Journal of Engineering

Volume 2013 (2013), Article ID 970487, 13 pages

http://dx.doi.org/10.1155/2013/970487

## Controller Synthesis of Time Petri Nets Using Stopwatch

Laboratoire VeriForm, Department of Computer Engineering, Ecole Polytechnique de Montréal, P.O. Box 6079, Station Centre-ville, Montréal, QC, Canada H3C 3A7

Received 30 August 2012; Revised 16 January 2013; Accepted 21 January 2013

Academic Editor: WaiKeung Wong

Copyright © 2013 Parisa Heidari and Hanifa Boucheneb. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

Scheduling is often a difficult task specially in complex systems. Few tools are targeted at both modeling and scheduling of the systems. In controller synthesis, a scheduler is seen as a controller to manage shared resources and timing requirements of a system. This paper proposes a time Petri net-based approach for controller synthesis and finding a scheduler using stopwatch. The solution suggested here is particularly interesting for preemptive scheduling purposes. This paper deals with time Petri nets with controllable and uncontrollable transitions and assumes that a controllable transition can be suspended and retrieved when necessary. In fact, the paper supposes that every controllable transition can be associated with stopwatch. With this hypothesis, the objective is to model a system by time Petri nets and calculate subintervals where the system violates the given property. Then, the controller associates the corresponding controllable transitions with stopwatch to suspend them in their bad subintervals. The interesting advantage of this solution is that this approach synthesizes an ordinary time Petri net model before adding stopwatch. Therefore, complicated computations and overapproximations required during controller synthesis of time Petri nets associated with stopwatch are avoided.

#### 1. Introduction

A scheduler is a kind of controller that manages shared resources and timing specifications of the system. In the concept of controller synthesis, actions are partitioned into two disjoint sets, *controllable* and *uncontrollable*. Controllable actions are those that can be managed by the controller (forced to happen or prevented from happening). Uncontrollable actions are those that the controller has no control on. As an example, an internal counter in a digital system progresses with each clock cycle until it captures a predefined value and is reset after then. In a multitasking system, a newly arrived task waits for accessing resources. After accessing the required resources, each task spends its execution time and then releases the resources. If the task is periodic, it stays in a passive state before its next arrival. Process arrival depends on its period and its termination depends on the execution time. Then, both process arrival and termination of execution are uncontrollable, whereas access to the shared resources and starting the execution are controllable [1].

In order to manage shared resources among different periodic tasks with different levels of priority, the solution is to suspend a task with the lower priority and let the others with the higher priorities execute and use the resources. Then, the suspended task is retrieved until it finishes its execution. When a task is suspended, the execution time is not progressing. This behavior is modeled by stopwatch.

Stopwatch is an extension of timed models to facilitate modeling of interruption and resumption of a job. Once an interrupt happens, a task is suspended. Later, it is retrieved and continued from where it was interrupted. During the interruption, the clock of interrupted task is stopped while other clocks progress normally. The idea of stopwatch has been discussed and extended to timed automata (TA) as well as time petri nets (TPN) and some types of TA and TPN associated with stopwatch are already introduced [2–5]. In stopwatch, we may have some states whose clocks keep progressing, while in some other states the clock is stopped and keeps the value it had before being interrupted as if the clock has a memory and after being retrieved it continues with its previous value.

In a multitasking real-time system with interruptible tasks and shared resources, a suitable scheduler is necessary to manage the resources and to prevent blocking and deadlock. The scheduler guarantees the well functionality of the system in terms of respecting deadline, priority, and similar constraints. Each task cannot start execution until the required resources are available. A task releases the occupied resources after finishing its execution.

In multitasking systems, tasks are categorized to periodic, aperiodic, and sporadic [6].

(i) *Periodic Task.* Periodic tasks arrive in regular intervals. Worst-case and best-case execution time is of the specifications defined for periodic tasks. Deadline is the other characteristic defined for these tasks with respect to their worst-case execution time. Deadline in periodic tasks can be either soft or hard. A critical deadline is called hard deadline whereas meeting a soft deadline is not critical.

(ii) *Aperiodic Task.* Tasks with irregular interarrivals are called aperiodic. Aperiodic tasks are usually associated with soft deadlines.

(iii) *Sporadic Task.* Aperiodic tasks with a minimum interarrival are called sporadic. Sporadic tasks are associated with hard deadlines.

A periodic task may have the following three states [7].

(i) *Waiting.* Once a periodic task arrives, it should wait for required resources.

(ii) *Execution.* When all required resources are available, the task starts its execution and spends its execution time in this state.

(iii) *Passive.* After being executed, the task releases the required resources and waits until its next arrival. The time between two consecutive task arrivals is equal with the given period.

In a multitasking system with periodic tasks, the scheduler should manage the shared resources in a way that the predefined period for the tasks is respected. On the other hand, some of the tasks may be associated with a deadline or priority. In that case, the scheduler should suspend the execution of a task with lower priority and let the higher priority tasks to use the resources. Once the tasks with higher priority are executed, the other tasks with lower priorities are retrieved and continue their execution. This behavior is called preemptive scheduling.

In the field of controller synthesis, a scheduler is seen as a controller [7, 8]. The scheduler should manage the shared resources and starts execution of each task in a way that the timing constraints, deadlines, and priorities are respected. Arrival of each task is due to its period and then is uncontrollable. Execution time is also predefined and then is uncontrollable. The only controllable action is the starting of an execution. In preemptive scheduling, a task can be suspended during its execution and leave the resources to some other task with a higher priority.

One solution is to model the system with time Petri nets associated with stopwatch. In this context, each task execution is modeled by a transition equipped with stopwatch and then the corresponding controller is synthesized to manage suspension and resumption of each task such that the corresponding timing constraints are respected. As we will see in this paper, one problem with this solution is that the state space of time Petri nets associated with stopwatch is not exact and requires some overapproximation.

The other problem is that time Petri nets associated with stopwatch does not preserve the boundedness property. Let be a time Petri net, be a time Petri net associated with stopwatch, and shows the corresponding state class graph, the following relation holds:

This condition is not always true for a time Petri net associated with stopwatch. In other terms,

Indeed, if the number of reachable markings in a time Petri net associated with stopwatch is finite, the number of state classes is not necessarily finite [3]. These limitations hinder the controller synthesis of time Petri nets with stopwatch.

In this paper, we suggest an alternative solution. We propose to synthesize a time Petri net without stopwatch where the transitions corresponding to the task executions are considered controllable. We extract the controller (i.e., scheduling strategy) and then add the stopwatch to model the controlled system (the system and its scheduler). In fact, we suggest to implement the synthesized controller by means of stopwatch.

In the following, we discuss how the algorithm suggested in [9] for controller synthesis of time Petri nets is used for scheduling purposes to synthesize a controller for interruptible tasks. The algorithm of [9] is permissive and the computed controller is restricting time intervals making the system to satisfy the given properties. In this paper, we suggest to suspend a task during its bad subinterval. This approach is useful for preemptive scheduling purposes where safety properties correspond to meeting deadlines, priorities, preventing deadlock for shared resources, and so forth.

In this paper, we use a synthesized controller (output of the algorithm of [9] in particular), and we show how to control the system using stopwatch. In order to implement the controller by means of stopwatch, we assume that it is possible to associate each controllable transition with a stopwatch so as to suspend or resume it whenever needed.

The rest of this paper is organized as follows. Section 2 is dedicated to time Petri nets, their definition, and semantics. Section 3 presents a literature review on different stopwatch Petri nets. Section 4 has a brief survey on the solution proposed in [9]. Section 5 synthesizes a controller using stopwatch. Section 6 presents an example of a multitasking system. Finally, Section 7 gives the conclusion and future work.

#### 2. Time Petri Nets

A time Petri net () is a Petri net augmented with time intervals associated with transitions. This paper focuses on the classical semantics, called intermediate semantics in [10], in the context of monoserver and strong semantics [11]. Formally, a is a tuple where (i) and are finite sets of places and transitions such that . (ii) and are the backward and the forward incidence functions , where is the set of nonnegative integers). (iii) is the initial marking (). (iv) is the static interval function ( is the set of nonnegative rational numbers. associates with each transition an interval called the static firing interval of . Bounds and of the interval are the minimum and maximum firing delays of , respectively.

In a controllable time Petri net, transitions are partitioned into controllable and uncontrollable transitions, denoted by and , respectively (with and ). For the sake of simplicity and clarification, in this paper the controllable transitions are depicted as white bars, while the uncontrollable ones as black bars.

A TPN, is called bounded if for every reachable marking , there is a bound where holds. In this condition, stands for the number of places in .

Let be a marking and a transition. Transition is enabled for if and only if all required tokens for firing are present in , that is, . Firing of leads to the marking defined by: . We denote the set of transitions enabled for , that is, . For , we denote the set of transitions enabled in but in conflict with , that is, . Let and the successor marking of by ; a transition is said to be newly enabled in if and only if is not enabled in the intermediate marking (i.e., ) or . We denote the set of transitions newly enabled , by firing from ; that is, .

The TPN state is defined as a pair , where is a marking and is a firing interval function . The initial state is where is the initial marking and , for . Let and be two states of the TPN model, and . The transition relation over states is defined as follows. (i), also denoted by , if and only if the state is reachable from state , after time units, that is, , and . (ii) if and only if the state is reachable from the state by immediately firing transition , that is, , , and , if , and , otherwise.

The TPN state space is the structure , where is the initial state of the TPN and being the reflexive and transitive closure of the relation defined above is the set of reachable states of the model. A in the TPN state space , of a state , is a maximal sequence , such that . By convention, for any state , the relation holds. The sequence is called the timed trace of . The sequence , is called the firing sequence (untimed trace) of . A marking is reachable if and only if s.t. its marking is . (resp., timed/untimed traces) of the TPN are all runs (resp., timed/untimed traces) of the initial state .

To use enumerative analysis techniques with time Petri nets, their generally infinite state spaces are abstracted. Abstraction techniques construct by removing some irrelevant details, a finite contraction of the state space of the model, which preserves properties of interest. For best performances, the contraction should also be the smallest possible and computed with the minimal resources in terms of time and space. The preserved properties are usually verified using standard analysis techniques on the abstractions [12]. Several state space abstraction methods have been proposed in the literature for time Petri nets (the *state class graph *(SCG) [13], the *zone based graph *(ZBG) [14], etc.). They may differ in the characterization of states (interval or clock states), the state agglomeration criteria, the abstract states representation, the preserved properties (markings, linear or branching properties), and their size.

These abstractions are finite for all bounded time Petri nets. However, abstractions based on clocks are less interesting than the interval-based abstractions when only linear properties are of interest. Indeed, abstractions based on clocks do not enjoy naturally the finiteness property for bounded TPN with unbounded intervals as it is the case for abstractions based on intervals. The finiteness is enforced using an approximation operation, which may involve some overhead computation. The algorithm of [9] is based on the state class graph method.

##### 2.1. The State Class Graph Method

In the state class graph method [13], all states reachable by the same firing sequence from the initial state are agglomerated in the same node and considered modulo the relation of equivalence defined by: two sets of states are equivalent if and only if they have the same marking and the same firing domain (the firing domain of a set of states is the union of the firing domains of its states). All equivalent sets are agglomerated in the same node called a *state class* defined as a pair , where is a marking and is a formula which characterizes the firing domain of . For each transition enabled in , there is a variable , in , representing its firing delay. can be rewritten as a set of atomic constraints of the form , or , where , are transitions, , and is the set of rational numbers. (for economy of notation, we use operator even if ):

Each domain is expressed by the canonical form that is usually encoded by a difference bound matrix (DBM) [15]. The canonical form of is encoded by the DBM (a square matrix) of order defined by: , where () represents a fictitious transition whose delay is always equal to and is the largest value of in the domain of . Its computation is based on the shortest path *Floyd-Warshall*'s algorithm and is considered as the most costly operation (cubic in the number of variables in ). The canonical form of a DBM makes some operations over formulas like the test of equivalence easier. Two formulas are equivalent if and only if the canonical forms of their DBMs are identical.

The initial state class is , where . Let be a state class and a transition and the set of states defined by: . The state class has a successor by (i.e., , if and only if is enabled in and can be fired before any other enabled transition; that is, the following formula is consistent: . A formula is consistent if and only if there is, at least, one tuple of values that satisfies, at once, all constraints of . In this case, the firing of leads to the state class computed as follows [13]. (1). (2). (3)Replace in each , by (). (4)Eliminate by substitution and each of transition conflicting with in . (5)Add constraint , for each transition .

Formally, the SCG of a TPN model is a structure , where is the initial state class, iff and . The SCG is finite for all bounded TPNs and preserves linear properties [16]. Let be a state class and a sequence of transitions firable from . We denote the state class reachable from by firing successively transitions of . We define inductively this set as follows: and , if .

As an example, Figure 2 shows the state class graph of the TPN presented at Figure 1. Its state classes are reported in Table 1.

Let be a sequence of transitions firable from , the same transition may be newly enabled several times. To distinguish among different enablings of the same transition , we denote for the transition (newly) enabled by the th transition of the sequence; denotes the transition enabled in . Let with be a sequence of transitions firable from s.t. . We define the largest subclass of (i.e., ) s.t. is firable from all its states, that is, .

#### 3. Literature Review

The idea of suspension and resumption of a task in a system is modeled in different ways in timed automata and time Petri nets [2–4, 17, 18]. In [2], the authors have introduced stopwatch automata (SWA) as a subclass of timed linear hybrid automata. In stopwatch automata, an additional binary variable is defined to show the rate of time progression. The clocks may have two velocities (time derivation): zero or one. Zero signifies stopped while one signifies normal progress. If clocks are running, they progress with a global rate, identical to all nonstopped clocks of the model. The authors have shown that stopwatch automata is as expressive as timed languages.

In [3], the authors have introduced inhibitor hyperarcs to interrupt an enabled transition. Once a place connected to a transition via an inhibitor arc is marked, the transition is suspended and stops firing. In other words, once an inhibitor arc is enabled, the corresponding transition is interrupted. They have called these nets IHTPN (time Petri nets with inhibitor hyperarcs). In Figure 3, is enabled. As soon as is marked, firing is suspended. Note that an inhibitor hyperarc is not graphically presented by a classical arrow; instead, it is depicted with an empty circle at the extreme of the edge.

In [17], the authors have discussed an extension of time Petri nets adapted for scheduling. This extension is called scheduling extended time Petri nets (SETPN). SETPN is suitable to model concurrent tasks and shared resources with fixed priority. The behavior of scheduler is implicitly included in the model and the scheduler is not modeled as a separate agent.

In [17], time Petri nets are associated with two more properties and standing for resource allocation and priority, respectively. As an example, suppose two different concurrent tasks sharing the same resource ( is identical for both). Although both transitions are enabled, the one with a higher priority is active while the other is suspended. For each marking , a function determines whether is active or not.

The time Petri nets presented in [17] assign both priority and resources to places. It is particularly suitable for scheduling approaches. State space analysis is done mapping scheduling Petri nets to hybrid automata (state class stopwatch automata). The advantage of this solution is using an automated tool like HYTECH [19] already existing for manipulation of hybird automata.

Another extension of time Petri nets called preemptive time Petri nets is discussed in [18]. Preemptive time Petri nets are suitable for scheduling and preemptive approaches. In Preemptive time Petri nets, resource and priority are characteristics of transitions while in SETPN they were assigned to places. The preemptive time Petri nets as well as scheduling extended time Petri nets are adapted specifically for scheduling purposes with fixed priority rather than general cases of interruption and resumption of some tasks. A more generalized model comes in [4, 5].

Another stopwatch model comes in [4, 5]. Post- and Pre-initialized stopwatch Petri nets (SWPN) [4, 5] also model interruption and retrieving of tasks. In such stopwatch Petri nets, transitions are partitioned into two disjoint subclasses where is the set of interruptible transitions and is the set of noninterruptible transitions. Stopwatches can suspend enabled interruptible transitions. For each transition , there is a function representing the value of its associated stopwatch. If , signifies the time elapsed since was first enabled, whereas if , represents the time elapsed since was last enabled. A transition is called firable if it is enabled () and .

In contrary with IHTPN where a marked place suspended an enabled transition, in this model stopwatch consumes some tokens to disable an enabled transition. It is implemented by means of some extra places/transitions. A stopwatch transition is in conflict with an interruptible transition. Thus, consuming a token can suspend an interruptible enabled transition. With this model, an interrupt is unpredictable and we do not know when it happens. In fact at any time, the interruptible task and the interrupt both have equal chance to happen. The simple Petri nets of Figure 4 reported from [4] are a simple example of SWPN of an interruptible task.

Let be a transition and a marking, is called: (i)*enabled*. If denoted by ; (ii)*firable*. If , denoted by ; (iii)*suspended*. If , denoted by .

The notion indicates that is newly enabled by firing of at marking .

The new concept Preinitialization defined in this model refers to noninterruptible transitions. For every , is firable if has already been initialized when becomes enabled. In other words, when .

The concept, is defined for interruptible transitions. When an interruptible transition is fired the associated is initialized (). Figures 5 and 6 reported from [4] show the difference between time evolution in an interruptible transition and a noninterruptible transition. In these figures, the notions , and stand for enabling, disabling, and firing of a transition, respectively.

In brief, according to the types of transitions, two types of clock initialization are defined. (i)*Preinitialization*. Given a transition where is the set of noninterruptible transitions, clock initialization is called preinitialization happening when is recently enabled. As soon as a transition becomes enabled, its associated clock is initialized. (ii)*Postinitialization*. Given a transition where is the set of interruptible transitions, clock initialization is called post-initialization happening after firing ; it means that the transition initializes the clock after being fired. Post-initialization is dependent on transition firing.

In [4], continuous and discrete transitions are defined as follows.

Let , a continuous transition is denoted by iff : (i), if the transition is not enabled;(ii) if is enabled;(iii).

And a discrete transition is denoted by iff : (i), (ii), (iii) if (postinitialization), (iv)(a)0 if ; (preinitialization) (b) Otherwise.

In order to perform further timing analysis, the same as scheduling extended time Petri nets of [17], the SWPN is transformed to hybrid automaton. In addition, a forward algorithm is suggested to compute reachable states.

If the number of stopwatches increases, for example if all of the transitions are interruptible, the complexity of calculation will highly increase. Scheduling time Petri nets and preemptive time Petri nets are both subclasses of stopwatch Petri nets. An ordinary TPN is also a SWPN where .

After having a survey on different stopwatch Petri nets available in the literature, in the following, we will have a brief review on the algorithm of [9] and then investigate how to integrate stopwatch in the controller synthesis approach of [9].

#### 4. Safety Controller Synthesis Approach Proposed in [9]

Let be a TPN with controllable and uncontrollable transitions () and a set of markings to be avoided (bad). For a safety property, the approach proposed in [9] (see Algorithms 1 and 2) consists of exploring, on-the-fly and path by path, the state class graph of the TPN while collecting the bad sequences and the losing states (sequences or states that lead to bad markings). The list Passed is used to retrieve the set of state classes processed so far, their bad sequences, and their losing subclasses. For a given state class and a bad sequence feasible from , the function Fire is used to compute forwardly all states of which lead by a sequence of transitions to an undesirable marking (i.e., a losing subclass of ). The function explore receives parameters being the class under process, the transition leading to , and the set of traveled classes in the current path. Succinctly, it recursively computes the bad sequences of (from bad sequences of its successors) and verifies whether or not can be controlled so as to avoid its bad sequences. It returns the set of bad sequences if they cannot be avoided from . Otherwise, it returns an empty set, which means that can be controlled (i.e., has no bad sequences or there is at least one controllable transition such that its firing interval in can be restricted so as to avoid reaching bad states). The restriction of the interval of in is obtained by subtracting from its interval in , intervals of in its bad subclasses.

This approach tries to control the system behavior starting from the last to the first state class of bad paths. If it fails to control a state class of a path, so as to avoid all bad state classes, the algorithm tries to control its previous state classes. If it succeeds to control a state class, there is no need to control its predecessors. The aim is to limit as little as possible the behavior of the system (more permissive controller).

In [20], we have proven that this approach gives the maximally permissive controller and if it fails to compute the controller then the controller does not exist. We have also investigated the hardness complexity of the approach step by step.(i)The complexity of computing BI of a state class (in worst case) is where is the number of paths starting from the state class and leading to bad markings, is the maximal length of such paths, and is the number of transitions in the model. (ii)The complexity for computing Dep relation used in Algorithms 1 and 2 is , where is the number of places in the model (complexity of testing ).

In [14], the authors have discussed the completeness complexity for bounded TPNs. They have proven that model checking of TPN-TCTL formula on a bounded TPN is PSPACE-complete.

Let us explain this approach, by means of an example. Consider the TPN shown at Figure 1, its state class graph presented at Figure 2 and its state classes reported in Table 1. Suppose that only is controllable (i.e., ) and we want to avoid reaching markings where places and are both not marked (i.e., state classes and ) by choosing appropriately the firing intervals of . For this example, we have , , , and .

The process starts by calling (see Figure 7). Since is not in Passed and its marking is not forbidden, explore is successively called for the successors of : and . In explore of , function explore is successively called for and . In explore of , function explore is called for the successor of by : . For the successor of by (i.e., ), there is no need to call explore as it belongs to the current path. Since has a forbidden marking, explore of returns to explore of with , which, in turn, adds to Passed and returns to explore of with .

In explore of , function explore is called for (). This call returns, to explore of , with , since has a forbidden marking. In explore of , the tuple is added to Passed and is returned to explore of . Then, explore of calls , which in turn calls . Since has only one successor () and this successor belongs to the current path, the call of explore for adds to Passed and returns to explore of with , which, in turn, returns to explore of .

After exploring both successors of , in explore of , we get in the set of bad paths of . As the state class has a controllable transition , its bad subclasses are computed: and . The firing interval of in () is not covered by the union of intervals of in bad subclasses of (). Then, is added to Passed. As is newly enabled, the empty set is returned to the function main, which concludes that a controller exists. According to the list Passed, needs to be controlled (). For all others, there is nothing to do.

#### 5. Controller Synthesis and Stopwatch

In this section, we consider time Petri nets with controllable/uncontrollable transitions and show how such a system is controlled by associating some of the controllable transitions with stopwatch. First, we apply the on-the-fly algorithm of [9] and calculate the appropriate controller. Then, instead of restricting time intervals of corresponding controllable transitions, we associate them with stopwatch. In fact, we suspend some transition during its bad subinterval to control a system so as to satisfy a given property.

We consider the inhibitor hyperarcs of [3]. The controller shall suspend a controllable transition in its bad subinterval and retrieve it otherwise. Let us remember the example of Figure 1 with the state class graph of Figure 2 and Table 1. We have seen that in order to prevent the system entering the forbidden state classes and , the controller should prevent from firing before . Thus, an inhibitor hyperarc is added to the transition . This inhibitor hyperarc connects to a place called . At the beginning, this place is marked and then is suspended. At the token of is consumed and the corresponding hyperarc becomes disabled. The controllable transition is now firable again. The token is returned to place after is fired. Thus, the controller suspends during its bad subinterval and resumes it after then. At the beginning, all clocks are initialized to zero. Then, time elapses but in , this transition is suspended and hence its clock does not elapse anymore. Later at time , this transition is retrieved and becomes active. We do not need to delay it anymore, that is why the lower bound of the interval associated with is modified to . Now the clock starts elapsing. Within 2 time units should be fired (i.e., when the actual time of the general clock of the system reaches to ). Then, the interval associated with in a controlled TPN associated with stopwatch is . Figure 8 represents the clock evaluation of the transition . The controlled Petri nets of this example are presented in Figure 9.

In summary, our goal is to synthesize the state class graph of the system through Algorithms 1 and 2 (see [9]) and calculate bad subintervals of the corresponding controllable transitions. Then, suspend the appropriate controllable transitions during their bad subintervals. Note that in [9], we were restricting and limiting time intervals while in this approach the idea is to delay and suspend them. In this research, we suppose every controllable transition can be associated with a stopwatch if needed. As explained earlier in Section 1, in a multitasking system with periodic tasks only execution of a task is controllable. Then, those transitions modeling the task executions are considered controllable and consequently could be suspended and retrieved.

Above, we have shown how to control a system when the bad subinterval is at the beginning of the firing interval. What if the acceptable subinterval is at the beginning and bad subintervals are after? Consider the example of Figure 10. A controllable transition is associated with firing interval . Suppose that, based on Algorithms 1 and 2, the subinterval is acceptable while is a bad subinterval, where . The controlled time Petri nets are presented in Figure 11. Figure 12 represents the clock evaluation of and shows how the new interval associated with is calculated. In , is marked and is neither active nor enabled. Meanwhile, at the time , becomes enabled and is fired consuming the token in . Thus, right at , the transition becomes active and its associated clock starts elapsing. Note that associated stopwatch delays for time units and we do not want to delay it anymore; then, the lower bound of the new associated interval in controlled TPN is . After time units, is fired, and becomes marked again. Consequently, is suspended.

Consider the same example of Figure 10 and this time suppose that Algorithms 1 and 2 give the following output.

is acceptable, is a bad subinterval, is acceptable where the condition holds. With the same idea, the controlled Petri nets are presented in Figure 13 and the clock evaluation of is shown in Figure 14.

##### 5.1. Why Inhibitor Hyperarcs?

We have shown, how to achieve a controlled model from an uncontrolled time Petri nets by adding inhibitor hyperarcs. One question is why among different types of stopwatch inhibitor hyperarcs are chosen? Is it possible to use another stopwatch model? The answer is yes; but, inhibitor hyperarcs provide more flexibility and less complication. Let us see if this idea is feasible using other types of Petri nets with stopwatch.

We consider the post- and preinitialized Petri nets proposed in [4, 5] for stopwatch and try to control a model where a controllable transition associated with time interval has a bad subinterval . Based on our hypothesis, the controller should suspend the controllable transition at and resume it at . The characteristic of post and pre-initialized Petri nets is that they consume the same token of the original model and in addition, the exact time when the model becomes suspended is unknown as stopwatch transition and original transition have the same chance for firing. At the first glance, the idea is feasible by adding one place and two transitions. However, there are some issues. We explain the problem through an example.

We consider the same example of Figure 1. The suggested controlled model using post and pre-initialized Petri nets comes in Figure 15. The controllable transition is associated with stopwatch. The stopwatch interrupts the task at and resume it at . The problem is at , both transitions and are enabled with equal chance of firing whereas, in order to have a controlled model, should fire at before . Thus, the controller fails unless if we modify the interval associated to to which is not of interest in this approach.

The other alternative is presented at Figure 16. An auxiliary place solves the problem. Hence, using the stopwatch Petri nets suggested in [4, 5], it is not easy to give a general solution to control a model considering the output of Algorithms 1 and 2. In addition, the resulting controlled nets are more complicated. For example, in case the controllable transition is associated with the interval where its bad subinterval is and then, the controlled model becomes complicated.

#### 6. Illustrative Example

Suppose the multitasking system depicted in Figure 17 with the following specifications: four tasks , and are being executed. Two tasks and are uncontrollable. The task is periodic with a period of and then, its start execution is controllable. Suppose that starting execution of is also controllable. is depended to and meaning that it can be executed only when and are executed. Two tasks and share a common resource. On the other hand, enters through a single capacity buffer. It means that if is not executed by the end of its period, the system will block. In Figure 7, tasks are modeled by tokens and the execution of each task is shown by the transition . If is not executed by the end of its period the system enters the state Block, and, is the transition to be avoided. Delay is a place modeling the behavior of the buffer considering the period of the task . And finally, executes within time units, in , within and in .

The state class graph of the model is given in Figure 18 and Table 2 shows the state class informations. Based on the state class graph of the system, the state classes , and are forbidden. Let us briefly trace the algorithm on the state class graph. First, we follow the algorithm on the left branch where the state classes , and are located. The algorithm starts from and is executed recursively to , then , and finally reaches to with a forbidden marking. Then, it comes back to with and to with . The other successor available from is which is also forbidden. Till now there is no enabled controllable transition to avoid these classes and the algorithm continues returning back to with . The other successor available from is which is also forbidden. Thus, it returns back to with . The other successor available from is which is safe and the algorithm continues to , and finally which is a forbidden state. Then, it goes back to with and consequently to with . The other successors available from are the forbidden state and which is already under processing. Note that two enabled controllable transitions are available at , but the controller cannot act at this level because may fire before or and lead to a forbidden state. Then, the algorithm continues and returns back to with where no controllable transition is available. Consequently, the algorithm continues and returns back to and finally reaches to where newly enabled controllable transitions are available. Till now the path to be avoided at includes .

The procedure is similar for the other path available from including and its successors. The forbidden state reachable through this path is and in order to avoid this forbidden state, the controller can act at with two enabled controllable transitions. So, nothing is returned to from this path. Having a closer look to the state class graph and the output of the algorithm, we conclude that at each state where and are newly enabled and the controller should act (i.e., , and ), the controller should force to fire before (i.e., ). In other words, should not be active at . It is sufficient to add an inhibitor hyperarc to deactivate at . The controller cannot act at the state class as discussed earlier and has nothing to do at the state class (the permissive controller will act later at the state class ). Note that a state class like which is reachable through a forbidden state () is not processed by the algorithm as it is supposed to be avoided in the controlled system. The controlled model using inhibitor hyperarcs is given at Figure 19.

Our model is now safe. Yet some challenges exist. Look at the state class graph of the model presented at Figure 18. In some paths one task is executed frequently while others are still waiting. For example, see the paths leading to . Although the system is not blocked, some of the tasks cannot be executed. A good scheduler had better to perform different tasks alternatively. We may want to consider alternation, particular sequences, add a deadline for each task or other possible policies. And finally, we may ask if it is possible to restrict the execution time of a task even if it is in its safe subinterval? Then, while synthesizing a scheduler, we can add more constraints and scheduling policies beyond “safe states.” Further researches are required to answer these questions.

#### 7. Conclusion

In this paper, we have extended the approach discussed in [9] to time Petri nets with stopwatch and have suggested to associate the controllable transitions with stopwatch in order to prevent their bad subintervals. We have proposed that in case a controller (like a scheduler) cannot restrict time intervals associated with controllable transitions, the controllable transitions can be suspended in their bad subintervals. Synthesizing a time Petri net associated with stopwatch is complicated and needs some overapproximations. Besides, time Petri nets associated with stopwatch do not preserve the boundedness property. In this paper, we have suggested a more effective alternative. We synthesize a time Petri net without stopwatch and then, equip the controllable transitions with stopwatch where necessary. With this assumption, every controllable transition can be suspended in its bad subinterval and resumed otherwise. Amongst different types of stopwatch, our solution is based on inhibitor hyperarcs.

The approach suggested in this paper is particularly useful at design level for preemptive scheduling purposes, managing shared resources and critical sections. This is a good starting point for further researches on scheduling and to calculate automatically a scheduler in a multitasking system. It is interesting to see how the approach can be applied in a more general case with a variable number of tasks and dependencies. Consider different scheduling policies are challenging and are worth to be considered in further studies.

#### References

- P. Heidari,
*A forward on-the-fly approach for safety and reachability controller synthesis of timed systems [Ph.D. thesis]*, École Polytechnique de Montréal, 2012. - F. Cassez and K. Larsen, “The impressive power of stopwatches automata,” in
*Proceedings of the 11th International Conference on Concurrency Theory (CONCUR '00)*, pp. 138–152, Springer, 2000. - O. H. Roux and D. Lime, “Time petri nets with inhibitor hyperarcs. formal semantics and state space computation,” in
*Proceedings of the International Conference on Application and Theory of Petri Nets (ICATPN ’04)*, pp. 371–390, 2004. - A. Allahham and H. Alla, “Post and pre-initialized stopwatch Petri nets: formal semantics and state space computation,”
*Nonlinear Analysis*, vol. 2, no. 4, pp. 1175–1186, 2008. View at Publisher · View at Google Scholar · View at Scopus - A. Allahham and H. Alla, “Réseaux de Petri à chronomètres post et pré-initialisés,” in
*Proceedings of the 6 ème Colloque Francophone sur la Modélisation des Systémes Réactifs (MSR ’07)*, pp. 263–280, Lyon, France, 2007. - D. Isovic and G. Fohler, “Efficient scheduling of sporadic, aperiodic, and periodic tasks with complex constraints,” in
*Proceedings of the 21st IEEE Real-Time Systems Symposium*, pp. 207–216, 2000. - K. Altisen, G. Gossler, and J. Sifakis, “A methodology for the construction of scheduled systems,” in
*Proceedings of the Formal Techniques in Real-Time and Fault-Tolerant Systems (FTRTFT '00)*, pp. 106–120, 2000. - K. Altisen, G. Gossler, A. Pnueli, J. Sifakis, S. Tripakis, and S. Yovine, “A framework for scheduler synthesis,” in
*Proceedings of the 20th IEEE Real-Time Systems Symposium (RTSS'99)*, pp. 154–163, December 1999. View at Scopus - P. Heidari and H. Boucheneb, “Efficient method for checking the existence of a safety/ reachability controller for time petri nets,” in
*Proceedings of the 10th International Conference on Application of Concurrency to System Design (ACSD '10)*, pp. 201–210, June 2010. View at Publisher · View at Google Scholar · View at Scopus - O.-H. Roux, D. Lime, S. Haddad, F. Cassez, and B. Brard, “Comparison of different semantics for time Petri nets,” in
*Proceedings of the 3rd Automated Technology for Verification and Analysis*, vol. 3707 of*Lecture Notes in Computer Science*, pp. 293–307, 2005. - M. Boyer and F. Vernadat, “Language and bisimulation relations between subclasses of timed petri nets with strong timing semantic,” Tech. Rep., LAAS, 2000. View at Google Scholar
- W. Penczek and A. Polrola, “Specification and model checking of temporal properties in time Petri nets and timed automata,” in
*Proceedings of the 25th International Conference on Application and Theory of Petri Nets*, vol. 3099 of*Lecture Notes in Computer Science*, pp. 37–76, 2004. - B. Berthomieu and M. Diaz, “Modeling and verification of time dependent systems using time Petri nets,”
*IEEE Transactions on Software Engineering*, vol. 17, no. 3, pp. 259–273, 1991. View at Publisher · View at Google Scholar · View at Scopus - H. Boucheneb, G. Gardey, and O. H. Roux, “TCTL model checking of time petri nets,”
*Journal of Logic and Computation*, vol. 19, no. 6, pp. 1509–1540, 2009. View at Publisher · View at Google Scholar · View at Scopus - J. Bengtsson,
*Clocks, DBMs and states in timed systems [Ph.D. thesis]*, Uppsala Universitet, Sweden, 2002. - B. Berthomieu and F. Vernadat, “State class constructions for branching analysis of time Petri nets,” in
*Proceedings of the 9th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS '03)*, pp. 442–457, 2003. - D. Lime and O. Roux, “A translation based method for the timed analysis of scheduling extended time Petri nets,” in
*Proceedings of the 25th IEEE International Real-Time Systems Symposium (RTSS '04)*, pp. 187–196, December 2004. View at Scopus - G. Bucci, A. Fedeli, L. Sassoli, and E. Vicario, “Timed state space analysis of real-time preemptive systems,”
*IEEE Transactions on Software Engineering*, vol. 30, no. 2, pp. 97–111, 2004. View at Publisher · View at Google Scholar · View at Scopus - T. A. Henzinger, P.-H. Ho, and H. Wong-Toi, “HYTECH: a model checker for hybrid systems,” in
*Proceedings of the 9th International Conference on Computer-Aided Verification (CAV '97)*, vol. 1254 of*Lecture Notes in Computer Science*, pp. 460–463, Springer, Berlin, Germany, 1997. - P. Heidari and H. Boucheneb, “Maximally permissive controller synthesis for time petri nets,”
*International Journal of Control*, vol. 86, no. 3, pp. 493–511, 2013. View at Publisher · View at Google Scholar