Modeling Critical Systems with Timing Constraints in Event-B Faezeh Siavashi 1 , Marina Wald´ en 1 , Leonidas Tsiopoulos 1 and J¨ uri Vain 2 1 ˚ Abo Akademi University, Turku, Finland fsiavash@abo.fi, mwalden@abo.fi, ltsiopou@abo.fi 2 Tallinn University of Technology, Tallinn, Estonia vain@ico.ee 1 Introduction The complexity of safety critical systems consisting of software and hardware parts is con- tinuously increasing. Formal methods address the issues of provably correct design offering mathematical techniques to create specifications to develop and verify safety critical systems [1]. They ensure that the implemented systems work correctly according to the defined specifi- cations. In this paper, we study the practical aspects of applying Event-B [1] for modelling and verification of time-critical systems. Event-B has been used for developing industrial strength systems, but it lacks timing support. UPPAAL [8], on the other hand, is a model checker which has a good support for timing. In order to enrich the application areas of Event-B, we aim at extending it with timing aspects from UPPAAL. By adding timing properties to Event-B, we can guarantee provably correct timing design on the same basis as the functional correctness is ensured [3]. Event-B is based on the B-Method and is meant for refinement-based development of dis- tributed and reactive systems where implementation details are added to design specifications in a stepwise manner. The system model is extended with new variables and assignments, and new conditions, e.g. stronger guards and invariants. Event-B comes with the Rodin tool, that provides automatic and interactive discharging of proof obligations [5]. UPPAAL is a model checker with extended timed automata called UPPAAL Timed Automata (UPTA)[2]. Our main contribution is that we exploit the patterns for modeling and refinement of timing properties within UPPAAL and transform these patterns to patterns in Event-B. Hence, we are able to verify that the refined timing specification combined with refined functionality together satisfy the more abstract specification [6]. Our work is exemplified by a case study provided by Danfoss Power Electronics, which was part of the EU-project RECOMP (2010-2013) [4]. The case study is available in detail in [7]. 2 Model transformation from UPPAAL to Event-B We model the timing properties of the system in UPPAAL. These models are then transformed to Event-B as follows: (1) Each UPPAAL model location is mapped to a state of Event-B. (2) Each transition between locations in the UPPAAL model is mapped to an event in Event-B. (3) The abstract clock in UPPAAL is mapped to an event in Event-B. (4) The invariants and guards in UPPAAL are modeled to guards in Event-B. (5) The declarations in the UPPAAL model is mapped to invariants and axioms in Event-B, according to the data types of the parameters in UPPAAL. Real-time systems contain a variety of patterns for timing constraints. In this work, we focus on the two most important and common timing constraints and their refinement patterns: Delay 70