Correct Transformation of High-Level Models into Time-Triggered Implementations by Guesmi, Hela et al.
Correct Transformation of High-Level Models into Time-Triggered Implementations (DRAFT)
EPFL IC IINFCOM RiSD Technical Report 218459
http://infoscience.epfl.ch/record/218459
Hela Guesmi (CEA LIST), Simon Bliudze (EPFL),
Belgacem Ben Hedia (CEA LIST),
Saddek Bensalem (Verimag), Mathieu Jan (CEA LIST),
Briag Lenabec (CEA LIST)
October 27, 2016
Abstract: A number of component-based frameworks have been proposed to tackle the complexity of the design of concurrent software and systems and, in particular, to allow modelling and simulation of critical embedded applications. Such design frameworks usually provide a capability for automatic generation of C++ or Java code, which has to be compiled for the selected target platform. Thus, guaranteeing hard real-time constraints is, at best, difficult. On the other hand, a variety of Real-Time Operating System (RTOS), in particular, those based on the Time-Triggered (TT) paradigm, guarantee the temporal and behavioural determinism of the executed software. However, such TT-based RTOS do not provide high-level design frameworks enabling the scalable design of complex safety-critical real-time systems.
In this paper, we combine advantages of the two approaches, by deriving correct-by-construction TT implementations from high-level componentised models. We present an automatic semantics-preserving transformation from RT-BIP (Real-Time Behaviour-Interaction-Priority) to PharOS—a safety-oriented RTOS, implementing the TT paradigm. The transformation has been implemented; we prove its correctness and illustrate it with a realistic case-study.
@TechReport{GBBH+16-BIP-to-TT,
author = {Guesmi, Hela
and Bliudze, Simon
and Ben Hedia, Belgacem
and Bensalem, Saddek
and Jan, Mathieu
and Lenabec, Briag},
title = {Correct Transformation of High-Level Models into
Time-Triggered Implementations},
institution = {EPFL IC IINFCOM RiSD},
month = oct,
year = 2016,
number = {EPFL-REPORT-218459},
note = {Available at: http://infoscience.epfl.ch/record/218459}
}
Contents
1 Introduction
2 Related Work
3 Background
3.1 The RT-BIP Component Framework
3.2 The PharOS platform
4 Formal Computation Model of the PsiC language
5 From RT-BIP to PharOS
5.1 Transformation challenges
5.2 Formal translation
6 Correctness of the transformation
7 Compatibility with composition
8 Case study
8.1 RT-BIP Modelisation
8.2 RT-BIP to TT-BIP transformation
8.3 TT-BIP to PharOS implementation
8.4 Evaluation
9 Discussion & conclusion
To do
NB: In this draft version of the report, this theorem is not yet finalised.
Correct Transformation of High-Level Models into Time-Triggered Implementations (DRAFT)
Hela Guesmi (3), Simon Bliudze (2), Belgacem Ben Hedia (1), Saddek Bensalem (3), Mathieu Jan (1) and Briag Lenabec (1)
(1) CEA, LIST, PC 172, 91191 Gif-sur-Yvette, France, Email: firstname.lastname@cea.fr
(2) EPFL IC IINFCOM RiSD, Station 14, 1015 Lausanne, Switzerland, Email: simon.bliudze@epfl.ch
(3) Verimag, 38610 Gieres, France, Email: firstname.lastname@imag.fr
Keywords—Component-based, correct-by-construction, time-triggered, transformation
1 Introduction
The Time-Triggered (TT) paradigm for the design of real-time systems was introduced by
Kopetz [17]. TT systems are based on a periodic clock synchronization in order to enable
a TT communication and computation. Each subsystem of a TT architecture is isolated
by a so-called temporal firewall. It consists of a shared memory element for unidirectional
exchange of information between sender and receiver task components. It is the responsibility
of the TT communication system to transport, by relying on the common global time, the
information from the sender firewall to the receiver firewall. The strong isolation provided
by the temporal firewall is key to ensuring the determinism of task execution and, thereby,
allowing the implementation of efficient scheduling policies.
Developing embedded real-time systems based on the TT paradigm is a challenging task due to the increasing complexity of such systems and the necessity to manage, already in the programming model, the fine-grained temporal constraints and the low-level communication primitives imposed by the temporal firewall abstraction. Several Real-Time Operating Systems (RTOS) implement the TT execution model, such as PharOS [3] and PikeOS [16]. However, they do not provide high-level programming models that would allow the developers to think on a higher level of abstraction and to tackle the complexity of large safety-critical real-time systems. Model-based design frameworks, such as RT-BIP [1] and SCADE [7], allow the specification, design and simulation of real-time systems. In particular, RT-BIP—a component-based framework for the design of real-time systems—allows verification of behavioural properties, such as deadlock-freedom, and lends itself well to model transformations.
To the best of our knowledge, few connections exist between high-level component-based
design frameworks, allowing reasoning about application models and verification of their
functional behaviour and TT execution platforms, which guarantee temporal determinism of
the system.
In this work, we establish a link between the model-based design framework RT-BIP and
PharOS—a safety-oriented RTOS implementing the TT paradigm. The generation of PharOS
applications from high-level RT-BIP models is done by a two-step transformation. The first
step transforms a generic RT-BIP model into a restricted one, which lends itself well to an
implementation based on TT communication primitives. It has been the subject of a previous
work [11]. The second step, which is the contribution of this paper, transforms the resulting
model into a PharOS application. We have outlined this transformation in a previous work-
in-progress publication [12]. In this paper, we present more details about this step, identify
the key difficulties in defining this transformation, propose exhaustive solutions to address
these difficulties and prove that this transformation is semantics-preserving. This translation
is fully implemented, but due to the lack of space, we do not present the code generation tool.
The rest of the paper is organized as follows. Section 2 describes the related work. In Section 3, we provide the necessary background on RT-BIP and PharOS. Section 4 presents a formal computation model of PharOS application tasks. Section 5 details the transformation from RT-BIP to PharOS. Section 6 and Section 7 deal with the correctness of the transformation, while Section 8 presents the case study. Section 9 summarises the paper and discusses future work directions.
2 Related Work
A design framework based on UML diagrams and targeting the TT architecture (TTA) [18] is presented in [21]. This approach relies on a decomposition of a system into clusters and nodes to instantiate the communication mechanisms. It assumes the underlying TT protocol to implement the FlexRay standard [22]. The framework does not support the earlier architectural design phase, nor the verification at model level. It requires a backward association mechanism to link faulty runs obtained at the SystemC level to the UML model.
Methods relying on model transformations in order to automatically refine AADL models
are presented in [6, 9]. They are defined in order to reduce the gap between models used for
timing analysis and for code generation. However, these approaches do not rely on well-defined
formal semantics.
Our approach pursues the same goals as previous work coupling synchronous languages with TT platforms: a tool-chain for code generation from Lustre [14] to the TT architecture [10] and an automatic transformation from SCADE to PharOS [4]. Both these works are limited to relatively simple temporal behaviours. Indeed, their source models define periodic functional behaviour of the system, with the key real-time constraint being the duration of the period. In contrast, in our approach, RT-BIP source models define real-time constraints of arbitrary complexity.
Two model transformation approaches for generating distributed implementations from non-real-time BIP models and RT-BIP models are presented respectively in [5] and [23]. In these approaches, the initial model is transformed into a 3-layer model relying exclusively on simple message-passing interactions, which are implementable using basic message-passing primitives. The third layer of this 3-layer model is reused by the transformation proposed in this paper for conflict resolution. Another method for generating a mixed hardware/software system model for many-core platforms from a high-level non-real-time application model and a mapping between software and hardware components is presented in [8]. The above approaches take advantage of the BIP framework to build correct-by-construction implementations based on a single semantic framework. Nevertheless, they do not target platforms based on the TT execution model, thereby falling short of exploiting the strong temporal guarantees provided by the latter.
3 Background
3.1 The RT-BIP Component Framework
RT-BIP is a component framework for constructing systems by superposing three layers of
modelling: Behaviour, Interaction, and Priority. The Behaviour layer consists of a set of
components defined by timed automata [2] extended with data and C functions. Transition
labels of a component automaton are called ports. Interactions are sets of ports used for
synchronization. Thus, the Interaction layer describes all possible synchronisations among
components as a set of interactions. The third layer defines priorities among interactions,
providing a mechanism for conflict resolution. In this paper, we do not consider priorities.
Thus, we only consider RT-BIP models obtained by composing components with interactions.
Before formally defining RT-BIP components and their semantics, we introduce some notations. For a variable x, we denote by D(x) its domain (i.e. the set of all values possibly taken by x). A valuation on a set of variables X is a function $v : X \to \bigcup_{x \in X} D(x)$, such that v(x) ∈ D(x), for all x ∈ X. We denote by V(X) the set of all possible valuations on X and by $\mathcal{G}_X = \mathbb{B}^{V(X)}$ the set of Boolean guards on X.
Figure 1: RT-BIP example. Three components Task1, Task2 and Task3 are composed by two binary interactions I1 and I2 over the ports q, r and s. The automaton of Task1 (clock c, int x) has locations L1 and L2 and ports i and p; transition p is guarded by 1 ≤ c ≤ 3 and resets c, location L1 has the time progress condition c ≤ 2, and the transitions carry the update functions shown in the figure (fi, xp).
Definition 1 (Clock constraints). Let C be a set of clocks. The associated set $\mathcal{G}_C$ of clock constraints CC is defined by the following grammar:
$$CC ::= \mathit{True} \mid \mathit{False} \mid c \sim a \mid CC \wedge CC,$$
with $c \in C$, $\sim \in \{\le, =, \ge\}$ and $a \in \mathbb{Z}^+$. Notice that any guard CC can be written as:
$$CC := \bigwedge_{c \in C} l_c \le c \le u_c, \quad \text{where } \forall c \in C,\ l_c, u_c \in \mathbb{Z}^+ \cup \{+\infty\}. \tag{1}$$
Definition 2. A component is a tuple $B = (L, P, X, C, T, \mathit{tpc})$, where L is a finite set of locations; P is a finite set of ports; X is a finite set of local variables; C is a finite set of clocks; $T \subseteq L \times (P \times \mathcal{G}_X \times \mathcal{G}_C \times 2^C \times V(X)^{V(X)}) \times L$ is a finite set of transitions, each labelled with a port, two Boolean guards (on variables and on clocks), a set of clocks to be reset and a function updating a subset of variables of X; the function $\mathit{tpc} : L \to \mathcal{G}_C$ assigns a time progress condition to each location, such that, for any $l \in L$, the constraint $\mathit{tpc}(l)$ is a conjunction of constraints of the form $c \le u_c$.
Figure 1 shows a model comprising three RT-BIP components Task1, Task2 and Task3, composed by two binary interactions. The automaton of Task1 is also shown in the figure. First consider Task1 independently of the rest of the model and assume that the system reaches the state L1 of Task1 with 1 ≤ c < 2. Since tpc(L1) = c ≤ 2, time can progress until c = 2 or, since the guard 1 ≤ c ≤ 3 is also satisfied, transition p can be executed. If L1 is reached with c = 2, the system cannot let time progress and has to execute the transition p immediately. Finally, if c > 2, time cannot progress and the system is blocked.
Definition 3 (Semantics of a component). The semantics of a component $B = (L, P, X, C, T, \mathit{tpc})$ is defined as a Labelled Transition System (LTS) $(Q, P, \longrightarrow)$, where $Q = L \times V(X) \times V(C)$ denotes the set of states of B and $\longrightarrow \subseteq Q \times (P \cup \mathbb{R}_{>0}) \times Q$ is the set of transitions defined as follows. Let $(l, v_x, v_c)$ and $(l', v'_x, v'_c)$ be two states, $p \in P$ and $\delta \in \mathbb{R}_{>0}$.
- Jump transitions: We have $(l, v_x, v_c) \xrightarrow{p} (l', v'_x, v'_c)$ iff there exists a transition $\tau = (l, p, g_X, g_C, R, f, l') \in T$, such that $g_C(v_c) = g_X(v_x) = \mathit{True}$, $v'_x = f(v_x)$ and
$$v'_c(c) = \begin{cases} 0, & \text{for all } c \in R, \\ v_c(c), & \text{for all } c \in C \setminus R. \end{cases}$$
- Delay transitions: We have $(l, v_x, v_c) \xrightarrow{\delta} (l, v_x, v_c + \delta)$ iff $\forall \delta' \in [0, \delta]$, $\mathit{tpc}(l)(v_c + \delta') = \mathit{True}$, where $(v_c + \delta)(c) \stackrel{\text{def}}{=} v_c(c) + \delta$, for all $c \in C$.
A component B can execute a transition $\tau = (l, p, g_X, g_C, R, f_\tau, l')$ from a state $(l, v_x, v_c)$ if its timing constraint is met by the valuation $v_c$. The execution of τ corresponds to moving from control location l to l′, updating variables and resetting the clocks of R. Alternatively, it can wait for a duration δ > 0, if the time progress condition tpc(l) stays True. This increases all the clock values by δ. Notice that execution of jump transitions is instantaneous; the control location cannot change while time elapses.
Components communicate by means of interactions. An interaction is a synchronization between transitions of a fixed subset of components. It is possible only if all the participating components can execute the corresponding transitions. A formal definition can be found in [1]; we omit it here for the sake of conciseness.
3.2 The PharOS platform
PharOS [3] is an operating system that allows designing, implementing and executing safety-critical multitasking applications based on the ΨC language.
The main building block of a PharOS application is the TT task, which is a set of successive jobs. Communication among tasks is through temporal variables, which are real-time data flows available to all tasks. Successive values of a temporal variable are produced by a single owner task at a predetermined temporal rhythm.
ΨC is a programming language designed for specifying different TT tasks and their synchronization points. It preserves the operational semantics of C, but adds time constraints to these semantics with the Ψ extension (this extension could be applied to any imperative programming language). C control flow graphs are automata, so C's instructions for control flow can be used to express sequencing of blocks, loops, and choices. The basic Ψ addition to C consists of the following instructions: before, after, and advance, which respectively add before constraints, after constraints, and synchronization points.
- After instruction (after(d)): defines d as the relative release date of the following job;
- Before node (before(d)): defines d as the relative deadline of the preceding job;
- Advance node (advance(d)), also called synchronization point: combines the after(d) and before(d) instructions. It defines the absolute visibility date of the data produced by the job.
A PharOS application consists of a set of clock definitions followed by a set of task—also called agent—definitions. Recall that the set of parallel tasks communicates through (specific shared) variables. PharOS applications are characterised by the following abstract syntax:
  Application ::= Clock+ . Agent+ ,
  Clock ::= c = (φc, Pc) ,
  Agent ::= {input tv}* . {output tv}* . Body ,
  Body ::= {C code . [after(n) | before(n) | advance(n)] with Clock}* ,
where c is a clock, with φc and Pc being respectively the phase shift and period of c (see the detailed definition below); tv is a temporal variable and n ∈ Z+ is a time step w.r.t. an associated clock.
Clocks. Clocks are variables used to describe the temporal behavior of the application. A clock defines a sequence of periodic instants called activation instants. These latter are used by the agents for describing timing constraints and synchronizations. Each clock c has an associated phase shift $\varphi_c$ and a period $P_c$.
The global clock $c_{BASE} = (\varphi_{BASE}, P_{BASE})$ is defined by its phase shift and period expressed in real time units, such as 1 second, 100 milliseconds etc. Formally, this clock defines a sequence of instants $(t_i)_{i \ge 0} = (i \cdot P_{BASE} + \varphi_{BASE})_{i \ge 0}$. Other clocks $c = (\varphi_c, P_c)$ are defined w.r.t. $c_{BASE}$, by putting $c = P_c * c_{BASE} + \varphi_c$. Activation instants $(r_i)_{i \ge 0}$ of c are computed from those of $c_{BASE}$ as follows:
$$r_i = (i \cdot P_c + \varphi_c)\, P_{BASE} + \varphi_{BASE}. \tag{2}$$
Although it is not used in this paper, the ΨC language also provides—for the designers' convenience—a possibility of defining new clocks in terms of clocks other than cBASE. Figure 2b depicts activation instants of the clock cBASE with a period of one millisecond, a clock c1 = (1, 3) derived from cBASE and a clock c2 derived from c1. Activation instants of c1 are 1ms, 4ms, 7ms etc. The ΨC code declaring the clocks of this example is shown in Figure 2a, where gtc1 is the ΨC primitive declaring a global clock with milliseconds as the time unit.
  clock cBASE = gtc1(0,1)
  clock c1 = 3 * cBASE + 1
  clock c2 = 2 * c1 + 1
(a) ΨC clock declarations
(b) Activation instants of cBASE, c1 and c2 over a time axis from 0 to 13 ms
Figure 2: Example of clocks and activation instants
In the remainder of this work, an instant $t_i$ of $c_{BASE}$ (resp. $r_j$ of c) is referenced by its index i (resp. j). For example, in Figure 2, "instant 4 of $c_{BASE}$" refers to the physical activation instant $t_4 = 4$ ms. Similarly, "instant 1 of $c_1$" refers to the instant $r_1 = 4$ ms.
An instant $r_i$ of clock $c = (\varphi_c, P_c)$ can be mapped into an instant $t_j$ of clock $c_{BASE}$ by the function $\mathit{conv}^{c}_{c_{BASE}} : c \to c_{BASE}$, defined by letting
$$\mathit{conv}^{c}_{c_{BASE}}(r_i) = t_j, \quad \text{with } j = i \cdot P_c + \varphi_c. \tag{3}$$
Inversely, a global instant $t_i$ of clock $c_{BASE}$ can be mapped into an instant $r_j$ of a derived clock c by using the function $\mathit{conv}^{c_{BASE}}_{c}$, defined by letting
$$\mathit{conv}^{c_{BASE}}_{c}(t_i) = r_j, \quad \text{with } j = \left\lfloor \frac{i - \varphi_c}{P_c} \right\rfloor. \tag{4}$$
For example, in Figure 2, the instant r = 1 of clock $c_1$ is mapped to the instant $\mathit{conv}^{c_1}_{c_{BASE}}(1) = 4$ of clock $c_{BASE}$. The instant t = 5 of clock $c_{BASE}$ is mapped into instant $\mathit{conv}^{c_{BASE}}_{c_1}(5) = 1$ of clock $c_1$.
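As an added example (our own code, not code from the report or from PharOS), the clock arithmetic of equations (2) to (4) in C, exercised on the clocks of Figure 2. The names ttclock, activation_ms, conv_to_base, conv_from_base and derive are ours; the phase and period of cBASE in milliseconds (0 and 1) are those of Figure 2. The point worth seeing in code is the floor in (4): C's integer division truncates toward zero, so a global instant earlier than the first activation of c (i < φc) would be mapped to index 0 instead of −1 without an explicit floor division. The function derive goes beyond the report's example: it rewrites a clock declared in terms of another clock (c2 = 2 * c1 + 1) as a (φ, P) pair w.r.t. cBASE, which is our own derivation from the definition c = Pc * cBASE + φc.

```c
/* Added example (not from the report or PharOS): clock arithmetic of
 * Section 3.2, equations (2) to (4), on the clocks of Figure 2.  Instants are
 * handled by index, as the report does; cBASE is in milliseconds. */
#include <stdio.h>

typedef struct {
    long phi;   /* phase shift phi_c, in ticks of cBASE */
    long P;     /* period P_c, in ticks of cBASE */
} ttclock;

static const long PHI_BASE_MS = 0;   /* cBASE = gtc1(0,1): phase 0 ms, period 1 ms */
static const long P_BASE_MS   = 1;

/* Physical activation instant r_i of clock c, in ms (equation (2)). */
long activation_ms(ttclock c, long i) {
    return (i * c.P + c.phi) * P_BASE_MS + PHI_BASE_MS;
}

/* conv^{c}_{cBASE}: index i of c -> index j of cBASE (equation (3)). */
long conv_to_base(ttclock c, long i) {
    return i * c.P + c.phi;
}

/* Floor division.  C's '/' truncates toward zero, so for a global instant
 * earlier than the first activation of c (i < phi_c) it would return 0 where
 * equation (4) wants -1; the correction below restores the floor. */
static long floor_div(long a, long b) {
    long q = a / b;
    if (a % b != 0 && ((a < 0) != (b < 0))) q--;
    return q;
}

/* conv^{cBASE}_{c}: index i of cBASE -> index j of c (equation (4)). */
long conv_from_base(ttclock c, long i) {
    return floor_div(i - c.phi, c.P);
}

/* A clock declared from another clock, as in "clock c2 = 2 * c1 + 1", rewritten
 * as a (phi, P) pair w.r.t. cBASE so the functions above apply to it as well.
 * This rewriting is our own; the report only states that such declarations exist. */
ttclock derive(ttclock parent, long k, long shift) {
    ttclock r = { conv_to_base(parent, shift), k * parent.P };
    return r;
}

int main(void) {
    ttclock c1 = { 1, 3 };            /* clock c1 = 3 * cBASE + 1 */
    ttclock c2 = derive(c1, 2, 1);    /* clock c2 = 2 * c1 + 1 */
    for (long i = 0; i < 3; i++)
        printf("instant %ld of c1 is %ld ms (instant %ld of cBASE)\n",
               i, activation_ms(c1, i), conv_to_base(c1, i));
    printf("instant 5 of cBASE maps to instant %ld of c1\n", conv_from_base(c1, 5));
    printf("instant 0 of cBASE maps to instant %ld of c1 (before c1's first tick)\n",
           conv_from_base(c1, 0));
    printf("c2 w.r.t. cBASE: phase %ld, period %ld\n", c2.phi, c2.P);
    return 0;
}
```

With the clocks of Figure 2, instant 1 of c1 maps to instant 4 of cBASE and instant 5 of cBASE maps to instant 1 of c1, as in the worked example above; instant 0 of cBASE maps to index −1 of c1, which is what (4) gives and what truncating division would get wrong.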
Agent. An agent consists of an interface including declarations of input and output data
flows (temporal variables) followed by a body. This latter describes the behavior of the agent
through a block of timeless C code extended with after, before and advance statements. An
after(d) (resp. before(d), advance(d)) with a clock c = (φc, Pc), defines the release (resp.
deadline, synchronization) instant corresponding to d units of time after a reference instant.
This reference instant corresponds to the absolute instant recording the visit of the last after
or advance node.
body start
{
  // Job A
  ComputationA();
  // Job B
  after(1) with c;
  ComputationB();
  before(2) with c;
  // Job C
  ComputationC();
  advance(3) with c;
  // Job D
  ComputationD();
} 
Figure 3: Example of body ΨC code
The code of Figure 3 describes the behavior of a task with four jobs (labelled A to D). In this example, all temporal constraints are defined over the same clock c. The release date of job B is one unit of time after the initial instant or the previous advance constraint, i.e. advance(3), depending on the execution history. Two units of time later, job B must have ended. After the execution of job C, communication takes place, since the advance statement is reached. The visibility date of the data produced by C is three units of time after the previous visit to the statement after(1).
A computation model of the PsiC language was provided in [19], where the behaviour of a task is specified using a directed graph, where arcs represent the successive jobs and nodes bear the temporal constraints. Nodes of the graph are of four types: after, before, advance and no-constraint nodes. This model is not at the same abstraction level as the PsiC language, since it does not hold clocks and thus does not provide the possibility of specifying constraints over different clocks. Moreover, no operational semantics is provided.
In the next section, we provide a formal computation model of the PsiC language and express its semantics in terms of LTS.
4 Formal Computation Model of the PsiC language
To define a formal translation from TT-BIP to PharOS applications and to prove its correctness, we need to provide a formal definition of the operational semantics of the target formalism. Moreover, we need the latter to be at the same abstraction level as the ΨC code, i.e. to specify constraints (release, deadline and synchronization shifts) over different clocks.
In this section, we present the Time-Constrained Automata (TCA) model as the computation model of PharOS applications. We detail first how a PharOS task behavior can be presented (Definition 4) as a tuple in order to handle the multi-clock constraints. Then we provide its operational semantics (Definition 5).
A TCA automaton describes the behavior of a task, where nodes represent only the control locations and arcs are labelled by the triplets of constraints defining respectively the release, deadline and/or synchronization instants. Each component of such a triplet is either $(-1, \bot)$, or a pair of a shift constraint and a clock over which this shift is defined. We denote by $M \stackrel{\text{def}}{=} (\mathbb{Z}^+ \times C) \cup \{(-1, \bot)\}$ the set of all such labels. When a label is $(-1, \bot)$, the corresponding constraint is not defined.
Given a shift $x \in \mathbb{Z}^+$ over a clock c, and a reference instant λ over the global clock $c_{BASE}$, we denote by $\mathit{shift}^{c}_{c_{BASE}} : c_{BASE} \times \mathbb{Z}^+ \to c_{BASE}$ the function computing the global instant corresponding to the desired shift as follows:
$$\mathit{shift}^{c}_{c_{BASE}}(\lambda, x) = \mathit{conv}^{c}_{c_{BASE}}\big(\mathit{conv}^{c_{BASE}}_{c}(\lambda) + x\big), \tag{5}$$
where $\mathit{conv}^{c}_{c_{BASE}}$ and $\mathit{conv}^{c_{BASE}}_{c}$ are defined in (3) and (4), respectively.
Definition 4 (TCA). A TCA is a tuple (N, K, X, C, T) where N is a finite set of nodes, K is a finite set of jobs, X is a set of local variables, C is a set of clocks, comprising a real-time global clock $c_{BASE}$ and other clocks derived from $c_{BASE}$, and $T = N \times \mathcal{G}_X \times M^3 \times K \times V(X)^{V(X)} \times N$ is a set of transitions. Thus, a transition is a tuple $\tau = (n, g_X, m, k, f, n') \in T$ where:
- $g_X \in \mathcal{G}_X$ is a Boolean guard on X;
- $m = ((r, c_r), (d, c_d), (s, c_s)) \in M^3$ is a triplet defining respectively the release shift over clock $c_r$, the deadline shift over clock $c_d$ and/or the synchronization shift over clock $c_s$. If $(s, c_s) \ne (-1, \bot)$, then $(d, c_d) = (s, c_s)$. If $(r, c_r) \ne (-1, \bot)$ and $(d, c_d) \ne (-1, \bot)$, then $\mathit{shift}^{c_r}_{c_{BASE}}(\lambda, r) \le \mathit{shift}^{c_d}_{c_{BASE}}(\lambda, d)$ for any $\lambda \in c_{BASE}$ (i.e. if defined, the global release instant is always less than or equal to the global deadline instant);
- $k \in K$ is a job;
- $f \in V(X)^{V(X)}$ is an update function on variables in X.
Figure 4: Alternative representation of the task behavior of Figure 3: start → A labelled (−1, −1, −1) → B labelled (1, 2, −1) → C labelled (−1, 3, 3) → D labelled (3, −1, −1).
The automaton presenting the task behavior of Figure 3 is shown in Figure 4. Since
in the model of Figure 3 all constraints are defined over the same clock, we only show the
first component, i.e. the shift, of each pair of the triplet-label. This triplet-label depends
on timing instructions encompassing the job in the original body code. The label of the job
A is ((−1,⊥), (−1,⊥), (−1,⊥)) since in the original code, it is not preceded by an after
instruction, nor succeeded by a before or advance instruction. Notice that, in the labels of
job C, the deadline shift coincides with the corresponding synchronization shift, reflecting the
fact that in the original behavior code, this job is succeeded by an advance instruction.
Defining the operational semantics of TCA automaton requires a notion of state. The
state of a TCA automaton is described in four parts: the control state (i.e. control location),
the state of the data variables, the state of the clock variables and the state of a delay variable
(needed for absolute constraints computation). TCA semantics can be defined as a labelled
transition system:
Definition 5 (Semantics of TCA). The semantics of a time-constrained automaton (N, K, X, C, T) is defined as a labelled transition system $(Q, K, \longrightarrow)$, where $Q = N \times V(X) \times V(C) \times \mathbb{R}_{>0}$ and $\longrightarrow \subseteq Q \times K \times Q$ is the set of transitions, defined as follows. Let $(n, v_x, v_c, v_{\lambda_{ref}})$ and $(n', v'_x, v'_c, v'_{\lambda_{ref}})$ be two states, such that $v_c \le v'_c$ for all $c \in C$. We have $(n, v_x, v_c, v_{\lambda_{ref}}) \xrightarrow{k} (n', v'_x, v'_c, v'_{\lambda_{ref}})$ iff there exists a transition $(n, g_X, ((r, c_r), (d, c_d), (s, c_s)), k, f, n') \in T$ such that:
- $g_X(v_x) = \mathit{True}$,
- $v'_x = f(v_x)$,
- $v_c = v'_c$, if $((r, c_r), (d, c_d), (s, c_s)) = ((-1, \bot), (-1, \bot), (-1, \bot))$, otherwise $v_c \le v'_c$,
- if $(r, c_r) \ne (-1, \bot)$, then $\forall c \in C \setminus \{c_{BASE}\}$, $\mathit{shift}^{c_r}_{c_{BASE}}(v_{\lambda_{ref}}, r) \le \mathit{conv}^{c}_{c_{BASE}}(v'_c(c))$,
- if $(d, c_d) \ne (-1, \bot)$, then $\forall c \in C \setminus \{c_{BASE}\}$, $\mathit{conv}^{c}_{c_{BASE}}(v'_c(c)) \le \mathit{shift}^{c_d}_{c_{BASE}}(v_{\lambda_{ref}}, d)$,
- $$v'_{\lambda_{ref}} = \begin{cases} \mathit{shift}^{c_s}_{c_{BASE}}(v_{\lambda_{ref}}, s), & \text{if } s \ne -1, \\ \mathit{shift}^{c_r}_{c_{BASE}}(v_{\lambda_{ref}}, r), & \text{if } s = -1 \text{ and } r \ne -1, \\ v_{\lambda_{ref}}, & \text{if } s = -1 \text{ and } r = -1. \end{cases}$$
An execution sequence of a TCA automaton is a sequence of transitions from different states of the system. It is defined as follows:
Definition 6 (Execution Sequence). A finite (resp. infinite) execution sequence of a time-constrained automaton (N, K, X, C, T) from an initial state $(n_0, v^0_x, v^0_c, v^0_{\lambda_{ref}})$ is a sequence of transitions:
$$(n_i, v^i_x, v^i_c, v^i_{\lambda_{ref}}) \xrightarrow{k_i} (n_{i+1}, v^{i+1}_x, v^{i+1}_c, v^{i+1}_{\lambda_{ref}}),$$
where $k_i \in K$ and $i \in [1, n]$ such that $n \in \mathbb{Z}^+$.
Lemma 1. Given a job $k_i \in K$ with $i \in [1, n]$, such that $q_i \xrightarrow{k_i} q_{i+1}$, then $\forall c \in C$,
$$\mathit{conv}^{c}_{c_{BASE}}(v^i_c(c)) \le \mathit{conv}^{c}_{c_{BASE}}(v^{i+1}_c(c)),$$
where $v^i_c$ denotes the clock valuation component of the corresponding state $q_i$.
Notice that the combination of Lemma 1 with Definition 5 implicitly extends the constraints of a transition to its succeeding or preceding ones, i.e. given a transition $\tau_i = (n, g_X, ((r, c_r), (d, c_d), (s, c_s)), k_i, f, n') \in T$, where $(r, c_r) \ne (-1, \bot)$ and $(d, c_d) \ne (-1, \bot)$, the deadline shift $(d, c_d)$ applies implicitly to all preceding transitions while the release shift $(r, c_r)$ applies to all succeeding transitions. That is, for jobs $k_{i-1}, k_i, k_{i+1} \in K$ with $i \in [1, n]$, such that $q_{i-1} \xrightarrow{k_{i-1}} q_i \xrightarrow{k_i} q_{i+1} \xrightarrow{k_{i+1}} q_{i+2}$, we have $\forall c \in C$,
$$\mathit{conv}^{c}_{c_{BASE}}(v^{i-1}_c(c)) \le \mathit{conv}^{c}_{c_{BASE}}(v^i_c(c)) \le \mathit{conv}^{c}_{c_{BASE}}(v^{i+1}_c(c)) \le \mathit{shift}^{c_d}_{c_{BASE}}(v^i_{\lambda_{ref}}, d)$$
and
$$\mathit{shift}^{c_r}_{c_{BASE}}(v^i_{\lambda_{ref}}, r) \le \mathit{conv}^{c}_{c_{BASE}}(v^{i+1}_c(c)) \le \mathit{conv}^{c}_{c_{BASE}}(v^{i+2}_c(c)),$$
where $v^i_c$ (resp. $v^i_{\lambda_{ref}}$) denotes the clock valuation component (resp. the component of the $\lambda_{ref}$ valuation) of the corresponding state $q_i$.
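To make Definition 5 concrete, the following added example (our own code, not the report's tooling) checks one TCA transition against the release and deadline conditions and the λref update rule, then replays the job sequence of Figure 4 over the single derived clock c1 = (1, 3) of Figure 2. Instants are handled as cBASE indices, the pair (−1, ⊥) is represented by −1, and λref is assumed to start at 0 as Section 5.1 states for λ^c_ref; the names ttclock, label, shift_base, tca_step and run_figure4 are ours. The two schedules given to run_figure4 are constructed inputs: one respects every constraint and one fires job B after its deadline.

```c
/* Added example (not the report's code): checking TCA transitions against the
 * timing conditions of Definition 5 and replaying the job sequence of Figure 4
 * (jobs A, B, C, D) over the single derived clock c1 = (1, 3) of Figure 2.
 * Instants are cBASE indices; -1 stands for the undefined label (-1, bottom). */
#include <stdio.h>

typedef struct { long phi, P; } ttclock;            /* c = (phi_c, P_c) w.r.t. cBASE */
typedef struct { long r, d, s; ttclock c; } label;  /* ((r,c),(d,c),(s,c)); -1 = undefined */

static long floor_div(long a, long b) {              /* floor, not C's truncation */
    long q = a / b;
    if (a % b != 0 && ((a < 0) != (b < 0))) q--;
    return q;
}
static long conv_to_base(ttclock c, long i)   { return i * c.P + c.phi; }           /* (3) */
static long conv_from_base(ttclock c, long i) { return floor_div(i - c.phi, c.P); } /* (4) */

/* shift^{c}_{cBASE}(lambda, x): the global instant x ticks of c after lambda (5). */
long shift_base(ttclock c, long lambda, long x) {
    return conv_to_base(c, conv_from_base(c, lambda) + x);
}

/* One TCA step.  The job fires at index v_new of its clock; v_old is the clock
 * index of the previous state and *lambda the reference instant v_lambda_ref.
 * Returns 0 and updates *lambda as Definition 5 prescribes, or -1 when the
 * proposed instant violates one of its conditions. */
int tca_step(label m, long v_old, long v_new, long *lambda) {
    int unconstrained = (m.r == -1 && m.d == -1 && m.s == -1);
    if (unconstrained ? (v_new != v_old) : (v_new < v_old))
        return -1;                                   /* clocks never go backwards */
    long now = conv_to_base(m.c, v_new);             /* firing instant on cBASE */
    if (m.r != -1 && shift_base(m.c, *lambda, m.r) > now) return -1; /* not released yet */
    if (m.d != -1 && now > shift_base(m.c, *lambda, m.d)) return -1; /* deadline missed */
    if (m.s != -1)      *lambda = shift_base(m.c, *lambda, m.s);     /* advance node */
    else if (m.r != -1) *lambda = shift_base(m.c, *lambda, m.r);     /* after node */
    return 0;                                        /* otherwise lambda is unchanged */
}

/* Replay Figure 4 with job k fired at c1 index inst[k].  Returns 0 and the
 * final lambda_ref in *lambda, or -1 if some step is invalid.  The
 * monotonicity of Lemma 1 is enforced by tca_step along the way. */
int run_figure4(const long inst[4], long *lambda) {
    ttclock c1 = { 1, 3 };
    label jobs[4] = {
        { -1, -1, -1, c1 },   /* A: no constraint */
        {  1,  2, -1, c1 },   /* B: after(1) ... before(2) */
        { -1,  3,  3, c1 },   /* C: advance(3), so deadline = synchronization shift */
        {  3, -1, -1, c1 },   /* D: after(3) */
    };
    *lambda = 0;                                     /* assumption: lambda_ref starts at 0 */
    long v = 0;                                      /* initial c1 index */
    for (int k = 0; k < 4; k++) {
        if (tca_step(jobs[k], v, inst[k], lambda) != 0) return -1;
        v = inst[k];
    }
    return 0;
}

int main(void) {
    long ok[4]  = { 0, 1, 3, 7 };   /* constructed: a schedule meeting every constraint */
    long bad[4] = { 0, 2, 3, 7 };   /* constructed: job B fires one c1 tick too late */
    long lambda;
    if (run_figure4(ok, &lambda) == 0)
        printf("valid schedule, final lambda_ref = %ld (cBASE index)\n", lambda);
    if (run_figure4(bad, &lambda) != 0)
        printf("late job B rejected\n");
    return 0;
}
```

Tracing the valid schedule by hand with (5): from λref = 0, job B is released at global instant 1 and due at 4, and firing it at c1 index 1 (global instant 4) sets λref = 1; C is then due at 10 and, being an advance node, sets λref = 10; D is released at 19, so firing it at c1 index 7 (global instant 22) is accepted and leaves λref = 19.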
5 From RT-BIP to PharOS
We transform an RT-BIP model into a PharOS application in two steps (cf. Figure 5).
Figure 5: From RT-BIP to the TCA model: a 2-step transformation (RT-BIP → TT-BIP in step 1 [11], TT-BIP → TCA in step 2).
Figure 6: TT-BIP model derived from the example of Figure 1. Task1, Task2 and Task3 now communicate through the TT communication components TTCC1 and TTCC2 (ports q, r, s) and a conflict resolution component CRP. The Task1 automaton (clock c, int x) has locations L1, L, L2 with ports i, ps and p, time progress conditions c ≤ 2, and the update functions shown in the figure.
Step 1: RT-BIP to TT-BIP. This transformation—published in [11] and proven to be semantics-preserving—consists in adapting the initial model to comply with the TT communication pattern. The obtained model—called TT-BIP—is a structural restriction of RT-BIP respecting the TT paradigm.
In this transformation, components are grouped into tasks by following a user-defined task
mapping. Each interaction involving several tasks is replaced by a protocol, implemented by a
dedicated TT communication component (TTCC). Interactions between task components and
TTCC components are binary synchronisations with unidirectional data transfer. A conflict
resolution protocol (CRP) component is used for resolving conflicts between interactions [5].
A task component can define several clocks, but we consider that each transition within a
task can be labelled only by a single-clock constraint and all clocks are never reset. CRP
and TTCC components rely on a common clock, which is computed as being the greatest
common divisor of all tasks clocks and is never reset. The set of all ports is partitioned into
send (Ps), receive (Pr) and internal ports (Pi). In the TT-BIP model, if a send port is enabled
at some global state, then all its receive ports are also enabled at that state. Figure 6 shows
the TT-BIP model obtained after applying the Step 1 transformation to the example of Figure 1.
Step 2: TT-BIP to TCA. In this step, we transform the TT-BIP model—obtained in
Step 1—into a TCA automaton.
In the remainder of this section, we discuss the challenges of the transformation in Step 2, define the semantics of TCA in terms of LTS and the formal transformation rules allowing us to derive TCA from TT-BIP models.
5.1 Transformation challenges
Moving from absolute to relative constraints. In TT-BIP, all constraints are defined in terms of absolute clock values. On the contrary, TCA nodes bear only relative constraints, i.e. increments with respect to the previously visited after or advance node.
In order to address this issue, we make use of the variable $\lambda^c_{ref}$. It is initiated to zero and updated whenever an after or an advance node is instantiated. Thus, it stores the valuation of the clock c in the last visited after or advance node. A relative constraint $d_{relative}$ is computed from its corresponding absolute constraint $d_{absolute}$ following this formula:
$$d_{relative} = d_{absolute} - \lambda^c_{ref}. \tag{6}$$
Mapping of timing constraints. Both RT-BIP and TT-BIP models are based on an abstract notion of time. In particular, actions that correspond to the computational steps (jump transitions) of the system are considered to be atomic and have zero execution times. Thus, only the start instants of these actions have associated timing constraints. Delay steps are specified by time progress conditions (tpc) indicating whether time can progress at a given state of the system. However, in TCA models, actions are considered to have both a release date and a deadline. These dates can be easily specified by using the after and before instructions of the ΨC language, which correspond to the release and deadline labels in the TCA model presented in Section 4.
This issue can be addressed by transforming each step of a TT-BIP automaton (computational or delay step) into one or more actions in the final TCA automaton as follows.
A computational step τ having a timing constraint of the form $l_c \le c \le u_c$ in TT-BIP has only its start instant constrained. It is supposed to start at any instant between $l_c$ and $u_c$. In order to keep the same semantics in TCA, we can insert a job to mark the beginning of each transition. The label of this job is the following: $((l_c - \lambda^c_{ref}, c), (u_c - \lambda^c_{ref}, c), (-1, \bot))$. It has no update actions and defines a release shift and a deadline shift. This ensures that the following job will start at an instant respecting the constraint of τ. After this initial job, the actions of the original transition τ can be executed in a new job, depending on whether the original transition corresponds to internal computation or communication. The example in Figure 7a illustrates the mapping rule of a transition having a constraint of the form $l_c \le c \le u_c$.
Delay steps are constrained by time-progress conditions of the form $c \le v$. In TCA, these can be encoded by a loop job labelled by $((-1, \bot), (v - \lambda^c_{ref}, c), (-1, \bot))$, since in the original model the start instant of the delay step is not specified and only its deadline v is defined (see Figure 7b).
Figure 7: Mapping of constraints. (a) Computational step constraint: the TT-BIP transition $L_1 \to L_2$ labelled $a$ with $l_c \le c \le u_c$ becomes a job labelled $((l_c - \lambda^c_{ref}, c), (u_c - \lambda^c_{ref}, c), (-1, \bot))$ followed by the job $a$ leading to $L_2$. (b) Delay step constraint: the time-progress condition $c \le v$ is encoded by the job labelled $((-1, \bot), (v - \lambda^c_{ref}, c), (-1, \bot))$.
Communication mapping. In TT-BIP, all tasks are related to communication components
via binary interactions, which provide unidirectional data transfer and synchronization
between the sending and receiving actions of, respectively, the sender and the receiver
components. In TCA, communication is performed through the temporal variable model. New
values of temporal variables are made visible at each of the synchronization points of the
sender. These new values are consulted when the current time of the receivers is greater than or
equal to the visibility date of the new values. In our transformation two requirements need to
be satisfied: (1) the receiver must consult an updated temporal variable (i.e. after the sending
action of the sender task) and (2) we need to respect the communication semantics of the initial
model, i.e. the synchronisation between write and read actions.
We generate TCA synchronization points (advance instructions in the ΨC language) that
depend on whether the TT-BIP transition is triggered by a send, receive or internal
port. For each communicating transition in the original model, we instantiate—after the jobs
guaranteeing respect of the timing constraint (cf. Figure 7)—a job containing in its triplet-label
the synchronization component $(1, c_{fg})$, where $c_{fg}$ is a fine-grained clock.
For example, consider—in the original model—sender and receiver components having
the same clock. Suppose they are meant to communicate at the same instant $t$ in the TT-BIP
model. We can define a finer clock $c_{fg}$, allowing the instantiation of synchronisation points
(send and receive at t + ). For example, consider the time line in Figure 8. The visibility
instant of the sender data is $4t+1$ of the clock $c_{fg}$. The receiver will consult these data at the
instant $4t+2$ of the clock $c_{fg}$. In this example both requirements cited above are satisfied:
Figure 8: Example of advance nodes defined over $c_{fg}$ ($c_{fg} = c/4$). The sender and receiver clocks $c$ at instant $t$ correspond to instant $4t$ over $c_{fg}$; the visibility instant is $4t+1$ and the consultation instant is $4t+2$.
(1) the sender updates the variable before the receiver consults it; (2) when considering the
initial clock $c$ over which the synchronization instant $t$ was defined, these write and read
instants can be approximated to $t$ since the instant $t+1$ over $c$ is still not reached.
In order to address this challenge for an arbitrary initial model without resorting to ad hoc
solutions, we propose the following solution. We define a fine-grained clock $c_{fg} = c_{TTCC}/2$
where $c_{TTCC}$ is the clock of the TTCC components in the TT-BIP model. All synchronization points
(i.e. the third component of the triplet-label) are defined over this clock. To each sending
action we associate a job labelled by $((-1, \bot), (1, c_{fg}), (1, c_{fg}))$ (i.e. an advance(1) statement in
the ΨC code). Note that this job is instantiated after guaranteeing respect of the timing
constraint of the original model (i.e. after instantiating the jobs of Figure 7). We add a Boolean
flag to each transferred message, which allows testing the freshness of the message. The
sender automaton flips this flag whenever a sending transition is executed.
The receiver automaton has a local flag used as reference. The value of that flag is set to
the value of the flag of the last received message. To each receiving transition, we associate a
loop job labelled by $((-1, \bot), (1, c_{fg}), (1, c_{fg}))$ corresponding to successive reception attempts
until the message is detected to be fresh, that is, until the value of the local flag differs
from the value of the flag of the message. Since in the TT-BIP model all the receive ports of
an interaction are enabled if the send port is enabled, we can be sure that the receiving job
in the obtained TCA automaton will occur at the latest one instant after the sending one over
the clock $c_{fg}$. The synchronization requirement over the clock $c_{TTCC}$ is thus satisfied.
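The communication mapping above, as an added discrete-time model that is not part of the report: a single-writer temporal variable, a sender that flips its flag and publishes one $c_{fg}$ tick later (the advance(1) job), and a receiver whose loop job keeps advancing until $g^p_{fresh}$ holds. The two-ticks-per-$c_{TTCC}$ ratio, the message layout (flag, payload) and the helper names are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Any, List, Optional, Tuple

CFG_PER_TTCC = 2   # c_fg = c_TTCC / 2, as in Section 5.1 (assumed ratio for this model)


class TemporalVariable:
    """Single-writer temporal variable (simplified): a write becomes visible at its
    visibility instant over c_fg; a read at instant t returns the most recent
    value whose visibility instant is <= t."""

    def __init__(self) -> None:
        self._history: List[Tuple[int, bool, Any]] = []   # (visible_at, flag, payload)

    def write(self, visible_at: int, flag: bool, payload: Any) -> None:
        self._history.append((visible_at, flag, payload))

    def read(self, instant: int) -> Optional[Tuple[int, bool, Any]]:
        visible = [h for h in self._history if h[0] <= instant]
        return visible[-1] if visible else None


@dataclass
class Sender:
    var: TemporalVariable
    flag: bool = False            # flag_p of the sender, initialised to zero

    def send(self, t: int, payload: Any) -> int:
        """Send at c_TTCC instant t: f^p_flag flips the flag, then the job labelled
        ((-1,bot),(1,c_fg),(1,c_fg)) (advance(1)) publishes the value at the next
        c_fg instant. Returns the visibility instant over c_fg."""
        self.flag = not self.flag
        visible_at = t * CFG_PER_TTCC + 1
        self.var.write(visible_at, self.flag, payload)
        return visible_at


@dataclass
class Receiver:
    var: TemporalVariable
    flag: bool = False            # local reference flag_p of the receiver
    local: Any = None             # local variable written by f^p_update
    attempts: int = 0             # number of executions of the loop job

    def receive(self, t: int, max_attempts: int = 4) -> Optional[int]:
        """Receive at c_TTCC instant t: the loop job (advance(1) attempts while not
        g^p_fresh), then the receiving transition applying f^p_update. Returns the
        c_fg instant at which a fresh message was consulted, None if none was."""
        now = t * CFG_PER_TTCC
        for _ in range(max_attempts):
            now += 1                                   # advance(1) over c_fg
            self.attempts += 1
            msg = self.var.read(now)
            if msg is not None and msg[1] != self.flag:   # g^p_fresh: flag_p != flag_msg
                _, flag_msg, payload = msg
                self.local = payload                   # f^p_update copies the values ...
                self.flag = flag_msg                   # ... and flag_msg into flag_p
                return now
        return None


def exchange(t: int, payload: Any) -> dict:
    """One send/receive pair meant to synchronise at c_TTCC instant t. Reports the
    two requirements of Section 5.1: the value is visible before it is consulted,
    and both instants still map to the same instant t over c_TTCC."""
    var = TemporalVariable()
    s, r = Sender(var), Receiver(var)
    visible_at = s.send(t, payload)
    consulted_at = r.receive(t)
    return {
        "visible_at": visible_at,
        "consulted_at": consulted_at,
        "updated_before_consulted": consulted_at is not None and visible_at <= consulted_at,
        "same_ttcc_instant": consulted_at is not None
        and visible_at // CFG_PER_TTCC == consulted_at // CFG_PER_TTCC == t,
        "received": r.local,
        # a second receive without a new send never sees a fresh flag: the loop
        # job is exhausted and the stale value is not delivered again
        "stale_read_rejected": r.receive(t + 1) is None,
    }
```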
5.2 Formal translation
In this section, we present a formal definition of the transformation outlined in Section 5.1.
Definition 7. Let $B = (L, P, X, C, T, tpc)$ be a TT-BIP component with $P = P_i \cup P_s \cup P_r$ (see
the opening of Section 5). For $l \in L$, we denote $P_l = \{p \in P \mid l \xrightarrow{p}\}$ the set of ports enabled
in $l$. The TCA corresponding to $B$ is defined by putting $TCA_B = (N, K, X \cup X' \cup Y, C \cup \{c_{BASE}, c_{fg}\}, T')$, with
$$N = \{N^0_l \mid l \in L\} \cup \{l_p \mid l \in L,\ p \in P_l\} \cup \{N^1_{l_p} \mid l \in L,\ p \in P_l \cap P_r\},$$
$K = P \times \{send, receive, internal\}$, $X' = \{flag_p \mid p \in P_s \cup P_r\}$ and $Y$ are the sets of flags and
variables used for managing communication, and the set of transitions $T'$ is defined as follows.
For each transition $\tau = (l, p, g_X, tc, r, f, l') \in T$, with $tc = (lb \le c \le ub)$ and $tpc(l) = (c' \le v)$,
$c, c' \in C$, the set $T'$ comprises the following transitions:
$$\tau^{tpc}_l = \big(N^0_l, True, ((-1, \bot), (v - \lambda^{c'}_{ref}, c'), (-1, \bot)), (p, internal), id, N^0_l\big),$$
$$\tau^0_{l_p} = \begin{cases}
\big(N^0_l, g_X, ((lb - \lambda^c_{ref}, c), (ub - \lambda^c_{ref}, c), (-1, \bot)), (p, internal), f^p_{flag}, l_p\big), & \text{if } p \in P_s,\\
\big(N^0_l, g_X, ((lb - \lambda^c_{ref}, c), (ub - \lambda^c_{ref}, c), (-1, \bot)), (p, internal), id, l_p\big), & \text{if } p \in P_i \cup P_r,
\end{cases}$$
$$\tau^1_{l_p} = \begin{cases}
\big(l_p, True, ((-1, \bot), (1, c_{fg}), (1, c_{fg})), (p, internal), id, N^1_{l_p}\big), & \text{if } p \in P_s,\\
\big(l_p, \neg g^p_{fresh}, ((-1, \bot), (1, c_{fg}), (1, c_{fg})), (p, internal), id, l_p\big), & \text{if } p \in P_r,
\end{cases}$$
$$\tau_{l_p} = \begin{cases}
\big(l_p, True, ((-1, \bot), (-1, \bot), (-1, \bot)), (p, internal), f, N^0_{l'}\big), & \text{if } p \in P_i,\\
\big(N^1_{l_p}, True, ((-1, \bot), (-1, \bot), (-1, \bot)), (p, send), f, N^0_{l'}\big), & \text{if } p \in P_s,\\
\big(l_p, g^p_{fresh}, ((-1, \bot), (-1, \bot), (-1, \bot)), (p, receive), f \circ f^p_{update}, N^0_{l'}\big), & \text{if } p \in P_r.
\end{cases}$$
where $\lambda^{c'}_{ref} = conv^{c_{BASE}}_{c}(\lambda_{ref}, c')$, $\lambda^{c}_{ref} = conv^{c_{BASE}}_{c}(\lambda_{ref}, c)$, $id$ is the identity function,
$f^p_{flag} : V(X') \to V(X')$ is the function that flips the value of the Boolean variable $flag_p$ before
sending a message, $g^p_{fresh}$ is the guard verifying whether the value of $flag_p$ is different from that
contained in the received message, $f^p_{update} : V(X \cup Y) \to V(X)$ is the function updating local
variables according to received values if $p \in P_r$, and $c_{fg}$ is the clock having half of the period
of the smallest clock (i.e. clock $c_{TTCC}$) in the initial RT-BIP model (cf. the third paragraph
of Section 5.1).
Notice that the domain and co-domain of the function $f$ in the transition $\tau$ above are given
by $f : X \to X$. Hence the composition $f \circ f^p_{update}$ is well-defined.
For all types of triggering ports in the original transition, the instantiated transition $\tau^{tpc}_l$
maps the delay transition modelled by the tpc constraint associated to the source state of the
original transition. It does not execute any action, but allows waiting as long as the deadline $v$
is not reached. Transition $\tau^0_{l_p}$ constrains the release date of the original transition actions and
is guarded by $g_X$. For internal and receive ports, it does not execute any actions; for a send
port $p$, it executes $f^p_{flag}$, flipping the message flag. Transition $\tau^1_{l_p}$ is instantiated only for send
and receive ports. It allows the synchronization (communication) if the labelling port is a send
port. If the labelling port is a receive port, $\tau^1_{l_p}$ is a loop transition on the node $l_p$ consisting in
synchronization attempts while the message is not fresh. Transition $\tau_{l_p}$—for internal or send
triggering ports—executes the actions of the original transition and has neither guard nor timing
constraint. If the labelling port of the original transition is a receive port, the transition
$\tau_{l_p}$ marks the end of the synchronization attempts when the received message is detected to be
fresh (through the guard $g^p_{fresh}$). It also updates (through $f^p_{update}$) local variables according
to the received message before executing the function $f$ of the original transition (i.e. it executes
the composition $f \circ f^p_{update}$). When the labelling port is a send (resp. receive) port,
the transition $\tau_{l_p}$ is labelled differently from the rest of the transitions, namely by $(p, send)$
(resp. $(p, receive)$).
Figure 9 displays the sets of transitions in the obtained TCA automaton corresponding
to the transition shown in Figure 9a, depending on the type of port $p$.
In the following paragraph, we provide more details about the encoding of $f^p_{flag}$ and $g^p_{fresh}$,
and we show how $\tau^1_{l_p}$ and $\tau_{l_p}$ allow the reception of the actual message.
Encoding of communication details. Consider a receive port $p$ and the corresponding
local Boolean variable $flag_p$. Denote the Boolean flag of the message received through $p$ by
$flag_{msg}$. The guard $g^p_{fresh}$ is defined by putting
$$g^p_{fresh} \stackrel{def}{=} (flag_p \ne flag_{msg}).$$
By construction, $flag_p$ and $flag_{msg}$ are initiated to zero. Thus, initially, we have $\neg g^p_{fresh} = True$
and the loop transition $\tau^1_{l_p}$ is enabled. This transition will perform a communication attempt
(through an advance(1) node) with no actions on local variables. Each communication attempt
leads to the implicit update of the guard $g^p_{fresh}$ depending on the flag of the received
message. If the sender has sent a new message—through its corresponding transition $\tau^1_{l_{p'}}$—it
should have performed the function $f^{p'}_{flag}$ in order to change the value of $flag_{msg}$ with:
$$f^{p'}_{flag} = (flag_{p'} := \neg flag_{p'}).$$
Recall that $flag_{p'}$ is a local variable of the sending component, whereof the value is incorporated
into the message. This is the value that, upon reception of the message by the receiving
component, we denote $flag_{msg}$. Thus, upon reception of the message, $g^p_{fresh}$ evaluates to True,
enabling the transition $\tau_{l_p}$ in the receiver automaton. Otherwise, if the sender did not send
the new message yet, $g^p_{fresh}$ evaluates to False and the transition $\tau^1_{l_p}$ is again enabled.
Notice also that among the values contained in the message, only $flag_{msg}$ is tested after
execution of transition $\tau^1_{l_p}$. This value is only used to evaluate the freshness of each received
message.
Figure 9: A TT-BIP transition (a) and the corresponding set of TCA transitions (b)–(d). Panel (a): TT-BIP transition from $l$ (with $tpc(l) = (c' \le v)$) to $l'$, labelled by port $p$, guard $g_X$, timing constraint $l \le c \le u$ and update $f$. Panel (b), port $p \in P_i$: $\tau^{tpc}_l$ (loop on $N^0_l$, label $((-1,\bot),(v - \lambda^{c'}_{ref}, c'),(-1,\bot))$, $(p, internal)$), $\tau^0_{l_p}$ ($N^0_l \to l_p$, label $((lb - \lambda^c_{ref}, c),(ub - \lambda^c_{ref}, c),(-1,\bot))$, $(p, internal)$, guard $g_X$) and $\tau_{l_p}$ ($l_p \to N^0_{l'}$, label $((-1,\bot),(-1,\bot),(-1,\bot))$, $(p, internal)$, update $f$). Panel (c), port $p \in P_s$: as (b), with $\tau^0_{l_p}$ additionally executing $f^p_{flag}$, plus $\tau^1_{l_p}$ ($l_p \to N^1_{l_p}$, label $((-1,\bot),(1, c_{fg}),(1, c_{fg}))$, $(p, internal)$) and $\tau_{l_p}$ from $N^1_{l_p}$ to $N^0_{l'}$ labelled $(p, send)$ with update $f$. Panel (d), port $p \in P_r$: as (b), plus the loop $\tau^1_{l_p}$ on $l_p$ (label $((-1,\bot),(1, c_{fg}),(1, c_{fg}))$, $(p, internal)$, guard $\neg g^p_{fresh}$) and $\tau_{l_p}$ ($l_p \to N^0_{l'}$, $(p, receive)$, guard $g^p_{fresh}$, update $f \circ f^p_{update}$).
Since the transition $\tau_{l_p}$ of the receiver automaton is executed when the received message
is fresh, it is in charge of making local copies of message variables through the function $f^p_{update}$
before executing the function $f$ of the initial transition. The function $f^p_{update}$ also copies the
value of $flag_{msg}$ into $flag_p$, thereby also changing the value of $g^p_{fresh}$ from True to False.
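Definition 7 and the encoding of $f^p_{flag}$, $g^p_{fresh}$ and $f^p_{update}$ described above, as an added example that is not the report's own implementation: one TT-BIP transition is mapped to its TCA transition set, with guards and update functions carried as Python callables over a variable valuation. The node-naming scheme, the valuation keys `flag_p` / `msg_p`, and the plain subtraction standing in for the report's `conv` bookkeeping of $\lambda_{ref}$ are assumptions of this example.

```python
from typing import Any, Callable, Dict, List, NamedTuple, Tuple

Valuation = Dict[str, Any]
NONE = (-1, None)      # the pair (-1, bot): component absent from the triplet label
C_FG = "c_fg"          # fine-grained synchronisation clock (c_fg = c_TTCC / 2)


class TCATransition(NamedTuple):
    src: str
    guard: Callable[[Valuation], bool]
    label: Tuple            # ((release, clock), (deadline, clock), (sync, clock))
    port: Tuple[str, str]   # (p, "internal" | "send" | "receive"), an element of K
    update: Callable[[Valuation], Valuation]
    dst: str


def true(_: Valuation) -> bool:
    return True


def identity(v: Valuation) -> Valuation:
    return v


def compose(f: Callable, g: Callable) -> Callable:
    """f composed with g, applied right to left as in Definition 7 (f o f^p_update)."""
    return lambda v: f(g(v))


def flip_flag(p: str) -> Callable[[Valuation], Valuation]:
    """f^p_flag: flips the Boolean flag_p carried by every message sent on p."""
    def upd(v: Valuation) -> Valuation:
        w = dict(v)
        w[f"flag_{p}"] = not w.get(f"flag_{p}", False)
        return w
    return upd


def fresh(p: str) -> Callable[[Valuation], bool]:
    """g^p_fresh: flag_p differs from the flag of the last message received on p
    (the message is kept under the constructed valuation key msg_p)."""
    return lambda v: v.get(f"flag_{p}", False) != v[f"msg_{p}"]["flag"]


def not_fresh(p: str) -> Callable[[Valuation], bool]:
    g = fresh(p)
    return lambda v: not g(v)


def update_from_msg(p: str) -> Callable[[Valuation], Valuation]:
    """f^p_update: copy the received values into the local variables and
    flag_msg into flag_p, so that g^p_fresh becomes False again."""
    def upd(v: Valuation) -> Valuation:
        w = dict(v)
        msg = w[f"msg_{p}"]
        w.update({k: val for k, val in msg.items() if k != "flag"})
        w[f"flag_{p}"] = msg["flag"]
        return w
    return upd


def translate(l: str, p: str, kind: str, g_X: Callable, tc: Tuple[int, str, int],
              f: Callable, l_next: str, tpc_l: Tuple[str, int],
              lam_ref: Dict[str, int]) -> List[TCATransition]:
    """Definition 7 for one TT-BIP transition tau = (l, p, g_X, tc, {}, f, l').
    kind is the class of p: "internal", "send" or "receive"; tc = (lb, c, ub)
    encodes lb <= c <= ub; tpc_l = (c', v) encodes tpc(l) = (c' <= v);
    lam_ref[c] is lambda^c_ref, the clock valuation at the last after/advance node."""
    lb, c, ub = tc
    cp, v = tpc_l
    N0_l, N0_next = f"N0_{l}", f"N0_{l_next}"
    lp, N1_lp = f"{l}_{p}", f"N1_{l}_{p}"
    sync = (NONE, (1, C_FG), (1, C_FG))   # advance(1) over c_fg
    none = (NONE, NONE, NONE)             # no timing constraint at all
    out = [
        # tau^tpc_l: loop job that only waits, up to deadline v made relative (equation 6)
        TCATransition(N0_l, true, (NONE, (v - lam_ref[cp], cp), NONE), (p, "internal"), identity, N0_l),
        # tau^0_lp: release and deadline shifts of lb <= c <= ub, relative to lambda^c_ref
        TCATransition(N0_l, g_X, ((lb - lam_ref[c], c), (ub - lam_ref[c], c), NONE),
                      (p, "internal"), flip_flag(p) if kind == "send" else identity, lp),
    ]
    if kind == "send":
        out.append(TCATransition(lp, true, sync, (p, "internal"), identity, N1_lp))       # tau^1_lp
        out.append(TCATransition(N1_lp, true, none, (p, "send"), f, N0_next))              # tau_lp
    elif kind == "receive":
        out.append(TCATransition(lp, not_fresh(p), sync, (p, "internal"), identity, lp))  # tau^1_lp, loop
        out.append(TCATransition(lp, fresh(p), none, (p, "receive"),
                                 compose(f, update_from_msg(p)), N0_next))                 # tau_lp
    else:
        out.append(TCATransition(lp, true, none, (p, "internal"), f, N0_next))             # tau_lp
    return out


def fire(t: TCATransition, v: Valuation):
    """Apply one transition to a valuation: the updated valuation if the guard
    holds, None otherwise (timing labels are not interpreted here)."""
    return t.update(v) if t.guard(v) else None
```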
6 Correctness of the transformation
In order to prove the correctness of the transformation from TT-BIP to TCA, we have to
show that the corresponding semantic LTS are equivalent. This is illustrated in Figure 10,
where F denotes the transformation from TT-BIP to TCA (Definition 7), G1 and G2 denote
the corresponding LTS semantics.
We define observational equivalence between transition systems based on the classical
notion of weak bisimilarity [20], where some transitions are considered unobservable.
We will use the following notation. Consider a binary relation $R \subseteq X \times Y$. For $x \in X$,
we denote $R(x) \stackrel{def}{=} \{y \in Y \mid (x, y) \in R\}$.
Definition 8. (LTS relations) Let $A = (Q_A, P_A, \xrightarrow{}_A)$ and $B = (Q_B, P_B, \xrightarrow{}_B)$ be two LTS.
Given a relation $\beta \subseteq P_A \times P_B$, we write $q \xrightarrow{\beta}_A q'$, for $q \in Q_A$, iff there exists $a \in P_A$, such
that $q \xrightarrow{a}_A q'$ and $a$ is not related by $\beta$ to any label in $P_B$, i.e. $\beta(a) = \emptyset$. The notation $q \xrightarrow{\beta}_B q'$,
for $q \in Q_B$, is defined symmetrically.
A weak simulation over $A$ and $B$ is a pair of relations $R \subseteq Q_A \times Q_B$ and $\beta \subseteq P_A \times P_B$,
such that:
$$\forall (q, r) \in R,\ \forall a \in P_A,\ \Big( \beta(a) \ne \emptyset \wedge q \xrightarrow{a}_A q' \implies \exists (a, b) \in \beta : \exists (q', r') \in R : r \xrightarrow{\beta^* b \beta^*}_B r' \Big)$$
and
$$\forall (q, r) \in R,\ \Big( q \xrightarrow{\beta}_A q' \implies \exists (q', r') \in R : r \xrightarrow{\beta^*}_B r' \Big).$$
A weak bisimulation over $A$ and $B$ is a pair of relations $R \subseteq Q_A \times Q_B$ and $\beta \subseteq P_A \times P_B$,
such that both $(R, \beta)$ and $(R^{-1}, \beta^{-1})$ are weak simulations. We say that $A$ and $B$ are weakly
bisimilar w.r.t. $\beta \subseteq P_A \times P_B$, denoted $A \sim_\beta B$, if there exists $R \subseteq Q_A \times Q_B$ total on both $Q_A$
and $Q_B$, such that $(R, \beta)$ is a weak bisimulation.
Figure 10: Translation functions. $F$ maps TT-BIP to TCA; $G_1$ maps TT-BIP to its LTS and $G_2$ maps TCA to its LTS; the two resulting LTS are related by $\sim_\beta$.
Let $B = (L, P, X, C, T, tpc)$ be a TT-BIP component. We need to prove equivalence
between $G_1(B)$ and $G_2(F(B))$. To this end, we define the following relation on the labels of the
two LTS:
$$\beta = \{(p, (p, send)) \mid p \in P_s\} \cup \{(p, (p, receive)) \mid p \in P_r\}. \quad (7)$$
NB: In this draft version of the report, this theorem is not yet finalised.
Theorem 1. The LTSs $G_1(B)$ and $G_2(F(B))$ are weakly bisimilar w.r.t. $\beta$, i.e. $G_1(B) \sim_\beta G_2(F(B))$.
Proof. Let $G_1(B) = (Q_B, P, \xrightarrow{}_B)$ and $G_2(F(B)) = (Q_{TCA}, K, \xrightarrow{}_{TCA})$. Recall (Definition 3)
that the state space $Q_B$ has three components: control location, clock and variable valuations,
while the state space $Q_{TCA}$ (Definition 5) has an extra fourth component—besides the three
components previously cited—consisting in the valuation of the delay $\lambda_{ref}$. For a given state
$q$, we will denote $v_c(q)$ (resp. $v_x(q)$) its clock (resp. variable) valuation component. For a
given state $q \in Q_{TCA}$, we will denote $v_{\lambda_{ref}}(q)$ the corresponding valuation of $\lambda_{ref}$.
Below, we will use variables $q_B, r_B$, ranging over $Q_B$, and $q_{TCA}, r_{TCA}$, ranging over $Q_{TCA}$,
and denote their respective components as follows:
$$q_B = (l, v_x(q_B), v_c(q_B)),\quad r_B = (l', v_x(r_B), v_c(r_B)),$$
$$q_{TCA} = (n, v_x(q_{TCA}), v_c(q_{TCA}), v_{\lambda_{ref}}(q_{TCA})),\quad r_{TCA} = (n', v_x(r_{TCA}), v_c(r_{TCA}), v_{\lambda_{ref}}(r_{TCA})).$$
We define the relation $R \subseteq Q_B \times Q_{TCA}$ as follows:
$$R = \left\{ (q_B, q_{TCA}) \;\middle|\; \begin{array}{l}
n \in \{N^0_l\} \cup \{l_p\}_{p \in P_l} \cup \{N^1_{l_p}\}_{p \in P_l \cap P_s},\\
v_c(q_B) = v^*_c(q_{TCA}),\\
v_x(q_B) = v^*_x(q_{TCA})
\end{array} \right\} \quad (8)$$
where $v^*_c$ (resp. $v^*_x$) is the restriction of $v_c$ (resp. $v_x$) to the set of clocks $C$ (resp. variables
$X$). That is, the valuation function $v^*_c$ (resp. $v^*_x$) is defined only over clocks (resp. variables)
which are common between $B$ and $F(B)$, i.e. excluding the clocks $c_{BASE}$ and $c_{fg}$ (resp. the variables
$X' \cup Y$) of $F(B)$.
The following four assertions prove that $(R, \beta)$ is a weak bisimulation:
$$\text{(i)}\quad \forall (q_B, q_{TCA}) \in R,\ q_B \xrightarrow{\beta}_B r_B \implies \exists (r_B, r_{TCA}) \in R : q_{TCA} \xrightarrow{\beta^*}_{TCA} r_{TCA},$$
$$\text{(ii)}\quad \forall (q_B, q_{TCA}) \in R,\ q_{TCA} \xrightarrow{\beta}_{TCA} r_{TCA} \implies \exists (r_B, r_{TCA}) \in R : q_B \xrightarrow{\beta^*}_B r_B,$$
$$\text{(iii)}\quad \forall (q_B, q_{TCA}) \in R,\ \forall p \in P,\ \beta(p) \ne \emptyset \wedge q_B \xrightarrow{p}_B r_B \implies \exists (p, k) \in \beta : \exists (r_B, r_{TCA}) \in R : q_{TCA} \xrightarrow{\beta^* k \beta^*}_{TCA} r_{TCA},$$
$$\text{(iv)}\quad \forall (q_B, q_{TCA}) \in R,\ \forall k \in K,\ \beta^{-1}(k) \ne \emptyset \wedge q_{TCA} \xrightarrow{k}_{TCA} r_{TCA} \implies \exists (p, k) \in \beta : \exists (r_B, r_{TCA}) \in R : q_B \xrightarrow{\beta^* p \beta^*}_B r_B.$$
Hereafter, we detail proofs of each of these four points:
(i) If $q_B \xrightarrow{\beta}_B r_B$, then by definition (7) of the relation $\beta$, the corresponding transition is
either labelled by an internal port or by a real number representing a delay transition.
Note that if $\beta$ corresponds to an internal port $p \in P_l \cap P_i$, by definition (8) of the relation
$R$, we have $n \in \{N^0_l, l_p\}$ (see Figure 9b), $v_c(q_B) = v^*_c(q_{TCA})$ and $v_x(q_B) = v^*_x(q_{TCA})$.
Case 1: $\beta$ corresponds to an internal port $p \in P_l \cap P_i$ and $n = l_p$. By Definition 3,
there is a transition $l \xrightarrow{p, g_X, g_C, \emptyset, f} l'$ in $B$ (recall, Section 5, that no clocks are reset in
TT-BIP models), with
$$g_X(v_x(q_B)) = g_C(v_c(q_B)) = True,\quad v_x(r_B) = f(v_x(q_B)),\quad \text{and}\quad v_c(r_B) = v_c(q_B). \quad (9)$$
By definition of $F$ (Definition 7), there is a corresponding transition $\tau_{l_p}$:
$$l_p \xrightarrow{True,\ ((-1,\bot),(-1,\bot),(-1,\bot)),\ (p, internal),\ f} N^0_{l'}$$
in $F(B)$. By construction (8) of $R$, we have $q_{TCA} = (l_p, v_x(q_{TCA}), v_c(q_{TCA}), v_{\lambda_{ref}}(q_{TCA}))$,
such that
$$v_c(q_B) = v^*_c(q_{TCA})\quad \text{and}\quad v_x(q_B) = v^*_x(q_{TCA}). \quad (10)$$
Therefore, by definition of $G_2$ (Definition 5), we also have $q_{TCA} \xrightarrow{(p, internal)}_{TCA} r_{TCA}$, where
$r_{TCA} = (N^0_{l'}, v_x(r_{TCA}), v_c(r_{TCA}), v_{\lambda_{ref}}(r_{TCA}))$, with
$$v_c(r_{TCA}) = v_c(q_{TCA}),\quad v_{\lambda_{ref}}(r_{TCA}) = v_{\lambda_{ref}}(q_{TCA})\quad \text{and}\quad v^*_x(r_{TCA}) = f(v^*_x(q_{TCA})). \quad (11)$$
(For the latter equality, notice that, for internal ports $p \in P_i$, the function $f$ in the
transition $\tau_{l_p}$ only operates on variables in $X$, but not on those in $X' \cup Y$.)
Combining (9), (10) and (11), we obtain that $v^*_c(r_{TCA}) = v_c(r_B)$ and $v^*_x(r_{TCA}) = v_x(r_B)$.
Thus, we have $q_{TCA} \xrightarrow{\beta}_{TCA} r_{TCA}$ and, by (8), $(r_B, r_{TCA}) \in R$.
Case 2: $\beta$ corresponds to an internal port $p \in P_l \cap P_i$ and $n = N^0_l$. By
Definition 3, there is a transition $l \xrightarrow{p, g_X, g_C, \emptyset, f} l'$ in $B$ (recall, Section 5, that no clocks
are reset in TT-BIP models), with $g_C = (lb \le c \le ub)$ and
$$g_X(v_x(q_B)) = g_C(v_c(q_B)) = True,\quad v_x(r_B) = f(v_x(q_B)),\quad \text{and}\quad v_c(r_B) = v_c(q_B). \quad (12)$$
By definition of $F$ (Definition 7), there are two corresponding successive transitions $\tau^0_{l_p}$
and $\tau_{l_p}$:
$$N^0_l \xrightarrow{g_X,\ ((lb, c),(ub, c),(-1,\bot)),\ (p, internal),\ id} l_p \xrightarrow{True,\ ((-1,\bot),(-1,\bot),(-1,\bot)),\ (p, internal),\ f} N^0_{l'}$$
in $F(B)$. By construction (8) of $R$, we have $q_{TCA} = (N^0_l, v_x(q_{TCA}), v_c(q_{TCA}), v_{\lambda_{ref}}(q_{TCA}))$, such that
$$v_c(q_B) = v^*_c(q_{TCA})\quad \text{and}\quad v_x(q_B) = v^*_x(q_{TCA}). \quad (13)$$
Therefore, by definition of $G_2$ (Definition 5), we also have
$$q_{TCA} \xrightarrow{(p, internal)}_{TCA} q'_{TCA} \xrightarrow{(p, internal)}_{TCA} r_{TCA},$$
where
$$q'_{TCA} = (l_p, v_x(q'_{TCA}), v_c(q'_{TCA}), v_{\lambda_{ref}}(q'_{TCA})),\qquad r_{TCA} = (N^0_{l'}, v_x(r_{TCA}), v_c(r_{TCA}), v_{\lambda_{ref}}(r_{TCA})),$$
with
$$v_c(r_{TCA}) = v_c(q'_{TCA}) = v_c(q_{TCA}),\quad v_{\lambda_{ref}}(r_{TCA}) = v_{\lambda_{ref}}(q'_{TCA}) \ne v_{\lambda_{ref}}(q_{TCA}),\quad v^*_x(r_{TCA}) = f(v^*_x(q'_{TCA})) = f(v^*_x(q_{TCA})). \quad (14)$$
Combining (12), (13) and (14), we obtain that $v^*_c(r_{TCA}) = v_c(r_B)$ and $v^*_x(r_{TCA}) = v_x(r_B)$.
Thus, we have $q_{TCA} \xrightarrow{\beta\beta}_{TCA} r_{TCA}$ and, by (8), $(r_B, r_{TCA}) \in R$.
Case 3: $\beta$ is a real number $\delta$ (i.e. a delay step) and $n = N^0_l$, for some $l \in L$. By
Definition 3, there is a tpc constraint on location $l$ in $B$, $tpc(l) = (c \le \delta)$. Therefore:
$$v_x(r_B) = v_x(q_B),\quad \text{and}\quad v_c(r_B) = v_c(q_B) + \delta. \quad (15)$$
By definition of $F$ (Definition 7), there is a corresponding transition $\tau^{tpc}_l$:
$$N^0_l \xrightarrow{True,\ ((-1,\bot),(\delta, c),(-1,\bot)),\ (p, internal),\ id} N^0_l$$
in $F(B)$. By construction (8) of $R$, we have $q_{TCA} = (N^0_l, v_x(q_{TCA}), v_c(q_{TCA}), v_{\lambda_{ref}}(q_{TCA}))$, such that
$$v_c(q_B) = v^*_c(q_{TCA})\quad \text{and}\quad v_x(q_B) = v^*_x(q_{TCA}). \quad (16)$$
Therefore, by definition of $G_2$ (Definition 5), we also have $q_{TCA} \xrightarrow{(p, internal)}_{TCA} r_{TCA}$, where
$r_{TCA} = (N^0_l, v_x(r_{TCA}), v_c(r_{TCA}), v_{\lambda_{ref}}(r_{TCA}))$, with
$$v^*_c(r_{TCA}) = v^*_c(q_{TCA}) + \delta,\quad v_{\lambda_{ref}}(r_{TCA}) = v_{\lambda_{ref}}(q_{TCA})\quad \text{and}\quad v^*_x(r_{TCA}) = v^*_x(q_{TCA}). \quad (17)$$
Combining (15), (16) and (17), we obtain that $v^*_c(r_{TCA}) = v_c(r_B)$ and $v^*_x(r_{TCA}) = v_x(r_B)$.
Thus, we have $q_{TCA} \xrightarrow{\beta}_{TCA} r_{TCA}$ and, by (8), $(r_B, r_{TCA}) \in R$.
(ii) If $(q_B, q_{TCA}) \in R$ and $q_{TCA} \xrightarrow{\beta}_{TCA} r_{TCA}$, then by definition (7) of the relation $\beta$, the
transition $\beta$ is neither labelled by $(p, send)$ nor by $(p, receive)$. It can be labelled only by
$(p, internal)$. Applying this to the definition (8) of the relation $R$, we deduce that this
transition can be enabled only from the control locations $N^0_l$ and $l_p$, since from the control
location $N^1_{l_p}$ the unique enabled transition is labelled by $(p, send)$ (cf. Definition 7). Thus
this $\beta$ transition corresponds in $F(B)$ to one of these transitions: $\tau^{tpc}_l$, $\tau^0_{l_p}$, $\tau_{l_p}$ if $p \in P_i$
and $\tau^1_{l_p}$ if $p \in P_s \cup P_r$.
Case 1: $\beta$ corresponds to $\tau^{tpc}_l$ in $F(B)$, for some $l \in L$. By definition of $G_2$
(Definition 5), there is a transition $\tau^{tpc}_l$:
$$N^0_l \xrightarrow{True,\ ((-1,\bot),(\delta, c),(-1,\bot)),\ (p, internal),\ id} N^0_l$$
in $F(B)$, with
$$v_c(r_{TCA}) = v_c(q_{TCA}) + \delta,\quad v_{\lambda_{ref}}(r_{TCA}) = v_{\lambda_{ref}}(q_{TCA})\quad \text{and}\quad v_x(r_{TCA}) = v_x(q_{TCA}). \quad (18)$$
By definition of $F$ (Definition 7), there is a corresponding tpc constraint $tpc(l) = (c \le \delta)$
in $B$. By construction (8) of $R$, we have $q_B = (l, v_x(q_B), v_c(q_B))$, such that
$$v_c(q_B) = v^*_c(q_{TCA})\quad \text{and}\quad v_x(q_B) = v^*_x(q_{TCA}). \quad (19)$$
Therefore, by definition of $G_1$ (Definition 3), we also have $q_B \xrightarrow{\delta}_B r_B$,
where $r_B = (l, v_x(r_B), v_c(r_B))$, with
$$v_x(r_B) = v_x(q_B),\quad \text{and}\quad v_c(r_B) = v_c(q_B) + \delta. \quad (20)$$
Combining (18), (19) and (20), we obtain that $v^*_c(r_{TCA}) = v_c(r_B)$ and $v^*_x(r_{TCA}) = v_x(r_B)$.
Thus, we have $q_B \xrightarrow{\beta}_B r_B$ and, by (8), $(r_B, r_{TCA}) \in R$.
Case 2: $\beta$ corresponds to $\tau^0_{l_p}$ in $F(B)$, for some $l \in L$. By definition of $G_2$
(Definition 5), there is a transition $\tau^0_{l_p}$:
$$N^0_l \xrightarrow{g_X,\ ((lb, c),(ub, c),(-1,\bot)),\ (p, internal),\ id} l_p$$
in $F(B)$, with
$$v_c(r_{TCA}) = v_c(q_{TCA}) + \delta,$$
$$shift^{c}_{c_{BASE}}(v_{\lambda_{ref}}(q_{TCA}), lb) \le conv^{c}_{c_{BASE}}(v_c(q_{TCA}) + \delta) \le shift^{c}_{c_{BASE}}(v_{\lambda_{ref}}(q_{TCA}), ub),$$
$$v_{\lambda_{ref}}(r_{TCA}) \ne v_{\lambda_{ref}}(q_{TCA}),\quad g_X(v_x(q_{TCA})) = True,\quad v_x(r_{TCA}) = v_x(q_{TCA}). \quad (21)$$
By definition of $F$ (Definition 7), this corresponds to a delay step before executing the
transition
$$l \xrightarrow{g_X, g_C, p, \emptyset, f} l'$$
in $B$, where $g_C = (lb \le c \le ub)$. By construction (8) of $R$, we have $q_B = (l, v_x(q_B), v_c(q_B))$, such that
$$v_c(q_B) = v^*_c(q_{TCA})\quad \text{and}\quad v_x(q_B) = v^*_x(q_{TCA}). \quad (22)$$
Therefore, by definition of $G_1$ (Definition 3), we also have $q_B \xrightarrow{\delta}_B r_B$, where
$r_B = (l, v_x(r_B), v_c(r_B))$, with
$$v_x(r_B) = v_x(q_B),\quad \text{and}\quad v_c(r_B) = v_c(q_B) + \delta. \quad (23)$$
Combining (21), (22) and (23), we obtain that $v^*_c(r_{TCA}) = v_c(r_B)$ and $v^*_x(r_{TCA}) = v_x(r_B)$.
Thus, we have $q_B \xrightarrow{\beta}_B r_B$ and, by (8), $(r_B, r_{TCA}) \in R$.
Case 3: $\beta$ corresponds to $\tau_{l_p}$ in $F(B)$, for some $l \in L$ and $p \in P_l \cap P_i$. By
definition of $G_2$ (Definition 5), there is a transition $\tau_{l_p}$:
$$l_p \xrightarrow{True,\ ((-1,\bot),(-1,\bot),(-1,\bot)),\ (p, internal),\ f} N^0_{l'}$$
in $F(B)$, with
$$v_c(r_{TCA}) = v_c(q_{TCA}) + \delta,\ \delta \in \mathbb{Z}^+,\quad v_{\lambda_{ref}}(r_{TCA}) = v_{\lambda_{ref}}(q_{TCA}),\quad v_x(r_{TCA}) = f(v_x(q_{TCA})). \quad (24)$$
By definition of $F$ (Definition 7), there is a corresponding transition
$$l \xrightarrow{g_X, g_C, p, \emptyset, f} l'$$
in $B$, where $tpc(l) = (c \le ub_1)$ and $tpc(l') = (c \le ub_2)$. By construction (8) of $R$, we
have $q_B = (l, v_x(q_B), v_c(q_B))$, such that
$$v_c(q_B) = v^*_c(q_{TCA})\quad \text{and}\quad v_x(q_B) = v^*_x(q_{TCA}). \quad (25)$$
Therefore, by definition of $G_1$ (Definition 3), we also have
$$q_B \xrightarrow{\delta_1}_B q'_B \xrightarrow{p \in P_i}_B q''_B \xrightarrow{\delta_2}_B r_B,$$
where
$$q'_B = (l, v_x(q'_B), v_c(q'_B)),\qquad q''_B = (l', v_x(q''_B), v_c(q''_B)),\qquad r_B = (l', v_x(r_B), v_c(r_B)),$$
with
$$g_X(v_x(q'_B)) = g_C(v_c(q'_B)) = True,$$
$$v_x(r_B) = v_x(q''_B) = f(v_x(q'_B)) = f(v_x(q_B)),$$
$$v_c(r_B) = v_c(q''_B) + \delta_2,\ \delta_2 \le ub_2,$$
$$v_c(q''_B) = v_c(q'_B) = v_c(q_B) + \delta_1,\ \delta_1 \le ub_1. \quad (26)$$
By Lemma 1, $v_c(r_{TCA})$ should perfectly respect the constraints of the preceding and succeeding
transitions, i.e. the constraints mapped from the transitions in $B$ reaching $l$ and coming out
from $l'$. Thus, we consider $\delta \in \mathbb{Z}^+$ such that:
$$\delta = \delta_1 + \delta_2. \quad (27)$$
Combining (27), (24), (25) and (26), we obtain that $v^*_c(r_{TCA}) = v_c(r_B)$ and $v^*_x(r_{TCA}) = v_x(r_B)$.
Thus, we have $q_B \xrightarrow{\beta^*}_B r_B$ (since $\beta(p) = \emptyset$) and, by (8), $(r_B, r_{TCA}) \in R$.
Case 4: $\beta$ corresponds to $\tau^1_{l_p}$ in $F(B)$, for some $l \in L$ and $p \in P_l \cap (P_s \cup P_r)$. By
definition of $G_2$ (Definition 5), there is a transition $\tau^1_{l_p}$ in $F(B)$. If $p \in P_s$, we have
$$l_p \xrightarrow{True,\ ((-1,\bot),(1, c_{fg}),(1, c_{fg})),\ (p, internal),\ id} N^0_{l'}$$
If $p \in P_r$, the transition $\tau^1_{l_p}$ is
$$l_p \xrightarrow{\neg g^p_{fresh},\ ((-1,\bot),(1, c_{fg}),(1, c_{fg})),\ (p, internal),\ id} l_p$$
In both cases, we have
$$v^*_c(r_{TCA}) = v^*_c(q_{TCA}),\quad v_{\lambda_{ref}}(r_{TCA}) = v_{\lambda_{ref}}(q_{TCA}) + 1\quad \text{and}\quad v_x(r_{TCA}) = v_x(q_{TCA}) \quad (28)$$
(notice that the transition $\tau^1_{l_p}$ increments the valuation of the clock $c_{fg}$; recall that
this clock is excluded by the valuation $v^*_c$).
By construction (8) of $R$, we have $q_B = (l, v_x(q_B), v_c(q_B))$, such that
$$v_c(q_B) = v^*_c(q_{TCA})\quad \text{and}\quad v_x(q_B) = v^*_x(q_{TCA}). \quad (29)$$
Combining (28) and (29), we obtain that $v^*_c(r_{TCA}) = v_c(q_B)$ and $v^*_x(r_{TCA}) = v_x(q_B)$.
Thus, we have $q_B \xrightarrow{}_B q_B$ and, by (8), $(q_B, r_{TCA}) \in R$.
(iii) Let $(q_B, q_{TCA}) \in R$ such that $q_B \xrightarrow{p}_B r_B$. If $\beta(p) \ne \emptyset \wedge q_B \xrightarrow{p}_B r_B$, then by definition
(7) of the relation $\beta$, $p \in P_l \cap (P_r \cup P_s)$. By definition (8) of the relation $R$, we have
$n \in \{N^0_l, l_p\} \cup \{N^1_{l_p}\}_{p \in P_s}$ (see Figure 9b).
Case 1: $p \in P_l \cap P_s$ and $n = N^0_l$. By Definition 3, there is a transition $l \xrightarrow{p, g_X, g_C, \emptyset, f} l'$
in $B$ (recall, Section 5, that no clocks are reset in TT-BIP models), where $g_C = (lb \le c \le ub)$, such that
$$g_X(v_x(q_B)) = g_C(v_c(q_B)) = True,\quad v_x(r_B) = f(v_x(q_B)),\quad \text{and}\quad v_c(r_B) = v_c(q_B). \quad (30)$$
By definition of $F$ (Definition 7), there are three corresponding successive transitions
$\tau^0_{l_p}$, $\tau^1_{l_p}$ and $\tau_{l_p}$:
$$N^0_l \xrightarrow{g_X,\ ((lb, c),(ub, c),(-1,\bot)),\ (p, internal),\ f^p_{flag}} l_p \xrightarrow{True,\ ((-1,\bot),(1, c_{fg}),(1, c_{fg})),\ (p, internal),\ id} N^1_{l_p}$$
$$N^1_{l_p} \xrightarrow{True,\ ((-1,\bot),(-1,\bot),(-1,\bot)),\ (p, send),\ f} N^0_{l'}$$
in $F(B)$. By construction (8) of $R$, we have $q_{TCA} = (N^0_l, v_x(q_{TCA}), v_c(q_{TCA}), v_{\lambda_{ref}}(q_{TCA}))$, such that
$$v_c(q_B) = v^*_c(q_{TCA})\quad \text{and}\quad v_x(q_B) = v^*_x(q_{TCA}). \quad (31)$$
Therefore, by definition of $G_2$ (Definition 5), we also have
$$q_{TCA} \xrightarrow{(p, internal)}_{TCA} q'_{TCA} \xrightarrow{(p, internal)}_{TCA} q''_{TCA} \xrightarrow{(p, send)}_{TCA} r_{TCA},$$
where
$$q'_{TCA} = (l_p, v_x(q'_{TCA}), v_c(q'_{TCA}), v_{\lambda_{ref}}(q'_{TCA})),$$
$$q''_{TCA} = (N^1_{l_p}, v_x(q''_{TCA}), v_c(q''_{TCA}), v_{\lambda_{ref}}(q''_{TCA})),$$
$$r_{TCA} = (N^0_{l'}, v_x(r_{TCA}), v_c(r_{TCA}), v_{\lambda_{ref}}(r_{TCA})),$$
with
$$v^*_c(r_{TCA}) = v^*_c(q''_{TCA}) = v^*_c(q'_{TCA}) = v^*_c(q_{TCA}),$$
$$v_{\lambda_{ref}}(r_{TCA}) = v_{\lambda_{ref}}(q''_{TCA}) = v_{\lambda_{ref}}(q'_{TCA}) + 1 \ne v_{\lambda_{ref}}(q'_{TCA}),$$
$$v^*_x(r_{TCA}) = f(v^*_x(q''_{TCA})) = f(v^*_x(q'_{TCA})) = f(v^*_x(q_{TCA})). \quad (32)$$
(For the latter equality, notice that, for send ports $p \in P_s$, the function $f^p_{flag}$ in the
transition $\tau^0_{l_p}$ operates on variables of $X'$ and the function $f$ in the transition $\tau_{l_p}$ only
operates on variables of $X$, but not on those of $X' \cup Y$.)
Combining (30), (31) and (32) we obtain that $v^*_c(r_{TCA}) = v_c(r_B)$ and $v^*_x(r_{TCA}) = v_x(r_B)$.
Thus, we have
$$q_{TCA} \xrightarrow{\beta}_{TCA} q'_{TCA} \xrightarrow{\beta}_{TCA} q''_{TCA} \xrightarrow{k}_{TCA} r_{TCA},$$
where $k = (p, send)$ and, by (8), $(r_B, r_{TCA}) \in R$.
Case 2: $p \in P_l \cap P_r$ and $n = N^0_l$. By Definition 3, there is a transition $l \xrightarrow{p, g_X, g_C, \emptyset, f} l'$
in $B$ (recall, Section 5, that no clocks are reset in TT-BIP models), where $g_C = (lb \le c \le ub)$, such that
$$g_X(v_x(q_B)) = g_C(v_c(q_B)) = True,\quad v_x(r_B) = f(v_x(q_B)),\quad \text{and}\quad v_c(r_B) = v_c(q_B). \quad (33)$$
By definition of $F$ (Definition 7), there are three corresponding successive transitions
$\tau^0_{l_p}$, $\tau^1_{l_p}$ and $\tau_{l_p}$:
$$N^0_l \xrightarrow{g_X,\ ((lb, c),(ub, c),(-1,\bot)),\ (p, internal),\ id} l_p \xrightarrow{\neg g^p_{fresh},\ ((-1,\bot),(1, c_{fg}),(1, c_{fg})),\ (p, internal),\ id} l_p$$
$$l_p \xrightarrow{g^p_{fresh},\ ((-1,\bot),(-1,\bot),(-1,\bot)),\ (p, receive),\ f \circ f^p_{update}} N^0_{l'}$$
in $F(B)$. By construction (8) of $R$, we have $q_{TCA} = (N^0_l, v_x(q_{TCA}), v_c(q_{TCA}), v_{\lambda_{ref}}(q_{TCA}))$, such that
$$v_c(q_B) = v^*_c(q_{TCA})\quad \text{and}\quad v_x(q_B) = v^*_x(q_{TCA}). \quad (34)$$
Therefore, by definition of $G_2$ (Definition 5), we also have
$$q_{TCA} \xrightarrow{(p, internal)}_{TCA} q'_{TCA} \xrightarrow{(p, internal)^*}_{TCA} q''_{TCA} \xrightarrow{(p, receive)}_{TCA} r_{TCA}$$
(notice that the second transition can happen more than one time before the guard
$g^p_{fresh}$ evaluates to True), where
$$q'_{TCA} = (l_p, v_x(q'_{TCA}), v_c(q'_{TCA}), v_{\lambda_{ref}}(q'_{TCA})),$$
$$q''_{TCA} = (l_p, v_x(q''_{TCA}), v_c(q''_{TCA}), v_{\lambda_{ref}}(q''_{TCA})),$$
$$r_{TCA} = (N^0_{l'}, v_x(r_{TCA}), v_c(r_{TCA}), v_{\lambda_{ref}}(r_{TCA})),$$
with
$$v^*_c(r_{TCA}) = v^*_c(q''_{TCA}) = v^*_c(q'_{TCA}) = v^*_c(q_{TCA}),$$
$$v_{\lambda_{ref}}(r_{TCA}) = v_{\lambda_{ref}}(q''_{TCA}) = v_{\lambda_{ref}}(q'_{TCA}) + n \ne v_{\lambda_{ref}}(q'_{TCA}),$$
$$v^*_x(r_{TCA}) = f(v^*_x(q''_{TCA})) = f(v^*_x(q'_{TCA})) = f(v^*_x(q_{TCA})), \quad (35)$$
where $n$ denotes the number of times the transition $\tau^1_{l_p}$ (i.e. reception attempts) has
executed. For the last equality of (35), notice that, for receive ports $p \in P_r$, in the
transition $\tau_{l_p}$, the function $f$ only operates on variables in $X$, but not on those in
$X' \cup Y$.
Combining (33), (34) and (35) we obtain that $v^*_c(r_{TCA}) = v_c(r_B)$ and $v^*_x(r_{TCA}) = v_x(r_B)$.
Thus, we have
$$q_{TCA} \xrightarrow{\beta}_{TCA} q'_{TCA} \xrightarrow{\beta^*}_{TCA} q''_{TCA} \xrightarrow{k}_{TCA} r_{TCA},$$
where $k = (p, receive)$ and, by (8), $(r_B, r_{TCA}) \in R$.
Case 3: $p \in P_l \cap P_s$ and $n = l_p$. By Definition 3, there is a transition $l \xrightarrow{p, g_X, g_C, \emptyset, f} l'$
in $B$ (recall, Section 5, that no clocks are reset in TT-BIP models), with
$$g_X(v_x(q_B)) = g_C(v_c(q_B)) = True,\quad v_x(r_B) = f(v_x(q_B)),\quad \text{and}\quad v_c(r_B) = v_c(q_B). \quad (36)$$
By definition of $F$ (Definition 7), there are two corresponding successive transitions $\tau^1_{l_p}$
and $\tau_{l_p}$:
$$l_p \xrightarrow{True,\ ((-1,\bot),(1, c_{fg}),(1, c_{fg})),\ (p, internal),\ id} N^1_{l_p} \xrightarrow{True,\ ((-1,\bot),(-1,\bot),(-1,\bot)),\ (p, send),\ f} N^0_{l'}$$
in $F(B)$. By construction (8) of $R$, we have $q_{TCA} = (l_p, v_x(q_{TCA}), v_c(q_{TCA}), v_{\lambda_{ref}}(q_{TCA}))$,
such that
$$v_c(q_B) = v^*_c(q_{TCA})\quad \text{and}\quad v_x(q_B) = v^*_x(q_{TCA}). \quad (37)$$
Therefore, by definition of $G_2$ (Definition 5), we also have
$$q_{TCA} \xrightarrow{(p, internal)}_{TCA} q'_{TCA} \xrightarrow{(p, send)}_{TCA} r_{TCA},$$
where
$$q'_{TCA} = (N^1_{l_p}, v_x(q'_{TCA}), v_c(q'_{TCA}), v_{\lambda_{ref}}(q'_{TCA})),\qquad r_{TCA} = (N^0_{l'}, v_x(r_{TCA}), v_c(r_{TCA}), v_{\lambda_{ref}}(r_{TCA})),$$
with
$$v^*_c(r_{TCA}) = v^*_c(q'_{TCA}) = v^*_c(q_{TCA}),$$
$$v_{\lambda_{ref}}(r_{TCA}) = v_{\lambda_{ref}}(q'_{TCA}) = v_{\lambda_{ref}}(q_{TCA}) + 1,$$
$$v^*_x(r_{TCA}) = f(v^*_x(q'_{TCA})) = f(v^*_x(q_{TCA})). \quad (38)$$
For the latter equality, notice that, for send ports $p \in P_s$, the function $f^p_{flag}$ in the
transition $\tau^0_{l_p}$ operates on variables of $X'$ and the function $f$ in the transition $\tau_{l_p}$ only
operates on variables in $X$, but not on those in $X' \cup Y$.
Combining (36), (37) and (38) we obtain that $v^*_c(r_{TCA}) = v_c(r_B)$ and $v^*_x(r_{TCA}) = v_x(r_B)$.
Thus, we have
$$q_{TCA} \xrightarrow{\beta}_{TCA} q'_{TCA} \xrightarrow{k}_{TCA} r_{TCA},$$
where $k = (p, send)$ and, by (8), $(r_B, r_{TCA}) \in R$.
Case 4: $p \in P_l \cap P_r$ and $n = l_p$. By Definition 3, there is a transition $l \xrightarrow{p, g_X, g_C, \emptyset, f} l'$
in $B$ (recall, Section 5, that no clocks are reset in TT-BIP models), with
$$g_X(v_x(q_B)) = g_C(v_c(q_B)) = True,\quad v_x(r_B) = f(v_x(q_B)),\quad \text{and}\quad v_c(r_B) = v_c(q_B). \quad (39)$$
By definition of $F$ (Definition 7), there are two corresponding successive transitions $\tau^1_{l_p}$
and $\tau_{l_p}$:
$$l_p \xrightarrow{\neg g^p_{fresh},\ ((-1,\bot),(1, c_{fg}),(1, c_{fg})),\ (p, internal),\ id} l_p \xrightarrow{g^p_{fresh},\ ((-1,\bot),(-1,\bot),(-1,\bot)),\ (p, receive),\ f \circ f^p_{update}} N^0_{l'}$$
in $F(B)$, where $\tau^1_{l_p}$ can be executed $n$ times before $\tau_{l_p}$. By construction (8) of $R$, we
have $q_{TCA} = (l_p, v_x(q_{TCA}), v_c(q_{TCA}), v_{\lambda_{ref}}(q_{TCA}))$, such that
$$v_c(q_B) = v^*_c(q_{TCA})\quad \text{and}\quad v_x(q_B) = v^*_x(q_{TCA}). \quad (40)$$
Therefore, by definition of $G_2$ (Definition 5), we also have
$$q_{TCA} \xrightarrow{(p, internal)^*}_{TCA} q'_{TCA} \xrightarrow{(p, receive)}_{TCA} r_{TCA},$$
where
$$q'_{TCA} = (l_p, v_x(q'_{TCA}), v_c(q'_{TCA}), v_{\lambda_{ref}}(q'_{TCA})),\qquad r_{TCA} = (N^0_{l'}, v_x(r_{TCA}), v_c(r_{TCA}), v_{\lambda_{ref}}(r_{TCA})),$$
with
$$v^*_c(r_{TCA}) = v^*_c(q'_{TCA}) = v^*_c(q_{TCA}),$$
$$v_{\lambda_{ref}}(r_{TCA}) = v_{\lambda_{ref}}(q'_{TCA}) = v_{\lambda_{ref}}(q_{TCA}) + n,$$
$$v^*_x(r_{TCA}) = f(v^*_x(q'_{TCA})) = f(v^*_x(q_{TCA})), \quad (41)$$
where $n$ denotes the number of times the transition $\tau^1_{l_p}$ (i.e. reception attempts) has
executed. For the last equality of (41), notice that, for receive ports $p \in P_r$, in the
transition $\tau_{l_p}$, the function $f$ only operates on variables in $X$, but not on those in
$X' \cup Y$.
Combining (39), (40) and (41) we obtain that $v^*_c(r_{TCA}) = v_c(r_B)$ and $v^*_x(r_{TCA}) = v_x(r_B)$.
Thus, we have
$$q_{TCA} \xrightarrow{\beta^*}_{TCA} q'_{TCA} \xrightarrow{k}_{TCA} r_{TCA},$$
where $k = (p, receive)$ and, by (8), $(r_B, r_{TCA}) \in R$.
Case 5: $p \in P_l \cap P_s$ and $n = N^1_{l_p}$. By Definition 3, there is a transition $l \xrightarrow{p, g_X, g_C, \emptyset, f} l'$
in $B$ (recall, Section 5, that no clocks are reset in TT-BIP models), with
$$g_X(v_x(q_B)) = g_C(v_c(q_B)) = True,\quad v_x(r_B) = f(v_x(q_B)),\quad \text{and}\quad v_c(r_B) = v_c(q_B). \quad (42)$$
By definition of $F$ (Definition 7), there is a corresponding transition $\tau_{l_p}$:
$$N^1_{l_p} \xrightarrow{True,\ ((-1,\bot),(-1,\bot),(-1,\bot)),\ (p, send),\ f} N^0_{l'}$$
in $F(B)$. By construction (8) of $R$, we have $q_{TCA} = (N^1_{l_p}, v_x(q_{TCA}), v_c(q_{TCA}), v_{\lambda_{ref}}(q_{TCA}))$, such that
$$v_c(q_B) = v^*_c(q_{TCA})\quad \text{and}\quad v_x(q_B) = v^*_x(q_{TCA}). \quad (43)$$
Therefore, by definition of $G_2$ (Definition 5), we also have
$$q_{TCA} \xrightarrow{(p, send)}_{TCA} r_{TCA},$$
where
$$r_{TCA} = (N^0_{l'}, v_x(r_{TCA}), v_c(r_{TCA}), v_{\lambda_{ref}}(r_{TCA})),$$
with
$$v^*_c(r_{TCA}) = v^*_c(q_{TCA}),\quad v_{\lambda_{ref}}(r_{TCA}) = v_{\lambda_{ref}}(q_{TCA}),\quad v^*_x(r_{TCA}) = f(v^*_x(q_{TCA})). \quad (44)$$
(For the latter equality, notice that, for send ports $p \in P_s$, the function $f$ in the transition
$\tau_{l_p}$ only operates on variables in $X$, but not on those in $X' \cup Y$.)
Combining (42), (43) and (44) we obtain that $v^*_c(r_{TCA}) = v_c(r_B)$ and $v^*_x(r_{TCA}) = v_x(r_B)$.
Thus, we have $q_{TCA} \xrightarrow{k}_{TCA} r_{TCA}$, where $k = (p, send)$ and, by (8), $(r_B, r_{TCA}) \in R$.
(iv) If $(q_B, q_{TCA}) \in R$ and $k \in K$ such that $q_{TCA} \xrightarrow{k}_{TCA} r_{TCA}$, then by definition (7) of the relation $\beta$, $k = (p,\mathit{send})$ or $k = (p,\mathit{receive})$. By definition of $F$ (Definition 7), we have $n = l_p$ if $p \in P_l \cap P_r$ and $n = N^1_{l_p}$ if $p \in P_l \cap P_s$.
Case 1: $k = (p,\mathit{send})$ and $n = N^1_{l_p}$, for some $l \in L$. By definition of $G_2$ (Definition 5), there is a transition $\tau^p_l$:
\[
N^1_{l_p} \xrightarrow{\mathit{True},\ ((-1,\bot),(-1,\bot),(-1,\bot)),\ (p,\mathit{send}),\ f} N^0_{l'}
\]
in $F(B)$, with
\[
\begin{aligned}
v_c(r_{TCA}) &= v_c(q_{TCA}) + \delta \,, \quad \delta \in \mathbb{Z}_+ \,, \\
v_{\lambda_{ref}}(r_{TCA}) &= v_{\lambda_{ref}}(q_{TCA}) \,, \\
v_x(r_{TCA}) &= f(v_x(q_{TCA})) \,.
\end{aligned} \tag{45}
\]
By definition of $F$ (Definition 7), there is a corresponding transition $l \xrightarrow{g_X,\ g_C,\ p,\ \emptyset,\ f} l'$ in $B$, where $\mathit{tpc}(l) = (c \le ub_1)$ and $\mathit{tpc}(l') = (c \le ub_2)$. By construction (8) of $R$, we have $q_B = (l, v_x(q_B), v_c(q_B))$, such that
\[
v_c(q_B) = v^*_c(q_{TCA}) \quad\text{and}\quad v_x(q_B) = v^*_x(q_{TCA}) \,. \tag{46}
\]
Therefore, by definition of $G_1$ (Definition 3), we also have
\[
q_B \xrightarrow{\delta_1}_B q'_B \xrightarrow{p}_B q''_B \xrightarrow{\delta_2}_B r_B \,,
\]
where
\[
q'_B = (l, v_x(q'_B), v_c(q'_B)) \,, \qquad
q''_B = (l', v_x(q''_B), v_c(q''_B)) \,, \qquad
r_B = (l', v_x(r_B), v_c(r_B)) \,,
\]
with
\[
\begin{aligned}
g_X(v_x(q'_B)) &= g_C(v_c(q'_B)) = \mathit{True} \,, \\
v_x(r_B) &= v_x(q''_B) = f(v_x(q'_B)) = f(v_x(q_B)) \,, \\
v_c(r_B) &= v_c(q''_B) + \delta_2 \,, \quad \delta_2 \le ub_2 \,, \\
v_c(q''_B) &= v_c(q'_B) = v_c(q_B) + \delta_1 \,, \quad \delta_1 \le ub_1 \,.
\end{aligned} \tag{47}
\]
By Lemma 1, $v_c(r_{TCA})$ must respect the constraints of the preceding and succeeding transitions, i.e. the constraints mapped from the transitions in $B$ reaching $l$ and leaving $l'$. Thus, we consider $\delta \in \mathbb{Z}_+$ such that
\[
\delta = \delta_1 + \delta_2 \,. \tag{48}
\]
Combining (48), (45), (46) and (47), we obtain $v^*_c(r_{TCA}) = v_c(r_B)$ and $v^*_x(r_{TCA}) = v_x(r_B)$. Thus, we have $q_B \xrightarrow{\beta p \beta}_B r_B$ and, by (8), $(r_B, r_{TCA}) \in R$.
Case 2: $k = (p,\mathit{receive})$ and $n = l_p$, for some $l \in L$. By definition of $G_2$ (Definition 5), there is a transition $\tau^p_l$:
\[
l_p \xrightarrow{g^p_{\mathit{fresh}},\ ((-1,\bot),(-1,\bot),(-1,\bot)),\ (p,\mathit{receive}),\ f \circ f^p_{\mathit{update}}} N^0_{l'}
\]
in $F(B)$, with
\[
\begin{aligned}
v_c(r_{TCA}) &= v_c(q_{TCA}) \,, \quad \delta \in \mathbb{Z}_+ \,, \\
v_{\lambda_{ref}}(r_{TCA}) &= v_{\lambda_{ref}}(q_{TCA}) \,, \\
v^*_x(r_{TCA}) &= f(v^*_x(q_{TCA})) \,.
\end{aligned} \tag{49}
\]
Notice that even if the actual reception was performed in the $\beta$ transition preceding this $k$ transition, the update of the local variables according to the received message is only performed by the execution of the $k$ transition (via $f^p_{\mathit{update}}$). The function $f^p_{\mathit{update}}$ applies to variables of $X \cup Y$. Thus the composition $f \circ f^p_{\mathit{update}}$ preserves the valuation $v^*_x$.
By definition of $F$ (Definition 7), there is a corresponding transition $l \xrightarrow{g_X,\ g_C,\ p,\ \emptyset,\ f} l'$ in $B$, where $\mathit{tpc}(l) = (c \le ub_1)$ and $\mathit{tpc}(l') = (c \le ub_2)$. By construction (8) of $R$, we have $q_B = (l, v_x(q_B), v_c(q_B))$, such that
\[
v_c(q_B) = v^*_c(q_{TCA}) \quad\text{and}\quad v_x(q_B) = v^*_x(q_{TCA}) \,. \tag{50}
\]
Therefore, by definition of $G_1$ (Definition 3), we also have
\[
q_B \xrightarrow{\delta_1}_B q'_B \xrightarrow{p}_B q''_B \xrightarrow{\delta_2}_B r_B \,,
\]
where
\[
q'_B = (l, v_x(q'_B), v_c(q'_B)) \,, \qquad
q''_B = (l', v_x(q''_B), v_c(q''_B)) \,, \qquad
r_B = (l', v_x(r_B), v_c(r_B)) \,,
\]
with
\[
\begin{aligned}
g_X(v_x(q'_B)) &= g_C(v_c(q'_B)) = \mathit{True} \,, \\
v_x(r_B) &= v_x(q''_B) = f(v_x(q'_B)) = f(v_x(q_B)) \,, \\
v_c(r_B) &= v_c(q''_B) + \delta_2 \,, \quad \delta_2 \le ub_2 \,, \\
v_c(q''_B) &= v_c(q'_B) = v_c(q_B) + \delta_1 \,, \quad \delta_1 \le ub_1 \,.
\end{aligned} \tag{51}
\]
By Lemma 1, $v_c(r_{TCA})$ must respect the constraints of the preceding and succeeding transitions, i.e. the constraints mapped from the transitions in $B$ reaching $l$ and leaving $l'$. Thus, we consider $\delta \in \mathbb{Z}_+$ such that
\[
\delta = \delta_1 + \delta_2 \,. \tag{52}
\]
Combining (52), (49), (50) and (51), we obtain $v^*_c(r_{TCA}) = v_c(r_B)$ and $v^*_x(r_{TCA}) = v_x(r_B)$. Thus, we have $q_B \xrightarrow{\beta p \beta}_B r_B$ and, by (8), $(r_B, r_{TCA}) \in R$.
7 Compatibility with composition
In Section 6, we prove that the transformation of individual TT-BIP components into TCA automata is semantics-preserving. In this section, we explain why the composition of all the obtained TCA automata is equivalent to the initial TT-BIP model.
Both the glue of TCA automata and that of TT-BIP components provide the same unidirectional transfer of data. The only difference is that in TT-BIP, interactions provide synchronisation on top of data transfer, while in TCA the communication is asynchronous. The constraints necessary to make synchronisations possible are reflected in the time constraints of the individual components of the TT-BIP model. The transformation from TT-BIP to TCA (described in Section 5.2) ensures that these synchronisation constraints are respected in the obtained automaton. Asynchronous (sending and receiving) actions between interacting TCA automata are ensured to happen at instants over a finer-grained clock, as described in the third paragraph of Section 5.1. With respect to the clock over which the initial synchronisation date is defined, these actions happen at the same instant.
Hence, the correctness of the TCA composition (after the step 2 transformation) follows from the correctness of the transformation of the individual components of the TT-BIP model.
8 Case study
In order to illustrate the transformation from TT-BIP to TCA presented in this paper, we use the medium voltage protection relay application of [15] as a case study.
A protection relay is a device designed to detect and isolate faults in an electrical network. A sensor measures the current that flows on the network and transmits this information to the relay. The relay receives this information, applies signal processing and protection algorithms, and takes control decisions.
The medium voltage protection relay [15] is first modelled using the RT-BIP framework. Then we apply the transformation of [11] in order to obtain its corresponding TT-BIP model. Finally, we apply the transformation described in Section 5.2 in order to generate its corresponding TCA automata. In order to evaluate the generated application, we compare its traces and some other features (development time, size, etc.) with those of the manually written version (i.e. PsyC code) of the application [15]. This comparison is relevant since PsyC code corresponds to the same abstraction level as the generated TCA automata.
8.1 RT-BIP modelling
A model of the application written in RT-BIP is shown in Figure 11. We can divide the model into three stages: the acquisition, measurement and protection stages.
The acquisition stage. It collects data and makes them available to the other components of the system. Data are periodically collected every 555 µs. The component that performs this collection and makes the data available to the other components is called Acquisition.
The measurement stage. It computes the different values that will be used in the protection stage. In this case, three different values are computed. The average value is computed by the Average component and consists in the computation of the average of the last three values acquired by the Acquisition component. This component produces a value every time the Acquisition component acquires three new data (i.e. every 1.665 ms). The crest value is computed by the Crest component and consists in the computation of the crest value of every value acquired by the Acquisition component. This value is computed for every data item acquired by the Acquisition component (i.e. every 555 µs). The computation of the magnitude of the fundamental and of some harmonics is made by the TRS component. The latter uses the last 12 values computed by the Average component and the last value of the Crest component. New values are computed every 12 new data (i.e. every 6.660 ms).
The protection stage. It detects failures by using different algorithms. In this model, we consider two protection algorithms: an instantaneous over-current protection called Protection 50 and an inverse-time over-current protection called Protection 51. The protection stage is made of one component for each protection. They check whether the safety function of the protection relay must be activated whenever they receive data from the TRS component (i.e., every 6.660 ms).
Figure 11: RT-BIP example (acquisition stage: Acquisition; measurement stage: Crest, Average, TRS; protection stage: Protection)
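To make the release pattern of the three stages concrete, here is an added Python simulation (not part of the report or of the RT-BIP model) that drives the pipeline on a common 555 µs base clock: Acquisition and Crest fire every tick, Average every third tick, and TRS together with the two protections every twelfth tick, once TRS has a full window of twelve Average values. Only the periods and data dependencies come from the text; the arithmetic inside Crest, TRS and Protection 50, the trip threshold, the warm-up rule and the input ramp are constructed placeholders, since the report does not give those algorithms.

```python
"""Time-triggered release schedule of the protection-relay pipeline (added example).

Every component is released on a multiple of the 555 us acquisition period, as in
the case study.  The computations inside Crest, TRS and the protections are
constructed placeholders: the report does not give those algorithms.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

BASE_PERIOD_US = 555   # acquisition period (case study)
AVERAGE_WINDOW = 3     # Average uses the last 3 samples
TRS_WINDOW = 12        # TRS uses the last 12 Average values
TRS_EVERY = 12         # TRS (and the protections) fire every 12 acquisitions
TRIP_THRESHOLD = 50.0  # constructed threshold for Protection 50 (assumption)


def period_us(ticks: int) -> int:
    """Release period, in microseconds, of a component firing every `ticks` acquisitions."""
    return ticks * BASE_PERIOD_US


@dataclass
class Trace:
    samples: List[float] = field(default_factory=list)
    crest: List[float] = field(default_factory=list)
    averages: List[float] = field(default_factory=list)
    trs: List[Tuple[int, float]] = field(default_factory=list)    # (tick, magnitude)
    trips: List[int] = field(default_factory=list)                # ticks where Protection 50 trips
    firings: List[Tuple[int, str]] = field(default_factory=list)  # (tick, component) release instants


def run(samples: List[float]) -> Trace:
    """Drive the pipeline with one sample per base tick and record every release."""
    tr = Trace()
    for tick, x in enumerate(samples, start=1):
        # Acquisition stage: one sample per base tick (555 us).
        tr.samples.append(x)
        tr.firings.append((tick, "Acquisition"))
        # Crest: released every tick; placeholder value = |x| (assumption).
        tr.crest.append(abs(x))
        tr.firings.append((tick, "Crest"))
        # Average: released once three new samples are available (every 1.665 ms).
        if tick % AVERAGE_WINDOW == 0:
            window = tr.samples[-AVERAGE_WINDOW:]
            tr.averages.append(sum(window) / AVERAGE_WINDOW)
            tr.firings.append((tick, "Average"))
        # TRS: released every 12 acquisitions (6.660 ms) once a full window of 12
        # Average values exists (warm-up rule is an assumption); placeholder
        # magnitude = mean of that window (assumption).
        if tick % TRS_EVERY == 0 and len(tr.averages) >= TRS_WINDOW:
            magnitude = sum(tr.averages[-TRS_WINDOW:]) / TRS_WINDOW
            tr.trs.append((tick, magnitude))
            tr.firings.append((tick, "TRS"))
            # Protection stage: both protections check whenever TRS produces a value.
            tr.firings.append((tick, "Protection50"))
            tr.firings.append((tick, "Protection51"))
            if magnitude > TRIP_THRESHOLD:
                tr.trips.append(tick)
    return tr


def release_ticks(tr: Trace, component: str) -> List[int]:
    """Base ticks at which `component` was released."""
    return [t for t, c in tr.firings if c == component]


if __name__ == "__main__":
    trace = run([float(i) for i in range(1, 73)])  # constructed ramp input, 72 samples
    print("Average period:", period_us(AVERAGE_WINDOW), "us")
    print("TRS period:", period_us(TRS_EVERY), "us")
    print("TRS releases (ticks):", release_ticks(trace, "TRS"))
    print("Protection 50 trips at ticks:", trace.trips)
```

Running it confirms the derived periods (3 × 555 µs = 1665 µs and 12 × 555 µs = 6660 µs) and lists the release instant of every component as a multiple of the base tick, which is the view of the model that the RT-BIP to TT-BIP step works from.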
Figure 12: TT-BIP example (Acquisition, Crest, Average, TRS and Protection tasks, connected through TTCC components)
8.2 RT-BIP to TT-BIP transformation
We have applied the automatic transformation of [11] in order to obtain the TT-BIP model from the RT-BIP model of the case study. We chose to gather the two protection components in the same task. The remaining components are considered as independent tasks. The resulting TT-BIP model is shown in Figure 12. We have also observed identical values of the output flows generated by simulations (in the BIP environment) of both the RT-BIP and TT-BIP models.
8.3 TT-BIP to PharOS implementation
We have applied the implemented transformation described in Section 5 to the TT-BIP model of the case study described above. For each component in the TT-BIP model, we generate an agent in PharOS. Communication between the different components is performed through advance nodes.
For evaluation purposes, some minor optimisations have been made manually on the generated code. These optimisations solely consist in removing the "empty" generated transitions: those with the constant guard True, the label ((-1, ∅), (-1, ∅), (-1, ∅)) and no update function. This optimisation does not impact the performance of the generated code, nor the correctness of the proofs. Although it could easily have been automated and formalised, this has not been done in order to simplify the presentation and the tool prototypes.
Preservation of the functional behaviour of each generated agent (compared to its corresponding component in the TT-BIP model) has been tested as well. We have also observed identical values of the output flows generated by simulations in both environments.
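As an added illustration of how the optimisation just described could be automated (this is not the tool's own code, and the report does not say how the manual removal was done), the following Python removes empty transitions from a TCA-like transition list by standard epsilon-elimination. It assumes, beyond the three criteria in the text, that an empty transition also carries no port, so that it is unobservable; transitions are modelled as plain records with a guard string, the triple of (value, clock) temporal constraints, an optional port, an optional update-function name and source/destination node names.

```python
"""Removing "empty" transitions from a TCA-like transition list (added example).

An empty transition has the constant guard True, the temporal label
((-1, bot), (-1, bot), (-1, bot)) and no update function; this code also requires
that it carry no port (assumption).  Removal is the standard epsilon-elimination:
every non-empty transition leaving a node reachable through empty transitions is
re-sourced at the starting node, and nodes left unreachable are dropped.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

NO_CONSTRAINT = (-1, None)  # stands for (-1, bot) in the report's notation
EMPTY_LABEL = (NO_CONSTRAINT, NO_CONSTRAINT, NO_CONSTRAINT)


@dataclass(frozen=True)
class Transition:
    src: str
    guard: str                        # guard as text; "True" for the constant guard
    label: tuple                      # the three (value, clock) temporal constraints
    port: Optional[Tuple[str, str]]   # e.g. ("p", "send"); None when there is no port
    update: Optional[str]             # update function name; None when absent
    dst: str


def is_empty(t: Transition) -> bool:
    """Constant guard, unconstrained label, no update and (assumption) no port."""
    return (t.guard == "True" and t.label == EMPTY_LABEL
            and t.update is None and t.port is None)


def silent_closure(node: str, eps: Dict[str, List[str]]) -> Set[str]:
    """Nodes reachable from `node` using empty transitions only (cycles handled)."""
    seen, stack = {node}, [node]
    while stack:
        cur = stack.pop()
        for nxt in eps.get(cur, []):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def remove_empty_transitions(transitions: List[Transition], initial: str) -> List[Transition]:
    """Return an equivalent transition list without empty transitions."""
    eps: Dict[str, List[str]] = {}
    for t in transitions:
        if is_empty(t):
            eps.setdefault(t.src, []).append(t.dst)
    nodes = {t.src for t in transitions} | {t.dst for t in transitions} | {initial}
    rewritten: Set[Transition] = set()
    for n in nodes:
        # Every observable transition leaving the silent closure of n now leaves n.
        for m in silent_closure(n, eps):
            for t in transitions:
                if t.src == m and not is_empty(t):
                    rewritten.add(Transition(n, t.guard, t.label, t.port, t.update, t.dst))
    # Drop nodes (and their transitions) no longer reachable from the initial node.
    reachable, stack = {initial}, [initial]
    while stack:
        cur = stack.pop()
        for t in rewritten:
            if t.src == cur and t.dst not in reachable:
                reachable.add(t.dst)
                stack.append(t.dst)
    kept = [t for t in rewritten if t.src in reachable]
    return sorted(kept, key=lambda t: (t.src, t.dst, str(t.port)))


if __name__ == "__main__":
    # Constructed three-node automaton: N0 -empty-> N1 -(p,send)-> N2 -empty-> N0.
    SEND = ("p", "send")
    example = [
        Transition("N0", "True", EMPTY_LABEL, None, None, "N1"),
        Transition("N1", "True", EMPTY_LABEL, SEND, "f", "N2"),
        Transition("N2", "True", EMPTY_LABEL, None, None, "N0"),
    ]
    for t in remove_empty_transitions(example, "N0"):
        print(t.src, "->", t.dst, "via", t.port)
```

On the constructed example the two empty transitions disappear and the send transition is re-sourced at N0 and at N2 (which silently loops back to N0), so node N1 vanishes entirely; the observable trace of send actions is unchanged, which is the property the report relies on when it states that the optimisation does not affect the correctness proofs.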
8.4 Evaluation
In this subsection, we compare the automatically generated code with the manually written one of [15] for the same case study (cf. Table 1). Notice that with the implemented code generation tool we gain in terms of development time, even if, in the present state, we need to adapt the generated code manually since some features (e.g. optimisations) are not yet included in the implemented tool.

                                             Manually written code   Generated code
Development time                             2-3 months              1 week (RT-BIP model writing and validation) + 2 days (code adaptation)
Text section size                            41.7 kB                 71.2 kB
Application text section size (w/o kernel)   13.9 kB                 37.1 kB
Data section size                            22.1 kB                 31.1 kB
Number of temporal variables                 7                       18
Table 1: Comparison between the generated and the manually-written source code of the case study

In the generated code we introduce almost two and a half times more temporal variables than in the initial model; this is due to the breaking of communication atomicity brought by the transformation from the RT-BIP model into a TT-BIP model. These added temporal variables lead to a larger memory footprint. When comparing the sizes of the text and data segments with those of the manually written version, we find that the segments of the automatically generated code are almost twice as large. This ratio is rather reasonable and very encouraging, as we are not (yet) interested in optimising the output model in terms of the number of agents and communications. A comparison of the temporal evolution of the computed variables in both versions is also of interest. In Figure 13, we display the evolution of the variables arga and crest in both versions. Values of the variable arga are transmitted by the sensor to the acquisition component and stand for the measures of the input current; crest values are computed by the Crest component. In Figure 13, solid lines are reserved for the automatically generated application, and dotted lines for the manually written one.
Visual inspection of the values of both variables in both versions reveals that the output of the automatically generated model is strictly similar to that of the manual model.
Figure 13: Execution trace
The evaluation of the generated code in terms of CPU overhead compared to the manually written code is the subject of ongoing work.
9 Discussion & conclusion
In this paper, we have detailed our approach for generating correct-by-construction TT implementations from high-level RT-BIP models. This transformation is divided into two steps. First, the RT-BIP model is transformed in order to express inter-task communication according to the TT communication paradigm. Then, the obtained model is transformed into TCA automata (the computation model of PharOS applications). The first step was described in our previous work [11]. In this paper, we have presented the transformation of the second step. First, we have discussed various challenges of this transformation, encoded both the initial and the final models into a common semantic model (LTS) and presented the formal transformation rules in detail. We have further proved the correctness of this transformation using the notion of observational equivalence. Details about the implemented tool for automatic transformation have not been presented in this paper due to lack of space. Our experiments on an industrial case study show highly encouraging results.
We are planning to pursue an exhaustive evaluation of the generated code of the case study (CPU overhead, etc.). Furthermore, we have identified several open challenges that we believe should be addressed in future work:
• Identification of OS service patterns potentially existing in the initial model: any OS has a number of services (communication, synchronisation, etc.). We strongly think that in some initial models, and in components intended for handling communication, we can identify exactly the same behavioural pattern as one or more OS services. The transformation should take this redundancy into account, and only transform into TCA automata the part of the component which cannot be mapped to an OS service. The identified pattern is thus mapped to a system call.
• What about a generic transformation process? We strongly believe that the transformation process defined above can be generalised to any RTOS-based implementation approach with a TT execution model. In fact, we just need to present the semantics of the computation model of the target platform as an LTS.
References
[1] Tesnim Abdellatif. Rigourous Implementation of real-time systems. PhD thesis, UJF,
2012.
[2] Rajeev Alur and David L Dill. A theory of timed automata. Theoretical computer science,
126(2):183–235, 1994.
[3] C Aussagues, D Chabrol, V David, D Roux, N Willey, A Tournadre, and M Graniou.
PharOS, a multicore OS ready for safety-related automotive systems: results and future
prospects. Proc. of The Embedded Real-Time Software and Systems (ERTS2), 2010.
[4] Simon Bliudze, Xavier Fornari, and Mathieu Jan. From model-based to real-time execution of safety-critical applications: Coupling SCADE with OASIS. In Embedded Real Time Software and Systems, ERTS2, 10 pages, February 2012.
[5] Borzoo Bonakdarpour, Marius Bozga, Mohamad Jaber, Jean Quilbeuf, and Joseph
Sifakis. From high-level component-based models to distributed implementations. In
Proceedings of the tenth ACM international conference on Embedded software, pages
209–218. ACM, 2010.
[6] Etienne Borde, Smail Rahmoun, Fabien Cadoret, Laurent Pautet, Frank Singhoff, and
Pierre Dissaux. Architecture models refinement for fine grain timing analysis of embedded
systems. In Rapid System Prototyping (RSP), 2014 25th IEEE International Symposium
on, pages 44–50. IEEE, 2014.
[7] Jean-Louis Boulanger, François-Xavier Fornari, Jean-Louis Camus, and Bernard Dion. SCADE: Language and Applications. Wiley-IEEE Press, 1st edition, 2015.
[8] Paraskevas Bourgos. Rigorous Design Flow for Programming Manycore Platforms. PhD
thesis, Grenoble, 2013.
[9] Fabien Cadoret, Etienne Borde, Sebastien Gardoll, and Laurent Pautet. Design patterns
for rule-based refinement of safety critical embedded systems models. In Engineering of
Complex Computer Systems (ICECCS), 2012 17th International Conference on, pages
67–76. IEEE, 2012.
[10] Paul Caspi, Adrian Curic, Aude Maignan, Christos Sofronis, Stavros Tripakis, and Peter
Niebert. From Simulink to SCADE/Lustre to TTA: A layered approach for distributed
embedded applications. ACM Sigplan Notices, 38(7):153–162, 2003.
[11] Hela Guesmi, Belgacem Ben Hedia, Simon Bliudze, Saddek Bensalem, and Jacques Combaz. Towards time-triggered component-based system models. In ICSEA15, pages 157–169, Barcelona, Spain, November 2015. ThinkMind.
[12] Hela Guesmi, Belgacem Ben Hedia, Simon Bliudze, Mathieu Jan, and Saddek Bensalem.
Towards Correct Transformation: From High-Level Models to Time-Triggered Implemen-
tations. In RTAS, Work-in-Progress and Demo Proceeding, page 13, Vienna, Austria,
April 2016.
[13] Hela Guesmi, Belgacem Ben Hedia, Simon Bliudze, Mathieu Jan, Saddek Bensalem,
and Briag Lenabec. Correct transformation of high-level models into time-triggered
implementations. Technical Report EPFL-REPORT-218459, EPFL, May 2016.
[14] Nicholas Halbwachs, Paul Caspi, Pascal Raymond, and Daniel Pilaud. The synchronous
data flow programming language LUSTRE. Proceedings of the IEEE, 79(9):1305–1320,
1991.
[15] Mathieu Jan, Vincent David, Jimmy Lalande, and Maurice Pitel. Usage of the safety-
oriented real-time OASIS approach to build deterministic protection relays. In 5th Intl.
Symp. on Industrial Embedded Systems (SIES 2010), pages 128–135, Univ. of Trento,
2010.
[16] Robert Kaiser and Stephan Wagner. Evolution of the PikeOS microkernel. In Proceedings
of the 1st International Workshop on Microkernels for Embedded Systems, pages 50–57,
2007.
[17] Hermann Kopetz. The time-triggered approach to real-time system design. Predictably
Dependable Computing Systems. Springer, 1995.
[18] Hermann Kopetz and Günther Bauer. The time-triggered architecture. Proceedings of the IEEE, 91(1):112–126, 2003.
[19] Matthieu Lemerre, Vincent David, Christophe Aussaguès, and Guy Vidal-Naquet. An introduction to time-constrained automata. arXiv preprint arXiv:1010.5571, 2010.
[20] Robin Milner. Communication and Concurrency. Prentice Hall International (UK) Ltd., Hertfordshire, UK, 1995.
[21] Kathy Dang Nguyen, PS Thiagarajan, and Weng-Fai Wong. A UML-based design frame-
work for time-triggered applications. In Real-Time Systems Symposium (RTSS 2007),
pages 39–48. IEEE, 2007.
[22] Traian Pop, Paul Pop, Petru Eles, Zebo Peng, and Alexandru Andrei. Timing analysis
of the FlexRay communication protocol. Real-time systems, 39(1-3):205–235, 2008.
[23] Ahlem Triki, Borzoo Bonakdarpour, Jacques Combaz, and Saddek Bensalem. Automated
conflict-free concurrent implementation of timed component-based models. In NASA
Formal Methods, pages 359–374. Springer, 2015.
