When we started our research on testing the first computer systems, including computer peripherals, which were already rather complex to understand and design, we were using hardware and logical descriptions. Later when the complexity increased, it became obvious to us that a formal behavioural description would be of great help. Looking at the existing proposals we discovered Petri Nets (PNs) and it appeared to us that they would provide an excellent model and very useful support to represent the systems’ behaviours, as they include intrinsic parallelism and synchronisation. We then designed Petri-net-based simulators to derive test sequences. Still later, the behaviours of communicating systems depending on time and delays proved to be more and more important, making the designs more complex, and so we devoted a part of our research to the description of systems whose behaviour depends on explicit values of time. Again, we found that Petri Nets provide an excellent basic model to represent and handle behaviours based on explicit values of time.

During our research we actually met Carl Adam Petri and discussed with him our ideas for modelling systems and the selected ways to extend Petri Nets to represent and handle explicit values of time. He was really quite interested in these new efficient extensions of the basic model and he found them quite simple, elegant and attractive.

We will now discuss how these models can express fundamental and complex temporal requirements by extending Place-Transition (PT) PNs. To represent and analyse systems relying on explicit values of time, three of the proposed extensions of PTs will be briefly discussed, viz., Timed PNs, Time PNs and Timely Synchronised PNs.

1 Timed PNs

In their basic semantics PNs do not have time values. Nevertheless, when going from a marking to a successor marking the model assumes the indivisibility of the firing of transitions, which means that a firing takes no (i.e. zero) time. In PTs the behaviour of a timed system is represented in an ad hoc way, for instance in protocols by adding a place that is marked when a message is lost. Such a simple solution allows the validation of rather complex algorithms, such as a virtual ring protocol, e.g. showing that its logical design is correct not only with respect to the loss of messages, but also when an interface cannot send any message and when an interface cannot receive any message [1].

The first time extension of PTs was called Timed PNs [2] and used for performance analysis. This model added to PTs a time value for each transition, to represent the time needed for a firing. Here a transition is fired as soon as it is enabled.

2 Time PNs (TPN)

A more general definition was given by [3]. It defines Time Petri Nets by adding a two-valued time interval $[\tau_{i\min}, \tau_{i\max}]$ to each transition $t_i$ (Fig. 1). The semantics is that when a transition $t_i$ becomes enabled, for instance at time $\theta$, it cannot be fired before the time $(\theta + \tau_{i\min})$ and it must be fired by the time $(\theta + \tau_{i\max})$. Also here, firing a transition takes zero time.

Fig. 1. A Time PN

Note that any significant time values in the system must be explicitly represented in the model.

Clearly, Time PNs are able to exactly express real timers, i.e. a delay value together with its potential maximum drift, but also the min and max times of a given computation. The formal analysis of the behaviours of TPNs is given in [4, 5].

We had an opportunity to discuss the TPN model with Carl Adam Petri, twice, during two PN conferences. Although he was not working on time representation and analysis, he found this approach quite appealing and easy to use and understand. Unfortunately, we had no opportunity to discuss with Carl Adam our next model, TSPN.

3 Timely Synchronised PNs (TSPNs)

When carefully considering TPNs, it appears that the behaviour of a transition can be decomposed into two steps. Step 1: The transition waits to be enabled, i.e., there exists, for instance between the first token and the last token marking the input places of the transition, an undefined waiting time. Step 2: At the time when the transition becomes enabled, the model starts counting the time (of the time interval). These two steps imply a subtle underspecification that must be well understood: the time behaviours of the enabling input places are not explicitly handled before the enabling of the transition, as counting the time starts only at the moment when the transition is enabled. Consequently, as the input places do not have an explicit temporal behaviour, fully autonomous behaviours cannot be modelled.

This led to the definition of temporal synchronisation and composition in [6,7,8]. The idea is that, as counting time is local to all behaviours, when a place is marked, its temporal behaviour has to be enabled. It follows then that the [min, max] value intervals must be assigned, not to the synchronisation transition, but rather to the arcs connecting places with transitions. In such a model, the time interval related to the place can start as soon as it is marked. As a consequence, the temporal synchronisation begins as soon as the first place of a given transition receives a token, and continues until all the places receive a token, of course together with their arc-related intervals.

As can be seen from Fig. 2, the time arcs can lead to very different semantics for the firing of transitions in TSPNs, and many cases are possible.

Fig. 2. A TSPN

For instance, it may happen, with just two places $p_1$ and $p_2$ and $\theta_i$ being the time at which place $p_i$ is marked, that the time value $(\theta_1 + \tau_{1\max})$ is smaller than $(\theta_2 + \tau_{2\min})$. In such a case, the transition is then not really enabled (Fig. 3), as the second token has not arrived before the end of the time existence of the first token. Of course, one possible semantics is to state that there is an error in the modelled behaviour, and the simulation or verification can be stopped.

Fig. 3. Missed timed synchronisation

Nevertheless, in real life, missing a time synchronisation (rendezvous) often does not stop the behaviour, for instance of the first arrived token. This shows that this simple error semantics has to be refined, for instance by tagging the transition to be temporally Possibly Missed (PM), and by sending in such a case a warning message, while still continuing the simulation or validation.

Furthermore, even for the classical enabling behaviour, in which all places enable the transition, it appears that different semantics are still possible and acceptable. As an example, Fig. 4 gives four different temporal firing semantics that were proposed for multimedia systems (in the papers [6,7,8] cited already): AND from max of the min to min of the max (all arcs enabled), WEAK-AND, STRONG-OR, OR from min of the min to max of the max (at least one arc enabled).

Fig. 4. Possible firing semantics for TSPNs
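The AND and OR firing windows and the missed-synchronisation case discussed above, as an added Python example that is not part of the original text. The class and function names, the `on_miss` parameter and the sample values are constructed for illustration; WEAK-AND and STRONG-OR are left out because the text does not define them.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TimedArc:
    """Arc from an input place to a transition, carrying its own [min, max]."""
    place: str
    theta: float    # time at which the place was marked
    tau_min: float
    tau_max: float

    def validity(self):
        # The token can take part in a firing from theta+tau_min to theta+tau_max.
        return (self.theta + self.tau_min, self.theta + self.tau_max)

def firing_window(arcs, semantics):
    """Return (start, end) of the firing window, or None if it is empty."""
    starts, ends = zip(*(a.validity() for a in arcs))
    if semantics == "AND":      # max of the min .. min of the max (all arcs enabled)
        start, end = max(starts), min(ends)
    elif semantics == "OR":     # min of the min .. max of the max (at least one arc)
        start, end = min(starts), max(ends)
    else:
        raise ValueError(f"semantics not covered here: {semantics}")
    return (start, end) if start <= end else None

def synchronise(arcs, on_miss="error"):
    """Apply AND semantics; on a missed rendezvous either stop or tag as PM."""
    window = firing_window(arcs, "AND")
    if window is not None:
        return {"status": "enabled", "window": window, "warning": None}
    if on_miss == "error":      # simple error semantics: stop the simulation
        raise RuntimeError("missed timed synchronisation")
    first = min(arcs, key=lambda a: a.validity()[1])   # token that expired first
    return {"status": "PM", "window": None,
            "warning": f"token in {first.place} expired before all arcs were enabled"}

# Constructed sample values (not from the original text).
OVERLAPPING = [TimedArc("p1", 0, 2, 5), TimedArc("p2", 3, 1, 4)]
MISSED = [TimedArc("p1", 0, 2, 5), TimedArc("p2", 6, 1, 4)]   # 0 + 5 < 6 + 1

if __name__ == "__main__":
    print(firing_window(OVERLAPPING, "AND"))
    print(firing_window(OVERLAPPING, "OR"))
    print(synchronise(MISSED, on_miss="PM"))
```

With the same marking times, the OR window for `MISSED` is still non-empty, which is why the choice of semantics changes whether the transition can fire at all.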

This shows that several relevant semantics of composition can be defined, in particular in different application areas. A paramount aspect of these different semantics is that temporal synchronisation cannot be defined a priori. In fact, the semantics to be selected depends on the meaning of the composition, defined by the application context in which the composition occurs. The semantics will depend on the (higher) identity of the tokens, as the waiting time for the tokens may depend on the context. For instance, to represent the reality, if the synchronisation concerns two people, then a token representing the behaviour of one person may stay (wait) longer or shorter, depending on the other person that the first arrived is waiting for.

These different semantics have a very important implication: The choice of the semantics of a temporal synchronisation is a pragmatic decision (in the chain syntax, semantics, pragmatics), as it comes from a higher design level than the considered level, e.g., from the application level.

This implies that a simple automatic (programmed) composition semantics cannot be used for defining full time synchronisation, for instance in contradistinction to the normal non-timed rendezvous that is defined by merging related transitions, independently of the higher levels.

4 Conclusion

Nowadays, there exist more and more systems, such as real-time systems and embedded systems, whose behaviours depend on explicit values of time.

Of course, present autonomous temporal behaviours greatly complicate the models and the specifications of these systems.

Nevertheless, it has been shown that simple, easy to understand models are able to represent and analyse sophisticated and complex time behaviours, showing again the potential descriptive power and relevance of PNs in this area.