Timed CSP = Closed Timed Automata, by Joël Ouaknine and James Worrell
URL: http://www.elsevier.nl/locate/entcs/volume68.html 18 pages
Timed CSP = Closed Timed Automata 1
Joël Ouaknine 2,3 and James Worrell
Department of Mathematics, Tulane University,
New Orleans LA 70118, USA
Abstract
We study the expressive power of an augmented version of Timed CSP and show
that it is precisely equal to that of closed timed automata—timed automata with
closed invariant and enabling clock constraints. We also show that this new version
of Timed CSP is expressive enough to capture the most widely used speciﬁcations
on timed systems as reﬁnements between processes, and moreover that reﬁnement
checking is amenable to digitisation analysis. As a result, we are able to verify some
of the most important timed speciﬁcations, including branching-time liveness prop-
erties such as timestop-freedom and constant availability, using the model checker
FDR (a commercial product of Formal Systems (Europe) Ltd.).
1 Introduction
The formal analysis of real-time systems usually involves both an implemen-
tation and a speciﬁcation formalism, together with a mechanism for deciding
whether a particular implementation meets a given speciﬁcation. For exam-
ple, one may choose the framework of timed automata [4] as implementation
formalism, and some (quantitative) temporal logic to express speciﬁcations [6].
Veriﬁcation can then be carried out using model checking [3]. In Reed and
Roscoe’s dense-time process algebra Timed CSP [22,21], speciﬁcations usually
consist of allowable sets of behaviours, often described mathematically. Ver-
ifying that processes meet their speciﬁcations then usually proceeds through
some kind of proof system [24,11,25].
In the case of dense-time modelling paradigms, there have been very few
attempts to express speciﬁcations using the implementation framework, and
satisfaction as reﬁnement (reverse inclusion of sets of behaviours). The only
instance we are aware of is the use of event-clock automata to express spec-
iﬁcations of (arbitrary) timed automata [5]. More recently, we have shown
1 This research was supported by the U.S. ONR and the NSF.
2 Now at CMU School of Computer Science, 5000 Forbes Ave., Pittsburgh PA 15213, USA.
3 Email: joelo@andrew.cmu.edu
©2002 Published by Elsevier Science B. V. Open access under CC BY-NC-ND license.
in the context of Timed CSP that discrete reﬁnement techniques could be
used to verify speciﬁcations on certain dense-time systems using the model
checker FDR [16,17]. The main disadvantage of a reﬁnement-based approach
for Timed CSP is that expressiveness was, until now, spectacularly poor.
This problem is not an intrinsic feature of a reﬁnement approach, but is
rather an artefact of Reed and Roscoe’s version of Timed CSP. For instance,
to express the speciﬁcation ‘the process P cannot perform the event a’, one
must show that P refines $\mathit{RUN}_{\Sigma-\{a\}}$, where $\mathit{RUN}_{\Sigma-\{a\}}$ is a process which can
communicate any sequence of events other than a's. The semantic assumption
of well-timedness made by Reed and Roscoe (required for processes to be well-
deﬁned) however bans such arbitrarily speedy (or Zeno) processes.
A natural solution is therefore to attempt to ease some of the restrictions
imposed on the language in order to obtain a more expressive version of Timed
CSP, one in which such processes, able to communicate arbitrarily many events
at any given point in time, are allowed. Another desirable feature is the
addition of signals to the language, to be able to express speciﬁcations such
as ‘the process must perform an a within two time units’. (‘Soft’ signals were
incorporated into Timed CSP in [11]; the ‘hard’ approach we propose, which
potentially introduces timestops, diﬀers in important respects.) Naturally, it
is highly desirable that the path we follow retain suﬃciently robust ties to
CSP to preserve the use of such techniques as FDR model checking.
As a result, we are able to show that the most widely used speciﬁcations on
timed systems can be captured as reﬁnements between Timed CSP processes,
and moreover that such reﬁnements can be veriﬁed on the model checker FDR
by means of digitisation techniques. In fact, we even show that a number
of branching-time liveness properties such as timestop-freedom and constant
availability can be veriﬁed through digitisation (and FDR), in contrast to the
situation with timed automata.
We characterise the expressive power of this augmented version of Timed
CSP (when restricted to ﬁnite-state processes) as precisely that of closed timed
automata. Closed timed automata are the timed safety automata of [13]
with exclusively closed invariant and enabling clock constraints (of the form
x  3 rather than x < 3, for example). Timed CSP appears to be the most
general modelling formalism systematically yielding processes closed under
digitisation (and thus amenable to digitisation techniques), making it a prime
candidate for the practical formal analysis of timed systems.
2 Timed CSP Syntax and Semantics
We present the syntax and semantics of our augmented version of Timed CSP.
Further details can be found in [19], where in particular we address the ques-
tion of detecting livelocked processes (able to perform inﬁnitely many internal
transitions). In this paper, we only consider processes that are livelock-free.
Let Σ be a finite set of events, with ✓ ∉ Σ. We write Σ^✓ to denote Σ ∪ {✓}.
In the notation below, we have a ∈ Σ and A ⊆ Σ. The parameter n ranges
over the non-negative integers N. R denotes a (renaming) relation on Σ. The
variable X is drawn from a ﬁxed inﬁnite set of process variables VAR.
Timed CSP terms are constructed according to the following grammar:

$$P ::= \mathit{STOP} \mid \mathit{TIMESTOP} \mid a \longrightarrow P \mid a \overset{!}{\longrightarrow} P \mid \mathit{SKIP} \mid \mathit{RANDOM} \mid P_1 \overset{n}{\triangleright} P_2 \mid P_1 \overset{n}{\triangle} P_2 \mid P_1 \,\Box\, P_2 \mid P_1 \sqcap P_2 \mid P_1 \parallel_A P_2 \mid P_1 ; P_2 \mid P \setminus A \mid P[R] \mid X \mid \mu X \cdot P .$$
STOP is the deadlocked process which is only capable of letting time pass. TIMESTOP is similar to STOP except that time itself is also blocked; it represents inconsistent timing requirements. The prefixed process $a \longrightarrow P$ initially offers at any time to engage in the event a, and subsequently behaves like P. The signalling prefixed process $a \overset{!}{\longrightarrow} P$ communicates a immediately and subsequently behaves like P. SKIP represents successful termination, and is willing to communicate ✓ at any time. RANDOM nondeterministically waits for a real-valued amount of time, and then becomes SKIP. $P \overset{n}{\triangleright} Q$ is the timeout process that initially offers to become P for n time units, after which it silently becomes Q if P has failed to communicate any visible event. $P \overset{n}{\triangle} Q$ is the interrupt process that behaves like P for the first n time units, and then silently starts behaving like Q (assuming P has not successfully terminated in the meantime). $P \sqcap Q$ denotes the nondeterministic choice between P and Q, whereas $P \,\Box\, Q$ represents the deterministic alternative. $P \,\Box\, Q$ is willing to behave either like P or like Q, the decision being taken on the first visible event. The parallel composition $P_1 \parallel_A P_2$ requires $P_1$ and $P_2$ to synchronise on all events in A, and to behave independently of each other with respect to all other events. $P ; Q$ is the sequential composition of P and Q: it denotes a process which behaves like P until P chooses to terminate (silently), at which point the process seamlessly starts to behave like Q. $P \setminus A$ is a process which behaves like P but with all communications in the set A hidden; the assumption of maximal progress, or τ-urgency, dictates that no time can elapse while hidden events are on offer—in other words, hidden events happen as soon as they become available. The renamed process $P[R]$ derives its behaviours from those of P in that, whenever P can perform an event a, $P[R]$ can engage in any event b such that a R b. Lastly, the recursion $\mu X \cdot P$ represents the unique solution to the equation X = P.
The requirement that all delays (parameters n in the terms $P_1 \overset{n}{\triangleright} P_2$ and $P_1 \overset{n}{\triangle} P_2$) be integral is very benign—thanks to the possibility of scaling time units, we could have equally well required rational delays instead, with only minor modifications to our presentation.
We write TCSP to denote the collection of closed terms of the language
thus generated. (A term is closed if every occurrence of a variable X in it is
within the scope of a µX operator).
We occasionally use the following derived constructs: if $S = \{P_1, \ldots, P_k\}$ is a finite set of processes, $\bigsqcap S$ represents $P_1 \sqcap \ldots \sqcap P_k$, and similarly for $\Box S$. The interleaving operator $|||$ denotes parallel composition over an empty interface. Lastly, we usually express recursions by means of the equational notation X = P, rather than the functional $\mu X \cdot P$.
As an example, let us deﬁne a process VM intended to model a vending
machine with the following behaviours: initially, the vending machine is at
any time willing to accept a coin. Once a coin has been introduced in the
machine, the customer can choose between ordering a chocolate or a biscuit;
however, if he fails to make his choice within 60 seconds, his money is returned
and the vending machine reverts to its initial state.
We describe this vending machine below both as a Timed CSP process and
as a timed automaton (cf. Section 4).
[Figure: the vending machine as a timed automaton. From the initial state, coin.in resets the clock x and leads to a state with invariant x ≤ 60; from that state choc and biscuit return to the initial state, as does coin.out, which is guarded by x = 60.]

$$\mathit{VM} = \mathit{coin.in} \longrightarrow \Big( (\mathit{choc} \longrightarrow \mathit{VM} \;\Box\; \mathit{biscuit} \longrightarrow \mathit{VM}) \overset{60}{\triangleright} (\mathit{coin.out} \overset{!}{\longrightarrow} \mathit{VM}) \Big)$$
We now sketch the dense-time denotational semantics of this augmented
version of Timed CSP; a congruent operational semantics is also given in
Appendix A. The denotational semantics is a hybrid mix of Reed and Roscoe’s
timed failures model [22,21,23,27] and refusal testing [20].
A timed event is a pair (t, a) ∈ R+ × Σ. A (timed) refusal is a set of
timed events and may also include special timed events of the form (t, time),
where time is a symbol indicating that time cannot pass. From now on, we
abbreviate Σ∪{time} as Σtime . We require in addition that refusals be time-
bounded (the set of times associated with a refusal’s timed events must be
bounded).
A (timed) refusal trace is a sequence 〈ℵ0, (t1, a1),ℵ1, (t2, a2), . . . , (tk, ak),ℵk〉
(with k  0), where each ℵi is a refusal and each (ti, ai) is a timed event, sub-
ject to the condition that timestamps be non-decreasing. The set of all refusal
traces is written RT.
We interpret a refusal trace T as a summary of an experimenter’s inter-
action with a process, in which events that were refused were recorded in the
various refusals of T , whereas events that were observed were recorded in be-
tween refusals. No refusal is however recorded while silent actions are on oﬀer.
The refusal of time itself is communicated to the experimenter via, say, the
ﬂashing of a red light.
Refusal traces are essentially linear-time behaviours that encapsulate a
modicum of branching-time information. The primary motivation for consid-
ering refusal traces as opposed to simple timed traces is that the latter do not
allow for a compositional model, as was shown in [21].
A notable feature of Timed CSP is the phenomenon of point nondetermin-
ism, whereby distinct behaviours are nondeterministically enabled or disabled
at the precise instant at which a silent transition (such as a timeout) occurs.
Point nondeterminism, discussed at much greater length in [23], arises natu-
rally in models of Timed CSP for compositionality reasons. Interestingly, one
of its chief consequences in the present context is that it allows for digitisation
analysis of dense-time liveness properties (such as timestop-freedom), which
other modelling paradigms, such as timed automata, usually lack. We shall
return to this point in Section 5.
One can define a compositional semantic map $\mathcal{R}_{\mathbb{R}}\llbracket \cdot \rrbracket : \mathit{TCSP} \longrightarrow \mathcal{P}(\mathit{RT})$ which associates with every process P its set of (dense-time) refusal traces $\mathcal{R}_{\mathbb{R}}\llbracket P \rrbracket$. This map can also be described through the operational semantics, as shown in Appendix A. (Throughout, a subscript $\mathbb{R}$ marks the dense-time and a subscript $\mathbb{Z}$ the integral-time semantics.)
One can also compositionally define $\mathcal{R}_{\mathbb{Z}}\llbracket P \rrbracket$, the set of integral-time refusal traces of a process P. A refusal trace is integral-time if each of its events has an integral timestamp, and if each of its refusals can be written as a union of refusal tokens with integral endpoints. A refusal token is a set of the form $[t,t'] \times A$, $(t,t'] \times A$, $[t,t') \times A$, or $(t,t') \times A$, where $t, t' \in \mathbb{R}^+$ are the endpoints of the refusal token, and $A \subseteq \Sigma_{\mathit{time}}$ are the events refused over the corresponding interval.
Finally, we let $\mathcal{T}_{\mathbb{R}}\llbracket P \rrbracket$ and $\mathcal{T}_{\mathbb{Z}}\llbracket P \rrbracket$ respectively stand for the sets of dense-time and integral-time timed traces of P.
3 Speciﬁcations as Reﬁnements, and Veriﬁcation
We consider the questions of expressing speciﬁcations on processes as reﬁne-
ments (reverse inclusion of sets of behaviours), and of verifying such speciﬁca-
tions. We are interested both in trace reﬁnements (capturing safety properties:
‘nothing bad happens’) and refusal trace reﬁnements (capturing both safety
and liveness: ‘good things are not prevented from happening’).
Note that liveness is for us a branching-time concept, diﬀerent from Alpern
and Schneider’s related linear-time deﬁnition [1]. The latter can be para-
phrased as ‘something good must eventually happen’: messages are eventu-
ally delivered, the printer is eventually online, etc. In our case, examples of
liveness include ‘the eject button is always enabled once the aircraft is in the
air’, ‘the network is deadlock-free (or timestop-free)’, ‘the nuclear warheads
are permanently launch-ready’, etc. Observe that there is no requirement that
the live behaviour in question actually ever take place; indeed, the security
provided by, say, a nuclear deterrent, lies precisely in the fact that it need not
ever be used.
Real-time speciﬁcations are usually expressed in some temporal logic, such
as MTL (linear-time) or TCTL (branching-time) [6]. The question of delin-
eating the exact expressive power of reﬁnement with respect to such logics
is studied in [15] in the untimed case and shown to be a subtle problem.
The addition of time naturally compounds the diﬃculties. A comprehensive
treatment of the question is therefore a challenging topic for further work;
nonetheless, we show here that many, if not most, interesting real-time prop-
erties can indeed be captured as Timed CSP reﬁnements.
An implementation $P \in \mathit{TCSP}$ meets a specification $S \in \mathit{TCSP}$, written $P \models S$, if all the behaviours of P are also behaviours of S. This leads to four possible definitions of satisfaction, according to whether the behaviours considered are traces (superscript T) or refusal traces (superscript R), and according to whether time is dense (subscript $\mathbb{R}$) or discrete, i.e. integral (subscript $\mathbb{Z}$):

$$\begin{aligned}
P \models^{T}_{\mathbb{R}} S &\Leftrightarrow \mathcal{T}_{\mathbb{R}}\llbracket P \rrbracket \subseteq \mathcal{T}_{\mathbb{R}}\llbracket S \rrbracket \\
P \models^{T}_{\mathbb{Z}} S &\Leftrightarrow \mathcal{T}_{\mathbb{Z}}\llbracket P \rrbracket \subseteq \mathcal{T}_{\mathbb{Z}}\llbracket S \rrbracket \\
P \models^{R}_{\mathbb{R}} S &\Leftrightarrow \mathcal{R}_{\mathbb{R}}\llbracket P \rrbracket \subseteq \mathcal{R}_{\mathbb{R}}\llbracket S \rrbracket \\
P \models^{R}_{\mathbb{Z}} S &\Leftrightarrow \mathcal{R}_{\mathbb{Z}}\llbracket P \rrbracket \subseteq \mathcal{R}_{\mathbb{Z}}\llbracket S \rrbracket .
\end{aligned}$$
We present below three paradigmatic linear-time safety speciﬁcations (safe
reachability, bounded invariance, and bounded response), and brieﬂy describe
how they can be expressed as Timed CSP processes. We also present two
paradigmatic branching-time liveness speciﬁcations (constant availability and
timestop-freedom) and likewise show that they are captured by Timed CSP
processes. For simplicity, we have ignored the possibility of global successful termination (communication of ✓'s).
Four of the speciﬁcations are given their corresponding MTL or TCTL
formulas as names, but no knowledge of these logics is required or assumed.
Safe reachability ($\Box\neg a$): 'The event a is never performed.' According to [10], this is the most common specification on timed systems, since "most properties [on timed systems] can be encoded as exceptions [the event a in this case]". This is a trace specification which is captured by the process $\mathit{RUN}_{\Sigma-\{a\}}$. Here $\mathit{RUN}_B = \Box\{b \longrightarrow \mathit{RUN}_B \mid b \in B\}$. $\mathit{RUN}_B$ can perform any trace containing only events in B.
Constant availability ($\forall\Box a$): 'The event a is never refused.' The process

$$\mathit{LIVE} = \Big(\mathit{RANDOM} ; \big(\textstyle\bigsqcap\{b \overset{!}{\longrightarrow} \mathit{LIVE} \mid b \in \Sigma\} \sqcap \mathit{TIMESTOP}\big)\Big) \;\Box\; (a \longrightarrow \mathit{LIVE})$$

captures this refusal trace liveness specification.
Timestop-freedom (TSF): 'The process never exhibits timestops.' The process

$$\mathit{TSF} = \mathit{RANDOM} ; \big(\textstyle\bigsqcap\{a \overset{!}{\longrightarrow} \mathit{TSF} \mid a \in \Sigma\} \sqcap \mathit{STOP}\big)$$

captures this refusal trace liveness specification. TSF is the most nondeterministic process which has no timestops.
[12] lists the two speciﬁcations that follow as the most commonly encoun-
tered in practice; note that safe reachability is essentially a special case of
bounded invariance.
Bounded invariance ($\Box(a \Rightarrow \Box_I \neg b)$): 'Whenever the event a occurs, the event b is prevented from occurring during the time interval I, as measured from the time of occurrence of a.' Here $I = (k, k')$ is an open interval of length at least two with integral (or infinite) endpoints.
This trace specification can be captured by a process containing $2\lceil k/(k'-k) \rceil + 2$ parallel processes. All but one of these are 'alarm' clocks: whenever an a
occurs, two alarm clocks are set up, one to ring in k time units, indicating
that b’s should be disabled, the other to ring in k′ time units, to end the
prohibition on b’s. Now should a second a occur within k′ − k time units
(a single clock is used to keep track of this time period), the second of the
two alarm clocks just described is simply reset to ring k′ time units in the
future. A single discrete controller easily manages all these clocks. Note that
the ‘alarm rings’ are internal, i.e., globally hidden.
(Strong) bounded response ($\Box(a \Rightarrow \Diamond_J b)$): 'Whenever the event a occurs, the event b must occur during the time interval J, as measured from the time of occurrence of a.' Here $J = [k, k']$ is a closed interval with integral endpoints and k < k′ or k = k′ = 0.
In general the most nondeterministic process satisfying a bounded response
property will be inﬁnite-state (require inﬁnitely many clocks); however we can
deﬁne a ﬁnite-state process which captures the integral behaviours of this
trace speciﬁcation. Such a process consists of a discrete controller along with
k′ + 1 clocks. Again, for a given occurrence of the event a, an alarm clock is
set to ring after k time units have passed. This indicates the beginning of the
period during which the event b must occur. Having rung, the clock is reset
to ring k′ − k time units later, at the very end of the period in question. b’s
are constantly on oﬀer, and as soon as one occurs, the monitoring of b’s is
disengaged. Otherwise, a b is signalled (and thus must happen on the spot)
when the second alarm goes oﬀ. The fact that this process only captures
the integral behaviours of the corresponding bounded response property is
suﬃcient for veriﬁcation purposes, as we now demonstrate.
We employ digitisation techniques [12,16,17] as a means of verifying that
a process meets its speciﬁcation. (A brief review of digitisation is presented in
Appendix B.) The following theorem, extending a result of [16,17], is central
to our approach:
Theorem 3.1 Any P ∈ TCSP is closed under refusal trace (and hence also
trace) digitisation.
Proposition 3.2 Safe reachability, bounded invariance, and bounded response
are closed under inverse trace digitisation [12]. Timestop-freedom and con-
stant availability are closed under inverse refusal trace digitisation.
Corollary 3.3 Let $P \in \mathit{TCSP}$ be a Timed CSP process. Then

$$\begin{aligned}
P \models^{T}_{\mathbb{R}} \Box\neg a &\Leftrightarrow P \models^{T}_{\mathbb{Z}} \Box\neg a \\
P \models^{R}_{\mathbb{R}} \forall\Box a &\Leftrightarrow P \models^{R}_{\mathbb{Z}} \forall\Box a \\
P \models^{R}_{\mathbb{R}} \mathit{TSF} &\Leftrightarrow P \models^{R}_{\mathbb{Z}} \mathit{TSF} \\
P \models^{T}_{\mathbb{R}} \Box(a \Rightarrow \Box_I \neg b) &\Leftrightarrow P \models^{T}_{\mathbb{Z}} \Box(a \Rightarrow \Box_I \neg b) \\
P \models^{T}_{\mathbb{R}} \Box(a \Rightarrow \Diamond_J b) &\Leftrightarrow P \models^{T}_{\mathbb{Z}} \Box(a \Rightarrow \Diamond_J b) .
\end{aligned}$$
The right-hand side discrete checks can all be performed on the model checker
FDR; see [16,17] for details.
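The discrete checks above rest on two facts: the implementation is closed under digitisation, and the specification is closed under inverse digitisation, so a dense-time violation always leaves an integral-time witness. The Python below is an added example, not code from the paper or from FDR. It implements the digitisation operator on timed traces (the standard $[t]_\varepsilon$ rounding of Henzinger, Manna and Pnueli, which rounds t down when its fractional part is at most ε and up otherwise; the paper's own definition is in its Appendix B, not reproduced here), the trace forms of bounded response and bounded invariance, and a search for a digitisation that violates the specification whenever the dense-time trace does. The sample traces are constructed for the example, and the interval bounds (closed J = [0, 2], open I = (1, 3)) are assumptions chosen to fit the restrictions stated above.

```python
"""Digitisation of timed traces (Section 3): the [t]_eps rounding, the trace
forms of bounded response and bounded invariance, and a search for a
digitisation that witnesses a dense-time violation.  Times are exact
fractions so that rounding decisions are never subject to float error."""
import math
from fractions import Fraction as Fr


def digitise_time(t, eps):
    """[t]_eps: round t down when its fractional part is <= eps, else up
    (standard digitisation operator; 0 <= eps <= 1)."""
    t = Fr(t)
    fl = math.floor(t)
    return fl if t - fl <= eps else fl + 1


def digitise_trace(trace, eps):
    """Digitise every timestamp of a timed trace [(t, event), ...]."""
    return [(digitise_time(t, eps), e) for (t, e) in trace]


def all_digitisations(trace):
    """The finitely many distinct digitisations of a trace.  [t]_eps changes
    only when eps crosses the fractional part of some timestamp, so eps = 0
    and eps = each fractional part occurring in the trace are enough."""
    fracs = {Fr(t) - math.floor(Fr(t)) for (t, _) in trace}
    return {tuple(digitise_trace(trace, eps)) for eps in fracs | {Fr(0)}}


def bounded_response(trace, a, b, k, kp):
    """[](a => <>_J b) with J = [k, kp] closed: every a at time t is answered
    by a b at some time t_b with t + k <= t_b <= t + kp."""
    return all(any(e2 == b and t + k <= t2 <= t + kp for (t2, e2) in trace)
               for (t, e) in trace if e == a)


def bounded_invariance(trace, a, b, k, kp):
    """[](a => []_I not b) with I = (k, kp) open: after an a at time t no b
    occurs strictly inside (t + k, t + kp).  kp may be math.inf."""
    return not any(e2 == b and t + k < t2 < t + kp
                   for (t, e) in trace if e == a for (t2, e2) in trace)


def violating_digitisation(trace, spec):
    """If the dense-time trace violates `spec`, return a digitisation of it
    that also violates `spec`; None if the dense-time trace satisfies `spec`.
    For a specification closed under inverse digitisation (Proposition 3.2)
    a witness always exists, so checking integral traces loses nothing;
    None is also returned if, against that, no witness is found."""
    if spec(trace):
        return None
    for d in sorted(all_digitisations(trace)):
        if not spec(list(d)):
            return list(d)
    return None


# Constructed sample traces (not taken from the paper).
DENSE_OK = [(Fr(0), "a"), (Fr(3, 2), "b")]   # b at 1.5: within J = [0, 2]
DENSE_BAD = [(Fr(0), "a"), (Fr(5, 2), "b")]  # b at 2.5: too late for J = [0, 2]


def response_spec(trace):    # assumed bounds: J = [0, 2]
    return bounded_response(trace, "a", "b", 0, 2)


def invariance_spec(trace):  # assumed bounds: I = (1, 3)
    return bounded_invariance(trace, "a", "b", 1, 3)


if __name__ == "__main__":
    print(sorted(all_digitisations(DENSE_BAD)))
    print(violating_digitisation(DENSE_BAD, response_spec))
    print(violating_digitisation(DENSE_OK, invariance_spec))
```

Note that DENSE_OK satisfies the bounded-response instance but violates the bounded-invariance one (its b at 1.5 lies inside (1, 3)); in each case where the dense trace violates the specification, one of the two digitisations (ε = 0 or ε = 1/2) violates it as well, which is what the discrete check on FDR relies on.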
4 Closed Timed Automata
We deﬁne the class of closed timed automata. These are essentially the timed
safety automata of [13] with exclusively closed invariant and enabling con-
straints.
An example of a closed constraint is x ≤ 3, where x is a clock, as opposed
to x < 3. Since any timed automaton can be inﬁnitesimally approximated
by one with closed constraints, this restriction appears to be rather benign in
practice, an opinion shared by several researchers (see, e.g., [7]).
This class of timed automata corresponds exactly to 'finite-state' Timed CSP processes, in a sense which we make precise shortly. Since the semantics of Timed CSP is based on finite behaviours, we must give up Alur and Dill's Büchi acceptance conditions [4], and instead consider every state to be accepting. To simplify our exposition, we assume that automata cannot terminate successfully (communicate ✓).
Let C be a finite set of clocks, denoted $x, y, x_1, x_2$, etc. The grammar

$$\sigma ::= \mathit{true} \mid x \le c \mid x \ge c \mid x_1 + c_1 \le x_2 + c_2 \mid \sigma_1 \wedge \sigma_2 \mid \sigma_1 \vee \sigma_2$$

defines the set $F_C$ of clock constraints over C. (Here $c, c_1, c_2$ are non-negative integers.) Note that all constraints are closed: interpreted over the non-negative reals, they always define closed subsets in the usual topology.
Deﬁnition 4.1 A closed timed automaton is a tuple (Σ, S, S0, C, E, inv), where
• Σ is a ﬁnite alphabet,
• S is a ﬁnite set of states,
• S0 ⊆ S is a set of start states,
• C is a ﬁnite set of clocks,
• E ⊆ S × S × Σ×P(C)× FC is a set of transitions, and
• inv : S −→ FC speciﬁes state invariant constraints.
The class of closed timed automata is denoted CTA.
The dense-time refusal trace semantics $\mathcal{R}_{\mathbb{R}}\llbracket A \rrbracket$ of a timed automaton A can now be defined in the standard way; we have relegated the precise details to Appendix C.
The sets $\mathcal{T}_{\mathbb{R}}\llbracket A \rrbracket$, $\mathcal{R}_{\mathbb{Z}}\llbracket A \rrbracket$, and $\mathcal{T}_{\mathbb{Z}}\llbracket A \rrbracket$, representing respectively the dense-time traces of A, the integral-time refusal traces of A, and the integral-time traces of A, are all derived from $\mathcal{R}_{\mathbb{R}}\llbracket A \rrbracket$ in the same manner as for Timed CSP processes.
5 Timed Automata as Timed CSP Processes (and Back)
Given any timed automaton $A \in \mathit{CTA}$, we construct two corresponding Timed CSP processes $P^A_{\mathbb{R}}$ and $P^A_{\mathbb{Z}}$, capturing respectively the dense-time and integral-time behaviours of A. Our constructions use some ideas introduced in [9].
We begin by giving the construction of $P^A_{\mathbb{R}}$. Let $A = (\Sigma, S, S_0, C, E, \mathit{inv})$ be an automaton with k clocks $x_1, x_2, \ldots, x_k \in C$. We build $P^A_{\mathbb{R}}$ as the parallel composition of k + 2 processes: a network CLOCKS of k processes for the clocks, a process REGIONS to mimic the clock regions graph, and a process CONTROL for the discrete state controller.
For each clock $x_i \in C$ of A, let $c_{x_i}$ be the largest constant that $x_i$ is ever compared to in the enabling and invariant constraints of A. We assume the reader is familiar with the clock regions construction [2,3], which partitions $(\mathbb{R}^+)^k$ (the space of valuations of clocks) into $k! \cdot 2^k \cdot \prod_{1 \le i \le k} (2c_{x_i} + 2)$ or fewer equivalence classes. Two clock interpretations lie in different equivalence classes if either they differ in the integral parts of the readings of a clock $x_i$ (and one of these numbers is less than $c_{x_i} + 1$), or if they differ in the ordering of the fractional parts of all the clocks.
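As an added illustration (not the paper's code) of the region construction that REGIONS mimics, the Python below computes a canonical key for the clock region containing a valuation, so that two valuations are region-equivalent exactly when their keys agree, and evaluates the bound quoted above. It follows the Alur-Dill definition: a clock above its largest constant is indistinguishable from any other such reading, a bounded clock is compared by integral part and by whether its fractional part is zero, and the non-zero fractional parts of the bounded clocks are compared by their ordering (equal fractions falling in one class). The valuations in the usage are constructed for the example.

```python
"""Clock regions (Section 5): canonical key of the region containing a clock
valuation, region equivalence, and the paper's bound on the number of regions."""
from fractions import Fraction as Fr
from itertools import groupby
from math import factorial, floor


def region_key(valuation, cmax):
    """Canonical description of the region of `valuation`.
    valuation: list of clock readings (exact fractions or ints);
    cmax: list of the largest constant c_{x_i} each clock is compared with.
    Two valuations are region-equivalent iff their keys are equal."""
    vals = [Fr(v) for v in valuation]
    integral = []   # per clock: "beyond" (value > c) or (integral part, frac == 0)
    bounded = []    # indices of clocks with value <= c and non-zero fraction
    for i, (v, c) in enumerate(zip(vals, cmax)):
        if v > c:
            integral.append("beyond")            # only x > c_x matters
        else:
            fl = floor(v)
            integral.append((fl, v == fl))
            if v != fl:
                bounded.append(i)
    frac = lambda i: vals[i] - floor(vals[i])
    # Ordering of the non-zero fractional parts of the bounded clocks, grouped
    # so that clocks with equal fractional parts share a class.
    order = tuple(tuple(sorted(g))
                  for _, g in groupby(sorted(bounded, key=frac), key=frac))
    return (tuple(integral), order)


def same_region(v1, v2, cmax):
    """Do v1 and v2 lie in the same clock region?"""
    return region_key(v1, cmax) == region_key(v2, cmax)


def region_bound(cmax):
    """k! * 2^k * prod_{1<=i<=k} (2 c_{x_i} + 2), the bound quoted in the paper."""
    k = len(cmax)
    prod = 1
    for c in cmax:
        prod *= 2 * c + 2
    return factorial(k) * 2 ** k * prod


if __name__ == "__main__":
    # Constructed valuations over two clocks x, y with c_x = c_y = 1.
    print(same_region([Fr(3, 10), Fr(7, 10)], [Fr(1, 5), Fr(9, 10)], [1, 1]))  # same order of fractions
    print(same_region([Fr(3, 10), Fr(7, 10)], [Fr(7, 10), Fr(3, 10)], [1, 1]))  # order reversed
    print(region_bound([1, 1]))
```

The key is what a REG_r process name would have to encode: for the two-clock, c = 1 case the bound gives 2! · 2² · 4 · 4 = 128 region processes at most, which is why Section 5 remarks that a full regions graph is often more than a given specification needs.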
Each equivalence class, or clock region, r is modelled as a process REGr .
REGr is at any time willing to accept, on some internal (i.e., globally hidden)
channel, the event query .r from CONTROL; upon entering a new discrete
state, CONTROL can thus check whether or not the invariant constraint is
satisﬁed. Now suppose that r′ is the region immediately following r tempo-
rally. (In the case of ‘extremal’ regions r, no such r′ exists, and the next
sentence does not apply.) The region-process REGr is at any time willing to
accept, again on some internal channel, the command (i.e., event) switch.r′,
which transfers control to the region-process REGr ′. The command switch.r′
is initiated by CLOCKS , and also requires the participation of CONTROL,
as a means to enforce the state invariant constraints. A region-process is also
at any time willing to accept any one of the commands reset .xi , again on
some internal channel, and subsequently transfer control to the process as-
sociated with the region reached by resetting xi. Lastly, for any a ∈ Σ, the
region-process REGr is always willing to accept the ‘r-annotated event’ r.a.
Although this latter communication is external (not hidden), a subsequent
global renaming operation restores all such communications to their nominal
values (the simple event a in this case). The composite clock regions graph
process is denoted REGIONS .
Each clock $x_i$ is modelled by a process $\mathit{CL}_{x_i}$. This process can be in any of the $2c_{x_i} + 2$ following states (represented as disjoint subsets of $\mathbb{R}^+$): $\{0\}, (0,1), \{1\}, (1,2), \ldots, (c_{x_i} - 1, c_{x_i}), \{c_{x_i}\}, (c_{x_i}, \infty)$. $\mathit{CL}_{x_i}$ switches from state to state
by means of the interrupt operator; it spends unit-duration periods in bounded
‘interval’ states, and null-duration periods in ‘singleton’ states. Prior to en-
tering a new state, it oﬀers as signals a choice of all the events of the form
switch.r, where r is any region compatible with the value of xi in the new state.
Moreover, all the clocks for which r is temporally a ‘border’ region must par-
ticipate in the event switch.r. CLxi is also at any time—even while oﬀering a
switch—willing to accept the command reset .xi , which prompts the jump to
state {0}. The parallel composition of all the CLxi ’s is denoted CLOCKS .
Any clock constraint $\sigma \in F_C$ can be identified with a subset $\{r \mid r \models \sigma\}$ of clock regions. Whenever the automaton A communicates an event a under a particular clock valuation ν, the process $P^A_{\mathbb{R}}$ is meant to communicate a corresponding region-annotated event r.a, where r is the region corresponding to ν (footnote 4). Recall that this event is subsequently renamed to a at the outermost level.
The discrete controller is modelled by a process CONTROL, which mimics
the various states in S of the automaton. Initially, CONTROL nondeterminis-
tically begins in one of the start states in S0. Upon entering a new state s ∈ S,
the ﬁrst thing CONTROL does is signal to REGIONS a choice of events of
the form query .r , where r ∈ inv(s). If REGIONS cannot synchronise on any
of these events, this means a state has been reached in which the invariant
constraint is violated, and a timestop automatically ensues. Otherwise, while
in state s the discrete controller is always willing to accept events of the form
switch.r , as long as r ∈ inv(s). For every edge e = (s, s′, a,D, σ), CONTROL,
while in state s, continuously oﬀers a choice of region-annotated events of the
form r.a, where r ∈ σ. If any of these transitions is accepted, then CONTROL
immediately proceeds to signal the events reset .x, for every clock x ∈ D to
be reset. Finally, it enters the new state s′, subject to the initial satisfaction
check of s′’s invariant constraint.
CONTROL, REGIONS , and CLOCKS are combined in parallel and re-
quired to synchronise on all appropriate events. Events on internal channels
are then hidden, and, ﬁnally, a global renaming operator converts all commu-
nications of the form r.a back to their nominal Σ-value. The resulting process
is denoted $P^A_{\mathbb{R}}$.
It turns out that $P^A_{\mathbb{R}}$ has exactly the same timed traces as A, but not quite the same refusals: because of point nondeterminism, whenever A refuses a set of events over an open time interval (t, t′), $P^A_{\mathbb{R}}$ is able to refuse the same set over [t, t′). Interestingly, it is precisely point nondeterminism which makes Timed CSP processes closed under refusal trace digitisation. Closed timed automata, on the other hand, do not have this property, as can be seen from examining the timed automaton A below:
4 The infinitesimal uncertainty introduced by point nondeterminism however imposes the caveat that a given clock interpretation may belong to two different regions, at least as far as $P^A_{\mathbb{R}}$ is concerned.
[Figure: the timed automaton A, as read off the original diagram. Three states; the first transition is labelled a and resets the clock x; the middle state carries the invariant x = 0; the last transition is labelled b and is guarded by y ≤ 1 ∨ y ≥ 2.]
It is plain that A will timestop if the first transition is taken at any time strictly between 1 and 2. Note, however, that the integral refusal traces $\mathcal{R}_{\mathbb{Z}}\llbracket A \rrbracket$ of A do not exhibit any timestop.
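To make the timestop concrete, the Python below is an added example (not code from the paper) that interprets a closed timed automaton over exact rational time and decides whether a configuration is a timestop in the sense used in this section: either the invariant is violated on entry (the case in which CONTROL timestops), or no positive delay and no discrete transition is possible. Constraints are kept in disjunctive normal form with only closed atoms; invariants are assumed convex (a single clause) so that checking them at the two endpoints of a delay is sound; and the state names s0, s1, s2 (for the automaton A of the figure, with its guard read as y ≤ 1 ∨ y ≥ 2) and idle, wait (for the vending machine of Section 2) are the example's own. The one interpreter serves both automata: it shows the timestop in A when a is taken at time 3/2, its absence at every integral time, and the urgency of coin.out in VM once x = 60.

```python
"""Closed timed automaton interpreter (Section 5): run a schedule of delays
and events, then ask whether the configuration reached is a timestop."""
from fractions import Fraction as Fr

# Constraints are in disjunctive normal form: a list of clauses, each clause a
# list of atoms (clock, op, const) with op in {"<=", ">=", "=="}.  Only closed
# comparisons are admitted, which is exactly what makes the automaton closed.
# Invariants are assumed convex (one clause), so an invariant that holds
# before and after a delay holds throughout it.
TRUE = [[]]


def atom_holds(atom, val):
    x, op, c = atom
    return {"<=": val[x] <= c, ">=": val[x] >= c, "==": val[x] == c}[op]


def holds(constraint, val):
    return any(all(atom_holds(a, val) for a in clause) for clause in constraint)


def can_delay(invariant, val):
    """True iff some positive delay keeps the invariant: a clause that holds
    now survives a small delay iff each upper bound is strict and no equality
    pins a clock (lower bounds only get easier to satisfy as time passes)."""
    for clause in invariant:
        if all(atom_holds(a, val) for a in clause) and all(
                op == ">=" or (op == "<=" and val[x] < c) for x, op, c in clause):
            return True
    return False


class CTA:
    def __init__(self, clocks, start, invariants, edges):
        self.clocks, self.start, self.inv, self.edges = clocks, start, invariants, edges

    def enabled(self, loc, val):
        """Edges (src, dst, event, resets, guard) whose guard holds at (loc, val)."""
        return [e for e in self.edges if e[0] == loc and holds(e[4], val)]

    def is_timestop(self, loc, val):
        """Invariant violated on entry, or neither time nor any edge can proceed."""
        inv = self.inv[loc]
        return not holds(inv, val) or (not can_delay(inv, val) and not self.enabled(loc, val))

    def run(self, schedule):
        """schedule: list of (delay, event).  Returns the configuration reached;
        raises ValueError if a delay leaves the invariant or an event is disabled."""
        loc, val = self.start, {x: Fr(0) for x in self.clocks}
        for delay, event in schedule:
            delay = Fr(delay)
            if delay > 0 and not can_delay(self.inv[loc], val):
                raise ValueError(f"time cannot pass in {loc} at {val}")
            val = {x: v + delay for x, v in val.items()}
            if not holds(self.inv[loc], val):
                raise ValueError(f"delay {delay} leaves the invariant of {loc}")
            cands = [e for e in self.enabled(loc, val) if e[2] == event]
            if not cands:
                raise ValueError(f"{event} is not enabled in {loc} at {val}")
            _, loc, _, resets, _ = cands[0]   # the automata below are deterministic
            val = {x: (Fr(0) if x in resets else v) for x, v in val.items()}
        return loc, val


# The automaton A of the figure (state names assumed): a resets x; the middle
# state carries the invariant x = 0; b is guarded by y <= 1 or y >= 2.
A = CTA(clocks=["x", "y"], start="s0",
        invariants={"s0": TRUE, "s1": [[("x", "==", 0)]], "s2": TRUE},
        edges=[("s0", "s1", "a", {"x"}, TRUE),
               ("s1", "s2", "b", set(), [[("y", "<=", 1)], [("y", ">=", 2)]])])


def timestop_after_a_at(t):
    """Does taking the first transition of A at time t leave A in a timestop?"""
    return A.is_timestop(*A.run([(t, "a")]))


# The vending machine of Section 2 as a timed automaton (state names assumed):
# coin.in resets x, the waiting state has invariant x <= 60, coin.out needs x = 60.
VM = CTA(clocks=["x"], start="idle",
         invariants={"idle": TRUE, "wait": [[("x", "<=", 60)]]},
         edges=[("idle", "wait", "coin.in", {"x"}, TRUE),
                ("wait", "idle", "choc", set(), TRUE),
                ("wait", "idle", "biscuit", set(), TRUE),
                ("wait", "idle", "coin.out", set(), [[("x", "==", 60)]])])


if __name__ == "__main__":
    print([t for t in (1, Fr(3, 2), 2) if timestop_after_a_at(t)])
    print(VM.run([(5, "coin.in"), (60, "coin.out")]))
```

Restricting the schedule of A to integral delays never reaches the timestop, which is the digitisation gap the text points out; in VM, at x = 60 no further delay is allowed by the invariant but coin.out is enabled, so the configuration is urgent rather than a timestop, matching the signalling prefix in the Timed CSP definition of VM.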
Having noticed such phenomena, Bošnački comments in [8] that digitisation techniques appear to be inadequate to handle the requirement of timestop-freedom. Corollary 5.2 shows that this is not the case (although our region-graphs-based method is certainly no more efficient than the algorithm of [13]).
The following result establishes that the expressiveness of Timed CSP is at least that of closed timed automata; the 'left-closure' operator $\overleftarrow{(\cdot)}$ is defined in Appendix C.
Theorem 5.1 For any timed automaton $A \in \mathit{CTA}$, $\mathcal{R}_{\mathbb{R}}\llbracket P^A_{\mathbb{R}} \rrbracket = \overleftarrow{\mathcal{R}_{\mathbb{R}}\llbracket A \rrbracket}$.
In particular, $\mathcal{T}_{\mathbb{R}}\llbracket P^A_{\mathbb{R}} \rrbracket = \mathcal{T}_{\mathbb{R}}\llbracket A \rrbracket$. Thus closed timed automata are closed under trace digitisation.
Corollary 5.2 Let $A \in \mathit{CTA}$ be a timed automaton. The following are equivalent:
(i) A is timestop-free ($A \models^{R}_{\mathbb{R}} \mathit{TSF}$).
(ii) $P^A_{\mathbb{R}}$ is timestop-free ($P^A_{\mathbb{R}} \models^{R}_{\mathbb{R}} \mathit{TSF}$).
(iii) The integral refusal traces of $P^A_{\mathbb{R}}$ are timestop-free ($P^A_{\mathbb{R}} \models^{R}_{\mathbb{Z}} \mathit{TSF}$).
The last of these is a discrete check which can be performed on FDR.
A legitimate question is whether Timed CSP is any more expressive than
closed timed automata. Since Timed CSP is Turing-complete, the answer must
be aﬃrmative; however, we ﬁnd that both formalisms are equally expressive
if we restrict ourselves to ﬁnite-state processes, as deﬁned below.
Any P ∈ TCSP has an associated labelled transition system, calculated
using the operational semantics of Appendix A. The sub-labelled transition
system of P in which all evolutions have unit duration is the discrete labelled
transition system of P . We say that P is ﬁnite-state if its discrete labelled
transition system is ﬁnite.
Theorem 5.3 Let $P \in \mathit{TCSP}$ be a finite-state process. Then there exists a closed timed automaton $A \in \mathit{CTA}$ such that $\mathcal{R}_{\mathbb{R}}\llbracket P \rrbracket = \mathcal{R}_{\mathbb{R}}\llbracket P^A_{\mathbb{R}} \rrbracket$.
This theorem signiﬁcantly improves a previous result of Jackson [14], in
that our ‘ﬁnite-state’ criterion is clearly both necessary and suﬃcient. In op.
cit., severe syntactic restrictions are imposed on the Timed CSP syntax in
order to derive the corresponding (weaker) result.
The construction of $P^A_{\mathbb{Z}}$, meant to capture integral-time traces of A, is very similar to that of $P^A_{\mathbb{R}}$. The essential difference is that the REGIONS process is much coarser (and correspondingly so are the other two components): the only clock regions considered are those of the form $\{(j_1, j_2, \ldots, j_k)\}$, i.e., integral singletons in $(\mathbb{R}^+)^k$. Note that the number of regions is then $\prod_{1 \le i \le k} (c_{x_i} + 2)$. The basic mechanisms to ensure the proper running of the process and to enforce the satisfaction of the invariant and enabling constraints (on integral behaviours) are engineered in the obvious way along the lines of those of $P^A_{\mathbb{R}}$. The resulting process is denoted $P^A_{\mathbb{Z}}$.
Theorem 5.4 For any timed automaton $A \in \mathit{CTA}$, $\mathcal{T}_{\mathbb{Z}}\llbracket P^A_{\mathbb{Z}} \rrbracket = \mathcal{T}_{\mathbb{Z}}\llbracket A \rrbracket$.
The signiﬁcance of this result comes from the applicability of digitisation
techniques to the veriﬁcation problem, as detailed in Section 3.
We conclude by noting that in general, it does not always seem necessary
to construct the full regions graph to capture the dense-time behaviours of a
given timed automaton. Likewise, even for discrete behaviours, it is not always
necessary to consider every lattice point. The minimal graph that needs to
be constructed depends on both the speciﬁcation to be checked and on the
set of invariant and enabling constraints of the automaton. How to construct
the minimal discrete controller seems to be an interesting topic for further
research.
6 Conclusion and Future Work
We have characterised the precise expressive power of (ﬁnite-state) Timed
CSP as that of closed timed automata—timed safety automata [13] with closed
invariant and enabling clock constraints.
We have also shown that Timed CSP is expressive enough to capture some
of the most important speciﬁcations on timed systems as reﬁnements; such
speciﬁcations include safe reachability, bounded invariance, and bounded re-
sponse, as well as the branching-time liveness properties of timestop-freedom
and constant availability.
We have established that Timed CSP processes are closed under refusal
trace digitisation [16,17], and that since all the speciﬁcations listed above are
closed under inverse (refusal) trace digitisation, the corresponding veriﬁcation
problems discretise and can be handled by the model checker FDR.
A number of questions remain open. One concerns the expressiveness of
Timed CSP as a speciﬁcation formalism. Following the lead of [15] in the un-
timed case, it would be interesting to determine precisely which fragment of a
quantitative linear-time temporal logic such as MTL can be captured through
reﬁnement. Another interesting project would be to develop techniques to
minimise the number of discrete states needed to capture the behaviours of a
given timed automaton. Lastly, although deciding whether a process or timed
automaton is closed under inverse digitisation is undecidable [18], it would
be very useful to devise simple criteria that would guarantee closure under
inverse digitisation.
As well as pursuing the above research topics, we are actively engaged in
applying our results to case studies.
References
[1] B. Alpern and F. B. Schneider. Deﬁning liveness. Information Processing
Letters, 21(4):181–185, 1985.
[2] R. Alur, C. Courcoubetis, and D. Dill. Model-checking for real-time systems.
In Proceedings of LICS 90, pages 414–425. IEEE Computer Society Press, 1990.
[3] R. Alur, C. Courcoubetis, and D. Dill. Model-checking in dense real-time.
Information and Computation, 104(1):2–34, 1993.
[4] R. Alur and D. Dill. A theory of timed automata. Theoretical Computer
Science, 126:183–235, 1994.
[5] R. Alur, L. Fix, and T. A. Henzinger. Event-clock automata: A determinizable
class of timed automata. Theoretical Computer Science, 211:253–273, 1999.
[6] R. Alur and T. A. Henzinger. Real-time logics: Complexity and expressiveness.
Information and Computation, 104(1):35–77, 1993.
[7] E. Asarin, O. Maler, and A. Pnueli. On discretization of delays in timed
automata and digital circuits. In Proceedings of CONCUR 98, volume 1466,
pages 470–484. Springer LNCS, 1998.
[8] D. Bošnački. Digitization of timed automata. In Proceedings of FMICS 99,
1999.
[9] R. Chapman and M. Goldsmith. Translating timer automata to TCSP. Formal
Systems Design and Development, Inc., 1995.
[10] E. M. Clarke, O. Grumberg, and D. A. Peled. Model Checking. MIT Press,
Cambridge, MA, 1999.
[11] J. Davies. Speciﬁcation and Proof in Real-Time Systems. PhD thesis, Oxford
University, 1991.
[12] T. A. Henzinger, Z. Manna, and A. Pnueli. What good are digital clocks? In
Proceedings of ICALP 92, volume 623, pages 545–558. Springer LNCS, 1992.
[13] T. A. Henzinger, X. Nicollin, J. Sifakis, and S. Yovine. Symbolic model checking
for real-time systems. Information and Computation, 111(2):193–244, 1994.
[14] D. M. Jackson. Logical Veriﬁcation of Reactive Software Systems. PhD thesis,
Oxford University, 1992.
[15] M. Leuschel, T. Massart, and A. Currie. How to make FDR Spin: LTL model
checking using reﬁnement. In Proceedings of FME 01, volume 2021, pages 99–
118. Springer LNCS, 2001.
[16] J. Ouaknine. Discrete Analysis of Continuous Behaviour in Real-Time
Concurrent Systems. PhD thesis, Oxford University, 2001. Technical report
PRG-RR-01-06.
[17] J. Ouaknine. Digitisation and full abstraction for dense-time model checking.
In Proceedings of TACAS 02, volume 2280, pages 37–51. Springer LNCS, 2002.
[18] J. Ouaknine and J. B. Worrell. Some decidability and undecidability results for
timed automata. Submitted, 2002. www.math.tulane.edu/~joelo.
[19] J. Ouaknine and J. B. Worrell. Towards speciﬁcation as reﬁnement in timed
systems. In Proceedings of AVoCS 02. The University of Birmingham, 2002.
[20] I. Phillips. Refusal testing. Theoretical Computer Science, 50(3):241–284, 1987.
[21] G. M. Reed. A Mathematical Theory for Real-Time Distributed Computing.
PhD thesis, Oxford University, 1988.
[22] G. M. Reed and A. W. Roscoe. A timed model for communicating sequential
processes. In Proceedings of ICALP 86, pages 314–323. Springer LNCS, 1986.
Theoretical Computer Science, 58:249–261.
[23] G. M. Reed and A. W. Roscoe. The timed failures-stability model for CSP.
Theoretical Computer Science, 211:85–127, 1999.
[24] S. A. Schneider. Correctness and Communication in Real-Time Systems. PhD
thesis, Oxford University, 1989.
[25] S. A. Schneider. Using CSP with Z in the mine pump case study. Unpublished,
1994.
[26] S. A. Schneider. An operational semantics for Timed CSP. Information and
Computation, 116:193–213, 1995.
[27] S. A. Schneider. Concurrent and Real Time Systems: the CSP approach. John
Wiley, 2000.
A Timed CSP Operational Semantics
The contents and style of this appendix are similar to [26]. We present a
collection of inference rules which allow us to assign to any Timed CSP process
a set of dense-time executions.
To this end, we must relax the syntactic requirement that all delays (parameters
$n$ in the terms $P_1 \stackrel{n}{\triangleright} P_2$ and $P_1 \stackrel{n}{\triangle} P_2$) be integral, and allow arbitrary
non-negative real numbers instead (written $t$ in place of $n$). This expanded
collection of closed terms is written TCSP.
We list a few notational conventions: $a$ and $b$ stand for visible events, i.e.,
belong to $\Sigma$. $A \subseteq \Sigma$ and $A^{\checkmark} = A \cup \{\checkmark\}$. $\gamma$ ranges over
$\Sigma^{\checkmark} \cup \{\tau\}$: a visible event, the termination event $\checkmark$, or the silent event $\tau$
(the side conditions $[\gamma \ne \checkmark]$ in the rules below need $\checkmark$ in this range).
$P \xrightarrow{\gamma} P'$ means that the closed term $P$ can perform
an immediate and instantaneous $\gamma$-transition, and subsequently become $P'$
(communicating $\gamma$ in the process if $\gamma$ is a visible event). $P \stackrel{\gamma}{\nrightarrow}$ means that
$P$ cannot possibly do a $\gamma$ at that particular time. $P \stackrel{t}{\leadsto} P'$ means that $P$ can
become $P'$ simply by virtue of letting $t$ units of time elapse, where $t \in \mathbb{R}^+$.
$P \not\leadsto$ means that $P$ can let no strictly positive amount of time elapse. In what
follows, $u \in \mathbb{R}^+$. If $P$ is a term with a single free variable $X$ and $Q$ is a closed
term, $[Q/X]P$ represents the closed term $P$ with $Q$ substituted for every free
occurrence of $X$.
Basic processes:
$$\mathit{STOP} \stackrel{t}{\leadsto} \mathit{STOP} \qquad
(a \to P) \stackrel{t}{\leadsto} (a \to P) \qquad
(a \to P) \xrightarrow{a} P \qquad
(a \stackrel{!}{\to} P) \xrightarrow{a} P$$
$$\mathit{SKIP} \stackrel{t}{\leadsto} \mathit{SKIP} \qquad
\mathit{SKIP} \xrightarrow{\checkmark} \mathit{STOP} \qquad
\mathit{RANDOM} \xrightarrow{\tau} \mathit{WAIT}\,u$$
$$\mathit{WAIT}\,u \stackrel{t}{\leadsto} \mathit{WAIT}\,(u - t)\ \ [t \le u] \qquad
\mathit{WAIT}\,0 \xrightarrow{\tau} \mathit{SKIP}$$

Timeout:
$$\frac{P_1 \stackrel{t}{\leadsto} P_1'}{P_1 \stackrel{u}{\triangleright} P_2 \stackrel{t}{\leadsto} P_1' \stackrel{u-t}{\triangleright} P_2}\ [t \le u] \qquad
P_1 \stackrel{0}{\triangleright} P_2 \xrightarrow{\tau} P_2$$
$$\frac{P_1 \xrightarrow{\tau} P_1'}{P_1 \stackrel{u}{\triangleright} P_2 \xrightarrow{\tau} P_1' \stackrel{u}{\triangleright} P_2} \qquad
\frac{P_1 \xrightarrow{a} P_1'}{P_1 \stackrel{u}{\triangleright} P_2 \xrightarrow{a} P_1'}$$

Timed interrupt:
$$\frac{P_1 \stackrel{t}{\leadsto} P_1'}{P_1 \stackrel{u}{\triangle} P_2 \stackrel{t}{\leadsto} P_1' \stackrel{u-t}{\triangle} P_2}\ [t \le u] \qquad
P_1 \stackrel{0}{\triangle} P_2 \xrightarrow{\tau} P_2$$
$$\frac{P_1 \xrightarrow{\checkmark} P_1'}{P_1 \stackrel{u}{\triangle} P_2 \xrightarrow{\checkmark} P_1'} \qquad
\frac{P_1 \xrightarrow{\gamma} P_1'}{P_1 \stackrel{u}{\triangle} P_2 \xrightarrow{\gamma} P_1' \stackrel{u}{\triangle} P_2}\ [\gamma \ne \checkmark]$$

External choice:
$$\frac{P_1 \stackrel{t}{\leadsto} P_1' \quad P_2 \stackrel{t}{\leadsto} P_2'}{P_1 \,\Box\, P_2 \stackrel{t}{\leadsto} P_1' \,\Box\, P_2'}$$
$$\frac{P_1 \xrightarrow{\tau} P_1'}{P_1 \,\Box\, P_2 \xrightarrow{\tau} P_1' \,\Box\, P_2} \qquad
\frac{P_2 \xrightarrow{\tau} P_2'}{P_1 \,\Box\, P_2 \xrightarrow{\tau} P_1 \,\Box\, P_2'}$$
$$\frac{P_1 \xrightarrow{a} P_1'}{P_1 \,\Box\, P_2 \xrightarrow{a} P_1'} \qquad
\frac{P_2 \xrightarrow{a} P_2'}{P_1 \,\Box\, P_2 \xrightarrow{a} P_2'}$$

Internal choice:
$$P_1 \sqcap P_2 \xrightarrow{\tau} P_1 \qquad P_1 \sqcap P_2 \xrightarrow{\tau} P_2$$

Parallel composition:
$$\frac{P_1 \stackrel{t}{\leadsto} P_1' \quad P_2 \stackrel{t}{\leadsto} P_2'}{P_1 \parallel_A P_2 \stackrel{t}{\leadsto} P_1' \parallel_A P_2'}$$
$$\frac{P_1 \xrightarrow{\gamma} P_1'}{P_1 \parallel_A P_2 \xrightarrow{\gamma} P_1' \parallel_A P_2}\ [\gamma \notin A] \qquad
\frac{P_2 \xrightarrow{\gamma} P_2'}{P_1 \parallel_A P_2 \xrightarrow{\gamma} P_1 \parallel_A P_2'}\ [\gamma \notin A]$$
$$\frac{P_1 \xrightarrow{a} P_1' \quad P_2 \xrightarrow{a} P_2'}{P_1 \parallel_A P_2 \xrightarrow{a} P_1' \parallel_A P_2'}\ [a \in A]$$

Sequential composition:
$$\frac{P_1 \stackrel{t}{\leadsto} P_1' \quad P_1 \stackrel{\checkmark}{\nrightarrow}}{P_1 \mathbin{;} P_2 \stackrel{t}{\leadsto} P_1' \mathbin{;} P_2} \qquad
\frac{P_1 \xrightarrow{\checkmark} P_1'}{P_1 \mathbin{;} P_2 \xrightarrow{\tau} P_2} \qquad
\frac{P_1 \xrightarrow{\gamma} P_1'}{P_1 \mathbin{;} P_2 \xrightarrow{\gamma} P_1' \mathbin{;} P_2}\ [\gamma \ne \checkmark]$$

Hiding:
$$\frac{P \stackrel{t}{\leadsto} P' \quad \forall a \in A \cdot P \stackrel{a}{\nrightarrow}}{P \setminus A \stackrel{t}{\leadsto} P' \setminus A} \qquad
\frac{P \xrightarrow{a} P'}{P \setminus A \xrightarrow{\tau} P' \setminus A}\ [a \in A] \qquad
\frac{P \xrightarrow{\gamma} P'}{P \setminus A \xrightarrow{\gamma} P' \setminus A}\ [\gamma \notin A]$$

Renaming:
$$\frac{P \stackrel{t}{\leadsto} P'}{P[R] \stackrel{t}{\leadsto} P'[R]} \qquad
\frac{P \xrightarrow{\tau} P'}{P[R] \xrightarrow{\tau} P'[R]} \qquad
\frac{P \xrightarrow{a} P'}{P[R] \xrightarrow{b} P'[R]}\ [a \mathrel{R} b]$$

Recursion:
$$\mu X \cdot P \xrightarrow{\tau} [(\mu X \cdot P)/X]P .$$
Note that there are no rules for TIMESTOP .
For $P \in$ TCSP, we define the set of events immediately refused by $P$,
$\mathit{ref}(P) \subseteq \Sigma_{\mathit{time}}$, as follows: if $P \xrightarrow{\tau}$, then $\mathit{ref}(P) = \emptyset$. Otherwise, for $a \in \Sigma$,
$a \in \mathit{ref}(P) \Leftrightarrow P \stackrel{a}{\nrightarrow}$, and $\mathit{time} \in \mathit{ref}(P) \Leftrightarrow P \not\leadsto$. (Recall that $\mathit{time}$ is a
special 'event' not belonging to $\Sigma$.)
For $P \in$ TCSP, we define an execution of $P$ to be a sequence
$e = P_0 \xrightarrow{z_1} P_1 \xrightarrow{z_2} \cdots \xrightarrow{z_n} P_n$, where $P_0 = P$ and each step $P_i \xrightarrow{z_{i+1}} P_{i+1}$ of $e$ is
either a transition $P_i \xrightarrow{\gamma} P_{i+1}$ (with $z_{i+1} = \gamma$) or an evolution $P_i \stackrel{t}{\leadsto} P_{i+1}$
(with $z_{i+1} = t$). In addition, every such transition or evolution must be validly
allowed by the operational inference rules listed above. The set of executions
of $P$ is written $\mathit{exec}(P)$.
Let $T = \langle \aleph_0, (t_1, a_1), \ldots, \aleph_k \rangle$ and $T' = \langle \aleph'_0, (t'_1, a'_1), \ldots, \aleph'_l \rangle$. We define
their glueing $T \frown T' \mathrel{\hat{=}} \langle \aleph_0, (t_1, a_1), \ldots, (t_k, a_k), \aleph_k \cup \aleph'_0, (t'_1, a'_1), \ldots, \aleph'_l \rangle$,
in which the last refusal of $T$ is merged with the first refusal of $T'$.
The operator $\&$, on the other hand, denotes simple sequence concatenation.
If T is a refusal trace and t ∈ R+, we let T + t be the refusal trace in
which all timed events of T (observed and refused) have had their timestamps
increased by t.
Given an execution $e$ of some process $P$, we produce an associated canonical
refusal trace $\mathit{rt}(e)$ (the largest possible given the execution $e$), defined
inductively on $e$ as follows.
$$\begin{aligned}
\mathit{rt}(P) &\mathrel{\hat{=}} \langle \{0\} \times \mathit{ref}(P) \rangle \\
\mathit{rt}((P \xrightarrow{\tau}) \& e) &\mathrel{\hat{=}} \mathit{rt}(e) \\
\mathit{rt}((P \xrightarrow{a}) \& e) &\mathrel{\hat{=}} \langle \{0\} \times \mathit{ref}(P), (0, a) \rangle \& \mathit{rt}(e) \\
\mathit{rt}((P \stackrel{t}{\leadsto}) \& e) &\mathrel{\hat{=}} \langle [0, t) \times \mathit{ref}(P) \rangle \frown (\mathit{rt}(e) + t)
\end{aligned}$$
We define a partial order $\prec$ on refusal traces, which orders refusal traces
according to how much information they contain. If $T = \langle \aleph_0, (t_1, a_1), \ldots, \aleph_k \rangle$
and $T' = \langle \aleph'_0, (t'_1, a'_1), \ldots, \aleph'_l \rangle$ are refusal traces, we let $T' \prec T$ in case
$l \le k \;\wedge\; \aleph'_0 \subseteq \aleph_0 \;\wedge\; \forall (1 \le i \le l) \cdot a'_i = a_i \wedge \aleph'_i \subseteq \aleph_i$. This definition gives rise to an
operator $\downarrow$: for $P$ a set of refusal traces, $\downarrow P$ is the smallest $\prec$-downward-closed
set containing $P$.

The congruence theorem reads:

Theorem A.1 For any $P \in$ TCSP, $\mathcal{R}\llbracket P \rrbracket = \downarrow \mathit{rt}(\mathit{exec}(P))$.
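The rules above are easier to trust once one can execute them. The following interpreter is an added illustration, not code from the paper or its authors: it implements transitions, evolutions, the urgency predicate and $\mathit{ref}(P)$ for the fragment STOP, SKIP, WAIT $u$, $a \to P$, $a \stackrel{!}{\to} P$, timeout and external choice, exactly as the corresponding rules read. The tuple encoding, the label names `tau`/`tick`/`time`, and the sample term are my own choices; treating $\checkmark$ like a visible event when it resolves a choice is an assumption, since the page lists the choice rules only for $a \in \Sigma$.

```python
"""Interpreter for a fragment of the Timed CSP operational semantics above:
STOP, SKIP, WAIT u, prefix a -> P, urgent prefix a !-> P, timeout P1 |>u P2
and external choice P1 [] P2. Terms are nested tuples; delays are Fractions so
that integral and fractional behaviour stay exact. Added illustration only."""
from fractions import Fraction

TAU, TICK, TIME = "tau", "tick", "time"
STOP = ("STOP",)
SKIP = ("SKIP",)

def WAIT(u):            return ("WAIT", Fraction(u))
def PREFIX(a, p):       return ("PREFIX", a, p)      # a -> p: may wait for a
def URGENT(a, p):       return ("URGENT", a, p)      # a !-> p: no evolution rule
def TIMEOUT(p1, u, p2): return ("TIMEOUT", p1, Fraction(u), p2)
def CHOICE(p1, p2):     return ("CHOICE", p1, p2)

def _resolve(lab, q, rebuild):
    # A tau inside an operand keeps the operator in place; any other label
    # (a visible event, and by assumption also tick) resolves it.
    return (TAU, rebuild(q)) if lab == TAU else (lab, q)

def transitions(p):
    """All immediate transitions (label, p') licensed by the rules."""
    kind = p[0]
    if kind == "STOP":
        return []
    if kind == "SKIP":
        return [(TICK, STOP)]
    if kind == "WAIT":
        return [(TAU, SKIP)] if p[1] == 0 else []
    if kind in ("PREFIX", "URGENT"):
        return [(p[1], p[2])]
    if kind == "TIMEOUT":
        _, p1, u, p2 = p
        out = [(TAU, p2)] if u == 0 else []           # P1 |>0 P2 -tau-> P2
        out += [_resolve(lab, q, lambda q: TIMEOUT(q, u, p2))
                for lab, q in transitions(p1)]
        return out
    if kind == "CHOICE":
        _, p1, p2 = p
        return ([_resolve(lab, q, lambda q: CHOICE(q, p2)) for lab, q in transitions(p1)]
                + [_resolve(lab, q, lambda q: CHOICE(p1, q)) for lab, q in transitions(p2)])
    raise ValueError(p)

def evolve(p, t):
    """Term reached by letting t time units pass, or None if no rule applies."""
    t = Fraction(t)
    kind = p[0]
    if kind in ("STOP", "SKIP", "PREFIX"):
        return p
    if kind == "URGENT":
        return None
    if kind == "WAIT":
        return WAIT(p[1] - t) if t <= p[1] else None
    if kind == "TIMEOUT":
        _, p1, u, p2 = p
        q1 = evolve(p1, t)
        return TIMEOUT(q1, u - t, p2) if q1 is not None and t <= u else None
    if kind == "CHOICE":
        q1, q2 = evolve(p[1], t), evolve(p[2], t)
        return CHOICE(q1, q2) if q1 is not None and q2 is not None else None
    raise ValueError(p)

def can_delay(p):
    """True iff p can let some strictly positive amount of time elapse."""
    kind = p[0]
    if kind in ("STOP", "SKIP", "PREFIX"):
        return True
    if kind == "URGENT":
        return False
    if kind == "WAIT":
        return p[1] > 0
    if kind == "TIMEOUT":
        return p[2] > 0 and can_delay(p[1])
    return can_delay(p[1]) and can_delay(p[2])       # CHOICE

def ref(p, sigma):
    """Events immediately refused by p over alphabet sigma: nothing if a tau is
    available, else every unoffered event, plus "time" if p cannot delay."""
    trans = transitions(p)
    if any(lab == TAU for lab, _ in trans):
        return frozenset()
    offered = {lab for lab, _ in trans}
    refused = {a for a in sigma if a not in offered}
    if not can_delay(p):
        refused.add(TIME)
    return frozenset(refused)

def run(p, steps):
    """Follow one execution: each step is a delay (a number) or a label.
    Returns the final term, or None if some step is not allowed. The first
    matching transition is taken, so only one branch of a nondeterministic
    term is explored."""
    for z in steps:
        if isinstance(z, str):
            successors = [q for lab, q in transitions(p) if lab == z]
            p = successors[0] if successors else None
        else:
            p = evolve(p, z)
        if p is None:
            return None
    return p

SIGMA = {"a", "b"}
# Constructed sample term: offer a for two time units, then fall back to b.
P = TIMEOUT(PREFIX("a", STOP), 2, PREFIX("b", STOP))
```

On the sample term, `ref(P, SIGMA)` is `{b}` at time 0; after exactly two units the timeout is armed and, because a $\tau$ is available, nothing is refused; after the $\tau$ the term is `b -> STOP` and `a` is refused; a delay of three units has no derivation at all, which is how the evolution rule's side condition $[t \le u]$ shows up operationally.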
B Digitisation
Digitisation techniques were ﬁrst introduced in [12], and later extended from
traces to refusal traces in [16,17]. We review the main points, adapted to the
present framework.
Let $t \in \mathbb{R}^+$, and let $0 \le \varepsilon \le 1$ be a real number. Decompose $t$ into its
integral and fractional parts, thus: $t = \lfloor t \rfloor + t'$. If $t' < \varepsilon$, let $[t]_\varepsilon \mathrel{\hat{=}} \lfloor t \rfloor$,
otherwise let $[t]_\varepsilon \mathrel{\hat{=}} \lceil t \rceil$.
We can then extend [·]ε to timed traces by pointwise application to the
timestamps of the trace’s events. We then further extend [·]ε to sets of traces
in the usual way.
Let $A \subseteq \mathbb{R}^+ \times \Sigma_{\mathit{time}}$ be a refusal. Write $A = \bigcup_{i \in I} (I_i \times A_i)$, where each
$I_i$ is an open, half-open, or closed interval with endpoints $u_i, v_i \in \mathbb{R}^+$, and
$A_i \subseteq \Sigma_{\mathit{time}}$. Assume moreover that this representation is maximal in that
the intervals $I_i$ are as large as possible. We then define $[A]_\varepsilon$ by pointwise
application to the endpoints $u_i, v_i$ of the intervals $I_i$.
Naturally, this extends [·]ε to refusal traces, and hence sets thereof, in the
obvious way. The overloading of the notation causes no confusion since the
arguments of [·]ε are of disjoint types.
Definition B.1 A set $P$ of (refusal) traces is closed under (refusal) trace
digitisation if, for any $0 \le \varepsilon \le 1$, $[P]_\varepsilon \subseteq P$.
A set $S$ of (refusal) traces is closed under inverse (refusal) trace digitisation
if, whenever a (refusal) trace $s$ is such that $[s]_\varepsilon \in S$ for all $0 \le \varepsilon \le 1$, then
$s \in S$.
For $P$ and $S$ Timed CSP processes, the above definitions apply respectively
to $\mathcal{T}\llbracket P \rrbracket$ ($\mathcal{R}\llbracket P \rrbracket$) and $\mathcal{T}\llbracket S \rrbracket$ ($\mathcal{R}\llbracket S \rrbracket$).
If P is a set of (refusal) traces, we let Z(P ) stand for the subset of integral
(refusal) traces of P .
The main veriﬁcation result is as follows:
Theorem B.2 Let P be a set of (refusal) traces closed under (refusal) trace
digitisation, and let S be a set of (refusal) traces closed under inverse (refusal)
trace digitisation. Then P ⊆ S if and only if Z(P ) ⊆ Z(S).
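The definitions of this appendix can be exercised on a finite sample of traces. The block below is an added illustration, not code from the paper: it implements $[\cdot]_\varepsilon$ on timestamps and timed traces, then probes Definition B.1 on two constructed trace sets, one generated by the closed enabling constraint $1 \le x \le 2$ and one by the open constraint $1 < x < 2$, and finally performs the integral check of Theorem B.2 against a bounded-response style specification. The sample traces, the membership predicates and the specification are constructed here. One observation the code relies on: for finitely many timestamps, $[\cdot]_\varepsilon$ changes value only when $\varepsilon$ crosses a fractional part that occurs, so trying $\varepsilon \in \{0, 1\} \cup \{\text{occurring fractional parts}\}$ exhibits every possible digitisation.

```python
"""Digitisation [.]_eps of Appendix B on timestamps and timed traces, plus a
sampled check of Definition B.1 and Theorem B.2. Added illustration, not from
the paper; the trace sets below are constructed for the example."""
from fractions import Fraction
from math import floor, ceil

def digitise(t, eps):
    """[t]_eps: floor(t) when the fractional part of t is below eps, else ceil(t)."""
    t, eps = Fraction(t), Fraction(eps)
    if not 0 <= eps <= 1:
        raise ValueError("eps must lie in [0, 1]")
    return Fraction(floor(t)) if t - floor(t) < eps else Fraction(ceil(t))

def digitise_trace(trace, eps):
    """Pointwise application to the timestamps of a timed trace ((t, a), ...)."""
    return tuple((digitise(t, eps), a) for t, a in trace)

def is_integral(trace):
    return all(Fraction(t).denominator == 1 for t, _ in trace)

def thresholds(traces):
    """Values of eps at which [.]_eps can change on finitely many traces: 0, 1
    and every fractional part that occurs. Trying exactly these sees every outcome."""
    fracs = {Fraction(t) - floor(Fraction(t)) for tr in traces for t, _ in tr}
    return sorted({Fraction(0), Fraction(1)} | fracs)

def digitisation_counterexample(traces, member):
    """Sampled test of closure under trace digitisation: the first (trace, eps)
    with the trace in the set but [trace]_eps outside it, or None if none is found."""
    for tr in traces:
        if not member(tr):
            continue
        for eps in thresholds([tr]):
            if not member(digitise_trace(tr, eps)):
                return tr, eps
    return None

def integral_refinement_check(traces, impl_member, spec_member):
    """Z(P) subset of Z(S) over the sampled traces. By Theorem B.2 this settles
    P subset of S once P is closed under digitisation and S under inverse
    digitisation."""
    return all(spec_member(tr) for tr in traces
               if is_integral(tr) and impl_member(tr))

# Constructed sample: a single event a at every quarter-integer time in [1/2, 5/2].
SAMPLE = [((Fraction(k, 4), "a"),) for k in range(2, 11)]

def single_a(tr, lo, hi, closed):
    """Membership for 'exactly one a, at a time in [lo, hi] (closed) or (lo, hi) (open)'."""
    if len(tr) != 1 or tr[0][1] != "a":
        return False
    t = tr[0][0]
    return lo <= t <= hi if closed else lo < t < hi

closed_impl = lambda tr: single_a(tr, 1, 2, closed=True)    # constraint 1 <= x <= 2
open_impl = lambda tr: single_a(tr, 1, 2, closed=False)     # constraint 1 < x < 2
bounded_response = lambda tr: all(t <= 2 for t, _ in tr)    # every event by time 2
```

The closed set survives every digitisation, since $[t]_\varepsilon \in \{1, 2\}$ for $t \in [1, 2]$; the open set fails already at $\varepsilon = 0$, where the trace with $a$ at $5/4$ is rounded up to $2 \notin (1, 2)$. This is the operational content of restricting to closed timed automata: open constraints break the hypothesis of Theorem B.2. The specification "every event happens by time 2" is closed under inverse digitisation (an event at $t > 2$ is rounded up to at least $3$ when $\varepsilon = 0$), so the refinement question reduces to the two integral traces of the sample.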
C Closed Timed Automata Semantics
We assume a timed automaton A = (Σ, S, S0, C, E, inv) ∈ CTA. We deﬁne
the set of refusal traces of A in a manner similar to [4,13].
A clock interpretation is a function ν : C −→ R+. Clock interpretations
allow one to assign truth values to clock constraints in the obvious way; we
write $\nu \models \sigma$ to indicate that the clock interpretation $\nu$ makes the clock constraint
$\sigma$ true. For $\nu : C \longrightarrow \mathbb{R}^+$ a clock interpretation and $t \in \mathbb{R}^+$, we let $\nu + t$
be the clock interpretation such that (ν + t)(x) = ν(x) + t for all x ∈ C. For
D ⊆ C a set of clocks to be reset, we let [reset D]ν be the clock interpretation
which evaluates clocks in D to 0 and agrees with ν on clocks outside of D.
Given a state $s$ and a clock interpretation $\nu$, let $\mathit{ref}(s, \nu) \subseteq \mathbb{R}^+ \times \Sigma_{\mathit{time}}$ be
defined as follows: if $\nu \not\models \mathit{inv}(s)$, then $\mathit{ref}(s, \nu) \mathrel{\hat{=}} \{0\} \times \Sigma_{\mathit{time}}$. Otherwise, for
$t \in \mathbb{R}^+$ and $a \in \Sigma$, we let $(t, a) \in \mathit{ref}(s, \nu)$ if, for all $\delta \in [0, t]$, $\nu + \delta \models \mathit{inv}(s)$,
and also if there is no $s$-originating, $a$-labelled, and $\sigma$-enabled transition $e \in E$
(i.e., $e = (s, -, a, -, \sigma)$) with $\nu + t \models \sigma$. Lastly, we let $(t, \mathit{time}) \in \mathit{ref}(s, \nu)$ if
$t$ is the largest finite real number with the property that, for all $\delta \in [0, t]$,
$\nu + \delta \models \mathit{inv}(s)$.
A run over $A$ is a finite sequence $e = (s_0, t_0, \nu_0) \xrightarrow{\alpha_1} (s_1, t_1, \nu_1) \xrightarrow{\alpha_2} \cdots \xrightarrow{\alpha_n}
(s_n, t_n, \nu_n)$, where each state $s_i \in S$, the $t_i \in \mathbb{R}^+$ are non-decreasing, each $\nu_i :
C \longrightarrow \mathbb{R}^+$ is a clock interpretation, each transition $\alpha_i = (s_{i-1}, s_i, a_i, D_i, \sigma_i) \in
E$, and all of which are subject to the following conditions:
(i) $s_0 \in S_0$, $t_0 = 0$, and $\nu_0(x) = 0$ for all $x \in C$.
(ii) For all $0 \le i \le n-1$, for all $\delta \in [0, t_{i+1} - t_i]$, $\nu_i + \delta \models \mathit{inv}(s_i)$; since $\nu_i$ is the clock interpretation at time $t_i$, the offset $\delta$ runs from $0$ up to the time spent in $s_i$.
(iii) For all $0 \le i \le n-1$, $\nu_i + (t_{i+1} - t_i) \models \sigma_{i+1}$.
(iv) For all $0 \le i \le n-1$, $\nu_{i+1} = [\mathit{reset}\ D_{i+1}](\nu_i + (t_{i+1} - t_i))$, where $D_{i+1}$ is the reset set of the transition $\alpha_{i+1}$ taken from $s_i$.
The set of runs of A is written run(A).
Given a run $e = (s_0, t_0, \nu_0) \xrightarrow{\alpha_1} (s_1, t_1, \nu_1) \xrightarrow{\alpha_2} \cdots \xrightarrow{\alpha_n} (s_n, t_n, \nu_n)$, we produce
an associated refusal trace $\mathit{rt}(e) = \langle \aleph_0, (t_1, a_1), \aleph_1, (t_2, a_2), \ldots, (t_n, a_n), \aleph_n \rangle$
as follows.⁵ The $a_i$ are extracted from the $\alpha_i$, and for $0 \le i \le n-1$, we let
$\aleph_i \mathrel{\hat{=}} (\mathit{ref}(s_i, \nu_i) + t_i) \cap ([t_i, t_{i+1}] \times \Sigma_{\mathit{time}})$. Lastly, we let $\aleph_n \mathrel{\hat{=}} \mathit{ref}(s_n, \nu_n) + t_n$.
We can thus derive the set of (dense-time) refusal traces associated with a
timed automaton $A$: $\mathcal{R}\llbracket A \rrbracket \mathrel{\hat{=}} \downarrow \mathit{rt}(\mathit{run}(A))$.
Finally, we define the left-closure operator $\overleftarrow{(\cdot)}$ as follows.
Let $R \subseteq \mathbb{R}^+ \times \Sigma_{\mathit{time}}$ be a refusal. Define a new refusal $\overleftarrow{R} \supseteq R$ such that,
for any $t \in \mathbb{R}^+$ and $a \in \Sigma_{\mathit{time}}$, whenever $\{\delta_i\} \subseteq \mathbb{R}^+$ is a set of positive real
numbers with infimum $0$, if $\{(t + \delta_i, a)\} \subseteq R$, then $(t, a) \in \overleftarrow{R}$. This definition
extends to refusal traces by pointwise application to the refusal components
of the refusal trace.
For $P$ a set of refusal traces, let $\overleftarrow{P} \mathrel{\hat{=}} \downarrow \{\overleftarrow{T} \mid T \in P\}$.
5 For convenience, we allow the last refusal of rt(e) to be unbounded.
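Conditions (i) to (iv) and the refusal function $\mathit{ref}(s, \nu)$ are mechanical enough to check by program. The block below is an added illustration, not code from the paper: it represents a closed timed automaton with clock constraints as conjunctions of closed atoms, checks a candidate run against (i) to (iv), and decides membership of $(t, a)$ in $\mathit{ref}(s, \nu)$, including the $\mathit{time}$ case. The `(clock, op, const)` encoding of atoms, the `CTA` class, the state and edge names and the two-state example automaton are my own. One design point is labelled in the code: for closed atoms over clocks that all advance at rate 1, "$\nu + \delta \models \mathit{inv}(s)$ for all $\delta \in [0, t]$" can be decided by testing the two endpoints, because each atom is satisfied on a convex set of offsets.

```python
"""Runs and refusals of a closed timed automaton, following Appendix C.
Added illustration, not code from the paper. Clock constraints are
conjunctions of closed atoms (x <= c, x >= c, x == c), as CTA requires."""
from fractions import Fraction

INF = None  # stands for "no finite bound" in time_bound

def holds(nu, constraint):
    """nu |= constraint, for a conjunction of closed atoms (clock, op, const)."""
    for x, op, c in constraint:
        if op not in ("<=", ">=", "=="):
            raise ValueError(f"open atom {x} {op} {c}: not a closed timed automaton")
        v = nu[x]
        if not {"<=": v <= c, ">=": v >= c, "==": v == c}[op]:
            return False
    return True

def advance(nu, t):
    """nu + t: every clock advanced by t."""
    return {x: v + t for x, v in nu.items()}

def reset(nu, D):
    """[reset D] nu: clocks in D set to 0, the others unchanged."""
    return {x: (Fraction(0) if x in D else v) for x, v in nu.items()}

def holds_throughout(nu, constraint, t):
    """nu + delta |= constraint for all delta in [0, t]. With closed atoms and
    clocks growing at rate 1 each atom holds on a convex set of offsets, so
    checking both endpoints of [0, t] suffices."""
    return holds(nu, constraint) and holds(advance(nu, t), constraint)

class CTA:
    def __init__(self, initial, clocks, edges, inv):
        self.initial, self.clocks = initial, clocks
        self.edges = edges   # (s, s', a, D, sigma) as in the paper's E
        self.inv = inv       # state -> invariant constraint

    def check_run(self, steps):
        """Conditions (i)-(iv) for a run starting in (s0, 0, nu0) and taking the
        edges in `steps`, each given as (absolute time, edge). Returns the final
        (s, t, nu), or a string naming the first violated condition."""
        s, t = self.initial, Fraction(0)
        nu = {x: Fraction(0) for x in self.clocks}                 # (i)
        for t_next, (src, dst, a, D, sigma) in steps:
            t_next = Fraction(t_next)
            if src != s or t_next < t:
                return "not a run: wrong edge source or time decreases"
            d = t_next - t
            if not holds_throughout(nu, self.inv[s], d):           # (ii)
                return f"(ii) invariant of {s} violated on [{t}, {t_next}]"
            if not holds(advance(nu, d), sigma):                   # (iii)
                return f"(iii) guard of {a} false at time {t_next}"
            s, t, nu = dst, t_next, reset(advance(nu, d), D)       # (iv)
        return s, t, nu

    def time_bound(self, s, nu):
        """Largest finite t with nu + delta |= inv(s) on [0, t], assuming
        nu |= inv(s); INF if no upper-bound atom constrains the clocks."""
        bounds = [c - nu[x] for x, op, c in self.inv[s] if op in ("<=", "==")]
        return min(bounds) if bounds else INF

    def refuses(self, s, nu, t, a):
        """(t, a) in ref(s, nu), for a in Sigma or a == "time"."""
        t = Fraction(t)
        if not holds(nu, self.inv[s]):
            return t == 0                          # ref(s, nu) = {0} x Sigma_time
        if a == "time":
            return self.time_bound(s, nu) == t
        if not holds_throughout(nu, self.inv[s], t):
            return False
        return not any(src == s and lab == a and holds(advance(nu, t), sigma)
                       for src, _, lab, _, sigma in self.edges)

# Constructed example: in s0 (invariant x <= 2) an a is enabled once x >= 1 and
# resets x; from s1 a b must follow exactly one time unit later.
X = "x"
E_A = ("s0", "s1", "a", {X}, [(X, ">=", 1)])
E_B = ("s1", "s0", "b", set(), [(X, "==", 1)])
A = CTA(initial="s0", clocks=(X,), edges=[E_A, E_B],
        inv={"s0": [(X, "<=", 2)], "s1": []})
```

`A.check_run([(1, E_A), (2, E_B)])` accepts and returns the final configuration, whereas firing `a` at time 3 is rejected by (ii) and firing `b` half a unit after `a` by (iii). For refusals, $(1/2, a) \in \mathit{ref}(s_0, \nu_0)$ because the guard $x \ge 1$ is not yet true, $(2, \mathit{time})$ is refused in $s_0$ since the invariant caps the stay at 2, and $\mathit{time}$ is never refused in $s_1$, whose invariant has no upper bound.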