2010 Asia Pacific Software Engineering Conference
The Analysis of Sequence Diagram with Time Properties in Qualitative and
Quantitative Aspects by Model Transformation
Meixia Zhu1,2 , Hanpin Wang1,2 , Yongzhi Cao1,2 , Zizhen Wang1,2 , Wei Jin1,2
1. Institute of software, School of EECS, Peking University,
2. Key Laboratory of High Confidence Software Technologies,Ministry of Education
Peking, China
Email: ilryx8292@gmail.com, whpxhy@pku.edu.cn, caoyz@pku.edu.cn
Abstract—The Sequence Diagram (SD) with time properties
is frequently used in the preliminary developing phase of
embedded real time system, however, it is not easy to verify due
to its informal semantics. An extended time Petri net (TPN)
with weak semantics–TLOPNforSD–is defined and proved to be
decidable as far as reachability, boundedness and coverability
are concerned. A method for progressively refining the SD is
also offered in the transformation phase. The SD with time
properties are made to be more reliable in two aspects: (1)
an enabled transitions generating algorithm based on weak
semantics is designed. Based on this algorithm, the verification
of SD with time properties in qualitative aspect can be realized
by dint of ROMEO; (2) using the state-class diagram obtained
in qualitative analysis phase, a scheduling strategy satisfying
all the time constraints specified in the SD is worked out. The
strategy is used to get compelling time intervals which are
more accurate than the static intervals predefined on the SD
for every event.
Keywords-real-time systems; MARTE; formal methods; Se-
quence Diagram; Scheduling
I. I NTRODUCTION
A. Motivations
The MARTE [1] specification intends to replace the
existing UML Profile for Schedulability, Performance and
Time [2] by adding capabilities to UML for model-driven
development of embedded real-time systems (ERTS). In
MARTE, the sequence diagram (SD) is extended to depict
time properties. This kind of SD has become a popular
modeling approach. However, as a behavioral diagram, it
cannot bear some crucial functions such as refinement and
verification that have to be considered in the develop-
ing process, even though with other methods supplies in
MARTE, and this is mainly due to its inherent informal
semantics, but it’s not easy to directly offer formal semantics
to it because of its special structural features. Since model
transformation is an effective way for analyzing seemingly
complex systems, those SDs that are designed according to
the MARTE specification are without exception.
Hitherto, Timed Automata (TA) [3] and Networks of
Timed Automata (NTA) [4] are still recognized as two
classical formalisms for modeling real-time systems with
dense time. Rich theoretical foundations and a number of
1530-1362/10 $26.00 © 2010 IEEE 118
DOI 10.1109/APSEC.2010.23
developed verification tools like UPPAAL [5], KRONOS [6],
IF [7] and CMC [8] have been offered. The automata
(in UML [9], they are known as state machines) are also
extended in MARTE to model ERTS. However, the SDs
and automata respectively focus on different aspects of the
ERTS.
∙ SD is a kind of interaction diagram that focuses on
the message transmitting among a number of objects.
while, automaton is a convenient form to define the life-
cycle of just one object, or an order of the invocations
of its operation. Intuitively, the former is in connection
with a set of objects, but the latter is only interested in
one particular object.
∙ Each event respectively has a clock to control its
earliest and latest executing time in SD, but in TA
and NTA, the occurrence times of all actions are
controlled by one global clock. Some constraints such
as (𝑡1 −𝑡0 ) = 𝑑1 <= (1, 𝑚𝑠); and (𝑡12 when (𝑜𝑘 == 𝑡𝑡
and 𝑎𝑡 == 𝑡𝑡)< 𝑡11 + (3, 𝑚𝑠)) defined in figure 1
cannot be conveniently expressed in TA and NTA
because two and more clocks are considered in the
above constraints.
We hope to find a more suitable intermediate model. In
this paper, we intend to choose timed Petri net (TPN) [10]
as the intermediate model. For ERTS, other extensions of
Petri net on time have also been proposed to allow the
combination of an unbounded discrete structure with dense-
time variables, such as the Time-Arc Petri Net (TAPN) [11]
and Time-Arc Petri Net with read arcs [12]. While, TPN is
more suitable for SD, and this is mainly due to:
∙ Time properties are placed on each sending event or
receiving event but not on object in SD, while, as far
as TAPN is concerned, time properties are placed on
the tokens of every place. If we transform SD into
TAPN, then we have to place each time constraint
on one appropriate token. It is quite clear that this
transforming method violates the real intention of SD
with time properties. So to place the time properties on
the transitions of the corresponding TPN seems more
suitable.
 SD: ex 𝑡11 can be satisfied but not their definite occurring time, so
:A :B :C we believe that the TPN with weak semantics is preferable.
While, the traditional TPN is not suitable for SD. So we
loop(n<4 and at=f )
m2
[1,2], I(t 2 ) extend it and denote this extended TPN as labeled open
[1,3], I(t 0 )
m1 Petri net with time properties(TLOPNforSD) to model the
[3,6], I( t 1 ) [1,5],I( t 3 )
SD with time properties.
Break(n=4) [1,5], I(t 4 ) Comparing with the existing works on SD with time
m3 [2,5] , I( t 9 )
[2,3], I( t 5 ) properties, we not only give its formal semantics and prove
m6 [1,3], I(t 10 )
m4 m5 that the most important properties–reachability, boundedness
[3,5],I(t 6 ) [1,4], I(t7 ) [1,2], I( t 8 )
[2,4], I(t 11 ) and coverability–are decidable under weak semantics. More-
Alt o k= t
[1,5],I(t 15 )
[1,3], I(t 14 ) [2,3], I(t 13 )
[1,3], I(t 12 ) over, we realize the analysis of SD in both qualitative and
m8 m7 quantitative aspects.
[2,4], I(t 18 ) [2,6],I( t 16 )
o k= f
m 10
m9 B. Related Works
[1,4], I(t 17 )
[1,2], I(t 19 )
The problem of generating formal models from SD has
c onstraint: been studied by several researchers during the last few years.
(1) (t 1 -t 0 )=d 1 <=(1,m s);
(2) (t 12 w hen (ok==tt and at==tt))<t 11 +(3,m s)
We restrict our discussion on the works that aim at deriving
(3)d 1 <=t 15 -t 6 <=d 1 *30 w hen (ok==tt and at==tt) Petri net models from original SD models.
The literatures in [13], [14] and [15] use Petri nets
as the intermediate models to remedy the defects of the
Figure 1. An SD with time properties UML models in formal aspects. But, their common goal
is to have a formal model to prove qualitative properties
P t1,[0,1] such as absence of deadlocks, liveness and fairness, and
quantitative properties are out of their concerning scope.
In [16], [17], [18], the authors not only try to use Petri
nets to eliminate the semantic confusions, but also to put
t2,[0,2]
the net models to quantitative analysis process. However, the
common problem is that SDs are not thoroughly considered.
Figure 2. a TPN to illustrate the difference among different semantics
Although there are several literatures such as [19], [20]
and [21] that specialize in SD, they only deal with the
Different semantics can be chosen in order to realize the sending and receiving events, and few of them consider the
clock resets in TPN. An simple example (figure 2) illustrates combined fragments. We consider SD defined in MARTE
the difference among these semantics. For a TPN 𝑁 , 𝑡/𝑇𝑟 specifications, so the time properties must be considered. As
means when the enabled transition 𝑡 fires, the clocks of 𝑇𝑟 far as we know, the SD with time properties has been studied
where 𝑇𝑟 ⊆ 𝑇 will be reset, where 𝑇 is the set of transitions in several literatures [22], [23] and [24] which only concen-
of the TPN 𝑁 . trate on the transforming process. And it is mainly because
of the undecidability of TPN with strong semantics [25].
Time interval [0,1] 1 (1,2] Ermeson Andrade etc. present the process of mapping SD
(strong, intermediate) t2/{t1,t2}, t1/emptySet t1/emptySet emptySet/emptySet
into TPN with energy constraints so as to analyze and verify
(strong, atomic) t2/{ t2}, t1/emptySet t1/emptySet emptySet/emptySet
(strong, persistent) t2/emptySet, t1/emptySet t1/emptySet emptySet/emptySet the functional, time and energy requirements in early phases
Time interval [0,1] [1,2] of the life-cycle development in [26]. They take the time
(weak, intermediate) t2/{t1,t2}, t1/emptySet t2/{t1,t2}, t1/emptySet interval as two discrete time values, that is to say they
(weak, atomic) t2/{ t2}, t1/emptySet t2/{ t2}, t1/emptySet
(weak, persistent) t2/emptySet, t1/emptySet t2/emptySet, t1/emptySet consider the continuous dynamic varying process of every
clock as two discrete instantaneous time points. It is clear
that it violates the time specifications of the corresponding
Figure 3. Clock reset strategies of TPN SD.
In this paper, we intends to solve the above problems by
In the weak semantics, all time delays are allowed means of model transformation. Our paper is organized as
whereas in the strong one, all transitions are urgent, i.e. follow: The definition of TLOPNforSD which covers the
time delays cannot disable transitions. In other words, the intact information of SD is given in section 2. We offer the
time intervals under strong semantics are rigid, but they are transforming rules and the composition method to realize
loose under weak semantics. Take the constraint (𝑡12 when the refinement purpose in section 3. A series of proving
(𝑜𝑘 == 𝑡𝑡 and 𝑎𝑡 == 𝑡𝑡)< 𝑡11 +(3, 𝑚𝑠)) as example again, and algorithm are offered for the analysis of SD with time
we pay attention to whether the constraint between 𝑡12 and properties in section 4. Finally, we concludes our work and

119

point out the future working directions in section 5. An
example is running through to illustrate our methods.
II. TLOPN FOR SD
Let Σ ⊆ C ∪ Z≥0 be a finite character set where C is a
finite alphabet set and Z≥0 is a finite set of non-negative
integars. Σ∗ is the set of finite words over Σ. We use
R≥0 to represent the set of non-negative real numbers. A
mapping V is defined from 𝑋 ⊆ (Σ∗ ∪ R≥0 ) to R≥0 . For
∀x∈Σ and ∀d ∈ R≥0 , V(x + d) = V(x) + d. We note 0
the valuation which assigns to every 𝑥 ∈ Σ the value 0.
Definition 1 LPNforSD: a Labeled Petri Net for SD is a
tuple (𝑃 , 𝑇 , 𝐹 , 𝐿𝑃 , 𝑀𝑇 , 𝑚0 ) where:
∙ (𝑃 , 𝑇 , 𝐹 ) is a net [27],
∙ 𝐿𝑃 is a labeling function on 𝑃 , 𝐿𝑃 : 𝑃 → (𝑂 ∪ 𝑀 ) ×
Σ∗ , where 𝑂 ⊆ Σ∗ is the objects set and 𝑀 ⊆ Σ∗ is
the message set satisfying 𝑂 ∩ 𝑀 = ∅ and 𝑂 ∪ 𝑀 ∕= ∅,
∙ 𝑀𝑇 is defined in definition 2.
∙ 𝑚0 is the initial marking function, 𝑚0 : 𝑃 → Z≥0 .
Definition 2 𝑀𝑇 : is a tuple (𝐿𝑇 , Λ𝑇 , EXP, Γ𝑇 , 𝑣𝑎𝑙𝑢𝑒𝑇 )
where:
∙ 𝐿𝑇 is a labeling function on 𝑇 , 𝐿𝑇 : 𝑇 → Σ ,
∗ putation functions over 𝐸𝑛(𝑚). Intuitively, 𝑣(𝑡) represents
∙ Λ𝑇 : 𝑇 →{𝑓 𝑜𝑟𝑘, 𝑗𝑜𝑖𝑛, 𝑔𝑢𝑎𝑟𝑑, 𝑒𝑣𝑒𝑛𝑡} is a classifica-
tion function. For convenience, we respectively denote
𝑓 𝑜𝑟𝑘, 𝑗𝑜𝑖𝑛, 𝑔𝑢𝑎𝑟𝑑, 𝑒𝑣𝑒𝑛𝑡 as 𝑓, 𝑗, 𝑔, 𝑒,
∙ EXP is the set of guard expressions defined in MARTE
specification [1],
∙ Γ𝑇 is a cartesian product on 𝑇 ,
* for those 𝑡 ∈ 𝑇 whose Λ𝑡 = 𝑒, Γ𝑡 : 𝑡 → 𝐿𝑡 ×
Λ𝑡 × {!, ?} × 𝜎, where 𝜎 ∈ 𝑀 ;
* for those 𝑡 whose Λ𝑡 = 𝑓 or 𝑗, Γ𝑡 : 𝑡 → 𝐿𝑡 × 𝑓
or 𝑡 → 𝐿𝑡 × 𝑗;
* for those 𝑡 whose Λ𝑡 = 𝑔, Γ𝑡 : 𝑡 → 𝐿𝑡 ×𝑔×𝑒𝑥𝑝,
where 𝑒𝑥𝑝 ∈ 𝐸𝑋𝑃 ,
∙ 𝑣𝑎𝑙𝑢𝑒𝑇 : 𝑇 → {tt, ff} where tt and ff respectively
represent 𝑇 𝑟𝑢𝑒 and 𝐹 𝑎𝑙𝑠𝑒 is a computation function
that only takes effect on the transition whose Λ𝑇 (𝑡) =
𝑔𝑢𝑎𝑟𝑑.
Definition 3 LOPNforSD: a labeled Open Petri Net for SD
is a tuple (𝑃 , 𝑇 , 𝐹 , 𝐿𝑃 , 𝑀𝑇 , 𝑚0 , 𝑃𝑜 , 𝐿𝑃𝑜 , 𝐹𝑜 ) where:
∙ (𝑃 , 𝑇 , 𝐹 , 𝐿𝑃 , 𝑀𝑇 , 𝑚0 ) is a LPNforSD,
∙ 𝑃𝑜 is the open places of LOPNforSD, where 𝑃𝑜 ∩𝑃 = ∅
and 𝑃𝑜 ∪ 𝑃 ∕= ∅,
∗
∙ 𝐿𝑃𝑜 : 𝑃𝑜 → 𝑀 × Σ × {𝑖𝑛, 𝑜𝑢𝑡}.
∪
∙ 𝐹𝑜 ⊆ (𝑇 × 𝑃𝑜 ) (𝑃𝑜 × 𝑇 ), where 𝐹𝑜 ∩ 𝐹 = ∅ and
𝐹𝑜 ∪ 𝐹 ∕= ∅
The definition of LOPNforSD is different from the tra-
ditional definition of OPN [31] where a place can be both
an input and an output place at the same time. For every
𝑝 ∈ 𝑃 ∪ 𝑃𝑜 , 𝑡 ∈ 𝑇 , defines the presets and postsets are:
120
∙
𝑝 = {𝑡 ∈ 𝑇 ∣(𝑡, 𝑝) ∈ 𝐹𝑜 ∪ 𝐹 }
𝑝∙ = {𝑡 ∈ 𝑇 ∣(𝑝, 𝑡) ∈ 𝐹𝑜 ∪ 𝐹 }
∙
𝑡 = {𝑝 ∈ 𝑃 ∪ 𝑃0 ∣(𝑝, 𝑡) ∈ 𝐹𝑜 ∪ 𝐹 }
𝑡∙ = {𝑝 ∈ 𝑃 ∪ 𝑃0 ∣(𝑡, 𝑝) ∈ 𝐹𝑜 ∪ 𝐹 }
Definition 4 TLOPNforSD: a Labeled Open Petri Net for
SD with Time Properties is a tuple (𝑃 , 𝑇 , 𝐹 , 𝐿𝑃 , 𝑀𝑇 , 𝑚0 ,
𝑃𝑜 , 𝐿𝑃𝑜 , 𝐹𝑜 , 𝐼) where:
∙ (𝑃 , 𝑇 , 𝐹 , 𝐿𝑃 , 𝑀𝑇 , 𝑚0 , 𝑃𝑜 , 𝐿𝑃𝑜 , 𝐹𝑜 ) is a LOPNforSD,
∙ 𝐼: 𝑇 → R+ × R+ associates each transition with a
static time interval in the form of [𝑒𝑓 𝑡(𝑡), 𝑙𝑓 𝑡(𝑡)], where
𝑒𝑓 𝑡(𝑡) and 𝑙𝑓 𝑡(𝑡) are separately the static earliest and
latest firing time of 𝑡 ∈ 𝑇 , and ′ [′ and ′ ]′ can be
separately replaced by ′ (′ and ′ )′ .
A transition 𝑡 is enabled in a marking 𝑚 iff 𝑚 ⊇∙ 𝑡∧(Λ(𝑡) ∈
{𝑓, 𝑒, 𝑗} ∨ (Λ(𝑡) == 𝑔 ∧ 𝑣𝑎𝑙𝑢𝑒(𝑡) == 𝑡𝑡)). The enabled
transitions set under 𝑚 is denoted as 𝐸𝑛(𝑚). Now, we
introduce a fundamental definition configuration as semantic
premise for TLOPNforSD.
Definition 5 A configuration is a triple (𝑚, 𝑣, 𝑓 ), where 𝑚
is a marking over 𝑃 and 𝑚(𝑝) is the number of tokens in
place 𝑝. The last two components of (𝑚, 𝑣, 𝑓 ) are two com-
the amount of time that has elapsed since t is enabled and
f(t) the time point that 𝑡 is fired for each 𝑡 ∈ 𝐸𝑛(𝑚).
An enabled transition 𝑡 can be fired if v(𝑡) belongs to I(𝑡).
The marking obtained after the firing is the new marking
𝑚′ = 𝑚 −∙ 𝑡 + 𝑡∙ . Some time intervals are reset and the
corresponding transitions are newly enabled. We define a
predicate ↑ 𝑒𝑛𝑎𝑏𝑙𝑒𝑑(𝑡′ , 𝑚, 𝑡) which will be 𝑡𝑟𝑢𝑒 if 𝑡′ is
newly enabled by the firing of t from marking 𝑚 and 𝑓 𝑎𝑙𝑠𝑒
otherwise. It indicates whether we need to reset the clock
of 𝑡′ after firing t.
Definition 6 Semantics of TLOPNforSD: the weak seman-
tics of a TLOPNforSD 𝑁𝑠𝑑 =(P, T, F, 𝐿𝑃 , 𝑀𝑇 , 𝑚0 , 𝑃𝑜 , 𝐿𝑃𝑜 ,
𝐹𝑜 , 𝐼) is described by a timed transition system 𝑁𝑡𝑡𝑠 =(Q,
𝐸𝑛(𝑀 )
𝑞0 , Σ, →) where 𝑄 = N𝑃 × R≥0 , 𝑞0 = (𝑚0 , 0) and →
consists of discrete and continuous moves:
∙ For ∀𝑎 ∈ Σ, the discrete transition relation is defined
𝑎
→ (𝑚′ , 𝑣 ′ ) iff ∃𝑡 ∈ 𝑇 s.t. 𝐿(𝑡) = 𝑎 ∧ 𝑡 ∈
by: (𝑚, 𝑣) −
𝐸𝑛(𝑚) ∧ 𝑚′ = 𝑚 −∙ 𝑡 + 𝑡∙ ∧ 𝑣(𝑡) ∈ 𝐼(𝑡) ∧ ∀𝑡′ ∈
𝐸𝑛(𝑚′ )∧
{
𝑣 ′ (𝑡′ ) = 0 𝑖𝑓 ↑ 𝑒𝑛𝑎𝑏𝑙𝑒𝑑(𝑡′ , 𝑀, 𝑡)
𝑣 ′ (𝑡′ ) = 𝑣(𝑡′ ) 𝑜𝑡ℎ𝑒𝑟𝑤𝑖𝑠𝑒
The definition of ↑ 𝑒𝑛𝑎𝑏𝑙𝑒𝑑(𝑡′ , 𝑚, 𝑡) is as follow:
↑ 𝑒𝑛𝑎𝑏𝑙𝑒𝑑(𝑡′ , 𝑚, 𝑡)=(𝑡′ ∈ 𝐸𝑛(𝑚 −∙ 𝑡 + 𝑡∙ ) ∧ (𝑡′ ∈ ∕
𝐸𝑛(𝑚 −∙ 𝑡) ∨ 𝑡 == 𝑡′ ));
∙ For ∀𝑑 ∈ 𝑅+ , the continuous transition relation is
𝑑
defined by: (m, v) −→ (m, v′ ) iff v′ = v + d.
 III. T RANSFORMATION AND COMPOSITION OF SD
A. From SD to TLOPNforSD
The objects are transformed to the places, the names of
the objects are denoted by the label of the corresponding
places. The sending event and receiving event are designated
as !m and ?m. The transforming process is starting from the
first event on top to the last event on bottom of the identical
object. As far as the combined fragments are concerned, they
are transformed into LPNforSDs by dint of 𝑔𝑢𝑎𝑟𝑑, 𝑓 𝑜𝑟𝑘 and
𝑗𝑜𝑖𝑛 transitions. The optional fragment can be considered
as an alternative fragment that the first operand having non-
empty content and the second is empty. The semantics of
the break fragment is equivalent to that of an alternative
fragment with the contents of the break fragment as one
operand and all remaining elements as else branch. The
negative and assert fragments are considered as stand alone
parts. The set of traces that defined with Neg is equal to the
set of traces given by its (sole) operand, only that it is a set
of invalid traces [28]. Please note that:
(ob1, p1)
(m , p3,out) (m , p3,in)
(T 1, e, !m )
(ob1, p3)
(1) sending
(T 1, f)
1
2
3
4
(T , g, exp 1 )
(T 2, j)
(4) PAR
Figure 4.
∙ the places labeled 1, 2, 3, 4 are dispensable, an most
one between 1 and 2, between 3 and 4 can be chosen.
∙ the expressions are determined by the source SD, and
exp1 and exp2 are complementary.
In SD, each object may be decomposed into a new set of
objects, which collectively form a new SD. Using algorithm
1, we can realize the vertical refinement and horizontal com-
position purposes synchronously. We put the time properties
in the form of time intervals on the transitions whose Λ𝑡 = 𝑒,
and the others, we describe them as time expressions that
the corresponding TLOPNforSD has to satisfy. Then from
the LOPNforSD, we get the TLOPNforSD finally.
IV. A NALYSIS OF SD WITH TIME PROPERTIES
A. Theoretical basis
It is well known that the untimed Petri net is decid-
able when the reachability, boundedness and coverability
problems are concerned. In this section, we prove that the
undecidability results in [22] do not hold when considering
Input: 𝑇 𝐿𝑂𝑃 𝑁 𝑓 𝑜𝑟𝑆𝐷𝑠𝑢𝑏 = {𝐿𝑂𝑃 𝑁 𝑓 𝑜𝑟𝑆𝐷𝑜𝑏1 ,. . . ,
𝐿𝑂𝑃 𝑁 𝑓 𝑜𝑟𝑆𝐷𝑜𝑏𝑛 }, 𝑀 = {𝑚1 ,. . . , 𝑚𝑘 },
𝐺𝑢𝑎𝑟𝑑 = {𝑔𝑢𝑎𝑟𝑑1 ,. . . , 𝑔𝑢𝑎𝑟𝑑𝑙 },
𝑃 𝑎𝑟 = {< 𝑓1 , 𝑗1 >,. . . , < 𝑓𝑟 , 𝑗𝑟 >}
Output: 𝐿𝑂𝑃 𝑁 𝑓 𝑜𝑟𝑆𝐷𝑤ℎ𝑜𝑙𝑒
for (int 𝑖 = 1, 𝑖 <= 𝑘, i++) do
pick out the open places 𝑝𝑥 , 𝑝𝑦 whose labels are
separately (𝑚𝑖 , 𝑝𝑥 , 𝑖𝑛) and (𝑚𝑖 , 𝑝𝑦 , 𝑜𝑢𝑡), the arc
𝑎𝑟𝑐𝑠 whose source is 𝑝𝑥 and the arc 𝑎𝑟𝑐𝑡 whose
target is 𝑝𝑦 ;
delete 𝑝𝑥 and 𝑝𝑦 ;
create one place 𝑝𝑧 labeled with (𝑚𝑖 , 𝑝𝑧 ), 𝑎𝑟𝑐𝑡
directs to 𝑝𝑧 , 𝑎𝑟𝑐𝑠 is directed from 𝑝𝑧 , the source
of 𝑎𝑟𝑐𝑡 and the target of 𝑎𝑟𝑐𝑠 are not changed;
end
for for(int 𝑗 = 1, 𝑗 <= 𝑙, j++) do
for (int 𝑝 = 1, 𝑝 <= 𝑛, p++) do
pick out the presets and postsets of the
transitions whose third elements are separately
𝑔𝑢𝑎𝑟𝑑𝑗 == tt and 𝑔𝑢𝑎𝑟𝑑𝑗 == ff, and denoted
them separately as 𝑝𝑟𝑒𝑔𝑢𝑟𝑎𝑟𝑑𝑗 ==tt ,
𝑝𝑟𝑒𝑔𝑢𝑟𝑎𝑟𝑑𝑗 ==ff , 𝑝𝑜𝑠𝑡𝑔𝑢𝑟𝑎𝑟𝑑𝑗 ==tt and
𝑝𝑜𝑠𝑡𝑔𝑢𝑟𝑎𝑟𝑑𝑗 ==ff ;
(ob1, p1) delete all the transitions whose third element is
(T , g, exp 1 ) (T , g, exp n ) 𝑔𝑢𝑎𝑟𝑑𝑗 == tt or 𝑔𝑢𝑎𝑟𝑑𝑗 = ff;
create two transitions 𝐺𝑥 and 𝐺𝑦 labeled
(T 1, e,?m )
2
1 separately with (𝐺𝑥 , 𝑔, 𝑔𝑢𝑎𝑟𝑑𝑗 == tt) and
(𝐺𝑦 , 𝑔, 𝑔𝑢𝑎𝑟𝑑𝑗 == ff)
3
(ob1, p3)
(2) receiving
for(int 𝑞 = 1, 𝑞 ≤ ∣𝑝𝑟𝑒𝑔𝑢𝑟𝑎𝑟𝑑𝑗 ==tt ∣, 𝑞 + +)
4
(3) ALT create an arc that directs to 𝐺𝑥 from
𝑝𝑟𝑒𝑔𝑢𝑟𝑎𝑟𝑑𝑗 ==tt .𝑞;
for(𝑞 = 1, 𝑞 ≤ ∣𝑝𝑟𝑒𝑔𝑢𝑟𝑎𝑟𝑑𝑗 ==ff ∣, 𝑞 + +)
create an arc that directs to 𝐺𝑦 from
(T , g, exp 2 )
𝑝𝑟𝑒𝑔𝑢𝑟𝑎𝑟𝑑𝑗 =ff .𝑞;
for(𝑞 = 1, 𝑞 ≤ ∣𝑝𝑜𝑠𝑡𝑔𝑢𝑟𝑎𝑟𝑑𝑗 ==tt ∣, 𝑞 + +)
(5) LOOP
create an arc that direct from 𝐺𝑥 to
𝑝𝑜𝑠𝑡𝑔𝑢𝑟𝑎𝑟𝑑𝑗 ==tt .𝑞;
the transformation rules for(𝑞 = 1, 𝑞 ≤ ∣𝑝𝑜𝑠𝑡𝑔𝑢𝑟𝑎𝑟𝑑𝑗 ==ff ∣, 𝑞 + +)
create an arc that direct from 𝐺𝑦 to
𝑝𝑜𝑠𝑡𝑔𝑢𝑟𝑎𝑟𝑑𝑗 ==ff .𝑞;
for (𝑗 = 1, 𝑗 <= 𝑟, 𝑗 + +) do
for (𝑝 = 1, 𝑝 <= 𝑛, 𝑝 + +) do
pick out the preset of the transition
whose second element is 𝑓 , and
denoted it as 𝑝𝑟𝑒𝑓 ;
pick out the postset of the transition
whose second element is 𝑗, and denoted
it as 𝑝𝑜𝑠𝑡𝑗 ;
delete the transitions whose second
element is 𝑓 or 𝑗;
create two new transitions 𝐺𝑥 and 𝑇𝑦
whose second elements are separately 𝑓
and 𝑗;
create arcs directed from the 𝑝𝑟𝑒𝑓 to
𝐺𝑥 ;
create arcs directed from 𝐺𝑦 to 𝑝𝑜𝑠𝑡𝑗 ;
end
end
end
end
Algorithm 1: Composing Sub-nets to a Whole-net
121
 (A, p1)
(B, p2) timed sequence of a corresponding TLOPNforSD.
(m 1, p4) (t 1 ,e, ?m 1),[1,2]
(t 0 , e, !m 1 ),[1,3]

(B, p6)
t 2 ,[3,6]
(e,!m 2 )
(m 2 , p7)
Proposition 1 Let 𝑁𝑠𝑑 be a TLOPNforSD with singleton
(user, p5)
(AT M, p8)
t 3 ,[1,5]
(e,?m 2 )
intervals and (𝑚, v, f) be a configuration of 𝑁𝑠𝑑 compatible
with some multiset of transitions Δ. Then, for any transition
g 1 ,(g, n<4 and at==0)

(A, p9)
g 2 , (g, n=4 or at==1)

(B, p10)
(C, p3)

(C, p11)
𝑡 ∈ 𝐶𝑎𝑛𝑑𝑖𝑑𝑎𝑡𝑒(𝑚, Δ) such that 𝛿(𝑡) = 𝑙𝑓 𝑡(𝑡) − 𝑣(𝑡) is
minimal, we have:
𝛿(𝑡) 𝑡
(𝑚, v, 0) −−→ (𝑚, v + 𝛿(𝑡), 0) − → (𝑚′ , v′ , f(t));
g 4 ,(g, at==1) (C, p19)
(A, p17)
g 3 , (g, n==4)
∙

(A, p12)
(e, !m 4 )
t 6 :[3,5]
(m 4 , p20)
(B, p18) ∙ (𝑚 , 𝑣 , 𝑓 (𝑡)) is compatible with 𝛿 ′ = 𝛿 ∖ 𝑡.
′ ′
(C, p14)
t 7 :[1,4]
Proof: Let 𝑡 ∈ 𝐶𝑎𝑛𝑑𝑖𝑑𝑎𝑡𝑒(𝑚, Δ) is a transition such
t 9 :[2,5] (m 6 , p25)
(m 3 , p45) (B, p13) (e, ?m 4 ) (Bank, p24)
(e, ?m 3 ) (user, p21) (e, ?m 5 )
(e, !m 3 ) (B, p22)
that for ∀𝑡′ ∈ 𝐶𝑎𝑛𝑑𝑖𝑑𝑎𝑡𝑒(𝑚, Δ), we have 𝑙𝑓 𝑡(𝑡) − v(𝑡) =
t 5 ,[2,3]
t 4 ,[1,5] t 10 :[1,3]
(e, !m 6 ) (e, ?m 6 )
(A, p15) (B, p16) (m 5 , p23)
𝛿(𝑡) ≤ 𝛿(𝑡′ ) = 𝑙𝑓 𝑡(𝑡′ ) − 𝑣(𝑡′ ).
t 11 :[2,4]
t 8 :[1,2]
g 5 ,(g, ok==1) (e, !m 5 ) (B, p27)
(A, p28)
(C, p26)
(B, p29)
∙ When we consider the weak semantics, the timing
(C, p30) 𝛿(𝑡)
elapsing transition (𝑚, v, 0) −−→ (𝑚, v + 𝛿(𝑡), 0) is
g 6 ,(g, ok==0)
(e, ?m 7 )
(m 7 ,p31)
(e, ?m 8 ) t 13 :[2,3] (e, !m 7 )
t 15 :[1,5] t 12 :[1,3] (B, p38) (C, p36) 𝑡
(m 8 ,p36)
(B, p32)
(A, p41)
possible, and the discrete transition (𝑚, v + 𝛿(𝑡), 0) − →
(e, ?m 9 ) (e, !m 9 )
′ ′
(e, !m 8 )
(C, p35) t 17 :[1,4] (m 9 , p43)
t 16 :[2,6] (𝑚 , v , f(t)) is also possible since the intervals is sin-
ok=0 t 14 :[1,3]

(B, p33)
(A, p34)
Figure 5.
the weak semantics we defined in section 2. A set of
notations were defined as follows:
∙ For a TLOPNforSD 𝑁𝑠𝑑 , we denote the LOPNforSD
obtained by removing from 𝑁𝑠𝑑 the component 𝐼 as
𝑈
𝑁𝑠𝑑 ,
𝑃 𝑇
∙ Given a set of configurations 𝐶 ⊆ 𝑁 ×R≥0 ×R≥0
of 𝑁𝑠𝑑 , we denote the projection of 𝐶 over the set 𝑁
as 𝑢𝑛𝑡𝑖𝑚𝑒(𝐶),
∙ A marking 𝑚 and a multiset of transitions Δ of 𝑁𝑠𝑑 ,
we define the set 𝐶𝑎𝑛𝑑𝑖𝑑𝑎𝑡𝑒(𝑚, Δ)= {𝑡 ∈ Δ∣𝑚 ⇒𝑡
𝑚′ ⇒∗Δ∖𝑡 }, we then say that a configuration (𝑚, v, f)
is compatible with a multiset Δ iff 𝑚 ⇒∗Δ and ∀𝑡 ∈
𝐶𝑎𝑛𝑑𝑖𝑑𝑎𝑡𝑒(𝑚, Δ), v(t) ≤ lft(t), 𝑓 (𝑡) ≤ 𝑓 (𝑡𝑏 ) + 𝑙𝑓 𝑡(𝑡)
where 𝑡𝑏 is the transition that occurring just before t. ∀𝑡
whose Λ(𝑡) ∈ {𝑔, 𝑓, 𝑗} is instantaneous and the default
time interval is [0, 0], so v(t) ≤ 𝑙𝑓 𝑡(𝑡) and 𝑓 (𝑡𝑏 ) +
𝑒𝑓 𝑡(𝑡) ≤ f(t) ≤ 𝑓 (𝑡𝑏 ) + 𝑙𝑓 𝑡(𝑡) is taking for granted.
Theorem 1 Given a TLOPNforSD 𝑁𝑠𝑑 transformed from
𝑈
𝑆𝐷, we have 𝑢𝑛𝑡𝑖𝑚𝑒(𝑅𝑒𝑎𝑐ℎ(𝑁𝑠𝑑 ))= 𝑅𝑒𝑎𝑐ℎ(𝑁𝑠𝑑 ).
Proof: 1.1: 𝑢𝑛𝑡𝑖𝑚𝑒(𝑅𝑒𝑎𝑐ℎ(𝑁𝑠𝑑 )) ⊆ 𝑅𝑒𝑎𝑐ℎ(𝑁𝑠𝑑 )𝑈 ).
for ∀𝑚 ∈ 𝑢𝑛𝑡𝑖𝑚𝑒(𝑅𝑒𝑎𝑐ℎ(𝑁𝑠𝑑 )) , there exists 𝑣 and 𝑓
such that (𝑚, 𝑣, 𝑓 ) ∈ 𝑅𝑒𝑎𝑐ℎ(𝑁𝑠𝑑 ), and a sequence 𝜌
denoted as 𝜌 = 𝑑0 , 𝑎0 , ⋅ ⋅ ⋅ , 𝑑𝑛 , 𝑎𝑛 where 𝑑0 , ⋅ ⋅ ⋅ , 𝑑𝑛 are
time units sequence and 𝑎0 , ⋅ ⋅ ⋅ , 𝑎𝑛 are events sequence
𝑑0 𝑎0
satisfying (𝑚0 , 0, 0) −→ (𝑚0 , 𝑑0 , 0) −→ (𝑚′ , 𝑣 ′ , 𝑓 ′ ) −→
𝑎𝑛
⋅ ⋅ ⋅ −−→ (𝑚, 𝑣, 𝑓 ). According to the definition of 𝑁 𝑈 , we
have 𝑚0 −→
𝑎1 𝑎𝑛
𝑚′ ⋅ ⋅ ⋅ −−→ 𝑚 such that 𝑚 ∈ 𝑅𝑒𝑎𝑐ℎ(𝑁𝑠𝑑 𝑈
𝑈
1.2:𝑢𝑛𝑡𝑖𝑚𝑒(𝑅𝑒𝑎𝑐ℎ(𝑁𝑠𝑑 )) ⊇ 𝑅𝑒𝑎𝑐ℎ(𝑁𝑠𝑑 ). We now
firstly prove the following proposition which help us to turn
a sequence of transitions of the untimed LOPNforSD into a
(A, p42) (m 10 , p44)
(B, p39) (C, p37)
gleton and t is the first firing transition and v + 𝛿(𝑡) =
t 19 :[1,2]
(e, ?m 10 )
(e, !m 10 )
t 18 :[2,4]
(B, p40) v(𝑡) + 𝛿(𝑡) = 𝑙𝑓 𝑡(𝑡) = 𝑒𝑓 𝑡(𝑡).
∙ To prove compatibility, according to the definition of
the TLOPNforSD of Fig.1 compatible, we will first prove 𝑀 ′ →∗Δ′ . It is obvious
since 𝑡 ∈ 𝐶𝑎𝑛𝑑𝑖𝑑𝑎𝑡𝑒(𝑚, Δ) and Δ′ = Δ ∖ 𝑡; then, let
𝑡′ ∈ 𝐶𝑎𝑛𝑑𝑖𝑑𝑎𝑡𝑒(𝑚, Δ′ ), we will prove v(𝑡′ ) ≤ 𝑙𝑓 𝑡(𝑡′ )
and 𝑓 (𝑡′ ) ≤ 𝑓 (𝑡)+𝑙𝑓 𝑡(𝑡). we first prove v(𝑡′ ) ≤ 𝑙𝑓 𝑡(𝑡′ ).
We distinguish two cases according to the value of the
predicate ↑ 𝑒𝑛𝑎𝑏𝑙𝑒𝑑(𝑡′ , 𝑚, 𝑡):
– If ↑ 𝑒𝑛𝑎𝑏𝑙𝑒𝑑(𝑡′ , 𝑚, 𝑡) is true, then we have v′ (𝑡′ ) =
0, then v′ (𝑡′ ) ≤ 𝑙𝑓 𝑡(𝑡′ ) and 𝑓 (𝑡′ ) = (𝑓 (𝑡)+𝑣(𝑡′ ))≤
𝑇
(𝑓 (𝑡) + 𝑙𝑓 𝑡(𝑡′ )) are obvious.
𝑃
– Otherwise, we have v′ (𝑡′ ) = v(𝑡′ ) and (𝑡′ ∈
𝐸𝑛(𝑚 −∙ 𝑡 + 𝑡∙ ) ∧ (𝑡′ ∕∈ 𝐸𝑛(𝑚 −∙ 𝑡) ∨ 𝑡 = 𝑡′ )) =
𝑓 𝑎𝑙𝑠𝑒). It has two cases according to the above
valuation:
∗ 𝑡′ ∕∈ 𝐸𝑛(𝑚 −∙ 𝑡 + 𝑡∙ ), then we have (Λ(𝑡) =
𝑔 ∧ 𝑣𝑎𝑙𝑢𝑒(𝑡) = 𝑓 𝑎𝑙𝑠𝑒) ∨∙ 𝑡′ ≤ 𝑚 −∙ 𝑡 + 𝑡∙ .
1) if Λ(𝑡) = 𝑔 ∧ 𝑣𝑎𝑙𝑢𝑒(𝑡) = 0, it is contrary to
𝑡 ∈ 𝐶𝑎𝑛𝑑𝑖𝑑𝑎𝑡𝑒(𝑚, Δ)
2) if 𝑀 −∙ 𝑡 + 𝑡∙ <∙ 𝑡′ , then it is contrary to
𝑚′ ⇒∗Δ′ , where Δ′ = Δ∖𝑡.
∗ 𝑡 ∈ 𝐸𝑛(𝑚 −∙ 𝑡) ∧ 𝑡 ∕= 𝑡′ , then 𝑚 −∙ 𝑡 ≥∙
′
𝑡′ . As a consequence, we have 𝑚 −∙ 𝑡′ ≥∙ 𝑡,
then 𝑀 ⇒𝑡′ ⇒𝑡 and 𝑡′ ∈ 𝐶𝑎𝑛𝑑𝑖𝑑𝑎𝑡𝑒(𝑚, Δ). So
𝑣(𝑡′ ) ≤ 𝑙𝑓 𝑡(𝑡′ ) and because of 𝑣 ′ (𝑡′ ) = 𝑣(𝑡′ ),
at last we get 𝑣 ′ (𝑡′ ) ≤ 𝑙𝑓 𝑡(𝑡′ ) as desired. In the
sequel, we have 𝑣(𝑡′ ) ≤ 𝑙𝑓 𝑡(𝑡′ ), then 𝑓 (𝑡′ ) =
(𝑓 (𝑡) + 𝑣(𝑡′ )) ≤ (𝑓 (𝑡) + 𝑙𝑓 𝑡(𝑡′ )) is obvious.
𝑑1 𝑈
We start to prove 𝑅𝑒𝑎𝑐ℎ(𝑁𝑠𝑑 ) ⊆ 𝑢𝑛𝑡𝑖𝑚𝑒(𝑅𝑒𝑎𝑐ℎ(𝑁𝑠𝑑 )).
𝑈
∀𝑚 ∈ 𝑅𝑒𝑎𝑐ℎ(𝑁𝑠𝑑 ), we have a transition sequence denoted
). as Δ such that 𝑚0 ⇒∗Δ 𝑚. We consider two cases according
to the time intervals.
𝑈
∙ 𝑅𝑒𝑎𝑐ℎ(𝑁𝑠𝑑 ) ⊆ 𝑢𝑛𝑡𝑖𝑚𝑒(𝑅𝑒𝑎𝑐ℎ(𝑁𝑠𝑑 )) is obvious in
the case of TLOPNforSD with singleton intervals.

122
 Since, each time intervals on the transitions holds the Input: P:arrey of places; pre: array of preset; post:
following property: 𝑣(𝑡) = 𝑙𝑓 𝑡(𝑡) = 𝑒𝑓 𝑡(𝑡), and (𝑚0 , array of postset;
0, 0) is compatible with Δ. so according to proposition Output: P’:array of places
1, we have v′ such that (𝑚, 𝑣 ′ , 𝑓 ) is compatible with for (int 𝑖 = 1, 𝑖 ≤ ∣𝑇 ∣, 𝑖 + +) do
𝑒𝑛 ← (Λ(𝑇𝑖 ) ∈ {𝑓, 𝑒, 𝑗} ∨ (Λ(𝑇𝑖 ) = 𝑔 ∧
Δ′ = Δ ∖ Δ′′ , where Δ′′ is the transition multiset that ⋀∣𝑃 ∣
𝑣𝑎𝑙𝑢𝑒(𝑇𝑖 ) == tt))∧ 𝑗=1 𝑝𝑟𝑒𝑗 > 0 → ∣𝑝𝑗 ∣ ≥ 𝑝𝑟𝑒𝑗 );
fired from (𝑚0 , 0, 0) to (𝑚, 𝑣 ′ , 𝑓 ).
if (𝑒𝑛 ∧ 𝑣(𝑇𝑖 ) ∈ 𝐼(𝑇𝑖 ) then
∙ Otherwise, first, we have (𝑚0 , 0, 0) is compatible with ∣𝑝′𝑗 ∣ ← (∣𝑝𝑗 ∣ − 𝑝𝑟𝑒𝑗 + 𝑝𝑜𝑠𝑡𝑗 );
Δ, we assume that 𝑡 ∈ 𝐶𝑎𝑛𝑑𝑖𝑑𝑎𝑡𝑒(𝑚, Δ) such that 𝑣 ′ (𝑡) ← 0;
𝛿(𝑡) = 𝑙𝑓 𝑡(𝑡) − 𝑣(𝑡) is minimal, then according to for (int 𝑘 = 1, 𝑘 ≤ (𝑖 − 1), 𝑘 + +) do
proposition 1, we have: (i)(𝑚0 , 0, 0) →𝛿(𝑡) (𝑚0 , 𝑣 + 𝑒𝑛 ← (Λ(𝑇𝑘 ) ∈ {𝑓, 𝑒, 𝑗} ∨ (Λ(𝑇𝑘 ) =
⋀∣𝑃 ∣
𝛿(𝑡), 0) →𝑡 (𝑚′ , 𝑣 ′ , 𝑓 (𝑡)), (ii) (𝑚′ , 𝑣 ′ , 𝑓 (𝑡)) is compat- 𝑔 ∧ 𝑣𝑎𝑙𝑢𝑒(𝑇𝑘 ) == tt)) ∧ 𝑗==tt (𝑝𝑟𝑒′𝑗 >
ible with Δ′ = Δ ∖ 𝑡. To continue this process, we 0 → ∣𝑝′𝑗 ∣ ≥ 𝑝𝑟𝑒′𝑗 ∧ ∣𝑝′𝑗 ∣ < (∣𝑝𝑗 ∣ − 𝑝𝑟𝑒𝑗 ));
finally have 𝑣 ′ such that (𝑚, 𝑣 ′ , 𝑓 (𝑡′ )) is compatible if (en) then
with Δ′ = Δ ∖ Δ′′ , where Δ′′ is the transition multiset 𝑣 ′ (𝑡) ← 0;
that fired from (𝑚0 , 0, 0) to (𝑚, 𝑣 ′ , 𝑓 (𝑡′ )). end
else
𝑣 ′ (𝑡) ← 𝑣(𝑡);
From the above results, we get: end
end
Corollary 1 The marking reachability, boundedness and for (int 𝑘 = 𝑖 + 1, 𝑘 ≤ ∣𝑇 ∣, 𝑘 + +) do
coverability problems are decidable for TLOPNforSD with 𝑒𝑛 ← ((Λ(𝑇𝑘 ) ∈ {𝑓, 𝑒, 𝑗} ∨ (Λ(𝑇𝑘 ) =
⋀∣𝑃 ∣
weak semantics. 𝑔 ∧ 𝑣𝑎𝑙𝑢𝑒(𝑇𝑘 ) == tt)) ∧ 𝑗=1 (𝑝𝑟𝑒′𝑗 > 0 →
∣𝑝′𝑗 ∣ ≥ 𝑝𝑟𝑒′𝑗 ∧ ∣𝑝′𝑗 ∣ < (∣𝑝𝑗 ∣ − 𝑝𝑟𝑒𝑗 )));
Take this corollary as foundation, we start to analyze SD if (en) then
with time properties. 𝑣 ′ (𝑡) ← 0;
end
B. Analysis of SD with time properties else
1) Qualitative Aspect: The verification work of SD with 𝑣 ′ (𝑡) ← 𝑣(𝑡);
end
time properties is carried out by dint of ROMEO [30]. end
Just as we have pointed out, the main difference between else
strong semantics and weak semantics reflects in their firing ∣𝑝′𝑗 ∣ ← ∣𝑝𝑗 ∣
strategies, i.e. the definition of a proper next-state relation. end
ROMEO produces a time transition system (TTS) based on end
end
strong semantics, so we have to design an algorithm to
Algorithm 2: Checking and firing of every transition
redefine the next-state relation. Then, using TCTL for the
TPN(TPN-TCTL) [32] that is based on Generalized Mutual
Exclusion Constraints (GMEC) [33] to specify the time Input: 𝑇 𝐿𝑂𝑃 𝑁 𝑓 𝑜𝑟𝑆𝐷𝑤ℎ𝑜𝑙𝑒 ;
properties, we can realize the qualitative analysis of SD with Output: state-class diagram of 𝑇 𝐿𝑂𝑃 𝑁 𝑓 𝑜𝑟𝑆𝐷𝑤ℎ𝑜𝑙𝑒 ;
weak semantics. label 𝐸𝑛(𝑚0 ) as the initial state 𝑐0 and tag it with
′
A library that captures the weak semantics of TLOP- 𝑛𝑒𝑤′ ;
NforSD has been implemented in order to perform the while ′ 𝑛𝑒𝑤′ states exist do
verification. This library consists of two modules(𝑃 𝑙𝑎𝑐𝑒() select a new state 𝑐𝑥 = 𝐸𝑛(𝑚);
and 𝑇 𝑟𝑎𝑛𝑠𝑖𝑡𝑖𝑜𝑛()). The 𝑃 𝑙𝑎𝑐𝑒() module can be constructed if 𝐸𝑛(𝑚) = ∅ then
as an array of integers as in classic Petri nets. while the it is a final state of the graph and tag it ′ 𝑒𝑛𝑑′ ;
𝑇 𝑟𝑎𝑛𝑠𝑖𝑡𝑖𝑜𝑛() is an algorithm(Algorithm 2) to capture the end
enabled transition in every marking and the time resets after else
firing an enabled transition. Based on the algorithm, we get for (int 𝑖 = 1, 𝑖 <= ∣𝐸𝑛(𝑚)∣, i++) do
the state-class diagram [34] using Algorithm 3. create a transition 𝑡𝑖 whose label is
For space constraints, we just give out the marking (𝐿(𝑡𝑖 ), 𝐼(𝑡𝑖 )) where 𝑡𝑖 ∈ 𝐸𝑛(𝑚);
draw an state 𝑐′𝑥 = (𝐸𝑛(𝑚′ )), where
distributions of 𝐶9, 𝐶21 and 𝐶25 where 𝑚′ = 𝑚 −∙ 𝑡𝑐 + 𝑡∙𝑐 ;
∙ 𝐶9={𝑝1 = 0, . . . , 𝑝13 = 0, 𝑝14 = 1, 𝑝15 = 1, 𝑝16 = 0, draw an arc from 𝑐𝑥 to 𝑥′𝑥 and label it with
. . . , 𝑝45 = 0} 𝑡𝑖 }
∙ 𝐶21={𝑝1 = 0, . . . , 𝑝32 = 0, 𝑝33 = 1, 𝑝34 = 1, 𝑝35 = 0,
tag𝑐𝑥 with ’dead’;
end
𝑝36 = 0, . . . , 𝑝45 = 0} end
∙ 𝐶25={𝑝1 = 0, . . . ,𝑝36 = 0, 𝑝37 = 1, 𝑝38 = 0, 𝑝39 = 0, end
𝑝40 = 1, 𝑝41 = 0, 𝑝42 = 1, 𝑝43 = 0, . . . , 𝑝45 = 0} Algorithm 3: Generate state class diagram from TLOP-
The syntax of GMEC and TPN-TCTL are as follows: NforSD

123
Definition 7 𝐺𝑀 𝐸𝐶 = 𝑎 ∗ 𝑚(𝑖){+, −}𝑏 ∗ 𝑚(𝑗){<, ≤, > C0

T0
C14
T11
C15

, ≥, =}𝑘 ∣ 𝑝 ∧ 𝑞 ∣ 𝑝 ∨ 𝑞 ∣ 𝑝 → 𝑞 ∣ ¬𝑝
T 11 G5, G6
T0 G5 G6
T10
where 𝑀 : marking; 𝑖,𝑗: place index; 𝑎,𝑏,𝑘: integer; ∗,+,−, T 1 C1
T 10 C13 T 12 C16 T 16 C17
∧, ∨, →, ¬: usual operator; 𝑝,𝑞: GMEC. G1
T1

C2
T9 T12 T16
T2
T 9 C12
TPN-TCTL=E(p)U[a,b](q)∣A(p)U[a,b](q)∣EF[a,b](p)∣ T2 T 13 C18 T 17 C22

AF[a,b](p)∣EG[a,b](p)∣AG[a,b](p)∣𝐸𝐹 [𝑎, 𝑏](𝑝) → [0, 𝑏](𝑞) T 3 C3

T8
T13 T17
T 8 C11
where p,q: GMEC; U: until; E: exists; A: forall; F: eventu- T3 T 14 C19 T 18 C23
T7
ally; G: always; →: response; a: integar; b: integer∪{∞}. G1, G2 C4
T 7 C10
T14 T18

T 15 C20 T 19 C24
G2
T6
Take Fig.1 as example, we have: C5 G3, G4
G4
T 6 C7
T15 T19

Null C21 Null C25

∙ EF[0,16](m(35)-m(30)=1) is checked to be 𝑓 𝑎𝑙𝑠𝑒 but G3
C8 C9
EF[0,17](m(35)-m(30)=1) is 𝑡𝑟𝑢𝑒 and the trace is C6 T4
T4
T5 T5 Null

𝑇0 , 𝑇1 , 𝑇2 , 𝑇3 , 𝐺2 , 𝐺4 , 𝑇6 , 𝑇7 , 𝑇8 , 𝑇9 , 𝑇10 , 𝑇11 , 𝐺5 , 𝑇12 .

This means that 𝑇 12 must wait for at least 17ms to Figure 6. the state class diagram of Fig. 1
fire timing from scratch.
2) Quantitative Aspect: In MARTE specification, the
expressions such as (𝑡1 − 𝑡0 ) = 𝑑1 <= (1, 𝑚𝑠) and ∙ Compelling time interval is a time interval in the form
𝑑1 <= 𝑡15 − 𝑡6 <= 𝑑1 ∗ 30 when (𝑜𝑘 = 𝑡𝑡 and 𝑎𝑡 = 𝑡𝑡) of [𝑚𝑒𝑓 𝑡(𝑡), 𝑚𝑙𝑓 𝑡(𝑡)] which means that in order to
of figure 1 are time constraints to regulate the scheduling of satisfy the time constraints of the SD, its corresponding
the sending and receiving events. Now, we start to deal with event must be occurred not earlier than 𝑚𝑒𝑓 𝑡(𝑡) and not
the scheduling of SD with time properties. We use the state later than 𝑚𝑙𝑓 𝑡(𝑡).
class diagram as the foundation model. The analysis order ∙ For a SD, there may be several schedules according to
of the time constraints is defined as: its time constraints. We denote the set composed by
∙ 𝑡𝑖 and 𝑡𝑗 have constraints and 𝑡𝑖 < 𝑡𝑗 , then 𝑡𝑖 is the schedules as 𝑆𝑐ℎ = {𝑠𝑐ℎ1 , 𝑠𝑐ℎ2 , ..., 𝑠𝑐ℎ𝑘 }, Then
considered at first. the set of the compelling intervals of every schedule
∙ The constraints have the form of 𝑐𝑜𝑛𝑠𝑡𝑟𝑎𝑖𝑛𝑡(𝑡𝑖 , 𝑡𝑗 ), ∪𝑘 denoted as 𝐼𝑆𝑐ℎ = {𝐼𝑠𝑐ℎ1 , 𝐼𝑠𝑐ℎ2 , ..., 𝐼𝑠𝑐ℎ𝑘 } and
is
𝑐𝑜𝑛𝑠𝑡𝑟𝑎𝑖𝑛𝑡(𝑡𝑖 , 𝑡𝑘 ), 𝑡𝑖 < 𝑡𝑗 , 𝑡𝑖 < 𝑡𝑘 and 𝑡𝑗 < 𝑡𝑘 , then 𝑖=1 𝐼𝑠𝑐ℎ𝑖 is denoted as 𝐼𝑐 .
𝑐𝑜𝑛𝑠𝑡𝑟𝑎𝑖𝑛𝑡(𝑡𝑖 , 𝑡𝑗 ) is considered at first. ∙ We denote 𝐼𝑐 ∪ (𝐼/𝐼𝑐 ) as the compelling intervals set
∙ The constraints have the form of 𝑐𝑜𝑛𝑠𝑡𝑟𝑎𝑖𝑛𝑡(𝑡𝑖 , 𝑡𝑗 ), of SD.
𝑐𝑜𝑛𝑠𝑡𝑟𝑎𝑖𝑛𝑡(𝑡𝑚 , 𝑡𝑛 ) and 𝑡𝑖 , 𝑡𝑗 , 𝑡𝑚 , 𝑡𝑛 are different from
each other, then 𝑐𝑜𝑛𝑠𝑡𝑟𝑎𝑖𝑛𝑡(𝑡𝑖 , 𝑡𝑗 ), 𝑐𝑜𝑛𝑠𝑡𝑟𝑎𝑖𝑛𝑡(𝑡𝑚 , 𝑡𝑛 ) Isch1, Isch2 0<=I(t1)<=1
at=tt
can be considered in any order. n=1
0<=t0<=3, 2<=t1<=7, 5<=t2<=13, 6<=t3<=15
T 0, T 1, T 2, T 3
at=ff, n=2 T 0, T 1, T 2, T 3

Take figure 1 as example, We first consider the loop frag- 0<=I(t0)<=3, 2<=I(t1)<=4, 3<=I(t2)<=6,
1<=I(t3)<=2, 1<=I(t4)<=5, 2<=I(t5)<=3,
6<=t0<=18, 8<=t1<=22, 11<=t2<=28,12<=t3<=30

at=ff,n=3 T 0, T 1, T 2, T 3
ment, when 𝑛 = 4, it says the keyword is wrong, and the
3<=I(t6)<=5, 1<=I(t7)<=4, 1<=I(t8)<=2,
2<=I(t9)<=5, 1<=I(t10)<=3, 2<=I(t11)<=4, 12<=t0<=33, 14<=v(t1)<=37, 17<=v(t2)<=43, 18<=t3<=45
1<=I(t12)<=3, 2<=I(t13)<=3, 1<=I(t14)<=4,
1<=I(t15)<=5, 2<=I(t16)<=6, 1<=I(t17)<=4, n=4 T 0, T 1, T 2, T 3
user can not continue the following behavior. Otherwise, it 2<=I(t18)<=4, 1<=I(t19)<=2
18<=t0<=48, 20<=t1<=52, 23<=t2<=58, 24<=t3<=60

says after 𝑛 ≤ 3 times, the user enters the correct keyword, Break, T 4, T 5 sch1

and he can continue the following behaviors. We take 𝑛 = 1

18<=t0<=48, 20<=t1<=52, 23<=t2<=58, d1=t1-t0<=1 18<=t0<=48, 18<=t1<=49, 21<=t2<=55,
24<=t3<=60, 25<=t4<=65, 27<=t5<=68 22<=t3<=57, 23<=t4<=62, 25<=t5<=65

T 6, T 7
as example, then the diagram is described in figure 7 (for 0<=t0<=3, 2<=t1<=7, 5<=t2<=13,
6<=t3<=15, 9<=t6<=20, 10<=t7<=24,
T 8, T 9,
T 10, T 11
space constraints, those parts when 𝑛 = 2, 3 are omitted 0<=t0<=3, 2<=t1<=7, 5<=t2<=13,
6<=t3<=15, 9<=t6<=20, 10<=t7<=24,
T 16, T 17, T 18, T 19 11<=t8<=26, 13<=t9<=31,
ok=ff 14<=t10<=34, 16<=t11<=38

ok=tt T 12, T 13, T 14, T 15

from it). It is desirable to complete a task using the least 11<=t8<=26, 13<=t9<=31,14<=t10<=34,
16<=t11<=38, 18<=t16<=44, 19<=t17<=47,
21<=t18<=51, 22<=t19<=53 0<=t0<=3, 2<=t1<=7, 5<=t2<=13, Isch3
amount of time unit. Using this method, we can compute d1=t1-t0<=1 6<=t3<=15, 9<=t6<=20, 10<=t7<=24,
11<=t8<=26, 13<=t9<=31, 14<=t10<=34,
0<=I(t15)<=2,
sch2 0<=I(t12)<=3,
out the maximal and minimal time consumption units. 0<=t0<=3, 2<=t1<=4, 5<=t2<=10,
16<=t11<=38, 17<=t12<=41, 19<=13<=44,
20<=t14<=48, 21<=t15<=53
0<=I(t1)<=1
6<=t3<=12, 9<=t6<=17, 10<=t7<=21,
Please note that in complex system, there may be more 11<=t8<=23, 13<=t9<=28,14<=t10<=31,
16<=t11<=35, 19<=t17<=44, 21<=t18<=48,
d1=t1-t0<=1

22<=t19<=50
than one schedule according to the various conditions, so the 0<=t0<=3, 0<=t1<=4, 3<=t2<=10, 4<=t3<=12,
0<=t0<=3, 0<=t1<=4, 3<=t2<=10, 7<=t6<=17, 8<=t7<=21, 9<=t8<=23,
least and most time consumption amount may be different 4<=t3<=12, 7<=t6<=17, 8<=t7<=21,
9<=t8<=23, 11<=t9<=28, 12<=t10<=31,
t12<=t11+3 11<=t9<=28, 12<=t10<=31, 14<=t11<=35,
15<=t12<=38, 17<=t13<=41, 18<=t14<=45,

from each other. Then we have to compute out the amount 14<=t11<=35, 14<=t12<=38,
16<=t13<=41,17<=t14<=45, 18<=t15<=50
d1<=t15-t6<=30*d1
19<=t15<=50
d1<=t15-t6<=30*d1

of every schedule, whereas the computing mode is identical.
The consumption interval is in fact the firing interval of the sch3
0<=t0<=3, 0<=t1<=4, 3<=t2<=10, 4<=t3<=12,
7<=t6<=17, 8<=t7<=21, 9<=t8<=23,
final node in the TTS for TLPNforSD. 11<=t9<=28, 12<=t10<=31,14<=t11<=35,
14<=t12<=38, 16<=t13<=41, 17<=t14<=45,
0<=t0<=3, 0<=t1<=4, 3<=t2<=10, 4<=t3<=12,
7<=t6<=17, 8<=t7<=21, 9<=t8<=23,
11<=t9<=28, 12<=t10<=31, 14<=t11<=35,
15<=t12<=38, 17<=t13<=41, 18<=t14<=45,
19<=t15<=47
t12<=t11+3

From the schedules getting from a set of conditions, we 18<=t15<=47

can get the compelling time intervals of every event. Some

Figure 7. The time scheduling strategy of Fig. 1
intervals may be changed, while some may be the same as
their static intervals.

124
 strategies minimal time(ms) maximal time(ms)
n=4 25 65
n=1 and ok=tt 18 47
n=1 and ok=ff 22 50
n=2 and ok=tt 24 62
n=2 and ok=ff 28 65
n=3 and ok=tt 30 77
n=3 and ok=ff 34 80
Figure 8. the time consumption table of Fig. 1
V. C ONCLUSION
It is not easy to carry out the qualitative and quantitative
analysis of the SD with time properties due to its informal
semantics. We choose TPN with weak semantics among a
set of formal models for designing and analyzing ERTS,
because we find out that TPN with weak semantics is a
more acceptable intermediate model for SD with time prop-
erties. However, the traditional TPN can not cover all the
information of SD, So we define an extended TPN model–
TLOPNforSD with weak semantics– as our intermediate
model.
The transformation rules from SD to TLOPNforSD are
offered. In SD, each object may be decomposed into a
new set of objects, which collectively form a new SD.
An algorithm is offered to realize the vertical refinement
and horizontal composition purposes synchronously. Using
this algorithm, the construction of the TLOPNforSD can be
considered as a progressive refinement process. Then We
put the time properties in the form of time intervals on the
transitions whose Λ𝑡 = 𝑒, and the others, we describe them
as time expressions that the corresponding TLOPNforSD has
to satisfy.
As far as we know, there is no work dealing with verifi-
cation problem of SD with time properties that is described
according to MARTE specification. We firstly prove the
decidability of reachability, boundedness and coverability of
TLOPNforSD with weak semantics. Because the enabled
condition is different from TPN with strong semantics, so
we design an algorithms to check if each transition can
be enabled or not, and to compute out the result after
firing those transitions. Using GMEC and TPN-TCTL that
offered in ROMEO, we realize the qualitative analysis of
TLOPNforSD.
In MARTE specification, a SD always contain some time
constraints that have to be satisfied. And these constraints
can be considered as the time conditions of the SD’s
scheduling policy. So we propose one method to take those
time constraints under consideration when we deal with the
scheduling of the SD.
Comparing with other works, we not only offer an inte-
125
grate formal semantics which is consistent with the literal
definition of SD with time properties in MARTE specifi-
cation, but realize its verification and scheduling according
to its time constraints. Moreover, the methods are more effi-
cient and practical in dealing with the behaviors among mul-
tiple objects since the intermediate model–TLOPNforSD–
offers open ports to support the further refinement and
composition purposes.
In this paper, we focus on the analyzing of single model.
In fact, the consistency among multiple models is also
crucial in the designing process of ERTS. We are now
trying to settle the following open questions of SD with
time properties:
∙ The timing consistency analysis among multiple SDs
when they are in connection with each other via shared
communication message, and
∙ the decomposition technique which is used to decom-
pose one TLOPNforSD into a set of TLOPforSDs.
Using this technique, we intends to check whether the
information of one single object extracting from the
corresponding source SD is consistent with the infor-
mation provided by its corresponding state machine.
VI. ACKNOWLEDGMENT
This work is supported by National Natural Science
Foundation of China under grant No. 60873061, the National
Basic Research Program of China (973 Program) under
Grant No.2009CB320701 and 2010CB328103.
R EFERENCES
[1] A UML Profile for MARTE: Modeling and Analysis of Real-
Time Embedded systems, Beta 2 (convenience document
without change bars), http://www.omgmarte.org/, June 2008.
[2] Object Management Group, UML Profile for Schedulability,
Performance, and Time Specification, OMG Adopted Spec-
ification formal/03-09-01, September 1, 2003.
[3] R. Alur and D. Dill. Automata for modelling real-time
systems. In Proceedings of the 17th International Colloquium
on Algorithms, Languages and Programming (ICALP’90),
volume 443 of LNCS, pages 322-335. Springer-Verlag,
1990.
[4] R. Alur and D. Dill. A theory of timed automata. Theoretical
Computer Science, 126(2):183-235, 1994.
[5] K.G. Larsen, P. Pettersson, and W. Yi. Uppaal in a Nutshell.
International Journal on Software Tools for Technology
Transfer, 1(1-2):134-152, 1997.
[6] M. Bozga, C. Daws, O. Maler, A. Olivero, S. Tripakis,
and S. Yovine. Kronos: A model-checking tool for real-time
systems. In Proceedings of the 10th International Conference
on Computer-Aided Verification (CAV’98), volume 1427 of
LNCS, pages 546-550. Springer-Verlag, 1998.
[7] Marius Bozga, Susanne Graf, Ileana Ober, Iulian Ober, and
Joseph Sifakis. The IF toolset. In Formal Methods for the
Design of Real-Time Systems, Interna- tional School on For-
mal Methods for the Design of Computer, Communication
and Software Systems(SFM-RT’04), volume 3185 of LNCS,
pages 237-267. Springer- Verlag, 2004.
[8] F. Laroussinie and K.G. Larsen. CMC: A tool for composi-
tional model-checking of real-time systems. In Proceedings
of the FIP TC6 WG6.1 Joint International Conference on
Formal Description Techniques for Distributed Systems and
Com- munication Protocols(FORTE XI) and Protocol Speci-
fication, Testing and Veri- fication(PSTV XVIII), pages 439-
456. Kluwer, B.V., 1998.
[9] OMG Unified Modeling LanguageTM (OMG UML), Super-
structure Version 2.2, http://www.omg.org/, Febuary 2009.
[10] Philip Meir Merlin. A Study of the Recoverability of Com-
puting Systems. PhD thesis, University of California, Irvine,
CA, USA, 1974.
[11] T. Bolognesi, F. Lucidi, and S. Trigila. From timed Petri nets
to timed LOTOS. In Proceedings of the IFIP WG 6.1 Tenth
International Symposium on Protocol Specification, Testing
and Verification (Ottawa 1990), pages 1-14. North-Holland,
Amsterdam, 1990.
[12] J. Srba. Timed-arc Petri nets vs. networks of timed automata.
In Proceedings of the 26th International Conference on Ap-
plication and Theory of Petri Nets(ICATPN 2005), volume
3536 of LNCS, pages 385-402. Springer-Verlag, 2005.
[13] Saldhana, J., Shatz, S. UML Diagrams to Object Petri
NEt Models: An Approach for Modeling and Analysis. the
12𝑡ℎ International COnference on Software Engineering
and Knowledge Engineering, Chicaro, IL, USA, Knowledge
Systems Institute, pp: 103-110, 2000.
[14] 𝑒, M. On Formalizing UML with High-level
Bardsi, L., Pezz`
Petri Nets. Concurrent OOP and PN, LNCS 2001, pp: 276-
304, 2001.
[15] Hu, Z., Shatz, S.M.. Mapping UML diagrams to a Petri
net notation for system simulation. In the proceeding of 6𝑡ℎ
SEKE, Banff, Alta., Canada, pp: 213-219, 2004.
[16] Javier Campos, Jos´𝑒 Merseguer. On the Integration of UML
and Petri Nets in Software Development. ICATPN, pp: 19-
36, 2006.
[17] Juan Pablo Lpez-Grao, Jos Merseguer, Javier Campos. From
UML activity diagrams to Stochastic Petri nets: application
to software performance engineering. WOSP 2004: 25-36.
[18] Canevet, C., Gilmore, S., Hillston, J., Prowse, M., Stevens,
P.. Performance modelling with UML and stochastic process
algebras. IEEE Proceedings, Computers and Digital Tech-
niques 150 (2), 107-120.
[19] Sima Emadi and Fereidoon Shams. Transformation of Use-
case and Sequence Diagrams to Petri Nets. 2009 ISECS
International Colloquium on Computing, Communication,
Control, and Management, pp:399-403, 2009.
126
[20] Mohamed Ariff Ameedeen, Behzad Bordbar. A Model
Driven Approach to Represent Sequence Diagrams as Free
Choice Petri Nets. 12th International IEEE Enterprise Dis-
tributed Object Computing Conference, pp. 213-221.
[21] Evelina N. Koycheva, Trifon A, Trifonov, Hristo T. Aladjov.
Modelling of UML Sequence Diagrams with Generalized
Nets. First International IEEE Symposium” intelligent sys-
tems”, pp. 79-84, 2002.
[22] Sebastien Bornot, Joseph Sifakis and Stavros Tripakis. Mod-
eling urgency in timed systems. Lecture Notes In Computer
Science, Vol. 1536:103-129, 1997.
[23] Jonathan Lee, Jiann-I Pant, Jong-Yih Kuo, Yong-Yi Fanjiang
and Stephen Yang. Towards the Verification of Scenarios
with Time Petri-Nets. COMPSAC: 503-508, 2000.
[24] ˘
Oddleif Halvorsen, Ragnhild Kobro and 𝑄ystein Haugen.
Time Exceptions in Sequence Diagrams. MoDELS 2006
Workshops, LNCS 4364:131-142, 2007.
[25] Baldan, P., Corradini, A., Ehrig, H., Heckel, R.. Composi-
tional Semantics for open Petri nets based on deterministic
processes. Mathematical Structures in Computer Science 15
(1), pp. 1-35, 2005.
[26] Emeson Andrade, Paulo Maciel, Gustavl Callou, Bruno
Nogueire and Carios Araujo. Mapping UML Sequence Di-
agram to Time Petri Net for Requirement Validation of
Embedded RealTime. SAC: 377-381, 2009.
[27] Murata, T.. Petri nets: properties, analysis, and applications.
Proceedings of the IEEE 77(4) (1989): 541-580.
[28] Meixhia Zhu, Hanpin Wang, Wei Jin, Zizhen Wang, Chunx-
iang Xu. Semantic Analysis of UML2.0 Sequence Diagram
Based on Model Transformation. To appear in STPSA 2010.
[29] B. Berthomineu, P-O. Ribet, and F. Vernadat. The tool TINA-
Construction of abstract state spaces for Petri nets and
time Petri nets. International journal of Production Research,
42(14): 2741-2756, 2004.
[30] Ch. Seidner, G. Gardey, D. Lime, M. Magnin, and O. Roux.
Romeo: A tool for time Petri net analysis. http://remeo.rts-
software.org/.
[31] Baldan, P., Corradini, A., Ehrig, H., Heckel, R.: Composi-
tional Semantics for open Petri nets based on deterministic
processes. Mathematical Structures in Computer Science
15(1), pp. 1-35, 2005.
[32] Hanifa Boucheneb, Guillaume Gardey and Olivier H. Roux.
TCTL model-checking of Time Petri Nets. IRCCyN Technical
report number RI2006-14.
[33] A Giua, F. DiCesare, and M Silva. Generalized mutual
exclusion constraints on nets with uncontrollable transitions.
In IEEE Int. Conf. on SMC, 1992.
[34] Bernard Berthomieu and Michel Diaz. Modeling and Veri-
fication of Time Dependent Systems Using Time Petri Nets.
IEEE TRANSACTIONS ON SOFTWARE ENGINEER-
ING, 17(3), pp. 259-273, MARCH 1991.