A Model for Industrial Real-Time Systems by Bin Waez, Md Tawhid et al.
A Model for Industrial Real-Time Systems
Md Tawhid Bin Waez1, Andrzej W ↪asowski
2, Juergen Dingel1, and Karen Rudie1
1 Queen’s University, Canada {waez@cs,dingel@cs,karen.rudie@}.queensu.ca
2 IT University of Copenhagen, Denmark wasowski@itu.dk
Abstract. Introducing automated formal methods for large industrial
real-time systems is an important research challenge. We propose timed
process automata (TPA) for modeling and analysis of time-critical systems
which can be open, hierarchical, and dynamic. The model offers two essen-
tial features for large industrial systems: (i) compositional modeling with
reusable designs for different contexts, and (ii) an automated state-space
reduction technique. Timed process automata model dynamic networks of
continuous-time communicating control processes which can activate other
processes. We show how to automatically establish safety and reachability
properties of TPA by reduction to solving timed games. To mitigate
the state-space explosion problem, an automated state-space reduction
technique using compositional reasoning and aggressive abstractions is
also proposed.
1 Introduction
This paper develops a model for the automated analysis of safety and reach-
ability properties in large industrial time-critical systems. To fulfill industrial
requirements, we consider time-critical systems that are open (communicate with
external components), hierarchical (can be decomposed and recomposed into
smaller control systems), and dynamic (the decomposition can change over time).
In the paper, we use real-time systems, meaning time-critical systems that fulfill
all these features. The model also facilitates compositional modeling and reusable
designs for different contexts.
An open system continuously interacts with an unpredictable environment. A
good example of time-critical open systems is a pacemaker, which continuously
interacts with a heart, an uncontrolled environment. The pacemaker’s performance
crucially depends on the exact timing of an action performed either by the system
or by the environment. The theory of timed games [1,2,3,4] is well-known in the
research community for the analysis of time-critical open systems.
A hierarchical system is a hierarchical composition of smaller systems. An
automotive system, developed by an original equipment manufacturer (OEM),
may be used in different models of cars. In this case, the system has a controller
which helps the system adapt to different environments and cars. In other words,
the system is an open system, which has two distinguished interacting segments:
the controller and the environment. Typically, these systems consist of other
smaller systems in a hierarchical structure. For instance, a system Actuator can
be a component of a larger system Position, while Position can be a component
of another system Brake-by-Wire, and so on. Every component of a system has a
specific set of tasks; for example, system Brake-by-Wire may use its component
Position to perform some desired tasks in interaction with the environment, and
Brake-by-Wire may also indirectly—through using Position—use its sub-component
Actuator to perform some desired tasks in interaction with the environment.
A dynamic system is a hierarchical system whose components may change
over time. Many hierarchical systems have dynamic characteristics, which are
activating components only when needed. Dynamic behaviors are an important
feature when resource constraints (such as limited memory) do not allow one to
keep all the components active at the same time. Sometimes dynamic behaviors
are inherent to the system. For example, we applied timed game theory in an
industrial project to construct a fault-tolerant framework for a hierarchical open
system that has a scheduler, a set of tasks, and a set of subtasks; only the
scheduler is active in the initial system-state; subtasks are activated by their
parent tasks, and the top level tasks are activated by their scheduler; thus the
scheduler controls tasks, and a task controls its subtasks; due to the termination
or the initialization of tasks (or subtasks) the structures of the processes may
change; thus the system is a dynamic open system [5].
Timed automata (TA) [6,7] are desirable for the development of real-time sys-
tems because TA can model and analyze both discrete-time controllable behaviors
of the system and continuous-time uncontrollable behaviors of the environment.
Timed automata and their more than 80 variants [8] are mostly studied for the
development of embedded systems, where behaviors of the components are known
and the number of the components is static. As a result, modeling techniques,
automated analyses, and other key issues of TA are typically addressed for static
closed systems. The application domain of TA is growing [8]. In our two projects
with General Motors (GM), we used different TA-based analyses to investigate
the fault-tolerance of real-time systems, which are part of many large-scale safety-
critical systems. During our industrial projects, we observed that continuous-time
formal methods of TA may provide the most accurate analysis; however, TA are
not suited for industrial real-time systems mainly because of poor scalability.
Moreover, we found that TA have no structured support for modeling real-time
systems, which may lead to cumbersome design details in a large-scale real-time
system having several control hierarchies. The paper extends TA to achieve better
modeling support and scalability for automated analysis of real-time systems.
We propose timed process automata (TPA), a variant of TA, for the develop-
ment of industrial real-time systems. The proposed variant provides compositional
modeling (with reusable designs for different contexts) and automated analysis—a
system needs to be modeled and analyzed using TPA only once when copies of it
are used as independent systems or multiple components of a larger system or
components of different larger systems or a combination of all previous scenarios.
The contributions of this paper include:
1. Timed process automata, the first model that provides compositional modeling
with reusable designs for dynamic hierarchical open time-critical systems.
2. Definition of a formal semantics for TPA.
3. An automated analysis for safety and reachability properties of TPA.
4. The first automated state-space reduction technique for time-critical systems,
which can be dynamic, hierarchical, and open.
The rest of the paper can be divided into seven sections:
Section 2 Describes the motivation for the work. The motivation is based on
the experience achieved from a couple of automotive industrial projects.
Section 3 Provides the required background to understand the paper.
Section 4 Presents the syntax (Sect. 4.1) and the semantics (Sect. 4.2) of TPA,
which use start actions, finish actions, final locations, and channels to facilitate
compositional modeling to reuse designs without manual alterations.
Section 5 Presents an automated analysis technique—based on timed games—
for TPA. The analysis model of a timed process automaton T is constructed
by composing a finite number of timed I/O automata (TIOA) [9,2,4], a variant
of TA, to mimic the execution of T . The analysis model is constructed using
an automated technique that allows the designer to avoid manual alteration
techniques for different compositions. Other than the automated construction,
the constructed analysis models essentially are TIOA models, whose state
spaces are too large to analyze industrial real-time systems.
Section 6 Develops an automated state-space reduction technique that converts
each callee process into a small automaton having only two locations and
two edges, irrespective of the size of the callee. The technique uses structured
construction of TPA, compositional reasoning, aggressive abstractions, and
fewer synchronizations to ensure smaller state space.
Section 7 Discusses related work. It also classifies TPA depending on the classi-
fication of TA variants presented in a previous work [8].
Section 8 Concludes the paper.
2 Motivation
The first goal of the paper is to develop a real-time model, where a designer will
not need to readjust a design for different compositions. The second and main
goal is to allow automated analysis of the model for industrial systems.
Figure 1 presents an abstract Brake-by-Wire system modeled using TIOA, and
the system is developed by an OEM. The model has seven automata representing
different copies of only three elements: one copy of the main thread of Brake-by-
Wire (the top automaton), two copies of the main thread of Position (the two
automata in the middle), and four copies of Actuator system (the four automata
in the bottom). Each Position system contains two children (Actuator systems)
and its main thread that schedules the children, communicates with its parent
(the main thread of Brake-by-Wire), and performs some other functions, which
cannot be performed by the children. Similarly, the Brake-by-Wire system contains
two children (Position systems) and its main thread that schedules the children
and performs some other functions, which cannot be performed by the children.
Fig. 1. An abstract Brake-by-Wire system modeled using standard TIOA
In this model, the main thread of Brake-by-Wire is the root, which does not have a
parent. However, in the future a car manufacturer may include this Brake-by-Wire
system in a car and then the main thread of Brake-by-Wire will no longer be the
root. Then a central control system may be able to start the main thread of Brake-
by-Wire. To analyze the new complex system, a designer will need to manually
alter the model again by including start and finish actions (in the top automaton
of Fig. 1). Let us assume a complex system contains N Break-by-Wire systems;
to analyze this complex system, a designer will need to manually construct at
least N × 7 automata with a proportionally growing alphabet! Existing TA-based
modeling techniques do not support compositional modeling with reusable designs
for different contexts; that is, a design may need to be altered manually in every
composition. All these ad hoc alterations may make a large industrial design
incomprehensible and error-prone. Figure 2 contains the same Brake-by-Wire
system of Fig. 1 modeled by using TPA. Timed process automata always model
a system only once. For example, Fig. 2 presents only three TPA, which are
equivalent to the seven automata of Fig. 1. Moreover, the number of copies and
the root status of Break-by-Wire system has no impact on the new design.
To the best of our knowledge, no automated state-space reduction technique
has been developed for the analysis of real-time systems. During our two projects
with GM, we noticed that even a (practically) very small real-time system may
have a state space too large for automated formal analysis because of hierarchy,
dynamic behaviors, and time calculations. We overcame the scalability problem
in one of the projects—construction of a fault-tolerance framework [5]—by
developing a manual state-space reduction technique that applies aggressive
Fig. 2. The same Brake-by-Wire system of Fig. 1 is modeled using TPA
abstractions and uses fewer synchronizations. Applying this manual technique to
a design of an industrial system is a challenging task. Moreover, the technique
may not work for every real-time systems. A generalized automated reduction
technique, therefore, is needed for analysis of large real-time systems, which is
provided in this paper by presenting an automated reduction technique for TPA.
3 Background
The semantic construction of TA is expressed using semantics objects called
timed transition systems (TTS) [10,4,7]. A timed I/O automaton [9,2,4] is a timed
automaton which has an input alphabet along with a regular output alphabet.
The controller plays controllable output transitions and the environment plays
uncontrollable input transitions; thus TIOA are a natural model for timed games.
Two TIOA are composable with each other if they don’t have a common output
action. The composition of two well-formed TIOA forms a larger timed I/O
automaton [2,4]. The section defines TTS, TIOA, composition of TIOA, and all
other terms required to understand the remaining paper.
Definition 1 [10,4,7] A timed transition system is a tuple T = (St, s0, Σ,d),
where St is an infinite set of states, s0 ∈ St is the initial state, Σ is an alphabet,
and d: St × (Σ ∪ R≥0) × St is a transition relation.
We use d ∈ R≥0 to denote delay. A TTS satisfies time determinism (i.e., whenever
s
d
d s′ and s
d
d s′′ then s′ = s′′ for all s ∈ S ), time reflexivity (i.e., s 0d s for
all s ∈ S ), and time additivity (i.e., for all s, s′′ ∈ S and all d1, d2 ∈ R≥0 we have
s
d1+d2d s′′ iff there exists an s′ such that s
d1d s′ and s′
d2d s′′). A run ρ of a TTS
T from a state s1 ∈ St is a sequence s1 a1d s2 a2d s3 · · · and sn+1 such that for all
1 ≤ m ≤ n : sm amd sm+1 with am ∈ Σ ∪ R≥0. A state s is reachable in a transition
system T if and only if there is a run s0 a0d s1 a1d s2 · · · an−1d sn, where s = sn. Timed
I/O transition systems (TIOTS) are TTS with input and output modalities on
transitions. Timed I/O transition systems are used to define semantics of TIOA.
A clock is a non-negative real variable. A constraint δ ∈ C(X,V) over a set of
clocks X and over a set of non-negative finitely bounded integer variables V is
generated by the grammar δF xm ≺ q | k ≺ α | xm − xn ≺ q | true | Φ ∧Φ, where
q ∈ Q≥0, α ∈ Z≥0, {xm, xn} ⊆ X, k ∈ V and ≺∈ {<,≤, >,≥}. Consequently, the set of
clock constraints C(X) is the set of constraints C(X,V), where V = ∅. Let Ψ (V) be
the set of assignments over the set of variables V.
Definition 2 [9,2,4,7] A timed I/O automaton is a tuple A = (L, l0, X,V, A, E, I),
where L is a finite set of locations, l0 ∈ L is the initial location, X is a finite
set of clocks, V is a finite set of non-negative finitely bounded integer variables,
A = Ai ⊕ Ao is a finite set of actions, partitioned into input actions Ai and output
actions Ao, E ⊆ L× A×Φ(X,V)×Ψ (V)× 2X × L is a set of edges, and I : L→ C(X)
is a total mapping from locations to invariants.
A clock valuation over X is a mapping RX≥0 : X → R≥0. Given a clock valuation v
and d ∈ R≥0, we write v + d for the clock valuation in which for each clock x ∈ X
we have (v+ d)(x) = v(x)+ d. For λ ⊆ X, we write v[x 7→ 0]x∈λ for a clock valuation
agreeing with v on clocks in X \ λ, and giving 0 for clocks in λ. For φ ∈ Φ(X,N)
and v ∈ RX≥0, we write v,N |= φ if v and N satisfy φ. Let e = (l, a, φ, θ, λ, l′) be
an edge, then l is the source location, a is the action label, and l′ is the target
location of e; the constraint φ has to be satisfied during the traversal of e; the
set of clocks λ ∈ 2X are reset to 0 and the set of non-negative finitely bounded
integer variables are updated to θ whenever e is traversed.
Definition 3 [2,4] Two timed I/O automata Am = (Lm, lm0 , Xm,Nm, Am, Em, Im)
and An = (Ln, ln0, Xn,Nn, An, En, In) are composable with each other when Amo ∩Ano =∅, Xm ∩ Xn = ∅, and Nm ∩ Nn = ∅; when composable, their composition is a TIOA
A = Am||An = (Lm × Ln, (lm0 , ln0), Xm ∪ Xn,Nm ∪ Nn, A, E, I), where A = Ai ∪ Ao with
Ao = Amo ∪ Ano and Ai = (Ami ∪ Ani ) \ Ao. The set of edges E contains:
– ((lm, ln), a, φm ∧ φn, λm ∪ λn, θm ∪ θn, (l′m, l′n)) ∈ E for each (lm, a, φm, θm, λm, l′m) ∈
Em and (ln, a, φn, θn, λn, l′n) ∈ En if a ∈ {Ami ∩ Ano} ∪ {Amo ∩ Ani }
– ((lm, ln), a, φm, λm, θm, (l′m, ln)) ∈ E for each (lm, a, φm, λm, θm, l′m) ∈ Em if a < An
– ((lm, ln), a, φn, λn, θn, (lm, l′n)) ∈ E for each (ln, a, φn, λn, θn, l′n) ∈ En if a < Am
and the set of invariants I is constructed as follows: I(lm, ln) = Im(lm) ∧ In(ln)
4 Processes
Timed process automata model processes, where each process is a real-time
system. Every process hierarchically contains its active callee processes. Thus
the control of a process is hierarchically shared with its active callee processes.
The main thread of a process can activate callee processes via communication
channels. An active process can receive any input in any state. An active callee
process can deactivate itself in any state of the main thread of its caller process.
An activated callee process dies within its worst-case execution time. This section
presents the syntax and the semantics of TPA.
4.1 Timed Process Automata
Timed process automata are a variant of TIOA. Unlike a timed I/O automaton,
a timed process automaton has a finite set of start actions As, a finite set of
finish actions Af , a final location lf , and a finite set of channels C.
The set of actions A = Ai ⊕ Ao ⊕ As ⊕ Af of a timed process automaton is a
disjoint union of finite sets of input actions Ai, output actions Ao, start actions As,
and finish actions Af . For every set of actions A, there exists a bijective mapping
between its start actions As and finish actions Af in such a way that for each start
action sN ∈ As there is exactly one finish action fN ∈ Af, and vice versa. These
actions can be used for starting and terminating processes associated with N. We
use s and f with the name N (of another timed process automaton) as a subscript
index (e.g., sN and fN) to denote a start action and a finish action, respectively.
We use the same subscript to indicate paired actions. We write a to denote an
action in general. Processes synchronize via instantaneous channels. Each TPA
uses the same designated symbols for its public channel (∗) and caller channel
(4). We use c to denote a channel in general.
Definition 4 A timed process automaton is a tuple T = (L, l0, X, A,C, E, I, lf ),
where L is a finite set of locations, l0 ∈ L is the initial location, X is a finite set
of clocks, A = Ai ⊕ Ao ⊕ As ⊕ Af is a finite set of actions as described above, C is a
finite set of channels, E ⊆ (L × A × C \ {4, ∗} × Φ(X) × 2X × L) ∪ (L × (Ai ∪ Ao) ×
{4, ∗} × Φ(X) × 2X × L) is a set of edges, I : L → Φ(X) is a total mapping from
locations to invariants, and lf ∈ L is a designated final location which does not
have any outgoing edges to other locations and has the invariant I(lf ) = true.
Figure 2 presents TPA Brake-by-Wire, Position, and Actuator. In the figure,
initial locations have a dangling incoming edge, final locations are filled with
black, and TPA names are underlined. The final location lf of a TPA may be
unreachable from the initial location (and then lf is not shown in the figure).
4.2 Process Executions
Every instance of a timed process automaton is a process. Two processes of
the same timed process automaton represent two different copies of the same
system. Every process has a unique process identifier. A process is a tuple
P = (id(P), tpa(P), channel(P)), where id(P)3 is the process identifier, timed process
automaton tpa(P) defines the execution logic, and caller channel channel(P) is
the private channel to communicate with the caller and the other processes which
are started via the same channel. A process Q is a callee of P if P is the caller of
Q. We use ⊥ to denote the caller channel of the root process. Every process P
of tpa(P) = (L, l0, X, A,C, E, I, lf ) has its own copy P.c of channel c ∈ C. We write
P.c.a meaning that action a is performed via channel P.c.
At the same time, no two processes of the same timed process automaton can
have the same caller channel. A process P, therefore, may have at most |C | × |As |
3 To avoid clutter, we abuse notation by writing P instead of id(P).
active callee processes. For example, an instance of automaton Brake-by-Wire
of Fig. 2 can activate at most two instances of automaton Position of Fig. 2 at
the same time via two different channels front and rear, where the instance of
Brake-by-Wire is the caller process of the two instances of Position, which are the
callee processes of the instance of Brake-by-Wire. A subprocess is a callee or a
callee of a subprocess, recursively. For example, every instance of Brake-by-Wire
has six subprocesses: two instances of Position and four instances of automaton
Actuator of Fig. 2. Every process hierarchically contains all of its subprocesses.
Two processes are siblings if they have the same caller channel. The caller can
use separate channels to differentiate control over different callees, even if they
are processes of the same automaton.
A process P starts a process Q of an automaton tpa(Q) via channel P.c by
traversing an edge e1 = ( , stpa(Q), c, , , ) labeled by a start action stpa(Q) if there
exists no active process of tpa(Q) with caller channel P.c; dually, P traverses an
edge e2 = ( , jtpa(Q), c, , , ) labeled by the paired finish action jtpa(Q) whenever Q
reaches its final state. No edge labeled by jtpa(Q) will ever be traversed if tpa(Q)
is a non-terminating timed process automaton. Correspondingly, note that exist-
ing processes may start different processes of tpa(Q)—but always with different
process identifiers. However, only P listens to finish action jtpa(Q) via channel
channel(Q). Process P traverses an edge e = ( , a, c, , , ) when P receives (respec-
tively, sends) an input (resp., output) a in channel P.c. Process P communicates
with its callee Q via channel(Q) and with the environment via channel P.∗.
We formalize the above mechanics of execution by first giving the semantics
of the main thread of the process, ignoring its subprocesses in Def. 5 and then
giving the semantics of the entire process in Def. 6. The standalone semantics of
a process are essentially the same semantics as a standard TIOA [7,9,2,4]. The
main difference is that states are decorated with process identifiers and edges with
channel names to distinguish different instances of the same TPA in Def. 6. Also
the caller channel 4 is instantiated for an actual parent process. The technical
reason for this will become apparent in Def. 6.
Definition 5 The standalone semantics S~P of a process P = (P, tpa(P), channel
(P)) are a TIOTS S~P = (L×RX≥0×P, (l0, 0, P), AP,−)4, where tpa(P) = (L, l0, X, A,C,
E, I, lf ), 0 is a function mapping every clock to zero and −⊆ (L×RX≥0 ×{P})× (AP∪
R≥0) × (L × RX≥0 × {P}) is the transition relation generated by the following rules:
Action For each clock valuation v ∈ RX≥0 and each edge (l, a, c, φ, λ, l′) ∈ E such
that v |= φ, v′ = v[x 7→ 0]x∈λ, and v′ |= I(l′) we have (l, v, P) P.c.a− (l′, v′, P) if
c , 4, otherwise (l, v, P) channel(P).a−−−−−−−−− (l′, v′, P)
Delay For each clock valuation v ∈ RX≥0 and for each delay d ∈ R≥0 such that
(v + d) |= I(l) we have (l, v, P) d− (l, v + d, P).
The transition system induced by the standalone semantics of a process is time
deterministic, time reflexive, and time additive.
4 AP is the set of actions where action names are constructed using regular expression
(P“.”C | channel(P))“.”A.
Ground timed process automata are TPA that cannot perform a start or finish
action (As ∪ Af = ∅). Automaton Actuator in Fig. 2, for instance, is a ground
timed process automaton. Compound timed process automata are TPA that can
perform a start or finish action (As ∪ Af , ∅). For example, Brake-by-Wire and
Position in Fig. 2 are compound TPA. A well-formed channel cannot be used
by two processes sharing an output action. Processes of a well-formed timed
process automaton have only well-formed channels. Non-recursive TPA are defined
inductively using the following rules: (i) every ground timed process automaton
is a non-recursive timed process automaton, and (ii) a compound timed process
automaton which performs only those start and finish actions whose subscripts
are the names of some other existing non-recursive TPA is a non-recursive timed
process automaton. All three TPA in Fig. 2, for example, are non-recursive TPA.
A process of a non-recursive timed process automaton hierarchically contains
only a finite number of subprocesses. The caller may activate an idle process,
iteratively. Thus a process may activate a subprocess an arbitrary number of
times. In this paper, we are only concerned with non-recursive well-formed TPA.
A standalone final state of a process P is (lf , v, P), where v is any clock valuation.
We use stP, stPi , c
P, and stPf to denote a standalone state, the standalone initial
state, the set of channels, and a standalone final state of process P, respectively.
We say that a process P is A′-enabled for a channel P.c if for every reachable
standalone state stP we have stP
P.c.a− st′P for some standalone state st′P for each
action a ∈ A′. We require that each process P is Ai-enabled (input enabled) for
all channels of P, and Af -enabled (finish enabled) for all channels of P other than
channels P.4 and P.∗ to reflect the phenomenon that inputs from the environment
and the deaths of callees are independent events, beyond the control of a process.
We present the semantics of a process in the following:
Definition 6 The global operational semantics G~P (semantics ~P for short)
of a process P = (P, tpa(P),⊥) are a TIOTS G~P = (2S , s0,P × C × A,→), where
S is the set of all the standalone states of all the processes in the universe,
tpa(P) = (L, l0, X, A, E, I, lf ), s0 = {stP0 } is the initial state, P is the set of all the
processes in the universe, C is the set of all the channels in the universe, A is
the set of all the actions in the universe, and →⊆ 2S × (P × C × A ∪ R≥0) × 2S is
the transition relation generated by the following rules:
stQ
Q.c.sT−−− st′Q and c < {4, ∗} {stW ∈ s | channel(W) = Q.c and tpa(W) = T } = ∅
stQ ∈ s (R,T,Q.c) is a freshly started process
s
Q.c.sT−−−−→ s \ {stQ} ∪ {stR0 , st′Q}
Start
stRf , st
Q ∈ s and channel(R) = Q.c
{stU ∈ s | channel(U) ∈ CR} = ∅ stQ Q.c.jtpa(R)−−−−−−− st′Q
s
Q.c.jtpa(R)−−−−−−−→ s \ {stRf , stQ} ∪ {st′Q}
Finish
s′ = {st′Q | stQ d− st′Q and stQ ∈ s and (stQ , stQ
f








o s′ = {stQ ∈ s | stQ Q.∗.a−− st′Q}
s
a−→ s \ s′ ∪ {st′Q | stQ Q.∗.a−− st′Q and stQ ∈ s}
Input
stQ
W.c.a−− st′Q and a ∈ AQo and stQ ∈ s
s′ = {stR ∈ s | stR W.c.a−− st′R and W.c is a channel}
s
Q.c.a−−−→ s \ s′ ∪ {st′R | stR W.c.a−− st′R and stR ∈ s}
Output
A global state is a set which holds standalone states of all active processes. The
Start rule states that the initial standalone state of a freshly started callee is
added to the global state whenever the corresponding start action is performed
by its caller. The rule also states that no two active processes can have the same
timed process automaton and the same caller channel. The Finish rule prescribes
that the standalone-final state of a callee is removed from the global state and
the caller executes the corresponding finish action whenever that callee is in the
standalone-final state and no standalone state of its subprocesses is in global
state. Thus the rule defines global-final state (final state for short) of a process:
a process is in its the final state when the process is in its final location and
the process has no active subprocess. The Delay rule declares that globally a
process can delay if that process and all of its active subprocesses can delay in
their respective standalone semantics. Every subprocess is a part of the root
process and thus if a subprocess is performing an action (or not idle) then the
root process is also not idle. The rule also says that a process cannot delay if
that process or any of its subprocess is in its global final state. That means a
process finishes as soon as it reaches its final state. The Input rule states that a
process receives an input from the environment via channel id.∗. Rule Output
declares a process send an output via channel id.c to others who share id.c. It
follows from the properties of the standalone semantics that the transition system
induced by Def. 6 is time deterministic, time reflexive, and time additive. The
process semantics, therefore, defines a well-formed TIOTS. This allows us to use
TA as a basis for analyzing TPA. A local run of the main thread of a process P
is a standalone run of P for which there exists a global run of P such that every
transition of that standalone run occurs in that global run. The local behavior of
the main thread of P consists of all of its local runs.
5 Analysis
We are interested in safety and reachability properties of real-time systems. This
section explains how such analyses can be performed using the theory of timed
games. A standard timed I/O automaton can be viewed as a concurrent two-
player timed game, in which the players decide both which action to play, and
when to play it. The input player represents the environment, and the output
player represents the system itself. Similarly, the main thread of a process acts as
a concurrent two-player timed game: the environment plays input transitions and
finish transitions, and the main thread of the process plays output transitions and
start transitions. Let’s consider interactions of a process defined in the previous
section. A process controls its output and start transitions. After starting a callee,
the main thread of the caller knows that the paired finish action will arrive within
the worst-case execution time of the associated callee. However, the main thread
does not have any control on the exact arrival time of a finish action. Finish
transitions along with input transitions are uncontrollable. The environment of
the main thread of a process consists of all the connected processes (such as
caller, siblings, and subprocesses) and all unconnected entities.
A global state of a process is safe if and only if all of the standalone states
which it contains are safe locations. A safety property asserts that the system
remains inside a set of global-safe states regardless of what the environment
does. We are interested in Safety Property I: Given a process P and a set of
unsafe locations LU of P, can the controller avoid LU in P regardless of what
the environment does? A global state of a process is a target state if and only
if at least one of its standalone states contains a target location. A reachability
property asserts that the system reaches any of the global-target states regardless
of what the environment does. We are interested in Reachability Property I:
Given a process P and a set of target locations LT of P, can the controller reach
a location of LT in P regardless of what the environment does?
The monolithic analysis constructs a static network of automata to represent
all possible global executions by mimicking the hierarchical call tree of the
analyzed process. It simulates a process execution by changing states of pre-
allocated TIOA which fall into two groups: a root automaton to simulate the local
behaviors of the main thread of the root process and a finite set of standalone
automata to simulate the local behaviors of the main threads of the subprocesses.
Fig. 3. A generalized view of standalone automata construction
Standalone Automata We construct a standalone automaton for each subprocess
to simulate the main thread of that process. To construct a standalone automaton,
we prefix the timed process automaton with a simulated start action and suffix
it with a simulated finish action. We use non-negative finitely bounded integer
variables5 in standalone automata to count the number of active callees, in order
5 The use of non-negative finitely bounded integer variables can be avoided if a more
cumbersome encoding is used.
to detect termination. We rename actions (e.g., a) of processes uniformly to encode
channel names (e.g., P.c) in action names (e.g., P.c.a) of standalone automata;
because standard TIOA do not support private channels. A standalone automaton
includes all the locations and slightly altered edges of the corresponding timed
process automaton. Moreover, each standalone automaton has two additional
locations: a new initial location lid0 to receive (resp., send) a start (resp., finish)
message from (resp., to) the caller, and a new unsafe location BAD to prevent
the automaton from waiting in final states instead of finishing. Every start
(resp., finish) increments (resp., decrements) a counter variable n. The automaton
represents finishing of the process in the final location when n = 0. Formally,
the standalone automaton of process P is standalone(P) = (L ∪ {lP0 , BAD}, lP0 , X ∪{xP}, {n}, AP, EP, IP), where tpa(P) = (L, l0, X, A,C, E, I, ls), lP0 and BAD are two
newly added locations, xP is a newly added clock, n is a non-negative finitely
bounded integer variable with the initial value 0, APo = A
′
o∪A′s∪{channel(P).ftpa(P)}
and APi = A
′
i ∪ A′f ∪ {channel(P). stpa(P), P.∗ .u} such that A′m = {channel(P).a | a ∈
Am} ∪ {P.c.a | a ∈ Am and c ∈ C \ {4}} where m ∈ {o, s, i, f} and newly added actions
are channel(P).stpa(P), channel(P).ftpa(P), and P.∗.u. The set of edges EP contains
– Converted edges that do not communicate via caller channel 4:
• An edge (l, P.c.a, φ, ξ, λ ∪ λ′, l′) ∈ EP for each edge (l, a, c, φ, λ, l′) ∈ E,
where c ∈ C \ {4}, the integer assignment is empty ξ = ∅ when a ∈ Ao ∪ Ai,
ξ = {n − −} when a ∈ Af , and ξ = {n + +} when a ∈ As
– Converted edges that communicate via caller channel 4:
• An edge (l, channel(P).a, φ, ∅, λ∪λ′, l′) ∈ EP for each edge (l, a,4, φ, λ, l′) ∈ E
– Additional new edges that simulate activation and deactivation:
• Three more edges (lP0 , channel(P).stpa(P), ∅, ∅, X, l0), (lf , channel(P).ftpa(P), n =
0 ∧ xP = 0, ∅, ∅, lP0 ), (lf , P.∗.u, n = 0 ∧ xP > 0, ∅, ∅, BAD) are in EP
λ′ = ∅ when l′ , lf , otherwise λ′ = {xP}. The invariant function IP maps each
location l ∈ L to I(l) and maps each location l ∈ {lP0 , BAD} to true. The standalone
semantics of automaton tpa(P) and the semantics of standalone automaton
standalone(P) are essentially the same.
Fig. 4. A generalized view of root automata construction
Root Automata To analyze a timed process automaton tpa(P) = (L, l0, X, A,C, E, I, lf ),
we construct the root automaton root(P) of process P. Standalone automaton
standalone(P) is slightly different from root(P). The differences are: (i) the caller
channel is always ⊥, (ii) the initial location of root automaton root(P) is the
location l0, which is also the initial location of tpa(P), and (iii) root automaton
does not have edge (lP0 ,⊥.stpa(P), ∅, ∅, X, l0), which simulates activation of P.
Monolithic Analysis Model The monolithic analysis model of a ground timed
processes automaton (such as Actuator) is its root automaton. We construct the
monolithic analysis model of automaton tpa(P) in the following iterative manner:
First Step: We construct the root automaton root(P).
Iterative Step: We construct a standalone automaton for each triple (Q, sT , c),
where Q is process for which we have constructed a standalone automaton or
the root automaton, tpa(Q) = (L, l0, X, A,C, E, I, lf ), c ∈ C \ {4, ∗}, sT ∈ As, and
( , sT , c, , , ) ∈ E.
Figures 3–4 present a generalized view of the standalone and root automata
constructions (a technical report [11] presents monolithic analysis models of
processes of TPA Actuator, Position, and Brake-by-Wire). The monolithic analysis
model constructs a parallel composition of all the TIOA constructed above. The
construction is finite, and the composition is a timed I/O automaton, because
we consider only non-recursive well-formed TPA. The created composition is
timed-bisimilar to the global semantics (modulo hiding the special actions and
renaming the others). Executions of this composition, when projected on the
original alphabet, are identical to the executions of the global semantics. Thus
the composition has the same properties. We convert Safety Property I to Safety
Property II: Given a process P and a set of unsafe locations LU of P, can the
controller avoid LU and all the BAD locations in the analysis model regardless
of what the environment does? We also convert Reachability Property I to
Reachability Property II: Given a process P and a set of target locations LT of
P, can the controller reach a location of LT in the analysis model avoiding all
the BAD locations regardless of what the environment does? Avoiding all the
newly added BAD locations in the analysis model ensures that each caller process
performs the corresponding finish action as soon as the callee finishes. Therefore,
if a Safety Property I (resp., Reachability Property I) holds for a process then
its corresponding Safety Property II (resp., Reachability Property II) also holds,
and vice versa.
6 State-Space Reduction
We introduce an automated state-space reduction technique for TPA to counteract
state-space explosion. The technique relies on compositional reasoning, aggressive
abstractions, and reducing process synchronizations. In the monolithic analysis of
Sect.5, a callee can be represented by an arbitrary number of standalone automata
and each of these automata can be arbitrarily large. The compositional reasoning
replaces hierarchical trees of standalone automata representing subprocesses with
simple abstractions (Fig. 5)—so called duration automata.
Fig. 5. A compositional (sound) analysis model on the left and a monolithic (sound
and complete) analysis model on the right of automaton Brake-by-Wire, where P is a
process of the automaton, R1 is the root automaton, S1–S7 are standalone automata,
and D1–D2 are duration automata
Fig. 6. A generalized view of dura-
tion automata construction
Duration Automata A duration automaton
(Fig. 6) is timed I/O automaton with only two
locations: the initial location (lP0 ) and the ac-
tive location (lP1 ). A duration automaton of an
analyzed process abstracts all the information
of global executions of the process other than
its worst-case execution time (WCET). It can
capture safety and reachability properties of
interest. The minimal-time safe reachability of
a target location is the minimal-time reachability [12,13] for which the controller
has a winning strategy to reach that target location by avoiding unsafe states. We
assume that the WCET W of a process P is the minimal-time safe reachability
time to reach location lP0 of automaton root(P) in the analysis model of P. This
is a known technique to limit the WCET of a controller [14,15]. The WCET
of P is unknown (W = ∞) when there is no winning strategy for the minimal-
time safe reachability to reach location lP0 of root(P). The duration automa-
ton of process P is duration(P) = ({lP0 , lP1 }, lP0 , {xP}, ∅, AP, EP, IP), where tpa(P) =
(L, l0, X, A,C, E, I, lf ), APi = {channel(P).stpa(P)}, APo = {channel(P).jtpa(P)}, the set
of edges EP = {(lP0 , channel(P).stpa(P), ∅, ∅, {xP}, lP1 ), (lP1 , channel(P).jtpa(P), ∅, ∅, ∅, lP0 )},
invariant IP maps location lP0 to true, and I
P maps location lP1 to x
P ≤W.
Compositional Analysis Model We construct the compositional analysis model
in a bottom-up manner: analysis of a compound process is performed only after
analyzing all its callees. Like the monolithic analysis, the compositional analysis
model of a ground timed process automaton tpa(Q) (such as Actuator) is a
root automaton of process Q. That TIOA is analyzed to construct a duration
automaton of Q. For a compound process P, we analyze automaton root(P) in the
context of the duration automata of its callees (instead of the entire hierarchical
structure of subprocesses). We construct the compositional analysis model of a
timed process automaton tpa(P) in the following manner:
First Step: We construct the root automaton root(P).
Second Step: We construct a duration automaton for each triple (P, sT , c), where
tpa(P) = (L, l0, X, A,C, E, I, lf ), c ∈ C \ {4, ∗}, sT ∈ As, and ( , sT , c, , , ) ∈ E.
Fig. 7. Steps of the compositional analysis of automaton Brake-by-Wire
Figure 7 presents the compositional analysis procedure of Brake-by-Wire (the
detailed models are presented in [11]). The compositional model construction
procedure terminates, and the composition of all the above TIOA is a timed
I/O automaton, because we consider only non-recursive well-formed TPA. The
duration automaton of a process can capture safety properties: if a process has a
winning strategy for a safety game, then all locations of its duration automaton are
considered safe; otherwise, the active location (lid1 ) of the duration automaton is
added to the set of unsafe locations LU . Now this duration automaton can be used
as a sound context to analyze the caller automaton for safety. A safety property
holds for a compound process when the main thread of the process preserves
the property locally and allows the activation of a callee only if that callee
also preserves the property. Duration automata can also capture reachability
properties: if a process has a winning strategy for a reachability game then
the active location (lid1 ) of the duration automaton is added to the set of target
locations LT ; otherwise, no target location is specified for this callee. This duration
automaton can be used as a sound context to analyze the caller automaton for
reachability. A reachability property holds for a compound process when the main
thread of the process can reach the target locally or can activate a callee where
the property holds. Like the monolithic analysis, the compositional analysis is
performed for Safety Property II and Reachability Property II. The compositional
analysis is sound: if a safety or reachability property holds in compositional
analysis then it holds in the global semantics. A duration automaton does not
contain any input and output actions of its process. Hence, the root automaton
in a compositional model does not synchronize with the input and output actions
of its callees—instead the automaton synchronizes for those actions with the
environment. The duration automaton was created under the assumption that
inputs are uncontrollable, so ignoring synchronization with inputs is sound.
Similarly, it is sound to open the inputs of the root automaton from a callee,
as they will be treated as open actions, so will be analyzed in a more “hostile”
environment than before the abstraction. Therefore, if a property holds in the
compositional analysis then it also holds for the monolithic analysis.
Scalability In all the steps of Fig. 7, the largest composition contains only three
automata, and except for the root automaton all are tiny duration automata.
Monolithic analysis model of Brake-by-Wire is a composition of seven automata
(see [11]). A duration automaton always has a small constant size (modulo the
size of the WCET constant), and so its state space is very simple (actually
the discrete state space is independent of the input model). We applied our
approach to examples like the one presented in our previous work [5]. First, we
modeled that problem with standard TIOA using shared variables. The timed
games solver Uppaal Tiga [16] produced a large winning strategy (290 MB) for a
safety objective for a configuration (C1 of [5])—a combination of different system
parameters—in the TIOA model within 94 seconds6. After that, we modeled the
same system with TPA, and applied the state-space reduction technique. The
same solver for the same configuration produced a much smaller winning strategy
(100 KB) for the same objective in our compositional model within 0.3 seconds.
Experiments for different configurations for the same system (of [5]) revealed
that speed up of two orders of magnitude is possible with the compositional
technique, while maintaining enough precision to obtain useful strategies for
realistic scheduling problems. The size of composition in the monolithic analysis
is exponential in the depth of the hierarchy, due to a product construction (it
is also linear in the multiplication of sizes of all included standalone automata).
In the compositional analysis, the depth of the hierarchy is constant (only two
layers) and we only take a product of one root automaton with several constant
size duration automata; this explains why the practically obtained speed ups are
so dramatic. The efficiency gains are primarily due to the coarse abstraction of
safety and reachability properties of an arbitrarily large callee into a tiny duration
automaton. Abstraction and compositional reasoning together might provide
similar speed ups for TIOA [5]; however, the restrictions that TPA impose on
models allow one to automate the procedure.
7 Related Work
Classical TA [6,7] and timed I/O automata [2,4] have explicit modeling support
only for static non-hierarchical structures. In 2011, we identified and classified
eighty variants of TA into eleven classes in a survey [8] and there may be
many more. Timed process automata fall in the class of TA with resources [8]
because of their ability to model dynamic behaviors, which is required when
resource constraints do not permit one to activate all the components at the
same time. More precisely, the model is a direct generalization of task automata
[17], dynamic networks of TA [18], and callable timed automata [19]. These three
variants model only closed systems, while TPA can model both closed and open
systems. Task automata model only two layers (a scheduler and its tasks) of
hierarchy, while TPA, dynamic networks of TA [18], and callable timed automata
are able to model any numbers of hierarchies. Unlike TPA, none of them supports
6 All the analyses were performed by Uppaal Tiga-0.17 on a PC with an Intel Core i3
CPU at 2.4 GHz, 4 GB of RAM, and running 64-bit Windows 7.
private communication, provides compositional modeling with reusable designs
for different contexts, or supports automated state-space reduction technique.
Dynamic networks of continuous-time automata have also been studied in the
context of hybrid automata [20,21]. These works model physical environments
using differential equations, which restrict the kinds of environments that can be
described. In practice, large differential equations make analyses unmanageable,
or can only give statistical guarantees [21]. These works focus on system dynamics,
and do not support private communication. Timed process automata can be
considered as a member of the class of TA with succinctness [8] because they hide
many design details from the designers to achieve succinctness (like TA variants
with urgency [22,23,8]). Timed process automata are also timed game automata
[1,3,2,4] because the new variant uses timed games for analysis.
8 Conclusion
We have presented timed process automata that captures dynamic activation
and deactivation of continuous-time control processes and private communication
among the active processes. We have provided a safety and reachability analysis
technique for non-recursive well-formed timed process automata. We have also
designed an abstraction- and compositional reasoning-based state-space reduc-
tion technique for automated analysis of large industrial systems. Our analysis
techniques can be applied in practice using any standard timed games solver such
as Uppaal Tiga [16] and Synthia [24].
To the best of our knowledge, no prior work on dynamic network of timed
automata considered private communication or open systems. This is also the first
work that provides two important features for industrial time-critical dynamic
open systems development: (i) compositional modeling with reusable designs for
different contexts and (ii) automated state-space reduction technique.
It would be interesting to consider a model transformation from subset of real-
time pi-calculus [25,26] to TPA. This transformation might enable controllability
analysis of pi-calculus for open systems. The converse reduction from TPA to real-
time pi-calculus could also give several advantages: understanding TPA semantics
in terms of the well-established pi-calculus formalism, access to tools developed for
real-time pi-calculus [25], which might permit the analysis of recursive processes;
it would also give a familiar automata-like syntax to pi-calculus formalisms. It
would also be relevant to minimize the number of subprocesses in controller
synthesis. One may consider synthesis under this objective in the future, possibly
by reduction to priced/weighted timed automata [27,28].
References
1. Maler, O., Pnueli, A., Sifakis, J.: On the synthesis of discrete controllers for timed
systems. In: STACS. (1995)
2. Alfaro, L.d., Henzinger, T.A., Stoelinga, M.: Timed interfaces. EMSOFT (2002)
3. de Alfaro, L., Faella, M., Henzinger, T.A., Majumdar, R., Stoelinga, M.: The
element of surprise in timed games. In: CONCUR. (2003)
4. David, A., Larsen, K.G., Legay, A., Nyman, U., W ↪asowski, A.: Timed I/O automata:
a complete specification theory for real-time systems. In: HSCC. (2010)
5. Waez, M.T.B., W ↪asowski, A., Dingel, J., Rudie, K.: Synthesis of a reconfiguration
service for mixed-criticality multi-core systems an experience report (to appear).
In: FACS. (2014)
6. Alur, R., Dill, D.L.: Automata for modeling real-time systems. In: ICALP. (1990)
7. Alur, R., Dill, D.L.: A theory of timed automata. TCS 126 (1994)
8. Waez, M.T.B., Dingel, J., Rudie, K.: A survey of timed automata for the development
of real-time systems. CSR (2013)
9. Kaynar, D.K., Lynch, N.A., Segala, R., Vaandrager, F.W.: The Theory of Timed
I/O Automata. (2006)
10. Henzinger, T.A., Manna, Z., Pnueli, A.: Timed transition systems. In: REX
Workshop. (1992)
11. Waez, M.T.B., W ↪asowski, A., Dingel, J., Rudie, K.: A model for industrial real-time
systems. Technical Report 2014-622, Queen’s University, ON (2014)
12. Brihaye, T., Henzinger, T.A., Prabhu, V.S., Raskin, J.F.: Minimum-time reachability
in timed games. In: ICALP. (2007)
13. Jurdzin´ski, M., Trivedi, A.: Reachability-time games on timed automata. In: ICALP.
(2007)
14. Cassez, F.: Timed games for computing WCET for pipelined processors with caches.
In: ACSD. (2011)
15. Gustavsson, A., Ermedahl, A., Lisper, B., Pettersson, P.: Towards WCET analysis
of multicore architectures using UPPAAL. In: WCET. (2010)
16. Behrmann, G., Cougnard, A., David, A., Fleury, E., Larsen, K.G., Didier, L.:
UPPAAL-Tiga: time for playing games! In: CAV. (2007)
17. Fersman, E., Krcˇa´l, P., Pettersson, P., Yi, W.: Task automata: Schedulability,
decidability and undecidability. Information and Computation (2007)
18. Campana, S., Spalazzi, L., Spegni, F.: Dynamic networks of timed automata for
collaborative systems: A network monitoring case study. In: ISCTS. (2010)
19. Boudjadar, A., Vaandrager, F., Bodeveix, J.P., Filali, M.: Extending UPPAAL for
the modeling and verification of dynamic real-time systems. In: FSE. (2013)
20. Go¨llu¨, A., Varaiya, P.: A dynamic network of hybrid automata. In: AIS. (1994)
21. David, A., Larsen, K.G., Legay, A., Poulsen, D.B.: Statistical model checking of
dynamic networks of stochastic hybrid automata. In: AVoCS. (2013)
22. Bornot, S., Sifakis, J., Tripakis, S.: Modeling urgency in timed systems. In:
COMPOS. (1998)
23. Barbuti, R., Tesei, L.: Timed automata with urgent transitions. Acta Informatica
(2004)
24. Ehlers, R., Mattmu¨ller, R., Peter, H.J.: Synthia: Verification and synthesis for
timed automata. In: CAV. (2011)
25. Posse, E., Dingel, J.: Theory and implementation of a real-time extension to the
pi-calculus. In: FMOODS/FORTE. (2010)
26. Barakat, K., Kowalewski, S., Noll, T.: A native approach to modeling timed behavior
in the pi-calculus. In Margaria, T., Qiu, Z., Yang, H., eds.: TASE. (2012)
27. Alur, R., Torre, S.L., Pappas, G.J.: Optimal paths in weighted timed automata.
In: HSCC. (2001)
28. Behrmann, G., Fehnker, A., Hune, T., Larsen, K.G., Pettersson, P., Romijn, J.,
Vaandrager, F.W.: Minimum-cost reachability for priced timed automata. In:
HSCC. (2001)
