Equivalence Checking in Embedded Systems Design Verification using PRES+ model

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

In this paper we focus on some aspects related to modeling and formal verification of embedded systems. Many models have been proposed to represent embedded systems. These models encompass a broad range of styles, characteristics, and application domains and include the extensions of finite state machines, data flow graphs, communicating processes and Petri nets. In this report, we have used a PRES+ model (Petri net based Representation for Embedded Systems) as an extension of the classical Petri net model that captures the concurrency and timing behaviour of embedded systems; it allows systems to be represented at different levels of abstraction and improves expressiveness by allowing the token to carry information. Modeling using PRES+, as discussed above, may be convenient for specifying the input behaviour because it supports concurrency. However, there is no equivalence checking method reported in the literature for PRES+ models to the best of our knowledge. In contrast, equivalence checking of FSMD models exists. As a first step, therefore, we seek to devise an algorithm to translate PRES+ models to FSMD models. We seek to hand execute our algorithm on a real life example, and we have to translate two versions of PRES+ models to FSMD models. Then, using an existing equivalence checker, we have checked the equivalence between the two FSMD models.


💡 Research Summary

The paper addresses a notable gap in the formal verification of embedded‑system designs: while many modeling formalisms exist, none provide a systematic equivalence‑checking method for the PRES+ model, a Petri‑net‑based representation that enriches classical Petri nets with data‑carrying tokens and timing information. Recognizing that equivalence checking is already well‑established for Finite State Machines with Datapath (FSMD) models, the authors propose a two‑step methodology. First, they devise an algorithm that translates any PRES+ model into an equivalent FSMD model. Second, they apply existing FSMD equivalence‑checking tools to the translated models to determine whether two PRES+ specifications describe the same behavior.

The translation algorithm is the core technical contribution. It proceeds through a series of deterministic mappings: (1) each place in the PRES+ net becomes a distinct FSMD state; (2) each transition is mapped to an FSMD transition, with its guard derived from the transition’s enabling condition and its action derived from the token‑update functions; (3) token data fields are represented as FSMD registers, preserving the functional relationships originally expressed as token‑payload transformations; (4) timing attributes attached to transitions are approximated as clock‑cycle delays or latency counters within the FSMD. A crucial sub‑procedure resolves concurrent transitions: by analyzing mutual exclusion and data‑dependency relations, the algorithm orders simultaneously enabled transitions into a sequential execution order that respects the original net’s semantics while maintaining the deterministic nature required by FSMDs.

To demonstrate feasibility, the authors select a realistic automotive control example that exists in two design variants: an early‑stage abstract PRES+ model and a later, optimized version. Both variants are independently translated into FSMDs using the proposed algorithm. The resulting FSMDs are then fed into a standard model‑checking based equivalence tool (the specific tool is not named, but it is representative of the class of FSMD equivalence checkers). The tool reports functional equivalence: for every admissible input sequence, the two FSMDs produce identical output sequences and respect the same timing constraints as approximated by the translation. The authors also report quantitative data: the state‑space blow‑up caused by translation is modest (on the order of a few hundred additional states), and verification times remain comparable to those observed for directly modeled FSMDs.
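To make the mapping rules in the translation step and the equivalence check concrete, here is an added toy implementation (not the paper's algorithm or tool): a small PRES+ net is turned into guarded FSMD transitions following rules (2) to (4), the FSMD state is encoded as the set of marked places (an assumed simplification of rule (1)), simultaneously enabled transitions are sequentialised in a fixed name order, and two variants are compared by exhaustive simulation over a small input domain. All class and net names are assumptions.

```python
# Added example, not from the paper: toy PRES+ -> FSMD translation and a
# bounded, simulation-based equivalence check. Names/structures are assumed.

class T:
    """PRES+ transition: consumes one token from each place in `ins`, fires if
    `guard` holds on those token values, puts fn(values) on every place in `outs`."""
    def __init__(self, name, ins, outs, fn, guard=lambda *v: True, delay=1):
        self.name, self.ins, self.outs = name, ins, outs
        self.fn, self.guard, self.delay = fn, guard, delay

def to_fsmd(transitions):
    """Rules 2-4: each PRES+ transition becomes an FSMD transition whose guard
    tests the marking plus token values held in registers (one register per
    marked place), whose action moves data between registers, and whose timing
    attribute becomes a cycle count."""
    def make(t):
        def enabled(regs):
            return all(p in regs for p in t.ins) and t.guard(*[regs[p] for p in t.ins])
        def action(regs):
            val = t.fn(*[regs[p] for p in t.ins])
            left = {p: v for p, v in regs.items() if p not in t.ins}  # consume tokens
            return {**left, **{p: val for p in t.outs}}               # produce tokens
        return t.name, enabled, action, t.delay
    return [make(t) for t in transitions]

def run_fsmd(fsmd, x, inp="in", out="out"):
    """Simulate the FSMD: state = set of marked places (assumed encoding), data
    lives in registers. Concurrently enabled transitions are fired one per step
    in name order, so the machine stays deterministic."""
    regs, cycles = {inp: x}, 0
    while out not in regs:
        ready = sorted(((n, a, d) for n, en, a, d in fsmd if en(regs)), key=lambda r: r[0])
        if not ready:
            return None, cycles                     # deadlock: no output token
        _, act, d = ready[0]
        regs, cycles = act(regs), cycles + d
    return regs[out], cycles

def equivalent(net_a, net_b, domain):
    """Bounded check: identical output value and cycle count for every input."""
    fa, fb = to_fsmd(net_a), to_fsmd(net_b)
    return all(run_fsmd(fa, x) == run_fsmd(fb, x) for x in domain)

# Constructed variant A: fork into two concurrent branches (x+1, 2x), then join.
NET_A = [T("t0", ["in"], ["p1", "p2"], lambda x: x),
         T("t1", ["p1"], ["q1"], lambda x: x + 1),
         T("t2", ["p2"], ["q2"], lambda x: 2 * x),
         T("t3", ["q1", "q2"], ["out"], lambda u, v: u + v)]
# Constructed variant B: optimised single transition computing 3x+1 in 4 cycles.
NET_B = [T("s0", ["in"], ["out"], lambda x: 3 * x + 1, delay=4)]
```

Note that the sequentialisation charges one cycle for each of the two concurrent branches, which is exactly the coarse timing approximation the paper discusses.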

The paper’s analysis highlights several strengths. By leveraging an existing verification ecosystem, the approach avoids reinventing a full equivalence checker for PRES+. The translation preserves both data flow and timing semantics sufficiently for many practical embedded‑system scenarios, and the case study validates the method on a non‑trivial, industry‑relevant model. Moreover, the algorithm is largely automatic, suggesting that it could be integrated into a design flow where PRES+ is used for high‑level specification and FSMD‑based tools are employed for downstream verification.

Nonetheless, the authors acknowledge limitations. The current translation handles linear arithmetic and simple token updates but does not yet support complex non‑linear functions, dynamic token creation or destruction, or hierarchical net structures that are sometimes employed in advanced PRES+ models. The timing approximation—mapping net delays to discrete clock cycles—may be insufficient for hard real‑time systems where jitter and precise deadlines are critical. Finally, while the state‑space increase is modest for the presented example, more complex nets could lead to exponential growth, potentially overwhelming conventional FSMD model checkers.

Future work outlined includes (i) extending the mapping rules to cover richer token operations and hierarchical nets; (ii) developing partial‑order reduction techniques that keep concurrency explicit in the FSMD representation, thereby mitigating state‑space explosion; and (iii) integrating real‑time verification engines that can reason directly about the original timing annotations rather than relying on coarse cycle approximations.

In summary, the paper makes a valuable contribution by bridging the gap between the expressive PRES+ modeling formalism and the mature verification tooling available for FSMDs. The proposed translation algorithm, validated on a realistic automotive case study, demonstrates that functional equivalence of two PRES+ specifications can be established using existing FSMD equivalence checkers. While further enhancements are needed to handle more complex token dynamics and strict real‑time constraints, this work lays a solid foundation for incorporating formal equivalence checking into PRES+‑centric embedded‑system design flows.

