Proving properties of real-time systems through logical specifications and Petri net models

M. Felder, D. Mandrioli, A. Morzenti
1994 IEEE Transactions on Software Engineering
The problem of formally analyzing properties of real-time systems is addressed. A method is proposed that allows specifying system properties in the TRIO language (an extension of temporal logic suitable to deal explicitly with the "time" variable and to measure it) and modeling the system as a timed Petri net. It is argued that such an approach is more general than analyzing program properties. The proof method is based on an axiomatization of timed Petri nets in terms of TRIO, so that their properties can be derived as suitable theorems, in much the same spirit as classical Hoare's method allows proving properties of programs coded in a Pascal-like language. The method is then exemplified through two classical "benchmarks" of the literature on concurrent and real-time systems, namely an elevator system and the dining philosophers problem. A thorough review of the related literature and a comparison thereof with the new method is also provided. Possible alternative methods, theoretical extensions, and practical applications are briefly discussed.

highest reliability requirements, so that they could strongly benefit from rigorous analysis of their properties. Rather recently, a number of models have been developed for the formal description and analysis of real-time systems. Among them, we focus our attention here on Petri nets [79, 84] and temporal logic [81]. Both formalisms, in their original formulation, have proved quite effective for the analysis of concurrent systems, but they do not deal explicitly and quantitatively with time, which makes them unsuitable for modeling and specifying strict real-time systems. It has been possible, however, to extend them in such a way as to overcome this (and other) drawbacks. For instance, Petri nets have been augmented in several ways to allow the description of time-dependent phenomena [66, 98, 48, 35]; TRIO [71, 37] and [54, 55, 76] are examples of extensions of pure temporal logic in the same direction. As for system property analysis, its power and difficulty depend heavily on the formalism chosen as the system model. For instance, finite state machines are quite simple to use as a model and their properties are, in general, easy to prove, but they often turn out to be far too simple to describe complex systems adequately and in detail.
Petri nets are certainly a richer model of concurrent systems, but most of their properties (say, reachability or liveness) are of intractable computational complexity or even undecidable. Things are even worse when the formalism is extended to cope with time or in other ways (in most cases extended Petri nets reach the computational power of Turing machines). In general, the present methods, whether algorithmic or not, for performing system analysis on the basis of Petri net models are not yet quite satisfactory: either they are ad hoc methods that analyze a specific property in terms of a specialized model (for instance, [10, 11] provide an algorithm to build the reachability graph of Timed Petri nets), or they are computationally intractable, or, when the property to be analyzed is undecidable, there is no systematic method to guide the human derivation of the proof. Recently, a few proposals have appeared in the literature suggesting proof methods for concurrent systems that are modelled in terms of Petri nets or other operational formalisms. [91] specifies the properties of a system modeled by a bounded Petri net in terms of temporal logic; such properties are then proved by building regular expressions. The method is exemplified through the classical alternating bit protocol. [76] introduces finite state automata augmented with time and with predicates on system variables, in order to describe real-life systems adequately in an operational way. He then defines a language suitable for describing their properties in a temporal logic framework and proposes a method to prove such properties. [33] does a similar job with an operational formalism that is strongly based on Petri nets. These approaches somewhat complement earlier literature that followed Hoare's method for the analysis of sequential programs more closely.
Among these, let us mention [47, 77, 78, 8, 7], which are all based on proof rules associated with some programming language provided with concurrency constructs (monitors, guarded commands, remote procedure calls, etc.). Haase [43] (see also [32] for complements) performs a temporal analysis of programs based on Dijkstra's guarded commands.

2. Dist(β, x) ∧ (Dist(β, x) → Dist(α, x))    1, Ax2, MP, Ax9-10
3. Dist(α, x)    2, TAUT, MP
4. Alw(α)    3, GEN

An important corollary of TG is obtained by taking Γ = ∅. In this case TG reduces to: if α, then Alw(α). This corresponds to the intuitive fact that if property α is derived without making any assumption about the current time instant, then α holds at every time instant. Another consequence of TG is that any theorem τ of first-order logic is not only inherited as such in TRIO, but its temporal generalization Alw(τ) is also a theorem. For instance, Alw(α(t) → ∃z α(z)) holds because α(t) → ∃z α(z) is a theorem in any first-order logic; in the following we will make use of this theorem in TRIO proofs, referring to it as ∃-intro.
doi:10.1109/32.265634 fatcat:jmj6jga7xrha5o733bwbrgsnbi