Model checking embedded system designs
Ed Brinksma and Angelika Mader
Faculty of Computer Science, University of Twente
{brinksma,mader}@cs.utwente.nl
Extended abstract¹
1 Introduction
Model checking has established itself as a successful tool-supported technique for the verification and debugging of various hardware and software systems [16]. Not only in academia but also in industry, this technique is increasingly regarded as a promising and practical proposition, especially in the area of hardware verification [22].
Model checking is also being applied with success to the analysis of the control software in embedded systems [37]. Because such systems are often mission critical, in the sense that their failure to operate correctly can be very costly in terms of money and safety, there is a natural tendency to apply advanced methods to guide and analyse their design.
Because model checkers typically trace the behaviour leading to the explored states, they can be used not only analytically, i.e. to verify that given control designs are correct, but also synthetically, i.e. to derive or optimize control designs. Examples of such controller synthesis in the context of timed automata can be found in [31, 7].
In this extended abstract we survey the basic principles behind the application of model checking to controller verification and synthesis. Although the development of model checkers for sophisticated models of system behaviour is a nontrivial task, the conceptual ingredients often remain straightforward.
The major problem besetting model checking, as with many tools dealing with concurrent systems, is the infamous state space explosion, caused by the fact that the global state space of a system grows exponentially with the local state spaces of its components. The more sophisticated the model of behaviour, the more difficult it is to control this phenomenon effectively. This makes abstract modelling and state space search techniques decisive practical ingredients of model checking applications, more so than the sophistication of the behavioural model that is supported.
¹ The authors dedicate this paper to their daughter Esther Lilian, whose birth during its writing reduced it to an extended abstract.
A promising development is the area of guided model checking, in which the state space search strategy of the model checking algorithm can be influenced to visit more interesting sets of states first. In particular, we will discuss how model checking can be combined with heuristic cost functions to guide search strategies.
In the final section of this extended abstract we list a number of current research developments, especially in the area of reachability analysis for optimal control and related issues.
2 Model checking in a nutshell
Model checking is basically a brute-force exploration of the states of a given system, checking that a given state $s$ satisfies a property $P$. As the basic model of system behaviour we use labelled transition systems, which offer a straightforward way of representing system behaviour in terms of states and state transitions.
Definition 1 A labelled transition system $T$ is a tuple $\langle S, Act, \rightarrow \rangle$ with $S$ a nonempty set of system states; $Act$ a nonempty set of actions; and ${\rightarrow} \subseteq S \times Act \times S$ a transition relation. Instead of $(s, a, s') \in {\rightarrow}$ we write $s \xrightarrow{a} s'$, and $s \rightarrow s'$ if the action $a$ is not relevant.
A simple but important form of state space exploration is reachability analysis. This amounts to checking whether states belonging to a set GOAL can be reached by following transitions from a given set of initial states INIT (often restricted to a unique initial state $s_0 \in S$). This can be seen as calculating the smallest fixpoint $S^*$ containing INIT of the functional $F(X) = X \cup Post(X)$, where $Post(X) = \{s' \in S \mid \exists s \in X : s \rightarrow s'\}$, and checking whether $S^* \cap GOAL \neq \emptyset$. This is known as forward reachability checking; an abstract algorithm for it is given in Figure 1. Backward reachability analysis takes the dual approach by exchanging the roles of INIT and GOAL and working with $B(X) = X \cup Pre(X)$, where $Pre(X) = \{s' \in S \mid \exists s \in X : s' \rightarrow s\}$.
    PASSED := ∅
    WAITING := INIT
    while WAITING ≠ ∅ do
        remove some s from WAITING
        if s ∈ GOAL then return(yes)
        if s ∉ PASSED then
            PASSED := PASSED ∪ {s}
            WAITING := WAITING ∪ {s′ | s → s′}
    return(no)

Figure 1. A forward reachability algorithm

If the labelled transition system is finite, i.e. if $S$ and $Act$ are finite, then the above algorithm will terminate. It assumes that the test $s \in GOAL$ can be decided on the basis of local attributes of the state $s$, such as the values of variables in state $s$. A classical example of reachability analysis is deadlock analysis, which checks whether a system contains reachable states without outgoing transitions; this can be done by taking $GOAL =_{df} \{s \in S \mid Post(\{s\}) = \emptyset\}$.

Proceedings of the Sixth International Workshop on Discrete Event Systems (WODES'02), 0-7695-1683-1/02 $17.00 © 2002 IEEE
The sort of properties that can be analysed by reachability analysis can be substantially boosted beyond sets that can be characterised by propositional properties of states. To check regular properties of system traces, reachability analysis can be applied to the parallel composition of transition systems. The composition $T_1 \| T_2$ of two transition systems $T_1$ and $T_2$ with action sets $L_1$ and $L_2$, respectively, is the product of their respective state spaces with the transition relation defined by the SOS inference rules given in Figure 2.
$$\frac{s_1 \xrightarrow{a} s_1'}{(s_1, s_2) \xrightarrow{a} (s_1', s_2)}\; a \in L_1 - L_2 \qquad \frac{s_2 \xrightarrow{a} s_2'}{(s_1, s_2) \xrightarrow{a} (s_1, s_2')}\; a \in L_2 - L_1 \qquad \frac{s_1 \xrightarrow{a} s_1' \quad s_2 \xrightarrow{a} s_2'}{(s_1, s_2) \xrightarrow{a} (s_1', s_2')}\; a \in L_1 \cap L_2$$

Figure 2. SOS rules for composition
Let $A$ be a deterministic automaton with actions in $Act$, i.e. a finite labelled transition system $\langle S_A, Act, \rightarrow_A \rangle$ with a set of states $SUCCESS \subseteq S_A$ such that for all $s$ and $a$ there is at most one $s'$ with $s \xrightarrow{a} s'$, accepting a trace language $L \subseteq Act^*$. To model check the property $P_L =_{df} \{s \in S \mid \exists \sigma \in L : s \xrightarrow{\sigma}\}$ on a transition system $T$, we carry out a reachability analysis on $T \| A$ with $GOAL = \{(s, t) \in S \times S_A \mid t \in SUCCESS\}$ and $INIT = \{s\}$. In this context the automaton $A$ is sometimes referred to as the test automaton, cf. [3].
Much of model checking research has been devoted to checking properties for more powerful logics, with LTL [32], CTL [20], and the modal $\mu$-calculus [28] as important examples. LTL (linear temporal logic) can be used to characterize behaviour in terms of infinite traces. Instead of (test) automata, it uses Büchi automata to encode the acceptance conditions for infinite traces, together with reachability analysis of the strongly connected components of a transition system. The latter are subsets $X$ of system states in which each state is reachable from each other state, and that are closed under transitions, i.e. $Post(X) \subseteq X$, see [38]. CTL (Computational Tree Logic) and the $\mu$-calculus are so-called branching-time logics that characterize behaviour in terms of infinite trees, whose branches represent alternative behaviours and whose branching points represent the points of choice. Their model checking procedures essentially compute more sophisticated fixpoints over the state set, driven by recursive descent over the structure of the formulas [15].
We will confine ourselves essentially to reachability analysis, however. This has two reasons: first, most of what we have to say can be phrased in terms of reachability analysis, which obviates the need to deal with the complexities of more refined logical approaches. Second, experience indicates that many practical problems can be dealt with effectively in this more restrictive setting. This can be understood informally as follows: a common division of the system requirements that must be checked is that into safety and liveness properties. The former category states that "no bad behaviour will occur". This can often be readily translated into a reachability property: it can be checked whether an appropriately chosen set of "bad" states is reachable. The liveness properties, which express that "eventually some good behaviour will occur", in principle require more than just reachability, but in the setting of embedded systems many important liveness properties belong to the more restricted class of bounded liveness properties. These are statements of the form "event a will occur before event b (or time t)". Such properties can be tested by reachability analysis, e.g. using test automata that keep track of whether b can occur without a having been seen first.
An interesting feature of most model checking algorithms is that, in case a goal state is reached, they can produce witnesses. These are behaviour traces leading from an initial state to the goal state that is reached. As the goal states are often 'bad' states that should in principle not be reachable in a safety analysis, such traces are also referred to as counterexamples. The capability to produce counterexamples is obtained by refining the algorithm of Figure 1 by storing the states in the set PASSED in a labelled tree data structure, where node $s$ is linked with label $a$ to node $s'$ when it is established that $s \xrightarrow{a} s'$. This refinement of PASSED makes it correspond to a prefix of the 'unrolling' of the transition system that is being analysed. If a goal state is encountered, the corresponding witness or counterexample is obtained by tracing back to the (a) root node of the tree. This refinement entails that the set WAITING consists not of states, but of 'detected transitions' $s \xrightarrow{a} s'$ from a leaf node $s$ in PASSED. Implementing this set using a queue-like data type that is dequeued by the "remove some" operation in the algorithm yields a breadth-first search strategy for state space exploration; using a stack-like data type similarly implements a depth-first strategy. Breadth-first strategies are attractive because they always generate a shortest counterexample, if any exists. Their disadvantage is that they are very expensive, generally storing (many) more transitions than depth-first strategies before finding counterexamples.
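The forward reachability algorithm of Figure 1, extended with parent links so that it returns a witness trace, run on the product (Figure 2 rules) of a plant with a test automaton for the bounded-liveness property "open occurs before pump". This is an added example, not code from the paper; the plant, the test automaton and all state and action names are constructed for illustration.

```python
"""Forward reachability with witnesses on a product with a test automaton.

Added example, not from the paper. A transition system is a dict mapping a
state to its list of (action, successor) pairs; the product follows the SOS
rules of Figure 2 (interleave private actions, synchronise on shared ones).
"""
from collections import deque


def product(t1, t2, acts1, acts2):
    """Parallel composition T1 || T2, explored lazily on pairs of states."""
    def succ(state):
        s1, s2 = state
        out = []
        for a, s1n in t1.get(s1, []):
            if a in acts1 - acts2:                 # rule 1: T1 moves alone
                out.append((a, (s1n, s2)))
            elif a in acts2:                       # rule 3: both must offer a
                for b, s2n in t2.get(s2, []):
                    if b == a:
                        out.append((a, (s1n, s2n)))
        for a, s2n in t2.get(s2, []):
            if a in acts2 - acts1:                 # rule 2: T2 moves alone
                out.append((a, (s1, s2n)))
        return out
    return succ


def reach(succ, init, goal, breadth_first=True):
    """Figure 1 with parent links: returns the witness (action list) or None.

    WAITING is a queue for breadth-first search (shortest witness) and a
    stack for depth-first search; PASSED is the set of expanded states.
    """
    parent = {s: None for s in init}               # state -> (action, predecessor)
    waiting = deque(init)
    passed = set()
    while waiting:
        s = waiting.popleft() if breadth_first else waiting.pop()
        if goal(s):
            trace = []
            while parent[s] is not None:           # trace back to the root
                a, s = parent[s]
                trace.append(a)
            return list(reversed(trace))
        if s in passed:
            continue
        passed.add(s)
        for a, sn in succ(s):
            if sn not in parent:                   # first detection fixes the link
                parent[sn] = (a, s)
                waiting.append(sn)
    return None


# Constructed plant: a valve must be opened before the pump is started.
PLANT = {
    "idle": [("fill", "full")],
    "full": [("open", "draining")],
    "draining": [("pump", "empty")],
    "empty": [("close", "idle")],
}
PLANT_BUGGY = dict(PLANT, full=[("open", "draining"), ("pump", "stuck")])
PLANT_ACTS = {"fill", "open", "pump", "close"}

# Test automaton for "open before pump": SUCCESS = {"fail"} is reached exactly
# when a pump action is observed without a preceding open action.
TEST = {
    "wait": [("open", "ok"), ("pump", "fail")],
    "ok": [("open", "ok"), ("pump", "ok")],
    "fail": [],
}
TEST_ACTS = {"open", "pump"}


def check_open_before_pump(plant, breadth_first=True):
    """Witness violating the property (trace of plant actions), or None."""
    succ = product(plant, TEST, PLANT_ACTS, TEST_ACTS)
    return reach(succ, [("idle", "wait")], lambda st: st[1] == "fail", breadth_first)
```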
In practice, the most limiting factor for model checking is the space required to store the set/tree PASSED of states/transitions that have already been visited. Data types and algorithms that economize on such space requirements, such as BDDs, bitstate hashing, partial-order search etc. [13, 25, 33], are therefore of vital interest for the practical application of model checking. Such methods, however, cannot be of any help in cases where there are in principle an unbounded number of states that need to be explored. This can be because the system model includes features such as unbounded message queues, or, more interesting in our context, state parameters of a continuous nature, such as time in real-time systems, or other physical quantities in hybrid systems in general.
Symbolic model checking addresses these issues by looking at finite representations of infinite state systems, lifting the transition relation from individual states to (infinite) sets of states; the techniques for doing this depend on the source of unboundedness in the model. For us it will be interesting to get an idea by looking at model checking algorithms for timed automata [4], a very popular model for representing real-time embedded systems. The model consists of a finite state machine or automaton modelling the finite control structure underlying the system at hand; it is extended with clock variables from a given set $C$. The variables 'follow' time in the sense that their values increase by $\Delta t$ when $\Delta t$ time units elapse, but they can be reset as the result of a control transition. Both control states (or locations) and transitions may be guarded by propositions over the set of clocks, taken from a set $B(C)$. For locations these propositions are known as invariants and state for which clock values the system is allowed to be in a particular location. For transitions they state under which clock conditions a transition may be taken.
Definition 2 A timed automaton $A$ is a tuple $\langle L, E, I, l_0 \rangle$ with $L$ a finite set of (control) locations; $E \subseteq L \times B(C) \times \mathcal{P}(C) \times L$ the set of edges, where an edge contains a source location, a guard, a set of clocks to be reset, and a target location; $I : L \rightarrow B(C)$ assigns invariants to locations; and $l_0 \in L$ the initial location. We write $l \xrightarrow{g,r} l'$ instead of $(l, g, r, l') \in E$.
It is clear that timed automata have an infinite underlying state space consisting of states of the form $\langle l, v \rangle$, where $l$ is a location and $v$ is a so-called clock assignment. A seminal result by Alur and Dill is that if the expressivity of the set of clock expressions is carefully restricted (comparisons between natural numbers and clocks $x$ or clock differences $x - y$), reachability for timed automata becomes decidable. This is done by partitioning the space of clock assignments into so-called regions, whose elements affect the control flow through guards and invariants in precisely the same manner. An improvement over the concept of region is that of a zone, which is used in Uppaal, and can be understood as the coarsest partitioning that has this property. Figure 3 gives a reformulation of the basic reachability algorithm of Figure 1 for timed automata with zones. $\langle s, Z \rangle \rightsquigarrow \langle s', Z' \rangle$ expresses that states with location $s$ and assignments in zone $Z$ can reach states with location $s'$ and assignments in $Z'$, either by letting time pass (delaying) or by executing a control transition.
    PASSED := ∅
    WAITING := {〈s0, Z0〉}
    while WAITING ≠ ∅ do
        remove some 〈s, Z〉 from WAITING
        if ∃〈g, Zg〉 ∈ GOAL : s = g ∧ Z ⊆ Zg then return(yes)
        if ∀〈s, Z′〉 ∈ PASSED : Z ⊈ Z′ then
            PASSED := PASSED ∪ {〈s, Z〉}
            WAITING := WAITING ∪ {〈s′, Z′〉 | 〈s, Z〉 ⇝ 〈s′, Z′〉}
    return(no)

Figure 3. Abstract reachability with zones
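An added example of the zone-based algorithm of Figure 3 (not code from the paper or from Uppaal): zones are represented as difference bound matrices restricted to non-strict bounds, and the timed automaton, its locations and its clocks x and y are constructed for illustration. In location l1 the zone carries the difference constraint 2 ≤ x − y ≤ 3, so the edge guarded by y ≥ 3 ∧ x ≤ 4 can never be taken, while the one guarded by y ≥ 1 ∧ x ≤ 4 can.

```python
"""Zone-based forward reachability for timed automata, after Figure 3.

Added example, not code from the paper or from Uppaal. Zones are difference
bound matrices (DBMs): clocks are indexed 1..n, index 0 is the constant 0,
and D[i][j] = c encodes x_i - x_j <= c. Only non-strict bounds are modelled,
a simplifying assumption of this example.
"""
from collections import deque

INF = float("inf")

def canonical(D):
    """Tighten all bounds (Floyd-Warshall); return None if the zone is empty."""
    n = len(D)
    D = [row[:] for row in D]
    for k in range(n):
        for i in range(n):
            for j in range(n):
                if D[i][k] + D[k][j] < D[i][j]:
                    D[i][j] = D[i][k] + D[k][j]
    return None if any(D[i][i] < 0 for i in range(n)) else D

def constrain(D, cons):
    """Intersect with constraints (i, j, c), each meaning x_i - x_j <= c."""
    D = [row[:] for row in D]
    for i, j, c in cons:
        D[i][j] = min(D[i][j], c)
    return canonical(D)

def up(D):
    """Let time pass: drop every upper bound x_i - x_0 <= c."""
    D = [row[:] for row in D]
    for i in range(1, len(D)):
        D[i][0] = INF
    return D

def reset(D, clocks):
    """Reset the given clocks to 0 by giving them the bounds of clock 0."""
    D = [row[:] for row in D]
    for i in clocks:
        for j in range(len(D)):
            if j != i:
                D[i][j], D[j][i] = D[0][j], D[j][0]
    return canonical(D)

def subset(Z1, Z2):
    """Zone inclusion for canonical DBMs: Z1 is inside Z2 iff every bound is tighter."""
    return all(a <= b for r1, r2 in zip(Z1, Z2) for a, b in zip(r1, r2))

def delay_in(ta, loc, Z):
    """Enter loc and let time pass while staying inside the invariant of loc."""
    inv = ta["inv"].get(loc, [])
    Z = constrain(Z, inv)
    return None if Z is None else constrain(up(Z), inv)

def successors(ta, loc, Z):
    """Symbolic successors <loc', Z'> of <loc, Z>: take an edge, then delay."""
    for src, guard, resets, dst in ta["edges"]:
        if src != loc:
            continue
        Zg = constrain(Z, guard)
        if Zg is None:
            continue                          # guard never enabled in Z
        Zn = delay_in(ta, dst, reset(Zg, resets))
        if Zn is not None:
            yield dst, Zn

def reachable(ta, goal_loc):
    """Figure 3: search over symbolic states, pruning zones covered by PASSED."""
    n = ta["clocks"] + 1
    Z0 = delay_in(ta, ta["init"], [[0] * n for _ in range(n)])  # all clocks 0
    waiting = deque([(ta["init"], Z0)] if Z0 is not None else [])
    passed = []
    while waiting:
        loc, Z = waiting.popleft()
        if loc == goal_loc:
            return True
        if any(l == loc and subset(Z, Zp) for l, Zp in passed):
            continue                          # included in a PASSED zone
        passed.append((loc, Z))
        waiting.extend(successors(ta, loc, Z))
    return False

# Constructed automaton with clocks x (index 1) and y (index 2).  A constraint
# (i, j, c) means x_i - x_j <= c, so (0, X, -2) is x >= 2 and (X, 0, 4) is x <= 4.
X, Y = 1, 2
TA = {
    "clocks": 2,
    "init": "l0",
    "inv": {"l0": [(X, 0, 3)]},                          # x <= 3 while in l0
    "edges": [
        ("l0", [(0, X, -2)], [Y], "l1"),                  # x >= 2, reset y
        ("l1", [(0, Y, -3), (X, 0, 4)], [], "too_late"),  # y >= 3 and x <= 4
        ("l1", [(0, Y, -1), (X, 0, 4)], [], "in_time"),   # y >= 1 and x <= 4
    ],
}
```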
Reachability analysis can also be applied to hybrid automata, but due to the more complicated nature of the dynamics of the continuous variables decidability cannot be obtained, since the corresponding algorithm may not terminate, in contrast to that of Figure 3. Here safety analysis is often carried out using so-called over-approximation, by extending the model to a decidable version that makes more states reachable than are reachable in the actual system. If certain bad states are unreachable in an over-approximation then this result carries over to the original system. Examples can be found in [17, 21].
Figure 4. The P/I-Diagram of the Batch Plant (diagram not reproduced; it shows the containers B1–B7, K1, pumps P1 and P2, valves V1–V29, the LIS/QIS/FIS/TIS/PIS instrument tags and the cooling water, salt and H₂O connections)
3 Example: verification and optimization of a controller
One of the case studies of the European VHS project was the design and verification of a controller for a simple chemical batch plant, as depicted in Figure 4, originally designed for student exercises. We describe its main features below; a more detailed account can be found in Kowalewski's description of the plant [27]. It turned out to be a very nice example for the application of model checking techniques.
The plant "produces" batches of diluted salt solution from concentrated salt solution (in container B1) and water (in container B2). These ingredients are mixed in container B3 to obtain the diluted solution, which is subsequently transported to container B4 and then further on to B5. In container B5 an evaporation process is started. The evaporated water goes via a condenser to container B6, where it is cooled and pumped back to B2. The remaining hot, concentrated salt solution in B5 is transported to B7, cooled down and then pumped back to B1.
The controlled batch plant is clearly a hybrid system. The discrete element is provided by the control program and the (abstract) states of the valves, mixer, heater and coolers (open/closed, on/off). Continuous aspects are tank filling levels, temperatures, and time. The latter can be dissected into real-time phenomena of the plant on the one hand, such as tank filling, evaporation, mixing, heating and cooling times, and the program execution and reaction times on the other.
In [30, 11] we report on the use of the model checker SPIN [36] for the verification and optimization of a controller for this plant. SPIN is a state-of-the-art model checker. Its models are essentially labelled transition systems defined in the related modelling language Promela. As Promela does not cater for modelling continuous system parameters, an adequate discrete model had to be devised. For volumes and temperatures only critical extremal values were considered; time was discretized, and a variable time-advance technique [35] was used to avoid a state space explosion caused by having a huge domain of discretized time points. This technique makes sure that only essential points in time (when something 'happens') are considered in reachability analysis, and not the uninteresting time states leading up to them.
In [30] we showed how a controller that was designed by careful analysis of the plant could be verified using this model. Because SPIN supports LTL model checking, this could be done by verifying a formula that states that a state in which a batch is produced is reached infinitely often. However, because the behaviour of the plant is fully determined by the control actions, reachability analysis would also suffice to establish this, by showing that a next batch-producing state is reachable from a batch-producing state (this involves adding a batch counter to the model to avoid a trivial solution in which such a state is reached by doing nothing).
In [12] it is subsequently shown how the controller may be optimized with respect to time, i.e. to look for a batch production schedule that takes a minimal time for producing a batch. The original controller design was such that it would always schedule a maximal non-conflicting set of events (i.e. events not competing for the same resources). Now the controller model was made non-deterministic by allowing all non-empty subsets of non-conflicting events to be scheduled. Then reachability analysis was used to find witnesses for states where N batches had been produced before time T. By increasing N for fixed T each time a witness is found, the last witness trace that can be found contains the scheduling information for optimal batch production. Here it is crucial to carefully tune the 'time horizon' T, which should be large enough not to prematurely cut off a possibly interesting witness, and small enough to allow effective searching of the state space, which has become potentially very large due to the nondeterministic model of the controller.
4 Minimal-cost guided model checking
The search for optimal schedules as explained above involves the explicit manipulation of the parameters N and T (and in fact another parameter to control the degree of nondeterministic branching, see [11]) to control the effectiveness of the search for witnesses. Such guiding of the search strategy can be made more explicit by adding a notion of cost to the selection of alternatives. The process can then be guided by automatically selecting the cheapest alternative.
Figure 5 describes a refinement of the standard (symbolic) reachability algorithm using a notion of cost. It requires that symbolic states $A$ come equipped with cost assignments $\pi$ that determine the cost $\pi(s)$ for each state $s \in A$. Moreover, it is assumed that for each priced symbolic state $\langle A, \pi \rangle$ the function $minCost(A, \pi) = \inf\{\pi(s) \mid s \in A\}$ can be determined effectively. Priced symbolic states can be ordered by defining $\langle A, \pi \rangle \sqsubseteq \langle B, \eta \rangle$ if $B \subseteq A$ and $\pi(s) \le \eta(s)$ for all $s \in B$, which can be paraphrased informally as $\langle A, \pi \rangle$ is "as big and cheap" as $\langle B, \eta \rangle$.
    COST := ∞
    PASSED := ∅
    WAITING := {〈s0, π0〉}
    while WAITING ≠ ∅ do
        remove 〈A, π〉 from WAITING with minimal minCost(A, π)
        if A ∩ GOAL ≠ ∅ ∧ minCost(A ∩ GOAL, π) < COST then COST := minCost(A ∩ GOAL, π)
        if ∀〈B, η〉 ∈ PASSED : 〈B, η〉 ⋢ 〈A, π〉 then
            PASSED := PASSED ∪ {〈A, π〉}
            WAITING := WAITING ∪ {〈B, η〉 | 〈A, π〉 ⇝ 〈B, η〉}
    return(COST)

Figure 5. Symbolic minimal-cost reachability
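An added example, not the paper's or Uppaal's code, of the minimal-cost reachability loop of Figure 5 on a constructed batch recipe with three unary resources, where the cost of a state is the makespan reached so far. Symbolic states are collapsed to concrete ones, so minCost is just the cost of the state and the "as big and cheap" test reduces to comparing costs of the same state; the recipe, durations and names are assumptions of this example.

```python
"""Minimal-cost reachability (Figure 5) applied to a small batch schedule.

Added example, not the paper's or Uppaal's code. Symbolic states are collapsed
to concrete states, so minCost(A, pi) is simply the cost of the state, and a
PASSED state is 'as big and cheap' as a new one when it is the same state with
a cost that is not higher.
"""
import heapq

# Constructed recipe (not the VHS plant): each batch uses these unary resources
# in order, for the given number of time units.
STEPS = (("mixer", 2), ("evaporator", 3), ("cooler", 1))
RESOURCES = tuple(r for r, _ in STEPS)


def initial(n_batches):
    """State = (next step per batch, ready time per batch, free time per resource)."""
    return ((0,) * n_batches, (0,) * n_batches, (0,) * len(RESOURCES))


def cost(state):
    """The makespan so far: the moment the last busy resource becomes free."""
    return max(state[2])


def is_goal(state):
    """All batches have completed every step."""
    return all(k == len(STEPS) for k in state[0])


def successors(state):
    """Schedule the next step of one batch as early as its resource allows."""
    stage, ready, free = state
    for b, k in enumerate(stage):
        if k == len(STEPS):
            continue
        res, dur = STEPS[k]
        r = RESOURCES.index(res)
        start = max(ready[b], free[r])
        event = (b, res, start)
        yield event, (
            stage[:b] + (k + 1,) + stage[b + 1:],
            ready[:b] + (start + dur,) + ready[b + 1:],
            free[:r] + (start + dur,) + free[r + 1:],
        )


def min_cost_schedule(n_batches):
    """Figure 5: always expand the cheapest waiting state; skip dominated ones.

    Returns (COST, schedule) where schedule lists (batch, resource, start).
    """
    best_cost, best_schedule = float("inf"), None
    passed = {}                                  # state -> cheapest cost seen
    waiting = [(0, 0, initial(n_batches), ())]   # (cost, tie-break, state, trace)
    tick = 1
    while waiting:
        c, _, state, trace = heapq.heappop(waiting)
        if is_goal(state) and c < best_cost:
            best_cost, best_schedule = c, trace
        if state in passed and passed[state] <= c:
            continue                             # a PASSED state is as big and cheap
        passed[state] = c
        for event, nxt in successors(state):
            heapq.heappush(waiting, (cost(nxt), tick, nxt, trace + (event,)))
            tick += 1
    return best_cost, best_schedule
```

The evaporator is the bottleneck, so for three batches any optimal schedule keeps it busy from time 2 to 11 and finishes at 12.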
In [29] an instantiation of the above minimal-cost reachability algorithm is presented for timed automata, the linearly priced timed automata model, which has been implemented in the UPPAAL tool. Here costs accumulate linearly with the residence time in locations, with location-dependent rates, and with transition-dependent costs for each transition taken. Minimal-cost reachability in this setting is shown to be decidable. An independent result along these lines can be found in [5].
In [12] this approach is compared to the SPIN approach for finding optimal schedules. The search strategy that is actually employed uses so-called heuristics, a variant in which a separately defined variable is used to determine the priority with which states are removed from the WAITING list. In all except one case optimal schedules were easily detected this way, obviating the need for repeated runs with different parameter values, as with SPIN. It does need some experimentation, however, to find heuristics that induce the right search strategy. Details and applications to other case studies can be found in [21].
5 Scheduling synthesis
Given guided model checking strategies to evaluate promising parts of the reachability tree first, model checking techniques can also be used effectively to synthesize controllers. The simplest case is when the plant to be controlled is deterministic, in the sense that it either moves on its own to a uniquely determined next state, or makes a transition caused by a control action that is uniquely determined by that action. The VHS batch plant case study is an example of this. This kind of scheduling control, and the related field of planning, is a rich source of problems [19, 26, 14, 1, 2].
In such cases one can do reachability analysis on the uncontrolled plant model, with plant states in which (several) batches have been produced as goal states. Guided search obtains witnesses that contain the necessary scheduling information. Because the uncontrolled plant allows for very many useless control scenarios (e.g. opening a valve under an empty container, opening and immediately closing the same valve, etc.), this usually requires some tweaking of the model and/or the search heuristics to get rid of unproductive behaviours.
Using test automata to exclude the selection of already detected scheduling strategies makes it possible to find more general or alternative schedules. Using minimal-cost reachability, schedules can be detected that satisfy some optimality criterion.
General supervisory control for discrete event systems [34] is closely related to reachability analysis on game automata. A game automaton is a labelled transition system $\langle S, Act, \rightarrow \rangle$ with an action set $Act = C \cup E$ that is partitioned into environment (or uncontrolled) actions from $E$ and controlled actions from $C$. Given a set of GOAL states one wishes to establish the subset $W_G \subseteq S$ of states in which the controller has a winning strategy, i.e. from which a state in GOAL can be reached no matter what enabled environment actions are selected on the way. This set can actually be determined by backward reachability analysis, calculating the smallest fixpoint containing GOAL of

$$B(X) = X \cup Pre_C(X) \cup Pre_E(X)$$

where

• $Pre_C(X) = \{s \in S \mid \exists a \in C, s' \in X : s \xrightarrow{a} s'\}$ (some controlled action leads into $X$)
• $Pre_E(X) = \{s \in S \mid \forall a \in E, s' \in S : s \xrightarrow{a} s' \Rightarrow s' \in X\}$ (every environment action leads into $X$)

Putting $G = GOAL$, this fixpoint can be calculated as the limit of the chain

$$G \subseteq B(G) \subseteq \ldots \subseteq B^i(G) \subseteq B^{i+1}(G) \subseteq \ldots$$

where for finite game automata the limit is obtained by stagnation for some finite index $i$. This can be done using an algorithm analogous to that of Figure 1.
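An added example, not from the paper, of computing $W_G$ by iterating $B$ to stagnation on a constructed tank game, recording at which iteration $B^i(G)$ each state entered so that a memoryless winning strategy can be read off. The transition list, the split into controlled and environment actions, and the choice to count a state in $Pre_E$ only if it has at least one environment action are assumptions of this example.

```python
"""Winning region of a game automaton by backward reachability (Section 5).

Added example, not from the paper. Transitions are (source, action, target)
triples over an action set split into controlled actions C and environment
actions E; ranks record the fixpoint iteration at which a state became winning.
"""


def pre_c(trans, ctrl, W):
    """Pre_C(W): states with some controlled action leading into W."""
    return {s for s, a, t in trans if a in ctrl and t in W}


def pre_e(trans, env, W):
    """Pre_E(W): states all of whose environment actions lead into W.

    A state without any environment action is not counted (an assumption of
    this example), so a deadlocked state never becomes winning by vacuity.
    """
    has_env = {s for s, a, _ in trans if a in env}
    escapes = {s for s, a, t in trans if a in env and t not in W}
    return has_env - escapes


def winning_states(trans, ctrl, env, goal):
    """Least fixpoint of B(W) = W ∪ Pre_C(W) ∪ Pre_E(W), iterated to stagnation.

    Returns {state: rank}; rank i means the state first appears in B^i(GOAL).
    """
    rank = {s: 0 for s in goal}
    i = 0
    while True:
        W = set(rank)
        new = (pre_c(trans, ctrl, W) | pre_e(trans, env, W)) - W
        if not new:
            return rank
        i += 1
        rank.update({s: i for s in new})


def strategy(trans, ctrl, rank):
    """Memoryless controller: in each winning state pick a controlled action
    that strictly decreases the rank, so every controlled step makes progress.
    """
    return {s: a for s, a, t in trans
            if a in ctrl and s in rank and t in rank and rank[t] < rank[s]}


# Constructed tank game: the controller opens, closes and mixes; the
# environment raises the level, may leak the tank and refills it.
CTRL = {"open", "close", "mix"}
ENV = {"rise", "leak", "refill", "fault"}
TRANS = [
    ("idle", "open", "filling"),
    ("filling", "rise", "level_high"),
    ("level_high", "close", "closed"),
    ("level_high", "rise", "overflow"),   # losing if the controller waits here
    ("closed", "mix", "done"),
    ("idle", "leak", "empty_tank"),
    ("empty_tank", "refill", "idle"),
]
GOAL = {"done"}


def analyse(trans=TRANS):
    """Winning ranks and a winning strategy for the given game automaton."""
    rank = winning_states(trans, CTRL, ENV, GOAL)
    return rank, strategy(trans, CTRL, rank)
```

Adding a single environment transition ("filling", "fault", "overflow") removes "filling", "idle" and "empty_tank" from the winning region, since the controller can then no longer guarantee reaching "done".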
A classical paper on the application of game theory and winning strategies to controller synthesis for timed automata is the one by Maler, Pnueli and Sifakis [31].
6 Research issues
As shown above there are fruitful applications of model checking techniques, especially reachability anal­ysis, to the design and verification of embedded systems, varying from the analysis of given control systems to the synthesis of new controllers. Important issues that play a role in current research are:
• Expressive model classes: embedded systems often have to deal with a combination of extensions of the transition system paradigm along different modelling dimensions, such as real-time behaviour, uncertainty (nondeterminism and stochastic behaviour), and a notion of cost and/or rewards. The challenge is to be able to have models that can be effectively model checked in all useful areas of this multi-dimensional space. These models must also have efficient machine representations in the form of clever symbolic data structures, such as zones, BDDs, clock difference diagrams, etc.
It is especially challenging to see whether results that have been obtained in the context of (optimal) control and timed automata can be extended to models that include stochastic features. In this respect it is interesting to know that model checking techniques are being developed for the machine-assisted evaluation of performability measures of continuous time Markov chains and decision processes [23, 24]. There is also work being done on the incorporation of probabilistic choice in the UPPAAL framework [18].
• Compositionality: to combat the state space explosion effectively it will be necessary to do as much of the calculations as possible on the smaller local state spaces of component processes, instead of on the potentially huge global state space of a system. It is therefore interesting to see to what extent compositional model checking techniques such as CBR (compositional backwards reachability) [8] carry over to the (optimal) reachability problems discussed above.
• Optimality and guided search: cost-driven reachability analysis can also be applied to the game-theoretic approach to control synthesis described above [10]. Because of the huge state spaces of most practical applications, guided search techniques are almost always needed to obtain results with a reasonable use of space and time resources. A much better understanding is needed of effective search heuristics and how they are best represented.
• Abstractions: abstraction fights the state space explosion by replacing a (too) large model with a simpler one that preserves all properties of interest. There is a well-established body of work in classical model checking that relates abstractions to classes of logical formulas that represent properties of interest. Abstractions can also be developed that preserve winning strategies, also in the presence of cost functions [10].
• Modelling methodology: this practically important aspect of applications is often overlooked. As was reported here, the VHS batch plant case study showed that good results could be obtained using a non-symbolic model checker (SPIN) on a hybrid control problem. Clever modelling techniques may compensate for less advanced modelling features, and in fact produce more manageable state spaces. There is a lack of systematic understanding of how qualitative features such as ease of modelling, size of model, precision of results, maintainability, verification speed, etc. relate to different modelling classes and styles. The current practice is best described by the slogan "model hacking precedes model checking".
• Verification vs. testing: the drive to obtain models that can be used effectively for analysis via model checking techniques leads to the application of aggressive abstraction techniques to obtain the needed compactification and simplification. This may easily lead to models that no longer preserve all relevant properties of the actual, implemented system. Testing is the validation method that addresses a system at the level of its physical implementation, and that can be used to check whether undue abstractions have been made. It is important to understand how model-based testing methods may be used to systematically complement verification by model checking, and help to validate model checking models [9].
The IST project AMETIST [6] addresses these and other issues in an effort to develop a full-blown methodology for the design and analysis of real-time embedded systems, with a special focus on (optimal) scheduling and resource allocation problems.
Acknowledgements
Much of the contents of this paper result from joint work and discussions with Kim Larsen. The application of heuristic search methods to the batch plant example was done in collaboration with Ansgar Fehnker.
References
[1] Y. Abdeddaïm and O. Maler. Job-shop scheduling using timed automata. In Proceedings CAV 2001, volume 2102 of Lecture Notes in Computer Science, pages 478–492. Springer-Verlag, 2001.
[2] Y. Abdeddaïm and O. Maler. Pre-emptive job-shop scheduling using stopwatch automata. In Proceedings TACAS 2002, volume 2280 of Lecture Notes in Computer Science, pages 113–126. Springer-Verlag, 2002.
[3] L. Aceto, P. Bouyer, A. Burgueño, and K. Larsen. The power of reachability testing for timed automata. In Proceedings FST & TCS'98, volume 1530 of Lecture Notes in Computer Science, pages 245–256. Springer-Verlag, 1998.
[4] R. Alur and D. Dill. A theory of timed automata. Theoretical Computer Science, 138:183–335, 1994.
[5] R. Alur, S. L. Torre, and G. Pappas. Optimal paths in weighted timed automata. In Fourth International Workshop on Hybrid Systems: Computation and Control, number 2034 in Lecture Notes in Computer Science, pages 49–62, 2001.
[6] AMETIST homepage. http://ametist.cs.utwente.nl/.
[7] E. Asarin, O. Maler, A. Pnueli, and J. Sifakis. Controller synthesis for timed automata. In Proceedings IFAC Symposium on System Structure and Control, pages 469–474. Elsevier, 1998.
[8] G. Behrmann, K. Larsen, H. Andersen, H. Hulgaard, and J. Lind-Nielsen. Verification of large state/event systems using compositionality and dependency analysis. In Tools and Algorithms for the Construction and Analysis of Systems, volume 1579 of Lecture Notes in Computer Science, pages 163–177. Springer-Verlag, 1999.
[9] E. Brinksma. Verification is experimentation! Software Tools for Technology Transfer, 3(2):107–111, 2001.
[10] E. Brinksma and K. Larsen. From reachability to optimal control, 2002. Unpublished manuscript.
[11] E. Brinksma and A. Mader. Verification and optimization of a PLC control schedule. In Proceedings of SPIN 2000, volume 1885 of Lecture Notes in Computer Science. Springer, 2000.
[12] E. Brinksma, A. Mader, and A. Fehnker. Verification and optimization of a PLC control schedule. Software Tools for Technology Transfer, 2002. Accepted for publication.
[13] R. Bryant. Graph-based algorithms for Boolean function manipulation. IEEE Transactions on Computers, C-35(8):677–691, 1986.
[14] A. Cimatti, E. Giunchiglia, F. Giunchiglia, and P. Traverso. Planning via model checking: A decision procedure for AR. In Proceedings 4th European Conference on Planning (ECP-97), volume 1348 of Lecture Notes in Artificial Intelligence, pages 130–142. Springer-Verlag, 1997.
[15] E. Clarke, E. Emerson, and A. Sistla. Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM TOPLAS, 8(2):244–263, 1986.
[16] E. Clarke and J. Wing. Formal methods: state of the art and future directions. Technical report, Strategic Directions in Computing Research, Formal Methods Working Group, August 1996.
[17] T. Dang and O. Maler. Reachability analysis via face lifting. In Hybrid Systems: Computation and Control, volume 1386 of Lecture Notes in Computer Science, pages 96–109. Springer-Verlag, 1998.
[18] P. D'Argenio, B. Jeannet, H. Jensen, and K. Larsen. Reachability analysis of probabilistic systems by successive refinements. In Proceedings PAPM-PROBMIV 2001, volume 2165 of Lecture Notes in Computer Science, pages 29–56. Springer-Verlag, 2001.
[19] H. Dierks, G. Behrmann, and K. Larsen. Solving planning problems using real-time model-checking (translating PDDL3 into timed automata). In Proceedings AIPS, 2002. To appear.
[20] E. Emerson and E. Clarke. Using branching time temporal logic to synthesize synchronization skeletons. Science of Computer Programming, 2:241–266, 1982.
[21] A. Fehnker. Citius, Vilius, Melius. PhD thesis, University of Nijmegen, 2002.
[22] R. Gerth. Model checking if your life depends on it: a view from Intel's trenches. In M. Dwyer, editor, Model Checking Software, Proceedings 8th International SPIN Workshop, volume 2057 of Lecture Notes in Computer Science, page 15. Springer-Verlag, 2001.
[23] B. Haverkort, L. Cloth, H. Hermanns, J.-P. Katoen, and C. Baier. Model checking performability properties. In Proceedings DSN 2002. IEEE CS Press, 2002.
[24] H. Hermanns and J.-P. Katoen. Performance evaluation := (process algebra + model checking) × Markov chains. In Proceedings CONCUR 2001, volume 2165 of Lecture Notes in Computer Science, pages 59–81. Springer-Verlag, 2001.
[25] G. Holzmann. An improved protocol reachability analysis
technique. Software-Practice and Experience, 18(2):137–
161, 1988.
[26] T. Hune, K. G. Larsen, and P. Pettersson. Guided Synthe-
sis of Control Programs using UPPAAL. Nordic Journal of
Computing, 8(1):43–64, 2001.
[27] S. Kowalewski. Description of case study CS1 “exper-
imental batch plant”. http://www-verimag.imag.
fr/VHS/main.html, July 1998.
[28] D. Kozen. Results on the propositional µ-calculus. Theoret-
ical Computer Science, 27:333–354, 1983.
[29] K. G. Larsen, G. Behrmann, E. Brinksma, A. Fehnker,
T. Hune, P. Pettersson, and J. Romijn. As cheap as possible:
Efficient cost-optimal reachability for priced timed automat.
In G. Berry, H. Comon, and A. Finkel, editors, Proceedings
of CAV 2001, number 2102 in Lecture Notes in Computer
Science, pages 493–505. Springer–Verlag, 2001.
[30] A. Mader, E. Brinksma, H. Wupper, and N. Bauer. Design
of a PLC control program for a bach plant, VHS case study
1. European Journal of Control, 7(4):416–454, 2001.
Proceedings of the Sixth International Workshop on Discrete Event Systems (WODES’02) 
0-7695-1683-1/02 $17.00 © 2002 IEEE 
[31] O. Maler, A. Pnueli, and J. Sifakis. On the synthesis of discrete controllers for timed systems. In E. Mayr and C. Puech, editors, Proceedings STACS '95, volume 900 of Lecture Notes in Computer Science, pages 229–242. Springer-Verlag, 1995.
[32] Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems: Specification. Springer-Verlag, 1992.
[33] D. Peled. Combining partial-order reductions with on-the-fly model checking. Formal Methods in System Design, 8:39–64, 1996.
[34] P. Ramadge and W. Wonham. Supervisory control of a class of discrete event processes. SIAM Journal of Control and Optimization, 25(1):206–230, 1987.
[35] G. Shedler. Regenerative Stochastic Simulation. Academic Press, 1993.
[36] SPIN homepage. http://wwwnetlib.bell-labs.com/netlib/spin/whatispin.html.
[37] J. Tretmans, K. Wijbrans, and M. Chaudron. Development of a storm surge barrier control system: Revisiting seven myths of formal methods. Formal Methods in System Design, 19(2):195–215, 2001.
[38] M. Vardi and P. Wolper. Reasoning about infinite computations. Information and Computation, 115:1–37, 1994.