research article controller synthesis of time petri nets...
TRANSCRIPT
Hindawi Publishing CorporationJournal of EngineeringVolume 2013 Article ID 970487 13 pageshttpdxdoiorg1011552013970487
Research ArticleController Synthesis of Time Petri Nets Using Stopwatch
Parisa Heidari and Hanifa Boucheneb
Laboratoire VeriForm Department of Computer Engineering Ecole Polytechnique de Montreal PO Box 6079Station Centre-ville Montreal QC Canada H3C 3A7
Correspondence should be addressed to Parisa Heidari parisaheidaripolymtlca
Received 30 August 2012 Revised 16 January 2013 Accepted 21 January 2013
Academic Editor WaiKeung Wong
Copyright copy 2013 P Heidari and H BouchenebThis is an open access article distributed under the Creative Commons AttributionLicense which permits unrestricted use distribution and reproduction in anymedium provided the originalwork is properly cited
Scheduling is often a difficult task specially in complex systems Few tools are targeted at both modeling and scheduling of thesystems In controller synthesis a scheduler is seen as a controller to manage shared resources and timing requirements of a systemThis paper proposes a time Petri net-based approach for controller synthesis and finding a scheduler using stopwatchThe solutionsuggested here is particularly interesting for preemptive scheduling purposesThis paper deals with time Petri nets with controllableand uncontrollable transitions and assumes that a controllable transition can be suspended and retrievedwhennecessary In fact thepaper supposes that every controllable transition can be associated with stopwatch With this hypothesis the objective is to modela system by time Petri nets and calculate subintervals where the system violates the given property Then the controller associatesthe corresponding controllable transitions with stopwatch to suspend them in their bad subintervals The interesting advantage ofthis solution is that this approach synthesizes an ordinary time Petri net model before adding stopwatch Therefore complicatedcomputations and overapproximations required during controller synthesis of timePetri nets associatedwith stopwatch are avoided
1 Introduction
A scheduler is a kind of controller that manages sharedresources and timing specifications of the system In theconcept of controller synthesis actions are partitioned intotwo disjoint sets 119888119900119899119905119903119900119897119897119886119887119897119890 and 119906119899119888119900119899119905119903119900119897119897119886119887119897119890 Control-lable actions are those that can be managed by the controller(forced to happen or prevented from happening) Uncon-trollable actions are those that the controller has no controlon As an example an internal counter in a digital systemprogresses with each clock cycle until it captures a predefinedvalue and is reset after then In amultitasking system a newlyarrived task waits for accessing resources After accessing therequired resources each task spends its execution time andthen releases the resources If the task is periodic it stays in apassive state before its next arrival Process arrival depends onits period and its termination depends on the execution timeThen both process arrival and termination of execution areuncontrollable whereas access to the shared resources andstarting the execution are controllable [1]
In order to manage shared resources among differentperiodic tasks with different levels of priority the solution isto suspend a task with the lower priority and let the others
with the higher priorities execute and use the resourcesThen the suspended task is retrieved until it finishes itsexecution When a task is suspended the execution time isnot progressing This behavior is modeled by stopwatch
Stopwatch is an extension of timed models to facilitatemodeling of interruption and resumption of a job Once aninterrupt happens a task is suspended Later it is retrievedand continued from where it was interrupted During theinterruption the clock of interrupted task is stopped whileother clocks progress normally The idea of stopwatch hasbeen discussed and extended to timed automata (TA) aswell as time petri nets (TPN) and some types of TA andTPN associated with stopwatch are already introduced [2ndash5] In stopwatch we may have some states whose clocks keepprogressing while in some other states the clock is stoppedand keeps the value it had before being interrupted as if theclock has a memory and after being retrieved it continueswith its previous value
In a multitasking real-time system with interruptibletasks and shared resources a suitable scheduler is neces-sary to manage the resources and to prevent blocking anddeadlock The scheduler guarantees the well functionalityof the system in terms of respecting deadline priority and
2 Journal of Engineering
similar constraints Each task cannot start execution until therequired resources are available A task releases the occupiedresources after finishing its execution
Inmultitasking systems tasks are categorized to periodicaperiodic and sporadic [6]
(i) Periodic Task Periodic tasks arrive in regular intervalsWorst-case and best-case execution time is of the speci-fications defined for periodic tasks Deadline is the othercharacteristic defined for these tasks with respect to theirworst-case execution time Deadline in periodic tasks can beeither soft or hard A critical deadline is called hard deadlinewhereas meeting a soft deadline is not critical
(ii) Aperiodic Task Tasks with irregular interarrivals arecalled aperiodic Aperiodic tasks are usually associated withsoft deadlines(iii) Sporadic Task Aperiodic tasks with a minimum interar-rival are called sporadic Sporadic tasks are associated withhard deadlines
A periodic task may have the following three states [7](i) Waiting Once a periodic task arrives it should wait forrequired resources
(ii) ExecutionWhen all required resources are available thetask starts its execution and spends its execution time in thisstate
(iii) Passive After being executed the task releases therequired resources and waits until its next arrival The timebetween two consecutive task arrivals is equal with the givenperiod
In a multitasking system with periodic tasks the sched-uler should manage the shared resources in a way that thepredefined period for the tasks is respected On the otherhand some of the tasks may be associated with a deadlineor priority In that case the scheduler should suspend theexecution of a task with lower priority and let the higherpriority tasks to use the resources Once the tasks with higherpriority are executed the other tasks with lower priorities areretrieved and continue their executionThis behavior is calledpreemptive scheduling
In the field of controller synthesis a scheduler is seenas a controller [7 8] The scheduler should manage theshared resources and starts execution of each task in a waythat the timing constraints deadlines and priorities arerespected Arrival of each task is due to its period and thenis uncontrollable Execution time is also predefined and thenis uncontrollable The only controllable action is the startingof an execution In preemptive scheduling a task can besuspended during its execution and leave the resources tosome other task with a higher priority
One solution is to model the system with time Petrinets associated with stopwatch In this context each taskexecution ismodeled by a transition equippedwith stopwatchand then the corresponding controller is synthesized tomanage suspension and resumption of each task such that thecorresponding timing constraints are respected As we will
see in this paper one problem with this solution is that thestate space of time Petri nets associated with stopwatch is notexact and requires some overapproximation
The other problem is that time Petri nets associated withstopwatch does not preserve the boundedness property LetN1be a time Petri net N
2be a time Petri net associated
with stopwatch and SCG shows the corresponding state classgraph the following relation holds
N1is bounded lArrrArr SCG of N
1is finite (1)
This condition is not always true for a time Petri netassociated with stopwatch In other terms
N2is bounded 999489999513999457 SCG of N
2is finite (2)
Indeed if the number of reachable markings in a time Petrinet associated with stopwatch is finite the number of stateclasses is not necessarily finite [3] These limitations hinderthe controller synthesis of time Petri nets with stopwatch
In this paper we suggest an alternative solution Wepropose to synthesize a time Petri net without stopwatchwhere the transitions corresponding to the task executionsare considered controllable We extract the controller (iescheduling strategy) and then add the stopwatch tomodel thecontrolled system (the system and its scheduler) In fact wesuggest to implement the synthesized controller by means ofstopwatch
In the following we discuss how the algorithm sug-gested in [9] for controller synthesis of time Petri nets isused for scheduling purposes to synthesize a controller forinterruptible tasks The algorithm of [9] is permissive andthe computed controller is restricting time intervals makingthe system to satisfy the given properties In this paper wesuggest to suspend a task during its bad subinterval Thisapproach is useful for preemptive scheduling purposes wheresafety properties correspond to meeting deadlines prioritiespreventing deadlock for shared resources and so forth
In this paper we use a synthesized controller (outputof the algorithm of [9] in particular) and we show how tocontrol the system using stopwatch In order to implementthe controller by means of stopwatch we assume that itis possible to associate each controllable transition with astopwatch so as to suspend or resume it whenever needed
The rest of this paper is organized as follows Section 2 isdedicated to time Petri nets their definition and semanticsSection 3 presents a literature review on different stopwatchPetri nets Section 4 has a brief survey on the solutionproposed in [9] Section 5 synthesizes a controller using stop-watch Section 6 presents an example of a multitasking sys-tem Finally Section 7 gives the conclusion and future work
2 Time Petri Nets
A time Petri net (TPN) is a Petri net augmented with timeintervals associated with transitions This paper focuses onthe classical semantics called intermediate semantics in [10]in the context of monoserver and strong semantics [11]Formally a TPN is a tuple (119875 119879PrePost119872
0 Is) where
(i) 119875 and 119879 are finite sets of places and transitions suchthat (119875 cap 119879 = 0)
Journal of Engineering 3
(ii) Pre and Post are the backward and the forwardincidence functions (PrePost 119875 times119879 rarr N whereNis the set of nonnegative integers)
(iii) 1198720is the initial marking (119872
0 119875 rarr N)
(iv) Is is the static interval function (Is 119879 rarr Q+ times(Q+ cup
infin))Q+ is the set of nonnegative rational numbersIs associates with each transition 119905 an interval calledthe static firing interval of 119905 Bounds darr Is(119905) and uarr Is(119905)of the interval Is(119905) are the minimum and maximumfiring delays of 119905 respectively
In a controllable time Petri net transitions are partitionedinto controllable and uncontrollable transitions denoted by119879119888and 119879
119906 respectively (with 119879
119888cap 119879119906= 0 and 119879 = 119879
119888cup 119879119906)
For the sake of simplicity and clarification in this paper thecontrollable transitions are depicted as white bars while theuncontrollable ones as black bars
A TPN is called bounded if for every reachable marking119872 there is a bound 119887 isin N119901 where 119872 le 119887 holds In thiscondition 119901 stands for the number of places in 119875
Let 119872 be a marking and 119905 a transition Transition 119905 isenabled for 119872 if and only if all required tokens for firing 119905are present in 119872 that is forall119901 isin 119875 119872(119901) ge Pre(119901 119905) Firingof 119905 leads to the marking 1198721015840 defined by forall119901 isin 119875 119872
1015840(119901) =
119872(119901) minus Pre(119901 119905) + Post(119901 119905) We denote En(119872) the set oftransitions enabled for 119872 that is En(119872) = 119905 isin 119879 | forall119901 isin
119875Pre(119901 119905) le 119872(119901) For 119905 isin En(119872) we denote CF(119872 119905)
the set of transitions enabled in119872 but in conflict with 119905 thatis CF(119872 119905) = 119905
1015840isin En(119872) | 119905
1015840= 119905 or exist119901 isin 119875119872(119901) lt
Pre(119901 1199051015840) + Pre(119901 119905) Let 119905 isin En(119872) and 1198721015840 the successormarking of119872 by 119905 a transition 1199051015840 is said to be newly enabledin 1198721015840 if and only if 1199051015840 is not enabled in the intermediate
marking (ie119872 minus Pre(sdot 119905)) or 1199051015840 = 119905 We denote New(1198721015840 119905)the set of transitions newly enabled 1198721015840 by firing 119905 from119872that is New(1198721015840 119905) = 119905
1015840isin En(1198721015840) | 119905 = 119905
1015840or exist119901 isin
1198751198721015840(119901) minus Post(119901 119905) lt Pre(119901 1199051015840)
The TPN state is defined as a pair (119872 Id) where 119872 is amarking and Id is a firing interval function (Id En(119872) rarr
Q+ times (Q+ cup infin)) The initial state is (1198720 Id0) where119872
0is
the initial marking and Id0(119905) = Is(119905) for 119905 isin En(119872
0) Let
(119872 Id) and (1198721015840 Id1015840) be two states of the TPNmodel 120579 isin R+
and 119905 isin 119879 The transition relation rarr over states is defined asfollows
(i) (119872 Id) 120579997888rarr (1198721015840 Id1015840) also denoted by (119872 Id) + 120579 if
and only if the state (1198721015840 Id1015840) is reachable from state(119872 Id) after 120579 time units that is ⋀
1199051015840isinEn(119872)120579 le uarr
Id(1199051015840)1198721015840 = 119872 and forall11990510158401015840 isin En(1198721015840) Id1015840(11990510158401015840) = [Max(darrId(11990510158401015840) minus 120579 0) uarr Id(11990510158401015840) minus 120579]
(ii) (119872 Id) 119905997888rarr (1198721015840 Id1015840) if and only if the state (1198721015840 Id1015840)
is reachable from the state (119872 Id) by immediatelyfiring transition 119905 that is 119905 isin En(119872) darr Id(119905) = 0forall119901 isin 119875 119872
1015840(119901) = 119872(119901) minus Pre(119901 119905) + Post(119901 119905) and
forall1199051015840isin En(1198721015840) Id1015840(1199051015840) = Is(1199051015840) if 1199051015840 isin New(1198721015840 119905) and
Id1015840(1199051015840) = Id(1199051015840) otherwise
The TPN state space is the structure (Q rarr 1199020) where
1199020
= (1198720 Id0) is the initial state of the TPN and
Q = 119902 | 1199020
lowast
997888rarr 119902(
lowast
997888rarr being the reflexive and transitive closureof the relation rarr defined above) is the set of reachable statesof the model A run in the TPN state space (Q rarr 119902
0) of a
state 119902 isin Q is amaximal sequence120588 = 1199021
1205791
997888rarr 1199021+1205791
1199051
997888rarr 1199022
1205792
997888rarr
1199022+ 1205792
1199052
997888rarr 1199023 such that 119902
1= 119902 By convention for any
state 119902119894 the relation 119902
119894
0
997888rarr 119902119894holds The sequence 120579
1119905112057921199052
is called the timed trace of 120588 The sequence 11990511199052 is called
the firing sequence (untimed trace) of 120588 A marking 119872 isreachable if and only if exist119902 isin Q st its marking is 119872 Runs(resp timeduntimed traces) of the TPN are all runs (resptimeduntimed traces) of the initial state 119902
0
To use enumerative analysis techniques with time Petrinets their generally infinite state spaces are abstractedAbstraction techniques construct by removing some irrel-evant details a finite contraction of the state space of themodel which preserves properties of interest For best perfor-mances the contraction should also be the smallest possibleand computed with the minimal resources in terms of timeand space The preserved properties are usually verifiedusing standard analysis techniques on the abstractions [12]Several state space abstraction methods have been proposedin the literature for time Petri nets (the state class graph(SCG) [13] the zone based graph (ZBG) [14] etc) Theymay differ in the characterization of states (interval or clockstates) the state agglomeration criteria the abstract statesrepresentation the preserved properties (markings linear orbranching properties) and their size
These abstractions are finite for all bounded time Petrinets However abstractions based on clocks are less inter-esting than the interval-based abstractions when only linearproperties are of interest Indeed abstractions based onclocks do not enjoy naturally the finiteness property forbounded TPN with unbounded intervals as it is the case forabstractions based on intervals The finiteness is enforcedusing an approximation operation which may involve someoverhead computation The algorithm of [9] is based on thestate class graph method
21 The State Class Graph Method In the state class graphmethod [13] all states reachable by the same firing sequencefrom the initial state are agglomerated in the same node andconsidered modulo the relation of equivalence defined bytwo sets of states are equivalent if and only if they have thesamemarking and the same firing domain (the firing domainof a set of states is the union of the firing domains of its states)All equivalent sets are agglomerated in the same node called astate class defined as a pair 120572 = (119872 119865) where119872 is a markingand 119865 is a formula which characterizes the firing domain of120572 For each transition 119905
119894enabled in119872 there is a variable 119905
119894 in
119865 representing its firing delay 119865 can be rewritten as a set ofatomic constraints of the form 119905
119894minus 119905119895le 119888 119905
119894le 119888 or minus119905
119895le 119888
where 119905119894 119905119895are transitions 119888 isin Q cup infin and Q is the set of
rational numbers (for economy of notation we use operatorle even if 119888 = infin)
Each domain is expressed by the canonical form that isusually encoded by a difference bound matrix (DBM) [15]The canonical form of 119865 is encoded by the DBM 119863 (a square
4 Journal of Engineering
matrix) of order |En(119872)| + 1 defined by forall119905119894 119905119895isin En(119872) cup
1199050 119889119894119895= (le Sup
119865(119905119894minus 119905119895)) where 119905
0(1199050notin 119879) represents
a fictitious transition whose delay is always equal to 0 andSup119865(119905119894minus 119905119895) is the largest value of 119905
119894minus 119905119895in the domain of 119865
Its computation is based on the shortest path Floyd-Warshallrsquosalgorithm and is considered as the most costly operation(cubic in the number of variables in 119865) The canonical formof a DBM makes some operations over formulas like the testof equivalence easier Two formulas are equivalent if and onlyif the canonical forms of their DBMs are identical
The initial state class is 1205720
= (1198720 1198650) where 119865
0=
⋀119905119894isinEn(119872
0)darr Is(119905
119894) le 119905
119894le uarr Is(119905
119894) Let 120572 = (119872 119865) be
a state class and 119905119891a transition and succ(120572 119905
119891) the set of
states defined by succ(120572 119905119891) = 119902
1015840isin Q | exist119902 isin 120572 exist120579 isin
R+ st 119902
120579
997888rarr 119902 + 120579
119905119891
997888rarr 1199021015840 The state class 120572 has a successor
by 119905119891(ie succ(120572 119905
119891) = 0) if and only if 119905
119891is enabled in 119872
and can be fired before any other enabled transition that isthe following formula is consistent 119865 and (⋀
119905119894isinEn(119872)119905119891 le 119905
119894)
A formula F is consistent if and only if there is at least onetuple of values that satisfies at once all constraints ofF In thiscase the firing of 119905
119891leads to the state class 1205721015840 = (119872
1015840 1198651015840) =
succ(120572 119905119891) computed as follows [13]
(1) forall119901 isin 1198751198721015840(119901) = 119872(119901) minus Pre(119901 119905119891) + Post(119901 119905
119891)
(2) 1198651015840 = 119865 and (⋀119905119894isinEn(119872)119905119891 minus 119905119894 le 0)
(3) Replace in 1198651015840 each 119905119894= 119905119891 by (119905
119894+ 119905119891)
(4) Eliminate by substitution 119905119891and each 119905
119894of transition
conflicting with 119905119891in119872
(5) Add constraint darr Is(119905119899) le 119905
119899leuarr Is(119905
119899) for each
transition 119905119899isin New(1198721015840 119905
119891)
Formally the SCG of a TPN model is a structure (CCrarr 1205720) where 120572
0= (119872
0 1198650) is the initial state class forall119905
119894isin
119879 120572
119905119894
997888rarr 1205721015840 iff 120572
1015840= succ(120572 119905
119894) = 0 and CC = 120572 |
1205720
lowast
997888rarr 120572 The SCG is finite for all bounded TPNs andpreserves linear properties [16] Let 120572 = (119872 119865) be a stateclass and 120596 isin 119879
+ a sequence of transitions firable from120572 We denote succ(120572 120596) the state class reachable from 120572 byfiring successively transitions of 120596 We define inductively thisset as follows succ(120572 120596) = 120572 if 120596 = 120598 and succ(120572 120596) =succ(succ(120572 1205961015840) 119905
119894) if 120596 = 120596
1015840sdot 119905119894
As an example Figure 2 shows the state class graph ofthe TPN presented at Figure 1 Its state classes are reportedin Table 1
Let120596 be a sequence of transitions firable from 120572 the sametransitionmay be newly enabled several times To distinguishamong different enablings of the same transition 119905
119894 we denote
119905119896
119894for 119896 gt 0 the transition 119905
119894(newly) enabled by the kth
transition of the sequence 1199050119894denotes the transition 119905
119894enabled
in 119872 Let 120596 = 1199051198961
1 119905
119896119898
119898isin 119879+ with 119898 gt 0 be a sequence
of transitions firable from 120572 st succ(120572 120596) = 0 We defineFire(120572 120596) the largest subclass 1205721015840 of 120572 (ie 1205721015840 sube 120572) st 120596is firable from all its states that is Fire(120572 120596) = 119902
1isin
120572 | exist1205791 120579
119898 1199021
1205791
997888rarr 1199021+1205791
1199051198961
1
997888997888rarr 1199022 119902
119898+120579119898
119905119896119898
119898
997888997888rarr 119902119898+1
1199051[0 4]
1199053[2infin[ 1199054[0 1]
1199052[2 3]
11990121199011
11990141199013
Figure 1 A simple Petri net with 119879119888= 1199051
1205720
1205723
1205726 1205724 1205725
12057221205721 1199054
1199052
1199053 1199051
1199052
1199051
1199052
1199053
1199054
Figure 2 The state graph of the TPN presented at Figure 1
3 Literature Review
The idea of suspension and resumption of a task in asystem is modeled in different ways in timed automataand time Petri nets [2ndash4 17 18] In [2] the authors haveintroduced stopwatch automata (SWA) as a subclass of timedlinear hybrid automata In stopwatch automata an additionalbinary variable is defined to show the rate of time progressionThe clocks may have two velocities (time derivation) zeroor one Zero signifies stopped while one signifies normalprogress If clocks are running they progress with a globalrate identical to all nonstopped clocks of the model Theauthors have shown that stopwatch automata is as expressiveas timed languages
In [3] the authors have introduced inhibitor hyperarcs tointerrupt an enabled transition Once a place 119901 connected toa transition 119905 via an inhibitor arc is marked the transition 119905 issuspended and stops firing In other words once an inhibitorarc is enabled the corresponding transition is interruptedThey have called these nets IHTPN (time Petri nets withinhibitor hyperarcs) In Figure 3 119905
1is enabled As soon as
1198752is marked firing 119905
1is suspended Note that an inhibitor
hyperarc is not graphically presented by a classical arrowinstead it is depicted with an empty circle at the extreme ofthe edge
In [17] the authors have discussed an extension of timePetri nets adapted for scheduling This extension is calledscheduling extended time Petri nets (SETPN) SETPN issuitable to model concurrent tasks and shared resources withfixed priorityThe behavior of scheduler is implicitly included
Journal of Engineering 5
Table 1 The state classes of the TPN presented at Figure 2
1205720 1199011+ 1199012
0 le 1199051le 4 and 2 le 119905
2le 3 120572
1 1199012+ 1199013
0 le 1199052le 3 and 2 le 119905
31205726 1199014
1205722 1199011+ 1199014
0 le 1199051le 2 120572
3 1199013+ 1199014
0 le 1199053and 0 le 119905
4le 1
1205724 1199012
0 le 1199052le 1 120572
5 1199013+ 1199014
2 le 1199053lt infin and 0 le 119905
4le 1
1199051[1198861 1198862]
11990121199011
1199013
Figure 3 A simple example of time Petri nets with inhibitorhyperarc 119905
1is active if 119901
2is not marked otherwise it is suspended
in the model and the scheduler is not modeled as a separateagent
In [17] time Petri nets are associated with two moreproperties 120574 and 120596 standing for resource allocation andpriority respectively As an example suppose two differentconcurrent tasks sharing the same resource (120574 is identical forboth) Although both transitions are enabled the one with ahigher priority is activewhile the other is suspended For eachmarking 119872 a function Act determines whether 119872 is activeor not
The time Petri nets presented in [17] assign both pri-ority and resources to places It is particularly suitable forscheduling approaches State space analysis is done map-ping scheduling Petri nets to hybrid automata (state classstopwatch automata) The advantage of this solution is usingan automated tool like HYTECH [19] already existing formanipulation of hybird automata
Another extension of time Petri nets called preemptivetime Petri nets is discussed in [18] Preemptive time Petrinets are suitable for scheduling and preemptive approachesIn Preemptive time Petri nets resource and priority arecharacteristics of transitions while in SETPN they wereassigned to places The preemptive time Petri nets as well asscheduling extended time Petri nets are adapted specificallyfor scheduling purposes with fixed priority rather thangeneral cases of interruption and resumption of some tasksA more generalized model comes in [4 5]
Another stopwatch model comes in [4 5] Post- and Pre-initialized stopwatch Petri nets (SWPN) [4 5] also modelinterruption and retrieving of tasks In such stopwatch Petrinets transitions are partitioned into two disjoint subclasses119879 = 119879int cup 119879no-int where 119879int is the set of interruptible tran-sitions and 119879no-int is the set of noninterruptible transitionsStopwatches can suspend enabled interruptible transitionsFor each transition 119905
119894 there is a function 119907(119905
119894) representing the
value of its associated stopwatch If 119905119894isin 119879int 119907(119905119894) signifies the
time elapsed since 119905119894was first enabled whereas if 119905
119894isin 119879no-int
119907(119905119894) represents the time elapsed since 119905
119894was last enabled
119905susp[120582 1205822]1
1199052[120572 120573]
1199051[0 0]
119905resu[1205741 1205742]
1199012
1199011
1199013
Figure 4 An interruptible task modeled by SWPN reported from[4]
A transition is called firable if it is enabled (119872 gt Pre(119905119894)) and
darr Is(119905119894) le 119907(119905
119894) le uarr Is(119905
119894)
In contrary with IHTPN where a marked place sus-pended an enabled transition in this model stopwatchconsumes some tokens to disable an enabled transition Itis implemented by means of some extra placestransitionsA stopwatch transition is in conflict with an interruptibletransition Thus consuming a token can suspend an inter-ruptible enabled transition With this model an interrupt isunpredictable and we do not know when it happens In factat any time the interruptible task and the interrupt both haveequal chance to happen The simple Petri nets of Figure 4reported from [4] are a simple example of SWPN of aninterruptible task
Let 119905119894be a transition and119872 a marking 119905
119894is called
(i) enabled If119872 ge Pre(119905119894) denoted by 119905
119894isin En(119872)
(ii) firable If 119905119894isin En(119872)and darr Is(119905
119894) le 119907(119905
119894) le uarr Is(119905
119894)
denoted by 119905119894isin Firable(119872)
(iii) suspended If Pre(119905119894) gt 119872 and 119907(119905
119894) gt 0 denoted by
119905119894isin susp(119872)
The notion uarr enabled(119905119894119872 119905119896) indicates that 119905
119894is newly
enabled by firing of 119905119896at marking119872
The new concept Preinitialization defined in this modelrefers to noninterruptible transitions For every 119905
119894isin 119879no-int
119905119894is firable if 119907(119905
119894) has already been initialized when 119905
119894
becomes enabled In other words 119907(119905119894) = 0 when 119905
119894isin
uarr enabled(119905119894119872 119905119896)
The concept postinitialization is defined for interruptibletransitionsWhen an interruptible transition is fired the asso-ciated 119907(119905
119894) is initialized (119907(119905
119894) = 0) Figures 5 and 6 reported
from [4] show the difference between time evolution in aninterruptible transition and a noninterruptible transition Inthese figures the notions 119864119863 and 119865 stand for enablingdisabling and firing of a transition respectively
6 Journal of Engineering
119907(119905119894)
119864 119864 119864119863 119865
Time
Figure 5 Time elapses 119905119894is an interruptible transition
119907(119905119894)
119864 119864119863 119865
Time
Figure 6 Time elapses 119905119894is a noninterruptible transition
In brief according to the types of transitions two types ofclock initialization are defined
(i) Preinitialization Given a transition 119905119894
isin 119879no-intwhere119879no-int is the set of noninterruptible transitionsclock initialization is called preinitialization happen-ing when 119905
119894is recently enabled As soon as a transition
becomes enabled its associated clock is initialized(ii) Postinitialization Given a transition 119905
119894isin 119879int where
119879int is the set of interruptible transitions clock initial-ization is called post-initialization happening after fir-ing 119905119894 it means that the transition initializes the clock
after being fired Post-initialization is dependent ontransition firing
In [4] continuous and discrete transitions are defined asfollows
Let 119889 isin R+ a continuous transition is denoted by(119872 119907)
119889
997888rarr (119872 1199071015840) iff forall119905
119894isin 119879
(i) 1199071015840(119905119894) = 119907(119905
119894) if the transition 119905
119894is not enabled
(ii) 1199071015840(119905119894) = 119907(119905
119894) + 119889 if 119905
119894is enabled
(iii) 119872 ge Pre(119905119894) rArr 119907
1015840le uarr Is(119905
119894)
And a discrete transition is denoted by (119872 119907)
119905119894
997888rarr (1198721015840 1199071015840)
iff forall119905119894isin 119879
(i) 119905119894isin Firable(119872)
(ii) 1198721015840 = 119872 minus Pre(119905119894) + Post(119905
119894)
(iii) 1199071015840(119905119894) = 0 if 119905
119894isin 119879int (postinitialization)
(iv) forall119905119896isin 119879 1199071015840(119905
119896) =
(a) 0 if 119905119896isin uarr enabled(119905
119896119872 119905119894) (preinitialization)
(b) 119907(119905119894) Otherwise
In order to perform further timing analysis the sameas scheduling extended time Petri nets of [17] the SWPNis transformed to hybrid automaton In addition a forwardalgorithm is suggested to compute reachable states
If the number of stopwatches increases for exampleif all of the transitions are interruptible the complexityof calculation will highly increase Scheduling time Petrinets and preemptive time Petri nets are both subclasses ofstopwatch Petri nets An ordinary TPN is also a SWPNwhere119879int = 0
After having a survey on different stopwatch Petri netsavailable in the literature in the following wewill have a briefreview on the algorithm of [9] and then investigate how tointegrate stopwatch in the controller synthesis approach of[9]
4 Safety Controller Synthesis ApproachProposed in [9]
Let N be a TPN with controllable and uncontrollable tran-sitions (119879 = 119879
119888cup 119879119906) and a set of markings to be avoided
(bad) For a safety property the approach proposed in [9] (seeAlgorithms 1 and 2) consists of exploring on-the-fly and pathby path the state class graph of the TPN N while collectingthe bad sequences and the losing states (sequences or statesthat lead to bad markings) The list Passed is used to retrievethe set of state classes processed so far their bad sequencesand their losing subclasses For a given state class 120572 and abad sequence 120596 feasible from 120572 the function Fire is used tocompute forwardly all states of 120572 which lead by a sequence oftransitions to an undesirable marking (ie a losing subclassof 120572) The function explore receives parameters 120572 being theclass under process 119905 the transition leading to 120572 and Cthe set of traveled classes in the current path Succinctlyit recursively computes the bad sequences of 120572 (from badsequences of its successors) and verifies whether or not 120572can be controlled so as to avoid its bad sequences It returnsthe set of bad sequences if they cannot be avoided from 120572Otherwise it returns an empty set which means that 120572 canbe controlled (ie 120572 has no bad sequences or there is at leastone controllable transition 119905
119888such that its firing interval in
120572 can be restricted so as to avoid reaching bad states) Therestriction of the interval of 119905
119888in 120572 is obtained by subtracting
from its interval in 120572 intervals of 119905119888in its bad subclasses
This approach tries to control the system behavior start-ing from the last to the first state class of bad paths If it failsto control a state class of a path so as to avoid all bad stateclasses the algorithm tries to control its previous state classesIf it succeeds to control a state class there is no need to controlits predecessors The aim is to limit as little as possible thebehavior of the system (more permissive controller)
In [20] we have proven that this approach gives themaximally permissive controller and if it fails to compute the
Journal of Engineering 7
Functionmain (TPNN Markings bad)WhereN is a TPNbad is a set of bad markingsLet 119879
119888be the set of controllable transitions of N and
1205720the initial state class of N
Passed = 0If (explore (120572
0 120598 1205720) = 0) then
Controller does not existreturn
end iffor all ((120572 Ω LI) isin Passed) do
Ctrl[120572] = ⋃(119905119888 119905119904 BI)isinLI(119905119888 119905119904 INT (120572 119905119888 minus 119905119904) minus BI)
end for(lowastRemarks)120572 = (119872 119865)En119888(119872) = En(119872) cap 119879
119888
En0119888(119872) = En
119888(119872) cup 119905
0
New119888(119872 119905) = New(119872 119905) cap 119879
119888
New(1198720 120598) = En(119872
0)
1199050is a fictitious transition whose time variable is fixed at 0
Dep (120572 119905 LI) equivexist(119905119888 119905119904BI) isin LI 119905
119888notin New(119872 119905) and (119905
119904notin New(119872 119905)or
INT (120572 119905119888minus 1199050) sube ⋂
119868isinBI(119868 oplus INT (120572 119905119904minus 1199050)))
Algorithm 1 On-the-fly algorithm for the safety control of TPN-Part I
Function Traces explore (Class 120572 Trans 119905 ClassesC)if (existΩ LI st (120572 Ω LI) isin Passed) then
if (Ω = 0 and Dep (120572 119905 LI)) thenreturn 119905 sdot 120596 | 120596 isin Ω
end ifreturn 0
end ifif (119872 isin bad) then
return 119905end ifTraces Ω = 0for all 1199051015840 isin En(119872) st succ (120572 1199051015840) = 0 and succ (120572 1199051015840) notin C
doΩ =Ω cup explore (succ (120572 1199051015840) 1199051015840C cup succ (120572 1199051015840))
end for Ω contains all bad sequences of 120572if (Ω = 0) then
Passed = Passed cup (120572 0 0)return 0
end ifLI = (119905
119888 119905119904BI) | (119905
119888 119905119904) isin En
119888(119872) times En0
119888(119872) and
BI = ⋃120596isinΩ
INT (Fire (120572 120596) 119905119888minus 119905119904) sub INT (120572 119905
119888minus 119905119904)
Passed = Passed cup (120572Ω LI)if (Dep (120572 119905 LI)) then
return 119905 sdot 120596 | 120596 isin Ω
end ifreturn 0
Algorithm 2 On-the-fly algorithm for the safety control of TPN-Part II
8 Journal of Engineering
Explore (1205720 120598 1205720)Returnempty
Explore (1205721 1199051 1205720 1205721)Return 119905111990521199053 11990511199053
Explore (1205723 1199052 1205720 1205721 1205723)
Explore (1205726 1199053 1205720 1205721 1205723 1205726)Return 1199053
Explore (1205725 1199051 1205720 1205722 1205725)Returnempty
Explore (1205722 1199052 1205720 1205722)Returnempty
Explore (1205724 1199053 1205720 1205721 1205724)
1205721
1205720
1205726
1205723
1199053
11990521199051
1205724
1205725
1199052
1199053
1199051
1205722
Return 1199053
Return 11990521199053
Figure 7 Applying Algorithms 1 and 2 on the TPN at Figure 1 forAG not 119901
1+ 1199013= 0
controller then the controller does not exist We have alsoinvestigated the hardness complexity of the approach step bystep
(i) The complexity of computing BI of a state class (inworst case) is119874(119870times119871times119899
119905
2)where119870 is the number of
paths starting from the state class and leading to badmarkings 119871 is the maximal length of such paths and119899119905is the number of transitions in the model
(ii) The complexity for computing Dep relation used inAlgorithms 1 and 2 is119874(|LI|times119898times|BI|) where119898 is thenumber of places in the model (complexity of testingNew(119872 119905))
In [14] the authors have discussed the completenesscomplexity for bounded TPNs They have proven that modelchecking of TPN-TCTL formula on a bounded TPN isPSPACE-complete
Let us explain this approach by means of an exampleConsider the TPN shown at Figure 1 its state class graphpresented at Figure 2 and its state classes reported in Table 1Suppose that only 119905
1is controllable (ie 119879
119888= 1199051) and we
want to avoid reaching markings where places 1199011and 119901
3are
both not marked (ie state classes 1205724and 120572
6) by choosing
appropriately the firing intervals of 1199051 For this example we
have 119879119888= 1199051 bad = 119901
2 1199014 Passed = 0 and 120572
0=
(1199011+ 1199012 0 le 119905
1le 4 and 2 le 119905
2le 3)
The process starts by calling explore(1205720 120598 1205720) (see
Figure 7) Since 1205720is not in Passed and its marking is not
forbidden explore is successively called for the successorsof 1205720 explore(120572
1 1199051 1205720 1205721) and explore(120572
2 1199052 1205720 1205722) In
explore of 1205721 function explore is successively called for 120572
3
and 1205724 In explore of 120572
3 function explore is called for the
successor 1205726of 1205723by 1199053 explore(120572
6 1199053 1205720 1205721 1205723 1205726 For the
successor of 1205723by 1199054(ie 120572
0) there is no need to call explore
as it belongs to the current path Since 1205726has a forbidden
marking explore of 1205726returns to explore of 120572
3with 119905
3
which in turn adds (1205723 11990521199053 0) to Passed and returns to
explore of 1205721with 119905
21199053
In explore of 1205721 function explore is called for 120572
4
(explore(1205724 1199053 1205720 1205721 1205724)) This call returns to explore of
1205721 with 119905
3 since 120572
4has a forbidden marking In explore
of 1205721 the tuple (120572
1 11990521199053 1199053 0) is added to Passed and
119905111990521199053 11990511199053 is returned to explore of 120572
0 Then explore
of 1205720
calls explore(1205722 1199052 1205720 1205722) which in turn calls
explore(1205725 1199051 1205720 1205722 1205725) Since 120572
5has only one successor
(1205720) and this successor belongs to the current path the call of
explore for 1205725adds (120572
5 0 0) to Passed and returns to explore
of 1205722with 0 which in turn returns to explore of 120572
0
After exploring both successors of 1205720 in explore of 120572
0 we
get inΩ = 119905111990521199053 11990511199053 the set of bad paths of 120572
0 As the state
class 1205720has a controllable transition 119905
1 its bad subclasses are
computed Fire(1205720 119905111990521199053) = (119901
1+ 1199012 0 le 119905
1le 2 and 2 le
1199052le 3 and 1 le 119905
2minus 1199051le 3) and Fire(120572
0 11990511199053) = (119901
1+ 1199012 0 le
1199051le 1 and 2 le 119905
2le 3 and 2 le 119905
2minus 1199051le 3) The firing interval
of 1199051in 1205720([0 4]) is not covered by the union of intervals
of 1199051in bad subclasses of 120572
0([0 2] cup [0 1] = [0 4]) Then
(1205720 119905111990521199053 11990511199053 (1199051 1199050 [0 2])) is added to Passed As 119905
1is
newly enabled the empty set is returned to the functionmainwhich concludes that a controller exists According to the listPassed 120572
0needs to be controlled (Ctrl[120572
0] = (119905
1 1199050 [0 4] minus
[0 2])) For all others there is nothing to do
5 Controller Synthesis and Stopwatch
In this section we consider time Petri nets with control-lableuncontrollable transitions and show how such a systemis controlled by associating some of the controllable transi-tions with stopwatch First we apply the on-the-fly algorithmof [9] and calculate the appropriate controller Then insteadof restricting time intervals of corresponding controllabletransitions we associate them with stopwatch In fact wesuspend some transition during its bad subinterval to controla system so as to satisfy a given property
We consider the inhibitor hyperarcs of [3]The controllershall suspend a controllable transition in its bad subintervaland retrieve it otherwise Let us remember the example ofFigure 1 with the state class graph of Figure 2 and Table 1We have seen that in order to prevent the system enteringthe forbidden state classes 120572
4and 120572
6 the controller should
prevent 1199051from firing before ]2 4] Thus an inhibitor hyper-
arc is added to the transition 1199051 This inhibitor hyperarc
connects 1199051to a place called119901susp At the beginning this place
is marked and then 1199051is suspended At [2 2] the token of
119901susp is consumed and the corresponding hyperarc becomesdisabled The controllable transition 119905
1is now firable again
The token is returned to place 119901susp after 1199051 is fired Thus thecontroller suspends 119905
1during its bad subinterval and resumes
it after then At the beginning all clocks are initialized to zeroThen time elapses but in [0 2] this transition is suspendedand hence its clock does not elapse anymore Later at time[2 2] this transition is retrieved and becomes active Wedo not need to delay it anymore that is why the lowerbound of the interval associated with 119905
1is modified to 0
Now the clock starts elapsing Within 2 time units 1199051should
be fired (ie when the actual time of the general clock ofthe system reaches to 4) Then the interval associated with
Journal of Engineering 9
0 1 2 3 40
1
2
119907(1199051)
Time
119907(1199051) ne 0
119907(1199051) = 0
Figure 8 Clock evaluation of 1199051in the controlled TPN of Figure 9
1199051in a controlled TPN associated with stopwatch is [0 2]
Figure 8 represents the clock evaluation of the transition 1199051
The controlled Petri nets of this example are presented inFigure 9
In summary our goal is to synthesize the state class graphof the system through Algorithms 1 and 2 (see [9]) andcalculate bad subintervals of the corresponding controllabletransitions Then suspend the appropriate controllable tran-sitions during their bad subintervals Note that in [9] wewererestricting and limiting time intervals while in this approachthe idea is to delay and suspend them In this research wesuppose every controllable transition can be associated witha stopwatch if needed As explained earlier in Section 1 ina multitasking system with periodic tasks only execution ofa task is controllable Then those transitions modeling thetask executions are considered controllable and consequentlycould be suspended and retrieved
Above we have shown how to control a system whenthe bad subinterval is at the beginning of the firing inter-val What if the acceptable subinterval is at the beginningand bad subintervals are after Consider the example ofFigure 10 A controllable transition 119905
1is associated with firing
interval [119886 119887] Suppose that based on Algorithms 1 and 2the subinterval [119886 120572
1] is acceptable while ]120572
1 119887] is a bad
subinterval where 119886 le 1205721lt 119887 The controlled time Petri
nets are presented in Figure 11 Figure 12 represents the clockevaluation of 119905
1and shows how the new interval associated
with 1199051is calculated In [0 119886[ 119901susp is marked and 119905
1is neither
active nor enabled Meanwhile at the time 119886 1199051199031
becomesenabled and is fired consuming the token in 119901suspThus rightat 119886 the transition 119905
1becomes active and its associated clock
starts elapsing Note that associated stopwatch delays 1199051for
119886 time units and we do not want to delay it anymore thenthe lower bound of the new associated interval in controlledTPN is 0 After 120572
1time units 119905
1199032is fired and 119901susp becomes
marked again Consequently 1199051is suspended
Consider the same example of Figure 10 and this timesuppose that Algorithms 1 and 2 give the following output
[119886 1205721[ is acceptable [120572
1 1205722[ is a bad subinterval [120572
2 119887]
is acceptable where the condition 119886 lt 1205721lt 1205722le 119887 holds
1199051[0 2]
1199053[2infin[ 1199054[0 1]
1199052[2 3]119905resu [2 2]
119875susp
11990121199011
11990141199013
Figure 9 Time Petri net of Figure 1 controlled by inhibitor hyper-arcs (119879
119888= 1199051)
1199051[119886 119887]
1199012
1199013
Figure 10 A simple time Petri net (119879119888= 1199051)
With the same idea the controlled Petri nets are presented inFigure 13 and the clock evaluation of 119905
1is shown in Figure 14
51Why InhibitorHyperarcs Wehave shown how to achievea controlled model from an uncontrolled time Petri netsby adding inhibitor hyperarcs One question is why amongdifferent types of stopwatch inhibitor hyperarcs are chosenIs it possible to use another stopwatch model The answeris yes but inhibitor hyperarcs provide more flexibility andless complication Let us see if this idea is feasible using othertypes of Petri nets with stopwatch
We consider the post- and preinitialized Petri nets pro-posed in [4 5] for stopwatch and try to control amodel wherea controllable transition associated with time interval [119886 119887]has a bad subinterval [119886 120572] Based on our hypothesis thecontroller should suspend the controllable transition at [119886 119886]and resume it at [120572 120572] The characteristic of post and pre-initialized Petri nets is that they consume the same tokenof the original model and in addition the exact time whenthe model becomes suspended is unknown as stopwatchtransition and original transition have the same chance forfiring At the first glance the idea is feasible by adding oneplace and two transitions However there are some issuesWeexplain the problem through an example
We consider the same example of Figure 1 The suggestedcontrolled model using post and pre-initialized Petri netscomes in Figure 15The controllable transition 119905
1is associated
with stopwatchThe stopwatch interrupts the task at [0 0] andresume it at [2 2] The problem is at [0 0] both transitions1199051and 119905sus are enabled with equal chance of firing whereas
in order to have a controlled model 119905sus should fire at [0 0]before 119905
1 Thus the controller fails unless if we modify the
interval associated to 1199051to ]0 2] which is not of interest in
this approach
10 Journal of Engineering
1199051[0 1205721 minus 119886[
1199051199032[1205721 minus 119886 1205721 minus 119886]
1199051199031[119886 119886]
1199012
1199013
1199011199040
1199011199041
119901susp
Figure 11The controlledTPNof Figure 10 using inhibitor hyperarcs(119879119888= 1199051) Forbidden interval is ]120572
1 119887] where 119886 le 120572
1lt 119887
Time0
01205721
119907(1199051) 119907(1199051) = 1205721 minus 119886
119886 119887
1205721 minus 119886
119907(1199051) = 0
Figure 12 Clock evaluation of 1199051in the controlled TPN of Figure 10
Forbidden interval is ]1205721 119887] where 119886 le 120572
1lt 119887
1199051[0 119887 minus 119886 + 1205721 minus 1205722]
1199051199033[1205722 minus 1205721 1205722 minus 1205721]
1199051199032[1205721 minus 119886 1205721 minus 119886]
1199051199031[119886 119886]
1199013
11990121199011199040
1199011199041
119901susp
1199011199042
Figure 13 A simple time Petri net controlled by inhibitor hyperarcs(119879119888= 1199051) the bad subinterval is [120572
1 1205722[ where 119886 lt 120572
1lt 1205722le 119887
The other alternative is presented at Figure 16 An auxil-iary place 119901
119904solves the problem Hence using the stopwatch
Petri nets suggested in [4 5] it is not easy to give ageneral solution to control a model considering the output ofAlgorithms 1 and 2 In addition the resulting controlled netsare more complicated For example in case the controllabletransition is associated with the interval [119886 119887] where its badsubinterval is [120572 119887] and 119886 le 120572 then the controlled modelbecomes complicated
Time
00
119907(1199051)
119887 minus 119886 + 1205721 minus 1205722
1205721 minus 119886
1205722119886 1198871205721
Figure 14 Clock evaluation of 1199051in a controlled TPN of Figure 10
The forbidden interval is ]1205721 1205722] where 119886 lt 120572
1lt 1205722le 119887
119905sus[0 0]
119905resu[2 2]
1199053[2infin[ 1199054[0 1]
1199051[0 2] 1199052[2 3]
1199012
1199013
119901susp
1199011
1199014
Figure 15 Controlling the example of Figure 1 using stopwatch of[4] The controller fails
119905sus[0 0]
119905resu[2 2]
1199053[2infin[ 1199054[0 1]
1199051[0 2] 1199052[2 3]
1199012
1199013
119901susp
1199011
1199014
119901119904
Figure 16 Controlled model of Figure 1 using stopwatch of [4]
6 Illustrative Example
Suppose the multitasking system depicted in Figure 17 withthe following specifications four tasks 119879
1 1198792 1198793 and 119879
4are
being executed Two tasks 1198793and 119879
4are uncontrollable The
task 1198791is periodic with a period of [6 6] and then its start
execution is controllable Suppose that starting execution of1198792is also controllable 119879
4is depended to 119879
2and 119879
3meaning
that it can be executed only when1198792and1198793are executed Two
tasks1198791and1198792share a common resource On the other hand
1198791enters through a single capacity buffer It means that if 119879
1
is not executed by the end of its period the system will blockIn Figure 7 tasks are modeled by tokens and the execution ofeach task 119879
119894is shown by the transition 119905
119894 If 1198791is not executed
by the end of its period the system enters the state Block and1199055is the transition to be avoided Delay is a placemodeling the
Journal of Engineering 11
Table 2 State classes of the TPN presented at Figure 17
1205720 Delay + 119875
1+ Resource 2 le 119905
2le 3 5 le 119905
3le 6 2 le 119905
1le 2 6 le 119905
5le 6
1205721 Delay + 119875
1+Wait 3 le 119905
3le 4 4 le 119905
5le 4
1205722 Delay + 119875
1+ Resource 2 le 119905
2le 3 3 le 119905
3le 4 2 le 119905
1le 2 6 le 119905
5le 6
1205723 Delay + 119875
3+Wait 0 le 119905
4le 1 0 le 119905
5le 1
1205724 1198751+Wait + Block 0 le 119905
3le 0
1205725 Delay + 119875
1+Wait 1 le 119905
3le 2 4 le 119905
5le 4
1205726 Delay + 119875
1+ Resource 2 le 119905
2le 3 1 le 119905
3le 2 2 le 119905
1le 2 6 le 119905
5le 6
1205727 Delay + Resource + 119875
12 le 1199052le 3 5 le 119905
3le 6 2 le 119905
1le 2 0 le 119905
5le 1
1205728 1198753+Wait + Block 0 le 119905
4le 1
1205729 Delay + 119875
3+Wait 0 le 119905
4le 1 2 le 119905
5le 3
12057210 Delay + 119875
1+Wait 0 le 119905
3le 0 4 le 119905
5le 4
12057211 Delay + Resource + 119875
3
0 le 1199052le 2 0 le 119905
1le 1 4 le 119905
5le 5
0 le 1199052minus 1199051le 1 minus4 le 119905
2minus 1199055le minus3 minus4 le 119905
1minus 1199055le minus4
12057212 Delay + Resource + 119875
12 le 1199052le 3 0 le 119905
3le 0 2 le 119905
1le 2 6 le 119905
5le 6
12057213 Resource + 119875
1+ Block 1 le 119905
2le 3 4 le 119905
3le 6 minus4 le 119905
2minus 1199053le minus2
12057214 Resource + 119875
1+ Block 2 le 119905
2le 3 5 le 119905
3le 6
12057215 Delay + Resource + 119875
12 le 1199052le 3 5 le 119905
3le 6 2 le 119905
1le 2 1 le 119905
5le 3
12057216 Delay + 119875
3+Wait 0 le 119905
4le 1 4 le 119905
5le 4
12057217 Delay + Resource + 119875
32 le 1199052le 3 2 le 119905
1le 2 6 le 119905
5le 6
12057218 1198751+Wait + Block 2 le 119905
3le 4
12057219 Delay + 119875
1+Wait 3 le 119905
3le 4 0 le 119905
5le 1
12057220 Resource + 119875
1+ Block 0 le 119905
2le 2 3 le 119905
3le 5 minus4 le 119905
2minus 1199053le minus2
12057221 Delay + Resource + 119875
12 le 1199052le 3 5 le 119905
3le 6 2 le 119905
1le 2 3 le 119905
5le 4
12057222 Delay + 119875
1+Wait 3 le 119905
3le 4 1 le 119905
5le 2
12057223 1198751+Wait + Block 1 le 119905
3le 3
ResourceDelay
WaitBlock
1199054[0 1]
1199052[2 3]1199051[2 2]1199055[6 6] 1199053[5 6]
1199012
1199011
Figure 17 A periodic system with 119879119888= 1199051 1199052
behavior of the buffer considering the period of the task 1198791
And finally 1198791executes within [2 2] time units 119879
2in [2 3]
1198793within [5 6] and 119879
4in [0 1]
The state class graph of the model is given in Figure 18and Table 2 shows the state class informations Basedon the state class graph of the system the state classes1205724 1205728 12057213 12057214 12057218 12057220 and120572
23are forbidden Let us briefly
trace the algorithm on the state class graph First we followthe algorithm on the left branch where the state classes1205724 1205728 and 120572
13are located The algorithm starts from 120572
0
and is executed recursively to 1205721 then 120572
3 1205727and finally
reaches to 12057213with a forbidden markingThen it comes back
to 1205727with 119905
5 and to 120572
3with 119905
41199055 The other successor
available from 1205723is 1205728which is also forbidden Till now
there is no enabled controllable transition to avoid theseclasses and the algorithm continues returning back to 120572
1
with 119905311990541199055 11990531199055 The other successor available from 120572
1
is 1205724which is also forbidden Thus it returns back to
1205720with 119905
2119905311990541199055 119905211990531199055 11990521199055 The other successor available
from 1205720is 1205722which is safe and the algorithm continues to
1205725 1205729 12057215 12057219 and finally 120572
18which is a forbidden state
Then it goes back to 12057219
with 1199055 and consequently to 120572
15
with 11990521199055 The other successors available from 120572
15are the
forbidden state 12057220and 120572
2which is already under processing
Note that two enabled controllable transitions are available at12057215 but the controller cannot act at this level because 119905
5may
fire before 1199051or 1199052and lead to a forbidden state Then the
algorithm continues and returns back to 1205729with 119905
411990521199055 11990521199055
where no controllable transition is available Consequentlythe algorithm continues and returns back to 120572
5and finally
reaches to 1205722where newly enabled controllable transitions
are available Till now the path to be avoided at 1205722includes
11990521199053119905411990521199055 1199052119905311990541199055
The procedure is similar for the other path availablefrom 120572
2including 120572
6and its successors The forbidden state
reachable through this path is 12057223and in order to avoid this
forbidden state the controller can act at 12057221with two enabled
controllable transitions So nothing is returned to 1205722from
this path Having a closer look to the state class graph andthe output of the algorithm we conclude that at each statewhere 119905
1and 1199052are newly enabled and the controller should
act (ie 1205720 1205722 and 120572
21) the controller should force 119905
1to fire
before 1199052(ie 119905
2minus 1199051gt 0) In other words 119905
2should not be
active at [2 2] It is sufficient to add an inhibitor hyperarcto deactivate 119905
2at [2 2] The controller cannot act at the
12 Journal of Engineering
1205721
1205727
1205720 12057261199051 1199051
1199051
1199055
11990511199052
1205722
1205723
11990511199053
12057212
12057223 12057222
11990511199052
1199052
11990531199053
12057211
11990531199053
1199054
1199053
1199053
1199053
1199052
1199052
1199052
1199052
1199052
1199052
12057210
1199055
1199055
1199055
119905511990551199054 119905212057216 1205721712057220
12057215
1199051
1199054
12057213
12057218
12057219
12057214
1205724
1199054 1205729
1205725
120572211205728
Figure 18 The state class graph of the TPN presented at Figure 17
1199054[0 1]
1199052[0 1]1199051[2 2]
1199055[6 6]
1199053[5 6]
ResourceDelay
Wait
Block
1199012119901susp
1199011
Figure 19 Controlled model of Figure 17 using inhibitor hyperarcs
state class 12057215
as discussed earlier and has nothing to do atthe state class 120572
6(the permissive controller will act later at
the state class 12057221) Note that a state class like 120572
14which is
reachable through a forbidden state (1205728) is not processed by
the algorithm as it is supposed to be avoided in the controlledsystem The controlled model using inhibitor hyperarcs isgiven at Figure 19
Our model is now safe Yet some challenges exist Lookat the state class graph of the model presented at Figure 18In some paths one task is executed frequently while othersare still waiting For example see the paths leading to 120572
17
Although the system is not blocked some of the tasks cannotbe executed A good scheduler had better to performdifferenttasks alternatively We may want to consider alternationparticular sequences add a deadline for each task or otherpossible policies And finally we may ask if it is possible torestrict the execution time of a task even if it is in its safesubintervalThen while synthesizing a scheduler we can addmore constraints and scheduling policies beyond ldquosafe statesrdquoFurther researches are required to answer these questions
7 Conclusion
In this paper we have extended the approach discussed in[9] to time Petri nets with stopwatch and have suggested toassociate the controllable transitions with stopwatch in orderto prevent their bad subintervals We have proposed thatin case a controller (like a scheduler) cannot restrict timeintervals associated with controllable transitions the control-lable transitions can be suspended in their bad subintervals
Synthesizing a time Petri net associated with stopwatch iscomplicated and needs some overapproximations Besidestime Petri nets associated with stopwatch do not preservethe boundedness property In this paper we have suggesteda more effective alternative We synthesize a time Petri netwithout stopwatch and then equip the controllable transi-tions with stopwatch where necessary With this assumptionevery controllable transition can be suspended in its badsubinterval and resumed otherwise Amongst different typesof stopwatch our solution is based on inhibitor hyperarcs
The approach suggested in this paper is particularlyuseful at design level for preemptive scheduling purposesmanaging shared resources and critical sections This is agood starting point for further researches on schedulingand to calculate automatically a scheduler in a multitaskingsystem It is interesting to see how the approach can beapplied in amore general case with a variable number of tasksand dependencies Consider different scheduling policies arechallenging and areworth to be considered in further studies
References
[1] P Heidari A forward on-the-fly approach for safety and reach-ability controller synthesis of timed systems [PhD thesis] EcolePolytechnique de Montreal 2012
[2] F Cassez and K Larsen ldquoThe impressive power of stopwatchesautomatardquo in Proceedings of the 11th International Conferenceon Concurrency Theory (CONCUR rsquo00) pp 138ndash152 Springer2000
[3] O H Roux and D Lime ldquoTime petri nets with inhibitorhyperarcs formal semantics and state space computationrdquo inProceedings of the International Conference on Application andTheory of Petri Nets (ICATPN rsquo04) pp 371ndash390 2004
[4] A Allahham and H Alla ldquoPost and pre-initialized stopwatchPetri nets formal semantics and state space computationrdquoNonlinear Analysis vol 2 no 4 pp 1175ndash1186 2008
[5] A Allahham and H Alla ldquoReseaux de Petri a chronometrespost et pre-initialisesrdquo in Proceedings of the 6 eme ColloqueFrancophone sur la Modelisation des Systemes Reactifs (MSRrsquo07) pp 263ndash280 Lyon France 2007
[6] D Isovic and G Fohler ldquoEfficient scheduling of sporadicaperiodic and periodic tasks with complex constraintsrdquo in
Journal of Engineering 13
Proceedings of the 21st IEEE Real-Time Systems Symposium pp207ndash216 2000
[7] K Altisen G Gossler and J Sifakis ldquoA methodology for theconstruction of scheduled systemsrdquo in Proceedings of the FormalTechniques in Real-Time and Fault-Tolerant Systems (FTRTFTrsquo00) pp 106ndash120 2000
[8] K Altisen G Gossler A Pnueli J Sifakis S Tripakis and SYovine ldquoA framework for scheduler synthesisrdquo in Proceedingsof the 20th IEEE Real-Time Systems Symposium (RTSSrsquo99) pp154ndash163 December 1999
[9] P Heidari and H Boucheneb ldquoEfficient method for checkingthe existence of a safety reachability controller for time petrinetsrdquo in Proceedings of the 10th International Conference onApplication of Concurrency to System Design (ACSD rsquo10) pp201ndash210 June 2010
[10] O-H Roux D Lime S Haddad F Cassez and B BrardldquoComparison of different semantics for time Petri netsrdquo inProceedings of the 3rd Automated Technology for Verification andAnalysis vol 3707 of Lecture Notes in Computer Science pp293ndash307 2005
[11] M Boyer and F Vernadat ldquoLanguage and bisimulation relationsbetween subclasses of timed petri nets with strong timingsemanticrdquo Tech Rep LAAS 2000
[12] W Penczek and A Polrola ldquoSpecification and model checkingof temporal properties in time Petri nets and timed automatardquoin Proceedings of the 25th International Conference on Appli-cation and Theory of Petri Nets vol 3099 of Lecture Notes inComputer Science pp 37ndash76 2004
[13] B Berthomieu andM Diaz ldquoModeling and verification of timedependent systems using time Petri netsrdquo IEEE Transactions onSoftware Engineering vol 17 no 3 pp 259ndash273 1991
[14] H Boucheneb G Gardey and O H Roux ldquoTCTL modelchecking of time petri netsrdquo Journal of Logic and Computationvol 19 no 6 pp 1509ndash1540 2009
[15] J Bengtsson Clocks DBMs and states in timed systems [PhDthesis] Uppsala Universitet Sweden 2002
[16] B Berthomieu and F Vernadat ldquoState class constructions forbranching analysis of time Petri netsrdquo in Proceedings of the9th International Conference on Tools and Algorithms for theConstruction and Analysis of Systems (TACAS rsquo03) pp 442ndash4572003
[17] D Lime andO Roux ldquoA translation basedmethod for the timedanalysis of scheduling extended time Petri netsrdquo in Proceedingsof the 25th IEEE International Real-Time Systems Symposium(RTSS rsquo04) pp 187ndash196 December 2004
[18] G Bucci A Fedeli L Sassoli and E Vicario ldquoTimed state spaceanalysis of real-time preemptive systemsrdquo IEEE Transactions onSoftware Engineering vol 30 no 2 pp 97ndash111 2004
[19] T A Henzinger P-H Ho and H Wong-Toi ldquoHYTECH amodel checker for hybrid systemsrdquo in Proceedings of the 9thInternational Conference on Computer-Aided Verification (CAVrsquo97) vol 1254 of Lecture Notes in Computer Science pp 460ndash463 Springer Berlin Germany 1997
[20] P Heidari andH Boucheneb ldquoMaximally permissive controllersynthesis for time petri netsrdquo International Journal of Controlvol 86 no 3 pp 493ndash511 2013
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
2 Journal of Engineering
similar constraints Each task cannot start execution until therequired resources are available A task releases the occupiedresources after finishing its execution
Inmultitasking systems tasks are categorized to periodicaperiodic and sporadic [6]
(i) Periodic Task Periodic tasks arrive in regular intervalsWorst-case and best-case execution time is of the speci-fications defined for periodic tasks Deadline is the othercharacteristic defined for these tasks with respect to theirworst-case execution time Deadline in periodic tasks can beeither soft or hard A critical deadline is called hard deadlinewhereas meeting a soft deadline is not critical
(ii) Aperiodic Task Tasks with irregular interarrivals arecalled aperiodic Aperiodic tasks are usually associated withsoft deadlines(iii) Sporadic Task Aperiodic tasks with a minimum interar-rival are called sporadic Sporadic tasks are associated withhard deadlines
A periodic task may have the following three states [7](i) Waiting Once a periodic task arrives it should wait forrequired resources
(ii) ExecutionWhen all required resources are available thetask starts its execution and spends its execution time in thisstate
(iii) Passive After being executed the task releases therequired resources and waits until its next arrival The timebetween two consecutive task arrivals is equal with the givenperiod
In a multitasking system with periodic tasks the sched-uler should manage the shared resources in a way that thepredefined period for the tasks is respected On the otherhand some of the tasks may be associated with a deadlineor priority In that case the scheduler should suspend theexecution of a task with lower priority and let the higherpriority tasks to use the resources Once the tasks with higherpriority are executed the other tasks with lower priorities areretrieved and continue their executionThis behavior is calledpreemptive scheduling
In the field of controller synthesis a scheduler is seenas a controller [7 8] The scheduler should manage theshared resources and starts execution of each task in a waythat the timing constraints deadlines and priorities arerespected Arrival of each task is due to its period and thenis uncontrollable Execution time is also predefined and thenis uncontrollable The only controllable action is the startingof an execution In preemptive scheduling a task can besuspended during its execution and leave the resources tosome other task with a higher priority
One solution is to model the system with time Petrinets associated with stopwatch In this context each taskexecution ismodeled by a transition equippedwith stopwatchand then the corresponding controller is synthesized tomanage suspension and resumption of each task such that thecorresponding timing constraints are respected As we will
see in this paper one problem with this solution is that thestate space of time Petri nets associated with stopwatch is notexact and requires some overapproximation
The other problem is that time Petri nets associated withstopwatch does not preserve the boundedness property LetN1be a time Petri net N
2be a time Petri net associated
with stopwatch and SCG shows the corresponding state classgraph the following relation holds
N1is bounded lArrrArr SCG of N
1is finite (1)
This condition is not always true for a time Petri netassociated with stopwatch In other terms
N2is bounded 999489999513999457 SCG of N
2is finite (2)
Indeed if the number of reachable markings in a time Petrinet associated with stopwatch is finite the number of stateclasses is not necessarily finite [3] These limitations hinderthe controller synthesis of time Petri nets with stopwatch
In this paper we suggest an alternative solution Wepropose to synthesize a time Petri net without stopwatchwhere the transitions corresponding to the task executionsare considered controllable We extract the controller (iescheduling strategy) and then add the stopwatch tomodel thecontrolled system (the system and its scheduler) In fact wesuggest to implement the synthesized controller by means ofstopwatch
In the following we discuss how the algorithm sug-gested in [9] for controller synthesis of time Petri nets isused for scheduling purposes to synthesize a controller forinterruptible tasks The algorithm of [9] is permissive andthe computed controller is restricting time intervals makingthe system to satisfy the given properties In this paper wesuggest to suspend a task during its bad subinterval Thisapproach is useful for preemptive scheduling purposes wheresafety properties correspond to meeting deadlines prioritiespreventing deadlock for shared resources and so forth
In this paper we use a synthesized controller (outputof the algorithm of [9] in particular) and we show how tocontrol the system using stopwatch In order to implementthe controller by means of stopwatch we assume that itis possible to associate each controllable transition with astopwatch so as to suspend or resume it whenever needed
The rest of this paper is organized as follows Section 2 isdedicated to time Petri nets their definition and semanticsSection 3 presents a literature review on different stopwatchPetri nets Section 4 has a brief survey on the solutionproposed in [9] Section 5 synthesizes a controller using stop-watch Section 6 presents an example of a multitasking sys-tem Finally Section 7 gives the conclusion and future work
2 Time Petri Nets
A time Petri net (TPN) is a Petri net augmented with timeintervals associated with transitions This paper focuses onthe classical semantics called intermediate semantics in [10]in the context of monoserver and strong semantics [11]Formally a TPN is a tuple (119875 119879PrePost119872
0 Is) where
(i) 119875 and 119879 are finite sets of places and transitions suchthat (119875 cap 119879 = 0)
Journal of Engineering 3
(ii) Pre and Post are the backward and the forwardincidence functions (PrePost 119875 times119879 rarr N whereNis the set of nonnegative integers)
(iii) 1198720is the initial marking (119872
0 119875 rarr N)
(iv) Is is the static interval function (Is 119879 rarr Q+ times(Q+ cup
infin))Q+ is the set of nonnegative rational numbersIs associates with each transition 119905 an interval calledthe static firing interval of 119905 Bounds darr Is(119905) and uarr Is(119905)of the interval Is(119905) are the minimum and maximumfiring delays of 119905 respectively
In a controllable time Petri net transitions are partitionedinto controllable and uncontrollable transitions denoted by119879119888and 119879
119906 respectively (with 119879
119888cap 119879119906= 0 and 119879 = 119879
119888cup 119879119906)
For the sake of simplicity and clarification in this paper thecontrollable transitions are depicted as white bars while theuncontrollable ones as black bars
A TPN is called bounded if for every reachable marking119872 there is a bound 119887 isin N119901 where 119872 le 119887 holds In thiscondition 119901 stands for the number of places in 119875
Let 119872 be a marking and 119905 a transition Transition 119905 isenabled for 119872 if and only if all required tokens for firing 119905are present in 119872 that is forall119901 isin 119875 119872(119901) ge Pre(119901 119905) Firingof 119905 leads to the marking 1198721015840 defined by forall119901 isin 119875 119872
1015840(119901) =
119872(119901) minus Pre(119901 119905) + Post(119901 119905) We denote En(119872) the set oftransitions enabled for 119872 that is En(119872) = 119905 isin 119879 | forall119901 isin
119875Pre(119901 119905) le 119872(119901) For 119905 isin En(119872) we denote CF(119872 119905)
the set of transitions enabled in119872 but in conflict with 119905 thatis CF(119872 119905) = 119905
1015840isin En(119872) | 119905
1015840= 119905 or exist119901 isin 119875119872(119901) lt
Pre(119901 1199051015840) + Pre(119901 119905) Let 119905 isin En(119872) and 1198721015840 the successormarking of119872 by 119905 a transition 1199051015840 is said to be newly enabledin 1198721015840 if and only if 1199051015840 is not enabled in the intermediate
marking (ie119872 minus Pre(sdot 119905)) or 1199051015840 = 119905 We denote New(1198721015840 119905)the set of transitions newly enabled 1198721015840 by firing 119905 from119872that is New(1198721015840 119905) = 119905
1015840isin En(1198721015840) | 119905 = 119905
1015840or exist119901 isin
1198751198721015840(119901) minus Post(119901 119905) lt Pre(119901 1199051015840)
The TPN state is defined as a pair (119872 Id) where 119872 is amarking and Id is a firing interval function (Id En(119872) rarr
Q+ times (Q+ cup infin)) The initial state is (1198720 Id0) where119872
0is
the initial marking and Id0(119905) = Is(119905) for 119905 isin En(119872
0) Let
(119872 Id) and (1198721015840 Id1015840) be two states of the TPNmodel 120579 isin R+
and 119905 isin 119879 The transition relation rarr over states is defined asfollows
(i) (119872 Id) 120579997888rarr (1198721015840 Id1015840) also denoted by (119872 Id) + 120579 if
and only if the state (1198721015840 Id1015840) is reachable from state(119872 Id) after 120579 time units that is ⋀
1199051015840isinEn(119872)120579 le uarr
Id(1199051015840)1198721015840 = 119872 and forall11990510158401015840 isin En(1198721015840) Id1015840(11990510158401015840) = [Max(darrId(11990510158401015840) minus 120579 0) uarr Id(11990510158401015840) minus 120579]
(ii) (119872 Id) 119905997888rarr (1198721015840 Id1015840) if and only if the state (1198721015840 Id1015840)
is reachable from the state (119872 Id) by immediatelyfiring transition 119905 that is 119905 isin En(119872) darr Id(119905) = 0forall119901 isin 119875 119872
1015840(119901) = 119872(119901) minus Pre(119901 119905) + Post(119901 119905) and
forall1199051015840isin En(1198721015840) Id1015840(1199051015840) = Is(1199051015840) if 1199051015840 isin New(1198721015840 119905) and
Id1015840(1199051015840) = Id(1199051015840) otherwise
The TPN state space is the structure (Q rarr 1199020) where
1199020
= (1198720 Id0) is the initial state of the TPN and
Q = 119902 | 1199020
lowast
997888rarr 119902(
lowast
997888rarr being the reflexive and transitive closureof the relation rarr defined above) is the set of reachable statesof the model A run in the TPN state space (Q rarr 119902
0) of a
state 119902 isin Q is amaximal sequence120588 = 1199021
1205791
997888rarr 1199021+1205791
1199051
997888rarr 1199022
1205792
997888rarr
1199022+ 1205792
1199052
997888rarr 1199023 such that 119902
1= 119902 By convention for any
state 119902119894 the relation 119902
119894
0
997888rarr 119902119894holds The sequence 120579
1119905112057921199052
is called the timed trace of 120588 The sequence 11990511199052 is called
the firing sequence (untimed trace) of 120588 A marking 119872 isreachable if and only if exist119902 isin Q st its marking is 119872 Runs(resp timeduntimed traces) of the TPN are all runs (resptimeduntimed traces) of the initial state 119902
0
To use enumerative analysis techniques with time Petrinets their generally infinite state spaces are abstractedAbstraction techniques construct by removing some irrel-evant details a finite contraction of the state space of themodel which preserves properties of interest For best perfor-mances the contraction should also be the smallest possibleand computed with the minimal resources in terms of timeand space The preserved properties are usually verifiedusing standard analysis techniques on the abstractions [12]Several state space abstraction methods have been proposedin the literature for time Petri nets (the state class graph(SCG) [13] the zone based graph (ZBG) [14] etc) Theymay differ in the characterization of states (interval or clockstates) the state agglomeration criteria the abstract statesrepresentation the preserved properties (markings linear orbranching properties) and their size
These abstractions are finite for all bounded time Petrinets However abstractions based on clocks are less inter-esting than the interval-based abstractions when only linearproperties are of interest Indeed abstractions based onclocks do not enjoy naturally the finiteness property forbounded TPN with unbounded intervals as it is the case forabstractions based on intervals The finiteness is enforcedusing an approximation operation which may involve someoverhead computation The algorithm of [9] is based on thestate class graph method
21 The State Class Graph Method In the state class graphmethod [13] all states reachable by the same firing sequencefrom the initial state are agglomerated in the same node andconsidered modulo the relation of equivalence defined bytwo sets of states are equivalent if and only if they have thesamemarking and the same firing domain (the firing domainof a set of states is the union of the firing domains of its states)All equivalent sets are agglomerated in the same node called astate class defined as a pair 120572 = (119872 119865) where119872 is a markingand 119865 is a formula which characterizes the firing domain of120572 For each transition 119905
119894enabled in119872 there is a variable 119905
119894 in
119865 representing its firing delay 119865 can be rewritten as a set ofatomic constraints of the form 119905
119894minus 119905119895le 119888 119905
119894le 119888 or minus119905
119895le 119888
where 119905119894 119905119895are transitions 119888 isin Q cup infin and Q is the set of
rational numbers (for economy of notation we use operatorle even if 119888 = infin)
Each domain is expressed by the canonical form that isusually encoded by a difference bound matrix (DBM) [15]The canonical form of 119865 is encoded by the DBM 119863 (a square
4 Journal of Engineering
matrix) of order |En(119872)| + 1 defined by forall119905119894 119905119895isin En(119872) cup
1199050 119889119894119895= (le Sup
119865(119905119894minus 119905119895)) where 119905
0(1199050notin 119879) represents
a fictitious transition whose delay is always equal to 0 andSup119865(119905119894minus 119905119895) is the largest value of 119905
119894minus 119905119895in the domain of 119865
Its computation is based on the shortest path Floyd-Warshallrsquosalgorithm and is considered as the most costly operation(cubic in the number of variables in 119865) The canonical formof a DBM makes some operations over formulas like the testof equivalence easier Two formulas are equivalent if and onlyif the canonical forms of their DBMs are identical
The initial state class is 1205720
= (1198720 1198650) where 119865
0=
⋀119905119894isinEn(119872
0)darr Is(119905
119894) le 119905
119894le uarr Is(119905
119894) Let 120572 = (119872 119865) be
a state class and 119905119891a transition and succ(120572 119905
119891) the set of
states defined by succ(120572 119905119891) = 119902
1015840isin Q | exist119902 isin 120572 exist120579 isin
R+ st 119902
120579
997888rarr 119902 + 120579
119905119891
997888rarr 1199021015840 The state class 120572 has a successor
by 119905119891(ie succ(120572 119905
119891) = 0) if and only if 119905
119891is enabled in 119872
and can be fired before any other enabled transition that isthe following formula is consistent 119865 and (⋀
119905119894isinEn(119872)119905119891 le 119905
119894)
A formula F is consistent if and only if there is at least onetuple of values that satisfies at once all constraints ofF In thiscase the firing of 119905
119891leads to the state class 1205721015840 = (119872
1015840 1198651015840) =
succ(120572 119905119891) computed as follows [13]
(1) forall119901 isin 1198751198721015840(119901) = 119872(119901) minus Pre(119901 119905119891) + Post(119901 119905
119891)
(2) 1198651015840 = 119865 and (⋀119905119894isinEn(119872)119905119891 minus 119905119894 le 0)
(3) Replace in 1198651015840 each 119905119894= 119905119891 by (119905
119894+ 119905119891)
(4) Eliminate by substitution 119905119891and each 119905
119894of transition
conflicting with 119905119891in119872
(5) Add constraint darr Is(119905119899) le 119905
119899leuarr Is(119905
119899) for each
transition 119905119899isin New(1198721015840 119905
119891)
Formally the SCG of a TPN model is a structure (CCrarr 1205720) where 120572
0= (119872
0 1198650) is the initial state class forall119905
119894isin
119879 120572
119905119894
997888rarr 1205721015840 iff 120572
1015840= succ(120572 119905
119894) = 0 and CC = 120572 |
1205720
lowast
997888rarr 120572 The SCG is finite for all bounded TPNs andpreserves linear properties [16] Let 120572 = (119872 119865) be a stateclass and 120596 isin 119879
+ a sequence of transitions firable from120572 We denote succ(120572 120596) the state class reachable from 120572 byfiring successively transitions of 120596 We define inductively thisset as follows succ(120572 120596) = 120572 if 120596 = 120598 and succ(120572 120596) =succ(succ(120572 1205961015840) 119905
119894) if 120596 = 120596
1015840sdot 119905119894
As an example Figure 2 shows the state class graph ofthe TPN presented at Figure 1 Its state classes are reportedin Table 1
Let120596 be a sequence of transitions firable from 120572 the sametransitionmay be newly enabled several times To distinguishamong different enablings of the same transition 119905
119894 we denote
119905119896
119894for 119896 gt 0 the transition 119905
119894(newly) enabled by the kth
transition of the sequence 1199050119894denotes the transition 119905
119894enabled
in 119872 Let 120596 = 1199051198961
1 119905
119896119898
119898isin 119879+ with 119898 gt 0 be a sequence
of transitions firable from 120572 st succ(120572 120596) = 0 We defineFire(120572 120596) the largest subclass 1205721015840 of 120572 (ie 1205721015840 sube 120572) st 120596is firable from all its states that is Fire(120572 120596) = 119902
1isin
120572 | exist1205791 120579
119898 1199021
1205791
997888rarr 1199021+1205791
1199051198961
1
997888997888rarr 1199022 119902
119898+120579119898
119905119896119898
119898
997888997888rarr 119902119898+1
1199051[0 4]
1199053[2infin[ 1199054[0 1]
1199052[2 3]
11990121199011
11990141199013
Figure 1 A simple Petri net with 119879119888= 1199051
1205720
1205723
1205726 1205724 1205725
12057221205721 1199054
1199052
1199053 1199051
1199052
1199051
1199052
1199053
1199054
Figure 2 The state graph of the TPN presented at Figure 1
3 Literature Review
The idea of suspension and resumption of a task in asystem is modeled in different ways in timed automataand time Petri nets [2ndash4 17 18] In [2] the authors haveintroduced stopwatch automata (SWA) as a subclass of timedlinear hybrid automata In stopwatch automata an additionalbinary variable is defined to show the rate of time progressionThe clocks may have two velocities (time derivation) zeroor one Zero signifies stopped while one signifies normalprogress If clocks are running they progress with a globalrate identical to all nonstopped clocks of the model Theauthors have shown that stopwatch automata is as expressiveas timed languages
In [3] the authors have introduced inhibitor hyperarcs tointerrupt an enabled transition Once a place 119901 connected toa transition 119905 via an inhibitor arc is marked the transition 119905 issuspended and stops firing In other words once an inhibitorarc is enabled the corresponding transition is interruptedThey have called these nets IHTPN (time Petri nets withinhibitor hyperarcs) In Figure 3 119905
1is enabled As soon as
1198752is marked firing 119905
1is suspended Note that an inhibitor
hyperarc is not graphically presented by a classical arrowinstead it is depicted with an empty circle at the extreme ofthe edge
In [17] the authors have discussed an extension of timePetri nets adapted for scheduling This extension is calledscheduling extended time Petri nets (SETPN) SETPN issuitable to model concurrent tasks and shared resources withfixed priorityThe behavior of scheduler is implicitly included
Journal of Engineering 5
Table 1 The state classes of the TPN presented at Figure 2
1205720 1199011+ 1199012
0 le 1199051le 4 and 2 le 119905
2le 3 120572
1 1199012+ 1199013
0 le 1199052le 3 and 2 le 119905
31205726 1199014
1205722 1199011+ 1199014
0 le 1199051le 2 120572
3 1199013+ 1199014
0 le 1199053and 0 le 119905
4le 1
1205724 1199012
0 le 1199052le 1 120572
5 1199013+ 1199014
2 le 1199053lt infin and 0 le 119905
4le 1
1199051[1198861 1198862]
11990121199011
1199013
Figure 3 A simple example of time Petri nets with inhibitorhyperarc 119905
1is active if 119901
2is not marked otherwise it is suspended
in the model and the scheduler is not modeled as a separateagent
In [17] time Petri nets are associated with two moreproperties 120574 and 120596 standing for resource allocation andpriority respectively As an example suppose two differentconcurrent tasks sharing the same resource (120574 is identical forboth) Although both transitions are enabled the one with ahigher priority is activewhile the other is suspended For eachmarking 119872 a function Act determines whether 119872 is activeor not
The time Petri nets presented in [17] assign both pri-ority and resources to places It is particularly suitable forscheduling approaches State space analysis is done map-ping scheduling Petri nets to hybrid automata (state classstopwatch automata) The advantage of this solution is usingan automated tool like HYTECH [19] already existing formanipulation of hybird automata
Another extension of time Petri nets called preemptivetime Petri nets is discussed in [18] Preemptive time Petrinets are suitable for scheduling and preemptive approachesIn Preemptive time Petri nets resource and priority arecharacteristics of transitions while in SETPN they wereassigned to places The preemptive time Petri nets as well asscheduling extended time Petri nets are adapted specificallyfor scheduling purposes with fixed priority rather thangeneral cases of interruption and resumption of some tasksA more generalized model comes in [4 5]
Another stopwatch model comes in [4 5] Post- and Pre-initialized stopwatch Petri nets (SWPN) [4 5] also modelinterruption and retrieving of tasks In such stopwatch Petrinets transitions are partitioned into two disjoint subclasses119879 = 119879int cup 119879no-int where 119879int is the set of interruptible tran-sitions and 119879no-int is the set of noninterruptible transitionsStopwatches can suspend enabled interruptible transitionsFor each transition 119905
119894 there is a function 119907(119905
119894) representing the
value of its associated stopwatch If 119905119894isin 119879int 119907(119905119894) signifies the
time elapsed since 119905119894was first enabled whereas if 119905
119894isin 119879no-int
119907(119905119894) represents the time elapsed since 119905
119894was last enabled
119905susp[120582 1205822]1
1199052[120572 120573]
1199051[0 0]
119905resu[1205741 1205742]
1199012
1199011
1199013
Figure 4 An interruptible task modeled by SWPN reported from[4]
A transition is called firable if it is enabled (119872 gt Pre(119905119894)) and
darr Is(119905119894) le 119907(119905
119894) le uarr Is(119905
119894)
In contrary with IHTPN where a marked place sus-pended an enabled transition in this model stopwatchconsumes some tokens to disable an enabled transition Itis implemented by means of some extra placestransitionsA stopwatch transition is in conflict with an interruptibletransition Thus consuming a token can suspend an inter-ruptible enabled transition With this model an interrupt isunpredictable and we do not know when it happens In factat any time the interruptible task and the interrupt both haveequal chance to happen The simple Petri nets of Figure 4reported from [4] are a simple example of SWPN of aninterruptible task
Let 119905119894be a transition and119872 a marking 119905
119894is called
(i) enabled If119872 ge Pre(119905119894) denoted by 119905
119894isin En(119872)
(ii) firable If 119905119894isin En(119872)and darr Is(119905
119894) le 119907(119905
119894) le uarr Is(119905
119894)
denoted by 119905119894isin Firable(119872)
(iii) suspended If Pre(119905119894) gt 119872 and 119907(119905
119894) gt 0 denoted by
119905119894isin susp(119872)
The notion uarr enabled(119905119894119872 119905119896) indicates that 119905
119894is newly
enabled by firing of 119905119896at marking119872
The new concept Preinitialization defined in this modelrefers to noninterruptible transitions For every 119905
119894isin 119879no-int
119905119894is firable if 119907(119905
119894) has already been initialized when 119905
119894
becomes enabled In other words 119907(119905119894) = 0 when 119905
119894isin
uarr enabled(119905119894119872 119905119896)
The concept postinitialization is defined for interruptibletransitionsWhen an interruptible transition is fired the asso-ciated 119907(119905
119894) is initialized (119907(119905
119894) = 0) Figures 5 and 6 reported
from [4] show the difference between time evolution in aninterruptible transition and a noninterruptible transition Inthese figures the notions 119864119863 and 119865 stand for enablingdisabling and firing of a transition respectively
6 Journal of Engineering
119907(119905119894)
119864 119864 119864119863 119865
Time
Figure 5 Time elapses 119905119894is an interruptible transition
119907(119905119894)
119864 119864119863 119865
Time
Figure 6 Time elapses 119905119894is a noninterruptible transition
In brief according to the types of transitions two types ofclock initialization are defined
(i) Preinitialization Given a transition 119905119894
isin 119879no-intwhere119879no-int is the set of noninterruptible transitionsclock initialization is called preinitialization happen-ing when 119905
119894is recently enabled As soon as a transition
becomes enabled its associated clock is initialized(ii) Postinitialization Given a transition 119905
119894isin 119879int where
119879int is the set of interruptible transitions clock initial-ization is called post-initialization happening after fir-ing 119905119894 it means that the transition initializes the clock
after being fired Post-initialization is dependent ontransition firing
In [4] continuous and discrete transitions are defined asfollows
Let 119889 isin R+ a continuous transition is denoted by(119872 119907)
119889
997888rarr (119872 1199071015840) iff forall119905
119894isin 119879
(i) 1199071015840(119905119894) = 119907(119905
119894) if the transition 119905
119894is not enabled
(ii) 1199071015840(119905119894) = 119907(119905
119894) + 119889 if 119905
119894is enabled
(iii) 119872 ge Pre(119905119894) rArr 119907
1015840le uarr Is(119905
119894)
And a discrete transition is denoted by (119872 119907)
119905119894
997888rarr (1198721015840 1199071015840)
iff forall119905119894isin 119879
(i) 119905119894isin Firable(119872)
(ii) 1198721015840 = 119872 minus Pre(119905119894) + Post(119905
119894)
(iii) 1199071015840(119905119894) = 0 if 119905
119894isin 119879int (postinitialization)
(iv) forall119905119896isin 119879 1199071015840(119905
119896) =
(a) 0 if 119905119896isin uarr enabled(119905
119896119872 119905119894) (preinitialization)
(b) 119907(119905119894) Otherwise
In order to perform further timing analysis the sameas scheduling extended time Petri nets of [17] the SWPNis transformed to hybrid automaton In addition a forwardalgorithm is suggested to compute reachable states
If the number of stopwatches increases for exampleif all of the transitions are interruptible the complexityof calculation will highly increase Scheduling time Petrinets and preemptive time Petri nets are both subclasses ofstopwatch Petri nets An ordinary TPN is also a SWPNwhere119879int = 0
After having a survey on different stopwatch Petri netsavailable in the literature in the following wewill have a briefreview on the algorithm of [9] and then investigate how tointegrate stopwatch in the controller synthesis approach of[9]
4 Safety Controller Synthesis ApproachProposed in [9]
Let N be a TPN with controllable and uncontrollable tran-sitions (119879 = 119879
119888cup 119879119906) and a set of markings to be avoided
(bad) For a safety property the approach proposed in [9] (seeAlgorithms 1 and 2) consists of exploring on-the-fly and pathby path the state class graph of the TPN N while collectingthe bad sequences and the losing states (sequences or statesthat lead to bad markings) The list Passed is used to retrievethe set of state classes processed so far their bad sequencesand their losing subclasses For a given state class 120572 and abad sequence 120596 feasible from 120572 the function Fire is used tocompute forwardly all states of 120572 which lead by a sequence oftransitions to an undesirable marking (ie a losing subclassof 120572) The function explore receives parameters 120572 being theclass under process 119905 the transition leading to 120572 and Cthe set of traveled classes in the current path Succinctlyit recursively computes the bad sequences of 120572 (from badsequences of its successors) and verifies whether or not 120572can be controlled so as to avoid its bad sequences It returnsthe set of bad sequences if they cannot be avoided from 120572Otherwise it returns an empty set which means that 120572 canbe controlled (ie 120572 has no bad sequences or there is at leastone controllable transition 119905
119888such that its firing interval in
120572 can be restricted so as to avoid reaching bad states) Therestriction of the interval of 119905
119888in 120572 is obtained by subtracting
from its interval in 120572 intervals of 119905119888in its bad subclasses
This approach tries to control the system behavior start-ing from the last to the first state class of bad paths If it failsto control a state class of a path so as to avoid all bad stateclasses the algorithm tries to control its previous state classesIf it succeeds to control a state class there is no need to controlits predecessors The aim is to limit as little as possible thebehavior of the system (more permissive controller)
In [20] we have proven that this approach gives themaximally permissive controller and if it fails to compute the
Journal of Engineering 7
Functionmain (TPNN Markings bad)WhereN is a TPNbad is a set of bad markingsLet 119879
119888be the set of controllable transitions of N and
1205720the initial state class of N
Passed = 0If (explore (120572
0 120598 1205720) = 0) then
Controller does not existreturn
end iffor all ((120572 Ω LI) isin Passed) do
Ctrl[120572] = ⋃(119905119888 119905119904 BI)isinLI(119905119888 119905119904 INT (120572 119905119888 minus 119905119904) minus BI)
end for(lowastRemarks)120572 = (119872 119865)En119888(119872) = En(119872) cap 119879
119888
En0119888(119872) = En
119888(119872) cup 119905
0
New119888(119872 119905) = New(119872 119905) cap 119879
119888
New(1198720 120598) = En(119872
0)
1199050is a fictitious transition whose time variable is fixed at 0
Dep (120572 119905 LI) equivexist(119905119888 119905119904BI) isin LI 119905
119888notin New(119872 119905) and (119905
119904notin New(119872 119905)or
INT (120572 119905119888minus 1199050) sube ⋂
119868isinBI(119868 oplus INT (120572 119905119904minus 1199050)))
Algorithm 1 On-the-fly algorithm for the safety control of TPN-Part I
Function Traces explore (Class 120572 Trans 119905 ClassesC)if (existΩ LI st (120572 Ω LI) isin Passed) then
if (Ω = 0 and Dep (120572 119905 LI)) thenreturn 119905 sdot 120596 | 120596 isin Ω
end ifreturn 0
end ifif (119872 isin bad) then
return 119905end ifTraces Ω = 0for all 1199051015840 isin En(119872) st succ (120572 1199051015840) = 0 and succ (120572 1199051015840) notin C
doΩ =Ω cup explore (succ (120572 1199051015840) 1199051015840C cup succ (120572 1199051015840))
end for Ω contains all bad sequences of 120572if (Ω = 0) then
Passed = Passed cup (120572 0 0)return 0
end ifLI = (119905
119888 119905119904BI) | (119905
119888 119905119904) isin En
119888(119872) times En0
119888(119872) and
BI = ⋃120596isinΩ
INT (Fire (120572 120596) 119905119888minus 119905119904) sub INT (120572 119905
119888minus 119905119904)
Passed = Passed cup (120572Ω LI)if (Dep (120572 119905 LI)) then
return 119905 sdot 120596 | 120596 isin Ω
end ifreturn 0
Algorithm 2 On-the-fly algorithm for the safety control of TPN-Part II
8 Journal of Engineering
Explore (1205720 120598 1205720)Returnempty
Explore (1205721 1199051 1205720 1205721)Return 119905111990521199053 11990511199053
Explore (1205723 1199052 1205720 1205721 1205723)
Explore (1205726 1199053 1205720 1205721 1205723 1205726)Return 1199053
Explore (1205725 1199051 1205720 1205722 1205725)Returnempty
Explore (1205722 1199052 1205720 1205722)Returnempty
Explore (1205724 1199053 1205720 1205721 1205724)
1205721
1205720
1205726
1205723
1199053
11990521199051
1205724
1205725
1199052
1199053
1199051
1205722
Return 1199053
Return 11990521199053
Figure 7 Applying Algorithms 1 and 2 on the TPN at Figure 1 forAG not 119901
1+ 1199013= 0
controller then the controller does not exist We have alsoinvestigated the hardness complexity of the approach step bystep
(i) The complexity of computing BI of a state class (inworst case) is119874(119870times119871times119899
119905
2)where119870 is the number of
paths starting from the state class and leading to badmarkings 119871 is the maximal length of such paths and119899119905is the number of transitions in the model
(ii) The complexity for computing Dep relation used inAlgorithms 1 and 2 is119874(|LI|times119898times|BI|) where119898 is thenumber of places in the model (complexity of testingNew(119872 119905))
In [14] the authors have discussed the completenesscomplexity for bounded TPNs They have proven that modelchecking of TPN-TCTL formula on a bounded TPN isPSPACE-complete
Let us explain this approach by means of an exampleConsider the TPN shown at Figure 1 its state class graphpresented at Figure 2 and its state classes reported in Table 1Suppose that only 119905
1is controllable (ie 119879
119888= 1199051) and we
want to avoid reaching markings where places 1199011and 119901
3are
both not marked (ie state classes 1205724and 120572
6) by choosing
appropriately the firing intervals of 1199051 For this example we
have 119879119888= 1199051 bad = 119901
2 1199014 Passed = 0 and 120572
0=
(1199011+ 1199012 0 le 119905
1le 4 and 2 le 119905
2le 3)
The process starts by calling explore(1205720 120598 1205720) (see
Figure 7) Since 1205720is not in Passed and its marking is not
forbidden explore is successively called for the successorsof 1205720 explore(120572
1 1199051 1205720 1205721) and explore(120572
2 1199052 1205720 1205722) In
explore of 1205721 function explore is successively called for 120572
3
and 1205724 In explore of 120572
3 function explore is called for the
successor 1205726of 1205723by 1199053 explore(120572
6 1199053 1205720 1205721 1205723 1205726 For the
successor of 1205723by 1199054(ie 120572
0) there is no need to call explore
as it belongs to the current path Since 1205726has a forbidden
marking explore of 1205726returns to explore of 120572
3with 119905
3
which in turn adds (1205723 11990521199053 0) to Passed and returns to
explore of 1205721with 119905
21199053
In explore of 1205721 function explore is called for 120572
4
(explore(1205724 1199053 1205720 1205721 1205724)) This call returns to explore of
1205721 with 119905
3 since 120572
4has a forbidden marking In explore
of 1205721 the tuple (120572
1 11990521199053 1199053 0) is added to Passed and
119905111990521199053 11990511199053 is returned to explore of 120572
0 Then explore
of 1205720
calls explore(1205722 1199052 1205720 1205722) which in turn calls
explore(1205725 1199051 1205720 1205722 1205725) Since 120572
5has only one successor
(1205720) and this successor belongs to the current path the call of
explore for 1205725adds (120572
5 0 0) to Passed and returns to explore
of 1205722with 0 which in turn returns to explore of 120572
0
After exploring both successors of 1205720 in explore of 120572
0 we
get inΩ = 119905111990521199053 11990511199053 the set of bad paths of 120572
0 As the state
class 1205720has a controllable transition 119905
1 its bad subclasses are
computed Fire(1205720 119905111990521199053) = (119901
1+ 1199012 0 le 119905
1le 2 and 2 le
1199052le 3 and 1 le 119905
2minus 1199051le 3) and Fire(120572
0 11990511199053) = (119901
1+ 1199012 0 le
1199051le 1 and 2 le 119905
2le 3 and 2 le 119905
2minus 1199051le 3) The firing interval
of 1199051in 1205720([0 4]) is not covered by the union of intervals
of 1199051in bad subclasses of 120572
0([0 2] cup [0 1] = [0 4]) Then
(1205720 119905111990521199053 11990511199053 (1199051 1199050 [0 2])) is added to Passed As 119905
1is
newly enabled the empty set is returned to the functionmainwhich concludes that a controller exists According to the listPassed 120572
0needs to be controlled (Ctrl[120572
0] = (119905
1 1199050 [0 4] minus
[0 2])) For all others there is nothing to do
5 Controller Synthesis and Stopwatch
In this section we consider time Petri nets with control-lableuncontrollable transitions and show how such a systemis controlled by associating some of the controllable transi-tions with stopwatch First we apply the on-the-fly algorithmof [9] and calculate the appropriate controller Then insteadof restricting time intervals of corresponding controllabletransitions we associate them with stopwatch In fact wesuspend some transition during its bad subinterval to controla system so as to satisfy a given property
We consider the inhibitor hyperarcs of [3]The controllershall suspend a controllable transition in its bad subintervaland retrieve it otherwise Let us remember the example ofFigure 1 with the state class graph of Figure 2 and Table 1We have seen that in order to prevent the system enteringthe forbidden state classes 120572
4and 120572
6 the controller should
prevent 1199051from firing before ]2 4] Thus an inhibitor hyper-
arc is added to the transition 1199051 This inhibitor hyperarc
connects 1199051to a place called119901susp At the beginning this place
is marked and then 1199051is suspended At [2 2] the token of
119901susp is consumed and the corresponding hyperarc becomesdisabled The controllable transition 119905
1is now firable again
The token is returned to place 119901susp after 1199051 is fired Thus thecontroller suspends 119905
1during its bad subinterval and resumes
it after then At the beginning all clocks are initialized to zeroThen time elapses but in [0 2] this transition is suspendedand hence its clock does not elapse anymore Later at time[2 2] this transition is retrieved and becomes active Wedo not need to delay it anymore that is why the lowerbound of the interval associated with 119905
1is modified to 0
Now the clock starts elapsing Within 2 time units 1199051should
be fired (ie when the actual time of the general clock ofthe system reaches to 4) Then the interval associated with
Journal of Engineering 9
0 1 2 3 40
1
2
119907(1199051)
Time
119907(1199051) ne 0
119907(1199051) = 0
Figure 8 Clock evaluation of 1199051in the controlled TPN of Figure 9
1199051in a controlled TPN associated with stopwatch is [0 2]
Figure 8 represents the clock evaluation of the transition 1199051
The controlled Petri nets of this example are presented inFigure 9
In summary our goal is to synthesize the state class graphof the system through Algorithms 1 and 2 (see [9]) andcalculate bad subintervals of the corresponding controllabletransitions Then suspend the appropriate controllable tran-sitions during their bad subintervals Note that in [9] wewererestricting and limiting time intervals while in this approachthe idea is to delay and suspend them In this research wesuppose every controllable transition can be associated witha stopwatch if needed As explained earlier in Section 1 ina multitasking system with periodic tasks only execution ofa task is controllable Then those transitions modeling thetask executions are considered controllable and consequentlycould be suspended and retrieved
Above we have shown how to control a system whenthe bad subinterval is at the beginning of the firing inter-val What if the acceptable subinterval is at the beginningand bad subintervals are after Consider the example ofFigure 10 A controllable transition 119905
1is associated with firing
interval [119886 119887] Suppose that based on Algorithms 1 and 2the subinterval [119886 120572
1] is acceptable while ]120572
1 119887] is a bad
subinterval where 119886 le 1205721lt 119887 The controlled time Petri
nets are presented in Figure 11 Figure 12 represents the clockevaluation of 119905
1and shows how the new interval associated
with 1199051is calculated In [0 119886[ 119901susp is marked and 119905
1is neither
active nor enabled Meanwhile at the time 119886 1199051199031
becomesenabled and is fired consuming the token in 119901suspThus rightat 119886 the transition 119905
1becomes active and its associated clock
starts elapsing Note that associated stopwatch delays 1199051for
119886 time units and we do not want to delay it anymore thenthe lower bound of the new associated interval in controlledTPN is 0 After 120572
1time units 119905
1199032is fired and 119901susp becomes
marked again Consequently 1199051is suspended
Consider the same example of Figure 10 and this timesuppose that Algorithms 1 and 2 give the following output
[119886 1205721[ is acceptable [120572
1 1205722[ is a bad subinterval [120572
2 119887]
is acceptable where the condition 119886 lt 1205721lt 1205722le 119887 holds
1199051[0 2]
1199053[2infin[ 1199054[0 1]
1199052[2 3]119905resu [2 2]
119875susp
11990121199011
11990141199013
Figure 9 Time Petri net of Figure 1 controlled by inhibitor hyper-arcs (119879
119888= 1199051)
1199051[119886 119887]
1199012
1199013
Figure 10 A simple time Petri net (119879119888= 1199051)
With the same idea the controlled Petri nets are presented inFigure 13 and the clock evaluation of 119905
1is shown in Figure 14
51Why InhibitorHyperarcs Wehave shown how to achievea controlled model from an uncontrolled time Petri netsby adding inhibitor hyperarcs One question is why amongdifferent types of stopwatch inhibitor hyperarcs are chosenIs it possible to use another stopwatch model The answeris yes but inhibitor hyperarcs provide more flexibility andless complication Let us see if this idea is feasible using othertypes of Petri nets with stopwatch
We consider the post- and preinitialized Petri nets pro-posed in [4 5] for stopwatch and try to control amodel wherea controllable transition associated with time interval [119886 119887]has a bad subinterval [119886 120572] Based on our hypothesis thecontroller should suspend the controllable transition at [119886 119886]and resume it at [120572 120572] The characteristic of post and pre-initialized Petri nets is that they consume the same tokenof the original model and in addition the exact time whenthe model becomes suspended is unknown as stopwatchtransition and original transition have the same chance forfiring At the first glance the idea is feasible by adding oneplace and two transitions However there are some issuesWeexplain the problem through an example
We consider the same example of Figure 1 The suggestedcontrolled model using post and pre-initialized Petri netscomes in Figure 15The controllable transition 119905
1is associated
with stopwatchThe stopwatch interrupts the task at [0 0] andresume it at [2 2] The problem is at [0 0] both transitions1199051and 119905sus are enabled with equal chance of firing whereas
in order to have a controlled model 119905sus should fire at [0 0]before 119905
1 Thus the controller fails unless if we modify the
interval associated to 1199051to ]0 2] which is not of interest in
this approach
10 Journal of Engineering
1199051[0 1205721 minus 119886[
1199051199032[1205721 minus 119886 1205721 minus 119886]
1199051199031[119886 119886]
1199012
1199013
1199011199040
1199011199041
119901susp
Figure 11The controlledTPNof Figure 10 using inhibitor hyperarcs(119879119888= 1199051) Forbidden interval is ]120572
1 119887] where 119886 le 120572
1lt 119887
Time0
01205721
119907(1199051) 119907(1199051) = 1205721 minus 119886
119886 119887
1205721 minus 119886
119907(1199051) = 0
Figure 12 Clock evaluation of 1199051in the controlled TPN of Figure 10
Forbidden interval is ]1205721 119887] where 119886 le 120572
1lt 119887
1199051[0 119887 minus 119886 + 1205721 minus 1205722]
1199051199033[1205722 minus 1205721 1205722 minus 1205721]
1199051199032[1205721 minus 119886 1205721 minus 119886]
1199051199031[119886 119886]
1199013
11990121199011199040
1199011199041
119901susp
1199011199042
Figure 13 A simple time Petri net controlled by inhibitor hyperarcs(119879119888= 1199051) the bad subinterval is [120572
1 1205722[ where 119886 lt 120572
1lt 1205722le 119887
The other alternative is presented at Figure 16 An auxil-iary place 119901
119904solves the problem Hence using the stopwatch
Petri nets suggested in [4 5] it is not easy to give ageneral solution to control a model considering the output ofAlgorithms 1 and 2 In addition the resulting controlled netsare more complicated For example in case the controllabletransition is associated with the interval [119886 119887] where its badsubinterval is [120572 119887] and 119886 le 120572 then the controlled modelbecomes complicated
Time
00
119907(1199051)
119887 minus 119886 + 1205721 minus 1205722
1205721 minus 119886
1205722119886 1198871205721
Figure 14 Clock evaluation of 1199051in a controlled TPN of Figure 10
The forbidden interval is ]1205721 1205722] where 119886 lt 120572
1lt 1205722le 119887
119905sus[0 0]
119905resu[2 2]
1199053[2infin[ 1199054[0 1]
1199051[0 2] 1199052[2 3]
1199012
1199013
119901susp
1199011
1199014
Figure 15 Controlling the example of Figure 1 using stopwatch of[4] The controller fails
119905sus[0 0]
119905resu[2 2]
1199053[2infin[ 1199054[0 1]
1199051[0 2] 1199052[2 3]
1199012
1199013
119901susp
1199011
1199014
119901119904
Figure 16 Controlled model of Figure 1 using stopwatch of [4]
6 Illustrative Example
Suppose the multitasking system depicted in Figure 17 withthe following specifications four tasks 119879
1 1198792 1198793 and 119879
4are
being executed Two tasks 1198793and 119879
4are uncontrollable The
task 1198791is periodic with a period of [6 6] and then its start
execution is controllable Suppose that starting execution of1198792is also controllable 119879
4is depended to 119879
2and 119879
3meaning
that it can be executed only when1198792and1198793are executed Two
tasks1198791and1198792share a common resource On the other hand
1198791enters through a single capacity buffer It means that if 119879
1
is not executed by the end of its period the system will blockIn Figure 7 tasks are modeled by tokens and the execution ofeach task 119879
119894is shown by the transition 119905
119894 If 1198791is not executed
by the end of its period the system enters the state Block and1199055is the transition to be avoided Delay is a placemodeling the
Journal of Engineering 11
Table 2 State classes of the TPN presented at Figure 17
1205720 Delay + 119875
1+ Resource 2 le 119905
2le 3 5 le 119905
3le 6 2 le 119905
1le 2 6 le 119905
5le 6
1205721 Delay + 119875
1+Wait 3 le 119905
3le 4 4 le 119905
5le 4
1205722 Delay + 119875
1+ Resource 2 le 119905
2le 3 3 le 119905
3le 4 2 le 119905
1le 2 6 le 119905
5le 6
1205723 Delay + 119875
3+Wait 0 le 119905
4le 1 0 le 119905
5le 1
1205724 1198751+Wait + Block 0 le 119905
3le 0
1205725 Delay + 119875
1+Wait 1 le 119905
3le 2 4 le 119905
5le 4
1205726 Delay + 119875
1+ Resource 2 le 119905
2le 3 1 le 119905
3le 2 2 le 119905
1le 2 6 le 119905
5le 6
1205727 Delay + Resource + 119875
12 le 1199052le 3 5 le 119905
3le 6 2 le 119905
1le 2 0 le 119905
5le 1
1205728 1198753+Wait + Block 0 le 119905
4le 1
1205729 Delay + 119875
3+Wait 0 le 119905
4le 1 2 le 119905
5le 3
12057210 Delay + 119875
1+Wait 0 le 119905
3le 0 4 le 119905
5le 4
12057211 Delay + Resource + 119875
3
0 le 1199052le 2 0 le 119905
1le 1 4 le 119905
5le 5
0 le 1199052minus 1199051le 1 minus4 le 119905
2minus 1199055le minus3 minus4 le 119905
1minus 1199055le minus4
12057212 Delay + Resource + 119875
12 le 1199052le 3 0 le 119905
3le 0 2 le 119905
1le 2 6 le 119905
5le 6
12057213 Resource + 119875
1+ Block 1 le 119905
2le 3 4 le 119905
3le 6 minus4 le 119905
2minus 1199053le minus2
12057214 Resource + 119875
1+ Block 2 le 119905
2le 3 5 le 119905
3le 6
12057215 Delay + Resource + 119875
12 le 1199052le 3 5 le 119905
3le 6 2 le 119905
1le 2 1 le 119905
5le 3
12057216 Delay + 119875
3+Wait 0 le 119905
4le 1 4 le 119905
5le 4
12057217 Delay + Resource + 119875
32 le 1199052le 3 2 le 119905
1le 2 6 le 119905
5le 6
12057218 1198751+Wait + Block 2 le 119905
3le 4
12057219 Delay + 119875
1+Wait 3 le 119905
3le 4 0 le 119905
5le 1
12057220 Resource + 119875
1+ Block 0 le 119905
2le 2 3 le 119905
3le 5 minus4 le 119905
2minus 1199053le minus2
12057221 Delay + Resource + 119875
12 le 1199052le 3 5 le 119905
3le 6 2 le 119905
1le 2 3 le 119905
5le 4
12057222 Delay + 119875
1+Wait 3 le 119905
3le 4 1 le 119905
5le 2
12057223 1198751+Wait + Block 1 le 119905
3le 3
ResourceDelay
WaitBlock
1199054[0 1]
1199052[2 3]1199051[2 2]1199055[6 6] 1199053[5 6]
1199012
1199011
Figure 17 A periodic system with 119879119888= 1199051 1199052
behavior of the buffer considering the period of the task 1198791
And finally 1198791executes within [2 2] time units 119879
2in [2 3]
1198793within [5 6] and 119879
4in [0 1]
The state class graph of the model is given in Figure 18and Table 2 shows the state class informations Basedon the state class graph of the system the state classes1205724 1205728 12057213 12057214 12057218 12057220 and120572
23are forbidden Let us briefly
trace the algorithm on the state class graph First we followthe algorithm on the left branch where the state classes1205724 1205728 and 120572
13are located The algorithm starts from 120572
0
and is executed recursively to 1205721 then 120572
3 1205727and finally
reaches to 12057213with a forbidden markingThen it comes back
to 1205727with 119905
5 and to 120572
3with 119905
41199055 The other successor
available from 1205723is 1205728which is also forbidden Till now
there is no enabled controllable transition to avoid theseclasses and the algorithm continues returning back to 120572
1
with 119905311990541199055 11990531199055 The other successor available from 120572
1
is 1205724which is also forbidden Thus it returns back to
1205720with 119905
2119905311990541199055 119905211990531199055 11990521199055 The other successor available
from 1205720is 1205722which is safe and the algorithm continues to
1205725 1205729 12057215 12057219 and finally 120572
18which is a forbidden state
Then it goes back to 12057219
with 1199055 and consequently to 120572
15
with 11990521199055 The other successors available from 120572
15are the
forbidden state 12057220and 120572
2which is already under processing
Note that two enabled controllable transitions are available at12057215 but the controller cannot act at this level because 119905
5may
fire before 1199051or 1199052and lead to a forbidden state Then the
algorithm continues and returns back to 1205729with 119905
411990521199055 11990521199055
where no controllable transition is available Consequentlythe algorithm continues and returns back to 120572
5and finally
reaches to 1205722where newly enabled controllable transitions
are available Till now the path to be avoided at 1205722includes
11990521199053119905411990521199055 1199052119905311990541199055
The procedure is similar for the other path availablefrom 120572
2including 120572
6and its successors The forbidden state
reachable through this path is 12057223and in order to avoid this
forbidden state the controller can act at 12057221with two enabled
controllable transitions So nothing is returned to 1205722from
this path Having a closer look to the state class graph andthe output of the algorithm we conclude that at each statewhere 119905
1and 1199052are newly enabled and the controller should
act (ie 1205720 1205722 and 120572
21) the controller should force 119905
1to fire
before 1199052(ie 119905
2minus 1199051gt 0) In other words 119905
2should not be
active at [2 2] It is sufficient to add an inhibitor hyperarcto deactivate 119905
2at [2 2] The controller cannot act at the
12 Journal of Engineering
1205721
1205727
1205720 12057261199051 1199051
1199051
1199055
11990511199052
1205722
1205723
11990511199053
12057212
12057223 12057222
11990511199052
1199052
11990531199053
12057211
11990531199053
1199054
1199053
1199053
1199053
1199052
1199052
1199052
1199052
1199052
1199052
12057210
1199055
1199055
1199055
119905511990551199054 119905212057216 1205721712057220
12057215
1199051
1199054
12057213
12057218
12057219
12057214
1205724
1199054 1205729
1205725
120572211205728
Figure 18 The state class graph of the TPN presented at Figure 17
1199054[0 1]
1199052[0 1]1199051[2 2]
1199055[6 6]
1199053[5 6]
ResourceDelay
Wait
Block
1199012119901susp
1199011
Figure 19 Controlled model of Figure 17 using inhibitor hyperarcs
state class 12057215
as discussed earlier and has nothing to do atthe state class 120572
6(the permissive controller will act later at
the state class 12057221) Note that a state class like 120572
14which is
reachable through a forbidden state (1205728) is not processed by
the algorithm as it is supposed to be avoided in the controlledsystem The controlled model using inhibitor hyperarcs isgiven at Figure 19
Our model is now safe Yet some challenges exist Lookat the state class graph of the model presented at Figure 18In some paths one task is executed frequently while othersare still waiting For example see the paths leading to 120572
17
Although the system is not blocked some of the tasks cannotbe executed A good scheduler had better to performdifferenttasks alternatively We may want to consider alternationparticular sequences add a deadline for each task or otherpossible policies And finally we may ask if it is possible torestrict the execution time of a task even if it is in its safesubintervalThen while synthesizing a scheduler we can addmore constraints and scheduling policies beyond ldquosafe statesrdquoFurther researches are required to answer these questions
7 Conclusion
In this paper we have extended the approach discussed in[9] to time Petri nets with stopwatch and have suggested toassociate the controllable transitions with stopwatch in orderto prevent their bad subintervals We have proposed thatin case a controller (like a scheduler) cannot restrict timeintervals associated with controllable transitions the control-lable transitions can be suspended in their bad subintervals
Synthesizing a time Petri net associated with stopwatch iscomplicated and needs some overapproximations Besidestime Petri nets associated with stopwatch do not preservethe boundedness property In this paper we have suggesteda more effective alternative We synthesize a time Petri netwithout stopwatch and then equip the controllable transi-tions with stopwatch where necessary With this assumptionevery controllable transition can be suspended in its badsubinterval and resumed otherwise Amongst different typesof stopwatch our solution is based on inhibitor hyperarcs
The approach suggested in this paper is particularlyuseful at design level for preemptive scheduling purposesmanaging shared resources and critical sections This is agood starting point for further researches on schedulingand to calculate automatically a scheduler in a multitaskingsystem It is interesting to see how the approach can beapplied in amore general case with a variable number of tasksand dependencies Consider different scheduling policies arechallenging and areworth to be considered in further studies
References
[1] P Heidari A forward on-the-fly approach for safety and reach-ability controller synthesis of timed systems [PhD thesis] EcolePolytechnique de Montreal 2012
[2] F Cassez and K Larsen ldquoThe impressive power of stopwatchesautomatardquo in Proceedings of the 11th International Conferenceon Concurrency Theory (CONCUR rsquo00) pp 138ndash152 Springer2000
[3] O H Roux and D Lime ldquoTime petri nets with inhibitorhyperarcs formal semantics and state space computationrdquo inProceedings of the International Conference on Application andTheory of Petri Nets (ICATPN rsquo04) pp 371ndash390 2004
[4] A Allahham and H Alla ldquoPost and pre-initialized stopwatchPetri nets formal semantics and state space computationrdquoNonlinear Analysis vol 2 no 4 pp 1175ndash1186 2008
[5] A Allahham and H Alla ldquoReseaux de Petri a chronometrespost et pre-initialisesrdquo in Proceedings of the 6 eme ColloqueFrancophone sur la Modelisation des Systemes Reactifs (MSRrsquo07) pp 263ndash280 Lyon France 2007
[6] D Isovic and G Fohler ldquoEfficient scheduling of sporadicaperiodic and periodic tasks with complex constraintsrdquo in
Journal of Engineering 13
Proceedings of the 21st IEEE Real-Time Systems Symposium pp207ndash216 2000
[7] K Altisen G Gossler and J Sifakis ldquoA methodology for theconstruction of scheduled systemsrdquo in Proceedings of the FormalTechniques in Real-Time and Fault-Tolerant Systems (FTRTFTrsquo00) pp 106ndash120 2000
[8] K Altisen G Gossler A Pnueli J Sifakis S Tripakis and SYovine ldquoA framework for scheduler synthesisrdquo in Proceedingsof the 20th IEEE Real-Time Systems Symposium (RTSSrsquo99) pp154ndash163 December 1999
[9] P Heidari and H Boucheneb ldquoEfficient method for checkingthe existence of a safety reachability controller for time petrinetsrdquo in Proceedings of the 10th International Conference onApplication of Concurrency to System Design (ACSD rsquo10) pp201ndash210 June 2010
[10] O-H Roux D Lime S Haddad F Cassez and B BrardldquoComparison of different semantics for time Petri netsrdquo inProceedings of the 3rd Automated Technology for Verification andAnalysis vol 3707 of Lecture Notes in Computer Science pp293ndash307 2005
[11] M Boyer and F Vernadat ldquoLanguage and bisimulation relationsbetween subclasses of timed petri nets with strong timingsemanticrdquo Tech Rep LAAS 2000
[12] W Penczek and A Polrola ldquoSpecification and model checkingof temporal properties in time Petri nets and timed automatardquoin Proceedings of the 25th International Conference on Appli-cation and Theory of Petri Nets vol 3099 of Lecture Notes inComputer Science pp 37ndash76 2004
[13] B Berthomieu andM Diaz ldquoModeling and verification of timedependent systems using time Petri netsrdquo IEEE Transactions onSoftware Engineering vol 17 no 3 pp 259ndash273 1991
[14] H Boucheneb G Gardey and O H Roux ldquoTCTL modelchecking of time petri netsrdquo Journal of Logic and Computationvol 19 no 6 pp 1509ndash1540 2009
[15] J Bengtsson Clocks DBMs and states in timed systems [PhDthesis] Uppsala Universitet Sweden 2002
[16] B Berthomieu and F Vernadat ldquoState class constructions forbranching analysis of time Petri netsrdquo in Proceedings of the9th International Conference on Tools and Algorithms for theConstruction and Analysis of Systems (TACAS rsquo03) pp 442ndash4572003
[17] D Lime andO Roux ldquoA translation basedmethod for the timedanalysis of scheduling extended time Petri netsrdquo in Proceedingsof the 25th IEEE International Real-Time Systems Symposium(RTSS rsquo04) pp 187ndash196 December 2004
[18] G Bucci A Fedeli L Sassoli and E Vicario ldquoTimed state spaceanalysis of real-time preemptive systemsrdquo IEEE Transactions onSoftware Engineering vol 30 no 2 pp 97ndash111 2004
[19] T A Henzinger P-H Ho and H Wong-Toi ldquoHYTECH amodel checker for hybrid systemsrdquo in Proceedings of the 9thInternational Conference on Computer-Aided Verification (CAVrsquo97) vol 1254 of Lecture Notes in Computer Science pp 460ndash463 Springer Berlin Germany 1997
[20] P Heidari andH Boucheneb ldquoMaximally permissive controllersynthesis for time petri netsrdquo International Journal of Controlvol 86 no 3 pp 493ndash511 2013
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
Journal of Engineering 3
(ii) Pre and Post are the backward and the forwardincidence functions (PrePost 119875 times119879 rarr N whereNis the set of nonnegative integers)
(iii) 1198720is the initial marking (119872
0 119875 rarr N)
(iv) Is is the static interval function (Is 119879 rarr Q+ times(Q+ cup
infin))Q+ is the set of nonnegative rational numbersIs associates with each transition 119905 an interval calledthe static firing interval of 119905 Bounds darr Is(119905) and uarr Is(119905)of the interval Is(119905) are the minimum and maximumfiring delays of 119905 respectively
In a controllable time Petri net transitions are partitionedinto controllable and uncontrollable transitions denoted by119879119888and 119879
119906 respectively (with 119879
119888cap 119879119906= 0 and 119879 = 119879
119888cup 119879119906)
For the sake of simplicity and clarification in this paper thecontrollable transitions are depicted as white bars while theuncontrollable ones as black bars
A TPN is called bounded if for every reachable marking119872 there is a bound 119887 isin N119901 where 119872 le 119887 holds In thiscondition 119901 stands for the number of places in 119875
Let 119872 be a marking and 119905 a transition Transition 119905 isenabled for 119872 if and only if all required tokens for firing 119905are present in 119872 that is forall119901 isin 119875 119872(119901) ge Pre(119901 119905) Firingof 119905 leads to the marking 1198721015840 defined by forall119901 isin 119875 119872
1015840(119901) =
119872(119901) minus Pre(119901 119905) + Post(119901 119905) We denote En(119872) the set oftransitions enabled for 119872 that is En(119872) = 119905 isin 119879 | forall119901 isin
119875Pre(119901 119905) le 119872(119901) For 119905 isin En(119872) we denote CF(119872 119905)
the set of transitions enabled in119872 but in conflict with 119905 thatis CF(119872 119905) = 119905
1015840isin En(119872) | 119905
1015840= 119905 or exist119901 isin 119875119872(119901) lt
Pre(119901 1199051015840) + Pre(119901 119905) Let 119905 isin En(119872) and 1198721015840 the successormarking of119872 by 119905 a transition 1199051015840 is said to be newly enabledin 1198721015840 if and only if 1199051015840 is not enabled in the intermediate
marking (ie119872 minus Pre(sdot 119905)) or 1199051015840 = 119905 We denote New(1198721015840 119905)the set of transitions newly enabled 1198721015840 by firing 119905 from119872that is New(1198721015840 119905) = 119905
1015840isin En(1198721015840) | 119905 = 119905
1015840or exist119901 isin
1198751198721015840(119901) minus Post(119901 119905) lt Pre(119901 1199051015840)
The TPN state is defined as a pair (119872 Id) where 119872 is amarking and Id is a firing interval function (Id En(119872) rarr
Q+ times (Q+ cup infin)) The initial state is (1198720 Id0) where119872
0is
the initial marking and Id0(119905) = Is(119905) for 119905 isin En(119872
0) Let
(119872 Id) and (1198721015840 Id1015840) be two states of the TPNmodel 120579 isin R+
and 119905 isin 119879 The transition relation rarr over states is defined asfollows
(i) (119872 Id) 120579997888rarr (1198721015840 Id1015840) also denoted by (119872 Id) + 120579 if
and only if the state (1198721015840 Id1015840) is reachable from state(119872 Id) after 120579 time units that is ⋀
1199051015840isinEn(119872)120579 le uarr
Id(1199051015840)1198721015840 = 119872 and forall11990510158401015840 isin En(1198721015840) Id1015840(11990510158401015840) = [Max(darrId(11990510158401015840) minus 120579 0) uarr Id(11990510158401015840) minus 120579]
(ii) (119872 Id) 119905997888rarr (1198721015840 Id1015840) if and only if the state (1198721015840 Id1015840)
is reachable from the state (119872 Id) by immediatelyfiring transition 119905 that is 119905 isin En(119872) darr Id(119905) = 0forall119901 isin 119875 119872
1015840(119901) = 119872(119901) minus Pre(119901 119905) + Post(119901 119905) and
forall1199051015840isin En(1198721015840) Id1015840(1199051015840) = Is(1199051015840) if 1199051015840 isin New(1198721015840 119905) and
Id1015840(1199051015840) = Id(1199051015840) otherwise
The TPN state space is the structure (Q rarr 1199020) where
1199020
= (1198720 Id0) is the initial state of the TPN and
Q = 119902 | 1199020
lowast
997888rarr 119902(
lowast
997888rarr being the reflexive and transitive closureof the relation rarr defined above) is the set of reachable statesof the model A run in the TPN state space (Q rarr 119902
0) of a
state 119902 isin Q is amaximal sequence120588 = 1199021
1205791
997888rarr 1199021+1205791
1199051
997888rarr 1199022
1205792
997888rarr
1199022+ 1205792
1199052
997888rarr 1199023 such that 119902
1= 119902 By convention for any
state 119902119894 the relation 119902
119894
0
997888rarr 119902119894holds The sequence 120579
1119905112057921199052
is called the timed trace of 120588 The sequence 11990511199052 is called
the firing sequence (untimed trace) of 120588 A marking 119872 isreachable if and only if exist119902 isin Q st its marking is 119872 Runs(resp timeduntimed traces) of the TPN are all runs (resptimeduntimed traces) of the initial state 119902
0
To use enumerative analysis techniques with time Petrinets their generally infinite state spaces are abstractedAbstraction techniques construct by removing some irrel-evant details a finite contraction of the state space of themodel which preserves properties of interest For best perfor-mances the contraction should also be the smallest possibleand computed with the minimal resources in terms of timeand space The preserved properties are usually verifiedusing standard analysis techniques on the abstractions [12]Several state space abstraction methods have been proposedin the literature for time Petri nets (the state class graph(SCG) [13] the zone based graph (ZBG) [14] etc) Theymay differ in the characterization of states (interval or clockstates) the state agglomeration criteria the abstract statesrepresentation the preserved properties (markings linear orbranching properties) and their size
These abstractions are finite for all bounded time Petrinets However abstractions based on clocks are less inter-esting than the interval-based abstractions when only linearproperties are of interest Indeed abstractions based onclocks do not enjoy naturally the finiteness property forbounded TPN with unbounded intervals as it is the case forabstractions based on intervals The finiteness is enforcedusing an approximation operation which may involve someoverhead computation The algorithm of [9] is based on thestate class graph method
21 The State Class Graph Method In the state class graphmethod [13] all states reachable by the same firing sequencefrom the initial state are agglomerated in the same node andconsidered modulo the relation of equivalence defined bytwo sets of states are equivalent if and only if they have thesamemarking and the same firing domain (the firing domainof a set of states is the union of the firing domains of its states)All equivalent sets are agglomerated in the same node called astate class defined as a pair 120572 = (119872 119865) where119872 is a markingand 119865 is a formula which characterizes the firing domain of120572 For each transition 119905
119894enabled in119872 there is a variable 119905
119894 in
119865 representing its firing delay 119865 can be rewritten as a set ofatomic constraints of the form 119905
119894minus 119905119895le 119888 119905
119894le 119888 or minus119905
119895le 119888
where 119905119894 119905119895are transitions 119888 isin Q cup infin and Q is the set of
rational numbers (for economy of notation we use operatorle even if 119888 = infin)
Each domain is expressed by the canonical form that isusually encoded by a difference bound matrix (DBM) [15]The canonical form of 119865 is encoded by the DBM 119863 (a square
4 Journal of Engineering
matrix) of order |En(119872)| + 1 defined by forall119905119894 119905119895isin En(119872) cup
1199050 119889119894119895= (le Sup
119865(119905119894minus 119905119895)) where 119905
0(1199050notin 119879) represents
a fictitious transition whose delay is always equal to 0 andSup119865(119905119894minus 119905119895) is the largest value of 119905
119894minus 119905119895in the domain of 119865
Its computation is based on the shortest path Floyd-Warshallrsquosalgorithm and is considered as the most costly operation(cubic in the number of variables in 119865) The canonical formof a DBM makes some operations over formulas like the testof equivalence easier Two formulas are equivalent if and onlyif the canonical forms of their DBMs are identical
The initial state class is 1205720
= (1198720 1198650) where 119865
0=
⋀119905119894isinEn(119872
0)darr Is(119905
119894) le 119905
119894le uarr Is(119905
119894) Let 120572 = (119872 119865) be
a state class and 119905119891a transition and succ(120572 119905
119891) the set of
states defined by succ(120572 119905119891) = 119902
1015840isin Q | exist119902 isin 120572 exist120579 isin
R+ st 119902
120579
997888rarr 119902 + 120579
119905119891
997888rarr 1199021015840 The state class 120572 has a successor
by 119905119891(ie succ(120572 119905
119891) = 0) if and only if 119905
119891is enabled in 119872
and can be fired before any other enabled transition that isthe following formula is consistent 119865 and (⋀
119905119894isinEn(119872)119905119891 le 119905
119894)
A formula F is consistent if and only if there is at least onetuple of values that satisfies at once all constraints ofF In thiscase the firing of 119905
119891leads to the state class 1205721015840 = (119872
1015840 1198651015840) =
succ(120572 119905119891) computed as follows [13]
(1) forall119901 isin 1198751198721015840(119901) = 119872(119901) minus Pre(119901 119905119891) + Post(119901 119905
119891)
(2) 1198651015840 = 119865 and (⋀119905119894isinEn(119872)119905119891 minus 119905119894 le 0)
(3) Replace in 1198651015840 each 119905119894= 119905119891 by (119905
119894+ 119905119891)
(4) Eliminate by substitution 119905119891and each 119905
119894of transition
conflicting with 119905119891in119872
(5) Add constraint darr Is(119905119899) le 119905
119899leuarr Is(119905
119899) for each
transition 119905119899isin New(1198721015840 119905
119891)
Formally the SCG of a TPN model is a structure (CCrarr 1205720) where 120572
0= (119872
0 1198650) is the initial state class forall119905
119894isin
119879 120572
119905119894
997888rarr 1205721015840 iff 120572
1015840= succ(120572 119905
119894) = 0 and CC = 120572 |
1205720
lowast
997888rarr 120572 The SCG is finite for all bounded TPNs andpreserves linear properties [16] Let 120572 = (119872 119865) be a stateclass and 120596 isin 119879
+ a sequence of transitions firable from120572 We denote succ(120572 120596) the state class reachable from 120572 byfiring successively transitions of 120596 We define inductively thisset as follows succ(120572 120596) = 120572 if 120596 = 120598 and succ(120572 120596) =succ(succ(120572 1205961015840) 119905
119894) if 120596 = 120596
1015840sdot 119905119894
As an example Figure 2 shows the state class graph ofthe TPN presented at Figure 1 Its state classes are reportedin Table 1
Let120596 be a sequence of transitions firable from 120572 the sametransitionmay be newly enabled several times To distinguishamong different enablings of the same transition 119905
119894 we denote
119905119896
119894for 119896 gt 0 the transition 119905
119894(newly) enabled by the kth
transition of the sequence 1199050119894denotes the transition 119905
119894enabled
in 119872 Let 120596 = 1199051198961
1 119905
119896119898
119898isin 119879+ with 119898 gt 0 be a sequence
of transitions firable from 120572 st succ(120572 120596) = 0 We defineFire(120572 120596) the largest subclass 1205721015840 of 120572 (ie 1205721015840 sube 120572) st 120596is firable from all its states that is Fire(120572 120596) = 119902
1isin
120572 | exist1205791 120579
119898 1199021
1205791
997888rarr 1199021+1205791
1199051198961
1
997888997888rarr 1199022 119902
119898+120579119898
119905119896119898
119898
997888997888rarr 119902119898+1
1199051[0 4]
1199053[2infin[ 1199054[0 1]
1199052[2 3]
11990121199011
11990141199013
Figure 1 A simple Petri net with 119879119888= 1199051
1205720
1205723
1205726 1205724 1205725
12057221205721 1199054
1199052
1199053 1199051
1199052
1199051
1199052
1199053
1199054
Figure 2 The state graph of the TPN presented at Figure 1
3 Literature Review
The idea of suspension and resumption of a task in asystem is modeled in different ways in timed automataand time Petri nets [2ndash4 17 18] In [2] the authors haveintroduced stopwatch automata (SWA) as a subclass of timedlinear hybrid automata In stopwatch automata an additionalbinary variable is defined to show the rate of time progressionThe clocks may have two velocities (time derivation) zeroor one Zero signifies stopped while one signifies normalprogress If clocks are running they progress with a globalrate identical to all nonstopped clocks of the model Theauthors have shown that stopwatch automata is as expressiveas timed languages
In [3] the authors have introduced inhibitor hyperarcs tointerrupt an enabled transition Once a place 119901 connected toa transition 119905 via an inhibitor arc is marked the transition 119905 issuspended and stops firing In other words once an inhibitorarc is enabled the corresponding transition is interruptedThey have called these nets IHTPN (time Petri nets withinhibitor hyperarcs) In Figure 3 119905
1is enabled As soon as
1198752is marked firing 119905
1is suspended Note that an inhibitor
hyperarc is not graphically presented by a classical arrowinstead it is depicted with an empty circle at the extreme ofthe edge
In [17] the authors have discussed an extension of timePetri nets adapted for scheduling This extension is calledscheduling extended time Petri nets (SETPN) SETPN issuitable to model concurrent tasks and shared resources withfixed priorityThe behavior of scheduler is implicitly included
Journal of Engineering 5
Table 1 The state classes of the TPN presented at Figure 2
1205720 1199011+ 1199012
0 le 1199051le 4 and 2 le 119905
2le 3 120572
1 1199012+ 1199013
0 le 1199052le 3 and 2 le 119905
31205726 1199014
1205722 1199011+ 1199014
0 le 1199051le 2 120572
3 1199013+ 1199014
0 le 1199053and 0 le 119905
4le 1
1205724 1199012
0 le 1199052le 1 120572
5 1199013+ 1199014
2 le 1199053lt infin and 0 le 119905
4le 1
1199051[1198861 1198862]
11990121199011
1199013
Figure 3 A simple example of time Petri nets with inhibitorhyperarc 119905
1is active if 119901
2is not marked otherwise it is suspended
in the model and the scheduler is not modeled as a separateagent
In [17] time Petri nets are associated with two moreproperties 120574 and 120596 standing for resource allocation andpriority respectively As an example suppose two differentconcurrent tasks sharing the same resource (120574 is identical forboth) Although both transitions are enabled the one with ahigher priority is activewhile the other is suspended For eachmarking 119872 a function Act determines whether 119872 is activeor not
The time Petri nets presented in [17] assign both pri-ority and resources to places It is particularly suitable forscheduling approaches State space analysis is done map-ping scheduling Petri nets to hybrid automata (state classstopwatch automata) The advantage of this solution is usingan automated tool like HYTECH [19] already existing formanipulation of hybird automata
Another extension of time Petri nets called preemptivetime Petri nets is discussed in [18] Preemptive time Petrinets are suitable for scheduling and preemptive approachesIn Preemptive time Petri nets resource and priority arecharacteristics of transitions while in SETPN they wereassigned to places The preemptive time Petri nets as well asscheduling extended time Petri nets are adapted specificallyfor scheduling purposes with fixed priority rather thangeneral cases of interruption and resumption of some tasksA more generalized model comes in [4 5]
Another stopwatch model comes in [4 5] Post- and Pre-initialized stopwatch Petri nets (SWPN) [4 5] also modelinterruption and retrieving of tasks In such stopwatch Petrinets transitions are partitioned into two disjoint subclasses119879 = 119879int cup 119879no-int where 119879int is the set of interruptible tran-sitions and 119879no-int is the set of noninterruptible transitionsStopwatches can suspend enabled interruptible transitionsFor each transition 119905
119894 there is a function 119907(119905
119894) representing the
value of its associated stopwatch If 119905119894isin 119879int 119907(119905119894) signifies the
time elapsed since 119905119894was first enabled whereas if 119905
119894isin 119879no-int
119907(119905119894) represents the time elapsed since 119905
119894was last enabled
119905susp[120582 1205822]1
1199052[120572 120573]
1199051[0 0]
119905resu[1205741 1205742]
1199012
1199011
1199013
Figure 4 An interruptible task modeled by SWPN reported from[4]
A transition is called firable if it is enabled (119872 gt Pre(119905119894)) and
darr Is(119905119894) le 119907(119905
119894) le uarr Is(119905
119894)
In contrary with IHTPN where a marked place sus-pended an enabled transition in this model stopwatchconsumes some tokens to disable an enabled transition Itis implemented by means of some extra placestransitionsA stopwatch transition is in conflict with an interruptibletransition Thus consuming a token can suspend an inter-ruptible enabled transition With this model an interrupt isunpredictable and we do not know when it happens In factat any time the interruptible task and the interrupt both haveequal chance to happen The simple Petri nets of Figure 4reported from [4] are a simple example of SWPN of aninterruptible task
Let 119905119894be a transition and119872 a marking 119905
119894is called
(i) enabled If119872 ge Pre(119905119894) denoted by 119905
119894isin En(119872)
(ii) firable If 119905119894isin En(119872)and darr Is(119905
119894) le 119907(119905
119894) le uarr Is(119905
119894)
denoted by 119905119894isin Firable(119872)
(iii) suspended If Pre(119905119894) gt 119872 and 119907(119905
119894) gt 0 denoted by
119905119894isin susp(119872)
The notion uarr enabled(119905119894119872 119905119896) indicates that 119905
119894is newly
enabled by firing of 119905119896at marking119872
The new concept Preinitialization defined in this modelrefers to noninterruptible transitions For every 119905
119894isin 119879no-int
119905119894is firable if 119907(119905
119894) has already been initialized when 119905
119894
becomes enabled In other words 119907(119905119894) = 0 when 119905
119894isin
uarr enabled(119905119894119872 119905119896)
The concept postinitialization is defined for interruptibletransitionsWhen an interruptible transition is fired the asso-ciated 119907(119905
119894) is initialized (119907(119905
119894) = 0) Figures 5 and 6 reported
from [4] show the difference between time evolution in aninterruptible transition and a noninterruptible transition Inthese figures the notions 119864119863 and 119865 stand for enablingdisabling and firing of a transition respectively
6 Journal of Engineering
119907(119905119894)
119864 119864 119864119863 119865
Time
Figure 5 Time elapses 119905119894is an interruptible transition
119907(119905119894)
119864 119864119863 119865
Time
Figure 6 Time elapses 119905119894is a noninterruptible transition
In brief according to the types of transitions two types ofclock initialization are defined
(i) Preinitialization Given a transition 119905119894
isin 119879no-intwhere119879no-int is the set of noninterruptible transitionsclock initialization is called preinitialization happen-ing when 119905
119894is recently enabled As soon as a transition
becomes enabled its associated clock is initialized(ii) Postinitialization Given a transition 119905
119894isin 119879int where
119879int is the set of interruptible transitions clock initial-ization is called post-initialization happening after fir-ing 119905119894 it means that the transition initializes the clock
after being fired Post-initialization is dependent ontransition firing
In [4] continuous and discrete transitions are defined asfollows
Let 119889 isin R+ a continuous transition is denoted by(119872 119907)
119889
997888rarr (119872 1199071015840) iff forall119905
119894isin 119879
(i) 1199071015840(119905119894) = 119907(119905
119894) if the transition 119905
119894is not enabled
(ii) 1199071015840(119905119894) = 119907(119905
119894) + 119889 if 119905
119894is enabled
(iii) 119872 ge Pre(119905119894) rArr 119907
1015840le uarr Is(119905
119894)
And a discrete transition is denoted by (119872 119907)
119905119894
997888rarr (1198721015840 1199071015840)
iff forall119905119894isin 119879
(i) 119905119894isin Firable(119872)
(ii) 1198721015840 = 119872 minus Pre(119905119894) + Post(119905
119894)
(iii) 1199071015840(119905119894) = 0 if 119905
119894isin 119879int (postinitialization)
(iv) forall119905119896isin 119879 1199071015840(119905
119896) =
(a) 0 if 119905119896isin uarr enabled(119905
119896119872 119905119894) (preinitialization)
(b) 119907(119905119894) Otherwise
In order to perform further timing analysis the sameas scheduling extended time Petri nets of [17] the SWPNis transformed to hybrid automaton In addition a forwardalgorithm is suggested to compute reachable states
If the number of stopwatches increases for exampleif all of the transitions are interruptible the complexityof calculation will highly increase Scheduling time Petrinets and preemptive time Petri nets are both subclasses ofstopwatch Petri nets An ordinary TPN is also a SWPNwhere119879int = 0
After having a survey on different stopwatch Petri netsavailable in the literature in the following wewill have a briefreview on the algorithm of [9] and then investigate how tointegrate stopwatch in the controller synthesis approach of[9]
4 Safety Controller Synthesis ApproachProposed in [9]
Let N be a TPN with controllable and uncontrollable tran-sitions (119879 = 119879
119888cup 119879119906) and a set of markings to be avoided
(bad) For a safety property the approach proposed in [9] (seeAlgorithms 1 and 2) consists of exploring on-the-fly and pathby path the state class graph of the TPN N while collectingthe bad sequences and the losing states (sequences or statesthat lead to bad markings) The list Passed is used to retrievethe set of state classes processed so far their bad sequencesand their losing subclasses For a given state class 120572 and abad sequence 120596 feasible from 120572 the function Fire is used tocompute forwardly all states of 120572 which lead by a sequence oftransitions to an undesirable marking (ie a losing subclassof 120572) The function explore receives parameters 120572 being theclass under process 119905 the transition leading to 120572 and Cthe set of traveled classes in the current path Succinctlyit recursively computes the bad sequences of 120572 (from badsequences of its successors) and verifies whether or not 120572can be controlled so as to avoid its bad sequences It returnsthe set of bad sequences if they cannot be avoided from 120572Otherwise it returns an empty set which means that 120572 canbe controlled (ie 120572 has no bad sequences or there is at leastone controllable transition 119905
119888such that its firing interval in
120572 can be restricted so as to avoid reaching bad states) Therestriction of the interval of 119905
119888in 120572 is obtained by subtracting
from its interval in 120572 intervals of 119905119888in its bad subclasses
This approach tries to control the system behavior start-ing from the last to the first state class of bad paths If it failsto control a state class of a path so as to avoid all bad stateclasses the algorithm tries to control its previous state classesIf it succeeds to control a state class there is no need to controlits predecessors The aim is to limit as little as possible thebehavior of the system (more permissive controller)
In [20] we have proven that this approach gives themaximally permissive controller and if it fails to compute the
Journal of Engineering 7
Functionmain (TPNN Markings bad)WhereN is a TPNbad is a set of bad markingsLet 119879
119888be the set of controllable transitions of N and
1205720the initial state class of N
Passed = 0If (explore (120572
0 120598 1205720) = 0) then
Controller does not existreturn
end iffor all ((120572 Ω LI) isin Passed) do
Ctrl[120572] = ⋃(119905119888 119905119904 BI)isinLI(119905119888 119905119904 INT (120572 119905119888 minus 119905119904) minus BI)
end for(lowastRemarks)120572 = (119872 119865)En119888(119872) = En(119872) cap 119879
119888
En0119888(119872) = En
119888(119872) cup 119905
0
New119888(119872 119905) = New(119872 119905) cap 119879
119888
New(1198720 120598) = En(119872
0)
1199050is a fictitious transition whose time variable is fixed at 0
Dep (120572 119905 LI) equivexist(119905119888 119905119904BI) isin LI 119905
119888notin New(119872 119905) and (119905
119904notin New(119872 119905)or
INT (120572 119905119888minus 1199050) sube ⋂
119868isinBI(119868 oplus INT (120572 119905119904minus 1199050)))
Algorithm 1 On-the-fly algorithm for the safety control of TPN-Part I
Function Traces explore (Class 120572 Trans 119905 ClassesC)if (existΩ LI st (120572 Ω LI) isin Passed) then
if (Ω = 0 and Dep (120572 119905 LI)) thenreturn 119905 sdot 120596 | 120596 isin Ω
end ifreturn 0
end ifif (119872 isin bad) then
return 119905end ifTraces Ω = 0for all 1199051015840 isin En(119872) st succ (120572 1199051015840) = 0 and succ (120572 1199051015840) notin C
doΩ =Ω cup explore (succ (120572 1199051015840) 1199051015840C cup succ (120572 1199051015840))
end for Ω contains all bad sequences of 120572if (Ω = 0) then
Passed = Passed cup (120572 0 0)return 0
end ifLI = (119905
119888 119905119904BI) | (119905
119888 119905119904) isin En
119888(119872) times En0
119888(119872) and
BI = ⋃120596isinΩ
INT (Fire (120572 120596) 119905119888minus 119905119904) sub INT (120572 119905
119888minus 119905119904)
Passed = Passed cup (120572Ω LI)if (Dep (120572 119905 LI)) then
return 119905 sdot 120596 | 120596 isin Ω
end ifreturn 0
Algorithm 2 On-the-fly algorithm for the safety control of TPN-Part II
8 Journal of Engineering
Explore (1205720 120598 1205720)Returnempty
Explore (1205721 1199051 1205720 1205721)Return 119905111990521199053 11990511199053
Explore (1205723 1199052 1205720 1205721 1205723)
Explore (1205726 1199053 1205720 1205721 1205723 1205726)Return 1199053
Explore (1205725 1199051 1205720 1205722 1205725)Returnempty
Explore (1205722 1199052 1205720 1205722)Returnempty
Explore (1205724 1199053 1205720 1205721 1205724)
1205721
1205720
1205726
1205723
1199053
11990521199051
1205724
1205725
1199052
1199053
1199051
1205722
Return 1199053
Return 11990521199053
Figure 7 Applying Algorithms 1 and 2 on the TPN at Figure 1 forAG not 119901
1+ 1199013= 0
controller then the controller does not exist We have alsoinvestigated the hardness complexity of the approach step bystep
(i) The complexity of computing BI of a state class (inworst case) is119874(119870times119871times119899
119905
2)where119870 is the number of
paths starting from the state class and leading to badmarkings 119871 is the maximal length of such paths and119899119905is the number of transitions in the model
(ii) The complexity for computing Dep relation used inAlgorithms 1 and 2 is119874(|LI|times119898times|BI|) where119898 is thenumber of places in the model (complexity of testingNew(119872 119905))
In [14] the authors have discussed the completenesscomplexity for bounded TPNs They have proven that modelchecking of TPN-TCTL formula on a bounded TPN isPSPACE-complete
Let us explain this approach by means of an exampleConsider the TPN shown at Figure 1 its state class graphpresented at Figure 2 and its state classes reported in Table 1Suppose that only 119905
1is controllable (ie 119879
119888= 1199051) and we
want to avoid reaching markings where places 1199011and 119901
3are
both not marked (ie state classes 1205724and 120572
6) by choosing
appropriately the firing intervals of 1199051 For this example we
have 119879119888= 1199051 bad = 119901
2 1199014 Passed = 0 and 120572
0=
(1199011+ 1199012 0 le 119905
1le 4 and 2 le 119905
2le 3)
The process starts by calling explore(1205720 120598 1205720) (see
Figure 7) Since 1205720is not in Passed and its marking is not
forbidden explore is successively called for the successorsof 1205720 explore(120572
1 1199051 1205720 1205721) and explore(120572
2 1199052 1205720 1205722) In
explore of 1205721 function explore is successively called for 120572
3
and 1205724 In explore of 120572
3 function explore is called for the
successor 1205726of 1205723by 1199053 explore(120572
6 1199053 1205720 1205721 1205723 1205726 For the
successor of 1205723by 1199054(ie 120572
0) there is no need to call explore
as it belongs to the current path Since 1205726has a forbidden
marking explore of 1205726returns to explore of 120572
3with 119905
3
which in turn adds (1205723 11990521199053 0) to Passed and returns to
explore of 1205721with 119905
21199053
In explore of 1205721 function explore is called for 120572
4
(explore(1205724 1199053 1205720 1205721 1205724)) This call returns to explore of
1205721 with 119905
3 since 120572
4has a forbidden marking In explore
of 1205721 the tuple (120572
1 11990521199053 1199053 0) is added to Passed and
119905111990521199053 11990511199053 is returned to explore of 120572
0 Then explore
of 1205720
calls explore(1205722 1199052 1205720 1205722) which in turn calls
explore(1205725 1199051 1205720 1205722 1205725) Since 120572
5has only one successor
(1205720) and this successor belongs to the current path the call of
explore for 1205725adds (120572
5 0 0) to Passed and returns to explore
of 1205722with 0 which in turn returns to explore of 120572
0
After exploring both successors of 1205720 in explore of 120572
0 we
get inΩ = 119905111990521199053 11990511199053 the set of bad paths of 120572
0 As the state
class 1205720has a controllable transition 119905
1 its bad subclasses are
computed Fire(1205720 119905111990521199053) = (119901
1+ 1199012 0 le 119905
1le 2 and 2 le
1199052le 3 and 1 le 119905
2minus 1199051le 3) and Fire(120572
0 11990511199053) = (119901
1+ 1199012 0 le
1199051le 1 and 2 le 119905
2le 3 and 2 le 119905
2minus 1199051le 3) The firing interval
of 1199051in 1205720([0 4]) is not covered by the union of intervals
of 1199051in bad subclasses of 120572
0([0 2] cup [0 1] = [0 4]) Then
(1205720 119905111990521199053 11990511199053 (1199051 1199050 [0 2])) is added to Passed As 119905
1is
newly enabled the empty set is returned to the functionmainwhich concludes that a controller exists According to the listPassed 120572
0needs to be controlled (Ctrl[120572
0] = (119905
1 1199050 [0 4] minus
[0 2])) For all others there is nothing to do
5 Controller Synthesis and Stopwatch
In this section we consider time Petri nets with control-lableuncontrollable transitions and show how such a systemis controlled by associating some of the controllable transi-tions with stopwatch First we apply the on-the-fly algorithmof [9] and calculate the appropriate controller Then insteadof restricting time intervals of corresponding controllabletransitions we associate them with stopwatch In fact wesuspend some transition during its bad subinterval to controla system so as to satisfy a given property
We consider the inhibitor hyperarcs of [3]The controllershall suspend a controllable transition in its bad subintervaland retrieve it otherwise Let us remember the example ofFigure 1 with the state class graph of Figure 2 and Table 1We have seen that in order to prevent the system enteringthe forbidden state classes 120572
4and 120572
6 the controller should
prevent 1199051from firing before ]2 4] Thus an inhibitor hyper-
arc is added to the transition 1199051 This inhibitor hyperarc
connects 1199051to a place called119901susp At the beginning this place
is marked and then 1199051is suspended At [2 2] the token of
119901susp is consumed and the corresponding hyperarc becomesdisabled The controllable transition 119905
1is now firable again
The token is returned to place 119901susp after 1199051 is fired Thus thecontroller suspends 119905
1during its bad subinterval and resumes
it after then At the beginning all clocks are initialized to zeroThen time elapses but in [0 2] this transition is suspendedand hence its clock does not elapse anymore Later at time[2 2] this transition is retrieved and becomes active Wedo not need to delay it anymore that is why the lowerbound of the interval associated with 119905
1is modified to 0
Now the clock starts elapsing Within 2 time units 1199051should
be fired (ie when the actual time of the general clock ofthe system reaches to 4) Then the interval associated with
Journal of Engineering 9
0 1 2 3 40
1
2
119907(1199051)
Time
119907(1199051) ne 0
119907(1199051) = 0
Figure 8 Clock evaluation of 1199051in the controlled TPN of Figure 9
1199051in a controlled TPN associated with stopwatch is [0 2]
Figure 8 represents the clock evaluation of the transition 1199051
The controlled Petri nets of this example are presented inFigure 9
In summary our goal is to synthesize the state class graphof the system through Algorithms 1 and 2 (see [9]) andcalculate bad subintervals of the corresponding controllabletransitions Then suspend the appropriate controllable tran-sitions during their bad subintervals Note that in [9] wewererestricting and limiting time intervals while in this approachthe idea is to delay and suspend them In this research wesuppose every controllable transition can be associated witha stopwatch if needed As explained earlier in Section 1 ina multitasking system with periodic tasks only execution ofa task is controllable Then those transitions modeling thetask executions are considered controllable and consequentlycould be suspended and retrieved
Above we have shown how to control a system whenthe bad subinterval is at the beginning of the firing inter-val What if the acceptable subinterval is at the beginningand bad subintervals are after Consider the example ofFigure 10 A controllable transition 119905
1is associated with firing
interval [119886 119887] Suppose that based on Algorithms 1 and 2the subinterval [119886 120572
1] is acceptable while ]120572
1 119887] is a bad
subinterval where 119886 le 1205721lt 119887 The controlled time Petri
nets are presented in Figure 11 Figure 12 represents the clockevaluation of 119905
1and shows how the new interval associated
with 1199051is calculated In [0 119886[ 119901susp is marked and 119905
1is neither
active nor enabled Meanwhile at the time 119886 1199051199031
becomesenabled and is fired consuming the token in 119901suspThus rightat 119886 the transition 119905
1becomes active and its associated clock
starts elapsing Note that associated stopwatch delays 1199051for
119886 time units and we do not want to delay it anymore thenthe lower bound of the new associated interval in controlledTPN is 0 After 120572
1time units 119905
1199032is fired and 119901susp becomes
marked again Consequently 1199051is suspended
Consider the same example of Figure 10 and this timesuppose that Algorithms 1 and 2 give the following output
[119886 1205721[ is acceptable [120572
1 1205722[ is a bad subinterval [120572
2 119887]
is acceptable where the condition 119886 lt 1205721lt 1205722le 119887 holds
1199051[0 2]
1199053[2infin[ 1199054[0 1]
1199052[2 3]119905resu [2 2]
119875susp
11990121199011
11990141199013
Figure 9 Time Petri net of Figure 1 controlled by inhibitor hyper-arcs (119879
119888= 1199051)
1199051[119886 119887]
1199012
1199013
Figure 10 A simple time Petri net (119879119888= 1199051)
With the same idea the controlled Petri nets are presented inFigure 13 and the clock evaluation of 119905
1is shown in Figure 14
51Why InhibitorHyperarcs Wehave shown how to achievea controlled model from an uncontrolled time Petri netsby adding inhibitor hyperarcs One question is why amongdifferent types of stopwatch inhibitor hyperarcs are chosenIs it possible to use another stopwatch model The answeris yes but inhibitor hyperarcs provide more flexibility andless complication Let us see if this idea is feasible using othertypes of Petri nets with stopwatch
We consider the post- and preinitialized Petri nets pro-posed in [4 5] for stopwatch and try to control amodel wherea controllable transition associated with time interval [119886 119887]has a bad subinterval [119886 120572] Based on our hypothesis thecontroller should suspend the controllable transition at [119886 119886]and resume it at [120572 120572] The characteristic of post and pre-initialized Petri nets is that they consume the same tokenof the original model and in addition the exact time whenthe model becomes suspended is unknown as stopwatchtransition and original transition have the same chance forfiring At the first glance the idea is feasible by adding oneplace and two transitions However there are some issuesWeexplain the problem through an example
We consider the same example of Figure 1 The suggestedcontrolled model using post and pre-initialized Petri netscomes in Figure 15The controllable transition 119905
1is associated
with stopwatchThe stopwatch interrupts the task at [0 0] andresume it at [2 2] The problem is at [0 0] both transitions1199051and 119905sus are enabled with equal chance of firing whereas
in order to have a controlled model 119905sus should fire at [0 0]before 119905
1 Thus the controller fails unless if we modify the
interval associated to 1199051to ]0 2] which is not of interest in
this approach
10 Journal of Engineering
1199051[0 1205721 minus 119886[
1199051199032[1205721 minus 119886 1205721 minus 119886]
1199051199031[119886 119886]
1199012
1199013
1199011199040
1199011199041
119901susp
Figure 11The controlledTPNof Figure 10 using inhibitor hyperarcs(119879119888= 1199051) Forbidden interval is ]120572
1 119887] where 119886 le 120572
1lt 119887
Time0
01205721
119907(1199051) 119907(1199051) = 1205721 minus 119886
119886 119887
1205721 minus 119886
119907(1199051) = 0
Figure 12 Clock evaluation of 1199051in the controlled TPN of Figure 10
Forbidden interval is ]1205721 119887] where 119886 le 120572
1lt 119887
1199051[0 119887 minus 119886 + 1205721 minus 1205722]
1199051199033[1205722 minus 1205721 1205722 minus 1205721]
1199051199032[1205721 minus 119886 1205721 minus 119886]
1199051199031[119886 119886]
1199013
11990121199011199040
1199011199041
119901susp
1199011199042
Figure 13 A simple time Petri net controlled by inhibitor hyperarcs(119879119888= 1199051) the bad subinterval is [120572
1 1205722[ where 119886 lt 120572
1lt 1205722le 119887
The other alternative is presented at Figure 16 An auxil-iary place 119901
119904solves the problem Hence using the stopwatch
Petri nets suggested in [4 5] it is not easy to give ageneral solution to control a model considering the output ofAlgorithms 1 and 2 In addition the resulting controlled netsare more complicated For example in case the controllabletransition is associated with the interval [119886 119887] where its badsubinterval is [120572 119887] and 119886 le 120572 then the controlled modelbecomes complicated
Time
00
119907(1199051)
119887 minus 119886 + 1205721 minus 1205722
1205721 minus 119886
1205722119886 1198871205721
Figure 14 Clock evaluation of 1199051in a controlled TPN of Figure 10
The forbidden interval is ]1205721 1205722] where 119886 lt 120572
1lt 1205722le 119887
119905sus[0 0]
119905resu[2 2]
1199053[2infin[ 1199054[0 1]
1199051[0 2] 1199052[2 3]
1199012
1199013
119901susp
1199011
1199014
Figure 15 Controlling the example of Figure 1 using stopwatch of[4] The controller fails
119905sus[0 0]
119905resu[2 2]
1199053[2infin[ 1199054[0 1]
1199051[0 2] 1199052[2 3]
1199012
1199013
119901susp
1199011
1199014
119901119904
Figure 16 Controlled model of Figure 1 using stopwatch of [4]
6 Illustrative Example
Suppose the multitasking system depicted in Figure 17 withthe following specifications four tasks 119879
1 1198792 1198793 and 119879
4are
being executed Two tasks 1198793and 119879
4are uncontrollable The
task 1198791is periodic with a period of [6 6] and then its start
execution is controllable Suppose that starting execution of1198792is also controllable 119879
4is depended to 119879
2and 119879
3meaning
that it can be executed only when1198792and1198793are executed Two
tasks1198791and1198792share a common resource On the other hand
1198791enters through a single capacity buffer It means that if 119879
1
is not executed by the end of its period the system will blockIn Figure 7 tasks are modeled by tokens and the execution ofeach task 119879
119894is shown by the transition 119905
119894 If 1198791is not executed
by the end of its period the system enters the state Block and1199055is the transition to be avoided Delay is a placemodeling the
Journal of Engineering 11
Table 2 State classes of the TPN presented at Figure 17
1205720 Delay + 119875
1+ Resource 2 le 119905
2le 3 5 le 119905
3le 6 2 le 119905
1le 2 6 le 119905
5le 6
1205721 Delay + 119875
1+Wait 3 le 119905
3le 4 4 le 119905
5le 4
1205722 Delay + 119875
1+ Resource 2 le 119905
2le 3 3 le 119905
3le 4 2 le 119905
1le 2 6 le 119905
5le 6
1205723 Delay + 119875
3+Wait 0 le 119905
4le 1 0 le 119905
5le 1
1205724 1198751+Wait + Block 0 le 119905
3le 0
1205725 Delay + 119875
1+Wait 1 le 119905
3le 2 4 le 119905
5le 4
1205726 Delay + 119875
1+ Resource 2 le 119905
2le 3 1 le 119905
3le 2 2 le 119905
1le 2 6 le 119905
5le 6
1205727 Delay + Resource + 119875
12 le 1199052le 3 5 le 119905
3le 6 2 le 119905
1le 2 0 le 119905
5le 1
1205728 1198753+Wait + Block 0 le 119905
4le 1
1205729 Delay + 119875
3+Wait 0 le 119905
4le 1 2 le 119905
5le 3
12057210 Delay + 119875
1+Wait 0 le 119905
3le 0 4 le 119905
5le 4
12057211 Delay + Resource + 119875
3
0 le 1199052le 2 0 le 119905
1le 1 4 le 119905
5le 5
0 le 1199052minus 1199051le 1 minus4 le 119905
2minus 1199055le minus3 minus4 le 119905
1minus 1199055le minus4
12057212 Delay + Resource + 119875
12 le 1199052le 3 0 le 119905
3le 0 2 le 119905
1le 2 6 le 119905
5le 6
12057213 Resource + 119875
1+ Block 1 le 119905
2le 3 4 le 119905
3le 6 minus4 le 119905
2minus 1199053le minus2
12057214 Resource + 119875
1+ Block 2 le 119905
2le 3 5 le 119905
3le 6
12057215 Delay + Resource + 119875
12 le 1199052le 3 5 le 119905
3le 6 2 le 119905
1le 2 1 le 119905
5le 3
12057216 Delay + 119875
3+Wait 0 le 119905
4le 1 4 le 119905
5le 4
12057217 Delay + Resource + 119875
32 le 1199052le 3 2 le 119905
1le 2 6 le 119905
5le 6
12057218 1198751+Wait + Block 2 le 119905
3le 4
12057219 Delay + 119875
1+Wait 3 le 119905
3le 4 0 le 119905
5le 1
12057220 Resource + 119875
1+ Block 0 le 119905
2le 2 3 le 119905
3le 5 minus4 le 119905
2minus 1199053le minus2
12057221 Delay + Resource + 119875
12 le 1199052le 3 5 le 119905
3le 6 2 le 119905
1le 2 3 le 119905
5le 4
12057222 Delay + 119875
1+Wait 3 le 119905
3le 4 1 le 119905
5le 2
12057223 1198751+Wait + Block 1 le 119905
3le 3
ResourceDelay
WaitBlock
1199054[0 1]
1199052[2 3]1199051[2 2]1199055[6 6] 1199053[5 6]
1199012
1199011
Figure 17 A periodic system with 119879119888= 1199051 1199052
behavior of the buffer considering the period of the task 1198791
And finally 1198791executes within [2 2] time units 119879
2in [2 3]
1198793within [5 6] and 119879
4in [0 1]
The state class graph of the model is given in Figure 18and Table 2 shows the state class informations Basedon the state class graph of the system the state classes1205724 1205728 12057213 12057214 12057218 12057220 and120572
23are forbidden Let us briefly
trace the algorithm on the state class graph First we followthe algorithm on the left branch where the state classes1205724 1205728 and 120572
13are located The algorithm starts from 120572
0
and is executed recursively to 1205721 then 120572
3 1205727and finally
reaches to 12057213with a forbidden markingThen it comes back
to 1205727with 119905
5 and to 120572
3with 119905
41199055 The other successor
available from 1205723is 1205728which is also forbidden Till now
there is no enabled controllable transition to avoid theseclasses and the algorithm continues returning back to 120572
1
with 119905311990541199055 11990531199055 The other successor available from 120572
1
is 1205724which is also forbidden Thus it returns back to
1205720with 119905
2119905311990541199055 119905211990531199055 11990521199055 The other successor available
from 1205720is 1205722which is safe and the algorithm continues to
1205725 1205729 12057215 12057219 and finally 120572
18which is a forbidden state
Then it goes back to 12057219
with 1199055 and consequently to 120572
15
with 11990521199055 The other successors available from 120572
15are the
forbidden state 12057220and 120572
2which is already under processing
Note that two enabled controllable transitions are available at12057215 but the controller cannot act at this level because 119905
5may
fire before 1199051or 1199052and lead to a forbidden state Then the
algorithm continues and returns back to 1205729with 119905
411990521199055 11990521199055
where no controllable transition is available Consequentlythe algorithm continues and returns back to 120572
5and finally
reaches to 1205722where newly enabled controllable transitions
are available Till now the path to be avoided at 1205722includes
11990521199053119905411990521199055 1199052119905311990541199055
The procedure is similar for the other path availablefrom 120572
2including 120572
6and its successors The forbidden state
reachable through this path is 12057223and in order to avoid this
forbidden state the controller can act at 12057221with two enabled
controllable transitions So nothing is returned to 1205722from
this path Having a closer look to the state class graph andthe output of the algorithm we conclude that at each statewhere 119905
1and 1199052are newly enabled and the controller should
act (ie 1205720 1205722 and 120572
21) the controller should force 119905
1to fire
before 1199052(ie 119905
2minus 1199051gt 0) In other words 119905
2should not be
active at [2 2] It is sufficient to add an inhibitor hyperarcto deactivate 119905
2at [2 2] The controller cannot act at the
12 Journal of Engineering
1205721
1205727
1205720 12057261199051 1199051
1199051
1199055
11990511199052
1205722
1205723
11990511199053
12057212
12057223 12057222
11990511199052
1199052
11990531199053
12057211
11990531199053
1199054
1199053
1199053
1199053
1199052
1199052
1199052
1199052
1199052
1199052
12057210
1199055
1199055
1199055
119905511990551199054 119905212057216 1205721712057220
12057215
1199051
1199054
12057213
12057218
12057219
12057214
1205724
1199054 1205729
1205725
120572211205728
Figure 18 The state class graph of the TPN presented at Figure 17
1199054[0 1]
1199052[0 1]1199051[2 2]
1199055[6 6]
1199053[5 6]
ResourceDelay
Wait
Block
1199012119901susp
1199011
Figure 19 Controlled model of Figure 17 using inhibitor hyperarcs
state class 12057215
as discussed earlier and has nothing to do atthe state class 120572
6(the permissive controller will act later at
the state class 12057221) Note that a state class like 120572
14which is
reachable through a forbidden state (1205728) is not processed by
the algorithm as it is supposed to be avoided in the controlledsystem The controlled model using inhibitor hyperarcs isgiven at Figure 19
Our model is now safe Yet some challenges exist Lookat the state class graph of the model presented at Figure 18In some paths one task is executed frequently while othersare still waiting For example see the paths leading to 120572
17
Although the system is not blocked some of the tasks cannotbe executed A good scheduler had better to performdifferenttasks alternatively We may want to consider alternationparticular sequences add a deadline for each task or otherpossible policies And finally we may ask if it is possible torestrict the execution time of a task even if it is in its safesubintervalThen while synthesizing a scheduler we can addmore constraints and scheduling policies beyond ldquosafe statesrdquoFurther researches are required to answer these questions
7 Conclusion
In this paper we have extended the approach discussed in[9] to time Petri nets with stopwatch and have suggested toassociate the controllable transitions with stopwatch in orderto prevent their bad subintervals We have proposed thatin case a controller (like a scheduler) cannot restrict timeintervals associated with controllable transitions the control-lable transitions can be suspended in their bad subintervals
Synthesizing a time Petri net associated with stopwatch iscomplicated and needs some overapproximations Besidestime Petri nets associated with stopwatch do not preservethe boundedness property In this paper we have suggesteda more effective alternative We synthesize a time Petri netwithout stopwatch and then equip the controllable transi-tions with stopwatch where necessary With this assumptionevery controllable transition can be suspended in its badsubinterval and resumed otherwise Amongst different typesof stopwatch our solution is based on inhibitor hyperarcs
The approach suggested in this paper is particularlyuseful at design level for preemptive scheduling purposesmanaging shared resources and critical sections This is agood starting point for further researches on schedulingand to calculate automatically a scheduler in a multitaskingsystem It is interesting to see how the approach can beapplied in amore general case with a variable number of tasksand dependencies Consider different scheduling policies arechallenging and areworth to be considered in further studies
References
[1] P Heidari A forward on-the-fly approach for safety and reach-ability controller synthesis of timed systems [PhD thesis] EcolePolytechnique de Montreal 2012
[2] F Cassez and K Larsen ldquoThe impressive power of stopwatchesautomatardquo in Proceedings of the 11th International Conferenceon Concurrency Theory (CONCUR rsquo00) pp 138ndash152 Springer2000
[3] O H Roux and D Lime ldquoTime petri nets with inhibitorhyperarcs formal semantics and state space computationrdquo inProceedings of the International Conference on Application andTheory of Petri Nets (ICATPN rsquo04) pp 371ndash390 2004
[4] A Allahham and H Alla ldquoPost and pre-initialized stopwatchPetri nets formal semantics and state space computationrdquoNonlinear Analysis vol 2 no 4 pp 1175ndash1186 2008
[5] A Allahham and H Alla ldquoReseaux de Petri a chronometrespost et pre-initialisesrdquo in Proceedings of the 6 eme ColloqueFrancophone sur la Modelisation des Systemes Reactifs (MSRrsquo07) pp 263ndash280 Lyon France 2007
[6] D Isovic and G Fohler ldquoEfficient scheduling of sporadicaperiodic and periodic tasks with complex constraintsrdquo in
Journal of Engineering 13
Proceedings of the 21st IEEE Real-Time Systems Symposium pp207ndash216 2000
[7] K Altisen G Gossler and J Sifakis ldquoA methodology for theconstruction of scheduled systemsrdquo in Proceedings of the FormalTechniques in Real-Time and Fault-Tolerant Systems (FTRTFTrsquo00) pp 106ndash120 2000
[8] K Altisen G Gossler A Pnueli J Sifakis S Tripakis and SYovine ldquoA framework for scheduler synthesisrdquo in Proceedingsof the 20th IEEE Real-Time Systems Symposium (RTSSrsquo99) pp154ndash163 December 1999
[9] P Heidari and H Boucheneb ldquoEfficient method for checkingthe existence of a safety reachability controller for time petrinetsrdquo in Proceedings of the 10th International Conference onApplication of Concurrency to System Design (ACSD rsquo10) pp201ndash210 June 2010
[10] O-H Roux D Lime S Haddad F Cassez and B BrardldquoComparison of different semantics for time Petri netsrdquo inProceedings of the 3rd Automated Technology for Verification andAnalysis vol 3707 of Lecture Notes in Computer Science pp293ndash307 2005
[11] M Boyer and F Vernadat ldquoLanguage and bisimulation relationsbetween subclasses of timed petri nets with strong timingsemanticrdquo Tech Rep LAAS 2000
[12] W Penczek and A Polrola ldquoSpecification and model checkingof temporal properties in time Petri nets and timed automatardquoin Proceedings of the 25th International Conference on Appli-cation and Theory of Petri Nets vol 3099 of Lecture Notes inComputer Science pp 37ndash76 2004
[13] B Berthomieu andM Diaz ldquoModeling and verification of timedependent systems using time Petri netsrdquo IEEE Transactions onSoftware Engineering vol 17 no 3 pp 259ndash273 1991
[14] H Boucheneb G Gardey and O H Roux ldquoTCTL modelchecking of time petri netsrdquo Journal of Logic and Computationvol 19 no 6 pp 1509ndash1540 2009
[15] J Bengtsson Clocks DBMs and states in timed systems [PhDthesis] Uppsala Universitet Sweden 2002
[16] B Berthomieu and F Vernadat ldquoState class constructions forbranching analysis of time Petri netsrdquo in Proceedings of the9th International Conference on Tools and Algorithms for theConstruction and Analysis of Systems (TACAS rsquo03) pp 442ndash4572003
[17] D Lime andO Roux ldquoA translation basedmethod for the timedanalysis of scheduling extended time Petri netsrdquo in Proceedingsof the 25th IEEE International Real-Time Systems Symposium(RTSS rsquo04) pp 187ndash196 December 2004
[18] G Bucci A Fedeli L Sassoli and E Vicario ldquoTimed state spaceanalysis of real-time preemptive systemsrdquo IEEE Transactions onSoftware Engineering vol 30 no 2 pp 97ndash111 2004
[19] T A Henzinger P-H Ho and H Wong-Toi ldquoHYTECH amodel checker for hybrid systemsrdquo in Proceedings of the 9thInternational Conference on Computer-Aided Verification (CAVrsquo97) vol 1254 of Lecture Notes in Computer Science pp 460ndash463 Springer Berlin Germany 1997
[20] P Heidari andH Boucheneb ldquoMaximally permissive controllersynthesis for time petri netsrdquo International Journal of Controlvol 86 no 3 pp 493ndash511 2013
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
4 Journal of Engineering
matrix) of order |En(119872)| + 1 defined by forall119905119894 119905119895isin En(119872) cup
1199050 119889119894119895= (le Sup
119865(119905119894minus 119905119895)) where 119905
0(1199050notin 119879) represents
a fictitious transition whose delay is always equal to 0 andSup119865(119905119894minus 119905119895) is the largest value of 119905
119894minus 119905119895in the domain of 119865
Its computation is based on the shortest path Floyd-Warshallrsquosalgorithm and is considered as the most costly operation(cubic in the number of variables in 119865) The canonical formof a DBM makes some operations over formulas like the testof equivalence easier Two formulas are equivalent if and onlyif the canonical forms of their DBMs are identical
The initial state class is 1205720
= (1198720 1198650) where 119865
0=
⋀119905119894isinEn(119872
0)darr Is(119905
119894) le 119905
119894le uarr Is(119905
119894) Let 120572 = (119872 119865) be
a state class and 119905119891a transition and succ(120572 119905
119891) the set of
states defined by succ(120572 119905119891) = 119902
1015840isin Q | exist119902 isin 120572 exist120579 isin
R+ st 119902
120579
997888rarr 119902 + 120579
119905119891
997888rarr 1199021015840 The state class 120572 has a successor
by 119905119891(ie succ(120572 119905
119891) = 0) if and only if 119905
119891is enabled in 119872
and can be fired before any other enabled transition that isthe following formula is consistent 119865 and (⋀
119905119894isinEn(119872)119905119891 le 119905
119894)
A formula F is consistent if and only if there is at least onetuple of values that satisfies at once all constraints ofF In thiscase the firing of 119905
119891leads to the state class 1205721015840 = (119872
1015840 1198651015840) =
succ(120572 119905119891) computed as follows [13]
(1) forall119901 isin 1198751198721015840(119901) = 119872(119901) minus Pre(119901 119905119891) + Post(119901 119905
119891)
(2) 1198651015840 = 119865 and (⋀119905119894isinEn(119872)119905119891 minus 119905119894 le 0)
(3) Replace in 1198651015840 each 119905119894= 119905119891 by (119905
119894+ 119905119891)
(4) Eliminate by substitution 119905119891and each 119905
119894of transition
conflicting with 119905119891in119872
(5) Add constraint darr Is(119905119899) le 119905
119899leuarr Is(119905
119899) for each
transition 119905119899isin New(1198721015840 119905
119891)
Formally the SCG of a TPN model is a structure (CCrarr 1205720) where 120572
0= (119872
0 1198650) is the initial state class forall119905
119894isin
119879 120572
119905119894
997888rarr 1205721015840 iff 120572
1015840= succ(120572 119905
119894) = 0 and CC = 120572 |
1205720
lowast
997888rarr 120572 The SCG is finite for all bounded TPNs andpreserves linear properties [16] Let 120572 = (119872 119865) be a stateclass and 120596 isin 119879
+ a sequence of transitions firable from120572 We denote succ(120572 120596) the state class reachable from 120572 byfiring successively transitions of 120596 We define inductively thisset as follows succ(120572 120596) = 120572 if 120596 = 120598 and succ(120572 120596) =succ(succ(120572 1205961015840) 119905
119894) if 120596 = 120596
1015840sdot 119905119894
As an example Figure 2 shows the state class graph ofthe TPN presented at Figure 1 Its state classes are reportedin Table 1
Let120596 be a sequence of transitions firable from 120572 the sametransitionmay be newly enabled several times To distinguishamong different enablings of the same transition 119905
119894 we denote
119905119896
119894for 119896 gt 0 the transition 119905
119894(newly) enabled by the kth
transition of the sequence 1199050119894denotes the transition 119905
119894enabled
in 119872 Let 120596 = 1199051198961
1 119905
119896119898
119898isin 119879+ with 119898 gt 0 be a sequence
of transitions firable from 120572 st succ(120572 120596) = 0 We defineFire(120572 120596) the largest subclass 1205721015840 of 120572 (ie 1205721015840 sube 120572) st 120596is firable from all its states that is Fire(120572 120596) = 119902
1isin
120572 | exist1205791 120579
119898 1199021
1205791
997888rarr 1199021+1205791
1199051198961
1
997888997888rarr 1199022 119902
119898+120579119898
119905119896119898
119898
997888997888rarr 119902119898+1
1199051[0 4]
1199053[2infin[ 1199054[0 1]
1199052[2 3]
11990121199011
11990141199013
Figure 1 A simple Petri net with 119879119888= 1199051
1205720
1205723
1205726 1205724 1205725
12057221205721 1199054
1199052
1199053 1199051
1199052
1199051
1199052
1199053
1199054
Figure 2 The state graph of the TPN presented at Figure 1
3 Literature Review
The idea of suspension and resumption of a task in asystem is modeled in different ways in timed automataand time Petri nets [2ndash4 17 18] In [2] the authors haveintroduced stopwatch automata (SWA) as a subclass of timedlinear hybrid automata In stopwatch automata an additionalbinary variable is defined to show the rate of time progressionThe clocks may have two velocities (time derivation) zeroor one Zero signifies stopped while one signifies normalprogress If clocks are running they progress with a globalrate identical to all nonstopped clocks of the model Theauthors have shown that stopwatch automata is as expressiveas timed languages
In [3] the authors have introduced inhibitor hyperarcs tointerrupt an enabled transition Once a place 119901 connected toa transition 119905 via an inhibitor arc is marked the transition 119905 issuspended and stops firing In other words once an inhibitorarc is enabled the corresponding transition is interruptedThey have called these nets IHTPN (time Petri nets withinhibitor hyperarcs) In Figure 3 119905
1is enabled As soon as
1198752is marked firing 119905
1is suspended Note that an inhibitor
hyperarc is not graphically presented by a classical arrowinstead it is depicted with an empty circle at the extreme ofthe edge
In [17] the authors have discussed an extension of timePetri nets adapted for scheduling This extension is calledscheduling extended time Petri nets (SETPN) SETPN issuitable to model concurrent tasks and shared resources withfixed priorityThe behavior of scheduler is implicitly included
Journal of Engineering 5
Table 1 The state classes of the TPN presented at Figure 2
1205720 1199011+ 1199012
0 le 1199051le 4 and 2 le 119905
2le 3 120572
1 1199012+ 1199013
0 le 1199052le 3 and 2 le 119905
31205726 1199014
1205722 1199011+ 1199014
0 le 1199051le 2 120572
3 1199013+ 1199014
0 le 1199053and 0 le 119905
4le 1
1205724 1199012
0 le 1199052le 1 120572
5 1199013+ 1199014
2 le 1199053lt infin and 0 le 119905
4le 1
1199051[1198861 1198862]
11990121199011
1199013
Figure 3 A simple example of time Petri nets with inhibitorhyperarc 119905
1is active if 119901
2is not marked otherwise it is suspended
in the model and the scheduler is not modeled as a separateagent
In [17] time Petri nets are associated with two moreproperties 120574 and 120596 standing for resource allocation andpriority respectively As an example suppose two differentconcurrent tasks sharing the same resource (120574 is identical forboth) Although both transitions are enabled the one with ahigher priority is activewhile the other is suspended For eachmarking 119872 a function Act determines whether 119872 is activeor not
The time Petri nets presented in [17] assign both pri-ority and resources to places It is particularly suitable forscheduling approaches State space analysis is done map-ping scheduling Petri nets to hybrid automata (state classstopwatch automata) The advantage of this solution is usingan automated tool like HYTECH [19] already existing formanipulation of hybird automata
Another extension of time Petri nets called preemptivetime Petri nets is discussed in [18] Preemptive time Petrinets are suitable for scheduling and preemptive approachesIn Preemptive time Petri nets resource and priority arecharacteristics of transitions while in SETPN they wereassigned to places The preemptive time Petri nets as well asscheduling extended time Petri nets are adapted specificallyfor scheduling purposes with fixed priority rather thangeneral cases of interruption and resumption of some tasksA more generalized model comes in [4 5]
Another stopwatch model comes in [4 5] Post- and Pre-initialized stopwatch Petri nets (SWPN) [4 5] also modelinterruption and retrieving of tasks In such stopwatch Petrinets transitions are partitioned into two disjoint subclasses119879 = 119879int cup 119879no-int where 119879int is the set of interruptible tran-sitions and 119879no-int is the set of noninterruptible transitionsStopwatches can suspend enabled interruptible transitionsFor each transition 119905
119894 there is a function 119907(119905
119894) representing the
value of its associated stopwatch If 119905119894isin 119879int 119907(119905119894) signifies the
time elapsed since 119905119894was first enabled whereas if 119905
119894isin 119879no-int
119907(119905119894) represents the time elapsed since 119905
119894was last enabled
119905susp[120582 1205822]1
1199052[120572 120573]
1199051[0 0]
119905resu[1205741 1205742]
1199012
1199011
1199013
Figure 4 An interruptible task modeled by SWPN reported from[4]
A transition is called firable if it is enabled (119872 gt Pre(119905119894)) and
darr Is(119905119894) le 119907(119905
119894) le uarr Is(119905
119894)
In contrary with IHTPN where a marked place sus-pended an enabled transition in this model stopwatchconsumes some tokens to disable an enabled transition Itis implemented by means of some extra placestransitionsA stopwatch transition is in conflict with an interruptibletransition Thus consuming a token can suspend an inter-ruptible enabled transition With this model an interrupt isunpredictable and we do not know when it happens In factat any time the interruptible task and the interrupt both haveequal chance to happen The simple Petri nets of Figure 4reported from [4] are a simple example of SWPN of aninterruptible task
Let 119905119894be a transition and119872 a marking 119905
119894is called
(i) enabled If119872 ge Pre(119905119894) denoted by 119905
119894isin En(119872)
(ii) firable If 119905119894isin En(119872)and darr Is(119905
119894) le 119907(119905
119894) le uarr Is(119905
119894)
denoted by 119905119894isin Firable(119872)
(iii) suspended If Pre(119905119894) gt 119872 and 119907(119905
119894) gt 0 denoted by
119905119894isin susp(119872)
The notion uarr enabled(119905119894119872 119905119896) indicates that 119905
119894is newly
enabled by firing of 119905119896at marking119872
The new concept Preinitialization defined in this modelrefers to noninterruptible transitions For every 119905
119894isin 119879no-int
119905119894is firable if 119907(119905
119894) has already been initialized when 119905
119894
becomes enabled In other words 119907(119905119894) = 0 when 119905
119894isin
uarr enabled(119905119894119872 119905119896)
The concept postinitialization is defined for interruptibletransitionsWhen an interruptible transition is fired the asso-ciated 119907(119905
119894) is initialized (119907(119905
119894) = 0) Figures 5 and 6 reported
from [4] show the difference between time evolution in aninterruptible transition and a noninterruptible transition Inthese figures the notions 119864119863 and 119865 stand for enablingdisabling and firing of a transition respectively
6 Journal of Engineering
119907(119905119894)
119864 119864 119864119863 119865
Time
Figure 5 Time elapses 119905119894is an interruptible transition
119907(119905119894)
119864 119864119863 119865
Time
Figure 6 Time elapses 119905119894is a noninterruptible transition
In brief according to the types of transitions two types ofclock initialization are defined
(i) Preinitialization Given a transition 119905119894
isin 119879no-intwhere119879no-int is the set of noninterruptible transitionsclock initialization is called preinitialization happen-ing when 119905
119894is recently enabled As soon as a transition
becomes enabled its associated clock is initialized(ii) Postinitialization Given a transition 119905
119894isin 119879int where
119879int is the set of interruptible transitions clock initial-ization is called post-initialization happening after fir-ing 119905119894 it means that the transition initializes the clock
after being fired Post-initialization is dependent ontransition firing
In [4] continuous and discrete transitions are defined asfollows
Let 119889 isin R+ a continuous transition is denoted by(119872 119907)
119889
997888rarr (119872 1199071015840) iff forall119905
119894isin 119879
(i) 1199071015840(119905119894) = 119907(119905
119894) if the transition 119905
119894is not enabled
(ii) 1199071015840(119905119894) = 119907(119905
119894) + 119889 if 119905
119894is enabled
(iii) 119872 ge Pre(119905119894) rArr 119907
1015840le uarr Is(119905
119894)
And a discrete transition is denoted by (119872 119907)
119905119894
997888rarr (1198721015840 1199071015840)
iff forall119905119894isin 119879
(i) 119905119894isin Firable(119872)
(ii) 1198721015840 = 119872 minus Pre(119905119894) + Post(119905
119894)
(iii) 1199071015840(119905119894) = 0 if 119905
119894isin 119879int (postinitialization)
(iv) forall119905119896isin 119879 1199071015840(119905
119896) =
(a) 0 if 119905119896isin uarr enabled(119905
119896119872 119905119894) (preinitialization)
(b) 119907(119905119894) Otherwise
In order to perform further timing analysis the sameas scheduling extended time Petri nets of [17] the SWPNis transformed to hybrid automaton In addition a forwardalgorithm is suggested to compute reachable states
If the number of stopwatches increases for exampleif all of the transitions are interruptible the complexityof calculation will highly increase Scheduling time Petrinets and preemptive time Petri nets are both subclasses ofstopwatch Petri nets An ordinary TPN is also a SWPNwhere119879int = 0
After having a survey on different stopwatch Petri netsavailable in the literature in the following wewill have a briefreview on the algorithm of [9] and then investigate how tointegrate stopwatch in the controller synthesis approach of[9]
4 Safety Controller Synthesis ApproachProposed in [9]
Let N be a TPN with controllable and uncontrollable tran-sitions (119879 = 119879
119888cup 119879119906) and a set of markings to be avoided
(bad) For a safety property the approach proposed in [9] (seeAlgorithms 1 and 2) consists of exploring on-the-fly and pathby path the state class graph of the TPN N while collectingthe bad sequences and the losing states (sequences or statesthat lead to bad markings) The list Passed is used to retrievethe set of state classes processed so far their bad sequencesand their losing subclasses For a given state class 120572 and abad sequence 120596 feasible from 120572 the function Fire is used tocompute forwardly all states of 120572 which lead by a sequence oftransitions to an undesirable marking (ie a losing subclassof 120572) The function explore receives parameters 120572 being theclass under process 119905 the transition leading to 120572 and Cthe set of traveled classes in the current path Succinctlyit recursively computes the bad sequences of 120572 (from badsequences of its successors) and verifies whether or not 120572can be controlled so as to avoid its bad sequences It returnsthe set of bad sequences if they cannot be avoided from 120572Otherwise it returns an empty set which means that 120572 canbe controlled (ie 120572 has no bad sequences or there is at leastone controllable transition 119905
119888such that its firing interval in
120572 can be restricted so as to avoid reaching bad states) Therestriction of the interval of 119905
119888in 120572 is obtained by subtracting
from its interval in 120572 intervals of 119905119888in its bad subclasses
This approach tries to control the system behavior start-ing from the last to the first state class of bad paths If it failsto control a state class of a path so as to avoid all bad stateclasses the algorithm tries to control its previous state classesIf it succeeds to control a state class there is no need to controlits predecessors The aim is to limit as little as possible thebehavior of the system (more permissive controller)
In [20] we have proven that this approach gives themaximally permissive controller and if it fails to compute the
Journal of Engineering 7
Functionmain (TPNN Markings bad)WhereN is a TPNbad is a set of bad markingsLet 119879
119888be the set of controllable transitions of N and
1205720the initial state class of N
Passed = 0If (explore (120572
0 120598 1205720) = 0) then
Controller does not existreturn
end iffor all ((120572 Ω LI) isin Passed) do
Ctrl[120572] = ⋃(119905119888 119905119904 BI)isinLI(119905119888 119905119904 INT (120572 119905119888 minus 119905119904) minus BI)
end for(lowastRemarks)120572 = (119872 119865)En119888(119872) = En(119872) cap 119879
119888
En0119888(119872) = En
119888(119872) cup 119905
0
New119888(119872 119905) = New(119872 119905) cap 119879
119888
New(1198720 120598) = En(119872
0)
1199050is a fictitious transition whose time variable is fixed at 0
Dep (120572 119905 LI) equivexist(119905119888 119905119904BI) isin LI 119905
119888notin New(119872 119905) and (119905
119904notin New(119872 119905)or
INT (120572 119905119888minus 1199050) sube ⋂
119868isinBI(119868 oplus INT (120572 119905119904minus 1199050)))
Algorithm 1 On-the-fly algorithm for the safety control of TPN-Part I
Function Traces explore (Class 120572 Trans 119905 ClassesC)if (existΩ LI st (120572 Ω LI) isin Passed) then
if (Ω = 0 and Dep (120572 119905 LI)) thenreturn 119905 sdot 120596 | 120596 isin Ω
end ifreturn 0
end ifif (119872 isin bad) then
return 119905end ifTraces Ω = 0for all 1199051015840 isin En(119872) st succ (120572 1199051015840) = 0 and succ (120572 1199051015840) notin C
doΩ =Ω cup explore (succ (120572 1199051015840) 1199051015840C cup succ (120572 1199051015840))
end for Ω contains all bad sequences of 120572if (Ω = 0) then
Passed = Passed cup (120572 0 0)return 0
end ifLI = (119905
119888 119905119904BI) | (119905
119888 119905119904) isin En
119888(119872) times En0
119888(119872) and
BI = ⋃120596isinΩ
INT (Fire (120572 120596) 119905119888minus 119905119904) sub INT (120572 119905
119888minus 119905119904)
Passed = Passed cup (120572Ω LI)if (Dep (120572 119905 LI)) then
return 119905 sdot 120596 | 120596 isin Ω
end ifreturn 0
Algorithm 2 On-the-fly algorithm for the safety control of TPN-Part II
8 Journal of Engineering
Explore (1205720 120598 1205720)Returnempty
Explore (1205721 1199051 1205720 1205721)Return 119905111990521199053 11990511199053
Explore (1205723 1199052 1205720 1205721 1205723)
Explore (1205726 1199053 1205720 1205721 1205723 1205726)Return 1199053
Explore (1205725 1199051 1205720 1205722 1205725)Returnempty
Explore (1205722 1199052 1205720 1205722)Returnempty
Explore (1205724 1199053 1205720 1205721 1205724)
1205721
1205720
1205726
1205723
1199053
11990521199051
1205724
1205725
1199052
1199053
1199051
1205722
Return 1199053
Return 11990521199053
Figure 7 Applying Algorithms 1 and 2 on the TPN at Figure 1 forAG not 119901
1+ 1199013= 0
controller then the controller does not exist We have alsoinvestigated the hardness complexity of the approach step bystep
(i) The complexity of computing BI of a state class (inworst case) is119874(119870times119871times119899
119905
2)where119870 is the number of
paths starting from the state class and leading to badmarkings 119871 is the maximal length of such paths and119899119905is the number of transitions in the model
(ii) The complexity for computing Dep relation used inAlgorithms 1 and 2 is119874(|LI|times119898times|BI|) where119898 is thenumber of places in the model (complexity of testingNew(119872 119905))
In [14] the authors have discussed the completenesscomplexity for bounded TPNs They have proven that modelchecking of TPN-TCTL formula on a bounded TPN isPSPACE-complete
Let us explain this approach by means of an exampleConsider the TPN shown at Figure 1 its state class graphpresented at Figure 2 and its state classes reported in Table 1Suppose that only 119905
1is controllable (ie 119879
119888= 1199051) and we
want to avoid reaching markings where places 1199011and 119901
3are
both not marked (ie state classes 1205724and 120572
6) by choosing
appropriately the firing intervals of 1199051 For this example we
have 119879119888= 1199051 bad = 119901
2 1199014 Passed = 0 and 120572
0=
(1199011+ 1199012 0 le 119905
1le 4 and 2 le 119905
2le 3)
The process starts by calling explore(1205720 120598 1205720) (see
Figure 7) Since 1205720is not in Passed and its marking is not
forbidden explore is successively called for the successorsof 1205720 explore(120572
1 1199051 1205720 1205721) and explore(120572
2 1199052 1205720 1205722) In
explore of 1205721 function explore is successively called for 120572
3
and 1205724 In explore of 120572
3 function explore is called for the
successor 1205726of 1205723by 1199053 explore(120572
6 1199053 1205720 1205721 1205723 1205726 For the
successor of 1205723by 1199054(ie 120572
0) there is no need to call explore
as it belongs to the current path Since 1205726has a forbidden
marking explore of 1205726returns to explore of 120572
3with 119905
3
which in turn adds (1205723 11990521199053 0) to Passed and returns to
explore of 1205721with 119905
21199053
In explore of 1205721 function explore is called for 120572
4
(explore(1205724 1199053 1205720 1205721 1205724)) This call returns to explore of
1205721 with 119905
3 since 120572
4has a forbidden marking In explore
of 1205721 the tuple (120572
1 11990521199053 1199053 0) is added to Passed and
119905111990521199053 11990511199053 is returned to explore of 120572
0 Then explore
of 1205720
calls explore(1205722 1199052 1205720 1205722) which in turn calls
explore(1205725 1199051 1205720 1205722 1205725) Since 120572
5has only one successor
(1205720) and this successor belongs to the current path the call of
explore for 1205725adds (120572
5 0 0) to Passed and returns to explore
of 1205722with 0 which in turn returns to explore of 120572
0
After exploring both successors of 1205720 in explore of 120572
0 we
get inΩ = 119905111990521199053 11990511199053 the set of bad paths of 120572
0 As the state
class 1205720has a controllable transition 119905
1 its bad subclasses are
computed Fire(1205720 119905111990521199053) = (119901
1+ 1199012 0 le 119905
1le 2 and 2 le
1199052le 3 and 1 le 119905
2minus 1199051le 3) and Fire(120572
0 11990511199053) = (119901
1+ 1199012 0 le
1199051le 1 and 2 le 119905
2le 3 and 2 le 119905
2minus 1199051le 3) The firing interval
of 1199051in 1205720([0 4]) is not covered by the union of intervals
of 1199051in bad subclasses of 120572
0([0 2] cup [0 1] = [0 4]) Then
(1205720 119905111990521199053 11990511199053 (1199051 1199050 [0 2])) is added to Passed As 119905
1is
newly enabled the empty set is returned to the functionmainwhich concludes that a controller exists According to the listPassed 120572
0needs to be controlled (Ctrl[120572
0] = (119905
1 1199050 [0 4] minus
[0 2])) For all others there is nothing to do
5 Controller Synthesis and Stopwatch
In this section we consider time Petri nets with control-lableuncontrollable transitions and show how such a systemis controlled by associating some of the controllable transi-tions with stopwatch First we apply the on-the-fly algorithmof [9] and calculate the appropriate controller Then insteadof restricting time intervals of corresponding controllabletransitions we associate them with stopwatch In fact wesuspend some transition during its bad subinterval to controla system so as to satisfy a given property
We consider the inhibitor hyperarcs of [3]The controllershall suspend a controllable transition in its bad subintervaland retrieve it otherwise Let us remember the example ofFigure 1 with the state class graph of Figure 2 and Table 1We have seen that in order to prevent the system enteringthe forbidden state classes 120572
4and 120572
6 the controller should
prevent 1199051from firing before ]2 4] Thus an inhibitor hyper-
arc is added to the transition 1199051 This inhibitor hyperarc
connects 1199051to a place called119901susp At the beginning this place
is marked and then 1199051is suspended At [2 2] the token of
119901susp is consumed and the corresponding hyperarc becomesdisabled The controllable transition 119905
1is now firable again
The token is returned to place 119901susp after 1199051 is fired Thus thecontroller suspends 119905
1during its bad subinterval and resumes
it after then At the beginning all clocks are initialized to zeroThen time elapses but in [0 2] this transition is suspendedand hence its clock does not elapse anymore Later at time[2 2] this transition is retrieved and becomes active Wedo not need to delay it anymore that is why the lowerbound of the interval associated with 119905
1is modified to 0
Now the clock starts elapsing Within 2 time units 1199051should
be fired (ie when the actual time of the general clock ofthe system reaches to 4) Then the interval associated with
Journal of Engineering 9
0 1 2 3 40
1
2
119907(1199051)
Time
119907(1199051) ne 0
119907(1199051) = 0
Figure 8 Clock evaluation of 1199051in the controlled TPN of Figure 9
1199051in a controlled TPN associated with stopwatch is [0 2]
Figure 8 represents the clock evaluation of the transition 1199051
The controlled Petri nets of this example are presented inFigure 9
In summary our goal is to synthesize the state class graphof the system through Algorithms 1 and 2 (see [9]) andcalculate bad subintervals of the corresponding controllabletransitions Then suspend the appropriate controllable tran-sitions during their bad subintervals Note that in [9] wewererestricting and limiting time intervals while in this approachthe idea is to delay and suspend them In this research wesuppose every controllable transition can be associated witha stopwatch if needed As explained earlier in Section 1 ina multitasking system with periodic tasks only execution ofa task is controllable Then those transitions modeling thetask executions are considered controllable and consequentlycould be suspended and retrieved
Above we have shown how to control a system whenthe bad subinterval is at the beginning of the firing inter-val What if the acceptable subinterval is at the beginningand bad subintervals are after Consider the example ofFigure 10 A controllable transition 119905
1is associated with firing
interval [119886 119887] Suppose that based on Algorithms 1 and 2the subinterval [119886 120572
1] is acceptable while ]120572
1 119887] is a bad
subinterval where 119886 le 1205721lt 119887 The controlled time Petri
nets are presented in Figure 11 Figure 12 represents the clockevaluation of 119905
1and shows how the new interval associated
with 1199051is calculated In [0 119886[ 119901susp is marked and 119905
1is neither
active nor enabled Meanwhile at the time 119886 1199051199031
becomesenabled and is fired consuming the token in 119901suspThus rightat 119886 the transition 119905
1becomes active and its associated clock
starts elapsing Note that associated stopwatch delays 1199051for
119886 time units and we do not want to delay it anymore thenthe lower bound of the new associated interval in controlledTPN is 0 After 120572
1time units 119905
1199032is fired and 119901susp becomes
marked again Consequently 1199051is suspended
Consider the same example of Figure 10 and this timesuppose that Algorithms 1 and 2 give the following output
[119886 1205721[ is acceptable [120572
1 1205722[ is a bad subinterval [120572
2 119887]
is acceptable where the condition 119886 lt 1205721lt 1205722le 119887 holds
1199051[0 2]
1199053[2infin[ 1199054[0 1]
1199052[2 3]119905resu [2 2]
119875susp
11990121199011
11990141199013
Figure 9 Time Petri net of Figure 1 controlled by inhibitor hyper-arcs (119879
119888= 1199051)
1199051[119886 119887]
1199012
1199013
Figure 10 A simple time Petri net (119879119888= 1199051)
With the same idea the controlled Petri nets are presented inFigure 13 and the clock evaluation of 119905
1is shown in Figure 14
51Why InhibitorHyperarcs Wehave shown how to achievea controlled model from an uncontrolled time Petri netsby adding inhibitor hyperarcs One question is why amongdifferent types of stopwatch inhibitor hyperarcs are chosenIs it possible to use another stopwatch model The answeris yes but inhibitor hyperarcs provide more flexibility andless complication Let us see if this idea is feasible using othertypes of Petri nets with stopwatch
We consider the post- and preinitialized Petri nets pro-posed in [4 5] for stopwatch and try to control amodel wherea controllable transition associated with time interval [119886 119887]has a bad subinterval [119886 120572] Based on our hypothesis thecontroller should suspend the controllable transition at [119886 119886]and resume it at [120572 120572] The characteristic of post and pre-initialized Petri nets is that they consume the same tokenof the original model and in addition the exact time whenthe model becomes suspended is unknown as stopwatchtransition and original transition have the same chance forfiring At the first glance the idea is feasible by adding oneplace and two transitions However there are some issuesWeexplain the problem through an example
We consider the same example of Figure 1 The suggestedcontrolled model using post and pre-initialized Petri netscomes in Figure 15The controllable transition 119905
1is associated
with stopwatchThe stopwatch interrupts the task at [0 0] andresume it at [2 2] The problem is at [0 0] both transitions1199051and 119905sus are enabled with equal chance of firing whereas
in order to have a controlled model 119905sus should fire at [0 0]before 119905
1 Thus the controller fails unless if we modify the
interval associated to 1199051to ]0 2] which is not of interest in
this approach
10 Journal of Engineering
1199051[0 1205721 minus 119886[
1199051199032[1205721 minus 119886 1205721 minus 119886]
1199051199031[119886 119886]
1199012
1199013
1199011199040
1199011199041
119901susp
Figure 11The controlledTPNof Figure 10 using inhibitor hyperarcs(119879119888= 1199051) Forbidden interval is ]120572
1 119887] where 119886 le 120572
1lt 119887
Time0
01205721
119907(1199051) 119907(1199051) = 1205721 minus 119886
119886 119887
1205721 minus 119886
119907(1199051) = 0
Figure 12 Clock evaluation of 1199051in the controlled TPN of Figure 10
Forbidden interval is ]1205721 119887] where 119886 le 120572
1lt 119887
1199051[0 119887 minus 119886 + 1205721 minus 1205722]
1199051199033[1205722 minus 1205721 1205722 minus 1205721]
1199051199032[1205721 minus 119886 1205721 minus 119886]
1199051199031[119886 119886]
1199013
11990121199011199040
1199011199041
119901susp
1199011199042
Figure 13 A simple time Petri net controlled by inhibitor hyperarcs(119879119888= 1199051) the bad subinterval is [120572
1 1205722[ where 119886 lt 120572
1lt 1205722le 119887
The other alternative is presented at Figure 16 An auxil-iary place 119901
119904solves the problem Hence using the stopwatch
Petri nets suggested in [4 5] it is not easy to give ageneral solution to control a model considering the output ofAlgorithms 1 and 2 In addition the resulting controlled netsare more complicated For example in case the controllabletransition is associated with the interval [119886 119887] where its badsubinterval is [120572 119887] and 119886 le 120572 then the controlled modelbecomes complicated
Time
00
119907(1199051)
119887 minus 119886 + 1205721 minus 1205722
1205721 minus 119886
1205722119886 1198871205721
Figure 14 Clock evaluation of 1199051in a controlled TPN of Figure 10
The forbidden interval is ]1205721 1205722] where 119886 lt 120572
1lt 1205722le 119887
119905sus[0 0]
119905resu[2 2]
1199053[2infin[ 1199054[0 1]
1199051[0 2] 1199052[2 3]
1199012
1199013
119901susp
1199011
1199014
Figure 15 Controlling the example of Figure 1 using stopwatch of[4] The controller fails
119905sus[0 0]
119905resu[2 2]
1199053[2infin[ 1199054[0 1]
1199051[0 2] 1199052[2 3]
1199012
1199013
119901susp
1199011
1199014
119901119904
Figure 16 Controlled model of Figure 1 using stopwatch of [4]
6 Illustrative Example
Suppose the multitasking system depicted in Figure 17 withthe following specifications four tasks 119879
1 1198792 1198793 and 119879
4are
being executed Two tasks 1198793and 119879
4are uncontrollable The
task 1198791is periodic with a period of [6 6] and then its start
execution is controllable Suppose that starting execution of1198792is also controllable 119879
4is depended to 119879
2and 119879
3meaning
that it can be executed only when1198792and1198793are executed Two
tasks1198791and1198792share a common resource On the other hand
1198791enters through a single capacity buffer It means that if 119879
1
is not executed by the end of its period the system will blockIn Figure 7 tasks are modeled by tokens and the execution ofeach task 119879
119894is shown by the transition 119905
119894 If 1198791is not executed
by the end of its period the system enters the state Block and1199055is the transition to be avoided Delay is a placemodeling the
Journal of Engineering 11
Table 2 State classes of the TPN presented at Figure 17
1205720 Delay + 119875
1+ Resource 2 le 119905
2le 3 5 le 119905
3le 6 2 le 119905
1le 2 6 le 119905
5le 6
1205721 Delay + 119875
1+Wait 3 le 119905
3le 4 4 le 119905
5le 4
1205722 Delay + 119875
1+ Resource 2 le 119905
2le 3 3 le 119905
3le 4 2 le 119905
1le 2 6 le 119905
5le 6
1205723 Delay + 119875
3+Wait 0 le 119905
4le 1 0 le 119905
5le 1
1205724 1198751+Wait + Block 0 le 119905
3le 0
1205725 Delay + 119875
1+Wait 1 le 119905
3le 2 4 le 119905
5le 4
1205726 Delay + 119875
1+ Resource 2 le 119905
2le 3 1 le 119905
3le 2 2 le 119905
1le 2 6 le 119905
5le 6
1205727 Delay + Resource + 119875
12 le 1199052le 3 5 le 119905
3le 6 2 le 119905
1le 2 0 le 119905
5le 1
1205728 1198753+Wait + Block 0 le 119905
4le 1
1205729 Delay + 119875
3+Wait 0 le 119905
4le 1 2 le 119905
5le 3
12057210 Delay + 119875
1+Wait 0 le 119905
3le 0 4 le 119905
5le 4
12057211 Delay + Resource + 119875
3
0 le 1199052le 2 0 le 119905
1le 1 4 le 119905
5le 5
0 le 1199052minus 1199051le 1 minus4 le 119905
2minus 1199055le minus3 minus4 le 119905
1minus 1199055le minus4
12057212 Delay + Resource + 119875
12 le 1199052le 3 0 le 119905
3le 0 2 le 119905
1le 2 6 le 119905
5le 6
12057213 Resource + 119875
1+ Block 1 le 119905
2le 3 4 le 119905
3le 6 minus4 le 119905
2minus 1199053le minus2
12057214 Resource + 119875
1+ Block 2 le 119905
2le 3 5 le 119905
3le 6
12057215 Delay + Resource + 119875
12 le 1199052le 3 5 le 119905
3le 6 2 le 119905
1le 2 1 le 119905
5le 3
12057216 Delay + 119875
3+Wait 0 le 119905
4le 1 4 le 119905
5le 4
12057217 Delay + Resource + 119875
32 le 1199052le 3 2 le 119905
1le 2 6 le 119905
5le 6
12057218 1198751+Wait + Block 2 le 119905
3le 4
12057219 Delay + 119875
1+Wait 3 le 119905
3le 4 0 le 119905
5le 1
12057220 Resource + 119875
1+ Block 0 le 119905
2le 2 3 le 119905
3le 5 minus4 le 119905
2minus 1199053le minus2
12057221 Delay + Resource + 119875
12 le 1199052le 3 5 le 119905
3le 6 2 le 119905
1le 2 3 le 119905
5le 4
12057222 Delay + 119875
1+Wait 3 le 119905
3le 4 1 le 119905
5le 2
12057223 1198751+Wait + Block 1 le 119905
3le 3
ResourceDelay
WaitBlock
1199054[0 1]
1199052[2 3]1199051[2 2]1199055[6 6] 1199053[5 6]
1199012
1199011
Figure 17 A periodic system with 119879119888= 1199051 1199052
behavior of the buffer considering the period of the task 1198791
And finally 1198791executes within [2 2] time units 119879
2in [2 3]
1198793within [5 6] and 119879
4in [0 1]
The state class graph of the model is given in Figure 18and Table 2 shows the state class informations Basedon the state class graph of the system the state classes1205724 1205728 12057213 12057214 12057218 12057220 and120572
23are forbidden Let us briefly
trace the algorithm on the state class graph First we followthe algorithm on the left branch where the state classes1205724 1205728 and 120572
13are located The algorithm starts from 120572
0
and is executed recursively to 1205721 then 120572
3 1205727and finally
reaches to 12057213with a forbidden markingThen it comes back
to 1205727with 119905
5 and to 120572
3with 119905
41199055 The other successor
available from 1205723is 1205728which is also forbidden Till now
there is no enabled controllable transition to avoid theseclasses and the algorithm continues returning back to 120572
1
with 119905311990541199055 11990531199055 The other successor available from 120572
1
is 1205724which is also forbidden Thus it returns back to
1205720with 119905
2119905311990541199055 119905211990531199055 11990521199055 The other successor available
from 1205720is 1205722which is safe and the algorithm continues to
1205725 1205729 12057215 12057219 and finally 120572
18which is a forbidden state
Then it goes back to 12057219
with 1199055 and consequently to 120572
15
with 11990521199055 The other successors available from 120572
15are the
forbidden state 12057220and 120572
2which is already under processing
Note that two enabled controllable transitions are available at12057215 but the controller cannot act at this level because 119905
5may
fire before 1199051or 1199052and lead to a forbidden state Then the
algorithm continues and returns back to 1205729with 119905
411990521199055 11990521199055
where no controllable transition is available Consequentlythe algorithm continues and returns back to 120572
5and finally
reaches to 1205722where newly enabled controllable transitions
are available Till now the path to be avoided at 1205722includes
11990521199053119905411990521199055 1199052119905311990541199055
The procedure is similar for the other path availablefrom 120572
2including 120572
6and its successors The forbidden state
reachable through this path is 12057223and in order to avoid this
forbidden state the controller can act at 12057221with two enabled
controllable transitions So nothing is returned to 1205722from
this path Having a closer look to the state class graph andthe output of the algorithm we conclude that at each statewhere 119905
1and 1199052are newly enabled and the controller should
act (ie 1205720 1205722 and 120572
21) the controller should force 119905
1to fire
before 1199052(ie 119905
2minus 1199051gt 0) In other words 119905
2should not be
active at [2 2] It is sufficient to add an inhibitor hyperarcto deactivate 119905
2at [2 2] The controller cannot act at the
12 Journal of Engineering
1205721
1205727
1205720 12057261199051 1199051
1199051
1199055
11990511199052
1205722
1205723
11990511199053
12057212
12057223 12057222
11990511199052
1199052
11990531199053
12057211
11990531199053
1199054
1199053
1199053
1199053
1199052
1199052
1199052
1199052
1199052
1199052
12057210
1199055
1199055
1199055
119905511990551199054 119905212057216 1205721712057220
12057215
1199051
1199054
12057213
12057218
12057219
12057214
1205724
1199054 1205729
1205725
120572211205728
Figure 18 The state class graph of the TPN presented at Figure 17
1199054[0 1]
1199052[0 1]1199051[2 2]
1199055[6 6]
1199053[5 6]
ResourceDelay
Wait
Block
1199012119901susp
1199011
Figure 19 Controlled model of Figure 17 using inhibitor hyperarcs
state class 12057215
as discussed earlier and has nothing to do atthe state class 120572
6(the permissive controller will act later at
the state class 12057221) Note that a state class like 120572
14which is
reachable through a forbidden state (1205728) is not processed by
the algorithm as it is supposed to be avoided in the controlledsystem The controlled model using inhibitor hyperarcs isgiven at Figure 19
Our model is now safe Yet some challenges exist Lookat the state class graph of the model presented at Figure 18In some paths one task is executed frequently while othersare still waiting For example see the paths leading to 120572
17
Although the system is not blocked some of the tasks cannotbe executed A good scheduler had better to performdifferenttasks alternatively We may want to consider alternationparticular sequences add a deadline for each task or otherpossible policies And finally we may ask if it is possible torestrict the execution time of a task even if it is in its safesubintervalThen while synthesizing a scheduler we can addmore constraints and scheduling policies beyond ldquosafe statesrdquoFurther researches are required to answer these questions
7 Conclusion
In this paper we have extended the approach discussed in[9] to time Petri nets with stopwatch and have suggested toassociate the controllable transitions with stopwatch in orderto prevent their bad subintervals We have proposed thatin case a controller (like a scheduler) cannot restrict timeintervals associated with controllable transitions the control-lable transitions can be suspended in their bad subintervals
Synthesizing a time Petri net associated with stopwatch iscomplicated and needs some overapproximations Besidestime Petri nets associated with stopwatch do not preservethe boundedness property In this paper we have suggesteda more effective alternative We synthesize a time Petri netwithout stopwatch and then equip the controllable transi-tions with stopwatch where necessary With this assumptionevery controllable transition can be suspended in its badsubinterval and resumed otherwise Amongst different typesof stopwatch our solution is based on inhibitor hyperarcs
The approach suggested in this paper is particularlyuseful at design level for preemptive scheduling purposesmanaging shared resources and critical sections This is agood starting point for further researches on schedulingand to calculate automatically a scheduler in a multitaskingsystem It is interesting to see how the approach can beapplied in amore general case with a variable number of tasksand dependencies Consider different scheduling policies arechallenging and areworth to be considered in further studies
References
[1] P Heidari A forward on-the-fly approach for safety and reach-ability controller synthesis of timed systems [PhD thesis] EcolePolytechnique de Montreal 2012
[2] F Cassez and K Larsen ldquoThe impressive power of stopwatchesautomatardquo in Proceedings of the 11th International Conferenceon Concurrency Theory (CONCUR rsquo00) pp 138ndash152 Springer2000
[3] O H Roux and D Lime ldquoTime petri nets with inhibitorhyperarcs formal semantics and state space computationrdquo inProceedings of the International Conference on Application andTheory of Petri Nets (ICATPN rsquo04) pp 371ndash390 2004
[4] A Allahham and H Alla ldquoPost and pre-initialized stopwatchPetri nets formal semantics and state space computationrdquoNonlinear Analysis vol 2 no 4 pp 1175ndash1186 2008
[5] A Allahham and H Alla ldquoReseaux de Petri a chronometrespost et pre-initialisesrdquo in Proceedings of the 6 eme ColloqueFrancophone sur la Modelisation des Systemes Reactifs (MSRrsquo07) pp 263ndash280 Lyon France 2007
[6] D Isovic and G Fohler ldquoEfficient scheduling of sporadicaperiodic and periodic tasks with complex constraintsrdquo in
Journal of Engineering 13
Proceedings of the 21st IEEE Real-Time Systems Symposium pp207ndash216 2000
[7] K Altisen G Gossler and J Sifakis ldquoA methodology for theconstruction of scheduled systemsrdquo in Proceedings of the FormalTechniques in Real-Time and Fault-Tolerant Systems (FTRTFTrsquo00) pp 106ndash120 2000
[8] K Altisen G Gossler A Pnueli J Sifakis S Tripakis and SYovine ldquoA framework for scheduler synthesisrdquo in Proceedingsof the 20th IEEE Real-Time Systems Symposium (RTSSrsquo99) pp154ndash163 December 1999
[9] P Heidari and H Boucheneb ldquoEfficient method for checkingthe existence of a safety reachability controller for time petrinetsrdquo in Proceedings of the 10th International Conference onApplication of Concurrency to System Design (ACSD rsquo10) pp201ndash210 June 2010
[10] O-H Roux D Lime S Haddad F Cassez and B BrardldquoComparison of different semantics for time Petri netsrdquo inProceedings of the 3rd Automated Technology for Verification andAnalysis vol 3707 of Lecture Notes in Computer Science pp293ndash307 2005
[11] M Boyer and F Vernadat ldquoLanguage and bisimulation relationsbetween subclasses of timed petri nets with strong timingsemanticrdquo Tech Rep LAAS 2000
[12] W Penczek and A Polrola ldquoSpecification and model checkingof temporal properties in time Petri nets and timed automatardquoin Proceedings of the 25th International Conference on Appli-cation and Theory of Petri Nets vol 3099 of Lecture Notes inComputer Science pp 37ndash76 2004
[13] B Berthomieu andM Diaz ldquoModeling and verification of timedependent systems using time Petri netsrdquo IEEE Transactions onSoftware Engineering vol 17 no 3 pp 259ndash273 1991
[14] H Boucheneb G Gardey and O H Roux ldquoTCTL modelchecking of time petri netsrdquo Journal of Logic and Computationvol 19 no 6 pp 1509ndash1540 2009
[15] J Bengtsson Clocks DBMs and states in timed systems [PhDthesis] Uppsala Universitet Sweden 2002
[16] B Berthomieu and F Vernadat ldquoState class constructions forbranching analysis of time Petri netsrdquo in Proceedings of the9th International Conference on Tools and Algorithms for theConstruction and Analysis of Systems (TACAS rsquo03) pp 442ndash4572003
[17] D Lime andO Roux ldquoA translation basedmethod for the timedanalysis of scheduling extended time Petri netsrdquo in Proceedingsof the 25th IEEE International Real-Time Systems Symposium(RTSS rsquo04) pp 187ndash196 December 2004
[18] G Bucci A Fedeli L Sassoli and E Vicario ldquoTimed state spaceanalysis of real-time preemptive systemsrdquo IEEE Transactions onSoftware Engineering vol 30 no 2 pp 97ndash111 2004
[19] T A Henzinger P-H Ho and H Wong-Toi ldquoHYTECH amodel checker for hybrid systemsrdquo in Proceedings of the 9thInternational Conference on Computer-Aided Verification (CAVrsquo97) vol 1254 of Lecture Notes in Computer Science pp 460ndash463 Springer Berlin Germany 1997
[20] P Heidari andH Boucheneb ldquoMaximally permissive controllersynthesis for time petri netsrdquo International Journal of Controlvol 86 no 3 pp 493ndash511 2013
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
Journal of Engineering 5
Table 1 The state classes of the TPN presented at Figure 2
1205720 1199011+ 1199012
0 le 1199051le 4 and 2 le 119905
2le 3 120572
1 1199012+ 1199013
0 le 1199052le 3 and 2 le 119905
31205726 1199014
1205722 1199011+ 1199014
0 le 1199051le 2 120572
3 1199013+ 1199014
0 le 1199053and 0 le 119905
4le 1
1205724 1199012
0 le 1199052le 1 120572
5 1199013+ 1199014
2 le 1199053lt infin and 0 le 119905
4le 1
1199051[1198861 1198862]
11990121199011
1199013
Figure 3 A simple example of time Petri nets with inhibitorhyperarc 119905
1is active if 119901
2is not marked otherwise it is suspended
in the model and the scheduler is not modeled as a separateagent
In [17] time Petri nets are associated with two moreproperties 120574 and 120596 standing for resource allocation andpriority respectively As an example suppose two differentconcurrent tasks sharing the same resource (120574 is identical forboth) Although both transitions are enabled the one with ahigher priority is activewhile the other is suspended For eachmarking 119872 a function Act determines whether 119872 is activeor not
The time Petri nets presented in [17] assign both pri-ority and resources to places It is particularly suitable forscheduling approaches State space analysis is done map-ping scheduling Petri nets to hybrid automata (state classstopwatch automata) The advantage of this solution is usingan automated tool like HYTECH [19] already existing formanipulation of hybird automata
Another extension of time Petri nets called preemptivetime Petri nets is discussed in [18] Preemptive time Petrinets are suitable for scheduling and preemptive approachesIn Preemptive time Petri nets resource and priority arecharacteristics of transitions while in SETPN they wereassigned to places The preemptive time Petri nets as well asscheduling extended time Petri nets are adapted specificallyfor scheduling purposes with fixed priority rather thangeneral cases of interruption and resumption of some tasksA more generalized model comes in [4 5]
Another stopwatch model comes in [4 5] Post- and Pre-initialized stopwatch Petri nets (SWPN) [4 5] also modelinterruption and retrieving of tasks In such stopwatch Petrinets transitions are partitioned into two disjoint subclasses119879 = 119879int cup 119879no-int where 119879int is the set of interruptible tran-sitions and 119879no-int is the set of noninterruptible transitionsStopwatches can suspend enabled interruptible transitionsFor each transition 119905
119894 there is a function 119907(119905
119894) representing the
value of its associated stopwatch If 119905119894isin 119879int 119907(119905119894) signifies the
time elapsed since 119905119894was first enabled whereas if 119905
119894isin 119879no-int
119907(119905119894) represents the time elapsed since 119905
119894was last enabled
119905susp[120582 1205822]1
1199052[120572 120573]
1199051[0 0]
119905resu[1205741 1205742]
1199012
1199011
1199013
Figure 4 An interruptible task modeled by SWPN reported from[4]
A transition is called firable if it is enabled (119872 gt Pre(119905119894)) and
darr Is(119905119894) le 119907(119905
119894) le uarr Is(119905
119894)
In contrary with IHTPN where a marked place sus-pended an enabled transition in this model stopwatchconsumes some tokens to disable an enabled transition Itis implemented by means of some extra placestransitionsA stopwatch transition is in conflict with an interruptibletransition Thus consuming a token can suspend an inter-ruptible enabled transition With this model an interrupt isunpredictable and we do not know when it happens In factat any time the interruptible task and the interrupt both haveequal chance to happen The simple Petri nets of Figure 4reported from [4] are a simple example of SWPN of aninterruptible task
Let 119905119894be a transition and119872 a marking 119905
119894is called
(i) enabled If119872 ge Pre(119905119894) denoted by 119905
119894isin En(119872)
(ii) firable If 119905119894isin En(119872)and darr Is(119905
119894) le 119907(119905
119894) le uarr Is(119905
119894)
denoted by 119905119894isin Firable(119872)
(iii) suspended If Pre(119905119894) gt 119872 and 119907(119905
119894) gt 0 denoted by
119905119894isin susp(119872)
The notion uarr enabled(119905119894119872 119905119896) indicates that 119905
119894is newly
enabled by firing of 119905119896at marking119872
The new concept Preinitialization defined in this modelrefers to noninterruptible transitions For every 119905
119894isin 119879no-int
119905119894is firable if 119907(119905
119894) has already been initialized when 119905
119894
becomes enabled In other words 119907(119905119894) = 0 when 119905
119894isin
uarr enabled(119905119894119872 119905119896)
The concept postinitialization is defined for interruptibletransitionsWhen an interruptible transition is fired the asso-ciated 119907(119905
119894) is initialized (119907(119905
119894) = 0) Figures 5 and 6 reported
from [4] show the difference between time evolution in aninterruptible transition and a noninterruptible transition Inthese figures the notions 119864119863 and 119865 stand for enablingdisabling and firing of a transition respectively
6 Journal of Engineering
119907(119905119894)
119864 119864 119864119863 119865
Time
Figure 5 Time elapses 119905119894is an interruptible transition
119907(119905119894)
119864 119864119863 119865
Time
Figure 6 Time elapses 119905119894is a noninterruptible transition
In brief according to the types of transitions two types ofclock initialization are defined
(i) Preinitialization Given a transition 119905119894
isin 119879no-intwhere119879no-int is the set of noninterruptible transitionsclock initialization is called preinitialization happen-ing when 119905
119894is recently enabled As soon as a transition
becomes enabled its associated clock is initialized(ii) Postinitialization Given a transition 119905
119894isin 119879int where
119879int is the set of interruptible transitions clock initial-ization is called post-initialization happening after fir-ing 119905119894 it means that the transition initializes the clock
after being fired Post-initialization is dependent ontransition firing
In [4] continuous and discrete transitions are defined asfollows
Let 119889 isin R+ a continuous transition is denoted by(119872 119907)
119889
997888rarr (119872 1199071015840) iff forall119905
119894isin 119879
(i) 1199071015840(119905119894) = 119907(119905
119894) if the transition 119905
119894is not enabled
(ii) 1199071015840(119905119894) = 119907(119905
119894) + 119889 if 119905
119894is enabled
(iii) 119872 ge Pre(119905119894) rArr 119907
1015840le uarr Is(119905
119894)
And a discrete transition is denoted by (119872 119907)
119905119894
997888rarr (1198721015840 1199071015840)
iff forall119905119894isin 119879
(i) 119905119894isin Firable(119872)
(ii) 1198721015840 = 119872 minus Pre(119905119894) + Post(119905
119894)
(iii) 1199071015840(119905119894) = 0 if 119905
119894isin 119879int (postinitialization)
(iv) forall119905119896isin 119879 1199071015840(119905
119896) =
(a) 0 if 119905119896isin uarr enabled(119905
119896119872 119905119894) (preinitialization)
(b) 119907(119905119894) Otherwise
In order to perform further timing analysis the sameas scheduling extended time Petri nets of [17] the SWPNis transformed to hybrid automaton In addition a forwardalgorithm is suggested to compute reachable states
If the number of stopwatches increases for exampleif all of the transitions are interruptible the complexityof calculation will highly increase Scheduling time Petrinets and preemptive time Petri nets are both subclasses ofstopwatch Petri nets An ordinary TPN is also a SWPNwhere119879int = 0
After having a survey on different stopwatch Petri netsavailable in the literature in the following wewill have a briefreview on the algorithm of [9] and then investigate how tointegrate stopwatch in the controller synthesis approach of[9]
4 Safety Controller Synthesis ApproachProposed in [9]
Let N be a TPN with controllable and uncontrollable tran-sitions (119879 = 119879
119888cup 119879119906) and a set of markings to be avoided
(bad) For a safety property the approach proposed in [9] (seeAlgorithms 1 and 2) consists of exploring on-the-fly and pathby path the state class graph of the TPN N while collectingthe bad sequences and the losing states (sequences or statesthat lead to bad markings) The list Passed is used to retrievethe set of state classes processed so far their bad sequencesand their losing subclasses For a given state class 120572 and abad sequence 120596 feasible from 120572 the function Fire is used tocompute forwardly all states of 120572 which lead by a sequence oftransitions to an undesirable marking (ie a losing subclassof 120572) The function explore receives parameters 120572 being theclass under process 119905 the transition leading to 120572 and Cthe set of traveled classes in the current path Succinctlyit recursively computes the bad sequences of 120572 (from badsequences of its successors) and verifies whether or not 120572can be controlled so as to avoid its bad sequences It returnsthe set of bad sequences if they cannot be avoided from 120572Otherwise it returns an empty set which means that 120572 canbe controlled (ie 120572 has no bad sequences or there is at leastone controllable transition 119905
119888such that its firing interval in
120572 can be restricted so as to avoid reaching bad states) Therestriction of the interval of 119905
119888in 120572 is obtained by subtracting
from its interval in 120572 intervals of 119905119888in its bad subclasses
This approach tries to control the system behavior start-ing from the last to the first state class of bad paths If it failsto control a state class of a path so as to avoid all bad stateclasses the algorithm tries to control its previous state classesIf it succeeds to control a state class there is no need to controlits predecessors The aim is to limit as little as possible thebehavior of the system (more permissive controller)
In [20] we have proven that this approach gives themaximally permissive controller and if it fails to compute the
Journal of Engineering 7
Functionmain (TPNN Markings bad)WhereN is a TPNbad is a set of bad markingsLet 119879
119888be the set of controllable transitions of N and
1205720the initial state class of N
Passed = 0If (explore (120572
0 120598 1205720) = 0) then
Controller does not existreturn
end iffor all ((120572 Ω LI) isin Passed) do
Ctrl[120572] = ⋃(119905119888 119905119904 BI)isinLI(119905119888 119905119904 INT (120572 119905119888 minus 119905119904) minus BI)
end for(lowastRemarks)120572 = (119872 119865)En119888(119872) = En(119872) cap 119879
119888
En0119888(119872) = En
119888(119872) cup 119905
0
New119888(119872 119905) = New(119872 119905) cap 119879
119888
New(1198720 120598) = En(119872
0)
1199050is a fictitious transition whose time variable is fixed at 0
Dep (120572 119905 LI) equivexist(119905119888 119905119904BI) isin LI 119905
119888notin New(119872 119905) and (119905
119904notin New(119872 119905)or
INT (120572 119905119888minus 1199050) sube ⋂
119868isinBI(119868 oplus INT (120572 119905119904minus 1199050)))
Algorithm 1 On-the-fly algorithm for the safety control of TPN-Part I
Function Traces explore (Class 120572 Trans 119905 ClassesC)if (existΩ LI st (120572 Ω LI) isin Passed) then
if (Ω = 0 and Dep (120572 119905 LI)) thenreturn 119905 sdot 120596 | 120596 isin Ω
end ifreturn 0
end ifif (119872 isin bad) then
return 119905end ifTraces Ω = 0for all 1199051015840 isin En(119872) st succ (120572 1199051015840) = 0 and succ (120572 1199051015840) notin C
doΩ =Ω cup explore (succ (120572 1199051015840) 1199051015840C cup succ (120572 1199051015840))
end for Ω contains all bad sequences of 120572if (Ω = 0) then
Passed = Passed cup (120572 0 0)return 0
end ifLI = (119905
119888 119905119904BI) | (119905
119888 119905119904) isin En
119888(119872) times En0
119888(119872) and
BI = ⋃120596isinΩ
INT (Fire (120572 120596) 119905119888minus 119905119904) sub INT (120572 119905
119888minus 119905119904)
Passed = Passed cup (120572Ω LI)if (Dep (120572 119905 LI)) then
return 119905 sdot 120596 | 120596 isin Ω
end ifreturn 0
Algorithm 2 On-the-fly algorithm for the safety control of TPN-Part II
8 Journal of Engineering
Explore (1205720 120598 1205720)Returnempty
Explore (1205721 1199051 1205720 1205721)Return 119905111990521199053 11990511199053
Explore (1205723 1199052 1205720 1205721 1205723)
Explore (1205726 1199053 1205720 1205721 1205723 1205726)Return 1199053
Explore (1205725 1199051 1205720 1205722 1205725)Returnempty
Explore (1205722 1199052 1205720 1205722)Returnempty
Explore (1205724 1199053 1205720 1205721 1205724)
1205721
1205720
1205726
1205723
1199053
11990521199051
1205724
1205725
1199052
1199053
1199051
1205722
Return 1199053
Return 11990521199053
Figure 7 Applying Algorithms 1 and 2 on the TPN at Figure 1 forAG not 119901
1+ 1199013= 0
controller then the controller does not exist We have alsoinvestigated the hardness complexity of the approach step bystep
(i) The complexity of computing BI of a state class (inworst case) is119874(119870times119871times119899
119905
2)where119870 is the number of
paths starting from the state class and leading to badmarkings 119871 is the maximal length of such paths and119899119905is the number of transitions in the model
(ii) The complexity for computing Dep relation used inAlgorithms 1 and 2 is119874(|LI|times119898times|BI|) where119898 is thenumber of places in the model (complexity of testingNew(119872 119905))
In [14] the authors have discussed the completenesscomplexity for bounded TPNs They have proven that modelchecking of TPN-TCTL formula on a bounded TPN isPSPACE-complete
Let us explain this approach by means of an exampleConsider the TPN shown at Figure 1 its state class graphpresented at Figure 2 and its state classes reported in Table 1Suppose that only 119905
1is controllable (ie 119879
119888= 1199051) and we
want to avoid reaching markings where places 1199011and 119901
3are
both not marked (ie state classes 1205724and 120572
6) by choosing
appropriately the firing intervals of 1199051 For this example we
have 119879119888= 1199051 bad = 119901
2 1199014 Passed = 0 and 120572
0=
(1199011+ 1199012 0 le 119905
1le 4 and 2 le 119905
2le 3)
The process starts by calling explore(1205720 120598 1205720) (see
Figure 7) Since 1205720is not in Passed and its marking is not
forbidden explore is successively called for the successorsof 1205720 explore(120572
1 1199051 1205720 1205721) and explore(120572
2 1199052 1205720 1205722) In
explore of 1205721 function explore is successively called for 120572
3
and 1205724 In explore of 120572
3 function explore is called for the
successor 1205726of 1205723by 1199053 explore(120572
6 1199053 1205720 1205721 1205723 1205726 For the
successor of 1205723by 1199054(ie 120572
0) there is no need to call explore
as it belongs to the current path Since 1205726has a forbidden
marking explore of 1205726returns to explore of 120572
3with 119905
3
which in turn adds (1205723 11990521199053 0) to Passed and returns to
explore of 1205721with 119905
21199053
In explore of 1205721 function explore is called for 120572
4
(explore(1205724 1199053 1205720 1205721 1205724)) This call returns to explore of
1205721 with 119905
3 since 120572
4has a forbidden marking In explore
of 1205721 the tuple (120572
1 11990521199053 1199053 0) is added to Passed and
119905111990521199053 11990511199053 is returned to explore of 120572
0 Then explore
of 1205720
calls explore(1205722 1199052 1205720 1205722) which in turn calls
explore(1205725 1199051 1205720 1205722 1205725) Since 120572
5has only one successor
(1205720) and this successor belongs to the current path the call of
explore for 1205725adds (120572
5 0 0) to Passed and returns to explore
of 1205722with 0 which in turn returns to explore of 120572
0
After exploring both successors of 1205720 in explore of 120572
0 we
get inΩ = 119905111990521199053 11990511199053 the set of bad paths of 120572
0 As the state
class 1205720has a controllable transition 119905
1 its bad subclasses are
computed Fire(1205720 119905111990521199053) = (119901
1+ 1199012 0 le 119905
1le 2 and 2 le
1199052le 3 and 1 le 119905
2minus 1199051le 3) and Fire(120572
0 11990511199053) = (119901
1+ 1199012 0 le
1199051le 1 and 2 le 119905
2le 3 and 2 le 119905
2minus 1199051le 3) The firing interval
of 1199051in 1205720([0 4]) is not covered by the union of intervals
of 1199051in bad subclasses of 120572
0([0 2] cup [0 1] = [0 4]) Then
(1205720 119905111990521199053 11990511199053 (1199051 1199050 [0 2])) is added to Passed As 119905
1is
newly enabled the empty set is returned to the functionmainwhich concludes that a controller exists According to the listPassed 120572
0needs to be controlled (Ctrl[120572
0] = (119905
1 1199050 [0 4] minus
[0 2])) For all others there is nothing to do
5 Controller Synthesis and Stopwatch
In this section we consider time Petri nets with control-lableuncontrollable transitions and show how such a systemis controlled by associating some of the controllable transi-tions with stopwatch First we apply the on-the-fly algorithmof [9] and calculate the appropriate controller Then insteadof restricting time intervals of corresponding controllabletransitions we associate them with stopwatch In fact wesuspend some transition during its bad subinterval to controla system so as to satisfy a given property
We consider the inhibitor hyperarcs of [3]The controllershall suspend a controllable transition in its bad subintervaland retrieve it otherwise Let us remember the example ofFigure 1 with the state class graph of Figure 2 and Table 1We have seen that in order to prevent the system enteringthe forbidden state classes 120572
4and 120572
6 the controller should
prevent 1199051from firing before ]2 4] Thus an inhibitor hyper-
arc is added to the transition 1199051 This inhibitor hyperarc
connects 1199051to a place called119901susp At the beginning this place
is marked and then 1199051is suspended At [2 2] the token of
119901susp is consumed and the corresponding hyperarc becomesdisabled The controllable transition 119905
1is now firable again
The token is returned to place 119901susp after 1199051 is fired Thus thecontroller suspends 119905
1during its bad subinterval and resumes
it after then At the beginning all clocks are initialized to zeroThen time elapses but in [0 2] this transition is suspendedand hence its clock does not elapse anymore Later at time[2 2] this transition is retrieved and becomes active Wedo not need to delay it anymore that is why the lowerbound of the interval associated with 119905
1is modified to 0
Now the clock starts elapsing Within 2 time units 1199051should
be fired (ie when the actual time of the general clock ofthe system reaches to 4) Then the interval associated with
Journal of Engineering 9
0 1 2 3 40
1
2
119907(1199051)
Time
119907(1199051) ne 0
119907(1199051) = 0
Figure 8 Clock evaluation of 1199051in the controlled TPN of Figure 9
1199051in a controlled TPN associated with stopwatch is [0 2]
Figure 8 represents the clock evaluation of the transition 1199051
The controlled Petri nets of this example are presented inFigure 9
In summary our goal is to synthesize the state class graphof the system through Algorithms 1 and 2 (see [9]) andcalculate bad subintervals of the corresponding controllabletransitions Then suspend the appropriate controllable tran-sitions during their bad subintervals Note that in [9] wewererestricting and limiting time intervals while in this approachthe idea is to delay and suspend them In this research wesuppose every controllable transition can be associated witha stopwatch if needed As explained earlier in Section 1 ina multitasking system with periodic tasks only execution ofa task is controllable Then those transitions modeling thetask executions are considered controllable and consequentlycould be suspended and retrieved
Above we have shown how to control a system whenthe bad subinterval is at the beginning of the firing inter-val What if the acceptable subinterval is at the beginningand bad subintervals are after Consider the example ofFigure 10 A controllable transition 119905
1is associated with firing
interval [119886 119887] Suppose that based on Algorithms 1 and 2the subinterval [119886 120572
1] is acceptable while ]120572
1 119887] is a bad
subinterval where 119886 le 1205721lt 119887 The controlled time Petri
nets are presented in Figure 11 Figure 12 represents the clockevaluation of 119905
1and shows how the new interval associated
with 1199051is calculated In [0 119886[ 119901susp is marked and 119905
1is neither
active nor enabled Meanwhile at the time 119886 1199051199031
becomesenabled and is fired consuming the token in 119901suspThus rightat 119886 the transition 119905
1becomes active and its associated clock
starts elapsing Note that associated stopwatch delays 1199051for
119886 time units and we do not want to delay it anymore thenthe lower bound of the new associated interval in controlledTPN is 0 After 120572
1time units 119905
1199032is fired and 119901susp becomes
marked again Consequently 1199051is suspended
Consider the same example of Figure 10 and this timesuppose that Algorithms 1 and 2 give the following output
[119886 1205721[ is acceptable [120572
1 1205722[ is a bad subinterval [120572
2 119887]
is acceptable where the condition 119886 lt 1205721lt 1205722le 119887 holds
1199051[0 2]
1199053[2infin[ 1199054[0 1]
1199052[2 3]119905resu [2 2]
119875susp
11990121199011
11990141199013
Figure 9 Time Petri net of Figure 1 controlled by inhibitor hyper-arcs (119879
119888= 1199051)
1199051[119886 119887]
1199012
1199013
Figure 10 A simple time Petri net (119879119888= 1199051)
With the same idea the controlled Petri nets are presented inFigure 13 and the clock evaluation of 119905
1is shown in Figure 14
51Why InhibitorHyperarcs Wehave shown how to achievea controlled model from an uncontrolled time Petri netsby adding inhibitor hyperarcs One question is why amongdifferent types of stopwatch inhibitor hyperarcs are chosenIs it possible to use another stopwatch model The answeris yes but inhibitor hyperarcs provide more flexibility andless complication Let us see if this idea is feasible using othertypes of Petri nets with stopwatch
We consider the post- and preinitialized Petri nets pro-posed in [4 5] for stopwatch and try to control amodel wherea controllable transition associated with time interval [119886 119887]has a bad subinterval [119886 120572] Based on our hypothesis thecontroller should suspend the controllable transition at [119886 119886]and resume it at [120572 120572] The characteristic of post and pre-initialized Petri nets is that they consume the same tokenof the original model and in addition the exact time whenthe model becomes suspended is unknown as stopwatchtransition and original transition have the same chance forfiring At the first glance the idea is feasible by adding oneplace and two transitions However there are some issuesWeexplain the problem through an example
We consider the same example of Figure 1 The suggestedcontrolled model using post and pre-initialized Petri netscomes in Figure 15The controllable transition 119905
1is associated
with stopwatchThe stopwatch interrupts the task at [0 0] andresume it at [2 2] The problem is at [0 0] both transitions1199051and 119905sus are enabled with equal chance of firing whereas
in order to have a controlled model 119905sus should fire at [0 0]before 119905
1 Thus the controller fails unless if we modify the
interval associated to 1199051to ]0 2] which is not of interest in
this approach
10 Journal of Engineering
1199051[0 1205721 minus 119886[
1199051199032[1205721 minus 119886 1205721 minus 119886]
1199051199031[119886 119886]
1199012
1199013
1199011199040
1199011199041
119901susp
Figure 11The controlledTPNof Figure 10 using inhibitor hyperarcs(119879119888= 1199051) Forbidden interval is ]120572
1 119887] where 119886 le 120572
1lt 119887
Time0
01205721
119907(1199051) 119907(1199051) = 1205721 minus 119886
119886 119887
1205721 minus 119886
119907(1199051) = 0
Figure 12 Clock evaluation of 1199051in the controlled TPN of Figure 10
Forbidden interval is ]1205721 119887] where 119886 le 120572
1lt 119887
1199051[0 119887 minus 119886 + 1205721 minus 1205722]
1199051199033[1205722 minus 1205721 1205722 minus 1205721]
1199051199032[1205721 minus 119886 1205721 minus 119886]
1199051199031[119886 119886]
1199013
11990121199011199040
1199011199041
119901susp
1199011199042
Figure 13 A simple time Petri net controlled by inhibitor hyperarcs(119879119888= 1199051) the bad subinterval is [120572
1 1205722[ where 119886 lt 120572
1lt 1205722le 119887
The other alternative is presented at Figure 16 An auxil-iary place 119901
119904solves the problem Hence using the stopwatch
Petri nets suggested in [4 5] it is not easy to give ageneral solution to control a model considering the output ofAlgorithms 1 and 2 In addition the resulting controlled netsare more complicated For example in case the controllabletransition is associated with the interval [119886 119887] where its badsubinterval is [120572 119887] and 119886 le 120572 then the controlled modelbecomes complicated
Time
00
119907(1199051)
119887 minus 119886 + 1205721 minus 1205722
1205721 minus 119886
1205722119886 1198871205721
Figure 14 Clock evaluation of 1199051in a controlled TPN of Figure 10
The forbidden interval is ]1205721 1205722] where 119886 lt 120572
1lt 1205722le 119887
119905sus[0 0]
119905resu[2 2]
1199053[2infin[ 1199054[0 1]
1199051[0 2] 1199052[2 3]
1199012
1199013
119901susp
1199011
1199014
Figure 15 Controlling the example of Figure 1 using stopwatch of[4] The controller fails
119905sus[0 0]
119905resu[2 2]
1199053[2infin[ 1199054[0 1]
1199051[0 2] 1199052[2 3]
1199012
1199013
119901susp
1199011
1199014
119901119904
Figure 16 Controlled model of Figure 1 using stopwatch of [4]
6 Illustrative Example
Suppose the multitasking system depicted in Figure 17 withthe following specifications four tasks 119879
1 1198792 1198793 and 119879
4are
being executed Two tasks 1198793and 119879
4are uncontrollable The
task 1198791is periodic with a period of [6 6] and then its start
execution is controllable Suppose that starting execution of1198792is also controllable 119879
4is depended to 119879
2and 119879
3meaning
that it can be executed only when1198792and1198793are executed Two
tasks1198791and1198792share a common resource On the other hand
1198791enters through a single capacity buffer It means that if 119879
1
is not executed by the end of its period the system will blockIn Figure 7 tasks are modeled by tokens and the execution ofeach task 119879
119894is shown by the transition 119905
119894 If 1198791is not executed
by the end of its period the system enters the state Block and1199055is the transition to be avoided Delay is a placemodeling the
Journal of Engineering 11
Table 2 State classes of the TPN presented at Figure 17
1205720 Delay + 119875
1+ Resource 2 le 119905
2le 3 5 le 119905
3le 6 2 le 119905
1le 2 6 le 119905
5le 6
1205721 Delay + 119875
1+Wait 3 le 119905
3le 4 4 le 119905
5le 4
1205722 Delay + 119875
1+ Resource 2 le 119905
2le 3 3 le 119905
3le 4 2 le 119905
1le 2 6 le 119905
5le 6
1205723 Delay + 119875
3+Wait 0 le 119905
4le 1 0 le 119905
5le 1
1205724 1198751+Wait + Block 0 le 119905
3le 0
1205725 Delay + 119875
1+Wait 1 le 119905
3le 2 4 le 119905
5le 4
1205726 Delay + 119875
1+ Resource 2 le 119905
2le 3 1 le 119905
3le 2 2 le 119905
1le 2 6 le 119905
5le 6
1205727 Delay + Resource + 119875
12 le 1199052le 3 5 le 119905
3le 6 2 le 119905
1le 2 0 le 119905
5le 1
1205728 1198753+Wait + Block 0 le 119905
4le 1
1205729 Delay + 119875
3+Wait 0 le 119905
4le 1 2 le 119905
5le 3
12057210 Delay + 119875
1+Wait 0 le 119905
3le 0 4 le 119905
5le 4
12057211 Delay + Resource + 119875
3
0 le 1199052le 2 0 le 119905
1le 1 4 le 119905
5le 5
0 le 1199052minus 1199051le 1 minus4 le 119905
2minus 1199055le minus3 minus4 le 119905
1minus 1199055le minus4
12057212 Delay + Resource + 119875
12 le 1199052le 3 0 le 119905
3le 0 2 le 119905
1le 2 6 le 119905
5le 6
12057213 Resource + 119875
1+ Block 1 le 119905
2le 3 4 le 119905
3le 6 minus4 le 119905
2minus 1199053le minus2
12057214 Resource + 119875
1+ Block 2 le 119905
2le 3 5 le 119905
3le 6
12057215 Delay + Resource + 119875
12 le 1199052le 3 5 le 119905
3le 6 2 le 119905
1le 2 1 le 119905
5le 3
12057216 Delay + 119875
3+Wait 0 le 119905
4le 1 4 le 119905
5le 4
12057217 Delay + Resource + 119875
32 le 1199052le 3 2 le 119905
1le 2 6 le 119905
5le 6
12057218 1198751+Wait + Block 2 le 119905
3le 4
12057219 Delay + 119875
1+Wait 3 le 119905
3le 4 0 le 119905
5le 1
12057220 Resource + 119875
1+ Block 0 le 119905
2le 2 3 le 119905
3le 5 minus4 le 119905
2minus 1199053le minus2
12057221 Delay + Resource + 119875
12 le 1199052le 3 5 le 119905
3le 6 2 le 119905
1le 2 3 le 119905
5le 4
12057222 Delay + 119875
1+Wait 3 le 119905
3le 4 1 le 119905
5le 2
12057223 1198751+Wait + Block 1 le 119905
3le 3
ResourceDelay
WaitBlock
1199054[0 1]
1199052[2 3]1199051[2 2]1199055[6 6] 1199053[5 6]
1199012
1199011
Figure 17 A periodic system with 119879119888= 1199051 1199052
behavior of the buffer considering the period of the task 1198791
And finally 1198791executes within [2 2] time units 119879
2in [2 3]
1198793within [5 6] and 119879
4in [0 1]
The state class graph of the model is given in Figure 18and Table 2 shows the state class informations Basedon the state class graph of the system the state classes1205724 1205728 12057213 12057214 12057218 12057220 and120572
23are forbidden Let us briefly
trace the algorithm on the state class graph First we followthe algorithm on the left branch where the state classes1205724 1205728 and 120572
13are located The algorithm starts from 120572
0
and is executed recursively to 1205721 then 120572
3 1205727and finally
reaches to 12057213with a forbidden markingThen it comes back
to 1205727with 119905
5 and to 120572
3with 119905
41199055 The other successor
available from 1205723is 1205728which is also forbidden Till now
there is no enabled controllable transition to avoid theseclasses and the algorithm continues returning back to 120572
1
with 119905311990541199055 11990531199055 The other successor available from 120572
1
is 1205724which is also forbidden Thus it returns back to
1205720with 119905
2119905311990541199055 119905211990531199055 11990521199055 The other successor available
from 1205720is 1205722which is safe and the algorithm continues to
1205725 1205729 12057215 12057219 and finally 120572
18which is a forbidden state
Then it goes back to 12057219
with 1199055 and consequently to 120572
15
with 11990521199055 The other successors available from 120572
15are the
forbidden state 12057220and 120572
2which is already under processing
Note that two enabled controllable transitions are available at12057215 but the controller cannot act at this level because 119905
5may
fire before 1199051or 1199052and lead to a forbidden state Then the
algorithm continues and returns back to 1205729with 119905
411990521199055 11990521199055
where no controllable transition is available Consequentlythe algorithm continues and returns back to 120572
5and finally
reaches to 1205722where newly enabled controllable transitions
are available Till now the path to be avoided at 1205722includes
11990521199053119905411990521199055 1199052119905311990541199055
The procedure is similar for the other path availablefrom 120572
2including 120572
6and its successors The forbidden state
reachable through this path is 12057223and in order to avoid this
forbidden state the controller can act at 12057221with two enabled
controllable transitions So nothing is returned to 1205722from
this path Having a closer look to the state class graph andthe output of the algorithm we conclude that at each statewhere 119905
1and 1199052are newly enabled and the controller should
act (ie 1205720 1205722 and 120572
21) the controller should force 119905
1to fire
before 1199052(ie 119905
2minus 1199051gt 0) In other words 119905
2should not be
active at [2 2] It is sufficient to add an inhibitor hyperarcto deactivate 119905
2at [2 2] The controller cannot act at the
12 Journal of Engineering
1205721
1205727
1205720 12057261199051 1199051
1199051
1199055
11990511199052
1205722
1205723
11990511199053
12057212
12057223 12057222
11990511199052
1199052
11990531199053
12057211
11990531199053
1199054
1199053
1199053
1199053
1199052
1199052
1199052
1199052
1199052
1199052
12057210
1199055
1199055
1199055
119905511990551199054 119905212057216 1205721712057220
12057215
1199051
1199054
12057213
12057218
12057219
12057214
1205724
1199054 1205729
1205725
120572211205728
Figure 18 The state class graph of the TPN presented at Figure 17
1199054[0 1]
1199052[0 1]1199051[2 2]
1199055[6 6]
1199053[5 6]
ResourceDelay
Wait
Block
1199012119901susp
1199011
Figure 19 Controlled model of Figure 17 using inhibitor hyperarcs
state class 12057215
as discussed earlier and has nothing to do atthe state class 120572
6(the permissive controller will act later at
the state class 12057221) Note that a state class like 120572
14which is
reachable through a forbidden state (1205728) is not processed by
the algorithm as it is supposed to be avoided in the controlledsystem The controlled model using inhibitor hyperarcs isgiven at Figure 19
Our model is now safe Yet some challenges exist Lookat the state class graph of the model presented at Figure 18In some paths one task is executed frequently while othersare still waiting For example see the paths leading to 120572
17
Although the system is not blocked some of the tasks cannotbe executed A good scheduler had better to performdifferenttasks alternatively We may want to consider alternationparticular sequences add a deadline for each task or otherpossible policies And finally we may ask if it is possible torestrict the execution time of a task even if it is in its safesubintervalThen while synthesizing a scheduler we can addmore constraints and scheduling policies beyond ldquosafe statesrdquoFurther researches are required to answer these questions
7 Conclusion
In this paper we have extended the approach discussed in[9] to time Petri nets with stopwatch and have suggested toassociate the controllable transitions with stopwatch in orderto prevent their bad subintervals We have proposed thatin case a controller (like a scheduler) cannot restrict timeintervals associated with controllable transitions the control-lable transitions can be suspended in their bad subintervals
Synthesizing a time Petri net associated with stopwatch iscomplicated and needs some overapproximations Besidestime Petri nets associated with stopwatch do not preservethe boundedness property In this paper we have suggesteda more effective alternative We synthesize a time Petri netwithout stopwatch and then equip the controllable transi-tions with stopwatch where necessary With this assumptionevery controllable transition can be suspended in its badsubinterval and resumed otherwise Amongst different typesof stopwatch our solution is based on inhibitor hyperarcs
The approach suggested in this paper is particularlyuseful at design level for preemptive scheduling purposesmanaging shared resources and critical sections This is agood starting point for further researches on schedulingand to calculate automatically a scheduler in a multitaskingsystem It is interesting to see how the approach can beapplied in amore general case with a variable number of tasksand dependencies Consider different scheduling policies arechallenging and areworth to be considered in further studies
References
[1] P Heidari A forward on-the-fly approach for safety and reach-ability controller synthesis of timed systems [PhD thesis] EcolePolytechnique de Montreal 2012
[2] F Cassez and K Larsen ldquoThe impressive power of stopwatchesautomatardquo in Proceedings of the 11th International Conferenceon Concurrency Theory (CONCUR rsquo00) pp 138ndash152 Springer2000
[3] O H Roux and D Lime ldquoTime petri nets with inhibitorhyperarcs formal semantics and state space computationrdquo inProceedings of the International Conference on Application andTheory of Petri Nets (ICATPN rsquo04) pp 371ndash390 2004
[4] A Allahham and H Alla ldquoPost and pre-initialized stopwatchPetri nets formal semantics and state space computationrdquoNonlinear Analysis vol 2 no 4 pp 1175ndash1186 2008
[5] A Allahham and H Alla ldquoReseaux de Petri a chronometrespost et pre-initialisesrdquo in Proceedings of the 6 eme ColloqueFrancophone sur la Modelisation des Systemes Reactifs (MSRrsquo07) pp 263ndash280 Lyon France 2007
[6] D Isovic and G Fohler ldquoEfficient scheduling of sporadicaperiodic and periodic tasks with complex constraintsrdquo in
Journal of Engineering 13
Proceedings of the 21st IEEE Real-Time Systems Symposium pp207ndash216 2000
[7] K Altisen G Gossler and J Sifakis ldquoA methodology for theconstruction of scheduled systemsrdquo in Proceedings of the FormalTechniques in Real-Time and Fault-Tolerant Systems (FTRTFTrsquo00) pp 106ndash120 2000
[8] K Altisen G Gossler A Pnueli J Sifakis S Tripakis and SYovine ldquoA framework for scheduler synthesisrdquo in Proceedingsof the 20th IEEE Real-Time Systems Symposium (RTSSrsquo99) pp154ndash163 December 1999
[9] P Heidari and H Boucheneb ldquoEfficient method for checkingthe existence of a safety reachability controller for time petrinetsrdquo in Proceedings of the 10th International Conference onApplication of Concurrency to System Design (ACSD rsquo10) pp201ndash210 June 2010
[10] O-H Roux D Lime S Haddad F Cassez and B BrardldquoComparison of different semantics for time Petri netsrdquo inProceedings of the 3rd Automated Technology for Verification andAnalysis vol 3707 of Lecture Notes in Computer Science pp293ndash307 2005
[11] M Boyer and F Vernadat ldquoLanguage and bisimulation relationsbetween subclasses of timed petri nets with strong timingsemanticrdquo Tech Rep LAAS 2000
[12] W Penczek and A Polrola ldquoSpecification and model checkingof temporal properties in time Petri nets and timed automatardquoin Proceedings of the 25th International Conference on Appli-cation and Theory of Petri Nets vol 3099 of Lecture Notes inComputer Science pp 37ndash76 2004
[13] B Berthomieu andM Diaz ldquoModeling and verification of timedependent systems using time Petri netsrdquo IEEE Transactions onSoftware Engineering vol 17 no 3 pp 259ndash273 1991
[14] H Boucheneb G Gardey and O H Roux ldquoTCTL modelchecking of time petri netsrdquo Journal of Logic and Computationvol 19 no 6 pp 1509ndash1540 2009
[15] J Bengtsson Clocks DBMs and states in timed systems [PhDthesis] Uppsala Universitet Sweden 2002
[16] B Berthomieu and F Vernadat ldquoState class constructions forbranching analysis of time Petri netsrdquo in Proceedings of the9th International Conference on Tools and Algorithms for theConstruction and Analysis of Systems (TACAS rsquo03) pp 442ndash4572003
[17] D Lime andO Roux ldquoA translation basedmethod for the timedanalysis of scheduling extended time Petri netsrdquo in Proceedingsof the 25th IEEE International Real-Time Systems Symposium(RTSS rsquo04) pp 187ndash196 December 2004
[18] G Bucci A Fedeli L Sassoli and E Vicario ldquoTimed state spaceanalysis of real-time preemptive systemsrdquo IEEE Transactions onSoftware Engineering vol 30 no 2 pp 97ndash111 2004
[19] T A Henzinger P-H Ho and H Wong-Toi ldquoHYTECH amodel checker for hybrid systemsrdquo in Proceedings of the 9thInternational Conference on Computer-Aided Verification (CAVrsquo97) vol 1254 of Lecture Notes in Computer Science pp 460ndash463 Springer Berlin Germany 1997
[20] P Heidari andH Boucheneb ldquoMaximally permissive controllersynthesis for time petri netsrdquo International Journal of Controlvol 86 no 3 pp 493ndash511 2013
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
6 Journal of Engineering
119907(119905119894)
119864 119864 119864119863 119865
Time
Figure 5 Time elapses 119905119894is an interruptible transition
119907(119905119894)
119864 119864119863 119865
Time
Figure 6 Time elapses 119905119894is a noninterruptible transition
In brief according to the types of transitions two types ofclock initialization are defined
(i) Preinitialization Given a transition 119905119894
isin 119879no-intwhere119879no-int is the set of noninterruptible transitionsclock initialization is called preinitialization happen-ing when 119905
119894is recently enabled As soon as a transition
becomes enabled its associated clock is initialized(ii) Postinitialization Given a transition 119905
119894isin 119879int where
119879int is the set of interruptible transitions clock initial-ization is called post-initialization happening after fir-ing 119905119894 it means that the transition initializes the clock
after being fired Post-initialization is dependent ontransition firing
In [4] continuous and discrete transitions are defined asfollows
Let 119889 isin R+ a continuous transition is denoted by(119872 119907)
119889
997888rarr (119872 1199071015840) iff forall119905
119894isin 119879
(i) 1199071015840(119905119894) = 119907(119905
119894) if the transition 119905
119894is not enabled
(ii) 1199071015840(119905119894) = 119907(119905
119894) + 119889 if 119905
119894is enabled
(iii) 119872 ge Pre(119905119894) rArr 119907
1015840le uarr Is(119905
119894)
And a discrete transition is denoted by (119872 119907)
119905119894
997888rarr (1198721015840 1199071015840)
iff forall119905119894isin 119879
(i) 119905119894isin Firable(119872)
(ii) 1198721015840 = 119872 minus Pre(119905119894) + Post(119905
119894)
(iii) 1199071015840(119905119894) = 0 if 119905
119894isin 119879int (postinitialization)
(iv) forall119905119896isin 119879 1199071015840(119905
119896) =
(a) 0 if 119905119896isin uarr enabled(119905
119896119872 119905119894) (preinitialization)
(b) 119907(119905119894) Otherwise
In order to perform further timing analysis the sameas scheduling extended time Petri nets of [17] the SWPNis transformed to hybrid automaton In addition a forwardalgorithm is suggested to compute reachable states
If the number of stopwatches increases for exampleif all of the transitions are interruptible the complexityof calculation will highly increase Scheduling time Petrinets and preemptive time Petri nets are both subclasses ofstopwatch Petri nets An ordinary TPN is also a SWPNwhere119879int = 0
After having a survey on different stopwatch Petri netsavailable in the literature in the following wewill have a briefreview on the algorithm of [9] and then investigate how tointegrate stopwatch in the controller synthesis approach of[9]
4 Safety Controller Synthesis ApproachProposed in [9]
Let N be a TPN with controllable and uncontrollable tran-sitions (119879 = 119879
119888cup 119879119906) and a set of markings to be avoided
(bad) For a safety property the approach proposed in [9] (seeAlgorithms 1 and 2) consists of exploring on-the-fly and pathby path the state class graph of the TPN N while collectingthe bad sequences and the losing states (sequences or statesthat lead to bad markings) The list Passed is used to retrievethe set of state classes processed so far their bad sequencesand their losing subclasses For a given state class 120572 and abad sequence 120596 feasible from 120572 the function Fire is used tocompute forwardly all states of 120572 which lead by a sequence oftransitions to an undesirable marking (ie a losing subclassof 120572) The function explore receives parameters 120572 being theclass under process 119905 the transition leading to 120572 and Cthe set of traveled classes in the current path Succinctlyit recursively computes the bad sequences of 120572 (from badsequences of its successors) and verifies whether or not 120572can be controlled so as to avoid its bad sequences It returnsthe set of bad sequences if they cannot be avoided from 120572Otherwise it returns an empty set which means that 120572 canbe controlled (ie 120572 has no bad sequences or there is at leastone controllable transition 119905
119888such that its firing interval in
120572 can be restricted so as to avoid reaching bad states) Therestriction of the interval of 119905
119888in 120572 is obtained by subtracting
from its interval in 120572 intervals of 119905119888in its bad subclasses
This approach tries to control the system behavior start-ing from the last to the first state class of bad paths If it failsto control a state class of a path so as to avoid all bad stateclasses the algorithm tries to control its previous state classesIf it succeeds to control a state class there is no need to controlits predecessors The aim is to limit as little as possible thebehavior of the system (more permissive controller)
In [20] we have proven that this approach gives themaximally permissive controller and if it fails to compute the
Journal of Engineering 7
Functionmain (TPNN Markings bad)WhereN is a TPNbad is a set of bad markingsLet 119879
119888be the set of controllable transitions of N and
1205720the initial state class of N
Passed = 0If (explore (120572
0 120598 1205720) = 0) then
Controller does not existreturn
end iffor all ((120572 Ω LI) isin Passed) do
Ctrl[120572] = ⋃(119905119888 119905119904 BI)isinLI(119905119888 119905119904 INT (120572 119905119888 minus 119905119904) minus BI)
end for(lowastRemarks)120572 = (119872 119865)En119888(119872) = En(119872) cap 119879
119888
En0119888(119872) = En
119888(119872) cup 119905
0
New119888(119872 119905) = New(119872 119905) cap 119879
119888
New(1198720 120598) = En(119872
0)
1199050is a fictitious transition whose time variable is fixed at 0
Dep (120572 119905 LI) equivexist(119905119888 119905119904BI) isin LI 119905
119888notin New(119872 119905) and (119905
119904notin New(119872 119905)or
INT (120572 119905119888minus 1199050) sube ⋂
119868isinBI(119868 oplus INT (120572 119905119904minus 1199050)))
Algorithm 1 On-the-fly algorithm for the safety control of TPN-Part I
Function Traces explore (Class 120572 Trans 119905 ClassesC)if (existΩ LI st (120572 Ω LI) isin Passed) then
if (Ω = 0 and Dep (120572 119905 LI)) thenreturn 119905 sdot 120596 | 120596 isin Ω
end ifreturn 0
end ifif (119872 isin bad) then
return 119905end ifTraces Ω = 0for all 1199051015840 isin En(119872) st succ (120572 1199051015840) = 0 and succ (120572 1199051015840) notin C
doΩ =Ω cup explore (succ (120572 1199051015840) 1199051015840C cup succ (120572 1199051015840))
end for Ω contains all bad sequences of 120572if (Ω = 0) then
Passed = Passed cup (120572 0 0)return 0
end ifLI = (119905
119888 119905119904BI) | (119905
119888 119905119904) isin En
119888(119872) times En0
119888(119872) and
BI = ⋃120596isinΩ
INT (Fire (120572 120596) 119905119888minus 119905119904) sub INT (120572 119905
119888minus 119905119904)
Passed = Passed cup (120572Ω LI)if (Dep (120572 119905 LI)) then
return 119905 sdot 120596 | 120596 isin Ω
end ifreturn 0
Algorithm 2 On-the-fly algorithm for the safety control of TPN-Part II
8 Journal of Engineering
Explore (1205720 120598 1205720)Returnempty
Explore (1205721 1199051 1205720 1205721)Return 119905111990521199053 11990511199053
Explore (1205723 1199052 1205720 1205721 1205723)
Explore (1205726 1199053 1205720 1205721 1205723 1205726)Return 1199053
Explore (1205725 1199051 1205720 1205722 1205725)Returnempty
Explore (1205722 1199052 1205720 1205722)Returnempty
Explore (1205724 1199053 1205720 1205721 1205724)
1205721
1205720
1205726
1205723
1199053
11990521199051
1205724
1205725
1199052
1199053
1199051
1205722
Return 1199053
Return 11990521199053
Figure 7 Applying Algorithms 1 and 2 on the TPN at Figure 1 forAG not 119901
1+ 1199013= 0
controller then the controller does not exist We have alsoinvestigated the hardness complexity of the approach step bystep
(i) The complexity of computing BI of a state class (inworst case) is119874(119870times119871times119899
119905
2)where119870 is the number of
paths starting from the state class and leading to badmarkings 119871 is the maximal length of such paths and119899119905is the number of transitions in the model
(ii) The complexity for computing Dep relation used inAlgorithms 1 and 2 is119874(|LI|times119898times|BI|) where119898 is thenumber of places in the model (complexity of testingNew(119872 119905))
In [14] the authors have discussed the completenesscomplexity for bounded TPNs They have proven that modelchecking of TPN-TCTL formula on a bounded TPN isPSPACE-complete
Let us explain this approach by means of an exampleConsider the TPN shown at Figure 1 its state class graphpresented at Figure 2 and its state classes reported in Table 1Suppose that only 119905
1is controllable (ie 119879
119888= 1199051) and we
want to avoid reaching markings where places 1199011and 119901
3are
both not marked (ie state classes 1205724and 120572
6) by choosing
appropriately the firing intervals of 1199051 For this example we
have 119879119888= 1199051 bad = 119901
2 1199014 Passed = 0 and 120572
0=
(1199011+ 1199012 0 le 119905
1le 4 and 2 le 119905
2le 3)
The process starts by calling explore(1205720 120598 1205720) (see
Figure 7) Since 1205720is not in Passed and its marking is not
forbidden explore is successively called for the successorsof 1205720 explore(120572
1 1199051 1205720 1205721) and explore(120572
2 1199052 1205720 1205722) In
explore of 1205721 function explore is successively called for 120572
3
and 1205724 In explore of 120572
3 function explore is called for the
successor 1205726of 1205723by 1199053 explore(120572
6 1199053 1205720 1205721 1205723 1205726 For the
successor of 1205723by 1199054(ie 120572
0) there is no need to call explore
as it belongs to the current path Since 1205726has a forbidden
marking explore of 1205726returns to explore of 120572
3with 119905
3
which in turn adds (1205723 11990521199053 0) to Passed and returns to
explore of 1205721with 119905
21199053
In explore of 1205721 function explore is called for 120572
4
(explore(1205724 1199053 1205720 1205721 1205724)) This call returns to explore of
1205721 with 119905
3 since 120572
4has a forbidden marking In explore
of 1205721 the tuple (120572
1 11990521199053 1199053 0) is added to Passed and
119905111990521199053 11990511199053 is returned to explore of 120572
0 Then explore
of 1205720
calls explore(1205722 1199052 1205720 1205722) which in turn calls
explore(1205725 1199051 1205720 1205722 1205725) Since 120572
5has only one successor
(1205720) and this successor belongs to the current path the call of
explore for 1205725adds (120572
5 0 0) to Passed and returns to explore
of 1205722with 0 which in turn returns to explore of 120572
0
After exploring both successors of 1205720 in explore of 120572
0 we
get inΩ = 119905111990521199053 11990511199053 the set of bad paths of 120572
0 As the state
class 1205720has a controllable transition 119905
1 its bad subclasses are
computed Fire(1205720 119905111990521199053) = (119901
1+ 1199012 0 le 119905
1le 2 and 2 le
1199052le 3 and 1 le 119905
2minus 1199051le 3) and Fire(120572
0 11990511199053) = (119901
1+ 1199012 0 le
1199051le 1 and 2 le 119905
2le 3 and 2 le 119905
2minus 1199051le 3) The firing interval
of 1199051in 1205720([0 4]) is not covered by the union of intervals
of 1199051in bad subclasses of 120572
0([0 2] cup [0 1] = [0 4]) Then
(1205720 119905111990521199053 11990511199053 (1199051 1199050 [0 2])) is added to Passed As 119905
1is
newly enabled the empty set is returned to the functionmainwhich concludes that a controller exists According to the listPassed 120572
0needs to be controlled (Ctrl[120572
0] = (119905
1 1199050 [0 4] minus
[0 2])) For all others there is nothing to do
5 Controller Synthesis and Stopwatch
In this section we consider time Petri nets with control-lableuncontrollable transitions and show how such a systemis controlled by associating some of the controllable transi-tions with stopwatch First we apply the on-the-fly algorithmof [9] and calculate the appropriate controller Then insteadof restricting time intervals of corresponding controllabletransitions we associate them with stopwatch In fact wesuspend some transition during its bad subinterval to controla system so as to satisfy a given property
We consider the inhibitor hyperarcs of [3]The controllershall suspend a controllable transition in its bad subintervaland retrieve it otherwise Let us remember the example ofFigure 1 with the state class graph of Figure 2 and Table 1We have seen that in order to prevent the system enteringthe forbidden state classes 120572
4and 120572
6 the controller should
prevent 1199051from firing before ]2 4] Thus an inhibitor hyper-
arc is added to the transition 1199051 This inhibitor hyperarc
connects 1199051to a place called119901susp At the beginning this place
is marked and then 1199051is suspended At [2 2] the token of
119901susp is consumed and the corresponding hyperarc becomesdisabled The controllable transition 119905
1is now firable again
The token is returned to place 119901susp after 1199051 is fired Thus thecontroller suspends 119905
1during its bad subinterval and resumes
it after then At the beginning all clocks are initialized to zeroThen time elapses but in [0 2] this transition is suspendedand hence its clock does not elapse anymore Later at time[2 2] this transition is retrieved and becomes active Wedo not need to delay it anymore that is why the lowerbound of the interval associated with 119905
1is modified to 0
Now the clock starts elapsing Within 2 time units 1199051should
be fired (ie when the actual time of the general clock ofthe system reaches to 4) Then the interval associated with
Journal of Engineering 9
0 1 2 3 40
1
2
119907(1199051)
Time
119907(1199051) ne 0
119907(1199051) = 0
Figure 8 Clock evaluation of 1199051in the controlled TPN of Figure 9
1199051in a controlled TPN associated with stopwatch is [0 2]
Figure 8 represents the clock evaluation of the transition 1199051
The controlled Petri nets of this example are presented inFigure 9
In summary our goal is to synthesize the state class graphof the system through Algorithms 1 and 2 (see [9]) andcalculate bad subintervals of the corresponding controllabletransitions Then suspend the appropriate controllable tran-sitions during their bad subintervals Note that in [9] wewererestricting and limiting time intervals while in this approachthe idea is to delay and suspend them In this research wesuppose every controllable transition can be associated witha stopwatch if needed As explained earlier in Section 1 ina multitasking system with periodic tasks only execution ofa task is controllable Then those transitions modeling thetask executions are considered controllable and consequentlycould be suspended and retrieved
Above we have shown how to control a system whenthe bad subinterval is at the beginning of the firing inter-val What if the acceptable subinterval is at the beginningand bad subintervals are after Consider the example ofFigure 10 A controllable transition 119905
1is associated with firing
interval [119886 119887] Suppose that based on Algorithms 1 and 2the subinterval [119886 120572
1] is acceptable while ]120572
1 119887] is a bad
subinterval where 119886 le 1205721lt 119887 The controlled time Petri
nets are presented in Figure 11 Figure 12 represents the clockevaluation of 119905
1and shows how the new interval associated
with 1199051is calculated In [0 119886[ 119901susp is marked and 119905
1is neither
active nor enabled Meanwhile at the time 119886 1199051199031
becomesenabled and is fired consuming the token in 119901suspThus rightat 119886 the transition 119905
1becomes active and its associated clock
starts elapsing Note that associated stopwatch delays 1199051for
119886 time units and we do not want to delay it anymore thenthe lower bound of the new associated interval in controlledTPN is 0 After 120572
1time units 119905
1199032is fired and 119901susp becomes
marked again Consequently 1199051is suspended
Consider the same example of Figure 10 and this timesuppose that Algorithms 1 and 2 give the following output
[119886 1205721[ is acceptable [120572
1 1205722[ is a bad subinterval [120572
2 119887]
is acceptable where the condition 119886 lt 1205721lt 1205722le 119887 holds
1199051[0 2]
1199053[2infin[ 1199054[0 1]
1199052[2 3]119905resu [2 2]
119875susp
11990121199011
11990141199013
Figure 9 Time Petri net of Figure 1 controlled by inhibitor hyper-arcs (119879
119888= 1199051)
1199051[119886 119887]
1199012
1199013
Figure 10 A simple time Petri net (119879119888= 1199051)
With the same idea the controlled Petri nets are presented inFigure 13 and the clock evaluation of 119905
1is shown in Figure 14
51Why InhibitorHyperarcs Wehave shown how to achievea controlled model from an uncontrolled time Petri netsby adding inhibitor hyperarcs One question is why amongdifferent types of stopwatch inhibitor hyperarcs are chosenIs it possible to use another stopwatch model The answeris yes but inhibitor hyperarcs provide more flexibility andless complication Let us see if this idea is feasible using othertypes of Petri nets with stopwatch
We consider the post- and preinitialized Petri nets pro-posed in [4 5] for stopwatch and try to control amodel wherea controllable transition associated with time interval [119886 119887]has a bad subinterval [119886 120572] Based on our hypothesis thecontroller should suspend the controllable transition at [119886 119886]and resume it at [120572 120572] The characteristic of post and pre-initialized Petri nets is that they consume the same tokenof the original model and in addition the exact time whenthe model becomes suspended is unknown as stopwatchtransition and original transition have the same chance forfiring At the first glance the idea is feasible by adding oneplace and two transitions However there are some issuesWeexplain the problem through an example
We consider the same example of Figure 1 The suggestedcontrolled model using post and pre-initialized Petri netscomes in Figure 15The controllable transition 119905
1is associated
with stopwatchThe stopwatch interrupts the task at [0 0] andresume it at [2 2] The problem is at [0 0] both transitions1199051and 119905sus are enabled with equal chance of firing whereas
in order to have a controlled model 119905sus should fire at [0 0]before 119905
1 Thus the controller fails unless if we modify the
interval associated to 1199051to ]0 2] which is not of interest in
this approach
10 Journal of Engineering
1199051[0 1205721 minus 119886[
1199051199032[1205721 minus 119886 1205721 minus 119886]
1199051199031[119886 119886]
1199012
1199013
1199011199040
1199011199041
119901susp
Figure 11The controlledTPNof Figure 10 using inhibitor hyperarcs(119879119888= 1199051) Forbidden interval is ]120572
1 119887] where 119886 le 120572
1lt 119887
Time0
01205721
119907(1199051) 119907(1199051) = 1205721 minus 119886
119886 119887
1205721 minus 119886
119907(1199051) = 0
Figure 12 Clock evaluation of 1199051in the controlled TPN of Figure 10
Forbidden interval is ]1205721 119887] where 119886 le 120572
1lt 119887
1199051[0 119887 minus 119886 + 1205721 minus 1205722]
1199051199033[1205722 minus 1205721 1205722 minus 1205721]
1199051199032[1205721 minus 119886 1205721 minus 119886]
1199051199031[119886 119886]
1199013
11990121199011199040
1199011199041
119901susp
1199011199042
Figure 13 A simple time Petri net controlled by inhibitor hyperarcs(119879119888= 1199051) the bad subinterval is [120572
1 1205722[ where 119886 lt 120572
1lt 1205722le 119887
The other alternative is presented at Figure 16 An auxil-iary place 119901
119904solves the problem Hence using the stopwatch
Petri nets suggested in [4 5] it is not easy to give ageneral solution to control a model considering the output ofAlgorithms 1 and 2 In addition the resulting controlled netsare more complicated For example in case the controllabletransition is associated with the interval [119886 119887] where its badsubinterval is [120572 119887] and 119886 le 120572 then the controlled modelbecomes complicated
Time
00
119907(1199051)
119887 minus 119886 + 1205721 minus 1205722
1205721 minus 119886
1205722119886 1198871205721
Figure 14 Clock evaluation of 1199051in a controlled TPN of Figure 10
The forbidden interval is ]1205721 1205722] where 119886 lt 120572
1lt 1205722le 119887
119905sus[0 0]
119905resu[2 2]
1199053[2infin[ 1199054[0 1]
1199051[0 2] 1199052[2 3]
1199012
1199013
119901susp
1199011
1199014
Figure 15 Controlling the example of Figure 1 using stopwatch of[4] The controller fails
119905sus[0 0]
119905resu[2 2]
1199053[2infin[ 1199054[0 1]
1199051[0 2] 1199052[2 3]
1199012
1199013
119901susp
1199011
1199014
119901119904
Figure 16 Controlled model of Figure 1 using stopwatch of [4]
6 Illustrative Example
Suppose the multitasking system depicted in Figure 17 withthe following specifications four tasks 119879
1 1198792 1198793 and 119879
4are
being executed Two tasks 1198793and 119879
4are uncontrollable The
task 1198791is periodic with a period of [6 6] and then its start
execution is controllable Suppose that starting execution of1198792is also controllable 119879
4is depended to 119879
2and 119879
3meaning
that it can be executed only when1198792and1198793are executed Two
tasks1198791and1198792share a common resource On the other hand
1198791enters through a single capacity buffer It means that if 119879
1
is not executed by the end of its period the system will blockIn Figure 7 tasks are modeled by tokens and the execution ofeach task 119879
119894is shown by the transition 119905
119894 If 1198791is not executed
by the end of its period the system enters the state Block and1199055is the transition to be avoided Delay is a placemodeling the
Journal of Engineering 11
Table 2 State classes of the TPN presented at Figure 17
1205720 Delay + 119875
1+ Resource 2 le 119905
2le 3 5 le 119905
3le 6 2 le 119905
1le 2 6 le 119905
5le 6
1205721 Delay + 119875
1+Wait 3 le 119905
3le 4 4 le 119905
5le 4
1205722 Delay + 119875
1+ Resource 2 le 119905
2le 3 3 le 119905
3le 4 2 le 119905
1le 2 6 le 119905
5le 6
1205723 Delay + 119875
3+Wait 0 le 119905
4le 1 0 le 119905
5le 1
1205724 1198751+Wait + Block 0 le 119905
3le 0
1205725 Delay + 119875
1+Wait 1 le 119905
3le 2 4 le 119905
5le 4
1205726 Delay + 119875
1+ Resource 2 le 119905
2le 3 1 le 119905
3le 2 2 le 119905
1le 2 6 le 119905
5le 6
1205727 Delay + Resource + 119875
12 le 1199052le 3 5 le 119905
3le 6 2 le 119905
1le 2 0 le 119905
5le 1
1205728 1198753+Wait + Block 0 le 119905
4le 1
1205729 Delay + 119875
3+Wait 0 le 119905
4le 1 2 le 119905
5le 3
12057210 Delay + 119875
1+Wait 0 le 119905
3le 0 4 le 119905
5le 4
12057211 Delay + Resource + 119875
3
0 le 1199052le 2 0 le 119905
1le 1 4 le 119905
5le 5
0 le 1199052minus 1199051le 1 minus4 le 119905
2minus 1199055le minus3 minus4 le 119905
1minus 1199055le minus4
12057212 Delay + Resource + 119875
12 le 1199052le 3 0 le 119905
3le 0 2 le 119905
1le 2 6 le 119905
5le 6
12057213 Resource + 119875
1+ Block 1 le 119905
2le 3 4 le 119905
3le 6 minus4 le 119905
2minus 1199053le minus2
12057214 Resource + 119875
1+ Block 2 le 119905
2le 3 5 le 119905
3le 6
12057215 Delay + Resource + 119875
12 le 1199052le 3 5 le 119905
3le 6 2 le 119905
1le 2 1 le 119905
5le 3
12057216 Delay + 119875
3+Wait 0 le 119905
4le 1 4 le 119905
5le 4
12057217 Delay + Resource + 119875
32 le 1199052le 3 2 le 119905
1le 2 6 le 119905
5le 6
12057218 1198751+Wait + Block 2 le 119905
3le 4
12057219 Delay + 119875
1+Wait 3 le 119905
3le 4 0 le 119905
5le 1
12057220 Resource + 119875
1+ Block 0 le 119905
2le 2 3 le 119905
3le 5 minus4 le 119905
2minus 1199053le minus2
12057221 Delay + Resource + 119875
12 le 1199052le 3 5 le 119905
3le 6 2 le 119905
1le 2 3 le 119905
5le 4
12057222 Delay + 119875
1+Wait 3 le 119905
3le 4 1 le 119905
5le 2
12057223 1198751+Wait + Block 1 le 119905
3le 3
ResourceDelay
WaitBlock
1199054[0 1]
1199052[2 3]1199051[2 2]1199055[6 6] 1199053[5 6]
1199012
1199011
Figure 17 A periodic system with 119879119888= 1199051 1199052
behavior of the buffer considering the period of the task 1198791
And finally 1198791executes within [2 2] time units 119879
2in [2 3]
1198793within [5 6] and 119879
4in [0 1]
The state class graph of the model is given in Figure 18and Table 2 shows the state class informations Basedon the state class graph of the system the state classes1205724 1205728 12057213 12057214 12057218 12057220 and120572
23are forbidden Let us briefly
trace the algorithm on the state class graph First we followthe algorithm on the left branch where the state classes1205724 1205728 and 120572
13are located The algorithm starts from 120572
0
and is executed recursively to 1205721 then 120572
3 1205727and finally
reaches to 12057213with a forbidden markingThen it comes back
to 1205727with 119905
5 and to 120572
3with 119905
41199055 The other successor
available from 1205723is 1205728which is also forbidden Till now
there is no enabled controllable transition to avoid theseclasses and the algorithm continues returning back to 120572
1
with 119905311990541199055 11990531199055 The other successor available from 120572
1
is 1205724which is also forbidden Thus it returns back to
1205720with 119905
2119905311990541199055 119905211990531199055 11990521199055 The other successor available
from 1205720is 1205722which is safe and the algorithm continues to
1205725 1205729 12057215 12057219 and finally 120572
18which is a forbidden state
Then it goes back to 12057219
with 1199055 and consequently to 120572
15
with 11990521199055 The other successors available from 120572
15are the
forbidden state 12057220and 120572
2which is already under processing
Note that two enabled controllable transitions are available at12057215 but the controller cannot act at this level because 119905
5may
fire before 1199051or 1199052and lead to a forbidden state Then the
algorithm continues and returns back to 1205729with 119905
411990521199055 11990521199055
where no controllable transition is available Consequentlythe algorithm continues and returns back to 120572
5and finally
reaches to 1205722where newly enabled controllable transitions
are available Till now the path to be avoided at 1205722includes
11990521199053119905411990521199055 1199052119905311990541199055
The procedure is similar for the other path availablefrom 120572
2including 120572
6and its successors The forbidden state
reachable through this path is 12057223and in order to avoid this
forbidden state the controller can act at 12057221with two enabled
controllable transitions So nothing is returned to 1205722from
this path Having a closer look to the state class graph andthe output of the algorithm we conclude that at each statewhere 119905
1and 1199052are newly enabled and the controller should
act (ie 1205720 1205722 and 120572
21) the controller should force 119905
1to fire
before 1199052(ie 119905
2minus 1199051gt 0) In other words 119905
2should not be
active at [2 2] It is sufficient to add an inhibitor hyperarcto deactivate 119905
2at [2 2] The controller cannot act at the
12 Journal of Engineering
1205721
1205727
1205720 12057261199051 1199051
1199051
1199055
11990511199052
1205722
1205723
11990511199053
12057212
12057223 12057222
11990511199052
1199052
11990531199053
12057211
11990531199053
1199054
1199053
1199053
1199053
1199052
1199052
1199052
1199052
1199052
1199052
12057210
1199055
1199055
1199055
119905511990551199054 119905212057216 1205721712057220
12057215
1199051
1199054
12057213
12057218
12057219
12057214
1205724
1199054 1205729
1205725
120572211205728
Figure 18 The state class graph of the TPN presented at Figure 17
1199054[0 1]
1199052[0 1]1199051[2 2]
1199055[6 6]
1199053[5 6]
ResourceDelay
Wait
Block
1199012119901susp
1199011
Figure 19 Controlled model of Figure 17 using inhibitor hyperarcs
state class 12057215
as discussed earlier and has nothing to do atthe state class 120572
6(the permissive controller will act later at
the state class 12057221) Note that a state class like 120572
14which is
reachable through a forbidden state (1205728) is not processed by
the algorithm as it is supposed to be avoided in the controlledsystem The controlled model using inhibitor hyperarcs isgiven at Figure 19
Our model is now safe Yet some challenges exist Lookat the state class graph of the model presented at Figure 18In some paths one task is executed frequently while othersare still waiting For example see the paths leading to 120572
17
Although the system is not blocked some of the tasks cannotbe executed A good scheduler had better to performdifferenttasks alternatively We may want to consider alternationparticular sequences add a deadline for each task or otherpossible policies And finally we may ask if it is possible torestrict the execution time of a task even if it is in its safesubintervalThen while synthesizing a scheduler we can addmore constraints and scheduling policies beyond ldquosafe statesrdquoFurther researches are required to answer these questions
7 Conclusion
In this paper we have extended the approach discussed in[9] to time Petri nets with stopwatch and have suggested toassociate the controllable transitions with stopwatch in orderto prevent their bad subintervals We have proposed thatin case a controller (like a scheduler) cannot restrict timeintervals associated with controllable transitions the control-lable transitions can be suspended in their bad subintervals
Synthesizing a time Petri net associated with stopwatch iscomplicated and needs some overapproximations Besidestime Petri nets associated with stopwatch do not preservethe boundedness property In this paper we have suggesteda more effective alternative We synthesize a time Petri netwithout stopwatch and then equip the controllable transi-tions with stopwatch where necessary With this assumptionevery controllable transition can be suspended in its badsubinterval and resumed otherwise Amongst different typesof stopwatch our solution is based on inhibitor hyperarcs
The approach suggested in this paper is particularlyuseful at design level for preemptive scheduling purposesmanaging shared resources and critical sections This is agood starting point for further researches on schedulingand to calculate automatically a scheduler in a multitaskingsystem It is interesting to see how the approach can beapplied in amore general case with a variable number of tasksand dependencies Consider different scheduling policies arechallenging and areworth to be considered in further studies
References
[1] P Heidari A forward on-the-fly approach for safety and reach-ability controller synthesis of timed systems [PhD thesis] EcolePolytechnique de Montreal 2012
[2] F Cassez and K Larsen ldquoThe impressive power of stopwatchesautomatardquo in Proceedings of the 11th International Conferenceon Concurrency Theory (CONCUR rsquo00) pp 138ndash152 Springer2000
[3] O H Roux and D Lime ldquoTime petri nets with inhibitorhyperarcs formal semantics and state space computationrdquo inProceedings of the International Conference on Application andTheory of Petri Nets (ICATPN rsquo04) pp 371ndash390 2004
[4] A Allahham and H Alla ldquoPost and pre-initialized stopwatchPetri nets formal semantics and state space computationrdquoNonlinear Analysis vol 2 no 4 pp 1175ndash1186 2008
[5] A Allahham and H Alla ldquoReseaux de Petri a chronometrespost et pre-initialisesrdquo in Proceedings of the 6 eme ColloqueFrancophone sur la Modelisation des Systemes Reactifs (MSRrsquo07) pp 263ndash280 Lyon France 2007
[6] D Isovic and G Fohler ldquoEfficient scheduling of sporadicaperiodic and periodic tasks with complex constraintsrdquo in
Journal of Engineering 13
Proceedings of the 21st IEEE Real-Time Systems Symposium pp207ndash216 2000
[7] K Altisen G Gossler and J Sifakis ldquoA methodology for theconstruction of scheduled systemsrdquo in Proceedings of the FormalTechniques in Real-Time and Fault-Tolerant Systems (FTRTFTrsquo00) pp 106ndash120 2000
[8] K Altisen G Gossler A Pnueli J Sifakis S Tripakis and SYovine ldquoA framework for scheduler synthesisrdquo in Proceedingsof the 20th IEEE Real-Time Systems Symposium (RTSSrsquo99) pp154ndash163 December 1999
[9] P Heidari and H Boucheneb ldquoEfficient method for checkingthe existence of a safety reachability controller for time petrinetsrdquo in Proceedings of the 10th International Conference onApplication of Concurrency to System Design (ACSD rsquo10) pp201ndash210 June 2010
[10] O-H Roux D Lime S Haddad F Cassez and B BrardldquoComparison of different semantics for time Petri netsrdquo inProceedings of the 3rd Automated Technology for Verification andAnalysis vol 3707 of Lecture Notes in Computer Science pp293ndash307 2005
[11] M Boyer and F Vernadat ldquoLanguage and bisimulation relationsbetween subclasses of timed petri nets with strong timingsemanticrdquo Tech Rep LAAS 2000
[12] W Penczek and A Polrola ldquoSpecification and model checkingof temporal properties in time Petri nets and timed automatardquoin Proceedings of the 25th International Conference on Appli-cation and Theory of Petri Nets vol 3099 of Lecture Notes inComputer Science pp 37ndash76 2004
[13] B Berthomieu andM Diaz ldquoModeling and verification of timedependent systems using time Petri netsrdquo IEEE Transactions onSoftware Engineering vol 17 no 3 pp 259ndash273 1991
[14] H Boucheneb G Gardey and O H Roux ldquoTCTL modelchecking of time petri netsrdquo Journal of Logic and Computationvol 19 no 6 pp 1509ndash1540 2009
[15] J Bengtsson Clocks DBMs and states in timed systems [PhDthesis] Uppsala Universitet Sweden 2002
[16] B Berthomieu and F Vernadat ldquoState class constructions forbranching analysis of time Petri netsrdquo in Proceedings of the9th International Conference on Tools and Algorithms for theConstruction and Analysis of Systems (TACAS rsquo03) pp 442ndash4572003
[17] D Lime andO Roux ldquoA translation basedmethod for the timedanalysis of scheduling extended time Petri netsrdquo in Proceedingsof the 25th IEEE International Real-Time Systems Symposium(RTSS rsquo04) pp 187ndash196 December 2004
[18] G Bucci A Fedeli L Sassoli and E Vicario ldquoTimed state spaceanalysis of real-time preemptive systemsrdquo IEEE Transactions onSoftware Engineering vol 30 no 2 pp 97ndash111 2004
[19] T A Henzinger P-H Ho and H Wong-Toi ldquoHYTECH amodel checker for hybrid systemsrdquo in Proceedings of the 9thInternational Conference on Computer-Aided Verification (CAVrsquo97) vol 1254 of Lecture Notes in Computer Science pp 460ndash463 Springer Berlin Germany 1997
[20] P Heidari andH Boucheneb ldquoMaximally permissive controllersynthesis for time petri netsrdquo International Journal of Controlvol 86 no 3 pp 493ndash511 2013
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
Journal of Engineering 7
Functionmain (TPNN Markings bad)WhereN is a TPNbad is a set of bad markingsLet 119879
119888be the set of controllable transitions of N and
1205720the initial state class of N
Passed = 0If (explore (120572
0 120598 1205720) = 0) then
Controller does not existreturn
end iffor all ((120572 Ω LI) isin Passed) do
Ctrl[120572] = ⋃(119905119888 119905119904 BI)isinLI(119905119888 119905119904 INT (120572 119905119888 minus 119905119904) minus BI)
end for(lowastRemarks)120572 = (119872 119865)En119888(119872) = En(119872) cap 119879
119888
En0119888(119872) = En
119888(119872) cup 119905
0
New119888(119872 119905) = New(119872 119905) cap 119879
119888
New(1198720 120598) = En(119872
0)
1199050is a fictitious transition whose time variable is fixed at 0
Dep (120572 119905 LI) equivexist(119905119888 119905119904BI) isin LI 119905
119888notin New(119872 119905) and (119905
119904notin New(119872 119905)or
INT (120572 119905119888minus 1199050) sube ⋂
119868isinBI(119868 oplus INT (120572 119905119904minus 1199050)))
Algorithm 1 On-the-fly algorithm for the safety control of TPN-Part I
Function Traces explore (Class 120572 Trans 119905 ClassesC)if (existΩ LI st (120572 Ω LI) isin Passed) then
if (Ω = 0 and Dep (120572 119905 LI)) thenreturn 119905 sdot 120596 | 120596 isin Ω
end ifreturn 0
end ifif (119872 isin bad) then
return 119905end ifTraces Ω = 0for all 1199051015840 isin En(119872) st succ (120572 1199051015840) = 0 and succ (120572 1199051015840) notin C
doΩ =Ω cup explore (succ (120572 1199051015840) 1199051015840C cup succ (120572 1199051015840))
end for Ω contains all bad sequences of 120572if (Ω = 0) then
Passed = Passed cup (120572 0 0)return 0
end ifLI = (119905
119888 119905119904BI) | (119905
119888 119905119904) isin En
119888(119872) times En0
119888(119872) and
BI = ⋃120596isinΩ
INT (Fire (120572 120596) 119905119888minus 119905119904) sub INT (120572 119905
119888minus 119905119904)
Passed = Passed cup (120572Ω LI)if (Dep (120572 119905 LI)) then
return 119905 sdot 120596 | 120596 isin Ω
end ifreturn 0
Algorithm 2 On-the-fly algorithm for the safety control of TPN-Part II
8 Journal of Engineering
Explore (1205720 120598 1205720)Returnempty
Explore (1205721 1199051 1205720 1205721)Return 119905111990521199053 11990511199053
Explore (1205723 1199052 1205720 1205721 1205723)
Explore (1205726 1199053 1205720 1205721 1205723 1205726)Return 1199053
Explore (1205725 1199051 1205720 1205722 1205725)Returnempty
Explore (1205722 1199052 1205720 1205722)Returnempty
Explore (1205724 1199053 1205720 1205721 1205724)
1205721
1205720
1205726
1205723
1199053
11990521199051
1205724
1205725
1199052
1199053
1199051
1205722
Return 1199053
Return 11990521199053
Figure 7 Applying Algorithms 1 and 2 on the TPN at Figure 1 forAG not 119901
1+ 1199013= 0
controller then the controller does not exist We have alsoinvestigated the hardness complexity of the approach step bystep
(i) The complexity of computing BI of a state class (inworst case) is119874(119870times119871times119899
119905
2)where119870 is the number of
paths starting from the state class and leading to badmarkings 119871 is the maximal length of such paths and119899119905is the number of transitions in the model
(ii) The complexity for computing Dep relation used inAlgorithms 1 and 2 is119874(|LI|times119898times|BI|) where119898 is thenumber of places in the model (complexity of testingNew(119872 119905))
In [14] the authors have discussed the completenesscomplexity for bounded TPNs They have proven that modelchecking of TPN-TCTL formula on a bounded TPN isPSPACE-complete
Let us explain this approach by means of an exampleConsider the TPN shown at Figure 1 its state class graphpresented at Figure 2 and its state classes reported in Table 1Suppose that only 119905
1is controllable (ie 119879
119888= 1199051) and we
want to avoid reaching markings where places 1199011and 119901
3are
both not marked (ie state classes 1205724and 120572
6) by choosing
appropriately the firing intervals of 1199051 For this example we
have 119879119888= 1199051 bad = 119901
2 1199014 Passed = 0 and 120572
0=
(1199011+ 1199012 0 le 119905
1le 4 and 2 le 119905
2le 3)
The process starts by calling explore(1205720 120598 1205720) (see
Figure 7) Since 1205720is not in Passed and its marking is not
forbidden explore is successively called for the successorsof 1205720 explore(120572
1 1199051 1205720 1205721) and explore(120572
2 1199052 1205720 1205722) In
explore of 1205721 function explore is successively called for 120572
3
and 1205724 In explore of 120572
3 function explore is called for the
successor 1205726of 1205723by 1199053 explore(120572
6 1199053 1205720 1205721 1205723 1205726 For the
successor of 1205723by 1199054(ie 120572
0) there is no need to call explore
as it belongs to the current path Since 1205726has a forbidden
marking explore of 1205726returns to explore of 120572
3with 119905
3
which in turn adds (1205723 11990521199053 0) to Passed and returns to
explore of 1205721with 119905
21199053
In explore of 1205721 function explore is called for 120572
4
(explore(1205724 1199053 1205720 1205721 1205724)) This call returns to explore of
1205721 with 119905
3 since 120572
4has a forbidden marking In explore
of 1205721 the tuple (120572
1 11990521199053 1199053 0) is added to Passed and
119905111990521199053 11990511199053 is returned to explore of 120572
0 Then explore
of 1205720
calls explore(1205722 1199052 1205720 1205722) which in turn calls
explore(1205725 1199051 1205720 1205722 1205725) Since 120572
5has only one successor
(1205720) and this successor belongs to the current path the call of
explore for 1205725adds (120572
5 0 0) to Passed and returns to explore
of 1205722with 0 which in turn returns to explore of 120572
0
After exploring both successors of 1205720 in explore of 120572
0 we
get inΩ = 119905111990521199053 11990511199053 the set of bad paths of 120572
0 As the state
class 1205720has a controllable transition 119905
1 its bad subclasses are
computed Fire(1205720 119905111990521199053) = (119901
1+ 1199012 0 le 119905
1le 2 and 2 le
1199052le 3 and 1 le 119905
2minus 1199051le 3) and Fire(120572
0 11990511199053) = (119901
1+ 1199012 0 le
1199051le 1 and 2 le 119905
2le 3 and 2 le 119905
2minus 1199051le 3) The firing interval
of 1199051in 1205720([0 4]) is not covered by the union of intervals
of 1199051in bad subclasses of 120572
0([0 2] cup [0 1] = [0 4]) Then
(1205720 119905111990521199053 11990511199053 (1199051 1199050 [0 2])) is added to Passed As 119905
1is
newly enabled the empty set is returned to the functionmainwhich concludes that a controller exists According to the listPassed 120572
0needs to be controlled (Ctrl[120572
0] = (119905
1 1199050 [0 4] minus
[0 2])) For all others there is nothing to do
5 Controller Synthesis and Stopwatch
In this section we consider time Petri nets with control-lableuncontrollable transitions and show how such a systemis controlled by associating some of the controllable transi-tions with stopwatch First we apply the on-the-fly algorithmof [9] and calculate the appropriate controller Then insteadof restricting time intervals of corresponding controllabletransitions we associate them with stopwatch In fact wesuspend some transition during its bad subinterval to controla system so as to satisfy a given property
We consider the inhibitor hyperarcs of [3]The controllershall suspend a controllable transition in its bad subintervaland retrieve it otherwise Let us remember the example ofFigure 1 with the state class graph of Figure 2 and Table 1We have seen that in order to prevent the system enteringthe forbidden state classes 120572
4and 120572
6 the controller should
prevent 1199051from firing before ]2 4] Thus an inhibitor hyper-
arc is added to the transition 1199051 This inhibitor hyperarc
connects 1199051to a place called119901susp At the beginning this place
is marked and then 1199051is suspended At [2 2] the token of
119901susp is consumed and the corresponding hyperarc becomesdisabled The controllable transition 119905
1is now firable again
The token is returned to place 119901susp after 1199051 is fired Thus thecontroller suspends 119905
1during its bad subinterval and resumes
it after then At the beginning all clocks are initialized to zeroThen time elapses but in [0 2] this transition is suspendedand hence its clock does not elapse anymore Later at time[2 2] this transition is retrieved and becomes active Wedo not need to delay it anymore that is why the lowerbound of the interval associated with 119905
1is modified to 0
Now the clock starts elapsing Within 2 time units 1199051should
be fired (ie when the actual time of the general clock ofthe system reaches to 4) Then the interval associated with
Journal of Engineering 9
0 1 2 3 40
1
2
119907(1199051)
Time
119907(1199051) ne 0
119907(1199051) = 0
Figure 8 Clock evaluation of 1199051in the controlled TPN of Figure 9
1199051in a controlled TPN associated with stopwatch is [0 2]
Figure 8 represents the clock evaluation of the transition 1199051
The controlled Petri nets of this example are presented inFigure 9
In summary our goal is to synthesize the state class graphof the system through Algorithms 1 and 2 (see [9]) andcalculate bad subintervals of the corresponding controllabletransitions Then suspend the appropriate controllable tran-sitions during their bad subintervals Note that in [9] wewererestricting and limiting time intervals while in this approachthe idea is to delay and suspend them In this research wesuppose every controllable transition can be associated witha stopwatch if needed As explained earlier in Section 1 ina multitasking system with periodic tasks only execution ofa task is controllable Then those transitions modeling thetask executions are considered controllable and consequentlycould be suspended and retrieved
Above we have shown how to control a system whenthe bad subinterval is at the beginning of the firing inter-val What if the acceptable subinterval is at the beginningand bad subintervals are after Consider the example ofFigure 10 A controllable transition 119905
1is associated with firing
interval [119886 119887] Suppose that based on Algorithms 1 and 2the subinterval [119886 120572
1] is acceptable while ]120572
1 119887] is a bad
subinterval where 119886 le 1205721lt 119887 The controlled time Petri
nets are presented in Figure 11 Figure 12 represents the clockevaluation of 119905
1and shows how the new interval associated
with 1199051is calculated In [0 119886[ 119901susp is marked and 119905
1is neither
active nor enabled Meanwhile at the time 119886 1199051199031
becomesenabled and is fired consuming the token in 119901suspThus rightat 119886 the transition 119905
1becomes active and its associated clock
starts elapsing Note that associated stopwatch delays 1199051for
119886 time units and we do not want to delay it anymore thenthe lower bound of the new associated interval in controlledTPN is 0 After 120572
1time units 119905
1199032is fired and 119901susp becomes
marked again Consequently 1199051is suspended
Consider the same example of Figure 10 and this timesuppose that Algorithms 1 and 2 give the following output
[119886 1205721[ is acceptable [120572
1 1205722[ is a bad subinterval [120572
2 119887]
is acceptable where the condition 119886 lt 1205721lt 1205722le 119887 holds
1199051[0 2]
1199053[2infin[ 1199054[0 1]
1199052[2 3]119905resu [2 2]
119875susp
11990121199011
11990141199013
Figure 9 Time Petri net of Figure 1 controlled by inhibitor hyper-arcs (119879
119888= 1199051)
1199051[119886 119887]
1199012
1199013
Figure 10 A simple time Petri net (119879119888= 1199051)
With the same idea the controlled Petri nets are presented inFigure 13 and the clock evaluation of 119905
1is shown in Figure 14
51Why InhibitorHyperarcs Wehave shown how to achievea controlled model from an uncontrolled time Petri netsby adding inhibitor hyperarcs One question is why amongdifferent types of stopwatch inhibitor hyperarcs are chosenIs it possible to use another stopwatch model The answeris yes but inhibitor hyperarcs provide more flexibility andless complication Let us see if this idea is feasible using othertypes of Petri nets with stopwatch
We consider the post- and preinitialized Petri nets pro-posed in [4 5] for stopwatch and try to control amodel wherea controllable transition associated with time interval [119886 119887]has a bad subinterval [119886 120572] Based on our hypothesis thecontroller should suspend the controllable transition at [119886 119886]and resume it at [120572 120572] The characteristic of post and pre-initialized Petri nets is that they consume the same tokenof the original model and in addition the exact time whenthe model becomes suspended is unknown as stopwatchtransition and original transition have the same chance forfiring At the first glance the idea is feasible by adding oneplace and two transitions However there are some issuesWeexplain the problem through an example
We consider the same example of Figure 1 The suggestedcontrolled model using post and pre-initialized Petri netscomes in Figure 15The controllable transition 119905
1is associated
with stopwatchThe stopwatch interrupts the task at [0 0] andresume it at [2 2] The problem is at [0 0] both transitions1199051and 119905sus are enabled with equal chance of firing whereas
in order to have a controlled model 119905sus should fire at [0 0]before 119905
1 Thus the controller fails unless if we modify the
interval associated to 1199051to ]0 2] which is not of interest in
this approach
10 Journal of Engineering
1199051[0 1205721 minus 119886[
1199051199032[1205721 minus 119886 1205721 minus 119886]
1199051199031[119886 119886]
1199012
1199013
1199011199040
1199011199041
119901susp
Figure 11The controlledTPNof Figure 10 using inhibitor hyperarcs(119879119888= 1199051) Forbidden interval is ]120572
1 119887] where 119886 le 120572
1lt 119887
Time0
01205721
119907(1199051) 119907(1199051) = 1205721 minus 119886
119886 119887
1205721 minus 119886
119907(1199051) = 0
Figure 12 Clock evaluation of 1199051in the controlled TPN of Figure 10
Forbidden interval is ]1205721 119887] where 119886 le 120572
1lt 119887
1199051[0 119887 minus 119886 + 1205721 minus 1205722]
1199051199033[1205722 minus 1205721 1205722 minus 1205721]
1199051199032[1205721 minus 119886 1205721 minus 119886]
1199051199031[119886 119886]
1199013
11990121199011199040
1199011199041
119901susp
1199011199042
Figure 13 A simple time Petri net controlled by inhibitor hyperarcs(119879119888= 1199051) the bad subinterval is [120572
1 1205722[ where 119886 lt 120572
1lt 1205722le 119887
The other alternative is presented at Figure 16 An auxil-iary place 119901
119904solves the problem Hence using the stopwatch
Petri nets suggested in [4 5] it is not easy to give ageneral solution to control a model considering the output ofAlgorithms 1 and 2 In addition the resulting controlled netsare more complicated For example in case the controllabletransition is associated with the interval [119886 119887] where its badsubinterval is [120572 119887] and 119886 le 120572 then the controlled modelbecomes complicated
Time
00
119907(1199051)
119887 minus 119886 + 1205721 minus 1205722
1205721 minus 119886
1205722119886 1198871205721
Figure 14 Clock evaluation of 1199051in a controlled TPN of Figure 10
The forbidden interval is ]1205721 1205722] where 119886 lt 120572
1lt 1205722le 119887
119905sus[0 0]
119905resu[2 2]
1199053[2infin[ 1199054[0 1]
1199051[0 2] 1199052[2 3]
1199012
1199013
119901susp
1199011
1199014
Figure 15 Controlling the example of Figure 1 using stopwatch of[4] The controller fails
119905sus[0 0]
119905resu[2 2]
1199053[2infin[ 1199054[0 1]
1199051[0 2] 1199052[2 3]
1199012
1199013
119901susp
1199011
1199014
119901119904
Figure 16 Controlled model of Figure 1 using stopwatch of [4]
6 Illustrative Example
Suppose the multitasking system depicted in Figure 17 withthe following specifications four tasks 119879
1 1198792 1198793 and 119879
4are
being executed Two tasks 1198793and 119879
4are uncontrollable The
task 1198791is periodic with a period of [6 6] and then its start
execution is controllable Suppose that starting execution of1198792is also controllable 119879
4is depended to 119879
2and 119879
3meaning
that it can be executed only when1198792and1198793are executed Two
tasks1198791and1198792share a common resource On the other hand
1198791enters through a single capacity buffer It means that if 119879
1
is not executed by the end of its period the system will blockIn Figure 7 tasks are modeled by tokens and the execution ofeach task 119879
119894is shown by the transition 119905
119894 If 1198791is not executed
by the end of its period the system enters the state Block and1199055is the transition to be avoided Delay is a placemodeling the
Journal of Engineering 11
Table 2 State classes of the TPN presented at Figure 17
1205720 Delay + 119875
1+ Resource 2 le 119905
2le 3 5 le 119905
3le 6 2 le 119905
1le 2 6 le 119905
5le 6
1205721 Delay + 119875
1+Wait 3 le 119905
3le 4 4 le 119905
5le 4
1205722 Delay + 119875
1+ Resource 2 le 119905
2le 3 3 le 119905
3le 4 2 le 119905
1le 2 6 le 119905
5le 6
1205723 Delay + 119875
3+Wait 0 le 119905
4le 1 0 le 119905
5le 1
1205724 1198751+Wait + Block 0 le 119905
3le 0
1205725 Delay + 119875
1+Wait 1 le 119905
3le 2 4 le 119905
5le 4
1205726 Delay + 119875
1+ Resource 2 le 119905
2le 3 1 le 119905
3le 2 2 le 119905
1le 2 6 le 119905
5le 6
1205727 Delay + Resource + 119875
12 le 1199052le 3 5 le 119905
3le 6 2 le 119905
1le 2 0 le 119905
5le 1
1205728 1198753+Wait + Block 0 le 119905
4le 1
1205729 Delay + 119875
3+Wait 0 le 119905
4le 1 2 le 119905
5le 3
12057210 Delay + 119875
1+Wait 0 le 119905
3le 0 4 le 119905
5le 4
12057211 Delay + Resource + 119875
3
0 le 1199052le 2 0 le 119905
1le 1 4 le 119905
5le 5
0 le 1199052minus 1199051le 1 minus4 le 119905
2minus 1199055le minus3 minus4 le 119905
1minus 1199055le minus4
12057212 Delay + Resource + 119875
12 le 1199052le 3 0 le 119905
3le 0 2 le 119905
1le 2 6 le 119905
5le 6
12057213 Resource + 119875
1+ Block 1 le 119905
2le 3 4 le 119905
3le 6 minus4 le 119905
2minus 1199053le minus2
12057214 Resource + 119875
1+ Block 2 le 119905
2le 3 5 le 119905
3le 6
12057215 Delay + Resource + 119875
12 le 1199052le 3 5 le 119905
3le 6 2 le 119905
1le 2 1 le 119905
5le 3
12057216 Delay + 119875
3+Wait 0 le 119905
4le 1 4 le 119905
5le 4
12057217 Delay + Resource + 119875
32 le 1199052le 3 2 le 119905
1le 2 6 le 119905
5le 6
12057218 1198751+Wait + Block 2 le 119905
3le 4
12057219 Delay + 119875
1+Wait 3 le 119905
3le 4 0 le 119905
5le 1
12057220 Resource + 119875
1+ Block 0 le 119905
2le 2 3 le 119905
3le 5 minus4 le 119905
2minus 1199053le minus2
12057221 Delay + Resource + 119875
12 le 1199052le 3 5 le 119905
3le 6 2 le 119905
1le 2 3 le 119905
5le 4
12057222 Delay + 119875
1+Wait 3 le 119905
3le 4 1 le 119905
5le 2
12057223 1198751+Wait + Block 1 le 119905
3le 3
ResourceDelay
WaitBlock
1199054[0 1]
1199052[2 3]1199051[2 2]1199055[6 6] 1199053[5 6]
1199012
1199011
Figure 17 A periodic system with 119879119888= 1199051 1199052
behavior of the buffer considering the period of the task 1198791
And finally 1198791executes within [2 2] time units 119879
2in [2 3]
1198793within [5 6] and 119879
4in [0 1]
The state class graph of the model is given in Figure 18and Table 2 shows the state class informations Basedon the state class graph of the system the state classes1205724 1205728 12057213 12057214 12057218 12057220 and120572
23are forbidden Let us briefly
trace the algorithm on the state class graph First we followthe algorithm on the left branch where the state classes1205724 1205728 and 120572
13are located The algorithm starts from 120572
0
and is executed recursively to 1205721 then 120572
3 1205727and finally
reaches to 12057213with a forbidden markingThen it comes back
to 1205727with 119905
5 and to 120572
3with 119905
41199055 The other successor
available from 1205723is 1205728which is also forbidden Till now
there is no enabled controllable transition to avoid theseclasses and the algorithm continues returning back to 120572
1
with 119905311990541199055 11990531199055 The other successor available from 120572
1
is 1205724which is also forbidden Thus it returns back to
1205720with 119905
2119905311990541199055 119905211990531199055 11990521199055 The other successor available
from 1205720is 1205722which is safe and the algorithm continues to
1205725 1205729 12057215 12057219 and finally 120572
18which is a forbidden state
Then it goes back to 12057219
with 1199055 and consequently to 120572
15
with 11990521199055 The other successors available from 120572
15are the
forbidden state 12057220and 120572
2which is already under processing
Note that two enabled controllable transitions are available at12057215 but the controller cannot act at this level because 119905
5may
fire before 1199051or 1199052and lead to a forbidden state Then the
algorithm continues and returns back to 1205729with 119905
411990521199055 11990521199055
where no controllable transition is available Consequentlythe algorithm continues and returns back to 120572
5and finally
reaches to 1205722where newly enabled controllable transitions
are available Till now the path to be avoided at 1205722includes
11990521199053119905411990521199055 1199052119905311990541199055
The procedure is similar for the other path availablefrom 120572
2including 120572
6and its successors The forbidden state
reachable through this path is 12057223and in order to avoid this
forbidden state the controller can act at 12057221with two enabled
controllable transitions So nothing is returned to 1205722from
this path Having a closer look to the state class graph andthe output of the algorithm we conclude that at each statewhere 119905
1and 1199052are newly enabled and the controller should
act (ie 1205720 1205722 and 120572
21) the controller should force 119905
1to fire
before 1199052(ie 119905
2minus 1199051gt 0) In other words 119905
2should not be
active at [2 2] It is sufficient to add an inhibitor hyperarcto deactivate 119905
2at [2 2] The controller cannot act at the
12 Journal of Engineering
1205721
1205727
1205720 12057261199051 1199051
1199051
1199055
11990511199052
1205722
1205723
11990511199053
12057212
12057223 12057222
11990511199052
1199052
11990531199053
12057211
11990531199053
1199054
1199053
1199053
1199053
1199052
1199052
1199052
1199052
1199052
1199052
12057210
1199055
1199055
1199055
119905511990551199054 119905212057216 1205721712057220
12057215
1199051
1199054
12057213
12057218
12057219
12057214
1205724
1199054 1205729
1205725
120572211205728
Figure 18 The state class graph of the TPN presented at Figure 17
1199054[0 1]
1199052[0 1]1199051[2 2]
1199055[6 6]
1199053[5 6]
ResourceDelay
Wait
Block
1199012119901susp
1199011
Figure 19 Controlled model of Figure 17 using inhibitor hyperarcs
state class 12057215
as discussed earlier and has nothing to do atthe state class 120572
6(the permissive controller will act later at
the state class 12057221) Note that a state class like 120572
14which is
reachable through a forbidden state (1205728) is not processed by
the algorithm as it is supposed to be avoided in the controlledsystem The controlled model using inhibitor hyperarcs isgiven at Figure 19
Our model is now safe Yet some challenges exist Lookat the state class graph of the model presented at Figure 18In some paths one task is executed frequently while othersare still waiting For example see the paths leading to 120572
17
Although the system is not blocked some of the tasks cannotbe executed A good scheduler had better to performdifferenttasks alternatively We may want to consider alternationparticular sequences add a deadline for each task or otherpossible policies And finally we may ask if it is possible torestrict the execution time of a task even if it is in its safesubintervalThen while synthesizing a scheduler we can addmore constraints and scheduling policies beyond ldquosafe statesrdquoFurther researches are required to answer these questions
7 Conclusion
In this paper we have extended the approach discussed in[9] to time Petri nets with stopwatch and have suggested toassociate the controllable transitions with stopwatch in orderto prevent their bad subintervals We have proposed thatin case a controller (like a scheduler) cannot restrict timeintervals associated with controllable transitions the control-lable transitions can be suspended in their bad subintervals
Synthesizing a time Petri net associated with stopwatch iscomplicated and needs some overapproximations Besidestime Petri nets associated with stopwatch do not preservethe boundedness property In this paper we have suggesteda more effective alternative We synthesize a time Petri netwithout stopwatch and then equip the controllable transi-tions with stopwatch where necessary With this assumptionevery controllable transition can be suspended in its badsubinterval and resumed otherwise Amongst different typesof stopwatch our solution is based on inhibitor hyperarcs
The approach suggested in this paper is particularlyuseful at design level for preemptive scheduling purposesmanaging shared resources and critical sections This is agood starting point for further researches on schedulingand to calculate automatically a scheduler in a multitaskingsystem It is interesting to see how the approach can beapplied in amore general case with a variable number of tasksand dependencies Consider different scheduling policies arechallenging and areworth to be considered in further studies
References
[1] P Heidari A forward on-the-fly approach for safety and reach-ability controller synthesis of timed systems [PhD thesis] EcolePolytechnique de Montreal 2012
[2] F Cassez and K Larsen ldquoThe impressive power of stopwatchesautomatardquo in Proceedings of the 11th International Conferenceon Concurrency Theory (CONCUR rsquo00) pp 138ndash152 Springer2000
[3] O H Roux and D Lime ldquoTime petri nets with inhibitorhyperarcs formal semantics and state space computationrdquo inProceedings of the International Conference on Application andTheory of Petri Nets (ICATPN rsquo04) pp 371ndash390 2004
[4] A Allahham and H Alla ldquoPost and pre-initialized stopwatchPetri nets formal semantics and state space computationrdquoNonlinear Analysis vol 2 no 4 pp 1175ndash1186 2008
[5] A Allahham and H Alla ldquoReseaux de Petri a chronometrespost et pre-initialisesrdquo in Proceedings of the 6 eme ColloqueFrancophone sur la Modelisation des Systemes Reactifs (MSRrsquo07) pp 263ndash280 Lyon France 2007
[6] D Isovic and G Fohler ldquoEfficient scheduling of sporadicaperiodic and periodic tasks with complex constraintsrdquo in
Journal of Engineering 13
Proceedings of the 21st IEEE Real-Time Systems Symposium pp207ndash216 2000
[7] K Altisen G Gossler and J Sifakis ldquoA methodology for theconstruction of scheduled systemsrdquo in Proceedings of the FormalTechniques in Real-Time and Fault-Tolerant Systems (FTRTFTrsquo00) pp 106ndash120 2000
[8] K Altisen G Gossler A Pnueli J Sifakis S Tripakis and SYovine ldquoA framework for scheduler synthesisrdquo in Proceedingsof the 20th IEEE Real-Time Systems Symposium (RTSSrsquo99) pp154ndash163 December 1999
[9] P Heidari and H Boucheneb ldquoEfficient method for checkingthe existence of a safety reachability controller for time petrinetsrdquo in Proceedings of the 10th International Conference onApplication of Concurrency to System Design (ACSD rsquo10) pp201ndash210 June 2010
[10] O-H Roux D Lime S Haddad F Cassez and B BrardldquoComparison of different semantics for time Petri netsrdquo inProceedings of the 3rd Automated Technology for Verification andAnalysis vol 3707 of Lecture Notes in Computer Science pp293ndash307 2005
[11] M Boyer and F Vernadat ldquoLanguage and bisimulation relationsbetween subclasses of timed petri nets with strong timingsemanticrdquo Tech Rep LAAS 2000
[12] W Penczek and A Polrola ldquoSpecification and model checkingof temporal properties in time Petri nets and timed automatardquoin Proceedings of the 25th International Conference on Appli-cation and Theory of Petri Nets vol 3099 of Lecture Notes inComputer Science pp 37ndash76 2004
[13] B Berthomieu andM Diaz ldquoModeling and verification of timedependent systems using time Petri netsrdquo IEEE Transactions onSoftware Engineering vol 17 no 3 pp 259ndash273 1991
[14] H Boucheneb G Gardey and O H Roux ldquoTCTL modelchecking of time petri netsrdquo Journal of Logic and Computationvol 19 no 6 pp 1509ndash1540 2009
[15] J Bengtsson Clocks DBMs and states in timed systems [PhDthesis] Uppsala Universitet Sweden 2002
[16] B Berthomieu and F Vernadat ldquoState class constructions forbranching analysis of time Petri netsrdquo in Proceedings of the9th International Conference on Tools and Algorithms for theConstruction and Analysis of Systems (TACAS rsquo03) pp 442ndash4572003
[17] D Lime andO Roux ldquoA translation basedmethod for the timedanalysis of scheduling extended time Petri netsrdquo in Proceedingsof the 25th IEEE International Real-Time Systems Symposium(RTSS rsquo04) pp 187ndash196 December 2004
[18] G Bucci A Fedeli L Sassoli and E Vicario ldquoTimed state spaceanalysis of real-time preemptive systemsrdquo IEEE Transactions onSoftware Engineering vol 30 no 2 pp 97ndash111 2004
[19] T A Henzinger P-H Ho and H Wong-Toi ldquoHYTECH amodel checker for hybrid systemsrdquo in Proceedings of the 9thInternational Conference on Computer-Aided Verification (CAVrsquo97) vol 1254 of Lecture Notes in Computer Science pp 460ndash463 Springer Berlin Germany 1997
[20] P Heidari andH Boucheneb ldquoMaximally permissive controllersynthesis for time petri netsrdquo International Journal of Controlvol 86 no 3 pp 493ndash511 2013
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
8 Journal of Engineering
Explore (1205720 120598 1205720)Returnempty
Explore (1205721 1199051 1205720 1205721)Return 119905111990521199053 11990511199053
Explore (1205723 1199052 1205720 1205721 1205723)
Explore (1205726 1199053 1205720 1205721 1205723 1205726)Return 1199053
Explore (1205725 1199051 1205720 1205722 1205725)Returnempty
Explore (1205722 1199052 1205720 1205722)Returnempty
Explore (1205724 1199053 1205720 1205721 1205724)
1205721
1205720
1205726
1205723
1199053
11990521199051
1205724
1205725
1199052
1199053
1199051
1205722
Return 1199053
Return 11990521199053
Figure 7 Applying Algorithms 1 and 2 on the TPN at Figure 1 forAG not 119901
1+ 1199013= 0
controller then the controller does not exist We have alsoinvestigated the hardness complexity of the approach step bystep
(i) The complexity of computing BI of a state class (inworst case) is119874(119870times119871times119899
119905
2)where119870 is the number of
paths starting from the state class and leading to badmarkings 119871 is the maximal length of such paths and119899119905is the number of transitions in the model
(ii) The complexity for computing Dep relation used inAlgorithms 1 and 2 is119874(|LI|times119898times|BI|) where119898 is thenumber of places in the model (complexity of testingNew(119872 119905))
In [14] the authors have discussed the completenesscomplexity for bounded TPNs They have proven that modelchecking of TPN-TCTL formula on a bounded TPN isPSPACE-complete
Let us explain this approach by means of an exampleConsider the TPN shown at Figure 1 its state class graphpresented at Figure 2 and its state classes reported in Table 1Suppose that only 119905
1is controllable (ie 119879
119888= 1199051) and we
want to avoid reaching markings where places 1199011and 119901
3are
both not marked (ie state classes 1205724and 120572
6) by choosing
appropriately the firing intervals of 1199051 For this example we
have 119879119888= 1199051 bad = 119901
2 1199014 Passed = 0 and 120572
0=
(1199011+ 1199012 0 le 119905
1le 4 and 2 le 119905
2le 3)
The process starts by calling explore(1205720 120598 1205720) (see
Figure 7) Since 1205720is not in Passed and its marking is not
forbidden explore is successively called for the successorsof 1205720 explore(120572
1 1199051 1205720 1205721) and explore(120572
2 1199052 1205720 1205722) In
explore of 1205721 function explore is successively called for 120572
3
and 1205724 In explore of 120572
3 function explore is called for the
successor 1205726of 1205723by 1199053 explore(120572
6 1199053 1205720 1205721 1205723 1205726 For the
successor of 1205723by 1199054(ie 120572
0) there is no need to call explore
as it belongs to the current path Since 1205726has a forbidden
marking explore of 1205726returns to explore of 120572
3with 119905
3
which in turn adds (1205723 11990521199053 0) to Passed and returns to
explore of 1205721with 119905
21199053
In explore of 1205721 function explore is called for 120572
4
(explore(1205724 1199053 1205720 1205721 1205724)) This call returns to explore of
1205721 with 119905
3 since 120572
4has a forbidden marking In explore
of 1205721 the tuple (120572
1 11990521199053 1199053 0) is added to Passed and
119905111990521199053 11990511199053 is returned to explore of 120572
0 Then explore
of 1205720
calls explore(1205722 1199052 1205720 1205722) which in turn calls
explore(1205725 1199051 1205720 1205722 1205725) Since 120572
5has only one successor
(1205720) and this successor belongs to the current path the call of
explore for 1205725adds (120572
5 0 0) to Passed and returns to explore
of 1205722with 0 which in turn returns to explore of 120572
0
After exploring both successors of 1205720 in explore of 120572
0 we
get inΩ = 119905111990521199053 11990511199053 the set of bad paths of 120572
0 As the state
class 1205720has a controllable transition 119905
1 its bad subclasses are
computed Fire(1205720 119905111990521199053) = (119901
1+ 1199012 0 le 119905
1le 2 and 2 le
1199052le 3 and 1 le 119905
2minus 1199051le 3) and Fire(120572
0 11990511199053) = (119901
1+ 1199012 0 le
1199051le 1 and 2 le 119905
2le 3 and 2 le 119905
2minus 1199051le 3) The firing interval
of 1199051in 1205720([0 4]) is not covered by the union of intervals
of 1199051in bad subclasses of 120572
0([0 2] cup [0 1] = [0 4]) Then
(1205720 119905111990521199053 11990511199053 (1199051 1199050 [0 2])) is added to Passed As 119905
1is
newly enabled the empty set is returned to the functionmainwhich concludes that a controller exists According to the listPassed 120572
0needs to be controlled (Ctrl[120572
0] = (119905
1 1199050 [0 4] minus
[0 2])) For all others there is nothing to do
5 Controller Synthesis and Stopwatch
In this section we consider time Petri nets with control-lableuncontrollable transitions and show how such a systemis controlled by associating some of the controllable transi-tions with stopwatch First we apply the on-the-fly algorithmof [9] and calculate the appropriate controller Then insteadof restricting time intervals of corresponding controllabletransitions we associate them with stopwatch In fact wesuspend some transition during its bad subinterval to controla system so as to satisfy a given property
We consider the inhibitor hyperarcs of [3]The controllershall suspend a controllable transition in its bad subintervaland retrieve it otherwise Let us remember the example ofFigure 1 with the state class graph of Figure 2 and Table 1We have seen that in order to prevent the system enteringthe forbidden state classes 120572
4and 120572
6 the controller should
prevent 1199051from firing before ]2 4] Thus an inhibitor hyper-
arc is added to the transition 1199051 This inhibitor hyperarc
connects 1199051to a place called119901susp At the beginning this place
is marked and then 1199051is suspended At [2 2] the token of
119901susp is consumed and the corresponding hyperarc becomesdisabled The controllable transition 119905
1is now firable again
The token is returned to place 119901susp after 1199051 is fired Thus thecontroller suspends 119905
1during its bad subinterval and resumes
it after then At the beginning all clocks are initialized to zeroThen time elapses but in [0 2] this transition is suspendedand hence its clock does not elapse anymore Later at time[2 2] this transition is retrieved and becomes active Wedo not need to delay it anymore that is why the lowerbound of the interval associated with 119905
1is modified to 0
Now the clock starts elapsing Within 2 time units 1199051should
be fired (ie when the actual time of the general clock ofthe system reaches to 4) Then the interval associated with
Journal of Engineering 9
0 1 2 3 40
1
2
119907(1199051)
Time
119907(1199051) ne 0
119907(1199051) = 0
Figure 8 Clock evaluation of 1199051in the controlled TPN of Figure 9
1199051in a controlled TPN associated with stopwatch is [0 2]
Figure 8 represents the clock evaluation of the transition 1199051
The controlled Petri nets of this example are presented inFigure 9
In summary our goal is to synthesize the state class graphof the system through Algorithms 1 and 2 (see [9]) andcalculate bad subintervals of the corresponding controllabletransitions Then suspend the appropriate controllable tran-sitions during their bad subintervals Note that in [9] wewererestricting and limiting time intervals while in this approachthe idea is to delay and suspend them In this research wesuppose every controllable transition can be associated witha stopwatch if needed As explained earlier in Section 1 ina multitasking system with periodic tasks only execution ofa task is controllable Then those transitions modeling thetask executions are considered controllable and consequentlycould be suspended and retrieved
Above we have shown how to control a system whenthe bad subinterval is at the beginning of the firing inter-val What if the acceptable subinterval is at the beginningand bad subintervals are after Consider the example ofFigure 10 A controllable transition 119905
1is associated with firing
interval [119886 119887] Suppose that based on Algorithms 1 and 2the subinterval [119886 120572
1] is acceptable while ]120572
1 119887] is a bad
subinterval where 119886 le 1205721lt 119887 The controlled time Petri
nets are presented in Figure 11 Figure 12 represents the clockevaluation of 119905
1and shows how the new interval associated
with 1199051is calculated In [0 119886[ 119901susp is marked and 119905
1is neither
active nor enabled Meanwhile at the time 119886 1199051199031
becomesenabled and is fired consuming the token in 119901suspThus rightat 119886 the transition 119905
1becomes active and its associated clock
starts elapsing Note that associated stopwatch delays 1199051for
119886 time units and we do not want to delay it anymore thenthe lower bound of the new associated interval in controlledTPN is 0 After 120572
1time units 119905
1199032is fired and 119901susp becomes
marked again Consequently 1199051is suspended
Consider the same example of Figure 10 and this timesuppose that Algorithms 1 and 2 give the following output
[119886 1205721[ is acceptable [120572
1 1205722[ is a bad subinterval [120572
2 119887]
is acceptable where the condition 119886 lt 1205721lt 1205722le 119887 holds
1199051[0 2]
1199053[2infin[ 1199054[0 1]
1199052[2 3]119905resu [2 2]
119875susp
11990121199011
11990141199013
Figure 9 Time Petri net of Figure 1 controlled by inhibitor hyper-arcs (119879
119888= 1199051)
1199051[119886 119887]
1199012
1199013
Figure 10 A simple time Petri net (119879119888= 1199051)
With the same idea the controlled Petri nets are presented inFigure 13 and the clock evaluation of 119905
1is shown in Figure 14
51Why InhibitorHyperarcs Wehave shown how to achievea controlled model from an uncontrolled time Petri netsby adding inhibitor hyperarcs One question is why amongdifferent types of stopwatch inhibitor hyperarcs are chosenIs it possible to use another stopwatch model The answeris yes but inhibitor hyperarcs provide more flexibility andless complication Let us see if this idea is feasible using othertypes of Petri nets with stopwatch
We consider the post- and preinitialized Petri nets pro-posed in [4 5] for stopwatch and try to control amodel wherea controllable transition associated with time interval [119886 119887]has a bad subinterval [119886 120572] Based on our hypothesis thecontroller should suspend the controllable transition at [119886 119886]and resume it at [120572 120572] The characteristic of post and pre-initialized Petri nets is that they consume the same tokenof the original model and in addition the exact time whenthe model becomes suspended is unknown as stopwatchtransition and original transition have the same chance forfiring At the first glance the idea is feasible by adding oneplace and two transitions However there are some issuesWeexplain the problem through an example
We consider the same example of Figure 1 The suggestedcontrolled model using post and pre-initialized Petri netscomes in Figure 15The controllable transition 119905
1is associated
with stopwatchThe stopwatch interrupts the task at [0 0] andresume it at [2 2] The problem is at [0 0] both transitions1199051and 119905sus are enabled with equal chance of firing whereas
in order to have a controlled model 119905sus should fire at [0 0]before 119905
1 Thus the controller fails unless if we modify the
interval associated to 1199051to ]0 2] which is not of interest in
this approach
10 Journal of Engineering
1199051[0 1205721 minus 119886[
1199051199032[1205721 minus 119886 1205721 minus 119886]
1199051199031[119886 119886]
1199012
1199013
1199011199040
1199011199041
119901susp
Figure 11The controlledTPNof Figure 10 using inhibitor hyperarcs(119879119888= 1199051) Forbidden interval is ]120572
1 119887] where 119886 le 120572
1lt 119887
Time0
01205721
119907(1199051) 119907(1199051) = 1205721 minus 119886
119886 119887
1205721 minus 119886
119907(1199051) = 0
Figure 12 Clock evaluation of 1199051in the controlled TPN of Figure 10
Forbidden interval is ]1205721 119887] where 119886 le 120572
1lt 119887
1199051[0 119887 minus 119886 + 1205721 minus 1205722]
1199051199033[1205722 minus 1205721 1205722 minus 1205721]
1199051199032[1205721 minus 119886 1205721 minus 119886]
1199051199031[119886 119886]
1199013
11990121199011199040
1199011199041
119901susp
1199011199042
Figure 13 A simple time Petri net controlled by inhibitor hyperarcs(119879119888= 1199051) the bad subinterval is [120572
1 1205722[ where 119886 lt 120572
1lt 1205722le 119887
The other alternative is presented at Figure 16 An auxil-iary place 119901
119904solves the problem Hence using the stopwatch
Petri nets suggested in [4 5] it is not easy to give ageneral solution to control a model considering the output ofAlgorithms 1 and 2 In addition the resulting controlled netsare more complicated For example in case the controllabletransition is associated with the interval [119886 119887] where its badsubinterval is [120572 119887] and 119886 le 120572 then the controlled modelbecomes complicated
Time
00
119907(1199051)
119887 minus 119886 + 1205721 minus 1205722
1205721 minus 119886
1205722119886 1198871205721
Figure 14 Clock evaluation of 1199051in a controlled TPN of Figure 10
The forbidden interval is ]1205721 1205722] where 119886 lt 120572
1lt 1205722le 119887
119905sus[0 0]
119905resu[2 2]
1199053[2infin[ 1199054[0 1]
1199051[0 2] 1199052[2 3]
1199012
1199013
119901susp
1199011
1199014
Figure 15 Controlling the example of Figure 1 using stopwatch of[4] The controller fails
119905sus[0 0]
119905resu[2 2]
1199053[2infin[ 1199054[0 1]
1199051[0 2] 1199052[2 3]
1199012
1199013
119901susp
1199011
1199014
119901119904
Figure 16 Controlled model of Figure 1 using stopwatch of [4]
6 Illustrative Example
Suppose the multitasking system depicted in Figure 17 withthe following specifications four tasks 119879
1 1198792 1198793 and 119879
4are
being executed Two tasks 1198793and 119879
4are uncontrollable The
task 1198791is periodic with a period of [6 6] and then its start
execution is controllable Suppose that starting execution of1198792is also controllable 119879
4is depended to 119879
2and 119879
3meaning
that it can be executed only when1198792and1198793are executed Two
tasks1198791and1198792share a common resource On the other hand
1198791enters through a single capacity buffer It means that if 119879
1
is not executed by the end of its period the system will blockIn Figure 7 tasks are modeled by tokens and the execution ofeach task 119879
119894is shown by the transition 119905
119894 If 1198791is not executed
by the end of its period the system enters the state Block and1199055is the transition to be avoided Delay is a placemodeling the
Journal of Engineering 11
Table 2 State classes of the TPN presented at Figure 17
1205720 Delay + 119875
1+ Resource 2 le 119905
2le 3 5 le 119905
3le 6 2 le 119905
1le 2 6 le 119905
5le 6
1205721 Delay + 119875
1+Wait 3 le 119905
3le 4 4 le 119905
5le 4
1205722 Delay + 119875
1+ Resource 2 le 119905
2le 3 3 le 119905
3le 4 2 le 119905
1le 2 6 le 119905
5le 6
1205723 Delay + 119875
3+Wait 0 le 119905
4le 1 0 le 119905
5le 1
1205724 1198751+Wait + Block 0 le 119905
3le 0
1205725 Delay + 119875
1+Wait 1 le 119905
3le 2 4 le 119905
5le 4
1205726 Delay + 119875
1+ Resource 2 le 119905
2le 3 1 le 119905
3le 2 2 le 119905
1le 2 6 le 119905
5le 6
1205727 Delay + Resource + 119875
12 le 1199052le 3 5 le 119905
3le 6 2 le 119905
1le 2 0 le 119905
5le 1
1205728 1198753+Wait + Block 0 le 119905
4le 1
1205729 Delay + 119875
3+Wait 0 le 119905
4le 1 2 le 119905
5le 3
12057210 Delay + 119875
1+Wait 0 le 119905
3le 0 4 le 119905
5le 4
12057211 Delay + Resource + 119875
3
0 le 1199052le 2 0 le 119905
1le 1 4 le 119905
5le 5
0 le 1199052minus 1199051le 1 minus4 le 119905
2minus 1199055le minus3 minus4 le 119905
1minus 1199055le minus4
12057212 Delay + Resource + 119875
12 le 1199052le 3 0 le 119905
3le 0 2 le 119905
1le 2 6 le 119905
5le 6
12057213 Resource + 119875
1+ Block 1 le 119905
2le 3 4 le 119905
3le 6 minus4 le 119905
2minus 1199053le minus2
12057214 Resource + 119875
1+ Block 2 le 119905
2le 3 5 le 119905
3le 6
12057215 Delay + Resource + 119875
12 le 1199052le 3 5 le 119905
3le 6 2 le 119905
1le 2 1 le 119905
5le 3
12057216 Delay + 119875
3+Wait 0 le 119905
4le 1 4 le 119905
5le 4
12057217 Delay + Resource + 119875
32 le 1199052le 3 2 le 119905
1le 2 6 le 119905
5le 6
12057218 1198751+Wait + Block 2 le 119905
3le 4
12057219 Delay + 119875
1+Wait 3 le 119905
3le 4 0 le 119905
5le 1
12057220 Resource + 119875
1+ Block 0 le 119905
2le 2 3 le 119905
3le 5 minus4 le 119905
2minus 1199053le minus2
12057221 Delay + Resource + 119875
12 le 1199052le 3 5 le 119905
3le 6 2 le 119905
1le 2 3 le 119905
5le 4
12057222 Delay + 119875
1+Wait 3 le 119905
3le 4 1 le 119905
5le 2
12057223 1198751+Wait + Block 1 le 119905
3le 3
ResourceDelay
WaitBlock
1199054[0 1]
1199052[2 3]1199051[2 2]1199055[6 6] 1199053[5 6]
1199012
1199011
Figure 17 A periodic system with 119879119888= 1199051 1199052
behavior of the buffer considering the period of the task 1198791
And finally 1198791executes within [2 2] time units 119879
2in [2 3]
1198793within [5 6] and 119879
4in [0 1]
The state class graph of the model is given in Figure 18and Table 2 shows the state class informations Basedon the state class graph of the system the state classes1205724 1205728 12057213 12057214 12057218 12057220 and120572
23are forbidden Let us briefly
trace the algorithm on the state class graph First we followthe algorithm on the left branch where the state classes1205724 1205728 and 120572
13are located The algorithm starts from 120572
0
and is executed recursively to 1205721 then 120572
3 1205727and finally
reaches to 12057213with a forbidden markingThen it comes back
to 1205727with 119905
5 and to 120572
3with 119905
41199055 The other successor
available from 1205723is 1205728which is also forbidden Till now
there is no enabled controllable transition to avoid theseclasses and the algorithm continues returning back to 120572
1
with 119905311990541199055 11990531199055 The other successor available from 120572
1
is 1205724which is also forbidden Thus it returns back to
1205720with 119905
2119905311990541199055 119905211990531199055 11990521199055 The other successor available
from 1205720is 1205722which is safe and the algorithm continues to
1205725 1205729 12057215 12057219 and finally 120572
18which is a forbidden state
Then it goes back to 12057219
with 1199055 and consequently to 120572
15
with 11990521199055 The other successors available from 120572
15are the
forbidden state 12057220and 120572
2which is already under processing
Note that two enabled controllable transitions are available at12057215 but the controller cannot act at this level because 119905
5may
fire before 1199051or 1199052and lead to a forbidden state Then the
algorithm continues and returns back to 1205729with 119905
411990521199055 11990521199055
where no controllable transition is available Consequentlythe algorithm continues and returns back to 120572
5and finally
reaches to 1205722where newly enabled controllable transitions
are available Till now the path to be avoided at 1205722includes
11990521199053119905411990521199055 1199052119905311990541199055
The procedure is similar for the other path availablefrom 120572
2including 120572
6and its successors The forbidden state
reachable through this path is 12057223and in order to avoid this
forbidden state the controller can act at 12057221with two enabled
controllable transitions So nothing is returned to 1205722from
this path Having a closer look to the state class graph andthe output of the algorithm we conclude that at each statewhere 119905
1and 1199052are newly enabled and the controller should
act (ie 1205720 1205722 and 120572
21) the controller should force 119905
1to fire
before 1199052(ie 119905
2minus 1199051gt 0) In other words 119905
2should not be
active at [2 2] It is sufficient to add an inhibitor hyperarcto deactivate 119905
2at [2 2] The controller cannot act at the
12 Journal of Engineering
1205721
1205727
1205720 12057261199051 1199051
1199051
1199055
11990511199052
1205722
1205723
11990511199053
12057212
12057223 12057222
11990511199052
1199052
11990531199053
12057211
11990531199053
1199054
1199053
1199053
1199053
1199052
1199052
1199052
1199052
1199052
1199052
12057210
1199055
1199055
1199055
119905511990551199054 119905212057216 1205721712057220
12057215
1199051
1199054
12057213
12057218
12057219
12057214
1205724
1199054 1205729
1205725
120572211205728
Figure 18 The state class graph of the TPN presented at Figure 17
1199054[0 1]
1199052[0 1]1199051[2 2]
1199055[6 6]
1199053[5 6]
ResourceDelay
Wait
Block
1199012119901susp
1199011
Figure 19 Controlled model of Figure 17 using inhibitor hyperarcs
state class 12057215
as discussed earlier and has nothing to do atthe state class 120572
6(the permissive controller will act later at
the state class 12057221) Note that a state class like 120572
14which is
reachable through a forbidden state (1205728) is not processed by
the algorithm as it is supposed to be avoided in the controlledsystem The controlled model using inhibitor hyperarcs isgiven at Figure 19
Our model is now safe Yet some challenges exist Lookat the state class graph of the model presented at Figure 18In some paths one task is executed frequently while othersare still waiting For example see the paths leading to 120572
17
Although the system is not blocked some of the tasks cannotbe executed A good scheduler had better to performdifferenttasks alternatively We may want to consider alternationparticular sequences add a deadline for each task or otherpossible policies And finally we may ask if it is possible torestrict the execution time of a task even if it is in its safesubintervalThen while synthesizing a scheduler we can addmore constraints and scheduling policies beyond ldquosafe statesrdquoFurther researches are required to answer these questions
7 Conclusion
In this paper we have extended the approach discussed in[9] to time Petri nets with stopwatch and have suggested toassociate the controllable transitions with stopwatch in orderto prevent their bad subintervals We have proposed thatin case a controller (like a scheduler) cannot restrict timeintervals associated with controllable transitions the control-lable transitions can be suspended in their bad subintervals
Synthesizing a time Petri net associated with stopwatch iscomplicated and needs some overapproximations Besidestime Petri nets associated with stopwatch do not preservethe boundedness property In this paper we have suggesteda more effective alternative We synthesize a time Petri netwithout stopwatch and then equip the controllable transi-tions with stopwatch where necessary With this assumptionevery controllable transition can be suspended in its badsubinterval and resumed otherwise Amongst different typesof stopwatch our solution is based on inhibitor hyperarcs
The approach suggested in this paper is particularlyuseful at design level for preemptive scheduling purposesmanaging shared resources and critical sections This is agood starting point for further researches on schedulingand to calculate automatically a scheduler in a multitaskingsystem It is interesting to see how the approach can beapplied in amore general case with a variable number of tasksand dependencies Consider different scheduling policies arechallenging and areworth to be considered in further studies
References
[1] P Heidari A forward on-the-fly approach for safety and reach-ability controller synthesis of timed systems [PhD thesis] EcolePolytechnique de Montreal 2012
[2] F Cassez and K Larsen ldquoThe impressive power of stopwatchesautomatardquo in Proceedings of the 11th International Conferenceon Concurrency Theory (CONCUR rsquo00) pp 138ndash152 Springer2000
[3] O H Roux and D Lime ldquoTime petri nets with inhibitorhyperarcs formal semantics and state space computationrdquo inProceedings of the International Conference on Application andTheory of Petri Nets (ICATPN rsquo04) pp 371ndash390 2004
[4] A Allahham and H Alla ldquoPost and pre-initialized stopwatchPetri nets formal semantics and state space computationrdquoNonlinear Analysis vol 2 no 4 pp 1175ndash1186 2008
[5] A Allahham and H Alla ldquoReseaux de Petri a chronometrespost et pre-initialisesrdquo in Proceedings of the 6 eme ColloqueFrancophone sur la Modelisation des Systemes Reactifs (MSRrsquo07) pp 263ndash280 Lyon France 2007
[6] D Isovic and G Fohler ldquoEfficient scheduling of sporadicaperiodic and periodic tasks with complex constraintsrdquo in
Journal of Engineering 13
Proceedings of the 21st IEEE Real-Time Systems Symposium pp207ndash216 2000
[7] K Altisen G Gossler and J Sifakis ldquoA methodology for theconstruction of scheduled systemsrdquo in Proceedings of the FormalTechniques in Real-Time and Fault-Tolerant Systems (FTRTFTrsquo00) pp 106ndash120 2000
[8] K Altisen G Gossler A Pnueli J Sifakis S Tripakis and SYovine ldquoA framework for scheduler synthesisrdquo in Proceedingsof the 20th IEEE Real-Time Systems Symposium (RTSSrsquo99) pp154ndash163 December 1999
[9] P Heidari and H Boucheneb ldquoEfficient method for checkingthe existence of a safety reachability controller for time petrinetsrdquo in Proceedings of the 10th International Conference onApplication of Concurrency to System Design (ACSD rsquo10) pp201ndash210 June 2010
[10] O-H Roux D Lime S Haddad F Cassez and B BrardldquoComparison of different semantics for time Petri netsrdquo inProceedings of the 3rd Automated Technology for Verification andAnalysis vol 3707 of Lecture Notes in Computer Science pp293ndash307 2005
[11] M Boyer and F Vernadat ldquoLanguage and bisimulation relationsbetween subclasses of timed petri nets with strong timingsemanticrdquo Tech Rep LAAS 2000
[12] W Penczek and A Polrola ldquoSpecification and model checkingof temporal properties in time Petri nets and timed automatardquoin Proceedings of the 25th International Conference on Appli-cation and Theory of Petri Nets vol 3099 of Lecture Notes inComputer Science pp 37ndash76 2004
[13] B Berthomieu andM Diaz ldquoModeling and verification of timedependent systems using time Petri netsrdquo IEEE Transactions onSoftware Engineering vol 17 no 3 pp 259ndash273 1991
[14] H Boucheneb G Gardey and O H Roux ldquoTCTL modelchecking of time petri netsrdquo Journal of Logic and Computationvol 19 no 6 pp 1509ndash1540 2009
[15] J Bengtsson Clocks DBMs and states in timed systems [PhDthesis] Uppsala Universitet Sweden 2002
[16] B Berthomieu and F Vernadat ldquoState class constructions forbranching analysis of time Petri netsrdquo in Proceedings of the9th International Conference on Tools and Algorithms for theConstruction and Analysis of Systems (TACAS rsquo03) pp 442ndash4572003
[17] D Lime andO Roux ldquoA translation basedmethod for the timedanalysis of scheduling extended time Petri netsrdquo in Proceedingsof the 25th IEEE International Real-Time Systems Symposium(RTSS rsquo04) pp 187ndash196 December 2004
[18] G Bucci A Fedeli L Sassoli and E Vicario ldquoTimed state spaceanalysis of real-time preemptive systemsrdquo IEEE Transactions onSoftware Engineering vol 30 no 2 pp 97ndash111 2004
[19] T A Henzinger P-H Ho and H Wong-Toi ldquoHYTECH amodel checker for hybrid systemsrdquo in Proceedings of the 9thInternational Conference on Computer-Aided Verification (CAVrsquo97) vol 1254 of Lecture Notes in Computer Science pp 460ndash463 Springer Berlin Germany 1997
[20] P Heidari andH Boucheneb ldquoMaximally permissive controllersynthesis for time petri netsrdquo International Journal of Controlvol 86 no 3 pp 493ndash511 2013
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
Journal of Engineering 9
0 1 2 3 40
1
2
119907(1199051)
Time
119907(1199051) ne 0
119907(1199051) = 0
Figure 8 Clock evaluation of 1199051in the controlled TPN of Figure 9
1199051in a controlled TPN associated with stopwatch is [0 2]
Figure 8 represents the clock evaluation of the transition 1199051
The controlled Petri nets of this example are presented inFigure 9
In summary our goal is to synthesize the state class graphof the system through Algorithms 1 and 2 (see [9]) andcalculate bad subintervals of the corresponding controllabletransitions Then suspend the appropriate controllable tran-sitions during their bad subintervals Note that in [9] wewererestricting and limiting time intervals while in this approachthe idea is to delay and suspend them In this research wesuppose every controllable transition can be associated witha stopwatch if needed As explained earlier in Section 1 ina multitasking system with periodic tasks only execution ofa task is controllable Then those transitions modeling thetask executions are considered controllable and consequentlycould be suspended and retrieved
Above we have shown how to control a system whenthe bad subinterval is at the beginning of the firing inter-val What if the acceptable subinterval is at the beginningand bad subintervals are after Consider the example ofFigure 10 A controllable transition 119905
1is associated with firing
interval [119886 119887] Suppose that based on Algorithms 1 and 2the subinterval [119886 120572
1] is acceptable while ]120572
1 119887] is a bad
subinterval where 119886 le 1205721lt 119887 The controlled time Petri
nets are presented in Figure 11 Figure 12 represents the clockevaluation of 119905
1and shows how the new interval associated
with 1199051is calculated In [0 119886[ 119901susp is marked and 119905
1is neither
active nor enabled Meanwhile at the time 119886 1199051199031
becomesenabled and is fired consuming the token in 119901suspThus rightat 119886 the transition 119905
1becomes active and its associated clock
starts elapsing Note that associated stopwatch delays 1199051for
119886 time units and we do not want to delay it anymore thenthe lower bound of the new associated interval in controlledTPN is 0 After 120572
1time units 119905
1199032is fired and 119901susp becomes
marked again Consequently 1199051is suspended
Consider the same example of Figure 10 and this timesuppose that Algorithms 1 and 2 give the following output
[119886 1205721[ is acceptable [120572
1 1205722[ is a bad subinterval [120572
2 119887]
is acceptable where the condition 119886 lt 1205721lt 1205722le 119887 holds
1199051[0 2]
1199053[2infin[ 1199054[0 1]
1199052[2 3]119905resu [2 2]
119875susp
11990121199011
11990141199013
Figure 9 Time Petri net of Figure 1 controlled by inhibitor hyper-arcs (119879
119888= 1199051)
1199051[119886 119887]
1199012
1199013
Figure 10 A simple time Petri net (119879119888= 1199051)
With the same idea the controlled Petri nets are presented inFigure 13 and the clock evaluation of 119905
1is shown in Figure 14
51Why InhibitorHyperarcs Wehave shown how to achievea controlled model from an uncontrolled time Petri netsby adding inhibitor hyperarcs One question is why amongdifferent types of stopwatch inhibitor hyperarcs are chosenIs it possible to use another stopwatch model The answeris yes but inhibitor hyperarcs provide more flexibility andless complication Let us see if this idea is feasible using othertypes of Petri nets with stopwatch
We consider the post- and preinitialized Petri nets pro-posed in [4 5] for stopwatch and try to control amodel wherea controllable transition associated with time interval [119886 119887]has a bad subinterval [119886 120572] Based on our hypothesis thecontroller should suspend the controllable transition at [119886 119886]and resume it at [120572 120572] The characteristic of post and pre-initialized Petri nets is that they consume the same tokenof the original model and in addition the exact time whenthe model becomes suspended is unknown as stopwatchtransition and original transition have the same chance forfiring At the first glance the idea is feasible by adding oneplace and two transitions However there are some issuesWeexplain the problem through an example
We consider the same example of Figure 1 The suggestedcontrolled model using post and pre-initialized Petri netscomes in Figure 15The controllable transition 119905
1is associated
with stopwatchThe stopwatch interrupts the task at [0 0] andresume it at [2 2] The problem is at [0 0] both transitions1199051and 119905sus are enabled with equal chance of firing whereas
in order to have a controlled model 119905sus should fire at [0 0]before 119905
1 Thus the controller fails unless if we modify the
interval associated to 1199051to ]0 2] which is not of interest in
this approach
10 Journal of Engineering
1199051[0 1205721 minus 119886[
1199051199032[1205721 minus 119886 1205721 minus 119886]
1199051199031[119886 119886]
1199012
1199013
1199011199040
1199011199041
119901susp
Figure 11The controlledTPNof Figure 10 using inhibitor hyperarcs(119879119888= 1199051) Forbidden interval is ]120572
1 119887] where 119886 le 120572
1lt 119887
Time0
01205721
119907(1199051) 119907(1199051) = 1205721 minus 119886
119886 119887
1205721 minus 119886
119907(1199051) = 0
Figure 12 Clock evaluation of 1199051in the controlled TPN of Figure 10
Forbidden interval is ]1205721 119887] where 119886 le 120572
1lt 119887
1199051[0 119887 minus 119886 + 1205721 minus 1205722]
1199051199033[1205722 minus 1205721 1205722 minus 1205721]
1199051199032[1205721 minus 119886 1205721 minus 119886]
1199051199031[119886 119886]
1199013
11990121199011199040
1199011199041
119901susp
1199011199042
Figure 13 A simple time Petri net controlled by inhibitor hyperarcs(119879119888= 1199051) the bad subinterval is [120572
1 1205722[ where 119886 lt 120572
1lt 1205722le 119887
The other alternative is presented at Figure 16 An auxil-iary place 119901
119904solves the problem Hence using the stopwatch
Petri nets suggested in [4 5] it is not easy to give ageneral solution to control a model considering the output ofAlgorithms 1 and 2 In addition the resulting controlled netsare more complicated For example in case the controllabletransition is associated with the interval [119886 119887] where its badsubinterval is [120572 119887] and 119886 le 120572 then the controlled modelbecomes complicated
Time
00
119907(1199051)
119887 minus 119886 + 1205721 minus 1205722
1205721 minus 119886
1205722119886 1198871205721
Figure 14 Clock evaluation of 1199051in a controlled TPN of Figure 10
The forbidden interval is ]1205721 1205722] where 119886 lt 120572
1lt 1205722le 119887
119905sus[0 0]
119905resu[2 2]
1199053[2infin[ 1199054[0 1]
1199051[0 2] 1199052[2 3]
1199012
1199013
119901susp
1199011
1199014
Figure 15 Controlling the example of Figure 1 using stopwatch of[4] The controller fails
119905sus[0 0]
119905resu[2 2]
1199053[2infin[ 1199054[0 1]
1199051[0 2] 1199052[2 3]
1199012
1199013
119901susp
1199011
1199014
119901119904
Figure 16 Controlled model of Figure 1 using stopwatch of [4]
6 Illustrative Example
Suppose the multitasking system depicted in Figure 17 withthe following specifications four tasks 119879
1 1198792 1198793 and 119879
4are
being executed Two tasks 1198793and 119879
4are uncontrollable The
task 1198791is periodic with a period of [6 6] and then its start
execution is controllable Suppose that starting execution of1198792is also controllable 119879
4is depended to 119879
2and 119879
3meaning
that it can be executed only when1198792and1198793are executed Two
tasks1198791and1198792share a common resource On the other hand
1198791enters through a single capacity buffer It means that if 119879
1
is not executed by the end of its period the system will blockIn Figure 7 tasks are modeled by tokens and the execution ofeach task 119879
119894is shown by the transition 119905
119894 If 1198791is not executed
by the end of its period the system enters the state Block and1199055is the transition to be avoided Delay is a placemodeling the
Journal of Engineering 11
Table 2 State classes of the TPN presented at Figure 17
1205720 Delay + 119875
1+ Resource 2 le 119905
2le 3 5 le 119905
3le 6 2 le 119905
1le 2 6 le 119905
5le 6
1205721 Delay + 119875
1+Wait 3 le 119905
3le 4 4 le 119905
5le 4
1205722 Delay + 119875
1+ Resource 2 le 119905
2le 3 3 le 119905
3le 4 2 le 119905
1le 2 6 le 119905
5le 6
1205723 Delay + 119875
3+Wait 0 le 119905
4le 1 0 le 119905
5le 1
1205724 1198751+Wait + Block 0 le 119905
3le 0
1205725 Delay + 119875
1+Wait 1 le 119905
3le 2 4 le 119905
5le 4
1205726 Delay + 119875
1+ Resource 2 le 119905
2le 3 1 le 119905
3le 2 2 le 119905
1le 2 6 le 119905
5le 6
1205727 Delay + Resource + 119875
12 le 1199052le 3 5 le 119905
3le 6 2 le 119905
1le 2 0 le 119905
5le 1
1205728 1198753+Wait + Block 0 le 119905
4le 1
1205729 Delay + 119875
3+Wait 0 le 119905
4le 1 2 le 119905
5le 3
12057210 Delay + 119875
1+Wait 0 le 119905
3le 0 4 le 119905
5le 4
12057211 Delay + Resource + 119875
3
0 le 1199052le 2 0 le 119905
1le 1 4 le 119905
5le 5
0 le 1199052minus 1199051le 1 minus4 le 119905
2minus 1199055le minus3 minus4 le 119905
1minus 1199055le minus4
12057212 Delay + Resource + 119875
12 le 1199052le 3 0 le 119905
3le 0 2 le 119905
1le 2 6 le 119905
5le 6
12057213 Resource + 119875
1+ Block 1 le 119905
2le 3 4 le 119905
3le 6 minus4 le 119905
2minus 1199053le minus2
12057214 Resource + 119875
1+ Block 2 le 119905
2le 3 5 le 119905
3le 6
12057215 Delay + Resource + 119875
12 le 1199052le 3 5 le 119905
3le 6 2 le 119905
1le 2 1 le 119905
5le 3
12057216 Delay + 119875
3+Wait 0 le 119905
4le 1 4 le 119905
5le 4
12057217 Delay + Resource + 119875
32 le 1199052le 3 2 le 119905
1le 2 6 le 119905
5le 6
12057218 1198751+Wait + Block 2 le 119905
3le 4
12057219 Delay + 119875
1+Wait 3 le 119905
3le 4 0 le 119905
5le 1
12057220 Resource + 119875
1+ Block 0 le 119905
2le 2 3 le 119905
3le 5 minus4 le 119905
2minus 1199053le minus2
12057221 Delay + Resource + 119875
12 le 1199052le 3 5 le 119905
3le 6 2 le 119905
1le 2 3 le 119905
5le 4
12057222 Delay + 119875
1+Wait 3 le 119905
3le 4 1 le 119905
5le 2
12057223 1198751+Wait + Block 1 le 119905
3le 3
ResourceDelay
WaitBlock
1199054[0 1]
1199052[2 3]1199051[2 2]1199055[6 6] 1199053[5 6]
1199012
1199011
Figure 17 A periodic system with 119879119888= 1199051 1199052
behavior of the buffer considering the period of the task 1198791
And finally 1198791executes within [2 2] time units 119879
2in [2 3]
1198793within [5 6] and 119879
4in [0 1]
The state class graph of the model is given in Figure 18and Table 2 shows the state class informations Basedon the state class graph of the system the state classes1205724 1205728 12057213 12057214 12057218 12057220 and120572
23are forbidden Let us briefly
trace the algorithm on the state class graph First we followthe algorithm on the left branch where the state classes1205724 1205728 and 120572
13are located The algorithm starts from 120572
0
and is executed recursively to 1205721 then 120572
3 1205727and finally
reaches to 12057213with a forbidden markingThen it comes back
to 1205727with 119905
5 and to 120572
3with 119905
41199055 The other successor
available from 1205723is 1205728which is also forbidden Till now
there is no enabled controllable transition to avoid theseclasses and the algorithm continues returning back to 120572
1
with 119905311990541199055 11990531199055 The other successor available from 120572
1
is 1205724which is also forbidden Thus it returns back to
1205720with 119905
2119905311990541199055 119905211990531199055 11990521199055 The other successor available
from 1205720is 1205722which is safe and the algorithm continues to
1205725 1205729 12057215 12057219 and finally 120572
18which is a forbidden state
Then it goes back to 12057219
with 1199055 and consequently to 120572
15
with 11990521199055 The other successors available from 120572
15are the
forbidden state 12057220and 120572
2which is already under processing
Note that two enabled controllable transitions are available at12057215 but the controller cannot act at this level because 119905
5may
fire before 1199051or 1199052and lead to a forbidden state Then the
algorithm continues and returns back to 1205729with 119905
411990521199055 11990521199055
where no controllable transition is available Consequentlythe algorithm continues and returns back to 120572
5and finally
reaches to 1205722where newly enabled controllable transitions
are available Till now the path to be avoided at 1205722includes
11990521199053119905411990521199055 1199052119905311990541199055
The procedure is similar for the other path availablefrom 120572
2including 120572
6and its successors The forbidden state
reachable through this path is 12057223and in order to avoid this
forbidden state the controller can act at 12057221with two enabled
controllable transitions So nothing is returned to 1205722from
this path Having a closer look to the state class graph andthe output of the algorithm we conclude that at each statewhere 119905
1and 1199052are newly enabled and the controller should
act (ie 1205720 1205722 and 120572
21) the controller should force 119905
1to fire
before 1199052(ie 119905
2minus 1199051gt 0) In other words 119905
2should not be
active at [2 2] It is sufficient to add an inhibitor hyperarcto deactivate 119905
2at [2 2] The controller cannot act at the
12 Journal of Engineering
1205721
1205727
1205720 12057261199051 1199051
1199051
1199055
11990511199052
1205722
1205723
11990511199053
12057212
12057223 12057222
11990511199052
1199052
11990531199053
12057211
11990531199053
1199054
1199053
1199053
1199053
1199052
1199052
1199052
1199052
1199052
1199052
12057210
1199055
1199055
1199055
119905511990551199054 119905212057216 1205721712057220
12057215
1199051
1199054
12057213
12057218
12057219
12057214
1205724
1199054 1205729
1205725
120572211205728
Figure 18 The state class graph of the TPN presented at Figure 17
1199054[0 1]
1199052[0 1]1199051[2 2]
1199055[6 6]
1199053[5 6]
ResourceDelay
Wait
Block
1199012119901susp
1199011
Figure 19 Controlled model of Figure 17 using inhibitor hyperarcs
state class 12057215
as discussed earlier and has nothing to do atthe state class 120572
6(the permissive controller will act later at
the state class 12057221) Note that a state class like 120572
14which is
reachable through a forbidden state (1205728) is not processed by
the algorithm as it is supposed to be avoided in the controlledsystem The controlled model using inhibitor hyperarcs isgiven at Figure 19
Our model is now safe Yet some challenges exist Lookat the state class graph of the model presented at Figure 18In some paths one task is executed frequently while othersare still waiting For example see the paths leading to 120572
17
Although the system is not blocked some of the tasks cannotbe executed A good scheduler had better to performdifferenttasks alternatively We may want to consider alternationparticular sequences add a deadline for each task or otherpossible policies And finally we may ask if it is possible torestrict the execution time of a task even if it is in its safesubintervalThen while synthesizing a scheduler we can addmore constraints and scheduling policies beyond ldquosafe statesrdquoFurther researches are required to answer these questions
7 Conclusion
In this paper we have extended the approach discussed in[9] to time Petri nets with stopwatch and have suggested toassociate the controllable transitions with stopwatch in orderto prevent their bad subintervals We have proposed thatin case a controller (like a scheduler) cannot restrict timeintervals associated with controllable transitions the control-lable transitions can be suspended in their bad subintervals
Synthesizing a time Petri net associated with stopwatch iscomplicated and needs some overapproximations Besidestime Petri nets associated with stopwatch do not preservethe boundedness property In this paper we have suggesteda more effective alternative We synthesize a time Petri netwithout stopwatch and then equip the controllable transi-tions with stopwatch where necessary With this assumptionevery controllable transition can be suspended in its badsubinterval and resumed otherwise Amongst different typesof stopwatch our solution is based on inhibitor hyperarcs
The approach suggested in this paper is particularlyuseful at design level for preemptive scheduling purposesmanaging shared resources and critical sections This is agood starting point for further researches on schedulingand to calculate automatically a scheduler in a multitaskingsystem It is interesting to see how the approach can beapplied in amore general case with a variable number of tasksand dependencies Consider different scheduling policies arechallenging and areworth to be considered in further studies
References
[1] P Heidari A forward on-the-fly approach for safety and reach-ability controller synthesis of timed systems [PhD thesis] EcolePolytechnique de Montreal 2012
[2] F Cassez and K Larsen ldquoThe impressive power of stopwatchesautomatardquo in Proceedings of the 11th International Conferenceon Concurrency Theory (CONCUR rsquo00) pp 138ndash152 Springer2000
[3] O H Roux and D Lime ldquoTime petri nets with inhibitorhyperarcs formal semantics and state space computationrdquo inProceedings of the International Conference on Application andTheory of Petri Nets (ICATPN rsquo04) pp 371ndash390 2004
[4] A Allahham and H Alla ldquoPost and pre-initialized stopwatchPetri nets formal semantics and state space computationrdquoNonlinear Analysis vol 2 no 4 pp 1175ndash1186 2008
[5] A Allahham and H Alla ldquoReseaux de Petri a chronometrespost et pre-initialisesrdquo in Proceedings of the 6 eme ColloqueFrancophone sur la Modelisation des Systemes Reactifs (MSRrsquo07) pp 263ndash280 Lyon France 2007
[6] D Isovic and G Fohler ldquoEfficient scheduling of sporadicaperiodic and periodic tasks with complex constraintsrdquo in
Journal of Engineering 13
Proceedings of the 21st IEEE Real-Time Systems Symposium pp207ndash216 2000
[7] K Altisen G Gossler and J Sifakis ldquoA methodology for theconstruction of scheduled systemsrdquo in Proceedings of the FormalTechniques in Real-Time and Fault-Tolerant Systems (FTRTFTrsquo00) pp 106ndash120 2000
[8] K Altisen G Gossler A Pnueli J Sifakis S Tripakis and SYovine ldquoA framework for scheduler synthesisrdquo in Proceedingsof the 20th IEEE Real-Time Systems Symposium (RTSSrsquo99) pp154ndash163 December 1999
[9] P Heidari and H Boucheneb ldquoEfficient method for checkingthe existence of a safety reachability controller for time petrinetsrdquo in Proceedings of the 10th International Conference onApplication of Concurrency to System Design (ACSD rsquo10) pp201ndash210 June 2010
[10] O-H Roux D Lime S Haddad F Cassez and B BrardldquoComparison of different semantics for time Petri netsrdquo inProceedings of the 3rd Automated Technology for Verification andAnalysis vol 3707 of Lecture Notes in Computer Science pp293ndash307 2005
[11] M Boyer and F Vernadat ldquoLanguage and bisimulation relationsbetween subclasses of timed petri nets with strong timingsemanticrdquo Tech Rep LAAS 2000
[12] W Penczek and A Polrola ldquoSpecification and model checkingof temporal properties in time Petri nets and timed automatardquoin Proceedings of the 25th International Conference on Appli-cation and Theory of Petri Nets vol 3099 of Lecture Notes inComputer Science pp 37ndash76 2004
[13] B Berthomieu andM Diaz ldquoModeling and verification of timedependent systems using time Petri netsrdquo IEEE Transactions onSoftware Engineering vol 17 no 3 pp 259ndash273 1991
[14] H Boucheneb G Gardey and O H Roux ldquoTCTL modelchecking of time petri netsrdquo Journal of Logic and Computationvol 19 no 6 pp 1509ndash1540 2009
[15] J Bengtsson Clocks DBMs and states in timed systems [PhDthesis] Uppsala Universitet Sweden 2002
[16] B Berthomieu and F Vernadat ldquoState class constructions forbranching analysis of time Petri netsrdquo in Proceedings of the9th International Conference on Tools and Algorithms for theConstruction and Analysis of Systems (TACAS rsquo03) pp 442ndash4572003
[17] D Lime andO Roux ldquoA translation basedmethod for the timedanalysis of scheduling extended time Petri netsrdquo in Proceedingsof the 25th IEEE International Real-Time Systems Symposium(RTSS rsquo04) pp 187ndash196 December 2004
[18] G Bucci A Fedeli L Sassoli and E Vicario ldquoTimed state spaceanalysis of real-time preemptive systemsrdquo IEEE Transactions onSoftware Engineering vol 30 no 2 pp 97ndash111 2004
[19] T A Henzinger P-H Ho and H Wong-Toi ldquoHYTECH amodel checker for hybrid systemsrdquo in Proceedings of the 9thInternational Conference on Computer-Aided Verification (CAVrsquo97) vol 1254 of Lecture Notes in Computer Science pp 460ndash463 Springer Berlin Germany 1997
[20] P Heidari andH Boucheneb ldquoMaximally permissive controllersynthesis for time petri netsrdquo International Journal of Controlvol 86 no 3 pp 493ndash511 2013
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
10 Journal of Engineering
1199051[0 1205721 minus 119886[
1199051199032[1205721 minus 119886 1205721 minus 119886]
1199051199031[119886 119886]
1199012
1199013
1199011199040
1199011199041
119901susp
Figure 11The controlledTPNof Figure 10 using inhibitor hyperarcs(119879119888= 1199051) Forbidden interval is ]120572
1 119887] where 119886 le 120572
1lt 119887
Time0
01205721
119907(1199051) 119907(1199051) = 1205721 minus 119886
119886 119887
1205721 minus 119886
119907(1199051) = 0
Figure 12 Clock evaluation of 1199051in the controlled TPN of Figure 10
Forbidden interval is ]1205721 119887] where 119886 le 120572
1lt 119887
1199051[0 119887 minus 119886 + 1205721 minus 1205722]
1199051199033[1205722 minus 1205721 1205722 minus 1205721]
1199051199032[1205721 minus 119886 1205721 minus 119886]
1199051199031[119886 119886]
1199013
11990121199011199040
1199011199041
119901susp
1199011199042
Figure 13 A simple time Petri net controlled by inhibitor hyperarcs(119879119888= 1199051) the bad subinterval is [120572
1 1205722[ where 119886 lt 120572
1lt 1205722le 119887
The other alternative is presented at Figure 16 An auxil-iary place 119901
119904solves the problem Hence using the stopwatch
Petri nets suggested in [4 5] it is not easy to give ageneral solution to control a model considering the output ofAlgorithms 1 and 2 In addition the resulting controlled netsare more complicated For example in case the controllabletransition is associated with the interval [119886 119887] where its badsubinterval is [120572 119887] and 119886 le 120572 then the controlled modelbecomes complicated
Time
00
119907(1199051)
119887 minus 119886 + 1205721 minus 1205722
1205721 minus 119886
1205722119886 1198871205721
Figure 14 Clock evaluation of 1199051in a controlled TPN of Figure 10
The forbidden interval is ]1205721 1205722] where 119886 lt 120572
1lt 1205722le 119887
119905sus[0 0]
119905resu[2 2]
1199053[2infin[ 1199054[0 1]
1199051[0 2] 1199052[2 3]
1199012
1199013
119901susp
1199011
1199014
Figure 15 Controlling the example of Figure 1 using stopwatch of[4] The controller fails
119905sus[0 0]
119905resu[2 2]
1199053[2infin[ 1199054[0 1]
1199051[0 2] 1199052[2 3]
1199012
1199013
119901susp
1199011
1199014
119901119904
Figure 16 Controlled model of Figure 1 using stopwatch of [4]
6 Illustrative Example
Suppose the multitasking system depicted in Figure 17 withthe following specifications four tasks 119879
1 1198792 1198793 and 119879
4are
being executed Two tasks 1198793and 119879
4are uncontrollable The
task 1198791is periodic with a period of [6 6] and then its start
execution is controllable Suppose that starting execution of1198792is also controllable 119879
4is depended to 119879
2and 119879
3meaning
that it can be executed only when1198792and1198793are executed Two
tasks1198791and1198792share a common resource On the other hand
1198791enters through a single capacity buffer It means that if 119879
1
is not executed by the end of its period the system will blockIn Figure 7 tasks are modeled by tokens and the execution ofeach task 119879
119894is shown by the transition 119905
119894 If 1198791is not executed
by the end of its period the system enters the state Block and1199055is the transition to be avoided Delay is a placemodeling the
Journal of Engineering 11
Table 2 State classes of the TPN presented at Figure 17
1205720 Delay + 119875
1+ Resource 2 le 119905
2le 3 5 le 119905
3le 6 2 le 119905
1le 2 6 le 119905
5le 6
1205721 Delay + 119875
1+Wait 3 le 119905
3le 4 4 le 119905
5le 4
1205722 Delay + 119875
1+ Resource 2 le 119905
2le 3 3 le 119905
3le 4 2 le 119905
1le 2 6 le 119905
5le 6
1205723 Delay + 119875
3+Wait 0 le 119905
4le 1 0 le 119905
5le 1
1205724 1198751+Wait + Block 0 le 119905
3le 0
1205725 Delay + 119875
1+Wait 1 le 119905
3le 2 4 le 119905
5le 4
1205726 Delay + 119875
1+ Resource 2 le 119905
2le 3 1 le 119905
3le 2 2 le 119905
1le 2 6 le 119905
5le 6
1205727 Delay + Resource + 119875
12 le 1199052le 3 5 le 119905
3le 6 2 le 119905
1le 2 0 le 119905
5le 1
1205728 1198753+Wait + Block 0 le 119905
4le 1
1205729 Delay + 119875
3+Wait 0 le 119905
4le 1 2 le 119905
5le 3
12057210 Delay + 119875
1+Wait 0 le 119905
3le 0 4 le 119905
5le 4
12057211 Delay + Resource + 119875
3
0 le 1199052le 2 0 le 119905
1le 1 4 le 119905
5le 5
0 le 1199052minus 1199051le 1 minus4 le 119905
2minus 1199055le minus3 minus4 le 119905
1minus 1199055le minus4
12057212 Delay + Resource + 119875
12 le 1199052le 3 0 le 119905
3le 0 2 le 119905
1le 2 6 le 119905
5le 6
12057213 Resource + 119875
1+ Block 1 le 119905
2le 3 4 le 119905
3le 6 minus4 le 119905
2minus 1199053le minus2
12057214 Resource + 119875
1+ Block 2 le 119905
2le 3 5 le 119905
3le 6
12057215 Delay + Resource + 119875
12 le 1199052le 3 5 le 119905
3le 6 2 le 119905
1le 2 1 le 119905
5le 3
12057216 Delay + 119875
3+Wait 0 le 119905
4le 1 4 le 119905
5le 4
12057217 Delay + Resource + 119875
32 le 1199052le 3 2 le 119905
1le 2 6 le 119905
5le 6
12057218 1198751+Wait + Block 2 le 119905
3le 4
12057219 Delay + 119875
1+Wait 3 le 119905
3le 4 0 le 119905
5le 1
12057220 Resource + 119875
1+ Block 0 le 119905
2le 2 3 le 119905
3le 5 minus4 le 119905
2minus 1199053le minus2
12057221 Delay + Resource + 119875
12 le 1199052le 3 5 le 119905
3le 6 2 le 119905
1le 2 3 le 119905
5le 4
12057222 Delay + 119875
1+Wait 3 le 119905
3le 4 1 le 119905
5le 2
12057223 1198751+Wait + Block 1 le 119905
3le 3
ResourceDelay
WaitBlock
1199054[0 1]
1199052[2 3]1199051[2 2]1199055[6 6] 1199053[5 6]
1199012
1199011
Figure 17 A periodic system with 119879119888= 1199051 1199052
behavior of the buffer considering the period of the task 1198791
And finally 1198791executes within [2 2] time units 119879
2in [2 3]
1198793within [5 6] and 119879
4in [0 1]
The state class graph of the model is given in Figure 18and Table 2 shows the state class informations Basedon the state class graph of the system the state classes1205724 1205728 12057213 12057214 12057218 12057220 and120572
23are forbidden Let us briefly
trace the algorithm on the state class graph First we followthe algorithm on the left branch where the state classes1205724 1205728 and 120572
13are located The algorithm starts from 120572
0
and is executed recursively to 1205721 then 120572
3 1205727and finally
reaches to 12057213with a forbidden markingThen it comes back
to 1205727with 119905
5 and to 120572
3with 119905
41199055 The other successor
available from 1205723is 1205728which is also forbidden Till now
there is no enabled controllable transition to avoid theseclasses and the algorithm continues returning back to 120572
1
with 119905311990541199055 11990531199055 The other successor available from 120572
1
is 1205724which is also forbidden Thus it returns back to
1205720with 119905
2119905311990541199055 119905211990531199055 11990521199055 The other successor available
from 1205720is 1205722which is safe and the algorithm continues to
1205725 1205729 12057215 12057219 and finally 120572
18which is a forbidden state
Then it goes back to 12057219
with 1199055 and consequently to 120572
15
with 11990521199055 The other successors available from 120572
15are the
forbidden state 12057220and 120572
2which is already under processing
Note that two enabled controllable transitions are available at12057215 but the controller cannot act at this level because 119905
5may
fire before 1199051or 1199052and lead to a forbidden state Then the
algorithm continues and returns back to 1205729with 119905
411990521199055 11990521199055
where no controllable transition is available Consequentlythe algorithm continues and returns back to 120572
5and finally
reaches to 1205722where newly enabled controllable transitions
are available Till now the path to be avoided at 1205722includes
11990521199053119905411990521199055 1199052119905311990541199055
The procedure is similar for the other path availablefrom 120572
2including 120572
6and its successors The forbidden state
reachable through this path is 12057223and in order to avoid this
forbidden state the controller can act at 12057221with two enabled
controllable transitions So nothing is returned to 1205722from
this path Having a closer look to the state class graph andthe output of the algorithm we conclude that at each statewhere 119905
1and 1199052are newly enabled and the controller should
act (ie 1205720 1205722 and 120572
21) the controller should force 119905
1to fire
before 1199052(ie 119905
2minus 1199051gt 0) In other words 119905
2should not be
active at [2 2] It is sufficient to add an inhibitor hyperarcto deactivate 119905
2at [2 2] The controller cannot act at the
12 Journal of Engineering
1205721
1205727
1205720 12057261199051 1199051
1199051
1199055
11990511199052
1205722
1205723
11990511199053
12057212
12057223 12057222
11990511199052
1199052
11990531199053
12057211
11990531199053
1199054
1199053
1199053
1199053
1199052
1199052
1199052
1199052
1199052
1199052
12057210
1199055
1199055
1199055
119905511990551199054 119905212057216 1205721712057220
12057215
1199051
1199054
12057213
12057218
12057219
12057214
1205724
1199054 1205729
1205725
120572211205728
Figure 18 The state class graph of the TPN presented at Figure 17
1199054[0 1]
1199052[0 1]1199051[2 2]
1199055[6 6]
1199053[5 6]
ResourceDelay
Wait
Block
1199012119901susp
1199011
Figure 19 Controlled model of Figure 17 using inhibitor hyperarcs
state class 12057215
as discussed earlier and has nothing to do atthe state class 120572
6(the permissive controller will act later at
the state class 12057221) Note that a state class like 120572
14which is
reachable through a forbidden state (1205728) is not processed by
the algorithm as it is supposed to be avoided in the controlledsystem The controlled model using inhibitor hyperarcs isgiven at Figure 19
Our model is now safe Yet some challenges exist Lookat the state class graph of the model presented at Figure 18In some paths one task is executed frequently while othersare still waiting For example see the paths leading to 120572
17
Although the system is not blocked some of the tasks cannotbe executed A good scheduler had better to performdifferenttasks alternatively We may want to consider alternationparticular sequences add a deadline for each task or otherpossible policies And finally we may ask if it is possible torestrict the execution time of a task even if it is in its safesubintervalThen while synthesizing a scheduler we can addmore constraints and scheduling policies beyond ldquosafe statesrdquoFurther researches are required to answer these questions
7 Conclusion
In this paper we have extended the approach discussed in[9] to time Petri nets with stopwatch and have suggested toassociate the controllable transitions with stopwatch in orderto prevent their bad subintervals We have proposed thatin case a controller (like a scheduler) cannot restrict timeintervals associated with controllable transitions the control-lable transitions can be suspended in their bad subintervals
Synthesizing a time Petri net associated with stopwatch iscomplicated and needs some overapproximations Besidestime Petri nets associated with stopwatch do not preservethe boundedness property In this paper we have suggesteda more effective alternative We synthesize a time Petri netwithout stopwatch and then equip the controllable transi-tions with stopwatch where necessary With this assumptionevery controllable transition can be suspended in its badsubinterval and resumed otherwise Amongst different typesof stopwatch our solution is based on inhibitor hyperarcs
The approach suggested in this paper is particularlyuseful at design level for preemptive scheduling purposesmanaging shared resources and critical sections This is agood starting point for further researches on schedulingand to calculate automatically a scheduler in a multitaskingsystem It is interesting to see how the approach can beapplied in amore general case with a variable number of tasksand dependencies Consider different scheduling policies arechallenging and areworth to be considered in further studies
References
[1] P Heidari A forward on-the-fly approach for safety and reach-ability controller synthesis of timed systems [PhD thesis] EcolePolytechnique de Montreal 2012
[2] F Cassez and K Larsen ldquoThe impressive power of stopwatchesautomatardquo in Proceedings of the 11th International Conferenceon Concurrency Theory (CONCUR rsquo00) pp 138ndash152 Springer2000
[3] O H Roux and D Lime ldquoTime petri nets with inhibitorhyperarcs formal semantics and state space computationrdquo inProceedings of the International Conference on Application andTheory of Petri Nets (ICATPN rsquo04) pp 371ndash390 2004
[4] A Allahham and H Alla ldquoPost and pre-initialized stopwatchPetri nets formal semantics and state space computationrdquoNonlinear Analysis vol 2 no 4 pp 1175ndash1186 2008
[5] A Allahham and H Alla ldquoReseaux de Petri a chronometrespost et pre-initialisesrdquo in Proceedings of the 6 eme ColloqueFrancophone sur la Modelisation des Systemes Reactifs (MSRrsquo07) pp 263ndash280 Lyon France 2007
[6] D Isovic and G Fohler ldquoEfficient scheduling of sporadicaperiodic and periodic tasks with complex constraintsrdquo in
Journal of Engineering 13
Proceedings of the 21st IEEE Real-Time Systems Symposium pp207ndash216 2000
[7] K Altisen G Gossler and J Sifakis ldquoA methodology for theconstruction of scheduled systemsrdquo in Proceedings of the FormalTechniques in Real-Time and Fault-Tolerant Systems (FTRTFTrsquo00) pp 106ndash120 2000
[8] K Altisen G Gossler A Pnueli J Sifakis S Tripakis and SYovine ldquoA framework for scheduler synthesisrdquo in Proceedingsof the 20th IEEE Real-Time Systems Symposium (RTSSrsquo99) pp154ndash163 December 1999
[9] P Heidari and H Boucheneb ldquoEfficient method for checkingthe existence of a safety reachability controller for time petrinetsrdquo in Proceedings of the 10th International Conference onApplication of Concurrency to System Design (ACSD rsquo10) pp201ndash210 June 2010
[10] O-H Roux D Lime S Haddad F Cassez and B BrardldquoComparison of different semantics for time Petri netsrdquo inProceedings of the 3rd Automated Technology for Verification andAnalysis vol 3707 of Lecture Notes in Computer Science pp293ndash307 2005
[11] M Boyer and F Vernadat ldquoLanguage and bisimulation relationsbetween subclasses of timed petri nets with strong timingsemanticrdquo Tech Rep LAAS 2000
[12] W Penczek and A Polrola ldquoSpecification and model checkingof temporal properties in time Petri nets and timed automatardquoin Proceedings of the 25th International Conference on Appli-cation and Theory of Petri Nets vol 3099 of Lecture Notes inComputer Science pp 37ndash76 2004
[13] B Berthomieu andM Diaz ldquoModeling and verification of timedependent systems using time Petri netsrdquo IEEE Transactions onSoftware Engineering vol 17 no 3 pp 259ndash273 1991
[14] H Boucheneb G Gardey and O H Roux ldquoTCTL modelchecking of time petri netsrdquo Journal of Logic and Computationvol 19 no 6 pp 1509ndash1540 2009
[15] J Bengtsson Clocks DBMs and states in timed systems [PhDthesis] Uppsala Universitet Sweden 2002
[16] B Berthomieu and F Vernadat ldquoState class constructions forbranching analysis of time Petri netsrdquo in Proceedings of the9th International Conference on Tools and Algorithms for theConstruction and Analysis of Systems (TACAS rsquo03) pp 442ndash4572003
[17] D Lime andO Roux ldquoA translation basedmethod for the timedanalysis of scheduling extended time Petri netsrdquo in Proceedingsof the 25th IEEE International Real-Time Systems Symposium(RTSS rsquo04) pp 187ndash196 December 2004
[18] G Bucci A Fedeli L Sassoli and E Vicario ldquoTimed state spaceanalysis of real-time preemptive systemsrdquo IEEE Transactions onSoftware Engineering vol 30 no 2 pp 97ndash111 2004
[19] T A Henzinger P-H Ho and H Wong-Toi ldquoHYTECH amodel checker for hybrid systemsrdquo in Proceedings of the 9thInternational Conference on Computer-Aided Verification (CAVrsquo97) vol 1254 of Lecture Notes in Computer Science pp 460ndash463 Springer Berlin Germany 1997
[20] P Heidari andH Boucheneb ldquoMaximally permissive controllersynthesis for time petri netsrdquo International Journal of Controlvol 86 no 3 pp 493ndash511 2013
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
Journal of Engineering 11
Table 2 State classes of the TPN presented at Figure 17
1205720 Delay + 119875
1+ Resource 2 le 119905
2le 3 5 le 119905
3le 6 2 le 119905
1le 2 6 le 119905
5le 6
1205721 Delay + 119875
1+Wait 3 le 119905
3le 4 4 le 119905
5le 4
1205722 Delay + 119875
1+ Resource 2 le 119905
2le 3 3 le 119905
3le 4 2 le 119905
1le 2 6 le 119905
5le 6
1205723 Delay + 119875
3+Wait 0 le 119905
4le 1 0 le 119905
5le 1
1205724 1198751+Wait + Block 0 le 119905
3le 0
1205725 Delay + 119875
1+Wait 1 le 119905
3le 2 4 le 119905
5le 4
1205726 Delay + 119875
1+ Resource 2 le 119905
2le 3 1 le 119905
3le 2 2 le 119905
1le 2 6 le 119905
5le 6
1205727 Delay + Resource + 119875
12 le 1199052le 3 5 le 119905
3le 6 2 le 119905
1le 2 0 le 119905
5le 1
1205728 1198753+Wait + Block 0 le 119905
4le 1
1205729 Delay + 119875
3+Wait 0 le 119905
4le 1 2 le 119905
5le 3
12057210 Delay + 119875
1+Wait 0 le 119905
3le 0 4 le 119905
5le 4
12057211 Delay + Resource + 119875
3
0 le 1199052le 2 0 le 119905
1le 1 4 le 119905
5le 5
0 le 1199052minus 1199051le 1 minus4 le 119905
2minus 1199055le minus3 minus4 le 119905
1minus 1199055le minus4
12057212 Delay + Resource + 119875
12 le 1199052le 3 0 le 119905
3le 0 2 le 119905
1le 2 6 le 119905
5le 6
12057213 Resource + 119875
1+ Block 1 le 119905
2le 3 4 le 119905
3le 6 minus4 le 119905
2minus 1199053le minus2
12057214 Resource + 119875
1+ Block 2 le 119905
2le 3 5 le 119905
3le 6
12057215 Delay + Resource + 119875
12 le 1199052le 3 5 le 119905
3le 6 2 le 119905
1le 2 1 le 119905
5le 3
12057216 Delay + 119875
3+Wait 0 le 119905
4le 1 4 le 119905
5le 4
12057217 Delay + Resource + 119875
32 le 1199052le 3 2 le 119905
1le 2 6 le 119905
5le 6
12057218 1198751+Wait + Block 2 le 119905
3le 4
12057219 Delay + 119875
1+Wait 3 le 119905
3le 4 0 le 119905
5le 1
12057220 Resource + 119875
1+ Block 0 le 119905
2le 2 3 le 119905
3le 5 minus4 le 119905
2minus 1199053le minus2
12057221 Delay + Resource + 119875
12 le 1199052le 3 5 le 119905
3le 6 2 le 119905
1le 2 3 le 119905
5le 4
12057222 Delay + 119875
1+Wait 3 le 119905
3le 4 1 le 119905
5le 2
12057223 1198751+Wait + Block 1 le 119905
3le 3
ResourceDelay
WaitBlock
1199054[0 1]
1199052[2 3]1199051[2 2]1199055[6 6] 1199053[5 6]
1199012
1199011
Figure 17 A periodic system with 119879119888= 1199051 1199052
behavior of the buffer considering the period of the task 1198791
And finally 1198791executes within [2 2] time units 119879
2in [2 3]
1198793within [5 6] and 119879
4in [0 1]
The state class graph of the model is given in Figure 18and Table 2 shows the state class informations Basedon the state class graph of the system the state classes1205724 1205728 12057213 12057214 12057218 12057220 and120572
23are forbidden Let us briefly
trace the algorithm on the state class graph First we followthe algorithm on the left branch where the state classes1205724 1205728 and 120572
13are located The algorithm starts from 120572
0
and is executed recursively to 1205721 then 120572
3 1205727and finally
reaches to 12057213with a forbidden markingThen it comes back
to 1205727with 119905
5 and to 120572
3with 119905
41199055 The other successor
available from 1205723is 1205728which is also forbidden Till now
there is no enabled controllable transition to avoid theseclasses and the algorithm continues returning back to 120572
1
with 119905311990541199055 11990531199055 The other successor available from 120572
1
is 1205724which is also forbidden Thus it returns back to
1205720with 119905
2119905311990541199055 119905211990531199055 11990521199055 The other successor available
from 1205720is 1205722which is safe and the algorithm continues to
1205725 1205729 12057215 12057219 and finally 120572
18which is a forbidden state
Then it goes back to 12057219
with 1199055 and consequently to 120572
15
with 11990521199055 The other successors available from 120572
15are the
forbidden state 12057220and 120572
2which is already under processing
Note that two enabled controllable transitions are available at12057215 but the controller cannot act at this level because 119905
5may
fire before 1199051or 1199052and lead to a forbidden state Then the
algorithm continues and returns back to 1205729with 119905
411990521199055 11990521199055
where no controllable transition is available Consequentlythe algorithm continues and returns back to 120572
5and finally
reaches to 1205722where newly enabled controllable transitions
are available Till now the path to be avoided at 1205722includes
11990521199053119905411990521199055 1199052119905311990541199055
The procedure is similar for the other path availablefrom 120572
2including 120572
6and its successors The forbidden state
reachable through this path is 12057223and in order to avoid this
forbidden state the controller can act at 12057221with two enabled
controllable transitions So nothing is returned to 1205722from
this path Having a closer look to the state class graph andthe output of the algorithm we conclude that at each statewhere 119905
1and 1199052are newly enabled and the controller should
act (ie 1205720 1205722 and 120572
21) the controller should force 119905
1to fire
before 1199052(ie 119905
2minus 1199051gt 0) In other words 119905
2should not be
active at [2 2] It is sufficient to add an inhibitor hyperarcto deactivate 119905
2at [2 2] The controller cannot act at the
12 Journal of Engineering
1205721
1205727
1205720 12057261199051 1199051
1199051
1199055
11990511199052
1205722
1205723
11990511199053
12057212
12057223 12057222
11990511199052
1199052
11990531199053
12057211
11990531199053
1199054
1199053
1199053
1199053
1199052
1199052
1199052
1199052
1199052
1199052
12057210
1199055
1199055
1199055
119905511990551199054 119905212057216 1205721712057220
12057215
1199051
1199054
12057213
12057218
12057219
12057214
1205724
1199054 1205729
1205725
120572211205728
Figure 18 The state class graph of the TPN presented at Figure 17
1199054[0 1]
1199052[0 1]1199051[2 2]
1199055[6 6]
1199053[5 6]
ResourceDelay
Wait
Block
1199012119901susp
1199011
Figure 19 Controlled model of Figure 17 using inhibitor hyperarcs
state class 12057215
as discussed earlier and has nothing to do atthe state class 120572
6(the permissive controller will act later at
the state class 12057221) Note that a state class like 120572
14which is
reachable through a forbidden state (1205728) is not processed by
the algorithm as it is supposed to be avoided in the controlledsystem The controlled model using inhibitor hyperarcs isgiven at Figure 19
Our model is now safe Yet some challenges exist Lookat the state class graph of the model presented at Figure 18In some paths one task is executed frequently while othersare still waiting For example see the paths leading to 120572
17
Although the system is not blocked some of the tasks cannotbe executed A good scheduler had better to performdifferenttasks alternatively We may want to consider alternationparticular sequences add a deadline for each task or otherpossible policies And finally we may ask if it is possible torestrict the execution time of a task even if it is in its safesubintervalThen while synthesizing a scheduler we can addmore constraints and scheduling policies beyond ldquosafe statesrdquoFurther researches are required to answer these questions
7 Conclusion
In this paper we have extended the approach discussed in[9] to time Petri nets with stopwatch and have suggested toassociate the controllable transitions with stopwatch in orderto prevent their bad subintervals We have proposed thatin case a controller (like a scheduler) cannot restrict timeintervals associated with controllable transitions the control-lable transitions can be suspended in their bad subintervals
Synthesizing a time Petri net associated with stopwatch iscomplicated and needs some overapproximations Besidestime Petri nets associated with stopwatch do not preservethe boundedness property In this paper we have suggesteda more effective alternative We synthesize a time Petri netwithout stopwatch and then equip the controllable transi-tions with stopwatch where necessary With this assumptionevery controllable transition can be suspended in its badsubinterval and resumed otherwise Amongst different typesof stopwatch our solution is based on inhibitor hyperarcs
The approach suggested in this paper is particularlyuseful at design level for preemptive scheduling purposesmanaging shared resources and critical sections This is agood starting point for further researches on schedulingand to calculate automatically a scheduler in a multitaskingsystem It is interesting to see how the approach can beapplied in amore general case with a variable number of tasksand dependencies Consider different scheduling policies arechallenging and areworth to be considered in further studies
References
[1] P Heidari A forward on-the-fly approach for safety and reach-ability controller synthesis of timed systems [PhD thesis] EcolePolytechnique de Montreal 2012
[2] F Cassez and K Larsen ldquoThe impressive power of stopwatchesautomatardquo in Proceedings of the 11th International Conferenceon Concurrency Theory (CONCUR rsquo00) pp 138ndash152 Springer2000
[3] O H Roux and D Lime ldquoTime petri nets with inhibitorhyperarcs formal semantics and state space computationrdquo inProceedings of the International Conference on Application andTheory of Petri Nets (ICATPN rsquo04) pp 371ndash390 2004
[4] A Allahham and H Alla ldquoPost and pre-initialized stopwatchPetri nets formal semantics and state space computationrdquoNonlinear Analysis vol 2 no 4 pp 1175ndash1186 2008
[5] A Allahham and H Alla ldquoReseaux de Petri a chronometrespost et pre-initialisesrdquo in Proceedings of the 6 eme ColloqueFrancophone sur la Modelisation des Systemes Reactifs (MSRrsquo07) pp 263ndash280 Lyon France 2007
[6] D Isovic and G Fohler ldquoEfficient scheduling of sporadicaperiodic and periodic tasks with complex constraintsrdquo in
Journal of Engineering 13
Proceedings of the 21st IEEE Real-Time Systems Symposium pp207ndash216 2000
[7] K Altisen G Gossler and J Sifakis ldquoA methodology for theconstruction of scheduled systemsrdquo in Proceedings of the FormalTechniques in Real-Time and Fault-Tolerant Systems (FTRTFTrsquo00) pp 106ndash120 2000
[8] K Altisen G Gossler A Pnueli J Sifakis S Tripakis and SYovine ldquoA framework for scheduler synthesisrdquo in Proceedingsof the 20th IEEE Real-Time Systems Symposium (RTSSrsquo99) pp154ndash163 December 1999
[9] P Heidari and H Boucheneb ldquoEfficient method for checkingthe existence of a safety reachability controller for time petrinetsrdquo in Proceedings of the 10th International Conference onApplication of Concurrency to System Design (ACSD rsquo10) pp201ndash210 June 2010
[10] O-H Roux D Lime S Haddad F Cassez and B BrardldquoComparison of different semantics for time Petri netsrdquo inProceedings of the 3rd Automated Technology for Verification andAnalysis vol 3707 of Lecture Notes in Computer Science pp293ndash307 2005
[11] M Boyer and F Vernadat ldquoLanguage and bisimulation relationsbetween subclasses of timed petri nets with strong timingsemanticrdquo Tech Rep LAAS 2000
[12] W Penczek and A Polrola ldquoSpecification and model checkingof temporal properties in time Petri nets and timed automatardquoin Proceedings of the 25th International Conference on Appli-cation and Theory of Petri Nets vol 3099 of Lecture Notes inComputer Science pp 37ndash76 2004
[13] B Berthomieu andM Diaz ldquoModeling and verification of timedependent systems using time Petri netsrdquo IEEE Transactions onSoftware Engineering vol 17 no 3 pp 259ndash273 1991
[14] H Boucheneb G Gardey and O H Roux ldquoTCTL modelchecking of time petri netsrdquo Journal of Logic and Computationvol 19 no 6 pp 1509ndash1540 2009
[15] J Bengtsson Clocks DBMs and states in timed systems [PhDthesis] Uppsala Universitet Sweden 2002
[16] B Berthomieu and F Vernadat ldquoState class constructions forbranching analysis of time Petri netsrdquo in Proceedings of the9th International Conference on Tools and Algorithms for theConstruction and Analysis of Systems (TACAS rsquo03) pp 442ndash4572003
[17] D Lime andO Roux ldquoA translation basedmethod for the timedanalysis of scheduling extended time Petri netsrdquo in Proceedingsof the 25th IEEE International Real-Time Systems Symposium(RTSS rsquo04) pp 187ndash196 December 2004
[18] G Bucci A Fedeli L Sassoli and E Vicario ldquoTimed state spaceanalysis of real-time preemptive systemsrdquo IEEE Transactions onSoftware Engineering vol 30 no 2 pp 97ndash111 2004
[19] T A Henzinger P-H Ho and H Wong-Toi ldquoHYTECH amodel checker for hybrid systemsrdquo in Proceedings of the 9thInternational Conference on Computer-Aided Verification (CAVrsquo97) vol 1254 of Lecture Notes in Computer Science pp 460ndash463 Springer Berlin Germany 1997
[20] P Heidari andH Boucheneb ldquoMaximally permissive controllersynthesis for time petri netsrdquo International Journal of Controlvol 86 no 3 pp 493ndash511 2013
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
12 Journal of Engineering
1205721
1205727
1205720 12057261199051 1199051
1199051
1199055
11990511199052
1205722
1205723
11990511199053
12057212
12057223 12057222
11990511199052
1199052
11990531199053
12057211
11990531199053
1199054
1199053
1199053
1199053
1199052
1199052
1199052
1199052
1199052
1199052
12057210
1199055
1199055
1199055
119905511990551199054 119905212057216 1205721712057220
12057215
1199051
1199054
12057213
12057218
12057219
12057214
1205724
1199054 1205729
1205725
120572211205728
Figure 18 The state class graph of the TPN presented at Figure 17
1199054[0 1]
1199052[0 1]1199051[2 2]
1199055[6 6]
1199053[5 6]
ResourceDelay
Wait
Block
1199012119901susp
1199011
Figure 19 Controlled model of Figure 17 using inhibitor hyperarcs
state class 12057215
as discussed earlier and has nothing to do atthe state class 120572
6(the permissive controller will act later at
the state class 12057221) Note that a state class like 120572
14which is
reachable through a forbidden state (1205728) is not processed by
the algorithm as it is supposed to be avoided in the controlledsystem The controlled model using inhibitor hyperarcs isgiven at Figure 19
Our model is now safe Yet some challenges exist Lookat the state class graph of the model presented at Figure 18In some paths one task is executed frequently while othersare still waiting For example see the paths leading to 120572
17
Although the system is not blocked some of the tasks cannotbe executed A good scheduler had better to performdifferenttasks alternatively We may want to consider alternationparticular sequences add a deadline for each task or otherpossible policies And finally we may ask if it is possible torestrict the execution time of a task even if it is in its safesubintervalThen while synthesizing a scheduler we can addmore constraints and scheduling policies beyond ldquosafe statesrdquoFurther researches are required to answer these questions
7 Conclusion
In this paper we have extended the approach discussed in[9] to time Petri nets with stopwatch and have suggested toassociate the controllable transitions with stopwatch in orderto prevent their bad subintervals We have proposed thatin case a controller (like a scheduler) cannot restrict timeintervals associated with controllable transitions the control-lable transitions can be suspended in their bad subintervals
Synthesizing a time Petri net associated with stopwatch iscomplicated and needs some overapproximations Besidestime Petri nets associated with stopwatch do not preservethe boundedness property In this paper we have suggesteda more effective alternative We synthesize a time Petri netwithout stopwatch and then equip the controllable transi-tions with stopwatch where necessary With this assumptionevery controllable transition can be suspended in its badsubinterval and resumed otherwise Amongst different typesof stopwatch our solution is based on inhibitor hyperarcs
The approach suggested in this paper is particularlyuseful at design level for preemptive scheduling purposesmanaging shared resources and critical sections This is agood starting point for further researches on schedulingand to calculate automatically a scheduler in a multitaskingsystem It is interesting to see how the approach can beapplied in amore general case with a variable number of tasksand dependencies Consider different scheduling policies arechallenging and areworth to be considered in further studies
References
[1] P Heidari A forward on-the-fly approach for safety and reach-ability controller synthesis of timed systems [PhD thesis] EcolePolytechnique de Montreal 2012
[2] F Cassez and K Larsen ldquoThe impressive power of stopwatchesautomatardquo in Proceedings of the 11th International Conferenceon Concurrency Theory (CONCUR rsquo00) pp 138ndash152 Springer2000
[3] O H Roux and D Lime ldquoTime petri nets with inhibitorhyperarcs formal semantics and state space computationrdquo inProceedings of the International Conference on Application andTheory of Petri Nets (ICATPN rsquo04) pp 371ndash390 2004
[4] A Allahham and H Alla ldquoPost and pre-initialized stopwatchPetri nets formal semantics and state space computationrdquoNonlinear Analysis vol 2 no 4 pp 1175ndash1186 2008
[5] A Allahham and H Alla ldquoReseaux de Petri a chronometrespost et pre-initialisesrdquo in Proceedings of the 6 eme ColloqueFrancophone sur la Modelisation des Systemes Reactifs (MSRrsquo07) pp 263ndash280 Lyon France 2007
[6] D Isovic and G Fohler ldquoEfficient scheduling of sporadicaperiodic and periodic tasks with complex constraintsrdquo in
Journal of Engineering 13
Proceedings of the 21st IEEE Real-Time Systems Symposium pp207ndash216 2000
[7] K Altisen G Gossler and J Sifakis ldquoA methodology for theconstruction of scheduled systemsrdquo in Proceedings of the FormalTechniques in Real-Time and Fault-Tolerant Systems (FTRTFTrsquo00) pp 106ndash120 2000
[8] K Altisen G Gossler A Pnueli J Sifakis S Tripakis and SYovine ldquoA framework for scheduler synthesisrdquo in Proceedingsof the 20th IEEE Real-Time Systems Symposium (RTSSrsquo99) pp154ndash163 December 1999
[9] P Heidari and H Boucheneb ldquoEfficient method for checkingthe existence of a safety reachability controller for time petrinetsrdquo in Proceedings of the 10th International Conference onApplication of Concurrency to System Design (ACSD rsquo10) pp201ndash210 June 2010
[10] O-H Roux D Lime S Haddad F Cassez and B BrardldquoComparison of different semantics for time Petri netsrdquo inProceedings of the 3rd Automated Technology for Verification andAnalysis vol 3707 of Lecture Notes in Computer Science pp293ndash307 2005
[11] M Boyer and F Vernadat ldquoLanguage and bisimulation relationsbetween subclasses of timed petri nets with strong timingsemanticrdquo Tech Rep LAAS 2000
[12] W Penczek and A Polrola ldquoSpecification and model checkingof temporal properties in time Petri nets and timed automatardquoin Proceedings of the 25th International Conference on Appli-cation and Theory of Petri Nets vol 3099 of Lecture Notes inComputer Science pp 37ndash76 2004
[13] B Berthomieu andM Diaz ldquoModeling and verification of timedependent systems using time Petri netsrdquo IEEE Transactions onSoftware Engineering vol 17 no 3 pp 259ndash273 1991
[14] H Boucheneb G Gardey and O H Roux ldquoTCTL modelchecking of time petri netsrdquo Journal of Logic and Computationvol 19 no 6 pp 1509ndash1540 2009
[15] J Bengtsson Clocks DBMs and states in timed systems [PhDthesis] Uppsala Universitet Sweden 2002
[16] B Berthomieu and F Vernadat ldquoState class constructions forbranching analysis of time Petri netsrdquo in Proceedings of the9th International Conference on Tools and Algorithms for theConstruction and Analysis of Systems (TACAS rsquo03) pp 442ndash4572003
[17] D Lime andO Roux ldquoA translation basedmethod for the timedanalysis of scheduling extended time Petri netsrdquo in Proceedingsof the 25th IEEE International Real-Time Systems Symposium(RTSS rsquo04) pp 187ndash196 December 2004
[18] G Bucci A Fedeli L Sassoli and E Vicario ldquoTimed state spaceanalysis of real-time preemptive systemsrdquo IEEE Transactions onSoftware Engineering vol 30 no 2 pp 97ndash111 2004
[19] T A Henzinger P-H Ho and H Wong-Toi ldquoHYTECH amodel checker for hybrid systemsrdquo in Proceedings of the 9thInternational Conference on Computer-Aided Verification (CAVrsquo97) vol 1254 of Lecture Notes in Computer Science pp 460ndash463 Springer Berlin Germany 1997
[20] P Heidari andH Boucheneb ldquoMaximally permissive controllersynthesis for time petri netsrdquo International Journal of Controlvol 86 no 3 pp 493ndash511 2013
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
Journal of Engineering 13
Proceedings of the 21st IEEE Real-Time Systems Symposium pp207ndash216 2000
[7] K Altisen G Gossler and J Sifakis ldquoA methodology for theconstruction of scheduled systemsrdquo in Proceedings of the FormalTechniques in Real-Time and Fault-Tolerant Systems (FTRTFTrsquo00) pp 106ndash120 2000
[8] K Altisen G Gossler A Pnueli J Sifakis S Tripakis and SYovine ldquoA framework for scheduler synthesisrdquo in Proceedingsof the 20th IEEE Real-Time Systems Symposium (RTSSrsquo99) pp154ndash163 December 1999
[9] P Heidari and H Boucheneb ldquoEfficient method for checkingthe existence of a safety reachability controller for time petrinetsrdquo in Proceedings of the 10th International Conference onApplication of Concurrency to System Design (ACSD rsquo10) pp201ndash210 June 2010
[10] O-H Roux D Lime S Haddad F Cassez and B BrardldquoComparison of different semantics for time Petri netsrdquo inProceedings of the 3rd Automated Technology for Verification andAnalysis vol 3707 of Lecture Notes in Computer Science pp293ndash307 2005
[11] M Boyer and F Vernadat ldquoLanguage and bisimulation relationsbetween subclasses of timed petri nets with strong timingsemanticrdquo Tech Rep LAAS 2000
[12] W Penczek and A Polrola ldquoSpecification and model checkingof temporal properties in time Petri nets and timed automatardquoin Proceedings of the 25th International Conference on Appli-cation and Theory of Petri Nets vol 3099 of Lecture Notes inComputer Science pp 37ndash76 2004
[13] B Berthomieu andM Diaz ldquoModeling and verification of timedependent systems using time Petri netsrdquo IEEE Transactions onSoftware Engineering vol 17 no 3 pp 259ndash273 1991
[14] H Boucheneb G Gardey and O H Roux ldquoTCTL modelchecking of time petri netsrdquo Journal of Logic and Computationvol 19 no 6 pp 1509ndash1540 2009
[15] J Bengtsson Clocks DBMs and states in timed systems [PhDthesis] Uppsala Universitet Sweden 2002
[16] B Berthomieu and F Vernadat ldquoState class constructions forbranching analysis of time Petri netsrdquo in Proceedings of the9th International Conference on Tools and Algorithms for theConstruction and Analysis of Systems (TACAS rsquo03) pp 442ndash4572003
[17] D Lime andO Roux ldquoA translation basedmethod for the timedanalysis of scheduling extended time Petri netsrdquo in Proceedingsof the 25th IEEE International Real-Time Systems Symposium(RTSS rsquo04) pp 187ndash196 December 2004
[18] G Bucci A Fedeli L Sassoli and E Vicario ldquoTimed state spaceanalysis of real-time preemptive systemsrdquo IEEE Transactions onSoftware Engineering vol 30 no 2 pp 97ndash111 2004
[19] T A Henzinger P-H Ho and H Wong-Toi ldquoHYTECH amodel checker for hybrid systemsrdquo in Proceedings of the 9thInternational Conference on Computer-Aided Verification (CAVrsquo97) vol 1254 of Lecture Notes in Computer Science pp 460ndash463 Springer Berlin Germany 1997
[20] P Heidari andH Boucheneb ldquoMaximally permissive controllersynthesis for time petri netsrdquo International Journal of Controlvol 86 no 3 pp 493ndash511 2013
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of