Integration of Software Specification Techniques for Applications in Engineering

Lecture Notes in Computer Science, Volume 3147, pp. 541-566

Modeling and Formal Verification of Production Automation Systems

  • Jürgen Ruf, Wilhelm-Schickard-Institut für Informatik, Universität Tübingen
  • Roland J. Weiss, Wilhelm-Schickard-Institut für Informatik, Universität Tübingen
  • Thomas Kropf, Wilhelm-Schickard-Institut für Informatik, Universität Tübingen
  • Wolfgang Rosenstiel, Wilhelm-Schickard-Institut für Informatik, Universität Tübingen



This paper presents the real-time model checker RAVEN and the theory behind it. RAVEN combines the efficiency of traditional symbolic model checking with the ability to describe real-time systems. These extensions rely on multi-terminal binary decision diagrams (MTBDDs) to represent time delays and time intervals. The temporal logic CCTL is used to specify properties with time constraints. Another noteworthy feature of the model checker is that a system description can be composed from communicating modules, so-called I/O-interval structures. This modular style of system description alleviates the state explosion problem that affects all model checking tools.

The case study of a holonic material transport system demonstrates how such a production automation system can be modeled in RAVEN. We devise a detailed model of all components present in the described system. This model serves as the basis both for checking real-time properties of the system and for computing key figures such as system latencies and minimal response times. Translating the model also lets us apply a second time-bounded property checker to the holonic production system. Finally, we present an approach that combines simulation and formal verification on the same system model. It enables verification of larger designs at the cost of reduced coverage: only critical states detected during simulation runs are then subjected to exhaustive model checking. We contrast the runtimes and results of the different approaches.