Verifying Real-Time Systems using Explicit-time Description Methods
Timed model checking has been extensively researched in recent years. Many new formalisms with time extensions and tools based on them have been presented. On the other hand, Explicit-Time Description Methods aim to verify real-time systems with gene…
Authors: Hao Wang and Wendy MacCaull (Centre for Logic and Information, St. Francis Xavier University)
S. Andova et al. (Eds.): Workshop on Quantitative Formal Methods: Theory and Applications (QFM'09), EPTCS 13, 2009, pp. 67–78, doi:10.4204/EPTCS.13.6. © H. Wang & W. MacCaull. This work is licensed under the Creative Commons Attribution License.

Hao Wang and Wendy MacCaull, Centre for Logic and Information, St. Francis Xavier University, Antigonish, Canada. {hwang, wmaccaul}@stfx.ca

Abstract. Timed model checking has been extensively researched in recent years. Many new formalisms with time extensions and tools based on them have been presented. On the other hand, Explicit-Time Description Methods aim to verify real-time systems with general untimed model checkers. Lamport presented an explicit-time description method using a clock-ticking process (Tick) to simulate the passage of time together with a group of global variables for time requirements. This paper proposes a new explicit-time description method with no reliance on global variables. Instead, it uses rendezvous synchronization steps between the Tick process and each system process to simulate time. This new method achieves better modularity and facilitates usage of more complex timing constraints. The two explicit-time description methods are implemented in DiVinE, a well-known distributed-memory model checker. Preliminary experiment results show that our new method, with better modularity, is comparable to Lamport's method with respect to time and memory efficiency.

1 Introduction

Model checking is an automatic analysis method which explores all possible states of a modeled system to verify whether the system satisfies a formally specified property. It was popularized in industrial applications, e.g., for computer hardware and software, and has great potential for modeling and monitoring complex and distributed business processes.
Timed model checking, the method to formally verify real-time systems, is attracting increasing attention from both the model checking community and the real-time community. However, general model checkers like SPIN [14] can only represent and verify the qualitative relations between events, which constrains their use for real-time systems. The quantified time notions, including time instant and duration, must be taken into account for timed model checking. For example, in a safety critical application such as an emergency department, after an emergency case arrives at the hospital, general model checking of the hospital protocol can only verify whether "the patient receives a certain treatment", but to save the patient's life, it should be verified whether the protocol ensures that "the patient receives a certain treatment within 1 hour".

Many formalisms with time extensions have been presented as the basis for timed model checkers. A typical example is timed automata [5], which is an extension of finite-state automata with a set of clock variables to keep track of time. Lamport [16] calls this approach Implicit-Time Description Methods. UPPAAL [8] is a well-known timed-automata-based model checker; it has been successfully applied to various real-time controllers and communication protocols. Conventional temporal logics like Linear Temporal Logic (LTL) or Computation Tree Logic (CTL) must be extended [6] to handle the specification of properties of timed automata. The foundation for the decidability results in timed automata is based on the notion of region equivalence over clock assignments [9].
Models in a timed-automata-based model checker cannot represent at which time instant a transition is executed within a time region; such model checkers can only deal with specifications involving a time region or a pre-specified time instant. However, many real-time systems, especially those with pre-emptive scheduling features, need to record the time instant when the pre-emption happens for succeeding calculation. For example, triage is widely practiced in medical procedures; the caregiver C may be administering some required but non-critical treatment on patient A when another patient B presents with a critical situation, such as a cardiac arrest. C then must move to the higher priority task of treating B, but it is necessary to store the elapsed time of A's treatment to determine how much time is still needed or whether the treatment needs to be restarted. The stop-watch automata [4], an extension of timed automata, were proposed to tackle this; unfortunately, as Krčál and Yi discussed in [15], since the reachability problem for this class of automata is undecidable, there is no guarantee of termination in the general case.

On the other hand, Lamport [16] advocated the Explicit-Time Description Methods, which aim to use ordinary model checkers to realize timed model checking. He presented an explicit-time description method (referred to below as LEDM) using a clock-ticking process (Tick) to simulate the passage of time and a pair of global variables to store the time lower and upper bounds for each modeled system process. The main advantage of the explicit-time approach is that it does not need specialized languages or tools for time description. The method has been implemented with the popular model checkers SPIN (sequential) [14] and SMV [17]. Recently, Van den Berg et al. [10] successfully applied LEDM to verify the safety of railway interlockings for one of Australia's largest railway companies. An additional benefit of the explicit-time approach is that, as it explicitly records the passage of time so that the current time instant can be accessed easily, the pre-emptive scheduling problem discussed in the previous paragraph, which causes difficulty for the timed-automata-based model checkers, can be modeled naturally with explicit-time description methods.

In this paper, we propose a new explicit-time description method called the Sync-based Explicit-time Description Method (SEDM), which does not rely on global variables; instead it uses rendezvous synchronization steps between the Tick process and each system process. After the Tick process completes synchronization steps with every system process, the global clock increments by one time unit. While, as Lamport commented [16], "The approach (LEDM) cannot be used in process-based languages and formalisms with no explicit global state, such as CCS, CSP, Petri nets, streams and I/O automata", SEDM can do exactly that. As an added advantage, SEDM allows the timing constraints to be defined either globally or locally, so the whole system can be modeled in a way that enhances its modularity. We choose DiVinE [7], a well-known distributed model checker, because it accommodates the up-to-date multi-core architecture, i.e., clusters of multi-core CPUs, and it has been tested successfully in large-scale clusters, even in a large-scale optical grid [19]. Experimental results show that SEDM is comparable to LEDM with respect to time and memory efficiency, so SEDM can be used in place of LEDM.

The remainder of the paper is organized as follows. After a brief introduction to DiVinE, Section 2 presents the LEDM with its DiVinE implementation.
The new method SEDM with its DiVinE implementation is presented in Section 3. Section 4 describes our experiments and the results. Section 5 concludes the paper.

2 Preliminaries

The syntax outlined in 2.1, being incomplete, is meant for the presentation of the explicit-time description methods; the complete description can be found in [3].

2.1 The DiVinE Model Checker and its Modeling Language

DiVinE is an explicit-state LTL model checker based on the automata-based procedure by Vardi and Wolper [18]. The property to be specified is described by an LTL formula; both the system model and the LTL formula are represented by automata, and the model checking problem is then reduced to detecting in the combined automaton graph whether there is an accepting cycle, i.e., a cycle in which one of the vertices is marked "accepting". With the distributed algorithms that assign different portions of the state space to be explored by different machines, DiVinE can: (1) verify much larger system models; (2) finish the verification in significantly less time (in comparison with the well-known explicit-state LTL model checker SPIN).

DVE is the modeling language of DiVinE. As in Promela (the modeling language of SPIN), a model described in DVE consists of processes, message channels and variables. Each process, identified by a unique name procid, consists of a list of local variable declarations, process state declarations, an initial state declaration and a list of transitions. A transition transfers the process state from stateid_1 to stateid_2; the transition may contain a guard (which decides whether the transition can be executed), a synchronization (which communicates data with another process) and effects (which assign new values to local or global variables).
So we have

    Transition ::= stateid_1 -> stateid_2 { Guard Sync Effect }

The Guard contains the keyword guard followed by a boolean expression and the Effect contains the keyword effect followed by a list of assignments. The Sync follows the notation for communication in CSP, '!' for the sender and '?' for the receiver. The synchronization can be either asynchronous or rendezvous. The chanid is the channel for the synchronization; value(s) can be transferred in it. So we have

    Sync ::= sync chanid!SyncValue | chanid?SyncValue

The property to be specified can be written as an LTL formula and a corresponding property process can be automatically generated. Modeled system processes and the property process progress synchronously, so the latter can observe the system's behavior step by step and catch errors.

2.2 Lamport Explicit-time Description Method

The passage of time and timed quantified values can be expressed in untimed languages, and properties to be specified can be expressed in conventional temporal logics. In LEDM, the current time is represented with a global variable now that is incremented by an added Tick process. Since ordinary model checkers can only deal with integer variables, the real-time system can be modeled in discrete time only using an explicit-time description. The Tick process increments now by 1. Placing lower-bound and upper-bound timing constraints on transitions in processes is the common way to model real-time systems. Figure 1 shows a simple example of only two transitions: transition S: stateid_l -> stateid_m is followed by the transition A: stateid_m -> stateid_n.
An upper-bound timing constraint on when a transition A: stateid_m -> stateid_n must occur is expressed by a guard on the transition in the Tick process, so as to prevent an increase in time from violating the constraint. A lower-bound constraint on when the transition A may occur is expressed by a guard on A, so it cannot be executed earlier than it should be. Each system process P_i has a pair of count-down timers as global variables, ubtimer_i and lbtimer_i, for the timing constraints on its transitions. A large enough integer constant INFINITY is defined; those upper bound timers with the value INFINITY are not active and the Tick process does not decrement them. All upper bound timers are initialized to INFINITY and all lower bound timers are initialized to zero. For transition A, the timers will be set to the correct values by its preceding transition S. As now is incremented by 1, each non-INFINITY ubtimer and non-zero lbtimer is decremented by 1.

Figure 1: States and timeline for process P_i

Initially, (ubtimer_i, lbtimer_i) are set to (INFINITY, 0). The transition S is executed at time instant t_0, and (ubtimer_i, lbtimer_i) are set to (τ_2, τ_1). After τ_1 time units, i.e., at time instant t_1 when (ubtimer_i, lbtimer_i) is equal to (τ_2 − τ_1, 0), the transition A is enabled. Both timers will be reset or set to new time bounds after the execution of A. If the transition A is still not executed when the time reaches t_2 and ubtimer_i is equal to 0, the transition in the Tick process is disabled, which means the clock has to stop here. Only after ubtimer_i is set by transition A can the Tick process start again. In this way, the time upper-bound constraint is realized.
The Tick process and the system process P_i in DVE are described in Figure 2 and Figure 3.

    process P_Tick {
      state tick;
      init tick;
      trans
        tick -> tick { guard all ubtimers > 0;
                       effect now = now + 1, decrement all timers; };
    }

Figure 2: Tick process in DVE for LEDM

We observe that the value of now is limited by the size of the type integer, and careless incrementing can cause an overflow error. This can be avoided by incrementing now using modular arithmetic, i.e., setting now = (now + 1) mod MAXIMAL (MAXIMAL is the maximal integer value supported by the model checker). The value limit can also be increased by linking several integers, i.e., every time (int_1 + 1) mod MAXIMAL becomes zero again, int_2 increments by 1, and so on. Note that the variable now is only incremented in the Tick process and does not appear in any other process. So for general system models in which time lower and upper bounds suffice, the variable now should be removed.

    process P_i {
      state ..., state_l, state_m, state_n;
      init ...;
      trans
        ... -> ...,
        state_l -> state_m { ...; effect set timers for transition A; },
        state_m -> state_n { guard lbtimer[i] == 0; effect ...; },
        ... -> ...;
    }

Figure 3: System process P_i in DVE for LEDM

3 The New Sync-based Explicit-Time Description Method

This section presents the new SEDM, followed by two examples to illustrate its modularity advantage and its capability to model pre-emptive scheduling problems.

3.1 The Method

In the new SEDM, the passage of time is also simulated by an additional Tick process. In one time unit, it completes synchronization steps with each system process. The current time is the count of previous synchronization steps, so all the timing variables can be defined either locally or globally. In this way, local timers can be added or removed without affecting the model globally, and good modularity can be achieved.
Note that the now variable can also be removed for a similar reason, but if any system process contains an enabling condition that is dependent on a certain time instant, it is safe to define a now variable locally. For the same example in Figure 1, P_i has local timers (ubtimer, lbtimer). For the transition A: stateid_m -> stateid_n, each of the timers will be set to the correct values (τ_2, τ_1) by its preceding transition, S: stateid_l -> stateid_m. The execution is similar to Lamport's method except: (1) the timers are decremented locally by 1 after each synchronization with the Tick process; (2) if the transition A is still not executed when the time reaches t_2 and ubtimer_i is equal to 0, there is no synchronization step before executing transition A. Because the Tick process has to synchronize with each process for each tick, it must wait for P_i's next sync statement. The Tick process, for two system processes, in DVE is described in Figure 4. The local ubtimer and lbtimer can be defined and used in a system process as in Figure 5.

Readers may argue against the usage of round-robin scheduling of all synchronization steps in one tick: P_1 always ticks before P_2. Actually, a timed model to be verified is built to cover every possible execution of all system steps, which can be assured in SEDM by separating transitions for system steps and transitions for time synchronization in all system processes. Therefore, we do not need to cover every possible sequence of all synchronization steps; one sequence is enough for the verification. Readers may also be concerned about the size of the state space and time efficiency, as SEDM adds N synchronization steps for every time unit, N being the number of system processes.
However, the experimental results (see Section 4) show that as the model grows bigger, the time and memory efficiency and the size of the state space are comparable to those of LEDM.

    process P_Tick {
      state tick1, tick2;
      init tick1;
      trans
        tick1 -> tick2 { sync chan1!; },
        tick2 -> tick1 { sync chan2!; };
    }

Figure 4: Tick process in DVE for SEDM

    process P_i {
      int ubtimer, lbtimer;
      state state_l, state_m, state_n, ...;
      init ...;
      trans
        ... -> ...,
        state_l -> state_m { ...; effect set timers for transition A; },
        state_m -> state_m { guard ubtimer > 0; sync chan1?;
                             effect decrement timers by 1; },
        state_m -> state_n { guard lbtimer == 0 && ...; ...; },
        ... -> ...;
    }

Figure 5: System process P_i in DVE for SEDM

3.2 An Example with Complex Timers

As the time can be accessed locally with SEDM, complex timing constraints, e.g., a fixed time delay (the special case when ubtimer == lbtimer), multiple independent (possibly overlapping) timers and dependent timers, can be expressed more conveniently than with LEDM, because with the latter method new global variables must be defined and the Tick process must be updated. Figure 6 describes five transitions A, B, C, D, E in P_i (see the upper part of the figure) and their associated timeline. Transition A: stateid_m -> stateid_n has a fixed time delay, τ_0; transition B: stateid_n -> stateid_o has upper and lower bounds (τ_2, τ_1); transition C: stateid_n -> stateid_p has upper and lower bounds (τ_4, τ_3). After the execution of transition A, there is a time period (t_3, t_4) during which both transitions B and C are enabled and chosen non-deterministically. Transitions D: stateid_o -> stateid_q and E: stateid_p -> stateid_q have upper and lower bounds which are dependent on the execution time of B or C.
The process P_i in DVE is described in Figure 7.

3.3 An Example of Pre-emptive Scheduling

Following the triage example described in Section 1, we consider a system of multiple parallel tasks with different priorities, assuming that the right to an exclusive resource is deprivable, i.e., a higher priority task B may deprive the resource from the currently running task A. In this case, the elapsed time of A's execution must be stored for a future resumed execution.

Figure 6: States and timeline for complex timers using SEDM

    process P_i {
      ...;
      trans
        ... -> ...,
        state_l -> state_m { ...; effect fixdelay = τ_0; },
        state_m -> state_m { guard fixdelay > 0; sync chan1?;
                             effect fixdelay = fixdelay - 1; },
        state_m -> state_n { guard fixdelay == 0; ...;
                             effect ubtimer1 = τ_3, lbtimer1 = τ_1,
                                    ubtimer2 = τ_4, lbtimer2 = τ_2; },
        state_n -> state_n { guard ubtimer2 > 0; sync chan1?;
                             effect decrement timers by 1; },
        state_n -> state_o { guard ubtimer1 > 0 && lbtimer1 == 0; ...; },
        state_n -> state_p { guard ubtimer2 > 0 && lbtimer2 == 0; ...; },
        ... -> ...;
    }

Figure 7: System process P_i in DVE with complex timers

Figure 8 shows a portion of a state transition diagram for task A, assuming A needs the exclusive resource R for 10 time units; when R becomes available at time instant t_0, A starts its execution by entering the state Exec; at time instant t_1, B deprives A's right to R, and A changes to the state Deprived and stores the elapsed t_1 − t_0 time units; when R becomes available again, A resumes its execution in state Exec for the remaining 10 − (t_1 − t_0) units. Implementation of this example using any one of the three explicit-time description methods is straightforward. Figure 9 shows the process for task A in DVE using SEDM (assuming A has the lowest priority).
Figure 8: An Example of Pre-emptive Scheduling

    byte isROccupied = 0;   // 0 means available

    process A {
      default(Tag, tag_A)
      int timeToGo = 10;    // remaining execution time, saved when deprived
      int ltimer;           // local count-down timer for the current run
      state s_i, s_Exec, s_Deprived, s_Next, ...;
      init ...;
      trans
        ... -> ...,
        s_i -> s_Exec { guard isROccupied == 0;
                        effect isROccupied = Tag, ltimer = timeToGo; },
        s_Exec -> s_Exec { guard ltimer > 0; sync chan1?;
                           effect ltimer = ltimer - 1; },
        s_Exec -> s_Deprived { guard isROccupied == Tag && ltimer > 0;
                               effect timeToGo = ltimer; },
        s_Deprived -> s_Deprived { guard isROccupied != 0; sync chan1?; },
        s_Deprived -> s_Exec { guard isROccupied == 0;
                               effect isROccupied = Tag, ltimer = timeToGo; },
        s_Exec -> s_Next { guard ltimer == 0; effect isROccupied = 0; },
        ... -> ...;
    }

Figure 9: Process in DVE for Pre-emptive Scheduling Example using SEDM

4 Experiments in DiVinE

For the convenience of comparison, we experiment with Fischer's mutual exclusion algorithm, a well-known benchmark for timed model checking, which is also used by Lamport in his experiments [16]. The brief description of the algorithm is adapted from [16]. Our experiments model the algorithm in DiVinE using LEDM and SEDM, and compare the time and memory efficiency and the size of the state space.

Fischer's algorithm is a shared-memory, multi-threaded algorithm. It uses a shared variable x whose value is either a thread identifier (starting from 1) or zero; its initial value is zero. For the convenience of specification of the safety property in our experiments, we use a counter c to count the number of threads that are in the critical section. The program for thread t is described in Figure 10.
    ncs: non-critical section;
    a:   wait until x = 0;
    b:   x := t;
    c:   if x ≠ t then goto a;
    cs:  critical section;
    d:   x := 0; goto ncs;

Figure 10: Program of thread t in Fischer's algorithm

The timing constraints are, first, that step b must be executed at most δ time units (as an upper bound) after the preceding execution of step a; and second, that step c cannot be executed until at least ε time units (as a lower bound) after the preceding execution of step b. For step c, there is an additional upper bound ε_upper to ensure fairness. For convenience, we use the same value for the three constraints, i.e., δ = ε = ε_upper = T. The algorithm is tested for 6 threads. The safety property, "no more than one process can be in the critical section", is specified as G(c < 2) for the model.

                       LEDM                             SEDM
    T        States     Time     Memory       States     Time     Memory
    2        644987      1.8     4700.1      1838586      2.9     4865.3
    4       3048515      3.3     4942.8      6923088      4.3     5641.9
    6      11201179      7.2     6343.4     18460632      9.3     7402.0
    8      32952899     18.6     9958.9     48177552     21.2    11905.0
    10     82428155     49.2    18016.2    113914104     46.1    21894.8
    12    182767747    115.0    34906.3    244265616    108.8    41454.5
    14    369377435    290.9    65205.1    482259672    230.0    78936.2
    16    693683459    617.5   122549.0    889586256    611.2   148010.0

Figure 11: Time (in seconds), number of states and memory usage (in MB) for Fischer's algorithm using the two explicit-time methods in DiVinE with 16 CPUs

Version 0.8.1 of DiVinE-Cluster is used. This version has the new feature of pre-compiling the model in DVE into dynamically linked C functions; this feature speeds up the state space generation significantly. According to the published experimental results of DiVinE [19], we choose the OWCTY (One Way to Catch Them Young) algorithm for better time efficiency, as our example property is known to hold.
All experiments are executed on the Mahone cluster of ACEnet [1], the high performance computing consortium for universities in Atlantic Canada. The cluster is a Parallel Sun x4100 AMD Opteron (dual-core) cluster equipped with Myri-10G interconnection. Parallel jobs are assigned using the Open MPI library.

Figure 11 compares time and memory efficiency for the two explicit-time description methods in both versions of DiVinE with 16 CPUs; it also shows how the size of the state spaces increases as T increases. While SEDM has the bigger number of states for all models, as the model becomes larger, the time increases more slowly than with LEDM: time increases by a factor of 343 as T increases from 2 to 16 with LEDM, and by a factor of 204 as T increases from 2 to 16 with SEDM. It is also interesting to find that starting from T = 10, the time spent with SEDM is less than the time with LEDM. Because SEDM adds N synchronization steps (recall that N is the number of system processes) for each time unit, the size of the state space of the model generated by our method is bigger than that generated by Lamport's method. But as the model becomes bigger, the difference becomes insignificant. For T = 2, states(SEDM)/states(LEDM) = 2.85, while for T = 16, the two state space sizes become comparable. The memory usages of both methods are comparable. Because the OWCTY algorithm requires that the whole state space fit into the (distributed) memory, enough memory resource must be allocated in order for the verification to succeed. Note that when increasing the number of CPUs, an added portion of memory needs to be counted for the increasing inter-node communications.
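As an added example, not the paper's DVE model, the following Python code builds a small explicit-state model checker for the Fischer model of Section 4 using the LEDM scheme of Section 2.2: a Tick process, a global pair of count-down timers (ubtimer, lbtimer) per thread, INFINITY for inactive upper bounds, and a breadth-first search over all reachable states for G(c < 2). It assumes, like the text, that thread steps and ticks interleave arbitrarily (steps due in the same time unit may occur in either order); the function names and the parameter sets are this example's own, and it varies δ and ε independently rather than using the paper's single T so that the verdict visibly depends on the timing constraints.

```python
"""Explicit-time (LEDM-style) discrete-time model of Fischer's mutual
exclusion for N threads, explored by breadth-first search.  Added example;
the names, the BFS driver and the chosen parameter sets are this example's own."""
from collections import deque

INFINITY = 10**9        # "large enough" constant: marks an inactive upper-bound timer
NCS, A, B, C, CS = "ncs", "a", "b", "c", "cs"   # program counter of one thread


def successors(state, n, delta, eps, eps_upper):
    """All one-step successors of a state: one Tick step (when allowed) and
    every enabled thread step of Fischer's algorithm with count-down timers."""
    x, pcs, ub, lb = state
    out = []
    # Tick process: disabled while any active upper-bound timer has reached 0,
    # so the clock cannot advance past a deadline; otherwise one time unit passes
    # and every non-INFINITY ubtimer and non-zero lbtimer is decremented.
    if all(u > 0 for u in ub):
        out.append((x, pcs,
                    tuple(u - 1 if u != INFINITY else u for u in ub),
                    tuple(v - 1 if v > 0 else v for v in lb)))
    for t in range(n):
        tid = t + 1                      # thread identifiers start from 1

        def step(new_pc, new_x=x, new_ub=INFINITY, new_lb=0):
            pcs2, ub2, lb2 = list(pcs), list(ub), list(lb)
            pcs2[t], ub2[t], lb2[t] = new_pc, new_ub, new_lb
            out.append((new_x, tuple(pcs2), tuple(ub2), tuple(lb2)))

        pc = pcs[t]
        if pc == NCS:                    # leave the non-critical section (untimed)
            step(A)
        elif pc == A and x == 0:         # a: wait until x = 0; b is due within delta
            step(B, new_ub=delta)
        elif pc == B:                    # b: x := t; c is due within [eps, eps_upper]
            step(C, new_x=tid, new_ub=eps_upper, new_lb=eps)
        elif pc == C and lb[t] == 0:     # c: lower bound elapsed; if x != t goto a
            step(CS if x == tid else A)
        elif pc == CS:                   # d: x := 0; goto ncs (untimed)
            step(NCS, new_x=0)
    return out


def check_mutex(n, delta, eps, eps_upper):
    """Breadth-first exploration of the reachable state space.
    Returns (holds, states_explored); holds is True iff G(c < 2), i.e. no
    reachable state has two or more threads in the critical section."""
    init = (0, (NCS,) * n, (INFINITY,) * n, (0,) * n)
    seen, queue = {init}, deque([init])
    while queue:
        s = queue.popleft()
        if sum(pc == CS for pc in s[1]) >= 2:
            return False, len(seen)      # counterexample state reached
        for s2 in successors(s, n, delta, eps, eps_upper):
            if s2 not in seen:
                seen.add(s2)
                queue.append(s2)
    return True, len(seen)


if __name__ == "__main__":
    # delta < eps: mutual exclusion holds; delta > eps: a violation is reachable
    for params in [(2, 1, 2, 2), (3, 1, 2, 2), (2, 2, 1, 2)]:
        holds, count = check_mutex(*params)
        print("N=%d delta=%d eps=%d eps_upper=%d: G(c<2) %s (%d states)"
              % (params + ("holds" if holds else "VIOLATED", count)))
```

With δ > ε the search returns the first state with two threads in cs, which is the explicit-time analogue of DiVinE reporting a counterexample; the state counts also show how quickly the explored space grows with N.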
5 Discussion and Conclusion

In this paper, we propose a new method, SEDM, using rendezvous synchronization steps, so the timing constraints can be defined either globally or locally, compared to the heavy reliance on global variables in LEDM. Consequently, SEDM makes it possible to model discrete time with some process-based untimed languages without explicit global variables. With SEDM, real-time systems can be modeled with a high degree of modularity and more complex timing constraints can be modeled more conveniently.

As Lamport mentions in [16], the explicit-time description methods are not designed to beat specialized timed model checkers like UPPAAL: it is obvious that timed-automata-based model checkers can handle continuous time semantics while EDMs can only deal with discrete time semantics. However, EDMs are intended to offer more options for the verification of real-time systems. First, explicit-time description methods provide a solution for accessing and storing the current time instant for the pre-emptive scheduling models. Second, while the size of the state space in an explicit-time method grows along with the number of time units, it is less sensitive to the number of concurrently running timers. This suggests that the explicit-time method implemented in an untimed model checker may verify more complex system behaviors. Third, as Van den Berg et al. mention in [10], in some real-world scenarios where significant resources have already been invested into the model for a general model checker such as SPIN or SMV, it is much easier and therefore preferable to extend the existing model to represent time notions rather than to re-model the entire system for a specialized timed model checker.
Last but not least, explicit-time description methods enable the usage of existing large-scale distributed model checkers such as DiVinE, so that we can verify much bigger real-time systems.

This research is part of an ambitious research and development project, Building Decision-support through Dynamic Workflow Systems for Health Care [12]. Verification that the health care process design meets its specifications and monitoring the process to check specifications for each instance (patient) are essential. Real world health care workflow processes are highly dynamic and local changes are the norm. In addition to work in verification, members of our research group [2] are currently investigating parallel and distributed approaches to reasoning about structured knowledge bases (ontologies). Interfacing these reasoners and distributed model checkers with workflow engines will permit runtime monitoring of complex, highly variable and safety critical processes. Currently, we are using explicit-time description methods to model and verify real-world health care processes. As a continuous effort in practical timed model checking, we also study the efficiency problem of explicit-time descriptions and have made some progress based on optimizing the tick process [20], so that EDMs can be applied to problems of larger scale. Dutertre and Sorea [13] and Clarke et al. [11] recently presented two different abstraction techniques for timed automata, and the abstraction outcome can be verified using untimed model checkers. We also intend to study the possibility of this kind of technique in distributed model checkers.
Acknowledgment

This research is sponsored by NSERC, an Atlantic Computational Excellence Network (ACEnet) Post Doctoral Research Fellowship and by the Atlantic Canada Opportunities Agency through an Atlantic Innovation Fund project. The computational facilities are provided by ACEnet. We also thank Jiri Barnat, Keith Miller and the anonymous reviewers of QFM'09 for their helpful comments.

References

[1] Atlantic Computational Excellence network (ACEnet). http://www.ace-net.ca/. Last accessed on Nov. 2009.
[2] Centre for Logic and Information, St. Francis Xavier University. http://logic.stfx.ca/. Last accessed on Nov. 2009.
[3] DiVinE project. http://divine.fi.muni.cz/. Last accessed on Nov. 2009.
[4] Yasmina Abdeddaïm & Oded Maler (2002): Preemptive Job-Shop Scheduling Using Stopwatch Automata. In: Joost-Pieter Katoen & Perdita Stevens, editors: TACAS, Lecture Notes in Computer Science 2280. Springer, pp. 113–126.
[5] Rajeev Alur & David L. Dill (1994): A Theory of Timed Automata. Theor. Comput. Sci. 126(2), pp. 183–235.
[6] Rajeev Alur & Thomas A. Henzinger (1991): Logics and Models of Real Time: A Survey. In: J. W. de Bakker, Cornelis Huizing, Willem P. de Roever & Grzegorz Rozenberg, editors: REX Workshop, Lecture Notes in Computer Science 600. Springer-Verlag, pp. 74–106.
[7] Jiri Barnat, Lubos Brim, Ivana Černá, Pavel Moravec, Petr Ročkai & Pavel Šimeček (2006): DiVinE – A Tool for Distributed Verification (Tool Paper). In: Computer Aided Verification, Lecture Notes in Computer Science 4144. Springer-Verlag, pp. 278–281.
[8] Johan Bengtsson, Kim G. Larsen, Fredrik Larsson, Paul Pettersson & Wang Yi (1995): UPPAAL — a Tool Suite for Automatic Verification of Real-Time Systems. In: Proc. of Workshop on Verification and Control of Hybrid Systems III, number 1066 in Lecture Notes in Computer Science. Springer-Verlag, pp. 232–243.
[9] Johan Bengtsson & Wang Yi (2003): Timed Automata: Semantics, Algorithms and Tools. In: Jörg Desel, Wolfgang Reisig & Grzegorz Rozenberg, editors: Lectures on Concurrency and Petri Nets, Lecture Notes in Computer Science 3098. Springer, pp. 87–124.
[10] Lionel van den Berg, Paul A. Strooper & Kirsten Winter (2007): Introducing Time in an Industrial Application of Model-Checking. In: Stefan Leue & Pedro Merino, editors: FMICS, Lecture Notes in Computer Science 4916. Springer, pp. 56–67.
[11] Edmund M. Clarke, Flavio Lerda & Muralidhar Talupur (2007): An Abstraction Technique for Real-time Verification. In: S. Ramesh & P. Sampath, editors: Next Generation Design and Verification Methodologies, Lecture Notes in Computer Science. Springer-Verlag, pp. 1–17.
[12] Jeff Dallien, Wendy MacCaull & Allen Tien (2008): Initial Work in the Design and Development of Verifiable Workflow Management Systems and Some Applications to Health Care. In: 5th International Workshop on Model-based Methodologies for Pervasive and Embedded Software. IEEE Computer Society, pp. 78–91.
[13] Bruno Dutertre & Maria Sorea (2004): Modeling and Verification of a Fault-Tolerant Real-Time Startup Protocol Using Calendar Automata. In: Yassine Lakhnech & Sergio Yovine, editors: FORMATS/FTRTFT, Lecture Notes in Computer Science 3253. Springer-Verlag, pp. 199–214.
[14] Gerard J. Holzmann (1991): Design and Validation of Computer Protocols. Prentice Hall.
[15] Pavel Krčál & Wang Yi (2004): Decidable and Undecidable Problems in Schedulability Analysis Using Timed Automata. In: Kurt Jensen & Andreas Podelski, editors: TACAS, Lecture Notes in Computer Science 2988. Springer, pp. 236–250.
[16] Leslie Lamport (2005): Real-Time Model Checking is Really Simple. In: Dominique Borrione & Wolfgang J. Paul, editors: CHARME, Lecture Notes in Computer Science 3725. Springer-Verlag, pp. 162–175.
[17] Ken L. McMillan (1992): Symbolic model checking - an approach to the state explosion problem. Ph.D. thesis, Carnegie Mellon University.
[18] Moshe Y. Vardi & Pierre Wolper (1986): An Automata-Theoretic Approach to Automatic Program Verification (Preliminary Report). In: LICS. IEEE Computer Society, pp. 332–344.
[19] Kees Verstoep, Henri E. Bal, Jiri Barnat & Lubos Brim (2009): Efficient large-scale model checking. In: IPDPS. IEEE, pp. 1–12.
[20] Hao Wang & Wendy MacCaull (2009): An Efficient Explicit-time Description Method for Timed Model Checking. In: Parallel and Distributed Methods in verifiCation, 8th International Workshop, PDMC 2009, Held as Part of the Formal Methods Week 2009, Eindhoven, the Netherlands, November 2-6, 2009.