Monitoring Distributed Systems using Knowledge

. In this paper, we use knowledge-based control theory to monitor global properties in a distributed system: we control the system so as to enforce that if a given global property is violated, at least one process knows this fact — and therefore may report it. Our approach uses knowledge properties which are precalculated based on model checking. As local knowledge is not always suﬃcient to monitor a global property in a concurrent system, we allow adding temporary synchronizations be-tween two or more processes to achieve suﬃcient knowledge. As such synchronizations are expensive, we aim at minimizing their number us-ing the knowledge analysis.


Introduction
The goal of this paper is to transform a distributed system such that it can detect and report violations of invariants. Such properties can be described by a predicate ψ on global states in distributed systems, which may express for example that the overall power in the system is below a certain threshold. When a violation is detected, some activity to adjust the situation may be triggered. There is no global observer that can decide whether a global state violating the given property ψ has been reached. On the other hand, the processes may not have locally enough information to decide this and thus need sometimes to communicate with each other to obtain more information.
Our solution for controlling a system to detect global failure is based on precalculating knowledge properties of the distributed system [5,12]. We first calculate in which local states a process has enough information to identify that ψ is violated: in each reachable global state in which ψ becomes false, at least one process must detect this situation. This process may then react, e.g. by informing the other processes or by launching some repair action. Furthermore, we do not want false alarms. Because of the way the execution of the program is distributed among the processes, and the limited information available in each process, there can be states where firing a transition t would lead to a state in which no process knows (alone) whether ψ has been violated. In that case, additional knowledge is necessary to fire t. We achieve this by adding synchronizations that allow temporarily combining the knowledge of a set of processes. To realize the synchronizations needed to achieve conditions for executing transitions while the property Ψ is monitorable, as precalculated using the knowledge analysis, we employ at runtime a synchronization algorithm such as α-core [14]. Such an algorithm allows processes to temporarily coordinate by means of the execution of a synchronization. Of course, the goal is to minimize both the number of additional synchronizations and the number of participants in each synchronization. The reason is that we want to reduce the communication overhead.
This work is related to the knowledge based control method of [2,7]. There, knowledge obtained by model checking is used to control the system in order to enforce some property, which may be a state invariant ψ. Here, we want to control the system to enforce that there is always at least one process with knowledge to detect a violation of such a property as soon as it happens. Controlling the system to avoid property violation is a different task from controlling the system to detect it. In some cases, controlling for avoidance may lead to restricting the system behavior much more severely than controlling for detection. Note also that for an application such as runtime verification, prevention is not needed while detection is required (e.g., it is acceptable that the temperature raises above its maximal expected level, but whenever this happens, some specific intervention is required).
Monitoring is a simpler task than controlling as it is nonblocking. Attempting to enforce a property ψ may result in being blocked in a state where any continuation will violate ψ. This may require strengthening ψ in order not to reach such states, through an expensive global state search, which may consequently imply a severe reduction in nondeterministic choice. On the other hand, monitoring is nonblocking: from the global state, one knows exactly how to continue and whether the monitored property holds or not; at worst, this may lead to a synchronization between processes.
As an alternative to monitoring one may use snapshot algorithms such as those of Chandy and Lamport [4] or Apt and Francez [1]. However, snapshot algorithms only report about some sampled global states. If the property ψ is not stable -that is, if ψ ⇒ ψ is not guaranteed -then the fact that ψ has been true at some global state may go undetected.

Preliminaries
We represent distributed systems as Petri nets, but the method and algorithms developed here can equally apply to other models, e.g., communicating automata or transition systems.
-P is a finite set of places. The set of states (markings) is defined as S = 2 P . -T is a finite set of transitions.
-E ⊆ (P × T ) ∪ (T × P ) is a bipartite relation between the places and the transitions. s 0 ⊆ 2 P is the initial state (initial marking).
For a transition t ∈ T , we define the set of input places • t as {p ∈ P |(p, t) ∈ E}, and the set of output places t • as {p ∈ P |(t, p) ∈ E}.
We denote the fact that t is enabled from s by s[t .
A state s is in deadlock if there is no enabled transition from it. Definition 3. The execution (firing) of a transition t leads from state s to state s , which is denoted by s[t s , when t is enabled in s and s = ( We use the Petri net of Figure 1 as a running example. As usual, transitions are represented as segments, places as circles, and the relation E as a set of arrows from transitions to places and from places to transitions. The Petri net of Figure 1 has places named p 1 , p 2 , . . . , p 8 and transitions a, b, . . . , e. We represent a state s by putting tokens inside the places of s. In the example of Figure 1, the depicted initial state s 0 is {p 1 , p 4 }. The transitions enabled in s 0 are a and b. Firing a from s 0 means removing the token from p 1 and adding one to p 3 . Note that in our case there cannot be more than one token in any place. Indeed, according to Definition 2, a transition t is enabled in a state s only if (after removing the tokens from the input places of t) there is no token in any of the output places of t. That is, using usual vocabulary for Petri nets, our Petri nets are safe by construction. Definition 4. An execution is a maximal (i.e., it cannot be extended) alternating sequence of states and transitions s 0 t 1 s 1 t 2 s 2 . . . with s 0 the initial state of the Petri net, such that for each state s i in the sequence with i > 0, it holds that We denote the set of executions of a Petri net N by exec(N ). The set of prefixes of the executions in a set X is denoted by pref (X). A state is reachable in N if it appears in at least one execution of N . We denote the set of reachable states of N by reach(N A Petri net can be seen as a distributed system, consisting of a set of concurrently executing and temporarily synchronizing processes. There are several options for defining the notion of process in Petri nets: we choose to consider transition sets as processes.

Definition 5.
A process π of a Petri net N is a subset of the transitions of N , i.e., π ⊆ T .
We assume a given set of processes Π N that covers all the transitions of N , i.e., π∈Π N π = T . A transition can belong to several processes, e.g., when it models a synchronization between processes. The set of processes to which t belongs is denoted proc(t). Note that we do not require our processes to be sequential, i.e., to hold no more than a single token at any time.
In this section, all the notions and notations related to processes extend naturally to sets of processes. Thus, we usually provide definitions directly for sets of processes. Then, when a formula refers to a set of processes Π, we will often replace writing the singleton process set {π} by writing π instead.
The neighborhood of a process π describes the places of the system whose state π can observe. Note that our definition of neighborhood is only one among others, and all our results apply also to other notions of neighborhood. Definition 6. The neighborhood ngb(π) of a process π is the set of places . For a set of processes Π, ngb(Π) = π∈Π ngb(π). Definition 7. The local state of a set of processes Π in a (global) state s ∈ S is defined as s| Π = s ∩ ngb(Π). A local state s Π of Π is part of a global state s ∈ S if and only if s| Π = s Π .
That is, the local state of a process π in a global state s consists of the restriction of s to the neighborhood of π. It describes what π can see of s based on its limited view. In particular, according to this definition, any process π can see whether one of its transitions is enabled. The local state of a set of processes Π containing more than one process is called a joint local state.
Thus, if t ∈ π∈Π π and s ≡ Π s then s[t if and only if s [t . Figure 2 represents one possible distribution of our running example. We represent processes by drawing dashed lines between them. Here, the left process π l consists of transitions a, c and d while the right process π r consists of transitions b, c and e. The neighborhood of π l contains all the places of the Petri net except p 2 and p 8 . The local state s 0 | π l corresponding to the initial state We identify properties with the sets of states in which they hold. Formally, a state property is a Boolean formula in which places in P are used as atomic predicates. Then, given a state s ∈ S and a place p i ∈ P , we have s |= p i if and only if p i ∈ s. For a state s, we denote by ϕ s the conjunction of the places that are in s and the negated places that are not in s. Thus, ϕ s is satisfied by state s and by no other state. A set of states Q ⊆ S can be characterized by a property ϕ Q = s∈Q ϕ s or any equivalent Boolean formula. For the Petri net of Figure 2, the initial state s is characterized by ϕ s = p 1 ∧p 2 ∧¬p 3 ∧¬p 4 ∧¬p 5 ∧¬p 6 ∧¬p 7 ∧¬p 8 .
Our approach for achieving a local or semi-local decision on which transitions may be fired is based on the knowledge of processes [5] or sets of processes. Basically, the (joint) knowledge of a set of processes Π in a given state s is defined by the set of reachable global states s that are equivalent to s with respect to Π, i.e., such that s ≡ Π s . For example, in the initial state represented in Figure 2, the left process π l knows that the current global state is {p 1 , p 2 }, because it is the only reachable state that projects onto local state Definition 9. Given a set of processes Π and a property ϕ, we define the property K Π ϕ as the set of global states s such that for each reachable s with s ≡ Π s , s |= ϕ. Whenever s |= K Π ϕ for some state s, we say that Π (jointly) knows ϕ in s.
We easily obtain that if s |= K Π ϕ and s ≡ Π s , then s |= K Π ϕ. Hence we can write s| Π |= K Π ϕ rather than s |= K Π ϕ to emphasize that this knowledge property is calculated based on the local state of Π. Given a Petri net and a property ϕ, one can perform model checking in order to decide whether s |= K Π ϕ for some state s. The knowledge of a set of processes Π in a given local state s| Π is the set of properties ϕ such that s| Π |= K Π ϕ. If Π contains more than one process, we call it joint knowledge.
Note that when a process π needs to know and distinguish whether η or µ holds, we write K π η ∨ K π µ. When we do not need to distinguish between these cases but only need to know whether at least one of them holds, we use the weaker K π (η ∨ µ).

Knowledge Properties for Monitoring
Our goal is to control the system, i.e., restrict its possible choice of firing transitions, in order to enforce that if a given property ψ becomes false, at least one process knows it. This should interfere minimally with the execution of the system in order to monitor when ψ is violated. To detect the occurrence of a failure, we need the following notion of a "weakest precondition": Remember that in a Petri net, there is exactly one state s such that s[t s for a given state s and transition t.
We take into account, with an increasing degree of complication: -Whether it is allowed to report the same violation of ψ multiple times.
-Whether there exists one or several types of property violation. That is, ¬ψ may be of the form ϕ 1 ∨ ϕ 2 ∨ . . . ∨ ϕ n , where each ϕ i represents a certain kind of failure to satisfy ψ. Then, whenever ψ is violated, we may need to identify and report which failure occurred. -Whether a single transition may cause several failures to occur at the same time (and each one of them needs to be identified).
First, we assume that ψ consists of only one type of failure, and furthermore, that there is no harm in reporting it several times; it is the responsibility of the recovery algorithm to take care of resolving the situation and ignore duplicate reports. For a transition t ∈ T and a set of processes Π ⊆ proc(t), we define a property δ(Π, t) as follows: if t is fired and ψ is falsified by the execution of t, Π will jointly know it. Formally: In other words, δ 1 (Π, t) holds if and only if the processes in Π either jointly know that after firing t property ψ will be violated; or they know that firing t cannot make ψ become false: either it is already false or it will be true after firing t. Note that the knowledge operators separate the case where ¬ψ will hold in the next state from the other two cases. There is no need to distinguish between the latter two cases, hence we could use the weaker requirement, where both of them appear inside a single knowledge operator K Π (¬ψ ∨ wp t (ψ)).
Now, suppose that we should not report that ψ is violated again, when it was already violated before the execution of t, and therefore has already been or will be reported. This requires strengthening the knowledge: For the case where failure of ψ means one out of several failures ϕ 1 , . . . , ϕ n , but firing one transition cannot cause more than only one particular failure, we need to consider stronger knowledge: Finally, if one single transition may cause multiple failures, we need even stronger knowledge: Note that in δ j (Π, t), for 1 ≤ j ≤ 4, the left disjunct, when holding, is responsible for identifying the occurrence of the failure, and also for j ∈ {3, 4}, identifying its type. In the following, δ(Π, t) stands for δ j (Π, t), where 1 ≤ j ≤ 4.
Definition 11. A knowledgeable step for a set of processes Π ⊆ Π N is a pair (s| Π , t) such that s| Π |= δ(Π, t) and there is at least one process π ∈ Π with t ∈ π.
We require that t be part of at least one process in Π because there must be one process to initiate the transition at the coordination level handled by the α-core algorithm, as explained in Section 5.
Note that for any transition t, (s| Π N , t) is a knowledgeable step. This means that if all processes synchronize at every step, a violation of Ψ can always be detected as soon as it happens. Of course, the additional synchronizations required to achieve joint knowledge induce some communication overhead, which we have to minimize. We explain how we do this in the next section.

Building the Knowledge Table
We use model checking to identify knowledgeable steps following a method similar to [7]. The basic principle of our monitoring policy is the following: a transition t may be fired in a state s if and only if, in addition to its original enabledness condition, (s| π , t) is a knowledgeable step for at least one process π containing t. However, there may be some state in which no individual process has enough knowledge to take a knowledgeable step. In that case, we consider knowledgeable steps for pairs of processes, then triples etc. until we can prove that no deadlock is introduced by the monitoring policy.
The monitoring policy is based on a knowledge table ∆ which indicates, for a process or a set of processes Π in a given reachable (joint) local state s| Π , whether there exists a knowledgeable step (s| Π , t), and then which transition t may thus be safely fired. When building such a table, two issues must be considered: first, the monitoring policy should not introduce deadlocks with respect to the original Petri net N . This means that we have to check that for every reachable nondeadlock global state of N , there is at least one corresponding knowledgeable step in ∆. Second, achieving joint knowledge requires additional synchronization, which induces some communication overhead, as will be explained in the next section. Therefore we must add as few knowledgeable steps involving several processes as possible.
Definition 12. For a given Petri net N , a knowledge table ∆ is a set of knowledgeable steps. We denote by S ∆ the set of (joint) local states which are part of at least one knowledgeable step in ∆.
To avoid introduce new deadlocks, we require that the table ∆ contains enough joint local states to cover all reachable global states. This is done by requiring the following invariant.
Definition 13. A knowledge table ∆ is an invariant 1 if for each reachable nondeadlock state s of N , there is at least one (joint) local state in S ∆ that is part of s. Given a Petri net N and a property ψ, the corresponding knowledge table ∆ is built iteratively as follows: The first iteration includes in ∆, for every process π ∈ Π N , all knowledgeable steps (s| π , t) where s| π is a reachable local state of π, i.e., it is part of some reachable global state of N . If ∆ is an invariant after the first iteration, then taking only knowledgeable steps appearing in ∆ does not introduce deadlocks. If ∆ is not an invariant, we proceed to a second iteration. Let U be the set of reachable non-deadlock global states s of N for which there is no (joint) local state in S ∆ that is part of s.
In a second iteration, we add to ∆ knowledgeable steps (s| {π,ρ} , t) such that s| {π,ρ} is part of some global state in U . For a given local state s| {π,ρ} , all corresponding knowledgeable steps are added together to the knowledge table. The second iteration terminates as soon as ∆ becomes an invariant or if all knowledgeable steps for pairs of processes have been added to the table.
If ∆ is still not an invariant, then we perform further iterations where we consider knowledgeable steps for triples of processes, and so forth. Eventually, ∆ becomes an invariant, in the worst case by adding knowledgeable steps involving all processes.

Monitoring using a Knowledge Table
As in [7], we use the knowledge table ∆ to control (restrict) the executions of N so as to allow only knowledgeable steps. Formally, this can be represented as an extended Petri net [6,8] N ∆ where processes may have local variables, and transitions have an enabling condition and a data transformation. We also explain how this extended Petri net is implemented in a distributed manner. Definition 14. An extended Petri net N consists of (1) a Petri net N (2) a finite set of variables V with given initial values and (3) for each transition t ∈ T , an enabling condition en t and a transformation predicate f t on variables in V . In order to fire t, en t must hold in addition to the usual Petri net enabling condition on the input and output places of t. When t is executed, in addition to the usual changes to the tokens, the variables in V are updated according to f t .
A Petri net N extends N if N is an extended Petri net obtained from N according to Definition 14. The comparison between the original Petri net N and N extending it is based only on places and transitions. That is, we project out the additional variables. Proof. The extended Petri net N strengthens the enabling conditions, thus it can only restrict the executions. However, these restrictions may result in new deadlocks.
Furthermore, we have the following monotonicity property. Theorem 1. Let N be a Petri net and N an extension of N according to Definition 14 and ϕ a state predicate for N . If s |= K π ϕ in N , then s |= K π ϕ also in N .
Proof. The extended Petri net N restricts the set of executions, and possibly the set of reachable states, of N . Each local state s| π is part of fewer global states, and thus the knowledge in s| π can only increase.
These two results show that the additional variables used to extend a Petri net N define a controller for N .
Definition 15. Given a Petri net N and a property Ψ , from which a knowledge table ∆ has been precalculated, the extended Petri net N ∆ is obtained as follows: -Encode in a set of Boolean variables en Π t for Π ⊆ Π N and t ∈ T the knowledge properties calculated in ∆ such that en Π t is true if and only if (s| Π , t) is a knowledgeable step, where s| Π is the current local state of Π.
-Encode in each f t the update of variables as t is fired and local states modified.
-Define each en t as Π⊆Π N en Π t . That is, t can be fired if at least one set of processes knows that it is part of a knowledgeable step.
In practice, we obtain joint knowledge by adding synchronizations amongst the processes involved. Such synchronizations are achieved by using an algorithm like α-core [14], which allows processes to notify, using asynchronous message passing, a set of coordinators about their wish to be involved in a joint action. This is encoded into the extended Petri net. Once a coordinator has been notified by all the participants in the synchronization it is in charge of, it checks whether some conflicting synchronization is already under way (a process may have notified several coordinators but may not be part of several synchronizations at the same time). If this is not the case, the synchronization takes place. The correctness of the algorithm guarantees the atomic-like behavior of the coordination process, allowing us to reason at a higher level of abstraction where we treat the synchronizations provided by α-core (or any similar algorithm) as transitions that are joint between several participating processes.
Thus, each process π of N is equipped with a local table ∆ π containing the knowledgeable steps (s| π , t) that appear in the knowledge table ∆ and the knowledgeable steps (s| Π , t) such that π ∈ Π. Before firing a transition in a given local state s| π , process π consults its local table ∆ π . It ∆ π contains a knowledgeable step (s| π , t), then π notifies α-core about its wish to initiate t, so that the coordinator algorithm will handle potential conflicts with other knowledgeable steps. If ∆ π contains a knowledgeable step (s| Π , t) such that s| π is part of s| Π , then π notifies α-core about its wish to achieve joint knowledge through synchronization with the other processes in Π. If the synchronization takes place, then any process in Π and containing t may initiate it. The processes in Π remain synchronized until t has been fired or disabled by some other knowledgeable step.

Implementation and Experimental Results
In this section we apply our approach to a concrete example that we have implemented in a modified version of the prototype presented in [7]. We have implemented properties δ 1 to δ 3 as defined in Section 3. Property δ 4 is not relevant here because a single transition may never cause multiple failures. The prototype implementation computes the knowledge table ∆ based on the local knowledge of processes, as described in Section 4.
The example presented here is a Petri net representing the following scenario: trains enter and exit a train station such as the one represented in Figure 3 (trains that are outside the train station are not represented), evolving between track segments (numbered from 1 to 12). A track segment can accept at most one train at a time, therefore there must be some mechanism to detect and resolve conflicts amongst trains trying to access the same track segment. Trains enter and exit the station on the left, i.e. entry segments are tracks 1 to 4. After entering the station, a train moves from left to right until it reaches one of the platforms (tracks 9 to 12); then it starts moving from right to left until it exits the station on one of the entry segment. A train leaving the station on a given track segment may reenter the station only on this segment.
We monitor a property Ψ which we call absence of partial gridlock. A partial gridlock is a situation where some trains are blocking each other at a given intersection. These trains cannot follow their normal schedule and must inform a supervisor process which will initiate some specific repair action, e.g. requesting some trains to backtrack. For each intersection where n track segments meet, a partial gridlock is reached when there is one train on each of these segments that is moving toward the intersection. A global state satisfies Ψ if and only if it does not contain any partial gridlock. Transitions describe how trains can enter, exit and move within the station. Processes correspond to track segments. That is, the process associated with a segment σ, denoted π σ , consists of all the transitions involving σ (a train arriving on σ or leaving it). In particular, this means that transitions corresponding to a train moving from one segment σ 1 to another segment σ 2 belong to π σ1 and π σ2 while transitions representing a train entering or exiting the train station belong to exactly one process namely the entry segment on which the train is entering or leaving. Furthermore, according to the definition of neighborhood, a process π σ knows if there is a train on segment σ and also on the neighbors of σ, i.e., the track segments from which a train may reach σ. Interestingly, no additional synchronization is needed to enforce that only knowledgeable steps are taken in this example, independently of the choice of the knowledge property δ i . The reason for this is twofold. First, partial gridlock (a) of Figure 4 is always detected by the track segment on the right, which knows that there is a train on all three segments. Second, partial gridlock (b) of Figure 4 is not reachable, as we explain below which implies that the knowledge table is an invariant as explained in Footnote 1. Hence no additional synchronization is needed. Intuitively, partial gridlock (b) is not reachable for the following reason: whenever train station TS 1 reaches a global state similar to that represented in Figure 3, segment 8 cannot be entered by the train on segment 12. Indeed, this move is a knowledgeable step neither for process π 12 nor for process π 8 , since none of them knows whether this move would introduce a partial gridlock or not. Remember that π 8 does not know whether there is a train or not on segment 7. However, moves from the trains on segments 5 and 6 to 8 are knowledgeable steps for π 8 , as π 8 knows they do not introduce any partial gridlock.  Table 1 presents some results about the influence of our monitoring policy on the behavior of the system. The notation NR indicates that some information is irrelevant for the uncontrolled system. A first conclusion is that the behavior of the system is not dramatically affected by the monitoring policy: whatever the knowledge property δ j used to define the monitoring policy, very few global states become unreachable compared to the uncontrolled system. Also, the ratio of supported transitions to inhibited transitions is around 150:1 for δ 1 and δ 3 , and 75:1 for δ 2 . Finally, the fact that a partial gridlock is reached on average after 56 steps in the uncontrolled system shows that monitoring the system does not drive it into states in which the property under study Ψ is violated.
Furthermore, note that δ 1 and δ 3 yield similar results in contrast with δ 2 . This is due to the fact that every process knows exactly whether it is creating a given partial gridlock, but it does not always know whether it is creating the first partial gridlock in the system. As a result, the ratio of transitions inhibitedthat is, transitions enabled but not part of a knowledgeable step -is higher when the system is monitored according to δ 2 than when it is monitored according to δ 1 and δ 3 .
Example 2. Figure 5 shows another train station TS 2 and a global reachable non-deadlock state in which there is no knowledgeable step for a single process. As a result, an additional synchronization must be added. Our experiments on train station TS 2 consider 7 trains. There are 1,173,822 reachable global states in the corresponding Petri net, among which 9,302 contain a partial gridlock. Besides, there are 27 global deadlock states. However, there is only one global reachable non-deadlock state for which there is no corresponding knowledgeable step for a process alone. This state, which we denote s dl , is represented in Figure 5. A synchronization between processes π 3 and π 6 is sufficient to ensure that no deadlock is introduced by the monitoring policy, as there are three transitions t such that (s dl , t) is a knowledgeable step for {π 3 , π 6 }.
We have also performed some experiments to evaluate the number of synchronizations added by the monitoring policy as well as the number of transitions inhibited at runtime. All δ j yield similar results, so we present them together. Interestingly, the number of synchronizations due to the monitoring policy is very low and although the only progress property that we preserve is deadlockfreedom, few transitions are inhibited in this example. Besides, only 1,972 global states are not actually reachable in the controlled system. Thus, in this example, controlling the system in order to preserve the knowledge about absence of partial gridlock hardly induces any communication overhead and does not alter significantly the behavior of the global system.  Note that it is sufficient here to add one temporary synchronization between two processes in order to detect that a partial gridlock occurred, whereas knowledge about absence of a partial gridlock would require an almost global synchronization. Besides, controlling the system in order to enforce absence of partial gridlocks (instead of monitoring it) would require that processes avoid states in which every possible move leads (inevitably) to a partial gridlock. That is, it requires look-ahead.

Conclusion
In this paper, we have proposed an alternative approach to distributed runtime monitoring that guarantees by a combination of monitoring and control (property enforcement) that (1) the fact that some property ψ becomes false is always detected instantaneously when the corresponding transition is fired, and (2) there are no "false alarms", that is whenever ψ is detected, it does hold at least in the state reached at that instant. In other words, we use control as introduced in [2, 7, 3] to enforce a strong form of local monitorability of ψ, rather than to enforce ψ itself.
We use synchronizations amongst a set of processes -which are realized by a coordinator algorithm such as α-core -in order to reliably detect that: either (1) ψ will be false after the transition or (2) the transition does not change the status of ψ. We use model checking to calculate whether (joint) local states have the required knowledge to fire a given transition. We control the system by allowing only such knowledgeable steps and we add as many synchronizations as necessary to enforce absence of global deadlocks which do not already appear in the original system.
We have applied this approach to a nontrivial example, showing the interest of enforcing some knowledge about the property instead of the property itself. Future work now includes enforcing other progress criteria than deadlockfreedom.