Abstract-Many safety-critical real-time embedded systems need to meet stringent timing constraints such as preserving delay bounds between input and output events. In model-based development, a system is often implemented by using a code generator to automatically generate source code from system models, and integrating the generated source code with a platform. It is challenging to guarantee that the implemented systems preserve required timing constraints, because the timed behavior of the source code and the platform is closely intertwined. In this paper, we address this challenge by proposing a model transformation approach for the code generation. Our approach compensates the platform-processing delays by adjusting the timing parameters in system models, based on an Integer Linear Programming problem formulation. We demonstrate the usefulness of our approach via a case study of infusion pump systems. Experimental results show that the code generated using our approach can better preserve the timing constraints.
I. INTRODUCTION
Many safety-critical real-time embedded systems need to meet stringent timing constraints, of which a common type is the bounded delay between input and output events. For example, a car should stop (output event) within three seconds when a driver hits a brake (input event); a pacemaker should generate electrical signals (output event) within eight milliseconds when an abnormal heart rhythm is detected (input event). The violation of such timing constraints may lead to catastrophic consequences. Thus, it is important to guarantee that the developed real-time embedded systems satisfy the timing constraints. One promising approach is via modelbased development. First, a system model is built to capture abstractions of the system's timed behavior. Then, if the model is verified to satisfy the timing constraints, source code is automatically generated from the model using a code generator. Finally, the generated code is implemented on a platform. By platform, we refer to a collection of hardware (e.g., sensors/actuators) and software (e.g., real-time operating systems and I/O device drivers) that are required for the code to read input from or write output to the environment.
System models are typically constructed independently of a specific platform for a few benefits: (1) the generated source code can be implemented on many different platforms, and (2) the modeling process can be initiated without knowledge of specific platform in the early system development stage. Stateof-the-art code generators, such as Real-Time Workshop [13] and TIMES [4] , produce source code using timing parameters specified in a system model directly, with the assumption that the input/output (I/O) communication between the code and the environment can be processed infinitely fast by a platform. *This work has been performed while the first author was at the University of Pennsylvania.
However, it is difficult, if not impossible, for any platform to meet this assumption in practice, due to processing delays caused by, e.g., I/O device drivers or communication jitter.
In our previous work, we proposed to overcome this obstacle by modeling architectural aspects of platforms [12] [10] and generating test cases [11] . However, one limitation is that, the code generated from models that incorporate platformprocessing delays, when being implemented on a specific platform, may yield a system that does not respect timing constraints verified at the modeling level. Because platformprocessing delays are added to the code-level delays. It is challenging to guarantee that the implemented systems preserve required timing constraints, because timing aspects of the system model, the code and the platform are closely intertwined.
In this paper, we aim to address this challenge by proposing a model transformation approach for the code generation. We argue that system models are not appropriate representations of the code-level timed behavior. We transform a system model into a software model by explicitly characterizing (non-zero) platform-processing delays and appropriately compensating those delays. The software model is then used to generate code, which would be implemented on the platform whose processing delays are compensated during the model transformation process. The resulting system implementation is guaranteed to meet the timing constraints that have been verified in the system model. We restrict our attention to timing constraints in the type of bounded delay between I/O events.
Our model transformation approach involves two steps. First, check whether it is feasible to compensate the processing delays of a given platform while preserving bounds on delays between observable events in the system model and implementation. Second, adjust timing parameters in the system model to obtain a software model that compensates the platform-processing delays. We formulate and solve the problem using Integer Linear Programming (ILP). We define the objective function of ILP based on the goal of obtaining a software model with the least timed behavior perturbation from the system model. The linear constraints of ILP are given to quantify the delay-bound differences between the system model and implementation, taking into account the model's I/O delays accumulated over paths (between pairs of I/O transitions) and the platform-processing delays. By solving the ILP problem, we obtain a set of timing parameter assignments that can be used to transform the system model into a software model.
We demonstrate the usefulness of our approach via a case study of infusion pump systems. Experimental results show that systems implemented with the code generated from our transformed software models have (significantly) better performance in terms of timing constraints preservation.
The rest of this paper is organized as follows. Section II introduces a motivating example, the problem statement and an overview of our approach. Section III describes how to compute the minimum and maximum delays of I/O events in the system model and implementation. Section IV develops the ILP problem formulation for the model transformation. Section V presents a case study of infusion pump systems. Finally, Section VI discusses related work and Section VII summarizes our findings.
II. PROBLEM STATEMENT AND APPROACH OVERVIEW A. Motivating Example
We first explain, through the following example, why we need to transform system models for representing the codelevel timed behavior. Consider a system model represented as an event-clock automaton [3] (cf. Definition 2) shown in Figure 1 . Each transition in the model is labelled with either an input (a 1 ? and a 3 ?) or an output (a 2 !) event. Each event is associated with a clock, which is automatically reset to zero whenever a transition associated with the corresponding event is taken. For example, the clock x a1 is reset to zero when the transition labelled with the input event a 1 ? is taken. Transitions are also annotated with clock guard conditions. For example, the guard condition x a1 ≥ 2 ∧ x a1 ≤ 10 means that the transition can be taken anytime non-deterministically in between 2 and 10 time-unit after the previous transition. It is straightforward to verify that the example model satisfies the following timing constraint (REQ0): "a system shall produce the output a 2 ! within 2 and 10 time-unit since the input a 1 ? event occurs from the environment".
The timing parameters in the clock guard conditions do not distinguish code-level delays and platform-processing delays. Suppose the platform-processing delay is 2 time units. Then a system implemented using the code generated from the model shown in Figure 1 would not preserve REQ0, because the delay of output a 2 ! is now bounded by 4 and 12 time units. This implies that the system model shown in Figure 1 is not an appropriate representation for the code generation. Thus, there is a need for model transformation. In practice, the given platform-processing delays are often in a range (i.e., minimum and maximum bounds) rather than a single constant, which makes the model transformation challenging. Because we need to consider the intermix of min/max platform-processing delays and code-level delays, while the latter may also be affected by the model structure (e.g., loops). Once we know what the ranges of platform delays are, timing guards in the model can be adjusted so that the generated code, running on the platform, would exhibit correct system-level behavior. Figure 2 shows an overview of relations between system model, software model, code, platform and implementation. We adopt Parnas' four-variable model [14] to define the boundaries of an implemented system (shown in the right side of the figure). In the four-variable model, monitored (m) and controlled (c) variables characterize changes of physical environmental quantities; on the other hand, input (i) and output (o) variables characterize software behavior that interact with the physical environment through input/output devices (i.e., platforms in our work). Based on this variable mapping, we define the boundaries of an implemented system to formalize the problem: io-boundary that separates a platform and the code, and mc-boundary that separates an environment and a platform. Suppose that, for a given platform, the minimum and maximum delays of processing each input/output event is known (cf. Definition 3). The goal is to transform a system model (M s ) into a software model (M c ) by compensating the platform-processing delays (P), in order to preserve the timing constraints in the system implementation.
B. Problem Statement
We first define three functions: f Ms , f SOF , and f IMP , which quantify the min/max delay-bounds of the occurrence of an I/O event succeeding another event in the system model, ioboundary (software model), and mc-boundary, respectively. Formally, we define f Ms (i , j ) as the min/max delay-bounds of simple paths (i.e., those without cycles) starting from the transition i and ending with the transition j in the system model M s . For example, the timing constraint REQ0 can be formally denoted by f Ms (1 , 2 )= [2, 10] , representing that the output transition 2 shall be taken in between 2 and 10 timeunit after taking the input transition 1 of Model 1 shown in Figure 1 . Given a simple path p, we can also write f Ms (p). We define f SOF and f IMP in a similar fashion as for f Ms . In the model transformation from M s to M c , we only adjust the timing parameters (i.e., clock guards) and do not change the model structure. Therefore, there are one-to-one mappings between transitions i and j for f Ms 
Definition 1 (Delay-Bound Inclusion Constraint). A system implementation preserves the delay-bound inclusion constraint with respect to the corresponding system model iff:
• the minimum delay bound of f IMP for any pair of I/O events at the mc-boundary is no less than that of f Ms , • the maximum delay bound of f IMP for any pair of I/O events at the mc-boundary is no greater than that of f Ms . Formally, we denote the constraint satisfaction by f IMP The key of model transformation from a system model M s into a software model M c lies in solving the research problem of finding a suitable function f SOF such that the induced function f IMP (based on the known platform-processing delay P) preserves the delay-bound inclusion constraint with respect to the function f Ms (determined by M s ). We also need to show that any system implementation meeting the delaybound inclusion constraint is guaranteed to satisfy the timing requirements that are verified in the system model M s .
C. Approach Overview
Finding a suitable function f SOF is a challenging problem. On the one hand, we need to consider its dependency to the function f IMP and the platform-processing delay P. On the other hand, we need to make sure that the derived function f IMP and the system model function f Ms satisfy the delay-bound inclusion constraint. The simple shrinking or expanding timing guards of f Ms would not give us a satisfying f SOF , because the Mapping from system models to implementations change of timing guards in one transition (e.g., with the intent of decreasing f SOF ) may actually increase f SOF for another transition/path, due to the complex dependency among various I/O transitions and the mixture of minimum/maximum delays.
Our approach is to formalize those dependencies in terms of a set of linear constraints to automatically find timing parameter assignments for the function f SOF using the integer linear programming (ILP). First, we propose algorithmic procedures to compute f Ms and f IMP . The computation of f Ms is based on the timing parameters (i.e., clock guard constants) in the system model M s , while the computation of f IMP is based on the timing parameters of the software model M c (represented as variables in f SOF ) and the platform-processing delays P. Then, we formalize the delay-bound inclusion constraint between f Ms and f IMP as a set of linear inequality constraints for ILP. A satisfying solution of the ILP problem gives us a set of variable assignments for f SOF , which can be used to parameterize the timing guards of the software model M c . Finally, we show by Theorem 1 that the system implemented using the code generated from the software model M c is guaranteed to satisfy the timing requirements (i.e., bounded delays between a pair of I/O events).
III. COMPUTING f Ms AND f IMP In this section, we develop algorithmic procedures for computing f Ms and f IMP , which are functions that quantify the min/max delay-bound of any pair of I/O transitions and events in the system model and the implementation, respectively. In this paper, we consider system models that are represented as event-clock automata [3] .
are an initial and a final location, respectively; Σ = Σ in ∪ Σ out is an alphabet with a set of input (resp. output) events Σ in (resp. Σ out ); E = {(L, L , a, ϕ)} is a fine set of transitions with each transition connecting a starting location L and an ending location L , labelled with an input/output event a ∈ Σ, and associated with a clock constraint ϕ over the clocks C Σ .
We refer to [3] for the formal operational semantics of event-clock automata. An informal semantic description for an example model could be found in Section II-A. In this paper, we consider three different model structure patterns, namely, sequential (e.g., Model 1 shown in Figure 1 ), alternative (e.g., Model 2 in Figure 3 ), and cyclic (e.g., Model 3 in Figure 4) .
A. Computing f Ms
The computation of the function f Ms , which represents the minimum and maximum delay-bounds between two I/O tran- sitions in the system model, is non-trivial. Firstly, there can be many different paths in between two transition occurrences. In this case, the path that has the minimum delay can be different from the one that has the maximum delay. Therefore, we need to examine all possible paths between the two transitions in order to compute f Ms . Secondly, paths connecting two transitions may include cycles. Since we assume non-negative guard conditions, the minimum delay bound is obtained by considering only a simple path. However, when it comes to the maximum delay bound, it differs depending on how many cycles are taken between the two transitions. For example, in Model 3 (cf. Figure 4) , the maximum delay-bound between transitions 1 and 3 increases as more cycles are taken.
We first show how to compute f Ms for a pair of transitions which are connected by simple paths (i.e., paths that do not contain any repeating locations) only. To this end, we adapt the Floyd-Warshall algorithm. The Floyd-Warshall algorithm computes the minimum and maximum timing intervals between the entering of locations L i and L j in a model with
We cannot use the Floyd-Warshall algorithm to compute f Ms directly, because the function represents the delaybound between two transitions rather than locations. Instead, we define:
where L Now, we generalize the computation of f Ms for paths with cycles (i.e., non-simple paths). Proof: See the Appendix. Note that Lemma 1 is only applicable to event-clock automata where clocks reset on every transition, which is sufficient for this paper. The computation for more general cases (e.g., clocks reset in arbitrary transitions) was studied in [8] using the reachability graph, but that algorithm may not terminate in the presence of cycles.
Lemma 1. The min/max delay-bound over a (non-simple) path
Example 2. Consider a path p in Model 3 that starts with the transition t 1 and ends with t 3 after repeating two cycles; that is, p=t 1 ,t 2 ,t 3 ,t 1 ,t 2 ,t 3 . The path p consists of the following simple paths: 
B. Computing f IMP
In the following, we describe how to compute the function f IMP based on the platform-processing delay P and the codelevel delay f SOF . are the minimum and maximum times needed for the platform to process the event a k , respectively.
Definition 3 (Platform-Processing Delay). For any I/O event
The platform-processing delay characterizes the min/max delays consumed by a given platform (independently of the code-level delays) to process each I/O event. In Figure 2 , this delay is considered as the input delay consumed over the information flow from m to i, and the output delay consumed over the information flow from o to c. These delays occurring over the information flows originate from several delay segments that are necessary for the code to interact with its environment via a platform, such as the timing overhead for processing physical input/output signals incurred by device drivers and scheduling delays. More details of such delay segments can be found in our previous work [11] [10] , and this paper assumes that the platform-processing delays are bounded as minimum and maximum parameters. 
That is, it takes the platform at least 1 and at most 2 timeunit from the moment it reads the input event a 1 (mapped to m variable in Figure 2 ) from the environment at the mcboundary until the moment the code reads the processed input event (mapped to i variable) at the io-boundary. Similarly, it takes the platform at least 3 and at most 4 time-unit from the moment the code writes the output event a 2 (mapped to o variable) at the io-boundary until the moment the platform writes the processed output event (mapped to c variable) to the environment at the mc-boundary. Now, we explain the relation between the system implementation delay f IMP , the code-level delay f SOF , and the platformprocessing delay P. For example, Figure 6 illustrates how the system model and the implementation behave differently when processing a pair of the input transition 1 (t 1 ) and the output transition 2 (t 2 ) of Model 1. In the system model, t 2 is taken (lower-direction arrow) in between 2 and 10 time-unit since t 1 has been taken (upper-direction arrow); therefore, f Ms (1 , 2 )= [2, 10] . In the implementation, the delaybound f IMP (1 , 2 ) may differ from f Ms (1 , 2 ) if the same timing parameters (T s ) of M s is used to implement the code-level delay (f SOF ). Suppose the code is generated using T s (i.e., 2 and 10), and this code is to be integrated with a platform that has the processing delay: P= [1, 2] (assuming that the same min/max bound is applied to all I/O events). Assume that the code interacts with the platform through a set of primitives: read primitive to read the processed input values from the platform or to read current clock values; reset primitive to set the clock values to zero; write primitive to write the output values to the platform. Note that the time instances when these primitives are called by the code are different from the times when the corresponding I/O occurs in the environment, due to the platform delays.
This implemented system behaves as follows: when the input (denoted as a m 1 ) associated with the transition t 1 of M s is generated from the environment, (1) the platform reads a m 1 first at the mc-boundary (red upper arrow); (2) the code reads the processed input (denoted as a i 1 ) at the io-boundary sometime after, in between 1 and 2 time-unit (first green diamond poll) due to P(a 1 ), and reset the associated clock (x a1 ); (3) the code produces the output (denoted as a o 2 ) at the io-boundary (second diamond poll) in between 2 and 10 time-unit after reading the previous input (a i 1 ); (4) the platform processes and writes the output (denoted as a c 2 ) to the environment at the mc-boundary (red lower arrow) in between 1 and 2 time-unit due to P(a 2 ). Intuitively, f IMP (1 , 2 ) will be larger than f Ms (1 , 2 ) (i.e., f IMP ∈ f Ms ) in this case; this deviation occurs since the I/O information flow and P have not been compensated in implementing the code-level delay (f SOF ) (i.e., the code-level delay should have been shrinked for the compensation in this case). In general, f IMP can be larger or smaller than f Ms depending on the event type and the amount of the platform-processing delay and the dependency among different transitions; the four possible I/O patterns and their implementation behavior are illustrated in Figure 7 . Therefore, it is problematic to generate the code using the same parameters (T s ) of M s . Instead, we want to find a new timing parameter assignment (T c ) that can be used for the code so that the delay-bound inclusion constraint holds.
In order to find T c , we derive the equation of f IMP by separating two parts: we consider the part that constitutes the platform-processing delay (P) as known parameters, while we leave the part that constitutes the code-level delay (f SOF ) as unknown variables; now, f IMP for any pair of I/O events can be calculated as follows:
Each event (i, j) occurring at the mc-boundary is either input or output, hence there are four combinations for a pair of events that can be calculated as follows:
• Case 1: i is an input event and j is an output event:
i is an output event and j is an output event:
i is an output event and j is an input event:
i is an input event and j is an input event:
These equations are obtained by the straightforward case analysis illustrated in Figure 7 . A detailed derivation in given in Appendix.
IV. DELAY-BOUND ADJUSTMENT USING INTEGER LINEAR PROGRAMMING
In this section, we explain how to find the unknown variables (T c ) that will be used to implement the code-level delay (f SOF ) using the integer linear programming (ILP).
A. Intuition of the Delay-Bound Adjustment
We formalize the ILP problem to find T c to generate the code that can be integrated with a platform preserving the delay-bound inclusion constraint with respect to the system model (M s ). Before explaining the details, the intuition behind this formalization is given.
Consider the timed behavior of M s and the implemented system in Figure 6 . In case the code is generated using T s , two orthogonal aspects result in the deviation of the timed behavior between M s and the implementation.
(1) the deviation of the uncertainty range: the uncertainty range of a pair of I/O transition t i and t j of M s and the uncertainty range of a pair of the corresponding I/O events of an implemented system is defined as follows:
This range implies that the time interval where the second transition (t j ) is allowed to occur following the first transition (t i ). However, if the code is generated using the original timing parameter assignment (T s ), the system model uncertainty (Δ Ms ) is directly implemented as a code as well. The issue is that the chosen platform will add another uncertainty that comes from the platform-processing delay (P). For example, in Fig. 6-(b) , the uncertainty range of the implementation (Δ IMP ) becomes 10 that is larger than the system model uncertainty (Δ Ms ) by 2; this additional amount comes from P that results in violation of the delay-bound inclusion constraint. To remedy this, we introduce the Shrinking operation to adjust either upper-bound or lower-bound of the guard condition of the code to compensate P; this will make Δ IMP fit into that of Δ Ms by either increasing the lower-bound or decreasing the upper-bound (i.e., Δ IMP (i, j) ≤ Δ Ms (i, j)). In Figure 8 -(c), for example, the uncertainty range of the implementation is reduced by changing the guard condition associated with t 2 from [2,10] to [4, 10] (i.e., the lower bound of the original guard condition is increased by 2).
[ ] Figure 8 -(c), the resulting f IMP (1 , 2 ) is [6, 14] that is not included in 2 ) ). This implies that it is not sufficient to perform the Shrinking operation only in order to obtain T c . The main reason is that the shrinking operation only makes Δ IMP fit into Δ Ms , but it does not consider the aspects originating from different combinations of I/O information flows. Depending on the types of I/O event pairs, the delay-bound of an implementation is deviated from M s in four different ways as illustrated in Figure 7 . To remedy this, we introduce the Shift operation that moves the relative timing of the second event occurrence back and forth by adjusting both the upper and lower guard condition of the code (c.f., the shrinking operation only adjusts either guard condition). In Figure 8 -(d), for example, both the lower and upper guard condition of the code are decreased by 4; the result of this shift operation is that the code should now produce the output in between 0 and 6 time-unit; then the implementation preserves the delay-bound inclusion constraint with respect to M s (i.e.,
Applying the shrinking/shift operations for all possible pairs of I/O transitions is challenging since there are many different aspects intertwined with each other in a complicated pattern, such as the platform-processing delay, the I/O information flows and the dependency among different I/O transitions. Furthermore, these operations may be impossible under certain circumstances (e.g., Δ IMP is too small relative to the amount of the delay that has to be shrinked). We explain how these conditions are formalized in terms of the ILP so that the two operations (i.e., shrinking and shifting) can be automatically performed for all possible I/O transitions to adjust the codelevel delay.
B. Formalization of the ILP Problem for Acyclic Models
We first explain how the problem is formalized for acyclic models, and then explain how it can be extended to cyclic models. Integer Variable Mapping to the Model: To formalize the ILP problem, we first map integer variables to the system model (M s ) that express the unknown min/max code-level delay (f SOF ). Here is our mapping: two integer variables, t Type 1 and type 2 characterize the delay-bound inclusion constraints of Definition 1; we need the constraints of type 3 and type 4 to obtain only non-negative guard conditions whose minimum delay bound is less than the maximum bound.
Example 4 (Linear Constraints for Model 1)
. Model 1 has three pairs of I/O transitions: (1,2), (2,3), (1, 3) , and here are the linear constraints:
Suppose a platform is characterized as P= [1, 2] , and the code is assumed to be generated from Model 1. In this case, the linear constraints are obtained by plugging in P as follows:
The constraints (C1a,b), (C2a,b), (C3a,b) are relevant to the pairs of transitions (1,2), (2,3), (1,3), respectively. The constraints (C1a)-(C3a) and (C1b)-(C3b) are the type 1 and type 2 constraints, respectively; the right hand side of these constraints come from the calculated f Ms according to Lemma 1, while the left hand side are obtained based on the calculations of f IMP in Section III by replacing f min SOF (i , j ) and f max SOF (i , j ) with the linear combination of (1) the relevant integer variables that express the unknown code-level delay, and (2) the known platform-processing delay. On the other hand, the constraint (C4) and (C5) are the type 3 and type 4 constraints needed independently of the platform-processing delay (P).
The linear constraints for Model 2 are also similarly defined, and those constraints and the example are given in Appendix. Defining Objective Functions for Optimization: Our goal is to find the parameter assignments (T c ) for the unknown variables that satisfy these linear constraints. Note that there can be many possible parameter assignments that satisfy these linear constraints. For example, in Figure 8 To this end, we define optimality in choosing T c by considering the following aspect: apart from the platform-processing delay (P), the code also requires some computation time for its internal processing; for example, the code computes the output based on the input according to the control law that can be a complex function. Therefore, a better solution is to find T c that maximizes the room for the internal computation of the code. In the above example, the assignment (lower bound: 0, upper bound: 6) is a better solution than the other assignment (lower bound: 0, upper bound: 1) since the code can have more computation time before producing the second event (i.e, 6 time-unit versus 1 time-unit). Such an optimal assignment can be obtained by defining the objective function that maximizes the uncertainty range of the implementation (Δ IMP ) as close as to that of the system model (Δ Ms ); this will allow us to find the largest room for the code computation while preserving the linear constraints. Suppose a system model (M s ) has n pairs of I/O transitions. Then, we also have n uncertainty ranges for the system model (Δ Ms ) and an implemented system (Δ IMP ) that corresponds to each pair of I/O transitions. Δ Ms is known since it is calculated from the known T s , but Δ IMP is unknown since it is calculated from the unknown T c . Let Δ IMP (k) be the uncertainty range of an implemented system for a particular pair (k) of I/O transitions. Then, the general form of our objective function is as follows:
For example, Model 1 has three uncertainty ranges that correspond to the three pairs of I/O transitions.
The following is the objective function for Model 1:
Our solver will find the parameter assignment for the six variables (t Suppose the code is to be generated from Model 1, and integrated with a platform characterized as P= [1, 2] ; then the optimal parameter assignment for the code is (t In Example 5, the solver finds no feasible parameter assignment for the code in case the platform with P= [1, 3] has to be used. This implies that no code can be generated from Model 1 for this platform by preserving the delaybound inclusion constraint. However, suppose another platform P= [1, 2] is chosen whose maximum I/O processing delay is 1 time-unit faster than the previous platform. In this case, the solver can find the optimal parameter assignment that can be used to generate the code running on this platform. The objective function for Model 2 is also similarly defined, and it is given in Appendix with the example of the optimal assignment.
We believe that one can define more refined notions of optimality in terms of the internal computation time for the code. One possible notion is to give more internal computation time for a particular I/O transition than the other in case adjusting both Δ IMP equally conforms linear constraints. Accommodating such refined optimality will result in more complex objective functions than Equation 3. Exploring all possible notions of optimality and comparing them to each other is out of the scope of this work.
C. Handling Cyclic Models
Note that, if a model contains cycles, there can be an infinite number of paths between a pair of transitions. For example, Model 3 contains a cycle closed by transition 3. Consider a pair of transitions (t 1 , t 3 ) ; there are an infinite number of paths, corresponding to the number of times the cycle has been followed. Yet, we want to preserve the delay-bound inclusion property for each of these paths. To this end, we show that it is sufficient to consider only the simple paths through the model to guarantee that the delay-bound inclusion property for arbitrary paths, as follows: Theorem 1. Given a platform processing delay P and a system model
Now, the objective function can be similarly defined as Model 1 and Model 2; the following is the list of uncertainty ranges that correspond to the pairs of I/O transitions in Model 3:
The following is the objective function for Model 3:
Example 7 (Optimal parameter assignment of Model 3). Suppose the code is to be generated from Model 3, and integrated with a platform characterized as P=[0,1]; then the optimal parameter assignment for the code is (t 10, 2, 8, 9, 9 ). Consider another P= [1, 2] ; then there is no possible parameter assignment for the code generation.
V. CASE STUDY: INFUSION PUMP SYSTEMS
An infusion pump is a safety-critical medical device that injects drugs to a patient's body in a controlled manner for medical purposes, such as diabetes treatments or anesthesia. Its hardware platform is equipped with sensors (e.g., a bolus request button, empty reservoir switch) and actuators (e.g., a pump motor, alarm buzzer) to interact with its physical environment (e.g., patient). For example, a patient presses a bolus request button to request an additional amount of drugs; a pump rotates a pump-motor that generates physical forces to move a loaded syringe so that drug can flow from the syringe to the patient. In addition, the pump should detect various alarming conditions using sensor input (e.g., empty/low reservoir condition) to generate alarm signals to caregivers in a timely manner.
In order to show the applicability of the proposed approach, we generate the code for the Baxter II Syringe PCA infusion pump platform used for the GPCA reference implementation project [9] , and validated several delay-bound inclusion constraints (the equipment setup is shown in Appendix). Here are the details of the case study: (1) Modeling and verification for the infusion pump systems: Model 4 in Figure 9 is the system model (M s ) used for this case study, and its informal semantics and the implication in the actual PCA pump implementation are as follows: in the initial location (L 1 ), the pump waits for the patient's bolus request (in the implementation, the input mBolusReq is generated by pressing a button). However, the pump shall not accept a bolus request occurring earlier than 5000 ms 1 since the previous infusion has been either normally finished by providing the expected amount of drugs or abnormally finished due to the alarming condition (i.e, those premature bolus requests should be ignored). Otherwise, the pump shall process any valid bolus request by taking the transition from L 1 to L 2 . In L 2 , the pump shall initiate the bolus infusion in between 150 ms and 470 ms by taking the transition from L 2 to L 3 (in the implementation, the output cStartInf usion is produced by rotating the pump motor at a calculated speed). Any bolus infusion will finish in between 300 ms and 750 ms by taking the transition from L 3 to L 1 (in the implementation, the output cStopInf usion is produced by stopping the pump motor rotation), unless it encounters the empty syringe condition. During the infusion, if the empty syringe is detected (in the implementation, the input mEmptySyringe is detected from the switch sensor that is pressed when the syringe hits the bottom), the pump takes a transition from L 3 to L 4 to prepare alarms. In L 4 , the pump raises an alarm in between 200 ms and 500 ms by taking the transition from L 4 to L 1 (in the implementation, the output cAlarm is produced by providing signals to a buzzer and alarm LEDs).
Here are three timing constraints considered in this case study:
• (2) Obtaining the platform-processing delay (P): We measured the platform-processing delay (P) of each input and output of the Baxter PCA pump according to the measurement method introduced in [11] , and here is the brief explanation:
To measure the input processing delay, we obtained the timestamp (t m ) when the input is generated from the environment (mc-boundary), and obtained another timestamp (t i ) when the code reads the processed input (io-boundary); the input processing delay is calculated by subtracting t m from t i . To measure the output processing delay, we obtained the timestamp (t o ) when the output is generated from the code (io-boundary), and another timestamp (t c ) when the platform actually writes the processed output to the environment (mcboundary); the output processing delay is calculated by subtracting t o from t c .
We obtained each timestamp using the oscilloscope that captures the signal changes of the sensors and actuators of the PCA pump (the example of this oscilloscope measurement is given in Appendix). The measurement has been performed 20 times to measure each I/O delay (two inputs and three outputs), and the min/max bound and the average of the measured platform processing delay are summarized in Table. delay (f IMP ) is expected to stay within these min/max bounds. The blue line represents the actual delay of the implemented system that executes the code generated from the system model (M s ) without any delay adjustment; on the other hand, the red line represents the actual delay of the implemented system that executes the code generated from the software model (M c ) that has been constructed according to the proposed approach. According to our testing results, all measured implementation delays of the system running the code generated from M c are within the delay-bound allowed by M s for the three timing constraints (i.e., the delay-bound inclusion constraint holds under this testing set). On the other hand, most measured implementation delays of the system running the code generated from M s are out of the interval allowed by M s for all three timing constraints (i.e., the delay-bound inclusion constraint does not hold under this testing set). This result shows that a system model (M s ) is not an appropriate model to generate the code for the timing constraint conformance; instead, a software model (M c ) has to be used to generate the code toward the timing constraint conformance.
VI. RELATED WORK
There have been a number of works to incorporate the platform processing delay in high level models in several different ways. [16] proposed a parametric semantics that allows the reaction time of a platform to be modeled, and an analytic method to check if a platform has sufficient processing power for property preservation. On the other hand, [2] proposed a way to explicitly model software and platforms together to abstract the timed behavior of an implementation. Their approach includes platform modeling such as, digital clock, program execution and I/O interfaces, so that the collection of these models can be checked for the property preservation of an implementation. [1] [15] also studied how platform-specific timing delays can be incorporated with the platform-independent model. Their approach is to transform the platform-independent model into a physical model by decomposing each action transition in two separate transitions to express the platform-overhead required for processing events of the platform-independent model. Even though these platform models proposed in each work [16] [2] [1] [15] are useful in analyzing the property preservation of an implementation, these works lack of consideration as to how software part can be generated and integrated with a platform in a way the implementation still holds the property. Furthermore, their platform models are rather too abstract by ignoring some aspects that result in the timed behavior deviation between a model and an implementation. For example, these works lack of consideration as to how I/O dependency and information flow that affect to the timed behavior of an implementation w.r.t. its model. In comparison to the above works and our work that considered the timed automata semantics in characterizing timing aspects of platforms, there are other works that express the timing aspects in different ways. AADL [6] introduced several components that can express platform's timing aspects such as threads, port connections, and bus components; TrueTime [7] introduced kernel and network blocks that can be connected to the ordinary Simulink blocks so that the temporal behavior of a system that executes control algorithms on a particular platform can be simulated. Even though these modeling strategies do not discuss about the code generation, we believe that the way these works abstract the timing aspects of platforms can complement our work in refining the definition of the platform processing delays.
Regarding to the delay-bound computation, [5] defined three quantitative refinement metrics -(a) maximum time difference, (b) eventual maximum time difference, (c) average time difference.-that quantify the timing mismatches between a model and its implemented systems. Even though this work does not consider how to obtain code from the timed models, we believe that these are more refined metrics to reason about the relationship between a model and its implementations compared to our delay-bound inclusion constraint. We leave applying these metrics to extend our code generation framework as a future work.
VII. CONCLUSION AND FUTURE WORK We proposed a way to transform a system model (M s ) into a software model (M c ) in order to compensate the platformprocessing delays (P) for code generation purpose. Our model transformation is performed by formalizing it using integer linear programming in order to preserve the delay-bound inclusion constraint at the implementation level. This approach provides two types of automation in the code generation process: (1) given a platform, it automatically checks whether there exists a code generation strategy that preserves the delaybound inclusion constraint; (2) (if it is feasible), the software model (M c ) is automatically obtained from the system model (M s ), which guarantees to generate optimal code that can utilize the maximum computation time in between processing any pairs of I/O events. Our case study using the infusion pump system shows the code generated from M c better preserves the delay-bound inclusion constraints compared to the code generated from M s .
As a future work, we plan to study a broader scope of modeling patterns that can be applicable for computation of f Ms and f IMP . We also plan to extend a notion of platforms to the distributed setting. That is, a system model abstracts timed behavior of distributed systems; and several different code should be generated running on each platform that are connected through network. This requires more refined definition of the platform-processing delays (e.g., incorporating network delays) and a new model transformation strategy for code generation.
APPENDIX

A. Notations
Table IV list the notations used in the paper.
Notations Definitions
The system model The software model
The timing parameter assignments to the system model and the software model
The lower/upper bound of clock values associated with a transition k of the software model
The lower/upper bound of clock values associated with a transition k in the system model The min/max platform processing delay of the event ak; By adding min and max superscript, each indicates minimum delay bound and maximum delay bound separately.
The min/max delay bound of a transition j succeeding a transition i in the system model; By adding min and max superscript, each indicates minimum delay bound and maximum delay bound separately
The min/max delay bound of a path p in the system model; By adding min and max superscript, each indicates minimum delay bound and maximum delay bound separately
The min/max delay bound of an event j (corresponding to transition j in the system model) succeeding an event i (corresponding to transition i in the system model) at the mc-boundary; By adding min and max superscript, each indicates minimum delay bound and maximum delay bound separately
The min/max delay bound of a final event (corresponding to the final transition of p in the system model) succeeding a start event (corresponding to the start transition of p in the system model) at the mc-boundary; By adding min and max superscript, each indicates minimum delay bound and maximum delay bound separately
The min/max delay bound of an event j (corresponding to transition j in the system model) succeeding an event i (corresponding to transition i in the system model) at the io-boundary; By adding min and max superscript, each indicates minimum delay bound and maximum delay bound separately
The system model-level input/output event (identifier: k)
The implementation-level input event: the input (m) generated from the environment at the mcboundary; the input (i) processed by the platform at the io-boundary (identifier: k)
