The VerTeCs team is focused on the use of formal methods to assess the reliability, safety and security of reactive software systems. By reactive software system we mean a system controlled by software which reacts with its environment (human or other reactive software). Among these, critical systems are of primary importance, as errors occurring during their execution may have dramatic economical or human consequences. Thus, it is essential to establish their correctness before they are deployed in a real environment, or at least detect incorrectness during execution and take appropriate action. For this aim, the VerTeCs team promotes the use of formal methods, i.e. formal specification of software and their required properties and mathematically founded validation methods. Our research covers several validation methods, all oriented towards a better reliability of software systems:

Verification, which is used during the analysis and design phases, and whose aim is to establish the correctness of specifications with respect to requirements, properties or higher level specifications.

Control synthesis, which consists in “forcing” (specifications of) systems to behave as desired by coupling them with a supervisor.

Conformance testing, which is used to check the correctness of a real system with respect to its specification. In this context, we are interested in model-based testing, and in particular automatic test generation of test cases from specifications.

Diagnosis and monitoring, which are used at run time to detect erroneous behaviour.

Combinations of these techniques, both at the methodological level (combining several techniques within formal validation methodologies) and at the technical level (as the same set of formal verification techniques - model checking, theorem proving and abstract interpretation - are required for control synthesis, test generation and diagnosis).

Our research is thus concerned with the development of formal models for the description of software systems, the formalization of relations between software artifacts (e.g. satisfaction, conformance between properties, specifications, implementations), the interaction between these artifacts (modelling of execution, composition, etc). We develop methods and algorithms for verification, controller synthesis, test generation and diagnosis that ensure desirable properties (e.g. correctness, completeness, optimality, etc). We try to be as generic as possible in terms of models and techniques in order to cope with a wide range of application domains and specification languages. Our research has been applied to telecommunication systems, embedded systems, smart-cards application, and control-command systems. We implemented prototype tools for distribution in the academic world, or for transfer to the industry.

Our research is based on formal models and our basic tools are **verification** techniques such as model checking, abstract interpretation, the control theory of discrete event systems,
and their underlying models and logics. The close connection between
testing, control and verification produces a synergy between these
research topics and allows us to share theories, models, algorithms
and tools.

The formal models we use are mainly automata-like structures such as
labelled transition systems (LTS) and some of their extensions: an
LTS is a tuple

To model reactive systems in the testing context, we use Input/Output
labeled transition systems (IOLTS for short). In this setting, the
interactions between the system and its environment (where the tester
lies) must be partitioned into inputs (controlled by the environment),
outputs (observed by the environment), and internal (non observable)
events modeling the internal behavior of the system. The alphabet

In the controller synthesis theory, we also distinguish between
controllable and uncontrollable events (

In the context of verification, we also use Timed Automata. A timed
automaton is a tuple

Also, for verification purposes, we use graph grammars that are a general tool to define families of graphs. Such grammars are formed by a set of rules whose left-hand sides are hyperedges and right-hand sides are hypergraphs. For graphs with finite degree, these grammars characterise transition graphs of pushdown automata (the correspondence between graphs generated by grammars and transition graphs of pushdown automata is bijective). Graph grammars provide a simple yet powerful setting to define and study infinite state systems.

In order to cope with models closer to practical specification
languages, we also need higher level models encompassing both control
and data aspects. We defined (input-output) symbolic transition
systems ((IO)STS), which are extensions of (IO)LTS that convey or
operate on data (i.e., program variables, communication parameters,
symbolic constants) through message passing, guards, and assignments.
Formally, an IOSTS is a tuple

Our research is based on well established theories: conformance testing, supervisory control, abstract interpretation, and theorem proving. Most of the algorithms that we employ take their origins in these theories:

graph traversal algorithms (breadth first, depth first, strongly connected components, ...). We use these algorithms for verification as well as test generation and control synthesis.

BDDs (Binary Decision Diagrams) algorithms, for manipulating Boolean formulae, and their MTBDDs (Multi-Terminal Decision Diagrams) extension for manipulating more general functions. We use these algorithms for verification, test generation and control.

abstract interpretation algorithms, specifically in the abstract domain of convex polyhedra (for example, Chernikova's algorithm for the computation of dual forms). Such algorithms are used in verification and test generation.

logical decision algorithms, such as satisfiability of formulas in Presburger arithmetics. We use these algorithms during generation and execution of symbolic test cases.

Verification in its full generality consists in checking that a
system, which is specified by a formal model, satisfies a required
property. Verification takes place in our research in two ways: on
the one hand, a large part of our work, and in particular controller
synthesis and conformance testing, relies on the ability to solve
some verification problems. Many of these problems reduce to
reachability and coreachability questions on a formal model (a state
*reachable from an initial state ${s}_{i}$* if an execution
starting from

On the other hand we investigate verification on its own in the context of complex systems. For expressivity purposes, it is necessary to be able to describe faithfully and to deal with complex systems. Some particular aspects require the use of infinite state models. For example asynchronous communications with unknown transfer delay (and thus arbitrary large number of messages in transit) are correctly modeled by unbounded FIFO queues, and real time systems require the use of continuous variables which evolve with time. Apart from these aspects requiring infinite state data structure, systems often include uncertain or random behaviours (such as failures, actions from the environment), which it make sense to model through probabilities. To encompass these aspects, we are interested in the verification of systems equipped with infinite data structures and/or probabilistic features.

When the state space of the system is infinite, or when we try to evaluate performances, standard model-checking techniques (essentially graph algorithms) are not sufficient. For large or infinite state spaces, symbolic model-checking or approximation techniques are used. Symbolic verification is based on efficient representations of sets of states and permits exact model-checking of some well-formed infinite-state systems. However, for feasibility reasons, it is often mandatory to use approximate computations, either by computing a finite abstraction and resort to graph algorithms, or preferably by using more sophisticated abstract interpretation techniques. For systems with stochastic aspects, a quantitative analysis has to be performed, in order to evaluate the performances. Here again, either symbolic techniques (e.g. by grouping states with similar behaviour) or approximation techniques should be used.

We detail below verification topics we are interested in: abstract interpretation, quantitative model-checking and analysis of systems defined by graph grammars.

Most problems in test generation or controller synthesis reduce to
state reachability and state coreachability problems which can be
solved by fixpoint computations of the form *successor states*” function defined by the program.

The big change induced by taking into account the data and not only the (finite) control of the systems under study is that the fixpoints become uncomputable. The undecidability is overcome by resorting to approximations, using the theoretical framework of Abstract Interpretation . The fundamental principles of Abstract Interpretation are:

to substitute to the *concrete domain* *abstract domain*

to use a *widening operator* (dynamic approximation) to
make the iterative computation of the least fixpoint of

Approximations are conservative so that the obtained result is an
upper-approximation of the exact result.
In simple cases the state space that should be
abstracted has a simple structure, but this may be more complicated
when variables belong to different data types (Booleans, numerics,
arrays) and when it is necessary to establish *relations* between
the values of different types.

Model-checking techniques for finite-state systems are now quite developed, and a current challenge is to adapt them as much as possible to infinite-state systems. We detail below two types of models we are interested in: timed automata and infinite-state probabilistic systems.

**Model-checking timed automata** The model of timed automata,
introduced by Alur and Dill in the 90's is commonly
used to represent real-time systems. Timed automata consist of an
extension of finite automata with continuous variables, called clocks,
that evolve synchronously with time, and can be tested and reset along
an execution. Despite their uncountable state space, checking
reachability, and more generally *via* the construction of a finite abstraction, the
so-called region automaton. The recent developments in model-checking
timed automata have aimed at modelling and verifying quantitative
aspects encompassing timing constraints, for example costs,
probabilities, frequencies. These quantitative questions demand
advanced techniques that go far beyond the classical methods.

**Model-checking infinite state probabilistic systems**
Model-checking techniques for finite state probabilistic systems are
now quite developed. Given a finite state Markov chain, for example,
one can check whether some property holds almost surely (i.e. the set
of executions violating the property is negligible), and one can even
compute (or at leat approximate as close as wanted) the probability
that some property holds. In general, these techniques cannot be
adapted to infinite state probabilistic systems, just as
model-checking algorithms for finite state systems do not carry over
to infinite state systems. For systems exhibiting complex data
structures (such as unbounded queues, continuous clocks) and
uncertainty modeled by probabilities, it can thus be hard to design
model-checking algorithms. However, in some cases, especially when
considering qualitative verification, symbolic methods can lead to
exact results. Qualitative questions aim neither at computing nore at
approximating a probability, but are only concerned with almost-sure
or non neglectible behaviours (that is events of probability either
one or non zero). In some cases, qualitative model-checking can be
derived from a combination of techniques for infinite state systems
(such as abstractions) with methods for finite state probabilistic
systems. However, when one is interested in computing (or rather
approximating) precise probability values (neither 0 nor 1), exact
methods are scarce. To deal with these questions, we either try to
restrict to classes of systems where exact computations can be made,
or look for approximation algorithms.

Currently, many techniques (reachability, model checking, ...) from
finite state systems have been generalised to pushdown systems, that
can be modeled by graph grammars. Several such extensions heavily
depend on the actual definition of the pushdown automata, for example,
how many top stack symbols may be read, or whether the existence of

Deterministic graph grammars enable us to focus on structural properties of systems. The connection with finite graph algorithms is often straightforward: for example reachability is obtained by iterating the finite graph algorithm iterated on the right hand sides of the rules. On the other hand, extending these grammars with time or probabilities is not straightforward: qualitative values associated to different copies (in the graph) of the same vertex (in the grammar) may differ, introducing complex equations. Furthermore, the fact that the left-hand sides of rules are single hyperarcs is a strong restriction. But removing this restriction would lead to non-recursive graphs. Identifying decidable families of graphs defined by contextual graph grammars is also very challenging.

We are mainly interested in conformance testing, which consists in checking whether a black box implementation under test (the real system that is only known by its interface) behaves correctly with respect to its specification (the reference which specifies the intended behavior of the system). In the line of model-based testing, we use formal specifications and their underlying models to unambiguously define the intended behavior of the system, to formally define conformance and to design test case generation algorithms. The difficult problems are to generate test cases that correctly identify faults (the oracle problem) and, as exhaustiveness is impossible to reach in practice, to select an adequate subset of test cases that are likely to detect faults. Hereafter we detail some elements of the models, theories and algorithms we use.

We use IOLTS (or IOSTS) as formal models for specifications,
implementations, test purposes, and test cases. We adapt a well
established theory of conformance testing , which
formally defines conformance as a relation between formal models of
specifications and implementations. This conformance relation, called
**ioco** compares the visible behaviors (called *suspension
traces*) of the implementation

In other words, suspension traces of

Interestingly, this characterization presents conformance with respect
to *canonical tester*
*canonical tester* also serves as a basis for test selection.

Test cases are processes executed against implementations in order to
detect non-conformance. They are also formalized by IOLTS (or IOSTS)
with special states indicating *verdicts*. The execution of test
cases against implementations is formalized by a parallel composition
with synchronization on common actions. A *Fail* verdict means
that the implementation under test (IUT) is rejected and should
correspond to non-conformance, a *Pass* verdict means that the IUT
exhibited a correct behavior and some specific targeted behaviour has
been observed, while an *Inconclusive* verdict is given to a
correct behavior that is not targeted.

Test suites (sets of test cases) are required to exhibit some properties relating the verdict they produce to the conformance relation. Soundness means that only non conformant implementations should be rejected by a test suite and exhaustiveness means that every non conformant implementation may be rejected by the test suite. Soundness is not difficult to obtain, but exhaustiveness is not possible in practice and one has to select test cases.

Test selection is often based on the coverage of some criteria
(state coverage, transition coverage, etc). But test
cases are often associated with *test purposes* describing some
abstract behaviors targeted by a test case.
In our framework, test purposes are specified as
IOLTS (or IOSTS) associated with marked states or dedicated variables,
giving them the
status of automata or observers accepting runs
(or sequences of actions or suspension traces).
Selection of test cases amounts to selecting traces
of the canonical tester accepted by the test purpose.
The resulting test case is then both an observer of
the negation of a safety property (non-conformance wrt.

Our first test generation algorithms are based on enumerative techniques, thus adapted to IOLTS models, and optimized to fight the state-space explosion problem. On-the-fly algorithms where designed and implemented in the TGV tool, which consist in computing co-reachable states from a target state during a lazy exploration of the set of reachable states in a product of the specification and the test purpose . However, this enumerative technique suffers from some limitations when specification models contain data.

More recently, we have explored symbolic test generation techniques
for IOSTS specifications . The objective is to avoid
the state space explosion problem induced by the enumeration of
values of variables and communication parameters. The idea consists
in computing a test case under the form of an *IOSTS*, i.e., a
reactive program in which the operations on data are kept in a
symbolic form. Test selection is still based on test purposes (also
described as IOSTS) and involves syntactical transformations of IOSTS
models that should ensure properties of their IOLTS semantics.
However, most of the operations involved in test generation
(determinisation, reachability, and coreachability) become
undecidable. For determinisation we employ heuristics that allow us
to solve the so-called bounded observable non-determinism (i.e., the
result of an internal choice can be detected after finitely many
observable actions). The product is defined syntactically. Finally
test selection is performed as a syntactical transformation of
transitions which is based on a semantical reachability and
co-reachability analysis. As both problems are undecidable for
IOSTS, syntactical transformations are guided by over-approximations
using abstract interpretation techniques. Nevertheless, these
over-approximations still ensure soundness of test
cases . These techniques are implemented in
the STG tool (see ), with an interface with NBAC
used for abstract interpretation.

**The supervisory control problem** is concerned with ensuring
(not only checking) that a computer-operated system works correctly.
More precisely, given a system model and a required property, the
problem is to control the model's behavior, by coupling it to a
supervisor, such that the controlled system satisfies the
property . The models used are LTSs and the
associated languages, where one makes a distinction between *controllable* and *non-controllable* actions and between *observable* and *non-observable* actions. Typically, the
controlled system is constrained by the supervisor, which can block
on the system's controllable actions in order to force it to behave
as specified by the property. The control synthesis problem can be
seen as a constructive verification problem: building a supervisor
that prevents the system from violating a property. Several kinds
of properties can be enforced such as reachability, invariance (i.e.
safety), attractivity, etc. Techniques adapted from model checking
are used to compute the supervisor. Optimality must be taken into
account as one often wants to obtain a supervisor
that constrains the system as few as possible.

**Supervisory control theory overview**. Supervisory control
theory deals with control of Discrete Event Systems. In this theory,
the behavior of the system

where *controllability condition* and it may be stated as

Namely, when acting on

The underlying techniques are similar to the ones used for Automatic
Test Generation. They consist of computing the product of the system
model and

The methods and tools developed by the VerTeCs project-team for test generation and control synthesis of reactive systems are intended to be as generic as possible. This allows us to apply them in many application domains where the presence of software is predominant and its correctness is essential. In particular, we apply our research in the context of telecommunication systems, for embedded systems, for smart-cards application, and control-command systems.

Our research on test generation was initially proposed for conformance testing of telecommunication protocols. In this domain, testing is a normalized process , and formal specification languages are widely used (SDL in particular). Our test generation techniques have already proved useful in this context, going up to industrial transfer. New standardized component-based design methodologies such as UML and OMG's MDE increase the need for formal techniques in order to ensure the compositionality of components, by verification and testing. Our techniques, by their genericity and adaptativity, have also proved useful at different levels of these methodologies, from component testing to system testing. The telecommunication industry now also tries to provide more and more services to the users. These services must be validated.

In the context of transport, software embedded systems are increasingly predominant. This is particularly important in automotive systems, where software replaces electronics for power train, chassis (e.g. engine control, steering, brakes) and cabin (e.g. wiper, windows, air conditioning) or new services to passengers are increasing (e.g. telematics, entertainment). Car manufacturers have to integrate software components provided by many different suppliers, according to specifications. One of the problems is that testing is done late in the life cycle, when the complete system is available. Faced with these problems, but also with the complexity of systems, compositionality of components, distribution, etc, car manufacturers now try to promote standardized interfaces and component-based design methodologies. They also develop virtual platforms which allow for testing components before the system is complete. It is clear that software quality and trust are one of the problems that have to be tackled in this context. This is why we believe that our techniques (testing and control) can be useful.

The main application domain for our techniques is control-command systems. In general, such systems control costly machines (see, e.g., robotic systems, flexible manufacturing systems), that are connected to an environment (e.g., a human operator). Such systems are often critical systems and errors occurring during their execution may have dramatic economical or human consequences. In this field, the controller synthesis methodology (CSM) is useful to ensure by construction the interaction between 1) the different components, and 2) the environment and the system itself. For the first point, the CSM is often used as a safe scheduler, whereas for the second one, the supervisor can be interpreted as a safe discrete tele-operation system. Also in the context of the Vacsim ANR project, we investigate the testing, monitoring and verification of control-command systems.

Stg (Symbolic Test Generation) is a prototype tool for the generation and execution of test cases
using symbolic techniques. It takes as input a specification and a
test purpose described as IOSTS, and generates a test case program
also in the form of IOSTS. Test generation in STG is based on a
syntactic product of the specification and test purpose IOSTS, an
extraction of the subgraph corresponding to the test purpose,
elimination of internal actions, determinisation, and simplification.
The simplification phase now relies on NBAC, which approximates
reachable and coreachable states using abstract interpretation. It is
used to eliminate unreachable states, and to strengthen the guards of
system inputs in order to eliminate some *Inconclusive* verdicts.
After a translation into C++ or Java, test cases can be executed on an
implementation in the corresponding language. Constraints on system
input parameters are solved on-the-fly (i.e. during execution) using a
constraint solver. The first version of STG was developed in C++,
using Omega as constraint solver during execution. This version has
been deposited at APP under number
IDDN.FR.001.510006.000.S.P.2004.000.10600.

A new version in OCaml has been developed in the last years. This version is more generic and will serve as a library for symbolic operations on IOSTS. Most functionalities of the C++ version have been re-implemented. Also a new translation of abstract test cases into Java executable tests has been developed, in which the constraint solver is LuckyDraw (VERIMAG). This version has also been deposited at APP and is available for download on the web as well as its documentation and some examples.

Finally, in collaboration with ULB, we implemented a prototype **SMACS , derived from STG, devoted to the control of
infinite systems modeled by STS.
**

Sigali is a model-checking tool that operates on ILTS (Implicit Labeled Transition Systems, an equational representation of an automaton), an intermediate model for discrete event systems. It offers functionalities for verification of reactive systems and discrete controller synthesis. It is developed jointly by the ESPRESSO and VerTeCs teams. The techniques used consist in manipulating the system of equations instead of the set of solutions, which avoids the enumeration of the state space. Each set of states is uniquely characterized by a predicate and the operations on sets can be equivalently performed on the associated predicates. Therefore, a wide spectrum of properties, such as liveness, invariance, reachability and attractivity, can be checked. Algorithms for the computation of predicates on states are also available . Sigali is connected with the Polychrony environment (ESPRESSO project-team) as well as the Matou environment (VERIMAG), thus allowing the modeling of reactive systems by means of Signal Specification or Mode Automata and the visualization of the synthesized controller by an interactive simulation of the controlled system. Sigali is registered at APP.

Sigali is also integrated as part of the compiler of the language BZR.

Probabilistic

A quantitative semantics for infinite timed words in timed automata based on the frequency of a run was introduced earlier by Bertrand, Bouyer, Brihaye and Stainer. Unfortunately, most of the results are obtained only for one-clock timed automata because the techniques do not allow to deal with some phenomenon of convergence between clocks. On the other hand, the notion of forgetful cycle was introduced by Basset and Asarin, in the context of entropy of timed languages, and seems to detect exactly these convergences. In , we investigate how the notion of forgetfulness can help to extend the computation of the set of frequencies to n-clock timed automata.

While model checking PCTL for Markov chains is decidable in polynomial-time, the decidability of PCTL satisfiability, as well as its finite model property, are long standing open problems. While general satisfiability is an intriguing challenge from a purely theoretical point of view, we argue that general solutions would not be of interest to practitioners: such solutions could be too big to be implementable or even infinite. Inspired by bounded synthesis techniques, we turn to the more applied problem of seeking models of a bounded size: we restrict our search to implementable – and therefore reasonably simple – models. In and together with John Fearnley and Sven Schewe from University of Liverpool, we propose a procedure to decide whether or not a given PCTL formula has an implementable model by reducing it to an SMT problem. We have implemented our techniques and found that they can be applied to the practical problem of sanity checking – a procedure that allows a system designer to check whether their formula has an unexpectedly small model.

Testing remains a widely used validation technique for software systems. However, recent needs in software development (e.g., in terms of security concerns) may require to extend this technique to address a larger set of properties. In , we explore the set of testable properties within the Safety-Progress classification where testability means to establish by testing that a relation, between the tested system and the property under scrutiny, holds. We characterize testable properties w.r.t. several relations of interest. For each relation, we give a sufficient condition for a property to be testable. Then, we study and delineate a fine-grain characterization of testable properties: for each Safety-Progress class, we identify the subset of testable properties and their corresponding test oracle. Furthermore, we address automatic test generation for the proposed framework by providing a general synthesis technique that allows to obtain canonical testers for the testable properties in the Safety-Progress classification. Moreover, we show how the usual notion of quiescence can be taken into account in our general framework, and, how quiescence improves the testability results. Then, we list some existing testing approaches that could benefit from this work by addressing a wider set of properties. Finally, we propose Java-PT, a prototype Java toolbox that implements the results introduced in this article.

Runtime enforcement is a powerful technique to ensure that a running system respects some desired properties. Using an enforcement monitor, an (untrusted) input execution (in the form of a sequence of events) is modified into an output sequence that complies to a property. Runtime enforcement has been extensively studied over the last decade in the context of untimed properties. The paper , introduces runtime enforcement of timed properties. We revisit the foundations of runtime enforcement when time between events matters. We show how runtime enforcers can be synthesized for any safety or co-safety timed property. Proposed runtime enforcers are time retardant: to produce an output sequence, additional delays are introduced between the events of the input sequence to correct it. Runtime enforcers have been prototyped and our simulation experiments validate their effectiveness.

The analysis of discrete event systems under partial observation is an important topic, with major applications such as the detection of information flow and the diagnosis of faulty behaviors. In we consider recursive tile systems, which are infinite systems generated by a finite collection of finite tiles, a simplified variant of deterministic graph grammars. Recursive tile systems are expressive enough to capture classical models of recursive systems, such as the pushdown systems and the recursive state machines. They are infinite-state in general and therefore standard powerset constructions for monitoring do not always apply. We exhibit computable conditions on recursive tile systems and present non-trivial constructions that yield effective computation of the monitors. We apply these results to the classic problems of opacity and diagnosability.

Opacity is a security property formalizing the absence of (secret) information leakage. We address the problem of synthesizing opaque systems. A secret predicate S over the runs of a system G is opaque to an external user having partial observability over G, if he can never infer from the observation of a run of G that the run belongs to S. We choose to control the observability of events by adding a device, called a mask, between the system G and the users. We first investigate the case of static partial observability where the set of events the user can observe is fixed once and for all by a static mask. In this context, we show that checking whether a system is opaque is PSPACE-complete, which implies that computing an optimal static mask ensuring opacity is also a PSPACE-complete problem. Next, we introduce dynamic partial observability where the set of events the user can observe changes over time and is determined by a dynamic mask. We show how to check that a system is opaque w.r.t. to a dynamic mask and also address the corresponding synthesis problem: given a system G and secret states S, compute the set of dynamic masks under which S is opaque. Our main result is that the set of such masks can be finitely represented and can be computed in EXPTIME and that this is a lower bound. We also address the problem of computing an optimal mask. This work was published in FMSD .

The Vacsim project (2011-2014) is a 3-year project with EDF R&D, Dassault Systèmes, LURPA Cachan, I3S Nice and Labri Bordeaux. The project aims at developping both methodological and formal contributions for the simulation and validation of control-command systems. The role of the Vertecs team will be to contribute to the advance of validation techniques for timed systems, including quantitative analysis and its application to testing, monitoring of timed systems, and verification of communicating timed automata. The VACSIM project funds the PhD thesis of Srinivas Pinisetty.

The project Ctrl-Green (2011-2014) is a 3-year project with UJF/LIG, INPT/IRIT, Inria, EOLAS, Scalagent. This project aims at developing techniques for the automatic optimal management of reconfigurable systems in the context of data centers using discrete controller synthesis methodology applied in the synchronous paradigm. The role of the Vertecs team will be to contribute to the development of new controller synthesis methodology for symbolic synchronous systems handling variables and to its application to the autonomic management of data centers.

Program: FP7

Project acronym: Artist Design

Project title: Artist - European Network of Excellence on Embedded System Design

Duration: 01/08 - 03/12

Coordinator: VERIMAG

Abstract: The central objective for ArtistDesign is to build on existing structures and links forged in Artist2, to become a virtual Center of Excellence in Embedded Systems Design. This will be mainly achieved through tight integration between the central players of the European research community. Also, the consortium is smaller, and integrates several new partners. These teams have already established a long-term vision for embedded systems in Europe, which advances the emergence of Embedded Systems as a mature discipline.

The research effort aims at integrating topics, teams, and competencies, grouped into 4 Thematic Clusters: “Modelling and Validation”, “Software Synthesis, Code Generation, and Timing Analysis”, “Operating Systems and Networks”, “Platforms and MPSoC”. “Transversal Integration” covering both industrial applications and design issues aims for integration between clusters.

The Vertecs EPI is a partner of the “Validation” activity of the “Modeling and Validation” cluster. This year, the Vertecs EPI has contributed to quantitative verification of timed automata , test generation from nondeterministic timed automata , and control sysnthesis using abstract interpretation for infinite state systems .

Université Libre Bruxelles (Belgium), Prof. Thierry Massart, Testing and control of symbolic transitions systems.

University of Kaiserslautern (Germany), Roland Meyer, Petri nets.

University of Dresden (Germany), Prof. Christel Baier, Probabilistic automata over infinite words.

University of Mons (Belgium), Prof. Thomas Brihaye, Stochastic timed automata.

Laurie Ricker, associate professor at the Mathematics & Computer Science department of Mount Allison University (Canada) has visited Vertecs for 6 months, from January 2012 to June 2012. We collaborate on control of discrete event systems for distributed and decentralized systems.

Nathalie Bertrand spent 9 months at University of Liverpool, from November 1st 2011 to July 31st 2012. Her visit was supported by the Leverhulme Trust and the Sabbatical program of Inria, which also permitted Paulin Fournier to spend 5 months at University of Liverpool for his Master thesis.

was PC member of QAPL'12, QEST'12, Infinity'12 and SYNT'12. She is since september 2012 a Steering Committee member of QEST. She was invited to give a talk at the research seminar of the Quantitative Logics and Automata (QuantLA) Doctoral School in Dresden, in December 2012. She is also a member of the panel for the Gilles Kahn prize awarded each year to an excellent PhD thesis in computer science.

is Vice President of the Project Committee of Inria Rennes - Bretagne Atlantique. He is member of the IFIP Working Group 10.2 on Embedded Systems. He is a member of the Steering Committe of the School MOVEP (held in Marseille in December 2012), and PC member of ICFEM 2012, ICST 2012, ICTSS 2012, RV 2013, TAP 2012 and 2013. He gave a lecture at the Summer School TAROT 2012. He co-organizes the Dagstuhl Seminar 13021 on "Symbolic Methods in Testing" in January 2013.

is Associate Editor of the IEEE Transactions on Automatic Control since 2009 and member of the IFAC Technical Committees (TC 1.3 on Discrete Event and Hybrid Systems) since 2005. He is member of the steering committee of MSR (Modélisation de systèmes réactifs). He was PC member of WODES'12, ICINCO'12. He is organizer of MSR 2013 in Rennes.

**Nathalie Bertrand**

Master : Techniques de vérification avancées, 10h, niveau M2, ISTIC, Université de Rennes 1.

Agrégation : Langages formels, 16h, niveau M2, ENS-Cachan-Antenne de Bretagne.

**Sébastien Chédor**

Licence : Programmation Java, 20h, niveau L2, ISTIC, Université de Rennes 1.

APF, 20h, niveau L1, ISTIC, Université de Rennes 1.

Initiation LaTeX, 6h, niveau L3, ENS-Cachan-Antenne de Bretagne.

Programmation, 20h, niveau L3, ENS-Cachan-Antenne de Bretagne.

**Paulin Fournier**

Licence : Scheme (TP), 20h, niveau L1, INSA-Rennes.

**Christophe Morvan**

Licence : Object Oriented programming with Java, 120h, niveau L2, Université de Marne-la-Vallée.

Systèmes d'exploitation (Cours), 36h, niveau L3, Université de Marne-la-Vallée.

Compilation (Cours-TD), 60h, niveau L3, Université de Marne-la-Vallée.

**Amélie Stainer**

Licence : Base de données (Cours-TD-TP), 28h, niveau L2, INSA-Rennes.

Agrégation : Modélisation (Cours), 11h, niveau M2, ENS-Cachan-Antenne de Bretagne.

Oraux blancs, 12h, niveau M2, ENS-Cachan-Antenne de Bretagne.

Préparation de leçons d'informatique, 10h, niveau M2, ENS-Cachan-Antenne de Bretagne.

PhD in progress: **Sébastien Chédor**, Verification and test of
systems modeled by regular graphs, started in September 2009,
supervised by Christophe Morvan and Thierry Jéron.

PhD in progress: **Paulin Fournier**, Parameterized Verification of
probabilistic systems, started in September 2012,
supervised by Nathalie Bertrand and Thierry Jéron.

PhD in progress: **Srinivas Pinisetty**, Runtime validation of
critical control-command systems, started in December 2011,
supervised by Hervé Marchand and Thierry Jéron.

PhD in progress: **Amélie Stainer**, Quantitative verification of
timed automata, started in October 2010, supervised by Nathalie
Bertrand and Thierry Jéron.

Nathalie Bertrand was a member of the PhD defense jury of Youssouf Oualhadj (LaBRI, Bordeaux) in december 2012.

Christophe Morvan has been involved in the organization of a public talk on Turing (celebrating the centenary of his birth) by Jean Lassègue. See the webpage.