The symbolic model-checking methods for real-time systems(Concurrency Theory and Applications '96) by Yamane, Satoshi
Title The symbolic model-checking methods for real-timesystems(Concurrency Theory and Applications '96)
Author(s)Yamane, Satoshi




Type Departmental Bulletin Paper
Textversionpublisher
Kyoto University




Dept. of Computer Science, Shimane University
1060 Nishikawatu, Matue city, Japan
Email:yamane@cis.shimane-u.ac.jp
It is important to verify timing conditions in real-time systems. The ver-
ification methods such as model checking and language inclusion algorithm,
bisimulation method have been researched. Especially symbolic model check-
ing is promising for verifying a large system. Time models are classified into
discrete time model and dense time model. In discrete time model, symbolic
model checker based on $\mathrm{B}\mathrm{D}\mathrm{D}$ (Binary Decision Diagram) has been developed.
But in dense time model, symbolic model checking based on BDD causes the
state-explosion problem because of generating region graph from specifica-
tion. In this paper, we propose symbolic model checking based on BDD in
dense time model, which do not use region graph. In our proposed symbolic
model checker, we represent state spaces by both BDD and $\mathrm{D}\mathrm{B}\mathrm{M}(\mathrm{D}\mathrm{i}\mathrm{f}\mathrm{f}\mathrm{e}\mathrm{r}\mathrm{e}\mathrm{n}\mathrm{C}\mathrm{e}$
Bound Matrices). We have realized effective symbolic model checker based
on BDD in dense time model by proposed method.
Key word real-time systems, verification, BDD, symbolic model checking
1 Introduction
It is important to formally verify whether specification satisfies verification
properties or not in real-time systems, such as operating systems and commu-
996 1997 222-242 222
nication protocols, logical circuits [1]. In dense time model, formal verification
methods are classified into language inclusion algorithm and model checking
as $\mathrm{f}\mathrm{o}\mathrm{l}1_{\mathrm{o}\mathrm{W}}\mathrm{S}[2]$ .
1. If both specification and verification specification are described by
timed automaton, verification problem reduces to language inclusion
problem in formal language $\mathrm{t}\mathrm{h}\mathrm{e}\mathrm{o}\mathrm{r}\mathrm{y}[3]$ . Language inclusion problem
is decided if verification specification language is closed under com-
plementation. Timed automaton is based on the ideas on coupling
$\omega$-automaton with timing constraints in dense time domain.
2. If specification is described by timed Kripke structure and verification
specification is described by real-time temporal logic, verification prob-
lem reduces to real-time model $\mathrm{c}\mathrm{h}\mathrm{e}\mathrm{c}\mathrm{k}\mathrm{i}\mathrm{n}\mathrm{g}[4]$ .
In this paper, we focus on model checking,because many interesting veri-
fication properties are expressive. Especially, we focus on symbolic model
$\mathrm{c}\mathrm{h}\mathrm{e}\mathrm{c}\mathrm{k}\mathrm{i}\mathrm{n}\mathrm{g}[5]$ based on $\mathrm{B}\mathrm{D}\mathrm{D}$ (Binary Decision $\mathrm{D}\mathrm{i}\mathrm{a}\mathrm{g}\mathrm{r}\mathrm{a}\mathrm{m}$) $[6],$ . bacause we can
avoid the state-explosion problem.
On the other hand, there are discrete time model and fictitious clock
time model, dense time $\mathrm{m}\mathrm{o}\mathrm{d}\mathrm{e}\mathrm{l}[2]$ . In discrete time model and fictitious clock
time model, symbolic model checking systems such as [7] and [8] have been
developed. But in discrete time model and fictitious clock time model, asyn-
chronous real-time systems can not be specified and $\mathrm{v}\mathrm{e}\mathrm{r}\mathrm{i}\mathrm{f}\mathrm{i}\mathrm{e}\mathrm{d}[9]$ . In this paper,
we try to specify real-time systems by dense time model and formally verify
specification using model checking, especially symbolic model checking. In
dense time model, symbolic model checkers such as the verifier of multi-clock
$\mathrm{a}\mathrm{u}\mathrm{t}_{\mathrm{o}\mathrm{m}}\mathrm{a}\mathrm{t}\mathrm{o}\mathrm{n}[10]$ and $\mathrm{H}\mathrm{Y}\mathrm{T}\mathrm{E}\mathrm{c}\mathrm{H}[11]$ , KRONOS[12] have been developed. But
there are some problems in these symbolic model checkers as follows.
1. The verifier of multi-clock automaton requires large verification cost
because of generating region $\mathrm{g}\mathrm{r}\mathrm{a}\mathrm{p}\mathrm{h}[13]$ .
2. HYTECH is implemented by both symbolic representation and semi-
decision procedure using mathematica. But HYTECH is not implemeted
by BDD.
3. KRONOS is implemented by both symbolic representation and DBM.
But KRONOS is not implemeted by BDD.
223
From 1. and 2., 3., the dense time symbolic model checking based on
BDD without region graph have not yet been developed. For this reason, 1.
and 2., 3. cause the state- explosion problem.
In this paper, we develope symbolic model checking based on BDD. In gen-
eral, symbolic model checking is more effective than model checking because
of image computation and BDD. But in dense $\mathrm{t}’ \mathrm{i}\mathrm{m}\mathrm{e}$ model, it is difficult to
verify systems because of timing constraints. We try to store state transitions
and timing $\mathrm{c}\mathrm{o}\mathrm{n}\mathrm{s}.\mathrm{t}\mathrm{r}\mathrm{a}\mathrm{i}\mathrm{n}\mathrm{t}\mathrm{s}$ by $\mathrm{t}\mathrm{h}\mathrm{e}$ . form
$(\mathrm{s},\wedge \mathrm{x},)$
.
where $\mathrm{s}$ is a set of states represented
by BDD and $\mathrm{X}\mathrm{l}\mathrm{S}$ a set of timlng constralnts represented by DBM. This form
allows us to verify systems using dense time symbolic model checking. This
form have been proposed for language inclusion algorithm by Dill D. and
Wong-Toi $\mathrm{H}[14]$ . They have realized the real-time symbolic verification sys-
tem based on BDD and DBM. We develope our real-time symbolic model
checking based on their ideas. Our approach for verification of real-time
systems is as follows.
1. System specification, which is described by parallel composition of
timed automata, is automatically transformed into timed Kripke struc-
ture.
2. Dense time symbolic model checking is based on both $\mathrm{B}\mathrm{D}\mathrm{D}$. and DBM.
For DBM, we can avoid the state- explosion problem.
In section 2 real-time specification is introduced. In section 3 real-time
temporal logic is introduced. In section 4 real-time symbolic model check-
ing is introduced. In section 5 examples of formal specification and timing
verification are introduced. In section 6 conclusion is introduced.
2 Specification method for real-time systems
2.1 Specification by timed Buchi automaton
Each process is specified by timed Buchi $\mathrm{a}\mathrm{u}\mathrm{t}_{\mathrm{o}\mathrm{m}\mathrm{a}}\mathrm{t}\mathrm{o}\mathrm{n}[15]$ and system specifi-
cation is the product automaton of timed Buchi automata. Because timed
Buchi automaton is closed under union and intersection. Timed Kripke struc-
ture is automatically transformed from system specification.
224
Definition 1 (timed Buchi automaton) Timed Buchi automaton is a $A=(\Sigma,$ $S,$ $s_{0},$ $c$
where
1. $\Sigma$ : a finite set of events
2. $S$ : a finite set of states
3. $S_{0}\subseteq S$ : a finite set of start states
4. $C$ : a finite set of clocks
5. $E\subseteq S\cross S\cross\Sigma\cross 2^{C}\cross\Phi(C)$ : a set of transitions
6. $F\subseteq S$ : accepting states
7. $\Phi(C)$ represents timing constraints $\delta$ of clock $C$, and is recursively de-
fined by a set $X(x\in X)$ of clock variables and a time constant $D$ as
follows.
$\delta::=x\leq D|D\leq X|\neg\delta|\delta_{1}$ A $\delta_{2}$
An edge $(s, sa, \lambda’,, \delta)$ represents a transition from state $s$ to state $s’$ on
input symbol a. We represent this transition as follows.
$Sarrow S’a,\lambda,\delta$
The set $\lambda\subseteq C$ gives the clocks to be reset with this transition. A run $r$ of
timed automaton over a word $\sigma\in\Sigma^{\omega}$ is an accepting run iff in$f(r)\cap F\neq 0$ .
Definition 2 (intersection of timed Buchi automata) Consider timed
Buchi automaton $Ai=(\Sigma, Si, s_{0}i, Ci, Ei, F_{i})_{f}i=l_{f}\mathit{2},$ $\ldots\prime n$ . Intersection can be
implemented by a trivial modification of the standard product. construction
for Buchi automata as follows.
1. The set of clocks for the product automaton A $is\cup C_{i}$
2. The states of $A$ are of the form $(s_{j1}\cross s_{j2}\cross\ldots.\cross s_{jn}.)$ , where each $s_{ji}\in S_{i}$
$f$
and $i=l,\mathit{2},$ $\ldots$ , $n_{f}j=l,$ $\ldots\prime m$ .
3. The initial state is of the form $(s_{01}\cross s_{02}\cross\ldots.\mathrm{x}s_{0n}))$ where each $s_{0i}\in S_{i}$
$f$
and $i=1,2,$ $\ldots$ , $n$ .
225
4. The set of transitions consists of $E_{1}\cross E_{2}\cross\ldots.\cross E_{n}$ . The transition of
$A$ is obtained by coupling the transitions of the individual automaton
having the same label. Let $\{\langle_{S_{ji},S_{ki},a}, \lambda_{i}, \delta i\rangle\in E_{i}|i=1,2, \ldots, n\}$ be a
set of transitions with the same label a. Corresponding to this set, there
is ajoint transition $\dot{o}fA$ out of each state of the form $(s_{j1}\cross s_{j2}\cross\ldots.\cross s_{jn})$
labeled with a. The new state is $(s_{k1}\cross s_{k2}\cross\ldots.\mathrm{x}s_{kn})$ with $j=k+l$ mod
$n$ if $s_{k}\in F_{k}$ and $j=k$ otherwise.
5. The set of clocks to be reset with the transition $is\cap\lambda_{i}$ , and the associated
clock constraint $is\wedge\delta i$ .
6. The accepting set of $A$ consists of $F_{1}\cross F_{2}\cross\ldots\cross F_{n}$
Theorem 1 (closure under intersection) Timed Buchi automaton is closed
under intersection.
(outline of proof)
According to [Definition 2], the class of timed language $L(A_{1})\cap L(A_{2})$ ac-
cepted by timed Buchi automaton $A_{1}\cross A_{2}$ is generated, where $L(A_{i})$ is the
class of timed language accepted by timed Buchi automaton $A_{i}$
2.2 Generation of timed Kripke structure
It is necessary to generate timed Kripke structure from timed automaton
in order to realize model checking. The generation method is the same as
the $\mathrm{r}\mathrm{e}\mathrm{f}\mathrm{e}\mathrm{r}\mathrm{e}\mathrm{n}\mathrm{c}\mathrm{e}[16]$ . A timed Kripke structure $\mathrm{T}$ corresponding to a timed
automaton A is defined to be a timed Kripke structure such that there exists
one to one correspondence between the state-input sequences of A and the
paths from one of an initial state. Next, we formally define the generation
method of timed Kripke structure as follows.
Definition 3 (timed Kripke structure) $T=(S’, \mu’, R’, \pi)$’ be a timed $I\mathrm{i}^{r}ripke$
structure. where
1. $S’$ : a finite set of states
2. $\mu’$ : $S’arrow 2^{P}$ assigns to each state the set of atomic propositions true
in that state.
226
3. $R’$ : a binary relation on $S’(R’\subseteq S’\cross S’)$ which gives the possible
transitions between states.
4. $\pi’$ : $S’arrow 2^{C}\cross\Phi(C)$ assigns to each state the set of clocks.
Next, we define operational semantics for a timed Kripke structure $\mathrm{T}$ in
terms of a transition system. A timed-state of the system is a pair $\mathrm{q}=(si^{J}, Xi)$ ,
$\mathrm{i}=0,$ $\ldots,\mathrm{n}$ , where $s_{i}’\in S’$ is a state and $x_{i}$ is a vector of clock values.
Definition 4 (semantics of timed Kripke structure) We define opera-
tional semantics for a timed $I_{\acute{1}^{r}}ripke$ structure $T$ as follows.
1. The set $q_{0}$ of initial states is the set of all timed-states whose state
component is an initial state in $T$, and whose clocks values are all equal
to $\mathit{0}$, as given by $q\mathrm{O}=${ $(S_{0}’,0)|s_{0}’$ is the set of initial states}
2. For each transition $s_{i}’arrow s_{i+1}’$ , let
$R’=\{(s_{i}’, x_{i}),$ $(S’i+1’ xi+1)|x_{i}\in\pi’$
. (s\’i) and $x_{i+1}\in\pi’(s_{i+1}’)_{y}s_{i}.’\cross s_{i+1}’\in$
$R’\}$
Next, we define the generation of timed Kripke structure from a timed
automaton.
Definition 5 (the generation of timed Kripke structure) Let $A=(\Sigma,$ $S,$ $s_{0},$ $c,$ $E,$ $f$
be a timed automaton , and $T=(S’, \mu’, R’, \pi’)$ be a timed Kripke structure.
The generation method is as follows.
1. $S’=E$
2. $.R’\subseteq E\mathrm{x}E$
3. $\mu’=Earrow 2^{\Sigma}=S’arrow 2^{P}$
4. $\pi’=Earrow 2^{C}\mathrm{x}\Phi(C)=s’arrow 2^{C}\cross\Phi(C)$
The example of the generation of timed Kripke structure is as shown in
Fig.1.
227
$|\mathcal{L}’\iota[|$ I $1\Leftrightarrow \mathrm{U}\wedge|[\rho_{l\iota \mathrm{e}}$ a $l\mathrm{I}\mathrm{U}\mathrm{c}\mathrm{U}\mathrm{e}$
Fig. 1 Generation method of timed Kripke structure




Theorem 2 (compatibility) For all timed automaton $A$ and temporal logic
$\phi$ , timed Kripke structures $T$, it holds that $|=_{A}\emptyset iff|=\tau\phi$
(proof)
From the definition of $A_{f}$ it follows that for each infinite sequence
$s_{0} \frac{\lambda_{0_{(}}}{t}S1’\frac{\lambda_{1_{(}}}{}a\mathrm{o},\delta \mathrm{o}a1,\delta_{1}s_{2}\frac{\lambda_{2}\backslash }{r}a_{2},\delta_{2}\ldots$
of transitions of $A$ there is a path $(s_{0\}}’’’Ss\ldots)1’ 2$’ of $T_{f}$
such that
$s_{i} \frac{i,\lambda_{i_{\backslash }}.\delta}{},s_{i1}a\dot{.}+\sim s_{i}’$
for all
$s_{i} \frac{\lambda_{\{}\delta}{}.\cdot iS_{i}a\dot{.},,+1$
Conversly, for each infinite sequence (s\’o, $s_{1}’,$ $s_{2}’,$ $\ldots$ ) of $T$, there is a path





for all s\’i in the first sequence.
Next observe that if
$s_{i} \frac{i,\lambda_{i_{\{}}\delta}{},is_{i+1}\sim as_{i}’$
then $s_{i+1}\models_{A}\phi$ iff $si’\vdash-T\phi$ . Using this observation and the above cor-
respondence between sequences of transitions of $A$ and sequences of states of
$T$, we can induction over $\phi$ prove that for all transtions of $A$ and states of
$T$.
3 $\mathrm{R}\mathrm{e}\mathrm{a},1$-time temporal logic
Verification property specification is described in RTCTL( $\mathrm{R}\mathrm{e}\mathrm{a}\mathrm{l}$-Timed CTL)
, which expands TCTL $(\mathrm{T}\mathrm{i}\mathrm{m}\mathrm{e}\mathrm{d}\mathrm{C}\mathrm{T}\mathrm{L})[13]$ with next state operator as follows.
Definition 6 (syntax of RTCTL) The formulas $\phi$ of RTCTL are induc-
tively defined as follows.
$\phi::=p|\neg\emptyset|\phi 1arrow\phi_{2}|EX_{\sim^{c}}\phi 1|E(\phi_{1}U_{\sim c}\phi_{2})|EG_{\sim c}\phi_{1}$
1. $E$ : for some sequence of states a formula holds
2. $X$ : next states operator
3. $U$ : until operator
4. $G$ : always operator
5. $p\in$ (atomic proposition)
6. $c\in N$ (natural number)
$7$. $\sim is$ binary relation $<,$ $\leq,$ $=,$ $\geq,$ $>$
Informally, $\mathrm{E}(\phi_{1}U_{<c}\phi_{2})$ means that for some sequence of states $s_{0’ 1}’’s,$ $s_{2}’,$ $\ldots$
there exits a sequence of states of time length less than $\mathrm{C}$ such that $\phi_{2}$ holds
at the last state and $\phi_{1}$ holds at all its intermediate states. $\cdot$
Definition 7 (syntactic abbreviations for RTCTL) We $.c$an. specify all
the temporal formulas using following syntactic abbreviations.
229
1. $EF_{\sim c}\phi_{1}=E(trueU\sim c\phi_{1})$
2. $AX_{\sim \mathrm{c}}\phi_{1}=\neg E\neg X_{\sim C}\emptyset 1$
3. A $G_{\sim C}\phi_{1}=\neg EF_{\sim c}\neg\phi_{1}$
4. A $\phi_{1}U_{\sim c}\phi_{2}=E$ [ $\neg\phi_{2}U_{\sim c}\neg\phi_{1}$ A $\neg\phi_{2}$ ] A $\neg EG_{\sim c}\neg\phi_{2}$
Here we define RTCTL-semantics in order to interpret RTCTL-formula
based on timed Kripke structure as follows.
Definition 8 (semantics of RTCTL) For a timed $I\mathrm{i}^{r}ripke$ strucutre $T=(S’, \mu’, R’, \pi’)$
, a state $s_{0}’\in S_{0}’$ , a sequence of states $s_{0’ 1’ n}^{\prime J\prime}s\ldots,$$S$ and a $RTC\dot{\tau}L$-formula
$\phi_{f}$ the satisfaction relation $(T, s_{0}’)\models\phi$ is defined $\dot{i}nducti.vely$ as follows.
1. $(T, s_{0}’)\models p$ iff $p\in\mu’(s_{0}’)$ .
2. $(T, s_{0}’)\models\neg\phi_{1}$ iff ( $T$, s\’o) $|=\phi_{1}$ is unsatisfiable.
3. $(T, s_{0}’)\models\phi_{1}arrow\phi_{2}$ iff $(T, s_{0}’)|=\phi_{1}$ is unsatisfiable or $(T, s_{0}’)\vdash-\phi_{2}$ .
4. $(T, s_{0}’)|=Ex_{\sim c}\phi 1$ ifffor some state $s_{1}’$ such that $(s_{0}’’, s_{1})\in R’,$ $s_{1}’|=\phi_{1}$
$and\sim c$ is satisfiable with $\mu’(s_{1}’)$ .
5. $(T, s_{0}’)|=E(\phi_{1}U_{\sim c}\phi_{2})$ iff for some sequence of states $(s_{0’ 1}^{J;}s, \ldots, S_{n}’)$ ,
$\exists i[i\geq$ A $(T, S_{i}^{;})\vdash-\phi_{2}\wedge\sim c$ is satisfiable with $\mu’(s_{i}’)\wedge\forall j[0\leq j<iarrow$
$(\tau_{s_{j}^{t}},)\vdash-\phi_{1}\wedge\sim c$ is satisfiable with $\mu’(s_{j}’)]]$
6. $(T, s_{0}’)|=EG_{\sim C}\phi 1$ ifffor some sequence of states $(s_{0}’, S_{1},.., s’.\prime n),$ $\forall i[0\leq$
$\dot{i}arrow(T, s\text{\’{i}})\models\phi_{1}\wedge\sim c$ is satisfiable with $\pi’$ (s\’i) $f$
4 Verification algorithm for real-time sym-
bolic model checking
In real-time symbolic model checking, for a timed Kripke structure $\mathrm{T}$ , we
represent state transitions relation $\mathrm{R}$ ’ as BDD and a set of states as the form
(s\’i, $x_{i}$ ) $(i=0,1, \ldots, n)$ , where $s_{i}’\in S’$ is a state represented by BDD and $x_{i}$ is
a vector of clock values represented by $\mathrm{D}\mathrm{B}\mathrm{M}$ (differences bounds matrix). In
order to realize real-time symbolic model checking, we compute a set of states
230
that satisfy the formulas by inverse image computation and test whether a
set of states satisfy timing constraints using DBM.
We define real-time symbolic model checking algorithm after defining in-
verse image computation and DBM.
4.1 Inverse image computation
Many of the idea used in symbolic model checking can be explained by con-
sidering the problem of computing reachable state sets, since reachable state
computations are at the heart of model $\mathrm{c}\mathrm{h}\mathrm{e}\mathrm{c}\mathrm{k}\mathrm{i}\mathrm{n}\mathrm{g}[16]$. Let $s_{i}$’ be a set of states
represented by the BDD $s_{i}’(\mathrm{V})$ . We wish to compute a BDD $s_{j}’(V’)$ that
represents the states reachable from $s_{i}’$ by the transitions in the transition
relation $R’$ :
$s_{j}’(V’)=\exists$ V. $[s_{i}’(\mathrm{V})\wedge R’(V, V’)]$ .
This is called image computation. But in real-time symbolic model checking,
we use inverse image computation. In inverse image computation, we com-
pute a BDD $s_{i}’(\mathrm{V})$ that represents the states backward reachable from $s_{j}’$ by
the transitions in the transition relation $R’$ :
$s_{i}’(\mathrm{V})=\exists V’.[S’j(V’)\wedge R’(V, V’)]$ .
4.2 $\mathrm{D}\mathrm{B}\mathrm{M}$ ( $\mathrm{d}\mathrm{i}\mathrm{f}\mathrm{f}\mathrm{e}\mathrm{r}\mathrm{e}\mathrm{n}\mathrm{C}\mathrm{e}\mathrm{s}$ bounds matrix)
4.2.1 reachability $\mathrm{a}\mathrm{n}\mathrm{a}\mathrm{l}\mathrm{y}_{\mathrm{S}}\mathrm{i}\mathrm{S}$ ( $\mathrm{t}\mathrm{e}\mathrm{s}\mathrm{t}$ timing constraints)
We can compute a set of states that satisfy the formulas using inverse im-
age computation. But we must test whether a set of states satisfy tim-
ing constraints. We will test timing $\mathrm{c}\mathrm{o}\mathrm{n}\mathrm{S}\mathrm{t}\mathrm{r}\mathrm{a}\mathrm{i}\mathrm{n}\mathrm{t}\mathrm{S}$(reachability analysis) using
$\mathrm{D}\mathrm{B}\mathrm{M}[18,19]$ as follows.
Definition 9 ( $\mathrm{D}\mathrm{B}\mathrm{M}$ (Difference Bounds Matrices)) $)$ $DBM$ consists of
the matrix of timer valuations. Timer valuations are $de.fi.\cdot ned$ as follows.
$\forall i,j\in C:t_{i}-t_{j}\leq d_{i}j$
where
1. $t_{i}$ : clock variable
2. $t_{j}$ : clock variable
3. $d_{ij}$ : clock constant
231
The $(i, j)$ -element of $DBM$ is equal to $d_{ij}$ . $A$ fictitious clock $t\mathrm{O}$ that is al-
ways exactly zero is introduced. $d_{ij}\subseteq$ $\{..., -2, -1,0,1,2, \ldots\}\cup\{\ldots, -2^{-,1^{-},0^{-},1}--, 2^{-}, \ldots\}\cup$
$\{-\infty\}\cup\{\infty\}$ . The ordering $i$ over the integers is extended to $dij$ by the fol-
lowing law: for any interger a, $-\infty<a^{-}<a<(a+1)^{-}<\infty$ .
Next, we define reachability analysis using, D.BM.
Definition 10 (reachability analysis) $C_{7ener}ate$ the intersection of canon-
ical DBMs, check reachability between two states. Here we check whether state
$Darrow D’$ is possible or not.
(l)Perform canonical DBM by Floyd-Warshall’ $\mathrm{a}_{\mathrm{o}\mathrm{r}\mathrm{i}}\mathrm{t}\mathrm{h}\mathrm{n}1$ The each
inequality of $DBM$ is of the form $t_{i}-\dot{t}_{j}\leq d_{i,j}$ . An alternative formu-
lation of it allows the construction of a constraint graph for a given set
of inequalities. Each variable is represented as a node in the graph, and
an inequality $t_{i}-t_{i}\leq d_{i,j}$ is represented by a directed edge with weight
$d_{i,j}$ connecting $t_{i}$ to $t_{j}$ as shown in Fig.2. For this reason, we can get
canonical $DBM$ by Floyd-Warshall’ $alg_{ori}thm[l\mathit{8}\mathit{1}\cdot$
(2) $\mathrm{I}\mathrm{n}\mathrm{t}\mathrm{e}\mathrm{r}\mathrm{s}\mathrm{e}\mathrm{c}\mathrm{t}$ canonical DBMs intersection $DBM=m\dot{i}n\{d_{ij}, d_{i}’\}j$ where
1. $[d_{ij}]$ : canonical $DBM$ of $s$. tate $D$
2. $[d_{ij}’]$ : canonical D.$B.\cdot.M.$ o.f..stat..e $D’.\cdot$
In dense time $model_{J}$ in order to reach $D’$ from $D$, there is intersection
$DBM$ between $D$ and $D’[l\mathit{9}]$ .
(3) $\mathrm{T}\mathrm{e}\mathrm{S}\mathrm{t}$ intersection DBM If there is a negative-cost cycle in intersection
$DBM$, it is impossible to reach $D’$ from D. If there is no negative-cost
cycle in intersection $DBM$, it is possible to do so.
Fig. 2 the graph representation of $\mathrm{D}\mathrm{B}\mathrm{M}$
232
Next, we explain the validity of reachability analysis as follows.
Theorem 3 (the validity of reachability analysis) If there is a negative-
cost cycle in intersection $DBM$ of $D$ and $D’$ , it is impossible to reach $D’$ from
$D$ .
(proof)
We call a sequence of clock variables $t_{1},$ $t_{2},$ $\ldots$ , $t_{n}$ . The cost of the path in in-






If there is a negative-cost cycle $(t_{1}-t_{1}<0)$ , it is impossible to reach $D$ ’ from
$D$ .
4.2.2 Testing wheth.er a set of states $\mathrm{s}\mathrm{a}\mathrm{t}\mathrm{i}_{\mathrm{S}}\mathrm{f}..\mathrm{y}.\sim.c_{\mathrm{I}}$ in $\phi 1U_{\sim \mathrm{c}}\phi_{2}$
We must test whether a set of states $\mathrm{s}\mathrm{a}\mathrm{t}\mathrm{i}_{\mathrm{S}}\mathrm{f}\mathrm{y}\sim cin\phi_{1}U_{\sim c}\phi_{2}$. In other words,
we test whether the time elapsed in traversing a sequence between $\phi_{1}$ and $\phi_{2}$
$\mathrm{s}\mathrm{a}\mathrm{t}\mathrm{i}\mathrm{s}\mathrm{f}\mathrm{i}\mathrm{e}\mathrm{S}\sim c$. We test it using a clock variable in DBM as follows.
Definition 11 (the computation of the time elapsed in traversing a sequence)
We define the computation of the time elapsed in traversing a sequence be-
tween $s_{i}’$ and $s_{k}’(j<k)$ . We focus on some clock variable $x$ in $DBM$.
(l)when $\mathrm{x}$ is not reset between $s_{j}$’ and $s_{k}’$ The timing constraint is $x$
$\leq d$ or $x\geq d$ at $s_{j}’$ and $x\leq h$ or $x\geq h$ at $s_{k}’$ , where $d\leq h$ . We
compute the time elapsed in traversing a sequence between $s_{i}’$ and $s_{k}’$ as
follows in Fig.3.
1. case $x\leq d$ and $x\leq h$ : The elapsed time $t$ is $t\leq h- d.$ ..
2. case $x\underline{>}d$ and $x\geq h$ : The elapsed time $t$ is $t\geq h- d.$
3. case $x\leq d$ an.. $dx\geq h:-$ The elapsed time $t$ is $t\geq h$ .
4. case $x\geq d$ and $x\leq h$ : The elapsed time $t$ is $t\leq h- d.$
233
(2) $\mathrm{w}\mathrm{h}\mathrm{e}\mathrm{n}\mathrm{X}$ is reset between $s_{j}’$ and $s_{k}’$ Assuming that $x$ is reset at a state
$s_{l}’(j<l<k)$ . We compute the time elapsed in traversing a sequence
between $s_{j}’$ and $s_{l}’$ and the time elapsed in traversing a sequence between
$s_{l}’$ and $s_{k}’$ . We compute the elaped times using the same way as (1).
Finally, we add the time elapsed in traversing a sequence between $s_{j}’$
and $s_{l}’$ and the time elapsed in traversing a sequence between $s_{l}’$ and $s_{k}’$
From (1) and (2), we can compute the time elapsed in traversing a se-
quence between $s_{j}’$ and $s_{k}’$ .













Fig. 3 the time elapsed in state transitions
4.3 Real-time symbolic model checking
Finally, we $\dot{\mathrm{d}}$efine real-time symbolic model checking as follows.
Definition 12 (real-time symbolic model checking) The real-time sym-
bolic model checking consists of following procedures.
234
1. Firstly, we convert system specification into timed $I\mathrm{i}^{r_{?\dot{\tau}}}pke$ structure.
2. Secondly, we represent state transtions relation $R$ ’ as $BDD$ and a set
of states as the form $(s_{i}’, X_{i})(i=0,1, \ldots, n)$ , where $s_{i}’\in S’$ is a state
represented by $BDD$ and $x_{i}$ is a vector of clock values represented by
$DBM$(differences bounds matrix).
3. Next, we compute the set of states that satisfy every subformula using
inverse image computation and we test whether the set of states satisfy
timing constraints or not using $DBM$. We test whether the time elapsed
in traversing a sequence satisfy timing constraints in a $f_{ormul}a(for$ ex-
$ample_{f}\sim c$ in $E(\phi 1U_{\sim c}\phi 2)$ .
4. Finally, afler determining the set $S$ of states that satisfy the formula $f$)
we test whether $s_{0}’$ is a subset of $S(that$ is, whether $\neg s_{0}’(V)S(V)$ is
the $BDD$ representing true.) If it is, then the timed $I\mathrm{i}^{r}\Gamma ipke$ structure
satisfies $f$. .
Next, we define real-time symbolic model checking algorithm as follows.
Definition 13 (real-time symbolic model checking algorithm) For given
a structure $T=(S^{;}, \mu’, R’,)\pi’$ and a temporal logic formula $f$, we determine
$whether|=\tau f$. The algorithm is based on inverse image computation. Firstly,
we compute the set of states that satisfy all subformulas of $f$ of length $l_{f}$ the
second stage compute the set of states that satisfy all subformulas of $f$ of
length 2, and so on. At the end of $ith$ stage, the set of states that satisfy the
set of all subformula of length $\leq i$ will be computed. To perform computing
the set of states at stage $i$ , the set of states gathered in earlier stages is used.
One can conclude $that\models_{T}f$ if the initial state $(s_{0}’)$ is a subset of the set of
states. Let $\phi$ be a subformula of $f$. We compute the. set of states that satisfy
all subformulas $\phi$ of $f$ of length 1 as follows.









4. $\phi=Ex_{\sim \mathrm{c}}\phi 1$
return $functionEx\phi_{1}(Ex\phi_{1}(V), \sim c)$ ..
functionEX $\phi_{1}(EX\phi_{1}(V),\sim c)$
$EX\phi_{1}(V)=\exists V’.[R’(V, V’)\wedge\phi 1(V)\mathit{1}f$
$If\sim c$ is not satisfiable with $\phi’(EX\phi_{1}(V)’)$ , we compute $EX\phi_{1}(V)$
as follows.
$EX\phi_{1}(V):=Ex\phi_{1}(V)-E\dot{X}\phi_{1}(V)’j$
We test whether $EX\phi_{1}(V)$ is reac.hable from $\phi_{1}$ (V) satisfying timing
constraints;
If there is the set of states $EX\phi_{1}$ (V) ’ that does not satisfy timing
. $conStrafntSf$ ..
we compute $EX\phi_{1}$ (V) as follows.
$EX\phi_{1}(V):=EX\phi_{1}(V)- EX\phi_{1}(V)’\mathrm{i}$
return $EX\phi_{1}(V)$ ;





$U(V):=\phi 1(V)’\wedge^{\backslash }\exists V^{\backslash }’.[R’(V, V’)"\wedge T(V’)]i$
If there is the set of states $\pi’(U(V)’)$ that does not $satisfy\sim c$ , we
compute $U(VJ$ as follows. ..
. $\cdot$ $U(V):=U(V)-U(Vf’$ ;
If there is the set of states $U(V)$ ’ that does not satisfy $\dot{t}$iming con-
$Stra\dot{i}nts_{f}$ we compute $U(V)$ as follows.
$U(V):=U(V)-U(V)’$ ;
If $U(V)$ is included in $\phi_{1}$ (V), return $\phi_{1}(V)$ ;
If $U(V)$ is not included in $\phi_{1}(V),$ $T(\mathrm{Y}):=U(V)+\tau(V)_{j}$
$\}$
6. $\phi=EG_{\sim c}\phi 1$
$T(V):=\phi 1(V)j$
repeat $\{$
$U(V):=\phi_{1}(V)\wedge funct_{\dot{i}}onEx\phi_{1}(T(^{i}V)_{f}\sim c)$ ;




5 The verification system
5.1 Configuration of the verification system
We have developed the veirfication system based on this method using SBDD
$\mathrm{l}\mathrm{i}\mathrm{b}\mathrm{r}\mathrm{a}\mathrm{r}\mathrm{y}[21]$ as shown in Fig.4. It runs on $\mathrm{S}\mathrm{U}\mathrm{N}4/\mathrm{I}\mathrm{P}(12\mathrm{M}\mathrm{B})$ . The veirfication
system consists of compiler(lkstep) and real-time symbolic model checker $(3\mathrm{k}\mathrm{S}\mathrm{t}\mathrm{e}\mathrm{p})$ ,
which are implemented in $\mathrm{C}$ language.
Fig. 4 Configuration of verification system
5.2 Verification example
5.2.1 Specification
We present here the timed automata for the senders and the receivers of the
$\mathrm{C}\mathrm{S}\mathrm{M}\mathrm{A}/\mathrm{C}\mathrm{D}\mathrm{p}\mathrm{r}\mathrm{o}\mathrm{t}\mathrm{o}\mathrm{c}\mathrm{o}\mathrm{l}[22]$. The specification of sender and receiver is shown in
Fig.5. The sender stays in initial state SO until it receives a message. Then,
it tests the bus to see if it is ready or busy, collision detection. In receiver,
at initial state $\mathrm{R}\mathrm{O}$ , it is ready to be in the transmission of a message. If one
of the senders starts sending, the receiver sets to zero the timer $\mathrm{y}$ . When $\mathrm{y}$




We have verified using real-time symbolic model-checker whether verifica-
tion properties by RTCTL are satisfiable in specification. We input timed





system $=\mathrm{s}\mathrm{e}\mathrm{n}\mathrm{d}\mathrm{e}r$ receiver ;
Prooess specificarontsender);
State definition part $\mathrm{s}\mathrm{O}$,sl,...,s7;
Event definition part send, $\mathrm{t}\mathrm{a}\mathrm{u}$, ready, $\mathrm{c}\mathrm{d}$ , busy, begin, end;







State $\mathrm{d}\mathrm{e}\mathrm{t}\mathrm{i}\mathrm{n}\mathfrak{l}\mathrm{t}\mathrm{i}\mathrm{o}\mathrm{n}$ part $\mathrm{R}\mathrm{O}$ . Rl, ...,R4;
Event $\mathrm{d}\mathrm{e}\mathrm{f}\mathrm{i}\mathrm{n}\mathrm{i}\mathrm{t}|\mathrm{o}\mathrm{n}$ part begin, $\mathrm{c}\mathrm{d}$ , ready, $\mathrm{c}\mathrm{d}$ :
Initial state definition part $\mathrm{R}\mathrm{O}$ ;
State transition definition part
$\mathrm{R}\mathrm{O}-\approx \mathrm{e}\mathrm{a}\mathrm{d}\mathrm{y},$ $\mathrm{y}:_{-}-\mathrm{O}*\triangleleft;$




Fig. 6 Example of input format into compiler
The verification properties are (1)EF send and (2) $\mathrm{E}\mathrm{F}(\mathrm{s}\mathrm{e}\mathrm{n}\mathrm{d}\mathrm{E}$ (ready $\mathrm{U}$
$\leq 5$ end)), (3) $\mathrm{E}\mathrm{F}$ ( $\mathrm{s}\mathrm{e}\mathrm{n}\mathrm{d}\vee \mathrm{E}(\mathrm{r}\mathrm{e}\mathrm{a}\mathrm{d}\mathrm{y}\mathrm{U}\leq 10$ end)), (4) $\mathrm{E}\mathrm{G}$ ( $S$ end $ready\wedge begin$ )
as shown in Table 1. In order to compare real-time symbolic model-cheker
and real-time model-checker, we have verified using real-time model-checker
whether verification properties by RTCTL are satisfiable in specification. We
have already reported real-time model-checker [4]. When we have $\mathrm{v}\mathrm{e}\mathrm{r}\mathrm{i}\mathrm{f}\mathrm{i}\mathrm{e}\mathrm{d}‘ \mathrm{i}\mathrm{t}$
using real-time model-checker, we cannot verify 5665 states because of being
not enough memory. But we can verify more than 14588 states using real-
time symbolic model-checker. For this, we can avoid the state-explosion
problem. We can show symbolic model-checking fro dense time real-time
systems is effective. ”
239
6 Conclusion
In this paper, we have proposed real-time symbolic model checking method
based on both BDD and DBM. We have developed the verification system
and shown it effective by the $\mathrm{C}\mathrm{S}\mathrm{M}\mathrm{A}/\mathrm{C}\mathrm{D}$ protocol. We can avoid the state-
explosion problem. But we cannot verify 1020 states such as [5]. This shows
the verification system for dense time systems is high cost. But the dense
time has a desirable feature for representing two causally independent events
in asynchronous real-time systems. In order to verify very large systems, we
are developing the compositional verification system such as [5].
7 References
References
[1} Kavi $\mathrm{K}.\mathrm{M}.:\mathrm{R}\mathrm{e}\mathrm{a}\mathrm{l}$ -time Systems, Abstraction, Languages and Design
Methodologies, P.660,IEEE Computer Society (1992)
240
[2] Alur R. Henzinger $\mathrm{H}.\mathrm{A}.:$ ” $\mathrm{L}\mathrm{o}\mathrm{g}\mathrm{i}\mathrm{c}\mathrm{s}$ and Models of Real $\mathrm{T}\mathrm{i}\mathrm{m}\mathrm{e}:\mathrm{A}$ Sur-
vey”,LNCS 600,$\mathrm{p}\mathrm{p}.74$-106(1992)
[3] Yamane $\mathrm{S}.:$ ” $\mathrm{F}\mathrm{o}\mathrm{r}\mathrm{m}\mathrm{a}\mathrm{l}$ timing verification techniques for distributed sys-
$\mathrm{t}\mathrm{e}\mathrm{m}$”, $5\mathrm{t}\mathrm{h}$ IEEE CS Workshop on Future Trends of Distributed Comput-
ing $\mathrm{s}\mathrm{y}\mathrm{S}\mathrm{t}\mathrm{e}\mathrm{m}.\mathrm{s}(\mathrm{F}\mathrm{T}\mathrm{D}\mathrm{c}\mathrm{s}’ 95)_{\mathrm{P}\mathrm{p}.-460,\mathrm{I}},454\mathrm{E}\mathrm{E}\mathrm{E}$Computer Society(1995)
[4] Yamane $\mathrm{S}.:$ ” $\mathrm{V}\mathrm{e}\mathrm{r}\mathrm{i}\mathrm{f}\mathrm{i}_{\mathrm{C}\mathrm{a}}\mathrm{t}\mathrm{i}_{\mathrm{o}\mathrm{n}}$ system for real-time specification based on ex-
tended real-time logic”,International Workshop on Real-Time Comput-
ing Systems and Applications(RTCSA),pp.192-196,IEEE Computer So-
ciety(1995)
[5] $\mathrm{M}\mathrm{c}\mathrm{M}\mathrm{i}\mathrm{l}\mathrm{l}\mathrm{a}\mathrm{n}\mathrm{K}.\mathrm{L}.$:Symbolic Model Checking,Kluwer,P.194(1993)
[6] Bryant $\mathrm{R}.\mathrm{E}.:$ ” $\mathrm{G}_{\Gamma}\mathrm{a}\mathrm{p}\mathrm{h}$-Based Algorithms for Boolean Function Ma-
nipulation”,IEEE Transactions on Computers, Vol.C-35,No.8,pp.677-
691 (1986)
[7] Campos $\mathrm{S}.\mathrm{V}$ . Clarke $\mathrm{E}.\mathrm{M}.:$ ” $\mathrm{R}\mathrm{e}\mathrm{a}\mathrm{l}$-time symbolic model checking for dis-
crete timemodels”,Proc. first AMAST Inter. $\mathrm{W}\mathrm{o}\dot{1}^{\backslash }\mathrm{k}\mathrm{S}\mathrm{h}_{0}\mathrm{p}.\mathrm{i}.\mathrm{n}$ Real-time
systems,pp.129-145,World Scientific(1994)
[8] Yang J. Mok $\mathrm{A}.\mathrm{K}$ . Wang $\mathrm{F}.:$ ” $\mathrm{S}\mathrm{y}\mathrm{m}\mathrm{b}_{\mathrm{o}\mathrm{l}\mathrm{i}\mathrm{C}}$ model checking for event-driven
real-timesystems”,Proc. real-time systems symposium,pp.23-32(1993)
[9] Alur $\mathrm{R}.:\mathrm{T}\mathrm{e}\mathrm{C}\mathrm{h}\mathrm{n}\mathrm{i}\mathrm{q}\mathrm{u}\mathrm{e}\mathrm{S}$ for automatic verification of real-time systems,Phd
thesis,Stanford university(1991)
[10] Wang F. Mok $\mathrm{A}.\mathrm{K}$ . Emerson $\mathrm{E}.\mathrm{A}.:$” $\mathrm{s}_{\mathrm{y}}\mathrm{m}\mathrm{b}_{\mathrm{o}\mathrm{l}\mathrm{i}\mathrm{C}}$ model checking for dis-
tributed real-time systems”,LNCS 670,pp.632-65l (1993)
[I1] Alur R. Henzinger $\mathrm{T}.\mathrm{A}$ . Pei-Hsin Ho:” Automatic symbolic verification of
embedded systems”,Proc. real-time systems symposium,pp.2-11 (1993)
[12] Henzinger $\mathrm{T}.\mathrm{A}$ . Nicollin X. Sifakis J. Yovine $\mathrm{s}.:$” $\mathrm{s}_{\mathrm{y}}\mathrm{m}\mathrm{b}_{\mathrm{o}\mathrm{l}\mathrm{i}\mathrm{C}}$ model
checking for real-time systems”,IEEE symp. on Logic in Computer
$\mathrm{S}_{\mathrm{C}1\mathrm{e}\mathrm{n}\mathrm{c}\mathrm{e}}\sim,\mathrm{p}\mathrm{P}\cdot 394$-406(1992)
[13] Alur R. Courcoubetis C. Dill $\mathrm{D}.:$” $\mathrm{M}_{0}\mathrm{d}\mathrm{e}1$-Checking for Real-Time Sys-
tems”,Proc. 5th IEEE Logic in Computer Science,pp.414-425(1990)
241
[14] Dill D. Wong-Toi $\mathrm{H}.:^{\mathrm{y}}’ \mathrm{v}_{\mathrm{e}\mathrm{r}\mathrm{i}}\mathrm{f}\mathrm{i}\mathrm{C}\mathrm{a}\mathrm{t}\mathrm{i}\mathrm{o}\mathrm{n}$ of real-time systems by successive over
and under $\mathrm{a}\mathrm{p}\mathrm{p}\mathrm{r}\mathrm{o}\mathrm{x}\mathrm{i}\mathrm{m}\mathrm{a}\mathrm{t}\mathrm{i}_{0}\mathrm{n}$ ”, $\mathrm{L}\mathrm{N}\mathrm{C}\mathrm{S}939,\mathrm{p}\mathrm{p}.4\mathrm{t}$}$9-422(1995)$
[15] Alur R. Dill D. $:$ ” $\mathrm{T}\mathrm{h}\mathrm{e}$ Theory of Timed Automata”,LNCS $600_{\mathrm{P}\mathrm{P}},.45-$
73(1992)
[16] Hiraishi $\mathrm{H}.:$ ” $\mathrm{D}\dot{\mathrm{e}}\mathrm{s}\mathrm{i}\mathrm{g}\mathrm{n}$ verification of sequential machines based on e-free
regular temporal logic”,Computer hardware description languages and
their $\mathrm{a}\mathrm{p}\mathrm{p}\mathrm{l}\mathrm{i}_{\mathrm{C}\mathrm{a}\mathrm{t}}\mathrm{i}\mathrm{o}\mathrm{n}\mathrm{S}$ ”, $\mathrm{P}\mathrm{p}.249-263,\mathrm{E}\mathrm{l}\mathrm{S}\mathrm{e}\mathrm{v}\mathrm{i}\mathrm{e}\mathrm{r}$ science publishers(1990)
[17] Burch $\mathrm{J}.\mathrm{R}$. Clarke $\mathrm{E}.\mathrm{M}$ . Long $\mathrm{D}.\mathrm{E}$ . Mcmillan $\mathrm{K}.\mathrm{L}$ . Dill $\mathrm{D}.:$ ” $\mathrm{S}\mathrm{y}\mathrm{m}\mathrm{b}_{\mathrm{o}\mathrm{l}\mathrm{i}\mathrm{C}}$
Model Checking for Sequential Circuit Verification”,IEEE Trans. CAD
of ICS,Vol.13, $\mathrm{N}\mathrm{o}.4,$ $\mathrm{P}\mathrm{p}.401- 424(1994.4)$
[18] Dill $\mathrm{D}.:$” $\mathrm{T}\mathrm{i}\mathrm{m}\mathrm{i}\mathrm{n}\mathrm{g}$ assumptions and verification of finite-state concurrent
systems”,LNCS 407,$\mathrm{p}\mathrm{p}.197$-212(1989)
[19] Alur R. Courcoubetis C. Dill D. Halbwachs N. Wong-Toi $\mathrm{H}.:$” $\mathrm{A}\mathrm{n}$ Im-
plementation of Three Algorithms for Timing Verification Based on
Automata Emptiness”,Proc. Real-Time Systems Symposium,pp.157-
166(1992)
[20] Emerson $\mathrm{E}.\mathrm{A}.:$ ” $\mathrm{T}\mathrm{e}\mathrm{m}\mathrm{p}_{0}\mathrm{r}\mathrm{a}1$ and modal logic”, Handbook of Theoretical
Computer Science,Vol. $\mathrm{B}$ ,pp.997-1072 (1990)
[21] Minato S. Ishiura N. Yajima $\mathrm{S}.:$” $\mathrm{S}\mathrm{h}\mathrm{a}\mathrm{r}\mathrm{e}\mathrm{d}$ Binary Decision Diagram with
Attributed Edges for Efficient Boolean Function Manipulation”,Proc.
27th Design Automation Conference,pp.52-57(1990)
[22] IEEE $\mathrm{A}\mathrm{N}\mathrm{S}\mathrm{I}/\mathrm{I}\mathrm{E}\mathrm{E}\mathrm{E}802.3,,$ $\mathrm{I}\mathrm{S}\mathrm{O}/\mathrm{D}\mathrm{I}\mathrm{S}$ 8802/3. IEEE Computer Society
Press(1985)
[23] Nicollin X. Sifakis J. Yovine S. :” Compiling real-time specifications into
extended automata”,IEEE trans. on SE, $\mathrm{V}\mathrm{o}\mathrm{l}.18,\mathrm{N}\mathrm{o}.9,\mathrm{P}\mathrm{p}.794$ -804(1992)
242
Preface
This volume contains the proceedings of the RIMS Workshop in Computing
titled Concurrency Theory and Applications ’96 which took place at Kyoto
University in July 1996. The aim of the workshop was to bring together
researchers and practitioners interested in concurrency in order to discuss
recent developments and trends in concurrency theory, exchange experiences
and opinions on applications of concurrency and to establish research con-
tacts.
In response to the call for papers, fifteen papers were accepted to be pre-
sented at the workshop and to appear in the proceedings. Also, four speakers
from abroad were invited: Professor Matthew Hennessy of the University
of Sussex, $\mathrm{U}\mathrm{K}$ , Professor Scott Smolka of SUNY at Stony Brook, USA, Dr
Huimin Lin of the Chinese Academy of Sciences, Beijing, China and Dr
Mark Harman of the University of North London, $\mathrm{U}\mathrm{K}$ .
The papers appearing in this volume span a wide range of topics, including
timed and classical process algebras and their applications, semantics for
CML, semantics and types for the $\pi$-calculus, model checking and descrip-
tion of real time and multimedia systems, program slicing and temporal
logic.
I would like to thank all those who presented their research at the workshop
as well as those who only attended it. Moreover, I particularly wish to thank
Yasuhiko Minamide, Shoji Yuen and Susumu Nishi.mura for an invaluable
help throughout the preparation and organisation of the workshop.
Irek Ulidowski
243
