We present a hierarchical version of timed automata, equipped with data types, hand-shake synchronization, and local variables. We describe the formal semantics of this hierarchical timed automata (HTA) formalism in terms of a transition system.
Introduction
Hierarchical structures are a powerful mechanism to describe complex systems. They benefit from concepts like modularity and encapsulation and scale up well in industrial settings.
Modeling languages-like UML [BRJ98] -use hierarchical structures to organize design and specifications in different views of a system, meeting the needs of developers, customers, and implementors. In particular, they capture a notion of correctness, in terms of requirements the system has to meet. Formal methods typically address model correctness, for they operate on a (possibly very close) mathematical formalization of the model. This makes it possible to prevent errors inexpensively at early design stages. Of particular interests are statechart-like models [Har87, HG97] , that describe a behavioral view and allow execution of a model on a high level.
Our ambition is to build a hierarchical real-time formalism-called hierarchical timed automata model or HTA model for short-, that can be used as input for model-checking tools. Correctness requirements are expressed in a dialect of the TCTL [HNSY94] logic. If we want to preserve decidability, this dictates restrictions on the expressiveness of the model. We need a formal definition of the semantics of this formalism to define the set of legal executions.
HTAs are based on preliminary work done by Wang and David [DY00] , but apply some significant changes. In HTAs, both entries and exits of superstates as immediate and nonblocking. In order to give a clear semantics, our abstract-and concrete XML-syntax contains strong well-formedness constraints. These do not weaken the expressiveness, but make the task of constructing models more tedious in practice. As a remedy for the user, a sufficiently smart editor can operate on a less restrictive input-language, that is pre-compiled to our XML syntax, while possibly asking the user to resolve all ambiguities on demand.
For the real-time aspect, we use constructs from timed automata theory, i.e., formal clocks, clock resets, and invariants.
The multitude of modeling elements in hierarchical structures makes it subtle to construct a both clean and usable model-checking engine. Algorithms formulated for simpler structures tend to be more reliable, better analyzed, and tuned for efficiency in many cases. To experiment with our formalism, we describe a translation of HTAs to (flat) Uppaal timed automata, and use this as a test-bed for our formalism. To represent HTAs physically, we use a XML document type definition [XML] , that shapes the internal model representation of a fictitious tool (nicknamed HUppaal).
Plan This report is organized as follows. Section 2 gives a informal description of our hierarchical timed automata model. Section 3 contains the formal syntax of HTAs. Section 4 gives a formal semantics for the HTA model. Section 5 describes our implementation of a flattening procedure. In Section 6 we exemplify our flattening procedure on a cardiac pacemaker model and give run-times for applying Uppaal's model checking engine on the translation. Section 7 lists unresolved issues and future work. The Appendix contains the full document type definitions of (hierarchical) HUppaal and (flat) Uppaal, and finishes with a small glossary. 
Hierarchical Timed Automata: Informal Overview
This section contains an informal description of hierarchical timed automata. They find physical representation through the XML document type definition in Appendix A.
Elements of the HTA Structure
Hierarchical timed automata are basically hierarchical state machines, that can be put in parallel on various levels. The basic units of control are called locations, which may be basic states or superstates, i.e., itself a (hierarchical) state machine. In the latter case, the contained locations are called substates. At any point, a location is either active or inactive. Superstates can be of type XOR (where exactly one substate is active, if the superstate is active) or of type AND (where every substate is active if the superstate is active).
Transitions connect locations. If source or target of a transitions is a superstate, the transition connects to distinguished entries and exits. These are auxiliary structures and sometimes referred to as pseudo-locations. Pseudo-locations are different from ordinary (proper) locations, since they mark intermediated steps in a more complex transition, and cannot be part of a proper configurations, see below.
Transitions can be equipped with guards, assignments and at most one synchronization. Transitions are enabled, if their guards evaluate to true (in the current configuration), the synchronization (if any) is possible and they can reach a target configuration. A transition is not enabled, if taking it would lead to a configuration where a location invariant is violated.
As auxiliary constructs, pseudo-transitions ( connector s 1 ) are used. At least one end of a pseudo-transition connects to a pseudo-location. Pseudo-transitions cannot be augmented with synchronizations, but in special situations may carry guards and/or assignments, as explained in Section 3 in detail.
Integer variables are shared (multi-read, multi-write), and may occur in guards and assignments. As a real-time construct, hierarchical timed automata are equipped with clocks. Clocks are understood as real-valued variables that change continuous and synchronous as time passes. Clocks can be reset to 0 on transitions, but not set to specific values. Clock values can occur in guards in a syntactically restricted fashion 2 . They can also occur in invariants, but only downwards closed, i.e., either as an expression x < c or x ≤ c, where c is an integer constant.
Hand-shake communication exits between parallel superstates by means of sending (!) or receiving (?) a signal on a channel. Two parallel automata can synchronize on transitions by executing them at the same instant. If they are equipped with conflicting variable assignments, the one of the transition labeled with "!" is executed first. Channels may be declared locally, restricting the potential participants in a hand-shake communication. We have to assure, that the control situation remains valid after processing both transitions. A transition t originating in a superstate S cannot synchronize with a transition inside S, for processing t corresponds to rendering S inactive.
There is a top level, where a parallel composition of fundamental superstates is specified. They are understood as running in parallel, but not put together in an AND superstate for ease of usage: we assume, that system designers will frequently change this part, e.g., to test a controller with respect to different environments put in parallel. Therefore, this parallel composition is realized textually via the system tag. For the fundamental superstates, an initial entry has to be declared ( globalinit ). Moreover, they are allowed to terminate if specified so (canexit attribute in globalinit ), i.e., they can reach a special halt situation that can never be revoked.
3
In the following, we describe entry and exit of superstates.
Entries Every superstate has a set of entries, that build part of its interface to the outside world. They are denoted by a stub, or alternatively, by a bullet: •. Transitions connect to superstates via entries.
Default Entry
Optionally, a superstate S can have one entry, that is declared to be the default entry. If a transition on the next higher level ends at the border of S, without pointing to an explicit entry, it is assumed to lead to this default entry. In the case that no default entry is declared, such a transition is an error in the model.
History Entry
A superstate may be declared to be a history-superstate, by equipping it with a special history entry, designated by a capital H in a circle, H . If the superstate is entered via this, the last control location this superstate was in (before it became inactive) is restored. Additionally, all locally declared variables are restored. The locally declared clocks are not reset, but kept running. Only clocks explicitly declared as forgetful clock are set to 0 on entry via a history entry.
A history entry has to be equipped with a default history location, which is entered, if this is the first time the superstate becomes active. This location may be non-basic itself.
Every non-basic substate of S of a history superstate H is constrained to have either a history entry or a default-entry. If H is entered via the history entry, and the control points to S, then S is entered either via its history entry, or via the default entry, if S has no history entry.
There is no explicit deep history entry, that guarantees to instantiate the history of all enclosed substates as well. However, this can be expressed explicitly, by adding a history entry to all such substates and their descendants.
Forks Forks split the control to parallel substates. A fork can carry assignments and clock resets, but no guards or synchronization. Forks may trigger a cascade of other forks, that are all part of the same transition step. For simplicity, we treat here every entry of an AND superstate as a fork, i.e., it is required to have an outgoing transition to every substate and these transition are understood to be taken in parallel.
Local Clocks Clocks may be declared local to a superstate S. The first time S becomes active, these clocks are set to 0. On re-entry, local clocks are re-set to 0 as well, with one exception: ordinary local clocks are not re-set, if S is entered via an history entry. They can be thought of as kept running when S becomes inactive. Their value increases in accordance to the global clock. In general, it is not predictable whether it will be re-entered via a history entry or not.
The local clocks declared to be forgetful clock are always reset on entry, even this happens via a history entry.
Location Invariants Transitions t to locations carrying an invariant can only be taken, if the invariant evaluates to true (after possible clock resets executed along t). This generalizes in the situation, where a transition points to a non-basic location: it can only be taken, if the invariants of all reached locations (in case of a fork, there can be several) evaluate to true after executing the run-to-completion step.
Exits Explicit exits are denoted by a stub, or-alternatively-by a bullseye ( • ). Pseudotransitions leading to an exit can only be taken, if the transition step associated with it can be taken as a whole. (This is in conformance with the UML notion of run-to-completion steps.) For notational convenience, various copies of explicit exits can be present in the same superstate. They are identified by sharing the same name.
As a well-formedness constraint, every exit that is reached by a transition, has to be connected to a transition or pseudo-transition on the next-higher level.
[guard] 
Default Exits
The understanding of a default exit is a specially designated exit, that can be reached either unconditionally or guarded from every enclosed location. This implies, that all non-basic substates are required to have default exits as well. If the guard is identical to true, this explicitly denotes a superstate to be interrupt-able, since it can be left in any case (provided it can synchronize on exit with parallel substates; typically, one of them will trigger the interrupt).
From the inside, they are not visible in general. But they can be indicated by an unlabeled general exit, see Figure 1 .
Joins Joins are auxiliary constructs in AND superstates, that move control upward one level, after all substates became inactive. A join can carry guards, but no synchronization, clock resets, or assignments. Joins may be required to synchronize with other joins, that are all part of the same transition. In our notion, either all or none of them are taken.
We make the simplifying assumption, that every join can be associated with exactly one exit. Therefore we treat exits of AND superstates as joins.
4
A configuration describes a snapshot of the system. In particular, every configuration 1. marks every location of the system as active or inactive 2. denotes one control location for every active XOR superstate 3. defines a value for every global variable and clock, and every local variable and clock of active superstate 4. defines a value for every local variable and local clock for every active superstate and the inactive ones, that contains a history entry
We call a configuration proper, if it does not contain pseudo-locations. A run-to-completion step is a tuple consisting of a proper source configuration, a step (that is either a proper transition or a sequence containing one proper transition and arbitrary many pseudo-transitions), and a proper target configuration (that is reached from the source configuration via execution of this step).
Dynamics of Transitions
An execution step of the model is either an action step or a delay step. An action step corresponds to executing one run-to-completion step, or-in case of synchronization-two synchronizing run-to-completion steps in an atomic fashion. A run-to-completion step is composed from one proper transition and arbitrary many pseudo transitions. Pseudo-transitions to exits are allowed to have guards, but no assignment, clock-resets or synchronization labels. This guarantees that, given the conjunction of the guards evaluates to true in this configuration, the join can be executed to completion.
Urgency Urgency is a property of transitions and marks them as having priority over delay. If an urgent transition is enabled, the system is not allowed to delay, but must take an action transition as the next step.
Urgency cannot be only be used to resolve conflicts between action transitions and delay transition. An urgent action transition does not have priority over a non-urgent one, if both of them are enabled.
Lax Input Language
For notational convenience, it makes sense to allow a user to draw statechart diagrams in a more liberal way. In most cases, this can be safely translated to an explicit formulation. Some examples of this are given in Figure 2 . Note that arrows on the left-hand side are sometimes replaced by sequences, that contain pseudo-states (stubs), pseudo-transitions, and exactly one ordinary transition. This is the one, where guards, assignments and synchronizations are attached. Following the UML notion of run-to-completion steps, the understanding of the explicit notation is identical with the (usual) interpretation of the lax notation.
In case of ambiguity, we expect a model editor to be clever enough to resolve the choices explicitly. In the following we always assume to have the explicit format, for this makes the task of formalizing the semantics easier.
Formal Syntax of HTAs
In this section we define the formal syntax of hierarchical timed automata. This is split up in the data parts, the structural parts, and a set of well-formedness constraints.
Data Components
We introduce the data components of hierarchical timed automata, that are used in guards, synchronizations, resets, and assignment expressions. Some of this data is kept local to a generic location, denoted by l.
Integer variables Let V be a finite set of integer variables. V (l) ⊆ V is the set of integer variables local to a superstate l. Channels Let Ch a finite set of synchronization channels. Ch(l) ⊆ Ch is the set of channels that are local to a superstate l, i.e., there cannot be synchronization along a channel c ∈ Ch(l) between one transition inside l and one outside l. Guards and invariants A data constraints is a boolean expressions of the form A ∼ A, where A is an arithmetic expression over V and ∼∈ {<, >, =, ≤, ≥}. A clock constraints is an expressions of the form x ∼ n or x − y ∼ n, where x, y ∈ C and n ∈ N with ∼∈ {< , >, =, ≤, ≥}. A clock constraint is downward closed, if ∼∈ {<, =, ≤}. A guard is a finite conjunction over data constraints and clock constraints. An invariant is a finite conjunction over downward closed clock constraints. Guard is the set of guards, Invariant is the set of invariants. Both contain additionally the constants true and false.
Synchronizations
Assignments A clock reset is of the form x := 0, where x ∈ C. A data assignment is of the form v := A, where v ∈ V and A an arithmetic expression over V . Reset is the set of clock resets and data assignments.
Structural Components
We give now the formal definition of our hierarchical timed automaton.
Definition 1 A hierarchical timed automaton is a tuple S, S 0 , δ, σ, V, C, Ch, T where
• S is a finite set of locations. root ∈ S is the root.
• S 0 ∈ S is a set of initial locations.
S . δ maps l to all possible substates of l. δ is required to give rise to a tree structure with root root. We readily extend δ to operate on sets of locations in the obvious way.
• σ : S → {AND, XOR, BASIC, ENTRY, EXIT, HISTORY} is a type function on locations.
• V, C, Ch are sets of variables, clocks, and channels. They give rise to Guard, Reset, Sync, and Invariant as described in Section 3.1.
• Inv : S → Invariant maps every locations l to an invariant, possibly to the constant true. 
Notational conventions We use the predicate notation TYPE(l) for T Y P E ∈ {AND, XOR,BASIC,ENTRY,EXIT,HISTORY }, l ∈ S. E.g., AND(l) is true, exactly if σ(l) = AND.
The type HISTORY is a special case of an entry. We use HENTRY(l) to capture simple entry or history entry, i.e.,
HENTRY(l) stands for ENTRY(l) ∨ HISTORY(l).
We define the parent function
We use δ * (l) to denote the set of all nested locations of a superstate l, including l. δ − * is the set of all ancestors of l, including l. Moreover we use δ
We introduceδ to refer to the children, that are proper locations.
We use V + (l) to denote the variables in the scope of location l:
and Ch + (l) are defined analogously.
Well-Formedness Constraints
We give the rules to ensure consistency of a given hierarchical timed automaton.
Location constraints
We require a number of sanity properties on locations and structure.
The function δ has to give rise to a proper tree rooted at root, and S = δ * (root). Basic nodes are empty:
Substates of AND superstate are not basic: AND(l) ∧ n ∈ δ(l) ⇒ ¬BASIC(n).
Invariants of pseudo-locations are trivial:
Initial location constraints S 0 has to correspond to a consistent and proper control situation, i.e., root ∈ S 0 and for every l ∈ S 0 it the following holds:
Variable constraints We explicitly disallow conflict in assignments in synchronizing transitions:
where vars(r) is the set of integer variables occurring in r. We require an analogous constraint to hold for the pseudo-transitions originating in the entry of an AND superstate.
Static scope: For l g,s,r,u 
Entry constraints Let e ∈ S, HENTRY(e). If XOR(δ
, and e i ∈ δ(l i ). In case of HISTORY(e), outgoing transitions declare the default history locations. If a superstate s has a history entry, then every substate l of s has to provide either a history entry or a default entry.
Transition constraints Transitions have to respect the structure given in δ and cannot cross levels in the hierarchy, except via connecting to entries or exits. The set of legal transitions is given in Table 1 Note that transitions cannot lead directly from entries to exits.
Transitions l 
Operational Semantics of HTAs
We present the operational semantics of our hierarchical timed automaton model. A configuration captures a snapshot of the system, i.e., the active locations, the integer variable values, the clock values, and the history of some superstates. Configurations are of the form (ρ, µ, ν, θ), where
• ρ : S → 2 S captures the control situation. ρ can be understood as a partial, dynamic version of δ, that maps every superstate s to the set of active substates. If a superstate s is not active, ρ(s) = ∅. We define Active(l)
• µ : S → (Z) * . µ gives the valuation of the local integer variables of a superstate l as a finite tuple of integer numbers. If ¬Active(l) then µ(l) = λ (the empty tuple). If Active(l) then we require that |µ(l)| = |V (l)| and µ is consistent with respect to the value of shared variables (i.e., always maps to the same value). We use µ(l)(a) to denote the value of a ∈ V (l). When entering a non-basic location, local variables are added to µ and set to an initial value (0 by default). We use the shorthand 0 V (l) for the tuple (0, 0 . . . 0) with arity |V (l)|.
• θ reflects the history, that might be restored by entering superstates via history entries.
It 
Reached locations by forks In order to denote the set of locations reached by following a fork, we define the function Targets θ : 2 S → 2 S relative to θ.
We use the notation Targets θ (l) for Targets θ ({l}), if the argument is a singleton. Targets * θ is the reflexive transitive closure of Targets θ .
Configuration vector transformation Taking a transition t : l g,s,r,u
−−−→ l entails in general 1. executing a join to exit l, 2. taking the proper transition t itself, and 3. executing a fork at l . If l (respectively l ) is a basic location, part 1. (respectively 3.) is trivial. Together, this defines a run-to-completion step. We represent a run-to-completion step formally by a transformation function T t , which depends on a particular transition t. The three parts of this step are described as follows.
ν is updated to
If EXIT(l), the history is recorded. Let H be the set of superstates h ∈ ρ × (δ −1 (l)), where HasHistory(h) holds. Then θ
. r(µ 1 ) denotes the updated values of the integers after the assignments and r(ν 1 ) the updated clocks after the resets. 3. fork:
3 ) by moving the control to all proper locations reached by the fork, i.e., those in Targets *
Thus we can compute ρ 3 as follows: 
If the context is unambiguous, we use ρ Tt and ν Tt for the parts ρ 3 respectively ν 3 of the transformed configuration corresponding to transition t.
Starting points for joins A superstate s can only be exited, if all its parallel substates can synchronize on this exit. For an exit l ∈ δ(s) we recursively define the family of sets of exits PreExitSets(l). Each element X of PreExitSets(l) is itself a set of exits. If transitions are enabled to all exits in X, then all substates can synchronize.
PreExitSets(n i ), where
PreExitSets(m), where m
Here, the operator : Rule predicates To give the rules, we need to define predicates that evaluate conditions on the dynamic tree ρ. We introduce the set set of active leaves (in the tree described by ρ), which are the innermost active states in a superstate l:
The predicate expressing that all the substates of a state l can synchronize on a join is:
Note that JoinEnabled is trivially true for a basic location l.
For the invariants of a location we use a function Inv ν : S → {true, false}, that evaluates the invariant of a given location with respect to a clock evaluation ν. We use the predicate Inv(ρ, ν) to express, that for control situation ρ and clock valuation ν all invariants are satisfied.
Inv(ρ, ν)
We introduce the predicate TransitionEnabled over transitions t : l g,s,r,u −−−→ l , that evaluates to true, if t is enabled.
Since urgency has precedence over delay, we have to capture the global situation, where some urgent transition is enabled. We do this via the predicate UrgentEnabled over a configuration.
Rules We give now the action rule. It is not possible to break it in join, action, and fork because the join can be taken only if the action is enabled and the action is taken only if the invariants still hold after the fork.
Here g is the guard of the transition and r the set of resets and assignments. The urgency flag u has no effect here. This rule applies for action transitions between basic locations as well as superstates. In the later case, this includes the appropriate joins and/or fork operations.
The delay transition rule is:
where ν + d stands for the current clock assignment plus the delay for all the clocks. Time elapses in a configuration only when all invariants are satisfied and there is no urgent transition enabled.
The last transition rule reflects the situation, where two action transitions synchronize via a channel c.
We choose a particular order here but it is not crucial since our well-formedness constraints ensure, that the assignments cannot conflict with each other.
If no action transition is enabled or becomes enabled when time progresses, we have a deadlock configuration, which is typically a bad thing. If in addition time is prevented to elapse, this is a time stopping deadlock. Usually this is an error in the model, since it does not correspond to any real world behavior.
Our rules describe all legal sequences of transitions. A trace is a finite or infinite sequence of legal transitions, that start at the initial configuration S 0 , with all variables and clocks set to 0. For our purposes it suffices to associate a hierarchical timed automaton semantically with the (typically infinite) set of all derivable traces.
15
In this section we give a detailed description of our flattening procedure, that translates our hierarchical timed automaton model to to a parallel composition of (flat) Uppaal timed automata [LPY97] .
XML] to ease lexing and parsing. Code and Java documentation can be found at http://www.brics.dk/~omoeller/hta/vanilla-1/. Since this amounts to 9359 lines of documented code, we strive to give a concise description here.
The fundamental concept of our flattening algorithm is the translation of every hierarchical superstate into one Uppaal automaton. All these automatons are put in parallel. This can lead to an exponential blow-up in terms of templates, or in other words, of the model size. This is a consequence of the fact that hierarchical models can be exponentially more concise [AKY99] . Some auxiliary structures have to be introduced in order to mimic the behavior of hierarchical machines adequately.
Outline of the Flattening Algorithm
The basic concept of the procedure is the translation of instantiated templates. For every superstate occurring in the HTA model, one Uppaal template is constructed. However, this cannot be done in an transducer fashion. Since parallel states synchronize on exit, information about exits depends on other parts, that may not have been translated yet.
Thus the translation has three phases: collection of instantiations, computation of global joins, and post-processing channel communication.
For sake of clarity, we choose to omit various thinkable optimizations. For example, XOR substates of XOR superstates or AND substates of AND superstates are not lifted, even if there are no local variables on the lower levels.
Phase I: Collection of Instantiations
In this phase, the (implicit) hierarchical instantiation tree is traversed and for every hierarchical superstate, the skeleton of a (flat) template is constructed.
Initially, the direct children of the root are on the stack, i.e., the fundamental superstates as contained in the system element. How exactly the superstates I are translated is dependent on their type, that is either XOR or AND.
Algorithm: PHASE I: instantiateTemplates

input:
Stack S of superstates to translate output: Set T of (flat) timed automata Set GJ of global join starting points Translation of XOR Superstates. In a hierarchical XOR template X, at most one location is active at the same point in time. To represent the situation that none is active, we introduce -in the translationX-the special location X_IDLE, which is also the initial state. All entries are translated by a transition from X_IDLE.
For every substate S of X we introduce a location S_ACTIVE_IN_X inX. In Figure 6 , the XOR superstate X has only one substate S. X and S are translated to the two timed automatons in Figures 9 and 10 . 5 Moreover, for every entry e of S we introduce an auxiliary location inX, called X_AUX_S_e. These are declared committed and are connected to S_ACTIVE_IN_X with a transition, that synchronizes on a signal enter_S_in_X_via_e. Transitions leading originally to a S-entry e in X are represented in the translation by leading to X_AUX_S_e and trigger-without interleaving with other components-the activation of the substate S.
Exits of this substate S are more complicated, for they are only possible, if all non-basic substates of S can exit. This is described as global joins, see Section 5.2.
If superstate X is inactivated, this is realized in the translationX by transitions to IDLE_X, that are triggered by an exit_X synchronization channel. If the superstate X has a default exit, every non-auxiliary location inX has a transition to IDLE_X.
Translation of AND Superstates.
A hierarchical AND machine A is a parallel composition of sub-machines, where either none or all of them are active. In the translationÂ (Figure 3 ), these situations are represented by the locations A_IDLE and A_ACTIVE. If A is activated, this is always specific to a designated entry e i of A. The sub-machines S i of A are all entered, but the signals enter_Si_via_ej depend on the choice of ej. Therefore, for every entry there is a separate chain leading from A_IDLE to A_ACTIVE. The auxiliary locations in between are declared committed (marked by a c), thus there are no time delays possible.
The exit of A is represented inÂ via a transition from A_ACTIVE to A_IDLE, which carries the synchronization signal exit_A.
Phase II: Computation of Global Joins
Transitions originating from superstates are a subtle issue, for they may require a cascade of substate exits-called global join-in order to be taken. In Figure 4 (a), the substates S1, S2, and S3 have to be exited, before LOC can be reached. If Sn is active in S2, it has to be exited as well. In phase I of our flattening algorithm, the output GJ collects the topmost components, that have to be exited, if a transition (like to LOC in Figure 4 ) has to be translated. One entry in GJ can give rise to a number of global joins, possibly exponential in the depth of hierarchical structure. In Figure 4 , the locations L3a and L3b can be treated uniformly, but the location L1 has to be encoded in a different global join, where there is no exit of substate Sn.
Every possible global join is translated to a sequence like in Figure 4 (b). The auxiliary variable trigger keeps track of the number of active basic locations, that are connected to this global join via a transition to an exit. It has to reach the threshold value N to enable the first transition. Moreover, it has to be possible to mimic the transition to LOC, i.e., the guard (if any) has to be satisfied and synchronization (if any) has to be possible. Synchronization is not possible with transitions inside S1. If this situation arises in the given HTA model, we introduce new channels to avoid this conflict and duplicate transitions accordingly, see 5.3. Roughly this can be described with the pseudo-code expandGlobalJoins.
Phase III: Post-processing Channel Communication
If a transition in the hierarchical timed automaton formalism starts at a non-basic state S and carries a synchronization, it cannot synchronize with a transition inside S. Since the substate/superstate relation is lost in the translation, we have to resolve this scope conflict explicitly. In Vanilla-1 we do this by introducing duplications of channels and transitions.
We start with a priority queue Q over transitions that possibly can cause a conflict. These elements were collected during the construction of the global joins. Q is sorted obeying the partial order introduced by the substate/superstate relation on instantiations. Then the Forall transitionsl →m add the assignment trigger tree := trigger tree − 1 tol →m let N := number of leaf sets in tree let S tree := substates occurring in tree Forall transition t starting at root(tree) create a chain of transitions, starting witht, corresponding to exiting every s ∈ S tree / see Figure 4 (b); note the additional guard trigger tree ==N / post-processing can be described as in the pseudo-code snip-let postprocessChannels.
Correctness of the Translation
Starting at the root level, we can define a correspondence between every legal global state of the HTA model and its translation into Uppaal timed automata.
Every superstate S in the hierarchical timed automaton model corresponds exactly to one Uppaal timed automatonŜ. For proper configurations, we can relate ρ in the hierarchical timed automaton model to a control vectorρ in the Uppaal model. For an Uppaal automaton U,ρ(U) denotes the active location of U. For all XOR superstates X,ρ contains at positionX either a translation of a basic statel, sub_S_active_in_X, or IDLE, depending on whether ρ(X) maps to a basic state, to a substate S, or to ∅. For AND superstate A, ρ(Â) =IDLE if ρ(A) = ⊥ andρ(Â) = {Ŝ | S parallel substate of A} otherwise. The value of the introduced auxiliary variables is completely determined by the current control location, i.e., it is redundant for the configuration and only serves to enable or disable transitions. Since entries and exits in the Uppaal translation are guaranteed to take place without time delay (due to encoding with committed locations), data and clock evaluations u carries over without changes. If a hierarchical trace t exits, it can be mimiced by the translation in each step. Likewise, if a translationt of a hierarchical trace is legal in the Uppaal model, this is due to a sound sequence of entries and exits and corresponds to a trace in the hierarchical timed automaton formalism.
21
Example: Translation of a Cardiac Pacemaker
In this section we apply our flattening procedure on a hierarchical timed automaton version of a cardiac pacemaker model. This model is strongly motivated by the often-used UML design example, see e.g. [Dou99] . The pacemaker is put in parallel with a model of a human heart and a programmer, who changes operation modes on the pacemaker. We translate the hierarchical timed automaton model of this composition to an equivalent (flat) Uppaal timed automata model and explain the obtained automata in detail. Additionally, we report on run-time data of the formal verification of this translation with respect to safety and response properties. 
The Cardiac Pacemaker Model
The main component of the pacemaker is a XOR superstate with the two sub-states Off and On. If the pacemaker is on, it can in the different modes Idle, AAI, AAT, VVI, VVT, and AVI. The first letter indicates, to which chamber of the heart an electrical pacing pulse is sent (articular or ventricular). The second letter indicates, which chamber of the heart is monitored (articular or ventricular). In the Self Inhibited (I) modes, a naturally occurring heartbeat blocks a pulse from being sent, whereas in the Self Triggered (T) modes a pacing pulse will always occur, either triggered by a timeout or by the heart contraction itself.
For simplicity, we restrict to the operation modes Idle, VVT, VVI, and AVI. Of particular interest is the AVI mode, which is described as an AND superstate with two parallel substates. Thus, in our example only the ventricular chamber is observed, but a pace signal may be sent either to the ventricular or articular chamber. Heart Model. We use a simplified model of a human heart, that might require pacing ( Figure 6 ). The human heartbeat is in fact a complex sequence of chamber contractions, in this model we consider two chambers the (left) atrial and ventricular. A healthy heart will contract those in a steady rhythm, dictated by the time delays DELAY AFTER V and DELAY AFTER A. We use the local clock t to model this rhythm. Since in our example we only monitor the ventricular chamber, this one synchronizes on VSense, in case that anybody is listening (indicated by listening == 1).
After the contraction of the ventricular chamber, our model might non-deterministically stop beating on own account. If it does so for too long, the critical state Flatline is reached.
The pacemaker can send an impulse either to the atrial or ventricular chamber, i.e., synchronize on channels APace or VPace.
The particular heart chamber then is scheduled for contraction in the very next moment, no matter when these signals occur. This is modeled by using the default exit and re-entering at one of the leftmost locations.
Programmer Model. The signals commandedOn!, commandedOff!, toIdle!, toVVI!, toVVT!, and toAVI! are issued by a medical person, called the programmer in our context. We do not make assumptions, on how or in which order she issues these signals, but require a time delay of at least DELAY_AFTER_MODESWITCH after each signal. If one of the signals commandedOff! or toIdle! was issued, this is recorded in the binary variable wasSwitchedOff. Note that we equipped the pacemaker with default exits, thus it can always synchronize with these signals. The programmer is modeled by a two-state machine. In the first state, Modeswitch, any signal can be issued while entering the second state. The second state is left after exactly DELAY_AFTER_MODESWITCH time units. We introduced two extra states Random and Idle, to encode alternative behavior that is not relevant here.
Additionally, we allow the programmer to terminate at some point, i.e., reach a specific stop state that can never be revoked. We use our global exit construction for this. Termination is possible, whenever the programmer is in the Modeswitch state.
Translation to Uppaal Timed Automata
In the HTA model, the Programmer, Heart, and Pacemaker are put in parallel. Only the Programmer is allowed to terminate.
In the translation, this yields
• one automaton to start the three parts ( Figure 7) • one automaton for the Programmer (Figure 8) • two automata for the Heart, a top-level (Figure 9 ), where exit and re-entry happens and one for the substate (Figure 10 ), where the heart is beating • seven automata for the Pacemaker, put together as -one automaton for the top-level (Figure 11 ), where the pacemaker is either On or Off -one automaton for the VVI operation mode (Figure 13 ) -one automaton for the VVT operation mode (Figure 14) -three automata for the AVI operation mode, one for the AND superstate (Figure 15) and two for the substates listening to the ventricular chamber ( Figure 16 ) and pacing the articular chamber ( Figure 17) Over all, the increase in terms of model size was noticable, but moderate. Table 2 lists this data in detail. A large number of committed locations were introduced to encode entry and global joins. However, these forks and joins are triggering a deterministic sequence of actions and thus do not significantly increase the state space. A similar observation holds Figure 12 : Translation of the XOR superstate, where the pacemaker is active. It can reside in the locations Idle, VVIMode, VVTMode, and AVIMode. There are no direct transitions between these modes, the superstate has to be exited to change in between them.
Refractory VVI_TIME <= REFRACTORY_TIME WaitingforSense VVI_TIME <= SENSE_TIMEOUT WaitingforSenseAU VVI_TIME <= 0 Pacing VVI_TIME <= 0 IDLE PcOVVIdfltENTRYtrpcmkr2sbCmpt6VVIMd7? triggerVar4 := triggerVar4 + 1 VVI_TIME == REFRACTORY_TIME VVI_TIME := 0, V_listening := 1
VentricularChamberSense? VVI_TIME := 0 VVI_TIME == SENSE_TIMEOUT VVI_TIME := 0, V_listening := 0 VPace! VVI_TIME := 0 xtSglNR7? triggerVar4 := triggerVar4 -1 xtSglNR7?
triggerVar4 := triggerVar4 -1 xtSglNR7?
triggerVar4 := triggerVar4 -1 Figure 13 : Translation of the XOR superstate corresponding to the VVI Mode.
28
Refractory VVT_TIME <= REFRACTORY_TIME WaitingforSense VVT_TIME <= SENSE_TIMEOUT WaitingforSenseAU VVT_TIME <= 0 Pacing VVT_TIME <= 0 IDLE PcOVVTdfltENTRYtrpcmkr2sbCmpt6VVTMd8? triggerVar5 := triggerVar5 + 1 VVT_TIME == REFRACTORY_TIME VVT_TIME := 0, V_listening := 1
VentricularChamberSense? VVT_TIME := 0,V_listening := 0 VVT_TIME == SENSE_TIMEOUT VVT_TIME := 0, V_listening := 0 
Model-Checking the Uppaal Model
We used the translation as input to the Uppaal tool. The system as described is not deadlock free: when the programmer terminates after switching off the pacemaker, and the heart stops beating, a configuration is reached where time can delay indefinetley. In one variation, the programmer was explicitly disallowed to exit. In a second variation, the pacemaker could not be switched off. In both variations, deadlock freedom was established via a run of the model-checking engine on a true invariant with switch settings -Aa (convex hull approxiation and active clock reduction switched on), and took 3.50 respectively 1.75 seconds. We verified two desirable properties in the (non-variated) obtained hierarchical timed automaton model. Property (i) is a safety property and states, that the heart never stops for too long, unless the pacemaker was switched off by the programmer (in which case we cannot give any guarantees). Property (ii) is a response property and states, that after an articular contraction, there will inevitably follow a ventricular contraction. In particular this guarantees, that no deadlocks are possible between these control situations.
The latest version of the Uppaal tool 6 is able to perform the model-checking of both properties successfully in 11.83 repectively 4.26 seconds. The verification of the typically more expensive property (ii) is faster, since here it is possible to apply a property preserving convex hull over-approximation, that is not preservative with respect to property (i). We use a Sun Enterprise 450 with UltraSPARC-II processors, 300 MHz, and made use of Uppaal's rich set of optimization options. In particular the active clock reduction gives drastic improvements in model-checking time in this example.
It is worthwhile to mention, that validity of property (i) is strongly dependent on the parameter setting of the model. We use the constants from Figure 18 . If the programmer is allowed to swich between modes very fast, it is possible that she prevents the pacemaker from doing its job. E.g., for MODE_SWITCH_DELAY = 65 the property (i) does not hold any more. In practice it is often a problem to find parameter settings, that entail a safe or correct operation of the system. In related work, an extended version of Uppaal is used to derive parameters yieling property satisfaction automatically, see [HRSV01] .
Summary
We defined a hierarchical timed automaton formalism and equipped it with a formal semantics in terms of a transition system. We present a translation to Uppaal timed automata.
Our formalism is realized via the XML grammar in Appendix A. We implemented our translation procedure in Java as a transformation from XML documents according to Appendix A to XML documents according to Appendix B. The later is an input format to the Uppaal tool. Our experimental data indicates, that the overhead introduced in the translation is tolerable in terms of model size and run-times of the model-checking engine on the translation.
The XML document type definition in A is designed to be flexible and extensible. It is based on a template/instantiation mechanism and uses purely textual data for parts that supposedly change frequently during model design, like the elements declaration or system . It is intended to eventually replace the Uppaal document format, thus the hierarchical features are optional. In fact, if a document does not contain a component element, the only difference between a document of type grammar Appendix A and a document of type grammar Appendix B is, that the former declares initial states via globalinit element, whereas the latter uses the init tag.
Future Work
Though we have a working prototype for a grammar and a translation, it is to be considered work in progress. We made the implementation accessible for future reference as frozen version at http://www.brics.dk/~omoeller/hta/vanilla-1/.
The translation Vanilla-1 is documented as a milestone to make experiments with. It is not able to translate some powerful modeling constructs, though they are already present syntactically.
Unresolved Issues in Vanilla-1 are in particular local declarations, scope overriding, history entries, synchronization mechanisms other than handshake communication, and parameterized templates.
In near future, it is planed to implement an editor for the hierarchical grammar in the Uppaal tool. Simulation and verification of hierarchical models, however, are done on flat Uppaal timed automata, constructed by future versions of Vanilla-1.
There is a strong correspondence between hierarchical and flat traces. However, the imperative of introducing fresh and unambiguous names for flattened constructs makes it difficult for a human user to see this immediately, compare Section 6. One possible remedy for this is to equip the Uppaal simulator with the appropriate mapping, so it can display names as specified in the hierarchical system. We feel that it is also necessary to provide a translation of TCTL formulas to corresponding ones in the flattened version. This seems to be purely syntactical, but strongly dependent on the mapping of local and global variables.
Looking ahead, we believe that there is a great potential for exploiting the hierarchical structure directly in terms of shaping more efficient model checking algorithms. Since we want this to work in practice, we consider it crucial for this enterprise to get the hierarchical modeling formalism right. 
