Petri Nets

Lecture Notes

Prof. Javier Esparza

June 18, 2019

2
Contents

I Petri Nets: Syntax, Semantics, Models 7

1 Basic definitions 9
1.1 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.2 Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
1.3 Semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

2 Modelling with Petri nets 19

2.1 A buffer of capacity n . . . . . . . . . . . . . . . . . . . . . . . . 19
2.2 Train tracks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.3 Dining philosophers . . . . . . . . . . . . . . . . . . . . . . . . . 22
2.4 A logical puzzle . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
2.5 Peterson’s algorithm . . . . . . . . . . . . . . . . . . . . . . . . 24
2.6 The action/reaction protocol . . . . . . . . . . . . . . . . . . . . 26
2.7 Some variants of the main model . . . . . . . . . . . . . . . . . . 28
2.8 Some sytems modeled by Petri nets with weight arcs . . . . . . . 30
2.8.1 Readers and writers . . . . . . . . . . . . . . . . . . . . . 30
2.8.2 Population protocols . . . . . . . . . . . . . . . . . . . . 31
2.9 Some Petri net models taken from the literature . . . . . . . . . . 35
2.10 Analysis problems . . . . . . . . . . . . . . . . . . . . . . . . . 37

II Analysis Techniques for Petri Nets 39

3 Decision procedures 43
3.1 Decision procedures for 1-bounded Petri nets . . . . . . . . . . . 43
3.1.1 Complexity for 1-bounded Petri nets . . . . . . . . . . . . 44
3.2 Decision procedures for general Petri nets . . . . . . . . . . . . . 48
3.2.1 A decision procedure for Boundedness . . . . . . . . . . 48
3.2.2 Decision procedures for Coverability . . . . . . . . . . . 50

3
4 CONTENTS

3.2.3 Decision procedures for other problems . . . . . . . . . . 65

3.2.4 Complexity . . . . . . . . . . . . . . . . . . . . . . . . . 70

4 Semi-decision procedures 81
4.1 Linear systems of equations and linear programming . . . . . . . 81
4.2 The Marking Equation . . . . . . . . . . . . . . . . . . . . . . . 82
4.3 S- and T-invariants . . . . . . . . . . . . . . . . . . . . . . . . . 85
4.3.1 S-invariants . . . . . . . . . . . . . . . . . . . . . . . . . 85
4.3.2 T-invariants . . . . . . . . . . . . . . . . . . . . . . . . . 89
4.4 Siphons and Traps . . . . . . . . . . . . . . . . . . . . . . . . . . 90
4.4.1 Siphons . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
4.4.2 Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

5 Petri net classes with efficient decision procedures 95

5.1 S-Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
5.2 T-systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
5.2.1 Liveness . . . . . . . . . . . . . . . . . . . . . . . . . . 98
5.2.2 Boundedness . . . . . . . . . . . . . . . . . . . . . . . . 99
5.2.3 Reachability . . . . . . . . . . . . . . . . . . . . . . . . 99
5.2.4 Other properties . . . . . . . . . . . . . . . . . . . . . . 101
5.3 Free-Choice Systems . . . . . . . . . . . . . . . . . . . . . . . . 104
5.3.1 Liveness . . . . . . . . . . . . . . . . . . . . . . . . . . 105
5.3.2 Boundedness . . . . . . . . . . . . . . . . . . . . . . . . 113
5.3.3 Reachability . . . . . . . . . . . . . . . . . . . . . . . . 115
5.3.4 Other properties . . . . . . . . . . . . . . . . . . . . . . 119
CONTENTS 5

Sources
The main sources are:

J. Desel. Struktur und Analyse von Free-Choice-Petrinetzen. Deutscher

Universitäts Verlag, 1992.
J. Desel und J. Esparza. Free-choice Petri nets. Cambridge Tracts in
Theoretical Computer Science 40, Cambridge University Press, 1995.

The Petri net model of Peterson’s algorithm is taken from

E. Best. Semantics of Sequential and Parallel Programs. Prentice-

Hall, 1996.

The action-reaction protocol is taken from

R. Walter. Petrinetzmodelle verteilter Algorithmen – Intuition und

Beweistechnik. Dieter Bertz Verlag, 1996.

The train examples of Chapter 2 belong to the Petri net folklore. They were
first introduced by H. Genrich.
6 CONTENTS
 Part I

Petri Nets: Syntax, Semantics,

Models

7
Chapter 1

Basic definitions

1.1 Preliminaries
Numbers
N, Z, Q and R denote the natural, rational, and real numbers.

Relations
Let X be a set and R ⊆ X × X a relation. R∗ denotes the transitive and reflexive
closure of R. R−1 is the inverse of R, that is, the relation defined by (x, y) ∈
R−1 ⇔ (y, x) ∈ R.

Sequences
A finite sequence over a set A is a mapping σ : {1, . . . , n} → A, denoted by the
string a1 a2 . . . an , where ai = σ(i) for every 1 ≤ i ≤ n, or the mapping  : ∅ → A,
the empty sequence. The length of σ is n and the length of  is 0.
An infinite sequence is a mapping σ : IN → A. We write σ = a1 a2 a3 . . . with
ai = σ(i).
The concatenation of two finite sequences or of a finite and an infinite sequence
is defined as usual. Given a finite sequence σ, we denote by σ ω the infinite con-
catenation σσσ . . ..
σ is a prefix of τ if σ = τ or σσ 0 = τ for some sequence σ 0 .
The alphabet of a sequence σ is the set of elements of A occurring in σ. Given
a sequence σ over A and B ⊆ A, the projection or restriction σ|B is the result of
removing all occurrences of elements a ∈ A \ B in σ.

9
10 CHAPTER 1. BASIC DEFINITIONS

Vectors and matrices

Let A = {a1 , . . . , an } be a finite set and let K be one of N, Z, Q, R.
We represent a mapping X : A → K by the vector (X(a1 ), . . . , X(an )). We
identify the mapping X and its vector representation.
Given vectors X = (x1 , . . . , xn ) and Y = (y1 , . . . , yn ), the (scalar) product
X · Y is the number x1 y1 + . . . + xn yn (we do not distinguish between row and
column vectors!). We write X ≥ Y to denote x1 ≥ y1 ∧. . .∧xn ≥ yn ,a nd X > Y
to denote x1 > y1 ∧ . . . ∧ xn > yn .
Let B = {b1 , . . . , bm } be a finite set. A mapping C : A × B → K is repre-
sented by the n × m matrix
 
C(a1 , b1 ) C(a1 , b2 ) ··· C(a1 , bm )
 C(a2 , b1 ) C(a2 , b2 )
 ··· C(a2 , bm ) 

 ··· ··· ··· ··· 
C(an , b1 ) C(an , b2 ) ··· C(an , bm )
We also write C = (cij )i=1,...,n,j=1,...,m , where cij = C(ai , bj ).
Let X = (x1 , . . . , xm ) be a vector and let C be a n × m matrix. The product
C · X is the vector Y = (y1 , . . . , yn ) given by

y(i) = ci1 x1 + . . . + cim xm

and for X = (x1 , . . . , xn ) the product X · C is the vector Y = (y1 , . . . , ym ) given

by
y(i) = c1i x1 + . . . + cni xn

Complexity Classes
We recall some basic notions of complexity theory. Formal definitions can be found
in standard textbooks.
A program is deterministic if it only has one possible computation for each
input. A program is nondeterministic if it may execute different computations for
the same input.
A program (deterministic or not) runs in f (n)-time for a function f : N → N
if for every input of length n (measured in bits) every computation takes at most
f (n) time. Given a set C of functions N → N (for example, C can be the set
of all polynomial functions), a program runs in C-time if it runs in f (n) time for
some function f (n) of C. Often we speak of a “polynomial-time program” or
“exponential-time” program, meaning a program that runs in time f (n) for some
polynomial resp. exponential function f (n).
1.1. PRELIMINARIES 11

Similarly, a program needs f (n)-memory or f (n)-space for a function f : N →

N if it uses at most f (n) bits of memory for every input of length n. The f (n) bits
do not include the memory needed to store the input. We speak of “polynomial-
space” or “exponential-space” programs.
Informally, a problem consists of a universe U of possible inputs, and a predi-
cate P on U assigning to each u ∈ U a value P (u) ∈ {0, 1}. For example, U can
be the set of all finite graphs, and P (u) the predicate with P (u) = 1 iff u has a
cycle.
A deterministic program solves a problem (U, P ) if it terminates for every input
u ∈ U and returns P (u).
A nondeterministic program solves a problem (P, U ) if for every input u ∈ U :

• if P (u) = 1 then at least one computation of the program returns 1; and

• if P (u) = 0 then every computation of the program returns 0.

Observe: if the program returns 1 then we know P (u) = 1, otherwise we do not

know anything.

• P is the class of problems that can be solved by polynomial-time determin-

istic programs.

• NP is the class of problems that can be solved by polynomial-time nondeter-

ministic programs.

• PSPACE is the class of problems that can be solved by polynomial-space

deterministic programs.

• NPSPACE is the class of problems that can be solved by polynomial-space

nondeterministic programs.

• EXPTIME is the class of problems that can be solved by exponential-time

deterministic programs.

• EXPSPACE is the class of problems that can be solved by exponential-space

deterministic programs.

We have

P ⊆ NP ⊆ PSPACE ⊆ EXPTIME ⊆ EXPSPACE.

It is widely believed that all these inclusions are strict. However, all we know for
sure is the (rather trivial fact) P ⊂ EXPTIME. We also know:
12 CHAPTER 1. BASIC DEFINITIONS

Theorem 1.1.1 [Savitch’s theorem]

NPSPACE = PSPACE.

A problem Π1 = (U1 , P1 ) can be polynomially reduced to Π2 = (U2 , P2 ) if

there is a function f : U1 → U2 satisfying the following two properties:
• for every u1 ∈ U1 : P1 (u1 ) = 1 iff P2 (f (u1 )), and
• there is a polynomial-time deterministic program that computes f .
For all the complexity classes above, if Π1 can be reduced to Π2 and Π2 belongs
to the class, then so does Π1 .
A problem is hard for a complexity class if all problems in the class can be
reduced to it. It is complete for the class if it is hard for the class, and belongs to
the class.

1.2 Syntax
Definition 1.2.1 (Net, preset, postset)
A net N = (S, T, F ) consists of a finite set S of places (represented by circles),
a finite set T of transitions disjoint from S (squares), and a flow relation (arrows)
F ⊆ (S × T ) ∪ (T × S).
The places and transitions of N are called elements or nodes. The elements of
F are called arcs.
Given x ∈ S ∪ T , the set • x = {y | (y, x) ∈ F } is the preset of S x and
•
x = {y | (x, y) ∈ F } is the postset of x. For X ⊆ S ∪ T we denote X = • •x
x∈X
and X • =
S •
x .
x∈X

Example. Let N = (S, T, F ) be the net

S = {s1 , . . . , s6 }
T = {t1 , . . . , t4 }
F = {(s1 , t1 ), (t1 , s2 ), (s2 , t2 ), (t2 , s1 ),
(s3 , t2 ), (t2 , s4 ), (s4 , t3 ), (t3 , s3 ),
(s5 , t3 ), (t3 , s6 ), (s6 , t4 ), (t4 , s5 )}

Figure 1.1 shows the graphical representation of N . For example we have

•t = {s2 , s3 } and • S = S • = T .
2

Remark: Nets with empty S, T or F are allowed!

1.2. SYNTAX 13

s1 s3 s5

t1 t2 t3 t4

s2 s4 s6

Figure 1.1: Graphical representation of the net N

Subnets Non−subnets

s1 s1

t1 t1

s3 s3

t2 t3 t2 t3

s4 s4

t2

Figure 1.2: Subnets and non-subnets of the net of Figure 1.1

Definition 1.2.2 (Subnet)

N 0 = (S 0 , T 0 , F 0 ) is a subnet of N = (S, T, F ) if
• S 0 ⊆ S,

• T 0 ⊆ T , and

• F 0 = F ∩ ((S 0 × T 0 ) ∪ (T 0 × S 0 )) (not F 0 ⊆ F ∩ ((S 0 × T 0 ) ∪ (T 0 × S 0 )) !).

Figure 1.2 shows some subnets and non-subnets of the net of Figure 1.1.

Definition 1.2.3 (Path, circuit)

A path of a net N = (S, T, F ) is a finite, nonempty sequence x1 . . . xn of nodes of
N such that (x1 , x2 ), . . . , (xn−1 , xn ) ∈ F . We say that a path x1 . . . xn leads from
x1 to xn .
14 CHAPTER 1. BASIC DEFINITIONS

A path is a circuit if (xn , x1 ) ∈ F and (xi = xj ) ⇒ i = j for every 1 ≤ i, j ≤

n.
N is connected if (x, y) ∈ (F ∪ F −1 )∗ for every x, y ∈ S ∪ T , and strongly
connected if (x, y) ∈ F ∗ for every x, y ∈ S ∪ T .

Remarks:

• Every net with 0 or 1 node is strongly connected!

• If N is strongly connected then it is also connected.

Proposition 1.2.4 Let N = (S, T, F ) be a net.

(1) N is connected iff there are no two subnets (S1 , T1 , F1 ) and (S2 , T2 , F2 ) of
N such that

• S1 ∪ T1 6= ∅, S2 ∪ T2 6= ∅;
• S1 ∪ S2 = S, T1 ∪ T2 = T , F1 ∪ F2 = F ;
• S1 ∩ S2 = ∅, T1 ∩ T2 = ∅.

(2) A connected net is strongly connected iff for every (x, y) ∈ F there is a path
leading from y to x.

Proof. Exercise. 

1.3 Semantics
Definition 1.3.1 (Markings)
Let N = (S, T, F ) be a net.PA marking of N is a mapping M : S → IN. Given
R ⊆ S we write M (R) = M (s). A place s is marked at M if M (s) > 0. A
s∈R
set of places R is marked at M if M (R) > 0, that is, if at least one place of R is
marked at M .

Instead of mappings S → IN sometimes we use vectors. For this we fix a

total order on the places of N . With this convention we can represent a marking
M : S → IN as a vector of dimension |S|.
Markings are graphically represented by drawing black dots (“tokens”) on the
places.
1.3. SEMANTICS 15

Definition 1.3.2 (Firing rule, dead markings)

A transition is enabled at a marking M if M (s) ≥ 1 for every place s ∈ • t. If t
is enabled, then it can occur or fire, leading from M to the marking M 0 (denoted
t
M −→ M 0 ) given by:

 M (s) − 1 if s ∈ • t \ t•

0
M (s) = M (s) + 1 if s ∈ t• \ • t
M (s) otherwise


A marking is dead if it does not enable any transition.

Example 1.3.3 Let M be the marking of the net N in Figure 1.1 given by M (s1 ) =
M (s4 ) = M (s5 ) = 1 and M (s2 ) = M (s3 ) = M (s6 ) = 0. We denote this
marking by the vector (1, 0, 0, 1, 1, 0).
The marking enables transitions t1 and t3 , because • t1 = {s1 } and • t3 =
{s4 , s5 }. Transition t2 is not enabled, because M (s2 ) = 0. Transition t4 is not
enabled, because M (s6 ) = 0. We have

1 t
(1, 0, 0, 1, 1, 0) −→ (0, 1, 0, 1, 1, 0)
3 t
(1, 0, 0, 1, 1, 0) −→ (1, 0, 1, 0, 0, 1)

Definition 1.3.4 (Firing sequence, reachable marking)

Let N = (S, T, F ) be a net and let M be a marking of N . A finite sequence
σ = t1 . . . tn is enabled at a marking M if there are markings M1 , M2 , . . . , Mn
t1 t2 t3 tn σ
such that M −→ M1 −→ M2 −→ . . . −→ Mn . We write M −→ Mn . The empty

sequence  is enabled at any marking and we have M −→ M .
σ
If M −→ M 0 for some markings M, M 0 and some sequence σ, then we write
∗
M −→ M 0 and say that M 0 is reachable from M . [M i denotes the set of markings
that are reachable from M .
An infinite sequence σ = t1 t2 . . . is enabled at a marking if there are markings
t1 t2
M1 , M2 , . . . such that M −→ M1 −→ M2 −→ . . .

Example 1.3.5 Let N be the net of Figure 1.1 and let M = (1, 0, 0, 1, 1, 0) be a
marking of N . We have
t 1 t 3
(1, 0, 0, 1, 1, 0) −−→ (0, 1, 0, 1, 1, 0) −−→ (0, 1, 1, 0, 0, 1)
↓ t2
t4
(1, 0, 0, 1, 0, 1) −−→ (1, 0, 0, 1, 1, 0)
So M enables the finite sequence t1 t3 t2 t4 and the infinite sequence (t1 t3 t2 t4 )ω .
16 CHAPTER 1. BASIC DEFINITIONS

Proposition 1.3.6 A (finite or infinite) sequence σ is enabled at M iff every finite

prefix of σ is enabled at M .

Proof. Easy exercise. 

The following simple lemma plays a fundamental role in many results about
Petri nets.

Lemma 1.3.7 [Monotonicity lemma]

Let M and L be two markings of a net.
σ σ
(1) If M −→ M 0 for a finite sequence σ, then (M + L) −→ (M 0 + L) for every
marking L.
σ σ
(2) If M −→ for an infinite sequence σ, then (M + L) −→ for every marking
L.

Proof. (1): by induction on the length of σ.

Basis: σ = .  is enabled at any marking.
τ t
Step: Let σ = τ t (t transition) such that M −→ M 00 −→ M 0 . By induction
τ t
hypothesis (M + L) −→ (M 00 + L). From the firing rule and M 00 −→ M 0 we get
t τt
(M 00 + L) −→ (M 0 + L). So (M + L) −→ (M 0 + L).

(2): We show that every finite prefix of σ is enabled at M + L. The result then
follows from Proposition 1.3.6. By Proposition 1.3.6, every finite prefix of σ is
enabled at M . That is, for every finite prefix τ of σ there is a marking M 0 such that
τ τ
M −→ M 0 . By (1) we get (M + L) −→ (M 0 + L), and we are done. 

Definition 1.3.8 (Petri nets)

A Petri net, net system, or just a system is a pair (N, M0 ) where N is a connected
net N = (S, T, F ) with nonempty sets of places and transitions, and an initial
marking M0 : S → IN. A marking M is reachable in (N, M0 ) or a reachable
∗
marking of (N, M0 ) if M0 −→ M .

Definition 1.3.9 (Reachability graph)

The reachability graph G of a Petri net (N, M0 ) where N = (S, T, F ) is the di-
rected, labeled graph satisfying:
• The nodes of G are the reachable markings of (N, M0 ).

• The edges of G are labeled with transitions from T .

1.3. SEMANTICS 17

t
• There is an edge from M to M 0 labeled by t iff M −→ M , that is, iff M
enables t and the firing of t leads from M to M 0 .

R EACHABILITY-G RAPH((S, T, F, M0 ))
1 (V, E, v0 ) := ({M0 }, ∅, M0 );
2 Work := {M0 };
3 while Work 6= ∅
4 do select M from Work ;
5 Work := Work \ {M };
6 for t ∈ enabled(M )
7 do M 0 := fire(M, t);
8 if M 0 ∈/V
9 then V := V ∪ {M 0 }
10 Work := Work ∪ {M 0 };
11 E := E ∪ {(M, t, M 0 )};
12 return (V, E, v0 )

Figure 1.3: Algorithm for computing the reachability graph

The algorithm of Figure 1.3 computes the reachability graph. It uses two functions:

• enabled(M ): returns the set of transitions enabled at M .

t
• fire(M, t): returns the marking M 0 such that M −→ M 0 .

The set Work may be implemented as a stack, in which case the graph will be
constructed in a depth-first manner, or as a queue for breadth-first. Breadth first
search will find the shortest transition path from the initial marking to a given
(erroneous) marking. Some applications require depth first search.
18 CHAPTER 1. BASIC DEFINITIONS
Chapter 2

Modelling with Petri nets

2.1 A buffer of capacity n

We model a buffer with capacity for n items. Figure 2.1 shows the Petri net for
n = 3. The model consists of n cells, each of them with capacity for one item.

Cell−1−empty Cell−2−empty Cell−3−empty

s1 s3 s5

t1 t2 t3 t4

s2 s4 s6

Cell−1−full Cell−2−full Cell−3−full

Figure 2.1: A 3-buffer

The addition of a new item is modeled by the firing of t1 . The firing of transition
ti models moving the item in cell i − 1 to cell i. Firing tn+1 models removing one
item. Observe that the buffer is concurrent: there are reachable markings at which
transitions t1 and tn+1 can occur independently of each other, that is, an item can
be added while another one is being removed.
Figure 2.2 shows the reachability graph of the buffer with capacity 3. By in-
spection of the reachability graph we can see that the following properties hold:
• Consistency: no cell is simultaneously empty and full (that is, no marking puts
tokens on si and si+1 for i = 1, 2, 3).
• 1-boundedness: every reachable marking puts at most one token in a given place.

19
20 CHAPTER 2. MODELLING WITH PETRI NETS

(10 10 10)
t1

(01 10 10) t4

t2

(10 01 10)

t4 t1 t3

(01 01 10) (10 10 01)

t3 t1
t4
(01 10 01)

t2
t4
(10 01 01)

t1

(01 01 01)

Figure 2.2: Reachability graph of the 3-buffer

• Deadlock freedom: every reachable marking has at least one successor marking.
Even more: every cell can always be filled and emptied again (every transition
can occur again).
• Capacity 3: the buffer has indeed capacity 3, that is, there is a reachable marking
that puts one token in s2 , s4 , s6 .
• The initial marking is reachable from any reachable marking (that is, it is always
possible to empty the buffer).
• Between any two reachable markings there is a path of length at most 6.

2.2 Train tracks

Four cities are connected by unidirectional train tracks building a circle. Two trains
circulate on the tracks. Our task is to ensure that it will never be the case that two
trains occupy the same track.
Figure 2.3 shows a solution of the problem modeled as a Petri net. the four
tracks are modeled by places s1 , . . . , s4 . A token on si means that there is train in
the i-th track.
The four control places l1 , . . . , l4 guarantee that no reachable marking puts
more than one token on si . This property can be proven by means of the reacha-
bility graph shown in Figure 2.4. Since every reachable marking puts at most one
2.2. TRAIN TRACKS 21

s1
t4 t1

l1
s4 l4 l2 s2
l3

t3 t2
s3

Figure 2.3: Train tracks (first version)

{l1 s2 l3 s4 }
t2 t4

{l1 l2 s3 s4 } {s1 s2 l3 l4 }

t3 t4 t2 t1

{s1 l2 s3 l4 }
t1 t3

{l1 s2 s3 l4 } {s1 l2 l3 s4 }

Figure 2.4: Reachability graph of the Petri net of Figure 2.3

token on a place, we denote a marking by the set of places marked by it. For in-
stance, we denote by {l1 , s2 , l3 , s4 } the marking that puts a token on l1 , s2 , l3 and
s4 .

Consider now a slightly different system. We have 8 cities connected in a

circuit, and three trains use the tracks. To increase safety, we have to guarantee
that there always is at least one empty track between any two trains.

The Petri net of Figure 2.5 is a solution of the problem: The reader can con-
struct the reachability graph and show that the desired property holds. However,
the graph is pretty large!
22 CHAPTER 2. MODELLING WITH PETRI NETS

Figure 2.5: Train tracks (second version)

2.3 Dining philosophers

Four philosophers sit around a round table. There are forks on the table, one be-
tween each pair of philosophers. The philosophers want to eat spaghetti from a
large bowl in the center of the table (see the top of Figure 2.6). Unfortunately the
spaghetti is of a particularly slippery type, and a philosopher needs both forks in
order to eat it. The philosophers have agreed on the following protocol to obtain
the forks: Initially philosophers think about philosophy, when they get hungry they
do the following: (1) take the left fork, (2) take the right fork and start eating, (3)
return both forks simultaneously, and repeat from the beginning. Figure 2.6 shows
a Petri net model of the system.
Two interesting questions about this systems are:

• Can the philosophers starve to death (because the system reaches a dead-
lock)?

• Will an individual philosopher eventually eat, assuming she wants to?

2.4 A logical puzzle

A man is travelling with a wolf, a goat, and a cabbage. The four come to a river
that they must cross. There is a boat available for crossing the river, but it can carry
only the man and at most one other object. The wolf may eat the goat when the
2.4. A LOGICAL PUZZLE 23

4 3

1 2

thinking eating
l4 r3
fork
eating thinking
r4 b4 b3 l3

fork fork

l1 b1 b2 r2
thinking eating
fork
r1 l2
eating thinking

Figure 2.6: Petri net model of the dining philosophers

24 CHAPTER 2. MODELLING WITH PETRI NETS

man is not around, and the goat may eat the cabbage when unattended (see Figure
2.7)
Can the man bring everyone across the river without endangering the goat or
the cabbage? And if so, how?
We model the system with a Petri net. The puzzle mentions the following
objects: Man, wolf, goat, cabbage, boat. Both can be on either side of the river. It
also mentions the following actions: Crossing the river, wolf eats goat, goat eats
cabbage.
Objects and their states are modeled by places. (We can omit the boat, because
it is always going to be on the same side as the man.) Actions are modeled by
transitions. Figure 2.7 shows the transitions for the three actions.

2.5 Peterson’s algorithm

Peterson’s algorithm is a well-known solution to the mutual exclusion problem for

two processes.

var m1 , m2 : {false, true} (init false);

hold : {1, 2};

while true do while true do

m1 := true; m2 := true;
hold := 1; hold := 2;
await(¬m2 ∨ hold = 2); await(¬m1 ∨ hold = 1);
(critical section); (critical section);
m1 := false; m2 := false;
od od

The Petri net of Figure 2.8 models this algorithm. The variable mi is modeled
by the places mi = true and mi = false. A token on mi = true means that
at the current state of the program (marking) the variable mi has the value true
(so the Petri net must satisfy the property that no reachable marking puts tokens
on both mi = true and mi = false at the same time). Variable hold is modeled
analogously.
A token on p4 (q4 ) indicates that the left (right) process is in its critical section.
Mutual exclusion holds if no reachable marking puts a token on p4 and q4 . The
Petri net has 20 reachable markings.
2.5. PETERSON’S ALGORITHM 25

Left bank Right bank

Man MLR Man

ML MR

Wolf WLR Wolf

WL WR

Goat GLR Goat

GL GR

Cabbage CLR Cabbage

CL CR

Left bank Right bank

Man MRL Man

ML MR

Wolf WRL Wolf

WL WR

Goat GRL Goat

GL GR

Cabbage CRL Cabbage

CL CR

Left bank Right bank

Man Man
ML MR

Wolf Wolf
WL WR
WGL WGR

Goat Goat
GL GR
CGL CGR

Cabbage Cabbage
CL CR

Figure 2.7: Transitions modelling the actions of the puzzle

26 CHAPTER 2. MODELLING WITH PETRI NETS

p1 m1 = f m2 = f q1

u6 u1 v1 v6

m1 = t m2 = t
p2 q2
hold = 2

u3 u2 v2 v3

p3 q3

hold = 1
u4 u5 v5 v4

p4 q4

Figure 2.8: Petri net model of Peterson’s algorithm

2.6 The action/reaction protocol

Two agents must repeatedly exchange informations. When an agent requests an

information from the other one, it must wait for an answer before proceeding. The
task is to design a protocol for the exchanges. In particular, the protocol must
guarantee that it is not possible to reach a situation in which both processes are
waiting from an answer from the other one.
A first attempt at a solution is shown in Figure 2.9. Requests are modeled by the
Action transitions, and replies by the Reaction transitions. However, this solution
can reach a deadlock: both processes can issue a request simultaneously, after
which they wait forever for an answer. We call such a situation a crosstalk. Figure
2.10 shows a second attempt. Now processes can detect that a crosstalk has taken
place. If a process detects a crosstalk, it answers the request of its partner, and then
continues to wait for an answer to its own request. This solution has no deadlocks
(prove it!), but it exhibits the following problem: a non-cooperative process can
always get answers to its requests, without ever answering any request from its
partner. The solution is deadlock free, but unfair. The third attempt (Figure 2.11)
is fair. If a process detects a crosstalk, then it answers the request of its partner, as
before, but then it moves to a state in which it is only willing to receive an answer
to its own question. Unfortunately, the system has again a deadlock (can you find
it?).
2.6. THE ACTION/REACTION PROTOCOL 27

answer−rl
wait−l done−r

action−l reaction−r
request−lr
idle−l idle−r
request−rl
reaction−l action−r

done−l wait−r
answer−lr

Figure 2.9: First attempt

a−rl
w−l d−r

r−lr
a−l r−r

i−l ct−l ct−r i−r

r−l a−r
r−rl
d−l w−r
a−lr

Figure 2.10: Second attempt

28 CHAPTER 2. MODELLING WITH PETRI NETS

a−rl

w−l d−r

r−lr

a−l r−r
ct−l

i−l i−r

ct−r
r−l a−r

r−rl

w−r
d−l

a−lr

Figure 2.11: Third attempt

The final attempt (Figure 2.12) is both deadlock-free and fair. The protocol
works in rounds. A “good” round consists of a request and an answer. In a “bad”
round both processes issue a request and they reach a crosstalk situation. Such a
round continues as follows: both processes detect the crosstalk, send each other an
“end-of-round” signal, wait for the same signal from their partner, and then move
to their initial states.
The solution is not perfect. In the worst case there are only bad rounds, and no
requests are answered at all.

2.7 Some variants of the main model

Definition 2.7.1 (Nets with place capacities)
A net with capacities N = (S, T, F, K) consists of a net (S, T, F ) and a mapping
K : S → IN.
A transition t is enabled at a marking M of N if
– M (s) ≥ 1 for every place s ∈ • t and
– M (s) < K(s) for every place s ∈ t• \ • t
The notions of firing, Petri net with capacities, etc. are defined as in the capacity-
free case.

Definition 2.7.2 (Nets with weighted arcs)

2.7. SOME VARIANTS OF THE MAIN MODEL 29

end−of−round−l

a−rl
w−l d−r

r−lr
a−l r−r

i−l ct−l ct−r i−r

r−rl
r−l a−r

d−l w−r

a−lr

end−of−round−r

Figure 2.12: Last attempt

A net with weighted arcs N = (S, T, W ) consists of two disjoint sets of places and
transitions and a weight function W : (S × T ) ∪ (T × S) → IN. A transition t is
enabled at a marking M of N if M (s) ≥ W (s, t) for every s ∈ S. If t is enabled
then it can occur leading to the marking M 0 defined by

M 0 (s) = M (s) + W (t, s) − W (s, t)

for every place s.

In Petri nets with weighted arcs, the preset and postset of a transition is not a
set, but a multiset, i.e., a set that can contain multiple copies of an object. If, for
example, W (s, t) = 3, then the preset of t contains 3 copies of the place s. Other
notions are defined as in the standard model.

Definition 2.7.3 (Nets with inhibitor arcs)

A net with inhibitor arcs N = (S, T, F, I) consists of two disjoint sets of places
and transitions, a set F ⊆ (S × T ) ∪ (T × S) of arcs, and a set I ⊆ S × T ,
disjoint with F , of inhibitor arcs. A transition t is enabled at a marking M of N
if M (s) > 0 for every place s such that (s, t) ∈ F , and M (s) = 0 for every place
s such that (s, t) ∈ I. If t is enabled then it can occur leading to the marking M 0 ,
defined as for standard Petri nets.
30 CHAPTER 2. MODELLING WITH PETRI NETS

ri wj

Ri Si m Vj Wj

si vj

Ri : Process i reads Wi : Process j writes

Si : Process i idle Vj : Process j idle
ri : Process i starts reading wj : Process j starts writing
si : Process i stops reading vj : Process j stops writing

m readers n writers

Figure 2.13: Readers and writers

Definition 2.7.4 (Nets with reset arcs)

A net with reset arcs N = (S, T, F, R) consists of two disjoint sets of places and
transitions, a set F ⊆ (S × T ) ∪ (T × S) of arcs, and a set R ⊆ S × T , disjoint
with F , of reset arcs. A transition t is enabled at a marking M of N if M (s) > 0
for every place s such that (s, t) ∈ F ∪ R. If t is enabled then it can occur leading
to the marking obtained after the following operations:

• Remove one token from every place s such that (s, t) ∈ F .

• Remove all tokens from every place s such that (s, t) ∈ R.

• Add one token to every place s such that (t, s) ∈ F .

2.8 Some sytems modeled by Petri nets with weight arcs

2.8.1 Readers and writers
The Petri net with weighted arcs of Figure 2.13 models a solution to the “readers
and writers” problem. A set of processes has access to a database. Processes can
read concurrently, but a process can only write if no other processes reads nor
writes.
2.8. SOME SYTEMS MODELED BY PETRI NETS WITH WEIGHT ARCS 31

Rule Nr. Rule

1 AY , AN 7→ PN , PN
2 Aα , Pβ 7→ Aα , Pα α, β ∈ {Y, N}

Table 2.1: A first protocol for computing majority.

Exercise: Modify the Petri net so that reading processes can not indefinitely
prevent another process from writing.

2.8.2 Population protocols

Population protocols are a model of distributed computation by anonymous, iden-
tical finite-state agents. While they were initially introduced to model networks of
passively mobile sensors, they capture the essence of distributed computation in
diverse areas such as trust propagation and chemical reactions.
We introduce them by means of several examples. Then we present the formal
definitions, and show how they can be translated into Petri nets.

The Black Ninjas. The Black Ninjas are an ancient secret society of warriors.
It is so secret that its members do not even know each other and how many they
are. When there is a matter to discuss, Sensei, the founder of the society, asks the
ninjas to meet at night, preferably during a storm as it minimizes the chance of
being surprised by the enemy.
As it happens, all ninjas have just received a note asking them to meet in a
certain Zen garden at midnight, wearing their black uniform, in order to decide
whether they should attack a nearby castle at dawn. The decision is taken by ma-
jority, and in the case of a tie the ninjas will not attack. All ninjas must decide their
vote in advance, the only purpose of the meeting is to compute the final outcome.
When the ninjas reach the garden in the gloomy night, dark clouds cover the
sky as rain pours vociferously. The weather is so dreadful that it is impossible to
see or hear anything at all. For this reason, voting procedures based on visual or
oral communication are hopeless. Is there a way for the ninjas to conduct their vote
in spite of these adverse conditions?

A first protocol. Sensei has foreseen this situation and made preparations. The
note sent to the ninjas contains detailed instructions on how to proceed. Each ninja
must wander randomly around the garden. Two ninjas that happen to bump into
32 CHAPTER 2. MODELLING WITH PETRI NETS

Rule Nr. Rule

1 AY , AN 7→ PN , PN
2 Aα , Pβ 7→ Aα , Pα α, β ∈ {Y, N}
3 PN , PY 7→ PN , PN

Table 2.2: A second protocol for computing majority.

each other exchange information using touch according to the following protocol.
Each ninja maintains two bits of information:
• the first bit indicates whether the ninja is currently active (A) or passive (P);
and

• the second bit indicates the current expectation of each ninja on the final
outcome of the vote: yes, we will attack (Y) or no, we will not attack (N).
This gives four possible states for each ninja: AY , AN , PY , PN . Initially the
ninjas set their first bit to A, i.e., they are all active, and their second bit to their
vote. State changes obey interaction rules or transitions of the form p, q 7→ p0 , q 0 ,
meaning that if the interacting ninjas are in states p and q, respectively, they move
to states p0 and q 0 . Sensei specifies two rules, shown on Table 2.1, with the implicit
assumption that for any combination of states not covered by the rules, the ninjas
must simply keep their current states.

A second protocol. The protocol works fine for a time, but then disaster strikes.
At one gathering there is an equal number of Y-ninjas and N-ninjas. In this case —
and only in this case — the protocol is incorrect. There is an execution in which
the ninjas do not reach consensus, and after which the states of the ninjas cannot
change anymore. At dawn only some ninjas attack, they are decimated, and Sensei
commits harakiri.
The newly elected Sensei II analyzes the problem and quickly comes up with
a repair for the protocol. It is shown in Table 2.2: a new rule PY , PN 7→ PN , PN
is added. If all ninjas become passive, which can only happen in the case of a tie,
then the new rule guarantees that an N-consensus is eventually reached.

A third protocol. Again, the new protocol works fine . . . until it doesn’t. The
story repeats itself: At dawn no consensus has been reached, only some ninjas
attack, they are decimated. The successor, Sensei III, considers the general scenario
in which Y has a majority of only one ninja, and finds the following explanation:
2.8. SOME SYTEMS MODELED BY PETRI NETS WITH WEIGHT ARCS 33

Rule Nr. Rule

1 AY , AT 7→ AY , PY
2 AY , AN 7→ AT , PT
3 AT , AN 7→ AN , PN
4 AT , AT 7→ AT , PT
5 Aα , Pβ 7→ Aα , Pα α, β ∈ {Y, T, N}

Table 2.3: A third protocol for computing majority.

In this situation, the protocol reaches with high probability a configuration with
one single ninja in state AY and many ninjas in states PN . There is now a struggle
between the single AY ninja, who turns PN -ninjas to PY using the second rule,
against the many PN -ninjas, who turn PY -ninjas back to PN using the new rule.
The AY -ninja eventually “wins”, and consensus Y is reached, but only after she
turns all PN -ninjas to PY before any of the PN -ninjas converts any of them back
to PY .
Sensei III wants a new protocol with a clean design. Since ties are the source
of all problems, she decides that the protocol should explicitly deal with them. So,
apart from being active or passive, ninjas can now have a more refined expectation
of the outcome: Y, N, and T (for “tie”). The protocol is shown on Table 2.3. When
two active ninjas meet, only one of them becomes passive, and both change their
expectation in the natural way. For example, if the expectations are Y and T, then
the ninja with expectation T changes it to Y. This explains rules 1 to 4. Rule 5 is
the usual one: passive ninjas adopt the expectation of active ninjas.

Formal definition of population protocols. As mentioned in the introduction,

a population protocol consists of a set of
2 2

states Q and a set of transitions T ⊆
Q × Q . A transition (q1 , q2 ), (q3 , q4 ) ∈ T is denoted (q1 , q2 ) 7→ (q3 , q4 ). A
configuration is a multiset of states. A configuration, say C, such that C(q1 ) = 2
and C(q2 ) = 1, indicates that currently there are two agents in state q1 and one
agent in state q2 . The connection to Petri nets is immediate: The Petri net modeling
a protocol has one place for each state, and one transition for every transition of
the protocol. If transition t of the Petri net models (q1 , q2 ) 7→ (q3 , q4 ), then • =
Hq1 , q2 I, and t• = Hq3 , q4 I, where Hq1 , q2 I. An agent in state q is modeled by a
token in place q. A configuration C with C(q) agents in state q is modeled by the
marking putting C(q) tokens in place q for every q ∈ Q.
Figure 2.14 shows the Petri net for the first two majority protocols. Transitions
34 CHAPTER 2. MODELLING WITH PETRI NETS

AY AN AY AN

2 2

PY PN PY PN
th 2

Figure 2.14: Weighted Petri nets for the first and second protocol. Transitions t
such that • t = t• are not shown.

t such that • t = t• (whose firing does not change the current marking) have been
omitted. Population protocols are designed to compute predicates ϕ : Nk → {0, 1}.
We first give an informal explanation of how a protocol computes a predicate,
and then a formal definition using Petri net terminology. A protocol for ϕ has a
distinguished set of input states {q1 , q2 , . . . , qk } ⊆ Q. Further, each state of Q,
initial or not, is labeled with an output, either 0 or 1. Assume for example k = 2.
In order to compute ϕ(n1 , n2 ), we first place ni agents in qi for i = 1, 2, and 0
agents in all other states. This is the initial configuration of the protocol for the
input (n1 , n2 ). Then we let the protocol run. The protocol satisfies that in every
fair run starting at the initial configuration (fair runs are defined formally below),
eventually all agents reach states labeled with 1, and stay in such states forever, or
they reach states of labeled with 0, and stay in such states forever. So, intuitively,
in all fair runs all agents eventually “agree” on a boolean value. By definition, this
value is the result of the computation, i.e, the value of ϕ(n1 , n2 ).
Formally, and in Petri net terms, fix a Petri net N = (S, T, W ) with |• t| =
2 = |t• | for every transition t. Further, fix a set I = {p1 , . . . , pk } of input places,
and a function O : P → {0, 1}. A marking M of N is a b-consensus if M (p) > 0
implies O(p) = b. A b-consensus M is stable if every marking reachable from
t1 t2
M is also a b-consensus. A firing sequence M0 −−→ M1 −−→ M2 · · · of N is fair
if it is finite and ends at a deadlock marking, or if it is infinite and the following
t
condition holds for all markings M, M 0 and t ∈ T : if M −→ M 0 and M = Mi
tj+1 t
for infinitely many i ≥ 0, then Mj −−−→ Mj+1 = M −→ M 0 for infinitely many
j ≥ 0. In other words, if a fair sequence reaches a marking infinitely often, then
all the transitions enabled at that marking will be fired infinitely often from that
marking. A fair firing sequence converges to b if there is i ≥ 0 such that Mj is
a b-consensus for every marking j ≥ i of the sequence. For every v ∈ Nk with
2.9. SOME PETRI NET MODELS TAKEN FROM THE LITERATURE 35

|v| ≥ 2 let Mv be the marking given by Mv (pi ) = vi for every pi ∈ I, and

Mv (p) = 0 for every p ∈ P \ I. We call Mv the initial marking for input v. The
net N computes the predicate ϕ : Nk → {0, 1} if for every v ∈ Nk , every fair
firing sequence starting at Mv converges to b.

2.9 Some Petri net models taken from the literature

Petri nets have multiple applications. To complete our collection of models, we
present three examples taken from scientific papers in three different areas: biol-
ogy, manufacturing, and business administration.

A model of a biological system. Petri nets are often used to model biological
systems. In these applications, tokens represent molecules or cells, and transi-
tions correspond to chemical reactions or biological processes. Figure 2.15, taken
from the paper “Executable cell biology”, by J. Fisher and T.A. Henzinger (Nature
biotechnology, 2007), shows in part (a) a simple, standard weighted Petri net. Part
( b ) shows a simplified logical regulatory graph for the biosynthesis of tryptophan
in E. coli. Each node of the regulatory graph represents an active component: tryp-
tophan (Trp), the active enzyme (TrpE) and the active repressor (TrpR). The node
marked by a rectangle accounts for the import of Trp from external medium. All
nodes are binary (that is, can take the value 0 or 1), except Trp, which is repre-
sented by a ternary variable (taking the values 0, 1, 2). Arrows represent activation
and bars denote inhibition (inhibitor arcs). Part ( c ) shows Petri net of the Trp
regulatory network. Each of the four components of part (b) is represented by two
complementary places and all the different situations that lead to a change of the
state of the system are modeled by one of the nine transitions (t1 , . . . , t9 ).

A model of a flexible manufacturing system. Figure 2.16, taken from the paper
“Optimal Petri-Net-Based Polynomial-Complexity Deadlock-Avoidance Policies
for Automated Manufacturing Systems” by Xing et al. (IEEE Trans. on Systems,
Man, and Cybernetics, 2009) shows a flexible manufactuting cell with has four
machines, modeled by places p20 to p23 , and three robots, modeled by places p24
to p26 . Tokens model parts, and so, for example, a token at p20 means that the part
represented by the token is currently being processed at the first machine. Each
machine can hold two parts at the same time, and each robot can hold one part.

A model of a business process. Figure 2.16, taken from the paper “Business
process management as the “Killer App” for Petri nets” by van der Aalst (Software
nd have been used to model T-cell activation and differentiation8,9, The initial T-cell model was followed by a more extensive animated
well as C. elegans development10,11,13,14. model of T-cell differentiation in the thymus9. A major advantage of
Interacting state machine models are particularly suitable for Statecharts compared to other state-based formalisms, such as Reactive
scribing mechanistic models of biological systems that are well Modules16, is the fact that this language is visual. The user can draw
derstood qualitatively. Such models do not require quantitative data states and state changes and the tool automatically creates an execut-
ating to the number of molecules and reaction rates. They allow the able model, enabling relatively easy and intuitive programming even
eation of abstract high-level models and the application of strong for nonspecialists. Efroni et al. used reactive animation (Box 2)9,53,
alysis tools such as model checking. The possibility of hierarchical where a reactive system drives the display of animation software to
ucturing is extremely useful in cases where the behavior is distrib- visualize the model. These studies were followed by ongoing efforts to
ed over many cells and where multiple copies of the same process model C. elegans development10,11,13,14, which used Statecharts and a
36 CHAPTER 2. MODELLING WITH PETRI NETS
e executed in parallel. visual language called Live Sequence Charts54 and more recently a lan-
There are many different languages to express interacting state guage called Reactive Modules16 that supports compositional analysis
achine models. Using the visual language (Box 2) of Statecharts15, techniques (Box 2).

ure 3 Petri nets. (a) A simple, standard

tri net. The circles denote places, whereas a p2
2
c
Trpext Trpext
boxes denote transitions. The distribution t1 t3
p1
tokens (black dots) in the places at a given 2 2 2
me defines a marking. Transitions change p3
t2 2 3 t4
marking by removing a token from each t3+ t3– t3 t2+ t2– t4
oming arrow and adding a token to each 2
going arrow. (b) Simplified logical regulatory 2
ph for the biosynthesis of tryptophan in 2 2
coli. Each node of the regulatory graph TrpE TrpE Trp Trp
resents an active component: tryptophan b
Trpext
p), the active enzyme (TrpE) and the active TrpR 2 2
ressor (TrpR). The node marked by a 2
tangle accounts for the import of Trp from t6 t7 t5 t8 t9
1 2 1
ernal medium. All nodes are binary (that
can take the value 0 or 1), except Trp, 1
ich is represented by a ternary variable Trp TrpE
king the values 0, 1, 2). Arrows represent 1 TrpR TrpR
ivation and bars denote inhibition. (c) Petri
of the Trp regulatory network. Each of the
r components of b is represented by two complementary places and all the 2.15:
Figure differentPetri
situations thatthe
net of leadTrp
to a regulatory
change of the network
state of the system are
deled by one of the nine transitions (t1–t9). Figures reproduced with permission from ref. 46.

TURE BIOTECHNOLOGY VOLUME 25 NUMBER 11 NOVEMBER 2007 1243

196 IEEE TRANSACTIONS ON SYSTEMS, MAN, AND CYBERNETICS—PART A: SYSTEMS AND HUMANS, VOL. 39, NO. 1, JANUARY 2009

saturated. Similarly, the firing of t6 requires r2 and leads θ1

saturated.
If a marked S3 PR contains ξ-resources, the controller given
in Definition 7 cannot guarantee that the controlled system is
live. Moreover, note that a ξ-resource is related with many
MPRT-circuits, i.e., it is contained in at least two MPRT-
circuits. To obtain a deadlock-free controller for this kind of
Petri-net models in the following, we will first reduce Petri-net
models by ξ-resources so that the reduced ones do not contain
any ξ-resources but still fall into the class of S3 PRs. By apply-
ing the design method for optimal polynomial-complexity DAP
to the reduced models, a suboptimal polynomial-complexity
DAP for a general S3 PR is obtained.
Definition 8: Let (N, M0 ) = (P ∪ P 0 ∪ PR , T, F, M0 ) be
a marked S3 PR and r a ξ-resource of (N, M0 ). The reduced
model of (N, M0 ) on r is a Petri net

(N (r), MA0 ) = (PA ∪ P 0 ∪ PAR , TA , FA , MA0 )

which can be obtained by the following three steps. Fig. 2. Petri-net model (N, M0 ) of an flexible manufacturing cell.
Figure 2.16: Petri net model of a flexible manufacturing system
Step 1) Delete the resource place r and its related arcs from
we can consider its input and output operation places as one
N , and let PAR = PR \ {r}. operation place because they use the same resource type. This
•
Step 2) For each transition t ∈ PAR ∩ • r, for example,
way, (N (r), MA0 ) can be considered as a marked S3 PR, in
r1 ∈ PAR such that (r1 , t) ∈ F and (t, r) ∈ F ,
which the concept of MPRT-circuits can be used. Thus, the
delete (r1 , t) from S3 PR. Let ps =(p) t. If |p•s | = conclusions in (N, M0 ) hold in (N (r), MA0 ). To be pointed out
1, then ∀ts ∈ • ps , add (r1 , ts ) if (ts , r1 ) ∈ / F and
later, the reduction procedure can be repeated for any number
delete (ts , r1 ) if (ts , r1 ) ∈ F . If |p•s | = k > 1, let of times, and the reduced model will remain as S3 PR. Thus, if
p•s = {t1 , t2 , . . . , tk } and (r) ti = ri , i = 1, 2, . . . , k, R(θ1 ) ∩ R(θ2 ) has multiple resources, we can reduce them one
and then, replace ps with k operation places
by one to an S3 PR without ξ-resources.
and, ∀ts ∈ • ps , with k transitions, i.e., delete Example 2: The flexible manufacturing cell considered in
ps and its related arcs and add k operation [4] has four machines m1 −m4 . Each machine can hold two
places, denoted as ps1 , ps2 , . . . , psk . Let ts ∈ • ps
parts at the same time. Moreover, the cell contains three ro-
and ps0 =(p) ts . Delete ts and its related arcs, bots r1 , r2 , and r3 , and each of them can hold one part.
add k transitions, denoted as ts1 , ts2 , . . . , tsk , (in Its Petri-net model (N, M0 ) is shown as in Fig. 2. The
which case, we will say that ts is separable
set of resource places is R = {m1 , m2 , m3 , m4 , r1 , r2 , r3 } =
and is separated into ts1 , ts2 , . . ., and tsk ) and (p20 , p21 , p22 , p23 , p24 , p25 , p26 ). The capacities of resources
add arcs (p , t ), (t , p ), (p , t ), (r , t ), and
2.10. ANALYSIS PROBLEMS 37

and Systems Modeling, 2014), shows a Petri net model of the life-cycle of a re-
quest for compensation. A transition may carry a label referring to some activity.
Transitions without a label are “silent”.

Figure 2.17: Petri net model of a business process

2.10 Analysis problems

We introduce a number of properties which capture, in an abstract way, the types of
properties we are interested about when analyzing one of the models of the chapter.
We assume that nets have at least one place and one transition.

Definition 2.10.1 (System properties)

Let (N, M0 ) be a Petri net.
(N, M0 ) is deadlock free if every reachable marking enables at least one tran-
sition (that is, no reachable marking is dead).
(N, M0 ) is live if for every reachable marking M and every transition t there
is a marking M 0 ∈ [M i that enables t. (Intuitively: every transition can always fire
again).
(N, M0 ) is bounded, if for every place s there is a number b ≥ 0 such that
M (s) ≤ b for every reachable marking M . M0 is a bounded marking of N if
(N, M0 ) is bounded. The bound of a place s of a bounded Petri net (N, M0 ) is the
number
max{M (s) | M ∈ [M0 i}
(N, M0 ) is b-bounded if every place has bound b.
38 CHAPTER 2. MODELLING WITH PETRI NETS

In these notes we study the following problems:

• Deadlock freedom: is a given Petri net (N, M0 ) deadlock-free?

• Liveness: is a given Petri net (N, M0 ) live?

• Boundedness: is a given Petri net (N, M0 ) bounded?

• b-boundedness: given b ∈ N and a Petri net (N, M0 ), is (N, M0 ) b-bounded?

• Reachability: given a Petri net (N, M0 ) and a marking M of N , is M

reachable?

• Coverability: given a Petri net (N, M0 ) and a marking M of N , is there a

reachable marking M 0 ≥ M ?

There are some simple connections between these problems:

Proposition 2.10.2
(1) Liveness implies deadlock freedom.

(2) If (N, M0 ) is bounded then there is a number b such that (N, M0 ) is b-

bounded.

(3) If (N, M0 ) is bounded, then it has finitely many reachable markings.

Proof. (1) follows immediately from the definitions. (2) and (3) follow from the
definitions and from the fact that a Petri net has finitely many places. 

Sometimes we also use the following notion

Definition 2.10.3 (Well-formed nets)

A net N is well formed if there is a marking M0 such that the Petri net (N, M0 ) is
live and bounded.

and consider the following problem

• Well-formedness: is a given net well formed?

 Part II

Analysis Techniques for Petri

Nets

39
 41

Chapter 3 shows (sometimes without proofs) that Deadlock-freedom, Live-

ness, Boundedness, b-Boundedness, Coverability, and Reachability are all de-
cidable. The decision procedures for these problems have high complexity, but, at
the same time, results of complexity theory show that no efficient algorithms exist
for them.
Since faster runtimes are often required in many practical applications, we of-
ten use algorithms that can be applied to arbitrary Petri nets, but sometimes answer
‘’ don’t know”, or do not terminate. We call them semi-decision procedures. We
also use faster decision procedures for special Petri net classes.
Chapter 4 is devoted to semi-decision procedures. Chapter 5 presents efficient
decision algorithms for three classes: S-nets, T -nets, and Free-Choice nets
42
Chapter 3

Decision procedures

3.1 Decision procedures for 1-bounded Petri nets

In many practical cases Petri nets are bounded by construction. A bounded Petri
net has finitely many reachable markings, and so the reachability graph can be
computed and stored, at least in principle. If the reachability graph is available,
then it is easy to give algorithms for b-Boundedness, Reachability, and Deadlock-
freedom running in linear time in the size of the reachability graph. We show now
that this is also the case for Liveness:
Let G = (V, E) be the reachability graph of a Petri net(N, M0 ). We define the
∗ ∗ ∗ ∗
relation ←→⊆ V ×V as follows: M ←→ M 0 gdw. M −→ M 0 and M 0 −→ M.
∗
The relation ←→ is clearly an equivalence relation on V . Each equivalence
∗
class V 0 ⊆ V of ←→ yields together with E 0 = E ∩ (V 0 × V ) a strongly connected
component (SCC) (V 0 , E 0 ) of G.
Strongly connected components are partially ordered by the relation < defined
as follows: (V 0 , E 0 ) < (V 00 , E 00 ) if V 0 6= V 00 and ∀M 0 ∈ V 0 , M 00 ∈ V 00 : M 00 ∈
[M 0 i. The bottom SCCs of the reachability graph are the maximal SCCs with
respect to <.

Proposition 3.1.1 Let (N, M0 ) be a bounded Petri net. (N, M0 ) is live iff for
every bottom SCC of the reachability graph of (N, M0 ) and for every transition t,
some marking of the SCC enables t.

Proof. (⇒) Assume (N, M0 ) is live. Let M be a marking of a bottom SCC of the
reachability graph of (N, M0 ), and let t be a transition of N . By the definition of
liveness, some marking reachable from M enables t. By the definition of bottom
SCC, this marking belongs to the same bottom SCC as M .

43
44 CHAPTER 3. DECISION PROCEDURES

(⇐) Assume that for every bottom SCC of the reachability graph of (N, M0 ) and
for every transition t, some marking of the SCC enables t. We show that (N, M0 )
is live. Let M be an arbitrary marking reachable from M0 , and let t be a transition.
By the definition of a bottom SCC, there is a bottom SCC such that every marking
of it is reachable from M . Since some marking of the SCC enables t, we are done.


The condition of Proposition 3.1.1 can be checked in linear time using Tarjan’s
algorithm, which computes all the SCCs of a directed graph in linear time. The
algorithm can be easily adapted to compute the bottom SCCs.

3.1.1 Complexity for 1-bounded Petri nets

A 1-bounded Petri net with n places may have up to 2n reachable markings. There-
fore, all algorithms based on the construction of the reachability graph have ex-
ponential worst-case runtime for 1-bounded Petri nets. Using Savitch’s theorem
it is also easy to show that they are in PSPACE. For example, the following
polynomial-memory nondeterministic program solves Reachability. Let Mg be
the goal marking, that is, the marking whose reachability should be checked. The
program stores a marking M ; initially M = M0 . (Since the net is 1-bounded, if
the net has n places then a marking can be stored using n bits, and so the program
only needs linear space in the size of the net.) While M 6= Mg , the program non-
deterministically chooses a transition t enabled at M , computes the marking M 0
t
such that M −→ M 0 , and sets M := M 0 .
If the marking is not reachable, this program does not terminate. If we want
the program to always terminate, then we can add to it a n-bit counter that counts
the number of steps. Since the Petri net has at most 2n reachable markings, if M
is reachable then it is reachable in at most 2n − 1 steps. If the counter reaches the
value 2n − 1 without reaching the marking M , the program stops.
We now show that the problems are PSPACE-complete. We do so by means of
a universal lower bound for the complexity of deciding whether a 1-bounded Petri
net satisfies an interesting behavioral property:

Rule of thumb 1:
All interesting questions about the behaviour of 1-bounded Petri
nets are PSPACE-hard.

Notice that a rule of thumb is not a theorem. There are behavioral properties
of 1-bounded Petri nets that can be solved in polynomial time. For instance, the
3.1. DECISION PROCEDURES FOR 1-BOUNDED PETRI NETS 45

question “Is the initial marking a deadlock?” can be answered very efficiently;
however, it is so trivial that hardly anybody would consider it really interesting.
So a more careful formulation of the rule of thumb would be that all questions
described in the literature as interesting are at least PSPACE-hard. Here are 14
examples:

• Is the Petri net live?

• Is some reachable marking a deadlock?

• Is a given marking reachable from the initial marking?

• Is there a reachable marking that puts a token in a given place?

• Is there a reachable marking that does not put a token in a given place?

• Is there a reachable marking that enables a given transition?

• Is there a reachable marking that enables more than one transition?

• Is the initial marking reachable from every reachable marking?

• Is there an infinite run?

• Is there exactly one run?

• Is there a run containing a given transition?

• Is there a run that does not contain a given transition?

• Is there a run containing a given transition infinitely often?

• Is there a run which enables a transition infinitely often but contains it only
finitely often?

We need some preliminaries.

Turing machines. We use single tape Turing machines with one-way infinite
tapes, i.e., the tape has a first but not a last cell. For our purposes it suffices to con-
sider Turing machines starting on empty tape, i.e., initially the tape containing only
blank symbols. So we define a Turing machine as a tuple M = (Q, Γ, δ, q0 , F ),
where Q is the set of states, Γ the set of tape symbols (containing a special blank
symbol), δ : (Q × Γ) → Q × Γ × {R, L}) the transition function, q0 the initial
state, and F the set of final states. The size of a Turing machine is the number of
bits needed to encode its transition relation.
46 CHAPTER 3. DECISION PROCEDURES

Linearly and exponentially bounded automata. We work with Turing ma-

chines that can only use a finite tape fragment, or equivalently, with Turing ma-
chines whose tape has both a first and a last cell. We call them bounded automata.
We assume that the first and last cells are marked with two special symbols, say $
and #, and that the transition function guarantees that the head never moves to the
left of the first cell or to the right of the last cell.
A function f : N → N induces the class of f (n)-bounded automata, which
contains for all k ≥ 0 the bounded automata of size k that can use f (k) tape cells
(including the first and last cells). 1 When f (n) = n we get the class of linearly
bounded automata.
The PSPACE-hardness of all these problems is a consequence of one single
fundamental fact.

A linearly bounded automaton of size n can be simulated by a 1-

bounded Petri net of size O(n2 ). Moreover, there is a polynomial
time procedure which constructs this Petri net.

The notion of simulation used here is very strong: a 1-bounded Petri net sim-
ulates a Turing machine if there is bijection f between the configurations of the
machine and the markings of the net such that the machine can move from a con-
figuration c1 to a configuration c2 in one step if and only if the Petri net can move
from the marking f (c1 ) to the marking f (c2 ) through the firing of exactly one
transition.
Let A = (Q, Γ, Σ, δ, q0 , F ) be a linearly bounded automaton of size n. The
computations of M visit at most the cells c1 , . . . , cn . Let C be this set of cells. The
simulating Petri net N (A) contains a place s(q) for each state q ∈ Q, a place s(c)
for each cell c ∈ C, and a place s(a, c) for each symbol a ∈ Γ and for each cell
c ∈ C. A token on s(q) signals that the machine is in state q. A token on s(c)
signals that the machine reads the cell c. A token on s(a, c) signals that the cell c
contains the symbol a. The total number of places is |Q| + n · (1 + |Σ|).
The transitions of N (A) are determined by the state transition relation of A. If
(q 0 , a0 , R) ∈ δ(q, a), then we have for each cell c a transition t(q, a, c) whose input
places are s(q), s(c), and s(a, c) and whose output places are s(q 0 ), s(a0 , c) and
s(c0 ), where c0 is the cell to the right of c. If (q 0 , a0 , L) ∈ δ(q, a) then we add a
similar set of transitions. The total number of transitions is at most 2 · |Q|2 · |Γ|2 · n,
and so O(n2 ), because the size of A is O(|Q|2 · |Γ|2 ).
1
Notice that we deviate from the standard definition, which says that an automaton is f (n)-
bounded if it can use at most f (k) tape cells for an input word of length k. Since we only consider
bounded automata working on empty tape, the standard definition is not appropriate for us.
3.1. DECISION PROCEDURES FOR 1-BOUNDED PETRI NETS 47

The initial marking of N (A) puts one token on s(q0 ), on s(c1 ), and on the
place s(B, ci ) for 1 ≤ i ≤ n, where B denotes the blank symbol. The total size of
the Petri net is O(n2 ).
It follows immediately from this definition that each move of A corresponds to
the firing of one transition. The configurations reached by A along a computation
correspond to the markings reached along its corresponding run. These markings
put one token in exactly one of the places {s(q) | q ∈ Q}, in exactly one of the
places {s(c) | c ∈ C}, and in exactly one of the places {s(a, c) | a ∈ Σ} for each
cell c ∈ C. So N (A) is 1-bounded.
In order to answer a question about a linearly bounded automaton A we can
construct the net N (A), which is only polynomially larger than A, and solve the
corresponding question about the runs of A. For instance, the question “does any
of the computations of A terminate?” corresponds to “has the Petri net N (A) a
deadlock?”
It turns out that most questions about the computations of linearly bounded
automata are PSPACE-hard. To begin with, the (empty tape) acceptance problem
is PSPACE-complete:

Given: a linearly bounded automaton A.

To decide: if A accepts the empty input.

Moreover, the PSPACE-hardness of this problem is very robust: it remains

PSPACE-complete if we restrict it to

• bounded automata having one single accepting state,

• bounded automata having one single accepting configuration.

Many other problems can be easily reduced to the acceptance problem in poly-
nomial time, and so are PSPACE-hard too. Examples are:

• does A halt?,

• does A visit a given state?,

• does A visit a given configuration?

• does A visit a given configuration infinitely often?

We obtain in this way a large variety of PSPACE-hard problems. Since N (A)

is only polynomially larger than A, all the corresponding Petri net problems are
PSPACE-hard as well. For instance, a reduction from the problem “does A ever
48 CHAPTER 3. DECISION PROCEDURES

visit a given configuration?” proves PSPACE-hardness of the reachability prob-

lem for 1-bounded Petri nets. Furthermore, once we have some PSPACE-hard
problems for 1-bounded Petri nets we can use them to obtain new ones by reduc-
tion. For instance, the following problems can be easily reduced to the problem of
deciding if there is a reachable marking that puts a token on a given place:
• is there a reachable marking that concurrently enables two given transitions
t1 and t2 ?
• can a given transition t ever occur?
• is there a run containing a given transition t infinitely often?
13 out of the 14 problems at the beginning of the section (and many others) can
be easily proved PSPACE-hard using these techniques. Only the liveness problem,
the first in our list, is a bit more complicated.

3.2 Decision procedures for general Petri nets

We study the decidability and complexity of Boundedness, Coverability, Reach-
ability, Deadlock-freedom and Liveness for general Petri nets, not necessarily
bounded. The algorithms of the bounded case no longer work, because the con-
struction of the reachability graph may not terminate.

3.2.1 A decision procedure for Boundedness

The b-Boundednesss problem is clearly decidable: if the input Petri net (N, M0 )
has n places, then the number of b-bounded markings of N is nb+1 . So we can
decide b-Boundedness by constructing the reachability graph of (N, M0 ) until
either the construction terminates, or we find a reachable marking that is not b-
bounded.
The same idea gives a semi-decision procedure for Boundedness: again, we
construct the reachability graph. If the input (N, M0 ) is bounded, then there are
finitely many reachable markings, the construction terminates, and we can return
“bounded”. However, if the net is unbounded then this procedure does not termi-
nate.
We now give a decision procedure for Boundedness. We need two lemmas.
The first one is a simple adaptation of König’s Lemma; the second is known as
Dickson’s Lemma.
Lemma 3.2.1 (Königs lemma) Let G = (V, E) be the reachability graph of a
Petri net (N, M0 ). If V is infinite, then G contains an infinite simple path.
3.2. DECISION PROCEDURES FOR GENERAL PETRI NETS 49

Proof. Assume V = [M0 i is infinite. For every reachable marking M there is a

simple path πM from M0 to M . Since M0 has finitely many immediate succes-
sors (at most one for each transition of N ), and each simple path πM visits one of
them, at least one immediate successor M1 of M0 has infinitely many successors
in (V \ {M0 }, E), that is, [M1 i \ {M0 } is infinite. Iterating this argument we con-
struct an infinite simple path M0 M1 M2 · · · . 

Lemma 3.2.2 (Dickson’s lemma) For every infinite sequence A1 A2 A3 . . . of vec-

tors of Nk there is an infinite sequence i1 < i2 < i3 . . . of indexes such that
Ai1 ≤ Ai2 ≤ Ai3 . . ..

Proof. By induction on k
Basis: k = 1. Then the elements of A are just numbers. The set {A1 , A2 , · · · }
has a minimum, say c1 . Choose i1 as some index (say, the smallest), such that
Ai1 = c1 . Consider now the set {Ai1 +1 , Ai1 +2 , · · · }. The set has a minimum c2 ,
which by definition satisfies c1 ≤ c2 . Choose i2 as the the smallest index i2 > i1
such that Ai2 = c2 , etc.
Step: k > 1. Given a vector Ai , let A0i be the vector of dimension k − 1 consisting
of the first k − 1 components of Ai , and let ai be the last component of Ai . We
write Ai = (A0i | ai ).
Since the vectors of A01 A02 A03 · · · have dimension k − 1, by induction hypothesis
there is an infinite subsequence A0i1 ≤ A0i2 ≤ A0i3 · · · . Consider now the sequence
ai1 ai2 ai3 · · · . By induction hypothesis there is a subsequence aj1 ≤ aj2 ≤ aj3 · · · .
But then we have Aj1 ≤ Aj2 ≤ Aj3 · · · , and we are done. 

Remark: Lemma 3.2.2 shows that the partial order ≤⊆ Nk × Nk is a well-quasi-

order. Given a set A, and a partial order ⊆ A × A, we say that  is a well-
quasi-order if every infinite sequence a1 a2 a3 · · · ∈ Aω contains an infinite chain
ai1  ai2  · · · . In the next section we examine well-quasi-orders in more detail.
We use König’s Lemma and Dickson’s lemma to provide the following char-
acterization of unboundedness.

Theorem 3.2.3 (N, M0 ) is unbounded iff there are markings M and L such that
∗ ∗
L 6= 0 and M0 −→ M −→ (M + L)

Proof. (⇐) : Assume there are such markings M, L. By the Monotonicity Lemma
we have
∗ ∗ ∗
M1 −→ (M1 + L) −→ (M1 + 2 · L) −→ . . .
50 CHAPTER 3. DECISION PROCEDURES

Since L 6= 0, the set [M0 i of reachable markings is infinite and (N, M0 ) is un-
bounded.
(⇒) Assume (N, M0 ) is unbounded. Then the set [M0 i of reachable markings is
t1 t1
infinite. By Königs lemma there is an infinite firing sequence M0 −→ M1 −→
M2 . . . such that the markings M0 , M1 , M2 , . . . are pairwise distinct. By Dickson’s
∗ ∗
Lemma there are indexes i < j such that M0 −→ Mi −→ Mj and Mi ≤ Mj .
Choose M := Mi and L := Mj − Mi . Since Mi and Mj are distinct, we have
L 6= 0. 

Theorem 3.2.4 Boundedness is decidable.

Proof. We give an algorithm that always terminates and always returns the cor-
rect answer: “ bounded” or “unbounded”. The algorithm explores the reachability
graph of the input Petri net (N, M0 ) using breadth-first search. After adding a
new marking M 0 , the algorithm checks if the part of the graph already constructed
∗ ∗
contains a sequence M0 −→ M −→ M 0 such that M ≤ M 0 (and M 6= M 0 ,
because M 0 is new). The algorithm terminates if it finds such a sequence, in which
case it returns “unbounded”, or if it cannot add any new marking, in which case it
returns “bounded”.
If (N, M0 ) is bounded, then by Theorem 3.2.3 the algorithm never finds a new
marking M 0 satisfying the condition above. So, since the Petri net has only finitely
many reachable markings, the algorithm terminates because it cannot find any new
marking, and correctly returns “bounded”.
If (N, M0 ) is unbounded, then there are infinitely many reachable markings,
and the algorithm cannot terminate because it runs out of reachable markings. On
the other hand, by Theorem 3.2.3 the algorithm eventually finds markings M 0 and
M as above, and so it correctly answers “unbounded”. 

3.2.2 Decision procedures for Coverability

The reachability graph of a Petri net can be infinite, in which case the algorithm
for computing the reachability graph will not terminate. Therefore, the algorithm
cannot decide that a given marking is not coverable. In this section we introduce
several decision procedures that overcome this problem.

Coverability graphs
We show how to construct a coverability graph of a Petri net (N, M0 ). the cov-
erability graph is always finite, and satisfies the following property: a marking M
3.2. DECISION PROCEDURES FOR GENERAL PETRI NETS 51

of (N, M0 ) is coverable iff some node M 0 of the coverability graph of (N, M0 )

covers M , i.e., satisfies M 0 ≥ M .
We introduce a new symbol ω. Intuitively, it stands for an arbitrarily large
number. We extend the arithmetic on natural numbers with ω as follows. For all
n ∈ N:
n + ω = ω + n = ω,
ω + ω = ω,
ω − n = ω,
0·ω =0
n ≥ 1 ⇒ n · ω = ω · n = ω,
n ≤ ω and ω ≤ ω.
Observe that ω − ω remains undefined, but we will not need it.
We extend the notion of markings to ω-markings. An ω-marking of a net N =
(S, T, F ) is a mapping M : S → N ∪ {ω}. Intuitively, in an ω-marking, each place
s has either a certain number of tokens or “arbitrarily many” tokens.
The enabling condition and the firing rule neatly extend to ω-markings with
the extended arithmetic rules: recall that a transition t is enabled at a marking M
if M (s) > 0 for every s ∈ • t. Now M (s) > 0 may hold because M (s) = ω.
Further, recall that if t is enabled, then it can fire, leading from M to the marking
M 0 given by:
 M (s) − 1 if s ∈ • t \ t•

0
M (s) = M (s) + 1 if s ∈ t• \ • t
M (s) otherwise


If s ∈ • t ∪ t• and M (s) = ω, then we have M 0 (s) = ω. That is, if a place contains

ω tokens, then firing a transition will not change its number of tokens, even if the
transition is connected with an arc to the place.
Assume M 0 ∈ [M i and M ≤ M 0 . Then there is some sequence of transi-
t1 t2 ...tn
tions t1 t2 . . . tn such that M −− −−−→ M 0 . By the Monotonicity Lemma, there is
t t ...t
a marking M 00 with M 0 −− 1 2
−−−→ n
M 00 . Further, if we denote ∆M := M 0 − M ,
00 0
then M = M + ∆M = M + 2∆M (see Figure 3.1). By firing the transition
sequence t1 t2 . . . tn repeatedly we can “pump” an arbitrary number of tokens to all
the places s for which ∆M (s) > 0.
The main idea for the construction of the coverability graph is to replace the
marking M 0 by the ω-marking M 0 + ω · ∆M . The algorithm is shown in Figure
3.2. The following notations are used in the AddOmegas subroutine:
• M 00 →
− E M iff (M 00 , t, M ) ∈ E for some t ∈ T .
∗
• M 00 −→E M iff ∃n ≥ 0 : ∃M0 , M1 , . . . , Mn : M 00 = M0 →E M1 →E
M2 →E · · · →E Mn = M .
52 CHAPTER 3. DECISION PROCEDURES

M
t1 t2 ... tn
M’
t1 t2 ... tn
M’’ ...

=
∆Μ ∆Μ
Μ+∆Μ Μ+2∆Μ ...

Figure 3.1: Pumping tokens.

Observe that C OVERABILITY-G RAPH is very similar to R EACHABILITY-G RAPH,

it just adds a call to subroutine AddOmegas(M, t, M 0 , V, E). Line 3 causes all
places whose marking in M 0 is strictly larger than in the “parent” M 00 to contain
ω, while markings of other places remain unchanged.
We show that C OVERABILITY-G RAPH terminates, and that a marking M of
(N, M0 ) is coverable iff some node M 0 of the coverabilitygraph of (N, M0 ) covers
M , i.e., satisfies M 0 ≥ M

Theorem 3.2.5 C OVERABILITY-G RAPH terminates.

Proof. Assume that C OVERABILITY-G RAPH does not terminate. We derive a

contradiction. If C OVERABILITY-G RAPH does not terminate, then it constructs an
infinite graph. Since every node of the graph has at most |T | successors, by König’s
lemma the graph contains an infinite path Π = M1 M2 . . .. If an ω-marking Mi of
Π satisfies Mi (p) = ω for some place p, then Mi+1 (p) = Mi+2 (p) = . . . = ω.
So Π contains a marking Mj such that all markings Mj+1 , Mj+2 , . . . have ω’s at
exactly the same places as Mj . Let Π0 be the suffix of Π starting at Mj . Consider
the projection Π00 = mj mj+1 . . . of Π0 onto the non-ω places. Let n be the number
of non-ω places. Π00 is an infinite sequence of distinct n-tuples of natural numbers.
By Dickson’s lemma, this sequence contains markings Mk , Ml such that k < l
and Mk ≤ Ml . This is a contradiction, because, since Mk 6= Ml , when executing
AddOmegas(Ml−1 , t, Ml , V, E) the algorithm adds at least one ω to Ml−1 . 

For the rest of the proof we start with a lemma. It states that if C OVERABILITY-
G RAPH adds an ω-marking M 0 , say M 0 = (ω, 2, 0, ω, 3, ω), then for every k, say
15, there is a reachable marking where the ω-components have at least the value 15;
for example, for 15 the marking could be (17, 2, 0, 234, 3, 15). In other words, if
the algorithm adds an ω-marking (ω, 2, 0, ω, 3, ω), it is possible to reach arbitrarily
large values for all ω-components simultaneously.

Definition 3.2.6 Given an ω-marking M , we say that s is an ω-place of M if

M (s) = ω, and a normal place of M if M (s) ∈ N.
3.2. DECISION PROCEDURES FOR GENERAL PETRI NETS 53

C OVERABILITY-G RAPH((P, T, F, M0 ))
1 (V, E, v0 ) := ({M0 }, ∅, M0 );
2 Work : set := {M0 };
3 while Work 6= ∅
4 do select M from Work ;
5 Work := Work \ {M };
6 for t ∈ enabled(M )
7 do M 0 := fire(M, t);
8 M 0 := AddOmegas(M, t, M 0 , V, E);
9 if M 0 ∈/V
10 then V := V ∪ {M 0 }
11 Work := Work ∪ {M 0 };
12 E := E ∪ {(M, t, M 0 )};
13 return (V, E, v0 );

A DD O MEGAS(M, t, M 0 , V, E)
1 for M 00 ∈ V
∗
2 do if M 00 < M 0 and M 00 −→E M
3 then M 0 := M 0 + ((M 0 − M 00 ) · ω);
4 return M 0 ;

Figure 3.2: Algorithm for the construction of the coverability graph

54 CHAPTER 3. DECISION PROCEDURES

Lemma 3.2.7 For every ω-marking M 0 added by C OVERABILITY-G RAPH to V

and for every k > 0, there there is a reachable marking Mk0 satisfying Mk0 (s) =
M 0 (s) for every normal place s of M 0 , and Mk0 (s) > k for every ω-place of M 0 .

Proof. Consider an arbitrary point during execution of C OVERABILITY-G RAPH.

We prove that if all ω-markings added to V until this point satisfy the lemma, then
the next ω-marking that is added to V also does.
Assume the algorithm is currently exploring marking M and transition t, and
t
let M be the ω-marking such that M −→ M . By induction hypothesis, for every
k > 0 there is a reachable marking Mk satisfying Mk (s) = M (s) for every place
normal place s of M , and Mk (s) > k for every ω-place s of M .
Assume AddOmegas does not add any new ω to M , and M ∈ / V . Then
C OVERABILITY-G RAPH adds M to V , and we can take M k as the marking given
t
by Mk+1 −→ M k : Indeed, since Mk+1 (s) > k + 1 for every ω-place of M , and t
removes at most one token from s, we have M k (s) > k.
Assume now that AddOmegas finds a unique ω-marking M 00 satsifying the
∗ t
condition M 00 −→E M −→ M and M 00 ≤ M . Assume further that M 00 (s0 ) <
M (s0 ) holds for a unique place s0 (the case where there is more than one such
M 00 and more than one such s0 is similar). Then C OVERABILITY-G RAPH adds to
V the marking M 0 = M + (M − M 00 ) · ω, which has exacly one more ω-place
than M 00 , namely the place s0 . We prove that for every k > 0 it is possible to reach
a marking Mk0 satisfying Mk0 (s) = M 0 (s) for every normal place s of M 0 , and
Mk0 (s) > k for every ω-place of M 0 .
Fix an arbitrary k. Our goal is to construct the marking Mk0 .
σ t
Let σ be a firing sequence such that M 00 −→ M −→ M . By induction hypothe-
sis, for every ` > 0 there is a reachable marking M`00 satisfying M`00 (s) = M 00 (s)
for every normal place s of M 00 , and M`00 (s) > ` for every ω-place s of M 00 .
Observe that the sequence σt may not be firable from M`00 : Indeed, consider an
ω-place s of M 00 . The sequence σt may remove tokens from s, but if the sequence
is fired from M 00 then we do not “notice” because M 00 (s) = ω. If ` is not large
enough, then M`00 (s) may not have enough tokens to fire σt. However, M`00 enables
σt for every sufficiently large value of `. 2 Even more: since M 00 (s) ≤ M (s) for
every normal place s of M 00 , by choosing a sufficiently large ` we can execute σt
from M`00 not only once, but as many times as we want. Moreover, since M 00 (s0 ) <
M (s0 ), by executing σt a sufficiently large number of times we can put arbitrarily
many tokens in the place s0 .
2
For instance, take ` = |σt|, since σ t can remove at most |σt| tokens from a place.
3.2. DECISION PROCEDURES FOR GENERAL PETRI NETS 55

We can now finally define the marking Mk0 . Choose a number ` large enough
to guarantee that

(1) M`00 enables (σt)k+1 , and

(σt)k+1
(2) the marking M ` given by M`00 −−−−−→ M ` satisfies M ` (s) > k for every
ω-place of M 00 .

Since the execution of σt adds at least one token to s0 , after the execution of
(σt)k+1 the place s0 has at least k + 1 tokens, and so M ` (s) > k. Since M `
also satisfies (2), we can take Mk0 := M ` . 

Theorem 3.2.8 Let (N, M0 ) be a Petri net and let M be a marking of N . There
is a reachable marking M 0 ≥ M iff the coverability graph of (N, M0 ) contains an
ω-marking M 00 ≥ M .

Proof. (⇒): Assume there is a reachable marking M 0 ≥ M . Then some firing

sequence
t1 t2 tn
M0 −−→ M1 −−→ M2 · · · Mn−1 −−→ M0
of (N, M0 ) leads from M0 to M 0 . By the definition of the algorithm, the cover-
ability graph contains a path
t t t
1
M0 −−→ M10 −−→
2
M20 · · · Mn−1 −−→
n
Mn0

such that Mi0 ≥ Mi for every 1 ≤ i ≤ n. Take M 00 = Mn0 .

(⇐): Assume the coverability graph of (N, M0 ) contains an ω-marking M 00 ≥
M . By Lemma 3.2.7, there is a reachable marking Mk00 satisfying Mk00 (s) = M 00 (s)
for every normal place s of M 00 , and Mk00 (s) > k for every ω-place s of M 00 . Take k
larger than any of the components of M , and set M 0 := Mk00 . We have M 0 ≥ M . 

Rackoff’s algorithm
The coverability graph allows us to answer coverability of any marking. However,
Coverability asks whether a particular marking M can be covered. The question is
whether we can give a bound on the size of the fragment of the coverability graph
we need to construct to find an ω-marking covering M .
We consider Petri nets in which places may have a negative number of tokens.
Transitions can occur independently of the number of tokens in their input places.
56 CHAPTER 3. DECISION PROCEDURES

Definition 3.2.9 (Integer nets) Let N = (S, T, F ) be a net. A generalized mark-

ing of N (g-marking for short) is a mapping G : S → Z. An integer net is a pair
(N, G0 ) where N is a net and G0 is a g-marking. The firing rule of integer nets is
defined as follows: A g-marking G enables all transitions, and the occurrence of t
at G leads to the marking G0 given by

 G(s) − 1 if s ∈ • t \ t•

0
G (s) = G(s) + 1 if s ∈ t• \ • t
G(s) otherwise


t
We denote by G ,→ G0 that firing t at G leads to the g-marking G0 . An integer
t1 t2 tn
firing sequence of an integer net is a sequence G0 ,→ G1 ,→ · · · ,→ Gm .

Every marking is also a g-marking, ever Petri net is also an integer net, and
every firing sequence is also an integer firing sequence, but the converse does not
hold.
In the rest of the section we fix a net N with places {s1 , . . . , sk }, and identify
g-markings with vectors of Zk .

Definition 3.2.10 Let G ∈ Zk be a g-marking of N and let 0 ≤ i ≤ k.

• G is i-natural if its first i-components are natural numbers, i.e., if 0 ≤ G(j)

for every 1 ≤ j ≤ i.

• G is (i, r)-natural if 0 ≤ G(j) < r for every 1 ≤ j ≤ i.3

t1 tm
Let σ = G0 ,→ · · · ,→ Gm be an integer firing sequence, and let G ∈ Zk .

• σ is i-natural if all of G0 , G1 , . . . , Gm are i-natural g-markings.

• σ is (i, r)-natural if all of G0 , G1 , . . . , Gm are (i, r)-natural g-markings.

• σ is (i, G)-covering if Gm (j) ≥ G(j) for every 1 ≤ j ≤ i. 4

Intuitively, G is i-natural if its restriction to the first i places is a “normal”

marking, and σ is i-natural if its restriction to the first i places is a “normal” firing
sequence. In particular, since N has k places, the k-natural sequences ane the
“normal” firing sequences coincide. So deciding if M is coverable in (N, M0 ) is
equivalent to deciding if (N, M0 ) has a (k, M )-covering sequence.
We prove the following result:
3
Observe that we require G(j) < r, not G(j) ≤ r.
4
But possibly Gm (j) < G(j) for components j > i.
3.2. DECISION PROCEDURES FOR GENERAL PETRI NETS 57

k
Pk 3.2.11 [Rackoff 1978] Let M ∈ N kbe a marking of N , and let n =
Theorem
1 + i=1 M (i). For every marking M0 ∈ N of N , if (N, M0 ) has a (k, M )-
O(k log k)
covering sequence, then it has one of length at most (2n)(k+1)! ∈ n2 .

Before proving the theorem, we make two observations:

• The bound (2n)(k+1)! depends on the number of tokens of M and on k, the

number of places of N . However, it does not depend on the number of tokens
of M0 .

• The bound is polynomial on n (for Petri nets with a fixed number k of places,
the bound is of the form O(nc ) for some constant c), but double exponential
on k (for markings with a fixed number n of tokens, the bound is of the form
ck log k
22 for some constant c).

The proof of the theorem is based on the following Lemma:

Lemma 3.2.12 Let G ∈ Zk be a g-marking of N , and let n = 1 + ki=1 |G(i)|.

P
For every G0 ∈ Zk and for every 0 ≤ i ≤ k, if (N, G0 ) has an (i, G)-covering
sequence, then it has one of length at most f (i), where f is inductively defined as
follows:

• f (0) = 1, and

• f (i) = (nf (i − 1))i + f (i − 1) for every i ≥ 1.

Proof The proof is by induction on i.

Base: i = 0. Follows vacuously from the fact that G0 is a (0, G)-covering sequence
(the condition G0 (j) ≥ G(j) for every 1 ≤ j ≤ i holds vacuously when i = 0).
Step: i > 0. Assume (N, G0 ) an (i, G)-covering sequence. We consider two
cases:

Case 1: (N, G0 ) has an (i, G)-covering, (i, nf (i − 1))-natural sequence.

Assume the sequence is
t1 tm
σ = G0 ,→ · · · ,→ Gm
and assume further that it has minimal length.
We claim that G0 , G1 , . . . , Gm are pairwise different. Assume the contrary:
there exist α < β such that Gα (j) = Gβ (j) for every 1 ≤ j ≤ i. Then the
sequence
t1 t tβ+1 tβ+2 tm
σ 0 = G0 ,→ · · · −−→
α
Gα ,→ G0β+1 ,→ · · · ,→ G0m
58 CHAPTER 3. DECISION PROCEDURES

is also (i, G)-covering and (i, nf (i − 1))-natural, contradicting the minimality of

σ. This proves the claim.
Since σ is (i, nf (i − 1))-natural, for every g-marking G0 appearing in σ and
for for every 1 ≤ j ≤ i we have 0 ≤ G0 (j) < nf (i − 1). That is, there are
nf (i − 1) possible values for G0 (j). It follows that there are at most (nf (i − 1))i
different possible values for the segment (G0 (1), G0 (2), . . . , G0 (i)) of G0 . By the
claim above, the length of σ is at most (nf (i − 1))i ≤ f (i).

Case 2: (N, G0 ) has no (i, G)-covering, (i, nf (i − 1))-natural sequence.

Then there is an (i, G)-covering sequence that is not (i, nf (i − 1))-natural. Let
this sequence be
t1 t2 tm
σ = G0 ,→ G1 ,→ · · · Gm−1 ,→ Gm
Let Gα+1 be the first vector of σ that is not (i, nf (i − 1))-natural. Without loss of
generality, we can assume Gα+1 (i) ≥ nf (i − 1) (if this would not be the case, we
can just reorder the places of the net). Then the prefix
t1 tα
G0 ,→ · · · ,→ Gα

is (i, Gα )-covering and (i, nf (i − 1))-natural. As in the previous case, we can

assume α ≤ (nf (i − 1))i .
Since
tα+1 tα+2 tm
Gα+1 ,→ Gα+2 ,→ · · · ,→ Gm
is an (i − 1, G)-covering and (i − 1)-natural sequence of (N, Gα+1 ), by induction
hypothesis there exists another (i − 1, G)-covering and (i − 1)-natural sequence
u1 u2 u`
Gα+1 ,→ H1 ,→ · · · ,→ H`

of (N, Gα+1 ) of length at most f (i − 1), that is, ` ≤ f (i − 1). Since Gα+1 (i) ≥
nf (i − 1), and a sequence of length f (i − 1) can remove at most f (i − 1) tokens
from the place si , after the execution of the new sequence the number of tokens in
si is at least (n−1)f (n−1) ≥ n−1. By the definition of n, we have n−1 ≥ G(i).
So the sequence
t1 tα tα+1 u1 u2 u`
σ 0 = G0 ,→ · · · ,→ Gα ,→ ,→ H1 ,→ · · · ,→ H`

is an (i, G)-covering and i-natural sequence of (N, G0 ) of length at most (nf (i −

1))i + f (i − 1) = f (i). 
3.2. DECISION PROCEDURES FOR GENERAL PETRI NETS 59

The function f grows rapidly in k:

f (0) = 1
f (1) = (nf (0))1 + f (0) = n + 1 ∈ O(n)
f (2) = (nf (1))2 + f (1) = (n(n + 1))2 + n + 1 ∈ O(n4 )
f (3) = (nf (2))3 + f (2) ∈ O(n15 )
f (4) = (nf (3))4 + f (3) ∈ O(n64 )
In general, if f (i) ∈ O(nj ), then f (i + 1) ∈ O(n(1+j)(1+i) ).
We now proceed to prove Theorem 3.2.11:

Proof of Theorem 3.2.11. Assume that (N, M0 ) has a (k, M )-covering sequence.
By Lemma 3.2.12, it has one of length at most f (k). So it suffices to prove f (k) ≤
(2n)(k+1)! .
We prove by induction on i that f (i) ≤ (2n)(i+1)! for every i ≥ 0. Recall
that n ≥ 1 holds by the definition of n. Further, it follows immediately from the
definition of f that f (i) ≥ 1 for every i ≥ 0.
Base: i = 0. Since n ≥ 1, we have f (0) = 1 ≤ 2n = (2n)1! .
Step: i > 0. Assume f (i − 1) ≤ (2n)i! . We prove f (i) ≤ (2n)(i+1)! . We have:
f (i) = (nf (i − 1))i + f (i − 1) (definition of f )
≤ (n(2n)i! )i + (2n)i! (ind. hyp.)
≤ (n(2n)i! )i + (n(2n)i! )i (n ≥ 1, i ≥ 1)
= 2(n(2n)i! )i
= 2ii!+1 nii!+i
≤ 2(i+1)! n(i+1)! (n ≥ 1, i ≥ 1)
= (2n)(i+1)!
O(k log k)
Finally, let us prove (2n)(k+1)! ∈ n2 . We first show (k + 1)! ∈ 2O(k log k) .

(k + 1)! ≤ (k + 1)k+1 (definition of factorial)

≤ (2k)k+1 (k ≥ 1)

k+1
= 2(log k+1) = 2(log k+1)(k+1)
∈ 2O(k log k)
Now, since 2n ≤ n2 for every n ≥ 1, we get
(2n)(k+1)! ≤ n2(k+1)!
O(k log k) 1+O(k log k)
∈ n2·2 = n2
O(k log k)
= n2
60 CHAPTER 3. DECISION PROCEDURES

By Theorem 3.2.11, in order to decide coverability of M we can just construct

the reachability graph using breadth-first search up to depth (2n)(k+1)! , where n
is the number of tokens of M plus 1, and k is the number of places in the net.
Clearly, the same holds for the coverability graph, because, loosely speaking, it
just “improves” our chances of covering M .

The backwards-reachability algorithm

The backwards reachability algorithm decides if a marking M is coverable in

(N, M0 ) by considering the set M of all markings that cover M , computing the
set of predecessors of M, i.e., the set of all markings M 0 (reachable or not) such
∗
that M 0 −→ M 00 for some M 00 ∈ M, and checking if M0 belongs to this set. Since
even the set M is infinite, this computation requires to use a finite representation
of infinite set of markings.

Definition 3.2.13 (Upward-closed sets of markings)

A set M of markings of a net N is upward closed if M ∈ M and M 0 ≥ M imply
M 0 ∈ M.
A marking M of an upward closed set M is minimal if there is no M 0 ∈ M
such that M 0 ≤ M and M 0 6= M .

Observe that an upward closed set is completely determined by its minimal

elements: two upwards closed sets are equal iff their sets of minimal elements are
equal.

Lemma 3.2.14 Every upward-closed set of markings has finitely many minimal
elements.

Proof. Assume M is upward closed and has infinitely many minimal markings
M1 , M2 , . . .. By Dickson’s Lemma there are i 6= j such that Mi ≤ Mj . But then
Mj is not minimal. Contradiction. 

An important consequence of the lemma is that every upwards closed set can
be finitely represented by its set of minimal elements.
We define the set pre(M) of predecessors of a set of markings M, and the set
pre ∗ (M) of markings from which one ca reach some marking of M.
3.2. DECISION PROCEDURES FOR GENERAL PETRI NETS 61

Definition 3.2.15 Let M be a set of markings of a net N = (S, T, F ), and let

t ∈ T be a transition. We define
t
pre(M, t) = {M 0 | M 0 −→ M for some M ∈ M}
[∞
pre(M) = pre(M, t)
t∈T

and further

pre 0 (M) = M
pre i+1 (M) = pre pre i (M) for every i ≥ 0


∞
[
∗
pre (M) = pre i (M)
i=0

We have the following fundamental lemma:

Lemma 3.2.16 If M is upward closed, then pre(M) and pre ∗ (M) are also up-
ward closed.

Proof. We first show that pre(M) is upward closed. Let M 0 ∈ pre(M). We have
to prove that M 0 + M 00 ∈ pre(M) holds for every marking M 00 .
t
Since M 0 ∈ pre(M) there is M ∈ M and a transition t such that M 0 −→ M .
t
By the firing rule we have M 0 + M 00 −→ M + M 00 for every marking M 00 . Since
t
M is upward closed, we have M + M 00 ∈ M. Since M 0 + M 00 −→ M + M 00 , we
get M 0 + M 00 ∈ pre(M).
Now we prove that pre ∗ (M) is upward closed. By repeated application of teh
first part of this lemma we obtain that pre j (X) is upward closed for every j ≥ 0.
So pre ∗ (M) is a union of upward-closed sets. But it follows immediately from
the definition of an upward-closed set that the union of upward-closed sets if also
upward closed. 

Combining Lemma 3.2.16 and Lemma 3.2.14 we obtain:

Theorem 3.2.17 Let M be an upward-closed set of markings of a net. Then there

is i ≥ 0 such that
[i
∗
pre (M) = pre j (M)
j=0
62 CHAPTER 3. DECISION PROCEDURES

Proof. By Lemma 3.2.16, pre ∗ (M) is upward closed. By Lemma 3.2.14, the
set m∗ of minimal markings
Si of pre ∗ (M) is finite. therefore, there exists an in-
∗
dex i such that m ⊆ j=0 pre j (M). Since this union is upward closed, we get
pre ∗ (M) ⊆ ij=0 pre j (M). By the definition of pre ∗ (M), we have pre ∗ (M) =
S
Si j
j=0 pre (M). 

BACK 1((P, T, F, M0 , M )) BACK 2((P, T, F, M0 , M ))

1 M := {M 0 | M 0 ≥ M }; 1 m := {M };
2 Old M := ∅; 2 old m := ∅;
3 while true 3 while true
4 do Old M := M; 4 do old m := m; S
5 M := M ∪ pre(M); 5 m := min(m ∪ t∈T pre(R[t] ∧ m));
6 if M0 ∈ M 6 if ∃M 0 ∈ m : M0 ≥ M 0
7 then return covered end 7 then return covered end
8 if M = Old M 8 if m = old m
9 then return not covered end 9 then return not covered end

Figure 3.3: Backwards reachability algorithm.

This theorem leads to the algorithm on the left of of Figure 3.3. Observe that
the termination of the algorithm follows from Dickson’s Lemma, and does not
require knowledge of Petri nets. In particular, the termination argument does not
provide information on the number of iterations of the while loop. However, using
Rackoff’s theorem we can obtain an upper bound.

Theorem 3.2.18 Let M be an upward-closed set of markings of a net with a set

P S. Let {M1 , . . . , Mm } be the set of minimal markings of M, let ni =
of places
1 + s∈S Mi (s) for every 1 ≤ i ≤ m, and let n = max{n1 , . . . , nm }. Then

(2n)(k+1)!
[
∗
pre (M) = pre j (M)
j=0

Proof. Let M ∈ pre ∗ (M). By the definition of pre ∗ (M), there is a mark-
∗
ing M 0 ∈ M such that M −→ M 0 , and so M 0 ≥ Mi for some minimal marking
Mi . By Theorem 3.2.11 and the definition of n, there exists a firing sequence
σ
M −→ M 00 ≥ Mi such that |σ| ≤ (2n)(k+1)! . Since M is upward closed, we have
M 00 ∈ M, and so M ∈ pre j (M) for j = |σ| ≤ (2n)(k+1)! . 
3.2. DECISION PROCEDURES FOR GENERAL PETRI NETS 63

The algorithm on the left of of Figure 3.3 is not yet directly implementable,
because it manipulates infinite sets. For each operation (union and pre) and for
? ?
each test (the tests M = Old M and M0 ∈ M of the while-loop), we have to
supply an implementation that uses only the finite representation of the set, that is,
its set of minimal elements. For the tests this is easy. Given a set M, let min(M)
denote the set of minimal elements of M. We have:
(1) M0 ∈ M iff there exists M 0 ∈ min(M) such that M0 ≥ M 0 .

(2) M = Old M iff min(M) = min(Old M).

Let us now derive implementations for the operations ∪ and pre. Given a
transition t, let R[t] be the marking that puts one token in each output place of t,
and no tokens elsewhere. (This is the minimal marking that reverse-enables t, i.e.,
the minimal marking that allos us to fire t “backwards”). Further, given a set M of
markings let M[t] = {M ∈ M | M ≥ R[t]}. That is, M[t] is the set of markings
of M that enable t “backwards” Observe that if M is upward closed, then so is
M[t]. We have (exercise):


(3) min(M ∪ pre(M)) = min min(M) ∪ [ min(pre(M)



= min min(M) ∪ min pre(M, t)
t∈T



(4) min(pre(M, t) = pre min(M[t]), t .
These equations reduce the problem of computing min(M ∪ pre(M)) to com-
puting min(M[t]). For this we introduce a definition. Given two markings M, M 0 ,
let M ∧ M 0 be the marking defined by (M ∧ M 0 )(s) = max{M (s), M 0 (s)}
for every place s. Further, given a marking M and a set of markings M, define
M ∧ M = {M ∧ M 0 | M 0 ∈ M}.
Then we have (exercise)
(5) If M is upward closed, then min(M[t]) = R[t] ∧ min(M). 5

That is, the minimal markings of M that reverse-enable t are obtained by taking the
minimal markings of M, and computing their join with the marking R[t]. Putting
together (3)-(5) we obtain
(6) If M is upward closed, then
!
[

min(M ∪ pre(M)) = min min(M) ∪ pre R[t] ∧ min(M)
t∈T
5
Since M ∧R[t] ≥ M , if M is upward closed we have M ∧R[t] ∈ M for every M ∈ min(M).
64 CHAPTER 3. DECISION PROCEDURES

Using these observations, we obtain the implementable version of the backwards-

reachability algorithm shown on the right of Figure 3.3.

The abstract backwards-reachability algorithm

The backwards reachability algorithm can be reformulated in more general terms,

which allows to apply it to other models of concurrency more general than Petri
nets. This is an important advantage of the backwards reachability algorithm over
the coverability graph technique.

Definition 3.2.19 Given a set A, and a partial order ⊆ A × A, we say that  is

a well-quasi-order (wqo) if every infinite sequence a1 a2 a3 · · · ∈ Aω contains an
infinite chain ai1  ai2  · · · (where i1 < i2 < i3 . . .).

Here are some examples of well-quasi-orders:

• The pointwise order ≤ on Nk .

• The subword order on Σ∗ for any finite alphabet Σ.

We say w1  w2 if w1 is a scattered subword of w2 , that is, if w1 can be
obtained from w2 by deleting letters. Higman’s lemma states that every infi-
nite sequence of words contains an infinite chain with respect to the subword
order.

• The subtree order on the set of finite trees over a finite alphabet Σ.
We say that t1  t2 if there is an injective mapping from the nodes of tree
t1 into the nodes of t2 that preserves reachability: n0 is reachable from n
in t1 iff the image of n0 is reachable from the image of n in t2 . Kruskal’s
lemma states that every infinite sequence of trees contains an infinite chain
with respect to the subtree order.

Definition 3.2.20 Let A be a set and let  A×A be a wqo. A set X ⊆ A is upward
closed if x ∈ X and x  y implies y ∈ X for every x, y ∈ A. In particular, given
x ∈ A, the set {y ∈ A | y  x} is upward-closed.
A relation →⊆ A × A is monotonic if for every x → y and every x0  x there
is y 0  y such that x0 → y 0 .
Given X ⊆ A, we define

pre(X) = {y ∈ A | y → x and x ∈ X}
3.2. DECISION PROCEDURES FOR GENERAL PETRI NETS 65

Further we define:
pre 0 (X) = X
pre i+1 (X) = pre pre i (X) for every i ≥ 0


∞
[
pre ∗ (X) = pre i (X)
i=0

We can now prove the following theorem:

Theorem 3.2.21 Let A be a set and let  A × A be a wqo. Let X0 ⊆ A be an

upward closed set and let →⊆ A × A be monotonic. Then there is j ∈ N such that
j
[
∗
pre (X) = pre i (X)
i=0

This theorem can be used to obtain a backwards reachability algorithm for

generalizations of Petri nets, like reset Petri nets, or lossy channel systems, whose
transition relation is monotonic. Other net models, like Petri nets with inhibitor
arcs, do not have a monotonic transition relations (adding tokens may disable a
transition), and the theorem cannot be applied to them . In fact we have:

Theorem 3.2.22 Deadlock freedom, Liveness, Boundedness, b-boundedness,

Reachability, and Coverability are all undecidable for Petri nets with inhibitor
arcs.

3.2.3 Decision procedures for other problems

Reachability
The decidability of Reachability was open for about 10 years until it was proved
by Mayr in 1980. Kosaraju and Lambert simplified the proof in 1982 and 1992,
respectively. All these algorithms and their proofs exceed the framework of this
course.
In 2012 Leroux provided a new, very simple algorithm. Its proof is as compli-
cated as the proofs of the previous ones, but the algorithm is very simple.

Definition 3.2.23 (Semilinear set) A set X ⊆ Nk is linear if there is r ∈ Nk (the

root) and a finite set P ⊆ Nk (the periods) such that
X
X = {r + λp p | ∀p ∈ P : λp ∈ N}
p∈P

A semilinear set is a finite union of linear sets.

66 CHAPTER 3. DECISION PROCEDURES

Observe that a semilinear set can be finitely represented as a set of pairs {(r1 , P1 ), . . . , (rn , Pn )}
giving the roots and periods of its linear sets.

Theorem 3.2.24 [Leroux 2012] Let (N, M0 ) be a Petri net and let M1 be a mark-
ing of N . If M1 is not reachable from M0 , then there exists a semilinear set M of
markings of N such that
(a) M0 ∈ M,
t
(b) if M ∈ M and M −→ M 0 for some transition t of N , then M 0 ∈ M, and

(c) M1 ∈
/ M.

Given the root r and periods p1 , . . . , pn of a semilinear set M, we can check

whether M satisfies (a)-(c). Indeed, checking (a) amounts to solving the linear
system of diophantine equations
n
X
M0 = r + λi pi
i=1

with unknowns λ1 , . . . , λn . Similarly, checking (c) amounts to showing that

n
X
M =r+ λi pi
i=1

has no solution. Finally, checking (b) is more complicated, but reduces to checking
validity of a formula of a theory called Presburger arithmetic for which decision
procedures exist.
Now, Theorem 3.2.24 can be used to give an algorithm for Reachability con-
sisting of two semi-decision procedures, one that explores the reachability graph
breadth-first and stops if it finds the goal marking M , and another one that enu-
merates all semilinear sets, and stops if one of them satisfies (a)-(c). The two
procedures run in parallel, and, since one of the two is bound to terminate, yield
together a decision procedure for Reachability.

Deadlock-freedom
We reduce Deadlock-freedom to Reachability. We proceed in two steps. First,
we reduce Deadlock-freedom to an auxiliary problem P, and then we reduce P to
reachability.

P: Given a Petri net (N, M0 ) and a subset R of places of N , is there a

reachable marking M such that M (s) = 0 for every s ∈ R?
3.2. DECISION PROCEDURES FOR GENERAL PETRI NETS 67

Theorem 3.2.25 Deadlock-freedom can be reduced to P.

Proof. Let (N, M0 ) be a Petri net such that N = (S, T, F ). Define

S = {R ⊆ S | ∀t ∈ T : • t ∩ R 6= ∅}

that is, an element of S contains for every transition t at least one of the input
places of t. We have

(1) S is a finite set.

(2) A marking M of N is dead iff the set of places unmarked at M is an element

of S.

Suppose now that there is an algorithm that decides P. We can then decide Deadlock-
freedom as follows. For every R ∈ S we use the algorithm for P to decide if some
reachable marking M satisfies M (s) = 0 for every s ∈ R. It follows from (2) that
(N, M0 ) is deadlock-free if the answer is negative in all cases. Since, by (1), we
only have to solve a finite number of instances of P, Deadlock-freedom is decid-
able. 

Theorem 3.2.26 P can be reduced to Reachability.

Proof. Let (N, M0 ) be a Petri net where N = (S, T, F ), and let R be a set
of places of N . We construct a new Petri net (N 0 , M00 ) by adding new places,
transitions, and arcs to (N, M0 ). We proceed in two steps (see Figure 3.4). In the
first step, we add

• two new places s0 and r0 , putting one token on s0 .

• a transition t0 and arcs (s0 , t0 ) and (t0 , r0 ).

• two arcs (s0 , t) and (t, s0 ) for every transition t ∈ T .

After these additions, as long as there is a token in s0 , all transitions of T

can fire. However, transition t0 can occur at any time, removing this token, and
when this happens all transitions of T become “dead”. Intuitively, the firing of t0
“freezes” the current marking of N . In the second step we add:

• a new transition ts and arcs (s, ts ), (r0 , ts ), (ts , r0 ) for every place s ∈ S \R.
68 CHAPTER 3. DECISION PROCEDURES

S\R

ts1
s1
.
. ..
. . ..
.
. ..
.
. ..
tsn ..

sn

t1 tm
.........

s0 t0 r0

Figure 3.4: Construction of Theorem 3.2.26

Intuitively, these transitions are “garbage collectors”. The “garbage” are the
tokens in the places of S \ R. If r0 becomes marked, then the garbage collectors
can remove all tokens from these places. This concludes the definition of (N 0 , M00 ).
Let Mr0 be the marking of N 0 that puts one token on r0 and no tokens else-
where. We have
(1) If some reachable marking M of (N, M0 ) puts no tokens in R, then Mr0 is
a reachable marking of (N 0 , M00 ).
To reach Mr0 , we first fire a sequence of transitions of T leading from M0
to M , then we fire t0 , and finally we fire the transitions {ts | s ∈ S} until all
places of S are empty.

(2) If Mr0 is a reachable marking of (N 0 , M00 ), then some marking M reachable

from (N, M0 ) puts no tokens in R.
3.2. DECISION PROCEDURES FOR GENERAL PETRI NETS 69

Mr0 can only be reached by firing t0 at a marking that puts no tokens in R

(because after firing t0 the places of R cannot be emptied anymore). So we
can choose M as the marking reached immediately before firing t0 .
By (1) and (2), we can decide if some reachable marking M of (N, M0 ) puts
no tokens in R as follows: construct (N 0 , M00 ) and decide if Mr0 is reachable.
therefore, if there is an algorithm for Reachability, then there is also one for P. 

Liveness
Liveness can also be reduced to Reachability, but the proof is more complex. We
sketch the reduction for the problem whether a given transition t of a Petri net
(N, M0 ) is live.
Let Et be the set of markings of N that enable t. Clearly, Et is upward closed.
By Lemma 3.2.16, the set pre ∗ (Et ) is also upward closed. Now, pre ∗ (Et ) is the
set of markings of N that enable some firing sequence ending with t. Let Dt be
the complement of pre ∗ (Et ), that is, the set of markings from which t cannot be
enabled anymore. We have: (N, M0 ) is live iff [M0 i ∩ Dt = ∅.
If Dt is a finite set of markings, and we are able to compute it, then we are
done: we have reduced the liveness problem to a finite number of instances of
Reachability. However, the set Dt may be infinite, and we do not yet know how
to compute it. We show how to deal with these problems.
Every upward-closed set of markings is semilinear (exercise). Using the back-
wards reachability algorithm, we can compute the finite set min(pre ∗ (Et )), and
from it we can compute a representation of pre ∗ (Et ) as a semilinear set. Now we
use a powerful result: the complement of a semilinear set is also semilinear; more-
over, there is an algorithm that, given a representation of a semilinear set X ⊆ Nk ,
computes a representation of the complement Nk \ X. So we are left with the prob-
lem: given a Petri net (N, M0 ) and a semilinear set X, decide if some marking of
X is reachable from M0 .
This problem can be reduced to Reachability as follows (brief sketch). We
construct a Petri net that first simulates (N, M0 ), and then transfers control to an-
other Petri net which nondeterministically generates a marking of X on “copies”
of the places of N . This second net then transfers control to a third, whose tran-
sitions remove one token from a place of N and a token from its “copy”. If X is
reachable, then the first net can produce a marking of X, the second net can pro-
duce the same marking, and the third net can then remove all tokens from the first
and second nets, reaching the empty marking. Conversely, if the net consisting of
the three nets together can reach the empty marking, then (N, M0 ) can reach some
marking of X.
70 CHAPTER 3. DECISION PROCEDURES

3.2.4 Complexity
Unfortunately, all the problems we have seen so far have very high complexity.
We prove that all of them are EXPSPACE-hard. That is, the memory needed
by any algorithm solving one of these problems grows at least exponentially in
the size of the input Petri net. Rackoff’s algorithm shows that Coverability is
EXPSPACE-complete, that is, that exponentially growing memory suffices. The
same can be proved for Boundedness. For a long time it was conjecture that
Deadlock-freedom, Liveness, and Reachability were EXPSPACE-complete as
well. However, the conjecture was disproved in 2019: these three problems have
non-elementary complexity. To explain what this means, define inductively the
functions exp k (x) as follows:

• exp 0 (x) = x;

• exp k+1 (x) = 2exp k (x) .

The complexity class k-EXPSPACE contains the problems that can be solved by
a Turing machine using at most exp k (n) space for inputs of length n. The class of
elementary problems is defined as
∞
[
k-EXPSPACE
k=0

In other words, a problem is elementary if there is a number k and a Turing machine

that solves every instance of the problem of size n using at most exp k (n) space.
Some problems related to logical theories have non-elementary complexity.
Logical theories are sets of formulas, typically defined by closing a set of atomic
formulas under boolean operations and quantification. Without getting into details,
in some logical theories the complexity of deciding if a formula is true is given
by a tower of exponentials whose height is equal to the number of quantifiers in
the formula times some constant. Since formulas can have an arbitrary number of
quantifiers, these problems are non-elementary.
Consider the function that assigns to each n the number exp n (n). This function
grows faster than any tower-of-exponentials function of fixed height. However, the
function belongs to the class of primitive recursive functions. Loosely speaking,
these are the functions computable by programs using only for-loops. In particular,
such programs are guaranteed to terminate, because no for-loop can run forever.
There are functions that grow even faster than every primitive-recursive function.
The best known example is the Ackermann function, inductively defined by
3.2. DECISION PROCEDURES FOR GENERAL PETRI NETS 71


n + 1
 if m = 0
A(m, n) = A(m − 1, 1) if m > 0 and n = 0

A(m − 1, A(m, n − 1)) if m > 0 and n > 0


All known algorithms for Deadlock-freedom, Liveness, and Reachability

have non-primitive recursive runtime, that is, their runtime grows faster than any
elementary function.
The rest of the section is the counterpart of Section 3.1.1 for arbitrary Petri
nets. The rule of thumb is now:

All interesting questions about the behavior of Petri√ nets are

EXPSPACE-hard. More precisely, they require at least 2O( n) -space.

In particular, all the questions we asked about 1-safe Petri nets can be reformu-
lated for Petri nets, and turn out to have at least this space complexity. As in the
case of 1-safe Petri nets, this is a consequence of one single fundamental fact:

A deterministic, exponentially bounded automaton of size n can be sim-

ulated by a Petri net of size O(n2 ). Moreover, there is a polynomial time
procedure which constructs this net.

In order to answer a question about the computation of an exponentially space

bounded automaton A, we can construct the net that simulates A, which has size
O(n2 ), and solve the corresponding question. If the original question requires 2n
space, as is the case for√many properties, then the corresponding question about
nets requires at least 2O( n) -space.
Bounded automata and general Place/Transition Petri nets do not “fit” well. It
is not appropriate to model a cell of a bounded automaton as a place, as we did
in the 1-safe case, because the cell contains one out of a finite number of possible
symbols, while the place can contain infinitely many tokens, and so the same infor-
mation as a nonnegative integer variable. So we use an intermediate model, namely
counter programs. It is well-known that so-called bounded counter programs can
simulate bounded automata (see below), and we show that Petri nets can simulate
bounded counter programs.
A counter program is a sequence of labeled commands separated by semi-
colons. Basic commands have the following form, where l, l1 , l2 are labels or
addresses taken from some arbitrary set, for instance the natural numbers, and x is
a variable over the natural numbers, also called a counter:
72 CHAPTER 3. DECISION PROCEDURES

l: x := x + 1
l: x := x − 1
l: goto l1 unconditional jump
l: if x = 0 then goto l1 conditional jump
else goto l2
l: halt

A program is syntactically correct if the labels of commands are pairwise dif-

ferent, and if the destinations of jumps correspond to existing labels. For conve-
nience we can also require the last command to be a halt command.
A program can only be executed once its variables have received initial values.
In this paper we assume that the initial values are always 0. The semantics of
programs is that suggested by the syntax. The only point to be remarked is that
the command l : x := x − 1 fails if x = 0, and causes abortion of the program.
Abortion must be distinguished from proper termination, which corresponds to the
execution of a halt command. Observe in particular that counter programs are
deterministic.
A counter program C is k-bounded if after any step in its unique execution
the contents of all counters are smaller than or equal to k. We make use of a well
known construction of computability theory:

There is a polynomial time procedure which accepts a determin-

istic bounded automaton A of size n and returns a counter pro-
gram C with O(n) commands simulating the computation of A
on empty tape; in particular, A halts if and only if C halts. More-
n
over, if A is exponentially bounded, then C is 22 -bounded.

n
Now, it suffices to show that a 22 -bounded counter program of size O(n) can
be simulated by a Petri net of size O(n2 ). This is the goal of the rest of this section.
Since a direct description of the sets of places and transitions of the simulating
net would be very confusing, we introduce a net programming notation with a very
simple net semantics. It is very easy to obtain the net corresponding to a program,
and execution of a command corresponds exactly to the firing of a transition. So we
can and will look at the programming notation as a compact description language
for Petri nets.
A net program is rather similar to a counter program, but does not have the
possibility to branch on zero; it can only branch nondeterministically. However, it
has the possibility of transferring control to a subroutine. The basic commands are
as follows:
3.2. DECISION PROCEDURES FOR GENERAL PETRI NETS 73

l: x := x + 1
l: x := x − 1
l: goto l1 unconditional jump
l: goto l1 or goto l2 nondeterministic jump
l: gosub l1 subroutine call
l: return end of subroutine
l: halt

Syntactical correctness is defined as for counter programs. We also assume

that programs are well-structured. Loosely speaking, a program is well-structured
if it can be decomposed into a main program that only calls first-level subroutines,
which in turn only call second-level subroutines, etc., and the jump commands in
a subroutine can only have commands of the same subroutine as destinations.6 We
do not formally define well-structured programs, it suffices to know that all the
programs of this section are well-structured.
We sketch a (Place/Transition) Petri net semantics of well-structured net pro-
grams. The Petri net corresponding to a program has a place for each label, a place
for each variable, a distinguished halt place, and some additional places used to
store the calling address of a subroutine call. There is a transition for each assign-
ment and for each unconditional jump, and two transitions for each nondetermin-
istic jump, as shown in Figure 3.5. We illustrate the semantics of the subroutine
command by means of the program
1: gosub 4;
2: gosub 4;
3: halt;
4: goto 5 or goto 6;
5: return;
6: return
The corresponding Petri net is shown in Figure 3.6. Observe that the places 1 calls 4
and 2 calls 4 are used to remember the address from which the subroutine was
called.
Clearly, the Petri net corresponding to a net program with k commands has
O(k) places and O(k) transitions, and its initial marking has size O(k). So it is of
size O(k 2 ).
n
Let C be a 22 -bounded counter program with O(n) commands. We show
that C can be simulated by a net program N (C) with O(n) commands, which
corresponds to a Petri net of size O(n2 ). Unfortunately, the construction of N (C)
6
Here we consider the main program as a zero-level subroutine, i.e., jump commands in the main
program can only have commands of the main program as destinations.
74 CHAPTER 3. DECISION PROCEDURES

l l

x x

l1 l1

l : x:=x+1; l : x:=x-1;
l1: ... l1: ...

l l l

l1 l1 l2 halt

l: goto l1 l: goto l 1 l: halt

or
goto l 2

Figure 3.5: Net semantics of assignments and jumps

requires quite a bit of low-level programming. But the reward is worth the hacking
effort.
The notion of simulation is not as strong as in the case of 1-safe Petri nets.
In particular, net programs are nondeterministic, while counter programs are deter-
ministic. A net program N simulates a counter program C if the following property
holds: C halts (executes the command halt) if and only if some computation of N
halts (other computations may fail).
Each variable x of N (be it a variable from C or an auxiliary variable) has an
n
auxiliary complement variable x. N takes care of setting x = 22 at the beginning
of the program. We call the code that takes care of this Ninit (C).7 The rest of
N (C), called Nsim (C), simulates C and takes care of keeping the invariant x =
n
22 − x.
We design Nsim (C) first. This program is obtained through replacement of
each command of C by an adequate net program. Commands of the form x :=
x + 1 (x := x − 1) are replaced by the net program x := x + 1; x := x − 1
n
Recall that by definition all variables of N have initial value 0. Therefore, if we need x = 22
7

initially, then we have to design preprocessing code for it.

3.2. DECISION PROCEDURES FOR GENERAL PETRI NETS 75

1_calls_4 4

2 5 6

2_calls_4 return_4

halt

Figure 3.6: Net semantics of subroutines

76 CHAPTER 3. DECISION PROCEDURES

(x := x − 1; x := x + 1). Unconditional jumps are replaced by themselves. Let us

now design a program

Testn (x,ZERO, NONZERO)

to replace a conditional jump of the form

l: if x = 0 then goto ZERO
else goto NONZERO
The specification of Testn is as follows:
n
If x = 0 (1 ≤ x ≤ 22 ), then some execution of the program leads to
ZERO (NONZERO), and no computation leads to NONZERO (ZERO);
moreover the program has no side-effects: after any execution leading
to ZERO or NONZERO no variable has changed its value.

Actually, it is easier to design a program Test0n (x,ZERO, NONZERO) with the

same specification but a side-effect: after an execution leading to ZERO, the values
of x and x are swapped.8 Once Test0n has been designed, we can take:

Program Testn (x, ZERO, NONZERO):

Test0n (x, continue, NONZERO);
continue: Test0n (x, ZERO, NONZERO)

because the values of x and x are swapped 0 times if x > 0 or twice if x = 0, and
so Testn has no side effects.
The key to the design of Test0n lies in the following observation: Since x never
n
exceeds 22 , testing x = 0 can be replaced by nondeterministically choosing

• to decrease x by 1, and if we succeed then we know that x > 0, or

n n
• to decrease x by 22 , and if we succeed then we know that x = 22 , and so
x = 0.

If we choose wrongly, that is, if for instance x = 0 holds and we try to decrease
x by 1, then the program fails; this is not a problem, because we only have to
guarantee that the program may (not must!) terminate, and that if it terminates then
it provides the right answer.
n
Decreasing x by 1 is easy. Decreasing x by 22 is the difficult part. We leave it
for a routine Decn to be designed, which must satisfy the following specification:
8
Executions leading to NONZERO must still be free of side-effects.
3.2. DECISION PROCEDURES FOR GENERAL PETRI NETS 77

n
If the initial value of s is smaller than 22 , then every execution of
n
Decn fails. If the value of s is greater than or equal to 22 , then all
executions terminating with a return command have the same effect
n n
as s := s − 22 ; s := s + 22 ; in particular, there are no side-effects.
All other executions fail.

Test0n proceeds by transferring the value of x to a special variable sn , and then

n
calling the routine Decn , which decreases sn by 22 . In this way we need one
single routine Decn , instead of one for each different variable to be decreased,
which leads to a smaller net program.

Program Test0n (x, ZERO, NONZERO):

n
** initially sn = 0 and sn = 22 **
goto nonzero or goto loop;
nonzero: x := x − 1; x := x + 1; goto NONZERO;
loop: x := x − 1; x := x + 1; sn := sn + 1; sn := sn − 1;
goto exit or goto loop
exit: gosub decn ; goto ZERO
** the routine called at decn is Decn (sn ) **

It is easy to see that Test0n meets its specification: if x > 0, then we may choose
n
the nonzero branch and reach NONZERO. If x = 0, then x = 22 . After looping
n
22 times on loop the values of x, x and sn , sn have been swapped. The values of
sn and sn are swapped again by the subroutine Decn , and then the program moves
to ZERO. Moreover, if x = 0 then no execution reaches the NONZERO branch,
because the program fails at x := x − 1. If x > 0, then no execution reaches the
n
ZERO branch, because sn cannot reach the value 22 , and so Decn fails.
The next step is to design Decn . We proceed by induction on n, starting with
0
Dec0 . This is easy, because it suffices to decrease s by 22 = 2. So we can take

Subroutine Dec0 (s):

s := s − 1; s := s + 1;
s := s − 1; s := s + 1;
return

Now we design Deci+1 under the assumption that Deci is already known. The
definition of Deci+1 contains two copies of a program Test0i , called with different
parameters. We define this program by substituting i for n everywhere in Test0n .
Test0i calls the routine Deci at the address deci . Notice that this is correct, because
we are assuming that the routine Deci has already been defined.
78 CHAPTER 3. DECISION PROCEDURES

i+1
The key to the design of Deci+1 is that decreasing by 22 amounts to decreas-
i i
ing 22 times by 22 , because
i+1 i i i
22 = (22 )2 = 22 · 22
i+1
So decreasing by 22 can be implemented by two nested loops, each of which is
i
executed 22 times, such that the body of the inner loop decreases s by 1. The loop
i
variables have initial values 22 , and termination of the loops is detected by testing
the loop variables for 0. This is done by the Test0i programs.

Subroutine Deci+1 (s):

i
** Initially yi = 22 = zi , y i = 0 = z i **
** The initialisation is carried out by Ninit **
outer loop: yi := yi − 1; y i := y i + 1;
inner loop: zi := zi − 1; z i := z i + 1;
s := s − 1; s := s + 1;
Test0i (zi , inner exit , inner loop);
inner exit: Test0i (yi , outer exit, outer loop);
outer exit: return

Observe also that both instances of Test0i call the same routine at the same label.
It could seem that Deci+1 swaps the values of yi , y i and zi , z i , which would
be a side-effect contrary to the specification. But this is not the case. These swaps
are compensated by the side-effects of the ZERO branches of the Test0i programs!
Notice that these branches are now the inner exit and outer exit branches.
When the program leaves the inner loop, Test0i swaps the values of zi and z i . When
the program leaves the outer loop, Test0i swaps the values of yi and y i .
This concludes the description of the program Testn , and so the description of
the program Nsim (C). It remains to design Ninit (C). Let us first make a list of the
initializations that have to be carried out. Nsim (C) contains
• the variables x1 , . . . , xl of C with initial value 0; their complementary vari-
n
ables x1 , . . . , xl with initial value 22 ;

• a variable s with initial value 0; its complementary variable s with initial

n
value 22 ;
i
• two variables yi , zi for each i, 0 ≤ i ≤ n − 1, with initial value 22 ; their
complementary variables y i , z i for each i, 0 ≤ i ≤ n − 1, with initial value
0.
Now, the specification of Ninit (C) is simple
3.2. DECISION PROCEDURES FOR GENERAL PETRI NETS 79

Ninit (C) uses only the variables in the list above; every successful
execution leads to a state in which the variables have the correct initial
values.

Ninit (C) calls programs Inci (v1 , . . . , vm ) with the following specification:

All successful executions have the same effect as

i
v1 := v1 + 22 ;
...;
i
vm := vm + 22

In particular, there are no side-effects.

These programs are defined by induction on i, and are very similar to the family of
Deci programs. We start with Inc0 :

Program Inc0 (v1 , . . . , vm ):

v1 := v1 + 1; v1 := v1 + 1;
...
vm := vm + 1; vm := vm + 1

and now give the inductive definition of Inci+1 :

Program Inci+1 (v1 , . . . , vm ):

i
** Initially yi = 22 = zi , y i = 0 = z i **
outer loop: yi := yi − 1; y i := y i + 1;
inner loop: zi := zi − 1; z i := z i + 1;
v1 := v1 + 1;
...
vm := vm + 1;
Test0i (zi , inner exit , inner loop);
inner exit: Test0i (yi , outer exit, outer loop);
outer exit: . . .

It is easy to see that these programs satisfy their specifications. Now, let us
consider Ninit (C). Apparently, we face a problem: in order to initialize the vari-
i+1
ables v1 , . . . , vm to 22 the variables yi and zi must have already been initialized
i
to 22 ! Fortunately, we find a solution by just carrying out the initializations in the
right order:
80 CHAPTER 3. DECISION PROCEDURES

Program Ninit (C):

Inc0 (y0 , z0 );
Inc1 (y1 , z1 );
...
Incn−1 (yn−1 , zn−1 );
Incn (s, x1 , . . . , xl )

This concludes the description of N (C), and it is now time to analyze its size.
Consider Nsim (C) first. It contains two assignments for each assignment of C,
an unconditional jump for each unconditional jump in C, and a different instance
of Testk for each conditional jump. Moreover, it contains (one single instance of)
the routines Decn , Decn−1 , . . . , Dec0 (notice that Testn calls Decn , which calls
Decn−1 , etc.). Both Testn and the routines have constant length. So the number of
commands of Nsim (C) is O(n).
Ninit (C) contains (one single instance of) the programs Inci 1 ≤ i ≤ n. The
programs Inc1 , . . . , Incn−1 have constant size, since they initialize a constant num-
ber of variables. The number of commands of Incn is O(n), since it initializes
O(n) variables.
So we have proved that N (C) contains O(n) commands. It follows that its cor-
responding Petri net has size O(n2 ), which concludes our presentation of Lipton’s
result.
Chapter 4

Semi-decision procedures

4.1 Linear systems of equations and linear programming

In the next two sections we will construct linear systems of equations with integer
or rational coefficients that provide partial information about our analysis prob-
lems. We will prove propositions like “if the system of equations A · X ≤ b (we
will see how this system looks like) has a rational positive solution, then the Petri
net (N, M0 ) is bounded” (sufficient condition), or “if M is reachable in (N, M0 ),
then the system of equations B · X = b has a solution over the natural numbers”
(necessary condition). Such propositions lead to semi-decision procedures to prove
or disprove a property. The complexity of these procedures depends on the com-
plexity of solving the different systems of equations.
We define the size of a linear system of equations A · X = b or A · X ≤ b
where A = (aij )i=1,...n,j=1,...,m and b = (bj )j=1,...,m as
X X
{log 2 |aij | | 1 ≤ i ≤ n, 1 ≤ j ≤ m} + {log 2 |bj | | 1 ≤ j ≤ m}
The problem of deciding whether A · X = b has
• a rational solution can be solved in polynomial time (though not by means
of Gauss elimination!).
• an integer solution can be solved in polynomial time.
• a nonnegative integer solution is NP-complete.
The problem of deciding whether A · X ≤ b has
• a rational solution can be solved in polynomial time. 1

1
In practice we often use the Simplex algorithm, which has exponential worst-case complexity,
but is very efficient for most instances.

81
82 CHAPTER 4. SEMI-DECISION PROCEDURES

• an integer solution is NP-complete.

• a nonnegative integer solution is NP-complete.

Given a linear objective function f (X) = c1 x1 + . . . cm we can decide with the
same runtime whether there is a solution Xop that maximizes f (X) and, if so, the
value f (Xop ).

4.2 The Marking Equation

Definition 4.2.1 (Incidence matrix)
Let N = (S, T, F ) be a net. The incidence matrix N : (S × T ) → {−1, 0, 1} is
given by 

 0 if (s, t) 6∈ F and (t, s) 6∈ F or
(s, t) ∈ F and (t, s) ∈ F

N(s, t) =

 −1 if (s, t) ∈ F and (t, s) 6∈ F
1 if (s, t) 6∈ F and (t, s) ∈ F


The column N(−, t) is denoted by t, and the row N(s, −) by s.

Example 4.2.2

s1 s2

t1 t2 t3 t4
t1
s1 −1 0 1 0
s3
s2 −1 0 0 1
t3 t4
s3 1 −1 0 0
t2
s4 0 1 −1 0
s5 0 1 0 −1

s4 s5

Definition 4.2.3 (Parikh-vector of a sequence of transitions)

Let N = (S, T, F ) be a net and let σ be a finite sequence of transitions. The
Parikh-vector σ : T → IN of σ is defined by

σ(t) = number of occurrences of t in σ

Lemma 4.2.4 (Marking Equation Lemma)

σ
Let N be a net and let M −→ M 0 be a firing sequence of N . Then M 0 = M +N·σ.
4.2. THE MARKING EQUATION 83

Proof. By induction on the length of σ.

Basis: σ = . Then M = M 0 and σ = 0
τ t
Step: σ = τ t for some sequence τ and transition t. Let M −→ L −→ M 0 . We
have
M0 = L + t (Definition of t)
=L+N·t (Definition of t)
= M + N · τ + N · t (Induction hyp.)
= M + N · (τ + t)
= M + N · τt (Definition of Parikh-vector)
=M +N·σ (σ = τ t)


t1 t2 t3
Example 4.2.5 In the previous net we have (11000) −−→ (10001), and

−1
     
1 1 0 1 0  
1

 0  
  1  
  −1 0 0 1 
  1 

 0 =
  0 +
  1 −1 0 0 · 
  1 
 0   0   0 1 −1 0 
0
1 0 0 1 0 −1

The marking reached by firing a sequence σ from a marking M depends only

on the Parikh-vector σ. In other words, if M enables two sequences σ and τ with
σ = τ , then both σ and τ lead to the same marking.

Definition 4.2.6 (The Marking Equation)

The Marking Equation of a Petri net (N, M0 ) is M = M0 + N · X with variables
M and X.

The Marking equation leads to the following semi-algorithms for Bounded-

ness, b-Boundedness, (Non)-Reachability, and Deadlock-freedom:

Proposition 4.2.7 (A sufficient condition for boundedness)

Let (N, M0 ) be a Petri net. If the optimization problem
P
maximize M (s)
s∈S
subject to M = M0 + N · X

has an optimal solution, then (N, M0 ) is bounded.

84 CHAPTER 4. SEMI-DECISION PROCEDURES

P
Proof. Let n be the optimal solution of the problem. Then n ≥ M (s) holds
s∈S
for every marking M for which there
P exists a vector X such that M = M0 +N·X.
By Lemma 4.2.4 we have n ≥ M (s) for every reachable marking M , and so
s∈S
n ≥ M (s) for every reachable marking M and every place s. 

Exercise: Change the algorithm so that it checks whether a given place is bounded.

Proposition 4.2.8 (A sufficient condition for non-reachability)

Let (N, M0 ) be a Petri net and let L be a marking of N . If the equation

L = M0 + N · X (with only X as variable)

has no solution, then L is not reachable from M0 .

Proof. Immediate consequence of Lemma 4.2.4. 

Proposition 4.2.9 (A sufficient condition for deadlock-freedom)

Let (N, M0 ) be a 1-bounded Petri net where N = (S, T, F ). If the following
system of inequations has no solution then (N, M0 ) is deadlock-free.

P = M0 + N• · X
M
M (s) < | t| for every transition t.
s∈·t

Proof. We show: if there is a reachable dead marking M , then M is a solution

of the system. By Lemma 4.2.4 and the reachability of M there is a vector X sat-
isfying M = M0 + N · X. Since (N, M0 ) is 1-bounded, we have M (s) ≤ 1 for
every place s. Let t be an arbitrary transition. Since M does not enable t, we have
M (s) =P0 for at least one place s ∈ • t. Since M does not enable any transition,
we get M (s) < |• t|. 
s∈·t

Remark 4.2.10 The converses of these propositions do not hold (that is why they
are semi-algorithms!). Counterexamples are:
• To Proposition 4.2.7:

s1
t1
s2
s1 0
t1 s2 1
4.3. S- AND T-INVARIANTS 85

(N, M0 ) ist bounded but

     
0 0 0
= + ·n
n 0 1
for every n (that is, the Marking Equation has a solution for every marking
of the form (0, n)).

• To Proposition 4.2.8:
Peterson’s algorithm: the marking (p4 , q4 , m1 = true, m2 = true, hold =
1) ist not reachable, but the Marking Equation has a solution (Exercise: find
a smaller example).

• To Proposition 4.2.9:
Peterson’s algorithm with an additional transition t satisfying • t = {p4 , q4 }
and t• = ∅. The Petri net is deadlock free, but the Marking Equation has a
solution for (m1 = true, m2 = true, hold = 1) that satisfies the conditions
of Proposition 4.2.9 (Exercise: find a smaller example).

4.3 S- and T-invariants

4.3.1 S-invariants
Definition 4.3.1 (S-invariants)
Let N = (S, T, F ) be a net. An S-invariant of N is a vector I : S → Q such that
I · N = 0.

Proposition 4.3.2 (Fundamental property of S-invariants)

∗
Let (N, M0 ) be a Petri net and let I be a S-invariant of N . If M0 −→ M , then
I · M = I · M0 .
σ
Proof. We have M0 −→ M for some firing sequence σ. By the Marking Equation
Lemma we get
M = M0 + N · σ
and so
I ·M = I · M0 + I · N · σ (Marking Equation)
= I · M0 (I · N = 0)


The value of the expression I · M is therefore the same for every reachable
marking M , and so it constitutes an invariant of (N, M0 ).
86 CHAPTER 4. SEMI-DECISION PROCEDURES

s1 s2

t1 t2 t3

s3 s4

Figure 4.1

Example 4.3.3 We compute the S-invariants of the net of Figure 4.1

The incidence matrix is:
t1 t2 t3
s1 1 −1 0
s2 0 −1 1
s3 −1 1 0
s4 0 1 −1

We compute the solutions of the system of equations

 
1 −1 0
 0 −1 1 
(i1 , i2 , i3 , i4 ) · 
 −1
=0
1 0 
0 1 −1

The general form of the S-invariants is therefore (x, y, x, y) with x, y ∈ Q

The following propositions are an immediate consequence of the definition of

S-invariants:

Proposition 4.3.4 The S-invariants of a net form a vector space over the real num-
bers.

This definition of S-invariant is very suitable for machines, but not for humans,
who can only solve very small systems of equations by hand. There is an equiva-
lent definition which allows people to decide, even for nets with several dozens of
places, if a given vector is an S-invariant.
P
Proposition 4.3.5 I is an S-invariant of N = (S, T, F ) iff. ∀t ∈ T : I(s) =
P s∈• t
I(s).
s∈t•
4.3. S- AND T-INVARIANTS 87

s1 s2

t1

t2
s3

t3

s4

Figure 4.2

Proof. I · N = 0 is equivalentP to I · t P
= 0 for every transition t. So for every
transition t we have: I · t = I(s) − I(s). 
s∈t• s∈• t

Example 4.3.6 We show that I = (1, 1, 2, 1) is an S-invariant of the net of Figure

4.2. The condition of Proposition 4.3.5 must hold for transitions t1 , t2 und t3 .

• Transition t1 : I(s1 ) + I(s2 ) = I(s3 ) = 2.

• Transition t2 : I(s3 ) = I(s1 ) + I(s4 ) = 2.

• Transition t3 : I(s3 ) = I(s4 ) + I(s2 ) = 2.

With the help of S-invariants we can give sufficient conditions for boundedness
and necessary conditions for liveness and for the reachability of a marking.

Definition 4.3.7 (Semi-positive and positive S-invariants)

Let I be an S-invariant of N = (S, T, F ). I is semi-positive if I ≥ 0 and I 6= 0,
and positive if I > 0 (that is, if I(s) > 0 for every s ∈ S). The support of an
S-invariant is the set hIi = {s ∈ S | I(s) > 0}.

Proposition 4.3.8 [A sufficient condition for boundedness]

Let (N, M0 ) be a Petri net. If N has a positive S-invariant I, then (N, M0 ) is
bounded. More precisely: (N, M0 ) is n-bounded for
I · M0
 
n = max | s is a place of N
I(s)
88 CHAPTER 4. SEMI-DECISION PROCEDURES

Proof. Let M be any reachable marking. By the fundamental property of S-

invariants we have I · M = I · M0 .
Let s be an arbitrary place of N . Since I > 0 we have I(s)·M (s) ≤ I ·M = I ·M0
and M (s) ≤ I·M 0
I(s) . 

Proposition 4.3.9 [A necessary condition for liveness]

If (N, M0 ) is live, then I · M0 > 0 for every semi-positive S-invariant of N .

Proof. Let I be a semi-positive S-invariant and let s be a place of hIi. Since

(N, M0 ) is live, some reachable marking M satisfies M (s) > 0. Since I is semi-
positive, we have I · M ≥ I(s) · M (s) > 0. Since I is a S-invariant, we get
I · M0 = I · M > 0 

These two propositions lead immediately to semi-algorithms for Boundedness

and Liveness.

Definition 4.3.10 (The ∼ relation)

Let M and L be markings and let I be a S-invariant of a net N . M und L agree on
I if I · M = I · L. We write M ∼ L if M and L agree on all invariants of N .

Proposition 4.3.11 [A necessary condition for reachability]

Let (N, M0 ) be a Petri net. M ∼ M0 holds for every M ∈ [M0 i.

Proof. Follows from the fundamental property of S-invariants. 

The following theorem allows one to decide if M ∼ L holds for two given mark-
ings M and L.

Theorem 4.3.12 Let N be a net and let M, L be two markings of N .

M ∼ L iff the equation M = L + N · X has a rational solution.

Proof. (⇒): Since M ∼ L, we have I · (L − M ) = 0 for every S-invariant I.

We now recall a well-known theorem of linear algebra. Given a n×m matrix A,
let U = {u ∈ Nn | u · A = 0}, and let V = {v ∈ Nm | u · v = 0 for every u ∈ U }.
Then both U and V are vector spaces, and the columns of A contain a basis of V .
If we take A := N, then U is the set of S-invariants of N , and so, by the the-
orem, the columns of N contain a basis of the vector space of vectors v satisfying
I · v = 0 for every S-invariant I. In particular, since (L − M ) is one of these
vectors, (L − M ) is a linear combination over Q of the columns of N, and so the
equation N · X = (L − M ) has a rational solution.
(⇐) : Let I be an S-invariant of N . Since I · N = 0 we have I · L = I · M + I ·
4.3. S- AND T-INVARIANTS 89

N · X = I · M. 
We also have the following consequences:

M is reachable from L
6⇑ ⇓
M = L + N · X has a solution X ∈ N|T |
6⇑ ⇓
M = L + N · X has a solution X ∈ Q|T |
m
M ∼L

4.3.2 T-invariants
Definition 4.3.13 (T-invariants)
Let N = (S, T, F ) be a net. A vector J : T → Q is a T-invariant of N if N·J = 0.
P
Proposition 4.3.14 J is a T-invariant of N = (S, T, F ) iff ∀s ∈ S : J(t) =
P t∈• s
J(t).
t∈s•

Proposition 4.3.15 [Fundamental property of T-invariants]

Let N be a net, let M be a marking of N , and let σ be a sequence of transitions
σ
of N enabled at M . The vector σ is a T-invariant of N iff M −→ M .
σ
Proof. (⇒) : Let M 0 be the marking satisfying M −→ M 0 . By the Marking
Equation we have M 0 = M + N · σ. Since N · σ = 0 we get M 0 = M
(⇐) : By the Marking Equation we have M = M + N · σ and so N · σ = 0. 

Example 4.3.16 We compute the T-invariants of the net of Figure 4.1 as the solu-
tions of the system of equations
 
1 −1 0  
 0 −1 j1
1 


 −1 j2  = 0
1 0 
j3
0 1 −1

The general form of the T-invarints is (x, x, x), where x ∈ Q.

Using T-invariants we obtain a necessary condition for well-formedness of a

net:
90 CHAPTER 4. SEMI-DECISION PROCEDURES

t2 t4

t3
s1 s2 s3 s4

t1 t5

Figure 4.3

Theorem 4.3.17 [Necessary condition for well-formedness]

Every well-formed net has a positive T-invariant.
Proof. Let N be a well-formed net and let M0 be a live and bounded marking of
N . By liveness there is an infinite firing sequence σ1 σ2 σ3 · · · such that every σi is
a finite firing sequence containing all transitions of N . We have
1σ 2 σ
3 σ
M0 −→ M1 −→ M2 −→ ...

By boundedness there are indices i < j such that Mi = Mj . So the sequence

σi+1 . . . σj satisfies
σi+1 ...σj
Mi −−→ Mi
and so J = σi+1 + . . . + σj is a T-invariant of N . Further, J is positive because
every transition occurs at least once in σi+1 . . . σj . 

4.4 Siphons and Traps

4.4.1 Siphons
Definition 4.4.1 (Siphon)
Let N = (S, T, F ) be a net. A set R ⊆ S of places is a siphon of N if • R ⊆ R• .
A siphon R is proper if R 6= ∅.

{s1 , s2 } is a siphon of the net of Figure 4.3 because

•
{s1 , s2 } = • s1 ∪ • s2 = {t2 } ∪ {t1 } = {t1 , t2 }

und
{s1 , s2 }• = s•1 ∪ s•2 = {t1 } ∪ {t2 , t3 } = {t1 , t2 , t3 }
4.4. SIPHONS AND TRAPS 91

Proposition 4.4.2 [Fundamental property of siphons]

σ
Let R be a siphon of a net N , and let M −→ M 0 be a firing sequence of N . If
M (R) = 0, then M 0 (R) = 0.

Proof. Since • R ⊆ R• , the transitions that can mark R can only occur at markings
that already mark R. 

Loosely speaking, a siphon that becomes unmarked (or “empty”), remains un-
marked forever.

Corollary 4.4.3 [A necessary condition for reachability]

If M is reachable in (N, M0 ), then for every siphon R, if M0 (R) = 0 then
M (R) = 0.

We can easily check in polynomial time if this condition holds. For this we first
observe that, if R1 and R2 are siphons of N , then so is R1 ∪R2 (exercise). It follows
that there exists a unique largest siphon Q0 unmarked at M0 (more precisely, R ⊆
Q0 for every siphon R such that M0 (R) = 0). We claim that the condition holds if
and only if M (Q0 ) = 0.
• If the condition holds, then, since M0 (Q0 ) = 0 by definition, we get M (Q0 ) =
0.

• If the condition does not hold, then there is a siphon R such that M0 (R) = 0
and M (R) > 0. Since R ⊆ Q0 , we also have M (Q0 ) > 0.
The siphon Q0 can be determined with the help of the following algorithm,
which computes the largest siphon Q contained in a given set R of places—it suf-
fices then to choose R as the set of places unmarked at M0 .

Input: A net N = (S, T, F ) and R ⊆ S.

Output: The largest siphon Q ⊆ R.
Initialization: Q := R.

begin
while there are s ∈ Q and t ∈ • s such that t ∈
/ Q• do
Q : = Q \ {s}
endwhile
end

Exercise: Show that the algorithm is correct. That is, prove that the algorithm
terminates, and that after termination Q is the largest siphon contained in R.
92 CHAPTER 4. SEMI-DECISION PROCEDURES

Proposition 4.4.4 [A necessary condition for liveness]

If (N, M0 ) is live, then M0 marks every proper siphon of N .

Proof. Let R be a proper siphon of N and let s ∈ R. Since we assume that N

is connected, • s ∪ s• 6= ∅, and, since R is a siphon, s• 6= ∅. Let t ∈ s• 6= ∅. By
liveness some reachable marking enables t, and so some reachable marking marks
s, and therefore also the siphon R. By Proposition 4.4.3 the initial marking M0
also marks R. 
Again, the condition can be checked with the help of the algorithm above: the
condition holds if and only if Q0 = ∅. We now look at deadlock-freedom. We can
obtain a sufficient condition for it, but not one that is easy to check.

Proposition 4.4.5 If M is a dead marking of N , then the set of places unmarked

at M is a siphon of N .

Proof. Let R = {s | M (s) = 0}. For every transition t there is a place s ∈ • t

such that M (s) = 0 (otherwise t would be enabled). So R• contains all transitions
of N , and therefore • R ⊆ R• . 

Corollary 4.4.6 [A sufficient condition for deadlock-freedom] Let (N, M0 ) be a

Petri net. If every reachable marking marks all siphons of N , then (N, M0 ) is
deadlock-free.

4.4.2 Traps
Definition 4.4.7 (Trap)
Let N = (S, T, F ) be a trap. A set R ⊆ S of places is a trap if R• ⊆ • R. A trap
R is proper if R 6= ∅.

{s3 , s4 } is a trap of the net of Figure 4.3.

Proposition 4.4.8 [Fundamental property of traps]

σ
Let R be a trap of a net N and let M −→ M 0 be a firing sequence of N . If
M (R) > 0, then M 0 (R) > 0.

Proof. Since • R ⊆ • R, transitions that take tokens from R put tokens in R. 

So, loosely speaking, marked traps stay marked. Notice, however, that this
does not mean that the number of tokens of a trap cannot decrease. The number
can go up or down, just not become 0.
4.4. SIPHONS AND TRAPS 93

Corollary 4.4.9 [A necessary condition for reachability]

If M is reachable in (N, M0 ), then for every trap R, if M0 (R) > 0 then M (R) >
0.

As in the case of siphons, we can check in polynomial time if this condition

holds. If R1 and R2 are traps of N , then so is R1 ∪ R2 (exercise). So there exists
a unique largest trap Q0 unmarked at M (more precisely, R ⊆ Q0 for every trap
R such that M (R) = 0). It is easy to see that the condition holds if and only if
M0 (Q0 ) = 0 (exercise).
To compute the largest trap unmarked at M , we can transform the algorithm
that computes the largest siphon contained in a given set of places into an algorithm
for computing the largest trap (exercise).
Recall that checking the sufficient condition for deadlock-freedom was compu-
tationally expensive, because of the form “for every reachable marking ...”. Com-
bining siphons and traps we obtain an easier-to-check condition.

Proposition 4.4.10 [A sufficient condition for deadlock-freedom]

Let (N, M0 ) be a Petri net. If every proper siphon of N contains a trap marked at
M0 , then (N, M0 ) is deadlock-free.

Proof. Easy consequence of Corollary 4.4.6 and Proposition 4.4.8. 

The siphon-trap condition cannot be checked in polynomial time unless P=NP

(whether every proper siphon contains a marked trap is an NP-complete problem),
but can be checked with the help of a SAT-solver (see “New algorithms for deciding
the siphon-trap property” by O. Oanea, H. Wimmel, and K. Wolf).
We finally show how to combine S-invariants and traps to prove that Peterson’s
algorithm satisfies the mutual exclusion property. For the Petri net model of Figure
2.8 mutual exclusion means that no reachable marking M satisfies M (p4 ) ≥ 1 ∧
M (q4 ) ≥ 1. We first compute three S-invariants:

(1) M (hold = 1) + M (hold = 2) = 1

(2) M (p2 ) + M (p3 ) + M (p4 ) + M (m1 = f ) = 1

(3) M (q2 ) + M (q3 ) + M (q4 ) + M (m1 = f ) = 1

and two constraints derived from traps:

(4) M (m1 = f ) + M (p2 ) + M (hold = 1) + M (q3 ) > 0

(5) M (m2 = f ) + M (q2 ) + M (hold = 2) + M (p3 ) > 0

94 CHAPTER 4. SEMI-DECISION PROCEDURES

Assume now M (p4 ) ≥ 1 ∧ M (q4 ) ≥ 1 holds. We have:

M (p4 ) ≥ 1 ∧ M (q4 ) ≥ 1

⇒ {(2), (3)}

M (p2 ) + M (p3 ) + M (m1 = f ) = 0 ∧ M (q2 ) + M (q3 ) + M (m2 = f ) = 0

⇒ {(1)}

M (m1 = f ) + M (p2 )+ M (m2 = f ) + M (q2 )+

M (hold = 1) + M (q3 ) = 0 ∨ M (hold = 2) + M (p3 ) = 0

Contradicts (4) Contradicts (5)

Chapter 5

Petri net classes with efficient

decision procedures

In the three sections of this chapter we study three classes of Petri nets: S-systems,
T-systems, and free-choice systems. The sections have a similar structure. After the
definition of the class, we introduce three theorems: the Liveness, Boundedness,
and Reachability Theorem. The Liveness Theorem characterizes the live Petri nets
in the class. The Boundedness Theorem characterizes the live and bounded sys-
tems. The Reachability Theorem characterizes the reachable markings of the live
and bounded systems. The proof of the theorems requires some results about the
structure of S- and T-invariants of the class, which we also present.
The theorems immediately yield decision procedures for Liveness, Bounded-
ness and Reachability whose complexity is much lower than those for general
Petri nets.
At the end of the section we present a final theorem, the Shortest Path Theorem,
which gives an upper bound for the length of the shortest firing sequence leading
to a given reachable marking.
The reader may ask why boundedness only for live Petri nets, and why reach-
ability only for live and bounded Petri nets. A first reason is that, in many applica-
tion areas, a Petri net model of a correct system must typically be live and bounded,
and so, when one of these properties fails, it does not make much sense to further
analyze the model. The second reason is that, interestingly, the general characteri-
zation of the bounded systems or the reachable markings is more complicated and
less elegant than the corresponding characterization for live or live and bounded
Petri nets.
The proofs of the theorems are very easy for S-systems, a bit more involved for
T-systems, and relatively complex for free-choice systems. For this reason we just

95
96CHAPTER 5. PETRI NET CLASSES WITH EFFICIENT DECISION PROCEDURES

sketch the proofs for S-systems, explain the proofs in some detail for T-systems,
and omit them for free-choice systems.

5.1 S-Systems
Definition 5.1.1 (S-nets, S-systems) A net N = (S, T, F ) is a S-net if |• t| = 1 =
|t• | for every transition t ∈ T . A Petri net (N, M0 ) is a S-system if N if N is a
S-net.

Proposition 5.1.2 (Fundamental property of S-systems)

Let (N, M0 ) be a S-system with N = (S, T, F ). Then M0 (S) = M (S) for every
reachable marking M .

Proof. Every transition consumes one token and produces one token. 

Theorem 5.1.3 [Liveness Theorem] A S-system (N, M0 ) where N = (S, T, F ) is

live iff N is strongly connected and M0 (S) > 0.

Proof. (Sketch.)
(⇒): If N is not strongly connected, then there is an arc (s, t) such that N has no
path from t to s. For every marked place s0 such that there is a path from s0 to s,
we fire the transitions of the path to bring the tokens in s0 to s, and then fire t to
empty s. We have then reached a marking from which no tokens can “travel” back
to s, and so a marking from which t cannot occur again. So (N, M0 ) is not live.
If M0 marks no places, then no transition can occur, and (N, M0 ) is not live.
(⇐): If N is strongly connected and M0 puts at least one token somewhere,
then the token can freely move, reach any other place, and so enable any transition
again. 

Theorem 5.1.4 [Boundedness Theorem] A live S-system (N, M0 ) where N =

(S, T, F ) is b-bounded iff M0 (S) ≤ b.

Proof. Trivial. 

Exercise: give a counterexample for non-live S-systems.

Theorem 5.1.5 [Reachability Theorem] Let (N, M0 ) be a live S-system and let M
be a marking of N . M is reachable from M0 iff M0 (S) = M (S).
5.2. T-SYSTEMS 97

Proof. N is strongly connected by Proposition 5.1.3. So we are free to dis-

tribute the tokens of M0 in an arbitrary way, and reach any marking M , as long as
M (S) = M0 (S). 

Proposition 5.1.6 [S-invariants of S-nets] Let N = (S, T, F ) be a connected S-

net. A vector I : S → Q is a S-invariant of N iff I = (x, . . . , x) for some x ∈ Q.

Proof.
Each transition t ∈ T has exactly one input place st and an output place s0t . So
we have X X
I(s) = I(st ) and I(s) = I(s0t )
s∈• t s∈t•
and therefore
I is a S-invariant
⇔ {Proposition 4.3.5 (alternative definition of S-invariant)}
∀t ∈ T : I(st ) = I(s0t )
⇔ {N is connected}
∀s1 , s2 ∈ S : I(s1 ) = I(s2 )
⇔ {}
∃x ∈ Q∀s ∈ S : I(s) = x.


5.2 T-systems
Definition 5.2.1 (T-nets, T-systems) A net N = (S; T, F ) is a T-net if |• s| = 1 =
|s• | for every place s ∈ S. A system (N, M0 ) is a T-system if N is a T-net.

Notation: Let γ be a circuit of a net N and let M be a marking

Pof N . We denote
by M (γ) the number if tokens of γ under M , that is, M (γ) = s∈γ M (s).
Proposition 5.2.2 (Fundamental property of T-systems) Let γ be a circuit of a
T-systems (N, M0 ) and let M be a reachable marking. Then M (γ) = M0 (γ).
Proof. Firing a transition does not change the number of tokens of γ. If the transi-
tion does not belong to the circuit, then the distribution of tokens in the circuit does
not change. If the transition belongs to the circuit, then it removes one token from
a place of the circuit, and adds a token to another place. The token count does not
change. 
98CHAPTER 5. PETRI NET CLASSES WITH EFFICIENT DECISION PROCEDURES

5.2.1 Liveness
Theorem 5.2.3 [Liveness Theorem] A T-system (N, M0 ) is live iff M0 (γ) > 0 for
every circuit γ of N .

Proof.
(⇒) Let γ be a circuit with M0 (γ) = 0. By Proposition 5.2.2 we have M (γ) =
0 for every reachable marking M . So no transition of γ can ever occur.
(⇐) Let t be an arbitrary transition and let M be a reachable marking. We
show that some marking reachable from M enables t. Let SM be the set of places
s of N satisfying the following property: there is a path from s to t that contains
no place marked at M . We proceed by induction on |SM |. Basis: |SM | = 0. Then
M (s) > 0 for every place s ∈ • t, and so M enables t.
Step: |SM | > 0. By the fundamental property of T-systems, every circuit of N is
marked at M . So there is a path Π such that:

(1) Π leads to t;

(2) M marks no place of Π;

(3) Π has maximal length (that is, no path longer than Π satisfies (1) and (2)).

Let u be the first element of Π. By (3) u is a transition and M marks all places of
• u. So M enables u. Moreover, we have u 6= t because M does not enable t. Let
u
M −→ M 0 . We show that SM 0 ⊂ SM , and so that |SM 0 | < |SM |.

1. SM 0 ⊆ SM
Let s ∈ SM 0 . We show s ∈ SM . There is a path Π0 = s . . . t containing
no place marked at M 0 . Assume Π0 contains a place r marked at M . Since
u
M 0 (r) = 0 and M −→ M 0 we have u ∈ r• and so {u} = r• . So u is
the successor of r in Π0 . Since u 6= t, M 0 marks the successor of u in Π0 ,
contradicting the definition of Π0 .

2. SM 0 6= SM . Let s be the successor of u in Π. Then s ∈ SM but s 6∈ SM 0 ,

because M 0 (s) > 0.
σ
By induction hypothesis there is a firing sequence M 0 −→ M 00 such that M 00 en-
u σ
ables t. It follows M −→ M 0 −→ M 00 , and so M 00 is a marking reachable from
M that enables t. 
5.2. T-SYSTEMS 99

5.2.2 Boundedness
Theorem 5.2.4 [Boundedness Theorem] A place s of a live T-system (N, M0 ) is
b-bounded iff it belongs to some circuit γ such that M0 (γ) ≤ b.

Proof. (⇐) Follows from the fundamental property of T-systems (Proposition

5.2.2).
(⇒) Let M be a reachable marking such that M (s) is maximal. We have M (s) ≤
b. Define the marking L as follows:

M (r) if r 6= s
L(r) =
0 if r = s

We claim that (N, L) is not live. Otherwise there would be a firing sequence
σ
L −→ L0 such that L0 (s) > 0, and by the Monotonicity Lemma we would have
σ
M −→ M 0 for some marking M 0 satisfying M 0 (s) = L0 (s) + M (s) > M (s),
contradicting the maximality of M (s). By the Liveness Theorem some circuit γ is
unmarked at L but marked at M . Since L and M only differ in the place s, the cir-
cuit γ contains s. Further, s is the only place of γ marked at M . So M (γ) = M (s),
and since M (s) ≤ b we get M (γ) ≤ b. 

Corollary 5.2.5 Let (N, M0 ) be a live T-system

1. A place of N is bounded iff it belongs to some circuit.

2. Let s be a bounded place. Then

∗
max{M (s) | M0 −→ M } = min{M0 (γ) | γ contains s}

3. (N, M0 ) is bounded iff N is strongly connected.

Proof. Exercise 

5.2.3 Reachability
We need to have a closer look at the T-invariants of T-systems.

Proposition 5.2.6 [T-invariants of T-nets] Let N = (S, T, F ) be a connected T-

net. A vector J : T → Q is a T-invariant iff J = (x . . . x) for some x ∈ Q.

Proof. Dual of the proof of Proposition 5.1.6. 

100CHAPTER 5. PETRI NET CLASSES WITH EFFICIENT DECISION PROCEDURES

Theorem 5.2.7 [Reachability Theorem] Let (N, M0 ) be a live T-system. A mark-

ing M is reachable from M0 iff M0 ∼ M .

Proof. (⇒) Proposition 4.3.11

(⇐) By Theorem 4.3.12 there is a rational vector X such that

M = M0 + N.X (5.1)

The vector J = (1, 1, . . . , 1) is a T-invariant of N (Proposition 5.2.6). So we have

N · (X + λJ) = N · X

for every λ ∈ Q. So without loss of generality we can assume X ≥ 0.

Let T be the set of transitions of N . We show:

(1) There is a vector Y : T → IN such that M = M0 + N · Y . Let Y be the

vector with Y (t) = dX(t)e for every transition t (dxe denotes the smallest
integer larger than or equal to x). By (5.1) we have

M (s) = M0 (s) + X(t1 ) − X(t2 )

for every place s, where {t1 } = • s and {t2 } = s• . Both M (s) and M0 (s)
are integers. By the definition of Y we get

X(t1 ) − X(t2 ) = Y (t1 ) − Y (t2 )

So M (s) = M0 + Y (t1 ) − Y (t2 ), which implies M = M0 + N · Y .

∗
(2) M0 −→ M P
By induction over |Y | = t∈T Y (t).
Basis: |Y | = 0. Then Y = 0 and M = M0 .
Step: |Y | > 0.
We show that M0 enables some transition of hY i. Let

Sy = {s ∈ • hY i | M0 (s) = 0}

Let s ∈ Sy. By M0 (s) = 0 and M0 + N · Y = M ≥ 0 we have:

if some transition of s• belongs to hY i, then some transition of • s

belongs to hY i. (*)
5.2. T-SYSTEMS 101

Let Π be a path of maximal length containing places of Sy and transitions

of hY i (such a path exists, because otherwise N would contain a circuit
unmarked at M0 ). By (*), the first node of Π is a transition t ∈ hY i, and no
place of • t belongs to Sy. So M0 marks every place of • t, that is, M0 enables
t.
t
Let M0 −→ M1 . We have

M1 + N(Y − t) = M

where
|Y − t| = |Y | − 1 < |Y |
∗ t ∗
By induction hypothesis we have M1 −→ M . Since M0 −→ M1 −→ M ,
∗
we get M0 −→ M .

5.2.4 Other properties

The theorems we have introduced have many interesting consequences. Her are
two of them.

Theorem 5.2.8 Let N be a strongly connected T-net. For every marking M0 the
following statements are equivalent:

(1) (N, M0 ) is live.

(2) (N, M0 ) is deadlock-free.

(3) (N, M0 ) has an infinite firing sequence.

Proof. (1) ⇒ (2) ⇒ (3) follow immediately from the definitions. We show (3) ⇒
(1).
σ
Let M0 −→ be an infinite firing sequence. We claim that every transition of N
occurs in σ. Since N is strongly connected, (N, M0 ) is bounded (Theorem 5.2.4).
t1 t2 t3
Let σ = t1 t2 t3 . . ., and M0 −→ M1 −→ M2 −→ . . .. Since (N, M0 ) is bounded,
there are indices i and j with i < j such that Mi = Mj . Let σij be the subsequence
of σ containing the transitions between Mi and Mj . By the fundamental property
of T-invariants (Proposition 4.3.15) σij is a T-Invariant . By Proposition 5.2.6 there
102CHAPTER 5. PETRI NET CLASSES WITH EFFICIENT DECISION PROCEDURES

is n ∈ N such that σij = (n . . . n). So every transition of N occurs in σij , and so

the same holds for σ.
Since every transition of N occurs in σ, for every place and every circuit of N
some marking reached during the execution of N marks the place or the circuit.
By the fundamental property of T-systems, all circuits of N are marked at M0 . By
the Liveness Theorem (Theorem 5.2.3), (N, M0 ) is live. 

Theorem 5.2.9 [Genrich’s Theorem] Let N be a strongly connected T-net with at

least one place and one transition. There is a marking M0 such that (N, M0 ) is
live and 1-bounded.

Proof. Since N is strongly connected, any marking that puts tokens on all places of
N is live, because it marks all circuits (Liveness Theorem), and bounded, because
all markings of N are (Corollary 5.2.5).
Let (N, M ) be live and bounded, but not 1-bounded. We construct another live
marking L of N satisfying the following two conditions:

(1) L(γ) ≤ M (γ) for every circuit γ of N , and

(2) L(γ) < M (γ) for at least one circuit γ.

By Theorem 5.2.4, at least one place of N has a smaller bound under L as under
M . Iterating this construction we obtain a 1-bounded marking of N .
Let s be a non-1-bounded place of (N, M ). Some reachable marking M 0 sat-
isfies M 0 (s) ≥ 2. Let L be the marking that puts exactly one token in s, and as
many tokens as M elsewhere.
Since M is live, it marks all circuits of N . By construction L also marks all
circuits, and so L is also live. Condition (1) is a consequence of the definition of L.
Condition (2) holds for all circuits containing s (and there is at least one, because
N is strongly connected). 

Finally we prove a result stating that for any two markings M1 , M2 of a 1-

bounded T-system (live or not), if M2 is reachable from M1 , then it can be reached
from M1 in at most n(n − 1)/2 steps where n is the number of transitions of the
T-system.
The result is proved with the help of two lemmas.

Definition 5.2.10 Given a sequence σ of transitions, we denote by A(σ) the set of

transitions occurring at least once in σ.
5.2. T-SYSTEMS 103

σ σ t
Lemma 5.2.11 Let (N, M0 ) be a T-system and let M0 −−1−−
2
→ for some sequences
∗
σ1 σ2 ∈ T , some t ∈ T such that
• t∈
/ A(σ1 ), and
• A(σ2 ) ⊆ A(σ1 ).
σ tσ
Then M0 −−1−−→.
2

Proof. By induction on the length of σ2 . If |σ2 | = 0 there is nothing to prove.

σ1 σ 0 t u
Assume σ2 = σ20 u for some u ∈ T . We prove M0 −−−−2−−→, and then the result
follows by applying the induction hypothesis to σ1 σ20 t.
σ1 σ 0
2 u t
Let M0 −−−−→ M1 −→ M2 −→. Consider two cases:
• u• ∩ • t = ∅. Then t is already enabled at M1 , and we are done.
• u• ∩ • t 6= ∅. Let s ∈ u• ∩ • t. Since u ∈ A(σ2 ) and A(σ2 ) ⊆ A(σ1 ), we have
u ∈ A(σ1 ). Since t ∈ / A(σ1 ), we have t ∈ / A(σ2 ). So u occurs at least twice
in σ1 σ2 , while t occurs zero times. It follows M2 (s) ≥ 2, and therefore
M1 (s) ≥ 1. Further, for every s ∈ • t \ u• we have M1 (s) = M2 (s) ≥ 1. So
t is already enabled at M1 , and we are done.

Lemma 5.2.12 Let (N, M0 ) be a 1-bounded T-system with N = (S, T, F ), and

σ
let M0 −→ M . Then there exist sequences σ1 σ2 such that
σ σ
1 2
(1) M0 −−−−→ M .
(2) no transition occurs more than once in σ1 ,
(3) A(σ2 ) ⊆ A(σ1 ), and
(4) if σ is nonempty then A(σ2 ) ⊂ A(σ1 ).
Proof. We first prove that (1)-(3) hold by induction on |σ|. If |σ| = 0, then take
τ t
σ1 , σ2 = . Assume σ = τ t for some t ∈ T and M0 −→ M 0 −→ M . By induction
τ1 τ2
hypothesis there are τ1 , τ2 such that M0 −−−→ M 0 , no transition occurs more than
once in τ1 , and A(τ2 ) ⊆ A(τ1 ). It t ∈ A(τ1 ), then take σ1 = τ1 and σ2 = τ2 t. If
τ t τ2
t∈/ A(τ1 ), then by Lemma 5.2.11 we have M0 −−1−−→ M , and we take σ1 = τ1 t
and σ2 = τ2 .
To prove (4), assume we have σ1 , σ2 satisfying (1)-(3). We consider several
cases.
104CHAPTER 5. PETRI NET CLASSES WITH EFFICIENT DECISION PROCEDURES

• A(σ1 ) = ∅. Then, by (3), we have σ1 = σ2 = , and (4) holds vacuously.

• A(σ1 ) = T . If A(σ2 ) ⊂ A(σ1 ) then we are done. If A(σ2 ) = A(σ1 ),

then A(σ2 ) = T , and by (2) both σ1 and σ2 contains every transition exactly
σ1 σ2
once. Since N is a T-system, we then have M0 −−→ M0 −−→ M0 . But then
we can replace σ2 by , and now the pair , σ1 satisfies (1)-(4).

• ∅ 6= A(σ1 ) 6= T . Since N is 1-bounded, by the Boundedness Theorem it is

strongly connected. So there is a place s with input and output transitions t
and u, respectively, such that t ∈ A(σ1 ) and u ∈ / A(σ1 ). By (3) we have
u∈ / A(σ2 ). If t ∈ A(σ2 ) then M (s) ≥ 2, contradicting 1-boundedness. So
t∈/ A(σ2 ), and so A(σ2 ) ⊂ A(σ1 ).

Theorem 5.2.13 [Shortest Sequence Theorem] Let (N, M0 ) be a b-bounded T-

system and let M be a reachable marking. Then there is an occurrence sequence
σ
M0 −→ M such that |sigma| ≤ b·n(n−1)/2, where n is the number of transitions
of N .

Proof. We only prove the case b = 1. The general case requires a slight general-
ization of Lemma 5.2.11 and 5.2.12.
By repeated application of Lemma 5.2.12 there exists an occurrence sequence
σ σ ··· σn
M0 −−1−−2−−−→ M such that

• σi 6=  for every 1 ≤ i ≤ n,

• no transition occurs more than once in any of σ1 , . . . , σn , and

• A(σ1 ) ⊂ A(σ2 ) ⊂ · · · ⊂ A(σn ).

Pn n(n−1)
Then we have |σi | ≤ n−i+1 for every 1 ≤ i ≤ n, and so |σ| ≤ i=1 i = 2 .


5.3 Free-Choice Systems

Definition 5.3.1 (Free-Choice nets, Free-Choice systems) A net N = (S, T, F )
is free-choice if s• × • t ⊆ F for every s ∈ S and t ∈ T such that (s, t) ∈ F . A
Petri net (N, M0 ) is free-choice if N is a free-choice net..
5.3. FREE-CHOICE SYSTEMS 105

free−choice not free−choice

Figure 5.1

This definition is very concise and moreover symmetric with respect to places
and transitions. If the reader finds it cryptic, the following equivalent definitions
may help.

Proposition 5.3.2 [Alternative definitions of free-choice nets]

(1) A net is free-choice if for every two transitions t1 , t2 :

(t1 6= t2 ∧ • t1 ∩ • t2 6= ∅) ⇒ • t1 = • t2

(2) A net is free-choice if for every two places s1 , s2 :

(s1 6= s2 ∧ s•1 ∩ s•2 6= ∅) ⇒ s•1 = s•2

Proof. Exercise. 

Figure 5.1 illustrates these definitions.

Clearly, S- and T-systems are special cases of free-choice systems (see Figure
5.2).

5.3.1 Liveness
We showed in the last chapter that a Petri net in which every siphon contains an ini-
tially marked trap is deadlock-free, but the converse does not hold. For free-choice
systems we obtain Commoner’s Theorem, a much stronger result characterizing
liveness.

Theorem 5.3.3 [First part of Commoner’s Liveness Theorem]

Let (N, M0 ) be a free-choice system. If every proper siphon of N contains a trap
marked at M0 , then (N, M0 ) is live.
106CHAPTER 5. PETRI NET CLASSES WITH EFFICIENT DECISION PROCEDURES

Free−choice systems

S−systems Circuits T−systems

Figure 5.2: Net classes

Proof. We need the following definitions. Let M be a marking of N . A transition

t is dead at M if it is not enabled at any marking of [M i. Let DM denote the set
of transitions dead at M . A transition t is live at M if t 6∈ DM 0 for every marking
M 0 ∈ [M i. Let LM be the set of transitions live at M . Notice that a transition may
be neither live nor dead at a marking. We have

• If t ∈ LM and M 0 ∈ [M i, then t ∈ LM 0 , that is, live transitions stay live.

• If t ∈ DM and M 0 ∈ [M i, then t ∈ LM 0 , that is, dead transitions stay dead.

• If t 6∈ LM ∪ DM then there is a marking M 0 reachable from M such that

t ∈ DM 0 . That is, transitions that are neither live nor dead may die.

We prove that if (N, M0 ) is not live, then some proper siphon of N does not
contain any trap marked at M0 . Let T be the set of transitions of N . Since (N, M0 )
is not live, then, by the definitions above, there is a marking M reachable from M0
such that T = DM ∪ LM , that is, every transition is either live or dead at M , and
DM 6= ∅.
We claim: for every transition t ∈ DM there exists st ∈ • t such that M (st ) = 0
and every t0 ∈ • st is dead at M .
Let St be the set of input places of t not marked at M . Since t ∈ DM , the set
St is nonempty. Since N is free-choice, for every s ∈ St every transition of s•t is
dead at M (otherwise we could fire t). So along any occurrence sequence starting
at M the number of tokens in each place of St does not decrease. Therefore, if all
transitions of • St are live at M then we can reach a marking that marks all of them.
But such a marking enables t, contradicting that t is dead at M . So at least one
place st ∈ • t is dead at M , which proves the claim.
Let now R = {st | t ∈ DM }. By the claim, and since DM 6= ∅, the set R
is a siphon unmarked at M . If R would contain a trap marked at M0 then, since
5.3. FREE-CHOICE SYSTEMS 107

s1 s2

s3 s4 s5 s6

s7 s8

Figure 5.3: A free-choice system

marked traps remain marked, R would be marked at M . So R does not contain any
trap marked at M0 . 

A siphon is minimal if it does not properly contain any proper siphon. Clearly,
the Liveness Theorem still holds if we replace “siphon” by “minimal siphon”.
The net of Figure 5.3 has four minimal siphons: R1 = {s1 , s3 , s5 , s7 }, R2 =
{s2 , s4 , s6 , s8 }, R3 = {s2 , s3 , s5 , s7 } and R4 = {s1 , s4 , s6 , s8 }. R1 , R2 , R3 and
R4 are also traps, and so, in particular, they contain traps. By the Liveness Theo-
rem, every marking that marks R1 , R2 , R3 and R4 is live.
We now proceed to prove the second part of the theorem. We have to show
that if some proper siphon R of a free-choice system (N, M0 ) does not contain
an initially marked trap, then (N, M0 ) is not live. If such a siphon exists, then
the maximal trap Q ⊆ R is unmarked at M0 , and so M0 only can mark places of
D := R \ Q. Loosely speaking, we construct a firing sequence that “empties” the
places of D without marking the places of Q. In this way we reach a marking at
which the siphon R is empty, which proves that (N, M0 ) is not live.
We need the notion of a cluster.

Definition 5.3.4 (Cluster) Let N = (S, T, F ) be a net. A cluster is an equivalence

class of the equivalence relation ((F ∩ (S × T )) ∪ (F ∩ (S × T ))−1 )∗ . We denote
108CHAPTER 5. PETRI NET CLASSES WITH EFFICIENT DECISION PROCEDURES

Figure 5.4: Clusters of the net of Figure 5.3

[x] the cluster of the node x ∈ S ∪ T .

It follows from the definition that every node of a net belongs to exactly one
cluster, that is, the set of clusters is a partition of S ∪ T .
Figure 5.4 shows the clusters of the net of Figure 5.3.
The following proposition is easy to prove:

Proposition 5.3.5 Let (N, M0 ) be a free-choice system with N = (S, T, F ), and

let c be a cluster of c.

(1) (s, t) ∈ F for every s ∈ c ∩ S and t ∈ c ∩ T .

(2) A marking enables some transition of c iff it enables every transition of c.

By (2) we can say that M enables a cluster.

The firing sequence σ that empties the siphon Ris constructed as follows. We
define an allocation that assigns to each cluster c of N containing places of D a
5.3. FREE-CHOICE SYSTEMS 109

transition of c ∩ T . Intuitively, the allocation is a recipe indicating which transition

to fire: Whenever the transitions of the cluster are enabled, we fire the allocated
transition, and never any of the others. The sequence σ is constructed by repeat-
edly enabling the clusters of D, which is possible by liveness, and then firing the
allocated transition.
We define allocations.

Definition 5.3.6 (Allocation) Let N = (S, T, F ) be a net and let C be a set of

clusters of N . An allocation of C is a mapping α : C → T such that α(c) ∈ c for
every c ∈ C.

Let C = {[t] | t ∈ D• }. We construct an allocation α : C → T satisfying the

following properties.
(a) α is circuit-free, that is, there is no cycle containing only places of D and
allocated transitions. If there were such a cycle, then by firing only allocated
transitions we might never be able to empty D, because tokens in the cycle
would never “leave” it.
(b) α does not allocate any transition of • Q. Otherwise firing this transition
would mark the trap Q, which would make it impossible to empty the siphon.
(c) while there are tokens in D it is always possible to fire any allocated transi-
tion again, without firing any of the non-allocated transitions.
The recipe to construct an allocation satisfying (a) and (b) is given in the proof
of the following lemma. Notice that this part does not require the free-choice
property.

Lemma 5.3.7 Let N be a net, let R be a set of places of N , and let Q be the
maximal trap included in Q, and let D = R \ Q. Let C = {[t] | t ∈ D• }. There
exists a circuit-free allocation α : C → T such that α(C) ∩ • Q = ∅.

Proof. By induction on |R|. If |R| = 0 then C = ∅ and we take the empty

allocation. If |R| > 0 and R is a trap then D = ∅, and again C = ∅. If R is not a
trap then there exists t ∈ R• \ • R (intuitively, t is a way-out through which tokens
can leave R). Let R0 = R \ • t, let Q0 be the maximal trap of R0 , let D0 = R0 \ Q0 ,
and let C 0 = {[t] | t ∈ (D0 )• }.
By induction hypothesis there exists an allocation α0 : C 0 → T , circuit-free for
D , such that α0 (C 0 ) ∩ • Q0 = ∅. Define α : C → T as follows:
0

(
t if t ∈ c
α(c) = 0
α (c) otherwise
110CHAPTER 5. PETRI NET CLASSES WITH EFFICIENT DECISION PROCEDURES

We have to show that α is circuit-free and α(C) ∩ • Q0 = ∅. We first prove the

following facts, which we leave as an exercise:

(i) Q is the maximal trap included in R0 .

(ii) D ⊆ D0 ∪ • t. (Use (i).)

(iii) C ⊆ C 0 ∪ {[t]}. (Use (ii) and the definition of C.)

(iv) α(C) ⊆ α(C 0 ) ∪ {t}. Use (iii) and the definition of α.)

To show that α is circuit-free, assume D∪α(C) contains a circuit γ. By (ii) and (iv)
we have D ∪ α(C) ⊆ D0 ∪ α0 (C 0 ) ∪ {t} ∪ • t. By induction hypothesis D ∪ α0 (C 0 )
is circuit-fee. So γ contains transition t. Since all places of γ belong to R and
t∈/ • R, we have that γ contains no place of t• , contradicting that γ is a circuit.
To prove α(C) ∩ • Q0 = ∅ we first observe that α(C) ∩ • Q0 ⊆ (α(C 0 ) ∪ {t}) ∩
• Q0 , which is equal to {t} ∩ • Q0 by induction hypothesis, and equal to ∅ because

t∈/ • R and • Q ⊆ • R. 

We now prove that we can find an infinite occurrence sequence that “respects a
given allocation”. This part crucially requires the free-choice property.

Lemma 5.3.8 [Allocation Lemma]

Let (N, M0 ) be a live free-choice system, let C be a set of clusters of N , and let
σ
α : C → T be an allocation of C. There is an infinite occurrence sequence M0 −→
such that σ contains

• infinitely many occurrences of allocated transitions, and

S
• no occurrences of non-allocated transitions of C, i.e., of transitions of c∈C c\
{α(c)}.

Proof. We iteratively define occurrence sequences σ0 , σ1 , σ2 , . . ., and define σ as

their concatenation.
Given a marking Mi , let τi be a minimal occurrence sequence that enables
some cluster c ∈ C. The sequence exists by liveness. By the free-choice property,
the sequence σi = τi α(c) is also a firing sequence. Let Mi+1 be the marking given
σi
by Mi −−→ Mi+1 . 

Theorem 5.3.9 [Second half of Commoner’s Liveness Theorem]

Let (N, M0 ) be a free-choice system. If (N, M0 ) is live, then every proper siphon
of N contains a trap marked at M0 .
5.3. FREE-CHOICE SYSTEMS 111

Proof. Let F be a proper siphon of N , and let Q be the maximal trap included in
Q. We prove M0 (Q) > 0.
Since (N, M0 ) is live, we have M0 (R) > 0 by Proposition 4.4.4. Let D =
R \ Q. If D• = ∅ then D is a trap and so D ⊆ Q, but then D = ∅ and we are done.
If D• 6= ∅ then let C = {[t] | t ∈ D• }. By Lemma 5.3.7 there is an allocation
σ
with domain C and circuit-free for D satisfying α(C) ∩ • Q = ∅. Let M0 −→ be
the occurrence sequence of Lemma 5.3.8. It is easy to see that
• Q cannot become marked during the occurrence of σ.
Because transitions of • Q are not allocated, and so do not occur in σ.
• Q is marked at some point during the occurrence of σ.
Since α is circuit-free, there is an allocated transition t that occurs infinitely
often in σ, and whose input places are not output places of any allocated
transition. So the input places of t must get tokens from transitions that do
not belong to the clusters of C. But these transitions are necessarily output
transitions of Q.

The non-liveness problem for free-choice systems is NP-complete, and so we

cannot expect to find a polynomial algorithm to check the condition of Commoner’s
Theorem:

Theorem 5.3.10 [Complexity]

The problem
Given: A free-choice system (N, M0 )
Decide: Is (N, M0 ) not live?
is NP-complete.

Proof. Membership in NP follows from Commoner’s theorem: guess a siphon of

N , compute in polynomial time the maximal trap contained in R, and check that it
is unmarked at M0 .
The proof of NP-hardness is by reduction from SAT, the satisfiability problem
for boolean formulas. The reduction is illustrated in Figure 5.5, which shows the
free-choice system for the formula
Φ = (x1 ∨ x3 ) ∧ (x1 ∨ x2 ∨ x3 ) ∧ (x2 ∨ x3 )

112CHAPTER 5. PETRI NET CLASSES WITH EFFICIENT DECISION PROCEDURES

A1 A2 A3

x1 x1 x2 x2 x3 x3

C1 C2 C3

False

Figure 5.5: Free-choice system for the formula Φ

5.3. FREE-CHOICE SYSTEMS 113

s1 s2

s3 s5 s4 s6

s7 s8

Figure 5.6: S-components of the net of Figure 5.3

5.3.2 Boundedness
Definition 5.3.11 (S-component) Let N = (S, T, F ) be a net. A subnet N 0 =
(S 0 , T 0 , F 0 ) of N is an S-component of N if

1. N 0 is a strongly connected S-net, and

2. T 0 = • S 0 ∪ S 0• (where s• = {t ∈ T | (t, s) ∈ F }, and analogously for • s).

Figure 5.6 shows two S-components of the net of Figure 5.3.

S-components are for free-choice systems what circuits are for T-systems: fir-
ing a transition does not change the number of tokens of an S-component.

Proposition 5.3.12 Let (N, M0 ) be a Petri net and let N 0 = (S 0 , T 0 , F 0 ) be an

S-component of N . Then M0 (S 0 ) = M (S 0 ) for every marking M reachable from
M0 .

Proof. Firing a transition either takes no tokens from a place of the component
and adds none, or it takes exactly one token and adds exactly one token. 
114CHAPTER 5. PETRI NET CLASSES WITH EFFICIENT DECISION PROCEDURES

Theorem 5.3.13 [Hack’s Boundedness Theorem]

Let (N, M0 ) be a live free-choice system. (N, M0 ) is bounded iff every place of
N belongs to a S-component.

Proof. (⇐) Exercise

(⇒) (Sketch). We first show that every minimal siphon N is the set of places of a
S-component. Then we show that every place is contained in some minimal siphon.


Proposition 5.3.14 [Place bounds]

Let (N, M0 ) be a live and bounded free-choice system and let s be a place of N .
We have
∗
max{M (s) | M0 −→ M } =
min{M0 (S 0 ) | S 0 is the set of places of a S-component of N }

Proof. Analogous to the Boundedness Theorem for T-systems. 

Theorem 5.3.10 shows that there is no polynomial algorithm for Liveness (un-
less P = N P ). Now we ask ourselves what is the complexity of deciding if a
free-choice system is simultaneously live and bounded. We can of course first use
the decision procedure for liveness, and then, if the net is live, check the condi-
tion of the Boundedness Theorem. But there are more efficient algorithms.1 . The
fastest known algorithm runs in O(n · m) time for a net with n places and m tran-
sitions. A not so efficient but simpler algorithm follows immediately from the next
theorem:

Theorem 5.3.15 [Rank Theorem]

A free-choice system (N, M0 ) is live and bounded iff

1. N has a positive S-invariant.

2. N has a positive T-invariant.

3. The rank of the incidence matrix (N) is equal to c − 1, where c is the number
of clusters of N .

4. Every siphon of N is marked under M0 .

1
Compare with this: in order to decide if a number is divisible by 100.000, we can first check if
it is divisible by 3125, and, if so, if it is divisible by 32. However, there is a faster procedure: check
if the last five digits are zeros.
5.3. FREE-CHOICE SYSTEMS 115

Proof. Omitted. 

Conditions (1) and (2) can be checked using linear programming, condition (3)
using well-known algorithms of linear algebra, and condition (4) with the algo-
rithm of Section 4.4.1.

5.3.3 Reachability
The reachability problem is NP-hard for live and bounded free-choice nets.

Theorem 5.3.16 Reachability is NP-hard for live and bounded free-choice nets.

Proof. We reduce SAT to the following problem:

Given: A live and bounded free-choice system (N, M0 ) where N =

(S, T, F ), two disjoint sets T=1 , T≥1 ⊆ T , and a marking M .
Decide: Is M reachable from M0 by means of a firing sequence that
fires each transition of T=1 exactly once, and each transition of T≥1 at
least once?

Figure 5.7 shows the net N , the markings M0 and M , and the sets T=1 , T≥1 for
the formula x1 ∧ (x1 ∨ x2 ) ∧ (x1 ∨ x2 ). the formula has three clauses C1 , C2 , C3 .
The black tokens correspond to M0 , and the white tokens to M . Intuitively, the
net chooses a variable xi , and assigns it a value by firing txi or f xi . This sends
tokens to the three modules at the bottom of the figure, one for each clause. More
precisely, for each clause the transition sends exactly one token to one of the two
transitions of the module: if the value makes the clause true, then the token goes
to the input place of the transition that belongs to T≥1 ; otherwise the token goes to
the input place of the other transition. The formula is satisfiable iff the Petri net has
a firing sequence that fires each transition of T=1 exactly once, (this corresponds
to choosing a truth assignment) and each transition of T≥1 at least one (so that at
least one of the literals of each clause is true under the assignment).
Now we reduce the problem above to the reachability problem for live and
bounded free-choice nets. Given a net with sets T=1 , T≥1 ⊆ T , we “merge” each
transition of T≥1 with the transition t≥1 of a separate copy of the “module” shown
in Figure 5.8. Similarly, we merge each transition of T=1 with the transition t=1 of
a separate copy of the “module” shown in Figure 5.9.
The first module ensures that in order to reach the marking M the transition
t≥1 has to be fired at least once. The second module ensures that the transition t=1
has to be fired exactly once. 
 116CHAPTER 5. PETRI NET CLASSES WITH EFFICIENT DECISION PROCEDURES

Start

=1 =1

x1 x2

tx 1 fx1 tx 2 fx2

>
=1 >
=1 >
=1

C1 C2 C3

End

Marking M0
Marking M

Figure 5.7: Result of the reduction for the formula x1 ∧ (x1 ∨ x2 ) ∧ (x1 ∨ x2 )
5.3. FREE-CHOICE SYSTEMS 117

>1 Marking M 0
t=
Marking M

Figure 5.8: The first module

1111 00000
0000 11111 0000
1111
1111111111111111
0000000000000000
0000000000000000
1111111111111111
0000000000000000
1111111111111111
0000000000000000
1111111111111111 000
111
0000000000000000
1111111111111111
0000000000000000
1111111111111111 000
111
0000000000000000
1111111111111111
0000000000000000
1111111111111111
Marking M0
t= 1
00
110000000000000000
1111111111111111
0000000000000000
1111111111111111
001111111111111111
0000000000000000
Marking M

110000000000000000
1111111111111111
0000000000000000
1111111111111111
0000000000000000
1111111111111111
11111
00000 11111
00000
11111
00000

Figure 5.9: The second module.

118CHAPTER 5. PETRI NET CLASSES WITH EFFICIENT DECISION PROCEDURES

As for Commoner’s Theorem, membership in NP is harder to prove. It follows

from this theorem, due to Yamasaki et al.

Definition 5.3.17 Let N = (S, T, F ) be a net, and let U ⊆ T . The subnet NU =

(S 0 , T 0 , F 0 ) generated by U is given by:

• T0 = U,

• S 0 = • U ∪ U • , and

• F 0 = F ∩ ((S 0 × T 0 ) ∪ (T 0 × S 0 )).

Theorem 5.3.18 [Reachability Theorem]

Let (N, M0 ) be a live and bounded free-choice system. M is reachable from M0
iff there X ∈ N|T | such that

• M = M0 + N · X, and

• (NU , MU ) has no unmarked traps, where U = {t ∈ T | X(t) > 0} and

MU is the projection of M onto the places of NU .

Proof. Omitted. 

Membership in NP can then be proved as follows: Guess a set U ⊆ T , con-

struct NU , compute in polynomial time the maximal trap of NU unmarked at M ,
check that it is the empty trap, guess in polynomial time a vector X ∈ N|T | such
that X(t) ≥ 1 for every t ∈ U , and check that it is a solution of M = M0 + N · X.
Proving that the vector can be guessed in polynomial time follows from the fact
that Integer Linear Programming is also in NP. A more direct proof of membership
in NP follows from the Shortest Sequence Theorem for free-choice systems (see
Theorem 5.3.21 below).
For systems satisfying an additional condition there is a polynomial algorithm.
A Petri net (N, M0 ) is cyclic if, loosely speaking, it is always possible to return to
the initial marking. Formally: ∀M ∈ [M0 i : M0 ∈ [M i. We have:

Theorem 5.3.19 [Reachability Theorem for Cyclic Free-Choice Nets]

Let (N, M0 ) be a live, bounded, and cyclic free-choice system. A marking M of
N is reachable from M0 iff M0 ∼ M .

Proof. Omitted. 

Corollary 5.3.20 The problem

5.3. FREE-CHOICE SYSTEMS 119

Given: a live, bounded, and cyclic free-choice system (N, M0 ) and a

marking M
Decide: Is M reachable?

can be solved in polynomial time.

This result is only useful if we are able to check efficiently if a live and bounded
free-choice system is cyclic. The following theorem shows that this is the case:

Theorem 5.3.21 A live and bounded free-choice system (N, M0 ) is cyclic iff M0
marks every proper trap of N .

Proof. Omitted. 

5.3.4 Other properties

There is also a Shortest Sequence Theorem for live and bounded free-choice nets.

Theorem 5.3.22 [Shortest Sequence Theorem]

Let (N, M0 ) be a b-bounded free-choice system and let M be a reachable marking.
σ
Then there is an occurrence sequence M0 −→ M such that |sigma| ≤ b n(n +
1)(n + 2)/6, where n is the number of transitions of N .

This gives a simpler prove that the reachability problem for live and bounded
free-choice nets is in NP: just guess in polynomial time an occurrence sequence
leading to M .