Verification

Formal-Based Design
and Verification of SoC
Arbitration Protocols: A
Comparative Analysis of
TDMA and Round-Robin
Maroua Ben Slimane Riadh Robbana
University of Carthage, Tunisia Polytechnic School University of Carthage, INSAT

Imene Ben Hafaiedh

University of Tunis El Manar, ISI

SoC design. The TDMA scheduling pol-

Editor’s note: icies have several advantages and they
The article showcases formal modeling and verification of two SoC are particularly suitable for safety-crit-
arbitration protocols. ical architectures because they facili-
—Wen Chen, NXP tate clock synchronization without any
message overhead and support timely
fault detection. The TDMA scheme is
 As System-on-Chips (SoCs) are increasing based on the fixed allocation of a time slot to each
in size and complexity, their validation and verifica- master. Unfortunately, high priority communica-
tion have become important and more difficult to tions in TDMA-based strategies may lead to impor-
achieve. Currently, the most widely used SoC design tant latencies as a time slot may be allocated to a
is typically bus based and consists of shared commu- master which did not ask for it. Such a disadvantage
nication resources managed by dedicated arbiters is encompassed by a well-known arbitration proto-
that are in charge of serializing access requests. That col, namely, the round-robin scheme. In this paper,
is why the communication architecture as well as we propose a formal specification for the design
arbiters design are the backbone of the SoC design and verification of SoC bus arbitration protocols.
and have a large effect on its quality both in terms In particular, we focus on the verification, analysis,
of performance and reliability. Assuming bus-based and comparison of TDMA and round-robin arbiters.
communication architecture, several well-known These design models are traditionally described
arbitration policies have been proposed, such as with hardware tools and environments like Ver-
TDMA [1] and round-robin [2] which are consid- ilog, VHDL, and validation results which are mainly
based only on simulations and test sequences [3],
ered as the most widely used scheduling policies in
[4] and not on f­ormal verification. Indeed, there
Digital Object Identifier 10.1109/MDAT.2017.2713352 exist few published results addressing a thorough
Date of publication: 7 June 2017; date of current version: formal verification of the design of round-robin
13 September 2017. arbiters in an automated way. In [5] and [6], formal

54 2168-2356/17 © 2017 IEEE Copublished by the IEEE CEDA, IEEE CASS, IEEE SSCS, and TTTC IEEE Design&Test
Authorized licensed use limited to: PSG COLLEGE OF TECHNOLOGY. Downloaded on January 03,2024 at 16:59:24 UTC from IEEE Xplore. Restrictions apply.
 v­ erification of the hardware architecture of round-
robin arbiters have been verified using the HOL
tool based on the method of Theorem-Proving.
However, the use of this tool is interactive and the
process of verification has to be done manually by
experts. Moreover, the proofs were not scalable,
which means that, the proofs and validation results
are only valid for the arbiter with 4 × 4 configura-
tion size and, thus, not useful for configurations with
more complex architectures. In [7] and [8], formal
models for the description of TDMA protocols have
been proposed. However, the proposed models are
not scalable and cannot be easily adapted to other
TDMA policies nor extended to a larger number
of masters.
This paper provides a high-level formal model
for the specification of arbitration protocols in a SoC
architecture. The model is specified in particular, for
TDMA and round-robin protocols. However, it can
be easily adapted to different arbitration policies.
Formal verification such as for deadlock freedom is
achieved through model-checking. The implemen-
tation is then automatically generated and different
analysis experiments have been performed.
Preliminaries
In this section, we present a high-level mod-
eling formalism for the description of the TDMA
and round-robin arbitration protocols. We choose
to specify our model using the real-time BIP com-
ponent framework [9]. BIP is a component-based
framework for building real-time systems based on a
rigorous formal semantics that relies on rich interac-
tion models between components [10]. An atomic
component is essentially a timed automation labe-
led by ports used for communication among differ-
ent components.
Definition 1 (Atomic component). An atomic com-
ponent B is defined by the tuple B = (L, P, C, T, tpc),
where L is a finite set of locations, P is a finite set of
ports, C is a set of clocks, and T ⊆ L × (P × G(C) × 2C )
× L is a set of transitions labeled with a port, and a
timing constraint and a subset of clocks to be reset.
tpc: L → G(C ) assigns to each location l ∈ L, a time
progress condition tpcl ∈ G(C). G(C) is the set of
timing constraints that are defined according to the
following grammar: tc := true ∣ false ∣ c ∼ k ∣ tc ∧ tc,
with c ∈ C, k ∈ Z ≥ 0 and ∼∈ {≤, =, ≥}.
September/October 2017
Authorized licensed use limited to: PSG COLLEGE OF TECHNOLOGY. Downloaded on January 03,2024 at 16:59:24 UTC from IEEE Xplore. Restrictions apply.
In practice, an atomic component can be
extended with variables which are used to store local
data. Moreover, each component transition can be
associated with a Boolean condition specifying for
which values of the local variables it is enabled, and an
(internal) update function triggered along with transi-
tion execution which modifies values of variables.
A BIP model is built from a set of n atomic com-
ponents {Bi = (Li, Pi, Ci, Ti, tpci)}i∈[1,n], such that their
respective sets of ports and clocks to be pairwise
disjoint.
Definition 2 (Interaction). An interaction between
atomic components ​​​{​Bi​  ​​}​​  ni=1 ​​​is a subset of ports a ⊆ P,
such that it contains at most one port of every com-
ponent, that is, │a ∩ Pi│ ≤ 1 for all i ∈ {1, …, n}.
Since an interaction a uses at most one port of every
component, we simply denote a = {pi}i∈I , where
I ⊆ {1, …, n} and pi ∈ Pi for all i ∈ I. A component Bi
is participating in a if i ∈ I.
Definition 3 (BIP Model). We denote by B =
γ(B1, …, Bn), the BIP model obtained by applying
a set of interactions γ to the set of atomic compo-
nents { ​​​ ​Bi​  ​​  = ​(​Li​  ​​ , ​Pi​  ​​ , ​Ci​  ​​ , ​Ti​  ​​ , tp​c​ i​​)​}​​  n ​​.​ It is defined
i=1
by the atomic component B = (L, γ, C, Tγ, tpc),
where L = L1 × … × Ln, C = ​​∪​  ni=1 ​​​ Ci, tpc(l ) = ⋀i∈n ​tp​c​ ​li​  ​​​.​​
A ­transition τ = (l, a, tc, r, l′) from l = (11, …, ln) to
l = (1′1, …, l′n) is in Tγ iff (1) a = {pi}i∈I ∈ γ, (2) for all i ∉ I
l′i = li and (3) and there exists transitions τi =(li, pi, tci,
ri, l′i) of Bi, i ∈ I, such that tc = ⋀i∈I tci, r = ⋃i∈I ri.
In BIP, interactions are structured by connectors.
A connector is a macro notation for representing
sets of related interactions in a compact manner. To
specify the set of interactions of a connector, two
types of synchronizations are defined:
• strong synchronization or rendezvous, when the
only interaction of a connector is the maximal one,
that is, it contains all the ports of the connector.
• weak synchronization or broadcast, when inter-
actions are all those containing any port initiat-
ing the broadcast.
To build our model, we use a key notion offered
by the BIP framework, namely, priorities. Priorities
can be defined between interactions to restrict non-
determinism. They allow straightforward modeling
of urgency and scheduling policies for distributed
systems.
55
 Verification
Interactions + Priorities
Figure 1. A formal model of SoC architecture.
Definition 4 (Priority in BIP). A priority order
denoted by < is a strict partial order on the set of
interactions γ. We denote that an interaction a has
lower priority than b by a < b which means that
whenever a and b are possible at the same global
state, then the one with the highest priority (b) will
be executed.
Formal Model for the Specification of
TDMA and Round-Robin Protocols
Based on the notions of BIP already described in
Preliminaries, we first provide a formal specification
of a shared bus topology in SoC. For this purpose, we
define the set of SoC processors as a set of timed BIP
atomic components {P1, P2, … , PN}. As usually, we
do not explicitly model the bus device as it is a pas-
sive device controlled by a bus arbiter. In the case of
a centralized arbitration, a unique arbiter manages
conflicts between processors. As we are intending a
distributed arbitration, a set of local arbiters is mod-
eled, each one associated to a processor and ensur-
ing arbitration by interacting with its peers. It gives its
processor access to the bus when the set of arbiters
agree on that. Similarly, these local arbiters are also
modeled by BIP components {A1, A2, … , AN}.
Any arbitration protocol is then ensured by
communication between these arbiter compo-
nents. Such communications are modeled by BIP
56
Authorized licensed use limited to: PSG COLLEGE OF TECHNOLOGY. Downloaded on January 03,2024 at 16:59:24 UTC from IEEE Xplore. Restrictions apply.
interactions. Arbitration protocols can be easily
achieved by means of BIP interactions between
local arbiters and priority between the correspond-
ing interactions.
Note that the model presented in Figure 1 rep-
resents the basis of the formal specification of any
SoC arbitration protocol. Indeed, for any arbitration
strategy, processors are modeled by the same BIP
components because what define the arbitration
schemes is not processors but arbiters and interac-
tions between them.
Note that, in our model, all connectors relat-
ing an arbiter to its corresponding processor are
rendezvous connectors, which means that the
only feasible interactions of such connectors are
the one requiring synchronization between con-
nected ports.
In our model, when a processor requests the bus
access, it informs its corresponding arbiter by acti-
vating a req port.
Then, the processor is still waiting until its
­arbiter fires the transition labeled by the port go.
Firing the transition go means that the processor is
given the bus access and goes to the state access.
This transition is fired by the arbiter with respect
to the arbitration policy achieved through interac-
tions between the different arbiters. In state access,
a processor starts performing its task, however, as it
IEEE Design&Test
 Figure 2. A formal model of TDMA protocol.
is controlled by its arbiter, two scenarios could be
possible:
• The arbiter can ask the processor to release
the bus when the task is not yet accomplished.
This means that the transition suspend will take
place. The processor will go into the state wait-
ing, where it waits for the next round to continue
the task.
• The arbiter can ask the processor to release the
bus when the task is already accomplished. In
this case, the transition release is fired and the
processor goes back to start state. The behavior
of arbiters and their interactions will be defined
according to the protocol under study. In this
paper, we focus in particular, on the TDMA and
round-robin protocols. For each protocol, we
give the behavior of the corresponding arbiters
and their interactions performed through BIP
connectors. Note that, the behavior of arbiters
and processors is the same for a given protocol,
thus, our model can be easily extended to N com-
ponents. For the sake of readability, we describe
our protocols for the case of only three proces-
sors and their local arbiters. However, experi-
ments and verification results of the section on
formal verification and analysis are performed
on a larger number of components automatically
generated.
September/October 2017
Authorized licensed use limited to: PSG COLLEGE OF TECHNOLOGY. Downloaded on January 03,2024 at 16:59:24 UTC from IEEE Xplore. Restrictions apply.
Formal Model of the TDMA Protocol
The TDMA access scheme is based on the fixed
allocation of a time-slot for each processor. In an
architecture of three processors, the bus bandwidth
is divided into three equal time slots. In each cycle,
a fixed time-slot is allocated to a processor in turn
whether it asks for the bus or not.
As already explained, the protocol strategy is per-
formed via arbiters, which are modeled by the set of
BIP components {A1, A2, A3}. Figure 2 depicts how
these arbiters are related through BIP connectors
and it gives the detailed behavior of an arbiter.
Note that all connectors in our model are ren-
dezvous connectors, which means that their unique
feasible interaction is the one involving all con-
­
nected ports. That is why, in the coming description,
we only use the notion of interaction as it is com-
pletely equivalent to its corresponding connector.
For each Ai, we define two clocks y and x and a
set of variables {Rndi, Pdi, Tfi} where:
• Rndi is initially set to i − 1 and it is updated in
each cycle to (Rndi + 1)mod3. When this varia-
ble reaches the maximum value of 2, the corre-
sponding arbiter gets the bus access.
• Pdi defines the period of time required by Pi to
finish its task. Initially, Pdi is set to 0.
• Tfi: is a boolean variable defining if a task is
­accomplished or not.
57
 Verification

The set of ports of each component defines how the bus to achieve its task, which means that Ai
the corresponding local arbiter interacts with the will suspend Pi by firing the transition suspend.
rest of components. The behavior of an arbiter Ai is • Case 2: the period Pdi is less or equal to the
described as follows: allocated time slot. In such case, the arbiter
Initially in state start, three scenarios could be ­possible: as well as the processor will synchronize on
the release transition and go back to the ini-
• Ai can fire the transition r​ e​q​ ​Ai​  ​​​.​​ This scenario takes tial state.
place when its corresponding processor has a
task to accomplish and thus both Ai and Pi fire Note that, releasing the bus even though Pi does
the interaction {​re​q​ ​Pi​  ​​​​​, r​ e​q​ ​Ai​  ​​​​​}. not finish its task, is ensured by the notion of invari-
• Ai can fire the transition g ​ ran​t​ ​Ai​  ​​​.​​ This scenario ant defined by BIP framework. Indeed, in state access
means that the arbiter gets a bus access, how- of Ai, an invariant Inv = x ≤ TS is defined where TS
ever, its corresponding processor does not have is the value of the allocated time slot, which guaran-
a task to perform. In TDMA policy, even though tees that Ai cannot stay in this state more than a TS
a processor does not ask for the bus, it will be period of time.
given a time slot and no other processor could TDMA arbitration is considered fair in the sense that
access the bus during this period of time. For this it performs the equal division of time among proces-
reason, Ai will go to an idle state, where it waits sors. However, the main problem of this strategy is the
the time slot to expire. Note that each ​gran​t​ ​Ai​  ​​​​​ port wasted-slots. This is the case when a time-slot is reserved
is connected to the ports {updatej}j≠i of the other for a component, which has no pending request.
arbiters. This interaction allows the rest of arbi- The round-robin is an arbitration mechanism
ters to update the value of their corresponding which alleviates the drawback of wasted-slots in the
Rndj variables even though they do not have a TDMA strategy. It can reallocate the available slot to
bus access. Moreover, as in TDMA strategy, arbi- another requesting device.
ters and processors have to synchronize their
clocks, such interaction allows clocks synchroni- Formal Model of Round-Robin Protocol
zation in each cycle. The round-robin arbitration protocol guarantees
• Ai can fire the transition ​updat​e​ ​Ai​  ​​​​​. This transition fairness among components and allows any unused
is fired in each cycle through the set of interac- slot to be reallocated to a component whose round-
{ }
tions ​​{​G​j​  j​  ≠i​​​​}​ = ​ updat​e​ ​Ai​  ​​​​ , ​{ gran​t​ ​Aj​  ​​​​  }​  j∈{1,
​ 2, 3}​ ​​ (see robin turn is later but who is ready now. The round-
j≠i
Figure 2). These interactions allow to update robin protocol works as follows. In each cycle, one
the variable Rnbi of each arbiter according to of the processor Pi (in round-robin order) has the
the formula: Rndi ← (Rndi + 1) mod 3 in each highest priority round of bus access. If a processor
cycle. In waiting state, the arbiter has already Pi does not need the bus in this cycle, the processor​​
performed ​re​q​ ​Ai​  ​​​​​ transition, which means that its P​ ​ji​  ≠j​​​​​ who has a request can be granted the bus and so
corresponding processor asks for the bus. The the time slot reserved to Pi will be reallocated to Pj
arbiter is then waiting for its time-slot allocation. in a round robin fashion. Based on the TDMA formal
When its variable Rndi has the highest value (in model already described, we now propose a formal
this case 2), it will get the bus access and thus model for the round-robin protocol (see Figure 3).
it fires the transition ​gran​t​ ​Ai​  ​​​​​, after which it syn- As already explained, BIP components defining
chronizes with its processor on go transition. If, the set of processors {P1, P2, P3} are kept the same.
however, the value of Rndi is not yet the high- However, the set of modifications affects only the
est round, it fires ​updat​e​ ​Ai​  ​​ ​​​ until it reaches the behavior of arbiters and their interactions. Note that,
desired value. minor changes have been performed, which means
In access state, Ai gets the bus access, means that the proposed model can be easily adapted to
that a time slot is allocated for Pi. Then two cases different arbitration schemes.
must be considered: In the round-robin protocol, there are no wasted
• Case 1: the period Pdi, required by Pi to time-slots. Indeed, when an arbiter Ai gets a bus access
achieve its task, is bigger than the time slot with no pending request, it will give the access to the
allocated. So, it will need multiple access to next arbiter in a round-robin order, which means that

58
Authorized licensed use limited to: PSG COLLEGE OF TECHNOLOGY. Downloaded on January 03,2024 at 16:59:24 UTC from IEEE Xplore. Restrictions apply.
IEEE Design&Test
 Priority Rule :
Figure 3. A formal model of round-robin protocol.
an arbiter Ai which does not have the highest prior-
ity round can access the bus if it requests for it only
when the one with the highest priority does not ask
for the bus. To ensure such a scenario, in our round-
robin model, we use the notion of priority offered by
BIP by defining the following priority rule:
GN < … < G2 < G1 iff Rnd1 > Rnd2 > … > RndN
with Gi = {​gran​t​ ​Ai​  ​​​,​​ {
​​​ updat​e​ ​Aj​  ​​}
​​ ​​  i≠j}
​​​
This rule means that the condition to fire ​gran​t​ ​Ai​  ​​​​​ is
not that Ai has the maximum value of Rndi (which
is the case of the TDMA scheme) but that it has the
maximal value among arbiters asking for the bus.
Another advantage of the round-robin protocol is
that when a processor Pi achieves its task, it releases
the bus even though its allocated time-slot is not yet
expired, which means that the use of the bus in this
case is more efficient than the TDMA policy.
Formal Verification and Analysis
In the previous section, we have described our
models for both the TDMA and the round-robin pro-
tocols. In this section, we perform the formal verifi-
cation of these models to prove their satisfaction of a
set of relevant properties required to guarantee their
correctness.
September/October 2017
Authorized licensed use limited to: PSG COLLEGE OF TECHNOLOGY. Downloaded on January 03,2024 at 16:59:24 UTC from IEEE Xplore. Restrictions apply.
In particular, we use model-checking, which
allows the verification of the correctness of a sys-
tem by checking whether the desired properties
are satisfied in every reachable state of that system.
Moreover, our verification is based on what is called
compositional model-checking which encompasses
the state space explosion problem inherent to mod-
el-checking of timed systems with a large number of
components. To this end, we apply the RTD-Finder
Model-Checker tool of BIP [11] on our models to
verify the correctness of the following properties:
deadlock-freedom, invariant, and mutual-exclusion
(see Figure 4).
Deadlock-Freedom Verification: By applying
the RTD-Finder to our models, we have proven their
deadlock-freedom at a high abstract level with no
need for code generation. Figure 5 gives the time taken
by the model-checker to verify deadlock-freedom for
different set of components. Indeed, our models are
easily extendable to any number of components as all
processors and arbiters have the same behavior.
Extending our models to a large number of com-
ponents provides a way to study at a high-level how
protocols may react in the context of more complex
architectures.
59
 Verification

TABLE 1 Verification time (seconds) for invariant and mutual-exclusion properties for TDMA and
round-robin protocols.

considerably by increasing the number of compo-

nents. Figure 5 shows that the verification of dead-
lock-freedom for the TDMA requires more time than
the round-robin model.
This is due to the additional state idle in TDMA
model and the clock constraint defined in this state
which increases the verification time needed by
RTD-Finder to compute enable states, the clocks
constraints, and the interactions invariant.

Invariant verification: We have also checked a

Figure 4. BIP model from formal verification
to code generation.
Figure 5(a) depicts the number of clocks Clk and
inter-actions Intr for both TDMA and round-robin
models for a large number of components. As both
models (TDMA and round-robin) have the same
structure, the number of defined clocks and inter-
actions are the same for both models. As expected,
the number of clocks and interactions increases
set of invariant properties on our models. Such prop-
erties are very interesting when it comes to real-time
systems. Indeed, they guarantee the respect of a set
of timed-constraints associated with system states. In
the TDMA model, for example, an invariant guaran-
tees that Ai cannot stay in access or idle states more
than a time-slot duration. Similarly, in the round-
robin model, the same invariant is defined for the
access state.
These invariant properties are formally described
using Temporal-Logic as follows:
AG (​acces​s​ ​Ai​  ​​​​​ ⇒ (​​x​ ​Ai​  ​​​​​ ≤ TS))
AG (​​idle​ ​Ai​  ​​​​​ ⇒ (​​x​ ​Ai​  ​​​​​ ≤ TS))
The verification time for the set of invariant prop-
erties is given in Table 1.

(a) (b)

Figure 5. (a) The number of clocks Clk and interactions Intr when increasing the number of
components. (b) Deadlock-freedom time verification for the TDMA and round-robin models.

60 IEEE Design&Test
Authorized licensed use limited to: PSG COLLEGE OF TECHNOLOGY. Downloaded on January 03,2024 at 16:59:24 UTC from IEEE Xplore. Restrictions apply.
 (a) (b)

Figure 6. Performance evaluation of TDMA and round-robin within 30 minutes of real-time executions:
(a) Number of access per processor. (b) Number of accomplished tasks per procesor.

Mutual-Exclusion Verification: We have for- could be easily parameterized. Figure 6 depicts the
mally verified the mutual-exclusion property on number of bus access and accomplished tasks for
bus access. Such a property guarantees that a given each processor within 30 minutes of real-time exe-
protocol cannot assert more than one access at one cutions for both TDMA and round-robin models.
moment and it is formally described as follows: Figure 6(a) shows that the number of access of each
processor to the bus within 30 minutes for the round-
∀ i, j ∈ {1, N}i≠j, AG (acces​​s​ ​Pi​  ​​​​​ ⇒ ¬acces​​s​ ​Pj​  ​​​)​​
robin model is bigger than that of the TDMA case.
This property is proven to be satisfied by our Consequently, and as depicted in Figure 6(b), the
models, for different number of components, and number of accomplished tasks of each processor
the time taken for its verification is given in Table 1. within the same real-time execution of the round-
Once, we have proven formally the correct- robin protocol is bigger than that of the TDMA, which
ness of our models with respect to the set of the proves, as expected, that the round-robin protocol
already given properties using the RTD-Finder mod- is more efficient as it is faster and provides higher
el-checker, more experiments and analysis could be bandwidth than TDMA protocol. This is due to wast-
easily performed using the automatically generated ed-slots (unused-slots) allocated to processors with
codes of our formal models as described in Figure 4. no pending requests in TDMA protocol.
Note that this generated code is proven to be seman- Indeed, as shown in Figure 7, the number of time
tically equivalent to initial models, which means slots which are not used by processors P2 and P3 is
that any properties already checked on the model
still hold on its generated code. Using the executa-
ble code generated by the Real-Time BIP frame-work
[12], real-time executions are run and different set of
experiments are then observed. In particular, we run
a set of real-time executions to compare and evalu-
ate the performance of the TDMA and round-robin
arbitration protocols.
These executions have been run for an archi-
tecture of four processors where the correspond-
ing period Pdi for each processors Pi, is defined as
follows: Pd1 = 30ms, Pd2 = 50ms, Pd3 = 10ms, and
Pd4 = 70ms. We also consider a configuration with
a time slot TS = 25ms and where P1 and P4 always
ask for the bus access unlike P2 and P3 which ask Figure 7. Number of used and wasted-slots per
for it periodically. Note that, any other configuration ­processor of TDMA protocol.

September/October 2017
61
Authorized licensed use limited to: PSG COLLEGE OF TECHNOLOGY. Downloaded on January 03,2024 at 16:59:24 UTC from IEEE Xplore. Restrictions apply.
 Verification
bigger than the rest of processors. This is due to the
fact that P2 and P3 do not always ask for a bus access.
However, in the TDMA policy, they are always given
a time slot whenever their round comes even if they
do not ask for it. However, the round-robin protocol
allows any unused slot to be reallocated to a proces-
sor whose round-robin turn is later but who is asking
for the bus now.
To the present day, much research has been done
to alleviate the TDMA problem and to propose an
optimal time slot value, while considering many fac-
tors. In addition, the weighted and Deficit round-robin
protocols have been proposed to compute a dynamic
time-slot. The main advantages of our proposed formal
model are that it can be easily adapted to new versions
of arbitration protocols. So, we are intending to build
upon our model and to propose formal models for
new variants of TDMA and round-robin or new proto-
cols by only modifying the arbitration strategy which
means the behavior of arbiters and the set of interac-
tions between them. Then, one could formally analyze
performance, verify properties, and compare protocols
easily at a high level of abstraction. Moreover, based
on these formal models, designers could automatically
obtain correct implementation and several experi-
ments could be performed, in particular, for systems
with a large number of components. 
 References
[1] H. Lonn and R. Snedsbol, “Efficient synchronization,
atomic broadcast, and membership agreement in
TDMR protocol,” in Proc. Int. Conf. Parallel Distributed
Syst., 1996, pp. 405–412.
[2] M. O. Gharan and G. N. Khan, “Index-based round-
robin arbiter for NoC routers,” in IEEE Comput. Soc.
Ann. Symp. VLSI, ISVLSI, 2015, pp. 62–67.
[3] J. Jou and Y. Lee, “An optimal round-robin arbiter
design for NoC,” J. Inf. Sci. Eng., vol. 26, no. 6,
pp. 2047–2058, 2010.
[4] J. Ge, “Round-robin arbiter design,” in Proc. Int. Conf.
Comput. Design Conf. Comput. Nanotechnol., 2006,
pp. 24–28.
[5] P. Curzon, “The formal verification of an ATM network,”
in Proc. Thirteenth Ann. ACM Symp. Principles
Distributed Comput., 1994.
[6] V. K. Pisini et al., “Formal hardware verification by
integrating HOL and MDG,” in Proc.Great Lakes
Symp. VLSI, 2000, pp. 23–28.
62
Authorized licensed use limited to: PSG COLLEGE OF TECHNOLOGY. Downloaded on January 03,2024 at 16:59:24 UTC from IEEE Xplore. Restrictions apply.
[7] P. P. Henrik Lnn, “Formal verification of a TDMA
protocol start-up mechanism,” in Proc. Pacific Rim Int.
Symp. Fault-Tolerant Syst., pp. 235–235.
[8] V. F. Rosset, P. Souto, and F. Vasques, “Model-checking
a group membership protocol for TDMA-based
networks with both static and dynamic scheduling,” in
Proc. the European Dependable Comput. Conf., 2006.
[9] A. Basu, M. Bozga, and J. Sifakis, “Modeling
heterogeneous real-time components in BIP,” in
SEFM, 2006, pp. 3–12.
[10] S. Bliudze and J. Sifakis, “The algebra of connectors—
Structuring interaction in BIP,” IEEE Trans. Comput.,
vol. 57, no. 10, 2008.
[11] L. Astefanoaei et al., “Compositional verification for timed
systems based on automatic invariant generation,”
Logical Methods Comput. Sci., vol. 11, 2015.
[12] S. B. Rayana et al., “RTD-Finder: A tool for
compositional verification of real-time component-based
systems,” in Tools and Algorithms for the Construction
and Analysis of Systems, 2016, pp. 394–406.
Maroua Ben Slimane is a PhD student at Tunisia
Polytechnic School (EPT), Tunisia. She received an
MSc in Computer Science from the Higher Institute of
Computer Science of Tunisia. Her research interests
include formal verification of distributed systems.
Contact her at [email protected].
Imene Ben Hafaiedh is an Assistant Professor
at the Higher Institute of Computer Science of
Tunisia. Hafaiedh received a PhD degree in Computer
Science from Grenoble University–Verimag Laboratory,
France, in 2011. Her research interests include
distributed and parallel systems, component-based
design and implementation, model-checking, and
formal verification. Contact her at ben.hafaiedh.imen@
gmail.com.
Riadh Robbana is a Professor at the National
Institute of Applied Sciences and Technologies,
Tunisia. He is the Leader of the Master Group
(Modeling and Analysis of Real-time Systems) at the
LIP2 Laboratory, El Manar University. His research
interests include formal verification and verification
of security protocols. Contact him at riadh.robbana@
gmail.com.
 Direct questions and comments about this article
to Imene Ben Hafaiedh, Higher Institute of Computer
Science of Ariana, Ariana 2080, Tunisia; e-mail: ben.
[email protected].
IEEE Design&Test