Equivalence Verification of Timed Transition Models

Mark Lawford and Hong Zhang
Software Quality Research Lab, McMaster University
1280 Main St W., Hamilton, ON, Canada L8S 4K1
lawford@mcmaster.ca, zhangh5@cas.mcmaster.ca

Abstract

This paper describes how the Timed Automata Modeling Environment (TAME) has been modified to provide a formal model for Timed Transition Models (TTMs) in the PVS proof checker. State-event equivalences (extensions of Milner's observation equivalences) are also formalized in PVS for state-event labeled transition systems (SELTS), the underlying semantic model of TTMs. These theories are used to verify a real-time control system.

1 Introduction

Timed Transition Models (TTMs) are a form of guarded transition systems that can be used to conveniently model real-time systems in a discrete time setting [11, 12]. In particular, one may model a system's desired behavior or specification using one TTM and the actual implementation of the system using another, more detailed TTM [7]. One can then verify that the implementation is in some sense equivalent to the specification. To be of practical use, such equivalence verification techniques require some form of mechanized support.

This paper describes how the Timed Automata Modeling Environment (TAME) [2, 3] has been modified to provide a formal model for TTMs in the PVS proof checker. Strong and weak versions of state-event equivalences are formalized in PVS for state-event labeled transition systems (SELTS), the underlying semantic model of TTMs. These theories are then applied to formally verify an industrial real-time control system.

The remainder of this section discusses related work. Section 2 gives a brief description of TTMs and SELTS. The formalization of TTMs and SELTS in PVS is described in section 3. Section 4 gives the definitions of strong and weak state-event equivalences and their formalization in PVS.
The PVS work is then used to mechanize the verification of an industrial real-time controller in section 5. Finally, section 6 summarizes the method's benefits, limitations and possible extensions.

1.1 Related Work

The Timed Automata Modeling Environment (TAME) [2, 3] is a special-purpose interface to PVS designed to support developers of software systems in proving invariants. It supports the creation of PVS descriptions of three different automata models: Lynch-Vaandrager (LV) timed automata, I/O automata, and the automata model that underlies SCR specifications. It does not include support for verifying different types of equivalences on pairs of automata models, nor does it support automated composition of automata. The user must combine the individual automaton descriptions, extracting the common variables, to produce a single TAME specification.

TAME does not support TTMs directly, and its representation of time as part of the state variables is not sufficient for TTMs. In TAME, the time variable now is explicitly changed in the LV timed automata by a special time-passage action ν. The time requirements for other, non-time-passage actions are checked against the first and last values of the corresponding action. TAME uses the real numbers extended with to represent time values. In our TTM model, we use the extended natural numbers to represent time values. A special tick action is needed to update all the clocks associated with each non-tick action. Our actions also need to satisfy the state variable requirements appearing in guard conditions, which is a very common situation in control systems. The PVS theories underlying TAME provide the basis for our formalization of TTMs in PVS. We make use of some of the basic theories and follow a similar template-based method to make the theories easier to use.
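The equivalence check motivated in the introduction (an implementation TTM verified against a specification TTM) can be made concrete on the underlying SELTS. The Python below is an added example and is not code from the paper, from TAME or from the PVS theories it describes. It assumes the usual strong bisimulation definition extended with state outputs (two states are related only if their outputs agree and every event-labelled move of one is matched by a move of the other into related states), treats the TTM tick event as an ordinary event label so that timing differences are observable, and works on three constructed toy systems: a specification, an implementation that unrolls the busy state over ticks, and a faulty implementation that loses its done transition after one tick.

```python
class SELTS:
    """State-event labeled transition system (constructed toy representation).

    states:      iterable of state names
    output:      dict mapping each state to its observable output
    transitions: iterable of (source, event, target) triples
    initial:     the initial state
    """

    def __init__(self, states, output, transitions, initial):
        self.states = frozenset(states)
        self.output = dict(output)
        self.transitions = frozenset(transitions)
        self.initial = initial
        assert self.initial in self.states
        assert set(self.output) == self.states
        for src, _, tgt in self.transitions:
            assert src in self.states and tgt in self.states


def disjoint_union(a, b):
    """Tag the states of both systems so they can be refined in one partition."""
    states = [(0, s) for s in a.states] + [(1, s) for s in b.states]
    output = {(0, s): a.output[s] for s in a.states}
    output.update({(1, s): b.output[s] for s in b.states})
    trans = [((0, s), e, (0, t)) for s, e, t in a.transitions]
    trans += [((1, s), e, (1, t)) for s, e, t in b.transitions]
    return states, output, trans


def strong_state_event_partition(states, output, transitions):
    """Naive partition refinement for strong state-event bisimulation.

    The initial partition groups states by output. A block is split whenever
    two of its states have different sets of (event, target block) moves.
    Refinement only ever splits blocks, so the partition is stable as soon
    as a round does not increase the number of blocks. Returns a dict
    mapping each state to its block id.
    """
    block = {s: output[s] for s in states}
    while True:
        signature = {}
        for s in states:
            moves = frozenset((e, block[t]) for src, e, t in transitions if src == s)
            signature[s] = (block[s], moves)
        ids = {}
        new_block = {s: ids.setdefault(signature[s], len(ids)) for s in states}
        if len(set(new_block.values())) == len(set(block.values())):
            return new_block
        block = new_block


def strongly_equivalent(a, b):
    """True iff the initial states of a and b are strongly state-event bisimilar."""
    states, output, trans = disjoint_union(a, b)
    block = strong_state_event_partition(states, output, trans)
    return block[(0, a.initial)] == block[(1, b.initial)]


# Constructed specification: idle until 'start', then busy until 'done'.
SPEC = SELTS(
    states={"s0", "s1"},
    output={"s0": "idle", "s1": "busy"},
    transitions={("s0", "tick", "s0"), ("s0", "start", "s1"),
                 ("s1", "tick", "s1"), ("s1", "done", "s0")},
    initial="s0",
)

# Constructed implementation: the busy phase is unrolled over ticks but
# 'done' stays enabled, so it matches SPEC move for move.
IMPL = SELTS(
    states={"i0", "i1", "i2"},
    output={"i0": "idle", "i1": "busy", "i2": "busy"},
    transitions={("i0", "tick", "i0"), ("i0", "start", "i1"),
                 ("i1", "tick", "i2"), ("i1", "done", "i0"),
                 ("i2", "tick", "i2"), ("i2", "done", "i0")},
    initial="i0",
)

# Constructed faulty implementation: after one tick in the busy phase the
# 'done' transition is no longer possible, which the refinement detects.
BAD_IMPL = SELTS(
    states={"i0", "i1", "i2"},
    output={"i0": "idle", "i1": "busy", "i2": "busy"},
    transitions={("i0", "tick", "i0"), ("i0", "start", "i1"),
                 ("i1", "tick", "i2"), ("i1", "done", "i0"),
                 ("i2", "tick", "i2")},
    initial="i0",
)

if __name__ == "__main__":
    print("SPEC ~ IMPL:", strongly_equivalent(SPEC, IMPL))
    print("SPEC ~ BAD_IMPL:", strongly_equivalent(SPEC, BAD_IMPL))
```

The refinement is quadratic per round and is meant only to show the structure of the check; for large finite-state TTMs one would use the efficient relational coarsest partition algorithms the paper's later sections refer to, and weak equivalence additionally requires closing transitions over the internal events before refining.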
As we have used TAME as the initial basis for our TTM models in PVS, our method currently also requires manual composition of TTMs. Finally, we have added theories defining equivalences between pairs of models.

Verifying the state-event equivalences described in this paper for finite state TTMs reduces to solving the relational coarsest partition problem on the underlying transition structure [7], and hence can be solved using model-