A new modeling framework based on event calendars enables dense timed systems to be described without relying on continuously varying clocks. We present verification techniques that rely on induction and abstraction, and show how these techniques are efficiently supported by the SAL symbolic model-checking tools. The modeling and verification method is applied to the fault-tolerant real-time startup protocol used in the Timed Triggered Architecture.

Formal Modeling and Analysis of Timed Systems. Conference paper.


Rule R4-T describes the movement of a train: it updates its attributes, sends a Traveling message to itself to be received in at least 10 time units (simulating the time needed to reach the end of this segment) and sends a message to the segment it was in to inform it that this train is leaving. If there is a gate, message Go will be treated by rule R5-T, which requires the gate to open immediately (the Open message is scheduled to arrive exactly in the next time unit, without delay).

The application of rule R5-T also generates a message OpenGate, which shall arrive between 2 and 3 time units (the time needed for the gate to open), and will trigger rule R6-T, which will then move the train to the next position. The type graph describes that each railroad segment keeps the information about its identifier (attribute id: Natural), its neighbour (the reference nextr), its state (busy: Boolean) and the knowledge whether it is a station or not (station: Boolean).

The initial graph is given by two consecutive RSegm instances. Instances of RSegm can react to messages MayGo? The type graph indicates that gates have one attribute open that describes whether the gate is opened or closed. By rule R1-G, if the gate is requested to open, its closure is scheduled to occur between 5 and 8 time units, i. By rule R2-G, if the gate is opened and there is a close request, attribute open is modified to false.

As discussed in the previous section, the semantics of graph grammars is based on rule applications.

First, we give the formal definitions of how these rule applications are obtained in the untimed graph grammars. Then, we explain how these rule applications can be enhanced to handle time. The resulting semantic model will be a transition system in which states correspond to reachable graphs equipped with clocks and transitions describe rule applications or the elapse of time. Rule Application, Computation. Given a rule r and a state G, we say that this rule is applicable in this state if there is a match m, that is, an occurrence of the left-hand side of the rule in the state.

We denote such rule application by G I. Graphs G and H are called input and output graphs of this rule application. A rule application means that all items that are in the left-hand side of the rule and not in the right-hand side will be deleted from G, and all items that are in the right-hand side of r but not in its left-hand side will be included in G (formally, this effect can be described by a pushout in suitable categories of graphs).

This means that the same rule may be applicable to a graph using different matches. A computation of a graph grammar is a sequence of rule applications starting with the initial graph of the grammar, and in which the output graph of one rule application is the input graph of the next one.


We say that a graph or state G is reachable if there is a computation in which the output graph of the last rule application is G. A rule application using rule r and match m is a pushout in the category OBGraph C. An example of a rule application is shown in Figure 5. Typically, the semantics of a system described using a graph grammar is a transition system where the states are graphs and the transitions describe the possible rule applications. This semantics, however, does not take into consideration any time restrictions. In order to define the transition system that gives semantics to a timed object-based graph grammar, we make an extension of the usual semantics, including clocks on states and allowing only rule applications that respect time restrictions.

One requirement that is imposed on the semantic model is that all clocks advance simultaneously. This requirement implies that the relations among delivery times of messages in a state are preserved in the subsequent states, and this assures that the time constraints of the system are adequately modeled.

## Modeling and Verification of a Fault-Tolerant Real-Time Startup Protocol Using Calendar Automata

Note that this does not impose a serious restriction in practice, since we are just assuming that clocks count the time in the same units and never stop until they are deallocated (in particular, this does not mean that we have a global notion of time). Timed State. In the semantical model proposed here, states are described by tuples $(G, \mathit{Clocks}_G, \mathit{mc}_G, \mathit{val}_G)$, where $G$ is a timed object-based graph, $\mathit{Clocks}_G$ is a set of clock names, a function $\mathit{mc}_G$ associates a clock with each timed message of $G$, and a function $\mathit{val}_G$ associates a time (natural number) with each clock.

Timed Computations. In both cases, time restrictions must be obeyed: in the case of rule applications, it must be assured that a message will be treated only within its delivery time (this is guaranteed by a suitable definition of match for timed rules); in the case of time elapse, the maximum treatment time of all messages should not be violated (this is guaranteed by forbidding computations that would lead to inconsistent states, that is, states that do not satisfy the time restrictions).


A timed computation is defined by a sequence of such state changes corresponding to rule application or time elapse. Therefore, by construction, a timed computation guarantees that time restrictions will never be violated. This transition may only occur in case the following restriction is satisfied: for all timed message msg of G i with corresponding clock c msg ,.

The latter should also respect message delivery time restrictions: a clock can only be updated if the maximum time of the corresponding message is not violated. By construction, this transition system corresponds to the class of all timed computations of a TOBGG.
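The two kinds of state change described above (rule application and time elapse) can be sketched as follows. This is an added example, not code from the original paper: the class and function names are hypothetical, the message name `Close` is assumed for the gate's close request, and the graph itself is reduced to the set of pending timed messages.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class TimedMsg:
    name: str
    tmin: int             # earliest delivery time, relative to creation
    tmax: Optional[int]   # latest delivery time; None means "at least tmin"

class TimedState:
    """Pending timed messages, each mapped to the value of its own clock."""
    def __init__(self):
        self.val = {}     # TimedMsg -> natural number (time since creation)

    def send(self, msg):
        self.val[msg] = 0                 # fresh clock initialised with zero

    def max_elapse(self):
        """Largest delay that violates no message's maximum delivery time."""
        slack = [m.tmax - v for m, v in self.val.items() if m.tmax is not None]
        return min(slack) if slack else None   # None: time may elapse freely

    def elapse(self, d):
        limit = self.max_elapse()
        if limit is not None and d > limit:
            raise ValueError(f"elapse({d}) would exceed a deadline (max {limit})")
        for m in self.val:                # all clocks advance simultaneously
            self.val[m] += d

    def deliverable(self, msg):
        v = self.val[msg]
        return v >= msg.tmin and (msg.tmax is None or v <= msg.tmax)

    def consume(self, msg, produced=()):
        """Rule application: the trigger is consumed, new messages are created."""
        if not self.deliverable(msg):
            raise ValueError(f"{msg.name} is outside its delivery interval")
        del self.val[msg]                 # its clock is deallocated
        for p in produced:
            self.send(p)

def gate_scenario():
    # Constructed state using the railroad intervals: OpenGate [2, 3], Close [5, 8].
    open_gate, close = TimedMsg("OpenGate", 2, 3), TimedMsg("Close", 5, 8)
    s = TimedState()
    s.send(open_gate); s.send(close)
    trace = [("max_elapse", s.max_elapse())]             # bounded by OpenGate
    s.elapse(2)
    trace.append(("close_ready", s.deliverable(close)))  # clock 2 is below 5
    s.consume(open_gate)
    trace.append(("max_elapse", s.max_elapse()))         # only Close remains
    return trace
```

Any `elapse` that would carry a clock past its message's maximum time raises an error, which corresponds to forbidding computations that lead to inconsistent states.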

Lab is the set of all labels of transitions in Tran. Figure 6 illustrates part of the transition system obtained for the Railroad System presented in Subsection 2. Rectangles represent states and arrows model transitions (state changes). States are composed of a graph $G$ and of functions $\mathit{mc}_G$ and $\mathit{val}_G$ (represented in the lower part of rectangles), which associate, respectively, a clock with each timed message of graph $G$ and a time with each clock.

Transitions labeled by a non-negative value correspond to state changes due to elapse of time and transitions labeled by a rule name correspond to state changes caused by the application of the respective rule. For example, from the initial state IG to state G0 the transition labeled by 12 just updates clock1, and the transition from G0 to G2 corresponds to the application of rule R2-T. In the latter case, Traveling is the trigger message (it is consumed) and a timed message Wait is created.

The clock associated with this message, clock2, is initialized with zero. To be able to perform automatic verification of timed object-based graph grammars, we translate each TOBGG to an equivalent timed automaton, and use the existing tools to verify properties of timed automata to check the TOBGG. Timed Automata [1, 4] are used to specify and verify real-time systems. To express the behavior of a system with time restrictions, Timed Automata extend Nondeterministic Automata with a finite set of clocks.

In this model states and transitions are associated to clock constraints. A clock constraint is a conjunction of atomic constraints, which compare clock variables with a constant value (a nonnegative rational value). A clock constraint associated to a state (named invariant) indicates how many time units the system may remain in a certain state. The constraint of a transition represents its activation conditions. Moreover, each transition is associated to a set (possibly empty) of clocks that are reset with the occurrence of this transition. Figure 7 shows an example of a timed automaton where s0 and si represent the states of the system.

To each timed automaton TA we can associate a corresponding transition system [1]. The possible transitions are the ones specified in TA, and transitions that increment the clocks (all clocks are incremented simultaneously). All transitions and reachable states must satisfy the time restrictions. Formally, the semantics of a timed automaton $A$ is defined by associating a transition system $S_A$ with it.


Each state of $S_A$ is a pair $(s, \mathit{val})$, such that $s$ is a location of $A$ and $\mathit{val}$ is a clock interpretation for Clocks such that $\mathit{val}$ satisfies the invariant $I(s)$. The set of all states of $A$ is denoted by $Q_A$. There are two types of transitions in $S_A$ [1]:. Thus, $S_A$ is a transition system with label-set. In this section we define formally how to obtain a timed automaton that captures this idea of behavior of timed OBGGs.