IEEE TRANSACTIONS ON AUTOMATION SCIENCE AND ENGINEERING


Reachability Graph of Finite and Deterministic DEVS Networks
Moon Ho Hwang, Member, IEEE, and Bernard P. Zeigler, Fellow, IEEE

Abstract—This paper shows how to generate a finite-vertex graph, called a reachability graph, for a discrete-event system specification (DEVS) network. The reachability graph is isomorphic to the given original DEVS network in terms of behavior, but the number of vertices as well as the number of edges of the reachability graph is finite. To obtain the finite-vertex reachability graph of a DEVS network, this paper uses a subclass of DEVS, called finite and deterministic DEVS (FD-DEVS). For abstracting the infinite-state behavior of an FD-DEVS network, we use the concept of time zone, invented by Dill (1989), that is a conjunction of inequalities of elapsed times. Based on time zone abstraction, an algorithm for generating the reachability graph of an FD-DEVS network is proposed and its completeness and complexity are investigated. In addition, a modular monorail system is exemplified to show an application of the reachability graph to checking safety and liveness.

Note to Practitioners—Modular and hierarchical modeling and analysis become more important as systems are increasingly complicated (Sargent et al., 1993). The DEVS formalism is a modular and hierarchical formalism in which the user builds a system by connecting system components, and the system can be a component in a bigger system. In addition, practitioners can use all source code of the algorithm and the verification example proposed in this paper, which are available at http://xsy-csharp.sourceforge.net/DEVSsharp. User friendly interfaces for the expression of FD-DEVS and its translation to XML and DEVSJAVA can be found at http://www.u.arizona.edu/%7Esaurabh/fddevs/FD-DEVS.html.

Index Terms—Discrete-event system specification (DEVS), finite-vertex reachability graph, time abstraction, verification.

I. INTRODUCTION

VERIFICATION of discrete-event systems has been researched based on the assumption that the target system has a finite state space [3]. However, when analyzing a dense-time system in which a state transition is able to occur at any real-valued time instant, we can encounter an infinite-state problem. To analyze the infinite state space of time-dependent state transition systems, use of a finite-vertex isomorphic graph, called a reachability graph, whose behavior is equivalent to that of the original transition system, has been considered as a general method for qualitative and quantitative system analysis [1], [2], [13]. In the same context, several papers have also been published on the problem of obtaining a finite-vertex reachability graph of DEVS networks. Reference [14] developed a symbolic representation of the time advance mechanism of the DEVS formalism and proposed a reachability tree for such symbolic DEVS networks. Reference [6] showed how to get a timed state reachability graph from an ordinary DEVS network. Reference [12] used real-time DEVS (RT-DEVS) [5] whose time advance is a mapping from states to intervals of real numbers. All of the above, however, assume that the target system is a closed system that is not interacting with external influences. Therefore, achieving finiteness with real-valued time is an open problem in DEVS. Dropping the closed system assumption, schedule-preserving DEVS (SP-DEVS) [10] characterizes an open system whose external state transitions are allowed at any time. One advantage of coupled SP-DEVS is that a finite number of vertices for its reachability graph can be obtained by a time abstracting technique, called the time-line abstraction. This property enables decidability of qualitative analysis (such as deadlock, livelock, and fairness) as well as quantitative analysis (such as processing time bounds). However, there is also a critical limitation on modeling expressiveness: “once an SP-DEVS model becomes passive, it never returns to become active (OPNA)” [7]. In this paper, we define a class of DEVS, called finite and deterministic DEVS (FD-DEVS). This class is defined by the following: 1) the sets of events and states are finite; 2) the time advance is a mapping from states to nonnegative rational numbers; and 3) an external input event can either reschedule or continue processing.1 The main restriction imposed here is that there can be no use of the time that has elapsed in a state to determine its transition to another state.

Manuscript received September 25, 2007. This paper was recommended for publication by Associate Editor M. P. Fanti and Editor Y. Narahari upon evaluation of the reviewers’ comments. M. H. Hwang is with the Department of Electrical and Computer Engineering, University of Arizona, Tucson, AZ 85721 USA (e-mail: [email protected]; [email protected]). B. P. Zeigler is with the Department of Electrical and Computer Engineering, University of Arizona, Tucson, AZ 85721 USA (e-mail: [email protected]). Digital Object Identifier 10.1109/TASE.2009.2021352
(A characteristic of the general DEVS formalism is that such elapsed time information can be employed in an unrestricted manner.) FD-DEVS represents just the “right” abstraction for high-level design of automated command and control systems since it retains the essential features of DEVS time management while restricting the states to finite sets, which can be treated as phases or control substates. FD-DEVS is finding critical application in expressing behavioral requirements stated in natural language where large numbers of such requirements must be captured and managed. An automated mapping from FD-DEVS to DEVSJAVA (http://www.u.arizona.edu/%7Esaurabh/fddevs/FD-DEVS.html) allows an initially expressed FD-DEVS model to serve as a skeleton for later elaboration into a full DEVS expression. Consequently, the main contribution of this paper is finding a DEVS subclass whose network behavior can be abstracted as a finite-vertex reachability graph, in the context of no restriction on the occurrences of external events. This subclass can be seen as a relaxation of SP-DEVS, but it no longer has the OPNA problem. Owing to the existence of a finite-vertex reachability graph, this class can also provide a foundation for both qualitative and quantitative analysis of modular and hierarchical systems. This paper is organized as follows. Section II introduces the FD-DEVS network and its behavior. A set of time zone abstraction operations for FD-DEVS is introduced in Section III. Section IV introduces algorithms for generating a reachability graph. Section V illustrates an example of a reachability graph application for analyzing qualitative system properties. Finally, conclusions and further research directions are given in Section VI.

1Why we introduce the restrictions 1)–3) will be explained in footnote 9 in Section IV-C.

1545-5955/$25.00 © 2009 IEEE

II. FD-DEVS NETWORK

An FD-DEVS network provides a hierarchical structure of a system in which each leaf node has a special structure, called an atomic FD-DEVS, which is introduced first in this section.

A. Atomic FD-DEVS

In FD-DEVS, the modifier “finite” means that the sets of events and states are finite, while “deterministic” indicates that all associated characteristic functions are deterministic. Definition 1: An atomic FD-DEVS is a 7-tuple

where (res. ) is a finite set of input events (res. output events); is a finite set of states; is the initial state; is the time advance function, where is the set of nonnegative rational numbers plus infinity. This function is used to determine the lifespan of a state; is the external state transition function that defines how an input event changes a state, and whether the internal schedule will be updated or not; is the output and internal state transition function, where and denotes the silent event. This output and internal state transition function defines how a state generates an output event and, at the same time, how it changes the state internally. This function can be invoked when the elapsed time reaches the lifespan which is scheduled by .2 Dynamics of an atomic FD-DEVS model can be defined on the time base, denoted by , which is the set of nonnegative real numbers, i.e., . An elapsed time is

2 can be split into two functions: the output function : S → Y and the internal transition function : S → S, as in [15].

Fig. 1. (a) One-slot toaster and (b) atomic FD-DEVS model.

continuously increasing and its value denotes the time passage since . In addition to , we need to consider one more internal state variable, called a lifespan or a schedule time span, which is denoted by . When we consider as an upper limit of , the existing range of is defined by the function s.t. if , if .3 Let be the set of legal states, and be the set of illegal states s.t. . Then, the total state set is defined as . Let the total event set of be . Then, the total state function defines state transitions over all combinations of states and events such that for , see (1) at the bottom of the page.

Example 1 (Atomic Model for Toaster): Let us consider a toaster, as shown in Fig. 1(a). This toaster has one slot for bread and a start knob. Initially, the knob is not pushed. But if we push the knob, the toaster starts toasting for 20 s, and then it pops up. We can model the push-knob event as an input event ?push and the pop-up event as an output event !pop. An FD-DEVS model, , for the one-slot toaster is as follows: such that , where and stand for “Idle” and “Toast,” respectively, . Fig. 1(b) illustrates an atomic FD-DEVS model for , in which a circle denotes a state and its lifespan given by , and a directed arc indicates a state transition either caused by an input event or accompanied by an output event. For simplicity, the cases of such as and , where such as , are omitted in the diagram. We will use this drawing convention throughout this paper. Let us take a look at the dynamics of this toaster . If has its current total state ( , 43), it means has been idling for 43 s, and the remaining time to change to the next

3“[” and “]” are closed boundaries, while “)” is an open boundary. Thus, if , cannot reach t.

(1)

HWANG AND ZEIGLER: REACHABILITY GRAPH OF FINITE AND DETERMINISTIC DEVS NETWORKS

state internally is . Suppose that we push the knob when the total state is . Then, the next total state is determined by as the first condition of (1). On the other hand, if we push the knob when the total state is , the next state is as the second condition of (1). If the state is and its elapsed time reaches the lifespan 20, then the output and the next state can be described by as the third condition of (1). Since it is impossible to execute an output and internal state transition when , as the last condition of (1).

B. FD-DEVS Network

1) Structure of FD-DEVS Network: Definition 2: An FD-DEVS network (also called a coupled FD-DEVS model) is a 6-tuple


where and are finite sets of input and output events, respectively, such that ; is a finite set of names of subcomponents; is an index set of FD-DEVS models, , where can be either an atomic FD-DEVS model or a coupled FD-DEVS model; is a set of input couplings, where is the set of input events of subcomponent ; is a set of output couplings, where is the set of output events of subcomponent . Notice that the FD-DEVS network has a hierarchical structure because its subcomponents can be FD-DEVS networks themselves. Since we can get a flattened FD-DEVS network from a hierarchical FD-DEVS network [9], we restrict each subcomponent to be an atomic FD-DEVS model without loss of generality.

2) Behavior of FD-DEVS Network: Definition 3: Given an FD-DEVS network, , its behavioral structure is defined as a 7-tuple:

where is the input event set of ; is the sum of all output event sets (including the silent event) of subcomponents; is the set of legal states, a set of component states where ; is the initial state; the time advance function is for . The external state transition is for and (2), where (2a) and (2b) are shown at the bottom of the page. The output and internal state transition function is defined as follows. Given , let be the set of imminent components of . If s.t. (3)

where (3a) is shown at the bottom of the page.4 Let be the total event set, be the set of legal states, and be the set of illegal states s.t. . Then, the total state set of is . The total state transition function is defined so that for and are shown in (4) at the bottom of the next page. Notice that and in (4) are the functions defined in (2) and (3), respectively. In addition, in the third statement of (4), implies that and . To define a sequence of state changes associated with events, we need to introduce a timed event and its sequence. A timed event is a pair of an event and its occurrence time, thus it is denoted as . Concatenation of two events and is denoted by , which can be defined if . The identity of the concatenation operation is the

4Unlike the strict modular form used in [15], since the flattened model is assumed in this paper, Y Y is omitted in (3).


(2a)

(2b)

(3a)


null-event, denoted by .5 The null-event sequence over a time interval is denoted by . Given an event set and a time interval , the set of total event sequences is denoted by , and is defined by , which is the set of concatenations of finite or infinite timed events (plus ) over and .6 Given , where , is equivalent to . Given a total state of component at time , its time passage over is denoted by , and is defined as . Similarly, given a total state of FD-DEVS network at time , where , its time passage over is denoted by , and is defined by (5), where for all . Notice that in the time passage operation, nothing can change but the elapsed times. Let us define the state trajectory function of by using a function . Let be a total state at time . Suppose that has either no event or one event at time . Then, the state trajectory of associated with is defined as

(6)

The state trajectory associated with a sequence of multiple events (for example, , where ) can be computed by applying a sequence of “null-or-one-event sequence”s (for example, and ) repeatedly. Based on this state trajectory function, the behavior of is defined as all possible event sequences with which the state does not enter the illegal state . Formally, the behavior or language of over a finite observation length , denoted by , is

(7)

The infinite-observation length behavior or language of , denoted by , is

(8)

Fig. 2. (a) Two-slot toaster and (b) FD-DEVS network.

Example 2 (FD-DEVS Network of Two-Slot Toaster): Consider a two-slot toaster, as shown in Fig. 2(a), whose first slot has a 20 s toasting time, while the second slot has 40 s. We can build an FD-DEVS network, named , as shown in Fig. 2(b), such that , where and are drawn in Fig. 2(b), . Given a timed event sequence , is in because . However, if , is not in because . In other words, it is impossible to occurs .

5( , t) indicates no event at t ∈ , but ( , t) denotes there is a silent (so unobservable) event at t. 6We assume that the number of events in an event sequence can be infinite only if we observe the system infinitely long over [t , ∞). In other words, in a finite-long observation over [t , t ], where t − t < ∞, the number of events must be finite.
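As an added, runnable illustration of Definitions 1–3 and Example 2 (this is example code written for this page, not the paper's own code nor the DEVSsharp implementation), the following Python models the one-slot toaster of Example 1 as an atomic FD-DEVS, couples two of them into the two-slot toaster network of Example 2, and decides whether a timed event sequence belongs to the finite-observation language of (7). The class and function names (`Atomic`, `Network`, `in_language`) and the tie-breaking rule that outputs due at time t are emitted before inputs arriving at t are assumptions of this example.

```python
"""Added example (not the paper's or DEVSsharp's code): an executable reading of the atomic
FD-DEVS of Definition 1 and the FD-DEVS network of Definition 2 for the two-slot toaster of
Example 2, used to decide membership of a timed event sequence in the language L(N) of (7)."""
from fractions import Fraction as Q

INF = float("inf")                       # tau(s) = infinity for a passive state
RESCHEDULE, CONTINUE = "reschedule", "continue"


class Atomic:
    """Atomic FD-DEVS: delta_ext may only reschedule or continue; delta_int fires at e == sigma."""

    def __init__(self, s0, ta, ext, internal):
        self.ta, self.ext, self.internal = ta, ext, internal
        self.s, self.e, self.sigma = s0, Q(0), ta[s0]   # total state (s, e) plus lifespan sigma

    def on_input(self, x):
        """Return False when x is not accepted in state s (the sequence is then illegal)."""
        if (self.s, x) not in self.ext:
            return False
        self.s, mode = self.ext[(self.s, x)]
        if mode == RESCHEDULE:                           # first case of (1): restart the clock
            self.e, self.sigma = Q(0), self.ta[self.s]
        return True                                      # CONTINUE: keep e and sigma (second case)

    def on_timeout(self):
        """Third case of (1): emit the output and take the internal transition."""
        y, self.s = self.internal[self.s]
        self.e, self.sigma = Q(0), self.ta[self.s]
        return y


def toaster(seconds):
    """One-slot toaster of Example 1 with the given toasting time."""
    return Atomic("Idle", {"Idle": INF, "Toast": Q(seconds)},
                  {("Idle", "?push"): ("Toast", RESCHEDULE), ("Toast", "?push"): ("Toast", CONTINUE)},
                  {"Toast": ("!pop", "Idle")})


class Network:
    def __init__(self, components, input_couplings, output_couplings):
        self.c = components              # name -> Atomic (flattened network, as the paper assumes)
        self.ic = input_couplings        # network input -> [(component, component input)]
        self.oc = output_couplings       # (component, component output) -> network output

    def simulate(self, inputs, t_end):
        """Apply timed network inputs over [0, t_end]; return (legal, outputs produced)."""
        pending = sorted((Q(t), x) for x, t in inputs)
        produced, now = [], Q(0)
        while True:
            t_int = min((now + c.sigma - c.e for c in self.c.values()), default=INF)
            t_in = pending[0][0] if pending else INF
            t_next = min(t_int, t_in)
            if t_next > t_end:
                return True, produced
            for c in self.c.values():    # time passage: only the elapsed times change
                c.e += t_next - now
            now = t_next
            if t_int <= t_in:            # assumption: imminent outputs precede inputs at equal times
                for name, c in self.c.items():
                    if c.e == c.sigma:
                        y = c.on_timeout()
                        if (name, y) in self.oc:
                            produced.append((self.oc[(name, y)], now))
            else:
                _, x = pending.pop(0)
                for name, port in self.ic[x]:
                    if not self.c[name].on_input(port):
                        return False, produced


def two_slot_toaster():
    """The network N of Example 2: slot 1 toasts for 20 s, slot 2 for 40 s."""
    return Network({"T1": toaster(20), "T2": toaster(40)},
                   {"?push1": [("T1", "?push")], "?push2": [("T2", "?push")]},
                   {("T1", "!pop"): "!pop1", ("T2", "!pop"): "!pop2"})


def in_language(seq):
    """seq: list of (event, time).  True iff the two-slot toaster can exhibit exactly this
    sequence over [0, t_f], i.e. the sequence is in L(N) of (7) for t_f = the last time."""
    net = two_slot_toaster()
    t_end = max((Q(t) for _, t in seq), default=Q(0))
    legal, produced = net.simulate([(x, t) for x, t in seq if x in net.ic], t_end)
    expected = sorted((y, Q(t)) for y, t in seq if y not in net.ic)
    return legal and sorted(produced) == expected
```

`in_language([("?push1", 0), ("!pop1", 20)])` returns True, while placing `!pop1` at 10 s returns False, because the first slot cannot pop before its 20 s lifespan elapses; a second `?push1` during toasting is a continue transition and leaves the pop time unchanged.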

III. TIME ZONE ABSTRACTION FOR FD-DEVS NETWORK

We seek to abstract uncountably many combinations of elapsed times into a time zone, which was introduced by Dill [4] and used for abstracting real time in timed automata [1], [3]. We review the time zone and its basic operations first, and then introduce the operations for tracing the FD-DEVS behavior which will be used in an algorithm in the next section.

A. Review of Time Zone and Its Basic Operations

Recall that the elapsed time of is a nonnegative real number. For describing the bounds of in FD-DEVS, we use a real-number interval denoted by , which is bounded by two rational numbers such that if , where .7 The difference bound of two and is also defined in the same way such that if . By its definition, if then . Similarly, if , then .

7The boundary condition can be either open or closed. But for simplicity, we use the closed conditions here. Thus, for t ∈ [0, ∞), we will write t ∈ [0, ∞] instead.

(4)


Fig. 3. Six tightening cases.

If , we can think of the -dimensional Euclidean space of nonnegative real numbers plus infinity, denoted by . A time zone is a convex polyhedron that is represented by a conjunction of bounds of (1) all elapsed times and (2) differences between elapsed times. Formally

For example, the initial elapsed time zone of in Example 2 is , which means that and keep increasing forever with no time difference between them (if there are no push events). In this section, we will use for unary operations, and two time zones and for binary operations. 1) Tightening: A time zone is tight if

where and (resp. and ) are the upper bound and the lower bound of (resp. ), respectively. Fig. 3 illustrates six tightening cases in which dashed lines indicate loose bounds. The reader can refer to [4] for a tightening algorithm which is based on an all-pairs shortest paths algorithm. 2) Equality: Given two intervals and , if and . Given two time zones and , if for all and for all . 3) Resetting: The resetting operation of w.r.t. a name set resets to zero for each but preserves all other bounds

where denotes the operation. Fig. 4(a) shows , where . The resetting can happen if ?push1 occurs when the first slot is empty and the second slot is toasting in toaster . 4) Sliding: The sliding operation is used for letting every pass infinitely long from a given time zone. This operation sets each upper bound of to infinity, but preserves all other bounds so

Fig. 4. Successor(φ = (0 ≤ t ≤ 20; 0 ≤ t ≤ 40; 0 ≤ t − t ≤ 0); R = {1}; ( , ) = ((T, 20), (T, 40))).

, where . 5) Intersection: The intersection of two intervals is . Given two time zones and , the intersection of and is defined as . Fig. 4(b) shows . Fig. 4(d) illustrates an intersection between and .

B. Time Zone Operations for Tracing FD-DEVS Behavior

To introduce operations for tracing FD-DEVS behavior, we use a notation , called a state-schedule vector, where is a state of and is a lifespan at . 1) Invariant Time Zone: An invariant time zone is a time zone covering all possible elapsed times in a given

For example, Fig. 4(c) shows the invariant time zone of , which results in . Observe that given an FD-DEVS network and its state , the elapsed time vector exists in . 2) Successor Time Zone After a State Transition: A successor time zone is defined as ’s successive time zone obtained by resetting each in , and then by letting the time zone grow within an invariant time zone of the next state-schedule vector . Formally, this operation is defined as

where , , and stand for the , , and operations, respectively.


Fig. 5. operation.

Fig. 4 shows the successor time zone from , triggered by the input event ?push1. To compute , we need to use , , and Intersection, as shown in Fig. 4(a)–(d). 3) Time Zone for Enabling : As mentioned in (4), an output and internal state transition can be enabled when . Thus, we need to compute a time zone when before generating the next zone triggered by . To get this time zone, all for are passed during reaches as

where , and stands for the operation. Given , which is the time zone in Fig. 4(d), the gray areas in Fig. 5(a) and (b) show the time zones which are achieved by and , respectively.

IV. REACHABILITY GRAPH OF FD-DEVS NETWORK

The basic idea behind generating a reachability graph (RG) is that if the infinitely many instances of elapsed times of an FD-DEVS network can be abstracted as a finite number of equivalence classes, RG will also have finite numbers of vertices and edges because the associated states and events of components are finite.

A. Algorithm for Generating Reachability Graph

The structure of the proposed reachability graph is given by the following definition. Definition 4: The reachability graph of an FD-DEVS network, , is defined as

where
• is the set of triggering events.
• is a set of zones. A zone is a pair of a state-schedule vector and a time zone .
• is the initial zone, where and is the initial time zone.
• is a transition relation. An edge represents that if an event occurs, it changes the state-schedule from to that of , and resets for each .

Algorithms that we introduce here try to visit all possible states by applying two state transitions: and defined in (2) and (3), respectively. Each vertex of RG has an equivalence class of states in which elapsed times are abstracted by the time zone introduced in the previous section. If we know that a state has already been visited, we do not repeat the same procedure again. In this way, this procedure will terminate as long as RG has finitely many vertices and edges. To describe the algorithms for generating a reachability graph in detail, we will use the following notations for a given zone :
• , called the discrete zone, is the state-schedule vector;
• for the pair of state and schedule of component ;
• for the upper bound of the elapsed time of component at the time zone of .

Algorithm 1:
1: ; Add to ;
2: 3: while
4: 5: for all do ;
6: 7: 8: end for
9: for all do
10: if
11: ; 12: ;
13: 14: 15: ; Add to
16: 17: end if
18: end for
19: end while

Algorithm 2:
1: 2: 3: 4: 5: 6: 7: 8: 9: 10: 11: 12: 13: 14: 15: 16:
for all or ;
if then ;
Add to else ; ;
end if end for if or For each then then add to
if ; ;
if Add Add end if s.t. to then and ; to ;

Algorithm 1, named , is the main procedure that traces all possible states by triggering an external state transition as well as an output and internal state transition as long as to-be-tested states in are available. The starting point of this search is the initial zone , which was defined in Definition 4. Generating a next reachable zone triggered by each external event from is considered in lines 5 to 8 of Algorithm 1. First, the algorithm copies the candidate of the next vertex and calls , that is, Algorithm 2.

Let us take a look into Algorithm 2. Algorithm 2 updates an influencee of event through the coupling in (at line 1). If there is such a coupling, it computes ; if , it updates not only but also (at line 4), and adds to a set (at line 5). If , it updates only the state as (line 7). Algorithm 2 does not go further for the case that and , which indicates that nothing changes by (line 10). Otherwise, to avoid meaningless time passage when , Algorithm 2 adds to (at line 11) so that of will be reset by applying the operation with (at line 12). If the next zone is newly generated, i.e., s.t. ,8 Algorithm 2 adds to both the vertex set of the reachability graph and the to-be-tested set (lines 13 to 14). In addition, it adds an edge to the edge set of (line 15).

Let us revisit the output and internal state transition part of Algorithm 1. Unlike the external transition, recall that the internal transition of component can be enabled only at . To check the possibility of at the current vertex , Algorithm 1 checks the upper bound of by evaluating (line 10). If this condition is satisfied, Algorithm 1 copies to , makes the time zone of when reaches , calculates the output and the next state of the internal transition as , updates the state and schedule of as , adds to after making empty, and generates the next reachable zone by calling , as shown in lines 11 to 16 in Algorithm 1.

Example 3 (Reachability Graph of Two-Slot Toaster): Fig. 6 illustrates the reachability graph of the two-slot toaster in Example 2. This reachability graph has 11 vertices and 20 edges. Each vertex shows its state-schedule vector and its time zone drawn in a gray area. For example, the initial zone is , where and . Here, each time zone is illustrated as the result of the operation, but the steps in , such as those shown in Fig. 4(a)–(d), are omitted. Each edge is illustrated by a directed arc, where and are located at the source and the destination of the arc, while the triggering event and the set of resetting clocks are augmented around the arc.

B. Completeness of Algorithm


Fig. 6. Reachable graph of two-slot toaster.

To show the completeness of Algorithms 1 and 2, we show the behavioral equivalence between a given FD-DEVS network and its reachability graph . To do this, we first define the behavior of .

Definition 5 (Behavioral Structure of ): Given an FD-DEVS network, , and its reachability graph , the behavioral structure of is defined as a 7-tuple

where is the input event set of ; is the sum of all output event sets (including the silent event) of subcomponents; s.t. is the initial state; the time advance function is defined for ; the external state transition is defined as follows. For , if and (9) where

(9a) (9b) (9c)

For , if for all and , then . The output and internal state transition function is defined as follows. For and , s.t. , if

8Given two zones v and v , v = v iff (v ) = (v ) and (v ) = (v ).

(10) are determined by (9a) and (9b). , if , then for all . The total event set and the total state set of are defined as the same as those of the FD-DEVS network . The total state transition of is defined identically to (4) but by using in (9) and in (10). The state trajectory function , the language of over a finite observation length, denoted by , and the infinite length language of , denoted by , are defined as the same as (6), (7), and (8), respectively.

Lemma 1: of s.t. . Proof: Recall that . ( case:) Assume that . That means there is a convex subarea such that . Thus, we can say s.t. . ( case:) Suppose that s.t. but . Since cannot be equal to because before becomes other where reaches all the time in . But it contradicts s.t. . Let’s check the possibility of , which is used when Algorithm 2 computes . By the there is no possibility . Thus, if s.t. then .

Definition 6: Let . Then, is a schedule equivalent of , denoted by , if for all . is a schedule equivalent of if .

Theorem 1: Let and be the total states of and , respectively, and . Then, for . Proof: Let , and s.t. . First of all, let us assume that . Then, for any . Let us check and . We will investigate three cases: i) , ii) , and iii) otherwise. i) Thus, in s.t. and in s.t. and because s.t. . If in s.t. in and and . Since Algorithm 1 copies the next zone from the current zone , and Algorithm 2 considers the influence of only when . (Case x1:) If where For and . (Case x2:) If s.t. so and . Thus, s.t. and . Since (Case x4:) If . At this time value of . Thus, . ii) Suppose that because Lemma 1, . At this time where and . (Case x3:) If so . At this time , where and where so . where so . too. s.t. so where and . so , where and . Since regardless of the , and . too. By Cases x1 to x4, and . Observe that for . By . By at line 12 in Algorithm 1, . and and s.t. where . so where and . The above Cases x1 to x4 can be applied for calculating the influencees of . Thus, . but then iii) If , at the same time, because . If and but then , at the same time, because . Thus, .

Lemma 2: If then . Proof: If s.t. for , . . Thus, , then for . So by Definition 6.

Theorem 2: Let and be the initial total states of and , respectively. Then, for where . Proof: By Definitions 3 and 5, the initial states of both and are defined as . , so . Let us assume that and check if where and , because DEVS is a time invariant system [16], [15]. Suppose that . Then, (by Lemma 2). Suppose that . Recall that and . By Theorem 1, so . By induction, we can say where .

Corollary 1: Given . . Proof: By Theorem 2.


C. Complexity and Termination of Algorithm

In the main procedure, , the while loop continues until there is no further new zone. Thus, the complexity is strongly related to the number of all possible zones generated. For each component , the number of possible combinations of state and schedule is bounded by because the schedule applies not only to but also to predecessors of for which . Since we have a set of subcomponents , . Let us check the upper bound of the number of possible different time zones for a given zone . To find the bound, we introduce a number, , such that for all . Let be the set of finite schedules. And is undefined if ; otherwise, . Let be the number of possible bounds of and be the number of possible difference bounds between and . Suppose that is undefined. Then, so . Since Algorithm 2 adds all to the set if and , the number of possible is 1. If and for all . Thus, the number of possible is 1 again. Let us consider the case that . The greatest common divisor (GCD) of a set of rational numbers is the largest positive rational number that divides without remainder. Let be the GCD of all elements of . Then, there are different values possible for the lower bound as well as for the upper bound w.r.t. . Let that is a natural number, then . Recall that there is the constraint . Thus, if , only one possible case for ; if , two possible cases for . Likewise, if , has number of possibilities such as . Thus, . Unlike , in which its lower bound cannot be less than 0, the lower bound of can reach , and then the number of all possible combinations of lower and upper bound for is . Since each vertex can have edges of external transitions for all as well as output and internal state transitions for all , the complexities of both memory space and computing time are proportional to , which is if is undefined or ; otherwise, .9

V. EXAMPLE OF REACHABILITY GRAPH-BASED ANALYSIS

Even though the time complexity of the proposed algorithm is proven to be exponential in in “the worst case”, we made

9The reason why we restricted the range of the time advance function to the set of rational numbers is that if the range of is the set of real numbers, for example, √3 and √5, we cannot find the bound of the number of vertices in general, i.e., the algorithm proposed here cannot terminate. In addition, as we can see in the first two statements in (2), the reason why we explicitly use the two cases of continuing or updating t and t is that if we use the form of (s) = (s) − t and t = 0 whenever is executed [15], uncountably many states will be generated (because of no restriction on the occurrences of external input events), and this fact contradicts the finite set of states of an atomic FD-DEVS.

Fig. 7. Monorail system.

an experiment of the practical example to see the proposed algorithm performance. The experiment result includes to check the system safety and liveness which are defined as “a bad situation could not happen in the system” and “the system keeps working forever,” respectively. For a discussion of how to define and solve safety and liveness in a formal way, the reader can refer to [8]. The hardware platform used was Presario X1000 Laptop with 1.3 GHz CPU and 1.0 GByte RAM. We consider a monorail system in which stations are connected in a circular railroad so vehicles can circulate along the rail. The number of stations can be varied depending on the size of area the system serves so we will study the safety and the liveness of systems by varying the number of stations from four to eight. Fig. 7(a) illustrates an instance of the configurations, which has four stations. We can imagine the coupling relations for 5, 6, 7, and 8 stations. Station is a controller modeled by an atomic FD-DEVS whose structure is drawn in Fig. 7(b). In the Station stand for input events of vehicle, pull-signal, model, additional-loading, respectively, while stands for the output vehicle event. There are three state variables: phase Empty , Loading , Sending , Waiting , , tracking the vehicle identification; and Collided indicating “next station is occupied.” To avoid collisions that can occur when more than one vehicle attempts to occupy a station (let us call it ) at the same time, the station prior to (let us call it ) should dispatch the vehicle ONLY when ’s . In Fig. 7(b), an arc is augmented by (precondition), (postconat , dition). For example, when a station receives but its phase does not change; After staying it makes

10

IEEE TRANSACTIONS ON AUTOMATION SCIENCE AND ENGINEERING

TABLE I PERFORMANCE FOR CHECKING SAFETY AND LIVENESS OF MONORAIL SYSTEMS

increases sharply when we increase the number of stations in the monorail system. VI. CONCLUSIONS AND FURTHER RESEARCH

in

for seconds, if , it changes into internally without producing any output indicated , it changes into . A dashed line by , if indicates an external state transition in which so that the state change to but the schedule and the elapsed time are preserved. All obvious transitions such as are omitted in Fig. 7(b). for odd numbered The loading time is assigned as for even numbered stations. There are three stations, vehicles that are operated in all configurations. Let be the number of stations in the configuration. Then, the initial state for each station ST is determined by where as

For each

, the set of unsafe states is defined by , while the set of working states are defined by , respectively. We checked if there is possibility for any station (if no, the system is safe.), and to reach we also checked if there is possibility not to continue to move (if no, the system is alive). around in To double check that the proposed procedure correctly predicts the system safety, we changed slightly a Stations’s at arcs from state transitions to miss the assignment to and to in Fig. 7(b). Under these conditions, the procedure successfully found a Collision state in Station 1. For double checking liveness, we disconnected the pull-signal coupling from Station 3 to Station 2. The algorithm correctly found that Station 2 is not alive (this is so, since it stays at and cannot repeat visit and ). Table I summarizes the performance from generating the reachability graph of each configuration, to checking safety and liveness. For the case of 8 stations, less than 7 min was taken to check safety and liveness including generating the reachability graph. However, as proved in Section IV-C, we can see that the computational time for generating the reachability graph
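The safety and liveness checks just described, run over a finite reachability graph, as an added example that is not the paper's code. It explores a constructed, untimed abstraction of the monorail (each station is Empty, Sending, or Collided; the FD-DEVS timing, schedules, and pull-signal protocol of the Station model are not reproduced), checks safety as unreachability of a Collided phase, and treats a station as alive when its phase keeps changing on every infinite run, which is the simplification of “keeps moving around in the working states” used here. The `guarded` and `blocked` switches, `build_graph`, `find_unsafe`, `find_stuck_states`, and `analyse` are all assumptions of this example; `guarded=False` and `blocked` mimic the two fault injections described in the text (the missed assignment that produces a collision, and the disconnected pull-signal coupling).

```python
"""Safety and liveness checks over a finite reachability graph (added example).

The graph is a constructed, untimed abstraction of the monorail system:
each station is Empty ('E'), Sending ('S', holding a vehicle) or Collided
('C').  The FD-DEVS timing, schedules and pull-signal protocol of the paper's
Station model are not reproduced; guarded/blocked are hypothetical switches
that mimic the two fault injections described in the text.
"""
from collections import deque


def build_graph(n_stations, n_vehicles, guarded=True, blocked=()):
    """Enumerate every state reachable from the initial placement (vehicles at
    stations 0..n_vehicles-1).  guarded=False drops the 'dispatch only when the
    next station is empty' check, so two vehicles may meet in one station;
    a station listed in `blocked` never dispatches (missing pull-signal
    coupling).  Returns (initial_state, {state: [successor states]})."""
    init = tuple('S' if i < n_vehicles else 'E' for i in range(n_stations))
    graph = {}
    todo = [init]
    while todo:
        s = todo.pop()
        if s in graph:
            continue
        succs = []
        for i, phase in enumerate(s):
            nxt = (i + 1) % n_stations
            if phase != 'S' or i in blocked:
                continue  # nothing to dispatch, or station never dispatches
            if guarded and s[nxt] != 'E':
                continue  # wait until the next station reports Empty
            t = list(s)
            t[i] = 'E'
            t[nxt] = 'S' if s[nxt] == 'E' else 'C'  # unguarded arrival collides
            succs.append(tuple(t))
        graph[s] = succs
        todo.extend(succs)
    return init, graph


def find_unsafe(init, graph, station):
    """Safety: breadth-first search for a reachable state whose `station` is
    Collided.  Returns the shortest witness path (list of states), or None if
    no such state is reachable (the station is safe)."""
    parent = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if s[station] == 'C':
            path = []
            while s is not None:
                path.append(s)
                s = parent[s]
            return path[::-1]
        for t in graph[s]:
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return None


def find_stuck_states(graph, station):
    """Liveness: `station` is alive if its phase changes infinitely often on
    every infinite run.  A violation is a reachable cycle along which the phase
    never changes; a deadlocked state (no successors) is treated as a self-loop,
    as a passive state stays put forever.  Returns the states from which such
    a phase-constant run exists, or None if the station is alive.  All states
    in `graph` are reachable by construction of build_graph."""
    sub = {s: [t for t in graph[s] if t[station] == s[station]] for s in graph}
    for s in graph:
        if not graph[s]:
            sub[s].append(s)
    # Peel away states with no phase-preserving successor; whatever survives
    # can follow phase-preserving edges forever, i.e. lies on or leads to a cycle.
    remaining = set(graph)
    changed = True
    while changed:
        changed = False
        for s in list(remaining):
            if not any(t in remaining for t in sub[s]):
                remaining.discard(s)
                changed = True
    return sorted(remaining) or None


def analyse(n_stations, n_vehicles, **kw):
    """Summarise safety and liveness of every station in one configuration."""
    init, graph = build_graph(n_stations, n_vehicles, **kw)
    return {
        "states": len(graph),
        "unsafe": [k for k in range(n_stations) if find_unsafe(init, graph, k)],
        "dead": [k for k in range(n_stations) if find_stuck_states(graph, k)],
    }


if __name__ == "__main__":
    for n in range(4, 9):  # the paper's range of station counts, 3 vehicles
        print(n, "stations:", analyse(n, 3))
    print("unguarded 4 stations:", analyse(4, 3, guarded=False))
    print("station 2 never dispatches:", analyse(4, 2, blocked=(2,)))
```

The guarded configurations with four to eight stations report no unsafe and no dead station; removing the guard makes a Collided phase reachable at every station, and blocking station 2 drives the four-station, two-vehicle ring into a deadlock from which no station changes phase again, which is the shape of the two faults the paper injected to validate its procedure.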

This paper proposed a subclass of finite and deterministic DEVS, called FD-DEVS. Compared to its superclass DEVS, FD-DEVS has less expressive power. However, it has the advantage of supporting generation of a finite-vertex reachability graph. The key idea is that infinitely many instances of elapsed times of components in an FD-DEVS network can be abstracted by a time zone equivalence. Based on the time zone abstraction technique, an algorithm to generate a finite-vertex reachability graph was introduced, and its completeness and time complexity were investigated. Since the space and time complexities of generating the proposed reachability graph are exponential in the number of components in FD-DEVS networks, research to reduce such a hard computation remains a challenge. In the meantime, quantitative analysis techniques are expected to exploit the timing information of the reachability graph.

REFERENCES

[1] R. Alur, “Timed automata,” in Proc. 11th Int. Conf. Computer-Aided Verification, LNCS, 1999, vol. 1633, pp. 8–22.
[2] B. Berthomieu and M. Diaz, “Modeling and verification of time dependent systems using time Petri nets,” IEEE Trans. Softw. Eng., vol. 17, no. 3, pp. 259–273, Mar. 1991.
[3] E. M. Clarke, Jr., O. Grumberg, and D. A. Peled, Model Checking. Cambridge, MA: MIT Press, 1999.
[4] D. L. Dill, “Timing assumptions and verification of finite-state concurrent systems,” in Proc. Workshop on Computer Aided Verification Methods for Finite State Systems, Grenoble, France, 1989, pp. 197–212.
[5] J. S. Hong, H. S. Song, T. G. Kim, and K. H. Park, “RT-DEVS executive: A seamless realtime software development framework,” Discrete Event Dyn. Syst., vol. 7, pp. 355–375, 1997.
[6] K. J. Hong and T. G. Kim, “Timed I/O test sequences for discrete event model verification,” in Proc. 13th Int. Conf. AI, Simulation, and Planning in High Autonomy Systems, 2005, pp. 257–284.
[7] M. H. Hwang, “Generating finite-state behavior of reconfigurable automation systems: DEVS approach,” in Proc. 2005 IEEE-CASE, Edmonton, AB, Canada, 2005, IEEE.
[8] M. H. Hwang and B. P. Zeigler, “A modular verification framework using finite & deterministic DEVS,” in Proc. 2006 Spring Simulation Multi-Conference: DEVS Symp., Huntsville, AL, Apr. 2–8, 2006, pp. 57–65, SCS.
[9] M. H. Hwang and B. P. Zeigler, “Expressiveness of verifiable hierarchical clock systems,” Int. J. General Syst., vol. 37, no. 4, pp. 391–413, Aug. 2008. [Online]. Available: http://acims.arizon.edu/
[10] M. H. Hwang, S. K. Cho, B. P. Zeigler, and F. Lin, “Processing time bounds of schedule-preserving DEVS,” ACIM, Tech. Rep. 2007–H1. [Online]. Available: http://acims.arizon.edu/
[11] R. G. Sargent, J. H. Mize, D. H. Withers, and B. P. Zeigler, “Hierarchical modeling for discrete event simulation (panel),” in Proc. 25th Winter Simulation Conf., Los Angeles, CA, 1993, ACM Press.
[12] H. S. Song and T. G. Kim, “Application of real-time DEVS to analysis of safety-critical embedded control systems: Railroad crossing control example,” SIMULATION, vol. 81, no. 2, pp. 119–136, Feb. 2005.
[13] J. Wang, Timed Petri Nets: Theory and Application. Boston, MA: Kluwer, 1998.
[14] B. P. Zeigler and S. D. Chi, “Symbolic discrete event system specification,” IEEE Trans. Syst., Man, Cybern., vol. 22, no. 6, pp. 1428–1443, Nov./Dec. 1992.
[15] B. P. Zeigler, H. Praehofer, and T. G. Kim, Theory of Modeling and Simulation: Integrating Discrete Event and Continuous Complex Dynamic Systems, 2nd ed. London, U.K.: Academic, 2000.
[16] B. P. Zeigler, Theory of Modeling and Simulation, 1st ed. New York: Wiley, 1976.

HWANG AND ZEIGLER: REACHABILITY GRAPH OF FINITE AND DETERMINISTIC DEVS NETWORKS

Moon Ho Hwang (M’09) received the B.S. degree in 1990 from Hong-Ik University, Seoul, Korea, the M.S. degree in 1992, and the Ph.D. degree in 1999, both from Korea Advanced Institute of Science and Engineering (KAIST), Taejon, Korea. From 1998 to 2003, he developed several commercial simulators for automated manufacturing systems as the Director of a Simulation and Control Group at the research center of CubicTek Ltd. Company, Seoul. He has been a Research Assistant Professor with the Department of Electrical and Computer Engineering, University of Arizona, Tucson, since 2006. His research interests include system analysis using discrete-event system specification (DEVS), Timed Automata and Petri-net, and scheduling and optimal control of manufacturing systems, workflow systems, and business process management systems.


Bernard P. Zeigler (SM’87–F’94) is a Professor of Electrical and Computer Engineering at the University of Arizona, Tucson. He is Director of the Arizona Center for Integrative Modeling and Simulation. He is internationally known for his 1976 foundational text Theory of Modeling and Simulation (New York: Academic, 2000). Prof. Zeigler is a Fellow of the International Society for Modeling and Simulation.
