Model Checker Aided Design of a Controller for a Wafer Scanner by Hendriks, M. et al.
PDF hosted at the Radboud Repository of the Radboud University Nijmegen.
The following full text is a preprint version which may differ from the publisher's version.
For additional information about this publication see http://hdl.handle.net/2066/35654
Please be advised that this information was generated on 2017-12-06 and may be subject to change.
Model Checker Aided Design of a Controller for a Wafer Scanner*
Martijn Hendriks1, Barend van den Nieuwelaar2**, and Frits Vaandrager1
1 Nijmegen Institute for Computing and Information Sciences, Radboud University Nijmegen, The Netherlands, {martijnh,fvaan}@cs.ru.nl
2 Department of Mechanical Engineering, Eindhoven University of Technology, The Netherlands, N.J.M.v.d.Nieuwelaar@tue.nl
Abstract. For a case-study of a wafer scanner from the semiconductor industry it is shown how model checking techniques can be used to compute (i) a simple yet optimal deadlock avoidance policy, and (ii) an infinite schedule that optimizes throughput. Deadlock avoidance is studied based on a simple finite state model using Smv, and for throughput analysis a more detailed timed automaton model has been constructed and analyzed using the UPPAAL tool. The Smv and UPPAAL models are formally related through the notion of a stuttering bisimulation. The results were obtained within two weeks, which confirms once more that model checking techniques may help to improve the design process of realistic, industrial systems. Methodologically, the case study is interesting since two models (and in fact also two model checkers) were used to obtain results that could not have been obtained using only a single model (tool).
1 Introduction
Scheduling and resource allocation problems occur in many different domains, for instance (1) scheduling of production lines in factories to optimize costs and delays, (2) scheduling of computer programs in (real-time) operating systems to meet deadline constraints, (3) scheduling of micro instructions inside a processor with a bounded number of registers and processing units, (4) scheduling of trains (or airplanes) over limited quantities of railway tracks and crossroads, and (5) mission planning for autonomous robots on spacecrafts. Typically, in each of these domains problems are solved using different approaches and mathematical tools. The EU IST project Ametist (see http://ametist.cs.utwente.nl/) envisages a unifying framework for time-dependent behavior and dynamic resource allocation that crosses the boundaries of application domains.
* Supported by the European Community Project IST-2001-35304 (Ametist).
** Part-time software architect at ASML, Veldhoven, The Netherlands.
In the Ametist approach, components of a system are modeled as dynamical systems with a state space and a well-defined dynamics. All that can happen in a system is expressed in terms of behaviors that can be generated by the dynamical systems; these constitute the semantics of the problem. Verification, optimization, synthesis and other design activities explore and modify system structure so that the resulting behaviors are correct, optimal, etc. Preferably, the limitations of currently known computational solutions should not influence modeling too much: only after the semantics of a problem is properly understood, abstractions and specialization due to computational considerations can intervene. In such situations, the soundness of abstractions should ideally also be proved, either via deductive verification or model checking.
The mission of Ametist is to extend this approach, which underlies the successful domain of formal verification, to resource allocation, scheduling and other time-related problems. The mathematical carrier for the Ametist methodology is the timed automaton model [2,3], a modeling framework for discrete event dynamical systems that can handle quantitative timing delays between events. Some tools for model checking timed automata already exist, e.g., Kronos [22] and UPPAAL [13]. Model checking is a method for formally verifying dynamical systems. Specifications about the system are expressed as temporal logic formulas, and efficient symbolic algorithms are used to traverse the model and to check (fully automatically) if the specification holds or not. We aim at further improving model checking tools for timed automata, investigating the applicability of these tools, and establishing links to tools developed in specific domains whenever appropriate.
In this paper, as an illustration of the Ametist methodology, we use model checking techniques to solve the deadlock avoidance and throughput optimization problems for a realistic case of a wafer scanner from the semiconductor industry.
A major concern in the design of controllers for many resource allocation systems (RASs) is deadlock, a permanently blocking condition. There are three general ways of handling deadlock: (i) deadlock prevention, (ii) deadlock detection and resolution, and (iii) deadlock avoidance. Deadlock prevention restricts the system in such a way that deadlock is a priori impossible. As a consequence, performance may be unnecessarily low. Deadlock detection and resolution, on the other hand, is not restrictive at all and detects and resolves a deadlock at run-time. This, however, may be very expensive. Deadlock avoidance achieves a middle ground; it dynamically chooses the control actions to avoid the occurrence of deadlock. In this paper, we show how a least restrictive deadlock avoidance policy (DAP) for the wafer scanner can be easily computed using Smv, a model checker for finite automata. This DAP can be represented by a very short predicate over the states of the wafer scanner, which can be used by the controller for the wafer scanner.
In addition, we use the timed automaton tool UPPAAL to define a refined model that adds timing constraints to address the issue of throughput optimization. We relate the UPPAAL model to the Smv model via the concept of stuttering bisimulation introduced by Browne, Clarke and Grumberg [5]. Since stuttering bisimulation preserves validity of CTL formulas (without nexttime operator), all properties (and in particular the DAP) that we established for the untimed model using Smv carry over to the UPPAAL model. It is not possible to compute the least restrictive DAP directly for the UPPAAL model since (a) UPPAAL does not support full CTL, and (b) the state space of the UPPAAL model is so big that it cannot be fully explored. Using heuristics, however, we are able to use the UPPAAL model checker to find an infinite schedule that optimizes throughput.
Contribution. We obtained our results within two weeks, and we believe that our method can be applied by engineers with a background in computer science after training of only a few days. This confirms that model checking may help to improve the design process of realistic, industrial systems. Our DAP computation approach is referred to in a patent application of ASML, which shows its significance for industry. Methodologically, the case study is interesting since two models (and in fact also two model checkers) were used in combination to obtain results that could not have been obtained using only a single model (tool). Our approach illustrates once more that building models that are just abstract enough for addressing a specific question often provides a way to deal with the state space explosion problem. The Smv and UPPAAL models are formally related through the notion of a stuttering bisimulation. We are not aware of other work that addresses both deadlock avoidance and throughput optimization in (what essentially is) a single framework.
Related work. Other papers in which model checking tools are used to solve scheduling problems include a case study in which a control schedule for a smart card personalization system is synthesized using the Smv model checker [10], and a case study in which the UPPAAL model checker is used to find feasible schedules for a steel plant [9]. The present work is a follow-up on [4], which considers the same example as the present paper and uses suboptimal deadlock avoidance heuristics to generate schedules that are not guaranteed to be optimal. The present work, however, gives a least restrictive (and thus optimal) DAP and a schedule that optimizes stationary throughput in the absence of errors.
Much research has been devoted to deadlock avoidance in RASs, see for instance [18,19]. Discouraged by the NP-completeness of optimal deadlock avoidance for many RAS classes, see for instance [14], this kind of work generally focuses either on computation of suboptimal but polynomial DAPs or on optimal policies for very specific subclasses. Much of this work uses the Petri net formalism [17] for the modeling and analysis of RASs.
In [11] a deadlock free controller is constructed by an iterative process. The parallel composition of the controller and the plant is checked against deadlock by Smv. If a deadlock state is found, then the controller is adjusted to exclude the counterexample and the verification is run again. Otherwise, the controller is deadlock free. Finally, the work presented in [21] deals with verification of several DAPs using Smv.
Outline. First, Section 2 informally presents the case study. Section 3 then presents the Smv model and shows two ways of obtaining an optimal DAP using Smv. In Section 4, a UPPAAL model of the wafer scanner is proposed and infinite schedules which optimize throughput are computed. Finally, Section 5 draws some conclusions and gives directions for future work. A full version of this article, which includes all the proofs, is available as [12]. The complete Smv and UPPAAL models used in our case study are available at the URL http://www.cs.ru.nl/ita/publications/papers/martijnh/.
2 The EUV Machine
Lithographic machines, called wafer scanners, are used within the semiconductor industry to project chip designs on slices of silicon which are called wafers. A key performance characteristic of wafer scanners is throughput, i.e., the number of wafers that can be processed per time unit. For a typical recipe1 it is desirable that the exposure operation (which uses the lens, which is the most expensive part of the machine) is critical in optimal schedules. In order to maximize throughput, a controller should have a strategy that optimizes throughput in the absence of errors. Furthermore, we require that the controller is deadlock-free, since deadlock resolution is expensive.
Figure 1 schematically depicts a possible design of an Extreme Ultra Violet machine (EUV machine), which is a particular type of wafer scanner that is currently being developed by ASML. The inside of an EUV machine is kept vacuum as EUV light is absorbed by air. The wafer flow is presented in Figure 1. First, the external track robot (which is not shown) puts a wafer in one of the four locks. This lock is depressurized, and then the wafer is picked up by one of the two internal robots. Each internal robot has two arms that can each hold a wafer and that are opposite to each other. The internal robot turns and puts the wafer on the closest chuck, which is in the so-called "measure position". The wafer is measured and a chuck swap is performed. The chuck with the measured wafer now is in the "expose position" and the wafer is exposed. After another chuck swap, the exposed wafer is picked up by one of the internal robots which turns and puts it in a depressurized lock. After the lock has been pressurized, the track robot removes the exposed wafer from the machine. Each wafer thus has a fixed recipe for its route: lock - internal robot - chuck - internal robot - lock. There is a choice which locks, internal robots and chucks are used by a wafer.
Fig. 1: Wafer paths within the EUV machine (locks, internal robots, chucks).
1 The timing parameters of the production depend on the chips to be produced.
An obvious question that arises is why we do not let the unexposed wafers flow through the upper two locks and let the exposed wafers exit through the lower two locks. In that case there are no crossing material paths, which means that no deadlock is possible by construction. The answer is twofold. First, if locks are unidirectional then filling the machine from the initial, empty, state takes unnecessarily long. Second, if locks are unidirectional then the depressurization operation might become critical instead of the exposure, since depressurization takes more than twice as long as exposure in a typical wafer recipe. As noted above, this is undesirable. In Section 4, we will prove that indeed the exposure subsystem is critical in the design of Figure 1, and that restricting the wafer flow to prevent deadlock a priori lowers both the throughput and the utilization of the exposure subsystem.
A typical example of a deadlock situation in the EUV machine would be a state in which all four robot arms hold unprocessed wafers, and both chucks hold processed wafers. A controller for the EUV machine should ensure that no such deadlock situation can ever be reached. The problem of finding such a control strategy is commonly referred to as the deadlock avoidance problem. The EUV machine is a disjunctive RAS according to the taxonomy of [15]. Instead of the traditional Petri net or graph based approaches to solving the deadlock avoidance problem, we will show in the next section how it can be tackled using the Smv model checker.
3 A Least Restrictive Deadlock Avoidance Policy
In this section, after a (very) brief introduction into Smv, we present our Smv model of the EUV machine, discuss how one can formalize the notion of deadlock as a temporal logic formula, and present the deadlock avoidance policy that we synthesized using Smv. The reader is referred to [7] and [16] for an extensive introduction into model checking and Smv.
3.1 SMV
In the approach supported by the Smv model checker, a system is modeled as a finite transition system, i.e. as a tuple $(S, s_{init}, \rightarrow)$ where $S$ is a finite set of states, $s_{init}$ is the initial state, and $\rightarrow \subseteq S \times S$ is the transition relation. We write $s \rightarrow s'$ instead of $(s, s') \in \rightarrow$. A state is defined as a valuation of a number of state variables. The value of state variable $v$ in state $s$ is denoted by $s(v)$. Furthermore, $s[v := c]$ denotes the state that is obtained by updating the value of $v$ in state $s$ to $c$. A path of a transition system is a sequence $s_0 s_1 s_2 \cdots$ such that for all $i$, $s_i \rightarrow s_{i+1}$. A state is reachable if it occurs on some path that starts in $s_{init}$.
In Smv, specifications are described in Computation Tree Logic (CTL), a branching time temporal logic. Below some examples of CTL formulas are given, which should be sufficient to understand the present paper. The basic building blocks of CTL are atomic formulas, which denote functions from the set of states to {true, false}. For instance, if $v$ is a state variable, then $v = 2$ is an atomic formula, which denotes the function from states to {true, false} that maps a state $s$ to true iff $s(v) = 2$. In this case, we say state $s$ satisfies formula $v = 2$, notation $s \models (v = 2)$. Every atomic formula is a state formula. State formulas can be combined with Boolean connectives and path operators. We show three path operators that are relevant for this paper. First, if $\varphi$ is a state formula, then $AG(\varphi)$ also is a state formula. A state $s$ satisfies $AG(\varphi)$, denoted by $s \models AG(\varphi)$, if for all paths $s_0 s_1 s_2 \ldots$ with $s = s_0$, and for all $i \geq 0$, $s_i \models \varphi$. Second, if $\varphi$ is a state formula, then $EF(\varphi)$ is also a state formula. We define $s \models EF(\varphi)$ if there exists a path $s_0 s_1 s_2 \ldots$ such that $s = s_0$ and $s_i \models \varphi$, for some $i \geq 0$. Finally, if $\varphi$ is a state formula, then $EG(\varphi)$ also is a state formula. We define $s \models EG(\varphi)$ if there exists a path $s_0 s_1 s_2 \ldots$ with $s = s_0$ such that for all $i \geq 0$, $s_i \models \varphi$.
3.2 An SMV Model of the EUV Machine
The EUV machine can be modeled conveniently and concisely in Smv. In fact, the full code is displayed in Figure 2.
module main ()
{
  -- state variables
  l  : array 0..3 of {e,r,g};                -- the four locks
  rb : array 0..1 of array 0..1 of {e,r,g};  -- two arms of each of the two internal robots
  c  : array 0..1 of {e,r,g};                -- the two chucks
  -- initialization: the machine is completely empty
  for (i=0; i<4; i=i+1)
    init(l[i]) := e;
  for (i=0; i<2; i=i+1)
    for (j=0; j<2; j=j+1)
      init(rb[i][j]) := e;
  for (i=0; i<2; i=i+1)
    init(c[i]) := e;
  -- system dynamics: 22 asynchronous (interleaved) processes
  for (i=0; i<4; i=i+1)
    tl[i] : process entry_exit(l[i]);
  for (i=0; i<4; i=i+1)
    for (j=0; j<2; j=j+1)
      lr[i][j] : process move(l[i], rb[(i<2?0:1)][j]);  -- locks 0,1 serve robot 0; locks 2,3 serve robot 1
  for (i=0; i<2; i=i+1)
    for (j=0; j<2; j=j+1)
      for (k=0; k<2; k=k+1)
        rc[i][j][k] : process move(rb[i][j], c[k]);
  for (i=0; i<2; i=i+1)
    exp[i] : process expose(c[i]);
}

-- track robot puts an unexposed wafer into an empty lock, or removes an exposed one
module entry_exit (p)
{
  if (p=e)
    next(p) := r;
  else if (p=g)
    next(p) := e;
}

-- an unexposed wafer moves lft -> rgt, an exposed wafer moves rgt -> lft
module move (lft,rgt)
{
  if (lft=r && rgt=e)
  {
    next(lft) := e;
    next(rgt) := r;
  }
  else if (lft=e && rgt=g)
  {
    next(lft) := g;
    next(rgt) := e;
  }
}

-- exposure changes the colour of the wafer on a chuck from red to green
module expose (p)
{
  if (p=r)
    next(p) := g;
}
Fig. 2: Smv model of EUV machine.
For each of the 10 positions in the machine our model contains a state variable: an array l of size 4 for the locks, a 2-dimensional array rb of size 2 x 2 for the robots, and an array c of size 2 for the chucks. These state variables can either take value e (empty), which means that the position is empty, value r (red), which means that the position is occupied by an unexposed wafer, or g (green), which means that the position is occupied by an exposed wafer. Initially, the machine is completely empty and all state variables have value e.
To model the system dynamics, i.e., the movement and exposure of wafers, we introduce 22 asynchronous processes, which are executed in an interleaving fashion:
— For each of the 4 locks i we have process tl[i], which may either put an unexposed wafer in lock i if it is empty, or move an exposed wafer from the lock to the track robot. In the definition of process tl[i] we use an auxiliary function entry_exit that describes the state change that results from running this process.
— For each of the 16 pairs of positions i, j such that i is on the left of j and a wafer can move directly from i to j (or back), we introduce a process that takes care of moving unexposed wafers from i to j, and exposed wafers from j back to i. In the definition of these processes we use a function move(lft, rgt) that describes the state change that results from moving a wafer from lft to rgt or vice versa.
— For each of the 2 chucks i we introduce a process exp[i] that models exposure of the wafer. An auxiliary function expose describes the state change that results from exposing the wafer at position p: the value of the corresponding state variable changes color from r (red) to g (green).
In the Smv model we abstract from the turning of internal robots. So a wafer can be picked up by both arms of an internal robot (possibly, the robot first has to turn). Similarly, the Smv model abstracts from chuck swaps and the measure operation. In Section 4, we present a more detailed model of the EUV machine in which we do not abstract from these aspects.
As it turns out, our Smv model has 57116 reachable states, which is close to the total number of states which equals $3^{10} = 59049$. An example of an unreachable state is one in which the machine is completely filled with exposed wafers. Transition systems of this size can very easily be handled by Smv and the computer hardware that is available today. In fact, Smv routinely handles systems with $10^{20}$ states and beyond, so we expect that our approach can also be applied to considerably larger designs.
3.3 Defining Deadlock and Safety in SMV
Standard textbooks on operating systems, e.g. [20], state four conditions for deadlock in systems that consist of processes that compete for resources. The first three conditions concern the model itself and are necessary, and the fourth condition concerns the states of the model and is necessary and sufficient when the first three are met: (i) mutual exclusion: only one process may use a resource at a time, (ii) hold and wait: a process may hold allocated resources while awaiting assignment of others, (iii) no preemption: no resource can be forcibly removed from a process that is holding it, and (iv) circular wait: a closed chain of processes exists such that each process holds at least one resource needed by the next process in the chain.
In the EUV machine, the wafers are modeled as the processes and they compete for the positions in the machine that constitute the resources. The model of the EUV machine satisfies the first three conditions for deadlock. The fourth condition, which thus is necessary and sufficient for deadlock, can be formalized with help from a needs function, that specifies for each wafer the set of positions it may move to. Let $P$ denote the set of positions in the EUV machine. For $p \in P$ and $c \in \{r, g\}$, we define $\mathit{needs}(p, c) \subseteq P$ to be the set of positions (different from $p$) to which a wafer with color $c$ at position $p$ may move next. In particular, if $p$ is a chuck, then $\mathit{needs}(p, r) = \mathit{needs}(p, g) = R$, where $R$ is the set of positions of the internal robots. If $s$ is a state and $p$ a position then we use $\mathit{needs}_s(p)$ as an abbreviation for $\mathit{needs}(p, s(p))$. The circular wait property can now be defined as follows.
Definition 1 (Circular wait). A state $s$ has a circular wait in $Q \subseteq P$ iff
$$s(q) \neq e \;\wedge\; \emptyset \neq \mathit{needs}_s(q) \subseteq Q \neq \emptyset \quad \text{for all } q \in Q.$$
It is not possible to directly formulate the circular wait property in terms of CTL, so some encoding is required. The basic idea is that the machine has a circular wait in a subset $Q$ of positions iff the wafers in $Q$ will never be able to move again. Observe that if in our model a transition $s \rightarrow s'$ moves a wafer from place $p$ to place $p'$, then $p$ is empty in $s'$. Thus, the property that some wafer cannot move anymore can be formalized in CTL as follows.
Definition 2 (Jam). A position $p$ is jammed in state $s$ iff $s \models AG(p \neq e)$. A state $s$ is jammed iff some position is jammed in $s$.
Proposition 1 below asserts the equivalence of the circular wait and jammed properties, thereby providing us with a way to express deadlocks in CTL. It has only been proven for our model of the EUV machine, but from the proofs it should be clear that these results can be generalized to a whole class of resource allocation problems.
Proposition 1. A state has a circular wait in some $Q$ iff it is jammed.
In the remainder of this paper, we will say that a state is deadlocked if it has circular wait, i.e., if it is jammed. The question that we need to answer is whether and how we can prevent the system from entering a deadlocked state. In Dijkstra's paper on the banker's algorithm [8], the first published deadlock avoidance algorithm, a state is defined to be safe if "all processes can be run to completion". In our case, the wafers are the processes and "a wafer is run to completion" if it exits the machine. Thus, Dijkstra's definition can be translated to CTL as follows.
Definition 3 (Safe states). A state $s$ is safe iff $s \models EF\big(\bigwedge_{p \in P} p = e\big)$.
Note that in general safe and not being deadlocked are different things. If a state $s$ is not deadlocked then $s \models \bigwedge_{p \in P} EF(p = e)$, i.e., each individual position can be emptied, but it need not be the case that all positions can be emptied simultaneously. If a state is deadlocked it is unsafe, but if it is unsafe it need not be deadlocked. However, in many cases and (according to Smv) in particular for our model of the EUV machine, the following property does hold2:
$$AG\,(\mathit{safe} \Rightarrow (EG\,\neg\mathit{deadlock})). \qquad (1)$$
This formula suggests a simple least restrictive DAP: just keep the system in a safe state. This policy can be realized for the EUV machine. Every non-initial safe state has at least one safe successor (different from itself), otherwise it would not be possible to return to the initial state. In addition, we verified using Smv that all successors of the initial state are again safe.
2 In fact, in the EUV machine a state is safe if and only if it has no deadlock. It is easy to come up with variations of the machine with states that are not safe and not deadlocked, for example a design in which the internal robots only have one arm. In such cases, in order to make formula (1) hold, we need to require weak fairness for all processes in the Smv model to exclude runs in which no progress is made due to infinite stuttering of some components.
3.4 A Least Restrictive DAP
In order to actually build a controller that always keeps the system in a safe state, it would clearly be very helpful to have a simple, yet exact characterization of the set of safe states. We see two ways to obtain such a characterization.
1. When checking whether the initial state is safe, Smv computes a binary decision diagram (BDD, see [6]) which provides a compact representation of the set of safe states. With the available Smv releases it is not possible to get the BDD out. However, since there is an open-source distribution available, solving this problem should just be a matter of programming.
2. The set of safe states can be manually characterized by the following iterative procedure:
   $S := \mathit{true}$
   while $\big(s_{init} \not\models AG(\mathit{safe} \Leftrightarrow S)\big)$
       $S := S \wedge (\neg C)$
where $C$ is the characterization of the last state of the counterexample that is generated by Smv.
The first approach enables a least restrictive DAP with linear time complexity, since checking whether a state is included in a BDD takes $O(n)$ operations, where $n$ is the number of booleans from which the BDD is composed (20 in case of the EUV machine). The size of the BDD, however, can in the worst case be exponential in the number of booleans. A second drawback is that it can be difficult to derive individual unsafe and/or deadlock situations from a BDD, which may be required during the design phase of the system. The second approach can quickly become practically infeasible since all unsafe states are explicitly enumerated. If it is carried out manually, however, then it might be possible to abstract from irrelevant state information and to visualize the various unsafe situations in the system. Of course, this requires some effort and creativity from the analyst. The second approach has been used to characterize the safe states of the EUV machine. With five iterations, we found four unsafe situations, depicted in Figure 3, which happen to characterize all deadlocks. A right-pointing arrow represents an unexposed wafer, a left-pointing arrow represents an exposed wafer, and a black square represents an unexposed or exposed wafer. The predicate $S$ that exactly characterizes the set of safe states is the negation of the situations shown in Figure 3, and can be described in the input language of Smv with 695 characters.
Fig. 3: The four unsafe scenarios (modulo symmetry) in the EUV machine.
Note that Smv can also be used to obtain a simple under-approximation of the set of safe states (when, e.g., the BDD is too large to use and the iterative process is too time consuming). If $C$ is a candidate for a simple under-approximation, then this can be verified with the CTL property $AG(C \Rightarrow \mathit{safe})$. Again, counter-examples can be used to correct $C$ while retaining low complexity. Note, however, that it now becomes necessary to ensure that the initial state is reachable from any state in $C$ (this is true by definition for the set of all safe states).
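The following Python script is an added illustration for Sections 3.2 to 3.4 and is not the authors' Smv code: it builds the transition system of Figure 2 explicitly, computes $EF$, $AG$ and $EG$ as fixpoints, and evaluates Definitions 1 to 3, Proposition 1 and formula (1) over the reachable states. The tuple encoding of states and the $\mathit{needs}$ function for locks and arms (the paper only fixes the chuck case) are assumptions derived from the wafer route of Section 2.

```python
"""Explicit-state exploration of the Smv model of Figure 2, written for this page (not the
authors' code): reachable states, Definitions 1-3, Proposition 1 and formula (1)."""
from collections import deque
from itertools import product

E, R, G = "e", "r", "g"
# Assumed state layout: a 10-tuple indexed like the Smv variables, 0-3 = l[0..3],
# 4-7 = rb[0][0], rb[0][1], rb[1][0], rb[1][1], 8-9 = c[0..1].
LOCKS, ARMS, CHUCKS = range(0, 4), range(4, 8), range(8, 10)
ARMS_OF_LOCK = {0: (4, 5), 1: (4, 5), 2: (6, 7), 3: (6, 7)}  # lock i serves robot (i<2 ? 0 : 1)
LOCKS_OF_ARM = {4: (0, 1), 5: (0, 1), 6: (2, 3), 7: (2, 3)}
INIT = (E,) * 10
ALL = list(product((E, R, G), repeat=10))  # 3^10 = 59049 states
ALLSET = set(ALL)

def upd(s, changes):  # s[v := c] for every position/value pair in changes
    t = list(s)
    for p, v in changes.items():
        t[p] = v
    return tuple(t)

def move(s, lft, rgt):
    """Module move(lft, rgt): unexposed wafer lft -> rgt, exposed wafer rgt -> lft."""
    if s[lft] == R and s[rgt] == E:
        return [upd(s, {lft: E, rgt: R})]
    if s[lft] == E and s[rgt] == G:
        return [upd(s, {lft: G, rgt: E})]
    return []

def successors(s):
    """One step of any of the 22 interleaved processes tl, lr, rc and exp."""
    out = set()
    for l in LOCKS:
        if s[l] == E:                        # tl[i]: track robot puts in an unexposed wafer
            out.add(upd(s, {l: R}))
        elif s[l] == G:                      # tl[i]: track robot removes an exposed wafer
            out.add(upd(s, {l: E}))
        for a in ARMS_OF_LOCK[l]:            # lr[i][j]: move(l[i], rb[i<2?0:1][j])
            out.update(move(s, l, a))
    for a in ARMS:                           # rc[i][j][k]: move(rb[i][j], c[k])
        for c in CHUCKS:
            out.update(move(s, a, c))
    for c in CHUCKS:                         # exp[i]: expose(c[i])
        if s[c] == R:
            out.add(upd(s, {c: G}))
    return out

SUCC = {s: successors(s) for s in ALL}
PRED = {s: set() for s in ALL}
for s, ts in SUCC.items():
    for t in ts:
        PRED[t].add(s)

def closure(start, edges):  # breadth-first closure of start under an edge map
    seen, todo = set(start), deque(start)
    while todo:
        for t in edges[todo.popleft()]:
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def EF(phi):  # some path reaches phi: least fixpoint over predecessors
    return closure(phi, PRED)
def AG(phi):  # phi holds on all paths forever: AG(phi) = not EF(not phi)
    return ALLSET - EF(ALLSET - set(phi))
def EG(phi):  # some path stays in phi forever: greatest fixpoint
    cur = set(phi)
    while True:
        nxt = {s for s in cur if any(t in cur for t in SUCC[s])}
        if nxt == cur:
            return cur
        cur = nxt

REACH = closure({INIT}, SUCC)
SAFE = EF({INIT})                        # Definition 3: EF(all empty); the DAP keeps the system in SAFE
JAMMED = [AG({s for s in ALL if s[p] != E}) for p in range(10)]  # Definition 2: AG(p != e)
DEADLOCK = set().union(*JAMMED)          # some position is jammed

def needs(p, colour):
    """needs(p, c): positions a wafer of colour c at p may move to next (the exit is no position).
    Lock and arm cases are assumptions from the route of Section 2; the chuck case is the paper's."""
    if p in LOCKS:
        return set(ARMS_OF_LOCK[p]) if colour == R else set()
    if p in ARMS:
        return set(CHUCKS) if colour == R else set(LOCKS_OF_ARM[p])
    return set(ARMS)                     # needs(chuck, r) = needs(chuck, g) = R

def has_circular_wait(s):
    """Definition 1, decided via the largest Q with s(q) != e and {} != needs_s(q) <= Q."""
    q = {p for p in range(10) if s[p] != E and needs(p, s[p])}
    while True:
        nxt = {p for p in q if needs(p, s[p]) <= q}
        if nxt == q:
            return bool(q)
        q = nxt

def formula_1_holds():
    """AG(safe => EG(not deadlock)), evaluated over the states reachable from s_init."""
    eg = EG(ALLSET - DEADLOCK)
    return all(s not in SAFE or s in eg for s in REACH)
```

The least restrictive DAP of Section 3.4 is then membership in SAFE: a controller step from state s to state t is allowed iff t is in SAFE, and the script confirms that every reachable safe state has such a successor.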
4 Throughput Analysis
A first objective for a controller of the EUV machine is to avoid deadlocks. In the previous section, using our Smv model, we synthesized a least restrictive control policy that achieves this. A second key objective for a controller of the machine of course is to maximize throughput. Our Smv model is not sufficiently detailed to address this issue since, for instance, rel

evant information about the delays in the locks and the speed of the robots has not been included. Also, the Smv model abstracts from the delays due to turning of the internal robots, measuring of wafers, and swapping of the chucks. Therefore, in this section, we present a more refined timed automata model ([2,3]), which contains sufficient information to address the throughput issue.
In order to define and analyze our model, we used the UPPAAL model checking tool. UPPAAL supports modeling of systems in terms of networks of timed automata which are extended by blocking synchronization and bounded integer variables. Similarly to Smv, the semantics of a UPPAAL model is defined by a transition system. In addition to the discrete part, the states also contain a real-valued clock valuation. For these models, the UPPAAL model checker can decide a subset of Timed Computation Tree Logic (TCTL, see [1]). For a detailed account of UPPAAL we refer to [13] and to http://www.uppaal.com.
After presenting the UPPAAL model of the EUV machine in Section 4.1, we discuss the relationship between the UPPAAL and Smv models in Section 4.2. Then, in Section 4.3, we use UPPAAL to derive a schedule for the EUV machine that optimizes throughput.
4 .1  U P P A A L  M o d e l
The U p p a a l  model of the  EU V  machine contains the same s ta te  variables as 
the Smv model for the positions in the machine: arrays l ,  rb  and c, which 
m ay take the same values e, r  and g to  indicate th a t a position is respectively 
empty, filled w ith an unexposed wafer, or w ith an exposed wafer. In addition, 
the U p p a a l  model has a num ber of Boolean sta te  variables to  ensure “physical 
in tegrity” . For instance, an in ternal robot can only access a lock if it is vacuum. 
This requirem ent is modeled using the Boolean lb  [id] for lock num ber id . The 
model consists of 12 au tom ata, of which 11 model physical com ponents of the 
machine: the track robot, the  four locks, the  four robot arm s (two for each 
of the robots), and the two chucks. These au tom ata  move wafers around with 
certain  delays and according to  the  m aterial pa ths as specified in Section 2. An 
additional autom aton, the observer, is used for th roughpu t optim ization.
To illustrate the modeling in UPPAAL, we present the template for one arm of an internal robot, see Figure 4. This template has four parameters: a constant id that identifies the internal robot to which the arm belongs, two constants l0 and l1 that identify the locks to which the robot arm has access, and a channel turn. When a robot arm is at the locks, then it can get a wafer from a lock (L02R and L12R), or it can put a wafer in a lock (R2L0 and R2L1). Of course, it can only perform these actions if the lock is vacuum, and if the wafer flow is as specified in Section 2. Similarly, when a robot arm is at the chucks then it can load/unload a wafer to/from the chuck that is at the measure location. The cb variables are used to ensure that only one robot arm has access to the chuck at a time and that the chuck cannot execute a transition while the robot arm is loading/unloading a wafer.
Figure 5 shows the observer process which, as we will explain in more detail in Section 4.3, is used to ensure progress in the model. This process measures the time until the first wafer exits the system (this is called an unload event) in location L0, and the time between two consecutive unload events in location L1 using its local clock x.
Fig. 4: Template for a robot arm.
Fig. 5: Process for the observer. (Locations L0 and L1; the edge from L0 to L1 and the self-loop on L1 both synchronize on unload? and reset the clock with x := 0.)
4.2 Bisimulation between SMV and UPPAAL models
Clearly, there is a relationship between the SMV model and the UPPAAL model. The SMV model is an abstraction from the UPPAAL model, which has the property that every transition in the UPPAAL model can be simulated in the SMV model, and vice versa. Formally, the relationship between the two models can be expressed as a stuttering bisimulation relation in the sense of [5]. Stuttering bisimulations are defined in terms of Kripke structures, an extension of transition systems in which to each state a set of atomic propositions is associated that hold in that state.
Definition 4 (Kripke Structures). Let $AP$ be a set of atomic proposition symbols. A Kripke structure is a structure $(S, s_{init}, \rightarrow, l)$, where $(S, s_{init}, \rightarrow)$ is a transition system and function $l : S \rightarrow 2^{AP}$ associates to each state a set of atomic proposition symbols.
In this paper, we let $AP$ be the set of equations of the form $p = v$, where $p$ is a position in the EUV machine and $v \in \{e, r, g\}$. For the transition systems induced by the SMV and UPPAAL models, the labeling is obvious: we label a state $s$ with $p = v$ iff this equation holds in $s$. For the SMV model the labeling function is injective: different states have different labels. For the UPPAAL model this is clearly not the case.
A stuttering bisimulation relates states from two Kripke structures. Initial states are related, and related states are labeled with the same proposition symbols. If two states are related and from one state a transition is possible, then it should be possible to simulate this transition from the related state, after first doing zero or more stuttering transitions, i.e., transitions that do not change the labeling.
Definition 5 (Stuttering Bisimulation). A stuttering bisimulation between Kripke structures $(S, s_{init}, \rightarrow, l)$ and $(S', s'_{init}, \rightarrow', l')$ is a relation $R \subseteq S \times S'$ s.t.
1. $(s_{init}, s'_{init}) \in R$,
2. if $(r, s) \in R$ then $l(r) = l'(s)$,
3. if $(r, s) \in R$ and $r \rightarrow r'$ then there exist, for some $n \geq 0$, $s_0, s_1, \ldots, s_n$ such that $s_0 = s$ and, for all $i < n$, $s_i \rightarrow' s_{i+1}$, $(r, s_i) \in R$ and $(r', s_n) \in R$,
4. if $(r, s) \in R$ and $s \rightarrow' s'$ then there exist, for some $n \geq 0$, $r_0, r_1, \ldots, r_n$ such that $r_0 = r$ and, for all $i < n$, $r_i \rightarrow r_{i+1}$, $(r_i, s) \in R$ and $(r_n, s') \in R$.
Proposition 2. Consider the projection function $\pi$ from states of the Kripke structure induced by the UPPAAL model to states of the Kripke structure induced by the SMV model. Function $\pi$ only preserves the values of the arrays l, rb and c. Let $R$ be the relation consisting of pairs $(s, \pi(s))$, for $s$ a reachable state from the UPPAAL model. Then $R$ is a stuttering bisimulation between the UPPAAL and SMV Kripke structures.
The significance of the above result stems from the fact that validity of CTL formulas without nexttime operator (i.e. all the formulas used in this paper) is preserved by stuttering bisimulation equivalence (see [5]). Thus, all the results on deadlock avoidance established using SMV in Section 3 carry over to the UPPAAL model. It is not possible to obtain these results directly using the UPPAAL tool since (a) UPPAAL does not support full CTL, and (b) the state space of the UPPAAL model is so big that it cannot be fully explored.
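The following Python program is an added illustration of Definition 5 and Proposition 2; it is not part of the paper and does not use the authors' UPPAAL or SMV models. It checks the four conditions of a stuttering bisimulation mechanically for two small constructed Kripke structures: a "concrete" one with a single position l that, like the UPPAAL model, also carries a Boolean lb (lock is vacuum) which must be set before a wafer can be put in, and an "abstract" one, which is its projection onto the position value, like the SMV model. The relation R = {(s, π(s))} over reachable states is built exactly as in Proposition 2; the toy transition structure, the names label_concrete, build_abstract and the with_return switch are assumptions of this example. Condition 3 (and, with the roles swapped, condition 4) is decided by a breadth-first search that may only pass through states related to the source state, which is what "zero or more stuttering transitions" amounts to on a finite structure.

```python
from collections import deque
from typing import Any, Callable, Dict, FrozenSet, Set, Tuple

State = Any


class Kripke:
    """A finite Kripke structure (Definition 4): a transition system plus a labeling
    that maps each state to the set of atomic propositions holding in it."""

    def __init__(self, init: State, trans: Dict[State, Set[State]],
                 label: Callable[[State], FrozenSet[str]]):
        self.init = init
        self.trans = trans
        self.label = label

    def successors(self, s: State) -> Set[State]:
        return self.trans.get(s, set())

    def reachable(self) -> Set[State]:
        seen, todo = {self.init}, deque([self.init])
        while todo:
            s = todo.popleft()
            for t in self.successors(s):
                if t not in seen:
                    seen.add(t)
                    todo.append(t)
        return seen


def _match_step(trans: Dict[State, Set[State]], start: State,
                related_to_src: Set[State], related_to_tgt: Set[State]) -> bool:
    """Look for s_0 = start, s_1, ..., s_n (n >= 0) with s_i -> s_{i+1} in `trans`,
    every s_i (i < n) in related_to_src, i.e. a stuttering step with respect to the
    other structure, and s_n in related_to_tgt.  This is condition 3 of Definition 5;
    condition 4 is the same search with the two structures swapped."""
    seen, todo = {start}, deque([start])
    while todo:
        t = todo.popleft()
        if t in related_to_tgt:
            return True
        if t in related_to_src:
            for u in trans.get(t, set()):
                if u not in seen:
                    seen.add(u)
                    todo.append(u)
    return False


def is_stuttering_bisimulation(K1: Kripke, K2: Kripke,
                               R: Set[Tuple[State, State]]) -> Tuple[bool, str]:
    """Decide whether R is a stuttering bisimulation between K1 and K2 (Definition 5)."""
    if (K1.init, K2.init) not in R:
        return False, "initial states are not related"
    for r, s in R:
        if K1.label(r) != K2.label(s):
            return False, f"labels differ for {r!r} and {s!r}"
    for r, s in R:
        rel_r = {t for (a, t) in R if a == r}
        for r2 in K1.successors(r):                      # condition 3
            rel_r2 = {t for (a, t) in R if a == r2}
            if not _match_step(K2.trans, s, rel_r, rel_r2):
                return False, f"step {r!r} -> {r2!r} cannot be matched from {s!r}"
        rel_s = {t for (t, b) in R if b == s}
        for s2 in K2.successors(s):                      # condition 4
            rel_s2 = {t for (t, b) in R if b == s2}
            if not _match_step(K1.trans, r, rel_s, rel_s2):
                return False, f"step {s!r} -> {s2!r} cannot be matched from {r!r}"
    return True, "ok"


# Constructed toy models (assumptions of this example, not the paper's models).
# One position `l` cycles e -> r -> g -> e.  The concrete model also tracks the
# Boolean lb (lock is vacuum): pumping down and pressurizing are stuttering steps
# because they leave the label "l=..." unchanged.  AP = {"l=e", "l=r", "l=g"}.

def label_concrete(s) -> FrozenSet[str]:
    pos, _lb = s
    return frozenset({f"l={pos}"})


def label_abstract(s) -> FrozenSet[str]:
    return frozenset({f"l={s}"})


def build_concrete() -> Kripke:
    trans = {
        ("e", False): {("e", True)},      # pump down (lb := true): stuttering step
        ("e", True):  {("r", True)},      # robot puts an unexposed wafer in
        ("r", True):  {("r", False)},     # pressurize (lb := false): stuttering step
        ("r", False): {("g", False)},     # wafer gets exposed
        ("g", False): {("e", False)},     # exposed wafer is taken out
    }
    return Kripke(("e", False), trans, label_concrete)


def build_abstract(with_return: bool = True) -> Kripke:
    """The projection of the concrete model; with_return=False drops g -> e, so the
    abstraction can no longer simulate the concrete unload step."""
    trans = {"e": {"r"}, "r": {"g"}, "g": {"e"} if with_return else set()}
    return Kripke("e", trans, label_abstract)


def projection(s) -> str:
    """Like pi in Proposition 2: keep the position value, drop the lb flag."""
    return s[0]


def projection_relation(concrete: Kripke) -> Set[Tuple[State, State]]:
    """R = {(s, pi(s)) | s reachable in the concrete model}, as in Proposition 2."""
    return {(s, projection(s)) for s in concrete.reachable()}


def check_example(with_return: bool = True) -> Tuple[bool, str]:
    concrete = build_concrete()
    return is_stuttering_bisimulation(concrete, build_abstract(with_return),
                                      projection_relation(concrete))


if __name__ == "__main__":
    print(check_example(True))    # the projection relation is a stuttering bisimulation
    print(check_example(False))   # ... and why it is not when the abstraction loses a step
```

The check is polynomial in the size of the two structures, which is fine for an abstraction as small as the SMV model, but it needs the reachable states of the concrete model, which is exactly what is out of reach for the full UPPAAL model; that is why the paper states Proposition 2 as a proof obligation rather than as something the tools verify.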
4.3 Finding an Optimal Schedule
As mentioned above, the observer process of Figure 5 observes unload events. It starts in location L0 and upon the first unload event it resets its local clock x and enters location L1. In location L1 the clock is reset whenever an unload event takes place. The observer is used to find an infinite schedule that takes at most $H$ time units until the first unload event, and that has at most $S$ time units between two unload events. Such a schedule is specified by the following TCTL property that can be checked by UPPAAL.
$EG((observer.L0 \Rightarrow observer.x \leq H) \wedge (observer.L1 \Rightarrow observer.x \leq S))$ (2)
If this property is satisfied, then UPPAAL can return an example execution that consists of a path followed by a cycle. Such an execution thus gives an infinite control schedule for the wafer scanner with a stationary throughput of at least one wafer per $S$ time units. Unfortunately, the size of the reachable state space prevents UPPAAL from finding such an execution directly. We therefore added heuristics to the model to prune the state space:
1. The DAP derived in the previous section has been used to avoid unsafe material configurations of the machine.
2. Some transitions are useless (or suboptimal) in certain states, e.g., an internal robot can always turn, but this is useless if it does not hold wafers. The state space has been reduced by adding guards that prevent such useless behavior.
3. The optimal behavior of the locks in the initial phase (the filling of the machine) differs from their optimal behavior in the stationary phase. Therefore a heuristic has been added to enforce this difference: a lock can pressurize when it contains either an exposed wafer, or it is empty and the machine is not yet filled with enough wafers to be in the stationary state.
4. Some transitions have been made urgent (greedy): they must be taken as soon as they are enabled. For instance, if the DAP allows loading a wafer to a lock, then this must be done immediately.
Note that using urgent transitions without the DAP may be an unwise idea, since this can result in many deadlocks with the effect that an execution satisfying Property (2) does not exist anymore in the model. Also note that at least the last three heuristics may remove good schedules.
A lower bound on the time until the first unload event, $min_h$, can easily be derived from the model. It is also easy to see that the minimal separation time between exposed wafers that appear at the chuck that is in the measure position (and can therefore be picked up by an internal robot) equals $min_s = EXPOSE + SWAP$, where the former is the time needed for the expose operation and the latter is the time needed for the chuck swap. Therefore, the theoretical maximal stationary throughput of the machine is at most one wafer per $min_s$ time units. For the UPPAAL model with heuristics it is possible to find an execution that satisfies Property (2) for a value of $H$ that is 5% larger than $min_h$ and for $S = min_s$. Figure 6 shows this schedule that optimizes the stationary throughput of the EUV machine.
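The following Python program is an added example and not part of the paper; it does not use the authors' UPPAAL model. It shows, on a constructed discrete-time stand-in for the timed automata, what Property (2) asks for and how a "path followed by a cycle" witness is found: a toy machine that fills up for FILL ticks and then alternates EXPOSE and SWAP, composed with the observer of Figure 5 (locations L0/L1, clock x reset on every unload). The search is a depth-first search restricted to states that satisfy the state formula of Property (2); a back edge onto the search stack closes the cycle, which is the finite-state form of the EG witness UPPAAL returns. The toy also has a "useless" tick in which time passes without progress (a robot turning while holding nothing), and the prune_useless switch plays the role of the guard of heuristic 2; comparing the number of explored states with and without it shows why such pruning matters. All parameters, state encodings and function names here are assumptions of this example; the real model uses dense-time clocks, not integer ticks.

```python
from typing import Iterator, List, NamedTuple, Optional, Tuple

# Constructed toy parameters in discrete time units (assumptions, not the paper's values).
FILL = 4          # ticks until the first wafer can leave the machine (the toy's min_h)
EXPOSE = 3        # ticks needed for the expose operation
SWAP = 1          # ticks needed for the chuck swap, so the toy's min_s = EXPOSE + SWAP

# State = (observer location, observer clock x, machine phase, ticks left in the phase)
State = Tuple[str, int, str, int]
INIT: State = ("L0", 0, "fill", FILL)


def successors(s: State, prune_useless: bool) -> Iterator[State]:
    """One step of the product of the toy machine and the observer of Figure 5.
    A discrete-time stand-in for the timed automata: a tick advances x by one."""
    loc, x, phase, t = s
    if t > 0:
        yield (loc, x + 1, phase, t - 1)          # tick: the current operation progresses
        if not prune_useless:                     # tick: nothing useful happens (a robot
            yield (loc, x + 1, phase, t)          # turns while holding no wafer); heuristic 2
        return                                    # removes such transitions with a guard
    if phase == "expose":
        yield (loc, x, "swap", SWAP)              # expose done: the chuck swap starts at once
    else:                                         # "fill" or "swap" done: an exposed wafer
        yield ("L1", 0, "expose", EXPOSE)         # leaves (unload!): observer resets x, enters L1


def holds(s: State, H: int, S: int) -> bool:
    """State formula of Property (2): (L0 => x <= H) and (L1 => x <= S)."""
    loc, x, _, _ = s
    return x <= H if loc == "L0" else x <= S


class SearchResult(NamedTuple):
    lasso: Optional[Tuple[List[State], List[State]]]   # (prefix, cycle) witness, or None
    explored: int                                      # states visited by the search


def search(H: int, S: int, prune_useless: bool = False) -> SearchResult:
    """Witness for EG(holds): depth-first search over satisfying states only; a back
    edge to a state on the DFS stack closes the cycle of a path-plus-cycle execution."""
    if not holds(INIT, H, S):
        return SearchResult(None, 0)
    stack, on_stack, done = [INIT], {INIT}, set()
    iters = [successors(INIT, prune_useless)]
    while stack:
        nxt = next(iters[-1], None)
        if nxt is None:                      # all successors of the top state handled
            s = stack.pop()
            on_stack.discard(s)
            done.add(s)
            iters.pop()
            continue
        if not holds(nxt, H, S) or nxt in done:
            continue                         # violates (2), or already fully explored
        if nxt in on_stack:                  # back edge: stack[i:] is the cycle
            i = stack.index(nxt)
            return SearchResult((stack[:i], stack[i:]), len(done) + len(stack))
        stack.append(nxt)
        on_stack.add(nxt)
        iters.append(successors(nxt, prune_useless))
    return SearchResult(None, len(done))


def duration(states: List[State], cyclic: bool = False) -> int:
    """Time steps along a state sequence: x grows by exactly one per tick."""
    seq = states + (states[:1] if cyclic else [])
    return sum(1 for a, b in zip(seq, seq[1:]) if b[1] == a[1] + 1)


if __name__ == "__main__":
    res = search(H=FILL, S=EXPOSE + SWAP)
    prefix, cycle = res.lasso
    print("first unload after", duration(prefix), "ticks;",
          "cycle period", duration(cycle, cyclic=True), "ticks;",
          res.explored, "states explored")
    print("S below min_s has no witness:", search(FILL, EXPOSE + SWAP - 1).lasso)
```

With S = EXPOSE + SWAP the witness cycle has exactly one unload per min_s ticks, the toy analogue of the schedule in Figure 6, and for any smaller S the search exhausts the satisfying states without closing a cycle, which is what "no execution satisfying Property (2) exists in the model" means on a finite structure.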
It took only little effort to change the UPPAAL model in order to analyze two alternative machine designs w.r.t. throughput. In the first design, the incoming wafers have been restricted to the upper two locks and the outgoing wafers to the lower two locks (to prevent deadlock a priori; see Section 2). We can easily find an optimal schedule with $S = 1.61 \cdot min_s$ that shows that not the expose operation but the locks have become critical. This confirms our suspicion that has been stated in Section 2. The second alternative design consists of only two locks and one internal robot. We can easily find a schedule with $S = 1.82 \cdot min_s$, but we cannot guarantee that this is an optimal schedule.
Fig. 6: A schedule that optimizes the stationary throughput of the EUV machine. The cyclic part of the schedule consists of the interval between points A and B. Note that the operation of the lens is only interrupted by the chuck swap (which is necessary). (Gantt chart; rows: LENS, C0, C1, R00, R01, R10, R11, L0, L1, L2, L3, TrackRobot; operations shown: C2R, DEPRES, EXPO, L2R, L2T, MEAS, PRES, R2C, R2L, SWAP, SWITCH, T2L, TURN.)
5 Conclusions
The SMV model checker has successfully been used to characterize the set of safe states of the EUV machine. This characterization consists of a very short boolean expression over the places in the machine and is useful for the design of an actual controller since deadlock can easily be avoided by examining the possible successor states of the current state. Since the characterization is exact, the controller implements a least restrictive (optimal) deadlock avoidance policy. Furthermore, we used the UPPAAL model checker to compute infinite schedules for the EUV machine that optimize stationary throughput. It took little effort to change the UPPAAL model in order to analyze two alternative machine designs.
In theory, our approach can be applied to a broad class of resource allocation systems. As always when using model checking, the state space explosion is the main problem for scalability. Altogether, in our view, the present work nicely illustrates the usefulness of model checking techniques to support the design process of applications that involve resource allocation and scheduling. Building models that are just abstract enough for addressing a specific question often provides a good way to deal with the state space explosion problem.
Acknowledgements. The authors thank Biniam Gebremichael for his useful suggestions concerning the SMV model, and the anonymous reviewers for their helpful comments on a preliminary version of the present paper.
References
1. R. Alur, C. Courcoubetis, and D. L. Dill. Model checking in dense real time. Information and Computation, 104:2-34, 1993.
2. R. Alur and D. L. Dill. Automata for modeling real-time systems. In Proceedings 17th ICALP, pages 322-335, 1990.
3. R. Alur and D. L. Dill. A theory of timed automata. TCS, 126:183-235, 1994.
4. N. C. W. M. Braspenning. Scheduling and behavior verification of machines based on task-resource models. Master's thesis, Department of Mechanical Engineering, Eindhoven University of Technology, The Netherlands, October 2003. Confidential.
5. M. C. Browne, E. M. Clarke, and O. Grümberg. Characterizing finite Kripke structures in propositional temporal logic. TCS, 59(1,2):115-131, 1988.
6. R. E. Bryant. Graph-based algorithms for boolean function manipulation. IEEE Transactions on Computers, C-35(8):677-691, August 1986.
7. E. M. Clarke, O. Grumberg, and D. A. Peled. Model Checking. MIT Press, 2000.
8. E. W. Dijkstra. Cooperating sequential processes. Technical report, Eindhoven University of Technology, The Netherlands, 1965.
9. A. Fehnker. Scheduling a steel plant with timed automata. In Proceedings RTCSA'99. IEEE Computer Society Press, 1999.
10. B. Gebremichael and F. W. Vaandrager. Control synthesis for a smart card personalization system using symbolic model checking. In Proceedings FORMATS'03, LNCS 2791, pages 189-203. Springer-Verlag, 2004.
11. V. Hartonas-Garmhausen, E. M. Clarke, and S. Campos. Deadlock prevention in flexible manufacturing systems using symbolic model checking. In IEEE Conference on Robotics and Automation, volume 1, pages 527-532, 1996.
12. M. Hendriks, N. J. M. van den Nieuwelaar, and F. W. Vaandrager. Model checker aided design of a controller for a wafer scanner. Report NIII-R0430, Institute for Computing and Information Sciences, University of Nijmegen, June 2004.
13. K. G. Larsen, P. Pettersson, and W. Yi. UPPAAL in a nutshell. International Journal on Software Tools for Technology Transfer, 1(1/2):134-152, 1997.
14. M. Lawley and S. A. Reveliotis. Deadlock avoidance for sequential resource allocation systems: Hard and easy cases. International Journal of Flexible Manufacturing Systems, 13(4):385-404, 2001.
15. M. Lawley, S. A. Reveliotis, and P. Ferreira. Design guidelines for deadlock handling strategies in flexible manufacturing systems. International Journal of Flexible Manufacturing Systems, 9(1):5-30, January 1997.
16. K. L. McMillan. Symbolic Model Checking. PhD thesis, Carnegie Mellon University, Pittsburgh, May 1992.
17. T. Murata. Petri nets: Properties, analysis, and applications. Proceedings of the IEEE, 77(4):541-580, 1989.
18. J. Park and S. A. Reveliotis. Deadlock avoidance in sequential resource allocation systems with multiple resource acquisitions and flexible routings. IEEE Transactions on Automatic Control, 46(10):1572-1583, 2001.
19. S. A. Reveliotis, M. Lawley, and P. Ferreira. Polynomial-complexity deadlock avoidance policies for sequential resource allocation systems. IEEE Transactions on Automatic Control, 42(10):1344-1357, 1997.
20. W. Stallings. Operating Systems. Prentice-Hall, 1998.
21. Y. Wang and Z. Wu. Deadlock avoidance control synthesis in manufacturing systems using model checking. In IEEE American Control Conference, volume 2, pages 1702-1704, 2003.
22. S. Yovine. KRONOS: a verification tool for real-time systems. International Journal on Software Tools for Technology Transfer, 1(1/2):123-133, 1997.
