Controller Synthesis of Time Petri Nets Using Stopwatch

. Scheduling is often a difficult task specially in complex systems. Few tools are targeted at both modeling and scheduling of the systems. In controller synthesis, a scheduler is seen as a controller to manage shared resources and timing requirements of a system. This paper proposes a time Petri net-based approach for controller synthesis and finding a scheduler using stopwatch. The solution suggested here is particularly interesting for preemptive scheduling purposes. This paper deals with time Petri nets with controllable anduncontrollabletransitionsandassumesthatacontrollabletransitioncanbesuspendedandretrievedwhennecessary.Infact,the papersupposesthateverycontrollabletransitioncanbeassociatedwithstopwatch.Withthishypothesis,theobjectiveistomodel asystembytimePetrinetsandcalculatesubintervalswherethesystemviolatesthegivenproperty.Then,thecontrollerassociates thecorrespondingcontrollabletransitionswithstopwatchtosuspendthemintheirbadsubintervals.Theinterestingadvantageof thissolutionisthatthisapproachsynthesizesanordinarytimePetrinetmodelbeforeaddingstopwatch.Therefore,complicated computationsandoverapproximationsrequiredduringcontrollersynthesisoftimePetrinetsassociatedwithstopwatchareavoided.


Introduction
As c h e d u l e ri sak i n do fc o n t r o l l e rt h a tm a n a g e ss h a r e d resources and timing specifications of the system.In the concept of controller synthesis, actions are partitioned into two disjoint sets,  and .C o n t r o llableactionsarethosethatcanbemanagedbythecontroller (forced to happen or prevented from happening).Uncontrollable actions are those that the controller has no control on.As an example, an internal counter in a digital system progresses with each clock cycle until it captures a predefined value and is reset after then.In a multitasking system, a newly arrived task waits for accessing resources.After accessing the required resources, each task spends its execution time and then releases the resources.If the task is periodic, it stays in a passive state before its next arrival.Process arrival depends on its period and its termination depends on the execution time.Then, both process arrival and termination of execution are uncontrollable, whereas access to the shared resources and starting the execution are controllable [1].
In order to manage shared resources among different periodic tasks with different levels of priority, the solution is to suspend a task with the lower priority and let the others with the higher priorities execute and use the resources.Then, the suspended task is retrieved until it finishes its execution.When a task is suspended, the execution time is not progressing.This behavior is modeled by stopwatch.
Stopwatch is an extension of timed models to facilitate modeling of interruption and resumption of a job.Once an interrupt happens, a task is suspended.Later, it is retrieved and continued from where it was interrupted.During the interruption, the clock of interrupted task is stopped while other clocks progress normally.The idea of stopwatch has been discussed and extended to timed automata (TA) as well as time petri nets (TPN) and some types of TA and TPN associated with stopwatch are already introduced [2][3][4][5].Instopwatch,wemayhavesomestateswhoseclockskeep progressing, while in some other states the clock is stopped andkeepsthevalueithadbeforebeinginterruptedasifthe clock has a memory and after being retrieved it continues withitspreviousvalue.
In a multitasking real-time system with interruptible tasks and shared resources, a suitable scheduler is necessary to manage the resources and to prevent blocking and deadlock.The scheduler guarantees the well functionality of the system in terms of respecting deadline, priority, and similar constraints.Each task cannot start execution until the required resources are available.A task releases the occupied resources after finishing its execution.
In multitasking systems, tasks are categorized to periodic, aperiodic, and sporadic [6].
(i) Periodic Task.Periodic tasks arrive in regular intervals.Worst-case and best-case execution time is of the specifications defined for periodic tasks.Deadline is the other characteristic defined for these tasks with respect to their worst-case execution time.Deadline in periodic tasks can be either soft or hard.A critical deadline is called hard deadline whereas meeting a soft deadline is not critical.
(ii) Aperiodic Task.Tasks with irregular interarrivals are called aperiodic.Aperiodic tasks are usually associated with soft deadlines.
(iii) Sporadic Task.Aperiodic tasks with a minimum interarrival are called sporadic.Sporadic tasks are associated with hard deadlines.
A periodic task may have the following three states [7].
(i) Waiting.Once a periodic task arrives, it should wait for required resources.
(ii) Execution.When all required resources are available, the task starts its execution and spends its execution time in this state.
(iii) Passive.A ft e rb e i n ge x e c u t e d ,t h et a s kr e l e a s e st h e required resources and waits until its next arrival.The time between two consecutive task arrivals is equal with the given period.
In a multitasking system with periodic tasks, the scheduler should manage the shared resources in a way that the predefined period for the tasks is respected.On the other hand, some of the tasks may be associated with a deadline or priority.In that case, the scheduler should suspend the execution of a task with lower priority and let the higher priority tasks to use the resources.Once the tasks with higher priority are executed, the other tasks with lower priorities are retrieved and continue their execution.This behavior is called preemptive scheduling.
I nt h efi e l do fc o n t r o l l e rs y n t h e s i s ,as c h e d u l e ri ss e e n as a controller [7,8].The scheduler should manage the shared resources and starts execution of each task in a way that the timing constraints, deadlines, and priorities are respected.Arrival of each task is due to its period and then is uncontrollable.Execution time is also predefined and then isuncontrollable.Theonlycontrollableactionisthestarting of an execution.In preemptive scheduling, a task can be suspended during its execution and leave the resources to some other task with a higher priority.
O n es o l u t i o ni st om o d e lt h es y s t e mw i t ht i m eP e t r i nets associated with stopwatch.In this context, each task execution is modeled by a transition equipped with stopwatch a n dt h e nt h ec o r r e s p o n d i n gc o n t r o l l e ri ss y n t h e s i z e dt o manage suspension and resumption of each task such that the corresponding timing constraints are respected.As we will see in this paper, one problem with this solution is that the state space of time Petri nets associated with stopwatch is not exact and requires some overapproximation.
The other problem is that time Petri nets associated with stopwatch does not preserve the boundedness property.Let N 1 be a time Petri net, N 2 be a time Petri net associated with stopwatch, and SCG shows the corresponding state class graph, the following relation holds: This condition is not always true for a time Petri net associated with stopwatch.In other terms, Indeed, if the number of reachable markings in a time Petri net associated with stopwatch is finite, the number of state classes is not necessarily finite [3].These limitations hinder the controller synthesis of time Petri nets with stopwatch.
In this paper, we suggest an alternative solution.We propose to synthesize a time Petri net without stopwatch where the transitions corresponding to the task executions are considered controllable.We extract the controller (i.e., scheduling strategy) and then add the stopwatch to model the controlled system (the system and its scheduler).In fact, we suggest to implement the synthesized controller by means of stopwatch.
I nt h ef o l l o w i n g ,w ed i s c u s sh o wt h ea l g o r i t h ms u ggested in [9] for controller synthesis of time Petri nets is used for scheduling purposes to synthesize a controller for interruptible tasks.The algorithm of [9]i sp e r m i s s i v ea n d the computed controller is restricting time intervals making the system to satisfy the given properties.In this paper, we suggest to suspend a task during its bad subinterval.This approach is useful for preemptive scheduling purposes where safety properties correspond to meeting deadlines, priorities, preventing deadlock for shared resources, and so forth.
In this paper, we use a synthesized controller (output of the algorithm of [9]i np a r t i c u l a r ) ,a n dw es h o wh o wt o control the system using stopwatch.In order to implement the controller by means of stopwatch, we assume that it is possible to associate each controllable transition with a stopwatch so as to suspend or resume it whenever needed.
The rest of this paper is organized as follows.Section 2 is dedicated to time Petri nets, their definition, and semantics.Section 3 presents a literature review on different stopwatch Petri nets.Section 4 has a brief survey on the solution proposed in [9].Section 5 synthesizes a controller using stopwatch.Section 6 presents an example of a multitasking system.Finally, Section 7 gives the conclusion and future work.

Time Petri Nets
A time Petri net (TPN) is a Petri net augmented with time intervals associated with transitions.This paper focuses on the classical semantics, called intermediate semantics in [10], in the context of monoserver and strong semantics [11].Formally, a TPN is a tuple (, , Pre, Post, 0 , Is) where (i)  and  are finite sets of places and transitions such that ( ∩  = 0).
(ii) Pre and Post are the backward and the forward incidence functions (Pre, Post :× → N,whereN is the set of nonnegative integers).
(iv) Is is the static interval function (Is For the sake of simplicity and clarification, in this paper the controllable transitions are depicted as white bars, while the uncontrollable ones as black bars.
ATPN,iscalledboundedifforeveryreachablemarking ,t h e r ei sab o u n d∈N  where ≤holds.In this condition,  stands for the number of places in .
(i) (, Id) To use enumerative analysis techniques with time Petri nets, their generally infinite state spaces are abstracted.Abstraction techniques construct by removing some irrelevant details, a finite contraction of the state space of the model, which preserves properties of interest.For best performances, the contraction should also be the smallest possible and computed with the minimal resources in terms of time a n ds p a c e .Th ep r e s e r v e dp r o p e r t i e sa r eu s u a l l yv e r i fi e d using standard analysis techniques on the abstractions [12].Severalstatespaceabstractionmethodshavebeenproposed in the literature for time Petri nets (the state class graph (SCG) [13], the zone based graph (ZBG) [14], etc.).They may differ in the characterization of states (interval or clock states), the state agglomeration criteria, the abstract states representation, the preserved properties (markings, linear or branching properties), and their size.
These abstractions are finite for all bounded time Petri nets.However, abstractions based on clocks are less interesting than the interval-based abstractions when only linear properties are of interest.Indeed, abstractions based on clocks do not enjoy naturally the finiteness property for bounded TPN with unbounded intervals as it is the case for abstractions based on intervals.The finiteness is enforced using an approximation operation, which may involve some overhead computation.The algorithm of [9]isbasedonthe state class graph method.
2.1.The State Class Graph Method.In the state class graph method [13], all states reachable by the same firing sequence fromtheinitialstateareagglomeratedinthesamenodeand considered modulo the relation of equivalence defined by: tw osetso fs ta t esa r eeq ui valen tifa n do nl yifth eyh a v eth e same marking and the same firing domain (the firing domain of a set of states is the union of the firing domains of its states).All equivalent sets are agglomerated in the same node called a state class defined as a pair  = (, ),where is a marking and  is a formula which characterizes the firing domain of .For each transition   enabled in ,thereisavariable  ,in , representing its firing delay. can be rewritten as a set of atomic constraints of the form   −  ≤ ,   ≤or −  ≤ , where   ,   are transitions, ∈Q ∪ {∞},andQ is the set of rational numbers.(for economy of notation, we use operator ≤ even if =∞): Each domain is expressed by the canonical form that is usually encoded by a difference bound matrix (DBM) [15].The canonical form of  is encoded by the DBM  (a square matrix) of order |En()| + 1 defined by: ∀  ,  ∈ En() ∪ { 0 },   =( ≤ , Sup  (  −  )),w h e r e 0 ( 0 ∉ )r e p r e s e n t s a fictitious transition whose delay is always equal to 0 and Sup  (  −  ) is the largest value of   −  in the domain of .Its computation is based on the shortest path Floyd-Warshall's algorithm and is considered as the most costly operation (cubic in the number of variables in ).The canonical form of a DBM makes some operations over formulas like the test of equivalence easier.Two formulas are equivalent if and only if the canonical forms of their DBMs are identical.
The initial state class is  0 =(  0 , 0 ),w h e r e 0 = ⋀   ∈En( 0 ) ↓ Is(  )≤  ≤↑ Is(  ).L e t = (, ) be as t a t ec l a s sa n d  a transition and succ(,   ) the set of states defined by: succ(, Thestateclass has a successor by   (i.e., succ(,   ) ̸ =0),i fa n do nl yi f  is enabled in  and can be fired before any other enabled transition; that is, the following formula is consistent: ∧( ⋀   ∈En()   ≤  ).AformulaF is consistent if and only if there is, at least, one tuple of values that satisfies, at once, all constraints of F.Inthis case, the firing of   leadstothesta teclass  =(   ,  )= succ(,   ) computed as follows [13].
(4) Eliminate by substitution   and each   of transition conflicting with   in . ( Formally, the SCG of a TPN model is a structure (CC, →, 0 ),w h e r e 0 =(  0 , 0 ) is the initial state class, ∀  ∈ , =0 and CC ={ |  0 *  → } .Th eS C Gi sfi n i t ef o ra l lb o u n d e dT P N sa n d preserves linear properties [16].Let  = (, ) be a state class and ∈ + a sequence of transitions firable from .We denote succ(, ) the state class reachable from  by firing successively transitions of .We define inductively this set as follows: succ(, ) = , if =and succ(, ) = succ(succ(,   ),   ), if =  ⋅  .
As an example, Figure 2 shows the state class graph of the TPN presented at Figure 1.Its state classes are reported in Table 1.
Let  be a sequence of transitions firable from ,thesame transition may be newly enabled several times.To distinguish among different enablings of the same transition   , we denote    for >0the transition   (newly) enabled by the kth transition of the sequence;  0  denotes the transition   enabled in .Let=  1 1 ,...,    ∈ + with >0be a sequence of transitions firable from  s.t.succ(, ) ̸ =0.We define Fire(, ) the largest subclass   of  (i.e.,   ⊆ )s .t . is firable from all its states, that is, Fire(,

Literature Review
The idea of suspension and resumption of a task in a system is modeled in different ways in timed automata and time Petri nets [2-4, 17, 18].In [2], the authors have introduced stopwatch automata (SWA) as a subclass of timed linear hybrid automata.In stopwatch automata, an additional binary variable is defined to show the rate of time progression.The clocks may have two velocities (time derivation): zero or one.Zero signifies stopped while one signifies normal progress.If clocks are running, they progress with a global rate, identical to all nonstopped clocks of the model.The authors have shown that stopwatch automata is as expressive as timed languages.
In [3], the authors have introduced inhibitor hyperarcs to interrupt an enabled transition.Once a place  connected to a transition  via an inhibitor arc is marked, the transition  is suspended and stops firing.In other words, once an inhibitor arc is enabled, the corresponding transition is interrupted.They have called these nets IHTPN (time Petri nets with inhibitor hyperarcs).In Figure 3,  1 is enabled.As soon as  2 is marked, firing  1 is suspended.Note that an inhibitor hyperarc is not graphically presented by a classical arrow; instead, it is depicted with an empty circle at the extreme of the edge.
In [17], the authors have discussed an extension of time Petri nets adapted for scheduling.This extension is called scheduling extended time Petri nets (SETPN).SETPN is suitable to model concurrent tasks and shared resources with fixed priority.The behavior of scheduler is implicitly included T able1:ThestateclassesoftheTPNpresentedatFigure 2.
in the model and the scheduler is not modeled as a separate agent.
In [17], time Petri nets are associated with two more properties  and  standing for resource allocation and priority, respectively.As an example, suppose two different concurrent tasks sharing the same resource ( is identical for both).Although both transitions are enabled, the one with a higher priority is active while the other is suspended.For each marking , a function Act determines whether  is active or not.
The time Petri nets presented in [17]a s s i g nb o t hp r iority and resources to places.It is particularly suitable for s c h e d u l i n ga p p r o a c h e s .S t a t es p a c ea n a l y s i si sd o n em a pping scheduling Petri nets to hybrid automata (state class stopwatch automata).The advantage of this solution is using an automated tool like HYTECH [19] already existing for manipulation of hybird automata.
Another extension of time Petri nets called preemptive time Petri nets is discussed in [18].Preemptive time Petri nets are suitable for scheduling and preemptive approaches.In Preemptive time Petri nets, resource and priority are characteristics of transitions while in SETPN they were assigned to places.The preemptive time Petri nets as well as scheduling extended time Petri nets are adapted specifically for scheduling purposes with fixed priority rather than general cases of interruption and resumption of some tasks.A more generalized model comes in [4,5].
Another stopwatch model comes in [4,5].Post-and Preinitialized stopwatch Petri nets (SWPN) [4,5]a l s om o d e l interruption and retrieving of tasks.In such stopwatch Petri nets, transitions are partitioned into two disjoint subclasses = int ∪ no-int where  int is the set of interruptible transitions and  no-int is the set of noninterruptible transitions.Stopwatches can suspend enabled interruptible transitions.For each transition   ,thereisafunction(  ) representing the value of its associated stopwatch.If   ∈ int , (  ) signifies the time elapsed since   was first enabled, whereas if   ∈ no-int , (  ) represents the time elapsed since   was last enabled.A transition is called firable if it is enabled (>Pre(  ))and ↓ Is(  )≤(  )≤↑Is(  ).
In contrary with IHTPN where a marked place suspended an enabled transition, in this model stopwatch consumes some tokens to disable an enabled transition.It is implemented by means of some extra places/transitions.A stopwatch transition is in conflict with an interruptible transition.Thus, consuming a token can suspend an interruptible enabled transition.With this model, an interrupt is unpredictable and we do not know when it happens.In fact at any time, the interruptible task and the interrupt both have equal chance to happen.The simple Petri nets of Figure 4 reported from [4]  The new concept Preinitialization defined in this model refers to noninterruptible transitions.For every   ∈ no-int ,   is firable if (  ) has already been initialized when   becomes enabled.In other words, (  )=0 when   ∈ ↑ enabled(  ,,  ).
The concept, postinitialization is defined for interruptible transitions.When an interruptible transition is fired the associated (  ) is initialized ((  )=0 ).Figures 5 and 6 reported from [4] show the difference between time evolution in an interruptible transition and a noninterruptible transition.In these figures, the notions , ,a n d stand for enabling, disabling, and firing of a transition, respectively.In brief, according to the types of transitions, two types of clock initialization are defined.
(i) Preinitialization.Given a transition   ∈ no-int where  no-int is the set of noninterruptible transitions, clock initialization is called preinitialization happening when   is recently enabled.As soon as a transition becomes enabled, its associated clock is initialized.
(ii) Postinitialization.Given a transition   ∈ int where  int is the set of interruptible transitions, clock initialization is called post-initialization happening after firing   ; it means that the transition initializes the clock after being fired.Post-initialization is dependent on transition firing.
In [4], continuous and discrete transitions are defined as follows.
Let ∈R + , a continuous transition is denoted by (, )   →(,  ) iff ∀  ∈: And a discrete transition is denoted by (, ) In order to perform further timing analysis, the same as scheduling extended time Petri nets of [17], the SWPN is transformed to hybrid automaton.In addition, a forward algorithm is suggested to compute reachable states.
If the number of stopwatches increases, for example if all of the transitions are interruptible, the complexity of calculation will highly increase.Scheduling time Petri nets and preemptive time Petri nets are both subclasses of stopwatch Petri nets.An ordinary TPN is also a SWPN where  int =0.
After having a survey on different stopwatch Petri nets availableintheliterature,inthefollowing,wewillhaveabrief review on the algorithm of [9] and then investigate how to integrate stopwatch in the controller synthesis approach of [9].

Safety Controller Synthesis Approach
Proposed in [9] Let N be a TPN with controllable and uncontrollable transitions (=  ∪  ) and a set of markings to be avoided (bad).For a safety property, the approach proposed in [9](see Algorithms 1 and 2) consists of exploring, on-the-fly and path by path, the state class graph of the TPN N while collecting the bad sequences and the losing states (sequences or states that lead to bad markings).The list Passed is used to retrieve thesetofstateclassesprocessedsofar ,theirbadsequences, and their losing subclasses.For a given state class  and a bad sequence  feasible from ,thefunctionFireisusedto compute forwardly all states of  which lead by a sequence of transitionstoanundesirablemarking(i.e.,alosingsubclass of ).The function explore receives parameters  being the class under process,  the transition leading to ,a n dC the set of traveled classes in the current path.Succinctly, it recursively computes the bad sequences of  (from bad sequences of its successors) and verifies whether or not  canbecontrolledsoastoavoiditsbadsequences.Itreturns the set of bad sequences if they cannot be avoided from .
Otherwise, it returns an empty set, which means that  can be controlled (i.e.,  has no bad sequences or there is at least one controllable transition   such that its firing interval in  c a nb er e s t r i c t e ds oa st oa v o i dr e a c h i n gb a ds t a t e s ) .Th e restriction of the interval of   in  is obtained by subtracting from its interval in ,intervalsof  in its bad subclasses.This approach tries to control the system behavior starting from the last to the first state class of bad paths.If it fails to control a state class of a path, so as to avoid all bad state classes, the algorithm tries to control its previous state classes.If it succeeds to control a state class, there is no need to control its predecessors.The aim is to limit as little as possible the behavior of the system (more permissive controller).
In [20], we have proven that this approach gives the maximally permissive controller and if it fails to compute the  controller then the controller does not exist.We have also investigated the hardness complexity of the approach step by step.
(i) The complexity of computing BI of a state class (in worst case) is (× ×  2 ) where  is the number of paths starting from the state class and leading to bad markings, is the maximal length of such paths, and   is the number of transitions in the model.
(ii) The complexity for computing Dep relation used in Algorithms 1 and 2 is (|LI|××|BI|),where is the number of places in the model (complexity of testing New(, )).
In [14], the authors have discussed the completeness complexity for bounded TPNs.They have proven that model checking of TPN-TCTL formula on a bounded TPN is PSPACE-complete.
Let us explain this approach, by means of an example.Consider the TPN shown at Figure 1, its state class graph presented at Figure 2 and its state classes reported in Table 1.Suppose that only  1 is controllable (i.e.,   ={  1 })a n dw e want to avoid reaching markings where places  1 and  3 are both not marked (i.e., state classes  4 and  6 )b yc h o o s i n g appropriately the firing intervals of  1 .For this example, we have The process starts by calling explore( 0 ,,{ 0 }) (see Figure 7).Since  0 is not in Passed and its marking is not forbidden, explore is successively called for the successors of  0 : explore( 1 , 1 ,{ 0 , 1 }) and explore( 2 , 2 ,{ 0 , 2 }).I n explore of  1 , function explore is successively called for  3 and  4 .In explore of  3 , function explore is called for the successor  6 of  3 by  3 : explore( 6 , 3 ,{ 0 , 1 , 3 , 6 }.Forthe successor of  3 by  4 (i.e.,  0 ), there is no need to call explore as it belongs to the current path.Since  6 has a forbidden marking, explore of  6 returns to explore of  3 with { 3 }, which, in turn, adds ( 3 ,{ 2  3 }, 0) to Passed and returns to explore of  1 with { 2  3 }.

Controller Synthesis and Stopwatch
In this section, we consider time Petri nets with controllable/uncontrollable transitions and show how such a system is controlled by associating some of the controllable transitions with stopwatch.First, we apply the on-the-fly algorithm of [9] and calculate the appropriate controller.Then, instead of restricting time intervals of corresponding controllable transitions, we associate them with stopwatch.In fact, we suspend some transition during its bad subinterval to control asystemsoastosatisfyagivenproperty .
We consider the inhibitor hyperarcs of [3].The controller shall suspend a controllable transition in its bad subinterval and retrieve it otherwise.Let us remember the example of Figure 1 with the state class graph of Figure 2 and Table 1.We have seen that in order to prevent the system entering the forbidden state classes  4 and  6 ,t h ec o n t r o l l e rs h o u l d prevent  1 from firing before ]2, 4].Thus,aninhibitorhypera r ci sa d d e dt ot h et r a n s i t i o n 1 .This inhibitor hyperarc connects  1 to a place called  susp .At the beginning, this place is marked and then  1 is suspended.At [2,2] the token of  susp is consumed and the corresponding hyperarc becomes disabled.The controllable transition  1 is now firable again.The token is returned to place  susp after  1 is fired.Thus, the controller suspends  1 during its bad subinterval and resumes it after then.At the beginning, all clocks are initialized to zero.Then, time elapses but in [0, 2], this transition is suspended and hence its clock does not elapse anymore.Later at time [2,2], this transition is retrieved and becomes active.We d on o tn e e dt od e l a yi ta n y m o r e ,t h a ti sw h yt h el o w e r bound of the interval associated with  1 is modified to 0. Now the clock starts elapsing.Within 2 time units  1 should be fired (i.e., when the actual time of the general clock of the system reaches to 4).Then, the interval associated with   The controlled Petri nets of this example are presented in Figure 9.
In summary, our goal is to synthesize the state class graph of the system through Algorithms 1 and 2 (see [9]) and calculate bad subintervals of the corresponding controllable transitions.Then, suspend the appropriate controllable transitions during their bad subintervals.Note that in [9], we were restricting and limiting time intervals while in this approach the idea is to delay and suspend them.In this research, we suppose every controllable transition can be associated with a stopwatch if needed.As explained earlier in Section 1,i n a multitasking system with periodic tasks only execution of at a s ki sc o n t r o l l a b l e .Th e n ,t h o s et r a n s i t i o n sm o d e l i n gt h e task executions are considered controllable and consequently couldbesuspendedandretrieved.
Above, we have shown how to control a system when the bad subinterval is at the beginning of the firing interval.What if the acceptable subinterval is at the beginning and bad subintervals are after?Consider the example of Figure 10.A controllable transition  1 is associated with firing interval [, ].Suppose that, based on Algorithms 1 and 2, the subinterval [,  1 ] is acceptable while ] 1 ,] is a bad subinterval, where ≤ 1 < .Th ec o n t r o l l e dt i m eP e t r i nets are presented in Figure 11. Figure 12 represents the clock evaluation of  1 and shows how the new interval associated with  1 is calculated.In [0, [,  susp is marked and  1 is neither active nor enabled.Meanwhile, at the time ,  1 becomes enabled and is fired consuming the token in  susp .Thus,right at , the transition  1 becomes active and its associated clock s t a r t se l a p s i n g .N o t et h a ta s s o c i a t e ds t o p w a t c hd e l a y s 1 for  time units and we do not want to delay it anymore; then, thelowerboundofthenewassociatedintervalincontrolled TPN is 0.After 1 time units,  2 is fired, and  susp becomes marked again.Consequently,  1 is suspended.
Consider the same example of Figure 10 and this time suppose that Algorithms 1 and 2 give the following output.
[,   With the same idea, the controlled Petri nets are presented in Figure 13 and the clock evaluation of  1 is shown in Figure 14.

Why Inhibitor Hyperarcs?
We have shown, how to achieve controlled model from an uncontrolled time Petri nets by adding inhibitor hyperarcs.One question is why among different types of stopwatch inhibitor hyperarcs are chosen?Is it possible to use another stopwatch model?The answer is yes; but, inhibitor hyperarcs provide more flexibility and less complication.Let us see if this idea is feasible using other types of Petri nets with stopwatch.
We consider the post-and preinitialized Petri nets proposed in [4,5] for stopwatch and try to control a model where a controllable transition associated with time interval [, ] has a bad subinterval [, ].Based on our hypothesis, the controller should suspend the controllable transition at [, ] a n dr e s u m ei ta t[, ].The characteristic of post and preinitialized Petri nets is that they consume the same token of the original model and in addition, the exact time when the model becomes suspended is unknown as stopwatch transition and original transition have the same chance for firing.At the first glance, the idea is feasible by adding one place and two transitions.However, there are some issues.We explain the problem through an example.We consider the same example of Figure 1.Thesuggested controlled model using post and pre-initialized Petri nets comes in Figure 15.The controllable transition  1 is associated with stopwatch.The stopwatch interrupts the task at [0, 0] and resume it at [2,2].Th ep r o b l e mi sa t[0, 0], both transitions  1 and  sus are enabled with equal chance of firing whereas, in order to have a controlled model,  sus should fire at [0, 0] before  1 .Thus, the controller fails unless if we modify the interval associated to  1 to ]0, 2] which is not of interest in this approach.The other alternative is presented at Figure 16.Anauxiliary place   solves the problem.Hence, using the stopwatch Petri nets suggested in [4,5], it is not easy to give a general solution to control a model considering the output of Algorithms 1 and 2. In addition, the resulting controlled nets are more complicated.For example, in case the controllable transition is associated with the interval [, ] where its bad subinterval is [, ] and ≤then, the controlled model becomes complicated.

Illustrative Example
Suppose the multitasking system depicted in Figure 17 with the following specifications: four tasks  1 , 2 , 3 ,and 4 are being executed.Two tasks  3 and  4 are uncontrollable.The task  1 is periodic with a period of [6,6] and then, its start execution is controllable.Suppose that starting execution of  2 is also controllable.4 is depended to  2 and  3 meaning thatitcanbeexecutedonlywhen 2 and  3 are executed.Two tasks  1 and  2 share a common resource.On the other hand,  1 enters through a single capacity buffer.It means that if  1 is not executed by the end of its period, the system will block.In Figure 7, tasks are modeled by tokens and the execution of each task   is shown by the transition   .If 1 is not executed by the end of its period the system enters the state Block, and,  5 is the transition to be avoided.Delay is a place modeling the  [6,6]  3 [ The procedure is similar for the other path available from  2 including  6 and its successors.The forbidden state reachable through this path is  23 and in order to avoid this forbidden state, the controller can act at  21 with two enabled controllable transitions.So, nothing is returned to  2 from this path.Having a closer look to the state class graph and the output of the algorithm, we conclude that at each state where  1 and  2 arenewlyenabledandthecontrollershould act (i.e.,  0 , 2 ,and 21 ), the controller should force  1 to fire before  2 (i.e.,  2 − 1 >0 ).In other words,  2 should not be active at [2,2]    2 [0, 1]  1 [2,2]  5 [6,6]  3 [5,6] Resource Delay state class  15 a sd i s c u s s e de a r l i e ra n dh a sn o t h i n gt od oa t the state class  6 (the permissive controller will act later at the state class  21 ).Note that a state class like  14 which is reachable through a forbidden state ( 8 )isnotprocessedby the algorithm as it is supposed to be avoided in the controlled system.The controlled model using inhibitor hyperarcs is given at Figure 19.
Our model is now safe.Yet some challenges exist.Look at the state class graph of the model presented at Figure 18.In some paths one task is executed frequently while others are still waiting.For example, see the paths leading to  17 .Although the system is not blocked, some of the tasks cannot be executed.A good scheduler had better to perform different tasks alternatively.We may want to consider alternation, particular sequences, add a deadline for each task or other possible policies.And finally, we may ask if it is possible to restrict the execution time of a task even if it is in its safe subinterval?Then, while synthesizing a scheduler, we can add more constraints and scheduling policies beyond "safe states." Further researches are required to answer these questions.

Conclusion
In this paper, we have extended the approach discussed in [9] to time Petri nets with stopwatch and have suggested to associate the controllable transitions with stopwatch in order to prevent their bad subintervals.We have proposed that in case a controller (like a scheduler) cannot restrict time intervals associated with controllable transitions, the controllable transitions can be suspended in their bad subintervals.
Synthesizing a time Petri net associated with stopwatch is complicated and needs some overapproximations.Besides, time Petri nets associated with stopwatch do not preserve thebo undednessp r o perty .I nthispa per ,weha vesuggested am o r ee ff e c t i v ea l t e r n a t i v e .W es y n t h e s i z eat i m eP e t r in e t without stopwatch and then, equip the controllable transitions with stopwatch where necessary.With this assumption, every controllable transition can be suspended in its bad subinterval and resumed otherwise.Amongst different types of stopwatch, our solution is based on inhibitor hyperarcs.
The approach suggested in this paper is particularly useful at design level for preemptive scheduling purposes, managing shared resources and critical sections.This is a g o o ds t a r t i n gp o i n tf o rf u r t h e rr e s e a r c h e so ns c h e d u l i n g and to calculate automatically a scheduler in a multitasking system.It is interesting to see how the approach can be applied in a more general case with a variable number of tasks and dependencies.Consider different scheduling policies are challenging and are worth to be considered in further studies.

Figure 2 :
Figure 2: The state graph of the TPN presented at Figure 1.

Figure 8 :
Figure 8: Clock evaluation of  1 in the controlled TPN of Figure 9.

Figure 8
represents the clock evaluation of the transition  1 .

Figure 18 :
Figure 18: The state class graph of the TPN presented at Figure 17.
. It is sufficient to add an inhibitor hyperarc to deactivate  2 at [2, 2].The controller cannot act at the