A timed extension for AltaRica
Franck Cassez, Claire Pagetti, Olivier Roux
To cite this version:
Franck Cassez, Claire Pagetti, Olivier Roux. A timed extension for AltaRica. Fundamenta Informaticae, Polskie Towarzystwo Matematyczne, 2004, 62 (3–4), pp.291–332. <inria-00363026>
HAL Id: inria-00363026
https://hal.inria.fr/inria-00363026
Submitted on 20 Feb 2009
Fundamenta Informaticae XXI (2001) 1001–1042
IOS Press
A Timed Extension for AltaRica
Franck Cassez, Claire Pagetti and Olivier Roux
IRCCyN
1 rue de la Noë
BP 92101
44321 Nantes Cedex 3
France
email: Name.Surname@irccyn.ec-nantes.fr
Abstract. In this paper we present a timed extension of the AltaRica formalism. Following previous
works, we first extend the semantics of AltaRica with time and define timed components and timed
nodes. Moreover we lift the priority features of AltaRica to the timed case. We obtain a timed
version of AltaRica, called Timed AltaRica. Finally we give a translation of a Timed AltaRica
specification into a usual timed automaton. These are the semantic foundations of a high-level
hierarchical language for the specification of timed systems.
Keywords: AltaRica, Semantics, Timed Automata
1. Introduction
Context. The development of complex and safety-critical systems requires the use of formal methods and tools for system design and specification. In the case of discrete systems, the so-called reactive languages [1, 2, 3, 4] have been used for almost a decade to specify industrial systems. They give a rigorous and elegant basis for the structured development of reactive systems, for instance through composition and hierarchical specifications. Techniques such as model-checking can then be applied to these specifications to check properties of the designed systems.
The need for a counterpart specification language in the case of timed specifications arose recently, as timing information can now be dealt with while verifying a system with tools like UPPAAL [5], CMC [6], KRONOS [7] or HyTech [8]. We give here the theoretical foundations of such a high-level specification language for timed systems. We extend the AltaRica [9, 10, 11] formalism with timing features.
Address for correspondence: Franck Cassez, IRCCyN, BP 92101, 1 rue de la Noë, 44321 Nantes Cedex 3, France
AltaRica is a high-level specification formalism that allows one to specify constraint automata [9]
with the following features:
• a component has its own variables (internal or external), plus some others it can only read (flow
variables) that are shared by the others;
• components can be defined hierarchically and composed together by a general synchronization mechanism. Such a general component is called a node. One can express broadcast communication, give priority among some transitions, etc.
Moreover AltaRica has an unambiguous semantics [11, 10] defined in terms of (interfaced) transition
systems. From this semantic model, it is possible to compile AltaRica to lower level formalisms for
different verification purposes: fault-trees to perform reliability analysis [12], Petri nets, Markov graphs
or finite state automata (that can be analysed with the tool MEC [13, 14, 15, 16] for instance).
Nevertheless one cannot specify real-time constraints in AltaRica and of course this becomes crucial
when some timing information contributes to the modelling and correctness of the system. Moreover
there is no real high-level specification language for timed and hybrid systems. This makes AltaRica
a good candidate to fill this gap. Once the language has been extended with timing constraints, we can
take advantage of the work carried out these last years about timed systems: it is now well-known how to
deal with the verification of timed automata [17] and hybrid automata [18, 19] and many efficient tools
are now available [8, 7, 20]. This adds a new feature to the AltaRica toolbox.
Our Contribution. Our work consists in extending the AltaRica formalism with real-time constraints and defining a timed version of AltaRica called Timed AltaRica. We thus extend the theoretical foundations of AltaRica: we enhance the semantic model of AltaRica, the interfaced transition system (ITS), into the timed interfaced transition system (TITS) and give the semantics of Timed AltaRica in terms of TITS. We proceed by shifting all the theoretical results obtained for AltaRica (e.g. interfaced bisimulation homomorphism, rewriting of a node into a component, . . . ) to the timed case: this is important as it gives Timed AltaRica good compositional properties that are needed in practice. Finally we present an algorithm to compile Timed AltaRica specifications into timed automata (which can then be analyzed with UPPAAL [5]).
Outline of the paper. In the next section, we recall the basics of AltaRica and introduce a running example: the Train-Gate-Controller example. Section 3 is the core of the paper and presents Timed AltaRica, the timed extension of AltaRica. In sections 4 and 5 we respectively give (i) the algorithm for translating Timed AltaRica components into timed automata and (ii) an example of the use of priorities for timed specifications. We conclude with some perspectives in section 6.
The proofs of the theorems are given in the appendices (pages 1035–1042).
2. An Overview of the AltaRica Language
In this section we recall some basics of AltaRica [10, 11] and give an example of an AltaRica specification: the train-gate-controller [21]. In this example, the aim is to keep the gate closed when a train is in a critical section. We will use three AltaRica components to model the system and describe how they synchronize.
2.1. Specifying Reactive Systems in AltaRica
A specification in AltaRica is a node. A node is a hierarchical description. It can be built from sub-nodes
and so on. A node that contains no sub-nodes is a component. A node is basically composed of:
• the variables definitions (type, range, . . . ), and events definitions,
• the transition relation,
• the initial constraint and global constraint.
1: node TRAIN
2: flow N : [0,1]; // These are the flow variables
3: event approach, in, exit;
4: state etat : [0,2]; n : [0,1];
5: trans
6: etat=0 |- approach ->
7: etat := 1, n := 1;
8: etat=1 |- in -> etat := 2;
9: etat=2 |- exit -> etat := 0, n := 0;
10: init
11: etat:=0, n:=0;
12: assert
13: N=n;
14: edon
(a) Spec. of the Train in AltaRica
[Figure 1(b): automaton with locations Far ≡ etat = 0, Before ≡ etat = 1, On ≡ etat = 2, and transitions Far --approach, n := 1--> Before, Before --in--> On, On --exit, n := 0--> Far]
(b) Spec. of the Train as an Automaton
Figure 1. Specification of a Train
2.1.1. Components
In the example of Fig. 1, we define a component^1 train to model the behaviour of a train in two equivalent manners in order to ease the understanding: an AltaRica description (see Fig. 1(a)) and a standard automaton (see Fig. 1(b)). A train is either Far from the critical section, or Before or On, meaning it is respectively near or inside the critical zone. In the AltaRica specification, the variable etat (line 4) ranging in [0, 2] represents the locations Far, Before, On of the train. The events of the component TRAIN are approach, in and exit (line 3). We also use a state variable n (line 4) to denote that the train is in {Before, On}. Initially the component is in configuration etat=0, n=0, N=0 (line 11), written (0, 0, 0) for short. When a transition occurs the values of the state variables change accordingly, as well as the value of the flow variable in order to satisfy the assertion (line 13). For instance, when event approach occurs in (0, 0, 0) the configuration (1, 1, 1) is reached.
1 In AltaRica the keyword node is used for components (nodes with no sub-nodes) as well as for hierarchical nodes; indeed a component is a special case of node with no sub-nodes.
2.1.2. Interfaces
The component’s state variables are not visible from outside of the component. Their scope is thus the component itself, just as in usual programming languages. To allow sharing of information and synchronization on variables of other components one can use flow variables. Flow variables can be read by other nodes. The part of the component which is visible to other components is called the interface. It consists of the events of the component and the flow variables.
The flow variable N is in the interface of the node TRAIN (line 2). This means that other nodes can read it and use the value of N. The value of the flow variable N is constrained to be equal to n at any time (see the assert, line 13), and the purpose of N is to make the value of n available outside.
Assume another node for the controller is given by the AltaRica specification of Fig. 2(a). A transition of the form etat = 1 |- approach -> ; (line 9) means that approach does not bring about any change in the state variables values (but note that this is not a deadlock!). In the component CONTROLLER the purpose of the flow variable N (referred to as CONTROLLER.N from now on) is to count the total number of trains in the region {Before, On} (if we assume there are many train components). Depending on the value of the flow CONTROLLER.N the controller will make the gate go up on an exit signal (if the value is 1, line 8) or will leave the gate closed if CONTROLLER.N > 1 (line 7).
The value of CONTROLLER.N may change on any discrete transition and be assigned any integer as no assertion constrains this flow in the node CONTROLLER. Apart from the events listed in the component’s events section (line 3), we assume a special discrete event ε for synchronization purposes. This event is enabled in any configuration and does not change the values of variables of type state. Nevertheless flow variables can be updated on ε transitions with values satisfying the assertion. As the assertion of the node CONTROLLER is implicitly true, the variable CONTROLLER.N may be assigned any integer value on an ε transition. This somewhat strange behavior will become clear when we introduce hierarchical nodes and constraints among flows of different nodes (see the assert line of Fig. 3, line 15).
As for the node GATE (Fig. 2(b)), it consists in receiving orders from the controller (events Go_up and Go_down) and, after a while^2, actually going up or down (events up and down).
2 We will see later how this can be made precise using timing constraints to make a timed version of the controller and the gate in Fig. 5.
2.1.3. Hierarchy and Synchronization
As emphasized in the introduction, one can describe a system by composing and building new nodes from sub-nodes. For example we can define a node Main (see Fig. 3) specifying the train-gate-controller with two trains. Indeed nodes can be instantiated and used as templates to build higher-level nodes.
The node of Fig. 3 is composed of four instantiated sub-nodes (t1, t2, g and c, see Fig. 3, lines 2–5) which interact in two ways: flow coordination and synchronization of events. The synchronization constraint (after keyword sync, lines 6–14) reads as follows: if a component does not appear in a synchronization vector, it is assumed to do the ε action. Note that events up and down are not synchronized and thus they will be assumed to be synchronized with ε transitions of the other components. Finally the global assertion, line 15, constrains the flow variables so that N of the node MAIN is always equal
1: node CONTROLLER
2: flow N : [0,p];
3: event approach, exit, Go_up, Go_down;
4: state etat : [0,2];
5: trans
6: etat=0 |- approach -> etat := 1;
7: etat=0 & N>1 |- exit -> ;
8: etat=0 & N=1 |- exit -> etat := 2;
9: etat = 1 |- approach -> ;
10: etat = 1 |- exit -> ;
11: etat=1 |- Go_down -> etat := 0;
12: etat=2 |- Go_up -> etat := 0;
13: etat=2 |- approach -> etat := 1;
14: init etat := 0, z := 0;
15: edon
(a) The Controller
node GATE
event Go_down, Go_up, down, up;
state etat : [0,3];
trans
etat=0 |- Go_up -> ;
etat=0 |- Go_down -> etat := 1;
etat=1 |- Go_down -> ;
etat=1 |- down -> etat := 2;
etat=1 |- Go_up -> etat :=3;
etat=2 |- Go_down -> ;
etat=2 |- Go_up -> etat := 3;
etat=3 |- Go_up -> ;
etat=3 |- Go_down -> etat := 1;
etat=3 |- up -> etat := 0;
init etat:=0;
edon
(b) The Gate
Figure 2. AltaRica Specifications for the Controller and the Gate
to the number of trains in the critical section. A joint move of the components t1, t2, g, c can be <t1.approach,t2.approach,c.approach> (see line 7), in which case the variable c.N will be updated on the ε move of component c to satisfy the assertion of node MAIN, i.e. c.N=t1.N+t2.N. This is why we need to have the possibility to update flow variables on ε transitions. Anyway a meaningful specification should be such that all flow variables are constrained at least in the outermost node. Note that some constraints could be unsatisfiable: for instance if we add t1.N=2+t2.N to the assert line, this clearly cannot be satisfied and the resulting system has no configuration. It is also possible to constrain the state space: if we use t1.N=t2.N we impose that the two trains issue approach at the same time and leave the critical section at the same time (event exit). This is due to the fact that no configuration with t1.N not equal to t2.N is satisfiable, hence no transition with only one approach event can be fired.
1: node MAIN
2: sub
3: t1,t2 : TRAIN;
4: g : GATE;
5: c : CONTROLLER;
6: sync
7: <t1.approach,t2.approach,c.approach>;
8: <t1.approach,c.approach>;
9: <t2.approach,c.approach>;
10: <t1.exit,t2.exit,c.exit>;
11: <t1.exit,c.exit>;
12: <t2.exit,c.exit>;
13: <g.Go_down,c.Go_down>;
14: <g.Go_up,c.Go_up>;
15: assert c.N=t1.N+t2.N;
16: edon
Figure 3. Hierarchical Node
2.2. Formal Semantics of AltaRica
The semantics of AltaRica specifications is given by Interfaced Transition Systems. For a detailed
presentation of these notions the reader is referred to [11, 10].
2.2.1. Interfaced Transition Systems
Definition 2.1. (Interfaced Transition System [10])
An interfaced transition system (ITS) is a tuple $A = \langle E, F, S, \pi, T \rangle$ with:
1. $E = E^+ \cup \{\varepsilon\}$ is a finite set of events such that $\varepsilon \notin E^+$;
2. $F$ is a set of flow values;
3. $S$ is the set of states;
4. $\pi : S \to 2^F$ associates to each state $s$ in $S$ all the admissible flow values in $s$. We assume $\forall s \in S,\ \pi(s) \neq \emptyset$;
5. $T \subseteq S \times F \times E \times S$ is the transition relation and satisfies:
(a) $(s, f, e, s') \in T \Rightarrow f \in \pi(s)$
(b) $\forall s \in S,\ \forall f \in \pi(s),\ (s, f, \varepsilon, s) \in T$
A configuration of an ITS is a pair $(s, f) \in S \times F$ such that $f \in \pi(s)$. Every tuple $(s, f, e, s') \in T$ corresponds to the set of transitions $((s, f), e, (s', f'))$ between configurations s.t. $f' \in \pi(s')$.
Remark 2.1. In AltaRica, if a transition $(s, f, e, s')$ is firable then there exists a configuration $(s', f')$ (as item 4 of Def. 2.1 assumes $\pi(s)$ is not empty for $s \in S$). This remark will carry over to timed ITS. The set $F$ may be considered as a set of properties (or observations) associated to the states by the mapping $\pi$. Also note that $T$ is a shorthand for the explicit transition relation $T'$ between configurations with $T' \subseteq S \times F \times E \times S \times F$ and $(s, f, e, s', f') \in T' \iff (s, f, e, s') \in T \wedge f' \in \pi(s')$.
2.2.2. Priorities
In AltaRica we can constrain the behaviours of a system by giving priorities to some transitions when more than one is possible. For instance, this concept is classical in scheduling [22]. Formally, a priority relation $<$ is a strict partial order over the events. A transition labelled $e$ can be fired from a configuration $(s, f)$ if it is maximal, i.e. no other transition $e'$ such that $e < e'$ is firable in $(s, f)$.
Definition 2.2. (Priority relation [10])
A priority relation over $E$ is a strict partial order over $E$ such that $\forall v \in E^+,\ v \not< \varepsilon$ and $\varepsilon \not< v$ (with $E^+ = E \setminus \{\varepsilon\}$).
Definition 2.3. (Priority Restriction Operator)
Let $A = \langle E, F, S, \pi, T \rangle$ be an ITS and $<$ a priority relation over $E$. We define the priority restriction operator $\upharpoonright$ for the transition relation $T \subseteq S \times F \times E \times S$ and the priority relation $<$ by:
$$(s, f, e, s') \in T{\upharpoonright_<} \iff (s, f, e, s') \in T \wedge \big( \forall e' \in E,\ (\exists s'' \in S \mid (s, f, e', s'') \in T) \Longrightarrow e \not< e' \big).$$
2.2.3. Formulas and Expressions
We consider hereafter the expressions $\mathcal{E}(X)$ built over the variables in a set $X$. These expressions can be either integer terms, boolean terms, etc. The only thing we assume is that the variables in $X$ take their values in a set $D$. A valuation $\nu$ of a set of variables $X$ is a mapping $\nu : X \to D$ and the set of valuations of $X$ is denoted $D^X$. The value of an expression $e \in \mathcal{E}(X)$ in the context $\nu : X \to D$ is denoted $e(\nu)$.
Given a set $\mathcal{E}(X)$ we can define the set $\mathcal{F}(X)$ of first order formulas over $\mathcal{E}(X)$ using some suitable predicates (e.g. $\le$, $=$ in the case of integer expressions) and the existential and universal quantifiers. For $f \in \mathcal{F}(X)$ we denote by $\mathit{free}(f)$ the set of free variables in $f$. We assume that $\mathit{tt}$ (true) and $\mathit{ff}$ (false), which are predicates of arity 0, belong to $\mathcal{F}(X)$. In the sequel we often omit the base set $X$ when we use $\mathcal{F}(X)$, as only the free variables used in a formula $f \in \mathcal{F}(X)$ are relevant.
The interpretation $\llbracket f \rrbracket$ of a formula $f \in \mathcal{F}(X)$ with $\mathit{free}(f) \subseteq X'$ is a subset of $D^{X'}$: $\llbracket f \rrbracket \subseteq D^{X'}$. Also we have $\llbracket \mathit{tt} \rrbracket = D^X$ and $\llbracket \mathit{ff} \rrbracket = \emptyset$.
An assignment for the variables in $X$ is a mapping $a : X \to \mathcal{E}(X)$. Intuitively an assignment of the form $x := y + z + 2$ will be defined by $a(x) = y + z + 2$. Given a valuation $\nu : X \to D$, we denote by $a(\nu)$ the valuation defined by $a(\nu)(x) = a(x)(\nu)$. We denote by $\mathit{Id}$ the identity assignment such that $\forall x,\ \mathit{Id}(x) = x$.
Now we define an abstract syntax for the AltaRica components and nodes again taken from [10].
2.2.4. AltaRica Components
AltaRica components give an abstract syntax for the basic systems (no hierarchy) introduced in the
previous section.
Definition 2.4. (Component)
A component is a tuple $C = \langle V_S, V_F, E, A, M, < \rangle$ with:
1. $V_S$, $V_F$ are finite, pairwise disjoint sets of state variables and flow variables respectively. We denote $V_C = V_S \cup V_F$;
2. $E = E^+ \cup \{\varepsilon\}$ is a finite set of events and as usual $\varepsilon$ is the empty action;
3. $A \in \mathcal{F}$ is an assertion such that $\mathit{free}(A) \subseteq V_C$;
4. $M \subseteq \mathcal{F} \times E \times \mathcal{E}(V_C)^{V_S}$ is a macro-transition relation such that $(\mathit{tt}, \varepsilon, \mathit{Id}) \in M$ and every $(g, e, a) \in M$ satisfies:
(a) $g \in \mathcal{F}$ is a guard such that $\mathit{free}(g) \subseteq V_C$,
(b) $e \in E^+$ is the event of the transition,
(c) $a : V_S \to \mathcal{E}(V_C)$ is an assignment for the variables in $V_S$;
5. $<$ is a priority relation.
Remark 2.2. In [10], another set of flow variables is defined: it corresponds to unobservable flow vari-
ables that can be used as intermediary variables. We omit them in this work as they do not increase the
expressiveness of the language. Indeed they can be defined as existentially quantified flow variables in
the assertion of a node.
Now we can define the semantics of a component to be an ITS. For the semantic definitions, we assume that all variables in $V_S \cup V_F$ have a common domain $D$.
Definition 2.5. (Semantics of Components)
Let $C = \langle V_S, V_F, E, A, M, < \rangle$ be a component. The semantics of $C$ is the interfaced transition system $\llbracket C \rrbracket = \langle E, F, S, \pi, T \rangle$ constructed in the following way:
1. $F = D^{V_F}$;
2. $S = \{ s \in D^{V_S} \mid \exists f \in D^{V_F} \mid (s, f) \in \llbracket A \rrbracket \}$;
3. $\pi : S \to 2^F$ such that $\pi(s) = \{ f \mid (s, f) \in \llbracket A \rrbracket \}$;
4. $T \subseteq S \times F \times E \times S$ is given by $T = \llbracket M \rrbracket{\upharpoonright_<}$ with:
(a) let $t = (g, e, a) \in M$, then $\llbracket t \rrbracket = \{ (s, f, e, s') \mid (s, f) \in \llbracket A \wedge g \rrbracket \wedge s' = a(s, f) \}$,
(b) $\llbracket M \rrbracket = \bigcup_{t \in M} \llbracket t \rrbracket$.
Note that because of item 4 above the requirement $\pi(s) \neq \emptyset$ for ITS is always fulfilled.
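The following Python is added here as a worked example and is not code from the paper or from the AltaRica toolset: it implements Definitions 2.3 and 2.5 and runs them on the TRAIN component of Fig. 1 and the CONTROLLER of Fig. 2(a). The bound p = 2 and the priority approach < exit used for the controller are assumptions of this example, not part of Fig. 2(a).

```python
from itertools import product

# Added example, not code from the paper: Definition 2.5 (the ITS semantics of
# a component) and Definition 2.3 (priority restriction), applied to the TRAIN
# component of Fig. 1 and to the CONTROLLER of Fig. 2(a). A component is a dict
# holding the domains of its state and flow variables, the assertion A, the
# macro-transitions M as (guard, event, assignment) triples and the priority
# relation < as a set of (lower, higher) event pairs.

TRAIN = {
    "state": {"etat": range(3), "n": range(2)},
    "flow": {"N": range(2)},
    "assert": lambda s, f: f["N"] == s["n"],            # assert N=n (line 13)
    "trans": [
        (lambda s, f: s["etat"] == 0, "approach", lambda s, f: {"etat": 1, "n": 1}),
        (lambda s, f: s["etat"] == 1, "in", lambda s, f: {"etat": 2}),
        (lambda s, f: s["etat"] == 2, "exit", lambda s, f: {"etat": 0, "n": 0}),
    ],
    "prio": set(),                                       # no priority in Fig. 1
}

# CONTROLLER with the bound p = 2 (two trains) and the priority approach < exit;
# both are assumptions made here for illustration, not part of Fig. 2(a).
CONTROLLER = {
    "state": {"etat": range(3)},
    "flow": {"N": range(3)},
    "assert": lambda s, f: True,                         # no assert: implicitly tt
    "trans": [
        (lambda s, f: s["etat"] == 0, "approach", lambda s, f: {"etat": 1}),
        (lambda s, f: s["etat"] == 0 and f["N"] > 1, "exit", lambda s, f: {}),
        (lambda s, f: s["etat"] == 0 and f["N"] == 1, "exit", lambda s, f: {"etat": 2}),
        (lambda s, f: s["etat"] == 1, "approach", lambda s, f: {}),
        (lambda s, f: s["etat"] == 1, "exit", lambda s, f: {}),
        (lambda s, f: s["etat"] == 1, "Go_down", lambda s, f: {"etat": 0}),
        (lambda s, f: s["etat"] == 2, "Go_up", lambda s, f: {"etat": 0}),
        (lambda s, f: s["etat"] == 2, "approach", lambda s, f: {"etat": 1}),
    ],
    "prio": {("approach", "exit")},
}

EPS = "eps"  # the empty action epsilon


def valuations(domains):
    """All valuations of the given variables, as hashable (name, value) tuples."""
    names = list(domains)
    return [tuple(zip(names, vals)) for vals in product(*(domains[x] for x in names))]


def restrict(T, prio):
    """Definition 2.3: keep (s, f, e, s') only if no event e' with e < e'
    is enabled in the configuration (s, f)."""
    enabled = {}
    for s, f, e, _ in T:
        enabled.setdefault((s, f), set()).add(e)
    return {t for t in T
            if not any((t[2], e2) in prio for e2 in enabled[(t[0], t[1])])}


def semantics(comp):
    """Definition 2.5: build (pi, T) of the ITS of a component; S is pi's key set."""
    A, flows = comp["assert"], valuations(comp["flow"])
    # Items 2 and 3: keep the states that admit a flow satisfying A, with pi(s).
    pi = {}
    for s in valuations(comp["state"]):
        admissible = {f for f in flows if A(dict(s), dict(f))}
        if admissible:
            pi[s] = admissible
    # Item 4: semantics of each macro-transition, plus (tt, eps, Id) which is in M.
    T = set()
    for s, fs in pi.items():
        for f in fs:
            T.add((s, f, EPS, s))
            for guard, event, assign in comp["trans"]:
                if guard(dict(s), dict(f)):
                    upd = assign(dict(s), dict(f))        # unassigned variables keep their value
                    s2 = tuple((x, upd.get(x, v)) for x, v in s)
                    if s2 in pi:                          # T is a subset of S x F x E x S
                        T.add((s, f, event, s2))
    return pi, restrict(T, comp["prio"])


def successors(pi, T, s, f, event):
    """Configurations (s', f') reached from (s, f) by `event` (Remark 2.1's T')."""
    return {(s2, f2) for (s1, f1, e, s2) in T
            if (s1, f1, e) == (s, f, event) for f2 in pi[s2]}


def enabled_events(T, s, f):
    """Non-epsilon events firable in (s, f) once priorities are applied."""
    return {e for (s1, f1, e, _) in T if (s1, f1) == (s, f)} - {EPS}


if __name__ == "__main__":
    pi, T = semantics(TRAIN)
    s0, f0 = (("etat", 0), ("n", 0)), (("N", 0),)
    print("approach from (0,0,0):", successors(pi, T, s0, f0, "approach"))
    pi_c, T_c = semantics(CONTROLLER)
    print("enabled in etat=0, N=1:", enabled_events(T_c, (("etat", 0),), (("N", 1),)))
```

Running it reproduces the step (0, 0, 0) --approach--> (1, 1, 1) of section 2.1.1, and shows that with the assumed priority only exit remains firable in the controller configuration etat=0, N=1.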
2.2.5. AltaRica Nodes
A node is built from $n$ nodes. The purpose of nodes is to give a semantics to hierarchical definitions and synchronization in AltaRica.
Definition 2.6. (Node)
A node is a tuple $\mathcal{N} = \langle V_F, E, <, \mathcal{N}_0, \cdots, \mathcal{N}_n, V \rangle$ with:
1. $V_F$ is a set of flow variables,
2. $E = E^+ \cup \{\varepsilon\}$ is a finite set of events,
3. $<$ is a priority relation over $E$,
4. for all $i \in [1, n]$, $\mathcal{N}_i$ is a component or a node; $V_{F_i}$ is the set of flow variables of $\mathcal{N}_i$ and $E_i$ the set of events. We assume $\forall i \neq j \in [1, n],\ V_{F_i} \cap V_{F_j} = \emptyset$,
5. $\mathcal{N}_0$ is a special component called the control component. The set of events of $\mathcal{N}_0$ is $E_0 = E$ and the priority relation of $\mathcal{N}_0$ is the empty relation. The set of flow variables of $\mathcal{N}_0$ is $V_{F_0} = V_F \cup V_{F_1} \cup V_{F_2} \cup \cdots \cup V_{F_n}$,
6. $V = V_d \cup V_{imp}$ is the set of specified synchronization vectors:
• $V_d \subseteq E^?_0 \times \cdots \times E^?_n \times 2^{[0, n+1]}$ where $E^?_i = E_i \cup \{ ?e \mid e \in E^+_i \}$; we define $E^d_i$ by: $e \in E^d_i$ if $\exists \langle \cdots, x_i, \cdots \rangle \in V_d$ with $x_i \in E^?_i$; $E^d_i$ corresponds to the set of events of node $i$ that are synchronized; $V_d$ induces a set of synchronization vectors (see below). The last component in $2^{[0, n+1]}$ constrains the sets of “?”-events in the nodes that need to participate in the synchronization (see below).
• $V_{imp} \subseteq E_0 \times \cdots \times E_n \times \{\emptyset\}$ is the set of implicit synchronization vectors with:
– $\langle \varepsilon, \cdots, \varepsilon, \emptyset \rangle \in V_{imp}$,
– $\forall i \in [0, n],\ \forall e_i \in E_i \setminus E^d_i,\ \langle \varepsilon, \cdots, e_i, \cdots, \varepsilon, \emptyset \rangle \in V_{imp}$.
$V_{imp}$ contains all the synchronization vectors with non-synchronized events.
An example of how $V_d$ generates synchronization vectors can be given by the node MAIN of Fig. 3. Assume in this node we replace the line 7 by <t1.approach?,t2.approach?,c.approach> >= 1. The meaning of this new specification is that it induces the set of synchronization vectors in which at least 1 (given by the >=1 constraint) event qualified with a “?” appears. Thus <c.approach> is not an allowed vector whereas <t1.approach,c.approach>, <t2.approach,c.approach> and <t1.approach,t2.approach,c.approach> are allowed. The unfolding of the constrained vector <t1.approach?,t2.approach?,c.approach> >= 1 contains only the three allowed vectors defined above. Note that our definition involving subsets of $[0, n+1]$ allows us to specify more precise vectors than the one given by the number of “?”-events that have to be present. The synchronization set $V$ generates a set of synchronization vectors of $E_0 \times E_1 \times \cdots \times E_n$ together with a priority relation on them (how this is done is defined in [10]). As already mentioned, a vector of the form <t1.approach?,t2.approach?,c.approach> >= 1 generates all the synchronization vectors containing at least one event the name of which is qualified by a “?”. The priority relation for those vectors corresponds to giving priority to the one with the maximal number of “?”-events occurring in the vector: in the previous case <t1.approach,c.approach> and <t2.approach,c.approach> are both strictly lower (have less priority) than the 3-component vector <t1.approach,t2.approach,c.approach>. In this case, each time both t1.approach and t2.approach are simultaneously enabled this priority relation imposes that they are fired at the same time. Thus this specification rules out the behaviours where only one of these transitions is fired whereas the other is enabled. We do not want to constrain the system in such a way, and approach events cannot be constrained in the specification. This is why we have given three distinct synchronization vectors involving event approach, and they are independent from each other.
Finally, the set $V_{imp}$ consists of all the events that are not involved in any synchronization: they must occur on their own, hence the synchronization vectors of the form $\langle \varepsilon, \cdots, e, \cdots, \varepsilon \rangle$ (events up and down of component GATE of Fig. 2(b)).
For a formal definition of how to generate the synchronization vectors corresponding to $V$ the reader is referred to [10]. We only need here to consider the set of synchronization vectors and the priority relation generated by $V$.
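As an added example (not the paper's own code), the Python below unfolds the constrained vector <t1.approach?,t2.approach?,c.approach> >= 1 discussed above, derives the priority it induces by counting “?”-events as the text describes, and computes $V_{imp}$ for the node MAIN of Fig. 3. The encoding of vectors as (sub-node, event) pairs and the omission of the control component $\mathcal{N}_0$ are assumptions of this example.

```python
from itertools import combinations

# Added example, not code from the paper: unfolding of a constrained
# synchronization vector of Definition 2.6 (events qualified with "?"), the
# priority relation it induces, and the implicit vectors V_imp of the node
# MAIN of Fig. 3. A vector is a tuple of (sub-node, event) pairs; a "?" suffix
# on the event marks it as optional; the set of allowed numbers of "?"-events
# stands for the subset of [0, n+1] of Definition 2.6 (">= 1" is {1, ..., n+1}).
# The control component N_0 is left out of the encoding (assumption).

EPS = "eps"


def canon(vector):
    """Canonical form of a vector: its pairs sorted, so vectors compare by content."""
    return tuple(sorted(vector))


def unfold(vector, allowed_counts):
    """Synchronization vectors generated by a constrained vector: the mandatory
    events always appear, together with any subset of the "?"-events whose
    size is in allowed_counts."""
    mandatory = tuple((node, ev) for node, ev in vector if not ev.endswith("?"))
    optional = [(node, ev[:-1]) for node, ev in vector if ev.endswith("?")]
    generated = set()
    for k in allowed_counts:
        for chosen in combinations(optional, k):       # empty when k > len(optional)
            generated.add(canon(mandatory + chosen))
    return generated


def induced_priority(vector, allowed_counts):
    """Priority among the generated vectors as described in section 2.2.5:
    a vector is lower than one carrying a larger number of "?"-events."""
    optional = {(node, ev[:-1]) for node, ev in vector if ev.endswith("?")}
    generated = unfold(vector, allowed_counts)
    count = {v: len(set(v) & optional) for v in generated}
    return {(v1, v2) for v1 in generated for v2 in generated if count[v1] < count[v2]}


def implicit_vectors(subnodes, sync):
    """V_imp: the all-epsilon vector (written ()) plus one singleton vector for
    every sub-node event that occurs in no explicit synchronization vector."""
    synchronized = {(node, ev.rstrip("?")) for vec in sync for node, ev in vec}
    vimp = {()}
    for node, events in subnodes.items():
        for e in events:
            if (node, e) not in synchronized:
                vimp.add(((node, e),))
    return vimp


def all_vectors(subnodes, sync):
    """The unfolded set of vectors of a node whose explicit vectors carry no "?"."""
    return {canon(v) for v in sync} | implicit_vectors(subnodes, sync)


# Sub-nodes of MAIN (Fig. 3) with the events of TRAIN (Fig. 1), GATE and
# CONTROLLER (Fig. 2).
MAIN_SUBNODES = {
    "t1": ["approach", "in", "exit"],
    "t2": ["approach", "in", "exit"],
    "g": ["Go_down", "Go_up", "down", "up"],
    "c": ["approach", "exit", "Go_up", "Go_down"],
}
# The sync section of MAIN, lines 7 to 14 of Fig. 3.
MAIN_SYNC = [
    (("t1", "approach"), ("t2", "approach"), ("c", "approach")),
    (("t1", "approach"), ("c", "approach")),
    (("t2", "approach"), ("c", "approach")),
    (("t1", "exit"), ("t2", "exit"), ("c", "exit")),
    (("t1", "exit"), ("c", "exit")),
    (("t2", "exit"), ("c", "exit")),
    (("g", "Go_down"), ("c", "Go_down")),
    (("g", "Go_up"), ("c", "Go_up")),
]
# The constrained vector of the text: <t1.approach?,t2.approach?,c.approach> >= 1,
# i.e. the subset {1, ..., n+1} of [0, n+1] with n = 4 sub-nodes.
CONSTRAINED = (("t1", "approach?"), ("t2", "approach?"), ("c", "approach"))
AT_LEAST_ONE = set(range(1, 6))


if __name__ == "__main__":
    print(sorted(unfold(CONSTRAINED, AT_LEAST_ONE)))
    print(sorted(induced_priority(CONSTRAINED, AT_LEAST_ONE)))
    print(sorted(implicit_vectors(MAIN_SUBNODES, MAIN_SYNC)))
```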
In the definition of the timed nodes (section 3.6) we will focus on timed features and will consider that $V$ has been “unfolded” into the set of synchronization vectors $\tilde V$ it generates and the priority relation $<_{\tilde V}$ it induces, i.e. we will use $\tilde V \subseteq E_0 \times E_1 \times \cdots \times E_n$ and $<_{\tilde V}$ instead of $V$.
There is a fundamental result about nodes: they can be rewritten (syntactically) into components that preserve their semantics [10].
Theorem 2.1. ([10, 11])
If $\mathcal{N}$ is an AltaRica node and $C_{\mathcal{N}}$ its rewriting into a component (as defined in [10]), then $\llbracket \mathcal{N} \rrbracket$ and $\llbracket C_{\mathcal{N}} \rrbracket$ are bisimilar.
In the next section we focus on extending ITS, AltaRica components and nodes with time. We define our timed extension on these objects. Also we show that the results obtained in the untimed case [10, 11] still hold (e.g. Theorem 2.1).
3. Timed Extension of AltaRica
Our aim is to build a timed extension of AltaRica, which means we need to keep the framework defined
for the untimed case: ITS, priorities and components. First we extend ITS into Timed ITS (see Def. 3.1)
and define timed priorities. Then we add timing constraints to components (i.e. clock variables) and give
the semantics of timed components into TITS. Finally we define timed nodes, give their semantics and
prove that they can be syntactically rewritten into an equivalent (timed bisimilar) component.
3.1. Preliminaries about Timed Systems
Before defining Timed AltaRica we recall some basics about timed systems [23]. More precisely we
use the framework of timed automata [17] and the associated usual notations. The real-valued variables
will be clocks: a clock is a positive real valued variable, and it evolves at a constant rate w.r.t. physical
time.
Clock valuations and assignments. A clock valuation for the clocks in a set $X$ is a mapping $v : X \to \mathbb{R}_{\ge 0}$ that assigns a positive real value to each clock in $X$. A clock assignment is a mapping $a : X \to \mathcal{E}(X)$. For decidability reasons, we will restrict the allowed assignment expressions in section 4.4 to simple assignments given by table 2, page 1030. We denote by $\mathcal{A}(X)$ the set of clock assignments. As defined in subsection 2.2.3, for a clock valuation $v$ and an assignment $a$, we denote by $a(v)$ the clock valuation $a(v)(x) = a(x)(v)$. For $t \in \mathbb{R}_{\ge 0}$ the clock valuation $v + t$ is defined by $\forall x \in X,\ (v + t)(x) = v(x) + t$.
The set of clock constraints $\mathcal{B}(X)$ over a set $X$ of clocks is defined inductively by:
$$g := x \bowtie r \mid x - y \bowtie r \mid g \wedge g \mid g \vee g \qquad (1)$$
with $x, y \in X$, $\bowtie \in \{<, \le, >, \ge, =\}$, $r \in \mathbb{Q}$. Also we denote by $\mathcal{B}_C(X)$ the subset of $\mathcal{B}(X)$ that defines convex clock constraints. A clock constraint $g$ is a particular formula and evaluates either to $\mathit{tt}$ or $\mathit{ff}$: $\llbracket g \rrbracket \subseteq \mathbb{R}_{\ge 0}^X$ and $g(\nu) = \mathit{tt} \iff \nu \in \llbracket g \rrbracket$.
Timed Transition Systems and Timed Automata. A timed transition system [23] (TTS) is a tuple $(Q, E, Q_0, \to)$, where $Q$ is a set of locations, $E$ is the set of actions, $Q_0$ is the set of initial states, and $\to \subseteq Q \times (E \cup \mathbb{R}_{\ge 0}) \times Q$. A timed automaton [17] is a tuple $(L, L_0, E, X, I, T)$ such that $L$ is a (finite) set of locations, $X$ is a finite set of clocks, $L_0$ is a predicate s.t. $\llbracket L_0 \rrbracket \subseteq L \times \mathbb{R}_{\ge 0}^X$ defines the set of initial states, $E$ is a finite set of actions, $T \subseteq L \times (\mathcal{B}(X) \times E \times \mathcal{A}(X)) \times L$ is the transition relation, and $I : L \to \mathcal{B}_C(X)$ is the invariant constraint.
The semantics of a timed automaton $(L, L_0, E, X, I, T)$ is given by a TTS $(L \times \mathbb{R}_{\ge 0}^X, E, Q_0, \to)$ where $Q_0 = \llbracket L_0 \rrbracket$ and $\forall (l, v) \in L \times \mathbb{R}_{\ge 0}^X$ the transition relation $\to$ is defined by: i) discrete steps of the form $(l, v) \xrightarrow{e} (l', v')$ if $\exists (l, g, e, a, l') \in T$ such that $g(v) = \mathit{tt}$, $v' = a(v)$, $v' \in \llbracket I(l') \rrbracket$; ii) continuous steps of the form $(l, v) \xrightarrow{\delta} (l, v')$, $\delta \in \mathbb{R}_{\ge 0}$, if $\forall \delta' \le \delta,\ v + \delta' \in \llbracket I(l) \rrbracket$.
A very useful result about timed automata (actually updatable timed automata [24]) is that reachability is decidable [17, 24] for this class of timed systems. Hence automatic verification tools have been designed to analyse timed automata, among them UPPAAL [5], KRONOS [7] and CMC [6]. We will give in the last section a translation from a Timed AltaRica specification into a timed automaton. This will allow us to use UPPAAL [5], KRONOS [7] or CMC [6] to check timed properties on the designed systems.
In the sequel, we define Timed Interfaced Transition Systems (TITS), which are extended TTS. The timed extensions of AltaRica components are timed components, which are the counterparts of timed automata: the semantics of timed components is given by TITS.
3.2. Timed Interfaced Transition Systems
Timed Interfaced Transition Systems are an extension of ITS with real-valued variables and flows.
Definition 3.1. (Timed Interfaced Transition System)
A timed interfaced transition system (in the sequel TITS) of continuous dimension $(n, m)$ and time domain^4 $\mathbb{T}$ is a tuple $A = \langle E_t, F_t, S_t, \pi, T \rangle$ with:
1. $E_t = E^+ \cup \{\varepsilon\} \cup \mathbb{T}$ where $E^+$ is a finite set of events such that $\varepsilon \notin E^+ \cup \mathbb{T}$ and $E^+ \cap \mathbb{T} = \emptyset$;
2. $F_t \subseteq F \times \mathbb{R}^m$ is the set of flow values, where $F$ is the set of discrete flow values and $\mathbb{R}^m$ is the set of continuous flow values;
3. $S_t \subseteq S \times \mathbb{R}^n$ is the set of states, where $S$ is the set of discrete states and $\mathbb{R}^n$ is the set of continuous states;
4. $\pi : S_t \to 2^{F_t}$ associates to each state $q \in S_t$ all the admissible flow values in $q$. We assume $\forall q \in S_t,\ \pi(q) \neq \emptyset$;
5. $T \subseteq S_t \times F_t \times E_t \times S_t \times F_t$ is the transition relation and satisfies:
(a) $(q, g, e, q', g') \in T \Rightarrow g \in \pi(q) \wedge g' \in \pi(q')$
(b) $\forall q \in S_t,\ \forall g, g' \in \pi(q)$ we have $(q, g, \varepsilon, q, g') \in T$
(c) $\forall q \in S_t,\ \forall g \in \pi(q)$ we have $(q, g, 0, q, g) \in T$
A configuration of a TITS is a pair $((s, \nu), (f, \mu)) \in S_t \times F_t$ such that $(f, \mu) \in \pi(s, \nu)$.
4 We assume $0 \in \mathbb{T}$ and $\mathbb{T} = \mathbb{N}$ or $\mathbb{Q}_{\ge 0}$ or $\mathbb{R}_{\ge 0}$ or $\{0\}$.
Remark 3.1. Compared to item 5 of Def. 2.1, we need to be more precise when defining the set of transitions of a TITS. Indeed we want to enforce discrete variables to remain unchanged when time elapses. Assume we define the transition relation $T$ in the same way as it was defined in item 5 of Def. 2.1: $T \subseteq S_t \times F_t \times E_t \times S_t$. Then we will not be able to leave discrete flow values unchanged during a delay transition when we define the semantics of AltaRica timed components (Def. 3.7): in the target configuration, we can only constrain the state variables in $S_t$ and not the flow variables in $F_t$. Thus we prefer to define $T$ over $S_t \times F_t \times E_t \times S_t \times F_t$, which enables us to refer to the source and target flow values of a transition as in item 5.(c) of Def. 3.1.
Also note the following properties: if $n = 0$, $m = 0$ and $\mathbb{T} = \{0\}$ we obtain the definition of ITS. Indeed, as pointed out in remark 2.1, we can give the definition of the transition relation of an ITS in terms of transitions between configurations. If $m = 0$ and we add an initial state to the TITS then we obtain the definition of TTS: $F$ is to be interpreted as the set of atomic properties. It is possible to consider an integer time domain, $\mathbb{T} = \mathbb{N}$. Notice that in this case, even if we allow only integer time steps in the TITS, the values of the clocks can be in $\mathbb{R}_{\ge 0}$. For a dense time domain $\mathbb{T} = \mathbb{Q}_{\ge 0}$ is suitable. For a continuous time domain one can take $\mathbb{T} = \mathbb{R}_{\ge 0}$. In the following we assume the time domain is $\mathbb{R}_{\ge 0}$ when we deal with Timed AltaRica nodes.
3.3. Timed Bisimulations
In the sequel we will use the notion of timed bisimulations between timed systems. We define it for TITS
extending the definition of interfaced bisimulation of [10]:
Definition 3.2. (Timed Interfaced Bisimulation)
Let $A_1 = \langle E_t, F_t, S^1_t, \pi_1, T_1\rangle$ and $A_2 = \langle E_t, F_t, S^2_t, \pi_2, T_2\rangle$ be two TITS. A timed interfaced bisimulation relation for $A_1$ and $A_2$ is a relation $R \subseteq S^1_t \times S^2_t$ that satisfies 4 conditions:
1. $\forall q_1 \in S^1_t,\ \exists q_2 \in S^2_t$ s.t. $(q_1, q_2) \in R$ and $\forall q_2 \in S^2_t,\ \exists q_1 \in S^1_t$ s.t. $(q_1, q_2) \in R$,
2. $\forall (q_1, q_2) \in R,\ \pi_1(q_1) = \pi_2(q_2)$,
3. $\forall (q_1, g, e, q'_1, g'_1) \in T_1,\ \forall q_2 \in S^2_t$ such that $(q_1, q_2) \in R$, $\exists (q_2, g, e, q'_2, g'_2) \in T_2$ s.t. $(q'_1, q'_2) \in R$,
4. $\forall (q_2, g, e, q'_2, g'_2) \in T_2,\ \forall q_1 \in S^1_t$ such that $(q_1, q_2) \in R$, $\exists (q_1, g, e, q'_1, g'_1) \in T_1$ s.t. $(q'_1, q'_2) \in R$.
Two TITS are timed bisimilar iff there exists a timed interfaced bisimulation relation on their set of states.
In the sequel we use the term timed bisimulation instead of timed interfaced bisimulation. As in the
untimed case, an interfaced bisimulation can be expressed as a homomorphism between two TITS.
Definition 3.3. (Timed Interfaced Bisimulation Homomorphism)
Let $A_1 = \langle E_t, F_t, S^1_t, \pi_1, T_1\rangle$ and $A_2 = \langle E_t, F_t, S^2_t, \pi_2, T_2\rangle$ be two TITS. A timed interfaced bisimulation homomorphism $h : A_1 \to A_2$ is a mapping $h : S^1_t \to S^2_t$ such that:
1. $h$ is surjective,
2. $\forall q_1 \in S^1_t,\ \pi_1(q_1) = \pi_2(h(q_1))$,
3. $\forall (q_1, g, e, q'_1, g'_1) \in T_1,\ \exists g'_2$ such that $(h(q_1), g, e, h(q'_1), g'_2) \in T_2$,
4. $\forall q_1 \in S^1_t,\ \forall q'_2 \in S^2_t$ s.t. $(h(q_1), g, e, q'_2, g'_2) \in T_2$, $\exists q'_1 \in S^1_t$ such that $h(q'_1) = q'_2$ and $\exists g'_1 \in \pi_1(q'_1)$ such that $(q_1, g, e, q'_1, g'_1) \in T_1$.
We use the term timed bisimulation homomorphism as a shorthand for timed interfaced bisimulation
homomorphism.
The following theorem is an extension to TITS of previous results on ITS and follows from [10, 25]:
Theorem 3.1. Two TITS A1 and A2 are timed bisimilar if and only if there exists a TITS B and two
timed interfaced bisimulation homomorphisms h1 : A1 → B and h2 : A2 → B.
The proof is given in Appendix A.1.
3.4. Timed Priorities
In the untimed version of AltaRica, priorities among events play an important role [10]: they allow the
easy modeling of priorities among concurrently enabled transitions. It is natural in a timed setting to try
and introduce timed priorities i.e. priorities among transitions involving some timing information. Again
we want to extend the existing AltaRica specification language and add timed priorities.
Timed priorities in timed systems have been introduced for timed automata [26] and a comprehensive
study of timed priorities can be found in [27, 28, 29]. The most common timed priority is urgency [30]:
basically, it says that if a transition is enabled in a timed automaton, time cannot elapse and this transition
must be fired immediately. Without loss of expressiveness we define urgent events: if an event in a Timed
AltaRica specification is urgent then all the transitions labelled by this event are urgent. We then extend
Def. 2.2 to allow priority between time labels (in T) and discrete events:
Definition 3.4. (Simple Timed Priority Relation)
A simple timed priority relation $<$ over $E$ is a strict partial order over $E \cup \{time\}$ such that $<$ is a priority relation over $E$ and a strict partial order over $E^{time}_+$ with $E^{time}_+ = E_+ \cup \{time\}$ and $\forall v \in E_+,\ v \not< time$.
Then $a > time$ means (see footnote 5) that event $a$ is urgent and has to be fired immediately when enabled (a
semantic definition of priorities will appear later in this section in Def. 3.6). Also note that if $a > time$
and $b > a$ then $b > time$: the urgency of event $a$ entails urgency of greater events.
This allows us to model what is called eagerness in [30]: an eager transition is one that forbids time
elapsing if it is enabled. In the papers [27, 28] other notions of priorities are defined: (i) a delayable
transition is one that can be fired when its guard is true and before a certain deadline; (ii) a lazy transition
is one that has no deadline (it may or may not be fired). We will add in Def. 3.7 (time) guards into Timed
AltaRica components which will enable us to define lazy transitions. It is proved in [28] that a delayable
transition can be encoded using lazy and eager transitions. As we already know (Def. 3.4) how to define
eager transitions, we are able to express the three types of priorities proposed in [30].
More elaborate ways of prioritising transitions are given in [27]. The aim is to express priority
between events when several are enabled by using timing information. It is an extension of the priority
relation notion: we want to express that e < e′ only if e′ will not be enabled in some future. Intuitively,
we will write e <5 e′ for: the transition labelled e′, if enabled within 5 time units, has priority over e.
We now extend the notion of simple timed priority relation:
Definition 3.5. (Timed Priority Relation)
A timed priority relation $<$ over $E$ is a 3-ary relation in $E^{time}_+ \times (\mathbb{N} \cup \{\infty\}) \times E^{time}_+$ satisfying the following conditions (we denote $a_1 <_k a_2$ for $(a_1, k, a_2) \in <$):
• the binary relation $<_0$ is a simple timed priority relation,
• $a <_k b \wedge a = time \implies k = 0$,
• $\forall k \in \mathbb{N}$, $<_k$ is a strict partial order,
• $a_1 <_k a_2 \implies (\forall k' < k,\ a_1 <_{k'} a_2)$.
Footnote 5: We rule out $time > a$ as the purpose of a priority relation is to add a sort of liveness in the system by forcing some discrete actions to be taken.
Remark 3.2. Notice that in [27], another condition can be imposed on < (a transitivity condition). This
condition is related to the building of live timed systems and is not relevant in our setting. It is aimed at
preserving liveness in the systems and can then add new behaviors. We do not want to build live timed
systems but only to provide a restriction operator (by giving priorities) that restricts the set of behaviors
of the system. Note also we restrict the bounds to N which in theory is enough for specifying timed
systems.
The static priority of AltaRica coincides with the particular timed priority where all the delays are equal
to zero, i.e. k = 0.
As in section 2.2.2, we define the timed priority restriction operator.
Definition 3.6. (Timed Priority Restriction Operator)
Let $A = \langle E_t, F_t, S_t, \pi, T\rangle$ be a TITS of continuous dimension $(m, n)$, time domain $\mathbb{T}$ and $<$ a timed priority relation over $E$. We define the timed priority restriction operator $\restriction$ for the transition relation $T \subseteq S_t \times F_t \times E_t \times S_t \times F_t$ and the timed priority relation $<$ by:
$$(q, g, e, q', g') \in T\restriction_{<} \iff (q, g, e, q', g') \in T \wedge
\begin{cases}
\text{if } e = t \in \mathbb{T}: & \forall t' \in \mathbb{T},\ t' < t,\ \text{if } (q, g, t', q'', g'') \in T \\
& \text{then } \forall e' \in E_+,\ (q'', g'', e', q''', g''') \in T \implies time \not<_0 e', \\
\text{otherwise:} & \text{if } (q, g, t, q'', g'') \in T,\ t \in \mathbb{T},\ t \le k, \\
& \text{then } \forall e',\ (q'', g'', e', q''', g''') \in T \implies e \not<_k e'.
\end{cases}$$
We denote $A\restriction_{<} = \langle E_t, F_t, S_t, \pi, T\restriction_{<}\rangle$.
Remark 3.3. Again, if T = {0}, we obtain the definition of the priority relation restriction (Def. 2.3).
We can lift the following theorem for ITS stated in [10] to TITS:
Theorem 3.2. (Priority and Timed Bisimulation)
Let $A_1 = \langle E_t, F_t, S^1_t, \pi_1, T_1\rangle$ and $A_2 = \langle E_t, F_t, S^2_t, \pi_2, T_2\rangle$ be two TITS and $<$ a timed priority relation over $E$. If $h : A_1 \to A_2$ is a timed bisimulation homomorphism then $h : A_1\restriction_{<} \to A_2\restriction_{<}$ is also a timed bisimulation homomorphism.
The proof is given in appendix A.2.
3.5. Timed Components
Timed AltaRica components are the timed extensions of AltaRica components (see Def. 2.4). Our
extension consists in adding clocks to AltaRica components. Hence our model is closely related to
the timed automaton model. Adding real-valued variables instead of clocks is quite straightforward:
the resulting model is then close to the hybrid automaton model. In this paper we focus on the timed
extension and the addition of clocks. We consider the formulas F, expressions E and set of values D
settled in section 2.2.3.
Definition 3.7. (Timed Component)
A timed component is a tuple T = 〈VS ∪ CS , VF ∪ CF , E,A, M,<〉 with:
1. VS , VF are finite sets for respectively state variables, flow variables with the property of being
disjoint. We denote VT = VS ∪ VF ; CS , CF are finite sets for respectively clock variables, real
flow variables with the property of being disjoint. We denote CT = CS ∪ CF ; also we assume
VT ∩ CT = ∅;
2. E = E+ ∪ {ε} where E+ is a finite set of events and as usual ε is the empty action;
3. $A = A_{V_T} \wedge A_{C_T} \in \mathbb{F}$ is an assertion such that $free(A) \subseteq V_T \cup C_T$; $A_{V_T} \in \mathbb{F}$, $free(A_{V_T}) \subseteq V_T$; $A_{C_T} = \bigwedge_{k \in K} P_k \implies I_k$ where $K$ is a finite set of indices, $P_k \in \mathbb{F}$, $free(P_k) \subseteq V_T$, $I_k \in \mathbb{F}$, $free(I_k) \subseteq C_T$ and $I_k$ defines a convex region of $\mathbb{R}^p$ if $|C_T| = p$;
4. M ⊆ (F × B(CT )) × E × (E(VT )VS × A(CT )) is a macro-transition relation such that every
((g, γ), e, (a,R)) ∈M satisfies:
(a) (g, γ) is a guard such that g ∈ F and free(g) ⊆ VT ; γ ∈ B(CT );
(b) e ∈ E is the event of the transition;
(c) a : VS → E(VT ) is an assignment for the variables in VS . R ∈ A(CT ) is the clock assign-
ment of the transition;
5. < is a timed priority relation.
Remark 3.4. Item 3 of Def. 3.7 allows us to specify constraints C between clock variables and real-
valued flow variables (e.g. Y = x where Y is a flow variable and x is a clock variable): it suffices to use
tt =⇒ C where C ∈ F(CT ) (e.g. tt =⇒ Y = x).
Notice that the semantics of A is a subset of (DVS × Rn) × (DVF × Rm) as well as the semantics of a
guard (g, γ).
Example 3.1. (The Train)
In Fig. 4 the time features of component TRAIN appear on line 7 where a clock (state) variable t is
declared; it is used to constrain the guards of the transitions (see lines 9 to 11) and on some of them t
is reset; also the assertion (lines 16–17) implies that when in state etat = 1 (resp. 2) time cannot elapse
after t has reached 30 (resp. 20).
1: node TRAIN
2: flow N : [0,1];
3: event approach, in, exit;
4: state
5: etat : [0,2];
6: n : [0,1];
7: t : clock; // Definition of a clock variable
8: trans
9: t >= 70 & etat=0 |- approach -> etat := 1, t := 0, n := 1;
10: 20 <= t <= 30 & etat=1 |- in -> etat := 2, t := 0;
11: 10 <= t <= 20 and etat=2 |- exit -> etat := 0, t := 0, n := 0;
12: init
13: etat=0,n=0,t=0;
14: assert
15: N=n;
16: (etat=1) => (t<=30); // Time assertions
17: (etat=2) => (t<=20);
18: edon
Figure 4. Specification of a Train as a Timed Component
Definition 3.8. (Semantics of Timed Components)
Let $\mathcal{T} = \langle V_S \cup C_S, V_F \cup C_F, E, A, M, <\rangle$ be a timed component. Let $|C_S| = n$ and $|C_F| = m$. The semantics of $\mathcal{T}$ over the time domain $\mathbb{T}$ is the timed interfaced transition system $\llbracket \mathcal{T} \rrbracket = \langle E_t, F_t, S_t, \pi, T\rangle$ of dimension $(n, m)$ constructed in the following way:
1. $E_t = E \cup \mathbb{T}$,
2. $F_t = D^{V_F} \times \mathbb{R}^m$,
3. $S_t = \{(s, \nu) \in D^{V_S} \times \mathbb{R}^n_{\ge 0} \mid \exists (f, \mu) \in D^{V_F} \times \mathbb{R}^m \mid ((s, \nu), (f, \mu)) \in \llbracket A \rrbracket\}$,
4. $\pi : S_t \to 2^{F_t}$ such that $\pi(q) = \{(f, \mu) \mid (q, (f, \mu)) \in \llbracket A \rrbracket\}$,
5. $T \subseteq S_t \times F_t \times E_t \times S_t \times F_t$ and $T = \llbracket M \rrbracket\restriction_{<}$ with:
(a) let $t = ((g, \gamma), e, (a, R))$; define $\llbracket t \rrbracket$ by: $((s, \nu), (f, \mu), e, (s', \nu'), (f', \mu')) \in \llbracket t \rrbracket$ if
$$\begin{cases} ((s, \nu), (f, \mu)) \in \llbracket A \wedge g \wedge \gamma \rrbracket \\ \wedge\ s' = a(s, f) \\ \wedge\ \nu' = R(\nu, \mu) \\ \wedge\ (f', \mu') \in \pi(s', \nu') \end{cases}$$
with $R(\nu, \mu)$ the new clock assignment after resetting the variables in $R$.
(b) let $\delta \in \mathbb{T}$; define $\llbracket \delta \rrbracket$ by: $((s, \nu), (f, \mu), \delta, (s, \nu'), (f, \mu')) \in \llbracket \delta \rrbracket$ if
$$\begin{cases} ((s, \nu), (f, \mu)) \in \llbracket A \rrbracket \\ \wedge\ \nu' = \nu + \delta \wedge ((s, \nu'), (f, \mu')) \in \llbracket A \rrbracket \\ \wedge\ \forall \delta' \le \delta,\ \exists \mu_{\delta'} \mid (\nu + \delta', \mu_{\delta'}) \in \llbracket I(s, f) \rrbracket \end{cases}$$
with $I(s, f) = \bigwedge_{k \in K \mid (s, f) \in P_k} I_k$.
(c) $\llbracket M \rrbracket = \bigcup_{t \in M} \llbracket t \rrbracket \cup \bigcup_{\delta \in \mathbb{T}} \llbracket \delta \rrbracket$.
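To make Def. 3.8 concrete, here is an added example in Python (our code, not the paper's nor the AltaRica tool's) that executes the semantics of the TRAIN component of Fig. 4: a discrete step checks A ∧ g ∧ γ on the source configuration, applies the assignment and clock reset, and picks a flow value in π(s', ν'); a delay step keeps the discrete variables and checks the invariant. The time domain is R≥0 modelled by floats, there are no real flows, and the names Config, fire, delay, enabled and run are ours.

```python
"""Added example (not code from the paper): an executable reading of Def. 3.8
for the TRAIN component of Fig. 4 (one clock t, no real flows, time domain
R>=0 modelled by floats). The class and function names are ours."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Config:
    """A configuration ((s, nu), (f, mu)): state (etat, n), clock t, flow N."""
    etat: int    # state variable, domain [0,2]
    n: int       # state variable, domain [0,1]
    t: float     # clock variable
    N: int       # flow variable, domain [0,1]


def assertion(c: Config) -> bool:
    """Assertion A of Fig. 4, lines 15-17: N=n plus the two time invariants."""
    if c.N != c.n:
        return False
    if c.etat == 1 and not c.t <= 30:
        return False
    if c.etat == 2 and not c.t <= 20:
        return False
    return True


# Macro-transitions of Fig. 4, lines 9-11: (event, guard (g, gamma), assignment (a, R)).
TRANSITIONS = [
    ("approach", lambda c: c.t >= 70 and c.etat == 0,
                 lambda c: replace(c, etat=1, t=0.0, n=1)),
    ("in",       lambda c: 20 <= c.t <= 30 and c.etat == 1,
                 lambda c: replace(c, etat=2, t=0.0)),
    ("exit",     lambda c: 10 <= c.t <= 20 and c.etat == 2,
                 lambda c: replace(c, etat=0, t=0.0, n=0)),
]


def flows(etat: int, n: int, t: float) -> list:
    """pi(s, nu), item 4 of Def. 3.8: the flow values admissible in a state.
    The only flow is N with domain [0,1], so we enumerate it."""
    return [N for N in (0, 1) if assertion(Config(etat, n, t, N))]


def fire(c: Config, event: str) -> Optional[Config]:
    """Discrete step, item 5(a): the source must satisfy A, g and gamma; the
    target state is a(s, f) with the clocks reset by R, and the target flow
    is any element of pi(s', nu') (here we take the first)."""
    if not assertion(c):
        return None
    for ev, guard, assign in TRANSITIONS:
        if ev == event and guard(c):
            s1 = assign(c)
            admissible = flows(s1.etat, s1.n, s1.t)
            if not admissible:
                return None       # guard true but no admissible flow: cf. Sect. 3.7.1
            return replace(s1, N=admissible[0])
    return None


def delay(c: Config, d: float) -> Optional[Config]:
    """Delay step, item 5(b): discrete variables and discrete flows are unchanged,
    every clock advances by d, and the invariant I(s, f) must hold at every
    intermediate instant. The invariants of Fig. 4 are upper bounds on t, hence
    convex (Remark 3.5), so checking the target configuration suffices."""
    if d < 0 or not assertion(c):
        return None
    target = replace(c, t=c.t + d)
    return target if assertion(target) else None


def enabled(c: Config) -> list:
    """Events whose transition can actually be fired from c."""
    return [ev for ev, _, _ in TRANSITIONS if fire(c, ev) is not None]


def run(trace) -> Optional[Config]:
    """Play a timed word from the initial configuration of Fig. 4 (line 13);
    a number is a delay, a string an event. Returns None if a step is refused."""
    c = Config(etat=0, n=0, t=0.0, N=0)
    for step in trace:
        c = delay(c, float(step)) if isinstance(step, (int, float)) else fire(c, step)
        if c is None:
            return None
    return c
```

For instance run([70, "approach", 31]) is refused because the invariant etat=1 ⟹ t≤30 blocks the delay, while run([70, "approach", 25, "in"]) reaches etat=2 with the clock reset.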
Remark 3.5. Note that JI(s, f)K is a convex set as it is a conjunction of convex sets. We have not used
this property of I(s, f) in the semantics of components as it is not required in this definition. Anyway in
the sequel we will need this assumption and this is why we have put it in Def. 3.7 of timed components.
The delay transitions in the semantics of a timed component leave the “continuous” flows free
to take any value as long as the invariant I(s, f) is satisfied. This is rather permissive as the values
encountered along a delay transition could even be non continuous. For instance a constraint on a flow
like x ≤ Y ≤ x+2 where x is a clock and Y a continuous flow would allow Y to take any value between
x and x + 2 at each time point. If we define flows to be clocks we constrain the set of equations we can
write in the assertion. Indeed equations like Y = 2x could not be defined with a “clock” Y . So far we
stick to this permissive definition and we will tackle later which kind of flows can be “implemented” (see
section 4.4).
Finally in the case CF = ∅ we obtain the definition of timed automata (again if we add an initial
state); the semantics of such a timed component is then a TTS (again VF is to be interpreted as some
properties or observations on each state.)
As for the untimed case we have the following lemma:
Lemma 3.1. Let $\mathcal{T} = \langle V_S \cup C_S, V_F \cup C_F, E, A, M, <\rangle$ be a timed component where $<$ is a timed priority relation. Then $\llbracket \langle V_S \cup C_S, V_F \cup C_F, E, A, M, <\rangle \rrbracket = \llbracket \langle V_S \cup C_S, V_F \cup C_F, E, A, M, \emptyset\rangle \rrbracket\restriction_{<}$.
The proof is straightforward from Def. 3.6 and Def. 3.8.
3.6. Timed Nodes
Timed nodes are straightforward extensions of nodes. Indeed, if we assume as stated in Def. 2.6 of a
node, that the synchronization constraint is expanded, the new constraint added by the time transitions is
trivial: the synchronized time transitions for n nodes are of the form (δ, δ, · · · , δ), δ ∈ T where T is the
time domain and they do not need to be specified.
Definition 3.9. (Timed Node)
A timed node is a tuple $\mathcal{N} = \langle V_F, C_F, E, <, \mathcal{N}_0, \cdots, \mathcal{N}_n, (\tilde{V}, <_{\tilde{V}})\rangle$ with:
1. VF is a set of flow variables,
2. CF is the set of real flow variables,
3. E = E+ ∪ {ε} is a finite set of events,
4. < is a timed priority relation over E,
5. for all i ∈ [1, n], Ni is a timed component or a timed node; the interface of the node is composed
of (i) VFi ∪ CFi , the set of discrete flows and real flows of Ni and (ii) Ei the set of events of Ni.
We assume ∀i 6= j ∈ [1, n], VFi ∩ VFj = CFi ∩ CFj = ∅,
6. N0 is a special timed component called the control component. The set of events of this node is
E0 = E and the priority relation of N0 is the empty relation. The set of (discrete) flow variables
of N0 is VF0 = VF ∪ VF1 ∪ VF2 ∪ · · · ∪ VFn , and the set of real flow variables is CF0 = CF ∪
CF1 ∪ CF2 ∪ · · · ∪ CFn ,
7. $\tilde{V} \subseteq E_0 \times E_1 \times \cdots \times E_n$ is an expanded synchronization set together with a priority relation $<_{\tilde{V}}$ (see Def. 2.2).
Remark 3.6. Notice that $<_{\tilde{V}}$ is a priority relation and not a timed priority relation. This is because $(\tilde{V}, <_{\tilde{V}})$ expresses the discrete synchronization constraint.
Example 3.2. (Hierarchical Specification of the Train-Gate-Controller)
A timed version of the train-gate-controller is given in Fig. 5. Notice that the gate is a component, the
train is the component given by Fig. 1, but the node MAIN embeds the CONTROLLER node and plays the
role of N0.
node GATE
event Go_down, Go_up, down, up;
state etat : [0,3];
y : clock;
trans
etat=0 |- Go_up -> ;
etat=0 |- Go_down -> etat:=1, y:=0;
etat=1 |- Go_down -> ;
etat=1 & y <= 10 |- down -> etat:=2;
etat=1 |- Go_up -> etat:=3, y:=0;
etat=2 |- Go_down -> ;
etat=2 |- Go_up -> etat:=3, y:=0;
etat=3 |- Go_up -> ;
etat=3 |- Go_down -> etat:=1, y:=0;
etat=3 & y <= 10 |- up -> etat:=0;
init
etat:=0, y:=0;
assert
(etat =1) => (y <= 10);
(etat =3) => (y <= 10);
edon
(a) The Timed Gate
node MAIN
flow N : [0,p];
event approach, exit, Go_up, Go_down;
priorities Go_up (<,k) approach;
state etat : [0,2];
z : clock;
trans
etat=0 |- approach -> etat:= 1, z:=0;
etat=0 & N>1 |- exit -> ;
etat=0 & N=1 |- exit -> etat:= 2, z:=0;
etat = 1 |- approach -> ;
etat = 1 |- exit -> ;
etat=1 & z<=10 |- Go_down -> etat:=0;
etat=2 & z <= 10 |- Go_up -> etat:=0;
etat=2 |- approach -> etat:= 1, z:=0;
sub t1, t2 : TRAIN, g : GATE;
sync <t1.approach,t2.approach,approach>;
<t1.approach,approach>;
<t2.approach,approach>;
<Go_down,g.Go_down>;
<t1.exit,t2.exit,exit>;
<t1.exit,exit>;
<t2.exit,exit>;
<Go_up,g.Go_up>;
init
etat := 0, z := 0;
assert
N=t1.N+t2.N;
(etat =1) => (z <10);
(etat =2) => (z <= 10);
edon
(b) The Timed Controller
Figure 5. Timed AltaRica Specifications for the Controller and the Gate
Syntactically there are not many changes between timed and untimed nodes. The differences appear
in the semantics, where the timed transitions are synchronized:
Definition 3.10. (Semantics of Timed Nodes)
Let $\mathcal{N} = \langle V_F, C_F, E, <, \mathcal{N}_0, \cdots, \mathcal{N}_n, (\tilde{V}, <_{\tilde{V}})\rangle$ be a timed node and $\llbracket \mathcal{N}_i \rrbracket = \langle E^i_t, F^i_t, S^i_t, \pi_i, T_i\rangle$ of dimension $(n_i, m_i)$ for $i \in [0, n]$. The semantics of $\mathcal{N}$ is the timed interfaced transition system $\llbracket \mathcal{N} \rrbracket = \langle E_t, F_t, S_t, \pi, T\rangle$ of dimension $(\sum_{i=0}^{n} n_i, |C_F|)$ defined by:
1. $E_t = E \cup \mathbb{T}$,
2. $F_t = D^{V_F} \times \mathbb{R}^m$, with $m = |C_F|$,
3. for $q_i \in S^i_t$, let $q = (q_0, q_1, \cdots, q_n)$, then
$$\pi(q) = \{(f, \mu) \in D^{V_F} \times \mathbb{R}^m \mid \forall i \in [1, n],\ \exists \eta_i \in \pi_i(q_i) \mid ((f, \mu), \eta_1, \eta_2, \cdots, \eta_n) \in \pi_0(q_0)\}$$
4. $S_t = \{q \in S^0_t \times S^1_t \times \cdots \times S^n_t \mid \pi(q) \ne \emptyset\}$;
5. $T \subseteq S_t \times F_t \times E_t \times S_t \times F_t$ is defined by:
(a) let $<_0$ be the timed priority relation defined by:
$$(e_0, e_1, \cdots, e_n) <_0 (e'_0, e'_1, \cdots, e'_n) \iff e_0 < e'_0$$
(b) let $e = (e_0, e_1, \cdots, e_n) \in E_0 \times \cdots \times E_n \cup \{(\delta, \cdots, \delta)\}$, $s = (s_0, s_1, \cdots, s_n)$ and $s' = (s'_0, s'_1, \cdots, s'_n)$. Define $T_{\mathcal{N}}$ by:
$$\langle s, f, e, s', f' \rangle \in T_{\mathcal{N}} \iff \begin{cases} \exists f_0 = (f, f_1, \cdots, f_n) \in \pi_0(s_0) \\ \exists f'_0 = (f', f'_1, \cdots, f'_n) \in \pi_0(s'_0) \\ \forall i \in [0, n],\ (s_i, f_i, e_i, s'_i, f'_i) \in T_i \end{cases}$$
(c) then $T = (T_{\mathcal{N}}\restriction_{<_{\tilde{V}}})\restriction_{<_0}$.
We have the node version of lemma 3.1:
Lemma 3.2. Let $\mathcal{N} = \langle V_F, C_F, E, <, \mathcal{N}_0, \cdots, \mathcal{N}_n, (\tilde{V}, <_{\tilde{V}})\rangle$ be a timed node and $\llbracket \mathcal{N} \rrbracket$ its semantics. Then $\llbracket \mathcal{N} \rrbracket = \llbracket \langle V_F, C_F, E, \emptyset, \mathcal{N}_0, \cdots, \mathcal{N}_n, (\tilde{V}, <_{\tilde{V}})\rangle \rrbracket\restriction_{<}$.
The proof is straightforward from Def. 3.9 and Def. 3.10.
The semantics of nodes is compositional with respect to timed bisimulation:
Theorem 3.3. Let $\mathcal{N} = \langle V_F, C_F, E, <, \mathcal{N}_0, \cdots, \mathcal{N}_n, (\tilde{V}, <_{\tilde{V}})\rangle$ and $\mathcal{N}' = \langle V_F, C_F, E, <, \mathcal{N}'_0, \cdots, \mathcal{N}'_n, (\tilde{V}, <_{\tilde{V}})\rangle$ be two timed nodes such that $\forall i \in [0..n]$ there is a timed homomorphism $h_i$ from $\llbracket \mathcal{N}_i \rrbracket$ to $\llbracket \mathcal{N}'_i \rrbracket$. Then there exists a timed homomorphism $h$ from $\llbracket \mathcal{N} \rrbracket$ to $\llbracket \mathcal{N}' \rrbracket$.
The proof is given in appendix A.3.
Timed AltaRica is a hierarchical modeling language so that each timed node can be expressed by a timed
component. The timed priorities and the synchronization are directly encoded into the resulting timed
component. Let $\mathcal{N} = \langle V_F \cup C_F, E, <, \mathcal{N}_0, \cdots, \mathcal{N}_n, (\tilde{V}, <_{\tilde{V}})\rangle$ be a timed node; we present the construction (extending the one given in [10]) of a timed component $C_{\mathcal{N}} = \langle V_S \cup C_S, V_F \cup C_F, E, A, M, <\rangle$ which has the same semantics.
First we associate to each timed node a timed component defined as follows:
Definition 3.11. (Symbolic Semantics)
If $\mathcal{N} = \langle V_F \cup C_F, E, <, \mathcal{N}_0, \cdots, \mathcal{N}_n, (\tilde{V}, <_{\tilde{V}})\rangle$ is a timed node, with $\mathcal{N}_i = \langle V_{F_i} \cup C_{F_i}, E_i, <_i, \mathcal{N}_{i_0}, \cdots, \mathcal{N}_{i_n}, (\tilde{V}_i, <_{\tilde{V}_i})\rangle$ for $0 \le i \le n$, we denote by $C_{\mathcal{N}} = \langle V_S \cup C_S, V_F \cup C_F, E, A, M, \emptyset\rangle$ the timed component constructed as follows:
1. $\forall 0 \le i \le n$
(a) if $\mathcal{N}_i$ is a timed component, then we define $\mathcal{N}'_i = \mathcal{N}_i\restriction_{<_i}$ and the timed priority is syntactically encoded in $\mathcal{N}'_i$ as defined later in section 3.7.2;
(b) if $\mathcal{N}_i$ is a timed node, then we define $\mathcal{N}'_i = C_{\mathcal{N}_i}$, the rewriting of $\mathcal{N}_i$ into a timed component, and encode timed priority syntactically as defined in section 3.7.2;
(c) we denote $\mathcal{N}'_i = \langle V'_{S_i} \cup C'_{S_i}, V'_{F_i} \cup C'_{F_i}, E'_i, A'_i, M'_i, \emptyset\rangle$;
2. $V_S = V'_{S_0} \cup \cdots \cup V'_{S_n}$ and $C_S = C'_{S_0} \cup \cdots \cup C'_{S_n}$;
3. $A = (\exists_{i=1..n}(V'_{F_i} \cup C'_{F_i})).\bigwedge_{i=0..n} A'_i$;
where the notation $\exists_{i=1..n}(W_i).\phi$ stands for: $\forall i,\ \exists \eta_i \in W_i$ such that $\phi(\eta_i)$. For $((s, \nu), (f, \mu)) \in D^{V_S} \times \mathbb{R}^{C_S} \times D^{V_F} \times \mathbb{R}^{C_F}$ we define:
• $((s, \nu), (f, \mu)) \in \llbracket A \rrbracket \iff \forall i \in [1..n],\ \exists \eta_i \in D^{V'_{F_i}} \times \mathbb{R}^{C'_{F_i}}$ s.t. $((s, \nu), (f, \mu), \eta_1, \cdots, \eta_n) \in \llbracket \bigwedge_{i=0..n} A'_i \rrbracket$,
• $\forall i \in [1..n],\ ((s, \nu), (f, \mu), \eta_1, \cdots, \eta_n) \in \llbracket A'_i \rrbracket \iff ((s_i, \nu_i), \eta_i) \in \llbracket A'_i \rrbracket$.
4. the set of macro-transitions $M \subseteq (\mathbb{F} \times \mathcal{B}(C_T)) \times E \times (\mathbb{E}(V_T)^{V_S} \times \mathcal{A}(C_T))$ is defined by $M = (M'\restriction_{<_{\tilde{V}}})\restriction_{<_0}$, where $<_0$ is the timed priority relation specified in Def. 3.10, and $((g, \gamma), e, (a, R)) \in M'$ if and only if:
• $\forall 0 \le i \le n$, there is a transition $((g_i, \gamma_i), e_i, (a_i, R_i)) \in M'_i$ such that:
– $g = (\exists_{i=1..n} V_{F_i}).g_0 \wedge \cdots \wedge g_n$,
– $\gamma = (\exists_{i=1..n} C_{F_i}).\gamma_0 \wedge \cdots \wedge \gamma_n$,
• $\forall x \in V_S \cap V'_{S_i}$ we have $a(x) = a_i(x)$ and $\forall c \in C_S \cap C'_{S_i}$ we have $R(c) = R_i(c)$,
• $e = (e_0, e_1, \cdots, e_n) \in \tilde{V}$.
Theorem 2.1 (see page 1009) for untimed nodes carries over to timed nodes:
Theorem 3.4. Let N be a timed node. Then N can be rewritten into a timed component CN such that
JN K and JCN K are timed bisimilar.
The proof is given in appendix A.4.
3.7. Syntactical Timed Priority
In [27] the authors show that it is possible to encode a priority relation by strengthening the guards of a
component: this way one can syntactically encode the priority relation.
We tackle this problem in the timed case. Let $\mathcal{T} = \langle V_S \cup C_S, V_F \cup C_F, E, A, M, \emptyset\rangle$ be a timed component and $<$ be a timed priority relation. We first assume (see footnote 6) that $<$ contains no urgent events i.e. $\forall e \in E,\ time \not< e$. Our aim is to compute the transition relation $M\restriction_{<}$ syntactically i.e. by finding new guards that define $M\restriction_{<}$. We first rewrite our timed component so that we are sure that when a guard
evaluates to true, the corresponding transition can indeed be fired, i.e. the resulting new state satisfies
assertion A. This is done by adding weakest precondition (section 3.7.1) into the existing guards. Then
we show how to encode timed priority (section 3.7.2) again by strengthening the guards. Finally we
detail how urgency is handled in section 3.7.3.
3.7.1. Weakest Precondition
The key point is to know if a transition ((g, γ), e, (a,R)) can really be fired, and the fact that the guard
evaluates to true is not sufficient: a new state can be reached from ((s, ν), (f, µ)) only if after the assignments given by (a,R) we have π(a(s, f), R(ν, µ)) ≠ ∅, i.e. there are some admissible flow values. This latter
condition depends on assertion A of the timed component and can be seen as a weakest precondition.
First assume we have an untimed component (Def. 2.4). Let t = (g, e, a) be a transition of this
component, and A the assertion. For Q ⊆ S × F , we define Pret(Q) = {(s, f) | ∃f ′ | (a(s, f), f ′) ∈
Q}. Assume Pret(JAK) can be defined by a formula φt ∈ F, and free(φt) ⊆ VT . Now if we take
t′ = (g ∧ φt, e, a), we are sure that when g ∧ φt evaluates to true the transition t can be fired as (s, f) ∈
Jg ∧ φtK =⇒ pi(a(s, f)) 6= ∅.
We can extend this to the timed component. For t = ((g, γ), e, (a,R)) we define Pret(Q) =
{((s′, ν ′), (f ′, µ′)) | ∃f ′′, µ′′ | ((a(s′, f ′), R(ν ′, µ′)), (f ′′, µ′′)) ∈ Q}. Assume Pret(JAK) can be writ-
ten as φt ∧ θt with free(φt) ⊆ VT and free(θt) ⊆ CT .
Then if we define t′ = ((g ∧ φt, γ ∧ θt), e, (a,R)), we can ensure that if the guard of t′ evaluates to
true, t can be fired.
Now we show how to encode $Pre_t(\llbracket A \rrbracket)$ into guards of the form $(g, \gamma)$ with $g \in \mathbb{F}$, $free(g) \subseteq V_T$ and $\gamma \in \mathcal{B}(C_T)$. Assume $A = p_1 \wedge p_2 \wedge \cdots \wedge p_n \wedge (q_1 \implies i_1) \wedge \cdots \wedge (q_l \implies i_l)$. Assume $Pre_t(\llbracket A \rrbracket)$ is a conjunction of the form (see footnote 7) $p'_1 \wedge p'_2 \wedge \cdots \wedge p'_k \wedge (q'_1 \implies i'_1) \wedge \cdots \wedge (q'_m \implies i'_m)$. Let $P' = p'_1 \wedge p'_2 \wedge \cdots \wedge p'_k$. We can rewrite $Pre_t(\llbracket A \rrbracket)$ as (see footnote 8):
$$\bigvee_{\substack{J \cup I = [1..m] \\ I \cap J = \emptyset}} \underbrace{P' \wedge \bigwedge_{j \in J} \neg q'_j \wedge \bigwedge_{r \in I} q'_r}_{G_{I,J}} \wedge \underbrace{\bigwedge_{r \in I} i'_r}_{\Gamma_{I,J}}$$
This is a formula of the form $\bigvee_{p = 1..s} G_p \wedge \Gamma_p$ with $G_p \in \mathbb{F}$, $free(G_p) \subseteq V_T$ and $\Gamma_p \in \mathcal{B}(C_T)$. Now we create $s$ transitions from $t = ((g, \gamma), e, (a, R))$ defined by:
$$\forall p \in [1..s],\quad t_p = ((g \wedge G_p, \gamma \wedge \Gamma_p), e, (a, R))$$
Footnote 6: Urgency is dealt with in section 3.7.3 and requires additional assumptions and definitions.
Footnote 7: Quantifier elimination in $Pre_t(\llbracket A \rrbracket)$ can only be done under some conditions (e.g. the discrete domain is finite). We do not discuss this in this paper and assume we can actually find a quantifier-free expression for $Pre_t(\llbracket A \rrbracket)$.
Footnote 8: This expression is equivalent to the one given in [10], Def. 9.2.3 (Priorités Syntaxiques), page 85.
It remains to replace t by the tp, p ∈ [1..s] to build a new timed component and t can be fired in the
original component if and only if one of the tp can be fired in the new component (leading to the same
values for the state variables.) In the sequel we assume guards have been strengthened so that if a guard
evaluates to true then the transition can actually be fired.
3.7.2. Encoding Timed Priority
The Simple Case. Let t = ((g, γ), e, (a,R)) ∈ M . Assume e <k e′ and there is only one transition
t′ = ((g′, γ′), e′, (a′, R′)) ∈M labelled with e′. Then t can be fired from a configuration q only if (g, γ)
is true in q and:
1. either g′ is not true in q,
2. or g′ is true in q and γ′ will not be true within k time units.
First we deal with the discrete part of the guard and split the transition $t$ into $t_1$ and $t_2$ with:
• $t_1 = ((g \wedge \neg g', \gamma), e, (a, R))$ which corresponds to item 1 above;
• $t_2 = ((g \wedge g', \gamma), e, (a, R))$ which corresponds to item 2 above, although $\gamma$ needs to be strengthened to meet the requirements of item 2 above.
We now show how to strengthen γ in t2. A useful operator was introduced in [28, 29] for this purpose:
Definition 3.12. (Modal Operator [28, 29])
Let $X = \{x_1, x_2, \cdots, x_n\}$. Let $\nu \in \mathbb{R}^n$ and $k \in \mathbb{N}$. Let $\phi \in \mathcal{B}(X)$ and $\mathbb{T}$ be the time domain. We define the (state) predicate $\Diamond_k \phi$ by:
$$(\Diamond_k \phi)(\nu) \iff \exists t \in \mathbb{T},\ t \le k,\ \phi(\nu + t)$$
Now we strengthen the guard $\gamma$ in $t_2$ and define $t'_2 = ((g \wedge g', \gamma \wedge \neg\Diamond_k \gamma'), e, (a, R))$. According to [28, 29], it is possible to eliminate the existential quantifier in $\Diamond_k \gamma'$ and to obtain a quantifier-free formula (we will not get into the details and refer the reader to [28, 29]).
General Case. In the general case there could be $p$ transitions $t'_i = ((g'_i, \gamma'_i), e_i, (a'_i, R'_i))$ s.t. $e <_{k_1} e_1, \cdots, e <_{k_p} e_p$. Then we split $t$ into $2^p$ transitions $t_F = ((g_F, \gamma_F), e, (a, R))$ with $F \subseteq [1..p]$:
$$g_F = g \wedge \bigwedge_{i \in [1..p] \setminus F} \neg g'_i \wedge \bigwedge_{i \in F} g'_i \qquad (2)$$
$$\gamma_F = \gamma \wedge \bigwedge_{i \in F} \neg\Diamond_{k_i} \gamma'_i \qquad (3)$$
Remark 3.7. As stated in remark 3.2, page 1014, we do not modify the invariants of the system.
According to [27], the formula $\Diamond_k \gamma$ can be written as a simple formula in $\mathcal{B}(C_T)$. If we denote by $M\restriction_{<}$ the transition relation obtained by:
1. strengthening the guards by the weakest precondition for fireability as defined in section 3.7.1,
2. strengthening the guards to encode the timed priority relation as defined above in this subsection,
we obtain a new timed component $\mathcal{T}\restriction_{<} = \langle V_S \cup C_S, V_F \cup C_F, E, A, M\restriction_{<}, \emptyset\rangle$ such that:
Lemma 3.3. (Sy­ntactical Priority)
$\llbracket \mathcal{T}\restriction_{<} \rrbracket = \llbracket \mathcal{T} \rrbracket\restriction_{<}$.
Lemma 3.3 follows from Def. 3.10 and Def. 3.12. From lemma 3.1, we obtain the following corollary:
Corollary 3.1. $\llbracket \langle V_S \cup C_S, V_F \cup C_F, E, A, M, <\rangle \rrbracket = \llbracket \langle V_S \cup C_S, V_F \cup C_F, E, A, M, \emptyset\rangle\restriction_{<} \rrbracket$
This completes the syntactical encoding of timed priority without urgency for timed components.
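As an added example, not code from the paper, the following Python implements the simple case of this subsection for guards over a single clock x: the quantifier-free form of ◇_k γ' (Def. 3.12), the split of t into t_1 and t_2 with the clock guard γ ∧ ¬◇_k γ', and a check that firing with the strengthened guards agrees with the semantic restriction of Def. 3.6 (Lemma 3.3) on constructed sample guards. Clock formulas are kept in disjunctive normal form as lists of atoms (op, c) meaning `x op c`; the component is assumed to have no invariant, which is a simplification of ours; the function names and sample guards are ours.

```python
"""Added example (not code from the paper): the syntactic encoding of a timed
priority e <_k e' from Sect. 3.7.2, for guards over a single clock x. Clock
formulas in B({x}) are kept in DNF: a list of conjunctions, each conjunction a
list of atoms (op, c) meaning `x op c`. Function names and samples are ours."""
import operator

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}
NEG = {"<": ">=", "<=": ">", ">": "<=", ">=": "<"}   # negation of one atom


def holds(dnf, x):
    """Evaluate a DNF clock formula at clock value x."""
    return any(all(OPS[op](x, c) for op, c in conj) for conj in dnf)


def diamond_k(k, conj):
    """Quantifier-free form of ◇_k conj (Def. 3.12) for a non-empty interval
    conjunction: some t in [0,k] satisfies every atom at x+t iff every lower
    bound is met by x+k and every upper bound by x itself, so lower-bound
    constants move down by k and upper bounds are unchanged."""
    return [(op, c - k) if op in (">", ">=") else (op, c) for op, c in conj]


def exists_t(k, conj, x):
    """Def. 3.12 read literally, used as the reference for diamond_k: the set
    {t in [0,k] | conj(x+t)} is an interval, so testing 0, k, the breakpoints
    c - x and the midpoints between consecutive candidates is exact."""
    pts = sorted({0.0, float(k)} | {c - x for _, c in conj if 0 <= c - x <= k})
    cands = pts + [(a + b) / 2 for a, b in zip(pts, pts[1:])]
    return any(all(OPS[op](x + t, c) for op, c in conj) for t in cands)


def negate_conj(conj):
    """¬(a1 ∧ ... ∧ an) as a DNF: one single-atom conjunction per negated atom."""
    return [[(NEG[op], c)] for op, c in conj]


def fires_semantic(x, g, gamma, g2, gamma2, k):
    """Def. 3.6, second branch, for e <_k e' with a single transition t' labelled
    e' and no invariant: t fires at x iff (g, gamma) holds and t' (guard
    (g2, gamma2)) does not become enabled within k time units. g2 is over
    discrete variables, which do not change while time elapses."""
    return g and holds([gamma], x) and not (g2 and exists_t(k, gamma2, x))


def split(gamma, gamma2, k):
    """The two transitions replacing t in the simple case: t1 keeps gamma and
    requires ¬g'; t2 requires g' and strengthens gamma to gamma ∧ ¬◇_k gamma'.
    Each entry is (required truth value of g', clock guard as DNF)."""
    t1 = (False, [gamma])
    t2 = (True, [gamma + lit for lit in negate_conj(diamond_k(k, gamma2))])
    return [t1, t2]


def fires_syntactic(x, g, gamma, g2, gamma2, k):
    """Fire t using only the strengthened guards: no priority restriction is
    applied at run time (Lemma 3.3)."""
    return g and any(g2 == need and holds(dnf, x)
                     for need, dnf in split(gamma, gamma2, k))


# Constructed sample: t has clock guard 5 <= x <= 20, the higher-priority t'
# has 12 <= x <= 15, and e <_3 e'.
GAMMA = [(">=", 5), ("<=", 20)]
GAMMA2 = [(">=", 12), ("<=", 15)]
K = 3


def check_equivalence(step=0.25, upto=25.0):
    """Compare the semantic and the syntactic definitions on a grid of clock
    values and both truth values of g'; True iff they agree everywhere."""
    xs = [i * step for i in range(int(upto / step) + 1)]
    return all(fires_semantic(x, True, GAMMA, g2, GAMMA2, K)
               == fires_syntactic(x, True, GAMMA, g2, GAMMA2, K)
               for x in xs for g2 in (False, True))
```

With the sample guards, ◇_3(12 ≤ x ≤ 15) becomes 9 ≤ x ≤ 15, so t_2 carries the guard 5 ≤ x ≤ 20 ∧ (x < 9 ∨ x > 15): at x = 8 the lower-priority transition may still fire, from x = 9 on it is blocked because e' becomes enabled within 3 time units, and from x > 15 it fires again.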
3.7.3. Encoding Urgency
Urgency consists in preventing time elapsing when a discrete transition is enabled. In this section we
assume the time domain is R≥0. Also we assume time determinism and denote ν−t the valuation defined
by (ν−t)(x) = ν(x)−t (time non determinism is more technically involved but can be handled as well).
Our work is based on previous papers by S. Bornot, J. Sifakis and S. Tripakis [28, 29, 27]. The authors
define the notion of rising edge of a guard that plays a central role:
Definition 3.13. (Rising Edge [27])
Let $X = \{x_1, x_2, \cdots, x_n\}$, $\nu \in \mathbb{R}^n$ and $\gamma \in \mathcal{B}(X)$. The rising edge of $\gamma$, denoted $\gamma\!\uparrow$, is the predicate defined by:
$$\gamma\!\uparrow(v) = \Big(\gamma(v) \wedge \exists t > 0,\ \forall 0 < t' \le t,\ \neg\gamma(v - t')\Big) \vee \Big(\neg\gamma(v) \wedge \exists t > 0,\ \forall 0 < t' \le t,\ \gamma(v + t')\Big) \qquad (4)$$
We assume that each guard of a transition labelled by an urgent event is such that $\llbracket \gamma\!\uparrow \rrbracket \subseteq \llbracket \gamma \rrbracket$.
Indeed $x > 10$ is not a relevant guard for an urgent transition as there is no first instant at which the
guard becomes true: the transition becomes urgent strictly after 10 which is a fuzzy instant and this is
in contradiction with urgency. Note that in this case $(x > 10)\!\uparrow \equiv (x = 10)$ which gives the same
rising edge as for $x \ge 10$ but the latter has a first instant for which it is true. This problem is well-known and is already discussed in [29]. Note that in this case equation (4) of Def. 3.13 simplifies to
$$\gamma\!\uparrow(v) = \Big(\gamma(v) \wedge \exists t > 0,\ \forall 0 < t' \le t,\ \neg\gamma(v - t')\Big).$$
We also assume that a guard $\gamma$ of an urgent transition is convex and this implies that $\gamma\!\uparrow$ is convex as well.
Urgency as an assertion The semantics of urgency (see Def. 3.6) implies that when a transition be-
comes urgent (i.e. its guard is true) time elapsing is forbidden and this is the semantics proposed in [29].
It does not imply that the urgent transition is fired. Also this notion is different from the notion of urgency
in UPPAAL [20] which only constrains processes to synchronize on common channels (synchronized
events) whenever they can.
To be more precise assume we have a component U with an urgent transition eu as defined on
Fig. 6(a).
Start in configuration (s = 0, x = 0). At some point f can occur. If it occurs before x = 10 it is
possible to let some time elapse until x = 10 reaching (s = 1, x = 10). At this point the urgent transition
prevents time from elapsing. Anyway a new occurrence of f could occur and set s to 0 again: in this
1: node U
2: state
3: s : [0,1];
4: x : clock;
5: event
6: e_u > time, f
7: trans
8: s=1 & 10<= x<=20 |- e_u -> s:=0;
9: |- f -> s:=0;
10: |- f -> s:=1;
11: init s:=0, x:=0 ;
12: edon
(a) Node U with event eu urgent
1: node U_Y
2: flow Y ; // the flow variable Y
3: state
4: s : [0,1];
5: x : clock;
6: event
7: e_u, f
8: trans
9: s=1 & 10<=x<=20 |- e_u -> s:=0;
10: |- f -> s:=0;
11: |- f -> s:=1;
12: init s:=0, x:=0 ;
13: assert
14: (s=1) => (10<x<=20 => Y=0);
15: edon
(b) Urgency as an assertion
Figure 6. Encoding Urgency
configuration the urgent event eu is no longer enabled and time can elapse. Thus to use our notion of
urgency to force a transition to occur, one must ensure that once an urgent transition is enabled (x = 10)
no other transition can disable it (to achieve this, one could change the enabling condition True of line 9
of node U to x<10).
To encode urgency, we use an additional real flow variable Y (see line 2 of Fig. 6(b)). This flow
variable is assumed to be reset to 0 on each discrete transition and evolves at rate 1 (synchronous with
physical time) on delay transitions. How this will be achieved will be dealt with later in this section.
The syntactical encoding of urgency consists in adding a timed invariant (line 14 of node U_Y, Fig. 6(b))
to constrain time elapsing. Note that this assertion implies Y = 0 only when x > 10 (and not x ≥
10). Intuitively, assume we reach a configuration (s = 1, x < 10). Then time can elapse from this
configuration until x = 10. Indeed (s = 1, x = 10) satisfies Def. 3.6 as for each strictly preceding
instant the assertion is true. From this configuration on time cannot elapse as Y > 0 and the assertion
forbids it. Now if we reach (s = 1, 10 ≤ x ≤ 20) by firing a discrete transition, Y is set to 0 and time
elapsing is also forbidden. This achieves urgency (in the sense that time elapsing is prevented).
One limitation of our encoding is that we do not know how to deal with urgent transitions with
sharp urgent guards such as x = 5. This is why we require an additional assumption on guards for urgent
transitions: the (temporal) guard $\gamma_u$ must satisfy $\exists \varepsilon > 0,\ \nu \in \llbracket \gamma_u\!\uparrow \rrbracket \implies \forall \varepsilon' \le \varepsilon,\ \nu + \varepsilon' \in \llbracket \gamma_u \rrbracket$. We
refer to this latter property as $\gamma_u$ is not sharp.
Correctness of the encoding Let $\mathcal{T} = (V_S \cup C_S, V_F \cup C_F, E, A, M, <)$ be a timed component where
$<$ consists in one element: $e_u > time$ ($e_u$ is urgent). Assume there is one urgent transition $t_u = ((g_u, \gamma_u), e_u, (a_u, R_u))$, $\gamma_u$ is not sharp, and there is a flow variable $Y$ that is reset on each discrete
transition and evolving at rate 1 on delay transitions.
Define the timed component $\mathcal{T}_u = (V_S \cup C_S, V_F \cup C_F, E, A \wedge \varphi_u, M, \emptyset)$ with
$$\varphi_u \overset{def}{=} g_u \implies \Big((\gamma_u \wedge \neg(\gamma_u\!\uparrow)) \implies Y = 0\Big).$$
Note that we assume $Y$ is an invisible variable that does not belong to $C_F$. This is just for the sake of clarity as otherwise we need to define a new notion of timed bisimilarity
for timed interfaced transition systems that do not have the same sets of flow variables (recall that
Def. 3.2 imposes the two systems to have the same interface).
Theorem 3.5. ⟦T⟧ and ⟦Tu⟧ are timed bisimilar.
The proof is given in appendix A.5.
Implementation of the encoding To implement our encoding and add a fresh flow variable Y , we
proceed as follows:
1. create node U_Y from node U, as described by Fig. 6(b),
2. build a new node YY (Fig. 7(a)) that manages a variable Y that satisfies the assumptions we needed
before: Y is reset on each discrete transition and evolves at rate 1 on delay transitions. Each
discrete event of other components will be synchronized with event u of YY;
3. build a parent node UU that synchronizes U_Y and YY; this node is given in Fig. 7(b).
node YY
flow Y;
event u;
state
y : clock;
trans
|- u -> y:=0 ;
init y:=0;
assert Y=y
edon
(a) Node YY
node UU
event e_u,f;
sub CU_Y:U_Y; C_YY:YY;
sync
<f,C_YY.u,CU_Y.f>;
<e_u,C_YY.u,CU_Y.e_u>;
assert
CU_Y.Y=C_YY.Y
edon
(b) Node UU
Figure 7. Hierarchical Modeling of Urgency
This scheme can be carried out for multiple urgent events. We do not detail this in this paper as it is
just a technical exercise.
Now that we know how to encode timed priority syntactically and how to flatten a node into a
component, we proceed with a translation of timed components into timed automata. This will enable
us to check various timed properties.
4. From Timed Nodes to Timed Automata
In this section, we present a translation of Timed AltaRica specifications to timed automata [17]. This
way we can extract a timed automaton from a Timed AltaRica specification and carry out some
verification of temporal properties using tools for analysing timed systems like UPPAAL [5], CMC [6] or
KRONOS [31]. Notice that thanks to theorem 3.4 we only need to define the translation for timed
components.
4.1. From Timed AltaRica Components to Timed Automata
Let T = 〈VS ∪ CS, VF ∪ CF, E, A, M, ∅〉 be a timed component with |CS| = n and |CF| = m (thanks
to lemma 3.3, we can assume the timed priority relation of T is the empty relation). From Def. 3.7, the
assertion of a timed component consists in two parts:
• A^V_T which gives a constraint on the discrete variables,
• A^C_T which associates a time invariant to a predicate on the discrete variables.
Thus we write A^C_T = ⋀_{j=1}^{p} (Pj ⟹ Ij) with free(Pj) ⊆ VT and free(Ij) ⊆ CT.
As we want to build a timed automaton (which is timed bisimilar to the original node) from a timed
component, we need to define the locations of this timed automaton. They are built from the assertion on
the discrete variables, and must be labelled with a timed invariant. We define the translation of a timed
component with no flow variables and explain later how we deal with components with flow variables.
We write G ⊎ L = [1..p] as a shorthand for G, L ⊆ [1..p], G ∩ L = ∅, G ∪ L = [1..p], i.e. G and L
form a partition of [1..p].
Definition 4.1. (Timed Automaton Associated with a Timed Component)
Let T = 〈VS ∪ CS, VF ∪ CF, E, A, M, ∅〉 be a timed component with VF = CF = ∅. Let A = A^V_T ∧ A^C_T
with free(A^V_T) ⊆ VT, A^C_T = ⋀_{j=1}^{p} (Pj ⟹ Ij) and free(Pj) ⊆ VT and free(Ij) ⊆ CT. Given
G ⊆ [1..p], L ⊆ [1..p], we define:
r^L_G = (⋀_{j∈G} Pj) ∧ (⋀_{j∈L} ¬Pj)   (5)
l^L_G = A^V_T ∧ r^L_G   (6)
The timed automaton⁹ A(T) = (L, L0, E, X, I, T) associated with T is defined by:
• L = {l^L_G | G ⊎ L = [1..p] ∧ ⟦l^L_G⟧ ≠ ∅} is the set of locations¹⁰,
• L0 = L is the set of initial states (actually in real Timed AltaRica specifications, a set of initial
states is given as in the example of Fig. 5(b); assume this set is defined by a predicate init, then
L0 = init),
• E is the set of events,
• X = CT is the set of clocks,
• the invariant I is defined by: I(l^L_G) = ⋀_{k∈G} Ik if G ≠ ∅, and tt otherwise,
• the transition relation T is defined by: let l^L_G, l^{L′}_{G′} ∈ L such that ⟦l^L_G ∧ g⟧ ≠ ∅ and a(⟦l^L_G ∧ g⟧) ∩
⟦l^{L′}_{G′}⟧ ≠ ∅ (the source location intersects the discrete guard and the target location intersects the
discrete part of the state space) and t = ((g, γ), e, (a, R)) ∈ M, then
(l^L_G, (g ∧ Pre_t(l^{L′}_{G′}) ∧ γ, e, (a, R)), l^{L′}_{G′}) ∈ T
⁹see section 3.1 for the definition of a timed automaton
¹⁰Thus the number of locations is exponential in the number of predicates of A^C_T. Notice that this definition gives a partition
of the set of states defined by A^V_T and that ⟦l^L_G⟧ ⊆ St × Ft.
Remark 4.1. As we have imposed that the Ik denote convex sets, the invariants I(l^L_G) are allowed by
the definition of timed automaton (section 3.1).
In the previous definition we assume we can give constraints on the discrete variables in the guards,
and allow assignments of the discrete variables on a transition, which is not formally allowed by the
definition of timed automata of section 3.1, but this definition can trivially be extended to include this
(timed automata of UPPAAL [5] allow the use of such features). Also, if we do not make any assumption
on the domain of the discrete variables of a Timed AltaRica specification, the number of locations may
be infinite. In any case we can define the translation of a timed component into a timed automaton (with
potentially an infinite number of locations):
Theorem 4.1. Let T = 〈VS ∪ CS, VF ∪ CF, E, A, M, ∅〉 be a timed component with VF = CF = ∅.
Then ⟦T⟧ and ⟦A(T)⟧ are timed bisimilar.
The proof is given in appendix A.6.
4.2. The Train Example
We now apply the previous translation to the train example of Fig. 8.
1: node TRAIN
2: // flow N : [0,1]; commented out
3: event approach, in, exit;
4: state
5: N : [0,1]; // N is now a state variable
6: etat : [0,2];
7: n : [0,1];
8: t : clock;
9: trans
10: t >= 70 & etat=0 |- approach -> etat := 1, t := 0, n := 1, N:=1;
11: 20 <= t <= 30 & etat=1 |- in -> etat := 2, t := 0;
12: 10 <= t <= 20 and etat=2 |- exit -> etat := 0, t := 0, n := 0, N:=0;
13: init
14: etat:=0;n:=0;N:=0;t:=0;
15: assert
16: // N=n; commented out
17: (etat=1) => (t<=30);
18: (etat=2) => (t<=20);
19: edon
Figure 8. Train Timed Component with no Flow Variables
The flow variable N is first assumed to be a state variable (line 5) and an assignment is given for N on
lines 10–12. We assume that this enables us to get rid of the assertion on N (i.e. line 16 is commented
out). Table 1 gives the locations and invariants of the corresponding timed automaton.
The next step consists in computing the graph structure: the result for the train component of Fig. 8 is
given in Fig. 9. Notice that we compute an abstract timed automaton in the sense that discrete variables
are not interpreted: as a result the number of locations of the timed automaton where the discrete variables
are interpreted might be larger than the number of locations of this abstract timed automaton, and could
even be infinite.
G ⊎ L | r^L_G | l^L_G | I(l^L_G)
∅ ⊎ {1, 2} | etat = 0 | etat = 0 | tt
{1} ⊎ {2} | etat = 1 | etat = 1 | t ≤ 30
{2} ⊎ {1} | etat = 2 | etat = 2 | t ≤ 20
{1, 2} ⊎ ∅ | ff | ff | –
Table 1. Locations and Invariants of the Train Component
[Figure residue: three locations l^{1,2}_∅ (no invariant), l^2_1 (invariant t ≤ 30) and l^1_2 (invariant t ≤ 20); edge l^{1,2}_∅ → l^2_1 labelled approach with guard t ≥ 70 ∧ etat = 0 and update (etat, n, N, t) := (1, 1, 1, 0); edge l^2_1 → l^1_2 labelled in with guard 20 ≤ t ≤ 30 ∧ etat = 1 and update (etat, t) := (2, 0); edge l^1_2 → l^{1,2}_∅ labelled exit with guard 10 ≤ t ≤ 20 ∧ etat = 2 and update (etat, n, N, t) := (0, 0, 0, 0).]
Figure 9. Translation of the Train component
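As an added worked example (Python written for this page, not the authors' Timed AltaRica-Compiler), the following carries Definition 4.1 out on the TRAIN component of Fig. 8 and recovers the locations of Table 1 and the edges of Fig. 9; it assumes finite, enumerated discrete domains in order to decide emptiness of l^L_G, which the abstract translation leaves uninterpreted.

```python
"""Worked translation of a Timed AltaRica component into a timed automaton
(Definition 4.1): locations l^L_G from the predicates P_j of A^C_T, invariants
from the I_j, edges from the transitions in M. Added example, not the authors'
Timed AltaRica-Compiler. Assumption: discrete domains are finite and enumerated
to decide emptiness of a location; the paper's translation keeps them abstract."""
from itertools import combinations, product

# Constructed input: the TRAIN component of Fig. 8 transcribed by hand.
DOMAINS = {"etat": range(3), "n": range(2), "N": range(2)}
AV = lambda s: True          # A^V_T: nothing beyond the domain constraints
# A^C_T = (etat=1 => t<=30) /\ (etat=2 => t<=20), as (P_j, I_j) pairs, j = 1, 2
AC = [(lambda s: s["etat"] == 1, "t<=30"),
      (lambda s: s["etat"] == 2, "t<=20")]
# M: (discrete guard g, clock guard gamma, event e, assignment a, clock reset R)
M = [
    (lambda s: s["etat"] == 0, "t>=70", "approach",
     lambda s: {**s, "etat": 1, "n": 1, "N": 1}, "t:=0"),
    (lambda s: s["etat"] == 1, "20<=t<=30", "in",
     lambda s: {**s, "etat": 2}, "t:=0"),
    (lambda s: s["etat"] == 2, "10<=t<=20", "exit",
     lambda s: {**s, "etat": 0, "n": 0, "N": 0}, "t:=0"),
]


def key(s):
    """Hashable form of a discrete valuation."""
    return tuple(sorted(s.items()))


def discrete_states(domains, av):
    """All valuations of the discrete variables satisfying A^V_T."""
    names = list(domains)
    out = []
    for vals in product(*domains.values()):
        s = dict(zip(names, vals))
        if av(s):
            out.append(s)
    return out


def locations(domains, av, ac):
    """Map (G, L) -> set of valuations, for each partition G ⊎ L = [1..p] whose
    location l^L_G = A^V_T ∧ (∧_{j∈G} P_j) ∧ (∧_{j∈L} ¬P_j) (eq. 5, 6) is non-empty."""
    p = len(ac)
    states = discrete_states(domains, av)
    locs = {}
    for size in range(p + 1):
        for G in combinations(range(1, p + 1), size):
            L = tuple(j for j in range(1, p + 1) if j not in G)
            sem = {key(s) for s in states
                   if all(ac[j - 1][0](s) for j in G)
                   and all(not ac[j - 1][0](s) for j in L)}
            if sem:            # empty locations such as l^∅_{1,2} = ff are dropped
                locs[(G, L)] = sem
    return locs


def invariant(G, ac):
    """I(l^L_G) = ∧_{k∈G} I_k, or tt when G is empty."""
    return " and ".join(ac[k - 1][1] for k in G) if G else "tt"


def edges(locs, trans):
    """Edges (source, event, gamma, Pre_t(target) ∧ g, reset, target): one per
    (l, t, l') with ⟦l ∧ g⟧ ≠ ∅ and a(⟦l ∧ g⟧) ∩ ⟦l'⟧ ≠ ∅. The discrete part of
    the guard is returned as the set of source valuations it admits."""
    out = []
    for src, src_sem in locs.items():
        for g, gamma, e, a, reset in trans:
            enabled = [dict(s) for s in src_sem if g(dict(s))]
            if not enabled:
                continue
            for tgt, tgt_sem in locs.items():
                pre = frozenset(key(s) for s in enabled if key(a(s)) in tgt_sem)
                if pre:
                    out.append((src, e, gamma, pre, reset, tgt))
    return out


def translate(domains=DOMAINS, av=AV, ac=AC, trans=M):
    """Timed automaton A(T) as (locations with invariants, edges)."""
    locs = locations(domains, av, ac)
    invs = {loc: invariant(loc[0], ac) for loc in locs}
    return invs, edges(locs, trans)


if __name__ == "__main__":
    invs, es = translate()
    for (G, L), inv in invs.items():      # reproduces the rows of Table 1
        print(f"l^{set(L) or '∅'}_{set(G) or '∅'}: invariant {inv}")
    for src, e, gamma, pre, reset, tgt in es:
        print(f"{src} --{e}: {gamma}, {reset}--> {tgt}")
```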
4.3. Discussion of our Translation
The assumption that flow variables become clock state variables of the timed component means that the
evolution rates and resets of the flows must follow the evolution rules of a clock in a timed automaton. This
imposes restrictions on the type of equations one can write in the assert part of a Timed AltaRica program.
We will not go into details about it and the reader is referred to [32] for an exhaustive presentation.
Nevertheless, constraints such as Y = x, Y = x + 1 etc. (where Y is a flow and x a clock) can be
dealt with in the translation into timed automata. More complex equations such as Y = 2x + y can be handled
using hybrid automata [18]. Constraints like x + 1 ≤ Y ≤ 2y + x cannot be encoded into linear hybrid
automata as the slope of Y is unbounded. In the sequel we assume that only assertions of the simple
type Y = x or Y = x + c, c ∈ N are used so that we can encode them into timed automata constraints.
Computing the assignments of the flow variables that have become state variables is in this case easy and
detailed in Table 3.
The other choices we have made can be accounted for by the following reasons:
• we do not want to have an expensive computation to produce the timed automaton; our translation
scheme is easy to implement and does not require extensive computation;
• also, we do not want to deal with clocks in the translation as it is the purpose of the tools for
analysing timed systems to do some computation on continuous time domains; we only perform
syntactical rewriting;
• we do not want to constrain the discrete variables to be in a finite domain before doing the
translation: indeed it could be the case that the variables are in a finite domain only because of the
timing constraints. Thus we do not want to compute the domain of the variables in our translation.
This is why the locations are predicates on the discrete variables and transitions constrain updates
of these variables. Notice also that it could be the case that the timed automaton associated
with a timed component has a finite bisimilar quotient whereas the untimed component has no
finite bisimilar quotient (e.g. if a transition contains an update of the form x := x + 1). With
our translation, we do not need to assume that the untimed component admits a finite bisimilar
quotient.
4.4. Reachability Issues for Timed AltaRica Components
Timed AltaRica components are translated into timed automata as described previously. If the domain
of the discrete variables is finite, we obtain a timed automaton with a finite number of discrete states.
Reachability is decidable for a timed component if the translation of the timed component belongs to a class
of timed automata for which reachability is decidable. This problem has been extensively studied and an
exhaustive set of results was given in [24]. We recall (see section 3.1) that the set of clock constraints
B(X) over a set X of clocks is defined inductively by the grammar (see equation 1):
g := x ⋈ r | x − y ⋈ r | g ∧ g | g ∨ g
with x, y ∈ X, ⋈ ∈ {<, ≤, >, ≥, =}, r ∈ Z. The set of diagonal-free constraints Bdf(X) is defined by
the sub-grammar:
g := x ⋈ r | g ∧ g | g ∨ g
with x ∈ X, ⋈ ∈ {<, ≤, >, ≥, =}, r ∈ N. Table 2 gives a summary of the results in [24] (an assignment
of the form x :< c means that x is assigned any value less than c) concerning the decidability of the
reachability problem for timed automata: decidability depends on the type of guards of the automata and
on the type of assignments allowed.
Deterministic Assignment | Guards in Bdf(X) | Guards in B(X)
x := c (1) | Decidable | Decidable
x := y (2) | Decidable | Decidable
x := x + 1 (3) | Decidable | Undecidable
x := y + c (4) | Decidable | Undecidable
x := x − 1 (5) | Undecidable | Undecidable
Non-Deterministic Assignment | Guards in Bdf(X) | Guards in B(X)
x :< c (6) | Decidable | Decidable
x :> c (7) | Decidable | Undecidable
x :⋈ y + c (8) | Decidable | Undecidable
y + c <: x :< y + d (9) | Decidable | Undecidable
y + c <: x :< z + d (10) | Undecidable | Undecidable
Table 2. Decidability Results for Reachability in Timed Automata (from [24])
In our setting, the decidability of reachability depends on the type of guards and assignments of the
timed component as well as on the type of assertions used to constrain the continuous flow variables. If
we allow only assertions on the continuous flow variables of the form Y = x + c′ where Y is a continuous
flow variable, x is a clock state variable and c′ ∈ N, then the update of Y on discrete transitions can
be encoded as a clock assignment according to the encoding described in Table 3: in the case of
non-deterministic assignments (6–10) of x we encode the assignment for Y with an ε-transition that occurs
right after the one assigning x without any time elapsing (this can be implemented by committed locations in
UPPAAL for instance).
Combining Tables 2 and 3 we obtain that for an assertion containing only constraints of the form
Y = x + c′ with Y a flow variable and x a clock variable, c′ ∈ N:
• if all the guards on the clock and continuous flow variables are in Bdf(X), reachability is decidable
in case the assignments of the clock state variables are not of type (5) nor (10);
• if all the guards on the clock and continuous flow variables are in B(X), reachability is decidable
only if the assignments of the clock state variables are of the form (1) or (2) and c′ = 0 (Y = x and
x := y allowed).
5. A Case Study Using Timed Priorities
In this section we give an example of the use of time priorities in Timed AltaRica and the modeling
power they give. We consider again the train-gate-controller introduced in section 2:
Type of Assignment for x | Type of Assignment for Y
x := c (1) | Y := c + c′ (1)
x := y (2) | Y := y + c′ (4)
x := x + 1 (3) | Y := Y + 1 (3)
x := y + c (4) | Y := y + c + c′ (4)
x := x − 1 (5) | Y := Y − 1 (5)
x :< c (6) | ε-trans. Y := x + c′ (4)
x :> c (7) | ε-trans. Y := x + c′ (4)
x :⋈ y + c (8) | ε-trans. Y := x + c′ (4)
y + c <: x :< y + d (9) | ε-trans. Y := x + c′ (4)
y + c <: x :< z + d (10) | ε-trans. Y := x + c′ (4)
Table 3. Encoding of a Flow Variable Y constrained by Y = x + c′
• there are two tracks crossing at the gate,
• the trains can come from any side on these two tracks,
• the aim is to ensure property P stating “the gate is closed when at least one train is on the near
section”. Also we do not want to open the gate if a train is crossing and another is going to cross
in a near future (this is where the priorities will be used).
Let k ∈ N be a parameter; we fix some timed priorities between the two events approach and Go_up
within a delay k. First, we translate this system into timed automata by applying the translation developed
in section 4. Second, we analyse the system using UPPAAL [5] (note that in this case we do
have to instantiate k with a value in N before using the tool).
5.1. Translation of the Train-Gate-Controller into Timed Automata
The components of the Train-Gate-Controller were given in Fig. 1, page 1003 and Fig. 5, page 1018.
From those components we can build timed automata using the algorithm defined in section 4.1.
For this particular case of a hierarchical node with sub-components we can use an alternative way of
building the timed automaton A(Main): it is the synchronized product of the three automata obtained
by translating each component into a timed automaton. The timed automata for nodes TRAIN and GATE
are given in Fig. 10. The timed automaton11 corresponding to node MAIN is given in Fig. 11.
On the synchronized product of the three UPPAAL timed automata, property P is given by the
UPPAAL-style property:
A[]((TRAIN1.s2 or TRAIN2.s2) imply GATE.etat==2)
We can check that P is satisfied for any fixed value of k.
11To deal with priority, we use the algorithms given in section 3.7 and we obtain a priority free component.
[Figure residue: Train automaton with locations s0, s1 (invariant t<=30), s2 (invariant t<=20) and edges s0 → s1 on approach! (guard t >= 70, etat == 0; update etat := 1, n := 1, t := 0), s1 → s2 on in! (guard t >= 20, t <= 30, etat == 1; update etat := 2, t := 0), s2 → s0 on exit! (guard t >= 10, t <= 20, etat == 2; update etat := 0, n := 0, t := 0). Gate automaton with locations s0, s1 (invariant y<=10), s2 (invariant y<=10) and edges labelled Go_down!, Go_up!, down! and up!, guarded by the value of etat (0 to 3) and y<=10, with updates of etat and resets y := 0.]
Figure 10. Train and Gate Automata in UPPAAL
[Figure residue: Controller automaton with locations s0, s1 (invariant z<10), s2 (invariant z<=10). Edges labelled approach! are guarded by etat and X1 >= 70 or X2 >= 70 and set N to 0, 1 or 2 (with etat := 1, z := 0 when leaving s0 or s2); edges labelled exit! are guarded by etat == 1, or by etat == 0 and N > 1, and update N; edges labelled Go_down! are guarded by z<=10, etat == 1 and set etat := 0; edges labelled Go_up! are guarded by z<=10, etat == 2, X1 < 70-k, X2 < 70-k (the timed priority of approach over Go_up within delay k) and set etat := 0.]
Figure 11. Controller Automata in UPPAAL
5.2. Influence of Timed Priorities
Timed priorities constrain the system and one of the first questions that arises is what kind of behaviour
do we forbid. The priority we have given in Fig. 5(b), page 1018 means that we do not want to raise the
gate if a new train can enter the near section within less than k time units. As intended, there should be
a threshold value k0 for k such that for all k ≥ k0, the gate remains closed forever. We can express this
as the property12 A[](GATE.etat==2) and it is satisfied for k0 = 40.
Another interesting problem concerns the liveness of the system. As stated in remark 3.2, page 1014,
some deadlock may occur when prioritising the system. The train-gate-controller without priority is
deadlock free and loses this property as soon as k > 0.
6. Conclusion
We have shown how to add clocks to AltaRica and build a timed extension of this formalism: Timed
AltaRica. This timed extension has the same features as the untimed one and we were able to prove all
the results obtained for the untimed case:
• two timed bisimilar timed interfaced transition systems remain timed bisimilar when we apply a
timed priority restriction (theorem 3.2),
• a timed component with timed priorities can syntactically be rewritten into a timed component
without timed priorities and has the same semantics (lemma 3.3),
• the synchronised product (for nodes) is compositional with respect to timed bisimulation
(theorem 3.3),
• a timed node can be rewritten into a timed component that has the same semantics (theorem 3.4).
Moreover we have defined a translation of timed components into usual timed automata (section 4)
so that we can use tools for analysing timed automata (like UPPAAL) to carry out our verification.
Moreover the implementation of our translation called Timed AltaRica-Compiler is currently being
added to the AltaRica toolbox.
Our future work is many-fold:
• complete the extension of AltaRica by adding features allowing the user to specify hybrid
systems [18]; the main problem is to deal with time priorities in this case. The work we have
presented in this paper is correct for clock variables but additional work is needed for systems where
variables may have arbitrary integer slopes;
• study the problem of preserving liveness when using priorities (following the framework of [27]),
• use our Timed AltaRica-compiler on real industrial case studies,
• investigate alternative ways of checking the correctness of Timed AltaRica specifications: this
amounts to designing hierarchical model-checking algorithms taking advantage of the structure
of Timed AltaRica specifications.
12Actually to prove this property with the restricted TCTL set of UPPAAL we have to change the initial set of states to check
this property.
References
[1] G. Berry and G. Gonthier. The esterel synchronous programming language: Design, semantics, implement-
ation. Science of Computer Programming, 19(2):87–152, 1992.
[2] N. Halbwachs, P. Caspi, P. Raymond, and D. Pilaud. The synchronous data-flow programming language
LUSTRE. Proceedings of the IEEE, 79(9):1305–1320, September 1991.
[3] P. Le Guernic, M. Le Borgne, T. Gautier, and C. Le Maire. Programming real-time applications with Signal.
Proceedings of the IEEE, 79(9):1321–1336, September 1991.
[4] F. Cassez and O. Roux. Compilation of the Electre reactive language into finite transition systems. Theoretical
Computer Science, 146(1–2):109–143, July 1995.
[5] P. Pettersson and K. G. Larsen. UPPAAL2k. Bulletin of the European Association for Theoretical Computer
Science, 70:40–44, February 2000.
[6] F. Laroussinie and K. G. Larsen. CMC: A tool for compositional model-checking of real-time systems. In
Proc. IFIP Joint Int. Conf. Formal Description Techniques & Protocol Specification, Testing, and Verification
(FORTE-PSTV’98), pages 439–456. Kluwer Academic Publishers, 1998.
[7] M. Bozga, C. Daws, O. Maler, A. Olivero, S. Tripakis, and S. Yovine. Kronos: A model-checking tool for
real-time systems. In A. J. Hu and M. Y. Vardi, editors, Proc. 10th International Conference on Computer
Aided Verification, Vancouver, Canada, volume 1427, pages 546–550. Springer-Verlag, 1998.
[8] T. A. Henzinger, P. H. Ho, and H. Wong-Toi. HYTECH: A model checker for hybrid systems. International
Journal on Software Tools for Technology Transfer, 1(1-2):110–122, 1997.
[9] G. Point and A. Rauzy. Altarica - constraint automata as a description language. European Journal on
Automation, 1999. Special issue on the Modelling of Reactive Systems.
[10] G. Point. Altarica : Contribution à l’unification des méthodes formelles et de la sûreté de fonctionnement.
PhD thesis, University of Bordeaux I, January 2000.
[11] A. Arnold, A. Griffault, G. Point, and A. Rauzy. The AltaRica formalism for describing concurrent systems.
Fundamenta Informaticae, 40:109–124, 2000.
[12] A. Griffault, S. Lajeunesse, G. Point, A. Rauzy, J.-P. Signoret, and P. Thomas. The AltaRica language. In
Proceedings of the International Conference on Safety and Reliability, ESREL’98. Balkema Publishers, June
20-24 1998.
[13] A. Arnold, D. Begay, and P. Crubille. Construction and analysis of transition systems with MEC. World
Scientific, 1994.
[14] A. Arnold. An experience with MEC in a real industrial project. 1995.
[15] A. Vincent. Conception et réalisation d’un vérificateur de modèles AltaRica. PhD thesis, University of
Bordeaux I, 2003.
[16] A. Griffault and A. Vincent. The mec 5 model checker. In International Conference on Computer Aided
Verification (CAV’04), Lecture Notes in Computer Science. Springer-Verlag, July 2004. to appear.
[17] R. Alur and D. Dill. A theory of timed automata. Theoretical Computer Science B, 126:183–235, 1994.
[18] T. A. Henzinger. The theory of hybrid automata. In Proceedings, 11th Annual IEEE Symposium on Logic in
Computer Science, pages 278–292, New Brunswick, New Jersey, 27–30 July 1996. IEEE Computer Society
Press.
[19] R. Alur, C. Courcoubetis, N. Halbwachs, T. A. Henzinger, P.-H. Ho, X. Nicollin, A. Olivero, J. Sifakis, and
S. Yovine. The algorithmic analysis of hybrid systems. Theoretical Computer Science, 138(1):3–34, 1995.
[20] J. Bengtsson, K. Larsen, F. Larsson, P. Pettersson, W. Yi, and C. Weise. New generation of UPPAAL, 1998.
[21] B. Bérard, M. Bidoit, A. Finkel, F. Laroussinie, A. Petit, L. Petrucci, and P. Schnoebelen. Systems and
Software Verification. Model-Checking Techniques and Tools. Springer-Verlag, 2001.
[22] J. Sifakis and S. Yovine. Compositional specification of timed systems. In 13th Annual Symp. on Theoretical
Aspects of Computer Science, STACS’96, volume 1046 of LNCS, pages 347–359, 1996. Invited paper.
[23] K. G. Larsen, P. Pettersson, and W. Yi. Compositional and Symbolic Model-Checking of Real-Time Sys-
tems. In Proc. of the 16th IEEE Real-Time Systems Symposium, pages 76–87. IEEE Computer Society Press,
December 1995.
[24] P. Bouyer, C. Dufourd, E. Fleury, and A. Petit. Are timed automata updatable ? In Proc. 12th Int. Conf. Com-
puter Aided Verification (CAV’2000), Chicago, IL, USA, July 2000, volume 1855, pages 464–479. Springer,
2000.
[25] A. Arnold. Finite transition systems. Prentice-Hall, Masson, 1994.
[26] S. Bornot and J. Sifakis. On the composition of hybrid systems. In HSCC, pages 49–63, 1998.
[27] S. Bornot, G. Goessler, and J. Sifakis. On the construction of live timed systems. In Tools and Algorithms
for Construction and Analysis of Systems, pages 109–126, 2000.
[28] S. Bornot, J. Sifakis, and S. Tripakis. Modeling urgency in timed systems. Lecture Notes in Computer
Science, 1536:103–129, 1998.
[29] S. Bornot and J. Sifakis. An algebraic framework for urgency. Information and Computation, 163(1):172–
202, 2000.
[30] J. Sifakis and S. Yovine. Compositional specification of timed systems (extended abstract). In Symposium
on Theoretical Aspects of Computer Science, pages 347–359, 1996.
[31] C. Daws, A. Olivero, S. Tripakis, and S. Yovine. The tool KRONOS. In Hybrid Systems III: Verification and
Control, volume 1066, pages 208–219, Rutgers University, New Brunswick, NJ, USA, 22–25 October 1995.
Springer.
[32] C. Pagetti. Extension temporisée du langage AltaRica. PhD thesis, Ecole Centrale de Nantes et Université
de Nantes, April 2004.
A. Appendices
A.1. Proof of Theorem 3.1
Theorem A.1. Two TITS A1 and A2 are timed bisimilar if and only if there exists a TITS B and two
timed interfaced bisimulation homomorphisms h1 : A1 → B and h2 : A2 → B.
Proof:
If part. Assume there exist two homomorphisms h1 : A1 ⟶ B and h2 : A2 ⟶ B and denote
B = 〈Et, Ft, St, π, T〉. Define the relation R ⊆ S1t × S2t by: R(s, s′) ⟺ h1(s) = h2(s′). We show
that R is a timed interfaced bisimulation by proving it satisfies the four points of Def. 3.2.
1. Let q1 ∈ S1t and s = h1(q1) ∈ St. Since h2 is surjective there exists q2 ∈ S2t s.t. h2(q2) = s =
h1(q1).
2. Let (q1, q2) ∈ R. Then h1(q1) = h2(q2). By item 2 of Def. 3.3 it follows that π1(q1) =
π(h1(q1)) = π(h2(q2)) = π2(q2).
3. Let (q1, g, e, q′1, g′1) ∈ T1. By item 3 of Def. 3.3 there exists g′ ∈ s.t. (h1(q1), g, e, h1(q′1), g′) ∈ T.
Let q2 ∈ S2t s.t. (q1, q2) ∈ R. Then h2(q2) = h1(q1) and by item 4 of Def. 3.3 we have i) there
exists q′2 ∈ S2t s.t. h2(q′2) = h1(q′1) i.e. (q′1, q′2) ∈ R and ii) there exists g′2 ∈ π2(q′2) s.t.
(q2, g, e, q′2, g′2) ∈ T2. As the two TITS A1 and A2 play a symmetric role we obtain both items 3
and 4 of Def. 3.2.
Only if part. The idea is as follows: there is a largest bisimulation ≡1 for A1 and ≡2 for A2 and those
two largest bisimulations give two transition systems A1/≡1 and A2/≡2 that are isomorphic. Moreover
each bisimulation ≡i can be made a function and we can build two homomorphisms from these functions.
The scheme is depicted in Fig. 12.
[Figure residue: commutative diagram with A1 and A2 related by R, h1 : A1 → A1/≡1, h2 : A2 → A2/≡2 and φ : A1/≡1 → A2/≡2.]
Figure 12. Building a Timed Bisimulation Homomorphism
Let V ⊆ X1 × X2 and U ⊆ X2 × X3 be two binary relations. We denote by V.U ⊆ X1 × X3 the
relation s.t. (q, q′) ∈ (V.U) ⟺ ∃q2 ∈ X2 s.t. (q, q2) ∈ V and (q2, q′) ∈ U. For a binary relation
L ⊆ X × X denote L⁻¹ = {(q, q′) | (q′, q) ∈ L} and L* = ⋃_{n∈N} Lⁿ with L⁰ = Id and L^{i+1} = L.Lⁱ.
Note that (L.L⁻¹)* is an equivalence relation.
Assume A1 and A2 are timed bisimilar and denote by R a bisimulation relation on S1t × S2t.
The relations ≡1 ≝ (R.R⁻¹)* ⊆ S1t × S1t and ≡2 ≝ (R⁻¹.R)* ⊆ S2t × S2t are both equivalence
relations. We define the quotients A1/≡1 and A2/≡2 and the functions hi : Ai ⟶ Ai/≡i by: hi(s) = [s]
([s] denotes the equivalence class of s). It is easy to see that hi is a timed bisimulation homomorphism.
Also define the mapping φ by:
φ : A1/≡1 ⟶ A2/≡2
[s] ⟼ [s′] ⟺ (s, s′) ∈ R
φ is a (timed bisimulation) isomorphism. Now let h′1 = φ ∘ h1. h′1 is a timed bisimulation homomorphism
(composition of an isomorphism and a homomorphism). This completes the proof.
□
A.2. Proof of Theorem 3.2
Theorem A.2. (Priority and Timed Bisimulation)
Let A1 = 〈Et, Ft, S1t, π1, T1〉 and A2 = 〈Et, Ft, S2t, π2, T2〉 be two TITS and < a timed priority
relation over E. If h : A1 ⟶ A2 is a timed bisimulation homomorphism then h : A1↾< ⟶ A2↾< is
also a timed bisimulation homomorphism.
Proof:
Let h : A1 ⟶ A2 be a timed bisimulation homomorphism. We show that h is also a timed bisimulation
homomorphism from A1↾< onto A2↾<.
For points 1 and 2 of Def. 3.3 just notice that < only restricts the transition relation and does not
involve the set of states and the mappings πi, i = 1, 2.
Now for point 3, let (q1, g, e, q′1, g′) ∈ T1↾<, then (h(q1), g, e, h(q′1), g′) ∈ T2. Assume that
(h(q1), g, e, h(q′1), g′) ∉ T2↾<, then according to Def. 3.6 there are two possibilities:
1. either e = t ∈ T and ∃e′ >_0 time, t′ < t, (h(q1), g, t′, q′′2, g′′) ∈ T2 ∧ (q′′2, g′′, e′, q′′′2, g′′′) ∈ T2.
Since h is a homomorphism and (h(q1), g, t′, q′′2, g′′) and (q′′2, g′′, e′, q′′′2, g′′′) are in T2, there
exist q′′1, q′′′1 ∈ S1t s.t. h(q′′1) = q′′2, h(q′′′1) = q′′′2 ∧ (q1, g, t′, q′′1, g′′) and (q′′1, g′′, e′, q′′′1, g′′′) are in
T1. Hence (q1, g, e, q′1, g′) cannot be in T1↾< which contradicts the first assumption.
2. otherwise e ∈ E+ and ∃e′ | e <_k e′ and ∃t ≤ k | (h(q1), g, t, q′′2, g′′) ∈ T2 and (q′′2, g′′, e′, q′′′2, g′′′) ∈
T2. Since h is a homomorphism and (h(q1), g, t, q′′2, g′′) and (q′′2, g′′, e′, q′′′2, g′′′) are in T2, there
exist q′′1, q′′′1 ∈ S1t | h(q′′1) = q′′2, h(q′′′1) = q′′′2 and (q1, g, t, q′′1, g′′) and (q′′1, g′′, e′, q′′′1, g′′′) are in
T1. This contradicts again the fact that (q1, g, e, q′1, g′) ∈ T1↾<. This ends the proof of point 3.
Now let q1 ∈ S1t, q′2 ∈ S2t such that (h(q1), g, e, q′2, g′) ∈ T2↾<. Then ∃q′1 ∈ S1t | h(q′1) = q′2 and
(q1, g, e, q′1, g′) ∈ T1. Again assume that for all q′1 s.t. h(q′1) = q′2, we have (q1, g, e, q′1, g′) ∉ T1↾<:
1. if e ∈ T, this means that ∃t1 < t, (q1, g, t1, q′′1, g′′) ∈ T1 and ∃e′ >_0 time that is firable from
(q′′1, g′′). Then from item 4 of the definition of homomorphism we get (h(q1), g, t1, h(q′′1), g′′) ∈ T2 ∧
(h(q′′1), g′′, e′, q′′′2, g′′′) ∈ T2 and it contradicts (h(q1), g, e, q′2, g′) ∈ T2↾<.
2. Otherwise e ∈ E+ and there exist e′ ∈ E+ and t ≤ k s.t. e <_k e′, (q1, g, t, q′′1, g′′) ∈ T1 and
(q′′1, g′′, e′, q′′′1, g′′′) ∈ T1. It follows that (h(q1), g, t, h(q′′1), g′′), (h(q′′1), g′′, e′, h(q′′′1), g′′′) ∈ T2
which again contradicts the hypothesis (h(q1), g, e, q′2, g′) ∈ T2↾<. This ends the proof of point 4 and
of the theorem.
□
A.3. Proof of Theorem 3.3
Theorem A.3. Let N = 〈VF, CF, E, <, N0, ···, Nn, (Ṽ, <_Ṽ)〉 and N′ = 〈VF, CF, E, <, N′0, ···, N′n, (Ṽ, <_Ṽ)〉
be two timed nodes such that ∀i ∈ [0..n] there is a timed homomorphism hi from ⟦Ni⟧ to ⟦N′i⟧.
Then there exists a timed homomorphism h from ⟦N⟧ to ⟦N′⟧.
Proof:
Let JNiK = 〈Et, Fit , Sit , pii, Ti〉 and JN ′i K = 〈Et, Fit , S′it , pi
′
i, T
′
i 〉 be the TITS that give the semantics of
the timed nodes. First we assume < is the empty relation.
Define h by:
h : St −→ S
′
t
q = (q0, . . . , qn) 7−→ h(q) = (h0(q0), . . . , hn(qn))
We prove that h is timed bisimulation homomorphism from N to N ′.
1. h is obviously surjective,
2. assume m = |CF | and f = (f, µ). For pi(q) we get:
pi(q) = {f ∈ DVF × Rm | ∀i ∈ [1, n], ∃ηi ∈ pii(qi) | (f, η1, . . . , ηn) ∈ pi0(q0)}
= {f ∈ DVF × Rm | ∀i ∈ [1, n], ∃ηi ∈ pi
′
i(hi(qi)) | (f, η1, . . . , ηn) ∈ pi
′
0(h0(q0))}
= pi(h(q))
3. if $(q, g, e, q_1, g') \in T$, since $<$ is the empty relation and by definition of $T$ (see Def. 3.10) it follows that $(h(q), g, e, h(q_1), g') \in T'$,
4. let $q = (q_0, q_1, \ldots, q_n) \in S_t$ and $q' = (q'_0, q'_1, \ldots, q'_n) \in S'_t$ s.t. $(h(q), g, e, q', g') \in T'$. Assume $e = (e_0, \ldots, e_n)$. Then by definition of $T'$ (Def. 3.10) we have:
$$\begin{aligned}
&\exists f_0 = (g, f_1, \ldots, f_n) \in \pi'_0(h_0(q_0))\\
&\exists f'_0 = (g', f'_1, \ldots, f'_n) \in \pi'_0(q'_0)\\
&\text{s.t. } \forall i \in [0, n]\quad (h_i(q_i), f_i, e_i, q'_i, f'_i) \in T'_i
\end{aligned}$$
As each $h_i$ is a homomorphism we get: $\exists q''_i \in S_{i_t}$ s.t. $h_i(q''_i) = q'_i$ and $f'_i \in \pi_i(q''_i)$ and $(q_i, f_i, e_i, q''_i, f'_i) \in T_i$. This means:
$$\begin{aligned}
&\exists f_0 = (g, f_1, \ldots, f_n) \in \pi_0(q_0)\\
&\exists f'_0 = (g', f'_1, \ldots, f'_n) \in \pi_0(q''_0)\\
&\text{s.t. } \forall i \in [0, n]\quad (q_i, f_i, e_i, q''_i, f'_i) \in T_i
\end{aligned}$$
Take $q'' = (q''_0, \ldots, q''_n)$. We have $h(q'') = q'$ and $\exists f'_0 \in \pi(q'')$ s.t. $(q, g, e, q'', g') \in T$.
Now assume $<$ is not the empty relation. Let $\mathcal{N}_\emptyset = \langle V_F, C_F, E, \emptyset, \mathcal{N}_0, \cdots, \mathcal{N}_n, (\tilde V, <_{\tilde V})\rangle$ and $\mathcal{N}'_\emptyset = \langle V_F, C_F, E, \emptyset, \mathcal{N}'_0, \cdots, \mathcal{N}'_n, (\tilde V, <_{\tilde V})\rangle$. With the previous proof in the case of an empty priority relation we get that there exists a homomorphism $h$ from $\mathcal{N}_\emptyset$ to $\mathcal{N}'_\emptyset$. Applying Theorem 3.2 we obtain that $h$ is also a homomorphism from $\mathcal{N}$ to $\mathcal{N}'$. This completes the proof.
□
A.4. Proof of Theorem 3.4
Theorem A.4. Let $\mathcal{N}$ be a timed node. Then $\mathcal{N}$ can be rewritten into a timed component $C_{\mathcal{N}}$ such that $\llbracket \mathcal{N} \rrbracket$ and $\llbracket C_{\mathcal{N}} \rrbracket$ are timed bisimilar.
Proof:
We prove Theorem 3.4 by induction. Let $\mathcal{N} = \langle V_F \cup C_F, E, <, \mathcal{N}_0, \cdots, \mathcal{N}_n, (\tilde V, <_{\tilde V})\rangle$ and $\llbracket \mathcal{N} \rrbracket = \langle E_t, F_t, S_t, \pi, T\rangle$. Let $C_{\mathcal{N}} = \langle V_S \cup C_S, V_F \cup C_F, E, A, M, \emptyset\rangle$ as given by Definition 3.4, and $\llbracket C_{\mathcal{N}} \rrbracket = \langle E_t, F_t, S'_t, \pi', T'\rangle$.
Base Step. For the base step assume all the $\mathcal{N}_i$ are timed components: $\mathcal{N}_i = \langle V_{S_i} \cup C_{S_i}, V_{F_i} \cup C_{F_i}, E_i, A_i, M_i, \emptyset\rangle$ (note the priority relation is empty as we can use the syntactical encoding of timed priorities defined in Section 3.7) and $\llbracket \mathcal{N}_i \rrbracket = \langle E_{i_t}, F_{i_t}, S_{i_t}, \pi_i, T_i\rangle$.
We prove that $\mathcal{N}$ and $C_{\mathcal{N}}$ are timed bisimilar. Take equality as a candidate bisimulation relation.
1. checking that equality is a total relation on $S_t \times S'_t$ amounts to checking that $\forall q \in S_t$, $\pi(q) = \pi'(q)$, and this is done in the second point,
2. let $q = (q_0, q_1, \cdots, q_n)$ and $\mathbf{f} = (f, \mu)$;
$$\begin{aligned}
\pi(q) &= \{\mathbf{f} \in D_{V_F} \times \mathbb{R}^m \mid \forall i \in [1..n],\ \exists \eta_i \mid \eta_i \in \pi_i(q_i) \wedge (\mathbf{f}, \eta_1, \cdots, \eta_n) \in \pi_0(q_0)\}\\
&= \{\mathbf{f} \in D_{V_F} \times \mathbb{R}^m \mid \forall i \in [1..n],\ \exists \eta_i \mid (q_i, \eta_i) \in \llbracket A_i \rrbracket \wedge (q, \mathbf{f}, \eta_1, \cdots, \eta_n) \in \llbracket A_0 \rrbracket\}\\
&= \{\mathbf{f} \in D_{V_F} \times \mathbb{R}^m \mid \forall i \in [1..n],\ \exists \eta_i \mid (q, \mathbf{f}, \eta_1, \cdots, \eta_n) \in \llbracket \textstyle\bigwedge_{i=0..n} A_i \rrbracket\}\\
&= \{\mathbf{f} \in D_{V_F} \times \mathbb{R}^m \mid \forall i \in [1..n],\ \exists \eta_i \mid (q, \mathbf{f}) \in \llbracket \exists_{i=1..n}(V_{F_i} \cup C_{F_i}).\ \textstyle\bigwedge_{i=0..n} A_i \rrbracket\}\\
&= \{\mathbf{f} \in D_{V_F} \times \mathbb{R}^m \mid \forall i \in [1..n],\ \exists \eta_i \mid (q, \mathbf{f}) \in \llbracket A \rrbracket\}\\
&= \pi'(q)
\end{aligned}$$
3. let $\langle (q_0, q_1, \cdots, q_n), \mathbf{f}, e, (q'_0, q'_1, \cdots, q'_n), \mathbf{f}'\rangle \in T$. We denote $q = (q_0, q_1, \cdots, q_n)$ and $q' = (q'_0, q'_1, \cdots, q'_n)$. Note that $T_i = \llbracket M_i \rrbracket$ as for all $\mathcal{N}_i$ the priority relation is empty.
• if $e = (e_0, e_1, \cdots, e_n)$ with $e_i \notin \mathbb{T}$ then by Def. 3.10:
$$\begin{aligned}
&\exists f_0 = (\mathbf{f}, f_1, \cdots, f_n) \in \pi_0(q_0)\\
&\exists f'_0 = (\mathbf{f}', f'_1, \cdots, f'_n) \in \pi_0(q'_0)\\
&\text{such that } \forall i \in [0..n],\ (q_i, f_i, e_i, q'_i, f'_i) \in \llbracket M_i \rrbracket
\end{aligned}$$
This entails that $(q, \mathbf{f}) \in \llbracket A \rrbracket$. Also by Def. 3.8, $\forall i \in [0..n]$ there exists a transition $((g_i, \gamma_i), e_i, (a_i, R_i)) \in M_i$ s.t. $(q_i, f_i) \in \llbracket A_i \wedge g_i \wedge \gamma_i \rrbracket$ and $q'_i = (a_i, R_i)(q_i, f_i)$ and $(q'_i, f'_i) \in \llbracket A_i \rrbracket$. This implies that $(q', \mathbf{f}') \in \llbracket A \rrbracket$. It remains to find a transition in $M$ s.t. the transition from $(q, \mathbf{f})$ to $(q', \mathbf{f}')$ is fireable in $C_{\mathcal{N}}$. Take $((g, \gamma), e, (a, R))$ in $C_{\mathcal{N}}$ given by $g = (\exists_{i=1..n} V_{F_i}).\, g_0 \wedge \cdots \wedge g_n$, $\gamma = (\exists_{i=1..n} C_{F_i}).\, \gamma_0 \wedge \cdots \wedge \gamma_n$, and $a(x) = a_i(x)$ for $x \in V_S \cap V'_{S_i}$ and $R(c) = R_i(c)$ for $c \in C_S \cap C'_{S_i}$. As $\forall i \in [0..n]$ $(q_i, f_i) \in \llbracket A_i \wedge g_i \wedge \gamma_i \rrbracket$ we have
$$(q, \mathbf{f}) \in \llbracket (\exists_{i=1..n} V_{F_i}).\, g_0 \wedge \cdots \wedge g_n \ \wedge\ (\exists_{i=1..n} C_{F_i}).\, \gamma_0 \wedge \cdots \wedge \gamma_n \rrbracket$$
and as $(q, \mathbf{f}) \in \llbracket A \rrbracket$ we get $(q, \mathbf{f}) \in \llbracket A \wedge g \wedge \gamma \rrbracket$. As we already mentioned, $(q', \mathbf{f}') \in \llbracket A \rrbracket$. Moreover $(q', \mathbf{f}') = (a, R)(q, \mathbf{f})$ and by Def. 3.8 this means that $\langle (q_0, q_1, \cdots, q_n), \mathbf{f}, e, (q'_0, q'_1, \cdots, q'_n), \mathbf{f}'\rangle \in T'$. The converse is straightforward and we finally have $\langle (q, \mathbf{f}), e, (q', \mathbf{f}')\rangle \in T \iff \langle (q, \mathbf{f}), e, (q', \mathbf{f}')\rangle \in T'$ for $e = (e_0, e_1, \cdots, e_n)$ with $e_i \notin \mathbb{T}$.
• if $e = (\delta, \delta, \cdots, \delta)$ with $\delta \in \mathbb{T}$ we have to ensure that all along the way from $q$ to $q'$ the time constraint (invariant) holds. This is straightforward by pointing out that if $((q, \mathbf{f}), \delta, (q', \mathbf{f}')) \in T$ then $\forall \delta' \le \delta$ we have $((q, \mathbf{f}), \delta', (q'', \mathbf{f}'')) \in T$ for some $(q'', \mathbf{f}'')$. Then using Def. 3.8 we easily get the result that $\langle (q_0, q_1, \cdots, q_n), \mathbf{f}, \delta, (q'_0, q'_1, \cdots, q'_n), \mathbf{f}'\rangle \in T'$. Again the converse holds and we end up with $T = T'$.
Induction Step. Let $\mathcal{N} = \langle V_F \cup C_F, E, <, \mathcal{N}_0, \cdots, \mathcal{N}_n, (\tilde V, <_{\tilde V})\rangle$ and assume all the $\mathcal{N}_i$ can be rewritten into timed components $C_{\mathcal{N}_i}$ s.t. $\mathcal{N}_i$ and $C_{\mathcal{N}_i}$ are timed bisimilar. Let $\mathcal{N}' = \langle V_F \cup C_F, E, <, C_{\mathcal{N}_0}, \cdots, C_{\mathcal{N}_n}, (\tilde V, <_{\tilde V})\rangle$. Then using the base step proof we conclude that there exists a timed component $C_{\mathcal{N}'}$ that is bisimilar to $\mathcal{N}'$. By Theorem 3.3 we also have that $\mathcal{N}'$ and $\mathcal{N}$ are timed bisimilar and hence $C_{\mathcal{N}'}$ and $\mathcal{N}$ are timed bisimilar.
This completes the proof.
□
A.5. Proof of Theorem 3.5
Theorem A.5. Let $\mathcal{T} = (V_S, C_S, V_F, C_F, E, A, M, <)$ be a timed component where $>$ consists of one element: $e_u > \mathit{time}$ ($e_u$ is urgent). Assume there is one urgent transition $t_u = ((g_u, \gamma_u), e_u, (a_u, R_u))$ and $\gamma_u$ is not sharp. Define the timed component $\mathcal{T}_u = (V_S, C_S, V_F, C_F, E, A \wedge \varphi_u, M, \emptyset)$ with
$$\varphi_u \overset{\text{def}}{=} g_u \implies \big( (\gamma_u \wedge \neg(\gamma_u{\uparrow})) \implies Y = 0 \big) \qquad (7)$$
Assume the flow variable $Y$ is reset on each discrete transition and evolves at rate 1 on delay transitions. Then $\llbracket \mathcal{T} \rrbracket$ and $\llbracket \mathcal{T}_u \rrbracket$ are timed bisimilar.
Proof:
First note that as $\gamma_u$ is not sharp, $\llbracket \gamma_u \wedge \neg(\gamma_u{\uparrow}) \rrbracket \ne \emptyset$. Indeed for all $\varepsilon > 0$ the set $W_\varepsilon = \{\nu + \varepsilon' \mid \nu \in \llbracket \gamma_u{\uparrow} \rrbracket \text{ and } \varepsilon' \le \varepsilon\}$ is included in $\neg(\gamma_u{\uparrow})$. Hence if $\llbracket \gamma_u \wedge \neg(\gamma_u{\uparrow}) \rrbracket = \emptyset$ it must be the case that for all $\varepsilon > 0$ the set $W_\varepsilon \cap \llbracket \gamma_u \rrbracket$ is empty, which contradicts the fact that $\gamma_u$ is not sharp.
Second, $\gamma_u \wedge \neg(\gamma_u{\uparrow})$ is past-open, i.e. if $\nu \in \llbracket \gamma_u \wedge \neg(\gamma_u{\uparrow}) \rrbracket$ then there is $\varepsilon > 0$ such that $\forall \varepsilon' \le \varepsilon$ we have $\nu - \varepsilon' \in \llbracket \gamma_u \wedge \neg(\gamma_u{\uparrow}) \rrbracket$. This follows from the constraint that the guard of an urgent transition has a first instant at which it becomes true.
Again we assume $Y$ is not part of the configuration of the system and that it is a global variable updated by an oracle. This enables us to use our notion of timed bisimilarity (Def. 3.2). Otherwise we would have to define timed bisimilarity for timed components with different sets of (clock) flows.
$\llbracket M \rrbracket{\upharpoonright}_<$ is the transition relation of $\llbracket \mathcal{T} \rrbracket$ and we denote by $\llbracket M_u \rrbracket$ the transition relation of $\mathcal{T}_u$.
First part: $\llbracket M \rrbracket{\upharpoonright}_< \subseteq \llbracket M_u \rrbracket$. Remark that discrete transitions are unchanged and we only need to prove that each delay transition in $\llbracket M \rrbracket{\upharpoonright}_<$ is a transition in $\llbracket M_u \rrbracket$.
Assume $((s, \nu), (f, \mu), \delta, (s, \nu'), (f, \mu')) \in \llbracket M \rrbracket{\upharpoonright}_<$ with $\delta > 0$. By Def. 3.8, item 4.(c), it implies that i) $((s, \nu), (f, \mu), \delta, (s, \nu'), (f, \mu')) \in \llbracket M \rrbracket$ and by Def. 3.6 that ii) $\forall t' < t$ s.t. $((s, \nu), (f, \mu), t', (s, \nu + t'), (f, \mu + t')) \in \llbracket M \rrbracket$, if $((s, \nu + t'), (f, \mu + t'), e, q', g') \in \llbracket M \rrbracket$ then $e \not> \mathit{time}$. By i) we know that $\forall \delta' \le \delta$ if $((s, \nu), (f, \mu), \delta', q', g') \in \llbracket M \rrbracket$ then $(q', g') \in \llbracket A \rrbracket$. Now if $(s, f) \in \llbracket g_u \rrbracket$ we need to prove that $(\nu', \mu') \in \varphi_u$. $\delta > 0$ implies $Y > 0$. Hence $(\gamma_u \wedge \neg(\gamma_u{\uparrow}))$ must be false at $(s, \nu'), (f, \mu')$. Assume it is true at $(s, \nu'), (f, \mu')$. Then as $(\gamma_u \wedge \neg(\gamma_u{\uparrow}))$ is past-open there must be $\varepsilon > 0$ s.t. $\forall \varepsilon' \le \varepsilon$, $((s, \nu' - \varepsilon'), (f, \mu' - \varepsilon')) \in \llbracket \gamma_u \wedge \neg(\gamma_u{\uparrow}) \rrbracket$. This contradicts ii). Thus $(\gamma_u \wedge \neg(\gamma_u{\uparrow}))$ is not satisfied for any $\delta' \le \delta$ and $A \wedge \varphi_u$ holds all along the delay transition $((s, \nu), (f, \mu), \delta, (s, \nu'), (f, \mu'))$, which implies this transition is in $\llbracket M_u \rrbracket$.
Second part: $\llbracket M_u \rrbracket \subseteq \llbracket M \rrbracket{\upharpoonright}_<$. Assume $((s, \nu), (f, \mu), \delta, (s, \nu'), (f, \mu')) \in \llbracket M_u \rrbracket$ and $\delta > 0$. By Def. 3.8 this means that all along the path from $(s, \nu), (f, \mu)$ to $(s, \nu'), (f, \mu')$ the assertion $A \wedge \varphi_u$ holds. In case $(s, f) \notin \llbracket g_u \rrbracket$ clearly the transition is in $\llbracket M \rrbracket{\upharpoonright}_<$. If $(s, f) \in \llbracket g_u \rrbracket$ then $(\gamma_u \wedge \neg(\gamma_u{\uparrow})) \implies Y = 0$ must hold all along the way. Again as $Y > 0$ (because $\delta > 0$) it must be the case that $(\gamma_u \wedge \neg(\gamma_u{\uparrow}))$ is false for all $0 < t' \le \delta$, i.e. $\neg\gamma_u \vee \gamma_u{\uparrow}$ holds. Either $\forall\, 0 < t' < \delta$, $\gamma_u$ is false, and in this case no urgent transition can be fired on the way from $(s, \nu), (f, \mu)$ to $(s, \nu'), (f, \mu')$ and $((s, \nu), (f, \mu), \delta, (s, \nu'), (f, \mu')) \in \llbracket M \rrbracket{\upharpoonright}_<$. Or $\gamma_u$ holds for some $0 < t'' < t$. Then $\gamma_u{\uparrow}$ must hold at $t''$. By the fact that $\gamma_u \wedge \gamma_u{\uparrow}$ is not single we know that there is $t'' < t''' < t$ s.t. $\gamma_u$ holds at $t'''$ as well as $\neg(\gamma_u{\uparrow})$. Hence $Y$ must be equal to zero at $t'''$, which cannot be the case. Hence there cannot be any $t'' < \delta$ s.t. $t_u$ is fireable and again $((s, \nu), (f, \mu), \delta, (s, \nu'), (f, \mu')) \in \llbracket M \rrbracket{\upharpoonright}_<$.
This completes the proof.
□
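A worked instance of the encoding (7), added here as an illustration and not taken from the paper; it assumes a single clock $x$, reads $\gamma_u{\uparrow}$ as the constraint that holds exactly at the first instant $\gamma_u$ becomes true along a delay, and reads a sharp guard as one satisfied at a single instant only.

$$\begin{aligned}
&\textbf{Non-sharp guard.}\quad \gamma_u \equiv x \ge 2,\qquad \gamma_u{\uparrow} \equiv x = 2,\qquad \gamma_u \wedge \neg(\gamma_u{\uparrow}) \equiv x > 2,\\
&\qquad \varphi_u \;=\; g_u \implies (x > 2 \implies Y = 0).\\
&\text{Take } \nu(x) = 2,\ (s, f) \in \llbracket g_u \rrbracket,\ Y = 0.\ \text{A delay } \delta > 0 \text{ reaches } \nu'(x) = 2 + \delta > 2 \text{ with } Y = \delta > 0,\\
&\text{so } A \wedge \varphi_u \text{ fails at } (s, \nu') \text{ and the delay is not in } \llbracket M_u \rrbracket:\ \text{only } e_u \text{ can fire, exactly as in } \llbracket M \rrbracket{\upharpoonright}_<.\\
&\text{If } (s, f) \notin \llbracket g_u \rrbracket, \text{ or } \nu(x) < 2 \text{ and } \delta \le 2 - \nu(x), \text{ then } x > 2 \text{ never holds on the way,}\\
&\varphi_u \text{ is satisfied throughout, and the delay belongs to both relations.}\\[4pt]
&\textbf{Sharp guard (excluded by the theorem).}\quad \gamma_u \equiv x = 2,\qquad \gamma_u{\uparrow} \equiv x = 2,\\
&\qquad \gamma_u \wedge \neg(\gamma_u{\uparrow}) \equiv \mathit{ff},\qquad \varphi_u \equiv \mathit{tt},\\
&\text{so } \llbracket M_u \rrbracket \text{ still admits a delay from } \nu(x) = 2 \text{ past the only instant at which } e_u \text{ is enabled,}\\
&\text{whereas } \llbracket M \rrbracket{\upharpoonright}_< \text{ forbids it: the two relations differ, which is why } \gamma_u \text{ must not be sharp.}
\end{aligned}$$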
A.6. Proof of Theorem 4.1
Theorem A.6. Let $\mathcal{T} = \langle V_S \cup C_S, V_F \cup C_F, E, A, M, \emptyset\rangle$ be a timed component with $V_F = C_F = \emptyset$. Then $\llbracket \mathcal{T} \rrbracket$ and $\llbracket \mathcal{A}(\mathcal{T}) \rrbracket$ are timed bisimilar.
Note that we have shifted the clock flows into the state variables of the component and we allow only flows that are clock-definable.
Proof:
We denote $\llbracket \mathcal{T} \rrbracket = \langle E_t, F_t, S_t, \pi, T\rangle$ with $F_t = \{\mathit{tt}\}$ ($F_t$ cannot be empty because of the definition of TITS) and $\pi$ is constant and equal to $\pi(q) = \mathit{tt}$. $\mathcal{A}(\mathcal{T}) = (L, L_0, E, X, I, T)$ and the semantics of $\mathcal{A}(\mathcal{T})$ is a TTS (see Section 3.1) $(Q, E, \to)$. Thus it is also a TITS $\langle E'_t, F'_t, S'_t, \pi', T'\rangle$ of dimension $(|X|, 0)$, with $E'_t = E \cup \mathbb{R}_{\ge 0}$, $F'_t = \{\mathit{tt}\}$, $S'_t = \{(l, \nu) \mid \nu \in \llbracket \mathit{inv}(l) \rrbracket\}$, $\pi'(q) = \mathit{tt}$ (always non-empty) and $T'$ is given by $\to$. We omit $f$ in configurations like $(s, f)$ as it always amounts to $(s, \mathit{tt})$. Now we prove that $\llbracket \mathcal{T} \rrbracket$ and $\llbracket \mathcal{A}(\mathcal{T}) \rrbracket$ are timed bisimilar: as a candidate for a timed bisimulation relation we take equality of the states.
1. Let $q = (s, \nu) \in S_t$. We apply Def. 3.8:
$$\begin{aligned}
(s, \nu) \in S_t &\iff (s, \nu) \in \llbracket A_{V_{\mathcal{T}}} \wedge A_{C_{\mathcal{T}}} \rrbracket\\
&\iff s \in \llbracket A_{V_{\mathcal{T}}} \rrbracket \wedge (s, \nu) \in \llbracket A_{C_{\mathcal{T}}} \rrbracket\\
&\iff s \in l^L_G,\ G \uplus L = [1..p]\ (\text{the } l^L_G \text{ form a partition of } A_{V_{\mathcal{T}}})\ \text{and } \nu \in \llbracket \textstyle\bigcap_{k \in G} I_k \rrbracket\\
&\iff s \in l^L_G \wedge \nu \in \llbracket \mathit{Inv}(l^L_G) \rrbracket\\
&\iff (s, \nu) \in S'_t
\end{aligned}$$
2. $\pi$ and $\pi'$ are constant and equal to $\mathit{tt}$, so they agree for each state,
3. let $(s, \nu) \in S_t$. Then $(s, \nu) \in S'_t$ by item 1 above. Assume $((s, \nu), e, (s_1, \nu_1)) \in T$ with $e \in E^+$. We have to prove that $((s, \nu), e, (s_1, \nu_1)) \in T'$. As $((s, \nu), e, (s_1, \nu_1)) \in T$ there is a transition $t = ((g, \gamma), e, (a, R)) \in M$ such that i) $(s, \nu) \in \llbracket A \wedge g \wedge \gamma \rrbracket$, ii) $s_1 = a(s)$ and iii) $\nu_1 = R(\nu)$. This implies that in $\mathcal{A}(\mathcal{T})$ there is a transition of the form $(l^L_G,\ g \wedge \mathit{Pre}_t(l^{L_1}_{G_1}) \wedge \gamma,\ e,\ (a, R),\ l^{L_1}_{G_1})$. By iii) we get that $(s, \nu) \in \llbracket \mathit{Pre}_t(l^{L_1}_{G_1}) \rrbracket$. By i) $(s, \nu)$ satisfies $g \wedge \gamma \wedge l^L_G$. So in the semantics of $\mathcal{A}(\mathcal{T})$ a transition of the form $((s, \nu), e, (s', \nu'))$ can be taken. As we use $(a, R)$ to update the values of the state variables and $(a, R)$ is deterministic we obtain $(s', \nu') = (s_1, \nu_1)$. Now assume $((s, \nu), \delta, (s_1, \nu_1)) \in T$ with $\delta \in \mathbb{R}_{\ge 0}$. By definition $(s, \nu) \in \llbracket A \rrbracket$ and $(s_1, \nu_1) \in \llbracket A \rrbracket$, and as we have time determinism for the flow variables, $\forall\, 0 \le \delta' \le \delta$, $(s, \nu + \delta') \in I(s)$ with $I(s) = \bigcap_{k \mid s \in P_k} I_k$. $s \in l^L_G$ for some $G \uplus L = [1..p]$ and the invariant for $l^L_G$ is $\mathit{Inv}(l^L_G) = \bigcap_{k \in G} I_k$. $\mathit{Inv}(l^L_G)$ and $I(s)$ coincide and thus $((s, \nu), \delta, (s_1, \nu_1)) \in T'$.
4. the converse of item 3 above is straightforward and is proved exactly as item 3.
This completes the proof. □
