Analysis of a Biphase Mark Protocol with Uppaal and PVS by Vaandrager, F.W. & Groot, A.L. de






The following full text is a preprint version which may differ from the publisher's version.
 
 





Please be advised that this information was generated on 2017-12-06 and may be subject to
change.
A nalysis of a B iphase M ark P rotocol 
w ith  U ppaal and PV S
F.W . Vaandrager* and A.L. de Groot**
N ijm egen In s titu te  for C om puting  and  In fo rm ation  Sciences 
R adboud  U niversity  N ijm egen 
P.O . Box 9010, 6500 GL N ijm egen, T he  N etherlands 
{ fv a a n ,a d r id g } @ c s .ru .n l
A bstract. T he b iphase m ark  pro toco l is a  convention for rep resen t­
ing b o th  a s tring  of b its  and  clock edges in  a  square wave. T he  p ro ­
toco l is frequently  used for com m unication  a t  th e  physical level of the  
IS O /O S I hierarchy, and  is im plem ented  on m icrocontrollers such as the  
In te l 82530 Serial C om m unications C ontro ller. A n im p o rtan t p ro p erty  
of th e  p ro toco l is th a t  b it strings of a rb itra ry  len g th  can  be  tra n sm it­
ted  reliably, desp ite  differences in  th e  clock ra te s  of sender and  receiver 
(d r if t) , varia tions of th e  clock ra te s  ( j it te r ) , and  d is to rtio n  of th e  signal 
after genera tion  of an  edge. In  th is  artic le , we show how th e  pro toco l can  
be m odelled n a tu ra lly  in  te rm s of tim ed  au to m ata . W e use th e  m odel 
checker U PPAAL to  derive th e  m axim al to lerances on th e  clock ra te s , for 
d ifferent in stances of th e  pro toco l, and  to  su p p o rt th e  general p a ra m e t­
ric verification  th a t  we form alized using th e  p roo f a ss is tan t PV S. B ased 
on th e  derived p a ram e te r co n stra in ts  we propose instances o f B M P  th a t 
are correct ( a t  least in  our m odel) b u t have a faster b it ra te  th a n  the  
in stances th a t  are com m only im plem ented  in  hardw are.
Keywords. b iphase m ark  protocol, form al m ethods, m odel checking, 
theo rem  provers, tim ed  au to m ata .
1 In trodu ction
The biphase mark protocol (BMP) is a fundamental protocol th a t is widely 
used in applications where data written by one device is read by another. It is 
used, for instance, in microcontrollers such as the Intel 82530 Serial Communi­
cations Controller [24], in some optical communications and satellite telemetry 
applications, and for communication between consumer electronics devices. A 
variation of biphase mark, called “Manchester” , is used in the Ethernet. The 
first rigorous, formal analysis of (some instances of) the protocol was carried out 
by Moore [27] using the Boyer-Moore theorem prover Nqthm [10]. Moore used 
the biphase mark protocol to illustrate a formal, logical model of asynchronous
* S u ppo rted  by EU  IS T  p ro jec t IST-2001-35304 A dvanced M ethods for T im ed  System s 
(A M E T IST ).
** S u ppo rted  by N W O  p ro jec t 612.062.000 A rch itec tu re  for S tru c tu rin g  th e  requ ire­
m en ts Specification of E m bedded  Safety-critical System s (ASSESS).
communication. We refer to [27] for additional information and references on 
BMP.
In this article, we present the results of our efforts to model and analyze the 
biphase mark protocol using the verification tools U ppaal and PVS. Our model 
generalizes Moore’s model, since it incorporates “clock jitte r” and the distortion 
in the signal due to the presence of an edge is not limited to the time-span of the 
cycle during which the edge was written. We use U ppaal [26], a model checker 
for networks of timed autom ata, to automatically prove correctness of several 
instances of the protocol and to find error scenarios based on some incorrect 
instances. These experiments suggest constraints on the model parameters that 
are necessary for correctness. Using the proof assistant PVS [28] we establish 
that these constraints are in fact sufficient for correctness. Our main objective 
for this article is to demonstrate tha t the timed autom ata framework [2] allows 
for natural, straightforward modeling and analysis of this type of physical level 
communications protocols. Methodologically, our results are interesting since we 
use two different tools — the model checker U ppaal and the proof assistant PVS 
— in a combined manner to analyze a single system. Both tools play a vital and 
complementary role in our analysis. As a byproduct of our efforts, we manage to 
find instances of BMP th a t are correct (at least in our model) but have a faster 
bit rate than the instances tha t are commonly implemented in hardware.
Outline. Section 2 contains an informal presentation of the protocol. In Sec­
tion 3 we present our UppAAL model and the param eter constraints tha t we 
inferred by trying to  verify several instances of the protocol with UppAAL model 
checker. Section 4 describes a straightforward encoding of the (semantics of) the 
UppAAL model within the higher order logic input language of the proof assis­
tant PVS. Section 5 reports on the formalization with PVS of the (manual) proof 
that the param eter constraints are sufficient for correctness. In Section 6, we in­
vestigate the consequences of the derived param eter constraints. In particular, 
we show how to syntesize the instance of BMP with the fastest bit rate given an 
upper bound on the time needed for the signal to stabilize after occurrence of 
an edge. Finally, Section 7 discusses related work and draws some conclusions.
The full U ppaal and PVS sources are available at the URL
h ttp :/ /w w w .c s .ru .n l/ i ta /p u b lic a t io n s /p a p e rs /fv a a n /B M P .h tm l.
2 Inform al D escrip tion  o f th e  P rotoco l
Essentially, the biphase mark protocol is just a convention for representing both 
a string of bits and clock edges in a square wave. In the protocol (see Figure 1, 
taken from [27]) each bit of a message is encoded in a cell, which consists of a 
number of clock cycles and which is logically divided into a m ark subcell and a 
code subcell. A typical configuration is 16 cycles for the mark subcell and another 
16 for the code subcell. The signal, which at any time is either high or low, always 
changes value right at the beginning of a cell. In addition, if the signal encodes 
a “1” the value also changes right at the beginning of the code subcell. If a cell 









if  these two signals are 
equal, a 0 was sent
if these two signals are 
different, a 1 was sent
F ig . 1. Biphase mark terminology.
0 0 0message
decode the bit string again from the square wave, a decoder waits for an edge 
that marks the beginning of a cell and then samples the wire after a specified 
number of clock cycles ( the sampling distance). If the value just after the edge 
agrees with the sampled value then the decoder assumes a “0” has been sent, 
otherwise it assumes a “1” has been sent.
A clear advantage of BMP over, say, the naive scheme in which a “1” is en­
coded by a high signal and a “0” by a low signal, is th a t BMP “synchronizes” 
the clocks of coder and decoder at the beginning of each cell. In a setting with 
unreliable clocks, a decoder might not see the difference between the naive en­
coding of 10000 consecutive 1’s, and the naive encoding of 10001 consecutive 1’s. 
If BMP is used this problem does not arise, except of course when clocks become 
excessively (depending on the other parameters of the protocol, usually 4 or 5 
orders of magnitude worse than common clock crystals provide) unreliable.
Proving correctness of physical implementations of BMP is nontrivial due 
the combination of at least three factors:
1. A physical system can not generate a perfect square wave. Edges will not be 
vertical or square: an electrical signal changes continuously and may even 
“ring” before stabilizing at its new level. In our model we will assume that 
the value of the signal is nondeterministically defined (reading may produce 
any value) during some bounded interval after the coder generates an edge.
2. If a signal is constant throughout a clock cycle then we may assume that 
sampling of this signal by the decoder yields the correct value. However, if 
the value changes during a clock cycle then any value may come out as we do 
not know at which point during the cycle sampling takes place. In our model 
we will assume tha t the decoder samples the signal nondeterministically at 
some point during each clock cyle.
3. Physical clocks drift (that is, their rate may be too high or too low) and 
exhibit jitte r (that is, their rate may change over time). In our model we 
will assume th a t the clock rates of sender and receiver are contained in an 
interval, so tha t subsequent clock ticks may be separated by any length of 
time in tha t interval.
3
As a consequence of these complications, one can easily imagine scenarios in 
which, for instance, a decoder altogether misses an edge and completely garbles 
the remainder of the signal (in Section 3.10 we will present such scenarios). In 
this article we identify the precise constraints on the various parameters of the 
protocol (lengths of clock cycles, time before signal stabilizes, et cetera) that 
must be met in order to ensure correctness.
3 U ppaal M odel and A nalysis
In this section, we describe the model tha t we constructed of the biphase mark 
protocol and the analysis results tha t we obtained using the timed model check­
ing tool U ppa a l . For a detailed account of U ppaal we refer to [26] and to 
h ttp ://w w w .uppaal.com .
3.1 A rc h ite c tu re
Figure 2 presents the overall architecture of our U ppaal model. The model
F ig . 2. Architecture of the U ppaal model.
consists of a network of 7 timed autom ata (shown as rectangles), which commu­
nicate via shared variables (circles) and synchronization actions (labeled arrows). 
Automaton C lock  models the hardware clock at the coding side. The automa­
ton C o d e r models the encoding process: based on a sequence of bits (which 
is received via variable in )  and the tick  events from the C lock  automaton, it 
generates edge events tha t determine a square wave. W ithin our model, the 
environment (which is represented by the tester) places a new bit in variable 
i n  whenever the C o d e r is willing to accept a g et event. The W ire  automaton 
nondeterministically transforms the perfect square wave from the C o d e r into 
a signal whose value, stored in variable w, is nondeterministically defined dur­
ing a specified interval after the coder generates an edge. Automaton C lock2,
4
which is similar to Clock, models the hardware clock at the decoding side. The 
Sam pler automaton periodically copies (samples) the value of variable w into 
variable new. The Boolean variable s is used to coordinate the sampler and 
clock. Automaton D ecoder models the decoding process. If at the occurrence 
of a clock tick automaton D ecoder observes that the value of new  has changed 
it starts counting a specified number of clock ticks and then compares the value 
of new  after those ticks with the value it had before. Depending on the outcome 
it places either a 0 or a 1 in register out and informs the environment about 
the fact that a new bit has become available via a p u t action. The automaton 
Tester, finally, nondeterministically selects bits, places them in register in  upon 
request and checks whether the sequence of bits delivered via register out agrees 
with the sequence entered via register in . Whenever it observes a discrepancy, 
the T ester automaton jumps to a designated error location. Hence, in order to 
establish correctness we must prove that the error location can not be reached.
3.2 M odel P a ram e te rs
Figure 3 lists the parameters that are used in the model (constants in Uppaal 
terminology) and gives an example instantiation. The domain of all parameters 







Fig. 3. Parameters of the Uppaal model.
of the number of clock cycles. Similarly, mark and sample specify the size of the 
mark subcell and the sampling distance, respectively. This specific configuration 
is used in the Intel 82530 Serial Communications Controller [24]. Constants min 
and max specify the minimum and maximum number of time units in a clock 
cycle (say, measured in nanoseconds); we assume 0 < min < max. Constant 
edgelength specifies the number of time units needed for the signal to stabilize 
after occurrence of an edge. The values listed for min, max and edgelength are 
not meant to be realistic — our model’s clocks are much worse than any that 
are used in real machines [14].
3.3 F irs t Clock
Timed automaton Clock models the hardware clock at the coding side. The 




single transition. The automaton performs a synchronization action t ic k ! when 
its clock x  has reached a value between min and max, and then returns to its 
initial state by resetting x.
3.4 T he C oder
We worked hard to make all the timed automata as simple as possible. As a 
result of our efforts, all automata in our model have at most 5 locations.1 The 
automaton Coder, displayed in Figure 5, is one of the two timed automata in 
our model with 5 locations. The automaton C oder describes how the biphase 
mark protocol encodes a string of bits and clock edges into a square wave. In its 
initial location C0 the automaton immediately (the location is urgent) jumps 
via a g e t? transition to location C1, thereby telling the environment that it is 
about to fetch a new bit from the i n  register. In the location C1, which is also 
urgent, an edge is generated and the automaton jumps, depending on the bit 
that is being transmitted, either to location C2 (in case in  =  1) or to location 
C3 (in case in  =  0). A local integer counter n  is used to count clock ticks. 
Upon entering location C2 the automaton waits until mark clock ticks have 
occurred, and then generates an edge and jumps to location C3. In location C3 
the automaton waits until cell clock ticks have occurred and then jumps back 
to its initial location to transmit the next bit. In our model, we assume that 
there is always a next bit to transmit. It should not be difficult to generalize our 
work to a setting where sometimes the environment has no more bits available 
for transmission.
3.5 T he W ire
The W ire  automaton, displayed in Figure 6 , is introduced to model our as­
sumption that it takes edgelength time before an electric signal stabilizes after 
occurrence of an edge. The Boolean variable v is toggled when an edge? event 
occurs. Thus, v evolves according to the perfect square wave that is generated 
by the C oder. There is also another Boolean variable w, whose values reflect
1 A ctually , th e  num ber of locations is no t a  good m easure of com plexity  since in  th e  
presence of in teger variables each tim ed  a u to m a to n  is triv ia lly  equivalent to  one 
w ith  ju s t a  single location . W ith o u t in troducing  any ad d itiona l in teger variables or 
coding tricks we could have easily reduced  th e  num ber of locations of th e  Coder 
a u to m a to n  to  3 if U ppaal would have p e rm itte d  us to  decora te  tran s itio n s  w ith  




the actual observations that can be made on a physical wire. In the initial loca­
tion W 0 the wire is stable and the values of v and w  agree. Upon occurrence of 
an edge? the W ire  automaton moves to the unstable location W 1 in which w  
can be assigned any value at any time. After being unstable for edgelength time 
units, the system moves back again to the stable location W 0 and the value of 
w  settles to v. For the parameter assignments for which the BMP is correct the 
C oder never generates an edge if the W ire  is in location W 1. We will prove 
this by establishing that location W 2 is unreachable in the full system for any 
of the parameter assignments that we consider.
We find it convenient to give names to all the transitions in an automaton. 
This is achieved by misusing the broadcast primitive in U ppaal: the broad­
cast actions fu zz  ! and settle ! do not synchronize with actions from any other 
automaton, but are just there to give transitions a name.
In our model we assume instantaneous message delivery: edges generated by 
the C oder may be detected instantaneously by the D ecoder. We claim that the 
constraints on the parameters that we derive in this paper to ensure correctness 
are not affected when we introduce a fixed transmission delay for all edges. 
However, we do not formally prove this claim in this article.
3.6 T he Sam pler
The Sam pler automaton, displayed in Figure 7, only has a single location and 




w  to a variable n ew  that is used as input for the decoder. To ensure that the 
sample transition occurs exactly once during every clock cycle we use an auxiliary 
Boolean variable s: if s =  0 then the sampler may sample and if s =  1 then the 
(decoder) clock may tick. Only the samples taken during the mark and sample 




The Clock2 automaton, displayed in Figure 8, models the hardware clock at the 
decoding side. This automaton is exactly the same as the Clock at the coder 
side, except that it also reads/writes variable s to ensure strict alternation of 
the sample and tock actions.
s := 0
Fig. 8. Clock2.
3.8 T he D ecoder
The D ecoder automaton, shown in Figure 9, models in a straightforward man-
8
Fig. 9. Decoder.
ner the decoding of the (sampled) wire signal into a bit string. The automaton 
uses a local Boolean variable o ld  to record wire values it has seen earlier. Like 
the C oder automaton, the activity of the D ecoder automaton is driven by 
clock ticks. In the initial location D0, each clock tick causes the automaton to 
compare the most recent value that has been sampled from the wire (new ) with 
the value stored in old. As long as these values remain the same no action is 
taken. But as soon as the values of old and new  become different, the automa­
ton concludes that an edge has occurred, moves to location D1, and toggles the 
value of old. In location D1 the automaton waits until sample clock ticks have 
occurred (counted using a local integer variable m) and then jumps to location 
D2. If at that point in time new  equals old then output variable out is assigned 
the value 0, otherwise out is assigned the value 1 (cf Figure 1). In a subsequent 
transition that occurs immediately, the environment is informed that a new out­
put has been produced (via a p u t! synchronization) and the D ecoder returns 
to its initial location.
3.9 T he Tester
Figure 10 depicts the T ester automaton, the seventh and last component of 
the model. This automaton is not part of the biphase mark protocol but just 
a highly nondeterministic environment of the protocol that has been designed 
to test its correctness. If the protocol (the C oder in fact) asks for a new bit, 
the T ester puts a nondeterministically selected bit in shared variable i n . The 
T ester remembers which bits it has sent to the protocol; in  and buf store the 
most-recent two bits sent. If a third bit is requested by the C oder the overflow 
location T3 is reached We will prove that for all parameter assignments for which 







by the C oder but not yet delivered by the D ecoder. While searching for error 
scenarios that arise for parameter assignments that do not satisfy the constraints, 
we will encounter instances of our model in which two bits can be inside the 
protocol. We felt no need to model a tester that can handle situations in which 
three or more bits are sent but not yet received. Whenever the protocol (the 
D ecoder) produces an output, the T ester checks whether this is the expected 
value. If it is correct, the T ester forgets the value, otherwise it jumps to a special 
E rro r location. If the protocol is correct then the E rro r location can not be 
reached.
3.10 U ppaal A nalysis R esults
The set of reachable symbolic states of our model is relatively small, and for all 
properties and parameter assignments that we tried, Uppaal managed to estab­
lish validity or produced a counterexample within a second (running Upppaal 
version 3.4.7 on a standard PC). Some basic well-formedness properties that 
we tested are that the system contains no deadlocks, the coder never starts an­
other voltage transition (edge) while the W ire  automaton is still in its unstable 
location, and that there are never more than two bits in transit in the protocol:
A[] not (deadlock or Wire.W2 or T ester.T 3).
But the key correctness property, of course, is that the T ester never enters the 
E rro r location:
A[] not (T e s te r .E rro r) .
10
Whether these properties hold depends on the specific choice of the parameter 
values. Through playing with different parameter assignments, and replaying the 
error traces in the simulator, we discovered that there appear to be essentially 
three different scenarios that may lead the T ester to the E rro r location: (1) 
the decoder may miss the edge at the beginning of a cell, (2) the decoder may 
sample too early, or (3) it may sample too late.
The first error scenario is illustrated in Figure 11. In this scenario, the coder
Coder start transmission of 1
Coder completes mark phase maximally fast 




I 1 max max
t
t Sampler samples at very end long clock cycle
Sampling at very beginning long clock cycle
Fig. 11. First error scenario: decoder misses edge at beginning of cell.
transmits a 1 and passes through the mark phase (location C2) maximally fast. 
This means that mark • min time units after the edge event that marks the 
beginning of the cell we already see the edge event that marks the end of the 
mark phase (the line labeled v in Figure 11). We assume that after the first 
edge the wire remains unchanged maximally long, that is edgelength time units, 
whereas after the second edge the wire immediately takes the new value (the 
line labeled w  in Figure 11). Now the decoder may altogether miss the voltage 
change on the wire if it (1) operates maximally slow for two clock cycles, (2) 
samples at the very beginning of the first clock cycle, just before the value of w  
changes, (3) samples again at the very end of the second cycle, right after the 
value of w  has changed again. In order to avoid this error scenario, the following 
constraint on the parameters must be met, which ensures that an edge at the 
beginning of a cell will always be detected by the decoder:
mark • min > 2 • max +  edgelength (1)
11
The second error scenario, in which the decoder samples too early, is illus­
trated in Figure 12. In this scenario, the C oder operates maximally slow whereas 
the decoder operates maximally fast. The C oder transmits a 1 and remains in
Coder starts transmission of 1 Coder completes mark phase maximally slow
mark * max edgelength
w
new (sample -  1) * min
' min -fc
X  j  Decoder receives 0
/  High voltage sampled at beginning clock cycle
Sampling at end of cycle, right after edge is generated
Fig. 12. Second error scenario: decoder samples too early.
the mark phase maximally long, that is mark • max time units elapse between 
the two edge events (line labeled v in Figure 12). This time, the wire immedi­
ately takes on the new value after the first edge, and sticks to the previous value 
maximally long after the second edge (line labeled w  in Figure 12). The decoder 
immediately detects the first edge and operates maximally fast. This means that 
the clock cycle in which it samples the value that will determine whether a 0 or 
a 1 will be decoded starts after (sample — 1) • min time units. If we assume that 
sampling takes place at the very beginning of this clock cycle, then the wrong bit 
(namely 0 instead of 1) will be decoded if the sampling takes place right before 
w  changes its value for the second time. In order to avoid this error scenario, the 
following constraint on the parameters must be met:
(sample — 1) • min > mark • max +  edgelength (2)
This constraint ensures that the decoder will not sample too early.
The third error scenario, in which the decoder samples too late, is illustrated 
in Figure 13. In this scenario the C oder operates maximally fast whereas the 
decoder is maximally slow: at the point where the decoder samples the coder 
has already started with the transmission of the next bit. In order to avoid this 
error scenario, the following constraint on the parameters must be met, which 
ensures that the decoder does not sample too late:
cell • min > (sample +  2) • max +  edgelength (3)
12
Coder completes transmission maximally fast 
» • •  * cell * min
Coder start transmission of 0
Decoder detects edge 
Sampling at very beginning clock cycle
Fig. 13. Third error scenario: decoder samples too late.
An obvious question that arises is whether the three constraints introduced 
above are enough to ensure correctness: is the error location unreachable for all 
parameter assignments that satisfy constraints (1), (2) and (3)? This question 
can not be answered using Uppaal, since Uppaal can only compute the set of 
reachable states for a fixed parameter assignment, and there are infinitely many 
parameter assignments that satisfy the three constraints. Using deductive veri­
fication and the theorem prover PVS, we will establish in the next two sections 
that the three constraints together indeed guarantee correctness.
4 T ranslating th e  U ppaal M odel into P V S
For the verification of the correctness of the biphase mark protocol with the 
given parameter constraints in a symbolic fashion we use the theorem prover 
PVS, which is a higher-order logic theorem prover developed by SRI [28]. We 
employ a framework in PVS that provides us with the standard definitions for 
automata and a guideline as to how to translate automata from Uppaal to PVS. 
The translation is intended to ensure that the PVS model closely resembles the 
Uppaal model, so that it is easy to validate and to propagate changes from one 
model to the other.
An automaton in Uppaal consists of a number of locations, some state vari­
ables and clocks, and transitions (labeled arrows) from one location to another; 
the transitions may also be labeled with assignments to the state variables and 
clocks, and they may be annotated with guards. Our translation deals with each
13
of these parts of the automaton in turn, yielding a PVS model containing loca­
tions, state variables, and transitions. The translation of the automata in our 
U ppaal model from diagrams into our PVS framework in  general proceeds as 
follows:
1. The locations and state variables of the Uppaal model are modeled in PVS 
as enumerations and records, respectively.
2. Anonymous transitions (transitions not labeled with an action label) need 
to be labeled to distinguish them. There are none in the Uppaal model we 
have, since all of its transitions are labeled.
3. Our approach focuses on local translations — each automaton is translated 
into PVS with no regard for the context it will be placed in. Shared variables 
complicate this, because they require that two independently translation au­
tomata synchronize on an otherwise invisible action (i.e. assignments to the 
shared variables). Therefore we make that synchronization explicit. Shared 
variables are replaced by local variables whose values are synchronized via 
a parameter of the transition. For instance, the get! action is replaced by a 
get!(b) where b is the value generated by the tester and read by the coder.
4. The union of the sets of events of all the automata in the system is used as 
the global set of events. Explicit time delay is included as delay(d).
5. For each automaton, we define a local state and a local transition relation, 
as well as the local initial state. The local transition relation must deal with 
the global set of events — this is because our translation is a simple one and 
does not take into account which events are relevant for which automata. No 
change should occur in response to events not used locally in the automaton.
6 . The parallel composition of the automata is constructed by hand. The global 
state is a record containing the local states of each automaton. The global 
initial state is exactly the product of the local initial states.
7. The global transition relation applies each local transitions to the appropri­
ate local state; since all local transitions are given the global event, synchro­
nization on shared events in the run is obtained.
We will perform each of these steps for the model of the biphase mark protocol 
in the following sections. There is one place where we diverge from the U ppaal 
model in Section 3: we translate the product automaton of the sampler and the 
second clock, instead of translating each individually. The reason for doing so 
is that the shared variable s, which ensures strict alternation of actions in the 
automata, is not used in a way that our shared-variable translation can deal with. 
It is, in the end, simpler to translate the product automaton than to invent a 
complicated translation that can deal with the shared variable.
4.1 M erging A u to m ata
The product automaton of the sampler and the second clock is easy to calculate, 
and yields an U ppaal diagram like the one in Figure 14. We use this automa­
ton instead of the two separate ones because both automata write to the shared
14
y <= max 
SO
S a m n le t y <= max
S1
y  > =  m in
Fig. 14. Product of automata for sampler and decoder clock.
variable s, which makes our simple-and-straightforward translation to PVS in­
applicable.
In this merged automaton, we have two locations, that represent the state 
s =  0 and s =  1 of the separate automata; again, Sample! and tock! events occur 
in turn, with no more than max time between tock!s.
4.2 R em oving Shared  V ariables
There are a few shared variables in the Uppaal model, as shown in Figure 2. 
These are:
— in, between coder and tester.
— w, between wire and sampler.
— new, between sampler and decoder.
— out, between decoder and tester.
— s, the variable shared between the sampler and the second clock, is not
needed, since we use the product of those two automata instead.
Each of the uses, (reads or writes), of one of these shared variables can be 
changed into a parameterized event so that all variables become local. Consider 
in, shared between the coder and the tester. The tester nondeterministically sets 
the value of in on several transitions labeled with get!. These can be replaced 
by a parameterized get!(b) that represents the shared assignment in :=  b. In the 
coder, there is only one transition labeled get?, and the (shared) value of in is 
used in urgent transitions immediately afterwards. We replace it by get?(b), and 
save the value in a local variable in. It is straightforward to prove that the values 
of both local variables in in the two automata are always equal, which is what 
we would expect of a shared variable.
Similarly, the value w that is read from the wire by the sampler can be added 
as a parameter to the action Sample!. The wire’s local transition allows a Sample! 
transition with parameter b only when the wire variable w has the value b. The 
sampler’s transition tock! triggers a read of the value of new in the decoder. We 
can add the value of new as a parameter to it and use that value where needed.
Finally, the value of out is written by the decoder when it does a put! action, 
and the tester reads the value immediately. Here too, adding a parameter to pass 
the value put by the decoder removes the need for a shared variable.
15
The collection of events in PVS is represented by an abstract datatype — this 
means that we automatically have axioms that the events are distinct, as one 
would expect from an enumeration of all the distinct kinds of events. The PVS 
code is shown in Figure 15. We see the four parameterized actions, two actions 
without parameters, the two broadcast actions with no parameters ( s e t t l e  and 
fuzz), and the additional delay event representing the passage of time. Note 
that delay is parameterized by a posreal, i.e. a positive and non-zero amount of 
time. This means that in our PVS model, there are no events which delay by zero 
time. This is a subtle difference with the Uppaal semantics, where zero delays 
are possible (they do not change the state or the value of any clocks though, so 
their deletion from the PVS model does no harm).
BMActions : DATATYPE BEGIN
4.3 R e p re se n tin g  E v en ts
d e la y ( d :p o s r e a l )  : d e la y ? % Time d e la y
t i c k  : t i c k ? % S ender c lo c k  t i c k
to c k (w :b o o l)  : to c k ? % Sam pler c lo c k  t i c k
g e t ( b :b o o l )  : g e t? % Get m essage b i t
p u t ( b :b o o l )  : p u t? % Message b i t  r e c e iv e d
edge : edge? % C oder i n v e r t s  w ire v a lu e
fu z z  : fu z z ? % W ire d u r in g  edge
s e t t l e  : s e t t l e ? % W ire s t a b i l i z e s  to v a lu e
sam p le (w :b o o l) : sam ple? % Sample from  w ire
END BMActions
Fig. 15. PVS Datatype for the Events of the biphase mark protocol.
4.4 Local S ta tes and  T ransitions
The aim of the translation into PVS is to prove that the parameter constraints 
that have been deduced in Section 3.10 are correct, i.e. that all choices of param­
eters within those constraints yield a correct protocol. We attempt to remain as 
close as possible to the U ppaal model, so that it is intuitively clear that the PVS 
model represents the diagrams accurately. To this end we will do the following 
for each automaton: define an enumeration of the locations of the automaton (if 
it has more than one) so that we can refer to those locations by name; define 
a record that holds the location of the automaton and its local variables and 
clocks; define a transition relation on the local state where the primary selec­
tion is by event. This means that the transition relation is written in PVS like 
“if event is delay, then do this; else, if event is get, then do this ; . . . ” — the 
uniformity of expression defining the transition relation is important in partially 
automating proofs over the automaton.
The remainder of this section shows the translation of specific automata — 
the Clock, the Coder — in more detail.
16
T h e  Clock: The clock has only one location, and a single clock named x, so the 
record structure for the state of the clock is very simple: a single field for the 
clock x, as can be seen in Figure 16. One might argue that this representation 
could be simplified, down to identifying the state of the Clock with the value of 
the clock variable x, but we believe that consistency in structure is important 
for the automation of proofs.
There are two different transitions that the clock can take: time can pass 
(subject to the location invariant), or the clock can tick (subject to the transition 
guard). The PVS code for this does a case distinction on the event in order to 
determine whether a given state-transition is allowed. The PVS code for the 
transition is shown in Figure 16. The PVS code defines a record type ClockState
C lo c k S ta te  : TYPE+ = [# x :T im e #] ;
C lo c k T ra n s i t io n (s :C lo c k S ta te ,a :B M A c tio n s ,s _ :C lo c k S ta te )  : b o o l =
CASES a  OF
d e la y (d )  : s _ ‘x <= max AND s_ = s WITH [ x :=  s ‘x+d ] ,  
t i c k  : s ‘x >= min AND s_ = s WITH [ x := 0  ]
ELSE s_  = s
ENDCASES ;
Fig. 16. PVS code for the Clock’s state and transition relation.
(the [#  # ]  indicate a record) with a single field x for the clock. The transition 
relation for the clock is named C lockTransition and is a function of three 
variables, yielding a Boolean value. The parameters are s and s_, the local from  
state and the local to state, while a is the global event that occurs; the transition 
relation must state whether the transition from local state s to s_ when the 
system performs an action a is allowed. The transition relation is defined using 
a CASES statement, where we can list the events that change the local state of 
the clock. We see the use of the ELSE clause in the CASES expression in order to 
deal with “all-the-events-not-mentioned-yet.” The CASES statement is required 
to be total by PVS, so we use the ELSE clause to make it so. It is important 
to state that the state stays the same (s_ = s) when unhandled events occur, 
since otherwise the state is allowed to change nondeterministically when other 
automata perform an action.
The two events that are relevant for the Clock automaton are handled by 
writing the precondition (either the location invariant or the transition guard) 
in conjunction with an expression stating how the local variables should be 
updated. The update expression is typically written as s_ = s WITH [  E ]. The 
expression s WITH [ E ] has the value of the record s with the fields named in 
E updated by assignment; we read this as calculating the new state based on s 
and asserting that state s_ is that state. For the delay event, we need to check 
that the location invariant is not violated by a delay of d time, and the clock
17
x must advance by d for the transition to be acceptable. In a similar vein, the 
transition for tick conjoins the transition guard with the resetting of clock x.
Coder: The structure of the coder is far complex than that of the Clock. There 
are only 3 event types (get, edge, tick) that need to be handled, but since the 
event labels occur multiple times in the diagram the expressions stating legality 
of a particular state-transition are more complex. The presence of urgent loca­
tions adds the delay event to the list-of-events-to-handle. In Figure 17 we see 
that in has become iv  — this is because in  is a reserved word in PVS. The value
C o d e rL o ca tio n s  : TYPE+ = { c0 , c1 , c2 , c3 , c4 } ;
C o d e rS ta te  : TYPE+ = [# 
lo c  : C o d e rL o c a tio n s , 
n  : b e lo w [ c e l l ] ,
iv  : b o o l 
#] ;
Fig. 17. PVS code for the Coder’s state.
iv  is represented by a Boolean value; 0 or 1 would serve as well, but require an 
additional type definition. State component n is declared to be below [cell] , 
which means n  < cell; PVS requires that we prove this (which is trivial and done 
automatically with typecheck-prove).
The transition relation for the Coder is fairly straightforward. Delay events 
cannot happen when the Coder is in locations c0, c1 or c4 since these are urgent 
locations (and recall that delays are non-zero in our PVS model), but the state 
of the coder must stay the same when delay actions do occur otherwise. The 
PVS code is shown in Figure 18.
The event get? can only occur when the Coder is in location c0, and it is 
accompanied by a change in location and saving the parameter value to a local 
variable. This is straightforward enough. The edge! event can occur in one of 
three places; we write a disjunction of the transition expressions for each of those 
three distinct transitions. Each one of those transition expressions — as usual
— checks that the initial location is correct, checks the guard on the transition, 
and states what the resulting state must be. Finally tick? occurs in four places 
in the diagram, and each of these is dealt with similarly.
Other Autom ata: The other automata in the system (the wire, the sampler with 
the second clock, the decoder and the tester) are all straightforward to translate
— the state consists of a few fields for the local variables, and the transitions 
are all of types similar to what we have already described. The complete PVS 




CASES a  OF 
d e la y (d )  
g e t ( b )  
edge
t i c k
ELSE
ENDCASES
( s ‘ lo c  = c2 OR s ‘lo c  = c3 ) AND s_ = s ,  
s ‘ lo c  = c0 AND s_ = s WITH [ lo c := c 1 ,  iv:= 
( s ‘ lo c  = c1 AND s ‘ iv  AND 
s_ = s WITH [ lo c := c 2  ] ) OR 
( s ‘ lo c  = c1 AND NOT s ‘ iv  AND 
s_ = s WITH [ lo c := c 3  ] ) OR 
( s ‘ lo c  = c4 AND
s_ = s WITH [ lo c := c 3  ] ) ,
( s ‘ lo c  = c2 AND s ‘n < m ark-1 AND 
s_ = s WITH [ n : = s ‘n+1 ] ) OR 
( s ‘ lo c  = c2 AND s ‘n = m ark-1  AND
s_ = s WITH [ lo c := c 4 ,  n : = s ‘n+1 ] ) OR 
( s ‘ lo c  = c3 AND s ‘n < c e l l - 1  AND 
s_ = s WITH [ n : = s ‘n+1 ] ) OR 
( s ‘ lo c  = c3 AND s ‘n = c e l l - 1  AND 
s_ = s WITH [ lo c := c 0 ,  n := 0  ] ) 
s_  = s
;b ] ,
F ig .18. PVS code for the Coder’s transition relation.
4.5 G lobal S ta tes and  T ransitions
The global state of the entire system is of course the product of all the local 
states of the constituent automata. The easiest way to achieve this in PVS is 
to define a new record with one field for each of the constituent automata, as 
shown in Figure 19. This global state contains no global variables, and hence 
the composition of the transition relations is straightfoward as well.
G lo b a lS ta te  
now 
c lo c k  
co d e r 
w ire  
sam p le r 
d eco d e r 
t e s t e r  
#] ;
TYPE+ = [# 
Tim e,
C lo c k S ta te ,
C o d e rS ta te ,
W ire S ta te ,
S a m p le rS ta te ,
D e c o d e rS ta te ,
T e s te r S ta t e
Fig. 19. Global state of the system model of the biphase mark protocol.
The transition relation for the global state is the conjunction of the local 
transitions for each automaton applied to the local states; the event a is passed
19
to each local transition, along with the relevant local state. By having a struc­
tured and straightforward representation of the global state, the global transition 
becomes straightforward as well and we can later apply some automation to the 
calculation of next-states in the executions of the global automaton. The global 
transition relation is shown in Figure 20.
G lo b a lT ra n s i t io n ( s :G lo b a lS ta te ,a :B M A c tio n s ,s _ :G lo b a lS ta te )  : b o o l = 
s _ ‘now = s ‘now + IF  d e la y ? (a )  THEN d (a )  ELSE 0 ENDIF AND 
C lo c k T r a n s i t i o n ( s ‘c l o c k , a , s _ ‘ c lo c k )  AND 
C o d e r T r a n s i t io n ( s ‘c o d e r , a , s _ ‘ co d e r) AND 
W ir e T r a n s i t io n ( s ‘w i r e , a , s _ ‘w ire )  AND 
S a m p le r T r a n s i t io n ( s ‘s a m p le r ,a , s _ ‘sam p le r)  AND 
D e c o d e rT ra n s i t io n ( s ‘d e c o d e r ,a , s _ ‘d e c o d e r)  AND 
T e s t e r T r a n s i t i o n ( s ‘t e s t e r , a , s _ ‘t e s t e r )
Fig. 20. Global transition relation of the biphase mark protocol.
5 P rovin g C orrectness, w ith  V ariations
The proof of the correctness of the biphase mark protocol was fairly straightfor­
ward, in large part thanks to the invariants turned up by the experimentation 
with Uppaal. The additional verification found one omission in an invariant, 
which was repaired by strengthening it; this enabled us to prove the correctness 
of all instances of the protocol within the parameter space.
The proof in PVS of the correctness of the protocol and the necessity of 
the given bounds on the parameters is purely symbolic, and shows that every 
instance that falls within the parameter constraints suggested by the U ppaal 
analysis is correct. The proof proceeds by collecting 37 invarants and verifying 
each invariant in turn; together, these invariants imply the global correctness of 
the protocol.
I  : THEOREM
LET T = R‘s t a t e s ( i ) ‘t e s t e r  IN
NOT (T ‘lo c  = t 3  OR T ‘ lo c  = e r r o r  ) ;
Fig. 21. PVS code for main correctness theorem. The expressions for T represents 
the state of the Tester at index i of run R, while T 'lo c  represents the location 
the Tester is in.
The global statement of correctness is much as in the Uppaal verification: 
in all executions of the automata for the biphase mark protocol, there is no state
20
of the system in which the tester automaton is in state t3, or in state error. In 
PVS this appears as the theorem shown in Figure 21. In the theorem, the LET 
expression is substituted into the remainder of the theorem (after the IN), and 
the whole theorem is implicitly universally quantified over any unbound variables 
(in this case, index i and run R).
The U ppaal verification — in particular the invariants checked there — 
gives a guideline for the formal verification of the protocol in PVS, but it is not 
a road map. Indeed, as far as U ppaal is concerned, we need not bother with any 
invariant other than that t3 and error are unreachable. This is both the strength 
and the weakness of verification through U ppaal — we verify a single instance, 
or several instances, and though the truth  of U p p aa l’s assertion that location 
t3 is unreachable does not change, we cannot see how this truth is arrived at, 
nor what the most general bounds of the parameters of the protocol might be.
Section 5.1 details the structure of the proof and the approach used, while 
Section 5.2 shows how some automation can be introduced into the proofs in 
order to shorten them and make them more understandable to the human reader. 
Section 5.3 examines the effect of introducing automation into the proofs.
5.1 S tru c tu re  of th e  Invarian t P ro o f
With the model as given the correctness condition is expressed in terms of the 
reachability of locations t3 and error. The correctness condition is given as an 
invariant on the state of the system, as already shown in Figure 21. There are 37 
invariants in all, each of which is proved by induction on the sequence of steps in 
a run of the automaton. The invariants are grouped as follows (Figures 23 and 
24 on page 23 show more detail):
— Invariants of the clock or coder in isolation, named P x  (6 invariants).
— Invariants of the wire, sampler, or decoder in isolation, named Qx (6).
— Invariants of pairs of automata, named Rx (4).
— Invariants of the coder, clock and wire in parallel, named Tx (5).
— Invariants of all but the tester in parallel, named Gx (9).
— Invariants of the system as a whole, named Hx (6).
— The global correctness invariant, I (1).
These 37 invariants were checked with U ppaal on some instances of the pro­
tocol before beginning the PVS verification. In the PVS proof, some invariants 
were re-ordered (since the proof of P5 needed the result of P 6 , for instance), 
and some corollaries were introduced to make proofs shorter. In the P, Q and 
R  groups, each invariant was proved individually. Groups T, G and H were 
proved simultaneously with the following approach (which is tailored to being 
convenient in PVS — mathematically, we are merely showing that the group of 
invariants is inductive):
1. For each invariant I k to be proven in the group, define a predicate I k (R, i )  
that takes an automaton run R  and an index i as parameters that asserts 
the invariant property on the ith state of the run R .
21
2. For each invariant I k, write and prove a lemma L k for the induction step of 
I k as follows (assume n  invariants in the group):
Ii(R , i) A I 2(R, i) A • • • A I n (R, i) ^  I k (R , i +  1)
3. Finally, define a lemma I  for the group as a whole:
Vi . Ii(R , i) A I 2(R, i) A • • • A I n (R, i)
The proof of this lemma is simple: check the base case of the induction, 
(i.e. that in all initial states, each invariant holds individually), and for the 
induction step use lemmata L 1 through Ln.
This approach can be used to find the interdependency graph of the invariants 
as well, by determining which invariant-predicates are not used in each proof. 
Figure 22 shows how the invariants of group G are interdependent — this also 
makes clear that no smaller group could be constructed that is still provable.
Fig. 22. The interdependence of lemmata in group G. An arrow from lemma 
Gj to G j  means that the proof of lemma i needs the result of lemma j.
The “simple” invariants in groups P, Q and R  are the sixteen invariants 
shown in Figure 23. The proof of each of these is fairly straightforward: induc­
tion on the index of the state the invariant is applied to. The base case is trivial 
and solved with (g rin d ), the induction step requires checking the relevant tran­
sitions, which means that the global transition relation G lobalE ffect needs to 
be introduced and expanded to the local transitions. Since these steps are the 
same for every proof, we define a simple strategy (scheme for automation) called 
( a u to - s t a r t )  that starts off an inductive proof by dealing with the base cases 
and the introduction of the local transitions (see Section 5.2 for more details on 
the additional automation).
22
C lock and  C oder 
P1 0 < x < max 
P2 co V ci ^  n =  0 
P3 c2 ^  in  A 0 < n < mark 
P4 c3 ^  0 < n < cell 
P 6 c4 ^  in A n =  mark 
P5 c3 A n < mark ^  —in
W ire, S am pler and  D ecoder
Q1 0 < z
Q2 wi ^  z < edgelength
Q3 0 < y < max 
Q4 do ^  m =  0 
Q5 di ^  0 < m < sample 
Q6 d2 ^  m =  sample
A u to m ato n  P airs 
R1 co V ci V c4 ^  x =  0
R2 so A z > y +  edgelength +  max ^  w =  new  
R2 si A z > y +  edgelength ^  w =  new 
R3 d2 ^  y =  0 
R4 wo ^  v =  w
F ig .23. The “simple” invariants of at most two automata.
These sixteen invariants, along with one additional support lemma, take 204 
proof steps to prove. Each invariant depends only on the invariants preceding it 
in the list (hence P 6 and P5  are reversed, since the naming of the invariants was 
established before the proofs were begun). Additional automation can reduce the 
number of steps taken considerably (i.e. by half), which we will examine shortly.
The remaining invariants are divided into four groups. The groups T, G and 
H are intra-dependent, which was partly illustrated in Figure 22, while group
I contains only a single invariant. Figure 24 shows the invariants. The effort 
for each intra-dependent group is far greater than the effort for the simpler 
invariants listed above. The T group of five invariants requires 432 proof steps
— again, with additional automation this can be reduced considerably.
The G group of invariants is by far the most complicated of the nests of 
interdependent invariants, and while proving it the original invariants suggested 
by the Uppaal tests were found to be insufficiently strong to prove the entire 
nest. The invariant G1 needs the additional condition
mark < n  ^  sample • min — mark • max < z
This condition was discovered after staring at the proofs — all of which could not 
be finished because of the lack of this information — for a few days. Once that 
was done, the proofs were fairly straightforward again, with only the question 
of which invariants were dependent on which others.
23
T5 — w2
T6 (co V ci V c4) ^  wo
T7 c2 V (c3 A in) ^  n • min < z — x < n • max 
T8 c4 ^  mark • min < z < mark • max 
T9 c3 A in A mark < n ^
(n — mark) • min < z — x < (n — mark) • max 
Global (except Tester)
G1 do ^  —c4 A (v = new V new = old)
G2 di ^  c2 V c3 V c4
G3 d2 ^  c3 A in = out A v = new A new = old 
G4 do A (co V vi V (c3 A mark < n)) ^  v = old
G5 do A (c2 V c3) A n < mark ^  v = old A z < y + max + edgelength 
G6 di A (—in V c2 V c4) ^
v = old A (m • min < z — y < (m + 2) • max + edgelength 
G7 di A c3 A in ^  v = old A
m • min — mark • max < z — y
< (m + 2) • max — mark • min + edgelength 
G8 d2 A —in ^  sample • min < z < cell • min
G9 d2 A in ^  sample • min — mark • max < z < (cell — mark) • min
Global
H1 di V d2 ^  ti 
H2 do A mark < n ^  to 
H3 do A mark > n ^  co V ti 
H4 c3 ^  to V ti 
H5 ci V c2 V c4 ^  ti
H6 co ^  to_____________________________________________
Global Correctness
I —I ( t 2 V t 3 V error )
Coder, Clock and Wire
Fig. 24. Invariants for three or more automata in parallel.
24
Although invariants H4, H5 and H 6 can be proved easily from H 1-H 3 and 
the G invariants, it turned out that H 1-H 3 need the later H invariants in their 
proofs, which made this a new (though simple) nest of interdependent invariants. 
Finally, I is an almost trivial conclusion of H 1-H 3 and H 6 .
PV S C om m and C oun t N ote
E X IS T E N C E -T C C 1 In serted  by PV S
B ETA 1 R educe function  app lica tion
IN D U C T 2 For invarian t I
SK O LEM 2 M anual in s tan tia tio n
N A M E 2 In troduc ing  abbrev ia tions
T Y P E P R E D 3 N eeded for min < max
IN ST ? 3 A u tom atic  in s tan tia tio n
A SSU M IN G -T C C 3 In serted  by PV S
IF F 5 Split boo lean  equivalence.
S U B T Y P E -T C C 9 In serted  by PV S
A U T O -STA R T 18 P a rtia lly  au to m a ted  s tra teg y
G R IN D 23 Prove au tom atica lly
H ID E 25 Sequent m anagem ent
C O M M E N T 41 Sequent m anagem ent
SKOLEM ! 45 A u tom atic  in s tan tia tio n
R EV E A L 49 Sequent m anagem ent
LEM M A 62 U sing invarian ts
IN ST 67 M anual in s tan tia tio n
CA SE 93 In troduc ing  facts
G RO U N D 115 D ecision procedures
PR O P A X 124 T riv ial decision procedures
R E P L A C E 131 R ew riting
L IF T -IF 139 C hanging CASES to  IF
D E L E T E 149 Sequent m anagem ent
SP L IT 236 C hanging IF to  a sp lit case
U SE 265 U sing invarian ts
EX PA N D 728 U sing defin ition
F L A T T E N 748 Sim plify sequent
A SSER T 1224 Sim plify sequent
Total: 4313
Fig. 25. Proof statistics for first attempt at invariants.
Initial proof statistics, of the hand-made proof with little automation, are 
shown in Figure 25 (these are entirely dependent on the PVS user that creates 
them, though). The statistics show that all the proofs together use only 28 dif­
ferent proof commands, one of which is a locally defined strategy for the purpose 
of initiating automaton invariant proofs ( a u to - s ta r t ) .  Four are sequent man­
agement commands not immediately relevant for the proofs themselves (these 
are (name), (h id e ) , (revea l) and (d e le te )). Three are proof commands au-
25
tomatically used by PVS for proving TCCs, (Type-Check Conditions, normally 
inserted by PVS when it cannot automatically deduce the type of an expression). 
One proof command is inserted by PVS automatically to finish a trivial proof 
(one of the form P  ^  P ). This leaves 19 different commands that are actually 
typed by the user; the vast majority are (a s se r t)  and ( f la t te n ) ,  which follow 
from the habits of the PVS user who made these particular proofs.
It should be clear that the amount of effort to do the proofs is enormous 
compared to the effort involved in the Uppaal verification. The main reason 
for this is that initially it is not clear how each proof should proceed, and there 
is little support built in to PVS for the kind of proofs that need to be done. 
Eventually, we see that the structures of the proofs are remarkably regular, and 
can develop some reusable automation for dealing with them.
There are several existing implementations of additional automation for proofs 
in a specific framework, both in PVS and outside of PVS. One example of far- 
ranging automation is ACL2, which is a highly automated first order theorem 
prover which has been used for the mechanical verification of microprocessors 
[29]. Similar (but much smaller-scale) microprocessor verification has been done 
in PVS, although with no automation [15]. Protocol verification using roughly 
the same framework as we have used here can be found in [12]. Automation of 
PVS proofs in a specific context is mentioned briefly in [17], Section 6.6.1; it 
is a shame that such improvements have not percolated into the standard PVS 
distribution. The TAME modeling environment [5] offers automation for timed 
automata models in PVS.
5.2 In tro d u c in g  A u tom ation  to  th e  Proofs
With the statistics of Figure 25 as a baseline, we can attempt to slim down the 
proofs by introducing additional automation. Two examples that occur quite 
frequently in the proofs are:
— Using (case) to  sp lit up  an  im plication. The PVS command ( s p l i t )  
splits a sequent with an implication as follows:
(A  ^  B )  h C  becomes B  h C  A h A
This throws away the fact that A  holds in the left branch of the proof; hence, 
we often use (case) and (a s s e r t)  in order to achieve:
(A ^  B) h C  becomes A , B  h C  A h A
By creating a tiny strategy ( s p l i t* )  that does this automatically, we achieve 
two things:
1. The proof becomes shorter (in terms of user-entered steps)
2. It becomes clearer where this technique is used, i.e. it distinguishes these 
frivolous uses of (case) from ones where real new facts are introduced.
26
— S plitting  a  CASES s ta te m e n t. When confronted by a large CASES statement 
in a sequent (which is common in the proof of the biphase mark protocol, 
since we have many automata with fairly large transition relation expres­
sions), it is often desirable to split it into one sequent for every case in the 
expression. This has the effect of examining each transition individually. 
Typically, the sequent appears as:
{-1} CASES R !1 'e v e n ts ( i!1 )  OF 
delay(d) : P1 
t ic k  : P2
This can be reduced to a collection of sequents, one for each case in the 
expression, each with a specific event and transition predicate. For instance, 
the second sequent to prove here would be
{-1} t ic k ? (R !1 'e v e n ts ( i!1 ) )  
{-2} P2
This can be achieved by using ( l i f t - i f )  to change the CASES statement 
into a collection of nested IFs, and then using ( s p l i t )  to split the IF state­
ment repeatedly, with the liberal application of ( f la t te n )  and (a s s e r t)  to 
massage the sequent into basic shape (or prove particular subgoals automat­
ically). Automating this process in a single prover command (au to -step ) 
gives us:
1. Shorter proofs
2. A more uniform structure of the proofs
We gain additional flexibility by automatically expanding local transition 
statements and by using the names of local transitions, instead of formula 
numbers. A typical application of the resulting strategy is to expand and sim­
plify the local transition for the Coder with (au to -step  ( ’c "Coder"))).
After re-doing the proofs with the additional automation (and with the 
knowledge that the first run of a proof in PVS is nearly always a bit messy), 
the proof statistics become much smaller. For invariant groups P, Q, R  and T 
results are shown in Figure 26.
This 79% reduction in the number of proof steps is partly attributable to 
the increased automation afforded by the (au to -step ) command. Some of the 
reduction can be attributed to the difference between finding  a proof (the ini­
tial proof attempt) and polishing a proof for presentation. While applying the 
increased automation to the proof we also have the benefit of knowing how 
the proof is supposed to go, and we can judiciously prune the proof of less- 
than-optimal proof explorations. Additionally, it occurs fairly regularly that it 
is unclear whether some subtree in a proof can be proved easily; once the proof 
is done it is clear that (grind) would have done the job as well, so the re-run 
of a proof replaces whole subtrees with (g rin d ) .
27
C om m and Before A fter
E X IS T E N C E -T C C 1 1
IN D U C T 1 1
SK O LEM 1 1
SPL IT * 1
A SSU M IN G -T C C 2 1
T Y P E P R E D 3 1
C O M M E N T 2
G R IN D 9 18
SU B T Y P E -T C C 9 9
CASE 10 6
PR O P A X 12 2
H ID E 13 0
SPL IT 14 9
A U T O -STA R T 16 22
SKOLEM ! 17 11
LEM M A 18 9
IN ST 23 14
D E L E T E 34 17
A U T O -S T E P 35
L IF T -IF 37 1
R EV E A L 38 0
R E P L A C E 45 18
G RO U N D 59 23
U SE 61 55
F L A T T E N 75 32
EX PA N D 111 24
A SSER T 217 77
Total: 826 390
Fig. 26. Proof statistics for groups P, Q, R  and T, before and after automation.
28
Once the structure of the PVS proofs for the biphase mark protocol was clear, 
additional automation was introduced in order to reduce the amount of steps 
used in doing the proofs. The comparisons of numbers of proof steps with and 
without the automation made in the previous section suggest what could have 
been. Future proofs with a simular structure may also benefit from this automa­
tion, using the new proof commands that were introduced:
— (s p l i t* )  Handle implications in a nicer way than ( s p l i t ) .
— (a u to - s ta r t)  Start an automaton proof by introducing local transition re­
lations.
— (au to -step ) Expand and rewrite a local transition relation.
There is a trade-off, though, when doing automated proofs, between brevity 
and comprehensibility. PVS’s tremendously powerful (grind) command can re­
duce many proofs to one step, once the proof has been found. Using (grind) 
when it is unclear that the lemma is sound is unwise, since it takes some time 
to grind its way through the proof, and then it can:
— Fail, returning you to the original proof state and requiring you to do the 
proof by hand anyway, or
— Give you 64 (or some other large number) bizarrely formed subgoals to prove.
Neither of these results of (grind) are really useful for advancing the proof 
itself. Therefore we feel that the use of (grind) should be restricted to those 
proofs that really are trivial. Somewhere in the middle lies the ideal, of a proof 
that is short enough to understand and not so thoroughly automated that it 
is unbelievable. The use of the U ppaal model gives similar results: we know 
something is true, but not necessarily why or whether the fact is interesting. 
Consider invariant G9:
G 9 (R ,i) : b o o l =
LET D = R‘s t a t e s ( i ) ‘d e c o d e r , C = R‘s t a t e s ( i ) ‘ c o d e r ,
W = R‘s t a t e s ( i ) ‘w ire ,  S = R‘s t a t e s ( i ) ‘ sam p le r IN 
D‘lo c  = d2 AND C‘ iv  =>
sam ple*m in -  mark*max <= W‘z AND W‘z < (c e l l-m a rk )* m in  ;
The important step in the proof of G9 is the induction step, which is proven 
in the PVS lemma Gi:
Gi : LEMMA
G 9 (R ,i)  AND G 3 (R ,i) AND G 7 (R ,i)  AND G 2 (R ,i)  AND G6 (R , i )  => G 9(R ,i+1)
The proof itself uses the earlier invariant Q3, the parameter assumption from 
equation 3 (on page 12) and an additional lemma, called Gi1. The proof itself 
has the following structure:
— Start with ( a u to - s ta r t) .
— Expand G9 itself.
5.3 S u m m a ry  o f A u to m a tio n
29
— For each automaton, use (au to -step ) to rewrite its local transitions and 
prove trivial subcases.
— Do a little rewriting and formula manipulation, introduce the additional 
invariants Q3 and Gi1 that are needed to prove each step.
Without automation, the proof of G9 took 179 steps, exploring blind alleys, 
over-using (a s s e r t) , and doing formula manipulation the tedious way. With a 
little automation such as described in the previous section, the number of proof 
steps declined to 59. In this simplified proof the structure of examining each 
automaton’s local transitions was very visible. Further reflection, though, shows 
that the proof can be reduced to 5 steps:
(AUTO-START T) % D eal w ith  b a se  c a se .
(LEMMA "Gi1" ( " i "  " j ! 1 "  "R" "R ")) % Needed much l a t e r  w ith  t h i s
(LEMMA "Q3" ( " i "  " j ! 1 "  "R" "R ")) % p a r t i c u l a r  i n s t a n t i a t i o n .
(USE "Sam pleE arlyE nough")
(GRIND) % L et PVS do th e  work.
This particular proof is a good example of a type of proof commonly found in 
mathematics texts: “Use lemmata Gi1, Q3 and the parameter inequalities; the 
details are left to the interested reader.” In our context the interested reader is 
the PVS theorem prover, which works out the details. Now, this proof might be 
good for verification purposes but it is certainly not the kind of proof one can 
write on first setting out to prove a property like G9. It is also not the kind 
of proof you would want to present as a didactic example to show the kind of 
reasoning needed in a particular domain, but again, as a succinct demonstration 
of truth it is fine.
This suggests that we can distinguish three flavors of proof, created while 
reasoning about the biphase mark protocol:
1. Exploratory proofs when we do not know how to prove the lemma — or even 
if the lemma is true. These proofs use mostly basic commands from the PVS 
proof language and are rather lengthy, although each step is very basic.
2. Polished proofs, using some automation that is built around the specific do­
main being studied and the framework that is in use. With suitable (not 
overly case-specific) automation, the size of proofs can be reduced over 50%, 
while their comprehensibility is improved because we can (for instance) re­
place a scattered collection of (expand), ( l i f t - i f )  and ( s p l i t )  with a 
single (c o n s id e r-e a c h - lo c a l- tra n s itio n )  proof command (although it is 
called (au to -step ) in our automation attempt).
3. Proofs that are as short as possible, for the purpose of machine verification of 
the lemma. These are useful for re-checking a theory after changes have been 
incorporated, or as a basis for “details are left to the reader” expositions.
6 P lay in g  w ith  th e  P aram eter Inequalities
Now that we have formally derived a number of constraints on the protocol 
parameters, it is interesting to explore the consequences of these results. An
30
implementor of BMP will probably have limited influence on the values of min, 
max and edgelength, but (s)he may freely choose the values of cell, mark and 
sample. For which values of these parameters is the bit rate maximal? Are the 
conventional implementation choices indeed the optimal ones?
Rather than the specific values for the lower bound min and upper bound 
max on the time between clock ticks, we find it convenient to consider the ratio
min
P max
Since 0 < min < max, ratio p is contained in the interval (0,1]. If p =  1 we 
have perfect hardware clocks, and the closer p gets to 0 , the more unreliable the 
clocks are. We also normalize the time edgelength with respect to the maximum 
time between clock ticks:
edgelength
E  = ------------- .
max
So E  specifies the number of clock cycles the signal may remain distorted after 
occurrence of an edge. Now we can rewrite the parameter constraints (1), (2) 
and (3) into:
mark • p > 2 +  E  (4)
(sample — 1) • p > mark +  E  (5)
cell • p > sample +  2 +  E  (6)
Since p G (0,1] and E  > 0, inequality (4) implies mark > 2. Using this fact in 
combination with inequality (5) implies sample > 3. Substituting this in inequal­
ity (6) gives cell > 5.
6.1 M inim izing th e  Cell Size (A ssum ing E  =  1)
Moore [27] assumed that the uncertain values read from the signal due to the 
presence of an edge are limited to the time-span of the cycle during which the 
edge was written, that is he assumed edgelength =  max or equivalently E  =  1. 
With this additional assumption, the parameter inequalities further simplify to
mark • p > 3 (7)
(sample — 1) • p > mark +  1 (8)
cell • p > sample +  3 (9)
Hence with p close to 1 the minimal values for the other parameters are
mark =  4 sample =  7 cell =  11.
Implementors prefer to use instances of BMP with
cell =  2 • mark (10)
31
since this implies that the signal on the wire will be high approximately 50% 
of the time and low 50% of the time, which is desirable from an electrical en­
gineering perspective ( “DC balanced”). With this additional requirement, the 
minimal values become
mark =  7 sample =  10 cell =  14.
These unconventional choices permit a faster bit rate (since fewer cycles are 
spent on each bit) than the conventional choices
mark =  16 sample =  23 cell =  32, and
mark =  8 sample =  11 cell =  16.
The next lemma states that if we assume that the cell size is twice the mark 
size, inequality 4 becomes redundant.
Lem m a 1. Inequality (4) follows from  (in)equalities (10), (5), (6) , E  > 0 and 
p G (0 , 1].
Proof. We derive:
(10),(6)
mark • p > sample — mark • p + 2  +  E
pe( 0,1]
> sample • p — p — mark +  2 +  E
(5)
> mark +  E  — mark +  2 +  E
E> 0
> 2 +  E .
6.2 M axim izing th e  Clock Tolerance
By combining constraints (4), (5) and (6) we infer a lower bound on p, that is, 
the maximal tolerance on timing:
2 +  E  mark +  E  sample +  2 +  E
p >  max(----- -, -------!----- - ,  ---------- ---------) (11)
mark sample — 1 cell
Figure 27 lists lower bounds for p for some example configurations, assuming 
E  = 1 . These numbers can be easily validated using the U ppaal model checker. 
Our results significantly improve on those of Moore [27], who obtained (for a 
model that is less general) a lower bound of 0 . 95 for p for the 18-cycle version of 
BMP, and a lower bound of 0.97 for the conventional 32-cycle version. Typical 
clocks used in hardware are incorrect by less than 6 • 10-6  seconds per second 
[14]. Thus,
1 -  6 • 10-6
p > ------------- ? «  0.99999.
' 1 +  6 • 10-6
This means that in practice there is no need to optimize on the lower bound for 
p .
32
cell 16 32 18 11 14
mark 8 16 5 4 7
sample 11 23 10 7 10
P 0.91 0.82 0.73 0.91 0.93
Fig. 27. Lower bound on p for some example configurations (with E  = 1 ).
6.3 M axim izing th e  Edge D isto rtio n  Tolerance
From a practical perspective, it is interesting to look for the maximal value for 
E , since, as we will see in the next subsection, this will allow us to optimize the 
bit rate. Using inequalities (4), (5) and (6) we infer that E  may take any value 
as long as:
E  < min(mark • p — 2, (sample — 1) • p — mark, cell • p — sample — 2) (12)
Figure 28 lists upper bounds for E  for some example configurations, taking a 
value 0.999 for p. If cell =  2 • max then, by Lemma 1, the minimal value for
cell 16 32 18 11 14
mark 8 16 5 4 7
sample 11 23 10 7 10
E 1.989 5.977 2.994 1 988 1 985
Fig. 28. Upper bound on E  for some example configurations (with p =  0.999).
the right hand side of inequality (12) is reached by either the second or third 
subterm of the min-expression. Since sample occurs positively in the second term 
and negatively in the third term, the choice of a real number value for sample 
that maximizes E  for this case is the one for which the second and third term 
are equal:
(sample — 1) • p — mark =  cell • p — sample — 2 .
The optimal (in the sense that it maximizes E) choice for sample therefore is
cell • p +  mark +  p — 2
1 + p
This optimal value is typically slightly less than 3ma2k - 1 since
3mark — 1 cell • p +  mark +  p — 2 (1 — p)(m +  3)
-------------—----------------------------- = ------- ;-------;---- -'■> 0
2 1 +  p 2(1 +  p) -
Using this observation, we may infer that (for realistic values of p and m, say 
p — 0.999 and m  < 1000):
33
-  if mark is odd then a strict upper bound on the value for E  is 4pmark 3mark 3. 
If we choose for sample the (integer) value 3ma2k-1 then E  may take any 
value below this upper bound.
— if mark is even then a strict upper bound on the value for E  is 3pmark-2mark-4p. 
If we choose for sample the (integer) value 3ma2k-2 then E  may take any value 
below this upper bound.
We write Eopt(mark) for the upper bound on the value of E  for mark size mark, 
and sampleopt(mark) for the optimal choice for sample given mark. In all examples 
of Figure 28 with cell =  2 • max the actual value of sample equals the optimal 
value (in the sense that it maximizes the upper bound on E ) that we derived.
6.4 O ptim izing th e  B it R a te
We can now generalize the results from Section 6.1 to a setting with arbitrary 
E . If we know E  and p then in order to optimize the bit rate we need to find 
the instance of BMP with the smallest cell size that is correct. To obtain this 
instance, we just take the smallest m  with E opt(m) > E  and then set cell to 2m, 
mark to m, and sample to sampleopt(m).
Based on our model we conclude that the 14-cycle instance of BMP is prefer­
able over the 16-cycle instance that has been implemented in the Intel 82530 
Serial Communications Controller. The 14-cycle version of the protocol allows 
for a more than 14% faster bit rate, but has basically the same tolerance for 
signal distortion following an edge. Also, the 30-cycle instance of BMP probably 
is preferable over the conventional 32-cycle version: it has almost the same tol­
erance for signal distortion after an edge (E =  5.97 if p =  0.999) but allows for a 
more than 6% faster bit rate. Note however that our model is quite abstract and 
ignores various engineering realities like metastability, reflection, noise and dis­
tortion. Like Moore [27], we offer our model primarily as a catalyst for thought. 
It is up to the engineers to decide whether our model is accurate enough for the 
purposes at hand.
7 R elated  W ork and C onclud ing R em arks
Related W ork  A main source of inspiration for this article has been the work of 
Moore [27]. The basic modelling assumptions that we use are similar to the ones 
proposed by Moore, although our model is somewhat more general: unlike Moore 
we allow for clock jitter in our model, and we also drop Moore’s assumption that 
the distortion in the signal due to the presence of an edge is limited to the time­
span of the cycle during which the edge was written. Moore [27] developed a 
general model of asynchronous communication and used this model to verify 
the correctness of 18 and 32 cycle instances of BMP. Interestingly, Moore did 
not succeed in establishing correctness of the 16 cycle instance that has been 
implemented by Intel. As we pointed out in Section 6.2, the bounds on timing 
uncertainty found by Moore are suboptimal.
34
Model checkers for timed and hybrid automata have been used successfully 
to analyze various physical level communication protocols for consumer elec­
tronics devices [9,16,20,6,18]. Since these protocols typically use variations of 
biphase mark (e.g. Manchester) an obvious idea was to try to recast Moore’s 
work in a setting of timed or hybrid automata. A first attempt in this direction 
was made by Ivanov & Griffioen [25], who automatically verified a few instances 
of BMP using the model checker HyTech. Their model is somewhat restrictive, 
however, since for instance sampling was only allowed at the end of a read cy­
cle. In September 1999, the first author (FV) constructed the Uppaal model 
that has been described in this paper (with only a few minor differences), and 
gave a presentation of this model and the derived parameter constraints during 
a symposium on the occasion of the retirement of Hans Peek as professor at the 
University of Nijmegen. After model and slides were made available on the web, 
several researchers took up the challenge to synthesize the parameter constraints 
automatically. Bensalem et al [7] propose algorithms and methods to compute 
invariants of infinite-state systems. Using their approach they managed to syn­
thesize versions of the last two parameter constraints for a simplified version 
of our model in which the W ire  and Sam pler automaton have been left out. 
The first parameter constraint is not needed in the simplified model. Henzinger, 
Preussig and Wong-Toi [19] succeeded to partially synthesize our parameter con­
straints for BMP (they always had to fix some parameter) by running HyTech 
on a manually constructed abstraction of the model.
An independent line of research was carried out by Van Hung [23,22]. In this 
work, the BMP has been modelled using Duration Calculus, and a full param­
eter analysis has been carried out with PVS. Van Hung models beginning and 
end of transmission, but assumes fixed clock rates (no jitter). The parameter 
inequalities discovered by Van Hung are similar to ours but with some “off by 
one” differences. Apparently, these differences are caused by some counterintu­
itive property of the Duration Calculus model: if the coder generates an edge, 
then the signal on the wire will be unreliable for E  cycles (RR in Van Hung’s 
terminology) starting from the last tick of the receiver clock. We believe our 
timed automaton model is more realistic.
Conclusions A fascinating question for us is whether our results about possible 
improvements of bit rates of the biphase mark protocol carry over from our 
model to the real world. Although we believe that our model accurately reflects 
the operation of some implementations of BPM (such as Intel 82530), there 
are other implementations in which the receiver operates in a slightly different 
manner. In the popular AMD 85C30 Serial Communications Controller [1], for 
instance, clock information is recovered from the BPM signal using a digital 
phase-locked loop (DPLL). The DPLL is driven by a clock that is nominally 16 
times the data rate. The DPLL uses this clock, along with the BPM signal, to 
construct a receive clock for the data. Depending on the precize timing of edges, 
the receive clock counter can be adjusted. To describe this mechanism accurately 
would require an adaptation of our model. Apart from investigating this issue,
35
another obvious direction for future research is to carry out a similar analysis 
for the Manchester encoding protocol as it is used in e.g. the Ethernet.
Uppaal has turned out to be an (almost) perfect tool for this type of ap­
plication. Modelling the biphase mark protocol in terms of networks of timed 
automata is very natural, the graphical user interface helps to visualize the au­
tomata, the simulator is a great help during the initial validation of the model, 
and the ability of Uppaal to generate counterexamples and to replay them in 
the simulator greatly helped to increase our insight in the protocol.
Several authors have explored extensions of timed automata tools that are 
able to handle parametrized timed automata and to verify/synthesize parame­
ter constraints [21,4,13]. We have arrived at the conclusion that this is probably 
not the way to go. Adding the feature of parameter handling to model checkers 
greatly affects performance and reduces the size of the systems that can be han­
dled. Still, generation of nonlinear constraints (like in the case of BMP) turns out 
to be difficult. The ability to handle complex models is essential for the success of 
model checking technology. The protocol discussed in the present article is very 
simple, but even in this case adding additional features such as termination, bus 
collisions, and a more accurate modelling of the hardware would probably push 
Uppaal to its limits. In our experience, it is typically easy to come up with 
general parameter constraints (linear or nonlinear) based on the counterexam­
ples produced by Uppaal. The challenge therefore is to verify correctness of 
the parametrized system while assuming these constraints. For this, the most 
promising approach in our view is via a translation of the Uppaal model to a 
general purpose theorem prover such as PVS and exploitation of powerful invari­
ant generation methods such as the ones proposed by [8,7]. For practical reasons 
and also because we had already a manual proof of the invariants available, we 
just used PVS and not any of the additional invariant generation methods.
The proof of the correctness of the biphase mark protocol in PVS is required 
since the collection of Uppaal invariants alone is not enough to establish that 
the parameter constraints are necessary and sufficient for the correctness of the 
protocol. The formalization in PVS revealed a small omission in the invariants 
from the manual proof and enabled us to establish global correctness of the 
protocol for all of its instances. Additionally, we show how a small effort in 
the automation of proofs can produce great improvements in proof size and 
readability.
Acknowledgements: The authors would like to thank the Stan Ivanov, partici­
pants to System Modelling Course for Philips Research, Jozef Hooman, Martijn 
Hendriks and Maarten Boasson for their comments on earlier version of this 
paper and the formalization of the biphase mark protocol.
R eferences
1. A dvanced M icro D evices, Inc. Technical Manual Am 8530H /Am 85C 30 Serial Com­
munications Controller, 1992.
36
2. R . A lur and  D.L. Dill. A theo ry  of tim ed  au to m ata . Theoretical Computer Science, 
126:183-235, 1994.
3. R . A lur and  T .A . H enzinger, editors. Proceedings o f the 8th International Confer­
ence on Computer Aided Verification, New B runsw ick, N J, USA, volum e 1102 of 
Lecture Notes in Computer Science. Springer-V erlag, Ju ly /A u g u s t 1996.
4. A. A nnichini, E. A sarin , and  A. B ouajjan i. Sym bolic techniques for param etric  
reasoning ab o u t coun ter and  clock system s. In  E .A . E m erson  and  A .P. S istla, edi­
to rs , Proceedings of the 12th International Conference on Computer Aided Verifica­
tion, volum e 1855 of Lecture Notes in  Computer Science, pages 419-434. Springer­
Verlag, 2000.
5. M yla A rcher, C onstance  H eitm eyer, and  Steve Sims. TAM E: A PV S in terface 
to  sim plify proofs for a u to m a ta  m odels. In  User Interfaces fo r  Theorem Provers, 
E indhoven, T he  N etherlands, 1998.
6 . J . B engtsson, W .O .D . Griffioen, K .J. K ristoffersen, K .G . L arsen, F . L arsson, P. P e t- 
tersson , and  W ang Yi. V erification of an  audio p ro toco l w ith  bus collision using 
U PPA A L. In  A lur and  H enzinger [3], pages 244-256.
7. S. B ensalem , M. B ozga, J .C . Fernandez, L. G hirvu , and  Y. Laknech. A tr a n s ­
fo rm ational app roach  for genera ting  non-linear invariants. In  J. Palsberg , edito r, 
SAS, volum e 1824 of Lecture Notes in  Computer Science, pages 58-74. Springer, 
2 0 0 0 .
8 . S. B ensalem , Y. Lakhnech, and  H. Saidi. Pow erful techniques for th e  au tom atic  
genera tion  of invariants. In  A lur and  H enzinger [3], pages 323-335.
9. D .J.B . Bosscher, I. Po lak , and  F .W . V aandrager. V erification o f an  audio contro l 
p ro tocol. In  H. Langm aack, W .-P. de R oever, and  J. V ytopil, ed ito rs, Proceedings 
o f the Third International School and Symposium  on Formal Techniques in Real­
Time and Fault-Tolerant System s (F T R T F T ’94), Lubeck, G erm any, Septem ber
1994, volum e 863 of Lecture Notes in  Computer Science, pages 170-192. Springer­
Verlag, 1994.
10. R .S. B oyer and  J.S . M oore. A Computational Logic Handbook. A cadem ic P ress, 
New York, 1988.
11. M. B ozga, C. Daws, O. M aler, A. O livero, S. T ripakis, and  S. Yovine. K ronos: A 
M odel-C hecking Tool for R eal-T im e System s. In  A .J. H u and  M .Y. V ardi, ed ito rs, 
Proceedings of the 10th International Conference on Computer Aided Verification, 
V ancouver, B C , C anada, volum e 1427 of Lecture Notes in Computer Science, pages 
546-550. Springer-V erlag, J u n e /J u ly  1998.
12. D. C hkliaev, J. H oom an, and  E . de V ink. V erification and  im provem ent of th e  
sliding window  protocol. In  Proceedings T A C A S ’03, volum e 2619, pages 113-127. 
L ectu re  N otes in  C o m pu ter Science, Springer-V erlag, 2003.
13. A. C ollom b-A nnichin i and  M. Sighireanu. P aram eterized  reachab ility  analysis 
o f th e  IE E E  1394 R oo t C on ten tion  P ro to co l using T R eX . In  P. P e tte rsso n  
and  S. Yovine, ed ito rs, Proceedings o f the Workshop on Real-Time Tools (RT- 
T 0 0 L S ’2001), 2001.
14. F lav iu  C ris tian . P robab ilistic  clock synchronization . Distributed Computing, 3:146­
158, 1989.
15. D avid  C yrluk. M icroprocessor verification  in  PV S: A m ethodology  and  sim ple 
exam ple. Technical R ep o rt SRI-CSL-93-12, C om pu ter Science L abora to ry , SRI 
In te rn a tio n a l, M enlo P ark , CA, dec 1993.
16. C. D aws and  S. Yovine. Tw o exam ples of verification  of m u ltira te  tim ed  au to m a ta  
w ith  KRONOS. In  Proceedings o f the 16th IE E E  Real-Time System s Symposium  
(R T S S ’95), P isa , Ita ly , pages 66-75. IE E E  C o m pu ter Society P ress, D ecem ber
1995.
37
17. W .O .D . Griffioen. Studies in  Computer Aided Verification of 
Protocols. P h D  thesis, U niversity  o f N ijm egen, M ay 2000. 
h ttp : / /w w w .c s .k u n .n l / i ta /fo rm e r_ m e m b e rs /d a v id g / ,IP A  thesis no. 2000-04.
18. K. H avelund, A. Skou, K .G . L arsen , and  K. Lund. Form al m odelling and  analysis 
o f an  au d io /v id eo  protocol: A n  in d u s tria l case s tu d y  using uppaal. In  Proceedings 
o f the 18th IE E E  Real-Time System s Symposium, pages 2-13. IE E E  C om puter 
Society P ress, 1997.
19. T .A . H enzinger, J. P reussig , and  H. W ong-Toi. Some lessons from  th e  H yTech 
experience. In  Proceedings of the 40th Annual Conference on Decision and Control 
(CDC), pages 2887-2892. IE E E  P ress, 2001.
20. P.-H . Ho and  H. W ong-Toi. A u to m ated  analysis of an  audio  contro l protocol. In  
P. W olper, ed ito r, Proceedings o f the 7th International Conference on Computer- 
Aided Verification, Liege, B elgium , volum e 939 of Lecture Notes in  Computer Sci­
ence. Springer-V erlag, Ju n e  1995.
21. T .S . H une, J .M .T . R om ijn , M .I.A . S toelinga, and  F .W . V aandrager. L inear p a ra ­
m etric  m odel checking of tim ed  au to m ata . Journal of Logic and Algebraic Pro­
gramming, 52-53:183-220, 2002.
22. D .V . H ung. M odelling and  verification  of b iphase m ark  pro toco ls using PV S. In  
Proceedings of the International Conference on Applications o f Concurrency to 
System  Design (CSD'98), A izu-w akam atsu , Fukush im a, Jap an , M arch 1998, pages 
88-98. IE E E  C om pu ter Society P ress, 1998.
23. D .V . H ung and  Ko K w ang II. V erification v ia  d ig itized  m odels of real-tim e 
hybrid  system s. In  Proceedings Asia-Pacific Software Engineering Conference 
(A P S E C ’96), pages 4-15. IE E E  C om pu ter Society P ress, 1996.
24. In te l C orpora tion . Microcommunications, 1991. In te l L ite ra tu re  Sales, P.O . Box 
7641, M t. P ro sp ec t, IL 60056-7641.
25. S. Ivanov and  W .O .D . Griffioen. V erification of a  b iphase m ark  protocol. R ep o rt 
CSI-R9915, C om puting  Science In s titu te , U niversity  of N ijm egen, A ugust 1999.
26. K. G. L arsen, P. P e tte rsso n , and  W . Yi. U ppaal in  a  N utshell. Int. Journal on 
Software Tools fo r  Technology Transfer, 1 (1-2):134-152, O ctober 1997.
27. J.S [tro ther]. M oore. A form al m odel o f asynchronous com m unication  and  its  use 
in  m echanically  verifying a  b iphase m ark  protocol. Formal Aspects of Computing, 
6(1):60-91, 1994.
28. S. Owre, J. R ushby, N. Shankar, and  F. von Henke. F orm al verification for fau lt- 
to le ran t arch itectu res: P ro legom ena to  th e  design of PV S. IE E E  Transactions on 
Software Engineering, 21(2):107-125, F eb ruary  1995.
29. J. Saw ada and  W . A. H un t. P rocessor verification  w ith  precise exceptions and 
specu lative execution. In  Proc. 10th International Computer Aided Verification 
Conference, pages 135-146, 1998.
38
