Scholars' Mine
Masters Theses

Student Theses and Dissertations

Spring 2006

Model checking control communication of a FACTS device
David Andrew Cape

Follow this and additional works at: https://scholarsmine.mst.edu/masters_theses
Part of the Computer Sciences Commons

Department:
Recommended Citation
Cape, David Andrew, "Model checking control communication of a FACTS device" (2006). Masters Theses.
4098.
https://scholarsmine.mst.edu/masters_theses/4098

This thesis is brought to you by Scholars' Mine, a service of the Missouri S&T Library and Learning Resources. This
work is protected by U. S. Copyright Law. Unauthorized use including reproduction for redistribution requires the
permission of the copyright holder. For more information, please contact scholarsmine@mst.edu.

THESIS
T 8952

MODEL CHECKING CONTROL COMMUNICATION OF A FACTS DEVICE

by

DAVID ANDREW CAPE

A THESIS
Presented to the Faculty of the Graduate School of the
UNIVERSITY OF MISSOURI-ROLLA
in Partial Fulfillment of the Requirements for the Degree

MASTER OF SCIENCE IN COMPUTER SCIENCE

2006

Approved by

Dr. Bruce McMillin, Advisor

Dr. Ralph Wilkerson

Copyright 2006
David Andrew Cape
All Rights Reserved

iii

ABSTRACT

This thesis concerns the design and verification of a real-time communication
protocol for sensor data collection and processing between an embedded computer
and a DSP. In such systems, a certain amount of data loss without recovery may be
tolerated. The key issue is to design and verify the correctness in the presence of
these lost data frames under real-time constraints. This thesis describes a temporal
verification that if the end processes do not detect that too many frames are lost,
defined by comparison of error counters against given threshold values, then there
will be a bounded delay between transmission o f data frames and reception of control
frames. This verification and others presented herein were performed with the model
checkers SPIN and RT-SPIN.

IV

ACKNOWLEDGMENT

The author would like to express his gratitude to his advisor Professor Bruce
McMillin for guidance and encouragement, to thesis committee members Professors
Vojta and Wilkerson for advice and participation in the defense, and to the Power
Research Group at UM R led by Professors Crow and McMillin for providing an
opportunity to learn about FACTS devices and their uses and for supporting this
research (Dr.

Liu led the modeling subgroup and was especially helpful).

Also,

thanks are due to the UMR Computer Science Department (Interim Chair Fikret
Ercal), and to the Open Power Project and Peking University for providing very
helpful access to a computer for verifications. Most importantly, the author would
like to thank his parents Daniel and Diane Cape and others who provided support
and encouragement while the author progressed from a computer science novice to
his current level, not an expert, but having some non-trivial degree of expertise.

V

TABLE OF CONTENTS

Page
A B S T R A C T ......................................................................................................................

iii

AC K N O W L E D G M E N T.................................................................................................

iv

LIST OF ILLUSTRATIONS .........................................................................................

vi

LIST OF T A B L E S ........................................................................................................... vii
SECTION
1. IN TRO D U C TIO N ...................................................................................................

1

2. MODEL CHECKING BACKGROUND .............................................................

4

2.1. MODEL CH ECKERS.......................................................

4

2.2. LINEAR TEM PORAL LOGIC ............

4

2.3. P R O M E L A ......................................................................................................

6

2.4. SPIN ...............................................................................................

6

2.5. TIMED A U T O M A TA ....................................................................................

8

2.6. R T -P R O M E L A ................................................................................................

8

2.7. R T -S P IN ......................

9

3. DSP AND CAN VERIFICATIONS...........................................

12

3.1. O V E R V IE W .....................................................................................................

12

3.2. DSP V E R IFIC A T IO N .................................................................................

12

3.3. CAN VERIFICATION ...... .............................

15

4. MODELS AND PRO BLEM S................................................................................ 27
5. COM PLEXITY COMPARISON TO ZCSP V E R IFIC A T IO N ......................

32

6 . CONCLUSION.........................................................................................................

38

APPENDICES
A. Promela c o d e .......................................................................................

41

B. RT-Promela c o d e ..................................................................................................... 50
B IB L IO G R A P H Y ............................................................................................................. 78
V I T A .....................................

80

VI

LIST OF ILLUSTRATIONS

Figure

Page

3.1

DSP State C h a rt........... . .....................................................................................

13

3.2

DSP Timed Automaton: Signal Generator.....................................................

15

3.3

DSP Timed Automaton: (Part of) Signal H andler........................................ 16

3.4

CAN Protocol Pseudocode: Top-level..............................................................

17

3.5

CAN Protocol Timed Automaton: CAN B u s.................................................

18

3.6

CAN Protocol Pseudocode: CAN b u s ..............................................................

19

3.7

CAN Protocol Timed Automaton: DSP B oa rd ..............................................

20

3.8

CAN Protocol Pseudocode: DSP B o a r d .........................................................

21

3.9

CAN Protocol Timed Automaton: Embedded P C .........................................

22

3.10

CAN Protocol Pseudocode: Embedded P C ....................................................

26

5.1

Complexity of Safety Verification for CAN_33.txt.........................................

33

5.2

Complexity of Liveness Verification for CAN_33.txt......................................

34

5.3

Output for Verification of CAN_finaL7.txt...................................................... 35

5.4

Output for Verification of CAN_imp_7.txt with parameters 10,6 , 2 , 3 .. . .. .

5.5

Output for Verification of CAN_imp_7.txt with parameters 8,5, 3, 3 ......... 37

36

vii

LIST OF TABLES

Table

Page

3.1

Estimates for Periods of DSP Interrupt Routines...........................................

17

3.2

Analysis of Synchronization Scenarios............................................................

5.1

Complexity of Verifications for CAN_33.txt with Various Parameter Sets . 33

25

1. INTRODUCTION

The context for the development of the communication protocol which is the
main focus of this thesis is an attempt to understand how to control electric power
flow in a power transmission system (network) by means of Flexible A /C Transmission
System (FACTS) devices [1]. A FACTS device has a DSP board that is responsible for
sensory data acquisition, transforming the data into a usable format, communicating
the data to an embedded PC, receiving control information from the embedded PC,
and applying the control information to the power electronics. The communication
between the DSP and the embedded PC is via a Controller Area Network (CAN) bus.
The problem of reliable data transfer has been solved by several protocols: the
alternating-bit protocol, the go-back N protocol, the selective repeat protocol, and
hybrids of these including the method used by TCP [2]. The alternating-bit proto
col is also called send-and-wait, because only one packet is sent at a time, and an
acknowledgement of receipt must be received by the sender before the next packet is
sent. Go-back N is a generalization o f the alternating-bit protocol: there is a window
of packets of data on the sender side which is sent, and the receiver acknowledges
them by sending an ACK message corresponding to the highest numbered packet
which was received in order. N refers to the size of the window, and there is a possi
bility of many duplicate data packets being sent, because the receiver does not buffer
any packets which are received out- of-order. The selective repeat protocol corrects
this deficiency, but it is more complex on both the sender and receiver sides, because
every packet must be explicitly ACKed (no cumulative ACKs as in go-back N). TCP

2

combines the best features of go-back N and selective repeat, and allows the receiver
to buffer out-of-order packets and use cumulative ACKs but is a complex protocol.
In verification work of the correctness properties of these protocols, Bull and
de Villiers [3] have done some work on the alternating-bit protocol and TCP. They
have proposed a formal development method involving the use of transition systems
for specification and have verified what they describe as “various correctness prop
erties such as freedom from deadlock and correct behaviour if messages are lost or
corrupted” with the SPIN model checker for the two above-mentioned protocols. For
the TCP verification, they used three different models for the three phases: establish
ment of the connection, data transfer, and teardown of the connection. Holzmann [4]
describes a verification of some standard safety properties and two liveness proper
ties for the go-back N protocol. The first liveness property is that sent messages are
eventually received, and the second liveness property is that messages are delivered
in order.
For this project, there are two reasons why the protocols just discussed are inap
propriate. First, there is no need for 100% reliability of the communication, because
the control loop need not furnish new settings every cycle; it can use settings from the
previous cycle without much harm being done to the integrity of the system. Second,
and more important, is that the CAN bus is slow enough that some retransmitted data
would not arrive in time to be helpful during the current cycle. Therefore, a protocol
which allows some message (data) loss but which guards against excessive losses is
called for. One wants to define perfect functioning as operating without message loss,
normal functioning as operating with not too much message loss, and malfunctioning
as operating with too much message loss. How to quantify the tolerable amount of
message loss is the goal.
There does not appear to be much information available about how others have
solved problems of meeting real-time constraints in a sensor network communication

3

protocol by allowing a tolerable level of data loss. Moreover, besides simply imple
menting a protocol which is postulated to be effective, another goal was to develop a
model for specifying correctness of the protocol so that the design could be formally
verified before implementation. Simply using the features of the CAN protocol, which
perform some notification of data loss and can be used to effect retransmission of data
was undesirable, because one does not want to rely on these mechanisms solely: One
wants to detect errors at the end processes instead of relying on the network to detect
its own errors.
It was expected that the main difficulties which would be encountered would
be the actual modeling of the components involved in the communication, the com
plexity of the model checking verification, and integrating the real-time assumptions
about the operation of the components into an asynchronous model which should
satisfy a global real-time correctness property related to response time between data
acquisition and application of control settings. All three of these difficulties did in
fact manifest themselves and were dealt with in different ways.
This thesis describes how these difficulties were overcome. In section 2, some
background information about the theory and implementation of model checking
software is provided.

In section 3, the actual method of verification is explained.

Section 4 describes in more detail the models which were used and the problems that
they attempted to solve, and the difficulties which were encountered. Next, in section
5, a comparison is made to the work of some others to verify another communication
protocol with the model checker SPIN. Finally, the discussion is concluded in section

6, and the code for the most important models is presented in the appendix.

4

2. MODEL CHECKING BACKGROUND

2.1. MODEL CHECKERS
For this project, Promela (Process Meta Language) and RT-Promela were used
with the model checkers SPIN and RT-SPIN (RT is an abbreviation for real- time,
and signifies that besides temporal properties related to the order of events explicit
timing properties were a concern, also). In addition to modeling, one must decide
which properties to try to verify and figure out how to represent those properties
in a convenient way (for the model checker to verify). A model checker is, then, a
software package which takes as input a model of a (usually concurrent) program
and some logical property or properties to be verified for the execution of the model.
These properties are usually divided into the categories of safety (something bad
never happens) or liveness (something good eventually happens) properties. Another
decomposition of temporal properties is safety and progress (more complicated to
define, see [5]). The model checker can verify a property mainly by exhaustive search
(as SPIN does) or by symbolic (fixed point) methods (as SMV does) [6, 7].

2.2. LINEAR TEMPORAL LOGIC
Temporal logic has its formal origin in ancient Greek philosophy, where it was
developed by the Megarians and the Stoics [8]. Essentially, they were concerned with
the meaning of the words possibly and necessarily, and proposed that they could be
understood in terms of whether a condition must eventually occur (in which case it
is possible) or whether it must occur always (in which case it is necessary).

The

5

viewpoint of the Megarians was to quantify over the past, present, and future, while
the Stoics quantified over the present and future only.

Computer scientists have

adopted the Stoics’ point of view.
In computer science, the state of a program is understood to be the values of
the important variables which would need to be saved if the program were to be
interrupted and restarted, including the values of all data and control variables, and
if applicable also the content of all message channels.
A transition is a change from one program state to another that occurs without
visiting any intermediate state. One may represent the states and transitions of a
program with a directed graph called a state transition system, where the vertices
are the states and the directed edges are the transitions.
A state formula is a Boolean expression involving the values of the state vari
ables.

Given a state, one may test whether it satisfies a particular state formula.

Temporal formulas are more complicated because they express properties of the ac
tual execution of a program through time. A temporal formula is formed by applying
temporal operators to state formulas, where the temporal operators capture the no
tion o f eventuality, persistence, or some shift of context to the next or previous state.
There are also some temporal operators which express the idea of something being
true until another thing is true or something being true since another thing was true.
The two main types of temporal logic are Linear Temporal Logic (LTL) and
Computation Tree Logic (CTL), and they are fairly similar except that LTL formulas
are evaluated on single execution traces, while CTL formulas are evaluated on the
entire forward-branching computation tree which expresses the range of possible exe
cutions of a program. For this reason, CTL operators also specify the scope of paths
through the computation tree which they apply to: for example, the CTL operator
AG means on all paths it is true from now on. In LTL, one uses the box operator to
express something close to this (the box operator means it is true from now on).

6

A description of the precise operators, axioms, and inference rules of LTL is
outside the scope of this thesis, so the reader is directed to chapter 3 of [5] for a
complete exposition. [6] is a good reference for CTL.

2.3. PROMELA
Promela (an acronym for process meta-language) is the modeling language for
the code which is used by the model checker SPIN [9]. It incorporates features of
CSP [10] and Guarded Commands [11]. Its data structures include ordinary numeric
variables, arrays, and FIFO message channels (which the author uses for one-way
communication only).
The basic statements of Promela include simple assignments, non- deterministic
selection constructs (if .. fi), and non-deterministic loop constructs (do .. .od). Each
statement has one or more control points which represent stopping points between
transitions in the execution of a program. This is sufficient for sequential programs,
but concurrent programs require a process structure. With concurrency also comes
the addition of message-passing statements, and communication can be either rendez
vous or buffered.

SPIN supports concurrency, and Promela enables one to write

concurrent processes, the transitions of which are interleaved non-deterministically.

2.4. SPIN
SPIN is one of the most popular model checkers, and it has been used for a
number of verifications which can be found in model checking literature. It is welldocumented and has a fairly large following. There is even a workshop devoted to
its use and development (enhancements have been built on top of it for a variety of
purposes).
The support of concurrency brings up the issue of deadlock of processes. SPIN
can check ordinary assertions about the program state as the program executes, but

7

it can also check for the possibility of deadlock in the execution of a program. SPIN
takes as input a concurrent or sequential program written in Promela and explores
all possible executions of the program to verify desired properties. In fact, it can
even allow premature termination at specified valid end-states of individual processes
without signaling deadlock.
Another type of verification is the non-existence of non-progress cycles, which
means that in any recurrent cycle of a program a progress state is visited at least
once. This basically guarantees that progress states are visited infinitely often in any
infinite execution of a program.
Related to progress verification is the verification of LTL temporal formulae by
means of never claims. A never claim is a type of monitor process which interleaves
with the normal execution of a program, and indicates that a program satisfies or
violates a given temporal assertion. SPIN verifies temporal formulae by negating them
and converting to a never claim monitor automaton. The program itself is converted
to an automaton also, and SPIN checks for the emptiness of the intersection of the
languages accepted by the program automaton and the never claim automaton. That
is, it verifies that the program never executes in a way which coincides with the
execution of the automaton representing the negation of the temporal formula.
Model-checkers must optimize the verification algorithms as much as possible,
essentially because they must deal with the so-called state-space explosion problem,
which is that the search space for these verifications is generally huge due to non
determinism in the execution of the individual processes and in the interleaving of
different processes.

One method to combat this is partial-order reduction, which

finds a subspace of the state transition system which faithfully represents the whole
system as far as the given verification is concerned. Another method is state-space

8

minimization, which amounts to storing the state-space efficiently in a special data
structure similar to an ordered binary decision diagram (OBDD) [7].

2.5. TIMED AUTOMATA
When one wants to do more than simply specify and verify properties of the or
der of events, by imposing timing constraints, it is convenient to use timed automata
as the underlying models. A timed automata diagram is a a collection of automata,
each with nodes corresponding to states and transitions corresponding to events such
as message-passing and clock resets.

Guards may be placed on the transitions to

specify the timing constraints and to synchronize the transitions of automata corre
sponding to different processes. For this reason, timed automata are sometimes called
timed I/O automata.
A classic example of a timed automata diagram is Train, Gate, Controller de
scribed in [12]. There are four processes, one of which is a monitor for verification
purposes only. They each have a local clock, and they synchronize on various tran
sitions by means of message-passing. Each process has at least one transition which
resets its local clock. One verifies via the monitor that the interval between the time
that the Gate is lowered across the intersection and the time that the Gate is raised
is less than K units (if K is 7 or greater).

2.6. RT-PROMELA
RT-Promela models timed automata by using timed statements with lazy (not
urgent) transitions [13]. Basically, one can specify when a statement may be exe
cuted by including it in a when statement, and one can reset clocks by using a reset

9

statement. These two may be combined to specify when clocks should be reset. In
RT-Promela, the timing constraints must be written using integer constants only.
One might erroneously interpret a timed statement as an urgent directive for
the way the model should execute - that is, that the statement must meet its timing
constraint.

This, however, is not the correct interpretation in RT-Promela.

One

should instead view a timing constraint as limiting when the statement is permitted
to occur, but there is only one condition which forces the statement to execute to meet
the constraint. That condition is when the statement is the last possible (in time)
transition that can occur, so if it does not execute the program will terminate either
correctly or incorrectly. This semantics of timed statements is why the transitions
are called lazy [13].
There is, unfortunately, not very much documentation about RT-Promela, so
the author has had to guess and experiment to understand how it works. For example,
the exact meaning of the modifier atomic is still not crystal clear to the author in
this context, but one hopes that it is clear enough to force the models to execute in
the desired manner. The DSP model was done chronologically later than the first
DSP-CAN-EPC model, so some lessons learned have been incorporated into a revised
higher-level model.

2.7. RT-SPIN
RT-SPIN is an enhancement of SPIN which was developed by Stavros Tripakis
to support dense real-time model checking. It uses SPIN components, but processes
models written in RT-Promela code, and can verify real-time properties of the models,
such as whether timing constraints can be met. It is theoretically only slightly more
complicated than SPIN, and [12] provides a good explanation of its operation.
For RT-SPIN, a state is again a stopping point between transitions. A transition
can be decomposed into an instantaneous action transition corresponding to execution

10

of a statement or a time transition which consumes some finite non-zero amount of
time. A run of a program is a sequence of state and clock valuation pairs, such that
each pair is obtained from the previous pair by a transition.
The use of Difference Bounds Matrices (DBMs) to represent regions or zones
of clock time values is apparently due to Dill et al. [14]. The basic idea is that the
timing constraints for timed automata can always be written as a collection of upper
bounds (possibly infinite) on differences between clock time values, with the addition
of an auxiliary clock variable

xq

which has the constant clock time value of zero.

Thus, one may use a matrix to store the upper bound values along with an indicator
of whether the inequality corresponding to a particular difference is strict or not.
To each DBM, there is associated a convex subset of Euclidean space which is
a solution set of a set of inequalities of the form Xi — Xj < k or Xi — Xj < k, where
the variables represent clock values or zero, and k is an integer or positive or negative
infinity.
For example, the inequality £3 — x 2 < 4 would be stored as an ordered pair
(4, < ) in position d$2 of the matrix. One can discover that the effect of the passage
of time on the DBM representing a clock region is almost trivial, and it is similarly
uncomplicated to represent unions and intersections of clock regions (see below). The
reset process is slightly more complex, but can be handled conveniently with DBMs.
It is helpful to understand the basic idea of how timing constraints are modeled,
following [12]. [6] also has a discussion of this issue.

D efin ition 1 For our purposes, a clock region is a union of equivalence classes of
points in a Euclidean space representing the values of the clocks, where equivalence is
defined as the property that substitution of one point for the other in any accepting
run does not prevent the new run from being extended to an accepting run with the
same untimed projection (the same sequence of states, ignoring the time information

11

that the state possesses) as the original accepting run. This just means that in some
sense the points are indistinguishable from the point of view of the program.
Clock regions and DBMs arise from the timing constraints of the model encoded
in RT-Promela, because only integer constants are permitted in the timing constraints
of statements.
It is natural to attach a clock region to the ordinary state information consisting
of data variables and control variables in order to represent the values of the clocks
which are possible when the state is visited. It is also natural to let a DBM represent
a clock region, because clock regions are not a priori convex, which is a desirable
property, and DBMs possess a nice canonical form and can faithfully represent a
clock region from the point of view of the timing constraints and state transition
system.
It is easy to calculate the effect of a time transition on a state which contains
time information, because the clocks run at the same rate, so pairwise clock differences
remain constant while an inequality such as Xi —0 < k in the definition of the original
state must be changed to Xi — 0 < oo as the clock X{ advances past the value k.
An action transition can occur from a state if the solution set of the DBM
associated to the state has a non-empty intersection with the timing constraint of
an enabled transition. In this case, the new DBM will be some transformed matrix
version of the intersection, and the transformation is described in section 5.2 of [12].
The process uses a canonical (minimal) form of a DBM as an intermediate step, then
resets the appropriate clocks as prescribed by the transition, and finally performs an
operation called maximization. The explanation of this process is rather complicated,
so it will not be duplicated here.
Zeno-cycle is the term used to describe a cycle in the reachability graph which
repeats infinitely many times in a finite amount of time. RT-SPIN by default detects
such possible executions and ignores them in its verification algorithm.

12

3. DSP AND CAN VERIFICATIONS

3.1. OVERVIEW
Both of the final DSP and CAN models employ assertion-checking as the main
method of verification. It was infeasible to explore the entire state space for infinite
runs due to complexity considerations, so counters were used to terminate the exe
cution in a reasonable amount of time. Progress verifications depend on infinite runs
and therefore did not make sense. The issue of deadlock was handled differently for
the two verifications. For the DSP, escape from deadlock was provided for deliber
ately so that an assertion could be checked. For the high-level CAN model, one relies
on the CAN bus protocol to resolve communication conflicts which could cause dead
lock. The DSP verification checks that the interrupt queue does not overflow, while
the CAN verification checks that during normal operation, control frames received by
the DSP have sequence numbers within a certain range relative to the most recent
sequence number of data frame sets sent by the DSP. The gap can be bounded by ad
justing the error thresholds at the end processes. Some of the verification complexity
details are presented in a separate section.

3.2. DSP VERIFICATION
As may be seen from the state chart below, the DSP CPU must handle four
different interrupt service routines on a roughly periodic basis. It may be trivial to
guess that scheduling will not be problematic, because each routine seems to execute
so quickly compared to its period. However, the modeling and timing estimates were

13

done more or less independently, so it was not until after a significant amount of work
had been done that the larger perspective was available, and it seemed worthwhile to
carry out the verification anyway.

START

Figure 3.1. DSP State Chart

Basically, the model consists of two processes, one being the generator of in
terrupt signals, and the other being the handler of such signals. For the generator,
upper and lower bounds were set for the periods of the signal occurrences, and a
do..od loop was constructed with options for sending signals corresponding to three
of the four interrupts (the SYN interrupt was not modeled because it is a very short
routine which occurs relatively infrequently). The signals may be sent only when
timing constraints are satisfied which guarantee that none of the signals is overdue
(past its upper bound) and at least one of the signals is actually due to occur (past
its lower bound). There are three other options corresponding to error conditions and
timeout.
The first error condition signifies that the interrupt handler process did not
execute one of the routines fast enough (according to its actual estimated duration)

14

because the model checking software does not enforce timing constraints (they are
lazy). If this occurs the generator is excused from meeting its timing constraints and
the verification is halted. The second error condition signifies that the handler did
not even start a routine promptly when it should have been, able to, and again the
generator process is excused from its timing constraints and the verification is halted.
For the DSP, one wants to verify that interrupt signals are handled in a timely
manner. A queue was used in the model to store signals as they occur. The author
verified that if the model deadlocks temporarily and the timeout condition becomes
true, then the interrupt queue being full was not the cause of the deadlock. Thus, the
handler failing to keep up with the generator is not the cause of deadlock, so one can
feel confident that the interrupt signals will actually be handled without overflowing
the interrupt queue due to inadequacy of the speed of the DSP CPU.

Assertion 1 timeout -> assert( nfull(Interrupts) )

A timed automata diagram was developed mid-way through the development of
the RT-Promela model, and helped to visualize how the RT-Promela model should
be revised. For example the original model featured a clock variable D, while in the
final RT-Promela model this is differentiated into an array of clocks for the set of
routines instead of just one clock.
Unfortunately, the DSP verification was so complex that it was necessary to
terminate the exploration of the state-space after a total of only 20 interrupt signals.
It was instructive to work with an intricate set of timing constraints, though, and this
effort ended up being more of an exercise than a conclusive verification for at least
two reasons. First, the execution times are estimated to be so short for the interrupt
service routines that the scheduling problem is almost ridiculously easy. Second, it
was discovered that in fact, there is no actual interrupt queue, so the model is a
bit flawed; interrupts are handled by setting flags, not by being placed in a queue.

15

START

a_to_d >= lperiod_A_to_D‘
InterruptslO

can >= Iperiod C A N *

count++
count == limit
.spwm >= lp erio d _S P W M *\can’

~ ®

ACCEPTABLE END-STATE

Figure 3.2. DSP Timed Automaton: Signal Generator

Finally, there may be some reason that the hardware, not the software could slow
down the handling of the interrupts, and that has not been modeled yet.

3.3. CAN VERIFICATION
The CAN bus communication has been the main focus of the efforts described in
this thesis. The models for the CAN bus and its end-processes (DSP and embedded
PC) started out very simply and have now become more realistic and more complex.
The earliest models of the CAN bus itself resemble a data store more than a channel,
and the earliest models of the end-processes contained strange constructions as a result
of trying to cope with the high degree of non-determinism in the communication. It
is better now, but probably still not perfect. The author has come to accept the
process of modeling as iterative and approximate rather than exact and rigorous, in
his experience. Still, the models have improved as more has been learned about the

16

Figure 3.3. DSP Timed Automaton: (Part of) Signal Handler

details of the objects being modeled and about model checking in general, especially
the real-time aspects.
The CAN bus communication is the highest-level o f the FACTS Power System
which the author has tried to model explicitly for verification. There is a possibility of
going up one more level, but that will not be a concern here. The DSP is the generator
of data frame sets periodically gathered by the analog-to-digital converter (A to D)
and sent to the embedded PC via the CAN bus. The DSP also quasi-periodically
receives control frames back from the embedded PC via the CAN bus, and periodically
applies the control information to the power electronics of the FACTS device. The
embedded PC periodically looks for data frames from the DSP, and computes the

17

clock b,c,d;
A_to_D_Clock (){
*[
(when {d>9, d<ll} reset {d} A_to_D_Timer!1 -> SKIP)
]

SPWM.Clock (){
*[
(when {c>5, d<7> reset {c> SPWM_Timer!l -> SKIP)

]
EPC.Clock (){
*[
(when {b>9, b<ll> reset -Cb> EPC_Timer!l -> SKIP)
]
>
I|ICAN ( ) || I DSP ( ) || IEPC ()
Figure 3.4. CAN Protocol Pseudocode: Top-level

corresponding control frame if it has a complete data frame set to process (data frames
could have been lost, potentially, or could arrive at an unfortunate time relative to the
embedded PC timer). Because of the possibility of some bad interleaving of events
on the embedded PC side of the communication, it has been decided to buffer the
previous cycles data frames in case a matching frame is late arriving.

Table 3.1. Estimates for Periods of DSP Interrupt Routines

Process
A to D
SPW M
EPC

Period (milliseconds)

1.0
0.6
1.0

18

The timing constraints which were introduced to force some approximate syn
chronization between the DSP and the embedded PC are implemented via timers
which activate events within the end processes. The timing constraints for the tick
ing of the clocks were set to either 9-11 units or 5-7 units, where units represent tenths
of milliseconds. Using an interval instead of an exact value allows for some drift to be
modeled. The clock variables b, c, and d were used to regulate the timers. The author
has since realized that it is not necessary to explicitly model the timers as separate
processes. The last model incorporates the timing constraints directly into the DSP,
CAN, and EPC processes. Basically, b, c, and d are local clocks for the three timers
which run at exactly the same rate, but which can be reset independently.

Figure 3.5. CAN Protocol Timed Automaton: CAN Bus

The three clocks, with or without the separate timer processes, do seem neces
sary, though (two for the DSP and one for the embedded PC ). The CAN bus itself
is no longer completely non-deterministic: once a message has been accepted by the
CAN bus for delivery, an attempt will be made to deliver the message, or the message

19

CAN (){
byte candata[2];
candatafO] := 0;
candataCl] := 1;
byte seq_EPC := 0;
*[

(DSP_to_CAN [0]?candata[0] ->
[(CAN_to_EPC[0]!candata[0] -> SKIP) [] SKIP])

□
(DSP_to_CAN [1]?candata[l] ->
[(CAN_to_EPC[l] !candata[l] -> SKIP)

[] SKIP])

□
(EPC_to_CAN?seq_EPC ->
[(CAN_to_DSP!seq_EPC -> SKIP)

[] SKIP])

]

>
Figure 3.6. CAN Protocol Pseudocode: CAN bus

will possibly get lost in transit. Therefore, only one message is being handled by the
CAN bus at a time.
During normal operation, messages will be received sequentially in order without
gaps, and the error counter will be decremented if appropriate. However, if a gap
in sequence numbers is observed, the error counter will be incremented. If the error
counter exceeds a certain threshold value, an error state will be diagnosed, and the
embedded assertions bypassed.

But when the error state has not occurred, it is

asserted that the gap between the sequence number of any control frame received by
the DSP and the sequence number of the most recent data frame sent is small. The
satisfaction of this assertion ensures that under normal conditions, the delay in the
control loop from data acquisition to the application of control activity is small.
Deadlock was a concern during most o f the modeling and verification process,
but the author has recently been assured that the CAN protocol can implicitly resolve

20

START

Figure 3.7. CAN Protocol Timed Automaton: DSP Board

conflicts such as two processes trying to send a message at the same time while neither
is attempting to receive. This realization simplifies the verification immensely.
It may be useful to explain some other features of the model code. The variable
names have evolved some along with the model: the oldest variables from the earliest
models are r_seq_in (for the control frame sequence number received by the DSP)
and s_seq_out (for the data frame sequence numbers of a set sent by the DSP). The
variable lmr is an abbreviation for last message received by the DSP. It is updated at
the end of the SPW M cycle.
On the embedded PC side, there are two arrays for storing data frames data_old
and data_new. It is almost obvious that new data frames are put into the data_new
array, and that in certain cases this information is combined with data_old in order
to make a complete, matching data frame set. The variable dfr is an abbreviation
for data frame received, and it is updated after complete matching data frame sets
are copied to data.old. The flag variable rcvd is also set to 1 in that case, and the

21

DSP (){
byte
byte
byte
byte
byte
byte
byte
*[

tick;
error := 0;
threshold := 2;
max_gap := 4;
r_seq_in;
s_seq_out := 1;
lmr := 0;
(A_to_D_Timer?tick ->
[(DSP_to_CAN[0]!s_seq_out -> SKIP) [] SKIP];
[(DSP_to_CAN[1]!s_seq_out -> SKIP) [] SKIP];
s_seq_out += 1)
[]
(CAN_to_DSP?r_seq_in -> SKIP)
[]
(SPWM_Timer?tick ->
atomic{
[
(r_seq_in == lmr + 1 ->
if(error>0) then error--;
if(error>0) then error— )
[]
(r_seq_in == lmr ->
error += 1;
if(error >= threshold)
then QUIT )
[]
(else ->
error += (r_seq_in - lmr);
if(error >= threshold)
then QUIT)
];
/* assertions go here */
lmr := r_seq_in
»

]
>

Figure 3.8. CAN Protocol Pseudocode: DSP Board

22

Figure 3.9. CAN Protocol Timed Automaton: Embedded PC

embedded P C ’s error counter is decremented if it is positive (it is never decremented
below zero). The variable rcvd remains 1 until an attempt is made to send a control
frame (with sequence number echoing the dfr sequence number) back via the CAN
bus to the DSP.
In case it is impossible to use the new data frame information to make a com 
plete, matching set, the embedded P C ’s error counter is incremented, and if it then
exceeds a threshold value an error condition is diagnosed and the run terminates. On
the DSP side, there is also an error counter, but its operation is more complicated,
basically because the A to D and SPW M timers have different periods. One would
expect, therefore, that for a certain fraction (about half) o f SPW M cycles, there will
not be any new control frame information to apply to the IG B T power electronics.
For that reason, such cycles result in an increment of the error counter by one, while
cycles in which new information is ready to be applied results in a decrement of at
most two. In case there is a gap in sequence numbers of control frames received, the

23

error counter is incremented by one plus the number of control frames missed, which
is relatively simple to express in a formula.

If the error counter on the DSP side

exceeds a threshold, then an error condition is diagnosed and the run terminates.
Thus, there are two error counters maintained locally in the end processes. If
neither causes an error condition to be detected, one can verify that a desirable higherlevel property holds for the whole DSP-CAN-EPC communication. That property is
that a control frame which was calculated based on a particular data frame set will
not arrive back at the DSP too long after the data frame set was sent.

This is

expressed in assertions at the end of the DSP loop by comparing the control frame
sequence number just received to the data frame sequence number just sent. The gap
is bounded, so the control- frame cannot be too far behind in time.

A s s e rtio n 2
if /* asserting control is not too far behind data */
:: /* control frame is not too large */
( r_seq_in < 255-max_gap*increment+l ) ->
assert(r_seq_in + max_gap*increment >= s_seq_out) ;
assert(r_seq_in <= s_seq_out)
:: /* data frame is not too small */
( s_seq_out >= max_gap*increment ) ->
assert(r_seq_in >= s_seq_out - max_gap*increment);
assert(r_seq_in <= s_seq_out)
:: /* control is about to wrap and data has just wrapped */
else ->
assert( r_seq_in >= 255 -max_gap*increment +1 +s_seq_out )
fi;

24

The reason for the assertions being split up into three cases has to do with the
possibility of the sequence numbers wrapping around as they pass the value 255, which
is the maximum value for a variable of byte type. In the inequalities, because wrap
around is an issue, it is necessary to restrict attention to positive quantities and to do
the modular arithmetic more or less explicitly by hand. For example, if the control
frame sequence number is not about to wrap-around, one asserts that the data frame
sequence number is larger than the control frame sequence number, but not too much
larger. Similarly, if the data frame sequence number has not just wrapped around,
one asserts that the control frame sequence number is small, but not too small. The
third case is the exception, and one asserts then that the data frame sequence number
is not too far past zero relative to the difference between the control frame sequence
number and 256 (which is expressed as 255 4- 1, because it is desirable to use byte
values). In a more thorough verification with more powerful software such as IF, a
progress label would be put in the DSP code for passing such assertions and infinite
runs would be explored. This would ensure the liveness property that no infinite run
ever stops passing the assertions successfully. That is, if the communication continues
forever, it does so successfully.
There are some interesting cases to be considered related to clock drift, resyn
chronization, and error-counting, due to duplicate or skipped frames. For example,
the DSP A to D timer and the EPC timer have roughly the same period, but that
does not guarantee that one of them will not completely lap the other one and for
some integer n execute n +1 cycles in the time that the other executes only n cycles.
Also, the SPW M timer and the EPC timer are not expected to be even approximately
synchronized. W hat will be the effect of this?
Missing a frame should not cause any problem at all, because the next frame
will contain even more up-to-data (better) information. Receiving a duplicate frame
causes the error counter to be incremented. In the case o f data frames, this is an

25

Table 3.2. Analysis of Synchronization Scenarios

Sender

Receiver

Content

Slower Process

Result

DSP
DSP
EPC
EPC

EPC
EPC
SPW M
SPW M

data
data
control
control

Sender
Receiver
Sender
Receiver

duplicate frame
missed frame
duplicate frame
missed frame

anomaly which corrects itself, and for control frames the error accounting is designed
to adjust for the discrepancy in timer periods.
It is probably still worthwhile, though, to investigate what would happen if the
mailbox queue overflows due to the mismatch of DSP and embedded PC cycles (in
case the PC is slower). It should not be hard to prevent such an overflow, but it was
not feasible to incorporate that into the model because of the increased complexity
that buffered communication would have added to the verification.

26

EPC (Mbyte tick;
byte error := 0;
byte threshold := 2;
byte data_old[2] ;
byte data_new[2] ;
byte seq_in;
byte dfr := 0;
byte rcvd := 0;
*[
(EPC_Timer?tick ->
[
(CAN_to_EPC[0] ?data_new[0] ->
seq_in := data_new[0]) [] SKIP];
[
(CAN_to_EPC[1] ?data_new[1] ->
seq_in := data_new[l]) [] SKIP];
atomic{[
(data_new[0] == data_new[l] ->
rcvd := 1;
dfr := data_new[0];
if(error>0) then error— )
[]
(data_old[0] == data_new[l] ->
rcvd := 1;
dfr := data_new[l] ;
if(error>0) then error— )
[]
(data_old[l] == data_new[0] ->
rcvd := 1;
dfr := data_new[0] ;
if(error>0) then error— )
[]
(else ->
error += 1;
if(error >= threshold)
then QUIT)
];
data_old[0] := data_new[0];
data_old[l] := data_new[l];
if(rcvd>0)
then [(EPC_to_CAN!dfr -> SKIP) [] SKIP]}
rcvd :- 0)
>

Figure 3.10. CAN Protocol Pseudocode: Embedded PC

27

4. MODELS AND PROBLEMS

This thesis concerns itself with how to provide a method of diagnosing error
conditions related to the loss of messages between the DSP and the embedded PC.
An error counter will be incremented when message loss is detected, and if it exceeds a
given threshold value, the system will be said to be in an error state, and appropriate
corrective measures will be taken. The main verification described in this thesis is
that this method will ensure that during normal operation control frames will follow
without too much delay after data frames are sent from the DSP to the embedded
PC.
The first task o f this project was learning some temporal logic so the framework
for verification would make sense. Next came a study of the alternating bit protocol
and a verification of the reliability of data communication between two processors.
From that base o f knowledge, it was hoped that a design for communication between
the DSP and the embedded PC could be fleshed out and its correctness verified. It
turned out to be much more difficult than the author imagined it would be, mostly be
cause distributed algorithms are so much more complicated than sequential programs:
deadlock was an ever-present issue to be dealt with, and the early simulations were
worrisome because there was so much message loss that it seemed that correct com
munication would almost never occur. The excessive message loss appeared because
in SPIN, one may simply insert a skip statement as a non-deterministic alternative
to the correct message-passing statement to allow message loss, but it is not so easy
to control the frequency of the losses.

28

Another issue in the early modeling efforts o f this project was how much syn
chronization would be present in the design. W ithout explicit synchronization, the
communication appeared to allow one of the end processes (DSP or embedded PC)
to repeatedly interact with the middle (CAN) process and starve the other process.
This is unrealistic, and was an undesirable feature which showed up over and over
again in the simulations.
At the beginning of the project, modeling non-real-time aspects of the system
was the main concern. After a while it became apparent that without some kind
of timing assumptions, the interaction between the DSP and the embedded PC was
too free and too many errors would occur. Despite these difficulties, some progress
was made and a few verifications were done before the conversion to RT-SPIN. An
untimed, non-deterministic, one data frame model was created at first, evem though
in reality three data frames make up a complete set of sensory data. Then multiple
data frames were added to the model and sorted on the embedded PC side in case
they arrived out o f order.
Next, it was verified that control frames depend on data frames (a control frame
with a particular sequence number would not be generated and sent before a corre
sponding complete data frame set had beeb received). This can be expressed in linear
temporal logic as:

Assertion 3

((!s)t/(p&&qr))||([]!s),

w here

s = ( r s e q J n = = data[0]),
p = (data[ 0] = = data[ 1]),

and

q = (data[ 1] = = data[ 2]).

What this is really expressing is “s is not true before p and q both become true” .
In other words, the control frame with sequence number data[0] is not received by

29

the DSP before the embedded PC receives all three data frames with that sequence
number. The author also verified that without a certain part of the code which sorts
the.data frames, this property did not hold, which reassures us that the model has
some validity.
T o build tim ing into the model, [15] presents an attractive approach. A method
had been developed which encouraged us to attempt to add timers to the model to
regulate the timing o f the end process cycles. The first attempt was simply a rough
scheduler which gave the DSP and embedded P C opportunities to execute in an
alternating manner (creating some implicit synchronization), but with the additional
possibility of one of them drifting ahead and executing twice in a row occasionally.
This led to the C A N series of models. For these models, LTL was not used in the
verifications because the author had already achieved some confidence by doing the
earlier verifications, and the main objective now was to avoid deadlock and to ensure
progress. The verifications began to stress the limits o f the model checker SPIN at
this point, because the synchronization was only approximate, and the state-space
grew tremendously, as did the time and memory requirements for the verification,
even with optimizations. It was at about this time that the third data frame was
eliminated from the models for simplicity’s sake.

As this was being completed, and

experimental data was collected on the complexity of the verification with different
degrees o f message loss allowed, the next step was to introduce timing, and the current
version from the C A N series of models was modified in a very simple way to reflect
real-time constraints.

RT-SPIN allows better modeling of the real-time aspects of

the system. It was a simple task to modify the untimed model for use with RTSPIN, by substituting a timing constraint for the signal from the scheduler. More
verifications were done, especially deadlock avoidance and checking a constraint about
the boundedness o f delay between data frames and control frames.

30

After achieving this success, the author assisted with the development o f a lowerlevel model of the DSP using standard H OO M T (High-Order O bject Model Tech
nique) methods [16], RT-Promela, and eventually timed automata diagrams (which
helped with visualization when the RT-Promela model seemed too complex). The
main concern here was that the DSP CPU would be able to handle its periodic tasks
effectively, adhering to their timing constraints, so real-time model checking was ap
propriate for a verification.
The DSP has a CPU and registers, and its operation is basically dependent on
interrupt signals which are event-driven (by expiration of a timer or by other fairly
regular events).

If a signal cannot be handled immediately, it has to wait for an

opportunity to be processed. However, the execution times of the interrupt routines
seems to be rather short, so this delay is not anticipated to be problematic. .
From the state chart, the author tried to write a model in RT-Promela to verify
that the DSP CPU would be able to schedule its periodic and aperiodic routines in
real-time.

This, again, was more difficult than was projected, and more modeling

was needed in the form of timed automata diagrams to help with the visualization
of the DSP C P U ’s requirements. This was very helpful, and the author wishes at
this point to recommend that timed automata diagrams.be used whenever real-time
modeling and verification becom e very complex and the state chart does not express
the possible sequences of events adequately. See section 3.2 for an in-depth discussion
of the DSP m odel and verifications.
W ithout explicit synchronization or timing constraints, and with a non- deter
ministic model o f the CAN bus, there was, as mentioned, simply too much freedom
for things to go wrong. One of the end processes (DSP or embedded P C ) could read
duplicate information repeatedly from the CAN process, or miss information entirely.
The non-determinism seemed necessary, however, to prevent deadlock, and it was
undesirable to impose synchronization in the protocol because doing so might slow it

31

down. Thus, it became important to take advantage o f the fact that with RT-SPIN
one can enforce an approximate synchronization by forcing the DSP process and the
embedded PC process to function with approximately equal cycle period durations.
W ith the lower-level DSP model completed, and having converted the commu
nication model to RT-Promela, it was then time to seriously consider beginning to
implement the CAN communication design in actual code, based on the model which
had been written in the modeling language RT-Promela.
At this point, it seemed desirable to modify the original CAN communication
model to reflect the finer details of the DSP process which were understood, and also
to improve the modeling techniques since the author had more exposure to RT-SPIN
by this time. Another feature which needed attention was the operation of the CAN
bus, since it was still difficult to avoid detecting potential deadlock situations during
the verifications. Common sense and experience have led us to believe that the CAN
protocol avoids deadlock in a natural way by some sort of conflict resolution, so the
model has been modified so that it does not detect deadlock.
Buffering was added to the EPC process after local discussion [17] to mitigate
the possibility that strange interleavings of the processes could cause incomplete data
frame sets to be received over and over again.

As the author reviewed the latest

version o f the model, it also seemed that some improvements should be made, based
on having a better understanding of the CAN bus and DSP operation. A newer model
was developed which incorporates some causality in the CAN bus process, and which
reflects more o f the complexity o f the timing of the DSP routines. The current model
of the CAN bus non-deterministically accepts a message for forwarding, but delivers it
(or loses it) before it accepts another message for forwarding. After the improvements,
verification of the boundedness o f gap between data frame and control frame sequence
numbers on the DSP side during normal operation was the main goal. See section
3.3 for an in-depth discussion of the CAN communication model and verifications.

32

5. CO M P L E X IT Y COMPARISON TO ZCSP VERIFICATION

It was not the main purpose of this project to study the capabilities of SPIN
and RT-SPIN with regard to computational complexity, but some material will be
presented along these lines. This includes a comparison to the work of [18], which
focuses on m odel checking o f a zero-cost secured protocol (ZCSP) using SPIN. That
work did not involve real-time considerations, but nonetheless mentions difficulties
with the capability of SPIN model checking software to handle complicated models.
The first data to be presented is for the first good model of the CAN com 
munication protocol that takes scheduling into account (CAN_33.txt). By varying
the number of channels that could potentially lose messages, it was found that the
complexity quickly became too much for SPIN to handle. Only the channels from
the CAN bus to the embedded PC were allowed to lose messages, even though there
are actually about three times that many communication channels in the model. The
thresholds for the error counters and the amount of drift between the cycles of the
embedded PC and the DSP were also limited because otherwise the complexity grew
too large, but data is available for four different sets of these parameters (A , B, C,
and D below).
At this time, the author does not recall for certain whether partial-order reduc
tion or state-space minimization was used with SPIN (they are not available yet for
RT-SPIN) in the verifications of CAN_33.txt. However, a recent test verification of
one of the simplest parameter sets using these optimization techniques was unable
to complete successfully on a laptop computer with almost 250 MB RAM available,
and the author had recorded that the original verification with that parameter set

33

Table 5.1. Complexity of Verifications for CAN_33.txt with Various Parameter Sets

Parameter set
P
thresholdDSP
thresholdEPC
lossy channels
0
1
2
3

A
B
96-192 64-192
2
2
2
2
states (TO6/ fo r
13/40
25/76
21/64
41/121
35/104
66/
61/
105/

C
D
96-192 64-102
3
3
2
2
safety/liveness
34/110
70/
54/159
in /
88/

Safety (no deadlock) Verification

Figure 5.1. Complexity of Safety Verification for CAN_33.txt

completed using approximately 400 MB. Therefore, it is unlikely that the original
verifications for which data is presented did not use any optimization (since other
wise 250 MB would have been enough RAM for the test - partial-order reduction
and state-space minimization should result in savings of more than 40 percent). The
number o f states (which should be equal to the number of transitions) is comparable

34

Liveness Verification

Figure 5.2. Complexity of Liveness Verification for CAN_33.txt

(within a couple o f orders of magnitude) for the ZCSP verification and the CAN_33.txt
verification. The same can be said for the amount of R A M used. If the CAN_33.txt
model had allowed more lossy communication channels or greater error thresholds, it
would be even closer. The ZCSP verification shows the value of optimizations such
as partial-order reduction and state-space minimization, and it is unfortunate that
these are not available yet for RT-SPIN.
For the later verifications that used RT-SPIN, less data has been collected,
but the sample verification output for the RT-SPIN verification of a version of the
CAN_final_7.txt model with one parameter set and of CANJmp_7.txt with two differ
ent parameter sets is included. CAN_imp_7.txt was developed from CAN_finaL7.txt
by internalizing the timer processes into the processes which receive signals from them
and eliminating the timers as separate, explicit process. Doing this reduced the com
plexity of the verifications.

The parameters mentioned below refer to the number

of executions of the SPW M code, the number of executions of the A_to_D code, the
threshold for the DSP, and max_gap for the DSP. The verifications should, o f course,

35

test the assertions by generating at least as many data frame sets as the value of the
parameter max_gap.

error: max search depth too small
right after err
pan: out of memory
8.58993e+09 bytes used
4096 bytes more needed
8.58993e+09 bytes limit (2~MEMCNT)
(Spin Version 2.9.0 — 14 July 1996)
Warning: Search not completed
Full statespace search for:
never-claim
- (none specified)
assertion violations +
acceptance
cycles - (not selected)
invalid endstates +
State-vector 176 byte, depth reached 8999999, errors: 0
8.87772e+07 states, stored
1.84868e+08 states, matched
2.73646e+08 transitions (= stored+matched)
1.28815e+08 atomic steps
hash conflicts: 2.23549e+10 (resolved)
(max size 2~18 states)
8.58993e+09 memory usage (bytes)

Clock Regions Hashed : 2000002
Collisions

: 1999935

Figure 5.3. Output for Verification of CAN_finaL7.txt

36

(Spin Version 2.9.0 —

14 July 1996)

Full statespace search for:
never-claim
- (none specified)
assertion violations +
acceptance
cycles - (not selected)
invalid endstates +
State-vector 120 byte, depth reached 266, errors: 0
6.39578e+07 states, stored
9.38204e+07 states, matched
1.57778e+08 transitions (= stored+matched)
1.01081e+08 atomic steps
hash conflicts: 2.88615e+09 (resolved)
(max size 2~18 states)
5.05796e+09 memory usage (bytes)
unreached in proctype DSP
line 71, state 37, "error = (error-1)"
(1 of 74 states)
unreached in proctype CAN
(0 of 23 states)
unreached in proctype EPC
line 198, state 41, "error = (error-1)"
(1 of 70 states)
Clock Regions Hashed : 4095
Collisions

: 4028

Figure 5.4. Output for Verification of CAN_imp_7.txt with parameters 10, 6, 2, 3

37

(Spin Version 2.9.0 —

14 July 1996)

Full statespace search for:
never-claim
- (none specified)
assertion violations +
acceptance
cycles - (not selected)
invalid endstates +
State-vector 120 byte, depth reached 214, errors: 0
3.0831e+07 states, stored
4.47373e+07 states, matched
7.55683e+07 transitions (= stored+matched)
5.09641e+07 atomic steps
hash conflicts: 7.70396e+08 (resolved)
(max size 2~18 states)
2.64418e+09 memory usage (bytes)
unreached in proctype DSP
(0 of 74 states)
unreached in proctype CAN
(0 of 23 states)
unreached in proctype EPC
(0 of 70 states)
Clock Regions Hashed : 2699
Collisions

: 2632

Figure 5.5. Output for Verification of CAN_imp_7.txt with parameters 8, 5, 3, 3

38

6. CONCLUSION

Real-time model checking is significantly easier with appropriate tools.

The

software used in the modeling and model checking in this thesis is not the state-of-theart, it turns out, but it is a good learning tool, and it provides a m ethod for design and
some simple verifications. Probably the IF model checking package is more capable of
handling com plex problems, and it should be considered for future work. Nonetheless,
RT-Promela and RT-SPIN are enhancements of the popular model checker SPIN, so
that is an advantage in itself. SPIN has a GUI available called XSPIN which was
very useful during the simulation phase of the project, because it enabled the author
to visualize what was going wrong during the execution of his early, not-so-great
concurrent program designs. As some expertise was developed, simulation became
less important, and RT-SPIN was sufficient without the XSPIN GUI.
The H O O M T process is also useful as a bridge from usable code to the code
used by the m odel checking software (RT-Promela, in this case). It was especially
helpful to draw timed automata diagrams based on the ordinary state chart for the
DSP. For the CA N communication, a state chart is probably too complicated, but
it is possible that a timed automata diagram could also be helpful in addition to
common-sense intuition about what is going on.
SPIN and RT-SPIN both use LTL, but there is not really any reason for the
author to insist that it is better than CTL or any other reasonable temporal logic.
LTL is a little bit simpler to learn and work with, it seems, so that is probably why
it was used in this thesis. The IF package uses CADP, apparently, which is based on
CTL, and the author has learned of some techniques for reducing the complexity of

39

some common model checking problems which can be applied in the IF environment.
One major advantage that any real-time model checker could offer is the possibility
of partial-order reduction, the theoretical foundation of which has been laid by Minea
[19]. This could significantly increase the capability of any model checking software.
Despite the limitations o f SPIN and RT-SPIN, it has been verified that in a
model of the DSP (which is an approximation of the actual operation), the CPU
can schedule its interrupt service routines in real-time, but this low-level verification
could be improved, because a better understanding of the DSP has now been achieved
compared to at the start o f the modeling. More importantly, it has been verified that
with a reasonable definition of normal operation (possibly with some message loss),
which can be monitored by the end processes (DSP and embedded PC ), an acceptable
level o f information integrity can be guaranteed in the CAN bus communication
protocol which may be used in a FACTS device.
A protocol design had already been developed by the modeling group of the
Power Research Group at UMR, and part of the work described in this thesis was
working backwards from this and showing that it could be modified to satisfy a reason
able notion of correctness. Basically, a counter will be incremented and decremented
when errors are detected, and normal functioning is then (by definition) operating
with the error counter below a threshold parameter. In a manner of speaking, a solu
tion was guessed based on an idea of what the problem was that needed to be solved,
and then was formally modeled. Low-level and high-level constraints were specified
such that the satisfaction o f the low-level constraints guarantees the satisfaction of
the desired high-level constraints (and this was verified).
In modeling the components, a sort of rough estimate of how they ought to
work was modeled and then manuals were consulted and details were filled in. To
deal with the time and space complexity of running the verifications, more powerful
computers were located and the models were simplified. Finally, the most interesting

40

problem was integrating the timing constraints into the model, and some prior work
was found which provided some insight.
This thesis has presented the author with an opportunity to learn both practical
modeling and verification techniques as well as some theory ,o f temporal logic and
model checking in general. It has been a sometimes frustrating, but often rewarding
experience, and the work presented here is the result of many revisions to the models
discussed. Modeling and model checking must strike a balance between accuracy and
abstraction, and it is hoped that a good balance has been obtained here.

APPEN DIX A
Promela code

//CAN_33.txt (Promela Code)

mtype = { msg, ack };
chan DSP_to_CAN[3] = [0] of {mtype, byte};
chan CAN_to_EPC[3] = [0] of {mtype, byte};
chan EPC_to_CAN = [0] of {mtype, byte};
chan CAN_to_DSP = [0] of {mtype, byte};
chan CLK_to_DSP = [0] of {mtype, bit};
chan CLK_to_EPC = [0] of {mtype, bit};

byte r_seq_in;
#define increment 32

active proctype CLK 0
{
byte P = 128;
endO:

do

:: atomic{CLK_to_DSP!msg (0) ->
P = P - 32;
if
:: (P<=64) -> break
:: else
fi}
:: atomic{CLK_to_EPC!msg (0) ->
P = P + 32;
if
:: (P>=192) -> break

43

:: else
fi>
od
>

active proctype DSP ()
{
byte threshold = 3;
byte s_seq_out = increment;
byte error = 0, r_count_lost=0;
byte lmr = 0 ;
bit tick;
bool giveup = false;
endl:

do

:: CLK_to_DSP?msg (tick) ->
/* send data frames and receive control frames */
/* send three data frames */
if
/*

:: true*/
:: DSP_to_CAN[0]!msg (s_seq_out)
fi;
if
:: true
:: DSP_to_CAN[1]!msg (s_seq_out)
f i;

if

:: true
:: DSP_to_CAN[2]!msg (s_seq_out)
fi;
s_seq_out = s_seq_out + increment;
do
/* receive a control frame */
:: atomic{CAN_to_DSP?msg (r_seq_in) ->
if
:: atomic{( r_seq_in == lmr + increment ) ->
if
:: (error > 0) ->
error = error - 1
:: else
fi>
:: atomic-Celse ->
/* fine-tune this later */
error = error + 1;
if
:: (error >= threshold) ->
atomic{giveup = true;
break}
:: else
fi>
fi}
progressl:

atomic-Clmr = r_seq_in;
r_count_lost = 0}

/* lose a control frame and then give up */

45

:: atomic-Ctrue ->
atomic{r_count_lost = r_count_lost + 1;
if
:: (r_count_lost >= 2) ->
giveup = true
:: else
f i;
if
:: (r_count_lost >= 1) ->
break
:: else
fi»
od;
if
:: atomic-C(giveup == true) ->
break>
:: else
fi
od
>

active proctype CAN ()
{
byte seq_EPC=0;
byte candata[3];
candata[0] = 0;
candata[l] = 0;

46

candata[2] = 0 ;
end2:

do

/* pass Ctrl frames and data frames back and forth */
/* receive data frames */
:: DSP_to_CAN[0]?msg (candata[0])
:: DSP_to_CAN[1]?msg (candata[l])
:: DSP_to_CAN[2]?msg (candata[2])
/* receive a control frame */
:: EPC_to_CAN?msg (seq_EPC)
/* send a control frame */
:: CAN_to_DSP!msg (seq_EPC)
'/* send data frames */
:: CAN_to_EPC[0]!msg (candata[0])
:: CAN_to_EPC[1]!msg (candata[l])
:: CAN_to_EPC[2]!msg (candata[2])
od
>

active proctype EPC ()
{
byte data[3];
byte threshold = 2;
byte count_repeat = 0 ;
byte seq_in;
byte error = 0;
byte lmr = 0;
byte dfr = 0 ;

47

bit tick;
bool giveup = false;
bool recvd = false;
/* send control frames and receive data frames .*/
end3:

do

:: CLK_to_EPC?msg (tick)

->

/* receive three data frames */
if
:: atomic{CAN_to_EPC[0]?msg (data[0]) ->
seq_in = data[0]>
/*

:: true*/
fi;
if
:: atomic{CAN_to_EPC[1]?msg (data[l]) ->
seq_in = data[l]}.
:: true
fi;
if
:: atomic{CAN_to_EPC[2] ?msg (data[2]) ->
seq_in = data[2]}
:: true
fi;
atomic-Cif
/* data frame seq nums match */
:: ( (data[0] == data[l]) && (data[l] == data[2]) ) ->
atomic-Crecvd = true;
dfr = seq_in}

48

if
:: ( data[0] == lmr ) ->
count_repeat = count_repeat + 1;
if
:: ( count_repeat >= threshold ) ->
giveup = true
:: else
fi
: : else ->
count_repeat = 0
f i;
if
:: (error > 0) ->
error = error - 1
:: else
fi
:: else ->
error = error + 1;
if
(error >= threshold) ->
giveup = true
:: else
fi
fi;
if
:: (giveup == true) -> break
:: else ->

49

if
:: (recvd .== true) ->
if
:: EPC_to_CAN!msg (dfr)
:: true
fi
:: else
fi
fi>
atomic-Clmr = seq_in;
recvd = false}
od
}

APPENDIX B
RT-Promela code

//DSP_rt_26.txt (RT-Promela code)

mtype = { msg >;
chan Interrupts = [6] of {mtype, byte};

#define lexec_A_to_D 4
#define exec_A_to_D 5
#define lperiod_A_to_D 990
#define period_A_to_D 1000
#define lexec_CAN 1
#define exec_CAN 2
#define lperiod_CAN 990
#define period_CAN 1000
#define lexec_SPWM 1
#define exec_SPWM 2
#define lperiod_SPWM 610
#define period_SPWM 620
#define limit 20

clock a_to_d, can, spwm,/* syn,*/ D[4], T;
byte count;
bit error;
bit ErRoR;

active proctype Generator ()
{
do /^periodically send an interrupt*/

(error == 1) -> break
(ErRoR == 1) -> break
atomic-(when{a_to_d>=lperiod_A_to_D,
a_to_d<period_A_to_D, can<period_CAN, spwm<period_SPWM}
reset{a_to_d, D [013Interrupts !msg (0) ->
count=count+l;
if
:: (count == limit) -> break
:: else -> skip
fi
}
atomic-Cwhen-[can>=lperiod_CAN,
can<period_CAN, a_to_d < period_A_to_D, spwm<period_SPWM}
reset-Ccan, D [1] >
Interrupts!msg (1) ->
count=count+l;
if
:: (count == limit) -> break
:: else -> skip
fi
>
atomic-Cwhen-[spwm>=lperiod_SPWM,
spwm<period_SPWM, a_to_d<period_A_to_D, can<period_CAN}
reset-Cspwm, D [2] >
Interrupts!msg (2) ->
count=count+l;

53

if
:: (count .== limit) -> break
:: else -> skip
fi
}
:: timeout -> assert( nfull(Interrupts) ); break
od
>

active proctype Handler ()

byte interrupt;
endO:

-

do

// 6 is (1 + max_exec_time), a generous estimate of the delay
:: atomic-[when{D [0] <6, D[l]<6, D[2]<6,
a_to_d<period_A_to_D, can<period_CAN, spwm<period_SPWM>
reset-CT} Interrupts?msg (interrupt) -> skip};
progressO:

if //now leave the ISR

:: (interrupt == 0) ->
if
:: when{T >= lexec_A_to_D, T < exec_A_to_D}
reset{D[0], D[l] , D[2]} skip;
: : atomic{when{T >= exec_A_to_D} error = 1; break}
fi
:: (interrupt == 1) ->
if
:: when{T >= lexec_CAN, T < exec_CAN}

reset{D[0] , D [1] , D[2]> skip;

:: atomic-Cwhen-CT >= exec_CAN} error = 1; break}
fi
:: (interrupt == 2) ->
if

:: when-CT >= lexec_SPWM, T < exec_SPWM}
reset{D[0] , D [1] , D[2]} skip;
:: atomic {when-CT >= exec_SPWM} error = 1; break}
fi
fi

:: atomic{when-CD[0]>=6, D[l]<6, D[2]<6,
a_to_d<period_A_to_D, can<period_CAN, spwm<period_SPWM}
reset{T} Interrupts?msg (interrupt) -> skip};
progressO:

if //now leave the ISE

:: (interrupt == 0) ->
ErRoR = 1;
break
:: (interrupt == 1) ->
if
: : when{T >= lexec_CAN, T < exec_CAN}
reset{D [0] , D[l], D[2]} skip;
:: atomic{when{T >= exec_CAN} error = 1; break}
fi
:: (interrupt == 2) ->
if
:: when{T >= lexec_SPWM, T < exec_SPWM}

reset{D[0] , D[l], D[2]} skip;
:: atomic{when-[T >= exec_SPWM} error = 1; break}
fi
fi
:: atomic{when{D[0]<6, D[l]>=6, D[2]<6,
a_to_d<period_A_to_D, can<period_CAN, spwm<period_SPWM}
reset{T} Interrupts?msg (interrupt) -> skip};
progressO:

if //now leave the ISR

:: (interrupt == 0) ->
if
:: when{T >= lexec_A_to_D, T < exec_A_to_D}
reset{D[0], D [1] , D[2]} skip;
:: atomic{when-[T >= exec_A_to_D} error = 1; break}
fi
:: (interrupt == 1) ->
ErRoR = 1;
break
:: (interrupt == 2) ->
if
:: when{T >= lexec_SPWM, T < exec_SPWM}
reset{D[0] , D[l] , D[2]} skip;
:: atomic-Cwhen{T >= exec_SPWM} error = 1; break}
fi
fi
:: atomic{when{D [0] <6, D[l]<6, D[2]>=6,
a_to_d<period_A_to_D, can<period_CAN, spwm<period_SPWM}
reset{T} Interrupts?msg (interrupt) -> skip};

progressO:

if //now leave the ISR

:: (interrupt == 0) ->
if
:: when{T >= lexec_A_to_D, T < exec_A_to_D}
reset{D[0] , D [1] , D[2]> skip;
:: atomic{when-CT >= exec_A_to_D} error = 1; break}
fi
:: (interrupt == 1) ->
if
:: when{T >= lexec_CAN, T < exec_CAN}
reset{D[0], D [1] , D[2]> skip;
:: atomic{when-CT >= exec_CAN} error = 1; break}
fi
:: (interrupt == 2) ->
ErRoR = 1;
break
fi

:: atomic-[when-(D [0] <6, D[l]>=6, D[2]>=6,
a_to_d<period_A_to_D, can<period_CAN, spwm<period_SPWM}
reset{T} Interrupts?msg (interrupt) -> skip};
progressO:

if //now leave the ISR

:: (interrupt == 0) ->
if
:: when{T >= lexec_A_to_D, T < exec_A_to_D}
reset{D[0], D [1] , D[2]} skip;
:: atomic{when-(T >= exec_A_to_D} error = 1; break}

57

fi
:: (interrupt == 1) ->
ErRoR = 1;
break
:: (interrupt == 2) ->
ErRoR = 1;
break
fi
:: atomic{when-(D [0] >=6, D[l]<6, D[2]>=6,
a_to_d<period_A_to_D, can<period_CAN, spwm<period_SPWM}
reset{T} Interrupts?msg (interrupt) -> skip};
progressO:

if //now leave the ISR

:: (interrupt == 0) ->
ErRoR = 1;
break
:: (interrupt == 1) ->
if
:: when-CT >= lexec_CAN, T < exec_CAN}
reset-[D[0], D[l] , D[2]} skip;
:: atomic{when{T >= exec^CAN} error = 1; break}
fi
:: (interrupt == 2) ->
ErRoR = 1;
break
fi
:: atomic-Cwhen-CD [0] >=6, D[l]>=6, D[2]<6,
a_to_d<period_A_to_D, can<period_CAN, spwm<period_SPWM}

58

reset-[T} Interrupts?msg (interrupt) -> skip};
progressO:

if //now leave the ISR

:: (interrupt == 0) ->
ErRoR = 1;
break
:: (interrupt == 1) ->
ErRoR = 1;
break:

:: (interrupt == 2) ->
if
:: when{T >= lexec_SPWM, T < exec.SPWM}
reset{D[0], D [1] , D[2]} skip;
:: atomic{when{T >= exec_SPWM} error = 1; break}
fi
fi

:: atomic-Cwhen-[D [0] >=6, D[l]>=6, D[2]>=6,
a_to_d<period_A_to_D, can<period_CAN, spwm<period_SPWM}
reset{T} Interrupts?msg (interrupt) ->
ErRoR = 1;
break}

od
}

//CAN_final_7.txt (RT-Promela code)

/* this construct may not be essential, follows previous examples
mtype = { msg };

/* communication channel declarations */
/* arrays of two unbuffered channels */
chan DSP_to_CAN [2] = [0] of {mtype, byte};
chan CAN_to_EPC[2] = [0] of {mtype, byte};
/* simple unbuffered channels */
chan EPC_to_CAN = [0] of {mtype, byte};
chan CAN^to_DSP = [0] of {mtype, byte};
chan A_to_D_Timer = [0] of {mtype, byte};
chan SPWM_Timer = [0] of {mtype, byte};
chan EPC_Timer = [0] of {mtype, byte};

/* global variable declarations and initializations */
byte QUIT = 0 ;
clock b, c, d;

/* gap b/n data fr. Seq. numbers ((256/increment) distinct #s) */
#define increment 32
#define start 160
#define COUNT 7
active proctype A_to_D_Clock ()
{
byte count1 = 0;

60

do /* loop with nondeterministic selection until break */
:: (QUIT==1) -> break /* terminate */
:: /* send a signal every 9-11 time units */
when {d>9, d<ll} reset{d} A_to_D_Timer!msg.(1) ->
atomic /* no process interleaves inside this block */

count1 = count1 + 1;
if
:: (countl>=3*C0UNT/5) ->QUIT=1;
break /* terminate */
:: else
fi
>
od
>
active proctype SPWM_Clock ()
{
byte count2 = 0 ;
do
:: (QUIT==1) -> break
: : when -Cc>5, c<7} reset{c} SPWM_Timer !msg (1) ->
atomic{count2 = count2 + 1;
if
:: (count2>=C0UNT) -> QUIT=1;break
:: else
fi>
od

}
active proctype EPC_Clock ()
{
do
:: (QUIT == 1) -> break

:: when {b>9, b<ll} reset{b} EPC_Timer!msg (1) -> skip
/*

atomic{count = count + l;
if
:: (count>=CDUNT) -> QUIT=l;break
:: else
fi}*/
od

}

active proctype DSP O

byte tick; /* dummy variable for clock tick */
byte error = 0; /* counter */
byte threshold = 2; /* parameter for detecting failure */
byte max_gap = 4; /* parameter for use in assertions */
byte r_seq_in; /* seq # of control frame received by DSP */
byte s_seq_out = start+increment; /* set initial data fr. */
byte lmr = start; /* last message seq # received */
do
:: (QUIT==1) -> break /* terminate */
:: A_to_D_Timer?msg (tick) ->/* data fr. trans. starts */
if

62

:: DSP_to_CAN [0]!msg(s_seq_out) ;
:: skip /* possible message loss */
fi;
if
:: DSP_to_CAN [1]!msg (s_seq_out)
:: skip /* possible message loss */
fi;
s_seq_out = s_seq_out + increment
CAN_to_DSP?msg (r_seq_in) -> skip /*receive control fr. */
SPWM_Timer?msg (tick) ->/* Ctrl fr. deliv. to power elect. */
atomic{if
:: /* new control frame is in sequence */
( lmr + increment - r_seq_in == 0 ) ->
if
:: (error > 0) ->
error = error - 1
:: else
fi;
if
: : (error > 0) ->
error = error - 1
:: else
fi
:: /* control frame is a duplicate */
( lmr - r_seq_in == 0 ) ->
/* increment error, check if it exceeds threshold */
error = error + 1;

63

if
:: (error >= threshold) ->

QUIT =1;
break
:: else
fi
:: /* a control frame has been skipped */
else ->
/* increment error according to size of the gap */
error = error + (r_seq_in - lmr)/increment;
if
:: (error >= threshold) ->

QUIT = 1;
break
:: else
fi
fi;
if /* asserting control is not too far behind data */
:: /* control frame is not too large */
( r_seq_in < 255-max_gap*increment+l ) ->
assert(r_seq_in + max_gap*increment >= s_seq_out);
assert(r_seq_in <= s_seq_out)
:: /* data frame is not too small */
( s_seq_out >= max_gap*increment ) ->
assert(r_seq_in >= s_seq_out - max_gap*increment);
assert(r_seq_in <= s_seq_out)
:: /* control is about to wrap and data has just wrapped */

64

else ->
assert( r_seq_in >= 255-max_gap*increment+l+s_seq_out )
fi;
lmr = r_seq_in} /* update last message received */
od
>

active proctype CAN ()
{
byte seq_EPC = start;
byte candata[2];
candata[0] = start;
candata[l] = start;
do/*control from EPC to DSP, data in other direction */
:: (QUIT ==1) -> break
/* receive, and send or lose data frames */
:: DSP_to_CAN[0]?msg (candataCO]) ->
if
:: CAN_to_EPC [0]!msg(candata[0] )
:: skip
fi
:: DSP_to_CAN [1]?msg(candata[l] ) ->
if
:: CAN_to_EPC [1]!msg (candata[l] )
:: skip
fi
:: /* receive, and send or lose a control frame */

65

EPC_to_CAN?msg (seq_EPC) ->
/* send or lose a control frame */
if
:: CAN_to_DSP!msg (seq.EPC)
:: skip
fi
od
>

active proctype EPC ()

-C
byte tick; /* dummy variable for clock tick */
byte error = 0 ;

/* counter */

byte threshold = 2; /* for use in detecting failure */
byte data_old[2]; /* buffered data fr. sequence numbers */
byte data_new[2]; /* new data frame sequence numbers */
byte seq_in; /* seq. # of one of the received data fr. */
byte dfr = 0 ;

/* seq. # of matching data frame set */

byte rcvd = 0; /* value>0 means new fr. should be sent */
do
: : (QUIT == 1) -> break
:: EPC_Timer?msg (tick) ->/* begin PC cycle on signal */
if
:: CAN_to_EPC [0]?msg (data_new[0]) ->/* receive fr. 0 */
seq_in = data_new[0]
:: skip
fi;

66

if
:: CAN_to_EPC[1]?msg (data_new[l]) ->/* receive fr. 1 */
seq_in = data_new[l]
:: skip

fi;
atomic-Cif
:: /* new data frame seq nums match */
( data_new[0]==data_new[l] ) ->
rcvd = 1;
dfr = data_new[0];
if
:: (error > 0) ->
error = error - 1
:: else
fi
:: /* one new matches one old */
(data_old[0]==data_new[1] ) ->
rcvd = 2 ;
dfr = data_new[l];
if
:: (error > 0) ->
error = error - 1
:: else
fi
:: /* other new matches other old */
(data_old[1]==data_new[0]) ->
rcvd = 3;

67

dfr = data_new[0] ;
if
:: (error > 0) ->
error = error - 1
:: else
fi
:: /* no new match can be made */
else ->
error = error + 1;
if
:: (error >= threshold) ->
QUIT = 1 ;
break
:: else
fi
fi;
data_old [0] =data_new [0] ;
data_old [1] =data_new[l] ;}
if
:: (rcvd>0) ->/* new matching data was received */
if
:: EPC_to_CAN!msg (dfr) /* send a control frame */
:: skip /* possible message loss */
fi
:: else
fi;
rcvd = 0 /* reset rcvd */

68

od

69

//CAN_imp_7.txt (RT-Promela code)

/* this construct may not be essential, follows previous examples */
mtype = { msg };
/* communication channel declarations */
/* arrays of two unbuffered channels */
chan DSP_to_CAN[2] = [0] of {mtype, byte};
chan CAN_to_EPC[2] = [0] of {mtype, byte};
/* simple unbuffered channels */
chan EPC_to_CAN = [0] of {mtype, byte};
chan CAN_to_DSP = [0] of {mtype, byte};

/* global variable declarations and initializations */
byte QUIT = 0;
clock b, c, d;

/* gap between data fr. seq. numbers ((256/increment) distinct #s) */
#define increment 16
#define start 176
#define COUNT1 8
#define C0UNT2 5

active proctype DSP ()
{
byte count1 = 0;
byte count2 = 0;
byte tick; /* dummy variable for clock tick */

70

byte error = 0 ;

/* counter */

byte threshold = 3; /* parameter for detecting failure */
byte max_gap = 3 ;

/* parameter for use in assertions */

byte r_seq_in = start; /* seq # of control fr. received by DSP */
byte s_seq_out = start+increment; /* set initial data frame */
byte lmr = start; /* last message (control) seq # received */
do
:: (QUIT==1) -> break /* terminate */
:: when{d>9, d<10} reset{d} countl=count1+1 ->
atomic /* means no process interleaves inside this block */
{if
:: (count1>=C0UNT2) -> QUIT=1; /* global flag variable */
break
:: else
fi>
/* data frame transmission starts */
if
:: DSP_to_CAN [0]!msg(s_seq_out);
:: skip /* possible message loss */
fi;
if
:: DSP_to_CAN [1]!msg (s_seq_out)
:: skip /* possible message loss */
fi;
s_seq_out = s_seq_out + increment
:: CAN_to_DSP?msg (r_seq_in) -> skip /*receive control frame */
:: when{c>5, c<6} reset{c} count2~count2+l ->

71

atomic

{if
:: (count2>=C0UNT1) -> QUIT=1;
break
:: else
fi}
./* Ctrl fr. delivery to power electronics */
atomic{if

:: /* new control frame is in sequence */
( lmr + increment - r_seq_in == 0 ) ->
if
:: (error > 0) ->
error = error - 1
:: else
fi;
if
:: (error > 0) ->
error = error - 1
:: else
fi
:: /* control frame is a duplicate */
( lmr - r_seq_in == 0 ) ->
/* increment error, check if it exceeds threshold */
error = error + 1;
if
:: (error >= threshold) ->
QUIT = 1;

72

break
:: else
fi
:: /* a control frame has been skipped */
else ->
/* increment error according to size of the gap */
error = error + (r_seq_in - lmr)/increment - 1;
if
:: (error >= threshold) ->

QUIT = 1;
break
: : else
fi
fi;
if /* asserting control is not too far behind data */
:: /* control frame is not about to wrap-around */
( r_seq_in < ( 255 - max_gap*increment + 1 ) ) ->
assert(r_seq_in + max_gap*increment >= s_seq_out);
assert(s_seq_out >= r_seq_in)
:: /* data frame has not just wrapped-around */
( s_seq_out >= max_gap*increment ) ->
assert(s_seq_out - max_gap*increment <= r_seq_in);
assert(r_seq_in <= s_seq_out)
:: /* control is about to wrap and data has just wrapped */
else ->
assert( r_seq_in >=
s_seq_out + (255 - max_gap*increment + 1) )

fi;
lmr = r_seq_in> /* update last message received */
od
>

active proctype CAN ()
{
byte seq_EPC = start;
byte candata[2];
candata[0] = start;
candata[l] = start;
do/*control from EPC to DSP, data in other direction */
:: (QUIT ==1) -> break
/* receive, and send or lose data frames */
:: DSP_to_CAN[0]?msg (candata[0]) ->
if
:: CAN_to_EPC [0]!msg(candata[0] )
:: skip
fi
:: DSP_to_CAN[1]?msg(candata[l]) ->
if
:: CAN_to_EPC [1]!msg (candata[l])
:: skip
fi
::•/*• receive, and send or lose a control frame */
EPC_to_CAN?msg (seq_EPC) ->
/* send or lose a control frame */

74

if
:: CAN_to_DSP!msg (seq_EPC)
:: skip
fi
od
>

active proctype EPC 0

■C
byte count3 = 0;
byte tick; /* dummy variable for clock tick */
byte error = 0; /* counter */
byte threshold = 3; /* for use in detecting failure */
byte data_old[2] ; /* buffered data frame sequence numbers */
byte data_new[2] ; /* new data frame sequence numbers */
byte seq_in; /* seq. number of one of the received data fr. */
byte dfr = 0; /* seq. number of matching data fr. set */
byte rcvd = 0; /* value>0 new control fr. should be sent */
do
:: (QUIT == 1) -> break
:: when-[b>9, b<10> reset{b} count3=count3+l ->
atomic-C
if
:: (count3>=C0UNT2) -> QUIT=1;
break
:: else
fi>

/* begin embedded PC cycle on signal */
if
:: CAN_to_EPC[0]?msg (data_new[0]) ->/* receive fr. 0 */
seq_in = data_new[0]
:: skip
fi;
if
:: CAN_to_EPC[1]?msg (data_new[l]) ->/* receive fr. 1 */
seq_in = data_new[l];
:: skip
fi;
atomic-Cif
:: /* new data frame seq nnms match */
( data_new[0]==data_new[l] ) ->
rcvd = 1;
dfr = data_new[0] ;
if
:: (error > 0) ->
error = error - 1
:: else
fi
:: /* one new matches one old */
(data_old [0]==data_new[l]) ->
rcvd = 1;
dfr = data_new[l] ;
if
:: (error > 0) ->

76

error = error - 1
:: else
fi
:: /* other new matches other old */
(data_old[1]==data_new[0] ) ->
rcvd = 1;
dfr = data_new[0];
if
:: (error > 0) ->
error = error - 1
:: else
fi
:: /* no new match can be made */
else ->
error = error + 1;
if
:: (error >= threshold) ->

QUIT =1;
break
: : else
fi
fi;
data_old[0]=data_new[0];
data_old[1]=data_new[1] >
if
:: (rcvd>0) ->/* new matching data was received */
if

:: EPC_to_CAN!msg (dfr) /* send a control frame */
:: skip /* possible message loss */
fi
:: else
fi;
rcvd = 0 /* reset rcvd */

78

BIBLIO G RAPH Y

[1] A. Armbruster, B. McMillin, and M. Crow. Controlling power using facts devices
and the maximum flow algorithm. In Proc. 5th International Conference on
Power Systems Operation and Planning, 2002.
[2] J. Kurose and K. Ross. Com puter Networking: A Top-down Approach Featuring
the Internet. Pearson Education, Inc., 2005.
[3] Dirk Bull and Pieter De Villiers. Using spin to verify protocols at the imple
mentation level. In A C M International Conference Proceeding Series; Vol. 30
Proceedings o f the 2002 annual research conference of the South African insti
tute o f com puter scientists and information technologists on Enablement through
technology, pages 195-204, 2002.
[4] G. Holzmann. The model checker spin. IE EE Transactions on Software Engi
neering, 23(5):279-295, 1997.
[5] Z. Manna and A. Pnueli. The Temporal Logic o f Reactive and Concurrent Sys
tems: Specification. Springer-Verlag, 1992.
[6] E.M. Clarke, Jr., O. Grumberg, and D. Peled. Model Checking. The MIT Press,
1999.
[7] K. McMillan. Symbolic Model Checking. PhD thesis, Carnegie M ellon University,
1992.
[8] N. Rescher and A. Urquhart. Temporal Logic. Springer-Verlag, 1971.
[9] G. Holzmann. The SPIN Model Checker P rim er and Reference Manual. AddisonWesley, 2004.
[10] C.A.R. Hoare. Communicating Sequential Processes. Prentice Hall International,
1985.
[11] E. W . Dijkstra. Guarded commands, nondeterminacy and formal derivation of
programs. Communications o f the ACM , 18(8):453 - 457, 1975.
[12] S. Tripakis and C. Courcoubetis. Extending promela and spin for real time. In
Second International Workshop, Tools and Algorithms fo r the Construction and
Analysis o f Systems, page 329 348, March 1996.
[13] S. Tripakis. Rt-spin faq. http://www-verimag.imag.fr/~tripakis/rtspinjaq.html.
[14] R. Alur, C. Courcoubetis, N. Halbwachs, D. Dill, and H. W ong-Toi. Minimization
of timed transition systems. In Lecture N otes In Computer Science; Vol. 630,
Proceedings o f the Third International Conference on Concurrency Theory, pages
340-354, 1992.

79

[15] Z.
Gu and
K.G.
Shin.
Model-checking
of
real-time
embedded software
based
on
corba
http://kabru. eecs. umich. edu/aires/paper/guAsorc05.pdf.

component-based
event
service.

[16] M. Ryan, S. Markose, Y. Cheng, F. Liu, and B. McMillin. Structured objectoriented co-analysis/co-design o f hardware/software for the facts power system.
In 29th Annual Computers, Software, and Applications Conference, 2005.
[17] J. Townsend, personal communication.
[18] V. Beaudenon, E. Encranaz, and J-L. Desbarbieux. Design validation o f zcsp
with spin. IEEE, 2003.
[19] M. Minea. Partial Order Reduction fo r Verification o f Timed Systems.
thesis, Carnegie Mellon University, 1999.

PhD

80

VITA

David Andrew Cape was born on May 18, 1966, in Pensacola, Florida.

He

earned the degree of Bachelor o f Arts in M athem atics/Physics at New College of the
University of South Florida (now New College o f Florida) where he was a National
Merit Scholar, and he earned the degree of Master of Science in Mathematics at the
University of Florida. The degree of Master of Science in Com puter Science will be
conferred upon him on M ay 13, 2006, at the University o f Missouri at Rolla.
He has also been a student at Massachusetts Institute of Technology and at
Washington University in St. Louis, and he was an adjunct instructor of mathematics
one summer at East Central College in Union, Missouri. As a graduate assistant at
M IT, UF, and UM R, he taught mathematics and com puter science courses including
algebra, trigonometry, calculus, and data structures. His academic interests include
software engineering (modeling and verification), real-time distributed systems, and
com plexity theory (self-witnessing languages), as well as algebraic geometry (p-adic
cohom ology theories).

