
    Forward Analysis and Model Checking for Trace Bounded WSTS

    We investigate a subclass of well-structured transition systems (WSTS), the bounded (in the sense of Ginsburg and Spanier, Trans. AMS 1964) complete deterministic ones, which we claim provide an adequate basis for the study of forward analyses as developed by Finkel and Goubault-Larrecq (Logic. Meth. Comput. Sci. 2012). Indeed, we prove that, unlike other conditions considered previously for the termination of forward analysis, boundedness is decidable. Boundedness turns out to be a valuable restriction for WSTS verification, as we show that it further allows one to decide all ω-regular properties on the set of infinite traces of the system.

    Dense-Timed Petri Nets: Checking Zenoness, Token liveness and Boundedness

    We consider Dense-Timed Petri Nets (TPN), an extension of Petri nets in which each token is equipped with a real-valued clock and where the semantics is lazy (i.e., enabled transitions need not fire; time can pass and disable transitions). We consider the following verification problems for TPNs. (i) Zenoness: whether there exists a zeno-computation from a given marking, i.e., an infinite computation which takes only a finite amount of time. We show decidability of zenoness for TPNs, thus solving an open problem from [Escrig et al.]. Furthermore, the related question of whether there exist arbitrarily fast computations from a given marking is also decidable. On the other hand, universal zenoness, i.e., the question of whether all infinite computations from a given marking are zeno, is undecidable. (ii) Token liveness: whether a token is alive in a marking, i.e., whether there is a computation from the marking which eventually consumes the token. We show decidability of the problem by reducing it to the coverability problem, which is decidable for TPNs. (iii) Boundedness: whether the size of the reachable markings is bounded. We consider two versions of the problem; namely semantic boundedness, where only live tokens are taken into consideration in the markings, and syntactic boundedness, where dead tokens are also considered. We show undecidability of semantic boundedness, while we prove that syntactic boundedness is decidable through an extension of the Karp-Miller algorithm. Comment: 61 pages, 18 figures.

    Reliability models for dataflow computer systems

    The demands for concurrent operation within a computer system and the representation of parallelism in programming languages have yielded a new form of program representation known as data flow (DENN 74, DENN 75, TREL 82a). A new model based on data flow principles for parallel computations and parallel computer systems is presented. Necessary conditions for liveness and deadlock freeness in data flow graphs are derived. The data flow graph is used as a model to represent asynchronous concurrent computer architectures, including data flow computers.

    Supervisory Control and Analysis of Partially-observed Discrete Event Systems

    Many real-world systems fall into the class of discrete event systems (DES). In practical scenarios, due to factors such as limited sensor technology, sensor failure, unstable networks and even the intrusion of malicious agents, it may happen that some events are unobservable, that multiple events are indistinguishable in observations, and that the observations of some events are nondeterministic. Motivated by these scenarios, increasing attention in the DES community has been paid to partially-observed DES, which in this thesis refer broadly to DES with partial and/or unreliable observations. In this thesis, we focus on two topics of partially-observed DES, namely supervisory control and analysis. The first topic includes two research directions in terms of system models. One is the supervisory control of DES with both unobservable and uncontrollable events, focusing on the forbidden state problem; the other is the supervisory control of DES vulnerable to sensor-reading disguising attacks (SD-attacks), which can also be interpreted as DES with nondeterministic observations, addressing both the forbidden state problem and the liveness-enforcing problem. Petri nets (PN) are used as the reference formalism for this topic. First, we study the forbidden state problem in the framework of PN with both unobservable and uncontrollable transitions, assuming that unobservable transitions are uncontrollable. For ordinary PN subject to an admissible Generalized Mutual Exclusion Constraint (GMEC), an optimal on-line control policy with polynomial complexity is proposed, provided that a particular subnet, called the observation subnet, satisfies certain structural conditions. It is then discussed how to obtain an optimal on-line control policy for PN subject to an arbitrary GMEC. Next, we again consider the forbidden state problem, but in PN vulnerable to SD-attacks.
Assuming the control specification is given as a GMEC, we propose three methods to derive on-line control policies. The first two lead to an optimal policy but are computationally inefficient for large systems, while the third computes a policy with timely response even for large systems, at the expense of optimality. Finally, we investigate the liveness-enforcing problem, still assuming that the system is vulnerable to SD-attacks. In this problem the plant is modelled as a bounded PN, which allows us to compute a supervisor off-line starting from the reachability graph of the PN. Then, based on repeatedly computing a more restrictive liveness-enforcing supervisor under no attack and constructing a basic supervisor, an off-line method that synthesizes a liveness-enforcing supervisor tolerant to an SD-attack is proposed. In the second topic, we address the verification of properties related to system security. Two properties are considered: fault-predictability and event-based opacity. The former is a property from the literature, characterizing the situation in which the occurrence of any fault in the system is predictable; the latter is a property newly proposed in the thesis, describing the fact that the secret events of a system cannot be revealed to an external observer within their critical horizons. For fault-predictability, DES are modeled by labeled PN. A necessary and sufficient condition for fault-predictability is derived by characterizing the structure of the Predictor Graph. Furthermore, two rules are proposed to reduce the size of a PN, which allow us to analyze the fault-predictability of the original net by verifying that of the reduced net. For event-based opacity, we use deterministic finite-state automata as the reference formalism.
Considering different scenarios, we propose four notions, namely K-observation event-opacity, infinite-observation event-opacity, event-opacity and combinational event-opacity. Moreover, verifiers are proposed to analyze these properties.

    Contributions to the deadlock problem in multithreaded software applications observed as Resource Allocation Systems

    From the point of view of competition for shared, serially reusable resources, a concurrent system composed of sequential processes is said to be in a deadlock situation if it contains a set of processes that are waiting indefinitely for the release of certain resources held by members of that same set of processes. In reasonably complex or distributed systems, establishing a deadlock-free resource allocation policy can be a very hard problem to solve efficiently. In this regard, formal models, and Petri nets in particular, have become established as fruitful tools that make it possible to abstract the resource allocation problem in this kind of system, in order to address it analytically and to provide efficient methods for the correct construction or correction of these systems. In particular, the structural theory of Petri nets stands as a powerful ally for dealing with the state explosion problem inherent to such systems. In this fertile context a series of works has flourished that advocate a design methodology oriented towards the structural study, and the corresponding physical correction, of the resource allocation problem in families of systems that are highly significant in certain application contexts, such as Flexible Manufacturing Systems. The resulting classes of Petri net models assume certain restrictions, with physical meaning in the application context for which they are intended, that alleviate the complexity of the problem to a large extent. This thesis attempts to bring that kind of methodological approach closer to the design of deadlock-free multithreaded software applications.
To that end, it is shown how those restrictions inherited from the world of Flexible Manufacturing Systems prove too severe to capture the inherent versatility of software systems as regards the interaction of processes with shared resources. In particular, two fundamental modeling needs must be highlighted that hinder the mere adoption of earlier approaches that arose under the lens of other domains: (1) the need to support the nesting of non-unfoldable loops inside processes, and (2) the possible sharing of resources that are not available at system start-up but are created or declared by a running process. As a result, a set of basic requirements is identified for the definition of a type of model oriented towards the study of multithreaded software systems, and a class of Petri nets, called PC2R, is presented that meets that list of requirements while remaining faithful to the design philosophy of earlier subclasses focused on other application contexts. Together with the review and integration of earlier results into the new conceptual framework, the thesis addresses the study of properties inherent to the resulting systems and their deep relationship with other types of models, the development of results and efficient algorithms for the structural analysis of liveness in the new class, and the review and proposal of methods for solving deadlock problems adapted to the physical particularities of the application domain.
Likewise, the computational complexity of certain aspects related to the resource allocation problem in the new context is studied, as well as the transfer of the aforementioned results to the domain of multithreaded software engineering, where the new class of nets makes it possible to tackle problems that were intractable under the theoretical framework and tools provided for previously exploited subclasses.
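    The deadlock situation the thesis defines (a set of processes each waiting for a resource held by another member of the set), modelled as a place/transition Petri net and found by exhaustive exploration of the reachability graph, the same finite-state construction that the supervisory-control thesis above builds for bounded nets. This is an added example in Python, not code from either thesis; the two-thread, two-lock scenario and all place and transition names are constructed for illustration:

```python
"""Deadlock detection in a resource allocation system modelled as a Petri net.

Added example, not code from the thesis: two threads compete for two locks A
and B.  Each thread is a sequential process (places T*_idle, T*_one, T*_two
count how many locks it holds); the locks are serially reusable resources
(one token each in places A and B).  The net is bounded, so its reachability
graph is finite and can be searched for dead markings.
"""
from collections import deque

PLACES = ("T1_idle", "T1_one", "T1_two",   # thread 1 holds 0, 1 or 2 locks
          "T2_idle", "T2_one", "T2_two",   # thread 2
          "A", "B")                        # free lock tokens


def transition(name, consume, produce):
    """Build (name, pre, post) weight vectors over PLACES from sparse dicts."""
    pre = tuple(consume.get(p, 0) for p in PLACES)
    post = tuple(produce.get(p, 0) for p in PLACES)
    return name, pre, post


def enabled(marking, pre):
    return all(m >= w for m, w in zip(marking, pre))


def fire(marking, pre, post):
    return tuple(m - w_in + w_out for m, w_in, w_out in zip(marking, pre, post))


def reachability_graph(transitions, m0, max_states=10_000):
    """Breadth-first exploration of every reachable marking.

    Returns {marking: [(transition_name, successor_marking), ...]}.
    max_states is a guard so that an unbounded net does not run forever.
    """
    succ = {}
    queue = deque([m0])
    seen = {m0}
    while queue:
        m = queue.popleft()
        succ[m] = []
        for name, pre, post in transitions:
            if not enabled(m, pre):
                continue
            m2 = fire(m, pre, post)
            succ[m].append((name, m2))
            if m2 not in seen:
                if len(seen) >= max_states:
                    raise RuntimeError("state space too large; net may be unbounded")
                seen.add(m2)
                queue.append(m2)
    return succ


def dead_markings(transitions, m0):
    """Reachable markings in which no transition is enabled: total deadlocks."""
    graph = reachability_graph(transitions, m0)
    return [dict(zip(PLACES, m)) for m, out in graph.items() if not out]


# Thread 1 takes A then B; thread 2 takes B then A: a lock-order inversion.
INVERTED_ORDER = [
    transition("T1_lock_A", {"T1_idle": 1, "A": 1}, {"T1_one": 1}),
    transition("T1_lock_B", {"T1_one": 1, "B": 1}, {"T1_two": 1}),
    transition("T1_release", {"T1_two": 1}, {"T1_idle": 1, "A": 1, "B": 1}),
    transition("T2_lock_B", {"T2_idle": 1, "B": 1}, {"T2_one": 1}),
    transition("T2_lock_A", {"T2_one": 1, "A": 1}, {"T2_two": 1}),
    transition("T2_release", {"T2_two": 1}, {"T2_idle": 1, "A": 1, "B": 1}),
]

# The same system after the fix: both threads follow the global order A, then B.
SAME_ORDER = [
    transition("T1_lock_A", {"T1_idle": 1, "A": 1}, {"T1_one": 1}),
    transition("T1_lock_B", {"T1_one": 1, "B": 1}, {"T1_two": 1}),
    transition("T1_release", {"T1_two": 1}, {"T1_idle": 1, "A": 1, "B": 1}),
    transition("T2_lock_A", {"T2_idle": 1, "A": 1}, {"T2_one": 1}),
    transition("T2_lock_B", {"T2_one": 1, "B": 1}, {"T2_two": 1}),
    transition("T2_release", {"T2_two": 1}, {"T2_idle": 1, "A": 1, "B": 1}),
]

# Initial marking: both threads idle, both locks free.
M0 = (1, 0, 0, 1, 0, 0, 1, 1)

if __name__ == "__main__":
    for label, net in (("inverted order", INVERTED_ORDER), ("same order", SAME_ORDER)):
        dead = dead_markings(net, M0)
        held = [{p: n for p, n in m.items() if n} for m in dead]
        print(f"{label}: {len(dead)} dead marking(s) {held}")
```

    With the inverted lock order the only dead marking has T1_one = T2_one = 1 and A = B = 0: each thread holds one lock and waits for the other. Exhaustive exploration is only viable for small bounded nets, which is precisely the state explosion problem that motivates the structural approach the thesis advocates.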

    Modeling and Analysis Methods for Multi-Agent Systems


    A System for Deduction-based Formal Verification of Workflow-oriented Software Models

    The work concerns formal verification of workflow-oriented software models using a deductive approach. The formal correctness of a model's behaviour is considered. Manually building logical specifications, understood as sets of temporal logic formulas, appears to be the main obstacle for an inexperienced user applying the deductive approach. A system, and its architecture, for the deduction-based verification of workflow-oriented models is proposed. The inference process is based on the semantic tableaux method, which has some advantages over traditional deduction strategies. An algorithm for the automatic generation of logical specifications is proposed. The generation procedure is based on predefined workflow patterns for BPMN, the standard and dominant notation for modeling business processes. The main idea of the approach is to treat patterns, defined in terms of temporal logic, as a kind of (logical) primitives that enable the transformation of models into temporal logic formulas constituting a logical specification. Automation of the generation process is crucial for bridging the gap between the intuitiveness of deductive reasoning and the difficulty of its practical application when logical specifications are built manually. This approach goes some way towards supporting, and hopefully enhancing our understanding of, the deduction-based formal verification of workflow-oriented models. Comment: International Journal of Applied Mathematics and Computer Science.

    The complexity of Petri net transformations

    Bibliography: pages 124-127.
    This study investigates the complexity of various reduction and synthesis Petri net transformations. Transformations that preserve liveness and boundedness are considered. Liveness and boundedness are possibly the two most important properties in the analysis of Petri nets. Unfortunately, although decidable, determining these properties is intractable for general Petri nets. The thesis shows that the complexity of these properties imposes limitations on the power of any reduction transformation to solve the liveness and boundedness problems. Reduction transformations and synthesis transformations from the literature are analysed from an algorithmic point of view and their complexity established. Many problems regarding the applicability of the transformations are shown to be intractable. For reduction transformations this confirms the limitations of such transformations on general Petri nets. The thesis suggests that synthesis transformations may enjoy better success than reduction transformations and that, because of the difficulty of establishing suitable goals, synthesis transformations are best suited to interactive environments. The complexity of complete reducibility, by reduction transformation, of certain classes of Petri nets proposed in the literature is also investigated. It is concluded that these transformations are tractable and that reduction transformation theory can provide insight into the analysis of liveness and boundedness problems, particularly in subclasses of Petri nets.

    Methods and Formal Models for Healthcare Systems Management

    A healthcare system is an organization of people, institutions, and resources that delivers healthcare services to meet the health needs of target populations. The size of these systems, the huge number of agents involved and their different expectations make the management of healthcare systems a tough task, which could be alleviated through the use of technology. In this thesis, new methods and formal models for healthcare system management are presented. The thesis is divided into two main parts: the first deals with modeling and analysis in hospitals by means of clinical pathways, while the second deals with the planning and scheduling of patients in the operating rooms. Regarding the modeling and analysis of healthcare systems, depending on different visions and expectations, the system can be treated from different perspectives called facets. In chapter 2, the formal definition and characterization of two facets are given: (1) the resource management facet and (2) the handshake between clinical pathways facet. They are obtained by applying a set of relaxations, abstractions and modifications to the Stochastic Well-formed Nets (colored Petri nets) modeling the healthcare system. In the first facet the subclass S4PR is obtained, which is a characteristic model of resource allocation systems, while in the second facet Deterministically Synchronized Sequential Processes (DSSP) are considered. Both nets (S4PR and DSSP) are formal subclasses of Petri nets where net-level techniques can be applied. In chapters 3 and 4, we focus on the liveness of the DSSP systems resulting from the facet of communication between clinical pathways. These nets are composed of agents (modeling clinical pathways) cooperating in a distributed way by asynchronous message passing through buffers (modeling the communication channels).
In particular, two approaches have been proposed. The idea behind the first approach is to advance the buffer consumption to the first conflict transition in the agents. For healthcare systems modeled by a DSSP, this means that before a patient starts a clinical pathway, all required information must be available. Unfortunately, this pre-assignment method only works for some particular DSSP structures, which are characterized. A more general approach (than buffer pre-assignment) for liveness enforcing in non-live DSSP is given in chapter 4. The approach is formalized on two levels: execution and control. The execution level uses the original DSSP structure, while for the control level we compute a new net system called the control PN. This net system is obtained from the original DSSP and has a predefined type of structure. The control PN evolves synchronously with the non-live DSSP, ensuring that deadlock states are not reached. The states (markings) of the control PN enable or disable some transitions in the original DSSP, while some transitions in the control PN must fire synchronously with some transitions of the original DSSP. The second part of the thesis deals with surgery scheduling of patients in a hospital department. Operating Rooms (ORs) are one of the most expensive material resources in hospitals and the bottleneck of surgical services. Moreover, the aging population together with improvements in surgical techniques are producing an increase in the demand for surgeries, so the optimal use of OR time is crucial in healthcare service management. We focus on the planning and scheduling of patients in Spanish hospital departments, considering the particularities of their organizational structure as well as the concerns and specifications of their doctors. In chapter 5, the scheduling of elective patients under OR block booking is considered.
The first criterion is to optimize the use of the OR, the second is to prevent the total available time in a block from being exceeded, and the third is to respect the preference order of the patients in the waiting list. Three different mathematical programming models for the scheduling of elective patients are proposed. These are combinatorial problems with high computational complexity, so three different heuristic solution methods are proposed and compared. The results show that a Mixed Integer Linear Programming (MILP) problem solved by a Receding Horizon Strategy (RHS) obtains better schedules in the lowest time. Doctors using the MILP model must fix an appropriate occupation rate to optimize the use of the ORs without exceeding the available time. This has two main problems: i) inexperienced doctors could find it difficult to fix an appropriate occupation rate, and ii) the uncertainty in surgery durations (large standard deviation) could result in schedules with over- or under-utilization. In order to overcome these problems, a New Mixed-Integer Quadratically Constrained Programming (N-MIQCP) model is proposed. Using some probabilistic concepts, quadratic constraints are included in the N-MIQCP model to prevent the scheduling of blocks with a high risk of exceeding the available time. Two heuristic methods for solving the N-MIQCP problem are proposed and compared with other chance-constrained approaches from the literature. The results show that the best schedules are achieved using our Specific Heuristic Algorithm (SHA): it obtains occupation rates similar to those of the other approaches but respects the order of the patients in the waiting list much better. In chapter 6, a three-step approach is proposed for the combined scheduling of elective and urgent patients.
In the first step, the elective patients are scheduled for a target Elective Surgery Time (EST) in the ORs, trying to respect the order of the patients on the waiting list. In the second step, the urgent patients are scheduled in the remaining time, ensuring that an urgent patient does not wait more than 48 hours. Finally, in the third step, the surgeries assigned to each OR (elective and urgent) are sequenced in such a way that the maximum time an emergency patient has to wait is minimized. Using realistic data, different policies for the time reserved in the ORs for elective and urgent patients are evaluated. The results show that all ORs should be used to perform both elective and urgent surgeries instead of reserving some ORs exclusively for one type of patient. Finally, in chapter 7 a software solution for surgery service management is given. A Decision Support System (DSS) for elective surgery scheduling and a software tool called CIPLAN are proposed. The DSS uses the SHA as its core for the scheduling of elective patients, but it has other features related to the management of a surgery department. CIPLAN, which is built on the DSS, has a friendly interface developed in collaboration with doctors at the "Lozano Blesa" Hospital in Zaragoza. A real case study comparing the schedules obtained with the manual method and with CIPLAN is discussed. The results show that 128,000 euros per year could be saved using CIPLAN in that hospital. Moreover, the tool allows doctors to reduce the time spent on scheduling and devote it to medical tasks.

    Forward Analysis for WSTS, Part III: Karp-Miller Trees

    This paper is a sequel to "Forward Analysis for WSTS, Part I: Completions" [STACS 2009, LZI Intl. Proc. in Informatics 3, 433-444] and "Forward Analysis for WSTS, Part II: Complete WSTS" [Logical Methods in Computer Science 8(3), 2012]. In these two papers, we provided a framework to conduct forward reachability analyses of WSTS, using finite representations of downward-closed sets. We further develop this framework to obtain a generic Karp-Miller algorithm for the new class of very-WSTS. This allows us to show that coverability sets of very-WSTS can be computed as their finite ideal decompositions. Under natural effectiveness assumptions, we also show that LTL model checking for very-WSTS is decidable. The termination of our procedure rests on a new notion of acceleration levels, which we study. We characterize those domains that allow for only finitely many accelerations, based on ordinal ranks.
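    The classical Karp-Miller construction on an ordinary place/transition net, the algorithm that the Dense-Timed Petri Nets paper above extends for syntactic boundedness and that this paper generalises to very-WSTS. It is the simplest forward analysis that terminates on unbounded nets: a branch that strictly covers one of its own ancestors is accelerated by replacing every growing coordinate with ω, and the net is bounded exactly when no ω appears. This is an added example in Python, not code from any of the papers listed; the two small nets are constructed for illustration:

```python
"""Karp-Miller coverability tree for a place/transition Petri net.

Added example, not code from the papers.  Decides boundedness: a place is
unbounded exactly when omega appears in its coordinate of some tree node.
"""
OMEGA = float("inf")   # omega: inf absorbs +/- k, and k <= inf for every k


def enabled(marking, pre):
    return all(m >= w for m, w in zip(marking, pre))


def fire(marking, pre, post):
    return tuple(m - w_in + w_out for m, w_in, w_out in zip(marking, pre, post))


def accelerate(m, ancestors):
    """If an ancestor m' on the current branch is strictly covered by m
    (m' <= m and m' != m), the firing sequence from m' to m can be repeated
    forever, so every coordinate that grew is set to omega."""
    m = list(m)
    for anc in ancestors:
        if all(a <= b for a, b in zip(anc, m)) and tuple(m) != tuple(anc):
            for i, (a, b) in enumerate(zip(anc, m)):
                if b > a:
                    m[i] = OMEGA
    return tuple(m)


def karp_miller(transitions, m0):
    """Return the set of omega-markings labelling the coverability tree.

    Depth-first construction; a node whose marking already occurs in the tree
    is a leaf.  Finiteness of the tree follows from Dickson's lemma.
    """
    nodes = set()
    stack = [(m0, ())]          # (marking, tuple of ancestors on its branch)
    while stack:
        m, path = stack.pop()
        if m in nodes:
            continue
        nodes.add(m)
        for _name, pre, post in transitions:
            if enabled(m, pre):
                m2 = accelerate(fire(m, pre, post), path + (m,))
                stack.append((m2, path + (m,)))
    return nodes


def unbounded_places(places, transitions, m0):
    """Names of places that can hold arbitrarily many tokens (empty iff bounded)."""
    cover = karp_miller(transitions, m0)
    return {p for i, p in enumerate(places)
            if any(m[i] == OMEGA for m in cover)}


PLACES = ("p", "q", "r")
# Constructed net: t_a keeps its token in p and pumps tokens into q, so q
# (and, through t_b, r) is unbounded; t_c stops the pump.
UNBOUNDED_NET = [
    ("t_a", (1, 0, 0), (1, 1, 0)),   # (name, pre weights, post weights)
    ("t_b", (0, 1, 0), (0, 0, 1)),
    ("t_c", (1, 0, 0), (0, 0, 0)),
]
# Same places, but t_a moves the token instead of copying it: bounded.
BOUNDED_NET = [
    ("t_a", (1, 0, 0), (0, 1, 0)),
    ("t_b", (0, 1, 0), (0, 0, 1)),
]
M0 = (1, 0, 0)

if __name__ == "__main__":
    for label, net in (("pump", UNBOUNDED_NET), ("moved token", BOUNDED_NET)):
        ub = unbounded_places(PLACES, net, M0)
        verdict = "bounded" if not ub else "unbounded in " + str(sorted(ub))
        print(f"{label}: {verdict}; tree nodes = {sorted(karp_miller(net, M0))}")
```

    Acceleration compares a new marking only with the ancestors on its own branch, which is what keeps the tree finite; the downward closure of the ω-markings it produces is the coverability set, so a forbidden marking is coverable exactly when some node dominates it.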