An Approach to Formally Modeling and Verifying Distributed Real-time Embedded Software

Liqiong Chen
Department of Computer Science and Information Engineering, Shanghai Institute of Technology, Shanghai, China
Email: lqchen@sit.edu.cn

Guisheng Fan\textsuperscript{1,2} and Yunxiang Liu\textsuperscript{3}
\textsuperscript{1}Department of Computer Science and Engineering, East China University of Science and Technology, Shanghai, China
\textsuperscript{2} Shanghai Key Laboratory of Computer Software Evaluating and Testing, Shanghai, China
\textsuperscript{3} Department of Computer Science and Information Engineering, Shanghai Institute of Technology, Shanghai, China
Email: gsfan@ecust.edu.cn, yxliu@sit.edu.cn

Abstract—As computer systems become increasingly inter-networked, Distributed Real-time Embedded (DRE) systems has become increasingly common and important, a challenging problem faced by researchers and developers of DRE software is devising and implementing an method that can effectively analyze requirements in varying operational conditions. In this paper, a Hierarchical Distributed Real-time Embedded net (HDRE-net) is proposed as software analysis tool. The basic task, function module and communication process are modeled by using HDRE-net, thus forming the whole application through the synthesis operation of Petri net. Time Reachability Graph is adopted to analyze the correctness of HDRE-net, the basic properties of DRE software are also considered. Finally, a specific example is given to simulate the analysis process, and the results show that the method can be a good solution to analyze DRE software.

Index Terms—Distributed real-time and embedded system; Petri net; Time Reachability Graph; modeling; verifying

I. INTRODUCTION

As computer systems become increasingly inter-networked, most of critical systems in the world are embedded systems that control physical, chemical, biological, or defense processes and devices in real-time. Increasingly, these embedded systems are part of larger DRE system [1]. A typical DRE software will consist of multiple subsystems, which may be concentrated in a highly localized area, distributed over a wide geographic region, or may involve combinations of both local and distributed deployment. These subsystems will communicate with each other to exchange information and carry out coordinated actions [2].

Because DRE software is often characterized by complexity and volatility of requirements, developers require tools that support the rapid evaluation of design models against system-level temporal and functional properties. Such a validation activity helps identify requirement. However, a challenging problem faced by researchers and developers of DRE software is how to devise and implement a method that can effectively analyze requirements in varying operational conditions.

Basically, in a DRE system, if the basic properties are not met, the consequences can be disastrous, including great damage of resources or even loss of human lives [3]. Therefore it is necessary to model and analyze DRE software early in the lifecycle. In these early development phases, the cost effectiveness and ease of use of validation tools is significant, as well as the level of rigor supplied by the modeling language and environment. Despite recent advances in DRE systems development, however, there remain significant challenges that make it hard to develop large-scale DRE software [4, 5]. The key unresolved challenges include the lack of methods for effectively modeling, integrating, and verifying.

To address these challenges, we extend for Place Timed Petri net and propose a Hierarchical Distributed Real-time Embedded net (HDRE-net). The tasks and the relationships between tasks of DRE software are described in detail. In particular, we abstract communication process as a task, and using HDRE-net to describe resource and time delay of communication process, thus forming the whole application. Based on the constructed model, Time Reachability Graph is adopted to analyze the correctness of HDRE-net, the basic properties of DRE software are also considered.

The remainder of this paper is organized as follows. Section 2 presents the computation model. Section 3 shows how HDRE-net can be used to model DRE systems. Section 4 proposes analysis technologies of DRE software. In section 5, a specific example is given to simulate the modeling and analysis process. Section 6 presents some related works while section 7 is conclusions.
II. BASIC CONCEPT AND DEFINITION

A. Definition of HDRE-net

Timed Petri nets (TPN) is a mathematical formalism, which allows to model the features present in most concurrent and real-time systems, such as system, concurrency, asynchronism and distribution, etc. Some recent researches indicate that TPN is powerful enough to describe behavioral features of DRE software [6, 7]. The basic concepts of it can refer to [8]. In this paper, we extend for TPN and establish a model for analyzing DRE software.

Definition 1: A tuple \( \Sigma=(TPN,\iota,\gamma) \) is called Distributed Real-time Embedded net (DRE-net) iff:

1. \( TPN=(P\cup N, C, M_0) \) is a Timed Place net;
2. \( \iota \subset P \) is a special place, which is called the interface of \( \Sigma \) and denoted by the dotted circle;
3. \( \gamma \) is the priority function of transition. \( \gamma(t_i)=(\alpha_i,\beta_i) \), where \( \alpha_i,\beta_i \) are called the primary and secondary priority of transition \( t_i \).

The distribution of token in each place at time \( 0 \) is called the marking of DRE-net model, denoted by \( M \). The marking \( M(p) \) denotes the number of tokens in the place \( p \). \( M=M^t \cup M^r \), where \( M^t \) is the available tokens of \( M \), \( M^r \) is the unavailable tokens of \( M \). For any \( x \in (P \cup T) \), we denote the pre-set of \( x \) as \( \mathit{\mathbf{\bullet}}x=\{y|y \in (P \cup T)\land (y,x) \in \mathcal{E}\} \) and the post-set of \( x \) as \( x\mathit{\mathbf{\bullet}}=\{y|y \in (P \cup T)\land (x,y) \in \mathcal{E}\} \).

Definition 2: A six tuple \( \Omega=(\Sigma,\Gamma,\iota,\mathcal{T},\mathcal{A},\mathcal{P}) \) is called Hierarchical Distributed Real-time Embedded Net (HDRE-net) model, where:

1. \( \Sigma \) is DRE-net model, which describes the basic structure of \( \Omega \);
2. \( \Gamma=\{\Gamma|x \in \mathbb{R}^+\} \) is the finite set of DRE-net and HDRE-net, each element is called a page of \( \Omega \);
3. \( \mathcal{T}\subset\mathcal{T} \) is the set of substituted operation, each page of HDRE-net corresponds to a substituted node and denoted by the double rectangle;
4. \( \mathcal{A} \) is the page allocation function, whose function is to allocate the corresponding page to the substituted node;
5. \( \mathcal{P}\subset\mathcal{P} \) is the set of interface node, which describes the input and output of substituted node, and denoted by double circle;
6. \( \mathcal{P} \) is the mapping function of interface, which maps the interface node into the input and output of the operation.

From the definition, we can get that DRE-net is a special case of HDRE-net, that is, \( \Gamma \) in HDRE-net model is empty. In this paper, the firing of transition in DRE-net model is instantaneous and the invocation of transition is determined by its priority. By default, the delay time of place is \( 0 \); the priority of transition is \((0,0)\). The time unit can be set according to the specific circumstances. We will analyze the operation mechanism of HDRE-net model in the following.

B. Operation mechanism of HDRE-net

Because the tokens in HDRE-net model includes time factor, only using marking can't sufficient to describe the state of the system. In order to better describe time characteristics, we introduce the concept of wait time in this paper.

Definition 3: Let \( \Omega \) be a HDRE-net model, which reaches marking \( M \) at time \( \theta \), \( \forall p_i \in \mathcal{P} \), place \( p \) has \( j \) tokens in marking \( M \), \( \mathcal{P}^k \) is the \( k \)th token of \( p \). Vector : \( TS(p_i)=(TS_{p_i}^1,TS_{p_i}^2,\ldots,TS_{p_i}^k) \) is the wait time of place \( P_i \), where \( TS(p_i)^k=\max(\{\theta-\xi_k\},\xi_k) \), \( \xi_k \) is the time that token \( P_i^k \) generated. \( TS(p_i)^k \) is the wait time of token \( P_i^k \). \( TS(p_i)^m \) explains the model must wait \( M \) time units before using token \( P_i^k \). While \( TS(p_i)^m=0 \) represents the token is available. Recorded \( TS(M,\theta) \) as the wait time set of places under marking \( M \).

Definition 4: Let \( \Omega \) be a HDRE-net model, a pair \( S=(M,TS) \) is a called state of \( \Omega \) at time \( \theta \). Where \( M \) is marking, which describes the distribution of resources; \( TS(M,\theta) \) is the time stamp of marking \( M \), which depicts time properties of system.

Initial state \( S_0=(M_0,TS_0) \) where \( TS_0 \) is a zero vector, i.e., all tokens are available in the initial state. Two ways can be used to change state:

1. (1) time elapse, at the time \( \theta+\omega (\omega >0) \), because the wait time of tokens have changed which makes the model reach a new state \( \mathcal{S} \), denoted by \( S/\omega \rightarrow S \).
2. (2) transition firing, the firing of transition \( t_i \) will generate a new marking, thus the model will reach a new state \( S' \), denoted by \( S/t_i \rightarrow S' \).

The state \( S \) reaches state \( S' \) by firing transition \( t_i \) after waiting \( \omega \) time units is denoted by \( S(t_i,\omega) \rightarrow S' \).

Definition 5: Let \( \Omega \) be a HDRE-net model, \( S=(M,TS) \) is a state of \( \Omega \) at time \( 0 \), for transition \( t_i \in \mathcal{T} \), iff:

1. \( \forall p_i \in \mathcal{P}, p_i \in t_i \rightarrow M^t=M^t \cup W(p_i,t_i), t_i \) is called strong enabled under marking \( M \), denoted by \( M/t_i \geq \), all transitions that have strong enabled under marking \( M \) are record as set \( SET(M) \).
2. \( \forall p_i \in \mathcal{P}, p_i \in t_i \rightarrow M^t=M^t \cup W(p_i,t_i), t_i \) is called weak enabled under marking \( M \), denoted by \( M/t_i \geq \), all transitions that have weak enabled under marking \( M \) are record as set \( WET(M) \).

The set \( ET(M)=SET(M) \cup WET(M) \). If transition \( t_i \) has weak enabled under marking \( M \) and at least pass through \( \omega \) time units to be strong enabled, then \( \omega \) is called firing delay of transition \( t_i \) under marking \( M \). From the above definition, we can draw that the firing delay of strong enabled transition is \( 0 \), \( \omega=\max(\{TS(p_i)^k\}) \) is called firing delay of transition \( t_i \) under state \( S \), denoted by \( FD(S,t_i) \).

Definition 6: Let \( \Omega \) be a HDRE-net model, \( S=(M,TS) \) is a state of \( \Omega \) at time \( 0 \), \( \forall t_i \in ET(S), \omega \in \mathbb{N} \), the firing of transition \( t_i \) is effective iff it meets one of the following conditions:

1. \( t_i \in SET(M); \alpha_i \leq min(\alpha_i) \land \beta_i \leq min(\beta_i) \), where \( t_i \in SET(M), t_i \in U(t_i) \)
2. \( t_i \in WET(M); SET(M)=\Phi \land FD(S,t_i) \leq FD(S,t_i), t_i \in WET(M) \)

The set \( U(t_i)=\{t_i | t_i \in SET(M) \land \alpha_i = \alpha_i \} \) represents the set of transitions whose primary priority are equal to the primary priority of \( t_i \). All the effective firing transitions under state \( S \) are denoted by \( FT(S) \).
Definition 7: Let \( \Omega \) be a HDRE-net model, \( S=(M, TS) \) is a state of \( \Omega \) at time 0, the model will reach a new state \( S'=(M', TS') \) by effectively firing enabled transition \( t_i \), denoted by \( S(t_i, \omega) \rightarrow S' \), \( S' \) is called the reachable state of \( S \), the computation of \( M', TS' \) are based on the following rules:

1. Computing marking:
   \( \forall P_j \in t_i \rightarrow N_i, M'(P_j) = M(P_j) - W(P_j, t_i) + W(t_i, P_j) \)
2. Computing wait time:
   First, adding wait time to the new generated marking:
   \( TS(P_j) = 0 \), \( P_j \) is generated when firing transition \( t_i \);
   Second, modifying the wait time of tokens which are generated before the firing of transition \( t_i \):
   \( TS'(P_j) = \max\{TS(P_j) - \omega, 0\} \).
   The computation of wait time is mainly based on the generated time of token: for the newly generated tokens, the wait time is equal to the delay time of the corresponding place; if the token is generated before the firing of transition and not be removed, the wait time needs to be adjusted.

III. FORMAL MODELING DRE SOFTWARE

In this section, we will use HDRE-net model to describe task, resource and communication mechanism of DRE system, thus forming the model of the whole application. In order to distinguish substituted nodes and interface nodes, which is marked by the capital letters, and others place and transition are marked by the lowercase letters.

A. Requirements of DRE software

DRE software can be regarded as a number of modules; each module also contains a number of partially ordered, serial or parallel implemented sub tasks [9, 10]. The function of DRE systems will be distributed to a number of interrelated embedded devices, each device is responsible for certain functions, and has certain autonomy, but relies on the computation of other embedded devices. Among them, DRE system has the following characteristics:

1. Static priority schedule is adopted to realize preemption.

2. A task may also need other resources in addition to processor, such as variables or buffer; meanwhile each task has two ways to access the resource: exclusive access and sharing access.

3. Each task can not suspend itself before completion.

4. The overhead of task switching can be neglected.

B. Modeling DRE software

In this section, we will use HDRE-net to abstract and model for task, communication between tasks, resource of DRE software, then composing the HDRE-net model of each module according to the relationships between modules, thus forming the model of whole application. In order to distinguish the page of transition and place in each net, the task and module is marked in the model for task, communication between tasks, resource function, whose function is to assign necessary resources to each task, \( RS' \) represents the multiple set of resource, that is, a task can use multiple sources.

7. \( D \) is the operation deadline of whole application.

In order to clearly describe the modeling and analysis process of DRE software, we assume the tasks in DRE system have the following characteristics:

1. Static priority schedule is adopted to realize preemption.

2. A task may also need other resources in addition to processor, such as variables or buffer; meanwhile each task has two ways to access the resource: exclusive access and sharing access.

3. Each task can not suspend itself before completion.

4. The overhead of task switching can be neglected.

The model of task \( TK_{ij} \) is shown in Figure 1, where place \( p_{si}^{ij} \) describes the running state of task \( TK_{ij} \), while transition \( t_{si}^{ij} \), \( t_{st}^{ij} \), \( t_{sa}^{ij} \) describe the beginning and termination position of each task.

Assuming each task of DRE software has constructed the corresponding HDRE-net model which is shown in Figure 1. We will compose HDRE-net model of each task by their relationship.

Operator \( > \) represents the sequence relationship: If the firing of task \( TK_{ij} \) can lead to the firing of task \( TK_{ik} \), then the relationships between task \( TK_{ij} \) and \( TK_{ik} \) is sequence. \( TK_{ij} \) is the forward task of \( TK_{ik} \), while \( TK_{ik} \) is the backward task of \( TK_{ij} \). The set \( Forw(TK_{ij}) \) contains all the tasks which are the forward task of \( TK_{ij} \), \( Back(TK_{ij}) \) contains all the backward task of \( TK_{ij} \). The HDRE-net model of \( TK_{ij} \) is shown in Figure 2(a), the substituted node \( TK_{ij} \) and \( TK_{ik} \) corresponds to the page of task \( TK_{ij} \) and \( TK_{ik} \), while interface node \( P_{ji}^{pa} \), \( P_{ji}^{pa} \) represent the input and output of substituted node \( TK_{ij} \) and \( TK_{ik} \), and mapped into the interface \( p_{si}^{pa} \), \( p_{sa}^{pa} \) of task \( TK_{ij} \). Because the relation between task and substituted node is one by one, the substituted node is also called task in the following. In order to describe the sequence...
relationship, we introduce transition \(t_{on}\) to transfer the result of task \(TK_{ij}\) to the input interface of task \(TK_{ik}\).

![Figure 2. HDRE-net Model of basic Relation](image)

Operator \(\parallel\) represents the parallel relationship: If the relation between \(TK_{ij}\) and \(TK_{ik}\) is parallel. Let task \(TK_{ij}\) be the public forward task of task \(TK_{ik}\) and \(TK_{ikb}\), while task \(TK_{ik}\) is the public backward task of task \(TK_{ij}\) and \(TK_{ikb}\). The corresponding HDRE-net model of \(TK_{ij}\) is shown in Figure 2(b), we introduce transition \(t_{jk}\) and \(t_{jk}\), which make \(t_{jk} = \{p_{on}, p_{pa}\}\), \(t_{jk} = \{p_{on}, p_{pa}\}\), \(t_{jk} = \{p_{on}, p_{pa}\}\), and \(t_{jk} = \{p_{on}, p_{pa}\}\).

Operator \(TK_{ij}^{+}TK_{ik}\) represents the choice relationship, which means only one task can be chosen to fire. If task \(TK_{ij} \cup TK_{ik}\) which explains there has exclusive relation between them. The corresponding model of \(TK_{ij}^{+}TK_{ik}\) and \(TK_{ij} \cup TK_{ik}\) are shown in Figure 2(c)-(d).

We will construct the HDRE-net model of each module according to the requirement model and the relationships between tasks, which is shown in Figure 3. The operation process of module \(Ni\) is: Calling the tasks in the module according to the task and relationships between tasks after initializing; meanwhile the local clock begins to time, if all task has finished operating in the deadline, then calling termination operation to make it be in normal termination state, otherwise, calling overtime handling operation to make it be in overtime state.

In Figure 3, we introduce place \(p_{in}^{on}, p_{on}^{on}\) to describe the beginning and termination operation of module. Place \(p_{on}^{on}\) is used to control running time of module \(Ni\), place \(p_{dn}^{on}\) describes overtime state of module \(Ni\), transition \(t_{on}\) describes overtime handling operation of module \(Ni\), where \(t_{on} = \{p_{on}^{on}, t_{on}\}\), \(t_{on} = \{p_{on}^{on}, t_{on}\}\), \(t_{on} = \{p_{on}^{on}, t_{on}\}\), \(t_{on} = \{p_{on}^{on}, t_{on}\}\). If task \(TK_{ij}\) doesn't have forward task, then \(t_{on} = \{p_{on}^{on}, t_{on}\}\). If task \(TK_{ij}\) doesn't have afterward task, then \(t_{on} = \{p_{on}^{on}, t_{on}\}\).

According to the communication principle of CAN bus, the communication process of task \(TK_{ij}\) sending message to task \(TK_{gf}\) is abstracted as a communication task \(TK_{ij-gf}\) and set running time \(m_{ij-gf}\) of \(TK_{ij-gf}\) according to the size of message. The HDRE-net model of task \(TK_{ij-gf}\) is shown in Figure 4. In Figure 4, place \(p_{on}^{on}\) and \(p_{pa}^{on}\) are the input and output interface of task \(TK_{ij-gf}\) while place \(p_{on}\) and \(p_{pa}\) describe idle buffer and bus token resource. The execution process of communication task \(TK_{ij-gf}\) is: beginning to operation \((t_{on-gf})\) after getting data packet and entering into idle buffer waiting position \(p_{on-gf}\). Once getting the idle buffer, then writing data into buffer \((t_{on-gf})\) and entering into sending buffer position \(p_{on-gf}\); the system will release buffer and bus token \(t_{on-gf}\) after finishing data transmission.

In the HDRE-net model, the token represents resource. According to the characteristics of DRE software, the steps of modeling resource are: for the sharing resources \(rs\) such as cache, processor, bus, data, I/O and so on, we establish a place \(p_{on}\) to represent the distribution of resource. According to the function \(Rt\) in requirement model, we can determine the relationship between tasks and resources; the message is defined as a resource in the model.

We can form the HDRE-net model of whole application based on the above model. The operation processes of whole application are:

1. Each module is abstracted as a substituted node;
2. Constructing data process of the whole application according to the relationships between modules;
3. Introducing place \(p_{on}, p_{on}\) to describe the beginning and termination state of application, transition \(t_{on}, t_{on}^{on}\)

![Figure 3. HDRE-net Model of Module \(Ni\)](image)

![Figure 4. HDRE-net Model of Communication Process](image)
represent the beginning and termination operation of whole application.

(4) Analyzing the resource of the DRE software, and adding the corresponding place and arcs;
(5) Adding the model of communication task according to the communication requirements between tasks;
(6) Setting initial marking $M_0(p_w)=1$ and the distribution of initial resource.

In this paper, the allocation rules of transition's priority are as follows: all transitions in a module have the same primary priority, that is, all transitions in a module, including internal transition of the task, have the same main priority; the secondary priority of termination operation has the highest priority, including the termination operation of task, module and communication task, which is 0; Overtime handling has the lowest priority, for example, if the secondary priority is divided into $k$ levels, then the secondary priority of overtime handling transitions in all modules is set to $k$, the secondary priority of the rest transitions in the module were less than $k$; the primary priority of communication task can be set according to the actual requirements, and does not follow the above rules, but the main priority of communication tasks which have conflict are not the same, the priority of all inner transitions of communication model are equal; the priority of transition that introduced to describe the process is equal to $(0,0)$.

IV. ANALYSIS TECHNOLOGIES OF DRE SOFTWARE

A. Timed reachability graph

For the bounded HDRE-net, because its reachability state set $R(S_0)$ is a finite set, therefore, $R(S_0)$ is viewed as a vertex set, and the direct reachability relation between states is viewed as arc set, and the transition is marked in the corresponding arc, which constructs a directed arc. The directed graph is called Timed Reachable Graph in HDRE-net model. We can analyze state change, transition firing sequence and implementation time of system by using Timed Reachable Graph, thus getting the related properties of HDRE-net model.

According to the construction algorithm of Petri net reachability graph, we can construct Timed Reachable Graph of HDRE-net model. The model uses initial state as root node, and gradually computes each node in Timed Reachable Graph, and does following operations for current state $S$:
(1) Marking $S'$ to ensure that each state only has been visited once;
(2) Computing effective firing set $FT(S)$ of $S$;
(3) Computing next state $S'$ by arbitrarily choose a transition from $FT(S)$;
(4) If $S'$ has been in the constructed node set, then directly adding the corresponding arc and the side marked, otherwise $S'$ is added into the node set, and add the corresponding arc and side marked.

We can analyze different properties of $\Omega$ by using $RG(\Omega)$.

B. Basic Properties of DRE Software

The main purpose of modeling by using Petri net is to analyze the properties and function of actual system. This section discusses the basic properties of HDRE-net model, these properties has closely related with DRE software.

In this paper, places are used to represent the resource of DRE software, message storage location, and also can be used to indicate the availability of resources. Making sure whether these storage has overflowed or whether the capacity of resources have overflowed are very important. The boundedness of model is to check whether the described resource of HDRE-net model has overflowed. We will prove the constructed HDRE-net model is bounded in the following.

Property 1: HDRE-net model is bounded.
Proof: According to definition of boundness, we can prove that each place in the model is bounded in different cases, thus getting the model is bounded. Many resources (such as bus, input device of hardware and buffer) are shared resource in DRE software. In those system, there may easily result in deadlock and complete halt, therefore, it is necessary to analyze resource scheduling rules and deadlock-free properties.

Property 2: HDRE-net model ensure that each resource can allocate to one task one time.
Proof: Because the firing of transitions in the model is instant, and the resource in the model is characterized by a token. According to the semantic of HDRE-net model, we can get there doesn't exist a token that can be consumed by two tokens. That is, HDRE-net model ensure that each resource can be allocated to one task one time.

Property 3: HDRE-net model is deadlock-free.
Proof: Because tasks in HDRE-net model can execute only after getting all required resources, and will not require additional resources during proceeding, then HDRE-net model does not meet one of necessary condition of deadlock generated: the transition is obstructed due to requiring resource, and not releases the got resources. Therefore, HDRE-net model does not have deadlock. So the model does not have deadlock.

Property 4: The constructed HDRE-net model can ensure the principles of CAN bus protocol.
Proof: According to the principles of CAN bus protocol: (1) only one task sends message in the bus at any time; (2) If two tasks need to send message at the same time, then low-priority nodes need stop sending. Because CAN bus is modeling as resource in this paper, we can get principle (1) is established according to property 2 and 3, and because $C(p_{bus})=C(p_{req})=0$, two tasks need send message means that there are two transitions that has bus tokens has strong firing, from the firing rules of HDRE-net model, we can get the higher priority transition will send, and the lower priority transition will wait, thus ensuring principle(2).

Schedulability is an important characteristic for guarantying the reliability of DRE systems. We will introduce several special states before analyzing the schedulability of HDRE-net model.
Let $\Omega$ be a HDRE-net model, $S=(M,TS)$ is a state of $\Omega$ at time $t$:

$\text{(1)}$ if $\exists p\in\mathcal{P}$ which makes $M(p)_{d_m}=1$, then $S$ is called the overtime state;

$\text{(2)}$ if $\forall p\in\mathcal{P}$, then $S$ is called the dangerous state;

$\text{(3)}$ if $M(p)_{r_m}=1$, then $S$ is called the normal termination state, denoted by $S^\prime$.

Overtime state means that the operation can not be completed before the deadline, the model will reach overtime state when starts from the dangerous state; while the normal termination state is the state that all tasks have completed before the deadline; the other states in the system are called the normal state.

Definition 9: Let $\Omega$ be a HDRE-net model, then $\Omega$ is schedulable iff $S^\prime$ is reachable in $\Omega$.

The model is schedulable if all modules can complete before their deadlines, which is called a feasible schedule.

The feasible schedule is corresponding to a path from $S_0$ to $S^\prime$ in $\Omega$. Therefore, we can get necessary model of ELC sub-system by merging the corresponding interface. Because the setting of priority conflict task is less, therefore, the setting of priority conflict task is less, therefore, the setting of priority conflict task is less, therefore, the setting of priority can reduce level, and the communication buffer is set to 3. Because Module 3 need process a large number of data, ARM9 is used in this module, and the rest modules use 8051 Single-Chip. All modules use SJA100 as bus controller. According to the structure of ELC subsystem, and combining with the completed functions of each module, we can divide task set for each function module, and the corresponding bound is given in table I, in which time unit TTU is 2ms.

<table>
<thead>
<tr>
<th>Actual Mapping of Task</th>
<th>Transition</th>
<th>TC(TTU)</th>
<th>Actual Mapping of Task</th>
<th>Transition</th>
<th>TC(TTU)</th>
</tr>
</thead>
<tbody>
<tr>
<td>invoking</td>
<td>TK1,1</td>
<td>1</td>
<td>invoking</td>
<td>TK2,1</td>
<td>1</td>
</tr>
<tr>
<td>traffic light display</td>
<td>TK1,2</td>
<td>1</td>
<td>antenna trigger</td>
<td>TK2,2</td>
<td>1</td>
</tr>
<tr>
<td>trigger coil induction vehicle</td>
<td>TK1,3</td>
<td>1</td>
<td>connecting OBE</td>
<td>TK2,3</td>
<td>1</td>
</tr>
<tr>
<td>sending message to module 2</td>
<td>TK1,4</td>
<td>1</td>
<td>reading data</td>
<td>TK2,4</td>
<td>3</td>
</tr>
<tr>
<td>receiving processing results</td>
<td>TK1,5</td>
<td>1</td>
<td>sending data</td>
<td>TK2,5</td>
<td>3</td>
</tr>
<tr>
<td>displaying information screen</td>
<td>TK1,6</td>
<td>2</td>
<td>receiving data</td>
<td>TK2,6</td>
<td>1</td>
</tr>
<tr>
<td>open level</td>
<td>TK1,7</td>
<td>2</td>
<td>writing data</td>
<td>TK2,7</td>
<td>3</td>
</tr>
<tr>
<td>level block</td>
<td>TK1,8</td>
<td>2</td>
<td>disconnect</td>
<td>TK2,8</td>
<td>1</td>
</tr>
<tr>
<td>downloading latest data</td>
<td>TK3,1</td>
<td>2</td>
<td>invoking</td>
<td>TK4,1</td>
<td>1</td>
</tr>
<tr>
<td>receiving inherent information</td>
<td>TK3,2</td>
<td>1</td>
<td>front capturing</td>
<td>TK4,2</td>
<td>3</td>
</tr>
<tr>
<td>querying pull in record</td>
<td>TK3,3</td>
<td>1</td>
<td>side capturing</td>
<td>TK4,3</td>
<td>3</td>
</tr>
<tr>
<td>computing charge</td>
<td>TK3,4</td>
<td>2</td>
<td>storing picture</td>
<td>TK4,4</td>
<td>2</td>
</tr>
<tr>
<td>connecting account</td>
<td>TK3,5</td>
<td>2</td>
<td>sending data to monitor</td>
<td>TK4,5</td>
<td>2</td>
</tr>
<tr>
<td>qmount deducted</td>
<td>TK3,6</td>
<td>2</td>
<td>communication task 1</td>
<td>TK1,4$\rightarrow$2,1</td>
<td>0.5</td>
</tr>
<tr>
<td>sending processing results</td>
<td>TK3,7</td>
<td>2</td>
<td>communication task 2</td>
<td>TK2,5$\rightarrow$3,2</td>
<td>0.5</td>
</tr>
<tr>
<td>error info</td>
<td>TK3,8</td>
<td>2</td>
<td>communication task 3</td>
<td>TK3,7$\rightarrow$1,5</td>
<td>0.5</td>
</tr>
<tr>
<td>storing results and uploading</td>
<td>TK3,9</td>
<td>2</td>
<td>communication task 4</td>
<td>TK3,7$\rightarrow$2,6</td>
<td>0.5</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td>communication task 5</td>
<td>TK3,8$\rightarrow$4,1</td>
<td>0.5</td>
</tr>
</tbody>
</table>

V. EXPERIMENTS

In order to better describe the above modeling process and explain the correctness of analysis process, we use an actual case -Electronic Toll Collection (ETC) as an example. ETC system is an advanced system which consists of high-tech equipment and software such as microwave technology, electronics technology, computer technology, communications and network technology, and can achieve the function of automatically charging the cost of road without stopping vehicle. Strictly speaking, ETC application is the typical DRE software.

The workflow of Export Control Lane (ELC) is: the system will inform lane computer of sending start-up instructions to antenna controller when trigger coil detects the pass of vehicles. The read information from OBE will be sent to data processing center for data processing and charging.

According to the actual requirements, we can divide the entire application into four function modules. Module 1 responses for controlling auxiliary equipment, including traffic lights, display screen, lever and coil; Module 2 responses for reading OBE data. Module 3 responses for processing charged data. Module 4 is used to capture the pecouta vehicles.

According to requirement model of ELC sub-system, we can model for task, module and communication process, and construct the HDRE-net model of ELC subsystem by merging the corresponding interface. Because the conflict task is less, therefore, the setting of priority can reduce level, and the communication buffer is set to 3. Because Module 3 need process a large number of data, ARM9 is used in this module, and the rest modules use 8051 Single-Chip. All modules use SJA100 as bus controller. According to the structure of ELC subsystem, and combining with the completed functions of each module, we can divide task set for each function module, and the corresponding bound is given in table I, in which time unit TTU is 2ms.
therefore, the setting of priority can reduce level, and the communication buffer is set to 3.

According to the construction algorithm of Time Reachability Graph and the HDRE-net model of ELC sub-system, we can get the corresponding Time Reachability Graph. Figure 6 lists part of Time Reachability Graph. The model has 559 states, according to the definition of the basic properties and its analysis method, we can draw the model is bound, deadlock free and live. The principle of CAN bus is also met. And we can draw that the model is scheduling by analyzing Table I.

VI. Related Works

In recent year, there has been some related works used for DRE systems design including formal methods. Subramonian et al[11] presents a reusable library of formal models based on Timed Automaton, which have developed to capture essential timing and concurrency semantics of foundational middleware building blocks provided by the ACE framework. Madl et al[12] investigates how DRE systems can be represented as discrete event systems (DES) in continuous time, and proposes an automated method for the performance evaluation of such systems. Liu[13] leverages the Two-Level Grammar (TLG) specification language and the Vienna Development Method (VDM) a formal methodology for developing DRE components and develops system code generation. UniFrame. Slaby et al [14] used task graph to describe tasks and relations between tasks in DRE systems, and evaluate the performance of component based enterprise DRE systems and reduce time/effort in the integration phase. Liu et al[15] used a timed colored Petri Net-based modeling toolkit describes all specifications consistently and automatically generates component bridges for DRE system integration, and a grammar-based formalism specifies context behaviors and validates integrated systems using sufficient context-related test cases. Hugues et al [16] propose a DRE system design framework based on middleware technology, which use Petri nets for modeling and verification DRE system.
components of DRE software. The main contributions of this paper are: (1) we proposed a HDRE-net model to better describe DRE software, thus providing effective management to DRE systems; (2) summarizing the modeling process of DRE software in detail, such as task, resource and communication process; (3) analyzing the correctness of constructed model and related properties of DRE software, thus ensuring the correctness of design. Using this method to model and analyze the DRE systems has the following advantages: (1) with modular functionality and a high degree of reusability; (2) with a rigorous mathematical foundation, easy to analyze and verify the established model; (3) reduce the computational complexity.

The study of Distributed Real-time and Embedded systems is still underway at present. Our current research is focused on exploring formal method as means to improve its mapping into DRE’s architecture. The following two aspects are the main work in the next phase: (1) further improves this method, consider the fault-tolerant of each task to guarantee the system’s schedulability; (2) developing the corresponding tools to support the modeling.

ACKNOWLEDGMENT

This paper is supported by key Foundation of Shanghai Educational Committee (07ZZ164, 06OZ016), Foundation of Shanghai Institute of Technology (Computer science and technology), Fund of Key Laboratory of Shanghai Science and Technology (09DZ2272600).

REFERENCES


Liqiong Chen. She was born in 1982, Ph. D. candidate. Her research interests include distributed computing, embedded systems and formal methods.

Guisheng Fan. He was born in 1980, Ph. D. candidate. His research interests include service oriented computing, distributed computing and formal methods.

Yunxiang Liu. He was born in 1967, professor, Ph. D. supervisor, IEEE senior member. His research interests include software engineering, information security and formal methods.