The Definition of Extended High-level Timed Petri Nets

: Many extensions of Petri nets have been proposed to model the behaviors and time relations of embedded system, yet these models are all based on some assumptions about the behaviors of embedded systems. Especially they all do not have the actual ability to model interrupt mechanism of embedded system. A new net which is called Extended High Level Timed Petri Nets (EHLTPN) is introduced in this study. It shows how to extend High Level Petri Nets (HLPN) with time, actions and interrupt mechanism. Interruptible subnets corresponding to different interruptible resources are introduced to model the behaviors and time relations of distributed embedded real-time systems. Each interruptible subnet realizes interrupt mechanism by an Interrupt Switch Transition and a set of Resuming Transitions. We give an informal description of this new model and show how this model be formally defined. A transform rule presented shows that each subnet corresponding to an interruptible resource in EHLTPN can be transformed into a behaviorally equivalent subnet of HLTPN AT with priority. This model makes it possible to create the compact and comprehensive models for distributed embedded real-time systems.


INTRODUCTION
With the development of electrical technology, embedded system has been widely used in many domains. Their applications range from simple domestic devices, such as washing machines, central heating systems and electronic gatekeepers, to highly critical system, such as flight control, air traffic control, robot control and aero spacecraft etc. There many of them are real-time distributed embedded systems which are related to the health or safety of human life and property. So the safety of such system must be considered.
Time is an important factor which affects the safety of real-time distributed embedded systems. In real-time systems, correctness depends not only on the result produced by computations, but also on the time at which results are produced. The system may enter an incorrect state if the right result is produced too early or too late with respect to certain time bounds [1] . In such case, however, time issues become essential. In the process of designing a real-time embedded system, programmers have to deal with the relating time constrains with the requirement of the system. Especially in distributed real-time embedded systems time relations become more complex than normal embedded system. If the system can't satisfy these time constrains the safety of these systems will be seriously affected.
During the last 20 years, many formal and informal methods have been used for specification, analysis, verification and program testing. Formal methods include standardized specification languages such as the languages ESTELLE [2] , LOTOS [3] and SDL [4] and also other widely used specification method, for example, finite automata, Petri net [5] and temporal logics and algebras of processes [6] . They all have the ability to describe time constrains of object system, but most of them focus on the analysis of system specification, many aspects of embedded systems have been omitted, such as interrupt, DMA, operating system. So these methods can't be used to give an actual result of the correctness of system's time relations.
Except Petri net, most of these methods only support static time analysis and can't be used to reflect the active property of embedded system. Especially in distributed real-time embedded system, many processors exchange message currently and the different parts of such system continuously react to the outside environment. These behaviors of such system are active. So Petri net is one of the best methods used to model and analyze distributed real-time embedded system.
Since Carl Adam Petri introduced Petri net in 1962, in order to model different properties of different system, many extensions have been added. Such as, by assigning firing times to the transitions of Petri net time was firstly introduced by Ramchandani in Timed Petri net [7] ; In Merlin's time Petri net, an interval is annotated with each transition and transitions only can fire between corresponding intervals after the enable instant of such transition [8] . Time Petri net have more power than timed Petri net. High-Level timed Petri nets (HLTPN) are well described by Ghezzi [9] . HLTPN has the similar time representing mechanism as time Petri net, but in HLTPN, each place can have more than one data types and transitions are annotated with an action inscription to describe the actions of corresponding transition.
At first, Petri net was mainly used to model concurrent system, but now with the development of embedded system, Petri net are more and more used to model embedded system. Some extensions have been introduced, such as Dual Transition Petri Net (DTPN) [10,11] . DTPN captures both control and data flow structure from a behavioral description of an embedded system. It is used to represent the specification of embedded system. Some efforts also have been done to model the behaviors of embedded operating system and interrupt system. Miguel Felder extends real-time structured analysis to specification of the detailed design of embedded real-time system and combines the proposed notation with Petri nets. In this model, he gives a subnet to model the schedule mechanism of embedded operating system [12] . Giacomo Bucci introduced Preemptive Time Petri Nets by extending Time Petri Nets with an additional mechanism of resource assignment which makes the progress of timed transitions be dependent on the availability of a set of preemptable resources [13,14] . This mechanism corresponds to the preemptable schedule mechanism of most embedded system. Zuberek [15] in Modified M-Timed Petri nets firstly introduces interrupt arcs which can easily be represented with inhibitor arcs [16] . In Modified M-Timed Petri nets, a firing of a transition may be interrupted if the set of this transition's interrupting places are nonempty. If during a firing period of such transition t, all t's interrupting places contain at least one token, the firing of t ceases and the tokens removed from t's input places at the beginning of firing, are "return" to their original places. Janusz Borkowski gives a descriptive method to model interrupt with Region-based Petri nets (RPN) [17] . As an extension to Color Petri Nets, RPN is proposed to model actions affecting a set of places while the exact marking is neither known nor important.
All of those Petri net extensions mentioned above don't have the ability to model embedded system accurately. Especially they have many difficulties to model the accurate time relations of embedded software. In these extensions, they have all kinds of assumptions about the behaviors of embedded system, such as the events, priority, execute sequence and so on. These assumptions ordinarily just suit to one aspects of embedded software, they lose generality and just adapt to special situation.
Interrupt system is an important part of embedded systems. Different from normal system, embedded systems often have many interrupt sources and interrupts occur continually. Interrupts greatly disturb the program executing sequence and delay the program executing time. So the influence of interrupts must be considered in the development of embedded system. Particularly remarkable is that the schedule mechanisms of most embedded operating systems are based on interrupt mechanism. Embedded operating systems reschedule tasks each time when they exit from interrupt procedure so that embedded operating system can schedule tasks preemptively. Based on interrupt mechanism we can model schedule mechanism easily and directly and needn't relay on those assumptions about embedded system. Hence, Petri nets can perfectly model preemptive schedule of tasks as long as it can model interrupt.
Distributed real-time embedded systems are complex real-time systems. Such system normally is composed of many embedded processors and run different embedded software. These processors exchange data each other and communicate with outside environment concurrently through all kinds of interfaces. So the time relations of such system are more complex than single processor embedded system. Until now there hasn't a model that can descript the active time relations of such system perfectly.
In this study, we introduce an extension of HLPN [18] , called Extended High-Level Timed Petri Net, which allows the representation of the time relations and resource management of complex distributed real-time embedded system in a simple and direct way. This model extends HLPN by adding time, actions and interruptible subnets. Each interruptible subnet corresponds to an interruptible resource and includes an Interrupt Switch Transition and a set of Resuming Transitions. These two special type transitions are used to model the behaviors of each interruptible subnet when interrupts occur. Formal and informal definitions of EHLTPN are all presented. A rule for transforming an interruptible subnet into HLTPN AT with priority is also presented. At last, give a small example of EHLTPN.
Informal definition of EHLTPN: Traditional Petri Net has many difficulties in modeling interrupt. First of all, interrupts occur irregularly, they perhaps happen at any point allowing the occurrence of interrupt. So we can't know the exact point where interrupt occurs. All of the points that have the possibility to be interrupted should be considered. Secondly, if model all the points where interrupts perhaps happen, the number of place will be enormous. It's hard to manage this model. Thirdly, the analysis of such model is very difficult.
An example of interrupt model of HLPN with time and priority is shown in Fig. 1. In Petri net with priority, each transition is annotated with a natural number, called priority level. If more than two transitions are enabled at the same time, only those annotated with highest priority level are allowed to fire. The firing time of transitions is denoted by notation "d" and "d" is annotated with each transition. This figure describes an interrupt model of a program section in which interrupts perhaps happen at place Point(i) and Point(i+1). Except transition Point(i)SwProcA, Point(i)SwProcB, Point(i+1)SwProcA and Point(i+1)SwProcB, all the transitions in this model have priority level 1 while the former four transitions have higher priority level 2. The left part of this figure models a program section. Each transition in this section represents one time execution of code and at the moment when these transitions fires, the processes of firing can't be interrupted. This means that interrupt only can occur where the program section run to a place otherwise the interrupt will not occur.
Place INTNo represents the source of interrupts. If there is a token in it, shows that an interrupt request has been pended. Place INTTable keeps a list to save the interrupt procedure entrance of each interrupt number. Place INTProcA and INTProcB represent the beginning of two interrupt procedures. Transition Point(i)SwProcA, Point(i)SwProcB, Point(i+1)SwProcA and Point(i+1)SwProcB represent the behaviors when interrupts occur at Point(i) or Point(i+1).
Transition ProcAIRETPoint(i), ProcAIRETPoint(i+1), ProcBIRETPoint(i) and ProcBIRETPoint(i+1) represent the operations when interrupt procedure ends. Place Point(i)RevA, Point(i)RevB, Point(i+1)RevA and Point(i+1)RevB are used to keep the status of Point(i) and Point(i+1) corresponding to different interrupt procedures when interrupt occurs and used to restore the status of Point(i) or Point(i+1) when interrupt procedure ends.
Suppose at a moment, interrupt 1 comes, thus a token emerges in place INTNo and its value is 1. At the same time, program section 1 run to place Point(i), so transition t(i+1) and transition Point(i)SwProcA are enabled at the same time. However, transition Point(i)SwProcA has the higher priority level than transition t(i+1), so it fires and prevents the firing of transition t(i+1). Transition Point(i)SwProcA from place INTTable gets the interrupt procedure entrance of interrupt number 1, place INTProcA. Then executes Procedure A and keep the status of place Point(i) in place Point(i)RevA. When this procedure ends, transition ProcAIRETPoint(i) restore the status of point(i). The process of interrupt finished.
From Fig. 1 we can see that the numbers of places and transitions are directly proportional to the number of interruptible points in the model. An embedded software model perhaps exists millions of such points. Fortunately we needn't know the exact point where an interrupt occurs. Knowing that the interrupt occurs in which program section is enough.
In this study, EHLTPN extended from HLPN is introduced. In EHLTPN, places represent the different states of system; tokens in place represent the resources of system; transitions represent the operations that operate on input tokens. Each token can save arbitrary complex data types of data, normally represented by a tuple, hence one token can represent many kinds of resource at the same time. In EHLTPN, a time function is annotated with each transition indicating how long the input tokens are kept in this transition after the transition fires. An action inscription which models the behavior of each transition is annotated with each transition.
In architecture, EHLTPN contains a finite number of interruptible subnets. Each interruptible subnet corresponds to an interruptible resource. This resource takes part in all the operations of this subnet and it is the unique interruptible resource in this interruptible subnet. At certain condition it can interrupt current operation and then goes to run another series of operations and when these operations end, it resumes the status of the operation interrupted just now and continues to finish this operation just like it hasn't been interrupted. Such procedure is called interrupt procedure.
Interruptible resource has two forms in each subnet. One form is a token whose data type is a tuple with two elements and the content of its first element is a sign which is used to represents the existence of interruptible resource in this subnet. Places of such data type are called interruptible places. Another form is a firing transition. Because interruptible resource takes part in all the operations of this subnet and it is the unique interruptible resource in this subnet, each transition in this subnet has one and only one interruptible place belong to its preset and the cardinality of the multiset annotated with the arc from this interruptible place to the transition is one. Similarly, for each transitions in this subnet, has one and only one interruptible place belong to its postset and the cardinality of the multiset annotated with the arc from this transition to the interruptible place is one too. Hence when a transition fires, it moves a token with interruptible resource from an interruptible place belongs to its preset. When the transition stops firing, it also moves a token with interruptible resource to an interruptible place belongs to its postset.
An active node is a node which has the interruptible resource in an interruptible subnet. It may be a place or a transition. An interruptible place that has a token is an active node. A firing transition also is an active node. All the active nodes except uninterruptible transitions are interruptible. Since the interruptible resource in a subnet is unique, at any time, in each subnet, exists one and only active node. Thus when an interrupt occurs, we can get the active node which is interrupted directly. The status of this active node at the moment when it is interrupted is called a breakpoint.
Each interruptible subnet has two special type transitions, called Interrupt Switch Transition and Resuming Transition. Interrupt Switch Transition represents the operations when interrupt occurs and Resuming Transition represents the operations when the interrupt procedure ends. Each interruptible subnet has only one Interrupt Switch Transition but may have a group of Resuming Transitions. Thus each interruptible subnet only can responses to one interrupt request a time but may have many interrupt procedures concurrently.
At the moment when Interrupt Switch Transition fires, it saves the breakpoint of the interrupted active node to a special variable bp associated with it and the data type of this variable is "BreakPoint". Interrupt Switch Transition interrupts the operations of current active node at the same time. If this breakpoint is a place, then the token in it is removed; if the breakpoint is a transition, set the remaining firing time of this transition 0 and the status of this transition recovers to be "normal" just like it has not fired. At the moment when Interrupt Switch Transition stops firing, it resumes the breakpoint which is produced by the function B annotated with it. When Resuming Transition stops firing, it does the same operation as Interrupt Switch Transition does. The breakpoint may be a place or a transition. If it is a place, then move the token keeping in the breakpoint to it. If it is a transition then resume its status kept in the breakpoint. This status includes the remaining firing time of this transition, the values binding to the variables annotated with its input arcs and tokens which are moved in as it fired. But these tokens in most cases have no use for the firing of this transition, so in the latter of this study we don't keep the values of these tokens.
When we use EHLTPN model distributed real-time embedded system, each subnet corresponds to the software running on an embedded processor. The processor is the interruptible resource and takes part in all the operations of all the transitions. Interrupt Switch Transition corresponds to operations when the processor responds to the interrupt requests from outside and Resuming Transition corresponds to the machine instruction IRET. Figure 2 is an interrupt model represented by EHLTPN corresponding Fig. 1. In this model, the arcs drawing by dash style are not the true arcs of this model. Here, they are used to represent how the interruptible resource is moved when interrupt occurs.

Formal definition of EHLTPN
The definition of EHLTPN: At first, we recall the definition of HLPN. All the notations without clear definition here refer to [18] .
R is a set of sorts; * is a set of operators together with their arity in R which specifies the names of the domain and co-domain of each of operators; * V is a set of sorted variables; (iii). C:P R H is a function which types places; (iv). AN=(A, TC) is a pair of net annotations; and for all (p,t), (t ,p) ∈ F, A(p,t), ( is the initial marking function which associates a multiset of tokens of correct type with each place.
Then we give the definition of HLPN with time and actions. In EHLTPN a special data type "BreakPoint" is introduced. BreakPoint is used to save the status of the breakpoint where interrupt occurs. Breakpoint may be a place or a transition. If the breakpoint is a place, the type of this breakpoint, the ID of this place and the tokens in this place are kept. If it is a transition, the type of this breakpoint, the ID of this transition, the left firing time of this transition and the values of variables annotated with the input arcs of this transition are kept.
Because only variables which have bound values can take part in the calculation of actions and the terms annotated with output arcs, thus keep the values of every variables is enough.
In order to give a clear definition of the semantic of EHLTPN, here give some definitions of notations about data type BreakPoint. Variables of BreakPoint data type usually are denoted by bp or bp 1 , bp 2 , bp 3 , …. Because of the complexity of BreakPoint data type, it can't be described by normal data type. In order to get and set the values of a BreakPoint data type, following methods are provided: * bp.type() returns the type of breakpoint bp. If returns t, represents bp is a breakpoint of transition type. Otherwise it will return p to represent it is a place type; * bp.settype(p or t) sets the type of bp; * bp,ID()returns the node ID of breakpoint bp.  In EHLTPN the definition of preset and postset is the same as other kind of Petri Nets. That is, ∀ x∈ P ∪ T, • and x • the preset and postset separately.
Behavior of EHLTPN Definition 3.6: Enabling rule: a transition t i ∈ T ∧ t i ∉ T Run is enabled in Marking, * time M , at time time, for a particular assignment to its variables, time , known as a mode of t i , iff following properties are satisfied: To give the abstract definition about time, here a well-defined semantics is given: t + and t -, are two special time relative to time t ,      Of two natural numbers, the bigger one has higher priority level.
(i). All the transitions added in step 2 and step 3 have priority level 2.
(ii). All the other transitions have priority level 1 lower than level 2. They are all transformed from subgraph (a) to subgraph (b). In Fig. 3, transition i t in subgraph (a) is transformed to a sequence of places and transitions, In Fig. 4, transition t31 and t32 are added in subgraph (b) to model the behaviors of t SC1 in subgraph (a) and they connect breakpoint bp1 and bp2 separately. In Fig. 5, transition t31, t32, t41 and t42 are added in subgraph (b) to model the behaviors of transition 1 1, 2 RC tR tR T ∈ in subgraph (a).
The set of all markings and modes of  (ii). This follows directly from transform rule step 1,2,3.
(iii). This follows directly from part (i).