Abstract. This is a tutorial paper on the tool Uppaal. Its goal is to be a short introduction on the flavor of timed automata implemented in the tool, to present its interface, and to explain how to use the tool. The contribution of the paper is to provide reference examples and modeling patterns. 1

This paper studies the structural complexity of model checking for several timed modal logics presented in the literature. More precisely, we consider (variations on) the specification formalisms used in the tools CMC and Uppaal, and fragments of a timed -calculus. For each of the logics, we characterize the computational complexity of model checking, as well as its specification and program complexity, using (parallel compositions of) timed automata as our system model. In particular, we show that the complexity of model checking for a timed -calculus interpreted over (networks of) timed automata is EXPTIME-complete, no matter whether the complexity is measured with respect to the size of the specification, of the model or of both. All the flavours of model checking for timed versions of Hennessy-Milner logic, and the restricted fragments of the timed µ-calculus studied in the literature on CMC and Uppaal, are shown to be PSPACE-complete or EXPTIME-complete. Amongst the complexity results o ered in the paper is a theorem to the effect that the model checking problem for the sublanguage L s of the timed -calculus, proposed by Larsen, Pettersson and Yi, is PSPACE-complete. This result is accompanied by an array of statements showing that any extension of L s has an EXPTIME-complete model checking problem. We also argue that the model checking problem for the timed propositional µ-calculus T is EXPTIME-complete, thus improving upon results by Henzinger, Nicollin, Sifakis and Yovine.

Currently, formal verification of reactive, critical or embedded systems is a crucial problem, and automatic verification, more specifically model checking, has been widely developed during the last 20 years (see [CLA 99, SCH 01] for surveys). In this approach, we build a formal model M (e.g. an automaton, Petri net, etc.) describing

We present a new approach to unbounded, fully symbolic model checking of timed automata that is based on an efficient translation of quantified separation logic to quantified Boolean logic. Our technique preserves the interpretation of clocks over the reals and can check any property expressed in the timed calculus. The core operations of eliminating quantifiers over real variables and deciding separation logic are respectively translated to eliminating quantifiers on Boolean variables and checking Boolean satisfiability (SAT). We can thus leverage well-known techniques for Boolean formulas, including Binary Decision Diagrams (BDDs) and recent advances in SAT and SAT-based quantifier elimination. We present preliminary empirical results for a BDD-based implementation of our method.

Abstract. In this paper we use the timed modal logic Lν to specify control objectives for timed plants. We show that the control problem for a large class of objectives can be reduced to a model-checking problem for an extension (L cont ν) of the logic Lnu with a new modality. More precisely we define a fragment of Lν, namely L det ν, such that any formula that holds for the plant if and only if there is a controller that can enforce the control objective. We also show that the new modality of L cont ν strictly increases the expressive power of Lν while model-checking of Lc remains EXPTIMEcomplete. control objective of L det ν can be translated into a L cont ν 1

Capturing, refining, and analyzing requirements are some of the most challenging tasks in building a software system. How well these tasks are performed significantly impacts the quality of the developed software system. The difficulty of these tasks is greatly exacerbated for the software of embedded systems, since these systems are commonly used for critical applications, have to operate reliably for long periods of time, and need to adhere to real-time constraints. In this dissertation, we introduce a modeling and analysis approach for centralized and distributed real-time embed-ded systems that supports the use of formal specifications and model checking. The approach comprises four main elements: First, we developed specification patterns for specifying real-time properties to aid the developer in formally specifying critical real-time system properties. Second, to enhance the accessibility of the specification patterns, we developed natural language representation and specification capabilities for qualitative and real-time properties. Third, based on industrial project informa-tion, we developed object analysis patterns to facilitate the creation of UML analysis models of embedded systems. Fourth, we defined an iterative modeling and analysis

This paper introduces a framework for the development, modelling and analysis of distributed, real-time control systems which communicate using the deterministic broadcast communication protocol, CAN. We adopt a hierarchical approach in which system designs are expressed in the high-level, Ada-like, language, CANDLE, which is given a timed transition semantics by translation to a base language, bCANDLE (pronounced `basic candle') which is a simple but expressive process language with a value-passing, broadcast communication primitive, message priorities and an explicit time construct. The formal semantics of bCANDLE can be found in [6]. Broadcasting...

This study oers a characterization of the collection of properties expressible in Hennessy-Milner Logic (HML) with recursion that can be tested using nite LTSs. In addition to actions used to probe the behaviour of the tested system, the LTSs that we use as tests will be able to perform a distinguished action nok to signal their dissatisfaction during the interaction with the tested process. A process s passes the test T i T does not perform the action nok when it interacts with s. A test T tests for a property in HML with recursion i it is passed by exactly the states that satisfy . The paper gives an expressive completeness result oering a characterization of the collection of properties in HML with recursion that are testable in the above sense.

Abstract: The pervasive nature of mobile and wireless systems has led to increased concerns over Quality of Service (QoS). In the prevailing models for QoS management, QoS resolution is achieved by table look-up, a feature that makes table access the focal point of activity. This approach suffers from two limitations, namely, an inability to deal with unexpected QoS requests, and a reliance on human intervention for update of information. This paper is concerned with the presentation of an architecture for supporting automated QoS resolution through verification. The architecture is modular and the QoS resolution function is performed by a subsidiary component, which combines knowledge base with resolution mechanism. This separation of concerns and the support for flexible QoS management has the advantage of

(rapporteur) (rapporteur) (rapporteur) This thesis is mostly based on joint works with: