Logics for Petri Nets with Propagating Failures

. Petri nets play a central role in the formal modelling of a wide range of complex systems and scenarios. Their ability to handle with both concurrency and resource awareness justiﬁes their spread in the current formal development practices. On the logic side, Dynamic Logics are widely accepted as the de facto formalisms to reason about computational systems. However, as usual, the application to new situations raises new challenges and issues. The ubiquity of failures in the execution of current systems, interpreted in these models as triggered events that are not followed by the corresponding transition, entails not only the adjustment of these structures to deal with this reality, but also the introduction of new logics adequate to this emerging phenomenon. This paper contributes to this challenge by exploring a combination of two previous works of the authors, namely the Propositional Dynamic Logic for Petri Nets [1] and a parametric construction of multi-valued dynamic logics presented in [13]. This exercise results in a new family of Dynamic Logics for Petri Nets suitable to deal with ﬁring failures.


Introduction
Petri nets are semantic structures widely used in computer science.Their adequacy to model, specify and analyze complex systems dealing with concurrency and resource awareness is well known.At the core of this success is their rich and intuitive graphical syntax.Nevertheless, for property oriented specification and verification purposes, it is useful to consider logic systems having this structure as a semantics.The first attempt in such direction was done by the linear logic community (e.g.[6]).A number of other logics were then proposed in the literature for standard and timed versions of Petri nets eg.[3].
Propositional dynamic logic (PDL) [8], a very versatile logic for verification of computational systems, was also explored in this context.Particularly, Petri-PDL [12] was introduced as an extention of PDL to give logical semantics to Petri nets.In such variant, the programs are marked Petri nets expressed by a textual syntax (with a choice and a composition operators).Another approach was taken in [5], where the well established theory of modal semirings was used to develop a generic modal algebra for reasoning about reachability properties in Petri nets.The BI resource based semantics presented in [16] introduces another proposal to allow comparison of "amounts of information" modelled by the possible worlds of the model.In this work, Petri nets are presented as concrete instances of this semantics.Later, the work of [12] was extended [1] to include the iteration operator.This logic is expressive enough to describe properties of systems like the one shown in the example below: Example 1.Let us present the following situation, based on the example presented in [1], which illustrates the behaviour of a chocolate vending machine.The system works as follows: we turn the machine on (l) and put one coin (m) and then it releases the chocolate (c).
Its behaviour can be specified by the Petri net of Figure 1.The upper left place ( ) is the power button of a vending machine; the bottom left is the coin inserted (m) and the bottom right is the chocolate output (c); if the vending machine is powered on, always when a coin is inserted you will have a chocolate released.We can express that once we turn the machine on and put one coin we can obtain a chocolate by the formula ( , m), ( mt 2 x xt 3 yc) , meaning that, if we are in a state were states and m are marked, after executing the Petri net program mt 2 x xt 3 yc, we reach a state were is satisfied.The above formula can be proved using the proof system presented in [1].
The complexity of modern systems, namely the heterogeneity of the environments where they live, entails a more demanding approach in their design and building processes.The inevitability that human beings eventually make mistakes in such processes extols the advantage of adopting formalisms which deal with the possibility of failures at the outset.Recalling again the previous example, we would bet that the reader already experienced undesirable situations like after putting a coin in a vending machine, the desired chocolate gets stuck behind of the glass.The analysis of such kinds of failures would require a formalism able to express statements like once we turn the machine on and put one coin we have an assurance α that we will obtain a chocolate.A possible model for handling theses scenarios would be a variation of the classical definition of Petri nets, where the triggering of a transition happens with some reliability degree.The resulting assurance would depend on two aspects: on one side, the reliability degree associated to the execution of a program; on the other, an appropriate evaluation of a formula in a many-valued truth space.Despite their adequacy in the reasoning about several properties of Petri nets, none of the approaches presented in [11], [5] or [16] aim to formalise the attribution of such degrees.
In order to achieve a Dynamic Logic analogous to [1], but suitable to this scenario, we base this work on the construction of multi-valued dynamic logics introduced in [14,13].First, we introduce a new variant of the Petri Nets, the Petri nets with A-failures, which explicitly assumes that the modelled system may eventually fail, supporting a claim of reliability to each firing of a transition.In the case where a failure occurs, the firing event is consumed without the occurrence of the expected transition.Depending on the system modelled, it would make sense to measure these reliability degrees in a discrete scale, in a continuous interval, or simply in an universe only with the values true and false.Hence, instead of fixing the domain of the assurances degrees as the usual real interval [0, 1], we will be more generic: the proposed models are parametric to the nature of the reliability degrees that are most suitable for each concrete situation.This flexibility is realised by assuming, as parameter, an (action) lattice A. Some additional considerations on this parameter are in order.
As in standard PDL, the interpretation of programs in Petri-PDL [11] relies on the Kleene algebra of relations (as we will see in the next section, firing functions are interpreted as binary relations).However, firing functions in Petri nets with A-failures are based on reliability degrees given by elements of an action lattice, and not on the interpretation of classic binary relations.
To give meaning to Petri net programs in this new formalism, this paper adopts a class of Kleene algebras, parameterised by an action lattice A. These algebraic structures base the interpretation of (composed) programs in Petri nets with A-failures, by reflecting how failures in transitions are propagated into the whole execution of a program.This is also reflected in the kind of assertions we can express in the logic, as well as in the outcome we expect for the validity of a Dynamic Logic formula in a Petri net with A-failures.For that purpose, we follow a strategy similar to that used in [14,13], where an action lattice will follow a similar role in our method, namely as a computational model (by representing weighted fails) and as a truth universe (by giving a (possible) many-valued truth space to the addressed logics).The proposed method for constructing graded dynamic logics is parametric on whatever truth/computational domain is the most suitable to the system under consideration.
Outline.The remaining of this paper is organized as follows.Section 2 presents all the background needed about the Petri-PDL formalism and the concept of action lattice.Section 3 is devoted to Petri Net with A-failures, as well as, to suitable Kleene Algebras to interpret programs in these structures.In Section 4, we introduce a parametric construction of dynamic logics for Petri nets with A-failures, and proper illustrations for such a method.Finally, Section 5 concludes the paper with some final remarks on future work.

Background
In this section, we present a brief overview of two topics on which the later development is based.First, we review the syntax and semantics of Petri-PDL [1].Second, we recall the main notions behind the method introduced in [13], for the generation of many-valued dynamic logics parametrized by an action lattice.This parameter supports both the (possible non-bivalent) truth spaces and the base computational model.

Propositional Dynamic Logic for Petri nets with Iteration
This subsection recalls the syntax and semantics of Petri-PDL , as presented in [1].The language of Petri-PDL consists of The definitions of frame, model and satisfaction, that we recall below, are adapted from PDL to deal with the firing of basic Petri nets.
for some η i , ∃u such that s i ∈ M (u) and wR ηi u and uR ηi v} where s = M (w), η i are Petri net programs and s i = f (s, η i ), for all 1 ≤ i ≤ n.
Definition 5. A model for Petri-PDL is a pair M = F, V , where F is a Petri-PDL frame and V is a valuation function from a set of propositions Prop, The semantical notion of satisfaction for Petri-PDL is defined below.Definition 6.Let M = (F, V) be a model.The notion of satisfaction of a formula ρ in a model M at a state w, notation M, w |= ρ, can be inductively defined as follows:

Kleene algebras and Action Lattice
We review in this section the notion of Action Lattice [10] as it was used in [13].
Definition 7 (Kleene Algebra and Action lattice).An action lattice is a tuple A = (A, +, ; , 0, 1, * , →, •), where A is a set, 0 and 1 are constants, * is an unary operation in A and +, ; , → and • are binary operations in A satisfying the axioms enumerated in Figure 2, where the relation ≤ is induced by +: a ≤ b iff a + b = b.An integral action lattice consists of an action lattice satisfying a ≤ 1, for all a ∈ A. A Kleene Algebra is a structure (A, +, ; , 0, 1, * ) satisfying ( 1)- (13). a; a; 0 = 0; a = 0 (9) x; a As stated in the introduction, the structure of an action lattice is explored in this paper along a double dimension: as a computational model and as a truth space.The intuitions for some of its operations shall be taken from both of these perspectives.Such is the case of operation +, which plays the role of non-deterministic choice, in the interpretation of programs, and of logical disjunction, in the interpretation of sentences.However, there are operations whose intuition is borrowed from just in one of these domains.For instance, while operations * and ; are taken as iterative execution and sequential composition of actions, operations → and • play the role of logical implication and conjunction, respectively.
The following structures are examples of action lattices: Example 2 (2 -linear two-values lattice.).As a first action lattice example, we consider the two valued boolean lattice 2 = ({ , ⊥}, ∨, ∧, ⊥, , * , →, ∧) with the standard boolean connectives defined as follows: Example 3 (W k finite Wajsberg hoops).We consider now an action lattice endowing the finite Wajsberg hoops [2] with a suitable star operation.Hence, for a fix natural k > 0 and a generator a, we define the structure W k = (W k , + , ; , 0, 1, * , →, •), where W k = {a 0 , a 1 , • • • , a k }, 1 = a 0 and 0 = a k , and for any m, n ≤ k: a m + a n = a min{m,n} , a m ; a n = a min{m+n,k} , (a m ) * = a 0 , a m → a n = a max{n−m,0} and a m • a n = a max{m,n} .

Petri nets with failures
This section introduces the notion of Petri net with A-failures, as well as suitable Kleene algebras to interpret (composed) programs.As referred in the introduction, the use of an action lattice A as parameter is due to the necessity of supporting a double dimension: (i) attribute a reliability degree to the firing of a transition, referring to the interpretation of Petri net programs; (ii) state a degree for a specific property of a Petri net, on the logical side.As stated, this work is concerned with Petri nets where transitions between markings may fail.This assumption entails adjusting the system dynamics of classical Petri nets: while, in such case, we argue that a system evolves to another markings if a transition is enabled, in our approach, a transition to a new marking occurs with a reliability degree α, where α is an element of the lattice A. In cases where the Petri net does not transit to another marking, the transition is still consumed.Formally: Definition 8. Given an action lattice A = (A, +, ; , 0, 1, * , →, •), a set S of markings (over a set of place names P ) and a basic Petri net program π ∈ Π 0 , an α-firing function, for α ∈ A, is a function f α π : S × S → A defined as where Π i (P ) are the following partitions of the atomic programs: Note that, in this work, we do not take into consideration the order of the tokens in the markings.Hence, those are represented as multisets, instead of sequences as done for Petri-PDL [1].Now, we have conditions to introduce the intended model.
Definition 9 (Petri net with A-failures).Let A = (A, +, ; , 0, 1, * , →, •) be an action lattice.A Petri net with A-failures consists of a tuple P = P, S, Π 0 , I, M 0 where P is a set of places; S ⊆ P * is the set of (admissible) markings; Π 0 ⊆ Π(P ) is the set of atomic programs; I : Π 0 → A is the atomic programs reliability degree and M 0 ∈ S is the initial marking.The interpretation of an atomic program π ∈ Π 0 is given by the firing function f .
In this work, as in [13], the underlying Kleene algebra of A (c.f.Defn 7) provides a generic computational model for interpreting programs.However, differently form such work, we interpret computations as α-firing functions of Definition 8, which carry the information about their effect when executed.Hence, we define the following algebra: Definition 10.Let A = (A, +, ; , 0, 1, * , →, •) be an action lattice and S be a finite set.The algebra of A-firing functions is the structure F = (F, ∪, •, ∅, χ, * ) where: -F is the universe of all the α-firing functions, for all The next theorem states that F represents an adequate structure to interpret Petri net programs for Petri nets with A-failures4 .

Theorem 1. F is a Kleene Algebra
Proof.This proof is analogous to the proof of the classical result [4], stating that the algebra of n × n matrices over a Kleene algebra is a Kleene algebra.
With this Kleene algebra, we are able to interpret regular programs in Petri nets with A-failures, i.e. regular expressions of atomic transitions in A:

Definition 11 (A-interpretations of programs).
Let A = (A, +, ; , 0, 1, * , →, •) be an action lattice and P, S, Π 0 , I, M 0 a Petri net with A-failures.The interpretation of a Petri net program η is a firing function recursively defined as follows: for any atomic program π ∈ Π 0 , π (s, s ) = f The interpretation of Petri Net composed programs, as presented in Definition 1, where the global composition is considered rather than the sequential composition ;, can be handled in our logic indirectly by defining as where η and η are Petri net programs.

Parametric construction of dynamic logics for Petri nets with failures
This section introduces a parametric method to build Petri-PDL to reason about Petri nets with A-failures, inspired by the construction proposed in [13].The semantic and satisfaction of these logics are built on top of an arbitrary action lattice A = (A, +, ; , 0, 1, * , →, •) (c.f.Definition 7).Hence, the resulting logics will be denoted by GP(A).Petri-PDL , as introduced in [12], is captured as an instance of this construction (by using, as parameter, the lattice 2 of Example 2).Beyond the reliability degrees for transitions, the action lattice also supports the truth space for the (possible multi-valued) outcomes of the logic.The language for GP(A) is the same of Petri-PDL , except for formulae, that we define below.Definition 12. Let Prop be a set of propositions.The set of GP(A) formulas for the set of propositions Prop and for the set of place names P , denoted by Fm GP(A) (Prop, P ), is defined by the grammar Observe that we denoted the regular programs (with the sequential composition ;) by letter ξ instead of η used for the Petri-net programs (with global composition ).However, in the sequel, we will relax this convention by using η for both cases.The symbol will also be used as meta-syntax of our logic, to be interpreted according to (20).For instance, the expression η η ϕ is just notation for the formula η; (η + η ) * + η ; (η + η ) * ϕ.
Note that, differently from previous work [1], we do not include the negation as a primitive operator, and use, instead, the defined negation ¬x ≡ x → ⊥.Actually, as stated, we intend to deal with generic truth spaces for possible non bivalent interpretation of assertions (e.g.we are not requiring negative involution).
Definition 13.A model for GP(A) is a pair M = P, V , where P is a Petri net with A-failures and V is a valuation function over a set of propositions Prop, defined as V : Prop × S → A. Now, we define the semantic notion of satisfaction for GP(A).Definition 14.Let A = (A, +, ; , 0, 1, * , →, •) be an action lattice.The (graded) satisfaction |= : (M×S)×Fm GP(A) (Prop) → A for GP(A) is recursively defined for each model M, any marking s ∈ S and for any formula ρ ∈ Fm GP(A) (Prop) as follows: Assume now that this machine has a technical problem and it can not assure with total reliability the release of a chocolate every time a coin is inserted.Suppose also that we can express such reliability degrees in a 1 . . . 10 discrete scale.Hence, using GP(W 10 ) (see Ex.3), we can express that the machine transits from marking lm to x with a reliability 8 and from x to yc with 9, i.e. a = 8 and b = 9.Now, the verification of the property once we turn the machine on and put one coin we have a reliability 7 out of 10 that we will obtain a chocolate, from the marking m, can be computed by M, m |= mt 2 x; xt 3 yc = 8; 9 + (8 → 0); 0 ; 10 + (8 → 0); 0 ; 10 + 8; (9 → 0) + (8 → 0); 0 ; 10 = 7.
Nevertheless, for some situations, it could be more appropriate to use a continuous scale.Suppose, for instance, that we want to be more precise, by stating that the reliability degree of the machine to evolve from marking lm to x is 0.78 and from x to yc is 0.93, which corresponds to a = 0.78 and b = 0.93.This can be expressed using GP( L) (see Ex.

Conclusions and further work
In this work, we contributed with the generalisation of the logic presented in [1], by considering that the firing of a Petri net may fail.The approach taken in order to handle this variation was based on previous work done in [13], where an action lattice is considered to model both the notion of reliability degree of transitions in models and to support the (possible) multi-valued truth degree of a formula.This goal was accomplished by introducing: (i) a new definition of Petri net, where transitions between markings may fail; (ii) an underlying class of Kleene algebras (parametric on an action lattice), suitable for interpreting (composed) Petri net programs; (iii) a parametric method to build Dynamic logics with these semantics.The extension of this work can be done in several directions.First, the necessity to have supporting computational tools for these logics suggests the development of a proof calculi and model checking algorithms, with their computational complexity.In this line, we expect to obtain characterizations, parametric to the base action lattice adopted in each situation.Moreover, comparing these logics with the literature is also in our agenda, namely to establish a formal relation between the models of GP( L) and the Fuzzy Petri nets [17].
The behaviour of Petri nets is concurrent by nature, being defined by the simultaneous firing of sets of transitions.However, in the method introduced, global composition is presented as a derived operator from the base (sequential composition, choice and reflexive transitive closure) Kleene operations.Hence, in future, we intend to adapt the presented construction to another parameter supporting a concurrent computational model like, for instance, a Concurrent Kleene Algebra [9].An approach in this direction was already addressed in [5], which is based on the well known work on modal semirings [15].Note however that, although such approach is capable of handling concurrency, it lacks the expressiveness for generating a logic able to reason in a multi-valued truth space.

Fig. 1 .
Fig. 1.Execution of the program mt2x xt3yc in the chocolate machine

Definition 1 .Definition 2 .
Propositional symbols: P rop = {p, q, . ..}Place names: a, b, c, d, . . .Transition types: T 1 : xt 1 y, T 2 : xyt 2 z and T 3 : xt 3 yz Petri net Composition symbol: PDL operator: (iteration) Markings: S = { , s 1 , s 2 , . ..},where is the empty sequence.The notation a ∈ s is used to denote that the place name a occurs in s.The expression #(s, a) is the number of occurrences of place name a in s.It is said that a sequence r is a subsequence of s, denoted r s, if for any place name a, if a ∈ r implies a ∈ s.Petri-PDL Programs for a set of places P Basic programs: set Π 0 (P ) defined by the grammar π ::= at 1 b | abt 2 c | at 3 bc where t i is of type T i , i = 1, 2, 3 and a, b, c ∈ P .Petri net Programs: set Π(P ) defined by the grammar η ::= π | π η | η for π ∈ Π 0 (P ) Let Prop be a set of propositions.The set of Petri-PDL formulas for Prop, denoted by Fm Petri−PDL (A) , is defined by the grammar ρ ::= p | | ¬ρ | ρ ∧ ρ | s, η ρ where p ∈ Prop.We use the standard abbreviations ⊥ ≡ ¬ , ρ ∨ ρ ≡ ¬(¬ρ ∧ ¬ρ), ρ → ρ ≡ ¬(ρ ∧ ¬ρ) and [s, η]ρ ≡ ¬ s, η ¬ρ.The definition below introduces the firing function.It defines how the marking of a basic Petri net changes after a firing.Definition 3.For a set of markings S, we define the firing function f : S × Π 0 → S as follows

Definition 4 .
A frame for Petri-PDL is a triple W, R π , M , where -W is a non-empty set of states; -M : W → S; -R π is a binary relation over W , for each basic program π, satisfying the following condition: let s