Verification of timed process algebra and beyond by ZHANG XIAN




FOR THE DEGREE OF DOCTOR OF PHILOSOPHY
DEPARTMENT OF COMPUTER SCIENCE
NATIONAL UNIVERSITY OF SINGAPORE
2011
Acknowledgement
First and foremost, I am deeply indebted to my supervisor, Dr. Dong Jin Song, for his
guidance, advice and encouragement throughout the course of my doctoral program. He has
given me immense support both in various ways, and have also helped me stay on the track
of doing research.
I am grateful to Dr. Joxan Jaﬀar and Dr. Andrew Santosa for their valuable suggestions
and comments on my research works. I have special thanks to Dr. Sun Jun, Dr. Liu Yang,
Dr. Hao Ping, Dr. Zhang Daqing, Dr. Qin Shengchao, Dr. Mikhail Auguston, Dr. Kenji
Taguchi, etc for their research collaborations.
To my seniors, Dr. Li Yuanfang, Dr. Chen Chunqing, Dr. Sun Jing, Dr. Wang H. Hai and
Feng Yuzhang - Thank you for your support and friendships through my Ph.D. study.
This study was in part funded by the project “Rigorous Design Methods and Tools for Intel-
ligent Autonomous Multi-Agent Systems” and “Advanced Modeling Checking Systems” sup-
ported by Ministry of Education of Singapore and the project “Reliable Software Design and
Development for Sensor Network Systems” supported by National University of Singapore
Academic Research Fund and project “Model Checking System of Systems” supported by
Temasek Defence Systems Institute and the project “Activity Monitoring and User interface
Plasticity for supporting Ageing with mild Dementia at Home (AMUPADH)” supported by
Agency for Science, Technology and Research (A*Star) Institute. The School of Computing
also provided the ﬁnance for me to present papers in several conferences overseas.
Lastly, I wish to thank sincerely and deeply my parents Zhang Qiusheng and Li Yixia, who
have taken care of me with great love in these years.
Contents
1 Introduction 1
1.1 Motivation and Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1.1 Modeling Real-time systems . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2 Summary of Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.3 Thesis Outline and Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.4 Publications from the Thesis . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2 Background Introduction 11
2.1 Communicating Sequential Processes (CSP) . . . . . . . . . . . . . . . . . . . 12
2.2 Timed CSP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.2.1 Syntax of Timed CSP . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.2.2 Semantics of Timed CSP . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.3 Constraint Logic Programming . . . . . . . . . . . . . . . . . . . . . . . . . . 16
2.3.1 CLP and Reasoning . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
2.4 Veriﬁcation and Process Analysis Toolkit (PAT) . . . . . . . . . . . . . . . . . 18
i
CONTENTS ii
3 Encoding Timed CSP in CLP 23
3.1 Timed CSP Speciﬁcation in CLP . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.1.1 Syntax Encoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.1.2 Laws and Simpliﬁcation . . . . . . . . . . . . . . . . . . . . . . . . . . 25
3.2 Modeling Operational Semantics of Timed CSP in CLP . . . . . . . . . . . . 29
3.2.1 Primitive process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
3.2.2 Choice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.2.3 Concurrency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
3.2.4 Flow of control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
3.3 Modeling Denotational Semantics of Timed CSP in CLP . . . . . . . . . . . . 40
3.3.1 Handling Extensions to Timed CSP . . . . . . . . . . . . . . . . . . . 41
3.4 Veriﬁcation of Timed CSP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
3.4.1 Safety and Liveness Properties . . . . . . . . . . . . . . . . . . . . . . 44
3.4.2 Trace-based Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
3.4.3 Time Related Checking . . . . . . . . . . . . . . . . . . . . . . . . . . 47
3.5 HORAE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
3.5.1 Building Timed CSP Models . . . . . . . . . . . . . . . . . . . . . . . 49
3.5.2 Verifying Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
3.6 Case Studies and Experiments . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
3.6.1 Timed Vending Machine . . . . . . . . . . . . . . . . . . . . . . . . . . 51
CONTENTS iii
3.6.2 Dining Philosopher . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
3.6.3 The Railway Crossing . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
3.7 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
4 Timed Planning 57
4.1 Syntax of Extended Timed CSP . . . . . . . . . . . . . . . . . . . . . . . . . . 58
4.1.1 Timed Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
4.1.2 Syntax of Timed Planning . . . . . . . . . . . . . . . . . . . . . . . . . 61
4.1.3 Healthiness Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
4.2 Operational Semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
4.3 Modeling Timed Planning in CLP . . . . . . . . . . . . . . . . . . . . . . . . 71
4.3.1 Encoding Extended Timed CSP in CLP . . . . . . . . . . . . . . . . . 71
4.3.2 Encoding Semantics in CLP . . . . . . . . . . . . . . . . . . . . . . . . 72
4.4 Veriﬁcation of Extended Timed CSP . . . . . . . . . . . . . . . . . . . . . . . 75
4.4.1 Feasibility Checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
4.4.2 Reasoning about Safety and Liveness . . . . . . . . . . . . . . . . . . . 76
4.5 Case Studies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
4.5.1 Extended Railway Crossing System . . . . . . . . . . . . . . . . . . . . 78
4.5.2 Real Time Multi-lift System . . . . . . . . . . . . . . . . . . . . . . . . 79
4.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
CONTENTS iv
5 Job-shop Scheduling Problems 83
5.1 Deterministic Job-Shop Scheduling Problem . . . . . . . . . . . . . . . . . . . 84
5.1.1 Formal Deﬁnition of Deterministic Job-shop Scheduling Problem . . . 84
5.1.2 Modeling with Timed Planning . . . . . . . . . . . . . . . . . . . . . . 85
5.1.3 Optimal Schedulers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
5.2 Preemptive Job-Shop Scheduling Problem . . . . . . . . . . . . . . . . . . . . 91
5.2.1 Solving Preemptive Job-shop Scheduling Problems . . . . . . . . . . . 92
5.3 Extended Job-shop Scheduling . . . . . . . . . . . . . . . . . . . . . . . . . . 94
5.4 Experiments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
5.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
6 Modeling and Veriﬁcation of Timed Security Protocols 99
6.1 Formal Speciﬁcation of Timed Security Protocols . . . . . . . . . . . . . . . . 100
6.2 Veriﬁcation of Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
6.2.1 Timed Authentication Property . . . . . . . . . . . . . . . . . . . . . . 105
6.2.2 Using Timing Information . . . . . . . . . . . . . . . . . . . . . . . . . 108
6.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
7 Modeling and Veriﬁcation of Pervasive Computing 111
7.1 Timed Reminding System for Dementia Elderly at Home . . . . . . . . . . . . 112
7.1.1 Reminding Service Classiﬁcations . . . . . . . . . . . . . . . . . . . . . 113
CONTENTS v
7.1.2 Modeling using Timed Planning . . . . . . . . . . . . . . . . . . . . . . 114
7.1.3 Medication Planner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
7.1.4 Speciﬁc domain: Elderly Reminding System . . . . . . . . . . . . . . . 122
7.2 Smart Nursing Home for Mild Dementia Elderly . . . . . . . . . . . . . . . . . 124
7.2.1 System Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
7.2.2 Veriﬁcation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
7.2.3 Modeling with PAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
7.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
8 Conclusion 137
8.1 Summary of the Thesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
8.2 Future Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
8.2.1 Reduction and Optimization Techniques . . . . . . . . . . . . . . . . . 140
8.2.2 New Application Domains . . . . . . . . . . . . . . . . . . . . . . . . . 141
8.2.3 Tool Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
A Healthiness Conditions for Timed Planning 153
B Real-time Multi-lift System 155
C Complete Model of Smart Nursing Home 157
D Complete PAT Model of Smart Nursing Home 163
Summary
The design and veriﬁcation of real-time systems are notoriously diﬃcult problems. In this
thesis, we study the modeling and veriﬁcation of real-time systems using timed process
algebra, particularly Timed CSP.
Timed CSP is an elegant and intuitive modeling language for real-time systems. It has been
widely accepted and applied to a wide arrange of systems. However the veriﬁcation support
for Timed CSP is limited. The ﬁrst part of the thesis is to develop a reasoning mechanism for
Timed CSP by using Constraint Logic Programming (CLP) as underlying reasoning engine.
Our approach starts with a systematic translation of the syntax of Timed CSP into CLP.
Powerful constraint solver like CLP(R) is then used to prove traditional safety properties
and beyond, e.g., reachability, deadlock-freeness, timewise reﬁnement relationship, lower or
upper bound of a time interval, etc. Counterexamples are generated when properties are
not satisﬁed. Based on this translation, an interactive tool, named HORAE, which provides
composing and reasoning of Timed CSP process descriptions is developed.
The second contribution of this thesis is the proposal of a formal language, named Timed
Planning, for modeling real-time systems. Timed Planning extends Timed CSP with the
capability of stating complicated timing behaviors. A Timed Planning model is made up of
a hierarchical timed process and a set of constraints over processes, events and the data vari-
ables which are the requirements that the process should satisfy. Particularly, each process
is associated with a set of localized timing/untiming requirements with keyword Where
which can be speciﬁed in a compositional way. The full syntax and operational semantics
of Timed Planning are formally deﬁned. A reasoning mechanism for the Timed Planning
is hence developed based on CLP by extending our reasoning engine HORAE. Feasibility
checking and various property veriﬁcation can be applied to check systems modeled in Timed
Planning.
To show the usefulness of Timed Planning, we apply Timed Planning and HORAE to solve
three diﬀerent application domains. Firstly, we use Timed Planning to model classical job-
shop scheduling problems, in order to ﬁnd a shortest execution in terms of elapsed time. In
this case, the job-shop scheduling problem can be reduced to a problem of ﬁnding a complete
execution (an execution that terminates) with the minimum execution time. In our work,
Both deterministic and preemptive job-shop scheduling problems can be solved.
Secondly, security protocols are widely used for secure application-level data transport cross-
ing distributed systems. Designing security protocols is notoriously diﬃcult and error-prone.
The new challenges raise when diﬀerent timing aspects are required in the security protocol
design, such as timestamps, delays, timeout and a set of timing constraints. We focus on
using Timed Planning to accomplish the modeling and analyzing of timed security protocols.
The use of explicit timing information allows us to specify security protocols with times-
tamps, timeout and retransmissions which can be naturally modeled using Timed Planning
speciﬁcation. In the timing analysis, we could verify timed non-injective agreement authenti-
cation property which can be easily extended to other authentication property veriﬁcation.
Besides, we can model timing requirements/constraints and verify other timed sensitive
properties such as execution time of a protocol which is beyond the capability of existing
approaches.
Thirdly, pervasive computing environments encompass a spectrum of computation and com-
munication devices that seamlessly augment human thoughts and activities. They have been
used to assist elders with mild dementia to improve their level of independence and quality
of life through cognitive reinforcement. To support formal analysis, we propose to build a
context-aware reminding framework for elders living at home using Timed Planning speciﬁ-
cation. Then we demonstrate the eﬀectiveness of formal methods via modeling and verifying
an integrated smart space reminding system for monitoring and assisting people with mild
dementia in the nursing home.
Key words: Timed Process Algebra, Formal Veriﬁcation, Concurrent and Real-
time Systems, Constraint Logic Programming, Reﬁnement, Job-shop Scheduling
Problem, Security Protocol, Dementia
List of Figures
2.1 Architecture Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
3.1 Timed Vending Machine in CLP . . . . . . . . . . . . . . . . . . . . . . . . . 26
3.2 Overview of HORAE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
3.3 The Rail Way Control System . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
4.1 The Multi-Lift System Communication Diagram . . . . . . . . . . . . . . . . 80
4.2 Internal Lift Communication Diagram . . . . . . . . . . . . . . . . . . . . . . 81
5.1 The Gantt-Chart representations of two schedules . . . . . . . . . . . . . . . . 86
5.2 The Gantt-Chart representations of a preemptive schedules . . . . . . . . . . 91
6.1 Timeout patterns: (a) typical (b) count-bounded (c) time-bounded . . . . . . 101
6.2 Analysis of Wide Mouth Frog protocols . . . . . . . . . . . . . . . . . . . . . 108
7.1 The Sensor Setup for Bedroom and Bath Room . . . . . . . . . . . . . . . . . 126
i
List of Tables
3.1 Library of Timed CSP processes in CLP . . . . . . . . . . . . . . . . . . . . . 25
3.2 Properties Veriﬁcation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
3.3 Experiment Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
5.1 The result for n jobs with 4 machines, where n = 2; :::; 6. ]j ; ]states; time
represents number of jobs, number of state space and the execution time. . . 96
5.2 The result for the ten hard bench marks deterministic job-shop scheduling
problems. The ﬁrst three columns give the problem name, no. of jobs and
no. of machines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
7.1 Summary of needs and wants for mild dementia people living at home . . . . 113




The design and veriﬁcation of real-time systems are notoriously diﬃcult problems, especially
when systems often depend on quantitative timing. Modeling and veriﬁcation of real-time
systems are research topics which have important practical implication. Formal modeling
and analysis of real-time systems are the trend to systematic and automatic detecting the
design or implementation errors for complex systems.
1.1 Motivation and Goals
The correctness of many systems and devices in our modern society depends not only on the
eﬀects or results they produce but also on the time at which these results are produced. These
real-time systems range from the anti-lock braking controller in automobiles to the vital-sign
monitor in hospital intensive-care units. For example, when the driver of a car applies the
brake, the anti-lock braking controller analyzes the environment in which the controller is
embedded (car speed, road surface, direction of travel) and activates the brake with the
appropriate frequency within fractions of a second. Both the result (brake activation) and
the time at which the result is produced are important in ensuring the safety of the car, its
driver, and passengers.
1
1.1. MOTIVATION AND GOALS 2
Recently, computer hardware and software are increasingly embedded in a majority of these
real-time systems to monitor and control their operations. These computer systems are
called real-time computer systems, or simply real-time systems. Unlike conventional, non-
real-time systems, real-time systems are closely coupled with the environment being mon-
itored and controlled. Examples of real-time systems include computerized versions of the
braking controller and the vital-sign monitor, the new generation of airplane and space-
craft avionics, the planned Space Station control software, high-performance network and
telephone switching systems, multimedia tools, virtual reality systems, robotic controllers,
battery-powered instruments, wireless communication devices (such as cellular phones and
PDAs), astronomical telescopes with adaptive-optics systems, and many safety-critical in-
dustrial applications. These real-time systems must satisfy stringent timing and reliability
constraints in addition of functional correctness requirements.
In this thesis, our research focuses on the modeling and veriﬁcation of real-time systems. In
particular, we have tried to address four issues related to real-time systems: (i) proposing
a formal language to model real-time systems, (ii) exploring eﬃcient veriﬁcation techniques
to perform formal analysis of the models, (iii) implementing a toolkit to support eﬀective
real-time veriﬁcation, and (iv) applying the proposed techniques in diﬀerent domains.
1.1.1 Modeling Real-time systems
Real-time system modeling is of great importance and highly non-trivial. The choice of
modeling language is an important factor in the success of the entire system analysis or
development. The language should cover several facets of the requirements and the mod-
el should reﬂect exactly (up to abstraction of irrelevant details) an existing system or a
system to be built. The language should have a semantic model suitable to study the be-
haviors of the system and to establish the validity of desired properties. Many languages
have been proposed to model real-time systems, e.g., algebra of timed processes [79], timed
CCS [108], timed CSP [88, 18], etc. The most popular language is timed automata [5, 71].
Timed automata are ﬁnite state automata equipped with clocks. They are powerful in de-
1.1. MOTIVATION AND GOALS 3
signing real-time models by explicitly manipulating clock variables. Real-time constraints
are captured by explicitly setting or resetting clocks. A number of automatic veriﬁcation
support for timed automata based models have proven to be successful, e.g., Uppaal [62],
KRONOS [10].
Models based on timed automata often have a simple structure. For instance, the input
models of the Uppaal checker take the form of a network of timed automata with no
hierarchy [62]. The advantage of a simple structure is that eﬃcient veriﬁcation is made
feasible. Nonetheless, designing and verifying compositional real-time systems is becoming
an increasingly important task due to the widespread applications and increasing complexity
of real-time systems. High-level requirements for real-time systems are often stated in terms
of deadline, time out, and timed interrupt [60, 32, 63]. In industrial case studies of real-
time system veriﬁcation, system requirements are often structured into phases, which are
then composed in many diﬀerent ways. Unlike Statecharts equipped with clocks [49] or
timed process algebras [79, 108, 88], timed automata lack high-level compositional patterns
for hierarchical design. Users often need to manually cast those terms into a set of clock
variables with carefully calculated clock constraints. This process is tedious and error-prone.
On the other hands, real-time system modeling based on timed process algebras often suﬀers
from lack of language features (e.g., shared variables) or automated tool support.
One goal of this thesis is to design a modeling language for hierarchical real-time systems,
which is suﬃciently expressive, but is still subject to automatic veriﬁcation.
Requirement Speciﬁcation and Veriﬁcation
Critical system requirements like safety, liveness and fairness play important roles in system
speciﬁcation, veriﬁcation and development. Safety properties ensure that something unde-
sirable never happens. Liveness properties state that something desirable must eventually
happen.
In order to verify hierarchical real-time systems, more general speciﬁcations like reﬁnement
1.2. SUMMARY OF CONTRIBUTIONS 4
relation are needed. In these cases, the requirement is modeled using an abstract model
rather than a logic formula, which gives more expressive power. FDR (Failures-Divergence
Reﬁnement) [84] is the de facto reﬁnement analyzer for CSP, which has been successfully
applied in various domains. Based on the model checking algorithm presented in [84] and
later improved with other reduction techniques presented in [86], FDR is capable of handling
large systems. Nonetheless, when the system contains real-time constraints, new veriﬁcation
techniques and tools are required.
There are a few veriﬁcation support for Timed CSP, e.g. the theorem proving approach
documented in [11, 47], and the translation to Uppaal models [25, 26]. The PAT model
checker [1] is the ﬁrst dedicated veriﬁcation tool support for Timed CSP models by using dy-
namic zone abstraction. However, Timed CSP lacks support for stating system requirements
which constrain all behavioral traces of given processes, for example, deadline and execution
time of a process, time-related constraints among events which are common requirements for
many real time systems. To increase the expressiveness of Timed CSP, current veriﬁcation
support becomes inadequate.
In this thesis, we want to explore the new approach for veriﬁcation of powerful real-time
system modeling language. To add to our understanding of the ﬁeld, we aim to develop
eﬃcient model checker with the consideration of the above points.
1.2 Summary of Contributions
The main result of this thesis is a powerful modeling language for real-time systems together
with the complete veriﬁcation support. Several cases studies demonstrate the usefulness of
our approach. The contributions of this thesis can be summarized as follows:
Event-based speciﬁcation languages like the classic Communicating Sequential Process (C-
SP) of Hoare’s [51] and its timed extension Timed CSP [82, 18], have been proposed for
decades. Such speciﬁcation languages are elegant and intuitive as well as precise. They have
1.2. SUMMARY OF CONTRIBUTIONS 5
been widely accepted and applied to a wide arrange of systems, including communication
protocols, embedded systems, etc [85]. It is important that system speciﬁed using CSP or
Timed CSP can be proved formally and even better if the proving is fully automated.
The ﬁrst part of the thesis is building a reasoning mechanism for Timed CSP. Instead of
building a specialized reasoning engine for Timed CSP from scratch, we choose one of pow-
erful reasoning mechanisms, Constraint Logic Programming (CLP) [53, 54], as underlying
reasoning engine. CLP has been successfully applied to model programs and transition
systems for the purpose of veriﬁcation [48, 56], showing that their approach outperforms
the well-known state-of-art systems with higher eﬃciency. The XMC/RT system [37, 45]
showed how a Timed Safety Automata (TSA) represented in CLP can be comparable in
eﬃciency, by using a tabling logic programming framework. [4] employs a logic program
transformation based approach for inductive veriﬁcation of real-life parameterized proto-
cols. Our approach starts with a systematic translation of the syntax of Timed CSP into
CLP. Operational semantics are encoded into CLP in a systematic way. Powerful constrain-
t solver like CLP(R) [55] is then used to prove traditional safety properties and beyond,
e.g., reachability, deadlock-freeness, lower or upper bound of a time interval, etc. Coun-
terexamples are generated when properties are not satisﬁed. Based on this translation, an
interactive tool, named HORAE, which provides composing and reasoning of Timed CSP
process descriptions is developed.
One of the main contribution of this thesis is the proposal of a formal language for mod-
eling real-time systems, which is an extension of Timed CSP. We name this extension as
Timed Planning. Timed Planning speciﬁcation extends Timed CSP with the capability of
stating complicated timing behaviors for processes and events to model and verify complex
compositional real-time systems. A Timed Planning model is made up of a hierarchical
timed process and a set of constraints over processes, events and the data variables which
are the requirements that the process should satisfy. In this approach each process is associ-
ated with a set of localized timing/untiming requirements with keyword Where which can
be speciﬁed in a compositional way. The full syntax and operational semantics of Timed
1.2. SUMMARY OF CONTRIBUTIONS 6
Planning language are formally deﬁned. A reasoning mechanism for the Timed Planning is
hence developed based on CLP by extending our reasoning engine HORAE. Both syntax and
semantics of Timed Planning are formally translated into CLP. The operational semantics
is encoded to CLP, where a set of global and local variables need to be captured during
the execution. Feasibility checking and various property veriﬁcation can be applied to check
systems modeled in Timed Planning. Feasibility checking is necessary which helps users to
debug the conﬂicts of the set of timing constraints speciﬁed in the systems.
In many application domains, we are interested in selecting, among all possible behaviors,
one that optimizes some sophisticated performance measurement. We apply Timed Plan-
ning and HORAE to solve classical job-shop scheduling problems, where ﬁnding an optimal
schedule corresponds to ﬁnding a shortest execution (in terms of elapsed time) in the Timed
Planning. The observation underlying is that classical scheduling and resource allocation
problems can be modeled naturally using Timed Planning whose runs correspond to feasible
schedules. In this case, the job-shop scheduling problem can be reduced to a problem of
ﬁnding a complete execution (an execution that terminates) with the minimum execution
time. In our work, Both deterministic [58] and preemptive job-shop scheduling problems
can be solved. We also apply our approach to handle the extended job-shop scheduling
problems, where jobs can have more complex relations, such as a composition of operational
behaviors with communications, and jobs with deadlines and relative timing constraints,
which no other current work are able to support.
Another application of Timed Planning is to model and verify timed security protocol-
s. Security protocols are widely used for secure application-level data transport crossing
distributed systems. In general, designing security protocols is notoriously diﬃcult and
error-prone. Many protocols proposed in the literature and exploited in practice turned out
to be awed, or their well-functioning was found to be based on implicit assumptions. Since
the late 80s various approaches have been put forward for the formal veriﬁcation of securi-
ty protocols to overcome the problems of faulty implementations and hidden requirements.
The new challenges raise when diﬀerent timing aspects are required in the security protocol
1.2. SUMMARY OF CONTRIBUTIONS 7
design, such as timestamps, delays, timeout and a set of timing constraints. In the past
years, there has been an increasing interest in the formal analysis of timed cryptographic
protocols. However, there are few tool supports for modeling and analyzing security pro-
tocols with the capability of capturing various timing features. A particularly successful
approach to analyze untimed security protocols is modeled using CSP [51] and veriﬁed by
FDR model checker [87, 70]. Motivated by this approach, we focus on using Timed Plan-
ning to accomplish the modeling and analyzing of timed security protocols. Our approach is
diﬀerent from the previous approaches by taking the timing information into account. The
use of explicit timing information allows us to specify security protocols with timestamps,
timeout and retransmissions which can be naturally modeled using Timed Planning speciﬁ-
cation. In the timing analysis, we could verify timed non-injective agreement authentication
property which can be easily extended to other authentication property veriﬁcation [46].
We also propose to use the capability of Timed Planning to avoid such attacks without
changing the original speciﬁcations of the protocols. Besides, we can model timing require-
ments/constraints and verify other timed sensitive properties such as execution time of a
protocol which is beyond the capability of existing approaches.
Pervasive computing environments encompass a spectrum of computation and communica-
tion devices that seamlessly augment human thoughts and activities. Applications in this
type of environments are often context-aware, using various kinds of context such as location
and time to adapt to the evolving environments and provide smarter services. As the fast
development of context-aware systems (e.g. new sensors, new application domains), critical
system requirements like safety and liveness properties start to play more important roles.
For example, smart system deployed in hospital shall never reach a state which hazard-
s patients’ lives. Therefore, formal methods are desirable in the design and development
context-aware systems.
Pervasive computing techniques have been proposed to assist elders with mild dementia to
improve their level of independence and quality of life through cognitive reinforcement. To
support formal analysis, we propose to build a context-aware reminding framework for elders
1.3. THESIS OUTLINE AND OVERVIEW 8
living at home using Timed Planning speciﬁcation. Then we demonstrate the eﬀectiveness
of formal methods via modeling and verifying an integrated smart space reminding system
for monitoring and assisting people with mild dementia in the nursing home.
1.3 Thesis Outline and Overview
In this section, we brieﬂy present the outline of the thesis and overview of each chapter.
Chapter 2 introduces background information on speciﬁcation languages and tools used in
the presented work. We ﬁrstly review CSP and Timed CSP with their syntax and semantics.
Next we brieﬂy introduce Constraint Logic Programming (CLP) and its related works in
formal method domain.
Chapter 3 illustrates the veriﬁcation system for Timed CSP using Constraint Logic Pro-
gramming as underlying reasoning engine. We ﬁrstly show how the syntax of Timed CSP
is formally translated into CLP. The operational semantics of each and every operator of
Timed CSP are formally encoded into CLP. A reasoning tool for Timed CSP is presented in
Section 3.5. Last but not least, we demonstrate the eﬀectiveness of our approach through
benchmark real-time systems.
Chapter 4 introduces an extended Timed CSP language, namely Timed Planning. We ﬁrstly
deﬁne the syntax and operational semantics of Timed Planning formally. We further extend
the veriﬁcation system of Timed CSP to support Timed Planning using Constraint Logic
Programming.
Chapters 5, 6 and 7 are devoted to applying Timed Planning in various applications to solve
diﬀerent problems. Chapter 5 applies Timed Planning in Job-shop scheduling problems
where using underlying reasoning engine to ﬁnd optimal scheduler for both preemptive
and non-preemptive job-shop scheduling problems. Another piece of work has been done
is that we apply Timed Planning to model and verify timed security protocols, which is
1.4. PUBLICATIONS FROM THE THESIS 9
demonstrated in Chapter 6. In Chapter 7, we apply Timed Planning in pervasive computing,
more speciﬁcally, the mild dementia care for elderly at both home and nursing home.
Lastly, Chapter 8 concludes this thesis, summarizes the main contributions and discusses
possible future work directions.
1.4 Publications from the Thesis
Most of the work presented in this thesis has been published or accepted in international
conference proceedings or journals.
The work in Chapter 3 was presented at The 8th International Conference on Formal Engi-
neering Methods ICFEM’06 (December 2006) [28]. The tool horae in Section 3.8 is published
as a tool paper on The 13th International Symposium on Formal Methods FM’06 (Novem-
ber 2006) [27]. The work in Chapter 4 was the basis for the paper published at The 4th
International Conference on Secure Software Integration and Reliability Improvement (June
2010) [112]. The work in Chapter 5 was presented at The 1st Workshop on International
Conference on Secure Software Integration and Reliability Improvement (April 2010) [111].
The work in Chapter 6 was accepted at The 4th International Conference on Secure Software
Integration and Reliability Improvement (September 2010) [112].
A paper including the modeling smart reminding system presented in Section 7 has been
submitted for publication [98]. I also made contributions to other publications [24, 30, 31,
33, 99] which are remotely related this thesis.
For all the publications mentioned above, I have contributed substantially in both theory
development and tool implementation.




Real-time systems exhibit complex behaviors. System simulation and veriﬁcation become
more and more demanding as the complexity grows. It is highly desirable to have formal
modeling languages to describe the real-time system rigourously. Compared with Timed
Automata (with a ﬂatten structure), timed process algebra is a more powerful way to mod-
eling hierarchical real-times systems. Timed process algebra has a long history with various
proposed formalisms. Examples include Timed CCS [108], Timed Communicating Sequen-
tial Processes (Timed CSP) [89], Timed petri nets [77] and so on. In this thesis, we focus
on Timed CSP for its expressive power and wide usage.
Constraint logic programming (CLP) [54] is a form of constraint programming, in which logic
programming is extended to include concepts from constraint satisfaction. In this chapter,
we brieﬂy introduce the basic concepts and conventions of CLP, which are used in the rest
of the thesis.
The remainder of the chapter is organized as follows. Section 2.1 gives an introduction
to CSP. The timed extension of CSP is explained in Section 2.2 with formal syntax and
semantics. Section 2.3 presents the fundamental concepts of CLP. Section 2.4 introduces
the model checker PAT.
11
2.1. COMMUNICATING SEQUENTIAL PROCESSES (CSP) 12
2.1 Communicating Sequential Processes (CSP)
In computer science, Communicating Sequential Processes (CSP) [52] is a formal language
for describing patterns of interaction in concurrent systems. It is a member of the family
of mathematical theories of concurrency known as process algebras, or process calculi. CSP
was ﬁrst described in [51] by C. A. R. Hoare, but has evolved substantially since then.
FDR (Failures-Divergence Reﬁnement) [84] is the de facto reﬁnement analyzer for CSP,
which has been successfully applied in industry as a tool for specifying and verifying the
concurrent aspects of a variety of diﬀerent systems. The theory of CSP is still the subject
of active research, including work to increase its range of practical applicability. CSP has
passed the test of time. It has been widely accepted and inﬂuenced the design of many
recent programming and speciﬁcation languages including Ada [40], occam [75], Concurrent
ML [83], BPEL4WS [81], TCOZ [74, 72, 25, 73], OZTA [24, 30] etc.
As its name suggested, CSP allows the description of systems in terms of component process-
es that operate independently, and interact with each other solely through message-passing
communication. However, the “Sequential” part of the CSP name is now something of a
misnomer, since modern CSP allows component processes to be deﬁned both as sequential
processes, and as the parallel composition of more primitive processes. The relationships
between diﬀerent processes, and the way each process communicates with its environment,
are described using various process algebraic operators. Using this algebraic approach, quite
complex process descriptions can be easily constructed from a few primitive elements.
CSP is a formal speciﬁcation language where processes proceed from one state to anoth-
er by engaging in events. Processes may be composed by using operators which require
synchronization on events, i.e., each component must be willing to participate in a given
event before the whole system makes the transition. Synchronous communication, rather
than assignments to shared state variables, is the fundamental means of interaction between
agents. In the following, we present the syntax of CSP process and informal semantics. For
any process P in CSP language, it can be deﬁned using following syntax.
2.1. COMMUNICATING SEQUENTIAL PROCESSES (CSP) 13
P = Stop j Skip – primitives
j e ! P – event preﬁxing
j ch!exp ! P j ch?x ! P – channel communications
j P nX – hiding
j P ; Q – sequential composition
j P 2 Q j P u Q – choice operators
j [b]P – state guard
j P k Q – parallel composition
j P jjj Q – interleave composition
j P O Q – interrupt
j ref (Q) – process reference
where P ;Q are processes, e is a name representing an event with an optional sequential
program1 prog , X is a set of event names (e.g., fe1; e2g), b is a Boolean expression, ch is a
channel, exp is an expression, and x is a variable.
Stop is the process that communicates nothing, also called deadlock. Skip = X ! Stop,
where X is the special event of termination. Event preﬁxing e ! P performs e and after-
wards behaves as process P . Hiding process P n X makes all occurrences of events in X
not to be observed or controlled by the environment of the process. Sequential composition,
P ; Q , behaves as P until its termination and then behaves as Q . External choice P 2 Q
is solved only by the occurrence of a visible event2. On the contrast, internal choice P u Q
is solved non-deterministically. Process [b]P waits until condition b becomes true and then
behaves as P . Note that [b]P does not block and will be dropped in choice operators if other
choices are selected. Notice that it is diﬀerent from if b fPg else fQg. One distinguish-
ing feature of CSP is alphabetized multi-processes parallel composition. Let P ’s alphabet,
written as P , be the events in P excluding the special invisible event  . Process P k Q
synchronizes common events in the alphabets of P and Q excluding non-communicating
events. In contrast, process P jjj Q runs all processes independently (except for communi-
cation through shared variables and synchronous channels3). Process P O Q behaves as P
1The grammar rules for the sequential program can be found in PAT user manual.
2In CSP, symbol  is introduced as the internal action in the operational semantics only. Any event other
than  is called visible event.
3Note that in original CSP, P jjj Q does not allow communication through shared channels.
2.2. TIMED CSP 14
until the ﬁrst occurrence of a visible event from Q . A process expression may be given a
name for referencing. Recursion is supported by process referencing.
2.2 Timed CSP
2.2.1 Syntax of Timed CSP
Hoare’s CSP [51] is an event based notation primarily aimed at describing the sequencing of
behavior within a process and the synchronization of behavior (or communication) between
processes. Timed CSP extends CSP by introducing a capability to quantify temporal aspects
of sequencing and synchronization. Inherited from CSP, Timed CSP adopts a symmetric
view of process and environment. Events represent a cooperative synchronization between
process and environment. Both process and environment may control the behavior of the
other by enabling or refusing certain events and sequences of events.
Deﬁnition 1 (Timed CSP) A Timed CSP process is deﬁned by the following syntax,
P ::= Stop j Skip j Run j e t! P j e : E ! P(e) j e@t ! P(t)
j P1 2 P2 j P1 u P2 j P1 X jjY P2 j P1 j[X ]jP2 j P1 jjj P2
j P1; P2 j P1 O P2 j P1 d. P2 jWait d j P1 Od P2
j X  P(X )
Run is a process always willing to engage any event in . Stop denotes a process that
deadlocks and does nothing. A process that terminates is written as Skip. A process which
may participate in event e then act according to process description P is written as e@t !
P(t). The (optional) timing parameter t records the time, relative to the start of the process,
at which the event e occurs and allows the subsequent behavior P to depend on its value.
The process e t! P delays process P by t time units after engaging event e. The external
choice operator, written as P 2 Q , allows a process of choice of behavior according to what
events are requested by its environment. Internal choice represents variation in behavior
determined by the internal state of the process. The parallel composition of processes P1
2.2. TIMED CSP 15
and P2, synchronized on common events of their alphabets X , Y (or a common set of events
A) is written as P1 X jjY P2 (or P1 j[A ]jP2). The sequential composition of P1 and P2,
written as P1; P2, acts as P1 until P1 terminates by communicating a distinguished event
X and then proceeds to act as P2. The interrupt process P1 O P2 behaves as P1 until the
ﬁrst occurrence of event in P2, then the control passes to P2. The timed interrupt process
P1 Od P2 behaves similarly except P1 is interrupted as soon as d time units have elapsed. A
process which allows no communications for period d time units then terminates is written as
Wait d . The timeout construct written as P1
d
. P2 passes control to an exception handler P2
if no event has occurred in the primary process P1 by some deadline d . Recursion is used to
give ﬁnite representation of non-terminating processes. The process expression X  P(X )
describes processes which repeatedly act as P(X ). The detailed illustration of each process
can be found in [89].
2.2.2 Semantics of Timed CSP
The semantics of a Timed CSP process is precisely deﬁned either by identifying how the
process may evolve through time or by engaging in events (i.e., the operational semantics
deﬁned in [90]) or by stating the set of observations, e.g., traces, failures and timed failures
(i.e., the denotational semantics as deﬁned in [17]). In this work, Timed CSP is used to
specify interactive timed tasks.
In general, the behavior of a process at any point in time may be dependent on its internal
state and this may conceivably take an inﬁnite range of values. It is often not possible to
provide a ﬁnite representation of a process without introducing some notation for represent-
ing this internal state. The approach adopted by Timed CSP is to allow a process deﬁnition
to be parameterized by state variables. Thus a deﬁnition of the form P(x ) represents a
family of deﬁnitions, one for each possible value of x .
Example 2.2.1 (Timed Vending Machine) A user may insert some coins and then make
a choice between coﬀee or tea. Once the choice is made, the vending machine dispatches the
2.3. CONSTRAINT LOGIC PROGRAMMING 16
corresponding drink. Or the user may ask the machine to release the coins and walk away.
If the user idles more than 10 seconds after the coin is inserted, the machine will release the
coins.
TVM b= X  coin ! ((reqrelease ! release 2! X )
2 (coee
3! dispatchcoee ! X ) 2 (tea 2! dispatchtea ! X ))
10
. (release ! X )
2end
2.3 Constraint Logic Programming
Constraint Logic Programming (CLP) [54] began as a natural merger of two declarative
paradigms: constraint solving and logic programming. This combination helps to make
CLP programs both expressive and ﬂexible, and in some cases, more eﬃcient than other
kinds of logic programs. The CLP scheme deﬁnes a class of languages based upon the
paradigm of rule-based constraint programming. CLP(R) [55] is an instance of this class,
which is used in this thesis. We present some preliminary deﬁnitions about CLP in this
section.
Deﬁnition 2 (Atom, Rule and Goal) An atom is of the form p(~t), where p is a user
deﬁned predicate symbol and ~t is a sequence of terms ‘t1; t2; : : : ; tn ’. A rule is of the form
A :   ~B ;	 where the atom A is the head of the rule, and the sequence of atoms ~B and
the constraint 	 constitute the body of the rule. A goal has exactly the same format as the
body of the rule of the form ?   ~B ;	. If ~B is an empty sequence of atoms, we call this a
(constrained) fact . All goals, rules and facts are terms.
The universe of discourse D of CLP program is a set of terms, integers, and lists of integers.
A constraint is written using a language of functions and relations. They are used in two
ways, in the basic programming language to describe expressions and conditions, and in
user assertions, as deﬁned below. In this work, we will not deﬁne the constraint language
2.3. CONSTRAINT LOGIC PROGRAMMING 17
explicitly, but invent them on demand in accordance with our examples. Thus the terms
of our CLP programs include the function symbols of the constraint language. A ground
instance of a constraint, atom and rule is deﬁned in obvious way. A ground instance of a
constraint is obtained by instantiating variables therein from D. The ground instances of
a goal G, written [[G ]] is the set of ground atoms obtained by taking all the true ground
instances of G and then assembling the ground atoms therein into a set. We write G1 j= G2
to mean that for all groundings  of G1 and G2, each ground atom in G1 appears in G2.
Let G = (B1; :::;Bn ;	) and P denote a goal and program respectively. Let R = A :
 C1; :::;Cm ;	1 denote a rule in P , written so as none of its variables appear in G . Let
A = B , where A and B are atoms, be shorthand for equations between their corresponding
arguments. A reduct of G using R is of the form
(B1; :::;Bi 1;C1; :::;Cm ;Bi+1; :::;Bn ;Bi = A ^ 	 ^ 	1)
provided Bi = A ^ 	 ^ 	1 is satisﬁable. A derivation sequence is a possibly inﬁnite
sequence of goals G0;G1; ::: where Gi ; i > 0 is a reduct of Gi 1. If there is a last goal Gn
with no atoms, notationally (2;	) and called a terminal goal, we say that the derivation is
a successful and that the answer constraint is 	. A derivation is ground if every reduction
therein is ground.
Example 2.3.1 (Fibonacci) The following is typical CLP program:
b(0; 1): b(1; 1):
b(N ;X 1 +X 2) :  N > 1;b(N   1;X 1);b(N   2;X 2):
A relation ﬁb(N, X) is deﬁned, where X is the factorial of N , denoted as X = N !. There
are three atoms for the relation ﬁb(N, X), where the ﬁrst two atoms are facts and the last
one is a rule. We want to ﬁnd the number whose ﬁbonacci is greater than 3 but less than
8, by executing the goal ?  F > 3;F < 8;b(N ;F ): which returns N = 4;F = 5. 2end
CLP has been successful as a programming language, and more recently, as a model of
executable speciﬁcations. There have been numerous works which use CLP to model system
2.4. VERIFICATION AND PROCESS ANALYSIS TOOLKIT (PAT) 18
modeling or programs and which use an adaptation of the CLP proof system for proving
certain properties [57, 29]. In this work, we follow this trend and use existing powerful
constraint solvers for mechanized Timed Planning.
2.3.1 CLP and Reasoning
Constraint Logic Programming has been used to model programs and transitions systems
for purpose of veriﬁcation problems. In particular, it has been used to model Timed Safety
Automata (TSA) [50]. The main advantage of using CLP pertain to expressiveness. For
example, [48] demonstrates the proof of some standard properties, as well as properties such
timed bounds between important events, on a CLP representation of TSA.
[56] presented a CLP proof method for well-known state-of-art systems - Timed Automata.
They started with a systematic translation of TSA into CLP and then use a new CLP
inference method for proving assertions. They claimed that their assertion language can
specify important properties beyond traditional safety properties, one important of which is
the symmetric. They also gave a demonstration showing that their improvements over the
Timed Automata model checker - Uppaal [62].
Moreover, (Constraint) Logic Programming has been used in formal methods area, for ex-
ample, [106] uses Logic Programming Techniques for animating Z which could be used for
detecting errors in a formal speciﬁcation.
2.4 Veriﬁcation and Process Analysis Toolkit (PAT)
In this section, we introduce the veriﬁcation tool for Timed CSP. Due to the expressive
power, veriﬁcation of Timed CSP is a diﬃcult task with minimum tool support. To the
best of our knowledge, there are few veriﬁcation support for Timed CSP, e.g. the theorem
proving approach documented in [11, 47], the translation to Uppaal models [25, 26] and
the approach based on constraint solving [28]. Among them, the most established tool is
2.4. VERIFICATION AND PROCESS ANALYSIS TOOLKIT (PAT) 19
Process Analysis Toolkit (PAT) [1, 66, 95, 68, 64, 101, 113, 103]. PAT is a self-contained
toolkit to analyze real-time systems, which supports system modeling, animated simulation
and automatic veriﬁcation (based on advanced model checking techniques like dynamic zone
abstraction [99]).
PAT’s modeling language [99, 94, 102, 69, 97] is an extension of Timed CSP with mutable
variables and data structures (e.g., arrays, stacks or arbitrary data types), synchronous
or asynchronous channels, etc. The language adopts a dense-time semantics, where the
clock values are rational numbers. Hence, there may be inﬁnitely many transitions between
any two time points. To oﬀer eﬃcient veriﬁcation support, a fully automated abstraction
technique is developed to build an abstract ﬁnite state system from the (inﬁnite) model. It
has been prove that the abstraction has ﬁnite state and is subject to model checking [99].
Further, it weakly bi-simulates the concrete model and, therefore, it may perform sound
and complete safety property checking, Linear Temporal Logic (LTL) [91] model checking,
reﬁnement checking upon the abstraction.
Figure 2.1 shows the architecture design of PAT with four components, namely the editor,
the parser, the simulator and veriﬁers. The editor is featured with powerful text editing, syn-
tax highlighting and multi-documents environment. The parser compiles the system models
and the properties into internal representation. Due to inﬁnite timed transitions, abstraction
is applied to the input models so that a ﬁnite state abstract model is yielded internally. The
simulator allows users to perform various simulation tasks on the models: complete states
generation of execution graph, automatic simulation, user interactive simulation, trace re-
play and etc. The simulator is also used to visualize Büchi automata generated from the
negation of LTL assertions. Most importantly, PAT implements several veriﬁers catering
for checking deadlock-freeness, reachability, LTL properties with fairness assumptions [], re-
ﬁnement checking [23, 65] and etc. To achieve good performance, advanced optimization
techniques are implemented, e.g., partial order reduction, process counter abstraction [100],
parallel model checking [67], etc. All the veriﬁcation algorithms perform on-the-ﬂy explo-
ration of the state space [110]. If any counterexample is identiﬁed during the exploration,





Assersion Parser and Buchi Automata Translator
Graphic Viewer


























Figure 2.1: Architecture Design
then it can be animated in the simulator for the purpose of debugging. The correctness
of PAT is established by using various test cases and user feedback. In additional, PAT is
veriﬁed by performing model checking on its source code [93].
Real-Time System Modeling in PAT
In PAT, a system model is composed of multiple elements, i.e. constants, global vari-
ables/channels, a set of timed process deﬁnitions, a set of assertions, etc. The process
deﬁnitions identify the computational logic of a system. A timed process P (hereafter
process) can be deﬁned using a rich set of process constructs (similar to CSP processes).
Furthermore, a number of timed process constructs (similar to Timed CSP processes) can
be used to capture common real-time system behavior patterns. For example, let d be an
rational number. Process Wait [d ] idles for d time units. In process P timeout [d ] Q , the
ﬁrst observable event of P shall occur before d time units elapse. Otherwise, Q takes over
control after exactly d time units elapse. Process P interrupt [d ] Q behaves exactly as P
(which may engage in multiple observable events) until d time units elapse, and then Q
2.4. VERIFICATION AND PROCESS ANALYSIS TOOLKIT (PAT) 21
takes over control. Process P waituntil [d ] is constrained to ﬁnish only after d time units
have elapsed since the process starts. If P terminates early, then it idles until exactly d
time units have elapsed. Process P deadline[d ] constrains P to terminate before d time
units. In this setting, clock variables are made implicit and hence they cannot be compared
with each other directly, which potentially allows eﬃcient clock manipulation and hence
system veriﬁcation. In real-time systems, requirements are often structured into phases,
which is hierarchical in nature [78]. PAT modeling language is hierarchical and uses implicit
clocks, hence the modeling process is much simpler without complicated clock calculations.
The complete language syntax can be found in PAT’s user manual. The formal operational
semantics can be found in [99].
Abstraction and Veriﬁcation
Model checking requires a ﬁnite state system model. Hence, we assume that all variables have
ﬁnite domains and the process forbids unbounded non-tail recursion. However, the number
of system states (and hence the transition system) is still inﬁnite because of our dense-time
semantics. PAT adopts a zone abstraction [99] to build an abstract system. Diﬀerent from
zone abstraction applied to Timed Automata [21], PAT dynamically creates/deletes a set
of clocks to precisely encode the timing requirements. A zone is the maximal set of clock
valuations satisfying a set of primitive clock constraints. A primitive constraint on a clock
is of the form tm  d where tm is a timer, d is a constant and  is , =, or . Because
clocks are implicit, clock readings cannot be compared directly. In order to support eﬃcient
veriﬁcation, PAT uses diﬀerence bound matrices (DBM) [21] as an equivalent representation
for the zone.
To perform veriﬁcation on the original systems, PAT shows that the abstract transition
system is equivalent to the original transition system. It is shown that our zone abstraction
is sound and complete with respect to the following three properties using a specialized
bi-simulation relationship [99].
2.4. VERIFICATION AND PROCESS ANALYSIS TOOLKIT (PAT) 22
LTL Model Checking In this setting, the properties are linear temporal logic (LTL)
formulae, constituted by propositions on global variables and events. Notice that no clocks
are allowed in the property. In order to reﬂect model checking results on the abstract
transition system to the original system with respect to LTL formulae, it is need to establish
that the abstract transition system is equivalent to the concrete one with respect to LTL-X
formulae. The idea is to show stutter equivalence between traces of the abstract system and
the original system [99]. To verify the LTL formulae, PAT adopts the automata-based on-
the-ﬂy veriﬁcation algorithm [96], i.e., by ﬁrstly translating a formula to a Büchi automaton
and then check emptiness of the product of the system and the automaton.
Reﬁnement Checking In this setting, PAT investigates an alternative veriﬁcation ap-
proach. That is, to verify whether the system satisﬁes the property by showing a reﬁnement
relationship between the system and a model which models the property. In order to check
reﬁnement between two (timed) models, zone abstraction must be applied to both models.
In [99], it proves that it is sound and complete to show stable failures reﬁnement between
the two abstraction transition systems in order to show failures reﬁnement between the two
corresponding original models. The reﬁnement relationship is veriﬁed using an on-the-ﬂy
simulation checking approach.
Chapter 3
Encoding Timed CSP in CLP
Timed CSP is a powerful modeling language for real-time systems. However the veriﬁcation
support is limited. The ﬁrst piece of work we have done is building a reasoning mechanism
for Timed CSP. We choose CLP as the underlying reasoning support for Timed CSP, which
can provide a simple and intuitive way of representing real timing aspects of Timed CSP and
a ﬂexible way of specifying interesting properties, such as deadlock-freeness, trace related
properties, time related properties, and etc.
This chapter is organized as follows. In Section 3.1, we start with translating syntax of
Timed CSP into CLP. Section 3.2 encodes the operational semantics of Timed CSP into
CLP, by capturing both event transition and timed transition of every operator deﬁned in
Timed CSP (refer to Section 2.2). Section 3.3 encodes the denotational semantics of Timed
CSP into CLP. In Section 3.4, we demonstrate how to verify the properties of the Timed CSP
processes encoded in CLP based on the operational semantics. In Section 3.5, a prototype
tool HORAE is developed to support the veriﬁcation of the Timed CSP with the techniques
we developed in this chapter. Section 3.6 demonstrate our approaches using three examples
with experimental results. Section 3.7 concludes this chapter.
23
3.1. TIMED CSP SPECIFICATION IN CLP 24
3.1 Timed CSP Speciﬁcation in CLP
3.1.1 Syntax Encoding
In this section, we show how to encode every operator of Timed CSP deﬁned in Section 2.2
into CLP terms. All operators of the extended speciﬁcation which inherited from Timed CSP
are encoded into CLP rules in a compositional way. A translation library for all operators
is built. For example:
 a ! Skip : eventprefix(a, skip)
 a t! Skip : delay(a, skip, t)
 P1 jjj P2 : interleaving(P1,P2)
 P1; P2 : sequential(P1,P2)
In our library, eventprex (A;P) is deﬁned to denote a process A ! P . delay(A;P ;T )
is the CLP form of operator A T! P in Timed CSP. interleaving(P1;P2) is to represent
operator P1 jjj P2 where P1 and P2 are the CLP formate of process P1 and P2. Relations
sequential=21 is to represent a sequential operator “;”. We deﬁne a library of rules for all
Timed CSP processes in CLP, which is shown in Table 3.1.1.
The very initial step of our work is the syntax encoding of Timed CSP process in CLP syntax,
which can be automated easily by syntax rewriting. A relation of the form proc(N ;P) is
used to present a process P with name N . For instance, Figure 3.1 is the syntax encoding
of process TVM (Example 2.2.1) in CLP, which is a recursive process with name tvm.
12 means predicate “sequential” has two parameters.
3.1. TIMED CSP SPECIFICATION IN CLP 25




a ! P eventpreﬁx(a, P)
a t! P delay(a, t, p)
P1 2 P2 extchoice(P1, P2)
P1 u P2 intchoice(P1, P2)
P1 X jjY P2 parallel(P1, P2, X, Y)
P1 j[X ]j P2 parallel(P1, P2, X)
P1 jjj P2 interleave(P1, P2)
P1; P2 sequential(P1, P2)
P1 O P2 interrupt(P1, P2)
P1
d
. P2 timeout(P1, P2, d)
Wait d wait(d)
P1 Od P2 tinterrupt(P1, P2, d)
 X @ P(X) recursion(P)
Table 3.1: Library of Timed CSP processes in CLP
3.1.2 Laws and Simpliﬁcation
[89] introduces the concept of process equivalence P1 = P2 when P1 =T P2, P1 =SF P2 and
P1 = FDIP2 hold.
A set of laws are deﬁned associated with each operator, where some of them can be used for
process simpliﬁcation. For example, 2-idem law P 2 P = P , which states that oﬀering a
choice between two copies of the same process is identical to the process itself, can simplify
process P 2 P to P . A set of such laws are selected and implemented in the reasoning
engine to fulﬁl this purpose, which are shown below.
3.1. TIMED CSP SPECIFICATION IN CLP 26
proc(c1; delay(coee; eventprex (dispatchcoee; tvm); 3)):
proc(c2; delay(tea; eventprex (dispatchtea; tvm); 2)):
proc(c3; eventprexc(reqrelease; delay(release; tvm; 2))):
proc(choices; extchoice(extchoice(C ;T );R))
:  proc(c1;C ); proc(c2;T ); proc(c3;R):
proc(to; timeout(C ; eventprex (release; tvm); 10))
:  proc(choices;C ):
proc(tvm; eventprex (coin; tvm)))
:  proc(to;P):
Figure 3.1: Timed Vending Machine in CLP
P 2 P = P h2-idemi
P1 2 P2 = P2 2 P1 h2-symi
P 2 Stop = P h2-uniti
P u P = P hu-idemi
P1 u P2 = P2 u P1 hu-symi
Skip A jjB Skip = Skip hk-term1i
P A jjA P = P if (P)  A hk-idemi
Skip jjj Skip = Skip hjjj-term1i
P jjj Skip = P hjjj-uniti
P1 jjj P2 = P2 jjj P1 hjjj-symi
Skip; P = P h; -unit-I i
P ; Skip =T P h; -unit-rT i
Stop; P = Stop h; -zero-I i
Stop O P = P hO-unit-I i
P O Stop = P hO-unit-ri
Skip O P = Skip 2 P hO-termi
Laws for timed operators timeout P1
d
. P2, delay a
d! P , wait Wait and timed interrupt
3.1. TIMED CSP SPECIFICATION IN CLP 27
P1 Od P2 as shown as follows.
Stop
d










(Wait d ; Q1)
d+d 0
. Q2) =Wait d ; (Q1
d 0
. Q2) h.-delay-1i
(Wait(d + d 0); Q1)
d
. Q2) =Wait d ; Q2 h.-delay-2i
Wait d ; Wait d 0 =Wait(d + d 0) hdelay-sumi
a
d! P = a !Wait d ; P hdelay-prex i
(Wait d ; Q1) A jjB (Wait d ; Q2) =Wait d ; (Q1 A jjB Q2)hdelay-jj-disti
(Wait d ; Q1) jjj (Wait d ; Q2) =Wait d ; (Q1 jjj Q2) hdelay-jjj-disti
(Wait d ; Q1) j[A ]j (Wait d ; Q2) =Wait d ; (Q1 j[A ]jQ2)hdelay- j[A ]j -disti
Q1 Od (Q2 Od 0 Q3) = (Q1 Od Q2) Od+d 0 Q3 hOd -associ
Stop Od P =Wait d ; Q1 hstop-Od -delayi
(Wait d ; Q1) Od+d 0 Q2) =Wait d ; (Q1 Od 0 Q2) hO-delay-1i
(Wait(d + d 0); Q1) Od Q2) =Wait d ; Q2 hO-delay-2i
For the purpose of simpliﬁcation, we encode the laws described above into CLP clauses in
a structured way. A CLP relation law(P ;Q) is introduced to ﬁnd the simpliﬁed version of
process Q of P . law=2 rules for each operator are deﬁned recursively which is illustrated as
3.1. TIMED CSP SPECIFICATION IN CLP 28
follows.
law(extchoice(P ;P);P) :  !:
law(extchoice(P ; stop);P) :  !:
law(extchoice(stop;P);P) :  !:
law(intchoice(P ;P);P) :  !:
law(parallel(skip; skip; ); skip) :  !:
law(parallel(P ;P ;A;B);P) :  setequal(A;B); !:
law(parallel(skip; skip; ); skip) :  !:
law(parallel(P ;P ; );P) :  !:
law(interleave(P ; stop);P) :  !:
law(interleave(stop;P);P) :  !:
law(interleave(P ; skip);P) :  !:
law(interleave(skip;P);P) :  !:
law(sequential(skip;P);P) :  !:
law(sequential(P ; skip);P) :  !:
law(sequential(stop; ); stop) :  !:
law(interrupt(stop;P);P) :  !:
law(interrupt(P ; stop);P) :  !:
law(extchoice(P ;Q);S ) :  not(P = stop; Q = stop;P = Q);
law(P ;P1); law(Q ;Q1); (P1 = P ;Q1 = Q)  >
S = extchoice(P ;Q); law(extchoice(P1;Q1);S ); !:
law(intchoice(P ;Q);S ) :  not(P = Q); law(P ;P1); law(Q ;Q1);
(P1 = P ;Q1 = Q)  > S = intchoice(P ;Q); law(intchoice(P1;Q1);S ):
law(parallel(P ;Q ;A;B); parallel(P ;Q ;A;B)) :  
not(P = skip; setequal(A;B)); !:
law(parallel(P ;Q ;A;B);P) :  setequal(A;B);not(P = Q);
law(P ;P1); law(Q ;Q1); (P1 = P ;Q1 = Q)
  > S = parallel(P ;Q ;A;B); law(parallel(P1;Q1;A;A);S ):
law(parallel(P ;Q ;A);S ) :  not(P = Q); law(P ;P1); law(Q ;Q1);
(P1 = P ;Q1 = Q)  > S = parallel(P ;Q ;A); law(parallel(P1;Q1; );S ):
law(interleave(P ;Q);S ) :  not(P = skip; Q = skip);
law(P ;P1); law(Q ;Q1); (P1 = P ;Q1 = Q)
  > S = interleave(P ;Q); law(interleave(P1;Q1);S ):
law(sequential(P ;Q);S ) :  not(P = skip; P = stop; Q = skip);
law(P ;P1); law(Q ;Q1); (P1 = P ;Q1 = Q)
  > S = sequential(P ;Q); law(sequential(P1;Q1);S ):
law(interrupt(skip;P); extchoice(skip;P)) :  !:
law(interrupt(P ;Q);S ) :  not(P = skip; P = stop; Q = stop);
law(P ;P1); law(Q ;Q1); (P1 = P ;Q1 = Q)
  > S = interrupt(P ;Q); law(interrupt(P1;Q1);S ):
3.2. MODELING OPERATIONAL SEMANTICS OF TIMED CSP IN CLP 29
3.2 Modeling Operational Semantics of Timed CSP in CLP
Operational semantics provides a way of interpreting a language - of stepping through ex-
ecutions of programs written in that language. It therefore oﬀers a direct intuition of how
program constructs are intended to behave, in contrast with denotational semantics which
often abstract away from such considerations, and with algebraic approaches, where opera-
tors are deﬁned in terms of the algebraic laws when satisfy.
This section is devoted to an encoding of the semantics of Timed CSP in CLP. The practical
implication is that we may then use powerful constraint solver like CLP(R) [55] to do
various proving over systems modelled using Timed CSP. Both the operational semantics
and denotational semantics are encoded. The encoding of operational semantics serves most
of our purposes.
The operational semantics of Timed CSP is precisely deﬁned by Schneider [90] using two
relations: an evolution relation and a timed event transition relation. It is straightforward
to verify that our encoding conforms the two relations in [90].
A relation of the form tos(P1,T1,E,P2,T2) is used to denote the t imed operational semantics,
by capturing both evolution relations and timed event transition relations. Predicate tos(P1,T1,E,P2,T2)
is true if the process P1 may evolve to P2 through either a timed transition, i.e., let T2-
T1 time units pass, or an event transition by engaging an abstract event instantly2. The
relation tos deﬁnes a transition system interpretation of a Timed CSP process, where the
state is identiﬁed by the combination of the process expression and the time variable. Using
tabling mechanism oﬀered in some of the constraint solvers like CLP(R) [55] or XSB [105],
the termination of the derivation sequence based on relation tos depends on the ﬁniteness
of the reachable process expressions from the initial one. Therefore, if a process is irregu-
lar, proving of goals which need to explore all reachable process expressions is not feasible.
2Or both at the same time by engaging an nontrivial action which takes time (necessary for only extensions
to Timed CSP like TCOZ [74] where E could be a complicated computation)
3.2. MODELING OPERATIONAL SEMANTICS OF TIMED CSP IN CLP 30
However, even for irregular processes, interesting proving like existence of a trace is still
possible.
We deﬁne the tos relation in terms of each and every operator of Timed CSP. For the
moment, we assume the process is not parameterized and we shall handle parameterized
processes uniformly in Section 3.3.1.
3.2.1 Primitive process
Stop, Skipand Run
The operational semantics of the primitive process expressions in Timed CSP are deﬁned




The rules associated with the Skip, Stop and Run processes are as the following:
tos(stop;T1; []; stop;T2) :  D >= 0;T2 = T1 +D :
tos(skip;T ; [termination]; stop;T ):
tos(skip;T1; []; skip;T1 +D) :  D >= 0:
tos(run;T ; [ ]; run;T ):
tos(run;T1; []; run;T2) :  D >= 0;T2 = T1 +D :
The only transition for process Stop is time elapsing. Process Skip may choose to wait
some time before engaging event termination which is our choice of representation for event
X in CLP. Process Run may either let time pass or engage any event.
3.2. MODELING OPERATIONAL SEMANTICS OF TIMED CSP IN CLP 31
Event preﬁx
Event preﬁx expression a ! P describes a process which is prepared to engage in the event
a after which it will behave as P . The semantics of this event preﬁx expression is illustrated
in the following two rules:
(a ! P) a! P
(a ! P) d (a ! P)
The ! represents an event transition, whereas  represents an evolution transition. The
rules associated with the event preﬁx operator are as the following:
tos(eventprex (E ;P);T ; [E ];P ;T ):
tos(eventprex (E ;P);T1; []; eventprex (E ;P);T1 +D) :  D > 0:
The ﬁrst rule states that this process is initially able to perform only event a, and after
performing a it behaves as P . The second rule states the process remains the same, but
allows d time unites elapse without any event being engaged.
3.2.2 Choice
Timeout
The timeout operator P1
d
. P2 introduces a way of describing time-sensitive process behavior,
which oﬀers a time-sensitive choice between P1 and P2. The operational semantics is deﬁned















3.2. MODELING OPERATIONAL SEMANTICS OF TIMED CSP IN CLP 32
P1
d 0 P 01











Where the ﬁrst d time unites of any execution will have transitions identical to an execution
of P1, since all transitions before the timeout occurs correspond to transitions of P1. The
corresponding CLP rules of timeout process is speciﬁed as follows:
tos(timeout(Q1; ; );T ; [E ];P ;T ) :  tos(Q1;T ; [E ];P ;T ):
tos(timeout(Q1;Q2;D);T ; [tau]; timeout(P ;Q2;D);T ) :  tos(Q1;T ; [tau];P ;T ):
tos(timeout(Q1;Q2;D);T1; []; timeout(P ;Q2;D   T );T1 + T )
:  T > 0;T <= D ; tos(Q1;T1; [];P ;T1 + T ):
tos(timeout(;Q2; 0);T ; [tau];Q2;T ):
The ﬁrst rules states if P1 performs any external event (not  event), the timeout choice
is resolved in favor of P1, and P2 is discarded. The second rules states if P1 performs any
internal event (), it does not resolve the choice. The evolution transition relation is modeled
in the third rule where the process remains timeout with d 0 (given 0 < d’ 6 d) time unites
elapse. The last rule states if P1 has not perform any external event within its allotted time,
which means d reduced to 0, the choice is resolved in favor of P2.
Delay
The delay event preﬁx (delay process) a d! P delays process P by d time units after engaging
event a. In [90], a delay is deﬁned as a process immediately following the occurrence of an
event occurs frequently enough in process description to warrant its own abbreviated forms:
a
d! P = a ! a ! (Stop d. P)
We model the semantics of a d! P the same as a ! a ! (Stop d. P), where corresponding
tos=5 rule is deﬁned as:
tos(delay(A;Q ;D);T1;E ;P ;T2)
:  tos(eventprex (A; timeout(stop;Q ;D));T1;E ;P ;T2):
3.2. MODELING OPERATIONAL SEMANTICS OF TIMED CSP IN CLP 33
Wait
The Wait d process, which is the initial primitive Timed CSP added, delays for exactly d
time unites before terminating. It is deﬁned using a timeout construction [90]:
Wait d = Stop
d
. Skip
The process Wait d can perform no events for the ﬁrst d time units of its execution, but
after that delay it terminates and its subsequent behavior is that of Skip. The CLP relation




:  tos(timeout(stop; skip;D);T1;E ;P ;T2):
External Choice
Choice operators are very important in Timed CSP. The external choice P1 2 P2 oﬀers a
choice between processes P1 and P2, which is resolved at the instant the ﬁrst visible event
occurs, in favor of the process which performs it. The rules for deriving transitions of a










! P 01 2 P2
P2 2 P1
! P2 2 P 01
P1
d P 01 P2
d P 02
P1 2 P2
d P 01 2 P 02
3.2. MODELING OPERATIONAL SEMANTICS OF TIMED CSP IN CLP 34
The operational semantics of process P1 2 P2 is deﬁned as ﬁve tos=5 rules:
tos(extchoice(P1; );T ; [E ];P3;T ) :  tos(P1;T ; [E ];P3;T ):
tos(extchoice( ;P2);T ; [E ];P4;T ) :  tos(P2;T ; [E ];P4;T ):
tos(extchoice(P1;P2);T ; [tau]; extchoice(P3;P2);T )
:  tos(P1;T ; [tau];P3;T ):
tos(extchoice(P1;P2);T ; [tau]; extchoice(P1;P4);T )
:  tos(P2;T ; [tau];P4;T ):
tos(extchoice(P1;P2);T1; []; extchoice(P3;P4);T2)
:  T2 > T1; tos(P1;T1; [];P3;T2); tos(P2;T1; [];P4;T2):
Where the ﬁrst two rules captures the ﬁrst deriving rules. The second deriving rules are
modeled in the next two tos=5 rules and the last tos=5 states the evolution transition.
3.2.3 Concurrency
Alphabetized parallel
In the operational semantics, the event transition and evolution transition associated with
the alphabetized parallel composition operator the alphabetized parallel composition oper-
ator P1 X jjY P2 are illustrated as the following [90]:
P1
e! P 01
[ e 2 X \ fg nY ]
P1 X jjY P2 e! P 01 X jjY P2
P2
e! P 02
[ e 2 Y \ fg nX ]
P1 X jjY P2 e! P1 X jjY P 02
P1
e! P 01;P2 e! P 02
[ e 2 X \Y ]




P1 X jjY P2 d P 01 X jjY P 02
3.2. MODELING OPERATIONAL SEMANTICS OF TIMED CSP IN CLP 35
The ! represents an event transition, whereas  represents an evolution transition. The
rules associated with the alphabetized parallel composition operator are as the following:
tos(para(P1;P2;X ;Y );T ; [E ]; para(P3;P2;X ;Y );T )
:  tos(P1;T ; [E ];P3;T );member(E ;X );notmember(E ;Y ):
tos(para(P1;P2;X ;Y );T ; [E ]; para(P1;P4;X ;Y );T )
:  os(P2;T ; [E ];P4;T );member(E ;Y );notmember(E ;X ):
tos(para(P1;P2;X ;Y );T ; [E ]; para(P3;P4;X ;Y );T )
:  tos(P1;T ;E ;P3;T ); tos(P2;T ;E ;P4;T );
member(E ;X );member(E ;Y ):
tos(para(P1;P2;X ;Y );T1; []; para(P3;P4;X ;Y );T1 +D)
:  tos(P1;T1; [];P3;T1 +D); tos(P2;T1; [];P4;T1 +D):
clp relation para(P1;P2;X ;Y ) is to present a parallel process P1 X jjY P2. The ﬁrst two
rules state that either of the components may engage an event as long as the event is not
shared. The third rule states that a shared event can only be engaged simultaneously by both
components. The last expresses states that the composition may allow time elapsing as long
as both the components do. Other parallel composition operation, like j[X ]j and jjj, can be
deﬁned as special cases of the alphabetized parallel composition operator straightforwardly.
interleaving
Concurrency execution of two processes without synchronization is described by an inter-
leaving process, P1 jjj P2. The introduction of time to the interleaving operator is entirely
similar to the approach taken for the parallel composition. The operational semantics rules
for deriving the transitions for an interleaved combination are as follows:
P1
! P 01
[  6= X ]
P1 jjj P2 ! P 01 jjj P2
P2
! P 02
[  6= X ]
P2 jjj P1 ! P 02 jjj P1
P1
X! P 01 P2 X! P 02
P1 jjj P2 X! P 01 jjj P 02
3.2. MODELING OPERATIONAL SEMANTICS OF TIMED CSP IN CLP 36
P1
d P 01 P2
d P 02
P1 jjj P2 d P 01 jjj P 02
The rules associated with the interleaving composition operator are as the following:
tos(interleave(P1;P2);T ; [E ]; interleave(P3;P2);T )
:  tos(P1;T ; [E ];P3;T ):
tos(interleave(P1;P2);T ; [E ]; interleave(P1;P3);T )
:  tos(P2;T ; [E ];P3;T ):
tos(interleave(P1;P2);T ; [termination]; interleave(P3;P4);T )
:  tos(P1;T ; [termination];P3;T ); tos(P2;T ; [termination];P4;T ):
tos(interleave(P1;P2);T1; []; interleave(P3;P4);T1 +D)
:  D > 0; tos(P1;T1; [];P3;T1 +D); tos(P2;T1; [];P4;T1 +D):
The clp relation interleaving(P1;P2) is used to present the interleaving process P1 jjj P2.
The First two rules state that either of the component can perform an external event in-
dependently, which will be appended to the trace of this process. The ﬁfth rule models
the third transition rule of the operational semantics, which states that both components
must engage the termination event X simultaneously. The last expresses states that the
composition may allow time elapsing as long as both the components do.
3.2.4 Flow of control
Sequential
The mechanism for transferring control from a terminated process to another process is
sequential composition: P1; P2. It allows control to pass to a second process when the ﬁrst
one terminates successfully, as indicated by the occurrence of the termination event X. The




[  6= X ]
P1; P2
! P 01; P2






d P 01 P2
d P 02
P1 jjj P2 d P 01 jjj P 02
The rules associated with the sequential composition operator are as the following:
tos(sequential(P1;P2);T ; [E ]; sequential(P3;P2);T )
:  tos(P1;T ; [E ];P3;T );not(E = termination):
tos(sequential(P1;P2);T ; [tau];P2;T )
:  tos(P1;T ; [termination];;T ):
tos(sequential(P1;P2);T1; []; sequential(P3;P2);T1 +D)
:  D > 0; tos(P1;T1; [];P3;T1 +D);not(tos(P1; ; [termination]; ; )):
CLP relation sequentail(P1;P2) is deﬁned to denote the sequential process P1; P2. The ﬁrst
operational semantics rule is translated into the ﬁrst tos/5 rule of sequential/3, which states
that the sequential composition P1; P2 initially executes as P1 before P1 terminates. The
second rule states that when P1 terminates, its X event becomes internal to the composition
and it passes control to process P2. The last expresses states that the composition may
allow time elapsing as long as P1 does, only if P1’s termination event is not enabled. The
last rule constraints that the passing of control is urgent.
Interrupt
The interrupt construction P1 O P2 allows the ﬁrst process P1 to execute, but it may be
interrupted at any time by an event from process P2. The process P2 is also able to perform
internal events without triggering the interrupt, which means that external interrupt events
maybe oﬀered and retracted by P2 as the execution unfolds. The operational semantics rules
for deriving the transitions for an interrupt combination are as follows:
P1
! P 01
[  6= X ]
P1 O P2
! P 01 O P2
3.2. MODELING OPERATIONAL SEMANTICS OF TIMED CSP IN CLP 38
P1
X! P 01




! P1 O P 02
P2
a! P 02
P1 O P2 a! P2
P1
d P 01 P2
d P 02
P1 O P2 d P 01 O P 02
The rules associated with the interrupt composition operator are as the following:
tos(interrupt(P1;P2);T ; [E ]; interrupt(P3;P2);T )
:  tos(P1;T ; [E ];P3;T );not(E == tau):
tos(interrupt(P1;P2);T ; []; interrupt(P3;P2);T )
:  tos(P1;T ; [tau];P3;T ):
tos(interrupt(P1;P2);T ; [termination]; interrupt(P3;P2);T )
:  tos(P1;T ; [termination];P3;T ):
tos(interrupt(P1;P2);T ; []; interrupt(P1;P3);T )
:  tos(P1;T ; [tau];P3;T ):
tos(interrupt( ;P2);T ; [E ];P3;T )
:  tos(P2;T ; [E ];P3;T );not(E = tau):
tos(interrupt(P1;P2);T1; []; interrupt(P3;P4);T1 +D)
:  D > 0; tos(P1;T1; [];P3;T1 +D); tos(P2;T1; [];P4;T1 +D):
CLP relation interrupt(P1;P2) is deﬁned to denote the interrupt process P1 O P2. The
two expressions capture the ﬁrst operational semantics rule, which states that the process
is able to perform any execution of P1. The ﬁrst expression captures the situation that
P1 performing an external event E which will be appended to the trace, while the second
expression captures an internal event engagement which will not be added to the end of
the trace. The third expression states that if P1 terminate while it is executing then the
entire structure is terminated and P2 is discarded. The forth expression captures the third
semantics rule when P2 performs an internal event and the forth rule captures the moment
when the interruption occurs where P2 is executed to P3 by engaging an external event E .
The last expression illustrates the evolution transition.
3.2. MODELING OPERATIONAL SEMANTICS OF TIMED CSP IN CLP 39
Timed interrupt
The introduction of time allows an alternative approach to the interruption of processes. If
the process is permitted to run for no more than a particular length of time, then the passage
of time can itself trigger an interrupt to remove control from a process. The operational




[  6= X ]
P1 Od P2
! P 01 Od P2
P1
X! P 01
P1 Od P2 X! P 01
P1 O0 P2 ! P2
P1
d 0 P 01
[ d 0 6 d ]
P1 Od P2 d
0
 P 01 Od d 0 P 02
The rules associated with the interrupt composition operator are as the following:
tos(tinterrupt(;Q2; 0);T ; [tau];Q2;T ):
tos(tinterrupt(Q1;Q2;D);T ; [E ]; tinterrupt(Q3;Q2;D);T )
:  tos(Q1;T ; [E ];Q3;T );not(E == termination):
tos(tinterrupt(Q1; ; );T ; [termination];Q3;T )
:  tos(Q1;T ; [termination];Q3;T ):
tos(tinterrupt(Q1;Q2;D);T1; []; tinterrupt(Q3;Q2;D   T );T1 + T )
:  not(D == 0);T > 0;T <= D ; tos(Q1;T1; [t(T )];Q3;T1 + T ):
A CLP relation tinterrupt(P1;P2;D) is deﬁned to denote the timed interrupt process P1 Od
P2.
There is a clear one-to-one correspondence between our rules and the operators which are
fully illustrated in Appendix A. Therefore, the soundness of the encoding can be proved
by showing there is a bi-simulation relationship between the transition system interpreta-
tion deﬁned in [90] and ours, and the bi-simulation relationship can be proved easily via a
structural induction.
3.3. MODELING DENOTATIONAL SEMANTICS OF TIMED CSP IN CLP 40
3.3 Modeling Denotational Semantics of Timed CSP in CLP
In Section 3.2 operational semantics is encoded into CLP, where the encoding of operational
semantics serves most of our purposes. Nevertheless the encoding of the denotational se-
mantics oﬀers an alternative way of proving systems modelled in Timed CSP as well as the
correctness of the encoding itself.
In this section, we encode both the timed traces and the timed failures model of Timed
CSP, where the semantics of a Timed CSP process is represented by a set of timed traces
or a set of timed failures [89]. A timed failure is a record of an execution, consisting of a
timed trace which contains information about event performed, and a timed refusal which
contains information about when events could be refused. In contrast to the operational
semantics, which focuses on a single step at once, the denotational semantics captures all
possible observations of systems modelled using Timed CSP. Therefore, it is easier to prove
over all possible behaviors in the denotational semantics model.
In the following, we illustrate our encoding using only a few fundamental constructors for
the sake of space saving. A relation timedfailure(P, f(Tr, R)) is deﬁned to capture the timed
failure semantics, where P is a process expression and Tr is a sequence of timed events and
R is a set of timed refusals. For instance,
timedfailure(stop; failure([]; )):
timedfailure(skip; failure([];R))
:  sigma(R;S );notmember(termination;S ):
timedfailure(skip; failure([tevent(T ; termination)];R))
:  T >= 0; before(R;T ;Z ); sigma(Z ;N );
notmember(termination;N ):
The relation sigma(P, S) is used to retrieve all events S in a process expression P, i.e., S =
(P). Similarly, the relation before(R, T, Z) is deﬁned accordingly as Z = R  T , i.e., the
refusals before time T. Basically, the ﬁrst rule states that the failures of process Stop are an
empty trace with all possible refusals. Process Skip refuses everything until the occurrence
of event termination, and all events are refused afterwards. As for compositional operators,
3.3. MODELING DENOTATIONAL SEMANTICS OF TIMED CSP IN CLP 41
we take the interface parallel composition operator as an example.
timedfailure(parallel(Q1;Q2;A); failure(S ;N ))
:  timedfailure(Q1; failure(S1;N 1));
timedfailure(Q2; failure(S2;N 2)); union(N 1;N 2;N );
union(A; [termination];AT ); remove(N 1;AT ;N 11);
remove(N 2;AT ;N 22); setequal(N 11;N 22); tsynch(S1;S2;A;S ):
The relation union(X, Y, Z) is the set union, i.e., Z = X [ Y . The relation remove(X, Y,
Z) is the set subtraction, i.e., Z = X n Y . The relation tsynch deﬁnes the ways in which a
trace tr1 from component Q1 and a trace tr2 from component Q2 can be combined to form
a trace of the parallel (formal deﬁnition in [89]). The interface parallel operator requires
synchronization on events from the interface event set A, and interleaving on events not in
A.
Notice that the denotational semantics focuses on observations of the system, which allows
us to query the system behaviors as a whole. For instance, it is more straightforward to
check timewise reﬁnement using the denotational semantics, and irregular processes can
be handled if we replace the recursion using its ﬁxed point. However, because there is no
guarantee that the derivation sequence is terminating, we have to limit the height of the
proving tree.
3.3.1 Handling Extensions to Timed CSP
Timed CSP is introduced in [82]. Since then, various extensions of Timed CSP have been
proposed. In this work, we identify some of the eﬀective extensions and show that they
can be encoded in the CLP framework. For instance, the idea of signal by Davies [17] is a
simple yet useful extension to capture liveness as well as model broadcasting eﬀectively. The
motivation of the concept signal is that when describing the behavior of a real-time process,
we may wish to include instantaneous observable events that are not synchronization. For
example, an audible bell might form part of the user interface to a telephone network, even
though the bell may ring (a signal) without the cooperation of the user. Informally, signal
3.3. MODELING DENOTATIONAL SEMANTICS OF TIMED CSP IN CLP 42
events are distinguished events that will occur as soon as they become available, and will
propagate through parallel composition. A process may ignore any signal performed by
another process, unless it is waiting to perform the corresponding synchronization. For any
observation that can be extended into the future, the only events that must be observed
are signals. Therefore, signals are useful both for modelling broadcast communication and
specifying liveness conditions, i.e., some events must be engaged.
sigTF (eventprex (E ; ; ); sigfailure([];X ;T ))
:  not(E == sig( )); sigma(X ;Z );
notmember(E ;Z ); end(X ;T1);T >= T1:
sigTF (eventprex (E ;P ;D); sigfailure([tevent(T ;E ) j XS ];Y ;T1 +D + T ))
:  T >= 0;not(E == sig( ));
sigTF (P ; sigfailure(S ;Y 1);T1);
backthrough(Y ;T +D ;Y 1); begin(S ;T2);
T2 >= T +D ; end(S ;Y ;T3);max (T ;T3;T4);
T1 +D + T >= T4; before(Y ;T ;Z ); sigma(Z ;N );
notmember(E ;N ); delay(S ;T +D ;XS ):
sigTF (eventprex (sig(E );P ;D); sigfailure([]; []; 0)):
sigTF (eventprex (sig(E );P ;D); sigfailure([tevent(0;E ) j XS ];Y ;T ))
:  sigTF (P ; failure(S ;Y 1);T1);
backthrough(Y ;T +D ;Y 1);T = T1 +D ;
before(Y ;T ;Z ); sigma(Z ;N );
notmember(E ;N ); delay(S ;T +D ;XS ):
The relation sigTF (P ; sigfailure(Tt ;Tr ;T )) is used to capture this time failure semantics
for signals, where P denotes the process, Tt is the timed trace, Tr denotes the timed refusal
set and T denotes a time value. The CLP clauses illustrate the possible evolution of signal
event preﬁxing. The ﬁrst two clauses denote the semantics for event preﬁx process a ! P
where a is not a signal, while the last two denote the one with signal event a^, presented as
sig(a). In the above rules, end(X,T) computes the least upper bound of the time refusal
X . backthrough(Y,T,Y1) represents the relation: Y - T = Y1, i.e., timed refusal Y 1 is
generated from Y by translating it backwards through time T . begin(S, T) retrieves the
time of occurrence of the ﬁrst event in timed trace S .
Another extension of special interest is Timed CSP integrated with state-based languages
like Z [107] to model systems with not only complicated control ﬂow but also complex data
3.4. VERIFICATION OF TIMED CSP 43
structures [74, 92]. Instead of adopting a heavy language like TCOZ (Timed Communicating
Object-Z [74]), we allow a ﬁnite number of variables to be associated with a process3, called
state variables. In addition, we allow a state update transition, i.e., instead of engaging an
abstract event, the system may perform a state update which changes the valuation of the
state variables. A state update is speciﬁed as a predicate involving state variables before
and after the update, as in Z style where the after-variables are primed [107].
For instance, there is a fragment of the speciﬁcation of this vending machine, in which we
allow diﬀerent coins to be inserted via a channel communication coin?x where x is 10, 20
or 50, a data variable Quota is requested to accumulate the amount of all coins inserted by
the user.
Insert(Quota) b= coin?x ! AddQuota
where AddQuota is an operation deﬁned in Z , which is:
AddQuota b= [x?; quota; quota 0 : N j quota 0 = quota + x?]
This Timed CSP speciﬁcation corresponds to the following CLP clauses where both the pre
and post values of the process parameter are presented as the parameters, namely Quota1
and Quota2, of the relation proc. The user is responsible to specify exactly how an action
updates the data variables, e.g., adding the amount of the coin to Quota.
proc(coin; eventpreifx (coin(X 1); addquota);Quota1;Quota2)
:  action(addquota;X 1;Quota1;Quota2):
action(addquota;X 1;Quota1;Quota2) :  Quota2 = Quota1 +X 1:
3.4 Veriﬁcation of Timed CSP
This section is devoted to various proofs we may perform over systems modeled using Timed
CSP and then encoded in CLP. These kind of assertions can be proved or disproved against
3which are of types supported by current tools for CLP.
3.4. VERIFICATION OF TIMED CSP 44
a given real-time system. We also develope a number of shortcuts for easy querying and
proving.
In order to explore the full state space, we deﬁne the following4:
reachable(P ;P ; [];T1;T1):
reachable(P ;Q ;N ;T1;T2)
:  tos(P ;T1; [tau];P1;T3); reachable(P1;Q ;N ;T3;T2):
reachable(P ;Q ; [(E ;T1) j N ];T1;T2)
:  tos(P ;T1; [E ];P1;T3);not(E = t( ); E == tau);
reachable(P1;Q ;N ;T3;T2):
reachable(P ;Q ;N ;T1;T2)
:  tos(P ;T1; [];P1;T3); reachable(P1;Q ;N ;T3;T2):
The relation reachable(P, Q, N, T1, T2) states that it is possible to reach the process
expression Q at time T2 from P at time T1, with trace N.
reachable=5 is deﬁned in four rules where the ﬁrst states any process can remain at itself.
The second rule states process P at T1 would reach process Q with trace N by ﬁrstly
performing an internal event to process P1 at time T3 hence P1 would reach process Q
with trace N . The third rule models the case P at T1 will reach Q with trace [(E ;T1) j N ]
by ﬁrst performing an external event E at time T1 to process P1; then P1 is able to reach Q
with trace N . The last rule captures the evolution transition from process P to P1 without
appending any event to trace N .
3.4.1 Safety and Liveness Properties
Speciﬁcations are the properties that the design must satisfy. There are diﬀerent ways to
express properties. In state-based formalisms, properties are generally stated using temporal
logics to specify how the system evolves over time. These properties are divided into two
categories: safety properties and liveness properties.
We follow the informal classiﬁcation of safety and liveness properties suggested by Lamport
[61, 17]: a safety property is a requirement that ’nothing bad happens’, while a liveness
4The possible state variables and local clocks are skipped for simplicity.
3.4. VERIFICATION OF TIMED CSP 45
property insists that ’some good thing will eventually occur’. In either case, we must exclude
undesirable behaviors from the semantic set of the process in question. In our model, a
safety property corresponds to the requirement that a given event may not occur except
under certain condition. For example:
 event a does not occur within time t after event b happens;
 if event a occurs, it must do so within time t after event b happens;
 event a may occur only at speciﬁc times.
[17] deﬁnes a safety speciﬁcation on process Y in timed failure semantics as:
8 s;X  (s;X ) 2 Y ) s 62 U
where U is a set of undesirable traces which violate the safety property. (s;X ) is timed
observation in the denotational semantics where s is a timed trace and X is a timed refusal.
The formula says that if the safety speciﬁcation is to be satisﬁable, then there is no trace of
Y be an undesired trace.
Using CLP, we may make explicit assertion which is neither just a safety assertion, nor just
a liveness assertion. Yet it can be used for both purposes using a unique interpretation. An
assertion is deﬁned as Deﬁnition 3.
Deﬁnition 3 (Assertion) An assertion is of the form G j= G 0 where G is a nonterminal
goal and G 0 is a possible terminal goal.
An assertion can be used as a safety assertion by having G 0 as a terminal goal which should
be the property/constraint that the system should satisfy. A safety property is generally
expressed in the form:
G j= 	 ; or G ;:	 j= false
which means there is no trace of the process violates the desired safety property 	.
3.4. VERIFICATION OF TIMED CSP 46
Deadlock
One safety property of special interest is deadlock-freeness. The following clauses are used
to prove it.
deadlock(P ;T1) :  reachable(P ;P1;N ;T1;T2);
(not(tos(P1;T2; [];Q ;T ); tos(Q ;T ; [ ]; ; )); (tos(P1;T2; [];Q ; );
not(tos;P1;T2; [ ]; ; ))); printf ("deadlock at : %"; [N ]):
Basically, it states that a process P at time T1 may result in deadlock if it can reach the
process expression Q at time T2 where no event transition is available neither at T2 nor
at any later moment. The last line outputs the deadlocked trace as a counterexample.
Alternatively, we may present it as a result of the deadlock proving.
3.4.2 Trace-based Properties
We allow trace-based properties (safety or liveness5) that can be checked by exploring trace
set partially. The retrieve of a timed trace is done by the predicate trace(P ;N ;Q), which
ﬁnds a sequence of events through which process expression P evolves to Q :
timed trace(P ;N ;Q) :  reachable(P ;Q ;N ; 0; ):
trace(P ;N ) :  timed trace(P ;M ; ); remove time(M ;N ):
where remove time(M ;N ) is a predeﬁned CLP relation which removes times stamps of all
event from a timed trace M .
We may prove that some event will always eventually be ready to be engaged using the
following rule: where rule member(N ;E ) returns true if event E appears at least once in the
event sequence N , rulenotmember(N ;E ) returns true if event E is not an element of event
sequence N .
nally(P ;E ) :  nottraceWOMember(P ;N ;E ):
5Liveness in CSP is a bit diﬀerent from that in traditional temporal logic. In CSP, a process may wait
forever before engaging an available event.
3.4. VERIFICATION OF TIMED CSP 47
Predicate nally(P ;E ) captures the idea that there is no such trace without event E in this
process P . In other words, this process will eventually go to event E . Another property
based on traces would be identifying the relationship among events, e.g., event A can never
happen before (after) event B in a trace or trace fragment. Take the timed vending machine,
which is deﬁned in Example 2.2.1 for example, we would like to ensure that in a round of
using the machine, the event tea will never be followed by an event dispatchcoee.
Example 3.4.1 (Veriﬁcation) For the timed vending machine (Example 2.2.1), we would
like to check that it is deadlock-free by running the following goal and expecting failure:
?  proc(vending ;P); deadlock(P ; 0):
Moreover, we would expect that whenever we choose tea, it would never dispatch coee
instead of tea, which can be checked by the following goal:
?  proc(vending ;P); trace(P ;N ); (notmember(N ; tea); after(N ; dispatchcoee; tea)):
end
3.4.3 Time Related Checking
In addition to proving pre-speciﬁed assertions, one distinguished feature of our approach is
that implicit assertions may be proved. In real time systems, sometimes it is very useful to
ﬁnd the lower and upper bound of a (time or data) variable such the applications like worst
or best case analysis of execution time.
In our work, relation duration(P) is deﬁned to ﬁnd the maximum execution time of a process
P . If P is not terminating, value of max will be innity . duration(P) is deﬁned as following
rules:
duration(P) :  duration time(P ;T ; ); dump([T ]); fail :
duration( ):
durationt ime(P ;T ;N )
:  non termination(P)  > (T = innity ; fail); reachable(P ; stop;N ; 0;T ):
3.5. HORAE 48
where non termination(P) is a predeﬁned relation which is to check whether process P is
terminating or not. If non termination(P) returns true, T will be inﬁnity and the rule
checking is terminated.
We are also able to compute the duration of the engaging time of event e in some process
P . Relation engagedTime(P ;E ) is deﬁned to fulﬁll this purpose.
engagedTime(P ;E ) :  happenTime(P ;E ;T ; ); dump([T ]); fail :
engagedTime( ; ):
happenTime(P ;E ;T ;X ) :  reachable(P ; ;X ; 0;T ); last(X ; [E j ]):
Example 3.4.2 The process Wait(2); a 3! Skip should terminate in more than 5 time
units, which can be identiﬁed by the following goal and expecting T  5.
?  duration(sequential(wait(2); delay(a; skip; 3))):
After executing the goal, it would return result T 2 [5; innity ]. The duration of engaging
time of event a can be found by running the following goal and expecting T 2 [3; innity ].
?  engageTime(sequential(wait(2); delay(a; skip; 3)); a):
end
3.5 HORAE
Our engineering eﬀorts have realized the proposed techniques in this chapter into a prototype
HORAE, which is an interactive tool that provides composing and reasoning of Timed CSP
process descriptions.
HORAE uses Constraint Logic Programming (CLP [54]) as underlying reasoning mecha-
nism. CLP is designed for mechanized proving based on constraint solving. CLP has been
successfully applied to model programs and transition systems for the purpose of veriﬁ-
cation. The main advantage of using CLP pertains to expressiveness. For example, [48]
demonstrates the proof of some standard properties, as well as properties such as time
3.5. HORAE 49
bounds between important events, on a CLP representation of Timed Safety Automata.
[56] can even specify the property for testing whether a system of processes is symmetric,
on a CLP representation of Timed Automata.
Built on the powerful constraint solver CLP(R) [55], HORAE can encode both operational
and denotational semantics of Timed CSP processes in CLP(R) [29] and perform the veri-
ﬁcation of the Timed CSP models. The front-end of the tool is implemented in Java. The
main features of this tool are listed as follows.
 Modeling Timed CSP models
 Specifying properties in a systematic way
 Verifying various kinds of properties with counterexamples provided if any, and
 Generating LATEX presentation of the Timed CSP models.
An overview of HORAE is shown in Figure 3.2, which mainly consists of ﬁve components,
i.e., a powerful GUI editor to compose Timed CSP models, an encoder which translates
Timed CSP processes to CLP models, a property speciﬁer which is used to specify properties
in a systematic way, a veriﬁcation engine which is used to verify properties and a LATEX code
generator. The software is implemented in Java and the CLP(R) is the CLP reasoning engine
used inside.
3.5.1 Building Timed CSP Models
In our system, Timed CSP processes are in ASCII form, i.e., machine reachable Timed CSP
which is used to enable machine readability. HORAE has a user-friendly editor to build
Timed CSP models. The encoder tcsp2clp can automatically transform Timed CSP model






















Figure 3.2: Overview of HORAE
3.5.2 Verifying Models
The veriﬁcation engine is the core component of HORAE. The veriﬁcation is performed by
the engine which takes a Timed CSP model in .clpr -format from the encoder and a property
as input. This engine has two modules, which are opereng and denoeng, building on the
operational model and the denotational model respectively. Diﬀerent kinds of properties are
checked by diﬀerent modules.
Timed CSP Semantics in CLP
In the veriﬁcation engine, the semantics of Timed CSP processes are modeled in CLP. In
our tool, both the operational semantics and denotational semantics are encoded.
Operational semantics is modelled by capturing both evolution relations and timed event
transition relations of a process. In denotational semantics, we encoded the timed traces
and timed failures model of Timed CSP, where a Timed CSP process is represented by a set
of timed traces or a set of timed failures. Detailed theory and encoding of both semantics
can be found in Section 3.2 and Section 3.3 respectively.
3.6. CASE STUDIES AND EXPERIMENTS 51
Property Speciﬁcation and Veriﬁcation
The module Property Specier is used to specify three kinds of properties in a systematic
way, which can later be veriﬁed by the veriﬁcation engine.
Safety and Liveness Reachability properties are speciﬁed as: Reachable(P ;Q ;	) = N
which tests whether N is a possible trace from process Q to P , with some constraint 	.
Deadlock freeness of process P can be checked in Deadlock(P).
Variable Bounds We can identify the lower or upper bound of a variable. For example,
we can identify whether a given value of a time variable T is an upper or lower bound of
duration of the execution of one process P to its subsequent process Q . These properties
are speciﬁed as: Upper(P ; Q ; time) = T or Lower(P ; Q ; time) = T . Similarly, the lower
or upper bound of the duration between two events A and B in a process P can also be
speciﬁed as P :: Upper(A; B ; time) = T or P :: Lower(A; B ; time) = T .
3.6 Case Studies and Experiments
In this section, we compare our method to the mature model checker for CSP, namely
(Failures-Divergence Reﬁnement) [84] (version 2.78), in terms of ﬂexibility as well as eﬃ-
ciency. We implement a prototype as a normal CLP(R) program. In the following, we
demonstrate our experiments with three examples on a Unix system located at a Sunﬁre
sever with 1GB user memory. Because FDR is designed for CSP, the quantitative timing
aspects of the examples have been abstracted using discrete clock ticks ﬁrst, then FDR is
used to perform veriﬁcation.
3.6.1 Timed Vending Machine
The speciﬁcation of the timed vending machine is presented in Example 2.2.1. Figure 3.1
shows the timed vending machine model in CLP. This example is customized into a FDR
3.6. CASE STUDIES AND EXPERIMENTS 52
program (say P), in which the time-out operator is replaced with an external choice. The
following are the properties veriﬁed:
 tvm-1 Deadlock-freeness.
 tvm-2 Trace timewise reﬁnement:
– in CLP, whether the process TVM is a trace timewise reﬁnement of P .
– in FDR, whether the process P is a trace reﬁnement of TVM .
 tvm-3 Whether there is such a case that coﬀee is selected while tea is dispatched.
3.6.2 Dining Philosopher
The classic dining philosopher example is also experimented. The speciﬁcation is available
in [51]. We implement this example with N philosophers and N forks. The following
properties are experimented:
 philosopherN-1 It is not deadlock-free.
 philosopherN-2 No more than N+1/2 philosophers can eat at the same time.
 philosopherN-3 It is possible that one philosopher eat all the time with the others
starving. This property is checked with trace reﬁnement.
3.6.3 The Railway Crossing
The railway crossing system is modelled and checked, which is complex enough to demon-
strate a number of aspects of the modelling and veriﬁcation of timed systems. The system
consists of three components: a train, a gate and a controller. The gate should be up to
allow traﬃc to pass when no train approaching and lowered to obstruct traﬃc when a train
is coming. The controller monitors the approach of a train, and instructs the gate to be
3.6. CASE STUDIES AND EXPERIMENTS 53
Figure 3.3: The Rail Way Control System
lowered within the appropriate time. The train is modelled abstractly with behaviors: near-
ing, entering and leaving the crossing. The Timed CSP modelling is as follows (originally
presented in [89]):
TRAIN b= T  trainnear ! nearind 300! entercrossing
20! leavecrossing ! outind ! T
GATE b= G  downcom 100! down ! conrm ! G
2 upcom
100! up ! conrm ! G
CONTROLLER b= C  outind 1! upcom ! conrm ! C
2 nearind
1! downcom ! conrm ! C
CROSSING b= CONTROLLER C jjG GATE
SYSTEM b= TRAIN T jjC[G CROSSING
The timing information of the system is that: the train takes at least 5 minutes from
triggering the near :ind sensor to reach the crossing; and at least 20 seconds to get across
the crossing. The controller takes a negligible amount of time, say 1 second, from receiving
a signal from a sensor to relaying the corresponding instruction to the gate. The gate
3.6. CASE STUDIES AND EXPERIMENTS 54
Property Goal in CLP
deadlock-freeness proc(system, P), tdeadlock(P, 0) j= false
if train enters crossing, proc(system, P), supersetp(P, X),
the gate must be down last(X, entercrossing),ﬁlter(X, [up,down], X2),
last(X2, up) j= false
lower bound for a train proc(system, P), dur(delay(nearind, , ),
passes the crossing is 320s eventpreﬁx(outind, ), T1, T2),T2-T1<320 j= false
if the gate is up, the train proc(system,P), superstep(P, X),
must have left the crossing not(not in([up, entercrossing, leavecrossing], X);
after(X, leavecrossing, entercrossing))) j= false
legal trace checking proc(system, P),superstep(P, [trainnear, nearind,
downcomm, down, conﬁrm, entercrossing,
leavecrossing, outind])j= true
Table 3.2: Properties Veriﬁcation
process takes 100 seconds to get itself into position following an instruction. A number
of interesting properties can be formulated, evidenced in Table 5.1. The three properties
selected for comparing our approach with FDR veriﬁcation are:
 railway-1 Deadlock-freeness
 railway-2 Whether trace htrainnear ;nearind ; downcomm; down; conrm;
entercrossing ; leavecrossing ; outindi is a legal trace or not.
 railway-3 Whether the lower bound for a train passes the crossing is 320s.
We summarize our results in Table 3.3. We ran the examples in both CLP(R) and FDR
systems and we calculated the execution time of each property if the property is able to
be checked in that system. From the table, we can see that most of our timing analysis
performance are competitive with the well-known system, while in some cases, we are not
3.7. SUMMARY 55














Table 3.3: Experiment Results
so competitive. The important metric of our experiments is the ﬂexibility. The results show
that our reasoning method based on constraint solver.
3.7 Summary
In this chapter, we proposed a reasoning method for Timed CSP based on constraint logic.
we have shown that event-based process algebra Timed CSP can be encoded in CLP by
encoding both the operational and denotational semantics. This piece of work therefore
broadened real-time systems which can be speciﬁed and veriﬁed by CLP. It is a solid foun-
dation for the future research on extending Timed CSP and developing a reasoning engine
for this extended Timed CSP speciﬁcation.
This approach starts with a formal translation of Timed CSP syntax to CLP relations,
where a library of all Timed CSP operators is built. We have also developed a collection
of supplementary rules for encoding operational semantics of each operator into CLP rules.
These serve as a solid foundation in our veriﬁcation system. We can rigorously carry out
veriﬁcation of Timed CSP models with a high level of automation. We investigated a wide
range of properties that may be proved based on constraint solving, namely CLP(R), for
instance we showed that using a unique interpretation, traditional safety and liveness can
3.7. SUMMARY 56




As demonstrated in last chapter, Timed CSP is a powerful language to model real-time
reactive systems. However, limited by the expressive power, it lacks of support for stating
system requirements which constraints all behavioral traces of given processes, for example,
deadline and execution time of a process, time-related constraints among events which are
common requirements for many real time systems and etc. To increase the expressiveness of
Timed CSP, we propose an extension of Timed CSP, which named Timed Planning. Timed
Planning speciﬁcation extends Timed CSP with the capability of stating complicated timing
behaviors for processes and events to model and verify complex compositional real-time
systems. A Timed Planning model is made up of a compositional timed process and a set
of constraints over processes, events and the data variables which are the requirements that
the process should satisfy. In this proposed formalism, each process is associated with a set
of localized timing/untiming requirements with keywordWhere which can be speciﬁed in a
compositional way. The full syntax and operational semantics of Timed Planning language
are formally deﬁned in this chapter.
A reasoning mechanism for the Timed Planning is hence developed based on Constraint Logic
Programming (CLP) by extending the reasoning engine for Timed CSP. Both syntax and
semantics of Timed Planning are formally translated into CLP. The operational semantics
57
4.1. SYNTAX OF EXTENDED TIMED CSP 58
is encoded to CLP, where a set of global and local variables need to be captured during
the execution. Feasibility checking and various property veriﬁcation can be applied to check
systems modeled in Timed Planning.
4.1 Syntax of Extended Timed CSP
In the extended Timed CSP speciﬁcation, a process is extended with an optional Where
clause, which consists of a (ﬁrst order) predicate over a predeﬁned set of time variables.
4.1.1 Timed Variables
To capture the important timing information of a process, we introduce three time point
variables: Start, End, and Tes for processes and one time point variable Engage for
events, which are as explained as follows.
Starting and Ending Time of a Process
One important timing information of a process is when it is started and when it is ended.
Given a process P , the variable P :Start (P :End) denotes the exact starting (ending) time
of process P . More speciﬁcally, P :Start captures the starting time of a process P when
its ﬁrst event is enabled or when the “wait d ” process is enabled if P starts with a wait
process.
P :End is the ending time of the process P . If the process is terminating, P :End is the engage
time of the termination event X. If the process is non-terminating, then P :End = 1.
Naturally, condition P :End  P :Start holds all the time. Using the two variables, a
deadline property (a task must be accomplished within a certain time) is expressed as
P Where P :End P :Start 6 d where d is a constant (d 2 R+), if and only if this process
is terminating.
4.1. SYNTAX OF EXTENDED TIMED CSP 59
Example 4.1.1 Kate needs to attend a meeting which starts at 10:00 and lasts less than
two hours. She will go home after the meeting.
Kate b= arrive ! Meeting ; gohome ! Skip
Where arrive:Engage 6 10 ^ Meeting :Start=10
^ Meeting :End Meeting :Start 6 2
where we write 10 to represent 10:00 for simplicity. Meaning of Engage is explained below.
end
Engagement Time of Events
In many scenarios, there are requirements on an event to perform at some expected time, for
example attending a meeting at 10am or printing the job within 15 minutes after receiving
this job. A time variable Engage is attached to an event e to denote the exact time when
e is engaged, in the form of e:Engage.
In an evaluation, event e is likely to be engaged more than once, for example, P b= a 2! P .
The variable e:Engagei is introduced to denote the ith occurrence of e in an evaluation. For
instance, P b= a 2! P , one possible evaluation is h(0; a); (3; a); (5; a):::i. In this evaluation,
the engage time of event a is stored in a:Engagei , where i = 1:::N : (a:Engage1 =
0; a:Engage2 = 3; a:Engage3 = 5; : : :).
For event e engaged more than once in a trace, e:Engage is the set of all occurrences of
event e in the process it is attached to. More speciﬁcally, e:Engage is the set of e:Engagei ,
e:Engagei is the element of set e:Engage, i.e.,
e:Engage = fe:Engageig
e:Engagei 2 e:Engage
For simplicity, we deﬁne a set of rules to eliminate the 8 i to be used in our constraints. For
instance, to specify the constraint that event e must be engaged before time t , expression
e:Engage 6 t is used instead of 8 i  e:Engagei 6 t , if this process is terminating.
4.1. SYNTAX OF EXTENDED TIMED CSP 60
e:Engage 6 t  8 i  e:Engagei 6 t
0 6 e1:Engagei   e2:Engagei 6 t  8 i  0 6 e1:Engagei   e2:Engagei 6 t
0 6 e1:Engage  e2:Engage 6 t  8 i ; j  0 6 e1:Engagei   e2:Engagej 6 t ;
Constraint e1:Engagei   e2:Engagei 6 t is exactly the same as 8 i  e1:Engagei  
e2:Engagei 6 t , which means that each time after e2 is engaged, e1must be engaged within
t time units. While constraint e1:Engage  e2:Engage 6 t means 8 i ; j  e1:Engagei  
e2:Engagej 6 t , which speciﬁes the requirement that e1 is not allowed to be engaged after
t time units with any occurrence of e2.
Timed Event Set
In addition, the variable P :Tes is introduced to capture the evaluation of a process P up
to the current time, where Tes stands for T imed Event Set. Tes is a set of timed events.
A timed event is a pair (e  R+, where e 2 1) consisting of a time and an event engage
time variable.
Tes is used to record the engage time of all events engaged so far, which can be viewed as a
history of the execution. Traces of the speciﬁc evaluation are able to be retrieved from Tes.
We can also retrieve other information we are interested in from the set Tes. The following
example illustrates a constraint concerning the number of occurrences of events in P .
Example 4.1.2 In a restaurant, the staﬀ in the kitchen cook and supply food to the counter,
the staﬀ at the counter takes orders and delivers food to the customers.
Kitchen b= cook ! supply ! Kitchen
Counter b= order 30! serve ! Counter
Where serve:Engage  order :Engage 6 60
Mcd b= Kitchen k Counter
Where Tes # supply  Tes # serve ^ Tes # supply  Tes # serve 6 10
1 is the universal set of events.
4.1. SYNTAX OF EXTENDED TIMED CSP 61
where Tes # supply is the number of occurrences of event supply in the timed event set
Tes up to the current time. TheWhere clause guarantees for each order, there is available
food to be delivered. end
4.1.2 Syntax of Timed Planning
In this section, we present the formal syntax for Timed Planning process. A Timed Planning
process is a Timed CSP process attached with a optionalWhere predicate which is deﬁned
by the following syntax tree.
P(x1; :::; xn) ::= ProcExp [Where WherePred ]




j :WherePred j true j false
j WhereExpr WhereExpr ;
 2 f<;6;=; >;g
WhereExpr ::= [Name:]Start j [Name:]End
j [Name:]Tes
j Name:Engage j Name:Engagei
j WhereExpr WhereExpr ; 2 f+; g
j WhereExpr  R; 2 f; =g
j (WhereExp) j R
where P is the process name, x1; :::; xn is an optional list of process parameters and ProcExp is
a Timed CSP process expression. Each process can be attached with an optionalWherePred
with keyword Where. Process P without WherePred is exactly the same as a Timed CSP
process.
Name is a sequence of characters starting an alphabet, i.e., an event or a process. Note that if
Name is missing, it defaults to the process name on the left hand side. To diﬀerentiate events
of the same name in diﬀerent processes, we write P :a to denote the event a in P whenever
necessary. By using the syntax deﬁned above, common Timed Planning requirements can
be speciﬁed easily.
4.1. SYNTAX OF EXTENDED TIMED CSP 62
Example 4.1.3 Consider a printer system, which has a receiver and two printers. The
receiver receives jobs and the two printers print jobs.
Receiver b= accept ! Receiver
Printer1 b= print 30! print nish ! Printer1
Whereprint nish:Engagei   print :Engagei 6 120
Printer2 b= print 30! print nish ! Printer2
Whereprint nish:Engagei   print :Engagei 6 120
PrintSys b= Receiver jjj Printer1 jjj Printer2
WhereTes # print 6 Tes # accept
Process Receiver receives printing jobs and processes Printer1 and Printer2 are the two
printers printing documents. For each document printing process, it should be ﬁnished
within 2 minutes (120 seconds) and it must take at least 30 seconds for the whole process.
Since receiver and the two printers are working interleavingly, we need to make sure that for
each printing, there must be at least one unprinted jobs. Constraint Tes # print 6 Tes #
accept is used to capture this idea, where Tes # print is the number of occurrences of event
print in the event set Tes. 2end
Tes # e is to count the number of event e in an execution that has been engaged so far. It
is a unique feature of Timed Planning where Timed CSP or Timed Automata are unable to
achieve. To capture diﬀerent aspects of the execution, we deﬁne a set of build-in libraries
which can be directly used in the where predicates.
 Tes # e : the number of occurrences of event e in the timed event set Tes.
 rst(Tes): The ﬁrst event engaged in Tes.
 last(Tes): The last event engaged in Tesup to the current execution.
Since Tes is a set of pairs (e R+), Tes # e is easily calculated by counting the number of
appearances of e in Tes which have been engaged so far. rst(Tes) is retrieved by ﬁnding
the pair (e;T ) with the smallest T in Tes, while last(Tes) is to ﬁnd the largest T . Users
are free to add their own functions to the libraries.
4.1. SYNTAX OF EXTENDED TIMED CSP 63
Common requirements for a system can be easily speciﬁed. For instance, the deadline of a
process, order of events, separation time between events, etc as follows:
1. Process P must be ﬁnished within time d :
P :End  P :Start 6 d
2. Process P must be ﬁnished before time d :
P :End 6 d
3. Max separation time between two events e1, e2 is d :
e2:Engage  e1:Engage 6 d
4. e2 must be engaged before e1:
e1:Engage  e2:Engage 6 0
Data types
The Timed Planning speciﬁcation supports a wide range of primitive data types, including
integers, real numbers, boolean values and lists. We can deﬁne global variables or process
parameters of these types. To be speciﬁc, the data types we are supporting are: R (Real
Number), N (Integers), B (Boolean) and T [] (a list of elements of type T where T 2
fR;N;Bg).
4.1.3 Healthiness Conditions
As illustrated in the last section, each process has a Where clause, which restricts the set
of timed traces of the process. The constraints associated with a process are divided into
two groups, namely the explicit ones deﬁned in the Where clause and implicit ones. The
implicit constraints should always be satisﬁed, which is a set of healthiness conditions of
processes. The following are two examples of such healthiness conditions. The complete list
of healthiness conditions can be found in Appendix A.
4.2. OPERATIONAL SEMANTICS 64
 For every event e in process P , e must be engaged between the starting time and
ending time of P . Let
P
P be the alphabet of P .
8 e :PP  P :Start 6 e:Engage ^ e:Engage 6 P :End
 Let Pi be a sub-process of P , written as Pi 4 P . The starting time of Pi must be
greater than or equal to the starting time of P and its ending time must be less than
or equal to that of P .
8P ;Pi  Pi 4 P ) P :Start 6 Pi :Start ^ Pi :End 6 P :End
4.2 Operational Semantics
In the previous section, the syntax Timed Planning processes is illustrated. In this section,
we formally deﬁne the semantics of the new speciﬁcation. An operational semantics provides
a way of interpreting a language by stepping through executions of programs written in
that language. It describes an operational understanding of the language. The operational
semantics of Timed CSP is precisely deﬁned in Schneider [90] by using the combination of two
relations: event transition and evolution. The semantic model consists of three components:
the event and timed transitions which are inherited from Timed CSP, a Where predicate
which must be satisﬁed by this model, and an Timed stamped set.
A Timed stamped set (Tss) is a record of an execution, which is to store all the values of
the timed variables introduced in last section, namely Start;End;Engage;Engagei and
Tes. It consists of a set of process related time stamps, namely the starting and ending
times of processes, and a timed event set (Tes) which is a set of timed events. Tes is a
subset of Tss: Tes  Tss. A timed event is a pair drawn from e  R+ where e 2 ,
consisting of a time and an event engage time value.
We deﬁne the state of a process as a quadruple hP ; t ;W ;Tssi where P is the process, t
is the current time, W is the Where predicate and Tss is the timed stamped set of the
model. Tss keeps value for all variables. At each transition, an evaluation of the system
4.2. OPERATIONAL SEMANTICS 65
requirement W is performed. If the current state satisﬁes the requirement, the transition
can be enabled, otherwise not. The operational semantics of Timed Planning is deﬁned as
follows.
Deﬁnition 4 The operational semantics of the extended Timed CSP speciﬁcation is a timed
transition where the state is a quadruple hP ; t ;W ;Tssi, and event transitions and evolution
transitions are deﬁned by the rules:
 hP ; t ;W ;Tssi a! hP 0; t ;W ;Tss 0i where
a 6= X ^ 9 i : N  Tss [ f(a:Engagei ; t); (P :Start; t)g W
 hP ; t ;W ;Tssi X! hP 0; t ;W ;Tss 0i where
Tss [ f(P :End; t)g W
 hP ; t ;W ;Tssi d hP 0; t + d ;W ;Tss 0i where
d > 0 ^ Tss [ f(P :Start; t)g W
where P 0 is the subsequent process of P by involving either a event transition (!) or a timed
transition ( ). Tss 0 is a timed stamped set with updated Engage, Engagei , Start,
End and Tes variables. The a! represents an event transition, whereas d is a timed
transition. 9 i : N  Tss [ f(a:Engagei ; t); (P :Start; t)g  W is an evaluation of the
current state, which is used to check whether the current Tss fulﬁlls the system requirements
W or not. 2
In the operational semantics, we deﬁne both event transition and timed transition relations
for all primary and compositional operators in Timed Planning speciﬁcation.
Stop
In Timed Planning, process Stop is the same as it is in Timed CSP. It remains unable to
perform any internal or external events which must still be in the same state after any delay
has occurred. The inference rule for Stop is deﬁned as follows:
4.2. OPERATIONAL SEMANTICS 66
hStop; t ;W ;Tssi d hStop; t + d ;W ;Tssi
This states that process Stop can allow any amount of time d to elapse, and that the
resulting state will still be Stop. Tss remains unchanged.
Skip
The Timed CSP process Skip is the immediately terminating process. The inference rules
for the operational semantics of Skip are deﬁned as follows:
Tss [ f(X:Engage; t)g j=W
hSkip; t ;W ;Tssi X! hStop; t ;W ;Tss [ f(End ; t)gi
hSkip; t ;W ;Tssi d hSkip; t + d ;W ;Tssi
Event Preﬁx: a ! Q
The CSP expression a ! P describes a process which is prepared to engage in the event a,
after which it will behave as P . In Timed Planning, it remains in its initial state until event
a is able to be performed at the current environment and requirements. Alternatively, some
time may elapse without the event a being accepted. In this case, the process remains in
the same state, patiently maintaining the oﬀer. These two possibilities are described by the
two following transitions.
Tss [ f(a:Engagei ; t)g j=W
[ Tes # a = i   1 ]
ha ! Q ; t ;W ;Tssi a! hQ ; t ;W ;Tss [ f(a:Engagei ; t)gi
ha ! Q ; t ;W ;Tssi d hQ ; t + d ;W ;Tssi
4.2. OPERATIONAL SEMANTICS 67
Timeout: Q1 . fdgQ2
The timeout operator introduces a way of describing time-sensitive process behavior. Initial-
ly process Q1 is available, which means that the control is with process Q1 when execution
begins. If Q1 performs some external event before d units of time have elapsed, providing
that this event engaging at the current time satisﬁes the system requirements, then the
timeout choice is resolved in favor of Q1. In this case, Q2 is discarded without ever being
made available. Q1 performing an internal event would not resolve the choice. If Q1 does
not perform any visible event in the ﬁrst d time units, the process would pass control to
process Q2, where the timeout occurs.
Tss [ f(a:Engagei ; t)g j=W Q1 a! Q 01
[ Tes # a = i   1 ]
hQ1 d. Q2; t ;W ;Tssi a!
hQ 01; t ;W ;Tss [ f(a:Engagei ; t)gi
Q1
! Q 01
hQ1 d. Q2; t ;W ;Tssi ! hQ 01
d
. Q2; t ;W ;Tssi
hQ1 0. Q2; t ;W ;Tssi ! hQ2; t ;W ;Tssi
Q1
d 0 Q 01




. Q2; t + d
0;W ;Tssi
External Choice: Q1 2 Q2
The external choice operator oﬀers a choice between processes, which is resolved at the
instant the ﬁrst visible event occurs, in favor of the process which performs it. In Timed
Planning, the choice is resolved only by an external event of one of participating process.
The choice is preserved when any participating process performing an internal event. Since
time passes for both processes are at the same rate, they both participate in any evolution.
The operational semantics of external choice operator are illustrated by the following rules.
4.2. OPERATIONAL SEMANTICS 68
Tss [ fa:Engagei ; tg j= W
Q1
a! Q 01
[ Tes # a = i   1 ]
hQ1 2 Q2; t ;W ;Tssi a!
hQ 01 2 Q2; t ;W ;Tss [ f(a:Engagei ; t)gi
Tss [ fa:Engagei ; tg j= W
Q2
a! Q 02
[ Tes # a = i   1 ]
hQ1 2 Q2; t ;W ;Tssi a!
hQ1 2 Q 02; t ;W ;Tss [ f(a:Engagei ; t)gi
Q1
! Q 01
hQ1 2 Q2; t ;W ;Tssi ! hQ 01 2 Q2; t ;W ;Tssi
Q2
! Q 02
hQ1 2 Q2; t ;W ;Tssi ! hQ1 2 Q 02; t ;W ;Tssi
Q1
d Q 01 Q2
d Q 02
hQ1 2 Q2; t ;W ;Tssi d hQ 01 2 Q 02; t + d ;W ;Tssi
Parallel: Q1 X jjY Q2
The operational semantics of the alphabetized parallel composition operator Q1 X jjY Q2
are illustrated in the following rules.




[e 2 X [ fg nY ;Tes # e = i   1]
hQ1 X jjY Q2; t ;W ;Tssi e!
hQ 01 X jjY Q2; t ;W ;Tss[
f(Start; t); (e:Engagei ; t)gi




[e 2 Y [ fg nX ;Tes # e = i   1]
hQ1 X jjY Q2; t ;W ;Tssi e!
hQ1 X jjY Q 02; t ;W ;Tss[
f(Start; t); (e:Engagei ; t)gi
4.2. OPERATIONAL SEMANTICS 69
Tss [ f(Start; t); (e:Engagei ; t)g j= W
Q1
e! Q 01 Q2 e! Q 02
[ r3 ]
[e 2 X \Y   fXg;Tes # e = i   1]
hQ1 X jjY Q2; t ;W ;Tssi e!
hQ 01 X jjY Q 02; t ;W ;Tss[
f(Start; t); (e:Engagei ; t)gi
Tss [ f(Start; t); (X:Engage; t)g j= W
Q1
X! Q 01 Q2 X! Q 02
[ r4 ]
hQ1 X jjY Q2; t ;W ;Tssi e!
hQ 01 X jjY Q 02; t ;W ;Tss[
f(Start; t); (End; t)gi
Tss [ f(Start; t)g j=W
Q1
d Q 01 Q2
d Q 02
[ r5 ]
hQ1 X jjY Q2; t ;W ;Tssi d 
hQ 01 X jjY Q 02; t + d ;W ;Tss [ f(Start; t)gi
The ﬁrst two rules state that either of the components (Q1 or Q2) may engage an event
as long as the event is not shared if and only if the evaluation on whether the current Tss
appended with f(Start; t); (e:Engagei ; t)g still satisﬁes process requirement W is true.
Tss will be updated to Tss 0 = Tss[ f(Start; t), (e:Engagei ; t)g. Rule r3 states that
a shared event can be engaged simultaneously by both components as long as the event
satisﬁes the requirements. Rule r4 is a special case for the third rule, whereas the event
is the X which is a special event used purely to denote termination. A new pair (End, t)
is added to the Tss and hence checked. Rule r5 says that the composition may allow time
elapsing when both the components do.
Interleaving: Q1 jjj Q2
The introduction of time to the interleaving operator is entirely similar to the approach
taken for the parallel composition. In an interleaved combination each internal or external
4.2. OPERATIONAL SEMANTICS 70
event is performed by precisely only one of the components if and only if the evaluation on
the current Tss with this event satisﬁed the system requirements, while the other component
makes no progress at all. The passage of time occurs at the same rate in both processes,
so they must agree on timed transitions. The transitions reﬂecting operational semantics of
interleaving operator are deﬁned as follows:
Tss [ f(e:Engagei ; t)g j= W
Q1
e! Q 01
[ Tes # e = i   1 ]
hQ1 jjj Q2; t ;W ;Tssi e!
hQ 01 jjj Q2; t ;W ;Tss [ f(e:Engagei ; t)gi
Tss [ f(e:Engagei ; t)g j= W
Q2
e! Q 02
[ Tes # e = i   1 ]
hQ1 jjj Q2; t ;W ;Tssi e!
hQ1 jjj Q 02; t ;W ;Tss [ f(e:Engagei ; t)gi
Tss [ f(X:Engage; t)g j=W
Q1
X! Q 01 Q2 X! Q 02
hQ1 jjj Q2; t ;W ;Tssi X! hQ 01 jjj Q 02; t ;W ;Tss [ f(End; t)gi
Q1
d Q 01 Q2
d Q 02
hQ1 jjj Q2; t ;W ;Tssi d hQ 01 jjj Q 02; t + d ;W ;Tssi
Example 4.2.1 Take a printer process as an example. After the printer accepts a job, it
needs to print this job within 30 to 60 seconds. Assume the process starts at time 0.
Printer b= accept 30! print ! Printer
Where print :Engagei -accept :Engagei 6 60
W is the constraint print :Engagei -accept :Engagei 6 60. The following is one possible
execution sequence.
4.3. MODELING TIMED PLANNING IN CLP 71
haccept 30! print ! Printer ; 0;
fprint :Engage-accept :Engage 6 60g; f(Start; 0)gi 10 
haccept 30! print ! Printer ; 10;
fprint :Engage-accept :Engage 6 60g; f(Start; 0)gi accept!
hStop 30. print ! Printer ; 10; fprint :Engage-accept :Engage 6 60g;
f(Start; 0); (accept :Engage1; 10)gi 30 
hprint ! Printer ; 40; fprint :Engage  accept :Engage 6 60g;
f(Start; 0); (accept :Engage1; 10)gi 20 
hprint ! Printer ; 60; fprint :Engage  accept :Engage 6 60g;
f(Start; 0); (accept :Engage1; 10)gi print!
hPrinter ; 60; fprint :Engage  accept :Engage 6 60g
f(Start; 0); (accept :Engage1; 10); (print :Engage1; 60)gi
  
In this execution, event accept is ﬁrstly engaged at 10, we insert (accept :Engagei10)
to Tss. It is not likely for event print to be ﬁrstly engaged after 40 seconds while it is
enabled, where print :Engagei will be greater than 70, since it is guarded by print :Engagei -
accept :Engagei 6 60. end
4.3 Modeling Timed Planning in CLP
4.3.1 Encoding Extended Timed CSP in CLP
The very initial step is to encode the extended Timed CSP models in to CLP rules. This
step is automatically done by syntax rewriting. A process “Proc WhereWherePred" is
encoded to a relation tproc(N, P, W) in CLP. tproc(N, P, W) consists of three parts, where
N is the name of this process, P is the CLP representation of Proc and W represents the
WherePred . The syntax translation consists of two parts, process operators translation and
Where clause translation.
All operators of the extended speciﬁcation which inherited from Timed CSP are encoded
into CLP rules in a compositional way. A library of all operator translation is built. For
example:
4.3. MODELING TIMED PLANNING IN CLP 72
 a ! Skip : eventprefix(a, skip)
 a t! Skip : delay(a, skip, t)
 P1 jjj P2 : interleaving(P1,P2)
 P1; P2 : sequential(P1,P2)
In our library, eventprex (A;P) is deﬁned to denote a process A ! P . delay(A;P ;T )
is the CLP form of operator A T! P in Timed CSP. interleaving(P1;P2) is to represent
operator P1 jjj P2 where P1 and P2 are the CLP formate of process P1 and P2. Relations
sequential=2 is to represent a sequential operator “;”.
For each process, a Where clause WherePred is encoded into W in CLP. W is a list of the
form [W 1;W 2; :::;Wn]. Before we encode WherePred into a CLP list, we need to convert
WherePred into conjunctive normal form (CNF), which is a conjunction of Horn clauses.
Logically, W = W 1 ^ W 2 ^ ::: ^ Wn where each Wi is a Horn clause in the form of
or(Wi1;Wi2), not(Wik ) or an atom. If there are no Where predicates deﬁned for this
process, W = []. The syntax encoding of task Kitchen (Example 4.1.2) is as follows.
tproc(kitchen; eventprex (cook ; eventprex (supply ; kitchen)); [ ]):




leq(minus(number(tr(mc); supply);number(tr(mc); order)); 5)]):
where relations leq ; geq ;minus;number are built-in predicates deﬁned in our library, which
represent 6;; ; # respectively.
4.3.2 Encoding Semantics in CLP
Having deﬁned the corresponding CLP syntax for the extended Timed CSP speciﬁcations,
we devote the rest of this section to describe how to embed the operational semantics into
4.3. MODELING TIMED PLANNING IN CLP 73
CLP rules. A relation of the form tpos(P1, T1, E1, M, P2, T2, E2) is used to denote the
t imed protocol operational semantics, by capturing both event transition relations and evo-
lution relations with a set of constraints. Informally speaking, tpos(P1;T1;E1;M ;P2;T2;E2)
returns true if the process P1 evolves to P2 through either a time evolution, i.e., let T2 T1
time units elapse (so that M = []), or an event transition by engaging an event e instantly
(M = e), as long as both transitions satisfy the Where requirements stored in E1. After
this transition relation, the local environment might change to E2 by adding more predi-
cates. E1 (and E2) is the environment of the system, which consists not only the Where
predicates, but also the current values of the variables appeared in the Where predicates.
We deﬁne the tpos=72 relation for each and every operator of Timed CSP according to the
semantics presented previously in Section 4.2.
tpos(stop;T1;E ; []; stop;T2;E ) :  D >= 0;T2 = T1 +D :
tpos(skip;T ;E1; [termination]; stop;T ;E2)
:  sat(E ; termination;T ;E2):
tpos(skip;T1;E1; []; skip;T2;E2)
:  D >= 0;T2 = T1 +D ; sat(E1;T1;E2):
The only transition for process Stop is time elapsing. Process Skip may choose to wait
some time before engaging the X event. We use termination to denote this special event
in CLP. Process Skip may not be able to terminate immediately since there might be some
constraints involving P :End deﬁned in the Where clause. The relation sat is required to
be evaluated before the termination. Relation sat(E1;A;T ;E2) and sat(E1;T ;E2) are used
to test whether the current state fulﬁlls the requirements. Relation sat=3 handles event
transition and sat=2 handles timed transition. The sat=3 and sat=2 rules are deﬁnes as:
sat(E1; termination;T )
:  get process(E1;N ); insert(end(N ;T );E1;E2); evaluate(E2):
sat(E1;A;T )
:  get process(E1;N ); insert(engage(A;N ;T );E1;E2); evaluate(E2):
sat(E1;T ) :  evaluate(E1):
2tpos/7 indicates the relation tpos of arity 7, same for sat/3 and sat/4.
4.3. MODELING TIMED PLANNING IN CLP 74
The ﬁrst rule says that whenever there is a termination event, the predicate P :End = T need
to be validated in conjunction with all the current requirements in E1. Once the resultant
predicate is proved to be valid, we append this predicate to the current set of predicates.
The second rule is to validate the case when an event is engaged, by adding the predicate
A:Engagei = T to the environment. The last rule captures the timed transition relation by
evaluating the current environment with the current time. Relation get process(E ;N ) is to
ﬁnd the current named process being executed. evaluate(E ) is to evaluate the requirements,
namely the constraint store.
In the operational semantics, there is a set of composition operators which are more complex.
For instance, the rules associated with the semantics of alphabetized parallel composition
operator P1 X jjY P2 are as follows.
tpos(para(P1;P2;X ;Y );T ;E1;A; para(P3;P2;X ;Y );T ;E2)
:  member(A;X );not(member(A;Y ));
sat(E1;A;T ); tpos(P1;T ;E1;A;P3;T ;E3);
update(E3; engage(A;T );E2):
tpos(para(P1;P2;X ;Y );T ;E1;A; para(P1;P4;X ;Y );T ;E2)
:  member(A;Y );not(member(A;X )); sat(E1;A;T );
tpos(P2;T ;E1;A;P4;T ;E3); update(E3; engage(A;T );E2):
tpos(para(P1;P2;X ;Y );T ;E1;A; para(P3;P4;X ;Y );T ;E2)
:  member(E ;X );member(E ;Y );not(E = termination);
sat(E1;A;T ); tpos(P1;T ;E1;A;P3;T ;E3);
tpos(P2;T ;E1;A;P4;T ;E4); update(E3;E4;E2):
tpos(para(P1;P2;X ;Y );T ;E1; termination; para(P3;P4;X ;Y );T ;E2)
:  sat(E1; termination;T );
tpos(P1;T ;E1; termination;P3;T ;E3);
tpos(P2;T ;E1; termination;P4;T ;E4);
update(E3;E4; end(para(P1;P2;X ;Y );T );E2):
tpos(para(P1;P2;X ;Y );T1;E ; []; para(P3;P4;X ;Y );T2;E )
:  tpos(P1;T1;E ; [];P3;T2;E ); tpos(P2;T1;E ; [];P4;T2;E ):
Other parallel composition operation, like j[X ]j and jjj, can be deﬁned as special cases
of the alphabetized parallel composition operator straightforwardly. There is a clear one-
to-one correspondence between our rules and the operators which are fully deﬁned at [34].
4.4. VERIFICATION OF EXTENDED TIMED CSP 75
Therefore, the soundness of the encoding can be proved by showing there is a bi-simulation
relationship between the transition system interpretation deﬁned in Section 4.2 and ours,
and the bi-simulation relationship can be proved easily via a structural induction.
4.4 Veriﬁcation of Extended Timed CSP
Once we encode the semantics of processes as CLP rules, well-established constraint solvers
like CLP(R) [55] can be used to reason about those systems. Operational semantics deﬁned
in Section 4.2 are all encoded systematically.
4.4.1 Feasibility Checking
After specifying the tasks using extended Timed CSP in CLP(R), the very ﬁrst task is to
check whether the tasks are feasible before simulation or reasoning of the system. Feasibility
checking is necessary because there might be a conﬂict among the set of Where clauses
of a system, which potentially invalidates any proving result. To perform this task, the
conjunction of the Where predicates and the healthiness conditions are checked.
The output of the feasibility checking is either yes if the tasks are feasible or else no. In case
the tasks are infeasible, i.e., there is no way to satisfy all the constraints, a minimum set
of predicates which conﬂict each other can be generated so as to facilitate users to correct
easily. We use the CLP(R) predicate feasibility checking(N ;S ) to fulﬁll this purpose, where
N is the name of the process that is to be checked, and S is the minimum conﬂict set. If the
process N is a feasible process feasibility checking=2 returns false, otherwise the minimum
conﬂict set S is generated and returned. It is performed by a linear scan on a sequence of
constraints. We check whether after removing one constraint, the constraints store becomes
satisﬁable or not. If it does, then this constraint must be important and have to be put
back, otherwise it can be discarded. It is an iterative process until a minimum set is found.
4.4. VERIFICATION OF EXTENDED TIMED CSP 76
feasibility checking(N ;S )
:  get where(N ;W );min cons store(W ;S ):
min cons store(W ;S )
:  nd min(1;W ;S ):
nd min(N ;W ;W ) :  size(W ;L);L < N ; !:
nd min(N ;W ;S ) :  size(X ;L);L >= N ;
delete at(N ;W ;WS ); (satisfy(WS )  >
nd min(N + 1;W ;S ); ndm in(N ;WS ;S )):
Relation min cons store(W ;S ) is to generate the minimum conﬂict set S of W if W j=
false. It is performed by a linear scan on a sequence of constraints. We check whether after
removing one constraint, the constraints store becomes satisﬁable or not. If it does, then
this constraint must be important and have to be put back, otherwise it can be discarded.
It is an iterative process until a minimum set is found.
4.4.2 Reasoning about Safety and Liveness
Feasibility checking is to check whether the tasks modeled in extended Timed CSP are
feasible. Once it is proven to be feasible, we can reason about safety or liveness properties
by making explicit assertions.
Relation reachable(P ;Q ;E1;E2;T1;T2;Tr) is deﬁned to explore the full state space if
necessary. It states that “process P starts at T1 with environment E1 and is able to be
executed to Q at T2 with environment changed to E2 via trace Tr ”.
reachable(P ;P ; ; ;T ;T ; []):
reachable(P ;Q ;E1;E2;T1;T2;N )
:  tpos(P ;T1;E1;A;P1;T3;E3);
(A = t( ); A == tau; A = reccall( ));
nottable(P1); assert(table(P1));
reachable(P1;Q ;E3;E2;T3;T2;N ):
reachable(P ;Q ;E1;E2;T1;T2; [E j N ])
:  tpos(P ;T1;E1;A;P1;T3;E3);
not(A = t( ); A == tau; A = reccall( ));
nottable(P1); assert(table(P1));
reachable(P1;Q ;E3;E2;T3;T2;N ):
4.4. VERIFICATION OF EXTENDED TIMED CSP 77
reachable=73 is used to build assertions for various property checking. The ﬁrst property of
interest is to ﬁnd one particular feasible execution for process, provided that the process is
feasible. Relation trace(P ;Tr ;T ) is able to generate such feasible trace Tr of process P ,
whose execution time is T .
trace(P ;Tr ;T ) :  notfeasibilitychecking(N ; );
init Env(N ;E ); reachable(P ; ;E ; ; 0;T ;Tr):
Reachablity checking is performed by executing \?   trace(P ;Tr ;T ); property(Tr ;Prop)”,
which is to ﬁnd a trace Tr that satisﬁes some property Prop. For example, event a is always
engaged before b in Tr .
One property of special interest is deadlock-freeness. Relation deadlock(P ;Tr) is used to
check the deadlock-freeness property, by trying to ﬁnd a counterexample where P is dead-
locked at some trace Tr .
deadlock(P ;Tr) :  initEnv(P ;E );
reachable(P ;P1;E ;E2; 0;T2;Tr);
(tpos(P1;T2;E2; [t( )];Q1;T3;E3)  >
not(tpos(Q1;T3;E3;A; ; ; );notA = [t( )]);
not(tpos(P1;T2;E1;A;Q1;T3; );notA = [t( )])):
It states that a process P at time 0 may result in deadlock if it can evolve to the process
expression Q at time T2 where no event transition is available neither at T2 nor at any later
moment. The last line outputs the trace which leads to a deadlock. Alternatively, we may
present it as the result of the deadlock proving. Note that the above is diﬀerent from the
deadlock checking for standard Timed CSP as presented in [29]. Here the Where clauses
at each step must be fulﬁlled. In general, a deadlock-free Timed CSP process may become
a non deadlock-free process after it is enriched with certain Where clauses. It is, however,
also possible for a non deadlock-free process to become deadlock-free.
We can also ﬁnd the execution duration of a speciﬁc event, more speciﬁcally, the range of
time that the event is able to be engaged. Relation engage time(P ;E ;R) is deﬁned for the
3reachable/7 indicates the relation reachable of arity 7.
4.5. CASE STUDIES 78
purpose, which is to ﬁnd the range R of the engage time of event E in process P . The
detailed deﬁnition for all relations can be found in [34].
engage time(P ;E ; []) :  nothappen at(P ;E ; ):
engage time(P ;E ;R) :  happen at(P ;E ;T );
union(R;T ;R1); engage time(P ;E ;R1):
where R is the range of engaged time of event E in process P which is generated after
executing the relation.
4.5 Case Studies
4.5.1 Extended Railway Crossing System
We model a railway control system which is used to control trains passing a critical point
such as a bridge. When a train approaches the bridge it sends a signal to the controller
within a certain distance. If the bridge is occupied, then the controller sends a stop signal
within 10 time units to prevent the train from entering the bridge. Otherwise, if the train
does not receive a stop signal within 10 time units, it will start to cross the bridge within
20 time units. The crossing train is assumed to leave the bridge within 3 to 5 time units.
Traini b= approach:i ! ((stop:i 7!
start :i ! entercross:i 3! leavecross:i ! Traini)
410 entercross:i 3! leavecross:i ! Traini)
Where entercross:i :Engage  approach:i :Engage 6 20;
leavecross:i :Engage  entercross:i :Engage 6 5;
start :i :Engage  end :i :Engage 6 10
Controlhi b= approach:i ! Controlhii
Control
hj ias b= approach:i ! stop:i ! Controlhj iasahii 2
out :j ! Controls 2
start :j ! Control
hj ias
Where stop:i :Engage  approach:i :Engage 6 10
Trains b= Train1 jjj Train2 jjj Train3
System b= Trains k Controlhi
4.5. CASE STUDIES 79
After transferring this system into CLP(R) syntax, we can apply proving over this system.
Selected properties are shown as follows:
 Where it is a feasible system.
Property: feasible(system)
?  feasibility checking(system;S ):
Feasible
 Min and Max time for Train1 cross the bridge.
Property: Min = min(leavecross.1.Engage) , Max= max(leavecross.1.Engage)
?  set(approach:1 engage; 0); engage time(system; leavecross:1;R):
R>=13, R<=25
 Whether two trains can cross bridge at the same time
Property: -3<= entercross.1.Engage-entercross.1.Engage<=3
?  happen at(system; [entercross:1; entercross:2]; [T1;T2]);T2  T1 <= 3:
False
4.5.2 Real Time Multi-lift System
In this section, we model a real time multi-lift system in Timed Planning speciﬁcation and
hence verify various properties over the system. This real time multi-lift system is initially
described and modeled in TCOZ [74]. We also extend this multi-lift system with extra
requirements which cannot be modeled using Timed CSP or TCOZ.
The multi-lift system for a building consists of multiple lifts each providing transport between
the various ﬂoors for the building. The detailed description of the system is introduced in
[74].
4.5. CASE STUDIES 80
Figure 4.1: The Multi-Lift System Communication Diagram
Each component of the system is modeled as a Timed Planning process, where data infor-
mation of the system are modeled as global or local variables. Components of the system
are communicating with each other through channels. The system consists of several com-
ponents: Floors, Controller and lifts (Figure 4.1). Inside each lift, there are four parts: a
door for allowing access to and from the lift, a shaft for transporting the lift, an internal
queue for determining the lift itinerary and a lift controller (Figure 4.2). We model two
components Door and Shalf in this section and the speciﬁcation of the system is partially
shown in Appendix B.
Lift Door
Lift door is modeled as a separate process which can communicate with a servomechanism
that activate the door to open or close through a channel servo and on another channel
sensor to determine when the door is open or closed. When the door is closing, a user can
press the outside button to request the door for opening again. To be fair to other users
in the lift or other users waiting for the lift, it’s not possible to keep the door open if one
is always pressing the button. So one more constraint is added to the lift door controller
4.5. CASE STUDIES 81
Figure 4.2: Internal Lift Communication Diagram
which would force the door close within td after it’s opened.
OpenDoor(i) b= servo!(i ; toOpen)! sensor?(i ; opened)! Skip
CloseDoor(i) b= servo!(i ; toClose)! sensor?(i ; closed)! Skip
CycleDoor(i) b= OpenDoor(i); conrm ! (  CDWait[t ]; CloseDoor
O sensor?(i ; interrupt)! OpenDoor ; CD)
Door(i) b= open?i ! CycleDoor(i); close!i ! Door(i)
Whereclose:Engagei   open:Engagei 6 td
Shaft
Shaft would receive the number of ﬂoors to be moved from channel move and then it would
move to the destination ﬂoor. t is the time to move one ﬂoor up or down, delay is the
acceleration and braking delay. The time for the shaft to reach the destination ﬂoor will be
in the range of [t  n, t*n+delay]. The model of shaft is shown as follows where i is the
index of this shaft.
Shaft(i) b= move?n ! arrive ! Shaft(i)
Wheren  t 6 arrive:Engage move:Engage
^ arrive:Engage move:Engage 6 n  t + delay
4.6. SUMMARY 82
After encoding this system into CLP rules, veriﬁcation can be applied to the system. Selected
properties are shown as follows:
 Is it a feasible system?
?  feasibility checking(system;S ):
Feasible




In this chapter, we presented an extension of Timed CSP to support stating system re-
quirements which constraints all behavioral traces of given processes, for example, deadline
and execution time of a process, time-related constraints among events which are common
requirements for many real time systems and etc. A Timed Planning model is made up
of a compositional timed process and a set of constraints over processes, events and the
data variables which are the requirements that the process should satisfy. In this proposed
formalism, each process is associated with a set of localized timing/untiming requirements
with keyword Where which can be speciﬁed in a compositional way. The full syntax and
operational semantics of Timed Planning language are formally deﬁned in this chapter.
A reasoning mechanism for the Timed Planning is hence developed based on Constraint Logic
Programming (CLP) by extending the reasoning engine for Timed CSP. Both syntax and
semantics of Timed Planning are formally translated into CLP. The operational semantics
is encoded to CLP, where a set of global and local variables need to be captured during
the execution. Feasibility checking and various property veriﬁcation can be applied to check
systems modeled in Timed Planning. Feasibility checking is necessary which helps users to
debug the conﬂicts of the set of timing constraints speciﬁed in the systems.
Chapter 5
Job-shop Scheduling Problems
In many application domains, we are interested in selecting, among all possible behaviors,
one that optimizes some sophisticated performance measure. We apply Timed Planning
and its reasoning engine to solve classical job-shop scheduling problems, where ﬁnding an
optimal schedule corresponds to ﬁnding a shortest execution (in terms of elapsed time). The
observation underlying is that classical scheduling and resource allocation problems can be
modeled very naturally using Timed Planning whose runs correspond to feasible schedules.
In this case, the job-shop scheduling problem can be reduced to a problem of ﬁnding a
complete execution (an execution that terminates) with the minimum execution time. In
our work, Both deterministic [58] and preemptive [80] job-shop scheduling problems are
able to be solved. We also apply our approach to handle the extended job-shop scheduling
problems, where jobs can have more complex relations, such as a composition of operational
behaviors with communications, and jobs with deadlines and relative timing constraints,
which no other current work are able to support.
This chapter is organized as follows. In Section 5.1, we ﬁrst introduce the deterministic job-
shop scheduling problem, and then we present how the problems can be modeled and solved
using Timed Planning speciﬁcations. In Section 5.2, we formalize the preemptive job-shop
scheduling problems into Timed Planning and then solve the problem by ﬁnding its optimal
83
5.1. DETERMINISTIC JOB-SHOP SCHEDULING PROBLEM 84
scheduler using its underlying reasoning engine. Extended job-shop scheduling problem is
shown in Section 5.3. In Section 5.4, a set of experiments are carried out hard bench marks
for job-shop scheduling problems. A summary of the work is presented in Section 5.5.
5.1 Deterministic Job-Shop Scheduling Problem
The job-shop scheduling problem (JSSP) is a generic resource allocation problem in which
common resources (“machines") are required at various time points (and for given durations)
by diﬀerent jobs. The goal is to ﬁnd a way to allocate the resources such that all the jobs
terminate as soon as possible, which is a schedule with the minimum time interval to ﬁnish
all jobs. The diﬃculty is both theoretical (even very constrained versions of the problem
are NP-hard) and practical (an instance of the problem with 10 jobs and 10 machines,
proposed by Fisher and Thompson [41], remained unsolved for almost 25 years, in spite of
the research eﬀort spent on it). The diﬀerence between a deterministic and a preemptive
job-shop scheduling problem is for the latter case, jobs can use a machine for some time, stop
for a while and then resume from where they stopped. We deﬁne both problems formally
as follows.
5.1.1 Formal Deﬁnition of Deterministic Job-shop Scheduling Problem
Deﬁnition 5 (Job-shop scheduling problem) Given a set of O operations, a set M of m
machines, and a set J of n jobs. For each operation  2 O there is a processing time
p() 2 N, a unique machine M (v) 2 M on which it requires processing, and a unique job
J () 2 J to which it belongs.
It has the following requirements:
1. On O a binary relation A is deﬁned, which represents the precedences of operations:
if (, !) 2 A, then  has to be performed before !.
5.1. DETERMINISTIC JOB-SHOP SCHEDULING PROBLEM 85
2. Relation A induces a total ordering of the operations belonging to the same job; no
precedence exists between operations of diﬀerent jobs.
3. If (, !) 2 A and there is no  2 O with (, ) 2 A and (, !) 2 A, then M () 6=
M (!).
2
Deﬁnition 6 (Feasible Schedules for Deterministic Job-Shop Problem) A schedule is a func-
tion S : O ! N that for each operation  deﬁnes a start time S (). A schedule S is feasible
if
1:Covering :
8  2 O : S () > 0;
2:Non-Preemption :
8 ; ! 2 O; (; !) 2 A : S () + p() 6 S (!)
3:Mutual-Exclusion :
8 ; ! 2 O;  6= !;M () = M (!) :
S () + p() 6 S (!) or S (!) + p(!) 6 S ():s
The problem is to ﬁnd an optimal schedule, i.e., a feasible schedule with minimum processing
time. 2
Example 5.1.1 Consider M={m1,m2} and two jobs J 1 = (m2; 4) and J 2 = (m1; 3); (m2; 4);
(m3; 6). The schedules S1 and S2 are depicted in Figure 5.1. The length of S2 13 is the
optimal schedule for a deterministic problem.
end
5.1.2 Modeling with Timed Planning
In this section, we show how deterministic job-shop scheduling problems are modeled in
Timed Planning processes. Hence the existing reasoning engine of Timed Planning can be
5.1. DETERMINISTIC JOB-SHOP SCHEDULING PROBLEM 86
J1  J2  J2  J2M1M2M3 4 6 159(S1) J1  J2  J2  J2M1M2M3 4 7 13(S2)
Figure 5.1: The Gantt-Chart representations of two schedules
used to ﬁnd the optimal schedules.
In our approach, each job is deﬁned as a Timed Planing process and every machine that the
job runs on is modeled as an event.
Deﬁnition 7 (Timed Planning for a Job) Let J i = ho1; :::; oni be a job, which is a chain of
operations (ordered) on a set of machine M. Its associated process presentation Pi is
Pi b= m1 p(o1)! m2 p(o2)! :::mk p(ok )! Skip
where event mj in Pi denotes operation oj of job J i starting to process on machine mj
where mj = M(oj ). p(oj ) is the processing time required for oj on mj . Hence the delay
process mj
p(oj )! mj+1 p(oj+1)! ::: denotes that oj must process at machine mj for p(oj ) time
units; then oj+1 can start to process which does not need to start immediately. 2
As deﬁned in Deﬁnition 6, mutual exclusion is a requirement of a feasible schedule, which
is formalized in the following.
Deﬁnition 8 (Mutual Exclusion Constraints) Let J = fJ 1; :::; J ng be a job-shop speciﬁca-
tion and P = fP1; :::;Png be a set of timed planning processes deﬁned for each job.
mutual-exclusion(P) b=
8Pi ;Pj 2 P ; i 6= j ; 8m 2PPi [PPj 
m
ti! P 0i 4 Pi ^ m
tj! P 0j 4 Pj )
Pi :m:Engage+ ti 6 Pj :m:Engage _
Pj :m:Engage+ tj 6 Pj :m:Engage
2
5.1. DETERMINISTIC JOB-SHOP SCHEDULING PROBLEM 87
Deﬁnition 9 (Timed Planning for Job-Shop speciﬁcations) Let J = fJ 1; :::; J ng be a job-
shop speciﬁcation and P = fP1; :::;Png be a set of timed planning processes deﬁned for each
job. The timed planning presentation for the job-shop speciﬁcation J will be an interleaving
of all processes Pi with the non-delay and mutual exclusion constraints:
JSSP b= jjj0<i6n Pi Where mutual-exclusion(JSSP)
For every complete execution of JSSP (which terminates), its associated schedule S is a
feasible schedule. An optimal schedule is a trace of JSSP with the minimum ending time
min(JSSP :End). 2
The associated schedule of every complete execution of JSSP is a feasible schedule.
 Covering : For each Pi , every execution which terminates guarantees that each and
every event in Pi is engaged. JSSP which is an interleaving of all Pi also guarantees
that all events are engaged at every complete execution.
 Non-Preemptive : Non-Preemptive states that for every ordered pair of operations
(; !) of the same job, the later one must start after the full completion of the previous
one. The process m
p()! m! p(!)! ::: guarantees that operation ! is engaged after p()
time unit of !.
 Mutual Exclusion: This requirement is captured by the mutual -exclusion(JSSP)
deﬁned in Deﬁnition 8, which guarantees that no two jobs evolve the same machine at
the same time.
5.1.3 Optimal Schedulers
To ﬁnd the optimal schedule modeled in Timed Planning, we use a standard depth-ﬁrst
search algorithm to explore the full pathes.
5.1. DETERMINISTIC JOB-SHOP SCHEDULING PROBLEM 88
Deﬁnition 10 (Non-delay Run) Let A be the set of enabled events for process P . non-
delay constraint says that once process P starts executing, at least one of the enabled event
with no side eﬀects must be engaged at the same time.
non-delay b= 8P  9 e 2 enable(P) ^ e:Engage = P :Start
JSSP b= jjj0<i6n Pi
Wheremutual-exclusion(JSSP) ^ non-delay
2
The corresponding timed planning representation for the two jobs in Deﬁnition 5.1.1 are
depicted as follows:
P1 b= m1 4! Skip
P2 b= m1 3! m2 6! Skip
JSSP b= P1 jjj P2
Where(P1:m1:Engage+ 4 6 P2:m1:Engage _
P2:m1:Engage+ 2 6 P1:m1:Engage)
As illustrated in the above section, ﬁnding an optimal schedule is to ﬁnd a execution of
timed planning process JSSP with the minimum ending time, i.e., min(JSSP.End). In the
rest part of this section, we apply several approaches to reduce the size of the transition
system and arrive at a more heuristic search algorithm.
Max Non-delay Test
Partial order reduction is a technique for reducing the size of the state-space to be searched
by a model checking algorithm. It exploits the commutativity of concurrently executed
transitions, which result in the same state when executed in diﬀerent orders. For example:
P1 b= m1 4! Skip
P2 b= m2 5! Skip
JSSP b= P1 jjj P2
Wherenon-delay ^ mutual -exclusion(JSSP)
 m1 ! m2 5! Skip um2 ! m1 5! Skip
Wherenon-delay
5.1. DETERMINISTIC JOB-SHOP SCHEDULING PROBLEM 89
The JSSP process is a choice of two process, where the order of the events denotes decision
to whom to give the ﬁrst resource. The order of m1 and m2 does not aﬀect the result.
Hence, JSSP is equivalent to m1 ! m2 5! Skip Wherenon-delay . The non-delay predicate
in the process guarantees that once m1 is engaged, m2 must be engaged immediately, which
is m1.Engage= m2.Engage. The job-shop process JSSP can be further simpliﬁed to
“JSSP b= fm1;m2g 5! Skip", where {m1;m2} is a new notation, which indicates that event
m1 and m2 are engaged simultaneously.
Consider the case that n jobs whose ﬁrst operations are running on m machines where m<n
which means there are more or one jobs whose ﬁrst operations are running on the same ma-
chine. It cannot directly apply the partial order reduction rules which still need to expand
the transition system.
Deﬁnition 11 (Max Non-delay Run) Let A be the set of events for process P that are
enabled. Max non-delay constraint says that once process P starts executing, at least one
subset of A with maximum distinct events must be engaged at the same time.
max -non-delay b=
8P ; 9E 2 max sub(P)  E :Engage = P :Start
where enable(P) is the set of enabled events of P , max sub(P) is a set of max subset of
enable(P) with non duplicate events and no side eﬀects, which means that no pair of events
in max sub(P) evolving the same mi and does not preserves any order implicitly. 2
Never Better Test
The max non-delay test removes the redundant paths where order of events evaluates to
be the same. Since we are interested only in optimal executions, we can apply stronger
reductions that do not preserve all runs, but still preserve the optimal runs. During the exe-
cution, we always keep the latest most optimal schedule, shortest(M). Whenever we reach a
5.1. DETERMINISTIC JOB-SHOP SCHEDULING PROBLEM 90
subprocess, we do a never better test, by estimating the best length of each subprocess. By
comparing the best length of the subprocess with the shortest(M), if the recent subprocess
can never result a better schedule, which means even this subprocess can reach its best
length, it won’t be shorter than shortest(M), then we will not expand this subprocess.
Best First Test
The searching algorithms described above all require the full state space search. The next
improvement consists of using a more intelligent search. At each step, a set ofmax sub(jssp),
maximum subset of enabled events with no duplicates, are enabled. We deﬁne a pre-
evaluation ranking function Order(jssp) for ordering the max sub(jssp) of enabled events.
We deﬁne another evaluation function Est(jssp) for estimating the possible best length of
the process jssp.
Algorithm 1 Best First Test
procedure BestFirst test(jssp)
Optimal := 1
if jssp == stop then
Optimal:= 0;
else
if Est(jssp) < Optimal then
Sets:= Order(max sub(jssp))
for all s such that s 2 Sets do
p’ := next(jssp, s, T)





5.2. PREEMPTIVE JOB-SHOP SCHEDULING PROBLEM 91
J1  J2  J2  J2M1M2M3 2 5 11J1(S3)
Figure 5.2: The Gantt-Chart representations of a preemptive schedules
5.2 Preemptive Job-Shop Scheduling Problem
We extend the results on deterministic Job-shop scheduling problem to preemptive jobs, i.e.
jobs that can use a machine for some time, stop for a while and then resume from where
they stopped.
Example 5.2.1 Recall Example 5.1.1, two feasible schedule for the two jobs J 1 = (m2; 4)
and J 2 = (m1; 3); (m2; 4); (m3; 6) in shown in Figure 5.1. S2 is the optimal schedule if it is a
deterministic job-shop scheduling problem. Consider it is a preemptive problem, a feasible
schedule S3 is generated. In S3, J 1 is preempted at time = 2 on machine m3 to give the
machine to J 2. After J 2 has ﬁnished its operation on m3, J 1 resumes its previous operation
on m3. The length of S3 is 11 and it is a optimal schedule. end
The deﬁnition of a job-shop speciﬁcation (Deﬁnition 5 remains the same. The main diﬀerence
between deterministic and preemptive job-shop scheduling problem is the feasible schedules
where the latter one does not satisfy the Non   Preemption requirement in Deﬁnition 6.
Deﬁnition 12 (Feasible Schedules for Preemptive Job-Shop Problem) Let T (O; i) 2 N be
processing time of the ith step at which operation O executes. A schedule is a relation
S  O NT so that (, st, t) 2 S indicates that operation  starts to process on time st
and processes for time t . A schedule S is feasible if
5.2. PREEMPTIVE JOB-SHOP SCHEDULING PROBLEM 92
1:Ordering :
8 ; ! 2 O; (; !) 2 A;
(; st ; t) 2 S ; (!; st 0; t 0) 2 S : st + t 6 st 0 + t 0
2:Covering :
8  2 O :P(;st ;t)2S t = p()
3:Mutual-Exclusion :
8 ; ! 2 O;  6= !; (; st ; t) 2 S ; (!; st 0; t 0) 2 S ;
M () = M (!) : st + t 6 st 0 or st 0 + t 0 6 st :
2
5.2.1 Solving Preemptive Job-shop Scheduling Problems
Deﬁnition 13 (Timed Planning for a Preemptive Job) Let J i = ho1; :::; oni be a job, which
is a chain of operations (ordered) on a set of machine M. Each operation oi should process
on machine mj for p(oi) time unit. Its associated process presentation for oi is:
Oi b= X  ms ! me ! Skip; X 2 Skip
Where
P
me :Engage ms :Engage 6 p(oi) ^P
me :Engage-me :Engage = p(oi), End <1
Event ms denotes that operation oi starts to process on its corresponding machine m, me
denotes that it leaves m. Expression
P
me :Engage ms :Engage represents the total time
oi processes on m.
The associated process presentation Pi for each job is Pi b= Oi1 ; Oi2 ; :::; Oik . 2
Deﬁnition 14 (Mutual Exclusion Constraints) Let J = fJ 1; :::; J ng be a job-shop speciﬁ-
cation and P = fP1; :::;Png be a set of timed planning processes deﬁned for each job.
mutual-exclusion(P) b=
8Pi ;Pj 2 P ; i 6= j ; 8fms ;meg PPi \PPj 
(X  ms ! me ! ::: 4 Pi ^
X  ms ! me ! ::: 4 Pj ))
Pi :me :Engage 6 Pj :ms :Engage _
Pj :me :Engage 6 Pi :ms :Engage
5.2. PREEMPTIVE JOB-SHOP SCHEDULING PROBLEM 93
2
Deﬁnition 15 (Timed Planning for Preemptive Job-Shop speciﬁcations) Let J = fJ 1; :::; J ng
be a job-shop speciﬁcation and P = fP1; :::;Png be a set of timed planning processes deﬁned
for each job. The timed planning presentation for the preemptive job-shop speciﬁcation J
will be an interleaving of all processes Pi with mutual exclusion constraints:
PJSSP b= jjj0<i6n Pi
Wheremutual-exclusion(PJSSP)
2
For every complete execution of PJSSP (which terminates), its associated schedule S is
a feasible schedule. An optimal schedule is a trace of PJSSP with the minimum ending
time min(JSSP :End). The solution of this problem turns out to be ﬁnding the minimum
execution time of process PJSSP .
The associated schedule of every complete execution of PJSSP is a feasible schedule, which
satisﬁes the three requirements deﬁned in 12:
 Covering : For each Pi , every execution which terminates guarantees that each and
every event in Pi is engaged. JSSP which is an interleaving of all Pi also guarantees
that all events are engaged at every complete execution.
 Covering : Non-Preemptive generally says that for every ordered pair of operations
(; !) of the same job, the later one must start after the full completion of the previous
one. The process m
p()! m! p(!)! ::: guarantees that operation ! is engaged after p()
time unit of !.
 Mutual Exclusion: This requirement is captured by the mutual-exclusion(PJSSP)
deﬁned in Deﬁnition 8, which guarantees that no two jobs evolving the same machine
5.3. EXTENDED JOB-SHOP SCHEDULING 94
at the same time.
5.3 Extended Job-shop Scheduling
Timed Planning is ﬂexible to specify system behaviors with operational behaviors and criti-
cal timing constraints. Therefore, those extended job shop scheduling problems with several
additional features that are often speciﬁed in task scheduling problems can be easily and
naturally modeled and solved using Timed Planning. In this section, we focus on the com-
positional behaviors and the deadline and relative times extension. To the best of our
knowledge, no other approaches are capable for those extensions.
Compositional Job Behaviors
In traditional job-shop scheduling problems, all jobs are executed synchronously, which
means that they are enabled at the same time. In our approach, jobs can be constructed in
a more general way, for example, we can specify choices of jobs, sequences of jobs and inter-
ruption of one job by another job, by using the composition operators in Timed Planning.
For example, a job-shop scheduling problem consists of 4 jobs J = fJ 1; J 2; J 3; J 4g, where
either J 1 or J 2 is running concurrently with J 3 which is interrupted by J 4 in 10 time units
after execution. This scheduling problem can be speciﬁed as follows:
JSSP b= (P1 2 P2) jjj (P3 O10 P4)
Wheremutual -exclusion(JSSP) ^ non-delay
In our interpretation, jobs can communicate with each other through channels. A job P1
can activate another job P2 after some time t or after P1 ﬁnishes its ﬁrst ith operations. A
job can also stop another job for some time units.
An extended job-shop scheduling problem consists of 2 jobs J 1; J 2, J 1 = (1; 2); (0; 3); (2; 5),
J 2 = (2; 3); (0; 3); (1; 3). J 1 will activate J 2 after J 1 ﬁnishes its ﬁrst operation. The Timed
5.4. EXPERIMENTS 95
Planning model of this problem is speciﬁed as follows where a channel naming c is used to
fulﬁll this purpose.
P1 b= 1 2! c!activate ! 0 3! 2 5! Skip
P2 b= c?activate ! 2 3! 0 3! 1 3! Skip
JSSP b= P1 jjj P2
Wheremutual -exclusion(JSSP) ^ non-delay
Deadlines and Relative Timing Constraints
Another extension of job-shop scheduling problem is that we can specify the deadline, rel-
ative timing constraints of each job. Those constraints can be naturally handled in Timed
Planning by using its Where predicate. We formulate the constraints into 3 rules as follows:
Rule 1 Every operation oi must be imperatively terminate before time d(oi)
8 oi 2 O  S (oi) + p(oi) 6 d(oi)
Rule 2 Every job J i must terminate before time d(J i)
8 J i 2 J  J i :End 6 d(J i)
Rule 3 Relative timing constraints between operations
9 oi ; oj 2 O  p(oi) p(oj ) < t ;where 2 f+; g
5.4 Experiments
In order to show the eﬃciency of the optimization, we carry out an experiment for n jobs
with 4 operations, n = 2,...,61. We compare performance in terms of the state space and
execution time of algorithms employing, progressively, the max non-delay and the cut test.
The obtained results are depicted in Table 5.1 (m.o. indicates memory overﬂow), where
n = 2; :::; 6. ]j ; ]states; time represents number of jobs, number of state space and the
1The problems can be found in http://www.comp.nus.edu.sg/~zhangxi5/horae/jobshop1.txt
5.5. SUMMARY 96
Problem Size Max non-delay Never Better Test
]j ]states time(s) ]states time(s) ]states time(s)
2 764 0.07 16 0.01 12 0
3 6475 0.44 43 0.02 33 0
4 1.07e+06 40.8 202 0.04 96 0.01
5 m.o. m.o. 4813 0.5 584 0.2
6 m.o. m.o. 112299 5.9 4614 1.2
Table 5.1: The result for n jobs with 4 machines, where n = 2; :::; 6. ]j ; ]states; time
represents number of jobs, number of state space and the execution time.
execution time. The table shows the performance, in terms of execution time (in seconds) and
state space, of algorithms employing, progressively, none, max non-delay test and the never
better test. As we can see from Table 5.1, Never better test has much better performance
in turns of both state space and execution time.
We test ten problems among the benchmarks of the job-shop scheduling problems on Win-
dows XP with a 2.0 GHz Intel CPU and 2 GB memory. In Table 5.2, we compare our
best result on the problems with the result reported in Table 15 of the survey paper [58],
as well as the best result among randomly generated solutions for each problem. The ﬁrst
three columns give the problem name, no. of jobs and no. of machines. Out results (time
in seconds, length of the best schedule and the deviation) appear next. The following two
columns shows the best out of 2000 randomly-generated solutions, followed by the optimal
result of each problem.
5.5 Summary
In this chapter, we presented a novel approach of solving classic job-shop scheduling problem
using Timed Planning and underlying reasoning engine. We applied Timed Planning to solve
5.5. SUMMARY 97
Problem Timed Planning Random Opt
name ]j ]m time(s) length deviation length deviation length
FT10 10 10 18 1001 7.63% 1761 89.35% 930
LA02 5 10 2 720 9.90% 1056 61.68% 655
LA19 10 10 0.2 902 7.12 % 1612 91.45% 842
LA21 15 10 102 1104 5.54% 2339 123.61% 1046
LA24 15 10 66 1007 7.58% 2100 124.00% 936
LA25 15 10 19 1098 12.38% 2209 126.10% 977
LA27 20 10 25 1441 16.68% 2809 127.45% 1235
LA29 20 10 112 1357 17.79% 2713 135.50% 1152
LA36 15 15 35 1341 5.57% 2967 133.90% 1268
LA37 15 15 56 1489 6.58% 3188 128.20% 1397
Table 5.2: The result for the ten hard bench marks deterministic job-shop scheduling prob-
lems. The ﬁrst three columns give the problem name, no. of jobs and no. of machines
5.5. SUMMARY 98
both deterministic and preemptive job-shop scheduling problems. There are some work using
formal method approach to solve job-shop scheduling problems. [2] proposed a mechanism
for modeling the job-shop scheduling problems in Timed Automata and hence ﬁnding the
optimal solutions. [3] presented an approach of solving preemptive job-shop scheduling
problem using stopwatch Timed Automata where some of the clocks might be freezed at
certain states.
In our approach, the job-shop scheduling problem can be naturally modeled as Timed Plan-
ning processes. We also worked with the extended job-shop scheduling problems, where
all jobs have composition operational behaviors. Besides, jobs with deadline and relative
timing constrains are also able to be captured in our approach. We believe that the insight
gained from this point of view will contribute both to scheduling and to the study of timed
processes. We have demonstrated that the performance of the Timed Planning approach of
solving job-shop scheduling problem can be highly improved by applying a set of optimiza-
tions. There are still many potential improvements to be explored to reduce the execution
time, such as new partial-order methods and heuristics, etc.
Chapter 6
Modeling and Veriﬁcation of Timed
Security Protocols
Security protocols are widely used for securing application-level data transport crossing
distributed systems, typically by exchanging messages constructed using cryptographic op-
erations (e.g. message encryption). In general, designing security protocols is notoriously
diﬃcult and error-prone. Many protocols proposed in the literature and many protocols ex-
ploited in practice turned out to be awed, or their well-functioning was found to be based on
implicit assumptions. Since the late eighties various approaches [22, 46, 19, 15, 20, 16] have
been put forward for the formal veriﬁcation of security protocols to overcome the problems
of faulty implementations and hidden requirements.
The new challenges are raise when diﬀerent timing aspects are required in the security pro-
tocol design, such as timestamps, delays, timeout and a set of timing constraints. In the
past years, there has been an increasing interest in the formal analysis of timed crypto-
graphic protocols. However, there are few tool supports for modeling and analyzing security
protocols with the capability of capturing various timing features. A particularly successful
approach to analyze untimed security protocols is using CSP [51] to model and CSP mod-
el checker FDR [42] to analyze protocols [87, 70]. Motivated by this approach, we focus
99
6.1. FORMAL SPECIFICATION OF TIMED SECURITY PROTOCOLS 100
on timed extensions of CSP to accomplish the modeling and analyzing of timed security
protocols, particularly Timed Planning.
In this chapter, we show how to model timed security protocols by using Timed Planning
language proposed in this thesis. Our approach is diﬀerent from the previous approaches
by taking the timing information into account. The use of explicit timing information al-
lows us to specify security protocols with timestamps, timeout and retransmissions which
can be naturally modeled using the speciﬁcation. In the timing analysis, we could verify
timed non-injective agreement authentication property which can be easily extended to oth-
er authentication property veriﬁcation [46]. We also propose a novel approach of using the
capability of Timed Planning to avoid such attacks without changing the original speciﬁ-
cations of the protocols. Besides, we can model timing requirements/constraints and verify
other timed sensitive properties such as execution time of a protocol which is beyond the
capability of existing approaches.
6.1 Formal Speciﬁcation of Timed Security Protocols
In this section, we show how to model timed security protocols using Timed Planning in a
structured way. All the protocols we consider here have a similar objective: in each protocol,
an initiator A seeks to establish a session with a responder B , possibly with the help of a
sever S , where A, B , and S are principals.
Principals (including initiator, responder and server) and intruder are modeled as Time
Planning processes. The whole network would be the parallel execution of all processes.
Event send :S :R:M is introduced to denote the behavior sending the message M from sender
S to receiver R. Event receive:S :R:M denotes receiver R receives a message M from sender
S .
We use the Wide Mouth Frog protocol (WMF) [13] as a running example to illustrate
the ideas. The Wide Mouth Frog protocol is a computer network authentication protocol
6.1. FORMAL SPECIFICATION OF TIMED SECURITY PROTOCOLS 101
Figure 6.1: Timeout patterns: (a) typical (b) count-bounded (c) time-bounded
designed for insecure networks. The goal is to allow two principals A and B to exchange a
secret key Kab via a trusted server S . The model is described as follows, where Kas and Kbs
are shared keys of A and B with sever S respectively. Ta and Ts are timestamps generated
and sent by A and S respectively.
A;B ;S : principal
Kas;Kbs;Kab : Key
Ta;Ts : timestamp
1: A! S : A; fTa;B ;KabgKas
2: S ! B : fTs;A;KabgKbs
Timeout and Retransmissions
Look at the following simple protocol, where A sends a message MAB to B , and later B will
send an acknowledgement ACKBA to A after receiving MAB .
1:A! B : MAB
2:B ! A : ACKBA
After principal A sends a message in a session of a protocol, A starts a timer that will timeout
if A does not get ACKBA from the receiver B . When a timeout is reached, the principal A
6.1. FORMAL SPECIFICATION OF TIMED SECURITY PROTOCOLS 102
can execute two actions: retransmit or reset a session. We are able to model both actions,
where an implementation of the protocol should specify which action to perform. In some
study with the introduction of timeout [16], principal A will resend the message if it detects
a timeout. But they do not discuss the case if the resent message also gets timeout. In
our speciﬁcation, we introduce a bounded timeout, including count-bounded timeout and
time-bounded timeout discussed as follows.
 Count-bounded timeout After principal A sends a message in a session of a protocol, it
will start a timer and a counter. Once detecting a timeout, it will resend this message.
If the resent message also gets timeout, it would resend again, by increasing number
of resending by 1. If the number of times exceeds the max value, A will send request
to abort this protocol (see Figure 6.1 (b)).
 Time-bounded timeout After principal A sends a message in a session of a protocol,
it starts two timers. If it detects a timeout from the ﬁrst timer, it will resend this
message; if the resent message also gets timeout, A will resend again. Once the second
timer reaches a timeout for the whole sending message process, A will send a request
to abort this protocol (see Figure 6.1(c)).
Timed Planning speciﬁcation of both count-bounded timeout and time-bounded timeout are
shown in process CBTimeout(d ;max ) and TBTimeout(d1; d2), respectively, where d and d1
are the timeout for sending a message, max is the maximum retransmission times and d2 is
the timeout for the whole process. c = Tes # send :A:B :fmAB :Ag is the number of times of
retransmission.
CBTimeout(d ;max ) b= (X  send :A:B :fmAB :Bg
! (receive:B :A:fackBA:Bg ! Skip d. X ))
O ([c > max ]Skip)
Wherec = Tes # send :A:B :fmAB :Ag
TBTimeout(d1; d2) b= (X  send :A:B :fmAB :Bg !
(receive:B :A:fackBA:Bg ! Skip Od1 X ))
d2
. Skip
6.1. FORMAL SPECIFICATION OF TIMED SECURITY PROTOCOLS 103
Timestamps and Lifetime
Timestamp is a typical way to prevent replay attacks, by simply attaching the current time
value to a message. It is later used by the receiver of this message to make sure that it
was recently generated, not a replay. A timestamp of a message can be easily recorded
by m:Engage which is the engage time of the event m, where event m denotes sending the
message. In our implementation, we keep TES , a set of all timed events, which is a record of
all engage time of all event engaged so far. It is easy to check whether m:Engage is the most
recent one or not by using the predeﬁned predicate fresh(m;m:Engage;TES ) in Section 4.1.
Initiator, Responder and Server
We model each principal (initiator, responder, server) as a process. For the Wide Mouth
Frog protocol, the behavior of the initiator A is sending a message fTa ; b; kabg to Server S
using public key kas and waiting for acknowledgement from S , where ta is the timestamp.
The responder B receives message from the server and then send the acknowledgment to S .
The server receives message from A and then message fTs ; a; kabg to B with new timestamp
Ts . The three components are modeled as follows.
Initiator b= start encrpt ! end encrpyt !
(X  send :A:S :fTa :b:kabgkas
(receive:S :A:fackSAg ! Skip d1. X ))
Od2 Skip Where
Ta = send :A:S :fTa :b:kabgkas :Engage1
Responder b= receive:S :B :fTs :a:kabgkbs !
send :B :S :fackSBg ! start decrypt !
end decrypt ! Skip Where
Ts 6 receive:S :B :fTs :a:kabgkbs :Engage
^ fresh(receive:S :B :fTs :a:kabg;Ts ;Tes)1
1fresh(e,t,Tes) is deﬁned in Section 4.1.
6.1. FORMAL SPECIFICATION OF TIMED SECURITY PROTOCOLS 104
Server b= receive:A:S :fTa :b:kabgkas !
send :S :A:fackSAg ! start decrypt !
end decrypt ! (X 
send :S :B :fTs :a:kabgkbs !
(receive:B :S :fackbsg ! Skip d3. X ))
Od4 Skip Where
Ts = send :S :B :fTs :kabgkbs :Engage1
^ fresh(receive:A:S :fTa :b:kabg;Ta ;Tes)
Network b= Initiator jj Responder
jj Server jj Cryptograph
The network is a parallel composition of the three processes, as well as the Cryptograph.
Intruder
The intruder works basically as a Dolev-Yao intruder [22]. The diﬀerence is that our intruder
takes time. The intruder can impersonate each agent executing the protocol, so it can play
each of the roles in the protocol. Even thought the intruder has got its own keys, nonces
etc., it can also try to use all the information it is receiving in the protocol run as its own
(e.g., nonces). For the purpose of this paper, we restrict the behaviors of the intruder that it
cannot read the mind of other principals to get some secret and it is unable to guess values.
We restrict the behaviors of the intruder to the following actions:
 encrypt and decrypt a message
 intercept a message
 replay a message
 send a message to any principals
 delay a message with arbitrary time
The models of intruder and the new system with intruder are speciﬁed as follows:
6.2. VERIFICATION OF AUTHENTICATION 105
Intruder b= start encrypt ! end encrypt ! Intruder
2 start decrypt ! end decrypt ! Intruder
2 receive:S :I :M ! Intruder
2 send :I :R:M ! Intruder
2 receive:S :I :M
T! send :I :R:M ! Intruder
System b= Network k Intruder
where I is the identity of itself, S is the sender, R is the receiver and M is the message. The
intruder would intercept into the protocol sessions through channel send and receive.
We present a natural way for specifying security protocols using Timed Planning, including
the initiator, responder, server and intruder, with timestamps and timeout. It shows that
Timed Planning is a good mechanism to model timed security protocols in a compositional
way.
6.2 Veriﬁcation of Authentication
For verifying timed security protocols, protocols are ﬁrstly modeled in Timed Planning
models, and then translated into CLP programs. Properties which need to be veriﬁed are
encoded into CLP goals using relations deﬁned in Section 4.4. In this section, we show how
to deﬁne and verify timed security properties, including timed authentication properties.
Moreover, by using timing information of each protocol run, potential attacks are also to be
found.
6.2.1 Timed Authentication Property
Authentication property is very important in security protocols. Protocols need to accom-
plish authentication of the Initiator and Responder . [46] classiﬁed a set of authentication
requirements. We will focus on timed non-injective agreement, which is an extension of the
non-injective agreement deﬁned in [46].
6.2. VERIFICATION OF AUTHENTICATION 106
Deﬁnition 16 (Timed Non-Injective Agreement) A timed security protocol guaran-
tees timed non-injective agreement, only if responder B thinks it has completed a run of
the protocol with A using data D , then A was actually running the protocol with B using
data D . To check the authentication property, signals are added to principals to indicate
principal B has completed a protocol run with A and A is actually running a protocol with
B , whenever necessary. 2
Our method is to insert signals, which are special kind of events, into each process, and
then to check the corresponding relationship of these signals. In our approach, event
commit :B :A:D is used to denote that principal B has completed a protocol running with A
using data D , run:A:B :D as principal A is running a protocol with B using data M .
Initiator b= start encrpt ! end encrpyt !
run:a:b:fta :b:kabg !
(X  send :A:S :fta :b:kabgkas
! (receive:s:a:facksag ! Skip d1. X ))
Od2 Skip
Whereta = send :a:s:fta :b:kabgkas :Engage
Properties which need to be veriﬁed are speciﬁed as assertions. There is a one-to-one rela-
tionship between the runs of A and B for protocol satisfying timed non-injective agreement
property. The timed non-injective agreement means that once there is a commit event, there
should be at least one run event appearing previously. The assertion is deﬁned as:
non inj agr(P ;Tr) :  trace(P ;Tr ; );
end(Tr ; commit :B :A:M );not in(Tr ; run:B :A:M ):
This predicate is to ﬁnd a trace Tr , where there is no event run occurred before event
commit . Tr is an instance of an attack. Predicate trace(P ;Tr ;T ) is deﬁned in previous
section. After checking the timed non-injective agreement property over WMF protocol,
such attack has been found where responder B ﬁnds that it has more than one sessions with
initiator A but in fact there should be only one [6]. We also model the Needham-Schroeder
Public-Key protocol as process NSP , by executing the following goal:
?  non inj agr(NSP ;Tr):
6.2. VERIFICATION OF AUTHENTICATION 107
We are able to ﬁnd an attack where the responder B commits a session with the initiator
A, but A did not establish a protocol run with B , where A is running the protocol with the
intruder I [70]. The trace is:
hstart encrypt ; end encrypt ; send :A:I :M ;
receive:A:I :M ; send :I :B :M ; receive:I :B :M ;
send :B :I :M 2; receive:B :I :M 2; send :I :A:M 2;
receive:I :A:M 2; send :A:I :M 3; receive:A:I :M 3;
send :I :B :M 4; receive:I :B :M 4; commit :B :A:Di
Preventing Attacks
By preventing the authentication attack, we propose appending a constraint WhereTes #
run:A:B :D > Tes # commit :B :A:D to the protocol process to guarantee number of event
commit is always less than event run. The revised Wide Mouth Frog protocol is modeled
as WMF R1.
Another approach of preventing attacks is by changing the timeout values. There is a
particular timed authentication attack for Wide Mouth Frog protocol where the intruder
can extend the life time of a (possibly compromised) key Kab as wanted, whereas A and B
think that it has expired and been destroyed [87].
i :1: A! S : – A, {Ta, B, Kab}Kas
i :2: S ! I (B): – {Ts, A, Kab}Kbs
ii :1: I (B)! S : – B, {Ts, A, Kab}Kbs
ii :2: S ! A : – {T’s, B, Kab}Kas
iii :1:I (A)! S : – A, {T’s, B, Kab}Kas
iii :2: S ! B : – {T”s, A, Kab}Kbs
This attack cannot be checked using timed non-injection agreement because there is exactly
one session for both initiator and responder. For step i :2 I takes the place of B to get the
message from server S where S should be expecting an ack from B . If S does not get the ack
within the timeout window, it could choose to terminate the session. Let dn be the network
transaction delay for each message passing. S should be able to get the ack message from
B after 2  dn if there is no attack. By changing the timeout window for S to less than
6.2. VERIFICATION OF AUTHENTICATION 108
Property Protocol Description Result
P1 CoreWMF non-injection agreement Yes
P2 CoreWMF timed non-injection agreement Yes
P3 CoreWMF + Intruder timed non-injection agreement No
P4 CoreWMF + Intruder replay attack Yes
P5 CoreWMF + Intruder timed authentication attack Yes
P6 WMF R1 + Intruder timed non-injection agreement Yes
P7 WMF R1 + Intruder replay attack No
P8 WMF R1 + Intruder timed authentication attack Yes
P9 WMF R2 + Intruder timed non-injection agreement Yes
P10 WMF R2 + Intruder replay attack No
P11 WMF R2 + Intruder timed authentication attack No
Figure 6.2: Analysis of Wide Mouth Frog protocols
6  dn , this attack will be avoided because B can only send ack to S after step iii :2, which
takes more than 6  dn time unites. We model the Wide Mouth Frog protocol with bounded
timeouts in WMF R2.
We list a set of properties over Wide Mouth Frog protocols, where the results are shown
in Figure 6.2. CoreWMF is the protocol without intruder; and CoreWMF + Intruder is
the protocol with intruder I . The results are computed in minutes or even seconds in PC
with 2.83GHz Intel Q9550 CPU and 2 GB memory. Comparison with other approaches are
ignored since there is no other tool supporting timed analysis of security protocols.
6.2.2 Using Timing Information
We are able to check other timing properties of the protocol. For example, ﬁnd the minimum
and maximum execution time of a run of a protocol P by ﬁnding P :End, using predicate
engage time(P , termination, R) deﬁned in Section 4.4.
6.3. SUMMARY 109
execution time(P ;R) :  engage time(P ; termination;R):
where termination is a special event denoting the end of the execution, R is the range of
execution time of protocol P .
By using the minimum and maximum execution of a protocol run, we can also check timing
authentication properties. In our approach, if there is a run of a protocol between two
principals A and B , it must be ﬁnished within a time interval [Tmin ;Tmax ], without intruders.
If a protocol run ends before Tmin , this may be a result of an attack which omits at least
one instructions or performs at least one instructions faster than it is expected. If a protocol
run ends after Tmax , this may be a result of an attack performing with extra actions, such as
replays. We deﬁne a predicate time attack (P ;Tr ;Min;Max ) to ﬁnd a trace which exceeds
the time interval [min;max ], which is also an instance of an attack.
time attack(P ;Tr ;Min;Max ) :  
trace(P ;Tr ;T ); (T < Min; T > Max ):
Assume for a protocol run, once a sender sends a message to the receiver, the message reaches
the receiver within [2, 4] time units because of the network delay. for WMF protocol, without
introducing an intruder, the execution time of a protocol run is [4,8]. By executing goal ? 
time attack (WMF ;Tr ; 4; 8): We ﬁnd a trace whose execution time is more than 8. If the
execution time of a protocol run exceeds the expected time interval, there must be some
attack in this protocol run. But if the execution time is within the time interval, attack-free
is not guaranteed.
6.3 Summary
In this work, we have proposed a new method of modeling and analyzing timed security
protocols which consists of various timing aspects such as timestamps, delays, timeouts and
a set of timing constraints. To fulﬁll the aim, we substantially Timed Planning with capa-
bilities to stating complicated and critical timing requirements of timed security protocols,
6.3. SUMMARY 110
in a compositional way. Based on our previous work on building a reasoning tool for Timed
CSP, a prototype mechanized proving system, based on CLP(R) to verify various properties
over systems modeled in this extended speciﬁcation has been built. We model principals
as processes, as well as the cryptograph device, including timestamps, timeout, retrans-
missions and delays. The timed non-injective agreement authentication property can be
veriﬁed using our underlying reasoning engine, which can be easily extended to verify other
authentication properties. We propose a novel approach to ﬁnd timing attacks using timing
information of protocol sessions. We can also model timing requirements of the protocols in
our Wherepredicates and verify other timing properties of the protocols.
There are many works on analyzing security protocols. In literature, methods for formal
veriﬁcation of security protocols do not take time into account, and this choice simpliﬁes
the analysis [8]. Powerful theorem provers like Isabelle and PVS have been applied to verify
timed dependent security properties [7, 39]. A common practice in the area of modeling and
veriﬁcation of security protocols is to abstract away timestamps [9]. Our approach is similar
to [87] which uses CSP to model and analyze untimed security protocols. Recently there have
been also other approaches to verify such protocols [20], which does not discuss timeout and
retransmissions. One more recent work, using Timed Automata for verifying timed security
[16], also introduces timeout. The diﬀerence of our timeout and retransmissions is that we
propose a bounded timeout, which also consider timeout over retransmissions. Moreover,
they cannot model timedstamps which needs global synchronization on clocks.
As a future work, we will apply Timed Planning speciﬁcations to other domains, such
as timed scheduling problems, complex real-time systems and etc. For analyzing timed
security protocols, we will expand the veriﬁcation of security properties, such as secrecy,
integrity, fairness and the timing properties such as the time range for an easy attack. For
our underlying reasoning engine, there are many potential improvements to be explored to
reduce the execution time, such as symmetry reduction and heuristics.
Chapter 7
Modeling and Veriﬁcation of
Pervasive Computing
Timed Planning is a powerful modeling language. In this section, we demonstrate the
eﬀectiveness of this language by applying it into pervasive computing domain.
Alzheimerąŕs disease is characterized by progressive deterioration of the patientąŕs intellec-
tual capacities that evolves during a period of 7 to 10 years on the average [59]. In most
developed countries, the demographical, structural and social trends tend towards more and
more elderly people, which will create dramatic impact on the society on both ﬁnancial and
organizational aspects. Dementia is a progressive, disabling, chronic disease aﬀecting 5%
of all persons above 65 years old and over 40% of people above 90 [43, 44]. Elders with
dementia often have declining short-term memory and have diﬃculties to remember neces-
sary activities of daily living (ADLs) [38]. It is widely believed that the reminding system
is a potential way to assist elderly people to complete ADLs [35]. From the demographic
changes, we can expect a rise in the quantity of aging people with mild dementia. The
impact of such increment will be long waiting lists for sheltered housing projects, homes
for the elderly, nursing homes and other care facilities. It has been suggested that most
aging people prefer to stay at home as long as possible, even if they are at risk [14]. From
111
7.1. TIMED REMINDING SYSTEM FOR DEMENTIA ELDERLY AT HOME 112
social, economic and elder’s perspectives, it is very important to enable the elders with mild
dementia to stay in their own homes safely and regularly as long as possible and to reduce
the burden of care givers. Even though, it is still a great pressure on nursing homes and
other similar type of care facilities. It also increases the pressure on care givers [12].
Pervasive computing techniques have been proposed to assist elders with mild dementia to
improve their level of independence and quality of life through cognitive reinforcement. To
support formal analysis, we propose an approach of using Timed Planning to model and
verify critical properties. In this chapter, we model and verify systems in two diﬀerent
settings. Firstly, in Section 7.1, a context-aware reminding framework for elders living at
home alone is built and modeled using Timed Planning. Secondly, in Section 7.2, a reminding
framework for elders living at nursing home is modeled using Timed Planning. The ﬁrst
case study focuses on the various reminders and conﬂicts between reminders. The second
case study focuses on the various sensors and reasoning about the rules.
7.1 Timed Reminding System for Dementia Elderly at Home
In smart home systems [109, 36], a centered design approach is adopted with user studied at
three diﬀerent sites [76, 38]: Amsterdam (Netherland), Belfast (UK) and Lulea (Sweden).
The summary of needs and wants from the three workshops is illustrated in Table 7.1.
As can be seen from the user study, a well designed reminding service is a fundamental
function for assisting elders with mild dementia living at home. The reminding system can
help them to perform daily activities properly and regularly, and also increase their feeling
of safety and security at home.
[109] identiﬁes the activities needed to be reminded to the elders are: meal preparation,
brushing teeth, making phone calls, appointments, turning oﬀ stoves, closing refrigerators,
taking medication, bringing the keys and locking doors when going outside. All of those
activities are modeled using Timed Planning and presented later, where we also consider
7.1. TIMED REMINDING SYSTEM FOR DEMENTIA ELDERLY AT HOME 113
Area of Cognitive Reinforcement Summary of required services/solutions
for people with mild dementia
Remembering Item locator (keys, mobile devices)
Maintaining Social Contact Means to provide communication
support with carer/family network
Performing daily activities Support with daily activities
associated with pleasure
Control of household devices
e.g., television, radio, planning activities
Enhanced feeling of safety Warnings of doors left open
Warning for devices left on
General: way to contact others in
instances of emergency
Table 7.1: Summary of needs and wants for mild dementia people living at home
some other activities such as ﬂushing and washing hands after toilet, turning oﬀ lights/tv
when going to sleep.
7.1.1 Reminding Service Classiﬁcations
Based on the observations of elder’s daily activities described above, [36] classiﬁes the re-
minding services into four kinds of categories, based on time and event. Time-based services
are used to capture the daily schedule of the elder people based on calendar time. However,
the dynamic nature of people’s daily activities poses potential risks for the elderly where
prompting services based on activities are necessary.
Time-based Prompting Two kinds of prompting service relate to time are described be-
low.
7.1. TIMED REMINDING SYSTEM FOR DEMENTIA ELDERLY AT HOME 114
 Timed ﬁxed prompting services: the prompting is issued at pre-deﬁned time such
that the subject understands the urgency of executing certain activity.
 Timed relevant prompting services: the prompting is relevant to a time, but can
be delayed within an acceptable time window.
Event-based Prompting Two kinds of prompting service triggered by events are de-
scribed below.
 Event urgent prompting services: triggered by events and need to be prompt
immediately.
 Event related prompting services: triggered by events, but can be delayed up to
an acceptable delay time, or must be delayed after an min delay time.
Timed ﬁxed promoting services are reminders be executed at certain time, such as time for
wake up, time for appointments, etc. Timed relevant prompting services are the reminders
that are more ﬂexible than time ﬁxed reminders, such as preparing lunch between 11:30am
to 12:30pm. Event urgent prompting services are those reminders must be prompted imme-
diately when some event is performed, for example, stove must be turned oﬀ if the elderly
is going to leave the house. Event related prompting services are reminders triggered by
events but can be delayed within an acceptable time window or must be delayed to some
time, for example, medication must be taken after 30 minutes of lunch.
7.1.2 Modeling using Timed Planning
Modeling time with calendar time
One important issue for timed reminding system is that how to model calendar time using
Timed Planning speciﬁcation. As we all know that Timed CSP only considers relative time
where all time are relative to the start time of the process.
There are two possible options to model the calendar time.
7.1. TIMED REMINDING SYSTEM FOR DEMENTIA ELDERLY AT HOME 115
1. Abstract the detailed information, use a ‘channel’ to get the information required from
the environment.
2. Build extra functions to compute the current calendar time using the starting time of
the system and the relative current time to it. Most programming languages have the
library to support those functions.
In this work, we choose the second option, which uses extra techniques to model the calender
time in terms of (week, hour, minute and second). Every time the system starts, record the
start time of the system in the 4 terms. We can easily compute the current calendar time





Calendar : hWeek ;Hour ;Minute;Secondi
Calendar :week = Calendar(1)
Calendar :hour = Calendar(2)
Calendar :minute = Calendar(3)
Calendar :second = Calendar(4)
Calendar :time = (Calendar(2);Calendar(3);Calendar(4))
In the following, calendar time(c1; t) deﬁnes a function which returns the current time
according to the start time of the system; relative time(c1; c2) deﬁnes a function which
returns the current time according to the current relative time (in seconds).
convert(i ; j ) = f(s; t) j 8 i ; j ; s; t : R  t = i mod j ^ j  s + t = ig
calendar time(c1; t) =
fc2 j 8 c1; c2 : Calender ;w1;w2 : W ; h1; h2 : H ;m1;m2 : M ; s1; s2 : S ; t : R 
(w1; h1;m1; s1) = c1 ^ (w2; h2;m2; s2) = c2)
9 x ; y ; z ; d : R 
convert(s1 + t ; 60) = (x ; s2) ^ convert(m1 + x ; 60) = (y ;m2) ^
convert(h1 + y ; 24) = (z ; h2) ^ convert(w1 + z ; 7) = (d ;w2)g
7.1. TIMED REMINDING SYSTEM FOR DEMENTIA ELDERLY AT HOME 116
relative time(c1; c2) =
ft j 8 c1; c2 : Calendar ;w1;w2 : W ; h1; h2 : H ;m1;m2 : M ; s1; s2 : S ; t : R 
(w1; h1;m1; s1) = c1 ^ (w2; h2;m2; s2) = c2)
9 x ; y ; z ; d : R 
convert(s1 + t ; 60) = (x ; s2) ^ convert(m1 + x ; 60) = (y ;m2) ^
convert(h1 + y ; 24) = (z ; h2) ^ convert(w1 + z ; 7) = (d ;w2)g
convert(i ; j ) is a function converting number i to a pair (s; t), where s is the multiple of
j and t is the mod of j . The purpose of this function is to convert seconds into minutes,
minutes into hours and hours into days. For example, converting 63 minutes (1 hours and 3
minutes) would use function convert(63; 60), returning pair (1; 3).
calendar time(c1; t) is a function converting the relative t time units passing starting on
initial calendar time c1 to the current calendar time c2. For example, the starting calendar
time c1 = (0; 0; 0; 0) (denoting time 0:00:00 am, Sunday), after 90061 seconds passing, the
current calendar time would be c2 = (1; 1; 1; 1) (denoting time 1:1:1 am, Monday).
relative time(c1; c2) is a function ﬁnd the relative time between calendar time c1 and c2,
providing c2 is later than c1.
The following deﬁnes a set of global variables:
c : Calendar
Modeling location and activities
In this reminding system, locations of the participant are modeled as global variables which
can be of type boolean, integer, string or tuple. We abstract the changes of the variables
which should be updated by the environment. The activities of the participant, which should
be detected by sensors, are modeled as events, such as getup, leaving , take medication,
pick phone and etc.
7.1. TIMED REMINDING SYSTEM FOR DEMENTIA ELDERLY AT HOME 117
Timed ﬁxed reminders (TFR)
Timed ﬁxed reminders: the prompting is issued strongly at deﬁned time so that the subject
understands the urgency of executing certain activity. e.g.,
 get up at 7 a.m.
 catch ﬂight at 11:30 a.m.
 attend lecture/meeting/seminar at 2p.m.
Timed ﬁxed reminders can be modeled as processes whose starting time and prompting time
must be exactly as the required time.
TFR(t) b= [guard ]prompt ! Skip
Where calendar time(c;Start):time = t ^
prompt :Engage = Start
Example 7.1.1 The reminder which wakes up the elder at 7 a.m. would be:
wake up((7; 0; 0)) b= [athome ^ sleeping ]prompt ! Skip
Where calendar time(c;Start):time = (7; 0; 0) ^
prompt :Engage = Start
end
Timed related reminders (TRR)
Timed related reminders: prompting is related to a time, but can be delayed within an
acceptable time. e.g.,
 Start to cook dinner between 5 p.m and 5:30 p.m.
 Start to preparing tutorials/lectures at 3p.m.
7.1. TIMED REMINDING SYSTEM FOR DEMENTIA ELDERLY AT HOME 118
At a speciﬁc time t , this reminder is enabled, but it does not need to prompt immediately
if there are other reminders prompting. It needs to be prompted within an acceptable delay
d .
TRR b= [guard ]prompt ! Skip
Where calendar time(c;Start) > t ^
calendar time(c; promp:Engage) 6 t + d
Example 7.1.2 Remind the elderly to start preparing his/her dinner at around 5:30 p.m.
to 5:30 p.m. every day if he/she is at home.
prep dinner((17; 0; 0); (17; 30; 0)) b= [athome ^ :sleeping ]prompt ! Skip
Where calendar time(c;Start):time > (17; 0; 0)
^ prompt :Engage 6 (17; 30; 0)
end
Event urgent reminders (EUR)
Event urgent reminders: reminders triggered by event, which must be prompted as soon as
the event is engaged.
 turnoﬀ the stove after cooking
 bring the key while going out
Event urgent reminders can be modeled as a process whose ﬁrst event is the triggering event.
To make sure the prompt event happen immediately, the constraints trigger event :Engage =
prompt :Engage is added in the Where clause.
EUR b= trigger event ! [guard ]prompt ! Skip
Where trigger event :Engage = prompt :Engage
Example 7.1.3 Remind the elderly to turnoﬀ the stove after he ﬁnishes cooking.
turno stove b= cooking end ! prompt ! Skip
Where cooking end :Engage = prompt :Engage
end
7.1. TIMED REMINDING SYSTEM FOR DEMENTIA ELDERLY AT HOME 119
Event related reminders (ERR)
Event related reminders: prompting is triggered by an event, but can be delayed within an
accepted time. For example,
 wash hands after toilet within 3 minutes.
 take medication after 30 minutes of lunch.
We call the minimum delay time after the triggering event mdt , and the maximum delay
time after after the triggering event dt . Event related reminders can be modeled as a process
whose ﬁrst event is the triggering event. After that a delay of mdt occurs. The Where
clause makes sure that the engagement time of prompt event is bounded by the maximum
delay dt .
ERR b= trigger event mdt! [guard ]prompt ! Skip
Where prompt :Engage 6 trigger event :Engage+ dt
Example 7.1.4 Remind the elderly to wash hand after toilet in 3 minutes if there is no
phone call.
Wash hand b= nish toilet ! [:phonecall ]prompt ! Skip
Where prompt :Engage 6 nish toilet :Engage+ 3minute
end
Daily/ Weekly reminders
These reminders will prompt at a speciﬁc time every day, or every week with some conditions.
For example, the wake up reminder which will prompt 8 a.m. every weekdays. The attending
lecture reminder which will prompt every 10 a.m. every Monday if not public holidays.
We need other techniques (rules) to identify that whether today is weekday or weekend or
public holiday. We have two alternative options:
7.1. TIMED REMINDING SYSTEM FOR DEMENTIA ELDERLY AT HOME 120
 retrieve the information of whether today is weekday or weekend from the environment
by channels and abstract the details.
 use Calendar Logic to calculate those information in our system. Therefore, Ontology
can be a good candidate for modeling Calendar Logic.
Daily promoting services: prompt at time t everyday.
Daily Reminder b= Reminder ; Wait 1day ; Daily Reminder
Where calendar time(c;Reminder :Start):time = t
Daily promoting services: prompt at time t everyday, except Saturday and Sunday
Daily Reminder b= Reminder ; Wait 1day ; Daily Reminder
Where 1 6 calendar time(c;Reminder :Start):week 6 5
^ calendar time(c;Reminder :Start):time = t
7.1.3 Medication Planner
In this subsection, we use a medication planner [104] to demonstrate the modeling of re-
minders using timed planning. The system requirements of the medication planner are
described below.
1. Never prompt outside the window: within a certain time interval: [st, st+dt]
2. Do not prompt if pill is already taken within the current window
3. Do not prompt if the participant is not at home: athome=true
4. Do not prompt if the participant is sleeping
5. Do not prompt if participant is on the phone
6. Resume prompting if the participant returns home before the window expires
7. Prompt at plan 2 if participant is leaving
7.1. TIMED REMINDING SYSTEM FOR DEMENTIA ELDERLY AT HOME 121
8. Wait till the time the user usually takes the pill. If it is earlier than the recommended
pill taking time, start checking for plan 1 prompting opportunities at the usual pill
time.
9. If only less than 20 minutes left till the window expires, start prompting at plan 1
disregarding all other rules (except 1-3)
There are two kinds of promptings in the system.
Plan 1 Prompt using the nearest device. The chime is played 10 seconds each time and
lights stay on till location changes. Stop if pill is taken. Escalate to Plan 2 after 10
minutes.
Plan 2 Prompt using all prompting devices in the house every minute. Lights on devices
stay on and chime is played for 10 seconds every minute.
Plan1 b= prompt 10! Skip; Wait(10minute); Plan2 O taken?yes ! Skip
Plan2 b= prompt 10! Skip; Wait(1minute); Plan2 O taken?yes ! Skip
Medi b= ([athome ^ :taken ^ :onThePhone ^ :sleeping ]Plan1 – rule 2 - 6
2 leaving?yes ! Plan2) – rule 7
Odt 20minute Plan2 – rule 8
Where calendar time(c;Start) > st ^
calendar time(c; promp:Engage) 6 st + dt – rule 1
For rule 6: prompting will resume if the participant returns home before the window expires.
Our modeling is able to preserve this requirement in a more clever way. Once the participant
returns home, the boolean variable athome will be changed to true, hence this process is
able to be executed. So this model satisﬁes a more general requirement:
 Prompting will resume if the participant returns home or wakes up or ﬁnishes phone
call before the window expires.
7.1. TIMED REMINDING SYSTEM FOR DEMENTIA ELDERLY AT HOME 122
7.1.4 Speciﬁc domain: Elderly Reminding System
In this section, we present the Timed Planning model for the elderly reminding systems.
The reminders required in the system are listed as follows.
 wake up reminder (Timed ﬁxed reminder)
 brush teeth (Timed related reminder)
 meal preparation (Timed related reminder)
 making phone calls (Timed related reminder)
 appointment (Timed related reminder)
 turn oﬀ stoves (Event urgent reminder)
 taking medication (Timed related reminder)
 bring keys while going out (Event urgent reminder)
 wash hands after toilet (Event related reminder)
There are four possible events, which would trigger new reminders, i.e., get up, toilet, going
out and go to toilet. There are several external events, which cannot trigger new reminders,
i.e., phone call, knock the door and come back. The Elderly can choose to either response or






There is one assumption about the system, i.e., the time stamp 00:00 a.m. is set to be 0.
Hence 1:00 a.m. is 60, 2:00 a.m. is 120, and so on. In the following, we introduce the
reminder models in the system.
7.1. TIMED REMINDING SYSTEM FOR DEMENTIA ELDERLY AT HOME 123
Wake up reminder
Wakeup reminder service is provided to wake up dementia patients at a speciﬁc time.
The template deﬁned for wakeup reminder is shown as:
Wakeup(t) b= [athome ^ sleeping ]prompt wakeup ! Skip
Where Start = calender time(c;Start) = t
^ prompt wakeup = Start
The wakeup reminder set at 7:00 am every morning is speciﬁed using processWakeup((7; 0; 0)),
where (7,0,0) represents time 7:00 am.
Watch TV
Reminders for the elderly to watch his favorite TV program at 10am, which is timed ﬁxed
reminder.
TV b= [athome]prompt tv ! Skip
Where calender time(c;Start) = (10; 0; 0) ^ prompt tv :Engage = Start
Bring key
Bringkey reminder service is provided to remind the elderly to bring his keys while going
out, which is an event urgent reminder.
channel:{bring key} is a sensor detecting whether the elderly brings his keys or not.
channel :{goingout}
Key b= goingout?yes ! ([:bringkey ]prompt bringkey ! Skip 2 [bringkey ]Skip)
Where prompt bringkey :Engage = goingout?yes:Engage
Wash hands
WashHands reminder service is provided to remind the elderly to wash hands after toilet,
if the elderly does not wash his hand in one minute. The maximum delay allowed in this
7.2. SMART NURSING HOME FOR MILD DEMENTIA ELDERLY 124
reminder is 5 minutes. This is an event related reminder, which is modeled below.
channel:{toilet, wash hands}
WashHands b= toilet?nish ! (wash hand?yes ! Skip O1minute
prompt washhand ! Skip)
Where prompt washhand :Engage  toilet?nish:Engage 6 5minute
Prepare Breakfast
WashHands reminder service is provided to remind the elderly to start preparing his break-
fast at around 8:30 a.m. to 9:00 a.m. every day if he/she is at home.
PrepareBreakfast b= [athome ^ :sleep](prompt breakfast 45minute! Skip)
Where calender time(c;Start) = (8; 30; 0) ^
prompt breakfast :Engage 6 Start+ 30
7.2 Smart Nursing Home for Mild Dementia Elderly
The primary goal of this project is to enable the person with mild dementia, through ambient
intelligence and assistive technologies, to maximize his physical and mental functions and
to continue to engage in social networks, so that he can lead an independent and purposeful
life. The person with mild dementia is usually able carry out the actual task in most basic
activities of daily living but is often handicapped by his poor memory and thus forgets to
carry out these tasks. These can include bathing, changing clothes and taking medication
on time. Ambient intelligence enables the capture of context information in a pervasive and
non-intrusive manner. Assistive technology that provides timely prompts and reminders will
enable him to preserve his abilities and independence.
This project focuses on the automated recognition of activities and behaviors in smart
nursing homes and providing assistance / intervention accordingly. We will carry out the
automated monitoring of basic Activities of Daily Living (bADL) and instrumental Activ-
ities of Daily Living (iADL) among single and multiple residents in smart nursing homes.
7.2. SMART NURSING HOME FOR MILD DEMENTIA ELDERLY 125
Technically, these objectives translate to signiﬁcant advances in sensitivity and speciﬁcity
in activity and plan recognition of ﬁner grained bADLs / iADLs for single subject; and
improved location tracking, object / human dissociation and activity recognition among
multiple subjects.
As mentioned above, the target is to support ageing people with mild dementia in performing
Activities of Daily Living (ADLs) at home. Elders with dementia often have declining short-
term memory and have diﬃculties in planning and performing the necessary activities of
daily living. It is conceivable that a system of timely reminders is a potential way to assist
elderly people to complete bADLs/iADLs, which moderates their memory impairment and
reduces the burden of care givers.
7.2.1 System Design
Activity Daily Living (ADLs)
Activities of Daily Living (ADLs) is a term used in health care to refer to daily self-care
activities within an individual’s place of residence, in outdoor environments, or both. Health
professionals routinely refer to the ability or inability to perform ADLs as a measurement
of the functional status of a person, particularly in regards to people with disabilities and
the elderly. Activity of Daily Living (ADL) monitoring is important in order to determine
the well being of elderly persons in their home settings.
In the current phase of this project, we mainly consider ADLs within bed room and shower
room which are important activities for early dementias patients living in the nursing home.
ADLs are including:
 Enter/Leave bed room
 Sitting/Sleeping on bed
 Go to the shower room for toilet
7.2. SMART NURSING HOME FOR MILD DEMENTIA ELDERLY 126
Figure 7.1: The Sensor Setup for Bedroom and Bath Room
7.2. SMART NURSING HOME FOR MILD DEMENTIA ELDERLY 127
 Go to the shower room to wash hands
 Go to the shower room to take shower
Process Residence(i ; status) is deﬁned below to model all the possible activities of a resi-
dence, where i is the identity of the patient and status is the current location of the residence.
Initially, each residence is outside of the room, status = outside. Activities happened in room
are composed of sub-activities, where each sub-activity is modeled as a process. EnterRoom
speciﬁes the activity entering the bed room if and only if the residence is outside of the
bedroom. LeaveRoom speciﬁes the activity leaving the bed room if and only if the residence
is inside the bedroom. BedActivity is deﬁned the capture the activities in bed, which can be
sitting on the bed, sleeping on the bed and get up. Detailed models of the three activities are
deﬁned as follows, where the complete model of all residence activities is shown in Appendix
C. Possible status of each residence: {outside, inRoom, inShowerRoom, inBed}
Residence(i ; status) b= (EnterRoom(i ; status); Residence(i ; inRoom))
2 (LeaveRoom(i ; status); Residence(i ; outside))
2 (Shower(i ; status); Residence(i ; status))
2 (BedActivity(i ; status); Residence(i ; status))
2 (Toilet(i ; status); Residence(i ; status))
EnterRoom(i ; status) b= [status == outside]enterRoom:i ! Skip
LeaveRoom(i ; status)) b= [status == inRoom]leaveRoom:i ! Skip
BedActivity(i ; status) b= [status == inRoom]gotoBed !
((sitonbed :0:i ! BedAct (i ; 0))
2 (sitonbed :1:i ! BedAct (i ; 1)))
BedAct (i ; j ) b= (SittingOnBed(i) 2 Sleeping(i));
(BedAct(i ; j ) 2 GetUp(i ; j ))
SittingOnBed(i) b= sitting :i ! Skip
Sleeping(i) b= laydown ! sleeping ! Skip
GetUp(i ; j ) b= leavebed :j :i ! Skip
Sensor Modalities
Various sensors are deployed in the environment to capture targeted activities. Sensors send
their current status to the control system via a wireless network. Sensors are used to monitor
7.2. SMART NURSING HOME FOR MILD DEMENTIA ELDERLY 128
the changes in the environment. In real life, sensors are sending signals representing their
status in certain interval according to their frequencies. Note that the details about signal
encoding/decoding and transmission between sensors and system are related to hardware
components, which are fairly reliable. Therefore we abstract out these details in our model
to simplify the modeling as well as the veriﬁcation.
Before modeling the sensor behaviors, we brieﬂy introduce diﬀerent sensors and their working
mechanism which are used in our system.
RFID Radio-frequency identiﬁcation (RFID) is a technology that uses communication via
electromagnetic waves to exchange data between a terminal and an object such as a
product, animal, or person for the purpose of identiﬁcation and tracking. Some tags
can be read from several meters away and beyond the line of sight of the reader. In
our project, RFID sensors are mainly used to:
 To detect the presence of subject at speciﬁc location
 To identify and infer who is doing what activity in the environment
Reed Switch is a small electromechanical device having two ferromagnetic reeds that are
hermetically sealed in a glass envelope. It is mainly used to:
 To detect the opening and closing status of the door, cabinet and drawers
 To infer the direction of entering/leaving with PIR
Motion Sensing (PIR) A Passive InfraRed sensor (PIR sensor) is an electronic device
that measures infrared (IR) light radiating from objects in its ﬁeld of view. PIR
sensors are often used in the construction of PIR-based motion detectors (see below).
Apparent motion is detected when an infrared source with one temperature, such as a
human, passes in front of an infrared source with another temperature, such as a wall.
In our project, PIR sensors are used to:
 To detect the presence of inhabitant at particular location
7.2. SMART NURSING HOME FOR MILD DEMENTIA ELDERLY 129
 To detect whether the inhabitant makes movements or not (coarse-grained)
Shake Sensing(Vibration)
 To detect the usage of water from inlet pipe (tap open/tap close)
 To infer the correct/incorrect activities inside bathroom with location information
Range Sensing (Infrared/Ultrasonic) To localize/detect the presence of subject/object
at speciﬁc location
Pressure Sensing (FSR) A Force-sensing resistor (FSR) is a material whose resistance
changes when a force or pressure is applied. In this project, we place a set of FSR
under the mattress of each bed to detect various activities in bed. The detailed usage
of FSR is:
 To detect the coarse-grained activities of the subject on the bed
 To activate/deactivate the RFID sensing according to the events detected from
pressure sensing push
In the modeling, each sensor is modeled as a process which is triggered by residence activities
and hence send signal to the control station. Process Sensors is an interleaving of all
individual sensor modeled in the system. DoorRFIDReader is a RFID sensor placed on the
bed room door to capture entering/leaving behavior of each residence. BedPressureS is a
pressures sensor place on each bed to detect residence activities on the bed. Once it detects
pressure sensing push on the bed, it would activate the BedRFID sensor to detect who is on
the bed. The three sensors are modeled as follows where the complete model of all sensor
behaviors are listed in Appendix C.
7.2. SMART NURSING HOME FOR MILD DEMENTIA ELDERLY 130
DoorRFIDReader b=
(EnterDoorRFID 2 LeaveDoorRFID); DoorRFIDReader
EnterDoorRFID b=
enterRoom:0! rd room!(0; outside)! Skip
2 enterRoom:1! rd room!(1; outside)! Skip
Where enterRoom:0:Engage = rd room!(0; outside):Engage
^ enterRoom:1:Engage = rd room!(1; outside):Engage
LeaveDoorRFID b=
leaveRoom:0! rd room!(0; inRoom)! Skip
2 leaveRoom:1! rd room!(1; inRoom)! Skip
Where leaveRoom:0:Engage = rd room!(0; inRoom)
^ leaveRoom:1:Engage = rd room!(1; inRoom):Engage
BedPressureS (i ; j ) b=
sitonbed :j :i ! bed pressure sensor !(j ; 0)! BedRFID(i ; j )
2 laydown:j :i ! bed pressure sensor !(j ; 1)! Skip
2 leavebed :j :i ! BedRFID( 1; j )
Where sitonbed :j :i :Engage = bed pressure sensor !(j ; 0):Engage
^ laydown:j :i :Engage = bed pressure sensor !(j ; 1):Engage
BedRFID(i ; j ) b= bed rd !j :i ! Skip
BedPressureSensor b=
(BedPressureS (0; 0) 2 BedPressureS (0; 1)) jjj
(BedPressureS (1; 0) 2 BedPressureS (1; 1));
BedPressureSensor
Sensors b= SRDoorRFIDReader jjj ShowerSensor Tap jjj BedPressureSensor
jjj DoorRFIDReader jjjWashSensor Tap
Controller and Reminding Service
When a sensor detects an activity in the environment, it will send signal to the control system
and then the system receives the signal and then make corresponding response to the change.
The main functions of the controller are i) updating system status, ii) activate/deactivate
related reminders. LocationMonitor receives signals from RFID sensor placed at the bed
room door and then updates the system of the status of the location of each residence.
ShowerTapMonitor receives signals from the shower tap shake sensor and then updates the
on/o status of the shower tap. BedMonitor monitors the bed pressure sensor and bed
RFID sensor and updates the bed activities as well as the occupation of each bed. The
7.2. SMART NURSING HOME FOR MILD DEMENTIA ELDERLY 131
three monitors are modeled as follows where the complete model of all monitors are listed
in Appendix C.
LocationMonitor b= (rd room?(i ; status)!
[status == outside]detectEnterRoom:i ! Skip
2 [status == inRoom]detectLeaveRoom:i ! Skip);
LocationMonitor
ShowerTapMonitor b= (showerroom tap?1! tapIsOn ! Skip
2 showerroom tap?0! tapIsO ! Skip);
ShowerTapMonitor
BedMonitor b= (bed pressure sensor?(j ; s)! bed rd?(i ; j )!
[i ! =  1 ^ i ! = j ]prompt sleepInWrongBed :i ! Skip
2 [i ! =  1 ^ i == j ]prompt goodnight :i ! Skip);
BedMonitor
Monitor b= LocationMonitor jjj ShowerRoomRFID jjj ShowerTapMonitor
jjj BedMonitor jjjWashTapMonitor ;
In this project, we studied the daily behaviors of residences of the nursing home and ﬁnal-
ly choose to implement six reminders. The reminders are customized under supervising.
Detailed descriptions of each reminder are as listed as follows:
Showering For Too Long Reminder Once the system detects a residence has been show-
ering for too long (e.g., more than 1 hour), it will send a reminder to him/her/nurse
to ﬁnish the shower and leave the shower room. If an elderly with mild dementia has
been showering for too long, is likely that he falls down or gets stuck in the shower
room; but it is not possible for the nurses to check each shower room from time to
time. The showering for too long reminder is of special importance in terms of safety
issue.
Sleeping in Wrong Bed Reminder Once the system detects a residence sleeps on other
residence’s bed, it will send a reminder to him/her to sleep on his/her own bed. It is
important because most of time, when a residence is sleeping on another residence’s
bed, they are very likely to argue withe each other.
Flushing Toilet Reminder Once system detects a residence forgets to ﬂush toilet after
using the toilet, the system will send a reminder to him/her to ﬂush toilet. Elderly
7.2. SMART NURSING HOME FOR MILD DEMENTIA ELDERLY 132
with mild dementia is very likely to forget ﬂushing after toilet which results in serious
hygiene issue.
Turnoﬀ Shower Tap Reminder Once system detects a residence forgets to turnoﬀ water
tap after showering, it will send a reminder to him/her to turnoﬀ the shower tap.
Turnoﬀ Wash Basin Tap Reminder Once the system detects a residence leaves the
wash basin tap on while ﬁnishing washing hands, it will send a reminder to him/her
to turnoﬀ the water tap.
Wake Up Reminder It is a morning wake-up alarm for each residence if they are required
to wake up by some time.
Selected reminders, more speciﬁcally, Sleep in wrong bed reminder, showering for too long
reminder and ﬂush toilet reminder , are speciﬁed as follows, where the complete model is
shown in Appendix C.
Reminder SleepingInWrongBed b=
(prompt sleepInWrongBed :0! prompt !(wrong bed ; 0)! Skip
2 prompt sleepInWrongBed :1! prompt !(wrong bed ; 1)! Skip);
Reminder SleepingInWrongBed
Where prompt !(wrong bed ; 0):Engage 
prompt sleepInWrongBed :0:Engage  60 ^ prompt !(wrong bed ; 1):Engage
  prompt sleepInWrongBed :1:Engage  60
Reminder Flushing(duration) b=
(start toilet ! nish toilet ! Skip duration.




detectLeaveShowerRoom:0! prompt !showertoolong ! Skip
2 detectEnterShowerRoom:1! Skip duration.
detectLeaveShowerRoom:1! prompt !showertoolong ! Skip);
Reminder ShowerLong(duration)
Prompting is the implementation of the prompting service which receives signals from prompt
channel and then send alarms according to the type of reminder received from the channel.
It is speciﬁed as:
7.2. SMART NURSING HOME FOR MILD DEMENTIA ELDERLY 133
Prompting b= prompt?status ! prompting ! Prompting ;
7.2.2 Veriﬁcation
With the Timed Planning model presented above, this section is devoted to the veriﬁcation
of various properties of the system. We categorize the properties according to the following
three types.
Deadlock Freeness
Deadlock is a common undesired state for safety-critical systems, especially in our case, a
smart nursing home for mild dementia patients. The existence of a deadlock state indicates
there might be potential error for the system which can lead to sensor erroneous or re-
minder erroneous. An assertion for verifying deadlock freeness is deﬁned in a CLP relation
deadlock(P ;Tr), where P is the reference of the smart nursing home model and Tr is a
deadlock witness trace. By executing the goal:
?  deadlock(smartnursinghome;Tr):
Reminder Correctness
The most important (safety) properties that we want to preserve are that whenever the
critical situation occurs, the reminders will work as designed. For example, if the shower
tap is left on and nobody is inside the shower room, will the Turnoﬀ Shower Tap Reminder
be sent out on time. It’s important to check the prompting of reminders based on time. To
check the correctness of each reminder, we list the following properties as follows.
 FTRP: After a residence has ﬁnished toilet for sometime and no ﬂushing action has
been taken, whether the ﬂushing toilet reminder would prompt within 1 minute (60
seconds) or not?
7.2. SMART NURSING HOME FOR MILD DEMENTIA ELDERLY 134









Table 7.2: Results of Experiment
 STLRP: If a residence is showering for more than the maximum time, will showering
for too long reminder prompt in 1 minute?
 SWBRP: If a residence sleeps in a bed which not his, whether the sleeping in wrong
bed reminder would prompt in 30 seconds?
 TSTRP: Once a residence exits the shower room and leaves shower tap on, will turnoﬀ
shower tap reminder would prompt in 1 minute?
 TWTRP: Once a residence exits the washing basin area and leaves the washing tap
on, whether the turnoﬀ wash basin tap reminder would be prompted or not?
Experiments
In this section, we discuss how each component is modeled as Timed Planning processes and
how the properties are deﬁned as CLP goals. We test seven properties deﬁned previously
among the Smart Nursing Home system on Windows XP with a 2.0 GHz Intel CPU and 2
GB memory. The result is shown in Table 7.2.
7.2. SMART NURSING HOME FOR MILD DEMENTIA ELDERLY 135
7.2.3 Modeling with PAT
To compare with PAT model checker, we model the smart nursing home system in PAT’s
syntax and verify the same properties.
Since the modeling language of PAT is also an extension of Timed CSP, the PAT module of
smart nursing home system is very similar to the Timed Planning model described in the
previous section, hence ignored here. The complete PAT model of the smarting home system
is shown in Appendix D. However, we remark that there are two diﬀerences in the modeling.
Firstly, PAT supports global variables but not Timed Planning. Therefore, Timed Planning
model of smart nursing home system adopts a diﬀerent approach in modeling the status
changes of the sensors. Secondly, Timed Planning supports Where clause but not in PAT.
Therefore, PAT model uses the timeout or ranged wait or within operators to achieve the
same eﬀects.
For the properties presented in Section 7.2.2, PAT can verify only partial of them due to
the diﬀerent approach in verifying the system. On the other hand, some LTL properties
that can be veriﬁed by PAT, but hardly encoded in the CLP syntax. We list some LTL
properties below that can be checked by PAT only.
 SWBRP: [](tapon nobodyin -> <>prompt TurnOﬀTap)
 TSTRP: [](laydown.0.1 -> <> prompt sleepInWrongBed.0)
 TWTRP: [](enterShowerRoom.0 || enterShowerRoom.1 -> <> showertapon)
In summary, PAT and Timed Planning provides diﬀerent ways to modeling and verifying
the real-time systems. Their modeling language is very similar and can be used to model
hierarchical real-time systems. PAT supports the global variables, which can make the
modeling easier sometimes. For the veriﬁcation support, PAT can support safety properties,




Pervasive computing techniques have been proposed to assist elders with mild dementia to
improve their level of independence and quality of life through cognitive reinforcement. In
this chapter, we demonstrate how to support formal analysis of pervasive computing systems
by using Timed Planning to model and verify critical properties.
To demonstrate the feasibility of our approach, we use model and verify systems in two
diﬀerent settings. Firstly,a context-aware reminding framework for elders living at home
alone is built and modeled using Timed Planning speciﬁcation. Secondly, a reminding
framework for elders living at nursing home is modeled using Timed Planning. The ﬁrst
case study focuses on the various reminders and conﬂicts between reminders. The second
case study focuses on the various sensors and reasoning about the rules. For the second case
study, we compare our approach with the PAT modeling techniques. The results shows that
PAT has better performance but cannot verify the properties related to timing, while our
approach has the advantage in expressing complication property. The future work for us




This chapter concludes the thesis. Section 8.1 summarizes the contribution of this thesis
and Section 8.2 discusses some on-going and future directions.
8.1 Summary of the Thesis
In this thesis, we focused on the modeling and veriﬁcation of real-time systems by using
timed process algebra. In particular, we have tried to address four issues related to real-
time systems modeling and veriﬁcation.
1. Proposing a formal language for modeling real-time systems with hierarchical strutures,
2. Exploring eﬃcient veriﬁcation techniques to perform formal analysis of the proposed
models,
3. Implementing a toolkit to support eﬀective real-time veriﬁcation, and
4. Applying the proposed techniques in diﬀerent domains.
137
8.1. SUMMARY OF THE THESIS 138
Timed CSP is a timed extension of CSP, which has been proposed for decades. Such speciﬁ-
cation languages are elegant and intuitive as well as precise, which have been widely accepted
and applied to a wide arrange of systems. The ﬁrst piece of work we have done is building a
reasoning mechanism for a timed process algebra, Timed CSP. The chosen underlying rea-
soning support is Constraint Logic Programming (CLP). We have shown that event-based
formalism like Timed CSP can be encoded in CLP by following its semantics. Our approach
therefore broadened real-time systems which can be speciﬁed and veriﬁed by CLP. This
setups a solid foundation for extending Timed CSP with more expressive operators and
developing a reasoning engine for this extended Timed CSP speciﬁcation. In details, our
approach started with a formal translation of Timed CSP syntax to CLP relations, where
a library of all Timed CSP operators is built. Next, a collection of supplementary rules for
translating the operational semantics of each Timed CSP operator into CLP relations were
deﬁned. We carried out veriﬁcation of Timed CSP models with a high level of automation.
We investigated a wide range of properties that may be proved based on constraint solving,
namely CLP(R), for instance we showed that using a unique interpretation, safety proper-
ties and liveness properties can be proved eﬀectively as well as properties such as lower or
upper bound of variables and timewise reﬁnement. A prototype tool HORAE, which is an
interactive software that provides composing and reasoning of Timed CSP models.
The second piece of work in the thesis is to propose a new formalism for real-time systems
by extending Timed CSP. This extension names Timed Planning. Due to the fact that the
semantics of Timed CSP lacks of support for stating system requirements which constraints
all behavioral traces of given processes, for example, deadline and execution time of a pro-
cess, time-related constraints among events which are common requirements for many real
time systems and etc. Timed Planning extends Timed CSP with the capability of stating
complicated timing behaviors for processes and events to model and verify complex compo-
sitional real-time systems. A Timed Planning model is made up of a compositional timed
process and a set of constraints over processes, events and the data variables which are the
requirements that the process should satisfy. In this approach each process is associated
with a set of localized timing/untiming requirements with keyword Where, which can be
8.1. SUMMARY OF THE THESIS 139
speciﬁed in a compositional way. The Timed Planning provided a framework to specify
a number of compositional timed/untimed behaviors to capture various requirements over
the system. It has more expressive power than Timed Automata, for example it has the
capability of keeping timed event set during execution and applying some operations on
the set. In this thesis, we formally deﬁned complete syntax and operational semantics of
Timed Planning. Due to the expressive power, CLP can express the syntax and semantics
of Timed Planning completely. A mechanized proving system, based on CLP(R), has been
developed by extending the reasoning mechanism for Timed CSP. For verifying systems built
using Timed Planning speciﬁcation, a set of rules for feasibility testing are deﬁned to ﬁnd
the conﬂict constraints among processes. Besides, various safety and liveness properties can
also be veriﬁed over systems modeled in Timed Planning. We believe that Timed Planning
is not just a syntax sugar over Timed CSP, but it has more expressive power than Timed
CSP.
An important goal of formal speciﬁcation languages is to solve problems in various domains.
In the thesis, we applied Timed Planning in three diﬀerent domains, namely, scheduling,
security protocols and pervasive computing. Firstly, we applied Timed Planning and its
reasoning engine to solve classical job-shop scheduling problems, where ﬁnding an optimal
schedule corresponds to ﬁnding a shortest execution (in terms of elapsed time) in the Timed
Planning. In our approach, the job-shop scheduling problem was naturally modeled as
Timed Planning processes. We also worked with the extended job-shop scheduling problems,
where all jobs have composition operational behaviors. Besides, jobs with deadline and
relative timing constrains are also able to be captured in our approach. We believe that the
insight gained from this point of view will contribute both to scheduling and to the study
of timed processes. We have demonstrated that the performance of the Timed Planning
approach of solving job-shop scheduling problem can be highly improved by applying a set
of optimizations. There are still many potential improvements to be explored to reduce the
execution time, such as new partial-order methods and heuristics, etc.
8.2. FUTURE WORKS 140
Another piece of work is we proposed a new method of modeling and analyzing timed security
protocols which consists of various timing aspects such as timestamps, delays, timeouts and
a set of timing constraints. To fulﬁll the aim, we substantially extended Timed Planning
with capabilities to stating complicated and critical timing requirements of timed security
protocols, in a compositional way. Based on our previous work on building a reasoning tool
for Timed CSP, a prototype mechanized proving system, based on CLP(R) to verify various
properties over systems modeled in this extended speciﬁcation has been built. We model
principals as processes, as well as the cryptograph device, including timestamps, timeout,
retransmissions and delays. The timed non-injective agreement authentication property
can be veriﬁed using our underlying reasoning engine, which can be easily extended to
verify other authentication properties. We propose a novel approach to ﬁnd timing attacks
using timing information of protocol sessions. We also modeled timing requirements of the
protocols in our Where predicates and verify other timing properties of the protocols.
8.2 Future Works
Based on this thesis, there are a number of directions for future work that may be beneﬁcial
to the veriﬁcation system of timed process algebra languages and the applications. In this
section, some of these possible research directions are brieﬂy discussed.
8.2.1 Reduction and Optimization Techniques
First, we plan to investigate methods to combine well-known state space reduction tech-
niques. We know that systems that accept an inﬁnite number of threads or unbound data
structures make model checking impossible. Symmetric properties among threads can re-
duce inﬁnite number of threads to a small number. Data abstraction for inﬁnite domain
data variables can also be incorporated into the model checking to handle unbounded data
size. Furthermore, combining the eﬀective search heuristics in the CLP(R) with the veriﬁ-
8.2. FUTURE WORKS 141
cation algorithm is always attractive for us. These solutions are valuable for our veriﬁcation
algorithms.
8.2.2 New Application Domains
As a future work, we will apply Timed Planning speciﬁcations to other domains, such
as timed scheduling problems, complex real-time systems and etc. For analyzing timed
security protocols, we will expand the veriﬁcation of security properties, such as secrecy,
integrity, fairness and the timing properties such as the time range for an easy attack. For
our underlying reasoning engine, there are many potential improvements to be explored to
reduce the execution time, such as symmetry reduction and heuristics.
8.2.3 Tool Development
To perform eﬃcient veriﬁcation, tool implementation is the key. Based on the current
prototype, we shall improve it in the following directions. Firstly, a user friendly GUI can
help users to input the model easily. Secondly, integrate the new version of CLP(R) into
the system. The current CLP(R) we are using is based on the IBM version released at
1992. The new version of CLP(R) is under active development with a lot of bug ﬁxing and
performance improvement. To adopt the new CLP(R) and investigate the new reduction
technique can be very eﬀective for the veriﬁcation of real-time systems. Lastly, we want




[1] PAT: Process Analysis Toolkit. http://pat.comp.nus.edu.sg/.
[2] Y. Abdeddaïm and O. Maler. Job-shop scheduling using timed automata. In CAV ’01, pages
478–492, 2001.
[3] Y. Abdeddaïm and O. Maler. Preemptive job-shop scheduling using stopwatch automata. In
TACAS ’02: Proceedings of the 8th International Conference on Tools and Algorithms for the
Construction and Analysis of Systems, pages 113–126, London, UK, 2002. Springer-Verlag.
[4] R. Abhik and I. Ramakrishnan. Automated Inductive Veriﬁcation of Parameterized Protocols.
In International Conf. on Computer Aided Veriﬁcation (CAV). Springer, 2001.
[5] R. Alur and D. L. Dill. A Theory of Timed Automata. Theoretical Computer Science,
126(2):183–235, 1994.
[6] R. Anderson and R. Needham. Programming satan’s computer. In in Computer Science
Today, pages 426–440. Springer-Verlag, 1995.
[7] G. Bella and L. C. Paulson. Kerberos version iv: Inductive analysis of the secrecy goals. In
ESORICS 98, LNCS 1485. Springer, 1998.
[8] M. Boreale and M. G. Buscemi. Experimenting with sta, a tool for automatic analysis of secu-
rity protocols. In SAC ’02: Proceedings of the 2002 ACM symposium on Applied computing,
pages 281–285, New York, NY, USA, 2002. ACM.
[9] L. Bozga, Y. Lakhnech, and M. P&#x00e9;rin. Pattern-based abstraction for verifying secrecy
in protocols. Int. J. Softw. Tools Technol. Transf., 8(1):57–76, 2006.
[10] M. Bozga, C. Daws, O. Maler, A. Olivero, S. Tripakis, and S. Yovine. Kronos: A Model-




[11] P. Brooke. A Timed Semantics for a Hierarchical Design Notation. PhD thesis, University of
York, 1999.
[12] A. B. Bruno Bouchard and S. Giroux. A keyhole plan recognition model for alzheimerąŕs
patients: First results. Journal of Applied Artiﬁcial Intelligence (AAI), 22:S10–5, 2007.
[13] M. Burrows, M. Abadi, and R. Needham. A logic of authentication. ACM Transactions on
Computer Systems, 8:18–36, 1990.
[14] D. Cook and S. Das. How smart are our environments? an updated look at the state of the
art. Journal of Pervasive and Mobile Computing, 2007).
[15] R. Corin and S. Etalle. An improved constraint-based system for the veriﬁcation of security
protocols. In SAS 2002, pages 326–341, 2002.
[16] R. Corin, S. Etalle, P. H. Hartel, and A. Mader. Timed analysis of security protocols. J.
Comput. Secur., 15(6):619–645, 2007.
[17] J. Davies. Speciﬁcation and Proof in Real-Time CSP. Cambridge University Press, 1993.
[18] J. Davies and S. Schneider. A Brief History of Timed CSP. Theor. Comput. Sci., 138, 1995.
[19] G. Delzanno and S. Etalle. Proof theory, transformations, and logic programming for debug-
ging security protocols. In LOPSTR 2001, pages 76–90, 2001.
[20] G. Delzanno and P. Ganty. Automatic veriﬁcation of time sensitive cryptographic protocols.
In TACAS 2004.
[21] D. L. Dill. Timing Assumptions and Veriﬁcation of Finite-State Concurrent Systems. In
Automatic Veriﬁcation Methods for Finite State Systems, pages 197–212, 1989.
[22] D. Dolev and A. C. Yao. On the security of public key protocols. In SFCS ’81, pages 350–357,
Washington, DC, USA, 1981. IEEE Computer Society.
[23] J. S. Dong, Y. Feng, J. Sun, and J. Sun. Sensor based design techniques for smart system space.
In ICMOCCA ’06: Proceedings of the First International Conference on Mobile Computing,
Communications and Applications, August 2006.
[24] J. S. Dong, P. Hao, S. Qin, and X. Zhang. The semantics and tool support of ozta. In
Proceedings of the 7th IEEEInternational Conference on Formal Engineering Methods (ICFEM
2005), pages 66–80, 2005.
BIBLIOGRAPHY 145
[25] J. S. Dong, P. Hao, S. C. Qin, J. Sun, and Y. Wang. Timed Patterns: TCOZ to Timed Automa-
ta. In J. Davies, W. Schulte, and M. Barnett, editors, Proceedings of the 6th IEEEInternational
Conference on Formal Engineering Methods (ICFEM 2004), volume 3308 of Lecture Notes in
Computer Science, pages 483–498. Springer, 2004.
[26] J. S. Dong, P. Hao, S. C. Qin, J. Sun, and W. Yi. Timed Automata Patterns. IEEE Trans-
actions on Software Engineering, 34(6):844–859, 2008.
[27] J. S. Dong, P. Hao, J. Sun, and X. Zhang. Reasoning about Timed CSP Models . In FM 2006.
http://fm06.mcmaster.ca/research exhibition.htm.
[28] J. S. Dong, P. Hao, J. Sun, and X. Zhang. A Reasoning Method for Timed CSP Based
on Constraint Solving. In Proceedings of the 8th IEEEInternational Conference on Formal
Engineering Methods (ICFEM 2006), volume 4260 of LNCS, pages 342–359. Springer, 2006.
[29] J. S. Dong, P. Hao, J. Sun, and X. Zhang. A Reasoning Method for Timed CSP Based on
Constraint Solving. In ICFEM 2006, pages 342–359, 2006.
[30] J. S. Dong, P. Hao, X. Zhang, and S. Qin. Highspec: a tool for building and checking ozta
models. In Proceedings of the 28th International Conference on Software Engineering (ICSE
2006), pages 775–778, 2006.
[31] J. S. Dong, Y. Liu, J. Sun, and X. Zhang. Veriﬁcation of Computation Orchestration Via
Timed Automata. In Proceedings of the 8th International Conference on Formal Engineering
Methods (ICFEM 2006), volume 4260 of LNCS, pages 226–245. Springer, 2006.
[32] J. S. Dong, B. P. Mahony, and N. Fulton. Modeling Aircraft Mission Computer Task Rates.
In FM 1999, page 1855, 1999.
[33] J. S. Dong, J. Sun, J. Sun, K. Taguchi, and X. Zhang. Specifying and verifying sensor net-
works: an experiment of formal methods. In Proceedings of the 10th International Conference
on Formal Engineering Methods (ICFEM 2008), volume 5256 of Lecture Notes in Computer
Science, pages 318–337. Springer, Oct 2008.
[34] J. S. Dong, J. Sun, and X. Zhang. Reasoning of Timed CSP and Extensions. In Technical
report. http://www.comp.nus.edu.sg/zhangxi5/tp.pdf.
[35] K. Du, D. Q. Zhang, M. Musa, M. Mokhtari, and X. Zhou. Handling activity conﬂicts in
reminding system for elders with dementia. In FGCN 2008 :Future Generation Communication
and Networking, volume 2, pages 416 – 421, 2008.
BIBLIOGRAPHY 146
[36] K. Du, D. Q. Zhang, X. Zhou, M. Musa, M. Mokhtari, and W. Qin. Hycare: A hybrid context-
aware reminding framework for elders with mild dementia. In ICOST 2008 :6th International
Conference on Smart Homes and Health Telematics, pages 9 – 17, 2008.
[37] X. Du, C. R. Ramakrishnan, and S. A. Smolka. Tabled resolution + constraints: A recipe for
model checking real-time systems. In In IEEE Real Time Systems Symposium (RTSS, pages
175–184. Society Press, 1999.
[38] C. N. et al. Home based assistive technologies for people with mild dementia. In ICOST 2007
: 5th International Conference on Smart Homes and Health Telematics, volume 4541/2007,
pages 63–69, Nara, Japan, 2007. Springer.
[39] N. Evans and S. Schneider. Analysing time dependent security properties in csp using pvs. In
ESORICS ’00, pages 222–237, London, UK, 2000. Springer-Verlag.
[40] D. A. Fisher. The interaction between the preliminary designs and the technical requirements
for the dod common high order language. In ICSE 1978, page 82ĺC83, 1978.
[41] M. L. Fisher. Optimal solution of scheduling problems using lagrange multipliers: Part i.
OPERATIONS RESEARCH, 21:1114–1127, 1973.
[42] Formal Systems (Europe) Ltd. Failure Divergence Reﬁnement: FDR2 User Manual. 1997.
[43] L. Fratiglioni, L. J. Launer, K. Andersen, M. M. Breteler, J. R. Copeland, J. F. Dartigues,
A. Lobo, J. Martinez-Lage, H. Soininen, and A. Hofman. Prevalence of dementia and major
subtypes in europe: A collaborative study of population-based cohorts. neurologic diseases in
the elderly research group. Neurology, 54(11 Suppl 5):S4–9, 2000.
[44] L. Fratiglioni, L. J. Launer, K. Andersen, and etc. Incidence of dementia and major subtypes
in europe: A collaborative study of population-based cohorts,neurol dis elderly res group.
neurology. Neurology, 54:S10–5, 2000.
[45] C. R. R. G. Pemmasani and I. V. Ramakrishnan. Eﬃcient real-time model checking using
tabled logic programming and constraints. In ICLP 2002: 18th International Conference on
Logic Programming, pages 100–114. Springer, 2002.
[46] G.Lowe. A hierarchy of authentication speciﬁcations. In CSFW’97, pages 31–44, 1997.
[47] T. Göthel and S. Glesner. Machine Checkable Timed CSP. In NFM 2009. NASA Conference
Publication, 2009.
BIBLIOGRAPHY 147
[48] G. Gupta and E. Pontelli. A Constraint-based Approach for Speciﬁcation and Veriﬁcation of
Real-time Systems. In RTSS ’97, page 230, 1997.
[49] D. Harel and E. Gery. Executable Object Modeling with Statecharts. IEEE Computer,
30(7):31–42, 1997.
[50] T. A. Henzinger, X. Nicollin, J. Sifakis, and S. Yovine. Symbolic Model Checking for Real-Time
Systems. Information and Computation, 111(2):193–244, 1994.
[51] C. A. R. Hoare. Communicating Sequential Processes. International Series in Computer
Science. Prentice-Hall, 1985.
[52] C. A. R. Hoare. Communicating Sequential Processes. International Series on Computer
Science. Prentice-Hall, 1985.
[53] J. Jaﬀar and J. Lassez. Constraint Logic Programming. In POPL, pages 111–119, 1987.
[54] J. Jaﬀar and M. J. Maher. Constraint Logic Programming: A Survey. Journal of Logic
Programming,1994.
[55] J. Jaﬀar, S. Michaylov, P. J. Stuckey, and R. H. C. Yap. The CLP(R) Language and System.
ACM Trans. Program. Lang. Syst., 14(3):339–395, 1992.
[56] J. Jaﬀar, A. E. Santosa, and R. Voicu. A CLP Proof Method for Timed Automata. In
Real-Time Systems Symposium, pages 175–186, 2004.
[57] J. Jaﬀar, A. E. Santosa, and R. Voicu. Modeling Systems in CLP. In ICLP’05, 2005.
[58] A. Jain and S. Meeran. Deterministic job-shop scheduling: Past, present, and future. In
European Journal of Operational Research 113 (2), pages 390–434, 1999.
[59] J. J.R. Absher. Dementia diagnosis and therapy in the elderly. In Compr Ther 1992, pages
28 – 33, 1992.
[60] L. M. Lai and P. Watson. A Case Study in Timed CSP: The Railroad Crossing Problem. In
HART 1997, pages 69–74, 1997.
[61] L. Lamport. Proving the correctness of multiprocess programs. IEEE Transactions on Software
Engineering, 3:125–143, 1977.
[62] K. G. Larsen, P. Pettersson, and Y. Wang. Uppaal in a Nutshell. International Journal on
Software Tools for Technology Transfer, 1(1-2):134–152, 1997.
BIBLIOGRAPHY 148
[63] M. Lindahl, P. Pettersson, and Y. Wang. Formal Design and Analysis of a Gearbox Controller.
STTT 2001, 3(3):353–368, 2001.
[64] Y. Liu. Model Checking Concurrent and Real-time Systems: the PAT Approach. PhD thesis,
National University of Singapore, 2009.
[65] Y. Liu, W. Chen, Y. A. Liu, and J. Sun. Model Checking Lineariability via Reﬁnement. In
FM 2009, pages 321–337, 2009.
[66] Y. Liu, J. Sun, and J. S. Dong. An analyzer for extended compositional process algebras. In
ICSE Companion, pages 919–920. ACM, 2008.
[67] Y. Liu, J. Sun, and J. S. Dong. Scalable Multi-Core Model Checking Fairness Enhanced
Systems. In ICFEM 2009, pages 426–445, 2009.
[68] Y. Liu, J. Sun, and J. S. Dong. Developing model checkers using pat. In A. Bouajjani and
W.-N. Chin, editors, Automated Technology for Veriﬁcation and Analysis - 8th Internation-
al Symposium, ATVA 2010, Singapore, September 21-24, 2010. Proceedings, volume 6252 of
Lecture Notes in Computer Science, pages 371–377. Springer, 2010.
[69] Y. Liu, J. Sun, and J. S. Dong. Pat 3: An extensible architecture for building multi-domain
model checkers. In ISSRE, pages 190–199, 2011.
[70] G. Lowe. Breaking and ﬁxing the needham-schroeder public-key protocol using fdr. In TACAs
’96: Proceedings of the Second International Workshop on Tools and Algorithms for Construc-
tion and Analysis of Systems, pages 147–166, London, UK, 1996. Springer-Verlag.
[71] N. A. Lynch and F. W. Vaandrager. Action Transducers and Timed Automata. Formal Aspects
of Computing, 8(5):499–538, 1996.
[72] B. P. Mahony and J. S. Dong. Blending Object-Z and Timed CSP: An Introduction to TCOZ.
In Proceedings of the 20th International Conference on Software Engineering (ICSE 1998),
pages 95–104, Kyoto, Japan, 1998.
[73] B. P. Mahony and J. S. Dong. Network Topology and a Case Study in TCOZ. In Proceedings
of the 11th International Conference of Z Users (ZUM 1998), volume 1493 of LNCS, pages
308–327, 1998.
[74] B. P. Mahony and J. S. Dong. Timed Communicating Object Z. IEEE Trans. Software Eng.,
26(2):150–177, 2000.
BIBLIOGRAPHY 149
[75] D. May. OCCAM. SIGPLAN Notices, 18(4):69ĺC79, 1983.
[76] F. J. M. Merliand, D. Craig, F. Molaert, M. Mulvenna, C. Nugent, T. Scully, J. Bengtsson,
and R. M. Droses. Helping people with mild dementia navigate their day. In ICMCC 2007
:International Council on Medical and Care Compunetics, Amsterdam , Netherland, 2007.
[77] P. M. Merlin. A study of the recoverability of computing systems. PhD thesis, Department of
Information and Computer Science, University of California, 1974.
[78] T. K. Nguyen, J. Sun, Y. Liu, and J. S. Dong. A model checking framework for hierarchical
systems. In ASE, pages 633–636, 2011.
[79] X. Nicollin and J. Sifakis. The Algebra of Timed Processes, ATP: Theory and Application.
Information and Computation, 114(1):131–178, 1994.
[80] C. L. Pape and P. Baptiste. An experimental comparison of constraint-based algorithms for
the preemptive job-shop scheduling problem. In CP97 Workshop on Industrial COnstraint-
Directed Scheduling.
[81] N. M. R. Khalaf and S. Weerawarana. Service-Oriented Composition in BPEL4WS. In WWW
2003, 2003.
[82] G. M. Reed and A. W. Roscoe. A Timed Model for Communicating Sequential Processes. In
L. Kott, editor, ICALP, volume 226 of Lecture Notes in Computer Science, pages 314–323.
Springer, 1986.
[83] J. H. Reppy. CML: A Higher-Order Concurrent Language. In PLDI 1991, page 293ĺC305,
1991.
[84] A. W. Roscoe. Model-checking CSP. A classical mind: essays in honour of C. A. R. Hoare,
pages 353–378, 1994.
[85] A. W. Roscoe. The Theory and Practice of Concurrency. Prentice-Hall, 1997.
[86] A. W. Roscoe, P. H. B. Gardiner, M. Goldsmith, J. R. Hulance, D. M. Jackson, and J. B.
Scattergood. Hierarchical Compression for Model-Checking CSP or How to Check 1020 Dining
Philosophers for Deadlock. In Proceedings of the 1st International Conference of Tools and
Algorithms for Construction and Analysis of Systems (TACAS 1995), pages 133–152, 1995.
[87] P. Ryan, S. Schneider, M. Goldsmith, G. Lowe, and B. Roscoe. Modelling and Analysis of
Security Protocols, 2001.
BIBLIOGRAPHY 150
[88] S. Schneider. Concurrent and Real-time System: The CSP Approach. JOHNWILEY & SONS,
LTD, 2000.
[89] S. Schneider. Concurrent and Real-time Systems: the CSP Approach. John Wiley and Sons,
2000.
[90] S. A. Schneider. An Operational Semantics for Timed CSP. In Proceedings Chalmers Workshop
on Concurrency, 1991, pages 193 – 213.
[91] A. P. Sistla and E. Clarke. The Complexity of Propositional Temporal Logics. The Journal
of ACM, 32:733–749, 1986.
[92] G. Smith and J. Derrick. Speciﬁcation, Reﬁnement and Veriﬁcation of Concurrent Systems-An
Integration of Object-Z and CSP. Formal Methods in System Design, 18(3):249–284, 2001.
[93] J. Sun, Y. Liu, and B. Cheng. Model checking a model checker: A code contract combined
approach. In J. S. Dong and H. Zhu, editors, Formal Methods and Software Engineering - 12th
International Conference on Formal Engineering Methods, ICFEM 2010, Shanghai, China,
November 17-19, 2010. Proceedings, volume 6447 of Lecture Notes in Computer Science, pages
518–533. Springer, 2010.
[94] J. Sun, Y. Liu, J. S. Dong, and C. Q. Chen. Integrating Speciﬁcation and Programs for System
Modeling and Veriﬁcation. In TASE 2009, pages 127–135, 2009.
[95] J. Sun, Y. Liu, J. S. Dong, and J. Pang. Pat: Towards ﬂexible veriﬁcation under fairness.
volume 5643 of Lecture Notes in Computer Science, pages 709–714. Springer, 2009.
[96] J. Sun, Y. Liu, J. S. Dong, and J. Pang. PAT: Towards Flexible Veriﬁcation under Fairness.
In CAV, pages 702–708, 2009.
[97] J. Sun, Y. Liu, J. S. Dong, G. Pu, and T. H. Tan. Model-based methods for linking web service
choreography and orchestration. In APSEC 2010, pages 166 – 175, 2010.
[98] J. Sun, Y. Liu, J. S. Dong, and G. G. Pu. Model-based Methods for Linking Web Service
Choreography and Orchestration. Submitted for review.
[99] J. Sun, Y. Liu, J. S. Dong, and X. Zhang. Verifying stateful timed csp using implicit clocks
and zone abstraction. In K. Breitman and A. Cavalcanti, editors, Proceedings of the 11th
IEEEInternational Conference on Formal Engineering Methods (ICFEM 2009), volume 5885
of Lecture Notes in Computer Science, pages 581–600. Springer, 2009.
BIBLIOGRAPHY 151
[100] J. Sun, Y. Liu, A. Roychoudhury, S. Liu, and J. S. Dong. Fair model checking with process
counter abstraction. In A. Cavalcanti and D. Dams, editors, Proceedings of the Second World
Congress on Formal Methods (FM’09), volume 5850 of Lecture Notes in Computer Science,
pages 123–139. Springer, 2009.
[101] J. Sun, Y. Liu, S. Song, J. S. Dong, and X. Li. Prts: An approach for model checking
probabilistic real-time hierarchical systems. In S. Qin and Z. Qiu, editors, Formal Methods
and Software Engineering, volume 6991 of Lecture Notes in Computer Science, pages 147–162.
Springer Berlin / Heidelberg, 2011.
[102] J. Sun, S. Song, and Y. Liu. Model checking hierarchical probabilistic systems. In J. S.
Dong and H. Zhu, editors, Formal Methods and Software Engineering - 12th International
Conference on Formal Engineering Methods, ICFEM 2010, Shanghai, China, November 17-
19, 2010. Proceedings, volume 6447 of Lecture Notes in Computer Science, pages 388–403.
Springer, 2010.
[103] T. H. Tan, Y. Liu, J. Sun, and J. S. Dong. Veriﬁcation of orchestration systems using compo-
sitional partial order reduction. In S. Qin and Z. Qiu, editors, Formal Methods and Software
Engineering, volume 6991 of Lecture Notes in Computer Science, pages 98–114. Springer Berlin
/ Heidelberg, 2011.
[104] S. Vurgun, M. Philipose, and M. Pavel. A statistical reasoning system for medication prompt-
ing. In J. Krumm, G. D. Abowd, A. Seneviratne, and T. Strang, editors, Ubicomp, volume
4717 of Lecture Notes in Computer Science, pages 1–18. Springer, 2007.
[105] D. S. Warren. Programming with Tabling in XSB. In PROCOMET ’98: Proceedings of
the IFIP TC2/WG2.2,2.3 International Conference on Programming Concepts and Methods,
pages 5–6, London, UK, 1998.
[106] M. Winikoﬀ, P. Dart, and E. Kazmierczak. Animating z using logic programming techniques.
[107] J. Woodcock and J. Davies. Using Z: Speciﬁcation, Reﬁnement, and Proof. Prentice-Hall
International, 1996.
[108] W. Yi. CCS + Time = An Interleaving Model for Real Time Systems. In Proceedings of the
18th Colloquium on Automata, Languages and Programming (ICALP 1991), volume 510 of
LNCS, pages 217–228. Springer, 1991.
BIBLIOGRAPHY 152
[109] D. Q. Zhang, M. Hariz, and M. Mokhtari. Assisting elders with mild dementia staying at
home. Pervasive Computing and Communications, IEEE International Conference on, 0:692–
697, 2008.
[110] S. J. Zhang, J. Sun, J. Pang, Y. Liu, and J. S. Dong. On combining state space reductions
with global fairness assumptions. In M. Butler and W. Schulte, editors, FM 2011: Formal
Methods, volume 6664 of Lecture Notes in Computer Science, pages 432–447. Springer Berlin
/ Heidelberg, 2011.
[111] X. Zhang. Job-shop scheduling problems using timed planning. In Workshop on International
Conference on Secure Software Integration and Reliability Improvement (SSIRI 2010), pages
66–80, 2010.
[112] X. Zhang, Y. Liu, and M. Auguston. Modeling and analyzing timed security protocols using
extended timed csp. In SSIRI 2010: International Conference on Secure Software Integration
and Reliability Improvement, pages 217–226, 2010.
[113] M. Zheng, J. Sun, Y. Liu, J. S. Dong, and Y. Gu. Towards a model checker for nesc and
wireless sensor networks. In S. Qin and Z. Qiu, editors, Formal Methods and Software Engi-
neering, volume 6991 of Lecture Notes in Computer Science, pages 372–387. Springer Berlin /
Heidelberg, 2011.
Appendix A
Healthiness Conditions for Timed
Planning
Implicit predicates for most of the process operators are deﬁned as follows, where P denotes
process, e denotes event, X and Y are set of events.
Event Preﬁx: an ! P : 8 a ! P  an :Engage 6 P :Start
Sequence: P1; P2 : 8P1; P2  P1:End 6 P2:Start
Choice: P12P2 : 8P1 jjj P2  P1:Start = P2:Start ^ P1:End = P2:End
Timeout: P1 . fdg P2 : 8P1 . fdg P2  initfP1g:Engage <= d _ P2:Start = d
Interleaving: P1 jjj P2 : 8P1 jjj P2  P1:Start = P2:Start ^ P1:End = P2:End
Interrupt: P1 O P2 : 8P1 O P2  P1:Start 6 P2:Start
Timed Interrupt: P1 O fdgP2 : 8P1 Ofdg P2  P1:Start+ d 6 P2:Start
Parallel: P1 X jjY P2 : 8P1 X jjY P2;8 a 2 X \Y  P1:Start = P2:Start ^
P1:End = P2:End ^ P1:a:Engage = P2:a:Engage
153
Appendix A. Healthiness Conditions for Timed Planning 154
Appendix B
Real-time Multi-lift System
noOfFloor : N; noOfLifts : N
GroundFloor b= request?(1; up)! upbottomon ! enter !(1; up)! GroundFloor
2service?(1; up)! upbottomo ! GroundFloor
TopFloor b= request?(noOfFloor ; down)! downbottomon !
enter !(noOfFloor ; down)! TopFloor
2service?(noOfFloor ; down)! downbottomo ! TopFloor
MidFloor(level) b= request?(level ; up)! upbottomon !
enter !(level ; up)! MidFloor(level)
2request?(level ; down)! downbottomon !
enter !(level ; down)! Floor(level)
2service?(level ; up)! upbottomo ! MidFloor(level)
2service?(level ; down)! downbottomo ! MidFloor(level)
Floors b= (jjj1<i<noOfFloor MidFloor(i)) jjj GroundFloor jjj TopFloor
OpenDoor(i) b= servo!(i ; toOpen)! sensor?(i ; opened)! Skip
CloseDoor(i) b= servo!(i ; toClose)! sensor?(i ; closed)! Skip
CycleDoor(i) b= OpenDoor(i); conrm ! (  CDWait[t ]; CloseDoor
O sensor?(i ; interrupt)! OpenDoor ; CD)
Door(i) b= open?i ! CycleDoor(i); close!i ! Door(i)
Where close:Engagei   open:Engagei 6 td
Servomech b= servo?(i ; toOpen)! Servomech
2servo?(i ; toClose)! Servomech
2sensor !(i ; opened)! Servomech
2sensor !(i ; closed)! Servomech
2sensor !(i ; request)! Servomech
155
Appendix B. Real-time Multi-lift System 156
Shalf (i) b= move?n ! arrive ! Shalf (i)
Where n > 0 ^j n j t   delta 6 arrive:Engage move:Engage
^ arrive:Engage move:Engage 6j n j t + delta
Move1(i ; dest ;) b= move!(dest   )! arrive?dest !
open!i ! conrm ! Skip
Where :(dest = )
Move2(i ; dest ;) b= open!i ! conrm ! Skip
Where dest = 
Move(i ; dest ;) b= Move1(i ; dest ;)2Move2(i ; dest ;)
Get External(i ;) b= select?(dest ; dir)! Move(i ; dest ;);
service!( ; dir)! close ! Skip
Get Internal(i ; ;md) b= int sched !( ;md)! int sched?(dir)!
check !( ; dest ;md)! check ! Move(i ; dest ;);
init serv ! ! close?i ! Skip
LiftControl(i ; ;md) b= (Get Internal ;md)
2(Wait[tp ]; Get External()));
LiftControl(i ; ;md)
Lift(i) b= Door(i) jj Shalf (i) jj
LiftControl(i ; 0; 0) jj Internal Q(i ; [])
Appendix C
Complete Model of Smart Nursing
Home
Patient Behaviors:
Patient status: {inRoom, inShowerRoom, outside, inBed}
157
Appendix C. Complete Model of Smart Nursing Home 158
Residence(i ; status) b= (EnterRoom(i ; status); Residence(i ; inRoom))
2 (LeaveRoom(i ; status); Residence(i ; outside))
2 (Shower(i ; status); Residence(i ; status))
2 (BedActivity(i ; status); Residence(i ; status))
2 (Toilet(i ; status); Residence(i ; status))
EnterRoom(i ; status) b= [status == outside]enterRoom:i ! Skip
LeaveRoom(i ; status)) b= [status == inRoom]leaveRoom:i ! Skip
BedActivity(i ; status) b= [status == inRoom]gotoBed !
((sitonbed :0:i ! BedAct (i ; 0))
2 (sitonbed :1:i ! BedAct (i ; 1)))
BedAct (i ; j ) b= (SittingOnBed(i) 2 Sleeping(i));
(BedAct (i ; j ) 2 GetUp(i ; j ))
SittingOnBed(i) b= sitting :i ! Skip
Sleeping(i) b= laydown ! sleeping ! Skip
GetUp(i ; j ) b= leavebed :j :i ! Skip
Toilet(i ; status) b= [status == inRoom] start toilet 30!
(leave toilet ! Skip 2 ush ! leave toilet ! Skip);
(Skip 2WashHand(i))
WashHand(i ; status) b= [status == inRoom] turnonwash tap !
(washhand
20! (turno wash tap ! n washhand ! Skip
2 n washhand ! Skip))
Shower(i ; status) b= [status == inRoom] enterShowerRoom:i
! (Skip 2Wash()); leaveShowerRoom:i ! Skip
Wash() b= turnon shower tap ! start apply soap 60!
(Skip 2 turno shower tap ! Skip); getDressed ! Skip
Sensor Groups:
BedPressureS (i ; j ) b= sitonbed :j :i ! bed pressure sensor !(j ; 0)! BedRFID(i ; j )
2 laydown:j :i ! bed pressure sensor !(j ; 1)! Skip
2 leavebed :j :i ! BedRFID( 1; j )
Where sitonbed :j :i :Engage =
bed pressure sensor !(j ; 0):Engage
^ laydown:j :i :Engage =
bed pressure sensor !(j ; 1):Engage
BedPressureSensor b= (BedPressureS (0; 0) 2 BedPressureS (0; 1)) jjj
(BedPressureS (1; 0) 2 BedPressureS (1; 1));
BedPressureSensor
BedRFID(i ; j ) b= bed rd !j :i ! Skip
Appendix C. Complete Model of Smart Nursing Home 159
DoorRFIDReader b= (EnterDoorRFID 2 LeaveDoorRFID); DoorRFIDReader
EnterDoorRFID b= enterRoom:0! rd room!(0; outside)! Skip
2 enterRoom:1! rd room!(1; outside)! Skip
Where enterRoom:0:Engage =
rd room!(0; outside):Engage
^ enterRoom:1:Engage = rd room!(1; outside):Engage
LeaveDoorRFID b= leaveRoom:0! rd room!(0; inRoom)! Skip
2 leaveRoom:1! rd room!(1; inRoom)! Skip
Where leaveRoom:0:Engage = rd room!(0; inRoom)
^ leaveRoom:1:Engage = rd room!(1; inRoom):Engage
SRDoorRFIDReader b= (EnterSRRFID 2 LeaveSRRFID); SRDoorRFIDReader
EnterSRRFID b= enterShowerRoom:0! rd showerroom!(0; inRoom)! Skip






LeaveSRRFID b= leaveShowerRoom:0! rd showerroom!(0; inShowerRoom)
! Skip






ShowerSensor Tap b= turnon shower tap ! showerroom tap!1! Skip
2 turno shower tap ! showerroom tap!0! Skip);
ShowerSensor Tap
Where turnon shower tap:Engage =
showerroom tap!1:Engage
^ turno shower tap:Engage = showerroom tap!0:Engage
WashSensor Tap b= (turnon wash tap ! washbasin tap!1! Skip
2 (turno wash tap ! washbasin tap!0! Skip);
WashSensorTap();
Where turnonwash tap:Engage = washbasin tap!1:Engage
^ turno wash tap:Engage = washbasin tap!0:Engage
Sensors b= SRDoorRFIDReader jjj ShowerSensor Tap jjj BedPressureSensor
jjj DoorRFIDReader jjjWashSensor Tap
Appendix C. Complete Model of Smart Nursing Home 160
LocationMonitor = b= (rd room?(i ; status)!
[status == outside]detectEnterRoom:i ! Skip
2 [status == inRoom]detectLeaveRoom:i ! Skip);
LocationMonitor
ShowerRoomRFID b= (rd showerroom?(i ; status)!
[status == inRoom]detectEnterShowerRoom:i ! Skip
2 [status == inShowerRoom]detectLeaveShowerRoom:i
! tapo prompt ! Skip); ShowerRoomRFID
ShowerTapMonitor b= (showerroom tap?1! tapIsOn ! Skip
2 showerroom tap?0! tapIsO ! Skip);
ShowerTapMonitor
WashTapMonitor b=
(washbasin tap?1! basinTapIsOn ! Skip
2 washbasin tap?0! basinTapIsO ! Skip);
WashTapMonitor
BedMonitor b= (bed pressuresensor?(j ; s)! bed rd?(i ; j )!
[i ! =  1 ^ i ! = j ]prompt sleepInWrongBed :i ! Skip







Appendix C. Complete Model of Smart Nursing Home 161
Reminder Toilet(duration) b= (start toilet ! Skip duration.
nish toilet ! prompt !toilet ! Skip);
Reminder Toilet(duration)
Reminder Flushing(duration) b= (start toilet ! nish toilet ! Skip duration.
ush ! promptf lushtoilet ! Skip);
Reminder Flushing(duration)
Reminder ShowerLong(duration) b= (detectEnterShowerRoom:0! Skip duration.
detectLeaveShowerRoom:0
! prompt !showertoolong ! Skip
2 detectEnterShowerRoom:1! Skip duration.
detectLeaveShowerRoom:1
! prompt !showertoolong ! Skip);
Reminder ShowerLong(duration)
Reminder SleepingInWrongBed b= (prompt sleepInWrongBed :0
! prompt !(wrong bed ; 0)! Skip
2 prompt sleepInWrongBed :1
! prompt !(wrong bed ; 1)! Skip);
Reminder SleepingInWrongBed
Prompting b= prompt?status ! prompting ! Prompting
Appendix C. Complete Model of Smart Nursing Home 162
163
Appendix D. Complete PAT Model of Smart Nursing Home 164
Appendix D
Complete PAT Model of Smart
Nursing Home
#dene N 2; ==No: of residents; 2 residents per room
#dene Bed 2; == No: of beds
==channels
channel bed pressure sensor 0 0; ==pressure sensor for bed 0;
channel bed pressure sensor 1 0; == pressure sensor for bed 1;
channel chair pressure sensor 0 ;
channel rd room 0;
channel bed rd 0 0;
channel bed rd 1 0;
==channels
channel showerroom reed 0;
channel rd showerroom 0;
channel showerroom tap 0;




=  status of residences  =
var isInRoom[2] = [1; 1];
var isShowering [2] = [0; 0];
var bedStatus[2] = [ 1;   1];
var isInBed [2] = [ 1;   1];
var isInShowerRoom = [0; 0];
=  tap status  =
var isShowerTapOn = false;
var isBasinTapOn = false;
Appendix D. Complete PAT Model of Smart Nursing Home 165
==         ADLS         
Residence(i) = (Shower(i) 2 Sleep(i) 2 EnterRoom(i)
2 LeaveRoom(i) 2 Toilet(i)) ; Residence(i);
Sleep(i) = if (isInRoom[i ] == 1) fgotoBed !
(((sitonbed 0:i ! SittingOnBed(i);
(Sleeping(i) 2 Skip); GetUp(i ; 0))
2 (sitonbed 1:i ! SittingOnBed(i);
(Sleeping(i) 2 Skip); GetUp(i ; 1))))g;
SittingOnBed(i) = sitting :i ! Skip;
Sleeping(i) = laydown ! sleeping ! Skip;
GetUp(i ; j ) = if (j == 0)fleavesbed 0:i ! Skipg
elsefleavesbed 1:i ! Skipg;
EnterRoom(i) = ifb(isInRoom[i ] == 0)fenterRoom:i ! Skipg;
LeaveRoom(i) = ifb(isInRoom[i ] == 1 && isInBed [i ] ! = 1
&& isShowering [i ] == 0 )fleaveRoom:i ! Skipg;
Toilet(i) = if (isInRoom[i ] == 1) fstart toilet !Wait [30];
(leave toilet ! Skip 2 ush ! leave toilet ! Skip);
(Skip 2 WashHand(i))g;
WashHand(i) = if (isInRoom[i ] == 1) fturnon wash tap !
(washhand !Wait [20]; (turno wash tap !
n washhand ! Skip 2 n washhand ! Skip))g;
Shower(i) = readyForShower !Wait [30];
if (isInRoom[i ] == 1) f
enterShowerRoom:i ! (Skip 2 Wash());
leaveShowerRoom:i ! Skipg;
Wash() = turnon shower tap ! start apply soap !Wait [60; 2000];
(Skip 2 turno shower tap ! Skip);
getDressed ! Skip;
Appendix D. Complete PAT Model of Smart Nursing Home 166
=              Sensors             =
BedPressureSensor() =
((sitonbed 0:0! bed pressure sensor 0!0! BedRFID(0; 0))
2 (sitonbed 0:1! bed pressure sensor 0!0! BedRFID(1; 0))
2 (sitonbed 1:0! bed pressure sensor 1!0! BedRFID(0; 1))
2 (sitonbed 1:1! bed pressure sensor 1!0! BedRFID(1; 1))
2 (laydown ! bed pressure sensor 0!1! Skip)
2 (laydown ! bed pressure sensor 1!1! Skip)
2 (leavesbed 0:0! BedRFID( 1; 0))
2 (leavesbed 0:1! BedRFID( 1; 0))
2 (leavesbed 1:0! BedRFID( 1; 1))
2 (leavesbed 1:1! BedRFID( 1; 1))
); BedPressureSensor();
BedRFID(i ; j ) = if (j == 0) fbed rd 0!i ! Skipg
else fbed rd 1!i ! Skipg;
DoorRFIDReader() = ( atomicfenterRoom:0! rd room!0! Skipg
2 atomicfenterRoom:1! rd room!1! Skipg
2 atomicfleaveRoom:0! rd room!0! Skipg
2 atomicfleaveRoom:1! rd room!1! Skipg
); DoorRFIDReader();
ShowerRoomDoorRFIDReader() =
(atomicfenterShowerRoom:0! rd showerroom!0! Skipg
2 atomicfenterShowerRoom:1! rd showerroom!1! Skipg
2 atomicfleaveShowerRoom:0! rd showerroom!0! Skipg
2 atomicfleaveShowerRoom:1! rd showerroom!1! Skipg
); ShowerRoomDoorRFIDReader();
ShowerSensor Tap() =
2 i : f0::N   1g@(atomicfturnon shower tap
! showerroom tap!1! Skipg
2 (atomicfturno shower tap ! showerroom tap!0! Skipg)
); ShowerSensor Tap();
WashSensor Tap() =2 i : f0::N   1g@((
atomicfturnon wash tap ! washbasin tap!1! Skip g)







Appendix D. Complete PAT Model of Smart Nursing Home 167
=              Monitor System                
LocationMonitor() = atomicfrd room?i !
if (isInRoom[i ] == 0)ftaufisInRoom[i ] = 1; g ! Skipg
elsef
if (isInRoom[i ] == 1)f taufisInRoom[i ] = 0; g ! Skipg
gg; LocationMonitor();
ShowerRoomRFID() = atomicfrd showerroom?i !
if (isInShowerRoom[i ] == 0) f
taufisInShowerRoom[i ] = 1; g ! Skipg
elsef
if (isInShowerRoom[i ] == 1)f
taufisInShowerRoom[i ] = 0; g ! tapo prompt ! Skip gg
g; ShowerRoomRFID();
ShowerTapMonitor() = (atomicfshowerroom tap?1!
taufisShowerTapOn = true; g ! Skipg
2 atomicfshowerroom tap?0! taufisShowerTapOn = false; g !
Skipg); ShowerTapMonitor();
WashTapMonitor() = (atomicfwashbasin tap?1
! taufisBasinTapOn = true; g ! Skipg
2 atomicfwashbasin tap?0! taufisBasinTapOn = false; g
! Skipg) ; WashTapMonitor();
BedMonitor() = BedMonitor1() jjj BedMonitor2();
BedMonitor1() = (atomicfbed pressure sensor 0?i ! taufisInBed [0] = i ; g !
if (i ! =  1 && i ! = 0) fsleepInWrongBed :1! Skipgg
2 atomicfbed pressure sensor 1?i ! taufisInBed [1] = i ; g !
if (i ! =  1 && i ! = 1) fsleepInWrongBed :0! Skipgg);
BedMonitor1();
BedMonitor2() = (atomicfbed rd 0?i ! taufbedStatus[0] = i ; g ! Skipg







Appendix D. Complete PAT Model of Smart Nursing Home 168
=              Services=Reminders=Control System       
Toilet Reminder(duration) =
start toilet ! Skip timeout [duration] nish toilet !
prompt toilet ! Skip; Toilet Reminder(duration);
Flush Toilet Reminder(duration) =
start toilet ! Skip timeout [duration] ush !
prompt ushtoilet ! Skip;
Reminder Shower TooLong(duration) =
2 i : f0::N   1g@enterShowerRoom:i ! (leaveShowerRoom:i
! Skiptimeout [duration] prompt nishshower ! Skip);
SleepingInWrongBedReminder() =
2 i : f0::N   1g@atomicfsleepInWrongBed :i !
prompt wrong bed :i ! Skipg; SleepingInWrongBedReminder();
Reminder TurnO Tap() = atomicftapo prompt ! if (isShowerTapOn == true)
fif (isInShowerRoom[0] == 0 && isInShowerRoom[1] == 0 )
ftapon nobodyin ! Skipg; prompt TurnOTap !
CheckFalseAlarm(1) gg; Reminder TurnO Tap();
=              Errorness cases             
var falsealarm = false;
CheckFalseAlarm(type) = if (type == 1)fif (isInShowerRoom[0] == 1
k isInShowerRoom[1] == 1)ftauffalsealarm = true; g ! Skipgg;
=              Dene Smart Nursing Home System      
Reminders() = Toilet Reminder(1800) jjj Reminder Shower TooLong(1800)
jjj SleepingInWrongBedReminder() jjj Reminder TurnO Tap() ;
Residences() = Residence(0) jjj Residence(1) ;
SmartNursingHome() = (Residences() k Sensors() k Reminders()) k Monitor() ;
