**2.1. Definition and behavior**

A time Petri net [14] is a Petri net augmented with time intervals associated with transitions. Among the different semantics proposed for time Petri nets [18], here we focus on the classical one, called intermediate semantics in [18], in the context of mono-server and strong-semantics [7].

Formally, a *TPN* is a tuple (*P*, *T*, *Pre*, *Post*, *M*0, *Is*) where:





In a controllable time Petri net, transitions are partitioned into controllable and uncontrollable transitions, denoted *Tc* and *Tu*, respectively (with *Tc* ∩ *Tu* = ∅ and *T* = *Tc* ∪ *Tu*). For the sake of simplicity and clarification, in this manuscript the controllable transitions are depicted as white bars, while the uncontrollable ones as black bars.

<sup>A</sup> *TPN*, is called bounded if for every reachable marking *<sup>M</sup>*, there is a bound *<sup>b</sup>* <sup>∈</sup> **<sup>N</sup>***<sup>p</sup>* where *M* ≤ *b* holds. In this condition *p* stands for the number of places in *P*.

Let *M* be a marking and *t* a transition. Transition *t* is enabled for *M* iff all required tokens for firing *t* are present in *M*, i.e., ∀*p* ∈ *P*, *M*(*p*) ≥ *Pre*(*p*, *t*). In this case, the firing of *t* leads to the marking *M*� defined by: ∀*p* ∈ *P*, *M*� (*p*) = *M*(*p*) − *Pre*(*p*, *t*) + *Post*(*p*, *t*). We denote *En*(*M*) the set of transitions enabled for *M*:

2 Will-be-set-by-IN-TECH

are based on computing controllable predecessors of abstract states (state zones). This computation involves some expensive operations such as computing differences between

In this chapter, we discuss an efficient approach to check whether a safety / reachability controller in time Petri nets exists or not [13]. Our approach is a completely forward on-the-fly algorithm based on the state class graph method. Unlike approaches proposed in [10, 11, 20] based on the state zone graph method, our approach does not need to compute controllable predecessors. It consists of exploring the state class graph while extracting sequences leading to undesired states and determining subclasses to be avoided. The state class graph is a suitable choice for the forward on-the-fly exploration. Using the state class graph method, the exploration algorithm converges fast and does not need any over-approximation operation to

This chapter is organized as follows: The definition of time Petri nets and its semantics as well as the state graph method come in Section 2. In Section 3, after a short survey on the control theory, previous algorithms and related work are discussed. The algorithm proposed in this chapter is developed in Section 4. Finally, Section 5 presents the conclusion and future work.

A time Petri net [14] is a Petri net augmented with time intervals associated with transitions. Among the different semantics proposed for time Petri nets [18], here we focus on the classical one, called intermediate semantics in [18], in the context of mono-server and strong-semantics



In a controllable time Petri net, transitions are partitioned into controllable and uncontrollable transitions, denoted *Tc* and *Tu*, respectively (with *Tc* ∩ *Tu* = ∅ and *T* = *Tc* ∪ *Tu*). For the sake of simplicity and clarification, in this manuscript the controllable transitions are depicted as

<sup>A</sup> *TPN*, is called bounded if for every reachable marking *<sup>M</sup>*, there is a bound *<sup>b</sup>* <sup>∈</sup> **<sup>N</sup>***<sup>p</sup>* where

Let *M* be a marking and *t* a transition. Transition *t* is enabled for *M* iff all required tokens for firing *t* are present in *M*, i.e., ∀*p* ∈ *P*, *M*(*p*) ≥ *Pre*(*p*, *t*). In this case, the firing of *t* leads to the

abstract states (state zones).

enforce the convergence.

**2. Time Petri nets**

[7].

**2.1. Definition and behavior**

**N**, **N** is the set of nonnegative integers), - *M*<sup>0</sup> is the initial marking (*M*<sup>0</sup> : *P* → **N**), and

maximum firing delays of *t*.

Formally, a *TPN* is a tuple (*P*, *T*, *Pre*, *Post*, *M*0, *Is*) where:

white bars, while the uncontrollable ones as black bars.

*M* ≤ *b* holds. In this condition *p* stands for the number of places in *P*.


$$\operatorname{En}(M) = t \in T | \forall p \in \operatorname{P}\_{\prime} \operatorname{Pre}(p, t) \le M(p). \tag{1}$$

For *t* ∈ *En*(*M*), we denote *CF*(*M*,*t*) the set of transitions enabled in *M* but in conflict with *t*:

$$\text{CF}(M, t) = t' \in \text{En}(M) | t' = t \vee \exists p \in P, M(p) < P \text{re}(p, t') + P \text{re}(p, t). \tag{2}$$

Let *t* ∈ *En*(*M*) and *M*� the successor marking of *M* by *t*, a transition *t* � is said to be newly enabled in *M*� iff *t* � is not enabled in the intermediate marking (i.e., *M* − *Pre*(., *t*)) or *t*� = *t*. We denote *New*(*M*� , *t*) the set of transitions newly enabled *M*� , by firing *t* from *M*:

$$New(M',t) = \{ t' \in En(M') | t = t' \lor \exists p \in P, M'(p) - Post(p,t) < Pre(p,t') \}.\tag{3}$$

There are two known characterizations for the TPN state. The first one, based on clocks, associates with each transition *ti* of the model a *clock* to measure the time elapsed since *ti* became enabled most recently. The TPN clock state is a couple (*M*, *ν*), where M is a marking and *<sup>ν</sup>* is a clock valuation function, *<sup>ν</sup>* : *En*(*M*) <sup>→</sup> **<sup>R</sup>**+. For a clock state (*M*, *<sup>ν</sup>*) and *ti* <sup>∈</sup> *En*(*M*), *ν*(*ti*) is the value of the clock associated with transition *ti*. The initial clock state is *q*<sup>0</sup> = (*M*0, *ν*0) where *ν*0(*ti*) = 0, for all *ti* ∈ *En*(*M*0). The TPN clock state evolves either by time progression or by firing transitions. When a transition *ti* becomes enabled, its clock is initialized to zero. The value of this clock increases synchronously with time until *ti* is fired or disabled by the firing of another transition. *ti* can fire, if the value of its clock is inside its static firing interval *Is*(*ti*). It must be fired immediately, without any additional delay, when the clock reaches ↑ *Is*(*ti*). The firing of a transition takes no time, but may lead to another marking (required tokens disappear while produced ones appear).

Let *<sup>q</sup>* = (*M*, *<sup>ν</sup>*) and *<sup>q</sup>*<sup>0</sup> = (*M*0, *<sup>ν</sup>*0) be two clock states of the TPN model, *<sup>θ</sup>* <sup>∈</sup> **<sup>R</sup>**<sup>+</sup> and *tf* ∈ *T*. We write *q θ* → *q*� , also denoted *q* + *θ*, iff state *q*� is reachable from state *q* after a time progression of *θ* time units, i.e.:

$$\bigwedge\_{t' \in \operatorname{En}(M)} \nu(t) + \theta \le \uparrow Id(t\_i),\\M' = M,\\ \operatorname{and} \forall t\_j \in \operatorname{En}(M'),\\ \nu'(t\_j) = \nu(t\_j) + \theta. \tag{4}$$

We write *q tf* → *q*� iff state *q*� is immediately reachable from state *q* by firing transition *tf* , i.e.: *tf* ∈ *En*(*M*), *ν*(*tf*) ≥↓ *Is*(*tf*), ∀*p* ∈ *P*, *M*� (*p*) = *M*(*p*) − *Pre*(*p*, *tf*) + *Post*(*p*, *tf*), and ∀*ti* ∈ *En*(*M*� ), *ν*� (*ti*) = 0, if *ti* ∈ *New*(*M*� , *tf*), *ν*� (*ti*) = *ν*(*ti*) otherwise.

The second characterization, based on intervals, defines the TPN state as a marking and a function which associates with each enabled transition the time interval in which the transition can fire [5].

The TPN state is defined as a pair (*M*, *Id*), where *M* is a marking and *Id* is a firing interval function (*Id* : *En*(*M*) <sup>→</sup> **<sup>Q</sup>**<sup>+</sup> <sup>×</sup> (**Q**<sup>+</sup> ∪ {∞})). The initial state is (*M*0, *Id*0) where *<sup>M</sup>*<sup>0</sup> is the initial marking and *Id*0(*t*) = *Is*(*t*), for *t* ∈ *En*(*M*0).

Let (*M*, *Id*) and (*M*� , *Id*� ) be two states of the TPN model, *<sup>θ</sup>* <sup>∈</sup> **<sup>R</sup>**<sup>+</sup> and *<sup>t</sup>* <sup>∈</sup> *<sup>T</sup>*. The transition relation −→ over states is defined as follows:


of each enabled transition for *M* is represented by a variable with the same name. The domain of *FZ* is convex and has a unique canonical form represented by the pair (*M*, *Z*), where *Z* is a DBM of order <sup>|</sup>*En*(*M*) ∪ {*o*} defined by: <sup>∀</sup>(*x*, *<sup>y</sup>*) <sup>∈</sup> (*En*(*M*) ∪ {*o*})2, *zxy* <sup>=</sup> *SupFZ*(*<sup>x</sup>* <sup>−</sup> *<sup>y</sup>*),

A Forward On-The-Fly Approach in Controller Synthesis of Time Petri Nets 443

The initial state zone is the pair *β*<sup>0</sup> = (*M*0, *FZ*0), where *M*<sup>0</sup> is the initial marking and *FZ*<sup>0</sup> =

As an example, consider the TPN given in [11] and reported at Figure 1, its state zone graph

In this document, we consider the state class method and study the possibility to enforce the behavior of a given TPN so that to satisfy a safety / reachability property. The idea is to construct on-the-fly the reachable state classes of the TPN while collecting progressively firing

In the state class graph method [4], all states reachable by the same firing sequence from the initial state are agglomerated in the same node and considered modulo the relation of equivalence defined by: Two sets of states are equivalent iff they have the same marking and the same firing domain. The firing domain of a set of states is the union of the firing domains of its states. All equivalent sets are agglomerated in the same node called a *state class* defined as a pair *α* = (*M*, *F*), where *M* is a marking and *F* is a formula which characterizes the firing domain of *α*. For each transition *ti* enabled in *M*, there is a variable *ti*, in *F*, representing its firing delay. *<sup>F</sup>* can be rewritten as a set of atomic constraints of the form1: *ti* <sup>−</sup> *tj* <sup>≤</sup> *<sup>c</sup>*, *ti* <sup>≤</sup> *<sup>c</sup>* or

−*tj* ≤ *c*, where *ti*, *tj* are transitions, *c* ∈ **Q** ∪ {∞} and **Q** is the set of rational numbers.

Though the same domain may be expressed by different conjunctions of atomic constraints (i.e., different formulas), all equivalent formulas have a unique form, called canonical form that is usually encoded by a difference bound matrix (DBM) [3]. The canonical form of *F* is encoded by the DBM *D* (a square matrix) of order |*En*(*M*)| + 1 defined by: ∀*ti*, *tj* ∈ *En*(*M*) ∪ {*t*0}, *dij* = (≤, *SupF*(*ti* − *tj*)), where *t*<sup>0</sup> (*t*<sup>0</sup> ∈/ *T*) represents a fictitious transition whose delay is always equal to 0 and *SupF*(*ti* − *tj*) is the largest value of *ti* − *tj* in the domain of *F*. Its computation is based on the shortest path *Floyd-Warshall*'s algorithm and is considered as the most costly operation (cubic in the number of variables in *F*). The canonical form of a DBM makes easier some operations over formulas like the test of equivalence. Two formulas are

Let *α* = (*M*, *F*) be a state class and *tf* a transition and *succ*(*α*, *tf*) the set of states defined by:

*succ*(*α*, *tf*) = {*q*� ∈Q|∃*<sup>q</sup>* <sup>∈</sup> *<sup>α</sup>*, <sup>∃</sup>*<sup>θ</sup>* <sup>∈</sup> **<sup>R</sup>**<sup>+</sup> s.t. *<sup>q</sup>*

*ti*∈*En*(*M*0)

*θ* −→ *q* + *θ*

↓ *Is*(*ti*) ≤ *ti* ≤↑ *Is*(*ti*).

*tf* −→ *q*�

} (5)

where *o* represents the value 0. State zones of the ZBG are in relaxed form.

*Is*(*tu*).

is reported at Figure 2 and its state zones are reported in Table 1.

subintervals to be avoided so that to satisfy the properties of interest.

equivalent iff the canonical forms of their DBMs are identical.

The initial state class is *α*<sup>0</sup> = (*M*0, *F*0), where *F*<sup>0</sup> =

<sup>1</sup> For economy of notation, we use operator <sup>≤</sup> even if *<sup>c</sup>* <sup>=</sup> <sup>∞</sup>.

 *ti*,*tj*∈*En*(*M*0)

0 ≤ *ti* = *tj* ≤ ↑

**2.3. The state class graph method**

*tu*∈*En*(*M*0)

∀*t*�� ∈ *En*(*M*� (*t*��)=[*Max*(↓ *Id*(*t*��) − *θ*, 0), ↑ *Id*(*t*��) − *θ*]. - (*M*, *Id*) *<sup>t</sup>* −→ (*M*� , *Id*� ) iff the state (*M*� , *Id*� ) is reachable from state (*M*, *Id*) by firing immediately transition *t* , i.e., *t* ∈ *En*(*M*), ↓ *Id*(*t*) = 0, ∀*p* ∈ *P*, *M*� (*p*) = *M*(*p*) − *Pre*(*p*, *t*) + *Post*(*p*, *t*), and ∀*t*� ∈ *En*(*M*� ), *Id*� (*t*� ) = *Is*(*t*� ), if *t* � ∈ *New*(*M*� , *t*), *Id*� (*t*� ) = *Id*(*t*� ), otherwise.

The TPN state space is the structure (Q, −→, *q*0), where *q*<sup>0</sup> = (*M*0, *Id*0) is the initial state of the TPN and <sup>Q</sup> <sup>=</sup> {*q*|*q*<sup>0</sup> <sup>∗</sup> −→ *<sup>q</sup>*}( <sup>∗</sup> −→ being the reflexive and transitive closure of the relation −→ defined above) is the set of reachable states of the model.

A *run* in the TPN state space (Q, −→, *q*0), of a state *q* ∈ Q, is a maximal sequence *ρ* = *q*<sup>1</sup> *θ*1 −→ *q*<sup>1</sup> + *θ*<sup>1</sup> *<sup>t</sup>*<sup>1</sup> −→ *<sup>q</sup>*<sup>2</sup> *<sup>θ</sup>*<sup>2</sup> −→ *<sup>q</sup>*<sup>2</sup> <sup>+</sup> *<sup>θ</sup>*<sup>2</sup> *<sup>t</sup>*<sup>2</sup> −→ *<sup>q</sup>*3..., such that *<sup>q</sup>*<sup>1</sup> <sup>=</sup> *<sup>q</sup>*. By convention, for any state *qi*, relation *qi* 0 → *qi* holds. The sequence *θ*1*t*1*θ*2*t*2... is called the timed trace of *ρ*. The sequence *t*1*t*2... is called the firing sequence (untimed trace) of *ρ*. A marking *M* is reachable iff ∃*q* ∈ Q s.t. its marking is *M*. Runs (resp. timed / untimed traces) of the TPN are all runs (resp. timed / untimed traces) of the initial state *q*0.

To use enumerative analysis techniques with time Petri nets, an extra effort is required to abstract their generally infinite state spaces. Abstraction techniques aim to construct by removing some irrelevant details, a finite contraction of the state space of the model, which preserves properties of interest. For best performances, the contraction should also be the smallest possible and computed with minor resources too (time and space). The preserved properties are usually verified using standard analysis techniques on the abstractions [16].

Several state space abstraction methods have been proposed, in the literature, for time Petri nets like the *state class graph (SCG)* [4], the *zone based graph (ZBG)* [6], and etc. These abstractions may differ mainly in the characterization of states (interval states or clock states), the agglomeration criteria of states, the representation of the agglomerated states (abstract states), the kind of properties they preserve (markings, linear or branching properties) and their size.

These abstractions are finite for all bounded time Petri nets. However, if only linear properties are of interest, abstractions based on clocks are less interesting than the interval based abstractions. Indeed, abstractions based on intervals are finite for bounded TPN with unbounded intervals, while this is not true for abstraction based on clocks. The finiteness is enforced using an approximation operation, which may involve some overhead computation.
