Compositional verification for Hierarchical Scheduling of Real-Time systems by Pinzuti, Alessandro
UNIVERSITÀ DEGLI STUDI DI FIRENZE
Dipartimento di Sistemi e Informatica
Dottorato di Ricerca in
Ingegneria Informatica, Multimedialità e Telecomunicazioni
ING-INF/05 Ingegneria Informatica
Compositional verification
for Hierarchical Scheduling
of Real-Time systems
Alessandro Pinzuti
Ph.D. Coordinator
Prof. Giacomo Bucci
Advisors
Prof. Enrico Vicario
Prof. Giacomo Bucci
XXV Ciclo – 2011-2013
Dedicated to my loving parents Massimo, Cinzia, Debora, and
to my dear Valentina for their encouragement and support.
Abstract
The correctness evaluation of both sequencing and timing con-
straints constitutes a major effort in the development of safety
critical real-time systems.
On the one hand, the prevalent approach based on software simulation is no longer satisfactory, not only because it requires an inordinate amount of computational and human resources, but also because it does not provide formal assurance. Accordingly, formal verification techniques are indispensable, also due to the scale of modern real-time systems.
On the other hand, verification techniques suffer from 'compositional complexity', that is, the size of a system state space grows exponentially with the number and size of its components. Moreover, for real-time systems this problem is exacerbated by the representation of the timing information. To face the computational complexity of verifying real-time systems, techniques based on compositional verification and scheduling hierarchies seem to be promising.
Hierarchical Scheduling (HS) techniques achieve resource parti-
tioning among a set of Real-Time Applications, providing reduc-
tion of complexity, confinement of failure modes, and temporal
isolation among system applications. This facilitates composi-
tional analysis for architectural verification and plays a crucial
role in all industrial areas where high-performance microproces-
sors allow growing integration of multiple applications on a single
platform.
This dissertation proposes a compositional approach to formal
specification and schedulability analysis of Real-Time Applica-
tions running under a Time Division Multiplexing (TDM) Global
Scheduler and preemptive Fixed Priority (FP) Local Schedulers,
according to the ARINC-653 standard. As a characterizing trait,
each application is made of periodic, sporadic, and jittering tasks
with offsets, jitters, and non-deterministic Execution Times, en-
compassing intra-application synchronizations through semaphores
and mailboxes and inter-application communications among pe-
riodic tasks through message passing. The approach leverages
the assumption of a TDM partitioning to enable compositional
design and analysis based on the model of preemptive Time Petri
Nets (pTPNs), which is expressly extended with a concept of Re-
quired Interface (RI) that specifies the embedding environment of
an application through sequencing and timing constraints. This
enables exact verification of intra-application constraints and ap-
proximate but safe verification of inter-application constraints.
Experimentation illustrates results and validates their applica-
bility on two challenging workloads in the field of safety-critical
avionic systems.
Contents
1 Introduction 1
1.1 Verification of Real-Time systems . . . . . . . . . . . . . . . . . 1
1.2 Verification of Hierarchical Scheduling systems . . . . . . . . . . 8
1.3 Compositional verification of real-time systems . . . . . . . . . . 11
1.4 Outline of The Dissertation . . . . . . . . . . . . . . . . . . . . 19
2 Domain Model 21
2.1 Domain Model . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.2 Standard ARINC-653 . . . . . . . . . . . . . . . . . . . . . . . . 24
2.2.1 ARINC-653 architecture: Partitions . . . . . . . . . . . . 26
2.2.1.1 Spatial partitioning . . . . . . . . . . . . . . . 27
2.2.1.2 Temporal partitioning . . . . . . . . . . . . . . 27
2.2.1.3 ARINC 653 Services . . . . . . . . . . . . . . . 28
2.2.1.4 ARINC653 systems verification needs . . . . . . 29
3 Hierarchical Scheduling systems without inter-application com-
munications 31
3.1 Compositional verification of an HS system without inter-application
communications . . . . . . . . . . . . . . . . . . . . . . . . . . 32
CONTENTS iv
3.1.1 Preemptive Time Petri Nets . . . . . . . . . . . . . . . . 32
3.1.1.1 Syntax . . . . . . . . . . . . . . . . . . . . . . 32
3.1.1.2 Semantics . . . . . . . . . . . . . . . . . . . . 33
3.1.1.3 Analysis . . . . . . . . . . . . . . . . . . . . . 35
3.1.2 An example workload . . . . . . . . . . . . . . . . . . . 36
3.1.3 The pTPN submodel of the Task-Set . . . . . . . . . . . 37
3.1.4 The pTPN submodel of the Global Scheduler . . . . . . . 39
3.1.5 Architectural verification . . . . . . . . . . . . . . . . . . 40
4 Hierarchical Scheduling systems with inter-application communi-
cations 42
4.1 Compositional verification of an HS system with inter-application
communications . . . . . . . . . . . . . . . . . . . . . . . . . . 43
4.1.1 Required Interfaces . . . . . . . . . . . . . . . . . . . . . 43
4.1.1.1 Syntax . . . . . . . . . . . . . . . . . . . . . . 43
4.1.1.2 Semantics . . . . . . . . . . . . . . . . . . . . 46
4.1.2 Construction of a Required Interface . . . . . . . . . . . 47
4.1.3 The pTPN submodel of the Required Interface . . . . . . 49
4.1.4 Verification of Required Interfaces . . . . . . . . . . . . . 51
4.1.4.1 Location of the occurrence of events within time-
slots . . . . . . . . . . . . . . . . . . . . . . . 51
4.1.4.2 Lower and upper bounds on the duration elapsed
between two time-slots . . . . . . . . . . . . . 52
4.1.4.3 Lower and upper bounds on the time elapsed
between two events . . . . . . . . . . . . . . . 54
4.1.4.4 Verification procedure . . . . . . . . . . . . . . 55
4.1.4.5 Soundness . . . . . . . . . . . . . . . . . . . . 58
4.1.4.6 An example . . . . . . . . . . . . . . . . . . . 59
4.1.5 Complexity . . . . . . . . . . . . . . . . . . . . . . . . . 60
5 Experience on real complexity avionic systems 63
5.1 Experience on real complexity avionic systems . . . . . . . . . . 63
5.1.1 A case-study without inter-application communications . . 64
5.1.1.1 Workload structure . . . . . . . . . . . . . . . 65
5.1.1.2 Results of the analysis . . . . . . . . . . . . . . 66
5.1.2 A case study with inter-application communications . . . 67
5.1.2.1 Workload structure . . . . . . . . . . . . . . . 68
5.1.2.2 Inter-application interactions . . . . . . . . . . 69
5.1.2.3 Results of the analysis . . . . . . . . . . . . . . 73
6 Conclusions 75
6.1 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
A Appdx A 78
B Appdx B 86
B.1 The structure of the pTPN submodel of the Required Interface . 86
B.1.1 Invariant Inv1 . . . . . . . . . . . . . . . . . . . . . . . 87
B.1.2 Invariant Inv2 . . . . . . . . . . . . . . . . . . . . . . . 88
B.1.3 Invariant Inv3 . . . . . . . . . . . . . . . . . . . . . . . 88
B.1.3.1 Reset of the expected time to the next occur-
rence of an event . . . . . . . . . . . . . . . . 89
B.1.3.2 Conservation of the expected time to the next
occurrence of an event . . . . . . . . . . . . . 92
References 96
List of Figures
1.1 Soft real-time: The system can react after the deadline, but the
utility decreases (maybe fast) and at some point gets to zero (no
damage occurs). Hard real-time: Missing the deadline the utility
function goes immediately to ’minus infinity’ which entails that a
catastrophic event will happen. . . . . . . . . . . . . . . . . . . 2
2.1 The addressed structure of HS systems represented through a
UML-MARTE class diagram. . . . . . . . . . . . . . . . . . . . 23
2.2 Embedded Avionic Architecture (source: ARINC-653 Standard) . 26
2.3 Standard ARINC-653: Confinement of failure modes . . . . . . . 29
3.1 The pTPN submodel of the Task-Set of application A1 in the HS
system of Table 3.1. . . . . . . . . . . . . . . . . . . . . . . . . 38
3.2 The pTPN submodel of the Global Scheduler of application A1
in the HS system of Table 3.1. . . . . . . . . . . . . . . . . . . 40
4.1 A scheme illustrating inter-application interactions in the HS sys-
tem of Table 3.1. . . . . . . . . . . . . . . . . . . . . . . . . . 45
4.2 A scheme illustrating the allocation of M time-slots T1, ..., TM
to N applications A1, ..., AN . . . . . . . . . . . . . . . . . . . . 52
LIST OF FIGURES vii
5.1 Case study with inter-application communications: a scheme il-
lustrating message-passing interactions. . . . . . . . . . . . . . . 70
A.1 A scheme used in the proof of Theorem 4.1.2 to illustrate: the
succession of time-slots elapsed during the execution of a symbolic
run ρu ∈ Suij and ρv ∈ Svij; the time-slots during which ti and tj
occur; and, the duration elapsed between the end of a time-slot
during which tj occurs and the beginning of the subsequent time-
slot during which ti occurs. In the concrete example, the scheme
assumes that: Pi = 3P ; Pj = 2P ; Πij = 6P ; ti occurs during
time-slots T 17 and T 47 ; and, tj occurs during time-slots T 14 , T 34 ,
and T 54 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
A.2 A scheme used in the proof of Theorem 4.1.2 to illustrate the
time-slots comprised between a pair of time-slots 〈T rk , T qh〉 ∈ Wij
when k ≤ h ∧ r ≤ q. . . . . . . . . . . . . . . . . . . . . . . . 81
A.3 A scheme used in the proof of Theorem 4.1.2 to illustrate the
time-slots comprised between a pair of time-slots 〈T rk , T qh〉 ∈ Wij
when k > h ∧ q > r. . . . . . . . . . . . . . . . . . . . . . . . 81
B.1 A pTPN fragment modeling the occurrence of an event ti after
an event tj. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
B.2 A pTPN fragment modeling the occurrence of a model transition
conditioning the environment. . . . . . . . . . . . . . . . . . . . 88
B.3 A pTPN fragment modeling an event ti whose expected time is
reset at the occurrence of an event tj. . . . . . . . . . . . . . . 89
B.4 A pTPN fragment modeling an event tk whose expected time is
reset at the occurrence of events tj and ti. . . . . . . . . . . . . 90
B.5 A pTPN fragment modeling an event tk whose expected time is
reset at the occurrence of an event ti but not at the occurrence
of an event tj that may precede ti. . . . . . . . . . . . . . . . . 90
B.6 A pTPN fragment modeling an event ti that may occur after an
event tj although its expected time is not reset at the occurrence
of tj. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Chapter 1
Introduction
1.1 Verification of Real-Time systems
Embedded Real-Time (RT) systems are special-purpose information processing units closely integrated into their environment. They are typically dedicated to a specific application domain for accomplishing a predetermined task inside a device, e.g., they fly our planes, manage our electrical grid, control our nuclear power plants, run our medical devices, guide our trains, and much more. When a processing unit is embedded into a specific environment, the constraints imposed by the particular application domain very often lead to heterogeneous and distributed implementations, where systems are composed of hardware components communicating through an interconnection network. In these systems, functional and non-functional properties depend not only on the internal behaviour of the various components but also on the external interactions among system components via communication channels.
INTRODUCTION 1
Embedded systems are usually reactive systems which interact with their physical environment through sensors and actuators; hence they have to keep pace with their environment, behaving in a predictable manner and adhering to timing requirements as well [23]. This means that many embedded systems must meet real-time constraints, i.e., they must react to stimuli within a time interval dictated by the environment. Such a real-time constraint is called hard if not meeting it could result in a catastrophic event, and it is called soft otherwise (see Figure 1.1).
[Figure 1.1: four panels plotting the utility V(t) of a result against time t, each marked with the deadline: Soft real-time; Firm (0, no value after the deadline); Hard essential (-n, penalty); Hard real-time (minus infinity, disaster).]
Figure 1.1. Soft real-time: The system can react after the deadline, but the util-
ity decreases (maybe fast) and at some point gets to zero (no damage occurs).
Hard real-time: Missing the deadline the utility function goes immediately to
’minus infinity’ which entails that a catastrophic event will happen.
It becomes apparent that these kinds of systems are inherently difficult to design and to analyze, given that not only the logical coherence, the safety, and the correctness of the computations of the whole real-time system are of major concern, but also the timeliness of the computed results.
During the design process of a real-time embedded system some questions arise, such as whether the timing properties of the system design will meet the design requirements (e.g., will a task miss its deadline?), whether process synchronisations on resources are respected (e.g., will a priority inversion occur?), or what kinds of interferences a system component will be subjected to (e.g., will RT applications respect their inter-application communication constraints?).
Consequently, one of the major challenges in the design process is to analyze specific characteristics of the system design, such as event sequencing and timing constraints, semaphore synchronisations, end-to-end delays on inter-application communications, and buffer requirements, so as to support design decisions before much time is invested in detailed implementations. Such analysis is generally referred to as system level performance analysis. When this kind of analysis is carried out on complex real-time systems, many factors of complexity are faced which can make it difficult and its results potentially inaccurate or too pessimistic:
• Resource Sharing: Complex real-time embedded systems typically host
multiple applications, with tasks executing concurrently, sharing re-
sources, and communicating with messages via interconnection chan-
nels. A single system often employs various different policies on its re-
spective components for resource sharing and different scheduling poli-
cies may even be employed on a single component through emerging
hierarchical approaches.
• Interferences: Depending on the resource sharing policies that are employed on a system, different applications may interfere with each other (e.g., via message passing or, in a more complex case, via semaphore synchronisations). In the analysis of interferences, special care has to be taken with scheduling anomalies often observed on complex embedded systems, where the worst-case behaviour of one application sometimes occurs only when other applications do not execute their worst-case behaviour.
• Variable Execution Demands: The execution demand of an application
task is often variable and depends for instance on the data or the type
of the processed event.
• Different types of concurrent tasks: A complex real-time system deals
with various types of recurrent tasks, such as periodic, sporadic or jit-
tering tasks, depending on whether their release time is deterministic,
bounded by a minimum but not a maximum value, or constrained be-
tween a minimum and a maximum value, respectively.
• Multiple processors: A distributed real-time system is generally built
up from a combination of various components with different processing
units each one requiring specific analysis.
To address these issues, various approaches have been developed which ad-
dress the verification of real-time embedded systems, relying on simulation
and/or on techniques based on mathematical and logic concepts, provid-
ing assurances of software or hardware safety in reasonable time. These
approaches have recently greatly increased the size and complexity of the
systems that can be treated.
Methods for verification of real-time systems can broadly be divided into three main categories: simulation approaches, analytical approaches, and approaches based on state space analysis. The major differentiation criterion among these categories regards the quality of results that can be obtained with the respective methods.
Currently, simulation based methods for verification of real-time constraints are largely used in industry, where system designers mostly rely on commercial tools such as Cadence's VCC [1], Mentor Graphics' Seamless [2], ARM's MaxSim [3], and Synopsys SystemStudio [4]. Simulation based methods have the main advantage of taking into account many dynamic and complex interactions of an implemented system architecture. However, in terms of guaranteeing correctness, they typically suffer from insufficient corner case coverage [39] (i.e., non-exhaustiveness), because a concrete simulation run in general cannot be guaranteed to cover all corner cases. Besides, they often suffer from long running times (mostly depending on the attained accuracy) and from high set-up effort for each new architecture and mapping to be analyzed. In an attempt to overcome the latter two disadvantages of strictly simulation based methods, various approaches have been proposed that combine simulation and analysis for both performance estimation and schedulability analysis. In [51], the authors combine simulation and analysis by a hybrid trace-based simulation methodology, and, in [49], Poletti et al. provide a method to combine the SystemC simulator [12] with formal analysis based on Real-Time Calculus [84]. While these mixed strategies help to shorten simulation run-times, they do not remove the problem of non-exhaustiveness.
To overcome these problems and guarantee exhaustiveness of the analysis results, various methods based on analytic formal analysis have been developed, which deliver worst-case results for various system properties at low computational cost. However, the main disadvantage of these analytical formal methods is typically their inability to incorporate complex interactions and state-dependent behaviours of the system, which often yields pessimistic results. Analytical performance models for embedded processors were proposed in [7] and [43], where the computation, communication, and memory resources of a processor are all described using simple algebraic equations that do not take into account the dynamics of the applications, such as variations in resource loads and shared resources. Therefore, these methods lack accuracy and provide analysis results that typically show large deviations from the properties of the final system implementation. A large literature exists on the scheduling of tasks on shared computing resources, see for example [23] and the references therein. In particular, in the real-time systems domain many results are available on schedulability analysis and worst-case response time analysis of individual tasks on single processor systems with various scheduling policies. Examples are analysis methods for fixed-priority, rate-monotonic [61], deadline monotonic [56], or earliest deadline first scheduling [61], [9], or for time triggered policies like TDMA or round-robin.
The results obtained with the formal analysis based methods described so far are in general hard upper bounds on the worst-case result and hard lower bounds on the best-case result of the various analyzed properties of a system. In fact, in this literature, the analytical analysis of correctness concerns both the logical sequencing and the quantitative timing of events, and it relies on a number of hypotheses about the structure of the task-set, which eases the problem of sequencing correctness. Moreover, analytic methods are limited to the computation of a few specific system measures, and each method is restricted to a specific mathematical abstraction into which the system specification under analysis must be translated, which may lead to overly conservative analysis results. In general, these analytical techniques are hindered by a number of aspects, such as: sporadic tasks or tasks with mutual dependencies in the time of release, inter-task dependencies due to mutual exclusion on shared resources or to dataflow precedence relations, internal sequencing of tasks, nondeterministic computation times, multiple processors, and flexible adaptation of process parameters to transient overload.
For complex task-sets that expose any of these factors, verification of both sequencing and timing correctness may become sufficiently critical to motivate the use of approaches based on state-space analysis of models such as Timed Automata (TA), Petri Nets (PNs), and Process Algebra (PA). However, these approaches do not represent preemptive behaviours, since they cannot represent clocks whose advancement can be suspended and then resumed, which is instead the most common case in the context of multi-tasking systems.
Several models have been proposed that address this issue: extensions of Timed Automata (TAs) such as Stopwatch Automata (SWAs) [27], preemptive Time Petri Nets (pTPNs) [21], Time Petri Nets with Inhibitor Hyperarcs [79], and Scheduling Time Petri Nets (Scheduling-TPNs) [57]. The major limit of these models is state space explosion, which may jeopardize the verification of correctness of both the logical sequencing and the quantitative timing of events for large models. All these formalisms encompass temporal parameters varying within an assigned interval and support the representation of suspension in the advancement of clocks. In particular, their semantics can be defined in terms of a state transition rule driving the evolution of a logical location and of a set of densely-valued clocks, which requires that the state-space be covered through equivalence classes, usually relying on Difference Bounds Matrix (DBM) encoding. In particular, in [21], an efficient approach enumerates an approximation of the state-space of a pTPN, preserving DBM encoding [87], [14], [29] and supporting derivation of the tight timing profile of clocks enabled along a path, which cleans up false behaviors introduced by the approximation. In [26], the theory of isolated pTPNs is cast in a tailoring of the V-Model SW life cycle that supports design, implementation, and testing of real-time tasks running under preemptive FP (flat) scheduling.
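The equivalence classes mentioned above are sets of clock valuations encoded as a Difference Bounds Matrix: entry m[i][j] bounds the difference x_i - x_j, with clock 0 fixed at zero so that row and column 0 carry the bounds of each individual clock. The following Python code is an added illustration of that encoding, not part of the dissertation or of the tools it cites: it shows the Floyd-Warshall closure that makes implied bounds explicit, the inconsistency (empty class) check, time elapse, and the effect of adding a sequencing constraint. Clock names and numeric intervals are constructed for the example.

```python
"""Added example: Difference Bounds Matrix (DBM) operations over a class of
clock valuations (illustration only, not code from the dissertation)."""
from typing import List, Optional, Tuple

INF = float("inf")
DBM = List[List[float]]


def make_dbm(n_clocks: int) -> DBM:
    """Unconstrained DBM over n clocks; index 0 is the reference clock that is
    always zero, so m[i][0] is an upper bound and -m[0][i] a lower bound on x_i."""
    n = n_clocks + 1
    m = [[INF] * n for _ in range(n)]
    for i in range(n):
        m[i][i] = 0.0
        m[0][i] = 0.0  # 0 - x_i <= 0: clocks never go negative
    return m


def close(m: DBM) -> Optional[DBM]:
    """Canonical form: Floyd-Warshall shortest paths tighten every entry to the
    strongest bound implied by the others.  Returns None when the class is
    empty (a negative cycle, i.e. some x_i - x_i < 0)."""
    n = len(m)
    d = [row[:] for row in m]
    for k in range(n):
        for i in range(n):
            for j in range(n):
                if d[i][k] + d[k][j] < d[i][j]:
                    d[i][j] = d[i][k] + d[k][j]
    if any(d[i][i] < 0 for i in range(n)):
        return None
    return d


def constrain(m: DBM, i: int, j: int, c: float) -> Optional[DBM]:
    """Intersect the class with x_i - x_j <= c and re-canonicalize."""
    d = [row[:] for row in m]
    d[i][j] = min(d[i][j], c)
    return close(d)


def elapse(m: DBM) -> Optional[DBM]:
    """Let time advance: upper bounds of clocks against the reference vanish,
    while differences between clocks (which advance together) are preserved."""
    d = [row[:] for row in m]
    for i in range(1, len(d)):
        d[i][0] = INF
    return close(d)


def bounds(m: DBM, i: int) -> Tuple[float, float]:
    """(lower, upper) bound on clock i read off a canonical DBM."""
    return (-m[0][i], m[i][0])


def example_class() -> DBM:
    """Constructed class: clock 1 (time to fire of transition t1) in [2, 5],
    clock 2 (time to fire of t2) in [3, 4].  Closure derives the implied
    bounds on x1 - x2 that were never stated explicitly."""
    m = make_dbm(2)
    m[1][0], m[0][1] = 5.0, -2.0   # 2 <= x1 <= 5
    m[2][0], m[0][2] = 4.0, -3.0   # 3 <= x2 <= 4
    d = close(m)
    assert d is not None
    return d


if __name__ == "__main__":
    d = example_class()
    print("x1 - x2 <=", d[1][2], " x2 - x1 <=", d[2][1])
    # t1 fires at least one unit before t2: x1 - x2 <= -1 tightens x1 to [2, 3]
    d_before = constrain(d, 1, 2, -1.0)
    print("x1 in", bounds(d_before, 1), " x2 in", bounds(d_before, 2))
    # an unsatisfiable ordering (x1 <= x2 - 3 with x1 >= 2, x2 <= 4) gives None
    print("empty class:", constrain(d, 1, 2, -3.0) is None)
    print("after time elapse, x1 in", bounds(elapse(d), 1))
```

The closure is what makes a DBM a canonical representative of its class: two classes with the same valuations have the same closed matrix, which is the property state-class enumeration relies on to detect already-visited classes. The empty-class check is the same negative-cycle test, and it is how a false behaviour introduced by an approximation is later eliminated when the timing profile along a path turns out to be infeasible.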
1.2 Verification of Hierarchical Scheduling systems
The advances in the field of computer architecture lead to increasingly powerful microprocessors and trigger a trend towards higher integration of functionality in embedded systems design. This trend is mostly motivated by cost reductions, but also by the reuse of legacy applications, as well as by the opportunity of functionality enhancements.
The main question that arises when integrating a number of real-time applications onto a single microprocessor is how to schedule these applications such that their individual timing requirements are not violated. The simplest method to compose several real-time applications onto a single resource would be to use a unique scheduling policy for all applications. Schedulability analysis of the integrated system could then be done using traditional analysis methods. However, this approach is typically not applicable, since the applications are often implemented by different vendors, and moreover because time and cost constraints often force the re-use of already implemented applications. This approach is also not practical and scalable, since it does not allow independent implementation of independent applications. The problem then becomes how to integrate real-time applications with different individual scheduling policies onto a single resource, so that the individual timing requirements are not violated. This problem can be faced by introducing a scheduling hierarchy.
Hierarchical Scheduling (HS) supports assignment of resources to clusters
of schedulable entities and enables fine-grained resource partitioning among
their constituent elements, providing aggregate resource allocation among a
set of Real-Time Applications. This yields reduction of complexity, confine-
ment of failure modes, and temporal isolation among system applications.
The scheduling hierarchy is usually represented as a tree of nodes with an
arbitrary number of levels, where each node may have an arbitrary number
of children [82]. Among the disparate architectures that may serve the design
of HS systems, a way of composing existing applications with different timing
characteristics is to use a two-level scheduling paradigm: at the global level,
a scheduler selects which application will be executed next and for how long;
at the local level, a scheduler is used for each application to determine which
task will be scheduled next [60]. Such approaches are increasingly used in
practice for real-time systems. For example, the ARINC-653 standard [6]
by the Engineering Standards for Avionics and Cabin Systems committee
specifies partition-based design of avionics applications.
Various analytical approaches address HS of systems encompassing local
resource sharing [32], [50], [58], [59], [60], [30], [36], [82].
In [32], a two-level HS architecture manages the execution of both real-
time and non real-time applications on a single processor, assuming an Ear-
liest Deadline First (EDF) global scheduler and a Total Bandwidth Server
(TBS) [83] for each application. The approach is extended in [50] to encom-
pass Rate Monotonic (RM) global scheduling policy under the assumption
of periodic tasks with harmonic periods.
In [58], an exact schedulability condition is provided for a two-level HS
scheme with EDF global scheduling policy and EDF/RM local scheduling
policy. In [60], [59], a methodology based on the periodic server abstraction
derives the class of server parameters that guarantees schedulability for Fixed
Priority (FP) local schedulers. They represent the service provided by a
server as a so-called characteristic function, which is equivalent to a service
curve. Based on this characteristic function, Lipari and Bini [60] investigate
a server that provides the service of a periodic resource model. This model
also assumes that the capacity of a server is always made available at the end
of its period. Lipari and Bini also investigate the problem of server parameter
selection. For this they approximate the service provided by their periodic
server with a bounded delay resource model, and the delay and the speed
INTRODUCTION 9
Verification of Hierarchical Scheduling systems
factor are then used to determine the delay and capacity of their periodic
server. The presented method is however overly pessimistic.
Almeida et al. [8] builds on the work of Lipari and Bini, and introduces
a response time analysis for a server with jitter, thus allowing a limited
generalization of the server model of Lipari and Bini. Almeida et al. also
investigate the problem of server parameter selection, and propose binary
search to determine the capacity of a periodic server. However, the method
presented by Almeida et al. suffers from the same pessimism as the method
of Lipari and Bini.
Response time analysis is employed in [30] to obtain exact schedulabil-
ity conditions for systems that are handled by FP preemptive scheduling
both at the local and at the global level, comparing Periodic, Sporadic, and
Deferrable Servers. In [68], a resource-level scheduler partitions a shared re-
source into real-time virtual resources and makes each of them accessible only
to the tasks of an individual application, supporting task-level schedulability
with respect to given partitions under FP and EDF policies. The resource
model of [36], [82] supports the derivation of the exact schedulability condi-
tion for a partitioned resource with periodic behaviour under EDF and RM
policies. The exact schedulability is obtained primarily by introducing the
concept of demand bound functions to represent the workload demand of the
tasks in an application, but also by using the correct delay bound in their
server schedulability analysis. The approach also encompasses an interface
model that represents the temporal guarantees of a parent scheduler through
a periodic resource model, and abstracts the temporal requirements of a child
scheduler through a periodic workload model.
Only a few model based approaches are proposed in the literature addressing the modelling of HS systems. In [25] the authors propose a formal approach to the development of real-time applications with non-deterministic Execution Times and local resource sharing, managed by a Time Division Multiplexing (TDM) global scheduler and preemptive Fixed Priority (FP) local schedulers, according to the scheduling hierarchy prescribed by the ARINC-653 standard. The methodology leverages the theory of preemptive Time Petri Nets (pTPNs) to support exact schedulability analysis, to guide the implementation on a Real-Time Operating System (RTOS), and to drive functional conformance testing of the real-time code.
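The two-level scheme described in this section (a TDM global scheduler allotting time-slots to applications, and a preemptive FP local scheduler inside each application) can be made concrete with a small discrete-time simulator. The Python code below is an added illustration, not code from the dissertation or from the pTPN-based tools it cites; the task set, the slot table and the time units are constructed for the example, and it produces a single worst-case-execution-time trace over one hyperperiod rather than the exhaustive state-space analysis the thesis performs.

```python
"""Added example: discrete-time simulation of a two-level scheduling
hierarchy (TDM global scheduler, preemptive FP local schedulers).
Illustration only; workload and slot table are constructed."""
from dataclasses import dataclass
from functools import reduce
from math import gcd
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Task:
    name: str
    app: str          # application (partition) owning the task
    period: int       # release period
    wcet: int         # worst-case execution time
    deadline: int     # relative deadline
    priority: int     # local FP priority: lower number = higher priority
    offset: int = 0   # instant of the first release


@dataclass(frozen=True)
class Slot:
    app: str          # application served during the slot
    start: int        # offset of the slot within the TDM frame
    length: int


@dataclass
class Job:
    task: Task
    release: int
    remaining: int
    finish: Optional[int] = None
    missed: bool = False

    @property
    def abs_deadline(self) -> int:
        return self.release + self.task.deadline


def lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)


def slot_owner(slots: List[Slot], frame: int, t: int) -> Optional[str]:
    """Global TDM level: which application owns the time unit [t, t+1)."""
    phase = t % frame
    for s in slots:
        if s.start <= phase < s.start + s.length:
            return s.app
    return None  # unallocated time in the frame


def simulate(tasks: List[Task], slots: List[Slot], frame: int) -> Tuple[Dict[str, int], Set[str]]:
    """Run one hyperperiod (lcm of the frame and all periods) and return the
    worst-case response time seen per task and the tasks that missed a deadline."""
    horizon = reduce(lcm, [t.period for t in tasks], frame)
    jobs: List[Job] = []
    wcrt = {t.name: 0 for t in tasks}
    missed: Set[str] = set()
    for t in range(horizon):
        # release every job whose release instant is t
        for task in tasks:
            if t >= task.offset and (t - task.offset) % task.period == 0:
                jobs.append(Job(task, t, task.wcet))
        # local FP level: the highest-priority pending job of the slot owner runs
        owner = slot_owner(slots, frame, t)
        pending = [j for j in jobs if j.task.app == owner and j.remaining > 0]
        if pending:
            job = min(pending, key=lambda j: (j.task.priority, j.release))
            job.remaining -= 1
            if job.remaining == 0:
                job.finish = t + 1
                wcrt[job.task.name] = max(wcrt[job.task.name], job.finish - job.release)
        # a job still unfinished at its absolute deadline has missed it
        for j in jobs:
            if j.remaining > 0 and not j.missed and j.abs_deadline <= t + 1:
                j.missed = True
                missed.add(j.task.name)
    return wcrt, missed


def budget_check(tasks: List[Task], slots: List[Slot], frame: int) -> Dict[str, bool]:
    """Necessary condition only: the utilization demanded by an application's
    tasks must not exceed the fraction of the frame its slots grant it."""
    share: Dict[str, float] = {}
    for s in slots:
        share[s.app] = share.get(s.app, 0.0) + s.length / frame
    demand: Dict[str, float] = {}
    for t in tasks:
        demand[t.app] = demand.get(t.app, 0.0) + t.wcet / t.period
    return {app: demand.get(app, 0.0) <= share[app] for app in share}


# Constructed workload: two partitions sharing a 10-unit TDM frame.
FRAME = 10
SLOTS = [Slot("A1", 0, 5), Slot("A2", 5, 5)]
TASKS = [
    Task("T1", "A1", period=10, wcet=2, deadline=10, priority=1),
    Task("T2", "A1", period=20, wcet=4, deadline=20, priority=2),
    Task("T3", "A2", period=10, wcet=3, deadline=10, priority=1),
    Task("T4", "A2", period=20, wcet=5, deadline=20, priority=2),
]

if __name__ == "__main__":
    print("budget ok per application:", budget_check(TASKS, SLOTS, FRAME))
    print("worst response times, missed:", simulate(TASKS, SLOTS, FRAME))
```

Running the block shows application A2 demanding 55% of the processor while its slots grant it 50%, and the trace confirms the consequence: T4 is still unfinished at its deadline, while the tasks of A1 meet theirs despite T2 being preempted across two frames. The temporal isolation the section describes is visible in the same run: A2's overload never delays T1 or T2. A trace with fixed worst-case execution times is only a necessary check; with non-deterministic execution times a deadline may be missed precisely in a run where some other task finishes early (the scheduling anomaly noted in Section 1.1), which is why the thesis resorts to exhaustive state-space analysis instead.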
1.3 Compositional verification of real-time systems
With the rapid growth of networking and high-computing power, the de-
mand for large-scale and complex software systems has increased dramati-
cally. Since many of these software systems support or supplant human con-
trol of real-time safety-critical systems (such as those found in flight control,
space shuttle control, aircraft avionics, robotics, patient monitoring devices,
and nuclear power plants), failure of such complex distributed systems could
have disastrous effects. The major obstacle in the practical applicability of
both analytical algorithmic and model based verification is the size of the rep-
resentation of the state space of these systems, which is roughly exponential
in the number of state variables. This problem usually known as ’state space
explosion’ has been at the center of most research on formal verification, and
it is notably exacerbated for real-time systems because timing information
compounds the state space.
A key step in achieving scalability in the verification of the large real-time systems mentioned above is to 'divide and conquer', where the correctness of a given system is established from the correctness of the system's components, each of which may be treated as a system itself and further reduced. When no further reduction is possible or desirable, global techniques for verification may be used to verify the bottom-level components. The advantages of compositional verification are clear, as each system component is both smaller and simpler than the system itself. Furthermore, the application of compositional techniques often provides greater insight into the interaction among system components than global techniques provide.
Various analytical techniques have been proposed to manage large scale systems, extending the concepts of classical scheduling theory to distributed systems. Such extensions, often referred to as holistic scheduling analysis, must in particular consider the delays caused by the use of possibly shared communication resources, which must not be neglected. Rather than denoting a specific performance analysis method, holistic scheduling analysis comprises a collection of techniques for scheduling analysis of distributed embedded systems. The work of Tindell and Clark [85] was the first approach towards holistic scheduling analysis. Tindell and Clark combine fixed priority preemptive scheduling on the processing resources of a distributed system with TDMA scheduling on the interconnecting communication bus. This work was improved in accuracy by Yen et al. [89] by taking into account data dependencies, and by Pop et al. [74] by considering control dependencies. Later, many holistic scheduling analysis techniques for various other combinations of scheduling policies have been investigated [86], [75], [71].
In the collection of holistic scheduling analysis techniques, every technique
is tailored towards a particular combination of input event model, resource
sharing policy and communication arbitration. While this permits detailed
analysis of the temporal behavior of a specific distributed system, it has the
drawback that a new analysis method must be developed for every new input
event model, communication protocol, and resource sharing policy. This cir-
cumstance not only restricts the applicability of holistic scheduling analysis,
but the consequently large heterogeneous collection of different techniques
also makes it difficult to use holistic scheduling analysis in practice.
A more general approach to extend the concepts of classical scheduling
theory to heterogeneous distributed systems was presented by Richter
et al. in [76], [78] and [77]. In contrast to the holistic scheduling analy-
sis that attempts to extend classical scheduling analysis to special classes
of distributed systems, Richter et al. propose a compositional performance
analysis methodology with the main goal to directly exploit the successful
results of classical scheduling theory, in particular for sharing a single pro-
cessor or a single communication link. In this compositional approach, every
single processor or communication link of a distributed system is analyzed
locally. To interconnect the various components, the method relies on a set
of standard event arrival patterns. Based on the arrival patterns of the in-
coming event streams and on the scheduling policy of the component, an
appropriate classical analysis technique is chosen individually for each single
processor or communication link to compute the worst-case and best-case
response time of every event stream at the component as well as to compute
the arrival patterns of the outgoing event streams that will trigger succeeding
components. The local analysis results are then combined to obtain global
end-to-end delays and buffer requirements. This approach does not take
into account sporadic tasks, non-deterministic execution time, and resource
sharing through semaphores among system components.
Recent compositional analytical approaches address HS of complex dis-
tributed systems encompassing global resource sharing [31], [10], [37]. The
method of [30] is extended in [31] with a global resource access policy called
Hierarchical Stack Resource Policy (HSRP), which bounds priority inversion
and limits the interference due to overruns during resource accesses. In [10],
the Subsystem Integration and Resource Allocation Policy (SIRAP) provides
temporal isolation between subsystems that share logical resources, facilitat-
ing the integration of applications developed by independent suppliers. In
[37], compositional techniques support automatic scheduling and correctness
verification of ARINC-653 [6] partitions with global resource sharing.
Another promising analytic technique for compositional analysis of real-time
systems also addressing hierarchical scheduling is the Real-Time Calculus
(RTC) [84], which is a direct extension of Network Calculus (NC) [53].
Network Calculus is centred around the so-called cumulative arrival and ser-
vice functions, which basically count both the events arriving as input to an
application and the amount of available resources needed to handle the event
stream in the application over time. In contrast, Real-Time Calculus uses
interval bound functions to characterise both event streams (Arrival Curve)
and available resources (Service Curve). These curves can be derived from
the event stream by applying a sliding window algorithm, which makes it possible
to address several kinds of patterns for message arrivals and service provision. In
doing so, the RTC moves from the absolute time to a relative time domain,
where some knowledge from the event stream is lost with respect to a NC
approach (e.g. the exact time at which a specific situation occurred as well
as any knowledge of the average load and capacity). Moreover, RTC con-
siders only independent event streams where the arrival of an event x from
a stream A is not influenced by the arrival of an event y from a stream B.
In particular, it is difficult to accurately exploit implicit timing correlations
between event arrivals on different event streams. In [84] Lothar Thiele et
al. propose a framework of Modular Performance Analysis tailored towards
performance analysis of distributed real-time systems based on Real-Time
Calculus, where independent applications share a common execution platform
to process event streams. In such systems, the framework can be used to com-
pute hard upper and lower bounds on maximum end-to-end delays and buffer
requirements, but also other performance criteria such as individual resource
utilizations may be analyzed. The obtained analysis results are deterministic
and provide hard upper and lower bounds for any analyzed quantity, enabling
the framework to be used for the analysis of hard real-time systems. In contrast
to most of the analytical methods discussed above, this framework
follows a completely different approach to performance analysis, leading to
a good degree of generality and modularity. The key enabling factor for this
generality and modularity within the real-time calculus is the consistent
representation of all time-varying quantities (event streams and resources) in
the time interval domain. Moreover, in [84] Lothar Thiele et al. introduce
new components that enable interface-based design and analysis of systems
with hierarchical scheduling within their framework. They introduce a com-
ponent that models a computation or communication resource with a TDMA
sharing policy, and methods are presented for optimal parameter selection for
such a component. Nevertheless, this approach does not deal with sporadic
tasks and resource sharing at both local and global level.
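As an added illustration of the sliding-window construction described above (example code written for this page, not part of the dissertation or of any RTC toolbox): the script measures the upper and lower arrival curves of a constructed event trace, compares them with the analytic curves of a periodic stream with jitter, and reports the first window length at which a bursty trace exceeds the bound. The trace values, the horizon, the bound formulas of the periodic-with-jitter model and the function names are this example's assumptions. Only inter-event distances enter the result, which is exactly the loss of absolute-time information noted in the text.

```python
"""Arrival curves from an event trace by a sliding window (added example).

Real-Time Calculus characterises an event stream in the interval domain:
alpha_u(D) bounds from above, and alpha_l(D) from below, the number of events
that may arrive in ANY time window of length D.  Both curves are measured here
from a trace by sliding a window over it, and a trace is checked against the
analytic curves of a periodic stream with jitter.  The traces are constructed
for this example; they are not data from the dissertation.
"""
from bisect import bisect_left
from math import ceil, floor

# Constructed traces (event times in ms, sorted).
BURSTY_TRACE = [0, 9, 21, 30, 31, 32, 50, 59, 71, 80]     # nominal period 10, burst at 30..32
JITTERED_TRACE = [0, 11, 20, 32, 40, 51, 62, 70, 81, 90]  # period 10, jitter <= 2, no burst


def events_in_window(times, start, length):
    """Number of events t with start <= t < start + length (times must be sorted)."""
    return bisect_left(times, start + length) - bisect_left(times, start)


def measured_curves(times, delta, horizon):
    """Sliding-window evaluation of (alpha_u(delta), alpha_l(delta)).

    A half-open window of length delta is slid over the observation interval
    [0, horizon); the maximum and minimum event counts are the measured upper
    and lower arrival curves at delta.  Event times are integers, so integer
    window starts suffice: a window with a fractional start contains exactly
    the integer instants of the window starting at the next integer.
    """
    if delta > horizon:
        raise ValueError("window longer than the observation interval")
    times = sorted(times)
    counts = [events_in_window(times, s, delta) for s in range(horizon - delta + 1)]
    return max(counts), min(counts)


def pj_curves(delta, period, jitter):
    """Analytic curves of a periodic stream (period P) with jitter J (the RTC 'PJ' model).

    Assumption of this example: jitter is non-negative, i.e. the n-th event is
    released in [n*P, n*P + J]; then at most ceil((delta + J) / P) events fit
    in any window of length delta and, on an infinite stream, at least
    floor((delta - J) / P) do.
    """
    upper = ceil((delta + jitter) / period)
    lower = max(0, floor((delta - jitter) / period))
    return upper, lower


def conforms_to_pj(times, period, jitter, horizon):
    """First window length at which the trace exceeds the PJ upper curve,
    or None if the trace conforms for every delta in 1..horizon."""
    for delta in range(1, horizon + 1):
        alpha_u, _ = measured_curves(times, delta, horizon)
        if alpha_u > pj_curves(delta, period, jitter)[0]:
            return delta
    return None


if __name__ == "__main__":
    for delta in (10, 20, 30):
        print(delta, measured_curves(BURSTY_TRACE, delta, 90), pj_curves(delta, 10, 2))
    print("bursty trace violates the bound at delta =", conforms_to_pj(BURSTY_TRACE, 10, 2, 90))
    print("jittered trace conforms:", conforms_to_pj(JITTERED_TRACE, 10, 2, 100) is None)
```

The measured lower curve depends on the finite observation interval (a window that starts just after the last event sees nothing), so the check above only enforces the upper curve, which is the one a schedulability bound relies on.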
In the field of model based approaches, Timed Automata, Petri Nets, and
Process Algebra seem to be promising to address compositional analysis.
Compositional verification based on model checking was introduced in
[28], aiming at reducing the complexity of validating large designs. Since
then, the problem has been studied in several formalisms [65].
Timed Automata (TA) have been largely used for compositional analysis.
In [5], [11] Behrmann et al. analyze distributed systems involving real-time
components through the UPPAAL tool environment. However, the approach
is limited to synchronous communication in Timed Automata, and the
existence of different event types in the modeled system generally requires
explicitly modeling every stream of events with a timer, increasing the
complexity of the analysis. Therefore the analysis of such models quickly
leads to state-space explosion, making the analysis effort prohibitive.
This problem was addressed by Hendriks et al. in [47], who propose
a Timed Automata based approach to performance analysis where timers
shared among components are modelled with global variables if they do not
hold events of different types. This technique reduces the state-space
explosion problem, but it does not eliminate it. In fact, even though
the size of the Timed Automata model of a distributed system is often drastically
reduced with this approach, model checking analysis times are typically
still several orders of magnitude longer than with any of the previously
described analysis methods.
Madl et al. [64] introduce model checking for schedulability analysis
of event-driven asynchronous distributed real-time systems with execution
intervals using Timed Automata. Starting from the same essential idea as the
work in [64], Macariu et al. [63] propose a hierarchical scheduling model where the
execution of tasks is constrained by the availability of the temporal partitions
and, instead of modelling just the tasks of an application individually as in
[64], the authors model a whole scheduling level. However, the approach yields
pessimistic schedulability results and the state space explosion problem still
remains.
In [52] Lampka et al. propose a very interesting hybrid technique for compositional
performance analysis of distributed real-time systems, combining
a formal approach such as TA with an analytical approach such as RTC. The authors aim
at exploiting the power of TA in the verification of component performance
measures and at using the power of RTC to combine local component results,
deriving holistic measures related to the entire system. They employ the
TA exact evaluation technique only for local analysis of system components,
while the more pessimistic state-less RTC analysis is used to maintain
scalability. Nevertheless, the approach still suffers from the state space explosion
problem, which remains in the verification via TA of the system's inner
components.
Process algebras, which are largely used to model process behaviours, are
also used to describe real-time components in a compositional manner. The
basic idea of process algebras is that distributed systems may be modelled
as sets of concurrent communicating processes, providing both description
languages and techniques for assessing correctness. The languages are based
on small sets of elementary constructs that permit describing systems at
different levels of abstraction. The operators have intuitive interpretations,
and model basic notions like parallel composition, nondeterminism, abstraction,
and sequentialization. Several variants have been defined, and the most
well-known are the Algebra of Communicating Processes (ACP [13]), Mil-
ner’s Calculus of Communicating Systems (CCS [66]), Hoare’s Calculus of
Sequential Processes (CSP [48]), Language of Temporal Ordered Systems
(LOTOS [19]), and pi-calculus [67]. The latter process algebra has inspired
modern composition languages like XLANG and BPEL. In the compositional
perspective, the pi-calculus offers constructs to compose activities in terms
of sequential, parallel, and conditional execution, combinations of which can
lead to compositions of arbitrary complexity. In [42], a two-way mapping
is defined between BPEL and the more expressive process algebra LOTOS.
As major advantage, this translation permits the verification of temporal
properties with the CADP [41] model-checking toolbox.
Rocco De Nicola et al. in [69] propose PAL (Process Algebra based on
Linda [46]), a process algebra obtained by interpreting abstract actions as
Linda primitives, which permits modeling and verifying concurrent distributed
real-time systems relying on asynchronous communications. In particular, PAL
is an applicative process algebra, obtained by embedding the Linda primitives
for inter-process communication in a CCS/CSP-like language, where
asynchrony is modelled by considering outputs as elementary concurrent
processes, whose execution does not delay the progress of the senders. The work
of [69] is extended in [17] where the Klaim (Kernel Language for Agents In-
teraction and Mobility) language is designed to program distributed systems
consisting of several mobile components that interact through multiple dis-
tributed tuple spaces. In particular, Klaim primitives allow programmers to
distribute and retrieve data and processes to and from the nodes of a net.
In [24] Francesco Calzolai et al. present TAPAS, a software environment
for supporting specification and analysis of concurrent systems via Process
Algebras, which embeds the theory proposed in [17].
In [73] Insup Lee et al. describe a process algebraic framework for a
formal treatment of the problem of compositional hierarchical scheduling,
reasoning about resource demand and supply, inspired by the timed process
algebra ACSR [54], [55]. In ACSR, real-time tasks are specified by stating
their consumption needs for resources. To also accommodate resource-supply
processes, in [73] the authors define a framework where, given a resource
CPU, its complement denotes the availability of CPU for the corresponding
demand process. This work takes advantage of the component-based design
of real-time systems presented in [40], [82], [38], where interfaces abstract the
timing requirements of a component with a minimum resource supply that
is needed to meet the resource demand of the component.
Petri nets were introduced in [72] as a formalism to model concurrent sys-
tems. Their main attraction is the natural way in which many basic aspects
of concurrent systems are identified both mathematically and conceptually.
In [22] Vicario et al. propose an extended Petri net model which considers
modular partitioning along with timing restrictions and environment
models. Module constructs permit the specification of a complex
system as a set of message passing modules with the timing semantics of time
Petri nets. Nevertheless, this approach to compositional validation of timed
systems does not encompass preemptive behaviours.
Dianxiang et al. [88] provide a compositional schedulability analysis
of Real-Time Systems using Time Petri Nets by separating timing proper-
ties from other behavioral properties. The analysis of behavioral properties
is conducted based on the reachability graph of the underlying Petri net,
whereas timing constraints are checked in terms of absolute and relative firing
domains. This approach also does not encompass preemptive behaviours.
1.4 Outline of The Dissertation
This dissertation proposes a compositional approach to HS of Real-Time
Applications handled by a TDM Global Scheduler and preemptive FP Local
Schedulers as prescribed by the ARINC-653 standard [6], encompassing peri-
odic, sporadic, and jittering tasks with offsets, jitters, and non-deterministic
Execution Times, intra-application synchronizations, and inter-application
communications among periodic tasks. To this end, preliminary results of
[25] are improved by extending and combining the modular approach of [22]
for compositional validation of timed systems and the technique of [21], [20]
for timeliness analysis of preemptive models. As a notable trait, the approach
addresses systems that include periodic, sporadic, and jittering tasks, with
offset and jitter delays and nondeterministic Execution Times.
Specifically, the assumption of a TDM global policy is exploited to enable
the specification of each application through a separate pTPN accounting
both for the internal behavior of the application and for the temporal par-
titioning. This reduces the complexity of the problem and supports exact
verification of intra-application constraints. To encompass inter-application
message passing among periodic tasks, the model of pTPNs is extended with
a concept of Required Interface (RI) that partially specifies the embedding
environment of an application through sequencing and timing constraints, under
the assumption that sporadic tasks have a lower priority level than tasks
involved in inter-application communications and are not synchronized ei-
ther with them or with higher priority tasks. This enables derivation of safe
bounds on inter-application constraints through composition of analysis re-
sults of individual models. The approach is evaluated on two challenging
workloads from the literature on safety-critical avionic systems, which were also
extended in complexity.
The rest of the thesis is organized as follows:
Chapter 2 describes the addressed structure of HS systems, which encom-
pass offsets, jitters, and inter-application communications through message
passing, and proposes an overview of the ARINC-653 standard.
Chapter 3 recalls syntax, semantics, and analysis of pTPNs (Section 3.1.1),
introduces a running example (Section 3.1.2), and describes how the theory
of pTPNs can be applied to support compositional design of HS systems
(Sections 3.1.3 and 3.1.4) and verification of intra-application constraints
(Section 3.1.5).
Chapter 4 enriches the model of pTPNs with a notion of RI so as to
fit the needs of the real-time domain and support the specification of inter-
application communications among periodic tasks (Section 4.1.1); illustrates
the concept of RI with reference to the running example and discusses how
RIs are derived (Section 4.1.2); presents three invariants that are satisfied by
the pTPN submodel of the RI (Section 4.1.3); presents a compositional
technique for verification of inter-application constraints, exemplifying its
application to the running example (Section 4.1.4); and characterizes the
complexity of architectural verification (Section 4.1.5).
In Chapter 5, the approach is evaluated on two real case studies, addressing
a safety-critical avionic system limited to intra-application synchronizations
(Section 5.1.1) and one also encompassing inter-application communications
(Section 5.1.2).
Conclusions are finally drawn in Chapter 6.
For the sake of readability, all theorem proofs and the invariants of the RI
submodel are reported in Appendix A and Appendix B, respectively.
Chapter 2
Domain Model
The aim of this thesis is to provide a compositional approach to formal speci-
fication and schedulability analysis of Real-Time Applications running under
a Time Division Multiplexing (TDM) Global Scheduler and preemptive Fixed
Priority (FP) Local Schedulers, according to the ARINC-653 standard, and
addressing the verification of both intra and inter-application communication
constraints.
This chapter describes the addressed structure of HS systems, which encompasses
offsets, jitters, and inter-application communications through message
passing, and proposes an overview of the ARINC-653 standard.
2.1 Domain Model
This thesis addresses a single-processor HS system with the following struc-
ture (see Fig. 2.1) [23]:
• A TDM Global Scheduler partitions time into possibly different time-
slots and assigns each of them to a single preemptive FP Local Sched-
uler.
• Each FP Local Scheduler manages a Real-Time Application running a
set of Tasks.
• A Task recurrently releases Jobs with a non-deterministic release time
within [Tmin, Tmax], a deterministic offset O, and a non-deterministic
jitter within [Jmin, Jmax], i.e., the nth job is released at time n · Tmin +
h · (Tmax − Tmin) + O + Jmin + k · (Jmax − Jmin), with h, k ∈ [0, 1]. A Task
is said to be Periodic, Sporadic or Jittering, depending on whether Tmin =
Tmax ≠ ∞, Tmin < Tmax = ∞, or Tmin < Tmax ≠ ∞, respectively.
A Task is subject to a deadline, which is often coincident with its
minimum inter-release time.
• A Job is a sequence of Chunks, each associated with a resource re-
quired with a priority level (low priority numbers run first), a non-
deterministic Execution Time, and an entry-point method implement-
ing its functional behavior.
• Chunks belonging to tasks of the same application run concurrently
in the same time-slots, and they may interact through the usual IPC
mechanisms (e.g., semaphores and mailboxes).
Chunks belonging to periodic tasks of different applications are separated
in time, and they may exchange messages subject to sequencing
and timing constraints through shared channels. Statically dimensioned
channels are assumed among periodic tasks, as required by the
ARINC-653 standard [6], which in fact rules out the so-called covert
channels.
Chunks of sporadic tasks have a lower priority level than chunks
involved in inter-application communications and are not synchronized
either with them or with higher priority chunks.
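The structure above, as an added example that is not part of the dissertation: a small Python model of the TDM Global Scheduler and the preemptive FP Local Schedulers, using the release-time formula of this section and a deadline check. The workload, the frame of time-slots, the unit-step time base and the assumption that every chunk runs for its WCET are constructed for the example; semaphores and mailboxes are not modeled, and one run explores a single choice of h and k, whereas the pTPN analysis of the following chapters is exhaustive over all of them.

```python
"""TDM global scheduler + preemptive FP local schedulers (added example).

Single-scenario, unit-step simulation of the HS structure of Section 2.1:
the global scheduler cycles through a fixed frame of time-slots, each owned by
one application; inside a slot the application's FP local scheduler runs the
ready chunk with the lowest priority number, preempting the others.  Jobs are
released by the formula of Section 2.1 for one choice of h and k, and every
chunk runs for its WCET.  Workload and frame are constructed for this example.
"""
from dataclasses import dataclass
from math import inf


@dataclass
class Task:
    name: str
    app: str                  # application whose FP local scheduler runs this task
    t_min: int                # minimum inter-release time
    t_max: float              # maximum inter-release time (inf for sporadic tasks)
    offset: int = 0
    j_min: int = 0
    j_max: int = 0
    deadline: int = 0         # relative to release; 0 means "equal to t_min"
    chunks: tuple = ()        # (priority, wcet) per chunk; low priority numbers run first

    def kind(self) -> str:
        if self.t_min == self.t_max != inf:
            return "periodic"
        if self.t_min < self.t_max == inf:
            return "sporadic"
        return "jittering"

    def release_time(self, n: int, h: float = 0.0, k: float = 0.0) -> float:
        """Release of the n-th job (n >= 0): n*Tmin + h*(Tmax-Tmin) + O + Jmin + k*(Jmax-Jmin)."""
        spread = 0.0 if h == 0 else h * (self.t_max - self.t_min)   # avoids 0*inf for sporadic tasks
        return n * self.t_min + spread + self.offset + self.j_min + k * (self.j_max - self.j_min)


# Constructed workload: two applications A and B sharing one CPU.
WORKLOAD = [
    Task("A1", "A", 16, 16, chunks=((1, 2),)),
    Task("A2", "A", 32, 32, chunks=((2, 3),)),
    Task("B1", "B", 16, 16, chunks=((1, 3),)),
    Task("B2", "B", 32, inf, chunks=((3, 2),)),   # sporadic, minimum inter-arrival 32
]
FRAME = [("A", 4), ("B", 4)]   # TDM time-slots, repeated cyclically


def simulate(tasks, frame, horizon, h=0.0, k=0.0):
    """Run the hierarchy for `horizon` time units.

    Returns (worst, misses): the worst observed response time per task and the
    (task, release) pairs whose deadline was missed.  With h = 0 a sporadic
    task is released at its maximum rate; with h > 0 it never arrives.
    """
    frame_len = sum(length for _, length in frame)

    def active_app(t):
        pos = t % frame_len
        for app, length in frame:
            if pos < length:
                return app
            pos -= length

    jobs = []
    for task in tasks:
        n = 0
        while task.release_time(n, h, k) < horizon:
            jobs.append({"task": task, "release": task.release_time(n, h, k),
                         "idx": 0, "left": task.chunks[0][1], "finish": None})
            n += 1

    for t in range(horizon):
        app = active_app(t)
        ready = [j for j in jobs if j["finish"] is None and j["release"] <= t
                 and j["task"].app == app]
        if not ready:
            continue
        # FP local scheduler: lowest priority number of the current chunk wins, then earliest release
        job = min(ready, key=lambda j: (j["task"].chunks[j["idx"]][0], j["release"]))
        job["left"] -= 1
        if job["left"] == 0:
            job["idx"] += 1
            if job["idx"] == len(job["task"].chunks):
                job["finish"] = t + 1
            else:
                job["left"] = job["task"].chunks[job["idx"]][1]

    worst, misses = {}, []
    for job in jobs:
        task = job["task"]
        deadline = task.deadline or task.t_min
        if job["release"] + deadline > horizon:
            continue   # deadline beyond the simulated horizon: outcome not observable
        response = inf if job["finish"] is None else job["finish"] - job["release"]
        worst[task.name] = max(worst.get(task.name, 0), response)
        if response > deadline:
            misses.append((task.name, job["release"]))
    return worst, misses


if __name__ == "__main__":
    print(simulate(WORKLOAD, FRAME, 64))
```

With the constructed workload the run reports worst-case response times A1 = 2, A2 = 9, B1 = 7 and B2 = 13 over a horizon of 64 and no deadline miss; B2's response is dominated by waiting for B's slot and for the higher-priority B1, which is the kind of inter-slot delay the temporal partitioning makes analysable per application. Shrinking B2's deadline below 13 makes the checker report both of its releases.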
[Figure: UML-MARTE class diagram with the following classes and stereotypes: TDM Global Scheduler <<Scheduler>> (time-slots: Integer[*]); FP Local Scheduler <<SecondaryScheduler>>; Real-Time Application <<SchedulableResource>>; Task <<SwSchedulableResource>> (deadline, offset, jitter_min, jitter_max: Integer; releaseType: ArrivalPattern), specialized into Periodic Task (releaseType = PeriodicPattern; period: Integer), Sporadic Task (releaseType = SporadicPattern; minInterarrival: Integer) and Jittering Task (releaseType = JitteringPattern; minInterarrival, maxInterarrival: Integer); Job <<SwSchedulableResource>>; Chunk <<EntryPoint>> (bcet, wcet, priority: Integer); Binary Semaphore <<SwMutualExclusionResource>> (mechanism = BooleanSemaphore); Mailbox <<MessageComResource>>; CPU <<HwResource>>.]
Figure 2.1. The addressed structure of HS systems represented through a
UML-MARTE class diagram.
The UML class diagram of Fig. 2.1 illustrates the scheme using the stereo-
types of the MARTE (Modeling and Analysis of Real-Time and Embedded
systems) profile [70]: the Global Scheduler is specified by the stereotype
Scheduler, i.e., a resource that brings access to its processing resources ac-
cording to a certain scheduling policy; a Local Scheduler is a SecondaryScheduler,
i.e., a scheduler that manages a fraction of the processing capacity of
a protected resource scheduled by a main scheduler; a Real-Time Applica-
tion is a SchedulableResource, i.e., a concurrent resource that competes with
other resources for the processing capacity of a protected resource; a Task
is a SwSchedulableResource, i.e., a resource that executes concurrently with
other resources under the supervision of a scheduler, and can be a Periodic
Task, Sporadic Task, or Jittering Task; a Job is an instance of a task and
is thus specified by the stereotype SwSchedulableResource; a Chunk is an
EntryPoint, i.e., a routine executed in the context of a resource that runs
concurrently with other resources under the supervision of a scheduler; a Bi-
nary Semaphore is a SwMutualExclusionResource, i.e., a resource commonly
used to synchronize access to shared variables; a Mailbox used in message
passing between different applications is a MessageComResource, i.e., a com-
munication resource used to exchange messages.
The proposed scheduling hierarchy is consistent with the ARINC-653
standard, which is one of the most important standards in the avionic field. ARINC-
653 based software has been implemented in the A380, A400M and B787 airliners,
and (at least) three commercial real-time operating systems (i.e., VxWorks
653, PikeOS, and LynxOS-178 RTOS) have been updated to offer
ARINC-653 compliance.
2.2 Standard ARINC-653
Real-time applications have gradually evolved from simple one-task embedded
programs to large multi-task and distributed systems, where a set of RT
applications interact with each other. Modern large real-time applications
are usually based on real-time operating systems like VxWorks [8], PikeOS
[7], LynxOS [3], WindowsCE [9], and Linux RTAI [2]. These applications
should be developed according to well defined practical rules, for example the
adoption of either real-time task priorities according to a predictable policy
(such as Rate Monotonic or Deadline Monotonic policies) or inter-task
communication protocols preventing the system from deadlocks and unpredictable
delays. In such a context standards play an important role by defining
syntax and semantics of system calls, and by providing the interface exposed
by the operating system to the application layer. They provide a new abstraction
layer in the real-time software design process, which makes it possible
to create complete large distributed real-time systems. The ARINC 653 standard
[6] has its origin in the civil avionic world with the aim to provide a
standardized interface between a given Real-Time Operating System (RTOS)
and the corresponding application software, as well as a set of functionalities
to improve the safety and certification process of a safety-critical system.
The ARINC 653 standardized interface provides portability to the applications,
eases integration tasks and opens the aeronautics avionics market
to software companies providing specialised Commercial Off-The-Shelf
(COTS) components. ARINC 653 provides to developers of civil aviation
applications a dependable and fault tolerant, certifiable, hardware and Op-
erating System (OS) independent, common interface to access resources like
memory (through partitioning services), execution time slots, process man-
agement, time, process communication and process synchronization in safety
critical Real Time Operating Systems (RTOS).
The ARINC-653 specification is an important block from the Integrated
Modular Avionics (IMA) definition [1], where the partitioning concept emerges
for protection and functional separation between applications, usually for
fault containment and ease of verification, validation and certification. Fol-
lowing the IMA concept, modern on-board avionic subsystems (software ap-
plications) are grouped in a limited set of standard microprocessor units.
The units and other electronic devices communicate via a standard network
interface.
The ARINC-653 concept was first deployed in the Boeing 777, using
avionics supplied by Honeywell. Its standardization originally began
with the publishing of the ARINC Report 651 [3]. The first draft of ARINC
653 was published in 1997. Currently, the Airbus A380, the A400M and
the Boeing 787 aircraft use an IMA architecture with modules providing an
ARINC 653 interface.
2.2.1 ARINC-653 architecture: Partitions
[Figure: layered embedded avionic architecture. Application software layer: the application software of Partition 1, Partition 2 and Partition 3, accessing the layer below through the APEX interface. Core software layer: the operating system (partitioning scheduler, health monitor, logical communications, exception handling, MMU, clock, BITE) and the hardware interface system (device handlers, context switching, BIT, interrupt handling, physical communications, memory management), accessing the hardware through the COEX interface. Hardware layer: communications media, input controller, interrupt controller.]
Figure 2.2. Embedded Avionic Architecture (source: ARINC-653 Standard)
The architecture of a standard ARINC 653 system is shown in Figure 2.2.
At the application software layer, each real-time application is executed in
a confined context, called partition in the ARINC 653 terminology, which is
a key concept introduced in the specification. It creates a container for an
application and guarantees that its execution is both spatially and temporally
isolated. The partitions are divided into two categories, i.e., application
partitions and system partitions. Application partitions execute avionic ap-
plications consisting in general of one or more real-time tasks and can only
use the services provided by a logical application executive (APEX) inter-
face. System partitions may use also specific functions provided by the core
software layer (e.g., hardware interfaces and device drivers), being allowed to
bypass the standard APEX interface. In addition, the execution environment
provided by the OS kernel module must furnish a relevant set of operating
system services, such as process scheduling and management, time and clock
management, and inter-process synchronization and communication.
2.2.1.1 Spatial partitioning
Spatial partitioning ensures that an application cannot write into the memory
or data of an application running on a different partition. A partition is like a
program (within an application environment) that has its own data, context
and configuration attributes, and that is restricted to use only ARINC 653
services to interface with the system.
2.2.1.2 Temporal partitioning
Temporal partitioning guarantees that the activities in one partition do not
affect the timing of the activities in the other partitions. It is ensured by
a fixed cycle based scheduling. Specifically, the OS maintains a major time
frame (MAF) of fixed duration, which is periodically repeated throughout
the module’s runtime operation. Partitions are activated by allocating one
or more partition windows within this major time frame. The activation
order of the partitions is defined off-line at configuration time using some
configuration tables. This provides a deterministic scheduling methodology
since partitions are furnished with a predefined amount of time to access processor
resources. Real-time tasks executed within a partition can be locally
scheduled according to a priority-based policy.
2.2.1.3 ARINC 653 Services
The ARINC 653 service requests specify the application executive (APEX)
interface layer offered to the application software developer. A required
set of services is mandatory to claim strict compliance with the ARINC 653
standard; these services can be grouped in the following major classes: partition and
process management, time management, intra and inter-partition communications
(also called intra and inter-application communications), and health
monitoring.
• Time Management provides to the partitions the means to control the
execution of periodic and aperiodic processes.
• Inter-Partition Communication services permit a partition to access
a communication channel and communicate with other partitions via
messages passing. Ports used by the partitions to send messages to or
receive messages from a channel are statically defined by the system
designer, and partitions cannot bypass the routing policy and create
covert channels.
• Intra-partition communication services include process communication
means such as mailboxes and synchronization means such as semaphores. These
functionalities remain internal to the partition, thus a failure in an
intra-partition communication cannot affect another partition (Fig. 2.3).
• Finally, process Health Monitoring services are provided, allowing the
handling of errors at process level, including partition shutdown and
restart, if needed. In particular, the Health Monitoring (HM) functions
consist of a set of mechanisms to monitor system resources and
application components. The HM helps to isolate faults and to prevent
failures from propagating. Within the scope of the ARINC 653
standard specification, the HM functions are defined for the process,
partition and system levels.
[Figure: three partitions on top of the INTEGRITY-178B/ARINC 653 APEX API, the INTEGRITY-178B kernel and an embedded processor: Safe Partition 1 (Ada program with the GMART Ada run-time, Safety Level A, high), Safe Partition 2 (EC++ program, Safety Level B, medium), Safe Partition 3 (C program, Safety Level D, low); a failure in one partition is shown having no effect on the others.]
Figure 2.3. Standard ARINC-653: Confinement of failure modes
2.2.1.4 ARINC653 systems verification needs
Despite the provided mechanisms to improve system reliability and robust-
ness, several issues must be addressed during the development of systems
compliant with the ARINC-653 standard:
• Partitions scheduling. The overall hierarchical scheduling policy, composed of a Time Division Multiplexer global scheduler and Fixed-Priority local schedulers, must be validated to check that tasks have enough time for their execution without missing their deadlines.
• Resources. The ARINC-653 standard defines services to send or receive data. However, it is necessary to check that message passing synchronisations respect sequencing and timing constraints assumed in the design stage.
Such a verification would avoid unexpected deadlocks or crashes. These
requirements should be validated at a design-level, before any implementation
work so as to reduce testing efforts and detect errors early in the development
process.
Chapter 3
Hierarchical Scheduling systems without inter-application communications
This chapter recalls syntax, semantics, and analysis of pTPNs (Section 3.1.1),
introduces a running example (Section 3.1.2), and describes how the theory
of pTPNs can be applied to support compositional design of HS systems
(Sections 3.1.3 and 3.1.4) and verification of intra-application constraints
(Section 3.1.5).
HIERARCHICAL SCHEDULING SYSTEMS WITHOUT INTER-APPLICATION COMMUNICATIONS 31
Compositional verification of an HS system without inter-application communications
3.1 Compositional verification of an HS system
without inter-application communications
When the HS system does not encompass dependencies among applications, a
disciplined use of the theory of pTPNs [21], [20], [26] enables a modeling and
analysis approach that fits the requirements of the HS domain. Exploiting
the TDM temporal partitioning, each application is represented through a
separate model, reducing the complexity of the problem and enabling exhaus-
tive verification of sequencing and timing constraints of complex systems.
Specifically, the pTPN model of each application is made of the submodels
of the Task-Set and the Global Scheduler. This section recalls the syntax, semantics and analysis of pTPNs [21], [20], introduces an example, and then characterizes the two mentioned submodels.
3.1.1 Preemptive Time Petri Nets
3.1.1.1 Syntax
A pTPN [21], [20] is a tuple $\langle P, T, A^-, A^+, A^\cdot, m_0, FI^s, \tau_0, Res, Req, Prio\rangle$.
The first 7 members $\langle P, T, A^-, A^+, A^\cdot, m_0, FI^s\rangle$ comprise the model of
Time Petri Nets (TPNs): $P$ and $T$ are disjoint sets of places and transitions,
respectively; $A^- \subseteq P \times T$, $A^+ \subseteq T \times P$, and $A^\cdot \subseteq P \times T$ are sets of
precondition, postcondition, and inhibitor arcs, respectively; a place $p$ is said
to be an input, an output, or an inhibitor place for a transition $t$ if $\langle p, t\rangle \in A^-$,
$\langle t, p\rangle \in A^+$, or $\langle p, t\rangle \in A^\cdot$, respectively; $m_0 : P \to \mathbb{N}$ is the initial marking
associating each place with a non-negative number of tokens; $FI^s : T \to \mathbb{R}^+_0 \times (\mathbb{R}^+_0 \cup \{\infty\})$
associates each transition $t \in T$ with a firing interval
delimited by a static Earliest Firing Time $EFT^s : T \to \mathbb{R}^+_0$ and a (possibly
infinite) static Latest Firing Time $LFT^s : T \to \mathbb{R}^+_0 \cup \{\infty\}$. $\tau_0 : T \to \mathbb{R}^+_0$
associates each transition with an initial time-to-fire.
The last 3 members $\langle Res, Req, Prio\rangle$ extend the model of TPNs with a
mechanism of resource assignment: $Res$ is a set of preemptable resources
disjoint from $P$ and $T$; $Req : T \to 2^{Res}$ associates each transition with a
subset of $Res$ representing its resource request; $Prio : T \to \mathbb{N}$ associates
each transition with a static priority level.
3.1.1.2 Semantics
The state of a pTPN is a pair $s = \langle m, \tau\rangle$, where $m$ is a marking and $\tau : T \to \mathbb{R}^+_0 \cup \{\infty\}$ associates each transition with a dynamic time-to-fire. The state
evolves according to a transition rule defined by two clauses of firability and
firing.
Firability. A transition is enabled if each of its input places contains
at least one token and none of its inhibitor places contains any token. An
enabled transition is progressing if none of its resources is required by
any other enabled transition with a higher priority level; otherwise, it is
suspended. A progressing transition is firable if its time-to-fire is not higher
than that of any other progressing transition.
Firing. When a transition $t_0$ fires, the state $s = \langle m, \tau\rangle$ is replaced by a
new state $s' = \langle m', \tau'\rangle$. Marking $m'$ is derived from $m$ by removing a token
from each input place of $t_0$ and by adding a token to each output place of $t_0$:
$$m_{tmp}(p) = \begin{cases} m(p) - 1 & \text{if } \langle p, t_0\rangle \in A^-, \\ m(p) & \text{else,} \end{cases} \qquad m'(p) = \begin{cases} m_{tmp}(p) + 1 & \text{if } \langle t_0, p\rangle \in A^+, \\ m_{tmp}(p) & \text{else.} \end{cases} \quad (3.1)$$
Transitions enabled by m′ are said persistent if they are also enabled by m
and mtmp, otherwise they are said newly-enabled. Transition t0 is always
regarded as newly-enabled if it is still enabled after its own firing. For any
transition ti that was progressing in s and is persistent after the firing of t0,
the time-to-fire is reduced by the time elapsed in the previous state:
$$\tau'(t_i) = \tau(t_i) - \tau(t_0). \quad (3.2)$$
For any transition tx that was suspended in s and is persistent after the firing
of t0, the time-to-fire remains unchanged:
$$\tau'(t_x) = \tau(t_x). \quad (3.3)$$
For any transition $t_a$ that is newly enabled after the firing of $t_0$, the time-to-fire takes a non-deterministic value sampled in the static firing interval
$$EFT^s(t_a) \le \tau'(t_a) \le LFT^s(t_a). \quad (3.4)$$
Remark: A resource requested by a set of transitions with equal priority
is deterministically assigned to one of them according to a predefined order
of transitions. Otherwise, the choice could be left non-deterministic by enu-
merating all possible resource allocations. The common trait of both these
schemes is that the set of possible resource allocations is determined by the
current marking. Finer and more complex schemes could also be implemented, but they would require a refinement of the theory of analysis. In particular, in order to
represent the usual condition where a running task cannot be preempted by a
task with equal priority, the concept of logical location of the state should be
extended so as to include not only the current marking but also the previous
allocation of resources. A more complex scheme, making resource assignment
dependent also on the timing of computations, is proposed in [57], but at the
expense of a much higher complexity of analysis in the class of Linear Hybrid
Automata.
3.1.1.3 Analysis
In the analysis of pTPN models, the set of states that are reachable from a
state s = 〈m, τ〉 is in general densely infinite, as the vector τ takes values in
a dense domain. To obtain a discretely enumerable reachability relation, the
state-space is partitioned into equivalence classes called state-classes, each
collecting the continuous variety of states that are reached through the same
firing sequence but with different values of timers [14], [16], [87]. This induces
a reachability relation among state-classes according to which a state-class
S ′ is reachable from state-class S through a transition t if and only if S ′
contains all and only the states that are reachable from some state collected
in S through the firing of t. This relation defines a graph of reachability
among classes that is called state-class-graph (SCG) [87], [21].
A path in the SCG represents the continuous set of runs that execute a
given set of transitions in a given qualitative order with a continuous variety
of timings between subsequent firings. Each of these paths is called a symbolic run; it is identified by a starting state-class and a sequence of transitions, and it is associated with a completion interval calculated over the set of
completion times of the underlying runs. The finite set of symbolic runs that
fire the same sequence of transitions from different starting state-classes is
referred to as symbolic execution sequence.
As the model encompasses suspension and resumption of timers, time
domains of state-classes turn out to be linear convex polyhedra, requiring
exponential complexity for derivation and encoding [20], [21], [79], [15]. In
[21], the complexity of the problem is avoided through the enumeration of
an over-approximation of the SCG that replaces the time domain of each
state-class with its tightest enclosing Difference Bounds Matrix (DBM), i.e.,
a set of linear inequalities constraining the difference between the times to
fire of any two enabled transitions. This enables efficient derivation and
encoding of state-classes with polynomial complexity with respect to the
number of enabled transitions. For any symbolic run in the overapproximated
SCG, the exact set of constraints limiting the set of feasible timings can be
derived through an algorithm that cleans up false behaviors introduced by
the approximation, providing a tight bound on the minimum and maximum
time that can be spent along the run.
3.1.2 An example workload
Table 3.1 shows an example workload of 3 complex yet separate and non-
interfering Real-Time Applications, extending the usual structure used for
ARINC-653 partitions [37] to specify not only the organization of each ap-
plication into tasks, but also the internal decomposition of each task into
chunks. In Section 4.1, the example will be extended to also encompass
inter-application communications.
Appl.  Slot  Slot length  Task   Release     Offset  Jitter  Deadline  Chunk  Prio  Exec. Time  Sem    Mbx
A1     T1    10           Tsk11  [60, 60]    0       [0, 0]  60        C111   2     [1, 2]      -      -
                          Tsk12  [60, 60]    0       [0, 2]  50        C121   3     [2, 3]      -      -
                                                                       C122   3     [1, 2]      mux11  -
                          Tsk13  [60, 60]    2       [0, 0]  60        C131   4     [3, 4]      -      -
                                                                       C132   4     [1, 2]      mux11  -
A2     T2    10           Tsk21  [60, 60]    0       [0, 0]  60        C211   2     [1, 2]      -      -
                          Tsk22  [90, 90]    0       [0, 0]  80        C221   3     [3, 5]      -      -
                                                                       C222   3     [1, 2]      mux21  -
                          Tsk23  [120, 120]  0       [0, 0]  120       C231   4     [5, 7]      -      -
                                                                       C232   4     [1, 2]      mux21  -
A3     T3    10           Tsk31  [60, 60]    0       [0, 0]  60        C311   2     [1, 2]      -      -
                          Tsk32  [60, 60]    0       [0, 0]  50        C321   3     [2, 4]      -      -
                          Tsk33  [60, 60]    0       [0, 0]  60        C331   4     [1, 2]      -      -
Table 3.1. The workload of a HS system made of 3 Real-Time Applications (times expressed in ms).
The example considers a TDM Global Scheduler which partitions a period
of 30 ms in 3 time-slots T1, T2, and T3 of equal length of 10 ms, and assigns
them to applications A1, A2, and A3, respectively. For instance, A1 is made
of 3 periodic tasks Tsk11, Tsk12, and Tsk13 with period of 60 ms and deadline
of 60, 50, and 60 ms, respectively. Moreover, Tsk12 has a jitter interval of
[0, 2] ms and Tsk13 has an offset of 2 ms. Tsk11 is made of a single chunk
C111 with priority level 2 and expected Execution Time interval of [1, 2] ms;
Tsk12 is made of two chunks C121 and C122 with priority level 3 and expected
Execution Time interval of [2, 3] and [1, 2] ms, respectively; Tsk13 is made
of two chunks C131 and C132 with priority level 4 and expected Execution
Time interval of [3, 4] and [1, 2] ms, respectively. Chunks C122 and C132 are
synchronized on binary semaphore mux11.
3.1.3 The pTPN submodel of the Task-Set
The translation of a workload specification into a corresponding pTPN fol-
lows a structured procedure which can be easily automated. Fig. 3.1 shows
the Task-Set submodel of application A1 in the HS system of Table 3.1.
Recurrent job releases are modeled by transitions that have neither input
places nor resource requests, and thus fire repeatedly with inter-firing times
falling within their respective firing intervals, e.g., t110 models job releases
of Tsk11. In a similar manner, offsets and jitters are modeled by transitions
with no resource request chained through their input places, e.g., t121 models
the jitter of Tsk12. Chunks are modeled by transitions having static firing
intervals equal to the min-max range of Execution Time, associated with
resource request and static priorities, e.g., t111 models the completion of the
unique chunk of Tsk11, which requires resource cpu with priority level 2 for
an Execution Time between 1 and 2 ms. Computations in different jobs
compete for resource cpu and run under FP preemptive scheduling, e.g., if
t111 becomes enabled while t122 is progressing, then t111 preempts t122 which
becomes suspended.
[Figure 3.1 (diagram not reproduced): pTPN of the Task-Set of A1. Tsk11: t110 (Tsk11 release, [60,60]) → p111 → t111 (C111, [1,2], prio=2, cpu). Tsk12: t120 (Tsk12 release, [60,60]) → p121 → t121 (jitter, [0,2]) → p122 → t122 (C121, [2,3], prio=3, cpu) → p123 → t123 (mux11 wait, [0,0], prio=3, cpu) → p124 → t124 (C122, [1,2], prio=3, cpu). Tsk13: t130 (Tsk13 release, [60,60]) → p131 → t131 (offset, [2,2]) → p132 → t132 (C131, [3,4], prio=4, cpu) → p133 → t133 (priority boost, [0,0], prio=4, cpu) → p134 → t134 (mux11 wait, [0,0], prio=3, cpu) → p135 → t135 (C132, [1,2], prio=3, cpu). Place mux11 models the binary semaphore shared by the two wait transitions.]
Figure 3.1. The pTPN submodel of the Task-Set of application A1 in the HS system of Table 3.1.
The access to shared resources is modeled so as to represent a priority
ceiling emulation [81], which raises the priority of any locking chunk to the
highest priority of any chunk that ever uses that lock, i.e., the ceiling priority
of the resource. Priority handling is combined with semaphore synchronization, using an individual semaphore for each shared resource. According to
this, any chunk that accesses a shared resource acquires a semaphore before
resource usage and releases it after completion, and, if it runs at a lower prior-
ity level than the resource ceiling, it also raises its priority before semaphore
acquisition and restores it after semaphore release. Binary semaphores are
modeled in a straightforward manner as places initially marked with 1 token,
e.g., mux11 models a binary semaphore synchronizing the second chunks of
Tsk12 and Tsk13. Semaphore acquisition and priority boost operations are
explicitly represented as immediate transitions, e.g., t133 models a priority
boost operation and t134 represents a wait operation on mux11. The corre-
sponding semaphore release and priority deboost operations are allocated to
transitions that also account for chunk completions, e.g., t135 accounts for a
signal operation on mux11, a deboost operation, and the completion of C132.
Note that semaphore synchronization would not be actually needed in the
specific example at hand where all tasks run on a single processor and priority
ceiling is applied. Yet, the model accounts for this construct to illustrate the
potential of expressivity.
Also note the explicit representation of priority boost through an im-
mediate transition. Actually, pTPN analysis identifies possible or necessary
behaviors without associating them with any concept of probability. In this
perspective, even though t133 is immediate, the model accepts a behavior where Tsk13 is preempted after completion of t132 and before t133. Moreover, an explicit representation of a priority boost takes relevance in a Model
Driven Development approach, which generates code and other concrete ar-
tifacts by associating each model element with a specific counterpart. In
reality, a preemption event would have null probability of occurring during a zero-time operation, but no operation actually takes zero time. A different way of properly accounting for this behavior would consist in assigning t133 a non-immediate firing interval. This would represent the same behaviors in a more understandable manner, at the expense of a larger state-space.
3.1.4 The pTPN submodel of the Global Scheduler
The Global Scheduler is modeled by a pTPN submodel made of a sequence
of transitions, each accounting for the completion of a time-slot after a de-
terministic firing time. Transitions modeling time-slots assigned to the ap-
plication are not associated with a resource request, while the other ones
require resource cpu with a higher priority level than that of any task of the
application. In so doing, transitions modeling jobs of the Task-Set may be
progressing and advance their clocks during the time-slots allocated to the
application, while they are suspended during the other time-slots.
[Figure 3.2 (diagram not reproduced): a cycle of places pgs1, pgs2, pgs3 and transitions tgs1 (T1, [10,10], no resource request), tgs2 (T2, [10,10], prio=1, cpu), tgs3 (T3, [10,10], prio=1, cpu).]
Figure 3.2. The pTPN submodel of the Global Scheduler of application A1 in the HS system of Table 3.1.
Fig. 3.2 shows the Global Scheduler submodel of application A1 in the
HS system of Table 3.1. Transitions tgs1, tgs2, and tgs3 model the completion
of time-slots T1, T2, and T3, respectively. Since A1 is scheduled to execute in
time-slot T1 and its tasks require resource cpu with a priority level between
2 and 4, tgs1 is not associated with a resource request, while tgs2 and tgs3
require resource cpu with priority level 1.
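To make the firing rule concrete, here is an added simulator (not the thesis's code nor the Oris tool) that steps the A1 Task-Set and Global Scheduler submodels of Figs. 3.1 and 3.2 under the clauses of Section 3.1.1.2; the arc structure, the reading of Prio (lower value = higher priority) and the name-based tie-break among equal times-to-fire are assumptions taken from the figures and from the remark of Section 3.1.1.2.

```python
"""Concrete-state simulator for the pTPN firing rule of Section 3.1.1.2.

Added example, not code from the thesis or the Oris tool. It encodes the A1
Task-Set (Fig. 3.1) and Global Scheduler (Fig. 3.2) submodels and steps them
with the firability and firing clauses (eqs. 3.1-3.4); times-to-fire of
newly-enabled transitions come from a sampling policy (default LFT), so one
call is one concrete run, not the state-class-graph. Assumed from the
figures: arc structure, lower Prio value = higher priority, ties among equal
times-to-fire broken by transition name (a predefined order).
"""
from dataclasses import dataclass


@dataclass
class Tr:
    name: str
    eft: float
    lft: float
    pre: tuple = ()               # input places (A-)
    post: tuple = ()              # output places (A+)
    inh: tuple = ()               # inhibitor places (A.), none in A1
    res: frozenset = frozenset()  # Req: requested preemptable resources
    prio: int = 0                 # Prio: static priority, lower = higher


CPU = frozenset({"cpu"})


def build_a1():
    """Transitions and initial marking of application A1 (Table 3.1, Figs. 3.1 and 3.2)."""
    transitions = [
        Tr("t110", 60, 60, post=("p111",)),                          # Tsk11 release
        Tr("t111", 1, 2, ("p111",), (), (), CPU, 2),                 # C111
        Tr("t120", 60, 60, post=("p121",)),                          # Tsk12 release
        Tr("t121", 0, 2, ("p121",), ("p122",)),                      # jitter
        Tr("t122", 2, 3, ("p122",), ("p123",), (), CPU, 3),          # C121
        Tr("t123", 0, 0, ("p123", "mux11"), ("p124",), (), CPU, 3),  # mux11 wait
        Tr("t124", 1, 2, ("p124",), ("mux11",), (), CPU, 3),         # C122 + mux11 signal
        Tr("t130", 60, 60, post=("p131",)),                          # Tsk13 release
        Tr("t131", 2, 2, ("p131",), ("p132",)),                      # offset
        Tr("t132", 3, 4, ("p132",), ("p133",), (), CPU, 4),          # C131
        Tr("t133", 0, 0, ("p133",), ("p134",), (), CPU, 4),          # priority boost
        Tr("t134", 0, 0, ("p134", "mux11"), ("p135",), (), CPU, 3),  # mux11 wait (boosted)
        Tr("t135", 1, 2, ("p135",), ("mux11",), (), CPU, 3),         # C132 + signal + deboost
        Tr("tgs1", 10, 10, ("pgs1",), ("pgs2",)),                    # slot T1: A1's own slot
        Tr("tgs2", 10, 10, ("pgs2",), ("pgs3",), (), CPU, 1),        # slot T2: cpu taken away
        Tr("tgs3", 10, 10, ("pgs3",), ("pgs1",), (), CPU, 1),        # slot T3: cpu taken away
    ]
    return transitions, {"pgs1": 1, "mux11": 1}


def enabled(t, m):
    """Enabled iff every input place is marked and no inhibitor place is."""
    return all(m.get(p, 0) >= 1 for p in t.pre) and all(m.get(p, 0) == 0 for p in t.inh)


def progressing(t, en):
    """Suspended iff another enabled, higher-priority transition requests one of its resources."""
    return not any(o is not t and o.prio < t.prio and (o.res & t.res) for o in en)


def run(transitions, m0, policy=lambda t: t.lft, horizon=100):
    """Fire until the next firing would pass `horizon`; return the log [(time, name), ...]."""
    m = dict(m0)
    tau = {t.name: policy(t) for t in transitions if enabled(t, m)}  # tau_0
    now, log = 0.0, []
    while True:
        en = [t for t in transitions if t.name in tau]
        prog = [t for t in en if progressing(t, en)]
        t0 = min(prog, key=lambda t: (tau[t.name], t.name))        # firable transition
        elapsed = tau[t0.name]
        if now + elapsed > horizon:
            return log
        now += elapsed
        log.append((now, t0.name))
        mtmp = {**m, **{p: m[p] - 1 for p in t0.pre}}              # eq. 3.1, input places
        m2 = dict(mtmp)
        for p in t0.post:                                           # eq. 3.1, output places
            m2[p] = m2.get(p, 0) + 1
        new_tau = {}
        for t in transitions:
            if not enabled(t, m2):
                continue
            persistent = t is not t0 and enabled(t, m) and enabled(t, mtmp)
            if not persistent:
                new_tau[t.name] = policy(t)                         # eq. 3.4: newly enabled
            elif t in prog:
                new_tau[t.name] = tau[t.name] - elapsed             # eq. 3.2: was progressing
            else:
                new_tau[t.name] = tau[t.name]                       # eq. 3.3: was suspended
        m, tau = m2, new_tau


JOBS = {"Tsk11": ("t110", "t111"), "Tsk12": ("t120", "t124"), "Tsk13": ("t130", "t135")}


def response_times(log):
    """Completion time minus release time for every job of each task in the run."""
    out = {}
    for task, (release, completion) in JOBS.items():
        pending, resp = None, []
        for time, name in log:
            if name == release:
                pending = time
            elif name == completion and pending is not None:
                resp.append(time - pending)
                pending = None
        out[task] = resp
    return out
```

With worst-case (LFT) sampling the run completes Tsk11, Tsk12 and Tsk13 2, 7 and 33 ms after their release at 60 ms, C131 being suspended across slots T2 and T3 and resuming at 90 ms; a single sampled run is only a witness, whereas the state-class enumeration of Section 3.1.5 bounds all timings.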
3.1.5 Architectural verification
The pTPN model of each application can be analyzed in isolation, since
its embedding environment is thoroughly accounted for by the Global Scheduler
submodel. The analysis can be performed through the Oris Tool [44], which
supports enumeration of the state-class-graph, selection of symbolic runs attaining specific sequencing and timing conditions, and tight evaluation of
their range of timings. In particular, the identification of all symbolic runs
that start with a task release and end with its completion, which we call
task symbolic runs, enables the derivation of the Best Case Completion Time
(BCCT) and the Worst Case Completion Time (WCCT) of each task. This
makes it possible to verify whether deadlines are met and with which minimum laxity.
Architectural verification of the HS system of Table 3.1 proves that all task
deadlines are met, completing state-space enumeration of system applica-
tions in nearly 3 seconds, and selection and timeliness analysis of their task
symbolic runs in approximately 9 minutes. For instance, for application A1,
state-space analysis enumerates 97 state-classes associated with 38 reachable
markings; selection of task symbolic runs derives 108, 162, and 670 paths for
Tsk11, Tsk12, and Tsk13, respectively; timeliness analysis of task symbolic
runs provides a [BCCT, WCCT] interval of [1, 2], [4, 7], and [31, 33] ms for
Tsk11, Tsk12, and Tsk13, respectively, guaranteeing that all deadlines are
met with minimum laxity of 58, 53, and 27 ms, respectively.
Chapter 4
Hierarchical Scheduling systems with inter-application communications
This chapter enriches the model of pTPNs with a notion of Required Interface (RI) so as to fit the needs of the real-time domain and support the specification of inter-application communications among periodic tasks (Section 4.1.1); illustrates the concept of RI with reference to the running example and discusses how RIs are derived (Section 4.1.2); presents 3 invariants that are satisfied by the pTPN submodel of the RI (Section 4.1.3); presents a compositional technique for verification of inter-application constraints, exemplifying its application to the running example (Section 4.1.4); and characterizes the complexity of architectural verification (Section 4.1.5).
HIERARCHICAL SCHEDULING SYSTEMS WITH INTER-APPLICATION COMMUNICATIONS 42
Compositional verification of an HS system with inter-application communications
4.1 Compositional verification of an HS system
with inter-application communications
When the HS system encompasses dependencies among applications, sepa-
rate modeling and compositional verification of single applications requires a
major shift in the analysis approach that can decouple the concurrent impact
on shared resources. To this end, the model of pTPNs [21] is enriched with
a concept of Required Interface (RI) that partially specifies the embedding
environment of an application through sequencing and timing constraints.
The use of RIs as a means to decouple the analysis of interacting models was
proposed in [22]. In that work, the approach was applied to non-preemptive
models and without a specific discipline of composition. By leveraging the hierarchical structure of HS systems, this work extends the concept in order to also encompass the much more complex case of preemptive behavior.
The RI of an application is transposed into a corresponding pTPN, which
can be concurrently analyzed with the pTPN submodels of the Task-Set and
the Global Scheduler, enabling correctness verification based on state-space
enumeration.
4.1.1 Required Interfaces
This section provides the notion of RI and proposes a compositional technique for verification of inter-application constraints.
4.1.1.1 Syntax
Applications communicate with their environment through reading ports and
writing ports that are connected with reading places and writing transitions,
respectively, by a set of internal links $ILink$:
$$ILink \subseteq \Big(\bigcup_{i \in [1,N]} \big(Port^{in}_{A_i} \times P_{A_i}\big)\Big) \cup \Big(\bigcup_{i \in [1,N]} \big(T_{A_i} \times Port^{out}_{A_i}\big)\Big), \quad (4.1)$$
where $A_1, \ldots, A_N$ is the set of $N$ applications of the system and $Port^{in}_{A_i}$,
$Port^{out}_{A_i}$, $P_{A_i}$, and $T_{A_i}$ are the sets of reading ports, writing ports, places,
and transitions of an application $A_i$, respectively. The arrival of a token
in a reading place models the receipt of a message; conversely, the firing
of a writing transition accounts for a message dispatch. Inter-application
interactions are performed through a set of external links $ELink$ connecting
reading and writing ports of different applications:
$$ELink \subseteq \Big(\bigcup_{i, j \in [1,N],\, i \neq j} Port^{out}_{A_i} \times Port^{in}_{A_j}\Big). \quad (4.2)$$
For instance, in Fig. 4.1, applications A1 and A2 write messages on writing
ports out11 and out21, respectively; conversely, application A3 reads messages
from A1 and A2 on reading ports in31 and in32, respectively. In particular,
the dispatch of a message from A1 and A2 is modeled by the firing of writing
transitions t111 and t211, respectively; conversely, the receipt of a message
from A1 and A2 is represented by the arrival of a token in reading places
pin31 and pin32 , respectively, through the firing of reading transitions tin31
and tin32 , respectively. According to this, internal and external links are
ILink = {〈t111, out11〉, 〈t211, out21〉, 〈in31, pin31〉, 〈in32, pin32〉} and ELink =
{〈out11, in31〉, 〈out21, in32〉}, respectively. Also note that, in the model of A3,
transitions t313 and t323 represent the processing of a message from A1 and
A2, respectively, while transitions t311 and t321 account for the absence of a
message from A1 and A2, respectively.
[Figure 4.1 (diagram not reproduced): Application A1: t110 ([60,60]) → p111 → t111 (C111, [1,2], prio=2, cpu), which writes on port out11. Application A2: t210 ([60,60]) → p211 → t211 (C211, [1,2], prio=2, cpu), which writes on port out21. Application A3: reading ports in31 and in32 feed reading transitions tin31 and tin32, which mark reading places pin31 and pin32; t310 ([60,60]) → p311, with t311 and t312 ([0,0], prio=2, cpu), t313 (C311, [1,2], prio=2, cpu) and p312; t320 ([60,60]) → p321, with t321 and t322 ([0,0], prio=3, cpu), t323 (C321, [2,4], prio=3, cpu) and p322.]
Figure 4.1. A scheme illustrating inter-application interactions in the HS system of Table 3.1.
The Required Interface $RI_{A_i}$ extends the model of an application $A_i$ with a
set of fictitious transitions and post-condition arcs accounting for the arrival
of tokens into reading places, and with a set of timing constraints limiting
the firing of fictitious transitions:
$$RI_{A_i} = \langle T^{in}_{A_i}, A^{in}_{A_i}, FI^s_{RI_{A_i}}\rangle. \quad (4.3)$$
$T^{in}_{A_i}$ is a set of fictitious reading transitions, one for each reading port of the
application; $A^{in}_{A_i}$ is a set of fictitious post-condition arcs, connecting each
reading transition $t_{in}$ with each of the reading places that are linked with the
corresponding reading port $in$; $B_{RI_{A_i}} \subseteq T^{in}_{A_i} \times (T^{ts}_{A_i} \cup T^{in}_{A_i} \cup \{t^*\})$ associates each
reading transition $t_{in} \in T^{in}_{A_i}$ with an event that conditions the embedding
environment of the application, which can be a transition of the Task-Set
submodel $T^{ts}_{A_i}$, or a fictitious reading transition in $T^{in}_{A_i}$, or the fictitious event
$t^*$ corresponding to the beginning of the execution; and, $FI^s_{RI_{A_i}}$ associates
each element of $B_{RI_{A_i}}$ with a set of required static firing intervals:
$$FI^s_{RI_{A_i}} : B_{RI_{A_i}} \to \Big((\mathbb{R}^+_0 \cup \{\infty\}) \times (\mathbb{R}^+_0 \cup \{\infty\})\Big) \cup \{\mathit{continue}\}. \quad (4.4)$$
4.1.1.2 Semantics
The state of the pTPN model of an application $A_i$ closed with its Required
Interface $RI_{A_i}$ is a triple $s_{RI_{A_i}} = \langle m, \tau, \tau_{RI_{A_i}}\rangle$, where $m$ is the marking of $A_i$,
$\tau$ is the time-to-fire of (regular) transitions of $A_i$, and $\tau_{RI_{A_i}} : T^{in}_{A_i} \to \mathbb{R}^+_0 \cup \{\infty\}$
associates each fictitious reading transition $t_{in}$ of $A_i$ with a required dynamic
time-to-fire initially sampled within its required static firing interval
$FI^s_{RI_{A_i}}(t_{in}, t^*)$. When a transition $t_0$ fires, the state $s_{RI_{A_i}} = \langle m, \tau, \tau_{RI_{A_i}}\rangle$ is
replaced by a new state $s'_{RI_{A_i}} = \langle m', \tau', \tau'_{RI_{A_i}}\rangle$. The firability clause and the
derivation of $m'$ and $\tau'$ in the firing clause are defined as in the rule of Section 3.1.1.2, with the only difference that the set of transitions is augmented
to $T_{A_i} \cup T^{in}_{A_i}$. The dynamic time-to-fire of each fictitious reading transition
$t_{in}$ is updated as follows:
• if $\langle t_{in}, t_0\rangle \in B_{RI_{A_i}}$, then $t_{in}$ is regarded as newly-enabled and $\tau'_{RI_{A_i}}(t_{in})$
takes a non-deterministic value sampled within $FI^s_{RI_{A_i}}(t_{in}, t_0)$;
• if $\langle t_{in}, t_0\rangle \notin B_{RI_{A_i}}$, then $t_{in}$ is regarded as persistent-progressing and
$\tau'_{RI_{A_i}}(t_{in})$ is reduced by the value of the firing time of $t_0$.
The static firing intervals of reading transitions express expected constraints on the time elapsing between the firing of a transition or the arrival of
a token in a reading place and the firing of a reading transition. Specifically,
$FI^s_{RI_{A_i}}(t_{in}, t_0) = [EFT^s_{RI_{A_i}}(t_{in}, t_0), LFT^s_{RI_{A_i}}(t_{in}, t_0)] \in \mathbb{R}^+_0 \times (\mathbb{R}^+_0 \cup \{\infty\})$ if the
expected time to the next occurrence of $t_{in}$ is supposed to be reset at the occurrence of $t_0$ with a non-deterministic value within $[EFT^s_{RI_{A_i}}(t_{in}, t_0), LFT^s_{RI_{A_i}}(t_{in}, t_0)]$;
$FI^s_{RI_{A_i}}(t_{in}, t_0) = (\infty, \infty)$ if $t_{in}$ is not supposed to occur after the occurrence of
$t_0$; and $FI^s_{RI_{A_i}}(t_{in}, t_0) = \mathit{continue}$ if the expected time to the next occurrence
of $t_{in}$ is not supposed to be reset at the occurrence of $t_0$. According to this,
after the firing of a transition $t_0$ such that $\langle t_{in}, t_0\rangle \in B_{RI_{A_i}} \wedge FI^s_{RI_{A_i}}(t_{in}, t_0) = [EFT^s_{RI_{A_i}}(t_{in}, t_0), LFT^s_{RI_{A_i}}(t_{in}, t_0)]$, $t_{in}$ cannot fire before being continuously
persistent for a time longer than $EFT^s_{RI_{A_i}}(t_{in}, t_0)$, nor can it remain
persistent-progressing without firing for a time longer than $LFT^s_{RI_{A_i}}(t_{in}, t_0)$.
4.1.2 Construction of a Required Interface
This section illustrates the concept of RI with reference to the RI of A3 in the
HS system specified by the workload of Table 3.1. $RI_{A_3}$, shown in Table 4.1, prescribes that: i) after the beginning of execution, a message from A1 and a message from A2 must arrive within [60, 70] ms and [70, 80] ms, respectively, i.e., $FI^s_{RI_{A_3}}(t_{in_{31}}, t^*) = [60, 70]$ and $FI^s_{RI_{A_3}}(t_{in_{32}}, t^*) = [70, 80]$;
ii) it is never the case that two subsequent messages from A1 arrive without an intermediate message from A2 or the completion of a message processing (either from A1 or A2), and vice-versa, i.e., $FI^s_{RI_{A_3}}(t_{in_{31}}, t_{in_{31}}) = FI^s_{RI_{A_3}}(t_{in_{32}}, t_{in_{32}}) = (\infty, \infty)$; iii) the arrival of a message from A1 does
not affect the expectancy about the next arrival of a message from A2, and
vice-versa, i.e., $FI^s_{RI_{A_3}}(t_{in_{32}}, t_{in_{31}}) = FI^s_{RI_{A_3}}(t_{in_{31}}, t_{in_{32}}) = \mathit{continue}$; iv) after the processing of a message from A1 or A2, the next message from
A1 and A2 must arrive within [35, 45] and [42, 52] ms, respectively, i.e.,
$FI^s_{RI_{A_3}}(t_{in_{31}}, t_{313}) = [35, 45]$ and $FI^s_{RI_{A_3}}(t_{in_{32}}, t_{323}) = [42, 52]$; v) the completion of processing of a message from A1 does not affect the expectancy about
the next arrival of a message from A2, and vice-versa, i.e., $FI^s_{RI_{A_3}}(t_{in_{32}}, t_{313}) = FI^s_{RI_{A_3}}(t_{in_{31}}, t_{323}) = \mathit{continue}$.
                    init      msg from A1  msg from A2  proc. msg from A1  proc. msg from A2
                    t*        tin31        tin32        t313               t323
msg from A1  tin31  [60, 70]  (∞,∞)        continue     [35, 45]           continue
msg from A2  tin32  [70, 80]  continue     (∞,∞)        continue           [42, 52]
Table 4.1. The RI of application A3 in the HS system of Table 3.1. The element in row $t_i$ and column $t_j$ is the expected time to the next occurrence of $t_i$ after the occurrence of $t_j$, i.e., $FI^s_{RI_{A_3}}(t_i, t_j)$. Times are expressed in ms.
Note that an RI constraint of type $\mathit{continue}$ represents an event that
does not change the expected time to the next occurrence of another event,
making it possible to leave constraints between independent events unspecified. For
instance, in the example of Table 4.1, the arrival or the processing of a
message from A2 does not reset the expected time to the next arrival of a
message from A1. According to this, $FI^s_{RI_{A_3}}(t_{in_{31}}, t_{313})$ constrains the time
that elapses from the processing of a message from A1 until the arrival of the
next message from A1 to be within [35, 45] ms, possibly with intermediate
arrival or processing of a message from A2. It is worth stressing that this
largely increases the expressivity of the RI with respect to [22], making it possible to
encompass combinations of events that do not directly condition each other,
to hold memory across RI events, and to decouple independent communication channels. This fits the needs of the domain of real-time systems, which
usually include sequencing and timing constraints on multiple concurrent
timers.
In a practical perspective, the definition of RIs is an iterative process
driven by design assumptions about the expected behavior of different com-
ponents and by a twofold constraint: on the one hand, RIs must be tight
enough to make the symbolic state-space of isolated applications finite; on
the other hand, they must be loose enough to be actually satisfied with re-
spect to the composition environment and possibly robust to changes. While
these iterations may require subsequent guesses and analyses to determine
required static firing intervals, events of RIs are defined on the basis of inter-
application communications. Specifically, the RI of an application contains a
row for each input event (i.e., an event coming from the environment such as
the arrival of a message) and a column for the fictitious event corresponding
to the beginning of the execution, for each input event, and for each event
of the application that is an input event for another application or is instru-
mental to the realization of synchronization mechanisms such as time-outs.
Then, in each iterative step, some patterns can be applied to determine the
HIERARCHICAL SCHEDULING SYSTEMSWITH INTER-APPLICATION COMMUNICATIONS 48
Compositional verification of an HS system with inter-application communications
required static firing interval of an RI constraint $FI^s_{RI_{A_i}}(t_{in}, t_0)$:
• A constraint of type $[EFT^s_{RI_{A_i}}(t_{in}, t_0),\, LFT^s_{RI_{A_i}}(t_{in}, t_0)]$ is used to restrain the time that elapses between two dependent events. Lower and upper bounds are tentatively guessed as a trade-off among various factors including latency bounds on inter-application communications, the period of the Global Scheduler, the assignment and length of time-slots, and the periods of communicating tasks.
• A constraint of type $(\infty,\infty)$ is intentionally chosen by the designer to restrain the possible orderings of events in the communication pattern by preventing the occurrence of $t_{in}$ after $t_0$.
• A constraint of type continue is used when $t_{in}$ and $t_0$ are independent events of separate communication channels, or events that turn out to be dependent due to accidental facts which are not the result of design choices.
4.1.3 The pTPN submodel of the Required Interface
The assumption of an RI makes the model of a Real-Time Application closed
and allows its analysis in isolation. In [22], this was implemented by extend-
ing the state-space enumeration algorithm so as to take RI constraints into
account during the construction of the state-class-graph. Here a different
approach is followed where the application with its RI is translated into an
equivalent pTPN, which integrates the submodels of the Task-Set and the
Global Scheduler with a submodel of the RI, thus enabling reuse of existing
analysis tools [44], [45].
The pTPN that represents the RI is constructed so as to guarantee three
invariants:
• Inv1: for each event $t_j$ appearing in some RI column (i.e., $t_j \in T^{in}_A \cup T^{ts}_A \cup \{t^*\}$ and $\exists\, t_i \in T^{in}_A$ such that $\langle t_i, t_j\rangle \in B_{RI_A}$), the model includes a place $p_{after\,t_j}$ that will contain one token iff $t_j$ is the last occurred event;
• Inv2: for each input event $t_i$ that appears in some RI row and may occur after event $t_j$ (i.e., $t_i \in T^{in}_A$, $t_j \in T^{in}_A \cup T^{ts}_A \cup \{t^*\}$ such that $\langle t_i, t_j\rangle \in B_{RI_A}$ and $FI^s_{RI_A}(t_i, t_j) \neq (\infty,\infty)$), the model includes an immediate transition $t_{i\,after\,j}$ that will fire iff $t_i$ is the next input event occurring after $t_j$;
• Inv3: for each input event $t_i$ whose expected time is reset at the occurrence of event $t_j$ (i.e., $t_i \in T^{in}_A$, $t_j \in T^{in}_A \cup T^{ts}_A \cup \{t^*\}$ such that $\langle t_i, t_j\rangle \in B_{RI_A}$ and $FI^s_{RI_A}(t_i, t_j) \in \mathbb{R}^+_0 \cup (\mathbb{R}^+_0 \times \{\infty\})$), the model includes a transition $t_{timer\,ij}$ accounting for the expected time to the next occurrence of $t_i$ measured since the occurrence of $t_j$. This has firing interval equal to $FI^s_{RI_A}(t_i, t_j)$, a precondition place $p_{pre\,timer\,ij}$, and a postcondition place $p_{post\,timer\,ij}$. According to this: i) $p_{pre\,timer\,ij}$ will contain a token and $t_{timer\,ij}$ will be enabled iff the expected time to the next occurrence of $t_i$ was reset after $t_j$, and ii) $p_{post\,timer\,ij}$ will contain a token iff the expected time to the next occurrence of $t_i$ since the occurrence of $t_j$ has just expired.
Note that, according to invariants Inv1 and Inv2, a token arrives in $p_{after\,t_j}$ at the firing of some transition $t_{j\,after\,h}$ for some $t_h \in T^{in}_A \cup T^{ts}_A \cup \{t^*\}$ such that $FI^s_{RI_A}(t_j, t_h) \neq (\infty,\infty)$. According to invariant Inv3, for each input event $t_i$ whose expected time is reset at the occurrence of events $t_{j_1}, \ldots, t_{j_R}$, there is at most one event $t_j \in \{t_{j_1}, \ldots, t_{j_R}\}$ such that place $p_{pre\,timer\,ij}$ contains a token and transition $t_{timer\,ij}$ is enabled.
Appendix B shows that these invariants can be satisfied easily (though tediously) through conventional reasoning steps of Petri Net modeling.
Besides, in the sequel of the treatment, the three invariants turn out to be
sufficient to support proofs on the properties guaranteed by RIs.
4.1.4 Verification of Required Interfaces
Assumptions made in RIs can be verified through the composition of results
obtained in separate analysis of individual application models, each made of
the Task-Set submodel, the Global Scheduler submodel, and, possibly, the
RI submodel. The theory of verification proceeds through five steps:
• we determine the necessary and sufficient condition for an event ti to
occur within a given time-slot (Theorem 4.1.1 in Section 4.1.4.1);
• for any two events ti and tj, we derive lower and upper bounds on the
duration elapsed between the end of a time-slot during which tj may
occur and the beginning of the subsequent time-slot during which ti
may occur (Theorem 4.1.2 in Section 4.1.4.2);
• we provide lower and upper bounds on the time elapsed between events
tj and ti (Theorem 4.1.3 in Section 4.1.4.3);
• we define a procedure for verification of RI constraints (Section 4.1.4.4);
• finally, we prove that the verification procedure is sound (Theorem 4.1.4
in Section 4.1.4.5).
To help readability, proofs are deferred to Appendix A.
4.1.4.1 Location of the occurrence of events within time-slots
Let the period of length P of a TDM Global Scheduler be partitioned into
M time-slots T1, ..., TM of length ∆1, ..., ∆M , respectively, each exclusively
allocated to one of $N$ applications $A_1, \ldots, A_N$ (see Fig. 4.2). In so doing, each application is assigned one or more time-slots. Let $FI^s_{RI_{A_n}}(t_i, t_j)$ be a constraint of the RI of $A_n$, i.e., $t_i \in T^{in}_{A_n}$ is a writing transition in the Task-Set submodel of some application $A_u$, and $t_j \in T^{in}_{A_n} \cup T^{ts}_{A_n} \cup \{t^*\}$ may be a writing transition in the Task-Set submodel of some application $A_v$, or some transition in the Task-Set submodel of $A_n$, or the init transition $t^*$ in the RI submodel of $A_n$. Let $t_{gs_1}, \ldots, t_{gs_M}$ be the transitions accounting for the completion of $T_1, \ldots, T_M$, respectively, in the Global Scheduler submodel of each application.
[Figure 4.2]
Figure 4.2. A scheme illustrating the allocation of $M$ time-slots $T_1, \ldots, T_M$ to $N$ applications $A_1, \ldots, A_N$.
Theorem 4.1.1: A transition $t_i$ belonging to the model of an application $A_i$ may fire during time-slot $T_h$, which we write $t_i \Downarrow T_h$, iff the state-space of $A_i$ contains a symbolic run that: starts with $t_{gs_{h-1}}$; includes $t_i$; and ends up with $t_{gs_h}$.
4.1.4.2 Lower and upper bounds on the duration elapsed between
two time-slots
Let $t_i$ be a transition belonging to a periodic task of $A_u$ with period $P_i$, and let $t_j$ be a transition belonging to a periodic task of $A_v$ with period $P_j$, which we write $t_i \in T^{ts}_{A_u,P_i}$ and $t_j \in T^{ts}_{A_v,P_j}$; let $\Pi_{ij}$ be the Least Common Multiple
(LCM) of $P_i$, $P_j$, and $P$; and let $S^u_{ij}$ and $S^v_{ij}$ be the sets of symbolic runs in the state-spaces of $A_u$ and $A_v$ that: start with $t^*$ or $t_{gs_1}$, end up with $t_{gs_M}$, and last for a time equal to $\Pi_{ij}$. According to this, during the execution of a symbolic run $\rho_u \in S^u_{ij}$ or $\rho_v \in S^v_{ij}$, a sequence of $\Pi_{ij}/P$ periods of the Global Scheduler elapses. As a corollary of Theorem 4.1.1, $t_i$ occurs during the $h$-th time-slot of the $q$-th period of a symbolic run $\rho_u \in S^u_{ij}$, which we write $t_i \Downarrow T^q_h$, iff $\rho_u$ includes an occurrence of $t_i$ comprised between the $q$-th occurrences of $t_{gs_{h-1}}$ and $t_{gs_h}$. Let $W_{ij}$ be the set of pairs of time-slots $\langle T^r_k, T^q_h\rangle$ such that $T^r_k$ is a time-slot in $\rho_v \in S^v_{ij}$ during which $t_j$ occurs and $T^q_h$ is the subsequent time-slot in $\rho_u \in S^u_{ij}$ during which $t_i$ occurs.
Theorem 4.1.2: The duration $\gamma_{ji}$ that elapses between the end of a time-slot during which a transition $t_j \in T^{ts}_{A_v,P_j}$ may fire and the beginning of the subsequent time-slot during which a transition $t_i \in T^{ts}_{A_u,P_i}$ may fire is lower bounded by $\Gamma^{min}_{ji}$ and upper bounded by $\Gamma^{max}_{ji}$:
$$\Gamma^{min}_{ji} = \min_{\langle T^r_k, T^q_h\rangle \in W_{ij}} \left( \sum_{z \in I_{kh}} \Delta_z + P\,(q - r - \phi_{kh}) \right), \qquad \Gamma^{max}_{ji} = \max_{\langle T^r_k, T^q_h\rangle \in W_{ij}} \left( \sum_{z \in I_{kh}} \Delta_z + P\,(q - r - \phi_{kh}) \right), \qquad (4.5)$$
where:
$$I_{kh} = \begin{cases} \{z \in \mathbb{N}_{>0} \mid k+1 \le z \le h-1\} & \text{if } k < h \\ \emptyset & \text{if } k = h \\ \{z \in \mathbb{N}_{>0} \mid k+1 \le z \le M \,\lor\, 1 \le z \le h-1\} & \text{if } k > h \end{cases} \qquad (4.6)$$
and
$$\phi_{kh} = \begin{cases} 0 & \text{if } k \le h \wedge r \le q, \\ 1 & \text{if } k > h \wedge r < q, \\ -\dfrac{\Pi_{ij}}{P} & \text{if } k < h \wedge r > q, \\ 1 - \dfrac{\Pi_{ij}}{P} & \text{if } k \ge h \wedge r \ge q. \end{cases} \qquad (4.7)$$
Remark: When ti and tj belong to the Task-Set submodel of the same
application or tj = t∗, it is not necessary to derive a bounding interval for
the time elapsed between two time-slots during which tj and ti may occur,
since tight bounds on their inter-occurrence time can be derived through
Theorem 4.1.3.
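As an added worked example (not code from the thesis), the following Python evaluates Eqs. (4.5) to (4.7) on a constructed TDM configuration. The slot lengths, the number of periods spanned by the runs, the pairs placed in $W_{ij}$, and the function names I_kh, phi_kh, slot_gap and gamma_bounds are all assumptions of the example; only the formulas come from the page.

```python
from typing import Dict, Iterable, Set, Tuple

# Constructed TDM configuration (an assumption of this example, not the
# thesis's case study): the period P is partitioned into M = 4 time-slots
# T_1..T_4 with lengths Delta_1..Delta_4 in ms.
DELTA: Dict[int, int] = {1: 3, 2: 4, 3: 2, 4: 1}
M = len(DELTA)
P = sum(DELTA.values())  # 10 ms

# A pair <T^r_k, T^q_h> of W_ij is encoded as ((k, r), (h, q)):
# slot index first, then the index of the Global Scheduler period.
SlotPair = Tuple[Tuple[int, int], Tuple[int, int]]


def I_kh(k: int, h: int, M: int) -> Set[int]:
    """Eq. (4.6): indices of the slots strictly between T_k and T_h,
    wrapping around the end of the period when k > h."""
    if k < h:
        return set(range(k + 1, h))
    if k == h:
        return set()
    return set(range(k + 1, M + 1)) | set(range(1, h))


def phi_kh(k: int, h: int, r: int, q: int, periods: int) -> int:
    """Eq. (4.7), with `periods` = Pi_ij / P, the number of Global Scheduler
    periods spanned by the symbolic runs in S^u_ij and S^v_ij."""
    if k <= h and r <= q:
        return 0
    if k > h and r < q:
        return 1
    if k < h and r > q:
        return -periods
    return 1 - periods  # k >= h and r >= q


def slot_gap(pair: SlotPair, periods: int) -> int:
    """The summand of Eq. (4.5): time from the end of T^r_k to the start of the
    subsequent T^q_h, i.e. the intermediate slot lengths plus whole periods."""
    (k, r), (h, q) = pair
    return sum(DELTA[z] for z in I_kh(k, h, M)) + P * (q - r - phi_kh(k, h, r, q, periods))


def gamma_bounds(W: Iterable[SlotPair], periods: int) -> Tuple[int, int]:
    """Eq. (4.5): Gamma^min_ji and Gamma^max_ji over the pairs in W_ij."""
    gaps = [slot_gap(pair, periods) for pair in W]
    return min(gaps), max(gaps)


# Constructed W_ij for runs lasting Pi_ij = 2 P (two scheduler periods).
PERIODS = 2
W_EXAMPLE = [
    ((1, 1), (3, 1)),  # same period, k < h: only Delta_2 in between          -> 4
    ((3, 1), (1, 2)),  # wraps into the next period: only Delta_4 in between  -> 1
    ((3, 2), (1, 1)),  # wraps into the next repetition of the 2P-long run    -> 1
    ((2, 2), (4, 1)),  # Delta_3, then a whole period before T_4 of period 1  -> 12
]

if __name__ == "__main__":
    for pair in W_EXAMPLE:
        print(pair, slot_gap(pair, PERIODS))
    print("Gamma_min, Gamma_max =", gamma_bounds(W_EXAMPLE, PERIODS))  # (1, 12)
```

Each gap can be checked against the timeline by hand: with slots of 3, 4, 2 and 1 ms, the end of $T_2$ in period 2 falls at 17 ms and the start of $T_4$ in period 1 of the following repetition at 29 ms, so the fourth pair yields 12 ms, which is the value $\phi_{kh} = -\Pi_{ij}/P$ produces.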
4.1.4.3 Lower and upper bounds on the time elapsed between two
events
Theorem 4.1.3: The duration $\omega_{ji}$ that elapses between the firings of $t_j \in T^{ts}_{A_v,P_j}$ and $t_i \in T^{ts}_{A_u,P_i}$, without any intermediate firing of $t_j$, $t_i$, or a transition appearing in the RI of an application $A_n$ that resets the expected time of $t_i$ or prevents its execution, is lower bounded by $\Omega^{min}_{ji}$ and upper bounded by $\Omega^{max}_{ji}$:
$$\Omega^{min}_{ji} = \min_{k \in [1,M] \,\mid\, t_j \Downarrow T_k} BCET_{\rho(t_j,\, t_{gs_k})} + \Gamma^{min}_{ji} + \min_{(h-1) \in [1,M] \,\mid\, t_i \Downarrow T_h} BCET_{\rho(t_{gs_{h-1}},\, t_i)},$$
$$\Omega^{max}_{ji} = \max_{k \in [1,M] \,\mid\, t_j \Downarrow T_k} WCET_{\rho(t_j,\, t_{gs_k})} + \Gamma^{max}_{ji} + \max_{(h-1) \in [1,M] \,\mid\, t_i \Downarrow T_h} WCET_{\rho(t_{gs_{h-1}},\, t_i)}, \qquad (4.8)$$
where: $\rho(t_j, t_{gs_k})$ is a symbolic run in the state-space of $A_v$ that starts with $t_j$, ends up with $t_{gs_k}$, and does not include any intermediate firing of $t_j$, or a transition in the Global Scheduler submodel of $A_v$, or a transition appearing in the RI of $A_n$ that resets the expected time of $t_i$ or prevents its execution;
and $\rho(t_{gs_{h-1}}, t_i)$ is a symbolic run in the state-space of $A_u$ that starts with $t_{gs_{h-1}}$, ends up with $t_i$, and does not include any intermediate firing of $t_i$, or a transition in the Global Scheduler submodel of $A_u$, or a transition appearing in the RI of $A_n$ that resets the expected time of $t_i$ or prevents its execution.
Remark: Theorem 4.1.3 can be extended to encompass the case in which
ti and tj belong to the Task-Set submodel of the same application Ai and,
thus, may both fire during the same time-slot. In particular, the time that
elapses between the firings of tj and ti occurring during the same time-slot is
tightly bounded by the BCET and the WCET of any symbolic run ρ(tj, ti)
in the state-space of Ai that: starts with tj, ends up with ti, and does
not include any intermediate firing of tj, ti, or a transition of the Global
Scheduler submodel of Ai, or a transition appearing in the RI of An that
resets the expected time of ti or prevents its execution.
Theorem 4.1.3 can also be extended to encompass the case in which $t_j = t^*$. In fact, tight bounds on the duration that elapses between $t^*$ and $t_i$ are represented by the BCET and the WCET of any symbolic run in the state-space of $A_i$ that: starts with $t^*$, ends up with $t_i$, and does not include any intermediate firing of $t_i$ or a transition appearing in the RI of $A_n$ that resets the expected time of $t_i$ or prevents its execution.
4.1.4.4 Verification procedure
When the state-space of each application (possibly closed with its RI) has
been analyzed, the satisfaction of constraints prescribed by RIs in the compo-
sition environment can be verified by combining individual analysis results.
Following the notation of Section 4.1.4.1, let $FI^s_{RI_{A_n}}(t_i, t_j)$ be an RI constraint of an application $A_n$, so that $t_i$ is a writing transition in the Task-Set submodel of some application $A_u \neq A_n$, while $t_j$ may be a writing transition in the Task-Set submodel of some application $A_v \neq A_n$, or some transition in the Task-Set submodel of $A_n$, or the init transition $t^*$ in the RI submodel of $A_n$. Under this notation, the RI constraint $FI^s_{RI_{A_n}}(t_i, t_j)$ can be verified through the following steps:
• If $FI^s_{RI_{A_n}}(t_i, t_j) \in \mathbb{R}^+_0 \times (\mathbb{R}^+_0 \cup \{\infty\})$, by relying on Theorem 4.1.3, the constraint is satisfied if: i) a symbolic run $\rho(t_j, t_{gs_k})$ exists in the state-space of $A_v$ or $A_n$, and ii) a symbolic run $\rho(t_{gs_{h-1}}, t_i)$ exists in the state-space of $A_u$, and iii) $[\Omega^{min}_{ji}, \Omega^{max}_{ji}] \subseteq FI^s_{RI_{A_n}}(t_i, t_j)$.
• If $FI^s_{RI_{A_n}}(t_i, t_j) = (\infty,\infty)$, by relying on Theorems 4.1.1 and 4.1.3, the constraint is satisfied if: i) no symbolic run $\rho(t_j, t_{gs_k})$ exists in the state-space of $A_v$ or $A_n$, or ii) no symbolic run $\rho(t_{gs_{h-1}}, t_i)$ exists in the state-space of $A_u$, or iii) a symbolic run $\rho(t_j, t_{gs_k})$ exists in the state-space of $A_v$ or $A_n$, a symbolic run $\rho(t_{gs_{h-1}}, t_i)$ exists in the state-space of $A_u$, and, for any pair of time-slots $\langle T^r_k, T^q_h\rangle \in W_{ij}$, some transition $t_c \neq t_i, t_j$ belonging to an application $A_d$ and appearing in $RI_{A_n}$ always fires within a time-slot $T^b_a$ comprised between $T^r_k$ and $T^q_h$. Note that, as a corollary of Theorem 4.1.1, the latter condition is satisfied if an occurrence of $t_d$ comprised between the $b$-th occurrences of $t_{gs_{a-1}}$ and $t_{gs_a}$ is included in any symbolic run in the state-space of $A_d$ that starts with $t^*$ or $t_{gs_1}$, ends up with $t_{gs_M}$, and lasts for a time equal to $\Pi_{ij}$.
• If $FI^s_{RI_{A_n}}(t_i, t_j) =$ continue, no check is required, as the assumption does not pose any constraint on the occurrence of $t_i$ after $t_j$.
Note that, unless the constraint FIsRIAn (ti, tj) is of type continue, its ver-
ification relies on analysis results of at least an application different from
An.
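The combination step of Theorem 4.1.3 and the three cases of the verification procedure above, as an added example in Python that is not part of the thesis or of its tools. The symbolic runs, their BCET/WCET values and the slot-gap bounds $\Gamma^{min}_{ji}, \Gamma^{max}_{ji}$ are constructed inputs standing in for the results that state-space enumeration, timeliness analysis and Theorem 4.1.2 would deliver; the Run type, the function names and the `separator_always_fires` flag (which stands for condition iii) of the $(\infty,\infty)$ case, to be established separately through the corollary of Theorem 4.1.1) are assumptions of the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

INF = float("inf")


@dataclass(frozen=True)
class Run:
    """A symbolic run as delivered by timeliness analysis: the sequence of
    fired transitions and its Execution Time interval [BCET, WCET] in ms."""
    trace: Tuple[str, ...]
    bcet: float
    wcet: float


# An RI constraint is an interval (b, w) with w possibly INF, the pair
# (INF, INF), or the keyword "continue".
Constraint = Union[Tuple[float, float], str]


def may_fire_in_slot(runs: List[Run], t: str, h: int, M: int) -> bool:
    """Theorem 4.1.1: t may fire during T_h iff some run starts with
    t_gs_{h-1}, includes t and ends with t_gs_h. Assumption of the example:
    slot T_1 is entered either at t* or at the completion t_gs_M of the
    previous period."""
    starts = {"t*", f"tgs{M}"} if h == 1 else {f"tgs{h - 1}"}
    return any(r.trace[0] in starts and r.trace[-1] == f"tgs{h}" and t in r.trace[1:-1]
               for r in runs)


def omega_bounds(runs_j_to_gs: List[Run], runs_gs_to_i: List[Run],
                 gamma_min: float, gamma_max: float) -> Optional[Tuple[float, float]]:
    """Eq. (4.8): [Omega^min_ji, Omega^max_ji] from the runs rho(t_j, t_gs_k),
    the runs rho(t_gs_{h-1}, t_i) and the slot-gap bounds of Theorem 4.1.2.
    Returns None when either family of runs is empty (conditions i or ii fail)."""
    if not runs_j_to_gs or not runs_gs_to_i:
        return None
    lo = min(r.bcet for r in runs_j_to_gs) + gamma_min + min(r.bcet for r in runs_gs_to_i)
    hi = max(r.wcet for r in runs_j_to_gs) + gamma_max + max(r.wcet for r in runs_gs_to_i)
    return lo, hi


def verify_constraint(constraint: Constraint, runs_j_to_gs: List[Run], runs_gs_to_i: List[Run],
                      gamma_min: float, gamma_max: float,
                      separator_always_fires: bool = False) -> bool:
    """The three cases of the verification procedure of Section 4.1.4.4."""
    if constraint == "continue":
        return True  # no assumption on the occurrence of t_i after t_j
    b, w = constraint
    omega = omega_bounds(runs_j_to_gs, runs_gs_to_i, gamma_min, gamma_max)
    if (b, w) == (INF, INF):
        # satisfied if t_i can never directly follow t_j: one family of runs
        # is empty, or an RI event always intervenes between the two slots
        return omega is None or separator_always_fires
    if omega is None:
        return False
    return b <= omega[0] and omega[1] <= w  # [Omega_min, Omega_max] within [b, w]


# Constructed analysis results (not the thesis's numbers), with M = 3 slots.
M_SLOTS = 3
RUNS_V = [Run(("tgs1", "t_j", "tgs2"), 3.0, 5.0)]          # t_j may fire in T_2 of A_v
RUNS_J_TO_GS = [Run(("t_j", "tgs2"), 2.0, 3.0)]           # rho(t_j, t_gs_2)
RUNS_GS_TO_I = [Run(("tgs2", "t_i"), 7.0, 7.0),           # rho(t_gs_2, t_i), t_i in T_3 of A_u
                Run(("tgs2", "t_x", "t_i"), 7.0, 8.0)]
GAMMA_MIN, GAMMA_MAX = 30.0, 30.0                          # assumed output of Theorem 4.1.2

if __name__ == "__main__":
    print(may_fire_in_slot(RUNS_V, "t_j", 2, M_SLOTS))                     # True
    print(omega_bounds(RUNS_J_TO_GS, RUNS_GS_TO_I, GAMMA_MIN, GAMMA_MAX))  # (39.0, 41.0)
    for ri in [(35.0, 45.0), (35.0, 40.0), (35.0, INF), (INF, INF), "continue"]:
        print(ri, verify_constraint(ri, RUNS_J_TO_GS, RUNS_GS_TO_I, GAMMA_MIN, GAMMA_MAX))
```

With the constructed values the bounds come out as [39, 41] ms, so an RI interval of [35, 45] ms is verified while [35, 40] ms is reported as violated; the $(\infty,\infty)$ case is rejected as soon as both run families are non-empty and no intervening RI event has been established, which is the conservative outcome the procedure prescribes.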
Remark: It is worth remarking that bounds obtained through Theo-
rem 4.1.3 are safe but not tight when events tj and ti belong to different
applications. Actually, this does not depend on state-space overapproximation of individual application models, but rather on the way in which tight analysis results of individual applications are combined. In fact, the steps of verification of RI assumptions rely on selection and timeliness analysis of symbolic runs of individual application models performed through the approach of [21], which provides tight results through clean-up of false behaviors introduced by the approximation. Conversely, Theorem 4.1.2 neglects combinations of time-slots during which $t_j$ and $t_i$ cannot subsequently occur, and Theorem 4.1.3 neglects combinations of the Execution Time of symbolic runs $\rho(t_j, t_{gs_k})$ and $\rho(t_{gs_{h-1}}, t_i)$ that cannot actually occur. In principle, tight bounds could be obtained through integration of the state-spaces of individual applications and tight timeliness analysis of symbolic runs that start with $t_j$ and end with $t_i$. Although projections could be used along the integration process to conceal local application events, the approach does not appear to be worth the effort, since the state-space may get very large. This may jeopardize exhaustive state-space enumeration and would in any case increase the complexity of selection and timeliness analysis of symbolic runs for verification purposes, thus preventing application to cases of real complexity.
Also note that integration of the state-spaces of individual applications
would open the way to compositional verification of non-HS systems running
under FP preemptive scheduling. However, for the same reasons exposed
above, this would hamper concrete application of the approach.
In a practical perspective, safe bounds computed on RI assumptions make
compositional verification robust with respect to changes in temporal param-
eters of the HS system, both in timing requirements and processor utilization
of individual applications and in latency bounds imposed on inter-application
communications. This allows safe schedulability analysis of HS systems of
real complexity. In fact, when minimal variations in timing properties of
the HS system cause a deadline to be missed or an RI assumption to be
broken, then the violation is often the result of anomalies and subtle effects
that cannot be mastered by the designer, revealing the need for a refinement
of system architecture more than for precise estimates on inter-application
interactions.
4.1.4.5 Soundness
Verification of RI constraints relies on the state-spaces of individual applica-
tions, derived under the assumption of RI constraints themselves. To remove
the apparent tautology that may arise in the presence of circular dependen-
cies, we prove that if compositional verification does not detect any violation
of RI assumptions, then the model that would result from the integration of
individual application models also satisfies RI assumptions. Specifically, the
integrated model combines the Task-Set and the Global Scheduler submodels
of system applications, and directly connects writing transitions with the cor-
responding reading places to account for inter-application communications.
Although the complexity of the model could be reduced by resorting to a unique representation of the Global Scheduler, the state-space may get very large. Nevertheless, we assume that the integrated model comprises a sound representation of the behavior of the HS system.
To provide an accurate formulation, let $\Psi(A_i)$ be the model of application $A_i$ made of the Task-Set and the Global Scheduler submodels, let $\Psi(A_i)_{i \in \{1,2,\ldots,N\}}$ be the integrated model of applications $A_1, A_2, \ldots, A_N$, and let $\Psi(A_i + RI_{A_i})$ be the model of application $A_i$ possibly closed with its RI submodel.
Theorem 4.1.4: Given a set of $N$ applications $A_1, A_2, \ldots, A_N$, if compositional verification performed on $\Psi(A_i + RI_{A_i})$ does not detect any violation of the assumptions made by $RI_{A_j}$ $\forall\, i, j \in \{1, 2, \ldots, N\}$, then $\Psi(A_i)_{i \in \{1,2,\ldots,N\}}$ satisfies the assumptions made by $RI_{A_i}$ $\forall\, i \in \{1, 2, \ldots, N\}$.
While the technical proof is deferred to Appendix A, we report here a sketch that makes explicit how this relies on the specificities of HS systems. Ab absurdo, we assume that there exists some time $t$ when the first violation of an RI assumption in $\Psi(A_i)_{i \in \{1,2,\ldots,N\}}$ occurs for the RI constraint $FI^s_{RI_{A_n}}(t_i, t_j)$. For instance, if $FI^s_{RI_{A_n}}(t_i, t_j) = [b, w] \subseteq \mathbb{R}^+_0 \times (\mathbb{R}^+_0 \cup \{\infty\})$, then a symbolic run $\rho(t_j, t_i)$ exists in the state-space of $\Psi(A_i)_{i \in \{1,2,\ldots,N\}}$ such that its Execution Time interval is not included in $[b, w]$. Due to the temporal isolation induced by the TDM global scheduler, $\rho(t_j, t_i)$ can be decomposed into a sequence of runs, each comprising a behavior of an individual application. As the violation is not due to a previous violation of an RI assumption, these behaviors are also represented in the state-spaces of individual applications and compositional verification detects a violation of $FI^s_{RI_{A_n}}(t_i, t_j)$, which is not possible by hypothesis.
4.1.4.6 An example
Architectural verification of the HS system of Table 3.1 under the assumption
of RIA3 relies on the state-spaces of A1 and A2 enumerated in Section 3.1.5
and performs state-space analysis on the pTPN model of A3 closed with the
submodel of RIA3 . This enumerates 14725 state-classes for 215 markings in
nearly 10 seconds, with no token accumulation in any place. According to
this, the model of A3 is able to catch events prescribed by RIA3 , thus changing
the expectancy on its embedding environment according to the constraints
of RIA3 shown in Table 4.1.
The number of symbolic runs is increased from 16 to 7955, 9584, and
10947 for tasks Tsk31, Tsk32, and Tsk33, respectively. Selection of task sym-
bolic runs and their timeliness analysis is completed in less than 1 minute
for all tasks, yielding the same values of the BCET and the WCET. Verification of $RI_{A_3}$ constraints is successfully completed in nearly 10 seconds, guaranteeing that all requirements are satisfied and tightening the timing intervals within which they are attained. In particular, the time between $t^*$ and $t_{in_{31}}$, $t^*$ and $t_{in_{32}}$, $t_{311}$ and $t_{in_{31}}$, and $t_{321}$ and $t_{in_{32}}$, is proven to be within [61, 62], [71, 72], [39, 41], and [45, 49] ms, respectively, which are bounded by the prescribed RI intervals of [60, 70], [70, 80], [35, 45], and [42, 52] ms, respectively.
Note that exhaustive verification could not be afforded through state-space analysis of a unique flat model of the HS system, since the enumeration exhausts 4 GB RAM yielding nearly $10^6$ classes in approximately 10 minutes. In fact, as usual in techniques based on state-space enumeration [21], [27], [79], [57], the complexity of the analysis notably increases with the number of concurrent tasks and with the number of sporadic tasks.
4.1.5 Complexity
Verification of intra- and inter-application constraints faces a problem of
state-space size, which depends to different extent on the structure of the
submodels of the application.
• The Task-Set submodel comprises the factors that have a higher im-
pact on the complexity of state-space analysis, such as: the number of
concurrent tasks, in particular sporadic and jittering tasks; the ratio
between the minimum temporal parameter and the hyperperiod of the
task-set; and, the relative variability of non-deterministic parameters
such as jitters and Execution Times [21].
• The RI submodel affects the complexity of state-space analysis in a
more limited manner. For any two events ti and tj of an RI constraint
that is not equal to (∞,∞), the RI submodel includes a transition
with possibly nondeterministic firing interval which accounts for the
expected time to the occurrence of event tj after event ti. However,
the maximum number of concurrently enabled transitions in the RI
submodel is limited by the maximum number of concurrent RI events,
which is the maximum number of RI constraints in the same column
that are not equal to (∞,∞).
• The Global Scheduler submodel has even less impact on the complex-
ity of state-space analysis. In fact, all its transitions have deterministic
firing interval and only one of them is enabled in each state-class; fur-
thermore, transitions representing the duration of time-slots that are
not allocated to the application are enabled in state-classes where the
transitions of the Task-Set submodel that account for computations are
suspended.
Enumeration of task symbolic runs has linear complexity both in the out-
put degree of state-classes, which is upper-bounded by the maximum number
of concurrently firable transitions, and in the length of the traces, which is
linear with respect to the ratio between the longest and the shortest inter-
release time among tasks, provided that all deadlines are met. Timeliness
analysis of task symbolic runs has polynomial complexity in the length of
the traces. However, if the analysis is only oriented to determine whether
deadlines are met, an overapproximate duration could be derived in linear
time with respect to the length of the traces, so as to derive the exact timing
profile only for those runs whose approximate duration exceeds the deadline.
Verification of an RI constraint $FI^s_{RI_{A_n}}(t_i, t_j)$ between an event $t_i$ of an application $A_u$ and an event $t_j$ of an application $A_v$ is performed through Theorems 4.1.1, 4.1.2, and 4.1.3 illustrated in Section 4.1.4. First, we enumerate symbolic runs in $S^u_{ij}$ and $S^v_{ij}$ and the pairs of time-slots $\langle T^r_k, T^q_h\rangle \in W_{ij}$ during which $t_j$ and $t_i$ may occur, in linear time with respect to the length of the traces (Theorem 4.1.1); afterwards, we derive a lower and an upper bound on the duration elapsed between any two time-slots during which $t_j$ and $t_i$ may occur as the min-max time elapsed between any pair of time-slots $\langle T^r_k, T^q_h\rangle \in W_{ij}$, which is performed in log time with respect to $|W_{ij}| = |S^u_{ij}| \cdot |S^v_{ij}|$ (Theorem 4.1.2); finally, we compute a lower and an upper bound on the duration elapsed between $t_j$ and $t_i$ through enumeration and timeliness analysis of symbolic runs $\rho(t_j, t_{gs_k})$ and $\rho(t_{gs_{h-1}}, t_i)$, $k, (h-1) \in [1, M]$, which is performed in polynomial time with respect to the length of these traces, usually shorter than task symbolic runs (Theorem 4.1.3).
Chapter 5
Experience on real complexity avionic systems
In this chapter the approach is applied to two real case studies, addressing a safety-critical avionic system limited to intra-application synchronizations (Section 5.1.1) and one that also encompasses inter-application communications (Section 5.1.2).
5.1 Experience on real complexity avionic systems
The feasibility and effectiveness of the proposed approach are validated on two real case studies from the field of safety-critical avionic systems [34], [62], [37], the former limited to intra-application interactions, the latter also addressing inter-application communications. To test the limits of applicability of the approach, the complexity of both workloads was also increased further
EXPERIENCE ON REAL COMPLEXITY AVIONIC SYSTEMS 63
Experience on real complexity avionic systems
beyond the limits of [34], [62], [37]. Various metrics were used to evaluate
the complexity of practical architectural verification, notably the number of
enumerated state-classes, the number of selected task symbolic runs, and a
qualitative measure of time spent in enumeration and timeliness analysis. All
experiments were performed through the Oris Tool [80] on an Intel Pentium
4 Quad Core desktop processor.
5.1.1 A case-study without inter-application communications
In [62], a heavily-loaded single-processor workload specifies functional and
non-functional requirements that are representative of the complexity of a
wide range of aircraft applications. The specification includes periodic and
aperiodic tasks with prescribed deadline and deterministic Execution Time,
and with neither offsets nor jitters. All inter-task input/output interactions
are performed through a single data bus. Tasks are grouped by their func-
tional responsibility and classified as critical, essential, or background depend-
ing on the importance of their responsibility, and as certain, likely, possible,
or unlikely depending on their likelihood. The workload is addressed as a
case study in [34], [33]. In [34], the subset of 15 tasks of [62] that are certain,
possible, or likely (with the exception of an essential possible task for which
the expected Execution Time is not specified) is modeled as a Coloured Petri
Net. In that model, aperiodic tasks are made periodic with period coincident
with the deadline; moreover, task periods originally equal to 52 and 55 ms
are rounded down to 50 ms. In [33], analytical techniques are applied to
provide exact Worst Case Response Times under various scheduling policies.
Appl. | Slot | Slot length | Task  | Release      | Offset | Jitter   | Deadline | Chunk | Prio | Exec. Time | Sem   | Mbx
A1    | T1   | 3           | Tsk11 | [10, 10]     | 0      | [0, 0]   | 5        | C111  | 2    | [0.6, 0.8] | -     | -
      |      |             | Tsk12 | [40, 40]     | 0      | [0, 1]   | 40       | C121  | 3    | [1.0, 1.2] | -     | -
      |      |             |       |              |        |          |          | C122  | 3    | [0.2, 0.4] | -     | mbx11(r)
      |      |             | Tsk13 | [40, 40]     | 10     | [0, 2]   | 40       | C131  | 4    | [1.8, 2.3] | -     | -
      |      |             |       |              |        |          |          | C132  | 4    | [0.6, 0.9] | -     | mbx11(s)
      |      |             | Tsk14 | [40, ∞)      | 20     | [0, 0]   | 40       | C141  | 5    | [1.1, 1.4] | -     | -
      |      |             |       |              |        |          |          | C142  | 5    | [0.1, 0.2] | -     | -
A2    | T2   | 4           | Tsk21 | [40, ∞)      | 0      | [0, 0]   | 40       | C211  | 2    | [0.2, 0.3] | mux21 | -
      |      |             |       |              |        |          |          | C212  | 2    | [0.4, 0.5] | -     | -
      |      |             | Tsk22 | [50, 50]     | 0      | [0, 1]   | 50       | C221  | 3    | [4.6, 6.1] | -     | -
      |      |             |       |              |        |          |          | C222  | 3    | [0.2, 0.3] | mux21 | -
      |      |             | Tsk23 | [50, 50]     | 0      | [0, 2]   | 50       | C231  | 4    | [3.4, 4.4] | -     | -
      |      |             |       |              |        |          |          | C232  | 4    | [0.2, 0.4] | mux22 | -
      |      |             | Tsk24 | [50, 50]     | 16     | [0, 0]   | 50       | C241  | 5    | [4.7, 6.1] | -     | -
      |      |             |       |              |        |          |          | C242  | 5    | [0.1, 0.3] | mux22 | -
A3    | T3   | 1           | Tsk31 | [80, 80]     | 2      | [0, 0]   | 80       | C311  | 2    | [3.6, 4.8] | -     | -
      |      |             | Tsk32 | [100, ∞)     | 15     | [0, 0]   | 100      | C321  | 3    | [0.4, 0.5] | -     | -
A4    | T4   | 1           | Tsk41 | [100, 100]   | 0      | [0, 2.5] | 100      | C411  | 2    | [3.4, 4.2] | -     | -
      |      |             |       |              |        |          |          | C412  | 2    | [0.8, 1.4] | mux41 | -
      |      |             | Tsk42 | [200, ∞)     | 10     | [0, 0]   | 200      | C421  | 3    | [0.4, 0.5] | -     | -
      |      |             |       |              |        |          |          | C422  | 3    | [0.2, 0.3] | mux41 | -
A5    | T5   | 1           | Tsk51 | [200, 200]   | 10     | [0, 0]   | 200      | C511  | 2    | [1.2, 1.6] | -     | -
      |      |             | Tsk52 | [400, ∞)     | 3      | [0, 0]   | 400      | C521  | 3    | [3.6, 4.8] | -     | -
      |      |             | Tsk53 | [1000, 1000] | 0      | [0, 2]   | 1000     | C531  | 4    | [3.0, 4.0] | -     | -
Table 5.1. Case study without inter-application communications: modified version of the workload of [34]. Changes of task parameters are highlighted in bold and times are expressed in ms.
5.1.1.1 Workload structure
We partition the workload of [34] in 5 applications A1, A2, A3, A4, and A5,
which are exclusively assigned a time-slot of length of 3, 4, 1, 1, and 1 ms,
respectively. Within each application, higher levels of priority are assigned
to tasks with lower values of period or minimum inter-release time following
a kind of Rate Monotonic ordering, e.g., Tsk11, Tsk12, Tsk13, and Tsk14 of
A1 are assigned priority level 2, 3, 4, and 5, respectively. On the one hand,
as shown in Table 5.1, we partially reduce the workload complexity with
respect to [62] by rounding periods of 52 and 55 ms down to 50 ms. On the
other hand, and with much more impact, we actually increase the original
complexity of the workload of [62] in various aspects to stress practical limits
of our approach and tools:
• 7 tasks are assigned an offset, e.g., Tsk13 is assigned an offset of 10 ms;
• 6 tasks are assigned a jitter, e.g., Tsk12 is assigned a jitter interval of
[0, 1] ms;
• periodic tasks of [34] that were aperiodic in the original workload of
[62] are here modeled as sporadic tasks, with minimum inter-release
time coincident with the deadline, e.g., Tsk14 is periodic with period
of 40 ms in [34] and is modeled here as a sporadic task;
• the deterministic Execution Time d of every task is replaced with the
non-deterministic interval [0.6 d, 0.8 d], e.g., Tsk11 has an Execution
Time of 1 ms in the workload of [34], which is replaced here by the
interval [0.6, 0.8] ms;
• semaphore and mailbox synchronizations are added on the basis of
task functional responsibilities: in particular, three binary semaphores
named mux21, mux22, and mux31 are used to synchronize Tsk21 and
Tsk22, Tsk23 and Tsk24, and Tsk41 and Tsk42, respectively, to share
flight data, images to be displayed, and weapon trajectory, respectively;
a mailbox mbx11 is used by Tsk13 (sender) and Tsk12 (receiver) to
exchange data about target tracking.
Note that changes in task parameters reduce the maximum processor uti-
lization from 0.975 to 0.780, which is indeed necessary to make the workload
actually schedulable under FP local scheduling.
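As an added sanity check that is not part of the thesis's analysis, the following Python transcribes the parameters of Table 5.1 that matter for processor bandwidth and verifies, per application, that the worst-case utilization of its task-set does not exceed the fraction of the Global Scheduler period granted by its time-slot. Under a TDM Global Scheduler this is only a necessary condition for the deadlines to be met (the thesis establishes schedulability through state-space analysis); the data structures and function names are assumptions of the example, and the numbers are read from the table with minimum inter-release time used for sporadic tasks.

```python
from fractions import Fraction
from typing import Dict, List, NamedTuple


class Task(NamedTuple):
    app: str
    name: str
    min_release: int        # period, or minimum inter-release time of a sporadic task (ms)
    chunk_wcet: List[str]   # upper bound of each chunk's Execution Time (ms), as decimal strings


# Slot lengths of the TDM Global Scheduler, one slot per application (Table 5.1, ms).
SLOT_LENGTH: Dict[str, int] = {"A1": 3, "A2": 4, "A3": 1, "A4": 1, "A5": 1}

# Task parameters transcribed from Table 5.1 (only the fields this check uses).
WORKLOAD: List[Task] = [
    Task("A1", "Tsk11", 10, ["0.8"]),
    Task("A1", "Tsk12", 40, ["1.2", "0.4"]),
    Task("A1", "Tsk13", 40, ["2.3", "0.9"]),
    Task("A1", "Tsk14", 40, ["1.4", "0.2"]),
    Task("A2", "Tsk21", 40, ["0.3", "0.5"]),
    Task("A2", "Tsk22", 50, ["6.1", "0.3"]),
    Task("A2", "Tsk23", 50, ["4.4", "0.4"]),
    Task("A2", "Tsk24", 50, ["6.1", "0.3"]),
    Task("A3", "Tsk31", 80, ["4.8"]),
    Task("A3", "Tsk32", 100, ["0.5"]),
    Task("A4", "Tsk41", 100, ["4.2", "1.4"]),
    Task("A4", "Tsk42", 200, ["0.5", "0.3"]),
    Task("A5", "Tsk51", 200, ["1.6"]),
    Task("A5", "Tsk52", 400, ["4.8"]),
    Task("A5", "Tsk53", 1000, ["4.0"]),
]


def scheduler_period() -> int:
    """Period P of the TDM Global Scheduler: the sum of all slot lengths (10 ms)."""
    return sum(SLOT_LENGTH.values())


def worst_case_utilization(app: str) -> Fraction:
    """Sum over the tasks of `app` of (sum of chunk WCETs) / minimum inter-release
    time, computed exactly with Fractions to avoid rounding noise."""
    total = Fraction(0)
    for t in WORKLOAD:
        if t.app == app:
            total += sum(Fraction(w) for w in t.chunk_wcet) / t.min_release
    return total


def slot_share(app: str) -> Fraction:
    """Fraction of the processor granted to `app` by its time-slot."""
    return Fraction(SLOT_LENGTH[app], scheduler_period())


def bandwidth_check() -> Dict[str, bool]:
    """Necessary condition per application: worst-case utilization must not
    exceed the slot share, otherwise the task-set cannot be schedulable."""
    return {app: worst_case_utilization(app) <= slot_share(app) for app in SLOT_LENGTH}


if __name__ == "__main__":
    for app in SLOT_LENGTH:
        u, s = worst_case_utilization(app), slot_share(app)
        print(f"{app}: utilization {float(u):.3f} <= slot share {float(s):.3f} -> {u <= s}")
```

The check passes for all five applications of Table 5.1, with $A_2$ the closest to its slot share (0.372 against 0.4); a negative outcome for any application would rule out schedulability before any state-space enumeration is attempted.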
5.1.1.2 Results of the analysis
Architectural verification enumerates in less than 7 minutes 16470, 13684,
5099, 9269, and 63679 state-classes for A1, A2, A3, A4, and A5, respectively,
covered by 108, 166, 30, 75, and 48 markings, respectively. Selection and
timeliness analysis of task symbolic runs require approximately 265, 105, 5, 3,
and 40 minutes for A1, A2, A3, A4, and A5, respectively. This proves that all
deadlines are met and enables direct derivation of a number of relevant quan-
titative metrics. For instance, this provides a quantitative measure of the
minimum laxity, e.g., Tsk11, Tsk12, Tsk13, and Tsk14 have a [BCCT,WCCT]
interval equal to [0.6, 0.8], [20.8, 31.2], [13.0, 30.8], and [2.8, 29.8] ms, respec-
tively, which corresponds to a laxity of 4.2, 8.8, 9.2, and 10.2 ms, respectively.
5.1.2 A case study with inter-application communications
In [37], various workloads obtained from a real-time avionic system pro-
vide notable benchmarks for ARINC-653 [6] partitions. These workloads are
specified as a set of single-processor applications made of periodic tasks with
assigned period, deadline, and deterministic Execution Time. In particular,
workloads 1 and 2 include tasks with non-zero offset but zero jitter, while
workloads 3 through 7 include tasks with non-zero jitter but zero offset.
In [37], resource-model-based techniques [68], [40], [82], [35] are extended
into a compositional approach that supports both automated scheduling of
ARINC-653 partitions including tasks with non-zero offset and generation of
a static partition level schedule. In particular, offsets and jitters are used
to abstract end-to-end latency bounds on inter-application communications.
We address a case study that increases the original complexity of a workload of [37] far beyond the usual limits demonstrated in state-space analysis tools. On the one hand, with respect to [37], the method proposed in this thesis does not support automated generation of a partition schedule. On the other hand, the approach is able to guarantee exact verification of intra-application constraints for tasks having a non-deterministic Execution Time, providing a quantitative measure of the latency with which deadlines are attained. Moreover, in our approach, offsets and jitters account for temporal variations in the arrival process of tasks, while intra- and inter-application interactions are explicitly accounted for in the model through semaphore/mailbox synchronizations and RI constraints, respectively.
5.1.2.1 Workload structure
| Appl. | Slot | Slot length | Task | Release | Offset | Jitter | Deadline | Chunk | Prio | Exec. Time | Sem | Mbx |
|-------|------|-------------|------|---------|--------|--------|----------|-------|------|------------|-----|-----|
| A1 | T1 | 5 | Tsk11 | [25, 25] | 2 | [0, 0] | 25 | C111 | 2 | [0.8, 1.3] | - | - |
| | | | | | | | | C112 | 2 | [0.1, 0.2] | - | - |
| | | | Tsk*12 | [50, 50] | 3 | [0, 0] | 50 | C121 | 3 | [0.2, 0.4] | - | - |
| | | | Tsk13 | [50, 50] | 3 | [0, 0] | 50 | C131 | 4 | [2.7, 4.2] | - | - |
| | | | Tsk*14 | [50, 50] | 0 | [0, 0] | 50 | C141 | 5 | [0.1, 0.2] | mux11 | - |
| | | | Tsk*15 | [120, ∞) | 0 | [0, 0] | 120 | C151 | 6 | [0.6, 0.9] | - | - |
| | | | | | | | | C152 | 6 | [0.1, 0.2] | mux11 | - |
| A2 | T2 | 5 | Tsk21 | [50, 50] | 0 | [0, 0.5] | 50 | C211 | 2 | [1.9, 3.0] | - | - |
| | | | Tsk*22 | [50, 50] | 2 | [0, 0] | 50 | C221 | 3 | [0.7, 1.1] | - | - |
| | | | Tsk*23 | [100, 100] | 0 | [0, 0] | 100 | C231 | 4 | [0.1, 0.2] | mux21 | - |
| | | | Tsk*24 | [100, ∞) | 10 | [0, 0] | 100 | C241 | 5 | [0.8, 1.3] | - | - |
| | | | | | | | | C242 | 5 | [0.2, 0.3] | mux21 | - |
| A3 | T3 | 5 | Tsk*31 | [25, 25] | 0 | [0, 0.5] | 25 | C311 | 2 | [0.5, 0.8] | - | - |
| | | | Tsk*32 | [50, 50] | 0 | [0, 0] | 50 | C321 | 3 | [0.7, 1.1] | - | - |
| | | | Tsk33 | [50, 50] | 0 | [0, 0] | 50 | C331 | 4 | [1.0, 1.6] | - | - |
| | | | Tsk*34 | [100, ∞) | 11 | [0, 0] | 100 | C341 | 5 | [0.7, 1.0] | - | - |
| | | | | | | | | C342 | 5 | [0.1, 0.3] | - | - |
| A4 | T4 | 5 | Tsk41 | [25, 25] | 3 | [0, 0.2] | 25 | C411 | 2 | [0.7, 1.2] | - | - |
| | | | Tsk42 | [50, 50] | 5 | [0, 0] | 50 | C421 | 3 | [1.2, 1.9] | - | - |
| | | | Tsk*43 | [50, 50] | 25 | 0 | 50 | C431 | 4 | [0.1, 0.2] | - | - |
| | | | Tsk44 | [100, 100] | 11 | [0, 0] | 100 | C441 | 5 | [0.7, 1.1] | - | - |
| | | | Tsk45 | [200, 200] | 13 | [0, 0] | 200 | C451 | 6 | [3.7, 5.8] | - | - |
| A5 | T5 | 5 | Tsk*51 | [50, 50] | 0 | [0.1, 0.3] | 50 | C511 | 1 | [0.7, 1.1] | - | - |
| | | | Tsk52 | [50, 50] | 2 | [0, 0] | 50 | C521 | 2 | [1.2, 1.9] | - | - |
| | | | Tsk*53 | [200, 200] | 0 | [0, 0] | 200 | C531 | 3 | [0.4, 0.6] | - | - |
| | | | | | | | | C532 | 3 | [0.2, 0.3] | mux51 | - |
| | | | Tsk54 | [200, ∞) | 14 | [0, 0] | 200 | C541 | 4 | [1.4, 2.2] | - | - |
| | | | | | | | | C542 | 4 | [0.1, 0.2] | mux51 | - |
Table 5.2. Case study with inter-application communications: Modified version
of the workload 1 of [37]. Changes of task parameters are highlighted in bold;
additional tasks are starred; times are expressed in ms.
We successfully applied our approach to schedule the heavily loaded workload 3 of [37], which is composed of 34 periodic tasks with non-zero jitter allocated to 10 applications. We consider here a modified version of the medium-loaded workload 1 of [37], which is expressly stressed to test the limits of applicability of the approach. The workload is made of 10 periodic tasks allocated to 5 applications, each running within a time-slot of length 5 ms, with 8 of the tasks having non-zero offset. The modified version is shown in Table 5.2, where higher levels of priority are assigned to tasks with lower values of period or minimum inter-release time:
• 2 periodic tasks are assigned a jitter, e.g., Tsk21 is assigned a jitter
interval of [0, 0.5] ms;
• the deterministic Execution Time d of every task is replaced by the
non-deterministic interval [0.7 d, 1.1 d], e.g., Tsk11 has an Execution
Time of 1.4 ms in the workload of [37], which is replaced here by the
interval [0.9, 1.5] ms;
• 9 periodic and 3 sporadic tasks having non-deterministic Execution Time are added to the workload, with 5 of them having non-zero offset and 2 of them having non-zero jitter, e.g., periodic tasks Tsk12 and Tsk14 and sporadic task Tsk15 are added to A1;
• a binary semaphore shared between a pair of tasks is added to 3 applications, e.g., tasks Tsk14 and Tsk15 of A1 are synchronized on binary semaphore mux11.
Note that changes in task parameters and the addition of tasks increase the
maximum processor utilization from 0.378 to 0.571.
5.1.2.2 Inter-application interactions
To show the extent of viability of the proposed approach, we extend the core
of [37] with message-passing interactions among applications assuming that
A1 and A2 are senders, A3 is a receiver, A4 and A5 are both senders and
receivers. More specifically (see Fig. 5.1):
• A1, A2, A4, and A5 send messages through tasks Tsk12, Tsk22, Tsk42, and Tsk52, respectively, on writing ports out12, out22, out42, and out52, respectively, which are associated with writing transitions t122, t222, t427, and t522, respectively.
• A3 receives messages from A1, A2, and A4 through tasks Tsk31, Tsk32, and Tsk33, respectively, from reading ports in31, in32, and in33, respectively, which are associated with reading transitions tin31, tin32, and tin33, respectively. In particular, transitions t315, t325 and t335 model the processing of a message from A1, A2, and A4, respectively.
• A4 receives messages from A1 and A5 through tasks Tsk42 and Tsk43, respectively, from reading ports in42 and in43, respectively, which are associated with reading transitions tin42 and tin43, respectively. In particular, transitions t426 and t436 model the processing of a message from A1 and A5, respectively.
• A5 receives messages from A1 and A2 through tasks Tsk51 and Tsk52, respectively, from reading ports in51 and in52, respectively, which are associated with reading transitions tin51 and tin52, respectively. In particular, transitions t515 and t525 model the processing of a message from A1 and A2, respectively.
[Figure 5.1 (diagram not reproduced): pTPN fragments of applications A1 to A5. The writing transitions t122 (chunk C121), t222 (chunk C221), t427 (chunk C421), and t522 (chunk C521) feed the writing ports out12, out22, out42, and out52; the reading places Pin31, Pin32, Pin33 of A3, Pin42, Pin43 of A4, and Pin51, Pin52 of A5 receive from the reading ports in31, in32, in33, in42, in43, in51, in52 through the reading transitions tin31, tin32, tin33, tin42, tin43, tin51, tin52.]
Figure 5.1. Case study with inter-application communications: a scheme illus-
trating message-passing interactions.
Receiver applications A3, A4, and A5 are associated with an RI. The RI of
A5 shown in Table 5.3 prescribes that: i) after the beginning of execution, a message either from A1 or A2 must arrive within [50, 55] ms and [55, 60] ms,
respectively; ii) the arrival of a message from A1 and the completion of its
processing do not affect the expectancy about the next arrival of a message
from A2, and vice-versa; iii) it is never the case that two subsequent messages
from A1 arrive without an intermediate message from A2 or the completion
of a message processing (either from A1 or A2), and vice-versa; iv) after the
processing of a message from A1 or A2, the next message from A1 and A2
is constrained to arrive within [30, 35] ms and [32.5, 37.5] ms, respectively.
Note that message flows from A1 to A5 and from A2 to A5 do not directly
affect each other, identifying two independent communication channels.
| RI of A5 | init (t*) | msg from A1 (tin51) | msg from A2 (tin52) | proc. msg from A1 (t515) | proc. msg from A2 (t525) |
|----------|-----------|---------------------|---------------------|--------------------------|--------------------------|
| msg from A1 (tin51) | [50, 55] | (∞, ∞) | continue | [30, 35] | continue |
| msg from A2 (tin52) | [55, 60] | continue | (∞, ∞) | continue | [32.5, 37.5] |

Table 5.3. Case study with inter-application communication: the RI of A5.
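As an added example (not code from the thesis), the following Python replays a timed event trace against the RI of A5 transcribed from Table 5.3, using the reading given in the text: an interval entry re-arms the expected time of the row event when the column event fires, "continue" leaves it untouched, and (∞, ∞) means the row event must not occur next. The traces are constructed, not taken from the case study.

```python
"""Added example, not thesis code: replaying a timed event trace against the
Required Interface of A5 (Table 5.3), read as the text describes it."""
INF = float("inf")
CONTINUE = "continue"
NEVER = (INF, INF)   # the (∞, ∞) entry: the row event must not occur next

# Table 5.3 transcribed: rows are the reading transitions of A5 whose
# arrival is constrained; columns are the events that condition them.
# An interval entry re-arms the row event's timer when the column event
# fires; 'continue' leaves the timer untouched; NEVER disarms it.
RI_A5 = {
    "tin51": {"t*": (50, 55), "tin51": NEVER, "tin52": CONTINUE,
              "t515": (30, 35), "t525": CONTINUE},
    "tin52": {"t*": (55, 60), "tin51": CONTINUE, "tin52": NEVER,
              "t515": CONTINUE, "t525": (32.5, 37.5)},
}


def check_trace(ri, trace):
    """Replay trace = [(time, event), ...] (time-ordered) against an RI table.

    Returns a list of (time, event, reason) violations; [] means every
    constraint of the RI held along the trace."""
    # per row event: None = disarmed (its firing now is a violation), or
    # (t_ref, b, w) = expected within [t_ref + b, t_ref + w]
    armed = {row: None for row in ri}
    violations = []
    for t, ev in trace:
        # a window that closed before this instant without its event was missed
        for row, state in list(armed.items()):
            if state is not None and t > state[0] + state[2]:
                violations.append((t, row, "expected by %g, not seen" % (state[0] + state[2])))
                armed[row] = None
        # the observed event, if constrained, must be armed and not early
        if ev in ri:
            state = armed[ev]
            if state is None:
                violations.append((t, ev, "not expected here"))
            elif t < state[0] + state[1]:
                violations.append((t, ev, "earlier than %g" % (state[0] + state[1])))
        # the observed event (re)sets the timers of the row events
        for row, entries in ri.items():
            entry = entries.get(ev, CONTINUE)  # events outside the table do not condition it
            if entry != CONTINUE:
                armed[row] = None if entry == NEVER else (t, entry[0], entry[1])
    return violations


# Constructed traces (times in ms): one respecting the RI; one with two A1
# messages without intermediate processing (forbidden by point iii); one where
# the A1 message re-armed by t515 arrives after its [30, 35] window.
VALID_TRACE = [(0, "t*"), (52, "tin51"), (53, "t515"), (57, "tin52"),
               (58, "t525"), (85, "tin51"), (86, "t515"), (92, "tin52")]
DOUBLE_A1_TRACE = [(0, "t*"), (52, "tin51"), (54, "tin51")]
LATE_A1_TRACE = [(0, "t*"), (52, "tin51"), (53, "t515"), (57, "tin52"),
                 (58, "t525"), (90, "tin51")]

if __name__ == "__main__":
    for name, trace in [("valid", VALID_TRACE), ("double A1", DOUBLE_A1_TRACE),
                        ("late A1", LATE_A1_TRACE)]:
        print(name, check_trace(RI_A5, trace))
```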
The RI of A4 shown in Table 5.4 prescribes that: i) after the beginning
of execution, a message from A1 is supposed to arrive neither sooner than
50 ms nor later than 55 ms and no message from A5 must arrive; ii) it is
never the case that two subsequent messages from A1 arrive or a message
from A1 arrives after a message from A5 or the completion of processing
of a message from A1 without the intermediate completion of processing of
a message from A5; iii) it is never the case that two subsequent messages
from A5 arrive or a message from A5 arrives after a message from A1 or
the completion of processing of a message from A5 without the intermediate
completion of processing of a message from A1; iv) when a message from A1
has been processed, a message from A5 is expected to arrive within [3.5, 6.5]
ms; v) when a message from A5 has been processed, a message from A1
is expected to arrive within [8, 14] ms. Note that constraints (iv) and (v)
condition the arrival of messages from A1 to the completion of processing of
messages from A5, and vice-versa, making the flows of messages from A1 to A4 and from A5 to A4 two dependent communication channels.
| RI of A4 | init (t*) | msg from A1 (tin42) | msg from A5 (tin43) | proc. msg from A1 (t426) | proc. msg from A5 (t436) |
|----------|-----------|---------------------|---------------------|--------------------------|--------------------------|
| msg from A1 (tin42) | [50, 55] | (∞, ∞) | (∞, ∞) | (∞, ∞) | [8, 14] |
| msg from A5 (tin43) | (∞, ∞) | (∞, ∞) | (∞, ∞) | [3.5, 6.5] | (∞, ∞) |

Table 5.4. Case study with inter-application communication: the RI of A4.
The RI of A3 shown in Table 5.5 prescribes that: i) after the beginning
of execution, a message either from A1 or A4 is supposed to arrive within
[50, 55] ms and [65, 70] ms, respectively, and no message from A2 must arrive;
ii) after the arrival of a message from A1, a message from A2 is expected to
arrive within [5, 10] ms; iii) the arrival of a message from A1 or A2 and
the completion of processing of a message from A2 do not condition the
expectancy about the next arrival of a message from A4; iv) the arrival and
the completion of processing of a message from A4 do not condition the next
arrival of messages from A1 and A2; v) it is never the case that two subsequent
messages from A1 arrive or a message from A1 arrives after a message from A2
without the intermediate arrival of a message from A4 or the intermediate
completion of a message processing (either from A2 or A4); vi) it is never
the case that two subsequent messages from A2 arrive or a message from
A2 arrives after the completion of processing of a message from A2 without
the intermediate arrival of a message from A1 or A4 or the completion of
processing of a message from A4; vii) it is never the case that two subsequent
messages from A4 arrive without the intermediate arrival of a message from
A1 or A4 or the intermediate completion of processing of a message (either
from A2 or A4); viii) after the completion of processing of a message from
A2, a message from A1 is supposed to arrive within [40, 45] ms; ix) after
the completion of processing of a message from A4, a message from A4 is
supposed to arrive within [2, 7] ms. Note that the flows of messages from A1 to A3 and from A2 to A3 are two dependent communication channels, while the flow of messages from A4 to A3 is independent of both of them.
| RI of A3 | init (t*) | msg from A1 (tin31) | msg from A2 (tin32) | msg from A4 (tin33) | proc. msg from A2 (t325) | proc. msg from A4 (t335) |
|----------|-----------|---------------------|---------------------|---------------------|--------------------------|--------------------------|
| msg from A1 (tin31) | [50, 55] | (∞, ∞) | (∞, ∞) | continue | [40, 45] | continue |
| msg from A2 (tin32) | (∞, ∞) | [5, 10] | (∞, ∞) | continue | (∞, ∞) | continue |
| msg from A4 (tin33) | [65, 70] | continue | continue | (∞, ∞) | continue | [2, 7] |

Table 5.5. Case study with inter-application communication: the RI of A3.
5.1.2.3 Results of the analysis
State-space analysis enumerates in less than 5 minutes 46758, 4557, 33902,
1087, and 33224 state-classes for A1, A2, A3, A4, and A5, respectively, covered
by 151, 124, 863, 300, and 472 reachable markings, respectively, with no
token accumulation in any place. Selection of task symbolic runs and their
timeliness analysis require nearly 30, 18, 105, 367, and 30 minutes for A1,
A2, A3, A4, and A5, respectively. In particular, Tsk21 has the lowest number
of paths, i.e., 1343, which are analyzed in approximately 4 min, while Tsk45
has the highest number of paths, i.e., 6193722, which are analyzed in nearly
360 minutes. Timeliness analysis provides tight values for the BCCT and the WCCT of each task, guaranteeing that all deadlines are met and quantifying the minimum laxity with which they are met. For instance, Tsk11, Tsk12, Tsk13, Tsk14, and Tsk15 have a [BCCT, WCCT] interval equal to [2.9, 3.5], [3.3, 3.9], [27.9, 29.6], [0.1, 0.4], and [3.6, 48.9] ms, respectively, which correspond to a laxity of 21.5, 46.1, 20.0, 49.6, and 71.1 ms, respectively.
Verification of RI constraints performs timeliness analysis of 3616760 paths in approximately 4 hours, proving that all requirements are satisfied. For instance, verification of $FI^s_{RI_{A_4}}$(tin43, t426) requires selection and timeliness analysis of all symbolic runs ρ(t426, tgs4) in the state-space of A4 that start with the firing of t426 and end with the firing of tgs4, and all symbolic runs ρ(tgs4, t513) in the state-space of A5 that start with the firing of tgs4 and end with the firing of t513. This enumerates 23 and 59174 symbolic runs for ρ(t426, tgs4) and ρ(tgs4, t513), respectively, in nearly 5 seconds and 2 minutes, respectively, providing a [BCCT, WCCT] interval of [1.9, 3.1] and [1.9, 3.0] ms, respectively. This results in a safe bound of [3.6, 6.1] ms for $FI^s_{RI_{A_4}}$(tin43, t426), which satisfies the RI of A4 requirement of [3.5, 6.5] ms.
Chapter 6: Conclusions

6.1 Conclusions
Hierarchical Scheduling is gaining importance as a technology that enables
the integration of multiple applications on a single platform, providing re-
source partitioning, reduction of complexity, and confinement of failure modes.
This thesis proposes a compositional approach that leverages the HS structure to support, in a viable manner, schedulability analysis of complex real-time systems running under a TDM Global Scheduler and preemptive FP Local Schedulers. To this end, we extend and combine the approach of [22] for modular validation of reactive timed systems and the technique of [21], [20] for timeliness analysis of real-time preemptive systems. In principle, the extension of the approach of [22] to encompass preemptive systems would be possible, but it would not be practically viable, since the RI should characterize the expected time to each preemption event that an application may undergo. Nevertheless, in the specific setting of HS systems, the assumption of a TDM partitioning makes the approach amenable to extension to
applications running under preemptive FP local scheduling. Each applica-
tion is represented through a separate and structured pTPN model that
accounts for intra-application synchronizations, inter-application communi-
cations, and the TDM temporal partitioning. This supports exact verifica-
tion of intra-application constraints through separate analysis of individual
models and enables the derivation of safe bounds on inter-application constraints through the composition of analysis results. Also, partitioning of a high number of tasks into subsets specified by individual models eases the assignment of task priorities made by the programmer in the design stage.
As a relevant trait, the proposed approach handles complex real-time
systems with non-deterministic temporal parameters, intra-application syn-
chronizations through semaphores and mailboxes, and inter-application com-
munications among periodic tasks through message passing, under the as-
sumption that sporadic tasks have lower priority level than tasks involved
in inter-application communications and are not synchronized either with
them or with higher priority tasks. This attains an expressivity that encom-
passes systems of claimed significance and real complexity, supports agile
specification of design parameters available in the development process of
HS systems, and enables convenient modeling of the usual patterns of real-
time concurrency [18]. The experimentation addresses two case studies from
the literature on safety-critical avionic systems also extended in complexity,
proving that the approach scales up to the needs of real applicative cases.
The proposed approach can be applied to multi-level scheduling hierar-
chies made of a tree of schedulers where leaf nodes are FP schedulers and
non-leaf nodes are TDM schedulers. In this case, the root scheduler partitions
its period into a number of time-slots and exclusively assigns each of them
to one of its children schedulers, iterating the process until each sub-slot is assigned to a leaf FP scheduler. In doing so, each application is exclusively assigned a number of sub-slots and can thus be analyzed in isolation,
supporting compositional verification of inter-application constraints.
The proposed approach can directly encompass homogeneous multi-processor
HS systems with static processor allocation. In this case, each processor
would be exclusively assigned a TDM Global Scheduler and transitions in
the pTPN model of an application would require a different resource de-
pending on the processor which the application is allocated to. Future work
will include extension to the case of multi-processor systems with dynamic
processor allocation, which could be accomplished by enriching the model
of pTPNs with a concept of resource partitioning that dynamically allocates
portions of one or more resources to system applications.
Implementation and testing activities presented in [25] for HS systems
without inter-application dependencies can be extended to handle inter-
application communications, by adapting the coding process and the decision
algorithm used in conformance testing so as to take RI events into account.
In so doing, the comprehensive model driven approach of [26] could become
applicable to support multiple steps along the development life cycle.
To this end, the approach of [26] provides a strong basis for application
of the proposed technique within a Model Driven Development framework
that covers design, implementation, and testing activities.
Further research will be also directed to apply the expressiveness of Real-
Time Calculus [84] in the representation of inter-/intra-application constraints
to the definition of RIs of system applications.
Appendix A: Theorem Proofs
Theorem 4.1.1: A transition $t_i$ belonging to the model of an application $A_i$ may fire during time-slot $T_h$, which we write $t_i \Downarrow T_h$, iff the state-space of $A_i$ contains a symbolic run that: starts with $t_{gs_{h-1}}$; includes $t_i$; and ends up with $t_{gs_h}$.

Proof: If $t_i$ fires during $T_h$ at time $\tau(t_i)$, then $\tau(t_{gs_{h-1}}) \le \tau(t_i) \le \tau(t_{gs_h})$. Thus, the pTPN model of $A_i$ admits a behavior where transitions $t_{gs_{h-1}}$, $t_i$, and $t_{gs_h}$ fire in the order $t_{gs_{h-1}} \to \dots \to t_i \to \dots \to t_{gs_h}$. Therefore, the state-space of the pTPN model of $A_i$ includes a symbolic run that starts with $t_{gs_{h-1}}$, includes $t_i$, and ends up with $t_{gs_h}$.

Conversely, if the state-space of $A_i$ contains a symbolic run that starts with $t_{gs_{h-1}}$, includes $t_i$, and ends with $t_{gs_h}$, then the pTPN model of $A_i$ admits a behavior where transitions $t_{gs_{h-1}}$, $t_i$, and $t_{gs_h}$ fire in the order $t_{gs_{h-1}} \to \dots \to t_i \to \dots \to t_{gs_h}$. According to this, $\tau(t_{gs_{h-1}}) \le \tau(t_i) \le \tau(t_{gs_h})$, which means that $t_i$ fires during $T_h$.
Theorem 4.1.2: The duration $\gamma_{ji}$ that elapses between the end of a time-slot during which a transition $t_j \in T^{ts}_{A_v, P_j}$ may fire and the beginning of the subsequent time-slot during which a transition $t_i \in T^{ts}_{A_u, P_i}$ may fire is lower bounded by $\Gamma^{\min}_{ji}$ and upper bounded by $\Gamma^{\max}_{ji}$:

$$\Gamma^{\min}_{ji} = \min_{\langle T^r_k, T^q_h\rangle \in W_{ij}} \Big( \sum_{z \in I_{kh}} \Delta_z + P\,(q - r - \phi_{kh}) \Big), \qquad \Gamma^{\max}_{ji} = \max_{\langle T^r_k, T^q_h\rangle \in W_{ij}} \Big( \sum_{z \in I_{kh}} \Delta_z + P\,(q - r - \phi_{kh}) \Big), \tag{A.1}$$

where:

$$I_{kh} = \begin{cases} \{ z \in \mathbb{N}_{>0} \mid k+1 \le z \le h-1 \} & \text{if } k < h, \\ \emptyset & \text{if } k = h, \\ \{ z \in \mathbb{N}_{>0} \mid k+1 \le z \le M \ \lor\ 1 \le z \le h-1 \} & \text{if } k > h, \end{cases} \tag{A.2}$$

and

$$\phi_{kh} = \begin{cases} 0 & \text{if } k \le h \wedge r \le q, \\ 1 & \text{if } k > h \wedge r < q, \\ -\dfrac{\Pi_{ij}}{P} & \text{if } k < h \wedge r > q, \\ 1 - \dfrac{\Pi_{ij}}{P} & \text{if } k \ge h \wedge r \ge q. \end{cases} \tag{A.3}$$
Proof: To encompass all patterns according to which the tasks of $t_i$ and $t_j$ mutually release jobs, any pair of time-slots $\langle T^r_k, T^q_h\rangle \in W_{ij}$ is considered so as to take into account any firing sequence that lasts for a time equal to $\Pi_{ij}$. If $T^r_k$ precedes $T^q_h$, either $k \le h \wedge r \le q$ or $k > h \wedge r < q$, $\forall \langle T^r_k, T^q_h\rangle \in W_{ij}$.
To help the reader, graphical schemes shown in Figs. A.1, A.2, and A.3 illustrate the succession of time-slots that elapse during the execution of a symbolic run $\rho_u \in S^u_{ij}$ and a symbolic run $\rho_v \in S^v_{ij}$ between the end of a time-slot $T^r_k$ during which $t_j$ occurs and the beginning of the subsequent time-slot $T^q_h$ during which $t_i$ occurs. In particular, Fig. A.1 refers to the concrete example where $P_i = 3P$, $P_j = 2P$, $\Pi_{ij} = 6P$, $t_i$ occurs during time-slots $T^1_7$ and $T^4_7$, and $t_j$ occurs during time-slots $T^1_4$, $T^3_4$, and $T^5_4$; Fig. A.2 refers to the general case where $k \le h \wedge r \le q$; and Fig. A.3 refers to the general case where $k > h \wedge r < q$. If $k \le h \wedge r \le q$, then $\gamma_{ji}$ is equal to the duration of the time-slots from $T^r_{k+1}$ to $T^r_{h-1}$ plus the duration of $q - r$ periods of the Global Scheduler, i.e., $\sum_{z=k+1}^{h-1} \Delta_z + P\,(q - r)$. Otherwise, if $k > h \wedge r < q$, then $\gamma_{ji}$ is equal to the duration of the time-slots from $T^r_{k+1}$ to $T^r_M$ plus the duration of the time-slots from $T^{r+1}_1$ to $T^{r+1}_{h-1}$ plus the duration of $q - r - 1$ periods of the Global Scheduler, i.e., $\sum_{z=k+1}^{M} \Delta_z + \sum_{z=1}^{h-1} \Delta_z + P\,(q - r - 1)$.
If $T^q_h$ precedes $T^r_k$, either $k < h \wedge r > q$ or $k \ge h \wedge r \ge q$, $\forall \langle T^r_k, T^q_h\rangle \in W_{ij}$. Specifically, it may be the case that $t_j$ occurs during the $k$-th time-slot of the $r$-th period of a firing sequence of length $\Pi_{ij}$ and $t_i$ occurs during the $h$-th time-slot of the $q$-th period of the subsequent firing sequence of length $\Pi_{ij}$. According to this, $T^q_h$ is replaced by $T^{\,q + \Pi_{ij}/P}_h$ and the proof is reduced to the previous case. In fact, if $k < h \wedge r > q$, then $\gamma_{ji}$ is equal to the duration of the time-slots from $T^r_{k+1}$ to $T^r_{h-1}$ plus the duration of $q + \Pi_{ij}/P - r$ periods of the Global Scheduler, i.e., $\sum_{z=k+1}^{h-1} \Delta_z + P\,(q + \Pi_{ij}/P - r)$. Otherwise, if $k \ge h \wedge r \ge q$, then $\gamma_{ji}$ is equal to the duration of the time-slots from $T^r_{k+1}$ to $T^r_M$ plus the duration of the time-slots from $T^{r+1}_1$ to $T^{r+1}_{h-1}$ plus the duration of $q + \Pi_{ij}/P - r - 1$ periods of the Global Scheduler, i.e., $\sum_{z=k+1}^{M} \Delta_z + \sum_{z=1}^{h-1} \Delta_z + P\,(q + \Pi_{ij}/P - r - 1)$.
Figure A.1. A scheme used in the proof of Theorem 4.1.2 to illustrate: the succession of time-slots elapsed during the execution of a symbolic run $\rho_u \in S^u_{ij}$ and $\rho_v \in S^v_{ij}$; the time-slots during which $t_i$ and $t_j$ occur; and the duration elapsed between the end of a time-slot during which $t_j$ occurs and the beginning of the subsequent time-slot during which $t_i$ occurs. In the concrete example, the scheme assumes that: $P_i = 3P$; $P_j = 2P$; $\Pi_{ij} = 6P$; $t_i$ occurs during time-slots $T^1_7$ and $T^4_7$; and $t_j$ occurs during time-slots $T^1_4$, $T^3_4$, and $T^5_4$.
Figure A.2. A scheme used in the proof of Theorem 4.1.2 to illustrate the time-slots comprised between a pair of time-slots $\langle T^r_k, T^q_h\rangle \in W_{ij}$ when $k \le h \wedge r \le q$.
Figure A.3. A scheme used in the proof of Theorem 4.1.2 to illustrate the time-slots comprised between a pair of time-slots $\langle T^r_k, T^q_h\rangle \in W_{ij}$ when $k > h \wedge q > r$.
Theorem 4.1.3: The duration $\omega_{ji}$ that elapses between the firings of $t_j \in T^{ts}_{A_v, P_j}$ and $t_i \in T^{ts}_{A_u, P_i}$, without any intermediate firing of $t_j$, $t_i$, or a transition appearing in the RI of an application $A_n$ that resets the expected time of $t_i$ or prevents its execution, is lower bounded by $\Omega^{\min}_{ji}$ and upper bounded by $\Omega^{\max}_{ji}$:

$$\Omega^{\min}_{ji} = \min_{k \in [1,M] \,\mid\, t_j \Downarrow T_k} BCET_{\rho(t_j,\, t_{gs_k})} + \Gamma^{\min}_{ji} + \min_{(h-1) \in [1,M] \,\mid\, t_i \Downarrow T_h} BCET_{\rho(t_{gs_{h-1}},\, t_i)}, \qquad \Omega^{\max}_{ji} = \max_{k \in [1,M] \,\mid\, t_j \Downarrow T_k} WCET_{\rho(t_j,\, t_{gs_k})} + \Gamma^{\max}_{ji} + \max_{(h-1) \in [1,M] \,\mid\, t_i \Downarrow T_h} WCET_{\rho(t_{gs_{h-1}},\, t_i)}, \tag{A.4}$$

where: $\rho(t_j, t_{gs_k})$ is a symbolic run in the state-space of $A_v$ that starts with $t_j$, ends up with $t_{gs_k}$, and does not include any intermediate firing of $t_j$, or a transition in the Global Scheduler submodel of $A_v$, or a transition appearing in the RI of $A_n$ that resets the expected time of $t_i$ or prevents its execution; and $\rho(t_{gs_{h-1}}, t_i)$ is a symbolic run in the state-space of $A_u$ that starts with $t_{gs_{h-1}}$, ends up with $t_i$, and does not include any intermediate firing of $t_i$, or a transition in the Global Scheduler submodel of $A_u$, or a transition appearing in the RI of $A_n$ that resets the expected time of $t_i$ or prevents its execution.
Proof: The duration ωji can be split into: the duration λjk that elapses
between the firing of tj and the end of a time-slot Tk during which it may fire;
the duration γji that elapses between the end of a time-slot during which tj
may fire and the beginning of the subsequent time-slot during which ti may
fire; the duration λhi that elapses between the beginning of a time-slot Th
during which ti may fire and the firing of ti. The minimum among the BCETs
and the maximum among the WCETs of symbolic runs ρ(tj, tgsk) over the set
of time slots Tk during which tj may fire comprise tight estimates of λjk; in a
similar manner, the minimum among the BCETs and the maximum among
the WCETs of symbolic runs ρ(tgsh−1 , ti) over the set of time slots Th during
which $t_i$ may fire comprise tight estimates of $\lambda_{hi}$; finally, Theorem 4.1.2 provides safe bounds $\Gamma^{\min}_{ji}$ and $\Gamma^{\max}_{ji}$ for $\gamma_{ji}$. According to this, $\Omega^{\min}_{ji}$ and $\Omega^{\max}_{ji}$ comprise safe bounds for $\omega_{ji}$. Note that $\Omega^{\min}_{ji}$ and $\Omega^{\max}_{ji}$ are bounds not only because $\Gamma^{\min}_{ji}$ and $\Gamma^{\max}_{ji}$ are bounds but also because the concurrent execution of system applications may prevent some combinations of the Execution Times of $\rho(t_j, t_{gs_k})$ and $\rho(t_{gs_{h-1}}, t_i)$. For instance, they may never both attain their BCET.
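As an added worked example (not code from the thesis), the following Python computes the inter-slot gap bounds of Theorem 4.1.2 (eqs. A.1 to A.3) and the $\Omega$ bounds of Theorem 4.1.3 (eq. A.4) in the setting of Fig. A.1, and applies the containment check $[\Omega^{\min}_{ji}, \Omega^{\max}_{ji}] \subseteq [b, w]$ used in the proof of Theorem 4.1.4. The slot durations $\Delta_z$, the BCET/WCET values of the boundary runs and the RI interval are assumptions; pairs with $k = h$ and $r = q$ are excluded from $W_{ij}$ by assumption, and $\phi_{kh}$ follows the two branches of the proof.

```python
"""Added worked example for Theorems 4.1.2 and 4.1.3: inter-slot gap bounds
Gamma (A.1-A.3) and Omega bounds (A.4) on constructed data; not thesis code."""
from fractions import Fraction
from itertools import product


def slot_gap(k, r, h, q, deltas, big_pi):
    """gamma_ji for one pair <T^r_k, T^q_h> of W_ij: the time from the end of
    slot k in period r (where t_j fires) to the start of slot h in period q
    (where t_i fires), within a firing sequence of length big_pi = Pi_ij.

    deltas[z-1] is Delta_z, the (integer) duration of the z-th time-slot,
    so the Global Scheduler period is P = sum(deltas) and M = len(deltas)."""
    M, P = len(deltas), sum(deltas)
    if (r, k) == (q, h):
        raise ValueError("a slot paired with itself is excluded here (assumption)")
    # I_kh (A.2): slots strictly between k and h, wrapping past M when k > h
    if k < h:
        between = range(k + 1, h)
    elif k == h:
        between = range(0)
    else:
        between = [*range(k + 1, M + 1), *range(1, h)]
    slots = sum(deltas[z - 1] for z in between)
    # phi_kh (A.3), following the two branches of the proof: either T^r_k
    # precedes T^q_h in the sequence, or t_i's slot lies in the next sequence
    # of length Pi_ij, which shifts the period index q by Pi_ij / P
    if (r, k) < (q, h):
        phi = 0 if k <= h else 1
    else:
        phi = -Fraction(big_pi, P) if k < h else 1 - Fraction(big_pi, P)
    return slots + P * (q - r - phi)


def gamma_bounds(W, deltas, big_pi):
    """Gamma^min_ji and Gamma^max_ji (A.1) over the slot pairs W_ij,
    given as ((k, r), (h, q)) tuples."""
    gaps = [slot_gap(k, r, h, q, deltas, big_pi) for (k, r), (h, q) in W]
    return min(gaps), max(gaps)


def omega_bounds(runs_j, runs_i, gamma_min, gamma_max):
    """Omega^min_ji and Omega^max_ji (A.4).

    runs_j maps each slot index k with t_j fired in T_k to the (BCET, WCET)
    of the run rho(t_j, t_gs_k); runs_i maps each h with t_i fired in T_h to
    the (BCET, WCET) of rho(t_gs_{h-1}, t_i)."""
    o_min = min(b for b, _ in runs_j.values()) + gamma_min \
        + min(b for b, _ in runs_i.values())
    o_max = max(w for _, w in runs_j.values()) + gamma_max \
        + max(w for _, w in runs_i.values())
    return o_min, o_max


def satisfies(omega, constraint):
    """Containment check from the proof of Theorem 4.1.4: the bound
    [Omega^min, Omega^max] must lie inside the RI interval [b, w]."""
    b, w = constraint
    return b <= omega[0] and omega[1] <= w


# Constructed data in the setting of Fig. A.1: M = 8 slots with P = 25,
# Pi_ij = 6P, t_j fires in T^1_4, T^3_4, T^5_4 and t_i in T^1_7, T^4_7.
DELTAS = [2, 3, 4, 3, 2, 4, 3, 4]
P = sum(DELTAS)                     # 25
PI_IJ = 6 * P                       # 150
W_IJ = list(product([(4, 1), (4, 3), (4, 5)], [(7, 1), (7, 4)]))


def example():
    """Gamma and Omega for the constructed data (BCET/WCET values assumed)."""
    g_min, g_max = gamma_bounds(W_IJ, DELTAS, PI_IJ)
    runs_j = {4: (1, 2)}                # rho(t_j, t_gs_4): BCET 1, WCET 2
    runs_i = {7: (Fraction(1, 2), 3)}   # rho(t_gs_6, t_i): BCET 0.5, WCET 3
    return (g_min, g_max), omega_bounds(runs_j, runs_i, g_min, g_max)


if __name__ == "__main__":
    gamma, omega = example()
    print("Gamma = [%s, %s]" % gamma, "Omega = [%s, %s]" % omega)
    print("RI [5, 140] satisfied:", satisfies(omega, (5, 140)))
```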
Theorem 4.1.4: Given a set of N applications A1, A2, ..., AN , if composi-
tional verification performed on Ψ(Ai + RIAi) does not detect any violation
of the assumptions made by RIAj ∀ i, j ∈ {1, 2, ..., N}, then Ψ(Ai)i∈{1,2,...,N}
satisfies the assumptions made by RIAi ∀ i ∈ {1, 2, ..., N}.
Proof: Ab absurdo, we assume that there exists some time $t$ when the first violation of an RI assumption in $\Psi(A_i)_{i \in \{1,2,\dots,N\}}$ occurs for the RI constraint $FI^s_{RI_{A_n}}(t_i, t_j)$. Note that multiple RI assumptions $FI^s_{RI_{A_{x_1}}}(t_{y_1}, t_{z_1}), FI^s_{RI_{A_{x_2}}}(t_{y_2}, t_{z_2}), \dots, FI^s_{RI_{A_{x_H}}}(t_{y_H}, t_{z_H})$ may be broken at the same time if events $t_{z_1}, t_{z_2}, \dots, t_{z_H}$ may fire at the same time. Due to the temporal isolation induced by the TDM Global Scheduler, this may occur if $t_{z_1}, t_{z_2}, \dots, t_{z_H}$ belong to the same application or to two applications that are assigned contiguous time-slots. By construction, the number of events of an application that can be observed by RIs is finite and each of them cannot occur repeatedly with null inter-occurrence time. According to this, the number of violations of RI assumptions that occur at the same time is guaranteed to be finite, and we can fairly take into consideration the first violation.
As RI assumptions of type continue do not pose any constraint on the occurrence of $t_i$ after $t_j$, either $FI^s_{RI_{A_n}}(t_i, t_j) = [b, w] \subseteq \mathbb{R}^+_0 \times (\mathbb{R}^+_0 \cup \{\infty\})$ or $FI^s_{RI_{A_n}}(t_i, t_j) = (\infty, \infty)$. Note that $t_i$ is a writing transition in the Task-Set submodel of some application $A_u \ne A_n$, while $t_j$ may be a writing transition in the Task-Set submodel of some application $A_v \ne A_n$, or some transition in the Task-Set submodel of $A_n$, or the init transition $t^*$ in the RI submodel of $A_n$.
• If $FI^s_{RI_{A_n}}(t_i, t_j) = [b, w]$, a violation occurs if the time elapsed between events $t_j$ and $t_i$ is lower than $b$ or higher than $w$, i.e., if a symbolic run $\rho(t_j, t_i)$ exists in the state-space of $\Psi(A_i)_{i \in \{1,2,\dots,N\}}$ such that: it starts with $t_j$; it ends up with $t_i$; it does not include any intermediate firing of $t_j$, $t_i$, and any transition appearing in $RI_{A_n}$; and $[BCET_{\rho(t_j, t_i)}, WCET_{\rho(t_j, t_i)}] \not\subseteq [b, w]$. Any symbolic run $\rho(t_j, t_i)$ can be decomposed into symbolic runs $\rho(t_j, t_{gs_k})$, $\rho(t_{gs_k}, t_{gs_{h-1}})$, and $\rho(t_{gs_{h-1}}, t_i)$, where indexes $k$ and $h$ refer to the time-slots $T_k$ and $T_h$ during which $t_j$ and $t_i$ occur, respectively.
Symbolic run $\rho(t_{gs_k}, t_{gs_{h-1}})$ is made of a sequence of time-slots $\Theta$ from $T_{k+1}$ to $T_{h-1}$, identified by the firings of transitions of the Global Scheduler submodel, and its Execution Time $\delta$ is the sum of the durations of the time-slots of that sequence. Due to the temporal isolation induced by the TDM Global Scheduler, $\rho(t_j, t_{gs_k})$ and $\rho(t_{gs_{h-1}}, t_i)$ comprise behaviors of the individual applications which $t_j$ and $t_i$ belong to, respectively. Since the violation of $FI^s_{RI_{A_n}}(t_i, t_j)$ is not caused by a previous violation of another RI assumption, these behaviors are represented also in the state-class-graphs of individual application models possibly closed with their RI, admitting $\Theta$ as a feasible sequence of time-slots elapsed between a pair of time-slots in $W_{ij}$. Specifically, a symbolic run $\rho(t_j, t_{gs_k})$ exists in the state-space of either $\Psi(A_v + RI_{A_v})$ or $\Psi(A_n + RI_{A_n})$, and a symbolic run $\rho(t_{gs_{h-1}}, t_i)$ exists in the state-space of $\Psi(A_u + RI_{A_u})$, such that $BCET_{\rho(t_j, t_{gs_k})} + \Gamma^{\min}_{ji} + BCET_{\rho(t_{gs_{h-1}}, t_i)} \le BCET_{\rho(t_j, t_i)}$ and $WCET_{\rho(t_j, t_{gs_k})} + \Gamma^{\max}_{ji} + WCET_{\rho(t_{gs_{h-1}}, t_i)} \ge WCET_{\rho(t_j, t_i)}$. According to this, the bounding interval obtained through Theorem 4.1.3 is $[\Omega^{\min}_{ji}, \Omega^{\max}_{ji}] \not\subseteq [b, w]$ and compositional verification detects a violation of $FI^s_{RI_{A_n}}(t_i, t_j)$, which is not possible by hypothesis.
• If $FI^s_{RI_{A_n}}(t_i, t_j) = (\infty, \infty)$, a violation occurs if $t_i$ fires after $t_j$ without any intermediate firing of any transition appearing in $RI_{A_n}$, i.e., if a symbolic run exists in the state-space of $\Psi(A_i)_{i \in \{1,2,\dots,N\}}$ such that it starts with $t_j$, ends up with $t_i$, and does not include any intermediate firing of $t_j$, $t_i$, and any transition appearing in $RI_{A_n}$. The proof, which is not reported here, goes again ab absurdo and consists in showing that $\rho(t_{gs_k}, t_{gs_{h-1}})$ can be decomposed into a sequence of runs, each comprising a behavior of an individual application. As the violation is not due to a previous violation of an RI assumption, these behaviors are also represented in the state-spaces of individual applications. Also in this case, compositional verification detects a violation of $FI^s_{RI_{A_n}}(t_i, t_j)$, which is not possible by hypothesis.
Appendix B

B.1 The structure of the pTPN submodel of the Required Interface
We show here how the three invariants are satisfied by completing the structure of the RI submodel with the proper addition of places, transitions, and arcs. In particular, each RI constraint has a counterpart in the RI submodel, which makes it possible to guarantee that the model behavior satisfies the constraint.
B.1.1 Invariant Inv1
To guarantee invariant Inv1, at the occurrence of an input event ti after an
event tj, the token is moved from pafter tj to pafter ti (see Fig. B.1). According
to this, ti after j is preconditioned by pafter tj and postconditioned by pafter ti .
[Figure B.1 (pTPN fragment): places pafter tj and pafter ti; transition ti after j.]
Figure B.1. A pTPN fragment modeling the occurrence of an event ti after an
event tj.
Note that a transition ti after j accounts for a reading transition ti ∈ T inA
that fires after a transition tj ∈ T inA ∪ T tsA ∪ {t∗}. According to this, each
transition ti after j can be regarded as an instance of the reading transition
ti ∈ T inA , and, in turn, each reading transition ti ∈ T inA is associated with as
many transitions ti after j as the number of events tj ∈ T inA ∪ T tsA ∪ {t∗} after
which it may fire. To properly integrate the RI submodel with the Task-Set
submodel, each transition ti after j is post-conditioned by the reading place
associated with the reading transition ti ∈ T inA .
If ti ∈ T tsA is a model transition conditioning the environment, ti after j is
also preconditioned by a place pmsg i where a token arrives at the firing of ti
in the Task-Set submodel (see Fig. B.2).
[Figure B.2 (pTPN fragment): places pafter tj, pafter ti and pmsg ti; transition ti after j.]
Figure B.2. A pTPN fragment modeling the occurrence of a model transition
conditioning the environment.
Note that, to properly integrate the RI submodel with the Task-Set sub-
model, each transition ti ∈ T tsA in the Task-Set submodel of application A is
post-conditioned by place pmsg i in the RI submodel of A.
B.1.2 Invariant Inv2
To guarantee invariant Inv2, immediate transitions of the RI submodel re-
quire resource cpu with a higher level of priority than that of any other
transition in the application model. According to this, whenever an event
timer expires or a model transition conditioning the environment fires, timers
of possible subsequent events are updated according to RI constraints.
B.1.3 Invariant Inv3
To guarantee invariant Inv3, we distinguish two cases depending on whether
the expected time of an event ti that may occur after an event tj is reset or
not at the occurrence of tj.
B.1.3.1 Reset of the expected time to the next occurrence of an
event
If an event ti may occur after an event tj and its expected time is reset at
the occurrence of tj, when a token arrives in pafter tj , a token is also added
to every place ppre timer ij associated with any such event ti (see Fig. B.3).
According to this, any transition tj after h is postconditioned by any place
ppre timer ij. The structure of Fig. B.3 results in the following behavior:
when a token arrives in ppre timer ij, transition ttimer ij becomes enabled and,
whenever it comes to fire after the occurrence of tj, the token is moved from
ppre timer ij to ppost timer ij. This enables ti after j which fires immediately.
[Figure B.3 (pTPN fragment): transitions tj after h, ttimer ij and ti after j; places pafter tj, ppre timer ij, ppost timer ij and pafter ti.]
Figure B.3. A pTPN fragment modeling an event ti whose expected time is
reset at the occurrence of an event tj.
The scheme of Fig. B.3 must be extended to account for the existence of
multiple events that may occur after tj and ti. This results in two different
cases:
• If the expected time of some event tk is reset both at the occurrence
of tj and ti, when a token arrives in pafter ti , a token is also removed
from ppre timer kj (see Fig. B.4). According to this, ti after j is also
preconditioned by ppre timer kj.
• If the expected time to the next occurrence of some event tk is reset at
the occurrence of ti but not at the occurrence of the previous event tj,
[Figure B.4 (pTPN fragment): transitions tj after h, ttimer ij, ti after j, ttimer kj and tk after j; places pafter tj, ppre timer ij, ppost timer ij, pafter ti, ppre timer kj, ppost timer kj and pafter tk.]
Figure B.4. A pTPN fragment modeling an event tk whose expected time is
reset at the occurrence of events tj and ti.
when a token arrives in pafter ti and the timer of tk that was reset at
the occurrence of some event tv has not yet expired, then the token in
ppre timer kv is removed (see Fig. B.5). To this end, the model includes:
[Figure B.5 (pTPN fragment): transitions tk after v, ttimer kv, ti after j, ttimer ij, tpre timer stop ijkv, tpre timer reset ij and tpre timer no reset ij; places pafter tk, ppre timer kv, ppost timer kv, pafter ti, ppre timer ij, ppost timer ij, pafter pre timer stop ij and pafter pre timer reset ij.]
Figure B.5. A pTPN fragment modeling an event tk whose expected time is
reset at the occurrence of an event ti but not at the occurrence of an event tj
that may precede ti.
i) two immediate transitions tpre timer reset ij and tpre timer no reset ij; ii)
two places pafter pre timer stop ij and pafter pre timer reset ij; and, iii) an
immediate transition tpre timer stop ijkv for each pair of events tk, tv such
that $FI^s_{RI_A}(t_k, t_i), FI^s_{RI_A}(t_k, t_v) \in \mathbb{R}^+_0 \times (\mathbb{R}^+_0 \cup \{\infty\})$ and
$FI^s_{RI_A}(t_k, t_j) = \mathit{continue}$.
The structure of Fig. B.5 results in the following behavior: if a token
arrives in ppost timer ij when a place ppre timer kv contains a token, then
the corresponding transition tpre timer stop ijkv fires immediately, adding
a token to pafter pre timer stop ij. This enables tpre timer reset ij which fires
immediately, adding a token to pafter pre timer reset ij which, in turn,
enables ti after j. Conversely, if every place ppre timer kv is empty, then
no transition tpre timer stop ijkv is enabled. Therefore, transition
tpre timer no reset ij is enabled and fires immediately, adding a token to
pafter pre timer reset ij.
Note that any transition tpre timer stop ijkv is preconditioned by ppost timer ij
to let it fire only if the timer of ti that was reset after tj has just expired;
the postcondition arc from tpre timer stop ijkv to ppost timer ij is thus nec-
essary to allow the subsequent firings of tpre timer reset ij and ti after j. In
a similar manner, any transition tpre timer no reset ij is preconditioned
by ppost timer ij and inhibited by ppre timer kv, pafter pre timer stop ij, and
pafter pre timer reset ij, to let it fire only if the timer of ti that was reset
after tj has just expired and no timer of tk is active; the postcondition
arc from tpre timer no reset ij to ppost timer ij is thus necessary to allow
the subsequent firing of ti after j.
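As an added illustration, not part of the thesis or of its models, the following Python token game simulates the fragments of Figs. B.3 and B.4: the timers of ti and tk are reset at tj, and the occurrence of ti withdraws the pending timer of tk and restarts it. The RI intervals, the firing delays chosen inside them, the reading places p_read_ti and p_read_tk, and the priority value are constructed sample values; as a simplification of the pTPN semantics the simulator restarts the clock of a newly enabled transition and resolves equal-instant firings by priority.

```python
from dataclasses import dataclass


@dataclass
class Transition:
    name: str
    pre: dict                # input places -> tokens consumed
    post: dict               # output places -> tokens produced
    eft: float = 0.0         # earliest firing time (immediate transitions: [0, 0])
    lft: float = 0.0         # latest firing time
    priority: int = 0        # equal-instant firings go to the higher priority (Inv2)


class TPN:
    """Minimal time Petri net; a newly enabled transition restarts its clock (assumption)."""

    def __init__(self, marking, transitions, delays):
        self.m = dict(marking)
        self.ts = {t.name: t for t in transitions}
        self.delays = delays            # chosen time-to-fire per timed transition, inside [eft, lft]
        self.enabled_at = {}            # transition -> instant at which it was last enabled
        self.now = 0.0
        self.trace = []                 # (time, transition) firing sequence
        self.markings = [dict(self.m)]  # every marking reached, for invariant checks
        self._refresh()

    def is_enabled(self, t):
        return all(self.m.get(p, 0) >= n for p, n in t.pre.items())

    def _refresh(self):
        for t in self.ts.values():
            if self.is_enabled(t):
                self.enabled_at.setdefault(t.name, self.now)  # persistently enabled: clock keeps running
            else:
                self.enabled_at.pop(t.name, None)             # withdrawn timer: clock is discarded

    def fire_time(self, name):
        t = self.ts[name]
        d = self.delays.get(name, t.eft)
        assert t.eft <= d <= t.lft, f"delay of {name} outside [eft, lft]"
        return self.enabled_at[name] + d

    def run(self, max_steps=20):
        """Fire the earliest enabled transition (ties go to the higher priority) until the net is dead."""
        while self.enabled_at and len(self.trace) < max_steps:
            name = min(self.enabled_at, key=lambda n: (self.fire_time(n), -self.ts[n].priority))
            t = self.ts[name]
            self.now = self.fire_time(name)
            for p, n in t.pre.items():
                self.m[p] -= n
            for p, n in t.post.items():
                self.m[p] = self.m.get(p, 0) + n
            self.enabled_at.pop(name)
            self.trace.append((self.now, name))
            self.markings.append(dict(self.m))
            self._refresh()
        return self.trace


def reset_fragment():
    """Figs. B.3/B.4 with constructed RI intervals FI(ti,tj)=[2,4], FI(tk,tj)=[10,12], FI(tk,ti)=[3,5]."""
    RI = 10   # priority of RI immediate transitions, above any Task-Set transition (Inv2)
    return [
        # tj occurs after an earlier event th and resets the timers of ti and tk (Fig. B.3)
        Transition("t_j_after_h", {"p_after_th": 1},
                   {"p_after_tj": 1, "p_pre_timer_ij": 1, "p_pre_timer_kj": 1}, priority=RI),
        Transition("t_timer_ij", {"p_pre_timer_ij": 1}, {"p_post_timer_ij": 1}, eft=2, lft=4),
        Transition("t_timer_kj", {"p_pre_timer_kj": 1}, {"p_post_timer_kj": 1}, eft=10, lft=12),
        # ti after tj: moves the token to p_after_ti (Inv1), feeds the reading place of ti in the
        # Task-Set submodel, withdraws the timer of tk reset at tj and restarts it (Fig. B.4)
        Transition("t_i_after_j", {"p_after_tj": 1, "p_post_timer_ij": 1, "p_pre_timer_kj": 1},
                   {"p_after_ti": 1, "p_read_ti": 1, "p_pre_timer_ki": 1}, priority=RI),
        Transition("t_timer_ki", {"p_pre_timer_ki": 1}, {"p_post_timer_ki": 1}, eft=3, lft=5),
        Transition("t_k_after_i", {"p_after_ti": 1, "p_post_timer_ki": 1},
                   {"p_after_tk": 1, "p_read_tk": 1}, priority=RI),
    ]


def simulate(delay_ij=3.0, delay_ki=4.0, delay_kj=11.0):
    """Run the fragment from the marking where th has just occurred, with chosen timer delays."""
    net = TPN({"p_after_th": 1}, reset_fragment(),
              {"t_timer_ij": delay_ij, "t_timer_ki": delay_ki, "t_timer_kj": delay_kj})
    net.run()
    return net


def inv1_holds(net):
    """Inv1: exactly one token over the p_after_* places in every marking reached."""
    return all(sum(v for p, v in m.items() if p.startswith("p_after_")) == 1 for m in net.markings)
```

With the default delays the run fires tj at 0, ti at 3 and tk at 7, i.e. within FI(tk,ti), while the timer of tk started at tj never expires because ti after j withdrew its token.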
B.1.3.2 Conservation of the expected time to the next occurrence
of an event
If an event ti may occur after an event tj but its expected time is not reset
at the occurrence of tj, the model allows the timer of ti that was reset at
the occurrence of some event tz to expire after the occurrence of tj (see
Fig. B.6). To this end, the model includes a place pafter post timer expiration ij
p after tj
t i after j p after ti
p after tz
t i after zp post timer izt timer izp pre timer iz
t post timer expiration ijz
p after post timer expiration ij
Figure B.6. A pTPN fragment modeling an event ti that may occur after an
event tj although its expected time is not reset at the occurrence of tj .
and an immediate transition tpost timer expiration ijz for each event tz such that
FIsRIA(ti, tz) ∈ R+0 × (R+0 ∪ {∞}).
The structure of Fig. B.6 results in the following behavior: if the time-
to-fire of a transition ttimer iz expires when pafter tj contains a token, then
a token is added to ppost timer iz, enabling the corresponding transition
tpost timer expiration ijz which fires immediately. This removes the token in
pafter tj and ppost timer iz, and adds a token to pafter tj
and pafter post timer expiration ij. Therefore, ti after j becomes enabled and fires
immediately, removing the token in pafter tj and pafter post timer expiration ij,
and adding a token to pafter ti .
Note that any transition tpost timer expiration ijz is preconditioned by pafter tj
to let it fire only if the last occurred event is tj; the postcondition arc from
tpost timer expiration ijz to pafter tj is thus necessary to allow the subsequent
firing of ti after j.
Acknowledgements
First of all, my thanks go to my Professor Enrico Vicario, for the trust he
placed in me, for his active help with the thesis work, and for giving me the
chance to understand, by sharing his passion with me, what Research is and
what it means to do it.
Thank you Laura. You taught me so much and have always been a point of
reference I could count on; with you I spent three fantastic years, and I will
try to treasure everything you managed to pass on to me and teach me.
Thank you Dad. At the end of the 2000s you bought my first computer, a
beautiful 286 with DOS on it and Prince of Persia installed. My passion was
born there, from that pile of integrated circuits, from that blinking cursor and
from the simple syntax of QBasic. That day you planted a seed that over the
years I have cultivated and from which I am now harvesting the first fruits.
Thank you for supporting me in everything I liked, even when it did not match
your own passions; if I have always had solid foundations on which to build
to reach my goals, it is certainly thanks to you.
Thank you Mom. When I came back from the University tired, hungry and
even irritable, you were always there, close and ready to make sure I never
lacked anything. Now that I am far away I understand even more the
importance and beauty of those simple, natural gestures of yours.
Debora. A special thanks goes to you; in recent years we have grown much
closer, perhaps because as we grow up the age difference is felt less and the
joys and problems we meet and share become the same. I feel you close, I
feel I can count on you and that, by sharing our experiences, we can grow in
the same direction without drifting apart and losing each other.
Thank you Marco. Most probably I would not be here writing this Thesis if
I had not gone through the University years alongside you, a shared journey
in which it was a pleasure to learn to marvel at the beauty and grace of the
things we studied together.
Lampredotto. Another special thanks goes to Tommaso, companion of study
and of the `Lampredotto Thursdays´; we never went without anything... ice
creams, mousses, one-kilo ice-cream croissants, tripe, lampredotto and peposo
have always cheerfully accompanied our fantastic lunch breaks.
Finally, a huge thanks to all the guys at STLab! Irene, Jacopo, Carlo,
Lorenzo, Valeriano, Andrea, Fulvio, Andrea and Stefano. Studying and
living the lab together was a real pleasure; it will be hard, perhaps impossible,
to find such a beautiful and sunny environment in which to cultivate one's
passions.
No... I have not forgotten You... Thank you Valentina for accompanying me
with joy and Love through these years of study and Research.
