Abstract. PLC-Automata are a class of real-time automata suitable to describe the behaviour of polling real-time systems. PLC-Automata can be compiled to source code for PLCs, hardware widely used in industry to control processes. PLC-Automata have also been equipped with a logical and an operational semantics, using Duration Calculus (DC) and Timed Automata (TA), respectively. The three main results of this paper are: (1) a simplified operational semantics; (2) a minor extension of the logical semantics, and a proof that this semantics is complete relative to our operational semantics, meaning that if an observable satisfies all formulas of the DC semantics, then it can also be generated by the TA semantics; (3) a proof that the logical semantics is sound relative to our operational semantics, meaning that each observable that is accepted by the TA semantics constitutes a model for all formulas of the DC semantics.
Introduction
Programmable Logic Controllers (PLCs) are widely used in industry to control real-time embedded applications such as railway crossings, elevators, and production lines. PLCs are hardware devices that operate according to the simple but powerful architectural model of polling real-time systems. A polling real-time system behaves in cycles that can be split into three parts: the input values are polled, a new local state and output values are computed from the inputs and the old local state, and finally the new output values are written to the output ports. Depending for instance on the length of the computation, the duration of a cycle may vary, but some upper bound ε on the cycle time is assumed to be available.
In this paper we study the operational and denotational semantics of polling real-time systems, i.e., the relationships between the input and output signals of such systems that are induced when a program is executed in real time. Our work builds on recent work within the UniForM project [12] on PLC-Automata [6-9]. PLC-Automata, basically an extension of classical Moore machines [11], can be viewed as a simple programming language for PLCs. In [6], a compilation scheme is given that generates runnable PLC code for any given PLC-Automaton. Moreover, a logical (denotational) and an operational semantics of PLC-Automata are presented employing Duration Calculus (DC) [19, 18] and Timed Automata (TA) [2], respectively. However, in [6] the relationships between these semantics are not further investigated.
The three main results established in this paper are:
1. A simplified operational semantics for PLC-Automata based on Timed Automata.
2. A minor extension of the logical semantics with some additional formulae, and a proof that this (restricted) semantics is complete relative to our operational semantics. This means that if an observable satisfies all formulae of the DC semantics, then it can also be generated by the TA semantics.
3. A proof that the logical semantics is sound relative to our operational semantics. This means that each observable that is accepted by the TA semantics constitutes a model for all formulae of the (extended) DC semantics.
An advantage of our operational semantics is that it is very intuitive, and provides a simple explanation of what happens when a PLC-Automaton runs on PLC hardware. Clearly, the 8 rules of the operational semantics are easier to understand than the 27 formulae of the DC semantics, especially for readers who are not experts in Duration Calculus. The operational semantics can also serve as a basis for automatic verification, using tools for timed automata such as Kronos [5] and UPPAAL [4]. Our timed automata semantics uses 3 clock variables, which makes it more tractable for such tools than the semantics of [6], which requires 2 clocks plus one clock for each input value.
The logical semantics also has several advantages. Rather than modelling the internal state variables and hidden events of PLC hardware, it describes the allowed observable behaviour on the input and output ports. Duration Calculus, an interval temporal logic for real time, constitutes a very powerful and abstract specification language for polling real-time systems. Via the DC semantics, proving that a PLC-Automaton A satisfies a DC specification SPEC reduces to proving that the Duration Calculus semantics [[A]]_DC logically implies SPEC. For this task all the proof rules and logical machinery of DC can be used. In fact, in [7] an algorithm is presented that synthesises a PLC-Automaton from an (almost) arbitrary set of DC implementables, a subset of the Duration Calculus that has been introduced in [17] as a stepping stone for specifying distributed real-time systems. In [17] a fully developed theory can be found of how implementables can be obtained from general DC formulae. Hence, the synthesis algorithm provides a powerful means to design correct systems starting from specifications.
The fact that the TA and DC semantics are so different makes the proof of their equivalence interesting but also quite involved. In order to get the completeness result we had to extend the original DC semantics of [6] with 11 additional formulae. Ten of these formulae are just variations on a theme and express the presence of certain causalities between events. The eleventh formula is a variant of a formula from [6] and restricts the time during which an input can be ignored in a specific situation. The new formulae are not required for the correctness proof of the synthesis algorithm. This indicates that they may not be so important in applications. Nevertheless, we believe that the formulae do express fundamental properties of polling real-time systems, and it is not so difficult to come up with examples of situations in which the additional laws are used.
In this paper we only discuss the semantics of the simple PLC-Automata introduced in [6]. Meanwhile, PLC-Automata have been extended with a Statecharts-like concept of hierarchy, in order to allow for their use in the specification of complex systems [9]. We claim that it is possible to generalise the results of this paper to this larger class of hierarchical PLC-Automata. An interesting topic for future research is to give a low-level operational semantics of PLCs, including hybrid aspects, clock drift, etc., and to prove that this low-level semantics is a refinement of the semantics presented in this paper. Such a result would further increase confidence in the correctness of our semantic model.
PLC-Automata
In the UniForM project [12] an automaton-like notion of polling real-time systems, called PLC-Automata, has been developed to enable formal verification of PLC programs. Basically, Programmable Logic Controllers (PLCs), the hardware target of the project, are just simple computers with a special real-time operating system. They have features that make the design of time- and safety-critical systems easier:
- PLCs have input and output channels where sensors and actuators, respectively, can be plugged in.
- They behave in a cyclic manner, where every cycle consists of three phases: poll all inputs and store the read values; compute the new values for the outputs; update all outputs.
- There is an upper time bound for a cycle, which depends on the program and on the number of inputs and outputs, and which can be used to calculate an upper time bound for the reaction time.
- Convenient standardised libraries are given to simplify the handling of time.
The following formal definition of a PLC-Automaton incorporates the upper time bound for a polling cycle and the possibility of delayed reactions of the system depending on state and input.
Definition 1. A PLC-Automaton is a tuple A = (Q, , , q_0, ε, S_t, S_e, δ, ω). We require that the following two technical restrictions hold, for all q ∈ Q and all inputs a:

$S_t(q) > 0 \wedge a \notin S_e(q) \Longrightarrow \delta(q, a) \neq q$ (1)

Restriction (1) is needed to ensure the correctness of the PLC source code representing a PLC-Automaton w.r.t. the semantics given in [6]. It can trivially be met by adding, for each q, all inputs a with δ(q, a) = q to the set S_e(q). Restriction (2) says that delay times are either 0 or larger than twice the cycle upper bound ε. Figure 1 gives an example of a PLC-Automaton. A box representing a state (e.g. q_0) is annotated with the output (e.g. ω(q_0) = T) in the upper part of the box and with the pair of delay time and delay set in the lower part of the box (e.g. S_t(q_0) = 5, S_e(q_0) = {0, 1}). The automaton starts in state q with output N and remains in this state as long as the polled input is 0. The first time the polled input is not 0, the automaton changes state according to the transition function. If, following a 1-input, state q_0 is entered, then the automaton starts a timer. Now the following cases are possible.
- The polled input is 0. In this case the automaton checks the timer. Only if the timer says that S_t(q_0) = 5 time units have elapsed does the automaton take the 0-transition back to state q. Otherwise the automaton stays in q_0.
- The polled input is 1. In this case the automaton remains in q_0 independently of the status of the timer, because the 1-transition leads to q_0 again.
- The polled input is Error. In this case the automaton takes the Error-transition independently of the status of the timer, because Error ∉ S_e(q_0).
We would like to stress that the range of applicability of PLC-Automata is much wider than just PLCs. In fact, PLC-Automata are an abstract representation of a machine that periodically polls inputs and has the possibility of measuring time.
Timed Automaton Semantics of PLC-Automata
In this section we present an operational semantics of PLC-Automata in terms of timed automata. For the definition of timed automata the reader is referred to Appendix A. We first present the components of the timed automaton T(A) that is associated to a given PLC-Automaton A, and then give some intuition.
Each location of T(A) is a 4-tuple (i, a, b, q), where i ∈ {0, 1, 2, 3} describes the current status of the PLC (the "program counter"), a is the current input, b is the last input that has been polled, and q ∈ Q is the current state of the PLC-Automaton.
There are three clocks in use: x measures the time the current latest input is stable, y measures the time spent in the current state, and z measures the time elapsed in the current cycle.
The edges of the timed automaton T(A) are defined in Table 1. (Note that "locations" refer to the timed automaton and "states" to the PLC-Automaton.)
The timed automaton models the cyclic behaviour of a polling system. The events within one cycle are: polling input, testing whether the input has to be ignored, producing new output (if necessary), and ending the cycle. The "program counter" models the phases of a cycle. The following list shows how these events change the value of the program counter.
- "0" denotes the first part of the cycle. The input has not yet been polled.
- "1" denotes that polling has happened in the current cycle. The test whether to react has not been performed yet.
- "2" denotes that polling and testing have happened. The system decided to ignore the input.
- "3" denotes that polling and testing have happened. The system decided to react to the input.
A clock z is introduced within the timed automaton to measure the time that has elapsed within the current cycle. This clock is not allowed to go above the upper bound ε and is reset at the end of each cycle.
In the first phase of a cycle incoming input is polled. In the timed automaton model there are no continuous variables available by which we could model continuous input. We have to restrict ourselves to a finite set of inputs, and introduce for each input a a transition label a that models the discrete, instantaneous event which occurs whenever the input signal changes value and becomes a. At any time in the cycle the input signal may change its value. The current value of the input is recorded in the second component of a location of the timed automaton. Within our semantic model the occurrence of input events is described by transition (ta-1) in Table 1.
The timed automaton model allows inputs that last only for one point of time, i.e., it is not required that time passes in between input events. However, it is of course realistic to assume that polling input takes some (small) amount of time, and that an input can only be polled if it persists for some positive amount of time. Technically, we require that input may only be polled if it has remained unchanged throughout a left-open interval. In the semantics we model this by a clock x that is reset whenever an input event occurs. Polling is only allowed if x is non-zero (see transition (ta-2)). The polled input is recorded in the third component of a location of T(A).
Next, we have to deal with input delay. Whether input has to be ignored or not depends on the state of the PLC-automaton and on the time during which the system has been in this state. The state of the PLC-automaton is recorded in the fourth component of the locations of T (A). Furthermore, we introduce a clock y that measures how long the current state is valid. Edges (ta-3), (ta-4) and (ta-5) describe the cases that the test-event has to distinguish: if a state requires no delay or if it requires delay but the delay time is over, then input is not ignored and in the subsequent location the program counter has value 3; otherwise the program counter is assigned value 2.
A cycle ends with an event tick (see (ta-6), (ta-7), (ta-8)). If the program counter has value 3 then the PLC-Automaton state is updated in the new location according to the function ; otherwise the PLC-Automaton state remains unchanged. After a tick-event the program counter gets value 0 and clock z is reset to indicate that a new cycle has started. If the state changes then also clock y is reset.
For each location (i, a, b, q) we want to reason about the actual input, state and output. Therefore, we introduce the atomic propositions input = a, state = q and output = ω, abbreviated by a, q and ω, respectively. In fact, we assume that each state generates a unique output, and will often use the propositions q and ω(q) as synonyms.
Table 1: edges of T(A), for i ∈ {0, 1, 2, 3}, inputs a, b, c, and q ∈ Q.
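The operational semantics above, made executable for the PLC-Automaton of Figure 1 as an added example (this code is not from the paper). The location components (phase, input, polled, state) and the clocks x, y, z follow Section 3; where the poll and the tick fall inside a cycle, the name `delta` for the transition function, the successor state E of the Error transitions and the input traces are assumptions made here.

```python
"""Executable reading of the timed-automaton semantics T(A) of Section 3,
applied to the PLC-Automaton of Figure 1. Added example, not code from
the paper: where polls and ticks fall inside a cycle, the name delta for
the transition function, the Error successor state E and the input
traces are assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Hashable, List, Tuple

Event = Tuple[float, Hashable]             # (time, new input value)
Change = Tuple[float, Hashable, Hashable]  # (time, state, output)


@dataclass(frozen=True)
class PLCAutomaton:
    """Definition 1: states, inputs, initial state q0, cycle bound eps,
    delay time s_t, delay set s_e, transition function delta, output omega."""
    states: FrozenSet[Hashable]
    inputs: FrozenSet[Hashable]
    q0: Hashable
    eps: float
    s_t: Dict[Hashable, float]
    s_e: Dict[Hashable, FrozenSet[Hashable]]
    delta: Dict[Tuple[Hashable, Hashable], Hashable]
    omega: Dict[Hashable, Hashable]

    def check_restrictions(self) -> None:
        """(1) a delayed state must be left on every non-delayed input;
        (2) delay times are 0 or larger than 2*eps."""
        for q in self.states:
            if not (self.s_t[q] == 0 or self.s_t[q] > 2 * self.eps):
                raise ValueError(f"S_t({q}) must be 0 or > 2*eps")
            for a in self.inputs:
                if self.s_t[q] > 0 and a not in self.s_e[q] and self.delta[(q, a)] == q:
                    raise ValueError(f"restriction (1) violated at ({q}, {a})")


def figure1_automaton(eps: float = 1.0) -> PLCAutomaton:
    """Figure 1 as read here: N (no delay) goes to T on input 1; T delays
    inputs 0 and 1 for 5 time units and leaves on Error at once. State E,
    with output E, is an assumed target of the Error transitions."""
    return PLCAutomaton(
        states=frozenset({"N", "T", "E"}), inputs=frozenset({0, 1, "Error"}),
        q0="N", eps=eps,
        s_t={"N": 0.0, "T": 5.0, "E": 0.0},
        s_e={"N": frozenset(), "T": frozenset({0, 1}), "E": frozenset()},
        delta={("N", 0): "N", ("N", 1): "T", ("N", "Error"): "E",
               ("T", 0): "N", ("T", 1): "T", ("T", "Error"): "E",
               ("E", 0): "E", ("E", 1): "E", ("E", "Error"): "E"},
        omega={"N": "N", "T": "T", "E": "E"})


def run(aut: PLCAutomaton, inputs: List[Event], cycle_ends: List[float],
        poll_offset: float = 0.1) -> List[Change]:
    """Simulate T(A). `inputs` are the (ta-1) input events, each value holding
    from its time on (the first must be at time 0); `cycle_ends` are the tick
    times of (ta-6)-(ta-8), each cycle at most eps long. Every cycle polls
    (ta-2) at prev_tick + poll_offset and tests (ta-3)-(ta-5) right away.
    Returns the observable (time, state, output) changes."""
    aut.check_restrictions()
    events = sorted(inputs, key=lambda ev: ev[0])
    if events[0][0] != 0.0:
        raise ValueError("the first input event must be at time 0")
    cur_in, k, state = events[0][1], 1, aut.q0
    x_reset = y_reset = prev_tick = 0.0   # clocks kept as reset times: x = t - x_reset
    history: List[Change] = [(0.0, state, aut.omega[state])]
    for tick in cycle_ends:
        poll_t = prev_tick + poll_offset
        if not (0.0 < tick - prev_tick <= aut.eps and poll_t < tick):
            raise ValueError("cycle length must lie in (0, eps] and contain the poll")
        # (ta-1) events strictly before the poll: the polled value is the one
        # that was stable over a left-open interval ending at the poll
        while k < len(events) and events[k][0] < poll_t:
            x_reset, cur_in = events[k]
            k += 1
        assert poll_t - x_reset > 0 and poll_t - prev_tick > 0  # guards x > 0, z > 0
        polled = cur_in
        # test: react unless a delay is active and the polled input is delayed
        y = poll_t - y_reset
        react = aut.s_t[state] == 0 or y >= aut.s_t[state] or polled not in aut.s_e[state]
        while k < len(events) and events[k][0] <= tick:  # (ta-1) later in the cycle
            x_reset, cur_in = events[k]
            k += 1
        # tick: update the state only if the test decided to react;
        # clock y is reset only when the state actually changes
        if react:
            nxt = aut.delta[(state, polled)]
            if nxt != state:
                state, y_reset = nxt, tick
                history.append((tick, state, aut.omega[state]))
        prev_tick = tick
    return history


if __name__ == "__main__":
    aut = figure1_automaton()
    ticks = [float(i) for i in range(1, 15)]  # one cycle per time unit (= eps)
    # input 1 at 1.5 enters T at the next tick; the 0 from 3.5 on is ignored
    # until the 5-unit delay has expired; Error at 12 leaves N at once
    print(run(aut, [(0.0, 0), (1.5, 1), (3.5, 0), (12.0, "Error")], ticks))
    # Error during the delay is not in S_e(T) and is reacted to immediately
    print(run(aut, [(0.0, 0), (1.5, 1), (4.5, "Error")], ticks))
```

Running the first trace shows the state changes at times 3 (to T), 9 (back to N, first tick after the delay has expired) and 13 (to E); the second trace leaves T at time 6 although the delay is still running, because Error is not in S_e(T).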
Duration Calculus Semantics of PLC-Automata
In this section we give a logical semantics for PLC-Automata in terms of the Duration Calculus (DC), based on the semantics of [6]. For a brief introduction to DC the reader is referred to Appendix B. In the previous section we modelled the inner workings of a PLC using timed automata. Now we change our perspective: instead of modelling the internal, operational behaviour, we use DC to describe which behaviour can be observed externally.
Let A = (Q, , , q_0, ε, S_t, S_e, δ, ω) be a PLC-Automaton. We give a set F(A) of DC formulae restricting the allowed interpretations of the three observables input, state and output, with domains the input alphabet, Q, and the output alphabet, respectively. In the formulae below q ranges over Q and A, B, C range over sets of inputs. In a DC formula we write A for $\bigvee_{a \in A} \mathit{input} = a$ and, if X is a set of states, X abbreviates $\bigvee_{q \in X} \mathit{state} = q$. By convention the empty set stands for false. With δ(q, A) we denote the set of states {δ(q, a) | a ∈ A}. Each of the following formulae should be interpreted over all possible assignments to q, A, B, C. First of all, we want the system to start in the initial state, which is expressed by the formula

$\lceil\,\rceil \vee \lceil q_0\rceil ; \mathit{true}$ (dc-1)

Recall that q_0 abbreviates state = q_0.
Next, we de ne that the output of the system changes synchronously with the system's state:
The following set of formulae describes the general behaviour of PLCs. Only inputs that arrive after the system has switched into q may produce subsequent state transitions (dc-3). Moreover, due to the cyclic behaviour, a transition can only be triggered by an input that is not older than ε time units (dc-4).

$\lceil\neg q\rceil ; \lceil q \wedge A\rceil \longrightarrow \lceil q \vee \delta(q, A)\rceil$ (dc-3)

$\lceil q \wedge A\rceil \xrightarrow{\varepsilon} \lceil q \vee \delta(q, A)\rceil$ (dc-4)

To ensure that the delay S_t(q) is observed we add two formulae that correspond to (dc-3) and (dc-4). The first formula (dc-5) states that the system is not allowed to change state due to an input contained in S_e(q) during the first S_t(q) time units. The second formula (dc-6) allows changes during the first S_t(q) time units only if the input is not in S_e(q) and not older than ε time units.

$S_t(q) > 0 \Longrightarrow \lceil\neg q\rceil ; \lceil q \wedge A\rceil \xrightarrow{S_t(q)} \lceil q \vee \delta(q, A \setminus S_e(q))\rceil$ (dc-5)
The formulae above do not force a transition, they only disallow some transitions. If we observe a change of the state, then we know that another cycle will be finished within the next ε time units. Depending on the inputs that are valid, we know whether the state will change or not. In order to make this information exploitable we introduce formulae which force a reaction at most ε time units after a state change. First, two formulae for the case S_t(q) = 0:

$S_t(q) = 0 \wedge q \notin \delta(q, A) \Longrightarrow \lceil\neg q\rceil ; \lceil q \wedge A\rceil \xrightarrow{\varepsilon} \lceil\neg q\rceil$ (dc-7)

$S_t(q) = 0 \wedge q \notin \delta(q, A) \Longrightarrow \lceil\neg q\rceil ; (\lceil q\rceil^{>\varepsilon} \wedge \lceil A\rceil ; \lceil B\rceil) \longrightarrow \lceil q \vee \delta(q, B)\rceil$ (dc-8)

Formula (dc-7) covers the case that q ∉ δ(q, A) holds for the whole interval of length ε right after the state change, whereas formula (dc-8) takes care of the case that input from a set A which satisfies q ∉ δ(q, A) is followed by input from an arbitrary set B. The remaining cases, like arbitrary input followed by input from A, are already covered by formulae (dc-3) and (dc-4).
The next two formulae concern the cases with a delay in state q, and are similar to the previous ones. Note that (1) and a ∉ S_e(q) imply q ≠ δ(q, a).

$S_t(q) > 0 \wedge A \cap S_e(q) = \emptyset \Longrightarrow \lceil\neg q\rceil ; \lceil q \wedge A\rceil \xrightarrow{\varepsilon} \lceil\neg q\rceil$ (dc-9)

of the PLC-Automaton in Figure 1, which cannot be realised according to the TA semantics of Section 3. We know that at t_0 and t_2 a cycle ends. The interval [t_0, t_2] contains at least two cycles, since we assume t_2 − t_0 > ε. The first cycle produces no state change, therefore input 0 is polled in the interval [t_1, t_2]. Consequently, input 0 is also polled in the successive cycles, including the last cycle that ends at t_2. This, however, implies that the change to state T at t_2 cannot happen according to the TA semantics! Formula (dc-8) excludes this scenario (take q = N, A = {1} and B = {0}).
If the state changes, then we know that a cycle begins and will be completed within the next ε time units. The previous four formulae reflect that we have either two types of input or only one, and that there is a delay in the current state or not. If the state is stable for a period longer than 2ε, then we know that this interval also contains at least one cycle. If we are in state q and the input only enables transitions that leave q, then we know that this situation cannot hold for 2ε time units: in the worst case we need slightly less than ε time units to end the current cycle and an additional ε time units to finish a subsequent cycle that reacts to the input. Therefore, we have a set of formulae similar to (dc-7) to (dc-10) concerning intervals of length 2ε with a stable state. However, for this situation we do not only have to consider the cases no delay and delay active, but also the cases delay has expired and delay expires in that particular interval. If there is no delay active in state q then the following two formulae apply.
In the case where S t (q) > 0 and the delay time has not expired only inputs not contained in S e (q) can force a transition to happen. If the delay time is expired then the system behaves like a system with no delay. Consequently the following two formulae are the same as (dc-11) and (dc-12), respectively, except that the state is stable for an additional S t (q) time units.
$S_t(q) > 0 \wedge q \notin \delta(q, A) \Longrightarrow \Box(\lceil q\rceil^{S_t(q)} ; \lceil q \wedge A\rceil \Longrightarrow \ell < S_t(q) + 2\varepsilon)$ (dc-15)

$\lceil A\rceil ; \lceil B\rceil) \longrightarrow \lceil q \vee \delta(q, B)\rceil$ (dc-16)

To express that the delay time expires during an interval we need some more complicated formulae, but the idea is the same as in the foregoing cases. In the formulae, u ranges over Time.

$S_t(q) > 0 \wedge A \cap S_e(q) = \emptyset \wedge q \notin \delta(q, B) \Longrightarrow \Box(\lceil q\rceil \wedge \mathit{true} ; (\lceil A\rceil ; \lceil B\rceil^{u})^{2\varepsilon} \Longrightarrow \ell < S_t(q) + u)$ (dc-17)

$S_t(q) > 0 \wedge A \cap S_e(q) = \emptyset \Longrightarrow \lceil q\rceil^{2\varepsilon} \wedge \lceil A\rceil ; \lceil B\rceil \longrightarrow \lceil q \vee \delta(q, B)\rceil$ (dc-18)

$S_t(q) > 0 \wedge A \cap S_e(q) = \emptyset \wedge q \notin \delta(q, B) \Longrightarrow \lceil q\rceil \wedge \mathit{true} ; (\lceil A\rceil ; (\lceil B\rceil ; \lceil C\rceil)^{u})^{2\varepsilon} \xrightarrow{S_t(q) + u} \lceil q \vee \delta(q, C)\rceil$ (dc-19)

Some of the formulae given in this section are not applicable in the initial phase. The premise of these formulae is only true if the state changes at the beginning of an interval, which of course cannot be true in the initial state. The corresponding formulae for the initial phase are listed in Appendix C.
The DC semantics presented in this paper differs from the one presented in [6] by the additional formulae (dc-8), (dc-10), (dc-12), (dc-14), (dc-16), (dc-17), (dc-18) and (dc-19) (together with the corresponding formulae for the initial phase). We also use < instead of ≤ in formulae (dc-11), (dc-13) and (dc-15). Hence, the conjunction of the formulae above is stronger than the semantics in [6].
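As an added example (not from the paper), the following checker evaluates the stable-state formulae (dc-11), (dc-13) and (dc-15) over a finite interpretation given as contiguous segments of constant input and state. The Figure 1 automaton as read here (with an assumed Error successor state E), the segment encoding, the constructed traces and all identifiers are assumptions. Because each formula is quantified over all sets A, and ⌈q ∧ A⌉ holds on more intervals the larger A is, it suffices to check the largest admissible A: the set of inputs that leave q for (dc-11) and (dc-15), and the complement of S_e(q) for (dc-13).

```python
"""Checker for the 'stable state' formulae (dc-11), (dc-13) and (dc-15)
over a finite interpretation of the observables input and state.
Added example, not code from the paper; the segment encoding, the
Figure 1 automaton as read here and all identifiers are assumptions."""
from typing import Callable, Hashable, List, Tuple

Segment = Tuple[float, float, Hashable, Hashable]  # (start, end, input, state)
Run = Tuple[float, float]

# Figure 1 automaton (assumed reading; E is an assumed Error successor).
EPS = 1.0
S_T = {"N": 0.0, "T": 5.0, "E": 0.0}
S_E = {"N": frozenset(), "T": frozenset({0, 1}), "E": frozenset()}
DELTA = {("N", 0): "N", ("N", 1): "T", ("N", "Error"): "E",
         ("T", 0): "N", ("T", 1): "T", ("T", "Error"): "E",
         ("E", 0): "E", ("E", 1): "E", ("E", "Error"): "E"}


def runs(segs: List[Segment], pred: Callable[[Hashable, Hashable], bool]) -> List[Run]:
    """Maximal intervals on which pred(input, state) holds. Segments must be
    sorted and contiguous; adjacent segments satisfying pred are merged,
    which matches the 'almost everywhere' reading of ⌈P⌉ in DC."""
    out: List[Run] = []
    for s, e, a, q in segs:
        if not pred(a, q):
            continue
        if out and out[-1][1] == s:
            out[-1] = (out[-1][0], e)
        else:
            out.append((s, e))
    return out


def stable_state_violations(segs: List[Segment], eps: float = EPS) -> List[Tuple[str, Hashable, float, float]]:
    """Return (formula, q, start, end) for every interval falsifying
    (dc-11) S_t(q)=0 and q not in δ(q,A): no ⌈q∧A⌉ interval of length >= 2ε,
    (dc-13) S_t(q)>0 and A disjoint from S_e(q): no ⌈q∧A⌉ interval of length >= 2ε,
    (dc-15) S_t(q)>0 and q not in δ(q,A): no ⌈q⌉^{S_t(q)};⌈q∧A⌉ interval of
            length >= S_t(q)+2ε, i.e. no leaving input lasting 2ε once the
            delay has expired.
    The largest admissible A is used in each case (see lead-in)."""
    bad: List[Tuple[str, Hashable, float, float]] = []
    for q in dict.fromkeys(seg[3] for seg in segs):  # states, in order of appearance
        leaving = runs(segs, lambda a, s, q=q: s == q and DELTA[(q, a)] != q)
        undelayed = runs(segs, lambda a, s, q=q: s == q and a not in S_E[q])
        for qs, qe in runs(segs, lambda a, s, q=q: s == q):
            inside = [r for r in leaving if qs <= r[0] and r[1] <= qe]
            if S_T[q] == 0:
                bad += [("dc-11", q, u, v) for u, v in inside if v - u >= 2 * eps]
                continue
            bad += [("dc-13", q, u, v) for u, v in undelayed
                    if qs <= u and v <= qe and v - u >= 2 * eps]
            for u, v in inside:
                u2 = max(u, qs + S_T[q])  # leaving input before the delay expires is ignored
                if v - u2 >= 2 * eps:      # then ⌈q⌉^{S_t(q)};⌈q∧A⌉ spans >= S_t(q)+2ε
                    bad.append(("dc-15", q, u2 - S_T[q], v))
    return bad


# Constructed interpretations of the Figure 1 automaton (ε = 1): one that
# the TA semantics can produce, and one where N keeps input 1 for 2.5 time
# units and T keeps input 0 for 3.5 time units after its delay has expired.
TRACE_OK = [(0.0, 1.5, 0, "N"), (1.5, 3.0, 1, "N"), (3.0, 3.5, 1, "T"),
            (3.5, 9.0, 0, "T"), (9.0, 12.0, 0, "N"), (12.0, 13.0, "Error", "N"),
            (13.0, 14.0, "Error", "E")]
TRACE_BAD = [(0.0, 1.0, 0, "N"), (1.0, 3.5, 1, "N"), (3.5, 4.0, 1, "T"), (4.0, 12.0, 0, "T")]

if __name__ == "__main__":
    print(stable_state_violations(TRACE_OK))
    print(stable_state_violations(TRACE_BAD))
```

On TRACE_OK the checker reports nothing; on TRACE_BAD it reports a (dc-11) violation for N on [1, 3.5] and a (dc-15) violation for T on [3.5, 12], the latter because input 0 persists for 3.5 time units after the 5-unit delay of T has expired. The argument in the lead-in about the largest A is what makes a finite check possible; without it the quantification over all subsets A would have to be enumerated.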
5 Relation between TA and DC Semantics
The semantic objects of timed automata are runs; the semantic objects of the Duration Calculus are interpretations of observables (see Appendices A and B, respectively). In order to compare our two semantic models of PLC-Automata, we associate interpretations of observables to each run of a timed automaton.
We will then show that, for each PLC-Automaton A, the set of interpretations associated to timed automaton T (A) is (in a very strong sense) equivalent with the set of interpretations associated to the DC formulae F(A). This plan is illustrated in Figure 5 . In this section we will de ne the mapping from runs to interpretations of observables, and the equivalence = between sets of observables.
From Runs to Interpretations
Within the DC semantics we have three observables input, state and output, with domains the input alphabet, Q, and the output alphabet, respectively. Within the TA semantics the values from these domains occur as proposition symbols and, for each location, exactly one proposition from the input alphabet holds, one proposition from Q, and one proposition from the output alphabet. We say that these three sets are leagues.

Definition 3. For a timed automaton T = (S, X, L, E, I, P, , S_0), we define a set P' ⊆ P of propositions to be a league if at each location one and only one atomic proposition p ∈ P' is valid, i.e., ∀s ∈ S ∃! p ∈ P' : p is valid at s. If P' is a league then we define the function that assigns to each location s the unique element of P' valid at s.
Each timed automaton T(A) has three leagues corresponding to the three observables in the DC semantics F(A): the input alphabet corresponds to input, Q to state, and the output alphabet to output. Recall that the interpretation of a DC observable is a function from time to the domain of this observable. Therefore, when mapping a run to an interpretation of an observable, we have to associate to each point of time a unique element of the domain, i.e., a proposition of a league. However, within runs of a timed automaton time need not increase strictly monotonically. Therefore, if in a run there are consecutive states at the same point in time, we use the last one to define the unique interpretation.
Definition 4. Let T be a timed automaton with a run r = ((s_i, v_i, t_i))_{i ∈ ℕ}, and let o_1, …, o_n be observables such that their domains D_1, …, D_n are leagues of T. For each t ∈ Time consider the largest index i such that t_i ≤ t (this index is well-defined due to the divergence of time in r). We define the interpretation associated to r to be the interpretation that assigns to each observable o_j the state function f_j given by f_j(t) = the unique element of D_j valid at s_i, where i is that largest index. If R is a set of runs, the set of interpretations associated to R is the set of interpretations associated to the runs r ∈ R.
Equivalence of Interpretations
In DC the truth of a formula is defined by integrals of functions over intervals. Functions that are identical up to zero-sets give the same truth values for all formulae and can be identified. We therefore define two state functions f and g to be equivalent, notation f ≅ g, if they differ in at most countably many points. Two interpretations I and I' are equivalent, notation I ≅ I', if obs_I ≅ obs_{I'} for each observable obs. Hence, by definition of ≅ we see that, for each formula F,

$I \cong I' \Longrightarrow (I \models F \Longleftrightarrow I' \models F).$

Definition 5. Let o_1, …, o_n be observables with domains D_1, …, D_n, F a set of DC formulae, and I(F) the set of interpretations of o_1, …, o_n that satisfy the formulae of F. Let T be a timed automaton with leagues D_1, …, D_n. We say that T is
- sound with respect to F if for each run r ∈ R(T) there exists an interpretation I ∈ I(F) such that the interpretation associated to r is equivalent to I;
- complete with respect to F if for each interpretation I ∈ I(F) there exists a run r ∈ R(T) such that the interpretation associated to r is equivalent to I.
Note that T is sound w.r.t. F iff the set of interpretations associated to R(T) is included in I(F), iff for each run r ∈ R(T) and each formula F ∈ F the interpretation associated to r satisfies F. Conversely, it may be the case that T is complete w.r.t. F even though I(F) is not included in the set of interpretations associated to R(T).
In Sections 6 and 7 we will show soundness and completeness, respectively, of T (A) w.r.t. F(A), for each PLC-Automaton A.
Soundness
In this section we will prove the following Theorem 6. Let A be a PLC-Automaton. Then T(A) is sound w.r.t. F(A), i.e., for each run r ∈ R(T(A)) and for each formula F ∈ F(A), the interpretation associated to r satisfies F.
Proof: Throughout this proof we fix a run r = ((s_i, v_i, t_i))_{i ∈ ℕ} and let $\mathcal{I}$ be the interpretation associated to r. For each of the 27 formulae F defined in Section 4 and Appendix C, for each possible value of the variables q, A, B, C and u occurring in these formulae, and for each e ∈ Time we will prove that $\mathcal{I}, [0, e] \models F$.
The locations s of timed automaton T (A) are 4-tuples to the components of which we will refer as s:phase, s:input, s:polled and s:state. We start with some technical lemmas that are heavily used in the rest of the proof, and then proceed with a case distinction on F.
Technical Lemmas
The first lemma states that a polling transition can never follow another transition without any intervening delay:
Lemma 7. Suppose i > 0, s_{i−1}.phase = 0 and s_i.phase = 1. Then t_{i−1} < t_i.
Proof. According to the timed automata semantics a transition of type (ta-2) brings the system from location s_{i−1} to location s_i. We distinguish three cases:
- i = 1. Observe that v_0(x) = 0 and (ta-2) has guard x > 0.
- Location s_{i−1} is reached via a transition (ta-1). Observe that v_{i−1}(x) = 0 and (ta-2) has guard x > 0.
- Location s_{i−1} is reached via a transition (ta-6), (ta-7) or (ta-8). Observe that v_{i−1}(z) = 0 and (ta-2) has guard z > 0.
The next lemma states that when the system is in its initial phase, a state change can only occur after some time has elapsed. This means that each state persists for a positive amount of time.
Proof. Since s_j.phase = 0 and s_{j−1}.phase ≠ 0, a transition of type (ta-6), (ta-7) or (ta-8) occurs at t_j. Because s_i.phase = 0 and s_{j−1}.phase ≠ 0, at least one transition of type (ta-2) has to occur between t_i and t_{j−1}. Let t_k be the time of the last of these transitions. Then s_k.phase = 1 and s_{k−1}.phase = 0. By Lemma 7, t_i < t_k. Also v_k(z) > 0 and, for all k ≤ l < j, s_l.phase ≠ 0. This implies that clock z is only reset at time t_j. Thus t_j − t_k < ε must hold.
Since DC identifies interpretations that are identical almost everywhere, we need a lemma that ensures that only input can be polled which has persisted for some time.
Moreover there is an index j such that t_j = e_2, s_{j−1}.phase = 3 and s_j.phase = 0. Let i be the largest index such that i < j and s_i.phase = 0 (note that i is always well-defined as s_0.phase = 0). By Lemma 9, t_i ≥ e_1. Lemma 10 ensures that there exists a k with i < k < j, s_{k−1}.phase = 0, s_k.phase = 1 and t_i < t_k.
Moreover, there are indices m, j such that t_m = e_2, s_m.phase = 0, t_j = e_4, s_{j−1}.phase = 3 and s_j.phase = 0. Let i < j be the largest index with s_i.phase = 0. Then e_2 < t_i by Lemma 9. By Lemma 10 there exists a k such that i < k < j, s_{k−1}.phase = 0 and s_k.phase = 1. Now there are two cases:
If input from the complement of S_e(q) occurs during a delay, then the system has to react as in a situation without delay and with arbitrary input.
Formula dc-9 $S_t(q) > 0 \wedge A \cap S_e(q) = \emptyset \Longrightarrow \lceil\neg q\rceil ; \lceil q \wedge A\rceil \xrightarrow{\varepsilon} \lceil\neg q\rceil$
Proof. Similar to the proof of (dc-7). Note that by formula (1) the assumption S_t(q) > 0 ∧ A ∩ S_e(q) = ∅ implies q ∉ δ(q, A).
Formula dc-10 $S_t(q) > 0 \wedge A \cap S_e(q) = \emptyset \Longrightarrow \lceil\neg q\rceil ; (\lceil q\rceil^{>\varepsilon} \wedge \lceil A\rceil ; \lceil B\rceil) \xrightarrow{S_t(q)} \lceil q \vee \delta(q, B \setminus S_e(q))\rceil$
Proof. Similar to the proof of (dc-8). Use again that by formula (1) the assumption S_t(q) > 0 ∧ A ∩ S_e(q) = ∅ implies q ∉ δ(q, A).
Stable State
If input lasts 2" or more then we know for sure that it has been polled.
Formula dc-11 $S_t(q) = 0 \wedge q \notin \delta(q, A) \Longrightarrow \Box(\lceil q \wedge A\rceil \Longrightarrow \ell < 2\varepsilon)$
Proof. Assume S_t(q) = 0 ∧ q ∉ δ(q, A). We prove the right-hand side by contradiction. Assume $\mathcal{I}, [0, e] \models \Diamond(\lceil q \wedge A\rceil \wedge \ell \geq 2\varepsilon)$. Then there are time points e_1 and e_2 such that e_2 ≥ e_1 + 2ε and $\mathcal{I}, [e_1, e_2] \models \lceil q \wedge A\rceil$. Let i be the largest index such that t_i ≤ e_1. Then $\mathcal{I}, [t_i, e_2] \models \lceil q \wedge A\rceil$. We distinguish two cases:
1. s_i.phase = 0. By Lemma 9 there exists a j > i with t_j < e_2, s_{j−1}.phase ≠ 0 and s_j.phase = 0. By Lemma 10 there exists a largest k with i < k < j, s_k.phase = 1, s_{k−1}.phase = 0, t_i < t_k and t_j − t_k < ε. Using the assumption S_t(q) = 0 we infer that between t_k and t_{j−1} a transition of type (ta-5) takes place, so that s_{j−1}.phase = 3. By Lemma 11 we derive s_k.polled ∈ A, and therefore s_{j−1}.polled ∈ A. Using the assumption q ∉ δ(q, A) we obtain s_j.state ≠ q. Now Lemma 8 implies $\mathcal{I}, [t_j, e_2] \models \lceil\neg q\rceil ; \mathit{true}$. Contradiction.
δ(q, B))⌉). Then there are time points e_1 < e_2 < e_3 < e_4 δ(q, B))⌉.
Moreover, there is an index j such that t_j = e_3, s_{j−1}.phase = 3 and s_j.phase = 0.
Let i be the largest index such that i < j, s_{i−1}.phase ≠ 0 and s_i.phase = 0. By Lemma 9 we know that such an i exists and also that t_j − t_i ≤ ε. Lemma 10 ensures that there exists a k with i < k < j, s_{k−1}.phase = 0 and s_k.phase = 1. We distinguish two cases: Since t_m ≥ e_1, we can routinely infer that an input in A is polled in the cycle from t_m to t_i, which (by the assumptions) leads to a state change at time t_i. Contradiction.
Formula dc-13 $S_t(q) > 0 \wedge A \cap S_e(q) = \emptyset \Longrightarrow \Box(\lceil q \wedge A\rceil \Longrightarrow \ell < 2\varepsilon)$
Proof. Similar to the proof of (dc-11). Use again that by formula (1) the assumption S_t(q) > 0 ∧ A ∩ S_e(q) = ∅ implies q ∉ δ(q, A).
Moreover there are indices m, j such that t_m = e_2, v_m(y) = 0, t_j = e_5, s_{j−1}.phase = 3 and s_j.phase = 0. Let i be the largest index such that i < j, s_{i−1}.phase ≠ 0 and s_i.phase = 0. By Lemma 9 we know that such an i exists and also that t_j − t_i ≤ ε. Lemma 10 ensures that there exists a k with i < k < j, s_{k−1}.phase = 0 and s_k.phase = 1. We distinguish two cases:
1. t_k > e_4. By Lemma 11 we infer s_k.polled ∈ B. Since $\mathcal{I}, [t_m, e_5] \models \lceil q\rceil$ and e_5 − t_m < S_t(q), we know that v_n(y) < S_t(q) for all k ≤ n ≤ j. In combination with the fact that s_{j−1}.phase = 3 this allows us to infer that a transition of type (ta-5) occurs at some state s_n with k < n < j. This implies that Since t_p ≥ e_3, we can routinely infer that an input in A is polled in the cycle from t_p to t_i, which (by the assumptions and formula (1)) leads to a state change at time t_i. Contradiction.
If input lasts longer than 2ε we know for sure that it has been polled. So if, after a delay period, an input persists for 2ε time units, then a PLC-Automaton should take an appropriate transition.
Formula dc-15 $S_t(q) > 0 \wedge q \notin \delta(q, A) \Longrightarrow \Box(\lceil q\rceil^{S_t(q)} ; \lceil q \wedge A\rceil \Longrightarrow \ell < S_t(q) + 2\varepsilon)$
Proof. Assume S_t(q) > 0 ∧ q ∉ δ(q, A). We prove the right-hand side by contradiction. Assume $\mathcal{I}, [0, e] \models \Diamond(\lceil q\rceil^{S_t(q)} ; \lceil q \wedge A\rceil \wedge \ell \geq S_t(q) + 2\varepsilon)$. Then there are time points e_1 < e_2 < e_3 such that
- e_2 = e_1 + S_t(q),
- e_3 ≥ e_2 + 2ε,
- $\mathcal{I}, [e_1, e_3] \models \lceil q\rceil$ and
- $\mathcal{I}, [e_2, e_3] \models \lceil A\rceil$.
Let m be the largest index such that t_m ≤ e_1 and s_m.phase = 0. Then $\mathcal{I}, [t_m, e_3] \models \lceil q\rceil$. Let i ≥ m be the largest index such that t_i ≤ e_2 and s_i.phase = 0. By Lemma 9 there exists a j > i with t_j − t_i ≤ ε, s_j.phase = 0 and s_{j−1}.phase ≠ 0. By Lemma 10 there exists a k with i < k < j, s_k.phase = 1, s_{k−1}.phase = 0, t_i < t_k and t_j − t_k < ε. We distinguish two cases:
2. t_k ≤ e_2. Then t_i < e_2, and therefore t_j < e_2 + ε. By Lemma 9 there exists an n > j with t_n < e_3, s_n.phase = 0 and s_{n−1}.phase ≠ 0. By a similar argument as in the previous case we can infer that at time t_n the system jumps to a non-q state, and derive a contradiction.
δ(q, B))⌉. Let p be the largest index such that t_p ≤ e_1. Then $\mathcal{I}, [t_p, e_4] \models \lceil q\rceil$. Thus v_r(y) ≥ S_t(q) for all r with t_r ≥ e_2. There is also an index j such that t_j = e_4, s_{j−1}.phase = 3 and s_j.phase = 0. Let i be the largest index such that i < j, s_{i−1}.phase ≠ 0 and s_i.phase = 0. By Lemma 9 we know that such an i exists and also that t_j − t_i ≤ ε. Lemma 10 ensures that there exists a k with i < k < j, s_{k−1}.phase = 0 and s_k.phase = 1. We distinguish two cases:
1. t_k > e_3. By Lemma 11 we infer s_k.polled ∈ B. Hence s_{j−1}.polled ∈ B and it follows that s_j.state ∈ δ(q, B). From this we can easily derive a contradiction.
2. t_k ≤ e_3. Then also t_i ≤ e_3. Let m be the largest index such that m < i, s_m.phase = 0 and t_i − t_m ≤ ε. The existence of m is ensured by Lemma 9.
Since t_m ≥ e_2, we can routinely infer that an input in A is polled in the cycle from t_m to t_i. After the polling a test-transition changes the phase to 3 (use that v_r(y) ≥ S_t(q) for all r with t_r ≥ e_2). Hence, by the assumption q ∉ δ(q, A), a state change occurs at time t_i. Contradiction.
The next three formulae allow us to handle intervals where the delay expires.
Formula dc-17: $S_t(q) > 0 \wedge q \notin \delta(q,B) \wedge A \cap S_e(q) = \emptyset \Longrightarrow \Box\big(\lceil q\rceil \wedge (\mathit{true} ; (\lceil A\rceil ; \lceil B\rceil^{u})^{2\varepsilon}) \Longrightarrow \ell < S_t(q) + u\big)$

Proof. Assume $S_t(q) > 0 \wedge q \notin \delta(q,B) \wedge A \cap S_e(q) = \emptyset$. We prove the right-hand side by contradiction. Assume $\mathcal{I},[0,e] \models \Diamond\big(\lceil q\rceil^{\ge S_t(q)+u} \wedge (\mathit{true} ; (\lceil A\rceil ; \lceil B\rceil^{u})^{2\varepsilon})\big)$. Then there are time points $e_1 < e_2 < e_3 < e_4$ such that
- $e_4 \ge e_1 + S_t(q) + u$,
- $e_4 = e_2 + 2\varepsilon$,
- $e_4 = e_3 + u$,
- $\mathcal{I},[e_1,e_4] \models \lceil q\rceil$,
- $\mathcal{I},[e_2,e_3] \models \lceil A\rceil$ and
- $\mathcal{I},[e_3,e_4] \models \lceil B\rceil$.

We sketch the rest of the proof. Since $e_4 = e_2 + 2\varepsilon$, the interval $[e_2,e_4]$ contains at least one full cycle by Lemma 9. Polling for this cycle occurs either in the subinterval $]e_2,e_3]$ or in the subinterval $]e_3,e_4[$. In the first case an action from $A$ is polled and we derive a contradiction: since $q \notin \delta(q,A)$ by the assumption $A \cap S_e(q) = \emptyset$ and formula (1), the system jumps to a different state before $e_4$.

In the second case an action from $B$ is polled and we also derive a contradiction: since the delay time $S_t(q)$ has passed and $q \notin \delta(q,B)$, there is a state transition before $e_4$.
Formula dc-18: $S_t(q) > 0 \wedge A \cap S_e(q) = \emptyset \Longrightarrow \big(\lceil q\rceil^{2\varepsilon} \wedge \lceil A\rceil ; \lceil B\rceil\big) \longrightarrow \lceil q \vee \delta(q,B)\rceil$

Proof. Assume $S_t(q) > 0 \wedge A \cap S_e(q) = \emptyset$. We prove the right-hand side by contradiction. Assume $\mathcal{I},[0,e] \models \Diamond\big((\lceil q\rceil^{2\varepsilon} \wedge \lceil A\rceil ; \lceil B\rceil) ; \lceil \neg(q \vee \delta(q,B))\rceil\big)$. Then there are time points $e_1 < e_2 < e_3 < e_4$ such that
- $e_3 = e_1 + 2\varepsilon$,
- $\mathcal{I},[e_1,e_3] \models \lceil q\rceil$,
- $\mathcal{I},[e_1,e_2] \models \lceil A\rceil$,
- $\mathcal{I},[e_2,e_3] \models \lceil B\rceil$ and
- $\mathcal{I},[e_3,e_4] \models \lceil \neg(q \vee \delta(q,B))\rceil$.

We sketch the rest of the proof. Consider the PLC cycle that ends at time $e_3$. Let $t_k$ be the time at which polling occurs in this cycle. We consider two cases.

1. If $t_k > e_2$ then an action from $B$ is polled. If this action is ignored because it is in $S_e(q)$ and the delay has not yet expired, then the resulting state after the transition at $e_3$ is $q$ and we have a contradiction. But if the action is not ignored then a transition to a state in $\delta(q,B)$ occurs at time $e_3$ and we are also in trouble.

2. If $t_k \le e_2$ then we know that a full PLC cycle is contained in the interval $[e_1,e_2]$. Because an action from $A$ is polled in this interval we have again a contradiction: since $A \cap S_e(q) = \emptyset$ and hence $q \notin \delta(q,A)$, there is a state jump before $e_2$.
Formula dc-19: $S_t(q) > 0 \wedge A \cap S_e(q) = \emptyset \wedge q \notin \delta(q,B) \Longrightarrow \big(\lceil q\rceil \wedge \mathit{true} ; (\lceil A\rceil ; (\lceil B\rceil ; \lceil C\rceil)^{u})^{2\varepsilon}\big) \xrightarrow{S_t(q)+u} \lceil q \vee \delta(q,C)\rceil$

Proof. Assume $S_t(q) > 0 \wedge A \cap S_e(q) = \emptyset \wedge q \notin \delta(q,B)$. We prove the right-hand side by contradiction. Assume $\mathcal{I},[0,e] \models \Diamond\big((\lceil q\rceil \wedge \mathit{true} ; (\lceil A\rceil ; (\lceil B\rceil ; \lceil C\rceil)^{u})^{2\varepsilon})^{S_t(q)+u} ; \lceil \neg(q \vee \delta(q,C))\rceil\big)$.

Then there are time points $e_1 < e_2 < e_3 < e_4 < e_5 < e_6$ such that
- $e_5 = e_1 + S_t(q) + u$,
- $e_5 = e_2 + 2\varepsilon$,
- $e_5 = e_4 + u$,

We sketch the rest of the proof. Consider the PLC cycle that ends at time $e_5$. Let $t_k$ be the time at which polling occurs in this cycle. We consider two cases.

1. If $t_k > e_4$ then an action from $C$ is polled. This means (since $y \ge S_t(q)$ holds for each time point greater than or equal to $e_3$) that a transition to a state in $\delta(q,C)$ occurs at time $e_5$. Contradiction.

2. If $t_k \le e_4$ then we know that a full PLC cycle is contained in the interval $[e_2,e_4]$. Let $t_m$ be the time at which polling occurs in this cycle. Again we consider two cases.

2.1. $t_m > e_3$. Then an action from $B$ is polled and we derive a contradiction: since $q \notin \delta(q,B)$ and the delay time has passed, there is a state jump before $e_4$.

2.2. $t_m \le e_3$. Then an action from $A$ is polled and we derive a contradiction: since $A \cap S_e(q) = \emptyset$ and thus $q \notin \delta(q,A)$, there is a state jump before $e_4$.
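The formulae dc-15 to dc-19 all bound, in terms of the delay $S_t(q)$ and the cycle-time bound $\varepsilon$, how long a PLC-Automaton may stay in a state once an input that should move it out has been present. The following Python program is an added example written for this page, not code from the paper or the UniForM project. It simulates a constructed PLC-Automaton (an alarm with a 5-unit hold delay during which "ok" is ignored) under the polling cycle described above and then checks the dc-15 bound on the resulting state observable: whenever $q$ has held for $S_t(q)$ and then $q$ together with an input $a$ with $\delta(q,a) \ne q$ keeps holding, that stretch must be shorter than $S_t(q) + 2\varepsilon$. The automaton, the input trace, the constant cycle length and the polling offset are all assumptions of the example; the simulation collapses the test and output phases into the cycle end and reads the state clock $y$ at test time.

```python
from dataclasses import dataclass
from fractions import Fraction as F
from typing import Dict, List, Set, Tuple

# Added example (not code from the paper): a simplified simulation of the
# polling semantics of a PLC-Automaton plus a checker for the timing bound
# of formula dc-15.  Times are exact rationals, so interval arithmetic is exact.

Run = Tuple[F, F, str]   # (start, end, symbol): the symbol holds on ]start, end]


@dataclass
class PLCAutomaton:
    delta: Dict[Tuple[str, str], str]   # transition function delta(q, a)
    q0: str                             # initial state
    eps: F                              # assumed upper bound on the cycle time
    S_t: Dict[str, F]                   # delay time S_t(q) per state
    S_e: Dict[str, Set[str]]            # inputs S_e(q) ignored while the delay runs


def input_at(trace: List[Run], t: F) -> str:
    """Input symbol observed at time t (input runs are left-open, right-closed)."""
    for b, e, a in trace:
        if b < t <= e:
            return a
    raise ValueError(f"no input defined at t={t}")


def simulate(plc: PLCAutomaton, trace: List[Run], horizon: F,
             cycle_len: F, poll_offset: F) -> List[Tuple[F, str]]:
    """Cycle loop: poll at (cycle start + poll_offset); at the cycle end run the
    test.  A polled input in S_e(q) is ignored while the state clock y is below
    S_t(q), otherwise delta is applied.  State changes are timestamped at the
    cycle end (phase 3 -> 0).  Output phase omitted; constant cycle length."""
    assert 0 < poll_offset < cycle_len
    q, entered, t = plc.q0, F(0), F(0)
    trajectory = [(F(0), q)]
    while t + cycle_len <= horizon:
        a = input_at(trace, t + poll_offset)
        t += cycle_len                       # end of this cycle: test transition
        y = t - entered                      # time spent in the current state
        if a in plc.S_e.get(q, set()) and y < plc.S_t.get(q, F(0)):
            continue                         # delay still running: input ignored
        nxt = plc.delta[(q, a)]
        if nxt != q:
            q, entered = nxt, t
            trajectory.append((t, q))
    return trajectory


def state_runs(trajectory: List[Tuple[F, str]], horizon: F) -> List[Run]:
    """Maximal intervals (t0, t1, q) on which the state observable equals q."""
    ends = [t for t, _ in trajectory[1:]] + [horizon]
    return [(t0, t1, q) for (t0, q), t1 in zip(trajectory, ends)]


def dc15_violations(plc: PLCAutomaton, trace: List[Run],
                    trajectory: List[Tuple[F, str]], horizon: F) -> list:
    """dc-15: after q has held for S_t(q), a phase where q and an input a with
    delta(q, a) != q both hold ends before S_t(q) + 2*eps have elapsed since the
    start of the q-prefix.  Returns (q, a, e1, e3) witnesses breaking the bound."""
    witnesses = []
    for t0, t1, q in state_runs(trajectory, horizon):
        st = plc.S_t.get(q, F(0))
        if st <= 0:
            continue
        for b, e, a in trace:
            if plc.delta[(q, a)] == q:
                continue
            b2, e2 = max(b, t0), min(e, t1)  # part of the a-run inside the q-run
            if e2 <= b2:
                continue
            e1 = max(t0, b2 - st)            # earliest start of the q-prefix
            if e1 + st >= e2:
                continue                     # no (q and a)-phase after the delay
            if e2 - e1 >= st + 2 * plc.eps:
                witnesses.append((q, a, e1, e2))
    return witnesses


# Constructed example automaton: an alarm held for at least 5 time units;
# 'ok' polled during that delay is ignored, afterwards 'ok' clears it.
PLC = PLCAutomaton(
    delta={("idle", "ok"): "idle", ("idle", "hot"): "alarm",
           ("alarm", "hot"): "alarm", ("alarm", "ok"): "idle"},
    q0="idle", eps=F(1, 2),
    S_t={"idle": F(0), "alarm": F(5)},
    S_e={"idle": set(), "alarm": {"ok"}},
)
# Constructed input trace: 'hot' for one time unit, then 'ok' until the horizon.
TRACE: List[Run] = [(F(0), F(2), "ok"), (F(2), F(3), "hot"), (F(3), F(20), "ok")]
HORIZON = F(20)


def check(cycle_len) -> Tuple[List[Tuple[F, str]], list]:
    """Simulate with the given cycle length (Fraction or string such as '2/5')
    and return the state trajectory together with the dc-15 violations."""
    traj = simulate(PLC, TRACE, HORIZON, F(cycle_len), F(1, 10))
    return traj, dc15_violations(PLC, TRACE, traj, HORIZON)


if __name__ == "__main__":
    for L in ("2/5", "6/5"):   # 2/5 respects eps = 1/2, 6/5 exceeds it
        traj, bad = check(L)
        print(f"cycle {L}: {[(str(t), q) for t, q in traj]} -> violations {bad}")
```

With a cycle length of 2/5 (below the assumed $\varepsilon = 1/2$) the alarm is left at time 38/5, inside the dc-15 bound of $12/5 + 5 + 2\varepsilon$. With a cycle length of 6/5 the same automaton leaves the alarm only at 48/5, six units after entering it, and the checker reports the violation. The formulae therefore guarantee nothing about a controller whose real cycle time exceeds the $\varepsilon$ it was verified against; in practice that bound has to be enforced (for instance by a cycle-time watchdog) for the logical semantics to remain sound for the deployed device.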
Initial Phase
The proofs for the formulae for the initial phase are analogous to the proofs of the corresponding formulae that we have proved above. Instead of the state change which is used to mark the beginning of a cycle in the above formulae, we use that initially $s_0.\mathrm{phase} = 0$ and $v_0(y) = v_0(z) = 0$.
Completeness
This section is entirely devoted to the proof of the following

The construction of $r$ proceeds inductively by considering successive time intervals, each one lasting from one change of state to the next change of state. We construct a run of the timed automaton as follows: We start at time $t = 0$. Iteratively, for each interval we derive restrictions on the observable input from the behaviour of the observable state and the set $F$ of DC formulae. For the resulting patterns of observable input and state we construct a sequence of cycles as part of a run of the timed automaton. The run constructed in this way is diverging. This follows from the finite variability of observables: in each finite interval there is only a finite number of different values for each observable. In the context of our construction we have only a finite number of intervals to investigate within each finite interval of time. For each finite interval that we consider in the case distinction below we will only construct a finite number of cycles for the run of the timed automaton.
Basically, we distinguish the following two cases of behaviour.

Formula (dc-7) (or (dc-7') for the initial interval) says that within $]t, t+\varepsilon[$ there is some input $i$ with $\delta(q,i) = q$. Choose the first $i$-interval.

In the interval $]t' - \varepsilon, t'[$ there is some input $i_2$ that is responsible for the state change, i.e., $\delta(q,i_2) = q_2$, which follows from (dc-4). Choose the last of all $i_2$-intervals and denote it by $]b,e[$. We claim that input $i$ precedes input $i_2$. Suppose this is not the case. Then $e < t'$ and we obtain a contradiction by applying (dc-8) (or (dc-8') for the initial interval) with $A = \{a \mid \delta(q,a) \ne q\}$ ranging from $t$ to $e$, and $B = \{b \mid \delta(q,b) \ne q_2\}$ ranging from $e$ to $t'$. The cycles of the run constructed are as follows: the first cycle starts at $t$, and polls input $i$ within the first $\varepsilon$-interval. The first cycle ends before input $i_2$ ends, later than $t' - \varepsilon$, but not later than $t + \varepsilon$. In the second cycle input $i_2$ is polled and the cycle ends at $t'$.
1.1.3. $t' - t > 2\varepsilon$: state $q$ is stable for more than $2\varepsilon$

As in the previous case we have that in the interval $]t' - \varepsilon, t'[$ there must be some input $i_2$ responsible for the state change, i.e., $\delta(q,i_2) = q_2$, which follows from (dc-4). We choose the last of all $i_2$-intervals and denote it by $]b,e[$. Next, we have to close the gap between $t$ and $b$ by a suitable sequence of intervals, such that in each of them there is some input $i$, and on $]e_k, b]$ no inputs $i$ hold for which $\delta(q,i) = q$ is valid. The gaps between two intervals of the sequence are less than $2\varepsilon$, which follows from (dc-11), i.e. $b_{j+1} - e_j < 2\varepsilon$ for $1 \le j < k$. If $e = t'$ then we infer by (dc-11) that $t' - e_k < 2\varepsilon$. Also if $e < t'$ we can derive $t' - e_k < 2\varepsilon$: assume $t' - e_k \ge 2\varepsilon$ and apply (dc-12) to the interval $[t' - 2\varepsilon, t']$ with an $A$-phase ranging from $t' - 2\varepsilon$ until $e$ to obtain a contradiction (use the assumption that the $]b,e[$-interval is the latest one). Having fixed this sequence of intervals we can construct the run of the timed automaton in detail.

[Figure: state $q$ with the input intervals $]b_j, e_j[$, $]b_{j+1}, \ldots[$ for inputs $i$, and the polling points placed $\varepsilon$ apart.]

Intuitively, we start at $t$ and jump from interval to interval (as if they were ice floes) until we reach input $i_2$.

In each (open) interval we place a polling transition at the very beginning, followed by (at least) one complete cycle, and a polling transition at the very end, such that the distance between both is less than $2\varepsilon$, and such that, for each $1 \le j \le k$, $p_{b_j} < p_{e_j}$.³

iv. If, for some $1 \le j \le k$, $\lfloor (p_{e_j} - p_{b_j}) / \varepsilon \rfloor = n > 0$ then we add $n$ polling points such that the distance between the polling points in the interval is less than $\varepsilon$. Finally, we place a cycle end right in the middle of each pair of adjacent polling points.

³ It could also be some other input $i$.

Basically, this case works as case 1.1. The only difference is that now input from $S_e(q)$ that has to be delayed plays the same rôle as input $i$ with $\delta(q,i) = q$ in 1.1: it causes $q$ to continue in the next cycle.
Substitute $i \in S_e(q)$ for $\delta(q,i) = q$ in the proofs for case 1. The formulae applied there take the versions for delay according to the following table (here dc-x(') stands for dc-x and dc-x'):

case 1.1:  dc-3(')  dc-4     dc-7(')  dc-8(')   dc-11  dc-12
here:      dc-5(')  dc-6(')  dc-9(')  dc-10(')  dc-13  dc-14(')

1.2.2. $S_t(q) \le t' - t < S_t(q) + 2\varepsilon$: $q$ holds for at least the delay time, but less than $2\varepsilon$ longer than the delay time

Like in case 1.1.3, a sequence of intervals has to be identified where the inputs cause state $q$ to be stable also in the next cycle. Before the delay time $S_t(q)$ has passed, input from $S_e(q)$ has this property; afterwards it is input $i$ with $\delta(q,i) = q$. By (2) we know that $S_t(q) > 2\varepsilon$. Hence, by (dc-9) (or (dc-9') for the initial interval), there must be some input $i_e \in S_e(q)$ within the interval $]t, t+\varepsilon[$. Next we use (dc-13), which says that the distance between intervals of input from $S_e(q)$ is less than $2\varepsilon$, to construct a sequence of $S_e(q)$-intervals, such that consecutive elements of the sequence are less than $2\varepsilon$ apart, and the last interval ends somewhere in $]t + S_t(q) - 2\varepsilon, t + S_t(q)[$. By (dc-4), we know that some input $i_2$ responsible for the state change at $t'$ (so $\delta(q,i_2) = q_2$) occurs in the interval $]t' - \varepsilon, t'[$. We choose the latest subinterval of $]t' - \varepsilon, t'[$ with input $i_2$ and denote it by $]b,e[$. By placing the test transition for the last cycle at $t'$ we can ensure that the input $i_2$ is not ignored and the required transition to $q_2$ is made. We also need some input $i$ in the interval $]t' - 2\varepsilon, e[$ that causes $q$ to be stable in the last $2\varepsilon$ interval $]t' - 2\varepsilon, t'[$. Because the end of the delay time $t + S_t(q)$ happens to be in the interval $]t' - 2\varepsilon, t']$, this input may occur before $t + S_t(q)$, in which case it is in $S_e(q)$, or after $t + S_t(q)$ with $\delta(q,i) = q$. In order to prove that input $i$ exists, we distinguish between five cases:

i. $t + S_t(q) < e < t'$. Apply (dc-19) with $A$ from $t' - 2\varepsilon$ to $t + S_t(q)$, $B$ from $t + S_t(q)$ to $e$, and $C$ from $e$ to $t'$. Note that input $i$ may overlap with $i_2$ if $b < t + S_t(q)$. In this case we use input $i_2$ once to remain in state $q$ and once to jump out of it!

ii. $t + S_t(q) < e = t'$. Apply (dc-17) with $A$ from $t' - 2\varepsilon$ to $t + S_t(q)$, and $B$ from $t + S_t(q)$ to $e$. Again input $i$ may overlap with $i_2$.

iii. $t + S_t(q) = e = t'$. Above we already showed that an input from $S_e(q)$ occurs in the interval $]t + S_t(q) - 2\varepsilon, t + S_t(q)[$. By the assumptions, this interval coincides with $]t' - 2\varepsilon, e[$.

iv. $t + S_t(q) = e < t'$. Apply (dc-18) with $A$ from $t' - 2\varepsilon$ to $t + S_t(q)$, and $B$ from $t + S_t(q)$ to $t'$. Again input $i$ may overlap with $i_2$.

v. $t + S_t(q) > e$. Apply (dc-18) with $A$ from $t' - 2\varepsilon$ to $e$, and $B$ from $e$ to $t'$.

In the case that $e > t + S_t(q)$, we can apply (dc-17) to show that the distance between $i$ and the previous $S_e(q)$-input is less than $2\varepsilon$. Altogether, we have the desired sequence of intervals, and finally we choose the polling, testing and cycle end points as in case 1.1.3.
1.2.3. $S_t(q) + 2\varepsilon \le t' - t$: $q$ lasts at least $2\varepsilon$ longer than the delay time

Again, the proof idea is very much the same as in case 1.1.3. We have to find a sequence of intervals with input that causes $q$ to continue in the next cycle. For the interval $]t, t + S_t(q)[$ input $i_e \in S_e(q)$ has this effect; afterwards, in $]t + S_t(q), t'[$, we need input $i$ with $\delta(q,i) = q$. We now argue that a sequence of intervals with the necessary input exists.

Within the first $\varepsilon$-interval $]t, t+\varepsilon[$ there must be some input $i_e \in S_e(q)$, according to (dc-9) (or (dc-9') for the initial interval). We can conclude from (dc-13) that the gaps between subsequent intervals of input

Usually only natural numbers are allowed as constants in the clock constraints, but in order to associate a timed automaton to each PLC-Automaton our definition allows for real-valued constants. The price we have to pay is that we cannot model-check this kind of timed automata. However, as long as the PLC-Automaton uses only discrete delays and a discrete cycle time, the corresponding timed automaton semantics uses only discrete time constants, too.
B Duration Calculus
In this section we recall the Duration Calculus (DC) [19]

$\int P$ measuring the duration of $P$, i.e. the accumulated time $P$ holds in the given interval. Semantically, $\int P$ denotes $\int_b^e P_{\mathcal{I}}(t)\,dt$ on the interval $[b,e]$. Real-valued operators applied to duration terms are also duration terms.

Duration formulae are built from boolean-valued operations on duration terms and the special symbols $\mathit{true}$ and $\mathit{false}$, and they are closed under propositional connectives, the chop operator ";", and quantification over rigid variables. Their truth values depend on a given interval. We use $F$ for a typical duration formula. The constants $\mathit{true}$ and $\mathit{false}$ evaluate to true resp. false on every given interval. The composite duration formula
