Due to rapidly increasing system complexity, ever-shortening time-to-market, and growing demands for soft real-time, formal methods are becoming indispensable in the synthesis of embedded real-time systems. In this work, a formal method based on Time Free-Choice Petri Nets (TFCPN) is proposed for synthesizing and controlling Soft Embedded Real-Time Systems (SERTS). Technically, the proposed method employs quasi-static data scheduling for satisfying limited embedded memory requirements and controls firing interval bounds for satisfying soft real-time constraints. An application example is given to illustrate the feasibility of the formal method, which can also be used for code generation.
a time interval (α, β) such that if a system task completes execution no earlier than α and no later than β, then the task does not miss its deadline, where α and β are integers representing some points in the time-line.
Informally, our target problem is to synthesize an embedded real-time system starting from an initial set of loose specifications into a final set of strict specifications, such that the final specification satisfies all user-given real-time constraints such as response times, deadlines, and periods. A specification (call it the first) is said to be looser than another (the second) if all the behaviors given by the second are implied by the first. In plain terms, our solution is to restrict loose specifications into stricter ones such that the given constraints are met.
The two main issues involved in the design of SERTS are as follows:
Bounded Memory Execution: A processor cannot have an infinite amount of memory space for the execution of any software process. This fact is even more pronounced in an embedded system, which generally has only a few hundred kilobytes of memory installed. Thus, a SERTS must use as little memory as possible.
Soft Real-Time Constraints: A processor may have to execute several concurrent tasks with precedence and temporal constraints. Thus, a SERTS is generally composed of several soft concurrent real-time tasks.
Our formal model is based on the recently proposed Time Free-Choice Petri Nets (TFCPN) [15], which are a sub-class of Time Petri Nets. To address the above two issues, our proposed method consists of the following two phases:
Quasi-Static Data Scheduling (QSDS): This scheduling phase ensures that embedded real-time applications do not require an unbounded amount of memory for execution, since embedded real-time systems have only a limited amount of embedded memory.
Firing-Interval Bound Synthesis (FIBS): This synthesis phase ensures that an embedded real-time system meets all soft real-time constraints, which are generally modeled as action or firing time intervals. This phase is also called Controller Synthesis since controllers can be synthesized for soft real-time systems using this method.
Software code can also be generated for soft real-time systems by applying our synthesis method to a recently proposed code generation scheme, which was originally designed for hard real-time systems [15]. Due to page limits, we will not delve into this part of the work in this article.
This article is organized as follows. Section 2 gives some previous work related to SERTS synthesis. Section 3 will formulate, model, and solve the SERTS synthesis problem. Section 4 will illustrate the proposed method through an application example. Section 5 will conclude the article with some research directions for future work.
2. PREVIOUS WORK
Currently, synthesis of soft real-time systems is a hot topic of research in the field of hardware-software codesign of embedded systems [11]. Previously, a large effort was directed towards synthesis of hard real-time systems, especially in the application of formal methods. Synthesis was mainly carried out for communication protocols [19], plant controllers [4, 18, 5], and real-time schedulers [25, 1] because they generally exhibited regular behaviors. Only recently has there been some work on automatically generating code for embedded systems [17, 16, 23, 26, 6]. In the following, we briefly survey the existing work on the synthesis of non-real-time software and on controller synthesis, on which our work is based.
Lin [16, 17] proposed an algorithm that generates a software program from a concurrent process specification through intermediate Petri-Net representation. This approach is based on the assumption that the Petri-Nets are safe, i.e., buffers can store at most one data unit, which implies that it is always schedulable. The proposed method applies quasi-static scheduling to a set of safe Petri-Nets to produce a set of corresponding state machines, which are then mapped syntactically to the final software code. Later, Zhu and Lin [26] proposed a compositional version of the synthesis method that reduced the generated code size and was thus more efficient.
A software synthesis method was proposed for a more general Petri-Net framework by Sgroi et al. [23], namely a quasi-static scheduling algorithm for Free-Choice Petri Nets (FCPN). A necessary and sufficient condition was given for an FCPN to be schedulable. Schedulability was first tested for an FCPN, and then a valid schedule was generated by decomposing the FCPN into a set of Conflict-Free (CF) components, which were then individually and statically scheduled. Code was finally generated from the valid schedule.
Balarin et al. [6] proposed a software synthesis procedure for reactive embedded systems in the Codesign Finite State Machine (CFSM) [7] framework with the POLIS hardware-software codesign tool [7] . This work cannot be easily extended to other more general frameworks.
Besides synthesis, there is also some recent work on the verification of automata: given a (temporal) property as a formula in Timed Computation Tree Logic (TCTL) [2, 9], a controller is synthesized such that it restricts the behavior of the system to satisfy the property. This is the controller synthesis problem. Recently, system parameters have also been taken into consideration for real-time controller synthesis [14].
3. FORMAL SYNTHESIS AND CONTROL
A formal synthesis method for soft embedded real-time systems is presented in this section. Its basic features are that the synthesized system executes in bounded memory and satisfies all user-given soft real-time constraints. Before going into details, the system model and related terminologies are presented.
A soft embedded real-time system is specified as a set of Time Free-Choice Petri Nets (TFCPN), which are time extensions of Free-Choice Petri Nets (FCPN) [23]. As mentioned in Section 2, FCPN were used for the quasi-static scheduling of embedded real-time software. But there was no concept of time in the FCPN model, which makes it an unconvincing model for real-time systems. FCPN were recently extended to include time, just as Merlin and Farber's Time Petri Nets (TPN) [20] are a time extension of standard Petri Nets. The extended version, called TFCPN, was introduced in [15] and is presented here.
In the rest of this section, we first define TFCPN, give their properties, and explain why TFCPN are used for modeling SERTS. Then, the problem to be solved is formulated. Finally, our proposed synthesis algorithm is described. Graphically, a TFCPN can be depicted as in Fig. 1. By disallowing confusions, a system modeled by TFCPN can be easily analyzed and synthesized because conflicts can be resolved through net decomposition of a TFCPN into conflict-free components. Though the free-choice restriction prevents a designer from describing systems that have coexisting concurrency and conflicts (i.e., synchronization with conflict as in Fig. 2), the net decomposition approach can be extended to general Petri nets, which will be part of our future research.
Semantically, the behavior of a TFCPN is given by a sequence of markings, where a marking is an assignment of tokens to places. Formally, a marking is a vector M = (m_1, m_2, ..., m_|P|), where m_i is the non-negative number of tokens in place p_i ∈ P. Starting from an initial marking M_0, a TFCPN may transit to another marking through the firing of an enabled transition and re-assignment of tokens. A transition is said to be enabled when all its input places have held the required number of tokens for the required amount of time, where the required number of tokens is the weight as defined by the flow relation and the required amount of time is the earliest starting time α as defined by the transition's firing interval. When an enabled transition fires, the required number of tokens is removed from all the input places and the specified number of tokens is placed in the output places, where the specified number of tokens is that given by the flow relation on the connecting arcs. An enabled transition may not fire later than the latest firing time β of its firing interval.
SERTS have data-dependent executions as well as time-dependent specifications. Both of these characteristics are well captured by TFCPN. TFCPN can distinguish clearly between choice and concurrency, hence they are good models of data-dependent and concurrent computations. Further, TFCPN can also distinguish clearly between data-dependent and time-dependent choices, thus TFCPN are well-defined models for our target SERTS. In multimedia presentations, network computing, distance learning, and other soft real-time systems, the real-time behavior can be controlled, that is, restricted such that the system satisfies some pre-defined specification. For example, if the tolerable network lag in some kind of network computing is pre-specified as 10 seconds, then the behavior of the network computing environment could be controlled such that under all circumstances a maximum of 10 seconds of network lag is encountered during computation.
To model the above soft real-time behavior, we define a new simplified linear temporal logic, which a controller is supposed to enforce in a SERTS.
where p is a non-negative integer vector of |P| elements, and the two subformulae are themselves TRS formulae.
Semantically, ◇p means that eventually, while obeying the timing restriction, there exists a TFCPN marking M that satisfies p, where p is a token assignment represented by a non-negative integer vector of |P| elements such that each element represents the number of tokens that must reside in the corresponding place. This definition is the same as that of a marking, but we do not call it a marking because p might not be reachable from the initial marking. Further, □p means that all reachable markings M, while obeying the timing restriction, satisfy p. Thus, a TRS gives a linear temporal condition that a TFCPN must satisfy. Since we consider a single microprocessor (executing software) in our soft embedded real-time systems, linear temporal logic in the above TRS form (Equation 1) is sufficient for expressing all reachability properties such as safeness, deadlines, boundedness, deadlock-freedom, and starvation. Other properties which are not as important for SERTS, such as liveness, cannot be specified using TRS. Given a system model TFCPN (Definition 1) and a specification logic (Definition 2), we are now ready to formulate our problem as follows.
Definition 3 : Soft Embedded Real-Time System Synthesis
Given a system modeled by a set of n TFCPN S, where the i-th net has places P_i, transitions T_i and initial marking M_0i (i = 1, 2, ..., n), and a specification given as a TRS formula, the system description S is to be synthesized by scheduling and by modifying firing interval bounds such that S is made to satisfy the specification.
As introduced in Section 1 and formulated in Definition 3, there are two objectives for our SERTS synthesis algorithm, namely bounded memory execution and soft real-time constraints satisfaction.
Thus, the algorithm SERTS Synthesize() proposed in Table 1 is intuitively divided into two phases corresponding to the two objectives.
As shown in Table 1, given a set of n TFCPN S (the i-th net having places P_i, transitions T_i and initial marking M_0i, i = 1, 2, ..., n), a maximum bound on memory, and a TRS formula, a system is synthesized upon completion of the following two phases.
The basic concept here is to employ net decomposition such that the firing choices that exist in a TFCPN are segregated into individual Conflict-Free (CF) components. This is done by a procedure CF Generate() as in Step (2) for each TFCPN in S, which results in a set of CF components corresponding to that TFCPN. The CF components are not disjoint decompositions, as a transition may occur in more than one component. As in Step (4), each CF component of each TFCPN is quasi-statically scheduled, that is, starting from an initial marking for each component, a finite complete cycle is constructed, where a finite complete cycle is a sequence of transition firings that returns the net to its initial marking. A CF component is said to be schedulable if a finite complete cycle can be found for it and if it is deadlock-free. Once all CF components of a TFCPN are scheduled, a valid quasi-static data schedule QSS for the TFCPN can be generated as the set of finite complete cycles. The reason why this set is a valid schedule is that, since each component always returns to its initial marking, tokens cannot accumulate without bound at any place. Details of this procedure can be found in [23].
We have extended the quasi-static scheduling approach given in [23] to consider timing constraints on transition firings during the scheduling process. A quasi-static schedule is said to be feasible only if all transition firing intervals are satisfied. Satisfaction of the memory bound can be checked by verifying that the memory space represented by the maximum number of tokens in any marking does not exceed the bound. Here, each token represents some amount of buffer space (i.e., memory) required after a computation (transition firing). Hence, the total amount of actual memory required is the memory space represented by the maximum number of tokens that can be present in any marking resulting from the transition firings in a quasi-static data schedule.
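As an added illustration (not code from the paper), the following Python checks the two QSDS conditions described above for one conflict-free component: that a candidate firing sequence is a finite complete cycle returning to the initial marking, and that the peak number of tokens, scaled by an assumed per-token buffer size, stays within the memory bound. The net, the firing sequence and the buffer size are constructed sample data.

```python
# Added example, not from the paper: validating a quasi-static schedule of one
# conflict-free (CF) component. A marking maps place -> token count; pre[t] and
# post[t] give the arc weights consumed and produced when transition t fires.

# Constructed sample component: t_a turns one input token into two buffer
# tokens, t_b consumes both, and t_c returns the net to its initial marking.
SAMPLE_INITIAL = {"p1": 1, "p2": 0, "p3": 0}
SAMPLE_PRE = {"t_a": {"p1": 1}, "t_b": {"p2": 2}, "t_c": {"p3": 1}}
SAMPLE_POST = {"t_a": {"p2": 2}, "t_b": {"p3": 1}, "t_c": {"p1": 1}}
SAMPLE_CYCLE = ["t_a", "t_b", "t_c"]


def fire_sequence(initial, pre, post, sequence):
    """Fire `sequence` from `initial`; return (final marking, peak token count).

    Raises ValueError if some transition is not enabled, i.e. an input place
    holds fewer tokens than the arc weight requires.
    """
    marking = dict(initial)
    peak = sum(marking.values())
    for t in sequence:
        for place, weight in pre[t].items():
            if marking.get(place, 0) < weight:
                raise ValueError(f"{t} is not enabled: {place} holds too few tokens")
        for place, weight in pre[t].items():
            marking[place] -= weight
        for place, weight in post[t].items():
            marking[place] = marking.get(place, 0) + weight
        peak = max(peak, sum(marking.values()))
    return marking, peak


def is_finite_complete_cycle(initial, pre, post, sequence):
    """True if the sequence is firable and brings the net back to `initial`."""
    try:
        final, _ = fire_sequence(initial, pre, post, sequence)
    except ValueError:
        return False
    nonzero = lambda m: {p: n for p, n in m.items() if n}
    return nonzero(final) == nonzero(initial)


def fits_memory_bound(initial, pre, post, sequence, bytes_per_token, bound):
    """Memory check of the QSDS phase: each token stands for `bytes_per_token`
    of buffer space, so the schedule needs peak_tokens * bytes_per_token bytes."""
    _, peak = fire_sequence(initial, pre, post, sequence)
    return peak * bytes_per_token <= bound


if __name__ == "__main__":
    args = (SAMPLE_INITIAL, SAMPLE_PRE, SAMPLE_POST, SAMPLE_CYCLE)
    print("complete cycle:", is_finite_complete_cycle(*args))
    print("fits 1024-byte bound at 512 bytes/token:", fits_memory_bound(*args, 512, 1024))
```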
3.3.2 Firing Interval Bound Synthesis (FIBS).
This phase consists of a procedure Controller Synthesize() as in Step (9) of Table 1, which synthesizes a controller for the system S with quasi-static schedules QSS_1, ..., QSS_n so as to satisfy a given TRS formula.
Some embedded soft real-time systems, such as multimedia and networks, can tolerate latencies that occur due to network lags, inferior display technologies, weak processing power, and limited memory bandwidth. In order to control such systems, normally a controller is needed to ensure quality of service (QOS), predictability, and reliability. The two main issues involved in the design of a controller for embedded soft real-time systems are as follows:
Synchronization Wait: A software task, upon completion of its scheduled jobs, may have to wait for a period of time to synchronize with another software task or with the hardware.
Real-Time Specification: In order to satisfy a given real-time specification, such as deadlines, a software task must finish execution of its scheduled jobs no later than the system-permitted deadlines.
To solve the above two issues, a synthesis method must generate a controller that ensures all synchronizations and real-time specifications are met. In our proposed method, the above two issues are solved as follows. Here, each software task T is associated with a time interval (α, β), where α is the earliest start time of T and β is the latest finish time of T.
Postpone Release Time: For synchronization to be feasible and for predictable behavior, a software task that needs to wait for some other tasks should have its earliest start time α changed into α + δ_w, where δ_w ≥ 0 is the amount of wait time required.
Advance Finish Time: For satisfaction of real-time specifications, the deadline of a software task is advanced from β to β − δ, where δ ≥ 0 is the difference between the user-specified and system-permitted deadlines.
As shown in Table 2, a solution to FIBS is proposed as an algorithm Controller Synthesize(), which consists of three nested for-loops spanning over each TFCPN (Step (1)), over each schedule of a TFCPN (Step (2)), and over each transition in a schedule (Step (3)).
Firing Interval Bound Synthesis, or Controller Synthesis, mainly restricts the firing interval (α, β) of some transition t into a smaller interval (α', β'), where α ≤ α' and β' ≤ β, such that a given TRS formula is satisfied. In the above case, (α, β) is said to be less restricted than (α', β').
The conditions given in Step (3) of Table 2 select the transitions whose firing intervals are to be restricted; the restriction itself is carried out by IBS Synthesize() in Step (5), with details in Table 3. Corresponding to the two kinds of path-formulae in a TRS, there are two ways of incorporating the new set of interval bounds in S.
◇p: A variable Min IBS keeps track of the set of minimally restricted transition firing intervals for satisfying the TRS formula (Steps (6) and (7)). A solution
[Table 2: Controller Synthesis Algorithm for TFCPN/TRS. Only fragments survive: Step (2): for each schedule v ∈ QSS_i; Step (3): for each t ∈ v with t ∈ in_trans(p) and a condition on token(p), p ∈ P.]
IBS assign() in Steps (9) and (10) assigns the final set of interval bounds to the system S.
IBS Synthesize() in Table 3 synthesizes (modifies) the firing interval bounds for a sequence of transition firings, which is a prefix v = t_0 t_1 ... t_k of a schedule, such that the modified system satisfies both the TRS formula and the aggregate delay interval. The switch-case statement in Step (1) to Step (7) determines whether the restriction is on EFT (Step (8)) or LFT (Step (14)); in either case there is a loop for modifying the firing interval bounds (α, β) of the transitions starting from a given position in the prefix. If, even after all transitions have had their firing intervals modified, the formula is still not satisfied, then an error is returned (Steps (13) and (19)). Otherwise, the set of modified firing intervals is returned (Step (20)).
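The following Python is an added example, not the paper's own IBS Synthesize(): it applies the Advance Finish Time and Postpone Release Time rules from Section 3.3.2 to a schedule prefix, walking the transitions from a given position and returning an error value when no restriction can meet the timing bound, as the loop above describes. It assumes (my assumption, since the paper's definition is not reproduced on the page) that the aggregate delay of a prefix is the interval (sum of the α's, sum of the β's); the intervals and bounds used are constructed sample values.

```python
# Added example, not from the paper: a simplified FIBS restriction loop.
# A schedule prefix is a list of (alpha, beta) firing intervals. The aggregate
# delay is assumed to be (sum of alphas, sum of betas). The timing restriction
# (lo, hi) demands that the marking reached after the prefix occurs no earlier
# than lo and no later than hi.


def aggregate_delay(intervals):
    """Aggregate delay interval of a transition firing sequence (assumed form)."""
    return (sum(a for a, _ in intervals), sum(b for _, b in intervals))


def restrict_intervals(intervals, lo, hi, start=0):
    """Tighten (alpha, beta) into (alpha', beta'), alpha <= alpha' <= beta' <= beta,
    so that the aggregate delay lies within [lo, hi].

    Transitions before index `start` are left untouched. Returns the new list of
    intervals, or None when no restriction can satisfy (lo, hi), which plays the
    role of the error return of the paper's algorithm.
    """
    bounds = [list(iv) for iv in intervals]
    if any(a > b for a, b in bounds):
        raise ValueError("each firing interval needs alpha <= beta")
    early, late = aggregate_delay(bounds)

    # Advance Finish Time (LFT branch): cut latest firing times, never below alpha.
    j = start
    while late > hi and j < len(bounds):
        a, b = bounds[j]
        cut = min(b - a, late - hi)
        bounds[j][1] = b - cut
        late -= cut
        j += 1
    if late > hi:
        return None  # every LFT from `start` on is already at its alpha

    # Postpone Release Time (EFT branch): raise earliest firing times, never above beta'.
    j = start
    while early < lo and j < len(bounds):
        a, b = bounds[j]
        add = min(b - a, lo - early)
        bounds[j][0] = a + add
        early += add
        j += 1
    if early < lo:
        return None  # every EFT from `start` on is already at its beta'
    return [tuple(iv) for iv in bounds]


if __name__ == "__main__":
    # Constructed sample: two transitions, marking required within [5, 7].
    print(restrict_intervals([(2, 5), (1, 4)], 5, 7))  # [(3, 3), (2, 4)]
    print(restrict_intervals([(2, 5), (1, 4)], 0, 2))  # None: bound unattainable
```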
