Abstract. In this paper, we report on an application of the validation and verification tool kit Uppaal in the design and analysis of a prototype gear controller, carried out in a joint project between industry and academia. We give a detailed description of the formal model of the gear controller and its surrounding environment, and its correctness formalized according to the informal requirements delivered by our industrial partner of the project. The second contribution of this paper is a solution to the problem we met in this case study, namely how to use a tool like Uppaal, which only provides reachability analysis to verify bounded response time properties. The advantage of our solution is that we need no additional implementation work to extend the existing modelchecker, but simple manual syntactical manipulation on the system description.
Introduction
Over the past few years, a number of modeling and verification tools for real-time systems [5] [6] [7] have been developed based on the theory of timed automata [3] . They have been successfully applied in various case studies [4, 9, 11] . However, the tools have been mainly used in the academic community, namely, by the tool developers. It has been a challenge to apply these tools to real-sized industrial case studies. In this paper we report on an application of the verification tool-kit Uppaal to a prototype gear controller developed in a joint project between industry and academia. The project has been carried out in collaboration between Mecel AB and Uppsala University.
The gear controller is a component in the real-time embedded system that operates in a modern vehicle. The gear-requests from the driver (or a dedicated component implementing a gear change algorithm) are delivered over a communication network to the gear controller. The controller implements the actual gear change by actuating the lower-level components of the system, such as the clutch, the engine, and the gearbox. Obviously, the behavior of the gear controller is critical to the safety of the vehicle. Simulation and testing have been the traditional ways to ensure that the behavior of the controller satisfies certain safety requirements. However, these methods are by no means complete in finding errors though they are useful and practical. As a complement, formal techniques have been a promising approach to ensure the correctness of embedded systems. The project is to use formal modeling techniques in the early design stages to describe design sketches, and to use symbolic simulators and model checkers as debugging and verification tools to ensure that the predicted behavior of the designed controller at each design phase satisfies certain requirements under given assumptions in the environment where the gear controller is supposed to operate (i.e., the clutch, the engine, the gearbox, etc.). The requirements on the controller and assumptions about the environment have been described by Mecel AB in an informal document, and then formalized in the Uppaal model and a simple linear-time logic based on the Uppaal logic to deduce the design of the gear controller.
We shall give a detailed description of the formal model of the gear controller and its surrounding environment, and its correctness according to the informal requirements delivered by Mecel AB. Another contribution of this paper is a lesson we learnt in this case study, namely, how to use a tool like Uppaal, which only provides a reachability analysis to verify bounded response time properties e.g., if f 1 (a request) becomes true at a certain time point, f 2 (a response) must be guaranteed to be true within a time bound. We present a logic and a method to characterize and model-check response time properties. The advantage of this approach is that we need no additional implementation work to extend the existing model-checker, but simple manual syntactical manipulation on the system description.
Uppaal 1 is a tool suite for validation and symbolic model-checking of real-time systems. It consists of a number of tools including a graphical editor for system descriptions, a graphical simulator, and a symbolic modelchecker. In the design phase, the symbolic simulator of Uppaal is applied intensively to validate the dynamic behavior of each design sketch, in particular for fault detection, derivation of time constraints (e.g., the time bounds for which a gear change is guaranteed), and later also for debugging using diagnostic traces (i.e., counter examples) generated by the model-checker. The correctness of the gear controller design has been established by automatic proofs of 47 logical formulas derived from the informal requirements specified by Mecel AB. The verification was performed in a few seconds on a Pentium PC 2 running Uppaal.
Related to the approach of checking bounded response time properties presented in this paper is the work on reachability testing due to Aceto et al. [1, 2, 9] . In their approach, a logical formula of a safety and boundedliveness logic is transformed into a testing automaton which is composed in parallel with the system description to check the validity of the formula by reachability analysis 3 . This may seem more attractive as no syntactical manipulations of the system description seem to be required. However, in practice it is often the case that the system description indeed must be manipulated to make all the system actions appearing in the logical formulae visible to the testing automaton. The reachability testing approach also requires some actions of the system description to be urgent (i.e., to be taken as early as possible) [1, 2] . This is not the case with our technique. In fact, in the presented case study, we verify several bounded response time properties of the gear controller involving non-urgent behaviors.
The paper is organized as follows: In the next section we present a simple logic to characterize safety and response time properties and a method to model-check such properties. In Sects. 5 and 6 the gear controller system and its requirements are informally and formally described. In Sect. 7 the formal description of the system and its requirements are transformed using the technique developed in Sect. 3 for verification by reachability analy-
Further information on installation and documentation for
Uppaal is available at http://www.uppaal.com/.
2 2.99 s on a Pentium 75 MHz equipped with 24 MB of primary memory.
3 The technique of reachability testing is related to the use of "never claims" in the verification tool Spin [8] .
sis. Section 8 concludes the paper. Finally, as appendices, we enclose the list of requirements in the q-format and the formal descriptions for the whole system in the atgformat of Uppaal.
Preliminaries
In this section, we briefly introduce all the necessary definitions for the basis of the Uppaal modeling language. For details, we refer to [10, 12] .
Timed transition systems and timed traces
A timed transition system is a labeled transition system with two types of labels: atomic actions and delay actions (i.e., positive reals), representing discrete and continuous changes of real-time systems.
Let A be a finite set of actions and P be a set of atomic propositions. We use I R + to stand for the set of non-negative real numbers, ∆ for the set of delay actions { (d) | d ∈ I R + }, and Σ for the union A ∪ ∆ ranged over by α, α 1 , α 2 , etc. Definition 1. A timed transition system over A and P is a tuple S = S, s 0 , −→, V , where S is a set of states, s 0 is the initial state, −→⊆ S × Σ × S is a transition relation, and V : S → 2 P is a proposition assignment function. 2
A trace σ of a timed transition system is an infinite sequence of transitions in the form:
A position π of σ is a natural number. We use σ[π] to stand for the πth state of σ, and σ(π) for the πth transition of σ, i.e., σ[π] = s π and σ(π) = s π α π −→ s π+1 . We use δ(s α −→ s ) to denote the duration of the transition, defined by δ(s
Given positions i, k with i ≤ k, we use ∆(σ, i, k) to stand for the accumulated delay of σ between the positions i, k, defined by ∆(σ, i, k) = i≤j<k δ(σ(j)). We shall only consider non-zeno traces.
Definition 2. A trace σ is non-zeno if for any natural number T there exists a position k such that ∆(σ, 0, k) > T . For a timed transition system S, we denote by T r(S) all non-zeno traces of S starting from the initial state s 0 of S. 2
Timed automata with data variables
We study the class of timed transition systems that can be syntactically described by timed automata extended with data variables ranging over finite data domains.
Assume a finite set of clock variables C ranged over by x, etc., and a finite set of data variables D ranged over by i, etc. We use V to denote the union of C and D, ranged over by v. We use G(V) to stand for the set of formulas ranged over by g, generated by the following syntax: g ::= c | g ∧ g where c is a constraint of the form: x ∼ n or i ∼ n for x ∈ C, i ∈ D, ∼∈ {<, ≤, =, ≥, >} and n being a natural number. We shall call elements of G(V) guards. Similarly, we use I(C) to stand for the set of conjunctive guards of the form: x < n or x ≤ n, and call the elements of I(C) invariant conditions.
To manipulate clock and data variables, we use resetoperations of the form: v := e where v is a clock or data variable and e is an expression. A reset-operation on a clock variable should be in the form x := 0; a resetoperation on an integer variable is similar to an assignment statement in a high-level programming language in the form: i := e where e is an arithmetic expression 4 . We call a set of such reset-operations a reset-set. A reset-set is proper when the variables are assigned a value at most once. We use R to denote the set of all proper reset-sets, ranged over by r, r , etc.
Definition 3. A timed automaton A over actions A, atomic propositions P, and V, is a tuple N, l 0 , −→, I, V , where N is a finite set of nodes (or locations), l 0 is the initial node, and −→⊆ N × G(V) × A × R × N corresponds to the set of edges. In the case, l, g, a, r, l ∈−→ we shall write, l g,a,r −→ l . I : N → I(C) is a function which for each node assigns an invariant condition, and V : N → 2 P is a proposition assignment function which for each node gives a subset of atomic propositions true in the node. We shall use P (A) to stand for the union of the subsets of propositions true in all the nodes N of A, i.e.,
Informally, a process modeled by an automaton starts at its initial location l 0 with all its variables initialized to 0. The values of the clocks increase synchronously with time at location l. At any time, the process can change location by following an edge l g,a,r −→ l provided the current values of the variables satisfy the enabling condition g. With this transition, the variables are updated by r.
A variable assignment is a mapping which maps clock variables C to the non-negative reals and data variables D to integers. For a variable assignment u and a delay d, v⊕d denotes the variable assignment such that (v⊕d)(x) = v(x) + d for any clock variable x and (v⊕ d)(i)=v(i) for any integer variable i. This definition of ⊕ reflects that all clocks operate with the same speed and that data variables are time-insensitive. For a resetoperation r (a set of assignment-operations) we use r(u) to denote the variable assignment u with u (v) = V (e, u) whenever v := e ∈ r and u (v ) = u(v ) otherwise, where V (e, u) denotes the value of e in u. Given a guard g ∈ G(V) 4 For BNF definition of arithmetic expressions, we refer to the Uppaalhome page.
and a variable assignment u, g(u) is a Boolean value describing whether g is satisfied by u or not.
Networks of automata
To model concurrency and synchronization, we introduce a CCS-like parallel composition operator for automata. Assume automata A 1 ...A n . We use A to denote their parallel composition A 1 || . . . ||A n . The intuitive meaning of A is similar to the CCS parallel composition of A 1 ...A n with all actions being restricted, that is, (A 1 ||...||A n )\A. Thus, only internal synchronization between the components A i is possible. We shall call A a network of automata 5 . We simply view A as a vector and use A i to denote its ith component.
A control vector l of a network A is a vector of locations where l i is a location of A i . We shall write l[l i /l i ] to denote the vector where the ith element l i of l is replaced by l i .
A state of a network A is a configuration l, u where l is a control vector of A and u is a variable assignment. The initial state of A is l 0 , u 0 where l 0 is the initial control vector whose elements are the initial locations of A i 's and u 0 is the initial variable assignment that maps all variables to 0.
The semantics of a network of automata A is defined in terms of a timed transition system S = S, s 0 , −→, V with the set S of states being the set of configurations, s 0 being the initial state, i.e., l 0 , u 0 , the proposition assignment function V is defined by V ( l, u ) = l i ∈l V i (l i ), and the transition relation defined as follows:
Note that the timed transition system defined above can also be represented finitely as a timed automaton. In fact, one may effectively construct the product automaton of A 1 . . . A n such that its timed transition system is bisimilar to S. The nodes of the product automaton is simply the product of A i 's nodes, the invariant conditions on the product nodes are the conjunctions of the conditions on all A i 's nodes, the set of clocks is the (disjoint) union of A i 's clocks, and the edges are based on synchronizable A i 's edges with enabling conditions conjuncted and reset-sets unioned.
Thus, theoretically, there is no difference between the notions of a timed automaton and a network of such. However, for efficient verification, it is often not necessary to construct the product automaton. We shall distinguish between them only in discussing verification methods, not when semantic aspects are concerned.
Finally, we denote by T r(A) all non-zeno traces of the timed transition system S i.e., T r(A) = T r(S).
3 A logic for safety and bounded response time properties
At the start of the project, we found that it was not so obvious how to formalize (in the Uppaal logic) the pages of informal requirements delivered by the design engineers. One of the reasons was that our logic is too simple, which can express essentially only invariant properties. It later became obvious that these requirements could be described in a simple logic, which can be model-checked by reachability analysis in combination with a certain syntactical manipulation on the model of the system to be verified. We also noticed that though the logic is so simple, it characterizes the class of logical properties verified in all previous case studies where Uppaal is applied (e.g., see [4, 9] ).
Syntax and semantics
The logic may be seen as a timed variant of a fragment of the linear temporal logic (LTL) which does not allow nested applications of modal operators. It is designed to express invariant and bounded response time properties.
Definition 4 (State-formulas). Assume that C is a set of clocks and P is a finite set of propositions. Let F s denote the set of state-formulas over C and P ranged over by f, f 1 , f 2 etc. ., defined as follows:
where p ∈ P is an atomic proposition and g is an atomic clock constraint in the form x ∼ n or x − y ∼ n for x, y ∈ C, ∼ ∈ {<, ≤, =, ≥, >} and n being a natural number. 2
As usual, we use f 1 ∨ f 2 to stand for ¬(¬f 1 ∧ ¬f 2 ), and tt and ff for ¬f ∨ f and ¬f ∧ f , respectively. Further, we use
Definition 5 (Trace-formulas). The set F t ranged over by ϕ, ψ of trace-formulas over F s is defined as follows: 
where T is a natural number. If f 1 and f 2 are Boolean combinations of atomic propositions, we call f 1 ≤T f 2 a bounded response time formula. 2 INV(f ) states that f is an invariant property. A system satisfies INV(f ) if all its reachable states satisfy f. It is useful to express safety properties, that is, bad things (e.g., deadlocks) should never happen, in other words, the system should always behave safely. f 1 ≤T f 2 is similar to the strong Until-operator in LTL, but with an explicit time bound. In addition to the time bound, it is also an invariant formula. This means that as soon as f 1 is true of a state, f 2 must be true within T time units. However, it is not necessary that f 1 must be true continuously before f 2 becomes true as required by the traditional Untiloperator.
We shall call a formula of the form f 1 ≤T f 2 a bounded response-time formula. Intuitively, f 1 may be considered as a request and f 2 as a response; thus f 1 ≤T f 2 specifies the bound for the response time to be T .
We interpret F s and F t in terms of states and (infinite and non-zeno) traces of timed automata. We write (l, u) |= f to denote that the state (l, u) satisfies the stateformula f and σ |= ϕ to denote that the trace σ satisfies the trace-formula ϕ. The interpretation is defined on the structure of f and ϕ, given in Table 1 . Naturally, if all the traces of a timed automaton satisfy a trace-formula, we say that the automaton satisfies the formula.
Definition 6. Assume a network of automata A and a trace-formula ϕ. We write A |= ϕ iff σ |= ϕ for all σ ∈ T r(A). 2 4 Verifying bounded response time properties by reachability analysis
The current version of Uppaal can only model-check invariant properties by reachability analysis. The question is how to use a tool like Uppaal to check for bounded response time properties i.e., how to transform the modelchecking problem A |= f 1 ≤T f 2 to a reachability problem. A standard solution is to translate the formula to a testing automaton t (see e.g., [9] ) and then check whether the parallel system A||t can reach a designated state of t.
We take a different approach. We modify (or rather decorate) the automaton A according to the stateformulas f 1 and f 2 , and the time bound T and then construct a state-formula f such that
where M(A) is the modified version of A.
We study an example. As usual, assume that each node of an automaton is assigned implicitly a proposition at(l) meaning that the current control node is l. Consider an automaton A illustrated in Fig. 1 and a formula at(l 1 ) ≤3 at(l 2 ) (i.e., it should always reach l 2 from l 1 within 3 time units). To check whether A satisfies the formula, we introduce an extra clock c ∈ C and a Boolean variable 6 v 1 into the automaton A, that should be initiated with ff. Assume that the node l 1 has no local loops, i.e., containing no edges leaving and entering l 1 . We modify the automaton A as follows:
1. Duplicate all edges entering node l 1 . 2. Add ¬v 1 as a guard to the original edges entering l 1 . 3. Add v 1 := tt and c := 0 as reset-operations to the original edges entering l 1 . 4. Add v 1 as a guard to the auxiliary copies of the edges entering l 1 . The modified (decorated) automaton M(A) is illustrated in Fig. 2 . Now, we claim that
The invariant property v 1 ⇒ c ≤ 3 states that either ¬v 1 or if v 1 then c ≤ 3. There is only one situation that violates the invariant: v 1 and c > 3. Due to the progress property of time (or non-zenoness), the value of c should always increase. It will sooner or later pass 3. But if l 2 is reached before c reaches 3, v 1 will become ff. Therefore, the only way to keep the invariant property true is that l 2 is reached within 3 time units whenever l 1 is reached. The above method may be generalized to efficiently model-check response time formulas for networks of automata. Let P(f) denote the set of atomic propositions occurring in a state-formula f. Assume a network A and a response time formula f 1 ≤T f 2 . For simplicity, we consider the case when only atomic propositions occur in f 1 and f 2 . Note that this is not a restriction, the result can be easily extended to the general case which also allows clock constraints in f 1 and f 2 . We introduce to A the following auxiliary variables:
1. An auxiliary clock c ∈ C and a Boolean variable v 1 (to denote the truth value of f 1 ).
An auxiliary Boolean variable
Assume that all the Booleans of P(f 1 ), P(f 2 ) and v 1 are initiated to ff. Let E(f ) denote the Boolean expression by replacing all p ∈ P(f ) with their corresponding Boolean variable v p . As usual, E(f )[tt/v p ] denotes a substitution that replaces v p with tt in E(f ). This can be extended in the usual way to set of substitutions. For instance, the truth value of f at a given state s may be calculated by
Now we are ready to construct a decorated version M(A) for the network A. We modify all the components A i of A as follows:
(a) Make two copies of each such edge.
(b)To the original edge, add v 1 as a guard.
(c) To the first copy, add
as a guard and c := 0, v 1 := tt and
as a guard and v p := tt for all p ∈ V (l 1 ) as reset-operations.
For all edges of
as a guard and v 1 := ff as a reset-operation. 4. Finally, remove v p := tt and v p := ff whenever they occur at the same edge 7 .
Thus, we have a decorated version M(A i ) for each A i of A. Assume that a component automaton A i is as il-
For a bounded response time formula f 1 ≤T f 2 , we now have the following fact:
Note that we could have constructed the product automaton of A first. Then the construction of M(A) from the product automaton would be much simpler. However, the size of M(A) will be much larger; it will be exponential in the size of the component automata. Our construction here is purely syntactical based on the syntactical structure of each component automaton. The size of M(A) is in fact linear in the size of the component automata. It is particularly appropriate for a tool like Uppaal, that is based on on-the-fly generation of the state-space of a network. For each component automaton A, the size of M(A) can be calculated precisely as follows: in addition to one auxiliary clock c and
the number of edges of A (note that no extra nodes are introduced in M(A)).
Note also that in the above construction, we have the restriction that f 1 and f 2 contain no constraints, but only atomic propositions. The construction can be easily generalized to allow constraints by considering each constraint as a proposition and decorating each location (that is, the incoming edges) where the constraint could become true when the location is reached. In fact, this is what we did above on the Boolean expressions (constraints) E(f 1 ) and E(f 2 ).
The gear controller
In this section we informally describe the functionality and the requirements of the gear controller proposed by Mecel AB, as well as the abstract behavior of the environment where the controller is supposed to operate.
Functionality
The gear controller changes gears by requesting services provided by the components in its environment. The interaction with these components is over the vehicle's communication network. A description of the gear controller and its interface is as follows:
Interface: The interface receives service requests and keeps information about the current status of the gear controller, which is either changing gear or idling. The user of this service is either the driver using the gear stick or a dedicated component implementing a gear change algorithm. The interface is assumed to respond when the service is completed. Gear controller: The only user of the gear controller is its interface. The controller performs a gear change in five steps beginning when a gear change request is received from the interface. The first step is to accomplish a zero torque transmission, making it possible to release the currently set gear. Second, the gear is released. The controller then achieves synchronous speed over the transmission and sets the new gear.
Once the gear is set the engine torque is increased so that the same wheel torque level as before the gear change is achieved. Under difficult driving conditions the engine may not be able to accomplish zero torque or synchronous speed over the transmission. It is then possible to change gear using the clutch. By opening the clutch (i.e., disengaging the clutch), and consequently the transmission, the connection between the engine and the wheels is broken. The gearbox is at this state able to release and set the new gear, as zero torque and synchronous speed is no longer required. When the clutch closes (i.e., engages) it safely bridges the speed and torque differences between the engine and the wheels. We refer to these exceptional cases as recoverable errors.
The environment of the gear controller consists of the following three components:
Gearbox: It is an electrically controlled gearbox with control electronics. It provides services to set a gear in 100-300 ms and to release a gear in 100-200 ms. If a setting or releasing-operation of a gear takes more than 300 ms or 200 ms, respectively, the gearbox will indicate this and stop in a specific error state. Clutch: It is an electrically controlled clutch that has the same sort of basic services as the gearbox. The clutch can open or close within 100-150 ms. If a opening or closing is not accomplish within the time bounds, the clutch will indicate this and reach a specific error state. Engine: The engine offers three modes of operation: normal torque, zero torque, and synchronous speed. The normal mode is normal torque where the engine gives the requested engine torque. In zero torque mode the engine will try to find a zero torque difference over the transmission. Similarly, in synchronous speed mode the engine searches zero speed difference between the engine and the wheels 8 . The maximum time bound searching for zero torque is limited to 400 ms within which a safe state is entered. Furthermore, the maximum time bound for synchronous speed control is limited to 500 ms. If 500 ms elapse the engine enters an error state. We will refer to the error states in the environment as unrecoverable errors since it is impossible for the gear controller alone to recover from these errors.
Requirements
In this section we list the informal requirements and desired functionality on the gear controller, provided by Mecel AB. The requirements are to ensure the correctness of the gear controller. A few operations, such as gear changes and error detections, are crucial to the correctness and must be guaranteed within certain time bounds. In addition, there are also requirements on the controller to ensure desired qualities of the vehicle, such as: good comfort, low fuel consumption, and low emission. 1. Performance. These requirements limit the maximum time to perform a gear change when no unrecoverable errors occur. (a) the clutch is not opened in time, (b)the clutch is not closed in time, (c) the gearbox is not able to set a gear in time, (d)the gearbox is not able to release a gear in time.
Formal description of the system
To design and analyze the gear controller we model the controller and its environment in the Uppaal model [10] . The modeling phase has been separated into two steps. First, a model of the environment is created, as its behavior is specified in advance as assumptions (see Sect. 5.1). Second, the controller itself and its interface are designed to be functionally correct in the given environment. Figure 4 shows a flow-graph of the resulting model where nodes represent automata and edges represent synchronization channels or shared variables (enclosed within parenthesis). The gear controller and its interface are modeled by the automata GearControl (GC) and Interface (I). The environment is modeled by the three automata: Clutch (C), Engine (E), and GearBox (GB). The system uses eight variables. Four are timers that measure 1/1000 of seconds (ms): GCTimer, GBTimer, CTimer, and ETimer. The two data variables, named FromGear and ToGear, are used as gear change requests 9 and the variables UseCase and ErrStat are assigned when errors occur in the system (see Sect. 7). In the following we describe the five automata of the system.
The three automata of the environment model the basic functionality and time behavior of the components in the environment. The components have two channels associated with each service: one for requests and one to respond when service has been performed. Gearbox: In automaton GearBox, shown in Fig. B3 , inputs on channel ReqSet request a gear set and the corresponding response on GearSet is output if the gear is successfully set. Similarly, the channel ReqNeu requests the neutral gear and the response GearNeu signals if the gear is successfully released. If the gearbox fails to set or release a gear the locations named ErrorSet and ErrorNeu are entered, respectively. Clutch: The automaton Clutch is shown in Fig. B1 Given the formal model of the environment, the gear controller has been designed to satisfy both the functionality 
INV ( GearControl.COpenError ⇒ Clutch.ErrorOpen ) ( 8 )
INV ( GearControl.GNeuError ⇒ GearBox.ErrorNeu ) (10)
i ∈ {R, 1, . . . , 5} GearControl.Initiate
GearControl.Initiate
requirements given in Sect. 5.1, and the correctness requirements in Sect. 5.2 Gear controller: The GearControl automaton is shown in Fig. B5 . Each main loop implements a gear change by interacting with the components of the environment. The designed controller measures response times from the components to detect errors (as failures are not signaled). The reaction of the controller depends on how serious the occurred error is. It either recovers the system from the error, or terminates in a prespecified location that points out the (unrecoverable) error: COpenError, CCloseError, GNeuError or GSetError. Recoverable errors are detected in the locations CheckTorque and CheckSyncSpeed. Interface: The automaton Interface shown in Fig. B2 , requests gears R, N, 1, ..., 5 from the gear controller. Requests and responses are sent through channel ReqNewGear and channel NewGear, respectively. When a request is sent, the shared variables FromGear and ToGear are assigned values corresponding to the current and the requested new gear, respectively.
Formal validation and verification
In this section we formalize the informal requirements given in Sect. 5.2 and prove their correctness using the symbolic model-checker of Uppaal.
To enable formalization (and verification) of requirements, we decorate the system description with two integer variables, ErrStat and UseCase. The variable ErrStat is assigned values at unrecoverable errors: 1 if Clutch fails to close, 2 if Clutch fails to open, 3 if GearBox fails to set a gear, and 4 if GearBox fails to release a gear. The variable UseCase is assigned values whenever a recoverable error occurs in Engine: 1 if it fails to deliver zero torque, and 2 if it is not able to find synchronous speed. The system model is also decorated to enable verification of bounded response time properties, as described in Sect. 3.
Before formalizing the requirement specification of the gear controller we define negation and conjunction for the bounded response time operator and the invariant operator defined in Sect. 3, A |= ϕ 1 ∧ ϕ 2 if and only if A |= ϕ 1 and A |= ϕ 2
A |= ¬ϕ if and only if A |= ϕ
We also extend the (implicit) proposition at(l) to at(A, l), meaning that the control location of automaton A is currently l. Finally, we introduce Poss(f ) to denote ¬INV(¬f ), f 1 ≤T f 2 to denote ¬(f 1 ≤T f 2 ), and A.l to denote at(A, l). We are now ready to formalize the requirements.
Requirement specification
The first performance requirement 1a, i.e., that a gear change must be completed within 1.5 s given that no unrecoverable errors occur, is specified in property 1 (see Table 2 ). It requires the location GearChanged in automaton GearControl to be reached within 1.5 s after location Initiate has been entered. Only scenarios without unrecoverable errors are considered as the value of the variable ErrStat is specified to be zero 11 . To consider scenarios with normal operation we also restrict the value of variable UseCase to zero (i.e., no recoverable errors occurs). Property 2 requires gear changes to be completed within 1 s given that the system is operating normally.
The properties 3 to 6 require the system to terminate in known error-locations that point out the specific error when errors occur in the clutch or the gear (requirements 4a to 4d). Up to 350 ms is allowed to elapse between the occurrence of an error and that the error is indicated in the gear controller. The properties 10 to 10 restrict the controller design to indicate an error only when the corresponding error has arisen in the components. Observe that no specific location in the gear controller is dedicated to indicate the unrecoverable error that may occur when the engines speed-regulation is interrupted (i.e., when location Engine.ErrorSpeed is reached). Property 11 ensures that no such location is needed since this error is always a consequence of a preceding unrecoverable error in the clutch or in the gear.
Property 12 holds if the system is able to use all gears (requirement 3a). Furthermore, for full functionality and predictability, the system is required to be deadlock-free (requirement 2a). This has been checked with an internal version of the Uppaal tool 12 .
The properties 13 and 14 specify the informal predictability requirements 2b and 2c.
A number of functionality requirements specify how the gear controller should interact with the environment (e.g., 3a to 3f). These requirements have been used to design the gear controller. They have later been validated using the simulator in Uppaal and have not been formally specified and verified.
Time bound derivation
Property 1 requires that a gear change should be performed within 1 s. Even though this is an interesting property in itself one may ask for the lowest time bound for which a gear change is guaranteed. We show that the time bound is 900 ms for error-free scenarios by proving that the change is guaranteed at 900 ms (property 15), and that the change is possibly not completed at 899
11 Recall that the variable ErrStat is assigned a positive value (i.e., greater than zero) whenever an unrecoverable error occurs. 12 The deadlock checker will be distributed with the next release of the Uppaal tool, which will have version number 3.2. ms (property 16). Similarly, for scenarios when the engine fails to deliver zero torque we derive the bound 1,055 ms, and if synchronous speed is not delivered in the engine the time bound is 1,205 ms.
We have shown the shortest time for which a gear change is possible in the three scenarios to be: 150 ms, 550 ms, and 450 ms. However, gear changes involving neutral gear may be faster as the gear does not have to be released (when changing from gear neutral) or set (when changing to gear neutral). Finally, we consider the same three scenarios but without involving neutral gear by constraining the values of the variables FromGear and ToGear. The derived time bounds are: 400 ms, 700 ms and 750.
Verification results
We have totally verified 47 logical formulas (listed in Appendix A) of the system using Uppaal installed on a 75 MHz Pentium PC equipped with 24 MB of primary memory. The verification of all the formulas consumed 2.99 s.
Conclusion
In this paper, we have reported an industrial case study in applying formal techniques for the design and analysis of control systems for vehicles. The main output of the case study is a formally described gear controller and a set of formal requirements. The designed controller has been validated and verified using the tool Uppaal to satisfy the safety and functionality requirements on the controller, provided by Mecel AB. It may be considered as one piece of evidence that the validation and verification tools of today are mature enough to be applied in industrial projects.
We have given a detailed description of the formal model of the gear controller and its surrounding environment, and its correctness formalized in 47 logical formulas according to the informal requirements delivered by industry. The verification was performed in a few seconds on a Pentium PC running Uppaal. Another contribution of this paper is a solution to a problem we encountered in this case study, namely, how to use a tool like Uppaal, which only provides reachability analysis to verify bounded response time properties. We have presented a logic and a method to characterize and model-check such properties by reachability analysis in combination with simple syntactical manipulation on the system description.
This work concerns only one component, namely, the gear controller of a control system for vehicles. Future work naturally includes modeling and verification of the whole control system. The project is still in progress and we hope to report more on this in the near future. synchronous speed in at least 50 ms and at most 500 ms. // // // INFORMAL REQUIREMENTS ON THE GEARBOX CONTROLLER DESIGN // // The Gearbox controller should satisfy the following informal // requirements. The properties given in parentheses are the // formal description of the listed requirement. // // R1. A gear change should be performed within 1 second (P6 -P8, // P3). // // R2. When an error arises, the system will reach a predefined // error state marking the error (P9 -P11). // // R3. The system should be able to use all gears (P2 -P3). // // R4. There will be no deadlocked state in the system (P17). // // R5. When the system indicates gear neutral, the engine should // be in initial state (P12). // // R6. When the system indicates a gear, the engine should be in // a state performing torque regulation (P13). // // R7. The gearbox controller will never indicate open or closed // clutch when the clutch is closed or open respectively // (P14). // // R8. The gearbox controller will never indicate gear set or // gear neutral when the gear is not set or not idle, // respectively (P15). // // R9. When the engine is regulating on torque, the clutch is // closed (P16). // // // FORMALIZING THE REQUIREMENTS // // The requirements above have been formalised using variables // and locations of automata. The system variables listed below // are variables used by the components of the system; the // auxiliary variables are decorations to the system used to // formalize the requirements only. In the system description, the // auxiliary variables appear only in assignments (not in guards). // This ensures that the system behavior is not changed when the // auxiliary variables are introduced (or removed). // // The variables ErrStat and UseCase are used to trace errors. // ErrStat is set when unrecoverable errors occur; UseCase is // set when recoverable errors occur, that will be recovered by // the gearbox controller.
// // The systems component locations that appear in the formulae // below can be found in the system description file // engine.{atg|ta}. // // System Variables: // // o GCTimer -gearbox controller timer, // o ETimer -engine timer, // o GBTimer -gearbox timer, // o CTimer -clutch timer, // o FromGear -selected gear before gear change (0=N, 1=1, . .., // 6=R), // o ToGear -selected gear after gear change (0=N, 1=1, . .., // 6=R). // // Auxiliary Variables: // // o SysTimer -system timer, reset at each request for new gear // (in the gearbox controller), // o ErrStat -0 = no errors, // 1 = close clutch error, // 2 = open clutch error, // 3 = set gear failure, // 4 = error releasing gear. // o UseCase -0 = ideal scenario, no problems occurred, // 1 = engine was not able to deliver zero torque, // 2 = engine was not able to find synchronous speed.
. It is possible to switch to gear nr 5 and to reverse gear // (i.e. R).
. It is possible to switch gear in 1000 ms (not very interest // ing).
. When the gearbox is in position N, the gear is not in // position 1-5 or R. 
. The gear is never N, when the gearbox is idle (expected to // be neutral).
. In the case of no errors (in gear and clutch) and ideal // (engine) scenario, // a) a gear switch is guaranteed in 900 ms (including 900 ms), // a') a gear switch is not guaranteed in strictly less than 900 // ms, // b) it is impossible to switch gear in less than 150 ms, // b') it is possible to switch gear at 150 ms, // c) it is impossible to switch gear in less than 400 ms if the // switch is not from/to gear N. // c') it is possible to switch gear at 400 ms if the switch is // not from/to gear N. ToGear>0 and ( SysTimer<400 ) ) imply \ not ( GearControl.GearChanged ) ) // c') E<> ( ErrStat==0 and UseCase==0 and FromGear>0 and ToGear>0 and \ GearControl.GearChanged and ( SysTimer==400 ) )
. When no errors (in gear and clutch) occur, but engine fails // to deliver zero torque: // a) a gear switch is guaranteed after 1055 ms (not including // 1055), // a') it is impossible to switch gear in 1055 ms, // b) it is impossible to switch gear in less than 550 ms, // b') it is possible to switch gear at 550 ms, // c) it is impossible to switch gear in less than 700 ms if the // switch is not from/to gear N. // c') it is possible to switch gear at 700 ms if the switch is // not from/to gear N. 
. When no errors occur, but engine fails to find synchronous // speed: // a) a gear switch is guaranteed in 1205 ms (including 1205), // a') a gear switch is not guaranteed at less than 1205 ms, // b) it is impossible to switch gear in less than 450 ms, // b') it is possible to switch gear at 450 ms, // c) it is impossible to switch gear in less than 750 ms if the // switch is not from/to gear N. // c') it is possible to switch gear at 750 ms if the switch is // not from/to gear N. Clutch.ErrorClose and ( GCTimer>200 ) Clutch.ErrorOpen and ( GCTimer>200 ) 
// a) If the gearbox can not set a requested gear (i.e a timeout // occurs) the gearbox controller will enter the location // GSetError within 350 ms. // b) When the gearbox controller enters location GSetError, there // is always a problem in the gearbox with setting the gear. GearBox.ErrorIdle and ( GCTimer>350 ) 
// c) If the gearbox can not switch to neutral gear (i.e. a // timeout occurs) the gearbox controller will enter the // location GNeuError within 300 ms. // d) When the gearbox controller enters location GNeuError there // is always a problem in the gearbox with switching to neutral // gear.
. If no errors occur in the engine, it is guaranteed to find // synchronous speed.
. When the gear is N, the engine is in initial or on its way // to initial (i.e. ToGear==0 and engine in zero).
( ( ToGear==0 and Engine.Zero ) or Engine.Initial ) )
. When the gear controller has a gear set, torque regulation // is always indicated in the engine. 
. As all states will satisfy "1 > 0", model-checking this // formula will generate the whole state-space of the system, // and the answer will be that the property is satisfied. // UPPAAL is designed to report all the deadlocked states // during state-space exploration. So if no deadlock is // reported before the final answer is given, the system is // deadlock-free. 
Gear5 Gear5 Gear5 Gear5 Gear5 Gear5 Gear5 Gear5 Gear5 Gear5 Gear5 Gear5 Gear5 Gear5 Gear5 Gear5 Gear5 chkGear12 chkGear12 chkGear12 chkGear12 chkGear12 chkGear12 chkGear12 chkGear12 chkGear12 chkGear12 chkGear12 chkGear12 chkGear12 chkGear12 chkGear12 chkGear12 chkGear12 chkGear23 chkGear23 chkGear23 chkGear23 chkGear23 chkGear23 chkGear23 chkGear23 chkGear23 chkGear23 chkGear23 chkGear23 chkGear23 chkGear23 chkGear23 chkGear23 chkGear23 chkGear34 chkGear34 chkGear34 chkGear34 chkGear34 chkGear34 chkGear34 chkGear34 chkGear34 chkGear34 chkGear34 chkGear34 chkGear34 chkGear34 chkGear34 chkGear34 chkGear34 chkGear45 chkGear45 chkGear45 chkGear45 chkGear45 chkGear45 chkGear45 chkGear45 chkGear45 chkGear45 chkGear45 chkGear45 chkGear45 chkGear45 chkGear45 chkGear45 chkGear45 chkGear54 chkGear54 chkGear54 chkGear54 chkGear54 chkGear54 chkGear54 chkGear54 chkGear54 chkGear54 chkGear54 chkGear54 chkGear54 chkGear54 chkGear54 chkGear54 chkGear54 chkGear43 chkGear43 chkGear43 chkGear43 chkGear43 chkGear43 chkGear43 chkGear43 chkGear43 chkGear43 chkGear43 chkGear43 chkGear43 chkGear43 chkGear43 chkGear43 chkGear43 chkGear32 chkGear32 chkGear32 chkGear32 chkGear32 chkGear32 chkGear32 chkGear32 chkGear32 chkGear32 chkGear32 chkGear32 chkGear32 chkGear32 chkGear32 chkGear32 chkGear32 chkGear21 chkGear21 chkGear21 chkGear21 chkGear21 chkGear21 chkGear21 chkGear21 chkGear21 chkGear21 chkGear21 chkGear21 chkGear21 chkGear21 chkGear21 chkGear21 chkGear21   chkGear1N chkGear1N chkGear1N chkGear1N chkGear1N chkGear1N chkGear1N chkGear1N chkGear1N chkGear1N chkGear1N chkGear1N chkGear1N  chkGear1N  chkGear1N  chkGear1N chkGear1N chkGearN1 chkGearN1 chkGearN1 chkGearN1 chkGearN1 chkGearN1 chkGearN1 chkGearN1 chkGearN1 chkGearN1 chkGearN1 chkGearN1 chkGearN1 chkGearN1 chkGearN1 chkGearN1 chkGearN1 chkGearNR chkGearNR chkGearNR chkGearNR chkGearNR chkGearNR chkGearNR chkGearNR chkGearNR chkGearNR chkGearNR chkGearNR chkGearNR chkGearNR chkGearNR chkGearNR chkGearNR   chkGearRN chkGearRN chkGearRN chkGearRN chkGearRN chkGearRN chkGearRN chkGearRN chkGearRN chkGearRN chkGearRN chkGearRN ETimer==900 ETimer==900 ETimer==900 ETimer==900 ETimer==900 ETimer==900 ETimer==900 ETimer==900 ETimer==900 ETimer==900 ETimer==900 ETimer==900 ETimer==900 ETimer==900 ETimer==900 ETimer==900 ETimer==900
ToGear>0 ToGear>0 ToGear>0 ToGear>0 ToGear>0 ToGear>0 ToGear>0 ToGear>0 ToGear>0 ToGear>0 ToGear>0 ToGear>0 ToGear>0 ToGear>0 ToGear>0 ToGear>0 ToGear>0 ETimer:=0 ETimer:=0 ETimer:=0 ETimer:=0 ETimer:=0 ETimer:=0 ETimer:=0 ETimer:=0 ETimer:=0 ETimer:=0 ETimer:=0 ETimer:=0 ETimer:=0 ETimer:=0 ETimer:=0 ETimer:=0 ETimer:=0 ToGear==0 ToGear==0 ToGear==0 ToGear==0 ToGear==0 ToGear==0 ToGear==0 ToGear==0 ToGear==0 ToGear==0 ToGear==0 ToGear==0 ToGear==0  ToGear==0  ToGear==0  ToGear==0 ToGear==0 ETimer==500 ETimer==500 ETimer==500 ETimer==500 ETimer==500 ETimer==500 ETimer==500 ETimer==500 ETimer==500 ETimer==500 ETimer==500 ETimer==500 ETimer==500 ETimer==500 ETimer==500 ETimer==500 ETimer==500
ToGear==0 ToGear==0 ToGear==0 ToGear==0 ToGear==0 ToGear==0 ToGear==0 ToGear==0 ToGear==0 ToGear==0 ToGear==0 ToGear==0 ToGear==0  ToGear==0  ToGear==0  ToGear==0 ToGear==0   ToGear>0 ToGear>0 ToGear>0 ToGear>0 ToGear>0 ToGear>0 ToGear>0 ToGear>0 ToGear>0 ToGear>0 ToGear>0 ToGear>0 ToGear>0  ToGear>0  ToGear>0  ToGear>0 ToGear>0 ReqSpeed 
