Time Petri Nets Analysis with TINA
Bernard Berthomieu and François Vernadat
LAAS / CNRS
7 avenue du Colonel Roche, 31077 Toulouse, France
Telephone: +33/(0) 5 61 33 63 00
Fax: +33/(0) 5 61 33 64 11
Abstract— Besides the usual graphic editing and simulation facilities, the software tool Tina may build a number of state space abstractions for Petri nets or Time Petri nets, preserving certain classes of properties. For Petri nets, these abstractions help prevent combinatorial explosion and rely on so-called partial order techniques such as covering steps and/or persistent sets. For Time Petri nets, which in general have infinite state spaces, they provide a finite representation of their behavior, in terms of state class graphs.

I. INTRODUCTION

Tina (TIme Petri Net Analyzer, [Link]) is a software environment to edit and analyze Petri Nets and Time Petri Nets. This paper overviews its capabilities, architecture, and main applications. More details can be found in [1].

Time Petri nets [2] are one of the most widely used models for the specification and verification of real-time systems. They extend Petri nets with temporal intervals associated with transitions, specifying firing delay ranges for the transitions.

In addition to the usual editing and analysis facilities of similar environments, Tina offers various abstract state space constructions that preserve specific classes of properties of the state spaces of nets, like absence of deadlocks, linear time temporal properties, or bisimilarity. For untimed systems, abstract state spaces help to prevent combinatorial explosion. For timed systems, abstractions are mandatory as their state spaces are typically infinite; Tina implements various abstractions based on state classes.

Tina accepts input in graphical or textual formats, including (an XML based exchange format for Petri nets). Transition system outputs can be produced in a number of textual or binary formats, for external checkers.

II. CONSTRUCTIONS

a) Classical methods: A first group of tools provided by Tina implement “classical” constructions and methods for Petri nets: reachability graphs, coverability graphs (determining unbounded places) and structural analysis (invariants).

b) Partial order abstractions: A second group of tools implement so-called “partial-order” reduction techniques, aimed at preventing combinatorial explosion due to representation of parallelism by interleaving. Two families of methods are provided. The first, based on “stubborn”, or “persistent”, sets, consists, under certain conditions, of exploring only one path among all equivalent possible paths w.r.t. the class of properties to be preserved. The second implements the “covering steps” technique, in which one fires “steps”, or sets of independent transitions fired simultaneously, rather than simple transitions. These techniques preserve deadlock freeness, and, under certain conditions, the linear structure of state spaces. Combining these two techniques yields the method of persistent steps [3].

c) State class graphs: The last group of constructions concerns Time Petri nets. The state spaces of Time Petri nets are in general infinite; state space abstractions for TPN’s preserving various classes of properties can be computed in terms of so-called state classes [4] [5] [6]. State classes group possibly infinite sets of states, represented by a marking and a polyhedron capturing temporal information.

Different state class constructions are available, preserving different families of properties of the state space. The well known State class graph construction of [4] [5] preserves markings of the TPN and all its properties one can express in linear time temporal logics like . Two more recent constructions, explained in [6], are also supported: the Strong state classes graph preserving the states (a state associates a marking with time information for the enabled transitions) and properties, and the Atomic state class graph, preserving states and bisimilarity with the state graph.

Realtime properties, like those expressed in logic are checked using the standard technique of observers. The technique is applicable to a large class of realtime properties and can be used to analyze most of the “timeliness” requirements found in practice. An alternative is provided by path analysis, for which Tina provides a dedicated tool, plan, able to compute all firing schedules over some firing sequence.

III. MODEL-CHECKING

Tina can present its results in a variety of formats, understood by model checkers like MEC [7], a -calculus formula checker, or behavior equivalence checkers like Bcg, part of the CADP toolset [8]. In addition, several model-checkers are being developed specifically for Tina. The first available, selt, is a model-checker for an enriched version of !" [9], a linear time temporal logic supporting both state and transition properties. The logic is rich enough to encode marking invariants like #%$'&)(+*%&-,/.0 ,21 . For the properties found false, a timed counter example is computed and can be replayed by the simulator.
IV. ARCHITECTURE

The functional architecture of Tina is shown in Figure 1. The kernel of Tina is the exploration engine, parameterized by the class of properties to be preserved.

Fig. 1. TINA Architecture

The front-ends convert models into internal representation (abstract timed transition systems). An abstract 3 is available, so that users wishing to use Tina for analyzing their specific models can develop their own front-end. That 3 abstractly implements a class of “Time Predicate/Action nets”, adding to TPN’s the capabilities of manipulating data.

Similarly, several back-ends convert the Kripke transition systems obtained as the result of the various constructions into physical representations readable by the proprietary or external model checkers and transition system analyzers.

A screen snapshot of a typical Tina session is shown in Figure 2, showing a TPN being edited and its state class graph in verbose and graphical representations.

Fig. 2. TINA Screen snapshot

V. PROJECTS

The Tina toolbox is currently used in several industrial projects such as TOPCASED (Toolkit in OPen-source for Critical Application & SystEms Development, [Link]) and OpenEmbeDD. TOPCASED proposes to build a toolkit for the development of real time embedded systems, from specification to implementation, including formal verification, in an integrated “Model Driven Engineering” approach. OpenEmbeDD is a national RNTL project also promoting an MDE approach, addressing the different aspects of the design process of real time embedded software. SPICES - an ITEA project - focuses on AADL (Architecture and Analysis Description Language) descriptions.

VI. PROSPECTIVE

A number of developments are ongoing for Tina, concerning new tools, new front-ends, and new back-ends. A -calculus model checker is in progress, as well as a version of selt operating “on-the-fly”. New front-ends are scheduled, notably for 4 5" 76 68 and a realtime language developed within project TOPCASED.

Addition to Time Petri nets of suspension/resumption of actions, of a great value for modeling scheduled real-time systems, has been investigated by several authors, notably [10], [11]. A major extension of Tina that will support such features is being experimented, based on the “Stopwatch Time Petri Nets” described in [12].

REFERENCES

[1] B. Berthomieu, P.-O. Ribet, and F. Vernadat, “The tool TINA – construction of abstract state spaces for Petri nets and time Petri nets,” Int. J. of Production Research, vol. 42, no. 14, pp. 2741–2756, 15 July 2004.
[2] P. M. Merlin and D. J. Farber, “Recoverability of communication protocols: Implications of a theoretical study,” IEEE Tr. Comm., vol. 24, no. 9, pp. 1036–1043, Sept. 1976.
[3] P.-O. Ribet, F. Vernadat, and B. Berthomieu, “On combining the persistent sets method with the covering steps graph method,” in Proc. of FORTE 2002, Springer LNCS 2529, 2002, pp. 344–359.
[4] B. Berthomieu and M. Menasche, “An enumerative approach for analyzing time Petri nets,” IFIP Congress Series, vol. 9, pp. 41–46, 1983.
[5] B. Berthomieu and M. Diaz, “Modeling and verification of time dependent systems using time Petri nets,” IEEE Trans. on Software Engineering, vol. 17, no. 3, pp. 259–273, 1991.
[6] B. Berthomieu and F. Vernadat, “State class constructions for branching analysis of time Petri nets,” in Proc. Tools and Algorithms for the Construction and Analysis of Systems, Springer LNCS 2619, 2003.
[7] A. Arnold, Systèmes de transitions finis et sémantique des processus communicants. Masson, Paris, 1974.
[8] J.-C. Fernandez, H. Garavel, R. Mateescu, L. Mounier, and M. Sighireanu, “Cadp, a protocol validation and verification toolbox,” in 8th Conf. Computer-Aided Verification, Springer LNCS 1102, 1996, pp. 437–440.
[9] S. Chaki, M. E, Clarke, J. Ouaknine, N. Sharygina, and N. Sinha, “State/event-based software model checking,” in 4th Int. Conf. on Integrated Formal Methods, Springer LNCS 2999, 2004, pp. 128–147.
[10] G. Bucci, A. Fedeli, L. Sassoli, and E. Vicario, “Time state space analysis of real-time preemptive systems,” IEEE Trans. on Software Engineering, vol. 30, no. 2, pp. 97–111, February 2004.
[11] D. Lime and O. H. Roux, “Expressiveness and analysis of scheduling extended time Petri nets,” in 5th IFAC Int. Conf. on Fieldbus Systems and their Applications. Elsevier Science, July 2003.
[12] B. Berthomieu, D. Lime, O. Roux, and F. Vernadat, “Reachability problems and abstract state spaces for time Petri nets with stopwatches,” Journal of Discrete Event Dynamic Systems, 2007 (to appear).