BISIMILARITY AND BEHAVIOUR-PRESERVING RECONFIGURATIONS OF OPEN PETRI NETS

We propose a framework for the specification of behaviour-preserving reconfigurations of systems modelled as Petri nets. The framework is based on open nets, a mild generalisation of ordinary Place/Transition nets suited to model open systems which might interact with the surrounding environment and endowed with a colimit-based composition operation. We show that natural notions of bisimilarity over open nets are congruences with respect to the composition operation. The considered behavioural equivalences differ for the choice of the observations, which can be single firings or parallel steps. Additionally, we consider weak forms of such equivalences, arising in the presence of unobservable actions. We also provide an up-to technique for facilitating bisimilarity proofs. The theory is used to identify suitable classes of reconfiguration rules (in the double-pushout approach to rewriting) whose application preserves the observational semantics


Introduction
Petri nets are a well-known model of concurrent and distributed systems, widely used both in theoretical and applicative areas. In classical approaches, such as [34], nets are intended to represent closed, completely specified systems evolving autonomously through the firing of transitions. In order to represent open systems, namely systems which can interact with the surrounding environment or, from a different perspective, systems which are only partially specified, several extensions of the basic model of Petri nets have been considered in the literature. Conceptually, this effort dates back to the early works on net composition and refinement and to the studies concerning the development of compositional semantics for Petri nets (a discussion of the related literature can be found in the concluding section).
Generally speaking, important issues that must be faced when modelling open systems can be summarised as follows. Firstly, a large (possibly still open) system is typically built out of smaller open components. Syntactically, an open system is equipped with suitable interfaces, over which the interaction with the external environment can take place. Semantically, openness can be represented by defining the behaviour of a component as if it were embedded in general environments, determining any possible interaction over the interfaces.
Secondly, often the building components of an open system are not statically determined, but they can change during the evolution of the system, according to predefined reconfiguration rules triggered by internal or external solicitations.
The work in this paper outlines a framework where open systems can be modelled as Petri nets, capturing both the requirements mentioned above. Observational semantics based on (weak) bisimulation are shown to be congruences with respect to the composition operation defined over Petri nets. Building on this, suitable reconfigurations of such systems can be specified as net rewritings, which preserve the behaviour of the system. The relation with other approaches in the literature addressing similar issues will be discussed in Section 7.
The framework presented here is based on so-called open nets, a mild generalisation of ordinary Petri nets introduced in [3,4] to answer the first of the requirements above, i.e., the possibility of interacting with the environment and of composing a larger net out of smaller open components. An open net is an ordinary net with a distinguished set of places, designated as open, through which the net can interact with the surrounding environment. As a consequence of such interaction, tokens can be freely generated and removed in open places. In the mentioned papers open nets are endowed with a composition operation, characterised as a pushout in the corresponding category, suitable to model both interaction through open places and synchronisation of transitions.
In the first part of the paper, after having extended the existing theory for open nets to deal with marked nets, we introduce bisimulation-based observational equivalences for open nets. Following a common intuition about reactive systems (see, e.g., [43,29] or the recent [20]) such equivalences are based on the observation of the interactions between the given net and the surrounding environment. The framework treats uniformly strong bisimilarity, where every transition firing is observed, and weak bisimilarity, where a subset of unobservable transition labels is fixed (corresponding to τ-actions in process calculi) and the firings of transitions carrying such labels are considered invisible. We also consider step bisimilarity (see, e.g., [44,30]), obtained by taking as observations possibly parallel steps rather than single firings of transitions, thus capturing, to some extent, the concurrency properties of the system.
The considered notions of bisimilarity are shown to be congruences with respect to the composition operation over open nets. Interestingly enough, this holds also when the set of non-observable labels is not empty, i.e., for weak bisimilarities: some natural questions regarding the relation with weak bisimilarity in CCS are addressed. In addition, we propose an up-to technique for facilitating bisimilarity proofs.
Exploiting the results in the first part of the paper we next introduce a framework for open net reconfigurations. The fact that open net components are combined by means of pushouts naturally suggests a setting for specifying net reconfigurations, based on double-pushout (DPO) rewriting [14]. Using the congruence result for bisimilarity we identify classes of transformation rules which ensure that reconfigurations of the system do not affect its observational behaviour.
In order to understand this paper some basic knowledge of category theory (see for instance [32]) is required.

Marked Open Nets
An open net, as introduced in [3,4], is an ordinary P/T Petri net with a distinguished set of open places, which represent the interface through which the environment can interact with the net. An open place can be an input place, meaning that the environment can put tokens into it, or an output place, from which the environment can remove tokens, or both. In this section we introduce the basic notions for open nets as presented in [4], generalising them to nets with initial marking: this will be needed in the treatment of bisimilarity in Section 4.
Given a set $X$ we write $2^X$ for the powerset of $X$ and $X^\oplus$ for the free commutative monoid over $X$, with monoid operation $\oplus$, whose elements will be referred to as multisets over $X$. Moreover, given a function $h : X \to Y$ we denote by the same symbol $h : 2^X \to 2^Y$ its extension to sets, and by $h^\oplus : X^\oplus \to Y^\oplus$ its monoidal extension. Given a multiset $u \in X^\oplus$, with $u = \bigoplus_{x \in X} u_x \cdot x$, for $x \in X$ we will write $u(x)$ to denote the coefficient $u_x$. With little abuse of notation, we will write $x \in u$ iff $u(x) \geq 1$. Given $u, v \in X^\oplus$ we write $u \leq v$ when $u(x) \leq v(x)$ for any $x \in X$. In this case the multiset difference $v \ominus u$ is the multiset $w$ such that $u \oplus w = v$. The symbol $0$ denotes the empty multiset.
Definition 1.1 (multiset projection). Given a function $f : X \to Y$ and a multiset $u \in Y^\oplus$ we denote by $(u \downarrow f) \in X^\oplus$ the projection of $u$ along $f$, which is the multiset over $X$ defined as (u In other words, $(\ \downarrow f) : Y^\oplus \to X^\oplus$ is the monoidal extension of the function $(\ \downarrow f) : Y \to X^\oplus$ defined by $(y \downarrow f) = x_1 \oplus \ldots \oplus x_n$ when $f^{-1}(y) = \{x_1, \ldots, x_n\}$. For instance, given f : In the following we will mainly work with injective functions, for which the projection operation satisfies some expected properties, such as We consider nets where transitions are labelled over a fixed set of labels $\Lambda$.
Definition 1.2 (P/T Petri net). A P/T Petri net is a tuple $N = (S, T, \sigma, \tau, \lambda)$ where $S$ is the set of places, $T$ is the set of transitions (with $S \cap T = \emptyset$), $\sigma, \tau : T \to S^\oplus$ are functions mapping each transition to its pre- and post-set and $\lambda : T \to \Lambda$ is a labelling function for transitions.
In the sequel we will denote by • (•) and (•) • the monoidal extensions of the functions σ and τ to functions from T ⊕ to S ⊕ .Moreover, given s ∈ S, the pre-and post-set of s are defined by • s = {t ∈ T : s ∈ t • } and s • = {t ∈ T : s ∈ • t}.Definition 1.3 (Petri net category).Let N 0 and N 1 be Petri nets.A Petri net morphism f : N 0 → N 1 is a pair of total functions f = f T , f S with f T : T 0 → T 1 and f S : S 0 → S 1 , such that for all t 0 ∈ T 0 , ) and λ 1 (f T (t 0 )) = λ 0 (t 0 ).The category of P/T Petri nets and Petri net morphisms is denoted by Net.
It is worth recalling that category Net is a subcategory of the category Petri of [24], which has the same objects, but more general morphisms which can map a place to a multiset of places.
We next introduce the notion of open net.As anticipated above, differently from [3,4], we work here with marked nets.Z is the initial marking.Hereafter, unless stated otherwise, all open nets will be assumed implicitly to be marked.An open net will be denoted simply by Z and the corresponding initial marking by û.Subscripts carry over to the net components.The graphical representation for open nets is similar to that for standard nets.In addition, the fact that a place is input or output open is represented by an ingoing or outgoing dangling arc, respectively.For instance, in net Z 1 of Fig. 1, place s is both input and output open, while s ′ is only output open.
The notion of enabledness for transitions is the usual one, but besides the changes produced by the firing of the transitions of the net, we consider also the interaction with the environment which is modelled by events, denoted by + s or − s , which produce or consume a token in an open place s.Such events corresponds to the pseudo-transitions of [43] and to the transition in the universal context of [29].Definition 1.5 (set of extended events).Let Z be an open net.The set of extended events of Z, denoted by TZ and ranged over by ǫ is defined as Definition 1.6 (firings and steps).Let Z be an open net.A step in Z consists of the execution of a multiset of (extended) events A step is called a firing when A consists of a single event, i.e., A = ǫ ∈ TZ .
A firing can be (i) the execution of a transition u ⊕ A step is the execution of a multiset of transitions and interactions with the environment, of the kind We now introduce suitable morphisms relating open nets, which are morphisms between the underlying P/T nets, satisfying certain conditions on the open places and on the initial marking.In particular, given an injective morphism f : Z 1 → Z 2 , we can think of N Z 1 as a subnet of N Z 2 .In this case, we require that a place of Z 1 is input/output open in Z 2 only if it is so in Z 1 , and that a transition in T Z 2 − T Z 1 can put/remove a token on/from a place of Z 1 only if that place is input/output open in Z 1 .Furthermore, any place of Z 1 must have the same number of tokens of its image in Z 2 .This is formalized by the following definition, which introduces general morphisms, possibly non-injective.

Definition 1.7 (open net category). An open net morphism
then an interaction of the environment with Z 2 through s would also affect Z 1 : therefore s must be open in Z 1 as well.That is, input/output open places must be reflected by the embedding, as stated by the first part of conditions 1.(i) and 1.(ii).Furthermore, if a transition in T Z 2 − T Z 1 can put a token in a place s of Z 1 , this is seen from Z 1 as an interaction with the environment, and therefore s must be (input) open in Z 1 : this is formalized by the second part of conditions 1.(i) and 1.(ii).Finally, condition 2 requires the marking of Z 1 to be the projection of the marking of Z 2 : any place s 1 ∈ S Z 1 must carry the same number of tokens as its image f (s 1 ) ∈ S Z 2 , i.e., û1 (s 1 ) = û2 (f (s 1 )) for any s 1 ∈ S Z 1 .
Consider, for instance, morphism $f_1 : Z_0 \to Z_1$ in Fig. 1: the mapping of places and transitions is suggested by the shape and labelling of the nets. Note that in $Z_1$ a "new" c-labelled transition is attached to the places $s$ and $s'$. This is legal since the corresponding places in $Z_0$ are output open and input open, respectively. Note also that the number of tokens in places in $Z_0$ and in their image through $f_1$ is the same. Instead, the number of tokens in the place $s''$ in $Z_1$ is not constrained since it is not in the image of $f_1$: the place is marked, but $f_1$ would have been a legal morphism also if $s''$ were not marked.
It is worth observing that most of the constructions in the paper will be defined for open net embeddings, hence readers can limit their attention to embeddings if this helps the intuition. Still, on the formal side, working in a larger host category with more general morphisms is essential to obtain a characterisation of the composition operation in terms of pushouts. Specifically, non-injective open net morphisms are needed as mediating morphisms (recall, for example, that the category of sets with injective functions does not have all pushouts).
Observe that the constraints characterising open net morphisms have an intuitive graphical interpretation:
• The connections of transitions to their pre-set and post-set have to be preserved. New connections cannot be added.
• In the larger net, a new arc may be attached to a place only if the corresponding place of the subnet has a dangling arc in the same direction. Dangling arcs may be removed, but cannot be added in the larger net.
• The number of tokens in each place in the source net must be preserved in the target. Instead, there are no restrictions on the marking of places of the target net which are not in the image of the source net.
In the sequel, given an open net morphism f = f S , f T : Z 1 → Z 2 , to lighten the notation we will omit the subscripts "S" and "T " in its place and transition components, writing f (s) for f S (s) and f (t) for f T (t).Moreover we will write Z 2 and f ⊕ (x s ) undefined, otherwise.Note that f ⊕ can be partial since open places can be mapped to closed places.
The next proposition explicitly shows that category ONet, as introduced in Definition 1.7, is well defined.To prove this fact we will use the well-definedness of the category of unmarked open nets, introduced in [4].This category, denoted here by ONet u , has (unmarked) open nets as objects and mappings satisfying only condition 1 in Definition 1.7 as morphisms.These will be referred to as unmarked open net morphisms.Proposition 1.8.Open net morphisms are closed under composition.
Proof.Let f 1 : Z 1 → Z 2 and f 2 : Z 2 → Z 3 be open net morphisms.Then f 1 and f 2 are unmarked open net morphisms and thus, since ONet u is a well-defined category, also f 2 •f 1 is an unmarked open net morphism.In order to prove that f 2 • f 1 is a well defined open net morphism it remains to show that it satisfies also condition 2 in Definition 1.7, i.e., that it reflects the initial marking.But this fact follows easily from the definition.In fact, for any Unlike most of the morphisms considered over Petri nets in the literature, open net morphisms are not simulations.As an example, consider the open net embedding in Fig. 2(a).While the transition labelled c in the net Z 1 can fire infinitely many times, its image in the second net Z 2 can fire only once.
Instead, since open net embeddings are designed to capture the idea of inserting a net into a larger one, they are expected to reflect the behaviour, in the sense that given an embedding $f : Z_0 \to Z_1$, the behaviour of $Z_1$ can be projected along $f$ to the behaviour of $Z_0$. The target net of a morphism is in general more "instantiated" and thus more constrained than the source net (e.g., a place which is open in the source net can be closed in the target). We will come back to this fact in the conclusions.
Although the paper will mainly use open net embeddings, a remark about non-injective morphisms is in order.Consider the open net morphism f 2 in Fig. 2 As, intuitively, the two transitions of Z 1 become the same transition in Z 2 , in this case by reflection of behaviour we mean that the firing of t in Z 2 must be reflected to the parallel firing of t ′ and t ′′ in Z 1 .Note that this is the case, e.g., for the initial markings: s enables t and its projection (s In the rest of this section we formalize the intuition that an open net embedding f : Z → Z ′ reflects the behaviour by showing that each step of Z ′ can be projected along f to a step of Z.It could be shown that the behaviour of an open net is reflected along non-injective morphisms as well, but this would require some technical complications which we prefer to avoid, as it will not be used in the rest of the paper. We start by defining the projection of multisets of extended events along open net embeddings.Definition 1.9 (projecting extended events).Given an open net embedding f : Z → Z ′ , the projection of extended events along f , denoted ( ⇓ f ) : The monoidal extension of ( ⇓ f ) to multisets of extended events will be denoted by the same symbol ( ⇓ f ) : T ⊕ Z ′ → T ⊕ Z .In words, if we think of the embedding f : Z → Z ′ as an inclusion, then given a transition t ′ , the projection (t ′ ⇓ f ) is the transition itself if t ′ is in Z. Otherwise, if t ′ is not in Z but it consumes or produces tokens in places of Z, the projection of t ′ contains the corresponding extended events, expressing the interactions over open places.Similarly, the projection of an extended event + s ′ is the event itself if s ′ is in Z, and it is the empty multiset otherwise: in fact, in this case (s ′ ↓ f ) = 0.
It is easily checked that the projection operation is well-defined, in the sense that, e.g., if Proof.Proofs are routine.We prove explicitly only the third point.Since • (•) and (•) • are monoidal functions it is sufficient to prove the result only on the generators.We concentrate on • (•), since the proof for (•) • is completely analogous.We distinguish various cases: where the second equality is justified by point (1).
If, instead, Hence, in this case the result is obvious since Suppose, e.g., that A ′ = − s ′ .In this case (A ′ ⇓ f ) = − (s ′ ↓f ) and the result trivially holds.
We are now ready to present the main result of this section.
Lemma 1.11 (reflection of behaviour).Let f : Z → Z ′ be an open net embedding.For Proof.Let f : Z → Z ′ be an open net embedding and assume that u [by Lemma 1.10.(3)]and similarly Observe that there is an obvious forgetful functor F : ONet → Net, defined by Since functor F acts on arrows as the identity, with abuse of notation, given an open net morphism f : Z 0 → Z 1 we will often write f :

Composing Open Nets
We introduce next a basic mechanism for composing open nets which is characterised as a pushout construction in category ONet. A pushout is a canonical way of describing a gluing construction. The case of unmarked nets was already discussed in [4]. Here we extend the theory to deal with marked open nets. This will later allow us to define reconfigurations of open nets, where the applicability of a reconfiguration rule can depend on the marking.
Intuitively, two open nets $Z_1$ and $Z_2$ are composed by specifying a common subnet $Z_0$, and then by joining the two nets along $Z_0$.
Let us start with a technical definition which will be useful below.
Proposition 2.1 (composition of multisets).Consider a pushout diagram in the category of sets as below, where all morphisms are injective. Given . Such a multiset u 3 will be denoted by u 3 = u 1 ⊎ u 0 u 2 or simply by u 1 ⊎ u 2 when making u 0 explicit is not needed.
3 as follows: for each s ∈ S 3 , Let us start checking that u 3 is well-defined.In fact, firstly, the definition assigns a coefficient to every s ∈ S 3 because α 1 and α 2 are jointly surjective.Secondly, if there are s 1 ∈ S 1 and s 2 ∈ S 2 such that α 1 (s 1 ) = α 2 (s 2 ), since the square is a pushout and all functions are injective we have f 1 −1 (s 1 ) = {s 0 } and f 2 −1 (s 2 ) = {s 0 } for some s 0 ∈ S 0 : thus, since (u 1 ↓ f 1 ) = (u 2 ↓ f 2 ) by hypothesis, we obtain u 1 (s Now, in order to prove (for i ∈ {1, 2}) that (u 3 ↓ α i ) = u i , notice that, since α i is injective, this amounts to show that for any s ∈ S i we have u i (s) = u 3 (α i (s)), which is immediate by the definition of u 3 .
Concerning the second part of the statement, let Then just observe that by Lemma 1.10.(1),we have for i ∈ {1, 2} (( follows by the defining property of the composition of markings. Intuitively, the multiset u 1 ⊎ u 0 u 2 can be seen as the "least upper bound" of the images of the two multisets in S ⊕ 3 .As in [3,4], two embeddings f 1 : Z 0 → Z 1 and f 2 : Z 0 → Z 2 are called composable if the places which are used as interface by f 1 , i.e., the places in(f 1 ) and out(f 1 ), are mapped by f 2 to input and output open places of Z 2 , respectively, and also the symmetric condition holds.
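The composition of multisets from Proposition 2.1, as an added example that is not part of the original paper: it builds the pushout of sets for two injective interface maps, glues two markings that agree on the interface, and exposes the projection of Definition 1.1. The place names, the tags `"Z0"`, `"Z1"`, `"Z2"` used to name pushout elements, and the sample markings are constructed for illustration.

```python
from collections import Counter

def project(u, f):
    """(u ↓ f): the multiset over dom(f) with (u ↓ f)(x) = u(f(x)) (Definition 1.1)."""
    u = Counter(u)
    return Counter({x: u[y] for x, y in f.items() if u[y] > 0})

def pushout(S0, S1, S2, f1, f2):
    """Pushout S3 of injective f1: S0 -> S1, f2: S0 -> S2, with maps a1: S1 -> S3, a2: S2 -> S3."""
    if len(set(f1.values())) != len(S0) or len(set(f2.values())) != len(S0):
        raise ValueError("f1 and f2 must be injective")
    inv1 = {f1[s]: s for s in S0}
    inv2 = {f2[s]: s for s in S0}
    # Interface places are identified; all other places are kept apart by a tag.
    a1 = {s: (("Z0", inv1[s]) if s in inv1 else ("Z1", s)) for s in S1}
    a2 = {s: (("Z0", inv2[s]) if s in inv2 else ("Z2", s)) for s in S2}
    return set(a1.values()) | set(a2.values()), a1, a2

def compose(u1, u2, f1, f2, a1, a2):
    """u1 ⊎ u2: the multiset u3 over S3 whose projections along a1 and a2 are u1 and u2."""
    if project(u1, f1) != project(u2, f2):
        raise ValueError("u1 and u2 disagree on the interface")
    u3 = Counter()
    for u, a in ((u1, a1), (u2, a2)):
        for s, n in u.items():
            if n > 0:
                u3[a[s]] = n   # well defined: both sides agree on shared places
    return u3

# Constructed sample: interface {s, s'}, one private place in each component.
S0 = {"s", "s'"}
S1 = {"s", "s'", "p1"}
S2 = {"s", "s'", "p2"}
F1 = {x: x for x in S0}
F2 = {x: x for x in S0}
U1 = Counter({"s": 1, "p1": 2})
U2 = Counter({"s": 1, "p2": 1})
S3, A1, A2 = pushout(S0, S1, S2, F1, F2)
U3 = compose(U1, U2, F1, F2, A1, A2)

if __name__ == "__main__":
    print(sorted(U3.items()))
    print(project(U3, A1) == U1, project(U3, A2) == U2)
```

Two markings that put different numbers of tokens on an interface place have no composition, which `compose` reports with a `ValueError`.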

Definition 2.2 (composability of embeddings). Let f
be embeddings in ONet (see Fig. 3).We say that f 1 and Composability is necessary and sufficient to ensure that the pushout of f 1 and f 2 can be computed in Net and then lifted to ONet.

embeddings in
ONet (see Fig. 3).Compute the pushout of the corresponding diagram in category Net obtaining net N Z 3 and morphisms α 1 and α 2 , 1 and then take as open places, for x ∈ {+, −}, is the pushout in ONet of f 1 and f 2 if and only if f 1 and f 2 are composable.In this case we write Proof.We know by [4] (Proposition 6) that the above result holds for unmarked nets, i.e., in the category ONet u .Here we must additionally show that (i) the α i are marked morphisms and that (ii) if we take any other net Z ′ 3 , with α ′ i : Z i → Z ′ 3 making the diagram commute, then the mediating morphism γ : Z 3 → Z ′ 3 (which exists uniquely as an unmarked net morphism by the result in [4]) respects the condition on the marking.Now, (i) is immediate since Proposition 2.1 tells us that (û 3 ↓ α i ) = ûi for i ∈ {1, 2}.Property (ii) can be proved along the same lines.As an example, the open net embeddings f 1 and f 2 in Fig. 4 are composable.In fact, in(f 1 ) = {s ′ }, out(f 1 ) = {s} and in(f 2 ) = {s}, out(f 2 ) = {s ′ }, and thus it is easy to see that the conditions of Definition 2.2 are satisfied.The net Z 3 is the resulting pushout object.

Composing Steps
In this section we analyse the behaviour of an open net $Z_3$ arising as the composition of two nets $Z_1$ and $Z_2$ along an interface $Z_0$. More specifically, we show that steps of the component nets $Z_1$ and $Z_2$ can be "composed" to give a step of $Z_3$ when they agree on the interface and satisfy suitable compatibility conditions.
For instance, concerning the example pushout in Fig. 4, note that net $Z_1$ can fire the transition labelled a and the lower transition labelled c. If this is "mimicked" in $Z_2$ by firing a and putting a token into the lower place $s'$ (via an interaction $+_{s'}$ with the environment), then such steps are compatible in a sense made precise below and can be combined into a step of the composed net $Z_3$.
We start with a technical lemma which will be pivotal in the paper. Assume that the first component makes a step and the second component imitates this step, acting only on the places of the common interface, without firing any internal transition. Then the two local steps can be combined to a step of the composed net.
Otherwise, since f 1 is an embedding, there is exactly one place in S Z 0 which is mapped to s.With a little abuse of notation let such place be denoted , be the common projection.As a consequence, we have and thus, by Lemma 1.10.( 3) so that we can consider the composition of markings and symmetrically, since (A 1 Let us concentrate on • (•), as the other case is analogous.To prove (3.1), by Proposition 2.1 we can show that ( Thus to conclude we must show that

and this is proved by showing
Since ( ⇓ ) is monoidal in the first argument by Lemma 1.10.(1), it is sufficient to show (3.2) on generators: Assume, for instance, that A 1 = + s 1 (the other case is completely analogous).Therefore On the other hand and, again, by the fact that Z 3 is a pushout, we deduce easily that f ⊕ 2 ((s 1 ↓ f 1 )) = (α 1 (s 1 ) ↓ α 2 ), hence the desired equality.This concludes the proof of (3.2), from which (3.1) follows.Now, by exploiting (3.1) we can easily conclude.In fact, the steps in Z 1 and Z 2 are of the kind , we deduce that, as desired By a sequence of passages analogous to those used above, we can show that u The fact that such step projects to u i [A i v i for i ∈ {1, 2} immediately follows by construction.
We are now able to show how steps of the component nets can be "joined" to a step of their composition, provided that the steps satisfy a suitable compatibility condition, that we are going to introduce. Roughly, we must be able to split each of the two steps $A_1$, $A_2$ into an internal part $A^I_i$ and an external part $A^E_i$, with the intuition that the external part can include only firings of transitions in the interface and interactions with the environment induced by the internal part of the other step.
Put more precisely, from the point of view of $Z_1$ the events can be of four different kinds: (1) transitions that are local to $Z_1$; (2) transitions that occur also in $Z_0$; (3) interactions with $Z_2$ (of the form $+_s$, $-_s$); (4) interactions with the environment of both nets (also of the form $+_s$, $-_s$). Now if one splits the set $A_1$ into $A^I_1$ and $A^E_1$, it is necessary to put all events of type (1) into $A^I_1$ and all events of type (3) into $A^E_1$. For the remaining two types we have a choice, but whenever we put an event of $Z_1$ into $A^E_1$, we have to put the corresponding event in $Z_2$ into $A^I_2$ (and vice versa). For reasons of simplicity we have chosen to work with a split into only two sets instead of four, even if this split is non-unique.

and we can decompose the steps as
For instance, let us consider again the pushout in Fig. 4. Two compatible steps can be The compatibility is witnessed by the decomposition As mentioned above such decompositions are not uniquely determined: alternative ones are given by A Note that since transition t 0 also belongs to the interface, it can be considered either internal to Z 1 or internal to Z 2 , while t ′ 1 has to be considered internal to Z 1 , and the interaction + s ′ on the open place s ′ has to be considered external to Z 2 .
Another simple example of compatible steps is given by $A_1 = -_s$ and $A_2 = -_s$. In this case, we have the choice to consider the only event $-_s$ internal to $Z_1$ and external to $Z_2$ or vice versa.

be a corresponding decomposition (see Definition 3.2). Then there exists a unique step u
Vice versa, any step

whose composition gives back the original step.
Proof.Concerning the first part, by definition of compatibility, we know that A 1 and A 2 can be decomposed as • .Thus we could choose and dually Therefore, we can use Lemma 3.1 and, defining u By exploiting Proposition 2.1, we easily see that , where u 0 denotes the common projection of u 1 and u 2 over Z 0 .Similarly, is the desired step.The fact that it projects over the steps we started from in Z 1 and Z 2 follows by construction.
For the second part, consider any step includes only interactions with the environment.Then, if we define it is easy to show that the decomposition satisfies the requirements in Definition 3.2, hence the two steps are compatible, and their composition is immediately seen to give back the original step.
Note that, in the decomposition of steps $A_1$ and $A_2$ considered in the proof above, all firings of transitions in the interface $Z_0$ are included in the internal part of $A_2$, i.e., no such transition is included in $A^I_1$. The possibility of having a decomposition with these properties will be useful later, in the proof of the congruence results.

Bisimilarity of Open Nets
In this section we study various notions of bisimilarity for open nets, proving that they are congruences with respect to the colimit-based composition operation. The considered behavioural equivalences will differ for the choice of the observations, which can be single firings or parallel steps. Additionally, we will consider weak forms of such equivalences, arising in the presence of unobservable actions. Given an open net $Z$, the labeled transition systems we shall consider will have all markings of the net, $S_Z^\oplus$, as states, but they will differ concerning the transitions and their labels. For example, in the firing lts the transitions are generated by the firings of $Z$, and correspondingly they are labelled over the set As discussed in the conclusions, the firing lts resembles the labelled transition system arising from the view of Petri nets as reactive systems in [26,35]. Analogous ltss are also obtained in [43] with the use of pseudo-transitions and in [29] by inserting a net in a universal context.
Instead, in the step lts the transitions are generated by the steps of Z, and they are labeled over Λ ⊕ Z .The corresponding notion of bisimilarity will capture, to some extent, the concurrency properties of the system (see, e.g., [44,30]).
For notational convenience we extend the labelling function λ Z to the set of extended events TZ , by defining λ Z (x) = x for x ∈ TZ − T Z (i.e., for x = + s or x = − s with s ∈ S Z ).
As we have done above for the transition relations, in the sequel the subscripts "S" and "F" will be used for distinguishing notions based on the step and on the firing behaviour, respectively, of a net.
When observing the behaviour of a system, usually only a subset of events is considered visible.Here this is formalised by selecting a subset of labels representing internal firings, playing a role similar to τ -actions in process calculi, and then considering a corresponding notion of weak bisimilarity.Let Λ τ ⊆ Λ be a subset of unobservable labels, fixed for the rest of the paper.Definition 4.2 (weak transition systems).For x ∈ {S, F} we write Then the weak (step or firing) lts is defined by letting Transitions labelled with 0 will be often referred to as τ -transitions or silent transitions.Weak step and firing bisimilarity is now defined in a standard way, but note that when the set of unobservable labels is empty, this actually corresponds to strong bisimilarity.Only, in order to be able to relate the extended events of the two nets, we need to specify for each open place of one net which is the corresponding open place in the other net; therefore bisimulations between two nets are parametrised by a bijection between their open places.Given two open nets Z 1 and Z 2 a correspondence η = η + , η − between Z 1 and Z 2 is a pair of bijections η In order to simplify the notation, in the following, given an open place s 1 ∈ O + Z 1 ∪ O − Z 1 we will write simply  η(s 1 ) to denote its image through the appropriate component of η, i.e., a correspondence η = η + , η − will be identified with the function • the symmetric condition holds; where η(+ s ) = + η(s) , η(− s ) = − η(s) , and η(ℓ) = ℓ for any ℓ ∈ Λ.
Two open nets Z 1 and Z 2 are (weakly) η-x-bisimilar, denoted a correspondence and there exists a (weak) η-bisimulation R over Z 1 and Z 2 such that (û 1 , û2 ) ∈ R. We will say that Z 1 and Z 2 are (weakly) x-bisimilar, written η Z 2 for some correspondence η.Clearly, step bisimilarity is finer than firing bisimilarity, i.e., if Observe that in the definition of step bisimilarity, whenever v ℓ =⇒ S,Z v ′ and thus one can assume that the step inducing ℓ ; S,Z does not include any τ -transition (since, if this is not the case, the τ -transitions can be anticipated or postponed).
As an example, consider the open nets in Fig. 5, which can be seen as the representation of (part of) the booking process in a travel agency. The bookings of the flight (bookFlight) and of the hotel (bookHotel) are independent and could be performed in parallel. However, this is possible only for agency A (Fig. 5(a)), while in agency B (Fig. 5(b)), where a single person takes care of all bookings, the two actions will be executed sequentially. Now, it is easy to check that, assuming that only the actions bookFlight and bookHotel are visible, the two nets are firing bisimilar, but they are not step bisimilar. Hence, as already mentioned, step bisimilarity discriminates also according to the degree of parallelism that is possible in a computation.
As already mentioned, weak bisimilarity boils down to the notion of strong bisimilarity when all labels are observable, i.e., when $\Lambda_\tau = \emptyset$. For convenience of the reader we make explicit the notion of strong bisimilarity.
Definition 4.4 (strong bisimilarity). When $Z_1$ and $Z_2$ are weakly η-x-bisimilar open nets, with $\Lambda_\tau = \emptyset$ we say that $Z_1$ and $Z_2$ are strongly η-x-bisimilar and write
We can finally state the congruence property for the considered behavioural equivalences with respect to the composition operation on open nets. The result will be proved separately for the various cases in the next subsection.
, as in Fig. 6 where f 1 , f 2 and g 2 are embeddings, f 1 and f 2 are composable, and f 1 and g 2 are composable as well. If

Proofs of the Congruence Results.
In order to prove the congruence results it is convenient to proceed as follows: we first consider strong step bisimilarity which can be more easily handled than its weak variant.
Next the proof of the congruence result for the weak variant can be adapted from the strong case. Finally, as firing bisimulation can (almost) be considered as a special case of step bisimulation, the proof of the corresponding congruence result easily follows from that of step bisimilarity. It is worth stressing that the complexity of the proof is mainly due to the fact that we consider steps instead of single firings. We start with a technical lemma which will play a central role later. It states that for given composable embeddings f 1 : Z 0 → Z 1 and f 2 : Z 0 → Z 2 , any step in Z 2 where interactions with the environment only occur on places which are open also in Z 1 + Z 0 Z 2 , can be projected along f 2 to Z 0 and then simulated in Z 1 .
Lemma 4.6. Let f 1 : Z 0 → Z 1 and f 2 : Z 0 → Z 2 be composable embeddings in ONet, let By definition of A 1 we deduce that there is + s 0 ∈ (A 2 ⇓ f 2 ) with f 1 (s 0 ) = s 1 . Now, by the assumptions on A 2 , there are two possibilities: By the definition of projection for steps, this implies that and thus s 0 ∈ in(f 2 ). Since f 1 and f 2 are composable, we have that Since the diagram in Fig. 3 commutes, we have that α 1 (s

and thus
• [by Lemma 1.10.(4)] Hence, the step u 1 [A 1 v 1 can be performed. Clearly, the two steps in Z 1 and Z 2 are compatible, and thus we conclude with Lemma 3.3.
, as in Fig. 6, where f 1 , f 2 and g 2 are embeddings, with f 1 , f 2 and f 1 , g 2 composable and To simplify the notation, assume, without loss of generality, that all the morphisms in the diagrams of Fig. 6 are inclusions and η = id. Hence Now let R be a η-S-bisimulation over Z 2 and W 2 such that (û 2 , v2 ) ∈ R, which exists by hypothesis. Consider the relation R ′ over Z 3 and W 3 defined as The condition above on u 1 and v 1 means that the markings can differ, but only for the number of tokens in places of the interface net Z 0 (notice that the marking of Z 0 is completely determined by the marking of components Z 2 and W 2 ).
In order to prove that R ′ is a η ′ -S-bisimulation, assume that u ) and by Lemma 3.3 we can project the step A 3 over the components Z 1 and Z 2 thus getting for i ∈ {1, 2} the following steps in Z i : Since by the same lemma such steps are compatible, according to Definition 3.2, we can find partitions 3) Additionally, as shown in the proof of Lemma 3.3, we can assume, w.l.o.g., that A E 2 consists only of interactions with the environment, i.e., or, equivalently, that A I 1 does not contain firings of transitions of Z 0 . Now, since (u 2 , v 2 ) ∈ R, the step (4.1) of Z 2 can be simulated by W 2 , i.e., there is We can now split B 2 in an "internal" and an "external" part, according to the splitting of A 1 , i.e., we define 2 consists only of interactions with the environment, which are necessarily also in B 2 since λ ⊕ (B 2 ) = λ ⊕ (A 2 ) (and recall that places in the interface have the same name in Z 2 and W 2 ). Now, define and thus we have (4.9) Now, the idea is to construct a step in W 3 by using separately the internal part of the step in W 2 and the internal part of the step in Z 1 (which plays the role of a context).
In order to apply Lemma 4.6 to the step in (4.8), we note that if + s ∈ B I 2 then s ∈ O + W 3 (and the same holds for − s ). In fact, if + s ∈ B I 2 , then by construction of B I 2 and since λ [by def. of v E 2 in (4.7)] and moreover [since g 2 and f 2 "agree" on O Z 0 ] Therefore, by Lemma 4.6, we have that Now, by Proposition 2.1, we can join the steps (4.11) and (4.17) and obtain i.e., the desired step which can be used to simulate u 3 ℓ −→ S,Z 3 u ′ 3 . In fact the label is ′ , we have that the target state of the step is ∈ R by construction. Moreover, the fact that u ′ 1 ⊖u ′ 0 = v ′ 1 ⊖v ′ 0 immediately follows from the fact that this property holds of the starting markings and we executed the same internal step in Z 1 .
Proof. In order to show the desired result, we build on the proof of the strong case (Theorem 4.7). Let us use the same notation and define the relation R ′ in the same way. In order to prove that R ′ is an S-weak bisimulation we proceed as follows. Let u 3 ℓ 3 ; S,Z 3 u ′ 3 and let us focus on the case ℓ 3 = 0 (the case in which ℓ 3 = 0 is completely analogous). This transition is induced by a step u 3 [A 3 u ′ 3 , which can be projected over Z 1 and Z 2 , thus getting, for i ∈ {1, 2} Let the weak transition in W 2 arise from the sequence of steps 2 ) = ℓ (and as remarked after Definition 4.3 we can assume that no transition in B h 2 has an unobservable label). Now, any τ-step (i < h) consists only of firings of transitions of W 2 . Hence, as in the strong case, by using Lemma 4.6 we can conclude that there is a "corresponding" 1 , consisting only of interactions with the environment, and their composition is a τ-step in W 3 of the kind , we can apply the same argument as in the strong case, to get steps Repeating the same argument for the remaining τ-steps, (i > h), i.e., using again Lemma 4.6, we can prove that there are steps 1 , consisting only of interactions with the environment, correspondingly τ-steps in W 3 of the kind
Proof. The proof remains essentially the same as for step bisimulation (Theorem 4.7 and Theorem 4.8). Only some minor adaptations are required.
Let us focus on weak bisimulation, which is the more general case.We use the same notation as in Theorem 4.8 and define R ′ in the same way.In order to prove that R ′ is an S-weak bisimulation we proceed as follows.
Let (u 3 , v 3 ) ∈ R ′ and let u 3 ℓ ; F,Z 3 u ′ 3 . Then there must be a step such that ε 3 ∈ TZ 3 and λ Z 3 (ε 3 ) = ℓ. We can project the step over Z 2 , thus getting The delicate case is the one in which In fact, in this case, A 2 is in general a proper multiset (of interactions with the environment) and thus we cannot argue, as in the case of step bisimulation, that the transition u 2 −→ F,Z 2 u ′ 2 must be simulated by W 2 , since only single firings are simulated.
In order to proceed, we have first to linearise the step in (4.18) as Interestingly, the joint effect of the projection and of the linearization corresponds to the function ψ used in [43, page 96] to project a firing in the combined net to a firing sequence in the host net. Now we can say that this is simulated in W 2 by which in turn (since − s i and + s j firings can be clearly postponed and anticipated, respectively) can be reorganised as and thus finally to Then we can proceed exactly as in the proof for step bisimilarity.
We now give some hints as to why weak (firing) bisimilarity is a congruence in the case of open nets, but not in CCS [25]. Remember that a classical counterexample for CCS is as follows: p 1 = τ.a.0 ≈ a.0 = p 2 , but q 1 = τ.a.0 + b.0 ≉ a.0 + b.0 = q 2 . The reason for the latter inequality is that q 1 can do a τ and become a.0, while q 2 cannot mimic this step. Fig. 7 shows a similar situation of nondeterministic choice for open nets, where τ is the only unobservable label. However, note that here the two nets Z 1 (corresponding to τ.a.0) and Z ′ 1 (corresponding to a.0) are not weakly firing bisimilar. Whenever the τ-transition is fired in Z 1 , resulting in the marking m 1 , this cannot be mimicked in Z ′ 1 by staying idle, since then in Z ′ 1 a transition with label − s ′ 1 is possible, while a transition labelled − s 1 is not possible for the net Z 1 with marking m 1 . Also note that the places s 1 and s ′ 1 , respectively, must be output open in order to allow composition with the net Z 2 .
Roughly, this means that for open nets we are always able to observe the first invisible action in an open component, which is reminiscent of the definition of observation congruence in CCS: two processes p, q are called observation congruent if they are weakly bisimilar, with the additional constraint that whenever the first step of p is a τ-action, then it has to be answered by at least one τ-action of q (and vice versa). In both settings it is only the first τ-action that can be observed but not the subsequent ones.

Some Proof Techniques for Bisimilarity
We next present some properties of (strong and weak) bisimilarity, which can help in bisimilarity proofs. We first show that the set of open places can be uniformly reduced without altering the equivalence of open nets. Then we provide an up-to technique for firing bisimilarity. We where place s has been closed, we are sure that x s ∈ ℓ, and thus u 2 Hence we get the desired result.
We next provide a kind of up-to technique for firing bisimilarity. Given an open net Z, let us define the out-degree of a place s ∈ S as the maximum number of tokens that the firing of an extended event can remove from s, formally: The idea, formalised by the notion of up-to bisimulation, is to allow tokens to be removed from input open places, when they exceed the out-degree of the place. More precisely, given a net Z and a marking u ∈ S ⊕ , let us say that a marking Note that when the number of tokens in a place s does not exceed its out-degree, i.e., u(s) ≤ deg(s), then v(s) = 0, i.e., no token is subtractable from s. If instead, u(s) > deg(s), then the tokens in s which exceed the out-degree of s can be safely subtracted from s. It is clear that when v is subtractable from u, all transitions enabled in u are also enabled in u ⊖ v. Note that the empty marking is subtractable from any other marking.
That is, the intuition behind up-to bisimulations is that some tokens might be superfluous since they are not necessary to fire a transition.Hence in the bisimulation game they can be removed in the two successor markings.
A first technical lemma shows an invariance property of up-to F-bisimulations, with respect to adding tokens in open places.
a correspondence between Z 1 and Z 2 , and let R be an up-to η-F-bisimulation between Z 1 and Z 2 . Then (1) Proof. 1. In order to simplify the notation, let us assume, without loss of generality, that η is the identity (i.e., O + The other cases are completely analogous.
Observe that, since s ∈ O + Z 1 , we have for a suitable v ′ ∈ O + Z 1 subtractable from u ′ 1 ⊕ s. Also notice that, since a + s can always be performed, we can assume that the firing sequence (5.1) is of the kind Putting the above together with (5.2), we have that 1 , and thus we conclude. 2. By an inductive reasoning, exploiting point 1, we can show that the relation up-to for any n. Then we exploit the fact that the union of weak bisimulations up-to is again a weak-bisimulation up-to.
We can finally prove the soundness of the up-to technique.
Proposition 5.4. Let Z 1 and Z 2 be open nets, and let η : O Z 1 ↔ O Z 2 be a correspondence between Z 1 and Z 2 . Let R be an up-to η-F-bisimulation. Then for any (u 1 , u 2 ) ∈ R we have that (Z 1 , u 1 ) ≈ F η (Z 2 , u 2 ).
Proof. In order to simplify the notation, let us assume, without loss of generality, that η is the identity (i.e., O +

and assume that
. By Lemma 5.3 we know that R ′ is an up-to bisimulation, and thus there exists a transition As it often happens with up-to techniques, the above result might allow one to show that two nets are firing bisimilar by exhibiting finite relations (while bisimulations are typically infinite). E.g., consider the open nets on the right, where label a is observable. Then any firing bisimulation would include at least the pairs {(k • s, k • s) : k ∈ N}, where s is the only place. Instead, according to the definition above {(0, 0), (s, s)} is an up-to bisimulation.
Note that, instead, the up-to technique does not extend to step bisimilarity: since an unbounded number of tokens can be needed to fire a parallel step there is no obvious generalisation of the notion of subtractable marking.

Reconfigurations of Open Nets
The results in the previous sections are used here to design a framework where a system specified as a (possibly open) Petri net can be reconfigured dynamically by transformation rules, triggered by the state/shape of the system. The congruence results allow one to characterise classes of reconfigurations which preserve the observational behaviour of the system.

Behaviour Preserving Reconfigurations of Open Nets.
The fact that the composition operation over open nets is defined in terms of a pushout construction suggests naturally a way of reconfiguring open nets by using the double-pushout approach to rewriting [14].
A rewriting rule over open nets consists of a pair of morphisms in ONet: where L p , K p , R p are open nets, called left-hand side, interface and right-hand side of the rule p, and l p , r p are open net embeddings. Intuitively, the rule specifies that, given a net Z, if the left-hand side L p matches a subnet of Z then this can be reconfigured into Z ′ by replacing the occurrence of L p with the right-hand side R p , preserving the subnet K p . The notion of transformation is formally defined below., an open net embedding. We say that Z rewrites to Z ′ using p at match m, denoted Z ⇒ p,m Z ′ or simply Z ⇒ p Z ′ , if the diagram of Fig. 8(a) can be constructed in ONet, where both squares are pushouts, and morphism n is composable with both l p and r p .
We stress that we are interested in transformations where the two pushout squares are built from composable arrows (technically, this ensures that the transformation can be performed in Net and then "lifted" to ONet).
We can now characterise the rules which do not alter the observational behaviour of an open Petri net as the rules with bisimilar left and right-hand side. Then the next result is an easy consequence of Theorem 4.5.

Theorem 6.3 (behaviour-preserving reconfigurations). Let p be a x-behaviour preserving rule (x ∈ {F, S}). Given an open net
Proof. Just observe that, in the DPO diagram of Figure 8(a), since the arrows l p , n and r p , n are composable, we can apply Theorem 4.5 to conclude that Z ≈ x Z ′ .
For instance, consider the double-pushout diagram in Fig. 8(b). It can be easily seen that the left- and right-hand sides of the applied rule are strongly (step) bisimilar. Hence we can conclude that Z and Z ′ are strongly (step) bisimilar as well.

Applying Rules to Open Nets.
As it is common in the categorical approaches to (graph) rewriting, the notion of open net transformation proposed in Definition 6.1 is rather "declarative" in style, because it requires the existence of two pushouts in category ONet, without stating how they can be constructed, and under which conditions. A more explicit description of the conditions under which a rule can be applied to an open net and of the way the resulting net can be constructed, is clearly necessary for practical purposes. Looking at Fig. 8(a), given a rule p and a match m : L p → Z, in order to build the open net transformation:
• The pushout complement of l p and m must exist. The resulting arrows n and d must be such that l p and n are composable. A necessary condition for the existence of the pushout complement is a sort of dangling condition: a place can be deleted only if all the transitions connected to this place are removed as well, otherwise the flow arcs of these transitions would remain dangling. This ensures that the pushout complement exists and is unique in the underlying category Net, but, as discussed below, it is not sufficient, in general, to conclude the existence of the pushout complement in ONet. Additionally, there can be several pushout complements and in this case a canonical choice should be considered.
• The resulting arrow n must be composable with r p : then we know how to build Z ′ by Proposition 2.3.
Although a general theory of DPO rewriting has been developed recently in the framework of adhesive categories [19], we cannot exploit it here since the category of open nets falls outside the scope of the theory.
Next we analyse the conditions which ensure the applicability of open net rules. We will first consider the case of general, possibly non-behaviour preserving rules. Then we will instantiate the developed theory to the setting of behaviour preserving rules, which turns out to be simpler and more intuitive. The reader who is not interested in the general case can safely skip it.

6.2.1. Applying General Rules.
In this section we develop general results concerning the applicability of a rewriting rule to an open net. Given an open net Z, a rule p and a match m : L p → Z, we first focus on the existence of the pushout complement in ONet. As mentioned above, a first necessary condition is a sort of dangling condition, which, however, in general, is not sufficient. Consider, for instance, the diagram in Fig. 9 Moreover, in the case of general rules, the pushout complement in ONet might not be unique. In fact, whenever, as in Fig. 9(c Output open places are defined analogously. The initial marking ûD is defined by ûD (s) = ûZ (d(s)) for any place s ∈ S D .
Proof. The proof is long, but straightforward. We have already motivated the dangling condition above. In order to understand condition 2, observe that, roughly, a place s of L p is in l p (in(l p )) if applying the rule p the place is preserved but at least one transition in , as desired. Concerning the initial marking, note that for any s ∈ S K we have ûK (s) = ûZ (m(l p (s)) = ûD (d(n(s)) = ûD (s), where the last equality holds by construction. We know that Z is the pushout of n and l p in Net. We have to prove that it is also a pushout in ONet. It is worth observing that in the case of rules p such that morphism l p preserves open places, i.e., l p (O x Kp ) ⊆ O x Lp for x ∈ {+, −}, the above result ensures the existence of a unique pushout complement.

Concerning the set of open places we have to show that
Given a match m : L p → Z as in the proposition above, the transformation can be completed if n : K p → D and r p : K p → R p are composable. For this we need to suitably restrict matches. plus the dual conditions on output places.
Intuitively, a match is proper if whenever s ∈ l p (in(r p )), i.e., the rule p creates a new (ingoing) transition connected to place s, then m(s) is (input) open (condition 4). Additionally, input (output) places for the match which are preserved by the rule must be input (output) open in R p . An example in which condition 4 is violated can be found in Fig. 10(a). For place s in K p we have s ∈ in(r p ), since transition t is added in R p , but s ∈ in(l p ). Note that the mapping from D to Z ′ is not a valid open net morphism, since place s in D is not open. In Fig. 10(b) it is instead condition 5 that is violated. Place s of L p is in in(m), it is preserved by the rule, but the corresponding place in R p is not open. Again we cannot complete the DPO step since the mapping from R p to Z ′ is not a valid open net morphism (place s should be input open in R p ).
We finally arrive at the desired result.

6.2.2. Applying Behaviour Preserving Rules.
Sufficient hypotheses which ensure the applicability of behaviour preserving rules are made explicit in the following statement. This is a corollary of the general theory of transformations for open nets developed before.
Corollary 6.7 (applying behaviour preserving rules). Let p be a x-behaviour preserving rule, let Z be an open net and let m : L p → Z be a match such that: a. for all s ∈ L p − l p (K p ) we have Z ; and the dual of the last two conditions, obtained by replacing in() by out() and + by −, hold. Then, there exists a transformation Z ⇒ p,m Z ′ .
Proof. This is an easy consequence of Lemma 6.6. We need to show that conditions (a)-(c) ensure that the match m is proper, i.e., it satisfies conditions 1-5 of Lemma 6.4 and Definition 6.5.
Condition 1 is the same as condition (a), condition 2 is just a compact notation for condition (b) and condition 4 is exactly condition (c). Concerning condition 3, observe that, since p is a behaviour preserving rule then (r p • l −1 p ) |O Lp is a correspondence between the left- and right-hand side. This means that for any place s in O x Lp there must be a place The last equality is justified by the fact that p is behaviour preserving, and thus, as observed above, (r p • l −1 p ) |O Lp is a correspondence between L p and R p . The intuition underlying the conditions above is the following. Condition (a) is a typical dangling condition, which we have already commented. Condition (b) says that if s ∈ in(l p ), i.e., if some (ingoing) transitions are deleted from s then the image of s in Z must be (input) open if so is its image in L p . Finally, by condition (c), if s ∈ in(r p ) − in(l p ), i.e., the rule p creates a new (ingoing) transition connected to place s, without replacing any old one, then the image of s in Z must be (input) open.
As an example, consider again the DPO diagram in Fig. 8(b). It is not difficult to see that the rule and the match satisfy the conditions of Corollary 6.7. Hence we can complete the double-pushout construction transforming Z into Z ′ , as depicted in the same figure.

Modeling Dynamic Reconfigurations of Services.
Open nets allow us to specify a system as built out of smaller components. Then, its behaviour is captured by the firing or step behaviour of the open net. However, for highly dynamic systems, as mentioned in the introduction, it can be useful to have the possibility of specifying that, under suitable conditions, some structural changes or reconfigurations of the system can take place. For instance the invocation of a service could trigger a rule which provides an implementation of the required service.
The theory of open net reconfigurations can do the job. As an example, consider net Z 0 in Fig. 12 which models the view of a traveller on the journey planning and ticket purchase services offered through a travel agency portal. We distinguish abstract transitions representing services that should be provided elsewhere and concrete transitions representing local services and control flow actions. The invocation of an external service can be seen at different levels of abstraction. From the point of view of the client process it is just the firing of an abstract transition. At a lower level of abstraction, it is captured by a rule such as the one at the top of Fig. 11. An application of this rule, replacing the abstract transition by a new open net, models the discovery and binding of the concrete services required. The left- and right-hand sides of the rule are weakly firing (actually, also step) bisimilar if we observe only the interactions at the open (interface) places, i.e., if we take Λ τ = Λ. This can be seen as a proof of the fact that the bound service meets the requirements: both in the abstract transition and in its concrete counterpart any inquiry will produce a corresponding itinerary.
The rule at the bottom of Fig. 11 represents a case where a simple pattern is replaced by a richer one. On the left we say that, given an itinerary, we can either purchase the required tickets or cancel the processes. On the right the transaction is refined, adding a prior reservation phase, while keeping the option to cancel. As above, the rule has weakly firing (and step) bisimilar left- and right-hand sides, ensuring that the visible effect of the abstract and concrete transitions at the interfaces is the same.
A possible sequence of transformations is shown in Fig. 12. By Theorem 6.3, we are sure that the transformations do not change the observable behaviour of the system, i.e., the start and end nets are weakly bisimilar, a fact that can be interpreted as a proof of conformance of the provided service with respect to the abstract specification.
We have shown only a small example application; however, we believe that this technique can be applied to larger case studies, such as the banking scenario studied in [12]. In order to do this automatically, it would be necessary to implement mechanized bisimulation checking procedures. For finite state spaces, this is quite straightforward; for infinite state spaces we could resort to the techniques presented in [15]. In any case the up-to technique presented in Section 5 will be very useful for practical case studies.
Another relevant question is the following: which kind of bisimilarity should be used? While strong firing bisimilarity is conceptually the simplest behavioural equivalence, practical examples usually require weak bisimulations in order to abstract from internal or silent moves. Finally, step bisimulation is able to distinguish processes that differ with respect to the degree of concurrency. This can be relevant if the observer is able to distinguish different degrees of parallelism or if we take into account efficiency questions.
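For finite state spaces the mechanized check mentioned above is a greatest-fixpoint computation. The following Python sketch is an added example, not code from the paper: it builds the firing and step transition systems of two constructed closed nets modelled on the travel-agency example of Section 4, saturates them with silent moves and decides weak bisimilarity. The place and transition names, the τ-labelled release transition and the absence of open places (which keeps the state space finite) are assumptions made here, since Fig. 5 is not reproduced.

```python
from collections import Counter

TAU = None  # label of unobservable transitions (the labels in Λτ)

def T(pre, post, label):
    """A transition: pre-set, post-set (multisets of places) and its label."""
    return (Counter(pre), Counter(post), label)

def freeze(marking):
    """Hashable marking: sorted (place, tokens) pairs, empty places dropped."""
    return tuple(sorted((p, n) for p, n in dict(marking).items() if n > 0))

def enabled_steps(net, marking):
    """All non-empty multisets of transitions whose summed pre-sets fit in marking.
    Assumes every transition has a non-empty pre-set, so the search terminates."""
    names = sorted(net)
    def rec(i, left):
        if i == len(names):
            yield Counter()
            return
        pre, k = net[names[i]][0], 0
        while True:
            for rest in rec(i + 1, left):
                yield rest + Counter({names[i]: k})
            if any(left[p] < n for p, n in pre.items()):
                return                      # one more copy is not enabled
            left, k = left - pre, k + 1
    return [s for s in rec(0, Counter(dict(marking))) if s]

def lts(net, m0, mode):
    """Reachable transition system. mode 'F': single firings; 'S': parallel steps.
    A label is the sorted tuple of observable labels; () is a silent move."""
    trans, todo = {}, [freeze(m0)]
    while todo:
        m = todo.pop()
        if m in trans:
            continue
        trans[m] = set()
        for step in enabled_steps(net, m):
            if mode == "F" and sum(step.values()) != 1:
                continue
            new, labels = Counter(dict(m)), []
            for t, k in step.items():
                pre, post, label = net[t]
                for _ in range(k):
                    new = new - pre + post
                    if label is not TAU:
                        labels.append(label)
            succ = freeze(new)
            trans[m].add((tuple(sorted(labels)), succ))
            todo.append(succ)
    return trans

def weak(trans):
    """Saturation: s =l=> s' iff s tau* l tau* s', and s =()=> s' iff s tau* s'."""
    def closure(s):
        seen, todo = {s}, [s]
        while todo:
            for lab, y in trans[todo.pop()]:
                if lab == () and y not in seen:
                    seen.add(y)
                    todo.append(y)
        return seen
    tc = {s: closure(s) for s in trans}
    out = {s: {((), x) for x in tc[s]} for s in trans}
    for s in trans:
        for x in tc[s]:
            for lab, y in trans[x]:
                if lab != ():
                    out[s] |= {(lab, z) for z in tc[y]}
    return out

def bisimilar(a, a0, b, b0):
    """Greatest fixpoint: start from all pairs, drop pairs that break the game."""
    rel = {(p, q) for p in a for q in b}
    def ok(p, q):
        fwd = all(any(l == k and (p2, q2) in rel for k, q2 in b[q]) for l, p2 in a[p])
        bwd = all(any(l == k and (p2, q2) in rel for k, p2 in a[p]) for l, q2 in b[q])
        return fwd and bwd
    while True:
        bad = {pq for pq in rel if not ok(*pq)}
        if not bad:
            return (a0, b0) in rel
        rel -= bad

def weakly_bisimilar(net1, m1, net2, m2, mode):
    a, b = weak(lts(net1, m1, mode)), weak(lts(net2, m2, mode))
    return bisimilar(a, freeze(m1), b, freeze(m2))

# Constructed nets (hypothetical names). Agency A books independently.
AGENCY_A = {"flight": T({"fReq": 1}, {"fDone": 1}, "bookFlight"),
            "hotel": T({"hReq": 1}, {"hDone": 1}, "bookHotel")}
M_A = {"fReq": 1, "hReq": 1}
# Agency B: one clerk does every booking and is released by a silent move.
AGENCY_B = {"flight": T({"fReq": 1, "clerk": 1}, {"fDone": 1, "busy": 1}, "bookFlight"),
            "hotel": T({"hReq": 1, "clerk": 1}, {"hDone": 1, "busy": 1}, "bookHotel"),
            "release": T({"busy": 1}, {"clerk": 1}, TAU)}
M_B = {"fReq": 1, "hReq": 1, "clerk": 1}

if __name__ == "__main__":
    for mode in ("F", "S"):
        print(mode, weakly_bisimilar(AGENCY_A, M_A, AGENCY_B, M_B, mode))
```

The only difference between the two runs is the observation: with steps, agency A offers the label (bookFlight, bookHotel) in one move, which agency B can never match.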

Conclusions and Related Work
Open nets, introduced in [3,4], are a reactive extension of standard Petri nets which allows one to model systems interacting with an unspecified environment.
As mentioned in the introduction there is a vast related literature. A close conceptual relationship exists with the early studies on modular construction and refinement techniques (see, e.g., [37,36,28,41]) and on composition operators and compositional semantics for Petri nets (see, e.g., [1,9,6,46]). The last class comprises also the algebraic approaches to Petri nets which view the class of Petri nets as a category and, characterising the semantics of interest as a universal construction, automatically deduce the compositionality for suitably defined operators [47,48,24].
More recent approaches, which focus more explicitly on the definition of notion of module and interface and where the reactive aspects are taken into account in the semantics can be classified roughly into two classes. Some approaches aim at defining a "calculus of nets", where a set of process algebra-like operators allow one to build complex nets starting from a set of predefined basic components. In this family, the papers [29,33] propose an algebra of (labelled) Petri nets with interfaces, consisting of public (input) places and (output) transitions, with operators which allow e.g., to add new transitions and places, to connect existing public transitions and places by new arcs, to hide items in the net. We also recall the Petri Box calculus [10,18,17], where a special class of safe nets, called plain boxes, provides the basic components, which are then combined by means of (refinement-based) composition operators. Another family of approaches can be classified as "component-oriented": the emphasis, rather than on the algebraic aspects, is put on the mechanisms which allow one to build larger systems by combining nets with clearly identified interfaces. For instance the book [43] proposes a technique for inserting a net, called daughter net, into a so-called host net. The composition is realised by joining the two nets along a predefined set of places, playing the role of open places. The distinction between input and output open places, absent in [43], instead is later considered in [45]. A compositionality result is proved for language equivalence and a notion of bisimilarity, very close to ours, is defined. Interestingly, the same book also focuses on an alternative approach to net composition, based on an operation of synchronised parallel product in the style of [48]. Such operation, roughly speaking, joins two nets by forcing the synchronisation of transitions with the same label. Other members of the "component-oriented" family are, for example, the Petri net components [16] and the nets with pins [5]. We also recall workflow nets [38] which have been proposed as a formal model for the description of workflows, i.e., business processes specified in terms of tasks and shared resources. Workflow nets are special Petri nets satisfying suitable conditions, like the existence of one initial and one final place: tokens in such places characterise the start and the end, respectively, of the represented process. The model has been extended for the specification of interorganisational workflows [39], represented as a set of workflow nets connected through additional places for asynchronous communication and synchronisation requirements on transitions. Additional references, as well as a detailed comparison between the approaches to Petri net composition and reactivity just cited and the open net model can be found in [4].
In this paper, firstly we have generalised the theory of open nets, including the characterisation of net composition using pushouts, to the case of marked nets. Next we have introduced several natural notions of bisimilarity over open nets, showing that weak bisimilarities, arising in the presence of unobservable actions, and, as a particular case, also strong bisimilarities are congruences with respect to the colimit-based composition operation over open nets. The considered notions of bisimilarity differ for the choice of the observations. These can be single firings, thus leading to what we called firing bisimilarity, a standard notion of interleaving equivalence, capable of capturing the branching structure of computations. Alternatively, we can observe parallel steps, thus obtaining step bisimilarity, which allows one to capture, to some extent, the degree of parallelism that is possible in a component. This can be useful, e.g., when a component is replaced by another one since we might be interested in taking a replacement that exhibits at least the same concurrent behaviour and is hence equally efficient.
In recent years, reactive extensions of Petri nets have been obtained by exploiting a general theory of reactive systems developed for automatically deriving bisimulation congruences. Specifically, an encoding of Petri nets as bigraphical reactive systems has been proposed in [27], while [35] proposes an encoding of nets as reactive systems in the cospan category over an adhesive category. Our results about strong firing bisimilarity can be seen as a generalisation of those in [27,35], which essentially are developed for a special kind of open nets, where there is no distinction between input and output open places. Furthermore the composition operation used in the cited papers does not allow synchronisation of transitions (technically, the interface net does not contain transitions).
Concerning weak step bisimilarity, some connections seem to exist with the work on action refinement, which goes back to [37]. For example, in [44] (weak) step bisimilarity is shown to be a congruence with respect to a refinement operation which allows one to replace a single event with a deterministic finite event structure. Although the setting is different and a direct comparison is not possible, we observe that, compared to refinement-based approaches, where single transitions are refined by a subnet, the theory presented here works for general reconfigurations, in which both the left- and right-hand sides can be general, arbitrarily large nets.
Weak (step) bisimilarity for Petri nets is studied also in [29]. They observe that such an equivalence is not a congruence in general, but for Petri nets satisfying a suitable condition on the labelling of the public transitions (well-labelled nets), a context closure allows one to get a congruence which is then characterised by means of a universal context. The setting is different from ours since the issue of net composition is tackled at a finer level of granularity: the basic components of a net are assumed to be transitions with empty pre- and post-set and single places, which are then combined by means of constructors that allow one to connect places and transitions. Still it would be interesting to understand if a formal relation can be established, e.g., trying to internalise the pushout-based composition operation in the algebra of connectors of [29].
Similarities exist also with the problem studied in [11], where a reactive Petri net model which admits a compositional behavioural equivalence is exploited, in the framework of web-services, to provide a theoretical basis to service composition and discovery. This technique is then used in a case study for checking the correctness of service specifications and the replaceability of services in a banking scenario [12]. Disregarding the technical differences, such as the fact that the mentioned paper deals with C/E nets and the use of read arcs, the kind of nets of interest for this approach are essentially a subclass of open Petri nets, satisfying some structural requirements (all labels are invisible and the interface consists of a single input and a single output place, plus some read places). Generally speaking, compositional Petri net models appear to be promising as a formalism for the specification of control and composition in service oriented architectures as suggested, e.g., in [8,22,40,23]. Investigating possible applications of (reconfigurable) open Petri nets, along the lines of the presented example, in the setting of web-service specification and analysis represents a stimulating direction of future research.
In the second part of the paper we have proposed a rewriting-based framework for Petri nets with reconfigurations. We have shown how our congruence results can be used to identify classes of reconfigurations which do not alter the observational behaviour of the system. This is applied to a small case study of a workflow-like model of a travel agency, where we showed how abstract services can be replaced by more concrete implementations and how we can ensure that the behaviour of the full net is preserved under such operations.
Action refinement of Petri nets (see, e.g., [37,36,28,41]), that we already mentioned above, can be seen as a special form of reconfiguration.The idea of using rewriting techniques for providing a reconfiguration mechanism for Petri nets has been already explored in the literature (see, e.g., reconfigurable nets of [2,21] and high-level replacement systems applied to Petri nets in [31]).In this approaches, however, the emphasis is more on rewriting as a computational mechanism, rather than on the study of the way the behaviour of the system is affected by the reconfigurations.In future work, besides deepening the relationships between these approaches and ours, we will continue studying the notion of reconfigurable open nets and describe in more detail how reconfigurations can be triggered by the net itself, for example by reaching certain markings or by firing certain transitions, following an intuition similar to that of dynamic nets [13].
Finally, it would be worth studying whether a formal duality can be established between our morphisms and standard simulation morphisms for Petri nets.Viewing our morphisms as inverses of (partial) simulation morphisms would allow to get a precise correspondence between our pushout-based composition and pullback-based synchronisation of Petri nets.Surely by simply taking Winskel's morphisms [47] this does not work (technically because when they are undefined on a transition they must be undefined on the corresponding preand post-set).Also more general morphisms for Petri nets, like those proposed in [42,7], would not provide an immediate solution.Still, it looks feasible to identify generalisations of such morphisms to the context of open Petri nets allowing to develop a dual theory based on simulations.

Figure 1: Two open nets and an open net morphism.

Definition 1.4 (open net). An open net is a pair $Z = (N_Z, O_Z)$, consisting of a P/T Petri net $N_Z = (S_Z, T_Z, \sigma_Z, \tau_Z, \lambda_Z)$ and a pair $O_Z = (O_Z^+, O_Z^-) \in 2^{S_Z} \times 2^{S_Z}$, the sets of input open, respectively, output open places of the net. A marked open net is a pair $(Z, \hat{u})$ where $Z$ is an open net and $\hat{u} \in S^\oplus$ and symmetrically, ${}^\bullet{-_s} = s$ and ${-_s}^\bullet = 0$, the notion of pre- and post-set extends to multisets of extended events. Given a marking $u \in (O_Z^+)^\oplus$, we denote by $+_u$ the multiset $\bigoplus_{s \in O_Z^+} u(s) \cdot +_s$. Similarly, reflection of initial marking). The morphism $f$ is called an open net embedding if both $f_T$ and $f_S$ are injective. We will denote by ONet the category of open nets and open net morphisms. Conceptually, condition 1 formalizes the intuition that each open net can interact with the environment only through open places. In fact, given an embedding

Figure 2: (a) Open net morphisms are not simulations and (b) an example of non-injective open net morphism.

Figure 4: An example of a pushout in ONet.

4.1. A High Level View on the Congruence Results. A first step consists of defining suitable labelled transition systems (ltss) associated with an open net. Generally speaking, net transitions carry a label which is observed when they fire. Additionally, in the labelled transition systems we also observe what happens at the open places. This corresponds to observing the potential interactions with the surrounding environment, as open places act as gluing points in the composition operation, and it is pivotal for the mentioned congruence results.

Definition 4.1 (step and firing lts for an open net). The step lts associated to an open net $Z$ is the pair $\langle S_Z^\oplus, \to_{S,Z} \rangle$, where states are markings $u_Z \in S_Z^\oplus$ and the transition relation

Figure 5: Two open nets which are firing bisimilar but not step bisimilar. (a) Travel agency A. (b) Travel agency B.

Definition 4.3 ((weak) step and firing bisimilarity). Let $Z_1, Z_2$ be open nets and $\eta : O_{Z_1} \leftrightarrow O_{Z_2}$ be a correspondence between $Z_1$ and $Z_2$. A (weak) $\eta$-$x$-bisimulation (with $x \in \{S, F\}$, S for step and F for firing) between $Z_1$ and $Z_2$ is a relation over markings $R$

Figure 7: Two pushouts of open nets for the comparison to CCS.

start by showing that given two bisimilar nets, if we "close" corresponding open places in both nets we still get two bisimilar nets. Given an open net $Z$ and an open place $s \in O_Z^x$, let us denote by $Z - (s, x)$ the open net obtained from $Z$ by closing place $s$, i.e., $Z' = (N, O_{Z'})$, where $O_{Z'}^x = O_Z^x - \{s\}$. The initial marking remains the same.

Proposition 5.1 ("closing" open places). Let $Z_1 \approx_\eta^x Z_2$, with $x \in \{F, S\}$. Let $s \in O_{Z_1}^x$ ($x \in \{-, +\}$) be an open place in $Z_1$. Then the nets $Z_1 - (s, x)$ and $Z_2 - (\eta(s), x)$ are $\eta$-$x$-bisimilar.

Definition 6.1 (open net transformation). Let $p$ be a rewriting rule over open nets, let $Z$ be an open net and let $m : L_p \to Z$ be a match, i.e.

Figure 9: (a),(b) A pushout complement in Net which cannot be lifted to ONet and (c) a situation in which the pushout complement is not unique in ONet.
(a). It is easy to realise that the only place in $D$ must be input open since an additional transition is attached to such place in $Z$. However, the resulting diagram is not a pushout in ONet: since the places in $L_p$ and in $D$ are input open also their image in $Z$ should be input open. Similarly, the diagram in Fig. 9(b) is not a pushout in ONet, although the underlying diagram is a pushout in Net, since place $s$ of $Z$ should be input open.
), there is an open place in $K_p$ whose image is not open in $L_p$ (and thus neither in $Z$), then the corresponding place in $D$ can be either open or not. For instance, the diagram in Fig. 9(c) admits two possible pushout complements consisting of an open net $D$ with a single place $s$ which may or may not be input open. Under additional requirements it is possible to prove the existence of a minimal pushout complement $D$, i.e., a pushout complement which embeds into any other and which is taken as a canonical choice. Roughly, the minimal pushout complement is the maximally open one: whenever a place could be either open or not, it is taken to be open (in Fig. 9(c), this corresponds to taking the pushout complement $D$ with place $s$ input open).

Lemma 6.4 (existence of the pushout complement). Let $p$ be a rewriting rule over open nets, let $Z$ be an open net and let $m : L_p \to Z$ be a match. Assume that
(1) for all places $s \in L_p - l_p(K_p)$ we have ${}^\bullet m(s),\ m(s)^\bullet \subseteq m(L_p - l_p(K_p))$;
(2) $m(l_p(\mathit{in}(l_p)) \cap O^+_{L_p}) \subseteq O^+_Z$ and $m(l_p(\mathit{out}(l_p)) \cap O^-_{L_p}) \subseteq O^-_Z$;
(3) $m(O^x_{L_p} - l_p(O^x_{K_p})) \subseteq O^x_Z$ for $x \in \{+, -\}$.
Then the pushout complement exists in Net, defined as $D = Z - m(L_p - l_p(K_p))$, componentwise over the place and transition sets, and it can be lifted to a minimal pushout complement in ONet by taking as input open places:
• s is removed. Since the rule deletes an input transition from $m(s)$, the image of $s$ in $Z$, the corresponding place in $D$ belongs to $\mathit{in}(d)$ and thus it must be input open. Therefore if $s$ is open also in $L_p$, necessarily, by the construction of pushout in ONet, $m(s)$ must be open in $Z$. Similarly, for condition 3, if a place is open in $L_p$ and it is not in the image of $K_p$ then necessarily it will be open in $Z$. Formally we have to show that (a) the mappings $n$ and $d$ are well-defined open net morphisms, (b) $l_p$ and $m$ are composable and (c) $Z$ is the pushout. Minimality of the pushout complement then follows by construction.
(a.1) $n$ is a well-defined open net morphism. Let us prove that $n^{-1}(O^+_D) \cup \mathit{in}(n) \subseteq O^+_K$ (the condition on output open places is analogous). If $s \in n^{-1}(O^+_D)$ we have two possibilities according to the way

(a.2) $d$ is a well-defined open net morphism. Also in this case we only prove that $d^{-1}(O^+_Z) \cup \mathit{in}(d) \subseteq O^+_D$ (the condition on output open places is analogous). If $s \in d^{-1}(O^+_Z)$ then $s \in O^+_D$ by definition. If, instead, $s \in \mathit{in}(d)$ then it is easy to see that there exists $s' \in S_K$ such that $s' \in \mathit{in}(l_p) \subseteq O^+_K$. Now, there are two subcases:
- If $l_p(s') \in O^+_L$ we have that $s' \in l_p(\mathit{in}(l_p)) \cap O^+_L$ and thus $m(s') \in m(l_p(\mathit{in}(l_p)) \cap O^+_L) \subseteq O^+_Z$ by condition 2. Since $d(s) = m(s')$ we deduce that $s \in d^{-1}(O^+_Z) \subseteq O^+_D$ by construction of $D$.
- If $l_p(s') \notin O^+_L$ then $s' \in O^+_K - O^+_L$, and thus $n(s') \in n(O^+_K - O^+_L) \subseteq O^+_D$, by construction of $D$.
The condition over the initial marking is trivially satisfied by construction.
(b) $n$ and $l_p$ are composable. We show the two conditions for composability separately:
- $n(\mathit{in}(l_p)) \subseteq O^+_D$. In fact, if $s \in \mathit{in}(l_p)$, then it is easy to see that $m(l_p(s)) \in \mathit{in}(d) \subseteq O^+_D$. Now, $m(l_p(s)) = d(n(s))$ and, since $d$ is an open net morphism, it must reflect open places, and thus $n(s) \in O^+_D$.
- $l_p(\mathit{in}(n)) \subseteq O^+_L$. If $s \in l_p(\mathit{in}(n))$ then, it is easy to see that $s \in \mathit{in}(m) \subseteq O^+_L$, as desired.
(c) $Z$ is the pushout.
Then the converse inclusion, and thus equality, follows from the fact that $m$ and $d$ are open net morphisms. Let $s \in S_Z$ such that there are $s' \in O^+_L$ and $s'' \in O^+_D$ such that $m(s') = s = d(s'')$. Thus, there is $s''' \in S_K$ such that $l_p(s''') = s'$ and $n(s''') = s''$. Since $s'' \in O^+_D$, then either $s'' \in d^{-1}(O^+_Z)$ or $s'' \in n(O^+_K - O^+_L)$. Since $s' \in O^+_L$ and $l_p(s''') = s'$, the second possibility cannot arise. In the first case $s = d(s'') \in O^+_Z$, as desired. When $s$ is only in the image of $D$, the proof is analogous. When it is only in the image of $L_p$, we can use condition 3 in the hypothesis.
Summarizing, condition 1 of Lemma 6.4 is a dangling condition. By the remaining conditions, if a place $s$ in $L_p$ is open, and the rule prescribes either the deletion of incoming/outgoing transitions from such place (condition 2) or the deletion of the place itself (condition 3), then the image of $s$ in $Z$ must be open. Examples of what fails when conditions 2 and 3 are violated can be found in Fig. 9(a) and 9(b).
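The following Python sketch is an added example, not part of the paper: it checks conditions 1 and 3 of Lemma 6.4 on small constructed nets and computes $D = Z - m(L_p - l_p(K_p))$ at the level of Net. It assumes pre- and post-sets are plain sets (multiplicities and labels are ignored), does not check condition 2 or that the maps are open net morphisms, and all names in it (`OpenNet`, `deleted`, `condition1`, `condition3`, `complement_in_net`, the sample nets) are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class OpenNet:
    places: set
    pre: dict                                    # transition -> places of its pre-set
    post: dict                                   # transition -> places of its post-set
    open_in: set = field(default_factory=set)    # O^+
    open_out: set = field(default_factory=set)   # O^-

def deleted(L, l_s, l_t, m_s, m_t):
    """m(L_p - l_p(K_p)), returned as (places, transitions) of Z."""
    ds = {m_s[s] for s in L.places - set(l_s.values())}
    dt = {m_t[t] for t in set(L.pre) - set(l_t.values())}
    return ds, dt

def condition1(Z, ds, dt):
    """Dangling condition: a transition touching a deleted place is deleted too."""
    return all(t in dt for t in Z.pre if (Z.pre[t] | Z.post[t]) & ds)

def condition3(K, L, Z, l_s, m_s):
    """m(O^x_Lp - l_p(O^x_Kp)) is contained in O^x_Z for x in {+, -}."""
    for o_K, o_L, o_Z in ((K.open_in, L.open_in, Z.open_in),
                          (K.open_out, L.open_out, Z.open_out)):
        if not {m_s[s] for s in o_L - {l_s[k] for k in o_K}} <= o_Z:
            return False
    return True

def complement_in_net(Z, ds, dt):
    """D = Z - m(L_p - l_p(K_p)), componentwise; open places of D are not computed."""
    keep = [t for t in Z.pre if t not in dt]
    return OpenNet(Z.places - ds, {t: Z.pre[t] for t in keep},
                   {t: Z.post[t] for t in keep})

# Constructed sample: the rule keeps place a and deletes place b and transition t.
K = OpenNet({"a"}, {}, {}, open_out={"a"})
L = OpenNet({"a", "b"}, {"t": {"a"}}, {"t": {"b"}}, open_in={"b"})
l_s, l_t = {"a": "a"}, {}                        # l_p : K_p -> L_p
m_s, m_t = {"a": "p", "b": "q"}, {"t": "u"}      # match m : L_p -> Z
Z_ok = OpenNet({"p", "q"}, {"u": {"p"}}, {"u": {"q"}}, open_in={"q"})
Z_dangling = OpenNet({"p", "q"}, {"u": {"p"}, "v": set()},
                     {"u": {"q"}, "v": {"q"}}, open_in={"q"})
Z_closed = OpenNet({"p", "q"}, {"u": {"p"}}, {"u": {"q"}})   # q not open
DS, DT = deleted(L, l_s, l_t, m_s, m_t)

if __name__ == "__main__":
    for name, Z in (("ok", Z_ok), ("dangling", Z_dangling), ("closed", Z_closed)):
        print(name, condition1(Z, DS, DT), condition3(K, L, Z, l_s, m_s))
    print(complement_in_net(Z_ok, DS, DT))
```

In `Z_dangling` the extra transition `v` still feeds the deleted place, so condition 1 fails; in `Z_closed` the deleted open place of $L_p$ is matched to a closed place, so condition 3 fails.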

Lemma 6.6 (applying general rules). Let $p$ be a rule over open nets, let $Z$ be an open net and let $m : L_p \to Z$ be a proper match. Then there exists a transformation $Z \Rightarrow_{p,m} Z'$.
Proof. Let $p$ be a rule over open nets, let $Z$ be an open net and let $m : L_p \to Z$ be a proper match. Then, by using Lemma 6.4 we can construct the minimal pushout complement of $l_p$ and $m$, as in Fig. 8(a). In order to conclude, it suffices to show that $n$ and $r_p$ are composable. To this aim observe that by properness of the match:
• $n(\mathit{in}(r_p)) \subseteq O^+_D$ (and the same condition holds for $\mathit{out}(.)$). In fact, let $s \in \mathit{in}(r_p)$. We distinguish two possibilities. If $s \in \mathit{in}(l_p)$ then necessarily $n(s) \in \mathit{in}(d)$ and thus $n(s) \in O^+_D$, since $n$ is an open net morphism. If instead, $s \notin \mathit{in}(l_p)$, then $s \in \mathit{in}(r_p) - \mathit{in}(l_p)$, hence, by condition 4 of Definition 6.5, $m(l_p(s)) \in O^+_Z$. Since $m(l_p(s)) = d(n(s))$ and $d$ is an open net morphism, we conclude that also in this case $n(s) \in O^+_D$.
• $r_p(\mathit{in}(n)) = r_p(l_p^{-1}(\mathit{in}(m))) \subseteq O^+_{R_p}$ (and the same condition holds for $\mathit{out}(.)$). Immediate by condition 5 of Definition 6.5.

Figure 12: Transformation of open nets representing a travel agent's portal.
and, by definition of open net morphism $s'$ must be open, i.e., $s' \in O^x_{K_p}$. Therefore $O^x_{L_p} \subseteq l_p(O^x_{K_p})$ and thus condition 3 is trivially satisfied. Similarly, for condition 5, observe that, by definition of open net morphisms, $\mathit{in}(m) \subseteq O^+_{L_p}$, and, thus $r_p$