A Modular Verification Framework Based on Finite & Deterministic DEVS

Moon Ho Hwang and Bernard P. Zeigler
Arizona Center for Integrative Modeling and Simulation, Electrical and Computer Engineering Department, The University of Arizona, Tucson, AZ 85721, USA
{mhhwang, zeigler}@ece.arizona.edu

Keywords: Discrete Event System Specification (DEVS), Finite and Deterministic DEVS, Modular Verification Framework, Illegal Behavior, Legal Behavior;

Abstract
In order to check if the system behavior satisfies the requirement set, this paper uses a class of DEVS, called finite & deterministic DEVS (FD-DEVS). Since the infinite state behavior of FD-DEVS networks can be abstracted as a finite reachable graph, this paper utilizes the reachable graph structure to check the emptiness of illegal behavior detected by checkers, called rejectors, as well as the non-emptiness of legal behavior generated by components under testing.

I. Introduction
Hierarchical and modular system modeling functionality has been strongly demanded [8] so Discrete Event System Specification (DEVS) has been evolved from a non-hierarchical formalism [13] to a hierarchical and modular one [14]. This formalism has been intensively researched from the viewpoint of simulation and execution over past 30 years [15]. In spite of the advantage of DEVS’s hierarchical and modular modeling capability, the verification method based on DEVS has been successful only recently, by abstracting the infinite state behavior of DEVS [6].

In order to check if the system behavior satisfies the requirement set, this paper uses a class of DEVS, called finite & deterministic DEVS. Since the infinite state behavior of FD-DEVS networks can be abstracted as a finite reachable graph[7], this paper utilizes the reachable graph structure to check the emptiness of illegal behavior detected by checkers, called rejectors, as well as the non-emptiness of legal behavior generated by components under testing.

This paper is organized as follows. Section II defines the time event segment and its concatenation operation. The formal definition of FD-DEVS is given from the view points of the atomic model as well as the coupled model in Section III. Section IV introduces the language of FD-DEVS as a set of event segments to reach an acceptance state. Thus we will check if the illegal language is empty as well as the legal language is not empty. Section V illustrates a verification example using an intersection traffic light control. Section VI summarizes contributions of our proposed framework. Finally, conclusions and further research directions are given in Section VII.

II. Timed Event Segment
Given an arbitrary event set $Z$ and a time based $\mathbb{T} = \mathbb{R}_{[0,\infty]} \overset{def}{=} \{t|0 \leq t \leq \infty\}$, a timed event is defined as a pair of $(t, \bar{a})$ such that $t \in \mathbb{T}$ and $\bar{a} \in Z^*$ is an event string, where $Z^*$ is the Kleene closure of $Z$ [5]. The Kleene closure of an event set $Z$ is a set of all finite length of strings over $Z$, for example $Z = \{a, b\}$, then $Z^* = \{\epsilon, a, b, aa, ab, bb, aab, aba, \ldots\}$ where $\epsilon$ denotes the empty string or the nonevent. Therefore, an event trajectory $\omega : \mathbb{T} \rightarrow Z^*$ is used for describing all timed events over the time horizon from 0 to $\infty$. For example, the event trajectory $\omega = (t_1, b)(t_2, aab)$ is $\omega(t) = b$ for $t = t_1$; $\omega(t) = aab$ for $t = t_2$; $\omega(t) = \epsilon$ otherwise. If the number of events in an event trajectory $\omega$ is denoted by $|\omega|$, for $\omega = (t_1, b)(t_2, aab)$, $|\omega|=4$. Obviously, $|\epsilon|=0$.

We define the all possible events over $Z$ at all times as $\Omega_Z = \mathbb{T} \times Z^*$. An event segment can be defined from a time interval $[t_i, t_u]$ and the domain function, $dom$ is a map from an event segment to its observation interval. An event segment in $\Omega_Z[t_i, t_u]$ can be written as $\omega[t_i, t_u]$ or $\omega : [t_i, t_u] \rightarrow Z^*$ such that $dom(\omega[t_i, t_u]) = [t_i, t_u]$.

Sometimes we omit the observation interval such as $\omega \in \Omega_Z$ if $dom(\omega) = [0, \infty]$ or $dom(\omega)$ is not important.

Given two time events $(t, ab)$ and $(t, ba)$ at a time $t$, the concatenation of $(t, ab)$ and $(t, ba)$ is $(t, ab)(t, ba)$ and it can be also written as $(t, abba)$. A pair of con-
tiguous segments \( \omega_1 \in \Omega_Z[t_1, t_2] \) and \( \omega_2 \in \Omega_Z[t_2, t_3] \), the concatenation of \( \omega_1 \) and \( \omega_2 \) is defined as a form of \( \omega_1 \cdot \omega_2 : [t_1, t_3] \rightarrow \Omega^* \) such that \( \omega_1 \cdot \omega_2(t) = \omega_1(t) \) for \( t \in [t_1, t_2] \); \( \omega_1(t) \cdot \omega_2(t) = \omega_2(t) \) for \( t = t_2 \); \( \omega_1 \cdot \omega_2 (t) \) for \( t \in [t_2, t_3] \); If there is no confusion, we will omit ‘.’ so \( \omega_1 \cdot \omega_2 \) is the same as \( \omega_1 \cdot \omega_2 \).

The empty segment within \([t_1, t_u]\), denoted by \( \epsilon_{[t_1, t_u]} \), is that \( \omega(t) = \epsilon \) for \( t \in [t_1, t_u] \). Since \( \epsilon \) is the identity of concatenation of events [5], i.e., \( \epsilon \cdot \omega = \omega \) where \( \omega \in Z \), if \( \omega = \epsilon_{[t_1, t]}(t, z) \epsilon_{[t, t_u]}(z) \) where \( t \in \text{dom}(\omega) = [t_1, t_u] \) and \( z \in Z \), it can be simply written as \( \omega = (t, z) \).

### III. FD-DEVS

#### A. Atomic FD-DEVS

1) Definition of Atomic FD-DEVS: An atomic FD-DEVS is a 9-tuple,

\[
M = < X, Y, S, s_0, \tau, \delta_x, \rho, \delta, \lambda >
\]

where,

- \( X \) and \( Y \) are finite sets of input and output events, respectively such that \( X \cap Y = \emptyset \).
- \( S \) is a non-empty and finite state set.
- \( s_0 \in S \) is the initial state.
- \( \tau : S \rightarrow \mathbb{Q}_{[0, \infty]} \) is the time advance function where \( \mathbb{Q}_{[0, \infty]} \) denotes a set of non-negative rational numbers with infinity.
- \( \delta_x : S \times X \rightarrow S \) is the external transition function.
- \( \rho : S \times X \rightarrow \mathbb{B} \) is the reschedule-indicating function that returns 1 when a reschedule is needed; otherwise, returns 0.
- \( \delta : S \rightarrow S \) is the internal transition function.
- \( \lambda : S \rightarrow Y \cup \{ \epsilon \} \) is the internal output function. \( \square \)

Notice that \( \delta_x \), \( \delta \), and \( \lambda \) are partial functions that can be defined for some elements in the domain.\(^2\)

2) State Transition of Atomic FD-DEVS: Given \( M = < X, Y, S, s_0, \tau, \delta_x, \rho, \delta, \lambda > \), the total state set considers the schedule \( t_s \) and its elapsed time \( e \) as well as state \( s \) such that

\[
Q = \{(s, t_s, e) | s \in S, t_s \in \mathbb{Q}_{[0, \infty]}, 0 \leq e \leq t_s \}
\]

From the total state set \( Q \) and the total event set \( Z = X \cup Y \cup \{ \epsilon \} \), the total state transition function \( \delta : Q \times Z \rightarrow Q \) maps to other total state. For \((s, t_s, e) \in Q \) where \( t_s \in \mathbb{Q}_{[0, \infty]} \) and \( z \in Z \),

\[
\delta((s, t_s, e), z) = (s', t'_s, e')
\]

where

\(^3\)In this paper \( f(\ldots) \vdash \) denotes that \( f(\ldots) \) is defined for any partial function \( f(\ldots) \). For example, \( \delta_x(s, z) \vdash \) means that \( \delta_x(s, z) \) is defined.

---

[Fig. 1. (a) Lights Configuration (b) Controller FD-DEVS (c) Mutual Exclusion Rejector (d) The Verification Frame]

[\[\text{External Transition}\] For \( z \in X \), \((s', t'_s, e') =
\begin{align*}
&\{\delta_x(s, x), \tau(\delta_x(s, x)), 0\} & \text{for } \delta_x(s, z) \vdash \rho(s, z) = 1 \\
&\{\delta_x(s, x), t_s, e\} & \text{for } \delta_x(s, z) \vdash \rho(s, z) = 0 \\
&\{s, t_s, e\} & \text{otherwise}
\end{align*}
\]

[\[\text{Internal Transition}\] For \( z \in Y \cup \{ \epsilon \} \), \((s', t'_s, e') =
\begin{align*}
&\{\delta_x(s, z), \tau(\delta(s, z)), 0\} & \text{for } z = \lambda(s), e = t_s \\
&\{s, t_s, e\} & \text{undefined} \\
&\{s, t_s, e\} & \text{otherwise}
\end{align*}
\]

3) Execution of Atomic FD-DEVS: An execution of an atomic FD-DEVS \( M \) is a sequence of state changes from \( q \in Q \) according to a sequence of I/O events. Formally, an execution is defined as \( \Delta : Q \times \Omega_Z \rightarrow Q \); For \( q = (s, t_s, e) \in Q, \omega, \omega' \in \Omega_Z[0, t], t \in T \) and \( z \in Z^e \)

\[
\Delta((s, t_s, e), \omega) = \begin{cases} \\
\delta((s, t_s, e + t), z) & \text{for } \omega = \epsilon_{[0, t]}(t, z), \delta_1 \vdash \\
\delta(\Delta(q, \omega'_{[0, t]}), z) & \text{for } \omega = \omega'_{[0, t]}(t, z), \delta_2 \vdash \\
\text{undefined} & \text{otherwise}
\end{cases}
\]

where \( \delta_1 \) and \( \delta_2 \) means \( \delta((s, t_s, e + t), z) \) and \( \delta(\Delta(q, \omega'_{[0, t]}), z) \), respectively.

**Example 1:** Let’s consider a cross road system in which there are two lights: \( \circ \) for green and \( \bigcirc \) for walk, as shown in Figure 1(a). Figure 1(b) shows an atomic FD-DEVS, CRC that controls \( \circ \) and \( \bigcirc \) lights. The formal model of CRC is: \( X = \{p\}; Y = \{g: 0, g: 1, w: 0, w: 1\} \) where ports \( g \) and \( w \) stand for
“green” and “walk”, while values 0 and 1 for “off” and “on”, respectively; $S=\{10,11, G, GR, WW, DW\}$
where $10$ and $11$ are initial states, $G$ stands for “green on”, $GR$ for “green to red”, $WW$ for “walking for walk on”, $WW$ for “don’t walk”; $\tau(10)=\tau(11)=0$, $\tau(G)=10$, $\tau(10)=5$, $\tau(11)=2\tau(w)=26$, $\tau(DW)=2$; $\delta(10)=\delta(11)=G$, $\delta(G)=G$, $\delta(10)=W$, $\delta(11)=D$, $\delta(G)=D$; $\delta(10)=W$, $\delta(11)=D$, $\delta(G)=D$; $\delta(10)=W$, $\delta(11)=D$, $\delta(G)=D$.

\[\delta(i(t), t_{si}, t_{ei}, i(t)) =\] for $z \in \bigcup_{M \in D} Y_i \cup \{\epsilon\}$

and $\lambda_{i^*}(s_{i^*}) = z$.

\[\delta((s_i(t), t_{si}, t_{ei}, i(t)), z) \] for $M_i = M_{i^*}$,

\[\delta((s_i(t), t_{si}, t_{ei}, i(t)), z) \] for $(z, x_i) \in C_{yx}$

otherwise

However, if $z \in \bigcup_{M \in D} Y_i \cup \{\epsilon\}$, $c \neq t_{si}$, or $\lambda_{i^*}(s_{i^*}) \neq z$, then $(s_i(t), t_{si}, e')$ is undefined because $\delta((s_i(t), t_{si}, e_i), z)$ is undefined.

3) Execution of Coupled FD-DEVS: Similar to the atomic FD-DEVS, an execution of a coupled FD-DEVS $N$ from $q \in Q$ with $\omega \in \Omega$ is defined as $\Delta : Q \times \Omega \rightarrow Q$. For $q = (\ldots, q_i, \ldots)$ where $q_i = (s_i(t), t_{si}, e_i) \in Q_i$, $z \in Z$ and $\omega, \omega' \in \Omega_{Z[0, t]}$, $\Delta(q, \omega) =\] for $\omega = e_{[0,t]}(t, z), \delta_1 \vdash \] for $\omega = e_{[0,t]}(t, z), \delta_1 \vdash \] for $\omega = e_{[0,t]}(t, z), \delta_2 \vdash \] undefined

otherwise

where $\delta_1$ and $\delta_2$ means $\delta((\ldots, s_i(t), t_{si}, e_i+1), \ldots, z)$ and $\delta((\ldots, q_i, \omega_{[0,t]}), \ldots, z)$, respectively.

IV. Verification Framework

This paper focuses our interest on a segment $\omega \in \Omega_Z$ such that $|\omega| = \infty$ and $dom(\omega) = [0, \infty)$ because our interesting system is a live system that works forever. For $\omega$ s.t. $|\omega| = \infty$, since FD-DEVS has finite states, the resulting $\Delta(q_0, \omega)$ can either stay at a $q' \in Q$ whose $\tau(q') = \infty$ or move around in the set of state in a transition loop. Both cases can be seen as staying at a strongly connected components that we will talk about from now on.

A. Behavior of Atomic FD-DEVS

Given a total state $q \in Q$, $q$ is said to be reachable to $q' \in Q$ if $\exists \omega \in \Omega_Z$ such that $\Delta(q, \omega) = q'$. The strong components (or strongly connected components) of $q \in Q$ is the maximal set whose every element is reachable to $q$, and vice versa. Formally, the strong components of $q$ is defined by a function $SC : Q \rightarrow 2^Q$ such that

$SC(q) = \{q' | \omega, \omega' \in \Omega_Z : \Delta(q, \omega) = q', \Delta(q', \omega') = q\}$

For example, in CRC of Figure 1 (b), $SC((1,1,0,0)) = \{((1,1,0,0))\}$ and $SC((G,10,0,10)) = \{(G,10,0,10), (GR,5,0,5), (W,2,0,2), (W,26,0,26), (W,2,0,2)\}$. To define a set of goals in our model easily, we would use the discrete state $s \in S$ rather than a total set $q \in Q$. To drop time information from a total state $q = (s, t, e) \in Q$, we use the discrete state of $q$ as $\text{disc-s}(q) = s$. The $\text{disc-s}$ is also overloaded as a function $\text{disc-s} : 2^Q \rightarrow 2^S$ such that for $Q' \subseteq Q$,

$\text{disc-s}(Q') = \{s | (s, t, e) \in Q'\}$
For example, in CRC of Figure 1(b), disc-

s(SC((G,10,[0,10]))={q, GR, WM, W, DW}

Given a pair of (M, A) where M is an atomic FD-

DEVS and A ⊆ S is its acceptance states, the behavior
(or language) of (M, A) is defined as

\[ L(M, A) = \{ \omega \in \Omega_Z | disc-s(SC(\Delta(q_0, \omega))) \cap A \neq \emptyset \} \]

In other words, the language of (M, A) is the set of all possible segments that reach \( s \in A \) infinitely often. Let \( A=\{\omega\} \) for CRC shown in Figure 1(b), then \( L(CRC, A) = \{ \omega | \omega=(0,0,0), (t_i+3, t_i+7, 1)(t_i+33, ) \} \) where \( i = 0 \) to \( \infty \).

B. Behavior of Verification Frame

If a coupled FD-DEVS N is built for verification of a system, the components D of N may consist of two disjointed components: components under testing and tester, called rejectors. A rejector is supposed to have its acceptance states as bad situations. If there is no event segment that leads any rejector to reach a bad situation, behaviors of components under testing can be legal behavior unless there no component under testing cannot reach its acceptance state. Thus, we need to show that no rejectors reach bad situations while also showing that all components under testing can reach their acceptance states.

Suppose that N is a verification frame N whose subcomponents D consists of a set of components under testing \( D_T \) and a set of rejectors \( D_R \) such that \( D = D_T \cup D_R \) and \( D_T \cap D_R = \emptyset \) while the set of acceptance states of N is the n-tuple \( A = < \ldots, A_i, \ldots > \) where \( n = |D| \) and \( A_i \) denotes the set of acceptance states of \( M_i \in D \). The projected discrete states from \( Q' \) with \( i \) for a set of total states \( Q' \subseteq Q \) is

\[ disc-s(Q', i) = \{ s_i \in S_i | (\ldots, (s_i, t_{si}, e_i), \ldots) \in Q' \} \]

Then, the illegal behavior (or illegal language) is defined as \( L_R(N, A) = \{ \omega \in \Omega_Z | \exists M_i \in D_R : disc-s(SC(\Delta(q_0, \omega)), i) \cap A_i \neq \emptyset \} \)

where \( q_0 = (\ldots, q_0) \ldots \) is the initial total state of N such that for all \( M_i q_0 = (s_{0i}, \tau(s_{0i}), 0). \) In other words, \( L_R(N, A) \) is a set of segments that lead at least one rejector to reach a bad situation.

In addition, the behavior (or language) of components under testing is defined as \( L_T(N, A) = \{ \omega \in \Omega_Z | \forall M_i \in D_T : disc-s(SC(\Delta(q_0, \omega)), i) \cap A_i \neq \emptyset \} \)

Thus \( L_T(N, A) \) is a set of segments that make all components under testing reach an acceptance state infinitely often.

A pair of \( (N, A) \) is said to be accepted if \( L_R(N, A) = \emptyset \) and \( L_T(N, A) \neq \emptyset \).

C. Decidability of \( (N, A) \) Acceptance

For checking if \( L_T(N, A) \neq \emptyset \) and \( L_R(N, A) = \emptyset \), to generate all possible segments in \( \Omega_Z \) might be impossible because the number of segments under testing can be infinite.

Instead of generating all segments directly, we can use the graph structure of all possible transitions of FD-

DEVS. This paper utilizes a finite reachable graph for FD-DEVS networks. The finite reachable graph of a coupled FD-DEVS, \( N =< X, Y, D, C_{xx}, C_{yx}, C_{yy} > \) is define as

\[ RG(N) =< Z, V, v_0, E > \]

where

- \( Z = X \cup Y_i \cup \{ \epsilon \} \) is the set of triggering events.
- \( V \) is a set of zones. A zone \( v = (((s_i, t_{si}), \ldots), D) \) consists of a state-scheduler vector \( (((s_i, t_{si}), \ldots), \) and a clock zone \( D). \)
- \( v_0 \in V \) is the initial zone such that \( v = (((s_0i, \tau(s_{0i})), \ldots), D^0) \) where \( D^0 \) is the initial clock zone.
- \( E \subseteq V \times Z \times V \) is a transition relation that satisfies the following property: For \( q = (((s_i, t_{si}, e_i), \ldots), D), \forall e_i \in D \) and \( z \in Z, \)

\[ \delta(q, z) = q' \iff (v, z, v') \in E \]

such that \( v = (((s_i, t_{si}, e_i), \ldots), D), \forall e_i \in D \) and \( v' = (((s_i', t_{si}', e_i'), \ldots), D'), \forall e_i' \in D'. \)

A transition path is a state transition sequence caused by an event sequence \( z = z_0 z_1 \ldots z_n \in Z^* \) from the initial vertex \( v_0 \) to \( v \) and we denote it as \( v_0 \stackrel{z}{\rightarrow} v_n \) if \( (v_0, z_0, v_1) \in E, \ldots, (v_{n-1}, z_n, v_n) \in E. \) To define the infinite length of transition sequence, we define strong components of \( v \in V \) again. \( SC : V \rightarrow 2^V \) defines a strong components of \( v \) such that

\[ SC(v) = \{ v' | \exists z, z' \in Z^*, v \stackrel{z}{\rightarrow} v', v' \stackrel{z'}{\rightarrow} v \} \]

The kernel directed and acyclic graph (shortly kernel DAG) of a graph G is used in checking the emptiness of the illegal behavior. The kernel DAG of \( RG(N) \) is

\[ K(RG(N)) =< V, E > \]

where

- \( V \) is the set of SC(v) for each \( v \in V \) of \( RG(N) \). In particular, \( v_0 = SC(v_0) \) is the initial node.
- \( E \subseteq V \times V \) is the set of arcs such that \( (v_1, v_2) \in E \) implies \( (v_1, z, v_2) \in E \) of \( RG(N) \) such that \( SC(v_1) = v_1 \) and \( SC(v_2) = v_2. \)

*For details of a generating algorithm of the finite reachable graph for coupled FD-DEVS, the reader can refer to [7].
In $K(RG(N))$, a node $v \in V$ is reachable from $v_0$ if there is a sequence of arcs that reaches from $v_0$ to $v$. And we overload the projected discrete sets functions for $v \in V$ of $RG(N)$ and $v \in V$ of $K(RG(N))$, respectively:

$$\text{disc-s}(v, i) = s_i \text{ for } v = ((\ldots, (s_i, t_{s_i}), \ldots), D)$$

and

$$\text{disc-s}(v, i) = \{\text{disc-s}(v, i) | v \in V\}$$

**Theorem 1**: Suppose that $N$ is a verification frame and $A$ is the vector of acceptance states for $N$. Then $L_R(N, A) = \emptyset$ and $L_T(N, A) = \emptyset$ if $\forall v \in V$ reachable from $v_0$ s.t. $\forall M_i \in D_R, \text{disc-s}(v, i) \cap A_i = \emptyset$ and $\exists v \in V$ reachable from $v_0$ s.t. $\forall M_i \in D_T, \text{disc-s}(v, i) \cap A_i \neq \emptyset$.

**Proof**: If $\forall v \in V$ reachable from $v_0$ s.t. $\forall M_i \in D_R, \text{disc-s}(v, i) \cap A_i = \emptyset$,

$$\Rightarrow \forall M_i \in D_R, \exists v \in V \text{ s.t. } \text{disc-s}(v, i) \cap A_i = \emptyset$$

and $\exists v \in V$ reachable from $v_0$ s.t. $\forall M_i \in D_T, \text{disc-s}(v, i) \cap A_i \neq \emptyset$.

$$\Rightarrow \exists \omega \in \Omega_Z \text{ s.t. disc-s}(\Delta(q_0, \omega), i) \cap A_i = \emptyset$$

$$\Rightarrow L_R(N, A) = \emptyset$$

**Lemma 1**: Given the pair of $(N, A)$, checking $L(N, A) = 0$ is decidable.

**Proof**: By Theorem 1, we can show that $\exists \omega \in V$ is reachable from $v_0$ s.t. $\forall M_i \in D_T, \text{disc-s}(v, i) \cap A_i \neq \emptyset$ and $\forall v \in V$ reachable from $v_0$ s.t. $\forall M_i \in D_R, \text{disc-s}(v, i) \cap A_i = \emptyset$ for checking if $L_T(N, A) \neq \emptyset$ and $L_R(N, A) = \emptyset$. It is known that generating $RG(N)$ is decidable in exponential time of $\mid D \mid$ that is the number of atomic FD-DEVS [7]. Constructing $K(RG(N))$ is decidable with $O(|V| + |E|)$ complexity where $|V|$ and $|E|$ are the numbers of zones and transitions of $RG(N)$, respectively [9].

**Example 2 (Mutual Exclusion between $\oplus$ and $\otimes$)**: Let’s consider again the cross road lights shown in Figure 1(a) and suppose that they are controlled by CRC shown in Figure 1(b) through output ports g and w, respectively. Now we want to check whether $\oplus$ and $\otimes$ have “on” exclusively or not. To do this, we use rejector MXR that reaches R11 state when CRC violates the requirement, that means, it transmits 1 though g before sending 0 though w, vice versa.

We can build a verification frame, VCM shown in Figure 1(d) where $D_T=\{\text{CRC}\}$, $D_R=\{\text{MXR}\}$; Given the vector of acceptance states $A = \leq A_{\text{CRC}}, A_{\text{MXR}} \geq \leq \{\emptyset\}, \{\text{R11}\} \geq$, we first check $L_T(VCM, A) \neq \emptyset$ using $K(RG(VCM))$. Figure 2(a) shows $RG(VCM)$ whose a vertex is a reachable state of $RG(VCM)$ so there are 7 vertices. We can make $K(RG(VCM))$ by combining SC($v$) for each $v \in V$ of $RG(VCM)$ so that 5 vertices surrounded by a dashed line are contained by $K(RG(VCM))$.

To verify if $L_R(VCM, A) = \emptyset$, we need to check for all $v \in V$ with index MXR such that $\text{disc-s}(v_0, \text{MXR}) \cap A_{\text{MXR}} = \{\text{A00}\} \cap \{\text{R11}\} = \emptyset$; $\text{disc-s}(v_0, \text{MXR}) \cap A_{\text{MXR}} = \{\text{A00}\} \cap \{\text{R11}\} = \emptyset$; $\text{disc-s}(v_0, \text{MXR}) \cap A_{\text{MXR}} = \{\text{A01}, \text{A00}, \text{A10}\} \cap \{\text{R11}\} = \emptyset$; Thus we can say that $L_T(VCM, A) = \emptyset$.

Similarly, we can check if $L_T(VCM, A) \neq \emptyset$. For $R_T=\{\text{CRC}\}$ since $\text{disc-s}(v_0, \text{CRC}) \cap A_{\text{CRC}} = \{\text{CRC}, \text{GR}, \text{W}, \text{DW}\} \cap \{\emptyset\} \neq \emptyset$, so $L_T(VCM, A) \neq \emptyset$.

Therefore, we can accept the implementation, CRC, under the tester (rejector), MXR.

However, if we switch outputs of states GR and W of
such that $\lambda(\text{GR}) = w:1$ and $\lambda(\text{WW}) = g:0$, we get a different reachable graph from the original, as shown in Figure 2(b). Even though $L_T(VCM, A) \neq \emptyset$ as the same as the original, we can find the bad behavior detected by $\text{MXR}$: $\text{disc-s}(v_5, \text{MXR}) \cap \{R11\} = \text{disc-s}(v_6, \text{MXR}) \cap \{R11\} = \{R11\} \neq \emptyset$. Therefore, this implementation of CRC controller is rejected by $\text{MXR}$.

\[ \square \]

V. Illustrative Example

This section shows an example of modular verification of an intersection traffic light system that is shown in Figure 3. This intersection has four ways and each way has three lights: green (.dtd), left turn (l.l), and red (r.r) for traffic, and two lights: walk (w.w) and don’t walk (d.d) for pedestrians.

A. System Requirements

The requirements for this system control can be enumerated as follows.

1) Intra Traffic Way

a) (Safety) Only one light among (d.d), (l.l), and (r.r) can be on. More than one light on is allowed within 0.01 sec.

b) (Time Constraints) Once (d.d) is on, it lasts 35±1 sec., while (l.l) for 15±1 sec.

c) (Fairness) The circulation order of turning on is (r.r), (d.d), (l.l) and (r.r) again unless the pausing signal externally occurs.

2) Cross Road

a) (Safety) (w.w) and (d.d) are mutual-exclusively on with switching tolerant time 0.01 sec.

b) (Safety) When (w.w) is on, (d.d) should be on.

c) (Fairness and Time Constraints) Without pushing button, (d.d) is on. If one pushes the button when (d.d) is on, (w.w) will be on 2±0.1 sec. after (r.r) becomes newly on again. This behavior repeats forever.

3) Inter Traffic Ways: Notice that pairs (Way1 and Way3) and (Way2 and Way4) should be controlled in the same way at the same time. For example, Way1 has (d.d) on, so Way3 does. Thus we need to build the control logics for Way1 and Way2 not for all four traffic ways. From now on, we focus the control logic between Way1 and Way2.

a) (Starting) We can push the starting button after the booting time 5 sec. is passed. When the starting button is pushed, Way1 has (d.d).

b) (Terminating) For emergency or maintenance, when the pause button is pushed, all ways become (r.r) within less than 5 sec. and the system returns to the booting status.

c) (Fairness) (d.d) moves to the other way (Way1 $\Rightarrow$ Way2). This circulation repeats until the pause button is pushed.

d) (Time Constraints for Safety) When (d.d) turns from one to another, there is 2±0.5 sec. delay unless the pause button is pushed.

e) (Safety) When one way has (d.d) or (l.l), other side has (r.r).

B. Implementation

1) Intra Traffic Controller: Figure 4 illustrates how we implemented a verification frame for the intra-traffic controller. Figure 4(a) shows an implementation of Spec1-a that is a rejector detecting violation of the mutual exclusion between $g$, $a$, and $r$ where $\text{MXR}1$, $\text{MXR}2$, $\text{MXR}3$ are the atomic FD-DEVS introduced in Example 1. For checking time constrains of Spec1-b, we made an atomic FD-DEVS $\text{TimeRangeD}_R$ which detects "too early error" from $E$ to $RJ$ or "too late error" from $L$ to $RJ$ where time tolerant range is $[d-t, d+t]$. Using $\text{TimeRangeD}_R$, we could build the Spec1-b checker as shown in Figure 4(c). Figure 4(d) illustrates an atomic FD-DEVS model for the Spec1-c checker that detects the violation of circulating order among (d.d), (d.d), and (l.l). Figure 4(e) shows the verification frame for checking Spec1-a. Spec1-b and Spec1-c are not violated and the controller, GAR has the legal and live behavior. GAR has its initial state 1R that generates $r:1$ to turn (r.r) on first, and then turn (d.d) and (l.l) off by output $g:0$ and $a:0$ at IG and IA, respectively. When receiving state signal $s:1$, GAR gets into D that turns (r.r) off by $r:0$ and moves to $\text{R2G}$ turning (d.d) on by $g:1$. After staying 35 sec. at G, GAR turns (l.l) off by $g:0$ and changes into $\text{G2A}$ that turns (l.l) on by
on by $a:1$. After staying 15 sec. at $A$, it turns $\ominus$ off by $a:0$ and goes back to $R$ with turning $\oplus$ on again. When pausing event $s:0$ occurs at either $D$, $R2G$, $G$, $G2A$ or $A$, the current state moves to $IR$ for re-initializing all lights $G$, $\ominus$ and $R$.

2) Cross Road Controller: To construct the verification frame for cross road specifications we model components as illustrated in Figure 5. The checker for safety requirement Spec2-b was implemented as shown in Figure 5(a) while the time constrained behavior of Spec2-c was built as Figure 5(b). The component under testing was a coupled FD-DEVS whose one model is a push switch $PS$ shown in Figure 5(c) and the other is $NOT$ gate (whose state diagram is omitted here). Figure 5(d) shows the verification frame checking the cross road requirements.

3) Inter Traffic Controller: To control inter traffic ways, we used an atomic FD-DEVS model, called module circulator ($MC$) as shown in Figure 6(a). This model is booting for 2 seconds at $B$ and it becomes ready to handle the starting event $s$ at state $I$. Once it gets the starting signal $s$ at $I$, it moves to $toM1$ whose $\tau(toM1)=2$ for a safety then moves to $M1$ with output $g1:1$ that is triggering the circulation of $G$, $\ominus$ and $R$ at Way1. When getting $r1:1$, the circulation moves to Way2 through $toM2$ and $M2$. Then it repeats forever unless the pausing event $p$ happens. If $p$ occurs, depending on the current states it moves directly to $B$ or it moves via $P1$ or $P2$ to $B$.

As shown in Figure 7(b), we could construct an intertraffic controller (ITC) using one $MC$ and two GARs named $GAR1$ and $GAR2$ which were introduced first in Figure 4(e). We built the checker for Spec3-abcd as one atomic FD-DEVS as shown in Figure 6(c). That is, it checks, the starting and terminating behaviors, circulation fairness of authority between Way1 and Way2 as well as time constraints for staying at a state. The checker for Spec3-e was implemented using two $OR$ gates and two mutually inclusion rejector, $MIR1$ and $MIR2$ as shown at the bottom of Figure 6(d). Whole coupling information of the verification frame for the inter-traffic control is shown in Figure 6(d).

Finally, as we can see Figure 7, the intersection light controller (ILC) could be built using one ITC and four cross road controllers that are grouped as (CRC1, CRC3) and (CRC2, CRC4).
C. Verification Performance

Hardware platform in which we implemented has Intel Pentium-4™ (3 GHz) with 512 MBytes RAM. We used Microsoft Visual.Net 2005™ for compiling the C-# language.

We first checked the emptiness of illegal behavior using the set of checkers for Spec1, Spec2, and Spec3 whose configurations have been illustrated in Figure 4, Figure 5, and Figure 6, respectively. All of the checkers could not find any bad behavior. For checking the non-emptiness of legal behavior of the integrated components ILC shown in Figure 7, we varied the number of push buttons used ranging from none to 3 (we stopped the case of full usage of all push buttons in cross roads because of the memory lack). All of configurations have the non-empty legal behavior. Table I summarizes the result of our performance experiment.

<table>
<thead>
<tr>
<th>Behavior</th>
<th></th>
<th></th>
<th></th>
<th></th>
<th></th>
</tr>
</thead>
<tbody>
<tr>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>$L_R$</td>
<td>a</td>
<td>7</td>
<td>42</td>
<td>38</td>
<td>0.4</td>
</tr>
<tr>
<td></td>
<td>b</td>
<td>5</td>
<td>30</td>
<td>23</td>
<td>0.14</td>
</tr>
<tr>
<td></td>
<td>c</td>
<td>8</td>
<td>65</td>
<td>128</td>
<td>0.14</td>
</tr>
<tr>
<td>$L_T$</td>
<td>0</td>
<td>13</td>
<td>80</td>
<td>311</td>
<td>1.47</td>
</tr>
<tr>
<td></td>
<td>1</td>
<td>13</td>
<td>80</td>
<td>690</td>
<td>2.88</td>
</tr>
<tr>
<td></td>
<td>2</td>
<td>13</td>
<td>80</td>
<td>2,665</td>
<td>11.23</td>
</tr>
<tr>
<td></td>
<td>3</td>
<td>13</td>
<td>80</td>
<td>19,086</td>
<td>147.44</td>
</tr>
</tbody>
</table>

$L_R : L_R(N, A); L_T : L_T(N, A); a: Spec1; b: Spec2; c: Spec3; 0: no push button; 1: using push button1; 2: using push buttons 1 & 2; using push buttons 1, 2 & 3; |D|: the number of involved atomic FD-DEVS; $\sum |S|$: the number of all states in $D; |V_1|$: the number of vertices of $RG(N)$; Time1: the elapsed time for generating $RG(N)$; $|V_2|$: the number of vertices of $K(RG(N))$; Time2: the elapsed time for generating $K(RG(N))$.

VI. Contributions

This paper proposes a verification framework based on a sub-class of DEVS, called FD-DEVS so that the finite reachable graph of FD-DEVS networks is used for checking the emptiness of the illegal behavior as well as the non-emptiness of the legal behavior. One of the advantages of this verification framework over other formalism such as timed automata [2] is its modularity, which has been originated from the coupling scheme of DEVS [14]. Each component in our verification framework can work as an independent module as interacting with other components through the coupling relation. However, since the synchronization of state transition between two timed automata is done by the same name of events [2] [1] [11], a component might not be reused for different purposes. For example, the identical mutual exclusion rejectors, MXR1, MXR2, and MXR3 with input ports a and b shown in Figure 4(a) should change their port names for synchronization with different events g, a and r when using the synchronization used in the automata theory.

The applicability of this proposed verification framework is much broader than other DEVS approaches [12], [4], [10] that seem to be applicable in only closed systems which don’t interact with external influences. In addition, compared to the experimental framework which is based on the simulation of DEVS models [15], this proposed framework has advantages because it generates all possible reachable states while simulation attempts to trace one possible trajectory in a run. In other words, we don’t know when we can stop the simulation experiment for the perfect testing, especially in case of the system under testing being an open system.
VII. Conclusion and Further Research

To check if the implementation of a system satisfies the requirement set, this paper proposed a verification framework based on FD-DEVS networks whose components are partitioned into testers (or checkers), called rejectors, and components under testing. In the proposed verification framework, the illegal behaviors can be detected modularly by any rejector, while non-empty legal behavior of components under testing can be guaranteed by the kernel DAG of the finite reachable graph that covers all acceptance conditions of each component. As an illustrative example, an intersection traffic control system has been verified that it’s implementation met the whole set of requirements.

However, as we could see in Section V, even though the number of reachable states is finite, it can be exploded as the number of subcomponents or the number of external influences increases. Thus, extending scalability can be one of the most demanding research in our approach. One possible way for this might employ the ordered binary decision diagram [3] in which the behavior is preserved while the size of memory requirement can be greatly reduced. Another possibility might be the state reduction in which the behavior can be different from the origin if the difference can be tolerated. To do this, we can think other finite state DEVS with non-determinism in terms of time advance as well as state transitions. In addition, the performance range of coupled FD-DEVS will be needed in terms of the optimistic and pessimistic cases as done in the schedule-preserved DEVS [6]

Acknowledgment

This work was supported by the Korea Research Foundation Grant (No: M01-2004-000-20045-0).

References