IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, VOL. XXX, NO. XXX, XXX XXX

Compositional Verification for Hierarchical Scheduling of Real-Time Systems

Laura Carnevali, Alessandro Pinzuti, and Enrico Vicario, Member, IEEE

Abstract—Hierarchical Scheduling (HS) techniques achieve resource partitioning among a set of Real-Time Applications, providing reduction of complexity, confinement of failure modes, and temporal isolation among system applications. This facilitates compositional analysis for architectural verification and plays a crucial role in all industrial areas where high-performance microprocessors allow growing integration of multiple applications on a single platform. We propose a compositional approach to formal specification and schedulability analysis of Real-Time Applications running under a Time Division Multiplexing (TDM) Global Scheduler and preemptive Fixed Priority (FP) Local Schedulers, according to the ARINC-653 standard. As a characterizing trait, each application is made of periodic, sporadic, and jittering tasks with offsets, jitters, and non-deterministic Execution Times, encompassing intra-application synchronizations through semaphores and mailboxes and inter-application communications among periodic tasks through message passing. The approach leverages the assumption of a TDM partitioning to enable compositional design and analysis based on the model of preemptive Time Petri Nets (pTPNs), which is expressly extended with a concept of Required Interface (RI) that specifies the embedding environment of an application through sequencing and timing constraints. This enables exact verification of intra-application constraints and approximate but safe verification of inter-application constraints. Experimentation illustrates results and validates their applicability on two challenging workloads in the field of safety-critical avionic systems.
Index Terms—Real-Time systems, Hierarchical Scheduling, ARINC-653, Time Division Multiplexing, preemptive Fixed Priority, compositional verification, preemptive Time Petri Nets, symbolic state-space analysis.

1 INTRODUCTION

Hierarchical Scheduling (HS) supports assignment of resources to clusters of schedulable entities and enables fine-grained resource partitioning among their constituent elements, providing aggregate resource allocation among a set of Real-Time Applications. This yields reduction of complexity, confinement of failure modes, and temporal isolation among system applications. The scheduling hierarchy is usually represented as a tree of nodes with an arbitrary number of levels, where each node may have an arbitrary number of children [38]. Among the disparate architectures that may serve the design of HS systems, a way of composing existing applications with different timing characteristics is to use a two-level scheduling paradigm: at the global level, a scheduler selects which application will be executed next and for how long; at the local level, a scheduler is used for each application to determine which task will be scheduled next [31].

Various analytical approaches address HS of systems that encompass local resource sharing [18], [27], [29], [30], [31], [16], [22], [38]. In [18], a two-level HS architecture manages the execution of both real-time and non-real-time applications on a single processor, assuming an Earliest Deadline First (EDF) global scheduler and a Total Bandwidth Server (TBS) [39] for each application. The approach is extended in [27] to encompass the Rate Monotonic (RM) global scheduling policy under the assumption of periodic tasks with harmonic periods.

The authors are with the Dipartimento di Sistemi e Informatica - Università di Firenze, 3, via S. Marta, 50139, Firenze, Italy. E-mail: carnevali, grassi, vicario@dsi.unifi.it
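The two-level TDM/FP hierarchy described above, as an added discrete-time simulation (it is not the paper's pTPN analysis, which explores all behaviours symbolically, and it is not code from the authors): a TDM global scheduler cycles through fixed partition slots of a major frame, and inside each slot a preemptive fixed-priority local scheduler runs the highest-priority ready task. Task periods, execution times and slot lengths are constructed, and the relative deadline of each task is assumed equal to its period.

```python
# Added example (not from the paper): discrete-time simulator of a TDM global
# scheduler over ARINC-653-style partition slots with a preemptive FP local
# scheduler inside each partition. All task/slot parameters are constructed.
from dataclasses import dataclass

@dataclass
class Task:
    name: str
    period: int     # release period; relative deadline assumed equal to it
    wcet: int       # execution time of every job, in ticks
    prio: int       # lower number = higher priority
    left: int = 0   # remaining work of the current job
    release: int = 0
    worst: int = 0  # worst observed response time

def owner_at(t, slots):
    """Global level: the partition that owns tick t of the cyclic major frame."""
    offset = t % sum(length for _, length in slots)
    for part, length in slots:
        if offset < length:
            return part
        offset -= length

def simulate(partitions, slots, horizon):
    """partitions: {name: [Task]}; slots: [(partition, length)] forming the
    TDM major frame. Returns ({task: worst response}, [(task, miss_time)])."""
    missed = []
    for t in range(horizon):
        for tasks in partitions.values():
            for k in tasks:
                if t % k.period == 0:          # new job: previous must be done
                    if k.left > 0:
                        missed.append((k.name, t))
                    k.left, k.release = k.wcet, t
        # local level: preemptive FP among ready tasks of the owning partition
        ready = [k for k in partitions[owner_at(t, slots)] if k.left > 0]
        if ready:
            run = min(ready, key=lambda k: k.prio)
            run.left -= 1
            if run.left == 0:
                run.worst = max(run.worst, t + 1 - run.release)
    return {k.name: k.worst for ks in partitions.values() for k in ks}, missed

def example(extra_b=()):
    """Constructed workload: two partitions with equal 4-tick slots."""
    parts = {"A": [Task("a1", 8, 2, 1), Task("a2", 16, 3, 2)],
             "B": [Task("b1", 8, 3, 1), *extra_b]}
    return simulate(parts, [("A", 4), ("B", 4)], 16)
```

Note that a2's response time (11 ticks for 3 ticks of work) comes from waiting out partition B's slot, which is exactly the kind of inter-partition delay the TDM interface makes predictable; adding a second task to partition B that exceeds its slot budget shows up as a missed deadline.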
In [29], an exact schedulability condition is provided for a two-level HS scheme with EDF global scheduling policy and EDF/RM local scheduling policy. In [31], [30], a methodology based on the periodic server abstraction derives the class of server parameters that guarantees schedulability for Fixed Priority (FP) local schedulers. Response time analysis is employed in [16] to obtain exact schedulability conditions for systems that are handled by FP preemptive scheduling both at the local and at the global level, comparing Periodic, Sporadic, and Deferrable Servers. In [33], a resource-level scheduler partitions a shared resource into real-time virtual resources and makes each of them accessible only to the tasks of an individual application, supporting task-level schedulability with respect to given partitions under FP and EDF policies. The resource model of [22], [38] supports the derivation of the exact schedulability condition for a partitioned resource with periodic behavior under EDF and RM policies. The approach also encompasses an interface model that represents the temporal guarantees of a parent scheduler through a periodic resource model, and abstracts the temporal requirements of a child scheduler through a periodic workload model. A compositional method is provided that derives the timing requirements of the parent scheduler from those of its child schedulers, so that the parent model is schedulable iff its child models are schedulable. Recent analytical approaches address HS of systems that