Formalizing Time4sys using parametric timed automata by André, Étienne
Formalizing Time4sys using parametric timed
automata
E´tienne Andre´
Universite´ Paris 13, LIPN, CNRS, F-93430, Villetaneuse, France
JFLI, CNRS, Tokyo, Japan
National Institute of Informatics, Tokyo, Japan
Abstract—Critical real-time systems must be verified to avoid
the risk of dramatic consequences in case of failure. Thales
developed an open formalism “Time4sys” to model real-time
systems, with expressive features such as periodic or sporadic
tasks, task dependencies, distributed systems, etc. However,
Time4sys does not natively allow for a formal reasoning. In this
work, we present a translation from Time4sys to (parametric)
timed automata, so as to allow for a formal verification.
Index Terms—real-time systems, schedulability analysis,
Time4sys, parametric timed model checking, IMITATOR
I. INTRODUCTION
Real-time systems combine concurrent behaviors with hard
real-time constraints. The correctness of real-time systems is
crucial especially for critical systems, the failure of which may
cause irreparable damages. A formal analysis of the system
before its execution is therefore necessary. Real-time systems
are made of tasks (that can be periodic or not) to be executed
on one or more processors. Tasks are notably characterized
by a relative deadline that stipulates how much time can be
spent from the activation time of an instance of the task to
the completion of that instance. Often, a deadline miss in a
real-time system is an undesired behavior just as bad as a
wrong result in a computation. Each processor comes with a
scheduling policy, that decides what task should be executed.
Such policies can be preemptive, i. e., may temporarily stop a
task processing to move to a higher priority task. Of utmost
importance is the schedulability analysis, that is: given a set of
tasks to execute with their timing constraints (period, best case
and worst case execution times, deadline) together with the
scheduling policies, ensure that no deadline miss will occur.
Thales, a multinational company of 64,000 employees fo-
cusing on aerospace, defense and transportation, developed an
internal tool for modeling real-time systems. This tool was
then recently made public under the name Time4sys, with its
code made open source.1
Fig. 1 shows an example of Time4sys’ graphical user
interface, with one processor (“CPU1”, yellow square) on
This is the author (and slightly extended) version of the manuscript of the
same name published in the proceedings of the 13th International Symposium
on Theoretical Aspects of Software Engineering (TASE 2019). The final
version is available at http://ieeexplore.ieee.org/. This work is supported by the
ASTREI project funded by the Paris Iˆle-de-France Region, with the additional
support of the ANR national research program PACS (ANR-14-CE28-0002)
and ERATO HASUO Metamathematics for Systems Design Project (No.
JPMJER1603), JST.
1https://github.com/polarsys/time4sys
which 6 tasks (blue squares) are assigned. Blue lines
indicate task dependencies: for example, whenever task
Trajectory_Prediction is completed, an instance of
Tracking_Control2 is activated. Two tasks are periodi-
cally activated, i. e., Tracking_Control1 (period: 100 ms,
jitter: 30 ms), and Processing (period: 40 ms, no jitter).
However, Time4sys mainly focuses on modeling, and not on
verification. While it is possible to design complex real-time
systems using Time4sys and its graphical user interface (see
Fig. 1), no formal verification can be made. As a consequence,
transformation rules from a subset of the Time4sys syntax
were proposed to the input format of tools such as Pegase2,
MAST [Gon+01] or Cheddar [Sin+04], which allow for some
formal verification. However, these tools only support some
syntactic features: for example, Cheddar does not support
task dependency constraints. In 2015, the FMTV challenge3
made public a problem proposed by Thales, that consists in
performing some verifications (and computations) on a real-
time system model designed using Time4sys. Due to uncertain
periods, i. e., periodic tasks with a fixed but not completely
known period, most solutions failed in computing the desired
best-case and worst-case computation times. Beside a solution
that obtained the correct times using simulation, the only
method able to compute these times in an exact fashion used
parametric timed model checking [SAL15]. Although modeled
by Time4sys, the model of [SAL15] was formalized in an ad-
hoc manner to solve a given problem, while we propose here
a systematic formalization.
Contribution: In this work, we propose a translation
of the Time4sys syntax to an extension of timed au-
tomata [AD94], a common formalism to verify systems in-
volving concurrency and time. In addition, we allow the use
of parameters to cope for uncertainty by setting as target of
our translation parametric timed automata, that extend timed
automata with unknown (or uncertain) constants [AHV93]. In
other words, some values such as periods or offsets can be
completely unknown, or known with a limited certainty (e. g.,
in a predefined interval). The goal is to offer translation rules,
so as to be able to analyze formally Time4sys models even
in the presence of uncertainty. Even further, the ultimate goal
2http://www.realtimeatwork.com/software/rtaw-pegase/
3“Formal Methods for Timing Verification Challenge”, in the WATERS
workshop: http://waters2015.inria.fr/
ar
X
iv
:1
90
5.
09
45
8v
1 
 [c
s.S
E]
  2
3 M
ay
 20
19
Figure 1: Time4sys graphical user interface
is to synthesize the values of some timings constants seen as
parameters that make the system schedulable.
Related works: Schedulability analysis of real-time sys-
tems using model checking was tackled in the past, with
several works in the 1990s directly or indirectly targeting
real-time systems (e. g., [WME92; AHV93; AD94; YMW97;
CC99]). In [AM02; AAM06], schedulability analysis for some
real-time systems is performed using timed automata [AD94]
or stopwatch automata.
When timing constants (periods, jitters, offsets, deadlines,
etc.) become uncertain or unknown, schedulability analysis
becomes much harder. A method is to use parametric timed
formalisms such as parametric timed automata [AHV93].
In [CPR08] parametric automata are used to synthesize values
for offsets, periods, deadlines or computation times for which
the system is schedulable. While the problem is in general
undecidable, a decidable subclass is exhibited. In [Fri+12], the
authors use stopwatch automata to perform robust schedulabil-
ity analysis, i. e., where some of the timing constants can vary
while preserving the schedulability. In [Sun+13], we proposed
a method to synthesize values of values such as deadlines and
periods for which schedulability is ensured for a real-time
system modeled using a set of pipelines: while the method
is slower than an analytical method and MAST [Gon+01],
our method is also more complete. Despite some ad-hoc
experiments, no automatic transformation from an existing
formalism to parametric timed automata was proposed.
For uniprocessor real-time systems only, (parametric) task
automata offer a more compact representation than (paramet-
ric) timed automata [Fer+07; NWY99; And17].
Finally, Time4sys was partially translated to parametric time
Petri nets [Lim+09].
Outline: We present Time4sys in Section II. We recall
the syntax and semantics of parametric timed automata in
Section III. We present our main transformation in Section IV,
and we report experiments as a proof of concept in Section V.
Finally, we conclude and outline perspectives in Section VI.
II. TIME4SYS
Time4sys4 is a graphical representation of real-time systems
designed and released by Thales.
Time4sys has a formally established syntax given in the
form of a metamodel. Time4sys uses a subset of the MARTE
OMG standard [OMG08] as a basis to represent a synthetic
view of the system design model that captures all elements,
data and properties impacting the system timing behavior and
required to perform timing verification (e. g., tasks mapping on
processors, communication links, execution times, scheduling
parameters, etc.).
By using MDE (model-driven engineering) settings,
Time4sys is being developed as an Eclipse Polarsys plugin,
and comes with a user-friendly graphical interface.
While the semantics of real-time systems modeled in
Time4sys is clear (perhaps up to some minor aspects),
Time4sys does not natively allow itself for any verification,
and relies on external tools such as MAST [Gon+01] or
Cheddar [Sin+04].
Supported features: Time4sys allows to model processors
(“hardware resources”) and tasks (“software resources”), with
their execution times (possibly in the form an interval) and
their deadline. In addition, tasks can be activated periodically
or sporadically, possibly with a minimum inter-arrival time.
Periodic tasks can be subject to a jitter j: that is, the ith
instance of a task with period p will occur in [(i − 1) × p −
j, (i − 1) × p + j]. In addition, tasks can be subject to an
offset o: in that case, the ith instance of a task with period p
will occur at time (i− 1)× p+ o.
4https://fed4sae.eu/industrial-platforms/time4sys-thales/
2
CPU1
CPU2
CPU1
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
T5 T1 T5 T1
T2 T7 T4 T7
T6 T3
Figure 2: The beginning of a possible execution of the system in Fig. 3
Tasks usually come with a relative deadline: that is, every
time a new task instance is activated, this instance must
complete its execution within this deadline. Otherwise, a
deadline miss occurs, and the system is not schedulable. The
schedulability analysis consists in formally checking that, for
any execution consistent with the task model (periods, offsets,
deadlines, execution times, scheduling policy. . . ), no deadline
miss will ever occur.
Time4sys supports both uniprocessor and multi-processor
real-time systems. Task dependencies are supported, including
between different processors; that is, the completion of a task
on a given processor can trigger the activation of a task on
the same or on another processor. This is perhaps one of the
key aspects of Time4sys, as these dependencies are not always
supported by existing schedulability analysis techniques.
Various scheduling policies are supported by Time4sys,
including:
• fixed priority (FPS): each task on a given processor
comes with a given static priority and, upon completion
of a task instance, the highest priority task instance in the
waiting queue is selected for execution;
• preemptive FPS: a version of FPS where a lower priority
task can be temporarily stopped to execute a newly
activated instance of a higher priority task;
• (preemptive) RMS: FPS where tasks with shorter periods
necessarily have a higher priority;
• shortest job first (SJF): the shortest task instance is
selected first;
• Time-division multiple access (TDMA) and Round
Robin: tasks are allocated slots in a cyclic manner to
execute (part of) their instances, one after the other.
Example 1. Consider the real-time system in Fig. 3 modeled
using Time4sys (the [0; 0] intervals should be disregarded).
This system features seven tasks to be executed on three
processors. Processors are depicted in yellow boxes, while
tasks are depicted using blue squares (green boxes can be
disregarded in our framework). Blue lines represent task
dependencies, while red lines denote sporadic or periodic
activations. Tasks T1 and T5 are periodic, T6 is sporadic,
while others are activated by task dependencies. Only task T1
is subject to an offset (called “phase” in Time4sys). All
three processors use the FPS scheduling policy. Assume that
periodic tasks (Task 1 and Task 6) have deadlines equal to
their period (i. e., 10 and 20, respectively).
Let us consider the beginning of a possible execution of this
system (given in Fig. 2). At system start (t = 0), Task 5 will
be activated; as Task 1 is not activated (due to the offset of 5),
Task 5 (although of lower priority) executes on CPU1. On
CPU3, Task 6 may be activated anytime, as this is a sporadic
task. Let us assume Task 6 is not activated at t = 0. At
t = 0, no other task is activated and therefore only CPU1
is active, and both CPU2 and CPU3 are idle. At t = 4, Task 6
is activated, and starts on CPU3. Then, at t = 5 (which is
the offset of Task 1), an instance of Task 1 is activated; as
Task 1 has higher priority than Task 5, Task 5 is preempted,
and Task 1 starts executing. At t = 9.4, Task 1 finishes its
computation (recall that its computation time lies in [4, 5]).
Then, at that time, an instance of Task 2 is activated by the
completion of Task 1; as CPU2 is idle, it starts to execute
immediately. In parallel, the computation of Task 5 resumes
on CPU1; assuming this execution of Task 5 lasts 7 time
units (in interval [6, 8]), then this instance will be completed
at t = 11.4. At t = 10, Task 6 completes, triggering the
activation of Task 7 on CPU2—which must however wait the
end of T2 since it is of lower priority. And so on.
Now observe that, if the deadline of Task 5 was 11 (instead
of 20), then at t = 11, a deadline miss would occur for Task 5,
as the execution of its instance is not completed by its deadline
(see Appendix A1 for details). Or, alternatively, if the deadline
of Task 5 was 20 but the worst case execution time of Task 1
was 15, then at t = 20, Task 5 has still not completed, and
again a deadline miss occurs (see Appendix A2 for details).
This justifies the study of two problems for Time4sys
models:
• being able to verify that a system is schedulable;
• being able to exhibit suitable values (notably for ex-
ecution times and deadlines) for which the system is
schedulable.
III. PARAMETRIC TIMED AUTOMATA
Let N, Q+ and R≥0 denote the set of non-negative integers,
non-negative rationals and non-negative reals, respectively.
We assume a set X = {x1, . . . , xH} of clocks, i. e., real-
valued variables that evolve at the same rate. A clock valuation
is a function ν : X→ R≥0. We write ~0 for the clock valuation
assigning 0 to all clocks. Given d ∈ R≥0, ν + d denotes the
valuation s.t. (ν + d)(x) = ν(x) + d, for all x ∈ X. Given
R ⊆ X, we define the reset of a valuation ν, denoted by
[ν]R, as follows: [ν]R(x) = 0 if x ∈ R, and [ν]R(x) = ν(x)
otherwise.
We assume a set P = {p1, . . . , pM} of parameters, i. e.,
unknown constants. A parameter valuation v is a function v :
P → Q+. We assume ./ ∈ {<,≤,=,≥, >}. A guard g is a
constraint over X∪P defined by a conjunction of inequalities
of the form x ./ d, or x ./ p with x ∈ X, d ∈ N and p ∈ P.
Given g, we write ν |= v(g) if the expression obtained by
3
replacing each x with ν(x) and each p with v(p) in g evaluates
to true.
Parametric timed automata (PTA) extend timed au-
tomata [AD94] with parameters within guards and invariants
in place of integer constants [AHV93].
Definition 1 (PTA). A PTA A is a tuple
A = (Σ, L, l0,X,P, I, E), where:
1) Σ is a finite set of synchronization actions,
2) L is a finite set of locations,
3) l0 ∈ L is the initial location,
4) X is a finite set of clocks,
5) P is a finite set of parameters,
6) I is the invariant, assigning to every l ∈ L a guard I(l),
7) E is a finite set of edges e = (l, g, a,R, l′) where l, l′ ∈ L
are the source and target locations, a ∈ Σ, R ⊆ X is a
set of clocks to be reset, and g is a guard.
Given a parameter valuation v, we denote by v(A) the non-
parametric structure where all occurrences of a parameter pi
have been replaced by v(pi). We denote as a timed automaton
any structure v(A), by assuming a rescaling of the constants:
by multiplying all constants in v(A) by their least common
denominator, we obtain an equivalent (integer-valued) TA, as
defined in [AD94].
Example 2. An example of PTA is given in Fig. 4a (page 6).
It features two locations l1 and l2, one synchronization action
actT, one clock xactT, and two parameters TPeriod and
TOffset.
Let us now recall the concrete semantics of TA.
Definition 2 (Semantics of a TA). Given a PTA A =
(Σ, L, l0,X,P, I, E), and a parameter valuation v, the seman-
tics of v(A) is given by the timed transition system (TTS)
(S, s0,→), with
• S = {(l, ν) ∈ L× RH≥0 | ν |= v(I(l))},
• s0 = (l0,~0),
• → consists of the discrete and (continuous) delay transi-
tion relations:
1) discrete transitions: (l, ν) e7→ (l′, ν′), if (l, ν), (l′, ν′) ∈
S, and there exists e = (l, g, a,R, l′) ∈ E, such that
ν′ = [ν]R, and ν |= v(g).
2) delay transitions: (l, ν) d7→ (l, ν + d), with d ∈ R≥0,
if ∀d′ ∈ [0, d], (l, ν + d′) ∈ S.
Given a TA v(A) with concrete semantics (S, s0,→), we
refer to the states of S as the concrete states of v(A). A run
of v(A) is an alternating sequence of concrete states of v(A)
and pairs of edges and delays starting from the initial state
s0 of the form s0, (e0, d0), s1, · · · with i = 0, 1, . . . , ei ∈ E,
di ∈ R≥0 and (si, ei, si+1) ∈ →. Given a state s = (l, ν), we
say that s is reachable in v(A) if s appears in a run of v(A).
By extension, we say that l is reachable; and by extension
again, given a set T of locations, we say that T is reachable
if there exists l ∈ T such that l is reachable in v(A).
A. Reachability synthesis
We will use here reachability synthesis to perform para-
metric schedulability analysis. That is, the system will be
schedulable for valuations of the PTA for which the valuated
TA does not reach a set of given locations modeling deadline
misses.
The procedure synthesizing valuations for which a set of
locations is (un)reachable is called EFsynth: it takes as input
a PTA A and a set of target locations T , and attempts to
synthesize all parameter valuations v for which T is reachable
in v(A). EFsynth was given and formalized in e. g., [JLR15]
and may not terminate, but if it terminates, then its result is
exact (sound and complete). EFsynth traverses the parametric
zone graph of A, which is a potentially infinite extension of
the well-known zone graph of TAs (see, e. g., [AS13; JLR15]
for a formal definition).
B. IMITATOR
IMITATOR [And+12] is a parametric timed model checker
supporting networks of parametric timed automata extended
with various features such as stopwatches (i. e., the ability
to stop the elapsing of some clocks, allowing to model
preemption in real-time systems), synchronization using syn-
chronization actions, global discrete rational-valued variables
that can read and modified in guards, etc. In the following,
we refer to these extended PTAs as PTAs. Our translation
takes advantage of the features offered by IMITATOR, notably
stopwatches and action synchronization.
IMITATOR was used in the past to verify several industrial
case studies (e. g., [Fri+12; SAL15]).
IV. TRANSLATING TIME4SYS INTO PTAS
In this section, we present our translation from the syntax of
Time4sys into parametric timed automata (extended with stop-
watches). We use the real-time system in Fig. 3 to exemplify
our translation.
A. Assumptions
We make the following assumptions on the Time4sys mod-
els we aim at analyzing:
1) We allow only one-to-one task dependencies; that
is, a given task upon completion can activate only
a single task. This is not the case of Fig. 1 as
Tracking_control2 activates two tasks; in contrast,
this assumption is satisfied in Fig. 3.
2) For periodic tasks, the deadline is equal to the period.
3) No jitters are allowed.
How to lift these assumptions is discussed in Section VI.
B. General translation scheme
We will build a network of PTAs synchronized on syn-
chronization actions. By default, we assume the model is
fully parameterized, i. e., all timing constants (deadlines, pe-
riods, offsets, jitters. . . ) are parameters in the sense of PTAs’
unknown constants. Assigning these parameters to a fixed
value can be done trivially in IMITATOR, and makes the
4
Figure 3: Example of Time4sys model
subsequent analysis simpler. For example, in Fig. 3, we should
set T1period := 10 ps.
In addition, we use the following same convention as in the
literature, as well as in IMITATOR: different objects (clocks,
parameters, variables, actions—but not locations) with the
same name in different PTAs refer to shared objects. For
example, a clock named x used in two different PTAs is the
same clock. However, two locations l1 in two different PTAs
are (naturally) two different locations.
The various PTAs will be synchronized using synchroniza-
tion actions. Given a task T , two actions will be used: actT,
denoting the activation of an instance of T , and finT to
denote its completion. Note that, thanks to our assumption
of deadlines equal to periods, not more than one instance of a
task is present (executing or waiting) at a given time: indeed,
if a second instance of a task is activated, this would mean
that the first one did not complete within its period.
C. Task activation patterns
We consider two main kinds of activation patterns: periodic
tasks and sporadic tasks.
a) Periodic tasks: Given a task T with period TPeriod
and offset TOffset, we create a PTA with a local clock xactT
synchronizing on action actT, given in Fig. 4a. The first
location is used to encode the offset at the beginning, while the
second one is used to encode the periodic behavior. Initially,
in l1, the system must wait TOffset time units before starting
the periodic behavior, according to the definition of the offset.
Then, after exactly TOffset time units (encoded by the guard
xactT = TOffset), the PTA activates task T using the
synchronization action actT and moves to the second location.
There, every exactly TPeriod time units (encoded by the guard
xactT = TPeriod), the PTA activates task T .
b) Sporadic tasks: Sporadic tasks are characterized by
their minimum inter-arrival time. The encoding of sporadic
task T with minimum inter-arrival time TIAT is very similar
to the case of a periodic task, and is given in Fig. 4b. The only
differences are the absence of invariant in the lower location,
and the fact that the activation is not anymore when xactT =
TPeriod, but when xactT ≥ TIAT.
D. Task precedences
We now encode task precedences. Recall that, although this
syntactic feature is intuitive (“upon completion, a given task
triggers the activation of another task”), many tools do not
support them; for example, Cheddar does not support task
such dependency constraints. Due to our assumption banning
multiple precedences, such task precedences can be seen as
task chains, that are reminiscent of the pipelines that we
modeled in [Sun+13] using PTAs. For example, in Fig. 3,
there are three task chains:
1) T1 → T2 → T3 → T4;
2) T6 → T7; and
3) T5.
Translating these task chains is done by constraining the
order between the various task activations and completions.
However, since the total execution time of the whole task chain
can be larger than the first task’s period, a single automaton
is not sufficient. Therefore, we “split” the chain, and encode
each dependency as a PTA; as usual, these PTAs will be
synchronized on the synchronization actions.
We give the translation of the task chain “T1 → T2 →
T3 → T4” in the three PTAs given in Fig. 5. The three
locations named l3 are urgent locations (preceded by “U :”),
i. e., locations where time cannot elapse: that is, in Fig. 5a, the
activation of task T2 comes immediately after the completion
of T1.
E. Scheduling policies
The scheduler of each CPU is translated into a PTA ac-
cording to its scheduling policy. We focus on preemptive
FPS as this is one of the most widely used policies, and
arguably one of the most complex to encode. Recall that FPS
always executes the highest priority task (all tasks of a given
processor have a different priority); preemption allows to stop
5
l1
xactT ≤ TOffset
l2
xactT ≤ TPeriod
xactT = TOffset
actT
xactT := 0
xactT = TPeriod
actT
xactT := 0
(a) Periodic task
l1
xactT ≤ TOffset
l2
xactT = TOffset
actT
xactT := 0
xactT ≥ TIAT
actT
xactT := 0
(b) Sporadic task
Figure 4: Translating activation patterns
l1 l2 U : l3 l1
actT1 finT1 actT2
(a) Tasks T1 and T2
l1 l2 U : l3 l1
actT2 finT2 actT3
(b) Tasks T2 and T3
l1 l2 U : l3 l1
actT3 finT3 actT4
(c) Tasks T3 and T4
Figure 5: Translating task chain T1 → T2 → T3 → T4
the ongoing computation to move to a higher priority incoming
task. RMS is a particular case of FPS where a shorter period
is necessarily assigned a higher priority (not necessarily the
case in FPS).
Encoding FPS: Our encoding of FPS is a formalization
of the ad-hoc scheme of [Sun+13]. Fig. 6 shows the translation
of CPU1 from Fig. 3, assuming its policy is preemptive FPS,
with the priority of Task 1 being higher than that of Task 5.
We use stopwatches, and the stopped clocks in a location are
given in the dashed rectangle together with the invariant. We
assume task T1 has higher priority over T5. The processor
starts by being idle, waiting for a task activation. As soon
as a task is activated (e. g., action actT5), it moves to one
of the locations where the corresponding task is running
(execT5). If it receives another activation request (actT1),
it moves to the location corresponding to the higher priority
task running (execT1waitT5), where T1 is executed and T5
is waiting to be executed. The fact that T5 does not execute
anymore is modeled by the stopping of the clock xexecT5
corresponding to task T5. Moreover, while a task executes,
the scheduler automaton checks if it misses its deadline (e. g.,
guard xactT5 > T5Period, where T5Period is T5’s deadline
since we assumed deadlines to be equal to periods). In the
case of a deadline miss, the processor PTA moves to a special
failure location (“deadline missed”) and stops any further
computation.
The model of a non-preemptive processor is very similar
to the model of preemptive processor: the central location in
Fig. 6 which accounts for the fact that T5 is stopped when T1
is activated, in the non-preemptive case must not stop T5, but
simply remember that T1 has been released, so that we can
move to the top state when T5 completes its instance.
Encoding TDMA: We also encoded the “Time-division
multiple access” (TDMA) scheduling policy. This scheduling
policy is fairly simple, as there are no priorities: the scheduler
simply passes a “token” to each of its tasks in a circular
manner. If an instance of this task is activated, then this task
executed for a predefined amount of time (generally small). If
no instance of this task is activated, then the processor remains
idle during the predefined amount of time, before moving to
the next task.
Other scheduling policies: Other scheduling policies are
discussed in Section VI.
F. Handling uncertainty
A major interest of our transformation is its ability to
handle uncertainty. Indeed, all timing constants (periods, dead-
lines, offsets. . . ) can be possibly kept parametric, or can be
constrained to belong to a predefined interval. For example,
to model the period of a task T1 equal to 100 ms known
with a precision of 1 %, it suffices to declare the parameter
T1Period ∈ [99, 101], which can be simulated by a small
PTA gadget—or is natively offered by the input syntax of
IMITATOR.
Then, the system is schedulable for all valuations such that
the system reaches none of the DeadlineMissed locations
defined in Section IV-E. This can be computed by the EFsynth
algorithm implemented in IMITATOR.
G. Implementation
We implemented our translation in a Java program of
2,900 lines of code called Time4sys2IMITATOR [AJM19].
The program takes as input a Time4sys model exported from
the interface (that comes in the form of an XML file), and
outputs a PTA model in the IMITATOR input syntax. We
support all the features mentioned in Section IV.
V. EXPERIMENTS
As a proof of concept, we apply our transformation to the
example in Fig. 3. Task 1 (resp. 5) has an activation period of
10 (resp. 20) and an offset of 5 (resp. 0). Task 6 is sporadic
with a minimum interarrival time of 20. The best and worst
case computation times for the tasks are given in bracket;
for example, the computation time of each instance of task 1
is non-deterministically chosen in [4, 5]. Recall that all three
6
idle
stop(xexecT1,
xexecT5
execT1
T1WCET ≥ xexecT1
stop(xexecT5)
execT1waitT5
T1WCET ≥ xexecT1
stop(xexecT5)
execT5
T5WCET ≥ xexecT5
stop(xexecT1)
DeadlineMissed
actT1
xexecT1 := 0
actT5
xexecT5 := 0
xexecT1 ≥ T1BCET
finT1
xactT1 := 0
actT5
xactT1 > T1Period
DeadlineMiss
xexecT1 ≥ T1BCET
finT1
xactT1 := 0
xactT5 > T5Period
∨xactT1 > T1Period
DeadlineMiss
xexecT5 ≥ T5BCET
finT5
xactT5 := 0
actT1
xactT5 > T5Period
DeadlineMiss
Figure 6: Translating the scheduler CPU1 with a preemptive FPS scheduling policy
(a) WCET 1 and 4 (b) Deadlines 1 and 5
Figure 7: Some 2-D graphical representations
processors use FPS. The priorities are chosen as follows: for
CPU1, T1 > T5; for CPU2, T2 > T4 > T7; for CPU2,
T6 > T3.
Our translation yields a model made of 14 synchronization
actions, 14 clock variables, and (up to) 28 parameters, that
consist of all periods, deadlines, offsets and best and worst
case execution times. IMITATOR allows to keep none, some
or all of the parameters unconstrained to allow for various
levels of parameterization.
Experiments were conducted using IMITATOR 2.10.4 “But-
ter Jellyfish” on a Dell XPS 13 9365 i7 (2017) running Linux
Mint 18.2 64 bits with 8 GiB memory.5
a) Non-parametric schedulability analysis: First, we val-
uate all parameters (therefore the model is entirely non-
parametric), and we assume that all deadlines are equal to
period for periodic tasks (we are not interested in deadline
violations for other tasks, therefore their deadline can be set to
an arbitrarily large value). An analysis with IMITATOR (com-
putation time: 0.2 s) certifies that this model is schedulable,
i. e., no deadline miss occurs.
b) Parametric WCETs: Then, we leave some parameters
unconstrained, so as to not only verify the schedulability but
5Experimental results with models, logs, results and graphics can be found
at https://www.imitator.fr/static/TASE19.
also to synthesize parameter values for which the system is
schedulable. Leaving T1WCET and T4WCET unconstrained
yields the following constraint (time: 1.5s):6
4 ≤ T1WCET ≤ 6 ∧ T4WCET ≥ 1
∧ T1WCET + T4WCET < 9
A graphical representation (output by IMITATOR) is given
in Fig. 7a.
Then, we run a 4-dimensional analysis to infer values
for T1WCET, T4WCET, T5WCET and T7WCET (time:
11.5s); the result is given in Fig. 8a.
c) Parametric deadlines: We then parameterize deadlines
of tasks 1 and 5. The result (computed in 0.63 s) is given
below:
T1Deadline ∈ [5, 13] ∧ T5Deadline ∈ [10, 20]
A graphical representation is given in Fig. 7b.
d) Parametric offset: We also study the influence of the
offset of Task 1 on the schedulability. An analysis with one
parameter OffsetT1 gives (time: 2.0 s): OffsetT1 ∈ (1, 8).
It may be surprising that the system is non-schedulable for a
zero-offset: this comes from the fact that, if Task 1 is activated
too soon, Task 2 (that is activated upon completion of Task 1)
will preempt CPU2, preventing Task 7 to complete, notably in
the worst case when Task 6 is activated at the highest possible
period allowed by its sporadic nature and Task 7 lasts for its
longest duration (15 time units).
e) Multidimensional parametric analyses: We finally
relate the various variables of the system by performing
parametric analyses in different dimensions. We first relate
deadlines and WCETs of tasks 1 and 5. The analysis (time:
8.9 s) gives the result in Fig. 8b.
Finally, we relate three values of task 1, i. e., its offset, its
WCET and its deadline. We give the result (time: 40.6 s) in
Fig. 8c.
6While IMITATOR may sometimes output incomplete constraints, all con-
straints given in this manuscript are certified exact (sound and complete) by
the tool.
7
T5WCET ≥ 6 ∧ T4WCET ≥ 1
∧ 20 ≥ 2 ∗ T1WCET + T5WCET
∧ 9 > T1WCET + T4WCET
∧ T1WCET ≥ 4 ∧ T7WCET ≥ 10
∨
T5WCET ≥ 6 ∧ T7WCET ≥ 10
∧ 16 > 2 ∗ T4WCET + T7WCET
∧ T1WCET + T4WCET ≥ 9
∧ 20 ≥ 2 ∗ T1WCET + T5WCET
(a) 4-dimensional parametric WCETs
T5Deadline ≥ T1WCET + T5WCET
∧ T1WCET ≥ 4
∧ T1Deadline ≥ T1WCET
∧ 15 ≥ T1WCET + T5WCET
∧ T5Deadline + 5 ≥ 2 ∗ T1WCET + T5WCET
∧ 20 ≥ T5Deadline
∧ 10 ≥ T1Deadline
∧ T5WCET ≥ 6
∧ 20 ≥ 2 ∗ T1WCET + T5WCET
∨
10 ≥ T1Deadline ∧ T1Deadline ≥ T1WCET
∧ T1WCET + T5WCET > 15
∧ T1WCET ≥ 4
∧ T5Deadline ≥ 2 ∗ T1WCET + T5WCET
∧ 20 ≥ T5Deadline
(b) WCETs and deadlines
13 > T1WCET + T1Offset
∧ 6 > T1WCET ≥ 4
∧ 10 ≥ Deadline
∧Deadline ≥ T1WCET
∧ T1Offset > 1
∨
7 > T1Offset > 3
∧ 10 ≥ Deadline ≥ 6
∧ T1WCET = 6
(c) Task 1: offset, WCET, deadline
Figure 8: Results
VI. PERSPECTIVES
In this work, we proposed a first translation of an industrial
formalism to model real-time systems into a parametric timed
formalism, namely parametric timed automata. We discuss
below short-term perspectives.
Lifting assumptions: We did not support the full syntax
of Time4sys, as we used some assumptions defined in Sec-
tion IV-A.
We assumed that all periodic tasks must have a deadline
equal to the period. While deadlines less than or equal to the
period is very straightforward (and is part of our implementa-
tion), deadlines larger than periods may render the translation
more elaborate. Indeed, our encoding of Section IV-D needs
to be deeply modified, as we need to encode more than one
instance of a task at a given time. An option is to split
further the task chains, and add some additional integer-valued
variables, but this solution will come at the cost of a less
efficient analysis.
Multiple dependencies remain to be supported: on the
one hand, a task activating several tasks (e. g., in Fig. 1,
Tracking_control2 upon completion activates both
Camera_control and Tracking_control3) is natural
and should be supported without difficulties by action syn-
chronization in parametric timed automata; on the other hand,
the semantics of several tasks activating a single task looks
more dubious, and we are not even sure to want to support
this syntax.
Jitters can easily be supported: however, they slightly
complicate the model of task activation patterns, and are
therefore discarded both in this work and temporarily in our
implementation (with the goal to introduce them soon).
After lifting these assumptions, we note that we support
the vast majority of the Time4sys syntax, with the exception
of multiple input task activation—which, again, may seem
dubious as its semantics is very unclear.
Alternative scheduler models: A natural future work will
be to propose optimizations or variants in the translation, no-
tably of the scheduler model, and test their practical efficiency
on a set of benchmarks, such as the IMITATOR benchmarks
library [And19].
Implementing other scheduling policies, such as earliest
deadline first (EDF) or shortest job first (SJF), should be
straightforward. Round Robin resembles TDMA in the sense
that the scheduler moves a “token” to its tasks; however, the
main difference is that, whenever a task has no activated
instance, the processor immediately moves to the next one.
This is not difficult as such, but this requires more locations
in the PTA model than for TDMA.
Translation to UPPAAL: A translation into the state-of-
the-art UPPAAL model-checker [LPY97] is on our agenda.
However, a translation to UPPAAL would lose the ability to
use unknown or uncertain constants; in addition, UPPAAL does
not fully support stopwatches, needed to model preemption.
Execution traces: Finally, in case of a deadline miss, we
aim at displaying the faulty model trace leading to the deadline
miss back to the Time4sys model. Note that Time4sys also
features a metamodel for such traces.
ACKNOWLEDGEMENTS
The author is grateful to Romain Soulat (Thales Re-
search and Technology, Palaiseau) for interactions concerning
Time4sys, to Jawher Jerray and Sahar Mhiri for their help
on the implementation of the translation of Time4sys into
IMITATOR, and to the reviewers for helpful suggestions.
REFERENCES
[AAM06] Yasmina Adbeddaı¨m, Eugene Asarin, and Oded Maler.
“Scheduling with timed automata”. In: Theoretical
Computer Science 354.2 (2006), pp. 272–300. DOI: 10.
1016/j.tcs.2005.11.018 (cit. on p. 2).
[AD94] Rajeev Alur and David L. Dill. “A theory of timed
automata”. In: Theoretical Computer Science 126.2
(Apr. 1994), pp. 183–235. ISSN: 0304-3975. DOI: 10.
1016/0304-3975(94)90010-8 (cit. on pp. 1, 2, 4).
[AHV93] Rajeev Alur, Thomas A. Henzinger, and Moshe Y.
Vardi. “Parametric real-time reasoning”. In: STOC.
Ed. by S. Rao Kosaraju, David S. Johnson, and Alok
Aggarwal. San Diego, California, United States: ACM,
1993, pp. 592–601. ISBN: 0-89791-591-7. DOI: 10.1145/
167088.167242 (cit. on pp. 1, 2, 4).
[AJM19] E´tienne Andre´, Jawher Jerray, and Sahar Mhiri.
Time4sys2IMITATOR: A tool to formalize real-time
system models under uncertainty. Submitted. 2019
(cit. on p. 6).
8
[AM02] Yasmina Adbeddaı¨m and Oded Maler. “Preemptive
Job-Shop Scheduling using Stopwatch Automata”.
In: TACAS. Ed. by Joost-Pieter Katoen and Perdita
Stevens. Vol. 2280. Lecture Notes in Computer Sci-
ence. Grenoble, France: Springer-Verlag, Apr. 2002,
pp. 113–126. DOI: 10 . 1007 / 3 - 540 - 46002 - 0 9 (cit. on
p. 2).
[And+12] E´tienne Andre´, Laurent Fribourg, Ulrich Ku¨hne, and
Romain Soulat. “IMITATOR 2.5: A Tool for Ana-
lyzing Robustness in Scheduling Problems”. In: FM.
Ed. by Dimitra Giannakopoulou and Dominique Me´ry.
Vol. 7436. Lecture Notes in Computer Science. Paris,
France: Springer, Aug. 2012, pp. 33–36. DOI: 10.1007/
978-3-642-32759-9 6 (cit. on p. 4).
[And17] E´tienne Andre´. “A unified formalism for monopro-
cessor schedulability analysis under uncertainty”. In:
FMICS-AVoCS. Ed. by Ana Cavalcanti, Laure Petrucci,
and Cristina Seceleanu. Vol. 10471. Lecture Notes
in Computer Science. Torino, Italy: Springer, 2017,
pp. 100–115. DOI: 10.1007/978-3-319-67113-0 7 (cit. on
p. 2).
[And19] E´tienne Andre´. “A benchmark library for parametric
timed model checking”. In: FTSCS. Ed. by Cyrille
Artho and Peter Csaba O¨lveczky. Vol. 1008. Commu-
nications in Computer and Information Science. Gold
Coast, Australia: Springer, 2019, pp. 75–83. DOI: 10.
1007/978-3-030-12988-0 5 (cit. on p. 8).
[AS13] E´tienne Andre´ and Romain Soulat. The Inverse
Method. FOCUS Series in Computer Engineering and
Information Technology. 176 pages. ISTE Ltd and John
Wiley & Sons Inc., 2013. ISBN: 9781848214477 (cit. on
p. 4).
[CC99] Se´rgio Vale Aguiar Campos and Edmund M. Clarke.
“Analysis and Verification of Real-Time Systems Using
Quantitative Symbolic Algorithms”. In: International
Journal on Software Tools for Technology Transfer 2.3
(1999), pp. 260–269. DOI: 10.1007/s100090050033 (cit. on
p. 2).
[CPR08] Alessandro Cimatti, Luigi Palopoli, and Yusi Rama-
dian. “Symbolic Computation of Schedulability Re-
gions Using Parametric Timed Automata”. In: RTSS.
Barcelona, Spain: IEEE Computer Society, 2008,
pp. 80–89. ISBN: 978-0-7695-3477-0. DOI: 10 . 1109 /
RTSS.2008.36 (cit. on p. 2).
[Fer+07] Elena Fersman, Pavel Krca´l, Paul Pettersson, and
Wang Yi. “Task automata: Schedulability, decidability
and undecidability”. In: Information and Computation
205.8 (2007), pp. 1149–1172. DOI: 10.1016/j.ic.2007.01.
009 (cit. on p. 2).
[Fri+12] Laurent Fribourg, David Lesens, Pierre Moro, and
Romain Soulat. “Robustness Analysis for Schedul-
ing Problems using the Inverse Method”. In: TIME.
Ed. by Mark Reynolds, Paolo Terenziani, and Ben
Moszkowski. Leicester, UK: IEEE Computer Society
Press, Sept. 2012, pp. 73–80. DOI: 10.1109/TIME.2012.10
(cit. on pp. 2, 4).
[Gon+01] Michael Gonza´lez Harbour, J. J. Gutie´rrez Garcı´a,
Jose´ C. Palencia Gutie´rrez, and J. M. Drake Moyano.
“MAST: Modeling and Analysis Suite for Real Time
Applications”. In: ECRTS. Delft, The Netherlands:
IEEE Computer Society, 2001, pp. 125–134. DOI: 10.
1109/EMRTS.2001.934015 (cit. on pp. 1, 2).
[JLR15] Aleksandra Jovanovic´, Didier Lime, and Olivier H.
Roux. “Integer Parameter Synthesis for Real-Time Sys-
tems”. In: IEEE Transactions on Software Engineering
41.5 (2015), pp. 445–461. DOI: 10 . 1109 / TSE . 2014 .
2357445 (cit. on p. 4).
[Lim+09] Didier Lime, Olivier H. Roux, Charlotte Seidner,
and Louis-Marie Traonouez. “Romeo: A Parametric
Model-Checker for Petri Nets with Stopwatches”. In:
TACAS. Ed. by Stefan Kowalewski and Anna Philip-
pou. Vol. 5505. Lecture Notes in Computer Science.
York, United Kingdom: Springer, Mar. 2009, pp. 54–
57. DOI: 10.1007/978-3-642-00768-2 6 (cit. on p. 2).
[LPY97] Kim Guldstrand Larsen, Paul Pettersson, and Wang Yi.
“UPPAAL in a Nutshell”. In: International Journal on
Software Tools for Technology Transfer 1.1-2 (1997),
pp. 134–152. DOI: 10.1007/s100090050010 (cit. on p. 8).
[NWY99] Christer Norstro¨m, Anders Wall, and Wang Yi. “Timed
Automata as Task Models for Event-Driven Systems”.
In: RTCSA. Hong Kong, China: IEEE Computer So-
ciety, 1999, pp. 182–189. DOI: 10 . 1109 / RTCSA . 1999 .
811218 (cit. on p. 2).
[OMG08] OMG. Modeling and analysis of real-time and embed-
ded systems (MARTE). Tech. rep. 2008 (cit. on p. 2).
[SAL15] Youcheng Sun, E´tienne Andre´, and Giuseppe Lipari.
“Verification of Two Real-Time Systems Using Para-
metric Timed Automata”. In: WATERS. Ed. by Sophie
Quinton and Tullio Vardanega. Lund, Sweden, July
2015 (cit. on pp. 1, 4).
[Sin+04] Frank Singhoff, Je´roˆme Legrand, Laurent Nana, and
Lionel Marce´. “Cheddar: a flexible real time scheduling
framework”. In: SIGAda. Ed. by John W. McCormick
and Ricky E. Sward. Atlanta, GA, USA: ACM, 2004,
pp. 1–8. DOI: 10.1145/1032297.1032298 (cit. on pp. 1, 2).
[Sun+13] Youcheng Sun, Romain Soulat, Giuseppe Lipari,
E´tienne Andre´, and Laurent Fribourg. “Parametric
Schedulability Analysis of Fixed Priority Real-Time
Distributed Systems”. In: FSTCS. Ed. by Cyrille Artho
and Peter O¨lveczky. Vol. 419. Communications in
Computer and Information Science. Auckland, New
Zealand: Springer, Oct. 2013, pp. 212–228. DOI: 10 .
1007/978-3-319-05416-2 14 (cit. on pp. 2, 5, 6).
[WME92] Farn Wang, Aloysius K. Mok, and E. Allen Emer-
son. “Formal Specification of Synchronous Distributed
Real-Time Systems by APTL”. In: ICSE. Ed. by Tony
Montgomery, Lori A. Clarke, and Carlo Ghezzi. Mel-
bourne, Australia: ACM Press, 1992, pp. 188–198. DOI:
10.1145/143062.143113 (cit. on p. 2).
[YMW97] Jin Yang, Aloysius K. Mok, and Farn Wang. “Sym-
bolic Model Checking for Event-Driven Real-Time
Systems”. In: ACM Transactions on Programming Lan-
guages and Systems (TOPLAS) 19.2 (1997), pp. 386–
412. DOI: 10.1145/244795.244803 (cit. on p. 2).
APPENDIX
A. Examples with deadline misses
1) Modifying the deadline: Consider again the real-time
system in Fig. 3. Now observe that, if the deadline of Task 5
was 11 (instead of 20), then at t = 11, a deadline miss
would occur for Task 5, as the execution of its instance is
not completed by its deadline. This situation is depicted in
Fig. 9a: the deadline is depicted using a down arrow, and the
part of the execution of the instance of Task 5 violating the
deadline is highlighted using a red box.
2) Modifying the WCET: Alternatively, if the deadline of
Task 5 was 20 as in the original definition but the worst case
execution time of Task 1 was 15 (with an increased period and
deadline for Task 1 of, say, 20), then at t = 20, Task 5 has
9
CPU1
CPU2
CPU3
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
T5 T1 T5 T1
T2 T7 T4 T7
T6 T3
(a) Deadline miss for Fig. 3 if T5Deadline = 11
CPU1
CPU2
CPU3
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
T5 T1 T5
T2 T7 T4 T7
T6 T3
(b) Deadline miss for Fig. 3 if T1WCET = 15
Figure 9: Two examples of deadline misses
still not completed and, again, a deadline miss occurs. This
situation is depicted in Fig. 9b.
10
