Hardware-Software Coverification of Concurrent Embedded Real-Time Systems

Pao-Ann Hsiung
Institute of Information Science, Academia Sinica, Taipei, TAIWAN.
E-mail: eric@iis.sinica.edu.tw

Abstract

The results of hardware-software co-design of concurrent embedded real-time systems are often not verified or not easily verifiable. This has serious consequences when high-assurance systems are codesigned. The main difficulty lies in the different time-scales of the embedded hardware, of the embedded software, and of the environment. This difference makes hardware-software coverification not only a difficult task for most systems, but has also restricted coverification to the initial system specifications. Currently, most codesign tools or methodologies only support validation in the form of cosimulation and testing of design alternatives. Here, we propose a new formal coverification method based on linear hybrid automata. The basic problems found in most coverification tasks are presented and solved. For complex systems, a simplification strategy is proposed to attack the state-space explosion occurring in formal coverification. Experimental results show the feasibility of our approach and the increase in verification scalability through the application of the proposed method.

1. Introduction

An embedded real-time system is one which is installed within a larger system called the environment. It is generally a compact, task-oriented, and budget-limited system. It has to satisfy timing constraints as well as cost limits. Hence, embedded real-time systems usually have both hardware and software interacting with each other to accomplish a specific task. Hardware tries to satisfy timing constraints, and software reduces the overall cost and provides design flexibility. The presence of both hardware and software incurs difficulties in verifying an embedded real-time system. Some common obstacles faced are: the lack of a formal method that can specify both hardware and software, the different time scales of the hardware, the software, and the environment, the requirement of communication protocols between hardware and software, synchronization mechanisms in hardware-software interfaces, and the lack of a formal verification technology devoted to hardware-software coverification. After a careful analysis of possible verification techniques and a survey of existing approaches, we felt the need of proposing a new coverification method that can tackle some of the above problems and at the same time has the potential of scaling to industrial processes.

The three different time scales of an embedded system and its environment posed a great problem in previous approaches (see Section 2). The differing time scales lead to an explosion of state-space during model composition for coverification. Hybrid automata, as defined later in Section 3, were proposed for modeling hybrid systems [2]. Not only can each hybrid automaton have a different time scale, but a hybrid automata can also have different time scales within each location (collection of states). This feature allows the modeling of a multi-rate system that has several timers with different progress rates. In the hardware-software context, this means not only can we model a single chip hardware (1-ASIC) and a uniprocessor software (1-CPU), but also multi-chip hardware (n-ASIC) and multiprocessor software (m-CPU), where n > 0 and m > 0.

It is well-known that a protocol or any other control-related system is best modeled by Finite State Machines (FSM) [18]. The states and transitions occurring in protocols or controllers can be explicitly and formally specified by FSM. The theory of formal verification has a large part based on FSM. Further, hardware-software systems either require communication protocols for message-passing or shared memory for synchronization. For the above two reasons, if a complete hardware-software system is modeled by FSM, then there is no need of specifying the interfaces separately. Hybrid automata are another extension of FSM.

Another reason for using the hybrid automata model is that an embedded digital system can always be perceived as a linear system, that is, the clock rates are all linear. The verification theory for linear hybrid automata was proposed by Alur et al in [2] and already implemented in the HyTech tool [17]. Our contribution mainly lies in modeling embedded digital systems using the linear hybrid automata model, demonstrating how basic coverification problems can be solved, experimenting with real examples, and proposing
a simplification strategy for coverifying complex systems.

This article is organized as follows. Section 2 describes some related and previous work. Section 3 gives the formal definition of a hybrid automaton and describes how an embedded system can be modeled by a network of hybrid automata. Section 4 presents some elementary commonly-found coverification problems and how they are solved. A simplification strategy is also presented for coverifying complex systems. Section 5 presents an Ethernet Bridge case study illustrating our coverification concepts and method. Section 6 concludes with some future work.

2. Previous Work

In the recent few years, due to computer technology revolution, the widespread use of computers, and the obvious benefits of installing a computing processor within a system, embedded systems have taken advantage of this trend. Large systems can now significantly decrease their overall cost by designing parts of embedded systems as software executing on a general-purpose computation processor. This cost reduction is desirable, but it has also created a new few problems of its own such as the need for a communication protocol between the hardware and software parts, more complicated fault-tolerance problems, the myth that software can be easily changed, without any heavy consequences, and coverification problems.

Codeign is an emerging field of research that deals with designing systems that have both hardware and software. In the past few years, several codesign methodologies were proposed, such as COSMOS [12], TOSCA [4], ECOS project [1], LOTOS-based codesign [22], CMAPS [19] to name a few. Codesign tools also abound, such as SpecSyn [14], Ptolemy, and Polis [5] all three of UC Berkeley, VULCAN [15] of Stanford University, COSYMA [13] of Braunschweig University, CODES [8] of Siemens, Tyndex of INRIA, SAW of CMU, COWARE of IMEC, and CHRONO [11] of Washington University. Either a combined programming language such as VHDL with C and HardwareC, or some formal specification language such as LOTOS, ETOILE, Estere, graphical FSM, CSP, etc. are used for specifying embedded systems. Formal techniques have often been limited to the specification stage since formal verification of the system specification in LOTOS [22].

From the above, most codesign methodologies or tools currently validate the codesigns produced, instead of verifying them. Validation occurs in the form of cosimulation and testing. Coverification, although difficult, should not be neglected, especially in high-consequence systems such as nuclear projects, safety systems, etc. The main problems faced in coverifying a design such as different time-scales, etc. were presented in Section 1. Below, we briefly mention two formal models that have been used for coverification and/or codesign, namely CFMS and IPN.

Codesign FSM (CFMS) [9, 10, 6] is a formal model used in the POLIS codesign tool [5]. Coverification is performed by translating CFMS into traditional FSM and existing FSM-based verification techniques applied. The problem of different time scales is not solved because traditional FSM either have no notion of time or their extension such as Timed Automata [3] allow specification of clocks with a single uniform rate only.

Interpreted Petri Nets (IPN) were used for synthesizing interfaces in [23]. Temporal constraints were specified by asserting a delay to a place in IPN. But, the delays occurring in a multi-rate system must be transformed into a common base rate. This transformation is not always ideal or straightforward.

Both CFMS and IPN have the same problem of having to handle different time scales, either for coverification or codesign. The hybrid automata model we use for formal coverification solves the problem of different time-scales and at the same time automatic coverification can be performed. We will show how using this model, several coverification problems are solved.

Further, existing real-time system verification tools such as Uppaal [7], SGM (State-Graph Manipulators) [20, 24], and others do not explicitly distinguish hardware and software verification. Since our model is based on hybrid automata, we use the HyTech tool [17] developed by Henzinger, et al. HyTech is a tool for verifying hybrid systems.

3. Hybrid Automata Model

The hardware-software timing coverification approach proposed in this article is mainly based on the hybrid automata model. There are various reasons for using such a model as given in Section 1. In this section, hybrid systems are defined and illustrated with examples, the hybrid automata model is formally defined, and different system models for hardware-software coverification are proposed.

The hybrid automata model was initially proposed for hybrid systems. A hybrid system consists of a discrete program with an analog environment [2]. For example, a thermostat which controls the temperature of a room by sensing the temperature and controlling a heater is a hybrid system because when the heater is off the temperature decreases with a rate of $-K_x$ and when the heater is on, the temperature changes with a rate of $K(h-x)$, where $K$ is a constant related to the room and $h$ is a constant related to the power of the heater. The specification for the thermostat is that the temperature should be maintained between $m$ and $M$ degrees ($0 < m < M$). Other examples of hybrid systems include a water-level monitor, timed mutual-exclusion protocol, leaking gas burner, and a game of billiards [16, 17]. Hybrid systems can also be composed in parallel. Linear
hybrid systems are hybrid systems that have their activities, invariants, and transition relations all expressed as linear expressions on the system variables [2].

A hybrid automaton can be formally defined as follows.

**Definition 1 Hybrid Automaton (HA)**
A hybrid automaton (HA) is a tuple $H = (L, V, B, E, \alpha, \eta)$ such that: $L$ is a set of locations, $V$ is a set of variables, $B$ is a set of synchronization labels, $E$ is a set of edges called transitions, $E = \{e = (l, b, \mu, \mu'), l, l' \in L, b \in B, \mu \subseteq \mathcal{Y}^2\}$, where $\mathcal{Y}$ is the set of all valuations of the variables in $V$, $\alpha$ is a labeling function that assigns to each location a set of activities which are time-invariant, and $\eta$ is a labeling function that assigns to each location $l \in L$ an invariant condition $\eta(l) \subseteq \mathcal{Y}$.

A state of a hybrid automaton $H$ is a pair $(l, v)$, where $l \in L$ and $v$ is a valuation of the variables in $V$. A run of $H$ is a finite or infinite sequence

$$\rho : \sigma_0 \rightarrow \tau_0 \rightarrow \sigma_1 \rightarrow \tau_1 \ldots$$

where $\sigma_i = (l_i, v_i)$, $t_i \in \mathcal{R}^0$, $f_i \in \alpha(l_i)$, $f_i(0) = v_i$, $f_i(t) \in \eta(l_i)$ for $0 \leq t \leq t_i$, and $\sigma_{i+1}$ is a transition successor of $\sigma_i' = (l_i, f_i(t_i))$.

An embedded system with hardware and software can be mapped into a network of linear hybrid automata (LHA). In the simplest case, one hybrid automaton represents the hardware and one represents the software. The hardware and software interfaces are modeled into the hardware hybrid automaton (HHA) and the software hybrid automaton (SHA), respectively. Another form of modeling could be mapping hardware into several LHA each representing some physical hardware component and software into several LHA each representing a software process.

In the following, two different models are proposed for the two types of embedded system architectures found today, namely, 1-ASIC/1-CPU and multi-ASIC/multi-CPU. How the models can be interchangeably used is explained.

### 3.1. Simple Model

This model consists of only two LHA, one representing the hardware and one the software. This model is suitable for 1-ASIC/1-CPU embedded systems because there are only two clock rates: one for the ASIC and one for the CPU executing the software. If the interaction of the embedded system with its environment is to be verified then one more LHA is specified for modeling the environment. Synchronization between the hardware and the software is achieved by declaring synchronization labels on transitions of the LHA. A more complex system consisting of $n$-ASIC$m$-CPU ($n, m > 0$) can also be modeled using the simple model, but the verification accuracy have to be traded-off for model simplicity and verification scalability because the clock rates are now declared as ranges instead of a single value. The rate range for hardware must cover all the $n$ ASICs' clock rates and the rate range for the software must cover all the $m$ CPUs' clock rates. In this case, the simple model can only guarantee that if the hardware and the software clock rates are within that range, then the system is correct or feasible, but it does not guarantee correctness or safeness for specific rate values. The network model as presented in the following will be a more accurate one for such systems.

An example of a simple model is given in Fig. 1 which models a generic hardware/software system where the hardware waits for a specific period of time for response from the software. The hardware times out if the software does not respond within the time limit.

### 3.2. Network Model

This model consists of more than two LHA, where either the hardware or the software or both are represented by collections of LHA. This model is suitable for an $n$-ASIC$m$-CPU system, where each ASIC and each CPU can be represented by one LHA. In this case, there would be $n + m$ LHA in the network model. If the number of LHA is too large and thus affects verification, then a more compact model can be obtained by modeling each type of ASIC and each type of CPU by a single LHA. Assuming that there is a small number of different types of ASICs and CPUs, then the network model would be more manageable and verifiable. Although synchronizations among the hardware and the software components can again be achieved by synchronization labels as in the simple model, yet due to the complex behavior of the system, communication protocols are used instead. A communication protocol is modeled by an individual LHA, so as to maintain modularity and ease of verification. If two or more codesign alternatives, produced as a result of some codesign methodology, were similar in respects except for the communication protocol used in the hardware-software interface, then the network model can be easily reused by just replacing the LHA representing the communication protocol by a new one.

### 4. Covertification Techniques

Using the hybrid automata model for an embedded system, solution techniques are proposed for some commonly-found covertification problems. The five commonly-found elementary covertification problems presented here include: Software Synchronization, Hardware Synchronization, Software Concurrency, Hardware Concurrency, and Integrated Codesign Alternative Verification. A systematic simplification technique called SHIV (Software-Hardware-Interface...
Verification) is also presented for verifying complex systems. SHIV decomposes the LHA models into three parts, namely the software, the hardware, and the interface, and ensures that a system is safe by verifying each part.

4.1. Software Synchronization

In most embedded systems, the software accomplishes some tasks that are costly for the hardware. Often, the hardware makes a request to the software for performing a task and waits for the software to respond. Blocking synchronization is assumed throughout this article because embedded systems are generally synchronous. Asynchrony increases complexity and embedded systems usually cannot afford it. The hardware after making a request waits for a pre-specified period of time, as determined by the system specification or the co-design methodology. If the time limit is reached and the software has not yet responded, the hardware enters a dangerous ambiguous state and the system is unsafe. Coverage must ensure that all such software synchronizations are successful for the given different time scales of the hardware and the software.

Figure 1 shows a LHA simple model of a software synchronization. The hardware has a relative clock rate of \([5/6, 7/6]\) and the software \([3/4, 4/5]\). Running the model using the HyTech tool, we found that software synchronization is guaranteed only if \(9h_{\text{max}} \geq 14s_{\text{min}}\). Further analysis shows that if \([h_t, h_u]\) and \([s_t, s_u]\) were the hardware and software clock rates, respectively, then the condition for software synchronization is a parametric expression:

\[ s_t h_{\text{max}} \geq h_u s_{\text{min}} \quad (2) \]

where \(h_{\text{max}}\) is the maximum time the hardware, after making a request, will wait for the software response and \(s_{\text{min}}\) is the maximum time the software must take for computation of the requested task or equivalently the slowest computation delay.

4.2. Hardware Synchronization

In contrast to software synchronization, hardware synchronization involves a minimum time that the hardware must wait after making a request to the software. This situation occurs in the execution of periodic tasks, where the start time of two instances of the same tasks must be separated by a minimum time interval. For example, when the software is responsible for digital signal processing, if two instances of the same tasks overlap randomly, then the computation of the first task will be affected by the second one, thus causing a delay in all future outputs. The situation becomes worse when more than two instances of the same task all overlap causing a heavy workload on the processor executing the software. Coverage in this case must ensure that the hardware does not violate the minimum wait time constraints.

Figure 2 shows a hybrid automata model of a hardware synchronization. The hardware and software relative clock-rate ranges were \([5/6, 7/6]\) and \([3/4, 4/5]\), respectively. The model specification was executed using HyTech and the results obtained: hardware synchronization is guaranteed when the parametric condition \(25s_{\text{max}} \geq 24h_{\text{min}}\) is satisfied. Further analytical study shows that if the hardware and software clock-rate ranges were \([h_t, h_u]\) and \([s_t, s_u]\), respectively, then the hardware synchronization is guaranteed only if the following condition is satisfied:

\[ h_u s_{\text{max}} \geq s_u h_{\text{min}} \quad (3) \]

where \(s_{\text{max}}\) is the maximum computation time of the software and \(h_{\text{min}}\) is the minimum wait-time of the hardware.

4.3. Software Concurrency

If a multiprocessor system is within cost constraints for executing the software, a natural question that arises is how many computation processors must be used to speed up software execution in order to cope with hardware requirements and thus guarantee a safe and feasible system. This question can be answered through Software Concurrency Verification (SCC). Software concurrency verification mainly derives parametric conditions that must be satisfied by a \(m\)-processor system \((m \geq 1)\) to ensure a safe system. The clock rates for each configuration of the \(m\)-processor system \((m \geq 1)\) must be estimated. The hardware waits
for some minimum period of time after making a request. By increasing the quantity of processors, the software performance could be improved and thus the results could be produced within the hardware minimum period of time.

Figure 3 shows a hybrid automata model for a system with one hardware and three possible software configurations: 1-processor, 2-processor, and 3-processor systems. The hardware relative clock rate is assumed to be [3/5, 2/3] and that of the software configurations [1/4, 3/7], [1/2, 2/3], and [3/4, 4/5], respectively. A sub-linear increase in computing power of the software configurations is assumed. If \( h_{\text{max}} \) is the maximum hardware wait-time time and 2\( s_{\text{min}} \) is the slowest software computation period, then on running through HyTech either one of the following holds:

- all the three configurations are safe if \( h_{\text{max}} > 3s_{\text{min}} \),
- only the 1-processor system is not safe if \( h_{\text{max}} > 2s_{\text{min}} \), or
- only the 3-processor system is safe if \( h_{\text{max}} > s_{\text{min}} \).

Depending on the particular task at hand, \( h_{\text{max}} \) and 2\( s_{\text{min}} \) could be estimated and the degree of software concurrency obtained through verification.

**4.4. Hardware Concurrency**

In contrast to software concurrency verification, which increases software performance to meet hardware requirements, Hardware Concurrency Verification (HCC) decreases the hardware cost to meet both the cost and software requirements. Often a cheaper, slower hardware could satisfy all timing requirements in an embedded system. Opting for such a hardware could decrease overall system cost, thus leaving more budget for other embedded systems. Hardware concurrency verification derives parametric conditions for each hardware-software configuration and the verification engineer could then decide on one particular configuration that meets the timing requirements.

Figure 4 shows the LHA model of hardware concurrency verification with three hardware configurations \( H_1 \), \( H_2 \), and \( H_3 \) and one software configuration \( S \). The hardware clock rates are respectively [1/4, 3/7], [1/2, 2/3], and \([3/4, 4/5]\) and that of the software is \([3/5, 2/3]\). Suppose that \( h_{\text{min}} = 1 \), \( h_{\text{min}} = 2 \), and \( h_{\text{min}} = 3 \) are the respective minimum time that the hardware configurations must wait (see Hardware Synchronization Verification in Subsection 4.2) and \( s_{\text{max}} \) be the maximum computation time of software. Running this model through HyTech, we obtain the result that the system configurations are safe only if the following conditions are satisfied:

- \( (H_1, S) \) is safe if \( 3h_{\text{min}} < s_{\text{max}} \),
- \( (H_1, S) \) and \( (H_2, S) \) are safe if \( 2h_{\text{min}} < s_{\text{max}} \),
- \( (H_1, S), (H_2, S), \) and \( (H_3, S) \) are all safe if \( h_{\text{min}} < s_{\text{max}} \).

Hence, if in the slowest and cheapest hardware configuration \( (H_1) \) the condition \( 3h_{\text{min}} < s_{\text{max}} \) is met, then we can use \( H_1 \) instead of the costlier \( H_2 \) and \( H_3 \) hardware configurations.

**4.5. Integrated Codesign Alternative Verification**

Integrated Codesign Alternative Verification (ICAV) handles the case of complex embedded systems with more than one hardware architectures and a multiprocessor system for executing the software. Several codesign alternatives may be produced and validated by a codesign methodology. Normally the selection criterion may depend on either the cost (minimum cost) or the performance (maximum throughput) or both (minimum cost-performance ratio). ICAV proposes a new criterion, namely Incompatibility Ratio of Software-Hardware (IRISH), which is defined as the safest ratio of hardware and software clock rates. By a safe ratio, it means that the ratio is either a minimum or a maximum that must be satisfied by an embedded system's
Table 1. ICAV Example

<table>
<thead>
<tr>
<th>HW Clock</th>
<th>SW Clock</th>
<th>C</th>
<th>P</th>
<th>C/P</th>
<th>ρ</th>
</tr>
</thead>
<tbody>
<tr>
<td>C1</td>
<td>3/2, 15/8</td>
<td>3/4, 4/5</td>
<td>1000</td>
<td>100</td>
<td>10.00</td>
</tr>
<tr>
<td>C2</td>
<td>3/2, 15/8</td>
<td>1/2, 5/8</td>
<td>750</td>
<td>80</td>
<td>9.38</td>
</tr>
<tr>
<td>C3</td>
<td>5/6, 7/6</td>
<td>3/4, 4/5</td>
<td>650</td>
<td>60</td>
<td>10.83</td>
</tr>
<tr>
<td>C4</td>
<td>5/6, 7/6</td>
<td>1/2, 5/8</td>
<td>500</td>
<td>50</td>
<td>10.00</td>
</tr>
</tbody>
</table>

C: Cost, P: Performance, ρ: IRIISH

clock rates in order for the system to be safe. IRIISH is a global minimum ratio when there are purely software synchronizations, it is a global maximum ratio when there are purely hardware synchronizations, otherwise it is expressed as a range with its lower bound being the minimum of all locally minimal ratios corresponding to software synchronizations and its upper bound being the maximum of all locally maximal ratios corresponding to hardware synchronizations. This metric achieves a better trade-off between the hardware and the software than the conventional cost-performance ratio because the latter can be deceiving at times when the cost is especially low or the performance has peak bursts.

IRIISH is best illustrated by an example as shown in Fig. 5. There are two hardware alternatives with clock rates [3/2, 15/8] and [5/6, 7/6] and two software alternatives with clock rates [3/4, 4/5] and [1/2, 5/8]. This example is a case of multiple software synchronization. Table 1 shows the four different configurations (C1, C2, C3, C4) achievable by the two hardware and the two software alternatives along with their costs, performance values, and cost-performance ratios. We observe that under different metrics the best design configuration is different:

- C4 has the least cost, but it has a poor performance,
- C1 has the best performance, but it has a high cost,
- C2 has the best cost-performance ratio, but on applying ICAV we found that it has the largest software-hardware incompatibility, that is the highest IRIISH, which means synchronization and other communications could require a large effort, and
- C3 has the least IRIISH, which means that the hardware and the software are the least incompatible and thus achieves a better hardware-software trade-off than the others.

4.6. Software-Hardware-Interface Verification

A new modularized verification strategy called Software-Hardware-Interface Verification (SHIV) is proposed for hardware-software embedded systems. Generally, the software and the hardware of an embedded system communicate either through an interface using communication protocols or through shared memory using synchronization variables. The interface is often explicit and important in an embedded system. The SHIV strategy verifies an embedded system by verifying each part individually, namely the hardware, the software, and the interface. The assume-guarantee principle of formal modular verification [21] is employed in SHIV. In verifying (guaranteeing) the interface, it is assumed that both the hardware and the software themselves are correct. Similarly, the principle is applied to the other two parts: the hardware and the software.

In the context of the linear hybrid automata model, SHIV works as follows. SHIV must perform each of the following steps to verify a system.

- **Software Verification**: The triggering conditions on transitions interconnecting interface and software are assumed to be TRUE. All clock variables are either reset or advanced a period of time depending on the triggering conditions on the above transitions.
- **Hardware Verification**: The triggering conditions on the transitions interconnecting interface and hardware are assumed to be TRUE. All clock variables are either reset or advanced a period of time depending on the triggering conditions on the above transitions.
- **Interface Verification**: The triggering conditions on the transitions interconnecting the interface and the hardware and on the transitions interconnecting the interface and the software are assumed to be TRUE. All clock variables are either reset or advanced a period of time depending on the triggering conditions on the above transitions.

5. Ethernet Bridge Case Study

Besides the five elementary problems presented in the previous section, we had applied our approach to several
real-world systems. An Ethernet Bridge example is presented in this section for illustration. Figure 6 shows the process graph of an Ethernet Bridge [22]. Bridges extend LANs by providing increased length, number of stations, performance, and reliability. They operate below the MAC Service Boundary, and is transparent to protocols operating above the boundary, in the Logical Link Control (LLC). It is assumed as in [22] that the Ethernet LANs operate under the CSMA/CD access method. The basic function performed by bridges are: (1) frame forwarding, (2) learning station addresses, and (3) resolving topology loops with the spanning tree algorithm. The communication estimates given in [22] were transformed into our linear hybrid automata, which is illustrated in Fig. 7.

It was found that if the LHA model in Fig. 7 was directly verified using HyTech, it could not terminate even after modifying the system model as indicated in the HyTech user guide [17]. Finally, the SHV strategy was applied. The decomposed hardware and software LHA are shown in Fig. 8 and the interface LHA in Fig. 9. We present the interface verification which is the most important for a cosynthesis problem. The bridge processing rate was taken as 3000 pps (packets per second) and the hardware area constraint was assumed to be 4000 as in [22].

Given a hardware clock range of $[51/10, 6]$ and a software clock range of $[1/5, 2/5]$, the safety condition was

$$4h_{min} \leq 51s_{max}$$

(4)

For the estimates found in [22], $h_{min}$ is 127 and $s_{max}$ is 10, hence the above equation is satisfied.

Since Equation (4) depends on clock rates, a further analysis shows that if $[h_i, h_u]$ and $[s_i, s_u]$ were the respective hardware and software clock ranges, then the condition

---

Figure 6. Ethernet Bridge: Process Graph

Figure 7. Ethernet Bridge: LHA Model

Figure 8. Ethernet Bridge: HW/SW Models

Figure 9. Ethernet Bridge: Interface Models
would be as follows.

\[ \frac{h_{\text{min}}}{s_{\text{max}}} \leq \frac{h_I}{s_u} \quad \text{or} \quad s_u h_{\text{min}} \leq h_I s_{\text{max}} \]  

(5)

6. Conclusion

A linear hybrid automata model based verification approach was proposed for hardware-software embedded systems. It was shown how different time scales of the hardware and the software and the environment could be handled by the model. Five commonly-found elementary verification problems were presented and solved using the proposed approach. A simplification strategy called SHIV was also proposed for complex systems. Finally, an Ethernet Bridge case study was presented which showed how SHIV could be used to verify a system when the traditional approach failed. Future work will include developing more strategies using the linear hybrid automata model to solve other verification problems.

References


