Timing properties in real-time systems by Jahanian, Farnam

SPECIFICATION AND ANALYSIS OF TIMING PROPERTIES
IN REAL-TIME SYSTEMS
by
FARNAM JAHANIAN, B.S., M.S.C.S.
DISSERTATION
Presented to the Faculty of the Graduate School of
The University of Texas at Austin
in Partial Fulfillment
of the Requirements
for the Degree of
DOCTOR OF PHILOSOPHY







Effat and Gholamali Jahanian
Acknowledgements
I would like to thank my advisor, Professor A 1 Mok, whose support and
collaboration made this work possible. He has been a friend and mentor in the
full sense of the word. I would also like to express my appreciation to Professor
Mohamed Gouda, Professor Simon Lam, Professor Miro Malek, and Professor
Lou Rosier, the members of my committee, for their guidance in this endeavor.
I am grateful to Doug Stuart for countless hours of discussion on the for-
malism presented in this work. I wish to thank Prasanna Amerasinghe, Ray-
mond Lee, and Tom Porter for their helpful suggestions. Finally, I wish to
thank Tris Casey (soon to be Mrs. Jahanian), my brother Farzan, and my parents
for their encouragement and enthusiasm all along.
Famam Jahanian





This dissertation proposes a formalism for the specification and verification
of timing properties of real-time systems. Reasoning about properties of a real-
time system requires one to consider both relative and absolute timing of events.
Relative timing concerns the order in which events occur, such as mutual exclu-
sion and precedence constraint properties. Absolute timing concerns the
stringent timing restrictions imposed on a system, such as a response time dead-
line or a minimum elapsed time between occurrences of two events.
The approach is based on Real Time Logic (RTL), a logic invented pri-
marily for the specification of both relative and absolute timing of events. The
notion of an event occurrence is contra! to RTL; an event occurrence marks a
point in time which is of significance to the behavior of a system. Hence, con-
currency is modeled as a partial ordering of the event occurrences in the system.
A system specification and a property to be verified can be expressed as arith-
metical relations on algebraic expressions involving the event occurrences. To
verify the property with respect to the system specification, we prove that the
property is a theorem derivable from the specification. Relationship of RTL to
Presburger Arithmetic is discussed and a verification technique based on ine-
quality provers is explored.
The dissertation also introduces a specification language, Modechart, for
real-time systems. The semantics of Modechart is described in terms of RTL
formulas. In Modechart, we make use of the concept of modes which can be
thought of as partitioning the state space of a system. Intuitively, modes can be
viewed as control information that impose structure on the operation of a sys-
tem. Modes are arranged hierarchically. Furthermore, modes at the same level
of hierarchy can be related in one of two ways: in series or in parallel. A transi-
tion can be specified between two modes in series, but no transition is allowed
between modes in parallel. The language allows sporadic/periodic actions in
modes as well as constructs for specifying timing constraints such as delays and
deadlines on mode transitions. Verification procedures are introduced for show-
ing a Modechart specification satisfies a property expressed as an RTL formula.
VII
Table of Contents
Chapter 1 Introduction 1
1.1 Timing Constraints: Two Examples 2
1.2 Classifying Timing Constraints 5
1.3 Overview of the Dissertation 6
Chapter 2 Real Time Logic 9
2.1 Introduction 9
2.2 Real Time Logic 11
2.2.1 Overview 11
2.2.2 The Language of Real Time Logic 14
2.2.3 The Meaning of an RTL Formula 15
2.2.4 State Predicates 17
2.3 Example: Moving Control Rods in a Reactor 19
2.3.1 Specification 20
2.3.2 Safety Assertion 23
2.3.3 Verification 23
Chapter 3 Inequality Provers and RTL 25
3.1 Alternative RTL Notation: Occurrence Function 25
3.2 A Reasoning System Based on Inequality Provers 27
3.2.1 From RTL to Presburger Arithmetic 27
3.2.2 Inequality Theorem Provers 29
3.3 Remarks on the Undecidability of RTL 31
3.4 Efficiency Considerations 33
VIII
Chapter 4 A Graph-Theoretic Approach for Timing Analysis 36
4.1 Motivation 36
4.1.1 Subclass of RTL Formulas 39
4.2 Graph Representation 40
4.3 Positive Cycles and Unsatisfiability 44
4.4 Detecting Positive Cycles 47
4.5 Unsatisfiability Proof 55
4.6 Implementation of Verification Procedure 71
4.7 Example: Nuclear Reactor Problem Revisited 72
4.7.1 Specification 72
4.7.2 Safety Assertion 73
4.7.3 Verification 74
4.8 Concluding Remarks 78
Chapter 5 Modechart: a Spec. Language for Real-Time Systems
BO
5.1 Introduction 80
5.2 Hierarchical Decomposition: Parallel and Serial Modes 82
5.2.1 Well-Formed Modes 86
5.3 Specifying the Semantics of Modes and Transitions in RTL
B9
5.3.1 Comparison of Modes and State Variables 89
5.3.2 Transitions 91
5.4 Actions and Timing Constraints 95
5.4.1 Actions Upon Mode Transitions 96
IX
5.4.2 Actions in Modes 100
5.5 Entering and Existing Nested modes 108
5.5.1 Mode transition exclusion 112
5.5.2 Implicit mode exits 112
5.5.3 The transition assertion for nested modes 113
5.6 Absence of Anomalous Behavior 117
5.7 Conclusion 121
Chapter 6 Verification of Modechart Specifications 123
6.1 Introduction 123
6.2 The Approach 123
6.3 Computations of a Systems 126
6.4 Generating a Computation Graph 131
6.5 Example: Railroad Crossing 144
6.5.1 Specification 145
6.5.2 Safety assertion 148
6.5.3 Verification 148
6.6 Decidable Classes of Timing Properties 150
6.6.1 Preliminary Definitions 150
6.6.2 Class 1: Minimum/Maximum Separation of Related
Endpoints 153
6.6.3 Class 2: Exclusion/Inclusion of Interval and End-
points 154
6.7 Concluding Remarks 157
Chapter 7 Concluding Remarks and Future Research 158
Chapter 1
Introduction
With the rapid increase in the use of computers in real-time applications,
e.g., industrial plant control, avionic systems, and patient-monitoring instru-
ments, the need for a formal approach to the specification and verification of
these systems has become particularly important. For these applications, com-
puters are used to monitor and control potentially unsafe processes where a
run-time failure may result in catastrophic destruction of life and property. The
difficulty in designing and analyzing the software systems for these applications
is compounded by two important characteristics of the real-time environment,
namely, the requirement to continually satisfy stringent timing constraints, and
the need to guard against an imperfect execution environment.
This report proposes a formalism for the specification and analysis of tim-
ing properties in hard real-time systems. The primary goal of the proposed
approach is to describe and verify the design of systems for which the absolute
timing of events in addition to their relative ordering is important. Given a sys-
tem specification and a timing property under investigation, correctness of a
design is established by showing the timing property is consistent with the sys-
tem specification. The same mathematical notations are used in describing the
system specifications and the properties under investigation, thus the verification
can be carried out as proving theorems.
Although there has been wide interest among researchers in describing and
verifying concurrent systems, most of the work in this area does not consider the
real-time constraints that may be imposed on the behavior of systems. Since
timing constraints are crucial to the correct operation of systems in a real-time
environment, description and verification of properties of these systems must
consider the temporal restrictions imposed by the timing constraints. The work
1
2proposed in this report will focus on this issue. In particular, the proposed for-
malism is characterized by the following three attributes: First, it provides a uni-
form way for the specification and analysis of both relative and absolute timing
of events. Second, it puts much emphasis on the mechanical verification of pro-
perties under investigation. Third, the formalism is intended mainly for analyz-
ing system specifications instead of detailed program designs. This is important
for keeping the analysis manageable for mechanization, since automated
analysis of large finished designs is not likely to be practical.
1.1. Timing Constraints: Two Examples
The specification problem for real-time systems is more complex since the
absolute timing behavior (the timing of events measured by a real-time clock)
and not only the functional behavior of a system is important. Consequently,
reasoning about properties of a real-time system requires one to consider both
relative and absolute timing of events. Relative timing concerns the relative
order in which events occur. Properties such as mutual exclusion and pre-
cedence constraints fall within this category. Absolute timing concerns the
stringent timing restrictions imposed on a system. Response time deadline or
minimum elapse time between occurrences of two events are examples of abso-
lute timing properties.
We present two examples to illustrate the potential difficulties in the
specification and verification of time-critical systems.
Example I:
Consider a computer on board a train which is going into a railway crossing.
The train is to stop if, after 45 seconds, the controller at the crossing fails to
lower the gate.
The following piece of Ada code might be used for this purpose.
(The use of the timed entry call below follows the suggestion in the Ada





STOP_TRAIN; —controller not responding, stop the train
end select;
The select statement above has two alternatives. The first alternative is a ren-
dezvous with the gate controller (the entry call LOWER_GATE.REQUEST).
The other alternative simultaneously starts a watchdog timer. The semantics of
the timed entry call is given in the Ada Language Reference manual: "If a ren-
dezvous can be started within the specified duration (or immediately, as for a
conditional entry call, for a negative or zero delay), it is performed and the
optional sequence of statements after the entry call is then executed. Otherwise,
the entry call is canceled when the specified duration has expired and the
optional sequence of statements of the delay alternative is executed." Thus if the
controller does not respond within 45 seconds, the train will automatically be
stopped. However, if the rendezvous with the controller starts within the
specified time but takes a long time to complete (or it never completes due to a
controller breakdown in the middle of the rendezvous), then the watchdog timer
will not be able to take effect according to the Ada Language Reference
Manual. The train will therefore not stop even though the intended timing con-
straint is to stop the train when the controller fails to lower the gate within 45
t
seconds.
The above example illustrates two points. First, a timing constraint may
involve the execution of more than one action (task) in a distributed environ-
ment. Since different actions may synchronize and interact in many ways, the
specification model must allow a system designer to express at least the timing
constraints which are of practical importance. Second, execution of an action,
e.g., lowering of a gate, should not be viewed as a single event. To specify the
t There is no easy way to express liming constraints like this in Ada. In [Mok 88], an annotation system, based on
the logic proposed in this thesis, is introduced which provides a precise way to specify the intended timing property.
4timing behavior of real-time systems, it is crucial to model the execution of an
action by two events: one marking the initiation of an action and the other
denoting the completion of the action. In the above example, there would be no
ambiguity if one could specify the intended timing constraint as the train should
stop if the event marking the completion of the rendezvous does not happen in
bounded time.
Example 2:
Suppose an external event, e.g., pressing of a push button, invokes two con-
current processes P ±
and P
2
to update two input sensors X and Y, respectively.
We specify a timing constraint for each process which requires the sensors to be
updated within 1 time unit. The global state of the system can be represented by
the vector (x,y). The two variables x and y denoting the values of the input sen-
sors are initially zero. Two different computations for the system in the inter-
leaving model of concurrency are shown in Figure 1.1. It is unclear what time
value should be assigned to the second (intermediate) state in either computa-
tion. There are, of course, two choices: t or r+l. If time=r+l is associated with
the intermediate states, then it is unclear what the values of x and y are at time
r+l. (Similar ambiguity arises if time=r is associated with the intermediate
states).
Figure 1.1
5The point of the above example is that viewing a behavior of a system as a
total ordering of events may generate system states which may not reflect the
behavior intended by the specification. Furthermore, if a computation of a sys-
tem is defined as a sequence of states, the notion of a system state at a point in
time is not clear because the system state may be undergoing a transition right at
that point and the value of a variable may be undefined when it is changing.
There is, however, no ambiguity regarding a change in the value of a variable at
an instant of time because it refers to the occurrence of an event at a point in
time. The formalism proposed in this thesis models concurrency as a partial
ordering of events in the system. Hence, the notion of a system state is non-
existent. A system behavior is defined as the occurrences of events which are
partially ordered in time. We shall return to this issue in Chapter 2.
1.2. Classifying Timing Constraints
Since timing constraints are assertions specifying performance require-
ments of a system, they are crucial to the correct operation of systems in a real-
time environment. This section presents an overview of two classifications of
timing constraints in the hard real-time environment.
The first classification, often used in formulating scheduling problems,
catagorizes the timing constraints into two types: sporadic and periodic [Mok
1983]. This classification is based on the temporal restrictions imposed on the
execution of actions.
• A sporadic timing constraint requires some action to be executed before a
specified deadline after the occurrence of a certain event, e.g., upon press-
ing the down-pushbutton, issue command to lower reactor control rods
within 10 time units.
• A periodic timing constraint requires some action to be executed at fixed
intervals when some condition is true, e.g., while the plane is in the emer-
gency landing mode, sample velocity and altitude every 1 second.
6The second classification catagorizes timing constraints by three types of
temporal restrictions on the events in a system [Dasarathy 85]. These restric-
tions may be imposed on the behavior of a system or its users.
A maximum requirement imposes an upper limit on the amount of time
that may elapse between the occurrences of two events, e.g., the system
responds within 200 time units after the switch is turned to the ON posi-
tion.
• A minimum requirement imposes a lower limit on the amout of time that
may elapse between two events, e.g., if the computation time of an action
is 20 time units, it will stop at least 20 time units after it starts.
• A durational requirement imposes a restriction on the length of time that
a signal (stimulus or response) must last, e.g., press pushbutton 0 for at
least 3 seconds to access the operator.
The formalism introduced in this thesis provides a uniform way for
specification of both relative and absolute timing of events including the above
timing constraints regardless of the classification preferred by a system designer.
1.3. Overview of the Dissertation
Having discussed the motivation for this work and two classifications of
timing constraints in a hard real-time enviomment, the subsequent chapters pro-
pose a formalism for the specification and verification of timign properties of
real-time systems. The approach is based on Real time Logic (RTL), a logic
especially amenable for reasoning about timing properties of these systems.
Chapter 2 presents an overview of RTL followed by the formal syntax and
semantics of the logic. The notion of an event occurrence is central to RTL; an
event occurrence marks a point in time which is of significance to the behavior
of a system. Hence, concurrency is modeled as a partial ordering of the event
occurrences in the system. A system specification and a property to be verified
can be expressed as occurrence relations on the set of event instances, and as
7arithmetical relations on algebraic expression involving the time of occurrence
of instances of events. To verify the property with respect to the system
specification, we prove that the property is a theorem derivable from the
specification. The chapter also provides an example illustraing a RTL
specification of a system responsible for monitoring the control rods in a nuclear
reactor. A safety assertion about the system is verified by employing the first-
order logic inference rules.
Chapter 3 presents an alternative notation for RTL in which a system
specification and a property to be verified are expressed as artithmetical rela-
tions on algebraic expressions involving event occurrences. The relationship of
RTL formulas to Presburger arithmetic is exploited and a verification technique
based on inequality provers is discussed. The chapter concludes with a discus-
sion on the undecidability of RTL.
Chapter 4 introduces a graph-theoretic approach for the verification of a
class of timing properties in real-time systems which are expressible in a subset
of Real Time Logic formulas. The motivation for this approach is that the RTL
formulas describing real-time system in many cases consist of arithmetic ine-
qualities (which may be quantified) involving two functions and an integer con-
stant. The proposed technique exploits this class of formulas to obtain a more
practical verification procedure. Mechanical verification of the safety assertion
in the nuclear reactor example is shown using the approach described in this
chapter.
Chapter 5 introduces a specification language, Modechart, for real-time
systems. The semantics of Modechart is described in terms of RTL formulas.
In Modechart, we make use of the concept of modes which can be thought of as
partitioning the state space of a system. Intuitively, modes can be viewed as
control information that impose structure on the operation of a system. Modes
are arranged hierarchically. Furthermore, modes at the same level of hierarchy
can be related in one of two ways: in series or in parallel. A transition can be
8specified between two modes in series, but no transition is allowed between
modes in parallel. In addition to allowing sporadic/periodic actions in modes,
the language also provides the constructs for specifying timing constraints such
as delays and deadlines on mode transitions.
Chapter 6 is on the verification of systems specified in Modechart. Given a
Modechart specification and a timing property expressed as an RTL formula, the
goal is to verify that every computation of the system satisfies the desired timing
property. Chapter 6 defines the notion of a system computation and it presents
an algorithm for constructing a transition graph which represents the computa-
tions of a given Modechart system. The chapter also introduces two classes of
timing properties expressed in RTL. For each class, decision procedures are
described for proving whether a given transition graph satisfies a property in the
class.




This chapter introduces a formal language. Real Time Logic, especially
amenable for reasoning about timing properties of real-time system. Real Time
Logic (RTL) is invented to describe systems for which the absolute timing of
events and not only their relative ordering is important. RTL is a first-order
theory and has no modal operators. Although the analysis of real-time systems
necessarily involves reasoning about system behavior with respect to time, we
do not think that temporal logic is appropriate for the task at hand. However,
since a variety of temporal logics have been proposed by a number of research-
ers for reasoning about the temporal properties of real-time programs
(e.g., [Bernstein & Harter 81], [Schwartz et al 83], [Ostroff 87]).
In general, temporal logic is more concerned with the relative order in
which actions are executed rather than the absolute timing of events. Example 2
in the previous chapter discussed some of the potential problems with the inter-
leaving model of concurrency and viewing a system behavior as a sequence of
system states. Suppose a system consists of three actions A, B, and C such that
B and C are executed in parallel after completing action A. We represent this
system by the following notation
A; (BMC)
where and Ml* denote the sequential and parallel execution of actions, respec-
tively. The computations of the above system is characterized in temporal logic
by two execution sequences: ABC and ACB, but nothing is said about the com-
pletion time of C in the first sequence or the completion time of B in the second
sequence. For our purposes, these absolute time values may appear in a safety
9
10
assertion and are therefore important. Even for the same sequence ABC, we
may want to distinguish between the execution that schedules A at time=o, B at
time=l and C at time=2 from the execution that schedules A at time=o, B at
time=2 and C at time=3. For temporal logic, this distinction is unimportant.
Furthermore, it is at the least awkward in some cases to reason about system
behavior in terms of execution sequences alone. For example, if all three
actions A, B and C each takes 1 time unit to execute and the composite action
above must be completed by time=2, then B and C must be executed in parallel
on two processors. In this case, neither of the sequences ABC nor ACB cap-
tures the desired behavior.
It has been suggested by some researchers (e.g., [Lamport 83]) that real
time can be modelled in temporal logic simply as another global variable: the
clock. The assertions involving real time will simply be temporal logic formulas
involving the clock variable. The main problem with this approach is when to
increment the clock variable in relation to the other activities in the system. One
possible way to achieve this is to insert the assignment statement:
clock := clock+c
at the end of every action where c is the time required to execute the
corresponding action. If all actions are executed in some sequential order, such
as on a single processor, then the clock variable will indeed keep track of real
time. (For this to work, we should treat each action and the clock update state-
ment at its end to be one inseparable atomic action.) Unfortunately, this is not
true when two or more actions can be executed in parallel.
Another way to model real time in temporal logic is to create a process
whose body is an infinite loop which increments the clock variable ad infinitum
([Ostroff & Wonham 87]. This approach, however, only begs the question
since we must then find appropriate scheduling restrictions so as to meter the
progress of the clock process in relation to the other processes in the system.
Since most temporal logics dictate only minimal restrictions (usually a fairness
11
criterion) on process scheduling, imposing additional scheduling restrictions
seems to move against the original spirit of using temporal logic for program
verification. More importantly, these additional scheduling restrictions will
depend on the execution environment, e.g., the rate of scheduling the clock pro-
cess when there is one processor will differ when two processors are available to
execute all the processes. Proof rules which are sound under one execution
environment may not apply under a different execution environment.
The previous discussion brings out a fundamental issue in proving real-
time properties of time-critical systems, namely, the validity of the assertions
that we want to prove about these systems often cannot be established without
knowing more details about the run-time scheduler. This is unlike the usual
safety and liveness properties of non-time-critical systems which we want to
hold true in spite of the scheduler as long as we are assured that some fairness
criterion in scheduling is met. Our Real Time Logic promises to provide a uni-
form way to incorporate different scheduling disciplines in the inference
mechanism.
2.2. Real Time Logic
The first subsection describes an informal overview of RTL. The subse-
quent two subsections provide the formal syntax and the semantics of the logic.
The final subsection introduces a convenient notation in RTL for describing a
property of a system over a time interval.
2.2.1. Overview
Real Time Logic is a first order predicate logic invented primarily for rea-
soning about timing properties of real-time systems. It provides a uniform way
for the specification of both relative and absolute timing of events. In RTL, we
reason about individual occurrences of events where an event occurrence marks
12
a point in time which is of significance to the behavior of the system. There is
an important distinction between an action and an event in RTL. An action is an
operation which requires a non-zero but bounded amount of system resources.
However, events serve only as temporal markers. An occurrence of an event
defines a time value, namely its time of occurrence, and imposes no requirement
on system resources. The execution of an action is represented by two events:
one denoting its initiation and the other denoting its completion.
Events have unique names. Two classes of events are of particular
interest: (1) start/stop events marking the initiation and completion of an action,
and (2) transition events denoting a change in a state variable.
Start and Stop Events: We use the notation ?A to represent the event
marking the initiation of action A, and iA to denote the event marking the com-
pletion of action A. For instance, TS AMPLE and isAMPLE represent the
events corresponding to the start and the stop of action SAMPLE, respectively.
Transition Events: A state variable may describe a physical aspect or a cer-
tain property of a system, e.g., an autopilot switch which is either ON or OFF.
The execution of an action may cause the value of one or more state variables to
change. A state attribute, S is a predicate which asserts that a state variable
takes on a certain value in its domain. For example, S may denote the predicate;
the autopilot is ON. The corresponding state variable transition events,
represented syntactically by (S:=T) and (S:=F), denote respectively the events
that mark the turning on and off of the autopilot switch. Whenever it is unambi-
guous, we shall use state variable and state attribute interchangeably.
In addition to the above two classes, other classes of events can be
specified when modeling a real time system. For instance, the class of external
events can be introduced to denote the events that cannot be caused to happen
by the computer system but can impact a system behavior. We use the notation
of any name in capital letters prefixed by the special letter Q. (Omega) to denote
an external event. For example, OBUTTONI represents the external event
13
associated with pressing button 1.
The occurrence relation
,
denoted by the letter © (Theta), is introduced to
capture the notion of real time. The event constants introduced earlier represent
the things that can happen in a system. The occurrence relation assigns a time
value to each occurrence of an event which happens. Informally, @(e,i,t)
denotes that the ith occurrence of an event e happens at time t
,
where e is an
event constant, i is a positive integer term, and t is non-negative integer term.
For instance, ©(isAMPLE, I,*) denotes that the first occurrence of the event
marking the completion of action SAMPLE happens at time x .
The notion of an occurrence relation is central to RTL. In particular, a
specification of a system and the timing requirements on its behavior are restric-
tions on the occurrence relation and its arguments. Observe that the occurrence
relation does not require that all occurrence of an event must happen since an
event may occur only a finite number of times or even not at all.
RTL predicates are formed from the occurrence relation, or from the
mathematical relations (=, c, <, >, >) and algebraic expressions allowing integer
constants, variables, addition, and multiplication by constants. RTL formulas
are constructed using the occurrence relation, the equality/inequality predicates,
universal and existential quantifiers, and the first-order logical connectives
( Before presenting a formal treatment of Real time Logic in the next
section, a simple example will be shown to illustrate how the specification of a
system can be expressed in RTL.
Example:
Consider the English description of a simple system which samples and displays
information on demand from an external stimulus. Upon pressing button #l,
action SAMPLE is executed within 30 time units. During each execution of this
action, the information is sampled and subsequently transmitted to the display
t The standard precedence order is assumed for these connectives. —i has the highest precedence, A and V the next
highest precedence, and —￿ the lowest precedence.
14
panel. The computation time of action SAMPLE is 20 time units. The follow-
ing set of formulas is a partial description of the system in RTL:
Recall that a transition event marks a change in the value of a state vari-
able. RTL provides a notational device, called a state predicate, for asserting
the truth value of a state variable (e.g., the autopilot switch of an airplane being
in the ON position) during an interval. The syntax and formal definition of state
predicates are presented at the end of section 2.
2.2.2. The Language of Real Time Logic
We begin by introducing the language of Real Time Logic. The formulae
of RTL are made up of the following symbols:
• The truth symbols true andfalse
• A set of variable symbols
• A set of constant symbols C
• A set of event constant symbols D
• The function symbol ’+’
• The predicate symbols c, <, >, >, =
• The occurrence relation symbol 0
• The logical connectives A, V, —, and
• Existential and universal quantifier symbols 3»V.
The terms of RTL are expressions built up according to the following rules:
• The constant symbols in C are terms.





then the function application
ViYt O(QBUTTONI,i,t) -4 [3x,y O(TSAMPLE,i,x) A o(isAMPLE,i,y)
A t < X A y
< t + 30 ]
YiYx,y [ O(tSAMPLE,i,x) A O(iSAMPLE,i,y) ] x+2o < y
15
h + t 2
is a term.
The propositions of RTL are constructed according to the following rules:













are terms and e is an event constant, then
©(<? ,t lf t 2)
is a proposition.
The formulae of RTL are constructed from the propositions, logical connectives
and quantifiers in the usual fashion.
2.2.3. The Meaning of an RTL Formula
An interpretation for an RTL formula must assign a meaning to each of the
free symbols in the formula. It will assign elements from a domain to the con-
stants, functions (over the domain) to the function symbols, and relations (over
the domain) to the predicate symbols.
Let N be the set of natural numbers, and E be a set of events. An interpre-
tation / over the domain NuE assigns values to each of a set of constant, func-
tion, and predicate symbols, as follows:
Each element in the set of constant symbols C is assigned an element in N.
Each element in the set of event constant symbols D is assigned an element in
E. The function symbol ’+’ is integer addition. The predicate symbols c, <, >,
>, and = are assigned the usual equality/inequality binary relations. The predi-
cate symbol 0 is assigned an occurrence relation.
Definition: An occurrence relation is any relation on the set
16
where Eis a set of events, Z
+
is the set of positive integers, and Nis the set of
natural numbers, such that the following axioms hold:
Monotinicity Axioms: For each event e in the set E,
The first axiom requires that at most one time value can be associated with each
occurrence i of an event e
,
i.e., the same occurrence of an event cannot happen
at two distinct times. The second axiom expresses the requirement that if the
ith occurrence of an event e happens, then the previous occurrences of e must
have happened earlier. This axiom also requires that two distinct occurrences of
the same event must happen at different times.
Start!Stop Event Axioms: For each pair of start/stop events in the set E,
where TA and iA denote the events marking the start and stop of an action A,
respectively. The above axiom requires every occurrence of a stop event to be
preceded by a corresponding start event.
Transition Event /Axioms: For the transition events in the set E corresponding to
a state variable S,




ViVtVt’ [o(e,i,t) A o(e,i,t’)] -> t= t’
Vi Vt [ o(e,i,t) A i > 1 ] -> o(e,i-l,t’) A t’ct]
ViVt 0(4.A,i,t) -> [3'’ ©(TA,i,t’) A t’ct]
if S is initially true,
0((S:=T),1,O)
ViVt o((S:=F),i,t) —»[3l’ o((S;=T),i,t’) A t’ct]




The preceding transition event axioms define the order in which two comple-
mentary transition events can occur depending on whether S is initially true or
false.
2.2.4. State Predicates
A specification of a real-time system often refers to properties of the sys-
tem over time. One way to express these assertions is to introduce predicates
which are time-dependent, as is done in temporal logic. In RTL, these asser-
tions are expressed as formulae involving the occurrence relation on the
appropriate transition events and inequality relations on the time of occurrences
of these events. For convenience, RTL uses a notational device, called a state
predicate, for asserting the truth value of a state variable (e.g., the autopilot
switch of an airplane being in the ON position) during an interval.
Suppose S is a state variable whose truth value remains unchanged over an
interval. RTL provides nine different forms of state predicates to assert the
value of S over an interval, depending on the boundary conditions:
Each state predicate qualifies the timing of two events, one marking the transi-
tion event that changes the value of the state variable to true and the other mark-
ing the transition event that changes the value of S to false. The two arguments,
x and y, in the state predicates are used in conjunction with the symbols "[", "]",
"(", ")", "<" and ">" to denote an interval over which the state variable remains
true.
0((S:=F),1,O)
ViVt o((S:=T),i,t)->(3t’ o((S:=F),i,t’) A t’<t]
Vi Vt o((S:=F),i+l,t) —» [ 3 1
’
o((S:=T),i.t’) A t’<t]
S[x,y], S(x,y), S<x,y>, S[x,y), S[x,y>, S(x,y], S(x,y>, S<x,y], and S<x,y).
18
The convention we use for arriving at this syntax requires some explana-






occurs at time x,
"(x
"





occurs before time x,
"
y]" denotes that occurs at time y,
"
y)" denotes that Er does not occur before time y,
"
y>" denotes that does not occur before or at time y,
For example, the state predicate S[x,y] indicates that a state variable S is true
exactly during the interval between x and y. That is, a transition event making S
true occurs at time x; S remains true between x and y; and the transition event
making S false occurs at time y. Consider another example, the state predicate
S(x,y) denotes that a state variable is true during the interval between x and y,
but it says nothing about the value of S before time x or after time y. Observe
that we use this notation only when x < y and that we do not require the second
event to occur in all cases. The formal definitions of these state predicates fol-
low.
Definition:
If a state variable S is initially true, 0((S:=T),1,O),
S[x,y] = 3i o((S:=T),i,x) A o((S:=F),i,y)
S[x,y) =3i o((S:=T),i,x) A [Vt o((S:=F),i,t) y<t]
S[x,y> = 3i o((S:=T),i,x) A [Vt o((S:=F),i,t) ->y<t]
S(x,y) a 3i3t o((S:=T),i,t) A t<x A [Vf o((S;=F),i,f) -> y<f ]
S(x,y] = 3i3t o((S:=T),i,t) A t < x A o((S:=F),i.y)
S(x,y> = 3>3' 0((S:=T),U) A t<x A [Vf o((S:=F),i,t’) -» y<f ]
S<x,y> =3■ 3 1 o((S:=T),i,t) A t <x A [Vt’ o((S:=F),i,f) y<f ]
S<x,y] = 3i3t ©((S;=T),i,t) A t <x A o((S:=F),i,y)
S<x,y) > 3>3* o((S;=T),i,t) At< x A (Vf o((S:=F),i,t’) -» y<t’)
19
When both arguments of a state predicate are the same, two very useful
predicates are defined. Specifically, the state predicate S(x,x) says that a system
attribute S is true at an interval around time x. Similarly, S<x,x) denotes that S
is true prior to time x, i.e., S becomes true sometime before time x and it
remains true at least up to time x.
Similar state predicates can be defined for the case when a state variable is
false during an interval: S [x,y], S (x,y), S <x,y>, etc. The formal definitions for
these predicates are straightforward: replace each (S:=T) with (S:=F) and vice
versa in the above definitions.
2.3. Example: Moving Control Rods in a Reactor
This section describes an example illustrating the specification of a system
in RTL and it verifies a safety property with respect to the specification.
If a state variable S is initially false, ©((S:=F),1,0),
S[x.y] = 3i o((S:=T),i,x) A o((S:=F),i+l,y)
S[x,y) = 3i o((S;=T),i,x) A [Vt o((S:=F),i+l,t) -> y<t]
S[x,y> s 3‘ ®((S:=T),i,x) A [Vt o((S:=F),i+l,t) ->y<t]
S(x,y) s 3i3t o((S:=T),i,t) A t<x A [Vt* o((S:=F),i+l,t’) -> y<t’]
S(x,y] = 3i3t o((S:=T),i,t) A t <x A o((S:=F),i+l,y)
S(x,y> =3i 3t o((S:=T),i,t) At< x A [yt’ o((S:=F),i+l,t’) y<t’ ]
S<x,y> = 3i3t o((S:=T),i,t) A t <x A [yt’ o((S:=F),i+l,t’) -> y <t’ ]
S<x,y] = 3i3t o((S:=T),i,t) A t<x A o((S:=F),i,y)
S<x,y) = 3i3t o((S:=T),i,t) A t<x A [Vf o((S:=F),i+l,t’) -> y<t’]
20
2.3.1. Specification
This example involves a system used to monitor and control a reactor.
Specifically, it concerns the part of the system responsible for moving the con-
trol rods in a reactor. (Lowering a control rod slows down a nuclear reaction.)
For simplicity, we assume that the system is currently configured with two pri-
mary control rods. As shown in Figure 2.1, three asynchronous components are
involved in moving the control rods: Subsystem 1, Subsystem 2, and Manager.
Upon pressing pushbutton #l, Subsystem 1 executes an action to ensure
the conditions are satisfied for moving control rod #l, then it requests permis-
sion from the manager to move a rod. After the manager grants the request.
Subsystem 1 issues the appropriate commands to the reactor to move rod #l.
The specification imposes two timing constraints on Subsystem 1:
• When the request is granted by the manager, the action to move the rod
must be started within 5 time units, and
• at most 20 additional time units is required to complete the action to move
the rod.
Subsystem 2 performs similar tasks for moving control rod #2 with identical
timing constraints. The details about the behavior of Manager are hidden at this
level of specification. However, the following timing constraint is imposed on
Manager:
• After granting a request. Manager must wait at least 30 time units before
granting another request.
There is no signal from Subsystem 1 or Subsystem 2 to inform Manager after a
rod movement has been completed. Hence, Manager can only rely on the
enforcement of the preceding timing constraint to decide when a granted request





For ease of understanding, we list below the physical interpretation of the
events which will appear in the RTL specification of the above system.
QBUTTONI : external event denoting pushbutton #1 is pressed
Trai ; start of action to request access by Subsystem 1
'i'RAl : stop of action to request access by Subsystem 1
GRANTI:=T : event denoting request by Subsystem 1 is granted
GRANTI:=F : manager assumes the granted request is released
tMOVEI : start of action to move control rod #1
iMOVEI ; stop of action to move control rod #1
The remaining events ?RA2, iRA2, GRANT2:=T, GRANT2:=F, TMOVE2,
and iMOVE2 have similar meanings.
The preceding English description of the system can be specified formally
1*
in RTL, as shown below.
#
# specification of subsystem 1
# specification of subsystem 2
t Certain RTL axioms, as described in [Jahanian & Mok 86a], are omitted here since they










t’) A t < t* ] (SPI)
VxVt O(TrAI ,x,t) -> [3f 0(vlRAl ,x
,
t’) A t <t’ ] (SP2)
VxVt o(ißAl,x,t) -> [3t* O((GRANTI:=T) , x , O A t< t* ] (SP3)
YxVt ©((GRANT 1:=T) ,x,t) -> [3f ©(TmOVEI ,x,t’) a t<t’ a t’<t +s] (SP4)
YxVt ©(TmOVEI ,x,t) -> [3t* O((GRANTI:=T) ,x
,




, t) -» [3t* ©(nIMOVEI , x , t’) A t< t’ a t’ < t +2O (SPS)
#
#
Vx Vt O(£2BUTTON2 ,x, t) -* ot’ O(TRA2 ,x
,





t) -> [3t* o(ißA2,x,t’) a t<t’ ] (SP7)




t’) a t< t’ ] (SPB)
VxVt O((GRANT2;=T) ,x,t) -> [3f O(TmOVE2 ,x , t’) A t <t’ A t’<t+s] (SP9)
23
(SP10)
# specification of manager
#
2.3.2. Safety Assertion
Since Subsystem 1 and Subsystem 2 are asynchronous, the requests to
move the rods are made at arbitrary times. The desired safety property is that
the reactor rods should be moved one at a time. In other words, execution of the
action to move rod #1 may not overlap with the execution of the action to move
rod #2.
Safety Assertion in RTL:
2.3.3. Verification
The RTL formulas describing the system specification and the safety asser-
tion were presented in subsections A and B. The proof of the safety assertion
from the system specification is shown below.








VxVt ©((GRANT I:=T),x ,t) [3t’ ©((GRANT 1 :=F),x+l
,
t’) at + 30<t’] (SP11)




t’) At + 30 <t’ ] (SPI2)















Vi,jVt 1 ,f2,r3,t4 O(TmOVEI
A 0(-lMOVEl ,i,r 2) A
O(TmOVE2
,
j ,r 3 )
A O(iMOVE2, j, r 4)





t Assumption for ConditionalProof
t Modus Ponens
24
1. Show Safety Assertion
2. Show ©(TMOVEI ,I, T{) a ©(vIMOVEI ,I,T£ a
©(TMOVE2 ,J , T 3) a O(iMOVE2 .J. 74 )
-+ Ti<T x v 7 2 <7 3
3. a. ©(tMOVEI ,1,70 ACPI-









4. a. 3 1
’
O((GRANTI:=T), I, t’) At’<T\ A 7 1 <t’ + 5 V Instantiation, 3.a, SP4’,
MP^
b. O((GRANTI:=T), I 17 s)a7 5 <7l a7i<7s + 5 3 Elimination, 4.a
5. a. ®((GRANTI:=F), I+l, t’) a 7 S +3O <t’ V Instantiation, 4.b, SPII, MP
b. O((GRANTI:=F), I+l, 7 6 )a7 5 + 30<7 6 3 Elimination, 5.a
6. 7i+2s<7g Transitivity Axiom, 4.b, 5.b
7. a. j4t’©(4.MOVEI, 1, t’) a t’<7i+2o V Instantiation, 3.a, SPS, MP
b. ©(iMOVEI, I, 72) A7 2 <7i+ 20 3 Elimination, 7.a




6 Transitivity Axiom, 6,7. c
9. a. O((GRANT2:=T), I, 7 8)a7 8 <73 a73< 78 +5 similar to step 4.b
b. O((GRANT2:=F), I+l, 7
9





similar to step 8
10. 7 9 <7 s v76 <7 8 V Inst, 4.b, 5.b, 9.a, 9.b, MP
11. Show7 6 <7 8 —> 72 <7 3
a. 76 <7 8 ACP
b. 7 6 <7 3 Transitivity Axiom, 9.a, 11. a




s—>5 —>74 <7 x Similar to proof in step 11
13. 74 <7iV7 2 <7 3 Disj Exploitation 10, 11, 12
14. ViJVfl.f2.f3.f4 ©(TMOVEI ,i. fx) a ©(J/MOVEI ,i, f2) a
O(?MOVE2
, j ,f 3) a O(iMOVE2 .j . f 4)
—> f 4 <fi v f2< f 3 Universal Generalization
Chapter 3
Inequality Provers and RTL
This chapter presents an alternative notation for RTL which first appeared
in [Jahanian & Mok 86a]. Instead of using the occurrence relation © to relate
event instances to their time of occurrence, the alternative notation defines a
function which maps an instance of an event to a non-negative integer denoting
its time of occurrence. This occurrence function, denoted by the "@" symbol,
can be used in mathematical relations to specify the behavior of a system and
the property to be verified. The second part of this chapter discusses the appli-
cation of well-known inequality provers in mechanical verification of timing
properties of systems specified in RTL.
3.1. Alternative RTL Notation: Occurrence Function
In chapter 1, an occurrence relation was defined to be any relation on the
set
such that the monotonicity axioms, start/stop event axioms, and transition event
axioms hold. An important property of the H relation is that an instance of an
event e can be related to exactly one integer time value:
Consequently, one can define the following useful abbreviation. We define the
function
such that @(e,i)=t if and only if o(e,i,t) C€ E, ie Z
+
,
and te N. The @ function










zth occurrence of event e. For instance, (S)(TSAMPLE,!) denotes the time of
the first occurrence of the event marking the start of action SAMPLE.
RTL formulas are constructed from the equality/inequality predicates, state
predicates, universal and existential quantifiers, and the first-order logic connec-
tives. Relative and absolute timing requirements imposed by the system
specification and the property under investigation are restrictions on the @ func-
tion. Unless otherwise stated in the subsequent chapters of this report, a refer-
ence to an RTL formula refers to the notation described above.
Example 1:
Consider the English description of a simple system which samples and displays
information on demand from an external stimulus.
Specification: Upon pressing button #l, action SAMPLE is executed within 30
time units. During each execution of this action, the information is sampled and
subsequently transmitted to the display panel. The computation time of action
SAMPLE is 20 time units. The following set of formulas is a partial description
of the subsystem in RTL.
Vx @(QBUTTONI ,x) < @(TSAMPLE,x) A @(is AMPLE,x) < @(QBUTTONI,x) +3O
Vy @(tSAMPLE,y) + 20 < @(iS AMPLE ,y)
Safety Assertion: If the transmitted information is displayed within 10 time units
of the completion of action SAMPLE, we are assured that within 40 time units
of pressing button #l, the requested information will be displayed. The safety
assertion expressed in RTL follows.
VuVt @(4SAMPLE,u) < @(QDISPLAY,t) A @(QDISPLAY,t) < @(4sAMPLE,u) + 10
@(£2BUTTONI,u) < @{X2DISPLAY,t) A @(&DISPLAY,t) < @(aBUTTONI,u) + 40
27
3.2. A Reasoning System Based on Inequality Provers
The major components of a verification system can be divided into three
parts; system specification, property under investigation, and a verification pro-
cedure. A systems specification is a behavioral description of the real-time sys-
tem, i.e., a set of constraints imposed on the behavior of the system in question.
A property under investigation is an assertion (in RTL) which describes the pro-
perty of the system to be verified. Finally, a verification procedure describes
how to manipulate the known facts about the system to determine if the desired
property is consistent with the specification.
It is crucial to point out that a property to be verified can be viewed as just
another constraint added to the specification of the system. Thus we may
employ the same model used in specifying a system to express the property in
question. In other words, properties to be verified are expressed as RTL formu-
las. This allows the verification of a system to be carried out as proving a
theorem: the property is shown to be a theorem derivable from the specification.
3.2.1. From RTL to Presburger Arithmetic
We have thus far shown how to express a system specification and a pro-
perty to be verified in terms of RTL formulas. We now turn to the issue of rea-
soning about the timing properties of real-time systems. Even though there are
more than one type of constants, a
RTL formula currently consists of only alge-
braic relations and state predicates connected by first order logic operators. The
state predicates in turn can be expanded into simple algebraic relations (see sec-
tion 2.2.4). Hence the formulas that we have to analyze contain only integer
terms. This raises the possibility of using a procedure similar to those used for
deciding Presburger arithmetic. (Informally, Presburger formulas are those con-
structed from integer constants, integer variables, the addition function, the
predicates (c, <, >, >, =), and the first-order logical connectives.) However, RTL
formulas may contain constants other than integers (namely, event constants)
28
and these are not allowed in Presburger Arithmetic. We will show how RTL for-
mulas can be mechanically transformed into the equivalent formulas in Pres-
burger Arithmetic with uninterpreted functions.
Eliminating state predicates and non-integer constants from RTL formulas:
Given a system specification in terms of RTL formulas, the following
transformation procedure describes how state predicates and non-integer con-
stants can be eliminated.
1) In each formula, replace each state predicate with its definition as
described in section 3.7. This step in effect substitutes, for each state
predicate, a subformula containing only algebraic relations.
2) Recall that event constants only appear within occurrence functions of the
form @(e,i) where e is an event constant and i is an integer
variable/constant. For each event constant e, define an uninterpreted func-
tion f mapping from Wto W where Wis the set of non-negative integers.
Then replace each appearance of @(e,i) in RTL assertions by the
corresponding uninterpreted integer function f (i).
Example 2:
The RTL formulas describing the specification and the safety assertion in Exam-





(u)<h(t) A h(t) < g
2
(u) +lO —> f(u)<h(t) A h(t)<f(u) +4O
In the above formulas, x, y, u, and t are variables, f, gp g 2,
and h are
Vx A g2
(x) < f(x) +3O





uninterpreted integer functions which correspond to the occurrence functions for
pressing button #1 (event f2BUTTONI), start of action SAMPLE (event TsAM-
PLE), stop of action SAMPLE (event and the external event denot-
ing the display of information on the panel (event QDISPLAY), respectively.
3.2.2. Inequality Theorem Provers
Much research has been devoted to finding decision procedures for Pres-
burger Arithmetic and determining the complexity of such algorithms,
e.g., [Cooper 71], [Cooper 72]. Unfortunately, it has been shown that a decision
procedure for the full Presburger Arithmetic is inherently computationally
expensive and these algorithms are therefore not practical for nontrivial prob-
lems (see section 2 in
tShostak 79 i for a brief historical perspective). Other
works (e.g., [Bledsoe 74],[Shostak 77]) have concentrated on the subclass of
quantifier-free Presburger formulas. [Shostak 79] further extended the work on
quantifier-free Presburger logic to include uninterpreted functions. This allows
us to have unrestricted universal and existential quantifiers in the formulas: The
idea is to replace all the existentially quantified variables by the corresponding
Skolem constants or functions. In [Bledsoe & Hines 80], Bledsoe and Hines
describe a resolution-based procedure for proving theorems about general linear
inequalities. These last two procedures provide the necessary tools for analysis
of RTL formulas. As suggested earlier, applying the above transformation to
the specification of a system expressed in RTL allows us to use the existing ine-
quality theorem provers such as the one described in [Bledsoe & Hines 80].
Overview ofBledsoe & Hines’ Approach:
To show that a safety assertion SA is consistent with a system specification
SP, it must be proved that the formula F=SP —> SA is valid. This is
equivalent to showing that —iF is unsatisfiable.
30
Bledsoe and Hines based their approach on a modified resolution pro-
cedure to show that —iF is unsatisfiable. The formula —iF is transformed into
clausal form first. A special clause called TY is defined which is essentially a
conjunction of ground inequality literals. (Due to a splitting procedure, ground
literals are guaranteed to occur only in unit clauses.) The TY clause can be
checked for a contradiction by using a ground inequality prover, such as the one
described in [Shostak 77], [Shostak 79].
i*
During each resolution cycle, a chaining procedure is applied to generate
a new resolvent R. If R is false, the proof is successfully terminated. If R is a
ground inequality clause, it is added to TY, and then checked for a contradic-
tion. Otherwise, after removing eligible variables, R is simplified, split into
independent clauses if possible, and added to the set of clauses for subsequent
resolution cycles. This procedure is continued until a contradiction is detected,
thus proving the unsatisfiability of —iF.
The verification procedure by Bledsoe and Hines is shown to be
complete [Bledsoe el al 81]. However, completeness requires: 1) mandetory
variable elimination, and 2) retention of tautologies. Both requirements tend to
degrade the performance of this procedure, and therefore are not employed in
practice.
Example 3:
We now show how the safety assertion in Example 2 is shown to be a theorem
derivable from the system specification. The approach by Bledsoe and Hines is
applied for the mechanical verification of the property. First, the RTL formula
consisting of the system specification and the negation of the safety assertion is
+
transformed into clausal form.
T Then, the conjunction of these RTL clauses is
t The chaining procedure for producing new resolvents is essentially a "limited application" of the
transitivity axiom. Specifically, (a<c)9 is inferred from a<b and b’cc if b or b’ is an uninterpreted function
containing at least one variable, and b and b’ are unifiable with the most general unifier 0.
$ Most books on automated theorem proving and mathematical reasoning contain a discussion on
transforming first-order logic formulas into clausal form (see, e.g., [Chang & Lee 73], [Bundy 83], [Wos et
al 84]).
31
shown to be unsatisfiable, thus proving the safety assertion is consistent with the
specification.
The clausal form of the specification and the negation of the safety assertion in
Example 2 are shown below. U and T are Skolem constants corresponding to











Chaining, 1, c 5
Chaining, 2, cl
Chaining, 3, c 3
Ist literal in 4 unsat.
Chaining, 5, c 2
3.3. Remarks on the Undecidability of RTL
RTL in full was shown to be undecidable in[Jahanian et al 88a]. The
proof, due to Douglas Stuart, uses a reduction to the acceptance problem for
deterministic two counter machines. A formula is constructed which simulates






(z) f(z) + 30
g
x







h(T) < f(U) V f(U) + 41 <h(T)
1. g
2
(U) < f(U) v f(U) +4l < h(T)
2. g2










(U) +2o< g 2 V f(U) +3l < g2(U)
5. f(U) + 31 < g2 (U)
6. □
32
only if the machine does not accept the input. Therefore, if a procedure existed
to decide the satisfiability of any RTL formula, that procedure could be used to
decide the acceptance problem for two-counter machines, which is already
known to be undecidable.
The subclass of quantifier-free Presburger arithmetic with uninterpreted
integer functions has been shown to be decidable in [Shostak 79]. If a Pres-
burger formula containing uninterpreted functions (or predicates) is universally
quantified, Shostak shows that F can be reduced to an equivalid formula F’ free
of uninterpreted functions. The correctness of the reduction is straightforward;
given a model for —iF, one can construct a model for -iF’, and conversely. Since
F' is a Presburger formula, its validity can be checked by a decision procedure
for Presburger arithmetic.
The class of RTL formulas in [Jahanian & Mok 87] also has a subset for
which a decision procedure for determining the satisfiability (or unsatisfiability)
of a formula in the subclass can be shown. Suppose an RTL formula is of the
form
such that each C
{
is of the form
where Q
t
is the prefix (quantifiers) for the disjunction and each Lj is an arith-
metical relation. Furthermore, suppose that each inequality Lj is of the form
occurrence function ± integer constant < occurrence function
where the occurrence functions contain integer variables quantified by the
corresponding matrix. Note that the negation of an inequality can be replaced
by an equivalent inequality without the negation.
Theorem: The above subclass is decidable if the quantifiers in each prefix Q i





are either all V or all —t.
Proof: The proof of this theorem follows directly from Herbrand’s Theorem.
Suppose F is a formula in the above subclass. From the hypothesis, skolemizing
F produces a set of clauses S such that each skolem function in S is a 0-place
function, i.e., a constant. Furthermore, the integer variables in S (denoting
occurrences) appear only inside occurrence functions. Since the function
does not take an instance of itself as an argument, the Herbrand Universe is
finite. By Herbrand’s Theorem, the set of clauses in S is unsatisfiable iff there is
a finite unsatisfiable set S’ of ground instances of S. Since Herbrand’s universe
is finite, its powerset is finite and so there is a finite number of ground instances
of S which must be checked. Checking a finite set of ground clauses can be
done using any decision procedure for propositional logic.
□
3.4. Efficiency Considerations
In complex real-time systems, verifying an assertion against the full
specification of the system may be inefficient. For some systems, it may be the
case that only a subset of the specification can have a bearing on the validity of
a particular safety assertion. In this case, much effort can be saved if we can
"filter out" the irrelevant assertions from the systems specification before we
invoke the primary analysis procedure. For example, if a safety assertion can be
expressed in the form of a state predicate about a system attribute S, then we
may be able to conclude its validity just from the set of assertions which can
directly or indirectly cause a transition of S to occur. If we can determine such a
set of supporting assertions by an efficient procedure, e.g., by computing a tran-
sitive closure using the accountability and causal assertions, then the primary
procedure may only have to contend with a much smaller set of axioms.
34
Another possible source of efficiency gain is the operating characteristics
of the real-time system itself. The operation of many process control systems is
often structured according to different modes. Intuitively, a mode corresponds to
some assertion(s) about the values of a set of system attributes, e.g., an airplane
is in emergency landing mode if the hydraulic pressure in the landing gear sub-
system is below a critical value or if the fuel gauge indicates an empty tank. The
key here is that the assertions in a system specification are often qualified by a
collection of modes, i.e., they are required to be true only under those modes.
Under other modes, these assertions need not be true. If there is an easy way for
us to deduce that a given safety assertion is true in certain modes and these
modes include all the ones that qualify a certain assertion p in the system
specification, then we ought to be able to prove the validity of the safety asser-
tion without making use of p at all.
It is interesting to point out that techniques to improve the efficiency of the
inference mechanism such as the ones mentioned above often enable us to prove
the validity of a safety assertion independent of whether a feasible schedule (one
that meets all the performance requirements of the system) exists.
Although existing procedures for Presburger Arithmetic with uninterpreted
functions is suitable for our purposes, greater efficiency may be achieved by
inventing a procedure which is tailored specifically for our domain. For exam-
ple, consider the observation that the RTL assertions described in this paper do
not contain algebraic relations involving functions that take an instance of the
same function as an argument. An analysis procedure that takes this fact into
consideration may indeed provide a more efficient prover for checking ground
inequality unit clauses.
For large systems, general techniques for improving the efficiency of the
inference mechanism alone are probably inadequate to render the verification of
a complete design practical. In such cases, good software engineering methods
must be developed to ease the job of design verification by restricting design
35
complexity. A good design method should encourage designers to structure
their systems so that each safety property can be established from a readily
determinable subset of the systems specification.
Chapter 4
A Graph-Theoretic Approach for Timing Analysis
This chapter presents a graph-theoretic algorithm for safety analysis of a
class of timing properties in real-time systems which are expressible in a subset
of Real Time Logic (RTL) formulas. Our procedure is in three parts: The first
part constructs a graph representing the system specification and the negation of
the property to be verified. The second part detects positive cycles in the graph
using a node removal operation. The third part determines the consistency of
the desired property with respect to the system specification based on the posi-
tive cycles detected. The implementation and an application of this procedure
will also be described.
4.1. Motivation
In the preceding chapter, we presented a formal approach based on RTL
for the specification and verification of timing properties in real-time systems.
A property under investigation is shown to be consistent with respect to a sys-
tem specification by proving that the conjunction of the RTL formulas
representing the system and the negation of the timing property is unsatisfiable.
After transforming the RTL formulas into predicates in Presburger Arithmetic
with uninterpreted integer functions, it was shown that well-known procedures
(such as the resolution-based system in [Bledsoe & Hines 80]) for proving
theorems about general linear inequalities may be used to perform the analysis.
These procedures are in general semi-decision procedures since Presburger
Arithmetic with even a single uninterpreted function is undecidable [Downey
72]. In practice, however, it has been observed that existing procedures work
quite well with at least small problem instances.
36
37
Since a decision procedure for Presburger Arithmetic is at least double
exponential, any proof method for RTL based on existing methods is likely to
be impractical for large problems. In this chapter, we shall present a more prac-
tical procedure for the verification of timing properties which are expressible in
a subset of RTL. While our algorithm (like other well-known algorithms for
Presburger arithmetic with uninterpreted functions) is not a decision procedure,
it exploits an efficient constraint-graph technique in integer programming and
should work substantially faster for modularly designed systems for which the
violation of a safety property can be related to a small subset of the
specification.
There are two primary approaches for attaining greater efficiency. For
some systems, it may be the case that only a subset of the specification can have
a bearing on the validity of a particular property. Hence, much effort can be
saved if we can "filter out" the irrelevant assertions from the system
specification before invoking the primary decision procedure. The second
approach improves the efficiency of the inference mechanism by considering
subclasses of RTL formulas which are not too restrictive in describing the sys-
tem specifications, but allow the use of more efficient analysis procedures.
Alternative ways for improving efficiency based on the first approach will be
discussed in the subsequent chapters. This chpater describes a graph-theoretic
verification procedure for rather expressive subclass of RTL formulas.
In coming up with this procedure, we were motivated by the following
observations:
(1) The RTL formulas describing real-time systems in many cases consist of
arithmetic inequalities (which may be quantified) involving two terms and
an integer constant where a term is either a variable or a function.
(2) The RTL formulas of interest do not involve arithmetic expressions that
contain a function taking an instance of itself as an argument.
38
The preceding observations hold even after RTL formulas are translated
into the corresponding formulas in Presburger Arithmetic with uninterpreted
functions. The first observation suggests that a graph-theoretic approach may be
useful in the analysis. It is well known that an algorithm for finding the shortest
paths from a single source, [Lawler 76], can be used for the simple integer pro-






are variables and ±a is an integer constant. An alternative formulation of
this problem allows the construction of a constraint graph for a given set of ine-
qualities. Each variable is represented as a node in the graph, and an inequality
x- ±a-j <Xj
is represented by a directed edge with weight ±a-j connecting to
yj.
The given set of inequalities is unsatisfiable if and only if there is a cycle in
the graph with positive weight on it. However, the formulas in our analysis
involve quantifiers, functions, and disjunctive clauses, thus requiring a more
complex representation and a more complicated algorithm.
The organization of this chapter is as follows: The remainder of this sec-
tion introduces the proposed subclass of RTL formulas. Section 4.2 describes
how a special type of graph can be constructed for a given formula consisting of
the system specification and the negation of the timing property in question.
Section 4.3 gives a few preliminary definitions and describes the relationship
between the unsatisfiability of a formula and cycles in the corresponding graph.
Section 4.4 presents an algorithm for detecting positive cycles in a graph; Sec-
tion 4.5 introduces an algorithm for showing the unsatisfiability of the original
formula based on the positive cycles detected in the corresponding graph. Sec-
tion 4.6 discusses the implementation of the analysis procedure and Section 4.7
the mechanical application of the procedure to an example nuclear reactor con-
trol rod problem.
39
4.1.1. Subclass of RTL Formulas
This subsection describes and gives examples of the subclass of RTL for-
mulas for which a verification procedure will be presented in the subsequent
sections. Specifically, we restrict ourselves to arithmetic inequalities of the
form:
occurrence function ± integer constant < occurrence function
Of course, variables in an occurrence function can be arbitrarily quantified by V
and 3
•
Furthermore, inequalities may be connected using the usual logical con-
nectives (A ,V
,
—>). Negation of an inequality can always be replaced by an
equivalent inequality without the negation. For example, —i (@(Epi) <
can be replaced by @(£2o) + 1 < @(Epi).
The above subclass allows inequalities involving two occurrence functions
and an integer constant. Intuitively, this is consistent with the view that the tim-
ing constraints of a real-time system is often represented as imposing an integer
constant lower/upper bounds on occurrences of pairs of events, e.g., event E.
occurs 20 time units after occurrence of event Ej, or event
E. occurs at least 10
time units after event Ej.
The RTL formulas of Example 1 in Chapter 3 all subscribe to the above
restriction, thus they fall within the subclass. The formula
for example, is not a member of the subclass described above, because the first
argument of the predicate < is the sum of a function and a variable.
Given a systems specification SP and a safety assertion SA expressed in
the subclass of RTL, the objective is to show that SA is consistent with SP by
proving that the formula F
is unsatisfiable. As in Chapter 3, to perform the unsatisfiability proof, we
Vx 3 y @(TS AMPLE,x) + y < @(iSAMPLE,x),
SP A -,SA
40
transform the RTL formula F into the corresponding formula F’ in Presburger
Arithmetic with uninterpreted integer functions. For each event e, this transfor-
mation replaces each occurrence function @(e,i), where i is an integer or a vari-
able, by a function f (i). Observe that f is an uninterpreted function defined for
0 0
the event constant e. We then put F’ in clausal form and apply our procedure to
determine if it is indeed unsatisfiable.
Let F" denote the clausal form of F’, i.e., F" is a formula of the form:
Each C is a disjunctive clause






are uninterpreted integer functions (replacing the occurrence
functions), and I is an integer constant.
4.2. Graph Representation
Given a formula F" in the form described in the previous section, we con-
struct a weighted graph G in which nodes (vertices) denote the terms in F"
which are not integer constants, edges represent the literals, and the weights
denote the corresponding integer constants in literals.












± I < V
2
±l
V 1 »j v 2
41
Throughout this chapter, we shall use the letter v to denote vertices in graphs (or
corresponding terms in formulas), and <v,- , v
;
> to denote a directed edge from
node Vj to node Vj .
Nodes representing terms involving the same function symbol will be
clustered together so that we can keep track of the consistency among the dif-
ferent instances of the same function. For this purpose, we can view the nodes
in a graph G as being partitioned into a collection of disjoint clusters where each
cluster is a set containing one or more nodes. All nodes with the same function
symbol belong to a single cluster.
Example 1:
Consider the following formula containing two unit clauses:
f, g, and h are integer functions symbols,
x is a free variable,
X is a skolem constant.
The corresponding graph is shown in Figure 4.1. Notice that g(x) and g(X) are
in one cluster because they share the same function symbol. f(x) and h(X) each
belong to a cluster containing only one member. □
FIGURE 4.1
f(x) + 10 < g(x)
g(X) < h(X)
42
Given a formula F", Algorithm 1 below describes how the corresponding
graph G is constructed. Algorithm 1 iteratively adds all the literals in a clause to




labeled v { and v 2 are
added to the graph, and a directed edge <v x ,v 2 > with
weight ±1 is created. Obviously, if either v i or v 2 has already been added to the
graph, then it is not necessary to have duplicate nodes. For instance, consider
adding the literal
to the graph in Figure 4.2 which already has a node labeled h(X). Adding the
above literal produces the graph in Figure 4.3 with one additional node f(X) and
an edge connecting f(X) to h(X) with weight 20.
FIGURE 4.3
f(X) + 20 < h(X)
43
ALGORITHM 1: Graph Construction




(1) Find the cluster corresponding to the term v
(The cluster is associated with the function symbol of v 1 .)
If the cluster does not exist, create an empty one.
(2) Search the cluster from step 1 for a node labeled v
If not found, add the node to the cluster.
(3) Repeat steps 1 and 2 for the term v2.
(4) Add a directed edge <v l 5 v 2> with weight ±1 from node v to node v2.
Example 2:





Figure 4.4 illustrates the corresponding graph from Algorithm 1. In this exam-
ple, it is possible to replace y and z by x while constructing the graph, hence













h(T) <f(U) V f(U) + 41 <h(T)
44
FIGURE 4.4
4.3. Positive Cycles and Unsatisfiability
A graph G, constructed for a given formula F" using algorithm 1, has an
important property which can be used to show the unsatisfiability of F". Let us
first redefine the notions of a path and a cycle for our special graph.
Definition: Given a pair of nodes v 0 and v
n
in a graph G, there is a path from
v 0 to vn if there is a sequence of edges <v o ,v x > , <v' x , v 2> , <v' 2 , v 3 > ~.. ,










- for all l<i<n-l can be constructed, i.e., v,-'? = v',
vF where VjT' and
v'i'F denotes the terms after applying *P to v,- and v' t-, respectively.
Observe that the definition requires each pair of v,- and v\, l<i<n-l, either to be
the same or belong to the same cluster.
Definition: There is a cycle in a graph Gif there is a sequence of edges <v o ,
45





can be unified with the substitution
VF.




either are the same node or belong
to the same cluster.
Definition: The Weight of a path is the sum of the weights of the corresponding
edges forming the path. The weight of a cycle is defined similarly.
Example 3:









f(X)> form a cycle with the substitution {X/x}.
However, the sequence of edges <f(x)
,
g(x)>
, <g(X) , h(Y)> , <h(x) , f(x)>
does not form a cycle, because there is not a substitution which allows the















n _2 , v„_!> , <v'„_i , vn > and a substitution
such that
46
Let G be a graph constructed for a given formula F" using Algorithm 1. If a
cycle with positive weight exists in G, the formula P consisting of the conjunc-
tion of literals (inequalities) corresponding to the edges involved in the cycle is
unsatisfiable.
Proof: Let the following sequence of edges denote a positive cycle in a graph:
From the definition of a cycle, there is a substitution *P such that
v,




Since each edge corresponds to an inequality one can construct an instance
of the conjunction of L-s by applying *P to each L^:
where the I’s denote the integer constants in the inequalities.
If the above set of inequalities are added, v O, v1? V j,... ,vn cancel. The result-
ing inequality asserts that
This is clearly unsatisfiable because the cycle has a positive weight, i.e., sum of
the integer constants in the inequalities must be a positive integer. We proved
that an instance of the conjunction of the inequalities corresponding to the posi-
tive cycle is unsatisfiable, thus we conclude the original set of inequalities is
unsatisfiable.
<V o,v 1> , <v' I,V 2> , <v' 2,V 3> , , <v'„_2 , Vn_j> , <Vn_x ,V„ >
Vo'F + A








v'„_i'P + < V„<P
7
0 +/i + ..• +In -\
47
Since the literals corresponding to a positive cycle may belong to non-unit
disjunctive clauses, the preceding theorem does not guarantee that the detection
of a positive cycle in G implies the unsatisfiability of F". As we shall discuss in
Section 4.5, it may be necessary to detect several positive cycles to prove the
unsatisfiability of a formula F". The next section describes an algorithm for
detecting positive cycles in a given graph. The final algorithm for determining
the unsatisfiability of F" as positive cycles are detected in the corresponding
graph G will follow the next section.
4.4. Detecting Positive Cycles
The algorithm to be described for detecting positive cycles depends on an
operation for removing nodes within a cluster such that the positive cycles in the
original graph are preserved. Repeating this operation will eventually remove
all the nodes and subsequently all the clusters, so that positive cycles can be
detected.
Each iteration removes a node and its incident edges, and adds the
appropriate edges (and sometimes nodes to other clusters) to preserve the cycles
that
may have existed in the graph. A self-loop with positive weight denotes a
positive cycle in the original graph.
Since node removal is the core of Algorithm 2, we first illustrate this
operation using the graph shown earlier in Figure 4.5. As an example, let us
remove node g(x) (and its incident edges) from the graph without breaking the
existing cycles. Consider the pair of edges <f(x) , g(x)> and <g(x) , h(x)>.
Removing g(x) eliminates both edges, thus eliminating the path from f(x) to
h(x). Therefore, we need to add an edge from f(x) to h(x). Next consider the
pair of edges <f(x)
,
g(x)> and <g(X) , h(Y)>. Removing g(x) disconnects the
path from an instance of f(x), namely f(X), to h(Y) because the edge <f(x)
,
g(x)> would be removed. Hence, an edge from f(X) to h(Y) is necessary to
48
preserve the path and the potential cycles. Figure 4.6 illustrates the resulting
graph after removing g(x) and its incident edges.
FIGURE 4.6
ALGORITHM 2: Detecting Positive Cycles
For each cluster in the graph,
For each node v in the cluster.
(1) Let S = {v ls v 2, ... , vn ) be the cluster to which v belongs, i.e., all the v,s
have the same function symbol. Note that S also includes v itself.
For each v,- in S, if v and vt
- can be unified,
(a) Let be the most general unifier of v and v
t
-. (b) For each pair of
non-self-loop edges <v’ ,v> and <v,- , v"> with weights and
- add the nodes v
,vF and v' ,vF to the respective clusters if not






,vF denote the label for a node after applying 'F to v’,
v"W denote the label for a node after applying *P to v".
49





(2) Remove node v and all edges incident on it from the graph.
(3) While generating edges in steps 1 and 2,
A self-loop with a positive weight signifies a positive cycle in the graph.
(An edge from a node to another node in the same cluster is not a self-
loop).
A self-loop with a non-positive weight signifies a non-positive cycle in
the graph.
In the the implementation of this algorithm, after an edge is added to the
graph, a note is made of the two edges combined to generate the new edge. This
information is important in identifying the edges from the initial graph involved
in a cycle after detection. The reader may question why the negative cycles are
not discarded in step 3. As it will be described in Section 4.5, certain non-
positive cycles are used in the unsatisfiability checker.
Example 4:
Let us apply Algorithm 2 to detect the positive cycles in the graph of Figure 4.4.
Figures 4.7(a-d) illustrate the resulting graphs after the repeated applications of
node removal operation. Observe that non-positive cycles are ignored in this







The node removal operation described in Algorithm 2 preserves the cycles of
the original graph.
Proof: Let the sequence of edges
denote a cycle with a substitution W. Let S 9 be the sequence after applying *F to
s
r
The node removal step replaces two consecutive edges in S
by a single edge <v',-_ l O , v/+l o> where ois the most general unifier of v(
- and
v',-. We prove the theorem by showing that applying the substitution to the
sequence of edges
S3: <v o , V !>,</! , v 2>, ... , , Vi+l>, ... , , V„>





t+l o>, applying *¥ to each v in S 3 generates the corresponding u in 82* We
must still show that applying 'F to <v',_ l o , v J+lo> generates <m,_i , ui+i>, thus
preserving the cycle.
Let us consider the effect of the substitution 0 on the variables of first. For
each variable x in the following three cases are identified:
Case 2: 0 replaces x by a non-variable term t
Note that t is either a constant or a function. Since 0 is a most general unifier,
the substitution *F must also replace x by t (or an instance of t if t is a non-
Sy <V O , V !>,<v' 1 , V 2>, ... , <v'i-i , Vj>,<v'{- , v i+1>, ..., <v'n _! , vn >







Case 1: 0 has no effect on x






ground function). Since the same argument holds for each variable in t, apply-
ing 9 does not violate the substitution *F makes for x. Hence, applying *F to
v'i_iQ generates the same term as applying ¥to v'{-1 , i.e., = u^.
Case 3: 9 replaces x by a variable y
Since v,-9 = v'
z
-9, we conclude *F must replace x and yby the same term (or one
by the other). Therefore, it makes no difference that 9 first replaces x by a vari-
able y. Hence, applying 'F to generates the same terms as applying 'F to
v'j—i, i.e., v't _1 9
xF = Ui_v





9> produces <Wj_i , wt
-
+I
>. The cycle is preserved.
Theorem 4.3:
The node removal operation described in Algorithm 2 does not introduce any
new cycle which does not exist in the original graph.
Proof: Suppose the node removal operation replaces the two edges e ! and e 2
by an edge e 3
where 9is the most general unifier of Vj
and v'j . If e 3 is involved in a positive
cycle, one can apply a substitution to e ! and e 2 to make the two edges partici-
pate in the same cycle.
We now discuss the termination condition for Algorithm 2. Recall that
two types of functions appear
in the clausal form of our formulas: occurrence
ei- <v; , Vj>
e 2'- <v'j,vk >
<?3: <Vt-o,V*o>
54
functions corresponding to particular events, and skolem functions appearing as
arguments to the occurrence functions. Algorithm 2 as stated above may not
terminate if a function is allowed to take itself as an argument. We add the con-
dition to ensure that a function symbol does not appear more than once in a term
corresponding to a node in our graph. Step 1 of Algorithm 2 is rewritten to
include this condition:




- in S, if v and v
t
- can be unified,
(a) Let 'F be the most general unifier of v and v
t
-.












add the nodes v
,xF and v' ,xF to the respective clusters if not already










The added condition in step 1(b) that a function symbol may not appear more
that once in v
>vF and v' ,xF ensures the termination of Algorithm 2. (Same condi-
tion is also imposed on step 1(c)). Since an occurrence function does not take
an instance of itself as an argument, the condition in step 1(b) does not impose
any restriction on the occurrence functions. However, the condition prevents a
skolem function from taking an instance of itself as an argument. For example,
a node labelled f(h(h(x))) is not allowed in our constraint graph where f denotes
an occurrence function, and h is a skolem function.
Since a skolem function replaces an existentially quantified variable, the
clausal form of the initial set of formulas under investigation does not have any
55
term in which a skolem function appears more than once. Hence, the condition
in step 1(b) does not restrict the subclass of formulas described in this paper.
However, the node removal operation may in some cases produce nodes in
which a skolem function symbol appears more than once. The condition in step
1(b) prevents the generation of such terms. Although completeness cannot be
claimed for Algorithm 2 under this condition, we impose this condition in the
implementation of this algorithm since it seems to be a good compromise in
practice.
It is straightforward to show that Algorithm 2 terminates. In each iteration,
nodes in a cluster are removed one by one until the cluster is empty. However,
as nodes in a cluster are removed, new nodes may be added either to the same
cluster or to the remaining clusters (not yet processed). The number of nodes
which are added to the same cluster cannot grow without a bound because a
skolem function symbol is not allowed to appear more than once in any node. A
node which is added to a remaining cluster is eventually removed when the
respective cluster is being processed. Furthermore, after all the nodes in a clus-
ter are removed, the corresponding (occurrence) function symbol does not
appear in any node. Hence, all clusters are eventually removed, thus ensuring
termination.
4.5. Unsatisfiability Proof
Thus far we have seen how to construct a graph G from a formula F" and
to detect positive cycles in the graph. This section presents an algorithm for
determining unsatisfiability of F" as positive cycles are detected in the
corresponding graph G. It is straightforward to show that if all edges involved
in a positive cycle in G correspond to literals (inequalities) which belong to unit
clauses, F" must be unsatisfiable. The case where one edge corresponds to a
literal (inequality) which belongs to a non-unit disjunctive clause C- is more
difficult; it must be shown that each of the remaining literals in C- is also
56
involved in a different positive cycle.
For instance, recall the last clause in Example 2:
If the edge corresponding to the literal h(T) < f(U) is involved in a positive
cycle, it must be shown that the edge for f(U) + 50 < h(T) is also involved in a
positive cycle.
The problem becomes increasingly computationally intensive when more
edges in a positive cycle belong to non-unit disjunctive clauses. It will be seen
shortly that this problem is as hard as the CNF satisfiability problem of proposi-
tional logic where each disjunctive clause contains either all negated literals or
all unnegated (positive) literals.
The set of all clauses in a formula F" can be viewed as a collection (con-
junction) of m clauses Cp C2,..., C
m
where each is a disjunctive clause
Note that this is merely a notational convention and we are not requiring literals
in different clauses be distinct.
Let the following notation denote the list of literals, i.e., inequalities,
th
corresponding to the edges in the 1 positive cycle detected.
th th
where X-
. signify the j
n
literal (edge) in the i positive cycle detected and
hj
each X-
. is a literal in at least one of the Cs. Let P. denote the formula consist-
-I,J k i







From Theorem 4.1 we conclude that P- is unsatisfiable. Consequently, F" is
satisfiable if and only if F" A —,p. is satisfiable. Hence, the positive cycle can be













viewed as adding the clause —P., i.e.,
to the existing set of clauses. Now we can use —P. to refute F".
Theorem 4.4: (Variation ofHerbrand’s Theorem)
A set S of clauses is unsatisfiable if and only if there is a finite unsatisfiable set
of ground instances of S and -P. for l<i<n where each P- is the conjunction of
inequalities corresponding to the edges in a positive cycle detected in the con-
straint graph for S.
The above formulation permits one to use any method in propositional
logic to check for unsatisfiability as positive cycles are detected and the
appropriate clauses are added to the existing set of clauses. For example, the
Davis-Putnam method is one of the more efficient techniques for testing the
unsatisfiability of CNF formulas in propositional calculus, see Chapter 1
in l
Sahni 85 1
or pp. 62-66 in [Chang & Lee 73]. Since it is well known that CNF
satisfiability for propositional logic is NT-complete, one may hope that the spe-
cial form of our clauses (each clause in our the problem contains either only
negated literals or only un-negated literals: the literals X. . in clauses denoting
LJ
positive cycles are all negated, and the literals in each are all unnegated)
might lend itself to a more efficient decision procedure. Unfortunately, we can
show:
Theorem 4.5:
The CNF satisfiability of the propositional logic is NP-complete even if each
clause contains either all negated or all unnegated (positive) literals.
Proof: It is known that the CNF satisfiability problem for the propositional logic










complete. A simple transformation maps any instance of this problem into an
equivalent instance of the CNF satisfiability problem in which each clause con-
tains only negated or only un-negated literals. The idea is to replace a negated
literal -iL by an un-negated literal L’ and add the following clauses:
LVL’
—iL V —iL’
Clearly, the transformation can be done in polynomial time. □
The remainder of this section presents an algorithm for testing the
unsatisfiability for formulas in which each clause contains either only negated or
only unnegated literals. Our algorithm is more suited for safety analysis of real-
time systems for the following reasons.
First, it is desirable to have a dynamic algorithm in the sense that as each
new cycle is detected, the corresponding clause is added to the set of existing
ones, and is then checked for unsatisfiability. If it is shown to be unsatisfiable,
we can stop at once. Otherwise, we need to continue the node removal opera-
tion until another positive cycle is found. The well-known procedures (includ-
ing the Davis-Putnam method) require redoing the computation each time a new
clause is added, i.e., a positive cycle is detected. In contrast, the algorithm to be
described builds on top of the computation already done to check for
unsatisfiability as each new positive cycle is detected.
Second, even though the algorithm to be described has an exponential time
complexity in the worst case as one may expect, it is desirable to have an algo-
rithm whose running time in the worst case is exponential with respect to the
number of positive cycles detected rather than being exponential with respect to
the number of literals or the total number of clauses, the rationale being that we
expect to have only a few positive cycles detected in most cases.
59
Finally, while checking for satisfiability after detecting a positive cycle, if
the formula is still satisfiable, the proposed algorithm may terminate very
quickly after generating only a small part of the search tree. In contrast, the
Davis-Putnam method must still complete removing almost all of the literals
before concluding satisfiability.
Before presenting a detailed description, it helps to illustrate the algorithm
by means of an example. Consider the following set S j of clauses with only
unnegated literals (this corresponds to the set of original clauses Cs),
Cy A V B V c
C 2: A V F
C 3: D V C
C 4: B V E
F V C
F V E
and the following set S 2 of clauses with only negated literals (each clause
corresponds to a positive cycle detected),
—iA V -,D V —,F
-.B V —,F
iC V -,E
The goal of the algorithm is to construct a search tree from the set S 2 and deter-
mine the unsatisfiability of the collection of clauses in S i and S 2 while building
the tree. Figure 4.8 illustrates a worst case search tree constructed for the set
S2. Each node in the tree corresponds to the collection of one or more literals in
S2. The nodes in the first level correspond to the literals in the first clause of S
2,
i.e., literals —iA, —iD, and —iF. To construct the second level, we added the
literals in the second clause of S
2,
i.e., literals -iB and —iF, to each subtree
rooted by -iA, and -iF. The next level was constructed similarly. Thus,
each leaf node in a worst case search tree corresponds to a conjunction in the
disjunctive normal form of the clauses in S 2.
60





must show that each leaf node in the tree meets one of the following two condi-
tions:
(1) the conjunction of literals (inequalities) in the leaf node makes at least one clause in S
unsatisfiable, or
(2) the conjunction of literals (inequalities) in the leaf node is unsatisfiable by itself.
Let us first discuss condition 1. Observe that any node in the search tree
makes the set of clauses in S
!
unsatisfiable iff there exists a clause Cin S
!
such
that the negated form of each literal in Cis also a literal in the label of that
node. For instance, the leftmost leaf node, labeled (—iA
,
—iß, —iC), makes S i
unsatisfiable because the negated form of every literal in clause Cj is also
represented in the leaf node. Since every leaf node in the tree in Figure 4.8
makes unsatisfiable, we conclude that the conjunction of clauses in Sj and
S 2 is unsatisfiable.
Fortunately, in most cases we do not have to generate the entire search tree
to conclude unsatisfiability by condition 1. In particular, we make use of two
important properties to trim the search tree. First, if a node makes S j
unsatisfiable, then every node in the subtree rooted by that node has the same
property,
thus it is not necessary to generate the rest of the nodes in the subtree.
For instance, the nodes in the subtree rooted by the node labeled (—iA , —iF)
need not be generated because (—iA , —iF) makes S ! unsatisfiable. This property
clearly reduces the size of the search tree in many cases.
61
FIGURE 4.8
Another equally important property of the search tree further helps us in
reducing the size. Consider the subtree rooted by the node labeled —iD in Figure
4.8. The leftmost node in that subtree, labeled (-iD , —iß , -iC), makes S Y
unsatisfiable because the negated form of every literal in clause of Si is also
present in the leftmost node. However, observe that literal -iB does not have
any effect here. Therefore, we can consider the positive cycle denoted by the
clause -iC V -,E first, and generate a smaller subtree rooted by -iD as shown in
62
Figure 4.9. The reader must be cautioned that the preceding observation cannot
be used indiscriminately to reduce the size of the search tree. For instance, in




—i B) plays no
role in making S j unsatisfiable, we cannot reorder the clause to which it belongs
because —iD was committed earlier.
FIGURE 4.9
Let us now discuss condition 2. Since each literal in a leaf node is a nega-
tion of an inequality, the conjunction of these literals may be unsatisfiable by




may not make any of the clauses in the original set of formulas unsatisfiable.
However, if we rewrite the two literals as
-i (f(a) < g(a))






A —,j_ is unsatisfiable by itself. In fact, if we construct a graph for the two
edges —iLj and it forms a positive cycle with the weight 2, Unfortunately,
the constraint graph for the original set of clauses may not contain the edges
corresponding to and —However, the graph contains the edges for the
inequalities and The following theorem enables us to use the edges for
Lj and to detect if the set of inequalities containing
and is
unsatisfiable, i.e., if it forms a positive cycle.
Theorem 4.6:
A set Sof inequalities —Lp —... , —iL is unsatisfiable iff there is a cycle
involving the inequalities in a set S’ containing Lp L^,..., Lfl
and
(-Ij -I2 ... -I +n) > 0 where I. is the integer constant in the inequality L-.
Proof: If an inequality L- is denoted by an edge <v , u> with weight L, the ine-
quality —iU is represented by an edge in the opposite direction, <u,v>, with
weight -L+l. It is straightforward to show that -L-s form a cycle iff L-s form a
cycle. The sum of the weights for the backward edges, i.e. weights for —iL-s,
must be positive to obtain unsatisfiablity. Hence, ... -I +n) > O.D
Due to the above theorem, we can modify Algorithm 2 to detect if there are
cycles involving -iL-s. The following step can be added to Algorithm 2:
(4) After detecting a cycle with weight W consisting of n edges, check if -W+n >
0. If so, conclude that the negation of the literals in the cycle form a positive
cycle.
Let us now show how to check for condition 2 using the positive cycles
detected in step 4. Each new positive cycle in step
4 implies that a set of ine-
qualities
g(a) + 1 < f(a)
f(a) + 1 < g(a),
Lp --L2,...» Ln
64
is unsatisfiable. (Note that each L. is an inequality from the original set of
clauses.) One can view this new positive cycle as
or alternatively as the following clause
Observe that the above clause contains literals which are all unnegated. Hence,
if we add the clauses obtained in step (4) of Algorithm 2 to the original set of
clauses just prior to testing for unsatisfiability (Algorithm 3), it will not be
necessary to check for condition 2. In fact, checking the leaf nodes for condi-
tion 1 is sufficient while generating the tree as described above.
A few remarks regarding the termination condition for Algorithm 3 are in
order. Let S
j
denote the original set of clauses and the clauses which were
added due to step (4) of Algorihm 2. Let S 2 denote the clauses corresponding to
the positive cycles in the constraint graph, i.e., positive cycles detected in step
(3) of Algorihm 2. If each leaf node in the tree generated for S 2 makes a clause
in S
i unsatisfiable,
the algorithm terminates to conclude S i A S 2 is unsatisfiable.
On the other hand, while generating the search tree, if we reach a leaf node that
does not make S
t
unsatisfiable and there is no more clause in S2to be con-
sidered, then satisfiability is possible. The implication is that additional clauses,
i.e. positive cycles, are needed to prove unsatisfiability.
Algorithm 3 is the depth-first search approach to the construction of the
search tree. The two properties mentioned earlier are embbeded in the algo-
rithm to trim the tree.
ALGORITHM 3: Testing Unsatisfiability
th th
Let X. • denote the j
n
literal in the i
l
clause (positive cycles). Let m. denote
th
1
the number of literals in the i clause (positive cycle).
Let a denote the list of all the literals committed at a given point in the search
—i (—iL-. A —iL_ A ... A —iL )






tree, i.e., a represents the current leaf node in the search tree for which
unsatisfiability is yet to be shown.
Let (3 denote the list of the first literals of all clauses (positive cycles) which are
being considered in the search tree.
Let y denote the list of the first literals of all clauses (positive cycles) which
either were rejected or yet to be considered.
Upon detection of a positive cycle, Algorithm 3 is used to test for
unsatisfiability. Initially, upon detection of the first positive cycle, the main rou-







Upon detection of the i positive cycle, the main routine is invoked with fol
lowing parameters:
a = as left in the previous invocation
P = as left in the previous invocation
y = add X. to y left in the previous invocation
a = (X































(*** main routine ***}
invoke check(ot, (3, y)
if check returns true, then
exit denoting satifiability {still satifiable, must wait for the
next clause with negated literal, i.e., next positive cycle}
{a was shown to be unsatisfiable, now show unsatisfiability
for the next branch. Backtrack if necessary}
while a is non-empty,
get (X- •) (remove the last element (literal) added to a}
1J
(i is set to the clause (positive cycle) number}
(j is set to the literal number}
then do
if check returns true, then
exit denoting satifiability {still satifiable,






(every leaf node was shown to make unsatisfiable}
exit denoting unsatisfiability
(*** check function ***}
check (a, |3, y) returns true to denote satisfiability, or
false to denote unsatisfiability
for k=l to r (note ris number of elements in y}




add X. ~, to a
ij+l
invoke ckeck(a, (3, y)
67
if there is a clause Cin the set of clauses S such that the
negated form of every literal in C is either in a or p,
then do {a node in the search tree is shown unsatisfiable}
for each X.
.



















Consider the following set S containing clauses with only unnegated literals,
C,: A V D
Ci: C V B V D
Cf: A V F
C?: B V D V E
rf: B V F
A V B
Let -iA v be the first clause with only negated literals representing the
first positive cycle detected. Figure 4.10(a) illustrates the search tree generated
after detecting the first positive cycle. After generating the node labeled -iA,
the construction of the search tree stops because -iA does not make
unsatisfiable and there is no more positive cycles to consider. Consider three






Figure 4.10(b) shows the search tree after generating the leaf node at the next
level. Observe that the leaf node (-A
,
-iD) makes S unsatisfiable, thus we can
proceed to the next branch. Figure 4.10(c) shows the next leaf node generated;
it also makes Sj unsatisfiable. Figure 4.10(d) illustrates how the algorithm
backtracks up the search tree and then moves down the tree to locate another
node, labeled (—iß , -iD , -A), which makes unsatisfiable. Since literal -iD
plays no role in making unsatisfiable at this point, we reject the clause to
which it belongs, i.e., the second positive cycle. Figure 4.10(e) shows the
search tree after rejecting the clause corresponding to the second positive cycle,
the result is a smaller tree to explore. Observe that the second positive cycle can
be used later while exploring other branches of the tree. Figure 4.10(f) shows
the complete search tree. Every leaf node makes S unsatisfiable and there are





As mentioned earlier, Algorithm 3 has an exponential time complexity in
the worst case. We can also show that the running time of this algorithm in the
worst case is exponential with respect to the number of positive cycles detected.
Let k denote the number of positive cycles detected. Let denote the set of
clauses with only negated literals. (Each clause corresponds to a positive cycle.)
Recall that each leaf node in a worst case search tree corresponds to a conjunc-
tion in the disjunctive normal form of the clauses in s2* Hence, the running
time of Algorithm 3 is proportional to the number of conjunctions in the dis-
junctive normal form of the clauses in S? .




literal clauses, there are 2 leaf nodes (or conjunctions) in the worst case.
k
Therefore, the running time is proportional to 2 .
71
As with
any depth-first search algorithm, the space requirement is propor-
tional to the tree depth. In Algorithm 3, a new level may be added to the search
tree each time a positive cycle is detected. Therefore, in the worst case, the
height of the search tree is k, the number of positive cycles detected. Conse-
quently, the space requirements of Algorithm 3 is proportional to k.
4.6. Implementation of Verification Procedure
The first version of the safety analyzer based on the procedure presented in
this paper has been implemented as part of the SARTOR project. (SARTOR is
a design environment for real-time software based on a design theory developed
at the University of Texas at Austin [Mok 85].)
The current implementation of our analysis procedure uses the Logic
Machine Architecture (LMA) software package. LMA is a set of software tools,
developed at the Argonne National Laboratory, for constructing logic-based rea-
soning systems ([Lusk et al 82a], [Lusk et al 82b]). LMA has been implemented
as a layered architecture where each layer provides a set of well-defined ser-
vices. Layer 2 of LMA package, where list, clause, literal, and term are pro-
vided as abstract data types, was of particular importance in our implementa-
tion.
Algorithms 1 and 2 (graph construction and node removal operation) in our
analysis procedure do not directly involve the notions of clause and literal.
Hence, the two algorithms were implemented almost entirely independent of the
LMA software. Algorithm 3, the unsatisfiability prover, treats positive cycles as
clauses added to the existing set, and manipulates them to obtain contradictions.
Hence, the layer 2 abstract data types of LMA were very useful in implementing
Algorithm 3. In particular, clauses, literals, and terms are maintained in the
internal object representaion supported by LMA; the implementation also relies
extensively on the available procedures for their manipulation.
72
The current implementation, excluding the LMA software, consists of over
4000 lines of code written in the C programming Language.
4.7. Example: Nuclear Reactor Problem Revisited
This section describes a complete example illustrating the mechanical
verification of a safety assertion using the procedure described in this chapter.
4.7.1. Specification
Recall the example in Section 2.3 on the system responsible for moving the
control rods in a nuclear reactor. Three asynchronous components are involved
in moving the control rods: Subsystem 1, Subsystem 2, and Manager. The
specification of this system can be expressed in terms of RTL formulas which
are in the subclass of formulas introduced in this chapter.
#
# specification of subsystem 1
#
# specification of subsystem 2
f Certain RTL axioms, as described in chapter 2, are omitted here since they do not play a role in the
verification of this example.
Yxl @(QBUTTONI , xl) < @(TRAI , xl)
Vx2 @(TRAI
,
x2) +4O < @(iRAI
,
x2)
Vx3 (S)(-iRAl ,x3) < @((GRANT1:=T), x3)





x4) - 5 < @((GRANT 1:=T), x4)
Vx6 @(iMOVEI
,










VxB @(Tr.A2 , x8) + 40 < @('IRA2 , x8)
73
# specification of manager
To simplify, we list below the physical interpretation of the events which
appeared in the RTL specification above.
QBUTTONI : external event denoting pushbutton #1 is pressed
Trai : start of action to request access by Subsystem 1
iRAI : stop of action to request access by Subsystem 1
GRANTI:=T : event denoting request by Subsystem 1 is granted
GRANT 1 :=F : manager assumes the granted request is released
TmOVEI' : start of action to move control rod #1
iMOVEI : stop of action to move control rod #1
The remaining events TRA2, GRANT2:=T, GRANT2:=F, TMOVE2,
and sIMOVE2 have similar meanings.
4.7.2. Safety Assertion
As described in Section 2.3, the desired safety property is that the reactor
rods should be moved one at a time. In other words, execution of the action to
move rod #1 may not overlap with the execution of the action to move rod #2.
Safety Assertion in RTL:





x9) < @ ((GRANT2:=T), x9)
VxlO @((GRANT2:=T), xlO) < @(TMOVE2 , xlO)
@(TmOVE2
,
xlO) - 5 < @((GRANT2:=T), xlO)
Vxl2 @(sLmOVE2
,





Vxs @((GRANTI:=T), x5) +3O < @((GRANTI:=F)
,
x5)
Vxll @((GRANT2;=T), xl 1) +3O < @((GRANT2:=F), xll)
Vxl3Vxl4 @((GRANT1:=F), xl3) < @((GRANT2:=T), xl4) V
@((GRANT2:=F),xI4) < @((GRANT 1:=T), xl3)
74
4.7.3. Verification
RTL formulas describing the specification and the safety assertion in the
example fall within the subclass of RTL formulas introduced in Section 4.1.1.
This subsection gives a proof, based on the analysis procedure in this chapter,
showing that the safety assertion is a theorem derivable from the system
specification.
We start with a set of RTL formulas representing the specification and the
negation of the safety assertion. Prior to performing the analysis, we must
transform the RTL formulas to the corresponding formulas in Presburger Arith-
metic with uninterpreted integer functions. We replace each occurrence func-
tion with a specific event constant as its first argument by an uninterpreted
integer function. For instance, @(TMOVEI
,
i) is replaced by an integer func-
th
tion StartMOVEl(i) which returns the time of the i
in
occurrence of the start of
action MOVEI. (StartMOVEl is merely a function name with i as its integer
argument.)
After the above transformation, the formulas are put in clausal form, as
shown below. Symbols xl through xl4 are variables; I and J are Skolem con-
stants; the function symbols are easy to identify from the syntax.
#
# specification of subsystem 1
#
BUTTONl(xl) < StarlßAl(xl)
@(iMOVEI ,i) < @(TMOVE2 ,j)
Negation ofSafety Assertion in RTL:
3i3j @(tMOVEI
,
i) < @(iMOVE2,j) A




StartßAl(x2)+ 40 < StopßAl(x2)
StopßAl(x3) < GRANTltrue(x3)
GRANT 1 true(x4) < StartMOVEl(x4) A
StartMOVEl(x4) - 5 < GRANTltme(x4)
StopMOVEl(x6) - 20 < StartMOVEl(x6)
#
# specification of subsystem 2
#
BUTTON2(x7) < StartßAl(xV)
StartßA2(xB) + 40 < StopßA2(xB)
StopßA2(x9) < GRANT2tme(x9)
GRANT2true(x 10) < StartMOVE2(xlO)
StartMOVE2(x 10) -5 < GRANT2true(x 10)
StopMOVE2(xl2) - 20 < StartMOVE2(xl2)
#
# specification of manager
#
GRANTltme(xs) + 30 < GRANTIfalse(xS)
GRANT2tme(xl 1) + 30 < GRANT2false(xl 1)
GRANT 1 false(x 13) < GRANT2true(x 14) V
GRANT2false(x 14) < GRANTltrue(x 13)
#




The analysis procedure first puts the set of formulas in a graph representa-
tion as described in Algorithm 1. Figure 4.11 shows the corresponding graph
76
Repeated application of the node removal operation, Algorithm 2, reveals
several positive cycles in the original graph. Two of these cycles are labelled on




The edges in positive cycle 2 are labelled s ls s2, ... ,s 6. Thg inequalities
corresponding to the set of edges involved in the two positive cycles are as fol-
lows.
Inequalities in positive cycle 1:
r x
: GRANT2true(J) < StartMOVE2(J)
r 2: StartMOVE2(J) < StopMOVEI(I)
t 3: StopMOVEI(I) - 20 < StartMOVEl(l)
t 4: StartMOVEl(l) - 5 < GRANTItme(I)
t 5: GRANTltrue(I) + 30 < GRANTIfaIse(I)
t 6: GRANTIfaIse(I) < GRANT2true(J)
Inequalities in positive cycle 2:
s
x
: GRANTItrue(I) < StartMOVEl(l)
S
x
: StartMOVEl(l) < StopMOVE2(J)
s 3; StopMOVE2(J) - 20 < StartMOVE2(J)
5
4
; StartMOVE2(J) - 5 < GRANT2true(J)
s 5: GRANT2true(J) + 30 < GRANT2faIse(J)
5 6




Finally, Algorithm 3 is used to show the unsatisfiability of the specification
and the negation of the safety assertion given the positive cycles. Figure 4.12
illustrates the corresponding search tree as it is constructed by Algorithm 3.
FIGURE 4.12
4.8. Concluding Remarks
This chapter presented a graph-theoretic procedure for verification of pro-
perties of real-time systems expressible in a subclass of Real Time Logic. To
show that a timing property is consistent with a given specification, we need to
79
prove that the corresponding formula consisting of the specification in conjunc-
tion with the negation of the timing property is unsatisfiable. The analysis pro-
cedure is based on three algorithms. The first algorithm constructs a graph
representing the specification and the negation of the property under investiga-
tion. The second algorithm detects positive cycles in the graph using a node
removal operation. The third algorithm decides unsatisfiability based on the
positive cycles detected. A mechnical verification of a property using the pro-
posed procedure was also presented.
Since our goal is to provide practical tools for software engineers to use, it
is important that reasonably efficient algorithms be found to make use of our
theory. Like most practical design problems, optimal solutions are usually com-
putationally intractible in the worst case. It is important to make use of the
domain knowledge in an application area to reduce the execution time in "typi-
cal" cases. The work reported here is a step in this direction.
Chapter 5
Modechart: a Spec. Language for Real-Time Systems
In this chapter, we present a specification language for real-time systems
called Modechart. The semantics of Modechart is given in terms of RTL. The
semantics of Modechart has an important property that the translation of a
Modechart specification into RTL formulas will result in a hierarchical organi-
zation of the resulting RTL assertions. This gives us significant leverage in rea-
soning about properties of a system by allowing us to filter out assertions that
concern lower levels of abstraction. Some results about desirable properties of
Modechart specifications will be given. A graphical implementation of
Modechart has been completed.
5.1. Introduction
As software control of safety-critical functions in embedded systems
becomes more common, a means for precise and concise specification of their
behavior becomes increasingly important. As mentioned earlier. The
specification problem for these real-time applications is more complex since the
absolute timing behavior (the timing of events measured by a real-time clock)
and not only the functional behavior of a system is important. In addition to
being a valuable aid to the maintenance of complex real-time systems, a precise
and concise specification language can also be used to provide answers to
queries about system behavior without a full implemenation (rapid prototyping).
In this chapter, we shall present a specification language for real-time systems
called Modechart. The semantics of Modechart is defined in terms of Real Time
Logic. A graphical implementation of Modechart has also been completed.
80
81
Substantial work has been done by a number of researchers in the
specification and prototyping of complex real-time systems,
e.g.,[Zave 85], [Luqi & Berzins 87], [Alford 77], [Davis & Vick 77]. A notable
experiment in the application of specification methods is the Software Cost
Reduction project at the Naval Research Laboratory where a systematic metho-
dology was applied to document the software requirements of the A-7E aircraft
(see [Heninger 80], [Pamas et al 78]). More recently, Harel proposed a visual
language called Statechart
tHarel 86i which is an extension of conventional
state-transition diagrams. Hard's language provides a succinct way to represent
large systems since it supports hierarchical and modular decomposition of state
machines. A formal semantics of Statechart in terms of temporal logic and a
general theory of reactive systems are also being investigated by its inventors
[Hard et al 87].
Unlike previous work, our work emphasizes the specification of absolute
timing properties of systems. In Modechart, we make use of the concept of
modes from the work of Parnas et al at the Naval Research Laboratory. Modes
can be thought of as partitions of the state space of a system and are an effective
way for modular specification of large state machines. Modechart also borrows
from Statechart the very appealing compact representation of large state
machines. Our main contribution is in providing a semantics which explicitly
deals with the absolute timing of events and avoids some of the potential seman-
tic anomalies of Statechart. More importantly, the translation of a Modechart
specification into RTL formulas will result in a hierarchical organization of the
resulting RTL assertions. This gives us significant leverage in reasoning about
properties of a system by allowing us to filter out assertions that concern lower
levels of abstraction. The ability to avoid considering all the assertions defining
the behavior of a large system is a prerequisite to practical applications of
verification technology.
82
Modechart has been developed as a graphical specification tool in SAR-
TOR (Software Automation for Real-Time Opeßations), a design environment
for hard-real-time software currently under development at the University of
Texas at Austin. The goal of SARTOR is to mechanize the analysis and syn-
thesis of real-time software from systems specification. An implementation of
Modechart serves as a front-end for SARTOR which provides a suit of tools to
analyze a specification for satisfaction of safety requirements. A design can be
synthesized (rapid prototyping) if it is determined that there are sufficient
resources to do so. A review of SARTOR can be found in[Mok 85].
The rest of this chapter is organized as follows. Section 5.2 gives the syn-
tactic description of modes. Section 5.3 describes the RTL semantics of mode
transitions. Section 5.4 gives the RTL semantics of actions in modes. Section
5.5 deals with mode transitions that span more than one level of the mode
hierarchy. Section 5.6 presents some results about desirable properties of mode
specifications using Modechart. section 5.7 is the conclusion.
5.2. Hierarchical Decomposition: Parallel and Serial Modes
Intuitively, modes may be viewed as control information that impose struc-
ture on the operation of a system. Modes are arranged hierarchically. Further-
more, modes which are peers in this hierarchy can be related in one of two
ways: in series or in parallel.
The series relationship among several modes indicates that the system
operates in, at most, one of these modes at any time. For instance. Figure 5.1(a)
illustrates a two-level hierarchy where MO is the parent mode and Ml, M2, and
M 3 are embedded in MO. If the system is in mode MO, then it must also be in
either one of Ml, M 2 or M3. MO is said to be a serial mode, and Ml, M2, and
M 3 are said to be in series. A transition allows the system to go from one mode
to another. Since a specification may require a transition to go across different
83
levels of the hierarchy, transitions may not always be between modes at the
same level in a hierarchy. Also, entry into a serial mode M requires the designa-
tion of one of the child modes of M to be the default mode the system will be in.
If the transition arrow crosses into the serial mode, then the child mode that the
transition arrow points at is entered. Otherwise, a child mode which is labeled as
the initial mode is entered. As an example, mode MO of Figure 5.1(a) could
model the flight path monitoring mechanism for an aircraft. Modes Ml, M2,
and M 3 represent Monitor
, Signal, and Correction modes, respectively. When
the plane is detected to be off course, the monitor mechanism moves from the
Monitor mode into the Signal Mode. In the signal mode, the pilot is warned that
the plane is off course. The pilot corrects the flight of the aircraft, talcing the
system into the Correction mode. After making the correction, the pilot informs
the system (e.g., by pressing a button), returning the system to the monitor
mode. Monitor, Signal, and Correction modes are in series because the monitor
mechanism can only be in one of the three at a time.
The parallel relationship among several modes indicates that a system
operates
in all of these modes simultaneously. For instance, figure 5.1(b) illus-
trates a mode MO with two embedded modes. Ml and M2. If the system is in
mode MO, then it also must be in both Ml and M2. (MO is said to be a parallel
mode, and Ml and M 2 are said to be in parallel.) Transitions between modes in
parallel are not allowed. Entry into a parallel mode requires entry into all of its
immediate child modes. Hence, no member of a set of modes in parallel should
be specified as the initial mode. Similarly, a transition out of one mode requires
exit out of all the modes in parallel to it. Returning to the aircraft example,
mode MO of Figure 5.1(b) could model the plane’s instrument display system.
Modes Ml and M 2 might represent the Airspeed and Altitude display modes,
respectively. The airspeed and altitude displays are updated independently of
each other and so are in parallel under mode MO.
84
FIGURE 5.1
The preceding informal description of serial and parallel modes might give
a deceptively simple view of Modechart. In fact, there are many ambiguities
which must be resolved in providing a formal semantics for mode transitions.
For example, if transition between two modes is instantaneous, then a cyclic
sequence of transitions occuring at the same instant of time will lead to an ano-
maly. Consider the serial mode M in figure 5.2(a). If the system is in mode Ml
and condition Cl is true at time t, then the corresponding transition is taken and
the system exits from
mode Ml and enters mode M 2 at that instant of time.
However, if condition C 2 is also true at time t, then the system can exit M 2 and
enter Ml at the same instant of time. Hence, the modes in the cycle would be
entered and exited an infinite number of times at an instant in time. To avoid
this anomaly, one might require mode transitions to take finite time. The prob-
lem is that system behavior will then be ambiguous when an event occurs in
between modes and the response to that event is supposed to depend on which
mode the system is in, and any bound put on the duration of a transition is likely
85
to be ad hoc at the requirements specification stage. We shall model mode tran-
sitions as being instantaneous. In section 5.6, we shall present a condition for
preventing anomalies due to cyclic transitions.
FIGURE 5.2
Ambiguities can also arise due to the way one may model concurrency.
For example, consider the parallel mode M in figure 5.2(b). The system is in
modes Ml and M 3 initially. If the behavior of a system specified in Modechart
is viewed as a sequence of non-overlapping events (i.e., following the interleav-
ing model of concurrency), then the system in figure 5.2(b) cannot end up in
both modes M 2 and M 4 even though one may expect simultaneous transitions
from Ml to M 2 and from M 3 to M 4 to take the system into modes M 2 and M4.
This is due to the fact that two simultaneous events are regarded as equivalent to
JL
the occurrence of the two events in either order.
f
However, if concurrency in a
86
system is modeled by a partial ordering among events (i.e., two events are con-
currenct if neither precedes the other one), then the two transitions in figure
5.2(b) can be taken simultaneously. Hence, the system can be in both modes,
M 2 and M4. In defining the semantics of Modechart, we shall model con-
currency as a partial ordering on event occurrences.
Before providing a formal semantics for modes and transitions, we first
give a syntactic description of well-formed modes in section 5.2.1 below.
5.2.1. Well-Formed Modes
A mode with no internal modes is the primitive with which compound
(serial and parallel) modes are built. A compound mode is constructed from
other modes in three ways:
• constructing a serial mode from existing modes,
• constructing a parallel mode from existing modes, and
• connecting two modes via a mode transition.
Informally, a well-formed mode is one which either contains no other mode, or
the modes contained in it are nested properly and all the transitions in that mode
do not connect parallel modes. Furthermore, a well-formed serial mode may
have at most one initial mode and a well-formed parallel mode may not have an
initial mode. It should be noted that well-formedness is a syntactical property
which by itself does not guarantee that all initial modes are properly designated.
A well-formed mode may still be ambiguous in the sense that its initial mode
designations may be underspecified. We shall return to this point shortly.
Definition: Containment Partial Order






). The binary relation con-
tainment, denoted by c, defines a partial ordering of the elements of the set
f In this example, it is possible to allow the system to end up in both M 2 and M 4 in the interleaving
model by stipulating additional causality rules governing events that occur "at the same time". The seman-
tics of this approach is rather complicated [Pnueli 87].
87
M. Graphically, Mj <z Mj iff the box representing mode Mj is contained




is a primitive mode iff Vj M
]
<±M
A mode Mj is a compound mode iff 3j Mj a Mj.
A mode Mj is a root mode iff Vj Mj ctMj.
A mode Mj is an immediate child of a mode Mj (and conversly Mj is the
parent of Mj) iff
Mj cMj
A (Vk j*k AMjc Mk -» Mj c:Mk )
Graphically, a primitive mode contains no other mode; a compound mode con-
tains at least one other mode; a root mode is one which is not contained in any
other mode. Furthermore, the box representing a child mode is immediately
surronded by the box representing the parent. We now define a well-formed
mode.
Definition: well-formed modes are defined recursively as follows:
1. A primitive mode is well-formed.




are well-formed root modes, and at most
one mode Mj is labelled as the initial mode, then adding a serial mode M
consisting of only these modes as its immediate children makes M well-
formed.





are well-formed root modes, and none is
labelled as an initial mode, then adding a parallel mode M consisting of
only these modes as its immediate children makes M well-formed.
4. Let Mbe a well-formed mode, and Mj c M and M
;
<z M, Adding a transi-
tion from Mj to M
;





and M-. with respect to the c relation is a serial mode.
Informally, the above condition requires that the first mode containing both
Mj and Mj to be a serial mode. Observe that the least upper bound of the two
modes is either M or a mode inside M. Also notice that it is not necessary for
the children of a serial mode to be connected by any transition, since they can be
entered by distinct transitions from outside the parent. None of the children in
this case needs to be designated an initial mode.
As mentioned earlier, a well-formed mode can still be ambiguous if desig-
nation of the initial modes is underspecified. As an example, consider the case
where a transition enters a mode in parallel to a serial mode M, but none of the
immediate children of M is labeled as the initial mode. We first present a
definition which is useful in formulating a condition for ensuring proper desig-
nation of the initial modes.
Definition: A mode Mis a landing mode if any one
of the following conditions holds:
-
if M is the root mode,
- if a transition ends at mode M,
- if its parent M’ is a serial mode.
M’ is a landing mode, and
M is the initial mode,
- if its parent M’ is a parallel mode, and
M’ is a landing mode
- if its parent M’ is a parallel mode, and
t The least upper bound of M,- and Mj is a mode M' such that
Mi CM' A Mj CM' A (for each mode M" immediatechild of M\ Mi dIM" V Mj (tM")
89
there is a transition ending at or crossing
into a mode in parallel with M.
In a system whose root mode is well-formed, we define the UDIM condition (for
Unambiguous Designation of Initial Modes) as follows:
UDIM Condition: For each serial mode which is a landing mode, there is
exactly one initial mode.
To illustrate the above condition, assume that the system enters a serial
mode M. If M is not a landing mode, the only way to enter M is to have the
corresponding transition arrow cross into it. In this case, the transition identifies
a unique child of M to be entered, i.e., there is no ambiguity. However, ifM is a
landing mode, the UDIM condition requires M to have an initial mode, thus
ensuring against ambiguity.
In the subsequent three sections, the formal semantics of Modechart is
presented in terms of RTL formulas.
5.3. Specifying the Semantics of Modes and Transitions in RTL
In this section, we introduce additional classes of events to help capture the
formal semantics of modes in RTL. After presenting the syntax for the condi-
tions on mode transitions, we shall illustrate how mode transitions are specified
in RTL.
5.3.1. Comparison of Modes and State Variables
Since modes represent control information about the behavior of a system,
it may seem natural to use state variables to model modes in RTL. In fact, we
use a notation similar to state variables to represent modes in RTL. The seman-
tic distinctions between modes and state variables will be discussed shortly.
90
To capture the formal semantics of modes in RTL, we introduce two
events denoting mode entry and exit. For a mode M, the event (M:=T) denotes
entering M and the event (M:=F) represents exiting the mode. (To distinguish
these events from transition events for state variables, we shall refer to them as
the mode entry and the mode exit events.) Staying in a mode during an interval
is described through the use of a notation similar to state predicates. The nota-
tion, refered to as the mode predicate, also has nine variations for each mode M:
Each mode predicate qualifies the timing of two events, one denoting the entry
to a mode and the other denoting the exit from a mode. The two arguments, x
and y, in a mode predicate are used in conjunction with the symbols "[", "]","(",
")", "<", and ">" to denote an interval over which the system remains in a mode.
The convention we use for arriving at this syntax requires some explana-
tion. Suppose E and E’ denote the mode entry and the mode exit events for a
mode M, respectively. Informally,
”[x" denotes that E occurs at time x,
"(x" denotes that E occurs before or at time x,
"<x" denotes that E occurs before time x,
"y]" denotes that E’ occurs at time y,
"y)" denotes that E’ does not occur before time y,
"y>" denotes that E’ does not occur before or at time y.
For example, the mode predicate M[x,y] indicates that the system enters mode
M at time x and exits mode M at time y. Precisely, the mode entry event
(M:=T) occurs at time x, the system remains in mode M during the interval
between x and y, and the mode exit event (M:=F) occurs at time y. For another
example, M[x,y) indicates that the system enters mode M at time x and it
remains in this mode at least until time y. We define the notation M(x,x) to
M[x,y], M[x,y), M[x,y>, M(x,y), M(x,y], M(x,y>,
M<x,y>, M<x,y], and M<x,y).
91
denote that the system is in mode
M at time x. Due to the above definition,
when a transition from a mode Ml to another mode M 2 is taken, the system is in
both modes at that instant of time. However, as it will be shown in section 5.6,
the semantics of Modechart prevents the system to be in two modes in series
over a finite time interval. We stress that mode predicates are formally defined
in terms of the corresponding mode entry and exit events.
Despite the similarities in their notations, there are important semantic dis-
tinctions between modes and state variables. Intuitively, a state variable
represents information about data whereas a mode represents some control
information about the system. The value of a state variable is changed explicitly
by completing the execution of an action which takes non-zero units of time to
perform. Consequently, a state attribute S cannot become true and then become
false at the same instant of time, i.e., the two events (S:=T) and (S:=F) cannot
happen at the same instant of time. A mode entry or exit is implicit in that it
does not require the execution of an action; a mode transition is taken when a
certain condition is satisfied. Hence, a mode M can be entered and exited simul-
tanesouly if the condition for exit is also satisfied, i.e., we allow the two events
(M:=T) and (M:=F) to happen at the same instant of time.
5.3.2. Transitions
Transition between two modes represents a change in the control informa-
tion of the system. A mode transition is an instantaneous event which takes zero
time units. To capture the formal semantics of a transition, we introduce the
mode transition event to denote the occurrence of a transition from one mode to
another. Specifically, we use the notation to indicate the mode transi-
tion event from mode to mode Mj .
We associate a condition with each transition. The condition for a mode
transition is of the form
qVc 2
v ... M c
n
92
where each disjunct ck
is either (1) a triggering condition for taking the transi-
tion, or (2) a lower/upper bound restriction on when the transition may be taken.






a condition for taking the transition depending on the
occurrence of an event and/or the truth values of certain predicates. In particu-
lar, each subcondition p
}
is of one of the three forms shown below. {E denotes
an event, S is a state variable and t denotes the time at which the transition is
taken.)
(a) S (or S)
Enabling subcondition is a state variable S being true (or false) at time t.




Enabling subcondition is the system being in at least one of the specified modes
at a finite interval upto time t.
(c) E
Enabling subcondition is the occurrence of an event E at time t where E can be
an
• external event, e.g., HE,
• event denoting start of an action, e.g., ?A,
• event denoting completion of an action, e.g., iA,
• event setting a state variable to true, e.g., (.S:=T),
• event setting a state variable to false, e.g., (S:=F),
• event denoting entry into mode, e.g., (M7;=T), or
• an event denoting exit from mode, e.g., (MT=F).
93
A transition from a mode is taken at a time t iff all the subconditions are
satisfied at time t when the system is
in that mode. Each of the three forms of a
subcondition
pj can be expressed as an
RTL predicate:
In the above, t is the time at which the triggering condition for the transition
holds, i.e., the transition is taken at that instant of time. We will shortly illus-
trate how these predicates are used in RTL formulas to express a mode transi-
tion.
(2) Lower/Upper Bound Condition: A condition ck denoting a lower/upper
bound restriction is of the form
(r,d)
where r is a non-negative integer denoting a delay and d is a positive integer or
oo denoting a deadline. If a lower/upper bound is specified as the condition for a
transition from a mode, the transition can be taken after r time units and before d
time units has elapsed since entering the mode. Three special forms of
lower/upper bound condition are of particular interest. The condition
alarm r
is used to represent the case where the delay and the deadline on a transition are
equal. In this case, the transition is taken exactly after r time units has elapsed
since entering the mode. The condition
delay r
specifies a lower bound on when the transition can be taken without specifying
an upper bound, i.e., the condition (r,<>=>). The condition
(a) S(t,t) (or S(t,t))
(b) M M2 <t,t)
V •••V
(c) @(£,i) = t
94
deadline d
specifies a finite upper bound and no lower bound on the transition, i.e., the con-
dition (o,d). The lower/upper bound restriction imposed on a transition from a
mode M can be expressed as RTL predicates:
where t is the time at which mode M is entered and t’ is the time at which the
transition is taken.
FIGURE 5.3
Having discussed the two forms of conditions on mode transitions, the
triggering condition and lower/upper bound condition, we can show how a mode
transition is formally specified in RTL. Suppose there is a transition from mode
Ml to mode M 2 and this transition is the only one out of mode Ml. A trigger-
ing condition ck on the transition arrow from mode Ml to mode M 2 is captured
by the following RTL formula:
where (Ml-M2) is the mode transition event fom Ml to M2, C is the conjunc-
tion of RTL predicates specifying the subconditions (the pjS )
in ck , and tis the
time at which the transition is taken. As an example, consider the two modes
Ml and M 2 in Figure 5.3(a). The condition on the arrow states: while in mode
Ml, if the external event QE occurs when state variable S is true, the transition
from mode Ml to mode M 2 is taken. The corresponding RTL formula
representing this mode transition is as follows:
t+r < t’ A t’ <t + d
Vt AC j @((M1-M2),j) = t
95
A lower/upper bound condition ck on a transition arrow from
Ml to M 2 is
expressed by the following RTL formula:
where (Ml-M2) is the mode transition event from Ml to M2, B is the conjunc-
tion of of RTL predicates specifying the lower/upper bound restrictions on the
transition, t is the time of entering mode Ml, and t’ is the time at which the tran-
sition is taken. For example, consider the transition from Ml to M 2 in figure
5.3(b). The condition on the arrow states that the transition is taken only after
20 time units and before 50 time units has elapsed since entering mode Ml.
In the preceding formulas, it is assumed that the transition from Ml to M2
is the only way to exit Ml. In the case of multiple transitions and nested
serial/parallel modes, a transition out of a mode is captured by a larger formula
which is composed of formulas like the ones shown above. This will be dealt
with in section 5.5.
5.4. Actions and Timing Constraints
A real-time system may be required to execute certain actions while
operating in some mode, or upon transition from one mode to another. Further-
more, the initiation and completion of actions are often subject to timing con-
straints. This section discusses the RTL semantics of actions in relation to mode
transitions.
YtVi A A S(t,t) -> 3j @((M1-M2)j) = t
Vt -> 3t’3j @((M1-M2),j) =t’ a B
Vt -> 3t’3j @((M1-M2),j) = t’ A t + 20 < t’ < t + 50
96
5.4.1. Actions Upon Mode Transitions
A system designer may wish to specify an action to be performed when an
event triggering a mode transition occurs. For example, an action may be
required to set a state variable upon exiting a mode and entering another, as
shown in the system in figure 5.4. In this system, there are two modes in series:
MAGNET-ON and MAGNET-OFF. The transitions from MAGNET-ON to
MAGNET-OFF happens when pushbutton #1 is pressed (external event
OPRESSI); the transition from MAGNET-OFF to MAGNET-ON happens
when pushbutton #1 is released (external event ORELEASEI). The state vari-
able MAG must be set to false when OPRESSI (triggering one transition)
occurs and set to true when ORELEASEI (triggering the other transition)




Since mode transitions are instantaneous in Modechart, an action to be per-
formed upon a transition is performed in the destination mode. In other words,
the action is triggered by the transition and will be performed upon entering the
destination mode. For the example in figure 5.4, action A is performed after
entering MAGNET-OFF mode; the state variable MAG remains true even after
entering MAGNET-OFF until action A is completed (see figure 5.5).
In Modechart, we require each action in a system to be associated with a
mode. Furthermore, at most one action may be associated with a mode. The
action, referred to as the native action the mode, may be initiated some time
after entry into the mode. The exact time of execution is determined by the tim-
ing constraint imposed on the action. (In this paper, a timing constraint on an
action is either sporadic or periodic.) The requirement of at most one entry
action per mode may seem overly restrictive, since two or more actions with dif-
ferent timing constraints may need to be performed when a system is in a certain
mode. Our approach is to create a child mode for each action. This way, no
additional mechanism needs to be introduced in case execution of actions in the
same mode is also subject to precedence or mutual exclusion constraints.
98
For example, consider two actions, A and B which may be executed when
a system is in mode MO. Action A is executed subject to a certain timing con-
straint when condition becomes true and action B is executed when condi-
tion C 2 becomes true, subject to another timing constraint. An application may
require actions A and B to be performed in series, or the two actions must be
executed in parallel. Both choices can be specified unambiguously by designat-
ing actions A and B as entry actions of two modes inside mode MO. Figure 5.6




5.4.2. Actions in Modes
Since mode transitions are instantaneous, there is a need to be precise
about system behavior with respect to actions which are being executed when
the condition for taking a transition becomes true. Consider the two modes. Ml
and M 2 shown below. Suppose execution of action A is started in mode Ml.
The transition from Ml to M 2 should occur when C becomes true. If the execu-
tion of A has not completed, there are three different ways the execution of A
may be terminated: (1) The transition cannot be taken until A is completed. (2)
The transition aborts the action A. (3) The transition is taken and A is com-
pleted in the next mode. A scrutiny reveals that case (3) is unnecessary if the
action is instead associated with a mode at a higher level. Intuitively, if the
transition from Ml to M 2 is taken when action A is in progress, the control
information on the execution of action A will be lost. In other words, if action
A can be in progress while the system is in Ml or M2, then action A should be
associated with a mode parallel to Ml and M2. Of course, appropriate condi-
tions must be specified in the new mode to ensure that the action is invoked only
when the system enters mode Ml.
Cases (1) and (2), however, must be formally captured in the formulas
expressing mode transitions and the timing constraints imposed on actions. The
remainder of this section discusses the modeling of sporadic and periodic timing
constraints in Modechart. In each case, we give the RTL formulas capturing the




The syntax for a sporadic timing constraint in a mode Ml is:
When in mode Ml, if condition Cl is true.
execute action A with deadline=d, separation=s.
If condition Cl becomes true while the system is in mode Ml or if Cl is true
when the system enters mode Ml, the timing constraint is invoked requiring
action A to be performed before the deadline d. We say that the timing con-
straint is in effect from the time of its invocation (when in Ml and Cl holds) to
the time when action A is completed (before the deadline d). The separation
parameter s is the minimum time that must pass between two successive invoca-
tions of the sporadic timing constraint. Figure 5.8(a) illustrates how a sporadic
timing constraint can be modelled in Modechart. Mode Ml contains two modes
Ml’ and Ml". The system is initially in mode Ml’ upon entering Ml. When
condition Cl is true, the transition from Ml* to Ml" is taken. The timing con-
straint is in effect while the system is in mode Ml". Upon entering mode Ml",
action A is performed with the deadline d. When action A is completed, the
transition is taken back to the initial mode Ml*. The separation parameter




The transition arrow from Ml to M 2 represents the transition out of mode
Ml. The label C on the transition denotes an arbitrary condition specified by the
system designer for exiting mode Ml. We now consider the effect of a mode
transition on the action A while the timing constraint on A is in effect.
a) Transition upon completion of action A: If the timing constraint is in
103
progress, one may wish to prevent a transition from Ml unless the execution of
A is completed. In this case, figure 5.8(a) can be refined to figure 5.8(b). where
Ml" is further expanded into two modes: M 3 and M4. M 3 represents the mode
after invocation of the timing constraint and prior to the start of the execution of
action A. M 4 represents the mode during the execution of action A. The
motivation for exanding Ml" is to illustrate that one can model a more detailed
execution of action A by identifying the control information denoted by modes
M 3 and M4. However, the most important change from figure 5.8(a) to figure
5.8(b) is the source of transition into mode M2. In particular, figure 5.8(b)
shows that the transition from Ml to M 2 is taken if condition C is true and the
timing constraint to perform action A is not in progress. The following RTL
formula expresses the timing constraint on the execution of action A upon enter-
ing Ml":
The following assertion ensures the minimum separation as required by the tim-
ing constraint:
The mode transition assertion for the transition from Ml to M 2 follows from the
discussion in section 5.3.2. In particular, if the condition on the transition arrow
is a triggering condition, the following RTL formula captures the mode transi-
tion:
where C in the above formula is the corresponding RTL predicates specifying
the transition condition. However, if the condition on the transition arrow is a
lower/upper bound restriction, the following RTL formula is applicable:
Vt 3i t<@(tA,i) a @(iA,i) < t+d
ViVtVt’ @((Ml":=T),i) = t A @((Ml”:=T),i+l) = t* t + s<t’
Vt Ml ’(t,t) A C -> 3j @((Ml’-M2),j) = t
Vt 2MI \t \,t 2) Ml (r 2it2) A + —^
104
where r and d are the lower and upper bounds specified on the transition.
b) Transition aborting action A: One may wish to terminate action A or not
start it when a transition to a new mode occurs. In figure 5.8(a), if condition C
on the transition arrow becomes true while the system is in mode Ml, the transi-
tion from Ml to M 2 is taken even if the timing constraint is in effect. Hence,
the mode transition assertion is very similar to case (a), except that the formula
must now specify the transition from Ml to M2.
The RTL formula which expresses the timing constraint imposed on the
execution of action A in mode Ml" must now reflect the fact that action A may
be aborted due to a mode transition from Ml to M2. As shown in the diagram
below, there are two cases: (1) transition from Ml to M 2 is not taken until after
the completion of action A, or (2) transition from Ml to M 2 is taken prior to the
deadline imposed on action A, i.e., the action is not performed.
The following formula expresses the timing constraint on the execution of















action A which may be aborted. We assume that
action A is atomic. Hence, if
it is aborted due to a transition from Ml, it is up to the implementation to ensure
that no inconsistencies exit in the system state. The two cases mentioned above
are captured by the two disjuncts in the formula:
Periodic Timing Constraint
A periodic timing constraint in a mode Ml is of the form:
While in Ml, if condition Cl is true,
execute A with period = p and deadline = d.
If condition Cl is true while in mode Ml, the timing constraint requires an
action A to be executed at fixed intervals with period p and deadline d. After its
invocation (when condition Cl is true), the timing constraint is in effect during
each period from the beginning of the period to the time when an instance of
action A is completed before the deadline. Figure 5.8(c) illustrates how a
periodic timing constraint can be modelled in Modechart. Mode Ml contains
two modes Ml’ and Ml". The system is initially in mode Ml’ upon entering
Ml. When condition Cl is true, the transition from Ml’ to Ml" is taken denot-
ing the invocation of the timing constraint. Upon entering mode Ml", the action
is executed once every p time units, as long as the system remains in mode Ml".
The transition arrow from Ml to M 2 represents the transition out of mode Ml
when condition C is true.
Vt Ml"[t,t)
(3i t<@(TA,i) A @(iA,i)<t+d A
(Vj @((M1-M2),j) < t v @(iA,i)<@((Ml-M2),j)))
V
(3j t < @((M1-M2),j) < t+d A
(Vi @(J-A,i)St A @((Ml-M2),j)<@(TA,i)))
106
FIGURE 5.8
As before, we consider the two possible cases where a periodic timing con-
straint is in effect and the condition for taking a transition out of the mode is
true.
a) Transition upon completion of the action in the current period: if the
107
instance of action A in the current period has started, the transition is intended
to occur after the execution of action A is completed. In this case, we refine
figure 5.8(c) to figure 5.8(d) where Ml" is further expanded into two modes: M3
and M4. M 3 represents the mode after the beginning of a period and prior to the
start of action A; M 4 represents the mode during the execution of action A. The
following RTL formula captures the timing constraint imposed on the execution
of action A upon entering mode Ml":
The mode transition assertion for the transition from mode Ml to M 2 is as fol-
lows:
b) Transition aborting action A: In this case, the action in the current period is
aborted or not started when a transition to a new mode occurs. In figure 5.8(c),
if condition C becomes true while the system is in mode Ml, the transition from
Ml to M 2 is taken even if the timing constraint is in effect for the current
period. Hence, the mode transition assertion for the transition from Ml to M 2 is
as described in section 5.3.2. However, the RTL formula expressing the timing
constraint imposed on the execution of action A in mode Ml" must now reflect
the fact that action A may be aborted due to a a mode transition from Ml to M2.
The motivation of this formula is similar to that of the sporadic case.
YtVt’Vn A n*p < t-t’
3i t’+n*p < @(TA,i) A @(slA,i) t’+n*p+d
Vt [ v M3(t,t) ] a c -> 3j @((Ml’-M2),j) = t
VtYt’Vn>o A n*p < t-t’
t’+n*p <@(tA,i) A @(iA,i) < t’+n*p+d A
(Vj @((M1-M2),j) <t’ v @(iA.i)<@((Ml-M2)j)))
V
(3j t’+n*p < @((M1-M2),j) < t’+n*p+d A
(Vi @(iA,i) < t’+n*p V @((M1-M2),j) <@(tA,i)))
108
5.5. Entering and Existing Nested modes
We now give RTL formulas to capture the meaning of transitions out of
modes which are nested inside other modes. Firstly, entering and exiting nested
modes must be precisely defined:
Definition: (explicit and implicit entry)
A transition explicitly enters a mode M if
- the arrow ends at M, or
- the arrow crosses the boundary into M.
A transition implicitly enters a mode M if
Case 1: Mis an initial mode, M’ the immediate
parent of M is a serial mode, and
the arrow ends at M’, or
the transition implicitly enters M’.
Case 2: M’ the immediate parent of M is a parallel mode, and
- the arrow ends at M’, or
- the transition implicitly enters M’, or
- the transition explicitly enters a sibling of M.
Definition: (explicit and implicit exit)
A transition explicitly exits a mode M if
- the arrow originates from M, or
- the arrow crosses the boundary out of M.
A transition implicitly exits a mode M if
Case 1: M’ the immediate parent of M is a serial mode,
the system is in mode M, and
- the arrow originates from M’, or
- the transition implicidy exits M’.
Case 2; M’ the immediate parent of M is a parallel mode and
109
- the arrow originates from M’, or
- the transition implicitly exits M’, or
- the transition explicitly exits a sibling of M.
For example, in figure 5.9, the transition from M 4 to M 3 has explicit exits from
modes M 4 and Ml, an explicit entry into M3, and implicit entries into modes
M 6 and M7. The transition from M 3 to Ml has explicit exits from M3, implicit




Suppose mode M’ is an immediate child of mode M, then mode M’ is said to be
at level M.
In figure 5.9, mode Ml, M2, and M 3 are at level MO, and M 4 and M 5 are at
level Ml. Modes M 6 and M 7 are at level M3.
110
Secondly, since a Modechart system can be in more than one mode simul-
taneously and multiple transitions can originate from a mode, it is possible that
more than one transition can be taken at an instant of time. We identify a set of
rules which identify simultaneous transitions that violate the semantics of
Modechart. We motivate the discussion by considering three simple examples
shown in figure 5.10. In figure 5.10(a), two transitions (Ml-M2) and (Ml-M3)
originate from the same mode, thus both transitions cannot be taken at the same
instant of time. However, in figure 5.10(b), a transition inside Ml can happen
simultaneouysly with a transition inside M2, because Ml and M 2 are in parallel.
In contrast to the first two examples, figure 5.10(c) illustrates a potential prob-
lem due to simultaneous transitions at different levels of hierarchy. Consider
the two transitions (M2-M3) and (MO-M1). On one hand, one can view the
transition from M 0 to Ml as an abbreviation for a transition from M 2 to Ml.
Then, if the system is in M2, (M2-M3) and (MO-M1) cannot happen at the same
time because both originate from M2. On the other hand, one can view the tran-
sition from M 0 to Ml as an abbreviation for a transition from M 3 to Ml. Then,
simultaneous transitions (M2-M3) and (MO-M1) can be seen as the system mov-
ing from M 2 to M 3 and then to Ml. We resolve this potential problem by giv-
ing (MO-M1) a higher precedence over (M2-M3) when both have to be taken at
the same instant of time. Of course, one can allow the two transitions happen
simultaneouly by explicitly connecting an edge from M 3 to Ml. The pre-
cedence among transitions (explicitly or implicitly) exiting a mode is defined
below:
(1) Transitions originating from the same mode have the same precedence.
(2) Transitions originating from modes in parallel and at the same level have
the same precedence.
(3) Transitions originating from inside two distinct modes in parallel at level
M and exiting out of M have the same precedence.
(4) Transitions originating from a mode M have precedence over transitions
111
originating from the children of M.
(5) Transitions originating from a mode M have precedence over transitions
originating from children of a mode M’, where M and M’ are in parallel.
FIGURE 5.10
Referring to figure 5.9, (M4-M3) has the same precedence as (M4-M5)
because of precedence rule (1). By rule (2), both (M6-M2) and (M7-M2) have
the same precedence. (M3-M1) has precedence over both (M6-M2) and (M-
M2) by rule (4). Any transitions coming out from inside M 6 and M 7 would have
had the same precedence by rule (3). Lastly, by rule (5), (M6-M2) would have
had precedence over transitions coming from inside M 7 and (M7-M2) would
112
have had precedence over transitions coming from inside M6.
Having defined the notion of precedence among transitions from a mode,
we can now specify rules for simultaneous transitions. If two transitions out of
a mode must be taken at the same instant of time, then the transition with the
higher precedence is taken. If their precedence is the same, then either (but not
both) is taken. If no precedence is defined between the transitions then both
may be taken. The precedence among transitions will be captured formally by
the hierarchical way we organize the transition assertions in section 5.5.3. To
prevent two transitions with equal precedence from both being taken at the same
instant of time, we introduce a type of mutual exclusion assertion as shown in
the next section.
5.5.1. Mode transition exclusion
Let e
!
and e 2 be mode transition events corresponding to two distinct tran-
sitions with equal precedence, the exclusion assertion is:
Two transitions may have the same precedence if they fall under rules (1), (2)
and (3) in the previous section. For each pair of transitions which falls under
one of the three rules, an exclusion assertion is specified.
5.5.2. Implicit mode exits
When a transition is taken, a set of modes may be explicitly and implicitly
exited and another set of modes explicitly and implicitly entered. As will be
shown in section 5.5.3, a formula capturing a mode transition will specify expli-
cit and implicit mode entries and explicit mode exits. The reason for including
the explicit entries and implicit entries as part of a single mode transition asser-
tion (section 5.5.3) is that they cannot be specified independent of the specific
Vi Vj @(e hi) * @(* 2 j)
113
transition taken to enter a compound mode. For example, in figure 5.9, entering
mode Ml could mean entering M 4 or M 5 depending on the transitions. For
implicit mode exits, however, the corresponding RTL formula can be written
independent of the transitions.
Suppose a system exits at time t from a mode M which has as its immedi-
ate children the modes Mp M2, ,M.lf M is a serial mode, the following
assertion captures the exit from its immediate children.
If M is a parallel mode, the assertion to capture implicit exits is simply:
Finally, specifying explicit exits as part of the mode transition assertion
allows us to use the above assertion for exiting all modes which are exited
implicitly due to the transition.
5.5.3. The transition assertion for nested modes
We shall use a single assertion to capture the transitions in a set of nested
modes. The mode transition assertion is structured to reflect the serial and paral-
lel structure of the system. Intuitively, a formula at a level M describes the sys-
tem behavior specified by the modes nested in M, At a level M, we include all
the formulas describing the transitions originating from each immediate child
M’ of M. In turn, the level M* formulas describe the modes inside M’, their
transitions and timing constraints. (A complete specification will also include
the formulas capturing the timing constraints imposed on the actions in M’. For
the purpose of this section, we shall not be concerned with timing constraints.











M(t,t] -» Mj(t,t] A M2(t,t]




To deal with sporadic and periodic timing constraints, the transition assertion
given here can be modified in a straightforward manner in accordance with the
discussion in section 5.4.2.)
Suppose M is a serial mode and M’ is an immediate child of M. Let n be
the number of transitions from M’ with a triggering condition on the arrow and
let Ci, C2, ■• •, Cn be the corresponding triggering conditions. Let mbe the
number of transitions from M’ with a lower/upper bound condition on the arrow




be the corresponding bounds on the transitions. (The
C,-s and 5,-s are RTL predicates as described in section 5.3.2.) The following
formula captures the transitions originating from an immediate child M’ of
mode M:
{Level M transition assertion is the conjunction of formulas below for each M’}
(M’(t,t) ACi-> TO v (M’(t.t) aC 2 -> T 2) v





M’[t,t) -> [ (T
n +i ABO





is a predicate denoting the occurrence of the mode transition event
corresponding to the ilh transition from M’, and each 0 Z- is the conjunction of
• the mode predicates denoting explicit exits for the zth transition, and
• the mode predicates denoting explicit and implicit mode entries for the zth
transition
[(Tn+2 AB2)
v A t’<t + d2)] a
[(Tn+m A Bm )












A -1(7! vr2 v ••• v Tm+n ) —> {Level M’formulas}
115
Formula (1) specifies the transitions from M’ with triggering conditions. For-
mula (2) specifies the transitions from M’ with lower/upper bounds. Formula
(3) specifies the condition for level M* formulas by asserting that if the system
is in M’ and none of the transitions originating from M* has been taken at time t,
then the assertions about the mode transitions nested in M’ will hold.
FIGURE 5.11 FIGURE 5.12
For example, assume the conditions on the transitions in figure 5.11 are all
triggering conditions. The level MO mode transition assertion is:
{Level MO transition assertion}
(Ml(t,t) A Cl -> 3i @((M1-M2),i) =t) V
(Ml(t,t) A C 2 -> 3i @((M1-M3),i) =t)
Vi @((M1-M3),i) = t -> A MO(t,t] A M3[t,t)
Vi @((M1-M2),i) = t A M2[t,t)
Vi,j Ml(t,t) A @((M1-M3),i)*t A @((M1-M2),j) * t {Level Ml}
M2(t,t) AC3 3i @((M2-M3),i) = t
Vi @((M2-M3),i) = t -> M2(t,t] A MO(t,t] A M3[t,t)
116
If M is a parallel mode, the following formula captures the transitions ori-
ginating from all immediate children of mode M:
{Level M transition assertion is the conjunction of the following formulas}














are as described in the serial case earlier. Observe
that the above formulas holds when the the system is in mode M at time t. Since
M is a parallel mode, it is not necessary to specify the mode M’ in the
antecedents of the implications of the above formulas.
As an example, assume both conditions on the transitions in figure 5.12 are
triggering conditions. The level MO mode transition assertion is as follows:
Vi M2(t,t) A @((M2-M3),i) * t -* {Level M 2 formulas}
-> [{T
n+l





V A t’<t + rf
2)]
a















{Level MO transition assertion}
(Cl -> 3> @((M1-M3),i) =t) v
(C 2 -> 3i @((M2-M4),i) =t)
Vi @((M1-M3),i) = t -> A MO(t,t] A M3[t,t)
Vi @((M2-M4),i) = t M2(t,t] A MO(t,t] A M4[t,t)
Vi Vj @((M1-M3),i)*t A @((M2-M4),j) * t -> {Levels Ml and M2)
117
We conclude this section by discussing how the semantics of Modechart
deals with the potential ambiguities caused by simultaneous transitions. The
precedence rules and the transition exclusion assertions handle the case where
two transitions can (explicitly or implicitly) exit a mode. If the two transitions
have the same precedence, either one (but not both) can be taken. Otherwise,
the transition with higher precedence is taken. However, the semantics of
Modechart allows that any two concurrent transitions inside two modes in paral-
lel to be taken simultaneously. Recall the parallel mode Min figure 5.2(b). The
following assertion expresses the two mode transitions in M.
Vt M(t,t)
Assume that the system is in mode Ml and M 3 initially. The preceding asser-
tion allows the two transitions, from Ml to M 2 and from M 3 to M4, to occur at
the same time. If there are lower/upper bounds on the transitions, then the
semantics of Modechart does not require both transitions to be taken.
5.6. Absence of Anomalous Behavior
In the preceding sections, we described the syntax and provided a formal
semantics for Modechart in terms of Real Time Logic. In this section, we give a
theorem which shows that the well-formedness requirement and the UDIM con-
dition ensure the proper behavior of serial and parallel modes as described in
section 5.2. We also state a condition and give a theorem for preventing the
anomaly which arise from cycles of transitions.
Lemma 5.1:
(Level M’ transition assertion}
[ Ml(t,t) AM3(t,t) -> 3i @((M1-M2),i) = t] A
(Level M" transition assertion}
[ M3(t,t) A -> 3i@((M3-M4),i) = t]
118
If the root mode of a system is well-formed and the
UDIM condition holds, then
(a) if a transition (explicitly or implicitly) enters a serial mode M, it enters
exactly one of the immediate children of M.
(b) if a transition (explicitly or implicitly) enters a parallel mode M, it enters all
of the immediate children of M.
(c) if a transition exits from a (serial or parallel) mode M, it exits from all of the
immediate children of M.
Proof: The proof follows directly from the well-formedness assumption, the
UDIM condition, and the precedence rules described in the previous section. □
Theorem 5.2:
Suppose the root mode of a system is well-formed, and the UDIM condition
holds for the system. Suppose Mis a compound mode and Mit Mj are two of its
immediate children.
(a) If Mis a serial mode, then if the system is in mode M{- for a non-zero
interval
of time, it cannot be in another mode Mj for non-zero units of time in the
same interval.
(b) If Mis a parallel mode, then if the system is in mode Mt- for a non-zero inter-
val of time, it is also in each mode Mj during the same time interval.
Proof: We prove this theorem by induction. We start with the top-most mode
as the base case. We then show that if properties (a) and (b) hold for all ances-
tors of a mode, they also hold for the mode.
Base Case: (top-most mode)
(A) Consider the case where the top-mode mode Mis a serial mode. Let A/t- and
Mj be two immediate children of M. Lemma 1 implies that the system will
be in exactly one mode upon system start-up.
119
Assume that the system
is in mode M
t during the interval from to
where r,- < r',-. If the system enters another mode at time tj where
fj<tj<t\ , it cannot remain in mode Mj for any non-zero time interval. Oth-
erwise, the system must have exited Mt- at time tj and stayed out of M,- for a
non-zero time interval.
(B) Consider the case where the top-most mode M is a parallel mode. Let M,-
and Mj be two immediate children of M. We know by lemma 1 that the
system starts in both M{- and Mj . Furhermore, the well-formedness property
implies that there is no transition connecting the two modes M
t
- and Mj.
Hence, the system will remain in both modes.
Induction Step:
(A) Let M be a serial mode such that properties (a) and (b) in the statement of
the theorem hold for ancestors of M. We need to show that property (a)
holds for M. Again, let M
t- and Mj be two immediate children of M.
Assume the system is in mode M
{
- during the interval from r
t
- to t\ where r,-
< t'i. Furthermore, assume the system enters another mode Mj at time tj
where ti<tj<t\. The system cannot remain in mode Mj for any non-zero
time interval for the following reason.
Mj is entered because of the occurrence of a sequence of transitions at time
tj. The
first mode in this sequence of transitions can be either one of the
two cases:
(i) The sequence of transitions originated from mode M-t . But this is
impossible, because it means that the system is not in M{- from tj to
t'j+l.
(ii) The sequence of transitions originated from a mode M’ outside
mode M. From the well-formedness assumption, we know that M (or
its ancestor) is in series with M’ (or its ancestors). This fact implies
120
that the system was simulataneously in M and M’ right before time tj
for a non-zero interval of time. This is a contradiction to the
hypothesis of the induction step.
(B) Let M be a parallel mode such that properties (a) and (b) in the statement of
the theorem hold for ancestors of M. We need to show that property (b)
holds for mode M as well.
Assume the system is in mode M-t during the interval from rt- to t\ where rt-
< t'i . Furthermore, assume that the system is in mode Mj until it exist Mj at
time
tj
where <tj<t\ . If the system remains outside Mj in another mode
M’ for some non-zero time interval, then by the well-formedness assump-
tion we know that M (or its ancestor) is in series with M
f
(or its ancestor.
But this is a contradiction to the hypothesis of the induction step, because it
implies that the system is in two modes (in series) simultaneously during the
interval from
tj to tj+\. □
In section 5.2, we described an anomaly which may result from a cycle of
transitions. Clearly, it is too restrictive to disallow transition cycles in a
specification. However, if we can ensure that there is a positive delay or an
action is executed in one of the modes involved in a cycle of transitions, the
anomaly is avoided. The following definitions will be used in a sufficient condi-
tion for preventing the transition cycle anomaly.
Definition: (cycle of transitions)
Let Ti, T 2,
•• * ,T
m
denote a sequence of transitions. The transitions form a




- each transition T
t (implicitly or explicitly) exits ML and (implicitly or








A transition exiting mode M and entering mode M’ is blocked if
there is an action associated with mode M such that the transition cannot be
taken until that action completes, or
there is a positive delay imposed on the transitions.
Theorem 5.3:
A Modechart specification is free from the transition cycle anomaly if in each
cycle of transitions, at least one transition t exiting mode M and entering M’ is
blocked by M.
Proof: If a transition in a cycle is blocked by an action or a delay, the cycle
cannot be traversed instantaneously. Hence, the anomaly is avoided. □
For each transition cycle, the preceding theorem ensures that the system
remain in at least one mode for non-zero units of time. This is possible because
either at least one action is executed in one of the modes involved in the cycle,
or there is a positive delay on one of the transitions in the cycle. We remark that
the above condition is not necessary to prevent the transition cycle anomaly.
5.7. Conclusion
In this chapter, we have presented a language called Modechart for the
specification of real-time systems. Modechart owes its origin to the mode con-
cept of Pamas et al in their systems requirement work on the A-7E aircraft and
also to the Statechart language of Harel et al. The emphasis of Modechart, how-
ever, is in the specification of absolute timing properties. A formal semantics of
Modechart was given in terms of RTL (Real Time Logic).
The concept of modes is familiar to designers of process control systems.
Hence, Modechart should be an easy specification language to use for defining
122
real-time systems. More importantly, the specification of a system in terms of
modes gives us more leverage in the verification of timing properties. Serial and
parallel modes provide a way to organize the assertions about system behavior
(RTL formulas) in a hierarchical and compartmental organization. Proof tech-
niques can take advantage of this organization to focus on the set of relevant
assertions to establish a timing property. The ability to avoid considering all the
assertions defining the behavior of a large system is a prerequisite to practical
applications of verification technology.
A preliminary version of a software tool which allows a user to describe a
system specification in Modechart and a translator for generating the
corresponding RTL formulas has been developed as part of the SARTOR pro-
ject. The graphics-based tool for generating a Modechart specification, the
Modechart Constructor consists of two components; (1) an icon-driven user
interface for creating, displaying and modifying a specification, and (2) a data-
base manager from which the information is retrieved by the user interface
through message passing.
The software tool, TRANS for generating RTL formulas from a Modechart
specification performs the translation in two stages. First, TRANS converts the
Modechart specification in the database into an intermediate ASCII format.
Then it generates the appropriate RTL formulas as queried by the user. The pri-
mary advantage of a two-stage translation is that it allows the user to bypass the
Modechart Constructor tool when a bit-map workstation is not available. A sys-
tem specification in the ASCII format can also be used directly as input to the
TRANS software for generating the corresponding RTL formulas.
Chapter 6
Verification of Modechart Specifications
6.1. Introduction
The primary difficulty in deciding the satisfiability (or unsatisfiability) of
an RTL formula is the potentially infinite number of event occurrences that must
be considered. This problem arises due to the use of both arbitrary
quantification and the uninterpreted functions in RTL formulas. The occurrence
function does not pose a problem in obtaining decidability, because an
occurrence function cannot be an argument to an uninterpreted function. How-
ever, skolemizing an existentially quantified variable may yield an uninterpreted
function which may be an argument to other uninterpreted functions.
Even after using serial and parallel modes in specifying a system, the
corresponding RTL formulas involve arbitrary V and 3 for variables denoting
event occurrences. In order to take advantage of the hierarchical and orthogonal
control information that is provided by a Modechart specification, we must
avoid verifying a given property against the entire set of RTL formulas. The
objective of this chapter is to examine how a system property specified in RTL
can be verified with respect to a Modechart specification without explicitly exa-
mining all possible occurrences of events in the system.
6.2. The Approach
The objective is to use the Modechart specification to consider only a finite
number of event occurrences to verify a system property. First, we define the
computations of a system specified in Modechart as a directed tree augmented
with a set of relations expressing the lower/upper bounds on pairs of events. If
we can represent the potentially infinite computation tree by a finite graph, then
123
124
if a procedure can decide a class of properties for this graph, it is a decision pro-
cedure for the original Modechart specification.
Figure 6.1 and Figure 6.2 illustrate the proposed approach. A Modechart
specification is used to generate a finite computation graph. While generating
the graph, the corresponding RTL formulas can be used to prune the vertices
that are unreachable due to the timing constraints. These RTL formulas pose lit-
tle difficulty in an analysis because constants are used for event instances in the
occurrence functions. The key is in generating the computation graph so that it
accurately reflects the modechart specification. A model for a modechart
specification is an assignment of times to events. Likewise, a model of a com-
putation graph is an assignment of times to the events on a path in the graph. A
model for a Modechart specification, i.e., for the RTL formulas that capture the
formal semantics of the specification, must be shown to be a model for the com-
putation graph. Then if we prove a property about the computation graph, it
also holds for the original Modechart specification (Figure 6.1). However, if we
can also show that a model for the computation graph is a model for the
Modechart specification, then a decision procedure for a class of properties for





Although the approach proposed in this paper is similar to the reachability
analysis for timed-petri nets, e.g.,[Razouk & Phelps 84],[Zuberek 1980], [Ram-
chandani 74], [Merlin & Farber 76], there are three major differences. First, the
model of computation used in the petri net approach relies on interleaving.
Second, the restrictions imposed on the types of nets (such as decision free nets,
free choice nets and nets with conflict sets) and the restrictions on the timing
constraints limit the systems that can be described. Lastly, the reachability
algorithms, for example the one presented in[Razouk & Phelps 84], rely on the
presence of counters in the nodes of the reachability graph to measure elpsed
times. The approach in this paper allows nodes with different timer values to be
126
merged into a single node, resulting in a potentially smaller graph.
6.3. Computations of a Systems
The computations of a system specified in Modechart can be viewed as a
directed tree in which the nodes are labelled with events and the edges denote
causality. The nodes in a computation tree are referred to as points throughout
this chapter. The sink node of an edge represents the occurrence of an event
caused by the events on the path from the root to that point. A computation tree
is augmented by a set of timing requirements representing the lower/upper
bound requirements on separation between pairs of (not necessarily consecutive)
events in a path from the root. A lower bound separation requirement imposes a
non-negative minimum separation on the two events. An upper bound separa-
tion requirement imposes a maximum separation on the two events; it can be
either a natural number or «». (The timing requirements are obtained from the
Modechart specification.)
A computation of a system is defined to be an assignment of time values to
the events on a path (perhaps infinite) from the root of the tree such that it is
consistent with lower/upper bound requirements on the events. Consider a path
consisting of a sequence of points Pq, Pi, ￿ Each point Pt represents an event
occurrence. An edge from to Pl+l represents the occurrence of an event at
point Pi+i which was caused by the events from P 0 to Pt . The timing require-
ments of the system, as described by the Modechart specification, impose
minimum/maximum separation on the points (actually event occurrences) in the
path. For a pair of points PL and Pj on a path where i<j, the timing requirements
can be represented as
(lower bound separation requirement)
(upper bound separation requirement)




it is assumed that the minimum separation from Pi to Pj is at least zero, and the
maximum separation is
A point can be labelled with more than one event if the events are simul-
taneous. For example, a point labelled with the mode transition event (Ml-M2)
represents the simultaneous occurrence of two events, the mode exit event
(Ml:=F) and the mode entry event (M2:=T). However, two simultaneous events
are not necessarily labelled at the same point. Two distinct points can be
labelled each with one of the simultaneous events, but the lower/upper bound
separations must then require the events to happen at the same time.
Example 1:
Consider the computation tree in Figure 6.3. Each point (node) is labelled with
a set of events that happen at that point. The sequence of points
denotes a path from the root. The point P 0 is the root indicating that the system
is initially in modes Ml and M 3 and the state variable Sis false. The point P i
corresponds to the occurrence of the event (Ml-M2) which denotes that a mode
transition from Ml to M 2 is taken at that point. The following lower/upper
bound separations may be imposed on the points in the path segment Poto P 5 .
The inequalities are intended to denote bounds on the instances of events
corresponding to each point.
delay on transition Ml to M 2
computation time of action A
delay on transition from M 2 to M4
deadline on action A
(S:=T) happens at same time as >IA
The lower and upper bound separation between P 3 and P 4 are zero, thus the two
points (i.e., the corresponding events) are simultaneous. An assignment of time
values to the event occurrences in the above path such that they do not violate
P 0 + 10</>1
P 2 + 20<P3
P \ + 150 <P 5
P 3 <P { + 100
P4— P 2
128
the lower/upper bound requirements is a computation of the system
FIGURE 6.3
The set of bound separations on a path in a computation tree can in turn be
represented by a directed graph, referred to as a separation graph. The nodes in
this graph are the points in the corresponding path and the weights on the edges
denote the specified separation between the nodes. Specifically, given a pair of
points Pi and Pj on a path, a separation between the points,
Pi+ l< Pj
129
is represented in the graph by an edge from PL to Pj with the weight /. A
separation graph is connected, because by definition there is at least zero




i+l . Figure 6.4 illustrates the corresponding separation graph
for the path in Example 1.
FIGURE 6.4
Theorem 6.1:
The weight of a cycle in a separation graph is non-positive.
130
Proof: Suppose A is a point in a separation graph such that there is cycle of n edges





The following inequalities correspond to
the edges in the cycle with / lt /„ as the weights on the edges:
where each I
L
is a natural number. We obtain the following inequality by adding the
two sides of the above inequalities:
where I = 1 1+/2+ •*•+/«. Clearly, / must be non-positive for Atobe a point in a com-
putation. Hence, the sum of weights on the transitions forming the cycle is non-
positive. □
Definition: The distance from point A to point B in a separation graph, distance (A ,B ),
is defined to be the longest (largest weight) path from A to B.
The distance from A to B is the relative separation of A and B measured
from point A . Intuitively, if A precedes Bon a path in a computation tree, then
distance (A ,B ) in the separation graph is the earliest relative time B can happen
after the occurrence of A ; distance (B 4) is the earliest relative time A can hap-
pen before the occurrence of B (the longest time B can happen after the
occurrence of A ). As it will be shown in the next theorem, if A precedes B
distance (A ,B) is a non-negative integer and distance (B )is a non-positive
integer.
Refering again to example 1 and Figures 6.3 and 6.4, we will use the above
definitions to determine the distance from P
3 to P5, or the minimum time that
must elapse between the completion of action A and the entry of mode M4. The
longest path from P 3 to P 5 is the maximum weight of all paths from P 3 to P 5, a
non-negative integer. As shown in Figure 6.4, the longest path between the two
A +ll< B i













is the largest weight on a path from P x to P 2, a non-positive
integer. Again, refering to Figure 6.4, the longest path travels from P2to P 3 and
then to Pi. Hence, distance (P 2>P i)=-80.
Theorem 6.2:
Given two points A and B in a path in a computation tree such
that A precedes B,
(a) distance (A ,£) >O, and
(b) distance (£ yA ) <O.
Proof:
(a) It is possible that a negative path from A to £ exist in a separation graph.
However, distance (A ,B ) is defined to be the longest path from point A to point
B
.
Since A precedes B , A <£, there is a path with the weight of at least zero
from A to £ in a separation graph. Hence, distance (A ,£) >O.
(b) Suppose the distance from £ to A is an integer /. Therefore there is a path
from £ to A with weight /, so £•+/ < A. Furthermore, since A precedes £, we
know A<£ from part (a). Hence, there is a path from £ to itself with the weight
of /, so
By Theorem 6.1, each cycle in a separation graph must has a non-positive
weight. Hence, / <O. □
6.4. Generating a Computation Graph
In Section 5, the notion of an augmented computation tree for a Modechart
specification was introduced. Since a system computation is often infinite, our
goal is to construct a finite computation graph that represents the computations
B+l <B
132
of the system. In the subsequent section, we will describe how to verify a
desired property of the system with respect to the corresponding computation
graph. Since a mode is control information and may be viewed as a state, it is
crucial to discuss why a global state reachability graph is not sufficient for our
purposes. One reason concerns the timing constraints which are imposed on the
actions and transitions. We use two examples to illustrate several key issues in
justifying why a global reachability graph is inadequate here.
Example 2:
Consider the simple Modechart specification shown in Figure 6.5(a). It consists
of two parallel components. The initial modes for the two components are Ml
and M4. The enabling conditions for the three transitions in the system are all
true. However, the transition from mode Ml to mode M 2 must be taken after a
delay of 5 and before a deadline of 10 after starting in mode Ml. The transition
from M 2 to M 3 must be taken after a delay of 16 time units after entering M2.
The transition from M 4 to M 5 must be taken by a deadline of 20 from starting in
mode M4.
Figure 6.5(b) shows a typical global state graph for this system, although
the enabling conditions are true, not every global ‘state’ is reachable. For
instance, while the system is in modes M 2 and M4, the transition from M 2 to
M 3 cannot be taken before the transition from M 4 to M 5 because the time after
the minimum delay for transition M2-M3 is later than the deadline for the other
transition, M4-M5! Hence, it is necessary to consider the relative time ordering
to determine what is reachable. In the computation graph proposed at the end of
this section, the RTF formulas are used to prune the vertices in the graph which





Consider the Modechart specification in Figure 6.6(a). The system consists of two
components with the modes Ml and M 4 as the initial modes. The enabling conditions
on all the transitions are true. The transitions Ml-M2, M2-M3, and M3-M1 have the
deadlines of 100, 200, and 1, respectively. The transition from mode M 4 to M 5 cannot
be taken until the delay of 1000 time units after starting in M4. Figure 6.6(b) shows a
reachability graph for this system in which the delays and the deadlines are considered
to discard the unreachable vertices in the graph. Observe that the graph in Figure 6.6(b)
shows the mode M 5 to be unreachable because the transition M4-M5 is never taken.
However, if the system goes from Ml to M 2 to M 3 and back to Ml several times, the
delay of 1000 will eventually expire and the transition from M 4 to M 5 can be taken.
Hence, the graph in Figure 6.6(b) does not represent the computations of the system. It
fails to distinguish between the first and the second time that the system entered Ml
while it remained in M4. In particular, the edge labelled a in Figure 6.6(b) should go
from vertex ‘M3,M4’ to another instance of vertex ‘MI,M4’. Figure 6.6(c) illustrates
the revised graph. Observe that the vertices P \,P 2 and F 3 have the same label. How-
ever, each represents a different instance of mode M3. The transition from M 4 to M5










Having looked at some of the key issues, we can now discuss how to con-
struct a computation graph from a Modechart specification. Since a computa-
tion graph is intended to represent the computations of a given system, it is con-
structed similar to a computation tree. However, as a new point (vertex) is gen-
erated, it can be shown under certain conditions that the new point Pn is an
instance of a point P
m already in the graph; that is, the computation subtree
below P
n
is identical to the subtree below P
m
. Hence, the point Pn is not added





added to denote the occurrence of another instance of P
m
in the computations of
the system. As we shall illustrate shortly, the resulting computation graph is
finite, but each point in the graph may correspond to infinitely many occurrences
of events.
As in a computation tree, the points in a computation graph are labelled
with events, and the edges represent causality. Furthermore, for convenience,
each point is labelled with a set of predicates denoting the modes the system is
in and the values of the state variables. Informally, an edge in a computation
graph corresponds to a mode transition or a change in the value of a state vari-
able as prescribed by the corresponding Modechart specification. After each
point the system remains in the same modes and the values of the state variables
remain the same until the next point. We shall refer to the modes and state vari-
ables in a point as the components of that point. Furthermore, a mode or a state
variable is underlined in each point to indicate the component that changed from
the previous point.
For example, the computation graph in Figure 6.7 denotes a system which
is initially in modes Ml and M 3 (in parallel) and the state variable S is true.
The first edge takes the system from mode Ml to M2. The vertex labelled p \
denotes a point at which a mode transition from Ml to M 2 is taken while the
system is also
in mode M 3 and state variable S is true. The edge from p x to p 2
denotes a change in the value of the state variable S. The vertex labelled p 2
137
represents a point at which the value of S changed from T to F while the system
is in modes M 2 and M3.
FIGURE 6.7
We now present the conditions under which a point can be shown to be an
instance of another point in the graph.
Definition: The event set of a point P
m
is the set of events in P
m
or its predeces-
sors such that the events are assigned the same time value in at least one compu-















) =0 ] }
Definition: The event set reference points for a point P are all of those points
Q up to and including P such that distance (Q J 3 )=O.
Definition: A reference point for a mode component M of point P is the point
in the computation tree (or graph) closest to P such that M :=T is part of the
label of that point, and for no points between that point (exclusive) and P
(inclusive).
Notice that by this definition, if component M changes at P , then the refer-
ence point for M at P is P itself, otherwise, it is the most recent predecessor of
P at which M changed.
138
Definition: The reference points for a point P are all of the reference points for
the mode components of the point, together with its event set reference points.
Definition: A potential successor of a point P is a point that differs from P in
at most one component.
If that component is a mode component, then there
must be a mode transition from the mode of P to that of the potential successor.
If that component is a state variable component, then there must be an action
that can be executed in one of the modes of P that can result in the state variable
changing its value from the value it has in P to that in the potential successor.
Definition: An actual successor of a point P is a potential successor that
appears in the computation tree as a successor of P .
Note that a potential successor of a point is a point that could be reached if
timing requirements were ignored, while actual successors are those that do not





> are two points in a computation graph sharing
the same components and event sets. Let P a reference point for Pm and P' be
the corresponding reference point for P'
m
.
Also, suppose Ais the set of poten-
tial successors of P
m
and A' is the set of potential successors of P'
m ,
Note that
A and A' are isomorphic since Pm and P'm have the same mode components







holds if, for each pair of corresponding potential successors
A e A and A' e A', either
(a) distance (P A) = distance {P 'A')
distance (AJ
3
) = distance (A ',P ')
OR the following conditions are true:
(b) If for the reference points P and P
'
corresponding to a mode component M ,
d = 00, then
139
distance {P yA)> r
distance (P 'yA')> r
where d is the smallest deadline on any lower/upper bound transition from M ,
and r is the largest delay on any lower/upper bound transition from M.
AND
(c) If for the reference points P and P
'
corresponding to a mode component M ,
d * 00, then
where d is the smallest deadline on any lower/upper bound transition from M .
AND
(d) If the reference points P and P
'
correspond to an event from the event set.
distance {P A) > 0
distance (P
'
A ') > 0
Lemma 6.3 : Given a point P, with potential successors A iyA 2,... A n , is an
actual successor of P if and only if \fj distance (A Proof: If the
distance {A then the deadline on Aj expires before A- t can occur, so A L
cannot be an actual successor of P
,
because any computation that took that path
would miss the deadline on the transition corresponding to Aj. Likewise, if
distance {AjAi) 0. A,- can occur before the deadline on Aj expires.
distance (P )> d
distance {P'yA')> d
140
Therefore, since all pending deadlines at P are reflected in a potential suc-
cessor of P
,
if for a potential successor A,- of P , V j distance (AjyAi ) <O, then A,-
can be a successor of P in some computation, so is an actual successor of P .
Conversely, if there is some potential successor Aj of P such that
distance (.A
Jy








are two points in a computation graph sharing the same
components and the same event sets. Furthermore, suppose the distance






(i) A potential successor A of Pm is an actual successor iff the corresponding
potential successor A' of P’
m
is an actual successor.
(ii) For each actual successor A of P
m
and the corresponding actual successor A'
ofP'
m ,






share the same components and the same event sets, for
each potential successor A, of Pm , there is a potential successor A of P'm such
that the two successors share the same components. Since the deq condition




one can show that
where A,- and A
;
are potential successors of Pm , and A',- and A'j are the
corresponding successors of P'm . It follows from Lemma 6.3 that if a point Ais
an actual successor of P
m ,




distance (A,- yAj) > 0 iff distance (A j) > 0
141
FIGURE 6.8
(ii) Let Rbe the set of reference points at the point Pm . The reference points at A , a
successor of P
m ,
are in the set Ru{A }. For each reference point P (both for mode
components and event sets) at point A and for each reference point P' at point A ', we
need to show that one of the four conditions (a through d) in the definition of deq con-
dition holds for each B and B ', the corresponding potential successors of A and A ',
respectively. Thus, we need to calculate distance (P ,B ) and distance (B ,P ). (Similar
distances between P' and B
'
must be calculated). There are two cases based on the
component that changes at point B . Let Q be the reference point of a component Mat
point A that changes from A to B .
Case 1: If <2«=R, there is a potential successor of P
m
in Figure 6.8(a) such that the
same component M changes from P
m
to C. From the hypothesis, we know that the deq
142
condition holds for reference points Pat P
m




(a),(b),(c), or (d) holds for the reference points P and P', and A and A'. If condition
(a), the distance from P to B and from B to P in Figure 6.8(b) can be calculated based
on the distances between P and A
,
and between P and C in Figure 6.8(a).
distance (P ,B) = MAX { distance (P A )+O, distance (P ,C) }
distance (B ,P) = distance (C ,P)
Distances between P' and B' are calculated similarly. The newly calculated distances
between P and B are equal to the corresponding distances between P
'
and B '. If con-
dition (b), distance(P A)>t and distance (P'A')>r by the definition deq condition,
where ris the largest delay on a 1/u transition from M. Since B is a successor of A and





dition (c), distance (P A )>d where dis the smallest deadline on a 1/u transition from M.
This means that a transition from M must be taken first. Hence A cannot be an actual
successor of P
m .
Similar argument shows that A
'
cannot be an actual successor of P'
m
.
If condition (d), distance (P A )>O. We conclude that P is not a reference point at point
A
,




point at point A
Case 2: If Q -A
,
i.e. Q dR, the reference point of component Mat point A is A itself.
distance (P ,B) = distance (P A) + WA _B










on the transition from Bto A
.
The distance (P ',B') and distance (B 'J
3
') are calculated
similarly. For case 2, a similar argument shows that one of the four conditions in the
definition of deq condition holds for the reference points P and P ', and B and B ', the
successors of A and A repectively. □
Theorem 6.5:
Given the two points Pm and P'm in the previous lemma, the subtree generated from
point Pm is isomorphic to the subtree generated from point P'm .
143
Proof: The theorem can be directly proved from the previous lemma by induction on
the level of the subtree generated. □
Having shown the conditions under which two points are instances of each
other, we now present an algorithm for constructing a computation graph
equivalent to the computation tree.
ALGORITHM: (Computation Graph Construction)
1. Construct P
O,
the initial point in the computation graph, denoting the modes
that the system is in initially and the values of the state variables. Designate
P
o
as an unexpanded point.
2. Choose an unexpanded point Pm , let Pt be the immediate predecessor of Pm
if
one exists.
3. If there is a potential successor P
r




4. Otherwise, if there is another point P
n





the same components and the same event sets, and the distance equivalence








(b) Otherwise, let x b i 2,
•• •
,x* be the set of transitions that can be taken
from P
m




(2*. Add each Qt to the
graph, mark it as an unexpanded point and add an edge from the point Pm
to Qi. Mark Pm as an expanded point.
5. Repeat steps 2 through 4 until there are no unexpanded points left.
144
Lemma 6.6: The computation graph is finite.
Proof: Partition the points of the computation graph by their mode components
and event sets. For each mode, refine the partition as follows. If the smallest
deadline on any transition from the mode is «*>, then the refinement partitions the
points into classes 0 through r
,
where r is the largest delay on a transition from
the mode, according to the value of distance {P'P), where P' is the reference
point for P for the given mode component, with any value over r in the class of
r, because they all satisfy the deq condition for the component of P\ If the
smallest deadline on any transition from P
r
is finite, say d t then for each poten-
tial successor A of P ,choose the classes to be 0 through d+ l, and allocate the
points by the value of distance Further refine the partition by the values
of distance (A p ') for each A and P '. Alternatively, if the deadline on Ais finite,
then the distance (.A p ') is bounded by the sum of the two deadlines. Therefore,
this refinement also introduces only a finite number of equivalence classes.
The above partition divides the point space into a finite number of
equivalence classes, and within each class, the points pairwise satisfy the
requirements of Theorem 5, so the computation graph will contain at most one
copy of a point from each equivalence class. Therefore the graph is finite. □
6.5. Example: Railroad Crossing
In this section, a Modechart specification for a system which monitors and
controls a railroad crossing is presented. A safety assertion for the system is
proved using the approach presented here. This example is based on one that
appears in [Leveson & Stolzy 85].
145
6.5.1. Specification
Figure 6.9 illustrates a Modechart specification for a railroad crossing. The
system consists of two parallel components: a process monitoring the oncoming
trains and a controller interface to the guard gate. The monitoring process is in
one of four modes, depending on its view of the train:
APPROACH: The train is approaching, but very far from, the crossing.
BC: The train is less than a given distance, 1/2 mile, from theiv i t , il , crossing.
The monitor sends a signal to controller process to lower the gate.
CROSSING: The train is within the railroad crossing.
PASSED: The train has cleared the crossing, and the monitor
sends a signal to the controller process to raise the gate.
The controller process for the gate can be in one of the following modes:
UP: The gate is up.
MOVEDOWN: Signal is received to lower the gate, and
an action is initiated to lower the gate.
DOWN: The gate is down.
MOVEUP: Signal is received to raise the gate, and




Initially, the monitoring process is in APPROACH mode waiting for a
train and the gate is UP. As a train reaches the 1/2 mile mark, the system moves
from APPROACH to BC (before crossing) mode. Observe that there is no
lower/upper bound on when this transition is taken. After entering BC mode,
the monitoring process initiates an action to send a signal to the gate controller
to lower the gate. The delay on the transition from BC to CROSSING denotes
the minimum time that it will take for the train to reach the railroad crossing.
There is no upper bound on the transition. After the train passes, the system
moves from CROSSING to PASSED. Again, the train can take its time and
there is no timing constraint imposed on that transition. After entering PASSED
mode, the monitoring process initiates an action to send a signal to the gate con-
troller to raise the gate. Finally, the system can move from PASSED to
APPROACH after the delay of 100 to reflect that another train may be
approaching. The timing constraint on this transition indicates that there is a
minimum separation between a train that just passed and the next oncoming
train.
The controller process for the gate is initially in UP mode. When a signal
is received from the monitoring process to lower the gate (state variable
GATEUP is set to F), a transition to mode MOVEDOWN is taken. While in
MOVEDOWN, the action DOWNGATE is performed to lower the gate. Upon
completion of the action, the transition to DOWN mode is taken. When a signal
is received from the monitoring process to raise the gate (GATEUP is set to T),
a transition to mode MOVEUP is taken. While in MOVEUP, the action
UPGATE is done to move the gate up. Upon completion of the action, the tran-
sition to UP mode is taken. While executing the action Upgate in mode
MOVEUP, if another signal is received to lower the gate, the action is aborted
and a transition to mode MOVEDOWN is taken.
148
6.5.2. Safety assertion
In the above example, the system is unsafe if a train can cross while the
gate is up. Hence, a safety assertion for the above system requires that the gate
must be down while a train is crossing. Figure 6.10.
Safety Assertion in RTL:
FIGURE 6.10
6.5.3. Verification
Figure 6.11 illustrates the computation graph for the railroad crossing sys-
tem. The unreachable points (vertices) are shown to be unreachable by applying
Lemma 6.3. One edge in the graph is of particular interest because it illustrates
how deq condition and Lemma 5 are used. Consider the edge labelled a in the
Figure 6.11. It is a backward edge to vertex P,-. Observe that it was not neces-
sary to create the point P\ because P't - is an instance of P (- by
Lemma 5. The
mode components of P, and Pare the same, and the event set for each point is
{GATEUP:=F}. Furthermore, the corresponding reference points at P, and P'
t
satisfy the deq condition. Therefore, Lemma 5 guarantees that the subtree
below Pi is isomorphic to the subtree below P'
z
.
A similar argument produces
the edge labelled p.
Vi3j @((DOWN;=T)J) < @((CROSSING:=T),i) A @((CROSSING:=F),i) < @((DOWN:=F),j)
FIGURE 11.
150
An examination of the graph shows how the safety property holds for the
system. The point at which the system enters the mode CROSSING is preceded
by a point at which the system enters the DOWN mode. Furthermore, it
remains in DOWN mode even after the transition from the mode CROSSING to
PASSED is taken.
6.6. Decidable Classes of Timing Properties
In the preceding section, we described the construction of a computation
graph which represents the computations of a system specified in Modechart.
The objective of this section is to introduce two classes of timing properties
expressed in RTL. For each class, we shall present decision procedures for
determining whether a given computation graph satisfies a property in the class.
6.6.1. Preliminary Definitions
The RTL subclasses to be described later in this section include properties




where e 2 and e 2 are occurrence
function applications, and I is an integer con-
stant. The subclasses are surprisingly expressive and include the following pro-
perties:
• mutual exclusion of actions,
• mutual exclusion of modes.





• minimum separation of consecutive occurrences of an event,
• maximum separation of consecutive occurrences of an event,
• minimum separation of two distinct events,
• occurrences of an event within I units of another event.
The two subclasses and the corresponding verification procedures are described
151
in terms of intervals and endpoints. Informally, an endpoint is an occurrence
function application, i.e., the time of occurrence of an event. An interval is
denoted by two related endpoints.
Definition: An endpoint is defined to be an application of an occurrence func-
tion of the form
where E is an event, i is an integer variable, and c is a non-negative integer.
Definition: Two endpoints are related if both contain the same integer variable
in the occurrence index of their respective
’
function applications.
For example, @(E hj) and @{E2,j+2) are related endpoints, but @(sLA,j)
and ) are not related.
Definition: An interval consists of two endpoints of the form
where E
!
and E 2 are events, i is an integer variable, and c t and c 2 are non-
negative integer constants. Two endpoints denoting an interval are by definition
related.
RTL inequalities are employed to describe the relationship between the
endpoints of an interval or the relationship between endpoints of distinct inter-
vals. For instance.
are two endpoints defining an interval, and the inequality @((M:=T),i) + 100 <
@((M:=T),i+l) denotes that the successive occurrences of entering mode M
must be at least 100 time units apart. Similarly, the RTL formula
expresses the mutual exclusion relationship between the interval denoted by
@(TA,i) and @(iA,i) and the interval denoted by @(TB,j) and @(iß,j), i.e.,
mutual exclusion of actions A and B.
@{E ,i±c )
@(E hi±c 2), and
@{E 2,i±c 2)
@((M:=T),i) and @((M:=T),i+l)
Vi Vj @(iA,i)<@(tß,j) v @(iß,j)<@(tA,i)
152
The two classes of timing properties to be described shortly are defined in
terms of endpoints and intervals. Suppose we are given a computation graph
and two endpoints @(£ lti) and @(£ 2,i) whose relationship is to be verified with
respect to the graph. If each cycle in the graph is labeled with the same number
of E
i
and E 2 events, then by designating a point in the graph containing E j as
representing the zth occurrence of £], the point representing the z th occurrence
of E 2 follows in a bounded number of iterations of cycles of the graph. The
number of iterations must reflect both the number of additional occurrences of
E
i
before the cycle is entered, as well as the difference in the constants. How-
ever, if a cycle is labeled with different number of E { and E 2 events, then the
z th occurrence of E i is potentially a number of cycles from the ith occurrence
of £
2
that is bounded by a function of i .
Definition: Suppose G is a computation graph, @(£ 1,1 ±c i) and @(£ 2,z±c 2) are
related endpoints. A cycle in G is said to preserve the endpoints if the number
of vertices in the cycle labeled with £ i is the same as the number of vertices
labeled with £
2.
The graph is said to preserve an RTL formula if each cycle in
the graph preserves each set of related endpoints in the formula.
In the remainder of this paper, we are interested in the RTL formulas
which are preserved by a given computation graph. This does not appear to be a
very restrictive condition. It is trivially true that when £ i and £ 2 are the same
in the above definition, a computation graph preserves the endpoints. Further-
more, when £j and £ 2 are the entry and exit events for the same mode, the
related endpoints containing £ i and £ 2 are preserved by a computation graph of
a Modechart specification. The same holds when E x and £2 denote transition
events for a state variable, or when they are the start and stop events for an
action. Hence, for the above cases, it is trivial to check if each set of related
points in an RTL formula are preserved by a computation graph. However,
when two related points do not fit in the above cases, the check for the condition
can be performed in polynomial time. The remaining subsections introduce two
153
subclasses of timing properties expressed in RTL for which one can decide if a
computation graph satisfies the property.
6.6.2. Class 1: Minimum/Maximum Separation of Related Endpoints
In this subsection we are concerned with a class of timing properties which
specify the relative and absolute ordering of related endpoints. The class con-
sists of the RTL formulas of the form Q F where Q is either Vi or 3*, and Fis
a quantifier free formula such that each inequality in F is of the form
where e x and e 2 are related endpoints, and / is a natural number. Observe that
the endpoints in F are related because the same variable (plus/minus an integer
offset) appears as the occurrence index in each endpoint. For example, the fol-
lowing formula states that two successive entries to the mode M are either 100
time units apart or within 50 time units of each other:
As a different example, consider a formula specifying that an instance of action
A is performed once each time the system is in mode M;
Each inequality in a formula of class 1 can be rewritten as one of two
forms
The first inequality specifies a maximum separation of I on the two endpoints,
and the second inequality imposes a minimum separation of / on the endpoints.
Suppose G is a computation graph and F is a class 1 RTL formula which is
preserved by G. The objective is to determine if every computation in the graph
G satisfies the timing property expressed in the formula F. Since F has one
ei
± I < e 2
Vi @((M:=T),i) + 100 < @((M:=T),i+l) v @((M:=T),i+l) < @((M:=T),i) + 50
Vi @((M;=T),i)<@(tA,i) A @(iA,i) S @((M:=F)j)
ei-e 2 <l (1)
I <e
2 -e { (2)
154
quantifier, all the endpoints in the formula form one set S of related endpoints
which are preserved by every cycle in G:
where i is the occurrence index variable quantified by a V or 3» and n is the
number of endpoints in F. As mentioned in subsection 8.1. if we take a point P
in G labeled with an event E
}
(for some l<j<n) to mean the ith occurrence of
Ej, then all the corresponding end points in F (if any exist) can be located by
unrolling each cycle in G a constant number of times. For each inequality in F,
if it is of form (1), we find the maximum distance between the two points in the
unrolled graph and assign a truth value to the inequality. Otherwise, the ine-
quality is of form (2). Hence, we find the minimum distance between the two
points in the unrolled graph and assign a truth value to the inequality. In this
manner, a truth value can be obtained for F. However, this truth value applies to
all of the occurrences (perhaps infinitely many) corresponding to the point P in
the graph.
If the formula F is quantified by aV, then the above procedure must be
repeated for each point in the graph G which is labeled with the event Ej. A
true assignment to the formula F in each case is necessary to conclude that
every computation in G satisfies F. However, if Fis quantified by a 3» then it is
necessary to show that F is assigned true for at least one application of the pro-
cedure to a point labeled with the event Ej.
6.6.3. Class 2: Exclusion/Inclusion of Interval and Endpoints
In this subsection we are concerned with a class of timing properties
describing exclusion/inclusion of an endpoint or an interval with respect to
another interval. The timing properties in this class can be expressed as RTL
inequalities relating the endpoints of an interval to the endpoints of another
interval. Hence, the RTL formulas specifying the properties in this class have
two quantifiers, one for each interval. Recall that an endpoint was defined in
S = { @{E ui+ci),@(E 2,i+c 2),..., @{En ,i+cn ) }
155
subsection 8.1. to be of the form @(E,i±c). We extend that definition to
include an integer offset /:
The properties in this class can be in two general forms. Suppose e i and e 2
are the endpoints of an interval a and e 3 and e 4 are the endpoints of a second
interval (3. The first form specifies the inclusion of one interval inside the other:
(1)
where Q is a prefix of two quantifiers on the occurrence index variables for the
intervals. For instance, the following RTL formula states that each stay in mode
M contains some execution of action A which starts at least 100 time units after
entering the mode:
The second form specifies the exclusion of one interval from the other:
For instance, the following formula specifies the mutual exclusion of two
actions A and B:
Given a computation graph G and a RTL formula F specifying a timing
property
in class 2, the objective is to determine if every computation in G
satisfies F. We identify five cases for the inclusion property shown in form (1).
In each of the cases below, i is the occurrence index variable for the endpoints
e
!
and e 2 (interval a), and j is the variable for the endpoints e 3 and e 4 (interval
P).
This case specifies that every instance of interval a contains some instance
@(E,i±c) ± I
Q e[<« 3 A e 4 <« 2
Vi3j @((M:=T),i) + 100 < @(TA,j) a @(U,j) <@((M:=F),i)
Q e 4 <e 1
v e 2 <e 3 (2)








of interval p. The above formula is verified by checking each appearance
of interval a in G for the existence of interval p.
This case specifies that every instance of interval a is contained in some
instance of interval (3. The above formula is verified by first locating an
appearance of interval a in G, then checking if an instance interval (3 sur-
rounds it. Observe that only a finite number of instances of (3 needs to be
checked because there can be only a finite number of pairs of points in the
graph labeled with the events in e 3 and e 4 such that it encloses the points
corresponding to each appearance of a. The above procedure must be
repeated for each appearance of interval a in graph G.
This case specifies that some instance of interval a contains some instance
of interval (3.
This case specifies that some instance of interval a contains every instance
of interval p.
This case specifies that some instance of interval a is contained in every
instance of interval p.
Similarly, we identify four cases for the exclusion property shown in form
(2). In each of the cases below, i is the occurrence index variable for the end-
points e i and e 2 (interval a), and j is the variable for
the endpoints e 3 and e 4
(interval p).
This case specifies that every instance of interval a is mutually exclusive
with every instance of p. Cases 2b-2d are defined similarly below.
(lb)Vi3j e A e 2 <e 4
(Ic)3i3j e \- e 3 A £ 4 —e 2
(Id)3iVj A e 4 <^2
(le)3iVj e■s —e \ A e 2 <e 4
(2a)ViVj e 4 <e 1 v e 2^e3
157
The two classes of timing properties above obviously do not include all the
properties which one may wish to specify about a Modechart system. For exam-
ple, the following properties cannot be expressed in either of the above classes:
• Each instance of an interval a contains an instance of interval (3 or an
instance of interval y.
• The three intervals a, p, and yeach contain the next in the list.
For both properties, alternative decision procedures can be developed to verify
the properties with respect to a graph. An area of continuing research is the
discovery of other decidable classes of timing properties.
6.7. Concluding Remarks
The verification technique proposed in this chapter requires the construc-
tion of a transition graph for a given Modechart specification. System properties
are proved using the transition graph and the corresponding RTL formulas.
Although timing constraints are used to discard unreachable vertices, construct-
ing the entire transition graph suffers from the same drawbacks as similar tech-
niques based on reachability analysis. In particular, it is impractical to generate
the entire graph for a complex Modechart specification. A natural extension of
the proposed approach is to investigate the verification of properties by con-
structing a partial graph.
(2b)3i3j £4 v€ 2
(2c) Vi 3j e4< e i v e 3
(2d)3iVj v e 2
Chapter 7
Concluding Remarks and Future Research
The focus of this work has been on the modeling and verification of timing
properties in Real-Time Systems. The approach is based on two languages:
Real Time Logic, which is especially suitable for the specification of the relative
and absolute timing of events, and Modechart, a high-level specification
language for real-time systems. When a system specification and a timing pro-
perty are expressed as RTL formulas, the verification is performed by showing
that the property is a theorem derivable from the specification. Alternatively, a
Modechart specification is shown to satisfy a timing property expressed in RTL
by constructing a graph which denotes the computations of the system; then the
property is checked to be satisfied by every computation in the transition graph.
On the subject of the verification of timing properties of Modechart
Specifications, two immediate extensions of this work come to mind. One way
of extending this work is to explore other classes of timing properties for which
decidability can be obtained. Another way to extend this work is by investigat-
ing the verification of properties by generating partial transition graphs.
Although timing constraints are used to discard unreachable vertices, building
the entire transition graph suffers from the same drawbacks as similar tech-
niques based on reachability analysis. This makes it impractical to generate the
entire graph for a complex Modechart specification.
Other avenues of future research relate to the logic introduced in this work.
Since fault-tolerance is an important requirement in many time-critical systems,
it is relevant to examine the suitability of Real Time Logic for modeling fault-
tolerant systems. An alternative direction for future research would be to con-






M.W. Alford, “A Requirements Engineering Methodology for Real-Time Pro-
cessing Requirements,” lEEE Trans, on Software Engineering SE-3(l)(Jan.
1977).
[Bernstein & Harter 81].
A. Bernstein and P.K. Harter, ‘‘Proving Real-Time Properties of Programs with
Temporal Logic,” Proc. Bth Symposium on Operating System Principles, ACM
SIGOPS
, pp. 1-11 (1981).
[Bledsoe 74].
W.W. Bledsoe, ‘‘The SUP-INF Method in Presburger Arithmetic,” ATP-18,
Dept, of Math., University of Texas at Austin, Austin, Texas (Dec. 1974).
[Bledsoe & Hines 80].
W.W. Bledsoe and L.M. Hines, ‘‘Variable Elimination and Chaining in a
Resolution-based Prover for Inequalities,” pp. 70-87 in sth Conf. on Automated
Deduction: Lecture Notes in Computer Science
,
ed. R. Kowalski,Springer-
Verlag, New York, N.Y. (1980).
[Bledsoe el al 81].
W.W. Bledsoe, R. Neveln, and R. Shostak, ‘‘Some Completeness Results for a
Class of Inequality Provers,” ATP-60, University of Texas, Austin, Texas
(March 1981).
[Bundy 83].
A. Bundy, The Computer Modelling of Mathematical Reasoning, Academic
Press, London (1983).
[Chang & Lee 73].
C. Chang and R.C. Lee, Symbolic Logic and Mechanical Theorem Proving,
Academic Press, New York, N.Y. (1973).
[Cooper 71].
D.C. Cooper, ‘‘Programs for Mechanical Program Verification,” in Machine
Intelligence 6, ed. D. Michie,Edinburgh Univ. Press, Edinburgh (1971).
160
[Cooper 72].
D.C. Cooper, “Theorem Proving in Arithmetic without Multiplication,” in
Machine Intelligence 7, ed. D. Michie,Edinburgh Univ. Press, Edinburgh
(1972).
[Dasarathy 85].
B. Dasarathy, “Timing Constraints of Real-Time Systems: Constructs for Ex-
pressing Them, Methods of Validating Them,” lEEE Transactions on Software
Engineering SE-ll(l)(Jan. 1985).
[Davis & Vick 77].
C.G. Davis and C.R. Vick, “The Software Development System,” lEEE Trans.
on Software Engineering SE-3(1) pp. 69-84 (Jan. 1977).
[Downey 72].
Peter J. Downey, “Undecidabilily of Presburgcr Arith. with a Single Monadic
Predicate Letter,” Center for Research in Computing Technology 18-72, Har-
vard University (1972).
[Hard 86].
D. Hard, “Statccharts: A Visual Formalism for Complex Systems,” The
Weizmann Institute of Sci. Tech. Report, Israel (July 1986). (also in Science
of Programming 8, 1987)
[Hard et al 87].
D. Hard, A. Pnudi, J.P. Schmidt, and R. Sherman, “On the Formal Semantics
of Statccharts,” Proc. 2nd Symp. on Logic in Computer Science, pp. 54-64
(June 1987).
[Hcninger 80].
K.L. Heninger, “Specifying Software Requirements for Complex Systems;
New Techniques and their Application,” lEEE Transactions on Software En-
gineering, SE-6(1) pp. 2-13 (Jan. 1980).
[Jahanian & Mok 86bJ.
F. Jahanian and A.K. Mok, “A Graph-Theoretic Approach for Timing Analysis
in Real Time Logic,” Proc. of Real-Time Systems Symposium, pp. 98-108
(Dec. 1986).
161
[Jahanian & Mok 86a].
F. Jahanian and A.K. Mok, “Safety Analysis of Timing Properties in Real-
Time Systems,” lEEE Transactions on Software Engineering SE- 12(9) pp.
890-904 (Sept. 1986).
[Jahanian & Mok 87].
F. Jahanian and A.K. Mok, “A Graph-Theoretic Approach for Timing Analysis
and its Implementation,” lEEE Transactions on Computers C-36(8) pp. 961-
975 (August 1987).
[Jahanian et al 88a].
F. Jahanian, A. Mok, and D. Stuart, “Formal Specification of Real-Time Sys-
tems,” Department of Computer Sciences, TR-88-25, University of Texas at
Austin (June 1988).
[Jahanian & Mok 88].
F. Jahanian and A.K. Mok, “Modechart: A Specification Language for Real-
Time Systems,” to appear in lEEE Transactions on Software Engineering,
(1988).
[Jahanian et al 88b].
F. Jahanian, R.S. Lee, and A.K. Mok, “Semantics of Modechart in Real Time
Logic,” Proc. 21st Hawaii International Conference on System Sciences , (Jan.
1988.).
[Jain & Lam].
P. Jain and S.S. Lam, “Modeling and Verification of Real-Time Protocols for
Broadcast Networks,” lEEE Trans, on Software Engineering, pp. 924-37 (Au-
gust, 1987).
[Lamport 83].
L. Lamport, “What Good is Temporal Logic?,” pp. 657-668 in Proceeding of
IFIP, Information Processing, ed. R.E.A. Mason„North-Holland (1983).
[Lawler 76].
E.L. Lawler, Combinatorial Optimization: Networks and Matroids, Holt,
Rinehart and Winston, New York, N.Y. (1976).
[Leveson & Stolzy 85].
162
N. G. Leveson and J. L. Slolzy, “Analyzing Safety and Fault Tolerance Using
Time Petri Nets,” TAPSOFT: Joint Conference on Theory and Practice of
Software Development, Springer Vcrlag, (March 1985).
[Luqi & Berzins 87].
Luqi and V. Berzins, “Rapid Prototyping of Real-Time Systems,’’ Computer
Science Dept. Tech. Report 87-5, Naval Postgraduate School, Monterey, Cal-
if. (1987).
[Lusk et al 82a].
E.L. Lusk, W. McCunc, and R.A. Ovcrbcek, “Logic Machine Architecture:
Inference Mechanism,’’ pp. 85-108 in Proc. of the Sixth Conf on Automated
Deduction: Lecture Notes in Computer Science, Vol. 138, ed. E.W.
Lovcland,Springer-Verlog, New York, N.Y. (1982).
[Lusk ct al 82b].
E.L. Lusk, W. McCunc, and R.A. Ovcrbcek, “Logic Machine Architecture:
Kernel Functions,’’ pp. 70-84 in Proc. of the Sixth Conf on Automated Deduc-
tion: Lecture Notes in Computer Science, Vol. 138, cd. E.W.
Lovcland,Springcr-Vcrlog, New York, N.Y. (1982).
[Merlin & Farber 76J.
P.M. Merlin and D.J. Farbar, “Recoverability of Communication Protocols-
Implications of a Theoretical Study,’’ lEEE Trans, on Communications, pp.
1036-43 (Sept. 1976).
[Mok 1983].
A.K. Mok, “Fundamental Design Problems of Distributed Systems for the
Hard Real-Time Environment,’’ Ph.D. Disscrtaion, MIT, Boston, Mass (May,
1983).
[Mok 85J.
A.K. Mok, “SARTOR-a Design Environment for Real-Time Systems,’’ Proc.
9th lEEE COMPSAC, pp. 174-181 (Oct. 1985).
[Ostroff 87].
J. S. Ostroff, “Real-time Computer Control of Discrete Event Systems
Modelled by Extended Slate Machines: a Temporal Logic Approach,’’ Ph.D.
Dissertation, Department of Electrical Engineering, University of Toronto,
163
Toronto, Canada (January, 1987).
[Ostroff & Wonham 87].
J. S. Ostroff and W. M. Wonham, “Modelling, Specifying and Verifying Real-
time Embedded Computer Systems,” Proceedings of the Real Time Systems
Symposium, pp. 124-32 (December, 1987).
[Pamas et al 78].
D. Pamas, K.L. Hcningcr, J.W. Kallandcr, and J.E. Shore, “Software Require-
ments for the A-7E Aircraft,” NRL memorandum report 3876, Washington,
D.C. (Nov. 1978).
[Ramchandani 74].
C. Ramchandani, “Analysis of Asynchronous Concurrent Systems by Timed
Petri Nets,” TR 120, Project MAC, MIT (Feb. 1974).
[Razouk & Phelps 84].
R.R. Razouk and C.V. Phelps, “Performance Analysis of Timed Petri Nets,”
Proc. of 4th International Workshop on Protocol Spec, Verf and Testing, (June
1984).
[Sahni 85].
S. Salmi, Concepts in Discrete Mathematics, Second Edition, Camclot, Fridley,
Minnesota (1985).
[Schwartz et al 83].
R.L. Schwartz, M. Mclliar-Smith, and F.H. Vogt, “An Interval Logic for
Higher-Level Temporal Reasoning,” Proc. Second Annual ACM Symposium on
Principles ofDistributed Computing, pp. 173-185 (1983).
[Shankar & Lam 86].
A.U. Shankar and S.S. Lam, “Time-Dependent Distributed Systems: Proving
Safety, Liveness and Real-Time Properties,” Tech. Report TR-85-24 (revised),,
Computer Science Department, Univ. of Texas, Austin, Texas (Oct. 1986).
[Shostak 77].
R.E. Shostak, “On the SUP-INF Method for Proving Prcsburgcr Formulas,”
JACM, 24(4) pp. 529-543 (Oct. 1977).
164
[Shostak 79].
R.E. Shostak, “A Practical Decision Procedure for Arithmetic with Function
Symbols,” JACM, 26(2) pp. 350-361 (April 1979).
[Wos et al 84].
L. Wos, R. Overbeek, E. Lusk, and J. Boyle, Automated Reasoning, Prentice-
Hall, Englewood Cliffs, N.J. (1984).
[Zave 85].
P. Zave, ‘‘A Distributed Alternative to Finite-State-Machine Specifications,”
ACM Trans. Prog. Lang. Syst. 7 pp. 10-36 (1985).
[Zuberek 1980].
W.M. Zuberek, “Timed Petri Net and Preliminary Performance Eveluation,”
7th Annual Symposium on Computer Architecture, pp. 88-96 (1980).
The vita has been removed from the digitized version of this document.
