Abstract
This paper considers the problem of establishing live resource allocation in workflows with synchronization stages. Establishing live resource allocation in this class of systems is challenging since deciding whether a given level of resource capacities is sufficient to complete a single process is NP-complete. In this paper, we develop two necessary conditions and one sufficient condition that provide quickly computable tests for the existence of process completing sequences. The necessary conditions are based on the sequence of completions of subprocesses that merge together at a synchronization. Although the worst case complexity is , we expect the number of subprocesses combined at any synchronization will be sufficiently small so that total computation time remains manageable. The sufficient condition uses a reduction scheme that computes a sufficient capacity level of each resource type to complete and merge all subprocesses. The worst case complexity is , where is the number of synchronizations. Finally, the paper develops capacity bounds and polynomial methods for generating feasible resource allocation sequences for merging systems with single unit allocation. This method is based on single step look-ahead for deadly marked siphons and is . Throughout the paper, we use a class of Petri nets called Generalized Augmented Marked Graphs to represent our resource allocation systems.
1. Introduction
In recent years, liveness-enforcing supervisory control has been an active area of research for resource allocation systems characterized by processes with highly ordered, linear workflows. This research has been motivated to a large degree by the need to control resource allocation in large, highly automated manufacturing systems, where process workflow is highly sequential and is typically prespecified in a product’s process plan. In brief, a sequential resource allocation system (RAS) consists of a set of resources, each available at a finite level, and a set of processes that progresses through sequences of processing stages, with each stage requiring a predetermined set of the system resources. Furthermore, a process instance is allowed to advance to its next stage only when it has been granted the complete set of required resources and only then will it release the currently held resources that are not required for the following stage.
Because the resource allocation schemes discussed above are embedded in the operation of many technologically advanced systems, a complete understanding of their worst case behaviors is essential when devising operating logic for their control. Indeed, if resource allocation is not properly constrained, the sequential RAS will attain resource allocation states from which additional allocation-deallocation of some subset of resources is not possible. This situation is highly undesirable, because resource allocation stalls, the involved processes and the resources they hold are idle, and outside intervention to resolve and reset the system is required. Liveness enforcing supervision seeks to avoid these situations and maintain completely smooth operation by imposing an appropriate supervisory control policy.
Reveliotis et al. [1] present a taxonomy for sequential RAS based on the structure of the allocation requests associated with various processing stages. This taxonomy includes (i) single-unit (SU) RAS, which admits only linearly ordered process sequences with resource requests corresponding to standard unit vectors, (ii) conjunctive (C) RAS, which admits linearly ordered process flows with arbitrary resource requests, and (iii) disjunctive/conjunctive (D/C) RAS, which allows the process to use alternative workflow sequences. Lower-numbered classes in the taxonomy are specializations of the higher-numbered and therefore present simpler behaviors which are more easily analyzed and controlled. Indeed, many results on RAS liveness and the synthesis of tractable liveness enforcing supervisors (LES) have been developed for the SU-RAS class, see, for example, [2, 3] for seminal papers. Researchers have also addressed the problem in the context of the more general classes of D-RAS, C-RAS, and D/C-RAS, see [4, 5] for early results. An interesting discussion that provides a unifying perspective for many of these results, and also highlights the currently prevailing issues in the area, can be found in [6]. Additional recent reviews are provided in [7, 8].
In [9], Reveliotis et al. extends the taxonomy of [1] to include RAS with process synchronizations, that is, RAS where a process may consist of several subprocesses operating independently until some synchronization stage is attained, at which point subprocesses recombine through merging and splitting and then continue as a new set. We shall refer to this class of RAS as A/D-RAS (assembly/disassembly RAS), since, in the case of manufacturing, this class covers products with both assembly and disassembly in their specified workflow. We notice, however, that synchronization also commonly occurs in project management and business workflow scenarios where finite resources must be allocated to competing tasks, which must eventually merge and spawn successor tasks.
From the perspective of logical analysis and control, a major difference between the A/D-RAS and those addressed in the taxonomy of [1] is that we can no longer quickly be sure that the given level of resource capacities is sufficient to complete even a single process. More specifically, since a single process may consist of several concurrent and independently operating subprocesses, each requesting, using, and holding resources, there is no guarantee that resources are of sufficient capacity to allow these subprocesses to attain required synchronization states. In this paper, we refer to this issue as the “quasi-liveness” problem since, by definition, an underlying Petri net model of the A/D-RAS will be quasi-live if, for every transition of the net (including those representing synchronizations), there exists a sequence of transition firings (resource allocations) that enables that transition. In [9], it is established that the lack of quasi-liveness in the A/D-RAS can be explained by the presence of a particular type of deadly marked siphon in the underlying net dynamics and that testing quasi-liveness, a rather easy task for nets modeling the D/C-RAS, now becomes an NP-complete problem (cf. also [10] for a formal proof on the NP-completeness of the quasi-liveness problem in the considered RAS class). Thus, assessing process quasi-liveness raises important and novel research problems to be addressed for this RAS. For quasi-live processes, an additional issue is identifying sequences of resource allocations that enable the involved process synchronizations. Once such sequences have been identified, standard D/C-RAS deadlock avoidance policies can be implemented to control concurrent allocation of resources across several concurrently operating processes.
We note that in [11], Xie and Jeng also study resource allocation in systems with synchronizations by analyzing a class of ordinary Petri nets called extended resource control nets (ERCN). More specifically, they develop structural characterizations for the ERCN quasi-liveness and liveness that are based on the notion of empty siphons. In other work, Wu et al. [12] model assembly/disassembly processes using resource-oriented Petri nets. Based on the models, a deadlock control policy is proposed and proved to be computationally efficient and less conservative than the existing policies in the literature. Hsieh [13] develops a subclass of Petri net models called nonordinary controlled flexible assembly Petri nets with uncertainties for assembly systems and studies their robustness to resource failure. Hu et al. [14] proposes a class of Petri nets to study automated manufacturing systems with either flexible routes or assembly operations. Using structural analysis, the authors show that liveness of such systems can be attributed to the absence of under-marked siphons.
Our work, on the other hand, places more emphasis on the associated design and control problems, seeking first to find resource levels that guarantee quasi-liveness and then to find resource allocation sequences that enable synchronization transitions. In [15, 16], we model the A/D-RAS using a subclass of Petri nets known as Generalized Augmented Marked Graphs (G-AMG). Based upon the notion of reachability graph, we present an algorithm that determines the quasi-liveness of a process subnet by enumerating all execution sequences that are resource-enabled under the considered resource availability; if the net is quasi-live, there will be at least one sequence that leads to process completion. For a quasi-live process, the reachability graph provides complete information about the resource allocation sequences that can be used. Since the graph is exponential in size, it is generally necessary to select a smaller subset of sequences to use for supervision. Based on the work presented in [15, 16], Choi [17] develops a mixed integer program that selects a small subset of process completing sequences for the development of liveness enforcing supervisors. This defines a manageable set of realizable behaviors the system can exhibit. The subset is selected such that a performance controller, posed as a Markov decision process, has the greatest potential to optimize system performance.
In this paper, we seek to develop more tractable methods of identifying process completing sequences for certain subclasses. More specifically, we define a special case of G-AMG, called G-AMGA, which models a RAS comprising only “assembly” or merging operations. For RAS modeled by G-AMGA’s, we develop two necessary conditions for quasi-liveness which provide quick tests. We also develop a polynomial net reduction algorithm that can be used to compute resource levels sufficient to assure quasi-liveness. We then turn our attention to the more restricted subclass of G-AMGA, G-AMGASU , in which resource allocation is of the single-unit type. For this class, we develop resource bounds that guarantee polynomial quasi-liveness. We also present a polynomial algorithm for computing resource-feasible sequences when the resource bounds are met.
We organize the remainder of the paper as follows. Section 2 presents and discusses our A/D-RAS model. Section 3 develops the necessary conditions, the sufficient condition, and the net reduction algorithm for generating a process completing sequence for the G-AMGA. Section 4 develops sufficient resource bounds along with a polynomial algorithm for generating process completing sequences in assembly systems with single unit resource allocation, G-AMGASU. Finally, Section 5 provides concluding remarks and discusses future research.
2. The G-AMG Model for the A/D-RAS
References [9, 12] formally define the G-AMG structure for the A/D-RAS. For completeness, the Appendix repeats this definition. Figure 1 provides an example of a G-AMG process net.
Note from Figure 1 that the net has an initial place, , marked with a single token. This represents the uninitiated process. The initial transition, , serves as the order release transition, which initiates production of the five subprocesses. The places of •, call this set , hold the released subprocess orders. No resources are allocated to subprocesses in , that is, merely releases orders for the subprocesses it does not allocate resources. This is indicated by the zero need vector associate with places in .
We use to represent the set of places that model processing operations, typically those with nonzero resource need, and to represent those transitions that allocate-deallocate resources. Thus, resource places are only connected to transitions in . Note that the sequential logic underlying the execution of the set of subprocesses is expressed by the induced subnet .
Places of are labeled with resource need for three resource types. We do this to simplify the figure. In fact, each resource type has its own place (the set of resource places is ) and is marked with a number of tokens representing its capacity (we will denote the capacity or resource, , as ). Consider Figure 2, illustrating the connectivity for resource . The weight represents the number of units of requested by the subprocess at . The needs of a process place with respect to some resource , are expressed by the value of , where is the -semiflow introduced by item 5 of Definition A.11.
Note that resource types support the execution of the different requesting subprocesses in a reusable fashion, that is, their utilization does not diminish their capacity.
Firing of represents the completion of the process. This event deallocates all resources and places a token in the final completion place, . When this happens, the final transition, , which signals process completion, is allowed to fire and a new process release is enabled. Only places of provide input to is the only input of , and is the only output of . Also, is the only input of , and is the only output of . Finally, is the only input of places in , and these places connect to transitions in .
Since the process net (without resource places) is a marked graph, each place in has exactly one input and one output. This implies that processes can exhibit concurrency and synchronization but not choice. To be well-defined, we require that the process net be strongly connected. Finally, we will say that , , and . To summarize, we have the following notation.: Initial process place. The initial marking of specifies the maximum number of concurrently executing processes.: Places that hold subprocesses ready to begin processing. : Places where processing occurs. These typically have associated resource needs. : Places holding the completed process. : The set of resource places. :, all places except resource places. : The “order release” transition. : Transitions that allocate-deallocate resources and that synchronize, merge, or split subprocesses.: The “process completion” transition. : the set of transitions. : The number of units of resource requested at transition . :, the process net without resources. :, the process net with resources.
As previously stated, the Appendix (Definition A.11) provides the formal definition.
As mentioned in the introduction, assessing the quasi-liveness of the G-AMG is NP-complete [10]. Thus, determining whether or not a given process has a sequence of transition firings (resource allocations) that enables requires super-polynomial computation in the general case. Detailed discussions on quasi-liveness and related issues for the general case can be found in [12, 14].
In this paper, we investigate live resource allocation for assembly systems only; that is, we impose that for all , is a singleton. In Section 3, we develop conditions that provide quickly computable tests on quasi-liveness. In Section 4, we develop polynomial methods for resolving quasi-liveness and generating feasible resource allocation sequences for assembly systems with single unit resource allocation.
3. The G-AMGA Model for the A-RAS
This section develops results for the subclass, referred to as , of A/D-RAS systems restricted to assembly only (A-RAS). In other words, systems in G-AMG have subprocess merging but no splitting. For this subclass of systems, is restricted as follows: for all , . Thus, a transition (other than ) can perform no splitting operation; that is, there is no disassembly. For this subclass, we develop a set of quick tests for quasi-liveness based on necessary conditions and sufficient conditions. The necessary conditions are based on local tests of “place concurrence” for each synchronizing transition. If these conditions are not met, then the net is not quasi-live. If these tests do not indicate lack of quasi-liveness, we then perform a polynomial sufficiency test, that, if met, guarantees quasi-liveness and provides resource enabled execution sequences.
3.1. Necessary Conditions for A-RAS
Consider an . Let be the set of transitions that synchronize subprocesses, that is, . For example, in Figure 1, . We note that for each , all places in must be simultaneously marked for synchronization to occur. Further, there must exist sufficient remaining unallocated resources to fire the synchronization once these places are marked. For example, in Figure 1, for to be process enabled, it is necessary that the three subprocesses synchronized at are simultaneously allocated a total of three units of resource type, . To resource enable , one additional unit of is required. Thus, if the capacity of is less than three, cannot be process enabled, and if the capacity of is less than four, cannot be both process and resource enabled. Thus, as illustrated by this example, if there exists and resource, , such that , where is the capacity of , then cannot be quasi-live.
This is our first necessary condition that resource capacities must be sufficient to be both process enabled and resource enabled .
Further, note that transitions and must be fired to process-enable . Since we fire only one transition at a time, these must be fired in some order. Suppose is fired before . Then the subprocess at place will be assembled and holding two units of after firing . Then to fire , subprocesses at • will need to be holding five units of . Thus, must have at least seven units of capacity if fires before .
On the other hand, if is fired before , then the subprocess at place will be assembled and holding two units of . Then to fire , the subprocess at will need to be holding three units of . Thus, must have at least five units of capacity if fires before . Clearly, if has capacity four, the net is not quasi-live. If has capacity five or six, is resource enabled but is not. If has capacity seven or greater, both sequences are resource enabled.
More generally, suppose has subprocess input places, that is, . Since is a marked graph, each will have only one input transition. Since is assembly only, each will have a unique input transition. Thus, to process enable , these transitions will have to be fired in some order.
Let = and let , where , , and so forth. Firing marks , firing marks , and so forth. When are all marked, is process enabled. With unlimited resources, there are possible firing sequences for that process-enable (assuming each is fired only once). However, with finite resource capacities, some (possibly all) of the firing sequences might be infeasible. For example, in Figure 1, if has capacity six, then the firing sequence is not possible, although is.
Let be the set of partial firing sequences of of length (again assuming that each transition will occur at most once in any sequence of ). Note that marks places of and leaves unmarked. If there exists such that for every marked -subset of , all input transitions to the unmarked -complement are resource disabled, then cannot be quasi-live.
Putting more formally, let be a -subset of , that is, such that . Note that there are total -subsets of . If such that for all , for all , such that , then cannot be quasi-live.
This is our second necessary condition that resource capacities must be sufficient to fire all the input transitions to subprocess input places of .
Algorithm 1 checks these necessary conditions. The algorithm starts with a For loop that tests every synchronization transition for violations of the two necessary conditions. The first check is for necessary condition 1, where the resources required to process-enable plus the resources required to resource-enable the synchronization are compared to the resource capacities. If a violation is found, then the net cannot be quasi-live, and the algorithm terminates by returning not quasi-live.
| ||||||||||||||||||||||||||||||||||||||||||
If no violation of the first necessary condition is found, then the algorithm initiates a While loop for testing the second condition. The first step is to initialize a subset counter, which, for the given synchronization transition, counts the number of -subsets of the process input places that violate the second necessary condition. If it found that all -subsets violate the second necessary condition, that is, subset_count = total number of -subsets, then the algorithm terminates by returning not quasi-live.
Note that the inner For loop determines whether a given -subset violates the second necessary condition or not. It does this by checking all the places in the -complement to see if their input transitions are resource enabled. If none is, then none of these places can be marked, and the synchronization cannot be process enabled by first marking the -subset and then firing the input transitions of the -complement. If this is true for a -subset, then that -subset violates the second condition and the counter, subset_count, is incremented. Again, if we find such that all -subsets violate the second necessary condition, that is, subset_count = total number of -subsets, then the algorithm terminates by returning not quasi-live.
Consider an example assembly system depicted in Figure 3. Assume that = . We have both and in . Checking for the first necessary condition, we have for , and for, resulting in no violation. A similar check finds that does not violate the first necessary condition. We now check for the second necessary condition. For , we have and for , and for , and and for . Hence, there is no violation. Similar checks for and reveal that there is no violation. For , we have for , for , and for ; as a result, the condition is not violated. Similarly, and yield no violation. Therefore, does not violate the second necessary condition. Likewise, does not violate the second necessary condition either.
We note that Algorithm 1 enumerates all subsets of the input places for each synchronization transition, and thus, in the strictest sense, this check is of exponential complexity. However, we expect that the number of subprocesses combined at any synchronization will be sufficiently small so that the total computation of Algorithm 1 will be quite small in comparison to the complete enumeration of the reachability graph in [12, 14], and therefore the check is worthwhile.
If no violations of either of the necessary conditions are found, then the quasi-liveness remains unverified that is, we cannot say whether the net is quasi-live or not. In the following section, we will develop a sufficient condition for quasi-liveness and an algorithm, for generating a process completing sequence based on this sufficient condition.
3.2. Sufficient Condition Test for Quasi-Liveness of the A-RAS
This subsection develops a sufficiency test for the model. This test makes use of reductions performed on two types of structures contained in the . In Figure 3, consider the three net segments: , , and . These three represent the sequential processing steps of the three subprocesses marking places that synchronize at . Any interaction between the three subprocesses is strictly limited to resource competition. Otherwise their processing up to is independent, possibly concurrent, depending on resource capacities.
We note the following.(1)The subprocess of requires a total allocation of in order to reach , where it will release the unit of and will hold the unit of .(2)The subprocess of requires a total allocation of in order to reach , where it will release the unit of and will hold the unit of .(3)The subprocess of requires a total allocation of in order to reach , where it will release the unit of and will hold the unit of .
Thus, if we have sufficient resources to simultaneously allocate to the first subprocess, to the second, and to the third, then we are sure that the three subprocesses can reach the synchronization stage. Thus, we say that if + + = , then resource capacities are sufficient to process-enable the synchronization at .
We refer to a structure such as as a Type-I structure; that is, a Type-I structure is a segment , , , , , …, , , of , where(1),(2), (3), (4), (5).
The first condition states that is an output place of ; the second states that all places are nonresource places; the third states that none of the intermediate transitions are synchronizations; the fourth states that the last transition is a synchronization; and the last states there are at least three places in the structure.
Thus, a Type-I structure of is a path in with at least three places that begins with , ends with a synchronization, and has the property that all intermediate transitions are not synchronizations.
Now, consider the Type-I structure, , in Figure 3. Suppose we reduce it as follows:(1)delete and and all corresponding edges;(2)insert edge ;(3)set the resource need vector associated with to the component-wise maximum of the need vectors of all places in the Type-I structure, that is, the component-wise maximum of ;; = .
Applying this reduction to the three Type-I structures in the example yields the resulting net shown in Figure 4. Note that the net now contains no Type-I structure.
More formally, let represent a Type-I reduction on net , and let be the resulting net. Then applies the following actions to .
Resource Bound Update
For each Type-I structure , assign , , and let denote the vector.
Net Reduction
Delete and the associated arcs. Add arc ().
Note that () retains the maximum usage of resource, , along the Type-I structure. Thus, the resource bound associated with the undeleted place, , will be the number of units of each resource required for the subprocess to reach the synchronization transition.
We note that all Type-I structures can be found in number of steps polynomial in places and transitions. We now proceed to our second reduction.
Now consider net segments ,, of Figure 4. We refer to this structure as a Type-II structure, that is, a set of at least two parallel segments, starting at , with two intermediate places, and ending at .
More formally, a Type-II structure is composed of parallel segments in ending in :1.2.. m., , , , such that and for.
A Type-II reduction, , is similar to the Type-I reduction in that it applies a bound update and then a net reduction. We first illustrate the bound update and reduction and then state it more formally.
To understand the next bound update, consider the nets of Figure 5. Each place in (a) is labeled with resource need. To mark , we require units for resources , and , thus, in (b), . Similarly, and for places and , respectively, as shown in (b).
Places in (b) are also labeled with their original resource needs, , , and . Now, for , and , consider . We refer to as the “return” of resource, , by the corresponding subprocess. Letting let denote the vector : , we have , , and , as shown in Figure 5(b).
Sort the places by decreasing return for . Then we have ordered set since . In 5(a), if we first mark , then , and finally according to the firing sequence , the following capacity constraints must be met (note that is the resource capacity vector): = , + = , + + .
Taking the component-wise max across these constraints yields . Thus, is necessary and sufficient to execute . We will refer to as a “serialized” firing sequence, since it advances the Type-I subprocesses to the synchronization transition one at a time. In other words, a serialized firing sequence does not allow parallel Type-I subprocesses to process in parallel. We refer to the computed bounds as serialized bounds.
Note that if we sort in any other way, say , we get a different serialized firing sequence for marking the places and a different set of resource bounds (in this case, and , resp.). The bound for can be no smaller, although the bounds for and might be tighter. This is established by the following lemma.
(a)
(b)
Lemma 1. Let and be two places in a Type-II structure, where and are the returns of resource for and . If , then .
Before going to the proof, note (recall) the following:(1) is the need (number of units held) of at ;(2) is the maximum need for along the Type-I structure leading to ;(3) given that the th subprocess has advanced to , + is a lower bound on the number of units of required to advance the th subprocess from its place in to ;(4) given that the th and th subprocesses are both at their initial places in , max(, + ) is a lower bound on the number of units of required to first advance the th subprocess to and then the th subprocess to .
Proof. By assumption . Further, , since the jth subprocess cannot return more of than it is allocated.Then,;;. Thus, max.Now, since , we have ;and;;(since).Thus,.
The point is to show that if we advance the subprocesses serially; that is, one at a time, from their places in to their synchronization transition, in order of decreasing return of , then we will minimize the need for in the serial advancement.
We can now formally state the bound update and net reduction. To understand the subscripts, please refer to the definition of a Type-II structure given above. Our approach is to identify a critical resource, , perhaps one that is most constraining or most expensive, and compute bounds for Type-II reductions using the returns for as a sorting key in ordering the corresponding subprocesses.
Resource Bound Update for Critical Resource,
For a Type-II structure Let , , Sort by decreasing Let be the sorted set For Set to max End ForEnd For
Net Reduction
Delete and the associated arcs.
Subsequently, let () denote the net resulting from a Type-II reduction having been applied to ; that is, in () all Type-II structures have been reduced. Clearly, all Type-II structures in a net can be found in number of steps polynomial in places and transitions.
Let us now apply a Type-II reduction to the net of Figure 4. Assuming that is the critical resource, we obtain the resulting net depicted in Figure 6 (note that a new Type I structure has emerged).
Lemma 2 guarantees the computed bounds are sufficient for some serialized firing sequence.
Lemma 2. Suppose with Type-I structures connecting and , , , …, and . Then in is a sufficient resource level to enable a firing sequence of that marks .
Proof. It is clear that in () enables in , in () enables in , and so forth. Now () will contain Type-II structure ,,. Before doing the Type-II reduction, we sort based on the return of critical resource, (perhaps arbitrarily chosen), , and let be the sorted set, in order of decreasing return. Then, if the resource capacities satisfy the following constraint set: , ++ ≤ in , we can first fire and mark , next fire and mark , and so forth. Thus, by updating with the component-wise maximum of , , before the Type-II reduction, we assure that in is a sufficient resource level to enable the firing sequence in .
We will now establish some necessary properties for these reductions. We note that the reductions are defined on and not on . For the sake of brevity, we will use the notation “implies ” to indicate that a reduction preserves the class defining structure of the process flow. Note that in the strictest sense, if and is the corresponding process subnet, then , since it represents a valid process flow with no resource requirements.
Lemma 3. implies .
Proof. Suppose has no Type-I structure. Then, ( and hence . Suppose has a Type-I structure 〈〉. In (), this structure is transformed to . Since , are connected to the rest of through and only, the reduction is local and all other places, transitions, and arcs remain intact. Thus implies .
Lemma 4. implies .
Proof. Suppose N has no Type-II structure. Then, and thus . Suppose has a Type-II structure , ⋯. In (), the m parallel sequences are transformed into the single sequence, . As before, all other places and transitions remain intact, and thus implies .
The above two lemmas establish that : , . Note that for any , and , , , , , and there is a path from to . Let = , . It is clear that and that will not affect , since has no Type-1 or Type-2 structure. We refer to as “irreducible.”
Lemma 5. If and , then there exists a Type-I or Type-II structure in .
Proof. Suppose that is not irreducible. Then . Suppose that there exists neither Type-I structure nor Type-II structure. Then, since no Type-I structure exists, every is a synchronization. This implies that , otherwise there are no subprocesses to synchronize. Since no Type-II structure exists, for every pair , . This implies that for every such that and synchronize at . Note that there must be a path from to , and the first node of this path, say , must be in . Further, the synchronization transition, , must fire before can be marked. Thus, for every there exists such that must be enabled and fired before can be enabled and fired. Since is finite, this implies a cyclic dependency among the transitions of , which contradicts the implication of Definition A.11 that every cycle of passes through .
With these results, the following theorems are now straightforward.
Theorem 1. For every , there is a finite sequence of reductions that maps N to irreducible form. Further, sequence length is ).
Proof. Suppose is not in irreducible form. Then, it can be reduced by the following algorithm, which will return the required sequence of reductions:Set (empty string)While (concatenation)End WhileReturn Note that if is not irreducible, then (()) has fewer places than . Since has finite places, the While will terminate in a finite number of steps not larger than since each iteration will eliminate at least one place.
In the following, we will let () denote the net that results after the Type-I/Type-II reduction sequence has been applied times.
Theorem 2. For every , let and suppose that has survived at least one update to without being deleted. Then is sufficient to enable a firing sequence in that enables .
Proof. Suppose has been involved in Type-I and Type-II structures over the n reductions and is the surviving place of those reduced structures. By the induction hypothesis, is sufficient to enable a firing sequence in that enables , say . Note that in , and is in a Type-I structure (assuming ), since it is the lone input to and . (To see this, recall that since is performed after , has no Type-II structures.) Let … be this Type-I structure in . On subsequent Type-I reduction, , for , then will be deleted, along with corresponding arcs and arc will be added. Thus, will be sufficient for firing sequence , which marks .
Now, consider () with a Type-II structure , ⋯, where marks , marks ,…, and marks . Suppose we order by decreasing return, , and let be the ordered set. Then, if we let be the component-wise maximum of , it is clear that is sufficient to enable the firing sequence , and thus after the Type-II reduction, for in = ) is sufficient to enable firing sequence in , which enables .
Algorithm 2 uses Type-I and Type-II reductions to compute resource levels sufficient to guarantee quasi-liveness. The algorithm starts with , and for each process place, defines a bounding function, , for each resource. This bounding function is initialized to the resource need of the place. The While loop then updates the bounding function and applies reductions until the net is irreducible, at which point the resource bounds are returned.
| ||||||||||||||||||||||||||||||||||||||||||
More specifically, in the first For loop, the resource bound of the last place of each Type-I structure is updated with the maximum resource usage along the structure. Thus, the resource bound associated with the last place of each Type-I structure will be the number of units of each resource necessary for the subprocess to reach the synchronization transition. After these updates, the net reduction is applied.
After the Type-I reduction, if the net is not irreducible, at least one Type-II structure will be present. For each Type-II structure, say , … , the second For loop first updates the resource bounds of the place in the first path, , as illustrated and discussed above, and then deletes the other places. We note that before the bounds are computed for the Type-II reduction, the places in the Type-II structure are sorted. These sorted sets are saved on a last-in-first-out list and returned by the algorithm since they can be used to construct the serialized sequence which corresponds to the computed bounds. Thus, if the serialized bounds computed by Algorithm 2 are met, a serialized sequence can be easily constructed and, in the strictest sense, enumeration of the reachability graph need not occur. However, some additional enumeration and search might be desirable, since the serialized transition firings limit the concurrency of subprocesses.
Consider Figure 6. The resulting net is obtained after Type-I and Type-II reductions have been applied to the example assembly system of Figure 3. A Type-I structure, , can be further reduced, giving rise to with , and . We now have a Type-II structure: and . Assuming that is a critical resource and hence a sorting key, the Type-II structure is reduced to with . However, if is used as a sorting key and the subprocess is executed first, then the Type-II structure is reduced to having . If , then the first Type-II reduction guarantees quasi-liveness.
We note that it is possible to compute a looser set of resource bounds that guarantees that any precedence feasible sequence of transition firings is resource enabled by replacing the interior of the third For loop with the following statement:
This sum guarantees that the maximum resource needs of the corresponding subprocesses can be met simultaneously, and thus every sequence of transition firings will be resource feasible. Clearly, in this case, enumeration is not required.
4. The Model for the ASU-RAS
This section studies the subclass of systems in where net places have single unit resource need; that is is the subclass of where for all , , where and being the -semiflow in item 5 of Definition A.11 of the Appendix. We refer to this class as the ASU-RAS. For the ASU-RAS, we develop resource capacity bounds for which quasi-liveness is polynomial in the number of places and transitions in the underlying . We also develop a fast method for finding sequences without developing the reachability graph of the underlying .
More formally, we impose the following additional constraints on of .
Definition 6. is the class of nets obtained by placing the following constraints on:(1)for all ,,(2)for all ,(3)for all , then , for , (4)for all , if , then The first constraint says that a subprocess must be allocated a resource for its first processing step. The second says that no more than one unit of one resource type may be requested at a transition. The third says that when a unit of resource is allocated at a transition, all resources held by the requesting subprocesses must be returned. Finally, the fourth says that if a transition does not allocate a resource, then the return must be exactly one unit less than the number currently held (except for transitions in , which release all resources). We have the following lemma.
Lemma 7. For any , the resource need vector is an dimensional unit vector.
Proof. For we consider the following exhaustive cases.Case 1. Suppose for . By (1), , but there must be a path, say , from some . The first transition of the path, , allocates one unit of some resource to the corresponding subprocess. Thus, some transition along must deallocate all resources with no additional allocation. This violates (4).Case 2. Suppose for some . Either these units of are accumulated through at least transitions or they result from insufficient resource release at the firing of a synchronization transition. By (3), when a resource is allocated to a set of requesting subprocesses, all resources held by those subprocesses must be released. Thus, resources cannot be accumulated through consecutive transitions firings. By (4), if no resources are allocated at a transition, the corresponding subprocesses must still return all resources held except one. Thus, for some violates both (3) and (4).Case 3. Suppose . By the logic of Case 2, this is impossible.
Now, for , the reversed subnet, , as defined in Section 3, has splitting (disassembly) but no merging. In the following, we use to develop resource bounds that guarantee quasi-liveness and polynomial sequence enumeration for . Note that in is a disassembly transition in . Let be the set of disassembly transitions in . Note that for , and . If = 1, we refer to as the “disassembly resource.” Let and in , . The set, , collects all the disassembly transitions in that have as the disassembly resource. Since each disassembly utilizes a single resource type, we have when .
For be the set of transitions in reachable from in paths of not containing . Note that for identifies reachable transitions that occur later in the disassembly process. Let = and and note that represents the set of disassembly transitions that use as the disassembly resource but have no reachable transition (without including ) that does the same. That is, these are disassembly transitions, which use , that occur latest in the disassembly process. The following lemma guarantees that the total token count in the set of disassembly operation places requiring is no greater than .
Lemma 8. Given an , if and , for all , then for every marking such that .
Proof. Let be initially marked as given above. Note that is a strongly connected marked graph with every circuit containing the place initially marked with exactly one token. For , there exists a path, from to , say . Note that there exists a circuit passing through , say , such that is a subpath of . For any other , and are mutually unreachable except through paths including . As a result, and are not in a common circuit. This implies circuits passing through elements of . Further note that for , such that ; this implies that and belong to a common circuit. Thus, the number of circuits in which resource is used as a disassembly resource is precisely . By the fundamental property of marked graphs, .
Note that can be quickly and easily computed for each resource and will play an important role in developing an enumeration policy for . Now consider the following lemma.
Lemma 9. Given an , suppose , , for all , and that . Define induced marking as follows: If marking is free of deadly marked siphons, then is free of deadly marked siphons.
Proof. We prove this result by contradiction. Let be a deadly marked siphon in . Then, there will exist another siphon which is deadly marked in and minimal. The structure of implies that the minimal siphons containing place are the circuits of the marked graph, . This observation, when combined with the presumed structure for the initial marking , implies that, for any marking , . But, the construction of implies that does not increase its token content, and, therefore, it constitutes a deadly marked siphon for . The last conclusion contradicts the working assumption and concludes the proof.
The importance of the marking is that its corresponding subprocesses are each strictly SU-RAS for at least one step. That is, any token in is holding one unit of resource and requesting one unit of resource. When the requested unit is allocated, the held unit is released, and the token advances to its next place. The lemma guarantees that if there is no deadlock among the subprocesses of (assuming the reduced resource capacity levels of ), then there is no deadly marked siphon in . We will use this fact along with resource bounds to be computed from the results of Lemma 9 to develop a single step look-ahead enumeration policy for that is polynomial in net size. The policy is as follows.
Enumeration Policy
Let be a firing sequence for such that and suppose is enabled at such that . Admit the extension only if the marking is free of deadly marked siphons.
We note that detecting whether or not a marking has a deadly marked siphon is polynomial in the size of the net and is thus very fast. However, allowing markings only if they are free of deadly marked siphons does not guarantee policy correctness since we may admit markings from which deadly marked siphons are unavoidable. For our purposes, we will define policy correctness as follows.
Definition 10. An enumeration policy is “correct” if for any marking, , admitted under the policy, there exists a sequence of transition firings, , such that(1),(2) for any prefix of , say , where , is admitted under the policy.We, now, are in the position to prove the following.
Theorem 3. For and , let If for , , then is correct.
Proof. Suppose that a marking, , is accepted by . Then contains no deadly marked siphon and thus contains no deadly marked siphon. Note that in , the capacity of every resource is at least 2, . Let be the set of subprocesses in where . is the set of subprocesses at disassembly operations, that is, tokens marking , and is the set of subprocesses not at disassembly.
Case 1. Suppose that in . Since there is no deadly marked siphon in , there is no subset of deadlocked in . Thus, and enabled such that firing allocates a unit of resource to and causes to release a unit of resource .
Now suppose that and that contains a deadly marked siphon. Thus, contains a deadly marked siphon, which implies a deadlock among processes of in . Because of the resource bounds, each deadlocked subprocess of is blocked by at least two other deadlocked subprocesses of .
To summarize, we have the following: (1) has no deadlock among , (2) , (3) allocates a single unit of to and releases a single unit of , (4) has a deadlock among , and (5) every deadlocked subprocess of is blocked by at least two other deadlocked subprocesses of .
It is clear that allocating to causes the deadlock, implying that is a resource involved in the deadlock. Thus, in , at least two units of are allocated to subprocesses in , and in fact, there must be another subprocess requesting at in both and . Allocating to rather than , that is, cannot result in deadlock among processes of . Hence neither nor contains a deadly marked siphon.
Case 2. Suppose that and in . There exist only subprocesses at disassembly operations. Thus, each resource has at least free units, . Sufficient resources are available to fire any transition of . Suppose is enabled in and that contains no deadly marked siphon. To see this, note that if has , then each resource continues to exhibit at least + 2 free units, . If has , then each resource, , , has at least 2 units of free capacity.
Thus, Enumeration Policy guarantees resource-enabled sequences of transition firings that complete the disassembly process, . We are now ready to present Algorithm 3. It starts with in the initial marking and generates a firing sequence that completes the disassembly by using single step look-ahead for deadly marked siphons. The most computationally intensive step is the siphon check, which can be done in polynomial time, no worse than . By Theorem 3, the loop will require no more than iterations, since every iteration will identify an admissible transition, and thus the algorithm is . By returning the reversed sequence, we get the resource enabled assembly sequence for the assembly net, . We note that the termination request computations of Algorithm 1 can easily be implemented in Algorithm 3.
| ||||||||||||||||||||||
As an aside, we note that the converse of Lemma 9 is not true; that is, a deadly marked siphon in does not imply a deadly marked siphon in . In fact, it is easy to illustrate markings which are “safe” in the sense that the firing sequence can be extended to reach but for which the induced marking exhibits a deadly marked siphon and is rejected. Thus, the Enumeration Policy is suboptimal in the sense that it rejects some transition firings that lead to “safe” markings. Further, even when the capacity bounds of Theorem 3 are in place, can exhibit markings with no deadly marked siphon but from which every sequence of transition firings leads to a marking with a deadly marked siphon. Thus, a policy that does single step look-ahead on the unaltered markings of is not correct. Finally, we note that since Theorem 3 applies to disassembly systems, when the specified bounds are in place, quasi-liveness is guaranteed and sequence enumeration is polynomial for the class of disassembly nets .
5. Conclusion
In this paper, we developed models and algorithms for a class of Petri nets that support resource allocation in systems with synchronization and splitting operations. Our focus was on establishing quasi-liveness and enumerating process completing sequences. This is challenging since, for this class of systems, the quasi-liveness problem is NP-complete. Our tenet is that once quasi-liveness is established and a process completing sequence is generated, previously published liveness enforcing supervisors can be used to control the operation of these systems. For the general case, we proposed a breadth-first search algorithm that generates the reachability tree and computes minimal termination requests for each marking. We discussed the complexity of this approach as well as the need for selecting a smaller set of sequences for use in supervision. We then developed two special subclasses that for systems with assembly only, and for each class established that polynomial sequence enumeration is possible if the resource capacities meet certain bounds. The first subclass was assembly with conjunctive resource allocation. For this class, we developed a net reduction algorithm that reduces the net to a minimal form and, in so doing, computes a resource sufficiency bound for “serialized” firing sequences. The second special case was that of assembly with single unit resource allocation. For this class, we developed resource bounds and an enumeration policy that guarantees a process completing sequence in polynomial time. In current and future work, we are addressing liveness enforcing supervision for assembly/disassembly systems with unreliable resources, particularly those subject to degradation.
Appendix
Definition A.11. A G-AMG is a Petri net, such that(1), where;(2), where ;(3)→ satisfies the following:(a) such that → for , and otherwise. Similarly, for , and otherwise,(b)( × ) → and ( × . Similarly, () while (() × ) ,(c)() ( and () (() ;(4)the net generated by is a strongly connected marked graph such that every cycle contains ;(5)for all , and there exists a minimal integral -semiflow, , such that , , and ;(6) is pure and strongly connected. with , for all and , otherwise.