMillan, United

Practical Applications of Intelligent Agents and Multi-agent, pp. 577-590.

societies under a holonic perspective, Auton Agent Multi-Agent System.

Ph.D. thesis, Université de Technologie de Belfort-Montbéliard, France.

Departement of Computer Science, University of Queensland, AUSTRALIA. [7] Ferber, J., Gutknecht, O., Michel, F. (2004) From agents to organizations: an organizational view of multi-agent systems, In Agent-Oriented Software Engineering 4th International Workshop, volume 2935 of LNCS, Melbourne, Australia, Springer

./sal-smc IMC th1 proved.

SALenv also contains a Bounded Model Checker called sal-bmc. This model checker only supports LTL formulas, and it is basically used for refutation, although it can produce proofs by induction of safety properties. The following command line is used:

./sal-bmc IMC th1 no counterexample between depths [0, 10]

Remark: The default behavior is to look for counterexample up to depth 10. The option -depth=<num> can be used to control the depth of the search. The option -iterative forces the model checker to use iterative deepening, and it is useful to find the shortest counterexample for a given property. Before proving a liveness property, we must check if the transition relation is total, that is, if every state has at least one successor. The model checker may produce unsound result when the transition relation is not total. The totality property can be verified using the sal-deadlock-checker. The following command line is used:

/sal-deadlock-checker IMC IMC-Part Ok (module does NOT contain deadlock state).

The liveness theorem can be interpreted as always, the quantity of stock of piece is not null in the two teams. Now, we use sal-smc to check the property liveness with the following command line:

./sal-smc -v 3 IMC-Part liveness proved.

The Boundedness theorem can be interpreted as always, the state space system is bounded. Now, we use sal-bmc to check the property Boundedness with the following command line:

./sal-bmc IMC Boundedness no counterexample between depths [0, 10]
