Communications-based Train Control (CBTC) systems are metro signalling platforms, which coordinate and protect the movements of trains within the tracks of a station, and between different stations. In CBTC platforms, a prominent role is played by the Automatic Train Supervision (ATS) system, which automatically dispatches and routes trains within the metro network. Among the various functions, an ATS needs to avoid deadlock situations, i.e., cases in which a group of trains block each other. In the context of a technology transfer study, we designed an algorithm for deadlock avoidance in train scheduling. In this paper, we present a case study in which the algorithm has been applied. The case study has been encoded using ten different formal verification environments, namely UMC, SPIN, NuSMV/nuXmv, mCRL2, CPN Tools, FDR4, CADP, TLA+, UPPAAL and ProB. Based on our experience, we observe commonalities and differences among the modelling languages considered, and we highlight the impact of the specific characteristics of each language on the presented models.
Introduction
Communications-based Train Control (CBTC) systems are the de-facto standard for metro signalling and control, including several interacting wayside and onboard components that ensure safety and availability of trains within the metro network. In the context of a technology transfer project named TRACE-IT, the authors of the current paper, together with representatives of a large railway company, designed one of the main components of a CBTC system prototype, namely the Automatic Train Supervision (ATS) system [10] . This is a wayside system that dispatches and monitor trains along the metro network, according to a set of predefined missions. The ATS includes a scheduling kernel, which shall ensure that, regardless of train delays, no deadlock situation occurs, i.e., the missions are designed in such a way that it never happens that two or more trains block each other from completing their missions. In the context of the project, we applied formal methods to design and verify a scheduling algorithm that addresses the deadlock avoidance problem [25] . The application of the algorithm to the TRACE-IT case study was initially modelled and verified by means of the UMC tool [30, 4, 20] . Then, the design of the case study was replicated with other six different formal frameworks -i.e., SPIN [16, 29] , NuSMV/nuXmv [5, 18] , mCRL2 [14, 9] , CPN Tools [17, 31] , FDR4 [13, 27] and CADP [11, 6] -to explore the potential of formal methods diversity [24] . This is the usage of different formal tools to validate the same design, to increase the confidence on the verification results [19] . In the current paper, we present the models discussed in [24] , focusing on the differences between the modelling languages, rather than on formal verification diversity. Furthermore, we provide three additional models, using TLA+ [21, 7] , ProB [2, 15] and UPPAAL [8, 32] . Within the context of this paper, our goal is to provide some feedback on the differences and traps that should be tackled when changing the reference frameworks, and the commonalities that would allow a simple translation from one framework to another. The models are made available in Appendix A and in attachment to this paper.
The remainder of the paper is structured as follows. In Sect. 2 we provide an overview of the modelled algorithm. In Sect. 3 we present the different models, discussing commonalities and differences with a focus on syntactic and semantics discrepancies. Sect. 4 concludes the paper. In Appendix A, we report the different models presented.
A Deadlock Avoidance Algorithm for ATS
This section describes basic elements of the modelled algorithm, which was defined in our previous works [26, 25] . Fig. 1 shows the structure of the railway layout considered in this study. Nodes in the yard correspond to itinerary endpoints, and the connecting lines correspond to the entry/exit itineraries to/from those endpoints. Eight trains are placed in the layout. Each train has its own mission to execute, defined as a sequence of itinerary endpoints. For example, the mission of train0, which traverses the layout from left to right along top side of the yard, is defined by the mission vector: T 0 = [1, 9, 10, 13, 15, 20, 23] (the numbers in the vector refer to the sequence of traversed endpoints in the diagram of Fig. 1 ). The mission of train7, which instead traverses the layout from right to left, is defined by the vector: T 7 = [26, 22, 17, 18, 12, 27, 8] . The progress status of each train is represented by the index, pointing to a position in the mission vector, which allows the identification of the endpoint in which the train is at a certain moment. We will have 8 variables P 0 , . . . , P 7 , one for each train, which store the current index for the train. For example, at the beginning, we have P 0 = 0, . . . , P 7 = 0, since all the trains occupy the initial endpoints of their missions -at index 0 in the vector. To solve this problem the scheduling algorithm of the ATS must take into consideration two critical sections A and B -i.e., zones of the layout in which a deadlock might occur -which have the form of a ring of length 8 (see Fig. 2 ), and guarantee that these rings are never saturated with 8 trains -further information on how critical sections are identified can be found in our previous work [25] . This can be modelled by using two global counters RA and RB, which record the current number of trains inside these critical sections, and by updating them whenever a train enters or exits these sections. For this purpose, each train mission T i , with i = 0 . . . MISSION LEN (in our case MISSION LEN = 7) , is associated with: a vector of increments/decrements A i to be applied to counter RA at each step of progression; a vector B i of increments/decrements to be applied to counter RB.
For example, given T 0 = [1, 9, 10, 13, 15, 20, 23] , and A 0 = [0, 0, 0, 1, 0, −1, 0], when train0 moves from endpoint 10 to endpoint 13 (P 0 = 3) we must check that the +1 increment of RA does not saturate the critical section A, i.e., RA + A 0 [P 0 ] ≤ LA (in our case, LA = 7); if the check passes then the train can proceed and safely update the counter RA := RA + A 0 [P 0 ]. The maximum number of trains allowed in each critical section (i.e., 7), will be expressed as LA and LB in the following. The critical section A and B which must not be saturated by 8 trains The models presented in Appendix A, which implement the algorithm described above, are deadlockfree, since the verification is being carried on as a final validation of a correct design. The actual possibility of having deadlocks, if the critical sections management were not supported or incorrectly implemented, can easily be observed by raising from 7 to 8 the values of the variables LA or LB.
The case study presented here is actually a fragment of the complete TRACE-IT case study. In the original model the railway layout is much larger and the trains continually repeat cycling round missions. In that configuration further deadlocks situations may occur and further critical sections have to be defined and managed. The model considered in this case study represents just one of the three fragments in which the complete TRACE-IT layout has been decomposed to render the complexity of the problem amenable for formal verification. This is a typical procedure in the verification of real-world railway problems [33] .
The current design, in which each system state logically corresponds to a set of train progresses and each train movement logically corresponds to an atomic system evolution step, leads to a state-space of 1, 636, 535 configurations. This data is useful because it allows the user to cross-check the correctness of the encoding of this logical design in the various frameworks.
Commonalities and Differences

The basic blackboard model
We want to build a model that describes all the possible evolutions of the system composed by the 8 trains, with purpose of verifying the correctness of the A0, ..., A7 and B0, ..., B7 tables that control the non saturation of the sections A and B, and the correctness of the assumption that the A and B sections are the only zones where a deadlock might occur. The design skeleton we have in mind is that of a blackboard model, where a global space of common variables is read and updated by a set of atomic transformation operations. An atomic system evolution corresponds to a one-step movement of one train in the yard, which can occur when the next endpoint is free and when the move does not saturate neither the A section, nor the B section. We have encoded the above simple skeleton design Within the context of this paper, our goal is to provide some feedback on the differences and traps that should be tackled when changing the reference frameworks, and the commonalities that would allow a simple translation from one framework to another. Each framework surely has its own typical set of features that might lead to the best modelling and verification of a system, but, in this work, we are not interested in comparing the best way in which all the 10 frameworks could model the system. Instead, we are interested in seeing if, and to which extent, our basic design skeleton could be fitted with minimal transformations in all the frameworks taken into consideration.
In the following subsections we summarise some of the aspects that appear to characterise the differences of the various frameworks as evidenced by our specification problem. These observations can support the reader in making sense of the different models that are reported in Appendix A 1 , and attached to the current paper. More specifically, for each framework, we provide one or more model variants. The variants represent different modelling styles, according to the classification provided in Sect. 3.2. In the case of CPN Tools, the different variants are associated to models with a different number of trains. Indeed, in our experiments, presented in [24, 23] , CPN Tools was not able to verify the case with eight trains, and models with a lower number or trains were tested. Table 1 provides a brief description of the different variants considered, with the associated file names.
System Design Structure
The frameworks taken into account allow different kinds of model structures, which can be seen in our variants.
Sequential With the sequential design structure the global system status is read and updated by a single sequential, nondeterministic process. This is the case that more directly reflects our initial design skeleton, and this structure has been modelled in all the considered frameworks 2 , with the excep-tion of CPN Tools. Indeed, this modelling style can be reproduced with CPN Tools, but it is not in line with the typical use of Petri Nets.
Parallel without Shared Memory With this design structure we indicate the case in which different parallel process interact among themselves in the absence of a common shared memory that could be directly read and updated by the processes. This is in general the case of concurrent frameworks, such as UMC, CPN, FDR4, CADP, mCRL2, where sets of processes (or a network layout in the case of Petri Nets) are used to model the system, and where a single entity might model the evolutions in time of a specific component of the system status (e.g., a variable). This is not our main reference scenario, however in the case of mCRL2, CADP, FDR4, CPN Tools we show alternative modelling examples that follow this design structure 3 .
Parallel with Shared Memory With this design structure a set of parallel processes share a common memory space, and, at the same time, may interact through inter-process communication. SPIN and UPPAAL are the only frameworks that allow the user to design a system in this way. An example of this model structure has been shown only in the case of UPPAAL 4 .
subsectionLanguage Style Another evident difference among the various frameworks, is the overall style of the language used to specify the system. For example, if we consider the way in which the transition relation (i.e., the system evolutions) are described, we can observe that three main approaches are followed by our considered frameworks. These three language styles can be qualified as imperative, logical and algebraic, and are exemplified below with small fragments of code in the style of CADP-LNT [12] 5 , TLA+ and FDR4, respectively.
In spite of the apparent difference, if the state transformation to be carried out during a system evolution is simple (like it happens in our case), the three styles are roughly equivalent, and translation from one style to the other can be performed with limited effort.
Arrays and Indexing
In our example we do not have the need to use sophisticated data structures, and our design skeleton is just based on integer values and fixed-size tables of numbers. Sometimes, e.g., in the case of UMC, SPIN, NuSMV/nuXmv, CADP-LNT, UPPAAL, TLA+, array-like types and indexing operations are natively supported by the specification language; other times, e.g., in the case of CPN Tools, FDR4, mCRL2, arrays should be represented as functions, or sequences, or lists, and the indexing operations possibly manually encoded as custom recursive functions. For example, in the case of FDR4 we have: 9,10,13,15,20,23> --list 
System Initialisation
The different ways in which the frameworks treat system initialisation point out a difference that might trick an inexperienced designer. Three different approaches can be recognised when a state variable in defined by the model, but not explicitly initialised at system startup.
Default Value
The uninitialised variables might get some default initial value (typically 0 for integers). This is the approach found in UMC, SPIN, UPPAAL.
Error The situation can be statically recognised as a design error, and notified to the designer. This is the approach followed by TLA+, ProB, CPN Tools, FDR4, mCRL2, CADP-LNT.
Nondeterministic Assignment
The not explicitly initialised variable may nondeterministically get any of the possible values allowed by its type. This approach has been encountered only in in Nu-SMV/nuXmv. From one side this choice provides a powerful and flexible way to specify a rich set of possible system initial values, from the other side it might trick an inexperienced designer wrongly thinking that a classical default value (like 0) is used instead.
The Transition Relation
In all the considered frameworks the transition relation is defined by rules that have the form: guardcondition / state-transformation-effects. A possible question is what happens to the variables that are not explicitly modified by the state-transformation-effects. The situation is similar to the initialisation issue previously seen. Also in this case we have three different approaches:
Previous Value
The not explicitly assigned state variables preserve their previous value. This is the approach followed by CPN, UPPAAL, FDR4, mCRL2, SPIN, UMC, ProB, CADP-LNT.
Default Value
The not explicitly assigned state variables get a default null value. This is what happens in the case of TLA+.
Nondeterministic Assignment
The not explicitly assigned variable may nondeterministically get any of the possible values allowed by its type. This is what happens in the NuSMV/nuXmv case.
The difference among the three classes is evident if we compare the fragments of state-transformationeffects as they occur in CADP-LNT, TLA+ and NuSMV/nuXmv:
While with CADP-LNT it is not needed to make explicit that P1 ... P7 do not change their value, in TLA+ we need to use the keyword UNCHANGED, and in NuSMV/nuXmv we have to explicitly state, for each variable, that the next value is equal to the one at the previous execution step.
Another relevant difference among the various frameworks is whether they allow the transition relation to be only partially defined, i.e., are certain inputs and certain states allowed not to trigger a system evolution?
In our problem this situation actually occurs. For example, when a train cannot proceed because its next endpoint is occupied by another train, the rule describing the train progress cannot be applied. In all frameworks, with the exception of NuSMV/nuXmv, this does not represent a problem. It simply means that from such a system configuration state there is no outgoing edge corresponding to the movement of that train.
In the case of NuSMV/nuXmv instead the transition relation must be a total function. This means that if a certain state configuration and a certain system input does not trigger an actual system evolution, we should equally explicitly state that the next system state is unchanged. If we fail to explicitly state that, the consequence is that the next state can become any state where all the system state variables nondeterministically get any of the values allowed by their type. Notice that in this way we are introducing self loops in many states of the graph describing the system behaviour, and this has a certain impact on the way in which the system properties could be stated and verified. For example, the user might be constrained to specify fairness constraints, or avoid the use of LTL formulas, or avoid CTL formulas like AF<statepredicate>. Indeed the verification approach of NuSMV always takes into consideration only infinite -possibly fair, if requested -traces 6 .
Verification Techniques
In our case the property we want to verify is that for all possible executions all the trains eventually complete their missions. This property can be easily specified and verified in all the considered frameworks. However each framework provides original advanced verification features not supported by other frameworks. The possibility to translate a specification from a formalism to another might lead to several advantages:
• We can increase the confidence of the verification results, given that none of the analysed frameworks are qualified at the highest integrity levels usually required by safety critical standards.
• We can exploit the specific strong points of more than one framework (e.g. the friendliness of a user interface, the ability to scale well, the possibility of generating program code or performing model based testing).
• We can verify a wider class of properties. For example, by importing a FDR4 model into ProB we can verify also LTL/CTL properties, by translating a model into UPPAAL we can introduce and verify further time related aspects, and so on. Table 2 summarises the basic verification features that the considered frameworks make available.
Some Performance Data
It is not a goal of our paper to make a comparative evaluation of the various frameworks in terms of scalability or performance. Nevertheless a summary of the experienced times when evaluating the property that for all possible executions all the trains eventually complete their missions might still be a useful approximate indication of the impact of a certain system design approach / formal verification technique in terms of performance. The verification times presented in Table 3 are expressed as ranges because they actually depend of the specific design approach adopted, on the specific formulas being evaluated, and on the specific options used during the tool execution. We refer to [24] for additional details. 
Conclusion
The availability of CBTC systems relies on the existence of smart ATS systems that prevent the occurrence of deadlock situations in the metro network. In this paper, we present different models of a scheduling algorithm for an ATS, which was designed and verified to avoid deadlocks. Ten different formal frameworks are used, and different variants of system design structure are presented, according to the features made available by the frameworks. Differences in terms of language style, allowed data types, and treatments of the system evolution are observed, based on the developed models. In our future work, we plan to adapt our design to tools for model-based development such as Simulink/Stateflow, and SCADE, to explore their potential in terms of modelling styles and verification capabilities, and compare them with the other frameworks. Furthermore, in the context of the EU ASTRail project 7 we are involved in a comparative analysis of formal and semi-formal tools in the railway domain. The experience gained with the different frameworks will be applied to provide diverse models for ERTMS/ETCS (European Rail Traffic Management System/European Train Control System) Level 3, the next evolution of ERTMS/ETCS. This will allow us to further stress the capability of the frameworks with a different design, including time and probabilistic aspects. It shall be noticed that, in the current work, we did not discuss aspects related to the usability of the various frameworks. This issue is of paramount importance, as highlighted, among others, by Sirjani [28] , and is also going to be considered in the context of the ASTRail project.
[ 
CADP-LNT
module CADP_ONEWAY8SEQ is
type Train_Number is range 0 .. 7 of nat end type LA := 7; --limit for region A LB := 7; --limit for region B --------------train missions ------------T0 := Train_Mission ( 1, 9, 10, 13, 15, 20, 23) ; T1 := Train_Mission ( 3, 9, 10, 13, 15, 20, 24) ; T2 := Train_Mission ( 5, 27, 11, 13, 16, 20, 25) ; T3 := Train_Mission ( 7, 27, 11, 13, 16, 20, 26) ; T4 := Train_Mission (23, 22, 17, 18, 11, 9, 2) ; T5 := Train_Mission (24, 22, 17, 18, 11, 9, 4) ; T6 := Train_Mission (25, 22, 17, 18, 12, 27, 6) ; T7 := Train_Mission (26, 22, 17, 18, 12, 27, 8) ; , 9,10,13,15,20,23> M1 = < 3, 9,10,13,15,20,24> M2 = < 5,27,11,13,16,20,25> M3 = < 7,27,11,13,16,20,26> M4 = <23,22,17,18,11, 9, 2> M5 = <24,22,17,18,11, 9, 4> M6 = <25,22,17,18,12,27, 6> M7 = <26,22,17,18,12,27 , 8> , 9,10,13,15,20,23,22] ; --G1 % T1 := [ 3, 9, 10, 13, 15, 20, 24, 22] ; --R1 % T2 := [ 5, 27, 11, 13, 16, 20, 25, 22] ; --Y1 % T3 := [ 7, 27, 11, 13, 16, 20, 26, 22] ; --B1 % T4 := [23, 22, 17, 18, 11, 9, 2, 1] ; --G2 % T5 := [24, 22, 17, 18, 11, 9, 4, 3] ; --R2 % T6 := [25, 22, 17, 18, 12, 27, 6, 5] ; --Y2 % T7 := [26, 22, 17, 18, 12, 27, 8, 7] ; --B2 %%%%%%%%%%% verfication process : %%%%%%%%%%%%%%%%% % % mcrl22lps mcrl2_oneway8seq.txt temp.lps % lps2pbes -fformula.mcf temp.lps temp.pbes % formula.mcf= "mu X.(([!arrived]X) && (<true> true))" == AF {arrived} % time pbes2bool -s2 -vrjittyc temp.pbes % > real 1m53.996s % > user 1m52.243s % > sys 0m1.583s % > USED VIRTUAL MEMORY 1.06 GB % % time pbes2bool -s2 temp.pbes % > real 19m47.753s % % lps2lts -rjittyc --verbose temp.lps temp.lts % ltsinfo temp.lts % > state space stats: (49 levels, 1_636_545 states and 7_134_233 transitions) % > % > % % formula.mcf= "mu X.(([!arrived]X) && (<true> true))" == AF {arrived} % formula.mcf= "[ true* ] < true* . ARRIVED > true" == AG EF {arrived} % pbes2bool -c print evidence on validity of formula, nedded by lpsxsim for % % lps2lts --verbose âĂŞrjittyc âĂŞcached -D -F temp.lps temp.lts % ( -sdepth -sBreadth --suppress --todo=maxnum --no-info % % the generation of counter-examples % pbes2bool -zb breadth-first % pbes2bool -zd depth-first % pbes2bool --todo -strategy %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
PROPERTIES /* -------train missions --------------T0: int[] :
= [ 1, 9, 10, 13, 15, 20, 23] ; --G1 T1: int[] := [ 3, 9, 10, 13, 15, 20, 24] ; --R1 T2: int[] := [ 5, 27, 11, 13, 16, 20, 25] ; --Y1 T3: int[] := [ 7, 27, 11, 13, 16, 20, 26] ; --B1 T4: int[] := [23, 22, 17, 18, 11, 9, 2] ; --G2 T5: int[] := [24, 22, 17, 18, 11, 9, 4] ; --R2 T6: int[] := [25, 22, 17, 18, 12, 27, 6] ; --Y2 T7: int[] := [26, 22, 17, 18, 12, 27, 8] [ 1, 9, 10, 13, 15, 20, 23] ; --G1 T1 := [ 3, 9, 10, 13, 15, 20, 24] ; --R1 T2 := [ 5, 27, 11, 13, 16, 20, 25] ; --Y1 T3 := [ 7, 27, 11, 13, 16, 20, 26] ; --B1 T4 := [23, 22, 17, 18, 11, 9, 2] ; --G2 T5 := [24, 22, 17, 18, 11, 9, 4] ; --R2 T6 := [25, 22, 17, 18, 12, 27, 6] ; --Y2 T7 := [26, 22, 17, 18, 12, 27, 8] 
has not yet completed its mission P7 < 6 & ----the next place is not occupied by other trains 
-ctt checks totatlity of transition relation function ---r prints actual number of reachable states --
-is ignore SPEC properties ---AG used ad hoc algorithm for AG-only properties --nusmv -v 1 -bmc -bmc_length 100 cyclic8-smv.txt , 9,10,13,15,20,23,22] ; --G1 // T1 := [ 3, 9, 10, 13, 15, 20, 24, 22] ; --R1 // T2 := [ 5, 27, 11, 13, 16, 20, 25, 22] ; --Y1 // T3 := [ 7, 27, 11, 13, 16, 20, 26, 22] ; --B1 // T4 := [23, 22, 17, 18, 11, 9, 2, 1] ; --G2 // T5 := [24, 22, 17, 18, 11, 9, 4, 3] ; --R2 // T6 := [25, 22, 17, 18, 12, 27, 6, 5] ; --Y2 // T7 := [26, 22, 17, 18, 12, 27, 8, 7] ; , see also -k pan -c0 --counts all errors pan -c --saves in the trail file the info for 3rd error pan -e -c0 --saves all errors trails each one in file specI.trail spin -k specI.trail -c spec.pml --displays the trail for error I pan -r trailfilename --read and execute trail in file pan -rN --read and execute N-th error trail pan -C --read and execute trail -columnated output (can add -v,-n) pan -r -PN read and execute trail -restrict trail output to proc N pan -(for help on options) T0 == << 1, 9,10,13,15,20,23>> T1 == << 3, 9,10,13,15,20,24>> T2 == << 5,27,11,13,16,20,25>> T3 == << 7,27,11,13,16,20,26>> T4 == <<23,22,17,18,11, 9, 2>> T5 == <<24,22,17,18,11, 9, 4>> T6 == <<25,22,17,18,12,27, 6>> T7 == <<26,22,17,18,12,27, 8>> 10 UMC Class REGION2 is Vars: , 9,10,13,15,20,23] ; --G1 T1: int[] := [ 3, 9, 10, 13, 15, 20, 24] ; --R1 T2: int[] := [ 5, 27, 11, 13, 16, 20, 25] ; --Y1 T3: int[] := [ 7, 27, 11, 13, 16, 20, 26] ; --B1 T4: int[] := [23, 22, 17, 18, 11, 9, 2] ; --G2 T5: int[] := [24, 22, 17, 18, 11, 9, 4] ; --R2 T6: int[] := [25, 22, 17, 18, 12, 27, 6] ; --Y2 T7: int[] := [26, 22, 17, 18, 12, 27, 8] 
int :=1; --initial value for region RA RB: int :=1; --initial value for region RB LA: int :=7; --limit value for region RA LB: int :=7; --limit value for region RB -
Behavior: 
-------------------------------------------------------------------------------------------------------------------------------------
UPPAAL
// // global declarations // //-------train missions ------const int T0 [7] = { 1, 9,10,13,15,20,23} ; const int T1 [7] = { 3, 9,10,13,15,20,24} ; const int T2 [7] = { 5,27,11,13,16,20,25} ; const int T3 [7] = { 7,27,11,13,16,20,26} ; const int T4 [7] = {23, 22,17,18,11, 9, 2} ; const int T5 [7] = {24, 22,17,18,11, 9, 4} ; const int T6 [7] = {25, 22,17,18,12,27, 6} ; const int T7 [7] = {26, 22,17,18,12,27, 8}; const int LA =7; // limit value for region RA const int LB =7; // limit value for region RB //-------region A: train constraints ------const int A0 [7] = { 0, 0, 0, 1, 0,-1, 0}; //G1 const int A1 [7] = { 0, 0, 0, 1, 0,-1, 0}; // R1 const int A2 [7] = { 0, 0, 1,-1, 0, 1, 0}; // Y1 const int A3 [7] = { 0, 0, 1,-1, 0, 0, 0}; // B1 const int A4 [7] = { 0, 1, 0, 0,-1, 0, 0}; // G2 const int A5 [7] = { 0, 1, 0, 0,-1, 0, 0}; // R2 const int A6 [7] = { 0, 0, 0,-1, 0, 0, 0}; // Y2 const int A7 [7] = { 0, 1, 0,-1, 0, 0, 0}; // B2 //-------region B: train constraints ------const int B0 [7] = { 0, 0, 0, 1, 0,-1, 0}; // G1 const int B1 [7] = { 0, 0, 0, 1, 0,-1, 0}; // R1 const int B2 [7] = { 0, 0, 1,-1, 0, 0, 0}; // Y1 const int B3 [7] = { 0, 0, 1,-1, 0, 1, 0}; // B1 const int B4 [7] = { 0, 1, 0, 0,-1, 0, 0}; // G2 const int B5 [7] = { 0, 1, 0, 0,-1, 0, 0}; // R2 const int B6 [7] = { 0, 1, 0,-1, 0, 0, 0}; // Y2 const int B7 [7] = { 0, 0, 0,-1, 0, 0, 0}; // B2 //------------------------------------------int P0 := 0; int P1 := 0; int P2 := 0; int P3 := 0; int P4 := 0; int P5 := 0; int P6 := 0; int P7 := 0; int RA :=1; // initial value for region RA int RB :=1; // initial value for region RB broadcast chan move0,move1,move2,move3,move4,move5,move6,move7; //------------template defintions ---------process Uppaal_Model ( 
