A Compositional Approach for Schedulability Analysis of Distributed Avionics Systems
Abstract
This work presents a compositional approach for schedulability analysis of Distributed Integrated Modular Avionics (DIMA) systems that consist of spatially distributed ARINC653 modules connected by a unified AFDX network. We model a DIMA system as a set of stopwatch automata in Uppaal to verify its schedulability by model checking. However, direct model checking is infeasible due to the large state space. Therefore, we introduce the compositional analysis that checks each partition including its communication environment individually. Based on a notion of message interfaces, a number of message sender automata are built to model the environment for a partition. We define a timed selection simulation relation, which supports the construction of composite message interfaces. By using assume-guarantee reasoning, we ensure that each task meets the deadline and that communication constraints are also fulfilled globally. The approach is applied to the analysis of a concrete DIMA system.
Simon Bliudze and Saddek Bensalem (Eds): Methods and Tools for Rigorous System Design (MeTRiD 2018), EPTCS 272, 2018, doi:10.4204/EPTCS.272.4. © P. Han, Z. Zhai, B. Nielsen & U. Nyman. This work is licensed under the Creative Commons Attribution License.
Pujie Han, Zhengjun Zhai ({hanpujie,zhaizjun}@mail.nwpu.edu.cn)
Brian Nielsen, Ulrik Nyman ({bnielsen,ulrik}@cs.aau.dk)
1 Introduction
The architecture of Distributed Integrated Modular Avionics (DIMA) has been successfully applied in the aviation industry. A DIMA system installs standardized computer modules in spatially distributed locations[20] that are connected by a unified bus system[4] such as an AFDX network. Avionics applications residing on the modules run in ARINC653[2] compliant operating systems. The generic distributed structure of DIMA significantly improves performance and availability as well as reduces development and maintenance costs, while it also dramatically increases the complexity of schedulability analysis. A schedulable DIMA system should fulfil not only the temporal requirements of real-time tasks in each ARINC653 module but also communication constraints among the distributed nodes. As a result, the system integrators need to consider both computation and communication when analyzing the schedulability of a DIMA architecture.
Currently, model checking approaches have been increasingly developed in the schedulability analysis of complex real-time systems. However, we found no studies that analyzed the schedulability of distributed avionics systems as a whole including the network by model checking. The related research isolates computation modules from their underlying network, thereby considering these nodes as independent hierarchical scheduling systems or investigating the network in isolation, which possibly leads to pessimistic results. There have been works using model checking to analyze the temporal behavior of individual avionics modules in various formal models such as Coloured Petri Nets (CPN)[11], preemptive Time Petri Nets (pTPN)[6], Timed Automata (TA)[3], and StopWatch Automata (SWA)[17, 9], and verify schedulability properties via state space exploration. Unfortunately, when being applied to concrete avionics systems, all of them suffer from an inevitable problem of state space explosion. For hierarchical scheduling systems, some studies[7, 19, 5] exploit the inherent temporal isolation of ARINC653 partitions[2] and analyze each partition separately, but they ignore the behavior of the underlying network or the interactions among partitions. Thus, these methods are not applicable to DIMA environments in which multiple distributed ARINC653 partitions communicate through a shared network to perform an avionics function together.
In this paper, we present a compositional approach for schedulability analysis of DIMA systems that are modeled as Uppaal SWA, i.e. the TA extended with stopwatches. Compared with the clocks in TA, stopwatches can be blocked and resumed at any location and thus are effective in modeling task preemption. We decompose the system in such a way that we can check each ARINC653 partition including a model of its communication environment individually and then assemble the local results together to derive conclusions about the schedulability of an entire system. Thereby, we verify a number of smaller, simpler, abstract systems rather than directly verifying a larger, more complex, concrete system including the details about all the partitions and the network. The main contributions of this paper are summarized as follows:

A compositional approach performs assume-guarantee reasoning[13] to reduce the complexity of symbolic model checking in the schedulability analysis of DIMA systems.

An abstraction relation, timed selection simulation relation, allows users to create a set of abstract models that collectively describe the external behavior of a concrete model, thereby simplifying the abstraction in assume-guarantee reasoning.

A notion of message interfaces decouples the communication dependencies between partitions. By composing any partition with its related message interfaces and verifying safety properties of the composition, we can conclude that these properties are still preserved at the global level.
The rest of the paper is organized as follows. Section 2 gives the necessary formal notions. The Uppaal modeling of DIMA systems is presented in section 3. Section 4 gives the concept of timed selection simulation and its properties. In section 5, we detail the compositional analysis approach. Section 6 shows an experiment on a concrete DIMA system, and section 7 finally concludes.
2 Preliminaries
In this section, we present formal definitions including SWA with an input/output extension and its semantic object Timed I/O Transition Systems (TIOTSs)[10].
Suppose that is a finite set of clocks and is a finite set of integer variables. A valuation with denotes a mapping from to and from to . Let be the set of linear constraints. A guard is a linear constraint which is defined as a finite conjunction of atomic formulae in the form of , or with , and . Given any valuation , we change the values of clocks and integer variables using an update operation in the form of or where and , and is the set of all possible update operations. In addition, we define an action set . All the actions can be subsumed under two sets of unicast actions and broadcast actions . By contrast, denotes an internal action and .
Definition 1 (Stopwatch Automaton[8]).
A stopwatch automaton is a tuple where is a finite set of locations, is the initial location, is a finite set of clocks, is a finite set of integer variables, is a set of edges, is a finite set of actions divided into inputs() and outputs(), is a mapping , and is a mapping .
From a syntactic viewpoint, SWA belongs to the class of TA extended with , which can prevent part of the clocks from changing in specified locations semantically. We now shift the focus to the semantic object TIOTS of SWA.
In a TIOTS, there are two types of transitions: delay and action transitions. We use the set to denote the delay, and refer to the 0-delay as .
Definition 2 (Timed I/O Transition System).
A timed I/O transition system is a tuple where is an infinite set of states, is the initial state, is a finite set of actions divided into inputs() and outputs(), , and is a transition relation. represents , which has the properties of time determinism, time reflexivity, and time additivity[10].
For any SWA, a state is defined as a pair where is a location and is a valuation over clocks and integer variables. On the basis of TIOTSs, the operational semantics of SWA is defined as follows.
Definition 3.
The operational semantics of a stopwatch automaton is a timed I/O transition system where is the set of states of , is the initial state of , is the same set of actions as , and is the transition relation defined by

iff

iff .
For any transition , two symbols and denote the action belonging to input and output respectively. Given , iff , s.t. . or denotes the reflexive and transitive closure of . iff , or , s.t. and , s.t. or and .
The definition of parallel composition of TIOTSs is similar to that in [10]. Given two TIOTSs , they are compatible iff they satisfy the following conditions:

(Unique output) .

(Deterministic-pair unicast) .
Note that broadcast actions in the composition of TIOTSs are input-enabled: .
Definition 4 (Parallel Composition).
Suppose two timed I/O transition systems and are compatible. The parallel composition is the timed I/O transition system where , , , , , and is the largest relation generated by the following rules:

INDEPL:

DELAY:

SYNCIN:

SYNCBIO:

SYNCUIO:
We use to denote the set of TA and SWA in our modeling framework. For any , we define the composite model iff their TIOTSs satisfy .
3 Avionics System Modeling
We focus on a generic DIMA architecture including a set of ARINC653 modules connected by an AFDX network, as shown in Fig.1. There is a three-layer structure in the DIMA system that consists of scheduling, task, and communication layers.
The scheduling layer is defined as the scheduling facilities for generic computation resources of a DIMA system, where standardized computer modules execute concurrent application tasks in partitioned operating systems. In this operating system, partitions are scheduled by a Time Division Multiplexing (TDM) scheduler and each partition also has its local scheduling policy, preemptive Fixed Priority (FP), to manage the internal tasks[2]. The scheduling layer is modeled as two TA templates PartitionSupply and TaskScheduler in Uppaal (models available at http://eptcs.web.cse.unsw.edu.au/paper.cgi?MARSVPT2018:2). The PartitionSupply depicted in Fig.2 provides the service of TDM partitioning for a particular partition pid. The TaskScheduler implementing FP scheduling allocates processor time to the task layer only when the partition is active.
The task layer contains all the application tasks executing avionics functions. A task is regarded as the smallest scheduling unit, each of which runs concurrently with other tasks in the same partition. The execution of a task is modelled as a sequence of commands that are either computing for a duration, locking/unlocking a resource, or sending/receiving a message. We consider two task types: periodic tasks and sporadic tasks. A periodic task has a fixed release period, while a sporadic task is characterized by a minimum separation between consecutive jobs. The task layer is instantiated from two SWA templates PeriodicTask and SporadicTask in Uppaal. Since the tasks in a partition are scheduled by a task scheduler, we use a set of binary channels as scheduling actions to communicate between task models and TaskScheduler.
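The two-level scheduling described above (a TDM partition schedule inside a major time frame, preemptive FP among the tasks of the active partition, periodic and sporadic tasks) can be exercised with a small discrete-time simulator. This is an added example, not the paper's Uppaal templates: it fixes each computation time to a single value (the models use a BCET/WCET interval), releases sporadic tasks at their minimum separation, and uses a constructed two-partition workload; a deadline miss plays the role of the templates' error locations.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Task:
    name: str
    partition: int
    priority: int        # smaller number = higher priority (FP scheduling)
    period: int          # release period; for a sporadic task, the minimum separation
    exec_time: int       # computation demand of one job (single value, not a BCET/WCET interval)
    deadline: int        # relative deadline
    sporadic: bool = False


@dataclass(frozen=True)
class Window:
    partition: int
    offset: int          # offset from the start of the major time frame
    duration: int


@dataclass(eq=False)
class Job:
    task: Task
    release: int
    remaining: int
    abs_deadline: int


def active_partition(windows, major_frame, t):
    """TDM partition schedule: the partition that owns instant t, or None if idle."""
    phase = t % major_frame
    for w in windows:
        if w.offset <= phase < w.offset + w.duration:
            return w.partition
    return None


def simulate(tasks, windows, major_frame, horizon):
    """Run the system for `horizon` time units and return the deadline misses
    as (task name, release time) pairs in the order they are detected."""
    jobs, misses = [], []
    for t in range(horizon):
        # Task layer: periodic tasks are released every period; sporadic tasks are
        # released at their minimum separation, i.e. at their maximum arrival rate.
        for task in tasks:
            if t % task.period == 0:
                jobs.append(Job(task, t, task.exec_time, t + task.deadline))
        # A job that is still unfinished when its absolute deadline arrives is a
        # miss; in the paper's templates this is the step into an error location.
        for job in list(jobs):
            if t >= job.abs_deadline:
                misses.append((job.task.name, job.release))
                jobs.remove(job)
        # Scheduling layer: the TDM schedule selects the partition, then that
        # partition's preemptive FP scheduler selects its highest-priority job.
        pid = active_partition(windows, major_frame, t)
        ready = [j for j in jobs if j.task.partition == pid]
        if ready:
            job = min(ready, key=lambda j: (j.task.priority, j.release))
            job.remaining -= 1
            if job.remaining == 0:
                jobs.remove(job)
    return misses


# Constructed workload (not the paper's case study): two partitions, five tasks,
# a major frame of 10 time units split into two 5-unit windows.
MAJOR_FRAME = 10
TASKS = [
    Task("A", 1, 1, 10, 2, 10),
    Task("B", 1, 2, 10, 2, 10),
    Task("E", 1, 0, 10, 1, 10, sporadic=True),
    Task("C", 2, 1, 10, 3, 6),     # tight deadline: needs its window early in the frame
    Task("D", 2, 2, 10, 2, 10),
]
SCHEDULE_1 = [Window(1, 0, 5), Window(2, 5, 5)]   # partition 1 gets the first slot
SCHEDULE_2 = [Window(2, 0, 5), Window(1, 5, 5)]   # the two slots swapped


def check(schedule, frames=2):
    """Deadline misses of the constructed workload under a partition schedule."""
    return simulate(TASKS, schedule, MAJOR_FRAME, frames * MAJOR_FRAME)


if __name__ == "__main__":
    print("schedule 1 misses:", check(SCHEDULE_1))   # task C misses in every frame
    print("schedule 2 misses:", check(SCHEDULE_2))   # no misses
```

Swapping the two windows is the same kind of repair the case study in Section 6 applies: the tasks' demands do not change, only the position of each partition's slot within the major frame.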
The communication layer carries out inter-partition communication over a common AFDX network. The AFDX protocol stack realized by an End System (ES) interfaces with the task layer through ARINC653 ports. Based on the AFDX protocol structure, the communication layer is further divided into a UDP/IP layer and a Virtual Link layer, where a Virtual Link (VL) ensures an upper bound on end-to-end delay. In Uppaal, the UDP/IP layer is divided into two TA templates IPTx and IPRx, which calculate the latency of the UDP/IP layer in a transmitting ES and a receiving ES respectively. Similarly, two TA templates VLinkTx and VLinkRx model the delay of a VL in opposite directions.
From a global view of the system, its schedulability is also affected by the communication layer. According to the ARINC653 standard[2], there are two types of ARINC653 ports, sampling ports and queuing ports. A sampling port can accommodate at most a single message that remains until it is overwritten by a new message. A refresh period is defined for each sampling port. This attribute provides a specified arrival rate of messages, regardless of the rate of receiving requests from tasks. In contrast, a queuing port is allowed to buffer multiple messages in a message queue with a fixed capacity. However, the operating system is not responsible for handling overflow from the message queue.
In this paper, we verify the following three typical schedulability properties:

All the tasks meet their deadlines in each partition.

The refresh period of any sampling port is guaranteed.

The overflow from any queuing ports must be avoided.
The schedulability of an avionics system is described and verified as a safety property of the above TA/SWA models. We add a set of error locations to the templates. Once schedulability is violated, the related model will lead itself to one of the error locations immediately. Thus, the schedulability is replaced with this safety property :
(1) 
which belongs to a simplified subset of TCTL used in Uppaal.
However, since the verification algorithm inside Uppaal for SWA introduces a slight over-approximation[8] (exact reachability for SWA with more than 3 stopwatches is known to be undecidable[8]), Uppaal may sometimes give the verification result “Maybe satisfied” or “May not be satisfied”. To further refine the result in this case we manually analyse the possible counterexample using Uppaal’s concrete simulator to determine if the system is unschedulable. Alternatively, the statistical model checking (SMC) engine could be invoked to attempt an automatic falsification. In our experience, this result only appears when the system is on the very borderline of being schedulable.
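The two communication-layer constraints listed above (the refresh period of a sampling port and the absence of overflow in a queuing port) can be checked on a message trace once network latency is taken into account. This is an added example, not part of the paper's models: it assumes a VL delivers frames in FIFO order (a delayed frame holds back the ones behind it), treats the gap between consecutive arrivals as the refresh-period check, and uses constructed send instants, latencies and receive instants.

```python
def deliver(send_times, latencies):
    """Arrival instants of messages sent over one VL. Assumption: the VL is FIFO,
    so a message cannot arrive before the one sent ahead of it."""
    arrivals, last = [], 0
    for sent, lat in zip(send_times, latencies):
        last = max(last, sent + lat)
        arrivals.append(last)
    return arrivals


def sampling_port_violations(arrivals, refresh_period):
    """Pairs of consecutive arrivals whose gap exceeds the sampling port's refresh
    period, i.e. intervals during which the port holds a stale message."""
    return [(a, b) for a, b in zip(arrivals, arrivals[1:]) if b - a > refresh_period]


def queuing_port_overflows(arrivals, receive_times, capacity):
    """Arrival instants that find the queuing port full. Assumption: at equal
    instants an arrival is processed before a receive (the pessimistic order)."""
    events = sorted([(t, 0) for t in arrivals] + [(t, 1) for t in receive_times])
    queued, overflows = 0, []
    for t, kind in events:
        if kind == 0:                     # message arrives from the network
            if queued == capacity:
                overflows.append(t)       # ARINC653 leaves overflow handling to the application
            else:
                queued += 1
        elif queued > 0:                  # the receiving task takes one message
            queued -= 1
    return overflows


# Constructed scenario: a periodic sender (period 10) feeding a sampling port with
# refresh period 12; the third frame is delayed in the network.
SENDS = [0, 10, 20, 30]
LATENCIES = [2, 2, 14, 6]
REFRESH_PERIOD = 12


def sampling_case():
    arrivals = deliver(SENDS, LATENCIES)          # [2, 12, 34, 36]
    return sampling_port_violations(arrivals, REFRESH_PERIOD)


def queuing_case():
    # Four messages arrive back to back into a queuing port of capacity 2 before
    # the receiving task runs at instants 5 and 6.
    return queuing_port_overflows([1, 2, 3, 4], [5, 6], capacity=2)


if __name__ == "__main__":
    print("refresh-period violations:", sampling_case())   # [(12, 34)]
    print("queuing-port overflows:", queuing_case())       # [3, 4]
```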
4 Timed Selection Simulation
We propose a notion of timed selection simulation relation to support assumeguarantee reasoning. Compared with some other abstraction relations like timed simulation[16] and timed ready simulation[15], timed selection simulation only abstracts a selected subset of actions from the concrete model. Applying timed selection simulation to the abstraction of a concrete system, one can pay attention to part of the system, individually model the behavior of each component, and thereby obtain a composite abstract model rather than a monolithic one.
Considering the semantic object of an automaton , we denote the error states of by the set where is the error-location set of . Thus, for any TIOTS , its error states are defined as a set , and the following function indicates whether a state has violated schedulability properties:
(2)
Given two compatible TIOTSs with the error-state set , their composition has the error-state set and the function .
Based on the function , the formal definition of timed selection simulation is given as follows.
Definition 5 (Timed Selection Simulation).
Let and be two timed I/O transition systems with . Let R be a relation from to . We call R a timed selection simulation from to , written via , provided and for all , and

if for some , , then such that and

if for some , , then such that and

if for some , , then such that and

if for some , , then such that and
Definition 6.
Let be stopwatch automata. We say that , if and only if their corresponding timed I/O transition systems satisfy .
We now give some necessary properties of timed selection simulation.
Theorem 1.
Timed selection simulation is a preorder.
For any automaton , by construction, the reachability of its error locations is equivalent to that of the error states in the corresponding TIOTS . Hence the following theorem shows that timed selection simulation can preserve the satisfaction of the safety properties in the form of Eq.(1).
Theorem 2 (Property preservation).
Let be timed I/O transition systems and be the set of error states of . Given a safety property that any error states are not reachable, if and , then .
Theorem 3 (Abstraction compositionality).
Let be timed I/O transition systems. If , , and and are compatible, then .
Theorem 4 (Compositionality).
Let , be timed I/O transition systems. Suppose and are the parallel compositions of compatible timed I/O transition systems. If , and , then .
5 Compositional Analysis
We apply assume-guarantee reasoning to the schedulability analysis, and describe the schedulability goal as a safety property (Eq.(1)). As shown in Fig.3, our compositional analysis comprises the following four steps:

Decomposition: The system is first decomposed into a set of communicating partitions modeled by TA and SWA. The global property is also divided into several local properties, each of which belongs to one partition.

Construction of message interfaces: We define message interfaces as the assumption and abstraction of the communication environment for each partition. In general, the templates of message interfaces should be built manually by the engineers.

Model checking: The local properties under the assumptions and the abstraction relations are verified by model checking.

Deduction: From the assume-guarantee rules, we finally derive the global property by combining all the local results.
The procedure can be performed automatically except for the initial construction of message interfaces. We assume that a task never blocks while communicating with other partitions, an assumption commonly adopted in avionics systems[12, 7]. Otherwise a loop of communication dependencies would cause circular reasoning, because the assumptions of a partition might recursively depend on its own state.
5.1 Decomposition
Assume that there are constituent partitions in a system. Let be the SWA composite model of a partition. Let be the error-location set of . The safety property : denotes the schedulability of . The global property is therefore written as , and the goal of our schedulability analysis is expressed as the verification problem:
(3) 
that can be further divided into satisfaction relations:
(4) 
Since the error-location set is only allowed to be manipulated by , we check each partition model independently for the corresponding local property instead of the original verification problem with a large and complex system. However, the communication environment of , which denotes the behavior that receives messages from other partitions, may affect the satisfaction of the schedulability property . Hence when performing the verification for partition , one needs to give the assumptions of its communication environment and verify the local property under these assumptions.
5.2 Construction of message interfaces
A set of TA models is created to describe the message-sending behavior of a partition. Each of the TA is called a message interface of this partition and is associated with a particular message type. Suppose there are a number of messages sent from partition to another partition and their corresponding message interfaces make up a composite TA model . When we analyze in the compositional way, it should be safe for to replace . Hence, we say that a message interface of is an abstraction of .
Our abstraction of the message delivery between a partition and its underlying network is modelled using broadcast synchronization. A broadcast action represents a specific message type. Let be the action set of a composite model for any partition . An action (resp. ) denotes that receives (resp. sends) messages with the type from (resp. to) other partition(s). The symbol represents the condition that there exists a partition sending messages to via an action set .
Definition 7 (Message Interface).
Let be the output action set of a stopwatch automaton . For any output action , the timed automaton with an action set is a message interface of if and only if there exists a timed selection simulation relation on such that
(5) 
We build the templates of message interfaces in accordance with the characteristics of message-sending actions. In practice, the structure of an interface can be designed straightforwardly from the task specification. The template in Fig.4 shows a message interface that sends messages periodically via the action array pmsg. Then we run an automated binary search for the interface’s parameters such as offset in the template and meanwhile check the satisfaction of the timed selection simulation relation.
The message interfaces can serve as the assumptions of the communication environment of a partition. The composition of the message interfaces for all provides with a “complete” abstraction of , which models the behavior of all the output actions from to . According to the abstraction compositionality (Theorem 3) of the preorder , we have
(6) 
Considering all the partitions except in the system, we describe the communication environment of as the composite model .
5.3 Model checking
In the third step, the local property of under assumption can be verified by model checking. We denote these subproblems by
(7) 
Normally, in Eq.(7) has a much smaller model size than its corresponding partition model in Eq.(4). Thus, the compositional approach allows us to verify a simpler abstract partition model instead of a complex concrete system model including the details about all the partitions.
In addition, we capture the computation time of each task as an interval between a best-case and a worst-case execution time. When analyzing the schedulability of a partition, the model checker explores all scheduling decisions that can be made in such an interval, and hence also examines possible cases of scheduling timing anomalies[18].
5.4 Deduction
We derive the global property by combining local results in the last step. For any schedulable system, each property should be concluded from the satisfaction of Eq.(7) under assumptions and all the abstraction relations of Eq.(6). According to the compositionality (Theorem 4) and property preservation (Theorem 2) of timed selection simulation, we have the following assume-guarantee rule:
(8)
Note that this assume-guarantee rule only provides a sufficient schedulability condition, because abstract message interfaces might slightly over-approximate the external behavior of a partition.
A simplified DIMA system exemplifies the reasoning procedure. In the example, the system model is decomposed into three partitions . We divide the global property into three local properties . Accordingly, the goal of the verification problem is to check
(9) 
From Eq.(4), this problem can be replaced with three subproblems:
(10) 
Without loss of generality, we take the verification of for example to show how the modelchecking and deduction are carried out in the following steps.
Assume that sends two types of messages, and , via two actions and respectively, and sends only a with action . We create one message interface (like Eq.(5)) for each message type received by in the system. The abstraction relations from Eq.(5) can be expressed as
(11) 
From abstraction compositionality of the preorder , we can obtain
(12) 
Then, from reflexivity and compositionality of the preorder , the composite model of the system satisfies
(13) 
Note that when we apply the compositionality to checking a partition , any output actions sent to will never be removed in abstraction relations (Eq.(12)), which satisfies the condition (2) of theorem 4.
Since Eq.(15) covering all three partitions in the system has a higher complexity than Eq.(14), the techniques of model checking can be adopted to verify the simpler problem Eq.(14) instead of the original goal Eq.(15). The same steps will be repeated for local properties and .
Consequently, we conclude all the local results of (10) according to the reasoning process from Eq.(11) to Eq.(15). When we analyze the partition and its communication environment, the local result of Eq.(15) can be deduced from Eq.(11) and Eq.(14) in the following assume-guarantee rule.
(16) 
The local results are then combined to constitute the global result of Eq.(9).
6 Case Study
In this section, we apply the compositional approach to an avionics system which combines the workload of [7] and the AFDX configuration of [14]. The workload consists of 5 partitions, which are further divided into 18 periodic tasks and 4 sporadic tasks. Considering the inter-partition messages in the workload, we assign each message type a separate VL with the same subscript. The messages of and are handled at the refresh period in sampling ports. and are configured to operate in queuing ports, each of which can accommodate a maximum of one message.
As shown in Fig.5, we consider the distributed architecture that comprises 3 ARINC653 modules connected by an AFDX network. The module accommodates and , the module executes and , and the partition is allocated to . There are 4 VLs  connecting 3 ESs across 2 switches and in the AFDX network. The arrows above VLs’ names indicate the direction of message flow.
The avionics system equips each of its processor cores with a partition schedule. Assume the modules in the experiment to be single-processor platforms. Fig.5 gives the partition schedules, which fix a common major time frame at and allocate to each partition within every . All the partition schedules are enabled at the same initial instant. The scheduling configuration keeps the temporal order of the partitions in [7]. Hence the partition schedules contain five disjoint windows , , , , and , where the second parameter is the offset from the start of and the last one the duration.
We analyze the schedulability of this avionics system following the procedure in section 5:
(1) Decomposition: The system is first decomposed into five sets of SWA template instances corresponding to five partitions. The schedulability of any partition is described as the Uppaal query :
(17) 
where the boolean variable perror[i] should be assigned to True once any error locations are reached in . When analyzing the schedulability of , we only instantiate the set of SWA template instances of into Uppaal processes. This set contains two scheduler models coming from PartitionSupply and TaskScheduler, all the PeriodicTask and SporadicTask models in , and the communication layer models from which receives messages.
(2) Construction of message interfaces: The message interfaces are constructed from the template depicted in Fig.4, since all the messages originate in periodic tasks. There are four unknown parameters period, initOffset, offset, and jitter in the template. Initially, the parameters of a message interface are set to the same values as those of the source task. Then we employ a binary search to heuristically refine offset and jitter, meanwhile guaranteeing that a timed selection simulation relation exists.
(3) Model checking: The schedulability of the five partitions is checked individually. After combining the models of and its message interfaces, we verify the property by model checking in Uppaal. The verification was repeated for each partition to evaluate the schedulability of the complete system. The experiment was executed on the Uppaal 4.1.19 64-bit version and an Intel Core i7-5600U laptop processor.
(4) Deduction: According to the assume-guarantee rule described in Eq.(8), we conclude the schedulability of the complete system from the results of the verification of the five partitions.
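The parameter refinement of step (2) above, and of Section 5.2, can be mirrored as a binary search over offset and jitter. This is an added example, not the paper's tooling: it assumes the interface of Fig.4 sends its k-th message somewhere in [initOffset + k*period + offset, initOffset + k*period + offset + jitter] (an assumption about the template's semantics), and it replaces Uppaal's timed selection simulation check with a trace-admission oracle over constructed send instants of the source task, one trace per execution-time variant.

```python
def admits(period, init_offset, offset, jitter, traces):
    """Trace-admission oracle standing in for the timed selection simulation
    check: every observed send instant t_k (k-th message of a trace) must fall
    inside the interface's k-th send window."""
    for sends in traces:
        for k, t in enumerate(sends):
            earliest = init_offset + k * period + offset
            if not earliest <= t <= earliest + jitter:
                return False
    return True


def largest_true(lo, hi, pred):
    """Largest x in [lo, hi] with pred(x), for a pred that is True on a prefix
    of the range; None if pred(lo) is already False."""
    if not pred(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if pred(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def smallest_true(lo, hi, pred):
    """Smallest x in [lo, hi] with pred(x), for a pred that is True on a suffix
    of the range; None if pred(hi) is already False."""
    if not pred(hi):
        return None
    while lo < hi:
        mid = (lo + hi) // 2
        if pred(mid):
            hi = mid
        else:
            lo = mid + 1
    return lo


def refine_interface(period, init_offset, traces, max_jitter=None):
    """Tightest (offset, jitter) for which the interface still admits every
    trace; None if no interface within the bounds does. Both searches are
    monotone: lowering the offset or raising the jitter only adds behaviour."""
    max_jitter = 2 * period if max_jitter is None else max_jitter
    # Phase 1: push the offset up as long as no send is observed before its window
    # opens (a huge jitter makes the upper end of the window irrelevant here).
    offset = largest_true(0, period,
                          lambda o: admits(period, init_offset, o, 10**9, traces))
    if offset is None:
        return None
    # Phase 2: with that offset, shrink the jitter to the smallest admitting value.
    jitter = smallest_true(0, max_jitter,
                           lambda j: admits(period, init_offset, offset, j, traces))
    if jitter is None:
        return None
    return offset, jitter


# Constructed send instants of a periodic source task (period 10, initOffset 0)
# observed under two execution-time variants (a BCET-like and a WCET-like run).
TRACES = [
    [3, 13, 23, 33, 43, 53],
    [4, 15, 24, 35, 43, 54],
]


def example():
    """Interface parameters for the constructed traces: offset 3, jitter 2."""
    return refine_interface(10, 0, TRACES)


if __name__ == "__main__":
    print("refined (offset, jitter):", example())
```

With the model checker as oracle, each `admits` call becomes one Uppaal query for the timed selection simulation relation, which is why the paper searches rather than computing the bounds directly.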
Results of the Analysis
The result in Table 1 shows that each partition is separately schedulable (the results “Yes” of Case 1) except the partition (the result “No”). From a global view, we cannot conclude directly that the system is non-schedulable, because the compositional approach described in section 5 only provides a sufficient condition for schedulability. Nevertheless, we find a counterexample by simulation in Uppaal, and thus it can be concluded that the current system is not schedulable. The counterexample shows that violates the constraint of the refresh period of due to network latency.
Considering the effect of network latency on the scheduling configuration, we updated the partition schedules by performing a swap of time slots between and . The modified partition schedules provide five windows , , , , and . The compositional analysis of the updated system was executed again. The result (Case 2 in Table 1) shows that all the partitions of the updated system are individually schedulable. Thus, the updated system finally achieves the schedulability at the global level.
Table 1 also shows the performance in terms of execution time and memory usage. In both cases, the partition contains more instantiated models (19 processes) than the other four partitions. As a result, modelchecking runs evidently slower and requires more memory than the others. Nevertheless, the compositional analysis could be performed on ordinary computers within an acceptable time.
Compared with the compositional way, global analysis based on the same Uppaal models would require 51 processes including all the 22 task models, whose state space is much more complex than the others. This causes Uppaal to run out of memory within a few minutes, and thus makes the global analysis infeasible. In contrast, the compositional approach only requires at most 5 task models when we perform model checking, offering effective state space reduction.
7 Conclusion
In this paper, we present a compositional approach for schedulability analysis of DIMA systems, which are modeled as a set of stopwatch automata in Uppaal, describing schedulability as safety properties of the models. We check each ARINC653 partition including its communication environment individually, thereby reducing the complexity of model checking. The techniques presented in this paper are applicable to the design of DIMA scheduling systems. We have applied the compositional approach to a concrete DIMA system. As future work, we plan to develop a model-based approach to the automatic optimization and generation of the partition schedules of a DIMA system.
Table 1: Results of the compositional analysis (Case 1: original partition schedules; Case 2: updated partition schedules)

No.   Case 1                        Case 2
      Result   Time     Mem         Result   Time     Mem
      Yes      7.46     146         Yes      6.07     105
      Yes      0.95     46          Yes      1.10     52
      No       42.94    664         Yes      256.48   3041
      Yes      0.69     43          Yes      0.68     43
      Yes      19.41    509         Yes      128.56   2041
References
[1]
[2] AEEC (2010): Avionics application software standard interface: part 1 - required services. ARINC Specification 653P1-3, Aeronautical Radio Inc.
[3] Tobias Amnell, Elena Fersman, Leonid Mokrushin, Paul Pettersson & Wang Yi: TIMES: a tool for schedulability analysis and code generation of real-time systems. In: FORMATS 2003, doi:http://dx.doi.org/10.1007/978-3-540-40903-8_6.
[4] Björn Annighöfer & Frank Thielecke (2014): A systems architecting framework for distributed integrated modular avionics. DGLR, doi:http://dx.doi.org/10.1007/s13272-015-0156-1.
[5] Jalil Boudjadar, Kim Guldstrand Larsen, Jin Hyun Kim & Ulrik Nyman: Compositional schedulability analysis of an avionics system using UPPAAL. In: AASE 2014.
[6] Laura Carnevali, Giuseppe Lipari, Alessandro Pinzuti & Enrico Vicario: A formal approach to design and verification of two-level hierarchical scheduling systems. In: RST 2011, doi:http://dx.doi.org/10.1007/BF00360340.
[7] Laura Carnevali, Alessandro Pinzuti & Enrico Vicario (2013): Compositional verification for hierarchical scheduling of real-time systems. IEEE Transactions on Software Engineering 39(5), pp. 638–657, doi:http://dx.doi.org/10.1109/TSE.2012.54.
[8] Franck Cassez & Kim Larsen: The impressive power of stopwatches. In: CONCUR 2000, doi:http://dx.doi.org/10.1007/3-540-44618-4_12.
[9] Franco Cicirelli, Angelo Furfaro, Libero Nigro & Francesco Pupo: Development of a schedulability analysis framework based on pTPN and UPPAAL with stopwatches. In: DSRA 2012, doi:http://dx.doi.org/10.1109/DSRT.2012.16.
[10] Alexandre David, Kim G Larsen, Axel Legay, Ulrik Nyman & Andrzej Wasowski: Timed I/O automata: a complete specification theory for real-time systems. In: HSCC 2010, doi:http://dx.doi.org/10.1145/1755952.1755967.
[11] RB Dodd (2006): Coloured petri net modelling of a generic avionics mission computer. Technical Report, DTIC.
[12] Arvind Easwaran, Insup Lee, Oleg Sokolsky & Steve Vestal: A compositional scheduling framework for digital avionics systems. In: RTCSA 2009, doi:http://dx.doi.org/10.1109/RTCSA.2009.46.
[13] Orna Grumberg & David Long (1994): Model checking and modular verification. TOPLAS 16(3), pp. 843–871, doi:http://dx.doi.org/10.1145/177492.177725.
[14] J Javier Gutiérrez, J Carlos Palencia & Michael González Harbour (2014): Holistic schedulability analysis for multipacket messages in AFDX networks. Real-Time Systems 50(2), doi:http://dx.doi.org/10.1007/s11241-013-9192-2.
[15] Henrik Jensen (1999): Abstraction-based verification of distributed systems. Ph.D. thesis, Aalborg University.
[16] Henrik Jensen, Kim Larsen & Arne Skou: Scaling up UPPAAL. In: FTRFS 2000, doi:http://dx.doi.org/10.1007/3-540-45352-0_4.
[17] Marius Mikučionis, Kim Larsen, Jacob Rasmussen, Brian Nielsen, Arne Skou, Steen Palm, Jan Pedersen & Poul Hougaard: Schedulability analysis using UPPAAL: Herschel-Planck case study. In: ISoLA 2010, doi:http://dx.doi.org/10.1007/978-3-642-16561-0_21.
[18] Jan Reineke, Björn Wachter & Stefan Thesing et al.: A definition and classification of timing anomalies. In: WCET 2006.
[19] Youcheng Sun, Giuseppe Lipari, Romain Soulat, Laurent Fribourg & Nicolas Markey: Component-based analysis of hierarchical scheduling using linear hybrid automata. In: RTCSA 2014, doi:http://dx.doi.org/10.1109/RTCSA.2014.6910502.
[20] Guoqing Wang & Qingfan Gu: Research on distributed integrated modular avionics system architecture design and implementation. In: DASC 2013, doi:http://dx.doi.org/10.1109/dasc.2013.6712647.