PAPER Special Issue on Verification, Test and Diagnosis of VLSI Systems # Temporal Verification of Real-Time Systems\* Sérgio V. CAMPOS<sup>†</sup>, Edmund M. CLARKE<sup>†</sup>, Wilfredo MARRERO<sup>†</sup>, Marius MINEA<sup>†</sup>, Nonmembers and Hiromi HIRAISHI<sup>††</sup>, Member This paper presents a general method for computing quantitative information about finite-state real-time systems. We have developed algorithms that compute exact bounds on the delay between two specified events and on the number of occurrences of an event in a given interval. This technique allows us to determine performance measures such as schedulability, response time, and system load. Our algorithms produce more detailed information than traditional methods. This information leads to a better understanding of system behavior, in addition to determining its correctness. The algorithms presented in this paper are efficiently implemented using binary decision diagrams and have been incorporated into the SMV symbolic model checker. Using this method, we have verified a model of an aircraft control system with 1015 states. The results obtained demonstrate that our method can be successfully applied in the verification of real-time system designs. key words: formal verification, real-time system, temporal logic #### 1. Introduction A number of algorithms have recently been proposed for verifying the behavior of finite-state real-time systems [1], [4], [6]–[8]. These algorithms assume that timing constraints are given explicitly in some notation like temporal logic. Typically, the designer provides a constraint on response time for some operation, and the verifier automatically determines if it is satisfied or not. Unfortunately, these techniques do not provide any information about how much a system deviates from its expected performance, although this information can be extremely useful in fine-tuning the behavior of the system. In this paper we give algorithms to compute quanti- Manuscript received November 28, 1994. Manuscript revised February 16, 1995. <sup>†</sup>The authors are with the School of Computer Science, Carnegie Mellon University, Pittsburgh, PA 15213, USA. ††The author is with the Faculty of Engineering, Kyoto Sangyo University, Kyoto-shi, 603 Japan. This research was sponsored in part by the National Science Foundation under grant no. CCR-9217549, by the Semiconductor Research Corporation under contract 92-DJ-294, and by the Wright Laboratory, Aeronautical Systems Center Air Force Materiel Command, USAF, and the Advanced Research Projects Agency (ARPA) under grant number F33615-93-1-1330. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied of the U.S. government. tative timing information, such as exact upper and lower bounds on the time between a request and the corresponding response. Our algorithms provide insight into how well a system works, rather than just determining whether it works at all. They enable a designer to determine the timing characteristics of a complex system given the timing parameters of its components. This information is especially useful in the early phases of system design, when it can be used to establish how changes in a parameter affect the global behavior of the system. We model a real-time system as a labeled statetransition graph, where each path corresponds to an execution trace of the actual system. This graph is implemented internally using binary decision diagrams (BDDs) [2], which generally produce a very compact representation. By employing symbolic model-checking techniques [3], [12], we are able to handle extremely large state spaces with up to 10<sup>30</sup> states efficiently. We show how to determine the minimum and maximum length of all paths leading from a set of starting states (representing the request) to a set of final states (representing the response). We also present algorithms that calculate the minimum and the maximum number of times a specified condition can hold on a path from a set of starting states to a set of final states. These algorithms are also extended to timed transition graphs (TTG) [4], a model in which transitions take more than one time unit to occur. We believe that the techniques developed can be adapted to other models of computation as well. Other approaches for analyzing real-time system exist. For example, the *rate monotonic scheduling* theory (RMS) [9], [10], [13] defines a priority assignment algorithm that guarantees optimal response time [10]. The RMS theory proposes a schedulability test based on total CPU utilization; a set of processes (which have priorities assigned according to RMS) is schedulable if the total utilization is below a computed threshold. If the utilization is above this threshold, schedulability is not guaranteed. Moreover, this analysis only considers certain types of processes with limitations, for example, on periodicity and synchronization. Another approach to schedulability analysis uses algorithms for computing the set of reachable states of a finite-state system [7], [8]. The algorithms construct the model with the added constraint that whenever an exception occurs (e.g. a deadline is missed) the system transitions to a special exception state. Verification consists of computing the set of reachable states and checking whether the exception state is in this set. No restrictions are imposed on the model in this approach, but the algorithm only checks if exceptions can occur or not. We develop an analysis method that does not impose any restriction except that the system be modeled as a set of processes that run in parallel and are defined by state-transition graphs. For example, the actual functional behavior of each process can be modeled and analyzed. Schedulability is determined by computing the minimum and maximum execution times for all processes. The process set is schedulable if and only if each process is guaranteed to finish execution before its next period starts. Our technique always determines if the set of processes is schedulable or not, unlike RMS analysis, which may not provide any schedulability information if utilization is above the computed threshold. If the processes are not schedulable, our algorithms determine which specific deadlines are missed and by how much. When no deadline is missed, the same results provide response times for each process, an important performance measure for real-time systems. To demonstrate how our tools work, we verify a simplified aircraft control system. We model the software that controls the various components of an airplane, and gather timing information about the system using the tools described above. The system consists of a set of priority driven processes, where each process is responsible for a subsystem of the aircraft, such as navigation, display, radar and weapons. The schedulability of this process set is determined. Moreover the computation of quantitative characteristics also provides other valuable results about the system being modeled, such as: - The overhead associated with preemption by other processes. This information is extremely important for determining the amount of priority inversion in a system. - How fast a subsystem responds to an event. For example, in this model, pressing the fire button generates a complex sequence of events before the weapons are actually fired. We were able to determine the overhead imposed by the firing protocol and how it affects the overall response time of the system. The different types of properties described above show how versatile this approach is. Many other quantitative characteristics can be computed by our algorithms. Moreover, in each case we were able to provide the user with insight into the behavior of the system, as opposed to only asserting its correctness. This information leads to a better understanding of system behavior and can be essential in improving performance. #### 2. Modeling Real Time Systems The real-time systems we verify are modeled using state-transition graphs. A state $\overline{v}$ in this model can be thought of as a vector assigning values to the state variables $v_1, v_2, \ldots, v_n$ . The transition relation $N(\overline{v}, \overline{v'})$ can be represented as a Boolean formula which evaluates to true when there is a transition in the model from the state $\overline{v}$ to the state $\overline{v'}$ , where $\overline{v} = \langle v_1, \ldots, v_n \rangle$ and $\overline{v'} = \langle v'_1, \ldots, v'_n \rangle$ . We assume that the transition relation is total (i.e. every state has at least one transition). A path in the transition graph is defined as a sequence of states $\overline{v_0}, \overline{v_1}, \overline{v_2}, \ldots$ such that $N(\overline{v_i}, \overline{v_{i+1}})$ is true for every $i \geq 0$ . In addition, we define a set of initial states, and all computations are performed on states reachable from this set. A set of states can also be represented by a Boolean formula which evaluates to true if and only if its variables are assigned the values of the variables in a state in the set. Note that if $S(\overline{v})$ is a formula representing a set of states and $N(\overline{v},\overline{v'})$ is a formula for the transition relation, the formula $\exists \overline{v}[S(\overline{v}) \land N(\overline{v},\overline{v'})]$ represents the set of successors to states in $S(\overline{v})$ . This operation can be thought of as a function mapping a set of states $S(\overline{v})$ to the set of its successors $S'(\overline{v'})$ . We use binary decision diagrams (BDDs) [2] to efficiently represent Boolean formulas and to manipulate them using the standard Boolean operations. Because of the close relationship between a Boolean formula, its BDD, and the set of states satisfying the formula, we identify these three entities. In particular, sets and set operations are more intuitive than boolean operations on formulas or BDD operations so we present our algorithms using sets, but the implementation uses BDDs and the corresponding BDD operations. ## 3. Quantitative Timing Algorithms We first present the lower bound algorithm (Fig. 1). The algorithm takes two sets of states as input, start and final. It returns the length of (i.e. number of edges in) a shortest path from a state in start to a state in final. If no such path exists, the algorithm returns infinity. The function T(S) gives the set of states that are successors of some state in S. The function T, the sets of states R and R', and the operations of intersection and union can all be easily implemented using BDDs. The first algorithm is relatively straightforward. Intuitively, the loop in the algorithm computes the set of states that are reachable from *start*. If at any point, we encounter a state satisfying *final*, we return the number of steps taken to reach the state. ``` \begin{aligned} & \textbf{proc lower (start, final)} \\ & i = 0; \\ & R = start; \\ & R' = T(R) \cup R; \\ & \textbf{while } (R' \neq R \land R \cap final = \emptyset) \textbf{ do} \\ & i = i + 1; \\ & R = R'; \\ & R' = T(R') \cup R'; \\ & \textbf{if } (R \cap final \neq \emptyset) \\ & \textbf{ then return } i; \\ & \textbf{ else return } \infty; \end{aligned} ``` Fig. 1 Lower bound algorithm. ``` proc upper (start, final) i=0; R=TRUE; R'=not\_final; while (R' \neq R \land R' \cap start \neq \emptyset) do i=i+1; R=R'; R'=T^{-1}(R') \cap not\_final; if (R=R') then return \infty; else return i; ``` Fig. 2 Upper bound algorithm. Next, we consider the upper bound algorithm (Fig. 2). This algorithm also takes *start* and *final* as input. It returns infinity if there exists an infinite path beginning in a state in *start* that never reaches a state in *final*. Otherwise, it returns the length of a longest path from a state in *start* to a state in *final*. The function $T^{-1}(S')$ gives the set of states that are predecessors of some state in S'. We also denote by *not\_final* the set of all states that are not in *final*. As before, the algorithm is implemented using BDDs. The upper bound algorithm is more subtle than the previous algorithm. A backward search from the states in *not\_final* is more convenient in this case than a forward search. Proofs of both algorithms can be found in Ref. [5]. We have also developed algorithms that calculate the minimum and the maximum number of times a specified condition cond can hold on a path from a set of starting states to a set of final states. For this purpose, we define a new state-transition system, in which the states are pairs consisting of a state in the original system and a positive integer, denoting the number of states in cond that have been traversed on such a path. Thus, if the original state-transition graph has state set S, then the augmented state set will be $S_a = S \times \mathbb{N}$ . The augmented transition relation $N_a \subseteq S_a \times S_a$ is defined in terms of the original transition relation $N \subseteq S \times S$ by incrementing the integer component k whenever a state in cond is traversed. ``` \begin{array}{l} N_a(\langle s,k\rangle,\langle s',k'\rangle) = N(s,s') \\ \wedge (s' \in cond \wedge k' = k+1 \vee s' \notin cond \wedge k' = k) \end{array} ``` The algorithms use the augmented transition re- lation and the value of the counter component k to produce the desired information. We have applied the same technique to a more powerful model of real-time systems, timed transition graphs [4], in which the time taken by a transition is defined by a time interval. These extensions can also be found in [5]. #### 4. Example — An Aircraft Control System One of the most critical applications of real-time systems is in aircraft control. It is extremely important that time bounds are not violated in such systems. Because of the risks involved in the failure of an aircraft, only conservative approaches to design and implementation are routinely used. Many modern techniques for software design such as formal methods are not commonly employed. We believe that formal verification can be very useful in increasing the reliability of these systems by assisting in the validation of schedulability and response times of the various components. This section briefly describes an aircraft control system used in military airplanes. Such a control system can be characterized by a set of sensors and actuators connected to a central processor. This processor executes the software to analyze sensor data and control the actuators. Our model describes this control program and determines whether its timing constraints are met. The requirements used are similar to those of existing military aircraft, and the model is derived from the one described in Ref. [11]. The aircraft controller is divided into systems and subsystems as shown in Table 1, each of which performs a specific task in controlling the airplane: - Navigation: Computes aircraft position. - Radar Control: Receives and processes data from radars. It also identifies targets and target position. - Radar Warning Receiver: This system identifies possible threats to the aircraft. - Weapon Control: Aims and activates aircraft weapons. - Display: Updates information on the pilot's screen. - Tracking: Updates target position. Data from this system is used to aim the weapons. - Data Bus: Provides communication between processor and external devices. Timing constraints for each subsystem are derived from factors such as required accuracy, human response characteristics and hardware requirements. Table 2 presents the subsystems being modelled, as well as their major timing requirements. In order to enforce the different timing constraints of the processes, priority Table 1 Aircraft controller. | System | Subsystem | Per. | Exec | %сри | Pri | |---------|---------------|-------|------|-------|-----| | Display | status update | 200 | 3 | 1.50 | 12 | | | keyset | 200 | 1 | 0.50 | 16 | | | hook update | 80 | 2 | 2.50 | 36 | | | graph. displ. | 80 | 9 | 11.25 | 40 | | | store update | 200 | 1 | 0.50 | 20 | | RWR | contact mgmt | 25 | 5 | 20.00 | 72 | | Radar | target update | 50 | 5 | 10.00 | 60 | | | track filter | 25 | 2 | 8.00 | 84 | | NAV | nav update | 50 | 8 | 16.00 | 56 | | | steer cmds. | 200 | 3 | 1.50 | 24 | | Track | target update | 100 | 5 | 5.00 | 32 | | Weapon | weapon prot. | 200* | Ī | 0.50 | 28 | | | weapon aim | 50 | 3 | 6.00 | 64 | | | weapon rel. | 200** | 3 | 1.50 | 98 | | Dat Bus | poll device | 40 | 1 | 2.50 | 68 | $<sup>\</sup>ensuremath{\bigstar}$ We apon protocol is an aperiodic process with a deadline of 200 ms. Table 2 Experimental results. | | | Execution Times | | | | | |--------------------|------|-----------------|-----|------------|-----|--| | Subsystem | dead | preempt | | no preempt | | | | | line | min | max | min | max | | | Weapon release | 5 | 3 | 3 | 3 | 9 | | | Radar track filter | 25 | 2 | 5 | 2 | 10 | | | Contact mgmt. | 25 | 7 | 10 | 7 | 15 | | | Data bus poll | 40 | 1 | 11 | 1 | 14 | | | Weapon aim | 50 | 10 | 14 | 2 | 18 | | | Radar target upd | 50 | 12 | 19 | 12 | 19 | | | NAV update | 50 | 20 | 34 | 20 | 27 | | | Display graphic | 80 | 10 | 44 | 10 | 43 | | | Display hook upd | 80 | 14 | 46 | 14 | 47 | | | Track target upd | 100 | 26 | 51 | 26 | 51 | | | Weapon protocol | 200 | 1 | 21 | 3 | 46 | | | NAV steer cmds. | 200 | 35 | 85 | 36 | 74 | | | Display store upd | 200 | 36 | 95 | 37 | 97 | | | Display keyset | 200 | 37 | 96 | 38 | 98 | | | Display status upd | 200 | 40 | 99 | 41 | 101 | | scheduling is used. The priority assignment has been done according to the RMS theory [9], [10]. Concurrent processes are used to implement each subsystem. With the exception of the weapon system, all other systems contain only periodic processes. The weapon system contains a mixture of periodic and aperiodic processes. It is activated when the display keyset subsystem identifies that the pilot has pressed the firing button. This event causes the weapon protocol subsystem to be activated. It then signals the weapon aim subsystem that has been previously blocked. Weapon aim is then scheduled to be executed every 50 ms. It aims the aircraft weapons based on the current position of the target. It also decides when to fire and then starts the weapon release subsystem. The firing sequence can be aborted until weapon release is scheduled, but not after this point. Weapon release then executes periodically and fires the weapons 5 times, once per second. ### 5. Verification of the Aircraft Control System We have implemented this control system in the SMV language [12]. The SMV model checker has been used to verify its functional correctness, while its timing correctness has been checked using the quantitative algorithms described in this paper. In order to optimize response time, we have implemented a preemptive scheduler. However, preemptability is a feature that may not always be available. Non-preemptive schedulers are easier to implement, and allow for simpler programs but usually increase response time for higher priority processes. To assess the effect of preemption in our system we have also implemented a non-preemptive scheduler. Using the model described above, we were able to compute the schedulability of the system. This is one of the most important properties of a real-time system. It states that no process will miss its deadline. In this example the deadlines are the same as the periods (except for the weapon release subsystem). We determine schedulability by computing the minimum and maximum execution times for each process and checking if they always finish before their deadline. The RMS theory checks for schedulability by computing the CPU utilization of the process set. It may not provide any schedulability information if the utilization exceeds a certain threshold. Our method however, is always able to determine schedulability. Moreover, it only requires that processes be modelled as state graphs, while RMS imposes restrictions on their behavior. Table 2 summarizes the execution times computed by our algorithms for both the preemptive and non-preemptive schedulers. Processes are shown in decreasing order of priority. We can see from this table that the process set is schedulable using preemptive scheduling. An analysis of a similar process set using RMS showed that only the first eight processes were guaranteed to meet their deadlines [11]. From our results we can also identify many important parameters of the system. For example, the response time is usually very low for best-case computations, but it is also good for the worst case. Most processes take less than half their required time to execute. This indicates that the system is still not close to saturation, although the total CPU utilization is high. Notice also that preemption does not have a big impact on response times. Except for the most critical process, all others maintain their schedulability if a non-preemptive scheduler is used. Moreover, we can see that non-preemption causes weapon release to miss its deadline, but by a relatively small amount. If a preemptive scheduler were expensive, reducing the CPU utilization slightly might make the complete system schedulable without changing the scheduler. By having such information, the designer can easily assess the impact of various alternatives to improve the performance, without having to change the implementation. It should be <sup>\*\*</sup> Weapon release has a period of 200 ms, but its deadline is 5 ms. noted that an analysis of this type can't be done using methods like the RMS utilization test or reachability computation. The algorithms described can be used to analyze the system in many different ways. For example, the effect of preemption on execution time can be assessed as follows. We have computed the maximum and minimum execution times for processes after they have been granted the CPU. If minimum and maximum are not the same, the process can be preempted after starting execution. For example, the display graphic subsystem can finish in as little as 7 ms and in as much as 14 ms after it starts execution. In other words, preemption overhead can be as high as 7 ms for this subsystem. The NAV steering subsystem has a minimum of 1 ms and a maximum of 44 ms. This means that other processes can delay it for 43 ms. It is clear that NAV steering can be preempted for a longer time than display graphic, since it has lower priority. Our results, however, allow us to determine how much longer it can be preempted. In a similar fashion, we can compute the priority inversion time for high priority processes. This can aid in identifying the reasons why a system is not predictable, and help correct its behavior. We examine one more property of this particular model. The weapon system is critical to the aircraft. It is very important that it respond quickly to the pilot's command. However, when a pilot presses the firing button, many subsystems are involved in identifying and responding to this event. By computing the minimum and maximum times between pressing the fire button and the execution of the weapon release process we are able to determine if the weapon system responds quickly enough to satisfy the aircraft requirements. In our example, the minimum time is 120 ms and the maximum time is 167 ms, not accounting for the possibility that the firing sequence may be aborted. Again, this type of analysis may be difficult to do with other tools. The RMS schedulability test cannot give tight bounds on specific response times for such properties, since its only parameter is CPU utilization. Algorithms that use reachability analysis are also inappropriate for such analysis. Specific exceptions, with previously defined time bounds, would have to be added to the model to observe these characteristics. The finite-state model was implemented in about 600 lines of SMV code. The final model has about 10<sup>15</sup> states, and the transition relation uses approximately 4600 BDD nodes. To compute each property described above took between 5 and 15 seconds using an i486 based workstation. #### 6. Conclusion This paper proposes a general framework for computing quantitative characteristics of finite-state real-time systems. We have devised algorithms that calculate ex- act numerical bounds on the delay between two specified events, as well as on the frequency of the occurrence of a condition within a given interval. Rather than just determining the correctness of the model, the results computed by our algorithms provide hints about its behavior that can be useful in improving the performance of the system. Our method can be easily integrated with model checking techniques. In fact, the *lower* and *upper bound* algorithms have been added to the most recent version of the SMV model checking system. Using this implementation we demonstrate the practical importance of our approach by analyzing a model of an aircraft control system. We have been able to obtain stronger results than those produced using traditional methods for real-time system verification. We have found this approach to be very flexible. We have shown how quantitative characteristics can be computed for state-transition graphs. In addition, we have extended the algorithms to models in which transitions may take more than one time unit. We also plan to investigate the application of these techniques to other models of computation. We believe that the quantitative information that our method provides can be extremely useful to designers during the development of real-time systems. We are confident that these techniques will prove practical in the verification of a variety of other realistic designs. #### References - [1] Alurand, R. and Henzinger, T.A., "Logics and models of real-time: a survey," in *Lecture Notes in Computer Science, Real-Time: Theory in Practice*, Springer-Verlag, 1992. - [2] Bryant, R.E., "Graph-based algorithms for boolean function manipulation," *IEEE Trans. Comput.*, vol.C-35, no.8, pp.677-691, Aug. 1986. - [3] Burch, J.R., Clarke, E.M., McMillan, K.L., Dill, D.L. and Hwang, J., "Symbolic model checking: 10<sup>20</sup> states and beyond," in *Proc. Logic in Computer Science*, 1990. - [4] Campos, S.V. and Clarke, E.M., "Real-time symbolic model checking for discrete time models," in *Proc. First* AMAST International Workshop in Real-Time Systems, 1993. - [5] Campos, S.V., Clarke, E.M., Marrero, W., Minea, M. and Hiraishi, H., "Computing quantiative characteristics of finite-state real-time systems," CMU Technical Report, CMU-CS-94-147, 1994. - [6] Emerson, E.A., Mok, A.K., Sistla, A.P. and Srinivasan, J., "Quantitative temporal reasoning," in *Lecture Notes in Computer Science*, Springer-Verlag, 1990. - [7] Fredette, A.N. and Cleaveland, R., "Rtsl: a language for real-time schedulability analysis," in *Proc. IEEE Real-Time Systems Symposium*, 1993. - [8] Gerber, R. and Lee, I., "A proof system for communicating shared resources," in *Proc. IEEE Real-Time Systems Symposium*, 1990. - [9] Lehoczky, J.P., Sha, L., Strosnider, J.K. and Tokuda, H., "Fixed priority scheduling theory for hard real-time systems," in Foundations of Real-Time Computing – Scheduling and Resource Management, Kluwer Academic Publishers, 1991. - [10] Liu, C.L. and Layland, J.W., "Scheduling algorithms for multiprogramming in a hard real-time environment," J. ACM, vol.20, no.1, 1973. - [11] Locke, C.D., Vogel, D.R. and Mesler, T.J., "Building a predictable avionics platform in Ada: a case study," in *Proc. IEEE Real-Time Systems Symposium*, 1991. - [12] McMillan, K.L., "Symbolic model checking an approach to the state explosion problem," Ph.D. Thesis, School of Computer Science, Carnegie Mellon Univ., May 1992. - [13] Sha, L., Klein, M.H. and Goodenough, J.B., "Rate monotonic analysis for real-time systems," in Foundations of Real-Time Computing Scheduling and Resource Management. Kluwer Academic Publishers, 1991. Sérgio V. Campos received the bachelors degree in computer science from Universidade Federal de Minas Gerais (Belo Horizonte — Brasil) in 1986 and the masters degree in computer science from the same university in 1990. Since 1990 he has been a doctoral student in the School of Computer Science at Carnegie Mellon University. His interests include verification of real-time systems, hardware and software in general. Edmund M. Clarke received the B.A. degree in mathematics from the University of Virginia, Charlottesville, in 1967, the M.A. degree in mathematics from Duke University, Durham NC, in 1968, and the Ph.D. degree in Computer Science from Cornell University, Ithaca NY, in 1976. After receiving his Ph.D., he taught in the Department of Computer Science, Duke University, for two years. In 1978 he moved to Harvard University, Cambridge, MA where he was an Assistant Professor of Computer Science in the Division of Applied Sciences. After leaving Harvard in 1982, he took a position as an Associate Professor in the Computer Science Department at Carnegie-Mellon University, Pittsburgh, PA. He was appointed Full Professor in 1989. His interests include software and hardware verification and automatic theorem proving. Dr. Clarke has served on the editorial boards of Distributed Computing and Logic and Computation and is currently an editor-in-chief of Formal Methods in Systems Design. He is a member of the Association for Computing Machinery, IEEE Computer Society, Sigma Xi, and Phi Beta Kappa. Wilfredo Marrero received the B.A. degree in Computer Science and Mathematics from Columbia University in the city of New York in 1992. Since then he has been a Ph.D. student working with Professor Edmund Clarke at Carnegie Mellon University in Pittsburgh. His research interests include software and hardware verification and automata theory. Mr. Marrero is also a member of Phi Beta Kappa. Marius Minea was born in 1969 in Timişoara, Romania. He received the Diploma-Engineer degree in Computer Science from the Technical University of Timişoarain 1993. Since then he has been a Ph.D. student in the School of Computer Science at Carnegie Mellon University. His interests include formal verification, real-time systems and computer-aided design. Hiromi Hiraishi was born in Kyoto, Japan, on February 21, 1951. He received the B.E., M.E. and D.E. degrees from Kyoto University in 1973, 1975 and 1983 respectively. From 1975 to 1991 he was a faculty of Department of Information Science, Kyoto University. Since 1991 he has been a Professor in Department of Information and Communication Sciences, Faculty of Engineering, Kyoto Sangyo University. His major research in- terests cover formal verification, temporal logics and computer aided design. He is a member of the Information Processing Society of Japan and the IEEE Computer Society.