Model Checker Aided Design of a Controller for a Wafer Scanner by Hendriks, M. et al.
PDF hosted at the Radboud Repository of the Radboud University Nijmegen
The following full text is a preprint version which may differ from the publisher's version.
For additional information about this publication click this link.
http://hdl.handle.net/2066/60423
Please be advised that this information was generated on 2017-12-06 and may be subject to change.
Model Checker Aided Design of a Controller for a Wafer Scanner*
Martijn Hendriks¹, Barend van den Nieuwelaar²†, Frits Vaandrager¹
¹ Nijmegen Institute for Computing and Information Sciences,
University of Nijmegen, The Netherlands
{martijnh,fvaan}@cs.kun.nl
² Department of Mechanical Engineering,
Eindhoven University of Technology, The Netherlands
N.J.M.v.d.Nieuwelaar@tue.nl
Abstract
For a case-study of a wafer scanner from the semiconductor industry it is
shown how model checking techniques can be used to compute (i) a simple
yet optimal deadlock avoidance policy, and (ii) an infinite schedule that
optimizes throughput. Deadlock avoidance is studied based on a simple finite
state model using SMV, and for throughput analysis a more detailed timed
automaton model has been constructed and analyzed using the UPPAAL tool.
The SMV and UPPAAL models are formally related through the notion of a
stuttering bisimulation. The results were obtained within two weeks, which
confirms once more that model checking techniques may help to improve
the design process of realistic, industrial systems. Methodologically, the case
study is interesting since two models (and in fact also two model checkers)
were used to obtain results that could not have been obtained using only a
single model (tool).
Keywords: Resource allocation systems, deadlock avoidance policy, throughput
optimization, model checking, finite and timed automata, stuttering
bisimulation.
1 Introduction
Scheduling and resource allocation problems occur in many different domains, 
for instance (1) scheduling of production lines in factories to optimize costs and 
delays, (2) scheduling of computer programs in (real-time) operating systems to 
meet deadline constraints, (3) scheduling of micro instructions inside a processor 
with a bounded number of registers and processing units, (4) scheduling of trains 
(or airplanes) over limited quantities of railway tracks and crossroads, and (5) 
mission planning for autonomous robots on spacecrafts. Typically, in each of these
*Supported by the European Community Project IST-2001-35304 (AMETIST).
†Part-time software architect at ASML, Veldhoven, The Netherlands.
domains problems are solved using different approaches and mathematical tools.
The EU IST project Ametist (see http://ametist.cs.utwente.nl/) envisages a
unifying framework for time-dependent behavior and dynamic resource allocation
that crosses the boundaries of application domains.
In the Ametist approach, components of a system are modeled as dynamical
systems with a state space and a well-defined dynamics. All that can happen in a
system is expressed in terms of behaviors that can be generated by the dynamical
systems; these constitute the semantics of the problem. Verification, optimization,
synthesis and other design activities explore and modify system structure so
that the resulting behaviors are correct, optimal, etc. Preferably, the limitations
of currently known computational solutions should not influence modeling too
much: only after the semantics of a problem is properly understood, abstractions
and specialization due to computational considerations can intervene. In such
situations, the soundness of abstractions should ideally also be proved, either via
deductive verification or model checking.
The mission of Ametist is to extend this approach, which underlies the successful
domain of formal verification, to resource allocation, scheduling and other
time-related problems. The mathematical carrier for the Ametist methodology
is the timed automaton model [2, 3], a modeling framework for discrete event
dynamical systems that can handle quantitative timing delays between events.
Some tools for model checking timed automata already exist. Model checking is
a method for formally verifying dynamical systems. Specifications about the system
are expressed as temporal logic formulas, and efficient symbolic algorithms
are used to traverse the model and to check (fully automatically) if the specification
holds or not. We aim at further improving model checking tools for timed
automata, investigating the applicability of these tools, and establishing links to
tools developed in specific domains whenever appropriate.
In this paper, as an illustration of the Ametist methodology, we use model 
checking techniques to solve the deadlock avoidance and throughput optimization 
problems for a realistic case of a wafer scanner from the semiconductor industry.
A major concern in the design of controllers for many resource allocation systems
(RASs) is deadlock, a permanently blocking condition. There are three general
ways of handling deadlock: (i) deadlock prevention, (ii) deadlock detection
and resolution, and (iii) deadlock avoidance. Deadlock prevention restricts the
system in such a way that deadlock is a priori impossible. As a consequence,
performance may be unnecessarily low. Deadlock detection and resolution, on
the other hand, is not restrictive at all and detects and resolves a deadlock at
run-time. This, however, may be very expensive. Deadlock avoidance achieves a
middle ground; it dynamically chooses the control actions to avoid the occurrence
of deadlock. In this paper, we show how a least restrictive deadlock avoidance
policy (DAP) for the wafer scanner can be easily computed using SMV, a model
checker for finite automata. This DAP can be represented by a very short predicate
over the states of the wafer scanner, which can be used by the controller for
the wafer scanner.
In addition, we use the timed automaton tool UPPAAL to define a refined model 
tha t adds timing constraints to address the issue of throughput optimization.
We relate the UPPAAL model to the SMV model via the concept of stuttering
bisimulation introduced by [5]. Since stuttering bisimulation preserves validity
of CTL formulas (without nexttime operator), all properties (and in particular
the DAP) that we established for the untimed model using SMV carry over to the
UPPAAL model. It is not possible to compute the least restrictive DAP directly for
the UPPAAL model since (a) UPPAAL does not support full CTL, and (b) the state
space of the UPPAAL model is so big that it cannot be fully explored. However,
using heuristics we are able to use the UPPAAL model checker to find infinite
schedules that optimize throughput.
Contribution. We obtained our results within two weeks, which confirms once
more that model checking may help to improve the design process of realistic,
industrial systems. Our deadlock avoidance policy computation approach is
referred to in a patent application of ASML, which shows its significance for industry.
Methodologically, the case study is interesting since two models (and in fact also
two model checkers) were used to obtain results that could not have been obtained
using only a single model (tool). Our approach illustrates once more that building
models that are just abstract enough for addressing a specific question often
provides a way to deal with the state space explosion problem. The SMV and
UPPAAL models are formally related through the notion of a stuttering bisimulation.
We are not aware of other work that addresses both deadlock avoidance and
throughput optimization in (what essentially is) a single framework.
Related work. Other papers in which model checking tools are used to solve
scheduling problems include a case study in which a control schedule for a smart
card personalization system is synthesized using the SMV model checker [10], and a
case study in which the UPPAAL model checker is used to find feasible schedules for
a steel plant [9]. The present work is a follow-up on [4], which considers the same
example as the present paper and uses suboptimal deadlock prevention heuristics
to generate schedules that are not guaranteed to be optimal. The present work,
however, gives a least restrictive (and thus optimal) deadlock avoidance policy and
a schedule that optimizes stationary throughput in the absence of errors.
Much research has been devoted to deadlock avoidance in RASs, see for instance
[17, 18]. Discouraged by the NP-completeness of optimal deadlock avoidance
for many RAS classes, see for instance [13], this kind of work generally focuses
either on computation of suboptimal but polynomial DAPs or on optimal policies
for very specific subclasses. Much of this work uses the Petri net formalism [16]
for the modeling and analysis of RASs.
In [11] a deadlock free controller is constructed by an iterative process. The
parallel composition of the controller and the plant is checked against deadlock
by SMV. If a deadlock state is found, then the controller is adjusted to exclude
the counterexample and the verification is run again. Otherwise, the controller is
deadlock free. Finally, the work presented in [20] deals with verification of several
DAPs using SMV.
Outline. First, Section 2 informally presents the case study. Section 3 then
presents the SMV model and shows two ways of obtaining an exact characterization
of the set of safe states using SMV. In Section 4, a UPPAAL model of
the wafer scanner is proposed and infinite schedules which optimize throughput
are computed. Finally, Section 5 draws some conclusions and gives directions
for future work. The full SMV and UPPAAL models are available at the URL
http://www.cs.kun.nl/ita/publications/papers/martijnh/.
2 The EUV Machine
Lithographic machines, called wafer scanners, are used within the semiconductor 
industry to project chip designs on slices of silicon which are called wafers. A key 
performance characteristic of wafer scanners is throughput. In order to maximize 
throughput, a controller must have a strategy that optimizes throughput in the 
absence of errors. Moreover, no deadlock may ever arise since resolution of the 
deadlock means that the machine is off-line for a relatively long period (or at least 
has a suboptimal throughput).
Figure 1 schematically depicts a possible design of the wafer flow within an 
Extreme Ultra Violet machine (EUV machine), which is a particular type of wafer 
scanner that is currently being developed by ASML (EUV refers to the kind of 
radiation that is used to expose the wafers). The inside of an EUV machine is
kept in vacuum as EUV light is absorbed by a
The wafer flow is as follows. First, the track robot (which is not shown) puts a
wafer in one of the four locks. This lock is depressurized, and then the wafer is
picked up by one of the two internal robots. Each internal robot has two arms that
can each hold a wafer and that are opposite to each other. The internal robot turns
and puts the wafer on the closest chuck, which is in the so-called “measure position”.
The wafer is measured and a chuck swap is performed. The chuck with the measured
wafer now is in the “expose position” and the wafer is exposed. After another chuck
swap, the exposed wafer is picked up by one of the internal robots which turns and
puts it in a depressurized lock. After the lock has been pressurized, the track robot
removes the exposed wafer from the machine. Each wafer thus has a fixed recipe for
its route: lock - internal robot - chuck - internal robot - lock. There is a choice
which locks, internal robots and chucks are used by a wafer. An obvious question
that arises is why we do not let the unexposed wafers flow through the upper two
locks and let the exposed wafers exit through the lower two locks. In that case there
are no crossing material paths, which means that no deadlock is possible.
The answer is twofold. First, if locks are unidirectional then filling the machine
from the initial, empty, state takes unnecessarily long. Second, if locks are
unidirectional then the depressurization operation might become critical instead of
the exposure, since depressurization takes more than twice as long as exposure. This
Figure 1: Wafer paths within the EUV machine (locks, internal robots, chucks).
is bad, since the lens which is used during the exposure is the most expensive part
of the wafer scanner and must therefore have a maximal utilization. In Section 4,
we will prove that indeed the exposure operation has maximal utilization in the
design of Figure 1.
A typical example of a deadlock situation in the EUV machine would be a
state in which all four robot arms hold unprocessed wafers, and both chucks hold
processed wafers. A controller for the EUV machine should ensure that no such
deadlock situation can ever be reached. The problem of finding such a control
strategy is commonly referred to as the deadlock avoidance problem. The EUV
machine is a disjunctive RAS according to the taxonomy of [14]. Instead of the
traditional Petri net or graph based approaches to solving the deadlock avoidance
problem, we will show in the next section how it can be tackled using the SMV
model checker.
3 A Least Restrictive Deadlock Avoidance Policy
In this section, after a (very) brief introduction into SMV, we present our SMV
model of the EUV machine, discuss how one can formalize the notion of deadlock
as a temporal logic formula, and present the deadlock avoidance policy that we
synthesized using SMV. The reader is referred to [7] and [15] for an extensive
introduction into model checking and SMV.
3.1 SMV
In the approach supported by the SMV model checker, a system is modeled as
a finite transition system, i.e. as a tuple $(S, s_{\mathit{init}}, \to)$ where $S$ is a finite set of
states, $s_{\mathit{init}}$ is the initial state, and $\to \subseteq S \times S$ is the transition relation. We write
$s \to s'$ instead of $(s, s') \in \to$. A state is defined as a valuation of a number of state
variables. The value of state variable $v$ in state $s$ is denoted by $s(v)$. Furthermore,
$s[v := c]$ denotes the state that is obtained by updating the value of $v$ in state
$s$ to $c$. A path of a transition system is a sequence $s_0 s_1 s_2 \cdots$ such that for all $i$,
$s_i \to s_{i+1}$. A state is reachable if it occurs on some path that starts in $s_{\mathit{init}}$.
In SMV, specifications are described in Computation Tree Logic (CTL), a
branching time temporal logic. Below some examples of CTL formulas are given,
which should be sufficient to understand the present paper. The basic building
blocks of CTL are atomic formulas, which denote functions from the set of states
to {true, false}. For instance, if $p$ is a state variable, then $p = 2$ is an atomic
formula, which denotes the function from states to {true, false} that maps a state
$s$ to true iff $s(p) = 2$. In this case, we say state $s$ satisfies formula $p = 2$, notation
$s \models (p = 2)$. Every atomic formula is a state formula. State formulas can be
combined with Boolean connectives and path operators. We show three path
operators that are relevant for this paper. First, if $\phi$ is a state formula, then $AG(\phi)$
also is a state formula. A state $s$ satisfies $AG(\phi)$, denoted by $s \models AG(\phi)$, if for
all paths $s_0 s_1 s_2 \ldots$ with $s = s_0$, and for all $i \geq 0$, $s_i \models \phi$. Second, if $\phi$ is a state
formula, then $EF(\phi)$ is also a state formula. We define $s \models EF(\phi)$ if there exists
a path $s_0 s_1 s_2 \ldots$ such that $s = s_0$ and $s_i \models \phi$, for some $i \geq 0$. Finally, if $\phi$ is a
module main ()
{
  -- state variables
  l : array 0..3 of {e,r,g};
  rb: array 0..1 of array 0..1 of {e,r,g};
  c : array 0..1 of {e,r,g};
  -- initialization
  for (i=0; i<4; i=i+1)
    init(l[i]) := e;
  for (i=0; i<2; i=i+1)
    for (j=0; j<2; j=j+1)
      init(rb[i][j]) := e;
  for (i=0; i<2; i=i+1)
    init(c[i]) := e;
  -- system dynamics
  for (i=0; i<4; i=i+1)
    tl[i]: process entry_exit(l[i]);
  for (i=0; i<4; i=i+1)
    for (j=0; j<2; j=j+1)
      lr[i][j]: process move(l[i], rb[(i<2?0:1)][j]);
  for (i=0; i<2; i=i+1)
    for (j=0; j<2; j=j+1)
      for (k=0; k<2; k=k+1)
        rc[i][j][k]: process move(rb[i][j], c[k]);
  for (i=0; i<2; i=i+1)
    exp[i]: process expose(c[i]);
}
Figure 2: SMV model of EUV machine (main module).
state formula, then $EG(\phi)$ also is a state formula. We define $s \models EG(\phi)$ if there
exists a path $s_0 s_1 s_2 \ldots$ with $s = s_0$ such that for all $i \geq 0$, $s_i \models \phi$.
3.2 An SMV Model of the EUV Machine
The EUV machine can be modeled conveniently and concisely in SMV. In fact,
the full code is displayed in Figure 2.
For each of the 10 positions in the machine our model contains a state variable:
an array l of size 4 for the locks, a 2-dimensional array rb of size 2 x 2 for the
robots, and an array c of size 2 for the chucks. These state variables can either
take value e (empty), which means that the position is empty, value r (red), which
means that the position is occupied by an unexposed wafer, or g (green), which
means that the position is occupied by an exposed wafer. Initially, the machine is
completely empty and all state variables have value e.
To model the system dynamics, i.e., the movement and exposure of wafers,
we introduce 22 asynchronous processes, which are executed in an interleaving
fashion:
• For each of the 4 locks i we have process tl[i], which may either put an
unexposed wafer in lock i if it is empty, or move an exposed wafer from
the lock to the track robot. In the definition of process tl[i] we use an
auxiliary function entry_exit that describes the state change that results
from running this process.
• For each of the 16 pairs of positions i, j such that i is on the left of j and
a wafer can move directly from i to j (or back), we introduce a process
that takes care of moving unexposed wafers from i to j, and exposed wafers
from j back to i. In the definition of these processes we use a function
move(lft, rgt) that describes the state change that results from moving a
wafer from lft to rgt or vice versa.
• For each of the 2 chucks i we introduce a process exp[i] that models exposure
of the wafer. An auxiliary function expose describes the state change that
results from exposing the wafer at position p: the value of the corresponding
state variable changes color from r (red) to g (green).
module entry_exit (p)
{
  if (p=e)
    next(p) := r;
  else if (p=g)
    next(p) := e;
}
module move (lft,rgt)
{
  if (lft=r && rgt=e)
  {
    next(lft) := e;
    next(rgt) := r;
  }
  else if (lft=e && rgt=g)
  {
    next(lft) := g;
    next(rgt) := e;
  }
}
module expose (p)
{
  if (p=r)
    next(p) := g;
}
Figure 2 (continued): the auxiliary modules entry_exit, move and expose.
In the SMV model we abstract from the turning of internal robots. So a wafer
can be picked up by both arms of an internal robot (possibly, the robot first has
to turn). Similarly, the SMV model abstracts from chuck swaps and the measure
operation. In Section 4, we present a more detailed model of the EUV machine in
which we do not abstract from these aspects.
As it turns out, our SMV model has 57116 reachable states, which is close to
the total number of states, which equals $3^{10} = 59049$. An example of an unreachable
state is one in which the machine is completely filled with exposed wafers.
Transition systems of this size can very easily be handled by SMV and the computer
hardware that is available today. In fact, SMV routinely handles systems
with $10^{20}$ states and beyond, so we expect that our approach can also be applied
to considerably larger designs.
3.3 Defining Deadlock and Safety in SMV
Standard textbooks on operating systems, e.g. [19], state four conditions for deadlock
in systems that consist of processes that compete for resources. The first
three conditions concern the model itself and are necessary, and the fourth condition
concerns the states of the model and is necessary and sufficient when the
first three are met:
1. Mutual exclusion: only one process may use a resource at a time.
2. Hold and wait: a process may hold allocated resources while awaiting assignment
of others.
3. No preemption: no resource can be forcibly removed from a process that is
holding it.
4. Circular wait: a closed chain of processes exists such that each process holds
at least one resource needed by the next process in the chain.
In the EUV machine, the wafers are the processes and they compete for the
positions in the machine that constitute the resources. Clearly, the EUV machine
satisfies the first three conditions for deadlock. The fourth condition, which thus
is necessary and sufficient for deadlock, can be formalized with help from a needs
function, that specifies for each wafer the set of positions it may move to. Let
$P$ denote the set of positions in the EUV machine. For $p \in P$ and $c \in \{r, g\}$,
we define $\mathit{needs}(p, c) \subseteq P$ to be the set of positions (different from $p$) to which
a wafer with color $c$ at position $p$ may move next. In particular, for $p$ a chuck,
$\mathit{needs}(p, r) = \mathit{needs}(p, g) = R$, where $R$ is the set of positions of the internal
robots. If $s$ is a state and $p$ a position then we use $\mathit{needs}_s(p)$ as an abbreviation
for $\mathit{needs}(p, s(p))$. The circular wait property can now be defined as follows.
Definition 3.1 (Circular wait) A state $s$ has a circular wait in $Q \subseteq P$ iff, for
all $q \in Q$,
$$s(q) \neq e \;\wedge\; \emptyset \neq \mathit{needs}_s(q) \subseteq Q.$$
It is not possible to directly formulate the circular wait property in terms of
CTL, so some encoding is required. The basic idea is that the machine has a
circular wait in a subset $Q$ of positions iff the wafers in $Q$ will never be able to
move again. Observe that if in our model a transition $s \to s'$ moves a wafer from
place $p$ to place $p'$, then $p$ is empty in $s'$. Thus, the property that some wafer
cannot move anymore can be formalized in CTL as follows.
Definition 3.2 (Jam) A position $p$ is jammed in state $s$ iff $s \models AG(p \neq e)$. A
state $s$ is jammed iff some position is jammed in $s$.
Proposition 3.5 below asserts the equivalence of the circular wait and jammed 
properties, thereby providing us with a way to express deadlocks in CTL. In order 
to prove the proposition, we need two technical lemmas stating that (a) circular 
waits are preserved by the transition relation, (b) if a position p is jammed then 
also any position to which the wafer at p may move next is jammed. We prove 
Proposition 3.5 and the technical lemmas only for our model of the EUV machine, 
but from the proofs it should be clear that these results can be generalized to a
whole class of resource allocation problems.
Lemma 3.3 Suppose that state $s$ has circular wait in $Q$ and $s \to s'$. Then state
$s'$ has circular wait in $Q$.
Proof. We consider three cases, corresponding to different types of transitions:
• If a process entry_exit takes a step, then this does not involve any position
in $Q$: entry of a new wafer on positions in $Q$ is not possible since all these
positions are filled; also exit of a wafer in $Q$ is not possible since for all
positions $q \in Q$ we have $\mathit{needs}_s(q) \neq \emptyset$. Since none of the variables in $Q$
is modified, the fact that $s$ has circular wait in $Q$ implies that also state $s'$
has circular wait in $Q$.
• Also if a process move takes a step then this does not involve any position
in $Q$: entry of a new wafer on positions in $Q$ is not possible since all these
positions are filled; also exit of a wafer in $Q$ is not possible since for all
positions $q \in Q$ we have $\mathit{needs}_s(q) \subseteq Q$. Hence the circular wait property
is preserved by the transition.
• If a process expose takes a step, then this does not affect emptiness of
positions, nor the value of the needs set. Hence the circular wait property is
preserved by the transition, and also $s'$ has circular wait in $Q$. ■
Lemma 3.4 Suppose position $p$ is jammed in state $s$ and $p' \in \mathit{needs}_s(p)$. Then
position $p'$ is jammed in $s$.
Proof. By contradiction. Suppose $p'$ is not jammed. Then there exists a path
on which eventually $p'$ is empty. If in this path, directly after $p'$ becomes empty,
we schedule a transition that empties $p$ (this is possible since $p' \in \mathit{needs}_s(p)$), we
obtain a path in which eventually $p$ is empty. But we assumed no such path exists.
Contradiction. ■
Proposition 3.5 A state has a circular wait in some $Q$ if and only if it is jammed.
Proof.
(⇒) Assume that state $s$ has a circular wait in $Q$. Pick an element $q \in Q$ (this
exists since $s$ has circular wait in $Q$). By Lemma 3.3, any state $s'$ reachable
from $s$ in zero or more steps has circular wait in $Q$. Hence, $s' \models (q \neq e)$. It
follows that $s \models AG(q \neq e)$. Therefore, state $s$ is jammed.
(⇐) Assume that state $s$ is jammed. Then there exists a position $q$ such that $q$ is
jammed in $s$. Define $Q$ to be the least fixed point $\mu Q.(\{q\} \cup \mathit{needs}_s(Q))$. Then,
by construction, $\mathit{needs}_s(q') \subseteq Q \neq \emptyset$ for all $q' \in Q$. By Lemma 3.4, using an inductive
argument, it follows that all positions in $Q$ are jammed in $s$. This implies
in particular that, for all $q \in Q$, $s(q) \neq e$ and $\mathit{needs}_s(q) \neq \emptyset$ (the latter
inequality follows because if $\mathit{needs}_s(q) = \emptyset$ this implies that $q$ is a lock that
is filled with an exposed wafer, so $q$ can be emptied in a single transition,
which contradicts the assumption that $q$ is jammed). It now follows that
state $s$ has a circular wait in $Q$. ■
In the remainder of this paper, we will say that a state is deadlocked if it
has circular wait, i.e., if it is jammed. The question that we need to answer
is whether and how we can prevent the system from entering a deadlocked state.
In Dijkstra's paper on the banker's algorithm [8], the first published deadlock
avoidance algorithm, a state is defined to be safe if “all processes can be run to
completion”. In our case, the wafers are the processes and “a wafer is run to
completion” if it exits the machine. Thus, Dijkstra's definition can be translated
to CTL as follows.
Definition 3.6 (Safe states) A state $s$ is safe iff $s \models EF\big(\bigwedge_{p \in P} (p = e)\big)$.
Note that in general safe and not being deadlocked are different things. If a
state $s$ is not deadlocked then $s \models \bigwedge_{p \in P} EF(p = e)$, i.e., each individual position
can be emptied, but it need not be the case that all positions can be emptied
simultaneously. If a state is deadlocked it is unsafe, but if it is unsafe it need not
be deadlocked. However, in many cases and (according to SMV) in particular for
our model of the EUV machine, the following property does hold¹:
$$AG(\mathit{safe} \leftrightarrow EG\,\neg\mathit{deadlock}). \quad (1)$$
This formula suggests a simple least restrictive deadlock avoidance policy (DAP):
just keep the system in a safe state. This policy can be realized for the EUV
machine. Every non-initial safe state has at least one safe successor (different
from itself), otherwise it would not be possible to return to the initial state.
In addition, we verified using SMV that all successors of the initial state are again
safe.
3.4 A Least Restrictive DAP
In order to actually build a controller that always keeps the system in a safe state,
it would clearly be very helpful to have a simple, yet exact characterization of the
set of safe states. We see two ways to obtain such a characterization.
1. When checking whether the initial state is safe, SMV computes a binary
decision diagram (BDD, see [6]) which provides a compact representation
of the set of safe states. With the available SMV releases it is not possible
to get the BDD out. However, since there is an open-source distribution
available solving this problem should just be a matter of programming.
2. The set of safe states can be manually characterized by the following iterative
procedure:
$S := \mathit{true}$
while $s_{\mathit{init}} \not\models AG(\mathit{safe} \leftrightarrow S)$:
    $S := S \wedge \neg C$
where $C$ is the characterization of the last state of the counterexample that
is generated by SMV.
¹In fact, in the EUV machine a state is safe if and only if it has no deadlock. It is easy to
come up with variations of the machine with states that are not safe and not deadlocked, for
example a design in which the internal robots only have one arm. In such cases, in order to make
formula (1) hold, we need to require weak fairness for all processes in the SMV model to exclude
runs in which no progress is made due to infinite stuttering of some components.
Figure 3: The four possible unsafe scenarios (modulo symmetry) in the EUV machine.
The first approach enables a least restrictive DAP with linear time complexity, 
since checking whether a state is included in a BDD takes O(n) operations, where n 
is the number of booleans from which the BDD is composed (20 in case of the EUV 
machine). The size of the BDD, however, can in the worst case be exponential 
in the number of booleans. A second drawback is tha t it can be difficult to 
derive individual unsafe and/or deadlock situations from a BDD, which may be 
required during the design phase of the system. The second approach can quickly 
become practically infeasible since all unsafe states are explicitly enumerated. If 
it is carried out manually, however, then it might be possible to abstract from 
irrelevant state information and to visualize the various unsafe situations in the 
system. This technique has been used to characterize the safe states of the EUV 
machine. With five iterations, we found four unsafe situations, depicted in Figure
3, which happen to characterize all deadlocks. A right-pointing arrow represents 
a red wafer, a left-pointing arrow represents a green wafer, and a black square 
represents a red or green wafer. The predicate S that exactly characterizes the 
set of safe states is the negation of the situations shown in Figure 3, and which 
are described by predicates d1, d2, d3 and d4 in Figure 4.
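The following Python script is an added worked example; it is not code from the paper, its authors or ASML. It builds the transition system of the SMV model of Figure 2 explicitly (all $3^{10}$ states), computes the reachable states, the safe states of Definition 3.6 (backward reachability from the empty state, i.e. $EF(\mathit{empty})$), the jammed states of Definition 3.2 (some position $p$ with $AG(p \neq e)$, obtained as the complement of $EF(p = e)$) and the circular-wait states of Definition 3.1 (via the least fixed point used in the proof of Proposition 3.5), and then rechecks the five SPECs of Figure 4 and the two successor properties on which the DAP relies. The position indexing (locks 0-3, robot-0 arms 4-5, robot-1 arms 6-7, chucks 8-9) is the example's own convention; the needs function and the predicates d1-d4 are transcribed from Sections 3.3 and 3.4. Stuttering steps of processes whose guard is false are omitted, which changes neither reachability nor any of the properties checked.

```python
"""Explicit-state analysis of the SMV model of Figure 2 (added example, not the paper's
code). A state is a 10-tuple over {e,r,g}: locks 0-3, robot-0 arms 4-5, robot-1 arms 6-7,
chucks 8-9 (this indexing is the example's own convention, not the paper's)."""
from collections import deque
from functools import lru_cache
from itertools import product

E, R, G = "e", "r", "g"
LOCKS, ARMS, CHUCKS = (0, 1, 2, 3), ((4, 5), (6, 7)), (8, 9)
ROBOT_OF_LOCK = {0: 0, 1: 0, 2: 1, 3: 1}
PAIRS = [(i, a) for i in LOCKS for a in ARMS[ROBOT_OF_LOCK[i]]] + \
        [(a, c) for arms in ARMS for a in arms for c in CHUCKS]   # the 16 move processes
EMPTY = (E,) * 10
ALL_STATES = [tuple(s) for s in product((E, R, G), repeat=10)]   # 3^10 = 59049

def successors(s):
    """Non-stuttering successors of s under the 22 interleaved processes of Figure 2."""
    out = set()
    def step(*changes):                               # apply the next() assignments
        t = list(s)
        for pos, val in changes: t[pos] = val
        out.add(tuple(t))
    for i in LOCKS:                                   # entry_exit(l[i])
        if s[i] == E: step((i, R))
        elif s[i] == G: step((i, E))
    for lft, rgt in PAIRS:                            # move(lft, rgt)
        if s[lft] == R and s[rgt] == E: step((lft, E), (rgt, R))
        elif s[lft] == E and s[rgt] == G: step((lft, G), (rgt, E))
    for c in CHUCKS:                                  # expose(c[i])
        if s[c] == R: step((c, G))
    return out

@lru_cache(maxsize=None)
def graph():                                          # forward and backward adjacency
    succ = {s: successors(s) for s in ALL_STATES}
    pred = {s: set() for s in ALL_STATES}
    for s, ts in succ.items():
        for t in ts: pred[t].add(s)
    return succ, pred

def reach(edges, start):                              # BFS; edges=pred gives EF(start)
    seen, todo = set(start), deque(start)
    while todo:
        for t in edges[todo.popleft()]:
            if t not in seen: seen.add(t); todo.append(t)
    return seen

def needs(s, p):
    """needs_s(p) of Section 3.3: positions the wafer at p may move to next."""
    if s[p] == E: return set()
    if p in LOCKS: return set(ARMS[ROBOT_OF_LOCK[p]]) if s[p] == R else set()  # green exits
    if p in CHUCKS: return {a for arms in ARMS for a in arms}
    robot = 0 if p in ARMS[0] else 1                  # p is a robot arm
    return set(CHUCKS) if s[p] == R else {i for i in LOCKS if ROBOT_OF_LOCK[i] == robot}

def circular_wait(s):
    """Definition 3.1 on Q = mu Q.({q} | needs_s(Q)), as in the proof of Proposition 3.5."""
    for q in range(10):
        if s[q] == E: continue
        closure, frontier = {q}, [q]
        while frontier:
            frontier = [p for f in frontier for p in needs(s, f) if p not in closure]
            closure.update(frontier)
        if all(s[p] != E and needs(s, p) for p in closure): return True
    return False

def deadlock_predicate(s, upto=4):
    """d1 | ... | d_upto of Figure 4; upto=4 is ~S, the complement of the safe set."""
    mixed = lambda a, b: {s[a], s[b]} == {R, G}       # one red and one green arm
    full = s[8] != E and s[9] != E                    # ~c[0]=e & ~c[1]=e
    d = [(s[0] == s[1] == R and s[4] == s[5] == G) or (s[2] == s[3] == R and s[6] == s[7] == G),
         full and all(s[a] == R for a in (4, 5, 6, 7)),
         full and ((s[4] == s[5] == R and mixed(6, 7) and s[2] == s[3] == R) or
                   (s[6] == s[7] == R and mixed(4, 5) and s[0] == s[1] == R)),
         full and mixed(4, 5) and mixed(6, 7) and all(s[i] == R for i in LOCKS)]
    return any(d[:upto])

def allowed_moves(succ, s):
    """Least restrictive DAP: only successors that satisfy S = ~(d1|d2|d3|d4)."""
    return {t for t in succ[s] if not deadlock_predicate(t)}

def check_claims():
    """Recompute the facts that Section 3 establishes with SMV."""
    succ, pred = graph()
    reachable = reach(succ, {EMPTY})
    safe = reach(pred, {EMPTY})                       # s |= EF(empty)
    can_empty = [reach(pred, {s for s in ALL_STATES if s[p] == E}) for p in range(10)]
    jammed = {s for s in ALL_STATES if any(s not in ce for ce in can_empty)}  # some AG(p != e)
    return {
        "reachable": len(reachable),                  # paper: 57116 of 59049
        "all_green_unreachable": (G,) * 10 not in reachable,
        "jammed_iff_circular_wait": all((s in jammed) == circular_wait(s) for s in ALL_STATES),
        "safe_iff_not_jammed": all((s in safe) == (s not in jammed) for s in reachable),
        "figure4_specs": [all((s in safe) != deadlock_predicate(s, k) for s in reachable)
                          for k in range(5)],         # safe_iff_p0 .. safe_iff_p4
        "initial_successors_safe": all(t in safe for t in succ[EMPTY]),
        "safe_states_keep_a_safe_move": all(allowed_moves(succ, s) for s in safe if s != EMPTY),
    }

if __name__ == "__main__": print(check_claims())
```

`check_claims()` reproduces the 57116 reachable states reported in Section 3.2, confirms that the all-green state is unreachable, that jammed and circular wait coincide on every state (Proposition 3.5), that on the reachable states safe is exactly the negation of d1 | d2 | d3 | d4 (so of the five SPECs in Figure 4 only safe_iff_p4 holds), and that every non-initial safe state keeps at least one successor permitted by `allowed_moves`, which is the least restrictive DAP written as a controller check on the next state.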
4 Throughput Analysis
A first objective for a controller of the EUV machine is to avoid deadlocks. In the
previous section, using our SMV model, we synthesized a least restrictive control
policy that achieves this. A second key objective for a controller of the machine
of course is to maximize throughput. Our SMV model is not sufficiently detailed
to address this issue since, for instance, relevant information about the delays
in the locks and the speed of the robots has not been included. Also, the SMV
model abstracts from the delays due to turning of the internal robots, measuring
#define empty (l[0]=e & l[1]=e & l[2]=e & l[3]=e & rb[0][0]=e & rb[0][1]=e &
               rb[1][0]=e & rb[1][1]=e & c[0]=e & c[1]=e)
#define safe (EF(empty))
#define d1a (l[0]=r & l[1]=r & rb[0][0]=g & rb[0][1]=g)
#define d1b (l[2]=r & l[3]=r & rb[1][0]=g & rb[1][1]=g)
#define d1 (d1a | d1b)
#define d2 (~c[0]=e & ~c[1]=e & rb[0][0]=r & rb[0][1]=r & rb[1][0]=r & rb[1][1]=r)
#define d3a (~c[0]=e & ~c[1]=e & rb[0][0]=r & rb[0][1]=r &
             ((rb[1][0]=r & rb[1][1]=g) | (rb[1][0]=g & rb[1][1]=r)) & l[2]=r & l[3]=r)
#define d3b (~c[0]=e & ~c[1]=e & rb[1][0]=r & rb[1][1]=r &
             ((rb[0][0]=r & rb[0][1]=g) | (rb[0][0]=g & rb[0][1]=r)) & l[0]=r & l[1]=r)
#define d3 (d3a | d3b)
#define d4 (~c[0]=e & ~c[1]=e & ((rb[0][0]=r & rb[0][1]=g) | (rb[0][0]=g & rb[0][1]=r)) &
            ((rb[1][0]=r & rb[1][1]=g) | (rb[1][0]=g & rb[1][1]=r)) &
            l[0]=r & l[1]=r & l[2]=r & l[3]=r)
safe_iff_p0: SPEC AG( safe <-> 1 );
safe_iff_p1: SPEC AG( safe <-> ~(d1) );
safe_iff_p2: SPEC AG( safe <-> ~(d1 | d2) );
safe_iff_p3: SPEC AG( safe <-> ~(d1 | d2 | d3) );
safe_iff_p4: SPEC AG( safe <-> ~(d1 | d2 | d3 | d4) );
Figure 4: SMV characterization of the set of safe states.
of wafers, and swapping of the chucks. Therefore, in this section, we present a
more refined timed automata model ([2, 3]), which contains sufficient information
to address the throughput issue.
In order to define and analyze our model, we used the model checking tool
UPPAAL. UPPAAL supports modeling of systems in terms of networks of timed
automata which are extended by blocking synchronization and bounded integer
variables. Similarly to SMV, the semantics of a UPPAAL model is defined by a
transition system. In addition to the discrete part, the states also contain a real-valued
clock valuation. For these models, the UPPAAL model checker can decide a
subset of Timed Computation Tree Logic (TCTL, see [1]). For a detailed account
of UPPAAL we refer to [12] and to http://www.uppaal.com.
After presenting the UPPAAL model of the EUV machine in Section 4.1, we
discuss the relationship between the UPPAAL and SMV models in Section 4.2.
Then, in Section 4.3, we use UPPAAL to derive a schedule for the EUV machine
that optimizes throughput.
4.1 UPPAAL Model
The UPPAAL model of the EUV machine contains the same state variables as the
SMV model for the positions in the machine: arrays l, rb and c, which may take
the same values e, r and g to indicate that a position is respectively empty, filled
with an unexposed wafer, or filled with an exposed wafer.
In addition, the UPPAAL model has a number of Boolean state variables to
ensure "physical integrity":
• For each lock id there is a Boolean lbt[id] which is true iff either the pressure
in the lock is not atmospheric or a track robot is busy loading or unloading a
wafer.
• Similarly, for each lock id there is a Boolean lb[id] which is true iff either the
lock is not at vacuum or an internal robot is busy loading or unloading a
wafer.
• For each chuck id there is a Boolean cb[id] which is true iff either an internal
robot is accessing chuck c[id], or an internal robot may not access chuck c[id]
because the chuck is not in location measure (i.e., it is busy with something).

const H 1480; const S 260; const PRES 120; const DEPRES 670;
const LOAD 25; const UNLOAD 25; const L2R_T 23; const R2L_T 23;
const R2C_T 40; const C2R_T 54; const TURN 10; const MEAS 140;
const EXPO 250; const SWAP 10; const TR1 50; const TR2 50;
Figure 5: Timing parameters in the UPPAAL model.

The model consists of 12 automata, of which 11 model physical components of
the machine: the track robot, the four locks, the four robot arms (two for each
of the robots), and the two chucks. These automata move wafers around with
certain delays and according to the material paths as specified in Section 2. An
additional automaton, the observer, is used to observe when exposed wafers exit
the system (unload events). Within the model a number of timing parameters
are used. Figure 5 lists the values for these parameters that were selected for the
design of the EUV machine. Below, the individual templates of the model are
explained. All templates have a local clock x. If a template is called a "process",
then this template has no parameters.
Figure 6 shows the track robot process. Initially, the track robot is ready
to load a wafer to a lock. From its initial location, the track robot may move
instantaneously to a location where it is ready to unload a wafer from a lock, but
the reverse transition takes time TR1. When the track robot is ready to load,
it may actually start loading a wafer to one of the four locks, provided the lock
is empty and has atmospheric pressure. Similarly, when the track robot is ready
to unload, it may start to unload a wafer from one of the locks, provided the
lock contains a processed wafer and has atmospheric pressure. Upon finishing an
unload operation the track robot synchronizes over the channel unload with the
observer, and after TR2 time units returns to its initial state.
Figure 7 shows the UPPAAL template for a lock. It has one parameter id
that gives the identity of the lock. Initially, a lock has atmospheric pressure. A
lock may then start depressurizing provided the track robot is not busy with it.
Similarly, if a lock is at vacuum pressure, it may start pressurizing if the internal
robot is not busy with it.

Figure 6: Process for the track robot. (Diagram not reproduced. Recoverable labels:
locations ready_to_load and ready_to_unload; for each lock i in 0..3 a load edge with
guard l[i]==E && !lbt[i], update x:=0, lbt[i]:=true, l[i]:=R, invariant x<=LOAD and
completion x==LOAD, lbt[i]:=false; and an unload edge with guard l[i]==G && !lbt[i],
update lbt[i]:=true, l[i]:=E, x:=0, invariant x<=UNLOAD and completion x==UNLOAD,
unload!, lbt[i]:=false, x:=0.)

Figure 7: Template for a lock. (Diagram not reproduced. Recoverable labels: locations
atmospheric, depressurize (invariant x<=DEPRES), vacuum and pressurize (invariant
x<=PRES); edges !lbt[id] / lbt[id]:=true, x:=0; x==DEPRES / lb[id]:=false;
!lb[id] / lb[id]:=true, x:=0; x==PRES / lbt[id]:=false.)

There are two internal robots in the system, each equipped with two arms.
Initially, one arm points at the chucks and the other arm points at the locks. An
internal robot may turn, which interchanges the positions of the arms. Figures 8
and 9 show the templates for the two types of robot arms. These templates have
four parameters: a constant id that identifies the internal robot to which the arm
belongs, two constants l0 and l1 that identify the locks to which the robot arm has
access, and a channel turn. Note that the templates have different initial states,
and that the turn time TURN is only measured by the template for robot arm
0. When a robot arm is at the locks, then it can get a wafer from a lock (L02R
and L12R), or it can put a wafer in a lock (R2L0 and R2L1). Of course, it can
only perform these actions if the lock is at vacuum pressure, and if the wafer flow
is as specified in Section 2. Similarly, when a robot arm is at the chucks then it
can load/unload a wafer to/from the chuck that is at the measure location. The
cb variables are used to ensure that only one robot arm has access to the chuck
at a time and that the chuck cannot execute a transition while the robot arm is
loading/unloading a wafer.

Figure 8: Template for a robot arm 0. (Diagram not reproduced. Recoverable edge labels:
rb[id][0]==E && l[l1]==R / l[l1]:=E, lb[l1]:=true, x:=0;
rb[id][0]==G && l[l1]==E / rb[id][0]:=E, lb[l1]:=true, x:=0;
rb[id][0]==R && c[1]==E / rb[id][0]:=E, c[1]:=R, cb[1]:=true, x:=0;
rb[id][0]==E && c[1]==G / rb[id][0]:=G, c[1]:=E, x:=0.)

Figure 9: Template for a robot arm 1. (Diagram not reproduced. Recoverable labels:
locations L02R with invariant x<=L2R_T and R2C1 with invariant x<=R2C_T.)
Figures 10 and 11 show the UPPAAL processes for Chuck 0 and Chuck 1 respec-
tively. Chuck 0 is initially in the "measure" position while Chuck 1 initially is
in the "expose" position. The chucks can simultaneously swap by synchronization
over the channel swap. Note that chuck 0 measures the time that is needed for
swapping. The cb variables are used by the chucks and the robot arms to prevent
faulty behavior: (i) a robot can only access a chuck if it is in the measure position
and not measuring (thus, the chuck must be in location measure), and (ii) when a
robot is accessing a chuck, then the chuck may not perform any transitions. Each
chuck has a local Boolean variable m which is true iff there is a measured wafer on
the chuck; only a measured wafer can be exposed.

Figure 10: Process for chuck 0. (Diagram not reproduced. Recoverable labels: locations
measuring (invariant x<=MEAS), swapping (invariant x<=SWAP) and exposing (invariant
x<=EXPO); edges c[0]==R && !m && cb[0]==false / cb[0]:=true, x:=0, m:=true;
x>=MEAS / cb[0]:=false; !cb[0] / swap!, cb[0]:=true, x:=0; x>=SWAP / swap!,
cb[0]:=false; and an expose edge guarded by c[0]==R with update c[0]:=G, x:=0,
m:=false.)

Figure 11: Process for chuck 1. (Diagram not reproduced; the recoverable labels are the
two swap synchronization edges, each with update x:=0.)
Figure 12 shows the observer process which, as we will explain in more detail
in Section 4.3, is used to ensure progress in the model. This process measures the
time until the first unload event in location L0, and the time between two unload
events in location L1.

Figure 12: Process for the observer. (Diagram not reproduced: two locations L0 (initial)
and L1; an edge from L0 to L1 labelled unload?, x:=0, and a self-loop on L1 labelled
unload?, x:=0.)
4.2 Bisimulation between SMV and UPPAAL models
Clearly, there is a relationship between the SMV model and the UPPAAL model.
The SMV model is an abstraction of the UPPAAL model, which has the property
that every transition in the UPPAAL model can be simulated in the SMV model, and
vice versa. Formally, the relationship between the two models can be expressed as
a stuttering bisimulation relation in the sense of [5]. Stuttering bisimulations are
defined in terms of Kripke structures, an extension of transition systems in which
to each state a set of atomic propositions is associated that hold in that state.

Definition 4.1 (Kripke Structures) Let $AP$ be a set of atomic proposition
symbols. A Kripke structure is a structure $(S, s_{init}, \rightarrow, l)$, where $(S, s_{init}, \rightarrow)$ is a
transition system and the function $l : S \to 2^{AP}$ associates to each state a set of atomic
proposition symbols.

In this paper, we let $AP$ be the set of equations of the form $p = v$, where $p$
is a position in the EUV machine and $v \in \{e, r, g\}$. For the transition systems
induced by the SMV and UPPAAL models, the labeling is obvious: we label a state
$s$ with $p = v$ iff this equation holds in $s$. For the SMV model the labelling function
is injective: different states have different labels. For the UPPAAL model this is
clearly not the case.
A stuttering bisimulation relates states from two Kripke structures. Initial 
states are related, and related states are labeled with the same proposition sym­
bols. If two states are related and from one state a transition is possible, then 
it should be possible to simulate this transition from the related state, after first 
doing zero or more stuttering transitions, i.e., transitions tha t do not change the 
labeling.
Definition 4.2 (Stuttering Bisimulation) A stuttering bisimulation between
Kripke structures $(S, s_{init}, \rightarrow, l)$ and $(S', s'_{init}, \rightarrow, l)$ is a relation $R \subseteq S \times S'$ such
that
1. $(s_{init}, s'_{init}) \in R$,
2. if $(r, s) \in R$ then $l(r) = l(s)$,
3. if $(r, s) \in R$ and $r \rightarrow r'$ then there exist, for some $n \ge 0$, $s_0, s_1, \ldots, s_n$ such
that $s_0 = s$ and, for all $i < n$, $s_i \rightarrow s_{i+1}$ and $(r, s_i) \in R$, and $(r', s_n) \in R$,
4. if $(r, s) \in R$ and $s \rightarrow s'$ then there exist, for some $n \ge 0$, $r_0, r_1, \ldots, r_n$ such
that $r_0 = r$ and, for all $i < n$, $r_i \rightarrow r_{i+1}$ and $(r_i, s) \in R$, and $(r_n, s') \in R$.
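Definition 4.2 can be checked mechanically for finite structures. The following Python is an added example, not code from the paper or from SMV or UPPAAL: it represents Kripke structures explicitly, implements the four conditions (the transfer conditions 3 and 4 by breadth-first search through states that stay related to the source state, as the definition's $s_0, \ldots, s_{n-1}$ must), and runs the check on two constructed toy models of a single lock: a concrete model in which depressurizing and pressurizing are stuttering steps, related to an abstract model by a projection in the spirit of Proposition 4.3. The state names, labels and the relation are inventions of this example.

```python
"""Checking a candidate stuttering bisimulation (Definition 4.2).

Added example, not from the paper.  A Kripke structure is given by its
initial state, its edges and a labelling of states with atomic
propositions; is_stuttering_bisimulation() checks the four conditions of
the definition for a finite relation R.  The lock models below are
constructed toy instances, not the paper's SMV/UPPAAL models.
"""
from collections import deque


class Kripke:
    def __init__(self, init, edges, labels):
        self.init = init
        self.labels = {s: frozenset(props) for s, props in labels.items()}
        self.succ = {s: set() for s in self.labels}
        for a, b in edges:
            self.succ[a].add(b)


def _reach(k, start, stay, goal):
    """Is there a path start = s_0 -> ... -> s_n (n >= 0) in k with
    stay(s_i) for all i < n and goal(s_n)?  BFS; stay() gates expansion,
    so only states that remain related to the source are stepped through."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        if goal(cur):
            return True
        if not stay(cur):
            continue
        for nxt in k.succ[cur]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def is_stuttering_bisimulation(k1, k2, rel):
    """Conditions 1-4 of Definition 4.2 for rel, a set of pairs (r, s)."""
    if (k1.init, k2.init) not in rel:                          # condition 1
        return False
    for r, s in rel:
        if k1.labels[r] != k2.labels[s]:                       # condition 2
            return False
        for r2 in k1.succ[r]:                                  # condition 3
            if not _reach(k2, s, lambda x: (r, x) in rel, lambda x: (r2, x) in rel):
                return False
        for s2 in k2.succ[s]:                                  # condition 4
            if not _reach(k1, r, lambda x: (x, s) in rel, lambda x: (x, s2) in rel):
                return False
    return True


def lock_models():
    """Constructed example: an abstract lock that alternates l=e and l=r, and a
    concrete lock whose pressure changes are stuttering steps (label unchanged).
    Returns (concrete, abstract, R) with R the pairs (s, projection(s))."""
    abstract = Kripke("a_empty", [("a_empty", "a_raw"), ("a_raw", "a_empty")],
                      {"a_empty": {"l=e"}, "a_raw": {"l=r"}})
    concrete = Kripke("c_atm_empty",
                      [("c_atm_empty", "c_atm_raw"),   # track robot loads a wafer
                       ("c_atm_raw", "c_vac_raw"),     # depressurize: stutter
                       ("c_vac_raw", "c_vac_empty"),   # internal robot takes the wafer
                       ("c_vac_empty", "c_atm_empty")],  # pressurize: stutter
                      {"c_atm_empty": {"l=e"}, "c_atm_raw": {"l=r"},
                       "c_vac_raw": {"l=r"}, "c_vac_empty": {"l=e"}})
    rel = {("c_atm_empty", "a_empty"), ("c_atm_raw", "a_raw"),
           ("c_vac_raw", "a_raw"), ("c_vac_empty", "a_empty")}
    return concrete, abstract, rel


def stuck_lock_models():
    """Same, but the concrete lock may enter a dead state after depressurizing;
    the projection is then no longer a stuttering bisimulation (condition 4 fails)."""
    concrete, abstract, rel = lock_models()
    concrete.labels["c_stuck"] = frozenset({"l=r"})
    concrete.succ["c_stuck"] = set()
    concrete.succ["c_vac_raw"].add("c_stuck")
    return concrete, abstract, rel | {("c_stuck", "a_raw")}


if __name__ == "__main__":
    print(is_stuttering_bisimulation(*lock_models()))        # True
    print(is_stuttering_bisimulation(*stuck_lock_models()))  # False
```

The "stuck" variant adds a dead state to the concrete model; the projection then fails condition 4, which is exactly the situation the bisimulation rules out: a concrete deadlock that the abstract model does not exhibit. Applying the check to the real models is infeasible for the reason the paper gives (the UPPAAL state space cannot be explored); it is a sanity check for candidate relations on small models.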
Proposition 4.3 Consider the projection function $\pi$ from states of the Kripke
structure induced by the UPPAAL model to states of the Kripke structure induced
by the SMV model. Function $\pi$ only preserves the values of the arrays l, rb and
c. Let $R$ be the relation consisting of pairs $(s, \pi(s))$, for $s$ a reachable state of
the UPPAAL model. Then $R$ is a stuttering bisimulation between the UPPAAL and
SMV Kripke structures.
Proof (sketch). Function $\pi$ maps the initial state of the UPPAAL model, in
which the machine is completely empty, to the initial state of the SMV model.
By definition $\pi$, and hence $R$, preserves the labeling of states.
Transfer property (3) follows by inspection of all the transitions in the UPPAAL
model: each transition either does not affect the labeling, in which case it can be
simulated by a stuttering transition in the SMV model, or it does affect the labeling,
but then a process in the SMV model is enabled that results in the same change
of labels.
Proving transfer property (4) is somewhat more involved.
We need a number of auxiliary invariants on the UPPAAL model. These include
the integrity constraints mentioned at the beginning of Section 4.1 that restrict
the values of the Booleans lbt[id], lb[id] and cb[id]. Also, we need some obvious
invariants that relate the locations of connected robot arms, and the locations of
the two chucks. The full set of invariants is listed in the file EUV-invariants.q
at http://www.cs.kun.nl/ita/publications/papers/martijnh/. The state
space of the UPPAAL model is too big to establish these invariants directly. How-
ever, we were able to prove them automatically for an abstraction of the model
in which we remove all clock variables, the arrays l, rb and c, as well as all refer-
ences to these variables in transitions and locations. This is a valid abstraction in
the sense that each invariant of the abstract model also holds for the original full
UPPAAL model.
A key observation in the proof of transfer property (4) is that from any reach-
able state of the UPPAAL model we can drive the system back to its initial state,
except for the values of the arrays l, rb and c, the values of the local clocks x, and
the value of the m variables, by doing stuttering steps only. More specifically,
let $\rho$ be the mapping from states of the SMV model to states of the UPPAAL model
such that, for any $r$, in state $\rho(r)$ the values of the arrays l, rb and c are equal to
the values in $r$, and all locations and Boolean variables have their initial value,
except the two m variables, which are true iff the corresponding chuck contains an
unprocessed wafer. Then we claim that, for any reachable state $s$ of the UPPAAL
model with $\pi(s) = r$, there exists a path with only stuttering steps from $s$ to a
state which, up to the values of local clocks, is equal to $\rho(r)$ (see footnote 2). To see
why this claim holds, first observe that each process in a non-quiescent location (a
location with a nontrivial invariant) may evolve to a quiescent state by some stuttering
transitions with guards that only refer to the local clock x, and (possibly) with
synchronization output labels (!) for which a corresponding input (?) is always
enabled. After all processes have reached a quiescent state we can, one by one,
drive each process back to its initial location:
1. The track robot only has two quiescent locations: ready to load and ready
to unload. Via two successive internal transitions, we can drive the track
robot from ready to unload to ready to load in time TR1.
2. Each lock has two quiescent locations corresponding to atmospheric and
vacuum pressure. If a lock id is at vacuum then, since the robot arms are in a
quiescent state, the invariants give !lb[id]. Hence we can drive the lock
to its initial location (atmospheric pressure) by two successive transitions in
time PRES.
3. In order to bring the robot arms to their initial location, we may need to
turn them around. The invariants for the robot arms imply that we can
bring all arms to their initial location simultaneously.
4. For the chucks, we also have to ensure that m is true in case a chuck con-
tains an unprocessed wafer. This can be achieved by driving the automaton
through the measuring location, which may require swapping of the chucks.
After the m variables have been set to the appropriate value, we may need
to swap the chucks again. The invariants for the chucks imply that we can
bring both chucks to their initial location.
If all processes are in their initial location, then the invariants imply that also
the Boolean arrays lb, lbt and cb have their initial values. From this the claim
follows.
2 Technically, the values of the clocks are irrelevant ("inactive") in the initial locations, and
UPPAAL also abstracts from their value.
Next, we claim for any state $r$ of the SMV model that if $r$ enables some
transition, this can be simulated from $\rho(r)$, possibly after some stuttering steps.
This follows from a routine case distinction. For instance, a transition moving a
wafer from lock 0 to an internal robot can be simulated by first depressurizing
lock 0, possibly turning the robot arm, and then moving the wafer to the robot
via the transition to location L02R. We leave it to the reader to check the details
of all the cases. ■
The significance of the above result stems from the fact that validity of CTL
formulas without the nexttime operator (i.e., all the formulas used in this paper) is
preserved by stuttering bisimulation equivalence (see [5]). Thus all the results on
deadlock avoidance established using SMV in Section 3 carry over to the UPPAAL
model. It is not possible to obtain these results directly using the UPPAAL tool
since (a) UPPAAL does not support full CTL, and (b) the state space of the UPPAAL
model is so big that it cannot be fully explored.
4.3 Finding an Optimal Schedule
As mentioned above, the observer process of Figure 12 observes unload events. It
starts in location L0 and upon the first unload event it resets its local clock x and
enters location L1. In location L1 the clock is reset whenever an unload event
takes place. The observer is used to find an infinite schedule that takes at most H
time units until the first unload event, and that has at most S time units between
two unload events. Such a schedule is specified by the following TCTL property
that can be checked by UPPAAL.

$EG\,\big((observer.L0 \Rightarrow observer.x \le H) \land (observer.L1 \Rightarrow observer.x \le S)\big)$   (2)

If this property is satisfied, then UPPAAL can return an example execution that
consists of a path followed by a cycle. Such an execution thus gives an infinite
control schedule for the wafer scanner with a stationary throughput of at least
one wafer per S time units. Unfortunately, the size of the reachable state space
prevents UPPAAL from finding such an execution directly. We therefore added
heuristics to the model to prune the state space:
1. The DAP derived in the previous section has been used to avoid unsafe 
material configurations of the machine.
2. Some transitions are useless (or suboptimal) in certain states, e.g., an inter­
nal robot can always turn, but this is useless if it does not hold wafers. The 
state space has been reduced by adding guards that prevent such useless 
behavior.
3. The optimal behavior of the locks in the initial phase (the filling of the ma­
chine) differs from their optimal behavior in the stationary phase. Therefore 
a heuristic has been added to enforce this difference: a lock can pressurize 
when it contains either an exposed wafer, or it is empty and the machine is 
not yet filled with enough wafers to be in the stationary state.
4. Some transitions have been made urgent (greedy): they must be taken as
soon as they are enabled. For instance, if the DAP allows loading a wafer
into a lock, then this must be done immediately.
Note that using urgent transitions without the DAP may be an unwise idea,
since this can result in many deadlocks, with the effect that an execution satisfying
Property (2) no longer exists in the model. Also note that at least the last
three heuristics may remove good schedules.
A lower bound on the time until the first unload event, $min_h$, can easily be
derived from the model. It is also easy to see that the minimal separation time
between exposed wafers that appear at the chuck that is in the measure position
(and can therefore be picked up by an internal robot) equals $min_s$ = EXPO +
SWAP, where the former is the time needed for the expose operation and the
latter is the time needed for the chuck swap. Therefore, the theoretical maximal
stationary throughput of the machine is at most one wafer per $min_s$ time units;
with the values of Figure 5, $min_s$ = 250 + 10 = 260 = S. For
the UPPAAL model with heuristics it is possible to find an execution that satisfies
Property (2) for a value of H that is 5% larger than $min_h$ and for S = $min_s$.
Figure 13 shows this schedule that optimizes the stationary throughput of the
EUV machine.
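The bound reasoning of this section, as an added example that is not part of the paper: the "one wafer per EXPO + SWAP" argument here and the "one wafer per half of the lock time" argument for the alternative lay-outs below are both instances of one resource bound, namely that the period of any stationary schedule is at least the largest ratio of per-wafer occupancy time to number of parallel instances over all resource classes, and the class attaining the maximum is the bottleneck. The Python applies it with the Figure 5 values. That all four locks admit unexposed wafers in the original lay-out, and the names of the resource classes, are assumptions of this example.

```python
"""Stationary throughput bounds of Section 4.3 from the Figure 5 parameters.

Added example, not from the paper.  A resource class is described by the time
one wafer occupies it and by how many instances work in parallel; the period
of any stationary schedule is at least max(occupancy / instances), and the
class attaining the maximum is the bottleneck.
"""
from fractions import Fraction

# timing parameters of Figure 5 (time units)
EXPO, SWAP = 250, 10
LOAD, PRES, DEPRES, L2R_T = 25, 120, 670, 23

MIN_S = EXPO + SWAP                    # expose-position occupancy per wafer (text: min_s)
MIN_L = LOAD + PRES + DEPRES + L2R_T   # input-lock occupancy per wafer (text: min_l)


def cycle_time_bound(resources):
    """resources: {name: (occupancy per wafer, number of parallel instances)}.
    Returns (lower bound on the stationary period, bottleneck resource)."""
    bound, bottleneck = Fraction(0), None
    for name, (occupancy, instances) in resources.items():
        per_wafer = Fraction(occupancy, instances)
        if per_wafer > bound:
            bound, bottleneck = per_wafer, name
    return bound, bottleneck


# Assumption of this example: in the original lay-out all four locks take input;
# in the restricted lay-out only the upper two do (Figure 14).
LAYOUTS = {
    "original": {"expose position": (MIN_S, 1), "input locks": (MIN_L, 4)},
    "in-upper/out-lower": {"expose position": (MIN_S, 1), "input locks": (MIN_L, 2)},
}


def period_increase_percent(layout, reference="original"):
    """Percentage by which layout's best possible period exceeds the reference's."""
    bound, _ = cycle_time_bound(LAYOUTS[layout])
    ref, _ = cycle_time_bound(LAYOUTS[reference])
    return round(100 * (bound / ref - 1))


if __name__ == "__main__":
    for name, res in LAYOUTS.items():
        bound, bottleneck = cycle_time_bound(res)
        print(f"{name}: period >= {bound} (bottleneck: {bottleneck})")
    print("restricted lay-out period is longer by",
          period_increase_percent("in-upper/out-lower"), "%")
```

With the Figure 5 values the original lay-out is chuck-bound at 260 time units (the locks contribute only 838/4 = 209.5), the restricted lay-out is lock-bound at 419, and 419/260 gives the 61% figure the text quotes; the two-lock, one-robot lay-out has the same lock bound of 419.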
Figure 13: A schedule that optimizes the stationary throughput of the EUV machine. The
cyclic part of the schedule consists of the interval between points A and B. The operation
of the chucks is critical in the cyclic part. (Gantt chart not reproduced; its rows are C0, C1,
R00, R01, R10, R11, L0, L1, L2, L3 and TrackRobot, and its legend lists the operations
C2R, DEPRES, EXPO, L2R, L2T, MEAS, PRES, R2C, R2L, SWAP, SWITCH, T2L and TURN.)
Two other machine lay-outs have also been investigated w.r.t. throughput.
First, the incoming wafers have been restricted to the upper two locks and the
outgoing wafers to the lower two locks (to prevent deadlock a priori; see Sec-
tion 2). Note that one lock has a wafer throughput of at most one wafer per $min_l$ =
LOAD + PRES + DEPRES + L2R_T time units, where LOAD is the time needed
by the track robot to place a wafer in the lock, (DE)PRES is the time needed
to (de)pressurize a lock, and L2R_T is the time needed by an internal robot to
grab a wafer from a lock. Thus, two locks have a throughput of at most one
wafer per $min_l/2$ time units. Since $min_l/2 > min_s$, a better upper bound on the
throughput is one wafer per $min_l/2$ time units. We are able to find a schedule for
a value of H that is 11% larger than $min_h$ and for S = $min_l/2$. Therefore, this
schedule optimizes the stationary throughput of this alternative lay-out.
Concluding, the period of the optimal stationary schedule is 61% longer than that
of the original machine (with the values of Figure 5, $min_l/2$ = 419 versus $min_s$ = 260),
so the optimal stationary throughput is correspondingly lower, and not the expose
operation but the locks have become critical. This confirms our line of thought in
Section 2. Figure 14 shows this alternative schedule.

Figure 14: A schedule that optimizes the stationary throughput of the EUV machine
in which unexposed wafers enter through the upper two locks (L0 and L1) and exposed
wafers exit through the lower two locks (L2 and L3). The cyclic part of the schedule
consists of the interval between points A and B. Clearly, the operation of the locks is
critical in the cyclic part. (Gantt chart not reproduced; its rows are C0, C1, R00, R01,
R10, R11, L0, L1, L2, L3 and TrackRobot, and its legend lists the operations C2R,
DEPRES, EXPO, L2R, L2T, MEAS, PRES, R2C, R2L, SWAP, SWITCH, T2L and TURN.)
The second alternative lay-out consists of only two locks and one internal robot.
Again, an upper bound on the throughput of this machine is one wafer per $min_l/2$
time units. The period of any stationary schedule is thus at least 61% longer than
that of the original machine. However, the best schedule we are able to find with
UPPAAL has a stationary period that is 83% longer than that of the optimal schedule
for the original machine. Figure 15 shows this alternative schedule.
Figure 15: A schedule for the EUV machine with only two locks and one internal robot.
The cyclic part of the schedule consists of the interval between points A and B. (Gantt
chart not reproduced; its rows are C0, C1, R00, R01, L0, L1 and TrackRobot, and its
legend lists the operations C2R, DEPRES, EXPO, L2R, L2T, MEAS, PRES, R2C, R2L,
SWAP, SWITCH, T2L and TURN.)
5 Conclusions
The SMV model checker has successfully been used to characterize the set of safe
states of the EUV machine. This characterization consists of a very short Boolean
expression over the places in the machine and is useful for the design of an actual
controller since deadlock can easily be avoided by examining the possible successor
states of the current state. Since the characterization is exact, the controller
implements a least restrictive (optimal) deadlock avoidance policy. Furthermore,
we used the UPPAAL model checker to compute infinite schedules for the EUV
machine that optimize stationary throughput. The throughput of two alternative
machine configurations has also been analyzed and it is shown that the original
configuration has a throughput that is at least 61% higher. In theory, our approach
can be applied to a broad class of resource allocation systems. As always when
using model checking, the state space explosion is the main problem for scalability.
Altogether, in our view, the present work nicely illustrates the usefulness of model
checking techniques to support the design process of applications that involve
resource allocation and scheduling. Building models that are just abstract enough
for addressing a specific question often provides a good way to deal with the state
space explosion problem.
Acknowledgements. The authors thank Biniam Gebremichael for his useful 
suggestions concerning the Smv model.
References
[1] R. Alur, C. Courcoubetis, and D. L. Dill. Model checking in dense real time. Information and Computation, 104:2-34, 1993.
[2] R. Alur and D. L. Dill. Automata for modeling real-time systems. In 17th International Colloquium on Automata, Languages and Programming, pages 322-335, 1990.
[3] R. Alur and D. L. Dill. A theory of timed automata. Theoretical Computer Science, 126:183-235, 1994.
[4] N. C. W. M. Braspenning. Scheduling and behavior verification of machines based on task-resource models. Master's thesis, Department of Mechanical Engineering, Eindhoven University of Technology, The Netherlands, October 2003. Confidential.
[5] M. C. Browne, E. M. Clarke, and O. Grumberg. Characterizing finite Kripke structures in propositional temporal logic. Theoretical Computer Science, 59(1-2):115-131, 1988.
[6] R. E. Bryant. Graph-based algorithms for boolean function manipulation. IEEE Transactions on Computers, C-35(8):677-691, August 1986.
[7] E. M. Clarke, O. Grumberg, and D. A. Peled. Model Checking. The MIT Press, 2000.
[8] E. W. Dijkstra. Cooperating sequential processes. Technical report, Eindhoven University of Technology, The Netherlands, 1965.
[9] A. Fehnker. Scheduling a steel plant with timed automata. In Proceedings of the Sixth International Conference on Real-Time Computing Systems and Applications (RTCSA'99). IEEE Computer Society Press, 1999.
[10] B. Gebremichael and F. W. Vaandrager. Control synthesis for a smart card personalization system using symbolic model checking. In K. G. Larsen and P. Niebert, editors, Formal Modeling and Analysis of Timed Systems (FORMATS'03), number 2791 in LNCS, pages 189-203. Springer-Verlag, 2004.
[11] V. Hartonas-Garmhausen, E. M. Clarke, and S. Campos. Deadlock prevention in flexible manufacturing systems using symbolic model checking. In IEEE Conference on Robotics and Automation, volume 1, pages 527-532, 1996.
[12] K. G. Larsen, P. Pettersson, and W. Yi. UPPAAL in a nutshell. International Journal on Software Tools for Technology Transfer, 1(1/2):134-152, 1997.
[13] M. Lawley and S. A. Reveliotis. Deadlock avoidance for sequential resource allocation systems: Hard and easy cases. International Journal of Flexible Manufacturing Systems, 13(4):385-404, 2001.
[14] M. Lawley, S. A. Reveliotis, and P. Ferreira. Design guidelines for deadlock handling strategies in flexible manufacturing systems. International Journal of Flexible Manufacturing Systems, 9(1):5-30, January 1997.
[15] K. L. McMillan. Symbolic Model Checking. PhD thesis, Carnegie Mellon University, Pittsburgh, May 1992.
[16] T. Murata. Petri nets: Properties, analysis, and applications. Proceedings of the IEEE, 77(4):541-580, 1989.
[17] J. Park and S. A. Reveliotis. Deadlock avoidance in sequential resource allocation systems with multiple resource acquisitions and flexible routings. IEEE Transactions on Automatic Control, 46(10):1572-1583, 2001.
[18] S. A. Reveliotis, M. Lawley, and P. Ferreira. Polynomial-complexity deadlock avoidance policies for sequential resource allocation systems. IEEE Transactions on Automatic Control, 42(10):1344-1357, 1997.
[19] W. Stallings. Operating Systems - Internals and Design Principles. Prentice-Hall, 1998.
[20] Y. Wang and Z. Wu. Deadlock avoidance control synthesis in manufacturing systems using model checking. In IEEE American Control Conference, volume 2, pages 1702-1704, 2003.
