Predictability Verification with Parallel LTL-X Model Checking Based on Petri Net Unfoldings by Madalinski A & Khomenko V
  
COMPUTING SCIENCE
Predictability Verification with Parallel LTL-X Model Checking Based on Petri Net Unfoldings
Agnes Madalinski and Victor Khomenko

TECHNICAL REPORT SERIES
No. CS-TR-1276, September 2011
Abstract

We show that the predictability problem for a Petri net can be reduced to LTL-X model checking. The advantage of this is that existing efficient methods and tools can be employed, in particular parallel model checking based on Petri net unfoldings. The experimental results show that this approach is efficient, and a good level of parallelisation can be achieved.

© 2011 Newcastle University. 
Printed and published by Newcastle University, 
Computing Science, Claremont Tower, Claremont Road, 
Newcastle upon Tyne, NE1 7RU, England. 
About the authors

Agnes Madalinski obtained an MSc in Parallel and Scientific Computation from the University of Liverpool, UK, in 2000, and a PhD in Electronic and Computer Engineering in 2005 from the University of Newcastle upon Tyne, UK. She completed two post-docs in France, in the DistribCom Research Group at INRIA Rennes and in the Gemo Team at INRIA Saclay. Since 2008 she has been an associate professor in the Faculty of Science and Engineering at the University Austral de Chile, Valdivia, Chile. She is interested in the verification of systems with Petri net unfoldings, applied to fault diagnosis and asynchronous (self-timed) circuits.

Victor Khomenko obtained his MSc with distinction in Computer Science, Applied Mathematics and Teaching of Mathematics and Computer Science in 1998 from Kiev Taras Shevchenko University, and his PhD in Computing Science in 2003 from Newcastle University. He was Program Committee Chair of the International Conference on Application of Concurrency to System Design (ACSD'10). He also organised the Workshop on UnFOlding and partial order techniques (UFO'07) and the Workshop on BALSA Re-Synthesis (RESYN'09). In January 2005 Victor became a Lecturer in the School of Computing Science, Newcastle University, and in September 2005 he obtained a Royal Academy of Engineering / EPSRC Post-doctoral Research Fellowship and worked on the Design and Verification of Asynchronous Circuits (DAVAC) project. After the end of this award, in September 2010, he returned to his Lectureship. Victor's research interests include model checking of Petri nets, Petri net unfolding techniques, and the verification and synthesis of self-timed (asynchronous) circuits.

Suggested keywords 
 
PREDICTABILITY 
FAULT DIAGNOSIS 
PETRI NET UNFOLDINGS 
PARALLEL LTL-X MODEL CHECKING 
Agnes Madalinski (1) and Victor Khomenko (2)
(1) Faculty of Engineering Science, University Austral de Chile, Valdivia, Chile
(2) School of Computing Science, Newcastle University, Newcastle upon Tyne, UK
1. Introduction
Fault diagnosis consists in detecting abnormal behaviours of a physical system. Within the fault diagnosis framework, predictability is a property describing the possibility of predicting a fault before it actually occurs by monitoring the observable behaviour of the system. Predictability implies diagnosability, an important property that determines the possibility of detecting faults by monitoring the observable behaviour. The difference is that diagnosability ensures that the fault can eventually be detected, possibly long after its occurrence, while predictability allows the fault to be detected before it actually occurs. Predictability makes it possible to react before the fault causes the system to malfunction, e.g. by issuing a warning or taking some preventive measures.
Predictability was introduced in [5]. It is based on the seminal work [15], which presents a formal language framework for diagnosis and the analysis of diagnosability properties of discrete event systems represented by finite automata. The system's actions are partitioned into observable and unobservable ones; furthermore, some of the unobservable actions are designated as faults. The proposed method for diagnosability verification was based on the construction of a diagnoser, an automaton with only observable transitions which allows one to estimate the current state of the system by observing its visible actions. Improvements based on the twin plant method have been introduced in [8, 17], where the basic idea was to build a verifier by constructing the synchronous product of the system with itself on observable transitions. Violations of diagnosability can then be detected by inspecting the executions of the verifier. The diagnoser and verifier approaches have also been used to verify the predictability property in [5] and [6], respectively.
Naturally, the state-based twin plant method suffers from the combinatorial state space explosion problem. That is, even a relatively small system specification can (and often does) yield a very large state space. To alleviate this problem, Petri net (PN) unfolding techniques appear promising. The system is modelled as a PN, where each transition is labelled with the performed action. A finite and complete prefix of a PN unfolding gives a compact representation of all reachable markings of this PN. Executions are considered as partially ordered sets of transitions rather than sequences, which often results in memory savings. Since the introduction of the unfolding technique in [11], it has been improved [2], parallelised [7], and applied to various practical problems such as distributed diagnosis [3] and LTL-X model checking [1]. Also, the problem of diagnosability verification based on the twin plant method has been studied in [10] in the context of parallel LTL-X model checking based on PN unfoldings.
This paper adapts the twin plant method deployed in [10] (where an existing parallel LTL-X model checker, PUNF [13, 16], based on PN unfoldings is applied) to predictability verification. A verifier is built in such a way that it can produce a witness of non-predictability if one exists. Then, predictability can be expressed as an LTL-X property of the verifier, and to model-check it, a synchronised net is constructed from the verifier and an appropriate Büchi automaton. Finally, the unfolding-based LTL-X model checking of [1, 16] is applied to carry out the verification. Experiments show that the proposed approach is quite efficient, and good parallelisation can be achieved.
2. Basic notions
Petri nets. A Petri net is a quadruple N = (P, T, F, M_N) such that P and T are disjoint sets of places and transitions, respectively, F ⊆ (P × T) ∪ (T × P) is a flow relation, and M_N is the initial marking, where a marking is a multiset of places, i.e. a function M : P → ℕ = {0, 1, 2, ...} assigning a number of tokens to each place. We adopt the standard rules about drawing nets, viz. places are represented as circles, transitions as boxes, the flow relation by arcs, and the marking is shown by placing tokens within circles. As usual, •z ≝ {y | (y, z) ∈ F} and z• ≝ {y | (z, y) ∈ F} denote the preset and postset of z ∈ P ∪ T. In this paper, the presets of transitions are restricted to be non-empty, i.e. •t ≠ ∅ for every t ∈ T.

A transition t ∈ T is enabled at a marking M, denoted M[t〉, if for every p ∈ •t, M(p) ≥ 1. Such a transition can fire, leading to a marking M′ ≝ M − •t + t•, where '−' and '+' stand for the multiset difference and sum, respectively. We denote this by M[t〉M′. For a finite sequence of transitions σ = t_1 ... t_k (k ≥ 0), we write M[σ〉M′ if there are markings M_1, ..., M_{k+1} such that M_1 = M, M_{k+1} = M′ and M_i[t_i〉M_{i+1}, for i = 1, ..., k. If M = M_N, we call σ an execution of N. Infinite executions can be defined analogously.
The set of reachable markings of N is the smallest (w.r.t. ⊂) set [M_N〉 containing M_N and such that if M ∈ [M_N〉 and M[t〉M′ for some t ∈ T then M′ ∈ [M_N〉. A PN N is k-bounded if, for every reachable marking M and every place p ∈ P, M(p) ≤ k, and safe if it is 1-bounded. In what follows, we assume that the PNs we deal with are safe. A marking of N is called a deadlock if it enables no transitions. N is deadlock-free if none of its reachable markings is a deadlock.
A labelled PN 𝒩 = (N, O, U, ℓ) extends a PN N with disjoint sets O and U of observable and unobservable transition labels and a labelling function ℓ : T → O ∪ U. 𝒩 inherits the operational semantics of the underlying net N. We lift the notions of enabledness and firing to transition labels: M[ℓ(t)〉M′ if M[t〉M′. Moreover, the domain of ℓ can be extended to finite and infinite sequences of transitions in a natural way, and ℓ(σ) is called a trace of 𝒩 if M[σ〉, where σ is a finite or infinite execution. 𝒩 is divergence-free if none of its reachable markings enables an infinite trace comprised of unobservable actions. For a (finite or infinite) trace ς we denote by Obs(ς) the projection of ς onto O.
Predictability. The predictability problem is formulated on a labelled Petri net 𝒩 that is assumed to be deadlock-free and divergence-free. Intuitively, its observable actions correspond to controller commands and sensor readings, while the unobservable ones correspond to some internal activity that is not recorded by sensors. Some actions are designated as faults, and, w.l.o.g., the set of faults F ⊆ U (for predictability to hold, one should be able to predict faults before they occur, and so making fault transitions observable does not affect this property). As an example, consider Fig. 1, where O = {a, b, c}, U = {u, f} and F = {f}.
Figure 1: An example net 𝒩 (places p0, p1, p2, p3; transitions a, b, c, u, f).
The following definition of predictability is based on the one in [6]. (We have simplified it somewhat; the given definition coincides with that in [6] on finite state systems.) Intuitively, a system is predictable w.r.t. a fault f if it does not have a pair of traces whose initial parts have the same projection onto the observable actions and do not contain occurrences of f, while the continuation (which can be finite or infinite) of one of these traces starts with f and the continuation of the other is infinite and does not contain occurrences of f. For example, the system in Fig. 1 is not predictable, as it has a pair of traces (af, (aub)^ω) whose initial parts have the same projection a onto the observable actions, the first trace is continued with f, and the second one is infinite and does not contain occurrences of f; hence, after the first occurrence of a, it is not possible to predict whether the fault will occur or not.
Formally, a deadlock-free and divergence-free labelled Petri net 𝒩 is predictable w.r.t. a fault f if it does not have a pair of traces of the form (ς1 f ς2, ς′1 ς′2), where:
1. ς1 and ς′1 are finite traces containing no occurrences of f and satisfying Obs(ς1) = Obs(ς′1); and
2. ς2 and ς′2 contain no occurrences of f; and
3. ς′2 is infinite.
A pair of traces satisfying the above conditions constitutes a witness of predictability violation, see Fig. 2. Such a witness is returned by our unfolding-based LTL-X model checking approach in case the property does not hold, and it can be used for debugging.
Note that some non-essential choices have been made in the above definition. First, one could allow ς2 to contain further occurrences of f; however, any such witness can be converted to the form required by the above definition by truncating the first trace so that it contains a single occurrence of f. Second, no restriction is placed on the length of ς2: it can be infinite, finite or even empty. In fact, it is possible to simplify the definition by requiring that ς2 is empty. It is easy to show that any combination of these choices yields the same class of systems. The actual choices that have been made were motivated by technical convenience: a witness of this form is exactly what our method returns.

Figure 2: Witness of non-predictability: the visible actions are shown by solid lines, and the invisible ones (including the fault f) by dotted grey lines. The two traces initially synchronise on observable actions, but after f fires, the synchronisation is no longer required. The first trace contains a single occurrence of f, whereas the second one contains none. The first trace can be infinite or not, while the second one is infinite.
LTL-X and Büchi automata. There are two orthogonal views on system computation. According to the state-based view, a computation is a potentially infinite sequence of states s_0 s_1 s_2 ..., such that for each i, s_{i+1} is reachable from s_i in one step. According to the action-based view, a computation is a potentially infinite sequence of actions a_0 a_1 a_2 ... performed by the system.
Linear time temporal logic (LTL) [12] is a logic for specifying properties of computations. LTL is built up from: (i) a set AP of atomic propositions; (ii) the usual Boolean connectives ¬, ∧ and ∨; and (iii) the temporal modalities ○ (next-state) and U (until).
In the case of state-based computations the atomic propositions correspond to state predicates, e.g. for safe PNs they are usually chosen as follows: for each place p_i, the corresponding atomic proposition, also denoted by p_i, is true for a computation s_0 s_1 s_2 ... iff at state s_0 place p_i contains a token. In the action-based case, the atomic propositions usually correspond to the actions of the system, e.g. the atomic proposition a is true for a computation a_0 a_1 a_2 ... iff a_0 = a.
In this paper only the derived modality eventually ◇ (which can be defined via U) will be needed: ◇ϕ is true iff there exists i such that ϕ is true for the computation s_i s_{i+1} s_{i+2} ... (and similarly for the action-based case).
The logic LTL-X is the ○-free fragment of LTL. LTL-X plays a very prominent role in formal verification. In fact, Lamport has famously argued that every 'sensible' LTL specification must be expressible without the ○ operator [9].
A Büchi automaton is an extension of a non-deterministic finite state automaton to infinite inputs. It accepts an infinite input sequence iff some corresponding execution visits one of the designated final states infinitely many times. The language of a Büchi automaton is defined as the set of all infinite inputs that can be accepted.
The following technique is often used to formally verify whether a system S satisfies an LTL property ϕ [18]. Deciding whether all computations of S satisfy ϕ is equivalent to deciding whether some computation of S satisfies ¬ϕ. To complete the latter task, ¬ϕ is converted into a Büchi automaton A_¬ϕ accepting the computations satisfying ¬ϕ [4]. Then, S and A_¬ϕ are synchronised in such a way that the language of the resulting Büchi automaton S × A_¬ϕ is the intersection of the language of A_¬ϕ and the set of all the possible computations of S. Hence, in this way one can reduce the original verification problem to checking whether the language accepted by the Büchi automaton S × A_¬ϕ is empty, which is the case iff no final state is both reachable from the initial state and lies on a cycle.
Unfolding prefixes. The unfolding of a PN N is a (potentially infinite) acyclic net that can be obtained by starting from the initial marking of N and successively firing its transitions, as follows: (a) for each new firing a fresh transition (called an event) is generated; (b) for each newly produced token a fresh place (called a condition) is generated.
Due to its structural properties (such as acyclicity), the reachable markings of N can be represented using configurations of the unfolding. A configuration κ is a downward-closed set of events (meaning that if e ∈ κ and f is a causal predecessor of e, then f ∈ κ) without choices (i.e. for all distinct events e, f ∈ κ, •e ∩ •f = ∅). Intuitively, a configuration is a partially ordered execution, i.e. an execution where the order of firing of concurrent events is not important. The local configuration of an event e, denoted by [e], is the smallest (w.r.t. set inclusion) configuration containing e (it consists of e and its causal predecessors); Mark(κ) denotes the marking of N reached by any execution corresponding to the events in κ (note that there can be several such executions, but they only differ in the order of firing of concurrent transitions, and reach the same marking).
The unfolding is infinite whenever N has an infinite execution; however, if N is bounded (and thus has finitely many reachable states) then the unfolding eventually starts to repeat itself and can be truncated (by identifying a set of cut-off events) without loss of information, yielding a finite and complete prefix. Intuitively, e is a cut-off if the already built part of the prefix contains a (in some sense) smaller configuration κ such that Mark([e]) = Mark(κ). (The precise definition of a cut-off is application-dependent: the built prefix should be sufficiently large to decide the given property.)
We denote by C, E and E_cut the sets of conditions, events and cut-off events of the prefix, respectively, and by h : E ∪ C → T ∪ P the mapping from the nodes of the prefix to the corresponding nodes of N.
Finite and complete prefixes are often exponentially smaller than the corresponding state graphs, especially for highly concurrent PNs, because they represent concurrency directly rather than by multidimensional interleaving 'diamonds' as is done in state graphs. For example, if the original PN consists of 100 transitions which can fire once in parallel, the state graph will be a 100-dimensional hypercube with 2^100 vertices, whereas the complete prefix will coincide with the net itself. Hence it is not surprising that they are advantageous for formal verification.
Unfolding-based LTL-X model checking. In [1] an efficient approach to model checking state-based LTL-X properties of PNs based on unfolding prefixes was proposed. Its main differences from the automata-based approach outlined above are as follows. The Büchi automaton A_¬ϕ for the LTL-X property ϕ is translated into a PN N_¬ϕ, called a Büchi net (simply by replacing the automaton states by PN places and the automaton transitions by Petri net transitions). Then its synchronisation with the PN model of the system S is performed at the level of PNs rather than reachability graphs, resulting in another Büchi net. The synchronisation is defined in such a way that as much concurrency present in S as possible is preserved, which is important for the subsequent unfolding. Then the result of the synchronisation is unfolded, and the cut-off events are defined in such a way that the resulting finite and complete prefix can be viewed as a tableau proof, from which it is easy either to conclude that the property holds or to find a trace of S violating the property. Experiments show that this approach can significantly outperform methods based on the explicit construction of reachability graphs in the case of highly concurrent systems.
The approach of [1] has been parallelised and extended to high-level PNs in [16]; the resulting approach was implemented in the PUNF tool [13]. Hence, though in this paper we are mostly concerned with the predictability of systems modelled as low-level PNs, and our benchmarks are low-level PNs, all the results can be trivially generalised to high-level PNs.
3. Predictability via LTL-X verification
In this section we show how checking predictability can be reduced to LTL-X model checking. Then, the unfolding-based method outlined above can be used to solve the problem.
Building a verifier. A verifier V is a labelled Petri net that is obtained as a hybrid product (defined later) of the original system 𝒩 with itself. The key property of V is that whenever it has an infinite trace containing an occurrence of f, the projection of this execution onto the pair of composed nets yields a pair of traces constituting a witness of predictability violation, and vice versa, whenever such a witness exists, the corresponding pair of traces can be converted into an infinite trace of V containing an occurrence of f. Hence, 𝒩 is not predictable iff the corresponding V has an infinite trace containing f, and the latter can be expressed as a simple LTL-X property of V. We now explain the construction of V and prove its relevant properties.
Recall that a witness of predictability violation is comprised of two traces of 𝒩 which are initially synchronised on observable actions, and then become de-synchronised when f occurs, cf. Fig. 2. In order to construct V, two replicas of 𝒩 are taken (to reason about a pair of traces); we will denote these two nets by 𝒩¹ and 𝒩². Since f is not supposed to fire in the second trace of the witness, the transitions labelled with f are removed from 𝒩². Then 𝒩¹ and 𝒩² are synchronised using the following hybrid construction, which combines the properties of the usual synchronous product and the interleaving composition (the latter simply places the nets being composed side-by-side, thus forming one net whose parts do not interact with each other).
First, we follow the usual synchronous product construction. Intuitively, 𝒩¹ and 𝒩² are put side-by-side, and then each observable transition in 𝒩¹ is fused with each transition in 𝒩² that has the same label (each fusion produces a new transition, inheriting the common label); however, in contrast to the synchronous product construction, which removes the original visible transitions, we remove only the ones in 𝒩¹, while preserving those in 𝒩². Fig. 3(a) shows the result of this step for the example net in Fig. 1. The superscript is used to distinguish nodes belonging to 𝒩¹ from those belonging to 𝒩², e.g. there are two copies of u in V, u¹ and u²; the fusion transitions do not have superscripts, as they are considered 'common'. The greyed out transitions correspond to the removed observable transitions in 𝒩¹.

Figure 3: The hybrid product construction of a verifier for the example net in Fig. 1. (a) The first step of the hybrid product construction: two replicas of 𝒩 (with the fault f removed from the second replica) are put side-by-side, their observable transitions having the same label are fused, and the original observable transitions in the first replica are removed. (b) The second step of the hybrid product construction, yielding the verifier V: places p_f and p̄_f are added and connected to f, and p_f is connected by read arcs to the observable transitions of the second replica; optionally, p̄_f is connected by read arcs to the fusion transitions.
𝒩¹ and 𝒩² should be de-synchronised as soon as f fires in 𝒩¹. This is implemented by a switch consisting of two mutually exclusive places, p_f and p̄_f, as illustrated in Fig. 3(b) in bold (if there are several transitions labelled by f in 𝒩, these places are shared by all such transitions). Initially, the place p̄_f is marked and p_f is not, indicating that the two nets should synchronise on observable actions: the absence of a token on p_f prevents the instances of the observable transitions belonging to the second net from firing, due to the read arcs between p_f and these instances. However, once f has fired, the token moves from p̄_f to p_f, thus enabling the visible transitions belonging to 𝒩² and allowing 𝒩² to run unrestrictedly, without synchronising with 𝒩¹.
Note that though the fusion transitions are not disabled by the firing of f and so synchronisation remains possible, this synchronisation is no longer required, and 𝒩² can run unrestrictedly; moreover, firing a fusion transition has the same effect on the marking of 𝒩² as firing the corresponding original visible transition. Alternatively, one can forbid firing the fusion transitions after an occurrence of f, by adding read arcs between p̄_f and them, which are shown as dashed lines in Fig. 3(b).
On the other hand, since after an occurrence of f the behaviour of 𝒩¹ does not matter (it will not contain any further occurrences of f, as p̄_f becomes empty and will never contain a token again), the original observable transitions of 𝒩¹ are not needed (and are removed by our construction).
Having defined the verifier V, we establish the correspondence between its executions and pairs of executions of 𝒩. The idea is to project any execution of V, transition-by-transition, as follows:
• if the fired transition is not a fusion transition and belongs to 𝒩¹ (resp. 𝒩²) then the corresponding transition of 𝒩 is appended to the first (resp. second) element of the pair;
• if the fired transition is a fusion transition obtained by fusing transition t¹ of 𝒩¹ and t′² of 𝒩² then t and t′ are appended to the first and second elements of the pair, respectively.
Obviously, by applying the labelling function ℓ, this correspondence can be lifted to traces. Furthermore, it is easy to see that any pair of traces of 𝒩 constituting a witness of predictability violation can be converted into an infinite trace of V containing an occurrence of f.
There is a subtle point in this construction that is nevertheless important for the correctness of the proposed method: one has to ensure that whenever the trace of the verifier is infinite and contains an occurrence of f, the second element of the pair of projected traces is infinite (i.e. the situation when the first element is infinite while the second is finite is impossible). Fortunately, this is always the case due to the assumption that 𝒩 is divergence-free. Indeed, if the first element of the projection is infinite, 𝒩¹ must have executed infinitely many fusion transitions (as other visible transitions are removed from 𝒩¹ by the hybrid product construction, and it is possible to execute only finitely many invisible transitions before firing a visible one due to the divergence-freeness assumption). Hence, the second projection must also be infinite.
LTL-X model checking for non-predictability. As explained above, given the verifier V, checking the complement ¬pred of the predictability property can be reduced to checking the existence of an infinite trace of V containing an occurrence of f (note that it is not necessary to express the predictability property itself, as the Büchi automaton is built for the complement of the property). In state-based LTL-X it can be expressed as

¬pred ≝ ◇ p_f,

(recall that p_f is one of the two 'switch' places in V). The Büchi automaton A_¬pred for ¬pred and the corresponding Büchi net N_¬pred are shown in Fig. 4. This net is then synchronised with the verifier V, and we will denote the result by V_sync. Note that the kind of synchronisation proposed in [1] is non-standard, and is aimed at preserving as much concurrency as possible in order to keep the unfolding prefix small. This is achieved by synchronising the net with the Büchi net only on transitions that add or remove tokens from places which appear in the LTL-X formula (in Fig. 3(b), this is f¹); see [1] for more detail. V_sync can be fed to the PUNF unfolder [16], which finds an infinite trace of V satisfying the ¬pred property (a f¹ (u² b² a²)^ω in the running example), if there is one.

Figure 4: The Büchi automaton for the LTL-X property ◇ p_f (left, with states q0 and q1) and the corresponding Büchi net (right).
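The hybrid product and the check for an infinite trace of V containing f, as an added example (not code from the paper or from PUNF): it builds V for a reconstruction of the Fig. 1 net (which place each arc joins is an assumption) and, instead of unfolding V_sync, searches the explicit reachability graph of V for a lasso through a marking with p_f marked, projecting it back onto the two replicas as in the correspondence above. A constructed predictable variant shows the check returning no witness.

```python
from collections import deque

# Constructed labelled net reconstructing Fig. 1 (which place each arc joins
# is an assumption); transitions map name -> (preset, postset, label).
FIG1 = {
    "places": {"p0", "p1", "p2", "p3"}, "initial": {"p0"},
    "transitions": {"a": ({"p0"}, {"p1"}, "a"), "u": ({"p1"}, {"p2"}, "u"),
                    "b": ({"p2"}, {"p0"}, "b"), "f": ({"p1"}, {"p3"}, "f"),
                    "c": ({"p3"}, {"p0"}, "c")},
    "observable": {"a", "b", "c"}, "faults": {"f"},
}
# Constructed predictable variant: once c has been observed, f is inevitable.
PREDICTABLE = {
    "places": {"p0", "p1", "p3"}, "initial": {"p0"},
    "transitions": {"a": ({"p0"}, {"p1"}, "a"), "b": ({"p1"}, {"p0"}, "b"),
                    "c": ({"p1"}, {"p3"}, "c"), "f": ({"p3"}, {"p0"}, "f")},
    "observable": {"a", "b", "c"}, "faults": {"f"},
}

def hybrid_product(net):
    """Verifier V of Section 3; a transition of V is (preset, postset, readset,
    label, (t1, t2)) with (t1, t2) the replica-1 / replica-2 transition it projects to."""
    trans, obs, faults = {}, net["observable"], net["faults"]
    rep = lambda ps, i: {f"{p}^{i}" for p in ps}  # place p of replica i
    for t, (pre, post, lab) in net["transitions"].items():
        if lab not in obs:  # replica 1 keeps only its unobservable transitions;
            fault = lab in faults  # a fault also moves the switch token pbar_f -> p_f
            trans[t + "^1"] = (rep(pre, 1) | ({"pbar_f"} if fault else set()),
                               rep(post, 1) | ({"p_f"} if fault else set()),
                               set(), lab, (t, None))
        if lab not in faults:  # replica 2 drops f; its observables read p_f
            trans[t + "^2"] = (rep(pre, 2), rep(post, 2),
                               {"p_f"} if lab in obs else set(), lab, (None, t))
    for t1, (pre1, post1, lab1) in net["transitions"].items():
        for t2, (pre2, post2, lab2) in net["transitions"].items():
            if lab1 in obs and lab2 == lab1:  # fusion transition (no superscript)
                trans[t1 if t1 == t2 else f"{t1}|{t2}"] = (
                    rep(pre1, 1) | rep(pre2, 2), rep(post1, 1) | rep(post2, 2),
                    set(), lab1, (t1, t2))
    return {"places": rep(net["places"], 1) | rep(net["places"], 2) | {"p_f", "pbar_f"},
            "initial": frozenset(rep(net["initial"], 1) | rep(net["initial"], 2) | {"pbar_f"}),
            "transitions": trans}

def fire(marking, t):
    # Safe-net firing with read arcs: preset and read places need a token,
    # read arcs consume nothing; returns the new marking or None if disabled.
    pre, post, read, _, _ = t
    return frozenset((marking - pre) | post) if (pre | read) <= marking else None

def reachability(verifier):
    """BFS over V's reachability graph: markings in BFS order, edges, parents."""
    trans, init = verifier["transitions"], verifier["initial"]
    parent, order, succ, queue = {init: None}, [init], {}, deque([init])
    while queue:
        m = queue.popleft()
        succ[m] = []
        for name in sorted(trans):  # sorted so the returned witness is deterministic
            m2 = fire(m, trans[name])
            if m2 is not None:
                succ[m].append((name, m2))
                if m2 not in parent:
                    parent[m2] = (m, name)
                    order.append(m2)
                    queue.append(m2)
    return order, succ, parent

def shortest_cycle(succ, start):
    """Shortest transition sequence from start back to start, or None."""
    parent, queue = {start: None}, deque([start])
    while queue:
        m = queue.popleft()
        for name, m2 in succ[m]:
            if m2 == start:
                path = [name]
                while parent[m] is not None:
                    m, prev = parent[m]
                    path.append(prev)
                return path[::-1]
            if m2 not in parent:
                parent[m2] = (m, name)
                queue.append(m2)
    return None

def find_witness(verifier):
    """Explicit-state stand-in for checking <>p_f on V: a reachable marking with p_f
    marked that lies on a cycle is an infinite trace of V containing f.  Returns the
    lasso projected onto the replicas, {"trace1": (prefix, loop), "trace2": ...}, or None."""
    order, succ, parent = reachability(verifier)
    trans = verifier["transitions"]
    proj = lambda names, i: [trans[x][4][i] for x in names if trans[x][4][i] is not None]
    for m in order:
        loop = shortest_cycle(succ, m) if "p_f" in m else None
        if loop is None:
            continue
        prefix, n = [], m
        while parent[n] is not None:  # walk BFS parents back to the initial marking
            n, name = parent[n]
            prefix.append(name)
        return {"trace1": (proj(prefix[::-1], 0), proj(loop, 0)),
                "trace2": (proj(prefix[::-1], 1), proj(loop, 1))}
    return None
```

For FIG1 the returned lasso is a f¹ (u² b² a²)^ω, i.e. the witness (af, (aub)^ω) of the running example; for PREDICTABLE no marking with p_f marked lies on a cycle.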
4. Experimental results
In order to test the efficiency of the proposed approach to predictability verification, we constructed several series of scalable benchmarks, by modifying those coming from the area of diagnosability in such a way as to make them interesting from the predictability point of view. They are explained below.
PCCONCSAME(n) and PCCONCDIFF(n). These benchmark series (see Fig. 5(top)) were inspired by a similar series in [14]. They model a producer-consumer system with an n-slot buffer, where the slots can be accessed concurrently, i.e. the producer, after producing an item (transition produce), non-deterministically chooses an empty slot to deposit the produced item (transitions deposit_i), and the consumer non-deterministically chooses a non-empty slot to take an item from (transitions take_i) and then consumes it (transition consume). However, the location of the fault transition has been changed from that in [14], to make the fault interesting from the point of view of predictability. The fault transition f is enabled when all the buffer slots are full (note the read arcs between f and the places full_i) and the producer is ready to deposit a new item into the buffer (we call the system's states satisfying these properties critical). In a critical state this new item can be lost, which is modelled by the fault transition f. In this system, the only observable transitions are produce and take_i, and the only difference between the PCCONCSAME(n) and PCCONCDIFF(n) series is that in the former the transitions take_i have the same observable label, while in the latter they have different observable labels.

Figure 5: The producer-consumer system with a 3-slot concurrent (top) and sequential (bottom) buffer. Places: ready_to_produce, ready_to_deposit, ready_to_take, ready_to_consume, empty_i and full_i; transitions: produce, deposit_i, take_i, consume and f (with move_12 and move_23 propagating items in the sequential buffer).
PCSEQ(n). This benchmark series (see Fig. 5(bottom)) is similar to the ones described above, but the buffer is sequential. The producer deposits newly produced items into the first slot, items propagate from slot to slot in a pipeline manner, and the consumer takes items from the last slot. The semantics of the fault transition is the same (if all the slots are full and the producer is ready to deposit a new item, i.e. the system is in a critical state, then this item can be lost), and the only observable transitions are produce and take.
These benchmarks series are not predictable. In-
tuitively, whenever the system is in a critical state, two
scenarios are possible — either to fire f , or to consume
an item from the buffer, disabling f . Hence it is not
possible to know in advance if f will occur.
In order to test our method on predictable bench-
marks, we constructed the predictable versions of these
Size of N Size of V
Benchmark |P| |T | |R(N )| |P| |T | |R(V)| |R(Vsync)|
Non-predictable
PCCONCSAME(n) 2(n+2) 2n+3 2n+2 4n+10 n2 +3n+5 4Cn+12(n+1)+2
n+3 3(4Cn+12(n+1)+2
n+3)
PCCONCSAME(3) 10 9 32 22 23 344 1032
PCCONCSAME(4) 12 11 64 26 33 1136 3408
PCCONCSAME(5) 14 13 128 30 45 3952 11856
PCCONCSAME(6) 16 15 256 34 59 14240 42720
PCCONCSAME(7) 18 17 512 38 75 52504 157512
PCCONCSAME(8) 20 19 1024 42 93 196528 589584
PCCONCSAME(9) 22 21 2048 46 113 743120 2229360
PCCONCDIFF(n) 2(n+2) 2n+3 2n+2 4n+10 4n+5 4Cn+12(n+1)+2
n+3 3(4Cn+12(n+1)+2
n+3)
PCCONCDIFF(3) 10 9 32 22 17 344 1032
PCCONCDIFF(4) 12 11 64 26 21 1136 3408
PCCONCDIFF(5) 14 13 128 30 25 3952 11856
PCCONCDIFF(6) 16 15 256 34 29 14240 42720
PCCONCDIFF(7) 18 17 512 38 33 52504 157512
PCCONCDIFF(8) 20 19 1024 42 37 196528 589584
PCCONCDIFF(9) 22 21 2048 46 41 743120 2229360
PCSEQ(n) 2(n+2) n+4 2n+2 4n+10 2n+7 4Cn+12(n+1)+2
n+3 3(4Cn+12(n+1)+2
n+3)
PCSEQ(3) 10 7 32 22 13 344 1032
PCSEQ(4) 12 8 64 26 15 1136 3408
PCSEQ(5) 14 9 128 30 17 3952 11856
PCSEQ(6) 16 10 256 34 19 14240 42720
PCSEQ(7) 18 11 512 38 21 52504 157512
PCSEQ(8) 20 12 1024 42 23 196528 589584
PCSEQ(9) 22 13 2048 46 25 743120 2229360
Predictable
PCCONCSAME(n) 2(n+2) n2 +n+3 2n+2 4n+10 n4 +n2 +2n+5 4Cn+12(n+1)+4 3(4C
n+1
2(n+1)+4)
PCCONCSAME(3) 10 15 32 22 101 284 852
PCCONCSAME(4) 12 23 64 26 285 1012 3036
PCCONCSAME(5) 14 33 128 30 665 3700 11100
PCCONCSAME(6) 16 45 256 34 1349 13732 41196
PCCONCSAME(7) 18 59 512 38 2469 51484 154452
PCCONCSAME(8) 20 75 1024 42 4181 194484 583452
PCCONCSAME(9) 22 93 2048 46 6665 739028 2217084
PCCONCDIFF(n) 2(n+2) n2 +n+3 2n+2 4n+10 n3 +n2 +2n+5 4Cn+12(n+1)+4 3(4C
n+1
2(n+1)+4)
PCCONCDIFF(3) 10 15 32 22 47 284 852
PCCONCDIFF(4) 12 23 64 26 93 1012 3036
PCCONCDIFF(5) 14 33 128 30 165 3700 11100
PCCONCDIFF(6) 16 45 256 34 269 13732 41196
PCCONCDIFF(7) 18 59 512 38 411 51484 154452
PCCONCDIFF(8) 20 75 1024 42 597 194484 583452
PCCONCDIFF(9) 22 93 2048 46 833 739028 2217084
PCSEQ(n) 2(n+2) 2n+3 2n+2 4n+10 n2 +3n+5 4Cn+12(n+1)+4 3(4C
n+1
2(n+1)+4)
PCSEQ(3) 10 9 32 22 23 284 852
PCSEQ(4) 12 11 64 26 33 1012 3036
PCSEQ(5) 14 13 128 30 45 3700 11100
PCSEQ(6) 16 15 256 34 59 13732 41196
PCSEQ(7) 18 17 512 38 75 51484 154452
PCSEQ(8) 20 19 1024 42 93 194484 583452
PCSEQ(9) 22 21 2048 46 113 739028 2217084
Table 1: Benchmarks statistics.
benchmark series. The key idea is to eliminate the choices between f and the transitions taking an item from the buffer (take_i in the former series and take in the latter one), by giving priority to f (intuitively, f is considered 'faster' than any such transition).

In the PCCONCSAME(n) and PCCONCDIFF(n) benchmarks the predictability is achieved by replicating each transition take_i so that there are n replicas take_ij of it. Each take_ij inherits the label of the original transition take_i, takes tokens from ready_to_take and full_i and puts tokens on ready_to_consume and empty_i (just as the original transition take_i did). Moreover, if j != i, take_ij tests that the j-th slot is empty (by a read arc between take_ij and empty_j), and if j = i the transition tests that the producer is not ready to deposit a new item into the buffer (by a read arc between take_ij and ready_to_produce).^1 Observe that whenever the system is in a critical state (and so f is enabled) none of the take_ij can be enabled, and in all other states at least one take_ij is enabled (provided ready_to_take is marked and the buffer is not empty), which makes the system predictable: intuitively, the observer can deduce whether the system is in a critical state by checking if the number of firings of produce minus the total number of firings of the take_ij transitions is n+1, and all the traces starting at a critical state contain f.

^1 There is no need to test the status of the i-th slot by a read arc: take_ij can only be enabled if that slot is full, as it takes a token from full_i.

In the PCSEQ(n) benchmarks the predictability is achieved in a similar way, by replicating transition take. Each replica take_j inherits the label of the original transition take, takes tokens from ready_to_take and full_n and puts tokens on ready_to_consume and empty_n (just as the original transition take did). Moreover, if j != n, take_j tests that the j-th slot is empty (by a read arc between take_j and empty_j), and if j = n the transition tests that the producer is not ready to deposit a new item into the buffer (by a read arc between take_j and ready_to_produce).

                       Non-predictable                     Predictable
                 LTL-X tableaux for Vsync   Time     LTL-X tableaux for Vsync   Time
Benchmark            |C|        |E|         (sec)        |C|        |E|         (sec)
PCCONCSAME(3)        380        148          <1          472        166          <1
PCCONCSAME(4)       1201        494          <1         1558        580          <1
PCCONCSAME(5)       4213       1773          <1         5528       2106          <1
PCCONCSAME(6)      15438       6555          <1        20272       7794           6
PCCONCSAME(7)      57686      24584           8        75588      29178         109
PCCONCSAME(8)     217803      92988         497       284662     110116        3207
PCCONCSAME(9)     827867     353827        8927            memory overflow
PCCONCDIFF(3)        394        154          <1          418        148          <1
PCCONCDIFF(4)       1197        492          <1         1396        526          <1
PCCONCDIFF(5)       4105       1725          <1         5078       1956          <1
PCCONCDIFF(6)      14864       6301          <1        19012       7374           1
PCCONCDIFF(7)      55218      23492           5        72060      28002          20
PCCONCDIFF(8)     207829      88572         381       274708     106798         803
PCCONCDIFF(9)     788415     336347        6917      1051222     408724       15838
PCSEQ(3)             134         47          <1          236         80          <1
PCSEQ(4)             182         68          <1          587        217          <1
PCSEQ(5)             235         91          <1         1808        696          <1
PCSEQ(6)             301        120          <1         6219       2427          <1
PCSEQ(7)             370        151          <1        22670       8878           1
PCSEQ(8)             452        189          <1        85177      33373          12
PCSEQ(9)             537        228          <1       325394     127504        1319
Table 2: Experimental results.

These benchmarks are available from the authors upon request. It should be noted that we experienced some difficulty in finding relevant benchmarks: it seems that so far only theoretical work has been done in the area of predictability, with very few, if any, practical experiments conducted (we did not find any non-trivial publicly available predictability benchmarks). This is also the reason why the results are not compared against other tools: we simply could not find any comparable public domain tools.
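The two benchmark constructions above can be checked mechanically. The following Python script is an added example, not the authors' tooling (the experiments used PUNF) and not code from this report: it builds the PCCONC(n) and PCSEQ(n) nets as explicit 1-safe place/transition nets with read arcs, enumerates their reachable markings, and checks the |P|, |T| and |R(N)| columns of Table 1 together with the two claims made for the predictable variants: no take replica is enabled in a critical state, and from every critical state every maximal run fires f (i.e. the fault-free firing graph is acyclic and all its dead ends have f enabled). Two details are assumptions, since the text does not fix them: f consumes the token in ready_to_deposit and returns the producer to ready_to_produce (the item is lost), and the initial marking has all slots empty. Transition names follow the concurrent series (deposit_i, take_i, take_ij); for the pipeline buffer the single deposit and take are named deposit_1 and take_n here. The function names (producer_consumer, analyse, fault_inevitable, table1_formulae) are the example's own.

```python
# Explicit-state check of the text's benchmark claims: the |P|, |T|, |R(N)| columns of Table 1,
# and, for the predictable variants, that no take can fire in a critical state and f is then
# unavoidable. Added example, not the authors' tooling (PUNF). Assumed, as the text does not
# fix them: f consumes ready_to_deposit and returns the producer to ready_to_produce; all slots empty initially.
from collections import deque

class PetriNet:  # 1-safe place/transition net with read (test) arcs; a marking is a frozenset of places
    def __init__(self):
        self.transitions = {}  # name -> (pre-set, post-set, read-set)
    def trans(self, name, pre, post, read=()):
        self.transitions[name] = (frozenset(pre), frozenset(post), frozenset(read))
    def places(self):
        return set().union(*(a | b | c for a, b, c in self.transitions.values()))
    def enabled(self, m, t):
        pre, _, read = self.transitions[t]
        return pre <= m and read <= m  # a read arc tests the place without consuming the token
    def fire(self, m, t):
        pre, post, _ = self.transitions[t]
        assert not (post & (m - pre)), "contact: the net is not 1-safe"
        return (m - pre) | post
    def successors(self, m, skip=None):
        return [(t, self.fire(m, t)) for t in self.transitions if t != skip and self.enabled(m, t)]
    def reachable(self, m0):
        seen, todo = {m0}, deque([m0])
        while todo:
            for _, m2 in self.successors(todo.popleft()):
                if m2 not in seen:
                    seen.add(m2)
                    todo.append(m2)
        return seen

def producer_consumer(n, predictable=False, sequential=False):
    """PCCONC(n) (concurrent buffer) or PCSEQ(n) (pipeline buffer) as described in the text."""
    slots = range(1, n + 1)
    net = PetriNet()
    net.trans("produce", {"ready_to_produce"}, {"ready_to_deposit"})
    net.trans("consume", {"ready_to_consume"}, {"ready_to_take"})
    # f is enabled exactly in the critical states: all slots full and an item waiting to be deposited
    net.trans("f", {"ready_to_deposit"}, {"ready_to_produce"}, read={f"full_{i}" for i in slots})
    deposits, sinks = ([1], [n]) if sequential else (slots, slots)  # pipeline: fill slot 1, empty slot n
    for i in deposits:
        net.trans(f"deposit_{i}", {"ready_to_deposit", f"empty_{i}"}, {"ready_to_produce", f"full_{i}"})
    for i in range(1, n) if sequential else []:
        net.trans(f"move_{i}{i + 1}", {f"full_{i}", f"empty_{i + 1}"}, {f"empty_{i}", f"full_{i + 1}"})
    for i in sinks:
        for j in (slots if predictable else [None]):  # predictable: n replicas take_ij of take_i
            # replica ij reads empty_j, or ready_to_produce when j == i: both fail in a critical state
            read = set() if j is None else {"ready_to_produce"} if j == i else {f"empty_{j}"}
            net.trans(f"take_{i}{j or ''}", {"ready_to_take", f"full_{i}"}, {"ready_to_consume", f"empty_{i}"}, read)
    return net, frozenset({"ready_to_produce", "ready_to_take", *(f"empty_{i}" for i in slots)})

def is_critical(m, n):
    return "ready_to_deposit" in m and all(f"full_{i}" in m for i in range(1, n + 1))

def fault_inevitable(net, start, fault="f"):
    """True iff every maximal run from start fires fault: the fault-free firing graph from start
    must be acyclic (no infinite fault-free run) and each dead end in it must have fault enabled."""
    colour, stack = {start: "grey"}, [(start, iter(net.successors(start, skip=fault)))]
    while stack:
        m, it = stack[-1]
        step = next(it, None)
        if step is None:  # all fault-free successors of m explored
            if not net.successors(m, skip=fault) and not net.enabled(m, fault):
                return False  # deadlock reached without the fault
            colour[m] = "black"
            stack.pop()
        elif colour.get(step[1]) == "grey":
            return False  # fault-free cycle: an infinite run that never fires f
        elif step[1] not in colour:
            colour[step[1]] = "grey"
            stack.append((step[1], iter(net.successors(step[1], skip=fault))))
    return True

def table1_formulae(n, predictable=False, sequential=False):
    """(|P|, |T|, |R(N)|) of the original net N as given by the formulae in Table 1."""
    if sequential:
        t = 2 * n + 3 if predictable else n + 4
    else:
        t = n * n + n + 3 if predictable else 2 * n + 3
    return 2 * (n + 2), t, 2 ** (n + 2)

def analyse(n, predictable=False, sequential=False):
    net, m0 = producer_consumer(n, predictable, sequential)
    reach = net.reachable(m0)
    takes = [t for t in net.transitions if t.startswith("take")]
    critical = [m for m in reach if is_critical(m, n)]
    heads = [f"full_{n}"] if sequential else [f"full_{i}" for i in range(1, n + 1)]  # slots a take reads
    def take_enabled(m):
        return any(net.enabled(m, t) for t in takes)
    return {
        "places": len(net.places()),
        "transitions": len(net.transitions),
        "reachable": len(reach),
        "critical": len(critical),
        "critical_with_take_enabled": sum(take_enabled(m) for m in critical),
        "take_enabled_whenever_possible": all(take_enabled(m) for m in reach if not is_critical(m, n)
                                              and "ready_to_take" in m and any(h in m for h in heads)),
        "fault_inevitable_from_critical": all(fault_inevitable(net, m) for m in critical),
    }

if __name__ == "__main__":
    for pred in (False, True):
        print("predictable" if pred else "non-predictable", analyse(3, pred), analyse(3, pred, sequential=True))
```

Running the script prints the statistics for n = 3; analyse(n, predictable, sequential) returns them for any n and table1_formulae gives the values Table 1 predicts, so the two can be compared directly for the larger instances. For the non-predictable nets the script reports exactly one critical marking (consumer in ready_to_take) in which both f and a take are enabled, and fault_inevitable is false there; for the predictable nets no take is ever enabled in a critical marking and f is inevitable from both critical markings. Note that this is a check of the structural property the text argues for; predictability proper is a property of the observable labels, which is what the LTL-X reduction handles.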
The benchmark statistics are shown in Table 1, where the columns are, from left to right: the name of the benchmark; the numbers of places, transitions and reachable markings in the original PN N; the numbers of places, transitions and reachable markings in the verifier V; and the number of reachable markings in Vsync. Since the benchmarks have a regular structure, all these numbers can be obtained from the formulae given in the table.

The experimental results are summarised in Table 2, where the columns are, from left to right: the name of the benchmark; the numbers of conditions and non-cut-off events in the LTL-X tableau (i.e. the unfolding prefix) built for the net obtained by synchronising the corresponding verifier with the Büchi automaton shown in Fig. 4; and the verification runtime. These results were obtained with the unfolding-based LTL-X model checker PUNF [13]. All experiments were conducted on a PC with a 64-bit Windows 7 operating system, an Intel Core i7 2.8GHz processor with 8 cores and 4GB RAM. No parallelisation was used for the results in Table 2.

In the PCCONCSAME(n) and PCCONCDIFF(n) systems, the producer and consumer have concurrent access to n buffer slots, and so there are many arbitrating choices in the resulting behaviour. The unfolding prefixes tend to be large for such systems, and so the corresponding runtimes are much larger than those for the PCSEQ(n) benchmarks. However, this makes them convenient for demonstrating the effect of parallelisation. The experimental results presented in Table 3 show the effect of deploying several processor cores on the runtime. One can see that good speedups have been achieved for large benchmarks (up to a factor of 1.9 on two cores and 4.5 on eight cores).

                               Time (sec) and speedup for N cores
Benchmark           1        2           3           4           5           6           7           8
PCCONCSAME(8)    3207   1689 (1.9)  1243 (2.6)   957 (3.4)   909 (3.5)   853 (3.8)   811 (4.0)   776 (4.1)
PCCONCDIFF(8)     803    422 (1.9)   307 (2.6)   246 (3.3)   224 (3.6)   202 (4.0)   189 (4.2)   178 (4.5)
PCCONCDIFF(9)   15838   8989 (1.8)  6893 (2.3)  5625 (2.8)  5230 (3.0)  4959 (3.2)  4764 (3.3)  4693 (3.4)
Table 3: Experimental results for the parallel mode on large predictable benchmarks.
5. Conclusions
One can see that the developed method for predictability verification performs quite well, especially on highly concurrent systems with few arbitrating choices, like the PCSEQ(n) series. Furthermore, a good level of parallelisation can be achieved. However, the benchmarks used are rather artificial, and so these results should be treated with caution. Larger and more practical benchmarks would allow one to draw better conclusions about the performance of the method, but there is a severe lack of public domain benchmarks in the predictability community.
We also note that the proposed approach can be trivially generalised to systems modelled by high-level PNs, as parallel unfolding-based LTL-X model checking works for them as well [16].
Acknowledgements. This research was supported by the EPSRC grant EP/G037809/1 (VERDAD) and FONDECYT project N°11090257.
References
[1] J. Esparza and K. Heljanko. Unfoldings: A Partial-Order Approach to Model Checking. Springer, 2008.
[2] J. Esparza, S. Römer, and W. Vogler. An Improvement of McMillan's Unfolding Algorithm. Form. Methods Syst. Des., 20(3):285–310, 2002.
[3] E. Fabre, A. Benveniste, S. Haar, and C. Jard. Distributed Monitoring of Concurrent and Asynchronous Systems. J. Discrete Event Systems, special issue, pages 33–84, May 2005.
[4] P. Gastin and D. Oddoux. Fast LTL to Büchi automata translation. In Proc. of CAV'01, volume 2102 of LNCS, pages 53–65. Springer, 2001.
[5] S. Genc and S. Lafortune. Predictability in discrete-event systems under partial observation. In IFAC Symp. on Fault Detection, Supervision and Safety of Technical Processes, 2006.
[6] S. Genc and S. Lafortune. Predictability of event occurrences in partially-observed discrete-event systems. Automatica, 45:301–311, February 2009.
[7] K. Heljanko, V. Khomenko, and M. Koutny. Parallelisation of the Petri net unfolding algorithm. In Proc. of TACAS'2002, volume 2280 of LNCS, pages 371–385. Springer, 2002.
[8] S. Jiang, Z. Huang, V. Chandra, and R. Kumar. A polynomial algorithm for testing diagnosability of discrete event systems. In IEEE Trans. on Autom. Control, 2001.
[9] L. Lamport. What good is temporal logic? In R. Mason, editor, Proc. of IFIP Congress'83, pages 657–668. Elsevier, 1983.
[10] A. Madalinski and V. Khomenko. Diagnosability verification with parallel LTL-X model checking based on Petri net unfoldings. In Proc. of SysTol'10, pages 398–403, 2010.
[11] K. L. McMillan. Using unfoldings to avoid the state explosion problem in the verification of asynchronous circuits. In Proc. of CAV'92, pages 164–177, July 1992.
[12] A. Pnueli. The temporal logic of programs. In Proc. of FOCS'77, pages 46–57, 1977.
[13] PUNF home page. URL: http://homepages.cs.ncl.ac.uk/victor.khomenko/tools/punf.
[14] A. Ramírez-Treviño, E. Ruiz-Beltrán, I. Rivera-Rangel, and E. López-Mellado. Online Fault Diagnosis of Discrete Event Systems. A Petri Net-Based Approach. IEEE Trans. on Automation Science and Engineering, 4(1):31–39, 2007.
[15] M. Sampath, R. Sengupta, S. Lafortune, K. Sinnamohideen, and D. Teneketzis. Diagnosability of Discrete Events Systems. IEEE Trans. on Automatic Control, 40(9):1555–1575, 1995.
[16] C. Schröter and V. Khomenko. Parallel LTL-X model checking of high-level Petri nets based on unfoldings. In Proc. of CAV'04, volume 3114 of LNCS, pages 109–121. Springer, 2004.
[17] A. Schumann and Y. Pencolé. Scalable diagnosability checking of event-driven systems. In Proc. of IJCAI'07, pages 575–580, 2007.
[18] M. Vardi and P. Wolper. An automata theoretic approach to automatic program verification. In Proc. of 1st IEEE LICS, pages 332–345, 1986.
