

# Computational Models for Embedded Systems

Vescan Andreea, PHD, Assoc. Prof.



Faculty of Mathematics and Computer Science  
Babeş-Bolyai University

Cluj-Napoca  
2025-2026



Lecture 7a: Finite State Machines (1)



# Software Systems Verification and Validation

---

“Tell me and I forget, teach me and I may remember, involve me and I learn.”

(Benjamin Franklin)

# Outline

- FSM – definition + example
- FSM – advantages & disadvantages
- FSM – modeling concurrency → composition
- Moore vs. Mealy
- **FSM – Demo - Traffic-Pedestrian**
  - FSMs – Traffic, Pedestrian, Traffic – Pedestrian – Composition
  - Traffic-Pedestrian – Electronic Circuit
  - Traffic-Pedestrian – Nucleo – project (video)
  - Traffic-Pedestrian – Model checking - JSpin
- Next lecture:
  - Invited lecture
  - Accenture

# FSM – definition

- $\text{FSM} = (I, O, S, r, \delta, \lambda)$ 
  - $I$  = input
  - $O$  = output
  - $S$  = states
  - $r$ =final states?
  - $\delta : I \times S \rightarrow S$  – state transition function
  - $\lambda : I \times S \rightarrow O$  – output function

# FSM – example

- If the driver turns on the key, and does not fasten the seat belt within 5 seconds
- then an alarm beeps for 5 seconds,
- or
- until the driver fastens the seat belt, or until the driver turns off the key



## FSM - example

- $\text{FSM} = (I, O, S, r, \delta, \lambda)$
- $I=\{\text{KEY\_ON}, \text{KEY\_OFF}, \text{BELT\_ON}, \text{END\_TIMER\_5}, \text{END\_TIMER\_10}\}$
- $O=\{\text{START\_TIMER}, \text{ALARM\_ON}, \text{ALARM\_OFF}\}$
- $S=\{\text{OFF}, \text{WAIT}, \text{ALARM}\}$
- $r=\text{OFF}$

Set of all subsets of  $I$  (implicit “and”)

- $\delta : 2^I \times S \rightarrow S$

e.g.  $(\{\text{KEY\_OFF}\}, \text{WAIT})=\text{OFF}$

All other inputs are implicitly absent

- $\lambda : 2^I \times S \rightarrow 2^O$

e.g.  $\lambda(\{\text{KEY\_ON}\}, \text{OFF})=\{\text{START\_TIMER}\}$

# FSM

## Advantages

- Easy to use  
(graphical languages)
- Powerful algorithms for
  - synthesis (SW and HW)
  - verification

## Disadvantages

- Sometimes over-specify implementation  
(sequencing is fully specified)
- Number of states can be unmanageable
- Numerical computations cannot be specified compactly  
(need Extended FSMs)

# Modeling Concurrency

- Need to compose parts described by FSMs
- Describe the system using a number of FSMs and interconnect them
- How do the interconnected FSMs talk to each other?
- Given ( $I$ -input,  $O$ -output,  $S$ -states,  $\delta : I \times S \rightarrow S$  state transition function,  $\lambda : I \times S \rightarrow O$  output function)
  - $M_1 = (I_1, O_1, S_1, r_1, \delta_1, \lambda_1)$  and
  - $M_2 = (I_2, O_2, S_2, r_2, \delta_2, \lambda_2)$
  - Find the composition
    - $M = (I, O, S, r, \delta, \lambda)$
    - Given a set of constraints of the form:
    - $C = \{(o, i_1, \dots, i_n) : o \text{ is connected to } i_1, \dots, i_n\}$

# FSM Composition

- Bridle complexity via hierarchy:

FSM product yields an FSM

- Fundamental hypothesis:
  - all the FSMs change state together (synchronicity)
- System state = Cartesian product of component states
  - (state explosion may be a problem...)

# FSM Composition

- Unconditional product  $M' = (I', O', S', r', \delta', \lambda')$
- $I' = I_1 \cup I_2$
- $O' = O_1 \cup O_2$
- $S' = S_1 \times S_2$
- $r' = r_1 \times r_2$
- $\delta' = \{(A_1, A_2, s_1, s_2, t_1, t_2) : (A_1, s_1, t_1) \in \delta_1 \text{ and } (A_2, s_2, t_2) \in \delta_2\}$
- $\lambda' = \{(A_1, A_2, s_1, s_2, B_1, B_2) : (A_1, s_1, B_1) \in \delta_1 \text{ and } (A_2, s_2, B_2) \in \delta_2\}$
- Note:
  - $A_1 \subseteq I_1, A_2 \subseteq I_2, B_1 \subseteq O_1, B_2 \subseteq O_2$
  - $2^{X \cup Y} = 2^X \times 2^Y$
- Constraint application
  - $\lambda = \{(A_1, A_2, s_1, s_2, B_1, B_2) \in \lambda' : \text{for all } (o, i_1, \dots, i_n) \in C \quad o \in B_1 \cup B_2 \text{ if and only if } i_j \in A_1 \cup A_2 \text{ for all } j\}$
  - The application of the constraint rules out the cases where the connected input and output have different values (present/absent).

# FSM Composition

- $I = I_1 \cup I_2$
- $O = O_1 \cup O_2$
- $S = S_1 \times S_2$

$o_1 \in O_1, i_3 \in I_2, o_1 = i_3$  (communication)



- Assume that

$$\delta_1(\{i_1\}, s_1) = t_1, \lambda_1(\{i_1\}, s_1) = \{o_1\}$$

$$\delta_2(\{i_2, i_3\}, s_2) = t_2, \lambda_2(\{i_2, i_3\}, s_2) = \{o_2\}$$

- We have:

$$\delta(\{i_1, i_2, i_3\}, (s_1, s_2)) = (t_1, t_2)$$

$$\lambda(\{i_1, i_2, i_3\}, (s_1, s_2)) = \{o_1, o_2\}$$

- i.e.  $i_3$  is in input pattern iff  $o_2$  is in output pattern.

# FSM Composition

- Problem: what if there is a cycle?
  - Moore machine:  $\delta$  depends on input and state,  $\lambda$  only on state
    - Composition is always *well-defined*
  - Mealy machine:  $\delta$  and  $\lambda$  depend on input and state
    - Composition may be *undefined*

*What if  $\lambda_1(\{i_1\}, s_1) = \{o_1\}$  but  $o_2 \notin \lambda_2(\{i_3\}, s_2)$ ?*

- Causality analysis in Mealy FSMs (Berry '98)



# Moore vs. Mealy

- Theoretically, same computational power (almost)
- In practice, different characteristics.

## Moore machines

- non-reactive  
(response delayed by 1 cycle)
- easy to compose  
(always well-defined)
- good for implementation
- software is always “slow”
- hardware is better when I/O is latched

## Mealy machines

- reactive (0 response time)
- hard to compose (problem with combinational cycles)
- problematic for implementation
- software must be “fast enough”  
(synchronous hypothesis)
- may be needed in hardware, for speed

# FSM – Mealy

- Finite-state components → behavior → a labeled finite graph
  - nodes = states of the component
  - $s =$  initial state → a sourceless edge incident on  $s$
  - a reaction → an edge from node  $s$  to node  $t$  labeled with input  $i$  and output  $o$ .
- Such graphs are called Mealy machines.
- Executions of the component = paths through this graph starting at an initial state.
- The Mealy machine representation of the Delay component



$$0 \xrightarrow{0/0} 0; \quad 0 \xrightarrow{1/0} 1; \quad 1 \xrightarrow{0/1} 0; \quad 1 \xrightarrow{1/1} 1.$$



# The vending machine

## - Example -

- A machine that sells coffee
  - Accepts one dollar (d1) bills
  - Maximum two dollars
  - Quarters change
  - Sells two products
  - Small coffee for \$1
  - Large coffee for \$1.25



# Denotational description basics

- Denotational descriptions are “implicit” in the sense that they describe the properties that the system must have. They often are given as a system of equalities and inequalities that must be satisfied by the system.
- The controller is denoted by a set of traces of symbols from an alphabet
- Non all-capital letters names belong to the alphabet of a process
- Capital letters names denote processes (CTRL is the controller process)
- A process is a letter followed by a process:  $P = x \rightarrow Q$
- SKIP is a process that successfully completes execution (it does nothing, it just completes the execution)
- If P and Q are processes then  $Z = P ; Q$  is a process that behaves like P until it completes and then like Q
- If P and Q are processes then  $P | Q$  denotes a choice between P and Q

# Vending machine description

- Alphabet



# Vending machine description

- Vending machine process

$$VM = (\text{SMALL} | \text{LARGE}); VM$$



Behaves as ( small “choice” large) until successful completion and then like VM

- It is a recursive definition of the form  $X = F(X)$
- For a large coffee:

$$\text{LARGE} = d1 \rightarrow (d1 \rightarrow (\text{lc} \rightarrow \text{CHANGE3}))$$

$$\text{CHANGE3} = q \rightarrow (q \rightarrow (q \rightarrow \text{STOP}))$$

# Vending machine FSM



# Vending machine

## I/O description

- $I = \{d1, sc, lc\}$
- $O = \{\text{serves}, \text{servel}, q\}$
- $S = \{\text{idle}, \$1, \$2, c1, c2, c3, c4\}$ 
  - (deterministic description)
    - $\delta : I \times S \rightarrow S$  state transition function
    - $\lambda : I \times S \rightarrow O$  output function
- Examples:  
 $\delta(d1, \text{idle}) = \$1 \rightarrow$  if waiting and one dollar is inserted  
change state to  $\$1$  credit  
 $\delta(sc, \$1) = \text{idle} \rightarrow$  if  $\$1$  credit and small coffee is requested, change state to idle and serve the coffee  
 $\lambda(sc, \$1) = \text{serves}$



# Vending machine

## I/O description

Labels: *input/output*, where input and output can both be empty



# Communication with the rest of the system

- Our state machine does not live in isolation
  - What is the communication semantics?
  - The serving system and the change return are electromechanical system with their own evolution dynamics



# FSM Composition

- **Concurrent Composition**

- Side-by-Side Synchronous Composition
- Side-by-Side Asynchronous Composition
- Shared Variables
- Cascade Composition



- The notation for FSMs becomes awkward when the number of states gets large.
- An extended state machine solves this problem by augmenting the FSM model with variables that may be read and written as part of taking a transition between states

- Lee and Seshia, *Introduction to Embedded Systems – A Cyber-Physical Systems Approach – Second Edition – MIT Press – 2017*, <https://ptolemy.berkeley.edu/books/leeseshia/>



## Extended State Machines



# FSM – Demo - Traffic-Pedestrian

## synchronous cascade composition

- FSM – Traffic
- FSM – Pedestrian
- FSM - Traffic – Pedestrian – Composition
- Traffic-Pedestrian – Electronic Circuit
- Traffic-Pedestrian – Nucleo – project (video)
- Traffic-Pedestrian – Model checking - JSpin



# FSM - Traffic - Pedestrian

## synchronous cascade composition

**variable:**  $count: \{0, \dots, 60\}$

**inputs:**  $pedestrian$  : pure

**outputs:**  $sigR, sigG, sigY$  : pure



**variable:**  $pcount: \{0, \dots, 55\}$

**input:**  $sigR$ : pure

**outputs:**  $pedG, pedR$ : pure



# FSM - Traffic - Pedestrian - Composition

## synchronous cascade composition



# FSM – Traffic – Pedestrian – Composition

## synchronous cascade composition

## Synchronous composition



# FSM - Demo - Traffic-Pedestrian

## synchronous cascade composition

- FSM – Traffic
- FSM – Pedestrian
- FSM - Traffic – Pedestrian – Composition
- Traffic-Pedestrian – Electronic Circuit
- Traffic-Pedestrian – Nucleo – project (video)
- Traffic-Pedestrian – Model checking - JSpin

The screenshot shows the JSpin Version 5.0 interface. The left side displays a state transition graph for a traffic-pedestrian system, featuring nodes like 'idle', 'red', 'green', and various atomic states for traffic and pedestrian signals. The right side shows the results of a state-space search. It includes a summary of search statistics: 888 states stored, 445 states watched, 1331 transitions (> stored=watched), and 16 atomic states. It also lists hash conflicts (0 resolved), memory usage (2.19G), and unreachable invariants. The search log at the bottom indicates the command run was successful, with files saved and a pan command completed.

```
File Edit Spin Convert Options Settings Output SpinSpider Help LTL formula [ ] ped_pres -> ped_cross
Open Check Random Interactive Guided Weak fairness Safety Verify Stop Translate Log LTL name SpinSpider Maximize
warning: never claim + accept Tlabel requires -a flag to fully validate the never claim must be
stutter-invariant
(Spin Version 5.0 - December 2010)
- Partial Order Reduction
Full state-space search for:
never claim
deadlock violations + (if within scope of c/claim)
cycle checks - (disabled by -DSEAFETY)
invalid and states
invalid atomic states
State-space search depth reached 765, *** errors: 0 ***
888 states, stored
445 states, watched
1331 transitions (> stored=watched)
16 atomic states
hash conflicts: 0 (resolved)
2.19G memory usage (Mb)
unreachable invariants
traffic_pedestrian.pml:42, state 58, "-end"
(1 of 58 states)
unreachable invariants
traffic_pedestrian.pml:53, state 16, "-end"
(1 of 16 states)
unreachable in claim never_D
E:\temp\ME533\spin\Beso\Channels\ traffic_pedestrian.ltl:11, state 11, "-end"
(1 of 11 states)
pan: elapsed time 0.001 seconds

E:\temp\ME533\spin\Beso\Channels\pan -e2000 -X ... done!
Saved traffic_pedestrian.ppr
Saved traffic_pedestrian.pml
bin\spin.exe -f "[!](ped_pres -> ped_cross)" ... done!
```

# References

- Rajeev Alur Principles of Embedded Computation, [Rajeev Alur](#)
  - <http://www.seas.upenn.edu/~cis540/>
  - Rajeev Alur, Principles of Cyber-Physical Systems, 2015 - COTA:9491
  - <https://www.bcucluj.ro/ro/despre-noi/filiala/biblioteca-de-matematic%C4%83-%C5%9Fi-informatic%C4%83>
- Lee and Seshia, *Introduction to Embedded Systems – A Cyber-Physical Systems Approach – Second Edition – MIT Press – 2017*, <https://ptolemy.berkeley.edu/books/leeseshia/>
- Design of Embedded Systems: Models, Validation and Synthesis, Alberto Sangiovanni-Vincentelli  
<https://inst.eecs.berkeley.edu/~ee249/fa07/>
- System Modelling (IL2202), [Axel Jantsch](#)  
<https://www.kth.se/student/kurser/kurs/IL2202?l=en>
- Statecharts: a visual formalism for complex systems, David Harel, **Science of Computer Programming, 1987**
- **The STATEMATE semantics of Statecharts, David HAREL, Amnon NAAMAD, ACM, 1996**

# CMES – Today

# Bring it All Together

## Finite State Machines

### FSM – definition + example



### Advantages

### Disadvantages

### FSM composition

- Bridle complexity via hierarchy:  
FSM product yields an FSM
- Fundamental hypothesis:  
All the FSMs change state together (synchronicity)
- System state = Cartesian product of component states  
State explosion may be a problem

### Moore vs. Mealy

## The vending machine

### FSM – Traffic – Pedestrian – Composition



# Next Lecture

- Invited lecture
- Accenture



# Thank You For Your Attention!

- ExitTicket
- Mentimeter
  - [menti.com](https://menti.com)
  - Code: ?





# Software Systems Verification and Validation

---

“Tell me and I forget, teach me and I may remember, involve me and I learn.”

(Benjamin Franklin)