This paper describes the formal verification of the recently introduced Dual Transition Petri Net (DTPN) models [12], using model checking techniques. The methodology presented addresses the symbolic model checking of embedded systems' behavioural properties, expressed in either computation tree logic (CTL) or linear temporal logic (LTL). The embedded system specification is given in terms of DTPN models, where the elements of the model are captured in a four-module library which implements the behaviour of the model. Key issues in the development of the methodology are the heterogeneity and the nondeterministic nature of the model. This is handled by introducing some modifications in both the structure and the behaviour of the model, thus reducing the points of nondeterminism. Several features of the methodology are discussed and two examples are given in order to show the validity of the model.
Petri net (PN) based models are a suitable internal design representation (IDR) for hardware/software specifications of embedded systems, since they are capable of exploiting many desired features of the design, e.g. concurrency. PRES+ is a Petri net oriented model aimed at representing embedded systems, which has been applied to formal verification [3]. Verification of Timed CTL (TCTL) properties of PRES+ models is possible by means of their transformation into Timed Automata. A new IDR, which efficiently captures both the control and the data structure from a behavioural description of an embedded system, has recently been proposed [12]. This model is called Dual Transition Petri Net (DTPN), and one of its features is the combined representation of control and data flow. This paper describes the formal verification, using symbolic model checking techniques, of the recently introduced DTPN models. The aim of this work is to exploit the features related to the coexistence of control and data flow in embedded systems specification.
We capture the structure and behaviour of the embedded system by means of an IDR and then apply the Cadence SMV tool [14] in order to reason about its properties. This work is organised as follows. Section 2 introduces the framework of this paper and proposes a methodology for symbolic model checking which takes into account the heterogeneous nature of embedded systems. Two embedded systems of different complexity are analysed in Section 3, while some concluding remarks are given in Section 4.

Model checking algorithms require a well-defined transition relation of the underlying Kripke structure. Therefore, the amount of nondeterminism present in that transition relation has to be controlled. In order to combine the DTPN modelling technique with symbolic model checking algorithms, it is important to reduce the points of nondeterminism of the model. To achieve this, Section 2.1 incorporates some further restrictions into the current definitions of DTPN.
VERIFICATION OF DUAL TRANSITION PETRI NETS

Modified Dual Transition Petri Net
Symbolic Model Checking Methodology
The proposed (symbolic) model checking methodology based on DTPN models is shown in Figure 2 and Figure 3. The extraction of each part, i.e. the application of the $|p(p)|$ and $\angle p(p)$ operators in order to obtain the modulus and the phase of a place respectively, is performed through direct access to the corresponding member of the structure.
Transitions
Both control and data transitions have the same mechanism, which involves (s1) checking whether they are enabled or not, and (s2) executing an action if s1 holds.
Figure 4: Algorithm for a DTPN control transition
The algorithm presented in Figure 4 consists of two main parts: checking for an enabling condition (s1) and the firing operation (s2). In the simplest case, $t$ is not guarded by any guard function (since 1 is the default value of the result of a guard() module).
According to these considerations, the enabling condition (4) can be unfolded into:
The boolean result of (4) is used in part s2 to decide whether the next value of the phase of each marked place is assigned the result of the firing rule or keeps its former content.
Similarly, Figure 6 shows the algorithm for a data transition $q \in Q$. The deadlock condition is another modal logic formula, which can be expressed as:
This means that "at least one control transition is enabled". The condition en is used to reason about the availability of a module in the execution path. Thereby, part s1 of Figure 6 shows that the deadlock condition, which has been globally defined, affects the en parameter.
Guard Function
The guard function $G$, defined in [12], maps information from the data domain into the control domain by comparing the value in a place with the label $v_d$ of the guard function. This boolean evaluation is taken into account by a control transition $t \in T$.
3 Analysis of Properties in DTPN Models
The analysis of behavioural properties is of much interest in PN theory (and thus in DTPN). Since the evolution of the state of an embedded system is a function of time, assuring that a certain temporal logic formula holds throughout the entire evolution gives knowledge of the system's behaviour. In this section we analyse three behavioural properties, i.e. TL formulae, namely reachability, safety and liveness, and present the CTL/LTL formulae which describe them.
To investigate the dynamics of a system modelled in terms of a PN extension, it is necessary to perform the reachability analysis of the system's model. Safety properties are conditions that are verified along every execution path. These types of properties are usually associated with some critical behaviour, so they should always hold. Classically, a safe PN only allows a boolean marking function, which means that the following LTL formula holds:
$$\Box \bigwedge_{i=1}^{n} \big( |p(p_i)| \le 1 \big), \quad \text{where } n = |P|$$

Analogously, liveness properties are useful to express that "interesting things eventually happen". As in classical PNs, a control transition $t_i$ is said to be live if it can eventually fire, which implies that it is eventually enabled, $\forall\, 1 \le i \le m$, where $m = |T|$.
Thus, a live DTPN model satisfies the following LTL property:
EXPERIMENTAL RESULTS
The proposed methodology has been applied to a number of examples in order to demonstrate its validity. Without loss of generality, the implementation of the algorithms has been done using Cadence SMV [14] as the verification engine for the methodology, for the following reasons:
- It is robust and well known within the community.
- It is able to analyse both CTL and LTL properties.
- It can potentially reduce the BDD space by means of symmetry.
- It supports data type reduction.
Verification of State Machines
In this section we present a very basic FSM which will aid the understanding of the DTPN model itself and of the property encoding process. The FSM analysed has a cyclic behaviour, unless a reset (RST) signal holds [13], and its number of states is directly proportional to the number of places in the net. The simple sequence for this four-bit state machine is: 0001 - 0010 - 0100 - 1000.
When RST holds, the state register is unconditionally assigned the value 0001.
The DTPN model for such a behaviour has been introduced in Section 2.1. With reference to Figure 1, there are two input signals: clock (CLK) and reset (RST). The first signal is bound to transition $t_1$, while the latter is bound to transition $t_4$. This means that the firing of $t_1$ represents the rising edge of CLK (i.e. when the signal CLK is active) and the firing of $t_4$ takes place when RST holds.
Once the DTPN model is encoded in the way described in Section 2.2 and used as input to the verification engine, some properties of the embedded system can be analysed. Since there are two signals present in this FSM, i.e. CLK and RST, it is important to check how the model responds to each of them independently.
First, we propose four LTL formulas to check whether the sequential behaviour produced by the CLK signal is the desired one. Properties $\varphi_1$, $\varphi_2$, $\varphi_3$ and $\varphi_4$ show the natural evolution of the state for this FSM assuming no RST action, i.e. $t_4$ never fires, which is itself another property to verify. Property $\varphi_c$ is an assumption, which means that it is assumed to be true while verifying properties $\varphi_i$, $\forall\, 1 \le i \le 4$. This assumption can be read as "the scheduler never points to $t_4$", where $sch'$ is the value pointed to by $sch$. Since there is an interdependence among the $\varphi_i$, it can be concluded that if all four properties hold (the BDD space generated will only consider the cases in which $\varphi_c$ holds), the embedded system will remain in the cyclic behaviour described at the beginning of this section.
$$\varphi_1 = \Box\big( |p(p_1)| = 1 \ldots$$
To verify that firing $t_4$ will reset the system, regardless of the previous state, the following LTL property should be assessed:

$$\Box\big( |p(p_2)| = 1 \implies \circ\, |p(p_1)| = 1 \big)$$

This means that if, at any time, $p_2$ is marked with a token, then the next state unavoidably has $|p(p_1)| = 1$.
The four-state example presented in this section has allocated 1105 BDD nodes in memory. If the same example is encoded as a classical PN, 4353 BDD nodes are necessary in order to verify equivalent properties. Moreover, it is not difficult to extend these results to a larger number of states in the FSM. Since the SMV tool used here is designed to cope with symmetry, having to formulate more $\varphi_i$ properties in order to verify the correctness of the FSM for the CLK signal will not necessarily increase the BDD space proportionally.
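The transition mechanism of Section 2 (enabling check s1, firing s2, a guard() module that defaults to 1, and the global "at least one control transition is enabled" deadlock condition) and the properties checked on this FSM (safety $|p(p_i)| \le 1$, liveness of every control transition, the next-state properties $\varphi_1 \ldots \varphi_4$ under the no-reset assumption, and the reset property) can be exercised together on a small explicit-state model. The following is an added example, not the paper's code and not an SMV encoding: it builds the reachability graph of a one-hot four-state machine and evaluates each property on it. Everything named here is this example's own assumption: places carry only a modulus (token count), the input signals CLK and RST are boolean data values read through guard predicates, one control transition fires per step chosen nondeterministically (the scheduler), the cycle transitions are called t1..t4 and the reset transitions r1..r4 (one per source place); the paper binds RST to a single transition $t_4$, which is not reproduced here.

```python
"""Explicit-state checking of a small DTPN-style model (added example).

Assumptions (this example's own, not the paper's): places store only their
modulus |p(p)|; CLK and RST are boolean input values read by guard predicates;
one control transition fires per step; names t1..t4 (cycle) and r1..r4 (reset
from each place) are chosen here.
"""
from itertools import product

PLACES = ("p1", "p2", "p3", "p4")      # one-hot states 0001, 0010, 0100, 1000
INPUTS = ("CLK", "RST")                # boolean input signals


class Transition:
    def __init__(self, name, pre, post, guard=lambda inputs: True):
        # the guard defaults to true, like the default value 1 of guard()
        self.name, self.pre, self.post, self.guard = name, pre, post, guard

    def enabled(self, marking, inputs):
        # s1: every input place is marked and the guard holds for these inputs
        return all(marking[PLACES.index(p)] >= 1 for p in self.pre) and self.guard(inputs)

    def fire(self, marking):
        # s2: consume one token per input place, produce one per output place
        m = list(marking)
        for p in self.pre:
            m[PLACES.index(p)] -= 1
        for p in self.post:
            m[PLACES.index(p)] += 1
        return tuple(m)


def clk(inputs):
    return inputs["CLK"] == 1


def rst(inputs):
    return inputs["RST"] == 1


CYCLE = [Transition(f"t{i + 1}", (PLACES[i],), (PLACES[(i + 1) % 4],), clk) for i in range(4)]
RESET = [Transition(f"r{i + 1}", (PLACES[i],), ("p1",), rst) for i in range(4)]
FSM = CYCLE + RESET
INIT = (1, 0, 0, 0)                    # state 0001: one token in p1


def reachable(initial, transitions, allowed=None):
    """Reachability graph {marking: [(transition name, successor marking)]}.

    `allowed` restricts the scheduler to a set of transition names (the role
    of an assumption such as "the scheduler never points to a reset"). A
    transition is enabled when some valuation of the inputs makes it so.
    """
    valuations = [dict(zip(INPUTS, bits)) for bits in product((0, 1), repeat=len(INPUTS))]
    graph, todo = {}, [initial]
    while todo:
        m = todo.pop()
        if m in graph:
            continue
        graph[m] = []
        for t in transitions:
            if allowed is not None and t.name not in allowed:
                continue
            if any(t.enabled(m, v) for v in valuations):
                s = t.fire(m)
                graph[m].append((t.name, s))
                todo.append(s)
    return graph


def marked(p):
    """State predicate |p(p)| = 1."""
    return lambda m: m[PLACES.index(p)] == 1


def is_safe(graph):
    """Safety: |p(p_i)| <= 1 for every place in every reachable marking."""
    return all(max(m) <= 1 for m in graph)


def deadlock_free(graph):
    """Non-deadlock: at least one control transition enabled in every state."""
    return all(graph[m] for m in graph)


def always_next(graph, pre, post, allowed=None):
    """G(pre -> X post), checked on every edge (optionally only `allowed` edges)."""
    return all(post(s) for m in graph if pre(m)
               for name, s in graph[m] if allowed is None or name in allowed)


def is_live(graph, name):
    """Liveness: from every reachable state, transition `name` can eventually fire."""
    for start in graph:
        seen, todo, fired = set(), [start], False
        while todo and not fired:
            m = todo.pop()
            if m in seen:
                continue
            seen.add(m)
            for n, s in graph[m]:
                fired = fired or n == name
                todo.append(s)
        if not fired:
            return False
    return True


def check_fsm():
    full = reachable(INIT, FSM)
    # assumption: the scheduler never points to a reset transition
    no_reset = reachable(INIT, FSM, allowed={t.name for t in CYCLE})
    results = {"states": len(full), "safe": is_safe(full),
               "deadlock_free": deadlock_free(full),
               "live": all(is_live(full, t.name) for t in FSM)}
    for i in range(4):                 # phi_1..phi_4: natural evolution under the assumption
        results[f"phi{i + 1}"] = always_next(no_reset, marked(PLACES[i]), marked(PLACES[(i + 1) % 4]))
    # reset: firing any reset transition from any state leads to 0001
    results["reset"] = all(always_next(full, marked(p), marked("p1"), allowed={t.name for t in RESET})
                           for p in PLACES)
    return results


if __name__ == "__main__":
    for key, value in check_fsm().items():
        print(f"{key}: {value}")
```

Without the `allowed` restriction, $\varphi_1$ fails on this model because the reset self-loop from 0001 is also a successor, which is exactly why the paper states $\varphi_c$ as an assumption rather than checking $\varphi_1 \ldots \varphi_4$ unconditionally. The explicit-state graph here is only a few states; the paper's point about BDD node counts concerns the symbolic encoding, which this example does not reproduce.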
Verification of a VME-bus Controller
An interesting asynchronous circuit which has been widely studied is the VME-bus controller [9]. This bus is of much interest in industrial applications (e.g. avionics), since it provides a flexible multi-master bus arbitration scheme which is both simple and not vulnerable to noise. The VME design technology has evolved since it became an ANSI approved standard. In [7], the controller was modelled by means of Signal Transition Graphs (STG), a Petri net oriented formalisation of timing diagrams for asynchronous design, and then synthesised into a gate netlist. Since STGs are a form of PNs and the DTPN model is a generalisation of PNs (cf. Section 2), we can apply the proposed methodology to this controller. Figure 7 shows the interface of a generic device connected to a VME bus. The functionality of the controller is to regulate the reading and writing cycles of the device connected to the bus through t
We know that a next-state function in the synthesis of an FSM represents the behaviour of the system described in terms of its previous state. This is analogous to the $\circ$ operator in temporal logic. Therefore, we use the notation $\implies \circ$ to express a "next-state" function, i.e. if the antecedent of the implication holds then the consequent holds in the next time step. We thus propose three LTL formulas ($\varphi_1$, $\varphi_2$ and $\varphi_3$) to require the infinitely often completion of (5), (6) and (7):

$$\varphi_1 = \Box \Diamond \big( \mathrm{LDTACK} \wedge \cdots \implies \circ\, D \big)$$
Since (8) 
CONCLUSIONS
