Priced Timed Petri Nets

We consider priced timed Petri nets, i.e., unbounded Petri nets where each token carries a real-valued clock. Transition arcs are labeled with time intervals, which specify constraints on the ages of tokens. Furthermore, our cost model assigns token storage costs per time unit to places, and firing costs to transitions. This general model strictly subsumes both priced timed automata and unbounded priced Petri nets. We study the cost of computations that reach a given control-state. In general, a computation with minimal cost may not exist, due to strict inequalities in the time constraints. However, we show that the infimum of the costs to reach a given control-state is computable in the case where all place and transition costs are non-negative. On the other hand, if negative costs are allowed, then the question whether a given control-state is reachable with zero overall cost becomes undecidable. In fact, this negative result holds even in the simpler case of discrete time (i.e., integer-valued clocks).


Introduction
Petri nets [Pet62,Pet77] are a widely used model for the study and analysis of concurrent systems. Many different formalisms have been proposed which extend Petri nets with clocks and real-time constraints, leading to various definitions of Timed Petri nets (TPNs). A complete discussion of all these formalisms is beyond the scope of this paper and the interested reader is referred to the surveys in [Srb08, Bow96, BCH + 05].
An important distinction is whether the time model is discrete or continuous. In discrete-time nets, time is interpreted as being incremented in discrete steps and thus the ages of tokens are in a countable domain, commonly the natural numbers. Such discretetime nets have been studied in, e.g., [RGdFE99,dFERA00]. In continuous-time nets, time is interpreted as continuous, and the ages of tokens are real numbers. Some problems for continuous-time nets have been studied in [AN01,AN02,ADMN04,AMM07].
In parallel, there have been several works on extending the model of timed automata [AD94] with prices (weights) (see e.g., [ATP01, LBB + 01, BBBR07, BFH + 01, BFLM11, JT08, BFL + 08]). Weighted timed automata are suitable models for embedded systems, where one has to take into consideration the fact that the behavior of the system may be constrained by the consumption of different types of resources. Concretely, weighted timed automata extend classical timed automata with a cost function Cost that maps every location and every transition to a nonnegative integer (or rational) number. For a transition, Cost gives the cost of performing the transition. For a location, Cost gives the cost per time unit for staying in the location. In this manner, we can define, for each computation of the system, the accumulated cost of staying in locations and performing transitions along the computation.
Here we consider a very expressive model that subsumes all models mentioned above. Priced Timed Petri Nets (PTPN) are a generalization of classic Petri nets [Pet62] with realvalued (i.e., continuous-time) clocks, real-time constraints, and prices for computations.
Each token is equipped with a real-valued clock, representing the age of the token. The firing conditions of a transition include the usual ones for Petri nets. Additionally, each arc between a place and a transition is labeled with a time-interval whose bounds are natural numbers (or possibly ∞ as upper bound). These intervals can be open, closed or half open. Like in timed automata, this is used to encode strict or non-strict inequalities that describe constraints on the real-valued clocks. When firing a transition, tokens which are removed/added from/to places must have ages lying in the intervals of the corresponding transition arcs. Furthermore, we add special read-arcs to our model. These affect the enabledness of transitions, but, unlike normal arcs, they do not remove the token from the input place. Read arcs preserve the exact age of the input token, unlike the scenario where a token is first removed and then replaced. Read arcs are necessary in order to make PTPN subsume the classic priced timed automata of [BBBR07].
We assign a cost to computations via a cost function Cost that maps transitions and places of the Petri net to natural numbers. For a transition t, Cost (t) gives the cost of performing the transition, while for a place p, Cost (p) gives the cost per time unit per token in the place. The total cost of a computation is given by the sum of all costs of fired transitions plus the storage costs for storing certain numbers of tokens on certain places for certain times during the computation. Like in priced timed automata, having integers as costs and time bounds is not a restriction, because the case of rational numbers can be reduced to the integer case. In most of the paper we consider non-negative costs for transitions and places. In the last section we show that allowing negative costs makes even very basic questions undecidable.
Apart from the cost model, our PTPN are very close to the Timed-Arc Petri Nets of [Srb08] (except for some extensions; see below) in the sense that time is recorded by clocks in the individual tokens, of which there can be unboundedly many. This model differs significantly from the Time Petri Nets (also described in [Srb08]) where time is measured by a bounded number of clocks in the transitions. In addition to the cost model, our PTPN also extend the models of [Srb08], [AN01, AN02, ADMN04, AMM07] and [RGdFE99,dFERA00] in two other ways. First, our PTPN model includes read-arcs, which is necessary to subsume (priced) timed automata. Secondly, in PTPN, newly generated tokens do not necessarily have age zero, but instead their age is chosen nondeterministically from specified intervals (which can be point intervals). Our PTPN model uses a continuous-time semantics (with real-valued clocks) like the models considered in [AN01,AN02,ADMN04,AMM07] and unlike the simpler discrete-time semantics (with integer-valued clocks) considered in [RGdFE99,dFERA00]. We use a non-urgent semantics where tokens can grow older even if this disables the firing of certain transitions (sometimes for ever), like in the Timed-Arc Petri Nets of [Srb08] and unlike in the Time Petri Nets of [Srb08].
Thus, our PTPN are a continuous-time model which subsumes the continuous-time TPN of [AN01, AN02, ADMN04, AMM07], the Timed-Arc Petri Nets of [Srb08] and the priced timed automata of [ATP01, LBB + 01, BBBR07]. It should be noted that PTPN are infinite-state in several different ways. First, the Petri net itself is unbounded. So the number of tokens (and thus the number of clocks) can grow beyond any bound, i.e., the PTPN can create and destroy arbitrarily many clocks. In that PTPN differ from the priced timed automata of [ATP01, LBB + 01, BBBR07], which have only a finite number of controlstates and only a fixed finite number of clocks. Secondly, every single clock value is a real number of which there are uncountably many.
Our contribution. We study the cost to reach a given control-state in a PTPN. In Petri net terminology, this is called a control-state reachability problem or a coverability problem. The related reachability problem (i.e., reaching a particular configuration) is undecidable for (continuous-time and discrete-time) TPN [RGdFE99], even without taking costs into account. In general, a cost-optimal computation may not exist (e.g., even in priced timed automata it can happen that there is no computation of cost 0, but there exist computations of cost ≤ ǫ for every ǫ > 0).
Our main contribution is to show that the infimum of the costs to reach a given controlstate is computable, provided that all transition and place costs are non-negative. This cost problem had been shown to be decidable for the much simpler model of discrete-time PTPN in [AM09]. However, discrete-time PTPN do not subsume the priced timed automata of [BBBR07]. Moreover, the techniques from [AM09] do not carry over to the continuous-time domain (e.g., arbitrarily many delays of length 2 −n for n = 1, 2, . . . can can happen in ≤ 1 time).
On the other hand, if negative costs are allowed, then even very basic questions become undecidable. In Section 10 we show that the question whether a given control-state is reachable with zero overall cost is undecidable if negative transition costs are allowed. This negative result does not need real-valued clocks; it even holds in the simpler case of discrete time (i.e., integer-valued) clocks.
Outline of Used Techniques. Since the PTPN model is very expressive, several powerful new techniques are developed in this paper to analyze them. These techniques are interesting in their own right and can be instantiated to solve other problems.
In Section 2 we define PTPN and the priced coverability problem, and describe its relationship with priced timed automata and Petri nets. Then, in Sections 3-5, we reduce the priced coverability problem for PTPN to a coverability problem in an abstracted untimed model called AC-PTPN. This abstraction is done by an argument similar to a construction in [BBBR07], where parameters indicating a feasible computation are contained in a polyhedron, which is described by a totally unimodular matrix. However, our class of matrices is more general than in [BBBR07], because PTPN allow the creation of new clocks with a nonzero value. The resulting AC-PTPN are still much more expressive than Petri nets, because their configurations are arbitrarily long sequences of multisets (instead of a single multiset in the case of normal Petri nets). Moreover, the transitions of AC-PTPN are not monotone, because larger configurations cost more and might thus exceed the cost limit.
In order to solve coverability for AC-PTPN, we develop a very general method to solve reachability/coverability problems in infinite-state transition systems which are more general than the well-quasi-ordered/well-structured transition systems of [AČJT00,FS01]. We call this method the abstract phase construction, and it is described in abstract terms in Section 6. In particular, it includes a generalization of the Valk-Jantzen construction [VJ85] to arbitrary well-quasi-ordered domains.
In Section 7, we instantiate this abstract method with AC-PTPN and prove the main result. This instantiation is nontrivial and requires several auxiliary lemmas, which ultimately use the decidability of the reachability problem for Petri nets with one inhibitor arc [Rei08,Bon11]. There exist close connections between timed Petri nets, Petri nets with one inhibitor arc, and transfer nets. In Section 8 we establish a connection between a subclass of transfer nets called simultaneous-disjoint-transfer nets (SD-TN) and Petri nets with one inhibitor arc, and in Section 9 we show the decidability of a crucial property by reducing it to a reachability problem for SD-TN. By combining all parts, we show the main result, i.e., the computability of the infimum of the costs for PTPN.
The undecidability result for general costs of Section 10 is shown by a direct reduction from Minsky 2-counter machines, where a tradeoff between positive and negative costs is used to ensure a faithful simulation.

Priced Timed Petri Nets
2.1. Preliminaries. We use N, R ≥0 , R >0 to denote the sets of natural numbers (including 0), nonnegative reals, and strictly positive reals, respectively. For a natural number k, we use N k and N k ω to denote the set of vectors of size k over N and N ∪ {ω}, respectively (ω represents the first limit ordinal). For n ∈ N, we use [n] to denote the set {0, . . . , n}. For x ∈ R ≥0 , we use frac (x) to denote the fractional part of x. We use a set Intrv of intervals. An open interval is written as (w ∶ z) where w ∈ N and z ∈ N ∪ {∞}. Intervals can also be closed in one or both directions, e.g. [w ∶ z] is closed in both directions and [w ∶ z) is closed to the left and open to the right.
For a set A, we use A * and A ⊙ to denote the set of finite words and finite multisets over A, respectively. We view a multiset b over A as a mapping b ∶ A ↦ N. Sometimes, we write finite multisets as lists (possibly with multiple occurrences), so both [2.4, 2.4, 2.4, 5.1, 5.1] and [2.4 3 , 5.1 2 ] represent a multiset b over R ≥0 where b(2.4) = 3, b(5.1) = 2 and b(x) = 0 for x ≠ 2.4, 5.1. For multisets b 1 and b 2 over A, we say that b 1 ≤ b 2 if b 1 (a) ≤ b 2 (a) for each a ∈ A. We define b 1 + b 2 to be the multiset b where b(a) = b 1 (a) + b 2 (a), and (assuming b 1 ≤ b 2 ) we define b 2 − b 1 to be the multiset b where b(a) = b 2 (a) − b 1 (a), for each a ∈ A. We use a ∈ b to denote that b(a) > 0. We use ∅ or [] to denote the empty multiset and ε to denote the empty word.
Let (A, ≤) be a poset. We define a partial order ≤ w on A * as follows. Let a 1 . . . a n ≤ w b 1 . . . b m iff there is a subsequence b j 1 . . . b jn of b 1 . . . b m s.t. ∀k ∈ {1, . . . , n}. a k ≤ b j k . A subset B ⊆ A is said to be upward closed in A if a 1 ∈ B, a 2 ∈ A and a 1 ≤ a 2 implies a 2 ∈ B. If A is known from the context, then we say simply that B is upward closed. For B ⊆ A we define the upward closure B ↑ to be the set {a ∈ A ∃a ′ ∈ B ∶ a ′ ≤ a}. A downward closed set We say that t is enabled in (q 1 , M 1 ) if the first two conditions are satisfied. A transition t may be fired iff for each input-arc and each read-arc, there is a token with the right age in the corresponding input place. These tokens in I matched to the input arcs will be removed when the transition is fired, while the tokens in R matched to the read-arcs are kept. The newly produced tokens in O have ages which are chosen nondeterministically from the relevant intervals on the output arcs of the transitions. This semantics is lazy, i.e., enabled transitions do not need to fire and can be disabled again.
We write → = → Time ∪ → Disc to denote all transitions. For sets C, C ′ of configurations, we write C * → C ′ to denote that c * → c ′ for some c ∈ C and c ′ ∈ C ′ . A computation π (from c to c ′ ) is a sequence of transitions c 0 → c 1 → . . . → c n such that c 0 = c and c n = c ′ . We write c π → c ′ to denote that π is a computation from c to c ′ . Similarly, we write C π → C ′ to denote that ∃c 1 ∈ C, c n ∈ C ′ . c 1 π → c n .

2.4.
Costs. The cost of a computation consisting of one discrete transition t ∈ T is defined as Cost ((q 1 , M 1 ) → t (q 2 , M 2 )) ∶= Cost (t). The cost of a computation consisting of one timed transition is defined by cost of a computation is the sum of all transition costs in it, i.e., We write C v → C ′ to denote that there is a computation π such that C π → C ′ and Cost (π) ≤ v. We define OptCost (C, C ′ ) to be the infimum of the set v C v → C ′ , i.e., the infimum of the costs of all computations leading from C to C ′ . We use the infimum, because the minimum does not exist in general. We partition the set of places P = P c ∪ P f where Cost (p) > 0 for p ∈ P c and Cost (p) = 0 for p ∈ P f . The places in P c are called cost-places and the places in P f are called free-places.
2.5. Relation of PTPN to Other Models. PTPN subsume the priced timed automata of [ATP01, LBB + 01, BBBR07] via the following simple encoding. For every one of the finitely many clocks of the automaton we have one place in the PTPN with exactly one token on it whose age encodes the clock value. We assign cost zero to these places. For every control-state s of the automaton we have one place p s in the PTPN. Place p s contains exactly one token iff the automaton is in state s, and it is empty otherwise. An automaton transition from state s to state s ′ is encoded by a PTPN transition consuming the token from p s and creating a token on p s ′ . The transition guards referring to clocks are encoded as read-arcs to the places which encode clocks, labeled with the required time intervals. Note that open and half-open time intervals are needed to encode the strict inequalities used in timed automata. Clock resets are encoded by consuming the timed token (by an input-arc) and replacing it (by an output-arc) with a new token on the same place with age 0. The cost of staying in state s is encoded by assigning a cost to place p s , and the cost of performing a transition is encoded as the cost of the corresponding PTPN transition. Also PTPN subsume fully general unbounded (i.e., infinite-state) Petri nets (by setting all time intervals to [0 ∶ ∞) and thus ignoring the clock values).
Note that (just like for timed automata) the problems for continuous-time PTPN cannot be reduced to (or approximated by) the discrete-time case. Replacing strict inequalities with non-strict ones might make the final control-state reachable, when it originally was unreachable (i.e., it would cause qualitative differences, and not only quantitative ones).
2.6. The Priced Coverability Problem. We will consider two variants of the cost problem, the Cost-Threshold problem and the Cost-Optimality problem. They are both characterized by an initial control state q init and a final control state q fin .
Let c init = (q init , []) be the initial configuration and C fin = { q fin , M M ∈ (P × R ≥0 ) ⊙ } the set of final configurations defined by the control-state q fin . I.e., we start from a configuration where the control state is q init and where all the places are empty, and then consider the cost of computations that takes us to q fin . (If c init contained tokens with a non-integer age then the optimal cost might not be an integer.) In the Cost-Threshold problem we ask the question whether OptCost c init , C fin ≤ v for a given threshold v ∈ N.
In the Cost-Optimality problem, we want to compute OptCost c init , C fin .
t1 1 p2 2 6.5 q1 p1 2.7. A Running Example. Figure 1 shows a simple PTPN. We will use this PTPN to give examples of some of the concepts that we introduce in this paper.

Computations in δ-Form
We solve the Cost-Threshold and Cost-Optimality problems for PTPN via a reduction that goes through a series of abstraction steps. First we show that, in order to solve the cost problems, it is sufficient to consider computations of a certain form where the ages of all the tokens are arbitrarily close to an integer. This technique is similar to the corner-point abstraction used in the analysis of priced timed automata [BFH + 01, BFLM11,BBBR07] where sets of possible clock valuations are described by polyhedra, and where the infimum cost is achieved in the corner-points of these polyhedra. For PTPN, extra difficulties arise from the unbounded growth of configurations by newly created clocks in new tokens and the potential disappearance of old clocks in consumed tokens. Moreover, newly created clocks in PTPN do not necessarily have value zero. This leads to a more complex structure of the matrices that describe the polyhedra of clock valuations than in the case of priced timed automata; see Def. 3.2. However, we show in Lemma 3.4 that these more general matrices are still totally unimodular, which makes the corner-point abstraction possible. We decompose PTPN markings M into submarkings such that in every submarking the fractional parts (but not necessarily the integer parts) of the token ages are the same. We then arrange these submarkings in a sequence M −m , . . . , M −1 , M 0 , M 1 , . . . , M n such that M −m , . . . , M −1 contain tokens with fractional parts ≥ 1 2 in increasing order, M 0 contains the tokens with fractional part zero, and M 1 , . . . , M n contain tokens with fractional parts < 1 2 in increasing order.
Formally, the decomposition of a PTPN marking M into its fractional parts M −m , . . . , M −1 , M 0 , M 1 , . . . , M n is uniquely defined by the following properties: can be empty, but the other M i must be non-empty in order to get a unique representation.) We say that a timed transition (q, M ) x → (q, M ′ ) is detailed iff at most one fractional part of any token in M changes its status about reaching or exceeding the next higher integer value. Formally, let ǫ be the fractional part of the token ages in , no tokens reach the next integer), or M 0 = ∅ and x = ǫ (no tokens had integer age, but those in M −1 reach integer age). Every computation of a PTPN can be transformed into an equivalent one (w.r.t. reachability and cost) where all timed transitions are detailed, by replacing some long timed transitions with several detailed shorter ones where necessary. Thus we may assume w.l.o.g. that timed transitions are detailed. This property is needed to obtain a one-to-one correspondence between PTPN steps and the steps of A-PTPN, defined in the next section.
For δ ∈ (0 ∶ 1 5] the marking [(p 1 , x 1 ) , . . . , (p n , x n )] is in δ-form if, for all i ∶ 1 ≤ i ≤ n, it is the case that either (i) frac(x i ) < δ (low fractional part), or (ii) frac(x i ) > 1 − δ (high fractional part). I.e., the age of each token is close to (within < δ) an integer. We choose δ ≤ 1 5 to ensure that the cases (i) and (ii) do not overlap, and that they still do not overlap for a new δ ′ ≤ 2 5 after a delay of ≤ 1 5 time units.
The occurrence of a discrete transition t is said to be in δ-form if its output O is in δ-form, i.e., the ages of the newly generated tokens are close to an integer. This is not a property of the transition t as such, but a property of its occurrence, because it depends on the particular choice of O (which is not fixed but possibly nondeterministic within certain constraints; see Subsection 2.3).
Let N = (Q, P, T, Cost ) be a PTPN and c init = (q init , []) and C fin = { q fin , M M ∈ (P × R ≥0 ) ⊙ } as in the last section.
For 0 < δ ≤ 1 5, the computation π is in δ-form iff (1) Every occurrence of a discrete transition c i → t c i+1 is in δ-form, and (2) For every timed transition c i We show that, in order to find the infimum of the possible costs, it suffices to consider computations in δ-form, for arbitrarily small values of δ > 0.
Proof. Outline of the proof. We construct π ′ by fixing the structure of the computation π and varying the finitely many real numbers describing the delays of timed transitions and the ages of newly created tokens. The tuples of numbers corresponding to a possible computation are contained in a polyhedron, which is described by inequations via a totally unimodular matrix, and whose vertices thus have integer coordinates. Since the cost function is linear in these numbers, the infimum of the costs can be approximated arbitrarily closely by computations π ′ whose numbers are arbitrarily close to integers, i.e., computations π ′ in δ-form for arbitrarily small δ > 0. Detailed proof. The computation π with c init π → C fin consists of a sequence of discrete transitions and timed transitions. Let n be the number of timed transitions in π and x i > 0 (for 1 ≤ i ≤ n) be the delay of the i-th timed transition in π. Let m be the number of newly created tokens in π. We fix some arbitrary order on these tokens (it does not need to agree with the order of token creation) and call them t 1 , . . . , t m . Let y i be the age of token t i when it is created in π. (Recall that the age of new tokens is not always zero, but chosen nondeterministically out of given intervals.) We now consider the set of all computations π ′ that have the same structure, i.e., the same transitions, as π, but with modified values of y 1 , . . . , y m and x 1 , . . . , x n . Such computations π ′ have the same length as π and the sizes of the visited configurations match. Also if π is detailed then π ′ is detailed.
It remains to show that one such computation π ′ is in δ-form and Cost (π ′ ) ≤ Cost (π). The set of tuples (y 1 , . . . , y m , x 1 , . . . , x n ) for which such a computation π ′ is feasible is described by a set of inequations that depend on the transition guards. (The initial configuration, and the set of final configurations do not introduce any constraints on (y 1 , . . . , y m , x 1 , . . . , x n ), because they are closed under changes to token ages.) The inequations are derived from the following conditions. • The time always advances, i.e., x i > 0.
• When the token t j is created by an output arc with interval [a ∶ b] we have a ≤ y j ≤ b, and similarly with strict inequalities if the interval is (half) open. Note that the bounds a and b are integers (except where b = ∞ in which case there is no upper bound constraint). • Consider a token t j that is an input of some discrete transition t via an input arc or a read arc labeled with interval [a ∶ b]. Note that the bounds a and b are integers (or ∞). Let x k , x k+1 , . . . , x k+l be the delays of the timed transitions that happened between the creation of token t j and the transition t. Then we must have a ≤ y j +x k +x k+1 +⋅ ⋅ ⋅+x k+l ≤ b.
(Similarly with strict inequalities if the interval is (half) open.) These inequations describe a polyhedron PH which contains all feasible tuples of values (y 1 , . . . , y m , x 1 , . . . , x n ). By the precondition of this lemma, there exists a computation c init π → C fin and thus the polyhedron PH is nonempty. Therefore we obtain the closure of the polyhedron PH by replacing all strict inequalities <, > with normal inequalities ≤, ≥. Thus PH contains PH , but every point in PH is arbitrarily close to a point in PH . Now we show that the vertices of the polyhedron PH have integer coordinates.
Let v = (y 1 , . . . , y m , x 1 , . . . , x n ) be a column vector of the free variables. Then the polyhedron PH can be described by the inequation M ⋅ v ≤ c, where c is a column vector of integers and M is an integer matrix. Now we analyze the shape of the matrix M . Each inequation corresponds to a row in M . If the inequality is ≤ then the elements are in {0, 1}, and if the inequality is ≥ then the elements are in {0, −1}. Each of the inequations above refers to at most one variable y j , and possibly one continuous block of several variables x k , x k+1 , . . . , x k+l . Moreover, for each y j , this block (if it is nonempty) starts with the same variable x k . This is because the x k , x k+1 , . . . , x k+l describe the delays of the timed transitions between the creation of token t j and the moment where t j is used. x k is always the first delay after the creation of t j , and no delays can be left out. Note that the token t j can be used more than once, because transitions with read arcs do not consume the token. We present the inequalities in blocks, where the first block contains all which refer to y 1 , the second block contains all which refer to y 2 , etc. The last block contains those inequations that do not refer to any y j , but only to variables x i . Inside each block we sort the inequalities w.r.t. increasing length of the x k , x k+1 , . . . , x k+l block, i.e., from smaller values of l to larger ones. (For y j we have the same k.) Thus the matrix M has the following form: Formally, the shape of these matrices is defined as follows.
Definition 3.2. We call a (z × m + n)-matrix a PTPN constraint matrix, if every row has one of the following two forms. Let j ∈ {1, . . . , m} and k(j) ∈ {1, . . . , n} be a number that depends only on j, and let α ∈ {−1, 1}. First form: 0 j−1 α0 m−j 0 k(j)−1 α * 0 * . Second form: 0 * α * 0 * . Matrices that contain only rows of the second form all called 3-block matrices in [BBBR07].  Proof. First, every square submatrix of a PTPN constraint matrix has the same form and is also a PTPN constraint matrix. Thus it suffices to show the property for square PTPN constraint matrices. We show this by induction on the size. The base case of size 1 × 1 is trivial, because the single value must be in {−1, 0, 1}. For the induction step consider a square k × k PTPN constraint matrix M , with some n, m s.t. n + m = k. If M does not contain any row of the first form then M is a 3-block matrix and thus totally unimodular by [BBBR07] (Lemma 2). Otherwise, M contains a row i of the first form where M (i, j) ∈ {−1, 1} for some 1 ≤ j ≤ m. Without restriction let i be such a row in M where the number of nonzero entries is minimal. Consider all rows i ′ in M where M (i ′ , j) ≠ 0. Except for M (i ′ , j), they just contain (at most) one block of elements 1 (or −1) that starts at position m + k(j). By adding/subtracting row i to all these other rows i ′ where M (i ′ , j) ≠ 0 we obtain a new matrix M ′ where M ′ (i, j) is the only nonzero entry in column j in M ′ and det(M ′ ) = det(M ). Moreover, M ′ is also a PTPN constraint matrix, because of the minimality of the nonzero block length in row i and because all these blocks start at m+k(j). I.e., in M ′ these modified rows i ′ have the form 0 * 1 * 0 * or 0 * (−1) * 0 * . We obtain M ′′ from M ′ by deleting column j and row i, and M ′′ is a (k−1)×(k−1) PTPN constraint matrix (because j ≤ m). Theorem 3.5. [NW88]. Consider the polyhedron {v ∈ IR k M ⋅ v ≤ c} with M a totally unimodular (p × k) matrix and c ∈ Z p . Then the coordinates of its vertices are integers.
Since our polyhedron PH is described by a PTPN constraint matrix, which is totally unimodular by Lemma 3.4, it follows from Theorem 3.5 that the vertices of PH have integer coordinates.
Since the Cost function is linear in x 1 , . . . , x n (and does not depend on y 1 , . . . , y m ), the infimum of the costs on PH is obtained at a vertex of PH , which has integer coordinates by Theorem 3.5. Therefore, one can get arbitrarily close to the infimum cost with values y 1 , . . . , y m , x 1 , . . . , x n which are arbitrarily close to some integers. Thus, for every computation c init π → C fin there exists a modified computation π ′ with values y 1 , . . . , y m , x 1 , . . . , x n arbitrarily close to integers (i.e., π ′ in δ-form for arbitrarily small δ > 0) such that c init π ′ → C fin and Cost (π ′ ) ≤ Cost (π). (Note that the final configuration reached by π ′ possibly differs from the final configuration of π in the ages of some tokens. However, this does not matter, because the set of configurations C fin is closed under such changes.) The following corollary follows directly from Lemma 3.1 and shows that in order to find the infimum of the cost it suffices to consider only computations in δ-form for arbitrarily small δ > 0.

Abstract PTPN
We now reduce the Cost-Optimality problem to a simpler case without explicit clocks by defining a new class of systems called abstract PTPN (for short A-PTPN), whose computations represent PTPN computations in δ-form, for infinitesimally small values of δ > 0. For each PTPN N = (Q, P, T, Cost ), we define a corresponding A-PTPN N ′ , sometimes denoted by aptpn (N ). The A-PTPN N ′ is syntactically of the same form (Q, P, T, Cost ) as N . However, N ′ induces a different transition system, because its configurations and operational semantics are different. Below we define the set of markings of the A-PTPN, and then describe the transition relation. We will also explain the relation to the markings and the transition relation induced by the original PTPN.
Markings and Configurations. Fix a δ ∶ 0 < δ ≤ 2 5. A marking M of N in δ-form is encoded by a marking aptpn (M ) of N ′ which is described by a triple w high , b 0 , w low where w high , w low ∈ (P × [cmax + 1]) ⊙ * and b 0 ∈ (P × [cmax + 1]) ⊙ . The ages of the tokens in aptpn (M ) are integers and therefore only carry the integral parts of the tokens in the original PTPN. However, the marking aptpn (M ) carries additional information about the fractional parts of the tokens as follows. The tokens in w high represent tokens in M that have high fractional parts (their values are at most δ below the next integer); the tokens in w low represent tokens in M that have low fractional parts (their values at most δ above the previous integer); while tokens in b 0 represent tokens in M that have zero fractional parts (their values are equal to an integer). Furthermore, the ordering among the fractional parts of tokens in w high (resp. w low ) is represented by the positions of the multisets to which they belong in w high (resp. w low ). Let M = M −m , . . . , M −1 , M 0 , M 1 , . . . , M n be the decomposition of M into fractional parts, as defined in Section 3. Then we de- (This is well defined, because M i contains only tokens with one particular fractional part.) Furthermore, b 0 ((p, cmax + 1)) = ∑ y>cmax M ((p, y)), i.e., all tokens whose age is > cmax are abstracted as tokens of age cmax + 1, because the PTPN cannot distinguish between token ages > cmax . Note that w high and w low represent tokens with fractional parts in increasing order. An A-PTPN configuration is a controlstate plus a marking. If we apply aptpn to a set of configurations (i.e., aptpn(C fin )), we implicitly restrict this set to the subset of configurations in 2 5-form.
Transition Relation. The transitions on the A-PTPN are defined as follows. For every discrete transition t = (q 1 , q 2 , In, Read , The intuition is that the A-PTPN tokens in b i for i ≠ 0 represent PTPN tokens with a little larger, and strictly positive, fractional part. Thus their age is incremented by ǫ > 0 before it is matched to the input, read and output arcs. The fractional parts of the tokens that are not involved in the transition stay the same. However, since all the time intervals in the PTPN have integer bounds, the fractional parts of newly created tokens are totally arbitrary. Thus they can be inserted at any position in the sequence, between any positions in the sequence, or before/after the sequence of existing fractional parts. This is specified by the last condition on the sequence c −m ′ . . . c −1 , c 0 , c 1 . . . c n ′ .
The following lemma shows the connection between a PTPN and its corresponding A-PTPN for discrete transition steps.
14 P. A. ABDULLA AND R. MAYR Since the time intervals on transitions have integer bounds, we obtain match( Similarly as M , the marking O can be uniquely decomposed into parts with increasing fractional part of the ages of tokens, i.e., Thus M ′ can be uniquely decomposed into parts with increasing fractional part of the ages of tokens, i.e., . Moreover, this O can be chosen to be in δ-form, for the following reasons. The tokens in O whose fractional part is the same as a fractional part in M are trivially in δ-form, because M is in δ-form. The tokens in O whose fractional part is between two fractional parts in M is also trivially in δ-form, because M is in δ-form. Now consider the tokens in O whose fractional part is larger than any fractional part in M 1 + ⋅ ⋅ ⋅ + M n . Let δ 1 be the maximal fractional part in M 1 + ⋅ ⋅ ⋅ + M n . We have δ 1 < δ, because M is in δ-form. Since δ 1 < δ, the interval (δ 1 ∶ δ) is nonempty and contains uncountably many different values. Therefore there is still space for infinitely many different fractional parts in O in the interval (δ 1 ∶ δ). Finally consider the tokens in O whose fractional part is smaller than any fractional part in Now we show how to encode timed transitions into A-PTPN. We define A-PTPN transitions that encode the effect of PTPN detailed timed transitions x → for x ∈ (0 ∶ δ) or x ∈ (1 − δ ∶ 1) for sufficiently small δ > 0. We call these abstract timed transitions. For any mul- for x ≤ cmax and b + ((p, cmax + 1)) = b((p, cmax + 1)) + b((p, cmax )), i.e., the age cmax + 1 represents all ages > cmax . There are 4 different types of abstract timed transitions. (In the following all b i are nonempty.) This simulates a very small delay δ > 0 where the tokens of integer age in b 0 now have a positive fractional part, but no tokens reach an integer age.
This simulates a very small delay δ > 0 in the case where there were no tokens of integer age and the tokens in b −1 just reach the next higher integer age.
reach the next higher integer and no token gets an integer age.
This simulates a delay in (1 − δ ∶ 1) where the tokens in b 0 , . . . b k do not quite reach the next higher integer and the tokens on b k+1 just reach the next higher integer age. The cost model for A-PTPN is defined as follows. For every transition t ∈ T we have For abstract timed transitions of types 1 and 2 we define the cost as zero. For abstract timed transitions (q, M 1 ) → (q, M 2 ) of types 3 and 4, we define Cost ((q, , as if the elapsed time had length 1). The intuition is that, as δ converges to zero, the cost of the PTPN timed transitions of length in (0 ∶ δ) (types 1 and 2) or in (1 − δ ∶ 1) (types 3 and 4) converges to the cost of the corresponding abstract timed transitions in the A-PTPN. This will be shown formally in Lemma 4.4.
The following two lemmas show the connection between (detailed) timed transitions in PTPN and abstract timed transitions in the corresponding A-PTPN.
Proof. Let M = M −m +⋅ ⋅ ⋅+M −1 +M 0 +M 1 +⋅ ⋅ ⋅+M n be the unique decomposition of M into increasing fractional parts (as defined in Section 3), and aptpn (M ) as defined as above. Let ǫ be the fractional part of the ages of the tokens in M −1 . Since In the first case we have x < 1 − ǫ. Then the tokens in M +x −1 will have fractional part ǫ + x ∈ (1 − δ ∶ 1), and the tokens in M +x In the second case we must have x = 1 − ǫ and M 0 = ∅, because (q, M ) x → (q, M +x ) is a detailed timed transition. In this case exactly the tokens in M −1 reach the next higher integer age, i.e., the tokens in M +x −1 have integer age and the integer is one higher than the integer part of the age of the tokens in M 0 . Thus aptpn((q,  Proof. Let M = M −m +⋅ ⋅ ⋅+M −1 +M 0 +M 1 +⋅ ⋅ ⋅+M n be the unique decomposition of M into increasing fractional parts (as defined in Section 3), and aptpn (M ) as defined above. Let ǫ k be the fractional part of the ages of the tokens in M k for 0 ≤ k ≤ n.
In the first case we have , the token ages in M k+1 reach and slightly exceed the next higher integer age, while the token ages in M +x k still stay slightly below the next higher integer. Therefore The only other case is where x = 1 − ǫ k+1 for some k ∈ {0, . . . , n − 1}. Here exactly the tokens in M k+1 reach the next higher integer age. Therefore aptpn((q, The following Lemma 4.4, which follows from Lemmas 4.1,4.2, and 4.3, shows the connection between the computation costs in a PTPN and the corresponding A-PTPN. Proof. For the first part let π = c 0 → . . . → c n be a PTPN computation in detailed form and δ-form s.t. n * δ ≤ 1 5. So every timed transition x → has either x ∈ (0 ∶ δ) or x ∈ (1−δ ∶ 1). Furthermore, the fractional part of the age of every token in any configuration c i is < i * δ away from the nearest integer, because c 0 only contains tokens with integer ages. Since i ≤ n these ages are < n * δ ≤ 1 5 away from the nearest integer. Moreover, π is detailed and thus Lemmas 4.1, 4.2 and 4.3 apply. Thus there exists a corresponding A-PTPN computation π ′ = aptpn(c 0 ) → . . . → aptpn(c n ). By definition of the cost of A-PTPN transitions, for every discrete transition For the second part let c 0 be a PTPN configuration s.t. (ǫ, b 0 , ǫ) = c ′ 0 = aptpn(c 0 ), i.e., all tokens in c 0 have integer ages. We now use Lemmas 4.1, 4.2 and 4.3 to construct the PTPN computation π. Let δ i ∶= δ * 2 i−n for 0 ≤ i ≤ n. The construction ensures the following invariants. (1) c ′ i = aptpn(c i ), and (2) c i is in δ i -form. Condition (1) follows directly from Lemmas 4.1, 4.2 and 4.3. For the base case i = 0, condition (2) holds trivially, because all tokens in c 0 have integer ages. Now we consider the step from i to i + 1. Since c i is in δ i -form, we obtain from Lemmas 4.1, 4.2 and 4.3 that if the i− th transition in this sequence is a timed transition Now we consider the cost of the PTPN computation π. By definition of the cost of A-PTPN transitions, for every discrete transition The following theorem summarizes the results of this section. To compute the optimal cost of a PTPN, it suffices to consider the corresponding A-PTPN.
Theorem 4.5. The infimum of the costs in a PTPN coincides with the infimum of the costs in the corresponding A-PTPN.
Proof. We show that neither of the two costs for PTPN and A-PTPN can be larger than the other.
By Lemma 3.1 there exists a computation c init Thus we obtain Cost (π λ ) − I ′ ≤ 2λ. Since this holds for every λ > 0 we get I > I ′ .
By combining I ′ > I with I > I ′ we obtain I = I ′ as required.
4.1. The Running Example (cont.) We consider the running example from Subsection 2.7 again.
Below we describe four examples of abstract computation steps (not the same as in Subsection 2.7).
(i) A type 1 transition from c 1 leads to Below, we give three concrete timed transitions that correspond to the abstract steps (i)-(iii) described above.
A concrete timed transitions that correspond to the abstract step (iv) is the following

Abstracting Costs in A-PTPN
Given an A-PTPN, the cost-threshold problem is whether there exists a computation aptpn(c init ) π → aptpn(C fin ) s.t. Cost (π) ≤ v for a given threshold v. We now reduce this question to a question about simple coverability in a new model called AC-PTPN. The idea is to encode the cost of the computation into a part of the control-state. For every A-PTPN and cost threshold v ∈ N there is a corresponding AC-PTPN that is defined as follows. For where y represents the remaining allowed cost of the computation. We define a finite set of functions in the AC-PTPN for all nonnegative integers y s.t. v ≥ y ≥ Cost (t). I.e., we deduct the cost of the transition from the remaining allowed cost of the computation. For every A-PTPN abstract timed transition of the types 1 and 2 (q 1 , . . . ) → (q 1 , . . . ) we have corresponding AC-PTPN abstract timed transitions of the same types 1 and 2 where ((q 1 , y), . . . ) → ((q 1 , y), . . . ) for all 0 ≤ y ≤ v. I.e., infinitesimally small delays do not cost anything, and thus no cost is deducted from the remaining allowed cost.
For every A-PTPN abstract timed transition of type 3 (for some k ∈ {0, . . . , n}) I.e., we deduct the cost of the timed step (whose length is infinitesimally close to 1) from the remaining allowed cost of the computation. Similarly, for every A-PTPN abstract timed transition of type 4 (for some k ∈ {0, . . . , n − 1}) with I.e., we deduct the cost of the timed step (whose length is infinitesimally close to 1) from the remaining allowed cost of the computation.
The following lemma summarizes the connection between A-PTPN and AC-PTPN.
Lemma 5.1. There exists an A-PTPN computation aptpn(c init ) Proof. Directly from the definition of AC-PTPN.
Moreover, the connection between A-PTPN and AC-PTPN is constructive, i.e., the cost-threshold problem for A-PTPN can be reduced to the coverability problem for AC-PTPN described in Lemma 5.1.
Note that, unlike A-PTPN, AC-PTPN are not monotone. This is because steps of types 3 and 4 with more tokens on cost-places cost more, and thus cost-constraints might block such transitions from larger configurations. Thus one cannot directly reduce the AC-PTPN coverability problem to an A-PTPN coverability problem.

The Abstract Coverability Problem
We describe a general construction for solving reachability/coverability problems for infinitestate systems under some abstract conditions. In particular, we do not assume that the behavior of these systems is fully monotone w.r.t. some well-quasi-order (unlike in many related works [AČJT00,FS01]).
In subsequent sections we will show how this construction can be applied to solve AC-PTPN coverability, and thus the A-PTPN and PTPN cost-threshold problems.
We now show a generalization of this result.
Theorem 6.2. Let (Ω, ≤) be a set with a decidable well-quasi-order (wqo) ≤, and let V ⊆ Ω be upward-closed and recursively enumerable. Then the finite set V min of minimal elements of V is effectively constructible if and only if for every finite subset Proof. V min is finite, since ≤ is a wqo. For the only-if part, since X ↑ is upward-closed, it suffices to check for each of the finitely many elements of V min if it is not in X ↑. This is possible, because X is finite and ≤ is decidable. For the if-part, we start with X = ∅ and keep adding elements to X until X ↑ = V . In every step we do the (by assumption decidable) check if ∃v ∈ V. v ∉ X ↑. If no, we stop. If yes, we enumerate V and check for every element v if v ∉ X ↑ (this is possible since X is finite and ≤ is decidable). Eventually, we will find such a v, add it to the set X, and do the next step. Consider the sequence of elements v 1 , v 2 , . . . which are added to X in this way. By our construction v j ≥ v i for j > i. Thus the sequence is finite, because ≤ is a wqo. Therefore the algorithm terminates and the final set X satisfies ∃ v ∈ V. v ∉ X ↑, i.e., V ⊆ X ↑. Furthermore, by our construction X ⊆ V and thus X ↑ ⊆ V ↑= V . Thus X ↑ = V . Finally, we remove all non-minimal elements from X (this is possible since X is finite and ≤ is decidable) and obtain V min . Corollary 6.3. Let Σ be a finite alphabet and V ⊆ Σ * a recursively enumerable set that is upward-closed w.r.t. the substring ordering ≤. The following three properties are equivalent.
(1) The finite set V min of minimal elements of V is effectively constructible.
(2) For every finite subset Proof. By Higman's Lemma [Hig52], the substring order ≤ is a wqo on Σ * and thus V min is finite. Therefore the equivalence of (1) and (2) follows from Theorem 6.2. Property (1) implies that V is an effectively constructible regular language, which implies property (3). Property (2) is equivalent to checking whether V ∩ X ↑ ≠ ∅ and X ↑ is effectively regular because X is finite. Therefore, (3) implies (2) and thus (1).
Another interpretation of Corollary 6.3 is the following. An upward-closed set of strings V is always regular, but this regular language is effectively constructible if and only if regular queries to V are decidable.
Note that Theorem 6.2 (and even Corollary 6.3, via an encoding of vectors into strings) imply Theorem 6.1.
6.2. The Abstract Phase Construction. We define some sufficient abstract conditions on infinite-state transition systems under which a general reachability/coverability problem is decidable. Intuitively, we have two different types of transition relations. The first relation is monotone (w.r.t. a given quasi-order) on the whole state space, while the second relation is only defined/enabled on an upward-closed subspace. The quasi-order is not a well quasi-order on the entire space, but only on the subspace. In particular, this is not a well-quasi-ordered transition system in the sense of [AČJT00,FS01], but more general.
We call the following algorithm the abstract phase construction, because we divide sequences of transitions into phases, separated by occurrences of transitions of the second kind.
Definition 6.4. We say that a structure (S, C, ≤, →, → A , → B , init, F ) satisfies the abstract phase construction requirements iff the following conditions hold. 1.: S is a (possibly infinite) set of states, C ⊆ S is a finite subset, init ∈ S is the initial state and F ⊆ S is a (possibly infinite) set of final states. 2.: ≤ is a decidable quasi-order on S. Moreover, ≤ is a well-quasi-order on the subset C ↑ (where C ↑ = {s ∈ S ∃c ∈ C. s ≥ c}).
) Note that in 7.a and 7.b the set Pre * → A (U ↑) is not necessarily constructible, because ≤ is not a well-quasi-order on S. Note also that F is not necessarily upward-closed.
In order to check condition (2), we first construct a sequence of minimal finite sets U k ⊆ C ↑ for k = 1, 2, . . . such that U k ↑ = {s ∈ S ∃j ∶ 1 ≤ j ≤ k. s(→ B → * A ) j F } and show that this sequence converges.
First we construct the minimal finite set U ′ 1 ⊆ C ↑ s.t. U ′ 1 ↑ = Pre * → A (F ) ∩ C ↑. This is possible by conditions 6.a and 6.b of Def. 6.4. Then we construct the minimal finite set . This is possible by conditions 5.a and 5.b of Def. 6.4. For k = 1, 2, . . . we repeat the following steps. • Given the finite set U k ⊆ C ↑, we construct the minimal finite set This is possible because of Theorem 6.2, which we instantiate as follows.
Let Ω = C ↑ and V = Pre * → A (U k ↑) ∩ C ↑. Using the conditions from Def. 6.4 we have the following: By condition 2, ≤ is a decidable well-quasi-order on C ↑. By condition 4, V = Pre * → A (U k ↑) ∩ C ↑ is upward-closed, since → A is monotone. By conditions 7.a and 2, V is decidable, and by condition 7.b the question X ↑ ∩ V ≠ ∅ is decidable. Thus, by Theorem 6.2, the finitely many minimal elements of V , i.e., the set U ′ k+1 , are effectively constructible.
. This is possible by conditions 5.a and 5.b of Def. 6.4.
Then let U k+1 be the finite set of minimal elements of U ′′ k+1 ∪ U k . The sequence U 1 ↑, U 2 ↑, . . . is a monotone-increasing sequence of upward-closed subsets of C ↑, where U k is the finite set of minimal elements of U k ↑. This sequence converges, because ≤ is a well-quasi-order on C ↑ by condition 2 of Def. 6.4. Therefore, we get U n ↑ = U n+1 ↑ for some finite index n. Since ≤ is only assumed to be a quasi-order (instead of an order) the finite sets of minimal elements U n and U n+1 representing U n ↑ and U n+1 ↑ are not necessarily the same. However, we can still check whether U n ↑ = U n+1 ↑, and thus detect convergence, because U n and U n+1 are finite and ≤ is decidable by condition 2 of Def. 6.4.
Finally, by Def. 6.4 (cond. 7.a) we can do the final check whether init ∈ Pre * → A (U n ↑) and thus decide condition (2).
In the following section we use Theorem 6.5 to solve the optimal cost problem for PTPN. However, it also has many other applications, when used with different instantiations.
Remark 1. Theorem 6.5 can be used to obtain a simple proof of decidability of the coverability problem for Petri nets with one inhibitor arc. Normal Petri net transitions are described by → A , while the inhibited transition is described by → B . (This uses the decidability of the normal Petri net reachability problem [May84] to prove conditions 7.a and 7.b).
A different instantiation could be used to show the decidability of the reachability problem for generalized classes of lossy FIFO-channel systems [AJ96,CFI96] where, e.g., an extra type of transition → B is only enabled when some particular channel is empty.

The Main Result
In this section we state the main results on the decidability and complexity of the costthreshold problem.
7.1. The Lower Bound. We show that the cost-threshold problem for PTPN is computationally at least as hard as two other known problems.
(1) The reachability problem for Petri nets with one inhibitor arc.
(2) The control-state reachability problem for timed Petri nets (TPN) without any cost model.
The first item establishes a connection between PTPN and Petri nets with one inhibitor arc. This is interesting in itself, but it only yields a relatively weak EXPSPACE lower bound (via the EXPSPACE lower bound for reachability in ordinary Petri nets [Lip76]). The second item shows that the problem is F ω ω ω -hard in the fast growing hierarchy, by using a recent result from [HSS12]. In particular this means that the cost-threshold problem for PTPN is non primitive recursive.
Definition 7.1. Petri nets with one inhibitor arc [Rei08,Bon11] are an extension of Petri nets. They contain a special inhibitor arc that prevents a certain transition from firing if a certain place is nonempty.
Formally, a Petri net with an inhibitor arc is described by a tuple N = Q, P, T, (p i , t i ) where (p i , t i ) describes a modified firing rule for transition t i : it can fire only if p i is empty.
• Q is a finite set of control-states • P is a finite set of places • T is a finite set of transitions. Every transition t ∈ T has the form t = (q 1 , q 2 , I, O) where q 1 , q 2 ∈ Q and I, O ∈ P ⊙ . Let (q, M ) ∈ Q × P ⊙ be a configuration of N .
The reachability problem for Petri nets with one inhibitor arc is decidable [Rei08,Bon11]. Now we describe a polynomial time reduction from the reachability problem for Petri nets with one inhibitor arc to the cost-threshold problem for PTPN.
Lemma 7.2. Let Q, P, T, (p i , t i ) be a Petri net with one inhibitor arc with initial configuration (q init , []) and final configuration (q fin , []).
One can construct in polynomial time a PTPN (Q ′ , P ′ , T ′ , Cost ) with initial configuration c init = (q init , []) and set of final configurations Proof. Let Q, P, T, (p i , t i ) be a Petri net with one inhibitor arc with initial configuration (q init , []) and final configuration (q fin , []). We construct in polynomial time a PTPN (Q ′ , P ′ , T ′ , Cost ) with initial configuration c init = (q init , []) and set of final configurations We define Cost(p) = 1 for every p ∈ P , Cost(p) = 0 for p ∈ P ′ − P , and Cost(t ′ ) = 0 for t ′ ∈ T ′ . In order to define the transitions, we need a function that transforms multisets of places into multisets over P × Intrv by annotating them with time intervals. Let I.e., the age of the input tokens from p i must be zero and for the other input places the age does not matter. The transitions always output tokens of age zero. Instead of t i = (q i 1 , q i 2 , I i , O i ) ∈ T with the inhibitor arc (p i , t i ), we have the following transitions in T ′ : ). This simulates t i in two steps while enforcing an arbitrarily small, but nonzero, delay. This is because the token on place p 1 wait needs to age from age zero to an age > 0. If p i is empty then this yields a faithful simulation of a step of the Petri net with one inhibitor arc. Otherwise, the tokens on p i will age to a nonzero age and can never be consumed in the future. I.e., a token with nonzero age on p i will always stay there and indicate an unfaithful simulation.
To reach the set of final configurations C fin , we add the following two transitions: . This enforces a delay of exactly one time unit at the end of the computation, i.e., just before reaching C fin .
If On the other hand, if OptCost c init , C fin = inf{Cost (π) c init π → C fin } = 0 then the last step from q fin to q ′ fin must have taken place with no tokens on places in P . In particular, p i must have been empty. Therefore, the PTPN did a faithful simulation of a computation Lemma 7.2 implies that even a special case of the cost-threshold problem for PTPN, namely the question OptCost c init , C fin = 0, is at least as hard as the reachability problem for Petri nets with one inhibitor arc. The exact complexity of this problem is not known, but it is at least as hard as reachability in standard Petri nets (without any inhibitor arc). The exact complexity of the reachability problem for standard Petri nets is not known either, but an EXPSPACE lower bound has been shown in [Lip76].
The connection between the cost-threshold problem for PTPN and the control-state reachability problem for TPN is very easy to show. Proof. We construct the PTPN by extending the TPN with a cost function that assigns cost zero to all transitions and places. We define c init to be the initial configuration of the TPN and the set C fin by the target control-state of the TPN. If the target control-state is reachable in the TPN then OptCost c init , C fin = 0 in the PTPN, otherwise OptCost c init , C fin is undefined.
It has been shown in [HSS12] (Corollary 6.) that the control-state reachability problem for timed Petri nets (TPN) is F ω ω ω -hard in the fast growing hierarchy. By Lemma 7.3, we obtain the following theorem.
Theorem 7.4. The cost-threshold problem for PTPN is F ω ω ω -hard in the fast growing hierarchy, and thus non primitive recursive.

The Upper Bound.
Here we state the main computability result of the paper. Its proof refers to several auxiliary lemmas that will be shown in the following sections. Then OptCost c init , C fin is computable.
To compute this value, it suffices to solve the cost-threshold problem for any given threshold v ∈ N, i.e., to decide if aptpn(c init ) π → aptpn(C fin ) for some π with Cost (π) ≤ v.
To show this, we first decide if aptpn(c init ) π → aptpn(C fin ) for any π (i.e., reachability). This can be reduced to the cost-threshold problem by setting all place and transition costs to zero and solving the cost-threshold problem for v = 0. If no, then no final state is reachable and we represent this by inf{Cost (π) c init π → C fin } = ∞. If yes, then we can find the optimal cost v by solving the cost-threshold problem for threshold v = 0, 1, 2, 3, . . . until the answer is yes. Now we show how to solve the cost-threshold problem. By Lemma 5.1, this question is equivalent to a reachability problem ac v (aptpn(c init )) * → ⋃ 0≤y≤v ac y (aptpn(C fin )) in the corresponding AC-PTPN. This reachability problem is decidable by Lemma 7.8. Now we prove the remaining Lemma 7.8. For this we need some auxiliary definitions. ( (Intuitively, γ is obtained from β by adding tokens on free-places, while the tokens on costplaces are unchanged.) In this case, )) then we write α⊕β = γ. (Note that α is not uniquely defined, because it depends on the choice of the function f . However one such α always exists and only contains tokens on P f .) The partial order ≤ c on configurations of AC-PTPN is defined analogously with P c instead of P f , i.e., γ is obtained from β by adding tokens on cost-places.
The partial order ≤ f c on configurations of AC-PTPN is defined analogously with P instead of P f , i.e., γ is obtained from β by adding tokens on any places, and ≤ f c =≤ c ∪ ≤ f .
Lemma 7.7. The relations of Def. 7.6 have the following properties.
(1) ≤ f , ≤ c and ≤ f c are decidable quasi-orders on the set of all AC-PTPN configurations.
(3) ≤ f c is a well-quasi-order on the set of all AC-PTPN configurations.
Moreover, ≤ f , ≤ c and ≤ f c are quasi-orders in the set of all AC-PTPN configurations. Reflexivity holds trivially, and transitivity can easily be shown by composing the respective functions f .
(2) Now we show that ≤ f is a well-quasi-order on the set {c} ↑ = {s c ≤ f s} for every AC-PTPN configuration c. Consider an infinite sequence β 0 , β 1 , .
Lemma 7.8. Given an instance of the PTPN cost problem and a threshold v ∈ N, the reachability question ac v (aptpn(c init )) * → ⋃ 0≤y≤v ac y (aptpn(C fin )) in the corresponding AC-PTPN is decidable.
Proof. We instantiate a structure (S, C, ≤, →, → A , → B , init , F ), show that it satisfies the requirements of Def. 6.4, and then apply Theorem 6.5. Let S be the set of all AC-PTPN configurations of the form ((q, y) Let C be the set of all AC-PTPN configurations of the form ((q, y) In other words, the configurations in C only contain tokens on cost-places and the size of these configurations is limited by v. C is finite, because P c , cmax and v are finite.
Let ≤∶=≤ f of Def. 7.6, i.e., in this proof ↑ denotes the upward-closure w.r.t. ≤ f . By Lemma 7.7, ≤ is decidable, ≤ is a quasi-order on S, and ≤ is a well-quasi-order on {c} ↑ for every AC-PTPN configuration c. Therefore ≤ f is a well-quasi-order on C ↑, because C is finite.
Let → A be the transition relation induced by the discrete AC-PTPN transitions and the abstract timed AC-PTPN transitions of types 1 and 2. These are monotone w.r.t. ≤ f . Thus condition 4 of Def. 6.4 is satisfied.
Let → B be the transition relation induced by abstract timed AC-PTPN transitions of types 3 and 4. These are monotone w.r.t. ≤ f , but only enabled in C ↑, because otherwise the cost would be too high. (Remember that every AC-PTPN configuration stores the remaining allowed cost, which must be non-negative.) Moreover, timed AC-PTPN transitions of types 3 and 4 do not change the number or type of the tokens in a configuration, and thus → B ⊆ C ↑ × C ↑. So we have condition 5.a of Def. 6.4. Condition 5.b is satisfied, because there are only finitely many token ages ≤ cmax and the number and type of tokens is unchanged.
Condition 3 is satisfied, because →=→ A ∪ → B by the definition of AC-PTPN. Now we show the conditions 6.a and 6.b. F is upward-closed w.r.t. ≤ f c and → A is monotone w.r.t. ≤ f c (not only w.r.t ≤ f ). By Lemma 7.7, ≤ f c is a decidable wqo on the set of AC-PTPN configurations. Therefore, Pre * → A (F ) is upward-closed w.r.t. ≤ f c and effectively constructible (i.e., its finitely many minimal elements w.r.t. ≤ f c ), because the sequence Pre ≤i → A (F ) for i = 1, 2, . . . converges. Let K be this finite set of minimal (w.r.t. ≤ f c ) elements of Pre * → A (F ). We obtain condition 6.a., because K is finite and ≤ f c is decidable. Moreover, Pre * → A (F ) is also upward-closed w.r.t. ≤ f . The set C is a finite set of AC-PTPN configurations and C ↑ is the upward-closure of C w.r.t. ≤ f . Therefore Pre * → A (F ) ∩ C ↑ is upward closed w.r.t. ≤ f . Now we show how to construct the finitely many minimal (w.r.t. ≤ f ) elements of Pre * → A (F ) ∩ C ↑. For every k ∈ K let α(k) ∶= {k ′ k ′ ∈ C ↑, k ≤ c k ′ }, i.e., those configurations which have the right control-state for C ↑, but whose number of tokens on cost-places is bounded by v, and who are larger (w.r.t. ≤ c ) than some base element in K. In particular, α(k) is finite and constructible, because v is finite, and ≤ c and ≤ f are decidable. Note that α(k) can be empty (if k has the wrong control-state or too many tokens on cost-places). Let K ′ ∶= ⋃ k∈K α(k), which is finite and constructible. We show that Pre * → A (F ) ∩ C ↑ = K ′ ↑. Consider the first inclusion.
Therefore k ≤ f c x and x ∈ Pre * → A (F ). Also k ′ ∈ C ↑ and k ′ ≤ f x and thus x ∈ C ↑. Now we consider the other inclusion. If Moreover, the number of tokens on cost-places in x is bounded by v and the control-state is of the form required by C ↑, because x ∈ C ↑. Since, k ≤ f c x, the same holds for k and thus there is some k ′ ∈ α(k) s.t. k ′ ≤ f x. Therefore x ∈ K ′ ↑. To summarize, K ′ is the finite set of minimal (w.r.t. ≤ f ) elements of Pre * → A (F ) ∩ C ↑ and thus condition 6.b holds. Conditions 7.a and 7.b are satisfied by Lemma 9.3, (which will be proven in Section 9). So we have that our instantiation satisfies the abstract phase construction requirements of Def. 6.4. Therefore, Theorem 6.5 yields the decidability of the reachability problem init → * F , i.e., ac v (aptpn(c init )) * → ⋃ 0≤y≤v ac y (aptpn(C fin )).
The remaining Lemma 9.3 will be shown in Section 9. Its proof uses the simultaneousdisjoint transfer nets of Section 8.
• Q is a finite set of control-states • P is a finite set of places • T is a finite set of ordinary transitions. Every transition t ∈ T has the form t = (q 1 , q 2 , I, O) where q 1 , q 2 ∈ Q and I, O ∈ P ⊙ .
The restrictions above ensure that these cases are disjoint. Note that after firing a transfer transition all source places of transfers are empty, since, by the restrictions defined above, a place that is a source of a transfer can neither be the target of another transfer, nor receive any tokens from the output of this transfer transition.
Theorem 8.2. The reachability problem for SD-TN is decidable, and has the same complexity as the reachability problem for Petri nets with one inhibitor arc.
Proof. We show that the reachability problem for SD-TN is polynomial-time reducible to the reachability problem for Petri nets with one inhibitor arc (see Def. 7.1), and vice-versa. For the first direction consider an SD-TN N = (Q, P, T, Trans ), with initial configuration (q 0 , M 0 ) and final configuration (q f , M f ). We construct a Petri net with one inhibitor arc To simulate a transfer transition (q 1 , q 2 , I, O, ST ) ∈ Trans, we add another control-state q i to Q ′ , another place p(q 2 ) to P ′ and a transition (q 1 , q i , I ′ , O ′ + {p(q 2 )}) to T ′ , where I ′ , O ′ are derived from I, O as above. Moreover, for every pair (sr, tg) ∈ ST we add a transition (q i , q i , {sr, p i }, {tg}). This allows to simulate the transfer by moving the tokens from the source to the target step-by-step. The transfer is complete when all source places are empty, i.e., when p i is empty. Finally, we add a transition t i = (q i , q 2 , {p(q 2 )}, {}) and let the inhibitor arc be (p i , t i ). I.e., we can only return to q 2 when p i is empty and the transfer is complete. We return to the correct control-state q 2 for this transition, because the last step is only enabled if there is a token on p(q 2 ). So for all places p ∈ P and M ′ 0 (p(q)) = M ′ f (p(q)) = 0. Note that, by definition of SD-TN, source-places and target-places of transfers are disjoint. Therefore, the condition on the inhibitor arc enforces that all transfers are done completely (i.e., until p i is empty, and thus all places in S are empty) and therefore the simulation is faithful. Thus we obtain Since the reachability problem for Petri nets with one inhibitor arc is decidable [Rei08,Bon11], we obtain the decidability of the reachability problem for SD-TN. Now we show the reverse reduction. Consider a Petri net with one inhibitor arc N = Q, P, T, (p i , t i ) with initial configuration (q 0 , M 0 ) and final configuration (q f , M f ). We construct an SD-TN N ′ = (Q ′ , P ′ , T ′ , Trans ) with initial configuration (q ′ 0 , M ′ 0 ) and final Unlike in N , in N ′ the inhibited transition can fire even if p i is nonempty. However, in this case the contents of p i are moved to p x where they stay forever. I.e., we can detect an unfaithful simulation by the fact that p x is nonempty.
as required. Therefore, the reachability problem for SD-TN is polynomially equally hard as the reachability problem for Petri nets with one inhibitor arc.
The following corollary shows decidability of a slightly generalized reachability problem for SD-TN, which we will need in the proofs of the following sections.
Corollary 8.3. Let N be an SD-TN and F a set of SD-TN configurations, which is defined by a boolean combination of finitely many constraints of the following forms.
(1) control-state = q (for some state q ∈ Q) (2) exactly k tokens on place p (where k ∈ N) (3) at least k tokens on place p (where k ∈ N) Then the generalized reachability problem (q 0 , M 0 ) * → F is decidable.
Proof. First, the boolean formula can be transformed into disjunctive normal form and solved separately for each clause. Every clause is a conjunction of constraints of the types above. This problem can then be reduced to the basic reachability problem for a modified SD-TN N ′ and then solved by Theorem 8.2. One introduces a new final control-state q ′ and adds a construction that allows the transition from F to (q ′ , {}) if and only if the constraints are satisfied. For type (2) one adds a transition that consumes exactly k tokens from place p. For type (3) one adds a transition that consumes exactly k tokens from place p, followed by a loop which can consume arbitrarily many tokens from place p. We obtain Decidability follows from Theorem 8.2.

Encoding AC-PTPN Computations by SD-TN
In this section, we fix an AC-PTPN N , described by the tuple (Q, P, T, Cost ) and the costthreshold v. We use the partial order ≤∶=≤ f on AC-PTPN configurations; see Def. 7.6. We describe an encoding of the configurations of N as words over an alphabet Σ. We define Σ ∶= (P × [cmax + 1]) ∪ (Q × {y 0 ≤ y ≤ v}) ∪ {#, $}, i.e., the members of Σ are elements of P × [cmax + 1], the control-states of N , and the two "separator" symbols # and $. For a multiset b = [a 1 , . . . , a n ] ∈ (P × [cmax + 1]) ⊙ , we define the encoding enc (b) to be the word a 1 ⋯a n ∈ (P × [cmax + 1]) * . For a word w = b 1 ⋯b n ∈ (P × [cmax + 1]) ⊙ * , we define enc (w) ∶= enc (b n ) #⋯#enc (b 1 ), i.e., it consists of the reverse concatenation of the encodings of the individual multisets, separated by #. For a marking M = (w 1 , b, w 2 ), we define enc (M ) ∶= enc (w 2 ) $enc (b) $enc (w 1 ). In other words, we concatenate the encoding of the components in reverse order: first w 2 then b and finally w 1 , separated by $. Finally for a configuration c = ((q, y) , M ), we define enc (c) ∶= (q, y) enc (M ), i.e., we append the pair (q, y) in front of the encoding of M . The function enc () is extended from configurations to sets of configurations in the standard way. We call a finite automaton A over Σ a configuration-automaton if whenever w ∈ L(A) then w = enc(c) for some AC-PTPN configuration c. Proof. For every c ∈ C we construct an automaton A c s.t. L(A c ) = enc ({c} ↑). Remember that here the upward-closure is taken w.
, only tokens on free-places can be added in the upward-closure. Let L 1 = (Σ + 1 #) * . The language L 1 describes encodings of sets of tokens on free-places. Many such sets of tokens can be added during the upward closure w.r.t. ≤ f . Let Proof. Let Σ 1 = {(q, y) q ∈ Q, 0 ≤ y ≤ v} and Σ 2 = P × [cmax + 1]. Let L 1 = Σ * 2 and L 2 = L 1 (#Σ + 2 ) * and L 3 = L 2 $L 1 $L 2 . Then the language of A is Σ 1 L 3 , which is a regular language over Σ. , and we obtain that L(A 4 ) = enc X ↑ ∩ C ↑ . Note that the complement operation on words is not the same as the complement operation on the set of AC-PTPN configurations. Thus the need for intersection with A 3 . The question ∃z ∈ (X ↑ ∩ C ↑). z → * A U ↑ of 7.b can be decided by applying Lemma 9.4 to A 4 and U .
Lemma 9.4. Given a configuration-automaton A, C as in Lemma 7.8, and a finite set U ⊆ C ↑, it is decidable if there exists some AC-PTPN configuration c init ∈ enc −1 (L(A)) s.t. c init → * A U ↑. Proof. The idea is to translate the AC-PTPN into an SD-TN which simulates its computation. The automaton A is also encoded into the SD-TN and runs in parallel. A outputs an encoding of c init , a nondeterministically chosen initial AC-PTPN configuration from L(A). Since the SD-TN cannot encode sequences, it cannot store the order information in the sequences which are AC-PTPN configurations. Instead this is encoded into the behavior of A, which outputs parts of the configuration c init 'just-in-time' before they are used in the computation (with exceptions; see below). Several abstractions are used to unify groups of tokens with different fractional parts, whenever the PTPN is unable to distinguish them. AC-PTPN timed transitions of types 1 and 2 are encoded as SD-TN transfer transitions, e.g., all tokens with integer age advance to an age with a small fractional part. Since this operation must affect all tokens, it cannot be done by ordinary Petri net transitions, but requires the simultaneous-disjoint transfer of SD-TN. Another complication is that the computation of the AC-PTPN might use tokens (with high fractional part) from c init , which the automaton A has not yet produced. This is handled by encoding a 'debt' on future outputs of A in special SD-TN places. These debts can later be 'paid back' by outputs of A (but not by tokens created during the computation). At the end, the computation must reach an encoding of a configuration in U ↑ and all debts must be paid. This yields a reduction to a reachability problem for the constructed SD-TN, which is decidable by Theorem 8.2.
We devote the rest of the section to give the details of the proof. We show the lemma for the case where U is a singleton c fin . The result follows from the fact that U is finite and that U ↑ = ∪ c∈U c↑. We will define an SD-TN T = Q T , P T , T T , Trans T , a finite set C T init of (initial) configurations, and a finite set of (fi- The result then follows immediately from Theorem 8.2 (and Corollary 8.3). Let c fin = q fin , y fin , M fin where M fin is of the form (b −m ⋯b −1 , b 0 , b 1 ⋯b n ) and b i is of the form ((p i1 , k i1 ) , . . . , (p in i , k in i )) for i ∶ −m ≤ i ≤ n. Let the finite-state automaton A be of the form Q A , T A , q A 0 , F A where Q A is the set of states, T A is the transition relation, q A 0 is the initial state, and F A is the set of final states. A transition in T A is of the form (q 1 , a, q 2 ) where q 1 , q 2 ∈ Q A and a ∈ (P × [cmax We write q 1 a → q 2 to denote that (q 1 , a, q 2 ) ∈ T A . During the operation of T , we will run the automaton A "in parallel" with N . During the course of the simulation, the automaton A will generate the encoding of a configuration c init . We know that such an encoding consists of a control-state (q init , y init ) followed by the encoding of a marking M init , say of the form (c −m ′ ⋯c −1 , c 0 , c 1 ⋯c n ′ ). Notice that A may output the encoding of any marking in its language, and therefore the values of m ′ and n ′ are not a priori known.
To simplify the presentation, we introduce a number of conventions for the description of T . First we define a set X of variables (defined below), where each variable x ∈ X ranges over a finite domain dom (x). A control-state q then is a mapping that assigns, to each variable x ∈ X, a value in dom (x), i.e., q(x) ∈ dom (x). Consider a state q, variables x 1 , . . . , In the constructions we will define a set Θ of transition generators and define Below we will define the components Q T , P T , T T , and Trans T in the definition of T , together with the set C T init and configuration c T final . The set Q T is, as mentioned above, defined in terms of a set X of variables. The set X contains the following elements: • Mode indicates the mode of the simulation. More precisely, a computation of T will consist of three phases, namely an initialization, a simulation, and a final phase. Each phase is divided into a number of sub-phases referred to as modes. • A variable NState, with dom (NState) = Q, that stores the current control-state q N .
• A variable AState, with dom (AState) = Q A , that stores the current state of A. • A variable FState (i, j) with dom (FState (i, j)) = {true, false}, for each i ∶ −m ≤ i ≤ n and 1 ≤ j ≤ n i . During the simulation phase, the systems tries to cover all the tokens in the multisets of M fin . Intuitively, FState (i, j) is a flag that indicates whether the token (p i,j , k i,j ) has been covered.
• A variable CoverFlag that has one of the values on or off. The covering of tokens in M fin occurs only during certain phases of the simulation. This is controlled by the value of the variable CoverFlag. • A variable CoverIndex with −m ≤ CoverIndex ≤ n gives the next multiset whose tokens are to be covered. • For each p ∈ P and k ∶ 0 ≤ k ≤ cmax + 1, we have a variable RDebt (p, k), whose use and domain are explained below. During the simulation, we will need to use tokens that have still not been generated by A. To account for these tokens, we will implement a "debt scheme" in which tokens are used first, and then "paid back" by tokens that are later generated by A. The variable RDebt (p, k) keeps track of the number of tokens (p, k) that have been used on read arcs (the debt on tokens consumed in input operations are managed through specific places described later.) For a place p and a transition t, let Rmax (p, t) be the number of read arcs between p and t. Define Rmax ∶= max p∈P,t∈T Rmax (p, t). Then, dom (RDebt (p, k)) = {0, . . . , Rmax }. The definition of the domain reflects the fact the largest amount of debt that we will generate due to tokens raveling through read arcs is bounded by Rmax .
The set P T contains the following places: • For each p ∈ P and k ∶ 0 ≤ k ≤ cmax + 1, the set P T contains the place ZeroPlace (p, k).
The number of tokens in ZeroPlace (p, k) ∈ P T reflects (although it may be not exactly equal to) the number of tokens in p ∈ P whose ages have zero fractional parts. • For each p ∈ P and k ∶ 0 ≤ k ≤ cmax + 1, the set P T contains the places LowPlace (p, k) and HighPlace (p, k). These places play the same roles as above for tokens with ages that have low (close to 0) resp. high (close to 1) fractional parts. • For each p ∈ P and 0 ≤ k ≤ cmax + 1, the set P T contains the place InputDebt (p, k). The place represents the amount of debt due to tokens (p, k) traveling through input arcs.
There is a priori no bound on the amount of debt on such tokens. Hence, this amount is stored in places (rather than in variables as is the case for read tokens.) The Set C T init contains all configurations q T init , M T init satisfying the following conditions: The automaton A is simulated starting from its initial state q A 0 . • q T init (FState (i, j)) = false for all i ∶ −m ≤ i ≤ n and 1 ≤ j ≤ n i . Initially we have not covered any tokens in M fin . • q T init (RDebt (p, k)) = 0 for all p ∈ P and k ∶ 0 ≤ k ≤ cmax + 1. Initially, we do not have any debts due to read tokens. • M T init (p) = 0 for all places p ∈ P T . Initially, all the places of T are empty. Notice that the variables CoverFlag and CoverIndex are not restricted so CoverFlag may be on or off and CoverIndex may have any value −m ≤ CoverIndex ≤ n. Although NState is not restricted either, its value will be defined in the first step of the simulation (see below.) Next, we explain how T works. In doing that, we also introduce all the members of the set T T .
Initialization In the initialization phase the SD-TN T reads the initial control-state and then fills in the places according to M init . From the definition of the encoding of a configuration, we know that the automaton A outputs a pair (q, y) in its first transition. The first move of T is to store this pair in its control-state. Thus, for each transition q 1 (q,y) → q 2 in A where q ∈ Q and 1 ≤ y ≤ y init , the set Θ contains θ where: In other words, once T has input the initial control-state, it enters a new mode InitLow.
In mode InitLow, we read the multisets c 1 ⋯c m that represent tokens with low fractional parts. The system starts running A one step at a time, generating the elements of c m (that are provided by A.) When it has finished generating all the tokens in c m , it moves to the next multiset, generating the multisets one by one in the reverse order finishing with c 1 . We distinguish between two types of such tokens depending on how they will be used in the construction. More precisely, such a token is either consumed when firing transitions during the simulation phase or used for covering the multisets in M fin . A token (of the form (p, k)), used for consumption, is put in a place LowPlace (p, k). Recall that the relation → A in N is insensitive to the order of the fractional parts that are small (fractional parts of the tokens in c 1 , . . . , c n ′ .) Therefore, tokens in c 1 , . . . , c n ′ that have identical places p and identical integer parts k will all be put in the same place LowPlace (p, k). Formally, for each transition q 1 (p,k) → q 2 in A, the set Θ contains θ where: Each time a new multiset c j is read from A, the system decides whether it may be (partially) used for covering the next multiset b i in M fin . This decision is made by checking the value of the component CoverFlag. if CoverFlag = off then the tokens are only used for consumption during the simulation phase. However, if CoverFlag = on then the tokens generated by A can also be used to cover those in M fin . The multiset currently covered is given by the value of the component CoverIndex. More precisely, if CoverIndex = i for some i ∶ 1 ≤ i ≤ n then (part of) the multiset c j that is currently being generated by A (j ∶ 1 ≤ j ≤ n ′ ) may be used to cover (part of) the multiset b i . At this stage, we only cover tokens with low fractional parts (those in the multisets b 1 , . . . , b n .) When using tokens for covering, the order on the fractional parts of tokens is relevant. The construction takes into consideration different aspects of this order as follows: • According to the definition of the ordering ≤ f , the tokens in a given multiset c j may only be used to cover those in one and the same multiset (say b i .) This also agrees with the observation that the tokens represented in c j correspond to tokens in the original TPN that have identical fractional parts (the same applies to b i .) In fact, if this was not case, then we would be using tokens with identical fractional parts (in c j ) to cover tokens with different fractional parts. Analogously, the multiset b i can be covered only by the elements of one multiset c j .
• If i ′ < i then the fractional parts of the tokens represented by b i ′ are smaller than those represented by b i . The same applies to c j ′ and c j if j ′ < j. Therefore, if c j is used to cover b i and j ′ < j then c j ′ should be used to cover b i ′ for some i ′ < i. Furthermore, a multiset c j is not necessarily used to cover any multiset, i.e., all the tokens represented by c j may be used for consumption during the simulation (none of them being used for covering.) Similarly, it can be the case that a given b i is not covered by any multiset c j (all its tokens are covered by tokens that are generated during the simulation.) Also, a multiset c j may only be partially used to cover b i , i.e., some of its tokens may be used for covering b i while some are consumed during the simulation. Finally, b i may only be partially covered by c j , i.e., some of its tokens are covered by c j while the rest of tokens are covered by tokens generated during the simulation.
Formally, for each q 1 The transition sets the flag FState (i, j) to true indicating that the token has now been covered. A transition q 1 # → q 2 in A indicates that we have finished generating the elements of the current multiset c j . If CoverFlag = on then we have also finished covering tokens in the multiset b i . Therefore, we decide the next multiset i ′ < i in which which to cover tokens. Recall that not all multisets have to be covered and hence i ′ need not be equal to i − 1 (in fact the multisets b i ′′ for i ′ < i ′′ < i will not be covered by the multisets in M init .) We also decide whether to use b init j−1 to cover b i ′ or not. In the former case, we set CoverFlag to on, while in the latter case we set CoverFlag equal to off. Also, if CoverFlag = off then we decide whether to use c j−1 for covering b i or not. We cover these four possibilities by adding the following transition generators to Θ.
(i) For each transition q 1 # → q 2 in A, i ∶ 1 ≤ i ≤ n, and i ′ ∶ −m ≤ i ′ < i, we add θ where: This is the case where CoverFlag is on and continues to be on. Notice that no covering takes place if CoverIndex ≤ 0, and that the new value of CoverIndex is made strictly smaller than the current one.
(ii) For each transition q 1 # → q 2 in A, and each i, i ′ ∶ 1 ≤ i ′ < i ≤ n, we add θ where: This is the case where CoverFlag is on but it is turned off for the next step.
(iii) For each transition q 1 # → q 2 in A, we add θ where: This is the case where CoverFlag is off and continues to be off.
(iv) For each transition q 1 # → q 2 in A, we add θ where: This is the case where CoverFlag is off but it is turned on for the next step. The process of generating tokens with low fractional parts continues until we encounter a transition of the form q 1 $ → q 2 in A. According to the encoding of markings, this indicates that we have finished generating the elements of the multisets c 1 , . . . , c n . Therefore, we change mode from InitLow to InitZero (where we scan the multiset b 0 .) We have also to consider changing the variables CoverFlag and CoverIndex in the same way as above. Therefore, we add the following transition generators: (ii) For each transition q 1 $ → q 2 in A, i ∶ 1 ≤ i ≤ n, and i ′ ∶ −m ≤ i ′ < i, we add θ where: (iii) For each transition q 1 $ → q 2 in A, we add θ where: (iv) For each transition q 1 $ → q 2 in A, we add θ where: In InitZero the places are filled according to c 0 . The construction is similar to the previous mode. The only differences are that the tokens to be consumed will be put in places ZeroPlace (p, k) and that no tokens are covered in M fin .
For each transition q 1 (p,k) → q 2 in A, the set Θ contains θ where: Since the tokens are not used at this stage for covering the multisets of M fin , no transition generators are added for that purpose. Also, in contrast to tokens belonging to c 0 , . . . , c n ′ we cannot generate tokens belonging to c −m ′ , . . . , c −1 during the initialization phase. The reason is that, in the former case, we only need to keep track of the order of multisets whose tokens are used for covering (the ordering of the fractional parts in tokens used for consumption is not relevant.) Since the number n is given a priori in the construction (the marking M fin is a parameter of the problem), we need only to keep track of tokens belonging to at most n different multisets. This does not hold in the case of the latter tokens, since the order of the multisets to which the tokens belong is relevant also in the case of tokens that will be consumed. Since m ′ is not a priori bounded, we postpone the generation of these tokens to the simulation phase, where we generate these tokens from A "on demand": each time we perform a timed transition, we allow the HighPlace (p, k) tokens with the highest fractional part to be generated. This construction is made more precise in the description of the simulation phase.
The mode InitZero is concluded when we the next transition of A is labeled with $. This means that we have finished inputting the last multiset b 0 . We now move on to the simulation phase.
For each transition of the form q 1 $ → q 2 in A, we add θ to Θ where: Simulation. The simulation phase consists of simulating a sequence of transitions, each of which is either discrete, of type 1, or of type 2. Each type 2 transition is preceded by at least one type 1 transition. Therefore, from Sim we next perform a discrete or a type 1 transition. The (non-deterministic) choice is made using the transition generators θ 1 and θ 2 where: Discrete Transitions. A discrete transition t = (q 1 , q 2 , In, Read , Out) in N is simulated by a set of transitions in T . In defining this set, we take into consideration several aspects of the simulation procedure as follows: • Basically, an interval I on an arc leading from an input place p ∈ In to t induces a set of transitions in T T ; namely transitions where there are arcs from places ZeroPlace (p, k) with k ∈ I, and from places LowPlace (p, k) and HighPlace (p, k) with (k +ǫ) ∈ I for some ǫ ∶ 0 < ǫ < 1. An analogous construction is made for output and read places of t. Since a read arc does not remove the token from the place, there is both an input arc and output arc to the corresponding transition in T .
• We recall that the tokens belonging to c −m ′ , . . . , c −1 are not generated during the initial phase, and that these tokens are gradually introduced during the simulation phase. Therefore, a transition may need to be fired before the required HighPlace (p, k)-tokens have been produced by A. Such tokens are needed for performing both input and read operations. In order to cover for tokens that are needed for input arcs, we use the set of places InputDebt (p, k) for p ∈ P and 0 ≤ k ≤ cmax + 1. Then, consuming a token from a place HighPlace (p, k) may be replaced by putting a token in InputDebt (p, k). The "debt" can be paid back using tokens that are later generated by A. When T terminates, we require all the debt places to be empty (all the debt has been paid back.) Also, we need an analogous (but different) scheme for the read arcs. The difference is due to the fact that the same token may be read several times (without being consumed.) Hence, once the debt has been introduced by the first read operation, it will not be increased by the subsequent read operations. Furthermore, several read operations may be covered by a (single) input operation (a token in a place may be read several times before it is finally consumed through an input operations.) To implement this, we use the variables RDebt (p, k). Each time a number r of tokens (p, k) are "borrowed" for a read operation, we increase the value of RDebt (p, k) to r (unless it already has a higher value.) Furthermore, each debt taken on a token (p, k) in an input operation subsumes a debt performed on the same token (p, k) in a read operation. Therefore, the value of an old read debt is decreased by the amount of the input debt taken during the current transition. In a similar manner to input debts, the read debt is later paid back. When T terminates, we require all RDebt (p, k) variables to be equal to 0 (all the read debts have been paid back.) • The transition also changes the control-state of N .
To formally define the set of transitions in T induced by discrete transitions, we use a number of definitions. We define x • − y ∶= max(y − x, 0). For k ∈ N and an interval I, we write k ⊫ I to denote that (k + ǫ) ∈ I for some (equivalently all) ǫ ∶ 0 < ǫ < 1. During the simulation phase, there are two mechanisms for simulating the effect of a token traveling through an (input, read, or output) arc in N , namely, (i) by letting a token travel from (or to) a corresponding place; and (ii) by "taking debt". Therefore, we define a number of "transformers" that translate tokens in N to corresponding ones in T as follows: • ZeroPlaceTransf (p, I) ∶= {ZeroPlace (p, k) (0 ≤ k ≤ cmax + 1) ∧ (k ∈ I)}. The N -token is simulated by a T -token in a place that represent tokens with zero fractional parts.
is simulated by a T -token in a place that represent tokens with low fractional parts. Notice that we use the relation ⊫ since the fractional part of the token is not zero.
ken is simulated by a T -token in a place that represent tokens with high fractional parts.
is simulated by taking debt on an input token.
is simulated by taking debt on a read token. We extend the transformers to multisets, so for a multiset b = [(p 1 , I 1 ) , . . . , (p ℓ , I ℓ )], let We extend the other definitions to multisets analogously. An RDebt-mapping α is a function that maps each RDebt (p, k) to a value in {0, . . . , Rmax }. In other words, the function describes the state of the debt on read tokens. Now, we are ready to define the transitions in T that are induced by discrete transitions in N . Each such a transition is induced by a number of objects, namely: • A transition t = (q 1 , q 2 , In, Read , Out) ∈ T . This is the transition in N that is to be simulated in T . • The current remaining cost y ∶ Cost (t) ≤ y ≤ y init . The remaining cost has to be at least as large as the cost of the transition to be fired. • An RDebt-mapping α describing the current debt on read tokens.
• Multisets In Zero , In Low , In High , In Debt where In = In Zero + In Low + In High + In Debt .
Intuitively, the tokens traveling through arcs of t are covered by four types of tokens: − In Zero : N -tokens that will be transformed into T -tokens in places encoding ages with zero fractions parts. − In Low : N -tokens that will be transformed into T -tokens in places encoding ages with low fractions parts. − In High : N -tokens that will be transformed into T -tokens in places encoding ages with high fractions parts. − In Debt : N -tokens that will be covered by taking debt.
The roles of these multisets are similar to the above.
• Multisets Out Zero , Out Low , Out High where Out = Out Zero + Out Low + Out High .
The roles of the multisets Out Zero , Out Low , Out High are similar to their counter-parts above. For each such collection of objects (i.e., for each t, 0≤ y ≤ y init , α, In Zero , In Low , In High , In Debt , Read Zero , Read Low , Read High , Read Debt , Out Zero , Out Low , Out High ), we add the transition generator θ where: • PreCond (θ) = {Mode = Disc, NState = (q 1 , y)} ∪ α, i.e., the current mode is Disc, the current state of N is (q 1 , y), and the current debt on read tokens is given by α.
In other words, we change the mode back to Sim, and change the control-state of N to (q 2 , y − Cost (t)). The new read debts are defined as follows: We reduce the current debt α using the new debt on input tokens In Debt ′ , then we update the amount again using the new debt Read Debt ′ .
The multisets In Zero , In Low , In High represent tokens that will be consumed due to input arcs. These tokens are distributed among places according to whether their fractional parts are zero, low, or high. A similar reasoning holds for the multisets Read Zero , Read Low , Read High .
The read multisets are defined as in the previous item. The multisets Out Zero , Out Low , and Out High play the same roles as their input and read counterparts. The multiset Out Debt ′ represents the increase in the debt on read tokens.
Transitions of Type 1. The simulation of a type 1 transition is started when the mode is Type1.1. We recall that a type 1 transition encodes that time passes so that all tokens of integer age in b 0 will now have a positive fractional part, but no tokens reach an integer age. This phase is performed in two steps. First, in Type1.1 (that is repeated an arbitrary number of times), some of these tokens are used for covering the multisets of M fin in a similar manner to the previous phases. In the second step we change mode to Type1.2, at the same time switching on or off the component CoverFlag in a similar manner to the initialization phase. In Type1.2, the (only set) of transfer transitions encodes the effect of passing time. More precisely all tokens in a place ZeroPlace (p, k) will be moved to the place LowPlace (p, k), for k ∶ 1 ≤ k ≤ cmax + 1. From Type1.2 the mode will be changed to Type2.1.
To describe Type1.1 formally we add, On switching to Type1.2, we change the variables CoverFlag and CoverIndex in a similar manner to the previous phases. Therefore, we add the following transition generators: (i) For each i ∶ 1 ≤ i ≤ n, and i ′ ∶ −m ≤ i ′ < i, we add θ where: (iv) We add θ where: The set of transfer transitions is defined by the transfer transition generator θ Transitions of Type 2. Recall that transitions of type 2 encode what happens to tokens with the largest fractional parts when an amount of time passes sufficient for making these ages equal to the next integer (but not larger.) There are two sources of such tokens. The generation of tokens according to these two sources divides the phase into two steps. The first source are tokens that are currently in places of the form HighPlace (p, k). In Type2.1, (some of) these tokens reach the next integer, and are therefore moved to the corresponding places encoding tokens with zero fractional parts. As mentioned above, only some (but not all) of these tokens reach the next integer. The reason is that they are generated during the computation (not by A), and hence they have arbitrary fractional parts.
The second source are tokens that are provided by the automaton A (recall that these tokens are not generated during the initialization phase.) In Type2.2, we run the automaton A one step at a time. At each step we generate the next token by taking a transition q 1 (p,k) → q 2 . In fact, such a token (p, k) is used in two ways: either it moves to the place ZeroPlace (p, k), or it is used to pay the debt we have taken on tokens. The debt is paid back either (i) by removing a token from InputDebt (p, k); or (ii) by decrementing the value of the variable RDebt (p, k). A transition q 1 # → q 2 means that we have read the last element of the current multiset. This finishes simulating the transitions of type 1 and 2 and the mode is moved back to Sim starting another iteration of the simulation phase.
As usual, transition q 1 # → q 2 in A indicates means that we have read the last element of the current multiset. We can now move back to the mode Sim, changing the variables CoverFlag and CoverIndex in a similar manner to the previous phases.
The tokens can also be used for paying read debts. For each transition q 1 (p,k) → q 2 in A, and k ∶ 1 ≤ r ≤ Rmax , we add θ where: Finally, the tokens can be used for covering. For each transition q 1 A transition q 1 # → q 2 in A indicates that we have read the last element of the current multiset. We now let A generate the next multiset. We change the variables CoverFlag and CoverIndex in a similar manner to the previous phases.
The Set C T final contains all configurations q T fin , M T fin satisfying the following conditions: • q T fin (NState) = q fin . The AC-PTPN is in its final control-state. • q T fin (FState (i, j)) = true for all i ∶ −m ≤ i ≤ n and 1 ≤ j ≤ n i . We have covered all tokens in M fin .
• q T fin (RDebt (p, k)) = 0 for all p ∈ P and k ∶ 0 ≤ k ≤ cmax + 1. We have paid back all debts on read tokens. • M fin (InputDebt (p, k)) = 0 for all p ∈ P and 0 ≤ k ≤ cmax + 1. We have paid back all debts on input tokens.

Undecidability for Negative Costs
The cost threshold coverability problem for PTPN is undecidable if negative transition costs are allowed.
In fact, as we see from the proof of Theorem 10.1 below, the undecidability proof holds even if the costs of places are restricted to be non-negative integers, and the costs of transitions are restricted to be non-positive. Moreover, the undecidability proof does not require real-valued clocks, but works even if clock values are natural numbers, i.e., in the discrete-time case.
Theorem 10.1. The cost threshold problem for PTPN N = (Q, P, T, Cost ) is undecidable.
Proof. We prove that it is undecidable whether a given control-state can be reached with cost ≤ 0, through a reduction from the control-state reachability problem for Minsky 2counter machines [Min67].
We recall that a 2-counter machine M , operating on two counters x 0 and x 1 , is a triple (Q, δ, q init ), where Q is a finite set of control states, δ is a finite set of transitions, and q init ∈ Q is the initial control state. A transition r ∈ δ is a triple (q 1 , op, q 2 ), where op is of one of the three forms (for i = 0, 1): (i) x i ++ which increments the value of x i by one; (ii) x i −− which decrements the value of x i by one; or (iii) x i = 0? which checks whether the value of x i is equal to zero. A configuration c of M is a triple (q, y 0 , y 1 ), where q ∈ Q and y 0 , y 1 ∈ N. The configuration gives the control-state together with the values of the counters x 0 and x 1 . The initial configuration c init is (q init , 0, 0). The operational semantics of M is defined in the standard manner. In the control-state reachability problem, we are given a counter machine M and a (final) control-state q fin , and check whether we can reach a configuration of the form (q fin , y 0 , y 1 ) (for arbitrary y 0 and y 1 ) from c init .
Given an instance of the control-state reachability problem for 2-counter machines, with M = (Q, δ, q init ) and q fin ∈ Q, we derive an instance of the cost threshold coverability problem for a PTPN where we have only non-negative costs on places and only non-positive costs on transitions; and where the threshold vector is given by 0.
We define the PTPN N = (Q ′ , P, T, Cost ) as follows. Each control state q ∈ Q has a copy in Q ′ . For each counter x i we have a place x i ∈ P with C(x i ) = 1. The number of the number of tokens in place x 1−i , then the mentioned unit time delay will add a cost of n. We observe also that t r 2 will move the computation to q r 2 . This enables the next phase which will make it possible to reclaim the (unjustified) cost we have for the tokens in the place x 1−i . We can now fire the transition t r 3 m times, where m ≤ n, thus moving m tokens from x 1−i to p r and gaining 2m (i.e., paying −2m). Eventually, t r 7 will fire, moving control to q r 3 . From q r 3 , transition t r 4 can fire k times (where k ≤ m) moving k tokens back to x 1−i . The places p r and x 1−i will now contain m − k resp. n + k − m tokens. Eventually, transition t r 5 will fire, moving control to q r 4 and ensuring that no time has elapsed since the firing of t r 2 (and hence no extra costs added due to delays). Finally, transition t r 6 will fire, ensuring a delay of one time unit (thus costing 2(m − k) + (n + k − m) = n + m − k), moving control to q 2 , and resuming the "normal" simulation of M . The total cost ℓ for the whole sequence of transitions is ℓ = n − 2m + n + m − k = 2n − m − k. This means 0 ≤ ℓ and that ℓ = 0 only if k = m = n, i.e., all the tokens of x 1−i are moved to p r and back to x 1−i . In other words, we can reimburse all the unjustified cost (but not more than that).
This implies correctness of the construction as follows. Suppose that the given instance of the control-state reachability problem has a positive answer. Then, there is a faithful simulation in N (which will eventually put a token in the place q F ). In particular, each time we perform a transition which tests the value of counter x i , the corresponding place is indeed empty and hence we pay no cost for it. We can also choose to reimburse all the unjustified cost paid for counter x 1−i . Notice that, letting time pass in the parts of the computation that are not part of the simulation of a zero-testing transition, may only contribute with non-negative costs, and that we can always choose not to have any delays in those parts. It follows that the computation has an accumulated cost equal to 0. On the other hand, suppose that the given instance of the control-state reachability problem has a negative answer. Then the only way for N to put a token in q F is to 'cheat' during the simulation of a zero testing transition (as described above). However, in such a case the accumulated cost for simulating the transition is positive. Since simulations of increment and decrement transitions have zero costs, and simulations of zero testing transitions have non-negative costs, the extra cost paid for cheating cannot be recovered later in the computation. This means that the accumulated cost for the whole computation will be strictly positive, and thus we have a negative instance of the cost threshold coverability problem (with our chosen threshold of 0).

Conclusion and Extensions
We have shown that the infimum of the costs to reach a given control-state is computable in priced timed Petri nets with continuous time. This subsumes the corresponding results for less expressive models such as priced timed automata [BBBR07] and priced discrete-timed Petri nets [AM09].
For simplicity of presentation, we have used a one-dimensional cost model, i.e., with a cost ∈ R ≥0 , but our result on decidability of the Cost-Threshold problem can trivially be generalized to a multidimensional cost model (provided that the cost is linear in the elapsed time). However, in a multidimensional cost model, the Cost-Optimality problem is not defined, because the infimum of the costs does not exist, due to trade-offs between different components. E.g., one can construct a PTPN (and even a priced timed automaton) with a 2-dimensional cost where the feasible costs are {(x, 1 − x) x ∈ R ≥0 , 0 < x ≤ 1}, i.e., with uncountably many incomparable values.
Another simple generalization is to make token storage costs on places dependent on the current control-state, e.g., storing one token on place p for one time unit costs 2 if in control-state q 1 , but 3 if in control-state q 2 . Our constructions can trivially be extended to handle this.
Other extensions are much harder. If the token storage costs are not linear in the elapsed time then the infimum of the costs is not necessarily an integer. In particular, the corner-point abstraction of Section 4 and our translation to an A-PTPN problem would not work. It is an open question how to compute optimal costs in such cases.
Finally, some extensions make the cost-problems undecidable. As shown in Section 10, reachability of a given control-state with cost zero becomes undecidable if general integer costs (including negative costs, i.e., rewards) are allowed. This negative result holds even for the simpler case of discrete-time PTPN, i.e., when clocks values are natural numbers.
If one considers the reachability problem (instead of our control-state reachability problem) then the question is undecidable for TPN [RGdFE99], even without considering costs.