Verification of Real-time Systems Shohreh Farahani shohreh.farahani @ gmail.com Mete Omerali meteomerali @ gmail.com Darko Durisic ddjurisic @ gmail.com Pavel Rabetski rabeckijps @ gmail.com Armando Manzanera armand0mc @ hotmail.com 1. INTRODUCTION Real-time systems are systems in which time necessary for execution of some parts of the system is critical. For example, if a plane is hit by a strong wind, system must detect it and try to balance the plane before it becomes too late. So in this case, it is not enough just to guarantee that the system will detect the hit, but also how fast that will happen. That is why verification of real- time systems properties plays very important part, especially if human lives are endangered by possible slow response time of the system. This document will focus on two major verification problems. First one is how to use a model checking technique for verifying that the behavior of the real-time system corresponds to the temporal logic formula. The second one is reachability problem (existence of execution path between two nodes of the system). The solutions to both problems are given using dense time model of time representation. Firstly, section 2 of the document will describe syntax and semantics of temporal logic formulas over branching time structures - CTL, and its real-time extension TCTL that will additionally allow specifying when something should happen in the system. Then, in section 3 of the document, timed automata will be introduced. A timed automaton is a version of automaton which is equipped with a set of clocks that count time. There can be multiple clocks assigned to each automata. Clocks start counting from the first state, but they can be reset at any time during transitions. They are used for checking if necessary time constraints are met before system changes its state. Section 4 of the document introduces clock assignments, their equivalence classes and how they are used to form regions. Main purpose of a region and region graph is to solve the problem of infinite number of system states due to denseness of the time (different time implies different state), so we can apply standard algorithms that work in a discrete time. In the end of section 4, the algorithm for proving that system property satisfies temporal logic formula is presented and explained (Labeling algorithm). Section 5 covers 3 different algorithms for solving reachability problem. Reachability problem has vital importance for several reasons. Firstly, it can express safety property of the system. For example, if there is a set of unsafe or incorrect states of the system, then non-reachability of this set implies system safety. Secondly, most algorithms for checking other properties are based on algorithms for checking reachability. Finally, section 6 of the document describes one of the software tools used for verification of the real-time systems called UPPAAL. 2. TCTL (Shohreh) 2.1 CTL CTL stands for Computation Tree Logic and it was presented for the first time by Emerson and Clarke as c. Let us assume that A is a set of automatic prepositions. CTL represents a temporal logic (formula) over branching time structures, and is defined as follows: [1] φ μ= p | false | φ 1 → φ 2 | ∃○ φ 1 | ∃ (φ 1  φ 2 ) | ∀ (φ 1  φ 2 ) Explanation:  p – atomic preposition  φ 1 → φ 2 – the truth of φ 1 implies the truth of φ 2 for the overall truth of formula φ 1 φ 2 φ T T T T F F F T T F F T  ∃○ φ 1 – in a successor state of the system, φ 1 will be true (φ 1 holds)  ∃ (φ1  φ2) – if φ 1 is true (φ 1 holds), there exists a path somewhere in the future in which φ 2 will become true (φ 2 holds)  ∀ ( φ1  φ2) – if φ1 is true (φ 1 holds), for every path in the future φ 2 will become true (φ 2 holds) For proving that given CTL formula φ explained above is satisfiable (⊨), we need to define what Kripke structure and a path is. [1] [7] Kripke structure ℳ is defined as a tuple ℳ = (S, ȝ, E) whereμ  S is a set of states  ȝ determines which prepositions are true in each state  E represent the transition between states Example 1: Figure 1: Sample automata A Kripke structure for the given automata A with 3 states (S 1 , S 2 , S 3 ) and prepositions p 1 and p 2 looks like this: