Constructing and Refining Large Scale Railway Models Represented by Petri Nets
advertisement
1
Constructing and Refining Large Scale Railway
Models Represented by Petri Nets
Anders M. Hagalisletto, Joakim Bjørk, Ingrid C. Yu, Pål Enger
Abstract— A new method for rapid construction of largescale executable railway models is presented. Computer systems
for railway systems suffer from poor integration and lack of
explicit understanding of the large amount of static and dynamic
information in the railway. In this paper we give solutions to
both problems. It is shown how a component-oriented approach
makes it easy to construct and refine basic railway models by
effective methods, such that a variety of models with important
properties can be maintained within the same framework. Basic
railway nets are refined into several new kinds; nets that are
safe, permit collision detection, include time, and are sensitive to
its surroundings. Since the underlying implementation language
is Petri Nets, large expressibility is combined with simplicity, and
in addition the analysis of the behaviour of railway models come
gently.
Index Terms— Adaptive and intuitive interfaces, railway systems, Petri Nets, refinement, maintenance
I. I NTRODUCTION
Public transport and particularly subway systems, play an
increasingly important role worldwide. The population in the
cities grows but the capacity for private transport, can not be
extended accordingly. Therefore, confronted with significant
growth in the passenger flows, the need for safe and efficient
transport increases. Subway systems and trams have attained
a particularly important role, since their capacity is high and
does not contaminate. It is a difficult practical problem to plan
and analyze a subway system such that traveling is both safe
and efficient. Many of the subway systems in the world are
old. Although most of them have been modernized, the subway
companies must maintain and integrate hybrid technology
from various epochs of the railway history. Therefore, computerized support for simulating, monitoring and analyzing
such systems is often lacking or is poorly integrated with
the infrastructure. Thus, it is important to be able to rapidly
construct reliable and reusable models that provide as much
static and dynamic information as possible, being as efficient
and flexible as possible. Questions that might be addressed in
our model are: Where is the train now? Is there a dangerous
route for a train? How is the most efficient scheduling of trains
during the day? Do parts of the line create a bottleneck? How
can bottlenecks be avoided? What happens to the traffic if a
new line is added? Are there possible dangerous situations
that may occur in the future? Can collisions occur on a given
scheduling of trains? How should lines with the most traffic be
organized? How will a train-leader respond to an unexpected
situation?
At the moment, there exist several first-person simulators of
locomotives driving particular routes, but few enterprise indus-
trial simulators are available to the public, if any1 . The reasons
are that such applications impose challenging requirements
on efficiency both with respect to time and space. Both for
travelers and the providers of public transport it is important
to have reliable information about the trains at runtime, and
understanding the behaviour of the system off-line. Our Petri
net models provide such information. The models support
simulation, monitoring, controlling and analysis of the railway
system. The same model can be used to perform off-line
simulation of the traffic for the next day, as a train-leader
simulator, the monitor for train-leaders, an automatic train
controller, and as the basis for model-checking both safety
and capacity properties.
A Petri net is a graphical modeling language that has proven
to provide a good formal framework for modeling a variety
of systems with complex dependencies and true concurrency,
as demonstrated in many papers (the collection [14] is a good
starting point). This paper investigates mainly the problem of
rapid construction and refinement of railway models by using
Petri Nets. Railway systems are large and complex concurrent
systems, with trains and signals acting in parallel [13].
There are several advantages of applying Petri Nets to model
the different aspects of a railway system. Petri Nets is both a
formal and graphical language. First, with a formal model, we
may investigate and verify different safety operations within
the modeled system. This is particularly important for systems
where failures may cost human lives. Second, railway systems
often undergo development, due to changes in the population,
and higher demands on the quality of transport services. It is
therefore necessary to model and explore potential extensions
of the system before it is built. By preliminary simulation
and analysis, one can gain critical knowledge about the future
behaviour, and prepare in advance the optimal design of tracks
and scheduling of trains in the revised railway. Third, with a
Petri net model it is possible to communicate precisely the
requirements and properties of the underlying implementation
to non-experts in Petri Nets modeling.In this paper we shall see
how close the graphical Petri net representation resembles real
railway components. Some characteristic features of railways,
are:
1) a fixed number of basic components,
2) precise and numerous engineering rules for how to
design proper railroad tracks,
3) many copies of the basic components,
1 Microsoft Train Simulator and Trainz Railway Simulator are the most
well-known first person simulators. The railway industry is dominated by few
actors that keep their technology closed to the public.
2
4) precise rules for operation and control of the trains on
the railroad.
Each of these features indicate that automatic construction,
simulation and analysis of railway systems should be promising: Feature 1) makes computer-guided construction possible,
2) can be represented as knowledge basis for railway engineers, 3) and 4) are obvious arguments for computer assisted
modeling. Since Petri Nets is a small, formal and graphical
language, with true concurrency built-in, it seems particularly
well-suited to model railway systems.
But although Petri Nets is an appropriate language for
modeling railways that scale well for several application
domains, the models by themselves are so large, that details
must be hidden. A solution given in the literature is to
introduce hierarchies of Petri Nets ([16], [8]). A better highlevel representation of railroad nets than high level Petri
Nets (see for instance [16] and [8]) are the railroad-layout
themselves. The layouts result from constructing circuits based
on a simple graphical language resembling the monitors of
the train-leader central and the technical layouts of lines. Our
work is motivated by the demands of the railway industry.
For large-scale applications with tens of thousands of Petri net
components, the common tools like Design/CPN ([8], [9]) 2 do
not apply gently or at all. It is therefore an important problem
with scalability to ease both construction and observation of
such large nets, and to build appropriate engines for executing
huge Petri nets.
In [10] techniques were introduced for extracting high level
information at runtime from a large underlying executing Petri
net. In this paper we introduce a simple specification language
for railway systems specially designed for railway engineers.
The railways are modeled by Petri Nets in a systematic component oriented way. Moreover it is shown how the modeling
time can be reduced dramatically by automated construction
of the railroad nets from the specification. A correctness
result for the underlying software engineering method is given
in detail, a generalization of the result presented in [5].
Techniques for speeding up the process of refining railroad
nets are introduced by (semi) automated mappings, so that it
is possible to maintain and recursively generate models with
various properties, as for example; safe nets, nets with collision
detection, sensitive (or intelligent) nets. Since the refinement is
performed recursively on the basic components, the topology
of the railway is maintained through possibly many steps of
refinement, resulting in distinct models that can be used for
monitoring, collision detection, traffic planning, and so on.
Our work is inspired by Wil van der Aalst’s approach to
Workflow ([20], [18]) where Petri nets were used to precisely
define, simulate, execute and analyze workflows. The longterm goal of the research is to do the same for railway systems,
decompose the application domain into its constituents and
then show how Petri Nets can be used to enrich the software
engineering of railway systems. A few papers devoted to
work on modeling and analyzing railways using Petri Nets
are available ([17], [6], [22], [3], [11]), but the papers are
2 See a complete list of 56 tools at http://www.daimi.au.dk/
PetriNets/tools/complete_db.html.
Fig. 1.
The end segment, track segment and the turnout.
concerned with modeling and analysis of isolated phenomena.
Two significant papers investigate the scheduling and analysis
of movements on railway stations [19], and optimal behaviour
on the meeting points on single-track railways with sidings
[15]. Safe control of train movements is investigated in [4].
A deadlock prevention method is introduced by augmenting
railway network systems with monitor places. Our work differs
from the other works in several respects: The models proposed
in the paper are designed bottom up, the executable Petri
net resemble the actual physical hardware tracks closely. The
effect of this choice is that the model can be executed, in
practical, concrete railway software. Although the approach is
industrially relevant in a strong sense (a software tool based
on the approach is presented at the end), the approach enjoys
the power of formal analysis techniques, well known to the
Petri Nets community.
The paper is organized as follows: In section II, we give
a short introduction to railway systems and present a sample
of basic railway components. Section III presents a toolkit of
basic mathematical concepts required for the paper. Section IV
discusses how Petri Nets can be used to model the railroad
primitives. Section V presents the high level specification language, and shows how this language can be used to construct
correct railway models based on the components constructed
in section IV, by the mapping called saturation. In section VI
it is shown how the basic specifications and railroad nets can
be successively and automatically refined, such that a variety
of different models is maintained.
II. R AILWAY
SYSTEMS
As a case-study the complete layout of Oslo Subway has
been represented, based on both electronic layouts of the
circuits and standard maps [21]. Based on careful investigation
of this subway system, we have identified the most commonly
used basic and composite railway components. Figure 1, 2
and 3 depict the layout of these components. The track
segment is the main building block for constructing physical
extensions of a line while the end segment is used to stop
trains. A turnout component is equipped with movable points
and makes it possible for trains to be routed to either of two
tracks whenever they enter the component from the stem. This
routing is determined by the positions of points which are often
operated automatically by a point machine. A double slip is a
crossing with a turnout on both sides so that at each entry point
of the double slip, trains may be routed to either one of two
tracks. A rigid crossing is a crossing with no movable points,
permitting trains to run without any external influences. This
component together with four turnouts can compose a scissor.
A single consists of two turnouts, and is often used to provide
a connection between two parallel tracks. In section IV we
3
0
1
1
0
0
1
0
0 1
1
1
1 0
0
10
01101010 1010
01 0101
Fig. 2.
The rigid crossing and the double slip.
1
0
1
0
01
1
0
01
1
0
11
0 1
1 0
0
0
0
1
0
0 1
1
0
1
0
1 1
00
1
0
01
1
1
0
1
0
Fig. 3.
1
0
1
0
The single and the scissor.
shall see how one can map these railroad components to basic
Petri net patterns.
III. T ECHNICAL PRELIMINARIES
In this section we summarize the mathematical prerequisites
for the paper. The reader might skip this section for now and
return to it, whenever it is needed. If A and B are sets, then
their symmetrical difference is defined by A ∆ B pA Y
B q pA X B q. We write finite sequences as xX1 , . . . , Xn y.
The empty sequence is denoted x y. The projection function,
π returns the i’th element of a sequence, πi pxX1 , . . . , Xn yq Xi , where 1 ¤ i ¤ n. We define that π0 pX q K and hence
π0 px yq K. The push-last function $, extends a sequence by
putting an element to the end, hence xX1 , . . . , Xn y$ Xn 1 xX1 , . . . , Xn , Xn 1 y. If X and Y are sequences and Yj is a an
element, then concatenation function, denoted $%, is defined
by X $
%x y xX y and X $%pY $ Yj q pX $%Y q $ Yj . The
length of a sequence lh pX q, is given by lh px yq 0 and
lh pX $ Xj q lh pX q 1. If lh pX q ¥ 1, then the final
element in a sequence X is given by; lastpX q πlh pX q pX q
and the rest of X xX1 , . . . , Xn , Xn 1 y, is defined by
restpX q xX1 , . . . , Xn y.
Two sequences X and Y are equal, written X Y , if
lh pX q lh pY q, and ip1 ¤ i ¤ n Ñ Xi Yi q. The
sequence Y xY1 , . . . , Ym y is an extension of the sequence
X xX1 , . . . , Xn y, written X E Y , iff m ¥ n and
i P r1, . . . , ns Yi Xi _ Xi E Yi (by recursion).
Let X xX1 , . . . , Xn y and Y xY1 , . . . , Yn y be two
sequences of equal length n. Let Xi ’s and Yj ’s be sets.
Then the flat union of X and Y , is given by X \ Y xX1 Y Y1 , . . . , Xn Y Yny. The sequence X and Y are disjoint,
written X d Y , if i P r1, . . . , ns Xi X Yi H.
A multiset Z is a pair Z xA, f y, where A is a set and f is
a function f : A ÞÝÑ . Let Z1 xA1 , f1 y and Z2 xA2 , f2 y
be two multi-sets. We say that Z1 is a multi-set subset of Z2 ,
written Z1 M Z2 , iff A1 A2 and x P f1 y P f2 pπ1 pxq π1 py q Ñ π2 pxq ¤ π2 py qq3 .
N
3 Note
x P f1 means that x is (a pair) in the extension of the function f1 .
A graph is a pair G xN, F y, where N is a set of nodes,
and F N N is a set of arcs. A path from a node x1 to a
node xn is a sequence xx1 , . . . , xn y, such that xxi , xi 1 y P F
for 1 ¤ i ¤ n. If there is a path from x to y we write x y.
A graph is strongly connected, (see [18]) iff for every pair of
nodes xx, y y, there is a path from x to y (written x y). A
graph is connected, iff for every pair of nodes xx, y y, x
y _ y x _ Dz px z ^ y z q.
IV. R AILWAY
MODELING USING
P ETRI N ETS
We shall now introduce a limited version of Coloured Petri
Nets (CPN) (see [8], [9]) applied to railway modeling. A
complete definition of Coloured Petri Nets is not required,
for a careful introduction to CPN see for instance [8]. In this
section we first recapitulate the definition of Petri Nets, then
we shall define our specific class of Petri Nets, the railroad
nets, and then finally we present some of the basic components
modeled by railroad nets.
A Petri net is a triple, xP, T, Ay, where P is a finite set of
places, T is a finite set of transitions and A is a finite set of
arcs, A pP T E q ∆ pT P E q. By E we denote the
set of expressions that can either be boolean, assignments and
time inscriptions. Boolean tests are written t x, assignments
are written t : x, while delays are denoted @
x. The
empty expression is denoted by nil, and is usually omitted.
Subexpression is defined by recursion: Every expression E
is a subexpression of itself, nil is a subexpression of every
expression, E is a subexpression of both E ^ E 1 and E 1 ^ E,
where E 1 is an expression. A node in a Petri net is either a
place or a transition, i.e x is a node if x P P Y T , while
arcs connect places and transitions. A transition is a 4-tuple
xTransId, Name, Sort, Expry , where TransId is its unique
identity, Name its name, Sort specifies the sort, and Expr is
an expression, also called guard in [8]. A place is a triple
xPlaceId, Colour, Sorty, that contains a unique identity, a
colour and a sort. Tokens might inhabit places. The distribution
of tokens over places gives a marking. Let ∅PN xH, H, Hy
denote the empty Petri net. Then we define the simplest notion
of composition of nets, the flat union of two Petri nets: If N1 xP1 , T1 , A1 y and N2 xP2 , T2 , A2 y are two Petri nets, then a
new net can be composed by taking the flat union of N1 and
N2 ; N1 \ N2 xP1 Y P2 , T1 Y T2 , A1 Y A2 y. Two observations
show that this is a rather weak notion of composition: First,
no connections between the two nets are specified as for
instance the composition of nets through fusion places of
[8]. Therefore the resulting net might not be connected even
though the original ones might be connected. Second, since
the composition is flat, overlapping names of transitions and
places might give unwanted nets if name conflicts are not
treated properly.
Now we introduce the basic definitions of the particular
class of Petri Nets used to model the railroad. To distinguish
various syntactic parts of a Petri net, we introduce the concept
of sort. The two basic sorts in a railroad are track and control.
The notation Nt xP t , T t , At y emphasizes that the net is
the track part, where each of P t , T t and At have sort Track.
Intuitively the Nt part of the railroad net models the movement
4
Train.dir = +
P1
P3
Move−
End
P4
Move+
P6
P2
P7
Train.dir = x
Train.dir = −
Fig. 4.
Specification with unreachable node.
Fig. 5.
of train on the line. The notation Nc xP c , T c , Ac y is used
to indicate that the net is a control part, where each P c ,
T c and Ac have sort Control. The control part participates
in the routing of trains over tracks. We assume that there
are functions trackpNq Nt and controlpNq Nc . The
function can be specialized also to work on the sets of places,
transitions and arcs. The distinction will be comprehensible
later in this section when the basic railroad components are
presented as Petri nets.
Definition 1: A basic unmarked railroad net is a connected
Petri net N, such that N Nt \ Nc , where Nt d Nc , Nt ∅PN ,
and Nt is strongly connected.
The requirement that railroad nets are strongly connected rules
out disconnected railroad tracks. But the requirement does not
imply that it is possible to find a drivable route from two
arbitrary positions on the railroad. An example is the track
layout in figure 4, where the positions P1 and P2 are not
reachable from P3-P7 and vice versa.
The railroad components represented by Petri Nets are
equipped with initial markings, particular semaphore tokens
and control tokens. Information about the initial marking is
therefore treated as a proper part of the basic components.
Let C denote a finite set of colours, C tC1 , . . . , Cn u. Let
CBRW tTrack, Controlu denote the basic railway sorts. A
basic Coloured token is a pair xCj , atry, where Cj is the
main colour of the token, and atr is a sequence of colourattributes or lists of such, xCk1 , . . . , Ckm y, j R tk1 , . . . , km u.
Note that atr can be empty; x y. If This is a coloured token
then its attributes are typically written This.attr. This is
a bit different from Design/CPN syntax, which makes our
description a bit easier to read. If This has the attributes
attr1 . attr2 , then the corresponding Design/CPN expression
reads Thispattr1 , attr2 q. We shall also not explicitly write
the colour of the places, and sometimes arc expressions are
skipped in the Petri net figures, when they can be extracted
from the context. Composite expressions are permitted only
as conjunctions. A marking M of a Petri net PN xP, T, Ay
is a distribution of tokens over places. Let
denote the set
of possible multi-sets over the available tokens. Formally, a
marking of PN is set of pairs of places and multi-sets of
tokens, txp, my|p P P ^ m P u. Given a marking M then
we define pp, M q xp, my such that xp, my P M , if there
is any, else its undefined.
The construction of railroad tracks in the model is done
without trains. But some tokens occur already in the basic
railroad components, the control-tokens Sem (semaphore). The
semaphore token can be thought of as a kind of uncoloured
token, since its attribute list is empty; xSem, x yy. The process
of putting trains in the railroad net is called arrangement
M
m
Train.dir = +
Train.dir = Change(x)
P5
M
Train.dir
=−
.
End segments (B1 ) and the basic track (B2 ) as Petri Nets.
of the railroad. Trains are equipped with train-id’s, uniquely
identifying the train, and with a given initial direction. The
most primitive train is given by xTrain, xTrainId, Diryy, where
the colours TrainId and Dir denote the unique identity of the
train, e.g., a natural number, and the direction the train is
driving at the moment, t , u.
Definition 2: A basic railroad net, denoted R is a pair
xN, M y where N is a basic unmarked railroad net and M
is a marking over a set of railroad-colours C RW .
Now we present a set of labeled basic railroad components.
Trains are represented by tokens and railroads are divided
into block sections. A Petri net road component consists of
two places representing physical track sections and two move
transitions, one for each direction, for moving trains from
one place to the other. The job of the track transition is to
move train-tokens from one position to the next. End and
road components (figure 5) are used as basic structures when
forming more complex railroad components.
For controlling the routing of trains over branches, point
machines are explicitly modeled. A point machine is a manual
or automatic device for routing trains in branching tracks
[13]. A point machine consists of two semaphore places L
and R for routing tokens to the left or right branch. Each
point machine has an initial position, either left or right as
indicated by the mutex pair of states L and R. For changing
the state or position of the point machine, a token is required
to inhabit the Change place, simulating external controls.
Railroad components like turnouts, double slips, singles and
scissors consist of road components and point machines. This
can be seen by considering the turnout component. In figure 6
the point machine is in the position L, each token that enters
from the stem (place join) of the turnout will be routed to
the left branch (place Left) until the point machine’s position
has been altered. The rigid crossing, figure 7, consists of two
track-sections one for each direction, and a semaphore token in
the middle, securing that the cross is visited by only one train
at a time. The semaphore has colour NoTrain. The double slip
consists of the combination of two turnouts into one, therefore
it is equipped with two point machines as seen in figure 8. A
right-oriented single as depicted in figure 9 is a composite
component essentially built up of two turnouts without an
interface. The pattern is so common that it is represented as
an atomic component, together with its left-oriented version.
In figure 10 the basic scissor is depicted, with its four point
machines and the crossing. It combines the effect of a single
left and single right in one component. A nice feature of these
components is that they are refinable components, an important
property we shall investigate further in section VI.
5
Train.dir = +
Left
Train.dir = −
Left
Up
The point machine
Ldir+
Ldir−
L
URdir+
ULdir+
The point machine
SetR
Train.dir = +
Right
Up
ULdir−
SetUL
Train.dir = −
The point machine
URdir−
RU
UL
SetUR
Join
Join
Train.dir = −
Change1
Change
Train.dir = +
SetL
R
Rdir−
Change2
SetDL
DL
DRdir−
DLdir−
DR
DRdir+
DLdir+
Rdir+
Left
Down
Train.dir = −
Right
Train.dir = +
Fig. 6.
Right
Down
Fig. 8.
The double slip (B5 ) as a Petri net.
The turnout (B3 ) with its point machine.
U
Train.dir = +
Train.dir = −
Ldir1+
Join1
Train.dir = −
Left1
Ldir
Ldir1−
Train.dir = −
Point machine
L1
SetR1
Point machine
Udir
L
S
Ddir
R
SetL2
Change1
R2
Cdir12
Train.dir = +
Train.dir = +
R1
Change2
Rdir
SetR2
Train.dir = −
L2
Rdir2+
Train.dir = +
Join2
Left2
Ldir2−
D
Fig. 7.
The rigid crossing (B4 ) as a Petri net.
SetL1
Cdir21
Fig. 9.
The single right (B6 ) as a Petri net.
V. C ONSTRUCTING P ETRI NETS AUTOMATICALLY
A simple graphical specification language for railroads
is given by the language L consisting of a set of nodes
N tn1 , n2 , . . .u, and a rule expressing that nodes can be
connected to obtain a set of lines. The lines L characterize
the high level structure of a component, indicating how nodes
are connected. Different components can be connected by their
interfaces as explained below.
An interface is based on a finite set of distinct interface
types I tI1 , . . . , In u. Components can then be connected
according to rules for connection that prescribe legal ways
to construct composite components. A composition rule is a
pair, xIj , Ik y, indicating that interface nodes of type Ij can
be connected to interface nodes of type Ik . The interface
types and a set of composition rules must be defined for
each specification. The composition rules define the valid
interconnections.
Definition 3: A set of composition-rules B over a set of
interfaces I for a railroad, is a connected set of pairs of
interface types, closed under symmetry, in other words
piq B txIj , Ik y | Ij , Ik P I u
piiq xIj , Ik y P B ùñ xIk , Ij y P B
piiiq xI, By is connected.
Udir+
UL
UR
Udir−
C1 C2
DLUR
ULDR
Join
ULDR
DLUR
C3 C4
Ddir+
DL
DR
Ddir−
Fig. 10.
The scissor (B8 ) as a Petri net.
SetDR
6
TU−1
SC
L−1
Components
Turnout
Track
End segment
Scissor
Rigid crossing
Double slip
Single right
Single left
SC
L−2
TU−2
END
SC
TU−1
CR−2
DS−1
DS−2
SR−1
SR−1
SC
SL−1
SL−1
CR−1
CR−1
DS−2
DS−1
CR−2
Fig. 11.
SR−2
SR−2
SL−2
SL−2
Atomic specifications.
Observation 1: xI, By is strongly connected.
Proof: Immediate from the fact that xI, By is connected
and that the set B is closed under symmetry.
The restriction to pairs restricts composition to an event
between two components only. Closure under symmetry means
that the order of two connected components is irrelevant. The
requirement that B is strongly connected, ensures that every
component can participate in a connected railroad. If there are
no restrictions on how to connect the components, then we take
B txIj , Ik y | Ij , Ik P I u. In such a case the designer of the
railroad model is free to connect the components in any ways,
there are no engineering-specific rules imposing limitations on
the possible topologies.
A. Atomic specifications
Specification is a process in which we start out with
an initial set of basic components and rules for connecting
these components, called the atomic specification. An atomic
specification S A is a triple S A xC A , I, By, where C A is a
finite set of atomic components, I is a finite set of interface
types and B is a finite set of interface rules. An atomic
component, C xL, fI , N I y, consists of a set of lines L
and nodes equipped with types N I N I constructed over
a specification language L , where L N N and fI is
a function from nodes to types fI : N ÞÝÑ I. Nodes in an
atomic component are either structural or interface nodes.
Figure 11 shows an example of an atomic specification of
the components for constructing railroads, where the types of
the interface nodes are denoted by colours and names. The
structural nodes are internal nodes that represents the internal
structure of the component and have the empty type Θ.
Interface nodes are nodes that can participate in bindings with
other components. Composite specification is then obtained
by joining atomic components. The definition of the turnout
I
y, where;
component is then given by CTU xLTU , fI , NTU
I
txn1 , TU 2y, xn2, Θy, xn3, TU 1y, xn4 , TU 1yu
NTU
and LTU txn1 , n2 y, xn2 , n3 y, xn2 , n4 yu.
I
Type assignment is given in the set NTU
. There is one
internal node, n2 that has the empty type Θ. The turnout is
an example of an atomic component that is a router. A router
is an atomic component that contains more than two interface
nodes. The set of interfaces is shown in Figure 12.
Fig. 12.
Types
TU-1
L-1
END
SC
CR-1
DS-1
SR-1
SL-1
TU-2
L-2
CR-2
DS-2
SR-2
SL-2
Interface types.
In our railway case we avoid anomalies by prohibiting
the user from constructing unsound railroads patterns. For
instance, two switches can not be connected in arbitrary ways,
without resulting in unsound arrangement of tracks. It is not
allowed to connect two turnouts by their TU-1 interfaces. An
end segment should only connect to a track segment, since
trains need space to decelerate and stop. The track interface
types L-1 and L-2 can be connected in order to construct
arbitrary large railroad tracks. An example of a complete
specification of rules is given in the appendix .
B. Composite specifications
Composite specifications can be built from atomic specifications. A general specification S is a pair S xG, S A y,
where G is a connected graph, called the structure of the
specification S and S A is an atomic specification such that
S is syntactically correct based on the rules in S A . Two
specifications can be joined if there are matching free interfaces in the specifications. Informally, an interface occurs
free in a specification if it is not involved in a binding.
We consider uniform component construction; components
constructed over one atomic specification. The definitions can
easily be generalized to construction of arbitrary components
of distinct atomic specifications. To be able to combine several
instances of one atomic component and avoid confusion of
names in the composition of distinct components, we introduce
the notion of freshness. Let N be an infinite set of distinct
names. Given a finite structure (set or sequence) A, with
names from N , then let n7 denote a fresh name not in A.
It will always be clear from the context when fresh names are
introduced.
The empty specification is a specification where nothing
has been done yet. The empty name is denoted ǫ. The empty
specification, denoted ∅S , over an atomic specification S A is
the pair ∅S xH, S A y. Two specifications S1 xG1 , S A y
and S2 xG2 , S A y over an atomic specification S A xC A, I, By are joinable, if there exist free occurrences of
interfaces i1 P G1 and i2 P G2 such that xπ2 pi1 q, π2 pi2 qy P B.
The empty specification ∅S is joinable with every specification
using the empty name ǫ.
The result of joining two atomic specifications S1 and S2
gives a new composite specification over a concrete binding b.
Since nodes G are distinct, there is a function sub that takes
a node n in G and replaces this node by m. This function is
called the replacement function subpn, m, G, N I q, and returns
7
a specification. The parameter N I is carried along the recursion to ensure that the composite nodes get composite types.
The type-extraction function ty takes a name and a set of nodes
and returns the type of this node, typn, N I q x if xn, xy P
N I , otherwise ty is undefined. The function typespS q is
used to access the set of type assignments N I from a given
specification S, defined by typespS q π2 pπ1 pS qq.
Definition 4: Let n, m, x and y denote names or interfaces,
and let xLs , NsI y be a component with lines Ls and nodes
NsI . Let S1 and S2 be specifications and N I be a proper
extension of NsI . Then substitution is defined by;
1. subpn, m, n, N I q m
2. subpn, m, x, N I q x
if n x
3. subpn, m, xx, y y, N I q xsubpn, m, x, N I q, subpn, m, y, N I qy
4. subpn, xn1 , n2 y, xLs , NsI y, N I q xsubpn, xn1, n2 y, Ls , N I q, subpxn, typn, N I qy,
xxn1, n2 y, xtypn1 , N I q, typn2 , N I qyy, NsI , N I qy
if n P tn1 , n2 u
5. subpn, m, txx, y yu, N I q tsubpn, m, xx, y y, N I qu
6. subpn, m, S1 \ S2 , N I q subpn, m, S1 , N I q \ subpn, m, S2 , N I q
7. subpn, m, xG, S A yq xsubpn, m, G q, S A y
Part 4 of definition 4, performs a replacement in a component
xLs, NsI y. The lines Ls are relabeled and the typed nodes NsI
are equipped with composite types, by searching in the typed
nodes N I . Part 7 states that the replacement is performed in
the structure of the component. Two names n1 and n2 can
be combined by concatenation to a composite name n1 n2 ,
thus preserving information about the composition. Observe
that in definition 4, the name n1 n2 was represented by the
pair xn1 , n2 y.
Definition 5: Let S1 and S2 be two specifications, joinable
with the binding b xn1 , n2 y over an atomic specification. Let
N I typespS1 qY typespS2 q. The composition of S1 and S2 ,
denoted S1 [b S2 or S1 [xn1 ,n2 y S2 , is given by subpn1 , n1 n2 , S1 , N I q \ subpn2 , n1 n2 , S2 , N I q.
In addition, the empty specification can be composed with any
specification S, independent of whether S has free interfaces
or not. The new name n1 n2 connects the structure of S1
with S2 into a connected graph. The interfaces n1 and n2 do
not occur free in the new specification S1 [b S2 . Composition
of specifications can be considered as a very weak algebra,
what we call a partial monoid:
Definition 6: A partial monoid is a 4-tuple xA , Æ , B, J y,
such that A is a set, Æ is a set of parametrized binary
operators, Æ tÆb | b P Bu, B is a connected set of pairs, and
J (joinable) is a ternary relation over A A B ÞÑ Bool,
such that:
piq If A1 , A2 P A and J pA1 , A2 , bq then A1 Æb A2 P A
piiq pA1 Æb A2 q Æb A3 A1 Æb pA2 Æb A3 q
piiiq D E P A De P B A P A A Æe E A E Æe A
1
2
1
2
This weaker notion of monoid used here, is called partial for
two reasons: First, the closure criteria restricts Æb -composition
to a subset of A , given by restricting relation J . Second, the
operator Æb is parametrized by the label b, giving rise to a
potential infinite number of operators.
Lemma 1: Sequential composition of joinable specifications forms a partial monoid.
Proof: The restriction relation joinable railroad net,
ensures that the closure criteria is fulfilled by definition. Associativity follows by definition 5 and since union is distributive
and graph replacement distributes over union. Note also that
we must assume that the two bindings are disjoint. The details
can be found in [5]. In case of the unit clause, let ∅S be
the unit, and ǫ serve as the binding. Let S xG, S A y be a
specification. Then S1 [ǫ ∅S subpǫ, ǫ, S1 q \ subpǫ, ǫ, ∅S q
S1 \∅S xG, S A y\xH, S Ay xG, S A y S ∅S [ǫ S1 .
Fortunately, the railroad nets also forms a partial monoid, as
we shall see in the next section.
C. Composition of railroad nets
Composition of railroad nets is defined in a similar way
as composition specifications. Nets are combined through
particular interface places4 . Let R1 xxP1 , T1 , A1 y, M1 y and
R2 xxP2 , T2 , A2 y, M2 y be two basic railroad nets. Then we
say that: R1 and R2 are joinable over a set of interface rules
B, if there exists free interface places p1 P trackpP1 q and
p2 P trackpP2 q, of interface types I1 and I2 respectively, with
piq xI1 , I2 y P B, and
piiq π2 p pp1, M1 qq π2 p pp2, M2qq.
Observe that clause piq expresses that the binding is valid
according to the type-rules, while piiq ensures that if the net is
a marked net, then the tokens inhabiting the interface-places
are indistinguishable.
If R1 and R2 are joinable with the binding b, we write
JoinN pR1 , R2 , bq. The replacement of a place p by the place
s in the railroad net R xP, T, Ay, follows by modifying
definition 4, by generalizing part 6, by permitting S1 and S2
to be railroad nets, and by adding
subpp, s, R q xxsubpp, s, P q, T, subpp, s, Aqy, subpp, s, M qy
if R xxP, T, Ay, M y is a railroad net. The transitions are
left unchanged, since replacement only changes the name of
one place and then redirect the arcs from the transitions to
the new place. Since types are constructed on the level of
specifications, they are inherited to the Petri net level.
Definition 7: If R1 and R2 are joinable over the binding
b xp1 , p2 y, where p1 P trackpP1 q and p2 P trackpP2 q, then
the composition of R1 and R2 , is given by
R1 'b R2 subpp1 , p1 p2 , R1 q \ subpp2 , p1 p2 , R2 q.
In addition we define the empty net ∅PN xH, H, Hy. The
empty net can be composed with any railroad net with respect
to the empty name ǫ.
Lemma 2: Sequential composition of joinable railroad nets
forms a partial monoid.
Proof: Let R denote the set of railroad nets. Then we
must prove the following three facts:
m
m
piq R1 and R2 are joinable over b ùñ R1 'b R2 P R
piiq pR1 'b R2 q 'b1 R3 R1 'b pR2 'b1 R3 q
piiiq D E P R De P B R P R R 'e E R E 'e R
4 Or
fusion places according to [8].
8
The restriction relation joinable railroad net, guarantees closure. The unit follows by a similar argument as in lemma 1.
Associativity splits into two; either one of b and b1 equals the
empty binding, or b xp1 , p2 y and b1 xp12 , p3 y. Let us first
discuss the former and apply clause piiiq: If R1 ∅PN , then
b ǫ, such that;
An atomic saturation is performed manually by first constructing a library of atomic specifications, then a library of
Petri nets and finally making an explicit assignment between
them. Each specification and railroad net can be given with
a separate atomic saturations, depending on the engineering
principle for each net. But in practice this is rare. A composed
specification S can be measured by the number of interface
pR1 'b R2 q 'b1 R3 p∅PN 'ǫ R2 q 'b1 R3 piiiq
bindings, denoted pS q. We consider first components built
R2 'b1 R3 piiiq ∅PN 'ǫ pR2 'b1 R3 q R1 'ǫ pR2 'b1 R3 q. up sequentially from 1-step interface bindings.
Definition 9: By recursion we define the size of a sequential
In case R3 ∅PN , the proof is similar. The only strange
pS q as follows:
specification
case is R2 ∅PN , and where R1 , R3 ∅PN . Assume
p
iq
If S is an atomic specification, then pS q 0
for contradiction that both the left and right-hand side of
If S is a composite specification, S S1 [b S2 ,
piiq exists. Then both b ǫ and b1 ǫ. But then by piiiq piiq then
pS1 [b S2 q pS1 q pS2 q 1.
R2 'ǫ R3 , which is absurd, hence neither pR1 'b ∅PN q ' R3
Definition 10: Let S be a sequential specification and S A
nor R1 'e p∅PN ' R3 q exists. Informally this means that
Then satp,) is defined by
indecisiveness with respect to which component to choose in an atomic specification.
p
iq
satpS A , Aq ApS A q
a design of a railroad-net, can only occur at loose ends in a
piiq satpS [b S A , Aq satpS, Aq 'Apbq satpS A , Aq.
railroad-net.
piiiq satpS A [b S, Aq satpS A , Aq 'Apbq satpS, Aq.
Finally, suppose that b xp1 , p2 y and b1 xp12 , p3 y. The The next lemma captures the actual process
of recursively
following equations proves associativity in the general case:
constructing
a
large
Petri
net
from
its
specification
using
R1 'xp1 ,p2 y pR2 'xp12 ,p3 y R3 q 1
saturation.
subpp1 , p1 p2 , R1 q \ subpp2 , p1 p2 , R2 'xp12 ,p3 y R3 q 2
Lemma 3: Let S1A , . . . , SnA 1 be atomic components. Then
subpp1 , p1 p2 , R1 q \ subpp2 , p1 p2 ,
satpS1A [b1 [bn SnA 1 , Aq subpp12 , p12 p3 , R2 q\ subpp3 , p12 p3 , R3 qq3
satpS1A , Aq 'Apb1 q 'Apbn q satpSnA 1 , Aq
subpp12 , p12 p3 , subpp1 , p1 p2 , R1 q \ subpp2 , p1 p2 , R2 qq
Proof: Induction over the size of fresh bindings in S \ subpp3 , p12 p3 , R3 q 4
S1A [b1 [bn SnA 1 , that is pS q n. Immediate from
subpp12 , p12 p3 , R1 'xp1 ,p2 y R2 q \ subpp3 , p12 p3 , R3 q
definition 10.
5 pR1 'xp1,p2y R2 q 'xp12,p3y R3
Lemma 4: (Sequential composition)
Let
S1 and S2 be two distinct sequential specifications that are
Equations 1, 2, 4 and 5 follow immediately by Definition 7.
joinable
over a binding b w.r.t. an atomic saturation A, such
Equation 3 is the delicate one and the justification splits in
that
the
resulting
specification S1 [b S2 is sequential. Then
two: First, set union is distributive and graph replacement
1
p
S
[
q
satpS1 , Aq 'Apbq satpS1 , Aq.
sat
S
,
A
1
b
2
distributes over union. Second, the interface p2 does not occur
Proof:
Induction
over the size of both S1 and S2 . The
free in the specification subpp1 , p1 p2 , R1 q and the interface
1
basis
is
obvious,
so
consider
the induction step: Let pS1 q
p2 does not occur free in the specification subpp3 , p2 p3 , R3 q.
pS2 q k 1. Then either S1 or S2 are composite or both.
Observation 2: The composition of two connected railroad Without loss of generality we consider the two cases, (a) S1 S1A [e S11 or (b) S2 [e S2A for atomic components S1A , S2A .
nets is a connected railroad net.
We prove (b) and leave (a) to the reader:
n
n
n
n
n
n
n
n
n
D. Saturation of a sequential specification
A saturation of a composite sequential specification is an
automatic construction of a railroad implementation from a
given specification. The saturation takes a specification and
produces one “refinement”. Properties at the specification or
abstract level correspond to properties at the concrete or
refined level, following [7]. Our main example of such a
property is the railroad topology, which is a purely syntactical
property. If S is a specification and Ni is a Petri net, then let
pS q and pNi q denote the free interfaces of S and the free
interface places in Ni respectively.
Saturations can be decomposed into successive compositions of atomic saturations. An atomic saturation is an
assignment of an atomic specification to a set of Petri nets.
Definition 8: Let S A tC A , I, Bu be an atomic specification. An atomic saturation, written A, is a map from the
set of specifications to the set of Petri nets N, such that
C P C A D!P P N pApC q P q.
i
i
satpS1 [b S2 , Aq satpS1 [b pS21 [e S2A q, Aq 1
satppS1 [b S21 q [e S2A q, Aq 2
satpS1 [b S21 , Aq 'Apeq satpS2A q, Aq 3
psatpS1 , Aq 'Apbq satpS21 , Aqq 'Apeq satpS2A q, Aq 4
satpS1 , Aq 'Apbq psatpS21 , Aq 'Apeq satpS2A q, Aqq 5
satpS1 , Aq 'Apbq satpS21 [e S2A , Aq satpS1 , Aq 'Apbq satpS2 , Aq
Equation 1 and 4 follow by associativity of [ and ' , equation
2 and 5 by definition 10, and the 3rd by induction hypothesis,
since pS1 [b S21 q k.
The previous lemma states informally that sequential specifications can be saturated, and the result of generating implementations of joinable specifications is the same as saturating
the composite specification and then composing them.
n
E. Saturation of general specifications
In the previous section we proved the correctness of saturation of sequential specifications. But the overall problem
9
SA
[
A
Fig. 13.
Imaginary journey.
?
RA
still remains: Do we know that the saturation algorithm is
correct for arbitrary specifications that are not sequential? In
this section we shall give an affirmative answer to the question.
In order to show that construction of arbitrary specification
is compositional, specifications are divided into sets of serial
(sequential) specifications. An imaginary sequential railroad
journey is a sequential traversal of a specification. It is called
imaginary for two reasons: First, it is permitted to travel
through specifications that are not finished, intermediate specifications. Second, it is permitted to travel routes that a train
can not travel, as exemplified in figure 13, the components
are connected by a rigid crossing through a path no train
can follow. is an example of an imaginary journey. For the
rest of the paper we interpret pS q as applying to general
specifications, counting every free and bound node in S. Given
a specification S and an interface node n we construct the
set of imaginary sequential railroad journeys in S starting
in n, denoted seqrS, ns, as follows: Let fj pS, B, J , nq be
a function that takes a specification S, a set of nodes B in
S (the free nodes and bindings in S), generated journeys J
and an initial interface-node n as arguments an returns a set
of journeys. The generated journeys J is a sequence of pairs
xJ, U y, where J is one journey and U is the set of nodes in
a specification that is not visited yet in J. Then we define
seqrS, ns fj pS, pS q tnu, x y, nq where fj is given by:
i
i
piq
piiq
piiiq
pivq
pvq
pviq
pviiq
pviiiq
Fig. 14.
- S
sat
'
?
- R
Diagram of saturation.
of unvisited routers in the first tour x y. The language of
specifications is extended temporarily with a symbol g,
which marks the end of one journey. Clause piq returns the set
of journeys, when every node in the specification is visited,
since B H and throws away the stack of unvisited routers.
piiq starts a new imaginary journey, by throwing away the
end-symbol g, pushing the finished journey into J and
beginning a new tour from n. Clause piiiq stops a journey J
if it risks running over nodes previously visited in J. In piv q a
journey is stopped in an END segment. Clause pv q visits and
ensures that the journey stops in the unfinished ends in the
specification (the single name b). pviq traverses line segments
visited or not. In pviiq if we are inside a router with at least
one exit path that is not visited, that path is followed. Finally,
in pviiiq if every exit node in a given router is visited before
by other previous journeys in J , then the most promising
path is chosen. The function fpathpJ , xbi , Sj y, B q finds
the path through the router that contains the highest number
of unvisited nodes by comparing the previous journeys and
updating the results of the current set of unvisited nodes B.
The appendix contains the full implementation of fpath.
fj pS, H, J , nq tJ | xJ, U y P J u
Observation 3: The algorithm seqrS, ns terminates with a
fj pS, B, J $xJ $g, U y, nq finite set that covers S.
fj pS, B, J $xxJ, U y, xn, tuyy, nq
Theorem 1: (The theorem of construction)
fj pS, B, J $xJ $ Sj , U y, nq Let S1 and S2 be two arbitrary specifications that are joinable
fj pS, B, J $xJ $
%xSj , gy, U y, nq
over a binding b w.r.t. an atomic saturation A. Then
if Sj [b Sk P S ^ Sk P J.
satpS1 [b S2 , Aq satpS1 , Aq 'Apbq satpS1 , Aq.
fj pS, B, J $xJ $ Sj , U y, nq fj pS, B tbk u, J $xJ $
%xSj , bk , Sk , gy, U y, nq Proof: Let b xn1 , n2 y. Then n1 P pS1 q and n2 P
pS2 q. Both S1 and S2 can be sequentialized into two finite
if Sj [bk Sk P S ^ typepπ2 pbk qq END.
sets of imaginary journeys seqrS1 , n1 s and seqrS2 , n2 s. By
fj pS, B, J $xJ $ Sj , U y, nq fj pS, B tbu,
lemma 4 applied |seqrS1 , n1 s||seqrS2 , n2 s| times, we know
J $xJ $
%xSj , b, gy, U Y U ey, nq where
e
that for any pair s1 P seqrS1 , n1 s and s2 P seqrS2 , n2 s,
U pSj qXpB tbuq, if b P p pSj qX N q B.
satps1 [b s2 , Aq satps1 , Aq 'Apbq satps1 , Aq. But since
fj pS, B, J $xJ $ Sj , U y, nq fj pS, B tbk u, J $xJ $
%xSj , bk , Sk y, U y, nq seqrS1 , n1 s and seqrS2 , n2 s covers S1 and S2 respectively,
if Sj [bk Sk P S ^ | pSj q| 2 ^ Sk R J. the result follows.
fj pS, B, J $xJ $
%xbj , Sj y, U y, nq fj pS, B tbku, To conclude this section, the theorem of construction can
J $xJ $
%xbj , Sj , bk , Sk y, U tbkuy, nq
be illustrated by the following diagram depicted in figure 14,
if bk R B ^ |p pSj qX Bqtbj u|¥ 1 ^ Sj [bk Sk P S. where the atomic saturation is given by the leftmost arrow
fj pS, B, J $xJ $
%xbi, Sj y, U y, nq A, while the construction of composite nets is given by
fj pS, B, J $xJ $
%xbi, Sj y$%K, U y, nq.
the rightmost arrow sat. An atomic saturation is performed
where K fpathpJ , xbi , Sj y, B q
manually while sat gives an automatic construction of a net.
if p pSj q tbi uq B ^ | pSj q| ¥ 3 ^ Sk R J. Then by considering the previous diagram it should be no
i
i
i
i
i
i
i
i
Let us explain the algorithm in more detail: Initially B
contains all the nodes in S except n, with a empty set
surprise that category theory is lurking in the shadows of what
we have done so far.
10
F. The Categories of railroad modeling
Specifications and railroad nets were both described as
partial monoids. This rather weak notion of algebra can be
resolved by reformulating the structure of composition within
category theory [2]. A category is a triple C xOb, M, y,
where Ob denotes the class of objects of the category, M
denote a set of morphisms, and is a composition operator.
MpA, B q denotes the set of morphisms from A to B. If f is
a morphism in MpA, B q, A is called the domain of f , and B
is called the codomain of f . Then for every A, B, C P Ob
with codompMpA, B qq dompMpB, C qq, such that :
MpA, B q MpB, C q ÞÑ MpA, C q and such that;
piq If f P MpA, B q, g P MpB, C q and h P MpC, Dq,
then f pg hq pf g q h
piiq A P Ob DidA P M idA : A ÞÑ A f f : A ÞÑ B
idB f f f idA
Let us return to the partial monoids to see how category theory
fits into the picture: Suppose that M xA , Æ , B, J y is a
partial monoid, with the identity element E and a distinguished
finite set of basic objects B tB1 , . . . , Bn u A . A
binding x encapsulates another binding y, written x e y, if
x y _ x π1 py q_ x π2 py q. An object Bi encapsulates Bj
(Bi , Bj P B), written Bi e Bj , if there is a bijection between
pBi q and pBj q such that x P pBi qD!y P pBj qpx e yq.
We say that object A encapsulates object C, written A e C
if either piq both A E and C E or piiq A Bi Æb1 A1
and C Bj Æb2 C 1 where Bi e Bj and A1 e C 1 and
Æb1 , Æb2 P Æ .
Definition 11: We say that A can be sequentially embedded
into B if either A e B, B C Æb1 A1 , B A1 Æb1 C or
B C Æb1 A1 Æb2 D, where A e A1 and C, D E.
Lemma 5: Sequential embedding is a partial order.
Proof: Reflexivity is immediate, since A e A. Antisymmetry follows by considering 16 cases where one gives
the identity, while the remaining are absurd. Transitivity is
proven by exhaustion of cases.
Now we have provided enough tools to understand how the
partial monoids relate to categories:
Theorem 2: Any partial monoid is a category.
Proof: Let M xA , Æ , B, J y be a partial monoid.
Define a structure CM from M as follows: CM xA , M, y,
where the objects in CM are the objects in M while the
morphisms in CM , M , are embeddings in M . The composition operator in CM is interpreted as composition of
sequential embeddings. Composition Æ in the partial monoid
is then reformulated as A and B are embeddings into A Æb B
if the relation J pA, B, bq holds. Then CM is a category, since
lemma 5 tells us that sequential embedding is a partial order.
The identity function id works for every embedding M 1 in M .
i
i
i
i
Corollary 1: Sequential specifications and railroad nets
form two categories.
Proof: Immediate from theorem 2 and lemma 1 and 2.
In order to show that there are categories of general specifications and railroad nets, we must extend the notion of
sequential embeddings to general embeddings on graphs. This
is done by relaxing the composition operator of the sequence
of imaginary railroad journeys. A graph G1 is an embedding
into a graph G2 , if there exists a node n in G1 for one m in G2
such that n e m and for any sequence imaginary journeys
J1 seqrG1 , ns there exists a sequence of journeys J2 of G2 ,
such that each journey in J1 is a sequential embedding of a
journey in J2 .
Lemma 6: General specifications and railroad nets forms
two categories.
Proof: The proof follows by constructing categories for
specifications CS xS, MS , S y and railroad nets CR xR, MR, R y, with the morphisms interpreted as general embeddings on specifications an railroad nets, and composition
is interpreted as composition of embeddings.
Now we can prove the main theorem, which validates the
semantics of our software engineering method:
Theorem 3: sat is a functor ([2]) from the category of
specifications to the category of railroad nets. Moreover sat
is an isomorphism.
Proof: The fact that the functor sat from CS to CR is
an homomorphism, is just what theorem 1 says:
satpS1 [b S2 , Aq satpS1 , Aq 'Apbq satpS1 , Aq. In addition we stipulate that satp∅S , Aq ∅PN , and observe
that each specification (morphism in CS ) correspond to a
railroad net (morphism in CR ). In order to prove that sat
is an isomorphism, we observe that the inverse sat1 is also
a homomorphism. Since Apxn1 , n2 yq xApn1 q, Apn2 qy is a
bijection, the inverse A1 exists and we can reconstruct the
specifications of two railroad nets R1 and R2 uniquely. Hence
therefore sat1 exists and
sat1 pR1 'b R2 , Aq sat1 pR1 , Aq [A1 pbq sat1 pR2 , Aq.
VI. R EFINEMENT AND
MAINTENANCE
The role of refinement in our work is somewhat different from the standard notion in computer science (see for
instance [1] and [12]). The standard process of developing
an application is thought of as starting from a specification,
leaving several details of the implementation open. Then,
during successive refinement steps, more details are added.
Finally, a specification is reached that either (i) can serve
as the implementation or (ii) is detailed enough to start
implementing the application. In our case the specification
language is always kept separate from the implementation,
marked Petri nets. The distinction is highlighted in the sense
that the railroad specifications and railroad models belong to
two different categories. The railroad topology is preserved
from the specification to the implementation using saturation.
Refinement in our case is purely syntactic, more syntactic
elements are added to the structures.
In railway modeling it is important to be able to perform
controlled refinements and thereby maintain sets of relatively
large data structures. In our case we are interested in keeping
the basic structures, both the simplest atomic specifications,
and the basic components, and gradually build new libraries
of specifications and railroad nets. There are many orthogonal
problems to be investigated through simulation and analysis of
a given railroad like the Oslo subway. Examples of problems
that require various properties of the underlying executable
11
A
S
F1
S1
- S2A
[ - S2
A
S1
S
F1
sat
?
- RA
2
R
F1
-
R
F1
S3
sat
?
- RA
3
R
F2
' ?
- R2
R
F2
'
?
R1
Fig. 15.
A
S
F2
sat
?
A
R1
' -
- S3A
[
[ -
A
S
F2
-
?
R3
Cube relating refinements and saturation.
Petri net are; making schedules for the train, performance
analysis of traffic in general, simulation and analysis of safety
on the railroad, simulators for train-leaders, control and monitoring trains on the line. Since the model is relatively large,
adding details to it will have a computational cost. Therefore
it is important to maintain the more basic specifications and
railroad nets whenever possible. In the light of the previous
section, stepwise refinements of specifications and railroad
nets are related through the saturation functors as illustrated
by the extended cube in figure 15. where S1A , S2A , S3A is
a sequence of specifications starting with the atomic specification S1A , and F1S , F2S are the functions performing the
A A
refinements of these specifications, while RA
1 , R2 , R3 is
a sequence of refined railroad components, refined by the
functions F1R , F2R . The outer diagram is the result of applying
the theorem of construction. Hence Si denotes possibly large
composite specifications, while Ri denotes generated railroad
nets. Refinement of specifications will seldom be non-trivial,
since the specification language is intended to be a high level
language that should hide information. Only in the case of
time, the specification is extended with parameters modeling
the delay for each direction. For the rest of the paper we shall
therefore focus on refinements of Petri nets, the “floor” of the
previous diagram.
A. Refining Railroad Nets
Refinements of railroad nets is considered as purely syntactic refinement, the refined net contains more Petri net elements
than its ancestor. The refinement process is therefore twofold,
both the Petri net and the marking might be refined. The first
notion of refinement is called weak refinement, where new
places, transitions and arcs might be augmented in addition
to extra tokens: Let R1 xxP1 , T1 , A1 y, M1 y and R2 xxP2 , T2, A1 y, M2y be two railroad nets. A transition t2 is
a weak refinement of a transition t1 , denoted t1 R t2 , if
restpt1 q restpt2 q and lastpt1 q is a subsentence of lastpt2 q.
A set of transitions T2 is a weak refinement of T1 , denoted
T1 R T2 , if t1 P T1 D! t2 P T2 pt1 R t2 q. An arc a2
is a weak refinement of an arc a1 , denoted a1 R a2 , if
restpa1 q restpa2 q and lastpa1 q is a subsentence of lastpa2 q.
Furthermore a set of arcs A2 is a weak refinement of a set of
arcs A1 , denoted A1 R A2 iff a1 P A1 D!a2 P A2 pa1 R
a2 q. We say that the marking M1 is dominated by the marking
M2 iff ppxp, m1 y P M1 ^xp, m2y P M2 Ñ m1 M m2 q. We
say that the railroad net R2 is a weak refinement of a railroad
net R1 , denoted R1 WR R2 , iff P1 P2 , A1 R A2 ,
T1 R T2 and M1 is dominated by M2 .
Theorem 4: Weak refinement, WR , is a partial order.
xxP, T, Ay, M y WR xxP, T, Ay, M y folProof:
lows since each expression E is a subexpression of itself and m M m for any m. For antisymmetry suppose that xxP1 , T1 , A1 y, M1 y WR xxP2 , T2 , A2 y, M2 y and
xxP2, T2 , A2 y, M2y WR xxP1 , T1 , A1 y, M1y. Then every t1 P
T1 is one to one with sufficient t2 P T2 such that t2 R t1 and
t1 R t2 , but then t1 t2 , hence T1 T2 . A similar argument
entails that A1 A2 . Since m1 M m2 and m2 M m1 , we
have m1 m2 , hence M1 M2 . Finally WR is transitive,
since subsentence, domination and M is transitive.
We say that a collection of railroad nets CR2 is a weak
syntactic refinement of another collection CR1 , if |CR1 | |CR2 | and R1 P CR1 D!R2 P CR2 pR1 WR R2 q.
A stronger notion of refinement is one, where we permit
the user to refine the structure of the token, by extending
its attributes with more details. If t xCi , atri y is a token,
then we say that tR xCi , atrj y is a refinement of t,
written t R tR , iff t E tR . But since the structure of
the token might be changed, we need a more fine grained
notion of multi-set subset and domination. A multi-set m1 is
a unclean subset of m2 , written m1 m1 iff x P m1 D!y P
m2 pπ1 py q R π1 pxq ^ π2 pxq ¤ π2 py qq. A marking M1
is strongly dominated by a marking M2 iff ppxp, m1 y P
M1 ^ xp, m2 y P M2 Ñ m1 m1 q. Finally we define that
the railroad net R2 xxP2 , T2 , A2 y, M2 y is a refinement of a
railroad net R1 xxP1 , T1 , A1 y, M1 y, denoted R1 R R2 , iff
P1 P2 ,
T1 R T2 , A1 R A2 and M1 is strongly dominated by M2 .
Theorem 5: The refinement relation R is a partial order.
Proof: We can show that R is reflexive, transitive and
anti-symmetric, from the definition of R . The proof is an
obvious extension of theorem 4 and is therefore omitted.
Observation 4: R WR
The basic railroad net-components B, given previously can be
refined into railroad systems with time, traveling plan, safe
tracks and collision detection. An important property of the
Basic Railroad Nets, is that the process of syntactic refinement
can be automated.
B. Strong safety
The basic railroad net can be refined systematically by
adding tokens to each track-place, and by augmenting the
track-transitions with new arcs, that require that NoTrain
token in the proceeding track-place is enabled. Figure 16
shows how the basic road-track is refined to a safe road track.
For the purpose of this paper the basic railroad nets are
given by the eight components defined previously; B tB1 , . . . , B8 u. By convenience we use the symbols t and no to
denote the expressions Train and noTrain. B can be refined
to the corresponding safety components through the function
Fsafe pBq as follows:
Definition 12: Let B be a set of basic components. Then
12
Train.dir = +
Train.dir = −
Move−
Point machine
Ldir+
Move+
Ldir−
NoTrain
L
T
Join
Change
The safe road-track.
piiiq
pivq
SetL
R
Rdir−
piq
piiq
SetR
Train.dir = +
Train.dir = +
Fig. 16.
Left
NoTrain
NoTrain
NoTrain
T
Rdir+
Fsafe pBq tFsafe pB1 q, . . . , Fsafe pB|B| qu
Fsafe pBi q xxP, T, FsafepAqy, Fsafe pM qy
i 1 ¤ i ¤ |B| where Bi xxP, T, Ay, M y
Fsafe pAq A Y txp, t, noy|xt, p, tyP A ^ p P trackpP qu
Fig. 17.
Ytxt, p, noy|xp, t, tyP A ^ p P trackpP qu
Fsafe pM q t pp, M q|p R trackpP quY
txp, tnuy| pp, M q xp, myu
¤m
P
p q
p track P
m
T
Right
The safe turnout.
UR
UL
ULdir+
Observe that piv q requires that the track-places are not marked,
hence the noTrain token n is the sole member of the set.
Lemma 7: B WR Fsafe pBq
Proof: The refinement relation R is proper with respect to the refinement Fsafe pBq, since for every railroad
net component xxP, T, Ay, M y, we have A Fsafe pAq and
M M Fsafe pM q.
We say that a railroad net is strongly safe iff two trains
never can inhabit the same track place. The property that
the places in a Petri net contains at most one token in any
reachable marking is called 1-safeness. Any 1-safe railroad
net is therefore strongly safe.
Theorem 6: Any railroad net R over Fsafe pBq is strongly
safe.
Proof: Observe first that we only need to examine
potential local collisions. By induction over the size of the
specification S that specifies the model, pS q we prove that
R is strongly safe. The proof is split into cases both in the
basis step and in the induction step. Consider the induction
basis: pS q 0. This means that S consists of no binding
elements, and therefore that R can only be one of the basic
components in Fsafe pBq. An examination of |FsafepBq| number of components shows that when we prepare each Petri net
component with the maximal number of trains, they remain
strongly safe. We shall give an argument for the turnout, and
leave the rest to the reader. The maximal arrangement of the
safe turnout component is putting three trains into it, as seen
in figure 17. Let the trains in the track places Left and right
be directed towards Join. Independent of the movements of
the train in Join, the net remains 1-safe because of the lack
of noTrain tokens to enable any of the transitions. Consider
the induction step: Suppose that pS 1 q k. Then there are
two cases: Either S is connected to a new component (a) or
S is connected internally (b) by a new binding. We show (a)
since the proof (b) will be symmetrical. There are at most
|B| cases to consider. Suppose that S is connected to the
atomic component double slip through a track section as in
figure 18. By the induction hypothesis satpS 1 , Aq is strongly
n
n
n
URdir−
ULdir−
URdir+
SetUR
SetUL
Change
Change
SetDR
DRdir+
DLdir−
SetDL
DLdir+
DRdir−
dir−
T
T
DR
dir+
DL
sat(S’)
Fig. 18.
The safe double slip connected to a track segment.
safe. But the composition of the safe double slip with the track
segment is also strongly safe. If the two trains are driving on a
collision course, they are prevented from inhabiting the same
place since the interface preserves 1-safeness and there are no
noTrain token to enable the track transitions in figure 18.
Observation 5: Any strongly safe railroad net Rs is connected.
Proof: By induction on the size of the specification S
generating Rs . In case pS q 0, Rs is one of the safe railroad
net components, which is connected by construction. If R R1 'b Bi where pR1 q k 1 the induction hypothesis gives
that R1 is connected. The connection between a constructed
two interface (track) places gives locally a connected net.
Hence since Bi is connected by ind. basis, the result follows
by using observation 2 to conclude that R1 'b Bi is connected.
n
n
In strong safety trains can not crash at all. In real railway
systems safety systems often permit that two trains driving on
the same direction bump into each other at low speed. The
train from behind might have slightly higher speed than the
former train.
C. Local collision detection
It is interesting that the components of the strongly safe
railroad net, Fsafe pBq S, can be further refined into railroad
13
Train.dir = −
Train.dir = −
Move−
NoTrain
NoTrain
Move+
Move−
NoTrain
NoTrain
NoTrain
NoTrain
Train.dir = +
Train.dir = +
Train.state := C
Train.dir = −
Train.dir = −
@ + delay 1
Move+
NoTrain
NoTrain
@ + delay 2
Train.dir = +
Train.dir = +
Train.state := C
Train.dir=+
Train.dir=−
Fig. 20.
Road track with delay.
Crash
Alarm
Fig. 19.
Road track with weak local collision detection.
nets with collision detection (C). This emphasizes why the
refinement in this paper is called purely syntactical refinement.
In a standard approach, semantical properties like safety,
collision should be preserved by refinement! In nets with
collision detection front-to-front collisions are detected and
the trains are stopped in the line, in a state of having collided.
Trains that are prepared for a railroad with collision detection
is extended with a state, telling whether the train is working
or not.
xTrain, xTrainId, Dir, Stateyy
The colour State permits two values ttrue, falseu, where
true means the train is working and false means that it has
collided. If N xP, T, Ay is an unmarked railroad net with
trackpN q xP t , T t , At y, then we say that p1 and p1 is
a trackpair in N, written trackpairpp1 , p2 , N q, iff p1 , p2 P
P t Dt P T t pxp1 , ty, xt, p2 y P At q.
Definition 13: Let S be a collection of safety components
refined by B. Then Fcoll pSq is defined by
piq FcollpSq tFcollpS1 q, . . . , FcollpS8 qu
piiq i 1 ¤ i ¤ 8 where Si xxP, T, Ay, M y :
tp txp1 , p2 y|trackpairpp1 , p2 , xxP, T, Ay, M yqu Y A1
Fcoll pSi q Fcoll pSi , tpq
Fcoll pxxP, T, Ay, M y, tuq xxP, T, Ay, M y
Fcoll pxxP, T, Ay, M y, txp1, p2 yu Y tp1 q Fcoll pxxP Y ta7 u, T Y tc7 u, A Y Ac y, M y, tp1 q,
where Ac txp1 , c7 , t.dir y,
xp2 , c7 , t.dir y, xc7, p1 , t.state : Cy,
xc7 , p2 , t.state : Cy, xc7, a7 , ayu
The only exception in this function is the rigid crossing
component, S4 , where extra checks for collisions must be
performed on the diagonal, hence to handle S4 we set; A1 txp1, p2 y|p1, p2 P trackpP q^ i 4 ^ trackpairpp1 , p2 , S4 qu
Lemma 8: S WR Fcoll pSq
Proof: For each component Si xxP, T, Ay, M y, we
have Si WR Fcoll pSi q since; P Fcoll pP q, T Fcoll pT q
implies for each t1 P T there exists only one t2 P Fcoll pT q
such that t1 R t2 , with a similar argument for A Fcoll pAq
and finally the fact that M Fcoll pM q gives the result.
But then we know that the resulting railroad net with collision
detection is a refinement of the basic railroad net:
Observation 6: The components with local collision detection is a weak syntactic refinement of the basic railroad net.
Proof: We must prove B WR Fcoll pSq. Note that
B WR Fsafe pBq by lemma 7 and S WR Fcoll pSq by
lemma 8, and finally S Fsafe pBq. Then the result follows
by theorem 4. Hence B WR Fcoll pFsafe pBqq.
Observation 7: Any railroad net Rc constructed over
Fcoll pFsafe pBqq is connected.
The alarm place is an output place that informs the user
precisely where the collision occurred. Without the alarm place
the track part of collision detection nets would have been
strongly connected.
Theorem 7: Any correct construction of a railroad net over
Fcoll pFsafe pBqq permits local collision detection.
Proof: By induction over the size of the specification S
that specifies the model R, pS q it is proven that R permits
local collision detection. The proof follows the same line as
theorem 6. All the cases are easy and therefore omitted.
n
D. Time
A timed railroad net ( [9]) is a railroad net where a global
clock is introduced. The clock represent time in the model.
Tokens may contain a time stamp in addition to the values
they may contain in an untimed net. This time stamp is the
earliest point in time at which the token can be included in the
firing of a transition. Arcs may contain delays. The delays will
be inherited from the specification level. Transitions that have
outgoing timed arcs are called timed transitions. Figure 20
shows how the safe track is refined, with time. The basic
railroad net components or the safe railroad net components
may be refined to timed railroad net components by the
refining function Ftime pSq. The function augment the trackarcs with time inscriptions, by using a fresh variable and also
adding a time stamp to all train tokens and noTrain tokens.
The time stamp will be added to the tokens attribute list. To
refine the train that suits the basic components simply means to
extend the attribute list of the train with slots for timestamps;
xTrain, xTrainId, Dir, TimeStampyy
The delay will be added to the expression of the arc xe1 , e2 , E y
by a fresh variable, that later on will be instantiated by an
integer value or a function: xe1 , e2 , E ^ @ x7 y.
Definition 14: Let S be a collection of components. Then
Ftime pSq is defined by:
14
piq FtimepS q tFtimepS1 q, . . . FtimepS8 qu
piiq i 1 ¤ i ¤ 8 where Si xxP, T, Ay, M y
Ftime pSi q xxP, T, Ftime pAqy, Ftime pM qy
Ftime pAq ta|a R trackpAquY
txe1, e2 , E ^ @ x7 y | xe1, e2 , E y P trackpAqu
Ftime pM q tm|m R trackpM quY
txp, xColour, xxTimeStampy$%atryyy|
xp, xColour, xatryyy P trackpM qu
Note that the timestamps of the tokens will get their values
in the initialization of the net. The variable Colour may have
the two values tTrain, noTrainu. The concrete delay on the
arcs will be inherited from the specification after saturating
a specification that contains information details about delays.
Finally we conclude that;
Lemma 9: S R Ftime pSq
Proof: For each of the components Si xxP, T, Ay, M y,
1 ¤ i ¤ 8; Ftime pP q P , Ftime pT q T . Obviously A R Ftime pAq since E is a subsentence of
x7 . Moreover since both xp, xCol, xatryyy P M
E ^@
and xp, xCol, xTSy$
%xatryyy P FtimepM q gives that M
Ftime pM q, we conclude that M is strongly dominated by
Ftime pM q.
Train.sS := true
xNoTrain, xTimeStamp, distance, sendSignal,
distance, sendSignalyy
The distance is the number of places in the positive direction
to the next obstacle. The sendSignal can have the values
ttrue, falseu. If the value is true it means that, if there
is a noTrain token in the negative direction, tell it your
distance. The same applies to distance and sendSignal.
the { sendSignal is to prevent signals from running back
and forth uncontrollably. The train tokens have to inform the
token in front of it of its presence. Therefore the train tokens
must have a sendSignal variable as well.
xTrain, xTrainId, Dir, TimeStamp, SendSignalyy
Figure 21 shows how a safe track with time is refined with
sensitivity. In the figure distance is shortened to dis and
sendSignal is shortened to sS. The two middle transitions
show the recursion step of the information update. The four
other transitions show the start step sending information
noTrain.−dis := 0
noTrain.−sS := true
noTrain.+sS = false
noTrain.+dis := 0
noTrain.+sS := true
noTrain.−sS := false
Train.dir = −
Train.sS = false
nt−tr+
Train.dir = −
Train.sS := false
noTrain
noTrain.+dis := n+1
noTrain.+sS := true
noTrain.+dis = n
noTrain.+sS = true
nt−ant+
NoTrain
noTrain.sS := false
noTrain.−sS := false
noTrain.−dis = n
noTrain.−sS = true
noTrain
ant−nt+
noTrain.−dis := n+1
noTrain.−sS := true
Train:sS:=false
Train.dir = +
Train.sS = true
noTrain
tr−nt+
noTrain.−dis := 0
noTrain.−sS := true
noTrain.+sS = false
noTrain.+dis := 0
noTrain.+sS := true
noTrain:−sS=false
Train.dir = +
Train.sS = false
Fig. 21.
E. Signal and safety
Although we shall not represent the complete signal and
security system, we shall present how sensitive railroad components can be constructed, and explain how they work. By
sensitivity we mean that the components have local knowledge
of the distance to the next obstacle in both directions.
Since modularity of the components is a desirably property,
we let information travel along the track. The main idea is that
the noTrain tokens is extended to contain information about
the distance to the next obstacle. Such an obstacle may be
another train, the end of the track or something else which
occupies the tracks. The noTrain tokens should update each
other recursively, but not more than necessary. The update
of this information is performed by untimed transitions. The
noTrain token will now be of the form:
move−
@ + delay 1
Train.sS := true
@ + delay 2
move+
Sensitive road track.
Sem @+1
noTrain. −sS = true
Bounce
noTrain. −sS := false
noTrain. +dis := 0
noTrain. +sS:=true
Sem
Sem
Stop
Fig. 22.
Sensitive end segment.
about a train in one of the two places. Every time the train
moves, information will be sent both ways. The moving train
puts a new noTrain token backwards, and sends information
forwards. Other obstacles behave similarly. Light signals and
switches sends information when they change.
End segments, on the other hand, never change. Thus, when
a train moves away from an end segment we will never
update how far it is to the end segment unless we do a
little trick. The train sends a signal backward by dropping
a noTrain token with one of the sendSignal values to true.
When this signal hits an end segment we have to let the end
segment send a signal back. To prevent two end segments
from continually sending signals to each other we introduce a
semaphore place which makes sure that each end segment can
send only one such signal each tick. Figure 22 shows the end
segment refined with sensitivity. In figure 23 we have depicted
the sensitive turnout. The transitions connected to the point
machine ensures that when the point state of the point machine
changes, the old direction is updated with the turnout as the
obstacle, and the new direction is updated with the current
join obstacle, and by a recursive investigation of possible
direction). An algorithm
obstacles in the opened line (the
for systematic construction of sensitive components can be
15
noTrain. +dis := n3
noTrain. +sS := false
noTrain. −dis := 0
noTrain. −sS := true
Left
noTrain. +dis = n3
noTrain. −dis = n4
Point Machine
noTrain. +dis = n3
L
noTrain. +dis := n3
noTrain. +sS := true
noTrain. −dis := n2
noTrain. −sS := true
Join
SetR
Change
noTrain. +dis := n1
noTrain. +sS := true
noTrain. −dis := n4
noTrain. −sS := true
R
SetL
noTrain.+dis = n1
Right
noTrain. +dis = n1
noTrain. −dis = n2
noTrain. +dis := n1
noTrain. +sS := false
noTrain. −dis := 0
noTrain. −sS:=true
Fig. 23.
The sensitive turnout.
ss
FS sss
CB KKK
KKKK
KKKF
KKKT
KK
!)
s
ss
yss
CBT
CBS K
KKKK
s
u
FS sss
FC uuu
KKKKFKT
s
u
KKKKK
ss
uu
K !)
yss
zuu
CBSCI
CBST K
IIII
KKKK
ss
IIIIIFT
F
KKKF
C ss
s
IIIIII
KKKKIK
ss
KK
s
II (
s
!)
ys
CBST I
CBSCTK
KKKK
s
FC sss
KKKKFKI
s
s
KKKKKK
s
yss
!)
CBSCT I
Fig. 24.
The relation between the libraries.
made as a refinement of collision detection nets, Fsens pCq.
Every track triple pp1 , t, p2 q in a component is refined with
extra transitions, one set for each direction, with arcs for
administrating the movement of trains, and for updating the
noTrain tokens. Then after the tracks are refined, new arcs
between point machines and tracks are added. The function
takes a track-refined net and the set of turnout patterns inside
R, and adds arrows between the new transitions and the point
machine, and from the two transitions in the point machine
and the splitting track places.
described above. As a case study we chose to specify entirely
the Oslo Subway system, a subway that consists of 5 lines and a
total of 103 stations, serving a population of 700 000 people.
The ancestor of the company started 1875, using horses to
pull the wagons. During the last hundred years there has
been several phases of upgrading the system, by extensions
of the line as well as splitting the company into trams and
subway. The Figure 25 shows the existing railroad tracks June
2005, and planned new tracks (the inner circle) to be finished
during 2006. One of the tasks we have investigated is the
impact the new cyclic line will have on the traffic flow. The
complete layout of tracks has been specified in the RWS
Editor according to technical drawings from Oslo Subway
Corporation. The drawings were partially in electronic format
and partially on standard maps. Figure 26 shows details of the
technical drawings, the railroad layout of the station Tøyen.
The drawing contains information about the block sections,
the signals and the circuit for power supply. These layouts
and maps were used as the basis for the specification in the
tool. The specification process of the complete topology of
Oslo Subway took approximately 10 hours for an experienced
user of the tool. The final specification based on 8 atomic
specifications, resulted in 918 components in the full circuit.
From the specification of Oslo Subway and railroad nets
components with safety, explained in section VI, Petri net code
for the entire Oslo Subway has been generated.
Figure 27 shows a detail of the net specified, based on the
atomic specification (the leftmost table in the tool), and the
technical drawing Figure 26.
F. Relating the refinements
The specific chains of refinements suggested are somewhat
arbitrary. Since both refinement relations are partial orders,
we can depict the possible processes of refinement as paths
F
in the graph depicted in figure 24. The single arrow C1 ÝÑ
F
C2 indicates C1 WR C2 , while C1 ùñ C2 indicates C1 R
C2 . F denotes the refining function, while the subscripts of
C indicates the property of the components at hand; B reads
basic, S reads safety, C reads collision and I reads sensitive.
VII. C ASE
STUDY
Fig. 25.
Oslo Subway.
Fig. 26.
Technical drawing of railroad topology - Oslo Subway.
- O SLO S UBWAY
A tool called RWS Editor was implemented ([21], [5])
based on the theory of constructing nets from specifications
16
VIII. C ONCLUSION
Petri Nets give an excellent language for building and
reasoning about application domains with several restrictions,
like the railroad case. We have shown that Petri Nets scale
well, systems that might be too large or complex for other
specification and implementation languages have a good representation in Petri Nets. At each step in the process of modeling
the developer has techniques to evaluate the adequacy and
soundness of the models at hand. Petri Nets provide techniques
that ease both manual and automatic verification.
ACKNOWLEDGMENTS
Fig. 27.
Specification of Oslo Subway in the tool.
MoveCL112
Status
P311
MoveCL212
MoveCL312
Status
P411
Status
P212
1‘NoTrain
MoveACL311
[member((sID,Right),r)]
Status
Status
joinU14
leftU13
1‘NoTrain
1‘NoTrain
Rdir3CL14
UpperCL13
MoveCL221
Status
P221
1‘NoTrain
1‘NoTrain
MoveACL312
MoveCL321
Status
MoveCL122
P421
P321
MoveACL321
MoveCL222
Status
Status
P222
1‘NoTrain
1‘NoTrain
MoveACL221
MoveACL121
MoveCL322
Status
1‘NoTrain
MoveACL222
MoveCL123
Status
MoveACL123
1‘NoTrain
Status
MoveCL223
MoveCL323
Status
Status
Rdir3ACL26
Status
MoveACL140
Status
P425
joinU26
1‘NoTrain
MoveACL125
UpperCL24
1‘NoTrain
MoveCL325
P325
1‘NoTrain
1‘NoTrain
1‘NoTrain
MoveACL223
MoveCL225
P225
P423
P422
1‘NoTrain
MoveACL322
Status
Status
leftU24
P323
P223
P322
1‘NoTrain
MoveACL122
MoveCL125
Status
UpperACL24
MoveCL121
Rdir3ACL14
Status
P412
1‘NoTrain
MoveACL212
UpperACL13
Status
P312
1‘NoTrain
MoveACL112
[member((sID,Right),r)]
[member((sID,Left),r)]
[member((sID,Left),r)]
MoveCL311
Status
1‘NoTrain
1‘NoTrain
MoveACL225
P240
Rdir3CL26
1‘NoTrain
MoveACL325
MoveCL140
1‘NoTrain
MoveACL323
SwitchNo
SwitchNo
SwitchNo
Switch
Switch
SwitchU_ID13
Switch3_ID26
SwitchU_ID24
SwitchNo
L_U13
Switch3_ID14
RdirACL13
Switch
ExtControl
1‘switch
ExtControl
SetL326
ExtControl
SetL314
R_U24
R314
SetLU24
[member((sID,Left),r)] [member((sID,Left),r)]
1‘switch
Switch
Change326
[member((sID,Right),r)]
[member((sID,Right),r)]
LdirACL14
1‘switch
Change314
R326
ExtControl
Switch
[member((sID,Left),r)]
SetLU13
ChangeU24
Switch
ChangeU13
Switch
[member((sID,Right),r)]
R_U13
RdirCL13
SetRU24
L_U24
SetRU13
1‘switch
[member((sID,Right),r)]
RdirACL24
Switch
[member((sID,Left),r)]
L314
LdirCL14
LdirCL26
LdirACL26
L326
SetR326
Switch
RdirCL24
L426
Switch
SetRL13
SetR314
Switch
SetRL24
L414
SwitchL_ID13
R426
SetL426
SwitchNo
ExtControl
ChangeL24
Switch
Switch4_ID14
L_L13
R_L24
ExtControl
SetR414
SwitchNo
Switch
SetLL13
Change426
Switch
ExtControl
ChangeL13
ExtControl
Switch4_ID26
Switch
SwitchNo
SetR426
SwitchNo
R_L13
1‘switch
SwitchL_ID24
Change414
Switch
SetLL24
L_L24
1‘switch
R414
[member((sID,Right),r)]
Status
MoveCL115
Status
MoveCL215
Status
MoveCL315
Status
LowerCL13
Status
SetL414
MoveACL115
1‘NoTrain
P315
MoveACL215
1‘NoTrain
MoveACL315
leftL13
[member((sID,Left),r)]
1‘NoTrain
LowerACL13
1‘switch
Status
joinL13
[member((sID,Right),r)]
[member((sID,Left),r)]
1‘switch
Rdir4CL14
P215
P115
1‘NoTrain
Status
MoveCL136
right414
Status
MoveCL236
P236
MoveCL336
P336
Status
[if(dir <&gt; STOP)]
P137
Status
MoveACL131
MoveCL231
Status
Status
MoveCL331
Status
UpperCL28
LowerACL24
Rdir3CL27
Status
Status
1‘NoTrain
Rdir4ACL14
1‘NoTrain
MoveACL136
MoveACL236
1‘NoTrain
MoveACL336
1‘NoTrain
1‘NoTrain
MoveCL131
1‘NoTrain
MoveACL231
1‘NoTrain
MoveCL129
MoveACL331
P129
1‘NoTrain
1‘NoTrain
1‘NoTrain
Rdir3ACL27
Status
MoveACL129
MoveACL329
SetL327
R327
MoveCL229
1‘NoTrain
UpperACL28
Status
MoveACL132
Status
right426
Rdir4ACL26
1‘NoTrain
P232
MoveCL132
1‘NoTrain
MoveCL329
Switch
SwitchNo
1‘switch Switch3_ID27
Switch
Change327
Rdir4CL26
joinL26
[member((sID,Left),r)]
1‘NoTrain
1‘NoTrain
Switch
ExtControl
Status
Status
joinU28
1‘NoTrain
P329
P229
[member((sID,Right),r)]
LowerCL24
MoveACL229
Status
leftL24
P331
P231
P131
Stop33
joinL24
1‘NoTrain
SwitchNo
L_U28
SwitchU_ID28
1‘switch
SetRU28
ExtControl
ChangeU28
Switch
SetR327
L327
R_U28
SetLU28
[member((sID,Right),r)]
[member((sID,Left),r)]
MoveCL137
[member((sID,Right),r)]RdirCL28
[member((sID,Left),r)]
LdirCL27
Switch
RdirACL28
LdirACL27
MoveACL137
SetLL28
R_L28
Switch
SwitchNo
ExtControl
SetR427
L427
SwitchNo
SwitchL_ID28
ExtControl
Switch4_ID27
Switch
ChangeL28
Change427
R427
Switch
L_L28
SetRL28
SetL427
1‘switch
[member((sID,Right),r)]
Status
MoveCL237
P237
1‘NoTrain
Fig. 28.
Status
MoveCL337
P337
MoveACL237
1‘NoTrain
Status
MoveCL138
P138
MoveACL337
1‘NoTrain
Status
MoveCL238
P238
MoveACL138
1‘NoTrain
Status
MoveCL338
P338
MoveACL238
1‘NoTrain
Status
Rdir4CL27
joinL27
MoveACL338
1‘NoTrain
1‘switch
Status
MoveACL130
right427
Rdir4ACL27
1‘NoTrain
Status
MoveACL230
P230
MoveCL130
1‘NoTrain
MoveCL330
Status
P330
MoveCL230
1‘NoTrain
MoveACL330
LowerCL28
Status
MoveACL146
Status
leftL28
[member((sID,Left),r)]
joinL28
1‘NoTrain
LowerACL28
1‘NoTrain
Status
P246
MoveCL146
1‘NoTrain
Automatically generated Petri Net from specification in Figure 27.
Thanks to Atle Refsdal, Mass Soldal Lund, Jon Haugsand,
Olaf Owe, Dag Normann, Thor Kristoffersen, Arild B. Torjussen, Bjarte M. Østvold, Steinar Kristoffersen, Wolfgang
Leister, Dines Bjørner and Yuri Gurevich for comments on
earlier drafts of this paper, and to Dag Langmyhr for help
with LATEX. The authors would also like to thank Trygve
Kaasa, Willy Ulseth and Thor Georg Sælid from Oslo Subway
Company, for comprehensive knowledge about railroad engineering and the railroad layouts for Oslo Subway. Finally we
would like to thank three anonymous referees, and additionally MengChu Zhou and Robin Qiu for good advice, which
hopefully improved the final version significantly.
R EFERENCES
From the specification of Oslo Subway in Figure 27 and Petri
net components introduced in section IV, the Petri net code
for the whole Oslo Subway may be generated. The saturation
algorithm does this automatically, based on Lemma 3 and
Theorem 1. The result in terms of Petri Nets exported to Design/CPN, is shown in Figure 28. The resulting automatically
generated Petri net contains 3455 places, 5726 transitions and
23850 arcs, with an initial marking (before trains are put on
the net) containing 2753 tokens. Both the specifications and
the Petri nets are represented as XML. The specification above
takes 496 Kilobytes, while the railroad net is 13.9 Megabytes.
Neither Design/CPN nor CPN Tools are able to represent or
execute the models, although standard CPN formats were used
in the implementation, The amount of data was too big.
Our group collaborated with chief engineers within railroad infrastructure and traffic. Although none were specialists
neither in Petri Nets nor formal methods in general, they
understood the semantics of Petri Nets quickly, and suggested
improvements on the models. Oslo Subway has several problems they want to explore. It is a difficult practical problem
to plan the optimal route for the trains, the most cost effective
way to place the train on the track. As can be seen from
Figure 25, many lines use the same physical track, causing
bottlenecks. In the future we expect that simulation by the
timed railroad models can give better understanding of traffic
flow on the critical parts of the tracks. Tool support for subway
simulation is poor, and it seems particularly fruitful to develop
and experiment with Petri nets as the main underlying datastructure, since the semantics of the model is clear and the
models are executable.
[1] R. Back. Correctness Preserving Program Refinements: Proof Theory
and Applications. Number 131 in Mathematical Center Tracts. Mathematical Centre, Amsterdam, 1980.
[2] M. Barr and C. Wells. Category Theory for Computing Science. Prentice
Hall, 1990.
[3] D. Decknatel. Modelling Train Movement with Hybrid Petri Nets. In
FMRail Workshop 4, 1999.
[4] Maria Pia Fanti, Alessandro Giua, and Carla Seatzu. A Deadlock
Prevention Method for Railway Networks using Monitors for Colored
Petri Nets. In Proc. 2003 IEEE Int. Conf. Systems, Man, and Cybernetics
(Washington, D.C., USA), pages 1866–1873, October 2003.
[5] A. M. Hagalisletto and I. C. Yu. Large scale construction of railroad
models from specifications. In Wil Thissen, Peter Wieringa, Maja Pantic,
and Marcel Ludema, editors, IEEE SMC’2004. Conference Proceedings
2004 Systems Man and Cybernetics, pages 6212 – 6219. IEEE, October
2004.
[6] W. Hielscher, L. Urbszat, C. Reinke, and W. Kluge. On Modelling Train
Traffic in a Model Train System. In Workshop and Tutorial on Practical
Use of Coloured Petri Nets and Design/CPN, June 8-12, 1998, Aarhus
Denmark, 1998.
[7] C. A. R. Hoare. Proof of correctness of data representations. Acta
Informatica, 1(4):271–281, 1972.
[8] K. Jensen. Coloured Petri Nets - Basic Concepts, Analysis Methods
and Practical Use, volume 1 of EATCS, Monographs on Theoretical
Computer Science. Springer-Verlag, 1997. Basic Concepts.
[9] K. Jensen. Coloured Petri Nets - Basic Concepts, Analysis Methods
and Practical Use, volume 2 of EATCS, Monographs on Theoretical
Computer Science. Springer-Verlag, 1997. Analysis Methods.
[10] T. Kristoffersen, A. M. Hagalisletto, and H. A. Hansen. Extracting
High-Level Information from Petri Nets: A Railroad Case. Proceedings
of the Estonian Academy of Physics and Mathematics, 52(4):378 – 393,
December 2003.
[11] Gabrielle Malavasi and Stefano Ricci. Petri nets theory in the railway
signalling models. In FMRail Workshop 5, 1999.
[12] J. M. Morris. A theoretical basis for stepwise refinement and the
programming calculus. Science of Computer Programming, 9(3):287
– 306, 1987.
[13] J. Pachl. Railway Operation and Control. VTD Rail Publishing, 2002.
[14] Wolfgang Reisig and Grzegorz Rozenberg. Lectures on Petri Nets II:
Applications. Number 1492 in Lecture Notes in Computer Science.
Springer-Verlag, 1998. Part 2.
17
[15] X. Ren and M. C Zhou. Scheduling of Rail Operation: A Petri Net
Approach. In Proc. of 1995 IEEE Int. Conf. on Systems, Man, and
Cybernetics, Vancouver, Canada, Vol. 4, pages 3087–3092, October
1995.
[16] E. Smith. Principles of High Level Net Theory. In Lectures on Petri Nets
II: Applications, number 1491 in Lecture Notes in Computer Science.
Springer-Verlag, 1998. Part 1.
[17] L. Tang, T. Chen, and J. Xiao. Analysis of the concurrent model of train
station based on Petri net. In Proc. 2000 Int. Workshop on Autonomous
Decentralized Systems, 21-23 September 2000, Chengdu, China, pages
92–96, 2000.
[18] W.M.P. van der Aalst. The Application of Petri Nets to Workflow
Management. The Journal of Circuits, Systems and Computers, 8(1):21–
66, 1998.
[19] W.M.P. van der Aalst and M.A. Odijk. Analysis of railway stations
by means of interval timed coloured petri nets. Real Time Systems,
9(3):1–23, November 1995.
[20] W.M.P. van der Aalst, K. M. van Hee, and G. J. Houben. Modelling
and Analyzing Workflow using a Petrinet based Approach. In G. De
Michelis, C. Ellis, and G. Memmi, editors, Proceedings of the second
Workshop on Computer-Supported Cooperative Work, Petri nets and
related formalisms, pages 31–50, 1994.
[21] I. C. Yu. A Layered Approach to Automatic Construction of Large
Scale Petri Nets. Master’s thesis, Department of Informatics, University
of Oslo, September 2004.
[22] M. Meyer zu Hörste. Modelling and Simulation of Train Control
Systems using Petri Nets. In FMRail Workshop 3, 1999.
A PPENDIX I
C OMPOSITION RULES FOR O SLO S UBWAY
The complete table of rules for composition of the specification Oslo Subway from [21] is given below:
xSR-2, SL-2y
xSR-2, SL-1y
xSL-2, TU-2y
xSL-2, TU-1y
xL-1, SR-1y
xL-1, TU-1y
xTU-2, L-2y
xSR-1, L-2y
xL-2, RCy
xSR-2, SR-1y
xL-1, ENDy
xSR-1, SL-1y
xTU-1, RCy
xSR-2, L-1y
xSR-2, L-2y
xSL-2, SR-1y
xL-1, SCy
xL-1, SL-1y
xSC, L-2y
xTU-2, TU-1y
xSR-1, TU-1y
xL-2, TU-1y
xSL-2, L-1y
xL-1, RCy
xSL-1, TU-1y
x TU-1, TU-1y
xSR-2, TU-2y
xSR-2, TU-1y
xSL-2, SL-1y
xL-1, TU-2y
xL-1, L-2y
xTU-2, SR-1y
xEND, L-2y
xSL-1, L-2y
xRC, RCy
xSL-2, L-2y
xTU-2, RCy
xRC, TU-1y
A PPENDIX II
T HE IMPLEMENTATION OF
MOST- PROMISING - PATH
Below we give a detailed explanation of the functions
needed to execute the algorithm for finding the most
promising path, fpath: collectpX, xq finds every pair in
Z xxX1 , U1 y, . . . , xXn , Un yy and returns the sets of pairs
txXi, Uiy P Z | where x xy, z y is a subsequence in Xi u.
collectpx y, xq x y,
collectpZ $xY, U y, xq collectpZ, xq$xY, U y if is px, Y q
collectpZ $xY, U y, xq collectpZ, xq if not is px, Y q
collectpX, xq applies the function is pxx, y y, X q that takes a
sequence and decides whether xx, y y is a subsequence in X.
is pxx, y y, X $
%xx, yyq J
is pxx, y y, x yq K
is pxx, y y, X $
%xu, vyq is pxx, yy, X q if x u or y v.
The function maxSpZ, X, B q takes Z, the set of promising
journeys, and finds the pair in Z with largest second projection,
relative to the set B (the most promising journey updated with
the current set of bindings B).
maxSpx y, X, B q X
maxSpZ $xX, U1y, xY, U2 y, B q maxSpZ, maxpxX, U1 X B y, xY, U2 X B yq, B q
maxpxX, U1 y, xY, U2yq xY, U2 y if |U1 | ¤ |U2 |
maxpxX, U1 y, xY, U2yq xX, U1 y if |U1 | ¡ |U2 |
What remains now is to find the next steps in the path of the
journeys already traveled. This is taken care of by the function
next2pX, xx, y yq that presupposes both the existence of xx, y y
as a subsequence of X, and returns the next two elements after
xx, yy:
next2pxx, y y$
%X, xx, yyq xπ1 pX q, π2 pX qy
next2pxu, v y$
%X, xx, yyq next2pX, xx, yyq
if x u or y v
This finally gives us the function that finds the most clever
route to follow next, by using the historical knowledge of
previous journeys and updated with the unvisited nodes B.
fpathpJ, xx, y y, B q next2pmaxSpcollectpJ, xx, y yq, nil, B q, xx, y yq
Anders Moen Hagalisletto was born in 1969 and
received his Bachelor’s degree in mathematics and
philosophy in 1993, Master’s degree in philosophy
in 1997, and Master’s degree in computer science
in 1999. He is currently working toward the Ph.D.
degree. He has been working on topics in mathematical logic, in particular provability logic, and
was cofounder and coeditor of Nordic Journal of
Philosophical Logic. From 1999 to 2002 he was empoyed as research scientist at Norwegian Computing
Center, and in 2001 he held a position as university
lecturer at the Institute for Computer Science, University of Oslo. His
current research interests include industrial appilcations of formal methods,
in particular automated software engineering; Petri Nets models of railway
systems and tools for testing and analyzing security protocols.
Joakim Bjørk was born in 1974 and received his
Bachelor’s degree in computer science and biology
in 2002, and is currently working toward his master
thesis in computer science at the University of Oslo.
His current research interests include railroad simulation using formal methods, in particular execution
of large scale Petri Nets, with a special focus on
timed nets.
Ingrid Chieh Yu was born in 1979 and received her
Bachelor’s degree in computer science and mathematics in 2002. In 2004 she received her Master’s
degree in computer science and is currently working
toward the Ph.D. degree at the University of Oslo.
She has been working on railroad modelling using
Petri Nets and automated software engineering of
large scale Petri Nets. Her current research interests
include formal methods, object-oriented open distributed systems, and programming constructs.
Pål Enger was born in 1980. He recieved his Bachelor’s degree in computer science and mathematics
in 2003 at the University of Oslo, and is currently
working toward his Master’s degree in computer
science. His current research interests include modelling and simulating railroad nets using Petri Nets.
