
This paper considers the problem of establishing live resource allocation in workflows with synchronization stages. Establishing live resource allocation in this class of systems is challenging since deciding whether a given level of resource capacities is sufficient to complete a single process is NP-complete. In this paper, we develop two necessary conditions and one sufficient condition that provide quickly computable tests for the existence of process completing sequences. The necessary conditions are based on the sequence of completions of n subprocesses that merge together at a synchronization. Although the worst case complexity is O(2^n), we expect the number of subprocesses combined at any synchronization will be sufficiently small so that total computation time remains manageable. The sufficient condition uses a reduction scheme that computes a sufficient capacity level of each resource type to complete and merge all n subprocesses. The worst case complexity is O(n · m), where m is the number of synchronizations. Finally, the paper develops capacity bounds and polynomial methods for generating feasible resource allocation sequences for merging systems with single unit allocation. This method is based on single step look-ahead for deadly marked siphons and is O(2^n). Throughout the paper, we use a class of Petri nets called Generalized Augmented


Introduction
In recent years, liveness-enforcing supervisory control has been an active area of research for resource allocation systems characterized by processes with highly ordered, linear workflows. This research has been motivated to a large degree by the need to control resource allocation in large, highly automated manufacturing systems, where process workflow is highly sequential and is typically prespecified in a product's process plan. In brief, a sequential resource allocation system (RAS) consists of a set of resources, each available at a finite level, and a set of processes that progress through sequences of processing stages, with each stage requiring a predetermined set of the system resources. Furthermore, a process instance is allowed to advance to its next stage only when it has been granted the complete set of required resources, and only then will it release the currently held resources that are not required for the following stage.
Because the resource allocation schemes discussed above are embedded in the operation of many technologically advanced systems, a complete understanding of their worst case behaviors is essential when devising operating logic for their control. Indeed, if resource allocation is not properly constrained, the sequential RAS will attain resource allocation states from which further allocation or deallocation of some subset of resources is not possible. This situation is highly undesirable, because resource allocation stalls, the involved processes and the resources they hold are idle, and outside intervention to resolve and reset the system is required. Liveness-enforcing supervision seeks to avoid these situations and maintain completely smooth operation by imposing an appropriate supervisory control policy.
Reveliotis et al. [1] present a taxonomy for sequential RAS based on the structure of the allocation requests associated with the various processing stages. This taxonomy includes (i) single-unit (SU) RAS, which admits only linearly ordered process sequences with resource requests corresponding to standard unit vectors, (ii) conjunctive (C) RAS, which admits linearly ordered process flows with arbitrary resource requests, and (iii) disjunctive/conjunctive (D/C) RAS, which allows a process to use alternative workflow sequences. Lower-numbered classes in the taxonomy are specializations of the higher-numbered ones and therefore present simpler behaviors which are more easily analyzed and controlled. Indeed, many results on RAS liveness and the synthesis of tractable liveness enforcing supervisors (LES) have been developed for the SU-RAS class; see, for example, [2,3] for seminal papers. Researchers have also addressed the problem in the context of the more general classes of D-RAS, C-RAS, and D/C-RAS; see [4,5] for early results. An interesting discussion that provides a unifying perspective for many of these results, and also highlights the currently prevailing issues in the area, can be found in [6]. Additional recent reviews are provided in [7,8].
In [9], Reveliotis et al. extend the taxonomy of [1] to include RAS with process synchronizations, that is, RAS where a process may consist of several subprocesses operating independently until some synchronization stage is attained, at which point subprocesses recombine through merging and splitting and then continue as a new set. We shall refer to this class of RAS as A/D-RAS (assembly/disassembly RAS), since, in the case of manufacturing, this class covers products with both assembly and disassembly in their specified workflow. We note, however, that synchronization also commonly occurs in project management and business workflow scenarios, where finite resources must be allocated to competing tasks which must eventually merge and spawn successor tasks.
From the perspective of logical analysis and control, a major difference between the A/D-RAS and the classes addressed in the taxonomy of [1] is that we can no longer quickly be sure that a given level of resource capacities is sufficient to complete even a single process. More specifically, since a single process may consist of several concurrent and independently operating subprocesses, each requesting, using, and holding resources, there is no guarantee that resources are of sufficient capacity to allow these subprocesses to attain the required synchronization states. In this paper, we refer to this issue as the "quasi-liveness" problem since, by definition, an underlying Petri net model of the A/D-RAS is quasi-live if, for every transition of the net (including those representing synchronizations), there exists a sequence of transition firings (resource allocations) that enables that transition. In [9], it is established that the lack of quasi-liveness in the A/D-RAS can be explained by the presence of a particular type of deadly marked siphon in the underlying net dynamics, and that testing quasi-liveness, a rather easy task for nets modeling the D/C-RAS, becomes an NP-complete problem (cf. also [10] for a formal proof of the NP-completeness of the quasi-liveness problem in the considered RAS class). Thus, assessing process quasi-liveness raises important and novel research problems for this RAS class. For quasi-live processes, an additional issue is identifying sequences of resource allocations that enable the involved process synchronizations. Once such sequences have been identified, standard D/C-RAS deadlock avoidance policies can be implemented to control the concurrent allocation of resources across several concurrently operating processes.
We note that in [11], Xie and Jeng also study resource allocation in systems with synchronizations by analyzing a class of ordinary Petri nets called extended resource control nets (ERCN). More specifically, they develop structural characterizations of ERCN quasi-liveness and liveness that are based on the notion of empty siphons. In other work, Wu et al. [12] model assembly/disassembly processes using resource-oriented Petri nets. Based on these models, a deadlock control policy is proposed and proved to be computationally efficient and less conservative than the existing policies in the literature. Hsieh [13] develops a subclass of Petri net models called nonordinary controlled flexible assembly Petri nets with uncertainties for assembly systems and studies their robustness to resource failure. Hu et al. [14] propose a class of Petri nets to study automated manufacturing systems with either flexible routes or assembly operations. Using structural analysis, the authors show that liveness of such systems can be attributed to the absence of under-marked siphons.
Our work, on the other hand, places more emphasis on the associated design and control problems, seeking first to find resource levels that guarantee quasi-liveness and then to find resource allocation sequences that enable the synchronization transitions. In [15,16], we model the A/D-RAS using a subclass of Petri nets known as Generalized Augmented Marked Graphs (G-AMG). Based upon the notion of the reachability graph, we present an algorithm that determines the quasi-liveness of a process subnet by enumerating all execution sequences that are resource-enabled under the considered resource availability; if the net is quasi-live, there will be at least one sequence that leads to process completion. For a quasi-live process, the reachability graph provides complete information about the resource allocation sequences that can be used. Since the graph is exponential in size, it is generally necessary to select a smaller subset of sequences to use for supervision. Based on the work presented in [15,16], Choi [17] develops a mixed integer program that selects a small subset of process completing sequences for the development of liveness enforcing supervisors. This defines a manageable set of realizable behaviors the system can exhibit. The subset is selected such that a performance controller, posed as a Markov decision process, has the greatest potential to optimize system performance.
In this paper, we seek to develop more tractable methods of identifying process completing sequences for certain subclasses. More specifically, we define a special case of G-AMG, called G-AMG_A, which models a RAS comprising only "assembly" or merging operations. For RAS modeled by G-AMG_A's, we develop two necessary conditions for quasi-liveness which provide quick tests. We also develop a polynomial net reduction algorithm that can be used to compute resource levels sufficient to assure quasi-liveness.
We then turn our attention to the more restricted subclass of G-AMG_A, G-AMG_ASU, in which resource allocation is of the single-unit type. For this class, we develop resource bounds that guarantee quasi-liveness. We also present a polynomial algorithm for computing resource-feasible sequences when the resource bounds are met.
We organize the remainder of the paper as follows. Section 2 presents and discusses our A/D-RAS model. Section 3 develops the necessary conditions, the sufficient condition, and the net reduction algorithm for generating a process completing sequence for the G-AMG_A. Section 4 develops sufficient resource bounds along with a polynomial algorithm for generating process completing sequences in assembly systems with single unit resource allocation, G-AMG_ASU. Finally, Section 5 provides concluding remarks and discusses future research.

The G-AMG Model for the A/D-RAS
References [9,12] formally define the G-AMG structure for the A/D-RAS. For completeness, the Appendix repeats this definition. Figure 1 provides an example of a G-AMG process net.
Note from Figure 1 that the net has an initial place, p_0, marked with a single token. This represents the uninitiated process. The initial transition, t_I, serves as the order release transition, which initiates production of the five subprocesses. The places of t_I•, call this set P_I, hold the released subprocess orders. No resources are allocated to subprocesses in P_I; that is, t_I merely releases orders for the subprocesses and does not allocate resources. This is indicated by the zero need vector associated with the places in P_I.
We use P_S to represent the set of places that model processing operations, typically those with nonzero resource need, and T_S to represent the transitions that allocate and deallocate resources. Thus, resource places are only connected to transitions in T_S. Note that the sequential logic underlying the execution of the set of subprocesses is expressed by the induced subnet P_S ∪ T_S.
Places of P_S are labeled with the resource need for three resource types. We do this to simplify the figure. In fact, each resource type has its own place (the set of resource places is P_R), marked with a number of tokens representing its capacity (we denote the capacity of resource r_i by C_i). Consider Figure 2, illustrating the connectivity for resource r_1. The weight W(r_1, t_1) = 1 represents the number of units of r_1 requested by the subprocess at t_1. The need of a process place p ∈ P_S with respect to some resource r_i ∈ P_R is expressed by the value u_i(p), where u_i is the p-semiflow introduced by item 5 of Definition A.11.
Note that resource types support the execution of the different requesting subprocesses in a reusable fashion, that is, their utilization does not diminish their capacity.
Firing of t_7 ∈ T_S represents the completion of the process. This event deallocates all resources and places a token in the final completion place, p_F ∈ P_F. When this happens, the final transition, t_F, which signals process completion, is allowed to fire and a new process release is enabled. Only places of P_F provide input to t_F, t_F is the only input of p_0, and p_0 is the only output of t_F. Also, p_0 is the only input of t_I, and t_I is the only output of p_0. Finally, t_I is the only input of places in P_I, and these places connect to transitions in T_S. Since the process net (without resource places) is a marked graph, each place in {p_0} ∪ P_I ∪ P_S ∪ P_F has exactly one input and one output. This implies that processes can exhibit concurrency and synchronization but not choice. To be well-defined, we require that the process net be strongly connected. Finally, we will say that P = {p_0} ∪ P_I ∪ P_S ∪ P_F, T = {t_I, t_F} ∪ T_S, N = P ∪ T and N_R = (P ∪ P_R) ∪ T. To summarize, we have the following notation.

p_0: Initial process place. The initial marking of p_0 specifies the maximum number of concurrently executing processes.
P_I: Places that hold subprocesses ready to begin processing.
P_S: Places where processing occurs. These typically have associated resource needs.
P_F: Places holding the completed process.
P_R: The set of resource places.
P: {p_0} ∪ P_I ∪ P_S ∪ P_F, all places except resource places.
t_I: The "order release" transition.
T_S: Transitions that allocate and deallocate resources and that synchronize, merge, or split subprocesses.
t_F: The "process completion" transition.
T: {t_I, t_F} ∪ T_S, the set of transitions.
W(r, t): The number of units of resource r requested at transition t.
N: P ∪ T, the process net without resources.
N_R: (P ∪ P_R) ∪ T, the process net with resources.
As previously stated, the Appendix (Definition A.11) provides the formal definition.
As mentioned in the introduction, assessing the quasi-liveness of the G-AMG is NP-complete [10]. Thus, determining whether or not a given process has a sequence of transition firings (resource allocations) that enables t_F requires super-polynomial computation in the general case. Detailed discussions on quasi-liveness and related issues for the general case can be found in [12,14].
In this paper, we investigate live resource allocation for assembly systems only; that is, we impose that for all t ∈ T_S ⊆ N_R, t• ∩ P_S is a singleton. In Section 3, we develop conditions that provide quickly computable tests of quasi-liveness. In Section 4, we develop polynomial methods for resolving quasi-liveness and generating feasible resource allocation sequences for assembly systems with single unit resource allocation.

The G-AMG_A Model for the A-RAS
This section develops results for the subclass, referred to as G-AMG_A, of A/D-RAS systems restricted to assembly only (A-RAS). In other words, systems in G-AMG_A ⊆ G-AMG have subprocess merging but no splitting. For this subclass of systems, N is restricted as follows: for all t ∈ T_S, |t• ∩ P_S| = 1. Thus, a transition (other than t_I) can perform no splitting operation; that is, there is no disassembly. For this subclass, we develop a set of quick tests for quasi-liveness based on necessary conditions and a sufficient condition. The necessary conditions are based on local tests of "place concurrence" for each synchronizing transition. If these conditions are not met, then the net is not quasi-live. If these tests do not indicate a lack of quasi-liveness, we then perform a polynomial sufficiency test that, if met, guarantees quasi-liveness and provides resource-enabled execution sequences.

Necessary Conditions for A-RAS.
Consider an N_R. Let T_Synch be the set of transitions that synchronize subprocesses, that is, the transitions t ∈ T_S with more than one input place in P_S. For example, in Figure 1, T_Synch = {t_5, t_6, t_7}. We note that for each t ∈ T_Synch, all places in •t ∩ P_S must be simultaneously marked for synchronization to occur. Further, there must exist sufficient remaining unallocated resources to fire the synchronization once these places are marked. For example, in Figure 1, for t_5 to be process enabled, it is necessary that the three subprocesses synchronized at t_5 are simultaneously allocated a total of three units of resource type r_2. To resource enable t_5, one additional unit of r_2 is required. Thus, if the capacity of r_2 is less than three, t_5 cannot be process enabled, and if the capacity of r_2 is less than four, t_5 cannot be both process and resource enabled. Thus, as illustrated by this example, if there exists t ∈ T_Synch and a resource r_i such that the units of r_i held by the subprocesses in •t ∩ P_S plus the units W(r_i, t) requested at t exceed the capacity C_i, then N_R cannot be quasi-live. This is our first necessary condition: resource capacities must be sufficient for every t ∈ T_Synch to be both process enabled and resource enabled.
Further, note that transitions t_5 and t_6 must be fired to process-enable t_7. Since we fire only one transition at a time, these must be fired in some order. Suppose t_6 is fired before t_5. Then the subprocess at place t_6• ∩ P_S will be assembled and holding two units of r_3 after firing t_6. Then, to fire t_5, the subprocesses at •t_5 ∩ P_S will need to be holding five units of r_3. Thus, r_3 must have at least seven units of capacity if t_6 fires before t_5.
On the other hand, if t_5 is fired before t_6, then the subprocess at place t_5• ∩ P_S will be assembled and holding two units of r_3. Then, to fire t_6, the subprocesses at •t_6 ∩ P_S will need to be holding three units of r_3. Thus, r_3 must have at least five units of capacity if t_5 fires before t_6. Clearly, if r_3 has capacity four, the net is not quasi-live. If r_3 has capacity five or six, t_5 t_6 is resource enabled but t_6 t_5 is not. If r_3 has capacity seven or greater, both sequences are resource enabled.
More generally, suppose t ∈ T_Synch has K subprocess input places, that is, |•t ∩ P_S| = K. Since N is a marked graph, each p ∈ •t ∩ P_S has exactly one input transition, and since N is assembly only (each transition has a single output place in P_S), these K input transitions are distinct. Thus, to process enable t, these K transitions will have to be fired in some order. Label the input transitions t^(1), t^(2), ..., t^(K) and their output places p^(1), p^(2), ..., p^(K) accordingly. Firing t^(1) marks p^(1), firing t^(2) marks p^(2), and so forth. When {p^(1), p^(2), ..., p^(K)} are all marked, t is process enabled. With unlimited resources, there are K! possible firing sequences of {t^(1), t^(2), ..., t^(K)} that process-enable t (assuming each is fired only once). However, with finite resource capacities, some (possibly all) of these firing sequences may be infeasible. For example, in Figure 1, if r_3 has capacity six, then the firing sequence t_6 t_5 is not possible, although t_5 t_6 is.
Let σ_k be the set of partial firing sequences of {t^(1), t^(2), ..., t^(K)} of length k ≤ K (again assuming that each transition occurs at most once in any sequence of σ_k). Note that σ ∈ σ_k marks k places of •t ∩ P_S and leaves K − k unmarked. If there exists k < K such that for every marked k-subset of {p^(1), p^(2), ..., p^(K)}, all input transitions to the unmarked (K − k)-complement are resource disabled, then N_R cannot be quasi-live.
Putting this more formally, let S_k be a k-subset of {p^(1), p^(2), ..., p^(K)}; the net fails the test when, for some k < K, every such S_k leaves all the input transitions of its (K − k)-complement resource disabled. This is our second necessary condition: resource capacities must be sufficient to fire all the input transitions to the subprocess input places of each t ∈ T_Synch.
Algorithm 1 checks these necessary conditions. The algorithm starts with a For loop that tests every synchronization transition for violations of the two necessary conditions. The first check is for necessary condition 1, where the resources required to process-enable plus the resources required to resource-enable the synchronization are compared to the resource capacities. If a violation is found, then the net cannot be quasi-live, and the algorithm terminates by returning not quasi-live.
If no violation of the first necessary condition is found, then the algorithm initiates a While loop for testing the second condition. The first step is to initialize a subset counter which, for the given synchronization transition, counts the number of k-subsets of the process input places that violate the second necessary condition. If it is found that all k-subsets violate the second necessary condition, that is, subset count = total number of k-subsets, then the algorithm terminates by returning not quasi-live.
Note that the inner For loop determines whether a given k-subset violates the second necessary condition or not. It does this by checking all the places in the (K − k)-complement to see if their input transitions are resource enabled. If none is, then none of these places can be marked, and the synchronization cannot be process enabled by first marking the k-subset and then firing the input transitions of the (K − k)-complement. If this is true for a k-subset, then that k-subset violates the second condition and the counter, subset count, is incremented. Again, if we find k < K such that all k-subsets violate the second necessary condition, that is, subset count = total number of k-subsets, then the algorithm terminates by returning not quasi-live.
We note that Algorithm 1 enumerates all subsets of the input places for each synchronization transition, and thus, in the strictest sense, this check is of exponential complexity. However, we expect that the number of subprocesses combined at any synchronization will be sufficiently small that the total computation of Algorithm 1 will be quite small in comparison to the complete enumeration of the reachability graph in [12,14], and therefore the check is worthwhile.
If no violation of either necessary condition is found, then quasi-liveness remains unverified; that is, we cannot say whether the net is quasi-live or not. In the following section, we develop a sufficient condition for quasi-liveness and an algorithm for generating a process completing sequence based on this sufficient condition.
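As an added example, not the paper's own Algorithm 1 and not its Figure 1, the following Python implements the two necessary-condition checks described above on a constructed assembly net with the same shape as the example (three subprocesses merge at t5, two at t6, and the two assembled subprocesses merge at t7). The place and transition names, the holding vectors u(p), the requests W(r, t) and the capacities are constructed values; the demand of a transition is taken to be what its input places hold plus what the transition requests, which is the quantity the text counts when it says that t_5 must be holding five units of r_3. Condition 2 is tested for k = 0, ..., K − 1, so k = 0 covers the case that no input transition can fire at all.

```python
from itertools import combinations

RES = ("r2", "r3")

# Constructed example net (assumed values, not Figure 1).  HOLD[p] is u(p): the units of
# each resource a subprocess holds while sitting in place p.  o1..o5 are the P_I places,
# which hold nothing because t_I allocates no resources.
HOLD = {
    "o1": {}, "o2": {}, "o3": {}, "o4": {}, "o5": {},
    "q1": {"r2": 1, "r3": 1}, "q2": {"r2": 1, "r3": 1}, "q3": {"r2": 1, "r3": 1},
    "s1": {"r3": 1}, "s2": {"r3": 1},
    "pa": {"r3": 2},     # t5's output: the assembled subprocess holds two units of r3
    "pb": {"r3": 2},     # t6's output
    "pend": {},
}
# Marked-graph structure: every transition has exactly one output place (assembly only).
# a1..a5 take the five subprocesses out of P_I; t5, t6 and t7 are the synchronizations.
INPUTS = {"a1": ["o1"], "a2": ["o2"], "a3": ["o3"], "a4": ["o4"], "a5": ["o5"],
          "t5": ["q1", "q2", "q3"], "t6": ["s1", "s2"], "t7": ["pa", "pb"]}
OUTPUT = {"a1": "q1", "a2": "q2", "a3": "q3", "a4": "s1", "a5": "s2",
          "t5": "pa", "t6": "pb", "t7": "pend"}
# REQUEST[t] is W(., t), the units requested at t.
REQUEST = {"a1": {"r2": 1, "r3": 1}, "a2": {"r2": 1, "r3": 1}, "a3": {"r2": 1, "r3": 1},
           "a4": {"r3": 1}, "a5": {"r3": 1},
           "t5": {"r2": 1, "r3": 1}, "t6": {"r3": 1}, "t7": {}}
SOURCE = {p: t for t, p in OUTPUT.items()}      # place -> its unique input transition


def held(places):
    """Units of each resource held in total by the subprocesses sitting in `places`."""
    return {r: sum(HOLD[p].get(r, 0) for p in places) for r in RES}


def demand(t):
    """Units that must be simultaneously allocated to fire t: what its input
    subprocesses already hold plus what t requests (process- plus resource-enabled)."""
    h = held(INPUTS[t])
    return {r: h[r] + REQUEST[t].get(r, 0) for r in RES}


def resource_enabled(t, marked, cap):
    """Can t fire while the subprocesses in `marked` keep what they hold?"""
    busy, d = held(marked), demand(t)
    return all(d[r] + busy[r] <= cap[r] for r in RES)


def check_necessary_conditions(cap):
    """Algorithm 1 as described in the text: ('not quasi-live', reason) or ('unverified', None)."""
    synch = sorted(t for t, ps in INPUTS.items() if len(ps) > 1)      # T_Synch
    for t in synch:
        # Condition 1: the synchronization must be both process- and resource-enableable.
        if any(demand(t)[r] > cap[r] for r in RES):
            return "not quasi-live", f"condition 1 at {t}"
        # Condition 2: for some k < K, every marked k-subset of the K input places leaves
        # the input transitions of all K-k unmarked places resource-disabled.
        places = INPUTS[t]
        for k in range(len(places)):
            subsets = list(combinations(places, k))
            violating = sum(
                1 for S in subsets
                if not any(resource_enabled(SOURCE[p], S, cap) for p in places if p not in S)
            )
            if violating == len(subsets):
                return "not quasi-live", f"condition 2 at {t}, k={k}"
    return "unverified", None


if __name__ == "__main__":
    for cap in ({"r2": 3, "r3": 5}, {"r2": 4, "r3": 4}, {"r2": 4, "r3": 5}):
        print(cap, "->", check_necessary_conditions(cap))
```

With capacities (r2, r3) = (3, 5), condition 1 fails at t5: its three inputs hold three units of r2 and t5 requests a fourth. With (4, 4), every synchronization passes condition 1, but at t7 each of the two 1-subsets leaves the remaining input transition resource-disabled (t6 needs three units of r3 while pa holds two, and t5 needs four while pb holds two), so condition 2 reports not quasi-live; this is the same ordering argument as the r_3 discussion above. With (4, 5), neither condition fires and quasi-liveness remains unverified.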

Sufficient Condition Test for Quasi-Liveness of the A-RAS.
This subsection develops a sufficiency test for the G-AMG_A model. The test makes use of reductions performed on two types of structures contained in the G-AMG_A. In Figure 3, consider the three net segments {t_I, p_1, t_1, p_2, t_2, p_3, t_10}, {t_I, p_4, t_4, p_5, t_5, p_6, t_10}, and {t_I, p_7, t_7, p_8, t_8, p_9, t_10}. These represent the sequential processing steps of the three subprocesses marking places {p_1, p_4, p_7} ⊆ P_I that synchronize at t_10. Any interaction between the three subprocesses is strictly limited to resource competition; otherwise their processing up to t_10 is independent and possibly concurrent, depending on resource capacities.
We note the following.
(1) The subprocess of p_1 requires a total allocation of (1, 1, 0) in order to reach p_3, where it will release the unit of r_1 and hold the unit of r_2.
(2) The subprocess of p_4 requires a total allocation of (0, 1, 1) in order to reach p_6, where it will release the unit of r_2 and hold the unit of r_3.
(3) The subprocess of p_7 requires a total allocation of (1, 0, 1) in order to reach p_9, where it will release the unit of r_3 and hold the unit of r_1.
Thus, if we have sufficient resources to simultaneously allocate (1, 1, 0) to the first subprocess, (0, 1, 1) to the second, and (1, 0, 1) to the third, then we are sure that the three subprocesses can reach the synchronization stage. Thus, we say that if C ≥ (1, 1, 0) + (0, 1, 1) + (1, 0, 1) = (2, 2, 2), component-wise, then resource capacities are sufficient to process-enable the synchronization at t_10.
We refer to a structure such as {t_I, p_1, t_1, p_2, t_2, p_3, t_10} as a Type-I structure; that is, a Type-I structure is a segment t_I, p^(1), t^(1), p^(2), t^(2), ..., t^(k−1), p^(k), t of N satisfying five conditions: p^(1) is an output place of t_I; all places p^(1), ..., p^(k) are nonresource places; none of the intermediate transitions t^(1), ..., t^(k−1) is a synchronization; the last transition t is a synchronization; and the structure contains at least three places (k ≥ 3).
Thus, a Type-I structure of N is a path in N with at least three places that begins with t_I, ends with a synchronization, and has the property that none of its intermediate transitions is a synchronization.
Applying this reduction to the three Type-I structures in the example yields the net shown in Figure 4. Note that the net now contains no Type-I structure. More formally, let ρ_1 represent a Type-I reduction on net N, and let ρ_1(N) be the resulting net. Then ρ_1 applies the following actions to N: for each Type-I structure t_I, p^(1), t^(1), p^(2), ..., p^(k), t, it sets Ψ_i(p^(k)) to the maximum of u_i over the places of the structure for each resource r_i, and it deletes the intermediate places p^(2), ..., p^(k−1) together with their output transitions t^(2), ..., t^(k−1), so that the structure collapses to t_I, p^(1), t^(1), p^(k), t (compare the segment t_I, p_1, t_1, p_3, t_10 of Figure 4).
Note that Ψ_i(p^(k)) retains the maximum usage of resource r_i along the Type-I structure. Thus, the resource bound associated with the undeleted place p^(k) will be the number of units of each resource required for the subprocess to reach the synchronization transition.
We note that all Type-I structures can be found in a number of steps polynomial in the numbers of places and transitions. We now proceed to our second reduction. Consider the net segments {t_I, p_1, t_1, p_3, t_10}, {t_I, p_4, t_4, p_6, t_10}, and {t_I, p_7, t_7, p_9, t_10} of Figure 4. We refer to this structure as a Type-II structure, that is, a set of at least two parallel segments, each starting at t_I, with two intermediate places, and ending at the same t ∈ T_Synch.
More formally, a Type-II structure is composed of m > 1 parallel segments in N ending in the same t ∈ T_Synch, the ith segment being t_I, p^(i1), t^(i1), p^(i2), t, where p^(i1) ∈ t_I• and the segments for i ≠ j share no place or transition other than t_I and t. A Type-II reduction, ρ_2, is similar to the Type-I reduction in that it applies a bound update and then a net reduction. We first illustrate the bound update and reduction and then state it more formally.
To understand the next bound update, consider the nets of Figure 5. Each place in (a) is labeled with its resource need. To mark p_3, we require (1, 2, 1) units of resources r_1, r_2 and r_3; thus, in (b), Ψ(p_3) = (1, 2, 1). Similarly, Ψ(p_6) = (2, 2, 3) and Ψ(p_9) = (4, 1, 2) for places p_6 and p_9, respectively, as shown in (b).
Places in (b) are also labeled with their original resource needs, u(p_3), u(p_6), and u(p_9). Now, for p_3, p_6, and p_9, consider δ_i(p_k) = Ψ_i(p_k) − u_i(p_k). We refer to δ_i(p_k) as the "return" of resource r_i by the corresponding subprocess, and we let δ(p_k) denote the vector with components δ_i(p_k). Sort the places {p_3, p_6, p_9} by decreasing return of r_1. This gives the ordered set p_9, p_6, p_3, since δ_1(p_9) = 4 ≥ δ_1(p_6) = 2 ≥ δ_1(p_3) = 0. In Figure 5(a), if we first mark p_9, then p_6, and finally p_3 according to the firing sequence σ = t_5 t_6 t_3 t_4 t_1 t_2, the following capacity constraints must be met (C is the resource capacity vector):
Ψ(p_9) ≤ C,
u(p_9) + Ψ(p_6) ≤ C,
u(p_9) + u(p_6) + Ψ(p_3) ≤ C.
Taking the component-wise max across these constraints yields (4, 3, 5) ≤ C. Thus, (4, 3, 5) is necessary and sufficient to execute σ = t_5 t_6 t_3 t_4 t_1 t_2. We will refer to σ as a "serialized" firing sequence, since it advances the Type-I subprocesses to the synchronization transition one at a time. In other words, a serialized firing sequence does not allow parallel Type-I subprocesses to process in parallel. We refer to the computed bounds as serialized bounds.
Note that if we sort {p_3, p_6, p_9} in any other way, say p_6, p_3, p_9, we get a different serialized firing sequence for marking the places and a different set of resource bounds (in this case, t_3 t_4 t_1 t_2 t_5 t_6 and (5, 3, 3), respectively). The bound for r_1 can be no smaller than the one obtained from the return-sorted order, although the bounds for r_2 and r_3 might be tighter. This is established by the following lemma.

Lemma 1. Let p_j and p_k be two places in a Type-II structure, where δ_i(p_j) and δ_i(p_k) are the returns of resource r_i for p_j and p_k, respectively, and suppose δ_i(p_j) ≥ δ_i(p_k). Then max(Ψ_i(p_j), Ψ_i(p_k) + u_i(p_j)) ≤ max(Ψ_i(p_k), Ψ_i(p_j) + u_i(p_k)).

Before going to the proof, note (recall) the following: (1) u_i(p_j) is the need (number of units held) of r_i at p_j; (2) Ψ_i(p_k) is the maximum need for r_i along the Type-I structure leading to p_k; (3) given that the jth subprocess has advanced to p_j, Ψ_i(p_k) + u_i(p_j) is a lower bound on the number of units of r_i required to advance the kth subprocess from its place in P_I to p_k; (4) given that the jth and kth subprocesses are both at their initial places in P_I, max(Ψ_i(p_j), Ψ_i(p_k) + u_i(p_j)) is a lower bound on the number of units of r_i required to first advance the jth subprocess to p_j and then the kth subprocess to p_k.

Proof.
By assumption δ_i(p_j) ≥ δ_i(p_k). Further, Ψ_i(p_j) ≥ δ_i(p_j), since the jth subprocess cannot return more of r_i than it is allocated. Then, writing u_i(p_j) = Ψ_i(p_j) − δ_i(p_j),
Ψ_i(p_k) + u_i(p_j) = Ψ_i(p_k) + Ψ_i(p_j) − δ_i(p_j) ≤ Ψ_i(p_k) + Ψ_i(p_j) − δ_i(p_k) = Ψ_i(p_j) + u_i(p_k),
and trivially Ψ_i(p_j) ≤ Ψ_i(p_j) + u_i(p_k), so each term of the left-hand maximum is bounded by the right-hand maximum. The point is that if we advance the subprocesses serially, that is, one at a time, from their places in P_I to their synchronization transition in order of decreasing return of r_i, then we minimize the need for r_i in the serial advancement.
We can now formally state the bound update and net reduction. To understand the subscripts, refer to the definition of a Type-II structure given above. Our approach is to identify a critical resource, r_c, perhaps one that is most constraining or most expensive, and to compute the bounds for Type-II reductions using the returns of r_c as the sorting key for ordering the corresponding subprocesses.

Resource Bound Update for Critical Resource, r c
For a Type-II structure with segments t_I, p^(i1), t^(i1), p^(i2), t, i = 1, ..., m, sort the places p^(i2) by decreasing return δ_c(p^(i2)) = Ψ_c(p^(i2)) − u_c(p^(i2)) of the critical resource, and update the bound Ψ(p^(12)) of the place in the first segment to the component-wise maximum of the serialized constraints obtained from this order, as illustrated above; the remaining m − 1 segments are then deleted. Subsequently, let ρ_2(N) denote the net resulting from a Type-II reduction having been applied to N; that is, in ρ_2(N) all Type-II structures have been reduced. Clearly, all Type-II structures in a net can be found in a number of steps polynomial in the numbers of places and transitions.
Let us now apply a Type-II reduction to the net of Figure 4. Assuming that r_1 is the critical resource, we obtain the net depicted in Figure 6 (note that a new Type-I structure has emerged).
Lemma 2 guarantees that the computed bounds are sufficient for some serialized firing sequence.

Lemma 2. Consider a Type-II structure whose segments end in the places p_1, ..., p_m, and let σ_j be the firing sequence that advances the jth subprocess from its place in P_I to p_j. Sort the places by decreasing return of the critical resource r_c (perhaps arbitrarily chosen), δ_c(p) = Ψ_c(p) − u_c(p), and let p_1, p_2, ..., p_m be the sorted order. Then, if the resource capacities satisfy the constraint set
Ψ(p_1) ≤ C,
u(p_1) + Ψ(p_2) ≤ C,
...,
u(p_1) + u(p_2) + ... + u(p_(m−1)) + Ψ(p_m) ≤ C,
we can first fire σ_1 and mark p_1, next fire σ_2 and mark p_2, and so forth. Thus, by updating Ψ(p^(12)) with the component-wise maximum of the left-hand sides of these constraints before the Type-II reduction, we assure that Ψ(p^(12)) in ρ_2(ρ_1(N)) is a resource level sufficient to enable the firing sequence σ_1 σ_2 ... σ_m in N.
We will now establish some necessary properties of these reductions. We note that the reductions are defined on N and not on N_R ∈ G-AMG_A. For the sake of brevity, we will use the notation "N ∈ G-AMG_A implies ρ(N) ∈ G-AMG_A" to indicate that a reduction preserves the class-defining structure of the process flow. Note that in the strictest sense, if N_R ∈ G-AMG_A and N is the corresponding process subnet, then N ∈ G-AMG_A, since it represents a valid process flow with no resource requirements.

Lemma 5. If N ∈ G-AMG_A and N ≠ ℵ, the irreducible form, then there exists a Type-I or Type-II structure in N.
Proof. Suppose that N is not irreducible. Then T_S ≠ ∅.
Suppose that there exists neither a Type-I nor a Type-II structure. Then, since no Type-I structure exists, every t_u ∈ T_S is a synchronization. This implies that |t_I•| > 1; otherwise there are no subprocesses to synchronize. Since no Type-II structure exists, no pair (p_j, p_k) of places in t_I• heads two segments of a common Type-II structure. This implies that for every p_j ∈ t_I•, there exists p_u ∉ t_I• such that p_j and p_u synchronize at p_j•. Note that there must be a path from t_I to p_u, and the first node of this path, say p_v, must be in t_I•. Further, the synchronization transition p_v• must fire before p_u can be marked. Thus, for every p_j ∈ t_I• there exists p_v ∈ t_I• such that p_v• must be enabled and fired before p_j• can be enabled and fired. Since t_I• is finite, this implies a cyclic dependency among the transitions of t_I••, which contradicts the implication of Definition A.11 that every cycle of N passes through p_0.
With these results, the following theorems are now straightforward.

Theorem 1. For every N ∈ G-AMG_A, there is a finite sequence of reductions that maps N to irreducible form. Further, the sequence length is O(|P_S|).
Proof. Suppose N ∈ G-AMG_A is not in irreducible form. Then it can be reduced by the following algorithm, which will return the required sequence of reductions: Note that if η is not irreducible, then ρ_2(ρ_1(η)) has fewer places than η. Since N has finitely many places, the While loop will terminate in a finite number of steps, not larger than |P_S|, since each iteration eliminates at least one place.
Algorithm 2 uses Type-I and Type-II reductions to compute resource levels sufficient to guarantee quasi-liveness. The algorithm starts with N and, for each process place, defines a bounding function Ψ for each resource. This bounding function is initialized to the resource need of the place. The While loop then updates the bounding function and applies reductions until the net is irreducible, at which point the resource bounds are returned.
More specifically, in the first For loop, the resource bound of the last place of each Type-I structure is updated with the maximum resource usage along the structure. Thus, the resource bound associated with the last place of each Type-I structure will be the number of units of each resource necessary for the subprocess to reach the synchronization transition. After these updates, the net reduction is applied.
After the Type-I reduction, if the net is not irreducible, at least one Type-II structure will be present. For each Type-II structure, say {t_I, p_(11), t_(11), p_(12), t_j; t_I, p_(21), t_(21), p_(22), t_j; ...; t_I, p_(m1), t_(m1), p_(m2), t_j}, the second For loop first updates the resource bounds of the place in the first path, t_I, p_(11), t_(11), p_(12), t_j, as illustrated and discussed above, and then deletes the other places.

The first constraint says that a subprocess must be allocated a resource for its first processing step. The second says that no more than one unit of one resource type may be requested at a transition. The third says that when a unit of resource is allocated at a transition, all resources held by the requesting subprocesses must be returned. Finally, the fourth says that if a transition does not allocate a resource, then the return must be exactly one unit less than the number currently held (except for transitions in •P_F, which release all resources). We have the following lemma.
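The two bounding steps of Algorithm 2 (the Type-I maximum along a chain, and the serialized Type-II merge ordered by decreasing return of a critical resource) can be worked through on resource-need vectors directly. The following is an added example, not the paper's own code: `chain_bound`, `bound_for_order` and `serialized_merge_bound` are names chosen here, the input instance is constructed, and since the page does not reproduce the constraint set C, the merge constraint used (resource h must offer Ψ_h(p_i) plus the units already held by the subprocesses fired earlier) is an inferred form and is labelled as such in the code.

```python
"""Added example: serialized capacity bounds for one synchronization.

Models the Type-I / Type-II steps of the reduction described above on
resource-need vectors u(p) (one entry per resource type r_1..r_m).
Not the paper's code; the merge constraint is inferred from the text.
"""
from typing import List, Sequence, Tuple

Vec = List[int]


def vmax(a: Sequence[int], b: Sequence[int]) -> Vec:
    """Component-wise maximum of two resource vectors."""
    return [max(x, y) for x, y in zip(a, b)]


def chain_bound(chain: Sequence[Vec]) -> Vec:
    """Type-I step: bound Psi for the last place of a linear chain.

    `chain` holds u(p) for each place along the chain, in order.  The
    subprocess must hold u(p) at every place it passes through, so the
    level that lets it reach the synchronization is the component-wise
    maximum of the usage along the chain.
    """
    psi = list(chain[0])
    for u in chain[1:]:
        psi = vmax(psi, u)
    return psi


def bound_for_order(psis: Sequence[Vec], holds: Sequence[Vec],
                    order: Sequence[int]) -> Vec:
    """Capacity vector that lets the merging subprocesses reach their last
    places one after another in the given order.

    When subprocess i is brought to its last place, the subprocesses fired
    before it are already waiting there, each holding u(p_j); so resource h
    must offer Psi_h(p_i) plus those held units.  (Assumed form of the
    constraint set; the page does not reproduce it.)
    """
    m = len(psis[0])
    bound = [0] * m
    held = [0] * m
    for i in order:
        need = [psis[i][h] + held[h] for h in range(m)]
        bound = vmax(bound, need)
        held = [held[h] + holds[i][h] for h in range(m)]
    return bound


def serialized_merge_bound(psis: Sequence[Vec], holds: Sequence[Vec],
                           critical: int) -> Tuple[List[int], Vec]:
    """Type-II step: order the merging paths by decreasing return of the
    critical resource r_c, delta_c(p) = Psi_c(p) - u_c(p), and return
    (order, bound).  Bringing first the subprocesses that give back most
    of r_c keeps the peak demand on r_c low; other resources may still be
    affected by the choice of r_c, which is why the text calls it
    'perhaps arbitrarily chosen'.
    """
    order = sorted(range(len(psis)),
                   key=lambda i: psis[i][critical] - holds[i][critical],
                   reverse=True)
    return order, bound_for_order(psis, holds, order)


if __name__ == "__main__":
    # Constructed instance: two subprocesses merge, one resource type.
    chain_a = [[1], [3], [1]]   # u(p) along subprocess A's chain
    chain_b = [[2], [2]]        # u(p) along subprocess B's chain
    psis = [chain_bound(chain_a), chain_bound(chain_b)]   # [3], [2]
    holds = [chain_a[-1], chain_b[-1]]                    # [1], [2]
    order, bound = serialized_merge_bound(psis, holds, critical=0)
    print("order", order, "bound", bound)                 # order [0, 1] bound [3]
    print("reverse order bound",
          bound_for_order(psis, holds, order[::-1]))      # [5]
```

On the constructed instance, firing the subprocess with the larger return first needs 3 units of the single resource, whereas the opposite order needs 5, which is the effect the sort by decreasing return is after. Because the serialized bound is computed for one ordering only, it is a sufficient level, not a minimal one.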
Lemma 7. For any p ∈ P_S \ (P_I ∪ P_F), the resource need vector is an m-dimensional unit vector.
Proof. For p ∈ P_S \ (P_I ∪ P_F) we consider the following exhaustive cases.
Case 1. Suppose u_h(p) = 0 for h = 1, ..., m. By (1), p ∉ P_I••, but there must be a path, say γ, from some p_u ∈ P_I to p. The first transition of the path, p_u•, allocates one unit of some resource to the corresponding subprocess. Thus, some transition along γ must deallocate all resources with no additional allocation. This violates (4).
Case 2. Suppose u_h(p) = k > 1 for some r_h. Either these k units of r_h are accumulated through at least k transitions or they result from insufficient resource release at the firing of a synchronization transition. By (3), when a resource is allocated to a set of requesting subprocesses, all resources held by those subprocesses must be released. Thus, resources cannot be accumulated through consecutive transition firings. By (4), if no resources are allocated at a transition, the corresponding subprocesses must still return all resources held except one. Thus, u_h(p) = k > 1 for some r_h violates both (3) and (4).
Case 3. Suppose u_h(p) = 1 and u_k(p) = 1 for two distinct resources r_h and r_k. By the logic of Case 2, this is impossible.

Now, for N_R ∈ G-AMG_ASU, the reversed subnet, N_R, as defined in Section 3, has splitting (disassembly) but no merging. In the following, we use the reversed subnet to develop resource bounds that guarantee quasi-liveness and polynomial sequence enumeration for N_R. Note that t_u ∈ T_Synch in N_R is a disassembly transition in the reversed subnet. Let T_Split be the set of disassembly transitions in the reversed subnet. Note that for t ∈ T_Split,

Proof. Let N be initially marked as given above. Note that N_i is a strongly connected marked graph with every circuit containing the place p_0, initially marked with exactly one token. For t_j ∈ LT^h_Split, there exists a path from t_F to t_j, say τ_j. Note that there exists a circuit passing through t_j, say γ_j, such that τ_j is a subpath of γ_j. For any other t_k ∈ LT

Note that |LT^h_Split| can be quickly and easily computed for each resource and will play an important role in developing an enumeration policy for N_R. Now consider the following lemma.
Lemma 9. Given an N_R, suppose M_0(p_0) = 1, M_0(p) = 0 for all p ∈ P_S ∪ P_I ∪ P_F, and that M_0 [⟩ M_k. Define the induced marking M*_k as follows: If the marking M*_k is free of deadly marked siphons, then M_k is free of deadly marked siphons.
Proof. We prove this result by contradiction. Let s be a deadly marked siphon in M_k. Then there will exist another siphon s' ⊆ s which is deadly marked in M_k and minimal. The structure of N_R implies that the minimal siphons containing place p_0 are the circuits of the marked graph N. This observation, when combined with the presumed structure for the initial marking M_0, implies that, for any marking M_k ∈ R(N_R, M_0), p_0 ∉ s'. But the construction of M*_k implies that s' does not increase its token content, and, therefore, it constitutes a deadly marked siphon for M*_k. The last conclusion contradicts the working assumption and concludes the proof.
The importance of the marking M*_k is that its corresponding subprocesses are each strictly SU-RAS for at least one step. That is, any token in M*_k is holding one unit of resource and requesting one unit of resource. When the requested unit is allocated, the held unit is released, and the token advances to its next place. The lemma guarantees that if there is no deadlock among the subprocesses of M*_k (assuming the reduced resource capacity levels of M*_k), then there is no deadly marked siphon in M_k. We will use this fact, along with resource bounds to be computed from the results of Lemma 9, to develop a single step look-ahead enumeration policy for N_R that is polynomial in net size. The policy is as follows.
Enumeration Policy Φ. Let σ_j be a firing sequence for N_R such that M_0 [σ_j⟩ M_j, and suppose t_u is enabled at M_j such that M_j [t_u⟩ M_k. Admit the extension σ_j t_u only if the marking M*_k is free of deadly marked siphons.
We note that detecting whether or not a marking has a deadly marked siphon is polynomial in the size of the net and is thus very fast. However, allowing markings only if they are free of deadly marked siphons does not guarantee policy correctness, since we may admit markings from which deadly marked siphons are unavoidable. For our purposes, we define policy correctness as follows.
Definition 10. An enumeration policy is "correct" if, for any marking M_j admitted under the policy, there exists a sequence of transition firings σ_j ≠ ε such that (1) M_j [σ_j⟩ M_0, and (2) for any prefix τ_k of σ_j, where M_j [τ_k⟩ M_k, M_k is admitted under the policy.
We are now in a position to prove the following.

Theorem 3. For t_j ∈ T^h_Split and h = 1, ..., m, let

Proof. Suppose that a marking M_k is accepted by Φ. Then M*_k contains no deadly marked siphon and thus M_k contains no deadly marked siphon. Note that in M*_k, the capacity of every resource is at least U^h_max + 2, h = 1, ..., m. Let Π be the set of subprocesses in M_k, where Π = Π_ND ∪ Π_D and Π_ND ∩ Π_D = ∅. Π_D is the set of subprocesses at disassembly operations, that is, tokens marking

Case 2. Suppose that Π_ND = ∅ and Π_D ≠ ∅ in M_k. There exist only subprocesses at disassembly operations. Thus, each resource has at least U^h_max + 2 free units, h = 1, ..., m. Sufficient resources are available to fire any transition of T_Split. Suppose t ∈ T_Split is enabled in M_k and that M_k [t⟩ M_g. M*_g contains no deadly marked siphon. To see this, note that if M_g has Π_ND = ∅, then each resource continues to exhibit at least U^h_max + 2 free units, h = 1, ..., m. If M_g has Π_ND ≠ ∅, then each resource r_h, h = 1, ..., m, has at least 2 units of free capacity.
Thus, Enumeration Policy Φ guarantees resource-enabled sequences of transition firings that complete the disassembly process, N_R. We are now ready to present Algorithm 3. It starts with N_R in the initial marking and generates a firing sequence that completes the disassembly by using single step look-ahead for deadly marked siphons. The most computationally intensive step is the siphon check, which can be done in polynomial time, no worse than O(|P_S| + |T_S|). By Theorem 3, the loop will require no more than |T_S| iterations, since every iteration will identify an admissible transition, and thus the algorithm is O(|T_S|^2). By returning the reversed sequence, we get the resource-enabled assembly sequence for the assembly net N_R. We note that the termination request computations of Algorithm 1 can easily be implemented in Algorithm 3.
Input: (N_R, M_0)
Output: σ_j ≠ ε such that M_0 [σ_j⟩ M_0
Set σ_j = t_F, and fire t_F
Set M_j = M_0 [t_F⟩
Loop
    Find t ∈ E_t(M_j) s.t. M_j [t⟩ M_k and M*_k contains no deadly marked siphon
    σ_j = σ_j t
    If M_k = M_0, return reverse(σ_j)
    Else M_j = M_k
End Loop
Algorithm 3

As an aside, we note that the converse of Lemma 9 is not true; that is, a deadly marked siphon in M*_k does not imply a deadly marked siphon in M_k. In fact, it is easy to illustrate markings which are "safe" in the sense that the firing sequence can be extended to reach M_0 but for which the induced marking exhibits a deadly marked siphon and is rejected. Thus, the Enumeration Policy Φ is suboptimal in the sense that it rejects some transition firings that lead to "safe" markings. Further, even when the capacity bounds of Theorem 3 are in place, N_R can exhibit markings with no deadly marked siphon but from which every sequence of transition firings leads to a marking with a deadly marked siphon. Thus, a policy that does single step look-ahead on the unaltered markings of N_R is not correct. Finally, we note that since Theorem 3 applies to disassembly systems, when the specified bounds are in place, quasi-liveness is guaranteed and sequence enumeration is polynomial for the class of disassembly nets G-AMG_DSU.
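The look-ahead loop of Algorithm 3 and Enumeration Policy Φ can be exercised on a small constructed instance. The following is an added example and not the paper's code: it abstracts the induced marking M*_k the way the text describes it (every active subprocess holds one unit and requests one unit, and the granted unit displaces the held one), represents "deadly marked siphon among the subprocesses" as a set of subprocesses none of which can ever obtain its requested unit, and uses names (`Job`, `deadlocked`, `admissible`, `run_policy`) and a two-job, two-resource instance chosen here; the exact definition of M*_k from the paper is not reproduced on the page, so this is an assumed model of it.

```python
"""Added example: single-step look-ahead for deadlocked subprocesses.

A toy model of the enumeration policy above (not the paper's code):
subprocesses follow single-unit routes, the induced marking is abstracted
to (held resource, requested resource) pairs as described for M*_k, and a
step is admitted only if the marking it reaches has no deadlocked set.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Job:
    """One subprocess and its route: the resource held at stage 0, 1, ...
    (constructed model; stage -1 = not started, len(route) = finished)."""
    name: str
    route: List[str]
    stage: int = -1

    def held(self) -> Optional[str]:
        return self.route[self.stage] if 0 <= self.stage < len(self.route) else None

    def wanted(self) -> Optional[str]:
        nxt = self.stage + 1
        return self.route[nxt] if nxt < len(self.route) else None


def free_units(cap: Dict[str, int], jobs: List[Job]) -> Dict[str, int]:
    """Capacity minus the units currently held."""
    free = dict(cap)
    for j in jobs:
        if j.held() is not None:
            free[j.held()] -= 1
    return free


def deadlocked(cap: Dict[str, int], jobs: List[Job]) -> List[str]:
    """Names of a deadlocked set of subprocesses, [] if there is none.

    Greatest fixpoint: drop any job whose wanted resource has a unit not
    pinned by the remaining set (that job can eventually advance); what
    survives can never move, the analogue here of a deadly marked siphon.
    """
    stuck = [j for j in jobs if j.held() is not None and j.wanted() is not None]
    changed = True
    while changed:
        changed = False
        for j in list(stuck):
            pinned = sum(1 for k in stuck if k.held() == j.wanted())
            if pinned < cap[j.wanted()]:
                stuck.remove(j)
                changed = True
    return [j.name for j in stuck]


def fire(cap: Dict[str, int], jobs: List[Job], name: str) -> List[Job]:
    """Advance `name` one stage: it is granted the wanted unit and releases
    the held one (an SU-RAS step). Returns a new marking; input untouched."""
    want = next(j for j in jobs if j.name == name).wanted()
    if want is not None and free_units(cap, jobs)[want] <= 0:
        raise ValueError(f"{name} is not enabled: no free unit of {want}")
    return [Job(j.name, j.route, j.stage + 1 if j.name == name else j.stage)
            for j in jobs]


def enabled(cap: Dict[str, int], jobs: List[Job]) -> List[str]:
    """Jobs whose next step is resource-enabled in the current marking."""
    free = free_units(cap, jobs)
    return [j.name for j in jobs if j.stage < len(j.route)
            and (j.wanted() is None or free[j.wanted()] > 0)]


def admissible(cap: Dict[str, int], jobs: List[Job]) -> List[str]:
    """Policy Phi: keep only the enabled steps whose successor marking
    has no deadlocked set."""
    return [n for n in enabled(cap, jobs) if not deadlocked(cap, fire(cap, jobs, n))]


def run_policy(cap: Dict[str, int], jobs: List[Job]) -> Tuple[List[str], bool]:
    """Algorithm-3-style loop: fire the first admissible step until every
    job has finished. Returns (sequence, completed)."""
    seq: List[str] = []
    while any(j.stage < len(j.route) for j in jobs):
        choices = admissible(cap, jobs)
        if not choices:
            return seq, False
        jobs = fire(cap, jobs, choices[0])
        seq.append(choices[0])
    return seq, True


if __name__ == "__main__":
    # Constructed instance: two jobs with opposite routes over two
    # single-unit resources, so starting both at once would deadlock.
    CAP = {"A": 1, "B": 1}
    JOBS = [Job("P1", ["A", "B"]), Job("P2", ["B", "A"])]
    after_p1 = fire(CAP, JOBS, "P1")
    print("enabled:", enabled(CAP, after_p1), "admissible:", admissible(CAP, after_p1))
    print(run_policy(CAP, JOBS))
```

With P1 holding A and wanting B, starting P2 is resource-enabled but rejected, because the successor marking pins every unit of A and B inside a set that can never advance; advancing P1 is admitted, and the loop completes both jobs. The capacities are set to 1 here only so that a rejection is visible; the page's Theorem 3 bound (at least U^h_max + 2 units of each resource) is what makes Φ correct in the sense of Definition 10, and the aside above explains why single-step look-ahead without that bound can admit markings from which every continuation deadlocks.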

Conclusion
In this paper, we developed models and algorithms for a class of Petri nets that support resource allocation in systems with synchronization and splitting operations. Our focus was on establishing quasi-liveness and enumerating process completing sequences. This is challenging since, for this class of systems, the quasi-liveness problem is NP-complete. Our tenet is that once quasi-liveness is established and a process completing sequence is generated, previously published liveness enforcing supervisors can be used to control the operation of these systems. For the general case, we proposed a breadth-first search algorithm that generates the reachability tree and computes minimal termination requests for each marking. We discussed the complexity of this approach as well as the need for selecting a smaller set of sequences for use in supervision. We then developed two special subclasses for systems with assembly only, and for each class established that polynomial sequence enumeration is possible if the resource capacities meet certain bounds. The first subclass was assembly with conjunctive resource allocation. For this class, we developed a net reduction algorithm that reduces the net to a minimal form and, in so doing, computes a resource sufficiency bound for "serialized" firing sequences.
The second special case was that of assembly with single unit resource allocation. For this class, we developed resource bounds and an enumeration policy that guarantees a process completing sequence in polynomial time. In current and future work, we are addressing liveness enforcing supervision for assembly/disassembly systems with unreliable resources, particularly those subject to degradation.
For every t ∈ T_Synch
    // Check for violations of the first necessary condition
    Find r_i such that $W(r_i, t) + \sum_{p \in \bullet t \cap P_S} u_i(p) > C_i$
    If successful, return Not Quasi-live
    // Check for violations of the second necessary condition
    Else

, t 2. t_I, p_(21), t_(21), p_(22), t.
(11)f. It is clear that Ψ_(1k) in ρ_1(N) enables σ_1 = t_(11) t_(12) ... t_(1,k−1) in N, Ψ_(2n) in ρ_1(N) enables σ_2 = t_(21) t_(22) ... t_(2,n−1) in N, and so forth. Now ρ_1(N) will contain the Type-II structure {t_I, p_(11), t_(11), p_(1k), t_j; t_I, p_(21), t_(21), p_(2n), t_j; ...; t_I, p_(m1), t_(m1), p_(mp), t_j}. Before doing the Type-II reduction, we sort {p_(1k), p_(2n), ..., p_(mp)}

$|\bullet t \cap P_S| = 1$ and $\sum_{h=1}^{m} u_h(\bullet t \cap P_S) = 1$. If u_h(•t ∩ P_S) = 1, we refer to r_h as the "disassembly resource." Let T^h_Split = {t : t ∈ T_Split and u_h(•t ∩ P_S) = 1 in N_R}, h = 1, ..., m. The set T^h_Split collects all the disassembly transitions in N_R that have r_h as the disassembly resource. Since each disassembly utilizes a single resource type, we have T^u_Split ∩ T^v

For t ∈ T_S, let Γ(t) be the set of transitions in T_S reachable from t in paths of N_R not containing p_0. Note that for t ∈ T_S, Γ(t) identifies reachable transitions that occur later in the disassembly process. Let LT^h_Split = {t : t ∈ T^h_Split and T^h_Split ∩ Γ(t) = ∅}, and note that LT^h_Split represents the set of disassembly transitions that use r_h as the disassembly resource but have no reachable transition (without including p_0) that does the same. That is, these are the disassembly transitions using r_h that occur latest in the disassembly process. The following lemma guarantees that the total token count in the set of disassembly operation places requiring r_h is no greater than |LT^h_Split|.

Given an N_R, if M_0(p_0) = 1 and M_0(p) = 0 for all p ∈ P_S ∪ P_I ∪ P_F, then for every marking M_j such that M_0 [⟩ M_j, M_j(•T^h_Split ∩ P_S) ≤ |LT^h_Split|.

t_j and t_k are mutually unreachable except through paths including p_0. As a result, t_j and t_k are not in a common circuit. This implies LT^h_Split such that t_v ∈ Γ(t_u); this implies that t_u and t_v belong to a common circuit. Thus, the number of circuits in which resource r_h is used as a disassembly resource is precisely |LT^h_Split|. By the fundamental property of marked graphs, M_j(•T^h_Split ∩ P_S) ≤ |LT^h_Split|.

•T_Split ∩ P_S, and Π_ND is the set of subprocesses not at disassembly. Suppose that Π_ND ≠ ∅ in M_k. Since there is no deadly marked siphon in M*_k, there is no subset of Π_ND deadlocked in M*_k. Thus, ∃ π_u ∈ Π_ND and an enabled t_v ∉ T_Split such that firing t_v allocates a unit of resource r_h to π_u and causes π_u to release a unit of resource r_p. Now suppose that M_k [t_v⟩ M_g and that M_g contains a deadly marked siphon. Thus, M*_g contains a deadly marked siphon, which implies a deadlock among processes of Π_ND in M*_g. Because of the resource bounds, each deadlocked subprocess of M*_g is blocked by at least two other deadlocked subprocesses of M*_g. To summarize, we have the following: (1) M*_k has no deadlock among Π_ND, (2) M*_k [t_v⟩ M*_g, (3) t_v allocates a single unit of r_h to π_u and releases a single unit of r_p, (4) M*_g has a deadlock among Π_ND, and (5) every deadlocked subprocess of M*_g is blocked by at least two other deadlocked subprocesses of M*_g. It is clear that allocating r_h to π_u causes the deadlock, implying that r_h is a resource involved in the deadlock. Thus, in M*_g, at least two units of r_h are allocated to subprocesses in Π_ND, and in fact, there must be another subprocess π_a ∈ Π_ND requesting r_h at t_a ∉ T_Split in both M*_k and M*_g. Allocating r_h to π_a rather than π_u, that is, M_k [t_a⟩ M_p, cannot result in deadlock among processes of Π_ND. Hence neither M*_p nor M_p contains a deadly marked siphon.