Abstract For a case-study of a wafer scanner from the semiconductor industry it is shown how model checking techniques can be used to compute (1) a simple yet optimal deadlock avoidance policy, and (2) an infinite schedule that optimizes throughput. Deadlock avoidance is studied based on a simple finite state model using Smv, and for throughput analysis a more detailed timed automaton model has been constructed and analyzed using the Uppaal tool. The Smv and Uppaal models are formally related through the notion of a stuttering bisimulation. The results were obtained within 2 weeks, which confirms once more that model checking techniques may help to improve the design process of realistic, industrial systems. Methodologically, the case study is interesting since two models were used to obtain results that could not have been obtained using only a single model.
Introduction
Scheduling and resource allocation problems occur in many different domains, for instance (1) scheduling of production lines in factories to optimize costs and delays, (2) scheduling of computer programs in (real-time) operating systems to meet deadline constraints, (3) scheduling of instructions inside a processor with a bounded number of registers and processing units, (4) scheduling of trains (or airplanes) over limited quantities of railway tracks and crossroads, and (5) mission planning for autonomous robots on spacecraft. Typically, in each of these domains problems are solved using different approaches and mathematical tools. The EU IST project Ametist envisages a unifying framework for time dependent behavior and dynamic resource allocation that crosses the boundaries of application domains.
In the Ametist approach, components of a system are modeled as dynamical systems with a state space and a well-defined dynamics. All that can happen in a system is expressed in terms of behaviors that can be generated by the dynamical systems; these constitute the semantics of the problem. Verification, optimization, synthesis and other design activities explore and modify system structure so that the resulting behaviors are correct, optimal, etc. Preferably, the limitations of currently known computational solutions should not influence modeling too much: only after the semantics of a problem is properly understood, abstractions and specialization due to computational considerations can intervene. In such situations, the soundness of abstractions should ideally also be proved, either via deductive verification or model checking. Ametist aims to extend this approach, which underlies the successful domain of formal verification, to resource allocation, scheduling and other time-related problems. The present paper serves as an illustration of this methodology.
A major concern in the design of controllers for many resource allocation systems (RASs) is deadlock, a permanently blocking condition. There are three general ways of handling deadlock: (1) deadlock prevention, (2) deadlock detection and resolution, and (3) deadlock avoidance. Deadlock prevention restricts the system in such a way that deadlock is a priori impossible. As a consequence, performance may be unnecessarily low. Deadlock detection and resolution, on the other hand, is not restrictive at all and detects and resolves a deadlock at run-time. This, however, may be very expensive. Deadlock avoidance achieves a middle ground; it dynamically chooses the control actions to avoid the occurrence of deadlock. In this paper, we show how a least restrictive deadlock avoidance policy (DAP) for the wafer scanner can be easily computed using Smv, a model checker for finite automata. This DAP can be represented by a very short predicate over the states of the wafer scanner, which can be used by the controller for the wafer scanner. In addition, we use the timed automaton tool Uppaal to define a refined model that adds timing constraints to address the issue of throughput optimization. We relate the Uppaal model to the Smv model via the concept of stuttering bisimulation introduced by Browne et al. [8]. Since stuttering bisimulation preserves the validity of CTL formulas (without the next-time operator), all properties (and in particular the DAP) that we established for the untimed model using Smv carry over to the Uppaal model. It is not possible to compute the least restrictive DAP directly for the Uppaal model since (a) Uppaal does not support full CTL, and (b) the state space of the Uppaal model is so big that it cannot be fully explored. Using heuristics, however, we are able to use the Uppaal model checker to find an infinite schedule that optimizes throughput.
Contribution The main contribution of our paper is a uniform, model based approach to deal with both deadlock avoidance and throughput optimization. We present a case study in which for each of these two problems a model is constructed and a solution is computed with a model checker. The two models are related formally through the notion of a stuttering bisimulation. We are not aware of other work that addresses both deadlock avoidance and throughput optimization in (what essentially is) a single framework.
Our results were obtained within 2 weeks, and we believe that our method can be applied by engineers with a background in computer science after training of only a few days. This confirms that model checking may help to improve the design process of realistic, industrial systems. Our DAP computation approach is referred to in a patent application of ASML, which shows its significance for industry. Methodologically, the case study is interesting since two models were used in combination to obtain results that could not have been obtained using only a single model. Our approach illustrates once more that building models that are just abstract enough for addressing a specific question often provides a way to deal with the state space explosion problem. Probably, we could have carried out the complete analysis using a single tool, namely Kronos [24], a model checker for timed automata that supports full Timed CTL. We decided to use Uppaal because of its greater maturity, efficiency and user friendliness. In particular, the graphical user interface and simulator facilitated communication about our model with the ASML engineers. Since Uppaal does not support full CTL model checking, we used Smv, which is also very mature and efficient, for the computation of the DAP.
Related work Much research has been devoted to deadlock avoidance in RASs, see for instance [20, 21]. Discouraged by the NP-completeness of optimal deadlock avoidance for many RAS classes, see for instance [15], this kind of work generally focuses either on computation of suboptimal but polynomial DAPs or on optimal policies for very specific subclasses. Much of this work uses the Petri net formalism [18] for the modeling and analysis of RASs. Using these approaches, the deadlock avoidance problem from the present paper can be solved very easily.
In [14], the model checker Smv is used to construct a deadlock-free controller by an iterative process. The parallel composition of the controller and the plant is checked against deadlock by Smv. If a deadlock state is found, then the controller is adjusted to exclude the counterexample and the verification is run again. Otherwise, the controller is deadlock free. The work presented in [23] deals with verification of several DAPs using Smv.
Papers in which model checking tools are used to solve scheduling problems include a case study in which a control schedule for a smart card personalization system is synthesized using the Smv model checker [13], a case study in which the Uppaal model checker is used to find feasible schedules for a steel plant [12], a recent case study in which the Uppaal model checker is used to find feasible schedules for lacquer production [4], and a case study by Niebert et al. [19] who used Kronos [24] to synthesize infinite schedules with stationary throughput for a chemical batch plant. The present work is a follow-up on [7], which considers the same example and uses suboptimal deadlock avoidance heuristics to generate schedules that are not guaranteed to be optimal.
Outline First, Sect. 2 informally presents the case study. Section 3 then presents the Smv model and shows two ways of obtaining an optimal DAP using Smv. In Sect. 4, a Uppaal model of the wafer scanner is described, and infinite schedules which optimize throughput are computed. Also, we present a stuttering bisimulation that relates the Uppaal model with the Smv model of Sect. 3. Finally, Sect. 5 draws some conclusions and gives directions for future work.
The EUV machine
Lithographic machines, called wafer scanners, are used within the semiconductor industry to project chip designs on slices of silicon which are called wafers. A key performance characteristic of wafer scanners is throughput, i.e., the number of wafers that can be processed per time unit. For a typical recipe¹ it is desirable that the exposure operation (which uses the lens, the most expensive part of the machine) is critical in optimal schedules. In order to maximize throughput, a controller should have a strategy that optimizes throughput in the absence of errors. Furthermore, a controller should be deadlock-free, since deadlock resolution is expensive. ASML aims at design-time verification of (key parts of) the control software for the wafer scanners that it develops, in order to prevent the occurrence of errors while customers are using the machines. Figure 1 schematically depicts a possible design of an extreme ultraviolet machine (EUV machine), which is a particular type of wafer scanner that is currently being developed by ASML. The inside of an EUV machine is kept under vacuum as EUV light is absorbed by air. The wafer flow is presented in Fig. 1. First, the external track robot (which is not shown) puts a wafer in one of the four locks. This lock is depressurized, and then the wafer is picked up by one of the two internal robots. Each internal robot has two arms that can each hold a wafer and that are opposite to each other. The internal robot turns and puts the wafer on the closest chuck, which is in the so-called "measure position". The wafer is measured and a chuck swap is performed. The chuck with the measured wafer now is in the "expose position" and the wafer is exposed. After another chuck swap, the exposed wafer is picked up by one of the internal robots which turns and puts it in a depressurized lock. After the lock has been pressurized, the track robot removes the exposed wafer from the machine.
¹ The timing parameters of the production depend on the chips to be produced.
Each wafer thus has a fixed recipe for its route: lock - internal robot - chuck - internal robot - lock. There is a choice which locks, internal robots and chucks are used by a wafer. An obvious question that arises is why we do not let the unexposed wafers enter through the upper two locks and let the exposed wafers exit through the lower two locks. In that case there are no crossing material paths, which means that we have deadlock prevention by construction. The answer is twofold. First, if locks are unidirectional then filling the machine from the initial, empty, state takes unnecessarily long. Second, if locks are unidirectional then the depressurization operation might become critical instead of the exposure, since depressurization takes more than twice as long as exposure in a typical wafer recipe. As noted above, this is undesirable. In Sect. 4, we will prove that indeed the exposure subsystem is critical in the design of Fig. 1, and that restricting the wafer flow to prevent deadlock a priori lowers both the throughput and the utilization of the exposure subsystem. A typical example of a deadlock situation in the EUV machine would be a state in which all four robot arms hold unprocessed wafers, and both chucks hold processed wafers. A controller for the EUV machine should ensure that no such deadlock situation can ever be reached. The problem of finding such a control strategy is commonly referred to as the deadlock avoidance problem. The EUV machine is a disjunctive RAS according to the taxonomy of [16]. Instead of the traditional Petri net or graph-based approaches to solving the deadlock avoidance problem, we will show in the next section how it can be tackled using the Smv model checker.
Least restrictive deadlock avoidance policy
In this section, after a (very) brief introduction into Smv, we present our Smv model of the EUV machine, discuss how one can formalize the notion of deadlock as a temporal logic formula, and present the deadlock avoidance policy that we synthesized using Smv. The reader is referred to [10] and [17] for an extensive introduction into model checking and Smv.
SMV
In the approach supported by the Smv model checker, a system is modeled as a finite transition system, i.e., as a tuple (S, s_init, →) where S is a finite set of states, s_init is the initial state, and → ⊆ S × S is the transition relation. We write s → s' instead of (s, s') ∈ →. A state is defined as a valuation of a number of state variables.
An SMV model of the EUV machine
The EUV machine can be modeled conveniently and concisely in Smv. In fact, the full code is displayed in Fig. 2 .
For each of the ten positions in the machine our model contains a state variable: an array l of size 4 for the locks, a two-dimensional array rb of size 2 × 2 for the robots, and an array c of size 2 for the chucks. These state variables can either take value e (empty), which means that the position is empty, value r (red), which means that the position is occupied by an unexposed wafer, or g (green), which means that the position is occupied by an exposed wafer. Initially, the machine is completely empty and all state variables have value e.
To model the system dynamics, i.e., the movement and exposure of wafers, we introduce 22 asynchronous processes, which are executed in an interleaving fashion:
- For each of the four locks i we have process tl[i], which may either put an unexposed wafer in lock i if it is empty, or move an exposed wafer from the lock to the track robot. In the definition of process tl[i] we use an auxiliary function entry_exit that describes the state change that results from running this process.
- For each of the 16 pairs of positions i, j such that i is on the left of j and a wafer can move directly from i to j (or back), we introduce a process that takes care of moving unexposed wafers from i to j, and exposed wafers from j back to i. In the definition of these processes we use a function move(lft, rgt) that describes the state change that results from moving a wafer from lft to rgt or vice versa.
- For each of the 2 chucks i we introduce a process exp[i] that models exposure of the wafer. An auxiliary function expose describes the state change that results from exposing the wafer at position p: the value of the corresponding state variable changes color from r (red) to g (green).
In the Smv model we abstract from the turning of internal robots. So a wafer can be picked up by both arms of an internal robot (possibly, the robot first has to turn). Similarly, the Smv model abstracts from chuck swaps and the measure operation. In Sect. 4, we present a more detailed model of the EUV machine in which we do not abstract from these aspects.
As it turns out, our Smv model has 57,116 reachable states, which is close to the total number of states, which equals 3^10 = 59,049. An example of an unreachable state is one in which the machine is completely filled with exposed wafers. Transition systems of this size can very easily be handled by Smv and the computer hardware that is available today, so we expect that our approach can also be applied to considerably larger designs.
Defining deadlock and safety in SMV
Standard textbooks on operating systems, e.g., [22] , state four conditions for deadlock in systems that consist of processes that compete for resources. The first three conditions concern the model itself and are necessary, and the fourth condition concerns the states of the model and is necessary and sufficient when the first three are met: (1) mutual exclusion: only one process may use a resource at a time, (2) hold and wait: a process may hold allocated resources while awaiting assignment of others, (3) no preemption: no resource can be forcibly removed from a process that is holding it, and (4) circular wait: a closed chain of processes exists such that each process holds at least one resource needed by the next resource in the chain.
In the EUV machine, the wafers are modeled as the processes and they compete for the positions in the machine that constitute the resources. The model of the EUV machine satisfies the first three conditions for deadlock. The fourth condition, which is thus necessary and sufficient for deadlock, can be formalized with help from a needs function, that specifies for each wafer the set of positions it may move to. Let P denote the set of positions in the EUV machine. For p ∈ P and c ∈ {r, g}, we define needs(p, c) ⊆ P to be the set of positions (different from p) to which a wafer with color c at position p may move next. In particular, if p is a chuck, then needs(p, r) = needs(p, g) = R, where R is the set of positions of the internal robots. If s is a state and p a position then we use needs_s(p) as an abbreviation for needs(p, s(p)).
The circular wait property can now be defined as follows.
Definition 1 (Circular wait) A state s has a circular wait in Q ⊆ P iff Q ≠ ∅ and for all q ∈ Q: s(q) ≠ e and ∅ ≠ needs_s(q) ⊆ Q.
It is not possible to directly formulate the circular wait property in terms of CTL, so some encoding is required. The basic idea is that the machine has a circular wait in a subset Q of positions iff the wafers in Q will never be able to move again. Observe that if in our model a transition s → s' moves a wafer from place p to place p', then p is empty in s'. Thus, the property that some wafer cannot move anymore can be formalized in CTL as follows.
Definition 2 (Jam) A position p is jammed in state s iff s ⊨ AG(p ≠ e). A state s is jammed iff some position is jammed in s.
Proposition 1 below asserts the equivalence of the circular wait and jammed properties, thereby providing us with a way to express deadlocks in CTL. In order to prove the proposition, we need two technical lemmas stating that (a) circular waits are preserved by the transition relation, (b) if a position p is jammed then also any position to which the wafer at p may move next is jammed. We prove Proposition 1 and the technical lemmas only for our model of the EUV machine, but from the proofs it should be clear that these results can be generalized to a whole class of resource allocation problems.
Lemma 1 Suppose that state s has circular wait in Q and s → s'. Then state s' has circular wait in Q.
Proof We consider three cases, corresponding to different types of transitions:
- If a process entry_exit takes a step, then this does not involve any position in Q: entry of a new wafer on a position in Q is not possible since all these positions are filled; also exit of a wafer in Q is not possible since for all positions q ∈ Q we have needs_s(q) ≠ ∅. Since none of the variables in Q is modified, the fact that s has circular wait in Q implies that also state s' has circular wait in Q.
- Also if a process move takes a step, then this does not involve any position in Q: entry of a new wafer on a position in Q is not possible since all these positions are filled; also exit of a wafer from Q is not possible since for all positions q ∈ Q we have needs_s(q) ⊆ Q. Hence the circular wait property is preserved by the transition.
- If a process expose takes a step, then this does not affect emptiness of positions, nor the value of the needs set. Hence the circular wait property is preserved by the transition, and also s' has circular wait in Q.
Lemma 2 Suppose position p is jammed in state s and p' ∈ needs_s(p). Then position p' is jammed in s.
Proof By contradiction. Suppose p' is not jammed. Then there exists a path on which eventually p' is empty. If in this path, directly after p' becomes empty, we schedule a transition that empties p (this is possible since p' ∈ needs_s(p)), we obtain a path in which eventually p is empty. But we assumed no such path exists. Contradiction.
Proposition 1 A state has a circular wait in some Q iff it is jammed.
Proof (⇒) Assume that state s has a circular wait in Q. Pick an element q ∈ Q (this exists since s has circular wait in Q). By Lemma 1, any state s' reachable from s in zero or more steps has circular wait in Q. Hence, s' ⊨ (q ≠ e). It follows that s ⊨ AG(q ≠ e). Therefore, state s is jammed. (⇐) Assume that state s is jammed. Then there exists a position q such that q is jammed in s. Define Q to be the least fixed-point μQ.({q} ∪ needs_s(Q)). Then, by construction, needs_s(Q) ⊆ Q ≠ ∅. By Lemma 2, using an inductive argument, it follows that all positions in Q are jammed in s. This implies in particular that, for all q ∈ Q, s(q) ≠ e and needs_s(q) ≠ ∅ (the latter inequality follows because needs_s(q) = ∅ would imply that q is a lock that is filled with an exposed wafer, so q could be emptied in a single transition, which contradicts the assumption that q is jammed). It now follows that state s has a circular wait in Q.
In the remainder of this paper, we will say that a state is deadlocked if it has a circular wait, i.e., if it is jammed. The question that we need to answer is whether and how we can prevent the system from entering a deadlocked state. In Dijkstra's paper on the banker's algorithm [11], the first published deadlock avoidance algorithm, a state is defined to be safe if "all processes can be run to completion". In our case, the wafers are the processes and "a wafer is run to completion" if it exits the machine. Thus, Dijkstra's definition can be translated to CTL as follows.
Definition 3 (Safe states) A state s is safe iff s ⊨ EF(∧_{p∈P} p = e), i.e., iff the initial state, in which all positions are empty, is reachable from s.
Note that this is a stronger requirement than ∧_{p∈P} EF(p = e), i.e., each individual position can be emptied, but it need not be the case that all positions can be emptied simultaneously. If a state is deadlocked it is unsafe, but if it is unsafe it need not be deadlocked. However, in many cases and (according to Smv) in particular for our model of the EUV machine, the following property does hold for the initial state²:
AG(safe iff (EG ¬deadlock)). (1)
This formula suggests a simple least restrictive DAP: just keep the system in a safe state. This policy can be realized for the EUV machine. Every non-initial safe state has at least one safe successor (different from itself), otherwise it would not be possible to return to the initial state. In addition, we verified using Smv that all successors of the initial state are again safe.
² In fact, in the EUV machine a state is safe if and only if it has no deadlock. Thus, the RAS structure induced by the operation of the wafer scanner facilitates the application of the results presented in [15, 21]. It is, however, easy to come up with variations of the machine with states that are not safe and not deadlocked, for example a design in which the internal robots only have one arm. In such cases, in order to make formula (1) hold, we need to require weak fairness for all processes in the Smv model to exclude runs in which no progress is made due to infinite stuttering of some components.
A least restrictive DAP
In order to actually build a controller that always keeps the system in a safe state, it would clearly be very helpful to have a simple, yet exact characterization of the set of safe states. We see two ways to obtain such a characterization.
1. When checking whether the initial state is safe, Smv computes a binary decision diagram (BDD, see [9]) which provides a compact representation of the set of safe states.
2. The set of safe states can be manually characterized by a predicate expression P that is constructed by the following iterative procedure: start with P := true and check the CTL property AG(P ⇒ safe) with Smv; as long as the check fails, set P := P ∧ ¬C and check again, where C is the characterization of the last state of the counterexample that is generated by Smv.
The first approach enables a least restrictive DAP with linear time complexity, since checking whether a state is included in a BDD takes O(n) operations, where n is the number of booleans from which the BDD is composed (20 in case of the EUV machine). The size of the BDD, however, can in the worst case be exponential in the number of booleans. A second drawback is that it can be difficult to derive individual unsafe and/or deadlock situations from a BDD, which may be required during the design phase of the system. The second approach can quickly become practically infeasible since all unsafe states are explicitly enumerated. If it is carried out manually, however, then it might be possible to abstract from irrelevant state information and to visualize the various unsafe situations in the system. Of course, this requires some effort and creativity from the analyst. The second approach has been used to characterize the safe states of the EUV machine. With five iterations, we found four unsafe situations, depicted in Fig. 3 , which happen to characterize all deadlocks.
The predicate P that exactly characterizes the set of safe states is the negation of the situations shown in Fig. 3 , and which are described by predicates d1, d2, d3 and d4 in Fig. 4 .
Note that Smv can also be used to obtain a simple under-approximation of the set of safe states (when, e.g., the BDD is too large to use and the iterative process is too time consuming). If C is a candidate for a simple under-approximation, then this can be verified with the CTL property AG(C ⇒ safe). Again, counter-examples can be used to correct C while retaining low complexity. Note, however, that it now becomes necessary to ensure that the initial state is reachable from any state in C (this is true by definition for the set of all safe states). 
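The Smv model of Sect. 3, the circular-wait test of Definition 1 and Proposition 1, the safe states of Definition 3 and the "stay safe" policy can all be reproduced by brute force. The following is an added example, not the paper's Smv source or any ASML code; it assumes that robot 0 serves locks L0 and L1 and robot 1 serves L2 and L3 (the page fixes only that each arm reaches two locks and both chucks), and the closed-form deadlock predicate it checks is our own hand derivation, not the d1..d4 of Fig. 4. It goes slightly beyond the page by testing the safe/deadlock equivalence over all 3^10 states rather than only the reachable ones.

```python
"""EUV wafer-flow model of Sect. 3 (added example, not the paper's Smv source)."""
import itertools
from collections import deque

E, R, G = "e", "r", "g"   # empty / unexposed (red) / exposed (green)
# Positions: locks L0..L3, arms A0,A1 (robot 0) and A2,A3 (robot 1), chucks C0,C1. Assumed
# topology: robot 0 serves L0,L1, robot 1 serves L2,L3, and every arm reaches both chucks.
LOCKS, ARMS, CHUCKS = ("L0", "L1", "L2", "L3"), ("A0", "A1", "A2", "A3"), ("C0", "C1")
POS = LOCKS + ARMS + CHUCKS
IDX = {p: i for i, p in enumerate(POS)}
ARM_LOCKS = {"A0": ("L0", "L1"), "A1": ("L0", "L1"), "A2": ("L2", "L3"), "A3": ("L2", "L3")}
LOCK_ARMS = {"L0": ("A0", "A1"), "L1": ("A0", "A1"), "L2": ("A2", "A3"), "L3": ("A2", "A3")}
PAIRS = [(l, a) for a in ARMS for l in ARM_LOCKS[a]] + [(a, c) for a in ARMS for c in CHUCKS]
EMPTY = (E,) * len(POS)
ALL_STATES = list(itertools.product((E, R, G), repeat=len(POS)))

def upd(s, changes):  # copy of state s with the given positions re-assigned
    t = list(s)
    for p, v in changes.items():
        t[IDX[p]] = v
    return tuple(t)
def successors(s):
    """One interleaved step of the 22 processes tl[i], move(lft, rgt) and exp[i]."""
    out = []
    for l in LOCKS:                                   # entry_exit: r enters, g leaves
        if s[IDX[l]] != R:
            out.append(upd(s, {l: R if s[IDX[l]] == E else E}))
    for lft, rgt in PAIRS:                            # move: r goes right, g comes back left
        if s[IDX[lft]] == R and s[IDX[rgt]] == E:
            out.append(upd(s, {lft: E, rgt: R}))
        if s[IDX[rgt]] == G and s[IDX[lft]] == E:
            out.append(upd(s, {rgt: E, lft: G}))
    for c in CHUCKS:                                  # expose: r becomes g
        if s[IDX[c]] == R:
            out.append(upd(s, {c: G}))
    return out
def needs(p, colour):
    """needs(p, c) of Sect. 3.3: positions a wafer of colour c at p may move to next."""
    if p in CHUCKS:
        return set(ARMS)                              # needs(chuck, r) = needs(chuck, g) = R
    if p in ARMS:
        return set(CHUCKS) if colour == R else set(ARM_LOCKS[p])
    return set(LOCK_ARMS[p]) if colour == R else set()  # an exposed wafer in a lock just exits
def has_circular_wait(s):
    """Definition 1 via Prop. 1: close {q} under needs_s and require every position reached
    to hold a wafer with a non-empty needs set."""
    for q in [p for p in POS if s[IDX[p]] != E]:
        closure, todo = set(), [q]
        while todo:
            p = todo.pop()
            if p in closure:
                continue
            nxt = needs(p, s[IDX[p]]) if s[IDX[p]] != E else set()
            if not nxt:
                break                                 # empty place or exiting wafer: no wait
            closure.add(p)
            todo.extend(nxt)
        else:
            return True                               # closure is filled and self-contained
    return False
def bfs(start, edges):
    seen, queue = {start}, deque([start])
    while queue:
        for t in edges(queue.popleft()):
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return seen
def deadlock_predicate(s):
    """Closed-form predicate derived here by hand (not the d1..d4 of Fig. 4): a side with both
    arms green and both locks red, or both chucks filled and each side all arms filled with (both arms red or both locks red)."""
    v = lambda p: s[IDX[p]]
    b, a = [], []
    for arms, locks in ((("A0", "A1"), ("L0", "L1")), (("A2", "A3"), ("L2", "L3"))):
        locks_r = all(v(l) == R for l in locks)
        b.append(all(v(x) == G for x in arms) and locks_r)
        a.append(all(v(x) != E for x in arms) and (all(v(x) == R for x in arms) or locks_r))
    return any(b) or (all(v(c) != E for c in CHUCKS) and all(a))
def dap_holds(reach, safe, succ):
    """'Stay safe' DAP: every successor of the empty state is safe and every other reachable
    safe state has a safe successor, so the controller can always pick a safe move."""
    return all(t in safe for t in succ[EMPTY]) and all(
        any(t in safe for t in succ[s]) for s in reach & safe if s != EMPTY)
# The deadlock of Sect. 2: unexposed wafers on all four arms, exposed ones on both chucks.
DEADLOCK_EXAMPLE = upd(EMPTY, {"A0": R, "A1": R, "A2": R, "A3": R, "C0": G, "C1": G})

def analyse():
    succ = {s: successors(s) for s in ALL_STATES}        # forward transition relation
    preds = {}
    for s, ts in succ.items():                            # and its inverse
        for t in ts:
            preds.setdefault(t, []).append(s)
    reach = bfs(EMPTY, succ.__getitem__)                  # Smv's reachable states
    safe = bfs(EMPTY, lambda t: preds.get(t, ()))         # Definition 3, backward search
    dead = {s for s in ALL_STATES if has_circular_wait(s)}
    return {"reachable": len(reach), "deadlocked": len(dead),
            "safe_iff_not_deadlocked": safe == set(ALL_STATES) - dead,
            "predicate_exact": all(deadlock_predicate(s) == (s in dead) for s in ALL_STATES),
            "example_is_reachable_deadlock": DEADLOCK_EXAMPLE in reach and DEADLOCK_EXAMPLE in dead,
            "dap_holds": dap_holds(reach, safe, succ)}
```

Running analyse() reproduces the 57,116 reachable states of Sect. 3.2 and shows that the circular-wait states are exactly the unsafe ones, so the short predicate is indeed a least restrictive DAP.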
Throughput analysis
The first objective for a controller of the EUV machine is to avoid deadlocks. In the previous section, using our Smv model, we synthesized a least restrictive control policy that achieves this. The second key objective for a controller of the machine of course is to maximize throughput. Our Smv model is not sufficiently detailed to address this issue since, for instance, relevant information about the delays in the locks and the speed of the robots has not been included. Also, the Smv model abstracts from the delays due to turning of the internal robots, measuring of wafers, and swapping of the chucks. Therefore, in this section, we present a more refined timed automata model [2, 3], which contains sufficient information to address the throughput issue.
In order to define and analyze our model, we used the Uppaal model checking tool. Uppaal supports modeling of systems in terms of networks of timed automata extended with blocking synchronization and bounded integer variables. Similarly to Smv, the semantics of a Uppaal model is defined by a transition system. In addition to the discrete part, the states also contain a real-valued clock valuation. For these models, the Uppaal model checker can decide a subset of timed computation tree logic (TCTL, see [1]). For a detailed account of Uppaal we refer to [5] and to http://www.uppaal.com.
After presenting the Uppaal model of the EUV machine in Sect. 4.1, we discuss the relationship between 
UPPAAL model
The Uppaal model of the EUV machine contains the same state variables as the Smv model for the positions in the machine: arrays l, rb and c, which may take the same values e, r and g to indicate that a position is respectively empty, filled with an unexposed wafer, or filled with an exposed wafer. In addition, the Uppaal model has a number of Boolean state variables to ensure "physical integrity":
- For each lock id there is a Boolean lbt[id] which is true iff either the pressure in the lock is not atmospheric or a trackrobot is busy loading or unloading a wafer.
- Similarly, for each lock id there is a Boolean lb[id] which is true iff either the lock is not vacuum or an internal robot is busy loading or unloading a wafer.
- For each chuck id there is a Boolean cb[id] which is true iff either an internal robot is accessing chuck
The model consists of 12 automata, of which 11 model physical components of the machine: the trackrobot, the four locks, the four robotarms (two for each of the robots), and the two chucks. These automata move wafers around with certain delays and according to the material paths as specified in Sect. 2. An additional automaton, the observer, is used for throughput optimization.
Within the model a number of timing parameters are used. Figure 5 lists the values for these parameters that were provided by the designers of the machine.
Below, the individual timed automaton templates of the model are explained. Each template has a local clock x. Figure 6 shows the trackrobot process. Initially, the trackrobot is ready to load a wafer to a lock. From its initial location, the trackrobot may move instantaneously to a location where it is ready to unload a wafer from a lock, but the reverse transition takes time TR1. When the trackrobot is ready to load, it may actually start loading a wafer to one of the four locks, provided the lock is empty and has atmospheric pressure. Similarly, when the trackrobot is ready to unload, it may start to unload a wafer from one of the locks, provided the lock contains a processed wafer and has atmospheric pressure (which is governed by the lbt variables). Upon finishing an unload operation the trackrobot synchronizes over the channel unload with the observer (which is explained below), and after TR2 time units returns to its initial state. Figure 7 shows the Uppaal template for a lock. It has one parameter id that provides the identity of this lock. Initially, a lock has atmospheric pressure. A lock may start depressurizing if the trackrobot is not busy with it. Similarly, if a lock is vacuum, it may start pressurizing if the internal robot is not busy with it.
There are two internal robots in the system, each equipped with two arms. Initially, one arm points at the chucks and the other arm points at the locks. An internal robot may turn, which interchanges the positions of the arms. Figure 8 shows the Uppaal template for a robotarm that initially points at the locks. This template has four parameters: a constant id that identifies the internal robot to which the arm belongs, two constants l0 and l1 that identify the locks to which the robotarm has access, and a channel turn. When a robotarm is at the locks, then it can get a wafer from a lock (L02R and L12R), or it can put a wafer in a lock (R2L0 and R2L1). Of course, it can only perform these actions if the lock is vacuum, and if the wafer flow is as specified in Sect. 2. Similarly, when a robotarm is at the chucks then it can load/unload a wafer to/from the chuck that is at the measure location. The cb variables are used to ensure that only one robotarm has access to the chuck at a time and that the chuck cannot execute a transition while the robotarm is loading/unloading a wafer. The template for the type of robotarm that initially points at the chucks is very similar. It has another initial location, namely at_chuck, and it uses the "receiving" part of the channel (turn?) for proper synchronous turning of the two arms.
Figure 9 shows the Uppaal process for the chuck that initially is in the "measure" position. Like the robotarms, the chucks can simultaneously swap by synchronization over the channel swap. The cb variables are used by the chucks and the robotarms to prevent faulty behavior: (1) a robot can only access a chuck if it is in the measure position and not measuring (thus, the chuck must be in location measure), and (2) when a robot is accessing a chuck, then the chuck may not perform any transitions. Each chuck has a local Boolean variable m which is true iff there is a measured wafer on the chuck; only a measured wafer can be exposed. The process for the chuck that initially is in the expose position is almost identical. It has expose as initial location, and it uses the "receiving" part of the channel (swap?) for proper synchronous swapping of the chucks.
Finally, Fig. 10 shows the observer process which, as we will explain in more detail in Sect. 4.3, is used to ensure progress in the model. This process measures the time until the first wafer exits the system (this is signaled by the trackrobot over the channel unload) in location L0, and the time between two consecutive unload events in location L1 using its local clock x.
Bisimulation between SMV and UPPAAL models
Clearly, there is a relationship between the Smv model and the Uppaal model. The Smv model is an abstraction of the Uppaal model, with the property that every transition in the Uppaal model can be simulated in the Smv model, and vice versa. Formally, the relationship between the two models can be expressed as a stuttering bisimulation relation in the sense of [8]. Stuttering bisimulations are defined in terms of Kripke structures, an extension of transition systems in which each state is associated with a set of atomic propositions that hold in that state. In this paper, we let AP be the set of equations of the form p = v, where p is a position in the EUV machine and v ∈ {e, r, g}. For the transition systems induced by the Smv and Uppaal models, the labeling is obvious: we label a state s with p = v iff this equation holds in s. For the Smv model the labeling function is injective: different states have different labels. For the Uppaal model this is clearly not the case.
A stuttering bisimulation relates the states from two Kripke structures. Initial states are related, and related states are labeled with the same proposition symbols. If two states are related and from one state a transition is possible, then it should be possible to simulate this transition from the related state, after first doing zero or more stuttering transitions, i.e., transitions that do not change the labeling.
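The conditions just described, checked mechanically on a constructed miniature instance. This is an added example, not part of the paper: a two-state Smv-like abstraction of a single lock (labels lock=e, lock=r) and a four-state Uppaal-like refinement whose (de)pressurization steps are stuttering steps. The transfer condition implemented (a step is matched after zero or more stuttering steps that stay related to the source state) is my reading of the informal description above; the state names, the relation REL and the deliberately broken variant are all assumptions made for the example.

```python
from dataclasses import dataclass
@dataclass
class Kripke:                  # constructed example, not the paper's models
    init: str
    succ: dict                 # state -> set of successor states
    label: dict                # state -> frozenset of propositions, e.g. "lock=e"
def _simulates(s, s2, t, k_t, rel):
    """Can t answer the step s -> s2 after zero or more stuttering steps (t -> u with (s, u)
    in rel)? Yes if s2 is related to a state on that path, or a state on the path steps to t2 with (s2, t2) in rel."""
    seen, todo = set(), [t]
    while todo:
        u = todo.pop()
        if u in seen:
            continue
        seen.add(u)
        if (s2, u) in rel:                 # the s-step was itself a stutter
            return True
        for v in k_t.succ[u]:
            if (s2, v) in rel:             # matching label-changing step
                return True
            if (s, v) in rel:              # stutter on t's side: keep searching
                todo.append(v)
    return False

def is_stuttering_bisimulation(k1, k2, rel):
    """rel: set of (s, t) pairs, s a state of k1 and t a state of k2."""
    if (k1.init, k2.init) not in rel:      # initial states must be related
        return False
    inv = {(t, s) for s, t in rel}
    for s, t in rel:
        if k1.label[s] != k2.label[t]:     # related states carry the same labels
            return False
        if not all(_simulates(s, s2, t, k2, rel) for s2 in k1.succ[s]):
            return False
        if not all(_simulates(t, t2, s, k1, inv) for t2 in k2.succ[t]):
            return False
    return True

def abstract_lock():
    # Smv-like view: only the lock's contents matter (e = empty, r = raw wafer)
    return Kripke("A_e", {"A_e": {"A_r"}, "A_r": {"A_e"}},
                  {"A_e": frozenset({"lock=e"}), "A_r": frozenset({"lock=r"})})
def concrete_lock(broken=False):
    # Uppaal-like view: atm_/vac_ record the pressure; (de)pressurizing is a stutter
    succ = {"atm_e": {"atm_r"}, "atm_r": {"vac_r"}, "vac_r": {"vac_e"}, "vac_e": {"atm_e"}}
    label = {s: frozenset({"lock=" + s[-1]}) for s in succ}
    if broken:  # constructed defect: a label change that no abstract step can match
        succ["vac_r"].add("vac_g"); succ["vac_g"] = set(); label["vac_g"] = frozenset({"lock=g"})
    return Kripke("atm_e", succ, label)
REL = {("A_e", "atm_e"), ("A_e", "vac_e"), ("A_r", "atm_r"), ("A_r", "vac_r")}
```

With the defect enabled, the step vac_r -> vac_g changes the labeling but has no counterpart in the abstraction, so the check rejects REL.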
Definition 5 (Stuttering bisimulation)
A stuttering bisimulation between Kripke structures (S, s_init, →, l) and
Transfer property (3) follows by inspection of all the transitions in the Uppaal model: each transition either does not affect the labeling, in which case it can be simulated by a stuttering transition in the Smv model, or it does affect the labeling, but then a process in the Smv model is enabled that results in the same change of labels.
Proving transfer property (4) is somewhat more involved. We need a number of auxiliary invariants on the Uppaal model. These include the integrity constraints mentioned at the beginning of Sect. 4.1 that restrict the values of the Booleans lbt[id], lb[id] and cb[id]. Also, we need some obvious invariants that relate the locations of connected robotarms, and the locations of the two chucks. The full set of invariants is listed in the file EUV-invariants.q which is available at http://www.cs.ru.nl/ita/publications/papers/martijnh/. The state space of the Uppaal model is too big to establish these invariants directly. However, we were able to prove them automatically for an abstraction of the model in which we remove all clock variables, the arrays l, rb and c, as well as all references to these variables in transitions and locations. This is a valid abstraction in the sense that each invariant of the abstract model also holds for the original full Uppaal model.
A key observation in the proof of transfer property (4) is that from any reachable state of the Uppaal model we can drive the system back to its initial state (except for the values of arrays l, rb and c, the values of the local clocks x and the value of the m variables) by doing stuttering steps only. More specifically, let ρ be the mapping from states of the Smv model to states of the Uppaal model such that, for any r, in state ρ(r) the values of arrays l, rb and c are equal to the values in r, and all locations and Boolean variables have their initial value, except the two m variables, which are true iff the corresponding chuck contains an unprocessed wafer. Then we claim that, for any reachable state s of the Uppaal model with π(s) = r, there exists a path with only stuttering steps from s to a state which, up to the values of local clocks, is equal to ρ(r). To see why this claim holds, first observe that each process in a non-quiescent location (a location with a nontrivial invariant) may evolve to a quiescent state by some stuttering transitions with guards that only refer to the local clock x, and (possibly) with synchronization output labels (!) for which a corresponding input (?) is always enabled. After all processes have reached a quiescent state we can, one by one, drive each process back to its initial location:
1. The trackrobot has only two quiescent locations: ready to load and ready to unload. Via two successive internal transitions, we can drive the trackrobot from ready to unload to ready to load in time TR1.
2. Each lock has two quiescent locations, corresponding to atmospheric pressure and vacuum. If a lock id is vacuum then, since the robotarms are in a quiescent state, the invariants imply !lb[id]. Hence we can drive the lock to its initial location (atmospheric pressure) via two successive transitions in time PRES.
3. In order to bring the robotarms to their initial location, we may need to turn them around. The invariants for the robotarms imply that we can bring all arms to their initial location simultaneously.
4. For the chucks, we also have to ensure that m is true in case a chuck contains an unprocessed wafer. This can be achieved by driving the automaton through the measuring location, which may require swapping of the chucks. After the m variables have been set to the appropriate value, we may need to swap the chucks again. The invariants for the chucks imply that we can bring both chucks to their initial location.
If all processes are in their initial location, then the invariants imply that also the Boolean arrays lb, lbt and cb have their initial values. From this the claim follows. Next, we claim for any state r of the Smv model that if r enables some transition, this transition can be simulated from ρ(r), possibly after some stuttering steps. This follows from a routine case distinction. For instance, a transition moving a wafer from lock 0 to an internal robot can be simulated by first depressurizing lock 0, possibly turning the robotarm, and then moving the wafer to the robot via the transition to location L02R. We leave it to the reader to check the details of all the cases.
The significance of the above result stems from the fact that the validity of CTL formulas without the next-time operator (i.e., all the formulas used in this paper) is preserved by stuttering bisimulation equivalence (see [8]). Thus, all the results on deadlock avoidance established using Smv in Sect. 3 carry over to the Uppaal model. It is not possible to obtain these results directly using the Uppaal tool since (a) Uppaal does not support full CTL, and (b) the state space of the Uppaal model is so big that it cannot be fully explored.
Finding an optimal schedule
As mentioned above, the process of Fig. 10 observes unload events. It starts in location L0 and upon the first unload event it resets its local clock x and enters location L1. In location L1 the clock is reset whenever an unload event takes place.
The observer is used to find an infinite schedule that takes at most H time units until the first unload event, and that has at most S time units between two unload events. Such a schedule is specified by the following TCTL property that can be checked by Uppaal.
If this property is satisfied, then Uppaal can return an example execution that consists of a path followed by a cycle. Such an execution thus gives an infinite control schedule for the wafer scanner with a stationary throughput of at least one wafer per S time units. Unfortunately, the size of the reachable state space prevents Uppaal from finding such an execution directly. We therefore added heuristics to the model to prune the state space:
1. The DAP derived in the previous section has been used to avoid unsafe material configurations of the machine.
2. Some transitions are useless (or suboptimal) in certain states; e.g., an internal robot can always turn, but this is useless if it does not hold wafers. The state space has been reduced by adding guards that prevent such useless behavior.
3. The optimal behavior of the locks in the initial phase (the filling of the machine) differs from their optimal behavior in the stationary phase. Therefore, a heuristic has been added to enforce this difference: a lock can pressurize when it contains either an exposed wafer, or it is empty and the machine is not yet filled with enough wafers to be in the stationary state.
4. Some transitions have been made urgent (greedy): they must be taken as soon as they are enabled. For instance, if the DAP allows loading a wafer to a lock, then this must be done immediately.
(Schedule figure legend: R01, R00, C1, C0, C2R, DEPRES, EXPO, L2R, L2T, MEAS, PRES, R2C, R2L, SWAP, SWITCH, T2L, TURN.)
Note that using urgent transitions without the DAP may be an unwise idea, since this can result in many deadlocks with the effect that an execution satisfying Property 2 does not exist anymore in the model. Also note that at least the last three heuristics may remove good schedules.
A lower bound on the time until the first unload event, min_h, can easily be derived from the model. It is also easy to see that the minimal separation time between exposed wafers that appear at the chuck that is in the measure position (and can therefore be picked up by an internal robot) equals
where the former is the time needed for the expose operation and the latter is the time needed for the chuck swap. Therefore, the theoretical maximal stationary throughput of the machine is at most one wafer per min_s time units. For the Uppaal model with heuristics it is possible to find (in almost no time) an execution that satisfies Property 2 for a value of H that is 5% larger than min_h and for S = min_s. This execution was found by minimizing the values of H and S in Property 2 such that it can still be fulfilled. Figure 11 shows this schedule, which thus optimizes the stationary throughput of the EUV machine.
It took only little effort to change the Uppaal model in order to analyze two alternative machine designs with respect to throughput. In the first design alternative, the incoming wafers have been restricted to the upper two locks and the outgoing wafers to the lower two locks, in order to prevent deadlock a priori (see Sect. 2). Note that one lock has a wafer throughput of one wafer per min_l = LOAD + PRES + DEPRES + L2R_T time units, where LOAD is the time needed by the track robot to place a wafer in the lock, (DE)PRES is the time needed to (de)pressurize a lock, and L2R_T is the time needed by an internal robot to grab a wafer from a lock. Thus, two locks have a throughput of at most one wafer per min_l/2 time units. We are able to find a schedule for a value of H that is 11% larger than min_h and for S = min_l/2. Therefore, this schedule optimizes the stationary throughput of this alternative machine layout. To conclude, the optimal stationary throughput is 61% smaller than the optimal stationary throughput of the original machine, and not …. Figure 12 shows this alternative schedule. The second design alternative consists of only two locks and one internal robot. Again, an upper bound on the throughput of this machine is one wafer per min_l/2 time units. The throughput loss compared to the original machine is thus at least 61%. However, the best schedule we have been able to find with Uppaal has a stationary throughput that is 83% worse than the optimal schedule for the original machine. Figure 13 shows this alternative schedule.
Conclusions
The Smv model checker has successfully been used to characterize the set of safe states of the EUV machine. This characterization consists of a very short Boolean expression over the places in the machine and is useful for the design of an actual controller, since deadlock can easily be avoided by examining the possible successor states of the current state. Since the characterization is exact, the controller implements a least restrictive (optimal) deadlock avoidance policy.
Furthermore, we used the Uppaal model checker to compute infinite schedules for the EUV machine that optimize stationary throughput. It took little effort to change the Uppaal model in order to analyze two alternative machine designs. In theory, our approach can be applied to a broad class of resource allocation systems. As always when using model checking, the state space explosion is the main problem for scalability.
Altogether, in our view, the present work nicely illustrates the usefulness of model checking techniques to support the design process of applications that involve resource allocation and scheduling. Building models that are just abstract enough for addressing a specific question often provides a good way to deal with the state space explosion problem.
A nice topic for future research would be to add probabilities to the picture. The timing of the various robot and exposure operations in the EUV machine is known very precisely and exhibits minimal variability. So for these operations our deterministic model appears to be the right choice. However, the delay involved in the operation of the locks (pressurization and depressurization) is variable and for this a stochastic model makes sense. It would be interesting to carry out an analysis along the lines of [6] in which the quality of schedules that we computed using Uppaal is assessed with respect to timeliness, utilization of resources and sensitivity to different assumptions about the stochastic behavior of the EUV machine.
