Deductive verification of real-time systems using STeP  by Bjørner, Nikolaj S. et al.
Theoretical Computer Science 253 (2001) 27{60
www.elsevier.com/locate/tcs
Deductive verication of real-time systems using STeP(
Nikolaj S. BjHrner, Zohar Manna, Henny B. Sipma, Tomas E. Uribe 
Computer Science Department, Stanford University, Stanford, CA, 94305, USA
Abstract
We present a modular framework for proving temporal properties of real-time systems, based
on clocked transition systems and linear-time temporal logic. We show how deductive verication
rules, verication diagrams, and automatic invariant generation can be used to establish properties
of real-time systems in this framework. We also discuss global and modular proofs of the
branching-time property of non-Zenoness. As an example, we present the mechanical verication
of the generalized railroad crossing case study using the Stanford Temporal Prover, STeP.
c© 2001 Elsevier Science B.V. All rights reserved.
Keywords: Real-time systems; Temporal verication; Modularity; Receptiveness
1. Introduction
Many formalisms have been proposed to model real-time systems. Most are restricted
to systems where time is the only variable with innite domain (also called real-time
systems with nite control). When real-time systems include software, we would like to
analyze them using frameworks that can handle innite data domains other than time.
Similarly, it is generally accepted that larger and more complex systems require mod-
ular analysis techniques; however, the combination of modularity and real-time poses
particular challenges. This paper explores the modular verication of innite-control
real-time systems in a general deductive setting. We show how computer-aided tools
for deductive and deductive-algorithmic verication, including verication diagrams,
decision procedures, and invariant generation, are used to analyze such systems.
( This research was supported in part by the National Science Foundation under grant CCR-95-27927,
the Defense Advanced Research Projects Agency under NASA grant NAG2-892, ARO under
grant DAAH04-95-1-0317, ARO under MURI grant DAAH04-96-1-0341, and by Army contract
DABT63-96-C-0096 (DARPA).
 Corresponding author.
E-mail address: nikolajjmannajsipmajuribe@cs.stanford.edu (T.E. Uribe).
0304-3975/01/$ - see front matter c© 2001 Elsevier Science B.V. All rights reserved.
PII: S0304 -3975(00)00088 -8
28 N.S. Bjo=rner et al. / Theoretical Computer Science 253 (2001) 27{60
Clocked transition systems were introduced by Manna and Pnueli [41] as a simple
but general model for real-time systems. Continuous real-time is modeled explicitly as
part of the system, using clock variables that increase uniformly, including a master
clock that measures the passage of time. This model, in the spirit of [1], allows the
reuse of standard deductive verication tools for discrete reactive systems [33].
We add modularity to this framework, dening clocked transition modules. Systems
often have a natural decomposition into modules, where useful properties of the entire
system may be inferred from properties of the modules. Properties of the composed
system will still hold if modules are replaced by new ones that satisfy the required
modular properties.
Verication at the module level has several advantages: the number of verication
conditions is smaller, module properties are often more intuitive, and modules may
be replaced while reusing the same proofs for the global system and other modules,
provided the new modules satisfy the same properties. Properties of each module can be
proved independently and later on used to prove properties of larger systems. Properties
of a module can be established using deductive or algorithmic techniques whenever they
are applicable.
Properties veried over a real-time system may be misleading if the system de-
scription is Zeno, that is, it contains computation prexes that cannot be extended to
computations in which time can grow beyond any bound. Therefore, verication of
real-time systems should always be preceded by a check that the system description is
non-Zeno. This check may also be performed at the module level, in which case we
prove the stronger property of receptiveness. We propose diagrams that reduce proofs
of non-Zenoness and receptiveness to a set of rst-order verication conditions.
To illustrate our methodology, we show how safety properties of the well-known
generalized railroad crossing benchmark for real-time verication can be formally ver-
ied in a modular fashion, and how we can check that our system description is
non-Zeno. For this, we use the Stanford Temporal Prover, STeP, a tool for verifying
linear-time temporal properties of reactive systems [11]. To facilitate the verication
process, STeP includes verication rules, verication diagrams, decision procedures,
and automatic invariant generation methods; we will have the opportunity to use all of
these in the verication process.
1.1. Outline
Section 2 introduces the basic computational model and specication language. Sec-
tion 3 extends this framework to account for modularity, and describes how modular
verication of safety properties can be performed. Section 4 presents verication rules
and verication diagrams for proving temporal safety properties, and also discusses
global and modular non-Zenoness proofs. In Section 5 we briey describe the STeP
system, including modularity and invariant generation. Section 6 describes the speci-
cation and verication of the generalized railroad crossing example using STeP. We
conclude with a brief overview of related work in Section 7.
N.S. Bjo=rner et al. / Theoretical Computer Science 253 (2001) 27{60 29
2. Preliminaries
2.1. System description: clocked transition systems
Our computational model is that of clocked transition systems [41], an extension
of transition systems to account for continuous real time. They are closer to timed
automata [2] than the previously proposed timed transition systems [32]. The basic
idea, following [1], is to add explicit real-valued clock variables to the system, which
measure the passing of time.
A clocked transition system (CTS) S= hV; ;T; i consists of:
{ V: A nite set of system variables, partitioned into a set D of discrete variables,
which can be of any type, and a set C of real-valued clock variables. A subset of the
discrete variables may be designated as system constants, that is, no transition may
modify these variables. One of the clock variables, T , is designated as the master
clock. A state is a type-consistent assignment to the system variables. The set of all
states is the state-space, . An assertion, or state-formula, is a rst-order formula
whose free variables belong to V. For an assertion p, we say that a state s is a
p-state if p is satised by s, written s j=p.
{ : The initial condition, a satisable assertion characterizing the possible initial
states. We require that  implies T =0.
{ T: A nite set of transitions. Each transition  maps each state s2 into a set of
-successor states (s). Each transition  is described by a transition relation
(V;V0), a rst-order formula which refers to both unprimed and primed system
variables. An unprimed system variable indicates its value in the current state s,
while the primed version indicates the value in the next-state s0. Transitions in T are
discrete and happen instantaneously; therefore we require that no transition modify
the master clock, i.e.  implies T 0=T for every transition 2T.
{ : The time-progress condition. This is an assertion over V, used to specify a
global restriction on the progress of time.
To account for the passage of time, we add to the set of transitions a tick transition,
whose transition relation is given by
tick : 9
0
@ > 0 ^ 8t 2 [0; ]:(D;C + t)^
D0 = D ^ C0 = C + 
1
A
where C0=C+ stands for
V
c2C (c
0 = c+). Thus, tick preserves the values of all
discrete variables and uniformly increments all clocks by an amount  that satises the
global time-progress condition . The tick transition is the only one that can change
the master clock T .
The set T[ ftickg is the extended set of transitions, TT . A run of a clocked
transition system S : hV; ;T; i is an innite sequence of states  : s0; s1; : : : such
that (1) s0 j=  and (2) for each j>0 there is some 2TT such that sj+1 2 (sj).
In this case we say that  is taken at sj. The enabling condition of a transition  is
30 N.S. Bjo=rner et al. / Theoretical Computer Science 253 (2001) 27{60
9V0:(V;V0), characterizing the set of states where  can be taken. A state s is
reachable if it appears in some run of S. A run is a computation if it satises time
divergence, that is, the value of T increases beyond any bound. Comp(S) is the set
of all computations of S.
In specications of real-time systems it is common to associate lower and upper
time bounds with transitions. In the CTS formalism, a lower bound l on transition 
is enforced by associating a clock c with  and adding the condition c>l to ’s
enabling condition. When the enabling condition for  rst becomes true, c is reset
to 0. Upper bounds appear as constraints on : if u is the upper bound on , then
c6u appears as a conjunct in . [41] shows how a timed transition system can be
translated to a CTS in this way.
Note that the generality of transition systems allows us to describe real-time systems
whose discrete component is innite as well as nite state. That is, the clocks need
not be the only variables with an unbounded domain.
2.2. Specication language: linear-time temporal logic
We use linear-time temporal logic (LTL) as our property specication language
[38]. Future temporal operators include (always), W (wait-for),  (eventually),
© (next), and U (until). Past operators include 	 (previously), - (so-far), - (once),
and S (since). We write p) q as an abbreviation of (p! q). A past formula is
one that contains no future temporal operators.
Recall that for a state s and an assertion p, we write s j= p if p is true under
the system variable assignment for state s. Given a sequence of states  : s0; s1; : : : and
temporal formulas ’1, ’2, p, q, we dene
(; i) j= :’ i (; i)2’.
(; i) j= ’1 ^ (_ )’2 i (; i) j= ’1 and (or) (; i) j= ’2.
(; i) j=  p i (; j) j= p for all j>i.
(; i) j= pU q i there is some j>i such that (; j) j= q and (; k) j= p for all
i6k<j.
(; i) j= pW q i (; i) j=  p or (; i) j= pU q.
These are all the LTL operators we will use in this paper { see [40] for more details.
Since clocks are system variables, temporal formulas may freely refer to them. This
includes, in particular, the master clock T , allowing the natural expression of time-
dependent properties. For example, (l6T ^T6u!p) states that p holds over the
time interval [l; u].
A computation  : s0; s1; : : : satises ’ i (; 0) satises ’. A temporal formula ’ is
valid over a CTS S, written as S j= ’, if every computation of S satises ’. In this
case, we also say that ’ is S-valid.
System and auxiliary variables can be divided into rigid and exible variables. Rigid
variables cannot change their value over time, whereas exible variables can. Rigid
system variables are, in eect, constants. Rigid auxiliary variables are useful for quan-
tication across time steps.
N.S. Bjo=rner et al. / Theoretical Computer Science 253 (2001) 27{60 31
2.3. Non-Zenoness
A CTS S is non-Zeno if every nite prex of a run of S can be extended to a
computation; that is, it is always possible for time to grow beyond any bound.
Any system that models a real-world process must necessarily be non-Zeno, since
any such process will diverge in time. A verication eort would be questionable if
the system were Zeno, since such systems are not implementable.
Furthermore, the goal is often not merely to model and verify a real-world process,
but to design a controller for a given real-world model M . This controller is a module
C such that the parallel composition of C and M satises some temporal specication.
Even when M is a faithful model, a badly designed C may cause the combined system
to be Zeno.
As a simple example, one way to satisfy a safety specication is for the controller to
force time to stop whenever the safety specication is about to be violated. Consider
a water-level controller description C that adds the following conjunct to the time-
progress condition:
:(level>high) ^ :(level< low):
Any system composed with this controller will trivially satisfy the specication
(level> low ^ level6 high):
Other examples may be constructed where Zeno behavior is less obvious, e.g. where
a controller stops time by switching on and o innitely often with time intervals
1; 12 ;
1
4 ;
1
8 ; : : : Thus, having proposed a controller, a rst check should be for non-
Zenoness. Otherwise, verifying other properties may be of little use.
Non-Zenoness is an existential property, and cannot be expressed within linear-
time temporal logic. However, it can be expressed with the following formula in the
branching-time computation tree logic CTL (see [24]):
8 > 0: 8t: AG(T = t ! EF(T>t + ))
where  and t are rigid auxiliary variables. That is, for every >0 and at every reach-
able state, where the global clock T has value t, there is a possible future state where
T has increased by at least . This turns out to be equivalent to
9 > 0: 8t: AG(T = t ! EF(T>t + )):
We discuss how branching-time reasoning can be used to prove non-Zenoness in
Section 4.3. Modular verication of non-Zenoness is discussed in Sections 4.4
and 4.5.
Controlled non-Zenoness. With this characterization of non-Zenoness we assume that
all transitions of the CTS cooperate to achieve time divergence. From a control-theoretic
32 N.S. Bjo=rner et al. / Theoretical Computer Science 253 (2001) 27{60
point of view, one could rene this notion to distinguish between controllable events,
uncontrollable events, and the clock, where only the controllable events and the clock
can be assumed to collaborate towards time divergence. We would then have to ex-
change the path modality EF by a game modality characterizing the states where the
controller and clock can force time T to grow beyond t0 + , regardless of how the
uncontrollable events unfold. We will not pursue this model of non-Zenoness further
here, but instead discuss the related notion of receptiveness in Section 4.4.
3. Clocked transition modules
We adapt the compositional verication methodology of [17] to clocked transition
systems, adding the option of synchronizing transitions. Clocked transition modules
(CTM’s) allow the system to be decomposed into interacting modules. The model
allows interaction via shared variables and via synchronization of transitions. These
modules can then be analyzed independently and the results inherited by the full system.
Formally, a clocked transition module M : hV; ;T; i contains the same elements as
a CTS, augmented with the following:
{ A partition of the set of system variables V into private (VP) and shared (VS)
variables, where the master clock T is shared.
{ A label ‘() for each transition .
Clock variables can be private or shared; as with CTS’s, the only requirements are that
they be uniformly incremented by the tick transition, and that the shared master clock
T is never changed by a transition other than tick.
3.1. The environment transition
A stand-alone module is interpreted as a clocked transition system by adding an en-
vironment transition E , which can arbitrarily change the values of all shared variables
except T . Formally, E has transition relation
E :
 ^
u2VP
(u0 = u)
!
^ (T 0 = T ):
Given a module M : hV;T; ;i, its associated CTS is
SM : hV;T [ fEg; ;i;
where V is the set of all the variables in our vocabulary, that is, all variables that can
ever be referenced in any module that is part of our system. Comp(M) is dened to be
equal to Comp(SM ). A temporal property ’ is valid over a module M , or modularly
valid for M , written M j= ’, i SM j= ’.
N.S. Bjo=rner et al. / Theoretical Computer Science 253 (2001) 27{60 33
3.2. Module composition
Given two modules M1 : hV1;T1; 1; 1i and M2 : hV2;T2; 2; 2i, their parallel
composition [M1 jjM2] is the clocked transition module M : hV;T; ;i dened as
follows:
{ V=V1 [V2, D=D1 [D2 and C=C1 [C2.
{ VP =VP1 [VP2 and VS =VS1 [VS2 . The modules are assumed to be compatible,
in that VP1 and V2 (resp. V
P
2 and V1) should be disjoint.
{ =1 ^2 and =1 ^2.
{ The set T of new transitions and their labels are dened as follows: for a transition
 in T1 (resp. T2) whose label does not appear in T2 (resp. T1), T includes the
transition with the same label and relation
 ^
0
@ ^
v2VP2
(v = v0)
1
A
0
@resp:  ^
0
@ ^
v2VP1
(v = v0)
1
A
1
A ;
For each pair of transitions 1 2T1 and 2 2 T2 that have the same label l, there
is a corresponding transition in [M1 jjM2], also labeled l, with transition relation
1 ^ 2 .
The following theorem relates the computations of two modules and those of their
parallel composition:
Theorem 3.1. Comp([M1 jjM2])Comp(M1)\Comp(M2).
Proof. Consider a computation  : s0; s1; : : : of [M1 jjM2]. We show that  is a com-
putation of M1. The initial state s0 must satisfy 1 ^2, and hence 1. Consider
a transition from si to si+1 in . This transition must be due to (1) a transition in
T1, possibly synchronized with one in T2, (2) a transition in T2, which must pre-
serve the private variables of M1, (3) the environment transition E for [M1 jjM2], or
(4) a tick transition. In case (1), the same transition in T1 can be taken in a com-
putation of M1. In case (2), the environment transition for M1 can account for this
state-change in a computation of M1. In case (3), the same environment transition can
take place in a computation of M1, since the private variables of M1 are a subset
of those of [M1 jjM2]. Finally, a tick transition for [M1 jjM2] must satisfy the time-
progress condition 1 ^2, and hence be a valid tick transition for M1. Hence,  is
also a computation of M1.
Note that while transitions with matching labels are composed synchronously, asyn-
chronous communication is always possible using shared variables or buered channels.
Typically, the synchronizing transitions correspond to control signals that connect two
modules together, as we will see in Section 6. A similar approach is used to model
real-time systems in [42].
Hiding: In practice, it is useful to distinguish transitions that will never synchronize
with other modules. Hiding a label l in a module M stipulates that all transitions labeled
34 N.S. Bjo=rner et al. / Theoretical Computer Science 253 (2001) 27{60
by l are internal to M and cannot synchronize with other transitions. Consequently,
hidden transitions cannot be disabled by the environment. Furthermore, such transitions
can be assumed to preserve the private variables of all other modules.
Controlled and external transitions: Discussion of receptiveness for modular non-
Zenoness proofs (Section 4.4) requires that we identify which transitions are taken on
the initiative of the module and which at the initiative of the environment. For this pur-
pose, we mark each transition as controlled or external, similar to the input=output
distinctions of I=O automata [26]. The external transitions will be controlled by the
environment, and the controlled ones by the module.
When two modules are composed, transitions that only appear in one module inherit
their marking in the new one. If a transition label appears in both modules, we require
that transitions with this label should not appear marked as controlled in both. When
two transitions with matching labels are composed, the new transition is controlled
if one of them is controlled. Otherwise, both must be external, and the new
transition is also external.
This marking is only dened for module transitions: the environment and tick tran-
sitions are not marked.
For a module M , we require that external transitions have enabling condition true.
This property is preserved by module composition. In the following, when we write
[M1 jjM2] we assume that modules M1 and M2 are well-formed and compatible, so
they can be composed.
4. Deductive verication
4.1. Verication of safety properties
A safety property is one that can be expressed by a formula of the form p, for
a past temporal formula p. This includes invariances, where p is an assertion, and
wait-for properties, of the form p) qWr for assertions p, q and r. Many useful
specications that are progress properties in their untimed version correspond to safety
properties when a time bound is added [41]. For example, showing that a system
reaches and maintains p within time  is expressed as the invariance (T>!p).
Many verication rules for standard transition systems [40] can be reused for the
verication of clocked transition systems, since the basic computational model and
specication language are virtually the same. The invariance rule INV and the wait-
for rule WAIT, shown in Figs. 1 and 2, can be used to prove simple modular safety
properties. These rules reduce the modular validity of a temporal formula to the general
validity of a set of rst-order verication conditions. The triple f’g  f g stands for
the formula
(’(V ) ^ (V; V 0))!  (V 0):
Rules INV and WAIT generate (N +2) verication conditions for a CTM with N transi-
tions (including the tick and E transitions).
N.S. Bjo=rner et al. / Theoretical Computer Science 253 (2001) 27{60 35
For CTM M and assertions ’, p,
I1. ’ ! p
I2.  ! ’
I3. f’g  f’g for each  2TT
M j= p
Fig. 1. Invariance rule INV.
For CTM M and assertions p, q, ’, r,
W1. ’ ! q
W2. p ! r _ ’
W3. f’g  fr _’g for each  2TT
M j= p ) qW r
Fig. 2. Waiting-for rule WAIT.
We say that an assertion p is inductive for a module M if p can be proved using
rule INV with ’ equal to p (that is, p holds initially and is preserved by all transitions).
If these verication conditions can be proved assuming a set of properties S, we say
that p is inductive relative to S.
In the case of the WAIT rule, recall that p) qW r is an abbreviation of
(p! qW r). The intermediate assertion ’ strengthens q; it should hold whenever p
is true, and continue to hold until r becomes true.
These rules are sound for proving safety properties of CTM’s [41]. Furthermore,
[33] shows that these rules are also complete (relative to the underlying rst-order
reasoning) for non-Zeno CTS’s.
A consequence of Theorem 3.1 is that any linear-time temporal property which holds
for a module M1 will also hold for [M1 jjM2] for any M2:
Corollary 4.1. If M1 j= ’ for an LTL property ’; then [M1 jjM2] j= ’ for any module
M2.
We will only use this fact in the case of safety properties. A module can satisfy
non-trivial progress properties only if restrictions on the environment are made, or
transitions hidden to avoid a deadlocking environment. Assumption-guarantee proof
systems [1, 16] are essential for these applications.
Note that Comp(M1) may be a strict superset of Comp([M1 jjM2]), so safety proper-
ties of [M1 jjM2] may not hold modularly for M1 or M2. Note also that the inclusion in
Theorem 3.1 can be strict, due to the presence of synchronizing transitions. For exam-
ple, consider a module M1 (resp. M2) containing a single transition 1 (resp. 2) that
increments a private variable x1 (resp. x2), where 1 and 2 have the same label and
x1; x2 are initially 0. Then hx1; x2i : h0; 0i ; h1; 0i ; h1; 1i ; : : : is a prex of a computation
36 N.S. Bjo=rner et al. / Theoretical Computer Science 253 (2001) 27{60
in both Comp(M1) and Comp(M2). However, this cannot happen in a computation of
[M1 jjM2], since synchronization requires that x1 and x2 must increase at the same time.
In this example, note that 1 can change x2 in a computation of M1. This could not
be the case if 1 were hidden in M1.
4.2. Verication diagrams
Proofs of temporal system specications can often be conveniently presented using
verication diagrams [39]. A verication diagram D is a directed graph whose nodes
are labeled by formulas and edges labeled by transitions. Node labels summarize sets
of states, and edges represent possible state transitions between them. Every edge e
is labeled by a transition (e). A terminal node in D is one with no outgoing edges.
Nodes(D) is the set of nodes in D, and Term(D) is the set of terminal nodes.
With a verication diagram D and system S we associate a set of S-verication
conditions. When these are valid we say the diagram D is S-valid. Similarly, we
associate a set of ’-verication conditions with a diagram D and temporal formula ’.
When these are valid, the S-validity of the diagram implies the S-validity of ’.
We will use diagrams to prove wait-for properties, of the form p) qWr for asser-
tions p, q and r. For convenience, we introduce a special class of diagrams for these
properties:
Denition 4.2 (Wait-for diagrams). A wait-for diagram is a verication diagram D,
where each node n is labeled by the formula ’n. With each non-terminal node n 2
Nodes(D) and every transition  in S; we associate the S-verication condition
f’ng 
8<
:’n _
0
@ _
m2(n)
’m
1
A
9=
; :
The ’-verication conditions for D necessary to prove ’ : p) qWr are:
W1:p !
_
n2Nodes(D)
’n all p-states are somewhere in the diagram
W2:
^
n =2Term(D)
(’n ! q) the non-terminal nodes in D are q-states
W3:
^
n2Term(D)
(’n ! r) the terminal nodes imply r
Thus, a wait-for diagram is a graphical alternative to rule WAIT of Fig. 2, with the
disjunction
W
n ’n over the non-terminal nodes fng replacing the intermediate assertion
’ of rule WAIT.
Like the verication rules of Section 4.1, these diagrams are sound and complete for
establishing wait-for properties of non-Zeno CTS’s [33]. We will see examples of wait-
for diagrams in Section 6.4. STeP also supports diagrams for response and invariance
properties. Furthermore, arbitrary linear-time temporal formulas can be veried in STeP
using the generalized verication diagrams introduced in [14].
N.S. Bjo=rner et al. / Theoretical Computer Science 253 (2001) 27{60 37
4.3. Non-Zenoness diagrams
As discussed in Section 2.3, any realistic real-time system specication should be
non-Zeno. Furthermore, the possibility of Zeno systems compromises the completeness
of our diagrams and rules [33]. We will use a special class of verication diagrams to
verify non-Zenoness. Reecting the existential nature of the property, the verication
conditions associated with these diagrams use the notation of possibility triples:
Denition 4.3 (Possibility triples). With a possibility triple
f’g  9f g
we associate the verication condition
’(V )! 9V 0:(V; V 0) ^  (V 0):
A possibility triple f’g 9 f g is valid i at every ’-state it is possible for transition
 to reach a  -state.
Denition 4.4 (Non-Zenoness diagrams). A non-Zenoness diagram is a directed
graph D where each node n is labeled by an assertion ’n and a ranking function n,
whose range is a well-founded domain. The diagram also contains two distinguished
constants t0 and . We associate the following rst-order verication conditions with a
non-Zenoness diagram D:
Well-formedness: t0 is a fresh Skolem constant;  can be expressed as a function of
system constants and is greater than 0.
Initiality: (T = t0)!
W
n2Nodes(D) ’n:
Progress: For every node n in D, either (i) some outgoing edge is labeled by
a transition that is enabled and can decrease the well-founded order, or (ii) tick is
enabled and can advance time beyond t0 + . Formally,
f’ng tick 9fT>t0 + g_
_
em=hn;mi2Out(n)
f’n ^ n = ug (em) 9f’m ^ m  ug;
where u is an auxiliary rigid variable, and Out(n) is the set of outgoing edges from n.
Proposition 4.5. An S-valid non-Zenoness diagram establishes that S is non-Zeno.
Justication: Consider an S-valid non-Zenoness diagram D. The Initiality condition
ensures that every reachable state where T = t0 is contained in a diagram node. By
the Progress conditions, at every node in D a transition can be taken that advances
time beyond  or decreases the well-founded order, moving to another node in D.
Following such transitions must eventually advance time beyond , since otherwise
38 N.S. Bjo=rner et al. / Theoretical Computer Science 253 (2001) 27{60
well-foundedness would be violated. Thus, since  is xed and greater than 0, the
system is itself non-Zeno.
4.4. Modular non-Zenoness: receptiveness
It would be preferable to establish non-Zenoness for modules and then infer the
non-Zenoness of their composition, as we propose in Section 4.1 for the case of safety
properties. Unfortunately, unlike safety properties, non-Zenoness is not closed under
parallel composition: the composition of two modules may fail to be non-Zeno even
if each module is non-Zeno. 1
A condition that implies non-Zenoness and is preserved under parallel composition is
receptiveness [4, 23]. Informally, a module is receptive if it is non-Zeno whenever it is
composed with a reasonably cooperative environment { one that does not maliciously
prevent the advance of time.
More formally, a module M is receptive if at every reachable state M can construct
a computation in which time diverges or only nitely many steps are taken by M .
Similarly to [4, 23, 26], this is represented by a game between the module and its
environment, called the receptiveness game.
Recall that module transitions are marked as controlled or external. Starting at
a state s, the game constructs a run of SM as follows: at each step, the environment
proposes to take the environment transition E , an external transition, or the tick
transition with an increment env>0. The module proposes a controlled transition,
which should be enabled, or a mod>0 by which the tick transition can be taken. The
next-state is chosen as follows:
{ If the environment proposed E or an external transition, this transition is taken,
and the move counts as an environment move. The environment chooses the next-
state as well.
{ If the environment proposed tick and the module proposed a controlled transition
, then  is taken. The module chooses the next-state values of the private variables,
and the environment then chooses those of the shared variables, consistent with .
The move is counted as a module move.
{ The last case is where both have proposed a tick transition. Then tick is taken, with
duration minfenv; modg. This is considered a module move if mod6env, and an
environment move otherwise.
At any given point, the module loses the game if it cannot propose a move, that
is, no controlled or tick transition is enabled. The module wins the game over an
innite run if either (1) time advances beyond any bound, or (2) the module only
performs a nite number of moves.
Note that the environment can always make a move: E and external transitions
are always enabled, and it is not required to choose an enabled tick.
1 This does not contradict Corollary 4.1, since non-Zenoness is not an LTL property, as we discuss in
Section 2.3.
N.S. Bjo=rner et al. / Theoretical Computer Science 253 (2001) 27{60 39
A module strategy is a function that maps every reachable state to a suitable
controlled transition, choosing next-state values for the private variables, or a mod
increment for the tick transition. The strategy determines the module’s proposed move
at each step of the receptiveness game.
Denition 4.6 (Receptiveness). A module M is receptive if it has a strategy that wins
against any environment, starting the receptiveness game at any reachable state. We
call this a winning strategy for M .
A winning strategy must be dened at every reachable state.
Proposition 4.7. (a) If M is receptive; then its associated CTS SM is non-Zeno. (b)
If M1 and M2 are receptive; then [M1 jjM2] is receptive.
Justication: (a) If M is receptive, it has a winning strategy, in particular, against
an environment that always lets M move { one that always proposes tick, where
env>mod if M also proposes tick. For any reachable state, this game generates a
run of SM where time diverges, so SM is non-Zeno. Note that the controlled and
tick transitions should thus, on their own, ensure time divergence.
(b) Assume that M1 and M2 are receptive. The winning strategy for M = [M1 jjM2]
is constructed from winning strategies for M1 and M2 as follows:
Consider a state s reachable in a run of M . The proof of Theorem 3.1 applies to
runs as well, so s is a reachable state for both M1 and M2. We consider two cases,
depending on what each strategy proposes at s:
(i) At least one of the modules, say M1, proposes a controlled transition . Since 
can only synchronize with external transitions of M2, all transitions correspond-
ing to  in M can be taken, and any one can be chosen. In this case, M2 sees
an environment move that takes E if  does not synchronize, or an external
transition of M2 otherwise.
(ii) M1 proposes tick with 1 and M2 proposes tick with 2. In this case, a tick with
min f1; 2g can be taken, since it will satisfy the progress conditions for both
modules. If 1 =2, both modules see a module move in their respective games.
Otherwise, the module that proposed the shorter duration will see a module move,
and the other will see an environment move, namely a shorter tick.
In all cases, the new strategy selects a valid move, which is a module move for at
least one of the modules, and a module move or an environment move for the other,
where the module moves follow the respective winning strategies. Environment moves
in the game for M are environment moves in the games for M1 and M2. Now assume,
for a contradiction, that M loses the game. Since M always has a valid move, this
must be an innite run, where time does not diverge and M moves innitely often.
This means that at least one module moves innitely often as well, and thus loses its
own game, a contradiction.
40 N.S. Bjo=rner et al. / Theoretical Computer Science 253 (2001) 27{60
4.5. Receptiveness diagrams
To show that a module is receptive we use receptiveness diagrams. They are similar
to the non-Zenoness diagrams of Section 4.3, but we now make a distinction between
transitions taken by the module and transitions taken by the environment.
Denition 4.8 (Receptiveness diagrams). A receptiveness diagram for a module M is
a directed graph D, where each node n is labeled by an assertion ’n and a rank-
ing function n, which only depends on private variables of M and whose range is
a well-founded domain. The diagram contains two distinguished constants, t0 and .
We associate the following rst-order verication conditions with a receptiveness dia-
gram D:
Well-formedness: t0 is a fresh Skolem constant;  can be expressed as a function of
system constants and is greater than 0.
Initiality: (T = t0)!
W
n2Nodes(D) ’n.
Module: For every node n in D, either (i) some outgoing edge is labeled by tick
or a controlled transition, which is enabled and can decrease the well-founded order,
or (ii) tick is enabled and can advance time beyond t0 + . Formally,
f’ng tick 9fT>t0 + g_
_
em=hn;mi2COut(n)
f’n ^ n = ug (em) 9f’m ^ m  ug;
where COut(n) is the set of outgoing edges from n labeled by controlled or tick
transitions.
Environment: For every node n and tick, environment or external transition ,
either the assertion ’n is preserved by , or  leads to one of the nodes in (n) (the set
of nodes reachable from n by an edge labeled by ) without increasing the well-founded
order. Formally,
f’n ^ n = ug 
8<
:(’n ^ n 4 u) _
0
@ _
m2N (;n)
(’m ^ m 4 u
1
A
9=
; ;
where N (; n) denotes the set of nodes m such that there is an edge from n to m
labeled by .
A receptiveness diagram is M -valid if all of its verication conditions are valid.
Proposition 4.9. An M -valid receptiveness diagram establishes that M is receptive.
Justication: Assume we have an M -valid receptiveness diagram D. The winning
strategy for M is as follows. By the Initiality condition for D, the game starts at some
node in the diagram. Whenever a node n is reached, if tick can advance time beyond
t0+, then such a time-increment mod is chosen. Otherwise, the Module conditions for
N.S. Bjo=rner et al. / Theoretical Computer Science 253 (2001) 27{60 41
D ensure that tick or a controlled transition, which can be taken, labels an outgoing
edge from n. The strategy chooses such a transition (where tick is chosen with the
maximum possible mod), choosing values for the private variables that guarantee a
successor node where the ranking is decreased. This is possible because the ranking
functions only depend on private variables, so a suitable next-state will be reached
regardless of the environment’s choice for the shared variables.
By the Environment conditions on D, any move by the environment must stay within
D, so the game will always stay within D, unless time progresses beyond t0 + . This
is a winning strategy, since by the ranking functions, the only way that the game can
be played over an innite run without advancing time past t0 +  is if the module
moves only nitely many times.
When all the strongly connected components in a receptiveness diagram D only
contain environment or external transitions, it is clear that a game where the module
moves innitely often cannot remain forever within the diagram, since only nitely
many transitions can be taken outside a strongly connected component, before an in-
nite computation eventually ends up inside one. In this case, we will associate a default
well-founded ordering with D as follows: sort D topologically into its MSCS (maxi-
mally strongly connected components) S0; : : : ; SN , where nodes in Si are not reachable
from nodes in Sj if i > j. The well-founded domain is the nite set f0; : : : ; Ng ordered
by <. For each node n, if n 2 Si then n def= i.
5. The STeP system
The Stanford Temporal Prover, STeP, is a tool for the deductive and algorithmic
verication of reactive and real-time systems [11, 10]. Untimed reactive systems are
expressed by fair transition systems; real-time systems are expressed by clocked tran-
sition systems. Specications are given in linear-time temporal logic.
STeP implements verication rules and verication diagrams, including rules INV and
WAIT of Section 4.1, the wait-for diagrams of Section 4.2, and the non-Zenoness dia-
grams of Section 4.3. 2 A collection of decision procedures for built-in theories including
integers, reals, datatypes and equality, is combined with propositional and rst-order
reasoning to simplify verication conditions, proving many of them automatically [9].
For those which cannot be established automatically, an interactive Gentzen-style theo-
rem prover is available. STeP also includes a model checker, which can automatically
establish or refute linear-time temporal properties of nite-state systems.
Features such as parameterization and the tick transition introduce quantiers in veri-
cation conditions. Fortunately, the required quantier instantiations are often \obvious"
in that they use instances that can be provided by the decision procedures themselves.
Accordingly, we have developed an integration of rst-order reasoning and decision
2 Receptiveness diagrams have not been implemented yet.
42 N.S. Bjo=rner et al. / Theoretical Computer Science 253 (2001) 27{60
procedures that can automatically discharge many verication conditions that would
otherwise require the use of the interactive prover [9, 13].
By allowing systems expressed by rst-order transition relations and using a rich
assertion language that includes constraints over the reals, STeP can support the real-
time framework described in Section 2.
5.1. Generation of invariants
STeP provides tools for automatic generation of invariants based on the static analy-
sis of transition systems [12]. These invariants can then be used as auxiliary properties
in deductive verication and model checking. We now briey describe forward propa-
gation, one of the methods presented in [12], and an application to the real-time case
that automatically generates useful auxiliary properties in Section 6.
The strongest postcondition post(; ’) of a formula ’ relative to a transition  is the
formula 9V0 ((V0; V )^’(V0)), describing the set of states reachable from a ’-state
by taking . In forward propagation we simulate the system by executing transitions,
starting from the initial states, until we reach a xpoint. Such an execution step can
be expressed by
F(X ) def=  _ post(TT ; X )
def=  _

_
2TT
9V0 : X (V0) ^ (V0; V )

:
The operator F is a predicate transformer, taking a predicate X and producing the
new predicate _ post(TT ; X ). The least xpoint of F: X:F(X ), which is equal
to
W1
i=0F
i( false), characterizes the set of reachable states, and is thus the strongest
possible system invariant. However, expressing this xpoint can require quantica-
tion over auxiliary variables, resulting in formulas that are not very useful in
practice.
An alternative, weaker way to establish invariants is to compute
F(true) =  _
 _
2TT
9V0 : (V0; V )
!
:
F(true) characterizes the set of states reachable by one execution step, starting from
the entire state space. In [8], these are called rearmed invariants, and are generated
for the parallel composition of untimed sequential programs. In [49] they are used for
hardware verication.
To obtain succinct and useful invariants, it is desirable to eliminate the existen-
tial quantiers. Both [8] and [49] apply heuristics to approximate F(true) tailored
towards the class of systems they consider. Similarly, in STeP we use the resident
simplier to eliminate redundant quantiers in the generated invariant and approximate
N.S. Bjo=rner et al. / Theoretical Computer Science 253 (2001) 27{60 43
post(tick; true) to (D;C), justied as follows:
post(tick; true) = 9D0;C0; 
0
@ > 0 ^ 8t 2 [0; ] : (D0;C0 + t)^
D = D0 ^ C = C0 + 
1
A
which, by taking D0 = D and C0 = C − , is equivalent to
9 : ( > 0 ^ 8t 2 [0; ] : (D;C − + t))
which implies (D;C).
5.2. Modules in STeP
A transition system module in STeP contains a name, an interface declaration, and
a body. The body contains a list of transitions and, in the case of clocked transition
systems, a time-progress condition.
In the STeP system specications below, communication between modules occurs in
the form of synchronizing transitions, so we will not need shared variables. Variables
declared as local are private variables. Variables declared as in cannot be changed
by any module, and are treated as constants.
For convenience, transitions can be described using guarded commands. These con-
tain an enabling condition ’, tagged by enable, and a set of variable assignments of
the form x := e, tagged by assign. This adds the conjuncts ’ and x0 = e to the corre-
sponding transition relation. Of the variables not mentioned in an assignment statement,
shared variables can be modied arbitrarily, whereas all other variables are unchanged.
A STeP specication is a set of axioms and properties. Properties are proof obliga-
tions, whereas axioms represent additional assumptions or previously proved properties.
We write [M] |= p to indicate that module M satises property p.
6. Example: generalized railroad crossing
We illustrate our methodology by verifying the generalized railroad crossing (GRC)
benchmark problem, originally proposed in [28]. Our system description closely follows
the operational specication presented in [29]. The goal is to design and verify a
controller that lowers and raises a gate such that (a) the system is \safe:" the gate is
down if a train is passing the intersection, and (b) the system is \useful:" the gate is
up if there is no good reason for it to be down.
6.1. System description
The GRC system contains N parallel railroad tracks protected by a gate and a gate
controller. Each track is divided into three regions: I (intersection), P (an interval
preceding the intersection), and notHere (everywhere else). The gate can be in any of
four states: down, up, goingDown, and goingUp. Initially all trains are notHere and
44 N.S. Bjo=rner et al. / Theoretical Computer Science 253 (2001) 27{60
Clocked Transition Module Trains
in minTimeToI : real where minTimeToI > 0
in maxTimeToI : real where maxTimeToI > 0
type trainStatus = fnotHere, P, Ig
local trains: array[1..N] of trainStatus
where Forall i:[1..N].(trains[i] = notHere)
local firstEnter: array[1..N] of real
local lastEnter : array[1..N] of real
Progress
Forall i:[1..N].(trains[i] = P --> T <= lastEnter[i])
Transition trainsEnter[i:[1..N]] :
enable trains[i] = notHere
assign trains[i] := P,
firstEnter[i] := T + minTimeToI,
lastEnter[i] := T + maxTimeToI
Transition enterI[i:[1..N]] :
enable trains[i] = P /\ T >= firstEnter[i]
assign trains[i] := I
Transition trainsExit[i:[1..N]] :
enable trains[i] = I
assign trains[i] := notHere
Fig. 3. The Trains clocked transition module.
the gate is in state up. Each track is equipped with two sensors: one located at the
beginning of the P-region, triggered when the front of the train enters, and one at
the end of the I -region, triggered when the train completely leaves the intersection.
The gate accepts two commands, lower and raise, with the obvious eects.
We model this system as the parallel composition of three clocked transition modules:
Trains: The Trains module, shown in Fig. 3, has three transitions parameterized
by i:[1..N], illustrated in Fig. 4. Constants minTimeToI and maxTimeToI are the
minimum and maximum time it may take a train to reach the intersection from the
time it enters P. The lower bound is reected in the enabling condition of enterI
and the upper bound is included in the progress condition: when a train is in P, time
cannot advance beyond this upper bound.
Gate: The Gate module, shown in Fig. 5, has four transitions, illustrated in Fig. 6.
Constants gateRiseTime and gateDownTime represent the times to fully raise and
N.S. Bjo=rner et al. / Theoretical Computer Science 253 (2001) 27{60 45
Fig. 4. Transitions for the Trains module.
Clocked Transition Module Gate
in gateRiseTime : real where gateRiseTime > 0
in gateDownTime : real where gateDownTime > 0
type gateStatus = fup, down, goingUp, goingDowng
local gate: gateStatus where gate = up
local lastDown, lastUp: real
Progress ( (gate = goingUp --> T <= lastUp) /\
(gate = goingDown --> T <= lastDown) )
Transition lower :
assign (gate,lastDown) :=
if gate = up \/ gate = goingUp
then (goingDown,T + gateDownTime)
else (gate,lastDown)
Transition raise :
assign (gate,lastUp) :=
if gate = down \/ gate = goingDown
then (goingUp,T + gateRiseTime)
else (gate,lastUp)
Transition isUp :
enable gate = goingUp
assign gate := up
Transition isDown :
enable gate = goingDown
assign gate := down
Fig. 5. The Gate clocked transition module.
46 N.S. Bjo=rner et al. / Theoretical Computer Science 253 (2001) 27{60
Fig. 6. Transitions for the Gate module.
lower the gate. The time-progress condition states that the gate can stay at most this
long in a moving state, after which the transition isUp or isDown must be taken;
otherwise, time cannot advance.
Controller: The composition [Gate k Trains] is neither \safe" nor \useful:" the
gate can be arbitrarily raised or lowered regardless of the presence of trains. A con-
troller is needed to constrain the behavior of the gate, based on observation of the trains.
Such a module is shown in Fig. 7. It has parameterized transitions trainsEnter and
trainsExit that, upon module composition, synchronize with their counterparts in the
Trains module, reecting the modeling assumption that the communication between
sensor and controller is instantaneous. Similarly, transitions lower and raise in Con-
troller synchronize with the corresponding transitions in the Gate module. We will
prove that the system [Gate k Controller k Trains] is safe and useful.
Note that the modules have no shared variables, but communicate only through
synchronous transitions.
To relate the presence of trains with the behavior of the gate, Controller uses
the local array trainHere[i] to record the trains at each track, while gs records the
status of the gate. Transitions trainsEnter and trainsExit in the controller have
no enabling conditions, since the controller cannot control when they are taken. In
contrast, transitions raise and lower are determined by the controller. Since there is
a delay between lowering the gate and the gate being down, the controller has to plan
when to lower it. Therefore, when the sensor is triggered, the controller estimates the
earliest possible time the train will be in the intersection, by setting schedTime to T
(the current time) + conMinI. For the system to be safe, we must assume that this
estimate is conservative, that is, conMinI is smaller than the actual minimum time,
minTimeToI, that a train may take to reach the intersection from the time it triggers the
sensor. This assumption is expressed by axiom ACT1 of Fig. 8. Note that conMinI is
an internal system constant of the controller, while minTimeToI represents the actual
value as exhibited by the trains.
The rst conjunct of the Controller time-progress condition ensures that the gate
is lowered in time, according to the controller’s estimate. Again, this estimate must
be conservative, as stated by axiom AGC1. To ensure that the gate is not raised too
N.S. Bjo=rner et al. / Theoretical Computer Science 253 (2001) 27{60 47
Clocked Transition Module Controller
in conMinI : real where conMinI > 0
in gammaDown: real where gammaDown > 0
in gammaUp : real where gammaUp > 0
in carPassingTime: real where carPassingTime > 0
in beta : real where beta > 0
type gstatus = fgUp,gDowng
local gs: gstatus where gs = gUp
local schedTime: array[1..N] of real
local trainHere: array[1..N] of bool
where Forall i:[1..N]. !trainHere[i]
Progress (gs = gUp --> Forall i:[1..N].
(trainHere[i] --> T < schedTime[i] - gammaDown)) /\
(gs = gDown --> Exists i:[1..N]. (trainHere[i] /\
schedTime[i] <= T + gammaUp + carPassingTime + gammaDown))
Transition trainsEnter [i:[1..N]] :
assign schedTime[i] := T + conMinI,
trainHere[i] := true
Transition lower :
enable gs = gUp /\ Exists i:[1..N].(trainHere[i] /\
schedTime[i] <= T + gammaDown + beta)
assign gs := gDown
Transition trainsExit [i:[1..N]] :
assign trainHere[i] := false
Transition raise :
enable gs = gDown /\ Forall i:[1..N].(trainHere[i] -->
T + gammaUp + carPassingTime + gammaDown < schedTime[i])
assign gs := gUp
Fig. 7. The Controller clocked transition module.
early, the enabling condition of raise requires that there be no trains in the intersec-
tion. In fact, it states that the gate cannot be raised if another train approaches and
there is no time to raise the gate, let one automobile pass, and lower the gate again.
Constant gammaUp is a conservative estimate of the time needed to raise the gate,
48 N.S. Bjo=rner et al. / Theoretical Computer Science 253 (2001) 27{60
AXIOM AC1 (feasibility): gammaDown < conMinI
AXIOM ACT1 (conservative estimate): conMinI < minTimeToI
AXIOM AGC1 (conservative est.): gateDownTime < gammaDown
AXIOM AGC2 (conservative est.): gateRiseTime < gammaUp
Fig. 8. Axioms relating system constants.
and carPassingTime is the minimum time for an automobile to pass the intersection.
These controller restrictions on the gate behavior ensure a safe intersection.
Further controller restrictions on the gate behavior are necessary to make the system
useful. First, the gate should not be lowered when it is not necessary. This restriction
is ensured by the second conjunct of the enabling condition, where beta is a positive
constant that gives the controller some time-interval to lower the gate. Second, the
gate should not stay down without reason. This restriction is enforced by the second
conjunct of the controller’s time-progress condition, which states that the controller
can keep the gate down only if there is a train that is suciently near. There is no
corresponding slack variable beta’ for raising the gate, since we do not model urgency
in raising the gate.
6.2. Modular analysis
Before proving properties over the entire system, we analyze the modules individually
and in various combinations. By Theorem 3.1 of Section 4, properties proved for
individual modules, or pairwise compositions of them, will also hold for the entire
system, and can thus be used as axioms when verifying properties of the complete
system.
Fig. 9 lists some properties proved valid over single or pairwise combinations of
modules. Property GC1 states to what extent the controller knows the status of the gate
(it cannot distinguish between goingUp and up). Property GC2 states that whenever
the controller has given the command lower, the gate is guaranteed to be down within
gateDownTime. Property GC3 states the main property of the controller, namely that the
gate will be down before a train is expected to enter the intersection. Property TC1 states
that the status of the train is correctly represented internally in the controller. Property
TC2 states that the controller’s estimate of the expected arrival time is conservative.
All these properties were proved with STeP using rule INV. Many of the resulting
verication conditions were proved automatically by STeP’s decision procedures, and
the rest required straightforward use of the interactive prover. Properties G1 and G2
were generated by the automatic invariant generation method described in Section 5.1.
6.3. Specication
The informal requirements that the system must be \safe" and \useful" must be
precisely formulated as formulas in temporal logic. The requirement of safety, that the
N.S. Bjo=rner et al. / Theoretical Computer Science 253 (2001) 27{60 49
PROPERTY G1: [Gate] |= gate = goingDown ==> T <= lastDown
PROPERTY G2: [Gate] |= gate = goingUp ==> T <= lastUp
PROPERTY T1: [Trains] |=
Forall i:[1..N].(T < firstEnter[i] ==> trains[i] != I)
PROPERTY T2: [Trains] |=
Forall i:[1..N].(trains[i] = P ==>
firstEnter[i] <= T + minTimeToI /\
T <= lastEnter[i] /\
lastEnter[i] - firstEnter[i] = maxTimeToI - minTimeToI)
PROPERTY C1: [Controller] |= gs = gUp ==>
Forall i:[1..N].(trainHere[i] --> T < schedTime[i] - gammaDown)
PROPERTY GC1: [Gate || Controller] |=
gs = gDown <==> (gate = goingDown \/ gate = down)
PROPERTY GC2: [Gate || Controller] |=
gs = gDown ==> lastDown <= T + gateDownTime
PROPERTY GC3: [Gate || Controller] |= gs = gDown ==>
Forall i:[1..N].(trainHere[i] --> lastDown < schedTime[i])
PROPERTY TC1: [Controller || Trains] |=
Forall i:[1..N].(trainHere[i] <==> trains[i] != notHere)
PROPERTY TC2: [Controller || Trains] |=
Forall i:[1..N].(trainHere[i] ==> schedTime[i] < firstEnter[i])
Fig. 9. Modularly valid auxiliary properties.
gate is down whenever there is a train in the intersection, is straightforward to express
PROPERTY safety: [Gate || Controller || Trains] |=
(Exists i:[1..N].trains[i] = I) ==> gate = down
The \usefulness" (or utility) requirement states that the gate should be up when there
is no good reason for it to be down, and is more dicult to formalize. In [29] this
requirement is formulated as follows (adapted to our notation and naming of constants):
For a state si in a computation  : s0; s1; : : : ; si; : : : such that si[gate] 6= up, where si[x]
is the value of variable x in state si, one of the following conditions must hold:
(i) A train has passed recently: there exists j6i such that sj[trains[k]] = I for
some k6N and Tj>Ti −maxPost, where Ti is the value of the master clock in
state si and maxPost is the maximum time we allow for the gate to move up.
50 N.S. Bjo=rner et al. / Theoretical Computer Science 253 (2001) 27{60
Fig. 10. An interval where the gate should stay down.
value maxPre, maxPost: real
value t: real
PROPERTY utility1: [Gate || Controller || Trains] |=
gate = goingDown /\ t = T ==>
T <= t + maxPre Awaits Exists i:[1..N].trains[i] = I
PROPERTY utility2: [Gate || Controller || Trains] |=
t = T /\ (Forall i:[1..N] . trains[i] != I) ==>
(T <= t + maxPre + carPassingTime + maxPost)
Awaits
(T <= t + maxPost /\ gate = up) \/
(T <= t + maxPre + carPassingTime + maxPost /\
Exists i:[1..N].trains[i] = I)
Fig. 11. Specication of the utility property.
(ii) A train will arrive soon: there exists j>i such that sj[trains[k]] = I for some
k6N and Tj6Ti +maxPre, where maxPre is the maximum time we allow for
the gate to lower before a train arrives at the intersection.
(iii) There is not enough time between the passage of two trains to let an automo-
bile pass: there exist n6i; m>i, such that sn[trains[k]] = I , sm[trains[‘]] = I
for some k; ‘6N , and Tm − Tn6maxPre + maxPost + carPassingTime, where
carPassingTime is the minimum time required for one automobile to pass over
the tracks. Fig. 10 illustrates this case.
We reformulate this property as the two wait-for properties of Fig. 11, where
Awaits stands for theW (wait-for) operator. Specication variables maxPre and max-
Post, also dened in Fig. 11, are bounds on the time the gate is not up before and
after a train is in the intersection. To ensure that there exists a controller such that
the overall system satises the specication, their values must be suciently large,
as expressed by axioms ASP1 and ASP2 in Fig. 12. Axiom ASP1 states that we
cannot require the gate to be up within the time it takes to raise the gate. Similarly,
axiom ASP2 states maxPre should be larger than the time it takes to lower the gate,
as expressed by gateDownTime. To account for the uncertainty in how long it takes
the train to reach the intersection we add the term maxTimeToI - minTimeToI; the
controller must assume the shortest time to decide when to lower the gate, but the
N.S. Bjo=rner et al. / Theoretical Computer Science 253 (2001) 27{60 51
AXIOM ASP1: maxPost > gammaUp
AXIOM ASP2: maxPre >
gateDownTime + maxTimeToI - minTimeToI + margin
AXIOM ASP3: margin > (gammaDown - gateDownTime)
+ (minTimeToI - conMinI) + beta
AXIOM ASP4: margin <= carPassingTime
Fig. 12. Axioms relating specication variables to system constants.
Fig. 13. Wait-for verication diagram for utility1.
train may actually arrive at the latest possible time. The term margin accounts for the
fact that the controller does not have access to the precise values of gateDownTime
and minTimeToI and therefore must make conservative estimates in gammaDown and
conMinI, thus increasing the time the gate is down. Finally, axiom ASP4 limits how
conservative these estimates can be by requiring that margin does not exceed the time
it takes a car to cross the intersection.
Property utility1 states that if the gate is going down at time t, then a train will
enter the intersection within time maxPre. This forbids spurious or premature lowering
of the gate. Property utility2 states that if there are no trains in the intersection
at time t, then the gate is up within time maxPost or another train approaches and
will reach the intersection within time maxPre + carPassingTime + maxPost. This
forbids keeping the gate down unnecessarily.
6.4. Verication
Property safety: The property safety was proved with STeP using the INV verica-
tion rule. The property is inductive relative to the previously proved modular properties
shown in Fig. 9; therefore, no auxiliary assertion ’ had to be constructed. Of the 10
verication conditions, only two required non-trivial user interaction to be proved.
Property utility1: The wait-for verication diagram of Fig. 13 was used to prove
utility1. The boldface boundary indicates a terminal node. This diagram generates
eight verication conditions: the ve S-verication conditions were established auto-
matically. An additional invariant is required to prove that the antecedent of utility1
implies the formula in the top-most node. This invariant is summarized in gateInv
52 N.S. Bjo=rner et al. / Theoretical Computer Science 253 (2001) 27{60
Fig. 14. Wait-for verication diagram for utility2.
below, proved using INV. The other two ’-verication conditions were proved with
trivial user interaction.
PROPERTY gateInv: [Trains || Controller || Gate] |=
gate = goingDown ==> Exists i:[1..N].
(trains[i] = P /\ firstEnter[i] - gammaDown - beta <= T)
Property utility2: The wait-for verication diagram of Fig. 14 was used to prove
utility2. It generates 36 verication conditions, all of which were proved valid with
the help of the previously proved invariants. Twelve of the verication conditions were
proved automatically, and the rest required some user interaction.
6.5. Proving non-Zenoness
Before we discuss receptiveness in Section 6.6, we give a global non-Zenoness proof,
considering the composition of all three modules.
A non-Zenoness diagram for [Gate || Controller || Trains] is given in Fig. 15. 3
This diagram uses encapsulation conventions [39]: a compound node labeled by an
assertion f adds f as a conjunct to each one of its subnodes, and an edge arriving
3 Quantiers in STeP have maximal scope, so some parentheses are omitted.
N.S. Bjo=rner et al. / Theoretical Computer Science 253 (2001) 27{60 53
Fig. 15. Global non-Zenoness diagram.
at (or departing from) a compound node represents a set of edges that arrive at (or
depart from) each of its subnodes.
The ranking functions i associated with nodes ni are given by
i
def=(i; ;; 0) for i = 0; 3; : : : ; 7; and
i
def=(1; fk : [1::N ] j urgent(k)g; i) for i = 1; 2:
The range of the i’s is the set N  2[1::N ] N, a well-founded domain using,
as the well-founded order, the lexicographic extension h<;;<i of the <-ordering
on N and the subset ordering . The predicate urgent(i) holds if trains[i] = P and
t0 +  > lastEnter[i]: an urgent train must enter I before time can advance beyond
t0 + .
STeP was used to check this non-Zenoness diagram, generating the associated veri-
cation conditions and proving their system validity.
Given our interleaving model of computation, it is essential that at any reachable
state there is only a nite number of urgent trains. Otherwise, an innite number of
54 N.S. Bjo=rner et al. / Theoretical Computer Science 253 (2001) 27{60
Fig. 16. Receptiveness diagram for the Trains module.
events would have to happen in a bounded time interval. Other computational models,
such as those based on partial orders [45], can account for event independence, and
do not need the restriction to a nite number of trains.
6.6. Proving receptiveness
In the spirit of modularity, we now sketch, more informally, a modular non-Zenoness
proof for our GRC specication, by showing that the individual modules are receptive
and then inferring non-Zenoness for the combined system using Proposition 4.7. As
we will see, the combined modular proof eort is more costly than the global non-
Zenoness proof above. The advantage of a modular justication is that modules can
be replaced by other receptive modules, while still ensuring the non-Zenoness of the
entire system. (However, this justication has not yet been mechanically checked using
STeP.)
For the Trains module, all transitions are controlled. For the Gate module,
lower and raise are external (decided by the Controller module), while isUp
and isDown are controlled. For the Controller module, lower and raise are
controlled, while trainsEnter and trainsExit are external (decided by the
Trains module).
We present receptiveness diagrams to show that the Trains, Controller and Gate
modules are receptive. In our diagrams, we will use bold edges to indicate controlled
or tick transitions, which can be chosen by the module, and single edges for external
ones.
The diagram in Fig. 16 represents a proof that the Trains module is receptive. The
ranking functions for nodes n2 and n1 count the number of trains that still have to
enter the intersection (that is, must perform a transition) before time can be advanced
freely, since taking transition enterI is forced by the progress condition. Note that the
module may choose whether to take any transition that is not forced by the progress
condition; in particular, it can choose not to have a train enter P.
The diagram in Fig. 17 represents a proof that the Controller module is receptive.
In node n3 the module can always take the lower transition, since 6beta, and the
resulting state will satisfy canStayDown (the formula : canStayDown is equivalent
N.S. Bjo=rner et al. / Theoretical Computer Science 253 (2001) 27{60 55
Fig. 17. Receptiveness diagram for the Controller module.
to 1 used in Fig. 15). In n2 the module can let time advance beyond t0 + , justied
by the existence of at least one train that is close enough, and that will stay close
enough until it exits. In n1 the module can always take the raise transition, since
: canStayDown is its enabling condition. The resulting state will satisfy canStayUp,
since 6gammaUp+ carPassingTime. Finally, node n0 allows time to advance beyond
t0 + . The absence of an environment edge hn0; n3i is justied by 6conMinI −
gammaDown: whenever a train enters time will advance beyond t0 +  before the
controller has to lower the gate.
The only non-trivial MSCS in the diagram is fn1; n2g, which contains only external
transitions, so we can use the default well-founded order. The diagram in Fig. 18
proves that the Gate module is receptive. The states where the module cannot let time
advance beyond t0 +  are covered by nodes n2 and n3. However, from these nodes,
transitions isUp and isDown, respectively, are guaranteed to be enabled and can take
the module to a node where time can be advanced. In all other nodes the module can
let time advance beyond t0 + . As regards the environment condition, the absence of
environment edges hn1; n3i and hn0; n2i is justied by our choice to have  smaller than
the minimum of gateRiseTime and gateDownTime. This choice of  guarantees that
whatever a raise or lower transition is taken while T>t0, the module is not forced
by the progress condition to take the isUp or isDown transition before t0 + .
7. Related work
7.1. The railroad crossing benchmark
The GRC and similar examples have been analyzed using many dierent specication
techniques and tools. The rst machine-veried proof of safety and utility properties
of a railroad crossing controller appeared in [46]. A linear-time model for real-time
56 N.S. Bjo=rner et al. / Theoretical Computer Science 253 (2001) 27{60
Fig. 18. Receptiveness diagram for the Gate module.
specications was encoded in the higher-order specication language of the PVS sys-
tem [44], and formal proofs were conducted using the PVS proof-assistant. PVS was
also used in [48] to verify a railroad crossing system formulated in the Duration Calcu-
lus [18]. The work of [6] uses Timed Statecharts [37] to encode real-time systems, and
the HOL prover [27] to conduct a formal proof. The version of the railroad controller
we present appeared in [29], which reports preliminary experience with PVS and the
Larch prover [25] to obtain a formally checked proof.
When numerical values are substituted for some of the symbolic parameters in the
problem formulation, it is possible to obtain systems suitable for automatic real-time
model checkers such as HYTECH [30], KRONOS [20], and UPPAAL [7]; see, for in-
stance, [21]. These tools are based on representing bisimilar regions of the reachable
state-space using linear constraints over the reals. The constraint logic programming
language CLP(R) includes built-in solvers for constraints over the reals. CLP(R) is
used in [50] to check a hybrid solution to the GRC.
7.2. Real-time verication frameworks
A related deductive framework for the analysis of real-time systems is presented
in [31]. That paper provides a bisimulation-based translation from a class of real-
time systems and specications to untimed versions that are amenable to standard
verication methods for innite-state reactive systems. [31] also studies methods for
translating liveness properties into safety formulas when progress is guaranteed within
a computable bound.
N.S. Bjo=rner et al. / Theoretical Computer Science 253 (2001) 27{60 57
The clocked transition system approach using explicit clock variables can be traced
to [1]. There, system specications in the temporal logic of actions (TLA) are ex-
tended by a clock variable now. Since systems and specications are modeled in the
same logic, the real-time TLA system description includes additional conjunctions con-
straining real-time behaviors of transitions, and requiring non-Zenoness. Modularity
and assumption-guarantee specications are handled in a version of TLA that mixes
classical and intuitionistic logical connectives. Proof rules for the modular verication
of timed transition systems are presented in [16] and [17].
Systems driven by a digital clock where time advances by discrete intervals of
xed size can be analyzed using automatic model checking tools. In [15] the CTL
branching-time logic is extended with metric temporal operators, and the computational
model is enhanced with timed transition graphs. In [43] the StateTime visual toolset
allows the designer to encode a discrete-event real-time system, using a statechart
graphical interface with debugging utilities. The computational model is that of timed
transition modules (TTMs), where time is incremented by discrete amounts. TTM’s
are translated into standard fair transition systems; STeP’s model checker and theorem-
proving utilities are then used to verify temporal specications.
7.3. Proving non-Zenoness
Modular conditions for ensuring non-Zenoness are discussed in [1, 4, 26, 36]. Like the
one we use, they are variations on the sucient, but not necessary, modular condition
of receptiveness, introduced in [23] in the general context of open circuit components.
Our non-Zenoness diagrams are inspired by the possibility diagrams used in [34].
Although the property itself is not expressible in LTL, another approach to proving
non-Zenoness within an LTL framework is reported in [35]. The validity of possibility
properties over a particular system is reduced to the validity of closure formulas, based
on TLA formulas that describe the system itself.
8. Conclusions
We have presented a machine-checked modular verication of a real-time control
system, using clocked transition modules as the computational model and temporal
logic to capture the requirements. The STeP verication system was used to verify the
specied properties and to check that the system is well-specied, that is, that it is
non-Zeno.
To verify non-Zenoness and the related modular property of receptiveness, we pro-
posed non-Zenoness and receptiveness diagrams, which reduce the proof of such prop-
erties to that of rst-order verication conditions. These diagrams provide an intuitive,
visual representation of the corresponding proofs.
The proofs of the safety and utility properties were simplied by automatically gen-
erated auxiliary invariants. Diagrams were also used to reduce the verication of these
58 N.S. Bjo=rner et al. / Theoretical Computer Science 253 (2001) 27{60
temporal properties to proofs of rst-order verication conditions. Many of these ver-
ication conditions were proven automatically by STeP’s decision procedures, while
the rest required some user interaction to prove their validity.
Future work aims at increasing the use of model checking techniques in the verica-
tion of real-time systems by using abstraction [19, 51], and enhancing the verication
support, including machine-guided construction of verication diagrams [47] and more
powerful decision procedures [9].
Acknowledgements
We thank Uri Lerner and the anonymous reviewers for their feedback and comments.
References
[1] M. Abadi, L. Lamport, An old-fashioned recipe for real time, in: J.W. de Bakker, C. Huizing, W.P. de
Roever, G. Rosenberg (Eds.), Proc. REX Workshop \Real-Time: Theory in Practice", Lecture Notes in
Computer Science, vol. 600, Springer, Berlin, 1992, pp. 1{27.
[2] R. Alur, D.L. Dill, A theory of timed automata, Theoret. Comput. Sci. 126 (1994) 183{235.
[3] R. Alur, T.A. Henzinger (Eds.), in: Proc. 8th Internat. Conf. on Computer Aided Verication, Lecture
Notes in Computer Science, vol. 1102, Springer, Berlin, July 1996.
[4] R. Alur, T.A. Henzinger, Modularity for timed and hybrid systems, Proc. 8th Internat. Conf. on
Concurrency Theory, Lecture Notes in Computer Science, vol. 1243, Springer, Berlin, 1997, pp. 74
{88.
[5] R. Alur, T.A. Henzinger, E.D. Sontag (Eds.), in: Hybrid Systems III: Verication and Control, Lecture
Notes in Computer Science, vol. 1066, Springer, Berlin, 1996.
[6] J. Armstrong, L. Barroca, Specication and verication of reactive system behaviour: the railroad
crossing example, Real-Time Systems 10 (1996) 143{178.
[7] J. Bengtsson, K. Larson, F. Larsson, P. Pettersson, W. Yi, Uppaal-a tool suite for automatic verication
of real-time systems, in: R. Alur, T.A. Henzinger, E.D. Sontag (Eds.), Hybrid Systems III: Verication
and Control, Lecture Notes in Computer Science, vol. 1066, Springer, Berlin, 1996, pp. 232{243.
[8] S. Bensalem, Y. Lakhnech, H. Saidi, Powerful techniques for the automatic generation of invariants,
in: R. Alur, T.A. Henzinger (Eds.), Proc. 8th Internat. Conf. on Computer Aided Verication, Lecture
Notes in Computer Science, vol. 1102, Springer, Berlin, July 1996, pp. 323{335.
[9] N.S. BjHorner, Integrating decision procedures for temporal verication, Ph.D. thesis, Computer Science
Department, Stanford University, November 1998.
[10] N.S. BjHrner, A. Browne, E.S. Chang, M. Colon, A. Kapur, Z. Manna, H.B. Sipma, T.E. Uribe, STeP:
the stanford temporal prover, User’s Manual, Tech. Rep. STAN-CS-TR-95-1562, Computer Science
Department, Stanford University, November 1995.
[11] N.S. BjHrner, A. Browne, E.S. Chang, M. Colon, A. Kapur, Z. Manna, H.B. Sipma, T.E. Uribe,
STeP: deductive-algorithmic verication of reactive and real-time systems, in: R. Alur, T.A. Henzinger
(Eds.), Proc. 8th Internat. Conf. on Computer Aided Verication, Lecture Notes in Computer Science,
vol. 1102, Springer, Berlin, July 1996, pp. 415{418.
[12] N.S. BjHrner, A. Browne, Z. Manna, Automatic generation of invariants and intermediate assertions,
Theoret. Comput. Sci. 173(1) (1997) 49{87. Preliminary version appeared in 1st Internat. Conf. on
Principles and Practice of Constraint Programming, Lecture Notes in Computer Science, vol. 976,
Springer, Berlin, 1995, pp. 589{623.
[13] N.S. BjHrner, M.E. Stickel, T.E. Uribe, A practical integration of rst-order reasoning and decision
procedures, Proc. 14th Internat. Conf. on Automated Deduction, Lecture Notes in Computer Science,
vol. 1249, Springer, Berlin, July 1997, pp. 101{115.
N.S. Bjo=rner et al. / Theoretical Computer Science 253 (2001) 27{60 59
[14] A. Browne, Z. Manna, H.B. Sipma, Generalized temporal verication diagrams, In 15th Conf. on the
Foundations of Software Technology and Theoretical Computer Science, Lecture Notes in Computer
Science, vol. 1026, Springer, Berlin, 1995, pp. 484{498.
[15] S. Campos, E.M. Clarke, Real-time symbolic model checking for discrete time models, in: T. Rus,
C. Rattray (Eds.), Theories and Experiences for Real-Time System Development, AMAST, World
Scientic Publishing Company, Singapore, 1995.
[16] E.S. Chang, Compositional verication of reactive and real-time systems, Ph.D. thesis, Computer Science
Department, Stanford University, Stanford, California, 1993, Tech. Report STAN-CS-TR-94-1522.
[17] E.S. Chang, Z. Manna, A. Pnueli, Compositional verication of real-time systems, Proc. 9th IEEE Symp.
Logic in Comp. Sci., IEEE Computer Society Press, Silverspring, MD, 1994, pp. 458{465.
[18] Z. Chaochen, C.A.R. Hoare, A.P. Ravn, A calculus of durations, Inform. Process. Lett. 40 (5) (1992)
269{276.
[19] M.A. Colon, T.E. Uribe, Generating nite-state abstractions of reactive systems using decision
procedures, in: A.J. Hu, M.Y. Vardi (Eds.), Proc. 10th Internat. Conf. on Computer Aided Verication,
Lecture Notes in Computer Science, vol. 1427, Springer, Berlin, July 1998,, pp. 293{304.
[20] C. Daws, A. Olivero, S. Tripakis, S. Yovine, The tool KRONOS, in: R. Alur, T.A. Henzinger, E.D.
Sontag (Eds.), Hybrid Systems III: Verication and Control, Lecture Notes in Computer Science,
vol. 1066, Springer, Berlin, 1996, pp. 208{219.
[21] C. Daws, S. Yovine, Verication of multirate timed automata with KRONOS: two examples, Tech.
Rep. Spectre-95-06, VERIMAG, April 1995.
[22] J.W. de Bakker, C. Huizing, W.P. de Roever, G. Rosenberg (Eds.), in: Proc. REX Workshop
\Real-Time: Theory in Practice", Lecture Notes in Computer Science, vol. 600, Springer, Berlin, 1992.
[23] D.L. Dill, Trace Theory for Automatic Hierarchical Verication of Speed-Independent Circuits, MIT
Press, Cambridge, MA, 1989.
[24] E.A. Emerson, Temporal and modal logic, in: J. van Leeuwen (Ed.), Handbook of Theoretical Computer
Science, vol. B, Elsevier Science Publishers (North-Holland), Amsterdam, 1990, pp. 995{1072.
[25] S.J. Garland, J.V. Guttag, A guide to LP, the Larch Prover, Tech. Rep. 82, Digital Equipment
Corportation, SRC, December 1991.
[26] R. Gawlick, R. Segala, J.F. SHgaard-Andersen, N.A. Lynch, Liveness in timed and untimed systems,
in: S. Abiteboul, E. Shamir (Eds.), Proc. 21st Internat. Colloq. Aut. Lang. Prog., Lecture Notes in
Computer Science, vol. 820, Springer, Berlin, 1994.
[27] M. Gordon, T.F. Melham, Introduction to HOL: A Theorem Proving Environment for Higher Order
Logic, Cambridge University Press, Cambridge, 1993.
[28] C. Heitmeyer, R.D. Jeords, B. Labaw, A benchmark for comparing dierent approaches for specifying
and verifying real-time systems, Proc. 10th Internat. Workshop on Real-Time Operating Systems and
Software, 1993.
[29] C. Heitmeyer, N. Lynch, The generalized railroad crossing: a case study in formal verication of
real-time systems, Proc. IEEE Real-Time Systems Symp., IEEE Press, New York, December 1994,
pp. 120{131.
[30] T.A. Henzinger, P. Ho, HYTECH: the Cornell hybrid technology tool, in: Hybrid Systems II, Lecture
Notes in Computer Science, vol. 999, Springer, Berlin, 1995, pp. 265{293.
[31] T.A. Henzinger, P.W. Kopke, Verication methods for the divergent runs of clock systems, in:
H. Langmaack, W.P. de Roever, J. Vytopil (Eds.), Proc. 3rd Internat. Symp. on Formal Techniques in
Real Time and fault Tolerant Systems, Lecture Notes in Computer Science, vol. 863, Springer, Berlin,
September 1994, pp. 351{372.
[32] T.A. Henzinger, Z. Manna, A. Pnueli, Temporal proof methodologies for timed transition systems,
Inform. and Comput. 112 (2) (1994) 273{337.
[33] Y. Kesten, Z. Manna, A. Pnueli, Verifying clocked transition systems, in: R. Alur, T.A. Henzinger,
E.D. Sontag (Eds.), Hybrid Systems III: Verication and Control, Lecture Notes in Computer Science,
vol. 1066, Springer, Berlin, 1996, pp. 13{40.
[34] Y. Kesten, Z. Manna, A. Pnueli, Verication of clocked and hybrid systems, in: G. Rozenberg,
F.W. Vaandrager (Eds.), Lectures on Embedded Systems, Lecture Notes in Computer Science, vol.
1494, Tutorial, Springer, Heidelberg, 1998, pp. 4{73.
[35] L. Lamport, Proving possibility properties, Tech. Rep. 137, Digital Equipment Corporation, Systems
Research Center, July 1995.
60 N.S. Bjo=rner et al. / Theoretical Computer Science 253 (2001) 27{60
[36] N. Lynch, F.W. Vaandrager, Forward and backward simulations for timing-based systems, in: J.W. de
Bakker, C. Huizing, W.P. de Roever, G. Rosenberg (Eds.), Proc. REX Workshop \Real-Time: Theory
in Practice", Lecture Notes in Computer Science, vol. 600, Springer, Berlin, 1992,, pp. 397{446.
[37] O. Maler, Z. Manna, A. Pnueli, From timed to hybrid systems, in: J.W. de Bakker, C. Huizing, W.P.
de Roever, G. Rosenberg (Eds.), Proc. REX Workshop \Real-Time: Theory in Practice", Lecture Notes
in Computer Science, vol. 600, Springer, Berlin, 1992, pp. 447{484.
[38] Z. Manna, A. Pnueli, The Temporal Logic of Reactive and Concurrent Systems: Specication, Springer,
Berlin, New York, 1991.
[39] Z. Manna, A. Pnueli, Temporal verication diagrams, in: M. Hagiya, J.C. Mitchell (Eds.), Proc. Internat.
Symp. on Theoretical Aspects of Computer Software, Lecture Notes in Computer Science, vol. 789,
Springer, Berlin, 1994,, pp. 726{765.
[40] Z. Manna, A. Pnueli, Temporal Verication of Reactive Systems: Safety, Springer, Berlin, New York,
1995.
[41] Z. Manna, A. Pnueli, Clocked transition systems, Tech. Rep. STAN-CS-TR-96-1566, Computer Science
Department, Stanford University, April 1996.
[42] J.S. Ostro, in: Temporal Logic of Real-Time Systems, Advanced Software Development Series,
Research Studies Press (Wiley), Taunton, England, 1990.
[43] J.S. Ostro, A visual toolset for the design of real-time discrete event systems, IEEE Trans. Control
Systems Technol. (1997).
[44] S. Owre, S. Rajan, J.M. Rushby, N. Shankar, M.K. Srivas, PVS: combining specication, proof checking,
and model checking, in: R. Alur, T.A. Henzinger (Eds.), Proc. 8th Internat. Conf. on Computer Aided
Verication, Lecture Notes in Computer Science, vol. 1102, Springer, Berlin, July 1996, pp. 411{414.
[45] D.A. Peled, V. Pratt, G.J. Holzmann (Eds.), Workshop on Partial Order Methods in Verication
(Princeton: 1996), DIMACS Series in Discrete Mathematics and Theoretical Computer Science, vol.
29, July 1997.
[46] N. Shankar, Verication of real-time systems using PVS, in: C. Courcoubetis (Ed.), Proc. 5th Internat.
Conf. on Computer Aided Verication, Lecture Notes in Computer Science, vol. 697, Springer, Berlin,
June 1993,, pp. 280{291.
[47] H.B. Sipma, Diagram-based verication of discrete, real-time and hybrid systems, Ph.D. thesis, Computer
Science Department, Stanford University, December 1998.
[48] J.U. Skakkebk, A verication assistant for a real-time logic, Ph.D. thesis, Technical University of
Denmark, 1994.
[49] J.X. Su, D.L. Dill, C.W. Barrett, Automatic generation of invariants for processor verication, 1st
Internat. Conf. on Formal Methods in Computer-Aided Design, Lecture Notes in Computer Science,
vol. 1166, Springer, Berlin, November 1996, pp. 377{388.
[50] L. Urbina, The generalized railroad crossing: Its symbolic analysis in CLP(R), in: Principles and Practice
of Constraint Programming, Lecture Notes in Computer Science, vol. 1118, Springer, Berlin, August
1996, pp. 564{567.
[51] T.E. Uribe, Abstraction-based deductive-algorithmic verication of reactive systems, Ph.D. thesis,
Computer Science Department, Stanford University, December 1998.
