**1. Introduction**

128 Real-Time Systems, Architecture, Scheduling, and Application

ITU-T (2004). Z. 120. Message Sequence Charts, available at http://www.itu.int/rec/T-

Manna, Z. & Pnueli A. (1992). The Temporal Logic of Reactive and Concurrent Systems:

Manna, Z. & Pnueli A. (1995). Temporal Verification of Reactive Systems: Safety, ISBN

Maoz, S. & Harel, D. (2011). On tracing reactive systems, Software and Systems Modeling,

Micskei, Z. & Waeselynck, H. (2011). The many meanings of UML 2 Sequence diagrams: a

OMG (2011). Unified Modeling Language, Superstructure, version 2.4.1. Available from:

Roubtsova, E.E., & van Katwijk, J., & Toetenel, W.J., & Pronk, C., & de Rooij, R.C.M. (2000).

Störrle, H. (2004). Assert, Negate and Refinement in UML-2 Interactions, *Proceedings of 3rd* 

Walkowiak, A. (2011). Specification of reactive systems, PhD Thesis (in Polish), Wrocław

survey, Software and Systems Modeling, vol. 10, no. 4., pp. 489-514, , ISSN 1619-

Specification of Real-Time Systems in UML, Electronic Notes in Theoretical

*Int. Workshop on Critical Systems Development with the UML (CSDUML'04)*, Lisbon,

University of Technology, Faculty of Informatics and Management, Institute of

Specification, ISBN 0387976647 , *Springer-Verlag*

Nissanke, N. (1997). Realtime systems, ISBN 978-0136512745, *Prentice Hall* 

http://www.omg.org/spec/UML/2.4.1/Superstructure/PDF/

URL: http//www.elsevier.nl/locate/entcs/volume39.html 13 pages

vol. 10, no. 4., pp. 447-468, ISSN 1619-1366

REC-Z.120

1366

October 2004

Informatics

0387944591, *Springer-Verlag* 

Computer Science, vol. 39, no. 3.

Verification of real time software is facing two problems: (1) how we should manage to produce verification rules and (2) how we should apply the rules to specify the problem. In this chapter we provide a method by which we get down to these two problems. In the first step, we specify real time software using *Timed Automata* and then we state it in RTL, real time logic, propositions. Timed Automata address modeling systems in time (Alure & Dill, 1996). In the second step, we obtain the safety constraints from *reachability graph* of Timed Automata of the problem specification and after that we state it in real time logic propositions. These propositions showing safety constraints are used for verification of the propositions, i.e. the results of the specification obtained in the first step. To show the effectiveness of our method, we set forth it for the RCC (Rail Road Crossing Control) real time system.

Software verification is an important process in constructing software and a main factor for obtaining safety from the quality of software. For verification of software we should deal with its verification against the expected behavior. The expected behavior is safe characteristics or prepositions that the software must always agree with. For this purpose, there are three main approaches: (1) static verification, (2) software testing and (3) run-time verification. Meanwhile one of the important and key approaches, essentially used for mission and safety critical systems, is the run-time verification; the existence of the problems in the first and second approaches is the reason of using run-time verification. For example, we can indicate the disability of the first method in proving the complicated and large specifications. Another instance is rapidly increasing the number of states (called state explosion) in the *model checking* method, which is a static verification one.

Because Timed Automata are methods based on time and event, they are suitable for describing the behavior of real time systems and because Timed Automata are visual methods, their understanding is easy. But they have limitations for specification of some statuses and also they cannot specify some conditions very well. Therefore, we need especial methods for analysis and verification of Timed Automata behavior that increase safety in these systems and decrease the amount of the faults.

There are different ways to verification of Timed Automata behavior. One of these ways is using *reachability graph*; however an especial method should be chosen to cover the

Construction of Real-Time Oracle Using Timed Automata 131

Each element *e* of *E* is denoted by a,cc,X l l' ⎯⎯⎯→ represents a transition from the location l to

the clock constraint cc defining an enabling condition. The function I assigns each location

If the enabling conditions and the values of the location invariant are in the set CX only, then the automaton is called *diagonal-free*. Given the transition a,cc,X e:l l' ⎯⎯⎯→ , we write source(s), action(s), target(s), guard(s) and reset(s) for l,l',a,cc and X, respectively. The clocks in Timed Automata allow expressing the time properties. An enabling condition constrains the execution of a transition. An invariant condition permits an automaton to stay at the

Real-time systems are usually represented by networks (sets) of Timed Automata. A typical example widely considered in the literature, is modeling an automated railroad crossing

A set of timed automata can be composed into a global (product) timed automaton as follows: the transitions of the timed automata that do not correspond to a shared action are interleaved whereas the transitions labeled with a shared action are synchronized. There are many different denitions for a parallel composition. One definition is determining the multi-way synchronization, i.e., each component that contains a communication transition

be a finite ordered set of indices, and i

λ

ϑ

λ

λ

where 0

i i ii i i i

∧ ∈ ∈ ∈ ⇔

(labeled with a shared action) has to perform this action (Penczek & Polrola, 2006).

= (A ,L ,l ,E ,X ,I ), is a set (network) of Timed Automata indexed with

1 n 1 n i i i A(a) i i A(a) i i i

(l ,...,l ),a, cc , X ,(l' ,...,l' ) E

( i A(a))(l ,a,cc ,X ,l' ) E and( i \A(a))l' l .

∀ ∈ ∈ ∀∈ = 

λ

is a timed automaton specified as: <sup>0</sup>

are called components. Let A(a) {i |a A } =∈ ∈

χ

ϑ

of the clocks to be reset, and with

ζ

i be a set of the indices of the

= (A,L,l ,E,X,I) , where

. A composition (product) of the Timed

 = ∈ { |i } ϑ

 λ

(2)

λ. The

can stay in l .

ϕ,

• A is a nite set of actions, where A IR ∩ = <sup>0</sup><sup>+</sup>

⊆ is a transition relation,

is a (location) invariant.

the location l' , executes the action a , with the set X ⊆

location l as long as the clock constraint I(l) is satisfied.

λ

components containing the action i i a A ∈ <sup>∈</sup>

λ

And the *transition relation* is given as Relation 2.

λ

 ϑ

(known as the Train–Gate–Controller).

**Definition**. Let 1 n {i ,...,i } λ=

ζ

i i ii i ii

Automata 1 n i i ||...||

ϑ

λ,

λ,

λ , • 1 n i i i ii I((l ,...,l )) I (l ), λ = ∧ <sup>∈</sup>λ

ϑ

automata in

• A A = i i <sup>∈</sup>

• L L = ∏i i <sup>∈</sup>

• X X = i i <sup>∈</sup>

• 1 n 00 0 i i l (l ,...,l ) = ,

l L ∈ a clock constraint defining the conditions under which

• L is a finite set of locations,

θ

l L ∈ is an initial location, • X is a finite set of clocks, • <sup>X</sup> E L\*A\*C \*2 \*L <sup>X</sup>

θ

• <sup>0</sup>

• <sup>X</sup> I:L C →

weakness of this method. We can use methods that are based on logic for reasoning and timing the Timed Automata. In this chapter, we suggest a framework for setting and executing Timed Automata using *Real Time Logic* (RTL) providing a reasoning framework based on *First Order Logic* (FOL). RTL reflects a different method for timed systems (Paneka et al, 2006).

In this chapter, we show that Timed Automata per se is not able to show constraints of the systems, but if it is used with formal textual language such as RTL, expressing the constraints of the system would by more.

This chapter includes four sections: (1) in the second section, we express a brief explanation about Timed Automata, (2) in the third one we address an explanation about Real Time Logic and (3) in fourth section we express our approach to simulate Timed Automata by means of Real Time logic. In this section, we propose a case study and specify it using Timed Automata and Real Time logic. Then, we discuss the system constraints to supervise unsafe states.
