Practical Automaton proofs in PVS by Groot, A.L. de
PDF hosted at the Radboud Repository of the Radboud University
Nijmegen
 
 
 
 
The following full text is a publisher's version.
 
 
For additional information about this publication click this link.
http://hdl.handle.net/2066/32099
 
 
 
Please be advised that this information was generated on 2017-12-05 and may be subject to
change.
Practical Automaton Proofs in PVS
Adriaan de Groot
Practical Automaton Proofs in PVS
een wetenschappelijke proeve op het gebied
van de Natuurwetenschappen, Wiskunde en Informatica
Proefschrift
ter verkrijging van de graad van doctor
aan de Radboud Universiteit Nijmegen,
op gezag van de rector magnificus, prof. mr. S.C.J.J. Kortmann,
volgens besluit van het College van Decanen
in het openbaar te verdedigen op
donderdag 6 maart 2008
om 10:30 uur precies
door
Adriaan de Groot
geboren op 6 januari 1973 te Calgary, Canada
Promotor:
prof. dr. Frits Vaandrager
Copromotor:
dr. Jozef Hooman (Radboud Universiteit Nijmegen en
Embedded Systems Institute)
Manuscriptcommissie:
prof. dr. Erik Proper
prof. dr. Herman Geuvers
dr. Angelika Mader (Universiteit Twente)
Practical Automaton Proofs in PVS
by
Adriaan de Groot
Copyright text © 2008, Adriaan de Groot, Lent.
Copyright illustrations © 2000,2001 R. Stevens, used by permission.
ISBN 978-90-9022682-8, IPA Dissertation Series 2008-02.
Typeset with LATEX2e.
Set in Bitstream Vera 10pt.
Printed by Ipskamp Print Partners, Enschede.
The work in this thesis was carried out under the auspices of the Insti-
tute for Programming Research and Algorithmics (IPA). This research was
supported by the Netherlands Organization for Scientific Research (NWO),
project 612.062.000: Architectures for Structuring the requirements Spec-
ification of Embedded Safety-critical Systems (ASSESS).
Preface
Most PhD. theses start with a litany of woes, a description of the tedium, the
loneliness, and the hard time writing. Sadly, this thesis is one of them. Writ-
ing a thesis is hard to do. It’s hard to let go of text you have written which
needs to be thrown out in the name of brevity, accuracy, or consistency. It’s
hard not to throw out the baby with the bathwater, too.
I do hope some of the baby is left in here.
Having two babies — Mira and Amiel — two years apart while writing a
thesis is not the brightest thing to do, although it does reduce the tedium
and the loneliness. It also brings home the realization that formal methods
will get you only so far, and there is room in this world for informal methods
of system design, construction, and post-delivery configuration as well. I
have tried to include some funny pictures in this thesis for our younger
readers, thanks to the efforts of R. Stevens.
Various people influenced and inspired me throughout the research rep-
resented by this thesis. My first and foremost influences were of course
my promotor Frits Vaandrager and my daily supervisor Jozef Hooman. Two
men with very different approaches to verification; Frits has always seemed
to value beauty in a theory above all else, while Jozef is more goal oriented
when it comes to proving properties in concrete case studies. Via Jozef I
learned of my scientific ‘grandfather’ Willem-Paul de Roever, from whom I
stole the habit of asking exacting questions (during conferences or while
reading specifications).
Exacting (and sometimes nasty) questions are important in verification.
You have to keep asking whether a given specification is right — both cor-
rect and sensible — and in the end you always find out that there’s things
terribly wrong with it anyway and you have to start over. Nasty questions
v
about safety need to be asked; nasty questions about liveness and progress
need to be asked as well. My gratitude goes out to all those who asked the
progress question ‘is your thesis done yet?’ over the past few years.
The mother of my children, Mignon Engel, probably asked the progress
question the most often; my mom is guilty of similar prodding; daughter
Mira only asked ‘but why?’ when I told her I was writing a book. If this
sounds like a repeat of a list of thank-yous to the women in my life from my
Master’s thesis, then it is, but with different women this time.
A number of people at the department of Computer Science in Nijmegen
made the experience all the more enjoyable — Mirèse Willems for always
being there and keeping track of the ups and downs of everyone; Angelika
Mader for showing me what it’s like to be intelligent and energetic; Hanno
Wupper for being philosophical about things and dragging me into some
alternate research directions; Martijns of various plumage for the social
aspect. To all of them, a thank you for the past four and more years.
This thesis is dedicated to the memory of my grandmother Cornelia
Agatha van Royen-Boogaerdt, who passed away at the age of 95 the day
before the manuscript was due. Long ago her husband, the Adriaan after
whom I was named, wrote a thesis too, and she understood.
vi
Contents
1 Introduction 1
2 Light Control 15
2.1 The Light-Control Case Study . . . . . . . . . . . . . . . . . . . 16
2.2 Terminology and Formalization Approach . . . . . . . . . . . . 18
2.2.1 Iterative Approach . . . . . . . . . . . . . . . . . . . . . . 19
2.2.2 Tool Support . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.2.3 Formalization with PVS . . . . . . . . . . . . . . . . . . . 21
2.3 Top-Level Formalization . . . . . . . . . . . . . . . . . . . . . . 23
2.3.1 Timing Primitives . . . . . . . . . . . . . . . . . . . . . . 24
2.3.2 Light Primitives . . . . . . . . . . . . . . . . . . . . . . . 24
2.3.3 Inputs to the System . . . . . . . . . . . . . . . . . . . . 25
2.3.4 Outputs of the System . . . . . . . . . . . . . . . . . . . . 26
2.3.5 Informal Specification of the User Needs . . . . . . . . . 27
2.3.6 First Attempt at Formalization . . . . . . . . . . . . . . . 28
2.3.7 Analysis of Remaining Informal Requirements . . . . . . 31
2.4 Analysis of the Requirements . . . . . . . . . . . . . . . . . . . 33
2.4.1 Conflicts . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
2.4.2 Second Formalization, Avoiding Conflicts . . . . . . . . . 34
2.5 Refinement using Dimmable Lights . . . . . . . . . . . . . . . . 35
2.5.1 Formalizing the Dimmable Light . . . . . . . . . . . . . . 36
2.5.2 Specification of the Dimmable Light . . . . . . . . . . . . 38
2.5.3 Combining Lights . . . . . . . . . . . . . . . . . . . . . . 40
2.5.4 The Control System . . . . . . . . . . . . . . . . . . . . . 41
2.5.5 Composition of the Undelayed Implementation . . . . . 43
2.5.6 Proving Undelayed Refinement . . . . . . . . . . . . . . 44
vii
2.6 Introducing Delays . . . . . . . . . . . . . . . . . . . . . . . . . 46
2.6.1 A Dimmable Light with Response Time . . . . . . . . . . 47
2.6.2 Delay-Refinement . . . . . . . . . . . . . . . . . . . . . . 50
2.7 Concluding Remarks . . . . . . . . . . . . . . . . . . . . . . . . 51
2.7.1 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . 51
2.7.2 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . 52
2.8 Source Material . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
2.8.1 Problem Description . . . . . . . . . . . . . . . . . . . . . 53
2.8.2 User Needs . . . . . . . . . . . . . . . . . . . . . . . . . . 54
2.8.3 Questions and Answers . . . . . . . . . . . . . . . . . . . 56
3 Structuring Automata 59
3.1 Automata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
3.1.1 Automaton Examples . . . . . . . . . . . . . . . . . . . . 62
3.1.2 Automaton Properties . . . . . . . . . . . . . . . . . . . . 66
3.2 Unstructured Automata . . . . . . . . . . . . . . . . . . . . . . 68
3.2.1 Unstructured Automata in Informal Rigor . . . . . . . . 68
3.2.2 Unstructured Automata in PVS . . . . . . . . . . . . . . 70
3.2.3 Considerations in the Formalization . . . . . . . . . . . . 75
3.3 Automata with Locations . . . . . . . . . . . . . . . . . . . . . . 78
3.3.1 Locations in Informal Rigor . . . . . . . . . . . . . . . . 79
3.3.2 Locations in PVS . . . . . . . . . . . . . . . . . . . . . . . 80
3.4 Timed Automata . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
3.4.1 Timed automata in PVS . . . . . . . . . . . . . . . . . . . 86
3.5 Hybrid Automata . . . . . . . . . . . . . . . . . . . . . . . . . . 91
3.5.1 Hybrid automata in PVS . . . . . . . . . . . . . . . . . . . 93
3.6 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
4 Two Simple Examples 97
4.1 The Prisoners’ Release Problem . . . . . . . . . . . . . . . . . . 98
4.1.1 Modeling the Prisoners’ Release . . . . . . . . . . . . . . 101
4.1.2 Translation to PVS . . . . . . . . . . . . . . . . . . . . . . 104
4.1.3 Verifying the Prisoners’ Release . . . . . . . . . . . . . . 107
4.1.4 Comments on the Modeling Process . . . . . . . . . . . . 110
4.2 FutureBus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
4.2.1 The Arbitration Protocol . . . . . . . . . . . . . . . . . . 113
4.2.2 Modeling Bus Values . . . . . . . . . . . . . . . . . . . . 116
viii
4.2.3 Modeling FutureBus . . . . . . . . . . . . . . . . . . . . . 118
4.2.4 Verifying FutureBus . . . . . . . . . . . . . . . . . . . . . 122
4.2.5 Comments on the Process . . . . . . . . . . . . . . . . . 129
5 Biphase Mark Protocol 133
5.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
5.2 Informal Description of the Protocol . . . . . . . . . . . . . . . 135
5.3 Uppaal Model and Analysis . . . . . . . . . . . . . . . . . . . . 137
5.3.1 Architecture . . . . . . . . . . . . . . . . . . . . . . . . . 137
5.3.2 Model Parameters . . . . . . . . . . . . . . . . . . . . . . 139
5.3.3 First Clock . . . . . . . . . . . . . . . . . . . . . . . . . . 139
5.3.4 The Coder . . . . . . . . . . . . . . . . . . . . . . . . . . 140
5.3.5 The Wire . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
5.3.6 The Sampler . . . . . . . . . . . . . . . . . . . . . . . . . 142
5.3.7 Second Clock . . . . . . . . . . . . . . . . . . . . . . . . . 143
5.3.8 The Decoder . . . . . . . . . . . . . . . . . . . . . . . . . 143
5.3.9 The Tester . . . . . . . . . . . . . . . . . . . . . . . . . . 145
5.3.10Uppaal Analysis Results . . . . . . . . . . . . . . . . . . . 146
5.4 Translating the Uppaal Model into PVS . . . . . . . . . . . . . 150
5.4.1 Merging Automata . . . . . . . . . . . . . . . . . . . . . . 151
5.4.2 Removing Shared Variables . . . . . . . . . . . . . . . . 152
5.4.3 Representing Events . . . . . . . . . . . . . . . . . . . . 153
5.4.4 Local States and Transitions . . . . . . . . . . . . . . . . 153
5.4.5 Global States and Transitions . . . . . . . . . . . . . . . 157
5.5 Proving Correctness, with Variations . . . . . . . . . . . . . . . 158
5.5.1 Structure of the Invariant Proof . . . . . . . . . . . . . . 159
5.5.2 Introducing Automation to the Proofs . . . . . . . . . . . 167
5.5.3 Summary of Automation . . . . . . . . . . . . . . . . . . 170
5.6 Automaton Theory for Uppaal Translation . . . . . . . . . . . . 172
5.6.1 Making Local Variables . . . . . . . . . . . . . . . . . . . 172
5.6.2 Synchronization through shared events . . . . . . . . . . 174
5.7 Playing with the Parameter Inequalities . . . . . . . . . . . . . 175
5.7.1 Minimizing the Cell Size . . . . . . . . . . . . . . . . . . 176
5.7.2 Maximizing the Clock Tolerance . . . . . . . . . . . . . . 177
5.7.3 Maximizing the Edge Distortion Tolerance . . . . . . . . 178
5.7.4 Optimizing the Bit Rate . . . . . . . . . . . . . . . . . . . 179
5.8 Related Work and Concluding Remarks . . . . . . . . . . . . . 180
ix
6 Bay Area Rapid Transit 185
6.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
6.1.1 The BART system . . . . . . . . . . . . . . . . . . . . . . 186
6.2 Approach to the BART System . . . . . . . . . . . . . . . . . . . 190
6.2.1 Notation and Tools . . . . . . . . . . . . . . . . . . . . . . 191
6.2.2 Finding the System Boundary . . . . . . . . . . . . . . . 193
6.2.3 Modeling the Environment . . . . . . . . . . . . . . . . . 194
6.2.4 Formalizing Properties . . . . . . . . . . . . . . . . . . . 199
6.2.5 High-Level Design and Verification . . . . . . . . . . . . 200
6.3 Application to the BART System . . . . . . . . . . . . . . . . . . 200
6.3.1 Step 1: Finding the System Boundary . . . . . . . . . . . 200
6.3.2 Step 2: Model the Environment . . . . . . . . . . . . . . 202
6.4 Designing a Controller . . . . . . . . . . . . . . . . . . . . . . . 216
6.4.1 Formalizing the UML Diagrams . . . . . . . . . . . . . . 220
6.4.2 Proving that the Controller Works . . . . . . . . . . . . . 226
6.5 Results raised by this technique . . . . . . . . . . . . . . . . . . 230
7 Conclusion 233
7.1 Summary of Results . . . . . . . . . . . . . . . . . . . . . . . . 233
7.2 Reflection on the Problem . . . . . . . . . . . . . . . . . . . . . 235
7.2.1 Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
7.2.2 Scalability . . . . . . . . . . . . . . . . . . . . . . . . . . 237
7.2.3 Readability . . . . . . . . . . . . . . . . . . . . . . . . . . 238
7.3 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
A Introducing PVS 243
A.1 Types and Objects . . . . . . . . . . . . . . . . . . . . . . . . . 243
A.2 Theories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
A.3 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
A.4 Syntactic Peculiarities . . . . . . . . . . . . . . . . . . . . . . . 250
A.5 Proofs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Bibliography 255
Samenvatting 267
x
Introduction You keep using that word. I donot think it means what you think
it means. – Inigo Montoya
This thesis is about an approach to modeling, validating and verifying com-
puter-based systems. The kinds of systems we examine happen to be em-
bedded systems, for the most part, but our approach is generally applicable
to computer-based systems. Since verification is essential to the production
of safe and reliable systems, we feel the entire process that precedes the
actual construction of such a system is in need of formal support; various
studies in this thesis show how a systematic approach to modeling and val-
idation can be applied to part of the software development lifecycle: the
requirements and specification phases. We focus on the practical side of
modeling and validation, showing how to approach problems of ambiguity
and incompleteness in the informal requirements. We illustrate some of the
considerations used in arriving at the approach used in this thesis. The case
studies and considerations show how this approach can be effective in find-
ing errors in models — errors which, when corrected, lead to better models
and higher quality computer-based systems.
The literature on formal methods and requirements specification tells us
that errors in a requirements specification propagate through all phases of
the design; they are often difficult to detect and costly to repair (e.g. [77,
82]). The general aim of our work is to investigate how the quality of the
requirements specification can be improved. Formulating the requirements
of a complex embedded system, including timing requirements, is far from
trivial. Often these specifications are ambiguous, incomplete or even in-
consistent. Therefore we need a systematic approach to formalizing and
analyzing these specifications which detects those ambiguities, omissions
and inconsistencies.
When doing analysis of formal models it is important to be able to relate
1
2 CHAPTER 1. INTRODUCTION
the results in the formal model — proofs, or changes that need to be made
to the models in order to complete the proofs — to the original informal
documents that form the basis of the formal model. To this end we follow a
process of “informal rigor” aimed at making sure that the formal models are
traceable back to the original informal document. Chapters 2 and 6 show
that informal specifications, even ones that seem sensible on first reading,
may contain essential ambiguities and conflicting requirements which may
be found using a more formal analysis. This ensures that the formal model
has an impact on the informal documents, and hence an impact on the rest
of the system development.
The chapters of this thesis are collected from articles written in the pe-
riod 2000–2005. Each focuses on a different part of modeling, validating
and verifying embedded systems. Chapter 2 examines requirements and
traceability [26]; chapter 3 defines a framework within which we will for-
malize the systems in the remainder of the thesis; chapter 4 looks at mod-
eling, as an illustration of the framework; in chapter 5 we combine tools in
order to verify a network protocol, while examining the practice of verifi-
cation proofs [87]; finally chapter 6 shows how the modeling of the hybrid
environment of a control system can be approached [54].
The remainder of this chapter gives a more detailed introduction to the
problem we attempt to solve and the approach used.
Problem
How can we write better requirements specifications? Can theorem provers
help in understanding informal specifications while translating them into a
more formal form? Can theorem proving technologies be applied effectively
during the requirements engineering phase of software development?
The construction of a system usually begins with some informal wishes,
written in natural language. These informal wishes may be overly brief, may
presume all manner of background knowledge, etc. In short, the require-
ments need to be formalized and analyzed. We aim to illustrate that it is
possible to write better requirements specifications through the use of for-
mal methods and that theorem provers can be applied to the requirements
engineering phase of software development. We will demonstrate that this
can be done in such a manner that potential defects in the software — stem-
ming from ambiguity, incompleteness or inconsistency in the informal spec-
3ifications — can be detected earlier in the engineering cycle and resolved.
This helps the understanding of the informal specifications and with that
better understanding comes better requirements specifications.
To enable the effective and structured practical application of theorem
proving tools to the requirements phase we will develop a framework in
a theorem prover that supports the formalization of systems as automata
(transition systems) and proving properties of such automata.
In this thesis we will apply theorem proving technologies to the modeling
of software systems, to the validation of those models and the formalization
of requirements for those models. Five case studies illustrate how theorem
provers can be used while working on the requirements specifications of
computer-based systems. Each case study illustrates that the use of a theo-
rem prover can improve the understanding of the informal specification and
in finding errors and omissions; two of the case studies — chapters 5 and 6
— pay more attention to the effectiveness of using the theorem prover.
Approach
Our approach to modeling, validation and verification of embedded systems
aims to be a practical one as well: one that stresses ‘do this, then that.’
When we illustrate that theorem provers can be applied to requirements
engineering, we will do so in sufficient detail that it is clear how we apply
them. Practical issues of administering the traceability of the formalization
(i.e. keeping track of what parts of the informal specification lead to a given
formula) and proof structure will be dealt with in order that the reader
can apply our approach to other problems. This thesis is not written as a
textbook, but it might be used for such a purpose.
The measure of success in applying a theorem prover in the require-
ments engineering phase is the correctness of the resulting formal require-
ments document. Since the only measure of that correctness is the initial
informal document or further interaction with the purveyor of that informal
document, this is a flawed measure: we cannot meaningfully measure our
understanding of the formalization of an informal document against our un-
derstanding of that informal document. As a derivative measure, we will
count the number of errors — inconsistencies, incompleteness or ambigu-
ities — found in the informal document through the formalization process.
Finding errors is therefore a success. The case studies in the remainder of
4 CHAPTER 1. INTRODUCTION
this thesis will illustrate how the errors are found (and usually corrected).
We use the theorem prover PVS [71] in our work. PVS (Proof Verification
System) provides a strongly typed higher-order logic with an expressive
syntax, so that the models we write in PVS are relatively easy to read —
in our opinion, at least. The reader of this thesis may want to examine
appendix A in order to learn to read the PVS code in this book. Readable
formal specifications and models help in validating the models against the
original informal descriptions.
The following sections explain our approach to modeling, validation and
verification using PVS based on informal requirements documents in more
detail; the descriptions are generally applicable to the case studies in this
book as far as the different steps are actually performed in the case study.
The Light-Control study (chapter 2) is primarily concerned with modeling
and formalizing requirements while ignoring validation and verification; the
Biphase Mark Protocol study (chapter 5) performs verification based on an
existing formal model.
Modeling
The construction of a system usually begins with some informal wishes,
written in natural language. We understand that such an informal document
is open to interpretation and misunderstanding; a wish is not the kind of
document you can hand off to a programmer or systems engineer who will
then construct the system for you (unless that programmer has previous
experience solving just the kind of problem you want to be solved). One
possible informal (fictional) wish is the following:
We want a defrobnicator. A defrobnicator is not an actual
device; much like widget, doodad and thing-ma-jig, it denotes
something small and technical which we find hard to describe
and whose function is unclear.
Now, unless it is possible to find a systems engineer with defrobnica-
tion experience, we will need to elicit more information, and elucidate the
wishes into a description of what the wish entails. Basically, this means
asking questions and structuring the answers in some way. This addition
of detail to the description and the introduction of structure changes it into
the beginning of a blueprint of the thing which we want to make.
5Informal Wish
Informal Description
Elucidation
The questions we ask and the answers
we get do not just influence the informal
description — it may turn out that the
questions make our customer realize that
he does not want a defrobnicator at all,
but (say) a toothbrush. This interplay be-
tween informal and more formal descrip-
tions (higher and lower in the diagram, re-
spectively) can yield surprising insights, as will be seen in the Light-Control
case study in chapter 2. In this thesis we will write validation for the act
of checking that one description does, in fact, describe what we want it to
describe. This thesis was written in the shadow of Hanno Wupper’s use of
the words “validation” and “verification” as described in [96], so the ter-
minology differs from the IEEE Standard Glossary of Software Engineering
[47]. Within this thesis, consistently switch “validation” and “verification”
to conform to IEEE terminology. We do this by comparing it with the avail-
able less-formal descriptions; how we do this is described in chapter 2. It
boils down to always asking the same question: “do we really mean that?”
For our hypothetical defrobnicator, we might converse with our cus-
tomer, and so add details to the description of the defrobnicator until we
end up with the following, still informal, description:
As a hypothetical device, the defrobnicator has no extant pur-
pose that we can use to justify these details; suffice to say that
the suffix -tor means it does something, de- shows that it removes
or takes away, and the middle bit shows the importance of things
which are frobbed. Therefore, the defrobnicator must have an
input conveyor belt and an output conveyor belt; the input leads
to an examining station where widgets that are frobbed are dis-
carded. The unfrobbed widgets are passed on to the output belt.
Once we have a nicely detailed informal description, we might be able to
pass it along to a programmer, who might do the right thing with it. How-
ever, for some kinds of systems the level of confidence needed that the pro-
grammer does the “right” thing with the description needs to be very high.
6 CHAPTER 1. INTRODUCTION
Informal
Specification
Mathematical
Specification
Translation
Since we never produce software systems
with just a single programmer anymore,
we need coordination and integration be-
tween the parts that the programmers
produce individually; for this, too, we need
more precise specifications and a level of
confidence that the understandings of the
specifications match. In order to achieve
this level of confidence, we turn to a mathematical description of the sys-
tem, where ambiguity is banished. The word “banished” should be taken
with a grain of salt, since the interpretation of a mathematical model in the
real world entails some ambiguity and inaccuracy in itself. Such a mathe-
matical description may additionally mean that the description is amenable
to automatic conversion into a working system, or may be used for analysis
and simulation before the actual system is built. Because the defrobnicator
is clearly a safety-critical system (frobbed widgets are toxic at up to three
hundred feet) where mathematical precision is dearly needed, we will write
a new description of the defrobnicator like the following:
∀w ∈W . (i(w) ∧ e(w) ∧ ¬frob(w))⇒ o(w)
Our hypothetical programmer, who is well versed in Formal Methods
and in the domain of widgets both frobbed and unfrobbed, understands this
formula immediately and rushes off to build the system with the correct
number of conveyor belts (two, perhaps?). This leaves our customer rather
worried, because he has no idea whether that formula has anything to do
with the defrobnicator he has in mind. This means that the jump from infor-
mal description to mathematical description is too big a leap to take in one
go. To bridge the gap, we split the translation from informal to formal into
smaller steps. We might introduce an intermediate statement of the formula
above:
For all widgets, if they are input to the machine and they enter
the machine and they are not frobbed then they exit the machine
(what happens to frobbed widgets is unimportant).
7Informal
Formal
Semi-Formal
(Mathematical)
These smaller steps translate the in-
formal specification first into some semi-
formal notation (of which there are many)
and then translating the semi-formal nota-
tion into the formal mathematical notation
that our programmer loves. Each of these
steps could of course be split up again, so
that the resulting translation steps are all
small enough to be believable.
Why do we need to worry about the size of the steps in the modeling
process, or about the size of the gap between one model and the next? Does
the introduction of many translations mean that errors can slip into the
translation itself? Does this whole “formal methods circus” actually get us
anywhere?
Some answers to these questions and others can be found in this thesis,
although they have been examined before; see chapter 1 for a comparison
to existing work.
This entire process — many steps composed of elicitation, elucidation,
validation — is referred to as the modeling process. From our initial, infor-
mal, wishes we derive a mathematical model (description) of the system we
want. We will assume that at some point we arrive at a model that can be
realized, i.e. turned into a real system in a straightforward fashion. One
approach for realization is to use program transformation to create code.
By construction, the code realizes the mathematical model we start with.
Alternatively, we might rely on our programmer to validate that the C code
she writes realizes the mathematical model and in realizing it that it actually
does the defrobnication, i.e. it works. This final step, creating the system
itself, is outside the scope of this thesis. We are concerned with the mod-
eling phase and how formal methods can be used to produce high-quality
mathematical models.
Verification
Thus far we have concentrated on the question of validation — justifying
that the addition of details and other changes at every step are faithful to the
original wishes for the system. Validation is not the only thing of interest,
though. Colloquially, validation is concerned with whether we are building
8 CHAPTER 1. INTRODUCTION
“the right system,” i.e. the system that is actually desired. This is why we
check at every step that the increased amount of formalization still reflects
the informal wishes. The sibling question to validation is the question of
“are we building the system right,” i.e. whether the system is constructed
in the correct way and that it does what is desired. This is verification.
Informal Description
Formal Specification
Design
Invention
While we can validate that each step of
the translation is faithful, it is still possible
that the end result of the translation is not
what we really wanted — because at each
step we are concerned only with faithful-
ness of the translation, not with the even-
tual purpose of the system as a whole. We
will need to, eventually, actually build a
system to which we apply the specifica-
tion; we need to judge in an independent
fashion whether the mathematical specifi-
cation is realized by the system we build.
For instance, we want a defrobnicator, and we can detail the specification
of that into a mathematical description of what that means. However, we
have not really described how a defrobnicator should be built, so it is hard
to tell if the defrobnicator will satisfy our expectations. Therefore we inde-
pendently create a design for the defrobnicator:
The conveyor belt is connected to a stepper motor for advancing
the widgets on the belt; the foot-bone is connected to the primary
horizontal impeller shaft; the impeller shaft control is connected
to the control system. The control system is also connected to the
optical scanner system so that incoming widgets are scanned for
evidence of frobnication before they reach the foot-bone which
removes any frobbed widgets from the widget stream.
This design represents how we will build the physical defrobnicator. The
verification question asks whether this design will in fact satisfy the specifi-
cation.
Our experience with the case studies in this thesis shows the following:
the validation of the steps by which the informal wishes are turned into a
mathematical model of the system turns up many questions. Answering (or
trying to answer) these questions yields useful insight into the structure of
9the system and the way in which it is supposed to operate. By far the most
questions are raised here. Formulating all of the properties of the system
to be built is more complicated than formulating just a few that happen to
be easy to express. Things like safety tend to be easy to express: the bad
things that should not happen (called “safety properties”) are often quite
clear, such as in the BART case study in chapter 6. However, expressing the
good things that need to happen (commonly known as “liveness properties”)
can be quite difficult. Some of the chapters in this book focus on safety
(chapter 6 for instance) while others examine liveness properties (such as
the FutureBus example in section 4.2).
Failed verification attempts — those cases where we cannot give a proof
that a specific property holds for our system model — do tell us that some-
thing is wrong. However, there are several possibilities for “what is wrong.”
Either the model does not correctly express the machine we should build,
or the property does not really express a property our system should have
(or both). A philosophical consideration of validation and verification can be
found in [96].
Consider our approach as a whole, from and informal description of
wishes to a validated formal specification and a verified design, in the figure
below:
Specifications
Informal Description
Informal
Semi-Formal
Semi-Formal
Formal
Designs
Informal
Semi-Formal
Formal
Verification
Invention
10 CHAPTER 1. INTRODUCTION
The figure illustrates our entire approach to the modeling and verifica-
tion of embedded systems; the breadth of the arrows in the diagram indi-
cates approximately how useful that step is — based on the experiences of
the case studies in this thesis — for finding errors in the model or specifica-
tion and in giving insight into the system.
In the figure, translations which involve validation are vertical arrows;
dotted arrows indicate translations that may be done several times to pro-
duce more intermediate steps. Somewhere along the line we invent — de-
duce from the informal specification or create from common sense — a de-
sign for the system. At the end when we have both a formal specification
and a formal design for the system, we can do verification of the one against
the other.
In this thesis, the formal representation of the system design and its
properties (i.e. specification) is in PVS. PVS is a theorem prover that assists
a little in finding proofs of properties of models and helps a lot in main-
taining the tedious administration of large proofs. The language of PVS is
higher-order logic, and the concrete syntax is such that a PVS formula is
fairly easy to read for someone with a mathematical background. In addi-
tion, the syntax is quite expressive, resembling some constructs of imper-
ative programming languages. This simplifies the writing of specifications
relative to the use of a theorem prover such as Coq [19, 13], which uses
a more limited syntax. To some extent, though, one can get used to any
particular theorem prover, and the author was already versed in PVS, so its
continued use was natural. See [31] or [43] for other modeling efforts in
PVS and comparisons with other theorem provers.
Although PVS can be used to represent mathematics in an ad-hoc fash-
ion, it is most useful to have a framework to work with that constrains the
form of the formalization somewhat, so that we can re-use results from ear-
lier applications of the framework. For the purpose of this thesis, we will
model our systems as automata of some sort. This gives our formalizations
some structure: we need to give the parts of the automaton for the system
model. It also constrains our method of verification to (invariant) reasoning
about the traces of the automata. This use of a framework also allows us to
implement additional automation in PVS, for abbreviating future proofs.
11
How to Read this Thesis
This thesis collects several articles, written over a span of several years,
and places them in a single context of slowly improving methodologies (and
notation) for translating informal wishes into formal requirements and spec-
ifications. The notation for those formal requirements has changed in the
course of the years, so that the requirements written in an early article such
as the Light-Control study (1999) in chapter 2 are quite different from later
requirements in style — a different approach to formalization is taken, and
the form of the PVS theories is different. Earlier articles use earlier versions
of PVS, so the PVS code may not work in newer version of the same tool.
Each chapter notes which PVS version was used in creating it.
The Light-Control study [26] is different from the other studies in an-
other manner as well: it is concerned with the development of a formal set
of requirements for a system and considers the informal desires as an object
of study. By translating those desires into the formal language of PVS (and
validating the translation) and subsequently analyzing the formal desires,
we conclude that the informal desires are inconsistent and unobtainable.
Once the Light-Control study has set the stage for demonstrating our
approach, we proceed to explain the automaton framework which we use
in the remainder of the thesis to formalize various case studies. Chapter 3
[previously unpublished] goes into some detail on how the framework is
constructed and what is available from it.
With the framework firmly established, we apply it to two simple ex-
amples in chapter 4 [previously unpublished]. The first example is that of
the Prisoners’ Release problem, which is a simple communications proto-
col. The FutureBus arbitration protocol is the second example, and shows
another protocol which is analyzed in a different fashion. These two exam-
ples illustrate our approach to modeling and verification using operational
reasoning.
Next follow two large case studies. In chapter 5, we formalize a model
of a Biphase Mark protocol [87] and analyze the correctness of the protocol.
This work uses the Uppaal model checker to search for timing constraints
and then proves (with PVS) that the timing constraints on the protocol are
both necessary and sufficient. In this way we show that the timings of con-
crete instances of the Biphase Mark protocol (for instance, Ethernet) could
be some 15% tighter without endangering the correctness of the protocol.
12 CHAPTER 1. INTRODUCTION
This verification uses invariant-based reasoning and introduces a number
of automatic tools into the framework which make proofs much shorter and
less tedious.
Chapter 6 turns to modeling hybrid systems [54], where we model (part
of) the Bay Area Rapid Transit system and design a simple controller for
the trains that run in that transit system. The safety of the controller is
then proved. The hybrid nature of the system makes verification complex,
from a PVS interface point of view (the prover is not good at manipulating
quadratic equations) as well as from a theoretical point of view: design-
ing the controller and determining the necessary safety margins from the
specified ones is non-trivial.
The conclusion of this thesis contains an overview of the case studies
and reflections on “what have we learned?” The conclusion is followed by
appendices: the syntax and semantics of PVS for readers who need an intro-
duction to the proof tool; a summary of the Light-Control source documents;
a summary of the BART source documents; and a consideration of composi-
tion of automata in PVS.
Related Work
There are of course many similar attempts and case studies in the field of
modeling and in the field of improving models through the application of
formal methods in particular. Our methods are characterized by an intera-
tive approach and a focus on tracing requirements from the informal stage
through to the formalization. In this section, we briefly examine a variety of
other work in the field, showing how our approach differs:
Requirements Reformulation using Formal Specification [92].
This paper describes experiences related to the development of the
Nulka Electronic Decoy, using Timed Interval Calculus. The formal-
ization of the requirements detects incomplete requirements, missing
requirements, poor terminology and unnecessary requirements. The
effectiveness and benefits found in this case study are similar to the
results found in our Light-Control study in section 2.
Practical Application of Formal Methods in Modeling and Simu-
lation [56]. This paper applies lightweight formal methods to analyze
13
requirements early in the development cycle. The approach uses for-
mal techniques for analyzing the assumptions, relationships and prop-
erties of the requirements by following a three-phase analysis:
1. Restating the requirements in a formal notation.
2. Identifying ambiguities, conflicts and inconsistencies.
3. Model-checking or theorem-proving to study system properties.
This approach strongly resembles our own as formulated in chapter 2.
Microprocessor Verification in PVS [22]. Using a PVS framework
that resembles ours — except for being more primitive, owing to the
state of PVS in 1994 — the authors verify a pipelined microproces-
sor using the principle of (bi)simulation, in which the executions of a
specification state machine correspond through an abstraction func-
tion with the executions of a concrete machine. We see some salient
points of our framework in this effort: decomposition of models into
multiple automata which are represented as structures in PVS, for in-
stance.
TAME The Timed Automata Modeling Environment [8, 7] is a model-
ing environment for timed automata based on and in PVS. It resembles
our own framework in some ways, for instance through a focus on the
literary qualities of proofs in PVS. While TAME does not consider re-
quirements an important issue in modeling and verification, it does
offer useful support in the modeling phase itself. We might see TAME
as a complementary approach to our efforts in chapter 6. By combin-
ing well-supported tools in modeling with an approach that focuses on
requirements and validation we believe that it might be possible to
create formal specifications of systems that leverage the advantages
of both systems.
TIOA There is a consistent mechanical translation of Timed I/O Au-
tomata [64, 68] into PVS which takes much of the drudgery of the
translation away. However, this leaves us with the issue of the valida-
tion and verification of the TIOAmodel. The approach described in this
thesis could be applied to the creation of those models.
14 CHAPTER 1. INTRODUCTION
Light Control leave a little light on in thewindow // leave a little light by
the back door too. – Wyrd Sisters
The interactive theorem prover PVS is used to formalize the user needs
of the Light-Control system. The Light-Control system is meant to con-
trol the room lighting in an office building, although we handle a sim-
plified system that controls the lighting only in a single room. First the
system is modeled at a high level of abstraction, in terms of properties
the user can observe. After resolving ambiguities and conflicts, a refine-
ment is defined, using dimmable light actuators. The dimmable light
actuator is a model of “real” lights, although still with some idealized
behavior. Correctness of the refinement is proved in PVS, under the
assumption that there are no internal delays. Next these internal de-
lays are taken into account, leading to a new notion of delay-refinement
which allows abstraction from delays such that systems with delays can
be seen as an approximation of an undelayed specification.
This chapter uses PVS 2.4.
Originally appeared in the Journal of Universal Computer Science [27], november
2000. Some modifications have been made to remove extraneous material. A
summary of the case study which was available in the journal has been written
for this chapter, see section 2.8 of this chapter or the original full paper [74].
It is known from the literature that errors in a requirements specification
propagate through all phases of the design; they are often difficult to detect
and costly to repair (e.g. [77, 82]). The general aim of the work in this chap-
ter is to investigate how the quality of the requirements specification can
be improved, especially focusing on embedded systems. Formulating the re-
quirements of a complex embedded system, including timing requirements,
is far from trivial. Often these specifications are ambiguous, incomplete or
even inconsistent.
15
16 2.1 The Light-Control Case Study
To obtain unambiguous requirements, we propose to formalize the re-
quirements in formal language, that is, a language with a precise mathe-
matical meaning. This also enables formal analysis of the specification to
detect errors and inconsistencies and a formal proof of consistency. More-
over, subsequent refinement and design steps can be proved correct in a
formal, mathematical way.
Our approach is motivated by three points that we consider to be impor-
tant for a successful formalization of requirements.
• The first formalization of the requirements should be close to the infor-
mal specification. This makes it easy to trace problems raised during
formal analysis back to the informal formulation such that they can
be discussed with domain experts. After consulting these experts, the
incorporation of their solutions in the formal specification is rather
straightforward. Moreover, by having a close connection with the in-
formal specification, validation of the formal specification “does it cap-
ture the requirements we really need?” becomes easier, see e.g. [96].
• The approach should enable an iterative development of the (formal)
requirements. It should be possible to refine a high-level, abstract
specification to a more detailed, concrete specification.
• There should be convenient tool support to analyze the requirements
specification. For instance, it should be possible to reason about con-
sequences of the specification and to prove consistency of a number
of desired properties.
This chapter uses the Light-Control Case Study [74] as a vehicle to
demonstrate our approach to requirements specification for complex em-
bedded systems.
2.1 The Light-Control Case Study
The Light-Control system [74] is described in the Journal of Universal Com-
puter Science in June 2000; in the interest of making this thesis self-con-
tained we provide an abstract of the problem and some additional source
materials in section 2.8. To emphasize the essential points of our approach,
2.1 The Light-Control Case Study 17
we do not formalize the whole specification, but focus on the user needs for
rooms and the dimmable lights.
Page numbers in the text of this chapter refer to the pages of the in-
formal specification [74]. U1, U2, etc. refer to the user needs on page 9
of the original case study paper. The same user needs are included in sec-
tion 2.8.2 on page 54 of this thesis. Q1, Q2, etc. refer to the list of questions
and answers, available on the web site for the case study [61]. We base our
specification on the original informal specification and the answers to ques-
tions Q1–Q46 (the state of affairs as of December 15th 1999). We include
the questions-and-answers which affect our work in section 2.8.3. More
questions were posed to the case study team, but we decided not to try to
adapt our specification to every change. In particular, Q58, posed after the
closing date for this work, does add information that contradicts some of
our assumptions (see section 2.5.1).
Structure of this Chapter
This chapter begins with an explanation of the terminology we use in sec-
tion 2.2; this terminology differs slightly from what is used in the rest of
this thesis. Our approach remains one of iterative refinement with an em-
phasis on validation. Once the approach is clear, we apply the iterative
approach. This yields a top-level requirements formalization in section 2.3;
the requirements are analyzed and found wanting in section 2.4. We then
refine the formalization by introducing dimmable lights in section 2.5 and
demonstrate that we can create a controller that satisfies the requirements.
From there we add delays into the model of the system and show that this
forces us to reconsider the notion of “satisfying requirements.” Conclusions
follow in section 2.7. A selection of the source material used is included as
section 2.8.
This particular case study was done before the development of the au-
tomaton framework described in chapter 3 which is used in the other case
studies in this thesis. The formalization done in this chapter could surely be
done in the format of the automaton framework, but because the emphasis
is on the formalization of the requirements and not on the modeling or val-
idation of the system, there is not much that fits into the framework. The
state of the system is defined and the user needs are formalized as predi-
cates which are quantified over the evolution of the system in time; in the
18 2.2 Terminology and Formalization Approach
automaton framework this would become a quantification over states in an
execution of the automaton. Some formalizations that express durations
would become slightly more complicated, but on the whole the formaliza-
tion can easily be translated into the automaton framework. On the other
hand, little practical gain beyond confidence in the framework comes from
changing formalisms in this late stage, since the results of the case study
are primarily inconsistency results: the informal requirements themselves
are inconsistent and formalizing them in any formalism should reveal these
inconsistencies. Our approach is fairly practical, focusing on light-weight
formalization, traceability and validation. The results found here, tracing
inconsistency results to the informal requirements, show that this practical
approach is valuable.
2.2 Terminology and Formalization Approach
In our terminology, a system is a black box that can be distinguished from its
environment. We can only observe the exterior of a system which has a finite
number of ports. Let L denote the set of ports. The system interacts with its
environment through these ports, and only through the ports. Interaction in
this case means exchanging values. Each port has an associated port-type
which can be any data type, although simple data types (integers, booleans,
records over these types) are commonly used. The number of ports of a
system is fixed (i.e. |L|) and there is some fixed data type Tp for each port
p ∈ L.
We partition the ports of a system into two disjoint sets: the input ports
Li and the output ports Lo. We define I = Πp∈LiTp to be the set of inputs
to the system (this is a tuple of values for each input port) and similarly and
O = Πp∈LoTp for the type of tuples over the types of the output ports.
Since we are dealing with real-time-systems, we need some notion of
time (see e.g. [84, 55] for an overview). For the purpose of this chapter, we
model time with the real numbers. At each instant in time we can observe
a system and record a so-called observation, which is a tuple of type O. A
characteristic of a system is a function which assigns an observation to each
point of time, i.e. gives us the values at the output ports for each point in
time.
We formalize the informal specification using the following approach.
2.2.1 Iterative Approach 19
1. First formalize the types of the input ports of the system, including
possible assumptions about the input.
2. Next we formalize the types that constitute the outputs of the system.
3. This allows us to define the types for observations and characteristics
of the system.
4. Then we formalize the informal specification sentence-by-sentence,
adding quantifiers where needed, resulting in formulae that are very
close to the informal text and that restrict the allowed output, i.e. what
characteristics are acceptable.
5. We analyze the resulting formulae concerning consistency (by trying
to find a model satisfying them) and by trying to derive undesired
consequences from the specification — often called “putative” theo-
rems [71].
6. Problems encountered are related back to the informal specification
and should be resolved, e.g. by consulting domain experts.
7. This process is repeated until we are satisfied with the current formal
specification.
2.2.1 Iterative Approach
In the Light-Control Case Study, we proceed through three steps that rep-
resent a typical iterative approach to formal requirements engineering of
embedded systems.
1. First we formulate a high-level abstract specification in terms of con-
cepts that can be observed by users of the systems. In the Light-
Control Case Study we formalize the user needs in terms of light
scenes, occupancy of rooms, observed illumination in a room, etc. This
is done in the sections 2.3 and 2.4. The actual formalization proceeds
according to the steps described in section 2.2.
2. In section 2.5 we refine this high-level specification by introducing
sensors and actuators. To keep the refinement simple in this step,
20 2.2 Terminology and Formalization Approach
we assume that there are no internal delays; all internal communica-
tion takes place instantaneously. In this paper we formally describe a
dimmable light and refine the high-level specification by introducing
two dimmable lights for each room that together should realize the
required illumination. We show that the resulting specification refines
the high-level specification in the classical sense. That is, every output
of the refined system is allowed by the high-level specification.
3. In the final step, described in section 2.6, we take the internal delays
into account. Important here is the observation that this is not a clas-
sical refinement; due to these internal delays, the timing requirements
of the high-level specification are not met. Still, we establish a formal
relation by defining a general notion of delay-refinement. This saves
us from rewriting the entire specification produced in previous steps
to take the internal delays into account. Most importantly, though,
this allows us to relate the formal specification of a system with delays
to the informal text which mentions delays for actuators but abstracts
from them in the high-level requirements.
2.2.2 Tool Support
Our specifications are formulated in the language of the interactive theo-
rem prover PVS [71]. The specification language of PVS is a classical, typed
higher-order logic with a large number of built-in types (e.g. booleans, in-
tegers, reals) and type-constructors (as functions, sets, tuples, records), in-
cluding a powerful mechanism to define abstract data types. Typechecking
PVS specifications is not decidable and the system may require the user to
prove so-called Type Check Conditions (TCCs) to ensure type correctness.
Specifications can be structured through a hierarchy of parameterized the-
ories. Logical analysis of specifications can be mechanized using the pow-
erful theorem prover of the PVS system.
Our choice of PVS is based on earlier experience with this tool and case
studies from the literature, e.g. to model a steam boiler control system [90]
and to formalize the requirements of a command and control system [88].
The specification language of PVS is very expressive and fairly intuitive,
which makes it easy to maintain a close connection with informal text. The
fact that the language is strongly typed turns out to be very useful for the
2.2.3 Formalization with PVS 21
System with
i1
i2
i3
i4 o2
In
pu
ts
O
ut
pu
ts
o1
specification S
Figure 2.1: A system with four inputs and two outputs.
early detection of errors. For details of PVS notation and semantics, please
refer to appendix A.
2.2.3 Formalization with PVS
We show by an example how we model system requirements in PVS. Con-
sider a system with four inputs and two outputs which should satisfy some
specification S (see figure 2.1). The set of ports for this system is L =
{I1 . . . I4, O1, O2}. The set of output ports is Lo = {O1, O2}. Assume as given a
PVS theory systemTypes which defines the type Time and the types T1 through
T4 of the ports I1 through I4, respectively.
The PVS theory system, shown below, first imports theory systemTypes and
then lists the input ports. Each input port is modeled as a function from Time
to the type of the port. We define the output type of the system (component)
as type O. Given the input characteristics the possible output characteristics
of the system are specified by S_predicate — this is the system specification
we are aiming to write down. An arbitrary output characteristic satisfying
this predicate is given by instance which is defined as a constant of the type
consisting of all output functions satisfying S_predicate. When we declare
an instance that satisfies the predicate, PVS creates a TCC that demands
that we prove that the predicate is satisfiable, i.e. that the specification can
be realized.
system [ (IMPORTING systemTypes)
I1:[Time->T1], I2:[Time->T2],
I3:[Time->T3], I4:[Time->T4] ] : THEORY
BEGIN
22 2.2 Terminology and Formalization Approach
O : TYPE+ = ...
S_predicate : [ [Time->O] -> bool ] = ...
instance : { out:[Time->O] | S_predicate(out) }
END system
In this style, it is easy to compose a system out of parts that are con-
nected in some way. We simply connect the input ports of a part with the
instance that represents the output of another part.
Inputs
Pa
rt1 Part2
Pa
rt3
Pa
rt4
i1
i2
i3
i4
o1
o2
Outputs
Figure 2.2: A system composed of four parts with four external inputs and
two outputs.
Consider the system in figure 2.2, below. The system as a whole has
inputs I1 through I4. These inputs are passed to the theories which specify
parts 1, 3 and 4. The outputs of parts 1 and 3 are passed on to other
parts. The outputs of parts 2 and 4 are finally declared to be outputs of
the system. Each part is assumed to be defined in a theory partn in the
style of the theory system, above. We then import each theory partn. We
refer to definitions from the theory partn (in particular the instance from
the imported theory) by prefixing them with the name of the theory and a
dot, as in part1.instance. This leads to a theory like the following:
system [ (IMPORTING systemTypes)
I1:[Time->T1], I2:[Time->T2],
I3:[Time->T3], I4:[Time->T4] ] : THEORY
BEGIN
IMPORTING part1[I3,I4]
IMPORTING part2[part1.instance]
2.3 Top-Level Formalization 23
IMPORTING part3[I2,part1.instance]
IMPORTING part4[I1,part3.instance]
O : TYPE+ = [ part4.O, part2.O ]
instance(t:Time) : O =
( part4.instance(t), part2.instance(t) )
END system
By adhering to this style of specification, we can produce relatively com-
plex and nested specifications using the principle of nested black boxes.
2.3 Top-Level Formalization
In this section we describe our first formalization of a part of the Light-
Control system [74], following the steps described in section 2.2. Instead of
formalizing as much as possible of the informal specification, we consider
only a part of the specification and investigate formal analysis and refine-
ment steps for this part. We focus on the user needs U1 through U12 (p. 9)
that describe the desired amount of illumination in a room.
According to p. 5, a room has a two ceiling light groups (window and
wall), each with a push button and a dimmer-actuator. Henceforth we refer
to these ceiling light groups as dimmable lights. The user can specify so-
called light scenes, consisting of a desired ambient light level in the room
and how this should be realized using the two dimmable lights (i.e. using
one of them or both). There is also a motion detector in each room and
a door-closed contact; in the current formalization we abstract from the
motion and door sensors and assume we can observe whether a room is
occupied or not.
In a preliminary version of the formalization of the requirements, all PVS
theories were parameterized by a uninterpreted type Rooms and most def-
initions contained an argument to identify the room under consideration.
Since this parameter did not have any influence on the definitions, because
the requirements of rooms are independent, we removed it from the formal-
ization. The room under consideration is left implicit.
In section 2.3.1 we start with a PVS theory that introduces a few tim-
ing primitives. Basic types to describe light scenes are presented in sec-
tion 2.3.2. The inputs and the outputs of the theory containing the user
needs are defined in the sections 2.3.3 and 2.3.4, respectively. The most im-
24 2.3 Top-Level Formalization
portant informal user needs are presented in section 2.3.5. Our first attempt
to formalize them can be found in section 2.3.6. Section 2.3.7 discusses the
remaining user needs.
2.3.1 Timing Primitives
Since the user needs refer to periods of time, we start with a PVS theory that
introduces a few basic timing primitives. As mentioned in the introduction,
we use the real numbers to represent physical time. The type real is pre-
defined in PVS, together with the usual operations such as +,−,×,≤.
TimePrim : THEORY
BEGIN
Time : TYPE+ = real
TimeDuration : TYPE+ = { d:real | d>=0 }
nzTimeDuration : TYPE+ = { d:TimeDuration | d>0 }
Using the reals as a model of time implies that time is dense, so the value
of a port might change at any point in time and with arbitrary separation in
time.
We also introduce functions ms and sec that convert some whole num-
ber of milliseconds or seconds into a real value corresponding to the same
length of time in the time model. Using functions like ms and sec make the
formal specification easier to read for both domain experts and customers.
We have chosen to equate one milisecond with intervals of unit length, lead-
ing to a simple conversion.
ms(n:nat) : TimeDuration = n
sec(n:nat) : TimeDuration = ms(1000*n)
END TimePrim
2.3.2 Light Primitives
The PVS theory LightTypes defines the type LightScene as a record contain-
ing a desired ambient light level and an option that indicates which of the
lights should be used to achieve the desired ambient light level, based on
the text on p. 13.
BoundedLux stems from the informal text on p. 7 describing the external
light sensor. Although no mention of bounds is made on p. 13 in the descrip-
tion of light scenes, we assumed that 0–10000 would be a good range for
2.3.3 Inputs to the System 25
light scenes. Most sources indicate that typical office illumination is around
300 lux, perhaps 400 lux for brightly-lit ones. An operating theatre with
intense overhead lighting may reach 10000 lux. Outdoors, the sun does a
much better job, easily providing 40000 lux of illumination on an average
day. The range 0–10000 seems, therefore, to be quite adequate to describe
office lighting.
LightTypes : THEORY
BEGIN
IMPORTING TimePrim
Lux : TYPE+ = { n:real | n>=0 }
BoundedLux : TYPE+ = { l:Lux | l<=10000 }
SceneOption : TYPE+ = { window, wall, both }
LightScene : TYPE+ =
[# light: BoundedLux, option: SceneOption #]
END LightTypes
2.3.3 Inputs to the System
Since the specification is basically concerned with a single room that is
occupied by users, the occupation status of the room under consideration
will be given as an input to the system. A room could be considered oc-
cupied if the motion detector (mentioned on p. 5 and p. 13) in the room
senses motion. We have chosen not to use the motion detectors in this ini-
tial specification, since the motion sensors are not part of the user’s view
of the system. Instead, we rely on the abstract occupied? for the occupation
status.
In the PVS theory UserNeeds, the parameter (input port for the system)
occupied? has type [Time->bool], i.e. a function which expresses at each
point in time whether the room is occupied or not. This abstracts away all
the ways in which the system determines that the room is occupied. The
other inputs of the system are at least the room lighting parameters that
the user can choose, which are described in U9 on p. 9:
U9: The room control panel for an office should contain at least:
a possibility to set each ceiling light group; a possibility to set
the chosen and the default light scene; and a possibility to set
T1.
26 2.3 Top-Level Formalization
Hence the parameters of theory UserNeeds include time-dependent func-
tions that model the chosen scene and the default scene. The clause “set
each ceiling light group” is interpreted to mean that the user has push
buttons as described on p. 7. This is translated in PVS as the two inputs
pushbutton1 and pushbutton2 (they are used in a very limited fashion, namely
to indicate that the user has performed some explicit action to choose a light
scene). The user can set T1, a period of time which indicates how long a
room must remain empty before the control system should take action. It
is referred to in U3 and U4 (see section 2.3.5). With all of the inputs to the
system identified, the theory UserNeeds starts as follows:
UserNeeds [ (IMPORTING TimePrim,LightTypes)
occupied? : [Time->bool],
chosen_scene : [Time->LightScene],
default_scene : [Time->LightScene],
pushbutton1 : [Time->bool],
pushbutton2 : [Time->bool],
T1 : [Time->nzTimeDuration] ] : THEORY
2.3.4 Outputs of the System
The outputs of the system are the things that the user can actually see. At
the highest level, the user needs on p. 9 are concerned with light scenes that
should be realized in the rooms. Earlier, in theory LightTypes we already
introduced type LightScene to model the parameters that the user can set,
as defined on p. 13 under “light scene.” In that definition, light intensities
are stated to vary between 0 and 10000 with the type BoundedLux. In a
room the light level is potentially unbounded, since it may be a very bright
sunny day outside. The amount of light the lights themselves can produce
is never stated in the informal specification, nor how light intensities add
up, so there is no reason to believe that the amount of light that could be
in the room is less than 10000 Lux. Therefore we use the unbounded type
Lux to represent the amount of light in the room. Now we define a new type
roomObservables to model what is observed in a room at some point in time:
the amount of light and which of the lights are on. A room characteristic is
that behavior through time.
roomObservables : TYPE+ = [# light: Lux, option: SceneOption #]
roomCharacteristics : TYPE+ = [Time->roomObservables]
2.3.5 Informal Specification of the User Needs 27
light
User Needs as yet
undetermined.
pushbutton1
default
scene
chosen
occupied?
scene
T1
pushbutton2
User Needs
option
Specification of
Figure 2.3: Inputs and Outputs for the User Needs.
Figure 2.3 shows the input and output of the system which summarizes
sections 2.3.3 and 2.3.4. No specification is given yet for the system, just
the “interface” of ports that it has.
2.3.5 Informal Specification of the User Needs
For reference, we include the text of the user needs U1–U4 from p. 9 of [74].
The wording of U1 has been changed by Q42, so we quote the modified text
here.
U1: If a person occupies a room, there has to be safe illumination
unless a specific light scene has been chosen or the ceiling light
groups are set manually. This means that when the default scene
is established (i.e. through U4) and the room is occupied, there
must be safe illumination. When the room is occupied and some
light scene has been chosen by the user, the lighting must be set
according to that scene.
U2: As long as the room is occupied, the chosen light scene has
to be maintained.
28 2.3 Top-Level Formalization
U4: If the room is reoccupied after more than T1 minutes since
the last person has left the room, the default light scene has to
be established.
The remaining user needs that have not been mentioned yet (U5–U8 from
p. 9) are discussed in section 2.3.7, where we will argue that they do not
contribute materially to this first top-level formalization.
2.3.6 First Attempt at Formalization
Our initial attempt concentrated on the specification of the user needs in a
naive manner. The initial wording of U1 on p. 9 was sufficiently confusing
to require a question (Q42), after which the wording of the user need was
amended to its final form as shown in section 2.3.5. Later we discovered
that this wording still contains some ambiguities, but it suffices to provide
us with a first formula in PVS.
We start with the formal definition of U1. It states that the illumination in
a room has to be safe under certain circumstances, namely if the default has
been established and as long as nothing has been chosen by the user. We
interpret this as meaning that when the default is established, the user’s
choice is “forgotten”, so that nothing else is desired. As long as the user
makes no choice about the light scene, for example by manipulating the
controls for the chosen light scene or toggling the lights, the safe lighting
must persist.
The default light scene is established under conditions set out in U4.
Hence we formalize those conditions first. To formalize the notion of reoc-
cupation, as mentioned in U4, first a few predicates that abbreviate state-
ments about intervals.
occupied_until(t:Time) : bool =
EXISTS (t0:Time | t0 < t ) :
FORALL (t1:Time | t0 <= t1 AND t1 < t) : occupied?(t1)
unoccupied_period(t0,t : Time) : bool =
FORALL (t1:Time | t0 <= t1 AND t1 < t) : NOT occupied?(t1)
A room is reoccupied at time t only if the room becomes occupied at t, it
was occupied until some moment t0 in the past, and unoccupied between t0
and t.
2.3.6 First Attempt at Formalization 29
reoccupation_period(t0:Time,t:Time | t0 < t) : bool =
occupied_until(t0) AND unoccupied_period(t0,t) AND occupied?(t)
With this notion of reoccupied we can define notions reoccupied_withinT1
and reoccupied_longer_thanT1 which state that the previous occupation was
at most, respectively more than, T1 time ago.
reoccupied_withinT1(t) : bool =
EXISTS t0 : reoccupation_period(t0,t) AND t - t0 <= T1(t0)
reoccupied_longer_thanT1(t) : bool =
EXISTS t0 : reoccupation_period(t0,t) AND t - t0 > T1(t0)
To increase the confidence in the definitions, we have proved that the
last two notions are disjoint.
disjoint_reoccupation : LEMMA
NOT (reoccupied_withinT1(t) AND reoccupied_longer_thanT1(t))
When the default has been established, which can now be formalized
with the primitives above, we maintain safe illumination as long as nothing
has been chosen by the user. To formalize the last clause, we define a func-
tion userInputs that provides at each time an observation of the three inputs
with which the user can explicitly choose a scene, namely the push buttons
and chosen_scene. This definition just clumps together the three inputs; its
primary importance is in abbreviating other definitions.
userInputs(t:Time) : [ bool,bool,LightScene ] =
( pushbutton1(t), pushbutton2(t), chosen_scene(t) )
Any change in these inputs indicates that the user has taken action to
choose a specific scene. Changing the default scene parameters is not con-
sidered to be an action indicating explicit choice.
no_input_change(t1:Time,t2 : Time | t1<=t2) : bool =
FORALL (t | t1 <= t AND t < t2) : userInputs(t)=userInputs(t1)
Formula safe_illumination is a straightforward translation of “safe illu-
mination” as stated on p. 13 and used in U1.
safe_illumination(l:roomObservables) : bool = l‘light>14
30 2.3 Top-Level Formalization
After all these preparations we now present our first attempt to formal-
ize U1. The parameter roomlight is the output characteristic for the room
(i.e. the function mapping time to the observables in the room).
U1try(roomlight) : bool =
FORALL (t:Time) :
( occupied?(t) AND
(EXISTS (t1:Time | t1<=t) :
reoccupied_longer_thanT1(t1) AND no_input_change(t1,t))
)
IMPLIES safe_illumination(roomlight(t))
While producing this formalization we realized that the specification U4
does not mention the situation when the room is entered the first time,
i.e. when there was no previous occupation period. It seems reasonable
to have also safe illumination then. Hence we weaken the condition in U1
by removing the reoccupation and reformulating the condition as “if the
room is left unoccupied for T1 time, then the default light scene has to be
established.” This modified condition has been formalized in a convenient
predicate called enforce_safety.
enforce_safety(t:Time) : bool =
EXISTS (t0, t1: Time) : t0 + T1(t0) < t1 AND t1 <= t AND
unoccupied_period(t0,t1) AND no_input_change(t1,t)
Predicate enforce_safety applies to a room if it was unoccupied for a
T1 period of time — which is sufficient to require the default scene and
safety as well — and the user subsequently made no explicit choice about
the scene. Hence we reformulate U1 as follows:
U1(roomlight) : bool = FORALL t : occupied?(t) AND
enforce_safety(t)
IMPLIES safe_illumination(roomlight(t))
Since our previous condition in U1try implies enforce_safety, it is easy to
prove that this U1 implies U1try. Oddly, the first time that someone enters
the room — near the beginning of Time — T1 might be greater than the
amount of time that has passed at all. This means that enforce_safety still
might not hold the first time someone enters the room. We do not consider
this a problem.
Compared to all the steps taken for formalizing U1, the formalization of
U2 is very straightforward.
2.3.7 Analysis of Remaining Informal Requirements 31
U2(roomlight) : bool = FORALL t : occupied?(t)
IMPLIES roomlight(t)=chosen_scene(t)
These two simple requirements, both derived intuitively from the infor-
mal requirements, already lead to the discovery of the first inconsistencies.
This is demonstrated in section 2.4.
Considering the informal formulation of U1 through U4 (see section 2.3.5),
it is important to mention that we have chosen a meaning for “maintains”
and “established” as follows:
Maintain: To maintain a light scene, the light scene is estab-
lished at all moments within the interval over which the scene is
maintained.
Establish: To establish a light scene in a room, the selected
light groups (as indicated by the option of the light scene) must
be used to produce illumination of the room such that the to-
tal amount of illumination is equal to the light scene’s value for
desired illumination.
Since we already formalized the notion of reoccupation, U3 and U4 can
be formulated easily:
U3(roomlight) : bool = FORALL t : reoccupied_withinT1(t)
IMPLIES roomlight(t)=chosen_scene(t)
U4(roomlight) : bool = FORALL t : reoccupied_longer_thanT1(t)
IMPLIES roomlight(t)=default_scene(t)
2.3.7 Analysis of Remaining Informal Requirements
Above we have considered user needs U1–U4 and U9 (to determine the
input). We examine the user needs U5–U8 in short, to convince ourselves
that they have been sufficiently addressed and that we have not missed any
important part of the informal specification.
U5: For each room, the chosen light scene can be set using the
room control panel.
U6: For each room, the default light scene can be set by using
the room control panel.
32 2.3 Top-Level Formalization
Requirements U5 and U6 are reflected in the inputs to the system, al-
though we do not model how or where the user can make such a change.
This does not need to be formalized. They are also restated in U9.
U7: For each room, the value T1 can be set by using the room
control panel.
Allowing the user to change T1 makes it an input to the system instead
of some constant (as we did in a preliminary attempt, not shown here).
This time-dependent input makes it somewhat more complicated to find out
when a room is reoccupied after T1 time since we do not know which value
of T1 to use (it can change after all). In our definition of enforce_safety we
chose to use the value of T1 at the beginning of a period of unoccupation as
the duration required to enforce safety, as opposed to the value of T1 at the
moment of reoccupation. If T1 cannot change while the room is unoccupied
this distinction is not important.
U8: If any outdoor light sensor or the motion detector of a room
does not work correctly, the user of this room has to be informed.
Since we are not concerned with sensors at this level of abstraction, and
certainly not with defective sensors, we leave this requirement out.
Then there is U9 which re-states things we already know:
U9: The room control panel for an office should contain at least:
a possibility to set each ceiling light group; a possibility to set
the chosen and the default light scene; and a possibility to set
T1.
Finally, we list a number of detailed observations or choices that have
been made about the current formalization.
• The default scene is a separate scene that can be set by the user to
whatever he or she desires. This is superficially different from the be-
havior required by the answer to question Q27, where a single default
scene is defined by the facility manager . However, for the purpose of
our formalization who changes the scene is not important, just that it
does change. In addition, the answer to Q27 seems strangely at odds
with U9.
2.4 Analysis of the Requirements 33
• Although initially we were pleased at the prospect of restricting the
number of possible light scenes to three as allowed by Q40, this proved
to be unnecessary and we allow the user to set both the option and the
desired light level to whatever values he or she wishes.
• The “reoccupied” clauses in U3 and U4 mention “within T1” and “after
more than T1”, respectively. This is interpreted to mean “≤ T1” and
“> T1”, respectively.
• In an earlier attempt we modeled that inputs to the system — related
to a single room— do not change when the room is unoccupied, i.e. the
user cannot change the settings for a room unless the user is in that
specific room. This was not actually used and has been removed from
the specification presented here.
2.4 Analysis of the Requirements
While analyzing the formal specification of the user needs we identified
three conflicts. The conflicts between different user needs are described
in section 2.4.1. An improved formalization that avoids these conflicts is
presented in section 2.4.2.
2.4.1 Conflicts
The formalization as presented in section 2.3.6 has a number of conflicting
requirements within the specification itself. A conflict arises when there is
a situation in which several user needs impose incompatible requirements
on the desired light in the room. The following fact illustrates a conflict with
U1 and U2.
U1U2conflict : FACT U1(roomlight) AND U2(roomlight) AND
occupied?(t) AND enforce_safety(t)
IMPLIES chosen_scene(t)‘light>14
When the room is occupied and safety is enforced then both U1 and U2
apply and the chosen scene must realize an ambient light level that is safe
(i.e. greater than 14 Lux). This imposes a restriction on the scenes that can
be chosen by the user: the user may only choose safe scenes. A similar
conflict exists between U1 and U4:
34 2.4 Analysis of the Requirements
U1U4conflict : FACT U1(roomlight) AND U4(roomlight) AND
occupied?(t) AND enforce_safety(t) AND
reoccupied_longer_thanT1(t)
IMPLIES default_scene(t)‘light>14
This implies that the default scene should be safe, although this is not stated
by any of the other informal requirements. Since we allow arbitrary user
inputs (including an arbitrary default scene), this could lead to a contradic-
tion.
Another kind of conflict is embodied in the relationship between U2 and
U4. U2 unconditionally states that the chosen scene must be maintained;
U4 conditionally states that the default scene is to be established. Since we
have assumed that “to maintain” implies “to establish,” this is a problem
unless the default and the chosen scenes are equal.
U2U4conflict : FACT U2(roomlight) AND U4(roomlight) AND
reoccupied_longer_thanT1(t)
IMPLIES chosen_scene(t)=default_scene(t)
2.4.2 Second Formalization, Avoiding Conflicts
In the previous section we have identified three conflicts between the user
needs; between U1 and U2, U1 and U4 and U2 and U4. We improve our
previous formalization by resolving these conflicts, assuming the informal
document intended some implicit priority between user needs.
Concerning the U1 - U2 conflict, we assume U1 has priority over U2.
Safety is paramount.
Note that this choice depends to some extent on our choice of meanings
for “establish” and “maintain” and our resolution of the conflict between
U2 and U4, below. As such, other solutions are possible, and it should be
noted that the answer to question Q50 (which falls outside of the set of
the questions we consider) states that “light scenes always have priority
over safety”. That particular answer makes safety irrelevant, since there
is always a scene (either default or chosen) established when the room is
occupied.
Since we give priority to U1, U1 is not changed and U2 is reformulated
so that it is complementary to U1. This is done by requiring that U2 only
2.5 Refinement using Dimmable Lights 35
specifies the light in the room if safety is not enforced. This ensures that
when the room is reoccupied that a safe light scene is established, but that
the user can subsequently explicitly make the light scene unsafe.
U2(roomlight) : bool = FORALL t : occupied?(t) AND
NOT enforce_safety(t)
IMPLIES roomlight(t)=chosen_scene(t)
We found no conflict with U3 and leave it unchanged. Concerning U4,
we have already solved the conflict between U2 and U4, because with the
new formulation of U2 we can prove:
reocc_enforce : LEMMA reoccupied_longer_thanT1(t)
IMPLIES enforce_safety(t)
To solve the conflict between U1 and U4, we apply function makeSafe to
make a given light scene safe (i.e. ensure that the light level is at least 14
Lux). When the room has been unoccupied for at least T1 time, and then
reoccupied, the default light scene is made safe (and established, though
U2).
makeSafe(l:LightScene) : LightScene =
IF safe_illumination(l) THEN l
ELSE (# light:=15, option:=l‘option #) ENDIF
U4(roomlight) : bool = FORALL t : reoccupied_longer_thanT1(t)
IMPLIES roomlight(t)=makeSafe(default_scene(t))
Having resolved the conflicts in the informal requirements, we now for-
mulate the specification of the system as a whole, which is a simple con-
junction of the individual requirements. Using this statement we can define
an instance as described in section 2.2.
allNeeds(roomlight) : bool = U1(roomlight) AND U2(roomlight) AND
U3(roomlight) AND U4(roomlight)
2.5 Refinement using Dimmable Lights
As a first step towards a realization of the abstract specification of the pre-
vious section, we perform a refinement in terms of dimmable lights (which
36 2.5 Refinement using Dimmable Lights
are partly specified in the Light-Control case study document) and a control
system which controls these lights.
As noted in section 2.3.6 on page 31 we have assumed that the meaning
of “establish” relates the desired scene to some kind of operations on the
lights in the room. These operations must now be applied to the dimmable
lights of this refinement. The dimmer-actuators on the dimmable lights in
the ceiling-light groups are to be set such that the settings of the light real-
ize the desired light scene. We will state assumptions about the relationship
between the dimmers and the amount of light produced.
Refining the specification in terms of a control system and dimmable
lights requires specifications of each of these parts, as well as how they
work together. Section 2.5.1 defines the characteristics of a dimmable light
in isolation. In section 2.5.3 we model a component that formalizes our
assumptions about the combined effect of the two dimmable lights in a room
on the observed room light. Section 2.5.4 defines the behavior of the control
system for each room. These components are composed in section 2.5.5 to
obtain an undelayed implementation. Then in section 2.5.6 we demonstrate
that this implementation satisfies our formalized user needs.
2.5.1 Formalizing the Dimmable Light
For the formalization of the dimmable light we used the text and the figure
on pp. 7–8 of the informal specification. Section 2.10 mentions:
Inputs to a dimmable light are created by a pulse to toggle the
light, by a dimmer to set the current dim value, and by control
system active to show the status of the control system. If this
signal is not sent every 60 seconds, the dimmable light switches
to fail safe mode, i.e. dim value is assumed to be 100%. Outputs
of a dimmable light are generated by a status line to show the
current state (on or off) of the light.
One purely textual problem can be identified immediately. On p. 7, the
range for a dimmer (which is an input to the dimmable light) is defined as
0–100% while the description of the range mentions only the values 0% and
10-100%. We have assumed that the values 1-9% are also permitted, and
that they also produce light. Another textual problem is that the expression
“dimmer value of 100%” is ambiguous: does it mean that the light is entirely
2.5.1 Formalizing the Dimmable Light 37
dimmed (producing no light at all) or that the light is entirely on (producing
the maximum amount of light)? Given the use of the expression in fail-safe
mode (dimmer value 100%) we use the latter interpretation: at dimmer level
0%, no light is produced, and at dimmer level 100%, the light is fully on.
The amount of light the lights themselves can produce is never stated
in the informal specification. We have no way of knowing how much light a
dimmable light produces. We assume that a dimmable light produces light
proportional to its dimmer setting when the light is on, and that a dimmable
light can produce anywhere from 0 Lux (off) to 10000 Lux (fully on, dimmer
set to 100%).
A final simplification is rather pragmatic: we have chosen to drop the
pulse and the push button from the light itself. The informal text states:
p. 5 If the ceiling light group is completely on, it will be switched
off; otherwise it will be switched on completely.
p. 6 If the hallway section light group is on, then it will be switch-
ed off; otherwise it will be switched on.
p. 8 Inputs to a dimmable light are created by a pulse to toggle
the light.
One reason for deleting these two inputs from the dimmable light is that
they duplicate functionality already achieved by the dimmer (a value of 0%
is the same as off). Another is that of ambiguity: the effect of the push
button appears to vary depending on what kind of room the light is placed
in, which makes it unappealing to model it in a generic dimmable light.
The dimmable light is specified in our standard PVS style, as described in
section 2.2. First we define in theory LightTypes the types for the input. The
input of the control system active (CSA) input line has type ZO which stands
for “Zero One”, an enumeration type that is different from the booleans.
ZO : NONEMPTY_TYPE = { zero, one }
DimmerValue : NONEMPTY_TYPE = { n:real | n>=0 AND n<=100 }
dimmer_on?(d:DimmerValue) : bool = d>0
The theory about dimmable lights is parameterized by functions that give
the input values for the light in the course of time.
38 2.5 Refinement using Dimmable Lights
lig
ht
 O
bs
er
va
bl
es
nation
status
illumi
csa
value
dimmer
Dimmable
Light
Figure 2.4: Inputs and Outputs of a Dimmable light.
DimmableLight [ (IMPORTING TimePrim,LightTypes)
control_system_active : [Time->ZO],
dimmer_value : [Time->DimmerValue] ] : THEORY
Next, as the output of the dimmable light, we define types for the charac-
teristics of lights. Recall that Lux has already been defined in section 2.3.2.
lightObservables : NONEMPTY_TYPE =
[# status : bool, illumination : Lux #]
lightCharacteristics : NONEMPTY_TYPE = [Time->lightObservables]
Typechecking these definitions leads to a Type Check Condition (TCC)
which requires us to prove that the type lightObservables should be non-
empty. The proof is trivial, for instance the record value
[# status:=true, illumination:=15 #]
is an element of that type. Figure 2.4 depicts the input and output of a
dimmable light.
2.5.2 Specification of the Dimmable Light
We now turn to the second step in our formalization approach, where we
write down the specification of the behavior of the dimmable light in order
to constrain the output characteristics, based on the inputs to the light.
First we formalize the fail-safe mode of the light, as mentioned on p. 8:
2.5.2 Specification of the Dimmable Light 39
If this (i.e. the control-system-active) signal is not sent every 60
seconds, the dimmable light switches to fail-safe mode, i.e. dim
value is assumed to be 100%.
Here “sent” means “received as input by the light.” A non-trivial formaliza-
tion of this condition is given by first rephrasing the informal specification:
if the control system is not alive anymore, the dimmable light switches to
fail-safe mode. The control system is considered alive if it has sent a control-
system-active signal to this light in the past 60 seconds. Formally,
alive?(t) : bool = EXISTS t0 : t - sec(60) <= t0 AND t0 <= t AND
control_system_active(t0) = one
We require a period of at least 60 seconds before switching to fail-safe
mode. The function failsafe_dimmer uses alive? and the value of the dim-
mer input to define the actual dimmer value of the light:
failsafe_dimmer(t) : DimmerValue =
IF (alive?(t)) THEN dimmer_value(t) ELSE 100 ENDIF
Next we formalize the light production of a dimmable light: we assume
it is proportional to the dimmer value according to the formula set out pre-
viously in section 2.5.1 on page 37.
lightProduction(d:DimmerValue) : Lux = 100 * d
The functions defined above are used to define the predicate that char-
acterizes the output of the dimmable light.
lc : VAR lightCharacteristics
DimLight_predicate (lc) : bool = FORALL t :
LET fd=failsafe_dimmer(t) IN
status(lc(t)) = dimmer_on?(fd) AND
illumination(lc(t)) = lightProduction(fd)
Next we define an instance satisfying this constraint, as described in
our general approach in section 2.2.3 on page 21. Recall that the PVS ex-
pression (DimLight_predicate) denotes the set of light characteristics that
satisfy that predicate. Since we declare an instance satisfying the predi-
cate, typechecking leads to a TCC to show that the type is not empty. Here
it is easy to construct an element thelc and show that it has the desired
properties.
40 2.5 Refinement using Dimmable Lights
instance : (DimLight_predicate)
thelc : lightCharacteristics = LAMBDA t :
LET fd = failsafe_dimmer(t) IN
(# status := dimmer_on?(fd),
illumination := lightProduction(fd) #)
2.5.3 Combining Lights
Since a room has two dimmable lights we must set both dimmers based
on the desired light scene in one single room; this requires a number of
assumptions about the behavior of light. Here we assume that the light
production of the two lights in a room is summed to find the total light in
a room. The two lights contribute equally to the light in a room when both
are on.
For each light we can discover whether the light is a wall or a window
light using the enumeration type LightIds, as defined in theory LightTypes.
LightIds : TYPE = { window, wall }
Figure 2.5 shows input and output of a component that formalizes our
assumption about the combined light production. This is reflected in the
corresponding PVS theory as follows.
CombineLight[ (IMPORTING TimePrim,LightTypes)
dimlight : [LightIds->lightCharacteristics]
] : THEORY
BEGIN
roomlight : VAR roomCharacteristics
The following predicate characterizes the total amount of light (as the
sum of the illumination of both dimmers) and the option (i.e. window, wall,
or both) using the status of each of the lights.
CombineLight_predicate(roomlight) : bool = FORALL t :
LET windowlight = dimlight(window)(t),
walllight = dimlight(wall)(t)
IN
light(roomlight(t)) =
windowlight‘illumination + walllight‘illumination AND
option(roomlight(t)) =
2.5.4 The Control System 41
nation
wa
ll
status
illumi
nation
Combine
Lights
light
option
ro
om
 O
bs
er
va
bl
es
wi
nd
ow
status
illumi
Figure 2.5: Inputs and Outputs of a Combine Lights Component.
IF windowlight‘status AND NOT walllight‘status
THEN window
ELSIF NOT windowlight‘status AND walllight‘status
THEN wall
ELSE both ENDIF
As usual, we define an instance of the room characteristics satisfying this
predicate. Also here it is straightforward to prove the generated TCC.
2.5.4 The Control System
The control system should calculate dimmer values based on the desired
light scene (which may be the default scene or the chosen scene, depend-
ing on U3 and U4). It must also provide the other input signals to the two
dimmable lights – in our case only the control-system-active (CSA) signal,
since we have abstracted away the other inputs. Given the specifications of
the dimmable lights and the combination of the lights, the aim is to spec-
ify a control system such that the implementation depicted in figure 2.6 is
actually a refinement of the user needs. As can be seen in the figure, PVS
theory Control has the same parameters as theory UserNeeds.
42 2.5 Refinement using Dimmable Lights
ro
om
 O
bs
er
va
bl
es
scene
default
scene
(window)
(window)
Dimmable
Light
Light
Dimmable
illumi
Control Combine
Lights
light
option
occupied?
T1
push
button1
push
button2
User Needs
(wall)
csa
dimmer
value
(wall)
dimmer
value
csa
nation
status
status
illumi
nation
chosen
Figure 2.6: Undelayed Refinement of User Needs
We start with the definition of the output type, ControlOutput, which pro-
vides the input for each light. Additionally we define a few useful variables.
ControlOutput : TYPE =
[# control_system_active : [LightIds->[Time->ZO]],
dimmerval : [LightIds->[Time->DimmerValue]]
#]
co : VAR ControlOutput
li : VAR LightIds
ls : VAR LightScene
csa : VAR [LightIds->[Time->ZO]]
dimval : VAR [LightIds->[Time->DimmerValue] ]
Next we define the CSA (Control System Active) signal that our system
produces. A real system would assert the signal at certain moments in its
control loop as an indication that processing proceeds normally and not
assert the signal otherwise. Since we are not dealing with failures here, we
simply specify that the CSA-signal is continuously one:
csa_predicate(csa) : bool = FORALL li, t : csa(li)(t) = one
2.5.5 Composition of the Undelayed Implementation 43
Next we specify the contribution of dimmer li in the realization of a cer-
tain light scene ls. Recall that we assumed that the amount of Lux produced
by a single dimmer equals 100 times the dimmer value (see the definition of
lightProduction in theory DimmableLight):
dimmer_part(li,ls) : DimmerValue =
CASES ls‘option OF
both : ls‘light/200,
window : CASES li OF
window : ls‘light/100,
wall : 0
ENDCASES,
wall : CASES li OF
window : 0,
wall : ls‘light/100
ENDCASES
ENDCASES
This matches the kind of light – wall or window – with the desired light
scene, and determines the dimmer setting accordingly. Next the dimmer
value for each dimmable light is defined by predicate dimval_predicate. It
basically applies function dimmer_part to a particular light scene which de-
pends on whether safety is enforced or not.
dimval_predicate(dimval) : bool = FORALL li, t :
dimval(li)(t) =
IF enforce_safety(t)
THEN dimmer_part(li,makeSafe(default_scene(t)))
ELSE dimmer_part(li,chosen_scene(t)) ENDIF
Combining the predicates on the output, we can now easily define a par-
ticular instance of the control component. Again the TCC is easy to prove.
instance : { co | csa_predicate(control_system_active(co)) AND
dimval_predicate(dimmerval(co)) }
2.5.5 Composition of the Undelayed Implementation
In theory UndelayedImpl we compose the components defined above, accord-
ing to figure 2.6. As the figure shows, the theory has the same input param-
eters as the theories UserNeeds and Control.
44 2.5 Refinement using Dimmable Lights
Mainly following the pattern described in section 2.2.3, we import the
relevant theories by giving them a name and use typical instances of the
output as input to other theories.
control : THEORY = Control[occupied?,chosen_scene,default_scene,
pushbutton1,pushbutton2,T1]
windowdimmer : THEORY =
DimmableLight[control_system_active(control.instance)(window),
dimmerval(control.instance)(window)]
walldimmer : THEORY =
DimmableLight[control_system_active(control.instance)(wall),
dimmerval(control.instance)(wall)]
dimlight : [LightIds->lightCharacteristics] = LAMBDA li :
CASES li OF
window : windowdimmer.instance,
wall : walldimmer.instance
ENDCASES
combinedlight : THEORY = CombineLight[dimlight]
instance : roomCharacteristics = combinedlight.instance
2.5.6 Proving Undelayed Refinement
In theory UndelayedRef we prove the undelayed refinement. It has the same
parameters as UserNeeds and UndelayedImpl, and imports these two theories
as follows.
IMPORTING UserNeeds[occupied?,chosen_scene,default_scene,
pushbutton1,pushbutton2,T1]
undelimpl : THEORY =
UndelayedImpl[occupied?,chosen_scene,default_scene,
pushbutton1,pushbutton2,T1]
Now the aim is to prove theorem undelayed_refinement which states that our
implementation (with undelayed dimmable lights and the control system)
satisfies the requirements:
undelayed_refinement : THEOREM
2.5.6 Proving Undelayed Refinement 45
UserNeeds.allNeeds(undelimpl.instance)
Our proof consists of several lemmas that state the refinement for each
of the user needs. We start with the proof for U1:
refineU1 : LEMMA UserNeeds.U1(undelimpl.instance)
In the interactive proof of this lemma with the PVS proof checker, we first list
all available information by introducing the types of the instances and ex-
panding the definitions of all predicates. Next there is a rather mechanical
instantiation with the current time point, a further unfolding of definitions
and simple rewriting.
The next user need, U2, which states that the chosen light scene is
maintained while the room is occupied, turned out to be more difficult to
handle. If a light scene requires absolute darkness (0 Lux) then both dim-
mers are set to zero. In the definition of CombineLight_predicate in theory
CombineLight we have chosen to identify the situation where both dimmers
are set to zero with a light scene option of both. Only during the proof of
U2, however, we realized that the chosen light scene can associate any op-
tion with a desired illumination of zero. Intuitively we cannot distinguish
between darkness realized with one light or two lights. Of course, we could
make our definition of CombineLight_predicate less prescriptive, but for sim-
plicity we axiomatically1 declare here that all dark scenes have option both.
LightScenesZero : AXIOM
ls‘light = 0 IMPLIES ls‘option = both
A straightforward consequence of this axiom is the following FACT.
LightScenesProp1 : FACT
ls‘option = wall OR ls‘option = window IMPLIES ls‘light > 0
Using this fact, we can prove that the refined system satisfies U2.
refineU2 : LEMMA UserNeeds.U2(undelimpl.instance)
1In retrospect this is a fantastically bad idea, and I spent later years railing against AXIOMs
in any PVS code; this axiom introduces unsoundness in the system because clearly (0,wall)
is a light scene and the AXIOM states that wall=both. A safe way to repair this without
interfering with the definition of combining lights is to restrict the type of light scenes with a
type predicate.
I have left the original statement in this thesis as an illustration of something that seems like
a good idea, and really isn’t.
46 2.6 Introducing Delays
While trying to prove that the refined system fulfills our formalization
of U3, we discovered that the following situation leads to a conflict. Sup-
pose a user enters a room, sets some chosen scene, and leaves. After more
than T1 time has passed, the user returns and does not explicitly request
a scene. Because of U4, the default scene is established. After some time,
the user leaves and returns quickly in less than T1 time. U3 states that the
chosen scene should be reestablished, even though the default scene was
established in the meantime. We choose to give U4 priority over U3 in this
case; if a room has been empty for a long time, and a user walks in, out and
in again without changing any of the settings, the room should still have the
default safe lighting. This caused us to add a clause NOT enforce_safety to
the definition of U3:
U3new(roomlight) : bool = FORALL t : reoccupied_withinT1(t) AND
NOT enforce_safety(t)
IMPLIES roomlight(t)=chosen_scene(t)
But now we observe that U2 implies this new U3 (in fact, this was already
the case with our first formalization in section 2.3.6).
U2impliesU3new : LEMMA U2(roomlight) IMPLIES U3new(roomlight)
Hence we remove U3 from the user needs, leading to the following defini-
tion:
allNeeds(roomlight) : bool = U1(roomlight) AND U2(roomlight) AND
U4(roomlight)
The proof that the refined system fulfills U4 is straightforward. A trivial
combination of the lemmas for U1, U2, and U4 leads to a proof of the final
theorem.
undelayed_refinement : THEOREM
UserNeeds.allNeeds(undelimpl.instance)
The proof of this theorem — including all of its lemmas such as refineU1
listed above — took us about 150 interactive steps in PVS.
2.6 Introducing Delays
Thus far, only the timing mentioned explicitly in the requirements — the
time it takes for the default scene to be established, and the time users
2.6.1 A Dimmable Light with Response Time 47
are away from the room — have been taken into account in our framework.
In the implementation of section 2.5 the control component calculates dim-
mer values instantaneously. Moreover, the dimmable lights react instanta-
neously to the dimmer value and produce an amount of light proportional to
the dimmer value. This is not very realistic, since computation is not really
instantaneous and the lights have a well defined response time (p. 7 of the
informal specification). Hence it seems important to model these internal
delays properly.
As an example, our next formalization takes one of these delays explic-
itly into account; in section 2.6.1 we add a delay to the dimmable lights.
In section 2.6.2 we show that this does not lead to a classical refinement.
Still, we establish a formal relation with the undelayed implementation by
defining a kind of delay-refinement in section 2.6.2.
2.6.1 A Dimmable Light with Response Time
The informal specification suggests that changing the dimmer value from
x to y causes the light to change gradually from producing light propor-
tional to x to producing light proportional to y. It also suggests that the
time needed to change is proportional to the difference between x and y. To
simplify, we assume that the light changes instantaneously from producing
light proportional to x to producing light proportional to y at some moment
constrained by the maximal delay of dimdelay miliseconds (we use the sym-
bolic constant dimdelay; the informal specification mentions a response time
of 10ms). Figure 2.7 shows an example course of values for the dimmer
value, a realistic physical light with the response time and gradual change
described here and the course of values for our delayed light which changes
instantaneously within the response time.
We model a delayed dimmable light by re-using the specification of an
undelayed light and applying a delay function to its output. Given a certain
delay d, a function f on the time domain is called a delay function if it
shifts time monotonically by at most d time units. Events happening at time
t − d will be observed by time t at the latest and the ordering of events is
preserved. First we express monotonicity: the “delayed time” may never
decrease.
monotonic?(f) : bool = FORALL t1, t2 : t1 < t2 => f(t1)< f(t2)
48 2.6 Introducing Delays
Max. response time
y
x
Realistic
Light
t1 t3t2 t5
y
xLight
Delayed
t4
y
x
Dimmer 
Value
Figure 2.7: Sample light production and dimmer values for a realistic phys-
ical light and our model which only takes delays into account.
Next we define that function f is a delay function if it shifts time at most d
back. We shift time back since the function will be applied to the domain
of a characteristic of the system (i.e. a function from the time domain to
observables). That is, the new (delayed) output is determined from the orig-
inal output at a previous time point, at most d time units back. Additionally,
we require that f is surjective and monotonically increasing.
delayFunction?(d)(f) : bool = surjective?(f) AND monotonic?(f) AND
FORALL t : t-d < f(t) AND f(t) <= t
To increase our confidence in the definition we proved a few properties
about it. The function id is the identity function; not delaying at all should
certainly be admissible as “delaying less than d.”
dF_injective : THEOREM monotonic?(f) IMPLIES injective?(f)
dF_bijective : THEOREM delayFunction?(d)(f) IMPLIES bijective?(f)
dF_accepts_longer_delays : THEOREM delayFunction?(d)(f) AND d0>=d
IMPLIES delayFunction?(d0)(f)
dF_id : LEMMA delayFunction?(d)(id)
2.6.1 A Dimmable Light with Response Time 49
xTime
y=x
y=x−d
Delayed time
0
0
y
Figure 2.8: Delay functions. For a given d, delay functions with delay d are
monotonic surjective continuous functions bounded by y = x and y = x− d.
These delay functions occupy a narrow strip of the plane. Figure 2.8
illustrates that as time marches inexorably on along the y = x line a delay
function may wobble unsteadily along between the lines y = x and y = x−d.
A delay function may never get ahead of time itself, nor drop behind by more
than d.
Next we define a delayed implementation of the user needs. This pro-
ceeds in two steps: first we need a delay function.
dimdelay : nzTimeDuration
delayf : (delayFunction?(dimdelay))
The delayed implementation is defined by simply applying the chosen
delay function to the time domain of the output of each dimmer and using
that as input for the combined light component.
dwindowdimmer_instance : lightCharacteristics =
(windowdimmer.instance) o delayf
dwalldimmer_instance : lightCharacteristics =
(walldimmer.instance) o delayf
ddimlight : [LightIds->lightCharacteristics] = LAMBDA li :
CASES li OF
window : dwindowdimmer_instance,
wall : dwalldimmer_instance
ENDCASES
50 2.6 Introducing Delays
dcombinedlight : THEORY = CombineLight[ddimlight]
instance : roomCharacteristics = dcombinedlight.instance
Observe that we have applied the same delays to both failsafe dimmers
in the system. In section 2.7, we discuss the problems that occur if the
delays are not the same.
2.6.2 Delay-Refinement
Although these delayed dimmable lights represent a more realistic imple-
mentation, for any non-zero delay the delayed implementation no longer
satisfies the specification allNeeds. For instance, we cannot guarantee that
the chosen scene will be established immediately, as required by our for-
malization of U2. Hence, also the delayed implementation is not a classical
refinement (in the sense of behavior inclusion) of the undelayed one.
For a relatively small dimmer delay (500ms for instance), we still think
that the delayed implementation is a reasonable approximation of the un-
delayed one. The aim of this section is to express this more formally, by
establishing some kind of approximation relation between the two.
To define a general delay-refinement relation, assume given an arbitrary
range R and two functions, concr and abstr from the time domain to R.
The relation concr « abstr, denoting that concr is a delay-refinement of
abstr, expresses that there exists a delay d such that any abstract value
equals a concrete value at a point at most d time units later.
concr, abstr : VAR [Time->R]
<<(concr,abstr) : bool = EXISTS d :
(FORALL t : (EXISTS t1 : t <= t1 AND t1 < t+d AND
abstr(t) = concr(t1)));
Using roomObservables instead of the range R. we show that the delayed
implementation is indeed related to the undelayed one by <<.
delayed_ref : THEOREM
DelayedImpl.instance << UndelayedImpl.instance
Observe, however, that the relation << is rather weak and allows for
instance a reordering of the output values. Such reorderings are avoided
2.7 Concluding Remarks 51
by the delay functions we introduced before, so we define a second delay-
refinement which preserves the order. This leads to the delay-refinement
relation <= which is shown to be stronger than <<.
<= (concr,abstr) : bool =
EXISTS d, (f : (delayFunction?(d))) : abstr o f = concr;
ref_rel : LEMMA (concr <= abstr) IMPLIES (concr << abstr)
As expected, in the Light-Control case study it is easy to prove that the
delayed implementation is a delay refinement according to the definition
above.
delayed_refinement : THEOREM
DelayedImpl.instance <= UndelayedImpl.instance
2.7 Concluding Remarks
We have formalized the user needs of the Light-Control case study in the
specification language of the interactive theorem prover PVS. First, this was
done on the level of users of the system, in terms of what they can observe.
Several problems with the informal specification have been detected and
resolved. A few important user needs (U1–U4) already gave rise to a number
of questions.
Using dimmable light actuators, this specification was refined to a more
concrete one. This also demonstrates the consistency of the high-level spec-
ification. Such a formal consistency proof turned out to be very useful be-
cause it revealed an unexpected conflict in the user requirements that had
not been noticed previously. Next we further refined the specification, in-
troducing an explicit delay in the dimmable light. Observing that this does
not lead to a classical refinement, we introduced a new notion of delay-
refinement and used it to relate the specification with delays to the one
without. A PVS dump file with all theories and proofs can be found on the
author’s website [25].
2.7.1 Related Work
Related to our work are especially other approaches using PVS. The design-
ers of PVS advocate the use of PVS during the early phases of the design
52 2.7 Concluding Remarks
of computer systems. For example [76] describes the use of strong type
checking, completeness and consistency checking using powerful decision
procedures and model-checking of PVS for requirements engineering. This
has been applied in several industrial applications. For instance, [21] de-
scribes four case studies in which requirements for new flight software sub-
systems on NASA’s Space Shuttle were analyzed. The size of the analyzed
specifications ranges from 20 to 110 pages of informal description. Analysis
included reachability analysis using the state exploration tool Murphi and
theorem proving with PVS. The formalization of the requirements of part of
a command and control system in PVS in a similar style is described in [88].
The refinement with delays described in section 2.6 is related to work by
A. Mok [69], who deals with timing dependencies in implementing real-time
systems.
Note that our work with property-oriented specifications clearly differs
from State Chart-like approaches (with examples in [63, 62, 34]) or other
work on transition systems such as TAME [6] or RSML [35]. In our opinion,
those approaches are too far removed from the kind of informal specification
we have to deal with. In particular we feel that our sentence-by-sentence
translation of the informal specification is easier to validate than a single
huge step to a State Chart-like presentation. A state-transition based for-
malization is of course very valuable in the further development of the for-
mal specification. We believe that the two approaches can co-exist, by doing
smaller, more easily validatable steps as described in the introduction to this
thesis. This provides both easy validation and useful verification. As such
our approach of translating informal specifications into PVS can be seen as a
precursor to the writing of a transition system: our formulas could conceiv-
ably be translated into transition systems or they could be used to validate
traces of a transition system.
2.7.2 Future Work
In future work we shall investigate the representation of the formal require-
ments specification in a notation which is more convenient for domain ex-
perts (e.g. using notations from the UML).
Another interesting topic for future research is the problem of defining
appropriate refinement notions that can be used during our incremental
formalization of the requirements. In the current case study we observed
2.8 Source Material 53
that a convenient development of the specifications, close to the informal
text, need not correspond to classical refinement. In our formalization, the
two instances of a delayed dimmable light have been obtained by applying
the same delay function to an undelayed light. This makes it considerably
easier to find a formal relation between the undelayed and the delayed im-
plementation.
Suppose, however, that the delays are different — say, one light has a
constant delay of 1 second and the other light has a constant delay of 2
seconds. This is reasonable because each individual light will have some in-
dividual physical characteristics that cause the delays associated with each
light to be different. Suppose the dimmer of each light is set to 0%, remain-
ing 0 until time t1 when it is set to 100% and remains at 100%. The amount
of light produced by the two lights together is 0 Lux until time t1 + 1s. At
time t1 + 1s the first light begins producing light proportional to a dimmer
setting of 100%, while the other light is still producing light proportional to
a dimmer setting of 0%. This situation lasts until time t1 + 2s. During the
interval [t1+1s, t1+2s] the total amount of light produced is not proportional
to either a dimmer setting of 0% or 100%.
Hence there are situations where not only the timing of the output dif-
fers from the high-level specification, but there are also periods with output
values that are not allowed by this specification. Still, we would like to con-
sider the more detailed implementation as a reasonable approximation. In
future research we intend to investigate the formalization of this intuition.
2.8 Source Material
This section collects the relevant source material from the Light-Control
case study [74] in one place. The text of the case study itself is originally by
Stefan Queins, Gerhard Zimmermann, Martin Becker, Martin Kronenburg,
Christian Peper, Rolf Merz and Jürgen Schäfer of the university of Kaiser-
slautern. Originally published as [74, 61].
2.8.1 Problem Description
In a large office building, the lighting is controlled by an automatic system.
In each office, there are two lights — one near the internal wall, one near
54 2.8 Source Material
the window. Occupants of the offices can set a desired light scene which
means setting the desired amount of illumination and how to achieve that
illumination using one or the other or both lights. In the interest of conserv-
ing energy, though, the lights automatically switch off if there is nobody in
the room. This is detected by a motion sensor and a door switch. The inter-
play between sensors and actuators (the lights) and the user’s inputs to the
system in the form of desired light scenes is the subject of this case study.
There is some timing involved, related to how long a room must be unoc-
cupied before the lights switch off. When a user returns to an office room,
the previously set light scene must be restored. If a room remains unoccu-
pied for a long period of time, the light scene is set to some default value
(i.e. the user’s personal setting in the office is lost). The requirements on
the timing are what make the Light-Control System interesting.
The requirements for the system are contained mostly in requirements
called U1 through U9; these will be quoted at appropriate places below.
Our formalization is fairly high-level: we abstract from the motion sensor
and door-closed contact and substitute a single “room is occupied” notion.
An additional simplification is the omission of the outside lighting. In the
original problem description, the office lighting scene needs to compensate
for the illumination outdoors. When the sun is out, there is less need for
inside lighting. We might pretend that our office building is in Oulu, Finland,
in December and so conclude that the outside lighting is zero, thus justifying
this simplification.
2.8.2 User Needs
U1: If a person occupies a room, there has to be safe illumination
unless a specific light scene has been chosen or the ceiling light
groups are set manually. This means that when the default scene
is established (i.e. through U4) and the room is occupied, there
must be safe illumination. When the room is occupied and some
light scene has been chosen by the user, the lighting must be set
according to that scene.
U2: As long as the room is occupied, the chosen light scene has
to be maintained.
2.8.2 User Needs 55
U3: If the room is reoccupied within T1 minutes since the last
person has left the room, the chosen light scene has to be re-
established.
U4: If the room is reoccupied after more than T1 minutes since
the last person has left the room, the default light scene has to
be established.
U5: For each room, the chosen light scene can be set using the
room control panel.
U6: For each room, the default light scene can be set by using
the room control panel.
U7: For each room, the value T1 can be set by using the room
control panel.
U8: If any outdoor light sensor or the motion detector of a room
does not work correctly, the user of this room has to be informed.
U9: The room control panel for an office should contain at least:
a possibility to set each ceiling light group; a possibility to set
the chosen and the default light scene; and a possibility to set
T1.
U10: The ceiling light groups should be maintained by the con-
trol system depending on the current light scene.
U11: A room control panel in an office should be movable as is a
telephone.
U12: In all other rooms, the room control panel should be in-
stalled near a door leading to the hallway section.
U13: When a hallway section is occupied by a person, there has
to be safe illumination.
U14: Before a person enters one hallway section from another
one or from a staircase, the hallway section ceiling light group in
the section being entered has to be on.
56 2.8 Source Material
2.8.3 Questions and Answers
The questions which were posed during the case study period were col-
lected on the Light-Control Case Study website [61]. We include a selection
of the questions and answers here, including all of those referred to by the
text.
Q2: The expression “if nothing else is desired by the chosen
light scene” in 9:U1 may give way to some ambiguity. Does U1
mean that in setting an ambient light level any input below 14
lux should be regarded as invalid? Or that any light setting be-
low 14 lux should be ignored, and a minimum light level of 14
lux should be established instead? Also, U1 is formally inconsis-
tent with 9:U5 (a person can turn the lights off while occupying
a room!) and possibly others...
A2: Look at answer of Q36. Each room user may override the
“safe illumination” requirement.
Q27: Who defines a light scene? [9:P24]
A27: All light scenes, besides the default light scene, are defined
by the user. The default light scene is defined by the facility
manager.
Q36: In 9:U1, what is the meaning of “...nothing else is desired
...”? Does this “nothing else” means “no more additional illumi-
nation”?
A36: No, the illumination can also be decreased. The user can
decide to have unsafe illumination in his room.
Q40: On p9:U5, p13:T3(light-scene): For each room is it possible
to define any number of light-scenes, each given a unique name.
User of that room may then select any of these as the “chosen
light scene”?
A40: A limited number of three light scenes is sufficient in this
case. Each has a unique name, given by the user. Any of it can
be selected by the user as the “chosen light scene”.
Q42: Referring to 9:U1, 9:U9, 9:U13 and the answers to Q36
and Q2, I still can’t decide what “nothing else is desired” actu-
ally means. As far as I read U1, it says: If a user occupies a room,
2.8.3 Questions and Answers 57
there must be safe lighting (>14lux) unless the user wants some-
thing else. Q36 specifically states that this “something else” can
be as dark or as light as the user wishes. But this happens only
if there is some chosen light scene (whatever its desired light-
ing characteristics). Naively, I could assume that both the user-
settable light scenes (at least three, Q40) and the default light
scene indicate user wishes about the lighting. In that case, user
wishes will always override the “safe lighting” requirement. Is
that the intended meaning? Or is the default light scene a way
of indicating there is no user wish and should I read U1 as: If
a person occupies a room, there has to be safe lighting unless a
specific light scene has been chosen; this means that when the
default scene is established (i.e. through U4) and the room is oc-
cupied, there must be safe lighting. When the room is occupied
and some light scene has been chosen by the user, the lighting
must be set according to that scene. Hopefully this will finally pin
down U1 exactly, it seems to be one of the most problematical of
all the requirements.
A42: We take over your proposal with some minor changes. So
we get a new version of requirement U1: If a person occupies
a room, there has to be safe illumination unless a specific light
scene has been chosen or the ceiling light groups are set man-
ually. This means that when the default scene is established
(i.e. through U4) and the room is occupied, there must be safe
illumination. When the room is occupied and some light scene
has been chosen by the user, the lighting must be set according
to that scene.
Q50: On p10:NF1 : Even if it causes unsafe lighting?
A50: Yes. Light scenes have always priority over safety.
Q58: On p7:T2 (dimmer): The dimmer has a range of 0–100%,
but only the values 0–9% and 10–100% are explained. What is
the meaning of the values 1–9%?
A58: For 1–9% the dimmer is off, too.
58 2.8 Source Material
Structuring
Automata
wij zijn maar
speelgoedmannetjes //
speelgoedmannetjes en meer
niet, helaas // gewoon maar
speelgoedmannetjes // en we zijn
hier nu de baas – Drs. P
This chapter focuses on automata and how to model them in the PVS
theorem prover. We begin by introducing automata from a modeling
and mathematical point of view, and then formalizing them in PVS.
Since a balance needs to be struck between modeling detail and
model size, we distinguish different levels of structure to include in the
automaton model. We begin with “unstructured” automata, the most
general form which does not exploit any details about the structure of
the automaton. We add locations and other details of the automaton
state, and then proceed to timed automata, where we exploit the struc-
ture of clocks and clock actions as well. Finally, hybrid automata are
introduced.
This chapter uses PVS 3.2
Automata are a simple and natural way of specifying behavior of a wide
variety of systems. Both reactive and non-reactive systems can be specified
in such a way, and it is comparatively straightforward to build a physical
machine corresponding to an automaton specification, provided the specifi-
cation is not too complex. A typical application of specification through the
use of automata is that of CPU design; the behavior of a coffee-vending ma-
chine can be modeled as well, or a steel plant, or social processes. Automata
are everywhere, much like adjoint functors.
There are other ways of specifying behavior, of course: sequence charts,
Live Sequence Charts, English language text, C++ code. We might have
chosen any of those with which to model the systems we are interested in,
59
60 CHAPTER 3. STRUCTURING AUTOMATA
but those tend to be more difficult to represent in a theorem prover and
moreover may be reduced to automata through suitable transformations.
Automata are often considered to denote systems (or descriptions of sys-
tems) that are realizable — an automaton can be built as a machine and sold
in the real world. There are formalisms in which one can describe behavior
that is not physically realizable. Automata described in the formalism of
I/O Automata [67, 65] are not necessarily realizable (e.g. because it allows
unbounded buffers), so the mere name “automaton” should not be taken as
an indicator that a system description can be realized as a machine.
In order to reason formally about the behavior of a system, or about
the behavior of the system represented as an automaton, we must have a
formal representation of that automaton. Manipulating such formal rep-
resentations is a chore and susceptible to subtle errors, so we turn to a
mechanical aid to our reasoning abilities in the form of a theorem prover.
PVS fills this role for us, and we will represent automata in the language of
PVS for the purpose of manipulating them.
Structure of this Chapter
Section 3.1 introduces the automata — labeled transition systems — we are
interested in. These are loosely based on I/O Automata [65], although we
will not necessarily use the standard I/O Automaton notation to write them
down.
Sections 3.2 through 3.5 describe the “flavors” of automata we are in-
terested in: plain, plain with locations, timed and hybrid automata. Where
appropriate, we use Uppaal-style diagrams [60, 59], even when this sug-
gests more structure that we really intend to use. Each section contains a
general description of the kind of automaton; this is followed by a represen-
tation of the same automata in PVS, with a discussion of the main stumbling
blocks in the translation or notable differences between the mathematical
formulation and the PVS version.
Section 3.2 describes the simplest flavor of automaton, the unstructured
automaton (“plain,” above). Sections 3.2.1 and 3.2.2 contain the informal
rigor and PVS treatments of the simplest unstructured automata respec-
tively.
Using additional structure present in the system being described by an
automaton leads to several different flavors of the automaton framework
3.1 Automata 61
in PVS. For instance, automata may naturally be drawn as diagrams with
locations; this adds some additional structure to the way the state of the
automaton may change (e.g. the location part of the state changes only by
following the arrows in the diagram). Adding this to the formalization in
PVS gives us a framework which itself knows about and handles the loca-
tions present in the diagram. Increasing the amount of structure in the
description of the automaton has its price though, since there is more struc-
ture to “drag around” all the time during proofs and other manipulations.
Section 3.3 deals with this variety of automata.
Sometimes time plays an essential role in the behavior, for instance by
specifying that something must not happen too late (airbag-control systems
come to mind). Section 3.4 introduces these timed automata to the reader.
Since timed systems need a model of time, we add time explicitly to our PVS
theories (as opposed to adding it ad-hoc when we need it). This provides
us with some control of the way time is used in proofs, and helps with the
validation of the models.
With time comes hybrid behavior — continuous variables that change
with the passage of time — and we can add this in a structured fashion to
the PVS model as well in section 3.5.
We structure the formalization of the automaton definitions in PVS into
a number of theories: one for basic data structures used by the automata,
one for the definitions used by unstructured automata, one adding loca-
tions to the mix, one for basic definitions of clocks and intervals, one adding
timed behavior to the automaton model, etc. Note that each theory not
only provides theory for the corresponding automaton model, but also pro-
vides a syntax in PVS for denoting such automaton models. For instance,
the automata with locations provide a syntax for denoting locations in an
automaton and the transitions between those locations.
3.1 Automata
An automaton is a kind of (mathematical) description of a system that has
both state and a notion of action, where actions (may) change the state of
the system. The word automaton has Greek and Latin roots and is commonly
used to refer to a mechanism that is relatively self-operating — that is, the
actions are under the control of the automaton itself. In the 18th century
62 3.1 Automata
a variety of automata — machines to perform particular actions, such as
playing chess or writing — were constructed for public amusement. The
20th century had automata for controlling traffic lights and making coffee.
The word has been assimilated into the Dutch language as the all pervasive
“koffieautomaat,” which dispenses inspiration to PhD. students everywhere;
it is a machine that is relatively self-operating, which responds to the action
of throwing in money by delivering coffee.
3.1.1 Automaton Examples
Consider the coffee vending machine; its state can be described in terms
of a number of variables that together make up the complete state of the
machine. The level of abstraction at which we consider the machine is im-
portant: at one extreme we could write down the quantum-mechanical state
of every atom in the machine, while at another extreme we can simply the
machine as “on” or “off.” Depending on the purpose for which we are de-
scribing a particular automaton, some levels of abstraction may be more
pratical than others. Here the “practical” emphasizes the work needed to
produce the formalization and manipulate it while keeping the purpose of
the entire formalization in mind. Some purposes require a different form or
level of detail in the formalization than others.
When considering whether the machine gives correct change we may be
justified in formalizing the machine in such a way that we do not have to
consider whether there is sufficient water in the machine. If we are con-
cerned with fire safety, then perhaps the water level is important. Choosing
the level of detail correctly is of practical import: one in which we have
far fewer states (since we need not distinguish all the irrelevant details) is
easier to work with.
When working on a formalization, we may distinguish abstraction, sim-
plification and assumption. Abstraction is the representation of a quantity
by something else with less detail but the same essential behavior (what
this essential behavior is is left to the person doing the abstraction). Sim-
plification removes some essential behavior that makes a certain problem
intractable; it is a way of dealing with a “justifiably wrong” problem. Finally
assuming explicitly reduces the range of behavior without removing detail
or losing information as abstraction and simplification do.
A coffee vending machine contains a water reservoir; this reservoir has
3.1.1 Automaton Examples 63
some amount of water in it and coffee is prepared from that water. One may
assume that the water level in the reservoir is sufficient for coffee; this can
only be done if the water level has not been abstracted or simplified away.
We might simplify the coffee machine by removing the water level from the
coffee machine description entirely. It may be justifiably wrong, though, if
the problem being dealt with is not one connected to the water levels in the
machine. One may abstract the water level to “more than one cup left” or
“less than one cup left” if the essential behavior of the system depends only
on a sufficient amount of water for one more cup.
Continuing with the coffee vending machine: let us simplify away is-
sues of whether the machine is on or off, whether there is coffee in the bin,
whether there is water in the reservoir, etc. We are interested only in the
amount of money in the machine. We abstract that amount to a single (in-
teger) state variable that counts how much money has been inserted into
the machine. We will count money up to a maximum of three euros and 99
cents; the actions related to inserting money are the insertion of a 1, 2, 5,
10, 20, 50, 100 or 200 cent coin. Besides inserting money (or rather, al-
lowing money to be inserted) the coffee vending machine can perform one
important action, and that is dispense coffee. When coffee is dispensed,
the amount of credit available is reduced by 45 cents (price of coffee at the
university of Nijmegen cafeteria in 2007).
This fairly informal description of the behavior of the coffee vending ma-
chine can be made more precise by structuring it better. This can be done
by casting it in a diagram or a formula, or even by just writing it down in a
more rigid text format. We will attempt each form in turn here. Note that
that these forms are expressly not the best-possible re-wording or improve-
ment on the specification at each step. They serve as an illustration of what
may happen in the course of a typical formalization effort on an informal
specification. Comments about the results of each formalization attempt
will be written in italics below each form.
Coffee Vending Machine (Unstructured Test) The coffee machine de-
livers a cup of hot, tasty and inspiring coffee with a little bit of foam on top
for 45 cents.
Does the payment happen before or after delivery?
64 3.1 Automata
Coffee Vending Machine (Structured Text)
• Let c represent the amount of credit in the coffee machine at any given
moment. The value of c is initially 0.
• If c < 200 then new coins can be inserted in the machine, and in re-
sponse to the coin insertion, the value of c is increased appropriately.
• If c ≥ 40 then the machine may dispense coffee and the amount of
credit in the machine is decreased by 40 (cents).
This makes clear that payment happens before, but dispens-
ing coffee is not mandatory (it says “may”). The constraint
c < 200 may be surprising, since the informal description
reads “three euro and 99 cents,” but if there is more than
199 cents in the machine a two-euro coin would put the total
over the 3.99 limit.
Coffee Vending Machine (Diagram) The following diagram — in the
style of Uppaal or UML diagrams, which we will elaborate on later — shows
how we might draw the behavior of the coffee vending machine. Arrows are
labeled with the action being performed (cq. dispense and insert) and the
changes that occur in the state are written after a slash (/). Conditions on
the actions — such as that coffee can only be dispensed if there is at least 40
cents of credit — are written in square brackets ([]) as is common in UML.
[c>=40] dispense / c:=c−40
[c<200] insert(v) / c:=c+v
/ c:=0
Without a formal semantics of the diagram it remains un-
clear what happens when a dispense or insert action is at-
tempted and the conditions for it are not met. The idea that
this is a coffee machine has been abstracted away.
3.1.1 Automaton Examples 65
Coffee Vending Machine (Formula) One commonly used formalization
of automata uses transition relations which are paramaterized by the action
being performed, which gives a collection of binary relations over states.
For instance, Tdispense would be a transition relation for the dispense ac-
tion. A relation is a set of pairs (s, s′) where s and s′ represent the state of
the system; if (s, s′) is in the relation Ta then it is possible for the action a
to change the state of the system from s to s′. We give the formalizations of
the transition relations for dispense and insert. Note that the insert action
is parameterized by the value of the coin v being inserted; we can read the
transition relation Tinsert(v) as a family of transition relations, one for each
coin value.
Since the state of the machine consists solely of the credit value stored
in it, we will identify the machine state with the value of the variable c:
Tdispense
d= {(c, c′) | c ≥ 40 ∧ c′ = c− 40}
Tinsert(v)
d= {(c, c′) | c < 200 ∧ c′ = c+ v}
This formalization has the same problems as the automaton
diagram — without an execution semantics of the formulas,
we do not know what this does. The semantics should define
what happens when a dispense action is attempted (insofar
as “attempted” means anything within those semantics) in a
state c for which the transition relation is empty.
This formalization also abstracts away the actors involved:
it is no longer visible which actions are under the control of
the environment (e.g. the user inserting coins) and which are
controlled by the automaton (e.g. dispensing coffee).
Coffee Vending Machine (timed) In all of the previous descriptions of
the coffee vending machine we neglected the idea of time entirely. There
is a sequence of events — coin insertions, then coffee dispensing — but
no indication of the time involved. With such a specification, a coffee ma-
chine that waits a year before dispensing coffee satisfies the requirements
because the events occur in the correct order.
66 3.1 Automata
This kind of extra detail is added to the coffee cending machine descrip-
tion by adding annotations like “within 30 seconds” or “no more than 5 sec-
onds ago” to the descriptions; how this is formulated depends on whether
we are using diagrams or formulas or some other form of description.
3.1.2 Automaton Properties
Reasoning about an automaton seeks to discover properties of the automa-
ton; indeed the desired properties are usually prior to the automaton and
we are interested in verifying (i.e. discovering) that the automaton has the
desired properties. The desired properties also affect what abstractions and
simplifications are acceptable in modeling the desired system: obviously we
cannot simplify away some quality of the system that is essential for the
desired properties.
One example property which we may want to discover is if the machine
can ever hold a credit value of 37 cents (clearly yes: one coin of 20, one of
10, one of 5 and one of 2 cents). Suppose the coffee vending machine has a
coin sorter which rejects 1 and 2 cent coins; then the credit value of 37 cents
can not be reached, but proving that requires some algebraic reasoning
that is not entirely straightforward. A different property is if the coffee
vending machine ever gives out coffee without taking in money. Properties
of automata can take many forms. Let us consider some characterizations
of the properties of automata.
One large class of properties is known as safety properties [58], which
state that “bad things do not happen.” This requires us to identify what the
“bad things” are for our system and then prove that whatever happens the
bad things do not. Another class of properties is that of liveness properties,
which state that eventually something good does happen. Other properties
can be wrestled into one of the two categories safety or liveness: the prop-
erty “state s is visited at most once” is the same as a safety property with
one of the “bad things” defined as “state s is visited a second time.” Simi-
larly, “state s is visited exactly once” is a combination of the safety property
already stated and a liveness property with “good thing” defined as “state s
is visited.” The classic paper [2] shows that this holds generally: any prop-
erty can be defined as the conjunction of a safety and a liveness property.
Another way of categorizing properties of automata is by mathematical
properties of the properties themselves. For instance, we can distinguish
3.1.2 Automaton Properties 67
invariant and non-invariant properties.
A property that is invariant holds for all states in every run, and is said
to be a property of the automaton. Most of the properties proved about
systems in this thesis are of the invariant kind. Safety properties are usu-
ally invariant as well. If there are no runs, then invariant properties hold
vacuously. Non-invariant properties are all those that are not invariant. A
property of the coffee vending machine that is not invariant is “the machine
holds less than 45 cents.” Properties that asset something of more than
one state are not invariant either, for the rather trivial reason that invari-
ant properties are properties of single states. For instance, “if the machine
contains 199 cents, it must contain less money in a later state.”
Invariant and non-invariant properties use different proof principles in
order to establish that they hold for any given automaton.
A property P of states is called inductive if the following two (higher-
order) properties hold of P :
• P (s0) holds for all initial states s0 ∈ I of runs.
• P (si) ⇒ P (si+1), the property holds for all successor states in runs as
well.
An inductive property is necessarily invariant. Invariants are not necessarily
inductive — it may be necessary to strengthen the invariant in order to
prove that it is inductive. We will see examples of this in chapter 5.
Proving non-invariant properties will usually resort to operational reson-
ing, often on execution fragments of the automaton. The execution frag-
ments are usually defined by beginning and ending “moments,” like “from
the moment the brakes are engaged” to “when the vehicle comes to a com-
plete stop.” Reasoning about execution fragments differs from reasoning
about entire runs because the properties we are concerned with are not
naturally susceptible to induction — the fragments are finite after all. In-
duction on the length of of the execution fragment is sometimes possible,
but not always effective. We will see operational reasoning in the example
of the IEEE 896 FutureBus contention protocol in section 4.2.
68 3.2 Unstructured Automata
3.2 Unstructured Automata
(This description is loosely based on Ansgar Fehnker [29] section 2.3) A
labeled transition system is a 4-tupleM≡ 〈S,A, I, T 〉, consisting of a state
space S, a set of initial states I ⊆ S, a set of actions (labels) A, and a
transition relation T : S ×A → P(S).
The state space S of the transition system represents “everything that
is important” about the system at the level of abstraction we have chosen.
The actions represent observable occurences.
If, for some states s, s′ ∈ S and an action a ∈ A, we have s′ ∈ T (s, a),
we write s
a→ s′, and we say that the 3-tuple (s, a, s′) is admitted by the
transition relation. Informally, s
a→ s′ means that the transition system can
perform the action a and change its state from s to s′. We may identify the
relation T with its characteristic set, so we will often write (s, a, s′) ∈ T to
mean (s, a, s′) is admitted by T .
Both the state space and the set of actions may be infinite (countably or
uncountably so). The set of initial states may be infinite as well. A purely
finite transition system might represent a traffic light: three states (red, yel-
low and green) and a single action (change color — or perhaps three actions
if you prefer). An infinite transition system might have a state representing
a position on the ground and actions representing a change in that position;
both states and actions can be represented by a real number and are hence
infinite.
An unstructured automaton is a labeled transition system, a 4-tuple of
state, actions, initial states and a transition relation. In the this section,
where we write ‘automaton’ we mean a labeled transition system. The un-
structured state of the automata will last until section 3.3.
3.2.1 Unstructured Automata in Informal Rigor
A run, or execution, of an automatonM is an infinite alternating sequence
of states from S and actions from A. We might draw this as
s0, a0, s1, a1, . . . , sn, an, . . .
or in a more graphically pleasing fashion as
s0
a0→ s1 a1→ s2 · · · sn an→ sn+1 an+1→ · · ·
3.2.1 Unstructured Automata in Informal Rigor 69
We require that s0 ∈ I and that each 3-tuple (si, ai, si+1) is admitted by
the transition relation. We say that the automaton starts in state s0. An
automaton may be in state si and then perform an action a0 (or passively,
an event ai occurs) and after that action the state of the automaton is si+1.
We will write si(r) and ai(r) to denote the i-th state and i-th action of a
run r, respectively. In cases whether the run r is clear from the context or
irrelevant, we will omit it.
A state s is said to be reachable if there is a finite prefix of an execution
with state s as the final state; that is, there is a finite sequence
s0
a0→ s1 a1→ s2 · · · sn an→ s
An execution fragment is a finite subsequence of an execution; these are
subsequences beginning with a state i and ending with a state j > i, so that
we can easily and meaningfully quantify over all the transitions (3-tuples
s, a, s′ admitted by the transition relation) in the execution fragment. There
are j − i transitions in the fragment and j − i+ 1 states.
Three technicalities should be noted regarding executions:
1. Our definition of run as an infinite sequence implies that every state
occurring in a run has a successor state. Systems with quiescent
states or terminating executions — these are typically protocols that
are finished at some point, like the FutureBus arbitration protocol de-
scribed in section 4.2 — must explicitly include a transition that al-
lows quiescense. The definition for such a transition τ will typically be
T (s, τ) = {s}.
2. An automaton need not have any executions. Consider, for instance,
an automaton where
∀s ∈ I . ∀a ∈ A . T (s, a) = ∅
Since no transitions leave the initial states, there are also surely no
infinite alternating sequences of states and actions beginning with an
initial state where each 3-tuple of state, action, state is admitted by the
transition relation. Therefore such an automaton has no executions at
all. We will examine the question of existence of executions in more
detail later, since the non-existence of executions may be a more subtle
issue than this crude example.
70 3.2 Unstructured Automata
3. Since the set of reachable states is defined in terms of prefixes of
executions, a state is reachable only if it appears in some execution; if
there are no executions, such as in the example above, then there are
no reachable states either — not even the initial states!
As a concrete example of an unstructured automaton (labeled transi-
tion system), we present the traffic light. The state space S is the colors
{red, yellow,green} and we identify one action, “change color.” The initial
state of the system, chosen arbitrarily, is red. Finally, the transition relation
is defined as follows (where s′ is the “next” state and a is the action — but
there is only one action, so it does not enter the picture):
T (s, a, s′) =

s = red ∧ s′ = green ∨
s = green ∧ s′ = yellow ∨
s = yellow ∧ s′ = red
3.2.2 Unstructured Automata in PVS
(See appendix A for more information on the PVS notation and terminology
used in this section.) In the mathematical theory of automata we began by
defining a 4-tuple of the parts of an automaton and then defining notions
for automata in general based on the contents of this “container” for an
automaton. In PVS we follow a similar course: the package that holds the
general theory about automata is a single PVS THEORY which is parameter-
ized by the four parts of an automaton. For a particular automaton, we
instantiate this theory with the particular state, actions, etc. required. This
gives us the theory of, say, a particular coffee vending machine, with all the
general theorems about automata specialized for coffee vending machines.
The container theory for automata is shown below. The similarity to
the 4-tuple of the definitions in the previous section should be obvious.
We see the uninterpreted types State and Action which represent the au-
tomaton parameters S and A. Init represents the set of initial states I.
Effect, finally, represents the transition relation as a predicate over triples
(s, a, s′) ∈ S × A × S. Except for Currying, (i.e. the order of applying ar-
guments and the need for parentheses), PVS considers a set of elements of
type T and a predicate over T and a function T → B equivalent; therefore:
Effect(s, a, s′) ⇐⇒ (s, a, s′) ∈ Effect ⇐⇒ s′ ∈ T (s, a)
3.2.2 Unstructured Automata in PVS 71
The PVS code contains a few annotations: the annotation TYPE+ means
that the type cannot be empty, i.e. neither the state space nor the set of
actions may be empty. The initial states are defined by a set, which is con-
strained to be non-empty — see the brief PVS introduction on predicate
types on page 251. The set of actions cannot be empty either since the
transition relation cannot have an empty domain.
AutomatonUnstructured [
States : TYPE+,
Actions: TYPE+,
Init : (nonempty?[States]),
Effect : pred[[States,Actions,States]]
] : THEORY
We can instantiate this theory to create a concrete instance of an au-
tomaton using the PVS keyword IMPORTING. Assume the parts of the automa-
ton are defined in PVS with names S, A, I and T for the states, actions, initial
states and the transition relation, respectively. Then we can write
IMPORTING AutomatonUnstructured[S,A,I,T];
PVS checks that the assumptions made by the theory about the parameters
of that therory, hold for a concrete instantiation. The only requirements
PVS places on us are those determined by the type information given in the
theory header, i.e. that the state and action sets are non-empty, that the set
of initial states is indeed a non-empty subset of the state space, and that
the transition relation is a set of 3-tuples. When doing the instantiation,
PVS will attempt to prove that these requirements are met. Usually the non-
emptiness of the sets is clear and it will succeed automatically, but there
are cases where we will have to do this by hand.
The runs of the automaton are defined by the set Runs in PVS, which is
defined as one might expect: it is the set of all those alternating sequences
of states and actions that satisfy the definition. We begin by defining the set
of all such alternating sequences, called pre-runs:
PreRuns : TYPE =
[# states : sequence[States],
actions : sequence[Actions]
#] ;
72 3.2 Unstructured Automata
Here we have chosen to represent the alternating sequences as a pair
of sequences; this is isomorphic to an alternating sequence in an obvious
fashion. By convention, the i-th action is the action that changes the state
of the system from state i to state i + 1. In the rare case that we need the
pair of (state,action) or triple (state,action,state), there are functions Step
and Step3 that give them to us for a given pre-run. See section 3.2.3 for
details.
The alternating sequences are restricted to the sequences that obey the
transition relation by asserting that predicate EffectOK holds. The predicate
EffectOk states that each three-tuple (state,action,state) in the pre-run is
accepted by the transition relation.
EffectOK(pr:PreRuns) : bool =
FORALL (i:nat) :
Effect(pr‘states(i), pr‘actions(i), pr‘states(i + 1))
Additionally, we require that runs begin in an initial state — that is, the
zero’th state of the run must be an element of the set Init.
Runs : TYPE =
{ pr:PreRuns | Init(pr‘states(0)) AND EffectOK(pr) }
This is the essential part of an automaton: its executions. Everything
we add after this is really sugar to make working with the executions of an
automaton easier. The sugar for unstructured automata consists of a few
lemmas that make it easier to use the definition of runs in a proof (doing
everything from first principles quickly becomes tiresome).
Returning to the instantiation of this theory for the purpose of formal-
izing a system as an automaton, we will always proceed as follows: in a
theory external to the automaton framework, define the four parts of the
automaton, then use the IMPORTING clause to instantiate the framework with
those parts.
Facts about Executions: When doing proofs about all the executions of
an automaton we will often use inductive reasoning. The base case requires
us to prove a property for initial states; the induction step requires using
the transition relation. In proofs it is nice to have a way to introduce these
in a single proof step (that saves typing in the long run).
3.2.2 Unstructured Automata in PVS 73
Two lemmata are proved so that we can more easily use the facts that
the zero’th state of the run is an initial state and that the transition relation
holds between two subsequent states. These lemmata are EffectIntro and
InitIntro. We use *Intro as names for lemmata that introduce facts into the
sequent that might be proven through other means but which are clumsy to
do in other ways. The lemma itself is straightforward:
EffectIntro : LEMMA
FORALL (R:Runs,i:nat) :
Effect(R‘states(i),R‘actions(i),R‘states(i+1)) ;
Proofs which proceed manually will typically proceed with a PVS induc-
tion strategy and then use InitIntro and EffectIntro in the two separate
branches. As an alternative, we define the notion of inductive (state pred-
icate) as described earlier in section 3.1.2 and prove that our property P
is inductive. Then it is invariant as well, which is stated by the lemma
InductiveImpliesInvariant.
Inductive?(P:pred[States]) : bool =
( FORALL (s:(Init)) : P(s) ) AND
FORALL (s:States,a:Actions,s_:States | Effect(s,a,s_)) :
P(s) => P(s_) ;
InductiveImpliesInvariant : LEMMA
Inductive?(P) =>
FORALL (R:Runs,i:nat) : P(R‘states(i)) ;
Example Instantiation: There are many ways we can choose to represent
the coffee-vending-machine automaton shown in figure 3.1.1 of page 64 (not
to mention the other descriptions of the automaton given there).
The state of our automaton is clearly only the value of c, the amount of
credit stored in the machine. This can be represented by a natural number
(to represent whole eurocents; the notation below[N] means natural num-
bers belowN , and our machine only stores up to four euros of credit). There
are two actions, insert and dispense. Let us simplify a little and use only 20
cent coins — the coin slot is one-size only. Then we might represent the
state and actions of the automaton as follows:
State : TYPE+ = below[400] ;
Actions : TYPE+ = { Insert, Dispense } ;
74 3.2 Unstructured Automata
The initial states are those states where there are zero (0) cents in the
machine; this is easy enough to write down. The transition relation can be
defined in many different ways in PVS. We will use a CASES structure here to
distinguish between the two actions, as follows:
Init(s:State) : bool = s=0 ;
Transition(s:State,a:Actions,s_:State) : bool =
CASES a OF
Insert : s<200 AND s_ = s+20,
Dispense : s>=45 AND s_ = s-45
ENDCASES ;
Note that the transition relation contains an expression for each action
and that the expression is broken down into a precondition and an actual
effect statement; we have written the preconditions before the AND. Having
a consistent style of definition like this makes it easier to validate the model
because the structure of the formulas matches the informal description.
Normally, we will write an automaton theory to do three things:
1. Defines the parts of the automaton, i.e. the states, actions, and transi-
tions, as above.
2. Imports the automaton framework, which defines Runs as a type which
can be manipulated; these runs are the executions of the automaton
we have just defined. The import part of the theory is a single line
IMPORTING AutomatonUnstructured[State,Actions,Init,Transition]
3. States theorems about the type Runs, which are really theorems about
the behavior of the automaton. We will examine this in a little more
detail below.
For instance, we may wish to prove that the coffee vending automaton
keeps a non-negative balance. This theorem formulated in the language of
PVS might appear like this:
Positive : LEMMA
FORALL (R:Runs, i:nat) :
R‘states(i) >= 0
3.2.3 Considerations in the Formalization 75
The type Runs refers to the runs of the automaton under consideration (in
cases where more than one automaton is involved, we must state explicitly
which runs), and R represents some unspecified run. The variable i is an
index into the sequence of states and actions in the execution. The PVS
notation R‘states(i) can be read as “the i’th state of the run R.”
This is the kind of statements we can make (and prove) about the au-
tomata defined in the (unstructured) automaton framework. The lemma is
quantified over runs and indexes in the runs, so does not apply directly to
states; we could re-formulate it as follows:
1. Define a property of states, stating that the state has a positive bal-
ance: Positive?(s:States) : bool = s>=0
2. Prove that this property is inductive.
3. Conclude that the property holds for all states of all runs by lemma
InductiveImpliesInvariant.
3.2.3 Considerations in the Formalization
In this section we give some of the rationale behind the definition of Runs
given previously.
The framework begins by defining runs of the automatonM. The mathe-
matical definition is as an infinite alternating sequence of states and actions.
PVS has definitions for sequences, both finite and infinite. These sequences
are modeled as functions from the natural numbers to some type T, the type
of the sequence. The problem of alternating sequences comes from the fact
that there is not one type of the elements in the sequence, but two: the
states and the actions.
Several solutions present themselves immediately:
• Define the sum type of states and actions, and define a pseudo-run as
a sequence of states-and-actions, such as this:
state_or_action : DATATYPE BEGIN
a(a:Actions) : action?
s(s:States) : state?
END sum
pseudo_run : TYPE = sequence[state_or_action]
76 3.2 Unstructured Automata
By using predicate subtypes, we could define a type Run where even
indices are states and odd ones are actions, something like this:
alternating?(r:pseudo_run) : bool =
FORALL (i:nat) :
(even?(i)=>state?(r(i)) AND
(odd?(i)=>action?(r(i))
The intended interpretation of a sequence R of this form is as follows:
R(0)
R(1)→ R(2) R(3)→ · · ·
The downside of chosing this representation of the alternating se-
quence is that there is no direct way of denoting action i (which la-
bels the transition from state i to state i + 1 in the run). Action i is
element 2i + 1 of the sequence, and we need to use extra type infor-
mation (i.e. alternating?) to establish that that is, in fact, an action.
This makes the use of this particular definition somewhat clumsy, and
we need additional PVS machinery to emulate the natural terminology
used when referring to parts of the runs.
• Define a pair of states and actions, and then define a run as a sequence
of those pairs. This leads to a definition like the following:
pseudo_run : TYPE = sequence[ [ States, Actions] ] ;
We might equivalently use a record type with two fields instead of a
pair, which provides meaningful names for the fields. When using this
notation, we write r for a run, and r(i) for the i’th element of a run,
which is the pair of state i and action i.
To denote the i’th state, we write r(i)‘1 (or something similar, de-
pending on whether we use pairs or records). The actions and states
are intertwined — we have no simple mechanism to obtain just the
states or just the actions.
The intended interpretation of a sequence R of this form is as follows:
R(0)‘1
R(0)‘2→ R(1)‘1 R(1)‘2→ · · ·
3.2.3 Considerations in the Formalization 77
• Define a pair of sequences, one of states and one of actions. Equiva-
lently, use a record with two fields, such as the following:
pseudo_run : TYPE =
[# states : sequence[States],
actions : sequence[Actions]
#] ;
The intended interpretation of this pair of sequences as an alternating
sequence is as follows:
R‘states(0)
R‘actions(0)→ R‘states(1) R‘actions(1)→ · · ·
There is a tiny notational advantage to this form over the preceding
form: indices come at the end of an expression, so that we write R
for a run, R‘states for the entire sequence of states of the run, and
R‘states(i) for the i’th state of the run, which seems slightly more
natural than R(i)‘state.
Of these three options, we choose the last because its notation feels
most natural and it allows us to use the sequences of states and actions
separately. We seem to need the sequence of states far more often than we
need the ith pair (s, a) of a run. On those rare occasions that we do need the
pairs or triples, we can extract them from this definition with the following
two functions:
Step(R:PreRuns)(i:nat) : [States,Actions] =
(R‘states(i),R‘actions(i)) ;
Step3(R:PreRuns)(i:nat) : [States,Actions,States] =
(R‘states(i),R‘actions(i),R‘states(i+1)) ;
From a purely mathematical standpoint, there is no difference between
any of these structures — they are all isomorphic. Chosing any one to-
gether with suitably defined extraction functions for the other representa-
tions would do. Since we are not concerned purely with the mathematical,
but also with the PVS notation and proof convenience, this is the best for-
malization of an alternating sequence of states and actions to choose.
78 3.3 Automata with Locations
3.3 Automata with Locations
Consider the automaton in figure 3.1, below. This has a slightly more com-
plicated state than the exceedingly simple one-circle-and-some-arrows ex-
amples we have seen thus far. The figure is taken from page 119 of the
FutureBus arbitration example in section 4.7. The state of the automaton is
apply / link := v
l0
l1
link := 0
v := P
l2
read / v := bus
compute / v := v(v,P)
Figure 3.1: An automaton with locations which impart additional structure.
structured by the use of locations — the circles in the diagram. Locations
play a central role in diagramming and model-checking tools such as Uppaal
or UML State Charts. We can imagine keeping track of (part of) the state
of the system by placing a coin on the diagram on one of the locations, and
sliding the coin around in a manner reminiscent of Petri nets.
The presence of locations in the diagram makes certain things imme-
diately clear (for people): if the automaton’s state indicates that it is in
location 1 (in future, we will say “the automaton is in location 1” without re-
ferring to its state) then in any previous state it must have been in location
0. This is immediately clear from just part of the state of the automaton and
can prove to be quite useful in proving properties of the automaton.
Theoretically, the locations are not interesting: they are just a part of the
state. However, from a practical perspective they are useful in describing
state changes and they introduce graphs connecting the locations which are
convenient for reasoning.
The following two sections describe the introduction of locations more
carefully, both in the language of informal rigor and in PVS.
3.3.1 Locations in Informal Rigor 79
a / c:=c+2
c:=0 a / c:=c+1
l0 l1
Figure 3.2: An automaton where a single action a has a different effect
depending on which location it occurs in.
3.3.1 Locations in Informal Rigor
In this extended automaton model, we propose an automaton as a 6-tuple
〈S,L,A, I, T ,G〉 where the new components L and G are the set of locations
and the graph of the location diagram, respectively. The graph G is a set of
edges (l, a, l′) between locations, annotated with an action in each case.
Note that locations add nothing to the expressive power of automata. For
every automaton with locations, there is an exactly equivalent automaton
with no (explicit) locations where the locations are encoded into the state.
We can add a variable l of the type of the set of locations to the existing
state S. The new state S ′ = L × S and we define a with a suitably chosen
transition relation T ′ such that: T ′((s, l), a, (s′, l′)) if and only if l → l′ is an
edge of the location graph and that edge is labeled with action a and the
change of state s→ s′ is allowed by the labels on the transition.
We are attempting to keep the transition relation for the opaque state
of the automaton — the S and T parts of it — independent of the locations
and the location graph. Similarly, we wish to keep the location graph free of
annotations based on the opaque state. This simplifies writing the location
transition relation in PVS somewhat. For a given action a the effect on the
opaque part of the state should be the same independent of the location
transition, and location transition guards should not refer to the opaque
state S. This means that we cannot write the automaton from figure 3.2
without renaming one of the actions a, since they have different effects on
the opaque state. For the examples in this thesis, this is a restriction we
can live with. For other systems where the location graph and the transi-
tion relation for the opaque state are more intertwined, we suggest using
the unstructured automaton theory instead with a systematic approach to
integrating the locations into the state of the system.
The relation derived from the state-transition relation T and the location-
transition graph G must be the following, with both the transition relation
80 3.3 Automata with Locations
for the opaque state and the graph edge being checked:
T̂ ((s, l), a, (s′, l′)) = T (s, a, s′) ∧ (l, a, l′) ∈ G
3.3.2 Locations in PVS
We present the translation of the informal rigor into PVS. The locations are
added to the state space of the automaton and the edges of the graph are
taken into account in an adapted transition relation. Given a state space
S, actions A and locations L we also need the transition relation Effect for
the opaque state space S, initial states Init and a graph Graph with initial
location Start. We define the combined state space, initial combined state
and transition relation as follows:
SState : TYPE+ = [#
S:States,
L:Locations
#] ;
SInit(s:SState) : bool = Init(s‘S) AND s‘L=Start ;
SEffect(s:SState,a:Actions,s_:SState) : bool =
Effect(s‘S,a,s_‘S) AND Graph(s‘L,a,s_‘L) ;
We define a record type with fields for both the opaque state and the
location. This will lead to nested records in most cases and proofs will have
to deal with PVS structures such as R‘states(i)‘S‘field. A suitable choice
of additional automation (through automatic rewrite rules or strategies) will
reduce that syntactical complexity.
These three definitions along with the given actions A are passed to the
unstructured automaton theory and provide us with the normal unstruc-
tured definitions for automata.
IMPORTING AutomatonUnstructured[SState,Actions,SInit,SEffect]
It is possible to think of the location graph as an automaton in its own
right; the graph has the correct type for a transition relation over locations
and actions. We can use any theory we develop for unstructured automata
just as effectively on the locations graph. If we need such results, we can
3.3.2 Locations in PVS 81
l’
Self−loop
In
Out
l
Figure 3.3: Local part of a location graph with transitions, where a node
has only (optional) self-loop transitions and a single outgoing arc to another
node.
lift the initial location to a singleton set and use the following PVS theory
instantiation:
IMPORTING AutomatonUnstructured
[Locations,Actions,singleton(Start),Graph]
If we consider only the locations with the graph as an automaton, then
we can prove a few useful properties of the runs of that simple (unstruc-
tured) automaton. The most useful of these are simple graph properties
such as the following:
If a node l of the directed graph G has only one successor node
l′, then any path which passes through l to another node must
pass through that successor node l′.
The local part of the graphG is shown in figure 3.3 and shows that from l it is
only possible to leave l by going to l′. This is formulated in PVS as follows, if
the automaton is in location l at index i in some run and later at index i+j is
in a different location then at some point (between i and i+j) the automaton
must be in location l′. The PVS predicate self_or_single_successor? states
that node l has optional self-loops and only a single distinct successor l′ in
the graph. The formalization is not particularly elegant.
successor_new_location : LEMMA
FORALL (l,l_:Locations) :
82 3.4 Timed Automata
self_or_single_successor?(l,l_) =>
FORALL (R:Runs, i:nat, j:nat) :
R‘states(i)‘L=l AND
R‘states(i+j)‘L/=l =>
EXISTS (k:nat | k<=j) :
R‘states(i+k)‘L=l_ ;
If we wish to consider the locations that the automaton occupies in se-
quence as an automaton in its own right, we need some machinery to cal-
culate that “location automaton.” We can extract the runs of the location
automaton from the runs of the complete automaton. Graphically, if
(si, li)
ai→ (si+1, li+1) ai+1→ · · ·
then the “split out” sequence
li
ai→ li+1 ai+1→ · · ·
is a run of the location automaton.
In PVS this extractions proceeds straightforwardly, although we need to
use some additional PVSmachinery outside the scope of this section to prove
that the resulting runs are runs of the location automaton.
locations(R:Runs) : [# states:sequence[Locations],
actions:sequence[Actions] #] =
(# states:=LAMBDA (i:nat) : R‘states(i)‘L,
actions:=R‘actions
#) ;
This concludes the PVS formalization of automata with locations. We
have re-used the framework for unstructured automata and the machinery
it provides, while adding the additional structure provided by locations. The
structure can be exploited separately though the locations function in order
to reason purely about the locations graph.
3.4 Timed Automata
Timed Automata [3, 66] are an extension to transition systems where the
advance of time is taken into account and can cause events to occur. The
3.4 Timed Automata 83
passage of time is not an observable action of the transition system but im-
posed externally. We normally consider time to be continuous. In another
setting, we might consider discrete time where the ticking of a clock rep-
resents the passage of time. Such a discrete model can be immediately
transformed back into a “regular” unstructured automaton by introducing a
“tick” action, and so will not be considered in this chapter. For the purposes
of this thesis and our automaton models, we will take time to be continuous,
modeled by the non-negtive real numbers; van Thienen [84] shows that time
models can be the subject of a thesis all on their own.
Timed automata are equipped with clocks, special real-valued variables
in the state of the automaton that advance as time passes. Clocks are as-
sumed to be perfect, that is, if δ time passes then the clock values advance
by δ as well, for any value of δ. Clocks can be individually reset to zero (0)
by a special action on the part of the automaton. Clocks may not be other-
wise assigned to. Figure 3.4 shows an abstract notation for timed automata
while figure 3.5 shows a concrete example — a traffic light.
The introduction of clocks raises several questions which have been
dealt with time and time again in the literature; these questions address
the semantics of delay events and of non-delay events.
• Do non-delay events have a duration? We model non-delay events as
instantaneous; no clocks change during a non-delay event except for
those clocks that are reset to zero. Real world processes that take non-
negligable time may be modeled by a pair of start and stop actions with
some delay enforced between them.
• Do delay events affect the state? Delay events do not change the rest
of the state of the automaton at all (i.e. that part of the state that is
not the clocks).
By introducing explicit delay events, we coerce the timed automaton
model back into the form of our unstructured automata — a run is a se-
quence of alternating states and events, except now there are special events
called delays. The runs of a timed automatonM are alternating sequences
of states and actions, where the actions may be drawn fromA∪{δ(t) | t > 0};
this might be represented as follows (the entire state of the automaton now
includes the wall clock now; the state portion contains the opaque state and
84 3.4 Timed Automata
^ clock resets
[location invariant]
[transition guard]
action
^ state effect
Figure 3.4: An abstract portion of a timed automaton. We use a diagram
with locations and arcs annotated with events and effects on the opaque
state of the automaton. We add location invariants which constrain the
values of the clocks in each location, guards on the transition which con-
strain the values of clocks when taking the transition and clock resets which
change the state of the clocks during a transition.
the clocks of the automaton):
〈state,now〉 〈s0, 0〉 a0→ 〈s1, 0〉 δ(2)→ 〈s2, 2〉 a2→ 〈s3, 2〉 δ(0.2)→ 〈s4, 2.2〉 · · ·
This special clock, called now, is one which records time from the beginning
of an execution and which is never reset to 0; this provides for a measure of
elapsed time, and can be used to demonstrate progress in the automaton.
The wall clock is not part of the state of the automaton, and we will disal-
low references to it in the automaton description. We do not enforce this
through syntactic or other means, but only as a style guideline. In any case,
an automaton can easily introduce a clock x that is never reset and which
therefore mimics the wall clock.
A simple property of runs is that delay actions can be subdivided or
combined with no ill effects; that is,
si
δ(t)→ si+1 δ(t
′)→ si+2 impliessi δ(t+t
′)→ si+2
If the left-hand fragment is an execution fragment of some run R of the
automaton, then there is also a run R′ containing the right-hand fragment.
The passage of time can force changes in state, for instance a traffic light
changes from green to yellow, waits three seconds, and then changes from
yellow to red. This is achieved by a location invariant, which is a predicate
on the state space and the values of the clocks. Well-formedness of the ex-
pressions involving clocks is an issue for model checkers but not necessarily
3.4 Timed Automata 85
change [x>=3] ^ x:=0
^ x:=0 change [x>=30] ^ x:=0
change [x>=27] ^ x:=0
Yellow
[x<=27 sec]
GreenRed
[x <= 30sec]
[x <= 3sec]
Figure 3.5: A concrete example of a timed automaton, the traffic light. As
in the description on page 70, the light has three locations corresponding to
the light which is on and a single action change to switch between locations.
The variable x is a clock which is reset to zero on each transition. Each
state and each transition arc is annotated with a constraint on the value
of x such that the automaton remains in a location for a fixed amount of
time (30 seconds in location Red, for instance) and then must transition to
a different location.
for our PVS framework. After every transition, the location invariant of the
resulting location must hold. This is most commonly used to force a transi-
tion out of a location after some amount of time (e.g. by setting a location
invariant t ≤ 5, we can force a maximal sojourn time in the location of at
most five time units).
It is intuitively clear that time cannot be stopped in its tracks; it must
always progress beyond any arbitrary point. Our automaton executions,
being infinite sequences of states and actions, must always allow time to
progress (perhaps in later states) and must eventually surpass any arbitrary
time value. Automata that do not meet this requirement are said to display
Zeno Behavior, from the ancient Greek philosopher who demonstrated that
the hare could not catch the tortoise; here, the hands of the clock cannot
reach noon. The only ways to have an infinite execution that never reaches
a particular point in time are to have infinitely many events that do not in-
crease clocks at all, or to advance the clocks by an exponentially-decreasing
amount with each advance (or a mixture of the two). We will disallow Zeno
behavior in our executions of timed automata.
86 3.4 Timed Automata
3.4.1 Timed automata in PVS
One approach to formalizing timed automata in PVS is to define a theory
(with a large number of parameters) that builds up timed automata in the
manner that we did for automata with locations. This has been done in the
literature, see for instance [89] for a formalization that takes the parameters
States, Actions, Init, Effect, as before, with new parameters Clocks, Resets,
Guards and Invariants.
The Clocks parameter enumerates the clocks that are present in the sys-
tem. Typically this will be a finite type, but there is no requirement that it
be so. The state of the entire automaton is the opaque state plus the valua-
tion of the clock variables. Every transition is annotated with a set of clocks
that must be reset to zero when a transition is taken along such an edge;
this is formalized with Resets. Each transition may also be annotated with a
constraint on the values of clocks stating when the transition may be taken,
stated in Guards. Each state may be adorned with Invariants, conditions on
the clock variables; these serve to eventually push the automaton out of a
given state.
One downside of the theory described in [89] is that it builds a single
theory for timed automata. There is no possibility to use it for simple un-
structured automata, or automata with locations. The hierarchy of different
automaton types (as described in this thesis in sections 3.2 through 3.5) is
not preserved in this approach. The neglect of the hierarchy is not strange
since the theory is intended as a semantics of timed automata only, but it
is slightly inconvenient for practical automaton proofs when timing is not
important.
We will briefly present an approach that preserves the type hierarchy,
making timed automata an extension of the theories we already have. Con-
sider the diagram in figure 3.5, which is a suggestive one, as it is based
very loosely on Uppaal diagrams. It includes locations as well as timing.
Locations do not necessarily need to be explicit in timed automata — time
and locations are orthogonal — but a common and natural way to specify
the invariants and guards is to attach them to nodes and arcs of the location
graph.
Our theory takes a large number of parameters. Some of these are famil-
iar from earlier theories which define automata with locations. The param-
eter Clocks is an enumerated type which names the clocks in the system.
3.4.1 Timed automata in PVS 87
We annotate locations in the graph with clock constraints (which are pred-
icates on the values of clocks, i.e. [ [Clocks->real] -> bool ]). These are
the location invariants and passed as PVS theory parameter Invariant. We
similarly annotate edges of the graph with sets of clocks to be reset (Resets)
and guards on the clock values (Guards).
AutomatonTimed [
States : TYPE+,
Locations : TYPE+,
Clocks : TYPE+,
Actions : TYPE+,
Init : (nonempty?[States]),
Effect : pred[[States,Actions,States]],
Graph : pred[[Locations,Actions,Locations]],
(IMPORTING AutomatonClockTypes[Clocks])
Invariant : [ Locations->ClockConstraint ],
Resets : [ (Graph)->setof[Clocks] ],
Guards : [ (Graph)->ClockConstraint ],
Start : Locations
] : THEORY
If we drop the annotations of invariants, resets and guards from the
diagram, we have a “normal” automaton with locations. The state of the
clocks — including the wall clock “now” — is added to the opaque type for
the state of the automaton.
TState : TYPE+ = [#
S:States,
C:ClockValues,
now:Time
#] ;
We introduce an explicit delay action. This gives us the distinction be-
twee delay actions and non-delay actions, and we can use the PVS datatype
machinery to help us distinguish those cases.
TActions : DATATYPE BEGIN
a(a:Actions) : action?
d(d:Delay) : delay?
END TActions ;
88 3.4 Timed Automata
We now turn to the effect of each of these actions on the state of the
system. The delay actions are clear: they should not change the opaque
state of the automaton at all and advance all of the clocks (including the
“now” clock).
DelayEffect(s:TState,d:Delay,s_:TState) : bool =
s_‘S = s‘S AND
s_‘C = advance_clocks(s‘C,d) AND
s_‘now = s‘now + d ;
Turning to the non-delay actions, we encounter a problem. We wish to re-
use the theory for location automata in defining timed automata; this spares
us proving the lemmata for location automata again. However, we find we
cannot express the location invariants or the effect (resets) on the clocks
within the transition relation. The transition relation operates on the state
of the automatonwithout locations, as explained in section 3.3.1 on page 79.
Since the invariants and the guards and resets all operate on edges of the
location graph, we cannot apply them to the TState representation of the
state of the system. Instead we will leave the clocks entirely unconstrained
in our definition of the transition relation. This means that we allow any
changes in clock values. We therefore leave out any expression concerning
s‘C in the PVS formalization of the effect of non-delay actions:
InstantEffect(s:TState,a:Actions,s_:TState) : bool =
Effect(s‘S,a,s_‘S) AND
s_‘now = s‘now;
Combining these two transition relations into one which deals with the
distinction between delay and non-delay actions is straightforward. We also
construct an augmented location graph which allows delay actions as self-
loops for all locations in the graph, and then use the existing theory for
automata with locations.
TEffect(s:TState, a:TActions, s_:TState) : bool =
CASES a OF
a(act) : InstantEffect(s,act,s_),
d(del) : DelayEffect(s,del,s_)
ENDCASES ;
TGraph(l:Locations, a:TActions, l_:Locations) : bool =
IF delay?(a) THEN l=l_ ELSE Graph(l,a(a),l_) ENDIF ;
3.4.1 Timed automata in PVS 89
IMPORTING AutomatonLocations[
TState, Locations, TActions, TInit,
TEffect, TGraph, Start]
The location automaton that we construct this way has runs in which
the behavior of the clocks is unconstrained. Any change in the values of
the clocks is permitted. We apply the neccesary restrictions on the runs
in order to obtain the desired behavior. In the following, the states of the
automata are nested records, so for a state s we have the semi-opaque state
s‘S and the location s‘L; within the semi-opaque state (which is of type
TState defined here) we have the wall clock s‘S‘now and the clock values
s‘S‘C and the opaque state s‘S‘S.
• The invariant holds in each state.
invariants_hold?(r:LocationAutomaton.FullRuns) : bool =
FORALL (i:nat) : Invariant(r‘states(i)‘L)(r‘states(i)‘S‘C) ;
• The guard holds in any transition.
guards_hold?(r:LocationAutomaton.FullRuns) : bool =
FORALL (i:nat) :
action?(r‘actions(i)) =>
Guards(arc(r,i))(r‘states(i)‘S‘C)
• The clocks are reset following the reset function at each transition.
The function reset_clocks updates a clock valuation with those clocks
which are reset while leaving the other clock values unchanged.
clocks_update?(r:LocationAutomaton.FullRuns) : bool =
FORALL (i:nat) :
action?(r‘actions(i)) =>
r‘states(i+1)‘S‘C =
reset_clocks(r‘states(i)‘S‘C,Resets(arc(r,i)))
• The runs are non-Zeno.
nonzeno?(r:LocationAutomaton.FullRuns) : bool =
FORALL (t:Time) : EXISTS (i:nat) : now(r‘states(i)) > t ;
90 3.4 Timed Automata
With these four predicates that express the proper behavior of the clocks
with respect to the annotations on the location graph, we now define the
subtype of the runs of the location automaton where these four restrictions
hold. This type is what we use for the runs of a timed automaton.
TimedRuns : TYPE = { r:LocationAutomaton.FullRuns |
nonzeno?(r) AND invariants_hold?(r) AND
guards_hold?(r) AND clocks_update?(r) } ;
In the unstructured automaton theory we introduced a number of helper
lemmata intended to be used as prover commands, such as InitIntro. We
do the same here with ResetsIntro, GuardsIntro and InvariantIntro.
This machinery shows us that is is possible to define timed automata
with locations as an extension of automata with locations (but no explicit
time) in a straightforward and relatively elegant manner. The resulting def-
initions have many nested record field accesses. However, this very same
theory that shows that it is possible to add timing to automata in a straight-
forward manner by using PVS machinery also serves to underscore that it
is probably not worth the hassle: instead of using this theory, we could just
as well add clocks and delay actions directly to the state and actions of our
theory, copy the definitions of nonzeno? and the invariants restrictions into
our theory and then use the automata with locations theory, or the PVS the-
ory for unstructured automata directly. The examples in this thesis — the
chapers 5 and 6 use timed automata — follow this approach of adding tim-
ing by hand. This does not make the theory outlined here superfluous, since
the definitions and lemmata carry over to our manual introduction of timers
elsewhere.
In short, we can systematically and practically add time to an automaton
by following the following steps:
1. Define an enumerated type naming all of the clocks in the system.
2. Define the type of clock valuations as [Clocks->Time].
3. Add a field with clock valuations to the state of the system; alterna-
tively add fields (of type Time) for each clock individually.
4. Add a delay action to the set of actions of the system.
3.5 Hybrid Automata 91
5. Add an effect for the delay action to the transition relation which up-
dates all of the clocks; if invariants are to be used, check that the
resulting clock valuation is valid.
6. Update the effects of the non-delay actions to preserve the clock val-
ues (or to reset them); if guards are used, check them and if invariants
are used, check that they hold in the resulting state.
7. Use the locations or unstructured automaton theory to define runs.
8. Define a subtype of runs that is nonzeno?.
Since we need to name the clocks, define resets, define guards and define
location invariants regardless of whether we use the theory described above
or our method of adding time manually, the difference in the amount of work
is not very large.
3.5 Hybrid Automata
Where timed automata introduce clocks, which are variables that advance
as time passes and where the clocks change at the same rate as time passes,
hybrid automata may contain variables whose rate is not 1, which may have
arbitrarily complex continuous behavior.
When drawing diagrams of hybrid automata it is important to maintain
the distinction between clocks, continuous variables and the discrete parts
of the state. Clocks have rate 1 and may only be reset. Continuous vari-
ables may have any rate; assignment may or may not make sense. Consider
a continuous variable x representing the physical location of a train on a
length of track, then assignment to x which moves a train from Toronto to
Madrid with a single = sign does not make sense. Assignment to the jerk
rate (third derivative of x) x′′′ does make sense as the train begins to move.
The discrete state does not change during a delay action.
For timed automata and the formalisms commonly used to write them
down (TIOA [52], Uppaal [60, 59]) this is enforced by the syntax of the for-
malism. At the time of writing of the hybrid parts of this thesis, we were
most interested in using the UML [75] for semi-formal specification pur-
poses, and invented an ad-hoc extension to the UML State Charts [32] for
the purpose of describing hybrid behavior. Further formalization of the UML
92 3.5 Hybrid Automata
dl/dt = f−l/k
[ x<1 ]
dl/dt = −l/k
[ x<1 ]
Filling
dl/dt = f−l/k
[ l>=0.9 ]
/ x := 0
l:=0.5
[ l<=0.1 ]
[ x=1 ]
[ x=1 ]
/ x := 0
Emptying
Wait
Wait
dl/dt = −l/k
Figure 3.6: An example hybrid automaton. The tank empties at a rate pro-
portional (k) to the amount of water in it (l), and fills at a constant rate (f ).
The two wait locations last one second (x < 1).
language can be found in [39]; that makes the semi-formal qualification used
in this thesis less necessary. The ad-hoc approach could well have been
avoided if [53] was better known. (Semi) Automatic translation from UML
State Charts to some kind of specification language is also possible, see for
instance [42]. This extension is described in chapter 6 on the BART system.
In particular states of the system the values of the continuous vari-
ables evolve according to some differential equation (which may be state-
specific). These differential equations constrain the traces of the continuous
variables. When a delay action δ(t) occurs, the continuous variables evolve
for t time; in the new state of the system, all the discrete variables remain
unchanged, while the continuous ones (and the clocks, special continuous
variables with rate 1) are updated.
Just as with timed automata, conditions may be attached to transitions.
These are called guards and express a condition on the state of the system
for taking the transition. Similarly, invariants may be attached to states;
these conditions must hold while the automaton is in that state. Guards
and invariants may involve general continuous variables. This may cause
considerable trouble while doing a proof, though, because PVS is not very
effective at complicated algebraic or numeric computation.
It is possible for invariants — attached to some set of states of the au-
tomaton, or more commonly drawn as belonging to a location — to force
state changes based on the passage of time. An invariant, (e.g. x < 3) may
3.5.1 Hybrid automata in PVS 93
constrain the evolution of a continuous variable in a hybrid automaton; no
delay may occur wherein the variable takes on a value that is disallowed by
the invariant.
A famous example of a hybrid system which might be controlled (or mod-
eled) by an automaton is the water-vessel [81, 36, 83], where water drains
out of a basin, and may be pumped into the basin as well. A controller strives
to keep the water level between two markers on the side of the basin, using
information about flow rates and some primitive sensor inputs. The automa-
ton in figure 3.6 shows how this may be modeled with hybrid automata. In
this diagram, locations are annotated with differential equations; l is the
continuous variable that denotes how full the tank is. When the pump is off,
the tank empties at a rate proportional to how full it is. When the pump is
switched on, water enters the tank at a constant rate (while continuing to
drain out the bottom). In the automaton in figure 3.6, the pump switches
on when the tank is nine-tenths empty, and switches off again when it is
nine-tenths full. Switching the pump on or off takes a little time, so there
are “wait” locations which model the one second delay.
In this example, we see that the invariants are attached to the locations
Emptying and Filling, constraining the level of the water in the tank in order
to switch from one location to the other. The runs of such an automaton
must be constrained so that every state in the run satisfies the invariants
and also that the intermediate values taken by the continuous variables
during their evolution in a delay transition are acceptable.
3.5.1 Hybrid automata in PVS
In the section on timed automata in PVS, section 3.4.1, we showed that we
can add clock variables in a systematic and practical manner to our PVS
models of automata. Clocks are a special case of continuous variables with
rate 1; the evolution of clocks is constrained as follows (these are the same
conditions as in section 3.4.1):
• In delay transitions of duration t the clocks evolve for that long; invari-
ants must be checked to ensure that the delay is of a valid length.
• In non-delay transitions the clock values do not change except for reset
(assigning zero to a clock variable).
94 3.6 Conclusion
• Time must progress (i.e. the non-Zeno predicate must hold).
We gave a straightforward method for adding clocks directly to an au-
tomaton model; we can do the same for general continuous variables.
1. Define an enumerated type CV naming all of the continuous variables
in the system.
2. Define the type of valuations as [CV->real].
3. Add a field with valuations to the state of the system; alternatively add
fields (of type real) for each variable individually.
4. (Optional, if no clocks have been defined yet) Add a delay action to the
set of actions of the system.
5. Add an effect for the delay action to the transition relation which up-
dates all of the continuous variables by calculating their evolution; if
invariants are to be used, check that the resulting valuation is valid.
6. Update the effects of the non-delay actions to preserve the values of
the continuous variables (or to assign to them); if guards are used,
check them and if invariants are used, check that they hold in the
resulting state.
7. Use the timed or locations or unstructured automaton theory to define
runs.
The example in this thesis in chapter 6 uses this straightforward ap-
proach to continuous variables.
3.6 Conclusion
This chapter has formalized automata in general in PVS and then provided
PVS machinery for dealing with additional structure in those automata such
as locations. An extension with clocks in order to model timed automata has
been given, both as a PVS theory and as a method for adding those clocks
directly to a model; in general the direct method is easier to do. A similar
method is given for hybrid automata where continuous variables may evolve
according to any differential equation.
3.6 Conclusion 95
There are examples for each variety of automaton framework, illustrat-
ing the issues involved in translating particular informal specifications into
automata and PVS. Chapter 4 shows our method of formalization and verifi-
cation as applied to the “prisoners’ release problem” in section 4.1 and the
IEEE 896 FutureBus bus arbitration protocol in section 4.2. The examples
for complex timed and hybrid behavior are the two large case studies in
chapters 5 and 6.
96 3.6 Conclusion
Two Simple
Examples
same pattern on the table //
same clock on the wall // been
one seat empty 18 years in all //
freezin’ slow time away from the
world – Tragically Hip
This chapter contains two simple examples that show how the automa-
ton framework can be applied to “real world” problems. We perform
the steps outlined in the introduction to this thesis on page 9, beginning
from an informal problem description and proceeding to a formal spec-
ification in PVS of the problem in the automaton framework, and then
proving desired properties of those formal specifications.
This chapter uses PVS 3.2
This chapter contains two simple examples that show how the unstruc-
tured automaton framework can be applied to “real world” problems. The
simple problems are the following:
• The Prisoners’ Release Problem (section 4.1), which is essentially a
very simple protocol used by prisoners to signal covertly their pres-
ence to a particular other prisoner. We are interested in the correct-
ness of the protocol, i.e. that the presence information is correctly
transmitted and received. This example focuses on the formalization
of the protocol itself.
• The IEEE 894 FutureBus bus-contention protocol (section 4.2), a more
complex protocol used in real hardware devices to handle cases where
more than one device attached to a bus wants to make use of the bus.
This example focuses on the structure of the correctness proofs.
We follow the steps outlined in the introduction to this thesis, beginning
from an informal problem description and proceeding to a formal specifica-
tion in PVS of the problem in the automaton framework, and then proving
97
98 4.1 The Prisoners’ Release Problem
desired properties of those formal specifications. Each of the two sections
of this chapter is readable independently. The reader is assumed to be fa-
miliar with the syntax of PVS from appendix A and the automaton framework
as presented in chapter 3, section 3.2 in particular.
4.1 The Prisoners’ Release Problem
This section describes the Prisoner’s Release Problem, which is essen-
tially a simple protocol for use by prisoners to signal their presence
covertly to a specific other prisoner. The protocol is framed in the con-
text of a group of prisoners trying to collect enough information to en-
able their release; an error in the protocol means that the prisoners will
be executed.
This protocol is modeled in the PVS theorem prover using our un-
structured automaton framework. This choice of framework is reason-
able because the automaton representing each individual prisoner has
very little structure, so we do not need the overhead of a more struc-
tured approach.
The original Prisoners’ Release problem seems to have appeared in a
Hungarian collection of mathematical puzzles, as mentioned in [91]. There
is considerable literature available about this problem that focuses on the
amount of time it will take for the prisoners to be released (assuming the
protocol is correct) and on variations that speed up the release process.
Here we consider only the safety of the prisoners, not how long it takes
them to get out. The prisoner’s release problem is stated by William Wu
[95]:
There are 100 prisoners in solitary cells. There is a central
living room with one light bulb and a switch controlling the bulb.
The bulb and switch are initially off. No prisoner can see the
light bulb from his or her own cell. Every day, the warden picks
a prisoner at random (but fairly, so all prisoners have an equal
chance of being selected, and in the long run the chance of all the
prisoners having been selected at least once approaches 1). The
selected prisoner visits the living room and can take note of the
state of the light bulb. The prisoner can manipulate the switch,
changing the state of the light bulb to on or off as he or she
4.1 The Prisoners’ Release Problem 99
wishes. The selected prisoner also has the option of announcing
that all 100 prisoners have visited the living room at least once by
now. If this assertion is false, all 100 prisoners will be executed
immediately. If, however, it is true, all 100 will be released.
The prisoners are allowed to gather one evening to think of a
plan to ensure that at least one of them can eventually truthfully
assert that they have all visited the living room.
This is a typical system with a safety property: bad things must not hap-
pen. Being executed is considered a bad thing for the prisoners, so the se-
lected prisoner must not make the announcement that all have visited when
that claim is false. A liveness property of the same protocol is that eventu-
ally the prisoners are released (i.e. eventually all of them have visited the
living room and the selected prisoner knows this, so that the announcement
may be made). We do not consider the liveness problem in this section.
We will show a protocol from the literature [95, 91] that ensures this safety
property. The proof of the safety property can be found in section 4.1.3.
For the purposes of this analysis of the prisoners’ release problem, we
will denote the number of prisoners by N , with N > 1. Each prisoner is
assumed to have a good memory. The guards and warden of the prison do
not tamper with the light bulb or switch, and the light bulb does not burn
out during the course of the prisoners’ experiment.
There are variations on the exact rules of the problem: in some variants,
there is no guarantee that exactly one prisoner visits the living room each
day (there may be zero or more visits per day); in some variants, the pris-
oners do not know the initial state of the light bulb (this is only a problem
if there is also no fixed starting day when the first prisoner visits the living
room, since if the prisoner knows she is the first, she can initialize the light
bulb to a known value); other twists are possible as well.
We focus on one of the most simple variants: each day, exactly one pris-
oner visits the living room, and the prisoners all know when the first pris-
oner will visit (say, July 25th 1755) so that the prisoner visiting then knows
that she is the first to visit the living room.
A protocol that works safely but sub-optimally (in the sense that it is
expected to take a long time to get the prisoners released) is the following
so-called “one-counter” solution:
1. The prisoner who enters the living room on the first day calls herself
100 4.1 The Prisoners’ Release Problem
the Counter, and keeps an integer count in her mind, initialized to
1. This is the count of prisoners including herself that have certainly
visited the living room. The Counter turns the light bulb on. All other
prisoners are called Drones, and all the drones are initially active.
2. When an active drone enters the living room, if the light bulb is on, he
turns it off and becomes an inactive drone. If the bulb is off, he does
nothing and remains an active drone.
3. An inactive drone does nothing to the bulb or the switch.
4. When the Counter enters the living room, if the bulb is off, she incre-
ments the count in her head by one, and turns the bulb on. If the bulb
is on, she does nothing (leaving the light on).
5. When the count maintained by the Counter reaches N , she announces
that all the prisoners have visited the living room at least once.
According to Wu, [95], this protocol has an average running time of 28
years before the Counter frees the prisoners for a N = 100. Wu also writes
that “the probability of success for this algorithm converges to 1.” It is
unclear what Wu means exactly by this probability — most likely that in the
long run, all the prisoners will have visited the living room and will have
been counted and that the prisoners may be released. We will prove that
this algorithm terminates with success only, i.e. that the Counter announces
only when all the prisoners have really visited the living room. This boils
down to the following fact: the Counter’s count reaches N only when all N
prisoners have indeed visited the living room. This shows that the protocol
is safe: none of the prisoners is going to die (except perhaps from old age).
Consider a sketch of the correctness of this protocol:
1. Whenever the Counter leaves the living room, the light bulb is on.
2. When the Counter returns, if the light bulb is still on then all the pris-
oners that visited the living room since her last visit must have been
inactive drones.
3. When the Counter returns, if the light bulb is off, then there must
have been exactly one active drone who turned it off — and that drone
is now an inactive drone. The Counter’s count is increased by one to
reflect this. Figure 4.1 shows a fragment of the protocol.
4.1.1 Modeling the Prisoners’ Release 101
O
th
er
 d
ro
ne
s 
vi
si
t
Light on Light off
Fragment
Time
C
ou
nt
er
 v
is
its
C
ou
nt
er
 v
is
its
C
ou
nt
er
 v
is
its
C
ou
nt
er
 v
is
its
In
ac
tiv
e 
dr
on
es
 v
is
it
A
ct
iv
e 
dr
on
e 
vi
si
ts
Figure 4.1: Fragment of an execution of the Prisoners’ Release protocol.
4. Hence, the counter’s count increases by one only if an active drone has
changed to inactive since her the last visit to the living room, which
means that that newly-counted prisoner has visited the living room.
5. The Counter’s count increases by one each time she visits the living
room and one drone has changed to passive; each time she visits the
living room, the count she maintains equals the total number of inac-
tive drones.
6. Hence, when the count reaches N , all the drones must have visited
the living room (and the Counter has too).
As befits a sketch-of-a-proof, this one is somewhat convincing but wrong.
4.1.1 Modeling the Prisoners’ Release
We will begin by drawing some state machine diagrams showing in a slightly
more rigorous fashon what the state of each of the prisoners is, and what
actions the prisoners can take. Then we will translate these diagrams into
our unstructured PVS theory.
102 4.1 The Prisoners’ Release Problem
Outside
visit_C /
if (count=N) ^announce
light:=on
if (light=off) count:=count+1
count:=1
light:=on
Figure 4.2: Behavior of the Counter.
Consider the actions that the Counter and the drones might perform.
On one hand, visiting the living room means entering it and then leaving
it again, which we might model as two actions. On the other hand, there
is no meaningful interleaving of actions: after a prisoner enters the living
room, the only possible next action is that same prisoner leaving the living
room. We may argue about whether turning on or off the switch and light
bulb are (distinct) actions for the purpose of the automaton model as well.
Certainly at some level of detail we might want to include switching, but it
seems unnecessary here. No other actions are mentioned in the protocol
besides the “announce” action. As stated previously, the “announce” action
is performed implicitly when the Counter’s count reaches N .
Figure 4.2 shows a simple model of the Counter’s behavior: it has an
atomic action visit_C to represent the Counter’s visit to the living room.
The action updates the state of the counter and the light in one transition.
The diagram includes the “announce” action as a reminder, even though in
the PVS model we will leave it implicit.
The automaton for the drones can similarly be drawn as a diagram with
two locations — one for when the drone is active and one for passive — or
with one location and a slightly more complicated expression on the transi-
tion. We choose the latter, which leads to an automaton diagram as shown
in figure 4.3. Each drone has an identity (name), d. While the drone d has
only a single action visit, we distinguish visits by each individual drone by
parametrizing those actions by identity of the drone d, giving visitd.
The complete model of the system is the composition of a single Counter
automaton with N − 1 drone automata. We now have actions visit_C and
visit_d (for the Counter C and each individual drones d). Each drone has
4.1.1 Modeling the Prisoners’ Release 103
light:=on, active_d:=falseOutside
active_d:=true
visit_d /
if (active_d and light=off) 
Figure 4.3: Behavior of the drones.
Outside
visit_C /
if (count=N) ^announce
light:=on
if (light=off) count:=count+1
visit_d /
if (active_d and light=on) light:=off, active_d:=false
count:=1
{d=1..N−1} active_d:=true
light:=on
Figure 4.4: Product automaton representing the entire system.
a single Boolean variable active. The counter has a single integer variable
count. The state shared between the automata is the variable light which
identifies the state of the light bulb in the living room. If we calculate the
product of the N automata in the system, we arrive at the automaton shown
in figure 4.4. Since each component automaton has only one location and
one (unique) transition, we end up with one location and N transitions in
the product automaton.
Although the final product automaton is simple and might have been
arrived at directly, the approach through individual automata for each kind
of prisoner offers better traceability and may be easier to validate.
104 4.1 The Prisoners’ Release Problem
4.1.2 Translation to PVS
In order to translate this protocol into our PVS framework, we need to decide
on four things: the 〈S,A, I, T 〉 for the automaton. Let us begin with the
actions A. We ignore the announce action by the Counter. It is implicitly
taken when the count maintained by the Counter reached N . This leaves us
with merely the visit_d and visit_C actions.
At this point we should decide on a formal representation of the identities
of the different prisoners. Since each prisoner has one action he or she can
perform, we can identify prisoners identities and their actions. The global
state of the system is then some function mapping prisoner identities to
records of values for that prisoner. Since we have N prisoners in total with
one distinguished prisoner (the Counter), we can use the natural numbers
0 . . . N − 1 to represent the prisoners; 0 identifies the Counter. We will use
0 to represent the visit_C action and the natural numbers 1 . . . N − 1 to
represent the visit_d actions.
Next, we turn to the global state space S. Clearly, this will include the
state of the light bulb. We can model this as a variable light with two
possible values: off and on. The count, maintained by the Counter, can be
represented as an integer variable count over the range 0 . . . N (since the
Counter counts prisoners including herself, this will be initialized at 1). For
each drone, the drone remembers whether he is active or passive. We will
use a set Passive whose elements are those prisoners who are passive; the
Counter is always an element of the set Passive.
In addition, we will keep track of which prisoners have really visited the
living room — consider this part of the warden’s administration, to which
the prisoners have no access. We need this information in order to state the
correctness condition of the system. Technically we might compute it from
the run of the automaton, but it is much easier to maintain it in the state
of the system, with the caveat that the transition relations must update
the state in a valid way (for instance, the transitions for the prisoners may
not refer to it). The set of prisoners that have visited the living room is
represented in PVS by the set Visited.
In the PVS code below, the expression below[N] is the type of the natural
numbers below N , i.e. 0 . . . N − 1.
PrisonerIds : TYPE+ = below[N] ;
Counter : PrisonerIds = 0;
4.1.2 Translation to PVS 105
LightState : TYPE+ = { on, off } ;
GlobalState : TYPE = [#
Passive : setof[PrisonerIds],
Visited : setof[PrisonerIds],
count : below[N+1],
light : LightState
#] ;
Our central safety property — that the Counter only announces that all
the prisoners have visited the living room when they have in fact done so —
will be that count reaches N only when Visited is the set of all prisoners.
The initial state I of our system is clear: Count is 1 because the Counter
counts herself. Both sets Counted and Visited are singletons containing the
Counter only. The light is on. The unique initial state is defined as a constant
InitState and the set of initial states is the singleton set containing only
InitState.
InitState : GlobalState =
(# Passive:=singleton[PrisonerIds](Counter),
Visited:=singleton[PrisonerIds](Counter),
count:=1,
light:=on
#) ;
Init : setof[GlobalState] = singleton(InitState) ;
Finally, we need to define the the transition relation T . We will write
the effect of the Counter’s action separately from the effect of the drones’
actions. Each action affects the global state of the system except for the
Visited set. We factor out the change to that part of the system state in
order to avoid inadvertently modifying it by one of the prisoners. We must
therefore constrain all the fields of the global state except for Visited. The
Counter’s predicate is:
CounterEffect(g,g_) : bool =
g_‘Passive = g‘Passive AND g_‘light = on AND
IF g‘light = on
THEN g_‘count=g‘count
106 4.1 The Prisoners’ Release Problem
ELSE g_‘count=g‘count+1
ENDIF ;
Here we see that the predicate for the Counter’s action contains “noise,”
since it specifies that the set of passive drones does not change. See sec-
tion 4.1.4 for comments on this style of specification. Notice that the func-
tion CounterEffect is disguised as a relation because the automaton frame-
work requires a relation, not a function. We might have written the function
and then wrapped it up as a relation instead; we do not believe that the
clarity of the specification is affected in this case.
The effect predicate for a visit by another prisoner is very similar to the
effect of a visit by the Counter: the prisoner manipulates the light bulb if
needed and may become passive (i.e. be added to the set Counted). The only
difference here is that the effect has an additional parameter, namely which
prisoner d is performing the action.
PrisonerEffect(g,a,g_) : bool =
g_‘count = g‘count AND
IF g‘light = on AND NOT g‘Passive(a)
THEN g_‘light = off AND
g_‘Passive = add(a,g‘Passive)
ELSE g_‘light = g‘light AND
g_‘Passive = g‘Passive
ENDIF ;
Finally, we define the transition relation for the system as a whole by dis-
tinguishing between the actions of the Counter and those of the drones; the
warden’s administration of who has visited the living room is also updated
here. As a validation exercise, we would check that all of the fields of the
global state are constrained by this transition relation definition.
Effect(g:GlobalState,i:PrisonerIds,g_:GlobalState) : bool =
g_‘Visited = add(i,g‘Visited) AND
IF i=Counter
THEN CounterEffect(g,g_)
ELSE PrisonerEffect(g,i,g_)
ENDIF ;
Now that we have the four parts of the automaton defined properly —
the S,A, I and T — the framework defines the rest for us.
IMPORTING AutomatonUnstructured[GlobalState,PrisonerIds,Init,Effect] ;
4.1.3 Verifying the Prisoners’ Release 107
4.1.3 Verifying the Prisoners’ Release
The verification of the safety property of the system — i.e. that the Counter
only announces that all the prisoners have visited the living room when
that is really the case — proceeds roughly in three steps: formalizing the
property in PVS, collecting useful facts, and proving the main result.
Formalizing the safety property: Since we have chosen to make the “an-
nounce” action implicit (if the Counter’s internal count variable reaches N ,
she announces that all prisoners have visited), we need to reformulate the
safety property in terms of the state of the system as formalized:
The count maintained by the Counter reaches N only if all the
prisoners have visited the living room.
The property can be translated into PVS as follows. We quantify it over
all the states reached in runs of the system; r is a run and i is an index in the
run. The runs come from the automaton framework used in the IMPORTING
statement at the end of the previous section. r‘states(i) denotes the i-th
state in the execution r. The complete set of prisoners is denoted fullset,
which is predefined in PVS as the set of all the elements of a type.
AnnounceWhenFull : THEOREM
r‘states(i)‘count = N =>
r‘states(i)‘Visited = fullset ;
Collecting useful facts: On the way to proving that the Prisoners’ Re-
lease protocol is safe, as formalized above, it is convenient to collect facts
about the system’s behavior. We collect mostly behavior “in-the-small,” lo-
cal behavior of single automata on (short) execution fragments, as opposed
to behavior “in-the-large” of the system as a whole.
Such useful facts include: the sets of passive drones and of prisoners that
have visited the living room are monotonically non-decreasing with respect
to set inclusion — no prisoner ever re-activates or un-visits the living room.
Another monotone-lemma states that the count maintained by the Counter
never decreases. One important lemma, called ConservativeCount, states
that the set of passive drones is a subset of the prisoners that have visited
the living room — no drone enters passive mode without visiting the living
room, as follows:
108 4.1 The Prisoners’ Release Problem
ConservativeCount : THEOREM
subset?(r‘states(i)‘Passive,r‘states(i)‘Visited) ;
This can be used in conjunction with a lemma stating that the Counter’s
count value reaches N only when the set Counted has N members (i.e. is the
full set of prisoners) to quickly prove the main safety property.
Proving the main result: While collecting useful facts about the system
can be helpful, for the Prisoners’ Release problem the moment of critical
insight is that the state space of the system is divided in two: when the
light is on, and when the light is off. When the light is on (turned on by
the Counter, and left on by passive drones), the count maintained by the
Counter is equal to the number of drones that are passive. When the light
is off (turned off by an active drone who has become a passive drone), there
is one passive drone that has not yet been counted. We designate these two
assertions about the relationship between the count and the size of the set
of passive drones as match? and almostmatch?.
match?(g:GlobalState) : bool =
Size(g‘Passive)=g‘count ;
almostmatch?(g:GlobalState) : bool =
Size(g‘Passive) = g‘count+1 ;
The formal statement of this relationship is as follows:
LightImpliesMatch : LEMMA
IF r‘states(i)‘light = on
THEN match?(r‘states(i))
ELSE almostmatch?(r‘states(i))
ENDIF ;
The central point of our verification now becomes proving that the rela-
tion between the state of the light and the match?, almostmatch? predicates
holds; once we have it, we can prove the main safety property informally as
follows:
• If the light is on, then match? holds, so if the Counter has counted N ,
then the size of the set of passive drones must be N , and hence all of
them have been counted.
4.1.3 Verifying the Prisoners’ Release 109
• If the light is off, then almostmatch? holds, so if the Counter counts
N , then the size of the set of passive drones must be N + 1, which is
impossible for a set over a domain of N elements.
The proof that the characterization of the state space is correct is a fairly
straightforward inductive proof. In the initial state we can see that the light
is on, and the Counter is the only non-active prisoner and her count of non-
active prisoners is 1 — the base case is satisfied. The steps of the proof are
straightforward, and boil down to four cases. Let si and si+1 be subsequent
states in an execution of the automaton. Then:
1. The light is off in si and on in si+1. Clearly, this was done by the
Counter, and she has incremented her count by one. Since we know
that almostmatch? held in si and the set of passive drones has not
changed, then match? holds in si+1.
2. The light is off in si and off in si+1. Clearly, the Counter cannot have
visited the living room in this step (or the light would be on). Hence a
drone must have visited the living room, and he has not changed his
status. The Counter’s count is unchanged as well, so match? holds in
both states.
3. The light is on in si and off in si+1. Again, this cannot be the work of the
Counter, and her count remains unchanged in this step. The prisoner
who has switched off the light has changed to a passive drone. The
size of the set of passive drones has increased by one. Hence, match?
holds in si and almostmatch? holds in si+1.
4. The light is on in both si and si+1. This means that either the Counter
visited the living room, and she did not change anything, or a passive
drone visited the living room, and he did not change anything either.
In either case, match? holds in both states.
This seemingly straightforward proof takes some 80 basic steps in PVS.
This number is inflated by the necessity of manually substituting the initial
state into the induction base case. In this way it takes 4 steps to prove the
informal statement “clearly in the initial state match? holds and the count is
correct.” Counting proof steps is a tricky business. Often once it is clear
110 4.1 The Prisoners’ Release Problem
that a proof can be done, one can shorten the proof considerably by judi-
cious use of (grind), but this is asking for trouble in proofs not done al-
ready. In chapter 5 we will see some techniques to reduce the number of
user-entered proof steps.
4.1.4 Comments on the Modeling Process
The bulk of the effort of a proof goes into finding the right proof approach,
collecting the useful facts that will be needed for the proof, and maintaining
those facts as the specification of the system changes.
With a mechanical proof checker such as PVS, it is fairly simple to keep
useful facts available; there is no need (beyond use of disk space and some
slowdown when re-checking theories) to dispose of them, and unlike paper
notes the useful facts are unlikely to be misplaced. The “useful facts” may
not be so useful in the end, for instance if they describe a property that
is not used. This is only to be expected when searching for a proof of a
theorem; some blind alleys are followed. The not-so-useful properties do
serve a purpose, though, for validating the specification and ensuring that
changes to the specification stay within the realm of what is sensible.
Case in point is an initial specification of the actions of the drones in
this protocol. When constructing the safety proof, we discovered that the
specification of the action of the drones was incorrect, because we could not
finish the proof. The problem was that the meaning of the states of the light
bulb had been swapped in the effect predicate for the drones. A quick and
ill-considered fix (attempting to swap the meanings of the light bulb states
elsewhere as well) made the errors in the specification worse, but this was
discovered while mechanically re-checking the existing “useful facts.” This
enabled us to revert the fix and try a different approach before taking up
hours of time in poring over an unsuccessful proof.
Finding the right proof approach is always the hardest part of any veri-
fication. For the verification of the Prisoners’ Release problem, we initially
envisioned a proof based on execution fragments, as was sketched infor-
mally in section 4.1. This led to a whole collection of “interesting facts” that
built towards a fragment-based proof, but the end result remained elusive.
Each fragment needed a number of invariants, such as that the Counter’s
count remained constant except when she visited the living room, and that
it increased by at most one on a fragment, and that at most one active drone
4.2 FutureBus 111
could turn the light on per fragment. These proofs were rather tedious to
do. We eventually abandoned the fragment-based proof and turned our at-
tention to an inductive proof.
Although finding the right invariant took a few days, the final proof of
the invariant was fairly straightforward, as has been seen in section 4.1.3.
The informal proof sketched in section 4.1 on page 4.1 turned out to be a
poor beginning for a formal proof.
4.2 FutureBus
This section aims to show how (hardware) protocol verification can be
done using our automaton framework in the PVS proof system with the
explicit use of structure in the automata. As an example we use a pro-
tocol used for bus arbitration in asynchronous systems that was studied
by Hooman in [40]. This section shows how the same protocol can be
analyzed in PVS within a framework that reduces the ad-hoc-ness of
the proof. The proofs are done by operational reasoning on execution
fragments.
In an asynchronous system where many independent devices share a single
data bus, bus contention may occur, where more than one device needs to
write to the data bus at some point in time. In typical bus configurations,
when more than one device writes to the bus simultaneously the data is gar-
bled and a risk of electrical short-circuits exists. Therefore we need some
mechanism to avoid simultaneous writes and to grant the data bus to one
of the devices for writing in a process of arbitration. An arbitration bus is
added to the system, which has slightly different characteristics than the
data bus — mostly that simultaneous concurrent writes to the arbitration
bus are allowed. The arbitration bus is electrically different from the data
bus, and more expensive and slightly more complicated to use in electron-
ics, which is why the data bus is not made of the same stuff.
With the arbitration bus in place, when two or more devices concurrently
wish to write to the data bus, the arbitration bus is used first to determine
which of the devices may use the the data bus. A protocol is still needed
so that the devices engaged in bus arbitration can determine when the ar-
bitration has terminated and which device has the right to write to the data
bus. We begin with the requirements for the bus arbitration protocol:
112 4.2 FutureBus
Device 1 Device 2
B0
B1
B2
l0,2 l2,2
l2,0
Device 0
l0,0 l1,0
l1,1l1,2
Figure 4.5: An arbitration bus withK = 3. Bus lines are designated Bk. The
link lines for device i are labeled li,k.
The bus protocol must allow an arbitrary (but finite) number of
devices to participate in arbitration. Within a fixed finite time
dependent on the physical characteristics of the bus (and not on
the number of devices participating) the protocol must terminate
with a single device on the bus identified as “the winner” which
may write to the data bus.
This section focuses on the arbitration bus and the protocol used for
arbitration in the IEEE 896 FutureBus specification [48]. The characteristics
of the data bus are outside our scope, as is just how the devices on the
bus begin arbitration. We will take giant steps in translating this informal
description into PVS because our primary interest is in the verification, not
in the validation parts.
In the FutureBus specification, the arbitration bus has some fixed num-
ber K of bus lines. Each of these can carry one of N different signal levels,
giving us NK different possible signal patterns on the arbitration bus. Nor-
mally N = 2. Each device on the bus is connected to the bus by K link lines,
each capable of carrying one of the N different signal levels. The number of
devices on the bus must be less than NK . This allows each device to have a
unique identifying signal pattern that can be expressed on the bus. Figure
4.5 shows an example with N = 3.
The characteristics of the bus protocol are described informally and
briefly in section 4.2.1. The descriptions in [40] are very short as well so
we refer the reader to the IEEE 896 FutureBus specification [48] for full
information. Section 4.2.2 shows how we formalize some basic data types
that are used on the bus in PVS. In section 4.2.3, we model each individual
4.2.1 The Arbitration Protocol 113
device connected to the bus as an automaton in PVS and aggregate this into
the global state space of the entire system. Subsequently we turn our at-
tention to verifying the protocol. Section 4.2.4 describes how we prove that
the protocol stabilizes, i.e. after some time the protocol bus reaches a sta-
ble value equal to the largest priority vector of the participating modules.
Finally, section 4.2.5 reflects on the modeling and verification process.
4.2.1 The Arbitration Protocol
A fixed number of devices (called “modules” in [40]) is attached to the ar-
bitration bus; some of these devices contend for the data bus and execute
the protocol described in this section. The beginning of the bus contention
phase is clear to all the devices so that all the participating devices know
that there is bus contention going on. Also, the set of devices contending
for the bus is fixed for the duration of the protocol. No device joins the arbi-
tration protocol midway through. Since non-contending devices do nothing
during the arbitration protocol, they can be safely ignored, and we model
only those devices participating in arbitration.
The devices on the arbitration bus can write values to their own link
lines, which connect the device to the bus itself. The lines of the arbitration
bus individually take on the maximum of the values written to the corre-
sponding link lines. For N = 2 this can be electrically realized by connect-
ing the arbitration bus to each link line through a pull-up resistor so that
a grounded (0 value) link line does not short out the bus and using +5V
for a 1 value. In any case, the problem of short-circuits needs to be solved
physically for the arbitration bus — otherwise it has the same problem of
short-circuits that the data bus has and which the arbitration bus aims to
solve. Figure 4.6 holds an example of a sequence of writes to a single shared
bus with K = 3 and N = 4. In the presence of multiple devices writing to
the bus at once, the bus value need not be equal to any of the written values.
This can be seen in figure 4.6.
Every device on the bus has a unique (within the system) priority P as-
signed to it, something like Ethernet MAC addresses which are unique to
each individual piece of Ethernet hardware. These priority values are not
necessarily “baked in” to the device as Ethernet MAC values are, allowing
some flexibility in assigning priorities to devices when assembling a system.
This priority is expressed as one of the NK different vectors that the ar-
114 4.2 FutureBus
Device 0 300 300 300 023 023 000 000
Device 1 000 102 102 102 102 102 100
Device 2 000 000 031 031 030 030 030
Bus 300 302 332 133 133 132 130
Figure 4.6: A sequence of writes (from different devices) to an arbitration
bus with N = 4,K = 3. Time progresses from left to right; the link values
that change in each step are in boldface. The bus value is obtained by
taking the maximum in each place from all the link line values for that place.
bitration bus can carry; each priority maps one-to-one with a vector which
can be written to the bus. Priority vectors are ordered lexicographically or
by value as base-N integers. The arbitration protocol is simple: the (con-
tending) device that claims the bus with the highest priority gets the bus.
Devices with a low priority value on the bus are at a disadvantage in acquir-
ing the data bus — they may even suffer starvation if other devices claim
the bus all the time.
If we disregard termination — this will be discussed in the section 4.2.5
where a finite time limit applies to detecting termination — then we must
concentrate on the stabilization of the bus. Eventually the arbitration bus
must maintain a single vector, the priority vector of the device with the
highest priority that is participating in arbitration. Note that if every device
on the bus writes its priority vector to the arbitration bus the bus will take
on the maximum value of the link lines for each place; this will in general
not be any one of the particular values place on the link lines. Therefore
we need a protocol that causes devices with a low priority to “give up” the
arbitration, until only one is left.
Every device is assumed to have a variable v that can store priorities,
i.e. v is a vector of length K of values 0 . . . N − 1. Let P denote the (unique)
priority vector of the device. For priority vectors v, we write v(j) for the
value of v in the j + 1-th line. The first component of v (v(0)) is the most
significant for the priority.
Each device on the arbitration bus executes the following algorithm:
0. Initially, v = P and the link lines are all 0.
1. Write v to the link lines.
4.2.1 The Arbitration Protocol 115
2. Read the K lines of the arbitration bus and store them into v.
3. Compute a new value of v as follows:
vj =
{
0 if ∃j′ < j. P (j′) < v(j′)
P (j) otherwise
4. Goto 1.
Informally, step 3 can be described as “for each position j, ‘give up’ on
position j and write zero there if some other device beats our own P in some
position less than j.” Trivially, we can see that step 3 never changes the
value of v(0), so all devices always write P (0) to link line 0. This means that
the value on the arbitration bus in line 0 is always the greatest of the P (0)
values — which naturally is the P (0) value of the device with the highest
priority.
Consider two devices on the arbitration bus with priorities 135 and 321,
executing in lock-step as follows:
0 Initially, all the link lines and the arbitration bus have value 0.
1a The first device writes 135 to its link lines and the arbitration bus takes
on that value.
1b The second device writes 321 to its link lines and the arbitration bus
takes on the value 335 (the place-wise maximum of each link line).
2 Both devices read the bus.
3a The first device gives up on the 2nd and 3rd lines because the value
on the arbitration bus in line 1 is 3; this is greater than its own value
in on line 1 (P (0)) of 1. The v for the next round of the first device is
therefore 100.
3b The second device gives up on line 3 because the value on the arbitra-
tion bus in line 2 is 3; this is greater than its own value in line 2 (P (1))
of 2. The v for the next round of the second device is therefore 320.
1 Both devices write their new v values to their link lines and the bus
takes on the value 320.
116 4.2 FutureBus
2 Both devices read the bus.
3a The first device still gives up on places 2 and 3; its v remains un-
changed.
3b The second device no longer gives up on place 3 and sets v to 321.
1 Both devices write their v values to their link lines and the bus takes
on the value 321.
After this last step the value of the bus never changes again. If termina-
tion is to be considered, [40] shows that this protocol reaches a stable state
after finite time T + 3KT if all the modules on the bus complete a full cycle
every T time units. We reiterate this demonstration later in this chapter on
page 130.
4.2.2 Modeling Bus Values
This section introduces some PVS notation and formalizes the notion of “bus
vectors.” Once we have such bus vectors we formalize the ordering relation
on them so that the notion “higher priority” follows naturally. Some PVS
technicalities ensue when we define “highest priority.”
Defining Bus Vectors: The PVS theory which defines bus vectors has two
parameters, the number K for bus lines, and the number of signal levels N .
Because we will model the bus as a vector of natural numbers, we name our
theory NumberVectors as follows:
NumberVectors [K,N : posnat] : THEORY BEGIN
We will represent a bus with K lines and N values as a vector of fixed
length K of values in the range [0 . . . N −1]. A straightforward way to repre-
sent such a vector (there is a predefined PVS type vector, but it is variable-
length, so we need a new name) in PVS is as a function with domain below[K]
and range below[N]; if v is such a vector, then v(0) denotes the value of the
first element of the vector. The following fragment introduces the function
type for vectors.
NumberVectors : TYPE+ = [ below[K] -> below[N] ] ;
4.2.2 Modeling Bus Values 117
Ordering Bus Vectors: Since we are interested in the “largest” priority
vector in the system, we need to define an ordering < with respect to which
we can determine the largest vector. The choice of < and the formula in
step 3 of the algorithm are critically interdependent — the form of step 3
as given suggests a lexicographic ordering on the vectors, with the first bus
line (which is numbered 0) being the most significant line. Our definition of
the lexicographic ordering < (there are many equivalent ones) is:
<(v1,v2) : bool =
EXISTS (l:below[K]) : v1(l) < v2(l) AND
FORALL (j:below[K] | j<l) : v1(j) = v2(j)
This definition of lexicographic order focuses on the first line l in which
the vector v1 is smaller than the vector v2. Since this formulation of lexico-
graphic ordering might be considered peculiar or non-intuitive by some, it is
worthwhile examining other orders that might be used, to validate that the
ordering is sensible. The PVS code for this example contains an alternative
interpretation of the priority vectors as K-digit base-N numbers. We also
provide a proof that the ordering on the natural numbers of that interpreta-
tion is equivalent to the ordering given by our lexicographic definition.
An essential property of this ordering is that it is both strict and a total
order. We use the predefined predicate on relations strict_total_order?,
defined as the conjunction of irreflexivity, transitivity, and trichotomy (for
every pair of vectors v, w one of v = w, v < w or v > w holds). We prove the
following lemma showing < to be strict and total:
ValStrictTotal : LEMMA strict_total_order?(<)
Defining the Maximum Bus Value: There is of course at least one device
in the system whose priority vector is the largest (if two devices have the
same priority vector this is a system design error, not a problem with the
protocol). Let us call the set of identities of devices connected to the bus and
participating in the arbitration protocol ProcessIds. We assume a function
p that maps device identities i to their priority vector. For a device id ∈
ProcessIds, p(id) is its priority vector. We define a set of device identities
maxids; this is the set of device identities which are equal or greater than
all the others. Since the set of priority vectors is finite this set must be
non-empty.
118 4.2 FutureBus
maxids : setof[ProcessIds] = { id | FORALL idn : p(idn) <= p(id) }
Since we have a non-empty set we can pick one of the elements from it.
This is the identity of some device in the system; we know that that device
has a priority vector that is equal to or greater than all the others. We define
a constant maxid by picking a member from the set.
maxid : ProcessIds = choose(maxids)
PVS now generates a Type Check Condition, TCC, requiring us to prove
that the set is non-empty:
% Judgement subtype TCC generated (at line 33) for maxids
maxids_nonempty: OBLIGATION nonempty?[ProcessIds](maxids);
We now turn to properties of the set maxids and the device identity maxid.
Clearly all devices whose identities are in the set maxids have the same
priority vector, by the strictness and totality of the ordering <. We mentioned
earlier that it is a system design error to have more than one device in the
system with the same priority vector; we can formalize this requirement on
the function p by requiring it to be injective. With that assumption that p is
injective it follows that maxids is a singleton and that maxid is therefore the
identity of the single device with the greatest priority — this is the device
that should win the arbitration protocol.
maxidsPriority : LEMMA maxids(id) AND maxids(idn) => p(id)=p(idn)
maxidsSingle : LEMMA injective?(p) => singleton?(maxids)
4.2.3 Modeling FutureBus
In [40] the primary focus is on verification and the paper simply states com-
mitments that the devices attached to the bus make. We will attempt to
provide a model that is more clearly derived from the initial protocol de-
scription; we arrive at the same commitments, though.
We will model the behavior of each device individually as an automaton
that takes the steps described in section 4.2.1. Then we will formalize the
state of the entire system as the product of all the participating devices’
states. Finally, we will use our PVS automaton framework to create runs
of the complete system, so that we can reason about sequences of actions
performed by the system.
4.2.3 Modeling FutureBus 119
compute / v := comp(v,P)
l0
l1
link := 0
v := P
    
    
    



l2
read / v := bus
apply / link := v
Figure 4.7: The protocol for a single device, modeled as an automaton.
Since the protocol as described is a sequence of steps with no control
flow except for the “goto start,” the automaton is straightforward. For ev-
ery step of the protocol we introduce a location in the automaton, and a
transition out of the location represents performing the action in that pro-
tocol step. This gives us the automaton shown in figure 4.7. Note the initial
transition which corresponds to the initialization in step 0 of the protocol.
In the diagram the variable v is local to each automaton; P is the (fixed)
priority vector of the device.
Local and Global State: We begin by introducing an enumerated type in
PVS so that we can refer to the locations in the automaton by name. The
following PVS statement does this for us.
Locations : TYPE = {l0, l1, l2}
Each automaton (device) individually has a local state consisting of the
vector for its link lines, the stored vector v, and in which location (step of
the protocol) it is. In PVS we will use a record type to collect the state of
one automaton. This gives us
LocalStates : TYPE+ = [# loc : Locations,
v : NumberVectors,
link : NumberVectors #]
Now that we have the local state of the devices, we can look at the state
of the system as a whole. The P constant in the automaton diagram for all
the devices in the system is represented by the function p. Just as p is a
120 4.2 FutureBus
function from device identities to their priority vectors, we model the state
of the system as a whole as a function that maps device identities to their
local state.
GlobalState : TYPE+ = [ProcessIds -> LocalStates]
The value of the arbitration bus itself has not yet been specified at all
yet; it is not part of any module’s local state, nor was it defined in the
section about bus values, since the bus value depends on the local state of
the modules (their link lines). We can calculate the value of the bus given
all the local states by finding the maximum value on each line. This is done
in the following three definitions: for a given global state and line number j,
we calculate the identities of those devices that write a maximum link value
in line j; we choose one of those identities; the value of the bus in each
line is the value of the link line of the device chosen for each line. This is a
somewhat baroque construction.
maxlinks(s:GlobalState)(j:below[K]) : setof[ProcessIds] =
{ id | FORALL idn : link(s(id))(j) >= link(s(idn))(j) }
maxlink(s)(j) : ProcessIds = choose(maxlinks(s)(j)) ;
bus(s)(j) : below[M] = link(s(maxlink(s)(j)))(j) ;
One alternative formulation is more directly as a function that computes
the maximum link value directly for each place, instead of using the addi-
tional indirection through the set of device identities. This would certainly
be simpler in terms of calculating the bus value, but creates additional com-
plexity later when identifying which device “wins” the bus.
Another alternative is to model the bus itself as an automaton where
each write to the bus by a device changes the state of the bus as a whole.
Unfortunately, the bus value can only be computed by examining the link
values from all of the devices. Modeling the bus as a separate automaton
would mean that it needs to keep track of all of the values of the link lines
of other automata. This duplicates state in any case, and is unpleasant to
write.
Local and Global Transitions: Each individual device automaton can
perform one of three actions, represented by transitions in the automaton
4.2.3 Modeling FutureBus 121
diagram in figure 4.7, above. Each action is parametrized by the device
identity (ProcessId) performing the action, as follows:
ArbiterActions [ ProcessId : TYPE ] : DATATYPE BEGIN
read(id : ProcessId) : read?
compute(id : ProcessId) : compute?
apply(id : ProcessId) : apply?
END ArbiterActions
Obviously, a device can only perform a certain action when it is in the
correct location to do so. We will write a PVS predicate that states this
restriction, based on an action a (one of the three just defined) and a global
state s, as follows:
Pre(a)(s) : bool =
CASES a OF
read(id) : loc(s(id)) = l1,
compute(id) : loc(s(id)) = l2,
apply(id) : loc(s(id)) = l0
ENDCASES
Here the CASES statement distinguishes between the three actions just
defined; in each case we check that the location of automaton id in the
given global state is the right one. s(id) is the local state of automaton id,
and loc() is a function that returns the automaton’s location.
This predicate Pre is part of the transition relation T which we are to de-
fine for the entire system. It is often convenient to break down the general
transition relation into two parts: the precondition which states whether an
action a can take place in a given system state, and an effect that defines
the change in state. This is reflected in the automata-with-locations the-
ory given earlier in chapter 3.3. This precondition resembles the annotated
location-transition graph used in that theory.
Each automaton can take a single transition at any time, changing its
local state. The change in the global state for each local transition is limited
to the local state; for example, the read action for automaton i updates the
value v held by i:
read(id) : s1 = s0 WITH [(id)(v) := bus(s0),
(id)(loc) := l2],
122 4.2 FutureBus
The transition relation for the system as a whole is the conjunction of
the precondition Pre and transition expressions, one for each action, similar
to the one for read above.
Initial State: The only missing piece in our formalization is the set of
initial states, which we formalize as the following predicate. We introduce
the definition zero, which is the all-zero vector.
zero : NumberVectors = LAMBDA (j:below[K]) : 0 ;
Init(s) : bool = FORALL id :
loc(s(id))=l0 AND v(s(id))=p(id) AND link(s(id)) = zero
Automaton Instantiation: Now that we have all of the parts of the for-
malization of the behavior of the system, we can use our automaton frame-
work to define the runs of the system and provide us with some useful PVS
machinery to prove properties about it:
Effect(s0,a,s1) : bool =
Pre(a)(s0) AND
CASES a OF
read(id) : s1 = s0 WITH [(id)(v) := bus(s0),
(id)(loc) := l2],
compute(id) : s1 = s0 WITH [(id)(v) := comp(v(s0(id)),p(id)),
(id)(loc):=l0],
apply(id) : s1 = s0 WITH [(id)(link) := v(s0(id)),
(id)(loc):=l1]
ENDCASES
IMPORTING AutomatonUnstructured
[GlobalState, ArbiterActions, Init, Effect]
4.2.4 Verifying FutureBus
We will now show conditions under which all the lines of the arbitration
bus reach a stable value which they keep for the remainder of the execu-
tion. When all the lines of the arbitration bus are stable, the largest priority
vector has been found and we can consider the protocol to have finished.
4.2.4 Verifying FutureBus 123
Our formalization of the notion “a stable bus” is based on counting the
lines of the bus. The bus is stable up to and including line i when the bus
lines 0 . . . i never change their value again in the remainder of the execution.
The correctness of the protocol, for the purpose of this section, is that the
protocol eventually reaches a state where the bus is stable for all the bus
lines 0 . . .K − 1.
We can begin with a collection of trivialities. The following three lemmas
are representatives of a whole class of trivialities related to the location
transition graph.
l0l2Il1 : LEMMA
loc(states(r)(i_1)(id))=l0 AND
loc(states(r)(i_1+i_2)(id))=l2 =>
EXISTS (i_3 | i_3<=i_2) : loc(states(r)(i_1+i_3)(id))=l1 ;
l1l0Il2 : LEMMA
loc(states(r)(i_1)(id))=l1 AND
loc(states(r)(i_1+i_2)(id))=l0 =>
EXISTS (i_3 | i_3<=i_2) : loc(states(r)(i_1+i_3)(id))=l2 ;
l0l1IApply : LEMMA
loc(states(r)(i_1)(id))=l0 AND
loc(states(r)(i_1+i_2)(id))=l1 =>
EXISTS (i_3 | i_3<=i_2) : actions(r)(i_1+i_3)=apply(id) ;
The first states that if a given device is first in location l0 and later in l2
(see figure 4.7) then it must pass through location l1. The second is similar,
with different locations. The third lemma states that in order for a device to
change from location l0 to l1, it must perform an apply action.
Lemmas of this form may be handled in the general case by the automa-
ton framework with locations from section 3.3. There is a trade-off between
proving such lemmata in their full generality and the annoyance of proving
several similar lemmata; the latter can often be done with cut-and-paste.
Creating Execution Fragments: We will divide the execution of an au-
tomaton into execution fragments based on properties of the events and
states that occur within those fragments. One of the most important prop-
erties we use is the predicate AtLeastOnce, which states that in a given run
124 4.2 FutureBus
r, a given device with ID id performs a certain action ac somewhere in the
execution fragment [i0 . . . i1].
AtLeastOnce(r,ac,id)(i_0:nat,i_1:nat | i_0<=i_1) : bool =
EXISTS (i_2:nat | i_0 <= i_2 AND i_2 <= i_1) :
actions(r)(i_2)=ac(id)
An immediate application of this predicate is in defining AllReadApply,
which states that all devices perform a read action and then an apply action
(in that order) in the fragment [i0 . . . i1].
AllReadApply(r)(j_1:nat,j_2:nat | j_1<j_2) : bool =
FORALL (id) :
EXISTS (i_1:nat | j_1<=i_1 AND i_1<j_2) :
AtLeastOnce(r,read,id)(j_1,i_1) AND
AtLeastOnce(r,apply,id)(i_1+1,j_2)
Using both of these we define the notion of a “round.” The notion of
round is closely tied to the notion of a stable bus, so we will simply present
the definition here and work toward explaining why it is useful. We define a
predicate stating that a given run r is in round k at step i. The notion of a
round is inductively defined. The run is in round k + 1 at step i if there is a
i′ < i such that the run is in round k at step i′ and since then every device
has subsequently performed both a read and an apply. Because the defi-
nition is inductive, we need to use the PVS keyword RECURSIVE and provide
a decreasing measure in order to guarantee that the recursion terminates.
Using the round number k is the obvious thing to do.
Round(r,i,k) : RECURSIVE bool =
IF k=0 THEN AtLeastOnce(r,apply,maxid)(0,i)
ELSE EXISTS (i_2:posnat) : i_2<i AND Round(r,i_2-1,k-1) AND
AllReadApply(r)(i_2,i)
ENDIF MEASURE k ;
Let us consider a some suggestive scenarios to illustrate the intuition
behind this definition. We can see that the value of v(0) never changes in
an automaton — it is always P (0), the first line of the priority vector of
the automaton. This means that all automata always apply the value P (0)
to their first link line; in particular the automaton maxid with the largest
priority vector does so too. Since there is no automaton with a P (0) value
4.2.4 Verifying FutureBus 125
greater than the P (0) value of the maxid automaton, the maximum first link
line value is the P (0) value of maxid. Consider the first index i in a run
R at which all of the automata have done an apply. Automaton maxid has
written its P (0) value to its first link line and the bus assumes this value.
The v(0) values will continue to be applied indefinitely. Therefore once all
the automata have done an apply, the first bus line has that value and it
never changes again. The bus is stable in the first line.
In the following scenario, all the automata proceed in lock-step: all the
automata perform an apply step, then all of them do a read, then all do a
compute, and so on. There are no additional interleavings; no automaton
performs a read before all of them are done with apply. We write Pmaxid for
the priority vector of device maxid. Consider:
1. After all the apply actions, the value on bus line 0 is equal to the value
of Pmaxid(0).
2. All the devices read this value, so all of them get vi(0) = Pmaxid(0).
Clearly there is no device i 6= maxid with Pi(0) > Pmaxid(0).
3. In the compute step, all the devices i who fail to claim the bus because
Pi(0) < Pmaxid(0) “give up” in line 0. A device that gives up in line 0
computes 0 for the remaining bus lines 1 . . .K − 1. This is formalized
in the predicate beaten and the definition of comp:
beaten(v1,v2,j) : bool = EXISTS l : l < j AND v1(l) > v2(l)
comp(v1,v2) : NumberVectors =
LAMBDA j : IF beaten(v1,v2,j) THEN 0 ELSE v2(j) ENDIF
We argued earlier that devices that give up on line 0 will continue to
do so indefinitely.
4. Now that all the devices have “gone around” their diagram once, we
see that three things hold:
• The bus is stable through line 0.
• The devices that did not “give up” in line 0 have Pi(0) = Pmaxid(0)
and Pi(1) ≤ Pmaxid(1). Pmaxid in particular does not give up in
line 0, although it may give up in later lines.
126 4.2 FutureBus
• Devices that did not give up in line 0 will write their P (1) to link
line 1 in the next round and all others write a 0.
5. In the next round, therefore, the value on line 1 will equal the value if
Pmaxid(1). All devices will read the bus value and get vi(0) = Pmaxid(0)
and vi(1) = Pmaxid(1). Some devices still contending for the bus
(i.e. that do not give up in line 0) will give up in line 1 because they
have Pi(1) < Pmaxid(1). At the end of the round, the bus is stable
through line 1 and all devices that do not give up in lines 0 or 1 have
Pi(0) = Pmaxid(0) and Pi(1) = Pmaxid(1).
6. Repeating the steps 4 and 5 n times, we have that after all the au-
tomata have “gone around” n times, the bus is stable through line n.
In this lock-step scenario, the bus stabilizes one line at a time, one line
per round. We wish to allow additional interleavings, for instance where
one automaton performs multiple apply-read-compute cycles while another
performs only one. The definition of Round given earlier allows such inter-
leavings, so we will turn now to a formalization of the notion of bus stability
and correctness.
Defining Correctness: Informally, we have defined correctness of this
protocol in a fairly general manner: the bus is stable in line i when the
value on the bus in line i never changes again. We have not given any
specifics of what value the bus should reach, but we certainly know what
the desired value is: the bus should stabilize on the value of the highest
priority, i.e. Pmaxid. Our formalization of stability uses this desired value to
define stability through line k (at state i in a run r):
BusStable(r,i,k) : bool =
FORALL i1 : i1 >= i IMPLIES
LET s = states(r)(i1) IN
FORALL k_2 : k_2 <= k IMPLIES bus(s)(k_2) = p(maxid)(k_2)
Next, global correctness means that eventually the bus is stable through
line K − 1. However, we are missing a notion of fairness or progress that
will ensure that such a state is reached. Instead, we will state a conditional
correctness theorem: if enough progress has been made (in the form of
K − 1 rounds) then the bus is stable through line K − 1 as well.
4.2.4 Verifying FutureBus 127
Correctness : THEOREM
Round(r,i,K-1) => BusStable(r,i+1,K-1) ;
We will prove this through induction, showing that after n rounds the
first n lines of the bus are stable.
Base Case: The First Line Stabilizes. This is the base case of the induc-
tion. We have argued previously that the first element of the priority vector
of device maxid is the largest — this is a consequence of the definition. Ad-
ditionally, once device maxid applies its P (0) to the link lines the bus takes
on that value in the first line. This is formalized in MaxFirstGreatest and in
ZS0. The lemmata, ZS0 included, are quantified over executions r and state
numbers i.
MaxFirstGreatest : LEMMA
FORALL (id:ProcessIds) : p(maxid)(0) >= p(id)(0)
ZS0 : LEMMA
link(states(r)(i)(maxid))(0)=p(maxid)(0) =>
bus(states(r)(i))(0)=p(maxid)(0)
A weak consequence of these two, along with the fact that once device
maxid has applied P (0) to its link lines it keeps that value in v(0), is the
following lemma. The relation to the definition of Round should be obvious.
ZeroStable : THEOREM
AtLeastOnce(r,apply,maxid)(0,i) =>
BusStable(r,i+1,0) ;
Inductive Case: Stabilizing the Rest of the Bus. Suppose that the bus
is stable on lines 0 . . . k at step i. Then whenever a device reads from the bus
after step i, it will read the values of p(maxid) on those lines. This means
that immediately after device id reads from the bus, part of the value of v for
that device is known. As long as the device stays in location l2 (i.e. before
it computes a new value for v), the value of v remains unchanged.
match_maxid(v:NumberVectors,k) : bool =
FORALL (k_2:nat | k_2<=k) : v(k_2)=p(maxid)(k_2) ;
128 4.2 FutureBus
AfterReadFromStableBus : LEMMA
BusStable(r,i,k) =>
FORALL (i_1:nat | i<=i_1) :
loc(states(r)(i_1+1)(id))=l2 AND
AtLeastOnce(r,read,id)(i,i_1) =>
match_maxid(states(r)(i_1+1),id,k) ;
Proving this lemma in PVS is non-trivial. We used three additional lem-
mas and two abbreviating definitions. The proof takes some 90 proof-steps,
many of which are PVS-administrative in nature.
The next step in proving that the bus stabilizes is determining what the
devices compute; in particular what digit k + 1 of the vector v is computed
by each device. Recall our formalization of the compute action:
comp(v1,v2) : NumberVectors =
LAMBDA j : IF beaten(v1,v2,j) THEN 0 ELSE v2(j) ENDIF
Since the value of digit k + 1 depends on the values of digits 0 . . . k read
from the bus, it therefore depends on the value of p(maxid) only. The fol-
lowing lemma states that in the presence of a stable bus up to line k, the
computation uses only the device’s own priority vector and that of device
maxid.
AfterReadComputeFromStableBus : LEMMA
k+1<K AND BusStable(r,i,k) =>
FORALL (j_1:nat | i<=j_1) :
actions(r)(j_1)=read(id) =>
FORALL (j_2:nat | j_1<=j_2) :
loc(states(r)(j_2)(id))=l0 =>
v(states(r)(j_2)(id))(k+1) = comp(p(maxid),p(id))(k+1) ;
From this we can conclude that — when the bus is stable up to digit k
— each device will write comp(p(maxid),p(id))(k+1) to link lines k + 1. In
particular, this means that only devices whose priority vector’s digits 0 . . . k
are equal to the digits of p(maxid) (i.e. those that do not give up before line
k+1) will write their digit k+1 to the link lines. All other devices will write
a 0 to link line k + 1. In turn, we know that when every device has read and
written a new value to the link lines, that the digit value written by maxid is
the largest, and the bus takes on this value. This is the crux of our induction
step for global correctness.
4.2.5 Comments on the Process 129
EveryoneComputed : LEMMA
k+1<K =>
(FORALL (id) : link(s(id))(k+1)=comp(p(maxid),p(id))(k+1)) =>
bus(s)(k+1)=p(maxid)(k+1) ;
Our correctness argument now links the notion of “round” with the sta-
bility of the bus. The lemma EveryoneComputed shows that the k+1-th line of
the bus takes on the value of the k+1-th digit of the maximum priority vector,
once all the devices have computed and written a value to their link lines.
Suppose the bus is stable to line k and AfterReadComputeFromStableBus holds
in some state with index i in an execution. If we have AllReadApply(i,i+j)
then we can conclude that EveryoneComputed holds in state index i+ j — and
thus the bus is stable up to line k + 1. Since these assumptions entail the
definition of round k + 1, we have the inductive argument for the following,
where the global correctness property stated previously is a special case:
CorrectInduction : THEOREM
Round(r,i,k) => BusStable(r,i+1,k) ;
4.2.5 Comments on the Process
We have shown how we model the IEEE 896 FutureBus bus-arbitration pro-
tocol as a collection of automata in PVS. We subsequently proved that under
the assumption of progress (e.g. no device waits indefinitely before writing
to the bus), the bus stabilizes to the value of the maximum priority. This
proof was done without introducing timing.
Our modeling effort is an example of how protocols can be modeled in
PVS as automata using our automaton framework. This effort may serve as
an example of how proofs can be done within the automaton framework.
Future work: The framework used in this paper does not include any tim-
ing properties within the automata themselves. Future work to explicitly
include the timing information in the automata will naturally make use of
the timed-automata framework. The addendum below gives a sketch how
we might approach the problem of determining the time it takes to reach
round K − 1, given an upper bound T on the time it takes an automaton to
make a complete round through all three locations. The sketch follows the
130 4.2 FutureBus
timing proof given in [40] and as such is not immediately suitable for use in
our timed automata framework.
This example also does not make use of the automata framework with
locations which was described in section 3.3.1. The FutureBus example was
the inspiration for the design of the automata-with-locations theory, though,
and re-doing the example with that framework will prove trivial. This would
also remove the need for the trivialities mentioned at the beginning of sec-
tion 4.2.4, which are covered by the successor_new_location lemma.
Addendum: Timing The original paper [40] analyzes the timing of the
protocol in some detail, deriving a timing bound that for K bus lines, the
protocol terminates (i.e. the bus is stable on all lines) after at most T +3KT
time units, where T represents the “cycle time” of a single device. The cy-
cle time is defined as the amount of time it takes the device to complete
one whole “round” of the protocol, performing steps 1, 2 and 3 of the pro-
tocol described on page 115. In this addendum, we will examine the timing
behavior in a slightly looser setting, arriving at a similar time bound. This
means that we have not formalized the proof in PVS, nor included timing in
the model of the protocol in PVS. Indeed, one may read “slightly looser” as
“hand waving.”
We define the cycle time T as the maximum time it takes an automaton
in a location l to reach location l anew. This means that if a automaton is in
location l0 at time t, then in the time interval (t, t + T ] the automaton visits
locations l1 and l2 and returns to location l0. The automaton performs all
three actions of the protocol within that interval. There is no minimum time
to complete a cycle; devices are allowed to be fiendishly fast.
All of the automata begin in location l0 at time 0, so within T time they
must arrive back at l0; this means that all of the automata perform an apply
action within the interval [0, T ]. This includes the automaton m which has
the highest priority. By lemma ZeroStable (on page 127) this means that
round 0 is done and the bus is stable through line 0. By time T we are
there.
Suppose the bus is stable through line k because round k is finished at
time t. This happens, of course, because all of the automata have done a
read and an apply. Let us assume that the last automaton to do the apply
was automaton m, so that it is in location l1. Regardless of what locations
the other automata are in, within T time they must reach l0, then within a
4.2.5 Comments on the Process 131
subsequent 2T make another two runs around, performing both a read (the
first time around) and an apply (the second time). For automaton m, we
know that within T time units it must return to location l0, so it does a read
along the way. Then within an additional T automaton m makes another
round, performing an apply.
So if round k is reached at time t, then round k + 1 is reached at the
latest at time t+ 3T . The tardiest automaton m in round k finishes with the
next round k + 1 at time t + 2T at the latest, but the other automata may
slow the protocol down. Inductively, we find that the protocol stabilizes in
time T + 3KT , just like as has been demonstrated by Hooman in [40].
With this stabilization time, we can add termination to the protocol sim-
ply by exiting the apply / read / compute loop after that much time.
132 4.2 FutureBus
Biphase Mark
Protocol
there’s no sign of no big
breakdown // it’s just these little
things // that keep putting me off
the track – Madrugada
The biphase mark protocol is a convention for representing both a string
of bits and clock edges in a square wave. The protocol is frequently used
for communication at the physical level of the ISO/OSI hierarchy, and is
implemented on microcontrollers such as the Intel 82530 Serial Com-
munications Controller. An important property of the protocol is that
bit strings of arbitrary length can be transmitted reliably, despite differ-
ences in the clock rates of sender and receiver (drift), variations of the
clock rates (jitter), and distortion of the signal after generation of an
edge. In this section, we show how the protocol can be modeled natu-
rally in terms of timed automata. We use the model checker Uppaal to
derive the maximal tolerances on the clock rates, for different instances
of the protocol, and to support the general parametric verification that
we formalized using the proof assistant PVS. Based on the derived pa-
rameter constraints we propose instances of biphase mark that are cor-
rect (at least in our model) but have a faster bit rate than the instances
that are commonly implemented in hardware.
This chapter uses PVS 3.2
This section is the result of cooperation with Frits Vaandrager (sup-
ported by EU IST project IST-2001-35304 Advanced Methods for Timed
Systems AMETIST).
Published in Formal Aspects of Computing, December 2006 [85], report version
[86].
133
134 5.1 Introduction
5.1 Introduction
The biphase mark protocol (BMP) is a fundamental protocol that is widely
used in applications where data written by one device is read by another.
It is used, for instance, in microcontrollers such as the Intel 82530 Serial
Communications Controller [49], in some optical communications and satel-
lite telemetry applications, and for communication between consumer elec-
tronics devices. A variation of biphase mark, called “Manchester”, is used
in the Ethernet. The first rigorous, formal analysis of (some instances of)
the protocol was carried out by Moore [70] using the Boyer-Moore theorem
prover Nqthm [15]. Moore used the biphase mark protocol to illustrate a
formal, logical model of asynchronous communication. We refer to [70] for
additional information and references on BMP.
In this article, we present the results of our efforts to model and ana-
lyze the biphase mark protocol using the verification tools Uppaal and PVS.
Our model generalizes Moore’s model, since it incorporates “clock jitter”
and the distortion in the signal due to the presence of an edge is not lim-
ited to the time-span of the cycle during which the edge was written. We
use Uppaal [59], a model checker for networks of timed automata, to au-
tomatically prove correctness of several instances of the protocol and to
find error scenarios based on some incorrect instances. These experiments
suggest constraints on the model parameters that are necessary for correct-
ness. Using the proof assistant PVS [71] we establish that these constraints
are in fact sufficient for correctness. Our main objective for this article is
to demonstrate that the timed automata framework [3] allows for natural,
straightforward modeling and analysis of this type of physical level commu-
nications protocols. Methodologically, our results are interesting since we
use two different tools — the model checker Uppaal and the proof assistant
PVS— in a combined manner to analyze a single system. Both tools play a
vital and complementary role in our analysis. Uppaal helps us find the pa-
rameter conditions for correctness and PVS lets us prove that correctness.
As a byproduct of our efforts, we manage to find instances of BMP that are
correct (at least in our model) but have a faster bit rate than the instances
that are commonly implemented in hardware.
Outline: Section 5.2 contains an informal presentation of the protocol.
In Section 5.3 we present our Uppaal model and the parameter constraints
5.2 Informal Description of the Protocol 135
1 0 0 0 1 1
cell
cell edges
signals sent
mark subcell
code subcell
if these two signals are 
equal, a 0 was sent
if these two signals are 
different, a 1 was sent
message
sampling distance
Figure 5.1: Biphase mark terminology.
that we inferred by trying to verify several instances of the protocol with the
Uppaal model checker. Section 5.4 describes a straightforward encoding
of the (semantics of) the Uppaal model within the higher order logic input
language of the proof assistant PVS. Section 5.5 reports on the formalization
with PVS of the (manual) proof that the parameter constraints are sufficient
for correctness. In Section 5.7, we investigate the consequences of the
derived parameter constraints. In particular, we show how to synthesize
the instance of BMP with the fastest bit rate given an upper bound on the
time needed for the signal to stabilize after occurrence of an edge. Finally,
Section 5.8 discusses related work and draws some conclusions.
The full Uppaal and PVS sources are available at the URL
http://www.cs.ru.nl/ita/publications/papers/fvaan/BMP.html
5.2 Informal Description of the Protocol
Essentially, the biphase mark protocol is just a convention for representing
both a string of bits and clock edges in a square wave. In the protocol
(see figure 5.1, taken from [70]) each bit of a message is encoded in a cell,
which consists of a number of clock cycles and which is logically divided into
a mark subcell and a code subcell. A typical configuration is 16 cycles for
the mark subcell and another 16 for the code subcell. The signal, which at
any time is either high or low, always changes value right at the beginning
of a cell. In addition, if the signal encodes a “1” the value also changes right
136 5.2 Informal Description of the Protocol
at the beginning of the code subcell. If a cell encodes a “0” then the signal
remains constant throughout the cell. In order to decode the bit string again
from the square wave, a decoder waits for an edge that marks the beginning
of a cell and then samples the wire after a specified number of clock cycles
(the sampling distance). If the value just after the edge agrees with the
sampled value then the decoder assumes a “0” has been sent, otherwise it
assumes a “1” has been sent.
A clear advantage of BMP over, say, the naive scheme in which a “1” is
encoded by a high signal and a “0” by a low signal, is that BMP “synchro-
nizes” the clocks of coder and decoder at the beginning of each cell. In a
setting with unreliable clocks, a decoder might not see the difference be-
tween the naive encoding of 10000 consecutive 1’s (a high signal for 10000
time units), and the naive encoding of 10001 consecutive 1’s (similar, but
in the presence of unreliable clocks 10001 time units might take less time
on one device than 10000 time units on another). If BMP is used this prob-
lem does not arise because the clocks synchronize in every cell, except of
course when clocks become excessively unreliable. Depending on the other
parameters of the protocol, this problem arises with clocks 4 or 5 orders of
magnitude worse than what common clock crystals provide.
Proving correctness of physical implementations of BMP is nontrivial due
to the combination of at least three factors:
1. A physical system can not generate a perfect square wave. Edges will
not be vertical or square: an electrical signal changes continuously
and may even “ring” before stabilizing at its new level. In our model
we will assume that the value of the signal is nondeterministically de-
fined (reading may produce any value) during some bounded interval
after the coder generates an edge.
2. If a signal is constant throughout a clock cycle we may assume that
sampling of this signal by the decoder yields the correct value. How-
ever, if the value changes during a clock cycle then any value may
come out as we do not know at which point during the cycle sampling
takes place. In our model we will assume that the decoder samples
the signal nondeterministically at some point during each clock cycle.
3. Physical clocks drift (that is, their rate may be too high or too low) and
exhibit jitter (that is, their rate may change over time). In our model
5.3 Uppaal Model and Analysis 137
we will assume that the clock rates of sender and receiver are con-
tained in an interval, so that subsequent clock ticks may be separated
by any length of time in that interval.
As a consequence of these complications, one can easily imagine scenarios
in which, for instance, a decoder altogether misses an edge and completely
garbles the remainder of the signal. In section 5.3.10 we will present such
scenarios. In this section we identify the precise constraints on the vari-
ous parameters of the protocol (lengths of clock cycles, time before signal
stabilizes, etc.) that must be satisfied in order to ensure correctness.
5.3 Uppaal Model and Analysis
In this section, we describe the model that we constructed of the biphase
mark protocol and the analysis results that we obtained using the timed
model checking tool Uppaal. The model contains inequalities based on the
parameters of the protocol (the length of the cell and the mark) as well
as the clock parameters (jitter and drift). We use the results of Uppaal
analysis to derive constraints on the parameters themselves which yield
correct protocol instances. For a detailed account of Uppaal we refer to
[59] and to http://www.uppaal.com .
5.3.1 Architecture
Figure 5.2 presents the overall architecture of our Uppaal model. The model
consists of a network of 7 timed automata (shown as rectangles), which com-
municate via shared variables (circles) and synchronization actions (labeled
arrows). Automaton Clock models the hardware clock at the coding side.
The automaton Coder models the encoding process: based on a sequence
of bits (which is received via variable in) and the tick events from the Clock
automaton, it generates edge events that determine a square wave. Within
our model, the environment (which is represented by the tester) places a
new bit in variable in whenever the Coder is willing to accept a get event.
The Wire automaton nondeterministically transforms the perfect square
wave from the Coder into a signal whose value, stored in variable w, is
nondeterministically defined during a specified interval after the coder gen-
erates an edge. Automaton Clock2, which is similar to Clock, models the
138 5.3 Uppaal Model and Analysis
Tester
in
Clock
Coder Wire Sampler
Clock2
outDecoderw new
s
tick
edge
get
tock
put
Figure 5.2: Architecture of the Uppaal model. TheWiremodels the physical
medium; the Sampler models the hardware that converts the signal back
into digital form. The correctness of the protocol is checked by the Tester
automaton.
hardware clock at the decoding side. The Sampler automaton periodically
copies (samples) the value of variable w into variable new. The Boolean
variable s is used to coordinate the sampler and clock. AutomatonDecoder
models the decoding process. If at the occurrence of a clock tick automa-
ton Decoder observes that the value of new has changed it starts counting
a specified number of clock ticks and then compares the value of new af-
ter those ticks with the value it had before. Depending on the outcome it
places either a 0 or a 1 in variable out and informs the environment about
the fact that a new bit has become available via a put action. The automaton
Tester, finally, nondeterministically selects bits, places them in variable in
upon request and checks whether the sequence of bits delivered via register
out agrees with the sequence entered via register in. Whenever it observes
a discrepancy, the Tester automaton jumps to a designated error location
internal to the Tester. Hence, in order to establish correctness we must
prove that the error location can not be reached.
5.3.2 Model Parameters 139
cell 16
mark 8
sample 11
min 89
max 100
edgelength 89
Figure 5.3: Parameters of the Uppaal model.
X0
x <= max
x >= min
tick!
x := 0
Figure 5.4: Clock. Variable x is a clock variable.
5.3.2 Model Parameters
Figure 5.3 lists the parameters that are used in the model (constants in
Uppaal terminology) and gives an example choice of the parameter values
that yields a correct protocol. The domain of all parameters is the set of
natural numbers. Constant cell specifies the size of a cell in terms of the
number of clock cycles. Similarly, mark and sample specify the size of the
mark subcell and the sampling distance, respectively. This specific config-
uration is used in the Intel 82530 Serial Communications Controller [49].
Constants min and max specify the minimum and maximum number of time
units in a clock cycle (measured in nanoseconds, for instance); we assume
0 < min ≤ max. Constant edgelength specifies the number of time units
needed for the signal to stabilize after occurrence of an edge. The values
listed for min, max and edgelength are not meant to be realistic — the clocks
in our model are much worse than any that are used in real machines [20].
5.3.3 First Clock
Timed automaton Clock models the hardware clock at the coding side. The
automaton, which is displayed in Figure 5.4, has only a single location and
a single transition. The automaton performs a synchronization action tick!
140 5.3 Uppaal Model and Analysis
when its clock x has reached a value between min and max, and then returns
to its initial state by resetting x.
5.3.4 The Coder
We worked hard to make all the timed automata as simple as possible. As
a result of our efforts, all automata in our model have at most 5 locations,
although the number of locations is not a good measure of simplicity or
complexity. In the presence of integer variables each timed automaton is
trivially equivalent to one with just a single location. Without introducing
any additional integer variables or coding tricks we could have easily re-
duced the number of locations of the Coder automaton to 3 if Uppaal would
have permitted us to decorate transitions with multiple synchronization la-
bels, as in the tool Kronos [16]. This optimization is not carried out in the
PVS formalization either. The automaton Coder, displayed in Figure 5.5,
is one of the two timed automata in our model with 5 locations. The au-
tomaton Coder describes how the biphase mark protocol encodes a string
of bits and clock edges into a square wave. In its initial location C0 the au-
tomaton immediately (the location is urgent) jumps via a get? transition to
location C1, thereby telling the environment that it is about to fetch a new
bit from the in register. In the location C1, which is also urgent, an edge
is generated and the automaton jumps, depending on the bit that is being
transmitted, either to location C2 (in case in = 1) or to location C3 (in case
in = 0). A local integer counter n is used to count clock ticks. Upon enter-
ing location C2 the automaton waits until mark clock ticks have occurred,
and then generates an edge and jumps to location C3. In location C3 the
automaton waits until cell clock ticks have occurred and then jumps back to
its initial location to transmit the next bit. In our model, we assume that
there is always a next bit to transmit. It should not be difficult to generalize
our work to a setting where sometimes the environment has no more bits
available for transmission.
5.3.5 The Wire
The Wire automaton, displayed in Figure 5.6, is introduced to model our
assumption that it takes edgelength time before an electric signal stabilizes
after occurrence of an edge. The Boolean variable v is toggled when an
5.3.5 The Wire 141
C4
C3
C2C1
C0
get?
in == 1
edge!
n < mark - 1
tick?
n := n+1
in == 0
edge!
n < cell - 1
tick?
n := n+1
n == cell - 1
tick?
n := 0 edge!
n == mark - 1
tick?
n := n+1
Figure 5.5: Coder. Variable n counts ticks to count out the mark and code
subcells. The variable in holds the bit to be sent; it is set by the get? tran-
sition.
W2
W1
z <= edgelength
W0
w := 1 - w
fuzz!
edge?
z := 0,
v := 1 - v
z == edgelength
w := v
settle!
edge?
Figure 5.6: Wire. Here, z is a clock variable that keeps track of the
edgelength time during which the wire’s value is unstable. Both v and w
are Boolean variables; v is the value being sent and w is the value that the
wire would give if it were read.
142 5.3 Uppaal Model and Analysis
edge? event occurs. Thus, v evolves according to the perfect square wave
that is generated by the Coder. There is also another Boolean variable w,
whose values reflect the actual observations that can be made on a physical
wire. In the initial location W0 the wire is stable and the values of v and
w agree. Upon occurrence of an edge? the Wire automaton moves to the
unstable location W1 in which w can be assigned any value at any time.
After being unstable for edgelength time units, the system moves back again
to the stable location W0 and the value of w settles to v. For the param-
eter assignments for which the BMP is correct the Coder never generates
an edge if the Wire is in location W1. We will prove this by establishing
that locationW2 is unreachable in the full system for any of the parameter
assignments that we consider.
We find it convenient to give names to all the transitions in an automa-
ton. This is achieved by misusing the broadcast primitive in Uppaal: the
broadcast actions fuzz! and settle! do not synchronize with actions from
any other automaton, but are just there to give transitions a name.
In our model we assume instantaneous message delivery: edges gener-
ated by the Coder may be detected instantaneously by the Decoder. We
claim that the constraints on the parameters that we derive in this paper to
ensure correctness are not affected when we introduce a fixed transmission
delay for all edges. However, we do not formally prove this claim in this
article.
5.3.6 The Sampler
The Sampler automaton, displayed in Figure 5.7, only has a single location
and a single transition. The transition copies (samples) the value of the wire
variable w to a variable new that is used as input for the decoder. To ensure
that the sample transition occurs exactly once during every clock cycle we
use an auxiliary Boolean variable s: if s = 0 then the sampler may sample
and if s = 1 then the (decoder) clock may tick. Only the samples taken
during the mark and sample clock cycles are actually used in the protocol,
though.
5.3.7 Second Clock 143
s == 0
new := w,
s := 1
Sample!
Figure 5.7: Sampler. The sample is read from w (the value on the wire)
and stored in variable new. The sampler can read only when s is zero; the
second clock resets s on every tick.
y <= max
y >=min && s==1
tock!
y := 0,
s := 0
Figure 5.8: Clock2. This clock uses y to keep track of time; it resets s every
tick to allow the sampler to read a new value.
5.3.7 Second Clock
The Clock2 automaton, displayed in Figure 5.8, models the hardware clock
at the decoding side. This automaton is exactly the same as the Clock at
the coder side, except that it also reads/writes variable s to ensure strict
alternation of the sample and tock actions.
5.3.8 The Decoder
The Decoder automaton, shown in Figure 5.9, models in a straightforward
manner the decoding of the (sampled) wire signal into a bit string. The au-
tomaton uses a local Boolean variable old to record wire values it has seen
earlier. Like the Coder automaton, the activity of the Decoder automaton
is driven by clock ticks. In the initial locationD0, each clock tick causes the
automaton to compare the most recent value that has been sampled from
the wire (new) with the value stored in old. As long as these values remain
the same no action is taken. But as soon as the values of old and new be-
come different, the automaton concludes that an edge has occurred, moves
to location D1, and toggles the value of old. In location D1 the automaton
144 5.3 Uppaal Model and Analysis
D2
D1D0
new != old
tock?
old := new
put!
m := 0
m == sample - 1
tock?
out := (new != old),
m := m + 1,
old := new
m < sample - 1
tock?
m := m+1
new == old
tock?
Figure 5.9: Decoder. The decoder counts clock ticks using m. It stores
a value sampled from the mark subcell in old and a value from the code
subcell in new.
5.3.9 The Tester 145
T3T2T1
Error
T0 get!in := 1
get!
buf := in,
in := 1
out != in
put?put?
get!
in := 0
out == in
put?
get!
buf := in,
in := 0
out == buf
put?
out != buf
put?
get!
Figure 5.10: Tester. In our model, it is the tester that both generates the
bitstream for the coder and reads it from the decoder. Here, in and buf
store the two “in-flight” bits; they are set non-deterministically.
waits until sample clock ticks have occurred (counted using a local integer
variable m) and then jumps to location D2. If at that point in time new
equals old then output variable out is assigned the value 0, otherwise out
is assigned the value 1 (cf Figure 5.1). In a subsequent transition that oc-
curs immediately, the environment is informed that a new output has been
produced (via a put! synchronization) and the Decoder returns to its initial
location.
5.3.9 The Tester
Figure 5.10 depicts the Tester automaton, the seventh and last component
of the model. This automaton is not part of the biphase mark protocol but
just a highly nondeterministic environment of the protocol that has been
designed to test its correctness. If the protocol (the Coder in fact) asks
for a new bit, the Tester puts a nondeterministically selected bit in shared
variable in. The Tester remembers which bits it has sent to the protocol; in
146 5.3 Uppaal Model and Analysis
and buf store the most-recent two bits sent. If a third bit is requested by
the Coder the overflow location T3 is reached. We will prove that for all
parameter assignments for which the protocol operates correctly, there is at
most one bit that has been accepted by the Coder but not yet delivered by
the Decoder. While searching for error scenarios that arise for parameter
assignments that do not satisfy the constraints, we will encounter instances
of our model in which two bits can be inside the protocol. We felt no need
to model a tester that can handle situations in which three or more bits
are sent but not yet received. Whenever the protocol (the Decoder) pro-
duces an output, the Tester checks whether this is the expected value. If
it is correct, the Tester forgets the value, otherwise it jumps to a special
Error location. If the protocol is correct then the Error location can not be
reached.
5.3.10 Uppaal Analysis Results
The set of reachable symbolic states of our model is relatively small, and for
all properties and parameter assignments that we tried, Uppaal managed to
establish validity or produced a counterexample within a second (running
Upppaal version 3.4.7 on a standard PC). By playing with the parameter
assignments we can explore the state space of possible assignments for
cell length, mark, and clock parameters and so derive plausible parameter
inequalities which ensure the correctness of the protocol. We do not include
the specific Uppaal instances or output in this chapter.
Some basic well-formedness properties that we tested are that the sys-
tem contains no deadlocks, the coder never starts another voltage transition
(edge) while the Wire automaton is still in its unstable location, and that
there are never more than two bits in transit in the protocol:
A[] not (deadlock or Wire.W2 or Tester.T3).
But the key correctness property, of course, is that the Tester never enters
the Error location:
A[] not (Tester.Error).
Whether these properties hold depends on the specific choice of the param-
eter values. Through playing with different parameter assignments, and
replaying the error traces in the simulator, we discovered that there appear
5.3.10 Uppaal Analysis Results 147
max
v
w
new
Sampling at very beginning long clock cycle
Sampler samples at very end long clock cycle
Coder start transmission of 1
Coder completes mark phase maximally fast
mark * min
edgelength
max
Figure 5.11: First error scenario: decoder misses edge at beginning of cell.
to be essentially three different scenarios that may lead the Tester to the
Error location: (1) the decoder may miss the edge at the beginning of a
cell, (2) the decoder may sample too early, or (3) it may sample too late.
The first error scenario is illustrated in Figure 5.11. In this scenario, the
coder transmits a 1 and passes through the mark phase (location C2) max-
imally fast. This means that mark · min time units after the edge event that
marks the beginning of the cell we already see the edge event that marks
the end of the mark phase (the line labeled v in Figure 5.11). We assume
that after the first edge the wire remains unchanged maximally long, that is
edgelength time units, whereas after the second edge the wire immediately
takes the new value (the line labeled w in Figure 5.11). Now the decoder
may altogether miss the voltage change on the wire if it (1) operates max-
imally slow for two clock cycles, (2) samples at the very beginning of the
first clock cycle, just before the value of w changes, (3) samples again at
the very end of the second cycle, right after the value of w has changed
again. In order to avoid this error scenario, the following constraint on the
parameters must be met, which ensures that an edge at the beginning of a
148 5.3 Uppaal Model and Analysis
High voltage sampled at beginning clock cycle
new
w
v
Decoder receives 0
mark * max edgelength
Coder starts transmission of 1
Coder completes mark phase maximally slow
(sample − 1) * min min
Sampling at end of cycle, right after edge is generated
Figure 5.12: Second error scenario: decoder samples too early.
cell will always be detected by the decoder:
mark ·min > 2 ·max+ edgelength (5.1)
The second error scenario, in which the decoder samples too early, is
illustrated in Figure 5.12. In this scenario, the Coder operates maximally
slow whereas the decoder operates maximally fast. The Coder transmits
a 1 and remains in the mark phase maximally long, that is mark · max time
units elapse between the two edge events (line labeled v in Figure 5.12).
This time, the wire immediately takes on the new value after the first edge,
and sticks to the previous value maximally long after the second edge (line
labeled w in Figure 5.12). The decoder immediately detects the first edge
and operates maximally fast. This means that the clock cycle in which it
samples the value that will determine whether a 0 or a 1 will be decoded
starts after (sample − 1) · min time units. If we assume that sampling takes
place at the very beginning of this clock cycle, then the wrong bit (namely
0 instead of 1) will be decoded if the sampling takes place right before w
changes its value for the second time. In order to avoid this error scenario,
5.3.10 Uppaal Analysis Results 149
Decoder detects edge
v
w
new
Sampling at very end of cycle, 1 received
Coder completes transmission maximally fast
cell * min
Coder start transmission of 0
edgelength
sample * maxmaxmax
Sampling at very beginning clock cycle
Figure 5.13: Third error scenario: decoder samples too late.
the following constraint on the parameters must be met:
(sample− 1) ·min > mark ·max+ edgelength (5.2)
This constraint ensures that the decoder will not sample too early.
The third error scenario, in which the decoder samples too late, is il-
lustrated in Figure 5.13. In this scenario the Coder operates maximally
fast whereas the decoder is maximally slow: at the point where the decoder
samples the coder has already started with the transmission of the next bit.
In order to avoid this error scenario, the following constraint on the pa-
rameters must be met, which ensures that the decoder does not sample too
late:
cell ·min > (sample+ 2) ·max+ edgelength (5.3)
An obvious question that arises is whether the three constraints intro-
duced above are enough to ensure correctness: is the error location un-
reachable for all parameter assignments that satisfy constraints (5.1), (5.2)
and (5.3)? This question can not be answered using Uppaal, since Uppaal
150 5.4 Translating the Uppaal Model into PVS
can only compute the set of reachable states for a fixed parameter assign-
ment, and there are infinitely many parameter assignments that satisfy the
three constraints. Using deductive verification and the theorem prover PVS,
we will establish in the next two sections that the three constraints together
indeed guarantee correctness.
5.4 Translating the Uppaal Model into PVS
For the verification of the correctness of the biphase mark protocol with
the given parameter constraints in a symbolic fashion we use the theorem
prover PVS, which is a higher-order logic theorem prover developed by SRI
[71]. We employ a framework in PVS that provides us with the standard
definitions for automata and a guideline as to how to translate automata
from Uppaal to PVS. The translation is intended to ensure that the PVS
model closely resembles the Uppaal model, so that it is easy to validate and
to propagate changes from one model to the other.
An automaton in Uppaal consists of a number of locations, some state
variables and clocks, and transitions (labeled arrows) from one location to
another; the transitions may also be labeled with assignments to the state
variables and clocks, and they may be annotated with guards. Our transla-
tion deals with each of these parts of the automaton in turn, yielding a PVS
model containing locations, state variables, and transitions. The translation
of the automata in our Uppaal model from diagrams into our PVS framework
in general proceeds as follows:
1. The locations and state variables of the Uppaal model are modeled in
PVS as enumerations and records, respectively.
2. Anonymous transitions (transitions not labeled with an action label)
need to be labeled to distinguish them. There happen to be no anony-
mous transitions in the Uppaal model we have.
In general, there may be unlabeled transitions in the Uppaal model
which need to have names in PVS. We must attach labels to there in
order to name them. A good approach — a Uppaal trick, really — is to
use broadcast messages which no other automaton is listening for.
3. Our approach focuses on local translations — each automaton is trans-
lated into PVS with no regard for the context it will be placed in.
5.4.1 Merging Automata 151
Shared variables are replaced by local variables whose values are
synchronized via a parameter of the transition. See sections 5.4.2
and 5.6.1 for details.
4. The union of the sets of events of all the automata in the system is used
as the global set of events. Explicit time delay is included as delay(d).
5. For each automaton, we define a local state and a local transition rela-
tion, as well as the local initial state. The local transition relation must
deal with the global set of events — this is because our translation is
a simple one and does not take into account which events are relevant
for which automata. No change should occur in response to events not
used locally in the automaton.
6. The parallel composition of the automata is constructed by hand. The
global state is a record containing the local states of each automaton.
The global initial state is exactly the product of the local initial states.
7. The global transition relation applies each local transitions to the ap-
propriate local state; since all local transitions are given the global
event, synchronization on shared events in the run is obtained (see
5.6.2 for details).
We will perform each of these steps for the model of the biphase mark
protocol in the following sections. There is one place where we diverge
from the Uppaal model in Section 5.3: we translate the product automaton
of the sampler and the second clock, instead of translating each individually.
The reason for doing so is that the shared variable s, which ensures strict
alternation of actions in the automata, is not used in a way that our shared-
variable translation can deal with. It is, in the end, simpler to translate the
product automaton than to invent a complicated translation that can deal
with the shared variable.
5.4.1 Merging Automata
The product automaton of the sampler and the second clock is easy to cal-
culate, and yields an Uppaal diagram like the one in figure 5.14. We use
this automaton instead of the two separate ones because both automata
152 5.4 Translating the Uppaal Model into PVS
S0
y <= max
S1
y <= max
new := w
Sample!
y >= min
tock! y := 0
Figure 5.14: Product of automata for sampler and decoder clock.
write to the shared variable s, which makes our simple-and-straightforward
translation to PVS inapplicable.
In this merged automaton, we have two locations, that represent the
state s = 0 and s = 1 of the separate automata; again, Sample! and tock!
events occur in turn, with no more than max time between tock!s.
5.4.2 Removing Shared Variables
There are a few shared variables in the Uppaal model, as shown in fig-
ure 5.2. These are:
• in, between coder and tester.
• w, between wire and sampler.
• new, between sampler and decoder.
• out, between decoder and tester.
• s, the variable shared between the sampler and the second clock, is
not needed, since we use the product of those two automata instead.
Each of the uses, (reads or writes), of one of these shared variables can
be changed into a parametrized event so that all variables become local, as
described in section 5.6.1. As an example, consider in, shared between the
coder and the tester. The tester sets the value of in on several transitions
labeled with get!. These can be replaced by a parametrized get!(b) that
represents the shared assignment in := b.
5.4.3 Representing Events 153
We replace all the shared variables by local variables with explicit syn-
chronization. The theory is detailed in section 5.6.1.
Previously in section 4.1.1, we did use shared variables. However, that
example was not very representative as we constructed the product automa-
ton by hand prior to translating to PVS; the product automaton also had only
a single location and was otherwise fairly simple. In the biphase mark pro-
tocol, we have a larger collection of automata and a larger set of locations;
the product automaton is much larger. We also focus on translating the
automata individually and constructing the product automaton in PVS, as
opposed to doing the construction first (by hand) and then translating.
5.4.3 Representing Events
The collection of events in PVS is represented by an abstract datatype — this
means that we automatically have axioms that the events are distinct, as one
would expect from an enumeration of all the distinct kinds of events. The
PVS code is shown in figure 5.15. We see the four parametrized actions, two
actions without parameters, the two broadcast actions with no parameters
(settle and fuzz), and the additional delay event representing the passage
of time. Note that delay is parametrized by a posreal, i.e. a positive and
non-zero amount of time. This means that in our PVS model, there are no
events which delay by zero time. This is a subtle difference with the Uppaal
semantics, where zero delays are possible (they do not change the state or
the value of any clocks though, so their deletion from the PVS model does
no harm).
5.4.4 Local States and Transitions
The aim of the translation into PVS is to prove that the parameter constraints
that have been deduced in Section 5.3.10 are correct, i.e. that all choices
of parameters within those constraints yield a correct protocol. We attempt
to remain as close as possible to the Uppaal model, so that it is intuitively
clear that the PVS model represents the diagrams accurately. To this end
we will do the following for each automaton: define an enumeration of the
locations of the automaton (if it has more than one) so that we can refer
to those locations by name; define a record that holds the location of the
automaton and its local variables and clocks; define a transition relation on
154 5.4 Translating the Uppaal Model into PVS
BMActions : DATATYPE BEGIN
tock(b:bool) : tock? % Sampler clock tick
get(b:bool) : get? % Get message bit
put(b:bool) : put? % Put message bit
sample(b:bool) : sample? % Sample from wire
tick : tick? % Sender clock tick
edge : edge? % Coder inverts wire value
fuzz : fuzz? % Wire during edge
settle : settle? % Wire stabilizes to value
delay(d:posreal) : delay? % Time delay
END BMActions
Figure 5.15: PVS Datatype for the Events of the biphase mark protocol.
the local state where the primary selection is by event. This means that the
transition relation is written in PVS like “if event is delay, then do this; else,
if event is get, then do this ; . . . ” — the uniformity of expression defining
the transition relation is important in partially automating proofs over the
automaton.
The remainder of this section shows the translation of specific automata
— the Clock, the Coder — in more detail.
The Clock: The clock has only one location, and a single clock named x,
so the record structure for the state of the clock is very simple: a single
field for the clock x, as can be seen in figure 5.16. One might argue that
this representation could be simplified, down to identifying the state of the
Clock with the value of the clock variable x, but we believe that consistency
in structure is important for the automation of proofs.
There are two different transitions that the clock can take: time can
pass (subject to the location invariant), or the clock can tick (subject to
the transition guard). The PVS code for this does a case distinction on the
event in order to determine whether a given state-transition is allowed. The
PVS code for the transition is shown in figure 5.16. The PVS code defines a
record type ClockState (the [# #] indicate a record) with a single field x for
the clock. The transition relation for the clock is named ClockTransition and
is a function of three variables, yielding a Boolean value. The parameters
are s and s_, the local from state and the local to state, while a is the global
5.4.4 Local States and Transitions 155
ClockState : TYPE+ = [# x:Time #] ;
ClockTransition(s:ClockState,a:BMActions,s_:ClockState) : bool =
CASES a OF
delay(d) : s_‘x <= max AND s_ = s WITH [ x:= s‘x+d ],
tick : s‘x >= min AND s_ = s WITH [ x:=0 ]
ELSE s_ = s
ENDCASES ;
Figure 5.16: PVS code for the Clock’s state and transition relation.
event that occurs; the transition relation must state whether the transition
from local state s to s_ when the system performs an action a is allowed.
The transition relation is defined using a CASES statement, where we can list
the events that change the local state of the clock. We see the use of the
ELSE clause in the CASES expression in order to deal with “all-the-events-not-
mentioned-yet.” The CASES statement is required to be total by PVS, so we
use the ELSE clause to make it so. It is important to state that the state stays
the same (s_ = s) when unhandled events occur, since otherwise the state
is allowed to change nondeterministically when other automata perform an
action.
The two events that are relevant for the Clock automaton are handled
by writing the precondition (either the location invariant or the transition
guard) in conjunction with an expression stating how the local variables
should be updated. The update expression is typically written as s_ = s
WITH [ E ] in which E contains assignments to record fields. The expression
s WITH [ E ] has the value of the record swith the fields named in E updated
by assignment; we read this as calculating the new state based on s and
asserting that state s_ is that state. For the delay event, we need to check
that the location invariant is not violated by a delay of d time, and the clock
xmust advance by d for the transition to be acceptable. In a similar vein, the
transition for tick conjoins the transition guard with the resetting of clock x.
Coder: The structure of the coder is far complex than that of the Clock.
There are only 3 event types (get, edge, tick) that need to be handled, but
since the event labels occur multiple times in the diagram the expressions
156 5.4 Translating the Uppaal Model into PVS
stating legality of a particular state-transition are more complex. The pres-
ence of urgent locations adds the delay event to the list-of-events-to-handle.
In figure 5.17 we see that in has become iv— this is because in is a reserved
word in PVS. The value iv is represented by a Boolean value; 0 or 1 would
CoderLocations : TYPE+ = { c0, c1, c2, c3, c4 } ;
CoderState : TYPE+ = [#
loc : CoderLocations,
n : below[cell],
iv : bool
#] ;
Figure 5.17: PVS code for the Coder’s state.
serve as well, but require an additional type definition. State component n
is declared to be below[cell], which means n < cell; PVS requires that we
prove this (which is trivial and done automatically with typecheck-prove).
The transition relation for the Coder is fairly straightforward. Delay
events cannot happen when the Coder is in locations c0, c1 or c4 since
these are urgent locations (and recall that delays are non-zero in our PVS
model), but the state of the coder must stay the same when delay actions do
occur otherwise. The PVS code is shown in figure 5.18.
The event get? can only occur when the Coder is in location c0, and it
is accompanied by a change in location and saving the parameter value to
a local variable. This is straightforward enough. The edge! event can occur
in one of three places; we write a disjunction of the transition expressions
for each of those three distinct transitions. Each one of those transition
expressions — as usual — checks that the initial location is correct, checks
the guard on the transition, and states what the resulting state must be.
Finally tick? occurs in four places in the diagram, and each of these is dealt
with similarly.
Other Automata: The other automata in the system (the wire, the sam-
pler with the second clock, the decoder and the tester) are all straightfor-
ward to translate — the state consists of a few fields for the local variables,
and the transitions are all of types similar to what we have already de-
scribed. The complete PVS specification for the automata can be obtained
5.4.5 Global States and Transitions 157
CoderTransition(s:CoderState,a:BMActions,s_:CoderState) : bool =
CASES a OF
delay(d) : ( s‘loc = c2 OR s‘loc = c3 ) AND s_ = s,
get(b) : s‘loc = c0 AND s_ = s WITH [ loc:=c1, iv:=b ],
edge : ( s‘loc = c1 AND s‘iv AND
s_ = s WITH [ loc:=c2 ] ) OR
( s‘loc = c1 AND NOT s‘iv AND
s_ = s WITH [ loc:=c3 ] ) OR
( s‘loc = c4 AND
s_ = s WITH [ loc:=c3 ] ) ,
tick : ( s‘loc = c2 AND s‘n < mark-1 AND
s_ = s WITH [ n:=s‘n+1 ] ) OR
( s‘loc = c2 AND s‘n = mark-1 AND
s_ = s WITH [ loc:=c4, n:=s‘n+1 ] ) OR
( s‘loc = c3 AND s‘n < cell-1 AND
s_ = s WITH [ n:=s‘n+1 ] ) OR
( s‘loc = c3 AND s‘n = cell-1 AND
s_ = s WITH [ loc:=c0, n:=0 ] )
ELSE s_ = s
ENDCASES ;
Figure 5.18: PVS code for the Coder’s transition relation.
from the URL mentioned in the introduction of this section on page 135.
5.4.5 Global States and Transitions
The global state of the entire system is of course the product of all the local
states of the constituent automata. The easiest way to achieve this in PVS is
to define a new record with one field for each of the constituent automata,
as shown in figure 5.19. This global state contains no global variables, and
hence the composition of the transition relations is straightforward as well.
The transition relation for the global state is the conjunction of the lo-
cal transitions for each automaton applied to the local states; the event a is
passed to each local transition, along with the relevant local state. By hav-
ing a structured and straightforward representation of the global state, the
global transition becomes straightforward as well and we can later apply
some automation to the calculation of next-states in the executions of the
158 5.5 Proving Correctness, with Variations
global automaton. The global transition relation is shown in figure 5.20.
5.5 Proving Correctness, with Variations
The proof of the correctness of the biphase mark protocol was fairly straight-
forward, in large part thanks to the invariants turned up by the experimen-
tation with Uppaal. The additional verification found one omission in an
invariant, which was repaired by strengthening it; this enabled us to prove
the correctness of all instances of the protocol within the parameter space.
The proof in PVS of the correctness of the protocol and the necessity
of the given bounds on the parameters is purely symbolic, and shows that
every instance that falls within the parameter constraints suggested by the
Uppaal analysis is correct. The proof proceeds by collecting 37 invariants
and verifying each invariant in turn; together, these invariants imply the
global correctness of the protocol.
GlobalState : TYPE+ = [#
clock : ClockState,
coder : CoderState,
wire : WireState,
sampler : SamplerState,
decoder : DecoderState,
tester : TesterState
#] ;
Figure 5.19: Global state of the system model of the biphase mark protocol.
GlobalTransition(s:GlobalState,a:BMActions,s_:GlobalState) : bool =
ClockTransition(s‘clock,a,s_‘clock) AND
CoderTransition(s‘coder,a,s_‘coder) AND
WireTransition(s‘wire,a,s_‘wire) AND
SamplerTransition(s‘sampler,a,s_‘sampler) AND
DecoderTransition(s‘decoder,a,s_‘decoder) AND
TesterTransition(s‘tester,a,s_‘tester)
Figure 5.20: Global transition relation of the biphase mark protocol.
5.5.1 Structure of the Invariant Proof 159
The global statement of correctness is much as in the Uppaal verification:
in all executions of the automata for the biphase mark protocol, there is
no state of the system in which the tester automaton is in state t3, or in
state error. In PVS this appears as the theorem shown in figure 5.21. In the
theorem, the LET expression is substituted into the remainder of the theorem
(after the IN), and the whole theorem is implicitly universally quantified over
any unbound variables (in this case, index i and run R).
The Uppaal verification — in particular the invariants checked there —
gives a guideline for the formal verification of the protocol in PVS, but it is
not a road map. Indeed, as far as Uppaal is concerned, we need not bother
with any invariant other than that t3 and error are unreachable. This is both
the strength and the weakness of verification through Uppaal — we verify a
single instance, or several instances, and though the truth of Uppaal’s as-
sertion that location t3 is unreachable does not change, we cannot see how
this truth is arrived at, nor what the most general bounds of the parameters
of the protocol might be.
Section 5.5.1 details the structure of the proof and the approach used,
while Section 5.5.2 shows how some automation can be introduced into the
proofs in order to shorten them and make them more understandable to the
human reader. Section 5.5.3 examines the effect of introducing automation
into the proofs.
5.5.1 Structure of the Invariant Proof
With the model as given the correctness condition is expressed in terms of
the reachability of locations t3 and error. The correctness condition is given
as an invariant on the state of the system, as already shown in figure 5.21.
There are 37 invariants in all, each of which is proved by induction on the
sequence of steps in a run of the automaton. The invariants are grouped as
follows (figures 5.23 and 5.24 on page 163 show more detail):
I : THEOREM
LET T = R‘states(i)‘tester IN
NOT (T‘loc = t3 OR T‘loc = error ) ;
Figure 5.21: Correctness defined by the tester’s behavior.
160 5.5 Proving Correctness, with Variations
• Invariants of the clock or coder in isolation, named Px (6 invariants).
• Invariants of the wire, sampler, or decoder in isolation, named Qx (6).
• Invariants of pairs of automata, named Rx (4).
• Invariants of the coder, clock and wire in parallel, named Tx (5).
• Invariants of all but the tester in parallel, named Gx (9).
• Invariants of the system as a whole, named Hx (6).
• The global correctness invariant, I (1).
These 37 invariants were checked with Uppaal on some instances of the
protocol before beginning the PVS verification. In the PVS proof, some in-
variants were re-ordered (since the proof of P5 needed the result of P6, for
instance), and some corollaries were introduced to make proofs shorter. In
the P, Q and R groups, each invariant was proved individually. Groups T,
G and H were proved simultaneously with the following approach (which is
tailored to being convenient in PVS— mathematically, we are merely show-
ing that the group of invariants is inductive):
1. For each invariant Ik to be proved in the group, define a predicate
Ik(R, i) that takes an automaton run R and an index i as parameters
that asserts the invariant property on the i-th state of the run R.
2. For each invariant Ik, write and prove a lemma Lk for the induction
step of Ik as follows (assume n invariants in the group):
I1(R, i) ∧ I2(R, i) ∧ · · · ∧ In(R, i)⇒ Ik(R, i+ 1)
3. Finally, define a lemma I for the group as a whole:
∀i . I1(R, i) ∧ I2(R, i) ∧ · · · ∧ In(R, i)
The proof of this lemma is simple: check the base case of the induction,
(i.e. that in all initial states, each invariant holds individually), and for
the induction step use lemmata L1 through Ln.
5.5.1 Structure of the Invariant Proof 161
G6
G1
G2
G3
G4
G5
G7
G8
G9
Figure 5.22: The interdependence of lemmata in group G. An arrow from
lemma Gi to Gj means that the proof of lemma i needs the result of lemma
j. In broad gray arrows, we see a path that demonstrates that the proof of
G1 requires all the other results.
162 5.5 Proving Correctness, with Variations
This approach can be used to find the interdependency graph of the in-
variants as well, by determining which invariant-predicates are not used in
each proof. Figure 5.22 shows how the invariants of group G are interde-
pendent — this also makes clear that no smaller group could be constructed
that is still provable.
The “simple” invariants in groups P, Q and R are the sixteen invariants
shown in figure 5.23. The proof of each of these is fairly straightforward:
induction on the index of the state the invariant is applied to. The base
case is trivial and solved with (grind), the induction step requires check-
ing the relevant transitions, which means that the global transition relation
GlobalEffect needs to be introduced and expanded to the local transitions.
Since these steps are the same for every proof, we define a simple strat-
egy (scheme for automation) called (auto-start) that starts off an inductive
proof by dealing with the base cases and the introduction of the local tran-
sitions (see Section 5.5.2 for more details on the additional automation).
These sixteen invariants, along with one additional support lemma, take
204 proof steps to prove. Each invariant depends only on the invariants
preceding it in the list (hence P6 and P5 are reversed, since the naming
of the invariants was established before the proofs were begun). Additional
automation can reduce the number of steps taken considerably (i.e. by half),
which we will examine shortly.
The remaining invariants are divided into four groups. The groups T, G
andH are intra-dependent, which was partly illustrated in figure 5.22, while
group I contains only a single invariant. Figure 5.24 shows the invariants.
The effort for each intra-dependent group is far greater than the effort for
the simpler invariants listed above. The T group of five invariants requires
432 proof steps — again, with additional automation this can be reduced
considerably.
The G group of invariants is by far the most complicated of the nests
of interdependent invariants, and while proving it the original invariants
suggested by the Uppaal tests were found to be insufficiently strong to prove
the entire nest. The invariant G1 needs the additional condition
mark ≤ n⇒ sample ·min−mark ·max ≤ z
This condition was discovered after staring at the proofs — all of which
could not be finished because of the lack of this information — for a few
5.5.1 Structure of the Invariant Proof 163
Clock and Coder
P1 0 ≤ x ≤ max
P2 c0 ∨ c1 ⇒ n = 0
P3 c2 ⇒ in ∧ 0 ≤ n < mark
P4 c3 ⇒ 0 ≤ n < cell
P6 c4 ⇒ in ∧ n = mark
P5 c3 ∧ n < mark⇒ ¬in
Wire, Sampler and Decoder
Q1 0 ≤ z
Q2 w1 ⇒ z ≤ edgelength
Q3 0 ≤ y ≤ max
Q4 d0 ⇒ m = 0
Q5 d1 ⇒ 0 ≤ m < sample
Q6 d2 ⇒ m = sample
Automaton Pairs
R1 c0 ∨ c1 ∨ c4 ⇒ x = 0
R2 s0 ∧ z > y + edgelength+max⇒ w = new
R2 s1 ∧ z > y + edgelength⇒ w = new
R3 d2 ⇒ y = 0
R4 w0 ⇒ v = w
Figure 5.23: The “simple” invariants of at most two automata.
164 5.5 Proving Correctness, with Variations
Coder, Clock and Wire
T5 ¬w2
T6 (c0 ∨ c1 ∨ c4)⇒ w0
T7 c2 ∨ (c3 ∧ in)⇒ n ·min ≤ z − x ≤ n ·max
T8 c4 ⇒ mark ·min ≤ z ≤ mark ·max
T9 c3 ∧ in ∧mark ≤ n⇒
(n−mark) ·min ≤ z − x ≤ (n−mark) ·max
Global (except Tester)
G1 d0 ⇒ ¬c4 ∧ (v = new ∨ new = old)
G2 d1 ⇒ c2 ∨ c3 ∨ c4
G3 d2 ⇒ c3 ∧ in = out ∧ v = new ∧ new = old
G4 d0 ∧ (c0 ∨ c1 ∨ (c3 ∧mark ≤ n))⇒ v = old
G5 d0 ∧ (c2 ∨ c3) ∧ n < mark⇒ v 6= old ∧ z ≤ y +max+ edgelength
G6 d1 ∧ (¬in ∨ c2 ∨ c4)⇒
v = old ∧ (m ·min ≤ z − y ≤ (m+ 2) ·max+ edgelength
G7 d1 ∧ c3 ∧ in⇒ v 6= old ∧
m ·min−mark ·max ≤ z − y
≤ (m+ 2) ·max−mark ·min+ edgelength
G8 d2 ∧ ¬in⇒ sample ·min ≤ z < cell ·min
G9 d2 ∧ in⇒ sample ·min−mark ·max ≤ z < (cell−mark) ·min
Global
H1 d1 ∨ d2 ⇒ t1
H2 d0 ∧mark ≤ n⇒ t0
H3 d0 ∧mark > n⇒ c0 ∨ t1
H4 c3 ⇒ t0 ∨ t1
H5 c1 ∨ c2 ∨ c4 ⇒ t1
H6 c0 ⇒ t0
Global Correctness
I ¬(t2 ∨ t3 ∨ error)
Figure 5.24: Invariants for three or more automata in parallel.
5.5.1 Structure of the Invariant Proof 165
days. Once that was done, the proofs were fairly straightforward again,
with only the question of which invariants were dependent on which others.
Although invariants H4, H5 and H6 can be proved easily from H1–H3
and theG invariants, it turned out thatH1–H3 need the laterH invariants in
their proofs, which made this a new (though simple) nest of interdependent
invariants.
Finally, I is an almost trivial conclusion of H1–H3 and H6.
Initial proof statistics, of the hand-made proof with little automation, are
shown in Figure 5.25 (these are entirely dependent on the PVS user that
creates them, though). The statistics show that all the proofs together use
only 28 different proof commands, one of which is a locally defined strat-
egy for the purpose of initiating automaton invariant proofs (auto-start).
Four are sequent management commands not immediately relevant for the
proofs themselves (these are (name),(hide), (reveal) and (delete)). Three
are proof commands automatically used by PVS for proving TCCs, (Type-
Check Conditions, normally inserted by PVS when it cannot automatically
deduce the type of an expression). One proof command is inserted by PVS
automatically to finish a trivial proof (one of the form P ⇒ P ). This leaves
19 different commands that are actually typed by the user; the vast major-
ity are (assert) and (flatten), which follow from the habits of the PVS user
who made these particular proofs.
It should be clear that the amount of effort to do the proofs is enormous
compared to the effort involved in the Uppaal verification. The main reason
for this is that initially it is not clear how each proof should proceed, and
there is little support built in to PVS for the kind of proofs that need to be
done. Eventually, we see that the structures of the proofs are remarkably
regular, and can develop some reusable automation for dealing with them.
There are several existing implementations of additional automation for
proofs in a specific framework, both in PVS and outside of PVS. One ex-
ample of far-ranging automation is ACL2, which is a highly automated first
order theorem prover which has been used for the mechanical verification
of microprocessors [78]. Similar (but much smaller-scale) microprocessor
verification has been done in PVS, although with no automation [22]. Pro-
tocol verification using roughly the same framework as we have used here
can be found in [17]. Automation of PVS proofs in a specific context is men-
tioned briefly in [31], Section 6.6.1; it is a shame that such improvements
have not percolated into the standard PVS distribution. The TAME modeling
166 5.5 Proving Correctness, with Variations
PVS Command Count Note
EXISTENCE-TCC 1 Inserted by PVS
BETA 1 Reduce function application
INDUCT 2 For invariant I
SKOLEM 2 Manual instantiation
NAME 2 Introducing abbreviations
TYPEPRED 3 Needed for min < max
INST? 3 Automatic instantiation
ASSUMING-TCC 3 Inserted by PVS
IFF 5 Split boolean equivalence.
SUBTYPE-TCC 9 Inserted by PVS
AUTO-START 18 Partially automated strategy
GRIND 23 Prove automatically
HIDE 25 Sequent management
COMMENT 41 Sequent management
SKOLEM! 45 Automatic instantiation
REVEAL 49 Sequent management
LEMMA 62 Using invariants
INST 67 Manual instantiation
CASE 93 Introducing facts
GROUND 115 Decision procedures
PROPAX 124 Trivial decision procedures
REPLACE 131 Rewriting
LIFT-IF 139 Changing CASES to IF
DELETE 149 Sequent management
SPLIT 236 Changing IF to a split case
USE 265 Using invariants
EXPAND 728 Using definition
FLATTEN 748 Simplify sequent
ASSERT 1224 Simplify sequent
Total: 4313
Figure 5.25: Proof statistics for first attempt at invariants.
5.5.2 Introducing Automation to the Proofs 167
environment [8] offers automation for timed automata models in PVS.
5.5.2 Introducing Automation to the Proofs
With the statistics of figure 5.25 as a baseline, we can attempt to slim down
the proofs by introducing additional automation. Two examples that occur
quite frequently in the proofs are:
• Using (case) to split an implication. The PVS command (split)
splits a sequent with an implication as follows:
(A⇒ B) ` C becomes B ` C ∧ ` A
This throws away the fact that A holds in the left branch of the proof;
hence, we often use (case) and (assert) in order to achieve:
(A⇒ B) ` C becomes A,B ` C ∧ ` A
By creating a tiny strategy (split*) that does this automatically, we
achieve two things:
1. The proof becomes shorter (in terms of user-entered steps)
2. It becomes clearer where this technique is used, i.e. it distin-
guishes these frivolous uses of (case) from ones where real new
facts are introduced.
• Splitting a CASES statement. When confronted by a large CASES state-
ment in a sequent (which is common in the proof of the biphase mark
protocol, since we have many automata with fairly large transition re-
lation expressions), it is often desirable to split it into one sequent for
every case in the expression. This has the effect of examining each
transition individually. Typically, the sequent appears as:
{-1} CASES R!1‘events(i!1) OF
delay(d) : P1
tick : P2
...
168 5.5 Proving Correctness, with Variations
This can be reduced to a collection of sequents, one for each case in
the expression, each with a specific event and transition predicate.
For instance, the second sequent to prove here would be
{-1} tick?(R!1‘events(i!1))
{-2} P2
...
This can be achieved by using (lift-if) to change the CASES state-
ment into a collection of nested IFs, and then using (split) to split the
IF statement repeatedly, with the liberal application of (flatten) and
(assert) to massage the sequent into basic shape (or prove particular
subgoals automatically). Automating this process in a single prover
command (auto-step) gives us:
1. Shorter proofs
2. A more uniform structure of the proofs
We gain additional flexibility by automatically expanding local transi-
tion statements and by using the names of local transitions, instead of
formula numbers. A typical application of the resulting strategy is to
expand and simplify the local transition for the Coder with (auto-step
(’c "Coder" )) .
After re-doing the proofs with the additional automation (and with the
knowledge that the first run of a proof in PVS is nearly always a bit messy),
the proof statistics become much smaller. For invariant groups P, Q, R and
T results are shown in figure 5.26.
This 79% reduction in the number of proof steps is partly attributable to
the increased automation afforded by the (auto-step) command. Some of
the reduction can be attributed to the difference between finding a proof
(the initial proof attempt) and polishing a proof for presentation. While
applying the increased automation to the proof we also have the benefit of
knowing how the proof is supposed to go, and we can judiciously prune the
proof of less-than-optimal proof explorations. Additionally, it occurs fairly
regularly that it is unclear whether some subtree in a proof can be proved
easily; once the proof is done it is clear that (grind) would have done the
job as well, so the re-run of a proof replaces whole subtrees with (grind).
5.5.2 Introducing Automation to the Proofs 169
Command Before After
EXISTENCE-TCC 1 1
INDUCT 1 1
SKOLEM 1 1
SPLIT* 1
ASSUMING-TCC 2 1
TYPEPRED 3 1
COMMENT 2
GRIND 9 18
SUBTYPE-TCC 9 9
CASE 10 6
PROPAX 12 2
HIDE 13 0
SPLIT 14 9
AUTO-START 16 22
SKOLEM! 17 11
LEMMA 18 9
INST 23 14
DELETE 34 17
AUTO-STEP 35
LIFT-IF 37 1
REVEAL 38 0
REPLACE 45 18
GROUND 59 23
USE 61 55
FLATTEN 75 32
EXPAND 111 24
ASSERT 217 77
Total: 826 390
Figure 5.26: Proof statistics for groups P, Q, R and T, before and after
automation.
170 5.5 Proving Correctness, with Variations
5.5.3 Summary of Automation
Once the structure of the PVS proofs for the biphase mark protocol was
clear, additional automation was introduced in order to reduce the amount
of steps used in doing the proofs. The comparisons of numbers of proof
steps with and without the automation made in the previous section sug-
gest what could have been. Future proofs with a similar structure may also
benefit from this automation, using the new proof commands that were in-
troduced:
• (split*) Handle implications in a nicer way than (split).
• (auto-start) Start an automaton proof by introducing local transition
relations.
• (auto-step) Expand and rewrite a local transition relation.
There is a trade-off, though, when doing automated proofs, between
brevity and comprehensibility. PVS’s tremendously powerful (grind) com-
mand can reduce many proofs to one step, once the proof has been found.
Using (grind) when it is unclear that the lemma is sound is unwise, since it
takes some time to grind its way through the proof, and then it can:
• Fail, returning you to the original proof state and requiring you to do
the proof by hand anyway, or
• Give you 64 (or some other large number) bizarrely formed subgoals
to prove.
Neither of these results of (grind) are really useful for advancing the proof
itself. Therefore we feel that the use of (grind) should be restricted to those
proofs that really are trivial. Somewhere in the middle lies the ideal, of a
proof that is short enough to understand and not so thoroughly automated
that it is unbelievable. The use of the Uppaal model gives similar results:
we know something is true, but not necessarily why or whether the fact is
interesting.
Consider invariant G9:
G9(R,i) : bool =
LET D = R‘states(i)‘decoder, C = R‘states(i)‘coder,
5.5.3 Summary of Automation 171
W = R‘states(i)‘wire, S = R‘states(i)‘sampler IN
D‘loc = d2 AND C‘iv =>
sample*min - mark*max <= W‘z AND W‘z < (cell-mark)*min ;
The important step in the proof of G9 is the induction step, which is
proved in the PVS lemma Gi:
Gi : LEMMA
G9(R,i) AND G3(R,i) AND G7(R,i) AND
G2(R,i) AND G6(R,i) =>
G9(R,i+1)
The proof itself uses the earlier invariant Q3, the parameter assumption
from equation 5.3 (on page 149) and an additional lemma, called Gi1. The
proof itself has the following structure:
• Start with (auto-start).
• Expand G9 itself.
• For each automaton, use (auto-step) to rewrite its local transitions
and prove trivial subcases.
• Do a little rewriting and formula manipulation, introduce the addi-
tional invariants Q3 and Gi1 that are needed to prove each step.
Without automation, the proof of G9 took 179 steps, exploring blind al-
leys, over-using (assert), and doing formula manipulation the tedious way.
With a little automation such as described in the previous section, the num-
ber of proof steps declined to 59. In this simplified proof the structure of
examining each automaton’s local transitions was very visible. Further re-
flection, though, shows that the proof can be reduced to 5 steps:
(AUTO-START T) % Deal with base case.
(LEMMA "Gi1" ("i" "j!1" "R" "R")) % Needed much later with this
(LEMMA "Q3" ("i" "j!1" "R" "R")) % particular instantiation.
(USE "SampleEarlyEnough")
(GRIND) % Let PVS do the work.
This particular proof is a good example of a type of proof commonly found
in mathematics texts: “Use lemmata Gi1, Q3 and the parameter inequalities;
the details are left to the interested reader.” In our context the interested
172 5.6 Automaton Theory for Uppaal Translation
reader is the PVS theorem prover, which works out the details. Now, this
proof might be good for verification purposes but it is certainly not the kind
of proof one can write on first setting out to prove a property like G9. It is
also not the kind of proof you would want to present as a didactic example
to show the kind of reasoning needed in a particular domain, but again, as
a succinct demonstration of truth it is fine.
This suggests that we can distinguish three flavors of proof, created
while reasoning about the biphase mark protocol:
1. Exploratory proofs when we do not know how to prove the lemma —
or even if the lemma is true. These proofs use mostly basic commands
from the PVS proof language and are rather lengthy, although each
step is very basic.
2. Polished proofs, using some automation that is built around the spe-
cific domain being studied and the framework that is in use. With
suitable (not overly case-specific) automation, the size of proofs can
be reduced over 50%, while their comprehensibility is improved be-
cause we can (for instance) replace a scattered collection of (expand),
(lift-if) and (split) with a single (auto-step) proof command.
3. Proofs that are as short as possible, for the purpose of machine veri-
fication of the lemma. These are useful for re-checking a theory after
changes have been incorporated, or as a basis for “details are left to
the reader” expositions.
5.6 Automaton Theory for Uppaal Translation
This section explains some of the reasoning behind the translation from
Uppaal diagrams (or labeled transition systems in general) into PVS. The
mechanism for implementing synchronization on shared transitions is ex-
plained in section 5.6.2.
5.6.1 Making Local Variables
Suppose two automataM1 andM2 share a variable v in the Uppaal model.
Our PVS method is based on defining a record type for the local state ofM1
5.6.1 Making Local Variables 173
a
v:=2
b
BA
v:=1
Figure 5.27: Two automata with a shared variable yet disjoint action sets.
and of M2 and defining local transition predicates as well that take only
the local state of each automaton into account. This makes implementing a
shared variable somewhat difficult.
Consider a variable v local to some automaton A. The local transition
relation for A, translated into PVS, states that the state of A remains un-
changed by any event that does not apply to A; when v is shared with an-
other automaton B, it may be that both A and B change the shared value
of v even if their sets of actions are disjoint (consider figure 5.27). In our
PVS translation, automaton A states that its state (including the value of v)
should not change at all when events take place that are not named in its
signature – that is, the event b is prevented from changing the value of v.
This makes it impossible to share v. Placing the variable v in the global
state — the record type GlobalState in our translation — makes it impossi-
ble to access v at all from the local transition relations for A and B, unless
we pass the global state to both. If we do that, then the whole advantage
of using local transitions where possible disappears. Therefore we must
either abandon the straightforward local translation we have defined in or-
der to use a simple mechanism for shared (global) variables, or keep the
simple translation and find a slightly more complicated approach for shared
variables.
We choose to keep our simple translation, since we are concerned with
creating a framework which is easy to use by hand and where the size of
the PVS expressions can be limited somewhat, i.e. forcing the user to deal
with the full global state in every step is out of the question. We give each
automaton a local copy of the variable v. When a shared variable changes
value (i.e. there is an assignment to the variable on a transition), we syn-
chronize all the automata that share that variable on the transition. The
174 5.6 Automaton Theory for Uppaal Translation
action label for the transition is augmented with the value assigned to the
shared variable. If the transition is anonymous, we invent a new label for it.
This approach works well when for each variable, there is only one au-
tomaton writing to the variable and one or more reading from it. In the
Biphase Mark Protocol model, this is the case. It is easy to show that the
shared variable has the same value in both automata.
5.6.2 Synchronization through shared events
The semantics of labeled transition systems demand that if two different
automataM1 andM2 both have a transition labeled t, then the composition
M1||M2 can perform a t only when both of the automata can perform a t.
This ensures synchronization of the automata by the transition t. Typically
this is used to ensure that both automata are in some specific location before
taking the transition t.
More generally, the parallel composition(∣∣∣∣
i
Mi
)
can perform t ⇐⇒ ∀i .Mi can perform t
where we assume that if a transition t does not appear inMi, thenMi can
always perform t, leaving its state unchanged. In our PVS model, this is
implemented as follows:
• Each automaton’s transition relation is formalized with a CASES expres-
sion that distinguishes the different transition labels. Each CASES ex-
pression contains an ELSE clause that captures all the transitions not
mentioned explicitly and asserts that the state of the automaton does
not change, e.g. each transition relation ends thus:
ELSE s_ = s
ENDCASES
• The formalization of transitions that do occur in one automaton have
the following form:
label?(t) : precondition(s) AND
effect(s,s_)
5.7 Playing with the Parameter Inequalities 175
The precondition will normally check the location of the automaton to
ensure that the transition label (i.e. t = label) can be performed. The
effect part of the predicate states how the new values of the state are
derived from the old.
• The global transition relation is the conjunction of all of the local tran-
sitions applied to their local state.
Clearly, for a transition t to be performed by the global automaton, it
must be performable by each individual automatonMi, and for that to hap-
pen either the transition t must not appear in Mi (so that the ELSE clause
applies) or the precondition on transition t in automaton Mi must be sat-
isfied. Therefore, for all the automata in which the transition t occurs, the
precondition is satisfied (and so the automaton can perform t); the remain-
ing automata do not change state at all, since they are oblivious to the tran-
sition t. This corresponds with the semantics of labeled transition systems.
5.7 Playing with the Parameter Inequalities
Now that we have formally derived a number of constraints on the protocol
parameters, it is interesting to explore the consequences of these results.
An implementer of BMP will probably have limited influence on the values of
min, max and edgelength, but (s)he may freely choose the values of cell, mark
and sample. For which values of these parameters is the bit rate maximal?
Are the conventional implementation choices indeed the optimal ones?
Rather than the specific values for the lower bound min and upper bound
max on the time between clock ticks, we find it convenient to consider the
ratio
ρ =
min
max
.
Since 0 < min ≤ max, ratio ρ is contained in the interval (0, 1]. If ρ = 1 we
have perfect hardware clocks, and the closer ρ gets to 0, the more unreliable
the clocks are. We also normalize the time edgelength with respect to the
maximum time between clock ticks:
E =
edgelength
max
.
176 5.7 Playing with the Parameter Inequalities
So E specifies the number of clock cycles the signal may remain distorted
after occurrence of an edge. Now we can rewrite the parameter constraints
(5.1), (5.2) and (5.3) into:
mark · ρ > 2 + E (5.4)
(sample− 1) · ρ > mark+ E (5.5)
cell · ρ > sample+ 2 + E (5.6)
Since ρ ∈ (0, 1] and E ≥ 0, inequality (5.4) implies mark > 2. Using this fact
in combination with inequality (5.5) implies sample > 3. Substituting this in
inequality (5.6) gives cell > 5.
5.7.1 Minimizing the Cell Size
Moore [70] assumed that the uncertain values read from the signal due to
the presence of an edge are limited to the time-span of the cycle during
which the edge was written, that is he assumed edgelength = max or equiv-
alently E = 1. With this additional assumption, the parameter inequalities
further simplify to
mark · ρ > 3 (5.7)
(sample− 1) · ρ > mark+ 1 (5.8)
cell · ρ > sample+ 3 (5.9)
Hence with ρ close to 1 the minimal values for the other parameters are
mark = 4 sample = 7 cell = 11.
Implementers prefer to use instances of BMP with
cell = 2 ·mark (5.10)
since this implies that the signal on the wire will be high approximately 50%
of the time and low 50% of the time, which is desirable from an electrical
engineering perspective (“DC balanced”). With this additional requirement,
the minimal values become
mark = 7 sample = 10 cell = 14.
5.7.2 Maximizing the Clock Tolerance 177
These unconventional choices permit a faster bit rate (since fewer cycles
are spent on each bit) than the conventional choices
mark = 16 sample = 23 cell = 32, and
mark = 8 sample = 11 cell = 16.
The next lemma states that if we assume that the cell size is twice the
mark size, inequality 5.4 becomes redundant.
Lemma 1 Inequality (5.4) follows from (in)equalities (5.10), (5.5), (5.6),
E ≥ 0 and ρ ∈ (0, 1].
Proof 1 We derive:
mark · ρ (5.10),(5.6)> sample−mark · ρ+ 2 + E
ρ∈(0,1]
≥ sample · ρ− ρ−mark+ 2 + E
(5.5)
> mark+ E −mark+ 2 + E
E≥0
≥ 2 + E.
5.7.2 Maximizing the Clock Tolerance
By combining constraints (5.4), (5.5) and (5.6) we infer a lower bound on ρ,
that is, the maximal tolerance on timing:
ρ > max(
2 + E
mark
,
mark+ E
sample− 1 ,
sample+ 2 + E
cell
) (5.11)
Figure 5.28 lists lower bounds for ρ for some example configurations, as-
suming E = 1. These numbers can be easily validated using the Uppaal
model checker. Our results significantly improve on those of Moore [70],
who obtained (for a model that is less general) a lower bound of 0.95 for ρ
for the 18-cycle version of BMP, and a lower bound of 0.97 for the conven-
tional 32-cycle version. Typical clocks used in hardware are incorrect by
less than 6 · 10−6 seconds per second [20]. Thus,
ρ ≥ 1− 6 · 10
−6
1 + 6 · 10−6 ≈ 0.99999.
This means that in practice there is no need to optimize on the lower bound
for ρ.
178 5.7 Playing with the Parameter Inequalities
cell 16 32 18 11 14
mark 8 16 5 4 7
sample 11 23 10 7 10
ρ 0.91 0.82 0.73 0.91 0.93
Figure 5.28: Lower bound on ρ for some example configurations (with E =
1).
5.7.3 Maximizing the Edge Distortion Tolerance
From a practical perspective, it is interesting to look for the maximal value
for E, since, as we will see in the next subsection, this will allow us to
optimize the bit rate. Using inequalities (5.4), (5.5) and (5.6) we infer that
E may take any value as long as:
E < min(mark · ρ− 2, (sample− 1) · ρ−mark, cell · ρ− sample− 2)(5.12)
Figure 5.29 lists upper bounds for E for some example configurations, tak-
ing a value 0.999 for ρ. If cell = 2 ·max then, by Lemma 1, the minimal value
cell 16 32 18 11 14
mark 8 16 5 4 7
sample 11 23 10 7 10
E 1.989 5.977 2.994 1.988 1.985
Figure 5.29: Upper bound on E for some example configurations (with ρ =
0.999).
for the right hand side of inequality (5.12) is reached by either the second
or third subterm of the min-expression. Since sample occurs positively in
the second term and negatively in the third term, the choice of a real num-
ber value for sample that maximizes E for this case is the one for which the
second and third term are equal:
(sample− 1) · ρ−mark = cell · ρ− sample− 2.
5.7.4 Optimizing the Bit Rate 179
The optimal (in the sense that it maximizes E) choice for sample therefore is
cell · ρ+mark+ ρ− 2
1 + ρ
This optimal value is typically slightly less than 3mark−12 since
3mark− 1
2
− cell · ρ+mark+ ρ− 2
1 + ρ
=
(1− ρ)(m+ 3)
2(1 + ρ)
≥ 0
Using this observation, we may infer that (for realistic values of ρ and m,
say ρ ≥ 0.999 and m ≤ 1000):
• When mark is odd then a strict upper bound on the value for E is
4ρmark−3mark−3
2 . If we choose for sample the (integer) value
3mark−1
2 then
E may take any value below this upper bound.
• When mark is even then a strict upper bound on the value for E is
3ρmark−2mark−4ρ
2 . If we choose for sample the (integer) value
3mark−2
2 then
E may take any value below this upper bound.
We write Eopt(mark) for the upper bound on the value of E for mark size
mark, and sampleopt(mark) for the optimal choice for sample given mark. In all
examples of figure 5.29 with cell = 2 ·max the actual value of sample equals
the optimal value (in the sense that it maximizes the upper bound on E) that
we derived.
5.7.4 Optimizing the Bit Rate
We can now generalize the results from Section 5.7.1 to a setting with arbi-
trary E. If we know E and ρ then in order to optimize the bit rate we need
to find the instance of BMP with the smallest cell size that is correct. To
obtain this instance, we just take the smallest m with Eopt(m) > E and then
set cell to 2m, mark to m, and sample to sampleopt(m).
Based on our model we conclude that the 14-cycle instance of BMP is
preferable over the 16-cycle instance that has been implemented in the In-
tel 82530 Serial Communications Controller. The 14-cycle version of the
protocol allows for a more than 14% faster bit rate, but has basically the
same tolerance for signal distortion following an edge. Also, the 30-cycle
180 5.8 Related Work and Concluding Remarks
instance of BMP probably is preferable over the conventional 32-cycle ver-
sion: it has almost the same tolerance for signal distortion after an edge
(E = 5.97 if ρ = 0.999) but allows for a more than 6% faster bit rate. Note
however that our model is quite abstract and ignores various engineering
realities like metastability, reflection, noise and distortion. Like Moore [70],
we offer our model primarily as a catalyst for thought. It is up to the engi-
neers to decide whether our model is accurate enough for the purposes at
hand.
5.8 Related Work and Concluding Remarks
Related Work A main source of inspiration for this article has been the
work of Moore [70]. The basic modeling assumptions that we use are sim-
ilar to the ones proposed by Moore, although our model is somewhat more
general: unlike Moore we allow for clock jitter in our model, and we also
drop Moore’s assumption that the distortion in the signal due to the pres-
ence of an edge is limited to the time-span of the cycle during which the
edge was written. Moore [70] developed a general model of asynchronous
communication and used this model to verify the correctness of 18 and 32
cycle instances of BMP. Interestingly, Moore did not succeed in establishing
correctness of the 16 cycle instance that has been implemented by Intel. As
we pointed out in Section 5.7.2, the bounds on timing uncertainty found by
Moore are suboptimal.
Model checkers for timed and hybrid automata have been used success-
fully to analyze various physical level communication protocols for con-
sumer electronics devices [14, 23, 38, 10, 33]. Since these protocols typ-
ically use variations of biphase mark (e.g. Manchester) an obvious idea was
to try to recast Moore’s work in a setting of timed or hybrid automata. A
first attempt in this direction was made by Ivanov & Griffioen [50], who au-
tomatically verified a few instances of BMP using the model checker HyTech.
Their model is somewhat restrictive, however, since for instance sampling
was only allowed at the end of a read cycle. In September 1999, the first
author (FV) constructed the Uppaal model that has been described in this
paper (with only a few minor differences), and gave a presentation of this
model and the derived parameter constraints during a symposium on the
occasion of the retirement of Hans Peek as professor at the University of
5.8 Related Work and Concluding Remarks 181
Nijmegen. After model and slides were made available on the web, sev-
eral researchers took up the challenge to synthesize the parameter con-
straints automatically. Bensalem et al [11] propose algorithms and methods
to compute invariants of infinite-state systems. Using their approach they
managed to synthesize versions of the last two parameter constraints for a
simplified version of our model in which theWire and Sampler automaton
have been left out. The first parameter constraint is not needed in the sim-
plified model. Henzinger, Preussig and Wong-Toi [37] succeeded to partially
synthesize our parameter constraints for BMP (they always had to fix some
parameter) by running HyTech on a manually constructed abstraction of the
model.
An independent line of research was carried out by Van Hung [46, 45].
In this work, the BMP has been modelled using Duration Calculus, and a
full parameter analysis has been carried out with PVS. Van Hung models
beginning and end of transmission, but assumes fixed clock rates (no jitter).
The parameter inequalities discovered by Van Hung are similar to ours but
with some “off by one” differences. Apparently, these differences are caused
by some counter intuitive property of the Duration Calculus model: if the
coder generates an edge, then the signal on the wire will be unreliable for
E cycles (RR in Van Hung’s terminology) starting from the last tick of the
receiver clock. We believe our timed automaton model is more realistic.
Conclusions A fascinating question for us is whether our results about
possible improvements of bit rates of the biphase mark protocol carry over
from our model to the real world. Although we believe that our model accu-
rately reflects the operation of some implementations of BPM (such as Intel
82530), there are other implementations in which the receiver operates in
a slightly different manner. In the popular AMD 85C30 Serial Communica-
tions Controller [1], for instance, clock information is recovered from the
BPM signal using a digital phase-locked loop (DPLL). The DPLL is driven by
a clock that is nominally 16 times the data rate. The DPLL uses this clock,
along with the BPM signal, to construct a receive clock for the data. De-
pending on the precise timing of edges, the receive clock counter can be
adjusted. To describe this mechanism accurately would require an adapta-
tion of our model. Apart from investigating this issue, another obvious direc-
tion for future research is to carry out a similar analysis for the Manchester
encoding protocol as it is used in e.g. the Ethernet.
182 5.8 Related Work and Concluding Remarks
Uppaal
has turned out to be an (almost) perfect tool for this type of application.
Modeling the biphase mark protocol in terms of networks of timed automata
is very natural, the graphical user interface helps to visualize the automata,
the simulator is a great help during the initial validation of the model, and
the ability of Uppaal to generate counterexamples and to replay them in the
simulator greatly helped to increase our insight in the protocol.
Several authors have explored extensions of timed automata tools that
are able to handle parametrized timed automata and to verify/synthesize
parameter constraints [44, 5, 18]. We have arrived at the conclusion that
this is probably not the way to go. Adding the feature of parameter han-
dling to model checkers greatly affects performance and reduces the size of
the systems that can be handled. Still, generation of nonlinear constraints
(like in the case of BMP) turns out to be difficult. The ability to handle com-
plex models is essential for the success of model checking technology. The
protocol discussed in the present article is very simple, but even in this
case adding additional features such as termination, bus collisions, and a
more accurate modeling of the hardware would probably push Uppaal to
its limits. In our experience, it is typically easy to come up with general
parameter constraints (linear or nonlinear) based on the counterexamples
produced by Uppaal. The challenge therefore is to verify correctness of the
parametrized system while assuming these constraints. For this, the most
promising approach in our view is via a translation of the Uppaal model to
a general purpose theorem prover such as PVS and exploitation of powerful
invariant generation methods such as the ones proposed by [12, 11]. For
practical reasons and also because we had already a manual proof of the in-
variants available, we just used PVS and not any of the additional invariant
generation methods.
The proof of the correctness of the biphase mark protocol in PVS is re-
quired since the collection of Uppaal invariants alone is not enough to es-
tablish that the parameter constraints are necessary and sufficient for the
correctness of the protocol. The formalization in PVS revealed a small omis-
sion in the invariants from the manual proof and enabled us to establish
global correctness of the protocol for all of its instances. Additionally, we
show how a small effort in the automation of proofs can produce great im-
provements in proof size and readability.
5.8 Related Work and Concluding Remarks 183
Acknowledgments: The authors would like to thank the Stan Ivanov, the
participants of the System Modeling Course at Philips Research, and espe-
cially Jozef Hooman, Martijn Hendriks and Maarten Boasson for their com-
ments on earlier version of this paper and the formalization of the biphase
mark protocol.
184 5.8 Related Work and Concluding Remarks
Bay Area Rapid
Transit
i was ridin’ on a train // and it
wasn’t bound for glory that’s for
sure. – Love and Rockets
The Bay Area Rapid Transit System (BART) is a control system for the
automated metro trains in the San Francisco Bay Area. This control
system has extensive safety requirements to insure that passengers on
the trains are not harmed by collisions or sudden changes in train speed.
The software on the trains has been verified by Sandia National Labs.
The BART system is interesting because of the hybrid dynamics of the
system, which must be taken into account when proving safety. We ap-
ply the approach described in chapter 3 to the BART system. We ensure
that the formalization is valid by translating the informal requirements
first into UML notation and then translating that into PVS. We formalize
some of the safety constraints of the system, design a controller for the
trains and then prove that that controller is safe within our formaliza-
tion.
In 2001 a Dagstuhl workshop [51] was organized on the subject of the
BART system and contributions were solicited for various approaches to
the problem of verification of the system. This chapter is the result of
our approach to the verification challenges posed by the BART system.
This chapter uses PVS 3.0
This section was written as a contribution to a Dagstuhl workshop on software-
intensive systems [51] and later published part of the book Mastering the Com-
plexity [54].
185
186 6.1 Introduction
6.1 Introduction
It is well-known from the literature that mistakes in the requirements of
a computer system propagate through all phases of the software develop-
ment process. The later a mistake is discovered, the more expensive it is to
repair. Requirements documents can be incomplete, inaccurate or inconsis-
tent, and it is important to be able to detect mistakes from all three of these
categories. Finding and repairing these defects early in the development
cycle improves the quality of the software and reduces costs.
In the embedded systems field, more than anywhere else, systems are
built for a particular environment which is reasonably well understood. Em-
bedded systems are also often safety-critical systems, meaning that their
safety properties within their expected context need to be checked with
the greatest rigor and accuracy. This implies that in particular we need an
accurate model of the environment. An environmental model can be consid-
ered part of the requirements of an embedded system because the system
is specifically intended to operate in such a context. This chapter concen-
trates on modeling the environment of an embedded system, the BART train
which is to be controlled by our embedded system. The train itself is the
environment of the embedded control system.
6.1.1 The BART system
This section reiterates the essence of the BART system. It is explained far
more extensively in the problem description handed out for the Dagstuhl
seminar [94]. The following text is from the problem description [93] by
Victor Winter.
The Bay Area Rapid Transit System, BART for short, is a metro-
politan-area train system in and around San Francisco and Oak-
land. Currently, the system runs approximately 50 trains, and
trains pass some points in the system every two-and-a-half min-
utes. In order to increase the efficiency of the system, i.e. to
run more trains over the same stretches of track in a given pe-
riod of time, an automated system, the AATC (Advanced Auto-
matic Train Controller) is being introduced. This must control
the trains by giving them speed and acceleration commands.
6.1.1 The BART system 187
Train Gap
Track
Following Train
(Train 1)
Leading Train
(Train 2)
Figure 6.1: The simplified BART system.
Safety is paramount, and the system designers are required to
prove (in some sense of the word) that the AATC system they de-
sign is safe within the limits stated by California state law.
Our simplified view of the BART system is illustrated in figure 6.1. In
this figure, two trains travel over a single track. Both trains go in the same
direction. Train 1 is considered to be under the control of the AATC. Train
1 follows train 2, and the most important safety criterion we have is that
the two trains never collide. By law, this means that the distance between
the two trains — the train gap — is never less than the Worst-Case Stopping
Distance (WCSD) of train 1; the WCSD is a function of the train speed and
other factors. The behavior of train 2, the leading train, is of no particular
interest to us, except that it does not travel backwards.
Every so often the AATC may send a command to a train, giving the train
a target speed. The train will accelerate or decelerate to the target speed
and maintain that speed until a new speed command arrives or the train
enters fail-safe mode. In the trains in San Francisco, switching from accel-
eration to braking (and vice-versa) takes 1 second at least, and the trains
maintain a speed 3.2 km/h below the target speed.
The following three paragraphs are taken from the case study document,
[94, 93], and illustrate the informal requirements which we begin with. As
informal requirements go, these are quite precise (compare for instance
with the Light Control requirements in chapter 2).
P16 The AATC system operates on 1/2-second cycles. Each half-
188 6.1 Introduction
second the station computer receives ranging and speed infor-
mation (derived from tachometer data) from the trains. It uses
that information to compute an uncertainty envelope for the loca-
tion of each train (mean and standard deviation). For this study,
assume this function works as intended and provides fully reli-
able inputs to the speed/acceleration selection problem. This in-
formation, along with track signal and track layout information,
is used to compute speed and acceleration commands.
P17 Commands are time stamped and become invalid 2 seconds
after the identified time. This time stamping (or time tagging) is
done by what is called a Message Origination Time Tag (MOTT).
When a train sends performance data back to the station, it at-
taches the time that it sends (originates) the message. When that
information is used to update the position estimate, the MOTT is
associated with that position estimate. The time stamp provides
a measure of the currency of a position estimate. When that posi-
tion estimate is used to compute a speed/acceleration command,
that MOTT is attached to the command. The train then checks
the MOTT before exercising a command. A train will continue
to exercise that command until a new one arrives or until that
command expires, 2 seconds after the originating time.
P18 If the train does not have a currently valid command, it goes
into maximum braking. The control algorithms thus have to be
designed so that if all communications are lost, then when com-
mands expire and trains come to a stop, no safety violations will
have occurred. That is, the stopping location of any train after
lost communications, has timed out, and has come to a stop will
be (1) behind any closed gates and (2) behind the rear end of
any trains ahead. This sequence of events, along with a very
pessimistic definition of how long it physically takes to stop a
train once braking begins, defines what is called the “Worst-Case
Stopping Profile.” Similarly, the control algorithms have to be de-
signed so that whatever happens, the train must not exceed any
track speed limits.
In the rest of this section, when we refer to paragraphs Px, the para-
graph numbers are from the published version of the problem description,
6.1.1 The BART system 189
[94].
Simplifications: Our model of the BART system contains a number of sim-
plifications that are very important to the “faithfulness” of the model with
respect to the real system. This lack of faithfulness — and in particular some
assumptions about trains which are better than the trains are in real-life —
means that our model is not conservative with respect to safety. Conclu-
sions drawn on the basis of this model need not apply in the real world.
These simplifications are: the track is assumed to be flat, trains always
accelerate or decelerate at a fixed rate a and no jerk rate (derivative of ac-
celeration) is taken into account, and trains match the target speed exactly
(instead of remaining 3.2 km/h below the requested speed).
The WCSD of a train — a terribly pessimistic estimate of how far the
train will travel before it comes to a complete stop — is a function of the
speed of the train. The true calculation of the WCSD in the BART system
takes track grade and slipperiness into account. In our simplified view of
the BART system, all the tracks are flat and dry.
Both trains send data to the AATC every half-second. This information
includes the train’s position and speed. The AATC records this information.
In the real BART system, the position and speed are subject to some uncer-
tainty, and status reports can get lost. Our simplified version of the BART
system does not lose messages and the position reports are considered to
be entirely accurate.
Structure of this Chapter
In section 6.2, we turn to the approach to modeling the system. We de-
tail how we proceed with respect to validation of the translation into UML.
Section 6.3 concentrates on the initial translation of the informal require-
ments. Here we translate the physics and other behavior of the train into
UML. The design of a controller to steer the (model) trains is constructed in
section 6.4 and proved to be correct within the model. Finally, section 6.5
states the most interesting results of our modeling and verification effort.
190 6.2 Approach to the BART System
Boundary Model the
Environment
Properties
Formalize
High−Level
Design High−Level
Verification
Find System
Figure 6.2: Overview of our approach to the case study.
6.2 Approach to the BART System
In this section we explain the steps of our approach in more detail. Some
steps which are performed minimally for the BART case study are mentioned
only briefly, with references to other chapters in this thesis. A high-level
overview of our approach with its five steps is shown in figure 6.2.
Our five-step approach aims to produce a high-quality semi-formal re-
quirements document that can be used for further development. In this
chapter, we focus upon step 2, modeling the environment, while demon-
strating the remaining steps. The last two steps, High-Level Design and
Verification, could be considered part of a later phase of development.
1. Clearly separate the system under development from the environment
in which it will operate.
2. Model the environment in a formal fashion. We apply several itera-
tions of the construct-and-validate approach described in section 6.2.3
below to analyze and validate the environment model.
3. State the properties (e.g. safety, functionality) which the system under
development is required to realize in its environment.
4. Do some very limited high-level design of the system under develop-
ment (e.g. develop a controller for the system).
5. Check the properties (i.e. prove that they hold in the model) against
the high-level design and environmental model.
6.2.1 Notation and Tools 191
The last two steps are not essential to the formalization of the requirements,
but serve as useful additional checks that the requirements are consistent
and realizable. In addition, the high-level design could be used in further
development.
We wish to demonstrate that our 5-step approach with its iterative ap-
proach in each step — especially the iterative approach to the formalization
of the environment — is a useful tool in improving the quality of a require-
ments document. In particular, we hope to identify and resolve incomplete-
ness, inaccuracy and inconsistency within the given informal document.
In order to perform all five steps of our method within the space of this
chapter we have selected a small but representative part of the BART case
study to examine. We have chosen to model the behavior of the trains of the
BART system with a somewhat simplified physics. We restrict ourselves to
the single desirable safety property that trains should not collide with each
other. We ignore track grade and weather conditions throughout this whole
chapter. We are not concerned with getting trains from station to station in
a timely manner; only that they travel safely. This limited scope allows us to
demonstrate all the steps of our method.
6.2.1 Notation and Tools
Our approach is in principle independent of any particular notation. Any
real application, though, needs an agreed-upon notation. The notation must
be usable for further software development and be sufficiently formal for
analysis.
The Unified Modeling Language (UML) is a reasonable choice for no-
tation for our method. Since UML is becoming the standard notation for
industrial software development, using it has the advantage of connecting
well with the rest of the development process. In addition, there is ongoing
work [89, 57] on giving parts of the language a formal semantics so it is
usable for analysis as well.
To analyze a requirements specification (meaning the semi-formalized
UML representation, not the informal requirements document we started
with) in a formal fashion naturally requires a formal representation of the
UML model. We will naturally represent the UML diagrams in PVS as au-
tomata using our automata framework from chapter 3. Since we are dealing
with hybrid automata we will use the approach to hybrid automata advo-
192 6.2 Approach to the BART System
cated in section 3.5.
Our use of the UML and PVS in formalizing the requirements is:
1. We draw a UML Use-Case Diagram in order to delineate the border
between the system and the environment. This is often unclear in
informal requirements documents, where details of both system and
environment are mixed together. Both Class Diagrams and Message
Sequence Charts are used to discover the border and to document
details of that border. We detail this step in section 6.2.2 and apply it
in section 6.3.1.
2. The development of a model of the environment proceeds iteratively:
we alternate between phases of construction (finding structure and
behavior) and phases of validation (tracing, checking form and check-
ing meaning). Structure is captured in Class Diagrams, while behavior
is written down using State Charts.
Details may be seen in section 6.2.3.
3. Formalizing properties of the system under development is an activity
that proceeds iteratively much like the development of the environ-
mental model. This step produces mathematical formulas stating rela-
tionships between quantities mentioned in the Class Diagrams. In this
chapter we do little work with the requirements themselves; see the
Light-Control case study in chapter 2 for a detailed illustration of how
we deal with formalizing the properties of an embedded system.
4. High-level design is beyond the scope of this chapter. Our demonstra-
tion here is limited to a single iteration of the constructive phases of
our approach to step 2. Our high-level design consists of more Class
Diagrams and State Charts, similar to our model of the environment.
We claim that this design (of a train controller) is safe.
5. Checking properties (i.e. proving the correctness of the system as de-
signed) is beyond the scope of this chapter. We will give a small
demonstration, though, by proving that the simple AATC design pro-
duced in step 4 satisfies our definition of safe.
This chapter therefore concentrates on step 2, the problem of formalizing
the environment of the system under development. The particulars of our
approach will be explained below.
6.2.2 Finding the System Boundary 193
6.2.2 Finding the System Boundary
In the first step of our approach we draw up a Use-Case Diagram to doc-
ument the system boundary and the actors that interact directly with the
system. Almost every UML method begins with drawing up Use-Case Dia-
grams, and any good UML book, such as [73], contains a description of how
to go about drawing such a diagram.
In the case of embedded controllers, we scan the informal requirements
document for phrases like “the controller” or “the control system,” and we
use those phrases to help us determine what is the control system that needs
to be designed and what is the rest of the system that needs to be controlled.
In the Use-Case Diagram itself, we denote the system by a dashed box,
labeled with the name of the system. Around the outside of the box we place
stick figures representing actors — (semi-) autonomous entities outside the
system itself that interact with the system. In most UML applications the
actors are real people using an application program to interact with the
system, but in embedded controllers the actors can be external mechanical
devices, sensors, applications, or computer equipment.
It is important to note that actors portray roles that are played by iden-
tifiable entities outside the system, i.e. a single physical entity may be por-
trayed by several actors in the Use-Case Diagram. A single actor may rep-
resent several physical devices external to the system all of which play the
same (or similar) roles.
If the informal requirements document includes requirements for the
system under development, we can try to write these as goals that the actors
want to realize by using the system. In a train control system, for example,
“get train to station on time,” could be a goal. These goals are drawn in
ovals within the system boundary, and attached to the actors (roles) that
are concerned with that goal.
In this chapter, we create the Use-Case Diagram by quickly reading the
informal requirements document and drawing actors as we come across
them; figure 6.5 in section 6.3.1 shows the results. The Use-Case Diagram
is subject to revisions as we take more or less of the informal document into
account.
194 6.2 Approach to the BART System
Validation
Behavior
Checking
Form
Checking
Meaning
Structuring
Tracing
Construction
Finding
Figure 6.3: Overview of the phases of the Modeling Step.
6.2.3 Modeling the Environment
The second step of our approach, modeling the environment, is the primary
focus of this entire chapter. We will refer to this step as “the modeling step.”
The modeling step gradually constructs a model of the environment of
the system under development. The phases are shown in figure 6.3, below.
The phases of this step can be divided into constructive phases, where we
draw new diagrams or change old ones, and validation phases, where we
check that the diagrams we have made are sensible with respect to the en-
vironment we are modeling. The various phases may easily be compared
to the steps of the waterfall model; unlike the waterfall model we insist on
iteration and no fixed path through the various phases. There is a recom-
mended path which seems to yield good results, but we will not be dogmatic
about it.
Figure 6.3 shows that we begin with a structuring phase, followed by
a phase in which we look for behavior to formalize. After these first two
constructive steps, we can perform any of the validation steps or continue
6.2.3 Modeling the Environment 195
constructing diagrams as we see fit. It is useful to have completed a tracing
phase at least once before entering the checking forms phase, and similarly
it is useful to check the form before checking the properties of the diagrams.
Once we feel we have done enough validation, we call the diagrams finished
and move on to the next step of our approach.
Structuring phase: The structuring phase adds details about the actors
in the environment to our diagrams. This phase produces Class Diagrams
and Message Sequence Charts. The Message Sequence Charts are used to
document the communication between the actors and the system. Once the
communication paths are clear, we can add details about the various actors
in a Class Diagram.
A Message Sequence Chart is a diagram that represents an interaction
between environmental entities and the system under development. An in-
teraction shows how a particular goal can be reached. The Message Se-
quence Chart shows only the messages exchanged between entities and the
system, not the internal actions of each. A Message Sequence Chart shows
a typical sequence of messages used to realize some goal, not necessarily
the only way of doing so, and it does not exclude other interactions not
shown in the Message Sequence Chart.
A Message Sequence Chart is immediately useful in determining some
of the structure of the system because it shows us which messages (at the
very least) the various entities in the environment can send and receive, and
similarly it shows what messages are sent and received by the system under
development. These details can be conveniently noted in a Class Diagram.
A Class Diagram defines the interfaces involved in the system and the
environment. For every actor (role) we draw a class in the Class Diagram.
A class has a list of messages that instances of the class can receive and
a collection of variables. These variables usually represent properties or
qualities that may vary per instance of the class and that are visible to the
external world of that instance.
The Class Diagram shows us what kind of things there are in the system
and its environment. Together with the Use-Case Diagram, this gives us an
overview of the structure of the system. The Class Diagram is the important
result of this phase of the modeling step. The Message Sequence Charts are
byproducts, but will be useful in the next phase as well.
196 6.2 Approach to the BART System
Finding Behavior: The behavioral phase adds details concerning the be-
havior of every part of the environment. Every class discovered in the struc-
turing phase should have at least one State Chart attached to it. Such a
State Chart documents exactly how an instance of a class reacts to incom-
ing messages and what changes in variable values occur.
A State Chart consists of a number of states with transitions between
them, and is one way of representing a labeled transition system or automa-
ton as described in section 3.2. There is a large body of literature about
the exact semantics of State Charts. The graphical language of the Uppaal
model-checking tool is obviously related to that of State Charts. There are
many pathological cases that can be considered and choices to be made.
We will avoid pathological cases and draw only “flat” State Charts in this
chapter that are easy to understand.
Our interpretation of flat State Chart semantics is as follows:
• An empty or absent guard is considered “true.”
• When a message arrives, transitions labeled with it are taken immedi-
ately, if their guards are satisfied.
• The actions on a transition are performed instantaneously, along with
the sending of messages.
• Transitions with no trigger are taken as soon as their guards are true.
We also extend standard UML State Charts with a number of notations
in order to be able to formalize the dynamic behavior of the trains: the
most important extension is that we add the notion of time to State Charts.
While (an instance of a class with) a State Chart remains in a particular
state, time passes. This is made explicit within the State Chart by adding
timer variables both to the Class Diagram and the State Chart. In addition,
we can annotate states with differential equations such that some variables
change their value continuously as time passes. These equations are noted
as actions within a state, e.g. / dv/dt = a. The semantics of these extensions
(compatible with our notation in section 3.2) are:
• Timer resets on transitions occur instantaneously.
• In a state, time may pass. As time passes, all timers advance uniformly.
Continuous variables change according to the differential equations (if
any) in the state.
6.2.3 Modeling the Environment 197
[time=10]
Long
/ dtime/dt = 1 / dtime/dt = 1
NotLong
triggerEvent
/ time:=0
Figure 6.4: Sample of a State Chart with extensions.
• Time can pass only as long as no transitions become possible.
The last semantic rule means that we can write guards based on timer
values or on continuous variables in order to exit a state as soon as the timer
or continuous value meets the guard condition. Figure 6.4 shows a State
Chart using our extensions. Because of the timer reset on the transition to
the state NotLong and the guard on the transition out of that state, we see
that we remain in the NotLong state for exactly 10 time units.
There is much work elsewhere on formalizing the exact meaning of a
State Chart in a real-time setting. Our formalization is rather ad-hoc and
does not address any of the pathological cases of State Chart construction.
The real-time UML profile is an official attempt at extending State Charts
with useful notation for real-time systems and a semantics.
Validation Phases: After the first two construction phases, we have a
body of Class Diagrams each with one or more State Charts attached. This
gives us both the structure of the environment and the behavior of individual
parts of it.
The next three phases basically check the products of the first two. A
number of standard questions is asked, and the answers given can be used
to modify the diagrams or the informal document. The checking phases
can be done in any order desired, or in parallel. It is sensible, though, to do
them in the order listed because of the amount of effort involved, i.e. there is
not much sense doing a long complicated verification phase if tracing later
shows that we have forgotten to read a chapter of the informal requirements
document.
198 6.2 Approach to the BART System
Tracing Phase: The tracing phase asks the question “have we been suffi-
ciently accurate in producing the formal description from the informal speci-
fication?” This is answered by documenting where all the diagram elements
come from in the construction phases. Ideally, we tag every element of
the UML diagrams with a paragraph or page number referring to the infor-
mal document. This justifies each diagram element and provides a trace of
where it came from.
The other side of accuracy is completeness. We need to check that every
paragraph of the informal document has been considered and that that the
relevant information from each paragraph has been used. In order to doc-
ument this, we draw up a list of paragraph numbers and for each we state
where it has been used or why it is irrelevant. This provides another form of
traceability: from parts of the informal specification to diagram elements.
This is particularly helpful if changes are made to the informal document
(for example, due to questions raised in later phases) and we need to adjust
the diagrams in a consistent manner.
Form Checking Phase: The phase where we check the form of the dia-
grams asks questions related to the truthfulness of the model with respect
to itself. These questions can be answered by looking at the diagrams with-
out understanding their meaning within the system being modeled, only
their meaning as diagrams.
There are simple checks that can be performed on the State Charts in
the model that should be performed. Again, these are questions related to
the form of the diagrams, and they can be answered almost mechanically.
• Does the system react to incoming messages in every state?
• Are the guards on transitions consistent and complete?
• Are all assignments to timer variables really reset assignments?
For models of physical systems with hybrid behavior we need additional
checks of the hybrid behavior: we need to check that variables that repre-
sent some physical quantity are used in a consistent manner, i.e. if x rep-
resents the physical position of an object, then the object cannot move dis-
continuously through an assignment. This is similar to the check for timer
variables, which are just a special case of continuous variables.
6.2.4 Formalizing Properties 199
Checking Meaning: This phase asks us to judge whether the model is
good enough. It requires a thorough understanding of both the model and
the system being modeled. Thus far we have checked that the formal model
is accurate and thorough with respect to the informal document (tracing)
and that it is internally consistent (checking form). In this phase we ask
whether the model is consistent with the actual environment described in
the informal document.
The basic questions to ask in this section are: “The model predicts such-
and-such. Does this happen in the real world as well?” and the converse
“We observe such-and-such in the real world environment. Does the same
thing happen in the model?” The best thing to do is to confer with a domain
expert again about the model of the environment; this time, instead of work-
ing from the informal document towards the formal model, work from the
formal model towards the real world. For the purpose of answering these
questions, simulation techniques can be used. A simulation allows you to
see how the model of the system behaves. Most model checkers include
simulation tools as well.
Once we have finished this step of our approach, we have a Use-Case
Diagram stating the high-level goals of the system to be built and how those
goals relate to various parts of the environment. We also have a Class Di-
agram that formalizes the structure of the entities in the system and the
environment, and for each class we have one or more State Charts that for-
malizes the behavior of instances of the class. Each of these diagrams has
been validated through one of the steps of the validation phase, so we can
be fairly confident that the diagrams accurately reflect the requirements.
6.2.4 Formalizing Properties
The formalization of the properties of the system is not a topic in this chap-
ter. For every high-level goal in the Use-Case Diagram, we can write a
mathematical formula based on variables from actor instances and the sys-
tem itself. See chapter 2 for a more in-depth look at the formalization of
properties for the system.
200 6.3 Application to the BART System
6.2.5 High-Level Design and Verification
High-Level design and verification need not be considered part of our re-
quirements improvement approach. However, they do serve as a final check
that the requirements that have been developed are sensible.
In this chapter, our design will be in the form of a State Chart for the
behavior of the control system. Our verification consists of translating all
the diagrams into the language of the PVS theorem-prover and proving that
the design satisfies the properties formalized in the previous step.
6.3 Application to the BART System
As a demonstration of our approach and its usefulness in finding mistakes
in a requirements document, we will apply it to the BART / AATC case study.
In section 6.1.1 we selected a representative part of the case study for our
approach: we chose to model only the trains of the BART system. Of course,
we could only make this choice after reading the informal requirements
document and performing the first step of our approach, finding the sys-
tem boundary. Our report on the first step in section 6.3.1 below therefore
includes this selection process.
Based on our choices in section 6.3.1, some parts of the informal doc-
ument become irrelevant. For example, the document mentions gates and
track segments, but these are not important for the behavior of the BART
trains. We ignore them.
After finding the system boundary and choosing what we will model, we
continue by modeling the environment of the system in section 6.3.2. From
there we proceed to design an AATC controller system in section 6.4. The
safety of this controller is verified in section 6.4.2.
6.3.1 Step 1: Finding the System Boundary
Quickly reading the informal requirements document leads us to skip para-
graphs P1–P9 because they provide only background information and set
the stage for this case study. Paragraph P10 is the first paragraph explain-
ing technical details of the BART system. It names three parts: the station
computer, the communications network, and the train(s) in the system. The
same paragraph mentions that the train has both brakes and motors.
6.3.1 Step 1: Finding the System Boundary 201
AATC System
Never Collide
with Leading Train
Obey Speed
Limits
Stop at Stations
Provide a
Smooth Ride
Train
Figure 6.5: Use-case overview based on P10, P14, P50.
The AATC system’s environment is made up of the trains that it controls.
From a UML point of view, this means that the trains are actors — things
outside of the system itself that cooperate with the system to achieve some
goal. This is a fact we can find in P5, P10 and P12. The AATC’s high-level
goal is to provide safe and comfortable passenger train service in the Bay
Area. We can break this high-level goal down into a number of sub-goals
which can be represented by a UML Use-Case Diagram. This is shown in
figure 6.5. The goals come from paragraph P14.
Paragraph P12 suggests that the communications network is perfect,
i.e. messages sent through the network arrive in order, with no delay, and
no messages are ever lost. Therefore we will abstract away the commu-
nications system and allow the environment to communicate directly with
the AATC system. Similarly, we could model the brakes and the motors sep-
arately (insofar as they are really separate; the informal document never
makes that clear) but it seems to add a lot of complexity without adding
interesting behavior.
This high-level view of the system in figure 6.5 contains too many goals
to be realizable and checkable within this chapter, while at the same time
202 6.3 Application to the BART System
Train
Train
Controller
Never Collide
with Leading Train
Train
Sensors
Motor and
Brakes
AATC System
Figure 6.6: Use-Case Diagram simplified, based on P10, P11, P16.
the level of detail related to the environment is too low. Reading paragraphs
P10, P11, P16 shows that the environment of the AATC system, while phys-
ically contained completely within a train “consist,” logically has two parts:
the physical part of the train (a large piece of metal that is constrained by
the laws of physics) and a train controller (a computer inside the physical
train) that manipulates the brakes and motors of the train in response to
commands sent by the AATC system.
We simplify the system by ignoring the goals of the system except “never
collide with leading train.” We elaborate the actors involved in order to
illustrate the logical construction of the train. This is shown in figure 6.6.
6.3.2 Step 2: Model the Environment
Our goals for this step of the approach are to produce a Class Diagram for
the system as a whole, and State Charts for each class. We will run through
the five phases of modeling the environment.
Structuring
This phase is concerned with drawing a Class Diagram for the entire system.
In order to detail the interfaces involved, we draw some Message Sequence
6.3.2 Step 2: Model the Environment 203
command(MOTT,rv,ra)
status(MOTT,x,v) command(MOTT,rv,ra)
Train AATC
Train
Controller
50
0m
s
status(MOTT,x,v)
Figure 6.7: Messages sent between system and environment.
Charts as well. This entire section is based on P15–P17.
Paragraph P15 mentions some of the messages that are sent through
the communications network of the BART system: trains send sensor data
(P16) and the stations send speed and acceleration commands (P17).
The interface between the Train actor and the AATC system is related
to the status reports mentioned in P16: the train sends speed and ranging
information to the AATC, along with a time-stamp. The commands are sent
back to the train controller since those commands need to be interpreted
as motor or brake commands before they can affect the train itself. For
the interfaces between the actors and the AATC system, a message passing
interface makes sense, since real messages are being sent over a radio link.
There is no other communication between the train (or its controller)
and the AATC system. Figure 6.7 shows the messages passed in the system.
Note that the physical part of the train sends messages but receives none;
the train controller receives messages but sends none.
The interface between the actors — between the physical parts of the
train and the train controller — is not suited to message passing. The train
controller continuously influences the train by varying the acceleration im-
parted on the train by the brakes and motors. For this interface, we use
some shared variables which are set by the train controller and read by the
physical train.
Now that we have identified the messages that are used to communicate
between our system and the environment (the actors), we can draw a Class
204 6.3 Application to the BART System
Controller
cmd(LMOT,rv,ra)
AATC
status(MOTT,x,v)
Train
Sensors
Motors and Brakes
Figure 6.8: Class Diagram for actors.
Diagram for the AATC system’s environment. This formalizes the interfaces
that are used. Each class lists the messages that it can receive. The Class
Diagram can be used to collect information contained implicitly in other
diagrams, and refers to other diagrams for clarification. Figure 6.8 shows
a first attempt at a Class Diagram that shows all the actors, the system and
their interfaces.
Finding Behavior
This section adds State Charts to the classes found in the previous section.
Each class in figure 6.8 will have its behavior described in terms of one
or more State Charts. It turns out that some classes benefit, in terms of
complexity, from using more than one State Chart to describe their behavior.
The first part of this section is concerned with the physical behavior of the
Train class. The second part shows how messages to the Train Controller
class are handled.
Common sense tells us that the train has a certain position and speed.
These are the real physical attributes of the train, and they change contin-
uously. We use our extensions to the State Chart notation to denote these
continuously variable values. We use x for the train’s position and v for
its speed. In addition, the maximal jerk rate that the motors can exert in-
fluences the acceleration of the train. We will write j for the jerk rate.
The differential equations are straightforward. This leads to an initial State
Chart for the train physics as shown in figure 6.9.
Looking at P16, we see that the station receives sensor data from the
6.3.2 Step 2: Model the Environment 205
/ dx/dt = v
/ dv/dt = a
/ da/dt = j
Figure 6.9: Train Physics. The variables x, v, a and j are represent the
train’s position, speed, acceleration and jerk.
trains every half second. We will interpret this to mean that the train sends
the data every half second and that the station then receives it. This means
we need to add a timer and a transition such that every half second the train
sends its position and speed to the AATC. We will call this timer ta. This
leads us to add a transition from the lone state in figure 6.9 to itself. We
choose milliseconds as the unit of time, so half a second is 500 time units.
Therefore the guard on this new transition can be written as [ta=500]. and
this transition must be taken every 500ms.
Looking at the next paragraph of the informal specification, P17, we see
that the status message also carries a timestamp MOTT. This means that
the train must have a local clock in order to report the time. We will call
the timer that records the local time in the train twc, for Train Wall Clock.
The status message that is sent to the AATC system carries the position and
speed as well as the value of the twc timer when the message is sent. Adding
the transition to the State Chart for the Train class yields figure6.10.
Handling command messages Under normal circumstances, the train
regularly (every 500ms) receives a command message from the AATC carry-
ing a desired speed and acceleration. P16–P17 tell us that each message
carries a time-stamp: the time stamp of the last status report received from
the train by the AATC system.
The values received from the AATC need to be stored so that the train
controller can act upon them. The state regular operation in figure 6.11
captures this behavior. It has a transition to itself that is triggered by the
206 6.3 Application to the BART System
[ta=500] / ta:=0 ^ AATC.status(twc,x,v)
/ ta:=0
/ dx/dt = v
/ dv/dt = a
/ da/dt = j
Figure 6.10: Train behavior with status reporting.
[twc−pmot>=2000] 
Regular
Operation
/ pmot:=0 cmd(LMOT,mv,ma) / pmot:=LMOT, rv:=mv, ra:=ma
Failsafe
Mode
/ rv:=0, ra:=−3mphps
Figure 6.11: Train Controller behavior for command messages.
receipt of a new command message. We use the variables pmot (previous
message origination time) and rv and ra (requested speed and acceleration,
respectively) to store these incoming values. The starting state is chosen
such that the train begins with a requested speed of zero, i.e. it should
remain at rest.
If no commands arrive, then eventually the train should enter fail-safe
stop mode, as mentioned in P18. It does this when the last command re-
ceived has a timestamp more than two seconds old. The two seconds are
measured between the value of the twc timer and the pmot value. The vari-
able pmot holds the timestamp of the last command received. The guard,
then, for the fail-safe mode is [twc-pmot≥2000]. When the train enters fail-
safe stop mode, it tries to begin braking by setting rv and ra to suitable
values. All this is shown in figure 6.11.
Controlling Brakes and Motors The train controller handles configuring
both the motors and the brakes (which, due to regenerative braking, may
6.3.2 Step 2: Model the Environment 207
be the same physical device). We assume two predicate methods motorEn-
gaged() and brakeEngaged() that state when the brakes or motor are en-
gaged. These are necessary because the informal requirements document
does not state exactly how long it takes to engage or disengage the brakes
and motors, nor does it state under what conditions the motors and brakes
can be considered to be disengaged. When the motors and brakes are dis-
engaged, the physical unit may be reconfigured for braking or acceleration.
Some time is spent reconfiguring the unit; during this mode change, timer
tc is used to track the delay. The delay is stated to be 1000ms in P35, P36.
Diagram 6.12 shows our State Chart for controlling the motors and brakes.
This diagram is still fairly “high-level” since we have omitted details of
exactly how the the jerk rate is set when the motor or brakes are activated.
We have used functions fb1, fb2, fa1 and fa2 as placeholders for the real
behavior of the brakes and motors.
Intermission: Updating the Class Diagram
Each of the State Charts we have drawn states (part of) the behavior of one
of the classes from our Class Diagram in figure 6.8. Since the State Charts
have introduced variables and the passage of time introduces timers, we
will need to add these variables and timers to the Class Diagram.
The train controller and the train itself both have timers, twc, ta and tc.
The train itself variables x, v, the acceleration a and the jerk rate j. All
these variables are added to the Train class from Class Diagram 6.8. We
aggregate the status reporting and brakes and motors classes entirely into
the Train class, since the degree of coupling between the two is large. This
leads to a new and expanded Class Diagram, which is shown in figure 6.13.
Tracing
This section shows the operation of the tracing phase of our approach. As
stated in the overview of our approach in section 6.2.1, this is a largely
administrative phase. Readers interested in the results of this phase without
the tedious justification can skip to “Issues Raised,” on page 210.
Sections 1 through 3 of the informal specification, P1–P9, are general
introductory paragraphs and contain no important information for our view
of the environment of the AATC system. Section 4 is heavily used: P10–P15
208 6.3 Application to the BART System
Brake
Change to
Mode
Disengaged
Motor
Change to
Mode
Brake
Mode
/ j:=fb1(rv,ra) / j:=fb2(rv,ra)
Disengaging
Brakes
/ ra:=0
/ rv:=0
Disengaging
Motor
/ j:=fa2(rv,ra)
Acceleration
Mode
/ j:=fa1(rv,ra)
[rv<v]
[rv>v]
[tc=1000]
/ tc:=0
/ tc:=0
[rv>v]
[tc=1000]
[rv<v]
[!brakeEngaged()]
[!motorEngaged()]
Figure 6.12: Train Controller behavior controlling motors and brakes.
rv,ra : Real
tc : Timer
Controller
cmd(LMOT,rv,ra)x,v,a : Real
j : Real
ta,twc : Timer
Train AATC
status(MOTT,x,v)
pmot : Time
Figure 6.13: Class diagram showing all variables.
6.3.2 Step 2: Model the Environment 209
were used to create diagram 6.5 or indicate what is not to be considered
part of the case study. P13 is not used because it concerns the interlocking
of track segments, not train safety. P16–P18 are used in diagrams 6.10
and 6.11. The remainder of section 4, P19–P22, is concerned with the
physical division of the AATC system and not relevant for our description of
the environment.
Section 5 of the informal document has not been used much: P23 de-
scribes the information that the AATC has to work with, but this just repeats
P16. P24 defines the high-level goals present in our Use-Case Diagram 6.6,
P25 and P26 describe gate information which is uninteresting for our view
of the system. Finally, P27 reiterates P17 with considerably more detail.
P28 is a one-line filler paragraph.
Section 6 contains some details not yet taken into account: P29 de-
scribes details of the function fa1 which is used in diagram 6.12. It is stated
in P29 that the train can coast in propulsion mode, so it is possible that
there is no “Disengaged” state as shown in the diagram. P30 states that
the train will initiate braking to prevent speeding, which is reflected in
the guard rv < v on the transition from the “Acceleration Mode” state to
“Disengaging Motor.” This transition can be taken in response to a com-
mand which changes the requested speed of the train, or in response to the
train reaching too great a speed (for example, as a result of rolling down
a hill). We assume that the train will also initiate acceleration to achieve
the requested speed whenever it is in braking mode and going too slow.
P31 states that trains can enter open-loop braking and brake at 3mphps;
the transition to fail-safe mode in diagram 6.11 reflects that. It is unclear,
though, whether the mode-change delay applies to open-loop braking as
well, and whether it is possible to exit from open-loop braking mode with-
out a system reset. P32 and P33 remind us that rain is an important fac-
tor in reducing brake rates, but our simplified view of the system assumes
dry flat track. P34 repeats information already available in P27. P35 and
P36 define the mode-change delay, which is incorporated into diagram 6.12
by including the mode-change states and the predicate methods motorEn-
gaged() and brakeEngaged() functions. Finally, P37 reminds us that we may
idealize the physics of the trains to some extent.
The section on the worst-case stopping profile of the train is not relevant
for our description of the actual behavior of the train, but is relevant for
the design of the AATC system itself. The train stops when its speed reaches
210 6.3 Application to the BART System
zero; the WCSD is the distance that the system must assume that it will
take to do so. This makes P38–P49 unimportant for our formalization at
this moment. Similarly, all of sections 8 (P50–P55) and 9 (P56–P65) are
concerned with qualitative and quantitative aspects of the commands to be
sent to the trains, and are therefore not relevant now.
The questions-and-answers section is relevant for the behavior of the
trains, since P66 states that trains can never go backwards (even if, for
example, they are in coast-mode while resting on an up-grade of 4%). This
obviously means that the differential equations used to describe the train in
diagram 6.11 are not entirely accurate: a negative v is impossible. While
P67–P70 are irrelevant, P71 shows that the state “Disengaged” in diagram
6.12 does not exist in the train itself. This means some minor changes in the
diagram are needed. P72–P78 again are not concerned with the specific
behavior of the trains, and therefore unimportant for the formalization of
the environment of the AATC system.
This concludes our survey of all of the paragraphs of the informal re-
quirements specification. We have traced each paragraph to a specific part
of our formalization or explained why the paragraph is irrelevant. Each
part of the formal specification comes from documented parts of the infor-
mal specification, so the formalization is traceable.
Issues Raised After re-reading the informal specification there are six
distinct changes that need to be made to the diagrams in order to reflect
new knowledge:
1. The train’s behavior while accelerating is more complex than docu-
mented in the diagram. This issue will be resolved in section 6.3.2.
2. The disengaged state in figure 6.12 should not be there. Except dur-
ing mode changes, the propulsion unit is always configured for either
braking or acceleration. It is possible to coast in acceleration mode,
though. We will repair this diagram in section 6.3.2 as well.
3. The transition out of braking mode is assumed to be taken also when
the train brakes to below the requested speed. It should be docu-
mented as such. This too is resolved in section 6.3.2.
4. Open-loop braking may need to be treated differently from normal
braking. This issue will not be resolved.
6.3.2 Step 2: Model the Environment 211
Failsafe
Mode
cmd(LMOT,mv,ma)
/ pmot:=LMOT, rv:=mv, ra:=ma
Operation
Regular [twc−pmot>=2000] 
/ rv:=0, ra:=−3mphps
/ pmot:=0 cmd(LMOT,mv,ma) / pmot:=LMOT, rv:=mv, ra:=ma
Figure 6.14: Train Controller (messages) behavior.
5. The differential equations describing the train’s physics need to be
extended to handle the “no backwards” behavior. This will not be re-
solved in our UML diagrams, but only in the PVS formalization. It turns
out to be a useful simplification for our formal verification.
One final consideration not directly related to the tracing phase, but which
is raised by re-reading the informal document, is the following:
6. The behavior of the status mechanism, from P16 seems straightfor-
ward. However, the paragraph in question opens with “the AATC sys-
tem operates on 1/2-second cycles.” Our assumption that this means
that the trains send sensor data every half second may not be accurate
at all, since the sentence makes no statement about how often trains
send status messages. Perhaps the AATC system sends new commands
every half-second, based on whatever information it has about trains.
This is not a question we can resolve ourselves.
Intermission: Updating the State Charts
Now that we have asked a number of questions and answered most, we can
re-do the UML diagrams describing the train’s behavior.
The physical behavior of the train has not changed, so figure 6.10 re-
mains unchanged. Figure 6.11 is modified by adding a transition back to
the “Regular Operation” state, yielding figure 6.14, below.
Finally, the diagram for the train controller controlling the motors and
brakes is considerably revised. There are additional states dealing with the
specialized acceleration behavior of the train, and the “Disengaged” state
212 6.3 Application to the BART System
has disappeared. The function fa1 has been split into three parts, fm1,
fm2 and fm3 depending on the state of the train, in order to implement the
different acceleration profiles mentioned in P29 and P30.
The three guards PD, PN and PC in figure 6.15 are defined as:
PD ≡ v < rv − 7mph
PN ≡ rv − 7mph ≤ v < rv − 2mph
PC ≡ rv − 2mph ≤ v ≤ rv
These changes to the diagrams resolve the questions raised so far. We
will continue work with the diagrams 6.6, 6.10, 6.13, 6.14 and 6.15.
Checking Form
This section examines the diagrams that have been drawn so far. The aim
of this section is to ask questions about the form of the diagrams. Standard
questions that should be asked about State Charts are:
• Does the system respond to messages in every state?
The only message that is sent to the train is cmd, and in both states
(Regular Operation and Failsafe Mode) the train responds to the mes-
sage. Since there are no other messages that can be sent to the train,
this phase of the analysis is short.
• Are the guards of all states consistent and complete?
If a state has transitions with guards on them, then the guards should
either be disjunct or the informal specification should explicitly allow
the choice between the non-disjunct transitions. In addition, we need
to ask if the transitions out of a state are indeed all of the ways to leave
the state. The easiest way of checking this is to examine every state in
the system and consider the transitions there. Few of the states in our
diagrams even have more than one transition out of them. That makes
consistency easy to check. The guards on transitions within the set
of drive states in figure 6.15 are obviously complete: if the requested
speed is less than the current speed, the train switches to brake mode;
otherwise one of PD , PN or PC holds.
6.3.2 Step 2: Model the Environment 213
Motor
Change to
Mode
Disengaging
Brakes
/ j:=fb2(rv,ra)
Brake
Mode
/ j:=fb1(rv,ra)
Disengaging
Motor
/ j:=fa2(rv,ra)
Brake
Change to
Mode
/ tc:=0
[!brakeEngaged()]
/ tc:=0
[!motorEngaged()]
/ j:=fm1(rv,ra)
Drive
Fast
/ j:=fm2(rv,ra)
Drive
Slow
/ j:=fm3(rv,ra)
Drive
Stop
These are the
"drive" states
of the train, all
related to the 
"Acceleration
Mode" state.
[tc=1000]
/ ra:=0, ra:=0
[PN]
[!PN]
[PC]
[!PC]
[PD]
[!PD]
[rv<v]
[rv>v]
[tc=1000]
Figure 6.15: Train Controller (brakes and motor) behavior.
214 6.3 Application to the BART System
• Are assignments to timer variables resets only? The timer vari-
ables in the diagrams are twc (the wall clock), ta (the status reporting
timer) and tc (the state change timer). All the assignments to those
variables are indeed resets.
• Are the continuous variables used sensibly? In the diagrams with
continuous (hybrid) variables, the jerk rate j is assigned and the other
variables a, v, and x follow. The train’s position or speed are not
crudely changed through assignment.
Checking Meaning
We have validated the form of the diagrams, without reference to their
meaning as derived from the informal specifications. In this section, we
validate the diagrams with respect to the text of the informal specification.
This takes two forms: we ask some fairly standard questions concerning the
completeness and accuracy of the diagrams, and then proceed to formu-
late “putative theorems” (see page 19) in order to validate the formulation
against desired properties of the informal specification.
• Is the timing of the transitions correct? We have assumed that
transitions take no time, and have modeled the mode-change delay
when switching from braking mode to propulsion mode (or vice-versa)
by including a delay state (the states Mode Change to Brake and Mode
Change to Motor) with an explicitly enforced delay of 1000ms with the
timer tc.
• Are all needed transitions included in the diagrams?
This is the highly subjective question. It asks about the system’s re-
sponse to changes in its internal variables, timeouts, etc. In particular,
we need to check that no timeouts are missed, and that timers are re-
set when appropriate.
Through our tracing activity we have made a case that the diagrams
are accurate; by examining the diagrams we can see that there may
be a transition missing from the state Mode Change to Brake to Mode
Change to Motor. Consider the scenario in which the train begins
(changing to) braking in response to rv < v; while in the Mode Change
6.3.2 Step 2: Model the Environment 215
to Brake location a new command arrives with rv > v; it may be pos-
sible to abort a change to braking mode and switch back to motor
control without going through the brake mode entirely. This possi-
bly missing transition depends on the equipment on the train and the
ambiguity cannot be resolved by us here.
The putative theorems state properties we believe that the system has
and whose confirmation through a proof — even an informal demonstration
instead of a rigorous proof — serves to increase our confidence in the model.
In this section we will informally “verify” one property, that the trains cannot
reach a speed over 80mph.
One goal of the system originally pictured in figure 6.5 is that the train
should never exceed the posted civil speed limit (see P14,P76). The posted
civil speed limit is always less than or equal to 80mph. We ask the question:
can the train ever exceed the maximum civil speed limit of 80mph? The
maximum speed the AATC can send is 80mph as well.
A full mathematical proof is beyond the scope of this paper, but we can
suggest the following: in the three Drive states the speed of the train is
at most (in state Drive Stop) 2mph below the requested speed, and the re-
quested speed is at most 80mph. In the braking states the acceleration is
less than or equal to zero, so we need to check primarily if the speed in
states Disengaging Motor and Mode Change to Brake can exceed the max-
imum civil speed limit of 80mph. We reach the Disengaging Motor state
from one of the drive states; the maximum sojourn time in this state and
the Mode Change to Brake is not specified — it is unclear if switching off the
motor takes time in the informal specification. We will assume a maximum
two seconds stay in the two states (one second for reconfiguration and one
second for disengaging the motor). The maximum acceleration we can have
coming into the state Disengaging Motor is 3mphps, but this holds only if PD
holds, i.e. v < rv − 7mph. In two seconds we do not exceed rv and certainly
not 80mph. Examining the other cases where PN or PC hold show similar
results. Therefore in this simple model the train cannot exceed 80mph.
Consider adding a small amount of detail to the train model: if we in-
volve the track grade in the train’s physics then we can calculate that on a
4% downgrade, (certainly possible conditions within the BART system area),
that the train receives an additional acceleration of 0.88mphps due to the
grade (see P54). Suppose the train has rv = 80mph and a speed of 78mph.
216 6.4 Designing a Controller
In this case when the train controller enters state Drive Stop but the train
will continue to increase its speed due to the grade; if the incline is long
enough, after 2.3 seconds the train will reach 80mph. At that point two
more transitions are taken and the train reconfigures for braking. This
takes at least one more second, during which the train has reached a maxi-
mum speed of 80.88mph. This shows that we should begin braking earlier,
perhaps disposing of the Drive Stop state entirely. Since we have simpli-
fied away the track grade, this exercise has no bearing on our model or its
verification, but serves to illustrate how our model is not conservative with
respect to safety in the real world.
Although this phase suggests that we could make a few changes to the
diagrams, we will not do so and keep the diagrams from section 6.3.2 un-
changed.
6.4 Designing a Controller
In this section, we begin the design of a controller (i.e. the design of the
AATC system itself) by constructing a State Chart that sends commands to a
trailing train based on the information the AATC has on the trailing and the
leading train. We ignore things like track grade and rolling resistance in
the design of the controller, since we have ignored them in the description
of the environment as well.
We see that we need to design a control system that controls one train
while also listening to status reports from another, as illustrated in fig-
ure 6.16.
Our AATC system therefore must react to incoming status messages and
(possibly) send command messages. Let us assume that we have a state
“normal operation” to deal with all these messages. We must distinguish
between status messages coming from the leading train (T2) and from the
following train (T1). Two separate transitions handle this; the MOTT and
speed information of T2 is discarded. We allow commands to be sent as
often or as seldom as desired by using a fake guard [newSpeed]. We need
a guard, since empty guards are considered true and will cause the tran-
sition to be taken immediately. The informal specification suggests that
commands are sent every half second (in P16) and also that at most one
command can be verified by the AATC and sent per half-second (in P20), so
6.4 Designing a Controller 217
Leading
command
Note that command
messages may be
sent more often
than once every
half second.
AATC
status
command
status
status
command
status
status
status
50
0m
s
command
Train
Following
Train
Figure 6.16: Communications between trains and the AATC.
218 6.4 Designing a Controller
[newSpeed] ^T1.cmd(LMOT,rv,ra)
Normal
Operation
T2.status(−,x,−) / x2:=x
/LMOT:=MOTT
/x1:=x
/v1:=v
T1.status(MOTT,x,v)
Figure 6.17: Design for the AATC.
we could replace the guard with a timer and a half-second cycle.
We annotate each message in the State Chart with the name of the object
it is sent to or received from. In addition, we will add a number of variables
to the AATC class to store information received from the trains:
x1, x2 The position report sent by the following train (x1) and the leading
train (x2).
v1 The last reported speed for the following train.
lmot1 The MOTT sent by the trailing train with its last status report.
Figure 6.17 shows the resulting State Chart. This State Chart shows
us more of how the system should react to the trains. There is no upper
bound on how long the control system waits between command messages
(i.e. no upper bound on how long it takes for newSpeed to become true),
since the control system can choose not to send any command to a train
and thus let the train enter fail-safe stop mode (this is not stated in the
informal specification but the author Victor Winter assures us this is so).
The diagram also does not state what speed and acceleration values are
sent to the train. We cannot just send any values as speed and acceleration,
since that may violate the safety principles. In the end, we need to check
that in the complete system (the two trains and the controller) the following
holds:
T1.x+wcsd(T1.v) < T2.x
6.4 Designing a Controller 219
[newSpeed AND SafetyCheck(x1,v1,x2,rv,ra)]
Normal
Operation
T2.status(−,x,−) / x2:=x
/LMOT:=MOTT
/x1:=x
/v1:=v
T1.status(MOTT,x,v)
^ T1.cmd(LMOT,rv,ra)
Figure 6.18: Design for the AATC with safety features.
i.e. wherever T1 (the trailing train) is, it can always stop before wherever
T2 is — even if T2 comes to a catastrophic halt.
Our challenge now is to find out what conditions to enforce on the speed
and acceleration values sent to the trains so that the safety conditions are
met. Obviously there is a safe speed and acceleration command possible:
order the train to stop (speed 0mph, maximal deceleration of -1.5mphps).
With the train standing still, no unsafe situation can be created. This is a
typical conflict between safety and liveness; it is safest not to do anything,
and without liveness requirements to force activity, the system may fall into
passivity. However, we have consciously chosen to ignore liveness; we need
only satisfy the system goal “avoid collision.”
In essence, for every distance between trains 1 and 2, (and if we were
modeling more accurately, the track conditions need to be taken into ac-
count too), we need to calculate the maximum allowable speed and ensure
that the speed sent is less than that. We will denote this calculation and
check in the diagram by the predicate SafetyCheck(x1,v1,x2,rv,ra) yielding,
finally, figure 6.18. The parameters of the safety check are the location and
speed of train 1 and the location of train 2 along with the requested speed
and acceleration.
How to find a good definition for SafetyCheck(v,a) is beyond the scope of
this chapter. The following crudely defined formula is a starting point, and
in later sections we provide a more detailed formula that can be used with
220 6.4 Designing a Controller
a further-simplified model of the trains’ behavior for formal verification.
SafetyCheck(x1, v1, x2, rv, ra) ≡ rv ≤ 80mph ∧
x1 + dtbt(v1, ra) + wcsd(msbt(v1)) ≤ x2
In the formula, dtbt stands for Distance Traveled Before Timeout, i.e. the
distance traveled by the train between its last status report and the moment
it enters fail-safe mode. wcsd of course stands for Worst-Case Stopping Dis-
tance, which is a function of the Maximum Speed reached Before Timeout
msbt. This formula contains several extra margins for error; the WCSD itself
takes into account that the train accelerates at its maximum rate until time-
out and the distance that is traveled before the timeout occurs. Even so,
we need to keep the extra margins in order to show that the trailing train is
always at least the WCSD away from the leading train.
6.4.1 Formalizing the UML Diagrams
Just as in section 6.3.2, we want to be able to verify properties of the AATC
we have designed. In 6.3.2 we had but three State Charts to keep track
of: The Train and two for the Train Controller. The verification done in
section 6.3.2 was of the highly informal sort as well, so we need to consider
the complexity of a formal verification of the complete system.
While in theory a theorem prover can do any sort of mathematics —
with human intervention and assistance — we quickly realized that PVS is
extremely limited in its ability to manipulate algebraic expressions, and sim-
plifying an expression such as the definition of the WCSD as in the informal
document is an exercise in frustration. There is ongoing work to make the-
orem provers in general and PVS in particular more effective in algebraic
manipulation, but we chose to simplify our model instead to reduce the
complexity of the expressions encountered. Our simplifications are:
• Elimination of the jerk rate. We use only one fixed acceleration a,
which the train can use in accelerating or braking. The train can coast
as well, with an acceleration of 0.
• Elimination of the mode change delays. The train can switch from
accelerating to full braking (both at rate a) in an instant.
6.4.1 Formalizing the UML Diagrams 221
• The fail-safe timeout is two seconds from the last received command
instead of two seconds from the timestamp of that command.
• Elimination of the details of the movement of the leading train. We as-
sume that it always moves forward and do not worry about the manner
in which it does so.
• Elimination of the fine-tuning of the train’s approach to the target
speed. Instead of using the three drive states with different jerk-rate
profiles, we let the train accelerate at full speed to the requested speed
and then switch to coast mode.
• Both trains send their status report at the same time, not at different
times as illustrated in figure 6.16.
The first two simplifications mean that the train in the simplified model
reacts more quickly to commands and timeouts than a real train. The third
simplification means that the simplified trains enter fail-safe stop mode later
than a real train would. In this one case the simplification is conservative
with respect to safety while the first two simplifications are not. The fourth
simplification is hardly a simplification at all. As far as our limited view
of the AATC is concerned, the behavior of the front train may as well be
random, and we need to control the back train such that it cannot crash
into the unpredictable front train. The last of the simplifications is intended
to reduce the number of states we need to consider.
After these simplifications we could reconstruct State Charts to repre-
sent them, but we proceed directly to the representation in PVS. Instead of
representing each State Chart individually in PVS, we represent the product
automaton.
We use a single global state that holds the values of all the variables and
timers in the system. These are the position and speed of the trailing train,
x and v. Our simplifications remove the need for the trailing train’s accel-
eration or jerk rate. The leading train is represented only by its position.
The timers tc and twc are still needed for determining the period for send-
ing status messages and for determining the time of day. Since we have
simplified away the mode-change delay, the timer ta is not needed. Due to
our simplification of the fail-safe timeout, we do not need the variable pmot
either. This leaves us with the following bit of PVS code, which defines a
record type holding all of the variables relevant to the system. There is
222 6.4 Designing a Controller
Behavior
Failsafe
Mode
Regular
Operation
/ pmot:=0 cmd(LMOT,mv,ma) / pmot:=LMOT, rv:=mv, ra:=ma
[twc−pmot>=2000] 
/ rv:=0, ra:=−3mphps
cmd(LMOT,mv,ma)
/ pmot:=LMOT, rv:=mv, ra:=ma
Train
Controller
(messages)
Train
Controller
(motor)
M
ot
or
Ch
an
ge
 to
M
od
e
Di
se
ng
ag
in
g
Br
ak
es
/ j
:=
fb
2(
rv
,ra
)
Br
ak
e
M
od
e
/ j
:=
fb
1(
rv
,ra
)
Di
se
ng
ag
in
g
M
ot
or
/ j
:=
fa
2(
rv
,ra
)
Br
ak
e
Ch
an
ge
 to
M
od
e
/ j
:=
fm
2(
rv
,ra
)
[tc
=1
00
0]
/ r
a:
=0
, r
a:
=0
[P
N]
[!P
N]
[P
C]
[!P
C][P
D] [
!P
D]
/ j
:=
fm
3(
rv
,ra
)/ 
j:=
fm
1(
rv
,ra
)
/ t
c:
=0
[rv
<v
]
[rv
>v
]
/ t
c:
=0
[tc
=1
00
0]
Dr
ive
Fa
st
Dr
ive
Sl
ow
Dr
ive
St
op[m
ot
or
Di
se
ng
ag
ed
()]
[b
ra
ke
Di
se
ng
ag
ed
()]
/ ta:=0
/ dx/dt = v
/ dv/dt = a
/ da/dt = j
[ta=500] / ta:=0 ^ AATC.status(twc,x,v)Train
Figure 6.19: Composition of parts for the leading train.
6.4.1 Formalizing the UML Diagrams 223
AATC
System
Trailing
Train
System
Leading
Train
System
Normal
Operation
T2.status(−,x,−) / x2:=x
/LMOT:=MOTT
/x1:=x
/v1:=v
T1.status(MOTT,x,v)
^ T1.cmd(LMOT,rv,ra)
[newSpeed AND SafetyCheck(x1,v1,x2,rv,ra)]
/ dx/dt >= 0
Figure 6.20: Composition of parts for the entire system. The leading train
is defined by figure 6.19, while the AATC system is described by the single
State Chart from 6.18.
224 6.4 Designing a Controller
no explicit location (e.g. nowhere is the location fail-safe mode mentioned),
because the individual locations are not relevant any more after all of our
simplifications. The variable names have changed a little from the State
Charts, but should be self-evident.
States : TYPE = [#
posT1 : Position, % models actual position of T1
speedT1 : SpeedLimit, % current speed of T1
reqspT1 : SpeedLimit, % requested speed for T1
posT2 : Position, % actual position of T2
% next variables at controller
x1 : Position, % last info about position of T1
v1 : SpeedLimit, % last info about speed of T1
x2 : Position, % last info about position of T2
% now two timers/clocks for T1
c : Time, % to express status period
cns : Time, % time since last new speed
% And the global clock
now : Time
#] ;
Runs of this system consist of states based on these variables and actions
which may be:
• Time passes, which advances the timers and updates the continuous
variables, but does nothing else. In the PVS formalization, this action
is written Delay(d) where d represents the number of milliseconds
that pass.
• The AATC sends a new command to the trailing train, which sets the
rv variable and resets the fail-safe timeout timer. The command has a
new requested speed v and is written NewSpeed(v).
• The fail-safe timer expires. This causes an immediate change to fail-
safe brake mode and sets the requested speed to zero. This is written
FailStop.
• The status timer expires. A message is sent to the AATC which updates
the variables recording the position and speed of the trailing train.
The action Status represents this transition.
6.4.1 Formalizing the UML Diagrams 225
These four different steps need to be formalized as well. For each step
we need to write out under which conditions it can take place (for example,
the status timer expires when the timer c reaches 500ms) and what the
effect of the step is, (i.e. what effects the transitions has and how to code
the new state). The condition will be formalized as a *Guard predicate, while
the effect will be a relation between two states called *Effect.
The status transition can only occur when the timer c has the right value
(abstracted away as P):
StatusGuard(s) : bool = s‘c = P
The effect of the transition is that the AATC system receives the position and
speed of both trains and records them. The new state is therefore an update
of the old state with the AATC variables updated. This appears in PVS as
shown below; similar expressions are written for the remaining transitions
for fail-safe stop and receiving a new command.
StatusEffect(s0,s1) : bool =
s1 = s0 WITH
[ x1 := s0‘posT1, v1 := s0‘speedT1,
x2 := s0‘posT2, c := 0 ]
The guard and effect for the passage of time are slightly complicated,
though. We cannot let time pass indefinitely. In particular, if one of the
timers would reach a value that it enables a transition, we cannot delay
past that value. We have two timers c and cns which trigger transitions; we
need to check that delaying by t time units is allowable. The effect of a delay
is that the timers advance and the continuous variables change according
to the solutions of their differential equations. This is shown in the PVS code
as follows:
Delay(s)(t) : bool = s‘c + t <= P AND
( s‘cns + t <= FP OR s‘failsafeT1 )
DelayEffect(s0,d,s1) : bool = EXISTS (p : nonneg_real) :
s1 = s0 WITH
[ posT1 := s0‘posT1 + X(d,s0‘speedT1,s0‘reqspT1,a),
speedT1 := V(d,s0‘speedT1,s0‘reqspT1,a),
posT2 := s0‘posT2 + p, c := s0‘c + d,
cns := s0‘cns + d, now := s0‘now + d ]
226 6.4 Designing a Controller
In this bit of PVS code, X and V are PVS functions that encode the solu-
tion of the differential equations for position and speed as well as taking
care of the changes in acceleration due to reaching the requested speed.
Each uses the delay d, the current speed s0‘speedT1, the requested speed
s0‘reqspT1 and the acceleration constant a to calculate the resulting po-
sition or speed after the delay. The leading train is assumed just to move
forward a non-negative amount. This kind of non-deterministic behavior is
difficult to formalize in PVS, which is the cause of the odd-looking EXISTS
clause in the formula.
Part of the PVS code for the calculation of new positions is shown below.
For a complete PVS dump, see the author’s website [25].
X_ramp(d:Time,v:nonneg_real,a:real | v+a*d>=0) : nonneg_real =
d*v + a*d*d/2
All of this translation work, from State Chart to PVS code, is straight-
forward, although not trivial. Once we have all the guards and transitions
defined with respect to the global state of our system, we can formalize the
notion of an execution of the State Chart in PVS. Recall that an execution
of a system is a sequence of states and actions where each triple of state,
action and subsequent-state is legal according to the State Chart, i.e. the
effect of the action matches the assignments on the transition in the State
Chart and the subsequent-state represents correctly the state reached after
the transition. All that remains is to include the PVS code from the automa-
ton framework.
6.4.2 Proving that the Controller Works
Consider the parallel composition of automata shown in figures 6.19 and
6.20. In these figures and the subsequent formalization in PVS we describe
the behavior of the BART system as a whole. In order to prove that the
behavior shown by the system meets the goals that we have set we will first
need to formalize those goals. Then we will need to prove that all of the
states reached by our system, i.e. every possible situation that can occur
during the operation of our design, is safe in that sense.
Formalizing the Safety Condition California law states that the trains
must be kept at least the worst-case stopping distance apart. This intends
6.4.2 Proving that the Controller Works 227
to prevent the trains from colliding. Our safety goal as shown in figure 6.6
is formulated solely in terms of the trains not colliding. This is an easier
goal to formalize and surely embodies the spirit of the law, although the
letter of the law states that trains must be the WCSD apart; even when
standing still, the WCSD is non-zero because it assumes an instantaneous
maximal acceleration over two seconds (until timeout is guaranteed) and
then minimum braking, yielding a from-standstill WCSD of a little over 11m.
Our weak formulation (non-collision) is as follows:
WeakSafety(s:States) : bool = s‘posT1 < s‘posT2 ;
where posT1 represents the real position of the trailing train and posT2
represents the position of the leading train.
Since this safety notion is based on discrete states we might worry that
“in between” states, as time passes, the safety condition is violated. Fig-
ure 6.21 shows a picture of possible movement where in between safe
states, an unsafe state is reached.
This situation is easy to imagine when the trailing train is braking, al-
though the distance graph of the trailing train will then be a smooth para-
bola. We claim that the controller keeps the trains sufficiently far apart
(because of the additional safety margins it keeps beyond the WCSD) that
situations like this one cannot occur. A sketch of a proof is as follows:
Our safety margin, defined in section 6.4, ensures that the trains are at
least dtbt(v1, ra) + wcsd(msbt(v1)) apart, where wcsd is the worst-case stop-
ping distance (i.e. the safety margin), dtbt is the distance traveled before
a timeout triggers braking and msbt is the maximum speed reached before
timeout. The dtbt and msbt pessimistic estimates based on maximal instan-
taneous acceleration. Even if the leading train is stationary and the trailing
train accelerates at the maximal rate, it will travel less far than dtbt; its
speed will be less than msbt. Therefore at all instants between the two safe
states, the WCSD of the trailing train is less than wcsd(msbt(v1)) and there
is some additional margin of safety remaining in dtbt.
This proof-outline shows, informally, that the legal safety requirement
(the trains are always at least WCSD apart) is satisfied.
Proving correctness: The whole proof of correctness of our design was
done in PVS. This took several weeks of intensive proof work. The reasons
it took so long were:
228 6.4 Designing a Controller
Time
D
is
ta
nc
e
Safe
State
Safe
State
Leading Train
Trailing Train
Delay transition
Figure 6.21: Safe states with an unsafe intermediate configuration that does
not appear in a discrete state.
6.4.2 Proving that the Controller Works 229
• PVS is not very effective at manipulating algebraic expressions This
made much of the work related to the continuous movement of the
trains extremely tedious. After this work was completed, the manip
package [28] was released which eases algebraic manipulation con-
siderably.
• The original statement of SafetyCheck on page 220 of this thesis was
insufficiently strong to allow us to prove the safety of the system. We
needed to reformulate the safety condition and add even more dis-
tance between the trains. This can be seen in the final formalization,
below.
The stricter formulation of SafetyCheck can be seen below. Constants
(500, 2000) denote times in milliseconds. 80 is the maximum speed in miles
per hour. In this stricter formulation we ignore the relative timing of status
and command messages and use worst-case values for both timeouts and
status latency.
lsp(d,v0,v) : Speed = IF v0<v THEN V(d,v0,v,a) ELSE v0 ENDIF ;
SafetyCheck(s,v) : bool =
LET vP = lsp(500,s‘v1,80) % max speed after last status
IN v <= 80 AND
s‘x1
+ X(500,s‘v1,80,a) % worst case position increase
+ X(2000,vP,80,a) % worst case increase until fail stop
+ wcsd(lsp(2000,vP,80)) % consider largest speed
< s‘x2
The proof of the safety of this system proceeds as follows:
• Some time before each command message a status message is sent.
There is also a last status message before each command message,
i.e. the most recent status message. Suppose that the state is safe —
no collision — at the time of that most recent status message.
• Since the new speed command is sent, there must be a new speed v
such that SafetyCheck holds. This tells us that the distance between
the lead and the trailing train must be larger than just the “no colli-
sion” distance.
230 6.5 Results raised by this technique
• After the status message, the train can have moved at most X(500,
s‘v1, Vmax,a). Recall that X formalizes the distance traveled in a
period of time with given starting and target speeds and a fixed accel-
eration. Since the amount of time since the status message is less than
or equal to 500ms, and the requested speed is necessarily less than or
equal to 80mph and the acceleration is fixed (see the list of simplifi-
cations on page 220), the train travels less than X(500,s‘v1,Vmax,a)
between the status message and the command message. This is a triv-
ial exercise in linear inequalities with quadratic expressions on paper,
but an exercise in tedium with PVS. At the same time, the train has
reached a speed of at most lsp(500,s‘v1,80).
• Suppose that no speed command is ever sent after the one currently
under consideration. Then the train travels until a timeout happens —
which is less than X(2000,vP,80,a), and then brakes to a halt, which
will take less than the worst-case stopping distance of wcsd( lsp( 2000,
vP, 80 )). Therefore the trailing train comes to a stop before it has
traveled the whole distance separating it from the lead train. This
case is safe.
• If a second speed command is sent, then we first determine that all
the status messages after the first command message and before the
second one are safe – no collision occurs. This proceeds along similar
lines as the previous case: we calculate how far the train can move at
most and find that it is less than the distance separating the two trains
at the moment the first new speed command is sent.
Since all the status messages between this speed command and the
next are safe, then the next speed command occurs in the same con-
text as this speed command: there is a recent status message in a safe
state. This returns us to the first step of this proof outline.
Using an inductive proof this proof outline translates into some 200 lem-
mas in PVS which prove the safety of the system.
6.5 Results raised by this technique
In this chapter, we have applied our 5-step approach to the BART case study.
We have concentrated on modeling the environment of the AATC system,
6.5 Results raised by this technique 231
enabling us to find inconsistencies, incompleteness, and inaccuracies in the
informal requirements document. The tracing phase on page 207 — re-
reading the informal document with a set of formal diagrams at hand —
yields 5 issues that need to be resolved in order to create an accurate model.
These may be considered omissions (instances of incompleteness) in the
informal document. The phase that checks the meaning of the diagrams
discovered an additional issue with respect to the drive states in the motor
controller on page 215. Most of these finds were repaired in our model;
none were life-threatening, but they do serve to illustrate how difficult it is
to write a truly accurate informal requirements document and how a careful
and methodical formalization can help improve it.
In section 6.4 we designed a controller for the model of the environment
we have created. This controller was proved to be correct. While this does
not necessarily belong to the activities of requirements engineering, it does
serve to illustrate that the 5-step approach yields diagrams that are useful
beyond the requirements engineering part of the software life-cycle.
232 6.5 Results raised by this technique
Conclusion day after day // i get angry // andi will say // that the day // is in my
sight // when i’ll take a bow // and
say goodnight. – Violent Femmes
This thesis has presented three large case studies, two small examples and
a framework in PVS for the formalization of automata. It is the product
of four years of (sometimes intermittent) hard work on reading informal
requirements specifications, translating them into something more formal
and proving properties of the resulting models.
Over the course of those years, we have arrived at an approach that is
fairly practical — hence the title of this thesis. The emphasis on practi-
cal results yields a straightforward approach: read, understand, formalize,
ask questions and repeat. We see that this approach results in lots of ques-
tions; these questions indicate ambiguities in the original informal specifica-
tion and, as we stated in the introduction, these ambiguities are expensive.
Therefore our practical approach seems to be useful, at least in reducing
the hypothetical costs of software development following this approach.
This thesis is intended to be a source of inspiration to other students,
as a kind of “here’s how to do it” guide that does not push a particular
theory. Since the pitfalls are documented as well (below), I hope this steers
some new hopefuls around the yawning chasms of operational reasoning
and inconvenient definitions.
7.1 Summary of Results
Each chapter of this thesis contains one primary message to take away.
These messages distill the lesson learned from the case study or theoretical
construction to one or two sentences.
233
234 7.1 Summary of Results
Chapter 2 (Light-Control ) We check if a specification written in natural (infor-
mal) language is complete and consistent. In order to do these checks,
we need to turn to formalization and mathematics to understand the
specification properly.
Pitfalls: Adding axioms to PVS theories is tempting and hazardous. The
theory interface used in this chapter ties the work to a fairly old ver-
sion of PVS; this makes it difficult to use modern tools such as manip
or integrate new theories from third parties with this approach.
Message: Checking for consistency is hard to do; using formal meth-
ods it becomes easier to check in a structured manner, but that does
not resolve all the inconsistencies, as we saw in uncovering additional
conflicts in the Light Control requirements in section 2.5.6.
Chapter 3 (Structuring Automata) Here we create a framework for describing
(formalizing) automata in PVS; this framework is generally reusable.
We extend the framework with tailored support for automata with lo-
cations and provide a step-by-step guide to adding time and hybrid
behavior to the automata.
Pitfalls: Considering all the possible formalizations of something like
alternating sequences is likely to take too long. Producing the most-
general lemma for a given class of properties does not necessarily
produce one that is useful in specific cases.
Message: A general framework for modeling is a nice thing to have,
but it is clear that any practical use will have to specialize it consider-
ably.
Chapter 4 (Two Simple Examples) Two examples show how straightforward mod-
eling work based on an informal specification can be. However, exist-
ing elegant operational proofs do not sit well in the PVS framework
and must be redone.
Pitfalls: Operational reasoning with many quantors looks good on pa-
per but is very difficult to translate to PVS in such a way that the proofs
remain doable.
Message: The framework from chapter 3 can be used to model and
verify protocols, but it requires a good deal of specialization.
7.2 Reflection on the Problem 235
Chapter 5 (Biphase Mark Protocol ) We use Uppaal to produce a first model of
a protocol and to validate our intuitions about the parameters of that
protocol. Using PVS we rigorously check the correctness of the param-
eter constraints.
Pitfalls: Invariant proofs with lots of interrelated lemmata are quick to
appear and tedious to simplify. It is difficult to find out which lemmata
exactly are needed in a particular theorem.
Message: Specializing the framework even more with custom proof
commands tailored to the kind of proof being done can yield great
improvements in the amount of effort needed for a proof.
Chapter 6 (Bay Area Rapid Transit) Translating a large and incomplete informal
specification into our formal PVS automaton model takes a lot of work
but is mostly a matter of paying attention to detail. Reasoning about
hybrid systems and the complicated equations involved is not PVS’s
forte, but we succeed in designing a train controller and prove that it
is safe.
Pitfalls: PVS is not the nicest system for doing real number manipula-
tion. It is easy to get sidetracked in a proof into doing lengthy manip-
ulations where a separate lemma abstracting away the real number
manipulation would do the job better.
Message: PVS can be used for proving properties of hybrid controllers.
7.2 Reflection on the Problem
In the introduction to this thesis, on page 2, we introduce the problems that
this thesis intends to address. These problems are stated in two questions;
looking back we see that both questions may be answered affirmatively.
• Can theorem provers help in understanding informal specifications
while translating them into a more formal form?
• Can theorem proving technologies be applied effectively during the
requirements engineering phase of software development?
The case for answering the first question “yes” is made primarily in chap-
ters 2 and 5, and less so in the other chapters. In the Light Control Case
236 7.2 Reflection on the Problem
Study (chapter 2) we expressly use the theorem prover to formulate our
understanding of the requirements. By analyzing the resulting statements
and using the theorem prover we can demonstrate the inconsistencies in
the requirements. In the Biphase Mark Protocol Study (chapter 5) we use
a combination of tools in order to derive intuitions and then verify those
intuitions. The use of the theorem prover in particular helps us in under-
standing exactly why the parameters of the protocol must be selected as
they are.
We believe that the use of the automaton framework of chapter 3 in
subsequent formalization efforts and the effort involved in both the formal-
ization and proofs shows that the framework can be applied effectively. The
approach advocated in this thesis illustrates what steps to take to apply the
tools effectively.
7.2.1 Method
The method applied in this thesis is one that may boil down to common
sense:
1. Read and understand the informal requirements in a small scope, that
is understand each sentence as it happens.
2. Formalize each small fragment in isolation (or as much isolation as
makes sense). Problems encountered in formalization in this step
suggest misunderstanding or basic problems in the informal require-
ments. We demonstrate this step in the Light Control Case Study. The
examples in chapter 4 also attempt to formalize small parts of the sys-
tem at once.
3. Examine the formalizations for consistency. This may be as simple as
placing the formalizations together in PVS and letting the type-checker
find inconsistencies. In the Light Control Case Study we find that
putting the formalizations together shows us — even without further
use of the proof checker — that there are problems with the formal-
ization or the requirements.
4. Find an overall correctness requirement and formalize that in terms
of the model already constructed. The examples in chapter 4, the
7.2.2 Scalability 237
Biphase Mark Protocol in chapter 5 and the BART system in chapter 6
all have such overall correctness requirements.
In applying this method we have discovered inconsistencies and errors
in a variety of protocols and systems. While the method as a whole has not
been applied consistently to each study, each chapter uses at least one of
the steps to in order to better understand the requirements of a system and
to improve the quality of the specifications involved.
One of the results of the case studies in this thesis is that doing highly
local formalization of the informal requirements can be beneficial. This is
a relatively low-effort activity, as most sentences or paragraphs of an in-
formal specification refer only to a few datatypes and state changes. The
collected formulas can be checked for consistency more easily than the col-
lection of informal sentences, while we can still ask good questions about
the requirements.
7.2.2 Scalability
Each of the examples in this thesis is fairly small. Any model with a few
variables and at most a few hundred locations cannot realistically stress the
tools used. The examples in chapters 2 and 5 do give an approach to larger,
modular specifications.
By using the PVS theory (module) mechanism we can isolate specifica-
tions of subsystems and connect them together explicitly in an overall sys-
tem theory. Chapter 2 does this to specify the different parts of the system
and also to substitute refined versions of system components, allowing us
to incrementally refine the specification of the system.
By specifying automata separately and then constructing the product
automaton in PVS we can analyze each in isolation or in composed systems.
Chapter 5 expresses facts about small compositions before working on the
primary correctness; this gives us the groups of theorems P, Q, etc. which
are all needed to prove the global correctness invariant I.
Our method — or rather PVS— offers means to structure complex specifi-
cations which extend beyond the small examples shown here. The approach
is not limited in it scaling by the tools themselves, only by the ability of its
users to manage all of the local specifications and their composition. In this
the approach is no different from managing the informal specifications of
238 7.3 Future Work
the same system. The tools, however, do help in maintaining consistency
across the local formalizations and our emphasis on formalizing small parts
of the system in isolation ensures that we can trace the formalizations back
to the parts of the informal requirements that they come from.
7.2.3 Readability
Many formal representations are daunting to read at first sight. For any
non-trivial system it is difficult to formulate a formal version of the require-
ments “just right” at first attempt — even assuming that the informal re-
quirements are unambiguous and free of errors. For people who do not
daily use any given formalism (e.g. PVS) the formalization can obscure more
than it clarifies.
Our approach advocates formalizing single sentences, if possible, and
of recording where parts of the formalization come from. This ensures that
someone who does not daily work with the formalism in question can at least
see informally what the formalization is supposed to mean. The questions-
and-answers in chapter 2 as well as the correspondence mentioned in chap-
ter 6 illustrate how we — expert users of the formalism — can still ask
questions about the informal text when issues are raised in the formaliza-
tion.
While we believe that PVS specifications in the style used in this thesis
are fairly readable, we realize that our views are skewed by years of use of
the formalism. We do not advocate exposing people untrained in the formal-
ism of PVS to the requirements when they are translated into PVS. Instead,
a valid chain of translations should be presented in order to maintain com-
munications between the expert in formal methods and the informal domain
expert.
7.3 Future Work
Since the chapters of this thesis were written years apart and redacted
mostly for factual correctness, the “future work” contained in them is some-
times in the past. We turn our attention primarily to the work that remains
to be done and which is still relevant.
In the Light-Control Case Study (section 2.7.2 on page 52) we prove
7.3 Future Work 239
that implementing the room lighting requirements with dimmable lights is
a refinement (in the classical sense). Refinement remains an interesting
subject; I spent many afternoons working with Hanno Wupper on notions of
approximate refinement. This never saw a worthy publication, though it did
yield some taxonomic research reports. In 2005, work on -refinement by
Jeroen Voeten et al. [41, 30] brought this notion to sound footing indepen-
dently.
The power of (proof) tools and tailoring them (through specialized proof
strategies) really only became apparent to me in 2004. In retrospect I would
like to re-do the BART case study with a firmer grasp of the tools involved.
That would be a fine illustration of how practical modeling and proof tech-
niques need to be learned.
One additional item of future work suggests itself: improve PVS. After
using PVS for over a decade, there are a number of things that still bother
me about it. Typing LISP expressions after a prompt is not an acceptable
form of user interaction in the current decade. Various tools have been built
— none specifically for PVS— that attempt to wrap the text-mode interfaces
of some theorem provers with something a little more fancy. One of the
best-known tools is ProofGeneral [9]. ProofGeneral provides a little relief in
terms of the user interface for interactive theorem provers such as coloring,
syntax highlighting, proof-by-pointing, tagging and symbol display but it is
not available for PVS. There remain a number of small items that would
make PVS much nicer to use (for me, at least):
• Expression Evaluator: It can be quite difficult to check a definition
for correctness; is this function I defined the right one or not? Con-
sider a bit of PVS code like the following:
CtoF(c:real) : real = 5*c/9 ;
Is that the right definition? To check that (informally, as a validation
step while writing the definition of CtoF) we could evaluate the expres-
sion CtoF(n) for various values of n.
Such a PVS expression-evaluator could be used as follows: enter an
expression; this expression is parsed and type-checked; (assert) is
applied repeatedly to the expression until nothing changes and the re-
sult is printed. Other strategies (perhaps even (grind)) might be used
240 7.3 Future Work
as well, along with auto-rewrite rules. This will reduce the expression
as far as possible within PVS, often yielding an improved understand-
ing of the validity of the definition.
Some of this work has been done, and there is a subset of the PVS
language called “executable PVS” [80, 79] which can be used as a pro-
gramming language and yields computational results. However, this
executable PVS is limited to those parts of PVS where execution is well-
defined. It has also not been integrated with the PVS tool so that a
standard installation can make use of it.
• Term Selection During Proofs: Proofs are fragile — one reason for
this is that it is often necessary to paste a chunk of text from the se-
quent into a proof command, for instance in an (inst) or a (case). This
introduces a dependency in the proof on particular variable names or
subscripts or function names, even when such a dependency is not
needed.
It would be convenient to be able to say some of the following in a
proof (note formula numbers may be replaced by labels below; labels
are under-documented and very useful):
– The right-hand side of the equality in formula number -3.
– The first variable x with a subscript (any subscript, for instance
x_2) in formula number -3.
– The smallest expression that starts with permute( and is properly
balanced (i.e. up to the matching closing parenthesis) in formula
number -3.
– The largest expression matching the regular expression x + .*
(denoting “x plus anything”).
Using the manip package [28], one can specify sub-expressions such as
the right-hand side of an equality, but in a slightly clumsy manner; it
also requires wrapping each command with an (apply). PVS is missing
a consistent integration of these matching possibilities everywhere.
• Lemmatize Sequent: It happens all the time in big proofs: you look
at a sequent and realize you’ve seen it before. Since it it difficult
(and fragile) to copy proof sub-trees, the next best thing is to turn the
7.3 Future Work 241
sequent into a lemma, prove the lemma, and use it. However, turning
a sequent into a lemma is problematic: you can’t just cut-and-paste
the text, and you can’t use the new lemma immediately.
Suppose we had a (lemmatize-sequent) command. It should produce a
nice textual representation of the sequent. This can be done by univer-
sally quantifying all the variables in the formula; skolemized variables
or variables from explicit quantifiers in the initial formulation being
proved should be left as free variables in the resulting lemma for the
user to resolve.
By adding this command to PVS, it supports one natural style of theory
better: you try to prove something, discover that the proof has some
structure and then invent a lemma to use. On paper, it is not difficult
to assume a lemma during a proof; in PVS, it is impossible right now.
These additions to PVS would make it a much more pleasant and produc-
tive proof-assistant to use; the speed of doing proofs would be increased and
the fragility of those proofs would be reduced. Proofs should not be ham-
pered by procedural constraints when the proof checking afterward can
correct any procedural mistakes; adding lemmata on-the-fly is not harmful
here. Proofs in natural language can use pronouns, ellipses and referen-
tial words in their vocabulary to refer quickly and efficiently to parts of the
expressions in a proof. Formal proofs in a theorem proved should not be
hampered by the lack of this vocabulary, which is why we need better ways
to refer to parts of proofs in this formal setting.
This wraps up our journey through one portion of the landscape of au-
tomaton proofs with PVS. It’s a jungle out there. Take care as you explore
further, and thank you for reading.
242 7.3 Future Work
Introducing
PVS
welcome my son // welcome to
the machine // where have you
been? // it’s all right, we know
where you’ve been – Pink Floyd
This chapter contains a very short introduction to PVS, its syntax and
semantics. The reader interested in further use of PVS should read the
documentation accompanying the PVS distribution, particularly [72].
We present only the parts of PVS that are used in the theories presented
in this thesis. For doing practical automaton proofs it should be enough,
though.
PVS is a higher-order theorem prover, which means that it manipulates not
only mathematical objects of the first order — sets, constants, logical atoms
and their connections — but also mathematical objects constructed from
those first-order objects, such as functions, formulas, and predicates over
first-order objects. The practical upshot of this is that we can concicely
define a wide variety of structures which model the automata we are inter-
ested in.
We cover five main subjects in this chapter, datatypes, theories (the main
structuring element in PVS), definitions (the way to create new things), syn-
tactic peculiarities and proofs.
A.1 Types and Objects
PVS has a number of built-in types, which are always available (and handled
somewhat specially by the system). These types are:
• bool for truth values (Boolean values true and false).
• nat for natural numbers (0 . . .).
243
244 A.1 Types and Objects
• real for real numbers.
• tuples of any arity > 1 of any type, denoted by square brackets [] sur-
rounding a list of types separated by commas, such as [ bool, nat ]
which is the type of pairs of Boolean values and natural numbers. Tu-
ples are rarely used because records are usually more convenient.
• functions of any arity > 1 of any type, denoted by square brackets
surrounding a list of domain types separated by commas, a function-
arrow -> and followed by the range type of the function, such as
[ bool -> nat ] which is the type of functions from Boolean values
to natural numbers. A function can be manipulated just like any other
mathematical object, and it can also be applied to arguments to yield
an expression of its range type.
• records, which behave much like tuples, consisting of square brackets
and octothorpes ([# #]) surrounding a list of record fields separated
by commas; each record field consists of a name followed by a colon
( :) and a type. The fields can be referred to by name; if we have
a record type [# number:nat, prime:bool #] and an object n of that
type, we can write prime(n) to refer to the value of the prime field for
that object. Alternatively, we may write n‘prime; this notation is often
easier to read.
The automaton framework and the examples in this thesis make heavy
use of record types, since they provide a convenient means to struc-
ture and refer to a (coordinated) collection of mathematical objects.
PVS has a number of shorthand notations for defining types, as well as a
full-blown algebraic (abstract) data type notation. These are:
• predicates P are usually given type pred[T], which is shorthand for
the function type [ T -> bool ]. Predicates are usually given names
ending in a question mark; definitions are written as functions of some
parameters returning bool, for instance:
even?(n:nat) : bool = EXISTS (m:nat) : m*2 = n;
odd?(n:nat) : bool = EXISTS (m:nat) : m*2+1 = n;
• sets of elements of a particular type T have the type setof[T]; this
type is equivalent to pred[T]. A set is identified with its characteristic
A.1 Types and Objects 245
prime1 : TYPE = [ nat, bool ] ;
number(p:prime1) : nat = proj_1(p) ;
prime(p:prime1) : bool = proj_2(p) ;
Figure A.1: Tuple used to store a natural number and a Boolean value; addi-
tional functions are defined to refer to the parts of the tuple in a meaningful
way.
function. The constant function which yields true is called fullset and
represents the set which contains all the elements of T. Conversely,
emptyset represents the empty set ∅. The predicate non-empty? over
sets states that a set is non-empty.
Membership of an element e in a set V is written V(e) (there are other
ways, too, but this is the one we choose). Elements are added to a set
with the function add; add(V,e) means V ∪ {e}. A typical set-theoretic
lemma is that for all V and e the formula add(e,V)(e) holds.
• abstract datatypes are defined by surrounding a list of constructor-
recognizer pairs with DATATYPE BEGIN and END. A constructor func-
tion creates an object of the abstract datatype (possibly from argu-
ments); a recognizer is a predicate that states that an object of the
abstract datatype was created by that constructor. Each constructor-
recognizer pair is a constructor for the type, followed by a colon, fol-
lowed by a name for the recognizer for that constructor. A constructor
is a name, optionally followed by a list of parameters surrounded by
brackets (()) and separated by commas; each parameter is a name, a
colon, and a type.
It is possible to define more-or-less the same type with different amounts
of PVS machinery. For non-recursive datatypes, we can use tuples, records
or abstract datatypes. Figures A.1, A.2 and A.3 show definitions for a par-
ticular datatype (a pair of a natural number and a Boolean variable along
with functons number and prime for accessing the elements of the pair) in all
three styles.
Only abstract data types can represent recursive data types such as
trees; here one or more constructors can take parameters of the abstract
data type being defined. Abstract datatypes are also used to define type
246 A.1 Types and Objects
prime2 : TYPE = [# number:nat, prime: bool #] ;
Figure A.2: Record type used to store a natural number and a Boolean value;
no extra machinery is needed since the field names can be used to refer to
the parts of the record.
prime3 : DATATYPE BEGIN
p(number:nat, prime: bool) : p?
END prime3
Figure A.3: Abstract data type used to store a natural number and a Boolean
value; the constructor is named p and the recognizer p?, following PVS con-
vention.
union, for instance, data objects that are either a natural number or a
Boolean value. They are also commonly used to define the actions per-
formed by automata when the actions are parameterized in some way (for
instance, in the FutureBus example in section 4.2 has actions apply, read
and compute, all parameterized by a device ID).
Objects of the various types are denoted as one might expect: strings of
digits for natural numbers, the strings true and false for Boolean values,
tuples are surrounded by parenthesis and abstract data types are written
using constructor terms. Records have a slightly different syntax, using
parenthesis-octothorpe ((# #) surrounding a list of assignments to the fields
of the record; each assignment consists of a field name, an assignment sym-
bol (:=) and a value of the relevant type. Figure A.4 shows examples of
values written in all three common datatype styles.
P1 : prime1 = ( 17, true )
P2 : prime2 = (# number:=17, prime:=true #)
P3 : prime3 = p(17,true)
Figure A.4: Values written in all three common datatype styles (tuple,
record and abstract datatype).
A.2 Theories 247
A.2 Theories
The primary unit of organization in PVS is the theory. A theory collects def-
initions — of types, constants and functions — along with theorems about
them into one unit. A theory provides these definitions with a context of
definitions (like “let V be a set”) and assumptions (like “V is non-empty”);
these definitions and assumptions are called parameters to the theory. The-
ories need not have parameters, though — there is always the implied PVS
context available which provides types like the natural numbers, Boolean
values, orderings of the natural numbers, and a host of other things.
A theory may be parameterized by just about anything — types, con-
stants or functions (assuming the domain and range types of the function
are available to the theory, either as parameters or because they are are
built in to PVS). These parameters are named, and constitute the context of
the theory; within the theory, reference to the names of the theory parame-
ters is permitted.
A theory can be instantiated for particular values of its parameters (such
as “let V be the set of even integers”), which fills in those particular values
in all of the definitions (which remain valid) and theorems (which remain
true, since the theorems use only the assumptions available in the context
of the theory).
Consider the following theory which has three parameters: some type T ,
a function from T to T called f , and a binary predicate called < on T . The
theory itself is called “Shrink.”
Shrink [
T: TYPE,
f : [T->T],
< : pred[T,T] ] : THEORY BEGIN
shrinks? : bool =
FORALL (t:T) : f(t) < t;
END Shrink
Within the theory, we can refer to T , f and < and use them in the def-
initions however we like. Only when the theory is instantiated is there a
concrete instance of T to use, and hence a concrete instance of the defini-
tions inside the theory. In order to instantiate a theory, one imports it and
gives objects as parameters for the theory. This happens within another
theory. Instantiations may be relatively nonsensical, like this one:
248 A.2 Theories
Theorem
Transition
Relation
Automaton
Framework
Automaton
Datatypes
State Space
Datatype
Actions
Datatype
Correctness
Figure A.5: Typical tree structure for theories defining an automaton. The
automaton framework itself is split into several theories; the datatypes for
actions and state space are usually defined in separate theories and they
are imported into a theory that defines the transition relation. Finally, an
overall correctness theorem is formulated in the theory that pulls everything
together.
% Inside another theory
addOne(n:nat) : nat : n+1
greater(n,m:nat) : bool = n > m
IMPORTING Shrink[nat,addOne,greater]
The instantiation of the theory Shrink is done by the IMPORTING line, with
the parameters as given — nat is used as type T, a function addOne is used
for the f in the imported theory, etc. After instantiation, the definitions from
the imported theory can be used as if they had been defined locally, so the
constant shrinks? is now available to the importing theory.
Through importings, a collection of theories forms a tree; no cycles are
allowed, although a theory may be instantiated more than once (if it is, some
additional disambiguation notation is needed, for instance to distinguish
between different instances of shrinks?.
The automaton framework defined in this thesis in chapter 3 is a col-
lection of theories that is imported for use in all of the case studies. It
forms part of the theory tree and its definitions can be used. A typical tree
of theories for an automaton model and proof looks like the tree shown in
figure A.5.
A.3 Definitions 249
A.3 Definitions
Where theories provide the structure for PVS, definitions provide the “con-
tent” of the mathematical notions. A declaration has a name, possibly some
parameters, and a type (for the purpose of this section, TYPE is also a type).
A definition is a declaration followed by an equality (=) sign and a defining
expression.
We have seen numerous examples of both declarations and definitions
already in this chapter. Consider a definition of a function from natural
numbers to natural numbers, such as this one:
frob(n:nat) : nat = n*3+1
The part frob(n:nat) : nat is the declaration part; this declares that
there is a function with the name frob with one parameter yielding a natural
number. Since we are asserting the existence of an object, PVS requires
us to prove that such an object exists. Many proofs can be automatically
discharged by the prover, but occasionally a declaration will cause a TCC
(Type Correctness Condition) which must be proved by hand. One way of
proving existence is to explicitly give an object that has the right type, in the
defining expression. The requirement on the defining expression is that it
have the right result type, i.e. that n*3+1 is a natural number in this example.
This is relatively easy for PVS to prove, but by no means do all defining
expressions yield a trivial existence proof, so here we may run into TCCs as
well.
A common idiom in this thesis is to define a predicate that states desired
properties of an object (e.g. of the system being modeled) and then declare
an object satisfying that predicate, like so:
desiredSystem : (requirementsPredicate)
Here, desiredSystem is some object of type (requirementsPredicate), i.e. it
is some element of a type T that satisfies that predicate. When we write an
expression like this, which posits the existence of an element of a type, PVS
requires that the type be non-empty. This may require us to prove that the
predicate accepts at least one element.
Because existence proofs are done by example in PVS, it is usually easier
to just calculate an object satisfying the predicate by hand, then defining
an object of the predicate type with that defining expression. Then you
250 A.4 Syntactic Peculiarities
need to prove the defining expression has the right type, but that is easier
than doing an existence proof. This is why the Light-Control case study in
chapter 2 defines an instance for each requirements predicate, to show the
predicate is non-empty.
Besides declarations that assert the existence of an object, we can also
do variable declarations. A variable declaration in PVS introduces a type for
the given variables so that we do not need to specify the type of that variable
in the rest of the theory. This means that we can use a variable declaration
to give a variable v a “default type” so that it can be used without type an-
notations. This is convenient in a theory with many definitions and lemmata
all about elements of a particular type. For instance, a theory about natural
numbers will have lots of definitions with parameters n and m — which are
implicitly natural numbers. Writing n:nat everywhere is tedious, so a single
variable declaration can make n default to type nat as follows (while still
allowing different types, say n:(even?) in places where it is needed):
n : VAR nat
Any type can be used to declare variables; when the variable is used it
may trigger a TCC to prove its existence, though.
A.4 Syntactic Peculiarities
This section describes a number of “peculiarities” of PVS, which may sur-
prise readers who are used to the notation of informal rigor of regular math-
ematics or other proof assistants. It is arranged in no particular order and
covers only those peculiarities used in this thesis; it makes no attempt to be
complete.
Lambda Functions: Most definitions of functions use the defining form
name( arg:T ) : T’ = ..., which hides the function type by focusing on the
return type. Occasionally (as in section 4.2.3) we wish to emphasize the
function type and do not want to write out the parameter types; in even
more rare cases we need to pull a function out of a hat with no name for
it (this happens during proofs). This gives us the need to define functions
without giving them a name and without writing out the parameter lists
in full. For this we use the LAMBDA notation, which is of course directly
A.4 Syntactic Peculiarities 251
derived from the λ-calculus of functional programming languages. A simple
example of a definition using lambda-notation is the following definition of
addOne which rather superfluously adds one to its natural number argument
n.
addOne: [ nat -> nat ] = LAMBDA (n:nat) : n+1
Predicate Types: For any predicate P on a type T (in PVS we would write
P : pred[T]) we can define the set of elements of T that satisfy P as follows:
S : setof[T] = { t:T | P(t) }
We can read this bit of PVS as normal mathematics: let S be the set of
elements of T defined by the expression “those elements t of T for which
P (t) holds.
A shorthand notation exists for this common notation, which is to write
(P) instead. This is read as “the set satisfying P ”. It is also a type expres-
sion, so we can write
ev : (even?)
make_odd(n:(even?)) : (odd?) = n+1
Currying: Functions may be Curryed; the Curryed parameters are group-
ed by parenthesis. The type of a Curryed function is written following the
regular typing rules, so a function taking a natural number and returning
a predicate on natural numbers is typed [ nat -> pred[nat] ] or equiv-
alently [ nat -> [ nat -> bool ] ]. Partial application of functions is al-
lowed, which is useful for functions returning predicates. A parameterized
predicate can be used to define types of natural numbers less than some
constant, such as small numbers (less than twenty):
lessThan(n:nat)(m:nat) : bool = m < n ;
smallNumbers : TYPE+ = (lessThan(20)) ;
Definitions from Parameterized Theories: PVS has built-in notation for
the set of natural numbers {0 . . . N−1}, the numbers smaller thanN , written
below[N]. One might expect the notation below(N), as in the Curryed exam-
ple above; the notation below[N] comes from below being defined in a theory
252 A.5 Proofs
parameterized by N as opposed to being parameterized in the definition of
below itself (see also A.2).
The theory defining below has a parameter N ; this theory is available
in unistantiated form to any PVS theory (this is because the theory is part
of the PVS prelude, which is special). Instead of instantiating the theory,
the individual definitions are instantated when used. We see this in the
definition of bus vectors in section 4.2.3.
Record and Function Updates: Given a record r with field f , one may be
interested in the record r′ that has all the same values as r except in field
f , which gets a new value v. The notation for this is:
r WITH [ f:=v ]
This notation is used extensively in all forms of the automaton framework to
change the state of the system (usually represented by a record) to a new
value. Similarly, this notation can be used to “update” a function, yielding
a new function with the same domain and range but with a different value
in a single point. Consider the function f (of PVS type [D -> R]) and a point
x in its domain, and a value v in its range. Then the following two PVS
expressions are equivalent:
f WITH [ (x) := v ]
LAMBDA (d:D) : IF d=x THEN v ELSE f(d) ENDIF
Clearly the first is much easier to read. Function updates are rare; in this
thesis they are used only in section 4.2.3 where the global state of the sys-
tem is represented by a function mapping device IDs to local states. With
each action, a local state is changed, so the global state function is updated
to yield the new local state at the relevant point.
A.5 Proofs
A proof in PVS is a sequence of proof-commands that manipulates a proof
state to a proof goal. Some proof commands introduce new goals which
must all be discharged in order to complete the proof. The PVS system al-
lows the user to interactively create a proof by applying commands to a
proof state; administrative commands are available for manipulating the
A.5 Proofs 253
list of “pending” proof states. A proof state consists of a conjunction of
antecedent formulas which (ought to) logically imply the disjunction of con-
sequent formulas. A proof state is displayed in PVS as formulas “above the
line” and “below” it, as follows:
[-1] antecedent_formula_1
[-2] antecedent_formula_2
...
[-n] antecedent_formula_n
|=========
[1] consequent_formula_1
...
[m] consequent_formula_m
The intention of a proof is to manipulate the proof state into a one where:
1. The conjunction of the antecedent formulas (above the line) implies
one of the consequent formulas,
or
The conjunction of the antecedent formulas is false, in which case ex
falso quodlibitur applies and the proof is done.
2. PVS recognizes that condition 1 holds.
The latter condition is important. Occasionally PVS suffers from a “brain
fart” and does not recognize logical implications that one might think it
should. There are various PVSIsStupid lemmata in the PVS theories that ac-
company this thesis that deal with such situations. Sometimes the problem
is invisible — just because a symbol < looks the same as another symbol <
does not mean it is the same symbol, so apparently trivial implications can
sometimes get bogged down.
The language of the PVS prover is quite extensive. Chapter 5 shows what
kind of commands are used in the proofs in part of this thesis. Of the 150 or
so available commands, we use only 50; only 30 get regular use. Some of the
commands available are very specialized; they apply in specific cases which
do not seem to have materialized within the context of this work. Doing
proofs with the “primitive” proof commands that do small-scale changes
tends to be easier to understand and less fragile in the long run.
254 A.5 Proofs
When we report amounts of proof effort in this thesis, this refers to the
number of proof steps used. Clearly, using more specialized proof com-
mands (if they apply) would reduce the apparent amount of effort required.
Chapter 5 shows how writing commands that are specific to the kind of
proofs one is doing (much like the non-primitive commands in PVS which
apply in specific cases) can reduce the effort considerably.
Bibliography
[1] Advanced Micro Devices, Inc. Technical Manual Am8530H/Am85C30
Serial Communications Controller, 1992.
[2] Bowen Alpern and Fred B. Schneider. Recognizing safety and liveness.
Distributed Computing, 2(3):117–126, 1987.
[3] R. Alur and D.L. Dill. A theory of timed automata. Theoretical Com-
puter Science, 126:183–235, 1994.
[4] R. Alur and T.A. Henzinger, editors. Proceedings of the 8th Interna-
tional Conference on Computer Aided Verification, New Brunswick, NJ,
USA, volume 1102 of Lecture Notes in Computer Science. Springer-
Verlag, July/August 1996.
[5] A. Annichini, E. Asarin, and A. Bouajjani. Symbolic techniques for para-
metric reasoning about counter and clock systems. In E.A. Emerson
and A.P. Sistla, editors, Proceedings of the 12th International Confer-
ence on Computer Aided Verification, volume 1855 of Lecture Notes in
Computer Science, pages 419–434. Springer-Verlag, 2000.
[6] Myla Archer and Constance Heitmeyer. Human-style theorem proving
using PVS. In E. Gunter and A. Felty, editors, Theorem Proving in
Higher Order Logics (TPHOLs’97), pages 33–48. LNCS 1275, Springer-
Verlag, 1997.
[7] Myla Archer, Constance Heitmeyer, and Elvinia Riccobene. Using
TAME to prove invariants of automata models: Two case studies. In
Proc. Third ACM Workshop on Formal Methods in Software Practice
(FMSP’00), pages 25–36, August 2000.
255
256 Bibliography
[8] Myla Archer, Constance Heitmeyer, and Steve Sims. TAME: A PVS
interface to simplify proofs for automata models. In User Interfaces
for Theorem Provers, Eindhoven, The Netherlands, 1998.
[9] David Aspinall. Proof general. http://proofgeneral.inf.ed.ac.uk/.
[10] J. Bengtsson, W.O.D. Griffioen, K.J. Kristoffersen, K.G. Larsen, F. Lars-
son, P. Pettersson, and Wang Yi. Verification of an audio protocol with
bus collision using UPPAAL. In Alur and Henzinger [4], pages 244–256.
[11] S. Bensalem, M. Bozga, J.C. Fernandez, L. Ghirvu, and Y. Laknech.
A transformational approach for generating non-linear invariants. In
J. Palsberg, editor, SAS, volume 1824 of Lecture Notes in Computer
Science, pages 58–74. Springer, 2000.
[12] S. Bensalem, Y. Lakhnech, and H. Saidi. Powerful techniques for the
automatic generation of invariants. In Alur and Henzinger [4], pages
323–335.
[13] Yves Bertot and Pierre Castéran. Interactive Theorem Proving and Pro-
gram Development. Texts in Theoretical Computer Science. An EATCS
Series. Springer Verlag, 2004.
[14] D.J.B. Bosscher, I. Polak, and F.W. Vaandrager. Verification of an au-
dio control protocol. In H. Langmaack, W.-P. de Roever, and J. Vy-
topil, editors, Proceedings of the Third International School and Sym-
posium on Formal Techniques in Real-Time and Fault-Tolerant Sys-
tems (FTRTFT’94), Lübeck, Germany, September 1994, volume 863 of
Lecture Notes in Computer Science, pages 170–192. Springer-Verlag,
1994.
[15] R.S. Boyer and J.S. Moore. A Computational Logic Handbook. Aca-
demic Press, New York, 1988.
[16] M. Bozga, C. Daws, O. Maler, A. Olivero, S. Tripakis, and S. Yovine. Kro-
nos: A Model-Checking Tool for Real-Time Systems. In A.J. Hu and M.Y.
Vardi, editors, Proceedings of the 10th International Conference on
Computer Aided Verification, Vancouver, BC, Canada, volume 1427 of
Lecture Notes in Computer Science, pages 546–550. Springer-Verlag,
June/July 1998.
Bibliography 257
[17] D. Chkliaev, Jozef Hooman, and E. de Vink. Verification and improve-
ment of the sliding window protocol. In Proceedings TACAS’03, volume
2619, pages 113–127. Lecture Notes in Computer Science, Springer-
Verlag, 2003.
[18] A. Collomb–Annichini and M. Sighireanu. Parameterized reachability
analysis of the IEEE 1394 Root Contention Protocol using TReX. In
P. Pettersson and S. Yovine, editors, Proceedings of the Workshop on
Real-Time Tools (RT-TOOLS’2001), 2001.
[19] Coq theorem prover website. http://coq.inria.fr/.
[20] Flaviu Cristian. Probabilistic clock synchronization. Distributed Com-
puting, 3:146–158, 1989.
[21] J. Crow and B. Di Vito. Formalizing space shuttle software require-
ments: Four case studies. ACM Transactions on Software Engineering
and Methodology, 7(3):296–332, 1998.
[22] David Cyrluk. Microprocessor verification in PVS: A methodology and
simple example. Technical Report SRI-CSL-93-12, Computer Science
Laboratory, SRI International, Menlo Park, CA, dec 1993.
[23] C. Daws and S. Yovine. Two examples of verification of multirate timed
automata with KRONOS. In Proceedings of the 16th IEEE Real-Time
Systems Symposium (RTSS’95), Pisa, Italy, pages 66–75. IEEE Com-
puter Society Press, December 1995.
[24] J.W. de Bakker, C. Huizing, W.P. de Roever, and G. Rozenberg, editors.
Proceedings REX Workshop on Real-Time: Theory in Practice, Mook,
The Netherlands, June 1991, volume 600 of Lecture Notes in Computer
Science. Springer-Verlag, 1992.
[25] Adriaan de Groot. Research and PVS code website. http://research.
englishbreakfastnetwork.org/.
[26] Adriaan de Groot and Jozef Hooman. Analyzing the light-control sys-
tem with PVS. The Light-Control Case Study: Problem Description,
6(7):621–649, August 2000.
258 Bibliography
[27] Adriaan de Groot and Jozef Hooman. Analyzing the light control system
with PVS. Journal of Universal Computer Science, 6(7):621–649, 2000.
[28] Bruno Dutertre. Manip: A strategy package for PVS. http://shemesh.
larc.nasa.gov/people/bld/manip.html.
[29] Ansgar Fehnker. Citius, Vilius, Melius: Guiding and Cost-Optimality in
Model Checking of Timed and Hybrid Systems. PhD thesis, University
of Nijmegen, April 2002.
[30] O. Florescu, J. Huang, J. Voeten, and H. Corporaal. Towards stronger
property preservation in real-time systems synthesis. Technical Report
ESR-2006-02, Eindhoven University of Technology, 2006.
[31] W.O.D. Griffioen. Studies in Computer Aided Verification of Protocols.
PhD thesis, University of Nijmegen, May 2000.
[32] D. Harel. Statecharts: a visual approach to complex systems. Science
of Computer Programming, 8(3):231–274, 1987.
[33] K. Havelund, A. Skou, K.G. Larsen, and K. Lund. Formal modelling
and analysis of an audio/video protocol: An industrial case study using
Uppaal. In Proceedings of the 18th IEEE Real-Time Systems Sympo-
sium, pages 2–13. IEEE Computer Society Press, 1997.
[34] M. Heimdahl and N. Leveson. Completeness and consistency in hi-
erarchical state-based requirements. IEEE Transactions on Software
Engineering, 22(6):363–377, 1996.
[35] Mats P. E. Heimdahl and Barbara J. Czerny. Using PVS to analyze hier-
archical state-based requirements for completeness and consistency.
In Proc. of the IEEE High Assurance Systems Engineering Workshop
(HASE’96). IEEE, October 1996.
[36] T.A. Henzinger, Z. Manna, and A. Pnueli. Timed transition systems. In
de Bakker et al. [24], pages 226–251.
[37] T.A. Henzinger, J. Preussig, and H. Wong-Toi. Some lessons from the
HyTech experience. In Proceedings of the 40th Annual Conference on
Decision and Control (CDC), pages 2887–2892. IEEE Press, 2001.
Bibliography 259
[38] P.-H. Ho and H. Wong-Toi. Automated analysis of an audio control pro-
tocol. In P. Wolper, editor, Proceedings of the 7th International Confer-
ence on Computer Aided Verification, Liège, Belgium, volume 939 of
Lecture Notes in Computer Science. Springer-Verlag, June 1995.
[39] J. Hooman and M.B. van der Zwaag. A semantics of communicating
reactive objects with timing. In Proceedings SVERTS Workshop of
the Sixth International Conference on the Unified Modeling Language,
UML 2003, 2003.
[40] Jozef Hooman. Compositional verification of a distributed real-time
arbitration protocol. Real-Time Systems, 6(2):173–205, 1994.
[41] J. Huang, J.P.M. Voeten, and M.C.W. Geilen. Real-time property preser-
vation in approximations of timed systems. In Proceedings of the first
ACM and IEEE International Conference on Formal Methods and Mod-
els for Co-Design (MEMOCODE), pages 163–171. IEEE Computer So-
ciety Press, 2003.
[42] E.-M.G.M. Hubbers and M.D. Oostdijk. Generating JML specifications
from UML state diagrams. In Proceedings of forum on specification
and design languages, ECSI CD-ROM, pages 263–273, 2003.
[43] Marieke Huisman. Reasoning about JAVA programs in higher order
logic with PVS and Isabelle. PhD thesis, University of Nijmegen, Febru-
ary 2001.
[44] T.S. Hune, J.M.T. Romijn, M.I.A. Stoelinga, and F.W. Vaandrager. Linear
parametric model checking of timed automata. Journal of Logic and
Algebraic Programming, 52-53:183–220, 2002.
[45] D.V. Hung. Modelling and verification of biphase mark protocols us-
ing PVS. In Proceedings of the International Conference on Appli-
cations of Concurrency to System Design (CSD’98), Aizu-wakamatsu,
Fukushima, Japan, March 1998, pages 88–98. IEEE Computer Society
Press, 1998.
[46] D.V. Hung and Ko Kwang II. Verification via digitized models of real-
time hybrid systems. In Proceedings Asia-Pacific Software Engineering
Conference (APSEC’96), pages 4–15. IEEE Computer Society Press,
1996.
260 Bibliography
[47] IEEE. IEEE Std. 610.12-1990, Standard Glossary of Software Engi-
neering Terminology. Institute of Electrical & Electronics Engineers,
1990.
[48] The Institute of Electrical and Electronics Engineers, Inc. IEEE Stan-
dard Backplane Bus Specification for Multiprocessor Architectures:
Futurebus, 1988.
[49] Intel Corporation. Microcommunications, 1991. Intel Literature Sales,
P.O. Box 7641, Mt. Prospect, IL 60056-7641.
[50] S. Ivanov and W.O.D. Griffioen. Verification of a biphase mark pro-
tocol. Report CSI-R9915, Computing Science Institute, University of
Nijmegen, August 1999.
[51] Stefan Jähnichen, Jeff Kramer, Michel Lemoine, and Martin Wirsing,
editors. Dagstuhl Seminar 01221, Can Formal Methods Cope with
Software-Intensive Systems? Dagstuhl-Seminar-Report 308, 2001.
http://www.dagstuhl.de/01221/.
[52] D.K. Kaynar, N.A. Lynch, R. Segala, and F.W. Vaandrager. The Theory
of Timed I/O Automata. Morgan & Claypool, 2006.
[53] Y. Kesten and A. Pnueli. Timed and hybrid statecharts and their textual
representation. In J. Vytopil, editor, Formal Techniques in Real-Time
and Fault-Tolerant Systems, volume 571 of Lecture Notes in Computer
Science, pages 591–619. Springer-Verlag, 1992.
[54] Fabrice Kordon and Michel (Eds.) Lemoine. Formal Methods for Em-
bedded Distributed Systems. Springer Verlag, 2004.
[55] Ron Koymans. (Real) time: A philosophical perspective. In J. W.
de Bakker, Cornelis Huizing, Willem P. de Roever, and Grzegorz Rozen-
berg, editors, REX Workshop, volume 600 of Lecture Notes in Com-
puter Science, pages 353–370. Springer, 1991.
[56] D. Richard Kuhn, Dan Craigen, and Mark Saaltink. Practical applica-
tion of formal methods in modeling and simulation, July 2003. Invited
talk at Summer Simulation Conference.
Bibliography 261
[57] Marcel Kyas, Harald Fecher, Frank S. de Boer, Mark van der Zwaag,
Jozef Hooman, Tamarah Arons, and Hillel Kugler. Formalizing UML
models and OCL constraints in PVS. In Semantic Foundations of Engi-
neering Design Languages (SFEDL), number 115 in Electronic Notes
in Computer Science, pages 39–47. Elsevier, 2004.
[58] Leslie Lamport. Proving the correctness of multiprocess programs.
IEEE Trans. Software Eng., 3(2):125–143, 1977.
[59] K. G. Larsen, P. Pettersson, and W. Yi. Uppaal in a Nutshell. Int. Journal
on Software Tools for Technology Transfer, 1(1–2):134–152, October
1997.
[60] Kim Guldstrand Larsen, Paul Pettersson, and Wang Yi. UPPAAL in a
nutshell. International Journal on Software Tools for Technology Trans-
fer, 1(1-2):134–152, 1997.
[61] Light-control case study: Questions and answers, 1999. http://vs.
informatik.uni-kl.de/activities/recs/qna/qna.html.
[62] N. Leveson, M. Heimdahl, H. Hildreth, and J. Reese. Requirements
specification for process-control systems. IEEE Transactions on Soft-
ware Engineering, 20(9):684–707, 1994.
[63] N. Leveson, M. Heimdahl, H. Hildreth, J. Reese, and R. Ortega. Ex-
periences using Statecharts for a system requirements specification.
In Proc. 6th Workshop on Software Specification and Design, pages
31–41. IEEE Computer Society Press, 1991.
[64] Hongping Lim, Dilsun Kaynar, Nancy Lynch, and Sayan Mitra. Trans-
lating timed i/o automata specifications for theorem proving in pvs. In
Proceedings of Formal Modelling and Analysis of Timed Systems (FOR-
MATS’05), volume 3829 of LNCS, Uppsala, Sweden, September 2005.
Springer.
[65] N.A. Lynch and M.R. Tuttle. An introduction to input/output automata.
CWI Quarterly, 2(3):219–246, September 1989.
[66] N.A. Lynch and F.W. Vaandrager. Action transducers and timed au-
tomata. Report CS-R9460, CWI, Amsterdam, November 1994. Also,
262 Bibliography
Technical Memo MIT/LCS/TM-480.b, Laboratory for Computer Sci-
ence, Massachusetts Institute of Technology, Cambridge, MA, October
1994.
[67] N.A. Lynch and F.W. Vaandrager. Action transducers and timed au-
tomata. Formal Aspects of Computing, 8(5):499–538, 1996.
[68] Sayan Mitra, Yong Wang, Nancy Lynch, and Eric Feron. Safety verifica-
tion of model helicopter controller using hybrid input/output automata.
In Hybrid Systems: Computation and Control (HSCC’03), Prague, the
Czech Republic, pages 259–273. Lecture Notes in Computer Science,
Springer-Verlag, 2003.
[69] Aloysius K. Mok. Coping with implementation dependencies in real-
time system verification. In de Bakker et al. [24], pages 485–501.
[70] J. Strother Moore. A formal model of asynchronous communication
and its use in mechanically verifying a biphase mark protocol. Formal
Aspects of Computing, 6(1):60–91, 1994.
[71] S. Owre, J. Rushby, N. Shankar, and F. von Henke. Formal verifica-
tion for fault-tolerant architectures: Prolegomena to the design of PVS.
IEEE Transactions on Software Engineering, 21(2):107–125, February
1995.
[72] S. Owre, N. Shankar, and J. M. Rushby. User Guide for the PVS Speci-
fication and Verification System. CSL, 1995.
[73] Terry Quatrani. Visual Modeling with Rational Rose and UML. Addison
Wesley, 1998.
[74] S. Queins, G. Zimmermann, M. Becker, M. Kronenburg, C. Peper,
R. Merz, and J. Schäfer. The Light-Control Case Study: Prob-
lem Description. Journal of Universal Computer Science, 6(7):586–
596, July 2000. http://www.jucs.org/jucs_6_7/light_control_
problem_description.
[75] J. Rumbaugh, I. Jacobson, and G. Booch. The Unified Modeling Lan-
guage - Reference Manual. Addision-Wesley, 1999.
Bibliography 263
[76] J. Rushby. Calculating with requirements. In 3rd Symposium on Re-
quirements Engineering, pages 144–146. IEEE, 1997.
[77] John Rushby. Formal methods and the certification of critical systems.
Technical Report CSL-93-7, SRI International, Menlo Park CA 94025
USA, December 1993.
[78] J. Sawada and W. A. Hunt. Processor verification with precise excep-
tions and speculative execution. In Proc. 10th International Computer
Aided Verification Conference, pages 135–146, 1998.
[79] N. Shankar. Efficiently executing PVS. Technical report, SRI Interna-
tional, Inc., Menlo Park, CA, 1999.
[80] N. Shankar. Using decision procedures with a higher-order logic. In
Theorem Proving in Higher Order Logics, volume 2152 of Lecture
Notes in Computer Science, pages 5–26. Springer Verlag, 2001.
[81] H.B. Sipma and Z. Manna. Specification and verification of controlled
systems. In H. Langmaack, W.-P. de Roever, and J. Vytopil, editors,
Proceedings of the Third International School and Symposium on For-
mal Techniques in Real-Time and Fault-Tolerant Systems (FTRTFT’94),
Lübeck, Germany, September 1994, volume 863 of Lecture Notes in
Computer Science, pages 641–659. Springer-Verlag, 1994.
[82] I. Sommerville. Software Engineering, 5/e. Addison-Wesley Publishing
Company, 1996.
[83] T. Henzinger, Z. Manna, and A. Pnueli. Towards Refining Temporal
Specifications into Hybrid Systems. In R.L. Grossmann, A. Nerode,
A.P. Ravn, and H. Rischel, editors, Hybrid Systems, volume 736, pages
60–76. Springer Verlag, 1993.
[84] H. van Thienen. It’s About Time: Using Funmath for Specification
and Analysis of Discrete Dynamic Systems. PhD thesis, University of
Nijmegen, January 1994.
[85] Frits W. Vaandrager and Adriaan de Groot. Analysis of a biphase mark
protocol with uppaaland pvs. Formal Asp. Comput., 18(4):433–458,
2006.
264 Bibliography
[86] F.W. Vaandrager and Adriaan de Groot. Analysis of a biphase mark pro-
tocol with Uppaal and PVS. Report NIII-R0445, Nijmegen Institute for
Computing and Information Sciences, University of Nijmegen, Novem-
ber 2004.
[87] F.W. Vaandrager and A.L. de Groot. Analysis of a biphase mark protocol
with Uppaal and PVS. Formal Aspects of Computing Journal, pages
Online first, DOI 10.1007/s00165–006–0008–1, 2006.
[88] J. van de Pol, Jozef Hooman, and E. de Jong. Formal requirements spec-
ification for command and control systems. In Proc. of the Conference
on Engineering of Computer-Based Systems, pages 37–44. IEEE, 1998.
[89] Mark van der Zwaag and Jozef Hooman. A semantics of communicat-
ing reactive objects with timing. STTT, Int. Journal on Software Tools
for Technology Transfer, 8(2):97–112, 2006. DOI:10.1007/s10009-005-
0207-8.
[90] J. Vitt and Jozef Hooman. Assertional specification and verification us-
ing PVS of the steam boiler control system. In J.-R. Abrial, E. Börger,
and H. Langmaack, editors, Formal Methods for Industrial Applica-
tions: Specifying and Programming the Steam Boiler Control, pages
453–472. LNCS 1165, Springer-Verlag, 1996.
[91] IBM website. “Ponder This”. http://domino.watson.ibm.com/Comm/
wwwr_ponder.nsf/challenges/July2002.html, July 2002.
[92] Luke Wildman. Requirements reformulation using formal specifica-
tion: A case study. In Charles Lakos, Robert Esser, Lars M. Kristensen,
and Jonathan Billington, editors, Formal Methods in Software Engi-
neering and Defence Systems 2002, volume 12 of Conferences in Re-
search and Practice in Information Technology, pages 75–83, Adelaide,
Australia, 2002. ACS.
[93] Victor L. Winter, Raymond S. Berg, and James T. Ringland. Bay area
rapid transit district advance automated train control system case
study description. http://www.pst.informatik.uni-muenchen.de/
dagstuhl/.
Bibliography 265
[94] Victor L. Winter, Raymond S. Berg, and James T. Ringland. Bay area
rapid transit district advance automated train control system case
study description. High integrity software, 577:115–135, 2001.
[95] William Wu. 100 prisoners and a light bulb. http://www.
ocf.berkeley.edu/~wwu/papers/100prisonersLightBulb.pdf, De-
cember 2002.
[96] Hanno Wupper. Design as the discovery of a mathematical theorem:
What designers should know about the art of mathematics. Report CSI-
R9729, Computing Science Institute, University of Nijmegen, 1997.
266 Bibliography
Samenvatting
Dit proefschrift gaat over een aanpak van een probleem bij het ontwer-
pen van software systemen. Het opstellen van de eisen waaraan zo’n sys-
teem moet voldoen is een ingewikkelde zaak. Eisen die in informele — niet-
wiskundige maar gewone — taal gesteld worden zijn weliswaar het makke-
lijkst leesbaar voor de meeste mensen, maar ze dragen niet noodzakelijk bij
tot het essentiële begrip van wat gewenst is:
We willen een klontemiggel.
Als we een precieze definitie van de klontemiggel hebben, dan kunnen we
er vast eentje maken. Maar wat is een precieze definitie? Voor wie moet
het precies zijn? Voor de programmeur van het systeem betekent ‘precies’
iets anders dan voor de klant die zo’n apparaat in de keuken wil gebruiken.
Waar de programmeur een formule wil zien zoals
∀b∈B .u(b) ⊆ b
heeft de opdrachtgever meer baat bij een langere tekst met uitleg
(1.a) Uit de klontemiggel komt hetzelfde beslag dat in de invoer-
trechter gegoten wordt, maar dan zonder de klonten.
Nu rest ons de vraag of wat de programmeur leest en wat de opdracht-
gever vertelt wel overeenkomen. Staat er hetzelfde? Los van Brouweri-
aanse overwegingen kunnen we wel aangeven hoe de formules tot stand
komen, bijvoorbeeld door uit te leggen waar de B voor staat.
Tussen het verlangen naar een klontemiggel en een formule die pre-
cies uitdrukt wat een klontemiggel hoort te doen, ligt een lange weg. Eerst
zullen wij meer details los moeten peuteren, om tot een meer gedetailleerde
267
268 Samenvatting
informele omschrijving te komen. Vanuit deze informele vereisten komen
we tot formele vereisten door middel van vertalen, verfijnen en detailleren.
Door bij te houden wat we wanneer maken en waarom kunnen we een
traceerbare vertaling doen, waardoor de vertaling aanneembaar wordt. Op-
merkingen als de volgende in het vertalingsproces doen wonderen:
In de formule stelt B het beslag voor — al het beslag dat ooit
uit de klontemiggel komt en zal komen — en er komt geen beslag
uit dat er niet in is gegoten.
(Bron: zin (1.a) van de informele eisen.)
Naast het feit dat we willen traceren waar de formules vandaan komen,
willen we ook na gaan dat de formule valide (naar waarheid) is. Daartoe
moeten we bij elke vertalingsstap nagaan of deze wel klopt. Aangezien we
vanuit een informele beschrijving naar een formule aan het vertalen zijn, is
dit geen formele bezigheid maar alweer een kwestie van overtuiging: is het
aannemelijk dat er hetzelfde staat, zij het in twee verschillende (want meer
of minder formele) talen?
Door kleine stapjes te nemen kunnen we beter zien hoe de eisen zich
ontwikkelen en beter onderbouwen dat de eisen goed zijn. Als we op het
punt komen dat we formele eisen opstellen, dan moeten we verder gaan
met formules die op grillige wijze kunnen veranderen. Wiskundig gezien
zal een meer gedetailleerde formule niet (noodzakelijk) de minder gede-
tailleerde formules impliceren. Als voorbeeld van de ontwikkeling van eisen,
de klontemiggel:
1. We willen een klontemiggel.
2. Een klontemiggel haalt klonten uit beslag.
3. Je giet beslag in een klontemiggel en het komt er zonder klontjes
uit. Er is een invoer-trechter en een uitvoer-slang; beslag gaat in de
invoer-trechter en komt uit de uitvoer-slang, zonder klontjes. Niet
meer dan één liter beslag per minuut in de klontemiggel doen.
4. ∃i:[T→P(B)].∃o:[T→P(B)].∀t∈T.o(t) ⊆ i(t) ∧ ¬klont(o(t))
In dit overzicht van hoe de eisen zich ontwikkelen zijn de eerste stappen vrij
makkelijk te volgen: er worden details toegevoegd die omschrijven wat er
in vorige eisen bedoeld werd. De vertaling naar een formule is nogal plots
Samenvatting 269
en er moet een goeie uitleg bij staan waarom dat een valide bewerking is
van de vorige eis. Bij het opstellen van zo’n verantwoording merken we dat
de opmerking “niet meer dan één liter beslag per minuut” is verdwenen bij
de vertaling. Daaruit blijkt dat de validatie niet zomaar overgeslagen mag
worden.
Er is nog een kwestie die speelt: terwijl we de eisen opstellen voor het
software systeem of voor de machine, moeten we in de gaten houden dat
het systeem ook nog ergens gebouwd moet worden. Met andere woorden,
we hebben een doel voor ogen en moeten ook nog een ontwerp maken. Net
als bij de eisen beginnen we vaak met een informeel ontwerp en komen we
uit bij een formule:
De klontemiggel heeft een invoer-trechter boven en de uitvoer-
slang onder, van roestvrij staal.
λi : [T→ P(B)], t : T . (t < 4)?ϕ : i(t− 4)− klont(i(t− 4))
Verificatie is het proces waarbij wij aantonen dat het ontwerp voldoet
aan de eisen die we gesteld hebben. Uiteindelijk willen we een bewijs
(verificatie) dat het wiskundig gestelde ontwerp voldoet aan de wiskundig
gestelde eisen. Als we weten dat het ontwerp en de eisen op valide wijze
zijn verkregen vanuit de oorspronkelijke wensen, dan kunnen we er op
vertrouwen dat het systeem zal doen wat het moet doen.
De vraag: Hoe kunnen we betere vereisten (requirements specifications)
opstellen? Kunnen bewijssystemen helpen bij het vertalen van vereisten
naar een formele(re) vorm? Kunnen we deze bewijssystemen effectief toe-
passen bij het vergaren van de vereisten van het systeem?
Hierboven wordt gesuggereerd dat een systematische aanpak met een
valide vertaling gevolgd door verificatie doeltreffend is. In dit proefschrift
ontwikkelen we een raamwerk dat gebruikt kan worden bij de vertaling
en dat ondersteuning biedt bij de uiteindelijke verificatie. Vijf studies illu-
streren het gebruik van dit raamwerk:
• De studie “Light Control Case Study” (hoofdstuk 2) behandelt de ver-
taling van vereisten door zin-voor-zin informele vereisten naar de nota-
tie van een bewijssysteem te vertalen. Dan blijken die informele vereis-
ten niet verenigbaar met elkaar te zijn — iets wat niet makkelijk te zien
is aan de informele eisen zelf.
270 Samenvatting
• De studie “Prisoners’ Release” (hoofdstuk 4) verhaalt van een groep
gevangenen die informatie moeten uitwisselen. Hier ligt de nadruk op
de verificatie van een eenvoudig protocol, net als bij de “FutureBus”
studie (eveneens hoofdstuk 4).
• In de bestudering van het “Biphase Mark Protocol” (hoofdstuk 5) ge-
bruiken we naast een bewijssysteem ook een “model checker” om te
zoeken naar optimale parameters bij een protocol. Hier gebruiken we
dus extra gereedschap om bij de vertaling van eisen de grenzen aan
te scherpen en de formulering te preciseren.
• Tot slot nemen we de trein, het BART metro-systeem dat in San Fran-
cisco rijdt. Hier vertalen wij alweer een stel informele vereisten naar
een omschrijving van het systeem en ontwerpen vervolgens een een-
voudige besturing voor de volautomatische treinstellen. De verificatie
dat de besturing veilig is vereist veel algebraïsche manipulatie, en het
blijkt dat het gekozen bewijssysteem daar niet handig in is.
De antwoorden: In dit proefschrift wordt een aanpak aanbevolen van
modellerings- en verificatiekwesties die zowel praktisch als eenvoudig is:
• lees de informele vereisten goed door,
• vertaal elk klein stukje van de vereisten in een formele taal,
• controleer die stukjes op consistentie en samenhang — dit kan al bij-
voorbeeld door ze naast elkaar in het bewijssysteem op te schrijven
en er automatische controle op toe te passen — en stel zo nodig de
formele of informele vereisten bij,
• formuleer een globale correctheidseis waaraan het geheel moet vol-
doen en verifieer dat dat zo is.
De verschillende stappen leiden onafhankelijk van elkaar tot verbeter-
ingen in de vereisten, zoals geïllustreerd wordt in de verschillende hoofd-
stukken van dit proefschrift. Doordat we de onvolkomenheden en tegen-
strijdigheden uit de vereisten weten te halen, wordt de kwaliteit en de nauw-
keurigheid van de eisen verhoogd. Met betere eisen valt betere software te
bouwen.
Samenvatting 271
Het gebruik van een bewijssysteem — in dit proefschrift PVS (Proof Veri-
fication System) van SRI, ontwikkeld door Shankar et al. [71] en gekenmerkt
door een expressieve syntax en rijke voorraad aan datatypes — helpt bij het
vertalen doordat de vereisten makkelijk geanalyseerd kunnen worden. In
de “Light Control Case Study” schrijven we elke kleine informele eis op in
de taal van PVS. Die vertaling is tamelijk eenvoudig.
Ook in de BART studie blijkt dat het gebruik van een bewijssysteem als
formeel notenapparaat helpt bij het opsporen van kleine foutjes in de in-
formele eisen. Er blijkt dat niet alle gevallen omschreven zijn. In de formele
tekst zijn die makkelijker te ontdekken dan in de informele tekst.
De effectiviteit van het gebruik van bewijssystemen bij het ontwikkelen
van eisen voor software systemen blijkt uit het feit dat we zoveel foutjes
vinden in informele tekst die er op het eerste gezicht — en zelfs bij herlezing
— goed uit ziet. We kunnen niet alleen foutjes opsporen, we kunnen een
bewijssysteem ook effectief gebruiken voor het verifiëren van vermoedens
die ontstaan door andere ontwerp technieken. Hoofdstuk 5 laat zien hoe we
de grenzen van een protocol onderzoeken en hoe we vervolgens bewijzen
dat we de grenzen hebben gevonden. Het effect hiervan is dat we een
bepaald protocol tot 10% sneller kunnen maken.
Al met al blijkt dat het gebruik van bewijssystemen bij het opstellen van
de eisen en het ontwerp van een software systeem doeltreffend is: we halen
fouten weg en stellen de eisen nauwkeuriger vast. Daar staat een aanzien-
lijke hoeveelheid specialistisch werk (het gebruik van het bewijssysteem)
tegenover; in de toekomst willen wij onderzoeken op wat voor manier we
dat werk kunnen versoepelen en automatiseren.
272 Samenvatting
Curriculum Vitæ
6 januari 1973 geboren te Calgary, Canada
1990 General Studies, University of Calgary
1991–1999 Studie Technisch Gerichte Informatica,
Radboud Universiteit Nijmegen
1998–1999 Studiecoördinator Informatica,
Radboud Universiteit Nijmegen
1999–2005 Junior Onderzoeker, later Assistent in Opleiding,
afdeling Informatica voor Technische Toepassingen,
Radboud Universiteit Nijmegen
2005–2007 Post-doc Medewerker, project CodeYard,
afdeling Security of Systems,
Radboud Universiteit Nijmegen
2006–heden Post-doc Onderzoeker, project SQO-OSS,
Athens University of Economics and Business
273

