Model Checking Timed Systems with Priorities
Pao-Ann Hsiung and Shang-Wei Lin
Department of Computer Science and Information Engineering,
National Chung Cheng University, Chiayi, Taiwan 621, ROC
E-mail: hpa@computer.org
Abstract
Priorities are used to resolve conflicts such as in resource sharing and in safety designs. The use of priorities has become indispensable in real-time system design such as in scheduling, synchronization, arbitration, and fairness guaranteeing. There are several modeling frameworks that show how timed systems with priorities are to be designed and how priority schedulers can be automatically synthesized. However, the verification of timed systems with priorities using model checking is still a relatively untouched area. We show what the issues are in model checking timed systems with priorities and how the issues are solved in this work. In the process, we propose an optimal zone subtraction algorithm. The method has been implemented in the SGM model checker and successfully applied to real-time embedded systems and safety-critical systems, which illustrates the feasibility and advantages of the proposed verification method.
1. Introduction
Concurrency results in conflicts when resources are shared, such as when two or more processes try to use the same processor or the same peripheral device in real-time embedded systems. To resolve such conflicts, scheduling, synchronization, and arbitration are some well-known solutions that have been widely used in operating systems and in hardware designs. A common artifact of these solutions is the prioritization of contending parties: a low-priority process is allowed to execute only when all processes with higher priorities are disabled. Priorities may take different forms in different methods, such as the process arrival time in FIFO scheduling, the task period in rate-monotonic scheduling, the task deadline in earliest-deadline scheduling, or even as simple as an integer value assigned by a user to a real-time task. Priorities are also necessary for modeling interrupts in embedded systems.
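As an added illustration that is not part of the original paper, the following Python code makes the priority rule above concrete for transitions guarded on a single clock x: a transition may fire only at clock values where its own guard holds and no higher-priority guard holds, so its enabled set is its guard minus the union of the higher-priority guards, and that set can split into disjoint pieces. The zone representation (bounds with strictness flags), the subtraction routine, and the three constructed transitions are assumptions made for this example, not the paper's algorithm.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Zone:
    """Values of one clock x with lo <(=) x <(=) hi; a *_strict flag picks '<' over '<='."""
    lo: float
    hi: float
    lo_strict: bool = False
    hi_strict: bool = False

    def empty(self) -> bool:
        # lo == hi is non-empty only when both bounds are non-strict, i.e. the point [v, v]
        return self.lo > self.hi or (self.lo == self.hi and (self.lo_strict or self.hi_strict))

def _tighter_upper(v1, s1, v2, s2):
    """Tighter of two upper bounds (value, strict); on a tie the strict one wins. Same for lower."""
    return (v1, s1) if v1 < v2 or (v1 == v2 and s1) else (v2, s2)

def _tighter_lower(v1, s1, v2, s2):
    return (v1, s1) if v1 > v2 or (v1 == v2 and s1) else (v2, s2)

def subtract(z: Zone, c: Zone) -> List[Zone]:
    """z minus c for one-clock zones: zero, one or two pieces, so the result may be non-convex."""
    hi, hs = _tighter_upper(c.lo, not c.lo_strict, z.hi, z.hi_strict)
    lo, ls = _tighter_lower(c.hi, not c.hi_strict, z.lo, z.lo_strict)
    pieces = [Zone(z.lo, hi, z.lo_strict, hs),   # the part of z below c
              Zone(lo, z.hi, ls, z.hi_strict)]   # the part of z above c
    return [p for p in pieces if not p.empty()]

@dataclass(frozen=True)
class Transition:
    name: str
    priority: int   # larger value means higher priority
    guard: Zone     # clock constraint under which the transition itself is enabled

def enabled_zones(t: Transition, contenders: List[Transition]) -> List[Zone]:
    """Clock values at which t may actually fire: its guard minus every higher-priority guard."""
    pieces = [t.guard]
    for u in contenders:
        if u.priority > t.priority:
            pieces = [p for z in pieces for p in subtract(z, u.guard)]
    return pieces

def example_enabled() -> Dict[str, List[Zone]]:
    """Constructed example: three transitions leaving one location, all guarded on clock x."""
    ts = [Transition("high", 2, Zone(3, 5)),    # 3 <= x <= 5
          Transition("mid", 1, Zone(1, 8)),     # 1 <= x <= 8, blocked while "high" is enabled
          Transition("low", 0, Zone(0, 10))]    # 0 <= x <= 10, blocked while "high" or "mid" is enabled
    return {t.name: enabled_zones(t, ts) for t in ts}
```

In the constructed example both "mid" and "low" end up with two disjoint enabled zones, which is why subtracting higher-priority guards from a convex zone needs a representation for non-convex results.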
System models used for design and verification, such as timed automata, statecharts, and others, allow non-determinism, which arises out of concurrency, interleaving, and information hiding. However, non-determinism often results in unmanageably large state spaces. Prioritization of transitions not only models real systems more accurately but also removes non-determinism and thus reduces the size of state spaces. Several modeling frameworks have been proposed for modeling and designing systems with priorities. However, their verification techniques are still very limited. All the above mentioned reasons have motivated us to model check timed systems with priorities.
The target model for prioritization in this work is timed automata (TA) [4], because it is widely used in most model checkers for real-time systems, such as SGM [18, 23], RED [22], UPPAAL [6], and Kronos [24]. The main issue here is how to extend the syntax and semantics of TA without losing its original theoretical basis for model checking.
The remainder of this paper is organized as follows. Section 2 describes previous work related to priority modeling and verification. Basic definitions used in our work are given in Section 3. Section 4 formulates the solutions to the above described issues in prioritizing timed automata and then verifying them. An application example is given in Section 5 to show how priority helps in model checking. The article is concluded and future research directions are given in Section 6.
2. Related Work
Several works by Joseph Sifakis [1, 2, 16] have focused on modeling timed systems with priorities. A solid theoretical basis has been laid by these works for modeling schedulers based on priorities. Several well-known scheduling methods such as FIFO, rate-monotonic, earliest deadline first, least laxity first, and the priority ceiling protocol were modeled by priority rules. Deadlock-free controllers were also synthesized to meet safety properties expressed as priority rules [16]. A real-time process with arrival time, execution time, and period or deadline was formally modeled using different time urgencies such as delayable (must transit before the
Proceedings of the 11th IEEE International Conference on Embedded and Real-Time Computing Systems and Applications (RTCSA’05)
1533-2306/05 $20.00 © 2005 IEEE