Modeling task systems using parameterized partial orders by Houben, F. et al.
PDF hosted at the Radboud Repository of the Radboud University
Nijmegen
 
 
 
 
The following full text is a preprint version which may differ from the publisher's version.
 
 
For additional information about this publication click this link.
http://hdl.handle.net/2066/117109
 
 
 
Please be advised that this information was generated on 2017-12-05 and may be subject to
change.
Modeling Task Systems Using Parameterized Partial Orders
Fred Houben
ASML
Veldhoven, The Netherlands
Email: fred.houben@asml.com
Georgeta Igna
ICIS, MBSD group
Radboud University Nijmegen
Nijmegen, The Netherlands
Email: g.igna@cs.ru.nl
Frits Vaandrager
ICIS, MBSD group
Radboud University Nijmegen
Nijmegen, The Netherlands
Email: f.vaandrager@cs.ru.nl
Abstract—Inspired by work on model-based design of print-
ers, the notion of a parametrized partial order (PPO) was
introduced recently. PPOs are a simple extension of partial
orders, expressive enough to compactly represent large task
graphs with repetitive behavior. We present a translation of the
PPO subclass to timed automata and prove that the transition
system induced by the Uppaal models is isomorphic to the
configuration structure of the original PPO. Moreover, we
report on a series of experiments which demonstrates that the
resulting Uppaal models are more tractable than handcrafted
models of the same systems used in earlier case studies.
Keywords-parameterized partial order; concurrent systems;
timed automata
I. INTRODUCTION
The complexity of today’s real-time embedded systems
and their development trajectories is increasing rapidly. At
the same time, development teams are expected to pro-
duce high-quality and cost-effective products, while meeting
stringent time-to-market constraints. A common challenge
during development is the need to explore extremely large
design spaces, involving multiple metrics of interest (timing,
resource usage, energy usage, or cost). The number of design
parameters (number and type of processing cores, sizes
and organization of memories, interconnect, scheduling and
arbitration policies) is typically very large. Moreover, the
relation between parameter settings and design choices on
the one hand and metrics of interest on the other hand
is often difficult to determine. Given these observations,
real-time embedded system design trajectories require a
systematic approach, that should be automated as far as
possible. To achieve high-quality results, design process and
tooling need to be model-driven.
Many methods and tools for real-time embedded systems
follow the Y-chart pattern [1], [2]. This pattern is based
on the observation that the development of these systems
typically involves the co-development of a set of appli-
cations, a platform, and the mapping of the applications
onto the platform. In the Y-chart pattern, specification of
applications, platforms and mappings are separated. This
allows independent evaluation of various alternatives of one
of these system aspects while fixing the others.
Applications are typically described in terms of task
graphs representing partially ordered sets of tasks. In prac-
tice, we frequently see that certain tasks need to be executed
repetitively, for a finite number of times, and that there exists
a hierarchical relationship between tasks. For instance, a
manufacturing order of a beer brewery consists of several
pallets, containing several crates, each containing several
bottles of beer. Another example concerns a wafer scan-
ner manufacturing system from the semiconductor industry.
Wafers are produced in batches (lots). A wafer scanner
projects a mask on a wafer, using light. Eventually, the
projected masks result in Integrated Circuits (ICs). On one
wafer, multiple ICs and types of ICs are manufactured.
Multiple types of ICs involve multiple masks, and multiple
masks are placed on a reticle. As a final example, we
mention a copier machine, which has to process a certain
number of copies of a file, which in turn consists of
a certain number of pages. Due to the nested, repetitive
behavior, task graphs tend to become very large and no
longer practical for specification and analysis of application
behavior. Following [3], [4], we argue that repetitive task
structure of applications plays an important role in real-
time embedded systems design, and needs to be addressed
in methods for specifying and reasoning about such sys-
tems. Repetitive execution of tasks leads to finite repetitive
patterns in schedules. In practice, execution of the first few
instances and last few instances of a task differ slightly from
the rest. This is a large difference with unlimited repetitive
(’periodic’) behavior, which has received much attention in
the scheduling literature.
Within concurrency theory, several semantic models have
been proposed that are based on partial ordering of events
such as Mazurkiewicz [5] traces, pomsets (partially-ordered
multisets) [6], and event structures [7], but these models
do not incorporate an explicit notion of repetitive events.
Partial orderings of events with repetition can be defined
using Colored Petri Nets [8], [9], but this is an extremely
rich and expressive formalism, which may be considered too
complicated for the task at hand.
The Octopus project has developed a Design-Space Ex-
ploration (DSE) toolset [10] that aims to leverage existing
modeling, analysis, and DSE tools to support model-driven
DSE for real-time embedded systems [11]. The Octopus
toolset is centered on an intermediate representation, DSEIR
(Design-Space Exploration Intermediate Representation), to
capture design alternatives. DSEIR models can be exported
to various analysis tools. This facilitates reuse of mod-
els across tools and provides model consistency between
analyses. The use of an intermediate representation also
supports domain-specific abstractions and reuse of tools
across application domains. The current version of the
Octopus toolset integrates CPN Tools [8], [9] for stochastic
simulation of timed systems, SDF3 [13] for worst-case
throughput calculation, and Uppaal [14] for model checking
and schedule optimization. Inspired by work on model-
based design of printers, the Octopus toolset has introduced
the notion of parametrized partial orders [12]. PPOs are a
simple extension of partial orders, but expressive enough
to compactly represent large task graphs with repetitive
behavior. In DSEIR, applications are represented as PPOs.
This intermediate representation can be translated into the
input formats of CPN Tools and Uppaal. A translation
of PPOs to CPN Tools has recently been described in
[12]. In this paper, we define a restricted version of PPOs
that is more amenable to model checking. Moreover, we
give a translation into timed automata, the semantic model
underlying Uppaal.
Uppaal [14] is a model checker for networks of timed au-
tomata [15]. It has been successfully used in many domains,
e.g. for finding optimal solutions for scheduling problems
[16], performance analysis of real-time distributed systems
[17], [18], protocol verification [19] and controller synthesis
[20]. Within the Octopus project, we aim at harnessing the
verification power of Uppaal for DSE of real-time embedded
systems. We have applied Uppaal for DSE of industrial
printer designs, in particular for computing and optimizing
schedules, latencies, and controller strategies [21], [22], [23].
Although these case studies demonstrate that Uppaal is able
to handle industrial sized designs, the tool is really pushed to
its limits. Therefore, it is crucial to have a translation from
PPOs to Uppaal that is maximally efficient. By unfolding a
PPO into a task graph and introducing a separate automaton
for each task in the unfolding, we obtain a general translation
of PPOs to Uppaal. However, especially when we have
many repetitive events (e.g. print a 300-page document) the
translation becomes intractable.
Based on the observation that in practice the PPOs often
contain tasks that are not auto-concurrent and precedence
relations between task instances obey certain monotonicity
conditions, we define a subclass of PPOs that allows a
more efficient translation. This brings us to the two main
results of this paper: (a) a definition of a PPO subclass
and its translation to Uppaal together with a correctness
proof (the transition system induced by the Uppaal model is
isomorphic to the configuration structure of the PPO), and
(b) a series of experiments which demonstrates that Uppaal
models obtained through this translation are more tractable
than handcrafted models built for a printing system described
in [21].
The structure of this paper is as follows. The next sec-
tion recalls some preliminary definitions regarding labeled
transition systems, the underlying semantic notion used
throughout the paper. Section III defines PPOs and their
semantics, and the translation of a subset of PPOs into
networks of timed automata together with a proof of its
correctness. Section IV explains how this translation is
generalized to general embedded system designs, which
besides an application (modeled as a PPO) also involve a
platform and a mapping. Section V presents performance
evaluation results of models generated by comparing them
with handcrafted Uppaal models presented before in our
papers1. Concluding remarks and future work follow in
Section VI.
II. PRELIMINARIES
We use R≥0 and R>0 to denote the sets of nonnegative
and positive real numbers, respectively, and N to denote the
set of natural numbers.
If X and Y are sets then we write X ↪→ Y for the set
of partial functions from X to Y . Given a partial function
f ∈ X ↪→ Y , we write f(x) ↓ if f(x) is defined, and f(x) ↑
if f(x) is undefined, for x ∈ X .
A labeled transition system (LTS) is a tuple L =
(S, s0,Σ,→), where:
• S is a set of states,
• s0 ∈ S is an initial state,
• Σ is a set of action labels, and
• →⊆ S × Σ× S is a transition relation.
We write s a−→ s′ iff (s, a, s′) ∈→ and s → s′ if there
exists an action a ∈ Σ such that s a−→ s′. A path of L
is a sequence of states pi = s0s1 · · · sn such that, for all
0 ≤ i < n, si → si+1. In this case we say pi is a path from
s0 to sn. A state s ∈ S is reachable in L if there exists a
path from s0 to s.
Two labeled transition systems L1 = (S1, s10,Σ1,→) and
L2 = (S2, s20,Σ2,→) are isomorphic if Σ1 = Σ2 and there
exists a bijective function f : S1 → S2 such that:
• f(s10) = s
2
0 and
• s a−→ s′ ⇔ f(s) a−→ f(s′), for all s, s′ ∈ S1, a ∈ Σ1.
Given an LTS L = (S, s0,Σ,→), we define reach(L) to
be the LTS (S′, s0,Σ,→′), where S′ is the set of reachable
states of L and →′= {(s, a, s′) | s, s′ ∈ S′ ∧ s a−→ s′}.
III. PARAMETERIZED PARTIAL ORDERS
A parametrized partial order (PPO) is a partial order
that comes equipped with some extra structure to capture
repetitive behavior. In [12], a PPO is defined at task level
and assumes a precedence relation between tasks. In this
1The models generated for Section V are available at http://www.mbsd.
cs.ru.nl/publications/papers/fvaan/HIV12.
paper, we view a PPO from a different angle where tasks
are decomposed into events and a PPO imposes a partial
order relation at event level. This perspective allows us
to introduce a subclass of PPOs that can be efficiently
translated into networks of automata, and later in this section
we establish the correctness of this translation.
A. Definition of PPOs
Tasks in a PPO may be executed repeatedly: each task
has a collection of parameters and each valuation of these
parameters defines a task instance. The events in a PPO are
structured and correspond to either the start or the end of a
task instance.
Formally, we assume a universe P of typed variables
called parameters. A valuation of a set P ⊆ P of parameters
is a function that maps each parameter in P to an element
of its domain. We assume that the domain of each parameter
is a nonempty set. We write V (P ) for the set of valuations
of variables in P .
A parameterized partial order (PPO) is a tuple A =
(T ,M, E, U) where
• T is a finite set of tasks. We define the set of event types
by E = {s, e} × T . Projection functions task : E → T
and type : E → {s, e} are given by task((t, T )) = T
and type((t, T )) = t, and embeddings start : T → E
and end : T → E are given by start(T ) = (s, T ) and
end(T ) = (e, T ), with t ∈ {s, e}, and T ∈ T .
• M is a function that assigns to each task T a finite set
of parameters in P; we write V (T ) as a shorthand for
V (M(T )).
• E ⊆ E × E is a set of edges. We require, for each
T ∈ T , (start(T ), end(T )) ∈ E.
• For each edge p = (A,B) ∈ E, U(p) : V (task(A)) ↪→
V (task(B)) is a precedence function. We write A u→ B
if (A,B) ∈ E and U(A,B) = u. We require that the
start of a task instance precedes the end of that instance,
that is, for each task T ∈ T and valuation v ∈ V (T ),
U((start(T ), end(T )))(v) = v.
Below, we present two examples that illustrate how PPOs
can be used to model scheduling applications.
Example 1 (Printer): Figure 1a depicts a part of an ap-
plication encountered in the printer domain (see [21]). There
are three tasks: Scan, ScanIP and Delay, represented by
rectangles. The corresponding start and end event types are
indicated by subrectangles inscribed with s and e. Edges
show the dependencies between event types (the edges from
start to corresponding end are not shown). All three tasks
have one parameter: p of type [0, . . . , L] representing the
number of the current page processed. The constant L ∈ N
is a bound for the parameter p. A precedence function
A
u→ B is represented by a predicate that may contain
both the parameters of task(A) and primed versions of the
parameters of task(B). For instance, the predicate p′ = p+1
on the edge from ScanIP to Scan represents the precedence
Scan[p],
p:[0,L]
es
ScanIP[p],
p:[0,L]
es
Delay[p],
p:[0,L]
es
p' = p p' = p
p' = p
p' = p+1
p' = p+1
p' = p+1
p' = p+1
(a) Printer
Lot[l] es
Wafer[l,w] es
l'=l,
w'=1
l' = l,
w=15
l' = l+1
(w<15 ˄ l'=l ˄ w'=w+1) ˅
(w=15 ˄ l'=l+1 ˄ w'=1)
(b) Wafer production
Figure 1: PPO representation
function that maps a valuation v of the ScanIP parameters to
the unique valuation v′ of the Scan parameters that satisfies
v′(p) = v(p) + 1.
An instance of ScanIP may start as soon as its corre-
sponding instance of Scan has started. These task instances
of Scan and ScanIP may then proceed in parallel. However,
the next instance of Scan may only start after the current
instances of both Scan and ScanIP have ended. Between the
ScanIP and Delay tasks, there is also a dependency: only
after the occurrence of the start event in the ScanIP task,
the start event of the corresponding Delay task may occur.
Example 2 (Wafer production): The PPO displayed in
Figure 1b describes the production of an infinite series of
lots, where each lot is composed of 15 wafers. This example
is inspired by [4]. After the start of each lot, 15 wafer tasks
are executed in sequence, followed by the end of the lot.
B. From PPOs to Configuration Structures
The semantics of a PPO can be described in terms of
a labeled transition system, referred to as the configura-
tion structure of the PPO (see [7], [24]). The states of
a configuration structure are configurations, finite sets of
events that have already occurred. Each transition marks the
occurrence of a single new event for which all the immediate
predecessors have occurred.
Formally, an event is a pair (A, v) where A is an event
type and v ∈ V (task(A)) is a valuation of its task param-
eters. We write ev type((A, v)) = A and task((A, v)) =
task(A). Also, we write ev(A) for the set of events of a
PPO A. We call event (B,w) an immediate predecessor
of event (A, v), notation (B,w) 7→ (A, v), if (B,A) ∈
E ∧ U(B,A)(w) = v.
Let C ⊂ ev(A) and α ∈ ev(A) with α 6∈ C. We say that
C enables α, and write C ` α, if all immediate predecessors
of α are in C.
Let A be a PPO. The set conf(A) of configurations of A
is the smallest subset of the power set ℘(ev(A)) of events
of A such that:
1) ∅ ∈ conf(A),
2) if C ∈ conf(A), and C ` α then C ∪{α} ∈ conf(A).
The configuration structure of A is the LTS C(A) =
(conf(A), ∅, E , ), where (C,A,C ∪ {α}) ∈ iff C ∈
conf(A), ev type(α) = A and C ` α. We write C A C ′
if (C,A,C ′) ∈ . Also, we sometimes write C α C ′ to
denote that C
ev type(α) C ′ and C ′ = C ∪ {α}.
In a PPO there are no conflicts between events: it is
not possible that the occurrence of one event disables the
occurrence of another event. In fact, it is easy to prove that
the set of configurations of a PPO is closed under union: if
C ∈ conf(A) and C ′ ∈ conf(A) then C∪C ′ ∈ conf(A). We
call an event reachable if it occurs in some configuration,
and write rev(A) for the set of reachable events of A. Note
that, since in a PPO we allow cyclic predecessor relations, it
may occur that some (or even all) events are not reachable.
If α and β are in rev(A), we write α ≤A β, if for each
configuration C ∈ conf(A), β ∈ C implies α ∈ C. The
technical lemma below, whose simple proof we omit, states
that the ≤A contains the immediate predecessor relation:
Lemma 1: Let A be a PPO with events α and β such that
α 7→ β. Then β ∈ rev(A) implies α ∈ rev(A) and α ≤A β.
The following lemma, which is again easy to prove, states
that a parametrized partial order (PPO) induces a partial
ordering relation on its (reachable) events.
Lemma 2: Let A be a PPO, then ≤A is a partial order
on rev(A).
C. Restricted PPOs
We explore the behavior of PPOs using the Uppaal model
checker, and for this we need to translate PPOs to the input
language of Uppaal. Here we describe a translation of a
subclass of PPOs in which no two instances of a task can
run concurrently. It is possible to translate arbitrary PPOs
to Uppaal (provided the parameter domains are finite) but
this translation leads to networks of automata that are much
harder to analyze.
We call a PPO A restricted if it satisfies the following
five conditions, for all tasks T and T ′, for all precedence
functions A u→ B with task(A) = T and task(B) = T ′,
and for all valuations v, w ∈ V (T ):
• C0: The only edges between events of the same task
are the one from the start event to the end event, and
the one from the end event to the start event:
task(A) = task(B) ⇒ ((A,B) ∈ E ⇔ A 6= B)
We write next(T ) for the function
U((end(T ), start(T )), and let <T be the least
transitive relation on valuations in V (T ) satisfying
v <T next(T )(v). Write v ≤T w iff v <T w or v = w.
• C1: There is exactly one valuation of the parameters of
T that does not appear in the range of next(T ). This
valuation is referred to as the initial valuation of T ,
and is written v0T .
• C2: next(T ) is injective
• C3: u is only defined for reachable valuations:
u(v) ↓ ⇒ v0T ≤T v
• C4: u is monotonic:
v ≤T w ∧ u(w) ↓ ⇒ u(v) ↓ ∧ u(v) ≤T ′ u(w)
Axioms C0, C1 and C2 impose precedence restrictions
between event instances of the same task that exclude auto-
concurrency. Axiom C0 implies that we have an edge from
the end event type of a task to the corresponding start event
type. Axiom C1 implies that, for each task, there is only one
event that does not depend on some other event of the same
task: necessarily this is going to be the first event of the task
that will occur. Axiom C2 implies that each event of a task,
except the initial one, has a unique immediate predecessor
event that belongs to the same task. Axioms C0-C2 still
allow cyclic precedence edges between events of the same
task, but axiom C3 implies that u is not defined for such
“ghost events”. Axiom C4, finally, states that a precedence
function that links events of different tasks is monotonic w.r.t
the event ordering within tasks. The reader may check that
the PPOs of Examples 1 and 2 are restricted.
Lemma 3: Let A be a restricted PPO with task T and
valuation v. Then
1) (end(T ), v) ∈ rev(A) implies (start(T ), v) ∈ rev(A)
and (start(T ), v) ≤A (end(T ), v).
2) (start(T ), next(T )(v)) ∈ rev(A) implies
(end(T ), v) ∈ rev(A) and (end(T ), v) ≤A
(start(T ), next(T )(v)).
3) ≤A is a total ordering on the set {α ∈ rev(A) |
task(α) = T} of reachable events of T .
D. From Restricted PPOs to Networks of Automata
We will show how each restricted PPO can be translated
into a Uppaal-style parallel composition of a number of
automata in such a way that (the reachable part of) the LTS
induced by the composition of these automata is isomorphic
to the configuration structure of the PPO. We refer the reader
to [14] for an introduction to Uppaal.
Let A be a PPO as above. We define N (A) to be the LTS
induced by the parallel composition of the Uppaal template
displayed in Figure 2, for each task T ∈ T . Below we
explain the various predicates and functions occurring in
Figure 2. The composed system N (A) has the following
set of global shared variables:
{T.p, loc[T ], done[T ] | T ∈ T ∧ p ∈M(T )}.
Variable loc[T ] records the current location of the task
automaton for T , which can be either L1 or L2. Boolean
!done[T] &&
dep_met(start(T))
update()
end(T)? start(T)!
L1
L2
dep_met(end(T))
Figure 2: Automaton for task T
variable done[T ] records whether the last event of T has
been executed. Since different tasks may use the same
parameter names, we make a copy T.p of each parameter
p ∈M(T ). As long as task T has not yet been completed,
variable T.p gives the value of p in the next event of T
that will occur. Variable loc[T ] is initialized to L1, variable
done[T ] is initialized to false, and variable T.p is initialized
to v0T (p), for each parameter p ∈M(T ).
For a given state of the automaton for task T , let function
val(T ) return the current valuation of the parameters of task
T . For each event type A with task(A) = T , function
done(A) returns true iff the last event of A has occurred:
done(A) = done[T ] ∨ (loc[T ] = L2 ∧
type(A) = s ∧ next(T )(val(T )) ↑)
If the last event of A has not occurred, function next(A)
gives the valuation of the parameters for the next event of
A:
next(A)=
{
next(T )(val(T )), if loc[T ] = L2 ∧ type(A) = s
val(T ) , otherwise
Suppose that the last event of type A has not occurred, then
in order to decide whether the next event of A may occur, we
check for each incoming precedence edge B u→ A whether
the dependency induced by that edge has been met:
dep met(A) = ∀B, u : B u→ A ∧ task(B) 6= task(A) =⇒
dep met(B, u,A)
Note that the task automaton already takes care of the de-
pendencies induced by precedence functions between pairs
of start and end events of T . In order to decide whether
the dependencies induced by B u→ A are met, we first
check if done(B) evaluates to true. If so then all events
of B have occurred and hence all dependencies induced by
B
u→ A have been met. Next we check whether u(next(B))
is defined. If not then, by monotonicity, all dependencies
induced by B u→ A have been met. Finally, we check
whether next(A) precedes u(next(B)). If so, then for any
immediate predecessor of next(A), that is, for any parameter
valuation v of B with u(v) = next(A), monotonicity implies
v < next(B). Formally,
dep met(B, u,A) = done(B) ∨ u(next(B)) ↑
∨ next(A) <T u(next(B))
Finally, function update() sets done[T ] to true if the last
event for task T has occurred, and otherwise updates the
parameters of T according to function next(T ).
Lemma 4: For all reachable states s of N (A) and for all
tasks T ∈ T , the following invariant properties hold:
1) v0T ≤T s.val(T )
2) s.done[T ]⇒ next(T )(s.val(T )) ↑
3) s.done[T ]⇒ s.loc[T ] = L1
Proof: Straightforward by induction on the length of
the shortest path leading to s.
Theorem 1: Let A be a PPO. Then LTSs C(A) and
reach(N (A)) are isomorphic.
Proof: Let N (A) = (S, s0, E ,→). If s ∈ S is a state
and e is an expression containing variables of N (A), then
we write s.e for the result of evaluating expression e in
state s. For each event type A ∈ E , we define a function
<A : S → 2ev(A) that associates to each state of N (A) a
set of events of type A. Intuitively, this is the set of events of
type A that have occurred before reaching state s. Suppose
task(A) = T . Then
<A(s) = if s.done(A) then
{(A, v) ∈ ev(A) | v ≤T s.val(T )}
else
{(A, v) ∈ ev(A) | v <T s.next(A)}
fi
Let function < : S → 2ev(A) be defined by:
<(s) =
⋃
A∈E
<A(s)
We will prove that < is an isomorphism from reach(N (A))
to C(A).
Claim 1. <(s0) = ∅.
Proof: Let A be an event type. Let task(A) = T .
By definition of s0 we have s0.done(A) = false and
s0.next(A) = v
0
T . Hence, by definition of <A, <A(s0) =
{(A, v) | v <T v0T }. But since, by condition C1, v0T does
not appear in the range of next(T ), there exists no v such
that v <T v0T . Hence <A(s0) = ∅. Since A was chosen
arbitrarily, it follows that also <(s0) = ∅.
Claim 2. If s is a reachable state and s A−→ s′ then <(s) `
(A, s.val(T )).
Proof: Let v = s.val(T ). Assume that s A−→ s′ and
assume that (B,w) is an immediate predecessor of (A, v).
It suffices to prove that (B,w) ∈ <B(s).
If task(B) = task(A) and A = start(T ) then, by C0, B =
end(T ) and next(T )(w) = v. Since s A−→ s′, s.done[T ] =
false. This implies s.done(B) = false. Also s.next(B) =
s.val(T ) = v. We infer that
<B(s) = {(B, x) ∈ ev(A) | x <T v}
Since w <T v it follows that (B,w) ∈ <B(s), as required.
If task(B) = task(A) and A = end(T ) then B =
start(T ) and w = v. If s.done(B) holds then (B,w) ∈
<B(s) and we are done. If s.done(B) does not hold then
next(T )(val(T ))) ↓ and next(B) = next(T )(val(T ))). It
follows that (B,w) ∈ <B(s).
We may therefore assume that task(B) 6= task(A). Let
U(B,A) = u and task(B) = T ′. Then u(w) = v. Since
s
A−→ s′, s.dep met(B, u,A) holds. This means that one of
the following three cases applies:
• s.done(B).
Using the first invariant of Lemma 4, we infer v0T ′ ≤T ′
s.val(T ′). Using the second invariant of Lemma 4, we
infer that next(T ′)(s.val(T ′)) ↑. Condition C3 implies
that v0T ′ ≤T ′ w. It follows that w ≤T ′ s.val(T ′). Hence
(B,w) ∈ <B(s), as required.
• s.done(B) = false and u(s.next(B)) ↑.
By monotonicity imposed by condition C4, we do not
have s.next(B) <T ′ w. Condition C3 implies v0T ′ ≤T ′
w, and Lemma 4 implies v0T ′ ≤T ′ s.next(B). Hence
w <T ′ s.next(B) and thus (B,w) ∈ <B(s).
• s.next(A) <T u(s.next(B)).
Since s A−→ s′, s.next(A) = s.val(T ) = v. As in the
previous case, we use conditions C3, C4 and Lemma 4
to argue that w <T ′ s.next(B), and thus (B,w) ∈
<B(s).
Claim 3. If s A−→ s′ then <(s′) = <(s)∪{(A, s.val(T ))}.
Proof: Assume s A−→ s′. It is easy to check that for all
event types B with task(B) 6= task(A), <B(s′) = <B(s).
Let : E → E be the function given by start(T ) = end(T )
and end(T ) = start(T ), for all T . We claim that <A(s′) =
<A(s)∪{(A, s.val(T ))} and <A(s′) = <A(s). We consider
four cases:
• A = start(T ) and next(T )(s.val(T )) ↑.
Since s A−→ s′, s.next(A) = s.val(T ) and s.done(A) =
false. Hence
<A(s) = {(A, v) ∈ ev(A) | v <T s.val(T )}
Since s A−→ s′, s′.loc[T ] = L2 and s′.val(T ) =
s.val(T ). Thus next(T )(s′.val(T )) ↑ and s′.done(A).
Hence
<A(s′) = {(A, v) ∈ ev(A) | v ≤T s.val(T )}
Thus <A(s′) = <A(s) ∪ {(A, s.val(T ))}. Since s A−→
s′, s.done(end(T )) = false and s′.done(end(T )) =
false. Moreover s′.next(end(T )) = s.next(end(T )) =
s.val(T ). Hence
<A(s′) = <A(s)
= {(A, v) ∈ ev(A) | v <T s.val(T )}
• A = start(T ) and next(T )(s.val(T )) ↓.
Since s A−→ s′, s.next(A) = s.val(T ) and s.done(A) =
false. Hence
<A(s) = {(A, v) ∈ ev(A) | v <T s.val(T )}
Since s A−→ s′, s′.loc[T ] = L2 and s′.val(T ) =
s.val(T ). Thus next(T )(s′.val(T )) ↓, s′.done(A) =
false, and s′.next(A) = next(T )(s′.val(T )). Hence
<A(s′) = {(A, v) ∈ ev(A) | v <T next(T )(s.val(T ))}
By C2, <A(s′) = <A(s)∪{(A, s.val(T ))}. Since s A−→
s′, s.done(end(T )) = false and s′.done(end(T )) =
false. Moreover s′.next(end(T )) = s.next(end(T )) =
s.val(T ). Hence
<A(s′) = <A(s)
= {(A, v) ∈ ev(A) | v <T s.val(T )}
• A = end(T ) and next(T )(s.val(T )) ↑.
Since s A−→ s′, done(A) = false and s.next(A) =
s.val(T ). Hence
<A(s) = {(A, v) ∈ ev(A) | v <T s.val(T )}
Moreover, s′.done[T ], s′.done(A) and s′.val(T ) =
s.val(T ). Hence
<A(s′) = {(A, v) ∈ ev(A) | v ≤T s.val(T )}
Thus <A(s′) = <A(s) ∪ {(A, s.val(T ))}. By the
assumptions, s.done(A). We can also infer s′.done(A).
Hence
<A(s′) = <A(s)
= {(A, v) ∈ ev(A) | v ≤T s.val(T )}
• A = end(T ) and next(T )(s.val(T )) ↓.
Since s A−→ s′, done(A) = false and s.next(A) =
s.val(T ). Hence
<A(s) = {(A, v) ∈ ev(A) | v <T s.val(T )}
Moreover, s′.done(A) = false, s′.next(A) = s′.val(T )
and s′.val(T ) = next(T )(s.val(T )). Hence
<A(s′) = {(A, v) ∈ ev(A) | v <T next(T )(s.val(T ))}
By C2, <A(s′) = <A(s)∪ {(A, s.val(T ))}. By the as-
sumptions, s.done(A) = false and s′.done(A) = false.
Moreover
s.next(A) = next(T )(s.val(T )) = s′.val(T ) = s′.next(A)
This implies
<A(s′) = <A(s)
It follows that <(s′) = <(s) ∪ {(A, s.val(T ))}.
Claim 4. If s is a reachable state of N (A) then <(s) ∈
conf(A).
Proof: Straightforward, by induction on the length of
the shortest path to s, using Claims 1-3.
Claim 5. If s, s′ are reachable states of N (A) and s A−→ s′
then <(s) A <(s′).
Proof: Straightforward, by combining Claims 2, 3 and
4.
In order to prove that < is bijective, we define an inverse
function S that maps configurations of A to states of N (A).
Let C be a configuration and let T be a task. Write CT for
the subset of C of events of type T . We consider four cases:
1) If CT = ∅ then variable loc[T ] is set to L1, variable
done[T ] is set to false, and variable T.p is set to v0T (p),
for each parameter p ∈M(T ).
2) If CT 6= ∅ and the unique maximal event of CT (cf
Lemma 3) is of the form (start(T ), v), then variable
loc[T ] is set to L2, variable done[T ] is set to false,
and variable T.p is set to v(p), for each parameter
p ∈M(T ).
3) If CT 6= ∅, the unique maximal event of CT is of
the form (end(T ), v) and next(T )(v) ↓, then variable
loc[T ] is set to L1, variable done[T ] is set to false,
and variable T.p is set to next(T )(v)(p), for each
parameter p ∈M(T ).
4) If CT 6= ∅, the unique maximal event of CT is of
the form (end(T ), v) and next(T )(v) ↑, then variable
loc[T ] is set to L1, variable done[T ] is set to true,
and variable T.p is set to v(p), for each parameter
p ∈M(T ).
The following claim directly implies that < is injective.
Claim 6. For each reachable state s of network N (A),
S(<(s)) = s.
Proof: Assume s is a reachable state of N (A). Let C =
<(s) and s′ = S(C). We must prove s′ = s. Assume T ∈
T . It suffices to prove, s′.val(T ) = s.val(T ), s′.loc[T ] =
s′.loc[T ] and s′.done[T ] = s′.done[T ]. Let A = start(T )
and B = end(T ). We consider 5 cases:
1) s.done[T ] = false and s.loc[T ] = L1 and s.val(T ) =
v0T . Then, by Claim 1, C = ∅. Hence, also CT = ∅.
By definition of S, s′.loc[T ] = L1, s′.done[T ] = false
and s′.val[T ] = v0T . Thus, s
′ = s, as required.
2) s.done[T ] = false and s.loc[T ] = L1 and s.val(T ) 6=
v0T . Then s.done(A) = s.done(B) = false, so
CT = {(A, v), (B, v) | v ≤T s.val(T )}.
By Lemma 4, v0T ≤T s.val(T ). Hence, by assumption
s.val(T ) 6= v0T , v0T <T s.V al(T ). Thus CT 6= ∅ and
the unique maximal event of CT is of the form (B,w)
with next(T )(w) = s.val(T )). By definition of S,
s′.loc[T ] = L1, s′.done[T ] = false and s′.val[T ] =
s.val[T ]. Thus, s′ = s, as required.
3) s.done[T ] = false, s.loc[T ] = L2 and
next(T )(s.val(T )) ↑. Then s.done(A) = true
and s.done(B) = false, so CT = {(A, v) |
v ≤T s.val(T )} ∪ {(B, v) | v <T s.val(T )}.
Thus CT 6= ∅ and the unique maximal event
of CT is (A, s.val(T )). Hence, by definition
of S, s′.loc[T ] = L2, s′.done[T ] = false and
s′.val[T ] = s.val[T ]. Thus, s′ = s, as required.
4) s.done[T ] = false, s.loc[T ] = L2 and
next(T )(s.val(T )) ↓. Then s.done(A) =
s.done(B) = false and
CT = {(A, v) | v <T next(T )(s.val(T ))}
∪{(B, v) | v <T s.val(T )}
Thus CT 6= ∅ and the unique maximal event of CT is
(A, s.val(T )). Hence, by definition of S, s′.loc[T ] =
L2, s′.done[T ] = false and s′.val[T ] = s.val[T ]. Thus,
s′ = s, as required.
5) s.done[T ] = true. Then, by definition of <, CT =
{(A, v), (B, v) | v ≤T s.val(T )}. Hence CT 6= ∅ and
the unique maximal event of CT is (B, s.val(T )). By
Lemma 4, next(T )(s.val(T )) ↑ and s.loc[T ] = L1. By
definition of S, s′.loc[T ] = L1, s′done[T ] = true and
s′.val[T ] = s.val[T ]. Thus s′ = s, as required.
Claim 7. If s is reachable, <(s) = C, C A C ′ and
s′ = S(C ′) then s A−→ s′.
Proof: By Claim 6, S(C) = s. Let task(A) = T .
Since C A C ′, s.done[T ] = false. Hence, in order to
prove that s enables an A-transition, it suffices to establish
that dep met(A) holds in s. For this, in turn, it suffices
to prove, for any incoming precedence edge B u→ A with
task(B) 6= task(A), that dep met(B, u,A) holds in s. Let
C ′ = C ∪{α} with α = (A, v). Since C ` α, all immediate
predecessors of α are in C. Let B u→ A be a precedence
edge of A and let task(B) = T ′. We consider the following
cases:
• CT ′ = ∅
Since C contains all immediate predecessors of α, there
exists no event (B,w) such that U(B,A)(w) = v.
Since CT ′ = ∅, then s.done[T ′] = false and s.loc[T ′] =
L1, it means that s.done(B) = false. Knowing that
B
u→ A and s.done(B) = false, the next event of
type B, namely β = (B, v0T ′) will occur in future. If
u(next(B)) ↓ and β is not an immediate predecessor
of α, it follows that v < u(next(B)), meaning that
dep met(B, u,A) holds in s. If u(next(B)) ↑, by
the second case in the definition of dep met(B, u,A),
dep met(B, u,A) is true in s.
• CT ′ 6= ∅ and (B,w) is the unique maximal event of
CT ′ of the form (end(T ), w) with next(T ′)(w) ↑. This
implies that s.done[T ′] = true and that s.done(B)
holds, therefore dep met(B, u,A) holds is s.
• CT ′ 6= ∅ and (B,w) is the unique maximal event of
CT ′ where next(T ′)(w) ↓ and u(s.next(B)) ↑. This
means that the second condition in the definition of
dep met(B, u,A) is true, meaning that
dep met(B, u,A) holds is s.
setReleaseRequest(T),
update(), cWork=Work
greedyClaim!
lazyClaim!
cWork=(cWork−cPace*i)>? 0,
cPace = Pace(T), x=0
setClaimRequest(T),
x=0,cPace = Pace(T)
setClaimRequest(T),
x=0,cPace = Pace(T)
throttle!
release!
i:int[0,size] cPace>0 imply x <= divide(cWork,cPace)
!done[T] &&
dep_met(start(T))&&
canClaim(T)&&
!greedy
Pace(T)!=cPace
!done[T]&&
dep_met(start(T))&&
canClaim(T)&&greedy
Update
L2
i<=x && (i+1)>x
L1
dep_met(end(T)) &&
cPace==Pace(T) && 
cPace>0 &&
x >= divide(cWork,cPace)
Figure 3: Task Template
L
release?
resource_cap[id]+=resMessages[id],
resMessages[id]=0
greedyClaim?
resource_cap[id]-=resMessages[id],
resMessages[id]=0
lazyClaim?
resource_cap[id]-=resMessages[id],
resMessages[id]=0
Figure 4: Resource template
• CT ′ 6= ∅ and (B,w) is the unique maximal event of
CT ′ where next(T ′)(w) ↓ and u(s.next(B)) ↓. Since
u(B,A)(w) = v it means that u(s.next(B)) 6=T v, and
by C4, we have that u(w) <T u(s.next(B)), therefore
dep met(B, u,A) holds in s.
We conclude that s enables an A-transition. Suppose s A−→
s′′. Then, by Claim 5, <(s) A <(s′′). Since C has only
one outgoing A-transition, <(s′′) = C ′. Hence, by Claim 6,
s′′ = s′, as required.
Claim 8. < is a bijection from the reachable states of
N (A) to conf(A).
Proof: Straightforward using Claims 1, 4, 6 and 7.
The theorem now follows by combination of the claims.
IV. GENERATED UPPAAL MODELS
As mentioned in the introduction, we have developed a
toolset for exploring embedded system designs, that is cen-
tered around an intermediate, Y-chart based representation.
In this representation, a system is described as a combi-
nation of three modules: applications, platform and one of
their possible mappings. Applications are described as PPOs
and the platform as a collection of resources. Each resource
is characterized by two parameters: total capacity and pace
per time unit. The latter parameter might change during task
execution e.g. the pace of a bus depends on the number of
tasks that use the bus at some point in time. In this pattern,
the mapping module contains details about the number of
resources that some tasks claim and release at the beginning
and at the end of their execution, respectively.
The generated Uppaal models have a simple structure:
each task and resource that appears in the Y-chart represen-
tation instantiates a task template or a resource template,
respectively, that we detail below.
The task template shown in Figure 3 is an extended
version of the untimed task template of Figure 2. The
template is enriched with timing and resource constraints
like a variable Work for the total amount of work that should
be processed and a function Pace(T) which returns the pace
at which the data is being processed, that depends on the
pace of the resources claimed.
Formally, the templates of Figures 2 and 3 can be related
through the notion of a timed step simulation introduced in
[25]. Since timed step simulations are compositional [25],
we can associate to any reachable state of our timed model a
configuration of the PPO that represents the application part
of it. Note however that, due to the imposed timing con-
straints, certain configurations of a PPO cannot be reached
in the timed setting.
In Figure 3, the transitions from L1 to L2 encode a start
event, and the reverse transition encodes an end event. A
start event can occur if variable done evaluates to false,
meaning that the last start event has not occurred yet, the
dependencies induced by the event precedence functions
are satisfied (the dep met function), and all the resources
claimed have enough capacity available to process the task
(the canClaim condition). Tasks are scheduled using either
a greedy or a lazy policy. If a resource changes its pace,
then a throttle channel is urgently enabled in each task
automaton that uses the resource at that moment. On the
transition between Update and L2 locations, the remaining
amount of work is computed (parameter cWork) and also
the task pace (variable cPace) is updated. For these updates,
a select statement is used in order to under-approximate the
time elapsed from the latest pace modification recorded by
the clock x (of real type) to the closest integer (variable i)
below this value. This approximation is necessary because
clock variables cannot be utilized in expressions. Finally,
the transition from L2 to L1 location, which encodes an
end event, will fire when the dependencies of the end event
are satisfied (dep met(end(T))) and the task duration has
elapsed, that is computed by the remaining work divided by
the current pace. Moreover, valuation of the parameters of
next task instance is computed on this transition.
The resource template has a simpler structure as shown
in Figure 4. The transitions with the greedyClaim and
lazyClaim channels fire at the occurrence of a start event,
whereas the transition with the release channel fires when an
end event occurs. The channels in this template are broadcast
which implies that all resources that instantiate this, interact
with any task where an event occurs. The resMessages array
is shared between tasks and resources, and it is updated
by a task in the setClaimRequest and setReleaseRequest
functions with the amount of resource capacities claimed or
Figure 5: Oce´ printer architecture
released, respectively. At the occurrence of an event in a
task, the resources that are used by the task have a non-
zero value placed at their position in the resMessages array.
Further, they subtract or add this value from their available
current capacity.
V. EXPERIMENTS
We now turn to an experimental evaluation of Uppaal
models generated from Y-chart based representations that
use the PPO theory. We compare these models with hand-
crafted models that have been presented in [21], built for
printing systems. In the handcrafted models, each application
has been modeled as a single automaton that contains all
its component tasks. This way of modeling is more natural
for design engineers but less efficient to analyze as we see
further. All the experiments are performed with Uppaal,
version 4.1.2, on a Sun Fire X4440 server with 16 cores
(AMD Opteron 8356, 2.3GHz) and 128 Gb of DDR2 RAM.
The printer architecture is depicted in Figure 5.
The cases explored here are depicted in Figures 6, 7 and
8. We use the same notation as in Figure 1. In addition, the
rectangles contain, between parentheses, the task durations.
The labels on the arrows specify the precedence function and
the resources handed over. The circles encode resources and
within parentheses their maximum capacity is listed (one
by default). The dashed lines represent resource claims. The
difference between the amount claimed and what is handed
over is released at the end of a task.
In each experiment we computed the fastest time in which
all tasks are completed (also called makespan) by using
greedy scheduling. Three performance metrics were used
to evaluate each experiment: the peak memory usage (the
’Mem’ column) and running time (the ’Time’ column) of
Uppaal, and the total number of states explored. Table I gives
the comparison results for the Direct Copy application in
parallel with the Simple Print and Table II shows the Direct
Copy case in parallel with Process from Store. The first two
columns in each table indicate how many task instances are
processed in total for each component task of an application.
To combat state space explosion, we used the sweep
line method of Uppaal [26]. For this, each model was
IP2[p]
(3s)
es
Download[p]
(dynamic)
es
Upload[p]
(dynamic)
es
RAM
(96MB)
USB down
(4Mb/s)
IP2
USB up
(4Mb/s)
24MB
p' = p
RAM 12MB
1
4Mb/s
4Mb/s
p' = p
RAM 24MB
IP1[p]
(3s)
esIP1
1
p' = p
RAM 24MB
Figure 6: Process from Store
Download[p]
(dynamic)
es
Print[p]
(4s)
es
RAM
(96MB)
USB down
(4Mb/s)
PrintIP
12MB
4MB/s
1
p' = p
RAM12MB
Figure 7: Simple Print
ScanRec[p]
(1s)
es
Scan[p]
(6s)
es
IP1[p]
(3s)
es
IP2[p]
(3s)
es
ScanIP[p]
(6s)
es
Upload[p]
(dynamic)
es
Delay[p]
(3s)
es
      p' = p
RAM 48MB p' = p
p' = p
Scanner 1
RelMem[p]
(0s)
es
p' = p
p' = p
RAM 48MB
Print[p]
(4s)
es
RAM
(96MB)
Scanner
ScanIP
IP1
IP2
USB up
(4Mb/s)
p' = p
p' = p
p' = p
PrintIP
p' = p
p' = p
p' = p
RAM 12MB
1
1
48MB
p' = p
RAM 48MB
p' = p+1
1
4Mb/s
1
1
p' = p+1
Figure 8: Direct Copy
Table I: Direct Copy(DC) ‖ Simple Print(SP) Case - Com-
parison Handcrafted Models(grey) vs. Generated Models
(O.M. - out of memory)
DC SP Mem Time Make- States
(KB) (s) span(s) Explored
2 3 4500 0.50 23 1130
5432 0.60 23 413
7 10 5480 1.60 71 10578
5748 1.60 71 3050
35 50 12808 11.31 367 149926
9572 17.00 367 48196
70 100 26568 27.92 737 433816
18480 51.42 737 155491
334 500 598996 279.70 3585 6843592
282732 961.98 3585 3038099
667 1000 2321768 1304.87 7166 25206064
1076552 3964.64 7166 11704000
903 1355 4165896 1937.88 9705 45225661
1962576 7805.70 9705 21272017
904 1356 O.M. O.M. O.M. O.M.
1965192 7655.01 9715 21302397
1460 1960 O.M. O.M. O.M. O.M.
4052524 18199.70 15117 44117751
Table II: Direct Copy(DC) ‖ Process from Store (PFS)
Case - Comparison Handcrafted Models(grey) vs. Generated
Models (O.M. - out of memory)
DC PFS Mem Time Make- States
(KB) (s) span(s) Explored
1 2 4456 0.40 15 704
5916 0.60 15 411
10 20 7540 4.10 114 47551
7332 7.90 114 20118
25 50 21352 19.51 279 334606
14420 48.03 279 135453
120 240 586172 384.66 1324 8255421
244920 1122.34 1324 3269408
240 480 2555392 1857.78 2644 33327861
1008512 4824.23 2644 13162088
303 606 4077452 2419.45 3337 53223828
1573952 8196.21 3337 21007415
304 608 O.M. O.M. O.M. O.M.
1583572 8155.78 3348 21146664
480 960 O.M. O.M. O.M. O.M.
4057584 23394.71 5284 52819448
annotated with progress measures (i.e. task instance) that
Uppaal uses during the analysis to store only the states where
the progress measures are weakly monotonically increasing,
or occasionally decreasing.
The state space of the generated models is significantly
smaller than the state space of the handcrafted models
(reduced between 41% and 71%). There are two causes
that lead to the large difference in the number of states
explored during the analysis of the two models. Firstly, the
resource template of the handcrafted models has three states:
Idle, Running and one to model a recovery phase that some
resources like Scanner require. In the generated models,
the recovery phase is modeled as an additional task. The
other cause is the tasks that need more than one resource
for processing. In the generated models, one can easily
model multi-resource claims using broadcast channels and a
shared array, as explained in Section IV. By contrast, in the
handcrafted models, a multi-resource claim was modeled by
third party automata. These automata were placed between
the application automata and resource automata. For each
resource required, we added an extra third party automaton.
This extra automaton registers the claim to the resource
automaton then it waits for the resource automaton to
become available. When it is available it sends the request.
On completion of the processing, it sends an end event to
the application automaton.
Tables I and II also show up to a 61% decrease in
the peak memory used by Uppaal during the analysis.
However, analysis of the generated models requires more
time. This happens due to the parametric representation that
characterizes the generated models where a lot of details
were encoded into functions. Some of these functions require
a lot of time to be evaluated due to the conditions or function
calls that they incorporate.
VI. CONCLUSIONS
PPOs are a simple extension of partial orders, but expres-
sive enough to compactly represent large task graphs with
repetitive behavior. We have presented a translation from
a subclass of PPOs to Uppaal, together with a correctness
proof that the transition system induced by a Uppaal model
is isomorphic to the configuration structure of a PPO.
We also presented experiments which demonstrate that the
Uppaal models obtained through this translation are more
tractable than handcrafted models of the same systems used
in earlier case studies.
As explained in this paper, when the applications (use
cases) of a real-time embedded system design are described
using PPOs, then we have a well-defined partial order
structure on the corresponding events. Due to competition
for resources and timing constraints, only a fragment of all
the interleavings of this partial order will be possible in the
full system model. Nevertheless, it will be interesting to see
if partial order reduction techniques [27], [28] will allow us
to exploit the inherent structure of PPOs to alleviate the state
space explosion problem when analyzing the full system
model.
Another interesting topic for future research is to adapt
the results of [4] to the PPO settings. This approach reduces
the complexity of scheduling problems by exploiting the
repetitive structure of tasks: it reduces a scheduling problem
to a problem containing a minimal number of identical repe-
titions, and after solving this smaller problem, the computed
schedule is expanded to a schedule for the original, more
complex scheduling problem.
Acknowledgment: This research has been carried out
as part of the OCTOPUS project under the responsibility
of the Embedded Systems Institute. This project is partially
supported by the Netherlands Ministry of Economic Affairs
under the Bsik program. This research was also supported
by European Community’s FP7 Programme under grant
agreement no 214755 (QUASIMODO). We thank Twan
Basten, Alexandre David, Martijn Hendriks, Nikola Trcˇka,
Marc Voorhoeve, for inspiring discussions on the topic of
this paper. We dedicate this paper to the memory of Marc
Voorhoeve, 1950 - 2011, who devised the notion of a PPO.
REFERENCES
[1] F. Balarin, Hardware-software co-design of embedded sys-
tems: the POLIS approach. Kluwer, 1997.
[2] B. Kienhuis, E. Deprettere, K. Vissers, and P. van der Wolf,
“An approach for quantitative analysis of application-specific
dataflow architectures,” in ASAP, IEEE CS, 1997, pp. 338–
349.
[3] N. v. d. Nieuwelaar, J. v. d. Mortel-Fronczak, and J. Rooda,
“Design of supervisory machine control,” in European Con-
trol Conference, 2003.
[4] M. Hendriks, B. van den Nieuwelaar, and F. Vaandrager,
“Recognizing finite repetitive scheduling patterns in manufac-
turing systems,” in MISTA, University of Nottingham, 2003,
pp. 291–319.
[5] A. Mazurkiewicz, “Trace theory,” in Petri Nets: Applications
and Relationships to Other Models of Concurrency, LNCS
255, Springer, 1987, pp. 278–324.
[6] V. Pratt, “Modeling concurrency with partial orders,” Int.
Journal of Parallel Programming, vol. 15, pp. 33–71, 1986.
[7] G. Winskel, “An introduction to event structures,” in Linear
Time, Branching Time and Partial Order in Logics and
Models for Concurrency, LNCS 354, Springer, 1989, pp. 364–
397.
[8] K. Jensen, L. Kristensen, and L. Wells, “Coloured Petri nets
and cpn tools for modelling and validation of concurrent
systems,” STTT, vol. 9, pp. 213–254, 2007.
[9] K. Jensen and L. Kristensen, Coloured Petri Nets: Modelling
and Validation of Concurrent Systems. Springer, 2009.
[10] Octopus toolset homepage, http://dse.esi.nl, 2011.
[11] T. Basten, E. Van Benthum, M. Geilen, M. Hendriks,
F. Houben, G. Igna, F. Reckers, S. De Smet, L. Somers,
E. Teeselink, N. Trcˇka, F. Vaandrager, J. Verriet, M. Voorho-
eve, and Y. Yang, “Model-driven design-space exploration for
embedded systems: the Octopus toolset,” in ISoLA, LNCS
6415, Springer, 2010, pp. 90–105.
[12] N. Trcˇka, M. Voorhoeve, and T. Basten, “Parameterized par-
tial orders for modeling embedded system use cases: Formal
definition and translation to coloured Petri nets,” in ACSD,
IEEE CS, 2011, pp. 13–18.
[13] S. Stuijk, M. Geilen, and T. Basten, “Sdf3: Sdf for free,” in
ACSD, IEEE CS, 2006, pp. 276–278.
[14] G. Behrmann, A. David, and K. Larsen, “A tutorial on
Uppaal,” in SFM-RT 2004, LNCS 3185, Springer, 2004, pp.
200–236.
[15] R. Alur and D. L. Dill, “A theory of timed automata,” TCS,
vol. 126, pp. 183–235, 1994.
[16] Y. Abdeddaı¨m, A. Kerbaa, and O. Maler, “Task graph
scheduling using timed automata,” in IPDPS, IEEE CS, 2003,
pp. 237.
[17] M. Hendriks and M. Verhoef, “Timed automata based analysis
of embedded system architectures,” IPDPS, IEEE CS, 2006.
[18] S. Perathoner, E. Wandeler, L. Thiele, A. Hamann,
S. Schliecker, R. Henia, R. Racu, R. Ernst, and M. G.
Harbour, “Influence of different system abstractions on the
performance analysis of distributed real-time systems,” in
EMSOFT, ACM, 2007, pp. 193–202.
[19] J. Berendsen, B. Gebremichael, F. Vaandrager, and M. Zhang,
“Formal specification and analysis of zeroconf using Uppaal,”
ACM TECS, vol. 10, no. 3, 2011.
[20] F. Cassez, J. J. Jessen, K. G. Larsen, J.-F. Raskin, and
P.-A. Reynier, “Automatic synthesis of robust and optimal
controllers - an industrial case study,” in HSCC, LNCS 5469,
Springer, 2009, pp. 90–104.
[21] G. Igna, V. Kannan, Y. Yang, T. Basten, M. Geilen, F. Vaan-
drager, M. Voorhoeve, S. Smet, and L. Somers, “Formal
modeling and scheduling of datapaths of digital document
printers,” in FORMATS, LNCS 5215, Springer, 2008, pp.
170–187.
[22] G. Igna and F. Vaandrager, “Verification of printer datapaths
using timed automata,” in ISoLA, LNCS 6415, Springer, 2010,
pp. 412–423.
[23] I. AlAttili, F. Houben, G. Igna, S. Michels, F. Zhu, and
F. Vaandrager, “Adaptive scheduling of data paths using Up-
paal Tiga,” in QFM, Electronic Proceedings in TCS, vol. 13,
2009, pp. 1–12.
[24] R. v. Glabbeek and G. Plotkin, “Configuration structures,
event structures and Petri nets,” TCS, vol. 410, no. 41, pp.
4111–4159, 2009.
[25] J. Berendsen and F. Vaandrager, “Compositional abstraction
in real-time model checking,” in FORMATS, LNCS 5215,
Springer, 2008, pp. 233–249.
[26] S. Christensen, L. Kristensen, and T. Mailund, “A sweep-line
method for state space exploration,” in TACAS, LNCS 2031,
Springer, 2001, pp. 450–464.
[27] D. Peled, “Ten years of partial order reduction,” in CAV,
LNCS 1427, Springer, 1998, pp. 17–28.
[28] K. L. McMillan, “Using unfoldings to avoid the state explo-
sion problem in the verification of asynchronous circuits,” in
CAV, LNCS 663, Springer, 1992, pp. 164–177.
