Formal specification and verification of decentralized self-adaptive systems using symmetric nets

Engineering distributed self-adaptive systems is challenging due to multiple interacting components, some of which monitor and possibly modify the behavior of managed components that operate in highly dynamic settings. Formalizing such systems having a decentralized adaptation control has been recognized as a hard task. In this article, we introduce a formal framework based on Symmetric Nets (a well-established subclass of Colored Petri nets) for modeling and analyzing distributed self-adaptive discrete-event systems. Even though Petri Nets represent a sound and expressive formal model of concurrency and distribution, they cannot specify in a natural way structural changes enacted by adaptation procedures. We overcome this limitation by means of a two-layer modeling approach that enables clear separation of concerns and allows multiple decentralized adaptation procedures to be specified, validated, and verified against formal requirements. Validation and verification techniques are supported by powerful off-the-shelf tools tailored to Symmetric Nets. A self-healing manufacturing system case study is used to show applicability, advantages, and shortcomings of the approach. In particular, complexity issues are thoroughly discussed and mitigated by adopting complementary approaches based on interleaving reduction and behavioral symmetries exploitation.

components may become temporarily or permanently unavailable, can disappear and appear, for instance due to faults and on-the-fly repairs. Self-adaptation -see de  -is an effective approach to deal with the increasing complexity and dynamism of these systems. Self-adaptation is often used as a means to achieve rapid adjustment of both production capacity and functionality, in response to new execution circumstances (operational contexts, environments and requirements), by reorganizing or changing its components (e.g., machines of the production systems, mechanisms for individual machines, sensors, controllers) directly in production. In this context there exists more than ever the need for robustness, resiliency, dependability. As stated by Weyns et al. (2013) and Arcaini et al. (2017), facing such a complexity in a distributed (decentralized) setting has been recognized as a major challenge in the field of self-adaptation. For this reason, formal methods providing the ability to reason on such a complexity are highly demanded. In particular, formal models representing both the structure and the behavior of self-adaptation and approaches to validate and verify them at design-time are of extreme importance to engineer self-adaptive systems.
Petri Nets (PNs) are a sound and expressive formal model of concurrency and distribution. However, both low-level and high-level PNs (even if Turing complete in some extensions) cannot represent in a natural way the ability of modifying their behavior and/or structure in response to their perception of the system itself as well as their surroundings and their goals. Several attempts to face this critical issue gave rise to new PN extensions, in which enhanced modeling power is not always accompanied by adequate analysis techniques. A representative example in this category is the "nets within nets" paradigm, introduced by Valk (2004). In this approach tokens represent themselves PNs. This ensures more flexibility in modeling, but significantly reduces the applicability of traditional PN analysis techniques.
To face this major challenge we propose a two-layer formal approach based on Symmetric Nets (SNs), 1 introduced by . Our approach gives to designers the ability to model distributed DESs in both their nominal and evolutionary behaviors, through a clear separation of concerns. The key idea, introduced in this article, is to exploit a "special" SN called emulator to encode, execute and change the behavior of any given P/T system. The design of the managed and managing subsystems are clearly separated. The modeler can specify the nominal behavior of the system and its own evolutionary behavior by means of adaptation procedures (one foreach adaptation concern). An adaptation procedure makes use of a collection of APIs, acting as sensors and actuators on the managed subsystem. Namely, they give the ability to read and modify the structure of the managed subsystem in order to achieve specific adaptation goals. Our modeling framework 2 allows behavioral symmetries to be exploited in order to analyze the symbolic state space in a efficient way. Furthermore, formal verification activities can take advantage of existing off-the-shelf software tools, such as GREATSPN introduced by Baarir et al. (2009).
A preliminary introduction of this ongoing research activity has been presented by . Here, we provide an extended presentation of the approach exemplifying both specification and verification using a self-healing manufacturing system case study. Self-healing (or self-repairing) refers to the ability of detecting faults/failures and recovering autonomously by changing the current configuration of the system. In this article, we present: (i) a more accurate comparison with the state of the art; (ii) an improved definition and formal description of the framework; (iii) additional evaluation activities; (iv) and a new case study, i.e., a self-healing manufacturing system that shows adaptation behavior to achieve reconfigurability and fault tolerance. Specifically, the contribution of this article can be summarized as follows.
-we define a SN-based modeling framework for self-adaptive distributed DESs having decentralized adaptation control; -we discuss the usage of symbolic structural analysis techniques to validate our modeling framework; -we describe the applicability of our approach using a self-healing manufacturing system case study; -we show how native SN analysis/verification techniques can be used to analyze systems modeled by using our framework.
The remainder of this article is as follows. In Section 2, we recall background notions of P/T nets and SNs. In Section 3, we present an example of self-healing manufacturing system used as main case study. In Section 4, we introduce an informal overview on our approach to model self-adaptive distributed systems using SNs. In Section 5, we formalize the emulating framework. In Section 6, we describe validation activities conducted on of the emulating framework. In Section 7, we describe how the modeler can specify adaptation procedures and how to compose them to create the whole system. In Section 8, we discuss complexity issues and how to tackle them. In Section 9, we describe formal verification of requirements. In Section 10, we discuss related work. Finally, in Section 11 we draw our conclusion and we outline future directions of our work.

Background
This section collects all the definitions used in the rest of the paper, and introduces the P/T net and SN formalisms. The reader may refer to (Reisig 1985) and ) for a detailed description of P/T nets and SN, respectively.

Multisets, Multiset-functions, and their operations
A multiset (or bag) over a domain D is a map b : A bag whose elements have multiplicity one is said set-type. A multiset b may be expressed as a weighted formal sum of its elements, where weights represent multiplicity (if equal to one it may be omitted). With some overloading, b may also denote the bag d∈b d. The empty multiset, i.e., the multiset with an empty support, is denoted ∅ D , or just ∅ if its domain is implicit. 3 The whole set of bags over D is denoted Bag [D]. Let b 1 , b 2 ∈ Bag [D]. The sum b 1 + b 2 , the difference b 1 − b 2 , and the intersection b 1 ∩ b 2 are bags in Bag [D] defined, for any d ∈ D, as: . Two bags b 1 , b 2 are said disjoint if b 1 ∩ b 2 = ∅. Associativity holds for +, ∩ (which may be treated as n-ary operators), but not −. Relational bag-operators apply component-wise, e.g., b 1 < b 2 if and only if b 1 (d) < b 2 (d), ∀d ∈ D.
Let k ∈ N, the scalar product k · b 1 is b 1 ∈ Bag [D], Bag-operators have intuitive functional extensions. Let f 1 , f 2 : D → Bag [D ], and op be a binary operator 4 : The support is a bridge between bag-and set-functions. As for relational operators, f 1 < f 2 if and only if f 1 (d) < f 2 (d), ∀d ∈ D. The symbol ∅ D,D , or ∅ if the arity is implicit, denotes the function D → ∅ D , ∀d ∈ D. Function equivalence is naturally set as f 1 ≡ f 2 if and only if f 1 (d) = f 2 (d), ∀d ∈ D. The notions of set-type and disjoint extend to bag-functions as well, considering all the elements of function(s) domain(s). Let The function Cartesian product f 1 × f 2 × . . . f n : D → Bag[D 1 × D 2 × . . . D n ] is defined as: The notation f 1 , f 2 , . . . , f n , called function-tuple, is used in place of f 1 ×f 2 ×. . . f n . Two operators are peculiar to bag-functions. Let f : D → Bag [D ]. The transpose f T r : The linear extension f * : [D]. Function composition builds on linear extension. Let h : D primeprime → Bag [D], , ∀d ∈ D primeprime . We use the same notation (f ) for a function and its linear extension, implicitly referring to the latter when the argument is a bag. Finally, let {f i } be a family of functions D → Bag [D ]. A linear combination F = i λ i · f i , λ i ∈ Z, is a function D → Bag [D ] if and only if ∀d ∈ D, x ∈ D : F (d)(x) = ( i λ i · f i (d)(x)) ≥ 0. In that case, F is called well-defined.

Place/Transition (P/T) nets with inhibitor arcs
A P/T net enriched with inhibitor arcs is a 5-tuple (P , T  The elements of P and T are called places and transitions, respectively. The former, drawn as circles, represent system state-variables, whereas the latter, drawn as bars, represent state local changes. The overall (distributed) state of a P/T net, called marking, is defined as a bag m ∈ Bag [P ]. The marking of p is m(p).
A P/T net is a kind of directed, bipartite multi-graph, with input, output, inhibitor edges (the latter, drawn with an ending small circle), described by I , O, H , respectively. Let f ∈ {I, O, H }: if f (p, t) = k, k > 0, then a corresponding weight-k arc connects p to t. The assumption that there is no isolated node, i.e., a node that no edge is incident to, is more than acceptable from the modeling point view and plays an important role in a reconfigurable context. 5 The behavior of a P/T net in a given marking is specified by the transition firing rule. A transition t ∈ T is enabled in a marking m if and only if: ( 3 ) If t is enabled in m then it may fire, leading to marking m , where: This is denoted m [t m . A pair (N, m), where N is a P/T net and m is a marking of N , is called P/T system. The interleaving semantics of a P/T system (N, m 0 ), where m 0 represents the initial state, is specified by the reachability graph (RG), an edge-labelled, directed multi-graph (V , E) whose nodes are markings. The RG is defined inductively: The set V is called reachability set.

Symmetric nets
Symmetric Nets (SNs), 6 introduced by , are a high-level Petri net standard 7 formalism featuring a particular syntax which highlights the behavioral symmetries of systems. SNs are a flavor of Colored Petri nets, introduced by Jensen (1997), that have two different types of transitions, for observable (time-consuming, in stochastic SN) and immediate (logical, non-observable) events. The latter are drawn as tiny bars and take priority over the former type. In this section, we formally define SNs using the net in Fig. 1 to illustrate the base elements of the syntax. Figure 1 represents an excerpt of a simple broadcast communication protocol among nodes of a network. A node of the network (logically partitioned in two sub-networks) broadcasts messages to the other nodes. Upon reception of a data-message, a node broadcasts in turn an ack to the others. An ack is kept by the initial sender and discarded by the remaining nodes. A session successfully ends if the initial sender receives ack replies by all the others. Messages sent between the sub-networks may get lost but the excerpt here shown does not handle this event.

SNs and Color-annotations
A SN is a 9-tuple (P , T , C, D, g, I, O, H, π), where P and T are the finite, disjoint sets of places and transitions. C = {C i , i = 1 . . . , n}, n ∈ N + , holds the color classes, which define the SN color structure: they are finite, pair-wise disjoint sets, each representing (at least two) system entities of a certain kind. A color class C i may be either circularly ordered or partitioned into static subclasses C i,j . The static partitioning of classes determines the symmetry of a SN model, indeed, all and only the colors of a subclass denote homogeneous components with an equivalent behavior. For instance, the SN in Fig. 1 has two color classes N, L, representing network nodes and (types of) messages, respectively, each partitioned in two static subclasses. The elements of each subclass of N (representing a sub-network) are symmetric, i.e., undistinguishable from one another. The two subclasses of L are singletons. Each SN model is also provided with a neutral color class X = {•}. D maps each v ∈ P ∪ T to a color domain, usually defined as a Cartesian product of color classes: where ∅ ⊂ C ⊆ C, and e i ∈ N + is the number of repetitions of C i in the domain. There may also be nodes with a neutral domain D(v) = X. A place color domain D(p) defines the possible colors (tuples of color elements from D(p)) of the tokens which can stay in p. For instance, the color domain of the place EnRoute is N 2 × L. A transition color domain D(t) defines the possible firing instances of t: these are tuples of color elements, and typed local variables (V ar(t)) are used to refer to such elements in a tuple in D(t): for each C i ∈ C , there are e i distinct type-C i variables. Thus V ar(t) implicitly defines D(t). A transition instance may be intuitively seen as a binding of colors to transition's variables. An instance of transition broadcast (the model's only observable transition), with D(broadcast) = N × L, e.g., is a color binding of variables n and l. At the beginning, the place Sender holds a single token s 1 , data , in that case the only possible binding for broadcast is (n = s 1 , l = data). Formally, transition variables are interpreted as projection functions (Section 2.3.3).
A transition t with V ar(t) = ∅, or a place p that holds undistinguishable tokens, has a neutral domain. For simplicity, the arcs that a neutral SN node is incident to are inscribed by N + values. Similarly, the marking of a neutral place p is expressed by a value in N.
g maps each t ∈ T to a guard g(t) : D(t) → {true, f alse}, formally defined in Section 2.3.3. A guard restricts a transition's instances. A transition instance b ∈ D(t), also denoted (t, b), is said valid if and only if g(t)(b) = true. The color domain of t actually refers to the restriction of D(t) to valid instances of t (assumed non-empty). For simplicity, we use the same symbol. When omitted, a transition guard is meant equal to the constant true.
I [p, t], O[p, t], H[p, t], are families of functions, D(t) → Bag [D(p)], defined for each pair (p, t) ∈ P × T , annotating input/output/inhibitor arcs respectively. The syntax of an arc function is formally defined in Section 2.3.3.
Finally, π is a map T → N, and π(t) is the priority of t. A transition t is said observable if and only if π(t) = 0, otherwise t is said immediate. All the transitions in Fig. 1 but broadcast are immediate and have the same priority.

Semantics
A SN marking m is a P -vector such m[p] ∈ Bag [D(p)]. We call m[p] the marking of p, the elements of m[p] tokens. The dynamics of a SN is defined by the firing rule. We assume that missing arcs are annotated by empty bag-functions.
An instance (t, b) has concession in a marking m if and only if: ) has concession in m and there is no higher priority transition's instance having concession in m. Assuming the aforementioned (initial) marking for place Sender (i.e., a single token s 1 , data ), the instance (n = s 1 , l = data) of broadcast is enabled. If enabled, (t, b) may fire, leading to a marking m formally defined as: t, b), and this is denoted m[t, b m . The firing of (broadcast, n = s 1 , l = data), according to the arc-function semantics illustrated in the next section, withdraws the token s 1 , data from the input place Sender and puts the (type-set) bag of tokens x∈N,x =s 1 1 · s 1 , x, data into output place EnRoute, representing a broadcast data-message sent by node s 1 .
A marking m is said vanishing if there are some immediate transition instances enabled in m, tangible otherwise. A SN model is a SN with a tangible initial marking m 0 . Assuming that there are no infinite sequences of immediate transition instances, it is possible to define the tangible reachability graph (TRG) of a SN model, an edge-labelled, directed multi-graph (V , E) whose nodes are tangible markings: m 0 ∈ V ; if m ∈ V and there exists a (possibly empty) sequence

Guards and Arc-functions Syntax
We use a simple convention for color-classes and variables. Color classes are denoted by single capital letters in normal font, e.g., V. The i-th static subclass of V, if any, is denoted by V i . The set V ar(t), t ∈ T , includes all and only the variable symbols occurring in g(t) or in any function I [p, t], O[p, t], H[p, t], ∀p ∈ P . A variable is denoted by a single lowercase letter, which implicitly refers to the variable's type, e.g., v i is a class-V variable. The number of V-variables in V ar(t) coincides with the repetitions e V of V in D(t): a subscript i ranging in 1 . . . e V is used to differentiate variables of the same class. It may be omitted if e V = 1.
Projections The adopted convention outlines the transition variable semantics: v i ∈ V ar(t) is a function D(t) → Bag[V] that maps a color-tuple b to the i-th occurrence of color V in b (formally, a singleton bag).
Guards A transition guard g(t) : D(t) → {true, f alse} is defined in terms of basic predicates and the usual logical connectives. Referring to a generic class V, a basic predicate is any of the following: The 2nd and 3rd predicates are admitted if the class V is partitioned. If V is ordered, then in the first type of predicate projections may be suffixed by ++, −−, denoting the mod |V| successor/predecessor of selected color.
For example, the guard of transition lostMsg in Fig. 1, where D(lostMsg) = N 2 ×L, indicates that only messages that are sent from a sub-network to the other may get lost.
Arc-function syntax SN arc-functions are built of class-functions. We consider any arc linking a place p to a transition t and assume that color class V occurs in D(p).
A class-V function f i is a map D(t) → Bag [V], which is defined as a linear combination of (type-set) elementary functions: where e h may be any of {v j , V q , V} (symbol All may be used in place of V): v j is a projection, possibly suffixed (if V is ordered) by ++, −− -V q (admitted if V is partitioned) and V (All) are constant functions mapping to x∈V q 1 · x and x∈V 1 · x, respectively. The class-N function All−n appearing on the output arc from broadcast to EnRoute (Fig. 1), e.g., maps a color pair c 1 , c 2 ∈ N × L = D(broadcast) to x∈N,x =c 1 1 · x, which represents the whole set of network nodes but c 1 .
An arc-function F [p, t] : D(t) → Bag [D(p)] is in turn defined as a linear combination: where T k is a Cartesian product f 1 , . . . , f n of class-functions 9 (Section 2.1, Eqs. 2) and g k is an (optional) guard defined on D(t), with the same syntax as transition guards: Scalars in Eqs. 5 and 6 must ensure that linear combinations are well-defined. The arc-function O[EnRoute, broadcast] = n, All − n, l ( Fig. 1), e.g., when evaluates on c 1 , c 2 ∈ N × L = D(broadcast) results in c 1 , x∈N,x =c 1 1 · x, c 2 , a bag Cartesian product which corresponds to all triplets with c 1 as 1st element, a node other than c 1 as 2nd element, and c 2 as 3rd element. That is, a type-c 2 broadcast message sent by node c 1 .
A worthwhile property of SN arc-functions is that any F [p, t] can be equivalently expressed as where each term T i [g i ] is: is |V| − 2, the other tuples are size-one.
We may therefore assume that arc functions are linear combinations of type-set, constantsize (and, if needed, pair-wise disjoint) function-tuples.

The self-healing manufacturing system case study
In this section, we introduce a self-healing (or self-repairing) manufacturing system example to put into place the major concepts of our approach. Here adaptation procedures run over a distributed infrastructure in order to reconfigure the usage of the available resources depending on the current condition of the system itself and the environment. To achieve this goal, the system defines primitive actions to be applied in production, such as connection/inhibition of the available/faulty production lines and migration of the raw products among available machines of the production system.
In our running example, we consider a Manufacturing System (MS) composed of two production lines, that refine a number of raw pieces in order to compose the final product. Typically, the reconfiguration process consists in deciding whether to inhibit faulty components and/or migrate raw products towards available resources of the system, depending on a set of metrics (either simple or derived). For the sake of simplicity, we confine our example to two metrics: the status of the available production lines and the workload in terms of assigned raw products. The value associated to these metrics will be used to plan and execute the adaptation. In particular, the system must be endowed with the ability of recognizing the status of the production lines and change accordingly the current availability of resources and the current workload. As described by Dicesare et al. (1993), Meng (2010), and Capra (2016), this scenario is very common in smart MS, where reorganizing or changing components must be taken into account in the system design in order to achieve robustness, flexibility and resiliency in the production environment. Fig. 2 shows a P/T net modeling the MS with a symmetrical fault schema (i.e., SMS). Two production lines are represented by the subnets { pl 1 , tl 1 , pw 1 } and { pl 2 , tl 2 , pw 2 }, respectively. The two lines refine raw pieces of the same type, represented by tokens inside the two corresponding subnets. Pairs of refined pieces are taken from both lines, then assembled to get the final product (represented by the firing of ta 1 , i.e., the assembler component). The loader component (transition tlo 1 ) initializes the whole process by picking up two raw pieces a time from the storage component (place pin 1 ) initially holding N pieces, and putting them onto the lines. After the expected number of final items is obtained, the system starts again (transition trs 1 ). The model contains also the specification of a faulty behavior. In fact, a product line is periodically subject to failures (represented by tfa 1 and tfa 2 ). Faults can occur and block the lines. Faults are modeled by means of tokens inside the place pb 1 (i.e., faults in the first line) or inside pb 2 (i.e., faults in the second line). We here assume that the probability of having failures on both the lines at the same time is negligible. can be obtained by removing either the transition tfa 1 or tfa 2 . In this case, a single product line is subject to failures. As the previous model, the occurrence of a failure causes the line to be blocked.

Symmetrical fault schema
Indeed, blocked lines hinder the liveness of the whole production process. Thus, a common adaptation scenario for both the SMS and the AMS is the reconfiguration of the system to handle occurrences of faults. In fact, the production should continue without shutting down the system using the available resources (i.e., the remaining production lines). The faulty lines must be inhibited or detached from the system, and the behavior of both the loader and the assembler must be changed accordingly. Namely, the loader must put two raw pieces a time on the available line, and the assembler must take pairs of refined pieces from the working line. As soon as the failing component is repaired, the system should go back to its nominal configuration.
Although P/T nets represent an expressive model of concurrency and distribution, the adaptation scenario reported above (involving structural changes of the model) cannot be specified in a natural way. In the next section, we describe how our modeling framework can be used to overcome this limitation by introducing the self-adaptation process with clear separation of concerns.

Preview of the approach
According to de , we adopt the general terms managed (or base-level) and managing (or reflective) subsystems to denote the two main parts of an adaptable/evolvable system.
The environment refers to the external world, such as physical and/or software components, in which the system runs/interacts, and where the effects of the system (in its nominal and adapted behaviors) will be observed. The managed subsystem provides support for monitoring and executing adaptations controlled by the managing subsystem. This latter component contains the adaptation logic that deals with one or more concerns. In our framework, the adaptation logic is viewed as a set of adaptation procedures realizing multiple (concurrent) feedback control loops, as introduced by Brun et al. (2009). We assume the target system (both managed and managing components) is distributed and we assume decentralization of the control decisions.
In particular, we consider decentralization at the level of the adaptation procedures, as introduced by de Lemos et al. (2013). Figure 3 shows an abstract overview of our modeling framework. In this section we introduce the rationale of the major components that we further detail in Section 5.
The base-level contains the definition of the managed subsystem as a P/T system. It describes the system's nominal behavior and its interaction with the environment. For instance, the SMS model in Fig. 2 specifies the nominal behavior of our case study. Such a model represents the base-level layer of a self-adaptive manufacturing system.
The base-level is then endowed with self-adaptation capability. These additional features are specified in the high-level layer which implements the system's adaptation logics. In our modeling framework, the components inspecting and possibly modifying the base-level are formalized as SN models. The structure of the higher-level is shown in Fig. 3  managing subsystem as a number of adaptation procedures.
The emulator is a built-in SN model provided by our framework. The role of the emulator is to encode a given P/T net and emulate its dynamics. The target base-level (a P/T system) is encoded as a marking of the emulator, so that it can be manipulated by transitions linked to the emulator net through a well-defined interface. The base-level manipulation may cause base-level's structure/state be consistently changed, and may be concurrent with emulation. The modeler can specify and validate atomic transformation rules to be applied to the encoded P/T net. Transitions are provided through SN models. A symbolic structural calculus for SN is used to (automatically) check the soundness of transformation rules, and safely link them (through arc functions) to the rest of the model. The evolutionary API provides a basic (yet complete) collection of pre-defined primitive transformations to perform introspection/intercession on the base-level. For instance, the API can provide the current configuration of the encoded system, add/remove P/T nodes and edges, and change its marking. Each primitive is defined by a SN subnet that modifies the encoded net consistently and atomically. The net-interface plays a crucial role, providing an interface between user-defined transformations/API primitives and the emulator. It manages, in particular, the consistent update of essential data-structures (SN places) which are used in the emulation algorithm to improve efficiency.
The managing subsystem contains a collection of adaptation procedures, specified as disjoint SNs. Each procedure manages an adaptation concern, and implements a feedback loop monitoring the base-level subsystem. In our selected case study, the following adaptation concerns are treated: (i) fault tolerance -continue producing in presence of a faulty line, which is temporarily put off-line, without shutting down the system; (ii) load balancing -bring raw pieces to all the available production lines, to optimize resource usage.
Adaptation procedures are specified independently, and are activated in specific conditions evaluated on the base-level encoding. Procedures are concurrent, also with the base-level dynamics, and operate different adaptation plans. In this sense, we do not assume the existence of a centralized controller. The modeling framework guarantees a theoretically consistent evolution of the system, whereas logical correctness is formally checked by using consolidated analysis techniques for SNs.
Procedures may use predefined, primitive API operations representing a base set of sensors and actuators. In addition, they may also integrate user-defined transformation rules, that enhance model flexibility. For instance, the procedure (i) fault tolerance, directly accesses the emulator's evolutionary interface (a set of SN places encoding the base-level) to recognize the presence of a token either in pb 1 or pb 2 (a failure occurrence). When a failure occurs, it carries out a number of changes to the base-level by using write API primitives. For instance, residual raw pieces on the faulty line are moved to the working one. Then, the loader and assembler components are adapted to ensure system operation even in presence of a failure.
Our modeling framework also allows temporal aspects to be specified. In this case, the modeler uses the native stochastic extension of SNs (i.e., SSNs) to enrich the system specification. Namely, transitions representing observable events can be associated with rates characterizing exponential firing delays.

The emulation framework
The emulator reproduces the interleaving semantics of a P/T system encoded as a SN colored marking. In this section, we first introduce the notion of net encoding in Section 5.1, and then we formally describe the behavior and the structural properties of the emulator in Section 5.2. We introduce the notion of user-defined transformation rules in Section 5.3 and we describe how to link them to the emulator through the net-interface in Section 5.4. We also describe the set of pre-defined primitives that compose the evolutionary API in Section 5.5.

P/T nets encoding
As anticipated, our approach is based on encoding a P/T net as the marking of specific places of the emulator SN. These places compose the evolutionary interface, which is defined as follows: Intuitively, the EI is suitably linked to both the emulator model (that cause the encoded P/T to be executed) and additional SNs implementing net-transformation rules (comparable to the rules of graph transformation systems).
The emulator's color structure builds on two color-classes P, T, holding descriptors for the nodes of a P/T net, and on color domain Arc = P × T, whose color-tuples describe the edges of a P/T net. For the sake of simplicity, we will use the same symbols for colors and corresponding P/T nodes, letting the context disambiguate their role. We assume that classes P and T are either circularly ordered or partitioned for modeling reasons, as detailed in the following. Let The encoding mechanism allows the firing of P/T transitions to be emulated efficiently. The explicit representation of bag differences I − O and O − I reduces the complexity of the computation of transition firing effects. In the following, we use the notation m N to indicate a SN marking which encodes a given P/T net.
The other way around, the conditions ensuring that a SN marking encodes a P/T system are formally expressed by: The 1st condition is related to non-emptiness of a P/T net. The 2nd condition to the meaning of bag differences I − O and O − I , and to the fact that output edges of a P/T net are implicitly represented. The third condition ensures the absence of isolated places: p 1 is the projection P × T → P.
The absence of isolated nodes is relevant in a context where the structure/state of the managed subsystem may change due to adaptation procedures. In this setting, spurious transformations may lead a system to an inconsistent state. The implicit representation of P/T nodes by means of edges avoids any trickiness due to possible dangling edges, as it happens in graph transformation approaches.
The P/T net corresponding to a graph-encoding m is defined as follows.
Definition 3 (encoded P/T system) Let m be a P/T encoding (Def. 2). The encoded P/T system is ( As an example, the encoding of the AMS model introduced in Section 3 is as follows.

The emulator
For the sake of readability, we introduce the emulator component through the pseudocode in Algorithm 1. The complete SN specification is available in Appendix A. The rationale of the main operations performed by the emulator can be summarized as follows. A reachable tangible marking of the SN matches a reachable marking of the encoded P/T net (N, m), an enabled instance of the only observable transition PT fire with D(PT fire) = T, matches an enabled P/T transition. When a firing occurs, an instance (PT fire, t = t k ) triggers a sequence σ of immediate transition instances emulating the firing of t k , in accordance with the atomic semantics of Petri nets. The main steps executed in the sequence σ are denoted by steps i, ii, and iii in the pseudocode (and the SN model in Appendix A). The description of these steps follows.
i This step is triggered by a token in neutral place beginTestEnab. All and only P/T transitions in the place checkList are marked as "to be checked". These transitions are tested for enabling, by moving tokens from checkList to toTest and by considering first input places then inhibitor places (once a time). At the end of this process the place checkList is emptied, and enabList is filled up. The step i ends by firing the transition endTestEnab.
ii This step starts with the firing of a color-instance of transition PT fire. The effect is to non-deterministically chose a P/T transition t (according to the semantics of P/T nets) from place enabList. Thus, the marking of place MARK is modified, according to the firing rule of P/T systems. Namely, for each element in (I − O)(p, t), m(p) is decremented and for each element in (O − I )(p, t), m(p) is incremented. This step is triggered by a token in neutral place beginFiring. iii This step updates the marking of two places holding the transitions that were enabled before the firing of t (place enabList) and those whose enabling must be checked upon it (place checkList), respectively, by taking account of the (asymmetric) Structural Conflict (SC) and Structural Causal Connection (SCC) relations between P/T transitions, formalized at lines 24 and 30 of Algorithm 1, respectively: t SC t 2 if and only if t may disable t 2 in a marking, whereas t SCC t 2 if and only if t may enable t 2 .
The use of these two auxiliary places may greatly enhance the efficiency of the whole emulation process.
The behavior of the emulator SN which is mechanically translated from Algorithm 1 is formalized as follows. As a direct corollary of Property 2, we have: 10 nil represents a kind of default class-T color.

Corollary 1
The tangible reachability graph of the emulator whose initial marking m 0 encodes a P/T system (N, m 0 ) and matches conditions 1,2 of Property 2 is isomorphic to the reachability graph of (N, m 0 ). 11 The emulation process must coherently resume after any structural change to the encoded system. Property 3 defines a state (vanishing marking) from which the emulation of a P/T system may coherently restart. The rationale is that from this state, assuming that all P/T transitions potentially disabled by a structural change were moved from enabList to checkList then all those potentially enabled (not in enabList) were added to checkList, the emulator eventually reaches a tangible marking that satisfies Property 2. The net-interface component of the framework (Section 5.4) transparently manages all that.
Property 3 Let (N, m) be a P/T system, m be an emulator vanishing marking encoding (N, m) (Definition 1) such that: Then, from m we eventually reach through any vanishing path the tangible marking m such that:

Transformation rules
We first introduce a general transformation rule of the encoded system, as a user-defined SN transition that is directly connected to the emulator's interface EI (7). Then we present an API of base transformation primitives. Transformation rules/primitives are transparently linked to the emulator through a net interface.
We follow a structural approach, by defining parametric (i.e., not depending on the encoded system) structural conditions ensuring that transformations are consistent, according to Def. 4, and the emulation of the encoded system is correct also in the face of changes to its state/topology. All these conditions (stated in a series of lemmas) can be automatically checked using the SN calculus introduced by Capra et al. (2005Capra et al. ( , 2015 and implemented on the tool SNEXPRESSION. 12 In such a calculus, structural conditions are formalized as symbolic expressions that are directly derived from SN arc-functions and manipulated algebraically. Definition 4 (Valid P/T transformation) A SN transition t linked to the emulator's evolutionary interface EI is a valid P/T transformation if and only if, for any P/T encoding m, ∀b ∈ D(t): m[t, b m ⇒ m is a P/T encoding. 11 E(m 0 ) can be automatically computed, instead of being pre-calculated, by setting a transient initial (tangible) marking with a token in neutral place startUp, All in checkList, and with places beginFiring and enabList empty. From such a marking we eventually reach m 0 12 Publicly available at: www.di.unito.it/ ∼ depierro/SNex. The SN calculus provides support for the computation of the following structural properties: conflict, causal connection, mutual exclusion, and some kinds of coloured semi-flows. It builds on the ability to solve symbolic formulae that are defined in terms of a language L and a base set of functional operators, under which L is closed: difference, intersection, composition, transpose, and bag support. The terms of L are SN arc functions possibly prefixed by guards (called filters) on function co-domains. Let A helpful operator that can be derived from the available ones is the function restriction.
is defined as: The SN calculus operates as a rewriting system. Any expression (formula) e is reduced to a normal form e ∈ L, where tuples may contain intersections of class-functions and be prefixed by filters. A term's normalization is denoted e → e .
As described by Capra et al. (2015), equivalence between expressions can be syntactically proven, thanks to the following base property of the calculus: The ability to syntactically check equivalences is exploited in relational operators. Let e, e be bag-expressions of the same arity: You can also syntactically verify whether an expression never evaluates to empty, i.e.: If e is suffixed by a guard g, then Eq. 12 only applies to those d satisfying g. Two basic place invariant properties used to verify the validity of P/T transformations follow.
Definition 5 (Mutually-exclusive places) Let p, p be any two different SN places such that D(p) = D(p ). p, p are mutually-exclusive (p ME p ) if and only if m[p] ∩ m[p ] = ∅, for every reachable marking m.
Definition 6 (Color-safe place) p ∈ P is color-safe if and only if m[p] is type-set, for every reachable marking m.
In the sequel, we assume that a (non-trivial) transition guard g(t) is implicitly appended to each adjacent arc-function. That is, A mostly structural characterization of SN transitions preserving place mutual-exclusion is formalized as follows.
Some auxiliary formulae defined/described in Table 1 are Multiset of colors actually put in place p by an instance of t.
Multiset of colors actually removed from place p by an instance of t.
Set of P -colors representing P/T places that edges (re)inserted by an instance of t are incident to.
Set of P -colors representing P/T places that only edges potentially erased by an instance of t are incident to.
there is an upper-bound for the occurrences of x in p due to the inhibitor arc-function, matching the occurrences of x withdrawn from p (indeed, H[p , t] is type-set); or C) x occurs at most once in p and belongs to I[p , t](b) (thus it is withdrawn from p , if t is enabled).
Condition C of Lemma 1 is not entirely structural, however, it extends the applicability of the lemma. We write p SME t p to mean that a transition t meets conditions A and B of Lemma 1, i.e., t preserves mutex of places p, p structurally.

Lemma 2 (Structural characterization of a valid P/T Transformation)
If the conditions C1-C5 below are satisfied, then t is a valid P/T transformation (Def. 4).
Before the formal proof, let us give an intuitive interpretation for each of the conditions above. We assume to start from a P/T encoding (Def. 2) and to fire any enabled instance of t. C1 preserves the non-emptiness of the encoding. C2 preserves mutex of places O I and I O. As for C3, it preserves the inclusion relationship between the marking of places I O and IN. Finally, C4, C5 retain the absence of isolated nodes. In particular, C4 considers the insertion of new P/T places in the current marking whereas C5 deals with the removal of P/T edges (the two operations that may affect that requirement).
Proof Let m be a P/T encoding, b ∈ D(t), and m[t, b m . The condition C1 means that no color-tuple (edge) is either removed or added by (t, b).
The condition C3 means that each color-tuple (edge) added to place I O by (t, b) is also added to place IN. In the same way, each color-tuple (edge) withdrawn from place IN is also removed from I O, thus preserving the relation m Condition C4 can be interpreted as follows: if the instance (t, b) inserts a potentially new P-color x in place MARK, then there is some edge (of any type) contextually (re)inserted by (t, b), that x is incident to. However, C4 itself is not enough to ensure absence of isolated nodes. In fact, C5 considers removal of color-edges by (t, b). It is a conjunctive form, built of three clauses. The set RbI (t)(b) holds P-colors representing places that only edges (of any kind) potentially erased by (t, b) are incident to. The first clause of C5 ensures that no such color may be added to place MARK. The second clause means that there is an upper bound for each color x ∈ RbI (t)(b) in SN place MARK, due to a inhibitor arc function (otherwise instance b wouldn't be enabled). The third clause ensures that, for any x ∈ RbI (t)(b), there cannot be more instances of x in MARK than those which are withdrawn by b (i.e., the upper-bound for color x coincides with In MARKt (b)(x), the number of instances of x withdrawn by b). As a consequence, also the last point of Def. 2 is met. Figure 4 shows an example of user-defined transition that may verify Lemma 2, i.e., represent a valid P/T transformation. Conditions C1-C4 are satisfied, indeed. The condition C5 is satisfied if the parameter k on HMARKt is not greater than 3 (if k < 3 t is not enabled).

The net-interface
A crucial aspect of the emulation approach is played by the consistent management of the places enabList and checkList, which are efficiently updated by exploiting the structural properties of the encoded P/T system. When connecting a transformation rule to the emulator, the semantics of these places must be preserved. In general, this is not at all easy. Therefore, we introduce a net-interface that links together the framework's components by transparently handling these aspects.
Formally, places enabList and checkList must be mutually-exclusive and colorsafe to allow the emulation of a P/T system to be carried out consistently. A mostly structural characterization of place color-safeness is given by the following.
If m[p] is type-set and one of the two conditions below is satisfied then:  by (t, b), is type-set. Due on the hypothesis on place p , every color of this set is present in p , and not in p. Thus, m[p ] is type-set.
Color-safeness and mutual-exclusion of places enabList and checkList can be easily verified on the emulator SN using Lemma 1 and 3. These two invariants are preserved by linking a valid P/T transformation rule t to places enabList and checkList through the net-interface, which coherently updates their marking based on the annotations of t. That may require a preliminary rewriting of functions In Ht, O [H, t] in disjoint terms that syntactically identify the instances of t that decrease (increase) the multiplicity of inhibitor arcs of an encoded P/T net and those that remove (add) inhibitor arcs. Indeed, decreasing (increasing) the weight of an inhibitor arc provides the opposite effect on the enabling of the linked transition of removing (adding) one such a arc. Such a rewriting is always possible and can be easily automated (we omit the boring technical details). Its semantics is formalized by Def. 7, where subscripts d, r and i, a used for the terms of In Ht and O[H, t], respectively, denote the different effects described above (i.e., decrease, remove, increase, add).
Definition 7 (Well-linked transformation rule) Let t be a valid P/T transformation. We say that t is well-linked (to the emulator) if and only if: For example, the transition t in Fig. 4 is trivially well-linked. Indeed, any color instance of t adds a new weight-2 inhibitor arc to the encoded P/T net, due to the type-set function HHt = p 1 , All . Therefore Assuming that a valid transformation t matches Def. 7, we can compute the parametric sets of P/T transitions potentially-enabled and potentially-disabled by any instance of t, whose expressions are described in Table 2 (where t 1 is a projection). The parametric colorset P D(t) represents the P/T transitions for which there are: i) input edges newly added or with an increased weight; or ii) newly added inhibitor edges; or iii) inhibitor edges with a decreased weight. The parametric color-set P E(t) represents, in some sense, the opposite. Note that the sets P E(t) and P D(t) may not be disjoint.
Moreover, the expressions W + [MARK, t], W − [MARK, t] represent the parametric sets of P/T places whose marking is increased or decreased, respectively, by an instance of t. By definition, it holds: A P/T transformation t is mechanically linked to the emulator through the net-interface modules shown in Figs. 5 and 6. The link is formally defined by the following output arcfunctions, where the function support implicitly denotes the corresponding type-set bag expression (we use the set-notation for readability): Figure 5 shows the module which manages the update of places enabList and checkList due to a firing of t, by preserving their invariant properties. Figure 6 shows the module performing a preliminary step, which consists of computing all P/T transitions which may be indirectly enabled/disabled due to a P/T transformation occurrence, because of the increase/decrease of the marking of some input/inhibitor place. The two modules are composed through a simple superposition of SN places sharing the name. ) T-colors representing P/T transitions potentially enabled by an instance of t.

The evolutionary API
In addition to user-defined transformations, the modeling framework supplies a collection of built-in read and write primitives, which can be used to sample and safely modify the state/structure of the base-level in procedures implementing the adaptation logics. This evolutionary API allows the internal mechanics of the emulator to be abstracted away from the modeler.
The places p in , p out represent a routine's in/out parameters. We can distinguish between read and write primitives, since only the formers including p out .
The available read and write API primitives are described on Tables 3 and 4, respectively. For each primitive, the input/output places and the involved EI elements are listed. 13 In the following, we use API to denote the whole set of the API input/output places.
An example of read primitive is mark, which may be used to get the marking of a given P/T place p. It implements a loop which counts for the occurrences of color p in place MARK, putting the result (a weighted tuple λ · p ) in place mResult.
An example of write primitive is addIn k , depicted in Fig. 7. This primitive adds k occurrences of an input P/T edge, denoted by a color-tuple p, t in place addIn, to the base-level encoding. The operation is atomic: each transition a i , i : 0 . . . k − 1, matches a condition in which there are i occurrences of color p, t in place O I (which encodes the difference between P/T functions O − I ), whereas a k matches a state in which O I holds at least k occurrences of color p, t . This primitive represents a template, whose actual configuration depends on parameter k. Our case study makes use of addIn k to implement some of the actuators. For instance, the fault tolerance procedure uses addIn 1 to increase the weight of input arc pl i , Assembler as a part of system's reconfiguration upon the failure of one production line.
It is worth noting that each P/T transformation implemented by the API primitives is valid and it meets Lemma 2. In particular, it preserves mutual exclusion between places O I and I O. addToken k : P -MARK : P It adds k tokens inside element p ∈ P .
delToken k : P -MARK : P It removes k tokens from p ∈ P .

Validation of the emulating framework
In this section we describe the validation activities conducted upon the emulating framework. In particular we show how symbolic structural analysis techniques have been used to validate the behavior of this core component. To make the paper self contained, in Section 6.1 we introduce preliminaries and basic notions. In particular, we introduce the basics of symbolic structural analysis as well as the properties of interest that can be efficiently verified. In Section 6.2, we describe the activity carried out to validate the emulating framework. Fig. 7 The addIn k API primitive's template Asymmetric Structural Conflict (SC): sets the necessary condition for transition disabling. It maps an instance b of t to the set of color instances t that may disable (t , b ), because they withdraw colors (tokens) from an input place of t , or put colors into an inhibitor place of t . Different instances of the same transition may be in self-conflict. In this case, the formula is similar, but for subtracting the identity.

Basic structural relations
Structural Causal Connection (SCC): defines the necessary condition for enabling. It maps an instance b of t to the set of instances of t that may enable (t , b ), because they put colors into an input place of t , or withdraw colors from an inhibitor place of t .
Structural Mutual Exclusion (SME): (t, b) and (t , b ) are in structural mutual exclusion if, whenever one is enabled, the other is not, and vice-versa. This happens if a place p is input for t and inhibitor for t , and the number of a color-token required for the enabling of t is as much, or more, than the limit for that color due to the inhibitor arc function. SME(t, t ) maps an instance b of t to the set of instances of t that cannot be enabled if (t , b ) is enabled. The formula on Table 5 works for type-set functions. P -invariants can be also taken into account. For instance, if p ME p , then the term I [p, t] T

r • I[p, t ] + I[p , t] T r • In p t
should be added to SME(t, t ). Another interesting possibility offered by SN is the automated verification of structural invariants involving place marking (P semi-flows) or transition sequences (T semi-flows). Even though these invariants do not take account inhibitor arcs and priorities, they allow us to formally and efficiently check properties complementary to structural relations. More in details, focusing on P -invariants, we can distinguish between colored (symbolic) and numerical ones. By using SNEXPRESSION we can check whether a given P -indexed vector of multiset-expressions defines a colored P-invariant, and possibly prove the coverage of all place instances. The expressions in the P -indexed vector denote functions from the place color domains to the invariant's domain. Such a vector is a P -invariant (or semi-flow) if, for each transition t, the sum over all places of the compositions of P -invariant's entry pinv [p] with the linear combination O[p, t] − 1 · I[p, t] results in the null function. The invariant marking expression is: p pinv[p](m 0 (p)).
Numerical P -semi-flows (or minimal semi-flow bases) can be checked as well. In fact, SN arc-functions can be rewritten as sums of guarded tuples mapping to constant-size bags, but for those color instances that falsify the guards. As an example, C i − c , depending on whether the color bound to c belongs to subclass C i or not, is either |C i | − 1 or |C i |-size. This may be rewritten as . This is the normal form for bag-expressions used by SNEXPRESSION.
As a consequence, by embedding function-tuple guards in transition guards, any SN transition can be split into a number of equivalent, mutually-exclusive replica, 14 whose I/O arc functions are constant-size, for all valid transition instances. In analogy with low-level PN, a |P |·|T | integer matrix H is defined, whose [p, t] entry holds |O[p, t](b)|−|I[p, t](b)|, for any instance b of t. Any non-null P -vector i which is a positive integer solution of the matrix product iH = 0 is a semi-flow, expressing a conservative law for the tokens flowing through the places corresponding to non-zero entries, abstracting from the token color. A place p is said covered by a semi-flow is the corresponding semi-flow entry is not null. A net is said covered if every place is covered. One such net is bounded.

Net-interface validation
The crucial aspect of the emulation framework is played by the consistent management of the places enabList and checkList. In fact, since transformations are interleaved (not mutually exclusive) with the nominal execution of the base-level layer, they shall be applied safely and avoid any inconsistency due to loss of information and/or addition of spurious information along the interleaved transformation and execution processes. As anticipated in Section 5, such a general property reduces in our context to check whether the places enabList and checkList are mutually-exclusive and color-safe. In the following we prove that these properties hold by means of the basic structural relations introduced above.
The SN model in Fig. 5 illustrates the part of the net-interface in charge of updating these two places. The model shares the places enabList, checkList, beginFiring, beginTestEnab with the emulator. The transitions that put colors into enabList, checkList, are pe 2 , pd 1 . The following holds: W + [checkList, pe 2 ] = t , and W + [checkList, pd 1 ] = t Thus, color-safeness of enabList is trivially preserved. According to Lemma 1 (A and B), pe 2 preserves mutual-exclusion between enabList and checkList: enabList SME pe 2 checkList Transition pe 2 preserves color-safeness of checkList due to Lemma 3(C1). Transition pd 1 preserves mutual exclusion between enabList and checkList and colorsafeness of checkList since it meets Lemma 1 (A and C) and Lemma 3 (C2), respectively. The two basic invariant properties of enabList, checkList are thus retained.
The non-empty structural relations (see Table 5) are listed below by category. In addition to assessing the validity of the emulating framework, we use these properties to reduce the whole model complexity. In fact, from this analysis it emerges that the color domain of transitions is T, but for endUpd, which is neutral domain. Therefore, we can ignore conflicts between endUpd and the other transitions since ∀t = endUpd, SME(t, endUpd) = All . This means that endUpd is mutually exclusive with any instance of every other sub-model transition.
As expected, structural relations between transitions involve only instances of the same color. Most of potential conflicts, however, are apparent, because the involved instances are mutually exclusive (possibly due to place mutual exclusion).
Places beginFiring and beginTestEnab are covered by a semi-flow on the emulator model, ensuring that m[beginFiring] + m[beginTestEnab] ≤ 1, for each m reachable from m 0 . The sub-model's correct behavior is expressed by the following path property. Assuming that tr ∈ m[potDisab] ∩ m[enabList], the only instances of color tr which are enabled are (pd 1 , tr) and (pe 3 , tr) in case tr ∈ m[potEnab] (according to SME). The latter instance is neither in structural conflict with the former one, nor causally connected to any other instance. Thus, (pd 1 , tr) eventually fires, by moving color tr from enabList to checkList, from where it cannot be removed by any instance.

Property 4 If m[beginStep
If tr ∈ m[potEnab], tr / ∈ m[checkList], and tr / ∈ m[enabList], the only transition instances of color tr which are enabled are (pe 2 , tr) and, if tr ∈ m[potDisab], (pd 2 , tr). Also in this case, the latter instance cannot be in conflict (neither directly nor indirectly) with the former one, which eventually fires, by putting color tr into checkList.
In all the other cases, the only transition instances of color tr which may fire preserve the marking of both checkList and enabList, and are not causally connected to any other instance of the same color.
Considering the model shown in Fig. 6, the following numerical semi-flow holds: This equation outlines the control-flow of this portion of the net-interface and it helps us to prove the following path property, which takes into account that transitions endIteInc, endIteDec (ending the loops managing P/T places whose marking has been possibly increased/decreased, encoded in marKInc, marKDec) have lower priority.
The proof in this case is omitted since is comparable to the one of Property 4. Property 4 and Property 5 together ensure consistent behavior of the whole emulator, once it has been linked to valid P/T transformations through the net-interface. The linking mechanism that allows the whole system to be composed will be described in Section 7.
A last remark concerns two other structural invariant properties of the sub-module in Fig. 6. It preserves color-safeness of places potDisab, potEnab, that matters for efficiency reasons. In addition, it meets the elementary colored semi-flows [I de D(p) ] p , ∀p ∈ EI, meaning that it preserves the emulator's interface.

The managing subsystem and module composition
In this section we show how to use the evolutionary API to create adaptation procedures (Section 7.1). We also introduce how to build the target self-adaptive system as a whole by leveraging SN module composition. (Section 7.2).

Managing subsystem
The managing subsystem has a decentralized layout composed of independent adaptation procedures. Each procedure implements a feedback control loop, taking into account an adaptation concern, and has a simple characterization. Let API in be set the set of API input places, API R ⊂ API in be the input places of read primitives, and, if p ∈ API R , out (p) ∈ API out be the companion output place.
Definition 9 (Adaptation procedure) An adaptation procedure P is a SN subnet such that: -P places include a non-empty subset of EI ∪ API and a disjoint set L of local places, with start ∈ L -every P's transition t matches Lemma 2 (if linked to EI) and: -L places are covered by semi-flows.
Summarizing, an adaptation procedure may include both visible and immediate transitions, user-defined P/T transformations, as well as calls to the evolutionary API. It can be linked to API input/output places exclusively by means of output/input arc functions, respectively.
Moreover, when invoking read API primitives, the corresponding output places must be empty. The assumption on local places ensure a (local) boundedness, and suggests that they represent a procedure's control-flow. Figure 8 shows the adaptation procedure (i) fault tolerance of the self-healing manufacturing system example. This procedure applies to both the symmetric (SMS) and asymmetric (AMS) fault schema. Its structure meets Definition 9. Being only composed of observable transitions, it is potentially concurrent with the emulated system. The procedure embeds read operations, by directly accessing the emulator's interface EI (through pairs of identical I/O arc functions), whereas indirectly carries out changes to the base-level by means of the evolutionary API.
We assume that the manufacturing system (see Section 3) is encoded in the emulator EI, and, as shown in Fig. 8, color classes P and T are partitioned into subclasses identifying P/T elements. We do not assume mutual-exclusion between the base-level and the high-level layers. Namely, the manufacturing system continues the production while the adaptation procedures monitor the base-level and enact changes. As discussed in Section 6, the modeling framework ensures that any changes on the base-level leads to a consistent structure. However, the logical correctness of the whole system depends on how the procedures are implemented by the modeler.
As an example, the procedure (i) is triggered when a place pb i is marked, meaning that one of the two lines is faulty (e.g., assume line 1). The blockLoader transition checks for this by reading the place MARK of EI. When firing, it also blocks the loader by adding an inhibitor arc between place pb 1 and transition tlo 1 , with the addH 1 actuator of the API in order to temporarily isolate the failed production line and rearrange the job on the available line. Then, the procedure adapts the assembler component (i.e., transition changeAssembler), by increasing the weight of the edge pw 2 , ta 1 through the addIN 1 primitive, and removing the edge pw 1 , ta 1 using the delIN 1 primitive. A link between the lines is created, by inserting a new transition, tfl 1 , flushing residual row pieces on the faulty line to the other one. Similarly, the procedure adapts the  loader component in order to avoid loading raw pieces into the faulty line. The transition changeLoader uses the addOut 1 and delOut 1 primitives to increase the weight of edge pl 2 , tlo 1 and withdraw the edge pl 1 , tlo 1 , respectively. Finally, the managed subsystem is resumed by removing the inhibitor arc between Broken and Loader. Figure 9 shows the base-level P/T net at the end of the adaptation process. The new transition tre 1 , added by procedure (i), simulates the repair activity on the faulty line.
The procedure (ii) load balancing brings the manufacturing system back to its nominal layout, after the faulty line has been repaired, and the system has entered a safe state (i.e., the place holding Worked pieces is empty). The formal specification of this procedure is available with the additional material included on the online repository accompanying this article.

Module composition
The SN models of our modeling framework (i.e., emulator, net-interface, API primitives, and adaptation procedures) are brought together through superposition of shared places (i.e., having same name and equal domain). This represents a convenient and simpler choice compared to transition superposition, since it does not require any rewriting of arc functions.
More precisely, given the emulator net E, a non-empty collection of adaptation procedures (P i ) i:1...n , the API primitives (N a i ) i:1...k used by any P i , and the net-interface (Figs. 6, 5), their composition results in a SN model M, whose elements (nodes, color structure, arc functions) are the sum of corresponding elements of involved modules.
To obtain the final SN model we merge the shared places included in the following components: Subnet composition through superposition of shared places is automated by the ALGE-BRA module of GREATSPN introduced by Baarir et al. (2009). The initial marking of M corresponds to the initial marking of its components, defined, as for the fixed parts of the model, in previous sections; all start places of adaptation procedures hold a neutral token.
In order for the different components of the model to correctly synchronize, immediate transitions of different modules are assigned different priority levels, 15 according to a partial order. 15 The priorities assigned to immediate transitions in each module are relative. π N 1 < π N 2 means that the greatest priority in N 1 is set less than the lowest in N 2 π P i < π N a i < π net in < π emulator Table 6 gives empirical evidence of how the emulation-based approach can effectively handle the descriptive complexity of models of self-adapting systems. It reports the number of elements of different Petri Nets that refer to different parts (steps) of a self-adaptive system's model built using the emulation-based approach, by varying the system's parameter (the number N of raw pieces).
The 1st column refers to the user-defined parts of the model, that is, the base-level P/T net used as a case study (both the AMS and the SMS schemas are considered) and the adaptation procedures. The 2nd column refers to the fixed part, i.e., the Emulator SN encoding the baselevel. The 3rd column, instead, refers to the P/T system obtained by applying the unfolding procedure to the overall SN model resulting from the composition of the fixed and userdefined modules.
The unfolding of an SN model, as described by , is an equivalent P/T net (with priorities) where each node represents an instance of a corresponding SN node. The unfolding of a stochastic SN is a Generalized Stochastic Petri Net (GSPN) introduced by . 16 The numeric values in each column refer to tokens, places, transitions, and arcs, respectively. We observe that the structural complexity of the emulation-based mechanism is more than acceptable (also when considering the module composition) whereas it explodes when using directly P/T nets: the number of net elements needed to model a semantically equivalent system is hundreds of magnitude orders bigger. This huge difference reflects, obviously, the greater expressivity of high-level PN versus classical ones. But it also highlights the enormous difficulty to embed adaptation issues in a plane, non-layered model.

Dealing with complexity issues
Major shortcomings of our emulating framework come from the limited data-abstraction capacity of SNs. A high number of immediate transitions are needed to preserve the atomic firing semantics of PN transitions, and ensure consistency of the adaptation logic. Legacy solvers/analysers for SNs, integrated in GREATSPN, do not efficiently manage large amounts of immediate transitions in state space generation or discrete-event simulation. In particular, they do not implement any technique to reduce the interleaving of immediate transition color instances, which, when simultaneously enabled, fire in all possible combinations (even when independent from one another). This may result in a combinatorial explosion of vanishing paths/states. GREATSPN state space builders do not even use any on-the-fly reduction (i.e., vanishing paths are erased at the end of the building process). To overcome these issues we discuss in this section on how structural techniques may significantly alleviate the overhead due to immediate transitions. We also consider an orthogonal approach, typical of SN, based on symmetries exploitation.

Transition interleaving reduction through structural relations
As previously mentioned, the unfolding of a (stochastic) SN results in a GSPN (a P/T net with priorities). GSPN immediate transitions are partitioned into equivalence classes, known as Extended Conflict Sets (ECS) introduced by Balbo (2001).
Each ECS represents a maximal set of transitions of the same priority potentially in (direct or indirect) conflict in a marking. The ECS builds on the indirect structural conflict described by Balbo (2001), recursively defined using the low-level structural conflict SC, and causal connection SCC (lines 24 and 30 of Alg. 1): The symmetric structural conflict (SSC) is defined as: Letting * denote the transitive closure, ECS(t i ) = {t j , t i SSC * t j ∧ ¬t i SME t j }. As thoroughly discussed by Balbo (2001), under very general conditions the order in which transitions on different ECS fire does not influence the behavior of a GSPN in terms of its tangible reachability graph (and time semantics). If we chose an arbitrary firing order we may greatly reduce the interleaving of immediate transitions.
We might calculate symbolic ECS directly at SN level, by computing the symmetric and transitive closure of symbolic relations (Capra et al. 2015) on Table 5.
As for the emulator, due to some regularity in its structure, we can use a similar, but much simpler technique, based on detection of apparent conflicts. If the following holds: it means that all the color-instances of t which are potentially in conflict with any instances of t are actually mutually exclusive with them. For instance, consider the net-interface in Fig. 5. In this model we have checked that the only non-apparent conflict is: SC(pd 1 , pe 3 ) = t . That is, any color-instance tr of pe 3 may be disabled by an instance of the same color of of pd 1 . According to ECS definition, two such color instances should belong to the same ECS. But, if we take a deeper look, we figure out that they are independent. The situation is described by the diagram in Fig. 10 You may observe that (pd 1 , tr) disables (pe 3 , tr) and enables (pe 1 , tr). Transitions pe 1 , pe 3 , however, are firing-equivalent since: Moreover, there are no indirect conflicts among net-interface's transition instances, because the higher-priority transitions of the emulator that may be causally connected to or in conflict with them may only be enabled (due to the place-invariant involving place beginFiring) by endUpd, whose firing disables each transition of the net-interface.
We can thus avoid the interleaving among the sub-model's transition instances by assigning each pd i , pe j a different priority.
Using similar arguments, we can check, for instance, that the pairs of transitions checkEnabIn, checkDisabH and checkEnabH, checkDisabIn in Fig. 6 may fire in an arbitrary order, as well transitions a i of the addIN k primitive in Fig. 7.

Auto-Interleaving Reduction through Ordering/Partitioning Color Classes
The interleaving among color-instances of an immediate transition is another major concern. Experimental evidence shows that a major source of inefficiency is the enabling test (step i of Algorithm 1). The bottleneck is represented by the transition toTestT, which nondeterministically selects the next P/T transition to check for enabling. The interleaving of its color-instances can be significantly reduced by defining color class T as ordered. This solution, implemented in a second version of the emulator drops the (potential) number of vanishing paths from O(|T|!) to O(|T|). The same idea can apply to color class P, in the further steps of the emulation. Unfortunately, ordering color classes prevent symmetries from being exploited if, for modeling reasons, they are further partitioned into subclasses, as explained in the next subsection.
The interleaving among color-instances of transition toTestT can be also reduced by observing that SC(toTestT, toTestT) = ∅, i.e., there are no structural auto-conflicts among instances of this transition, and no indirect conflicts caused by higher-priority transition instances. We can thus (automatically) split toTestT into an equivalent set of replicas, each one with a guard ensuring the membership of the color bound to transition's variable t 1 to a given subclass of T. Each replica is assigned a different priority. The emulator potential complexity, in terms of vanishing paths, lowers to O(s · max({|T i |, i : 1 . . . s})!), where s is the number of subclasses. We can analogously reduce auto-interleaving of other transitions (e.g., testNextIn, testNextH), by exploiting the partition of class P (if any).

Space complexity reduction through symmetries exploitation
Behavioral symmetries are implicitly expressed in SN models, through the particular syntax of their color annotations. Symmetries are exploited to build a symbolic, quotient reachability graph (SRG) and, in SSN, an associated lumped CTMC, or to drive an efficient discrete-event simulationof SN models. 17 A syntactical state equivalence relation is provided by the symbolic marking (SM) notion. A SM is an equivalence class of SN markings: m, m are equivalent if and only if one is obtained from the other through a color permutation preserving the static partition and the circular ordering of color classes (if any). As described by , the SRG built from an initial SM through a symbolic firing rule, retains all the information of the ordinary SN reachability graph.
A SM is defined in terms of dynamic subclasses, denoting parametric partitions of each color (sub)class. A dynamic subclass has a cardinality, i.e., it may represent a set of different colors in a (sub)class. Dynamic subclasses of ordered classes are ordered too, representing contiguous sets of colors. A color class which is both ordered and partitioned is like a completely split class, thus the only possible permutation on it is the identity.
An initial SM for the emulator-based model is simply defined from the ordinary initial marking, by replacing color-tokens {pl i } and {tr j } of P, T, with cardinality one dynamic subclasses {zp i } and {zt j }, respectively, each referring to a given subclass in the case of a static partition of P, T. The nodes (SM) of the resulting SRG, may thus represent classes of isomorphic P/T systems. 18 Checking graph isomorphism is in general complex. 19 In SN encoding of bipartite graphs, it corresponds to bringing a SM into a canonical form, as described by . Most of the inefficiency of legacy SRG algorithm is due to a brute-force enumeration of color permutations done during SM canonization. Therefore, although the SRG may result in a more compact structure than the ordinary RG, its execution time may be incomparably higher. Table 7 reports some experimental data. All results reported henceforth have been obtained running GREATSPN on FEDORA Gnu/Linux release 25 operating system, using a machine equipped with a 2.5 GHz INTEL Core i5 processor, and 16 GB 1600 MHz DDR3 RAM.

Experimental results on complexity
Data refers to the state space building process of the emulating framework encoding the SMS example (without adaptation procedures) by varying the model size N (i.e., number of raw pieces). In case the computation succeeds, the Table reports the execution time and the corresponding number of Tangible Marking (TM) and Vanishing Markings (VM). Otherwise it reports either FAIL (i.e., out of memory) or TIMEOUT (i.e., 3 hours). Data has been collected by using different versions of the emulating framework (EMU 1 -EMU 4 ) that implement different techniques to reduce the complexity discussed above.
The overhead due to immediate transitions clearly emerges. Nevertheless, it is possible to quantify the contribution of each reduction technique used to optimize the emulating framework. It is worth noting that, without any optimization, we have been able to solve models up to N = 8. In this case, we observe a number of VMs 9 times larger than what we obtain by using the EMU 1 version.
We also observe that the reduction of VMs achieved by ordering class T is comparable with the one obtained by partitioning T, whereas the latter adds up to the reduction due to Nevertheless, the time complexity of the SRG algorithm is higher as discussed above. When considering the SMS example in Fig. 2 (two parallel production lines), the exploitation of symmetries reduces the state space by a factor of ∼ 2 (according to the model's layout). Nonetheless, symmetries become crucial when considering systems having a high number of replicated components. For instance, consider the parametric model represented by the SN in Fig. 11 composed of M modules (i.e., production lines), working in parallel and synchronizing at a given point (M = 2 corresponds to the SMS example in Fig. 2).
When M grows up, the exploitation of symmetries becomes the only effective way to deal with the model's scalability. The intrinsic combinatorial complexity of one such model is untreatable otherwise (to give an idea, for M = 8 there are several dozens millions of ordinary states against just a few thousands of symbolic ones). Once again, the drawback here is the inefficiency (in terms of execution time) of the legacy SRG builder of GREATSPN, whose re-engineering is planned as a part of our future work.

Formal verification
In this section, we discuss significant verification activities that can be carried out on adaptive systems modeled with our framework. Since this approach relies on SNs, we can leverage a wide range of consolidated techniques. The techniques discussed in this section have been applied to our selected case study (both ASM and SMS schemas).

Timing analysis
As anticipated in Section 4, the emulator model can be used to model/simulate also stochastic PNs (SPNs), Each SPN transition t k is associated with a rate ρ k ∈ R + representing the parameter of a non-negative exponential density function from which the firing delay of t k is sampled, once it is enabled in a marking. Rates can be marking-dependent. This  To emulate a SPNs, we need to consider the emulator as a stochastic SN (SSN), formerly known as SWN, introduced by . The timed semantics of a SSN is that of its unfolding, i.e., a Generalized SPN. Observable transitions (called timed) are associated with exponential rates, as in SPN. Immediate transitions fire in zero-time with priority over timed ones, and are assigned weights used to solve in a probabilistic way possible conflicts arising in vanishing paths. As a result, the semantics of a SSN is a CTMC isomorphic to its TRG. The probabilities associated with vanishing paths determine, together with timed transition rates, the entries of the CTMC generator matrix. If an initial symbolic marking is set for a SSN, then it is possible to derive a lumped CTMC isomorphic to the tangible part of its SRG.
Rates/weights can be associated with SSN transition color-instances, or be markingdependent, according to the static partitioning of color classes. 20 In the emulator module, arbitrary rates can be attached to immediate transitions color-instances of the model's fixed parts without affecting its stochastic behavior.
To encode a SPN in the emulator, we may have to partition the emulator's color class T, so that we can distinguish groups of P/T transitions with different firing rates. P/T transitions are in fact encoded as color-instances of the SN timed transition PT fire. Figure 12 shows how the PT fire transition of the emulator has been automatically split in order to encode a stochastic version of the MS running example. Each individual PT fire i instance has a different firing rate, and corresponds to the firing of a subclass of T. Table 8 shows data obtained by analyzing the self-healing manufacturing systems (both AMS and SMS), including the adaptation procedures (managing line-faults and subsequent repairs), with different model size N . The reachability graph built by using the optimized EMU 3 version (i.e., transition interleaving reduction and partitioned classes) holds one maximal strongly-connected component (i.e., the initial marking is a home state), thus there is a steady-state solution of the corresponding CTMC. The first significant remark here is that the RG and the SRG in the AMS example have the same size. In this example, we do not reduce the space complexity with the SRG structure. This result reflects the structural properties of this model (i.e., it does not have behavioral symmetries). The SMS is composed of two symmetric parts (i.e., two faulty production lines). Here, the size of the SRG is reduced by a factor of ∼ 1.9 (considering both the tangible and the vanishing markings). The time instead increases by a factor of ∼ 9, varying from a few milliseconds (0.15 s. with N = 3) to a few minutes (208.11 s. with N = 6). The throughput column in Table 8 shows the average throughput of the Assembler component (i.e., the number of firings of the transition ta 1 in a time unit) of the encoded SPN. This value is congruently the same for the ordinary CTMC and the lumped one derived from the SRG. The last column of Table 8 reports the time required to compute the throughput value for all the transitions of the model. This value ranges from a few milliseconds (0.66 s. with N = 2) to a few seconds (49.71 s. with N = 16).

Model checking
The MC4CSL T A model checker, introduced by Amparore and Donatelli (2010), has been used to verify the correctness of our case studies with respect to design-time requirements. MC4CSL T A is a probabilistic model checker embedded in GREATSPN for the stochastic logic CSL T A . In the following, we provide a brief overview on the CSL T A stochastic logic to make the article self contained. We refer the reader to Amparore and Donatelli (2010) for a more details.
The CSL T A stochastic logic for CTMCs is characterized by the possibility of specifying path formulas through a single-clock Deterministic Timed Automata (DTA). Given λ ∈ [0, 1] a probability value, p ∈ AP an atomic proposition, and ∈ {≤, <, >, ≥} a comparison operator, a CSL T A state formula Φ is defined as follows: where A is a single-clock DTA. CSL T A uses DTAs to specify (timed) accepted paths and the model checker goal is to compute the probability of the set of accepted paths. A DTA A is composed of a set of states and a set of edges (e.g., see Fig. 13a). Each DTA is equipped with a clock (usually named x), that runs constantly and whose value increases linearly over time. Edges describe the transition relation and can be labeled with a clock and action  (21) and (22), respectively constraints. The DTA in Fig. 13a has two states l 0 and l 1 . The state l 0 is initial, and l 1 is final. An edge with a constraint in the form x = α is a boundary edge (marked with the symbol), and is triggered by elapsed time. An edge with a constraint α < x < β is an inner edge and is triggered by a transition firing in the PN model. States can have an associated boolean formula which predicates on the marking of the PN model.
Formal requirements in our framework can be expressed as general reachability, safety, liveness properties and invariants using the CSL T A stochastic logic. The properties can refer either to the behavior of the managing (i.e., the adaptation procedures) or the managed (i.e., the encoded base-level model) subsystem.
Safety Safety properties can predicate over either the nominal behavior or the adaptation process. For instance, we verified that the manufacturing systems (considering all their possible evolutions) does not lose raw pieces during the production. Equation 21 shows the formula used to verify the property. We use #p to denote the number of tokens inside the place p. P ≤0 safety (Φ 0 := #pin 1 + #pl 1 + #pl 2 + #pw 1 + #pw 2 + 2 · #pa 1 = N), (21) Figure 13a shows the safety DTA embedded in this formula. The Act label represents a wildcard action and it stands for "any firing transition". Since in the current example we do not take into account time, we leave a default check x > 0 on the clock variable x. This means that the actions are executed at any time greater than zero (i.e., Zeno behavior is not admitted).
A similar liveness property can be verified by targeting the load balancing adaptation concern. Namely, we verified that the load balance procedure always starts when a broken production line has been fixed.
Furthermore, we verified the adaptation integrity constraint (i.e., a common metaproperty often verified in self-adaptive systems (Zhang and Cheng 2006)). This metaproperty states that once the adaptation starts, it must eventually complete. Thus, the adaptation process eventually reaches its own final state and the desired changes are applied to the base-level. In the manufacturing systems, we verified this constraint by using the liveness formulas (24) and (25). The two CSL T A properties target the two adaptation procedures, respectively.
Timed properties Up to this point, we introduced a number of absolute properties, i.e., verified either with probability ≥ 1 (i.e., always true) or with probability ≤ 0 (i.e., always false). In fact, we considered so far a base-level encoded as P/T net. Nevertheless, a baselevel encoded as stochastic PN (see Section 9.1) opens up the possibility of verifying probabilistic (timed) properties. Equation 26 reports an example of timed property verified upon the stochastic AMS systems. P >0.9 timed (α := 1, β := 10, Φ 0 := #pb 1 > 0 ∨ #pb 2 > 0, The probability states that the probability fixing a failed line, within 10 time units, is greater than 0.9. The embedded timed DTA is shown in Fig. 14b.
Another example follows.
This latter property has been used to verify that the time required by the system to assemble all the raw products, in X time unit, is greater than L. Figure 15 reports the embedded timed 2 DTA.   Table 9 shows, for each property, the total execution time and space. Time values refer to resources required by both on-the-fly state space construction and computation of the forward steady-state solution of the SN model. The last time column shows the average time value required by these two (separated) activities. Results reveal that the amount of time required to compute the solution in both the two cases (AMS and SMS) is negligible and very low if compared with the build time. The build time varies from few milliseconds (∼ 0.16s./∼ 0.46s. with N = 2) to few minutes (∼ 44s./∼ 90s. with N = 16). The last column shows the average memory usage during the verification activities. It is worth noting that the total amount of memory is small even though the state space increases (especially in the number of vanishing markings) when increasing the problem size N . Average values remain below 1MB (∼ 1KB/∼ 2KB with N = 2 to ∼ 120KB/∼ 160KB with N = 16).

Related work
The approach described in this paper is part of our ongoing research activity on formal specification and verification of decentralized self-adaptive systems, as described by , Capra and Camilli (2018), Camilli et al. (2019), and Capra and Camilli (2020). Self-adaptation has been widely studied from different perspectives and different  (2017) for a more comprehensive overview on the landscape of self-adaptive systems. Here, we limit the comparison to formal methods for specifying and verifying self-adaptation, with particular focus on models of concurrency and DESs, such as PN-based approaches. In fact, although PNs represent a sound and expressive model of concurrency and distribution, they cannot represent in a natural way structural changes able to express self-perceiving and self-adaptation procedures (Reisig 1985). Several attempts to face this critical issue gave rise to new PN-based formalisms, in which an enhanced modeling power is not always accompanied by adequate analysis techniques. The formal framework introduced in this article has been mainly influenced by different existing approaches able to describe DESs with evolvable and/or adaptable behavior. A different, even if somehow related, paradigm based on pure SPEC-inscribed (algebraic) PNs -see Reisig (1991) -has been introduced by Capra (2016). The framework builds on a compact algebraic net which emulates the behavior of any P/T system encoded as a marking of the net. The model is completed by a library of atomic transformations (similar to graph-rewriting rules) implemented as (parametric) transitions, that one can use and compose with the emulator net to describe self-adaptation procedures. The OBJ specification language, introduced by Goguen et al. (1988) is adopted to inscribe the high-level nets. Though inspired by the same principles and sharing most of the goals, the approach introduced in this work is uniform and relies on well established formal methods. This choice permits consolidated analysis techniques to be leveraged. In fact, the main drawback of the algebraic emulator (and many other state of the art approaches) is the lack of supporting software tools. Currently available tools for algebraic PNs are based on too complex higher-order languages to non-expert users. Moreover, they often have a non standard and less intuitive semantics than the original one of pure algebraic specifications, introduced by Reisig (1991).
The use of "higher-order" tokens in PNs dates back to the approach presented by Valk (1998), where both system and object nets are Condition/Event systems. The synchronization between these entities is performed though special interface transitions. While preserving most principles of elementary nets theory, this technique does not allows dynamical transformations to be represented. A survey of approaches that combine "higher-order" tokens and the features of object-oriented programming has been presented by Valk (2004). In these models objects are instances of classes and object transformations are specified by methods.
However, most of these formalisms do not have a clear denotational semantics, thus limiting the applicability of classical analysis techniques. Reference Nets, introduced by (Cabac et al. 2005), are the representative of this class of formalisms, being supported by a Java software tool called RENEW. Another modeling approach, based on object-oriented Petri nets, has been introduced by Meng (2010) to describe reconfigurable manufacturing systems. This model integrates object-oriented methods, stepwise refinement ideas and Petri nets together. In particular the authors introduce the concepts of macro-place, used to model the aggregation of many processes, and macro-transition, used to link all the related macroplaces. This work focuses on the modeling activity. Validation and verification of such a models are currently not supported. Algebraic Higher-Order (AHO) nets, described by Hoffmann and Mossakowski (2002), are an extension of algebraic nets where the employed algebraic specification language HASCASL is higher-order. Tokens in AHO-nets represent P/T nets, that move across places, and that can be transformed using a restricted set of algebraic net-operators applied by firing transitions. AHO-nets have been proposed as a unifying framework for the "nets within nets" paradigm. An interesting evolution of this paradigm, based on AHO-nets and on the main ideas of graph transformation systems, has been introduced by Hoffmann et al. (2005a, b), where the token game is integrated with rule-based transformations of P/T nets. An algebraic extension of object nets called Higher Order Recursive Nets is proposed in Köhler-Bußmeier (2009), where an algebraic structure which refers to the topology of net-tokens is introduced, providing operators for nets composition. Net Rewriting Systems (NRSs) have been introduced by Llorens and Oliver (2004). This formalism represents a model of the dynamic changes in the structure of Petri nets. However such a formalism do not define analysis techniques able to formally verify designtime requirements. Reconfigurable Petri Nets (RecPNs) represent a subclass of NRS where reconfigurability is restricted to the flow relation (i.e., changes on place/transition elements are not feasible). In RecPNs, a system configuration is described as a P/T net and a change in the configuration is described as a graph rewriting rule. Verification algorithms here, are based on a translation process between a RecPNs model to an equivalent P/T net, so that the classical verification methods of P/T nets are applicable. An extension of NRSs (i.e., Improved RNSs) has been introduced by Li et al. (2009) to overcome property decidability issues. In this extension, three basic properties (liveness, boundedness, and reversibility) can be verified.
Other related approaches grounded on reflective frameworks have been introduced by Capra and Cazzola (2006) and . In particular, Reflective Petri nets (RPNs) aim at specifying and simulating evolving P/T systems through a meta-modeling layer composed of guards and strategies, provided in term of high-level Petri nets. The meta-modeling layer provides the ability to describe conditions (i.e., guards) that activate specific routines (i.e., strategies) able to change the structure of the lower layer (i.e., the P/T net). The main drawback of RPNs, once again, is the lack of supporting analysis techniques and software frameworks/tools.
The development of (single layer) PN-based approaches to specify and verify self-adaptive systems has been addressed by Zhang and Cheng (2006). An extension of this latter work, which takes into account also temporal concerns in real-time self-adaptive systems has been introduced by Camilli et al. (2015. The key idea of these modeling approaches is to unfold the nominal and the evolutionary behaviors of a self-adaptive systems in a single modeling layer, realizing a separation of concerns by means of zones (i.e., PN subnets). However these approaches allow to represent the adaptation from an abstract perspective, meaning that they do not allow the specification of adaptation procedures and the conditions under which the system is required to adapt itself. Although they are well supported by both design-time -see Bellettini et al. (2012) and Camilli (2014) -and runtime -see Camilli et al. (2017a) -analysis techniques, these approaches have limited modeling capability and they do not allow for an easy integration of structural changes in the model itself.
Other models of concurrency have been tailored to represent adaptable and/or evolvable systems. Process Algebras, such as Communicating Sequential Processes (CSP), have been extended in Bartels and Kleine (2011) to model systems able to react upon external stimuli by changing their internal behavior (e.g., to recover from errors). In this sense, self-healing systems can be viewed as a reactive systems that adapts itself in response to external inputs. Reconfiguration of systems is also supported by the work presented by Allen et al. (1998). Systems are described using the Architecture Description Language (ADL) Dynamic Wright. The formal semantics of the ADL is defined by a translation to CSP. Hence, formal properties on the architecture of the system can be verified on the level of CSP. These works focus on architectural aspects of adaptable system design and does not consider functional aspects of the system behavior.

Conclusion and future directions
In this paper, we introduce an SN-based formal modeling framework for self-adaptive systems with a decentralized adaptation control. SNs are a high-level PN formalism with a syntax that outlines behavioral symmetries of systems. The framework builds on an SN component that emulates the behavior of any P/T system (with inhibitor arcs) encoded as an SN marking. The P/T system represents the base-level of the model, which can be arbitrarily adapted using transformation rules/procedures logically forming the model's high-level layer. These two components are coherently linked through a net-interface.
Our approach exploits consolidated analysis techniques implemented by off-the-shelf software tools. We provide a detailed, formal presentation of both the SN-based emulator and the evolutionary components, that include an API of base transformations primitives on which distributed adaptation procedures can be specified. Symbolic structural analysis techniques have been used to validate the components of the emulation-based framework. State-space exploration techniques have been used instead to formally verify the modeled systems. At this stage, all the native SN features can be used: generation of a quotient (symbolic) state space (exploiting behavioral symmetries), timed analysis (thanks to the native stochastic extension of SN), and model checking to extract meaningful insights from both the base-level layer (i.e., the managed subsystem) and the high-level layer (i.e., the managing subsystem). The usability and effectiveness of our approach have been shown on two variants of a self-healing manufacturing system. Our experiments show both the applicability and the cost (in terms of time and space) required by verification activities. Major complexity concerns have been illustrated, discussed, and (partially) faced. All the models introduced in this paper have been released publicly to encourage the repetition of experiments.
Our ongoing research activity includes the following main directions. We are developing an easy-to-use Domain Specific Language to help non-expert users specify the decentralized adaptation control loops and the (arbitrarily complex) patterns of coordination among them. Furthermore, we are going to include explicit modeling of uncertain aspects of the surroundings employing probabilistic approaches, as suggested by Camilli et al. (2017b. We also aim at addressing the scalability and complexity concerns of the approach that arise when modeling realistic systems. On the one hand, we plan to enhance the current version of the symbolic state-space builder of GREATSPN by exploiting symbolic structural analysis to reduce the immediate transitions' interleaving. Indeed, the huge number of immediate transitions needed to preserve the atomic firing semantics of the base-level and to ensure the coherence in adaptation steps has been identified as a major bottleneck of our approach. We also believe that simple syntactical extensions of SN, such as flush-arcs and symmetric marking-dependent guards, could greatly alleviate this problem. On the other one hand, we aim at exploiting the modularity of the model and some invariant properties in its fixed parts. Figure 16 shows the whole SN model implementing our emulating framework described in Section 5. This model has been obtained mechanically by translating the listing reported in Algorithm 1. The marking encodes the AMS case study described in Section 3. Funding Open access funding provided by Libera Università di Bolzano within the CRUI-CARE Agreement.

Appendix A: Emulator SN model
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommonshorg/licenses/by/4.0/.