In a former paper, we de ned a new semantics for timed automata, the Almost ASAP semantics, which is parameterized by to cope with the reaction delay of the controller. We showed that this semantics is implementable provided there exists a strictly positive value for the parameter for which the strategy is correct. In this paper, we de ne the implementability problem to be the question of existence of such a . We show that this question is closely related to a notion of robustness for timed automata de ned in [Pur98] and prove that the implementability problem is decidable.

Abstract. We propose a symbolic algorithm for the analysis of the robustness of timed automata, that is the correctness of the model in presence of small drifts on the clocks or imprecision in testing guards. This problem is known to be decidable with an algorithm based on detecting strongly connected components on the region graph, which, for complexity reasons, is not effective in practice. Our symbolic algorithm is based on the standard algorithm for symbolic reachability analysis using zones to represent symbolic states and can then be easily integrated within tools for the verification of timed automata models. It relies on the computation of the stable zone of each cycle in a timed automaton. The stable zone is the largest set of states that can reach and be reached from itself through the cycle. To compute the robust reachable set, each stable zone that intersects the set of explored states has to be added to the set of states to be explored. 1

Abstract. Whereas formal verification of timed systems has become a very active field of research, the idealised mathematical semantics of timed automata cannot be faithfully implemented. Several works have thus focused on a modified semantics of timed automata which ensures implementability, and robust model-checking algorithms for safety, and later LTL properties have been designed. Recently, a new approach has been proposed, which reduces (standard) model-checking of timed automata to other verification problems on channel machines. Thanks to a new encoding of the modified semantics as a network of timed systems, we propose an original combination of both approaches, and prove that robust model-checking for coFlat-MTL, a large fragment of MTL, is EXPSPACE-Complete. 1

Abstract. Formal verification of timed systems is well understood, but their implementation is still challenging. Raskin et al. have recently brought out a model of parameterized timed automata in which the transitions might be slightly delayed or expedited. This model is used to prove that a timed system is implementable with respect to a safety property, by proving that the parameterized model robustly satisfies the safety property. We extend here the notion of implementability to the broader class of linear-time properties, and provide PSPACE algorithms for the robust model-checking of Büchi-like and LTL properties. We also show how those algorithms can be adapted in order to verify boundedresponse-time properties.

Correct and efficient implementation of general real-time applications remains by far an open problem. A key issue is meeting timing constraints whose satisfaction depends on features of the execution platform, in particular its speed. Existing rigorous implementation techniques are applicable to specific classes of systems e.g. with periodic tasks, time deterministic systems. We present a general model-based implementation method for real-time systems based on the use of two models. • An abstract model representing the behavior of real-time software as a timed automaton. The latter describes user-defined platform-independent timing constraints. Its transitions are timeless and correspond to the execution of statements of the real-time software.

Timed automata are governed by an idealized semantics that assumes a perfectly precise behavior of the clocks. The traditional semantics is not robust because the slightest perturbation in the timing of actions may lead to completely different behaviors of the automaton. Following several recent works, we consider a relaxation of this semantics, in which guards on transitions are widened by ∆> 0 and clocks can drift by ε> 0. The relaxed semantics encompasses the imprecisions that are inevitably present in an implementation of a timed automaton, due to the finite precision of digital clocks. We solve the safety verification problem for this robust semantics: given a timed automaton and a set of bad states, our algorithm decides if there exist positive values for the parameters ∆ and ε such that the timed automaton never enters the bad states under the relaxed semantics.

The scientific context of the DOTS project is specification, verification and design of information systems. The research domain we have in mind started about 25 years ago with seminal papers by Clarke, Pnueli and Sifakis. Since then the domain has witnessed an impressive growth: a comprehensive theory has been developed, efficient algorithms have been designed, and tools like model checkers have been developed. These tools allow to verify automatically that a model of a system satisfies its specification. The research results have also penetrated the industry world as model checkers are now used in an industrial context for numerous case studies which in turn provided some feedback to improve the theory and algorithms. Complex systems, such as embedded systems that are widely used nowadays (telecommunication, transport, automation), are often distributed – composed of several components that communicate together –, timed – contain timing constraints –, and open – interact with their environment. Each of these aspects considered separately is now relatively well understood and corresponds to an active research area. The big challenge is to deal with systems which present several of these features. The aim of the DOTS project is to associate researchers specialized in verification of different aspects mentioned above in order to tackle problems that emerge when considering several features simultaneously. In this way we plan to significantly advance both theory as well as algorithmics of design and verification of distributed, open and timed systems. The area of formal verification covers now a wide range of problems that share a common theoretical basis, but require specific approaches and techniques. In addition to model checking – the classical problem that consists in deciding whether a given model satisfies a given specification – the DOTS project will mainly address two important verification problems: control and non-interference. An important characteristic of the DOTS project is our choice of methods and tools to address the problems mentioned above. We plan to use games to cope with interactive aspects and partial orders to deal with the distributed aspect.

Abstract. Recent works by Raskin et al. have brought out a model of parameterized timed automata which can be used for proving that timed systems are implementable. This is strongly connected to robustly verifying timed automata, i.e. verifying whether a property still holds even if the transitions may be slightly delayed or expedited. In those works, they have proved decidability of robust model-checking for simple safety objectives like “avoid a set of bad states”. We extend here these results by providing PSPACE algorithms for the robust model-checking of Büchi-like and LTL properties. We also solve the case of the boundedresponse-time property. 1

Abstract. Sampled semantics of timed automata is a nite approximation of their dense time behavior. While the former is closer to the actual character of the latter makes it appealing for system modeling and veri cation. We study one aspect of the relation between these two semantics, namely checking whether the system exhibits some qualitative (untimed) behaviors in the dense time which cannot be reproduced by any implementation with a xed sampling rate. More formally, the sampling problem is to decide whether there is a sampling rate such that all qualitative behaviors (the untimed language) accepted by a given timed automaton in dense time semantics can be also accepted in sampled semantics. We show that this problem is decidable. 1

Abstract—Guaranteeing timing properties is an important issue as we develop safety-critical real-time systems such as cardiac pacemakers. We present a safety assured development approach of real-time software using a pacemaker as our case study. Following the model-driven development techniques, measurement-based timing analysis is used to guarantee timing properties in implementation as well as in the formal model. Formal specification with timed automata is checked with respect to timing properties by model checking technique and is transformed into implementation systematically. When timing properties may be violated in the implementation due to timing delay, it is suggested to measure the time deviation and reflect it to the code explicitly by modifying guards. The model is altered according to the modifications in the code. These changes of the code and the model are considered safe if all the properties