Results 1-10 of 37
Event-Clock Automata: A Determinizable Class of Timed Automata
Theoretical Computer Science, 1999
Cited by 90 (3 self)
Abstract
We introduce event-recording automata. An event-recording automaton is a timed automaton that contains, for every event a, a clock that records the time of the last occurrence of a. The class of event-recording automata is, on one hand, expressive enough to model (finite) timed transition systems and, on the other hand, determinizable and closed under all boolean operations. As a result, the language inclusion problem is decidable for event-recording automata. We present a translation from timed transition systems to event-recording automata, which leads to an algorithm for checking if two timed transition systems have the same set of timed behaviors. We also consider event-predicting automata, which contain clocks that predict the time of the next occurrence of an event. The class of event-clock automata, which contain both event-recording and event-predicting clocks, is a suitable specification language for real-time properties. We provide an algorithm for checking if a timed automa...
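The defining idea of an event-recording automaton is that the clocks are not chosen by the automaton: for every event a there is exactly one clock x_a, and its value is always the time elapsed since the last a in the input word. The runner below is an added example (not code from the paper) of those semantics: it replays a timed word, recomputes every x_a from the word at each step, and evaluates the transition guards over those clocks. The request/ack property, the `req` and `ack` event names, and the timed words are constructed for illustration; the check that at most one transition is enabled at each step only confirms that this particular spec is deterministic, it does not implement the paper's determinization construction.

```python
"""Event-recording automaton (ERA) runner: one clock x_a per event a, holding the
time since the last a. Added example; the spec and timed words are constructed."""
import math
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple

INF = math.inf                 # x_a == INF encodes "no a has occurred yet"
Clocks = Dict[str, float]      # event a -> x_a
TimedWord = List[Tuple[str, float]]


@dataclass(frozen=True)
class Transition:
    src: str
    event: str
    dst: str
    guard: Callable[[Clocks], bool]   # constraint over the event-recording clocks


class EventRecordingAutomaton:
    def __init__(self, alphabet: Iterable[str], transitions: Iterable[Transition],
                 initial: str, accepting: Iterable[str]):
        self.alphabet = frozenset(alphabet)
        self.transitions = list(transitions)
        self.initial = initial
        self.accepting = frozenset(accepting)

    def run(self, word: TimedWord) -> Tuple[bool, str]:
        """Return (accepted, diagnostic). Clock values depend only on the word,
        so the run is determined up to the choice among enabled transitions."""
        state, now = self.initial, 0.0
        last: Dict[str, float] = {}            # last[a] = timestamp of the last a
        for event, t in word:
            if event not in self.alphabet:
                return False, f"unknown event {event!r}"
            if t < now:
                return False, f"timestamps not monotone at t={t}"
            clocks = {a: t - last[a] if a in last else INF for a in self.alphabet}
            enabled = [tr for tr in self.transitions
                       if tr.src == state and tr.event == event and tr.guard(clocks)]
            if len(enabled) > 1:
                # Overlapping guards on the same (state, event): this spec is not
                # deterministic as written (the paper's construction would split it).
                raise ValueError(f"guards overlap in {state} on {event!r}")
            if not enabled:
                return False, f"rejected {event!r} at t={t} in {state} with {clocks}"
            state, now = enabled[0].dst, t
            last[event] = t
        return state in self.accepting, f"final state {state}"


def request_ack_spec(deadline: float = 5.0, min_gap: float = 1.0) -> EventRecordingAutomaton:
    """Constructed property: every req is acked within `deadline`, no new req
    before the previous ack, and consecutive reqs are at least `min_gap` apart."""
    return EventRecordingAutomaton(
        alphabet={"req", "ack"},
        transitions=[
            # INF >= min_gap is True, so the very first req is always admitted
            Transition("idle", "req", "pending", lambda x: x["req"] >= min_gap),
            Transition("pending", "ack", "idle", lambda x: x["req"] <= deadline),
        ],
        initial="idle",
        accepting={"idle"},
    )


def demo() -> Dict[str, bool]:
    """Constructed timed words (event, timestamp) run against the spec."""
    spec = request_ack_spec()
    words = {
        "ok":         [("req", 0.0), ("ack", 3.0), ("req", 4.0), ("ack", 8.0)],
        "late_ack":   [("req", 0.0), ("ack", 6.0)],
        "burst":      [("req", 0.0), ("ack", 0.5), ("req", 0.8)],
        "unanswered": [("req", 0.0)],
    }
    return {name: spec.run(w)[0] for name, w in words.items()}


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:12s} {'accepted' if accepted else 'rejected'}")
```

Because x_req is reset by the word rather than by the automaton, the deadline guard on `ack` and the spacing guard on `req` both read the same clock, which is exactly why two ERAs over the same alphabet can be compared state by state and why the class is closed under complement.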
Verifying Clocked Transition Systems
In Proceedings of the Fifth International Workshop on Languages and Compilers for Parallel Machines, 1996
Cited by 35 (9 self)
Abstract
This paper presents a new computational model for real-time systems, called the clocked transition system (CTS) model. The CTS model is a development of our previous timed transition model, where some of the changes are inspired by the model of timed automata. The new model leads to a simpler style of temporal specification and verification, requiring no extension of the temporal language. We present verification rules for proving safety properties (including time-bounded response properties) of clocked transition systems, and separate rules for proving (time-unbounded) response properties. All rules are associated with verification diagrams. The verification of response properties requires adjustments of the proof rules developed for untimed systems, reflecting the fact that progress in real-time systems is ensured by the progress of time and not by fairness. The style of the verification rules is very close to the verification style of untimed systems, which allows t...
Deductive Verification of Real-Time Systems Using STeP
Computer Science Department, Stanford University, 1998
Cited by 30 (8 self)
Abstract
We present a modular framework for proving temporal properties of real-time systems, based on clocked transition systems and linear-time temporal logic. We show how deductive verification rules, verification diagrams, and automatic invariant generation can be used to establish properties of real-time systems in this framework. We also discuss global and modular proofs of the branching-time property of non-Zenoness. As an example, we present the mechanical verification of the generalized railroad crossing case study using the Stanford Temporal Prover, STeP.
A Practical and Complete Algorithm for Testing Real-Time Systems
In Formal Techniques in Real-Time and Fault-Tolerant Systems, LNCS 1486, 1998
Cited by 29 (2 self)
Abstract
This paper presents a formal method for generating conformance tests for real-time systems. Our algorithm is complete in that, under a test hypothesis, if the system being tested passes every test generated then the tested system is bisimilar to its specification. Because the test algorithm has exponential worst-case complexity and finite-state automata models of real-time systems are typically very large, a judicious choice of model is critical for the successful testing of real-time systems. Developing such a model and demonstrating its effectiveness are the main contributions of this paper.
Keywords: real-time systems, black-box testing, timed automata
1 Introduction
An idealistic description of a formal development method from requirements to an implementation in hardware and software runs as follows. Construct successive refinements of the requirements until a detailed design is produced, verifying formally at each stage that the refinement satisfies the requirements imposed b...
Modeling and Verification of a Fault-Tolerant Real-Time Startup Protocol Using Calendar Automata
2004
Cited by 26 (2 self)
Abstract
We discuss the modeling and verification of real-time systems using the SAL model checker. A new modeling framework based on event calendars enables dense timed systems to be described without relying on continuously varying clocks. We present verification techniques that rely on induction and abstraction, and show how these techniques are efficiently supported by the SAL symbolic model-checking tools. The modeling and verification method is applied to the fault-tolerant real-time startup protocol used in the Time-Triggered Architecture.
Compositional Verification of Real-Time Systems
Proc. 9th IEEE Symp. on Logic in Computer Science, 1994
Cited by 23 (2 self)
Abstract
This paper presents a compositional proof system for the verification of real-time systems. Real-time systems are modeled as timed transition modules, which explicitly model interaction with the environment and may be combined using composition operators. Composition rules are devised such that the correctness of a system may be determined from the correctness of its components. These proof rules are demonstrated on Fischer's mutual exclusion algorithm, for which mutual exclusion and bounded response are proven.
1 Introduction
This paper presents a compositional proof system for the verification of real-time systems. Real-time systems are a particular class of reactive systems, i.e., systems exhibiting ongoing interaction with the environment, distinguished by the observation that the correctness of a real-time system depends not only on the qualitative aspects of its behavior, but also on the quantitative timeliness of its behavior. Real-time systems are modeled as timed transition ...
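Fischer's algorithm is the standard example of a protocol whose correctness is purely a matter of timing: a process that finds the shared variable free writes its own id within at most a time units, then waits at least b time units before re-reading it, and mutual exclusion holds only if a < b. The paper proves this compositionally; as an added example (not the paper's method or code), the script below instead enumerates every reachable state of a discrete-time version of the protocol for a fixed number of processes and fixed bounds, so the a < b requirement can be seen to be necessary as well as sufficient. The state encoding, the `IDLE`/`TRY`/`WAIT`/`CRIT` location names, and the clock cap are choices made for this example.

```python
"""Explicit-state check of Fischer's mutual exclusion protocol in discrete time.
Added example; it enumerates reachable states for fixed n, a, b rather than
proving the property compositionally as the paper does."""
from collections import deque
from typing import Dict, List, Optional, Tuple

IDLE, TRY, WAIT, CRIT = "idle", "try", "wait", "crit"
# (location of each process, integer clock of each process, owner of id; 0 = free)
State = Tuple[Tuple[str, ...], Tuple[int, ...], int]


def successors(s: State, a: int, b: int) -> List[State]:
    """Interleaved discrete moves of each process plus one unit time step."""
    locs, clks, owner = s
    n, out = len(locs), []
    for i in range(n):
        loc, x = locs[i], clks[i]

        def moved(new_loc: str, new_x: int, new_owner: int = owner) -> State:
            L, C = list(locs), list(clks)
            L[i], C[i] = new_loc, new_x
            return tuple(L), tuple(C), new_owner

        if loc == IDLE and owner == 0:
            out.append(moved(TRY, 0))                  # saw id free, start the clock
        elif loc == TRY and x <= a:
            out.append(moved(WAIT, 0, i + 1))          # id := i, within a time units
        elif loc == WAIT and x >= b:                   # waited at least b, re-read id
            out.append(moved(CRIT, x) if owner == i + 1 else moved(IDLE, x))
        elif loc == CRIT:
            out.append(moved(IDLE, x, 0))              # release id
    # Time may pass only while every TRY process can still meet its write bound a
    # (the location invariant x <= a of the timed-automaton formulation).
    if all(not (locs[i] == TRY and clks[i] >= a) for i in range(n)):
        cap = b + 1                                    # clocks beyond b are equivalent
        out.append((locs, tuple(min(x + 1, cap) for x in clks), owner))
    return out


def fischer_violation(n: int = 2, a: int = 1, b: int = 2) -> Optional[List[State]]:
    """Breadth-first search over all reachable states. Returns the path to the
    first state with two processes in CRIT, or None if mutual exclusion holds."""
    init: State = (tuple([IDLE] * n), tuple([0] * n), 0)
    parent: Dict[State, Optional[State]] = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if sum(loc == CRIT for loc in s[0]) > 1:
            path: List[State] = []
            cur: Optional[State] = s
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for t in successors(s, a, b):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return None


if __name__ == "__main__":
    print("a < b :", "safe" if fischer_violation(2, 1, 2) is None else "VIOLATION")
    bad = fischer_violation(2, 2, 1)
    print("a >= b:", "safe" if bad is None else f"violation after {len(bad) - 1} steps")
```

The search is exhaustive but only for the chosen n, a and b; that is the gap the paper's compositional rules close, since a proof from the components' timed specifications covers every instance at once rather than one finite state space.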
Finite State Automata as Conceptual Model for E-Services
2003
Cited by 18 (6 self)
Abstract
Recently, a plethora of languages for modeling and specifying different facets of e-Services have been proposed, and some of them provide constructs for representing time. Time is needed in many contexts to correctly capture the dynamics of transactions and of composability between e-Services. However, to the best of our knowledge, all the proposed languages for representing e-Service behaviour and temporal constraints lack both a clear semantics and an underlying conceptual model. In this paper, we propose a conceptual representation of e-Service behaviour, taking time constraints into account, and a new XML-based language, namely WSTL (Web Service Transition Language), that integrates well with standard languages in order to completely specify e-Services. In particular, WSTL allows for specifying an e-Service starting from its conceptual representation, in a straightforward way.
Finitary Fairness
Cited by 18 (4 self)
Abstract
Fairness is a mathematical abstraction: in a multiprogramming environment, fairness abstracts the details of admissible ("fair") schedulers; in a distributed environment, fairness abstracts the relative speeds of processors. We argue that the standard definition of fairness often is unnecessarily weak and can be replaced by the stronger, yet still abstract, notion of finitary fairness. While standard weak fairness requires that no enabled transition is postponed forever, finitary weak fairness requires that for every computation of a system there is an unknown bound k such that no enabled transition is postponed more than k consecutive times. In general, the finitary restriction n(F) of any given fairness requirement F is the union of all ω-regular safety properties contained in F. The adequacy of the proposed abstraction is shown in two ways. Suppose we prove a program property under the assumption of finitary fairness. In a multiprogramming environment, the program then satisfies the property for all fair finite-state schedulers. In a distributed environment, the program then satisfies the property for all choices of lower and upper bounds on the speeds (or timings) of processors. The benefits of finitary fairness are twofold. First, the proof rules for verifying liveness properties of concurrent programs are simplified: well-founded induction over the natural numbers is adequate to prove termination under finitary fairness. Second, the fundamental problem of consensus in a faulty asynchronous distributed environment can be solved assuming finitary fairness.
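The difference between weak fairness and finitary weak fairness is only visible when you measure postponement: for each transition, count the longest run of consecutive steps in which it was enabled but something else was taken. Weak fairness says no such run is infinite; finitary weak fairness says one number k bounds all of them. The code below is an added example (not from the paper) that computes those runs over a scheduling trace and contrasts a round-robin scheduler, whose bound is n - 1 no matter how long it runs, with a fixed-priority scheduler, whose bound grows with the trace length so that no single k ever works. The `Step` representation, the `p0`, `p1`, ... transition names, and both schedulers are constructed for this example.

```python
"""Measuring the finitary-fairness bound of scheduling traces. Added example;
the schedulers and traces below are constructed, not taken from the paper."""
from typing import Dict, List, Set, Tuple

Step = Tuple[Set[str], str]   # (transitions enabled before the step, transition taken)


def postponement_bounds(trace: List[Step]) -> Dict[str, int]:
    """For each transition, the longest run of consecutive steps during which it
    was enabled but not taken. Weak fairness forbids such a run from being
    infinite; finitary weak fairness asks for one bound k over every run."""
    run: Dict[str, int] = {}
    worst: Dict[str, int] = {}
    for enabled, taken in trace:
        for t in list(run):
            if t not in enabled:
                run[t] = 0              # a disabled transition is not being postponed
        for t in enabled:
            if t == taken:
                run[t] = 0
            else:
                run[t] = run.get(t, 0) + 1
                worst[t] = max(worst.get(t, 0), run[t])
        worst.setdefault(taken, 0)
    return worst


def is_k_fair(trace: List[Step], k: int) -> bool:
    """True if no transition in the trace was postponed more than k times in a row."""
    return all(v <= k for v in postponement_bounds(trace).values())


def round_robin(n: int, steps: int) -> List[Step]:
    """All n transitions always enabled, served cyclically: bound is n - 1."""
    procs = {f"p{i}" for i in range(n)}
    return [(set(procs), f"p{s % n}") for s in range(steps)]


def fixed_priority(n: int, steps: int) -> List[Step]:
    """All enabled, p0 always wins: within any finite prefix nothing has been
    postponed forever, but the bound grows with the prefix, so no k fits."""
    procs = {f"p{i}" for i in range(n)}
    return [(set(procs), "p0") for _ in range(steps)]


if __name__ == "__main__":
    for name, tr in (("round robin", round_robin(3, 30)),
                     ("fixed priority", fixed_priority(3, 30))):
        print(f"{name}: {postponement_bounds(tr)}")
```

This is the sense in which the paper calls finitary fairness a safety-like restriction: violating it is witnessed by a finite prefix (a run longer than k), which is what makes well-founded induction over the natural numbers sufficient for termination proofs.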
Specification and Verification of Fault-Tolerance, Timing and Scheduling
ACM Transactions on Programming Languages and Systems, 1999
Cited by 17 (5 self)
Abstract
Fault-tolerance and timing have often been considered to be implementation issues of a program, quite distinct from the functional safety and liveness properties. Recent work has shown how these non-functional and functional properties can be verified in a similar way. However, the more practical question of determining whether a real-time program will meet its deadlines, i.e. showing that there is a feasible schedule, is usually done using scheduling theory, quite separately from the verification of other properties of the program. This makes it hard to use the results of scheduling analysis in the design, or redesign, of fault-tolerant, real-time programs. This paper shows how fault-tolerance, timing and schedulability can be specified and verified using a single notation and model. This allows a unified view to be taken of the functional and non-functional properties of programs and a simple transformational method to be used to combine these properties. It also permits results fro...
High-Level Modeling and Analysis of the Traffic Alert and Collision Avoidance System (TCAS)
Proceedings of the IEEE, 2000
Cited by 13 (5 self)
Abstract
In this paper, we demonstrate a high-level approach to modeling, analyzing, and verifying complex safety-critical systems through a case study on the Traffic Alert and Collision Avoidance System (TCAS) [1–3], an avionics system that detects and resolves aircraft collision threats. Due to the complexity of the TCAS software and the hybrid nature of the closed-loop system, the traditional testing technique of exhaustive simulation does not constitute a viable verification approach. Moreover, the detailed specification of the system software employed to date as a means towards analysis and verification neither helps in intuitively understanding the behavior of the system, nor enables the analysis of the closed-loop system behavior. We advocate defining high-level hybrid system models that capture the behavior not only of the software, but also of the airplanes, sensors, pilots, etc. In particular, we show how the core components of TCAS can be captured by relatively simple Hybrid I/O Automata (HIOA) [4, 5], which are amenable to formal analysis. We then outline a methodology for establishing conditions under which TCAS guarantees sufficient separation in altitude for aircraft involved in collision threats. The contributions of this paper are the high-level models of the closed-loop TCAS system and the demonstration of the usefulness of high-level modeling, analysis, and verification techniques.