From Petri hypernets to 1-safe nets

From Petri hypernets to 1-safe nets?

Marek A. Bednarczyk1, Luca Bernardinello2

Wies law Paw lowski1 and Lucia Pomello2

1 Institute of Computer Science, P.A.S., Gdansk. Poland2 DISCO, Universita degli Studi di Milano–Bicocca, Milano, Italy

Summary. Petri hypernets offer a formalism suitable for modelling dynamic agentsoperating in hierarchically structured environments. They can manipulate otheragents as tokens, and be manipulated as tokens by other agents at the same time.The hierarchical structure of hypernets is not static in contrast to other models ofmobility based on Petri nets. Agents can exchange tokens with their sub- or super-agents, and thereby change the hierarchy. Hypernets, in the simple form presentedhere, are descriptions of finite dynamic systems. This note explains how each hy-pernet can be seen as a compact representation of a standard Petri net. That is weexhibit a uniform translation that takes a hypernet and returns a Petri net togetherwith a class of 1-safe markings closed under firing, so that the case graph of thelatter is isomorphic to the transition system generated by the set of all admissiblehypermarkings of the former.

Keywords: mobility, hypernets, 1-safe Petri nets, agents

1 Introduction

Petri hypernets were introduced in [3] with the aim to account for mobilityin an intuitive visual framework based on Petri nets.

The issue of mobility arises typically in the context of a system composedof open and autonomous dynamic agents. The agents, software or otherwise,should be capable of an interaction with their environment. This includesinteraction between agents, since each agent is a part of the environment forother agents. The agents should be open in the sense that the interactionmay change their behaviour. The agents should also be able to influence theirown fate by means of autonomous decisions. Mobility, in its simplest form,amounts to changing agent’s current location.? This research has been partially supported by the CATNET project within

CNR/PAN cooperation programme and by MIUR.

2 M. A. Bednarczyk, L. Bernardinello, W. Paw lowski, L. Pomello

Assume there are two disjoint sets, a set of agents and a set of locations.The environment, identified with global state, is given as two binary relationsbetween agents and locations. One relation captures the idea of a locationhosting several agents. The other captures the idea of an agent owning severallocations. These containment relations are many-to-one, i.e., each agent mayoccupy at most one location, and each location belongs to exactly one agent.

One usually requires that the containment relations induce a tree order.The root of the tree is then the unique agent without a location to host it. Thisleads to a natural hierarchy among agents. Interaction among agents resultsin agents moving from one location to another; as a result the hierarchy maychange. Let us see how various known formalisms fit the above principles.

π and other process calculi. π-calculus, see [12], presents a process ori-ented view of a system, i.e., agents are processes of the π-calculus. Agent’sidentity and the locations are implicit, and one line of research is to derivethem from the dynamic semantics. Dynamic evolution of the system amountsto changing its state, i.e., the structure of top level process and its subpro-cesses. As a result some of the processes and their locations, may get killedwhile new are created. The autonomy of agents is limited. Dynamic linksbetween processes are created by means of names, which the processes canexchange. The tree structure of agents is guaranteed—it is the syntactic treeassociated to the process. Similar features are found in mobile Petri nets,cp. [2, 7] and similar models. Alternatively, one considers located π-calculi inwhich a set of abstract locations is given and each process is assigned to alocation.

Ambients. One of the first formalisms for mobility proposed, see [8]. Eachagent, called ambient, determines a boundary that declares what is in it. Thus,an ambient has only one implicit location. The ambient may also containinstructions such as in, out or open. Performing such an instruction changesthe shape of the containment tree. In ambient calculus like in π-calculus namesare used as references to ambients. This allows an agent to determine whereit wants to go itself. This is much stronger form of autonomy than in otherframeworks. The above instructions together with name creation make theambient calculus very expressive.

Nets-within-nets approach. The idea to use nets as tokens of other netshas appeared quite early in the studies of Petri nets, see [14], as a particu-lar instance of higher-level nets. The idea is being applied by Valk and hiscolleagues, e.g., to give a Petri net account of objects, see [15, 11], see also[10].

In nets-within-nets approach an agent is a Petri net, while its locations arethe places of the net. Each agent exclusively owns its places and the ownershiprelation is static. Valk’s approach comes in two forms, with so called referenceand value semantics. In the first case the many-to-one principle does not apply

From Petri hypernets to 1-safe nets 3

to hosting—many places may contain references to the same agent. On theother hand, all such references may travel among places of a single net. Thus,a tree-like containment of nets is guaranteed. The value semantics adheres tothe many-to-one principle of hosting. But in this case one cannot easily dealwith agent’s identities, since each splitting results in agent duplication. Withboth semantics the sub-agent tree is static.

Petri hypernets. Petri hypernets offer another ramification of the nets-within-nets approach. Agents can exchange tokens with their sub- or super-agents, which may change the agent hierarchy, like in the ambient calculus.Unlike in the ambient calculus, however, the hierarchy limits the autonomyof agents in hypernets. Here, the destination of an agent is determined by itssuper-agent. In hypernets the agents are structured as composition of modules.The state machine shape of the modules guarantees preservation of agent’sidentity. Consequently, it was possible to develop a logic in which the dynamicand structural properties of individual agents can be expressed and model-checked, see [5].

Hypernets, in the simple form studied here, are succinct descriptions offinite dynamic systems. The autonomy of our agents is more limited thanthat of ambients. Hypernet formalism offers two modularisation mechanismsin the form of the modular structure of agents, and the hierarchy of agents.Unlike in other approaches the hierarchy of agents may dynamically evolve.

This note explains how each hypernet can be seen as a compact repre-sentation of a standard Petri net. That is we exhibit a uniform translationthat takes a hypernet and returns a Petri net together with a class of 1-safemarkings closed under firing, so that the case graph of the latter is isomorphicto the transition system generated by the set of all admissible hypermarkingsof the former. Moreover, we demonstrate that the S-invariants ([13]) of theresulting net capture some structural properties of agents in the hypernet.

To convey the ideas we consider a running example specified by the fol-lowing plain language description, see also [1].

Example 1 (Airport example). The task is to model an airport in which thereare two sorts of objects handled: travellers and planes. The planes arrive fromoutside the airport by performing the landing action. Upon landing each planemay wish to dispose of its passengers by engaging in deplane action with theairport, or it may be refueled and moved to the boarding gate. While at theboarding gate it may engage with the airport in boarding travellers, or it may besent away by performing the take-off action. As a result of deplaning action atraveller on board leaves the plane and enters the airport. Conversely, boardingaction moves a traveller from the airport to the plane. It is required that aplane undergoes refueling only when there are no travellers on board.

The rest of the paper is structured as follows. In Section 2, the definition ofhypernets is recalled, both with the help of the running example, and formally.Section 3 is devoted to the translation of hypernets into 1-safe nets, together


with some considerations on the meaning of certain place-invariants of the netswe obtain, and on some consequences of such translation. Finally, Section 4draws our conclusions and indicates directions of future developments.

2 Petri hypernets — a definition

In the sequel the definition of Petri hypernets given in [3] is presented in anew, hopefully better structured form. Hypernets are presented here in twostages, just as the usual Petri nets. First, we explain the structure, then weintroduce the idea of marking and of change of marking.

2.1 The static structure of Petri hypernets

A hypernet is a set of agents; agents are made of modules. Modules are mod-elled by state-machine nets, so an agent can be seen as the synchronous prod-uct of its modules. Each agent and each module is of a specific sort (see Def. 1and Def. 3); the sort of a module determines which agents can be hosted inits places (locations).

Definition 1. Let Σ be a finite set of sorts. A module of sort α (α-module)is a, possibly empty, finite Petri net N = (PN ∪ IN ∪ON , TN , FN ), where PN

is the set of local places (or locations), IN ⊆ { ? } ∪ { ?β | β ∈ Σ, β 6= α },ON ⊆ { ! } ∪ { !β | β ∈ Σ, β 6= α } are the sets of communication places(input and output ports, respectively), TN is the set of transitions, and FN ⊆((PN ∪ IN ) × TN ) ∪ (TN × (PN ∪ ON )) is the flow relation. We assume thatPN ∩ IN = ∅, and PN ∩ON = ∅ and |pre(t)| = 1 = |post(t)|.

Definition 2. A (mobile) agent is an indexed set A of modules, that is A ={Nα |α ∈ Σ }, where Nα is an α-module, Pα

A ∩PκA = ∅ whenever α 6= κ, and

the following structural consistency condition among agent’s modules holds:

FαA(?β, t) ∨ Fα

A(t, !β) implies ∃p ∈ P βA such that F β

A(p, t), (1)

where PαA , Tα

A and FαA , denote local places, transitions and flow relation of an

α-module of A, respectively.

At first it looks as if the assumption that an agent is a synchronous productof state machines limits the expressive power of the framework. However, anyelementary net can be replaced by an equivalent net that is a synchronousproduct of state machines, see [6]. The same holds for 1-safe Petri nets, see [4].

Let PA =⋃{Pα

A | α ∈ Σ } and TA =⋃{Tα

A | α ∈ Σ } denote the sets oflocal places and transitions of A, respectively. Modules can share transitions:the occurrence of the same transition in several modules is used for theirsynchronisation.

When all the modules comprising an agent are the empty net, that agentbehaves like an unstructured token in a basic net.


Ports ? and ! serve to communicate with agent’s current super-agent, ifthere is one. Those of the form ?β and !β serve to communicate with agent’ssub-agents located in its β-module. In the sequel we shall see that the twokinds of ports are complementary to each other. For instance, an agent willbe ready to perform action t with Fα

A(?β, t) provided it contains in its β-module a sub-agent ready to perform t with Fα

A(!, t), and vice versa: an agentwill be ready to perform action t with Fα

A(t, !β), provided it contains, in itsβ-module, a sub-agent ready to perform t with Fα

A(t, ?). This idea is capturedin the sequel by the notion of consortium.

Condition 1 in Def. 2 is visualised on Fig. 1. It deals with communicationof an agent with its tokens. Assume that the α-module of the agent containstransition t with either an input port ?β or an output port !β. Such inputand output ports are represented as circles on the input and output links,respectively. Then Condition 1 asserts that the β-module must contain tran-

t

tp

α:

β:

t

ptβ:

α:

Fig. 1. Structural consistency between modules of an agent.

sition t, and the precondition of t in β-module must be a local place. Thus,the consistency of a request by α-module to receive something from below, orsend down to an agent in the β-module can be locally verified by looking atthe agents in the local place p such that F β

A(p, t). The condition supports theconvention to draw Fα

A(?β, t) and FαA(t, !β) as links between the occurrence

of t in the α-module and the input and output arcs of t in the β-module.For any agent A and any t ∈ Tα

A let preαA(t) and postαA(t) denote the (nec-

essarily unique) input and output of t in the α-module of A, respectively. Notethat preα

A(t) and postαA(t) can be either local places or communication ports.We have already remarked that the communication ports with sub-agentsare represented as circles, or lassos, on the input and output links. Intendedcommunication with super-agents is graphically represented by broken linehalf-circles, as shown in Fig. 2.

Airport example (cntd.) A hypernet suitable for dealing with our exam-ple should contain at least three sorts: sort π for handling planes, sort τ forhandling passengers and α for the airport. Fig. 2 describes an airport agentwhich consists of two non empty modules. The π-module for plane handlinghas elaborate structure. It has actions deplane and board for deplaning and


lgland refuel take−offbg

boarddeplane

l

A

π:

τ :

Fig. 2. Structure of an airport agent.

boarding passengers from planes. The purpose of action refuel is evident, butlet us stress that it also transfers the plane from landing gate lg to board-ing gate bg . The remaining actions land and take-off use ports ? and ! forcommunication with the (implicit) higher level agent—governor of the airport.Such ports are visualised as half-circles. Here, the idea is that the governormight provide the airport with new airplanes by also engaging in action land .It should also take over the planes scheduled to leave the airport by engagingin action take-off .

The τ -module for traveller handling has two actions: deplane and boardfor deplaning and boarding passengers, respectively. The module has one localplace and two ports: ?π and !π. The first port serves to retrieve passengers froma plane while performing action deplane, the other is to put them on-board aplane while performing board . The ports explicitly refer to the π-module asthe source/target of communication.

Condition (1) in Def. 2 is satisfied by the airport agent. We have alreadyremarked that in the traveller handling module depicted on Fig. 2 the input port?π of deplane transition facilitates the retrieval of passengers from a plane.That means that a π-token, i.e., a token of sort plane, must be involved inthis action as a source of travellers. Condition (1) guarantees that transitiondeplane is present in the π-module of the airport, and that this preconditionis a local place, here lg , where such a plane may be found. The other instanceof (1) ensures that a plane into which transition board directs travellers hasto be found in a local precondition bg of board in the π-module of the airport.

Definition 3. A Petri hypernet is a finite family N of agents together withsorting, i.e., a function σ : N → Σ that assigns to each agent its sort.


It is assumed that the agents in N have mutually disjoint sets of local places.Thus, any place p ∈ PN =

⋃{PA |A ∈ N } can be assigned its sort σ(p) = α

where α is the sort of a module of the (unique) A ∈ N , such that p ∈ PαA .

2.2 Transitions in Petri hypernets.

This almost ends the presentation of the static structure of hypernets. Themissing thing is the explanation of what are the transitions of hypernets.

Suppose t ∈ TA is a transition of agent A. Then A in a given state canperform t only if all its α-modules such that t ∈ Tα

A can perform t. This meansthat we assume inter-module synchronisation on common transitions.

Let us concentrate now on a single α-module of A such that t ∈ TαA . If the

input and output places of t in the module are locations (that is, local places),then in order to perform t it is enough to find a token in preα

A(t) and move it topostαA(t). Otherwise, preα

A(t) or postαA(t), or both, are communication ports.Then inter-level synchronisation between agents should take place either tofind the source of communication, or its target, or both.

Flow of communication. The task now is to describe how a group ofagents, called consortium, should cooperate with each other to ensure thattogether they can execute a transition t. Whereas the inter-module synchro-nisation is static in nature, the inter-level is not—it depends on the evolvingdistribution of agents among locations. Thus, the ability to fire a transitionhas to take into account possible relative positions and communication linksamong the members of a consortium. This is achieved in a pairwise fashion, solet us start by considering the case of two agents A and A′ helping each other

��

��

��

��

(2)(1)

t

t t

t

t t

A’ A

A A’

β:

α:

β:

α:

α: α:

Fig. 3. A Bα A′ — two instances of inter-level communication flow from A to A′.

to perform transition t by establishing a communication link for α-tokens flow


from A to A′, notation A Bα A′. The idea is presented on Fig. 3. The leftpart of Fig. 3 describes the case of agent A′ trying to input something fromits token A. So, this is an up α-flow from A to A′. The case of a down α-flowfrom A to A′ is represented on the right of Fig. 3.

The existence of an α-flow requires that two conditions are satisfied.

Proximity: The agents should be close one to another. Formally, one shouldbe a token in a local precondition of t of the other agent. In terms ofFig. 3 we see on the left agent A in the local input place of t of A′ in theβ-module. On the right the situation is opposite. The term “proximity”here relates to the inter-level proximity only. In particular, two agentslocated in the same place are not considered to be close.

Matching: Each agent should match the communication request of the other.Agent A of sort β on the left of Fig. 3 is interested in sending somethingup on the α-module to its super-agent A′. The latter has complementaryexpectations: to take an agent of sort α from one of its tokens in preβ

A′(t).A dual flow, with an agent trying to send something down to one of itstokens is presented on the right of Fig. 3.

Airport example (cntd.) On Fig. 4 the airport agent was filled with twoplane agents P1 and P2, and also with two traveller agents T1 and T2. Itshould be clear that P1 Bτ A and A Bτ P2 hold.

It is time now to generalise the above to consortium, i.e., to a set of inter-connected agents, each capable of performing t, and supporting other membersof the team in doing so, provided the others are also willing to cooperate inthat way.

Let us start by considering a triple Γ = (t, T , ξ), where t is a transition,T is a set of active agents, and ξ is a function, which assigns passive agents(tokens) to input places of instances of t in T . More formally

• t ∈ TN =⋃{TA |A ∈ N } is a transition of N .

• T ⊆ {A ∈ N | t ∈ TA } is the set of active agents of Γ .• In(Γ ) = PN ∩

⋃α∈Σ{ preα

A(t) |A ∈ T } is the set of local inputs of Γ . andlocal outputs

• Out(Γ ) = PN ∩⋃

α∈Σ{ postαA(t) |A ∈ T } is the set of local outputs of Γ .• ξ : In(Γ ) → N is an injective function such that σ(ξ(p)) = σ(p) for each

input place p of t in T .• Tξ = { ξ(p) | p ∈ In(Γ ) } is the set of passive agents of Γ . Note that an

agent can be active and passive at the same time.• ↑ : Tξ → T is defined by A′ ↑= A iff ξ(p) = A′ for some p ∈ PA. Thus,

A′ ↑= A whenever A′ is chosen by ξ as a token for some of the local inputplaces of t in A.


Consider agents A,A′ ∈ T . Then, as explained on Fig. 3, there is an α-flowfrom A to A′ in Γ , written A Bα A′, if one of the following conditions issatisfied.

1. postαA(t) = ! ∧ ξ(preβA′(t)) = A ∧ preα

A′(t) = ?β.2. postαA(t) = !β ∧ ξ(preβ

A(t)) = A′ ∧ preαA′(t) = ?.

Finally, we are ready to define the notion of consortium.

Definition 4. A triple Γ as above is a consortium provided the following hold.

1. T is non-empty.2. A ∈ T and Fα

A(?, t) implies A ∈ Tξ ∧ A↑Bα A3. A ∈ T and Fα

A(t, !) implies A ∈ Tξ ∧ A Bα A↑4. A ∈ T and Fα

A(?β, t) implies ξ(p) ∈ T ∧ ξ(p) Bα A, where p = preβA(t)

5. A ∈ T and FαA(t, !β) implies ξ(p) ∈ T ∧ A Bα ξ(p), where p = preβ

A(t)6. The undirected graph (T ,

⋃α∈Σ Bα) is connected.

Most of the conditions have a simple justification. Condition 1 says that atleast one active agent has to be involved. Conditions 2-5 stipulate that mem-bers of T provide matching communication capabilities for other members ofthe group. Finally, condition 6 says that T is a minimal such group of agents.

Airport example (cntd.). Let us consider airport agent from Fig. 2 to-gether with two airplane agents P1 and P2, and two passenger agents T1and T2. The plane agents have a very simple structure. It consists of just onenon empty module for traveller handling. A plane is always ready to accept anew passenger from its superior, and always ready to dispose of any passen-gers that are on-board. Traveller agents are unstructured tokens. The grouptogether with two consortia is depicted on Fig. 4. One consortium involvesdeplane and agents A and P1 as active agents. The local input places of theseagents are lg and c1 . The passive token agents chosen for these places areP1 and T1, respectively. Note that P1 is both active and passive. This meansthat it will move a token, here T1, and be moved as a token at the same time.There is one flow involved in this consortium, namely P1 Bτ A.

Another consortium involves board and agents A and P2 as active agents.The local input places of these agents are bg and l . The passive token agentschosen for these places are P2 and T2, respectively. The only flow involvedis A Bτ P2.

Chains of flow. A consortium Γ = (t, T , ξ) is a minimal group of verticallyinterconnected agents which together can change the state of the hypernet bymoving some agents from one location to another. To implement this idea weneed to know which agents to move and also their initial and final locations.Intuitively, agents in T move those in Tξ. The initial locations of token agentsTξ is given by ξ−1. So, there is just one problem, find their final locations.


��

��

��

��

��

��

��

��

deplane

deplane

deplane

land

board

take−offlg bg

boardc1

boardc2

l

refuel

T2

A

P2

P1

T1

π:

τ :

τ :

τ :

Fig. 4. Consortia—inter-level communication flow.

The ability to find such unique locations stems from conditions 2-5 ofDefinition 4. The mechanism involved is explained by means of a generalisationof the notion of α-flow among the members of consortium Γ . An α-chain offlow in Γ is a finite non-empty sequence c = A1 . . . An of agents from T , suchthat AiBαAi+1 for 1 ≤ i < n. Let pre (c) = preα

A1(t) and post (c) = postαAn

(t).The first observation is that chains of flow which end in a communication

port can always be extended. Moreover, the extension is uniquely determined.

Lemma 1. Let c = A1 . . . An be an α-chain in Γ , n ≥ 1.

• if postαAn(t) /∈ PAn then there exists a unique agent A in T such that

An Bα A• if preα

A1(t) /∈ PA1 then there exists a unique agent A in T such that ABαA1

Proof. Immediate by conditions 2-5 of Definition 4. ut

The above leads to the following characterisation of α-chains in which thesame agent occurs twice.


Lemma 2. Let c = A1A2 . . . An be an α-chain in Γ and n ≥ 2. If A1 = An

then c′ = cA2 is also an α-chain in Γ and so is c′′ = An−1c.

Proof. Immediate by Lemma 1. ut

Since all sets of agents are finite in our framework it follows that any suffi-ciently long chain contains a repetition of an agent. This has the followingconsequence.

Proposition 1. Let Γ = (t, T , ξ) be a consortium. For any agent A ∈ T suchthat preα

A(t) is a location there exists a unique chain c = A1 . . . An such thatA = A1 and postαAn

(t) is a local place as well.

Proof. Put c = A1 = A. If postαA1(t) is local we are done. Otherwise, by

Lemma 1 we can keep extending c to the right either until the last elementof the chain has a local α-output of t, or indefinitely. In the first case we aredone. But the other is impossible. Assume, to the contrary, that we can keepextending this chain forever. So, one of the agents must occur twice. Thus, byLemma 2, we can start indefinitely extending the chain to the left in a uniquefashion—which contradicts assumption that preα

A1(t) is a local place. ut

It is immediate to notice that the same argument works for the converse.That is, given an output place of Γ one can start building a chain of flowwhich will lead to a corresponding input location. The following result followsimmediately by Prop. 1.

Proposition 2. Each consortium Γ = (t, T , ξ) induces a sort-preserving bi-jection trgΓ : In(Γ ) → Out(Γ ) where trgΓ (p) = q iff there is a κ-chain offlow c in Γ , where κ = σ(p), such that p = pre (c) and q = post (c).

2.3 The dynamics of Petri hypernets

Let us define now the dynamics of a hypernet H = (N , σ). In hypernets thelocations of an agent are distributed among its modules. Hence, the state of ahypernet is uniquely defined as a many-to-one correspondence between agentsand locations, cf. [3].

Definition 5. The state of a hypernet, called hypermarking, is a sort-preservingpartial function µ : N → PN . A consortium Γ = (t, T , ξ) is enabled at a hy-permarking µ, notation µ[Γ 〉, if µ(ξ(p)) = p for all p ∈ In(Γ ). A consortiumΓ enabled at µ can fire, yielding a new hypermarking µ′ defined as follows.

µ′A ={

trgΓ (µA) A ∈ Tξ

µA A /∈ Tξ

Consider a hypernet (N , σ) with an initial hypermarking µ. Then its hyper-case graph has hypermarkings reachable from µ as states and transitions cor-responding to firing consortia.


2.4 Tree-type hypermarkings

Each hypermarking µ induces an agent containment relation. Let ≤µ be thereflexive and transitive closure of the set of all pairs (A′, A) of agents from Nsuch that µA′ ∈ PA. A hypermarking µ is said to be tree-type if (N ,≤µ) is atree-type partial order.

The dynamics of hypernets was defined without assumption that hyper-markings are tree-type. Nevertheless, since practically all approaches to mo-bility are based on the assumption that the agent containment is tree-type,we also consider this issue here. The following result states that we also canrestrict our attention to tree-type hypermarkings.

Theorem 1 (cf. [3], Prop. 1). The class of tree-type hypermarkings of ahypernet is closed under firing.

This result is not evident when one considers the nature of firing a consortium.In general it amounts to the simultaneous movement of several agents alongthe associated chains of flow between various locations. If arbitrary simulta-neous tree rewritings are allowed it is easy to obtain loops of the containmentrelation. Theorem 1 states that the kind of rewriting allowed in hypernetsdoes not introduce loops.

2.5 Examples

Boarding and deplaning passengers Our first example demonstratesthe effect of an inter-level communication between agents. The left part of

� � � � � � � � � � � � � � ��

� � � � � � � � � � � � � � ��

� � � � � � � � � � � � � � � � � � � � ��

� � � � � � � � � � � � � � � � � � � � ��

� � � � � � � � ��

� � � � � � � ��

� � � � � � � � � � � � � � � � � � � � � ��

� � � � � � � � � � � � � � � � � � � � � ��

� � � � � � � � � � � � � ��

� � � � � � � � � � � � � � � � � � � ��

� � � � � � � � � � ��

� � � � � � � � ��

� � � � � � � � ��

ll

P1 T2

T1

P2

A

P1 T2

T1

P2

A

Fig. 5. T2 is boarding plane P2

Fig. 5 shows a situation at the airport as described in Section 2.2, with twoconsortia—corresponding to the deplane and board actions respectively. Thelatter consists of a plane P2 and the airport A as active agents and a traveller


T2 as a passive token. As a result of firing the consortium the passenger T2is moved from the passenger’s lounge (place l) to the plane and vanishes fromthe level of the airport. The new situation is depicted in the right part of theFig. 5.

Let us consider two marked hypernets, both involving three agents, seeFig. 6. The difference between them is that agents A and B demand inter-

��

��

��

��

C

B

A

t

tβ:

α:

��

��

��

��

A

C

B

t

t

t

t

q

α:

γ:

β:

γ:

Fig. 6. Two hypernets

level synchronisation while performing transition t in the hypernet depictedon the right, but there is no such requirement in the other hypernet.

Two independent consortia. A possible evolution of the hypernet de-picted on the left of Fig. 6. is shown on Fig. 7. One consortium picks theagent B as an active token that moves a passive agent C. Another picks A asan active token that moves a passive agent B. Intuitively, these two consortiaare independent, even though transitions with the same name are fired in bothcases.

The idea of independence can be formulated now as follows. Two consortiaare independent if their sets of passive agents are disjoint. One can fire suchindependent consortia concurrently.

In our case, since both consortia relate to the same transition, in principlewe could take their union. Thus, A and B would be active, and B and Cwould be passive. Note that the union would satisfy all the conditions fromthe definition of consortium, except condition 6.


��

��

��

��

��

��

��

��

��

��

��

��

� � � � � �

��

��

��

A

B

C

A

B

C

A

B

C

A

B

C

Fig. 7. Firing two independent consortia

Inter-level synchronisation without token exchange. Let us considerthe possible evolution of the hypernet depicted on the right of Fig. 6. Theevolution is shown on Fig 8. This time agent A cannot move its token B

��

��

��

��

��

��

��

��

��

��

��

��

A

B

C

A

B

C

A

B

C

t’

Fig. 8. Inter-level synchronisation via short loop.

initially. It has to wait for B to participate in such a synchronous move.The consortium which is responsible for the second move on Fig 8. does notinvolve any agent being passed between A and B. The mutual expectationsof the agents result in a short loop, i.e., a pure inter-level synchronization oftransitions. Note that this synchronization can only occur between agents onadjacent levels of the hierarchy.

3 From hypernets to 1-safe Petri nets

In this section we show that the semantics of Petri hypernets can be providedby 1-safe Petri nets, cf. [13]. The construction is done in two stages.

First, to each hypernet H = (N , σ) we associate an unmarked Petri netNH .


Second, to each hypermarking µ of H we associate a 1-safe marking Mµ

of NH in such a way that the dynamic evolution of H from µ is isomorphicto the dynamic evolution of NH with Mµ as an initial marking.

3.1 Structural expansion of Petri hypernets

Let H = (N , σ) be a hypernet. Define NH = (B,E, F ) as follows.

• conditions B = { 〈 p, A 〉 | σ(p) = σ(A), A ∈ N , p ∈ PN }The intended meaning: place 〈 p, A 〉 represents the condition that in thehypernet the agent A is at place p.

• events E is the set of all consortia Γ = (t, T , ξ) of H.• flow relation F ⊆ B×E∪E×B. With Γ = (t, T , ξ) it is given as follows.

F (〈 p, A 〉, Γ ) iff p ∈ In(Γ ) and ξ(p) = AF (Γ, 〈 p, A 〉) iff p ∈ Out(Γ ) and ξ(trg−1

Γ (p)) = A.

Thus, each location of H is modeled in NH by a number of copies, one for eachagent of an appropriate sort. Consortia become transitions of the resulting net.Each consortium contains detailed information about the active and passiveagents involved and, as explained in Prop. 2, about the source and the targetlocations for each passive agent. This is simply restated by the definition offlow of NH .

Airport example (cntd.). We shall now demonstrate, using our leadingexample, how the expansion works. Let us consider a hypernet consisting ofthe airport, two airplanes and two passengers with the sorting defined in anobvious way (see Fig. 4). The corresponding expansion (do not pay attentionto the marking yet) is depicted on Fig. 9.

On the basis of the example the following observation should be made.First, the expansion does not reflect the ability of the airport agent to

communicate with its unspecified super-agent. It simply cuts such unmatchedlinks.

Second, the modular structure of the hypernet is reflected by the structureof the basic net obtained by expansion in the following sense.

The set B of conditions can be partitioned into disjoint sets BA ={ 〈 p, A 〉 ∈ B | A ∈ N } and the subnet of NH generated by any such setis a state machine component of the whole net NH . Each component modelsall the possible locations in which an agent A, seen as a single token, canbe and all the possible changes of location (events) it can do. Some of theseevents are synchronous interactions with other agents. Each event of NH isbalanced, with the same number of input and output places.

The hypernet presentation is much more concise than the equivalent 1-safe net expansion. To see this let us consider the airport example again.Now, let us see how the complexity of the hypernet and its expansion changeswhen the number of traveller and plane agents varies. The addition of a new


agent increases the complexity of the hypernet by a constant. Thus, addingk agents will increase the size of the marked hypernet linearly, i.e., by k · Cα

for some constant Cα depending on the class of agents. Let C be the size ofthe hypernet representation airport with one plane and one traveller agent,and let C ′ be the size of its expansion. Adding m plane agents and n travelleragents will increase the size of the hypernet to C +m ·Cπ +n ·Cτ . An analysisof the expansion depicted on Fig. 9 shows that this will lead to a net of sizeO(m · n · C ′).

3.2 From marked Petri hypernets to 1-safe Petri nets

Given a hypermarking µ defined on N we define marking Mµ on the corre-sponding Petri net as follows.

〈 p, A 〉 ∈ Mµ iff µ(A) = p (2)

Proposition 3. The hyper-case graph of a marked hypernet is isomorphic tothe case graph of the corresponding Petri net, which is 1-safe.

Proof. Consider the set of markings of NH of a hypernet H given by (2).Every marking Mµ is 1-safe by construction. Note that Mµ = Mν iff µ = νfor arbitrary hypermarkings µ, ν of H. Moreover, µ[Γ 〉ν implies Mµ[Γ 〉Mν

and Mµ[Γ 〉M implies µ[Γ 〉, let ν be such that µ[Γ 〉ν, hence Mµ[Γ 〉Mν . Thus,the result follows immediately since the formula (µ[Γ 〉 iff Mµ[Γ 〉) holds byconstruction for an arbitrary consortium Γ of H. ut

The marked hypernet from Fig. 4 gives rise to the marking depicted onFig. 9 in the expanded version.

(c2,T2) (l,T2)

(bg,P2) (lg,P1)

deplane

deplane

(c1,T2)

deplane

deplane

(lg,P2)(bg,P1)

boardboard

board board

(l,T1)(c2,T1) (c1,T1)

Fig. 9. Expanded marked hypernet from Fig. 4

The blow-up of the size induced by expansion has some limitation if onetakes into account another measure of complexity, namely the size of the


hyper-case graph. By Prop. 3 it follows that the hyper-case graph of thehypernet and the case graph of its expansion are isomorphic. Yet, the sizeof the hyper-case graph is O(2n log n) where n is the size of the hypernets,see [5]. Since the case graph of a 1-safe net of size m is O(2m) it followsthat even if the expanded hypernet is large, then its case graph cannot betoo big. But one has to keep in mind that we talk about (hyper)nets withreachable (hyper)markings, whereas the structural expansion usually createsthe expansion which has many unreachable places and transitions. The exactrelationship remains to be investigated.

3.3 Potential applications of the expansion

Hypernets allow the designer to use a concise, and hopefully more naturalnotation for features related to the mobility of agents. The translation ofhypernets into 1-safe nets shows that hypernets are well rooted in the standardtheory of Petri nets, with its precise semantics, expressed in terms of a basickind of nets.

Besides this foundational aspect, the translation allows us to apply the richset of techniques and algorithms developed over the years for analyzing 1-safenets (see, for example, [9, 13]). Among them, we find algorithms to checkliveness, reachability of a place or of a marking, fairness properties, and soon. The family of methods based on the computation of place- and transition-invariants can then be applied in order, for instance, to check safety propertiesof a hypernet.

The actual effectiveness of these techniques obviously depends on the costof the translation, and on the size of the 1-safe net one obtains, as alreadydiscussed. These costs should be compared to the cost of computing the tran-sition system of the hypernet, and checking properties on it, cf. [5].

The 1-safe net associated to a given hypernet H contains, by construction,some specific place-invariants which correspond to the structural componentsof the hypernet. Given an agent A, the set of places { 〈 p, A 〉 | σ(p) = σ(A) }is a place-invariant; it contains all places where the agent can be potentiallyhosted. Since no token corresponding to some other agent can be put in theseplaces, and A is unique, this is actually an invariant with value 1. For any sortα ∈ Σ, the set { 〈 p, X 〉 | σ(p) = α = σ(X) } is a place-invariant. It consists ofall places derived from places in all the α-modules in the hypernet; this set ispopulated by the agents of the same sort, whose number is fixed, since agentscannot be created nor deleted.

An example of a more interesting, although very simple, place-invariantcan be shown on a modified version of the airport model shown before.

In this variant, we add a place in the airport, representing a refuellingstation, where planes are refuelled after landing, and before moving to theboarding gate.

The airport modified in this way is shown in Fig. 10. When a plane is at therefuelling station, no passenger should be on board. This constraint is enforced


��

��

deplane board

l

land lg to_rf rf to_bg bg take−off

π:

γ:

τ :

Fig. 10. Airport

by changing the structure of a plane, as shown in Fig. 11. (To simplify theexample, we assume that a plane contains just one seat.) Two modules havebeen added. Module ι keeps track of the state of the plane by distinguishinga ‘critical state’, dng , in which either some passenger is on board or the plane

��

��

cabin

to_rf

sf

deplaneboard

dng

to_bg

OneSeater

τ : γ:

ι:

Fig. 11. One seater plane

is in a dangerous area (for instance, the refuelling station), and a ‘safe’ state,sf . The only token flowing in this module is an empty agent.


Module γ is used to enforce interaction between a plane and the airportmanager when approaching or leaving the refuelling station; unlike in the pre-vious version, now a plane must, so to speak, give its consensus to refuelling,and will refuse to do so if some passenger is still on board.

In this example, we assume that there are four agents: the airport, oneplane P , one passenger T , and one ‘controller’ C, living in the ι module of P(this agent can never leave that module, as the figure shows).

Assume that in the initial hypermarking the plane is at the landing gatelg , its controller is in place dng , and the passenger is aboard (place cabin).

Consider now the translation of this hypernet into a 1-safe net, part ofwhich is shown in Fig. 12. This net contains the place-invariant {(sf , C), (rf , P ),

��

��

��

��

��

��

(rf,P) to_bg (bg,P)to_rf

board

(lg,P)

(dng,C)

(sf,C)

deplane

(l,T) (cabin,T)

Fig. 12. One seater plane

(cabin, T )}. Notice that this invariant contains places from three differentmodules in two agents. Detecting such invariants by looking at the hypernetis by no means trivial. The value of this invariant in the initial marking, hencealso in any reachable marking, is 1. From this, we deduce that when P is beingrefuelled, no passenger is in its cabin. For such a simple example, the sameproperty could have been easily shown by an ad hoc argument using directlythe structure of the hypernet, but for more elaborate models, computing placeinvariants can help in proving specific safety properties.

4 Conclusions and future work

Petri hypernets were introduced inside the nets-within-nets paradigm by theauthors in [3] as a visual framework suitable for modeling mobility of agents.The paper explains Petri hypernets by giving their semantics in terms theirtranslation into 1-safe Petri nets.


The main characteristics of the model are the following. There is a fixedamount of individual agents. Each agent is modeled by a net and can manip-ulate other agents as tokens, while being manipulated as token by anotheragent at the same time. The net-within-net approach yields a hierarchy ofagents.

Each agent has assigned its sort. Each agent has its net structure explicitlydecomposed into a sorted family of state machine modules. A module of sort αdescribes how the agent handles tokens of sort α. The state machine structureof modules ensures that agents are neither created nor destroyed.

The hierarchical structure of hypernets is not static. Agents can exchangetokens with their sub- or super-agents and thus the hierarchy changes. Thisfeature is peculiar to our model and is not considered in other net basedapproaches.

Hypernets are structured and succinct description of finite dynamic sys-tems. Each hypernet can be uniformly expanded into a net so that its hyper-case graph is isomorphic to the case graph of its expansion.

This translation not only shows that hypernets are well rooted inside thetheory of Petri nets, it also allows us to reinterpret on hypernets all the prop-erties of the model one can derive on the 1-safe net by means of the techniquedeveloped in the literature for this basic net model, e.g., as suggested in theprevious section by means of S-invariants.

The individual token semantics (each agent is identifiable) is another dif-ference between hypernets and other models. The choice of this semanticsleads to a logic in which the dynamic and structural properties of agents canbe expressed and model checked as proposed in [5]. There is already a sim-ple editor-simulator of hypernets which has recently been extended with amodel-checker for the logic proposed in [5].

Some extensions of the model are under consideration. In the present def-inition two agents at the same location cannot interact with each other. Weplan to relax the definition of consortium in order to allow such interactions.We would also like to consider the possibility of creating and deleting agentswhile maintaining a precise semantics inside net theory. We are investigatingsynchronous product of hypernets as a way to incorporate multi-facet view ofsystems. We plan to investigate how invariants and other techniques can bedefined directly on hypernets.

References

1. P. Andrade and P. Baldan, H. Baumeister, et al. AGILE: Software architec-ture for mobility. In M. Wirsing, D. Pattinson, and R. Hennicker, editors,Recent Trends in Algebraic Development Techniques. 16th International Work-shop WADT 2002, Frauenchiemsee, Germany, September 24-27, 2002. RevisedSelected Papers, volume 2755 of LNCS, pages 48–70. Springer-Verlag, 2003.

2. A. Asperti and N. Busi. Mobile Petri nets. Technical Report UBLCS-96-10,Lab. for Computer Science, University of Bologna, Italy, 1996.


3. M. A. Bednarczyk, L. Bernardinello, W. Paw lowski, and L. Pomello. Modellingmobility with Petri hypernets. In J. L. Fiadeiro, P. D. Mosses, and F. Orejas,editors, Recent Trends in Algebraic Development Techniques. 17th InternationalWorkshop WADT 2004, Barcelona, Spain, March 27-30, 2004. Revised SelectedPapers, volume 3423 of LNCS, pages 28–44. Springer-Verlag, 2005.

4. M. A. Bednarczyk and A. M. Borzyszkowski. On concurrent realization ofreactive systems and their morphisms. In H. Ehrig, G. Juhas, J. Padberg, andG. Rozenberg, editors, Unifying Petri Nets, volume 2128 of Lecture Notes inComputer Science, pages 346–379. Springer, 2001.

5. M. A. Bednarczyk, W. Jamroga, and W. Paw lowski. Expressing and verifyingtemporal and structural properties of mobile agents. In L. Czaja, editor, Proceed-ings of the Concurrency, Specification and Programming Workshop CS&P’05,pages 57–68, 2005.

6. L. Bernardinello. Synthesis of net systems. In M. A. Marsan, editor, Applicationand Theory of Petri Nets, volume 691 of Lecture Notes in Computer Science,pages 89–105. Springer, 1993.

7. N. Busi and L. Padovani. A distributed implementation of mobile nets as mobileagents. In M. Steffen and G. Zavattaro, editors, FMOODS, volume 3535 ofLNCS, pages 259–274. Springer, 2005.

8. L. Cardelli and A. D. Gordon. Mobile ambients. In Foundations of SoftwareScience and Computation Structures: First International Conference, FOSSACS’98. Springer-Verlag, Berlin Germany, 1998.

9. J. Esparza. Decidability and complexity of Petri net problems - an introduction.In Reisig and Rozenberg [13], pages 374–428.

10. K. Hoffmann, H. Ehrig, and T. Mossakowski. High-level nets with nets andrules as tokens. In G. Ciardo and P. Darondeau, editors, ICATPN, volume 3536of LNCS, pages 268–288. Springer, 2005.

11. M. Kohler, D. Moldt, and H. Rolke. Modelling mobility and mobile agents usingnets within nets. In W. van der Aalst and E. Best, editors, Applications andTheory of Petri Nets 2003, Proceedings, volume 2679 of LNCS, pages 121–139.Springer-Verlag, 2003.

12. R. Milner, J. Parrow, and D. Walker. A calculus of mobile processes, parts 1-2.Information and Computation, 100(1):1–77, 1992.

13. W. Reisig and G. Rozenberg, editors. Lectures on Petri Nets I: Basic Models,Advances in Petri Nets, volume 1491 of LNCS. Springer, 1998.

14. R. Valk. Nets in computer organisation. In W. Brauer, W. Reisig, and G. Rozen-berg, editors, Advances in Petri Nets, volume 255 of LNCS, pages 218–233.Springer, 1986.

15. R. Valk. Object Petri nets: Using the nets-within-nets paradigm. In J. Desel,W. Reisig, and G. Rozenberg, editors, Lectures on Concurrency and Petri Nets,volume 3098 of LNCS, pages 819–848. Springer, 2003.

Documents

From Petri hypernets to 1-safe nets