Real-time systems refinement : application to the verification of web services by Fares, Elie
&OWVFEFMPCUFOUJPOEV
%0$503"5%&-6/*7&34*5²%&506-064&
%ÏMJWSÏQBS
 
1SÏTFOUÏFFUTPVUFOVFQBS 
5JUSF
²DPMF EPDUPSBMF et discipline ou spécialité 
6OJUÏEFSFDIFSDIF
%JSFDUFVS	T
EFʾÒTF
                                             Jury  :

5)µ4&
le
Université Toulouse 3 Paul Sabatier (UT3 Paul Sabatier)
Elie FARES
mardi 12 mars 2013
Real-Time Systems Refinement
Application to the Verification of Web Services
ED MITT : Domaine STIC : Sureté de logiciel et calcul de haute performance
Institut de Recherche en Informatique de Toulouse (IRIT)
- M. Hassan Mountassir, Université de Franche-Comté - Rapporteur
- M. Pascal Poizat, Université Paris Ouest - Rapporteur
- M. Yamine Ait-Ameur, INP, Université de Toulouse - Examinateur
- M. Christian Attiogbé, Université de Nantes - Examinateur
- M. Jean Paul Bodeveix, UPS, Université de Toulouse - Directeur de thèse
- M. Mamoun Filali-Amine, CNRS, Université de Toulouse - CoDirecteur
- M. Jean-Paul BODEVEIX
- M. Mamoun FILALI

To all who supported me

Thanks
This is a life where we meet so many people. Some people may come
and go, but others will stay with us forever. In these last four years, even
though I spent most of my time in a small office, I came to meet and know
certain people who I would like to thank in this note.
I would like at first to thank my advisors, Jean-Paul Bodeveix and
Mamoun Filali with whom I took my first steps in the research world
during my Masters 2 Internship. Our work together is now crowned with
the end of my PhD in which their advices, help, availability and devotion
made this quest possible. For this I am and will be always grateful.
I would like also to thank Hassan Mountassir, Pascal Poizat, Yamine
Ait-Ameur and Christian Attiogbé for accepting to be my on jury board.
Special thanks especially to Hassan Mountassir and Pascal Poizat for their
reports. Their remarks have surely made this work even better.
A thank you to Antoine Leger, the coordinator of the ITEmIS project in
which I have participated. I thank him for his patience during the dead-
lines and his constant motivation towards reaching the goals of the project.
I have shared a good professional experience with Antoine.
A big thank you from the heart to my family, father, mother and
brother for believing in me and pushing me forward towards reaching
my dreams. I am blessed for their presence in my life.
I also thank my girl-friend Karen, who has been with me, hand in
hand, all the time. She knew how to deal with the ups and downs of my
PhD. Karen gave me the strength I needed to finish my PhD.
I finally thank all my friends, IRIT colleagues and especially the
ACADIE team members, Bertrand, Petra, Pascal, Selma, Iulia, Nadia,
Manuel... . Things would not have been the same without them. I thank
Jean-Baptiste as well for the recent conversations concerning my future
career.
Last but not least, I thank God, the one who was pulling the strings all
the way.

Chapter
Résumé
Aujourd’hui, et avec la rapidité des progrès technologiques à laquelle nous
assistons, nous pouvons dire que nous nous seront bientôt gouvernés par
des machines. Peut-être pas comme dans le film terminator, mais par notre
dépendance dans la vie quotidienne à l’égard du bon fonctionnement des
systèmes automatisés. Ces systèmes sont de plus en plus complexes et
sont utilisés dans de nombreux domaines tels que les télécommunications,
l’avionique, de l’automobile, l’aérospatial, le ferroviaire, le médical, la fi-
nance, les services Web et d’autres domaines connexes. Par conséquent,
un degré élevé de sécurité de ces systèmes est devenu une condition in-
dispensable à leurs bon fonctionnement.
En fait, les défaillances logicielles peuvent entraîner des pertes et
dégâts importants que ce soit financieres ou alors de vies humaines. Selon
Computerworld WASHINGTON dans un rapport qui remonte à 2002, "les
defaillances logiciels coûtent à l’économie américaine environ 59,5 milliards de
dollars chaque année, dont plus de la moitié du coût supporté par les utilisateurs
finaux et le reste par les développeurs et les fournisseurs".
Plusieurs événements dans le passé ont montré la multitude de dégâts
que les erreurs logicielles peuvent provoquer. Dans certains cas, les dom-
mages ont été décrits comme catastrophiques.
Rappelons-nous la panne bien connue de Northeast en 2003, où une
panne d’électricité massive s’est produit le 14 Août 2003 et a laissé de
vastes régions du nord-est et du Midwest des États-Unis et de l’Ontario au
Canada sans courant. En raison d’une erreur de programmation, de mul-
tiples systèmes ont tenté d’accéder simultanément aux mêmes informa-
tions. Ce chaos a provoqué un dysfonctionnement de l’alarme par lequel
le logiciel en question a envoyé un signal d’occupation à tous les sys-
tèmes. Cette bévue technologique coûteuse a conduit à une file d’attente
d’événements non traités et par conséquent a ralenti la performance qui
ensuite a causé le problème. En conséquence, les pertes ont été d’environ
7 à 10 milliards de dollars.
Un autre exemple notoire est le crash d’Ariane 5, le lanceur européen
de satellites dont l’Agence spatiale européenne a passé dix années à créer
avec un coût total de huit milliards de dollars. Le but ultime d’Ariane 5
devait donner à l’Europe un rôle pionnier dans le domaine de l’espace.
Malheureusement, le 4 Juin 1996, Ariane 5 a explosé dans le ciel de Gui-
enna française seulement 36,7 secondes après son lancement. L’accident
a été le résultat d’une conversion 64 bits à virgule flottante en un entier
16 bits. En effet, le nombre était trop grand et a entraîné une erreur de
débordement qui a bloqué les ordinateurs principaux et de sauvegarde.
Les pertes ont été de 3650 jours de travail ainsi que de 500 millions de
dollars en coûts de satellites et de 8 milliards de dollars de coûts de pro-
duction.
Tous ces événements regrettables qui ont causé d’immenses pertes de
temps, de travail, de vie humaine, d’argents, sont une preuve qu’il est
très important d’avoir une phase de vérification et de validation des sys-
tèmes critiques avant leur mise en oeuvre définitive dans le monde réel.
Afin de remplir cette obligation impérative, les méthodes formelles ont été
proposées.
0.1 Méthodes Formelles
Les méthodes formelles sont des techniques, languages et outils basés sur
les mathématiques qui sont utilisés pour la spécification et la vérification
des logiciels informatiques et du matériel. Les méthodes formelles sont
utilisées pour donner une garantie elevée de la spécification d’un système.
Cela augmente la confiance en son bon fonctionnement en révélant les
bugs qui pourraient autrement passer inaperçus.
0.1.1 Spécification des Systèmes
Les méthodes formelles peuvent être utilisées dans la phase de spécifica-
tion du système lorsque les exigences d’un système sont décrits.
Une spécification est un modèle formel qui représente les éléments sta-
tiques et dynamiques d’un système. Les aspects statiques sont représentés
par des états alors que les aspects dynamiques sont représentés par des
actions (transitions entre les différents états). Les réseaux de Petri [91],
CSP [96], CCS [83] et la Méthode-B [7] sont tous des exemples de lan-
gages de spécification formelle à base de modèles.
0.1.2 Vérification des Systèmes
Une fois une spécification formelle du système donnée, la spécifica-
tion peut être validée par la preuve de certaines propriétés. Plusieurs
techniques de vérification existent, qui varient entre des techniques au-
tomatiques ou des techniques manuelles. Les techniques de vérification
du système se répartissent en quatre catégories générales: la preuve de
théorèmes, le model checking, l’interprétation abstraite et le test de logi-
ciels.
La preuve de théorèmes consiste à prouver la satisfaction des pro-
priétés sur les systèmes au moyen de règles d’inférence et d’induction.
Bien que certaines de ces preuves soient manuelles, les autres sont soit au-
tomatique ou interactive. Il existe plusieurs outils qui offrent la possibilité
de développer des preuves automatiques ou interactives. Dans un outil de
preuves automatisé, une preuve automatique peut être construite à par-
tir d’une description du système, un ensemble d’axiomes logiques, et un
ensemble de règles d’inférences. Des exemples de ces outils sont les Sat-
isfiability Modulo Théories (Solveurs SMT) [46] (comme STP [51]) où le
viii
problème est de déterminer si une formule logique peut être satisfaite sur
une combinaison de théories exprimée en logique du premier ordre avec
égalité. Contrairement à une preuve automatique, un outil de preuve in-
teractive nécessite généralement une intervention humaine. Des exemples
de ces outils sont Coq [102], Isabelle [88] et B etc.
Une deuxième technique de vérification est l’interprétation abstraite.
L’interprétation abstraite [42] a été fondée par Patrick Cousot et Radhia
Cousot vers la fin des années 1970. C’est une méthode qui repose sur le
remplacement d’un domaine infini de valeurs concrètes d’un système par
un certain nombre de domaines abstraits finis où les opérations initiales
( concrétes) sont redéfinis. Des propriétés, telles que les bornes des inter-
valles et l’absence d’accès à des pointeurs nuls, sont ensuite vérifiées sur
le modèle abstrait.
Une autre technique consiste en des tests de logiciels. Le test de logi-
ciel est le processus de l’exécution du code réel d’un programme en spé-
cifiant ses paramètres et en vérifiant si il se comporte correctement. Le
test permet une vérification de la conformité du système par rapport à sa
définition et à examiner si le logiciel répond aux exigences. Le problème
de cette technique est la nécessité de générer des cas de tests suffisants
afin d’avoir une plus grande confiance dans le produit. Toutefois, étant
donné le nombre de cas de test tend à être infini, les tests peuvent pas
être exhaustive (au contraire du model checking: voir ci-dessous). Ainsi,
en faisant du test, on ne peut pas prouver qu’un produit se comporte cor-
rectement dans toutes les conditions, mais plutôt on peut démontrer qu’il
se comporte correctement sous certaines conditions.
Model checking
Le model checking est une technique de preuve automatisée dans lequel
une propriété est vérifiée par rapport à un système à l’aide d’une
recherche exhaustive de tous les états possibles d’une exécution du sys-
tème. Formellement, le model checking se réfère au problème suivant:
étant donné un modèle de système M et une propriété ϕ, nous examinons
si la véracité de la propriété suivante lue comme M satisfait ϕ, ou aussi
comme M est un modèle de ϕ.
M |= ϕ
Le modèle est généralement une abstraction du système écrit dans
un formalisme basé sur les systèmes de transitions tandis que les pro-
priétés sont des propriétés logiques écrites dans LTL [79] ou CTL [40]. La
vérification d’une propriété sur le système s’effectue via les algorithmes
d’exploration du model checking. Les premiers algorithmes proposés sont
ceux de [40] et [94].
Les avantages de la technique du model checking est qu’elle est en-
tièrement automatique et puisqu’elle s’agit d’une vérification exhaustive,
elle garantie un degré élevé de confiance par rapport aux propriétés satis-
faites. Un autre avantage du model checking est que dans le cas de non-
satisfaction d’une propriété, un contre-exemple est également donné.
Cependant, l’inconvénient principal du model checking est que son
application est limitée aux petits modèles. La vérification de modèle
souffre d’explosion combinatoire. Afin de combattre cet inconvénient,
plusieurs solutions ont été proposées. Ces solutions se basent principale-
ment sur quatre techniques. Les premières solutions sont des techniques
d’abstraction [41] qui visent à réduire la taille du modèle. Les secondes
sont des techniques de réduction d’ordre partiel [89] qui visent à réduire
la taille de l’espace d’état recherché par l’algorithme du model checking.
La troisième technique est celle de la vérification modulaire, où l’idée con-
siste à décomposer le système en sous-composants et de vérifier à part
chacun des sous-composant. Enfin, la quatrième technique est celle du
raffinement qui vise à construire un modèle d’une façon progressive et
incrémentale.
Un outil qui implémente la technique du model checking est appelé
un model checker. Comme exemples de model checkers, nous pouvons citer
le model checker Spin [62] pour les modèles de systèmes de transitions,
Tina [20] pour les reséaux de Petri Temporisés et Uppaal [73] pour les
automates temporisés.
0.2 Contexte et Problèmatique
Le contexte de ce travail de thèse est le projet ANR itemis [2]. Ce projet vise
à faciliter l’évolution du monde d’aujourd’hui de logiciels embarqués et de
services informatiques vers un monde des services intégrés de façon trans-
parente. Cette transition définit une nouvelle génération d’architectures
orientées services (SOA) qui permet l’integration des systèmes IT et des
systèmes embarqués. Ainsi, trois grands axes sont considérés à cet effet
et ce sont les axes de services d’infrastructure, de l’entreprise, et de la
vérification formelle. L’axe de vérification formelle aborde l’assurance de
bout en bout la qualité de service et de l’exactitude de la vérification des
modèles d’exécution.
Dans ce contexte, le travail nécessaire consistait à la vérification de
modèles BPEL via une transformation à un langage de spécification
formelle, FIACRE qui est un langage de spécification temps-réel. Les ré-
sultats de cette transformation (modèles FIACRE) peuvent être utilisés
soit pour donner une sémantique formelle pour BPEL permettant ainsi
l’analyse des constructions BPEL, ou à des fins de vérification (model-
checking de propriétés logiques). Cependant, même si la vérification de
modèle peut être envisagée pour les petits modèles BPEL (modèles FI-
ACRE après la transformation), la vérification des modèles de grandes
tailles n’est pas raisonnable. Le problème devait donc être abordé dif-
féremment, notamment en considérant la développement incrémental de
modèles FIACRE. Cela a conduit à l’étude du raffinement de systèmes
temporisés.
La méthode adoptée dans ce document est montré dans la figure 1.1.
La première étape est la transformation de BPEL vers FIACRE. Le ré-
sultat de cette transformation est ensuite abstrait (système abstrait) avant
d’être vérifié. L’implémentation effective (système concret) du résultat de
la transformation. On vérifie ensuite le raffinement entre le système con-
cret et le système abstrait.
x
Abstraction
Concrete
Observers
μ-calcul prop
     Refinement           Test
 
 
bpel2fcr
 
BPEL
LTL prop
    Diagnosis
 
FIACRE
Abstraction
Figure 1 – Overall Description
0.3 Raffinement de Systèmes Temps Réels
Commençons par définir les systèmes temporisés d’une manière générale
avant de définir d’une manière précise le modèle qu’on considère dans
cette thèse.
0.3.1 Systèmes Temporisés
Même si les modèles classiques tels que les systèmes de transition et les
réseaux de Petri peuvent exprimer le comportement d’un système, ils ne
peuvent pas exprimer ses contraintes temps-réel. Cependant, le temps est
une contrainte naturelle qui est explicitement présent presque partout. Des
exemples de contraintes de temps peuvent être des temps d’exécution, des
délais d’attente, des temps réponse, etc. Afin de répondre à ces exigences,
les systèmes temporisés ont été créés afin de capturer des contraintes tem-
porelles qui peuvent contrôler ou modifier le comportement d’un système.
Donc, plusieurs modèles et logiques ont été étendus par des notions de
temps.
La la plupart des travaux tournent autour les automates temporises,
qui est l’un des modeles les plus étudiés pour les systèmes temporises. Les
résultats les plus intéressants sur les automates temporises sont sans doute
la décidabilité les propriétés d’accessibilité [15] aussi bien que la décidabil-
ité du model-checking de TCTL (une variante temporise du CTL) [12]. En
revanche, l’inclusion des traces acceptés par deux automates temporisés
est indécidable [15].
Par conséquent, le développement de systèmes temporisés est sûre-
ment plus difficile, et sa vérification devient plus complexe. Le raffinement
est une technique qui permet de faciliter le développement et la vérifica-
tion des systèmes temporisés.
Commençons par definir la base sémantique de notre système tempo-
risé considéré dans cette thèfse :
Système de Transition Temporisé
Definition 0.1 (Système de Transition Temporisé TTS ) Etant donné un ensem-
ble d’étiquettes, Lτ et soit ∆ un domaine de temps, par exemple R+, un Système
de Transition Temporisé (Timed Transition System TTS) est un tuple 〈Q, Q0,→〉
sachant que Q est un ensemble d’états, Q0 ⊆ Q est un ensemble d’états initiaux,
et→ est une relation de transitions ⊆ Q× (L ∪ ∆)×Q.
Système de Transition Temporisé Contraint (CTTS)
Un système de transition temporisé contraint (Constrained Time Transi-
tion System CTTS) est une representation syntactique finie d’un TTS. On
le définit de la manière suivante :
Definition 0.2 (Constrained Time Transition System) Etant donné un ensemble
d’étiquettes Lτ, un ensemble d’intervalles I défini sur un domaine de temps ∆, un
CTTS [45] est définit par 〈Q, Q0, T, Lτ, ρ : T → 2Q×Q,λ : T → Lτ, ι : T 9
I, . ⊆ T × T〉 où Q est un ensemble d’états, Q0 ⊆ Q est un ensemble d’états
initiaux, T est un ensemble de transitions, ρ renvoie pour chaque transition un
ensemble de couples d’états (source et destination), λ associe une étiquette pour
chaque transition, ι associe un intervalle de temps pour chaque transition etiquet-
tée par un événement local, (les événements globaux ne sont pas contraints) et .
représente une relation de dépendance entre deux transitions.
A chaque transition t est associée implicitement une horloge. Cette hor-
loge est réinitialisée lorsque la transition devient tirable ou qu’une transi-
tion t′ avec t′ . t est déclanchée. Une transition tirable peut être effective-
ment tirée si son horlooge est comprise entre ses bornes min et max, sans
toutefois pouvoir dépasser le max.
CTTS Example Dans la figure 3.1, nous donnons un exemple de CTTS
dans lequel un port local est attaché à un intervalle de temps [1,2], alors
que pour le port global P n’est pas contraint. Il est également intéressant
de noter que l’activation l’une des 2 transitions possibles à partir de l’état
initial réinitialise l’horloge de l’autre.
s swait [ 1..2[
p
p [ 0..∞ [
s
t3 :
pt2 :t1 :
ρ(t  ) = (s  ,s )1 0 1
0 1
λ(t  ) = τ 1
ι(t  ) = [1..2[1
ρ(t  ) = (s  ,s  )2 1 2
λ(t  ) = p 2
ρ(t  ) = (s  ,s )3 0 2
λ(t  ) = p 3
2
Figure 2 – Example of CTTS
Nous donnons un autre exemple pour illustrer la relation .. Dans la
Fig. 3.2, nous montrons deux systèmes qui sont exactement les mêmes,
sauf qu’ils diffèrent dans la manière dont le . est défini entre leurs tran-
sitions. En fait, dans le premier système de la Fig. 3.2, t1 . t2, tandis que
xii
ce n’est pas le cas dans le second système. Dans le premier système, t2
n’est jamais tirée parce que, à l’état s0, après exactement 1 unité de temps
(u.t), seule la transition t2 serait capable d’être tirée car elle est associée
à l’intervalle de temps [1,1]. t2 ne serait jamais tirée comme sa contrainte
de temps n’est pas satisfaite. Maintenant, après le tir t1, et comme t1 . t2,
l’horloge de t2 est remise à zéro et le même mécanisme se répète indéfini-
tivement. Dans le cas du second système, à 1 u.t, la transition t1 est tirée
sans reinitialiser la transition t2. Lorsque le temps atteint 2 u.t, un choix
non-déterministe entre t1 et t2 est donc possible.
s0
t   : τ [1..1] 
t    :  τ [2..2] 2
1
t       t   1 2▷s0
t   : τ [1..1] 
t    :  τ [2..2] 2
1
t       t   1 2▷
Figure 3 – Fonction de réinitialisation d’un CTTS
0.3.2 Raffinement et Simulation
Comme nous l’avons indiqué, le principal inconvénient du model check-
ing est le risque d’explosion combinatoire. Le développement incrémen-
tal a été suggéré comme un moyen d’empêcher l’explosion combinatoire
ou au moins pour y faire face. La vérification compositionnelle et le
raffinement sont les deux techniques principales utilisées pour faire du
développement incrémental. La vérification compositionnelle permet la
vérification d’un système en vérifiant ses sous-composants.
Le raffinement, qui est la deuxième approche, est ce que nous consid-
érons dans cette thèse.
Le raffinement permet de construire progressivement des spécifica-
tions correctes en le rendant plus précis. À chaque étape du processus de
construction, une nouvelle spécification est dérivée d’une ancienne spéci-
fication en vérifiant que chaque nouveau niveau préserve les propriétés
de l’ancien. En d’autres termes, l’ensemble du système n’est pas modélisé
tout de suite, mais plutôt, il est construit progressivement par une série
de modèles, où chaque nouveau modèle est censé être un raffinement de
celui qui le précède. Pour pouvoir dire qu’un système raffine un autre, on
a besoin de l’inclusion de leurs traces. Par contre, comme l’inclusion de
traces temporisées est indécidable, on a été ramené à des conditions suff-
isantes qui sont les relations de simulations. Dans ce qui suit, on définit la
relation de simulation faible temporisée.
Simulation Faibe Temporisée
La relation de simulation faible temporisée (Timed Weak Simulation) est
définit entre deux TTS de la manière suivante :
Definition 0.3 (State-Event Timed Weak Simulation) Etant donné un ensemble
d’étiquettes Lτ et deux TTS A = 〈Qa, Q0a,→a〉 and C = 〈Qc, Q0c ,→c〉 définis
sur Lτ, un ensembLe de propositions P et deux fonctions de valuations vc : Qc →
2P and va : Qa → 2P, une simulation entre eux - est la plus grande relation de
sorte que :
∀qc qa, qc - qa ⇒
V. vc(qc) = va(qa) (Valuations)
E. ∀q′c e, qc e→c q′c ⇒ ∃q′a, qa τ
∗e→a q′a ∧ q′c - q′a (Visible Events)
T. ∀q′c, qc τ→c q′c ⇒ q′c - qa (τ Events)
D. ∀q′c δ, qc δ→c q′c ⇒ ∃q′a, qa δ
∗
=⇒a q′a ∧ q′c - q′a (Delay)
On dit que (C, vc) - (A, va) si ∀q0C ∈ Q0C, ∃q0A ∈ Q0A de telle sorte que (q0C, q0A) ∈
R.
Afin de préserver les propriétés du temps linéaire, des clauses supplé-
mentaires sont ajoutés à la simulation faible temporisée. Cela conduit au
Simulation Faibe Temporisée sensible au blocage (State-Event Deadlock-
Sensitive (DS) Timed Weak Simulation). Nous désignons cette relation par
-DS.
Definition 0.4 (Simulation Faibe Temporisée Sensible au Blocage ) Etant donné
un ensemble d’étiquettes Lτ et deux TTS A = 〈Qa, Q0a,→a〉 and C =
〈Qc, Q0c ,→c〉 définis sur Lτ, un ensembe de propositions P et deux fonctions
de valuations vc : Qc → 2P and va : Qa → 2P, une simulation entre eux -DS
est la plus grande relation de telle sorte que :
∀qc qa, qc -DS qa ⇒
V ∧ E ∧ T ∧D
N_C. C has no-τ-cycle (De f inition 3.3).
Dlk. ∀q′a e, qa e→a q′a ⇒ ∃q′c, qc e→c q′c ∧ vc(q′c) = va(q′a) (Deadlock)
On dit que (C, vc) -DS (A, va) si ∀q0C ∈ Q0C, ∃q0A ∈ Q0A tel que (q0C, q0A) ∈
R.
La cinquième clause (N_C) exprime que le raffinement n’autorise pas
les séquences infinies de τ transitions dans le système concret. Cela sig-
nifie qu’il doit toujours y avoir un moyen de sortir de ces cycles, via un
événement visible. La dernière clause exprime le fait que le système C
concret ne doit pas contenir de blocages qui n’existent pas dans le système
abstrait A.
Verification de la Simulation Faibe Temporisée
Composition des Systèmes Abstrait et Concret Notre technique partage
ses caractéristiques techniques avec le model-checking. En effet, la pre-
mière étape consiste à composer de manière asynchrone le système ab-
strait avec le système concret.
Etant donné un CTTS A = 〈Qa, Q0a, Ta, Lτ, ρa,λa, ιa, .a〉 et un CTTS
C = 〈Qc, Q0c , Tc, Lτ, ρc,λc, ιc, .c〉, les deux systèmes sont composés après
avoir renommé les événements de ces deux systèmes en indexant les ab-
straits (resp. concret) par a (resp. c). La composition se fait donc d’une
manière asynchrone (Fig. 3.12) afin d’être en mesure d’observer toutes
les transitions du système concret et vérifier si elles sont simulées par le
système abstrait ou non. La composition synchrone n’est pas applicable
xiv
Abstract e
n
a
e1a
τa1
τap
...
...
Concretee
m
c
e1c
τc1
τcq
...
...
Figure 4 – Systèmes
parce que les transitions du système concret risquent de disparaître dans
le système de produit. C’est le cas lorsqu’une transition concrète n’existe
pas dans le système abstrait.
Ajout des Observateurs dans le Cadre Temporisé Pour pouvoir vérifier
la simulation temporisée, nous définissons deux observateurs (Fig. 3.4 et
3.7) qui sont composés à la fois avec le système concret et le système
abstrait.
1. Le premier observateur Control Observer consiste à observer les
événements discrets des deux systèmes. Pour chaque transition du
concret, l’observateur va essayer de trouver un événement corre-
spondant dans l’abstraction se produisant en même temps.
2. Le deuxième observateur Time Observer modèlise l’écoulement
du temps dans les deux systèmes.
Control Observer Control Observer est représenté dans la Fig. 3.4.
Control Observer : Obs
Concreteec
m
ec
1
ea
1
ea
n
...
ok
e c e a
1
wait-1
1
e m e a
nc
wait-n
err
τ [0,0]
τ [0,0]
e a
1
e a
n
...
τ1c
τqc
...
τ1c
τqc
...
...
......
...
...
ec
m
ec
1
τ1c
τqc
...
...
Abstract ea
n
ea1
τ1a
τpa
...
...
Figure 5 – Control Observer
A l’état initial OK, l’observateur se synchronise avec l’un des événe-
ments eia, τic ou eic. Lors de la synchronisation avec l’un des événements
eai l’observateur signale une erreur (err) comme un événement abstrait
n’a pas été trouvé. Lors de la synchronisation avec n’importe lequel des
τiC l’observateur maintient l’état OK. Enfin, lors de la synchronisation
avec les événements concrets eic, il essaie de les faire correspondre avec
les événements abstraits eia. Après la reception d’événement concret eic,
l’observateur transite vers l’état waiti signifiant qu’il attend maintenant le
passage d’un événement abstrait correspondant eia. À ce stade, les scénar-
ios suivants peuvent se produire:
• Un événement abstrait correspondant est trouvé et l’observateur
transite à l’état OK.
• Le système abstrait viole la synchronisation du système concret
et l’observateur transite à l’état err. Cela veut dire qu’un événe-
ment abstrait correspondant n’est pas possible en même temps que
l’événement concret en question. Ceci est modélisé en signalant une
erreur dans 0 u.t.. Ainsi, si un événement correspondant est trouvé
en 0 ut, nous atteindrions un choix non-déterministe entre tran-
siter vers OK ou encore vers err. Les deux transitions seront alors
présentes dans le processus de composition. Comme nous le verrons,
ce choix est résolu dans le propriété de µ-calcul par la recherche d’un
chemin qui satisfait la simulation et en ignorant ainsi la transition
d’erreur.
Time Observer Le Control Observer vérifie seulement si les deux
événements correspondants peuvent se produire en même temps. Cepen-
dant, il ne dit rien sur le moment où un écoulement du temps s’est
produit. Cela conduit à la définition d’un observateur supplémentaire
Time Observer (Fig. 3.7) dans lequel deux aspects sont modélisés. Tout
d’abord, à l’état initial evt0, seules les transitions qui sont tirables dans
0 u.t peuvent se produire. Ceci est fait en spécifiant un choix simultané
entre un événement temporisé τ 0 contraint à [0, 0] d’un côté et tous les
événements des systèmes abstraits et concrets d’un autre côté.
Concrete ec
m
ec
1
τ1c
τqc
...
...
Abstract ea
n
ea
1
τ1a
τpa
...
...
Time Observer : Obs
evt0
delay ]0,∞[
τ_0 [0,0]
evtDly
e a
1 e a
n.. .
τ a1 τ ap.. . τ c1 τ cq.. .
e c
1 e c
m.. .
δ
ecm
ec
1
τ1c
τqc
...
...
ea
n
ea
1
τ1a
τpa
...
...
Figure 6 – Time Observer
Deuxièmement, elle rend visible l’écoulement implicite de temps. Dans
l’état Dlt, à chaque passage du temps, un événement temporisé delay
associé à la contrainte ]0,∞[ est signalé. Cet événement est utilisé plus tard
par la propriété µ-calcul comme un marqueur d’écoulement de temps.
Critère de Vérification de la Simulation Faibe Temporisée
Le test de la vérification de la Simulation Faibe Temporisée consiste en une
propriété µ-calcul sur le résultat de la composition du système abstrait, du
système concret et des deux observateurs (||| C)‖(Obs ‖
lτAr
Obsδ) où Obs
est Control Observer, Obsδ est Time Observer et Ar = {delay, τ 0}.
xvi
La simulation des transitions de temps consiste à vérifier si chaque délai
pris par le système concret peut également être fait par l’abstrait et con-
duire à un etat où la simulation reste verifiée. Le critère Timed Faible
Simulation est défini comme suit:
∀(q0a , q0c ) ∈ Q0a ×Q0c , (q0a , q0c , ok, evt0) |= νX.
(1)︷ ︸︸ ︷
Obs in ok ∧Obsδ in evt0∧
(2)Weak Simulation︷ ︸︸ ︷∧
i
[eic](EFτa 〈eia〉X) ∧
∧
j
[τ jc ]X ∧
(3)︷ ︸︸ ︷
(EFτa 〈delay〉>)⇒ EFτa (〈delay〉> ∧ [delay]X)
Event Deadlock︷ ︸︸ ︷∧
i
[eia]〈eic〉>
PropositionsRelation︷ ︸︸ ︷∧
p∈P
pc ⇔ pa
sachant que (qc, qa) |= pc si p ∈ vc(qc) et (qc, qa) |= pa si p ∈ va(qa).
Cette propriété caractérise un ensemble d’états du produit auquel l’état
initial doit appartenir. Cet ensemble d’états est défini sur la composition
des états de A, C et des deux observateurs. Nous commentons le critère:
• (1) désigne l’état dans lequel les événements concrets sont attendus.
• (2) est le critère de simulation faible non temporisée qui signifie
que pour chaque cas événement eic et pour chaque transition eti-
quettée par cet événement concret Eic, il existe un chemin d’un cer-
tain nombre d’événements locaux abstraites τa qui mène éventuelle-
ment à une transition marquée par l’événement abstrait eia tel que la
cible vérifie de manière récursive la propriété. En plus on demande
qu’après chaque transition etiquettée avec un événement local τ jc la
simulation est maintenue.
• (3) précise que si le temps peut s’écouler (cas de delay) dans le pro-
duit via une séquence d’événements locaux abstraits alors le temps
peut s’écouler et pour tous les événements delay possibles la simu-
lation est maintenue.
• (Event Deadlock) décrit la propriété de préservation du blocage.
En fait, il décrit que chaque événement visible abstrait est suivi d’un
événement concret correspondant.
• Propositions Relation : on dit que pour chaque proposition p, si p est
satisfaite par les variables du système concret xkc , alors les variables
du système abstrait xla la satisfont aussi. Évidemment, les variables
concrètes ou abstraites dépendent des systèmes qui sont comparés.
0.4 Méthodes Formelles pour la Vérification des Ser-
vices Web
Les services Web sont des applications distribuées qui sont conçues pour
réaliser une tâche spécifique de l’entreprise sur le web. Afin de réaliser
les objectifs de l’entreprise, ces services Web doivent être composés de
manière à interagir ensemble. Cette interaction se fait par échanges de
messages via des interfaces publiques décrites dans langages basés sur
XML tels que le Web Services Description Language WSDL [84].
L’orchestration est l’un des mécanismes qui addresse la composition
du service. WS-BPEL (Web Services Business Process Execution Lan-
guage) [18] ou tout simplement BPEL, est un langage de composition de
service Webs qui suit le modèle de l’orchestration. Il définit les processus
métier grâce à l’orchestration des différentes interactions partenaires.
Cependant, BPEL manque d’une sémantique formelle et est défini
en langage naturel. D’une part, ses constructions peuvent souffrir
d’ambiguïté, de l’incohérence et de l’incomplétude. Par exemple, comme
indiqué par le comité Web Services Business Process Execution Language
Technical Committee, de telles ambiguïtés et incomplétudes ont été détectés
dans la première version de BPEL. Ces ambiguïtés ont été modifiées
dans les versions ultérieures. D’autre part, la validité des exigences des
utilisateurs sur du BPEL ne peut être vérifiée qu’après l’implementation
effective du système. Cette faiblesse de BPEL peut être réparé par des
méthodes formelles.
L’utilisation des méthodes formelles pour la vérification de services
Web s’est avérée précieuse au sein de la dernière décennie. En fait, les
méthodes formelles ont été la pierre angulaire et la base mathématique
qui manquait dans le monde des services web.
Les méthodes formelles ont été utilisées afin d’élever le niveau de con-
fiance des utilisateurs dans les applications web en particulier en raison
des grandes quantités des mouvements monétaires qui transitent tous les
jours via le web. La sémantique formelle pour les langages de composition
de services, en particulier pour BPEL, ont été intensivement étudiés résul-
tant en plusieurs ouvrages. Des approches fondées sur les réseaux de Petri,
les algèbres de processus et les automates ont été proposées. Une trans-
formation de descriptions informelles à des modèles formels a donc été
introduite. En outre, puisque la sémantique formelle de ces formalismes
est définie, les modèles formels peuvent alors être utilisés pour vérifier le
bon fonctionnement des services Web. Cela se fait via la vérification des
propriétés écrites en logique temporelle comme LTL et CTL.
Dans ce qui suit, nous présontons l’idée de la transformation de BPEL
vers FIACRE.
0.5 Transformation de BPEL vers FIACRE
La modélisation décrite en FIACRE est basée sur la structure du processus
BPEL. La partie WSDL définit les points de communication du processus
BPEL. Ces connexions sont réalisées d’abord par la définition de Partner-
links. Un Partnerlink définit le rôle que joue le processus (le cas échéant)
xviii
et le rôle que joue le service partenaire (le cas échéant) à l’échange partic-
ulier. Selon le rôle, un processus peut utiliser les PortTypes pour envoyer
des appels/résultats ou recevoir des appels/résultats.
En conséquence, la partie statique de BPEL (WSDL) est modélisée dans
FIACRE par des types globaux. Quant à la partie dynamique constituée
de l’activité principale du processus BPEL et ses gestionnaires, ellecx est
modélisée comme une composante racine en FIACRE contenant la com-
position du modèle FIACRE correspondant à l’activité primaire avec les
modèles FIACRE correspondants aux gestionnaires (figure 7). Enfin, les
points de communication d’un processus BPEL sont modélisés par deux
ports FIACRE (I pour l’entrée (input) et O pour la sortie (output)).
type partnerlink_1 
type partnerlink_n 
...WSDL
   Primary     activityand handlers
component BPEL_process par      primary_act   || handlersend 
BPEL FIACRE
PartnerRole = r2 
myRole= r3 
I
O
: r3
: r2⇒⇒
Figure 7 – Structure de la Transformation
0.5.1 Partie Statique : Modélisation du WSDL
L’interaction avec l’environnement est pris en charge par les Partner-
links. En BPEL, chaque Partnerlink peut contenir deux rôles (myrole et
partnerRole) typés avec des Porttype. Chacun des Porttype déclare
plusieurs opérations servant à recevoir (Entrée) ou envoyer (sortie) des
messages (figure 8).
BPEL
Partnerlink_i
myRole
PartnerRole
PortType	Operation_jinputoutput
PortType	Operation_jinputoutput
Figure 8 – Connexions de BPEL
Par conséquent, cette structure est modélisée dans FIACRE en créant
deux types énumérés nommées inputs et outputs utilisés pour mod-
éliser respectivement les entrées et les sorties de chaque opération.
Le type inputs (resp. outputs) sera l’union des types :
• des arguments input (resp. output) des opérations du myRole de
chaque Partnerlink (1).
• des arguments output (resp. input) des opérations du
partnerRole de chaque PartnerLink (2).
0.5.2 Aspects Comportementaux de BPEL en FIACRE
La transformation est guidé par les concepts de BPEL. Un processus BPEL
est constitué de plusieurs activités BPEL réunies. En conséquence, chaque
constructeur de BPEL se traduit séparément en un composant FIACRE.
1. Les activités de base seront converties en des processus de FI-
ACRE.
2. Les activités structurées peuvent intégrer d’autres activités im-
briquées. Par conséquent, ils seront chacun convertis en un
Component de FIACRE.
Dans les deux cas, si une activité se traduit par un processus ou
component, elle va partager une interface commune. Cette interface se
compose de l’ensemble des ports FIACRE et des variables partagées que
chaque modèle devrait avoir afin de permettre leur composition.
0.6 Vérification de BPEL
Les modèles transformés sont utilisées à des fins de vérification. Notre
cadre de vérification prend en charge quatre types de propriétés.
1. Propriétés temporelles: ce sont les propriétés typiques rédigés en SE-
LTL.
2. Propriétés liés aux données: au cas où les types de données BPEL
sont finis, ils sont conservés dans la transformation BPEL / FIACRE.
Il est alors possible de vérifier des propriétés qui traitent ces don-
nées.
3. Propriétés structurelles: ils expriment la "bonne construction" du
code BPEL. Par exemple, nous sommes en mesure de vérifier qu’une
activité receive est toujours de suivie d’une activité reply, ou que
deux activités receive simultanées ne peuvent pas attendre pour
la même opération. Cela se fait par une vérification statique que les
excéptions résultants de ces situations ne sont pas levées.
4. Propriétés temporelles: elles peuvent être rédigées en MITL [16] qui
est une variante temporisée de LTL et sont traitées ici en utilisant des
observateurs temporisés et une propriété temporelle, codant ainsi
des propriétés telles que les propriétés d’accessibilité.
xx
0.7 Contributions et Résultas
• Contribution 1 : une technique automatique de vérification de la sim-
ulation faible temporisee (Timed Weak Simulation) entre des sys-
tèmes de transitions temporisés issus de systèmes FIACRE. La tech-
nique est une méthode basée sur l’observation, dans laquelle deux
systèmes de transitions temporisés sont composées avec un observa-
teur temporisé. Une propriété µ- calcul qui capte la simulation faible
temporisée est ensuite vérifiée sur le résultat de la composition. Une
caractéristique intéressante de la technique proposée est qu’elle re-
pose uniquement sur un µ-calcul atemporel sans algorithme spéci-
fique nécessaire pour analyser le résultat de la composition. Dans
cette contribution, nous avons étudié les points suivants:
1. Définition d’un cadre sémantique formel pour la langage FI-
ACRE.
2. Définition d’une relation de simulation qui implique des résul-
tats intéressants concernant l’inclusion de trace, la préservation
des propriétés et la compositionalité.
3. La technique a été testée et validée en utilisant les outils FI-
ACRE/TINA.
• Contribution 2: Application à la vérification de services Web:
1. Une transformation de BPEL à FIACRE: la vérification est basée
sur une transformation de BPEL vers FIACRE. Les avantages de
cette transformation sont de deux ordres. Tout d’abord, nous
proposons un cadre pour valider la bonne construction et la
préservation par transformation de la sémantique d’un sous-
ensemble des constructeurs BPEL. En outre, les constructions
temporisées de BPEL sont prises en compte dans la transfor-
mation. Deuxièmement, la structure hiérarchique d’un proces-
sus BPEL est maintenud dans FIACRE. Les deux langages etant
à base de composants, ceci rend la transformation modulaire.
2. Cadre de vérification pour BPEL: On propose un cadre riche de
vérification de BPEL, offrant plusieurs types de propriétés dont
des propriétes temporisées.
3. Une étude de cas montrant à la fois l’utilisation du test de sim-
ulation et la vérification de BPEL.
Contents
Résumé vii
0.1 Méthodes Formelles . . . . . . . . . . . . . . . . . . . . . . viii
0.1.1 Spécification des Systèmes . . . . . . . . . . . . . . . . . viii
0.1.2 Vérification des Systèmes . . . . . . . . . . . . . . . . . viii
Model checking . . . . . . . . . . . . . . . . . . . . . . ix
0.2 Contexte et Problèmatique . . . . . . . . . . . . . . . . . . x
0.3 Raffinement de Systèmes Temps Réels . . . . . . . . . . . . xi
0.3.1 Systèmes Temporisés . . . . . . . . . . . . . . . . . . . . xi
Système de Transition Temporisé . . . . . . . . . . . . xii
Système de Transition Temporisé Contraint (CTTS) . xii
0.3.2 Raffinement et Simulation . . . . . . . . . . . . . . . . . xiii
Simulation Faibe Temporisée . . . . . . . . . . . . . . xiii
Verification de la Simulation Faibe Temporisée . . . . xiv
Critère de Vérification de la Simulation Faibe Tem-
porisée . . . . . . . . . . . . . . . . . . . . . xvi
0.4 Méthodes Formelles pour la Vérification des Services
Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii
0.5 Transformation de BPEL vers FIACRE . . . . . . . . . . . xviii
0.5.1 Partie Statique : Modélisation du WSDL . . . . . . . . . xix
0.5.2 Aspects Comportementaux de BPEL en FIACRE . . . . . xx
0.6 Vérification de BPEL . . . . . . . . . . . . . . . . . . . . . . xx
0.7 Contributions et Résultas . . . . . . . . . . . . . . . . . . xxi
Contents xxii
List of Figures xxvii
I General Introduction 1
1 Introduction 3
1.1 Formal Methods . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1.1 System Specification . . . . . . . . . . . . . . . . . . . . 4
1.1.2 System Verification . . . . . . . . . . . . . . . . . . . . . 4
Model checking . . . . . . . . . . . . . . . . . . . . . . 5
1.2 Context and Problem . . . . . . . . . . . . . . . . . . . . . 6
1.2.1 Timed Systems . . . . . . . . . . . . . . . . . . . . . . . 6
1.2.2 Refinement . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.2.3 Formal Methods for Web Services Verification . . . . . . 7
1.3 Contributions and Results . . . . . . . . . . . . . . . . . . 8
1.4 Thesis Structure . . . . . . . . . . . . . . . . . . . . . . . . . 9
xxii
II Theoritical Aspects 11
1 Timed Systems 13
1.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1.2 Temporal Logics . . . . . . . . . . . . . . . . . . . . . . . . . 13
1.2.1 Linear Temporal Logic . . . . . . . . . . . . . . . . . . . 14
Linear Temporal Logic (LTL) . . . . . . . . . . . . . . 14
State-Event Linear Temporal Logic (SE-LTL) . . . . . 15
Time Domain . . . . . . . . . . . . . . . . . . . . . . . 16
Metric Interval Temporal Logic (MITL) . . . . . . . . 16
Stave/Event Metric Interval Temporal Logic (SE-MITL) 17
1.2.2 Branching Temporal Logic . . . . . . . . . . . . . . . . . 18
µ-Calculus . . . . . . . . . . . . . . . . . . . . . . . . . 18
Syntax of µ-Calculus . . . . . . . . . . . . . . . . . . . 18
Semantics of µ-Calculus . . . . . . . . . . . . . . . . . 19
1.3 Timed Systems Models . . . . . . . . . . . . . . . . . . . . . 19
1.3.1 Timed Transition Systems . . . . . . . . . . . . . . . . . 20
1.3.2 Timed Automata . . . . . . . . . . . . . . . . . . . . . . 20
Formal Definition . . . . . . . . . . . . . . . . . . . . . 21
Clocks and Constraints . . . . . . . . . . . . . . . . . 21
Semantics . . . . . . . . . . . . . . . . . . . . . . . . . 21
Example . . . . . . . . . . . . . . . . . . . . . . . . . . 22
1.3.3 Timed Game Automata . . . . . . . . . . . . . . . . . . 22
Timed Game Automata Definition . . . . . . . . . . . 23
Semantics of a TGA . . . . . . . . . . . . . . . . . . . 23
Example . . . . . . . . . . . . . . . . . . . . . . . . . . 23
1.3.4 Other Timed Models . . . . . . . . . . . . . . . . . . . . 23
CSP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Petri Nets . . . . . . . . . . . . . . . . . . . . . . . . . 24
Timing Extensions . . . . . . . . . . . . . . . . . . . . 25
1.3.5 The FIACRE Language . . . . . . . . . . . . . . . . . . 26
1.3.6 TINA . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
1.4 Alternative Definitions : Use of Label Structures . . . 29
Labeled Transition Systems (LTS) . . . . . . . . . . . 30
1.5 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
2 Refinement and Simulation 33
2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
2.2 Simulation in the Untimed Context . . . . . . . . . . . . 33
2.2.1 Action-Based Simulation . . . . . . . . . . . . . . . . . . 34
Strong Simulation . . . . . . . . . . . . . . . . . . . . 34
Weak Simulation . . . . . . . . . . . . . . . . . . . . . 36
2.2.2 State-Based Simulation . . . . . . . . . . . . . . . . . . . 37
Simulation Order . . . . . . . . . . . . . . . . . . . . . 37
Stutter-based Simulations . . . . . . . . . . . . . . . . 37
2.2.3 Simulation and µ-calculus . . . . . . . . . . . . . . . . . 39
2.3 Simulation in the Timed Context . . . . . . . . . . . . . . 39
2.3.1 Timed Transition System Refinement . . . . . . . . . . . 40
Timed Strong Simulation . . . . . . . . . . . . . . . . 40
Timed Weak Simulation . . . . . . . . . . . . . . . . . 40
Preserved Logic . . . . . . . . . . . . . . . . . . . . . . 40
2.3.2 Timed Automata Refinement . . . . . . . . . . . . . . . 40
Timed Ready Simulation . . . . . . . . . . . . . . . . 41
τ Timed Simulation . . . . . . . . . . . . . . . . . . . 41
2.3.3 Timed Game Automata Refinement . . . . . . . . . . . . 42
2.4 Our Simulation Choice . . . . . . . . . . . . . . . . . . . . 44
2.5 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
3 CTTS Timed Simulation 45
3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
3.2 Concrete/Abstract Systems . . . . . . . . . . . . . . . . . 45
3.2.1 Semantic Model . . . . . . . . . . . . . . . . . . . . . . 46
TTS Composition . . . . . . . . . . . . . . . . . . . . 46
TTS Properties . . . . . . . . . . . . . . . . . . . . . . 46
3.2.2 State-Related Properties . . . . . . . . . . . . . . . . . . 47
3.2.3 Timed Executions . . . . . . . . . . . . . . . . . . . . . . 48
3.2.4 Traces . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
3.2.5 Constrained Time Transition System (CTTS) . . . . . . . 50
CTTS Composition . . . . . . . . . . . . . . . . . . . . 52
Compositional Semantics of a CTTS . . . . . . . . . . 53
CTTS Properties . . . . . . . . . . . . . . . . . . . . . . 58
3.3 Timed Weak Simulation . . . . . . . . . . . . . . . . . . . . 59
3.3.1 Traces Inclusion . . . . . . . . . . . . . . . . . . . . . . 60
3.3.2 Property Preservation . . . . . . . . . . . . . . . . . . . 61
3.3.3 Compositional Simulation . . . . . . . . . . . . . . . . . 62
3.4 Timed Weak Simulation Verification . . . . . . . . . . . . 65
3.4.1 Composing the Abstract/Concrete Systems . . . . . . . . 65
Untimed Weak Simulation Verification . . . . . . . . 66
Example of Untimed Weak Simulation Verification . 66
3.4.2 Extension to the Timed Context . . . . . . . . . . . . . . 67
Control Observer . . . . . . . . . . . . . . . . . . . . . 67
Time Observer . . . . . . . . . . . . . . . . . . . . . . 68
Timed Weak Simulation Verification . . . . . . . . . . 69
3.5 Soundness and Completeness of the Criterion . . . . . 71
3.5.1 Proof Method . . . . . . . . . . . . . . . . . . . . . . . . 71
3.5.2 Introduction of Auxiliary Set Functions . . . . . . . . . . 72
3.5.3 Proof of the Criterion . . . . . . . . . . . . . . . . . . . . 74
Soundness . . . . . . . . . . . . . . . . . . . . . . . . . 74
Completeness . . . . . . . . . . . . . . . . . . . . . . . 76
Discussion On the Assumptions . . . . . . . . . . . . 78
3.5.4 Extension to a Deadlock-Sensitive Timed Weak Simulation 79
3.5.5 Extension to a State-Event Timed Weak Simulation . . . . 79
3.6 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
III Application 81
1 Web Services 83
1.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
1.2 Service Oriented Architecture . . . . . . . . . . . . . . . 83
1.2.1 Web Services . . . . . . . . . . . . . . . . . . . . . . . . 84
xxiv
Web Services Layers . . . . . . . . . . . . . . . . . . . 84
1.2.2 Web-Services Composition . . . . . . . . . . . . . . . . . 85
Orchestration vs. Choreography . . . . . . . . . . . . 86
Business Process Execution Language BPEL . . . . . 86
1.3 Formal Methods for the Verification of Web Services
Composition . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
1.3.1 BPEL to Petri Nets . . . . . . . . . . . . . . . . . . . . . 89
1.3.2 BPEL to process algebras . . . . . . . . . . . . . . . . . . 90
1.3.3 BPEL to Timed Formalisms . . . . . . . . . . . . . . . . 90
1.3.4 BPEL to Event_B . . . . . . . . . . . . . . . . . . . . . . 91
1.3.5 Formal Methods and BPEL Summary . . . . . . . . . . . 91
1.4 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
2 Modeling BPEL in FIACRE 93
2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
2.2 BPEL Semantics . . . . . . . . . . . . . . . . . . . . . . . . . 94
2.3 Overview of the Transformation . . . . . . . . . . . . . . 95
2.4 Modeling the WSDL . . . . . . . . . . . . . . . . . . . . . . 95
2.5 Behavioral Aspects in FIACRE . . . . . . . . . . . . . . . . 97
2.5.1 Common Behavior of Activities in FIACRE . . . . . . . . 97
2.5.2 Basic Activities. . . . . . . . . . . . . . . . . . . . . . . . 100
2.5.3 Structured Activities . . . . . . . . . . . . . . . . . . . . 102
Sequence . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Scope Component. . . . . . . . . . . . . . . . . . . . . 104
2.5.4 BPEL Handlers . . . . . . . . . . . . . . . . . . . . . . . 106
Fault handlers . . . . . . . . . . . . . . . . . . . . . . . 106
Event Handler . . . . . . . . . . . . . . . . . . . . . . . 108
2.5.5 BPEL Timed Aspects in FIACRE . . . . . . . . . . . . . . 113
2.6 Correctness of FIACRE Patterns . . . . . . . . . . . . . . 115
2.6.1 Control Correctness . . . . . . . . . . . . . . . . . . . . 115
2.6.2 Links Semantics . . . . . . . . . . . . . . . . . . . . . . 116
2.6.3 Weak Termination . . . . . . . . . . . . . . . . . . . . . 116
2.6.4 Strong Termination . . . . . . . . . . . . . . . . . . . . . 116
2.6.5 Hierarchical Termination . . . . . . . . . . . . . . . . . . 117
2.6.6 Hierarchical Fault Propagation . . . . . . . . . . . . . . . 117
2.6.7 Event Handlers . . . . . . . . . . . . . . . . . . . . . . . 117
2.7 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
3 Verification Framework 119
3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
3.2 Behavioral Verification with Tina . . . . . . . . . . . . . 119
3.3 Supported Properties . . . . . . . . . . . . . . . . . . . . . 119
3.3.1 Temporal and Data-Related Properties . . . . . . . . . . 120
3.3.2 Structural Properties . . . . . . . . . . . . . . . . . . . . 120
Adaptation of the receive and the reply . . . . . . . . 120
3.3.3 Timed Properties . . . . . . . . . . . . . . . . . . . . . . 121
Time Embedding in BPEL Constructs . . . . . . . . . 121
Timed Observers . . . . . . . . . . . . . . . . . . . . . 122
3.4 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
4 Use Case 127
4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
4.2 Use Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
4.2.1 Abstract Use Case Modeling and Verification . . . . . . . 128
Abstract Activity . . . . . . . . . . . . . . . . . . . . . 129
Abstract Fault Handler . . . . . . . . . . . . . . . . . 129
Abstract Use Case Modeling . . . . . . . . . . . . . . 130
Use Case Verification . . . . . . . . . . . . . . . . . . . 130
4.2.2 Concrete Modeling . . . . . . . . . . . . . . . . . . . . . 133
4.2.3 Proving the Refinement . . . . . . . . . . . . . . . . . . 135
Abstract and Concrete Activities Simulation . . . . . 135
Fault Handler Simulation . . . . . . . . . . . . . . . . 137
4.3 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
IV Conclusion and Perspectives 139
1 Conclusion and Perspectives 141
1.1 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
1.2 Perspectives . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
1.2.1 Simulation Verification Technique . . . . . . . . . . . . . 143
1.2.2 FIACRE Extensions . . . . . . . . . . . . . . . . . . . . . 143
1.2.3 Run Time Verification of BPEL . . . . . . . . . . . . . . . 143
1.2.4 Tool Chain for the Simulation/ Verification of BPEL . . . 143
V Appendix 145
1 Appendix A : Building Systems with Label Structures 147
1.1 Label Structure . . . . . . . . . . . . . . . . . . . . . . . . . 147
1.1.1 Examples of Label Structures . . . . . . . . . . . . . . . 147
1.1.2 Composition of Label Structures . . . . . . . . . . . . . . 148
Product of Label Structures . . . . . . . . . . . . . . . 148
Sum of Label Structure . . . . . . . . . . . . . . . . . . 148
1.2 Labeled Transition Systems LTS . . . . . . . . . . . . . . . 149
LTS Composition . . . . . . . . . . . . . . . . . . . . . 149
LTS Sum . . . . . . . . . . . . . . . . . . . . . . . . . . 151
LTS Label Structure Transformations. . . . . . . . . . 151
1.2.1 Timed Transition Systems TTS . . . . . . . . . . . . . . . 152
1.2.2 Timed Automata TA . . . . . . . . . . . . . . . . . . . . 152
TA Semantics. . . . . . . . . . . . . . . . . . . . . . . . 153
2 Appendix B : BPEL To FIACRE Patterns 155
2.1 Modeling the WSDL . . . . . . . . . . . . . . . . . . . . . . 155
2.1.1 Example of WSDL Modeling . . . . . . . . . . . . . . . . 158
2.2 Basic Activities . . . . . . . . . . . . . . . . . . . . . . . . . 160
2.2.1 Rethrow . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
2.2.2 Exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
2.2.3 Compensate . . . . . . . . . . . . . . . . . . . . . . . . 160
2.2.4 Compensate Scope . . . . . . . . . . . . . . . . . . . . . 160
2.3 Structured Activities . . . . . . . . . . . . . . . . . . . . . 161
xxvi
2.3.1 While and RepeatUntil . . . . . . . . . . . . . . . . . . . 161
2.3.2 If . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
2.3.3 Pick . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
2.3.4 Full Scope With Termination and Compensation Handlers. 166
2.4 BPEL Handlers . . . . . . . . . . . . . . . . . . . . . . . . . . 167
2.4.1 Termination Handler . . . . . . . . . . . . . . . . . . . . 167
2.4.2 Compensation handler . . . . . . . . . . . . . . . . . . . 168
2.4.3 Full Fault Handler : With Termination and Compensation
Handlers . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Bibliography 173
List of Figures
1 Overall Description . . . . . . . . . . . . . . . . . . . . . . . . xi
2 Example of CTTS . . . . . . . . . . . . . . . . . . . . . . . . . xii
3 Fonction de réinitialisation d’un CTTS . . . . . . . . . . . . . xiii
4 Systèmes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
5 Control Observer . . . . . . . . . . . . . . . . . . . . . . . . . xv
6 Time Observer . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi
7 Structure de la Transformation . . . . . . . . . . . . . . . . . xix
8 Connexions de BPEL . . . . . . . . . . . . . . . . . . . . . . . xix
1.1 Overall Description . . . . . . . . . . . . . . . . . . . . . . . . 9
1.1 Train Modeling in Timed Automata . . . . . . . . . . . . . . 22
1.2 Controller Modeling in Timed Input Output Automata . . . 23
1.3 Restaurant in Petri Net . . . . . . . . . . . . . . . . . . . . . . 25
1.4 Time Petri Net . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
1.5 Graphical notations . . . . . . . . . . . . . . . . . . . . . . . . 27
1.6 Timing Constraints in FIACRE . . . . . . . . . . . . . . . . . 28
2.1 Strong Simulation . . . . . . . . . . . . . . . . . . . . . . . . . 35
2.2 Terminal State . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
2.3 Weak Simulation . . . . . . . . . . . . . . . . . . . . . . . . . 36
2.4 Divergent Path . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
2.5 Simulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
2.6 Second Condition of the Stutter Simulation . . . . . . . . . . 38
2.7 Stutter Simulation and DS Stutter Simulation . . . . . . . . . 39
3.1 Example of CTTS . . . . . . . . . . . . . . . . . . . . . . . . . 51
3.2 Reset Function of a CTTS . . . . . . . . . . . . . . . . . . . . 51
3.3 CTTS Semantics . . . . . . . . . . . . . . . . . . . . . . . . . . 51
3.4 Newly Enabled Transition . . . . . . . . . . . . . . . . . . . . 52
3.5 CTTS Transitions Composition . . . . . . . . . . . . . . . . . 52
3.6 Interval Composition . . . . . . . . . . . . . . . . . . . . . . . 53
3.7 Reset Function Composition . . . . . . . . . . . . . . . . . . . 53
3.8 Building/Destructing the TTS Synchronous Product Transi-
tion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
3.9 Building/Destructing the TTS Semantics of a Synchronous
Product Transition . . . . . . . . . . . . . . . . . . . . . . . . 54
3.10 Building/Destructing the TTS Left Interleaving Product
Transition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
3.11 Building/Destructing the TTS Semantics of a Left Interleav-
ing Product Transition . . . . . . . . . . . . . . . . . . . . . . 57
3.12 Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
3.13 Example of Untimed Simulation Verification . . . . . . . . . 66
3.14 Control Observer . . . . . . . . . . . . . . . . . . . . . . . . . 68
3.15 Time Observer . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
3.16 τ − δ Permutation . . . . . . . . . . . . . . . . . . . . . . . . . 69
3.17 Sufficient Condition for τ − δ Permutation . . . . . . . . . . 70
3.18 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
3.19 Counter Example . . . . . . . . . . . . . . . . . . . . . . . . . 78
1.1 Choreography . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
1.2 Orchestration . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
1.3 BPEL Structure: ex PurchaseOrder . . . . . . . . . . . . . . . 87
1.4 Brief BPEL verification tools coverage . . . . . . . . . . . . . 91
2.1 Transformation Structure . . . . . . . . . . . . . . . . . . . . 95
2.2 Connections of BPEL . . . . . . . . . . . . . . . . . . . . . . . 96
2.3 Common interface . . . . . . . . . . . . . . . . . . . . . . . . 98
2.4 Common Behavior . . . . . . . . . . . . . . . . . . . . . . . . 98
2.5 Receive pattern . . . . . . . . . . . . . . . . . . . . . . . . . . 100
2.6 Reply pattern . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
2.7 Synchronous invoke pattern . . . . . . . . . . . . . . . . . . . 101
2.8 Assign pattern . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
2.9 Throw pattern . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
2.10 Sequence component . . . . . . . . . . . . . . . . . . . . . . . 103
2.11 sequence controller . . . . . . . . . . . . . . . . . . . . . . . . 104
2.12 Flow component . . . . . . . . . . . . . . . . . . . . . . . . . 104
2.13 Flow controller . . . . . . . . . . . . . . . . . . . . . . . . . . 105
2.14 Scope Component . . . . . . . . . . . . . . . . . . . . . . . . . 105
2.15 Fault handler component . . . . . . . . . . . . . . . . . . . . 107
2.16 Fault Handler Controller : No CatchAll . . . . . . . . . . . . 108
2.17 Event handler component . . . . . . . . . . . . . . . . . . . . 109
2.18 Event handler controller . . . . . . . . . . . . . . . . . . . . . 110
2.19 Event branch controller . . . . . . . . . . . . . . . . . . . . . . 111
2.20 For Alarm controller . . . . . . . . . . . . . . . . . . . . . . . 112
2.21 RepeatEvery Alarm controller . . . . . . . . . . . . . . . . . . 112
2.22 RepeatEvery Alarm controller specified with For/Until ex-
pression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
2.23 Absolute time treatment . . . . . . . . . . . . . . . . . . . . . 114
2.24 Absolute time treatment . . . . . . . . . . . . . . . . . . . . . 114
2.25 Absolute Time Adaptation . . . . . . . . . . . . . . . . . . . . 114
xxviii
3.1 Adaptation of the receive and the reply patterns . . . . . . . 121
3.2 Status Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . 121
3.3 Summary of timed constructs in FIACRE . . . . . . . . . . . 122
3.4 Bounded Response Observer . . . . . . . . . . . . . . . . . . 123
3.5 Maximal Duration Observer . . . . . . . . . . . . . . . . . . . 124
3.6 Minimal Duration Observer . . . . . . . . . . . . . . . . . . . 124
3.7 Observers at the FIACRE level . . . . . . . . . . . . . . . . . 125
4.1 Timed purchase example . . . . . . . . . . . . . . . . . . . . . 127
4.2 Abstract Activity in FIACRE . . . . . . . . . . . . . . . . . . 129
4.3 Abstract Fault Handler in FIACRE . . . . . . . . . . . . . . . 129
4.4 Modeling of the Abstract Use Case in FIACRE . . . . . . . . 131
4.5 Modeling of the Concrete : Purchase Flow . . . . . . . . . . 133
4.6 Modeling of the Concrete Fault Handler . . . . . . . . . . . . 134
4.7 Composition with the Observers . . . . . . . . . . . . . . . . 136
1.1 Semantics of TA via a Composition of Two LTS . . . . . . . 153
2.1 Connections of BPEL . . . . . . . . . . . . . . . . . . . . . . . 155
2.2 Rethrow pattern . . . . . . . . . . . . . . . . . . . . . . . . . . 160
2.3 Exit pattern . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
2.4 Compensate pattern . . . . . . . . . . . . . . . . . . . . . . . 161
2.5 Compensate Scope activity . . . . . . . . . . . . . . . . . . . 161
2.6 While/RepeatUntil component . . . . . . . . . . . . . . . . . 161
2.7 (a) While controller / (b) Repeat Until controller . . . . . . . 162
2.8 If component . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
2.9 If controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
2.10 Pick component . . . . . . . . . . . . . . . . . . . . . . . . . . 165
2.11 Pick controller . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
2.12 Scope Component . . . . . . . . . . . . . . . . . . . . . . . . . 166
2.13 Termination Handler component . . . . . . . . . . . . . . . . 167
2.14 User defined termination Handler controller . . . . . . . . . 168
2.15 Default termination handler controller . . . . . . . . . . . . . 168
2.16 Compensation handler . . . . . . . . . . . . . . . . . . . . . . 169
2.17 User defined compensation handler . . . . . . . . . . . . . . 169
2.18 Default compensation handler . . . . . . . . . . . . . . . . . 169
2.19 Fault Handler Controller : No CatchAll . . . . . . . . . . . . 170
2.20 Fault Handler Controller : CatchAll . . . . . . . . . . . . . . 171

Part I
General Introduction

Chapter One
Introduction
Nowadays and with all the rapid technological progress that we are wit-
nessing, it is safe for us to say that we are getting closer to be ruled by
machines. Maybe not in the way the terminator movie shows it, but in
the way of our reliance on the well functioning of automated systems
in our daily life. These systems are getting complex by the day and are
being utilized in numerous fields, such as telecommunications, avionics,
automotive, aerospace, railways, medical, banking, web services and other
related professions. Accordingly, a high degree of safety in these systems
has become an indispensable prerequisite for their proper functioning.
In fact, software failures may result in profound deficit in the finance
ranks or even in losses in the human life. According to COMPUTER-
WORLD, WASHINGTON in a report that dates back to 2/2002, "software
bugs are costing the U.S. economy an estimated 59.5 billion dollars each year, with
more than half of the cost borne by end users and the remainder by developers and
vendors".
Several events in the past have shown the multitude of damage soft-
ware errors can cause when they occur. In some cases, the damages have
been described as catastrophic to say the least.
Let us remember the infamous 2003 Northeast blackout, where a mas-
sive power outage occurring on August 14, 2003, left vast regions of the
Northeastern and Midwestern areas of the United States and Ontario
Canada without power. Due to an error in programming, one system
failed to take precedence over the other, leading to multiple systems try-
ing to simultaneously access the same information at once. This havoc
triggered an alarm malfunction whereby the software in question sent,
in bulk, a busy signal to all systems. This costly technological blunder
queued up unprocessed events and consequently slowed down the per-
formance which caused the power outage. As a result, the losses were
reportedly an estimated and painful seven to ten billion dollars.
Another notorious example is the crash of Ariane 5, a European satel-
lite, which the European Space Agency spent ten years building with a
total cost of a staggering eight billion dollars. The ultimate purpose of
Ariane 5 was to give Europe a leadership role in the space business. Un-
fortunately, on June 4, 1996, Ariane 5 crashed only 36.7 seconds after being
launched into the skies of French Guienna. The crash was the outcome of
a 64-bit conversion floating point into a 16-bit integer value. Indeed, the
number was too big resulting in an overflow error crashing both the pri-
4 Chapter 1. Introduction
mary and backup computers. The losses were 3650 days of hard work and
labor as well as 500 million dollars worth of satellites and 8 billion dollars
of production costs.
All these unfortunate events, which caused immense losses in time,
labor, life, and dollars, are a proof that it is a responsibility to have such
critical systems closely and sharply authenticated and validated before
their definite implementation in the real world. In order to fulfill this im-
perative obligation, formal methods have been suggested.
1.1 Formal Methods
Formal methods are mathematically-based techniques, languages and
tools for the specification and verification of computer-based software
and hardware systems. Formal methods are used to secure a high-quality
guarantee in the correctness of a system’s specification. This increases con-
fidence in its well-functioning through revealing the bugs that might oth-
erwise go undetected.
1.1.1 System Specification
Formal methods may be used in the system specification phase when the
requirements of a system are described. A specification is a formal model
that represents the static and dynamic aspects of a system. While static
aspects are represented by states, the dynamic aspects are represented by
actions (transitions between the different states). Petri Nets [91], CSP [96],
CCS [83] and B-Method [7] can be cited in this case as examples of model-
based formal specification languages.
1.1.2 System Verification
Once a formal specification of the system is given, the specification may be
validated by the proof of some properties. Several techniques for verifica-
tion, which range from automatic to manual techniques exist. The system
verification techniques fall into four general categories and these are theo-
rem proving, model checking, abstract interpretation and software testing.
The theorem proving consists in proving the satisfaction of the prop-
erties on the systems by means of inference and induction rules. While
some of these proofs are manual, others are either automated or interac-
tive. There are several tools that offer the possibility to develop automated
or interactive proofs. In an automated theorem proving tool, an automatic
proof can be built given a description of the system, a set of logical axioms,
and a set of inference rules. Examples of such tools are the Satisfiability
Modulo Theories (SMT) [46] solvers (such as STP [51]) where the problem
is to determine if a logical formula may be satisfied over a combination
of theories expressed in classical first-order logic with equality. Unlike an
automated theorem, an interactive theorem proving tool usually requires
a human intervention. Examples of such tools are Coq [102], Isabelle [88],
and B etc.
A second verification technique is abstract interpretation. Abstract
interpretation [42] was formalized by both Patrick Cousot and Radhia
1.1. Formal Methods 5
Cousot in the late 1970s. It is a method that is based on replacing an infi-
nite domain of concrete values of a system by a number of finite abstract
domains on which the initial operations (concrete) are redefined. Proper-
ties, such as interval bounds and null pointer access, are then verified on
the abstract model.
Another technique is software testing. Software testing is the process
of executing the real code of a program by specifying its parameters and
verifying whether it behaves correctly. Testing allows a conformity check
of the system compared to its definition and an examining of whether
the software meets the requirements. The problem in this technique is the
need to generate sufficient test cases in order to have a higher confidence
in the product. However, since the number of test cases tends to be infi-
nite, testing cannot be exhaustive (at the contrary of model checking : see
below). Thus, it cannot prove that a product behaves correctly under all
conditions but can rather show that it does under specific conditions.
We are going to discuss now the fourth verification technique, which
is the technique adopted in this PhD.
Model checking
Model checking is an automated proof technique in which a property is
checked against a system by means of an exhaustive search of all the pos-
sible states of a system execution. Formally, model checking refers to the
following problem: given a model of a system M and a specification ϕ,
we investigate whether the following equation is true, which is read as M
satisfies ϕ or also as M is a model of ϕ.
M |= ϕ
The model is usually an abstraction of the system written in a formal-
ism based on transition systems while the properties are logic properties
written in LTL [79] or CTL [40]. The verification of a property on the sys-
tem is done via model checking exploration algorithms. The first proposed
algorithms were the ones of [40] and [94].
The advantages of model checking is that it is completely automatic
and since it is an exhaustive verification it gives a high degree of confi-
dence w.r.t the satisfied properties. Another advantage of model checking
is that in the case of non-satisfaction of a property, a counter example is
also given.
However, the main drawback of model checking is that its application
is limited to only small models. As such, in case there are large mod-
els, model checking will suffer from combinatorial explosion. In order to
trespass this drawback, several solutions mainly revolving around four
techniques have been suggested. The first is abstraction techniques [41]
which aim at reducing the size of the model. The second is partial or-
der reduction techniques [89] which aim at reducing the size of the state-
space to be searched by the model checking algorithm. The third is mod-
ular verification technique, where the idea is to decompose the system
into smaller sub-components and to undergo the verification of each of
the sub-component independently of the other. Finally, the fourth is the
6 Chapter 1. Introduction
refinement techniques which aim at building a model in an incremental
manner.
A tool that implements the model checking technique is conventionally
called a model checker. As examples of model checkers we can cite the Spin
model checker [62] for transitions systems models, Tina [20] for Time Petri
Nets, and UPPAAL [73] for timed automata.
1.2 Context and Problem
The context of this PhD work is the ANR project ITEmIS [2]. This project
aims at easing the evolution from today’s world of separate lightweight
embedded applications and IT services to the future world of seamlessly
integrated services. This transition qualifies and defines a new generation
of service oriented architecture (SOA) that enables IT and Embedded Inte-
grated Systems (ITEmIS systems). Thus, three main axis are considered for
this purpose and these are the service infrastructure axis, the business axis,
and the formal verification axis. The formal verification axis addresses
end-to-end assurance of Qos and correctness of verification of the execu-
tion models. In this context, the needed work consisted at the verification
of Business Execution Languages Processes (BPEL) via a transformation
to a formal specification language FIACRE, a real time specification lan-
guage. The results of this transformation (FIACRE models) could either be
used to give a formal semantics for the BPEL constructs allowing the anal-
ysis of the BPEL constructs, or for verification purposes (model checking
with logic properties). However, even though model checking may be con-
sidered for small BPEL models (FIACRE models after the transformation),
the verification of larger models is not reasonable. The problem needed to
be tackled differently, namely by considering the incremental development
of FIACRE models, by means of progressive refinements. This has led to
the study of the refinement of timed systems. Let us start introducing the
keywords of this PhD work.
1.2.1 Timed Systems
Even though classical models such as transition systems and Petri nets
can express the behavior of a system, they cannot express its real-time
constraints. However, time is a natural constraint that is explicitly present
almost everywhere and in everything. Examples of timing constraints may
be like execution delays, timeouts, system response and so on. In order to
meet this requirement, timed systems were created in order to capture tim-
ing constraints that may control or alter the behavior of a system. Several
models and logic were thus extended by timing notions (see next chapter).
Since dense time makes the state space infinite, its addition has surely
made the comprehension and the theoretical aspects of timed models
more complex. However, several results exist in the context of timed sys-
tems, most of which revolves around timed automata, one of the most
studied models for real-time systems. The most interesting result is prob-
ably that reachability properties are decidable [15] and the decidability of
TCTL (a timed variant of CTL) model-checking [12]. In contrast, language
inclusion for timed automata is undecidable [15].
1.2. Context and Problem 7
Consequently, the development of timed systems is surely harder,
and its verification becomes more complex. The incremental development
through time refinement is a technique that helps easing the development
phase.
1.2.2 Refinement
As we have stated earlier in this chapter, the main drawback of model
checking is the risk of combinatorial explosion. The incremental develop-
ment has been suggested as a way to prevent the combinatorial explosion
or at least to cope with it. Compositional verification and Refinement are
two main techniques used for incremental development. Compositional
verification allows the verification break up of a system into smaller tasks
that involves the verification of its sub-components. Each of its small ver-
ifications would then allow inferring the global verification of the compo-
sition.
Refinement, which is the second approach, is what we consider in this
PhD.
Stepwise-refinement allows building progressively correct specifica-
tions by making it more precise. At each stage of the building process,
a new specification is derived from a former specification by verifying
that each new one preserves the correctness w.r.t to the former one. In
other words, the whole system is not modeled altogether, but rather, it
is constructed gradually by a series of models, where each new model is
supposed to be a refinement of the one preceding it.
1.2.3 Formal Methods for Web Services Verification
Web services are distributed applications which are designed to achieve
a specific business task over the web. In order to carry out the business
goals, these web services should be composed in such a way to interact
together. This interaction is done by means of exchanging messages over
public interfaces described in XML-based languages such as the Web Ser-
vices Description Language WSDL[84]. Orchestration is one of the mecha-
nisms that address service composition. WS-BPEL (Web Services Business
Process Execution Language) [18] is a well known service composition
language addressing orchestration. It defines business processes through
the orchestration of different partner interactions.
However, BPEL lacks a formal semantics and is defined informally
in natural language. At one hand, its constructs may suffer from ambi-
guity, inconsistency, and incompleteness. For example, as stated by the
issues of the Web Services Business Process Execution Language Techni-
cal Committee such ambiguities and incompleteness were detected in the
first version of BPEL. These ambiguities were amended in later versions.
On the other hand, the validity of user requirements cannot be verified
over BPEL processes before the actual implementation of the system. This
BPEL weakness can be mended by formal methods.
The use of formal methods for web services verification has proven
to be valuable within the last decade. Actually, formal methods were the
mathematical cornerstone which the world of web services lacked.
8 Chapter 1. Introduction
They were used in order to elevate the degree of user confidence in
web applications especially because of the large amounts of daily money
transitions via the web. The formal semantics for web services composi-
tion languages, particularly for BPEL, were intensively studied resulting
in several works. Approaches based on Petri Nets, process algebras, and
automata were proposed. A transformation from informal descriptions to
formal models was then introduced. Moreover, since the formal semantics
of these formalisms is defined, the formal models may then be used to
verify the well-functioning of the work-flow of web services. This is done
via the verification of properties written in temporal logic such as LTL and
CTL.
1.3 Contributions and Results
• Contribution 1 : an automatic technique for checking the timed weak
simulation between timed transition systems based on models origi-
nating from FIACRE systems. The technique is an observation-based
method in which two timed transition systems are composed with
a timed observer. A µ-calculus property that captures the timed
weak simulation is then verified on the result of the composition.
An interesting feature of the proposed technique is that it only relies
on an untimed µ-calculus model-checker with no specific algorithm
needed to analyze the result of the composition. In this contribution,
we study the following points :
1. Definition of a basic formal semantic framework for the FI-
ACRE language.
2. Definition of timed weak simulation that supports interesting
results concerning trace inclusion and the preservation of prop-
erties. Our simulation also enjoy the compositionality feature.
3. The technique is tested and validated using the FIACRE/TINA
tool-set.
• Contribution 2 : Application to the verification of web services :
1. A Transformation from BPEL to FIACRE : the verification is
based on a transformation of BPEL constructs to the specifica-
tion language FIACRE. The advantages of this transformation
are twofold. Firstly, we provide a framework for validating the
correctness of a subset of constructs considered in the trans-
formations. Moreover the BPEL timed constructs are taken into
account in the transformation. Secondly, the hierarchical struc-
ture of a BPEL process is maintained in FIACRE because both
languages are component-based languages making the trans-
formation modular.
2. Model Checking Verification Framework for BPEL : a rich verifi-
cation framework is offered, taking into account several types of
properties. Timed properties through the use of time observers,
structural properties through annotations of the FIACRE code,
1.4. Thesis Structure 9
data-related properties (for finite types) and classical temporal
properties such as deadlock freeness and so on .
The method adopted in this document is depicted in Fig 1.1. The first
step is the transformation from BPEL to FIACRE. The result of this trans-
formation is then abstracted and verified. The real implementation of the
transformation’s result is then tested for refinement against the abstract
system.
Abstraction
Concrete
Observers
μ-calcul prop
     Refinement           Test
 
 
bpel2fcr
 
BPEL
LTL prop
    Diagnosis
 
FIACRE
Abstraction
Figure 1.1 – Overall Description
1.4 Thesis Structure
The rest of this PhD document is organized in three parts.
Part II introduces the scientific context of our work.
In Chapter One, we introduce the timed systems. We start by introduc-
ing the linear temporal logic and its time variant. We also present in this
thesis some real-time models such as Timed Automata and Time Game
Automata considered in the thesis. We then proceed by presenting the syn-
tax and semantics of the FIACRE language through different constructs.
We wrap up this chapter by presenting an alternative method that
represents to represent the formal semantics of models and specification
languages. As a matter of fact, we have identified a label-structure, based-
construction method with which the formal semantics of our models could
be eased. The complete work is given as an appendix : Appendix A.
Chapter Two is a presentation of the refinement and the simulation
concepts. We begin by introducing the concepts in the untimed context.
For this, we present the theory of refinement in both the state and action
based semantics. We later discuss about some of the existing studies in the
timed context.
Chapter Three includes our contribution in the topic of timed simu-
lation definition and verification. In this chapter, we start by formalizing
the context of the study. For this, we establish a definition to what we
call Constrained Time Transition System. We then give our definition of
10 Chapter 1. Introduction
timed weak simulation and show that it guarantees traces inclusion and
thus preserving linear time logic. We also show that our parallel operator
is monotonic w.r.t the simulation. Later in the chapter, we suggest a tech-
nique for the verification of our timed simulation and give the correctness
and completeness proof of the technique.
Part III consists in the integration of the timed simulation in the verifi-
cation chain of BPEL processes.
Chapter One consists of an introduction to service oriented architec-
ture. For this, we define the web services and their composition. This will
lead us to the BPEL, a web service composition language. After giving a
brief introduction to BPEL and its constructs, we finish this chapter by dis-
cussing the relation of web services to formal methods. We then present
some of the existing approaches in this context.
In Chapter Two, we present the transformation from BPEL to FIACRE.
We show a one to one transformation for most of the BPEL constructs. In
this transformation, the static part of BPEL (WSDL) is transformed into
FIACRE data types while the dynamic part of BPEL (activities) is trans-
formed to FIACRE components. We also show how some of the FIACRE
patterns may be validated w.r.t their BPEL semantics.
Chapter Three presents the verification framework of BPEL. Here we
illustrate how the timed properties are treated via the use of observers,
whether at the FIACRE or BPEL level. We also show how the structural
properties are verified via explicit annotations of the FIACRE code.
To finalize this part and to illustrate our approach, we present in Chap-
ter Four a case study that shows a transformation from BPEL to FIACRE,
through the use of our refinement technique. The use case is then model
checked using the Tina model checker.
In Part IV, we formulate a conclusion to the thesis and discuss several
perspectives of these works.
Part II
Theoritical Aspects

Chapter One
Timed Systems
1.1 Introduction
In order to respond to the need of real time constraints in the study of
hardware and software systems, several timed models and timed logic
were created. These were mostly extensions of existing formalisms used in
the untimed context. In these extensions, a quantitative elapse of time has
been integrated, either in the form of discrete time (for example, see [59])
or in the form of dense time (for example, see [14]). The dense nature of
time is closer to what we have in real life and represents an uncountable
set of values in an interval. This means that at any instant, it can be divided
to smaller units. This is not the case in a discrete time view since on the
contrary, a discrete time has a countable domain, like integers for example.
For this, the notion of dense time is more coherent for the representation
of real time systems. Here, we only consider formalisms where the time is
dense.
In this chapter we present some of the logics and their extensions that
are used to specify timed properties. We also present the timed models
used to specify the timing behavior of systems.
1.2 Temporal Logics
Temporal logic is a term to denote a category of logic that allows to rep-
resent temporal information within a logical framework. This means that
the propositions are qualified in terms of time. For example, if the propo-
sition is, "it will rain", then statements like, "it will always rain" or "it will
eventually rain" could be expressed in temporal logic.
Consequently, temporal logics have proven valuable in formal verifi-
cation of reactive systems, since they allow to express intuitive properties
such the mutual exclusion, the response properties, and so on. There are
two main temporal logics which are the branching temporal logic and
the linear time logic. In the linear view, a model is a sequence-like struc-
ture such as that at each moment there exists only one successor in time,
whereas in the branching view a model has a tree-like structure, where
future may split into multiple branches.
14 Chapter 1. Timed Systems
1.2.1 Linear Temporal Logic
Linear Temporal Logic (or Linear-time Temporal Logic) is a modal tempo-
ral logic with modalities referring to time. In LTL, one can encode formula
about q given future. For example, a condition will eventually be true, a
condition will be true until another fact becomes true, and so on.
We present in this section different variants of linear temporal
logic [80]. Such logic will play a major role in this PhD. The first role per-
tains to the motivation of the simulation definition, since we are interested
in choosing a definition that preserves such linear time logic properties.
Linear time logic will also be used to express the properties and the re-
quirements that need to be verified by a system.
Linear Temporal Logic (LTL)
We start by describing a state based LTL where atomic properties are ob-
servers on the system state.
Syntax The syntax is defined by means of the following grammar :
ϕ := > | p | ¬ϕ | ϕ1 ∨ ϕ2 | © ϕ | ϕ1 U ϕ2
Where p ∈ P = p1, · · · , pn is the set of propositions.
The LTL formulas are defined inductively in the following manner :
1. > is a formula.
2. A proposition p ∈ P is a formula.
3. If ϕ is a formula, then ¬ϕ is also a formula.
4. If ϕ1 and ϕ2 are formulas, then (ϕ1 ∨ ϕ2) is also a formula.
5. If ϕ is a formula then©ϕ is also a formula.
6. If ϕ1 and ϕ2 are formulas, then ϕ1Uϕ2 is also a formula.
From these we can derive other operators such as :
1. ⊥ is equal to ¬>.
2. ϕ1 ∧ ϕ2 is equal to ¬(¬ϕ1 ∨ ¬ϕ2).
3. ϕ1 ⇒ ϕ2 is equal to ¬ϕ1 ∨ ϕ2.
4. ♦ϕ is equal to >Uϕ.
5. ϕ is equal to ¬(>U¬ϕ).
6. ϕ1 R ϕ2 is equal to ¬(¬ϕ1U¬ϕ2).
7. Weak Until : ϕ1 W ϕ2 is equal to (ϕ1Uϕ2) ∨ϕ1.
1.2. Temporal Logics 15
LTL Semantics Given a set of states S, Tr = Sω the set of infinite se-
quences of elements of S, and v : S → 2P, a valuation function that asso-
ciates to each state its set of satisfied propositions, let pi = s0, s1, s2 . . . a
sequence of states and ϕ an LTL formula. We define ϕ is true on pi denoted
as pi |= ϕ, recursively on ϕ. For all i = 0, 1, ... we denote by pii the sequence
of states si, si+1, si+2....
1. pi |= >.
2. pi |= p if p ∈ v(pi0).
3. pi |= ϕ1 ∨ ϕ2 if pi |= ϕ1 or pi |= ϕ2.
4. pi |= ¬ϕ if pi 6|= ϕ (or¬pi |= ϕ).
5. pi |=©ϕ if pi1 |= ϕ.
6. pi |= ϕ1Uϕ2 if ∃k |pik |= ϕ2 and ∀k′ < k ,pik′ |= ϕ1.
State-Event Linear Temporal Logic (SE-LTL)
We have just seen the semantics of the state-based LTL. Here, we extend
this logic with event-based semantics leading to the definition of the SE-
LTL logic [37]. SE-LTL is an extension of LTL. The only syntactic difference
between LTL and SE-LTL is that the latter can have both state propositions
and event propositions allowing to refer to both states and events when
constructing specifications. An important distinction to be made between
the state-based traces and the event based traces is that in state properties,
it is possible to have multiple propositions satisfied at the same state, while
event properties are exclusive. Formally, the SE-LTL logic can be defined
in the following manner :
SE-LTL Syntax The syntax of SE-LTL is defined by means of the follow-
ing grammar :
ϕ := > | e |p | ¬ϕ | ϕ1 ∨ ϕ2 | © ϕ | ϕ1 U ϕ2
Where e ∈ E = e1, · · · , en is the set of events and p ∈ P = p1, · · · , pn a set
of propositions. The SE-LTL formulas are defined inductively in the same
way as in the Event LTL syntax.
SE-LTL Semantics Given a set of states S, Tr = (S× E)ω the set of alter-
nating infinite sequence of states and events, and v : S → 2P a valuation
function that associates to each state its set of satisfied propositions, let
pi = s0
e0→ s1 e1→ s2 · · · ∈ Tr a sequence of state/events in the set of traces
Tr and ϕ a SE-LTL formula. For all i = 0, 1, ... we denote by pii the sequence
of states/events si
ei→ si+1 ei+1→ si+2.... In addition to the semantics of LTL,
we have the following :
1. pi |= e if pi = s0 e→ ....
16 Chapter 1. Timed Systems
Time Domain
Before introducing timed logic, we introduce the timed domain describ-
ing the operations available over the time data type. We define a time do-
main [64] as a commutative monoid (∆, 0,+) with 0 as a neutral element.
We also assume :
1. + is left-cancelative : t + u = t + v⇒ u = v.
2. + is anti-symmetric : t + u = 0⇒ t = u = 0.
3. ∆ is ordered : u ≤ v , ∃x, u + x = v.
4. ≤ is total : u ≤ v ∨ v ≤ u.
Thus (N, 0,+) and (R+, 0,+) are respectively a discrete and dense time
domains.
Metric Interval Temporal Logic (MITL)
We have seen that in LTL and SE-LTL, an execution of a system is modeled
by a sequence of states or events. As noted, in this model, the precise
timing of occurrence of events or propositions is not specified. To address
this, many logics were extended by timing notions. This has lead to the
creation of the Metric Temporal Logic MTL [72]. MTL extends LTL by
adding interval of times to the temporal operators.
Unfortunately, it has been proven that the satisfiability and model
checking problems for MTL are undecidable [55]. Thus, some restrictions
on MTL were considered. It turns out that the problem of decidability
arises from what is called punctuality or punctual intervals [17, 56] which
is the ability to specify that a particular event is always followed exactly
one time unit later by another one: (p → ♦1q). But this is a little bit out
of the scope of this document. Here, we just say, that a restriction to MTL
which only considers non punctual intervals has been defined. This has
lead to the Metric Interval Temporal Logic MITL [16]. As LTL, we start by
describing a state-based version of MITL.
Syntax The syntax is defined by means of the following grammar :
ϕ := > | p | ¬ϕ | ϕ1 ∨ ϕ2 | ϕ1 UI ϕ2
Where p ∈ P = p1, · · · , pn the set of propositions and I is a non punc-
tual interval in ∆ with closed or opened bounds. The MITL formulas are
defined inductively in the following manner :
1. > is a formula.
2. A proposition p ∈ P is a formula.
3. If ϕ1 and ϕ2 are formulas, then ϕ1 ∨ ϕ2 is also a formula.
4. If ϕ is a formula, then ¬ϕ is also a formula.
5. If ϕ1 and ϕ2 are formulas, then ϕ1UIϕ2 is also a formula.
1.2. Temporal Logics 17
As in the case of LTL, we can derive other operators. Here, we just show
the operators specific to the MITL logic.
1. ♦Iϕ is equal to >UIϕ.
2. Iϕ is equal to ¬(>UI¬ϕ).
3. ϕ1 RI ϕ2 is equal to ¬(¬ϕ1UI¬ϕ2).
Intuitively, the formula Iϕ means that ϕ is always satisfied after any
delay of interval I. The formula ♦Iϕ means that ϕ will be satisfied after
some delay of interval I. Finally, ϕ1UIϕ2 means that ϕ1 is always satisfied
until a certain point in time t where ϕ2 becomes satisfied. This point of
time t needs to happen in the interval I.
MITL Semantics Given a set of properties P , the semantics of MITL for-
mulas are defined over timed state sequences [16]. A timed state sequence
is a sequence σ = (P0, I0) → (P1, I1) → ... where Pi ⊆ P and Ii are closed
intervals such that:
1. I0 is left-closed and its left bound is equal to 0,
2. For all i > 0, the right bound of the interval Ii is equal to the left
bound of the interval Ii+1,
3. Each instant t ∈ R+ is an element of a unique interval Ii of the timed
state sequence.
This means that each interval of the timed state sequence represents the
states when some propositions are satisfied. Given a time t ∈ Ii, we denote
by σt the suffix of a state sequence from the instant t : σt = (Pi, Ii − t) →
(Pi+1, Ii+1 − t)→ (Pi+2, Ii+2 − t) . . . and t ∈ Ii. We denote as well by σi the
ith couple (Pi, Ii) of the timed state sequence σ. Formally, for disc((s, I))
a function that returns the discrete part s of an element of a timed state
sequence and v : S → 2P a valuation function that associates to each state
its set of satisfied propositions, the MITL operators are defined over timed
state sequences σ in the following manner :
1. σ |= >.
2. σ |= p if p ∈ v(disc(σ0)).
3. σ |= ϕ1 ∨ ϕ2 if σ |= ϕ1 or σ |= ϕ2.
4. σ |= ¬ϕ if σ 6|= ϕ (or¬σ |= ϕ).
5. σ |= ϕ1UIϕ2 : ∃t ∈ I , σt |= ϕ2 and ∀t′ ∈ [0, t[ , σt′ |= ϕ1.
Stave/Event Metric Interval Temporal Logic (SE-MITL)
Just like the case of LTL, we define a version of MITL based on its event
semantics.
18 Chapter 1. Timed Systems
Syntax The syntax is defined by means of the following grammar :
ϕ := > | e | p | ¬ϕ | ϕ1 ∨ ϕ2 | ϕ1 UI ϕ2
Where e ∈ E = e1, · · · , en the set of events, p ∈ P = p1, · · · , pn the set of
propositions and I is an interval in R+ with closed or opened bounds. The
SE-MITL formulas are then defined inductively in the same way as in the
MITL case.
SE-MITL Semantics Just as before, the semantics of SE-MITL formulas
are defined over timed state event sequences. A timed event state sequence
is a sequence σ = (P0, I0)
e0→ (P1, I1) e1→ .... In addition to the semantics of
MITL, we have the following :
1. σ |= e if σ = (P0, I0) e→ ....
1.2.2 Branching Temporal Logic
There exists several branching temporal logic. The most known maybe
Computation tree logic CTL [40] or CTL variants and µ-calculus [32]. CTL
is a branching-time logic, meaning that its model of time is a tree-like
structure in which the future is not determined; there are different paths
in the future, any of which might be an actual path that is realized. In this
document, we will just discuss the µ-calculus logic which we will use in
the contribution part of this PhD.
µ-Calculus
Modal/Propositional mu-calculus (Lµ) [32] is a branching time temporal
logic used extensively in different fields of theoretical computer science,
in systems verification and model checking. This is mostly due to its high
expressive power, thereby, many branching time logic can be translated
into this logic. It can be viewed as a generalization of CTL thanks to the fix-
point operators µ and ν allowing to define respectively branching liveness
and safety properties.
Syntax of µ-Calculus
Let Var be a set of variable names, typically denoted by Z, Y, ...; let Prop
be a set of atomic propositions, typically denoted by P, Q,...; and let L be
a set of labels, typically denoted by a, b, ... . The set of Lµ formulas (w.r.t.
Var, Prop,L) is defined as follows:
ϕ ::= P | Z | ϕ1 ∧ ϕ2 | [a]ϕ | ¬ϕ | νZ.ϕ
From these we can derive other dual operators such as :
1. ϕ1 ∨ ϕ2 means ¬(¬ϕ1 ∧ ¬ϕ2).
2. 〈a〉ϕ means ¬[a]¬ϕ.
3. µZ.ϕ(Z) means ¬νZ.¬ϕ(¬Z)
1.3. Timed Systems Models 19
The meaning of the formula [a]ϕ is that ϕ holds after all a-actions. Its
dual 〈a〉ϕ means that it is possible to do an a-action to a state where ϕ
holds. Recursion operators are used for recursive formula µZ.ϕ(Z) and
νZ.ϕ(Z) where ν (resp. µ) is the greatest (resp. least) fixed point operator.
Semantics of µ-Calculus
The models for the µ-calculus are defined over a structure S of the form
〈S, L, T, v〉where 〈S, L, T〉 is a labeled transition system (introduced in Sec-
tion 1.3) and v : Prop → 2S is a valuation function that maps each atomic
proposition P ∈ Prop to sets of states where P holds. Given a structure S
and a function V : Var → 2S that maps the variables to sets of states in the
transition system, the set ‖ϕ‖SV of states satisfying a formula ϕ is defined
as follows :
• ‖P‖SV = V(P).
• ‖X‖SV = V(X).
• ‖¬ϕ‖SV = S - ‖ϕ‖SV.
• ‖ϕ1 ∧ ϕ2‖SV = ‖ϕ1‖SV ∩ ‖ϕ2‖SV.
• ‖[a]ϕ‖SV = {s | ∀t, s a→ t⇒ t ∈ ‖ϕ‖SV}.
• ‖νX.ϕ‖SV =
⋃{Q ∈ 2S | Q ⊆ ‖ϕ‖S
V[X 7→Q]} where V[X 7→ Q] is the
valuation which maps X to Q and otherwise agrees with V.
Notations We define the notations EF (exists finally) and AG which will
be helpful in the coming sections. These operators (existential and univer-
sal quantifiers) are CTL-like operators in a state-event based variant.
EFLP = µZ.P ∨
∨
l∈L
〈l〉Z (Liveness)
This is read as there exists (expressed by 〈l〉) a finite path labeled by
elements of L after which a state is reached where P holds. Since we have
used a µ this also means that P will eventually hold. We also define :
AGLP = ¬EFL¬P = νZ.P ∧
∧
l∈L
[l]Z (Safety)
This means that on all the paths that are labeled by l ∈ L, P holds on
all of its states. If L is the full set of labels, we get the usual definition of
the CTL EF and AG operators.
1.3 Timed Systems Models
In this section, we study briefly some timed system models. These are
Timed Automata, Timed Game Automata, and Timed transition systems,
followed by the FIACRE language, a component-based real time system
modeling language. For each of these models, we will give the syntax and
the semantics.
20 Chapter 1. Timed Systems
1.3.1 Timed Transition Systems
We start by giving the formal definitions of a transition system and its
timed variant, a timed transition system, which will be used to give the
semantics of the timed systems models given here. Formally, a labeled
transition system is :
Labeled Transition System LTS Given a set of labels L and a set of
atomic propositions P, a Labeled Transition System can be described as
〈Q, Q0,→〉 where :
• Q is a set of states,
• Q0 ⊆ Q is a set of initial states,
• →⊆ Q× L×Q is a set of transitions.
We denote by τ the silent action and define Lτ = L ∪ {τ}. We write
q l→ q′ for (q, l, q′) ∈→ and denote q l→ iff there exists a state q′ such that
q l→ q′. If l 6= τ then qi l⇒ qj is a shorthand for qi τ→
∗ l→ qj otherwise it is a
shorthand qi
τ→∗ qj. We define as well the direct successors of a state by the
following Post(q, α) = {q′ ∈ Q | q α→ q′} and Post(q) = ⋃α∈L Post(q, α). A
state q of a transition system is called terminal if Post(q) = ∅.
Now we extend the labeled transition system to the timed context by
adding time labels to the transitions.
Timed Transition System TTS Let ∆ be a time domain, a timed transi-
tion system TTS is a transition system where the transition relation → is
defined as ⊆ Q× (L∪∆)×Q. This means that a TTS is an LTS having two
kinds of transitions. Control transitions represented by action labels and
time transitions represented by continuous delay. Furthermore, we require
standard axioms for→ as defined in [44]:
1. time determinism : for all q, q′, q′′ ∈ Q and for all δ ∈ ∆ whenever
q δ→ q′ and q δ→ q′′ then q′ = q′′.
2. time reflexivity (zero-delay) : for all q, q′ ∈ Q, q 0→ q′ ≡ q = q′.
3. time additivity : for all q, q′, q′′ ∈ Q and for all δ1, δ2 ∈ ∆ if q δ1→ q′
and q′ δ2→ q′′ then q δ1+δ2→ q′′.
4. time continuity : for all q, q′ ∈ Q and for all δ ∈ ∆, if q δ→ q′ then
for every δ1, δ2 ∈ ∆ such that δ = δ1 + δ2, there exists q′′ such that
q
δ1→ q′′ δ2→ q′.
1.3.2 Timed Automata
A timed automaton [15] is a formalism for the modeling of reactive and
real-time systems. It is a finite automaton having a finite set of real-valued
clocks, that is, variables with values ∈ R+. In a timed automaton, time is
always synchronous, meaning that all the clocks increase at the same rate.
1.3. Timed Systems Models 21
Moreover, the values of these clocks may be tested during a run of a timed
automaton using a clock constraint language which forms the guard of
the transition. The clocks may also be reset. Timed automata have gained
a lot of popularity in recent years.This popularity for timed automata is
mainly because -thanks to restrictions on the constraints language of the
guards- its reachability problem is decidable [15]. This is why, lots of ver-
ification techniques, such as checking safety and liveness properties, sim-
ulation and bisimulation of timed automata have been a subject of study
during the last decade. Two main tools that are based on timed automata
have also been developed. These are the model checkers UPPAAL [73] and
KRONOS [104].
Formal Definition
Formally, a timed automaton is a tuple A = (Σ, Q, q0, X, I, T) that consists
of the following components :
1. Σ is a finite alphabet of actions.
2. Q is a finite set of states.
3. q0 ∈ Q is an initial state.
4. X is a finite set of clocks.
5. I : Q→ C(X) is a mapping function that assigns to each state a clock
constraint in X called the location invariant.
6. T ⊆ S × Σ × C(X) × 2X × Q is a set of transitions. Every element
e = 〈q, a, ϕ,λ, q′〉 ∈ T corresponds to a transition from the state q to
the state q′, with a label a, a guard ϕ, and a reset set λ ⊆ X.
Clocks and Constraints
A clock x is a variable with a value ∈ R+. For a set X of clocks, C(X) is
the set of clock constraints that is defined by the following grammar :
φ1, φ2 ∈ C(X) ::= true | x < c | x ≤ c | x > c | x ≥ c | φ1 ∧ φ2
where x ∈ X, c is a constant ∈ Q.
Semantics
The semantics of a Timed automaton A is a timed transition system with
an infinite set of states in the form of pairs (q, k) where q ∈ Q is a state of
A and k is a clock interpretation function over X that assigns a real value
to each clock such that k |= I(q). The transitions of the timed transition
system can be either discrete transitions or time transitions. Consider a
state (q, k). Given a transition t = (q, a, g, r, q′) of A and d ∈ R+ :
• (q, k) a→ (q′, k′) is a Discrete Transition where (k′ = [r := 0]k) if k |= g
and k′ |= I(q′).
• (q, k) d→ (q, k + d) is a Time transition if k + d |= I(q) and for all
0 ≤ e ≤ d, k + e satisfies the constraint I(q).
22 Chapter 1. Timed Systems
Example
This is a classic example for reactive systems which is the Railroad Cross-
ing [11]. It consists of three processes, a train, a gate and a controller. The
idea is that whenever the train arrives, the controller needs to guarantee
that the gate is open. In addition, the gate needs to be closed when the
train leaves. Here, we just show the modeling of the train. The real time
properties which are needed to be satisfied are the following :
1. The train signals its approach for at least 2 units of time after enter-
ing the gate (expressed through the approach action).
2. No more than 5 units of time should elapse between the approach
and the exit (expressed by the clock associated to the exit action).
Figure 1.1 – Train Modeling in Timed Automata
Far  Nearx <= 5
approach
x : = 0
   Inx <= 5
x > 2, in
 Afterx <= 5
  exit
out
The clock is initialized to 0 when the approach signal is received. The train
cannot enter the gate, if since its approach, the total elapsed time is less
than 2 units of time (satisfies the first property) which means it cannot
go too fast (minimal bound). Moreover, the time constraint associated to
the "In" state specifies that the total elapsed time since the approach must
be less that 5 units of time. The train leaves the "In" state respecting its
invariant. In the "After" state, the total elapsed time must always be less
than 5 units of time which means the train must go fast enough (maximal
bound). The exit event occurs at most 5 u.o.t after the approach signal,
thus satisfying the second property.
1.3.3 Timed Game Automata
Here, we talk about the timed game automata [78] or the Larsen’s and al
variant of timed input output automata [44]. Actually, these two have sim-
ilar definitions. For the case of the input/output automata, its actions are
split between input and output actions. Whereas in the case of timed game
automata, its actions are split between controllable and uncontrollable ac-
tions. Intuitively, the output actions correspond to controllable ones while
the input actions, since they are sent by the environment, correspond to
non-controllable ones. Even though these two formalisms are statically
different, they share a lot of common notions, especially the alternating
1.3. Timed Systems Models 23
simulation definition and the algorithm of its verification. In [44] the the-
ory of timed input output automata is presented where the simulation
and different composition operations over timed input output automata
are defined. However, the alternating simulation algorithm is based on a
timed game presented in [36] and implemented later in the UPAAL-TIGA
tool [22].
Timed Game Automata Definition
A Timed Game Automaton (TGA) G is a timed automaton with its set of
transitions T partitioned into controllable (Tc) and uncontrollable (Tu) tran-
sitions. Formally, it is defined as a timed automaton A = (Σ, Q, q0, X, I, T)
where Σ = Actc ⊕ Actu is a finite set of actions, partitioned into control-
lable and uncontrollable respectively.
Semantics of a TGA
Similarly, the semantics of timed automaton is a timed transition system,
by applying the same rules, the semantics of TGA is a transition system
where its set of actions are partitioned into controllable and uncontrol-
lable.
Example
We give the modeling in terms of a timed input output automata of the
controller of the Railroad Crossing. The controller is initially at the state
idle. Upon receiving the train’s approach signal, it transmits the lower
signal asking to lower the gate. When the train’s exit signal is received,
the controller transmits the raise signal asking to raise the gate. The
response time of the controller to the approach signal is 1 minute, and to
the signal exit is at most 1 minute. These constraints are expressed using
the clock z.
Figure 1.2 – Controller Modeling in Timed Input Output Automata
idle
approach ?
Z : = 0
lower !
Z : = 1
exit ?
Z : = 0
raise !
Opened Z <=1
ClosedZ <=1
1.3.4 Other Timed Models
Let us start by reviewing some notions in their original untimed versions.
CSP
CSP (Communicating Sequential Process) [96] is a process algebra for de-
scribing concurrent systems that was developed by Tony Hoare in an ar-
ticle published in 1978. Combining a synchronization mechanism based
24 Chapter 1. Timed Systems
on "appointments" with a simple and concise syntax, CSP allows an im-
plementation of traditional paradigms of concurrency. For this purpose,
it offers operators such as prefixing x → P which is a process that syn-
chronizes on the event x and then behaves as the process P, the recursion
(P = x → P) which is a process that can perform an indefinite number
of x, deterministic PQ and non deterministic choice P uQ between pro-
cesses, deadlock process (STOP) and parallel composition (P ‖ Q), and so
on.
Example: Here is an example of a coffee machine that offers the choice
between a big and a small cup of coffee. The machine accepts a 2 euro coin
and returns depending on the choice of the customer a big cup of coffee
or a small one with a 1 euro change. It accepts as well a 1 euro coin and
returns a small coffee or even two successive 1 euro coins and returns a
big coffee. However, a foolish customer insists at having a big cup of coffee
independently of the coins he enters. The composition of these processes
results in a satisfied customer upon the customer’s payment of 2 euros.
Otherwise the composition will block.
COFFEE = ( in2p → (large → COFFEE
 small → out1p → COFFEE)
 in1p → (small → COFFEE
 in1p → (large → COFFEE
 in1p → STOP)))
FOOLCUST = (in2p → large → FOOLCUST
 in1p → large → FOOLCUST)
SYSTEM = (FOOLCUST || COFFEE)
Petri Nets
A Petri Net [91] is a directed graph that contain places and transitions that
may by connected by directed arcs. Transitions represent actions while
places represent states. The arcs run from a place to a transition or vice
versa. Places may contain tokens, and a transition can be fired if there is
at least one token at each of its input places. In this case, the tokens may
move to other places. Formally, a Petri Net is a tuple (S, T, F, M0) where:
• P is a set of places.
• T is a set of transitions.
• F ⊆ (P× T) ∪ (T × P) is a set of arcs.
• M0 : S → N a function called initial marking that associates to each
place a set of tokens.
The marking of a Petri Net describes the number (possibly zero) of
tokens inside the places. A place is then empty or marked. If the place
represents a logical condition, (for ex : machine off), the presence of token
means that this condition is true while its absence means that the condition
1.3. Timed Systems Models 25
is false. If the place represents a resource (for ex : stock), it can contain
multiple tokens.
Example This example of Fig 1.3 shows how a waiter in a restaurant may
serve the customers. A customer can only be served if a waiter is free. As
an initial marking, we suppose that the waiter is free and that the two
customers have arrived to the restaurants.
Customer 1 Customer 2waiter free
take ordertake order
wait wait
order taken
serve food serve foodtell kitchen
eating eating
Figure 1.3 – Restaurant in Petri Net
Because of concurrency, there exists several possible executions of this
example. Here, we only discuss two of them
• Scenario 1: the waiter takes the order from customer 1 (places :
wait and order taken) before telling the kitchen (place : waiter
free). The waiter then serves customer 1 (places : eating and
waiter free). He then takes order from customer 2 and serves
customer 2 in the same way.
• Scenario 2: the waiter takes the order from customer 1 (places :
wait and order taken) before telling the kitchen (place : waiter
free). The waiter takes order from customer 2 (places : wait of
customer 2 and order taken), tells the kitchen (place : waiter
free) and serves customer 2 (places : eating of customer 2 and
waiter free). Afterwards, he serves customer 1 since a token is
still available in the wait place of customer 1.
Timing Extensions
Adding Time to Transition Systems Timed transitions systems [45] 1 are
an extension of transitions systems where real time constraints are added
by associating minimal and maximal time delays with the transitions. The
timing constraints means that an enabled transition should be fired after
1The name is an overload of the timed transition systems that we have seen earlier in
this chapter. Actually, the timed transition system of [45] is a higher level model than the
one we have seen.
26 Chapter 1. Timed Systems
its minimal bound and before its maximal bound unless it gets disabled.
In Timed Transition Systems, we suppose that all transitions happen in-
stantaneously while the timing constraints restrict the time in which the
transitions can be made.
Adding Time Constraints to Petri Nets As other timed models we can
cite the extensions that were made to existing models used in the un-
timed context. For example, different Petri Nets time extensions were sug-
gested [24] such as adding a duration to a place [71], a duration of a
transition (Timed Petri Nets [95]) or also a delay to a transition (Time Petri
Nets [81] where a time interval is associated with each transition specify-
ing the minimal and the maximal time elapsing after the enablement of the
transition. Time Petri Nets are supported by the Tina tool (Section 1.3.6)
and are used to define the semantic model of FIACRE (Section 1.3.5). For-
mally, a time Petri Net is a couple TP = (R, δ) where R = (S, T, F, M0) is
a petri net and δ is a function that associates a time interval to each transi-
tion. In the example of Fig 1.4, given a function f that returns the absolute
firing time of a transition then if f(T0) = 12 and f(T1) = 4 then f(T2) = 5, 6
or 7 since the tokens of P2 are created by either one of the transitions T0
and T1. We note here that since the maximal bound of T1 (6) is less than
the minimal bound of T0 (10) then T0 is never fired even though a token
is present in P0.
P0 P1
   T0[10,15]   T1[3,6]
   T2 [1,3]
P2 P3
P4
Figure 1.4 – Time Petri Net
Adding Time to CSP Process algebras such as CSP were also extended
by timing notions which lead to Timed CSP [5]. In Timed CSP, the oper-
ators were extended by time notions and new operators were added to
describe timeouts, explicit waiting (wait t), timed interrupt and so on.
1.3.5 The FIACRE Language
FIACRE [29], an acronym for Format Intermédiaire pour les Architectures
de Composants Répartis Embarqués (Intermediate Form for Architectures
of Embedded Distributed Components) is a formal intermediate language
dedicated to the modeling of both the behavioral and timing aspects of
systems. It is used for formal verification and simulation purposes. Basi-
cally, FIACRE is a process algebra where hierarchical components commu-
1.3. Timed Systems Models 27
nicate either through synchronous messages by means of ports or through
shared memory by means of variables. These ports and variables define
the interface of a component. A FIACRE program is a set of components
declarations (specifications) together with a "main" component. A specifi-
cation is either a Process which are the leaves of the FIACRE program or
Component which are its nodes.
• Process : describes a sequential behavior using symbolic transition
systems based on [58]. Accordingly, a process is defined by a set of
states and transitions. Each transition has a guard and a non de-
terministic action that may synchronize on a timed port and may
update local or shared variables.
• Component : describes the parallel composition of sub-components.
Moreover, the components may introduce variables and ports shared
by its sub-components. Real time constraints and priorities can be
attached to ports. The real time constraint attached to a port p is
a time interval I. This means that once the event p is enabled, the
execution should wait at least the minimum bound of I and at most
its maximum bound.
 process P [ping : none, pong : none]                  (& w : bool, first : bool) is  states s0, s1init if first then to s0 else to s1 from s0 ping ; w := not w ; to s1 from s1 pong ; to s0             
            
component C isport ping, pong : nonevariable w : bool := true par * in  
  P [ ping, pong ] (& w , true)
   | |  P [ pong, ping ] (& w,  false)   
end
ping
   
w
pong
P (true) P (false)
C
ww
pong ping
pong
s0 s1
ping / w := not w[first] not [first]
ping pong wP (first)
   | |  ...
Figure 1.5 – Graphical notations
In the example given in Fig 1.5, we show the textual syntax and the
graphical syntax where processes are illustrated as automatons and com-
ponents as communicating boxes through ports (•) or shared variables
(). We will use both notations in the rest of this document. In Fig. 1.5,
two process instances of P are composed together by synchronizing on
the ports ping, pong and by sharing the variable w. The Boolean vari-
able first allows to specify the instance of the process P that initiates
the game. Once this is done, the game proceeds by doing an infinite num-
ber of ping and pong events. The ping of an instance is the pong of the
other.
Adding Timing Constraints If we want to create a ping pong game that
is able to finish, we may do this by adding timing constraints that alter the
28 Chapter 1. Timed Systems
course of the game. For example, in Fig 1.6, if either one of the ping and
pong events is not made in 1 u.o.t the game may (or must, depending if
priorities are added) end via the transition to the state finish.
 process P [ping : none, pong : none, timeout                  : none] (& w : bool, first : bool) is  states s0, s1, s2init if first then to s0 else to s1 from s0 select ping ; w := not w ; to s1                        []                        timeout; to s2               endfrom s1 select pong ; to  s0                        []                        timeout to s2               end             
            
component C isport ping, pong : none,        timeout : none in [1,1]priority timeout > ping, pongvariable w : bool := true par * in    P [ ping, pong, timeout ] (& w , true)
   | |  P [ pong, ping, timeout ] (& w,  false)   
end
ping
   
w
pong
P (true) P (false)
C
ww
pong ping
pong
s0 s1
ping / w := not w[first] not [first]
ping pong wP (first)
   | |  ...
s2
timeouttimeout
timeout timeout
Figure 1.6 – Timing Constraints in FIACRE
1.3.6 TINA
TINA (TIme petri Net Analyzer) [20] is a toolbox developed at LAAS/C-
NRS which allows the edition and analysis of Petri Nets and Time Petri
Nets extended with data variables and priorities. The essential tools of
TINA that are used in this PhD are :
1. frac : FIACRE to tina compiler which compiles FIACRE specifica-
tions into high level time petri nets, the input language of most TINA
tools.
2. tina : a state space abstraction tool that generates a finite automa-
ton. As in most model checking tools, abstractions techniques are
used to help prevent state-explosion. However, these abstractions
need to preserve specific properties of the original specifications. To
cope with state explosion, TINA offers various abstract state space
constructions that preserve specific classes of properties of the state
spaces of nets, like absence of deadlocks, linear time temporal prop-
erties, and bisimilarity. For timed systems, TINA also provides vari-
ous abstractions based on state classes preserving reachability prop-
erties, linear properties, or branching properties.
3. selt : a linear time logic model checking tool. Selt is a tool that im-
plements a state/event variant of linear time logic LTL. This means,
that both state-based properties, such as the value of data-variables
or event-based properties, such as the occurrence of events, may be
1.4. Alternative Definitions : Use of Label Structures 29
checked using this logic. Moreover, real time properties expressed
in timed variants of CTL or LTL, are checked using the standard
technique of observers, encoding such properties into reachability
properties.
4. muse : a modal mu-calculus model checker. It is used to model check
the finite automata by modal mu-calculus formula. The muse tool
must be used to model check abstractions of the system preserving
branching properties (using the -A attribute) since mu-calculus is a
branching logic. Moreover, the priorities in this case cannot be used.
1.4 Alternative Definitions : Use of Label Structures
We are going to talk about an alternative work in the context of the study
of formal semantics of specification languages. As a matter of fact, we
have identified a construction method with which the formal semantics
of our models could be eased. This method is based on abstracting and
encapsulating the labels and the compositional behavior of systems in a
label structure.
The label structure is equipped with a composition operator which
specifies the specific composition laws of each language and would fur-
ther serve as a parameter of the behavioral framework. Such structure
could be instantiated differently depending on the choice of the target
language. Thanks to the separation between the composition laws and the
behavioral framework, the latter, which is based on LTS, offers a unique
partially synchronous LTS composition which is reused to define syntactic
composition of different extensions of LTS.
We show how the LTS and TTS notions are built following this method.
For the interested readers, we give in Appendix A a more complete work
in which we show how timed automata can be built by label structures.
We start with the definition of a label structure :
Definition 1.1 (Label Structure) A label structure is a tuple 〈L, LE,on〉 where L
is a set of labels, LE ⊆ L is a set of errors and (on: L× L 9 L) denotes a partial
binary composition operator over L.
In this structure we differentiate between a normal label and an error
label. The addition of a separate error label at this level may seem unnatu-
ral for those who are interested in model checking tooling. But note that in
this case, it is purposely done for semantic definition goals. The partiality
of the function comes from the fact that some composition may be blocked
since the composition operator on only describes the synchronous aspects
of the composition. As for the asynchronous aspects, they are described
later in the systems composition. The creation of an error label stems from
the fact that in certain languages, namely FIACRE, a distinction is made
between execution errors (blocking) and compilation errors. For instance,
reading two different values of the same variable leads to a blocking tran-
sition, while concurrent reading and writing and concurrent writing of the
same variable is an error.
We show an example of a label structure which is used later when
defining a timed model :
30 Chapter 1. Timed Systems
Time Label Structure. For ∆ a time domain (non-negative real numbers,
naturals . . . ) equipped with a binary associative operator + and a neutral
element 0, the time structure TS is given in the following where a syn-
chronization only takes place when the same value is present at the two
sides of the composition :
TS = 〈∆,∅, (δ1, δ2) 7→ δ1 if δ1 = δ2〉
Composition of Label Structures The label structures can also be com-
posed to create a new label structure. In practice, this is very helpful and
very useful, especially, when building progressively the models (for ex-
ample, by refinement). We define the product and the sum of two label
structures. The product operation builds new labels as couples of the com-
posed labels. This is particularly used when composing synchronization
and memory access labels. Unlike the product operation, the labels of the
sum operation are defined over the disjoint union of the composed labels.
This is especially used when composing synchronization and time labels
to specify that only one of the events may occur but not both simultane-
ously.
Product of Label Structures Given two label structures 〈L, LE,on〉 and
〈L′, L′E,on′〉, their product ranges over the set P = (L ∪ {e}) × (L′ ∪
{e′})\{(e, e′)} where e (resp. e’) is a new element of L (resp. L’) sup-
posed to be neutral for the on operator of its respective label structure. For
l1, l2 ∈ L and l′1, l′2 ∈ L′, the composition of (l1, l′1), (l2, l′2) is defined only
if the composition of l1 and l2 and the composition l′1 and l
′
2 are also both
defined.
〈L, LE,on〉 ⊗ 〈L′, L′E,on′〉 = 〈P, LE × (L′ ∪ {e′}) ∪ (L ∪ {e})× L′E,
(l1, l′1), (l2, l
′
2) 7→ (l1 on l2, l′1 on′ l′2) if (l1, l2) ∈ dom(on) ∧ (l′1, l′2) ∈ dom(on′) 〉
Sum of Label Structures Given 〈L, LE,on〉 and 〈L′, L′E,on′〉, their sum
ranges over the disjoint union of L• unionmulti •L′ where L• = {l• | l ∈ L} and
•L′ = {•l | l ∈ L′}. Formally, the sum is defined as:
〈L, LE,on〉 ⊕ 〈L′, L′E,on′〉 =
〈L unionmulti L′, LE unionmulti L′E,
(
l1•, l2• 7→ (l1 on l2)• if (l1, l2) ∈ dom(on)
•l1, •l2 7→ •(l1 on′ l2) if (l1, l2) ∈ dom(on′)
)
〉
The Sum operator would be used later to build the labels of a time labeled
transition system where its labels can be an event or a time value.
Labeled Transition Systems (LTS)
Now, we reformulate the definition of the labeled transition system by
taking into account our label structure. This leads into an LTS defined
over a label structure and that inherits its compositional behavior out of
the composition operator of the label structure.
1.5. Conclusion 31
Definition 1.2 (Labeled Transition System LTS) Given a label structure LS =
〈L, LE,on〉, a labeled transition systems L over LS -denoted as LLS- is defined as
〈Q, Q0 ⊆ Q, T, α : T → Q, β : T → Q,λ : T → L〉 where :
• Q, Q0, T denote respectively the sets of states, initial states, transitions.
• α, β and λ denote functions that return respectively, the source, the target
and the label of a transition.
Timed Transition System The construction could be extended into the
timing model TTS, by making use of our defined time label structure.
Definition 1.3 (Timed Transition Systems TTS) Given a label structure LS =
〈L, LE,on〉, a Timed Transition System TTS over LS is an LTS over LS⊕ TS.
We finish this section by discussing about the composition of the differ-
ent behavioral systems. In fact, since the composition is made at the label
structure level, the composition of different extensions of labeled transi-
tion systems (for example, the time transition system) would reuse the
composition defined at the labeled transition systems. This means that the
behavioral composition itself is intact. However, it is parameterized by a
label structure containing the composition laws specific to each extension
of labeled transition systems. For more details, see Appendix A.
1.5 Conclusion
We have seen in this chapter some of the logic and timed models that
are used in real time modeling and verification. Most of these definitions
are time extensions of general definitions in the untimed context. We have
also defined the FIACRE language which will be the used language in this
document. In the next chapter, we cover the simulation relations between
transitions systems.

Chapter Two
Refinement and Simulation
2.1 Introduction
The verification of real-time systems plays a major role in the conception
of highly trusted systems. Yet, the more complex the system is, the more
complex -in terms of space and time- and the less tractable its verification
tends to be. New techniques have been suggested in order to minimize,
in terms of space and time, the verification cost. Refinement is one of the
most interesting concepts.
Refinement is a technique that allows the incremental development of
systems. Indeed, it allows to model progressively -at different levels of
abstractions- the behavior of the system. When a system C is said to be a
refinement of an abstract system A, then all of the properties satisfied by
the abstract system are also satisfied by the concrete level. More generally,
we say that if C is a refinement of A then each time the system A is used,
the system C can be used instead. In model checking, this is very useful
since the errors could be found earlier in the modeling of the system,
without any concern about its implementation.
Several relations and sufficient conditions were suggested for refine-
ment checking. This chapter consists in an introduction to the simulation
relations in both the untimed and the timed context. These relations are
sufficient conditions for the refinement of systems.
2.2 Simulation in the Untimed Context
The refinement in the untimed context has been studied intensively in the
literature. This has lead to several relations, equivalences and preorders
defined on labeled transition systems that differ in their semantics and
the properties they preserve.
Generally, we can find two approaches followed for the definition of
these relations. These approaches are either state-based or action-based.
Classically, when the main interest is mostly model checking these rela-
tions are usually defined based on the observable state properties of the
transition system whereas its actions are ignored. Conversely, when the
interest is process algebras for example, these same relations are found
but focus on the actions of the systems and ignore the states. [52] provides
34 Chapter 2. Refinement and Simulation
an overview and comparison of existing behavioral equivalences in the
state-based context.
Whether in the action-based context or in the state-based context, a
wide range of behavioral equivalences and relations has been developed
to compare two systems. Here, we only emphasize on the simulation rela-
tions.
Simulation relations are often called implementation relations which
are used commonly for verification purposes. By implementation rela-
tions, it is meant that they are used to show that a concrete system imple-
ments an abstract system. Even though simulations are not equivalence
relations, they enjoy an important feature which is their transitivity thus
making them applicable in incremental developments via intermediate re-
finements. When a concrete model is proven to be simulated by an abstract
one -on which the properties are verified-, the latter can be replaced by the
concrete model.
In what follows, the simulations are all defined on labeled transitions
systems LTS which we have introduced in the Timed Systems Chapter.
Throughout this chapter, the transition systems under consideration may
have terminal states. However when talking about the temporal logic that
are preserved by these relations, the transitions systems are assumed to be
without terminal states. We explain the reason of this assumption in the
following sections. Concerning the temporal logic preservation, here we
are interested in the preservation of LTL, the logic adopted in this PhD.
When a relation preserves other logic than LTL we will just cite it but we
will not go beyond this since this is out of the scope of this PhD.
2.2.1 Action-Based Simulation
We start by introducing action-based definitions of the simulation rela-
tions. In the action-based view [61], a system is studied based on the se-
quence of actions it makes. There exists two variants of definitions for the
traces model depending on whether the silent actions are taken into con-
sideration or not. In the strong semantics, the system is studied based only
on its observable actions. However, apart of the observable actions that a
system can induce, it may also have an invisible behavior that is based
on silent actions or moves. A silent action, (usually denoted as τ) means
that the system may transit to another state without being noticed by the
environment. In the context of process algebra this may be the result of a
Hiding or a Renaming construct used on actions [61, 83]. This has lead to
the weak semantics.
Strong Simulation
Given a set of labels L, two LTS Systems A = (QA, Q0A,→A) and C =
(QC, Q0C,→C), a relation R ⊆ QC ×QA is a strong simulation relation [82]
iff ∀q0C ∈ Q0C, ∃q0A ∈ Q0A such that (q0C, q0A) ∈ R and for every (qC, qA) ∈ R
and for every action l ∈ L, if qC l→ q′C then there exists q′A such that
qA
l→ q′A and (q′C, q′A) ∈ R.
We write C - A, if there exists a strong simulation relation R between
C and A. Here we note that a relation R ⊆ SC× SA is a strong bisimulation
2.2. Simulation in the Untimed Context 35
relation iff both R and R−1 are strong simulations. We write C ∼ A, if there
exists a strong bisimulation relation R between C and A.
a
b cb c
s4 s5
s2 s3
s1
a a
q1
q3 q4
q2
LTS1 LTS 2
a a a a
Figure 2.1 – Strong Simulation
In the example of Fig 2.1, LTS1 - LTS2 through the relation R =
{(s1, q1), (s2, q2), (s3, q2), (s4, q3), (s5, q4)}. However, LTS2 6- LTS1 since
there is no state in LTS1 that can simulate the state q2 in LTS2.
Preserved Logic The strong simulation preserves the linear temporal
logic (LTL) if the systems have no terminal states. Actually, the strong
simulation preserves a fragment of the CTL* logic [40] (Universal/Exis-
tential fragment of CTL*) which is more expressive than LTL. Here we do
not discuss about the CTL* since it is out of the scope of this document.
Now let us explain by means of an example the reason behind the
assumption of transitions systems without terminal states.
q2
q1
a
q3
b
s2
s1
a
s3
a
s4
b
LTS1 LTS2
Figure 2.2 – Terminal State
In the example 2.2, LTS2 - LTS1 and all the properties satisfied by
LTS1 are preserved in LTS2. However, while also having LTS1 - LTS2,
q2 |=©b but s2 6|=©b. This is because s2 is a terminal state in LTS1 but q2
is not in LTS2. In this case, the strong simulation only preserves a fragment
of LTL which corresponds to the safety properties. The same explanation
will hold for all the relations we see later in this chapter. As an alternative
to the assumption of not having terminal states in the LTS, an additional
condition may be added to the definition the simulation [23]. This as-
sumption implies that any deadlock in the concrete system corresponds
to a deadlock in the abstract system which means that new deadlocks are
forbidden. For every (QC, QA) ∈ R this is formulated as the following :
qC 6→⇒ qA 6→. Note when adding this clause we would no longer have
LTS1 - LTS2 since s2 6→; q2 6→.
36 Chapter 2. Refinement and Simulation
Weak Simulation
Given a set of labels Lτ, two LTS Systems A = (QA, Q0A,→A) and C =
(QC, Q0C,→C), a relation R ⊆ QC × QA is a weak simulation relation [83]
iff ∀q0C ∈ Q0C, ∃q0A ∈ Q0A such that (q0C, q0A) ∈ R and for every (qC, qA) ∈ R
and for every action l ∈ Lτ, if qC l→ q′C then there exists q′A such that
qA
l⇒ q′A and (q′C, q′A) ∈ R.
We write C -w A, if there exists a weak simulation relation R between
C and A.
a
b
cb c
s4 s5
s2 s3
s1
a a
q1
q4 q5
q2
q3
τ
LTS1 LTS2
a a a a
Figure 2.3 – Weak Simulation
In the example of Fig 2.3, LTS1 -w LTS2 through the relation R =
{(s1, q1), (s2, q2), (s2, q3), (s3, q2), (s4, q4), (s5, q5)}. However, LTS2 6-w LTS1.
Preserved Logic The weak simulation only preserves a fragment of
LTL [53]. Actually, the liveness properties and, more precisely the even-
tual operator is not preserved by the weak simulation. This results from
the presence of divergent paths (infinite path with only silent actions). To
better understand this, we again take an example :
s2
s1
a
b
q4
q3b
s2
q1
a
τ
q2
τ
LTS1 LTS 2
a a
Figure 2.4 – Divergent Path
In the example 2.4, LTS1 -w LTS2. However, LTS2 |= ♦b but LTS1 6|=
♦b. This is because LTS1 may be stuck forever in s2 by doing silent ac-
tions, without ever leaving, and thus b may never be satisfied. This is why,
another hypothesis is added so that the weak simulation may preserve
LTL. This hypothesis forbids an infinite path composed only with a cy-
cle of silent transitions in the concrete system [23]. With the addition of
this hypothesis LTS1 would no longer weakly simulate LTS2 in the ex-
ample 2.4. We will revisit this when discussing the weak simulation in
2.2. Simulation in the Untimed Context 37
the timed context and when giving our simulation definition in the CTTS
timed simulation chapter of the PhD (Chapter three of Part I).
2.2.2 State-Based Simulation
The same behavioral definitions of the previous section may be given by
following a state-based approach [21]. In the state-based approach, the
behavioral relations on transition systems are given by referring to the
state labels. This means, the definitions are based on the propositions that
are satisfied in a state.
Simulation Order
Given a set of atomic propositions P, two transitions systems 〈QC, Q0C,→C〉
and 〈QA, Q0A,→A〉 with vC : QC → 2P and vA : QA → 2P two labeling
functions specifying the propositions that hold in a state, a simulation
relation [21] is a binary relation R ⊆ QC × QA such that ∀q0C ∈ Q0C, ∃q0A ∈
Q0A such that (q
0
C, q
0
A) ∈ R and for all (qC, qA) ∈ R :
• vC(qC) = vA(qA).
• if q′C ∈ Post(qC) then ∃q′A ∈ Post(qA) such that (q′C, q′A) ∈ R.
We write C  A, if there exists a simulation relation R between C and A.
a
c dc ds4 s5
s2 s3
s1
b
a q1
q3 q4
q2b b
LTS1 LTS2
Figure 2.5 – Simulation
In the example of Fig 2.5, LTS1  LTS2 through the relation R =
{(s1, q1), (s2, q2), (s3, q3), (s3, q4), (s4, q5)}.
Preserved Logic Just like its action-based variant, the simulation order
preserves the linear temporal logic (LTL). The same discussion applies
concerning the terminal states.
Stutter-based Simulations
Just like in the case of the action-based approach, the state-based relations
may be weakened by admitting the fact that invisible actions may happen
in the transition system. The state-based relations that we have seen so
far are strong variants of these relations. That is, they require that each
step at one level is matched by exactly one step at the second level. For
instance, if sC and sA are in relation, then weakening this condition means
that we admit that a step from sC may be matched by a sequence of steps
38 Chapter 2. Refinement and Simulation
which are invisible from sA. The steps (except the last state change) in such
sequences should not change the truth value of the atomic propositions
that hold in sA. Such state changes are called stutter steps.
Stutter Simulation Given a set of atomic propositions P, two transitions
systems 〈QC, Q0C,→C〉 and 〈QA, Q0A,→A〉 with vC : QC → 2P and vA :
QA → 2P two labeling functions specifying the propositions that hold
in a state, a stutter simulation relation [34],[77] is a binary relation R ⊆
QC ×QA such that ∀q0C ∈ Q0C, ∃q0A ∈ Q0A such that (q0C, q0A) ∈ R and for all
(qC, qA) ∈ R :
• vC(qC) = vA(qA).
• if q′C ∈ Post(qC) and (q′C, qA) /∈ R, then ∃qAq1A · · · qnAq′A with n ≥ 0
and (qC, qiA) ∈ R, i = 1 · · · n ∧ (q′C, q′A) ∈ R. 1
The second condition means that if qC and qA are related with R then for
every outgoing transition from qC to q′C, it must be matched by a path
fragment from qA to q′A such that q
′
C and q
′
A are equivalent and all inter-
mediate states in the path fragment are equivalent to qC.
							≲				
	 	stu 	 								≲		 stuqC
qA qA 	qA 	q'An1
q'C							≲		
			 stu
Figure 2.6 – Second Condition of the Stutter Simulation
We write C stu A, if there exists a simulation relation R between C
and A.
Observational Simulation Observational equivalence (simulation) was
originally defined in the action-based semantics by [83]. Here, we talk
about its state-based reformulation which can be seen as a variant of the
stutter bisimulation. Unlike the stutter bisimulation, in the observational
equivalence if qC and qA are related with a relation R and we need to
simulate the transition from qC to q′C, then it is not required that the inter-
mediate path fragment from qA to q′A to be equivalent to qA.
Preserved Logic Just like the weak simulation, both of the stutter simu-
lation and the observational simulation do not preserve LTL [21]. As be-
fore, the reason behind this is the divergent stutter paths. To understand
the problem of divergent paths in the state based semantics, we reformu-
late the example of Fig 2.4 in the state-based semantics which results of
Fig 2.7. In the example of Fig 2.7, LTS1 stu LTS2. However LTS2 |= ♦b
while LTS1 6|= ♦b. For this fact, the divergence sensitive stutter simulation
is defined. The divergence-sensitive (DS) stutter simulation is a variant of
stutter simulation which restricts the stutter simulation by allowing the
states that belong to the same equivalence class (same propositions sat-
isfied) to be related only if they both exhibit divergent paths or none of
1We note here that qAq1A · · · qnAq′A is a finite path fragment
2.3. Simulation in the Timed Context 39
them has a divergent path. Thus, the simulation between LTS1 and LTS2
is rejected based on the DS-Stutter simulation since s1 exhibits a divergent
path while q1 does not. The DS stutter simulation preserves LTL and a
fragment of CTL*.
b q2
q1a
bs2
s1 a
LTS1 LTS 2
Figure 2.7 – Stutter Simulation and DS Stutter Simulation
2.2.3 Simulation and µ-calculus
µ-calculus was used as means for simulation verification in the Mec 5
model checker [54, 28]. This model checker handles specifications written
in Altarica [19] and embeds the µ-calculus logic as a support for proper-
ties verifications on Altarica models. The authors propose several relations
checked in Mec 5 which are the strong simulation, weak simulation and
the bisimulation. In order to say that an Altarica model refines another,
one of these relations need to be established on the free product of the
LTSs corresponding to the two Altarica models. We add also that the pro-
posed relations are event-based, meaning that starting from two states c
and c′ that are in a relation, we check if for each possible event e of the ab-
stract system (enabled from state c), a corresponding event of the concrete
system can be found e′ enabled from the state t′ such that the sink states
of c and c′ are also in a relation. Concerning the flow variables in Altarica,
they are supposed to be equal between the abstract and concrete system.
An example of a Mec 5 formula Sim for the strong simulation equation is
given below :
Sim(c, c′) = eqC(c, c′)&([e][t](transA(c, e, t)⇒ 〈e′〉〈t′〉(transA′(c′, e′, t′)&Sim(t, t′))));
where eqC(s, s′) specifies the set of state pairs such that both states
associate the same values to the flow variables, transA and transA′ define
respectively transitions for nodes A and A′. Once all the pairs of states in
strong simulation are computed, the strong simulation between A and A′
is verified if their initial states verify the simulation.
Other µ-calculus properties were also used as a mechanism to capture
and to check simulation relations. We can cite the work of [70] where a
triple-nested µ-calculus formula is given to check the fair simulation [57].
2.3 Simulation in the Timed Context
Timed simulation relations have been studied for different timed for-
malisms ranging from timed transition systems, to timed automata [15,
40 Chapter 2. Refinement and Simulation
77], timed input output automata TIOA [68, 43] and timed modal specifi-
cations [30]. However, a less tackled aspect of this research is the automatic
verification of timed simulations and especially timed weak simulations.
In the following sections, we take a look on how the simulation relations
are extended to the timed context. We also present the main studies in the
subject of automatic verification of action-based timed simulations.
2.3.1 Timed Transition System Refinement
The action-based versions of both the strong and the weak simulations
have been extended to the timed context. They are defined on a timed
transition system that satisfies the executability axioms (additivity, conti-
nuity...) as already defined earlier in Chapter : Timed Systems.
Timed Strong Simulation
Given a set of labels L, two TTS Systems A = (QA, Q0A,→A) and C =
(QC, Q0C,→C), a relation R ⊆ QC × QA is a timed strong simulation rela-
tion [25, 26] iff ∀q0C ∈ Q0C, ∃q0A ∈ Q0A such that (q0C, q0A) ∈ R and for every
(QC, QA) ∈ R and for every label l ∈ L ∪ ∆, if qC l→ q′C then there exists
q′A such that qA
l→ q′A and (q′C, q′A) ∈ R.
This means that in the timed context, in addition to the simulation of
control transitions (labeled with actions), we require as well the simulation
of time transitions.
Timed Weak Simulation
Given a set of labels Lτ, two TTS Systems A = (QA, Q0A,→A) and
C = (QC, Q0C,→C), a relation R ⊆ QC × QA is a timed weak simulation
relation [24] iff ∀q0C ∈ Q0C, ∃q0A ∈ Q0A such that (q0C, q0A) ∈ R and for every
(qC, qA) ∈ R and :
1. for every action l ∈ Lτ, if qC l→ q′C then there exists q′A such that
qA
l⇒ q′A and (q′C, q′A) ∈ R.
2. for every δ ∈ ∆ if qC δ→ q′C then there exists q′A such that qA
(τ|δi)∗→ q′A
and Σδi = δ and (q′C, q
′
A) ∈ R.
Preserved Logic
The addition of time does not have an impact on the preserved logic. Thus,
the same discussion concerning the strong (resp. weak) simulation applies
in the case of the timed strong (resp. weak) simulation.
2.3.2 Timed Automata Refinement
We present two studies in the context of timed automata refinement. The
simulation relation for timed automata was first defined by Alur [15] as
follows :
For two timed automata A = (ΣA, QA, q0A, XA, TA, IA) and B =
(ΣB, QB, q0B, XB, TB, IB), a timed simulation is defined as a relation R that is
2.3. Simulation in the Timed Context 41
defined on the corresponding semantics of the two timed automata which
are two timed transition systems.
Now we discuss two studies in the context of verification of simulation
between timed automata.
Timed Ready Simulation
A work that studies the refinement of timed automata appears in [65] in
the context of the Uppaal [73] tool. In this work, the authors consider a
slight variant of timed automata with both urgent channels and shared
multi-reader/multi-writer variables. In addition to clocks, a timed au-
tomaton may then test variables in its guards and manipulate variables
in its reset sets. As before, the semantics of a timed automata are given
via a timed transition system, but this time it is equipped with a signature
which is a tuple (R,W,IW) that describes sets of shared variables that are
readable (R), writable (W), and internally writable (IW) by the transition
system. The authors proceed by giving an extension of the timed weak
simulation seen in the context of timed transition systems. This extension,
called timed ready simulation, is proven to be monotonic w.r.t the parallel
composition. In addition to the definition of the timed weak simulation,
the following two clauses are added : a first condition saying that the
variables of the concrete system are equal to the variables of the abstract
system. A second condition saying that an urgent state in the concrete
system is an urgent state in the abstract system.
The authors give an automatic technique for verifying the timed ready
simulation. The verification of the timed ready simulation is restricted for
fully observable (no silent actions τ) and deterministic abstract models
and it may be reduced to a reachability problem (which is supported by
UPPAAL). This is done via a composition with a testing automaton [9]
monitoring that the behavior of the concrete system is within the bounds
the abstract system and then by checking that an undesired state in the
testing automaton is never reached. The testing automaton namely checks
(1) that the invariant of the locations are satisfied, (2) that an abstract
urgent action is also urgent in the concrete system, and (3) that the guards
of the abstract system are also maintained in the concrete system. In case
one of these clauses is violated, the testing automaton transits to an error
state.
τ Timed Simulation
Now we discuss the work of Oudot [67]. This work studies the incremen-
tal development of component-based timed systems. The timed systems
considered are timed automata (and variants). The authors give a formal
definition of a τ-simulation and show how such definition is suitable for
the incremental development and more specifically for the preservation
of linear time properties written in MITL. Moreover, certain composabil-
ity notions of the timed automata are also studied when these timed au-
tomata are built in an incremental development under the τ-simulation
definition. In the following we cover briefly this work. We start by giving
the definition of the τ timed simulation considered :
42 Chapter 2. Refinement and Simulation
Let A = (ΣA, QA, q0A, XA, TA, IA) and C = (ΣC ∪ {τ}, QC, q0C, XC, TC, IC)
be two TA such that XA ⊆ XC. The timed simulation is defined on the
semantics of Timed Automata and is the greatest binary relation R ⊆
QC × QA such that for any sA = (qA, kA) ∈ QA and sC = (qC, kC) ∈ QC
the following conditions hold :
1. sC
a→ s′C ∧ a ∈ ΣA ⇒ ∃s′A, (sA a→ s′A ∧ s′CRs′A) Strict Simulation
2. sC
δ→ s′C ⇒ ∃s′A, (sA δ→ s′A ∧ s′C R s′A) Delay Equality
3. sC
τ→ s′C ⇒ s′CRsA Stuttering
Compared to the simulation definition of Alur, the timed τ simulation
correspond to the weak variant that takes into consideration the silent
actions.
Divergence-Sensitive and Stability-Respecting Timed τ Simulation As
we have explained in the untimed context, the weak simulation does not
preserve the linear time properties, mainly because of divergent paths and
terminal states. This also holds in the timed context. In order to treat this
problem, the definition of τ timed simulation is extended by deadlock
and divergence properties. Divergence-sensitivity states that there are no
non-Zeno (a non-Zeno run is a run in which time can diverge, meaning
thatoudot the total time elapsed along the run goes to infinity) τ-cycles in
B (a cycle in which discrete transitions are only labeled by τ is called a
τ-cycle). Stability-respect means that B must not contain deadlocks which
do not exist in A. This is expressed by the predicate f ree. Given a location
q, f ree(q) is the set of all valuations (of states with q as discrete part) from
which a discrete transition can be taken after some delay.
Adding the following two clauses to the timed τ-simulation allows to
preserve the timed linear logic MITL. The proof can be found in [67].
1, 2, 3
4. B does not contain any non− Zeno− τ − cycles. Divergence− Sensitivity
5. vB /∈ f ree(qB)⇒ vA /∈ f ree(qA) Stability Respect
Timed τ Simulation Verification The authors proceed by giving an al-
gorithm in order to verify the τ-simulation between two timed automata.
A tool called Vesta [66] is also developed that allows the automatic verifi-
cation of the simulation.
2.3.3 Timed Game Automata Refinement
Another work is the one of [36, 39, 43] which led to the creation of the EC-
DAR tool [1]. In this tool, a timed (weak) simulation between two TIOAs
is supported. The verification is done via an on-the-fly game-based al-
gorithm between the abstract and the concrete systems coupled with an
algorithm that back-propagates the error states denoting the violation of
the simulation [36].
2.3. Simulation in the Timed Context 43
Timed Weak Alternating Simulation Relation In the definition, it is as-
sumed that no τ transitions exist in the abstract model. This is because
permitting the τ transitions in the abstract model complicates the defi-
nition and the computation of the corresponding simulation relation. In
this case any delay in the concrete model can be matched by a series of
delays in the abstract model separated by τ transitions. The timed weak al-
ternating simulation between two TGAs A = (Σ, QA, q0A, XA\τ, InvA, TA)
and C = (QC, q0C,Σ, XC, InvC, TC) is a relation R ⊆ QA × QC such that
(q0A, q0C) ∈ R and for every (qA, qC) ∈ R and for every observable action
a the following rules are satisfied :
1. (qC
τ→c q′C)⇒ ((qA, q′C) ∈ R) (τ action)
2. (qC
a→c q′C)⇒ ∃q′A (qA a→c q′A ∧ (q′A, q′C) ∈ R) (controllable)
3. (qA
a→u q′A)⇒ ∃q′C (qC τ
∗→u a→u q′C ∧ (q′A, q′C) ∈ R) (uncontrollable)
4. (qC
δ→ q′C)⇒ ∃q′A (qA δ→c q′A ∧ (q′A, q′C) ∈ R) (delay)
On-the fly verification of the simulation relation Checking the refine-
ment is solved as a turn-based game between two players [36]. The first
player, or attacker, plays outputs on S and inputs on T, whereas the sec-
ond player, or defender, plays inputs on S and outputs on T. According to
these rule the product of S and T is then constructed and error states are
detected on-the-fly and are back-propagated. There are two kinds of error
states:
1. Either the attacker may delay and violates invariants on T, which
means that the defender cannot match a delay, or
2. the defender has to play a given action and cannot do so, i.e., there
is a deadlock.
Restrictions on the timed game automata
1. No τ events are allowed in the abstract system. This is due to the
problem of matching one delay in the implementation by series of
delays and τ transitions in the specification.
2. Invariants must have the form x ≤ k.
3. A specification automaton is a TIOA that is input-enabled meaning
that in each state all the inputs should be available.
4. The implementation must satisfy the two following conditions:
(a) Independent progress: implementations cannot get stuck in a
state where it is up to the environment to induce progress. In
each implementation state an output is always possible maybe
after some delay.
(b) Output urgency: if an output is available, then it cannot be de-
layed by the environment.
44 Chapter 2. Refinement and Simulation
2.4 Our Simulation Choice
In this chapter, we have seen a wide range of refinement relations and
sufficient conditions. Now, we motivate our refinement relation choice :
1. We need to preserve logical linear properties.
2. We need that the events of the concrete system should have been in-
troduced in the abstraction. In addition, the events of the abstraction
are not forced to occur in the concrete system. This leads to a need
of simulation.
3. We need that the concrete system would be able to add local events.
This means that we need the concrete to be able to have τ actions.
This leads to a need of a weak simulation.
4. Being in a timed context, this leads us to a need of a timed weak
simulation.
5. We need to detect deadlocks, thus an additional property needs to be
verified in the simulation concerning that the concrete system may
not deadlock if the abstract system does not.
6. We have seen that the weak simulation does not fully preserve linear
time properties (LTL for example), and this is because of the diver-
gent cycles (infinite cycles of τ actions) that may be present in the
systems. This leads to an additional hypothesis which is the diver-
gence sensitive property.
Here we have motivated our choice of the timed simulation we want to
consider. In the next part, we will give a formal definition of this simula-
tion.
2.5 Conclusion
We have seen in this chapter simulation definitions in both the untimed
and timed context. We have seen that timed simulations are either defined
at finite levels (timed automata) or at the semantic level (timed transition
system). In the next chapter, we start by defining our finite timed model,
give our simulation definition, give its properties and show how it can be
verified.
Chapter Three
CTTS Timed Simulation
3.1 Introduction
We have seen in the previous chapters that the combinatorial explosion
is generally the biggest problem of model checking-based techniques. We
have also introduced the refinement as a technique that plays a major role
in alleviating the risk of combinatorial explosion. Actually, instead of mod-
eling and verifying the system as whole, the idea is to follow mostly an
incremental development of the components, to verify the properties on an
abstract, usually smaller system, and prove their preservation by proving
the refinement between the concrete and the abstract system. This method
is also coupled with the property of monotony which allows to verify a
system and to replace abstract sub-components by their implementations
while preserving the property. As we know, from previous chapters as
well, several relations were suggested -maybe more in the untimed con-
text than in the timed context- as refinement relations and sufficient con-
ditions.
This chapter consists in the theoretical aspects of this PhD and is
mainly focused on the definition of a timed simulation that can be used
in the context of our timed systems. For this, we first give the formal def-
inition of our considered timed systems and prove that they are compo-
sitional (Section : 3.2.5). Afterward, we define our timed weak simulation
(Section : 3.3) and prove that our timed simulation guarantees trace in-
clusion (Section : 3.3.1) and thus preserves linear time properties (Section
: 3.3.2). Furthermore, we present an automatic technique to verify it (Sec-
tion : 3.4) and give its soundness and completeness proof w.r.t the math-
ematical simulation definition (Section : 3.5). We finish this chapter by
giving a proof of the compositionality of our simulation (Section : 3.3.3).
3.2 Concrete/Abstract Systems
The semantic model of our system is the Time Transition System TTS given
earlier in Chapter : Timed Systems 1.3.1. Here we recall its definition and
add a composition operation.
46 Chapter 3. CTTS Timed Simulation
3.2.1 Semantic Model
Definition 3.1 (Timed Transition System TTS ) Given a set of labels Lτ and let ∆
be a time domain, e.g R+, a Timed Transition System TTS is a tuple 〈Q, Q0,→〉
where Q is a set of states, Q0 ⊆ Q is the set of initial states, and→ is a transition
relation ⊆ Q× (L ∪ ∆)×Q. We write q l→ q′ for (q, l, q′) ∈→.
We define q a
∗→ q′ , q a→ q1 a→ q2 · · · a→ q′ and write q ab→ q′′ if there
exists q’ such that q a→ q′ b→ q′′. We define as well q
d
=⇒∗ q′ , ∃q0 δ0→ q′0 τ→
q1
δ1→ q′1 τ→ q2 · · ·
δn→ q′n such that Σn0δi = d ∧ q = q0 ∧ q′ = q′n and write
q
d
=⇒+ q′ when n > 0 (there exists at least one τ).
TTS Composition
Definition 3.2 (TTS composition) Given two TTSs defined over the set of la-
bels Lτ, a set of labels S ⊆ L denoting the allowed synchronizations, the TTS
composition is defined as follows :
〈Q1, Q01,→1〉‖
S
〈Q2, Q02,→2〉 = 〈Q1 ×Q2, Q01 ×Q02,→〉
where the set of transitions→ =
{t1  t2 | t1 ∈ T1 ∧ t2 ∈ T2} ∪ {t1 ↑1| t1 ∈ T1} ∪ {t2 ↑2| t2 ∈ T2}
is defined by the following rules :
t1:q1
l→ q′1, t2:q2 l→ q′2, l ∈ S ∪ ∆
t1  t2 : (q1, q2) l→ (q′1, q′2)
Synchronous
t1 : q1
l1→ q′1 , l1 /∈ S ∪ ∆
t1 ↑1: (q1, q2) l1→ (q′1, q2)
InterleavingL
t2 : q2
l2→ q′2 , l2 /∈ S ∪ ∆
t2 ↑2: (q1, q2) l2→ (q1, q′2)
InterleavingR
S is omitted when it is equal to L. This means that ‖ is a fully synchronous
composition operator while ‖
∅
is a fully asynchronous one and is denoted
by |||.
TTS Properties
Definition 3.3 (No-τ-cycle ) A TTS is said to have no-τ-cycle if it does not have
any infinite executions ending with transitions labeled exclusively by δτ.
Definition 3.4 (τ-Divergence) Given a set of labels Lτ, a TTS 〈Q, Q0,→〉 is
τ-divergent if for all q ∈ Q and for all δ ∈ ∆, there exists q′ such that q
δ
=⇒∗ q′.
This means that we require that time can always diverge via τ events.
Namely, for all d, there always exists a τδ execution that advances to the
date d.
Remark 3.1 A system may be τ-Divergent and with no-τ-cycle. It suffices to
reach via a finite number of τ transitions a state where time can elapse infinitely.
3.2. Concrete/Abstract Systems 47
Definition 3.5 (τ Zeno path ) A TTS is said to have a τ Zeno path if it has an
infinite time-convergent execution sequence (Σ∞i δi < ∞) in which only τ events
are executed. A TTS is τ non-Zeno if it does not have such execution sequence,
that is all the execution sequences that have infinite number of τ actions are also
time divergent.
The hypothesis of τ non-zeno will be used to show inductively that a
property is preserved through the elapse of time interleaved with τ tran-
sitions. The following lemma characterizes such a property.
Lemma 3.1 (τ Non-Zenoness Characterization) We give an induction-based
definition of the τ non-Zenoness of a TTS [5]. We denote as Pδ(s) a property P
that is satisfied at a state s at time δ. If the TTS is τ non-zeno, we have :
(1)︷ ︸︸ ︷
P0(q0)∧

∀q ∈ Q ∀δ2 < δ1, q0 δ2→ q ∧ Pδ2 (q)⇒
(2)︷ ︸︸ ︷
∃q′, q δ1−δ2→ q′ ∧ Pδ1 (q′) ∨
(3)︷ ︸︸ ︷
∃δ3 ∈ [δ2, δ1], ∃q′, q
δ3−δ2
=⇒+ q′ ∧ Pδ3 (q′)

∃q′,q0
δ1
=⇒∗q′∧Pδ1 (q′)
The τ non-Zenoness property leads to an induction principle. Here, we say that
for a property P to be true in δ, then it is sufficient to show that :
1. P is true at the current instant (1) and,
2. if P is true at a given time, then P must be made true either after a time
transition reaching δ (2) or after a τ transition (possibly preceded by a
delay) (3).
3.2.2 State-Related Properties
Let us recall the definition of a deadlock state. Actually, a deadlock state has
no outgoing transitions. Formally, given set of labels Lτ, a TTS 〈Q, Q0,→〉
and a state q ∈ Q, we define :
Deadlock(q) , ∀q′ ∈ Q, e ∈ L,¬q e→ q′
Now, in the timed context, this description is enforced by saying that a
state is in a deadlock if even after letting time pass, no discrete transitions
may be firable. This is defined [67] as :
TimedDeadlock(q) , ∀q′ ∈ Q, e ∈ L, δ ∈ ∆,¬q δ→ q′ e→ q′′
The Timed deadlock definition is slightly weakened by saying that a
state is in a weak deadlock if by doing τ events or by letting time pass, no
visible events may be fired. Such definition is not surprising since upon
the definition of the timed trace of a system the τ events are dropped. If
follows that the traces at the deadlocked state are the same. The reason
that led to the addition of the τ events stems from the definition of the
timed weak simulation definition that accepts τ events.
48 Chapter 3. CTTS Timed Simulation
Definition 3.6 (Weak Deadlock State) Formally, given a TTS 〈Q, Q0,→〉 and a
state q ∈ Q we define :
WeakDeadlock(q) , ∀q′, q′′ ∈ Q, e ∈ L, δ ∈ ∆,¬q δ∗=⇒ q′ e→ q′′
Now we define the notion of a divergent state as a state in which time
can advance infinitely.
Definition 3.7 (Divergent State) Formally, given a TTS 〈Q, Q0,→〉 and a state
q ∈ Q we define :
Divergent(q) , ∀δ∃q′ q δ→ q′
3.2.3 Timed Executions
Definition 3.8 (Timed Execution) A timed execution over a set of states Q and a
set of labels Lτ is a finite (resp. infinite) sequence of states separated by alternating
time and actions steps. Formally, it is defined as follows : ∀i, δi ∈ ∆, αi ∈ L,
qi ∈ Q
(q0
δ1α1→ q1 · · · qi δi+1αi+1→ · · · qn δn+1=∞→ )i∈{0..n−1}(resp.(qi
δi+1αi+1→ )i∈N)
We say that a timed execution is time divergent (resp. time convergent) if it
verifies Σiδi = ∞ (resp. Σiδi < ∞).
Definition 3.9 (TTS Timed Execution) A timed execution of a TTS 〈Q, Q0,→〉
is defined as a finite or infinite sequence of states separated by alternating time
and actions steps :
(q0
δ1α1→ q1 · · · qi δi+1αi+1→ · · · qn δn+1=∞→ )i∈{0..n−1} (resp.(qi
δi+1αi+1→ )i∈N)
where, every step in the timed execution corresponds to a transition in the TTS.
An initial execution is an execution starting from an initial state q0 of the TTS
and if finite, WeakDeadlock(qn) ∧ Divergent(qn). We define Exec(tts) as the
set of executions of a TTS.
It is interesting to note here that a TTS execution that ends in a diver-
gent state is time divergent. However, a time divergent execution may be
without a divergent state.
Definition 3.10 (τ-Reduced TTS Execution ) The reduction of a TTS execution
(↓) is obtained after the elimination of states and τ transitions. Here we suppose
that the propositions satisfied at a state are invariant through time and silent
transitions. It is defined by the following equations :
1. (q0
d→(δτ)
ω
→ ) ↓= q0 ∞→.
2. (q0
d→ τδ→ x¯) ↓= (q0 d+δ→ x¯) ↓.
3. (q0
dτ→ x¯) ↓= (q0 d→ x¯) ↓.
3.2. Concrete/Abstract Systems 49
4. (q0
dα→ x¯) ↓= (q0 dα→ x¯ ↓).
5. (q0
d→(∞)→ ) ↓ = q0 ∞→.
where δ ∈ ∆, e ∈ L and x¯ is a TTS execution.
Remark 3.2 The assumption that the states propositions are invariant through
time and silent transitions makes it possible to eliminate some state observations
in the trace. Concerning the case of time transitions, these transitions depend on
the clocks of the TTS, but the clocks cannot be accessed at the syntactic represen-
tation of a TTS (here CTTS, see Section : 3.2.5). Thus time transitions do not
change the values of the propositions. Concerning the silent transitions, this as-
sumption is true in state-based models. Namely, in a state-based semantics, the
silent action τ is assumed to loop in the same state (thus not changing the val-
ues of the propositions) [21]. However, in our state-event based context, a silent
transition (τ event) may cause a change of states and thus changing the satisfied
propositions. Our assumption will thus restrict a bit the properties verified on
models, namely properties such as "being in state s" where s is a state having an
outgoing silent transition will be forbidden.
Definition 3.11 (Projection of a TTS Execution ) Given a valuation function
v : Q → 2P which associates to each state of the considered TTS the set of
propositions satisfied by the state. Suppose that v is invariant through time and
silent transitions, the projection of a TTS execution is obtained by applying the
valuation function v to each state.
3.2.4 Traces
We define a state-event based trace. This definition is later used to prove
the inclusion of state-event traces and thus the preservation the State-
Event-based logic properties (SE-MITL, SE-LTL).
Definition 3.12 (Timed State-Event Trace) Given a set of propositions P and a
set of labels L, a timed state-event trace is a finite (resp. infinite) sequence of time-
steps, actions and state observations 〈(P0 δ1α1→ P1 · · · Pi+1 δi+1αi+1→ · · · Pn δn+1=∞→
)i∈{0..n−1}〉 (resp. 〈(Pi
δi+1αi+1→ )i∈N〉) where ∀i, δi ∈ ∆, αi ∈ L, Pi ⊆ P .
We say that a timed trace is time divergent (resp. time convergent) if it ver-
ifies Σiδi = ∞ (resp. Σiδi < ∞). Note that in these traces, we require that the
propositions are satisfied just after the occurrence of an event.
Definition 3.13 (TTS State-Event Timed Trace) Given a valuation function
v : Q → 2P which associates to each state of the considered TTS the set of
propositions satisfied by the state. Suppose that v is invariant through time and
silent transitions, a (finite or infinite) state-event timed trace is accepted by a TTS
〈Q, q0,→〉 if it is a projection of a τ-reduced TTS execution of a divergent initial
timed TTS execution. We denote by SE-Traces(T,v) the set of the state-event traces
of T.
The trace is defined from a divergent execution in order to eliminate
the possibility of having τ-Zeno traces (see Definition 3.5). Otherwise, such
Zeno traces would contradict our first rule in the definition of τ-Reduced
50 Chapter 3. CTTS Timed Simulation
TTS Execution (Definition 3.10) that associates the symbol ∞ when (δτ)ω
transitions are found.
Remark 3.3 If the TTS has no τ-cycle (Definition : 3.3), a finite trace is a result
of the τ reduction of a finite execution of the TTS.
Definition 3.14 (TTS timed state-event traces to timed state-event sequences
(TSES) ) The transformation of a TTS timed state-event trace (⇓) is obtained by
the following equations :
1. x¯ ⇓= (x¯, 0) ⇓
2. (Pi
∞→, d) ⇓= (Pi, [d,∞[).
3. (Pi
δi+1αi+1→ x¯, d) ⇓= (Pi, [d, d + δ[) α→ (x¯, d + δ) ⇓.
where δ ∈ ∆, α ∈ L and x¯ is a TTS timed state-event trace. For a TTS, T and a
valuation function v, we will denote the set of state-event timed sequence of T by
TSES(T, v).
3.2.5 Constrained Time Transition System (CTTS)
We give the definition of the CTTS which is a syntactic finite representa-
tion for the TTS. We also give the properties that need to be satisfied by
this finite representation in order to satisfy the assumptions made at the
semantic level.
Definition 3.15 (Constrained Time Transition System) Given a set of labels Lτ,
a set of intervals I over the time domain ∆, a Constrained Time Transition System
(CTTS) [45] is defined as 〈Q, Q0, T, Lτ, ρ : T → 2Q×Q,λ : T → Lτ, ι : T 9
I, . ⊆ T × T〉 where Q denotes the set of states, Q0 ⊆ Q is the set of initial
states, T denotes the set of transitions, ρ maps each transition to a set of state
couples (source,target), λ associates each transition with its label, ι associates
each transition labeled with a local event with a time interval (the global events
will then not be constrained) and . denotes a time reset relation between two
transitions. We write t : q l→ q′ for (q, q′) ∈ ρ(t) ∧ l = λ(t).
We comment on the . relation. Each transition interval of a CTTS is
represented implicitly by a clock at the semantic level. Whether the firing
of a transition resets the clocks of the enabled transitions or not is gov-
erned by the reset relation . : if t . t′, then the firing of t resets the clock
of t’.
CTTS Example In Fig 3.1, we give an example of a CTTS in which a
private port is attached to an interval of time [1,2], as for the global port
p it is not constrained. It is also interesting to note that the enabling of
whichever of the 2 possible transitions from the initial state will reinitialize
the clock of the other.
We give another example in order to illustrate the . relation. In Fig. 3.2,
we show two systems that are exactly the same except that they differ in
the way the . is defined between their transitions. Actually, in the first
system of Fig. 3.2, t1 . t2 while in the second system it does not. In the
first system, t2 is never fired. This is because, at the state s0, after exactly
3.2. Concrete/Abstract Systems 51
s swait [ 1..2[
p
p [ 0..∞ [
s
t3 :
pt2 :t1 :
ρ(t  ) = (s  ,s )1 0 1
0 1
λ(t  ) = τ 1
ι(t  ) = [1..2[1
ρ(t  ) = (s  ,s  )2 1 2
λ(t  ) = p 2
ρ(t  ) = (s  ,s )3 0 2
λ(t  ) = p 3
2
Figure 3.1 – Example of CTTS
1 unit of time (u.t), only the transition t1 would be able to fire since it is
associated to the time interval [1,1]. t2 would not be able to fire since its
timing constraint is not met. Now, after the firing of t1, and since t1 . t2, the
clock of t2 is reset and the same mechanism is repeated all over again. As
for the case of the second system, at 1 u.t, the transition t1 is fired without
resetting the clock of the transition t2. So when the time reaches 2 u.t, a
non-deterministic choice between t1 and t2 is thus possible.
s0
t   : τ [1..1] 
t    :  τ [2..2] 2
1
t       t   1 2▷s0
t   : τ [1..1] 
t    :  τ [2..2] 2
1
t       t   1 2▷
Figure 3.2 – Reset Function of a CTTS
CTTS Semantics as a TTS We define the semantics of a CTTS T =
〈Q, Q0, T, Lτ, ρ,λ, ι, .〉 to be a TTS [[T ]] = 〈Q× (T → ∆), (Q0 × {t : T 7→
0}),→, α, β,λ〉 such that→ is defined by the following rules :
t : q l→ q′,
v(t) ∈ ι(t)
∧∀t′, v′(t′) =
{
0 if (q, q′) ↪→ t′ ∨ t . t′
v(t′) else
(q, v) l→ (q′, v′)
DiS
(q, v) 0→ (q, v)
0-Dly
∀t ∈ T, q ∈ dom(ρ(t))⇒ v(t) + δ ∈ ←−ι(t)
(q, v) δ→ (q, v + δ)
Dly
Figure 3.3 – CTTS Semantics
where (v+ δ)(t) = v(t) + δ,
←−
I , {x ∈ ∆ | ∃y ∈ ∆, x+ y ∈ I} is the down-
ward closure of the interval I and (q, q′) ↪→ t′ , q /∈ dom(ρ(t′)) ∧ q′ ∈
dom(ρ(t′)) means that the transition t′ is newly enabled by the transition
q → q′ (Fig 3.4). We note here that the time properties associated to a
TTS are satisfied by the CTTS semantics. Namely, it is easy to prove that
the zero-delay, time determinism, time continuity and time additivity are
satisfied by the semantic of the CTTS.
52 Chapter 3. CTTS Timed Simulation
q q'
...δ
t
(q,q') ↪ t 
Figure 3.4 – Newly Enabled Transition
Definition 3.16 (CTTS Deadlock State) A CTTS state is a deadlock state if it has
no outgoing transition.
Remark 3.4 Based on the CTTS semantics, time diverges on deadlock states as
it is not constrained by intervals associated to outgoing transitions. 1
Definition 3.17 (CTTS Property Satisfaction ) Given a linear temporal formula ϕ
(written in SE-MITL, SE-LTL · · · ), a CTTS T and a valuation function v, we say
that T satisfies ϕ, denoted by (T, v) |= ϕ, if ∀σ, (σ ∈ SE-Traces([[T]], v o pi1)⇒
σ ⇓|= ϕ) where pi1 is the first projection of a couple.
Thus, a CTTS satisfies the property ϕ if all its traces satisfy ϕ, i.e., if all
its behaviors are admissible. Note here that the chosen valuation does not
take into account the clocks introduced by the semantic function. Thus it
is stable by the advance of time. Here we recall our assumption that state
propositions are invariant through time and silent transitions and what
does this assumption induce at the property verification level (see Remark
: 3.2).
CTTS Composition
Here we define the composition of two CTTSs. This composition is close
to the already seen operation at the TTS level. However, at the CTTS level,
this composition is extended to the ι and the . functions.
Definition 3.18 (CTTS Composition) Given two CTTSs CTTS1 =
〈Q1, Q01, T1, Lτ, ρ1,λ1, ι1, .1〉 and CTTS2 = 〈Q2, Q02, T2, Lτ, ρ2,λ2, ι2, .2〉,
a set of labels S ⊆ L, their composition CTTS1‖
S
CTTS2 is defined as
〈Q1 × Q2, Q01 × Q02, T, Lτ, ρ,λ, ι, .〉 where T = {t1  t2 | t1 ∈ T1 ∧ t2 ∈
T2} ∪ {t1 ↑1| t1 ∈ T1} ∪ {t2 ↑2| t2 ∈ T2} such that :
t1:q1
l→ q′1, t2:q2 l→ q′2, l ∈ S
t1  t2 : (q1, q2) l→ (q′1, q′2)
Synchronous
t1 : q1
l1→ q′1 , l1 /∈ S
t1 ↑1: (q1, q2) l1→ (q′1, q2)
InterleavingL
t2 : q2
l2→ q′2 , l2 /∈ S
t2 ↑2: (q1, q2) l2→ (q1, q′2)
InterleavingR
Figure 3.5 – CTTS Transitions Composition
The visible events are not time constrained. Thus, only the τ events may be
associated to time intervals. ι is only defined on τ transitions. The transitions of
1This is different than Timed Automata where time elapses can be constrained by state
invariants.
3.2. Concrete/Abstract Systems 53
the resulting CTTS are associated to the same time intervals they had before the
application of the composition operation. Formally, this is defined as :
ι(t ↑1) = ι(t) if λ(t) = τ TimeL ι(t ↑2) = ι(t) if λ(t) = τ TimeR
Figure 3.6 – Interval Composition
For ti, t′i ∈ Ti and i = {1,2}, the composition of the clock-reset function . is
defined as :
ti . t′i
ti ↑i . t′i ↑i
(1)
ti . t′i
t1  t2 . t′i ↑i
(2)
ti . t′i
ti ↑i . t′1  t′2
(3)
t1 . t′1
t1  t2 . t′1  t′2
t2 . t′2
t1  t2 . t′1  t′2
(4)
Figure 3.7 – Reset Function Composition
The meaning of the reset-clock rules is that if before the composition a
transition t resets the clock of another transition t′, then after the compo-
sition the result transition made out of t (either by the SYNCHRONOUS
rule or by either one of the INTERLEAVING rules) will reset the clock
of the transition made out of t′. Note here that in order for the forth rule
t1  t2 . t′1  t′2 to be satisfied, it suffices that one of the premises t1 . t′1
or t2 . t′2 is satisfied and not necessarily both. The intuition of this rule
is based on properties of the read arc of Petri Nets [6]. In the context of
Petri Nets, t . t′ means that t has consumed a resource (absence of a read
arc) needed by t′. Thus if t1 consumes the resource used by t′1 or t2 con-
sumes the resource used by t′2, we will have always t1  t2 consuming the
resource used by t′1  t′2.
Compositional Semantics of a CTTS
Given two CTTSs CTTS1 = 〈Q1, Q01, T1, Lτ, ρ1,λ1, ι1, .1〉 and CTTS2 =
〈Q2, Q02, T2, Lτ, ρ2,λ2, ι2, .2〉 a set of labels S ⊆ L, the proof of correctness of
the CTTS composition is based on proving the bisimulation between the
semantics of the composition of CTTS1 and CTTS2 and the composition
of the semantics of CTTS1 and CTTS2. This means that we need to prove
that the composition at the semantic level (TTS) leads to a same system as
the composition at the syntactic level (CTTS).
Theorem 3.1 (CTTS Compositionality) Let CTTS1 and CTTS2 be two CTTS,
we have :
[[CTTS1‖
S
CTTS2]] ' [[CTTS1]]‖
S
[[CTTS2]] (Compositional CTTS)
The proof of this theorem consists in showing that each transition of
the [[CTTS1 ‖
S
CTTS2]] can be found in [[CTTS1]]‖
S
[[CTTS2]] and vice versa.
Based on the TTS composition (Section : 3.2.1) and the CTTS composition
(Section : 3.2.5), there exists three types of transitions on the resulting
system. These are a transition built by the SYNCHRONOUS rule or a
54 Chapter 3. CTTS Timed Simulation
transition built by either one of the symmetrical INTERLEAVING rules. In
the following we consider these three cases. For presentation purposes, in
each of the three cases we tackle the proof from left to right and then from
right to left in the equivalence (Compositional CTTS). This proof structure
can be adopted here since left to right and right to left proof trees mirror
each other.
Synchronous Case
Lemma 3.2 The transition ((q1, v1), (q2, v2))
l→TTS ((q′1, v′1), (q′2, v′2))
exists on [[CTTS1]]‖
S
[[CTTS2]] iff the transition ((q1, q2), v)
l→TTS ((q′1, q′2), v′)
exists on [[CTTS1‖
S
CTTS2]], with v and v’ defined as:
∀t, v(t) =

0 i f t = t1  t2
v1(t1) i f t = t1 ↑ 1
v2(t2) i f t = t2 ↑ 2
and
∀t′, v′(t′) =
{
0 if ((q1, q2), (q′1, q
′
2)) ↪→ t′ ∨ t1  t2 . t′
v(t′) else
Proof.
ti : qi
l→CTTS q′i ,
∀t′, qi ∈ dom(ρ(t′))⇒ vi(t′) ∈ ι(t′)
∀t′, v′i(t′) =
{
0 if (qi, q′i) ↪→ t′ ∨ ti . t′
vi(t′) else
, (i=1,2)
(q1, v1)
l→TTS (q′1, v′1) , (q2, v2)
l→TTS (q′2, v′2) , l ∈ S ∪ ∆
DIS
((q1, v1), (q2, v2))
l→TTS ((q′1, v′1), (q′2, v′2))
SYN
Figure 3.8 – Building/Destructing the TTS Synchronous Product Transition
ti : qi
l→CTTS q′i
l ∈ S
(q1 ,q2)
l→CTTS(q′1 ,q′2)
SYN,
∀t1, t2, (q1, q2) ∈
dom(ρ(t1  t2))
⇒ v(t1  t2) ∈
ι(t1  t2)
∀ti , qi ∈ dom(ρ(ti))
⇒ vi(ti) ∈ ι(ti)
∀ti , (q1, q2) ∈
dom(ρ(ti ↑ i))
⇒ v(ti ↑ i) ∈
ι(ti)
TL ,TR
∀t, (q1, q2) ∈ dom(ρ(t))
⇒ v(t) ∈ ι(t)
, ∀t′, v′(t′) = 0 if
((q1, q2), (q′1, q
′
2))
↪→ t′ ∨ t1  t2 . t′
v(t′)else
(2),(4)
((q1, q2), v)
l→TTS ((q′1, q′2), v′)
DIS
Figure 3.9 – Building/Destructing the TTS Semantics of a Synchronous Product Tran-
sition
3.2. Concrete/Abstract Systems 55
first implication Let ((q1, v1), (q2, v2))
l→TTS ((q′1, v′1), (q′2, v′2)) be a tran-
sition of [[CTTS1]]‖
S
[[CTTS2]].
In Fig 3.8 the rules are read from bottom to top :
• By the SYNCHRONOUS rule of the composition of TTS (Fig 3.5), we
know that the transition ((q1, v1), (q2, v2))
l→TTS ((q′1, v′1), (q′2, v′2))
may not exist unless (q1, v1)
l→TTS (q′1, v′1) of [[CTTS1]] and
(q2, v2)
l→TTS (q′2, v′2) of [[CTTS2]] both exist and that the labels may
be synchronized.
• Since the transitions exist on the two TTS, then by our DIS rule
(Fig 3.3) we know that these two transitions also exist on the cor-
responding CTTS. By applying twice (one for each transition) the
DIS rule (Fig 3.3) we reach the transitions s1
l→CTTS q′1 of TI1 and
q2
l→CTTS q′2 of TI2. Additionally, we reach the specification of
the vi and v′i clocks which are defined respectively as ∀t′, v′i(t′) ={
0 if (qi, q′i) ↪→ t′ ∨ ti . t′
vi(t′) else
Now in Fig 3.9, the rules are read from top to bottom :
• The composition of q1 l→CTTS q′1 and q2 l→CTTS q′2 at the CTTS level
is also based on the SYNCHRONOUS rule (Fig 3.5) of the CTTS
composition. This leads to the transition (q1, q2)
l→CTTS (q′1, q′2).
• The clock vi of each of the CTTSi systems is projected on the result
of their composition. In the result of the composition of TTS there
exists three kinds of transitions :
1. t1 t2 : this leads directly to ∀t1, t2, (q1, q2) ∈ dom(ρ(t1 t2))⇒
v(t1  t2) ∈ ι(t1  t2) since in the synchronizing case v(t1 
t2) = 0.
2. ti ↑ i for i = (1,2) : this leads to ∀ti, (q1, q2) ∈ dom(ρ(ti ↑ i)) ⇒
v(ti ↑ i) ∈ ι(ti ↑ i). But based on the interval composition rules
TimeL and TimeR (Fig 3.6) of CTTS ι(ti ↑ i) = ι(ti).
Since the value of the clock v is known for all kinds of transitions at
the result of composition of CTTS, then we can generalize this fact to
every transition t as follows : ∀t, (q1, q2) ∈ dom(ρ(t))⇒ v(t) ∈ ι(t).
• The clock v′i is projected into the synchronization case of the compo-
sition of the CTTS.
1. Based on rules (2) and (4) of the clock reset relation (Fig 3.7) we
know that the clock transitions that were reset by v1 and v2 will
be reset by v’.
2. Based on the composition of the CTTS (Fig 3.5), we know that
the transitions that are enabled by (qi, q′i) will be enabled by
(q1, q2), (q′1, q
′
2).
56 Chapter 3. CTTS Timed Simulation
This leads to ∀t′, v′(t′) =
{
0 if ((q1, q2), (q′1, q
′
2)) ↪→ t′ ∨ t1  t2 . t′
v(t′) else
• Since we have the transition (q1, q2) l→CTTS (q′1, q′2) and the values of
the clocks v and v’ then we can apply the definition of the DIS rule
(Fig 3.3) which leads to the transition ((q1, q2), v)
l→TTS ((q′1, q′2), v′).
second implication Let ((q1, q2), v)
l→TTS ((q′1, q′2), v′) be a transition of
[[TI1‖
S
TI2]].
In Fig 3.9, the rules are read from bottom to top :
• The application of the DIS rule (Fig 3.3) leads to (q1, q2) l→TTS (q′1, q′2)
and to the valuation of the clock v as ∀t, (q1, q2) ∈ dom(ρ(t)) ⇒
v(t) ∈ ι(t) and the clock v’ (Synchronization) as ∀t′, v′(t′) ={
0 if ((q1, q2), (q′1, q
′
2)) ↪→ t′ ∨ t1  t2 . t′
v(t′) else .
• Since the transition exists on the composition result of CTTS1 and
CTTS2, then by our SYNCHRONOUS rule (Fig 3.5) of the compo-
sition of CTTS we know that q1
l→CTTS q′1 and q2 l→CTTS q′2 both
exist.
• The value of the clock v are projected to their values before the com-
position :
1. ∀t1, t2, (q1, q2) ∈ dom(ρ(t1  t2))⇒ v(t1  t2) ∈ ι(t1  t2) : This
is the case of synchronization. In this case, ι(t1  t2) is [0,∞[
and could be projected directly without any concern about the
values of the clocks.
2. For i = (1,2), ∀ti, (q1, q2) ∈ dom(ρ(ti ↑ i)) ⇒ v(ti ↑ i) ∈ ι(ti ↑
i) : these are the cases of interleaving that are only possible
on τ events. But since ι(ti ↑ i) is equal to ι(ti) based on the
interval composition of the CTTS (rules TimeL and TimeR of
Fig 3.6), then the values of vi before the composition are ∀ti, qi ∈
dom(ρ(ti))⇒ v(ti) ∈ ι(ti).
In Fig 3.8, the rules are read from top to bottom :
• For i ∈ {1, 2}, based on the composition rules (2) and (4) of the clock
reset relation (Fig 3.7), the values of the clock v′ leads to the clocks
vi where ∀t′, v′i(t′) =
{
0 if (qi, q′i) ↪→ t′ ∨ ti . t′
vi(t′) else
• Having the two transitions at the CTTS level along with the valua-
tion of vi and v′i, the DIS rule (Fig 3.3) is applied which leads into
(q1, v1)
l→TTS (q′1, v′1) of [[TI1]] and (q2, v2) l→TTS (q′2, v′2) of [[TI2]].
• Now the composition of these two transitions at the TTS level is
also based on the SYNCHRONOUS rule of the CTTS composi-
tion (Fig 3.5). This leads into the transition ((q1, v1), (q2, v2)
l→TTS
((q′1, v
′
1), (q
′
2, v
′
2)) which happens to be our awaited conclusion.
3.2. Concrete/Abstract Systems 57
Since the two implications hold we conclude that ((q1, v1), (q2, v2)
l→TTS
((q′1, v
′
1), (q
′
2, v
′
2)) ' ((q1, q2), v) l→TTS ((q′1, q′2), v′).
Left Interleaving Case
Lemma 3.3 The transition ((q1, v1), (q2, v2))
l1→TTS ((q′1, v′1), (q2, v2)) ex-
ists on [[TI1]]‖
S
[[TI2]] iff the transition ((q1, q2), v)
l1→TTS ((q′1, q2), v′) exists
on [[TI1‖
S
TI2]], with v and v’ defined as:
∀t, v(t) =

0 i f t = t1  t2
v1(t1) i f t = t1 ↑ 1
v2(t2) i f t = t2 ↑ 2
and ∀t′, v′(t′) =
{
0 if ((q1, q2), (q′1, q2)) ↪→ t′ ∨ t1 ↑ 1 . t′
v(t′) else
Proof.
t1 : q1
l1→CTTS q′1 ,
∀t′, q1 ∈ dom(ρ(t′))⇒ v1(t′) ∈ ι(t′)
∀t′, v′1(t′) =
{
0 if (q1, q′1) ↪→ t′ ∨ t1 . t′
v1(t′) else
(q1, v1)
l1→TTS (q′1, v′1) , l1 /∈ S ∪ ∆
DIS , (q2,v2)=(q′2,v
′
2)
((q1, v1), (q2, v2))
l1→TTS ((q′1, v′1), (q2, v2))
INTL
Figure 3.10 – Building/Destructing the TTS Left Interleaving Product Transition
t1 : q1
l1→CTTS q′1
l1 /∈ S
(q1 ,q2)
l1→CTTS(q′1 ,q2)
INTL ,
∀t1, t2, (q1, q2) ∈
dom(ρ(t1  t2))
⇒ v(t1  t2) ∈
ι(t1  t2)
∀ti , qi ∈ dom(ρ(ti))
⇒ vi(ti) ∈ ι(ti)
∀ti , (q1, q2) ∈
dom(ρ(ti ↑ i))
⇒ v(ti ↑ i) ∈
ι(ti)
TL ,TR
∀t, (q1, q2) ∈ dom(ρ(t))
⇒ v(t) ∈ ι(t)
, ∀t′, v′(t′) = 0 if
((q1, q2), (q′1, q2))
↪→ t′ ∨ t1 ↑ 1 . t′
v(t′)else
(1),(3)
((q1, q2), v)
l1→TTS ((q′1, q2), v′)
DIS
Figure 3.11 – Building/Destructing the TTS Semantics of a Left Interleaving Product
Transition
The proof of Lemma 3.3 is similar to Lemma 3.2. It suffices to reason
with the InterleavingL, rules (1) and (3) of the clock-reset.
Right Interleaving Case
Lemma 3.4 The transition ((q1, v1), (q2, v2))
l2→TTS ((q1, v1), (q′2, v′2))exists
58 Chapter 3. CTTS Timed Simulation
on [[TI1]]‖
S
[[TI2]] iff the transition ((q1, q2), v)
l2→TTS ((q1, q′2), v′) exists
on [[TI1‖
S
TI2]], with v and v’ are defined as:
∀t, v(t) =

0 i f t = t1  t2
v1(t1) i f t = t1 ↑ 1
v2(t2) i f t = t2 ↑ 2
and
∀t′, v′(t′) =
{
0 if ((q1, q2), (q1, q′2)) ↪→ t′ ∨ t2 ↑ 2 . t′
v(t′) else
Proof. This is the symmetrical case of the left interleaving case. For the
proof it suffices to reason with the (1) and (3) of the clock-reset rules.
Compositionality of the CTTS Semantics. Having Lemma 3.4, Lemma 3.3
and Lemma 3.2, then [[TI1‖
S
TI2]] ' [[TI1]]‖
S
[[TI2]]
CTTS Properties
Property 3.1 (Bisimilar States ) Given a CTTS T, two states (q, v) and (q, v′)
in [[T]] that associate the same valuations (w.r.t v and v′) to enabled τ transitions
are bisimilar.
This means that the states (q, v) and (q, v′) can only differ in the val-
uation associated to τ transitions that are not enabled in q. However the
valuations of clocks associated to transitions labeled by visible events can
differ because they are unconstrained.
Proof of Bisimilarity. To prove this property we introduce the relation R
defined as :
R((qc, vc), (qa, va)) ≡
(qc = qa ∧ (∀t,λ(t) = τ ∧ qc ∈ dom(ρ(t))⇒ vc(t) = va(t)))
The proof of this property consists in showing its preservation by the
three kinds of transitions (visible, τ and δ) available on a TTS (TTS Def-
inition 3.1). Suppose R(q1, v1), (q1, v′1). Suppose that (q1, v1)
l→ (q2, v2)
where α ∈ {α, τ, δ). We show that there exists a state (q2, v′2) such that
(q1, v′1)
l→ (q2, v′2) and R((q2, v2), (q2, v′2)).
1. Visible Event α : a visible event of CTTS is not time constrained,
it can thus happen unconditionally in q1 (at both the concrete and
the abstract levels). The firing of the transition leads in both cases
to the state q2. The effect of the transition firing on the clocks val-
uations is to reset a subset of clocks. Since resetting just induces
additional clock equalities w.r.t v2 and v′2, the relation R is preserved
: R((q2, v2), (q2, v′2)).
2. τ Event : a τ transition happens when the transition’s clock satisfies
its corresponding time interval constraint. By the definition of R, the
clocks for the τ transition have the same valuations (w.r.t v1 and
v′1). The firing of τ transition in both of (q1, v1) and (q1, v
′
1) happens
at the same time and leads in both cases to the state q2 where a
subset of clocks is reset. It follows that the relation R is preserved :
R((q2, v2), (q2, v′2)).
3.3. Timed Weak Simulation 59
3. Delay : a δ transition is fired if after adding δ to the clocks of the
enabled τ transitions, their maximal bounds are not reached. This
condition is satisfied at the same time at both the abstract and the
concrete level in q1. Adding δ to already equal clock values preserves
the equality, thus R is preserved.
Thanks to Definition 3.1, we conclude that the systems are bisimilar.
Definition 3.19 (1-τ) A CTTS is called 1-τ if it does not have two successive τ
actions. Formally, t : q τ→ q′ ∧ t′ : q′ l→ q′′ ⇒ l 6= τ.
We define now the following restriction on a CTTS. This restriction is
used when verifying the time weak simulation between two CTTSs.
Definition 3.20 (Upper Closure) A CTTS is called upper bounded closed if its
right bounded intervals are right closed .
Remark 3.5 The CTTS of Fig 3.1 is not upper bounded closed since the interval
associated to the transition t1 is right opened.
Property 3.2 (Upper Closure Preservation) Given two upper bounded closed
CTTS1 and CTTS2 and a set of synchronization labels S, their composition
CTTS1‖
S
CTTS2 is also upper bounded closed.
3.3 Timed Weak Simulation
We define our timed weak simulation relation between the TTSs.
Definition 3.21 (State-Event Timed Weak Simulation) Given the set of labels Lτ
and two TTS A = 〈Qa, Q0a,→a〉 and C = 〈Qc, Q0c ,→c〉 defined over Lτ, a set of
propositions P and two valuation functions vc : Qc → 2P and va : Qa → 2P, a
simulation between them - is the largest relation such that :
∀qc qa, qc - qa ⇒
V. vc(qc) = va(qa) (Valuations)
E. ∀q′c e, qc e→c q′c ⇒ ∃q′a, qa τ
∗e→a q′a ∧ q′c - q′a (Visible Events)
T. ∀q′c, qc τ→c q′c ⇒ q′c - qa (τ Events)
D. ∀q′c δ, qc δ→c q′c ⇒ ∃q′a, qa δ
∗
=⇒a q′a ∧ q′c - q′a (Delay)
We say that (C, vc) - (A, va) if ∀q0C ∈ Q0C, ∃q0A ∈ Q0A such that (q0C, q0A) ∈
R.
Remark that unlike other timed simulations definitions already seen
in Chapter : Timed Systems, in our timed weak simulation definition, the
abstract system may have τ events. This is needed in our FIACRE context,
since in FIACRE systems timing constraints are added to local events.
Allowing abstract τ events will thus enables us to add time to the abstract
system.
In order to preserve the linear time properties, additional clauses are
added to timed weak simulation. This leads to the State-Event Deadlock-
Sensitive (DS) Timed Weak Simulation. We will be denoting this relation
by -DS.
60 Chapter 3. CTTS Timed Simulation
Definition 3.22 (Deadlock-Sensitive Timed Weak Simulation ) Given the set of
labels Lτ and two TTS Systems A = 〈Qa, Q0a,→a〉 and C = 〈Qc, Q0c ,→c〉
defined over the same alphabet, a set of propositions and two valuation functions
vc : Qc → 2P and va : Qa → 2P, a simulation between them -DS is the largest
relation such that :
∀qc qa, qc -DS qa ⇒
V ∧ E ∧ T ∧D
N_C. C has no-τ-cycle (De f inition 3.3).
D. ∀q′a e, qa e→a q′a ⇒ ∃q′c, qc e→c q′c ∧ vc(q′c) = va(q′a) (Deadlock)
We say that (C, vc) -DS (A, va) if ∀q0C ∈ Q0C, ∃q0A ∈
Q0A such that (q
0
C, q
0
A) ∈ R.
The fifth clause (N_C) expresses that the refinement does not authorize
infinite sequences of τ transitions in the concrete system. This means that
there always must be a way out of these cycles, by doing a visible event.
The last clause expresses that the concrete system C must not contain
deadlocks which do not exist in the abstract system A. Remark that in
order to preserve deadlocks and to have a compositional definition (See
Theorem 3.3.3), we require that the existance of an abstract visible tran-
sition implies its existance at the concrete level with the same label and
compatible valuations.
3.3.1 Traces Inclusion
It has been known, for a couple of decades now that simulation relations
are a sufficient condition for traces inclusions. Actually, the reason behind
the definition of timed simulation relations, is the non-decidability of the
language inclusion for timed models like timed automata [15]. Depending
on the chosen definitions of the timed models, its traces and the timed
simulation relation, the result concerning the traces inclusion may differ.
Here we show that our chosen timed weak simulation is a sufficient con-
dition for timed traces inclusion.
Theorem 3.2 (SE-Traces Inclusion) Given a set of propositions P , two CTTSs,
A and C, and two valuation functions vc : Qc → 2P and va : Qa → 2P , if
(C, vc) -DS (A, va) then SE-Traces([[C]], vcopi1) ⊆ SE-Traces([[A]], vaopi1).
Proof. This proof is a standard one in the non-timed context. Let
A, C be two CTTS, such that (C, vc) -DS (A, va). We prove that
SE-Traces([[C]], vcopi1) ⊆ SE-Traces([[A]], vaopi1). Let tc be a trace ∈
SE-Traces([[C]], vcopi1). We show by a step-by-step construction that tc is
also a trace ∈ SE-Traces([[A]], vaopi1).
1. Based on our hypothesis that (C, vc) -DS (A, va), we show that we
can build an execution in the abstract system, denoted as execa, that
has the trace tc as a projection. Suppose that the initial state q0c of
exec(tc) and the initial state q0a of execa are in a simulation relation
q0c -DS q0a. Inductively we have :
(a) vc(q0c) = va(q0a).
3.3. Timed Weak Simulation 61
(b) For all qc ∈ Qc,qa ∈ Qa, assume that α is a discrete action from
qc
α→c q′c : in this case, based on the Visible Events rule of -DS
we know that ∃q′a α, qa τ
∗α→a q′a and q′c -DS q′a. This means that α
is reachable from qa and thus appears in execa prefixed by τ∗.
(c) For all qc ∈ Qc,qa ∈ Qa, assume that δ is a delay from qc δ→c q′c
: in this case, based on the Delay rule of -DS we know that
∃q′a, qa
(τ|δi)∗→a q′a ∧Σδi = δ∧ q′c -DS q′a. This also means that δ can
elapse from qa and thus appear in execa in the form of (τ|δi)∗.
(d) For all qc ∈ Qc,qa ∈ Qa, assume that τ is a local event qc τ→c q′c
: in this case, based on the τ Events rule of -DS we know that
q′c -DS qa.
If the concrete trace tc is infinite, the corresponding execution is also
infinite. In this case, the preceding rules build an infinite abstract ex-
ecution with the same trace. Otherwise, tc is finite. Based on our hy-
pothesis that the C has no τ-cycle, then we know that the execution
corresponding to the trace tc, denoted by exec(tc) is also finite. This
means that it ends in a concrete deadlock state. Given the property
D of our simulation definition (Definition 3.22), the corresponding
abstract state is also in deadlock.
We have shown that there exists an abstract execution execa that is
in a simulation relation with exec(tc) such that it only differs in its
τ events. But we know that in order to build a corresponding trace
of an execution, we first need to apply the τ-reduction transforma-
tion rule (Definition 3.10), followed by applying the projection rule.
Hence, the τ events are dropped when transforming the execution
into a corresponding τ-reduced execution. Applying the projection
rule to a τ-reduced version of execa leads into a trace ta which is
the same as the projection of the τ-reduced version of execc. Thus tc
coincide with ta.
3.3.2 Property Preservation
As we have shown, our simulation relation is a sufficient condition for
traces inclusion. However, this is just one piece of the puzzle. The comple-
mentary result is the relation between the traces inclusion and the preser-
vation of linear time properties. A strong relation between these last two
exists. Actually, this is a standard result in the untimed context. Here we
extend this result and its proof in our context. The original proof can be
found in [21].
Theorem 3.3 (Property Preservation) Given A = 〈Qa, Q0a, Ta, Lτ, ρa,λa, ιa, .a〉
and C = 〈Qc, Q0c , Tc, Lτ, ρc,λc, ιc, .c〉 with two valuation functions vc :
Qc → 2P and va : Qa → 2P saying that SE-Traces([[C]], vcopi1) ⊆
SE-Traces([[A]], vaopi1) is equivalent to saying that for any linear time property
62 Chapter 3. CTTS Timed Simulation
ϕ (expressed as a set of TSET): (A, va) |= ϕ⇒ (C, vc) |= ϕ.
SE-Traces([[C]], vcopi1) ⊆ SE-Traces([[A]], vaopi1)︸ ︷︷ ︸
traceInc
⇔ (A, va) |= ϕ⇒ (C, vc) |= ϕ︸ ︷︷ ︸
LTPres
Proof. For two CTTS, A = 〈Qa, Q0a, Ta, L, ρa,λa, ιa, .a〉 and C =
〈Qc, Q0c , Tc, L, ρc,λc, ιc, .c〉 with two valuation functions vc : Qc → 2P
and va : Qa → 2P :
(traceInc)⇒ (LTPres):
Assume that SE-Traces([[C]], vcopi1) ⊆ SE-Traces([[A]], vaopi1) and let ϕ
be an LT property such that A |= ϕ. From Definition 3.17 it follows
that ∀σ, (σ ∈ SE-Traces([[A]], vaopi1) ⇒ σ ⇓|= ϕ). Since by hypothe-
sis, SE-Traces([[C]], vcopi1) ⊆ SE-Traces([[A]], vaopi1), it now follows that
∀σ, (σ ∈ SE-Traces([[C]], vcopi1) ⇒ σ ⇓|= ϕ. By Definition 3.17 it follows
that (C, vc) |= ϕ.
(LTPres)⇒ (traceInc):
Assume that for all LT properties it holds that: (A, va) |= ϕ im-
plies (C, vc) |= ϕ. Let ϕ = TSET([[A]], vaopi1). Obviously, (A, va) |=
ϕ. By assumption, (C, vc) |= ϕ. Hence, TSET([[C]], vcopi1) ⊆
ϕ(= TSET([[A]], vaopi1)). It follows that SE-Traces([[C]], vcopi1) ⊆
SE-Traces([[A]], vaopi1).
3.3.3 Compositional Simulation
Our timed weak simulation relation preserves the compositionality of the
CTTS. By compositionality we mean that the parallel operator is mono-
tonic w.r.t our timed simulation. Given a component C inside of a com-
position C ‖ C1 ‖ C2...Cn the monotony of ‖ is informally described
as : if C is replaced by a component C′ such that C′ simulates C, then
C′ ‖ C1 ‖ C2...Cn simulates C ‖ C1 ‖ C2...Cn. Such a result is then one of
the cornerstones of incremental development and of modular verification.
We give in the following the theorem of the simulation compositionality.
Definition 3.23 (Valued CTTS Composition) Given two CTTS, CTTS1 =
〈Q1, Q01, T1, Lτ, ρ1,λ1, ι1, .1〉, CTTS2 = 〈Q2, Q02, T2, Lτ, ρ2,λ2, ι2, .2〉, with the
valuation functions v1 : Q1 → 2P1 , v2 : Q2 → 2P2 and the set of labels S, we
define their valued composition as the couple (CTTS, v) where :
• CTTS is the restriction of CTTS1‖
S
CTTS2 to coherent states belonging to
the following set :
I = {(q1, q2) ∈ Q1 ×Q2 | v1(q1) ∩ P2 = v2(q2) ∩ P1}
• v(q1, q2) = v1(q1) ∪ v2(q2).
We denote their composition by (CTTS1, v1)‖
S
(CTTS2, v2).
Coherent states are product states of which two projections do not have
contradictory properties : if p is a mutual property of P1 and P2, the two
projections of the states must agree on the truth value of p defined by v1
and v2.
3.3. Timed Weak Simulation 63
Theorem 3.4 (Simulation Compositionality) Given the valued CTTSs
(A1, va1),(A2, va2),(C1, vc1) and (A2, vc2) and the set of labels S. Let (A, va)
and (C, vc) be the composition of respectively the abstract and concrete CTTSs,
we have :
(C1, vc1) -DS (A1, va1) (C2, vc2) -DS (A2, va2)
(C, vc) -DS (A, va)
Proof. Given the CTTS, A1 = 〈Qa1 , Q0a1 , Ta1 , Lτ, ρa1 ,λa1 , ιa1 , .a1〉, A2 =
〈Qa2 , Q0a2 , Ta2 , Lτ, ρa2 ,λa2 , ιa2 , .a2〉, C1 = 〈Qc1 , Q0c1 , Tc1 , Lτ, ρc1 ,λc1 , ιc1 , .c1〉 and
C2 = 〈Qc2 , Q0c2 , Tc2 , Lτ, ρc2 ,λc2 , ιc2 , .c2〉 with the valuation functions vc1 :
Qc1 → 2P1 , vc2 : Qc2 → 2P2 , va1 : Qa1 → 2P1 , and va2 : Qa2 → 2P2 and the
set of labels S, we prove that :
(C1, vc1) -DS (A1, va1) ∧ (C2, vc2) -DS (A2, va2)⇒
(C, vc) -DS (A, va)
where :
• C is the restriction of (C1, vc1)‖
S
(C2, vc2) to coherent states of Ic =
{(qc1 , qc2) ∈ Qc1 ×Qc2 | vc1(qc1) ∩ P2 = vc2(qc2) ∩ P1}.
• vc(qc1 , qc2) = vc1(qc1) ∪ vc2(qc2)
• A is the restriction of (A1, va1)‖
S
(A2, va2) to coherent states of Ia =
{(qa1 , qa2) ∈ Qa1 ×Qa2 | va1(qa1) ∩ P2 = va2(qa2) ∩ P1}.
• va(qa1 , qa2) = va1(qa1) ∪ va2(qa2)
We define the relation R between the states of (C, vc) and (A, va) as
R((qc1 , qc2), (qa1 , qa2)) = qc1 -DS qa1 ∧ qc2 -DS qa2 . We verify whether R
satisfies the clauses of -DS.
Given (qc1 , qc2) ∈ Ic and (qa1 , qa2) ∈ Ia such that R((qc1 , qc2), (qa1 , qa2)) :
1. Propositions : By the hypothesis (C1, vc1) -DS (A1, va1) and
(C2, vc2) -DS (A2, va2) we know respectively that vc1(qc1) = va1(qa1)
and vc2(qc2) = va2(qa2). It follows that vc1(qc1) ∪ vc2(qc2) = va1(qa1) ∪
va2(qa2). Thus by definition we reach vc(qc1 , qc2) = va(qa1 , qa2). Thus
R satisfies the first clause of -DS.
Let tc be a transition in C1‖
S
C2 where λ ∈ {α, τ, δ}.
2. Visible Events : Let λ = α be a discrete action. Three cases need
to be investigated which belong to the synchronous and the two
interleaving cases of the CTTS composition (Fig 3.5) :
(a) Synchronous case : since tc : (qc1 , qc2)
α→ (q′c1 , q′c2) is present in
the composition (C, vc) then based on the SYNCHRONOUS
rule of the composition, tc1 : qc1
α→ q′c1 and tc2 : qc2
α→ q′c2
also exist at each side of the composition C1 and C2. Having by
hypothesis qc1 -DS qa1 and qc2 -DS qa2 then by applying the
rule Visible Events of -DS on each of tc1 and tc2 we conclude
64 Chapter 3. CTTS Timed Simulation
respectively that there exists q′a1 such that ta1 : qa1
τ∗a α→ q′a1 ∧
q′c1 -DS q′a1 and that there exists q′a2 such that ta2 : qa2
τ∗a α→ q′a2 ∧
q′c2 -DS q′a2 . Now, the composition of ta1 and ta2 would lead to
ta : (qa1 , qa2)
τ∗a α→ (q′a1 , q′a2). Having q′c1 -DS q′a1 and q′c2 -DS q′a2
then by our definition we reach ((q′c1 , q
′
c2), (q
′
a1 , q
′
a2)) ∈ R and R
verifies the second clause of -DS.
We are left with proving that (q′a1 , q
′
a2) is coherent, meaning that
it respects the invariant Ia. Particularly, we need to show that
va1(q
′
a1)∩P2 = va2(q′a2)∩P1. We know, that (q′c1 , q′c2) is coherent,
thus vc1(q
′
c1) ∩P2 = vc2(q′c2) ∩P1. Since q′c1 -DS q′a1 and q′c2 -DS
q′a2 , then by the rule V of -DS, we reach vc1(q′c1) = va1(q′a1) and
vc2(q
′
c2) = va2(q
′
a2). It follows that (q
′
a1 , q
′
a2) is coherent.
(b) Left Interleaving : in the left interleaving case, the transition
tc : (qc1 , qc2)
α→ (q′c1 , qc2) is present in the composition (C, vc) as
a result of the firing of the left-side transition of the composition
and α /∈ S. Based on the INTERLEAVINGL rule of the compo-
sition we can find tc1 : qc1
α→ q′c1 while C2 remains at qc2 state.
Based on our hypothesis, then by using the rule Visible Events of
-DS we can find q′a1 such that ta1 : qa1
τ∗a α→ q′a1 ∧ q′c1 -DS q′a1 . The
transition ta in the composition is then built as ta : (qa1 , qa2)
τ∗a α→
(q′a1 , qa2). Having q
′
c1 -DS q′a1 and qc2 -DS qa2 then by our defini-
tion we reach ((q′c1 , qc2), (q
′
a1 , qa2)) ∈ R and R verifies the second
clause of -DS.
Finally, by following a similar reasoning as in the synchronous
case, we show that (q′a1 , qa2) is coherent.
(c) Right Interleaving : this is the symmetrical case of the left inter-
leaving case.
3. τ Events : λ is a local action τ. Two cases need to be investigated
which belong the two interleaving cases.
(a) Left τ : in the left τ case, the transition tc : (qc1 , qc2)
τ→ (q′c1 , qc2)
is present in the composition (C, vc) as a result of the firing
of the left-side transition of the composition. Based on the
INTERLEAVINGL rule of the composition we can find tc1 :
qc1
τ→ q′c1 while C2 remains at qc2 state. Based on our hypothesis,
then by using the rule τ Events of -DS we have q′c1 -DS qa1 . In
the composition at the abstract level we then reach (qa1 , qa2)→.
Having q′c1 -DS qa1 and qc2 -DS qa2 then by our definition we
reach ((qc1 , qc2), (qa1 , qa2), (q
′
c1 , qc2), (qa1 , qa2)) ∈ R and R verifies
the third clause of -DS.
(b) Right τ : this is the symmetrical case of the Left τ.
4. Delay : λ is a time label λ = δ ∈ ∆. Since the advance of time is
always synchronous, only the SYNCHRONOUS composition is in-
vestigated. This leads to the case of the synchronous visible events,
except for the use of the rule Delay instead of the rule Visible Events
3.4. Timed Weak Simulation Verification 65
of the timed weak simulation definition. We may finally conclude
that ((qc1 , qc2), (qa1 , qa2), (q
′
c1 , q
′
c2), (q
′
a1 , q
′
a2)) ∈ R and R verifies the
fourth clause of -DS. Finally, by following a similar reasoning as
in the synchronous case, we show that (q′a1 , q
′
a2) is coherent.
5. Deadlock : Suppose the transition ta : (qa1 , qa2)
α→ (q′a1 , qa2) is present
in the valued composition (A, va) we have to prove that a corre-
sponding transition exists in (C, vc). For this, we investigate the three
following cases :
• Synchronous Case : since ta exists on (A, va) then based on the
SYNCHRONOUS rule of the composition, ta1 : qa1
α→ q′a1 and
ta2 : qa2
α→ q′a2 also exist at each side of the composition A1
and A2. Having by hypothesis qc1 -DS qa1 and qc2 -DS qa2
then by applying the rule Deadlock of -DS on each of ta1 and
ta2 we conclude respectively that there exists q
′
c1 such that
tc1 : qc1
α→ q′c1 and that there exists q′c2 such that tc2 : qc2
α→ q′c2
with va1(q
′
a1) = vc1(q
′
c1) and va2(q
′
a2) = vc2(q
′
c2).
Now, the composition of tc1 and tc2 would lead to tc :
(qc1 , qc2)
α→ (q′c1 , q′c2). The target state is coherent and has the
same valuation as its corresponding abstract state.
• Left/Right Interleaving Cases : Similar proof as the previous
Synchronous case.
We have shown that R satisfies the -DS clauses. Thus the
largest relation contains R. Since R contains the initial state couples
((qc1 , qc2), (qa1 , qa2)), we can conclude that the largest relation contains
it also. Consequently, the refinement property is satisfied by the two
products.
3.4 Timed Weak Simulation Verification
We start by introducing our technique in the untimed context by giving
a weak simulation µ-calculus-based property. This property is later ex-
tended to the timed context.
3.4.1 Composing the Abstract/Concrete Systems
Our technique shares its grounds and features with model-checking
techniques. Indeed, the first step consists in composing asyn-
chronously the abstract with the concrete system. Given an ab-
stract CTTS A = 〈Qa, Q0a, Ta, Lτ, ρa,λa, ιa, .a〉 and a concrete one
C = 〈Qc, Q0c , Tc, Lτ, ρc,λc, ιc, .c〉, the two systems are composed after hav-
ing renamed the events of the two systems by indexing the abstract(resp.
concrete) ones by a (resp. c). The composition is thus made asynchronous
(Fig. 3.12) in order to be able to observe all the transitions of the concrete
system and verify whether they are simulated by the abstract system or
not. The synchronous composition is not applicable because transitions of
66 Chapter 3. CTTS Timed Simulation
Abstract e
n
a
e1a
τa1
τap
...
...
Concretee
m
c
e1c
τc1
τcq
...
...
Figure 3.12 – Systems
the concrete system may disappear in the product system. This is the case
when a concrete transition is not matched by the abstract system.
Untimed Weak Simulation Verification
The composition result is analyzed to check the weak simulation between
A and C. To do so, the following Weak Simulation criterion [54, 28] which
corresponds intuitively to the first two rules of the relation - is verified
on A‖
∅
C :
∀(q0a, q0c) ∈ Q0a ×Q0c , (q0a, q0c) |= νX.
1︷ ︸︸ ︷∧
i
[eic](EFτa 〈eia〉X)∧
2︷ ︸︸ ︷∧
j
[τ jc ]X
1. The first part of the formula means that for each concrete event eic
and for each transition labeled by this concrete event eic, there exists
a path of a number of abstract local events τa that leads eventually
to a transition labeled by the abstract event eia such that the target
verifies recursively the property.
2. The second part of the formula means that after each transition la-
beled with a concrete local event τ jc the simulation is maintained.
Example of Untimed Weak Simulation Verification
We illustrate the intuition of the technique on an example of vending ma-
chine models [28].
coin
tea coffee tea coffee
hazard hazard
T T1 2
q0 q0
coin coin
pre
Figure 3.13 – Example of Untimed Simulation Verification
The following property is satisfied since from the initial state, for any
transition selected in T2, it is possible to select a transition in T1 labeled
with the same event. We then conclude that T2 simulates T1
3.4. Timed Weak Simulation Verification 67
(q0T1, q
0
T2) |=
νX.([coinT2](µY.(〈pre〉Y ∨ 〈coinT1〉X))
∧[co f f eeT2](µY.(〈pre〉Y ∨ 〈co f f eeT1〉X))
∧[teaT2](µY.(〈pre〉Y ∨ 〈teaT1〉X)) ∧ [hazard]X)
However, checking the following property will return false meaning
that T1 does not simulate T2. This is because after the coin event in T1, it is
possible to select either the coffee or the tea events, whereas in T2, the coin
transition leads to a state where only one of those events may be selected.
(q0T1, q
0
T2) 6|=
νX.([coinT1](µY.(〈hazard〉Y ∨ 〈coinT2〉X))
∧[co f f eeT1](µY.(〈hazard〉Y ∨ 〈co f f eeT2〉X))
∧[teaT1](µY.(〈hazard〉Y ∨ 〈teaT2〉X)) ∧ [pre]X)
3.4.2 Extension to the Timed Context
We have seen a rather simple property that checks the weak simulation
between two untimed systems via an asynchronous composition. How-
ever, this property could not be used directly in the timed context since it
assumes that concrete and abstract events are composed asynchronously,
while the composition of time transitions is necessarily synchronous be-
cause time advances at the same rate at the two sides of the composition.
Two alternatives are possible. The first is to specify these timing con-
straints in a timed variant of µ-calculus (for instance: [100]). This assumes
the existence of a model-checking tool that supports such logic. The sec-
ond is to specify the timing aspects with timed observers, compose the
analyzed system with these observers and then make use of an untimed
logic. We would rather follow the second technique.
For this purpose, we define two observers (Fig. 3.4 and 3.7) which are
composed with both the concrete and abstract systems.
1. The first observer ControlObserver consists in observing the con-
trol aspects of the two systems. Namely, for each event of the imple-
mentation, the control observer will try to find a matching event of
the abstraction that can happen at the same time.
2. The second observer TimeObserver models the elapse of time in
the two systems.
In the two observers, the reset relations are empty. This way, the observers
never impact the reset relations defined in the abstract and the concrete
systems.
Control Observer
The Control Observer is depicted in Fig. 3.4.
At the initial state ok, the observer synchronizes with either one of the
events eia, τic or eic. When synchronizing with any of the events eai the ob-
server signals an error (err state) since a concrete event is not yet found.
When synchronizing with any of τic the observer maintains the state ok.
Finally, when synchronizing with the concrete events eic, it tries to match
68 Chapter 3. CTTS Timed Simulation
Control Observer : Obs
Concreteec
m
ec
1
ea
1
ea
n
...
ok
e c e a
1
wait-1
1
e m e a
nc
wait-n
err
τ [0,0]
τ [0,0]
e a
1
e a
n
...
τ1c
τqc
...
τ1c
τqc
...
...
......
...
...
ec
m
ec
1
τ1c
τqc
...
...
Abstract ea
n
ea1
τ1a
τpa
...
...
Figure 3.14 – Control Observer
them with the abstract events eia. After a concrete event eic is received, the
observer transits to the state waiti meaning that it now awaits for a match-
ing abstract event eia. At this point, the following scenarios may happen
:
• A matching abstract event is found and the observer transits back to
the state ok.
• The abstract system violates the timing of the concrete system and
the observer transits to the state err. That is, a matching abstract
event is not possible at the same time as the corresponding concrete
event. This is modeled by signaling an error in 0 u.t.. Hence, in case a
matching event is found in 0 u.t, we would reach a non-deterministic
choice between transiting back to ok or also to err. The two transi-
tions would then be present in the composition process. As we will
see, this choice is resolved in the µ-calculus property by searching
for a path that satisfies the simulation and thus ignoring the error
transition.
Time Observer
The control observer only checks whether two corresponding events could
happen at the same time. However, it does not say anything about when
an elapse of time has occurred. This leads to the definition of an addi-
tional observer TimeObserver (Fig. 3.7) in which two aspects are mod-
eled. First, at the initial state evt0, only the transitions that are firable in
0 time can occur. This is done by specifying a concurrent choice between
a timed event τ_0 constrained with [0, 0] at one hand and all the events of
the abstract and concrete systems at the other.
Second it makes visible the implicit elapse of time. At the state Dly, on
each elapse of time, a timed event delay associated with the constraint
]0,∞[ is signaled. This event is later used by the µ-calculus property as a
marker of an elapse of time.
3.4. Timed Weak Simulation Verification 69
Concrete ec
m
ec
1
τ1c
τqc
...
...
Abstract ea
n
ea
1
τ1a
τpa
...
...
Time Observer : Obs
evt0
delay ]0,∞[
τ_0 [0,0]
evtDly
e a
1 e a
n.. .
τ a1 τ ap.. . τ c1 τ cq.. .
e c
1 e c
m.. .
δ
ecm
ec
1
τ1c
τqc
...
...
ea
n
ea
1
τ1a
τpa
...
...
Figure 3.15 – Time Observer
Timed Weak Simulation Verification
Before giving the µ-calculus property used to verify the timed weak sim-
ulation, we make the following assumptions on the abstract and the con-
crete systems which are needed for verification purposes.
Assumption 1 (Concrete/Abstract) A concrete system is any upper bounded
closed CTTS. An abstract system is any τ non-Zeno, τ divergent, 1-τ, upper
bounded closed CTTS.
The CTTS hypothesis 1-τ is a sufficient condition for the following τδ
permutation property.
Definition 3.24 (τ− δ Permutation ) Given a TTS, for all q q′ q1 q2 ∈ Q, δ ∈ ∆,
q δ→ q′ ∧ q τ→ q1 δ→ q2 ⇒ ∃q′′, q′ τ→ q′′ ∧ q2 ∼ q′′.
q1
q'δq
τ
q2δ
τ q''
~
Figure 3.16 – τ − δ Permutation
This means that from a state q, transitions τ and δ may be exchanged
leading to similar states q2 and q′′. This property is close to the persistency
of [87] that says that time cannot suppress the ability to do an action. How-
ever, our requirement that q2 ∼ q′′ is stronger. This property is not true in
general since the clocks newly reset at the state q′′ have different values at
q2. The 1-τ hypothesis is a sufficient condition on the CTTSs so that the
clock differences at q2 and q′′ would not affect the overall execution of the
system.
Theorem 3.5 (1-τ is a sufficient condition for τ− δ permutation) Given a CTTS
T that satisfies the 1-τ condition, its semantics [[T ]] verifies the property of per-
mutation.
Proof. Let T = 〈Q, Q0, T, Lτ, ρ,λ, ι, .〉 be a CTTS that satisfies the 1-τ con-
dition and let [[T ]] be its semantics. We suppose that ∀q q′ q1 q2 ∈ Q, δ ∈
70 Chapter 3. CTTS Timed Simulation
∆, q δ→ q′ ∧ q τ→ q1 δ→ q2 (1) is verified in [[T ]] . We prove that there exists
a state q′′ such that q′ τ→ q′′ ∧ q2 ∼ q′′ (2). Actually in [[T ]] (1) is writ-
ten as : (q, v) δ→[[T ]] (q, v + δ) ∧ (q, v) τ→[[T ]] (q′, v′) δ→[[T ]] (q′, v′ + δ) while
(2) is written as (q, v + δ) τ→[[T ]] (q′, v′′) ∧ (q′, v′ + δ) ∼ (q′, v′′). First, we
investigate whether we can find (q, v + δ) τ→[[T ]] (q′, v′′).
(q',v')
(q,v + δ)δ(q,v)
τ
(q',v' + δ)δ
τ (q',v'')
~
Figure 3.17 – Sufficient Condition for τ − δ Permutation
Based on the CTTS semantics, we know the following, namely that
t : q τ→T q′ exists:

t : q τ→T q′ →,
∀t′, q ∈ dom(ρ(t′))⇒ v(t′) ∈ ι(t′)
∀t′, v′(t′) =
{
0 if (q, q′) ↪→ t′ ∨ t . t′
v(t′) else
,
q ∈ dom(ρ(t))⇒ v(t) ∈ ←−ι(t) ∧ v(t) + δ ∈ ←−ι(t)
(q, v) δ→[[T ]] (q, v + δ) ∧ (q, v) τ→[[T ]] (q′, v′) δ→[[T ]] (q′, v′ + δ)

Since t : q τ→T q′ and (q, v) δ→[[T ]] (q, v+ δ) exist, it means that at the CTTS
level, τ is associated to an interval having a maximal bound greater or
equal to δ. Then at the q state, τ may be delayed and is still a firable tran-
sition after δ. This also means that the enablement condition of τ depends
only on q and not on the clock evolution. Thus, (q, v + δ) τ→[[T ]] (q′, v′′)
also exists.
Now in q’, because of the 1− τ hypothesis, no new τ events are en-
abled. Thus, the (q′, v′+ δ) and (q′, v′′) are bisimilar thanks to the bisimilar
states property 3.3.
Timed Weak Simulation Criterion The check of timed weak simula-
tion consists in a µ-calculus property verified on the composition re-
sult of the abstract system, the concrete system and the two observers
(A ||| C)‖(Obs ‖
Lτ−Ar
Obsδ) where Obs is the control observer, Obsδ is the
time observer and Ar = {delay, τ_0}. The simulation of time transitions
consists in verifying whether each delay made by the concrete system can
also be made by the abstract one. But unlike the asynchronous composi-
tion in the untimed context with which we were able to alternate between
the occurrence of the concrete and the abstract events, time is always syn-
chronous in each of A, C and the two observers. The idea of alternating
between the concrete and abstract systems does not apply to time transi-
3.5. Soundness and Completeness of the Criterion 71
tions. The Timed Weak Simulation criterion is defined as :
∀(q0a , q0c ) ∈ Q0a ×Q0c , (q0a , q0c , ok, evt0) |= νX.
(1)︷ ︸︸ ︷
Obs in ok ∧Obsδ in evt0∧
(2)Weak Simulation︷ ︸︸ ︷∧
i
[eic](EFτa 〈eia〉X) ∧
∧
j
[τ jc ]X ∧
(3)︷ ︸︸ ︷
(EFτa 〈delay〉>)⇒ EFτa (〈delay〉> ∧ [delay]X)
This property characterizes a set of product states to which the initial state
must belong. This set of states is defined over the composition of states of
A,C and the two observers. We comment on the Timed Weak Simulation
criterion :
• (1) denotes the state in which concrete events are awaited.
• (2) is the untimed weak simulation criterion.
• (3) specifies that if time can elapse (delay event) in the product via a
sequence of abstract local events -meaning that the time can elapse
in the concrete system since the abstract system is τ divergent- then
the time may elapse and for all possible delay events the simulation
holds.
Remark 3.6 We note here that the timed weak simulation criterion is correct
without the hypothesis 1− τ. However it is not complete. This is why we observe
τ sequences. We discuss this in the following section.
3.5 Soundness and Completeness of the Criterion
The proof of the correctness of the µ-calculus criterion w.r.t the mathemat-
ical definition of the timed weak simulation is based on the comparison
between two relations defined as the largest relations which can also be
seen as the greatest fixed points of monotone set functions.
In the following, we first present the adopted proof method. Then we
apply it for the proof of the correctness of the timed weak simulation
criterion.
3.5.1 Proof Method
In order to prove the inclusion between the greatest fixed points of two
monotone set functions Fc and Fa in a modular way, we suppose that the
two functions are defined as the intersection of k basic functions :
Fc(S) =
k⋂
i=1
Fci(S) , Fa(S) =
k⋂
i=1
Fai(S)
Then, we give the following sufficient condition that enables us to de-
compose the proof into k subproofs :
Definition 3.25 (Greatest Fixed Points Inclusion Criterion) Given two functions
Fc and Fa ∈ 2S → 2S , we define the inclusion criterion as :
72 Chapter 3. CTTS Timed Simulation
Fc v Fa ≡ ∀ScSa, Sc ⊆ Sa ∩ Fc(Sc)⇒ Sc ⊆ Fa(Sa)
Theorem 3.6 (Sufficient Condition for the Inclusion of Greatest Fixed Points)
Given a set S and two monotone functions Fc and Fa ∈ 2S → 2S such that
Fα(S) =
⋂k
i=1 Fαi(S), we have the following implication :
(∀i ∈ 1..k, Fci v Fai)⇒ max Fc ⊆ max Fa
Proof of the Sufficient Condition. We have ∀ScSai, Sc ⊆ Fci(Sc) ∧ Sc ⊆ Sa ⇒
Sc ⊆ Fai(Sa) and need to prove that max Fc ⊆ max Fa with max F is
defined as
⋂
n Fn(S) [32]. We instantiate the hypothesis with Sc = max Fc.
As max Fc ⊆ Fc(max Fc), so ∀i ∈ 1..k, max Fc ⊆ Fci(max Fc). Now, for
i ∈ 1..k we prove by induction on n that ∀n, max Fc ⊆ Fnai(S).
1. n = 0 : max Fc ⊆ S .
2. Suppose max Fc ⊆ Fnci (S). By our sufficient condition we get
max Fc ⊆ Fn+1ai (S).
Thus ∀i ∈ 1..k, max Fc ⊆ ⋂n Fnai(S). We conclude that max Fc ⊆ max Fa.
Definition 3.26 (Strengthened Greatest Fixed Points Inclusion Criterion) Given
a set S and two functions Fc and Fa ∈ 2S → 2S , and a property P over 2S we
define the inclusion criterion as :
Fc vP Fa ≡ ∀ScSa,P(Sc) ∧ Sc ⊆ Sa ∩ Fc(Sc)⇒ Sc ⊆ Fa(Sa)
Theorem 3.7 (Strengthened Sufficient Condition for the Inclusion of Greatest
Fixed Points) Given a set S and two monotone functions Fc and Fa ∈ 2S → 2S
such that Fα(S) =
⋂k
i=1 Fα i(S), we have the following implication :
(∀i ∈ 1..k, Fci vP Fai) ∧ P(max Fc)⇒ max Fc ⊆ max Fa
Proof of the Strengthened Sufficient Condition. The previous result cannot be
reused but the proof is similar.
The following proofs are made at the TTS level : we consider the
semantics of the composition (A ||| C)‖(Obs ‖
Lτ−Ar
Obsδ) where Ar =
{delay, τ_0}.
3.5.2 Introduction of Auxiliary Set Functions
The soundness and completeness of the µ-calculus criterion consists in
showing its equivalence with the mathematical definition of the timed
weak simulation. But while the mathematical definition is defined on two
independent concrete and abstract systems, the criterion is defined on a
time-synchronized composition. In order to allow their comparison, we
simplify the µ-calculus property. Since the µ-calculus property character-
izes a set of accepted states of the composition of the abstract and con-
crete systems with the two observers-for which the states are fixed (ok
3.5. Soundness and Completeness of the Criterion 73
and evt0)-, this set of states may be written as the largest relation -µ such
that :
∀q1 q2, q1 -µ q2 ⇒
(∀q′1 q′2 o ec, (q1, q2, ok, evt0)
ec→ (q′1, q′2, o, evt0)⇒
∃q′′1 q′′2 ea, (q′1, q′2, o, evt0)
τ∗a ea→ (q′′1 , q′′2 , ok, evt0) ∧ q′′1 -µ q′′2 ) ∧
(∀q′1 q′2 o, (q1, q2, ok, evt0)
τc→ (q′1, q′2, o, evt0)⇒ o = ok ∧ q′1 -µ q′2) ∧
(∃δ > 0, (q1, q2, ok, oδ) τ
∗
a δ→ −)⇒
∃q′1 q′2 o (q1, q2, ok, evt0)
τ∗a→ (q′1, q′2, o, evtDly)∧
(∃δ > 0, (q′1, q′2, o, evtDly) δ→ −)∧
(∀δ > 0 q′′1 q′′2 o′, (q′1, q′2, o, evtDly) δ→ (q′′1 , q′′2 , o′, evt0) ∧ q′′1 -µ q′′2 )
Based on the definition of the CTTS composition and of the two observers,
then by hiding the unused details of the composition, this property may
be simplified to :
∀q1 q2, q1 -µ q2 ⇒
(
(a)︷ ︸︸ ︷
∀q′1 ec, q1 ec→ q′1 ⇒ ∃q′2 ea, q2
τ∗a ea→ q′2 ∧ q′1 -µ q′2) ∧
(
(b)︷ ︸︸ ︷
∀q′1, q1 τc→ q′1 ⇒ q′1 -µ q2) ∧
(c)︷ ︸︸ ︷
(∃δ > 0, q1 δ→ −∧ q2 τ
∗
a δ→ −)⇒
∃q′2, q2
τ∗a→ q′2∧
(∃δ > 0, q1 δ→ −∧ q′2 δ→ −)∧
(∀δ > 0 q′1 q′′2 , q1 δ→ q′1 ∧ q′2 δ→ q′′2 ⇒ q′1 -µ q′′2 )
We now define -µ as the greatest fixed point of the monotone function Fµ
defined over Qc ×Qa where Fµ(S) = FµE(S) ∩ FµT(S) ∩ FµD(S) with
FµE(S) = {(q1, q2) | ∀q′1 ec, q1
ec→ q′1 ⇒ ∃q′2 ea, q2
τ∗a ea→ q′2 ∧ (q′1, q′2) ∈ S}
FµT(S) = {(q1, q2) | ∀q′1, q1
τc→ q′1 ⇒ (q′1, q2) ∈ S}
FµD(S) = {(q1, q2) | (∃δ > 0, q1 δ→ −∧ q2 τ
∗
a δ→ −)⇒
∃q′2, q2
τ∗a→ q′2∧
(∃δ > 0, q1 δ→ −∧ q′2 δ→ −)∧
(∀δ > 0 q′1 q′′2 , q1 δ→ q′1 ∧ q′2 δ→ q′′2 ⇒ (q′1, q′′2 ) ∈ S)}
We give in the following the definition of - already seen earlier in this
chapter. - is the largest relation such that :
∀q1 q2, q1 - q2 ⇒
(∀q′1 e, q1 e→ q′1 ⇒ ∃q′2 e, q2 τ
∗e→ q′2 ∧ q′1 - q′2) ∧
(∀q′1, q1 τ→ q′1 ⇒ q′1 - q2) ∧
(∀q′1 δ, q1 δ→ q′1 ⇒ ∃q′2, q2 δ
∗
=⇒ q′2 ∧ q′1 - q′2)
74 Chapter 3. CTTS Timed Simulation
Again we define - as the greatest fixed point of the monotone function F
defined over Qc ×Qa where F(S) = FE(S) ∩ FT(S) ∩ FD(S) with
FE(S) = {(q1, q2) | ∀q′1 e, q1 e→ q′1 ⇒ ∃q′2 e, q2 τ
∗e→ q′2 ∧ (q′1, q′2) ∈ S}
FT(S) = {(q1, q2) | ∀q′1, q1 τ→ q′1 ⇒ (q′1, q2) ∈ S}
FD(S) = {(q1, q2) | ∀q′1 δ, q1 δ→ q′1 ⇒ ∃q′2, q2 δ
∗
=⇒ q′2 ∧ (q′1, q′′2 ) ∈ S)}
3.5.3 Proof of the Criterion
The proof consists in a soundness and a completeness proof of the crite-
rion.
Soundness
Lemma 3.5 (Visible Events) Given two CTTS A and C, we have :
∀ScSa ∈ 2Qc×Qa , Sc ⊆ Sa ∩ FE(Sc)⇒ Sc ⊆ FµE(Sa)
meaning
∀Sc ⊆ Sa, ∀(q1, q2) ∈ Sc,
(H)︷ ︸︸ ︷
(∀q′1 ec, q1 ec→ q′1 ⇒ ∃q′2 ea, q2
τ∗a ea→ q′2 ∧ (q′1, q′2) ∈ Sc)
⇒ (∀q′1 e, q1 e→ q′1 ⇒
(G)︷ ︸︸ ︷
∃q′2 e, q2 τ
∗e→ q′2 ∧ (q′1, q′2) ∈ Sa)
Proof. Let Sc ⊆ Sa and (q1, q2) ∈ Sc. Let q′1e such that q1 e→ q′1. By the
hypothesis (H), we obtain q′2 and ea such that q2
τ∗a ea→ q′2 ∧ (q′1, q′2) ∈ Sc.
We choose them to be the witnesses for (G). As Sc ⊆ Sa we get (q′1, q′2) ∈
Sa.
Lemma 3.6 (τ Events) Given two CTTS A and C, we have :
∀ScSa ∈ 2Qc×Qa , Sc ⊆ Sa ∩ FT(Sc)⇒ Sc ⊆ FµT(Sa)
Proof. This is similar to the previous proof.
Lemma 3.7 (Delay ) Given two CTTS A and C supposed to be upper bounded
closed and such that A is τ non-Zeno and τ-divergent :
∀ScSa ∈ 2Qc×Qa , Sc ⊆ Sa ∩ FD(Sc)⇒ Sc ⊆ FµD(Sa)
meaning
3.5. Soundness and Completeness of the Criterion 75
∀Sc ⊆ Sa, ∀(q1, q2) ∈ Sc,
(H)︷ ︸︸ ︷
(∃δ > 0, q1 δ→ −∧ q2 τ
∗
a δ→ −)⇒
∃q′2, q2
τ∗a→ q′2∧
(∃δ > 0, q1 δ→ −∧ q′2 δ→ −)∧
(∀δ > 0 q′1 q′′2 , q1 δ→ q′1 ∧ q′2 δ→ q′′2 ⇒ (q′1, q′′2 ) ∈ Sc)
⇒ (∀q′1 δ, q1 δ→ q′1 ⇒
(G)︷ ︸︸ ︷
∃q′2, q2 δ
∗
=⇒ q′2 ∧ (q′1, q′2) ∈ Sa)
Proof. Let Sc ⊆ Sa.Let (q1, q2) ∈ Sc such that (H). Let q′1, δ such that q1 δ→
q′1. We have to prove (G) :
1. if δ = 0 : let q′2 = q2. We need to prove (q1, q2) ∈ Sa. But this is true
thanks to Sc ⊆ Sa.
2. if δ 6= 0 : using the τ non-Zeno induction principle, we suppose that
there exists a product state that is reached after δ1 < δ in Sc. Let st0
be such a state. Since the abstract system is τ-divergent, then q2
τ∗a δ→
of left-side of the implication of (H) is satisfied. Thus there exists
a state x ∈ Qc × Qa such that st0 τ
∗
a→ x δ>0→ − and ∀δ′, there exists
x′, x δ
′→ x′ ∧ x′ ∈ Sc. Three cases need to be investigated :
(a) The delay in state x is in a right opened interval. Based on
our hypothesis that the concrete and the abstract are upper
bounded closed and on Property 1, the interval cannot be but
unbounded. But this means that it is then possible to reach δ in
the product. Let x’ be the associated product state. Thus x′ ∈ Sc.
Since Sc ⊆ Sa, we conclude that x′ ∈ Sa.
(b) The delay in state x is in a right closed interval with a bound
greater or equal to δ. But this also means that it is possible to
reach δ in the product. idem.
δ
q2
δ
τ
q1
1 Scst0 ∈Sc(q1,q2) ∈
*
x
Scx' ∈δ0
τ+
Figure 3.18 –
(c) This corresponds to the case depicted in Fig 3.18. The delay in
state x is in a right closed interval with a bound less than δ. This
means that we reach the bound of the interval. Let δ0 be this
delay and x
δ0→ x′. In x′ ∈ Sc, it remains to reach δ− δ1− δ0 > 0.
But in the state x′ of the product, only τa can occur because we
have reached the bound of the interval. Using the τ non-Zeno
76 Chapter 3. CTTS Timed Simulation
induction principle, the property that the abstract system can
make a sequence (τa|δi) such that Σδi = δ is verified.
Completeness
For the purpose of the completeness proof we introduce the following
lemma.
Lemma 3.8 (Finiteness of Control) Given a CTTS = 〈Q, Q0, T, Lτ, ρ,λ, ι, .〉
and a monotonic property Pδ ⊆ 2Q such that ∀δδ′, δ ≤ δ′ ⇒ Pδ ⊆ Pδ′ , if the
CTTS has a finite control (T is finite) then its semantics [[CTTS]] satisfies the
following property allowing the quantifiers exchange :
(∀δ > 0, ∃q′, q τ→ q′ ∧ Pδ(q′))
∃q′, q τ→ q′ ∧ ∀δ > 0, Pδ(q′)
Proof. Given q ∈ Q, for any transitions t1 and t2 we say that t1 ≤ t2 if
{δ | ∃q′, (q, q′) ∈ ρ(t1) ∧ Pδ(q′)} ⊆ {δ | ∃q′, (q, q′) ∈ ρ(t2) ∧ Pδ(q′)}. ≤
is a total preorder because of the monotonicity of P. Since T is finite (by
hypothesis) and non empty then there exists a greatest element. We choose
its destination state.
Lemma 3.9 (Visible Events) Given two CTTS A and C, we have :
∀ScSa ∈ 2Qc×Qa , Sa ⊆ Sc ∩ FµE(Sa)⇒ Sa ⊆ FE(Sc)
Proof. This is similar to the Visible Events soundness proof.
Lemma 3.10 (τ Events) Given two CTTS A and C, we have :
∀ScSa ∈ 2Qc×Qa , Sa ⊆ Sc ∩ FµT(Sa)⇒ Sa ⊆ FT(Sc)
Proof. This is similar to the visible Events Soundness proof.
For the purpose of the following proof, we use the Strengthened crite-
rion by choosing for the property P(S) the stability of S ⊆ Qc ×Qa under
the strong bisimulation in Qa. This means if (qc, qa) ∈ S and qa ∼ q′a then
(qc, q′a) ∈ S. Recall that stability is verified by max F because the strong
simulation implies the weak timed simulation defined by max F.
Lemma 3.11 (Delay ) Given two CTTS A and C such that A has a finite
control 2 and is 1-τ :
∀ScSa ∈ 2Qc×Qa , Sa ⊆ Sc ∩ FµD(Sa) ∧ Sa is ∼ −stable⇒ Sa ⊆ FD(Sc)
meaning
2This is not a restriction since the CTTSs are user defined and their set of transitions is
always finite. The semantics of the CTTS may still be infinite due to time transitions.
3.5. Soundness and Completeness of the Criterion 77
∀Sc ⊆ Sa, ∀(q1, q2) ∈ Sc,
(H)︷ ︸︸ ︷
(∀q′1 δ, q1 δ→ q′1 ⇒ ∃q′2, q2 δ
∗
=⇒ q′2 ∧ Σδi = δ ∧ (q′1, q′′2 ) ∈ Sa)
⇒ (∃δ > 0, q1 δ→ −∧ q2 τ
∗
a δ→ −)⇒
∃q′2, q2
τ∗a→ q′2∧
(∃δ > 0, q1 δ→ −∧ q′2 δ→ −)∧
(∀δ > 0 q′1 q′′2 , q1 δ→ q′1 ∧ q′2 δ→ q′′2 ⇒ (q′1, q′′2 ) ∈ Sc)
Proof. Let Sa ⊆ Sc. Let (q1, q2) ∈ Sa such that (H). Let δ > 0 such that
hyp2 : q1
δ→ −∧ q2 τ
∗
a δ→ −. We need to prove that :(
∃q′2, q2
τ∗a→ q′2 ∧ (∃δ > 0, q1
δ→ −∧ q′2
δ→)∧
(∀δ > 0 q′1 q′′2 , q1
δ→ q′1 ∧ q′2
δ→ q′′2 ⇒ (q′1, q′′2 ) ∈ Sa)
)
(3.1)
Two cases need to be investigated which are whether from the state
(q1, q2) a delay event may occur or not:
1. Suppose hyp3 : (q1, q2) |= 〈delay〉> : Let q′2 = q2, so q2
τ∗a→ q′2 is verified
and by hyp3, (∃δ > 0, q1 δ→ − ∧ q′2 δ→) is also verified. We are left
with proving :
(∀δ > 0 q′1 q′′2 , q1
δ→ q′1 ∧ q′2
δ→ q′′2 ⇒ (q′1, q′′2 ) ∈ Sa)
Let δ > 0 q′1 q
′′
2 such that q1
δ→ q′1 ∧ q′2 δ→ q′′2 . By hyp1 we know
that ∃q′2, q2
(τa|δi)∗→ q′2 ∧ Σδi = δ ∧ (q′1, q′2) ∈ E2). Let q′2 such a state.
And since by hypothesis E2 ⊆ E1 then (q′1, q′2) ∈ E1. Now having
q2
δ→ q′′2 and q2
(τa|δi)∗→ q′2 then by the permutation property we have
q′2 ∼ q′′2 . By the stability of Sa for the strong bisimulation we obtain
(q′1, q
′′
2 ) ∈ E1. Since Sa ⊆ Sc, we have (q′1, q′′2 ) ∈ E1.
2. Suppose hyp4 : (q1, q2) 6|= 〈delay〉> : By hyp2 we know that there
exists st′ such that q2
τ∗a→ st′ and (q1, st′) δ→ −. Knowing that the
abstract system is 1-τ then either st′ = st or st τ→ st′. But by hyp4,
the first case is impossible, then st τ→ st′.
Let δ be a delay 6= 0 and q′1 such that q1 δ→ q′1. By hyp1, the ab-
stract system contains a path of τ− δ of whatever duration made by
the concrete system that preserves the refinement (∈ E2). This path
surely starts with a τ since time cannot elapse in (q1, q2). By the hy-
pothesis of finiteness of control of the abstract system, it is possible
to find a unique τ transition as a first step of all the paths.
Let q2
τ→ x0 be this transition. We choose x0 as the state q′2 of the
property (1) we are proving. Three conditions have to be satisfied :
(a) q2
τ∗a→ x0 : This is verified by construction of x0.
78 Chapter 3. CTTS Timed Simulation
(b) (∃δ > 0, q1 δ→ −∧ q′2 δ→ −) : This is also verified. We take δ al-
ready introduced. We have q1
δ→ q′1. We also have x0 δ→ − since
another τ is no longer possible because of the 1-τ hypothesis.
(c) Let δ0 > 0 q′1 q
′′
2 such that q1
δ0→ q′1 ∧ x0
δ0→ −. By our choice of x0,
there exists a path of duration δ0 starting from x0 in the abstract
system and preserving the refinement. Knowing that there is
only one τ, this path does not contain but a unique step, the δ0
delay. Let x1 such that x0
δ0→ x1. We have (q′1, x1) ∈ E2 ⊆ E1.
Discussion On the Assumptions
We discuss the two major restrictions made on the abstract system :
1. τ non-Zenoness and τ divergence: these two are standard assump-
tions made on timed systems. In our context they guarantee the
progress of time in the abstract system. This is necessary in our
composition-based method because time is always synchronous.
Blocking the time in the abstract system could thus result in blocking
time in the whole composition and hide concrete delays.
2. No successive τ transitions : permitting τ transitions in A compli-
cates the verification of the timed weak simulation, because in this
case any delay in C can be matched by a series of delays in A sepa-
rated by τ transitions [36]. An example that illustrates this problem
is depicted in 3.19. In the composition of the abstract and the con-
crete system, a trace where an event a2 is not matched with an event
a1 exists. This means that the mu-calculus property will not be sat-
isfied even though a simulation does hold. This belongs to the case
where an elapse of 3 u.o.t is consumed entirely by the first time in-
terval of the abstract system [0, 3]. The occurrence of a2 would thus
never be followed instantaneously by a matching a1 event.
Abstract A
Concrete C
A || C
s2[3,3]s1
s3a2  s2
s1
s4
s3a2
s2[0,3]s1 s3[1,1] s4
a1
δ 1 s5a1
δ 3
δ 2
s6
δ 1
s8
s7
a2
a1
s9
s10
a2
a1
Figure 3.19 – Counter Example
Now concerning our 1-τ restriction, general modeling techniques
of real time systems are still permitted. For instance, specifying a
maximal bound of a global event e is made by a choice between a
timed local event τ and the event e. Specifying a minimal bound of
a global event e is made by a sequential execution of a timed local
event τ and e.
3.5. Soundness and Completeness of the Criterion 79
3.5.4 Extension to a Deadlock-Sensitive Timed Weak Simulation
The check of Deadlock-Sensitive (DS) timed weak simulation consists
also in a µ-calculus property verified on the composition result of
the abstract system, the concrete system and the two observers (A |||
C)‖(Obs ‖
Lτ−Ar
Obsδ) where Obs is the control observer, Obsδ is the time
observer and Ar = {delay, τ_0}. The DS Timed Weak Simulation criterion is
written in µ-calculus as follows :
∀(q0a, q0c) ∈ Q0a ×Q0c , (q0a, q0c , ok, evt0) |=
TimedWeakSimulation︷ ︸︸ ︷
νX.Obs in ok ∧Obsδ in evt0∧
∧
i
[eic](EFτa〈eia〉X) ∧
∧
j
[τ jc ]X∧
(EFτa〈delay〉>)⇒ EFτa(〈delay〉> ∧ [delay]X)∧
Event Deadlock︷ ︸︸ ︷∧
i
[eia]〈eic〉>
This property characterizes a set of product states to which the initial
state must belong. This set of states is defined over the composition of
states of A,C and the two observers. We comment on the DS-Timed Weak
Simulation criterion :
• The first part is exactly the Timed Weak Simulation criterion.
• The second part describes the deadlock preservation property. Ac-
tually it describes that each abstract visible event is followed by a
corresponding concrete event.
The proof of equivalence of this criterion with the DS-timed weak sim-
ulation is direct their formulations are similar.
3.5.5 Extension to a State-Event Timed Weak Simulation
The DS-timed weak simulation criterion is extended to the case of the
state-event timed weak simulation with the addition of the relation be-
tween the concrete and the abstract propositions. For P the set of propo-
sitions and a proposition p ∈ P , the µ-calculus property is then extended
with this proposition relation as shown in the following :
∀(q0a, q0c) ∈ Q0a ×Q0c , (q0a, q0c , ok, evt0) |=
DSTimedWeakSimulation︷ ︸︸ ︷
νX.Obs in ok ∧Obsδ in evt0∧
∧
i
[eic](EFτa〈eia〉X) ∧
∧
j
[τ jc ]X∧
(EFτa〈delay〉>)⇒ EFτa(〈delay〉> ∧ [delay]EFτa X)∧
State−Event Deadlock︷ ︸︸ ︷∧
i
[eia]〈eic〉(
∧
p∈P
pc ⇔ pa)∧
PropositionsRelation︷ ︸︸ ︷∧
p∈P
pc ⇔ pa
80 Chapter 3. CTTS Timed Simulation
where (qc, qa) |= pc if p ∈ vc(qc) and (qc, qa) |= pa if p ∈ va(qa). We
comment on the addition of the propositions relation :
• We say that for each proposition p, if p is satisfied by the variables
of the concrete system xkc , then the variables of the abstract system
xla should satisfy it as well. Obviously, the concrete and abstract vari-
ables would depend on the systems that are verified.
The proof of equivalence of this criterion with the State-Event DS-
timed weak simulation is direct because their formulations are similar. We
just say here that in the given formula, the propositions are verified at the
initial state and then after the occurrence of the visible events. This is be-
cause the recursivity of the formula is applied after the event occurrence
in
∧
i[eic](EFτa〈eia〉X). This coincides with our mathematical definition of
the simulation.
3.6 Conclusion
We have given in this chapter our first main contribution. This contribution
consists in the study of timed simulation relations and their properties.
For this we have defined a timed weak simulation that holds in both the
state and the action based contexts. We have shown that in order for the
weak simulation to preserve linear logic properties, other clauses namely
the deadlock and divergence need to be verified. We have also given a
verification technique for the simulation. In the next chapter, we tackle the
application part of this document. For this, we start by introducing the
BPEL language and its relation with formal methods.
Part III
Application

Chapter One
Web Services
1.1 Introduction
With the emergence of distributed systems technologies and the fast evo-
lution of service oriented architecture, Web services are increasingly be-
coming a major part of our daily lives. Many web services composition
languages have been developed to describe the way a group of distributed
web services interact with each other. In this matter, the Web Services
Business Process Execution Language (WS-BPEL or simply BPEL) [18] is a
well known service composition language. However, BPEL lacks a formal
semantics and is defined informally in natural language. Several transfor-
mations to formal formalisms have thus been suggested. Their common
goal is the verification of BPEL processes and their composition.
This chapter consists of two main sections. In the first section we intro-
duce the web services and their composition. Afterward, we present the
BPEL, which is the web services composition language that will be used
all along this document. In the second section, we present the relation be-
tween BPEL and formal methods by covering a subset of transformations
from BPEL to formal languages.
1.2 Service Oriented Architecture
Service oriented architecture (SOA) is a form of a distributed architectural
approach that allows to create independent systems and applications that
communicate with each other by exposing and using services. In today’s
world, SOA is considered a key architectural pattern for prompt and rapid
integration, leading thus to a more agile Information Technology (IT). In-
deed, most of today’s greatest successes, in terms of bringing agility to
the whole enterprise through its IT backbone, have been provided by SOA
and its major technological counterparts that are the Web Services and the
Enterprise Service Bus (ESB) [98]. SOA is typically used as a communi-
cation way between enterprises and clients. An enterprise then offers its
products in the form of a set of Web services publishing operations.
84 Chapter 1. Web Services
1.2.1 Web Services
The Web Services represent a communication mechanism between two
distant applications over the web. The main characteristics of a web service
are the following :
1. They use mostly the HTTP protocol as a communication protocol.
2. They are specified in an XML-based notation to describe the ex-
changed messages and data.
3. They organize the order of messages invocations and responses.
Web Services Layers
The web services architecture is based on a layered model that contains
the following three main layers :
1. Messages : in this layer the structure of the exchanged messages
is described. This is done using the Simple Object Access Protocol
(SOAP) [3] that provides a messaging framework that allows the
exchange of messages coming from different protocols such as HTTP,
SMTP, FTP etc .
2. Descriptions : in this layer, the web services interface is de-
scribed. This is done using the Web Service Description Language
(WSDL) [84] which is an XML-based language that allows to de-
scribe the functionality offered by a Web service. A WSDL descrip-
tion of a web service provides the address of the web service (how it
can be called) as well as the operations (input/output parameters in
the form of messages) that the service offers.
3. Processes : in this layer, the dynamic behavior of a web service may
be described, such as the order in which certain messages invoca-
tions and responses is made etc. This can be written using the Busi-
ness Process Execution Language BPEL. In this layer also, the dis-
covery of services is made which allows to search for a specific web
service in the service registry of an enterprise.
In the context of this chapter we emphasize on two layers which are
the description layer in which the WSDL is used and the processes layer
in which the BPEL is used.
WSDL The Web Services Description Language WSDL [84] is an XML-
based language that describes the interface and the functionality offered
by a Web service. The web service interface defines the address of the
service, the operations it offers, the operation’s input and output param-
eters along with their data types. WSDL describes the functionality of a
web service with a set of operations which define the type of exchanged
messages. The operations are then encapsulated by an endpoint (or port)
that is linked to a concrete transport protocol such as SOAP, HTTP etc
which allows the transport of the messages between the web service and
its clients. We show the structure of a WSDL file :
1.2. Service Oriented Architecture 85
< d e f i n i t i o n s name = . . . >
<types> Data Types used by the messages </types>
<message name = . . . > Message D e f i n i t i o n </message>
<portType name = . . . >+ Set of operat ions
<operat ion name = . . . > Operation D e f i n i t i o n </operat ion>+
</portType>+
<binding name = . . . > messages l i n k with the implementation </binding>
< s e r v i c e name = . . . > S e r v i c e and URL D e f i n i t i o n </ s e r v i c e >
</ d e f i n i t i o n s >
A WSDL file starts with the root element definitions. It contains
the name of the web service and may also reference other name-spaces
that are used by the WSDL file. Inside the definitions the following
elements are defined :
1. types : defines the data-types used by the messages. The data-types
may be XML schema written in the XML Schema language [4] (also
known as XSD).
2. message : defines the exchanged data independently of the imple-
mentation and the transport protocol. The message contains the in-
formation needed to perform the operation of the web service.
3. operation : describes the functionality offered by a web service. An
operation defines the message exchange between a web service and
its clients. An analogy may be made between an operation and a
method or function call in a traditional programming language.
4. portType : a porttype encapsulates a set of operations. This porttype
is then associated to a transport protocol and is used as an endpoint
of the connection. A group of porttypes actually define the inter-
face of a web service, its operations and the messages that may be
performed by the operations.
5. binding : defines the real link between the operation messages and
the transport protocol. It also defines the SOAP binding style (RPC/-
Document) and transport (SOAP Protocol).
6. service : defines the access ports that attaches the bindings to the
URL.
1.2.2 Web-Services Composition
Until now we have only seen the way a web service can be described,
but did not talk about how it can be composed. Actually, a greater value
results of a composition of multiple web services - leading to a new web
service- each of them dedicated to the handling of one task in a business
procedure. For instance, a merchandising company can decide to create
two web services, one for invoice management and another for shipment
preparation. The composition of these two will create a new web service
describing the merchandising company. In the following we will describe
the two most used approaches for web services composition.
86 Chapter 1. Web Services
Orchestration vs. Choreography
The terms orchestration and choreography [90] describe two web services
composition approaches that allow to create new web services out of ex-
isting ones. Choreography is in nature a collaborative effort in which the
message sequences are tracked between the interacted web services. Each
web service describes the role it plays in the interaction by receiving or
sending messages. In a choreography, each web service knows exactly
when to do an interaction, the operations it needs to execute and the par-
ties with which it interacts. In Fig 1.1 we show a choreography of four
web services. The interaction is started by WS1 that invokes WS2. As WS2
turn comes up, it invokes WS3 and WS4 concurrently and then awaits for
their sequential responses before returning a response back to WS1.
WS1
WS2
WS3
WS4
1. in
voke
7. re
ply
2. invoke4. reply
3. in
voke5. invoke
2. invoke
6. reply
Figure 1.1 – Choreography
Unlike choreography, orchestration is an approach that is based on
having a central process called orchestrator that controls the order and the
way the different web services interact. This is done by means of business
tasks or activities. The interaction is also made by receiving and sending
messages but this time the interacting web services do not know they are
involved in a business composition, only the orchestrator is aware of this
business goal. So, in an orchestration the control is always represented
from the orchestrator’s perspective. In Fig 1.2, we show how SW2 plays
the role of the orchestrator. First it receives the SW1’s message, then it
communicates concurrently with SW3 and SW4 before replying to SW1.
Business Process Execution Language BPEL
BPEL4WS (or just BPEL) [18] is an XML-based language that describes the
behavior of web services in a business process interaction. The interaction
of different partner web services is done for orchestration purposes. BPEL
is defined over a WSDL file that describes the operations allowed by the
BPEL process, while the BPEL process defines the order in which these
operations are executed.
Structure of a BPEL process A BPEL process contains a primary activity
-containing nested activities- that may communicate with the partner web
services in order to allow their orchestration. Each web service consists of
1.2. Service Oriented Architecture 87
WS1 WS2 WS3
WS4
1. receive
5. reply
2. invoke
3. receive
2. invoke
4. receive
(orchestrator)
Figure 1.2 – Orchestration
a partnerlink, a portType and an operation that other web services may
invoke in order to start a specific communication. The communication
with the different partners is made by sending and receiving messages
via this tuple. The partnerlink is a BPEL communication point. Depend-
ing on whether the communication is synchronous or asynchronous, the
partnerlink contains one or two portTypes (see WSDL 1.2.1). The second
portType is used to enable callBacks in asynchronous communications.
PurchaseOrder  
     Process  
PartnerLink
purchasing
PartnerLink
Invoicing
PartnerLink
  shipping
purchaseOrderPT
shippingCallbackPT
shippingPT
invoiceCallbackPT
computePricePTActivity
Figure 1.3 – BPEL Structure: ex PurchaseOrder
In Figure 1.3, we show the structure of the PurchaseOrder process [18]
example. The process starts by receiving a purchase demand over the
Partnerlink purchasing and the portType purchaseOrderPT. It then in-
vokes two web-services (1) over the Partnerlink Invoicing and the Port-
Type ComputePricePT in order to prepare the invoice on one hand and
(2) over the Partnerlink shipping and the portType shippingPT to manage
the shipping at the other hand. Once a reply from each of these two web-
services is received respectively over the portTypes invoiceCallbackPT and
shippingCallbackPT, the BPEL process sends back an invoice on the same
partnerlink, the one that has received the purchase demand.
BPEL Language We show in the following a simplified structure of a
BPEL process :
88 Chapter 1. Web Services
<process name="NCName" targetNamespace=" anyURI "
. . .
<partnerLinks>?
< !−− N o t e : At l e a s t one r o l e must be s p e c i f i e d . −−>
. . .
</partnerLinks>
< v a r i a b l e s >?
. . .
</ v a r i a b l e s >
<faul tHandlers>?
< !−− N o t e : There must be a t l e a s t one f a u l t H a n d l e r −−>
. . .
</faul tHandlers>
<eventHandlers>?
< !−− N o t e : There must be a t l e a s t one onEvent or onAlarm . −−>
. . .
</eventHandlers>
a c t i v i t y
</process>
1. Partnerlinks represent the static part of a BPEL process and are de-
scribed in a WSDL document where the operations offered by a web
service are also given. The dynamic part of BPEL is described by
means of activities.
2. Variables are used to save the values of the input and output mes-
sages of the BPEL process. Their types may reference either a mes-
sage type in a WSDL file or an XML schema data type.
3. Basic Activities define the elementary operations of the business pro-
cess. They are the usual ones such as Receive, Reply, Invoke,
Assign, Throw or Rethrow, Exit, Empty, Wait to delay the
execution and the less usual ones such as Compensate and
CompensateScope to trigger the compensation handlers.
4. Structured Activities define the order in which nested activities are
executed. These are the Sequence and the Flow activities for
the sequential and parallel execution respectively, the While, the
RepeatUntil, the If, the Pick for a choice over message events or
alarm events and the ForEach. Finally, the Scope activity to which
one can attach the BPEL handlers may be used as a container of
BPEL activities.
5. Handlers : BPEL provides a fault handler for internal faults handling,
a compensation handler for undoing successfully finished scopes, a
termination handler that controls the forced termination of a scope
and an event handler that manages message and alarm events.
Moreover, links may be used inside a Flow activity to provide addi-
tional control over the order of execution of parallel activities. Each activ-
ity may have multiple outgoing links as well as multiple incoming links.
Every outgoing link has an associated transition condition. The transition
conditions are Boolean expressions based on the process data which are
written in other languages such as XPath [27]. When an activity com-
pletes, it sets its outgoing links by evaluating their transitions conditions.
Now before the start of activities, these transition conditions are evaluated
by the targeted activities in the form of a joinCondion. If the joinCondi-
tion evaluates to true, the activity is started. Otherwise the activity is not
1.3. Formal Methods for the Verification of Web Services Composition 89
started and a standard bpel:joinFailure fault MUST be thrown, unless the
value of suppressJoinFailure is yes in which case bpel:joinFailure is not
thrown [18]. In this latter case (suppressJoinFailure = yes), the outgoing
links of the activity MUST be assigned a false status. This approach is
called Dead-Path Elimination (DPE) [18].
Timed Constructs use relative time within the For Duration primitive
and absolute time within the Until deadline primitive. These features
are used by a wait activity or an <on alarm/> event of a pick activity
or of an event handler.
What’s Behind the Language Here we give in a nutshell some of the
interesting points of the BPEL language.
• BPEL is a hierarchical component-based language where structured
activities are the nodes of the process and basic activities are its
leaves.
• The concurrency is well integrated in BPEL, and concurrent BPEL
activities may communicate either by shared variables (BPEL vari-
ables) or by valued events (links and attached Join Conditions).
• Concerning the BPEL assignments, the WS-BPEL 2.0 specification
requires the assign activity to be atomic. That is, either all the copies
succeed or no changes are made.
These points are important to know in the context of the transforma-
tion to FIACRE. As we have seen, FIACRE is also a component-based lan-
guage where communications happens through shared variables or val-
ued events. Moreover the transitions in FIACRE are also atomic.
1.3 Formal Methods for the Verification of Web Ser-
vices Composition
Several works have been pursued in the area of modeling and verification
of BPEL processes (see [33] for an overview). Most of this work [97, 47, 74]
is based on using an intermediate formalism to model the activities of
BPEL and then applying verification techniques on the obtained system.
Usually, the obtained model is analyzed through the use of techniques
and tools built around the target formalism. These proving techniques
vary between automatic or semi-automatic ones. In the following we give
a subset of these techniques which we sort based on the target formalism.
1.3.1 BPEL to Petri Nets
The first group of work was interested in mapping BPEL constructs to
Petri Nets. The first to address an extensive mapping from earlier versions
of BPEL to Petri Nets was the work of [60] and [101]. In this transforma-
tion the data are abstracted, along with timed constructs. This transforma-
tion supports the verification of behavioral properties such as the absence
of deadlock. The obtained model is then used for this purpose. A tool,
BPEL2PN, that embeds this transformation is also developed [60].
90 Chapter 1. Web Services
The work of [60] has been extended in [74] in order to cover the new
features of BPEL 2.0. This transformation also abstracts from data and
time modeling, but it covers all the features of BPEL 2.0. Lohman has also
been interested about the composition of multiple BPEL processes [76] in
order to verify the composition as a whole. A tool for this transformation
also exists [75].
1.3.2 BPEL to process algebras
Mappings from BPEL to process algebras as CCS [83] and LOTOS [31]
have been suggested. Indeed, in [97] the authors show how CCS can be
exploited to treat BPEL constructs and to verify CTL properties. More-
over, a two-way mapping between BPEL and LOTOS is studied in [47].
This technique is quite interesting because it allows the conception of web
services at the two levels. It also allows to reason about the equivalences
between services by making use of the bisimulation notion.
Others have been interested in transformations towards Promela. In
the work of [85], a subset of the BPEL constructs are transformed into
Promela -via an intermediary formalism - and connected to other pro-
cesses in the description. LTL properties are then verified on the result
process by applying the Spin model checker [63] in order to detect dead-
lock in the execution traces [86]. [48], [49] and later [35] have studied the
modeling of a choreography of multiple BPEL processes with guarded
state-transition systems expressed in Promela. The Promela systems are
then verified using the Spin model checker. In [48] , the data-types ex-
pressed in XML and XPATH are modeled using Promela. However, this
is only used for the case of finite enumerated data-types because of state
explosion. A tool (WSAT) [50] has been also developed.
1.3.3 BPEL to Timed Formalisms
Some works were interested in modeling the timed aspects of BPEL. We
quote in this matter the work of [69] in which the timed behavior of
BPEL activities are captured by introducing a formalism called Web Ser-
vice Timed State Transition Systems (WSTTS) based on timed automata.
In this work, timeouts and the absolute time of BPEL are treated. In addi-
tion, they consider in this technique the temporal cost of activities and deal
with synchronous services. They support as well the expression of com-
plex timed properties in Duration Calculus and verify them using NuSmv.
However, in this technique, only a discrete notion of time is considered.
Another work based on a transformation towards timed automata (TA) is
also presented in [93]. An algorithm for mapping these patterns to timed
automata is later integrated [92] in the ActiveBPEL tool. This work cov-
ers both the relative and the absolute time of BPEL. The compensation and
the termination handlers are not modeled. Moreover, this transformation
does not provide a way to explicitly specify the duration of synchronous
calls or complex time-related properties.
In [99] the authors are interested in determining the execution time of
BPEL activities by modeling the timed behavior of BPEL in timed Petri
Nets. Nevertheless, the absolute time is treated by assuming that the cur-
rent time is given explicitly.
1.4. Conclusion 91
1.3.4 BPEL to Event_B
Approaches based on proof methods have also been used namely through
a mapping from BPEL to Event_B [8]. In this technique [10], the WSDL
file is translated to an Event-B context and the body of BPEL process is
translated to one or several Event_B machines. Unlike model checking
based techniques, this technique does not abstract from data. Thus, data-
based control is modeled. However, time is not modeled since it is not
supported by Event-B. Apart of this, all the BPEL 2.0 constructs are taken
into account. The advantage of this technique, is that it does not face the
problem of state explosion encountered in model checking techniques.
However, the proof obligations produced by the Event_B require an in-
teractive assistance and are usually complex to achieve. Now, concerning
the supported properties, the verification of all temporal logic properties
is not explicit. This is a consequence of the target formalism Event_B. The
verified properties are restricted to static properties such as type prop-
erties, to safety properties, deadlocks, simple liveness properties and to
properties related to transactions.
1.3.5 Formal Methods and BPEL Summary
To conclude this chapter, we give in the following a summary of the exist-
ing BPEL verification tools.
Project [97, 47][85] [60, 74] [10] [69] [93]
Formalisms LOTOS/CCS/Spin Petri Nets Event B WSTTS TA
BPEL 2.0 – + + + –
Coverage + ++ ++ + +
Logic temporal,LTL CTL 1st order DC CTL
Time Modeling – – – + +
Timed Properties – – – + –
Figure 1.4 – Brief BPEL verification tools coverage
1.4 Conclusion
We have introduced in this chapter the application part of this PhD. No-
tions such as web services, web services composition, and web services
verification were discussed. We have shown that a strong relation exists
between BPEL, a web service composition language, and formal methods.
In the next chapter, we tackle the second contribution of this PhD which
consists in a transformation from BPEL to FIACRE.

Chapter Two
Modeling BPEL in FIACRE
2.1 Introduction
Formal methods have been used to verify BPEL models and similar lan-
guages. This is done via a transformation from BPEL to several formal
specification languages. The goal of this transformation is either to give
formal semantics to languages that lack such feature (BPEL in our case),
or to use the resulted formal code for verification purposes.
In this chapter we define a transformation from BPEL to the formal
specification language FIACRE. The transformation covers a subset of the
BPEL constructs which will later appear in the use case that illustrates our
technique. Other constructs are given in the Appendix B. The interesting
point about this transformation is that it is (1) well-structured, (2) proven
to be semantically correct w.r.t some BPEL properties and (3) treats the
timed aspects of BPEL.
• By well-structured we mean that the same composition and hier-
archy of the BPEL activities are maintained in the transformation.
This comes essentially from the fact that the structure of BPEL is na-
tively present in FIACRE since both languages are component based
ones. This allows a compositional transformation. Moreover, the par-
allelism and the communication notions of BPEL (shared variables
and valued events) are close to the ones integrated in FIACRE. Fi-
nally, the atomicity of the BPEL assign activity is also maintained by
FIACRE.
• We show how the transformation can be proved correct by checking
BPEL semantic properties on the generated model.
• The timing aspects of BPEL are considered in this transformation.
FIACRE natively supports real time constraints.
In the next Section we start by identifying some BPEL semantic prop-
erties we want to preserve by our transformation. Afterward, we give our
transformation for a subset of BPEL constructs. Finally, we show how to
prove that the FIACRE patterns preserve these BPEL semantic properties.
94 Chapter 2. Modeling BPEL in FIACRE
2.2 BPEL Semantics
Even though the semantic properties of BPEL are given in natural lan-
guage, they are quite clear concerning some specific points. In the follow-
ing, we collect some of these clauses that we would like to be verified by
the FIACRE transformation. We note that these clauses are not exhaustive
but are rather a subset of the BPEL constructs. This work may be extended
to all of the BPEL constructs.
• Control Semantics : ignoring links, the semantics of the business pro-
cesses, <scopes>, and structured activities determine when a given
activity is ready to start. For example, the second activity in a <se-
quence> is ready to start as soon as the first activity completes. Sim-
ilarly, an activity nested directly within a <flow> is ready to start
when the <flow> itself starts (Links Semantics : page 105 of [18]).
• Links Semantics : when an activity completes without propagating
any fault it triggers all of its outgoing link. When an activity is ready
to start (part of the control flow) and the status of all its incoming
links are received, it evaluates its join condition (Links Semantics :
page 106 of [18]).
• Event Handlers Enablement and Disablement Semantics : the event
handlers associated with a scope are enabled when the parent scope
starts (Enablement of Events : page 142 of [18]). An exception to
this rule applies to scopes that contain a process initial start activity
(for ex : receive). If a scope contains an initial start activity then the
start activity MUST complete before the event handlers are installed
(Scope Initialization : page 116 of [18]).
When the primary activity of a scope is complete, all its contained
event handlers are disabled. However, the running event handlers
MUST be allowed to complete thus delaying the termination of the
whole scope (Disablement of Events : page 143 of [18]). .
• Termination Semantics : the termination of BPEL activities may be
forced to happen immediately (we call it strong termination) or may
be given some time to be done (we call it weak termination). This
depends on the type of the BPEL activity in question. For example,
the assign activities are sufficiently short-lived that they MAY be
allowed to complete rather than being interrupted when termina-
tion is forced while each wait, receive, reply and invoke activ-
ity MUST be interrupted and terminated prematurely (Termination
Handlers : page 135,136 of [18]).
• Scope Hierarchical Termination : upon a fault signal, a hierarchi-
cal termination is adopted for BPEL scopes. The behavior of fault
handling for scope C MUST begin by terminating all activities that
are currently active and directly enclosed within C (Fault Handlers :
page 132 of [18]).
• Hierarchical Fault Propagation : an unhandled fault in a scope is
propagated to its direct enclosing scope’s fault handler. Whenever a
2.3. Overview of the Transformation 95
<catchAll> fault handler (for any fault), <compensationHandler>, or
<terminationHandler> is missing for any given <scope>, they MUST
be implicitly created and implemented by a rethrow activity (Default
Fault, Compensation, and Termination Handlers : page 132 of [18]).
2.3 Overview of the Transformation
The modeling in FIACRE is based on the structure of the BPEL process.
The WSDL part defines the communication points of the BPEL process.
These connections are made first by the definition of partnerlinks. A part-
nerlink is a communication exchange between two partners. The process is
one of the partners, and another service is the other partner. A partnerlink
defines the role that the process plays (if any) and the role that the partner
service plays (if any) in the particular exchange. Depending on the role,
a process can use the porttypes in order to send calls/results or receive
calls/results.
Accordingly, the static part of BPEL (WSDL) is modeled in FIACRE
as global types (see Section 2.1). As for the dynamic part consisting of
the primary activity of the BPEL process and its associated handlers, it is
modeled as an outermost FIACRE component containing the composition
of the primary activity’s corresponding FIACRE pattern with the FIACRE
patterns of these handlers (Fig 2.1). Finally, the communication points of a
BPEL process are modeled by two ports in FIACRE (I for input and O for
output). These ports are typed with the global types modeling the WSDL
part.
type partnerlink_1 
type partnerlink_n 
...WSDL
   Primary     activityand handlers
component BPEL_process par      primary_act   || handlersend 
BPEL FIACRE
PartnerRole = r2 
myRole= r3 
I
O
: r3
: r2⇒⇒
Figure 2.1 – Transformation Structure
This outermost component builds a parallel composition of compo-
nent instances representing the BPEL nested activities. Moreover, BPEL
basic activities are transformed to FIACRE processes while BPEL struc-
tured activities and handlers – being able to contain other activities – are
transformed to FIACRE components.
2.4 Modeling the WSDL
The interaction with the environment is supported by partnerlinks.
In BPEL, each partnerlink may contain two roles (myRole and
partnerRole) typed with Porttype. Each of the Porttype declares
96 Chapter 2. Modeling BPEL in FIACRE
several operations used to receive (Input) or send (Output) messages
(Fig 2.1).
BPEL
Partnerlink_i
myRole
PartnerRole
PortType	Operation_jinputoutput
PortType	Operation_jinputoutput
Figure 2.2 – Connections of BPEL
Consequently, this structure is modeled in FIACRE by creating two dif-
ferent enumerated types named inputs and outputs used to model re-
spectively the inputs and the outputs of each operation. The type inputs
(resp. outputs) will be the union of the type of :
• the input (resp. output) arguments of operations of the myRole
of every Partnerlink (1).
• the output (resp. input) arguments of operations of the
partnerRole of every PartnerLink (2).
More precisely, the types encoded in FIACRE in order to model the
WSDL part are as follows :
1. Type inputs : The name of the constructor is built from the name
of the partnerlink and a suffix recv_call (vs. recv_result) in
case (1) (resp. in case (2)). As for the name of the constructor’s type
argument, it is built using the name of the partnerlink with the suffix
type_args (vs. type_results) in case (1) (resp. in case (2)). The
FIACRE code of the inputs type is shown in the following :
type inputs_BPELName i s union
partner l inkName_recv_cal l of partnerlinkName_type_args
| partner l inkName_recv_resul t of partner l inkName_type_resul ts
| . . .
end
2. Type outputs : The name of the constructor is built from the name
of the partnerlink and a suffix send_call (vs. send_result) in
case (2) (resp. in case (1)). As for the name of the constructor’s type
argument, it is built using the name of the partnerlink with the suffix
type_args (vs. type_results) in case (2) (resp. in case (1)). The
FIACRE code of the outputs type is shown in the following :
2.5. Behavioral Aspects in FIACRE 97
type outputs_BPELName i s union
partnerl inkName_send_cal l of partnerlinkName_type_args
| partnerl inkName_send_result of partner l inkName_type_resul ts
| . . .
end
Similarly, we define the mR_input_type and pR_output_type fam-
ily of types by considering the porttypes and eventually their operations.
Data Abstraction In our approach we have chosen to abstract from data
since variables in BPEL may have an infinite data domain. Actually, with
respect to model checking purposes, considering the actual values is not
realistic because of state explosion which leads to an impossibility of ver-
ification. For this, a constant is created for each data type that represents
the type of the message. So the operations will be typed by this constant
that represent the BPEL type of the message. This abstraction leads us to
a non-deterministic choice in some cases. Examples of such cases could
be in BPEL activities that depends on data in order to make a decision
(for example, if,while and repeat Until). On the other hand, if a treatment
involves finite data domains of type boolean or enumerated types, these
are preserved by the transformation to FIACRE. Particularly, in the case
of the transition and join conditions related to links which have positive
or negative status. These features will be detailed in further sections.
2.5 Behavioral Aspects in FIACRE
The transformation is guided by the constructs of BPEL. A BPEL process
consists of multiple BPEL activities put together. Accordingly, each con-
struct of the language is translated separately to a FIACRE component.
1. Basic activities will be translated to Fiacre Process.
2. Structured activities may embed other nested activities. Hence they
will each be translated to a Fiacre Component.
In both cases whether an activity is translated into a Process or a
Component, it will share a common interface. This interface will consist
of the set of FIACRE ports and shared variables that each pattern should
have in order to enable their composition. We will start by introducing a
basic interface (Fig 2.3) containing 2 ports : S and F (start,finish) used to
connect the activities in the composition. At the end of every activity, the
finish port is synchronized with the start port of another. We will extend
the interface progressively in the rest of the chapter.
2.5.1 Common Behavior of Activities in FIACRE
All of the activities in FIACRE share a common behavior. This behavior
consists in modeling the outgoing and incoming links with their respec-
tive conditions (Fig 2.4: behavior with suppJoinFailure = yes or with
suppJoinFailure = no [18]). Moreover, each activity will include ad-
ditional control events and shared variables used in FIACRE for modeling
98 Chapter 2. Modeling BPEL in FIACRE
S
F
Figure 2.3 – Common interface
the forced termination of activities or for reinitializing the activity in case
it is nested inside of a repeatable construct. In Fig 2.4, the activity body
square represents a specific FIACRE pattern depending on the type of the
modeled activity. This could be any basic or structured activity.
activity
  body
[ reinitialize] /finished := no ; counter := n;joinCond := false;skip := false;reinitialized
 [link =0 & skip] /set links activity ;skip := true...; ; finished := yes
[link =0 & not skip & joinCond] /
start
start_act
join_fail
links 
link:=link-1...; transCond:=...;status := finished ;finish
link:=link-1...; transCond:=false...;skip := true...;finished := yes;finish 
init_act
activity dependanttransition
activity dependanttransition
failure
reinit
DPE
[stop]
failure
[link = 0 &not skip& not joinCond] /        start
DPE
starting
starting finishing
finishing
(a) Behavior with SuppJoinFailure = yes
(b) SuppJoinFailure = no : from join_fail joinFailureError ;to init_act
Strong Termination : reinit, DPE, starting, noJoinCond, failure , finishing,                activity dependant transitions are prefixed with [ ! stop ];
[stop]/stpd
noJoinCond
noJoinCondreinit
Figure 2.4 – Common Behavior
Composing the activities: Fig 2.4(a)(b) : every activity waits for its start
signal by synchronizing on its start port. In the same way, at the end of
the activity, it signals its end by synchronizing on the finish port used
as the start of the subsequent activity.
Termination Modeling : Fig 2.4(a)(b) : we use a Boolean variable stop
and a port stpd which signal respectively the termination demand and
the occurrence of this termination. Once the stop variable evaluates to
True, the activity may respond by transiting back to its initial state from
which it would communicate its stpd port. Depending on whether a
strong or a weak termination is adopted, an activity may stop immedi-
ately or not. On the contrary to some other techniques [60, 74], we consider
here a strong termination. This is closer to the BPEL semantics (Termina-
tion Handlers : page 135,136 of [18]). Implementing a strong termination
2.5. Behavioral Aspects in FIACRE 99
means that whenever a stop is demanded, the activities are no longer per-
mitted to execute. This can be done in FIACRE by adding explicitly the
guard on not stop to each transition. Actually, a weak termination is
only modeled for the assign activity (see assign).
Links Modeling : in order to model the BPEL links, the common inter-
face is extended by four variables.
1. A counter variable initialized to the number of an activity’s incoming
links. At the end of every source activity it decrements the corre-
sponding counter of the targeted activities by 1. As for the targeted
activities, they will be able to execute whenever their counter evalu-
ates to 0.
2. A Boolean variable modeling the transition condition: having disre-
garded data values in our analysis, we only consider three transition
condition values. At the end of the source activity, an activity val-
uates its transition condition to either true, false, or any. The latter
represents the transition condition that is either true or false and cor-
responds to the only case that the BPEL data could not be treated
in FIACRE. In this case, the choice (between true or false) is non-
deterministic.
As for the incoming transition conditions, they will be tested in form
of join conditions (Links Semantics Page 106 of [18]). These Boolean
variables will be evaluated before the start of the targeted activities.
3. The skip variable : in the case of the normal execution of an activity,
the value of this variable corresponds to False. However whenever
this variable evaluates to True, this means the corresponding activity
should be skipped following the rule of the Dead-Path-Elimination 1
because it belongs to a branch which is not executed anymore.
4. A Boolean variable finished that designate the status of the activity,
whether it is finished or not. It is set to finished by the activity in the
case that it has finished normally without any forced termination.
It is also set to finished by the corresponding fault handler after a
forced termination is realized. The knowledge of the status of the
activity is important when dealing about setting the links of an ac-
tivity. In fact in case of a fault, the links are not set by their own
activities but by the enclosing scope that handles the fault. This is
explained in the Fault Handler pattern.
A source activity signals its end by decrementing the counter associ-
ated to its targeted activities by 1 and by updating its respective transition
conditions. The targeted activities are executed once their counter evalu-
ates to 0 and their join conditions evaluates to True. Nevertheless, if the
join condition evaluates to False :
1 The dead path elimination is the result of two cases : (i) The join condition of an activ-
ity evaluates to False. (ii) If during the execution of a structured activity A, its specification
says that an activity B nested within A will not be executed.
100 Chapter 2. Modeling BPEL in FIACRE
1. suppJoinFailure = yes : Fig 2.4(a) : the activity should set its outgo-
ing links to False before terminating (j-i).
2. suppJoinFailure = no : Fig 2.4(b) : a fault joinFailure is thrown and
no finish port is transmitted.
Furthermore, in case the activity in question is a structured activity, all
its nested activities should also set their outgoing links to False but only
after their incoming links are received based on the Dead Path Elimination
rule. This is modeled by valuating the skip variable to True which is
evaluated before the start of each activity.
Reinitialization Modeling : Fig 2.4(a)(b) : the same mechanim of termi-
nation is used to model the reinitialization (a shared variable reinit and
a port reinited). When a reinitialization is asked, the activity resets all
its control variables namely its links counter variables, transition condi-
tions and its skip variable before synchronizing on its reinited port.
2.5.2 Basic Activities.
In order to model the basic activities, we increment the interface by the
ports (msg_in, msg_out) used to communicate with the environment,
the shared variable vars that represents the BPEL variables and the port
Fa used to throw BPEL faults. Moreover, each of the basic activities -
discussed later here- includes the common behavior. Therefore, these ac-
tivities will implement the common behavior pattern already given all
along with additional implementations related to the body of the activity.
Receive The receive activity does a blocking wait for a message to ar-
rive. In the following pattern, the process associated to receive will wait for
a message of type call on a known partnerlink, porttype and operation.
Once the message is received, this message is either stored inside the cor-
responding variable of the t_var_record either a F_variableError is thrown.
This fault designates the faults the BPEL process may throw (like invalid-
ExpressionValue, invalidVariables, or uninitializedVariable). Because we
have abstracted data values, the choice between the two possible transi-
tions once the process is at the copy_var state is a non-deterministic choice.
The Fiacre process pattern for receive is given in Fig 2.5 :
var : = inpmsg_in ? (inp) links start_rec init_act
fa ! (variable error)
Figure 2.5 – Receive pattern
Reply Conversely to the receive activity, the reply activity will send a
message of type result on a specific partnerlink, porttype and operation. It
will at first extract the message to be sent from the corresponding variable
in the t_var_record. If succeeded, the reply activity may continue otherwise
the F_variableError fault is thrown.
The Fiacre process pattern for reply is given in Fig 2.6.
2.5. Behavioral Aspects in FIACRE 101
fa ! (variable error)
msg_out ! (out)
out := vars; linksstart_rep
Figure 2.6 – Reply pattern
Invoke The invoke activity is used to call the partners web services. Both
synchronous and asynchronous invocations exist. In synchronous invoca-
tions the BPEL process sends a call and waits for an answer of the called
web service. An asynchronous invocation does not block the calling ser-
vice and it continues after sending the call. Its pattern is exactly the same
as the reply pattern. As for a synchronous invoke, it starts by extracting
the message to be sent from the variable. It then awaits for a response to
arrive. The response can be an incoming message or also a fault sent from
the invoking partner. In the first case, the message is stored in the corre-
sponding variable. In the case that a fault is received, the invoke will then
throw an internal fault to be handled by the associated fault handler.
The Fiacre process pattern of the synchronous invoke in Fiacre is given
in Fig 2.7.
fa ! (variable error)
msg_out !(out)
out := vars ;
fa ! (variable error)
msg_in ? (inp) ;
vars:=inp
fa ! (faultname,faulttype)
start_inv result
fault_rec
links _cond
msg_in ? (error) 
Figure 2.7 – Synchronous invoke pattern
Assign The Fiacre process pattern for Assign is given in Fig 2.8.
fa ! (variable error)
(do assign) links _cond copywait[n,n]start_asg
Figure 2.8 – Assign pattern
Since we do not model all data values, the do_assign in the code below
will generate three cases :
1. The case that we assign Boolean variables in the form Boolean_var1
:= Boolean_var2 Op Boolean_var 3 with Op a Boolean operator. In this
case, the assignment is copied as it in the Fiacre code.
2. The case that we assign a Boolean variable with a Boolean expression
in the form Boolean_var := Boolean_expression and that we don’t know
102 Chapter 2. Modeling BPEL in FIACRE
how to translate the Boolean expression in Fiacre. In this case, the
Fiacre code will contain a non-deterministic assignment in the form
of Boolean_variable := any.
3. The case that the variables in the assign activity are not Boolean, we
assign the left hand variable with the default value associated to its
type. This type information can be used by error handlers.
Moreover, in order to model a weak termination, we add an explicit
wait n units of time before proceeding with the assign activity. This time
corresponds intuitively to the data base access time. At the contrary of
all other transitions, the transition labeled with this time interval is not
prefixed with on not stop that forces an immediate termination.
Empty The empty activity is an activity that does nothing. It is modeled
in FIACRE because it could be the source or the target of other activities.
Its process corresponds Fig 2.4 with no body associated.
Throw In BPEL we can explicitly signal errors using the throw activity.
The throw activity provides the name for the fault, and can optionally
provide further information about the fault. A fault handler can use such
data to handle the fault and to populate any fault messages that need to
be sent to other services. In Fiacre, the type of a fault will be the name
of the BPEL fault associated with a constant that represents the type of
the BPEL variable in case it was present. The Fiacre process pattern of the
throw activity is given in Fig 2.9.
           fa ! (faultname,faulttype) links _condstart_throw
Figure 2.9 – Throw pattern
2.5.3 Structured Activities
Structured activities specify the order in which their nested activities
are executed. The idea of the modeling in FIACRE consists in adding a
Controller process that has no equivalence in BPEL. Based on the type
of the BPEL structured activity, a different controller is created. This
will specify the way the nested components of structured activities are
executed (sequential, parallel, conditional...). Moreover, it will capture the
incoming and outgoing links of the structured activity. The components
of all of the structured activities in FIACRE consist of a composition of a
controller process with their nested activities.
We use the following notations in the specification of the patterns of
the structured activities : black dots designate ports, black square desig-
nate shared variables, a directed arrow between two ports means a trans-
mission of the event, namely a synchronization, the ports and shared vari-
ables underlined means that this interface (of a upper component) will be
2.5. Behavioral Aspects in FIACRE 103
transmitted (for synchronization purposes) to the interface of an embed-
ded component having the same color indicator, and the dashed squares
inside a component means that the contents of this square are declared as
local ports or variables to the component.
Sequence
The sequence activity executes its nested activities in a sequential man-
ner. Fig 2.10 gives the sequence pattern of two activities.
SA1
act1
I
SA2
var
F
F
SA1 SA2 FA
FA
SA2
act2
I var
FA2
Sequence Component
Sequence Controller
S I O Fa exit link stop stpd reinit reinited var
S
SA1
link stop stpd reinit reinited
...
n
n
...
....
SA
actn
I var
FA
....
n
...
n
Figure 2.10 – Sequence component
Whenever the start signal of the sequence (port S) is received and all
of the conditions hold, the sequence controller will signal the execution of
the first activity in the sequence by transmitting its start signal (SA1). At
this stage, the nested activities will run in a sequential order by synchro-
nizing on their start and finish ports. The end of the first activity (FA1)
as shown in the sequence component (Fig 2.10) will be the start of the
second activity and so on. Meanwhile, the sequence controller will do a
blocking wait until the last activity of the sequence signals its termination.
Whenever the finish signal of the last activity is received (FA2 in Fig 2.10),
the sequence controller will evaluate the outgoing links of the sequence
and then transmits its finish signal (F) indicating the end of the sequence
activity. The sequence controller of the sequence pattern is given in Figure
2.11.
104 Chapter 2. Modeling BPEL in FIACRE
start_act_1 finish_act_n
start_seq activity1 links _cond
Figure 2.11 – sequence controller
Flow
The flow activity executes its nested activities concurrently. In Fig 2.12,
the nested activities are composed with a flow controller that controls
their concurrent execution. The controller (Fig 2.13) starts by signaling
simultaneously the start of all the nested activities (SA1). Then, it does
a blocking wait until the finish signals of all the activities are received
asynchronously.
Figure 2.12 – Flow component
SA1
act1
I
FA1
var
F F
SA1 SA2 FA
FA
SA1
act2
I var
Flow Component
Flow Controller
S I O Fa exit link stop stpd reinit reinited var
S
SA1
link stop stpd reinit reinited
...
n
n
...
....
SA1
actn
I var
FA
....
n
...
FA1
FA2
...
FA2
The flow controller makes use of a variable named flow counter
that is initialized to the number of nested activities of the flow. Each time a
finish signal of a nested activity is received, the flow controller decreases
the flow counter variable by 1. Once all the finish signals are received
(flow counter = 0), the flow controller will signal the finish of the flow.
Scope Component.
The scope component in FIACRE is given in Fig 2.12. Here we only model
the primary activity of the scope, its event handler and its fault handler.
In addition to this, a scope in BPEL is associated to a termination and a
compensation handler. Here we abstract from the behaviors of these two.
Fig 2.12 contains two sub-components that respectively define nominal
execution and fault and stop handling. These components communicate
2.5. Behavioral Aspects in FIACRE 105
start_act
start_flow rec_flow links _cond
flow_counter := n
on flow_counter = 0
finish_act_i finish_counter :=flow_counter -1
i ∈ 1..nbAct
Figure 2.13 – Flow controller
with each other through local ports or variables, and they communicate
with the scope environment through the scope component interface.
FaScope component
scope 
S
S
scope ctrler
F
Fault_H
Fa
S I O link varsstpd reinit reinited
FaIN FaIN
stpdstpdIN
exit stop
stopIn stop
....
.... ....
...
EH
...
act
SA
FA1
SA
FF
stpdINstopIn
SA
FA1
Fe
Figure 2.14 – Scope Component
Nominal Execution : It designates the execution of the first sub-
component of the scope. The start signal (port S) of the scope component
is intercepted by its scope controller (scope ctrler) leading to the exe-
cution of the primary activity of the scope and its associated event handler
(port SA). The end of both of these constructs leads to the end of the
scope component (F). The scope controller behaves the same way as a
flow controller (Fig 2.13) where the variable flow counter is initialized
to 2 corresponding to the scope’s primary activity and its event handler.
Fault and stop handling : it designates the execution of the fault handler
associated with the scope. The fault handler in FIACRE is executed as a
result of two scenarios :
1. Fault thrown inside the scope : this is the result of a synchronization
on the port Fa_In. If the fault can be handled by the fault handler,
it will start by asking the termination of the scope by valuating the
StopIn variable to True. Then, it will wait until all of the activities
synchronize on stpdIn. After that, the fault handler will proceed by
executing its activities before eventually synchronizing on the finish
106 Chapter 2. Modeling BPEL in FIACRE
port F. If the fault could not be handled, it will be propagated di-
rectly to the enclosing scope by synchronizing on the Fa port shared
with the interface of the scope component.
2. Forced termination signaled by the enclosing scope : the Stop vari-
able shared with the scope component is valuated to True. As a re-
sult, the fault handler terminates the activities of the scope with the
same mechanism described earlier before signaling its termination
to the enclosing scope by synchronizing on the stpd port shared
with the scope component interface.
2.5.4 BPEL Handlers
In this chapter, we only treat the fault and the event handlers since they
will appear later in the use case. For the interested readers, the termination
handler and the compensation handler are given in Appendix B.
Fault handlers
The treatment of faults in BPEL are done by fault handlers. Each scope
as well as the BPEL process have its own fault handler associated. Fault
handlers may be of two types:
• A default fault handler which will be created in case no user defined
fault handler was specified. A fault caught by this fault handler trig-
gers the compensation of the direct child scope before being propa-
gated to the next enclosing scope. But since the compensation is not
modeled in this chapter, we say that the fault is directly rethrown
(Full Fault Handler in Appendix B).
• A user defined fault handler in which multiple catch branches and an
optional catchAll branch are specified. Each of the catch branches as
well as the catchAll are associated to a nested activity that is executed
when one of the branches is chosen. The nested activity will execute
whenever a match is found. In case no match is found :
– catchAll is specified : the catchAll branch will be chosen and then
its associated activity is executed.
– catchAll not specified : The fault handler will behave the same
way as the default fault handler.
In the transformation to Fiacre we will differentiate between two types
of Fault Handlers. One with a catchAll branch specified and the other with-
out it. A default fault handler is a variant of the No catchAll version where
No catch branches are specified. The fault handler component is depicted
in Fig 2.15. A fault handler starts whenever a synchronization on the port
FaIn takes place. Depending on the received fault type, a catch branch is
chosen and the activity of the branch is executed (SA1 or SA2 and FA1 or
FA2). We note particularly, that in case of an unhandled fault, or a fault
thrown inside the nested activities of the fault handler, the fault will be
propagated to the next enclosing scope Fault handler by synchronizing on
the Fa port.
2.5. Behavioral Aspects in FIACRE 107
FH component
Fault cont
Sa1
Sa1 San
Fa1
Sa1
act1
I
Fa1
var...
I O Fa exit link stop stpd reinit reinited var
link stop stpd reinit reinited
stpdInstopIn
San
Fan
...
...
Fa1 Fan
...
Fa ...
San
actn
I
Fan
var... Fa ...
FaIn
F
F
FaIn stpdInstopIn term Fa
Figure 2.15 – Fault handler component
Two versions of fault handler controllers are given depending on
whether a catchAll branch is specified or not.
Fault handler controller : no catchAll Fig 2.16 : at the start_catch state,
the controller will wait for either a fault signal on the port Fau1 or a ter-
mination demand from its upper scope (the scope that encloses the scope
to which the fault handler is associated). In case of a fault signal, then
depending on whether the fault is matched with one of the catch or no,
the controller will transit to one of the two states catch_bdy or not_handled.
Here we remind the reader that the fault matching in Fiacre will be based
on the name of the BPEL fault and on the constant that is associated with
the fault name which identifies the type of the variable associated with the
BPEL fault.
1. At the catch_bdy state the controller signals that a fault has been de-
tected by updating the error variable with the value other and the
stop variable to true. After receiving the stpd event, the fault han-
dler controller then executes the nested activity associated with the
matched fault by signaling its start event and by updating the value
of a local variable branch with an integer that points to the chosen
branch before transiting to the links_cond state. This branch vari-
able will be used to indicate which branch has been chosen by the
controller, so that the other activities that are associated to the other
branches are informed that they are no longer activated. In this case,
positive values of the skip variable are transmitted to the unchosen
activities. At this point, the fault handler will proceed by evaluating
the status of all the activities nested in the scope (not just the direct
nested activities). In the case the status was different than finished
-meaning that the outgoing links of the activity were not evaluated-
the fault handler controller will decrement their counters and will
108 Chapter 2. Modeling BPEL in FIACRE
links_cond2
catch_bdy
stopped
f ? other
start_catch
(err:=other,stop:=true)
(err:=other,
stop:=true)
reply_stop
on not stop_global; finish
f ? any
f ? any
body1
stop In
stpd  ; stop:=false 
f ? any
 
for all embeded activities   
(except child scopes) 
if not finished then 
                                finished := true
 
                        
           
set links embeded activities
set links branches FH
set links scope itself
stpd ; stop := false
on stop_global  ; stop := true
 
stpd_up ; 
on not stop_global
links_condfinish_FH
wait stpiwait stop
stopped_i
 
stpd ; stop := false
not hand
f ? fault1(tfault1; 
on not finished
f ? any
f ? any
on not finished
  
on stop_global  ; stop := true
 on err_glob = exit; err := exit
on stop_global  ; 
stop := true
 on err_glob = exit; 
err := exit
on stop_global  ; stop := true
 on err_glob = exit; err := exit
 for all embeded activities  (except child scopes) 
if not finished then 
      finished := true
 
 
 
set links embeded activities
set links scope itself
on reinitialize ; err:= no;
 stop := false;  
reinitialized
start_body
finish_body
branch:=1
on stop_global  ; 
stop := true
 
f2 ! other; 
on stop_global  ; 
stop := true
 
f2 ! fault1; 
# not_handled
Figure 2.16 – Fault Handler Controller : No CatchAll
set their conditions to False. Furthermore it will set their status to
finished to indicate that their outgoing links have been evaluated. As
for the links of the scope (the scope to which the fault handler is
attached), its outgoing links will be evaluated normally.
2. At the not_handled state, the controller will have the exact behav-
ior concerning the termination of activities. It will then proceed by
propagating the fault to the next enclosing scope using the Fau2 port.
Finally, in case of a termination demand made by valuating the
stop_global variable to True, the fault handler modifies its stop vari-
able to true and transits to the stop In state. At this state, the fault han-
dler proceeds by stopping the activities of its associated scope and then
by signaling a stopped signal (stpd_up event) to the upper scope.
Fault handler controller : catchAll The same explanation goes for this
controller. The only difference is that a fault is not rethrown to the next
enclosing scope, since a catchAll has been specified.
Event Handler
Each scope, including the process, can be associated to a set of event han-
dlers. These event handlers are run concurrently and are invoked when
2.5. Behavioral Aspects in FIACRE 109
the corresponding event occurs. There are two types of events. First, events
can be inbound messages. Second, events can be alarms, that go off after
user-set times [18]. Event handlers are executed as long as their attached
scope is in normal execution. When the primary activity of the scope fin-
ishes faultlessly, the event handler should also be finished. Whereas dif-
ferent incoming messages or timeout events are handled concurrently, if
two messages for a single event handler branch arrive concurrently, they
are handled sequentially. We give the component of the event handler in
Fig 2.17.
S
EH component
EH cont
link stop
F
event 1
S linkI O Fau
S
ev1 co
I
Fe1
SA1
FA1
var
var
Fe1 Fen
stpd reinit reinited stpd reinit reinited
SA1 FA1
SA1
act1
I
FA1
stpd
reinitdIn
...
S I O Fau link stop varstpd reinit reinited
reinitIn
reinitdIn
exit
stopexit
...
reinitIn
reinitInreinitdIn
...
reinit reinitd
alarm
S linkI O Fau
S
alarm cont
alarm
SAn
FAn
varstpd reinit reinited
SA2 FA2
SAn
actn
I
FAn
I link
stopexit
...
alarm
...
reinit reinitd
var
...
Fe1
FenFen
F
Figure 2.17 – Event handler component
Fig 2.17 : once the start signal is received by the event handler com-
ponent (S coming from the attached scope), the start signal is transmitted
concurrently to the eventHandler controller at one hand and to all of the
other entities (event1,...,alarm) that represent the branches of the event
handler. Here we assume that the scope to which the event handler is
associated does not contain a process initial start activity. 2.
2Otherwise, it is wrong to start the event handler with the start of its scope. It this
case it needs to be started after the finish of the start activity (receive). This is modeled in
our patterns by a counter variable that is decremented upon the finish of the receive (see
Chapter : Use Case)
110 Chapter 2. Modeling BPEL in FIACRE
Once the event handler controller (Fig 2.18) receives its start signal,
it will enter a waiting state in which it will wait for the reception of the
finish signals (Fe1,Fen) of all the branches of the event handlers. At the
time these events are received, the event handler controller is ready to
transmit the finish signal (F) of the event handler component indicating
the end of the event handler.
init_EH
(flow_counter=0)
finish
(flow_counter := 
flow_counter -1)
start
finish_event_i
(flow_counter := 
flow_counter -1)
finish_alarm
flow_counter := n
on stop; stpd
on stop  
start_EH# startEH
Figure 2.18 – Event handler controller
As for the branches of the event handler (event1,alarm), once they re-
ceive the start signal (S) they will transmit it to their controllers in order
to wait for a message or for a timeout to occur 3.
Message Event controller
Fig 2.19 : at the state init_event, the controller waits for the start signal
to be received in order to transit to start_event state in which two
transitions are possible :
1. The controller checks the scope’s finished status. If it evaluates
to True, the controller directly transits to the finish_event in or-
der to transmit its finish signal back to the event handler controller
(Fig 2.18).
2. Alternatively, the controller does a blocking wait until an input mes-
sages is received. In this case it will transit eventually to the body1 in
which the same test of the conditions of termination of the attached
scope is again evaluated. In the case the scope is still in normal ex-
ecution, the controller will transmit the start signal (start_body1)
of the attached activity and then transits to the body1_started state.
At this point the activity can no longer be stopped and is allowed to
finish even if the scope has stopped.
Once the body is finished (body1_started state), the controller
either finishes (finish_event state) if the whole scope has already
finished, or the controller reinitializes its nested activities and waits
for eventually another message to arrive (start_event state).
Finally we say that at each state, the event handler can be stopped
whenever a stop demand has been asked.
3Here we also note that the timeout treated is the relative time of BPEL. For the treat-
ment of the absolute time, refer to Section 2.5.5.
2.5. Behavioral Aspects in FIACRE 111
init_event
finish event
copy_var body1
start_event
body1_started
finish_body1start
on finished
finish
on finished
on finished
fault (variable error)
on not finishedmsg_in? (inp1)
start_body1
on not finished
finish_body1
on not finihsed
reinitialize
reinitialize:=true
reinitialize:=false
reinitialized
var:=inp1
on reinitiallize_up ; reinitialize := true ; reinitialized ; reinitalize:=false; reinitialized_up 
on stop;   stpd
on stop
Figure 2.19 – Event branch controller
Alarm event controller
The events of the alarm branch in BPEL can be of 2 types :
1. The for and until expressions. An alarm branch specified with the
For or the Until expression permit a single execution of the nested
activity.
2. The optional repeatEvery expression in which we also specify a
duration. With the repeatEvery expression the alarm will be fired
repeatedly each time the duration period expires while the parent
scope is active [18]. If the repeatEvery expression is specified alone,
the clock for the very first duration starts at the point in time when
the parent scope starts. If the repeatEvery expression is specified
with either the for or the until expression, the first alarm is not
fired until the time specified in the for or until expression ex-
pires; thereafter it is fired repeatedly at the interval specified by the
repeatEvery expression [18].
In the following we will give the alarm of the For attribute and the
alarm of the repeatEvery attribute. The case of the Until attribute is dis-
cussed in Section 2.5.5.
1. In the case of the For controller (Fig 2.20). At the point that the con-
troller is at the start_alarm state, it will wait for a timed event to
arrive. Since this is a relative time, the timed event is associated with
the time interval [duration,duration] where duration is the value
taken from the BPEL code.
2. Since the notion of time in the RepeatEvery is relative, it will
be treated the same way as in the case of the For duration.
So a timed event will be created and associated with the in-
terval [duration,duration]. Furthermore, the controller of the
RepeatEvery (Fig 2.21) will allow the repetitive execution of
the nested activity.
Now we model the case that the repeatEvery expression is specified
with the for expression (Until expression see Section 2.5.5). For this pur-
pose, slight modifications to both of the alarm controller given in Fig 2.20
112 Chapter 2. Modeling BPEL in FIACRE
init_event
finish event
body1
start_event
body1_started
finish_body1
start
on finished
finish
on finished on finished
start_body1
on not finished
on stop;    stpd
on not finished
For_timeout [n,n] on stop
Figure 2.20 – For Alarm controller
init_event
finish event
body1
start_event
body1_started
finish_body1
start
on finished
finish
on finished on finished
start_body1
on not finished
finish_body1
on not finihsed
reinitialize
reinitialize
reinitialize:=true
reinitialize:=false
reinitialized
on reinitiallize_up ; reinitialize := true ; reinitialized ; reinitalize:=false; reinitialized_up 
on stop;   stpd
on not finished
Repeat_timeout [n,n] 
on stop
Figure 2.21 – RepeatEvery Alarm controller
and 2.21 are made. These modifications are shown in Fig 2.22. In the con-
troller of the For (Fig 2.22 (a)), we add to the process an intermediary state
between the start_alarm and the body1 states, in which the controller will
evaluate a Boolean variable For_done to True once its alarm has expired.
This Boolean variable will be then tested by the controller of the Repeat-
Every before it could start its alarm as shown in Fig 2.22 (b). We just note
finally that this Boolean variable should be declared locally -because it
will be shared by the controllers of repeatEvery and For\Until- in the event
handler component given in Fig 2.17. Furthermore, it is reinitialized to
False by the the repeatEvery controller once the event handler is asked to
be stopped (Transition from body1_started to finish_alarm).
body1
start_event
Repeat_timeout [n,n] 
(on not stop &
not scope.finished) & For_done
body1
start_event
For_timeout [n,n] 
(on not stop &
not scope.finished)
signal_to_repeat For_done := true
Figure 2.22 – RepeatEvery Alarm controller specified with For/Until expression
2.5. Behavioral Aspects in FIACRE 113
2.5.5 BPEL Timed Aspects in FIACRE
As we have seen in several constructs before, the modeling of the rel-
ative time of BPEL (For duration) is straightforward in FIACRE and
it could be viewed as a timed event with the same minimal and max-
imal bounds. Concerning the absolute time of BPEL (namely the Until
deadline), it could be handled by explicitly fixing the starting time of the
process. In this way, we can easily bound the interval associated with the
timed event to : [deadline - start , deadline - start]. Still, this is hardly a
practical solution -especially in the context of verification- since one could
argue that the starting date is not always known. In fact, we are interested
in verifying the correctness of the system for any starting date.
Modeling of the Absolute Time : The idea is to add to the model a tran-
sition which makes it possible for a non-deterministic period of time to
elapse between a reference date and the start of the system. This is done
[69, 93] easily in formalisms based on timed automata. A clock H measur-
ing the absolute time is introduced. An initial transition reinitializes all
the clocks of the system except H. Moreover, this clock is tested in guards
(H ≥ D) in order to know if the absolute time D has been reached. In FI-
ACRE, we do not have explicit clocks, which makes this situation harder to
handle. In order to model the absolute time in FIACRE, the two following
problems should be considered :
1. Model a non deterministic elapse of time initially: a synchronization
on a timed port is introduced.
2. Test whether the absolute time has been reached. This is done by
introducing a synchronization on the port after being managed by
a timer process. Once the deadline is reached, this synchronization
becomes non-blocking
The system is built by composing the timer with the component modeling
the root activity of the BPEL process:
component BPEL_Process is
port after : none
par
after→ process_act [after,...,]
|| after→ timer [after]
end
Managing a Unique Absolute Time The Timer process runs concur-
rently with the real system and measures when the absolute deadline is
reached. We will start by treating the case of a system having one absolute
time. The behavior of the process is as given in Fig 2.23 :
In order to model the non deterministic delay, we identify two cases
in the timer process depending on whether the absolute date has been
reached or not. After choosing one of these cases, the process will either
wait until the time is reached in the former case or enable an immediate
synchronization on the after port in the latter case.
114 Chapter 2. Modeling BPEL in FIACRE
init
1 wait ] 0 , D  ]1
2 after
Figure 2.23 – Absolute time treatment
Managing Multiple Absolute Time Now that the idea is clear, we will
generalize the timer process (Fig 2.24) so that we can take into account the
case when several absolute times are used in the BPEL description.
0
init
1 ... nwait ]0 , D - D ]12wait ] 0 , D  ]1
after ?i (i=1) 
wait ] 0 , D - D    ] n-1n2 ...
 [ ] after ?i (i ≤ 2) ...  [ ] after ?i (i ≤ n) 
Figure 2.24 – Absolute time treatment
In Fig 2.24, all the absolute times of the system are sorted chronolog-
ically. Initially and non deterministically the process is set up to one of
the time intervals (i.e strictly before the first, exactly or after the first...).
Afterward, based on what interval has been reached, the process enables
a synchronization on the afteri ports associated to all the elapsed dates.
Absolute Time in BPEL Constructs In all the BPEL constructs we have
seen until now, we have only treated the relative time. Namely in the wait
activity and the alarm event of the event handler. Now with the handling
of the absolute time, the patterns of these activities need to be adapted.
This simply consists at replacing the former timed event with the after
event (Fig 2.25). These patterns will communicate with the after event of
the timer. The communication is synchronous between the timer process
and the root component in which all the FIACRE patterns are embedded.
However the communication on the after event is asynchronous between
the patterns themselves.
1
2
Wait Until Don alarm Until D
after ! i
i
Figure 2.25 – Absolute Time Adaptation
2.6. Correctness of FIACRE Patterns 115
2.6 Correctness of FIACRE Patterns
In this section we give our correctness criteria for the BPEL semantics
properties given in Section : 2.2. The correctness is based on describing
the semantics properties in the form of LTL properties. These properties
can be either verified on isolated patterns or on instances of the FIACRE
patterns. Here we follow the second technique and verify the correctness
properties directly on instances of the use case’s patterns (see Chapter
Use Case). The satisfaction of the properties is a correctness proof of the
preservation of the BPEL semantics by the FIACRE patterns.
2.6.1 Control Correctness
In the first category of properties, we consider the BPEL constructs while
ignoring the links and the possibility of faults. This means that the order
of execution of an activity depends only on the control flow and not on its
incoming links.
Sequence The correctness of the start of the sequence activity may be
given as follows :
¬startact1 W startsequence Sequence Start
That is, the first activity of the sequence cannot start unless the whole
sequence is started. Here we use the weak until operator W in order to
say that startsequence may not occur. We could have also generalized this
property as ¬startacti W f inishacti−1 . But this property is trivially verified
in our patterns since startacti and f inishacti−1 are the same event.
A sequence ends when its last activity does. For n designating the last
activity of the sequence, the end of the sequnce can be written as :
¬ f inishsequence W f inishactn Sequence Finish 1
That is, the whole sequence cannot finish unless the last activity of the
sequence is finished.
Another type of formulas can be tested also, which is the reverse of the
previous formula. The end of the last activity of the sequence eventually
leads to the end of the sequence in case no forced termination occurs.
( f inishactn ⇒ ♦( f inishsequence ∨ stpd)) Sequence Finish 2
Flow A flow starts when all its embedded activities do. Formally, for
i ∈ 1..NbActFlow the correctness of the start of the flow can be written in
the following way :
¬startacti W start f low Flow Start
That is, the activities of the flow cannot start before the flow does.
The end of the flow may be written as follows :∧
i
¬ f inish f low W f inishacti Flow Finish
That is the flow cannot finish before all of its nested activities do.
116 Chapter 2. Modeling BPEL in FIACRE
2.6.2 Links Semantics
In this category, we show how we analyze the semantics of the BPEL links.
An activity starts if the status of all its links have been received. Since
the links are represented by a decrementing counter in FIACRE, this is
checked by the following property :
(start⇒ act_counter = 0) Incoming Links
This means that the start of an activity can only be made if its incoming
links counter equals 0.
Concerning the setting of the outgoing links, the property that an ac-
tivity cannot finish without setting its outgoing links (in case they are
present) is trivially satisfied by our patterns since this is done in the same
transition. Blocking (resp. firing) this transition means blocking (resp. fir-
ing) the finish signal and the decrementing of the counter corresponding
to the outgoing links. Here remind the reader that in case of fault thrown
while setting the outgoing links, a finish event is not signaled.
Sequence With Links Now considering the links, the Sequence and the
Flow properties are adapted accordingly. Actually in the following prop-
erties we take into account both the links and the faults. For example, the
properties of the Sequence become the following :
(startsequence ⇒ ♦(counter_act1 = 0⇒ ♦(startact1 ∨ f a))) Sequence Links
That is, if the first activity of the sequence has received all its links and
no faults (fa) are generated then the start of sequence implies the start of
the first activity of the sequence.
2.6.3 Weak Termination
Being a weak termination, the stop demand is not considered instantly.
This means that the activities have the choice whether to take the stop de-
mand into consideration by transiting back to the init state or to remain
in their active states. This can be represented by :
(stopscope ⇒ ♦stpdscope) Weak Termination
That is, if a stop demand is signaled, the scope will eventually do its stpd
event. We note here that this characterization of Weak Termination of
BPEL is different than the Weak Until Semantics in LTL, since weak ter-
mination usually means that it may never happen.
2.6.4 Strong Termination
In the strong termination we want to guarantee that whenever a termi-
nation is demanded it will be taken immediately into consideration. For-
mally the strong termination can be written as follows :
(stopscope ⇒ (¬
∨
e∈eventscope
e)U stpd) Strong Termination
2.6. Correctness of FIACRE Patterns 117
That is, whenever a stop is demanded, none of the events of the scope may
occur before the occurrence of the stpd event.
2.6.5 Hierarchical Termination
Whenever a scope is asked to stop, the fault handler of the scope starts by
synchronizing with all the child activities nested in the scope. Once this
synchronization has occurred -meaning that these activities have stopped-
the fault handler controller proceeds with signaling the termination of
the whole scope by synchronizing with its upper scope’s fault handler.
Hence a hierarchical view of termination is respected in our implementa-
tion. More formally, for i denoting the activities nested in the scope, the
termination can be written in the following way :
(stop_up⇒ ♦(stpd_up ∧∧
i
initi)) Hierarchical Termination
That is, whenever a global stop is demanded, the scope (its fault handler)
signals the stpd_up event and all the nested activities are in their initial
states (where the local stpd event is available).
2.6.6 Hierarchical Fault Propagation
The fault propagation can be written in the following way :
(#not_handled⇒ ♦ f ault_up) Fault Propagation
This means that in case of receiving an internal fault via the firing
of the not_handled transition of the fault handler, then the fault_up
event will eventually be signaled. The keyword # is used in FIACRE to give
an alias to the transition. So, not_handled is the name of a fault handler
transition that leads to the not_handled state after receiving a fault that
cannot be handled by the fault handler.
2.6.7 Event Handlers
The enablement and the disablement of an event handler depends on the
nominal execution of the scope. In the following we give their correctness
criteria :
Enablement : If the scope does not contain an initial start activity, the
event handler is enabled upon the starting of the scope.
(#startEH ⇔ #startActScope) Enablement Event1
That is, starting the scope means starting the event handler as well.
startEH and startActScope are the aliases of respectively an event han-
dler transition that starts the event handler and a scope transition that
starts the primary activity of the scope.
Otherwise, the event handler is enabled once the inital start activity
(receive) is finished :
(#startEH ⇔ # f inishReceive) Enablement Event2
118 Chapter 2. Modeling BPEL in FIACRE
Disablement : We give two disablement properties :
(¬ f inishscope W f inishPact)∧ (¬ f inishscope W f inishEH) Disablement Event1
That is, the scope cannot finish unless both of its primary activity and its
event handler are finished.
((( f inishPact∧♦ f inishEH)∨ ( f inishEH ∧♦ f inishPact))⇒ ♦( f inishscope∨ f a))
That is, if the scope’s primary activity and the event handler finish in
whatever order and at different instants then the whole scope eventually
either finishes or a fault is thrown.
2.7 Conclusion
In this chapter, we have given the idea of the transformation from BPEL to
FIACRE. This transformation is a one-to-one transformation, meaning that
for each BPEL construct corresponds a FIACRE component. The transfor-
mation preserves the hierarchical composition of BPEL and treats its timed
features. Another important feature of the transformation is that it can be
proven correct via a verification of some BPEL semantic properties on the
FIACRE patterns. In the next chapter, we present our BPEL verification
framework.
Chapter Three
Verification Framework
3.1 Introduction
In this chapter, we discuss about the supported properties in our verifica-
tion framework. This discussion mainly consists either in describing the
properties already integrated and supported by our model checker or in
describing techniques that are used in order to verify properties that are
not supported.
3.2 Behavioral Verification with Tina
The verification is done using the Tina tool. Tina is particularly well suited
to the verification of systems subject to real time constraints. The proper-
ties to be verified are often described in temporal logic, such as linear tem-
poral logic (LTL). The result of the verification may lead to an accepting
status, meaning that the model of the system satisfies the requirements,
or exhibit an error. In the last case, it is often possible to extract a counter
example, which is an explanation at the level of the model (generally an
execution trace), which leads to a problematic state. In the Tina toolbox
some of the verified properties are natively supported. However others
need an additional treatment for their verification. This is going to be sub-
ject of the coming sections.
3.3 Supported Properties
The transformation patterns are used for verification purposes. Our veri-
fication framework supports four kinds of properties.
1. Temporal properties : these are the typical properties written in SE-
LTL.
2. Data-Related Properties : in case the BPEL data types are finite, they
are preserved in the BPEL/FIACRE transformation. It is possible
then to verify properties that involve these data.
3. Structural properties : they express the "well-formedness" of the
BPEL code. For instance, we are able to verify that a receive activity
120 Chapter 3. Verification Framework
is always matched with a reply activity, or that two concurrent re-
ceive activities cannot wait for the same operation. This is done by
verifying statically that the faults resulting from such situations are
not thrown.
4. Timed properties : they could be written in MITL [16] which is a
timed variant of LTL and are handled here using timed observers
and a temporal property, thus encoding such properties as reacha-
bility properties.
3.3.1 Temporal and Data-Related Properties
These are the properties that are supported natively by TINA. Examples of
temporal properties are the boundedness, deadlock freeness, liveness and
safety properties. These are verified directly by the model checker selt
of TINA and are written in the SE-LTL logic.
Data-related are also supported by TINA. More precisely properties
that manipulate or checks the value of a variable (i.e If condition for ex-
ample) may be verified by querying or testing the value of these variables.
3.3.2 Structural Properties
Structural properties describe BPEL-specific requirements. Such require-
ments are independent of the user requirements and are verified by the
BPEL engine dynamically. An example of such requirements is the or-
der of execution of the BPEL receive and reply activities. In fact in BPEL,
whenever a reply activity is not matched with a receive activity, a fault is
thrown dynamically. Another case of such thrown faults is whenever mul-
tiple concurrent receive activities are used to wait for the same message.
In this case, a fault is thrown because a conflict emerging from the choice
of the receive activity to be executed would then take place.
In our verification framework, we are able to verify such properties
via an instrumentation of the transformation itself. The receive and the
reply patterns in FIACRE are then modified in order to allow such veri-
fications. In order to model these aspects, the idea is to save the commu-
nication endpoint (partnerlink,porttype,operation) whenever a
receive activity is executed and then to compare this saved information
with the information of successive reply or receive activities. For this
purpose, for each tuple (partnerlink,porttype,operation) a status
variable of enumerated type is created. The enumerated type contains the
following constants:
1. wait_receive : describes the fact that a receive activity is yet to
be received.
2. wait_reply : describes the fact that reply activity is yet to be
received.
Adaptation of the receive and the reply
The receive and reply activities are thus adapted w.r.t the newly cre-
ated enumerated type.
The behavior of the status variable is as follows (Fig 3.2):
3.3. Supported Properties 121
fa ! (variable error)
msg_in ? pl(pt(op(inp))) ; links start_rec
on status    != wait_receive ; fa ! (multiple_receive)
    on status = wait_receive ; 
init_actvar := inp
fa ! (variable error)
out := vars ; msg_out ! (out) ; links start_rep
on status    != wait_reply ; fa ! (unmatched_reply)
on status = wait_reply ; 
Adapted Reply
Adapted Receive
status    := wait_receive
status    := wait_reply pl(pt(op))
pl(pt(op))
pl(pt(op))
pl(pt(op))
pl(pt(op))
Figure 3.1 – Adaptation of the receive and the reply patterns
1. The status variable is initialized by wait_receive.
2. At the start of a receive activity, the status is tested. If it evalu-
ates to wait_receive, it is updated to wait_reply. Otherwise
a multiple receive fault is thrown meaning that a concurrent
receive that awaits on the same connection is executed.
3. At the start of a reply activity, in case the status is different than
wait_reply, the fault reply_unmatched is thrown meaning that
a reply activity is found without having executed a receive ac-
tivity previously.
receive Err
wait_receive
wait_replyreceivereply
reply Err
Figure 3.2 – Status Behavior
After the modification of the receive and the reply patterns, we are
now able to observe the multiple receive and reply_unmatched
faults. This observation makes it possible to verify the occurrence of these
faults statically. This is done by using an event-based LTL formula that
verifies that such faults are always avoided. This could be written in LTL
as ¬multiple_receive and ¬reply_unmatched .
3.3.3 Timed Properties
Time Embedding in BPEL Constructs
In order to enhance the timed aspects of a BPEL composition and to handle
some QoS properties, it is interesting to assume some additional timing as-
pects on the BPEL constructs. In our verification framework we make some
122 Chapter 3. Verification Framework
default assumptions. First we assume that the elapsed time that represents
the waiting for the reception of requests is unbounded. Accordingly, we
associate a time interval of [0,∞[ with the synchronization events that
model a reception from the environment namely the receive activity
and the <on message/> events of both the pick activity and the event
handlers (port: Input).
Moreover, the BPEL code may be annotated with timing values in the
form of the attribute td = interval of time (as done in the ITEmIS
project [2]). Such annotations are used as an attribute of the synchronous
invoke in order to give insights of the expected delay associated with the
reception of responses resulting of previous invocations.
Moreover, we say that each activity may be annotated explicitly with
its duration in the form of td = interval of time.
The modeling in FIACRE of such time constraints consists in adding
an explicit wait instruction after the start of each activity. In case of syn-
chronous invoke activity the wait instruction is added after the port as-
sociated with the output call of the invoke. Apart from these constructs,
all of the other events are considered as instantaneous (Fig. 3.3).
1
2
Wait For Don alarm For DAssign    
1
2
Wait Until Don alarm Until D
after ! i
1
2
receiveon message 
I_rec [ 0 ,∞ [
1
2
synchronous invoke
O_inv [ 0 ,∞ [
1
2
other BPEL constructsFiacre control events
port [ 0 ,0 ]
(a) (b) (c) (d) (e)
i
iActivity	Duration
wait	[	D,	D]
Figure 3.3 – Summary of timed constructs in FIACRE
The BPEL code may be annotated with other more global constraints
(ITEmIS project [2]). Two main global constraints are used to annotate
the BPEL code. A Process Duration constraint which specifies that the
duration of the whole process is bounded by a certain time or a Duration
between two activities constraint which specifies that the delay between
two activities is bounded by a certain time.
Timed Observers
The verification of timed properties is done by timed observers. There
exists two ways of modeling these observers :
1. Incorporate the timed observers at the BPEL level. Since the BPEL
would be transformed to FIACRE, the verification would consists in
analyzing the FIACRE code corresponding to these observers.
2. Encode the observers directly at the FIACRE level.
BPEL level observers We have defined an original idea of giving the
observers at the BPEL level. The main advantage of this technique is that
these observers may be used independently of both of the verification
language and the BPEL editor.
3.3. Supported Properties 123
Bounded Response Property The bounded response property could be
written as (receive ⇒ ♦≤T f inish) which means that finish must oc-
cur within T time units after the end of the receive activity. In order to
verify such a property on the BPEL process, we need to measure the de-
lay between the reception of a request and its corresponding reply. This
verification is done on two levels :
1. Every receive activity is followed by a reply activity. It is the
same as verifying a structural property.
2. The elapse of time between the receive activity and the end of the
process is bounded by a fixed time T. This is achieved by defining a
timed observer at the BPEL code level (Fig. 3.4).
Receive    Event Handler
empty
<onAlarm>
   <for> T </for> 
   <assign>
     <copy>
        <from> true </from>
       <to variable = "err"</>
    </copy>
  </assign>
</onAlarm>
lnk1
lnk2
Flow
  
err : bool
Figure 3.4 – Bounded Response Observer
The observed system is encapsulated inside of a flow where another
scope that plays the role of the observer is added. This scope contains an
event handler in which the duration of the constraint is fixed. Whenever
this duration is reached, a variable err is valuated to True reflecting the
violation of the property. Furthermore, the event handler should start at
the moment of the reception of the first request. This is represented by
adding a link (lnk1) from the receive activity to the scope of the event
handler. Moreover, at the end of the observed activity, the event handler
should be terminated. That is why another link (lnk2) is added from the
observed activity to the primary activity of the scope (empty).
Maximal Duration Property The observer shown in Fig 3.7 measures the
maximal duration of an activity. For this purpose, the idea is to englobe
the activity in question in a sequence with an empty activity. The finish of
the empty activity -which happens to be the start of the studied activity-
will trigger the event handler by sending lnk1. The finish of the activity
in question will then end the observation by signaling lnk2. An error is
signaled in case the duration is reached before the arrival of lnk2.
Minimal Duration Property Conversely to the previous observer, the ob-
server shown in Fig. 3.6 measures the minimal duration of an activity. This
observer is similar to the one we have already seen. The only difference is
that the err variable is initialized to True.
124 Chapter 3. Verification Framework
Activity 
   Event Handler
empty
<onAlarm>
   <for> T </for> 
   <assign>
     <copy>
        <from> true </from>
       <to variable = "err" />
    </copy>
  </assign>
</onAlarm>
lnk1
lnk2
Flow
  
err : bool
Empty
Figure 3.5 – Maximal Duration Observer
Activity 
   Event Handler
empty
<onAlarm>
   <for> T </for> 
   <assign>
     <copy>
        <from> false </from>
       <to variable = "err" />
    </copy>
  </assign>
</onAlarm>
lnk1
lnk2
Flow
  
err : bool:= trueEmpty
Figure 3.6 – Minimal Duration Observer
FIACRE level observers The second alternative is to build the observers
at the FIACRE level. We show in Fig. 3.7 examples of observers that may
be used to verify the described constraints :
1. The first observer checks whether the delay between two signals is
bounded by a certain constant. The observer starts upon the recep-
tion of the event e1. An error is signaled only in the case the event
e2 takes more than k u.o.t to occur. This observer allows us to verify
both of the Process Duration property and the difference between
two activities property. Actually, the events e1 and e2 of the ob-
server can be assumed to be respectively either the start and the
finish of a single activity (Process Duration constraint) or the start of
an activity and the finish of another (Difference between two activi-
ties constraints). However, in case the required events of the observer
correspond to internal events of the system which means that they
do not appear at the external level, then there is a need to navigate
in the hierarchical structure of the component in order to reach these
events. A solution is to transform these events into global events so
they would appear in the interface of the system.
2. The second observer is used to verify the minimal duration property.
The observer starts upon the reception of the event e1. An error is
signaled only in the case the event e2 is enabled before the minimal
expected delay of k units of time. The same discussion concerning
the case of internal events also holds here.
Finally, in all of these observers, we verify that the error state is always
avoided. This could be written in LTL as ¬error.
3.4. Conclusion 125
wStart wFinish
e1
e2
error
wait [k,k]
(a) maximal duration observer
wStart wFinish
e1
e2
error
wait [k,k]
(b) minimal duration observer
wFinish
e2
Figure 3.7 – Observers at the FIACRE level
3.4 Conclusion
In this chapter, we have shown what kind of properties may be verified in
our framework. We have shown how an example of structural properties
can be verified via an instrumentation of the FIACRE code. Interesting
timed properties can also verified via timed observers which are either
build at the BPEL or at the FIACRE level. In the next chapter, we see by
means of a use case how the simulation can be integrated in the verifica-
tion of BPEL processes.

Chapter Four
Use Case
4.1 Introduction
In this chapter, we consider a use case to illustrate our technique. The use
case has two objectives : first, to demonstrate the use of the patterns by
building its corresponding FIACRE code. Second, to show how refinement
can be embedded in the transformation. We also prove some of the BPEL
correctness properties on instances of the FIACRE patterns.
4.2 Use Case
We consider a timed variant of the purchase order example taken from the
BPEL specification release [18].
In fact, upon receiving a purchase request, the process initiates si-
multaneously three sequences of activities which are used for calculat-
ing the final price, selecting a shipper, and scheduling the production
and shipment for the order. Once the three tasks are completed, the pro-
cess sends an invoice to the customer. However the final price cannot be
calculated before the reception of the shipping price and the shipping
date is needed for completing the scheduling task. This is represented re-
spectively by a link from the invoke shipping activity to the invoke
   Fault Handler
Reply Invoice          Reply Fault        
   Event Handler
Until date
Throw Fault
       
   
 
             Invoke Initiate     
           Price Calculation
   Invoke Complete
    Price Calculation
         Receive Invoice 
             CallBack
     Receive Shipping 
            CallBack
         
Invoke Shipping
Assign Purchase 
          Order
                Invoke Initiate     
           Production Scheduling
               Invoke Complete     
          Production Scheduling
2 u.o.t
1 u.o.t
Invoicing Sequence Shipping Sequence Schedueling Sequence
link1
link2
Receive Purchase
          Order
Figure 4.1 – Timed purchase example
128 Chapter 4. Use Case
final price calculation activity and a link from the receive
shipping callback activity to the invoke complete production
scheduling activity. However, a deadline inside of an event handler is
fixed. After this deadline is reached, the event handler will proceed by
signaling a fault meaning that the purchase instance is not treated. This
means that the service is only offered until a certain date. Likewise, when-
ever a fault is thrown during the execution of the purchase sequence, the
fault handler will terminate the process and reply a fault to the customer.
Finally, additional safety timed constraints are added to the use case.
These constraints describe the requirements that need to be satisfied by
the processes.
1. The total duration of the invoke activity Invoke Shipping takes 2
units of time (2 seconds).
2. An explicit wait of 1 u.o.t is added after the Receive Invoice
CallBack activity to say the invoicing sequence takes 1 u.o.t.
4.2.1 Abstract Use Case Modeling and Verification
There exists two approaches to build a modular system. A Top/Down
refinement-based approach where details are added progressively to the
system and a Bottom/Up abstraction-based approach where details are
abstracted progressively. BPEL follows a Top/Down approach but the lan-
guage does not support the specification of abstract activities, i.e activities
that allow a non-deterministic behavior. This is because BPEL is designed
to be an implementation language and not a specification language. In our
use case we thus follow a Bottom/Up approach : starting from the BPEL
process, we choose to abstract some BPEL pieces and give their abstract
specifications directly in FIACRE. The user properties are then verified on
an abstract modeling of the use case containing these abstract specifica-
tions. Afterwards, we prove the simulation between these abstract spec-
ifications and their concrete implementations corresponding to the real
BPEL code.
More precisely, for FHa (FHc) denoting the abstract (concrete) fault
handler, Pa (Pc) denoting the abstract (concrete) purchase sequence and
EH denoting the event handler what we do is the following :
((FHa‖Pa)‖EH) -DS ((FHc‖Pc)‖EH) Process Simulation
In order to prove this simulation we proceed by verifying the following
two simulation relations :
FHa‖Pa -DS FHa‖Pc Purchase Simulation
FHa -DS FHc FaultHandler Simulation
Here we note that in the Purchase Simulation clause, the FHa is added
because P and FH communicate via a shared variable stop that is put to
true whenever a stop is signalled by FH.
4.2. Use Case 129
Abstract Activity
We consider an abstract view (Fig 4.2) of the flow pattern of the purchase
example. This means, that the flow activity will be considered as a black
box. The only thing we know is that it behaves as a normal activity, it
starts, it finishes and between its start and finish, it may input or output
messages, faults or stops. Furthermore, we say that the duration of this
activity is not less than 1 u.o.t, meaning that the difference between the
start and the finish of the abstract activity is not less than 1 u.o.t.. This
corresponds to the time the activity remains in state s1 and is modeled
in FIACRE in a way that the events fault, O and I do not reinitialize
the clock of the event treat. The events highlighted in Fig 4.2 are local
events.
s0 s1
on not stop; finish
on not stop; i ? anyon stop; stpd
on not stop; start
on not stop; o ! ...
on not stop; fault on not stop and reinit; 
  reinited
s2
on not stop; treat 
         ] 1, ∞ [ 
on stop; stpd
on stop; stopping 
          [ 0, 0]
Figure 4.2 – Abstract Activity in FIACRE
Abstract Fault Handler
We consider an abstract view (Fig 4.3) of the fault handler of the purchase
example. What we know is that upon receiving a fault, the fault handler
starts a stopping mechanism to stop the activities of the process. In our
example, the fault handler proceeds by executing a reply activity 1.
s0 s1
fault ? ... ; stop := true
s2
stpd; stop := falseo ! ...
Figure 4.3 – Abstract Fault Handler in FIACRE
1Here we assume that this reply activity does not throw any faults. Otherwise a fault
thrown inside of the fault handler’s reply activity should be added so that it terminates
the whole BPEL process instance. But here the reply activity is the last activity to execute
and the process will terminate anyway.
130 Chapter 4. Use Case
Abstract Use Case Modeling
We give in the following the root component of the FIACRE code associ-
ated with the abstract case study. In this excerpt, only the useful ports and
shared variables are shown.
component PurchaseProcess [ I : inputs , O: outputs ] i s
port S , F , a f t e r , stpd : none ,
f a : f a u l t
var stop : bool= fa lse ,
l i n k : t _ l i n k ,
vars : t_var
par /∗ BPEL p r o c e s s p a t t e r n with t i m e r ∗ /
a f t e r , faIN , stpd →
p r o c e s s _ a c t [ S , F , I ,O, fa , stpd , a f t e r ](& l ink ,& stop ,& var )
|| faIN , stpd , e x i t →
f a u l t_ ha ndl er _a [ fa ,O, stpd ](& l ink , &stop , &var )
|| a f t e r → t imer [ a f t e r ]
end
On one hand, we compose the primary activity of the process which
contains the purchase sequence (and thus the abstract activity) and the
event handler and on the other the abstract fault handler. Additionally,
the Timer process runs concurrently and synchronizes on the after port
with the system. The process_act may generate faults by synchronizing
with the fault handler component on the Fau port. This triggers a termi-
nation mechanism done by communications through the shared variable
stop and the port stpd.
In Fig 4.4 we give in greater details the structure of the FIACRE code.
This structure consists of two interacting components. The Purchase
component containing the purchase sequence, the event handler compo-
nent and the Fault_H component. These two communicate via the Fau
event with which the purchase sequence and the event handler signal
their internal faults. The purchase sequence contains three activities that
run in sequence : each of the activities communicate its start signal with
the finish signal of the one preceding it in the sequence (con_2_rec,
rec_2_as,as_2_inv, rep_2_con). The event handler mainly contains
an alarm controller that synchronizes on a after event. This event is
communicated in a non-deterministic manner by a timer process that sig-
nals the reaching of the absolute time. In this case, a throw activity is run
by communicating a fault to the Fault_H_a component. In response, the
fault handler initiates a stopping mechanism by communicating respec-
tively with the stop shared variable and the stpd event followed by a
reply activity.
Use Case Verification
Now, properties may be verified on the underlying code. We will show ex-
amples of properties that may be verified in this use case. We will start by
verifying the correctness properties. Then we will check a user require-
ment property namely, the (bounded) response property in the timed
and the untimed contexts. For verification purposes, the system needs
to be closed, so we model an environment process Environment as an in-
put/output enabled process that runs concurrently with the purchase pro-
4.2. Use Case 131
PurchaseProcess
Purchase
S
S
purchas ctrl
AbstractFH
I O
Fau stpdstop
....
....
F
stpdstop
Sa
Fs
S
FFau
link
stop
reinit
varsstpdreinitd
Sequence Purchase
Ctrl
AbstractAct
... ...
con_2_reccon_2_rec rec_2_as
as_2_inv
rec_2_as
rep_2_con
Rec PO
Reply Inv
rep_2_con
...
...
...
...
...
after
EH component
EH cont alarm
alarm cont
after
f_alarm
SA1
FA1
SA1 FA1
Throw
...
... ...
...
Fau
F
f_alarm
f_alarm
Fs Fe
Sa
Sa
Fs
as_2_inv
Sa
Fs
SA1
FA1
Fe FeF
timer
after
O
Figure 4.4 – Modeling of the Abstract Use Case in FIACRE
cess. The verification is then made on the completely synchronous com-
position :
ClosedPurchaseProcess = Environment‖PurchaseProcess
Correctness Properties At this level we check the correctness of the event
handler (Fig 4.4).
Unlike what we have seen in the patterns, the start of the event handler
depends on the finish of the initial start activity which corresponds here
to the receive purchase activity.
ClosedPurProc |= (#startEH ⇔ # f inishReceivePurchase)
startEH and f inishReceivePurchase are the aliases of respectively the event
handler transition that starts the event handler and the last transition of
the receive activity.
132 Chapter 4. Use Case
Now we verify the two event handler disablement properties. Intu-
itively, we verify by the first property that the purchase process may not
finish unless the finish signals of the event handler and the purchase se-
quence are received.
ClosedPurProc |= (¬F W Fs) ∧ (¬F W Fe)
The second property means that if the purchase sequence and the event
handler finish in whatever order then the purchase process eventually ei-
ther finishes or a fault is thrown.
ClosedPurProc |= (((Fs ∧♦Fe) ∨ (Fe ∧♦Fs))⇒ ♦(F ∨ Fau))
User-Requierements Properties : Temporal Verification Starting with
the untimed context, the following response property guarantees that inde-
pendently of the starting date of the system, a purchase demand is always
followed by a reply. This reply can either be a positive reply in case of a
successful purchase or a negative reply in case the timing constraint of the
event handler was violated or simply in case a fault was thrown during
the treatment of the command.
ClosedPurProc |= ( purchase_demand⇒ ♦(Reply_Invoice∨Reply_Fault))
However the verification of either one of the following properties is not
satisfied. This is because, neither one of the two replies is always verified.
ClosedPurProc 6|= ( purchase_demand⇒ ♦(Reply_Invoice))
This property allows us to say that our use case does not ignore the faults.
ClosedPurProc 6|= ( purchase_demand⇒ ♦(Reply_Fault))
As for this property, it means that our use case may finish successfully.
User-Requierements Properties : Timed Verification As we have said
earlier, the verification of timed properties is made by using timed ob-
servers. We give in the following code the observers for the verification of
the total duration of the process property.
process checkProcessDuration [ s t a r t : none , f i n i s h : none ] i s
2 s t a t e s s0 , s1 , s2 , e r r o r
i n i t to s0
from s0
s t a r t ; to s1
from s1
7 s e l e c t
f i n i s h ; to e r r o r
 wait ] 1 , . . . [ ; to s2
end
from s2 f i n i s h ; to s0
4.2. Use Case 133
The minimal duration of the purchase is checked via an observer measur-
ing the time between the start and finish of the process. The observer is
enabled once the purchase process is started. This is done via a synchro-
nization with the start event event of the process (code line 5). Afterwards,
in state s1, the observer waits for either a finish signal to arrive (code line 8)
which is synchrnonized with the finish of the purchase process or for the
time constraint to be fullfiled (code line 9). Now in case the finish signal
arrives before the minimal duration of 1 units of time, an error is signaled
by transiting towards the error state. This means that the purchase process
has executed in less than 1 u.o.t and thus violates the time constraint.
Now, once the observer is composed with the actual system, we can
proceed by the verification of their attached properties. These properties
consists in verifying that an observer never reaches its corresponding error
states. This means that the transition that leads to the error state is never
taken. This would also mean that the properties are satisfied.
4.2.2 Concrete Modeling
The concrete system that implements the abstract activity consists in the
result of the transformation of the BPEL flow activity of the purchase
example. This transformation results in the FIACRE component shown
in Fig 4.5. The flow controller signals concurrently the start of three se-
quences by synchronizing on the Sa event. It then awaits for their respec-
tive finish signals (Fa1, Fa2 and Fa3). The three sequences correspond to
the invoicing, shipping and scheduling sequence of Fig 4.1.
PurchaseFlow
S
S
flow cntrler
F
I O
....
Sa
Fs1
Fs3
SA
Fs1
Fs2
Fs3
F
Fs2
Sequence Inv
Ctrl
Inv CPrice
Sa
Fs1
... ...
con_2_inv
con_2_inv
inv_2_inv
inv_2_rec
rec_2_con
Inv Price
Rec Inv
inv_2_rec
rec_2_con
...
...
...
...
...
Sa
Fs1
Sequence Ship
Ctrl
Inv Ship
Sa
Fs2
... ...
con_2_as
con_2_as
as_2_inv
inv_2_rec
as_2_inv
rec_2_con
Assign
Rec Ship
inv_2_rec
rec_2_con
...
...
...
...
...
Sa
Fs2
Sequence Sched
Ctrl
Inv CSche
Sa
Fs3
... ...
con_2_inv
con_2_inv
inv_2_inv
inv_2_con
inv_2_inv
inv_2_con
Inv Sched
...
...
...
...
Sa
Fs3
inv_2_inv
Fa stpdstop Freintdreinitvars
link
Figure 4.5 – Modeling of the Concrete : Purchase Flow
As for the concrete fault handler, it consists in the transformation of the
134 Chapter 4. Use Case
Fault handler of the purchase example. Upon the reception of a fault, the
fault handler stops the process and then executes the reply fault activity.
This is shown in Fig 4.6.
ConcreteFH
stpdstopFau
FHCtrl
ReplyFault
...
stpdstop ...Fau
s-rep
f-rep
s-rep
f-rep
...O
Figure 4.6 – Modeling of the Concrete Fault Handler
Verification of Additional Correctness Properties At this level we check
the correctness of the sequence, flow, BPEL links and fault handler. The
verification is made on the completely synchronous composition of the
PurchaseFlow (Fig 4.5), concreteFH (Fig 4.6) and an input/output enabled
environment process.
Concrete = Environment‖PurchaseFlow‖ConcreteFH
We start by checking the correctness of the succession of the start and
finish events of the subactivities of the sequence pattern. We consider the
invoicing sequence :
The initial price calculation invoke does not start if the invoicing se-
quence is not started :
Concrete |= ¬con_2_inv W Sa
Neither the invoicing sequence finishes if the invoice receive activity
is not finished :
Concrete |= ¬Fs1 W rec_2_con
Finally, the finish signal of invoice receive activity will either lead to the
sending of the invoicing sequence finish signal or to the sending of the
stpd signal.
Concrete |= (rec_2_con⇒ ♦(Fs1∨ stpd))
A flow is not started before the start of its embedded activities.
Concrete |= ¬Sa W S
A flow may not finish without receiving the finish signals of all of its
embedded activities. This is verified by the following three properties.
Concrete |= ¬F W Fs1
4.2. Use Case 135
Concrete |= ¬F W Fs2
Concrete |= ¬F W Fs3
Now, in order to check the BPEL links correctness property we con-
sider the complete price calculation invoke activity which accepts an in-
coming link. Intuitively, we want to verify that the start signal of the com-
plete price calculation invoke activity may not occur unless the activity has
received all its incoming links. This is verified by the following property :
Concrete |= (inv_2_inv⇒ link.InvCPrice.counter = 0)
Finally, a weak termination is verified. This means that the fault han-
dler behaves correctly.
Concrete |= (stop⇒ ♦stpd)
4.2.3 Proving the Refinement
In order to be able to conclude that the user-requierements properties
(temporal and timed) verified at the abstract level also hold at the con-
crete level, we need to verify that a simulation holds between the asbtract
specifications and their implementations. We shall then proceed by prov-
ing the refinement between these two.
Abstract and Concrete Activities Simulation
First we start by proving the following simulation :
AbstracFH‖AbstractAct -DS AbstractFH‖PurchaseFlow
Following our technique, two steps need to be done. First to compose
the systems with the control and time observers and second to verify the
satisfaction of the µ-calculus property on the composition.
Composition with the Observers The abstract and the concrete systems
are composed with the two observers after having renamed each of their
interface events with the corresponding suffix (_c for the concrete events
and _a for the abstract events) and their local events are made global (the
events of the dashed boxes are transformed to interface events). The names
of the local events of the abstract and concrete systems are left unchanged.
Actually it is not important whether they are changed or not since their
names are not shared between the abstract and the concrete system. The
systems are thus composed in the following way (Fig 4.7) :
(AbstractFH‖AbstractAct) ||| (AbstractFH‖PurchaseFlow)‖Obs‖Obsδ
136 Chapter 4. Use Case
Control Observer : Obs
Sa
Fa
...
Fc
Sc
trec
tinv
...
Time Observer : Obsδ
PurchaseFlow
S
I
O
Fa
stpd
stop
F
reintd
reinit
AbstractAct
S
I
O
Fa
stpd
stop
F
reintd
reinit
treat
] 1, ∞ [
WaitingInv
       [2,2]
WaitingRec
        [1,1]
a
a
a
a
a
a
a
c
c
c
c
c
c
c
Sa
Fa
...
Fc
Sc
trec
tinv
...
treat
Fs1 ] 0,0]
Fs2 ] 0,0]
FrecInv ] 0,0]
...FInvCPrice ] 0,0]
stopping
    ] 0,0]
c
a
AbstractFH
Oc
Fa
stpd
stop
c
c
c
AbstractFH
O a
Fa
stpd
stop
a
a
a
Figure 4.7 – Composition with the Observers
Simulation Verification The composition process is model checked by
the following state-event property that preserves the deadlock :
(q0a, q0c , ok, evt0) |=
DSTimedWeakSimulation︷ ︸︸ ︷
νX.Obs in ok ∧Obsδ in evt0∧
∧
i
[eic](EFτa〈eia〉X) ∧
∧
j
[τ jc ]X∧
(EFτa〈delay〉>)⇒ EFτa(〈delay〉> ∧ [delay]EFτa X)∧∧
i[eia]〈eic〉(stopc = stopa ∧ reinitc = reinita)∧
PropositionsRelation︷ ︸︸ ︷
(stopc = stopa ∧ reinitc = reinita)
where
eic = {Sc, Ic, Oc, FAc, stpdc, reinitedc, Fc}
eia = {Sa, Ia, Oa, FAa, stpda, reiniteda, Fa}
τa = {treat, stopping}
τc = {SAll, FS1, FS2, FS3, SRecInv, SInvPrice, SInvCPrice,
WaitingInv, SRecShip, WaitingRec, SInvShip, FRecShip, noWait,
SInvSch, SInvCSch, FInvCSch}
4.3. Conclusion 137
The formula is a direct instantiation of the DS-Timed Weak Simula-
tion property pattern we have given in Chapter : Timed Weak Simulation
Verification. The set of states returned by the µ-calculus property contain
the initial state of the process, the simulation is then verified. Now sup-
pose that the time interval of treat in the abstract system is changed to
]1, 2]. In this case, the µ-calculus property does not hold. This is because
the concrete system violates the time allowed (more than 2 u.t.) by the
specification.
Fault Handler Simulation
We are left with verifying the following simulation :
AbstracFH -DS ConcreteFH
For this, the same verification technique is applied for the case of the
fault handler and the simulation test on the composition AbstractFH |||
ConcreteFH‖Obs‖Obsδ also holds.
Finally, since in both of the simulation tests a deadlock preserving
simulation is satisfied then the properties verified on the abstract use case
are preserved by the concrete system.
4.3 Conclusion
In this use case, we have been able to accomplish two points. First, we
have shown how the BPEL correctness properties are satisfied on instances
of our FIACRE patterns. Second, we have shown how abstraction-based
model checking and simulation verification can be combined to verify
BPEL models. We started by considering abstract models of BPEL. Then,
we verified user properties on the abstract use case. Finally, we finished
by showing that a simulation actually holds between the abstract models
and their concrete implementations.

Part IV
Conclusion and Perspectives

Chapter One
Conclusion and Perspectives
1.1 Conclusion
The context of this PhD is the FIACRE language and more precisely the
verification, via model checking, of web services using the FIACRE lan-
guage. In order to ease this verification and trespass the shortcomings of
model checking, we were led to the notion of refinement of timed systems
in FIACRE. The idea is to integrate the refinement of timed systems in the
verification chain of web services (BPEL). Having this in mind, we would
need a refinement definition that allows to guarantee the preservation of
properties all along the system development. We also need it to be com-
positional, in the sense that replacing a component by another that refines
it would not affect the whole composition, i.e the global properties of the
composition remain preserved. A model checking verification chain for
BPEL could then be followed via a transformation from BPEL to FIACRE.
In this PhD document, we have achieved the above-stated objective by
suggesting the following contributions:
1. Definition of the timed model (CTTS) that captures the specificity of
FIACRE. We have shown as well that the defined model satisfies the
compositionality property.
2. Definition of a timed simulation relation. We have shown that the
adopted definition guarantees the important properties of trace in-
clusions and thus preserve linear properties. We have also proven
that our simulation is compositional.
3. A technique to verify the timed simulation between timed transi-
tions systems originating from CTTS. For this, we have followed a
standard technique in model checking –a timed observer and an un-
timed logic property– that is mostly used in the verification of timed
properties. The idea is in fact based on an observer with which A
and C are composed. The result of their composition is then ana-
lyzed using a µ-calculus property that captures the timed weak sim-
ulation definition. One important advantage of our approach is that
it is self-contained and relies exclusively on existing model checking
tools, that is, no specific algorithm for the simulation verification is
given. Moreover, some of the restrictions that exist in the literature
142 Chapter 1. Conclusion and Perspectives
have been relaxed, namely the silent actions in the abstract system.
However, since our verification technique is a model checking based
one, its main disadvantage remains the same as that of model check-
ing which is the state explosion for large systems.
4. We have shown that for a given class of systems, the µ-calculus cri-
terion used for the simulation verification is sound and complete.
5. Definition of a transformation from WS-BPEL 2.0 to the FIACRE
specification language : the transformation is mostly structural and
is based on a set of patterns covering both behavioral and timed
aspects of BPEL. Moreover, an interesting feature of this transfor-
mation is that the hierarchical composition of the BPEL activities is
preserved in FIACRE. This comes from the fact that FIACRE is a
component-based language which the same as BPELŠs. Another in-
teresting feature is that we have shown how a subset of the FIACRE
patterns may be proven correct w.r.t their BPEL semantics. This work
may be extended to all of the BPEL constructs of the transformation.
6. A Verification Framework that supports a rich set of properties: the
most noted advantage of our transformation to FIACRE compared
to the literature is the handling of time properties. These properties
could be written in MITL and are handled here using timed ob-
servers which are defined at either the BPEL or the FIACRE level.
The specification of observers at the BPEL level remains a novel idea
and may be a starting point for further studies.
7. A BPEL use case that illustrates our work and shows how
abstraction-based model checking and simulation verification can be
combined to verify BPEL models (and more generally component
based models).
1.2 Perspectives
We move now into discussing the perspectives of the work presented in
this document. Actually, this work opens the door to several key points,
in terms of optimization, of complementary studies, and even in terms of
new ideas to tackle and study. In terms of optimization, the studies could
be followed in the direction of relaxing or at best removing the hypothe-
sis made on the systems in the simulation verification technique. In terms
of complementary studies, the idea of refining FIACRE processes corre-
sponding to BPEL activities can be extended to the refinement of a whole
web service. This leads to the possibility of substituting a web service by
another in a web service composition. Also in terms of complementary
tasks, this work may strongly be considered for implementation. Finally,
in terms of new ideas to tackle, run time verification of BPEL is an inter-
esting idea that may be subjected to further studies and research by means
of BPEL-level observers.
1.2. Perspectives 143
1.2.1 Simulation Verification Technique
The simulation verification technique may be approached using two inde-
pendent techniques. In the first technique, we either relax the 1− τ or we
develop a dedicated algorithm as done in the ECDAR tool [1] or in the
Vesta tool [66].
The purpose of relaxing the main hypothesis of 1− τ in the abstract
system is to accept multiple successive silent actions τ. If this hypothesis is
removed, it will allow more space for design and will ease the progressive
development of systems. This is particularly true because a concrete sys-
tem at the previous level could then be used directly as an abstract system
at the next level.
Developing an algorithm may reduce the risks of state explosion of
model checking. However, we still need to investigate its cost, complexity,
and the number of hypothesis that may thus arise.
1.2.2 FIACRE Extensions
FIACRE Extension with composition operators at the components level
: actually, in FIACRE apart from the parallel composition which is done
at the components level, the sequence, the choice and other basic opera-
tions are all made at the process level. Extending FIACRE with component
level composition operators would ease the transformation from BPEL to
FIACRE. Most of the start/finish signals in the FIACRE patterns would
disappear. Moreover, a component level termination operator could be
easily applied without needing to prefix all the transitions by stop vari-
ables. For example, for C1 and C2 two FIACRE components, the syntax
could be extended as follows :
C1[...] terminate on guard ‖ C2[...]
The semantics of this operator reflects a termination request for the
components embedded in C1 whenever the component C2 evaluates the
guard to True.
Adding such operators would make the transformation from BPEL to
FIACRE more reusable.
1.2.3 Run Time Verification of BPEL
Define a wider range of BPEL observers and extend their study in order to
allow the run time verification of BPEL : The idea is to propose a library
of observers used by the developers in order to instrument their code for
verification purposes. The observers will thus run at the same time of
the real BPEL code and would monitor (or control) the execution of the
application. The observation results can be sent to log files in order to
save the execution trace of the BPEL code. Other associated actions are for
instance to halt the service in case of occurrence of undesired events etc.
1.2.4 Tool Chain for the Simulation/ Verification of BPEL
Developing tools for the simulation between timed systems at one hand,
and the verification of BPEL at the other, can offer several tasks. The first
144 Chapter 1. Conclusion and Perspectives
task is the interactive selection of the BPEL piece to abstract. This is fol-
lowed by an automatic generation of the abstract and concrete FIACRE
code of the selected piece. Now, in order to prove the refinement between
the abstract and concrete system without needing to manipulate complex
logical formulas, the tool should automatically generate the µ-calculus
simulation property to be verified. Finally, for verification purposes, the
tool may offer an interactive selection of property patterns and observers
used for model checking or for run time verification.
Part V
Appendix

Chapter One
Appendix A : Building
Systems with Label Structures
1.1 Label Structure
We start by describing the transition systems labels by means of a label
structure.
Definition 1.1 (Label Structure) A label structure is a tuple 〈L,on〉 where L is a
set of labels and (on: L× L 9 L) is a partial binary composition operator over L.
The function is partial because some composition may be blocked since
on describes exclusively synchronous compositions. The asynchronous as-
pects are covered later (see LTS composition). Our composition then mod-
els:
1. A successful synchronization between l and l′ that results in l on l′ ∈
L.
2. A blocking synchronization between l and l′ : (l, l′) /∈ dom(on).
Let the reader not confuse our label structure with other event structuring
propositions, namely with the event structures [103]. The event structures
models the occurrence of events during the system execution via an intro-
duction of a causal dependency relation and a conflict relation between
the events. While in our case, we introduce a label structure which models
the way the labels (i.e events) are statically composed.
Definition 1.2 (Associativity of a Label Structure) Given a label structure LS =
〈L,on〉, LS is said to be associative if its composition operator on is associative.
Formally, for l1, l2 and l3 ∈ L, LS is associative if :
1. (l1, l2) ∈ dom(on) ∧ ((l1 on l2), l3) ∈ dom(on) ⇔ (l2, l3) ∈ dom(on) ∧ (l1, (l2 on
l3)) ∈ dom(on).
2. (l1, l2) ∈ dom(on) ∧ ((l1 on l2), l3) ∈ dom(on)⇒ ((l1 on l2) on l3) = (l1 on (l2 on l3)).
1.1.1 Examples of Label Structures
Time Label Structure. For ∆ a time domain (non negative real numbers,
naturals . . . ) equipped with a binary associative operator + and a neutral
148 Chapter 1. Appendix A : Building Systems with Label Structures
element 0, the time structure TS is given in the following where a syn-
chronization only takes place when the same value is present at the two
sides of the composition :
TS = 〈∆, (δ1, δ2) 7→ δ1 if δ1 = δ2〉
Basic CSP Synchronizing Events Structure. Here, we model the case of
the completely synchronous composition of CSP. For C a set of communi-
cation ports, a synchronizing structure on C is the label structure :
SyncCSP = 〈C, (c1, c2) 7→ c1 if c1 = c2〉
CCS Synchronizing Events Structure. For C a set of events and C? =
{c? | c ∈ C} and C! = {c! | c ∈ C}, this is represented in our label
structure as follows :
SyncCCS = 〈C? ∪ C! ∪ {τ}, (c!, c? 7→ τ)〉
1.1.2 Composition of Label Structures
We define the product and the sum of two label structures. The product
operation builds new labels as couples of the composed labels. For ex-
ample, this is used when composing synchronization and memory access
labels. Unlike the product operation, the labels of the sum operation are
defined over the union of the composed labels. This is used when compos-
ing synchronization and time labels to specify that only one of the events
may occur but not both simultaneously.
Product of Label Structures
Given two label structures 〈L,on〉 and 〈L′,on′〉, their product ranges over
the set P = (L ∪ {e}) × (L′ ∪ {e′})\{(e, e′)} where e (resp. e′) is a new
element of L (resp. L′) supposed to be neutral for the on operator of its
respective label structure. For l1, l2 ∈ L and l′1, l′2 ∈ L′, the composition
of (l1, l′1), (l2, l
′
2) is defined only if the composition of l1 and l2 and the
composition l′1 and l
′
2 are also both defined.
〈L,on〉 ⊗ 〈L′,on′〉 =
〈P, ( (l1, l′1), (l2, l′2) 7→ (l1 on l2, l′1 on′ l′2) if (l1, l2) ∈ dom(on) ∧ (l′1, l′2) ∈ dom(on′) )〉
Sum of Label Structure
Given 〈L,on〉 and 〈L′,on′〉, their sum ranges over the disjoint union of L• unionmulti
•L′ where L• = {l• | l ∈ L} and •L′ = {•l | l ∈ L′}.
〈L,on〉 ⊕ 〈L′,on′〉 = 〈L unionmulti L′,
(
l1
•, l2• 7→ (l1 on l2)• if (l1, l2) ∈ dom(on)•l1, •l2 7→ •(l1 on′ l2) if (l1, l2) ∈ dom(on′)
)
〉
Proposition 1 (Preservation of Associativity) Given the label structures LS and
LS′, LS⊕ LS′ (resp. LS⊗ LS′) is associative if LS and LS′ are associative.
Proof. The proof is based on checking ∀l1, l2, l3 ∈ LS⊕ LS′ (resp. LS⊗ LS′)
whether (l1 on l2) on l3 and l1 on (l2 on l3) are defined simultaneously and
have the same value. It has been checked using the Coq [102] assistant
prover and is based on an automated case analysis. For instance, in the
LS⊗ LS′ case, this check induces 127 cases in which 83 are non trivial.
1.2. Labeled Transition Systems LTS 149
1.2 Labeled Transition Systems LTS
Definition 1.3 (Labeled Transition System LTS) Given LS = 〈L,on〉, a labeled
transition systems L over LS -denoted as LLS- is defined as 〈Q, Q0 ⊆ Q, T, α :
T → Q, β : T → Q,λ : T → L〉 where Q, Q0, T denote respectively the sets
of states, initial states, transitions and α, β and λ denote functions that return
respectively, the source, the target and the label of a transition.
We write q l→ q′, when there exists t ∈ T such as α(t) = q, β(t) = q′ and λ(t) =
l. Furthermore, we define the alphabet of an LLS -denoted as alphabet(LLS)- as
the set of labels that are actually used by the transitions of LLS.
LTS Composition
Given two LTS defined over 〈L,on〉, a set of labels S ⊆ L denoting the
allowed synchronization results, the label composition function on is ex-
tended to an LTS composition function 〈on
S
〉 as follows:
〈Q1, Q01, T1, α1, β1,λ1〉〈onS 〉〈Q2, Q
0
2, T2, α2, β2,λ2〉 = 〈Q1 ×Q2, Q01 ×Q02, T, α, β,λ〉
where the set of transitions T = {t1  t2 | t1 ∈ T1 ∧ t2 ∈ T2} ∪ {t1 ↑1| t1 ∈
T1} ∪ {t2 ↑2| t2 ∈ T2}, α, β and λ are defined by the following rules :
t1:q1
l1→ q′1, t2:q2 l2→ q′2, (lj, lk) ∈ dom(on) ∧ (lj on lk) ∈ S, j,k ∈ {1,2}, j 6= k
t1  t2 : (q1, q2)
ljon lk→ (q′1, q′2)
Synchronous
t1 : q1
l1→ q′1 , l1 /∈ S
t1 ↑1: (q1, q2) l1→ (q′1, q2)
InterleavingL
t2 : q2
l2→ q′2 , l2 /∈ S
t2 ↑2: (q1, q2) l2→ (q1, q′2)
InterleavingR
S is omitted when it is equal to L. In this case 〈on〉 is a fully synchronous
composition operator. The rule Synchronous is made symmetric in order
to maintain the commutativity of the LTS composition even if on is not
commutative.
Proposition 2 (Commutativity of 〈on
S
〉) 〈on
S
〉 is commutative thanks to the two
symmetric synchronous rules in the LTS composition.
Proposition 3 (Associativity of 〈on
S
〉) Given LS = 〈L,on〉, the label sets
S1, S2 ⊆ L and the LTSs L1LS ,L2LS and L3LS , L1〈on
S1
〉(L2〈on
S2
〉L3) '
(L1〈on
S1
〉L2)〈on
S2
〉L3 if the underlying label structure LS is associative and
commutative, S1 and S2 are stables over LS, S1 ⊆ S2, alphabet(L1) ⊆ S1 and
alphabet(L2) ⊆ S2.
This proposition is close to the weak associativity theorem of the CSP gen-
eralized parallel operator where this theorem is tackled by assuming that
S1 = S2 [96]. Here we consider a variant of this theorem, where the hy-
pothesis is generalized to S1 ⊆ S2. However, other hypothesis were added,
one of them is the commutativity of the composition. Off course, in CSP
the commutativity of the composition is always true since the composition
is made between two identical events.
150 Chapter 1. Appendix A : Building Systems with Label Structures
Proof. Given an associative label structure LS, two stable sets S1, S2 ⊆ L
over LS where S1 ⊆ S2, the LTSs L1LS ,L2LS and L3LS such as alphabet(L1) ⊆
S1 and alphabet(L2) ⊆ S2, we need to prove that L1〈on
S1
〉(L2〈on
S2
〉L3) 'R
(L1〈on
S1
〉L2)〈on
S2
〉L3 where R = {(q1, ((q2, q3)), ((q1, q2), q3) | q1 ∈ Q1 ∧ q2 ∈
Q2, q3 ∈ Q3}. The idea consists in showing that each transition of one can
be found in the other. Let t : (q1, (q2, q3))
l→ (q′1, (q′2, q′3)) be a transition of
L1〈on〉(L2〈on〉L3). Two cases need to be investigated which are whether
l ∈ S1 or not.
1. Suppose l ∈ S1: by unfolding the synchronizing rule we would
obtain the two transitions q1
l1→ q′1 and (q2, q3)
l23→ (q′2, q′3) where
l = l1 on l23 (by on commutativity) and l1, l23 ∈ S1 (By stability of S1).
Here, another two cases need to be investigated whether the label
l23 ∈ S2 or /∈ S2 :
(a) l23 /∈ S2 is impossible since l23 ∈ S1 (By S1 ⊆ S2).
(b) Suppose l23 ∈ L2 : by unfolding the synchronization rule we
would obtain the three transitions qi
li→ q′i where l23 = l2 on l3
(by on commutativity) and i ∈ {1, 2, 3}. Now by applying twice
the synchronization rule (since l1 ∈ S1 and l2, l3 ∈ S1 ⊆ S2)
starting with the composition of q1
l1→ q′1 and q2
l2→ q′2 and
then composing their result with q3
l3→ q′3 we would reach
((q1, q2), q3)
(l12)onl3→ ((q′1, q′2), q′3). Since LS is associative then
(l12) on l3 = l.
2. Suppose l /∈ S1 : since alphabet(L1) ⊆ S1 only the interleavingR
rule applies leading to the transition (q2, q3)
l→ (q′2, q′3). Here two
cases need to be investigated whether l ∈ S2 or /∈ S2 :
(a) Suppose l ∈ L2 : by unfolding the synchronization rule we
would obtain the transitions qi
li→ q′i where l = l2 on l3 (by on
commutativity) and i ∈ {2, 3}. Knowing that alphabet(L1) ⊆
S1 and l2, l3 ∈ S2 (By stability of S2) then by applying the
interleavingR on the composition of q1 and q2
l2→ q′2 we
would reach (q1, q2)
l2→ (q1, q′2) and then composing it with
q3
l3→ q′3 we would reach ((q1, q2), q3)
l2onl3→ ((q1, q′2), q′3) where
l2 on l3 = l (by on commutativity).
(b) Suppose l /∈ S2 : knowing that alphabet(L2) ⊆ S2, only the
interleavingR rule applies leading to the transition q3
l→ q′3.
Now applying twice the interleavingR rule we would reach
((q1, q2), q3)
l→ ((q1, q2), q′3).
By following a similar reasoning, we prove (L1〈on〉L2)〈on〉L3 'R−1
L1〈on〉(L2〈on〉L3).
1.2. Labeled Transition Systems LTS 151
LTS Sum
Given LS1 = 〈L1, LE1 ,on1〉 and LS2 = 〈L2, LE2 ,on2〉, and two LTS L1LS1 =
〈Q, Q0, T1, α1, β1,λ1〉 and L2LS2 = 〈Q, Q0, T2, α2, β2,λ2〉 defined over the
same state space Q, their sum is also an LTS LLS1⊕LS2 defined over the
same state space but in which the transitions are the sum of the transi-
tions of L1LS1 and L2LS2 . Formally the LTS sum [38] is defined as follows
:
〈Q, Q0, T1, α1, β1,λ1〉 ⋃ 〈Q, Q0, T2, α2, β2,λ2〉 = 〈Q, Q0, T1 unionmulti T2, α, β,λ〉
where
α(t1•) 7→ α1(t1) β(t1•) 7→ β1(t1) λ(t1•) 7→ λ1(t1)•
α(•t2) 7→ α2(t2) β(•t2) 7→ β2(t2) λ(•t2) 7→ •λ2(t2)
LTS Label Structure Transformations.
The label structure of an LTS may be changed for instance making local
a global event (CSP hide) or changing its name (CSP Rename). Here, we
consider some LTS labels transformations.
Left(Right) Embedding. For i, j ∈ {1, 2} and i 6= j, given LLSi =
〈Q, Q0, T, α : T → Q, β : T → Q,λ : T → Li〉 and LSj, a left (right) em-
bedding of LLSi is a transformation ↑LS1⊕LS2LSi : LLSi , LSj → LLS1⊕LS2 where
L ↑LS1⊕LS2LSi = 〈Q, Q0, T′, α : T′ → Q,λ : T′ → Q,λ : T′ → L1
⊎
L2〉 such as
T′ is defined:
i = 1
t : q l1→T q′, l1 ∈ L1
t ↑⊕ : q l1
•
→T′ q′
RenameL i = 2
t : q l2→T q′, l2 ∈ L2
t⊕↑ : q • l2→T′ q′
RenameR
Left(Right) Extension. For i, j ∈ {1, 2} and i 6= j, given LLSi =
〈Q, Q0, T, α : T → Q, β : T → Q,λ : T → Li〉 and LSj, a left (right) ex-
tension of LLSi is a transformation ↑LS1⊗LS2LSi : LLSi , LSj → LLS1⊗LS2 where
L ↑LS1⊗LS2LSi = 〈Q, Q0, T′, α : T′ → Q,λ : T′ → Q,λ : T′ → L1 × L2〉 and T′ is
defined:
i = 1
t : q l1→T q′, l1 ∈ L1
tl2
⊗↑ : q (l1,e
′)→ T′ q′
ExtensionL i = 2
t : q l2→T q′, l2 ∈ L2
tl1 ↑⊗ : q
(e,l2)→ T′ q
ExtensionR
Left(Right) Projection. For i ∈ {1, 2}, given LLS1⊕LS2 = 〈Q, Q0, T, α :
T → Q,λ : T → Q,λ : T → L1 ⊎ L2〉, a left (right) projection of
LLS1⊕LS2 is a transformation ↑LSiLS1⊕LS2 : LLS1⊕LS2 → LLSi where L ↑
LSi
LS1⊕LS2=
〈Q, Q0, T′, α : T′ → Q,λ : T′ → Q,λ : T′ → Li〉 such as T′:
i = 1
t : q l1
•
→T q′, l1 ∈ L1
t ↓⊕ : q l1→T′ q′
ProjectionL i = 2
t : q
• l2→T q′, l2 ∈ L2
t⊕↓ : q l2→T′ q
ProjectionR
152 Chapter 1. Appendix A : Building Systems with Label Structures
Left Embedding Application. Given LS and ↑LS2LS1 a transformation from
LS1 to LS2, a left embedding application of ↑LS2LS1 is a transformation of a
transformation ⇑⊕LS⊕LS : ↑LS2LS1 → ↑
LS2⊕LS
LS1⊕LS that is applied to an LTS LLS1⊕LS as:
LLS1⊕LS(↑LS2LS1⇑⊕LS⊕LS) = (L ↑
LS1
LS1⊕LS) ↑
LS2
LS1
⋃L ↑LSLS1⊕LS
1.2.1 Timed Transition Systems TTS
Definition 1.4 (TTS) Given a label structure LS = 〈L, LE,on〉, a Timed Transi-
tion System TTS over LS is an LTS over LS⊕ TS.
Definition 1.5 (TTS composition) Thanks to the introduction of our label struc-
ture, the TTS composition is the composition of the underlying LTSs.
1.2.2 Timed Automata TA
We consider a timed automata [15] in which no invariants are associated
to its locations (this is close to a timed graph [13] since neither invariants
nor committed states are modeled). The transitions are in the form of
guard/event/reset where the guards contain a conjunction of constraints
represented as clock intervals and the reset actions consist in a set of clocks
to be reset. This is represented as a product of two label structures. The
first manages the synchronization events while the second manages the
clock access. Formally, given a label structure LS = 〈L,on〉, a set of clock
variables C, a timed automata (TA) over LS is an LTS over LS⊗CM where
CM is a clock manager structure. For I ∈ I where I is the set of intervals
of R+, CM is defined as :
CM =
〈L = {R~I~c I Z~c′U~c′′ !, R
~I
~c I Z~c′U~c′′? | c, c′, c′′ ⊆ C ∧ c′ ∩ c′′ = ∅},
on
∣∣∣∣∣∣∣∣∣∣∣∣∣∣∣
R
~I1
~c1
I Z~c′1
U~c′′1
! on R~I2~c2 I Z~c2 ′U~c′′1 ! 7→
R
~I1.~I2
~c1.~c2
I Z
~c1
′∪~c2 ′U~c1 ′′∪~c2 ′′ if c
′
1 ∩ c′′2 = ∅ ∧ c′′1 ∩ c′2 = ∅
R
~I1
~c1
I Z~c′1
U~c′′1
! on R~I2~c2 I Z~c2 ′U~c′′1 ? 7→
R
~I2
~c2
I Z
~c2 ′
U~c′′1
? if ~c1 ⊆ ~c2 ∧ (∀c ∈ ~c1, I2(c) ⊆ I1(c)) ∧ c′1 ⊆ c′2 ∧ c′′1 ⊆ c′′2
R~I~c I Z~c′U~c′′? on R
~I
~c I Z~c′U~c′′? 7→ R
~I
~c I Z~c′U~c′′?〉
The CM events are used to model the communication between a timed
automata and a process managing the clocks (See Semantics of TA). The
clock access orders are sent (!) by the timed automata and received (?) by
the clock manager. An event R~I~c I Z~c′U~c′′ means that if the clocks of ~c are
in the corresponding intervals of ~I then the clocks of ~c′ are reset while the
clocks of ~c′′ are kept unchanged. The composition of two sending events
leads to a third one in which its vectors are respectively the concatenation
(resp. union when the order does not matter) of the composed events
vectors. A receiving event is exclusively used to model the clock manager
events. The composition of a sending and a receiving event is defined
when the sending sets are included in the receiving ones. Finally, two
receiving events are only composed when they are identical.
Definition 1.6 (TA Composition) Thanks to our label structure, the TA compo-
sition is defined as the composition of the underlying LTS systems.
1.2. Labeled Transition Systems LTS 153
TA Semantics.
The semantics of a timed automaton ta is given via a composition with a
clock manager Clk defined over CM⊕ TS (Fig 1.1). Clk has two types of
transitions. Transitions of time evolution in which after each possible delay
all of the clocks are incremented by the amount of this delay. Transitions
in which certain clocks are checked against their timing intervals before
resetting others. Since Clk is diagonal, idempotent and deterministic, it
follows that Clk〈on〉Clk ' Clk.
	 					c'	:=	0		
	δ	/		||				c	:=	c	+	δc	∈	C
	[	]										 ∧	
	[	]					l,		r					z	u
c'	∈	Z
c	∈	Il,
	ta 	Clk
||
ϵ
(R ▶ Z	U)
▶
(c,I)	∈	R	
Figure 1.1 – Semantics of TA via a Composition of Two LTS
Furthermore, since the LTS composition is defined over the same label
structure, then the label structures on which ta and Clk are defined have
to be adapted. The systems ta and Clk are then extended respectively with
e transitions so that they both become defined over LS⊗ CM⊕ TS. More
precisely, by using the left embedding transformation function with the
TS label structure over ta we would obtain taLS⊗CM⊕TS and by applying
the left embedding application over Clk along with the transformation
↑LS⊗CMCM we would obtain ClkL⊗CM⊕TS. This is formally defined as [[ta]] =
(ta ↑LS⊗CM⊕TSLS⊗CM 〈 on
(LS⊗CM)•
〉 Clk ↑LS⊗CM⊕TSCM⊕TS ) where the composition of ta
and Clk is synchronous over LS⊗CM while Clk is asynchronous over TS.

Chapter Two
Appendix B : BPEL To FIACRE
Patterns
2.1 Modeling the WSDL
The interaction with the environment is supported by Partnerlinks.
In BPEL, each Partnerlink may contain two roles (myRole and
partnerRole) typed with Porttype. Each of the Porttype declares
several operations used to receive (Input) or send (Output) messages
(Fig 2.1).
BPEL
Partnerlink_i
myRole
PartnerRole
PortType	Operation_jinputoutput
PortType	Operation_jinputoutput
Figure 2.1 – Connections of BPEL
Consequently, this structure is modeled in FIACRE by creating two dif-
ferent enumerated types named inputs and outputs used to model re-
spectively the inputs and the outputs of each operation. The type inputs
(resp. outputs) will be the union of the type of :
• the input (resp. output) arguments of operations of the myRole
of every Partnerlink (1).
• the output (resp. input) arguments of operations of the
partnerRole of every PartnerLink (2).
More precisely, the types encoded in FIACRE in order to model the
WSDL part are as follows :
1. Type inputs : The name of the constructor is built from the name
of the partnerlink and a suffix recv_call (vs. recv_result) in
156 Chapter 2. Appendix B : BPEL To FIACRE Patterns
case (1) (resp. in case (2)). As for the name of the constructor’s type
argument, it is built using the name of the partnerlink with the suffix
type_args (vs. type_results) in case (1) (resp. in case (2)). The
FIACRE code of the inputs type is shown in the following :
type inputs_BPELName i s union
partner l inkName_recv_cal l of partnerlinkName_type_args
| partner l inkName_recv_resul t of partner l inkName_type_resul ts
| . . .
end
2. Type outputs : The name of the constructor is built from the name
of the partnerlink and a suffix send_call (vs. send_result) in
case (2) (resp. in case (1)). As for the name of the constructor’s type
argument, it is built using the name of the partnerlink with the suffix
type_args (vs. type_results) in case (2) (resp. in case (1)). The
FIACRE code of the outputs type is shown in the following :
type outputs_BPELName i s union
partnerl inkName_send_cal l of partnerlinkName_type_args
| partnerl inkName_send_result of partner l inkName_type_resul ts
| . . .
end
3. Type partnerlink_type_args (vs. partnerlink_type_results)
: Each of the partnerlinks types are also declared as a union type
containing all of the porttypes of the corresponding partnerlink. The
name of the constructor is built from the name of the porttype and a
suffix partnerlink_args (resp. partnerlink_result). As for
the name of the constructor’s type argument, it is built using the
name of the porttype with the suffix partnerlink_type_args
(resp. partnerlink_type_result). The corresponding FIACRE
code is shown in the following :
type partner l inkName_type_resul ts i s union
PortTypeName_partnerlinkName_result of
PortTypeName_partnerlinkNam_type_result
. . .
end
type partnerlinkName_type_args i s union
PortTypeName_partnerlinkName_args of
PortTypeName_partnerlinkNam_type_args
. . .
end
4. Type porttype_partnerlink_type_args : Each of the port-
type types are also declared as a union type containing all of
the operations of the corresponding partnerlink. Since an opera-
tion in BPEL always has an input attribute (whether the opera-
tion is synchronous or asynchronous), then the name of the con-
structor is built from the name of the operation and a suffix
2.1. Modeling the WSDL 157
porttype_partnerlink_args. The type of the constructor will
correspond to a record containing an abstracted version of the ac-
tual BPEL message types. The fields of each record will correspond
to the parts of the modeled BPEL message type. The corresponding
FIACRE code is shown in the following :
type PortTypeName_partnerlinkName_type_args i s union
operationName_PortTypeName_partnerlinkName_type_args of
record partName1 : a b s t r a c t _ t y p e end ,
. . .
end
5. Type porttype_partnerlink_type_results : Each of the port-
type types are also declared as a union type containing all of the
operations of the corresponding partnerlink. However, since an out-
put attribute for BPEL operations is optional (required only for syn-
chronous operations), then two cases are possible :
(a) In the case no output attribute is present, then the
porttype_partnerlink_type_results will be typed with
a constructor indicating that this fact. The name of the construc-
tor is built of a concatenation of the literal unused and a suffix
porttype_partnerlink_result.
(b) In the other case, the name of the constructor is
built from the name of the operation and a suffix
porttype_partnerlink_result. As for the name of
the constructor’s type argument, it is built of a concate-
nation of the literal op_result with the suffix containing
the name of the porttype and the name of the operation
(porttype_operation). The corresponding FIACRE code is
shown in the following :
type PortTypeName_partnerlinkName_type_result i s union
operationName_PortTypeName_partnerlinkName_type_result of
op_result_PortTypeName_operationName ,
. . .
end
6. Type op_result_porttype_operation : This type consists of
the possible results of a synchronous operation. This is why, it will
be the union of two kinds of constructors :
(a) The actual result of the message. The name of the constructor is
built from a concatenation of the literal resultat and the suf-
fix porttype_operation. This constructor will be typed with
a record containing an abstracted version of the actual BPEL
message types. The fields of each record will correspond to the
parts of the modeled BPEL message type.
158 Chapter 2. Appendix B : BPEL To FIACRE Patterns
(b) The BPEL faults. A fault in BPEL has a fault name, and a vari-
able to give additional information to the corresponding fault.
In Fiacre, a fault will be typed by the name of the fault and by
a constant that will represent the type of the variable associ-
ated to the fault. We then filter the faults based on their names,
and the type of the variable associated with it (in case it exists).
The name of the constructor is built from a concatenation of the
literal error and the suffix porttype_operation. This con-
structor will be typed with the fault type which will be the
union of all the user fault names in a BPEL process and some of
the BPEL default fault names. These fault names will be typed
with anytype that is declared as Boolean in order to indicate the
existence of a specified fault. The corresponding FIACRE code
is shown in the following :
type anytype i s bool
type f a u l t i s union u s e r _ f a u l t of bp_anytype | bp_F_var iableError
| bp_F_expressionError end
type op_result_PortTypeName_operationName i s union
resultat_PortTypeName_operationName
of record partName1 : a b s t r a c t _ t y p e end ,
. . .
| error_PortTypeName_operationName of f a u l t
. . .
end
Finally like we have already said, having discarded data values, a con-
stant will be created for each data type that represents the type of the
message. So the operations will be typed by this constant that represent
the BPEL type of the message. Note that for abstraction purposes, only
Boolean and enumerated types are preserved during this transformation.
Actually, with respect to model checking purposes, considering the actual
values is not realistic because of state explosion.
2.1.1 Example of WSDL Modeling
We give an example of a partnerlink containing one portType used in
a synchronous communication. Therefore the operation has two types of
messages, an Input and an Output message. Based on what was explained
earlier in this section, 2 types will be created in order to model this partner-
link in Fiacre. The first type, inputs will model the input message (POMes-
sage) of the partnerlink, as for the type outputs it will model the output
message (InvMessage or a fault CannotCompleteOrder).
2.1. Modeling the WSDL 159
<wsdl:message name=" POMessage ">
<wsdl :par t name=" customerInfo "
type=" sns:customerInfoType "/>
<wsdl :par t name=" purchaseOrder "
type=" sns:purchaseOrderType " />
</wsdl:message>
<wsdl:message name=" InvMessage ">
<wsdl :par t name="IVC"
type=" sns : InvoiceType " />
</wsdl:message>
<wsdl:message name=" orderFaultType ">
<wsdl :par t name=" problemInfo "
element=" sns :OrderFaul t " />
</wsdl:message>
<wsdl:portType name=" purchaseOrderPT ">
<wsdl :operat ion name=" sendPurchaseOrder ">
<wsdl : input message=" pos:POMessage " />
<wsdl:output message=" pos:InvMessage " />
< w s d l : f a u l t name=" cannotCompleteOrder "
message=" pos:orderFaultType " />
</wsdl :operat ion>
</wsdl:portType>
<plnk:partnerLinkType name=" purchasingLT ">
< p l n k : r o l e name=" purchaseService "
portType=" pos:purchaseOrderPT " />
</plnk:partnerLinkType>
type purchaseOrderPT_purchasing_type_args i s union
sendPurchaseOrder_purchaseOrderPT_purchasing_args of
record purchaseOrder : record purchaseOrderType : uni t end ,
customerInfo : record customerInfo : a b s _ s t r i n g end end end
type op_result_purchaseOrderPT_sendPurchaseOrder i s union
resultat_purchaseOrderPT_sendPurchaseOrder of
record IVC : record InvoiceType : uni t end end
| error_purchaseOrderPT_sendPurchaseOrder of f a u l t end
type purchaseOrderPT_purchasing_type_result i s union
sendPurchaseOrder_purchaseOrderPT_purchasing_result of
p_op_result_purchaseOrderPT_sendPurchaseOrder end
type purchas ing_type_resul t s i s union
purchaseOrderPT_purchasing_result of
purchaseOrderPT_purchasing_type_result end
type purchasing_type_args i s union
purchaseOrderPT_purchasing_args of
purchaseOrderPT_purchasing_type_args end
type outputs_purchaseOrderProcess i s union
i n v o i c i n g _ s e n d _ c a l l of invoic ing_type_args
| shipping_send_ca l l of shipping_type_args
| schedul ing_send_ca l l of schedul ing_type_args
| purchasing_send_resul t of purchas ing_type_resul t s
| i n v o i c i n g _ s e n d _ r e s u l t of i n v o i c i n g _ t y p e _ r e s u l t s
| shipping_send_resul t of s h ip p i n g _t y p e _ re s u l t s end
type inputs_purchaseOrderProcess i s union
purchas ing_recv_ca l l of purchasing_type_args
| i n v o i c i n g _ r e c v _ c a l l of invoic ing_type_args
| s h i p p i n g _ r e c v _ c a l l of shipping_type_args
| i n v o i c i n g _ r e c v _ r e s u l t of i n v o i c i n g _ t y p e _ r e s u l t s
| s h i p p i n g _ r e c v _ r e s u l t of s h ip p i n g _t y p e _ re s u l t s
| s c h e d u l i n g _ r e c v _ r e s u l t of s c h e d u l i n g _ t y p e _ r e s u l t s end
160 Chapter 2. Appendix B : BPEL To FIACRE Patterns
2.2 Basic Activities
2.2.1 Rethrow
We can also transmit errors explicitly to the next enclosing scope using
the rethrow activity. It can be used only within a fault handler (catch and
catchAll) to rethrow the caught fault. For this fact, the signature of this
activity is slightly different than other activities. The difference results
from the fact that this activity needs to receive the fault at first before it is
capable to rethrow it. That is why we create two ports of type fault in the
rethrow activity. The first f is used to receive the fault and the second f 2
to rethrow it.
The Fiacre process pattern for rethrow is given in Figure 2.2.
           fa ? (faultname,faulttype)            fa_up ! (faultname,faulttype) links _condrethrowstart_rethr
Figure 2.2 – Rethrow pattern
2.2.2 Exit
The exit activity terminates immediately the business process by disabling
all of its activities without any fault handler being invoked. In Fiacre, this
is done by setting all the shared variables error of all the scopes to exit
and by setting all the stop variables of the scopes to true, starting from the
root_stop variable. In order to do this, the pattern of the exit activity consist
of a synchronization on an event exit directly with the fault handler of
the root process.
The Fiacre process pattern for this activity is given in Figure 2.3.
exit links _condstart_ext
Figure 2.3 – Exit pattern
2.2.3 Compensate
The compensate activity is used in order to execute all of the compensa-
tion handlers of the child scopes. It may used inside the FCT handlers of
BPEL. In Fiacre this is done by valuating the comp variable of all the child
scopes to True (Fig. 2.4). The compensate activity will then do a block-
ing wait until all of the the comp variables are set back to False by the
corresponding compensation handlers. We note as well that a compensate
activity cannot throw any faults. Even though that the executed compen-
sation handlers may do. We have decided that these thrown faults are sent
directly to the Fault handler which will treat them or propagate them.
2.2.4 Compensate Scope
The compensate scope is similar to the compensate activity. It is used to
compensate a specific scope by specifying its name. In Fiacre we know ex-
2.3. Structured Activities 161
∀											compensate	:=	true; links _condstart_comp subScopes∀											on	not	compensatesubScopes
Figure 2.4 – Compensate pattern
actly what comp variable we set true by inspecting the BPEL code (Fig. 2.5).
compensate	:=	true; links _condstart_comp on	not	compensate
Figure 2.5 – Compensate Scope activity
2.3 Structured Activities
2.3.1 While and RepeatUntil
The while and the repeatUntil activities allow for repeated execution
of a nested activity. While the while’s nested activity may not be executed
in case the condition initially evaluates to false, the repeatUntil’s nested
activity is executed for at least one time. In Fig. 2.6 we show the pattern
associated to each of these activities.
act1
F
F
While/Repeat Component
While/Repeat Cont
S I O Fa exit link stop stpd reinit reinited comp var
S link ... reinited
...
reinitIN
reinitedIN
SA1 FA1
FareinitIN reinitedIN
reinitIN reinitedIN I varSac1
Fac1
Sac1
Fac1
Figure 2.6 – While/RepeatUntil component
Depending on whether the activity is a while or a repeatUntil, a dif-
ferent controller is created (Fig. 2.7). Here we note that conversely to the
controllers already seen, we show the init state which is normally a state
of the common behavior. This is done because the init state of the while
and the repeat controllers have a special treatment related to the reinitial-
ization of activities.
• For the case of the while controller: once at the init_while state, if
a reinitialization demand is received, the while controller will signal
162 Chapter 2. Appendix B : BPEL To FIACRE Patterns
init_repeat start_act
start
wait_body
start_act
links_cond
reinit_act
on not condition ; finish_act
on condition ; finish_act
reinit := true
reinited ; renit := false
(b)
init_while start_act
start
links_cond
reinit_act
on not condition
on condition ; start_act
reinit := true
reinited ; renit := false
(a)
wait_body finish_act; 
fa ! expression_error
fa ! expression_errorfinish_act
on reinit_up ; reinit := truereinited ; reinit := falsereinited_up ;to init
cond_error
on reinit_up ; reinit := truereinited ; reinit := falsereinited_up ;to init
Figure 2.7 – (a) While controller / (b) Repeat Until controller
this fact to its nested activities and will wait until the reinitialization
is done before transmitting a response to its upper activity.
• At the start_act state, three transitions are possible based on the con-
dition of the while activity. 1 :
1. in case the condition is violated, the process can transit directly
to the links cond state in order to set the outgoing links of the
while activity.
2. in case the transition is satisfied, the process can transmit the
start signal of the nested activity attached to the while before
transiting to the wait_body state.
3. The evaluation of the condition can fail and in this case
a standard BPEL fault will be throw (validExpressionValue).
1Here we note that the condition of Fig. 2.7 may be modeled in FIACRE in case it
manipulates simple data types such as Boolean. However, in case the data type were
complex such as strings, since we abstract these data the choice between the satisfaction of
the condition or not would be non-deterministic (as if we replace the condition by true)
2.3. Structured Activities 163
This corresponds to the transition labeled with the fault
expression_error
Once the while controller is at the wait_body state, it will do a block-
ing wait until the finish signal of the nested activity is received, then
it will transit to the reinit_act state in order to reinitialize the activities
nested in the while activity so that multiple instances of the while
body may be executed2. The reinitialization is done by valuating the
variable reinitialize reinit to true and then it awaits that the activities
synchronize on the port reinited.
• For the case of the repeatUntil controller, a slight difference is made
in order to force the execution of the nested activity for at least one
time before exiting the loop. More precisely, at the start_act state of
the repeat Until controller (Figure 2.7 (b)) the body activity is exe-
cuted directly before the test of the condition is made.
2.3.2 If
The If activity of BPEL controls the conditional execution of the nested ac-
tivities. The If activity contains multiple (if and else if) conditions to which
a nested activity is associated. The conditions are checked sequentially.
Depending on which of the conditions evaluates to True its associated ac-
tivity is executed. For the last branch of the IF activity, it corresponds to
the "else" branch. The activity associated to this branch is executed in case
all of the preceding conditions evaluated to False.
SA1 SA
If Component S I O Fa exit link stop stpd reinit reinited comp var
...
FAn
act1
I var
F
F
...
actn
I var....
Sac1
Fac1
Sac1
Fac1
Sacn
Facn
Sacn
Facn
...
If Controller
S link reinited...Fa
Figure 2.8 – If component
Whenever the start signal of the If is received, the If controller will
proceed by sending the start signal to one of the nested activities (one of
SA1 to SAn in Figure 2.8). It will then do a blocking wait until one of the
2All the variables used by the Fiacre components are reset to their initial values.
164 Chapter 2. Appendix B : BPEL To FIACRE Patterns
finish signal of the executed activity is received (FA). 3. Once it is received,
the If controller will signal the finish of the If activity.
start_if act_started
if condition1 then
start_act_1 ; branch:=1
if conditionn-1 then
start_act_n-1; branch := n-1
else  condition_n
start_act_n ; branch := n
on stop ; branch := 0 ; to init
links_condfinish
branch := 0 ; to init
fa ! (expression_error) ; to init
Figure 2.9 – If controller
In Fig 2.9 we show the controller of the If activity . The BPEL If
activity is modeled in FIACRE as an if statement. In each branch of
this statement the BPEL conditions are embedded. In case the condition
condition1 is satisfied, the first transition is taken. Otherwise the second
condition is tested and so on. The If controller starts by reading the condi-
tion of the first branch. The evaluation of the condition can fail and in this
case a standard BPEL fault will be thrown (validExpressionValue). 4
Each transition of the start_if state :
1. The process can transmit the start signal (start_act_1 to
start_act_n) of the corresponding nested activity attached to
the satisfied branch of the If activity before transiting to the
act_started state. Once the If controller is at the act_stated
state, it will wait for the finish signal of the nested activity to be
received, then it updates the value of a local variable branch with
an integer that points to the chosen branch before transiting to the
links_cond state. This branch variable will be used to indicate
which branch has been chosen by the If activity, so that the other
activities that are associated to the other branches are informed that
they are no longer activated. In this case, positive values of the skip
variable are transmitted to the unchosen activities.
2. In case the process got to the last transition of the start_if state
(corresponding to the else branch) -meaning that non of the pre-
ceding conditions were satisfied- it signals the start of the activ-
ity attached to the else branch before eventually transiting to the
link_cond state in order to evaluate the outgoing links of the If
activity.
Finally, whenever the activity is started (state act_started) and a
stop demand is asked, the branch variable needs to be reinitialized to
3We note here that all the activities share a single finish signal (FA), since the choice
between the execution of one of the nested activities of the IF is exclusive
4Again, when the BPEL data manipulate complex types, these data are abstracted in FI-
ACRE. That what makes the choice between throwing a fault or transiting to the branch1
state non-deterministic.
2.3. Structured Activities 165
0. This is because in this case none of the nested activities have updated
their outgoing links . Also at the links_cond state, the branch variable
is reinitialized in order to be ready for a new execution.
2.3.3 Pick
The pick activity waits for a message or an alarm to occur. A nested activity
is associated to each of the received events. It is similar to the event han-
dler with the only difference that the pick activity waits for exactly one
message or for a timeout to occur. Hence, the nested activity associated
to the received message is executed for exactly one time. In the pick com-
ponent (Figure 2.10), the pick controller will signal the start (SA1 · · · SAn)
depending on the received event. It will then waits for the executed activ-
ity to finish in order to signal the finish of the pick.
act1
I var
F
F
SA1 SA
Pick Component
Pick Controller
S I O Fa exit link stop stpd reinit reinited comp var
S I var
...
...
actn
I var....
FAn
...
timeout
timeout Sac1
Fac1
Sac1
Fac1
Sacn
Facn
Sacn
Facn
Figure 2.10 – Pick component
start_pick act_started
msg_in(inp1); 
var1 := inp1 ; branch :=1
msg_in(inp_n);
var_n := inp_n ; branch := n-1
wait [alarm] ;
on stop ; branch := 0 ; to init
links_cond
start_act1
branch := 0 ; to init
fa ! (variable_error) ; to init
...
start_actn-1
start_act1
start_actnbranch := n
finishstart_actn-1
start_actn
Figure 2.11 – Pick controller
The controller (Figure 2.11) of a Pick activity contains two types of
branches (a message event and an alarm). The Pick controller will do
166 Chapter 2. Appendix B : BPEL To FIACRE Patterns
a blocking wait until an event of the two occurs 5. Once one of these
events occur, the pick controller will execute the associated activity and
then it will have the same behavior of the If controller concerning the
branch local variable. We also note that the alarm event of the pick will be
treated exactly the same way as the notion of time is treated in the wait
activity. Here we note that unlike the If controller, at the start_pick
state a FIACRE select statement is modeled because the choice between
the events is non-deterministic. Finally, the explanation concerning the
branch variable in the If controller also holds here.
2.3.4 Full Scope With Termination and Compensation Handlers.
FaScope component
scope 
S
S
scope ctrler
F
Fault_H
Fa
TermH
S I_rec O_rep link varsstpd reinit reinited comp
FaIN FaIN
stpdstpdIN cmpIN
term
CH
comp Fa
exit stop
stopIn stop
....
.... .... .... ....
I_inv O_inv
...
EH
...
act
term
SA
FA1
SA
Fe
F
FF
stpdINcmpINstopIn
SA
FA1
Fe
stpdIN cmpINstopIn
termtd termtd
stpdIN cmpINstopIn
Figure 2.12 – Scope Component
Termination Handler: The termination handler is only executed when
an enclosed scope is forced to terminate by an enclosing scope. In FI-
ACRE, this is modeled by the variable term that is valuated to True by
the scope’s fault handler whenever a forced termination is demanded. In
addition, the scope should be in running mode in order for it to be termi-
nated. In FIACRE, these conditions are checked by the termination con-
troller (embedded in the TH component). If these conditions are fulfilled,
then the termination handler is executed. All the faults thrown inside of
the termination handler are treated internally and are never propagated.
This is why no fault ports appear in the interface of the termination han-
dler. Moreover, all the faults thrown inside of the termination handler are
treated internally and never propagated that is why no fault ports appear
in the interface of the termination handler. In FIACRE this is done by cre-
ating a local fault port (Fa2), a stop variable (stop2) and a stop port (stpd2).
We note that in our encoding, the innermost-first termination order of
BPEL is respected. It is so because the term variable is reset to False only
5Here we note that the alarm event represents a relative BPEL time. That is the For
duration attribute is used. It is treated in FIACRE as a wait instruction having the same
minimal and maximal bound of the specific BPEL alarm value wait [alarm, alarm].
More details about the modeling of the BPEL notion of time and especially the absolute
time is given later in this section (see section 2.5.5
2.4. BPEL Handlers 167
after the execution of the termination handler. Furthermore, it will valu-
ate another variable to True (namely termted). This variable is used by the
compensation handler as a certification that the termination handler of the
scope has been executed.
Compensation Handler: The compensation handler is triggered by a
compensate or compensateScope activity embedded in one of the Fault-
Compensation-Termination handlers of the enclosed scope. In FIACRE,
this is modeled by valuating the comp variable to True. Furthermore, the
compensation handler of a scope is only executed if the associated scope
has already been completed normally. This condition is verified by the
compensation handler controller before it is able to execute its body activ-
ity. Unlike the termination handler, the faults thrown by the activities of
the compensation handler are propagated to the scope which has called
the faulted compensation handler. This is done by synchronizing on the
Fa port shared with the scope component interface. Furthermore, in BPEL,
the compensation of scopes occurs in the reverse order of their completion.
In FIACRE, a simple way to handle such compensation order is to han-
dle it non-deterministically. Otherwise, we have to implement a dynamic
mechanism as it is done by [47].
2.4 BPEL Handlers
2.4.1 Termination Handler
Termination Handler Component The component of the termination
handler in Fiacre is given in Figure 2.13. It consists of two parts, a ter-
mination controller and its nested activity.
TH component
term controller
Sac
termtdterm
Fac
act1
var...
I O exit link stop stpd reinit reinited comp var
link stop stpd reinit reinited
termtdterm
Sac Fac FauIn
stopIn stpdIn
stopIn stpdInFauIn FauIn... ...stopIn stpdIn
Sac
Fac
Figure 2.13 – Termination Handler component
User Defined Termination Handler Controller A User defined termina-
tion controller 2.13may embed any activity.
Default Termination Handler Controller A default termination con-
troller which will only embed a compensate activity.
168 Chapter 2. Appendix B : BPEL To FIACRE Patterns
init TH
start_TH_actstart_TH_act
on finished OR err 
OR terminated & 
terminate ;
finish_TH_act
on not finished & not err;
& terminate & not terminated
terminate :=false
 terminate:=false;
terminated:= true
terminate:=false
terminated:= true start_catch
f ? any
f ? any
start_catch
stop:=true
f ? any
stpd ; stop := false
finish_TH
 
for all embeded activities 
(except child scopes)    
if not finished then 
     finished := true                            
 
                        
           set links embeded activities 
finish_TH_act terminate:=false;terminated:= true
on stop_glo ; stop := true; stpd; 
set links ; terminated := true 
 
on stop_glo ;  
   stpd_up
 
on reinitialize;
terminated := false; 
reinitialized
Figure 2.14 – User defined termination Handler controller
init TH
start_TH_actstart_TH_comp
on finished OR err 
OR terminated & 
terminate ;
finish_TH_comp
on not finished & not err;
& terminate & not terminated
terminate :=false
 terminate:=false;
terminated:= true
terminate:=false
terminated:= true ;
stpd_up start_catchstpd ; stop := false
finish_TH
                         
           
finish_TH_act
 terminate:=false;
terminated:= true
on stop_glo ;  
   stpd_up
 
on reinitialize;
terminated := false; 
reinitialized
on stop_glo; 
stop:=true
on stop_glo ; stop := true; stpd; 
set links ; terminated := true 
 
Figure 2.15 – Default termination handler controller
2.4.2 Compensation handler
A scope may be asked to be compensated by running its compensation
handler. In Fiacre, the component of the compensation handler (Fig 2.16)
is similar to other handlers and structured activities. It consists of two
parts which are a compensation controller and the nested activities. The
start of the compensation handler is treated by its compensation controller
(Fig. 2.17 and Fig. 2.18).
User Defined Compensation Controller A user defined compensation
handler is a wrapper in which we may nest any type of activities.
Default Compensation Controller In the case that a compensation han-
dler for a scope is not specified explicitly, a default compensation handler
is created that only contains a compensate activity.
2.4.3 Full Fault Handler : With Termination and Compensation Han-
dlers
2.4. BPEL Handlers 169
CH component
comp controller
Sac Fac
termtdcomp
cmptd
cmptd
act1
I var...
S I O Fa exit link stop stpd reinit reinited compIn var
link stop stpd reinit reinited
termtdcomp
compInSac
Fac
Sac
Fac
Figure 2.16 – Compensation handler
init CH start_CH_act
start_CH_act
finish_CH_act
finish_CH_act
on stop_glo ; 
     stpd
compensate :=false
compensated:=true
compensate:=false
on finished & not err 
& not terminated & compensate
& not compensated
on not finished OR err OR 
terminated OR compensated 
& compensate ; 
on reinitialize;
compensated := false; 
reinitialized
        on stop_glo ; 
compensated := true; stpd
Figure 2.17 – User defined compensation handler
init CH start_CH_comp
on stop_glo ; 
     stpd
compensate :=false
compensated:=true
compensate:=false
on finished & not err 
& not terminated & compensate
& not compensated
on not finished OR err OR 
terminated OR compensated 
& compensate ; 
on reinitialize;
compensated := false; 
reinitialized
        on stop_glo ; 
compensated := true; stpd
compensateALL
compensated
finish_CH_comp
Figure 2.18 – Default compensation handler
170 Chapter 2. Appendix B : BPEL To FIACRE Patterns
links
_con
d2
catc
h_b
dy
sto
ppe
d
f ?
 an
ysta
rt_ca
tch
(err
:=o
the
r,st
op:
=tru
e)
(er
r:=
oth
er,
sto
p:=
tru
e)
rep
ly_
sto
p
on n
ot s
top_
glob
al; f
inis
h
f ?
 an
y
f ?
 an
y
bod
y1
term
_ha
nd
wa
it te
rm stpd
  ; s
top:
=fal
se 
f ?
 an
y
 
for
 al
l e
mb
ede
d a
cti
vit
ies
 in
clu
ded
 TH
 at
tac
hed
 
(ex
cep
t c
hil
d s
cop
es)
 
if n
ot 
fin
ish
ed 
the
n 
    
    
    
    
    
    
    
    
fin
ish
ed 
:= 
tru
e
 
    
    
    
    
    
    
    
    
   
set
 lin
ks 
em
bed
ed 
act
ivi
tie
s
set
 lin
ks 
bra
nch
es 
FH
set
 lin
ks 
sco
pe 
itse
lf
stpd
 ; st
op :
= 
on
 st
op
_g
lob
al 
 ; s
top
 :=
 tr
ue
 
fini
sh_
term
stpd
_up
 ; on
 not
 sto
p_g
loba
l
links
_con
d
fini
sh_
FH
wa
it s
tpi
wa
it s
top
sto
ppe
d_i
 
stpd
 ; st
op :
= fa
lse
not 
handf 
? f
au
lt1
(tf
au
lt1
; 
on
  f
ini
sh
ed
prop
age o
n s
top
_g
lob
al 
 ; 
sto
p :
= t
ru
e
 f
2 !
 fa
ult
1; 
on
 no
t f
ini
sh
ed
f ?
 an
y
f ?
 fa
ult
1(
tfa
ult
1 
f? 
 fa
ult
1(
tfa
ult
1 f?
 fa
ult
1(
tfa
ult
1 
f ?
 an
y
f ?
 an
y
on
 no
t f
ini
sh
ed
  
on
 st
op
_g
lob
al 
 ; s
top
 :=
 tr
ue
 on
 er
r_
glo
b =
 ex
it;
 er
r :
= 
ex
it   o
n 
sto
p_
glo
ba
l  ;
 
sto
p :
= t
ru
e
 on
 er
r_
glo
b 
= e
xit
; 
err
 :=
 ex
it
on
 st
op
_g
lob
al 
 ; s
top
 :=
 tr
ue
 on
 er
r_
glo
b =
 ex
it;
 er
r :
= 
ex
it
 for
 al
l e
mb
ede
d a
cti
vit
ies
 in
clu
ded
 TH
 at
tac
hed
 
(ex
cep
t c
hil
d s
cop
es)
 
if n
ot 
fin
ish
ed 
the
n 
    
    
    
    
    
    
    
    
fin
ish
ed 
:= 
tru
e
 
    
    
    
    
    
    
    
    
   
set
 lin
ks 
em
bed
ed 
act
ivi
tie
s
set
 lin
ks 
sco
pe 
itse
lf
on
 re
ini
tia
liz
e ;
 er
r:=
 no
;
 st
op
 :=
 fa
lse
; te
rm
ina
te 
:=
 fa
lse
 ; 
rei
nit
ial
ize
d
com
pens
ate
fin
ish
_co
mp
ens
ate co
mp
ens
td on
 st
op
_g
lob
al 
 ; 
sto
p :
= t
ru
e
 on
 er
r_
glo
b =
 ex
it;
 
err
 :=
 ex
it
Figure 2.19 – Fault Handler Controller : No CatchAll
2.4. BPEL Handlers 171
links
_con
d2
catc
h_b
dy
sto
ppe
d
f ?
 an
ysta
rt_ca
tch
(err
:=o
the
r,st
op:
=tru
e)
(er
r:=
oth
er,
sto
p:=
tru
e)
rep
ly_
sto
p
on n
ot s
top_
glob
al; f
inis
h
f ?
 an
y
f ?
 an
y
bod
y1
term
_ha
nd
wa
it te
rm stpd
  ; s
top:
=fal
se 
f ?
 an
y
 
for
 al
l e
mb
ede
d a
cti
vit
ies
 in
clu
ded
 TH
 at
tac
hed
 
(ex
cep
t c
hil
d s
cop
es)
 
if n
ot 
fin
ish
ed 
the
n 
    
    
    
    
    
    
    
    
fin
ish
ed 
:= 
tru
e
 
    
    
    
    
    
    
    
    
   
set
 lin
ks 
em
bed
ed 
act
ivi
tie
s
set
 lin
ks 
bra
nch
es 
FH
set
 lin
ks 
sco
pe 
itse
lf
stpd
 ; st
op :
= 
on
 st
op
_g
lob
al 
 ; s
top
 :=
 tr
ue
 
fini
sh_
term
stpd
_up
 ; on
 not
 sto
p_g
loba
l
links
_con
d
fini
sh_
FH
wa
it s
tpi
wa
it s
top
sto
ppe
d_i
 
stpd
 ; st
op :
= fa
lse
not 
hand
catc
hbo
dyal
l
f ?
 fa
ult
1(
tfa
ult
1; 
on
  f
ini
sh
ed
prop
age
on
 st
op
_g
lob
al 
 ; 
sto
p :
= t
ru
e
 f
2 !
 fa
ult
1; 
on
 no
t f
ini
sh
ed
f ?
 an
y
f ?
 fa
ult
1(
tfa
ult
1 
f? 
 fa
ult
1(
tfa
ult
1 
f? 
fau
lt1
(tf
au
lt1
 
f ?
 an
y
f ?
 an
y
on
 no
t f
ini
sh
ed
fin
ish
_bo
dyA
ll_i
bra
nch
:= i
  o
n s
top
_g
lob
al 
 ; 
sto
p :
= t
ru
e
 on
 er
r_
glo
b =
 ex
it;
 
err
 :=
 ex
it
on
 st
op
_g
lob
al 
 ; s
top
 :=
 tr
ue
 on
 er
r_
glo
b =
 ex
it;
 er
r :
= 
ex
it
on
 st
op
_g
lob
al 
 ; 
sto
p :
= t
ru
e
 on
 er
r_
glo
b =
 ex
it;
 
err
 :=
 ex
it
on
 st
op
_g
lob
al 
 ; s
top
 :=
 tr
ue
 on
 er
r_
glo
b =
 ex
it;
 er
r :
= 
ex
it
 for
 al
l e
mb
ede
d a
cti
vit
ies
 in
clu
ded
 TH
 at
tac
hed
 
(ex
cep
t c
hil
d s
cop
es)
 
if n
ot 
fin
ish
ed 
the
n 
    
    
    
    
    
    
    
    
fin
ish
ed 
:= 
tru
e
 
    
    
    
    
    
    
    
    
   
set
 lin
ks 
em
bed
ed 
act
ivi
tie
s
set
 lin
ks 
sco
pe 
itse
lf
on
 re
ini
tia
liz
e ;
 er
r:=
 no
;
 st
op
 :=
 fa
lse
; te
rm
ina
te 
:=
 fa
lse
 ; 
rei
nit
ial
ize
d
Figure 2.20 – Fault Handler Controller : CatchAll

Bibliography
[1] http://ecdar.cs.aau.dk/. (Cité pages 42 et 143.)
[2] http://research.petalslink.org/display/itemis/itemis+overview.
(Cité pages x, 6 et 122.)
[3] http://www.w3.org/tr/soap/. (Cité page 84.)
[4] http://www.w3.org/xml/schema. (Cité page 85.)
[5] Review of "concurrent and real-time systems: the csp approach"
by steve schneider. wiley 1999. SIGACT News, 35:4–12, June 2004.
Reviewer-Petride, Sabina. (Cité pages 26 et 47.)
[6] N. Abid, S. Dal Zilio, and D. Le Botlan. A Verified Approach for
Checking Real-Time Specification Patterns. In VECoS 2012 – 6th
International Workshop on Verification and Evaluation of Computer and
Communication Systems, Electronic Workshops in Computing (eWiC).
BCS, Sept. 2012. (Cité page 53.)
[7] J.-R. Abrial. The B-book - assigning programs to meanings. Cambridge
University Press, 2005. (Cité pages viii et 4.)
[8] J.-R. Abrial, M. Butler, S. Hallerstede, T. S. Hoang, F. Mehta, and
L. Voisin. Rodin: an open toolset for modelling and reasoning in
Event-B. STTT, 12(6):447–466, 2010. (Cité page 91.)
[9] L. Aceto, A. Burgueño, and K. G. Larsen. Model checking via reach-
ability testing for timed automata. In Proceedings of the 4th Interna-
tional Conference on Tools and Algorithms for Construction and Analy-
sis of Systems, TACAS ’98, pages 263–280, London, UK, UK, 1998.
Springer-Verlag. (Cité page 41.)
[10] I. Ait-Sadoune and Y. Ait-Ameur. A proof based approach for mod-
elling and verifying web services compositions. In Proceedings of
the 2009 14th IEEE International Conference on Engineering of Complex
Computer Systems, ICECCS ’09, pages 1–10, Washington, DC, USA,
2009. IEEE Computer Society. (Cité page 91.)
[11] R. Alur. Timed automata. Theoretical Computer Science, 126:183–235,
1999. (Cité page 22.)
174 Bibliography
[12] R. Alur, C. Courcoubetis, and D. Dill. Model-checking in dense real-
time. Inf. Comput., 104(1):2–34, May 1993. (Cité pages xi et 6.)
[13] R. Alur, C. Courcoubetis, and D. Dill. Model-checking in dense real-
time. Information and Computation, 104:2–34, 1993. (Cité page 152.)
[14] R. Alur and D. L. Dill. Automata for modeling real-time systems. In
Proceedings of the seventeenth international colloquium on Automata, lan-
guages and programming, pages 322–335, New York, NY, USA, 1990.
Springer-Verlag New York, Inc. (Cité page 13.)
[15] R. Alur and D. L. Dill. A theory of timed automata. Theoretical
Computer Science, 126:183–235, 1994. (Cité pages xi, 6, 20, 21, 40, 60
et 152.)
[16] R. Alur, T. Feder, and T. A. Henzinger. The benefits of relaxing
punctuality. J. ACM, 43(1):116–146, Jan. 1996. (Cité pages xx, 16, 17
et 120.)
[17] R. Alur and T. A. Henzinger. Logics and models of real time: A
survey. In Proceedings of the Real-Time: Theory in Practice, REX Work-
shop, pages 74–106, London, UK, UK, 1992. Springer-Verlag. (Cité
page 16.)
[18] A. Alves, A. Arkin, S. Askary, B. Bloch, F. Curbera, Y. Goland,
N. Kartha, Sterling, D. König, V. Mehta, S. Thatte, D. van der Rijn,
P. Yendluri, and A. Yiu. Web Services Business Process Execution
Language Version 2.0. OASIS, May 2006 2006. (Cité pages xviii, 7,
83, 86, 87, 89, 94, 95, 97, 98, 99, 109, 111 et 127.)
[19] A. Arnold, G. Point, A. Griffault, and A. Rauzy. The altarica formal-
ism for describing concurrent systems. Fundam. Inf., 40(2,3):109–124,
Aug. 1999. (Cité page 39.)
[20] F. V. B. Berthomieu, P.-O. Ribet. The tool tina – construction of ab-
stract state spaces for petri nets and time petri nets. International
Journal of Production Research, Vol. 42, 2004. (Cité pages x, 6 et 28.)
[21] C. Baier and J.-P. Katoen. Principles of Model Checking (Representation
and Mind Series). The MIT Press, 2008. (Cité pages 37, 38, 49 et 61.)
[22] G. Behrmann, A. Cougnard, R. David, E. Fleury, K. G. Larsen, and
D. Lime. Uppaal-tiga: Timed games for everyone. (Cité page 23.)
[23] F. Bellegarde, J. Julliand, and O. Kouchnarenko. Ready-simulation
is not ready to express a modular refinement relation. In Proceedings
of the Third Internationsl Conference on Fundamental Approaches to Soft-
ware Engineering: Held as Part of the European Joint Conferences on the
Theory and Practice of Software, ETAPS 2000, FASE ’00, pages 266–283,
London, UK, UK, 2000. Springer-Verlag. (Cité pages 35 et 36.)
[24] B. Bérard, F. Cassez, S. Haddad, D. Lime, and O. H. Roux. Compar-
ison of different semantics for time petri nets. In D. A. Peled and
Y.-K. Tsay, editors, 3rd International Symposium on Automated Technol-
ogy for Verification and Analysis (ATVA 2005), volume 3707 of Lecture
Bibliography 175
Notes in Computer Science, pages 293–307, Taipei, Taiwan, Oct. 2005.
Springer-Verlag. (Cité pages 26 et 40.)
[25] B. Bérard, F. Cassez, S. Haddad, D. Lime, and O. H. Roux. Compar-
ison of the expressiveness of timed automata and time petri nets.
In Proceedings of the Third international conference on Formal Modeling
and Analysis of Timed Systems, FORMATS’05, pages 211–225, Berlin,
Heidelberg, 2005. Springer-Verlag. (Cité page 40.)
[26] B. Berard, F. Cassez, S. Haddad, D. Lime, and O. H. Roux. When
are Timed Automata weakly timed bisimilar to Time Petri Nets ?
In 25th Int. Conf. on Foundations of Software Technology and Theoretical
Computer Science (FSTTCS’05), pages 276–284, Chennai, Inde, 2005.
(Cité page 40.)
[27] A. Berglund, S. Boag, D. Chamberlin, M. F. Fernández, M. Kay, J. Ro-
bie, and J. Siméon. XML Path Language (XPath) 2.0 (W3C Recom-
mendation), Jan. 2007. (Cité page 88.)
[28] R. Bernard and et al. Altarica refinement for heterogeneous granu-
larity models analysis, 2008. (Cité pages 39 et 66.)
[29] B. Berthomieu, J.-P. Bodeveix, P. Farail, M. Filali, H. Garavel, P. Gau-
fillet, F. Lang, and F. Vernadat. Fiacre: an Intermediate Language
for Model Verification in the Topcased Environment. In ERTS 2008,
Toulouse France, 2008. (Cité page 26.)
[30] N. Bertrand, S. Pinchinat, and J.-B. Raclet. Refinement and consis-
tency of timed modal specifications. In Proc of., LATA ’09, pages
152–163, Berlin, Heidelberg, 2009. Springer-Verlag. (Cité page 40.)
[31] T. Bolognesi and E. Brinksma. Introduction to the iso specification
language lotos. Comput. Netw. ISDN Syst., 14:25–59, March 1987.
(Cité page 90.)
[32] J. Bradfield and C. Stirling. Modal mu-calculi. In HANDBOOK OF
MODAL LOGIC, pages 721–756. Elsevier, 2007. (Cité pages 18 et 72.)
[33] V. Breugel and M. Koshkina. Models and verification of bpel franck.
(Cité page 89.)
[34] M. C. Browne, E. M. Clarke, and O. Grümberg. Characterizing finite
kripke structures in propositional temporal logic. Theor. Comput. Sci.,
59(1-2):115–131, July 1988. (Cité page 38.)
[35] T. Bultan, X. Fu, and J. Su. Analyzing conversations of web services.
IEEE Internet Computing, 10:2006, 2006. (Cité page 90.)
[36] P. Bulychev, T. Chatain, A. David, and K. G. Larsen. Efficient on-the-
fly algorithm for checking alternating timed simulation. In Proc.,
FORMATS ’09, pages 73–87, Berlin, Heidelberg, 2009. Springer-
Verlag. (Cité pages 23, 42, 43 et 78.)
[37] S. Chaki, E. M. Clarke, J. Ouaknine, N. Sharygina, and N. Sinha.
State/event-based software model checking. In In Integrated Formal
Methods, pages 128–147. Springer-Verlag, 2004. (Cité page 15.)
176 Bibliography
[38] K. M. Chandy and J. Misra. Parallel program design - a foundation.
Addison-Wesley, 1989. (Cité page 151.)
[39] T. Chatain, A. David, and K. G. Larsen. Playing games with timed
games, 2009. (Cité page 42.)
[40] E. M. Clarke and E. A. Emerson. Design and synthesis of synchro-
nization skeletons using branching-time temporal logic. In Logic of
Programs, Workshop, pages 52–71, London, UK, UK, 1982. Springer-
Verlag. (Cité pages ix, 5, 18 et 35.)
[41] E. M. Clarke, O. Grumberg, and D. E. Long. Model checking and
abstraction. In Proceedings of the 19th ACM SIGPLAN-SIGACT sympo-
sium on Principles of programming languages, POPL ’92, pages 343–354,
New York, NY, USA, 1992. ACM. (Cité pages x et 5.)
[42] P. Cousot and R. Cousot. Abstract interpretation: a unified lattice
model for static analysis of programs by construction or approxima-
tion of fixpoints. In Proceedings of the 4th ACM SIGACT-SIGPLAN
symposium on Principles of programming languages, POPL ’77, pages
238–252, New York, NY, USA, 1977. ACM. (Cité pages ix et 4.)
[43] A. David, K. G. Larsen, A. Legay, U. Nyman, and A. Wasowski.
Methodologies for specification of real-time systems using timed i/o
automata. In Proc., FMCO’09, pages 290–310. Springer, 2010. (Cité
pages 40 et 42.)
[44] A. David, K. G. Larsen, A. Legay, U. Nyman, and A. Wasowski.
Timed I/O automata: a complete specification theory for real-time
systems. In Proc. of, HSCC ’10, pages 91–100, New York, NY, USA,
2010. ACM. (Cité pages 20, 22 et 23.)
[45] J. W. de Bakker, C. Huizing, W. P. de Roever, and G. Rozenberg, ed-
itors. Real-Time: Theory in Practice, REX Workshop, Mook, The Nether-
lands, June 3-7, 1991, Proceedings, volume 600 of Lecture Notes in Com-
puter Science. Springer, 1992. (Cité pages xii, 25 et 50.)
[46] L. de Moura and N. Bjørner. Satisfiability Modulo Theories: An Ap-
petizer. In M. Oliveira and J. Woodcock, editors, Formal Methods:
Foundations and Applications, volume 5902 of Lecture Notes in Com-
puter Science, chapter 3, pages 23–36. Springer Berlin / Heidelberg,
Berlin, Heidelberg, 2009. (Cité pages viii et 4.)
[47] A. Ferrara. Web services: a process algebra approach. In ICSOC
’04: Proceedings of the 2nd international conference on Service oriented
computing, pages 242–251, New York, NY, USA, 2004. ACM Press.
(Cité pages 89, 90, 91 et 167.)
[48] X. Fu, T. Bultan, and J. Su. Analysis of interacting bpel web services.
In Proceedings of the 13th international conference on World Wide Web,
WWW ’04, pages 621–630, New York, NY, USA, 2004. ACM. (Cité
page 90.)
Bibliography 177
[49] X. Fu, T. Bultan, and J. Su. Model checking xml manipulating soft-
ware. SIGSOFT Softw. Eng. Notes, 29(4):252–262, July 2004. (Cité
page 90.)
[50] X. Fu, T. Bultan, and J. Su. Wsat: A tool for formal analysis of web
services. In the Proc. of 16th Int. Conf. on Computer Aided Verification
(CAV, pages 510–514. Springer, 2004. (Cité page 90.)
[51] V. Ganesh and D. L. Dill. A decision procedure for bit-vectors and
arrays. In Proceedings of the 19th international conference on Computer
aided verification, CAV’07, pages 519–531, Berlin, Heidelberg, 2007.
Springer-Verlag. (Cité pages viii et 4.)
[52] R. J. v. Glabbeek. The linear time-branching time spectrum (ex-
tended abstract). In Proceedings of the Theories of Concurrency: Uni-
fication and Extension, CONCUR ’90, pages 278–297, London, UK,
UK, 1990. Springer-Verlag. (Cité page 33.)
[53] R. J. V. Glabbeek and W. P. Weijland. Branching time and abstraction
in bisimulation semantics. Journal of the ACM, 43:613–618, 1996. (Cité
page 36.)
[54] A. Griffault and A. Vincent. The mec 5 model-checker. In CAV:
International Conference on Computer Aided Verification, volume 3114
of Lecture Notes in Computer Science, pages 488–491. Springer, July
2004. (Cité pages 39 et 66.)
[55] T. Henzinger. Technical report, STAN-CS-91-1380, Stanford Univer-
sity, 1991. title = The temporal specification and verification of real-
time systems, type = Ph.D. Thesis, Technical Report, year = 1991.
(Cité page 16.)
[56] T. A. Henzinger. ItŠs about time: Real-time logics reviewed. In In
Proc. CONCURŠ98, pages 439–454. Springer, 1998. (Cité page 16.)
[57] T. A. Henzinger, O. Kupferman, and S. K. Rajamani. Fair simulation.
Inf. Comput., 173(1):64–81, Feb. 2002. (Cité page 39.)
[58] T. A. Henzinger, Z. Manna, and A. Pnueli. Timed Transition Sys-
tems. In REX Workshop, pages 226–251, 1991. (Cité page 27.)
[59] T. A. Henzinger, Z. Manna, and A. Pnueli. What good are digital
clocks. pages 545–558. Springer-Verlag, 1992. (Cité page 13.)
[60] S. Hinz, K. Schmidt, and C. Stahl. Transforming BPEL to Petri Nets.
In W. M. P. v. d. Aalst, B. Benatallah, F. Casati, and F. Curbera, ed-
itors, Proceedings of the Third International Conference on Business Pro-
cess Management (BPM 2005), volume 3649 of LNCS, pages 220–235,
Nancy, France, Sept. 2005. Springer-Verlag. (Cité pages 89, 90, 91
et 98.)
[61] C. A. R. Hoare. Communicating sequential processes (Prentice-Hall Inter-
national series in computer science). Prentice/Hall International, April
1985. (Cité page 34.)
178 Bibliography
[62] G. J. Holzmann. The model checker spin. IEEE Trans. Softw. Eng.,
23(5):279–295, May 1997. (Cité pages x et 6.)
[63] G. J. Holzmann. The SPIN Model Checker: Primer and Reference Man-
ual. Addison-Wesley Professional, Sept. 2003. (Cité page 90.)
[64] A. S. Jeffrey, S. A. Schneider, and F. W. Vaandrager. A comparison of
additivity axioms in timed transition systems. Technical report, Am-
sterdam, The Netherlands, The Netherlands, 1993. (Cité page 16.)
[65] H. E. Jensen, K. Guldstrand, and A. Skou. Scaling up uppaal: au-
tomatic verification of real-time systems using compositionality and
abstraction. In Proc. FTRTFT 2000. 84 ALTISEN ET AL, 2000. (Cité
page 41.)
[66] J. Julliand, H. Mountassir, and E. Oudot. Vesta: A tool to verify the
correct integration of a component in a composite timed system. In
M. Butler, M. G. Hinchey, and M. M. Larrondo-Petrie, editors, Formal
Methods and Software Engineering, 9th International Conference on For-
mal Engineering Methods, ICFEM 2007, Boca Raton, FL, USA, Novem-
ber 14-15, 2007, Proceedings, volume 4789 of Lecture Notes in Computer
Science, pages 116–135. Springer, 2007. (Cité pages 42 et 143.)
[67] J. Julliand, H. Mountassir, and E. Oudot. Incremental verification
of component-based timed systems. Int. J. Comput. Appl. Technol.,
42(2/3):159–176, Feb. 2011. (Cité pages 41, 42 et 47.)
[68] D. K. Kaynar, N. Lynch, R. Segala, and F. Vaandrager. The theory of
timed i/o automata. Technical report, 2003. (Cité page 40.)
[69] R. Kazhamiakin, P. Pandya, and M. Pistore. Representation, verifica-
tion, and computation of timed properties in Web Service Compo-
sitions. In Proceedings of the IEEE International Conference on Web Ser-
vices, pages 497–504, Washington, DC, USA, 2006. IEEE Computer
Society. (Cité pages 90, 91 et 113.)
[70] Y. Kesten, N. Piterman, and A. Pnueli. Bridging the gap between
fair simulation and trace inclusion. Inf. Comput., 200(1):35–61, July
2005. (Cité page 39.)
[71] W. Khansa, J. P. Denat, and S. Collart-Dutilleul. P-time Petri nets for
manufacturing systems. In Proceedings of the International Workshop
on Discrete Event Systems (WODES’96), 1996., pages 94–102, 1996.
(Cité page 26.)
[72] R. Koymans. Specifying real-time properties with metric temporal
logic. Real-Time Syst., 2(4):255–299, Oct. 1990. (Cité page 16.)
[73] K. G. Larsen, P. Pettersson, and W. Yi. Uppaal in a nutshell. Int.
Journal on Software Tools for Technology Transfer, 1:134–152, 1997. (Cité
pages x, 6, 21 et 41.)
[74] N. Lohmann. A feature-complete Petri net semantics for WS-BPEL
2.0. In K. v. Hee, W. Reisig, and K. Wolf, editors, Proceedings of the
Bibliography 179
Workshop on Formal Approaches to Business Processes and Web Services
(FABPWS’07), pages 21–35. University of Podlasie, June 2007. (Cité
pages 89, 90, 91 et 98.)
[75] N. Lohmann and J. Kleine. Fully-automatic translation of open
workflow net models into simple abstract bpel processes. In In:
Modellierung 2008. Volume 127 of LNI., GI, pages 57–72, 2008. (Cité
page 90.)
[76] N. Lohmann, P. Massuthe, C. Stahl, and D. Weinberg. D.: Analyzing
interacting wsbpel processes using flexible model generation. Data
Knowl. Eng, pages 38–54, 2008. (Cité page 90.)
[77] N. Lynch and F. Vandraager. Forward and backward simulations
- part ii: Timing-based systems. Information and Computation, 128,
1995. (Cité pages 38 et 40.)
[78] O. Maler, A. Pnueli, and J. Sifakis. On the synthesis of discrete con-
trollers for timed systems. In in E.W. Mayr and C. Puech (Eds), Proc.
STACS’95, LNCS 900, pages 229–242. Springer, 1995. (Cité page 22.)
[79] Z. Manna and A. Pnueli. Temporal verification of reactive systems:
safety. Springer-Verlag New York, Inc., New York, NY, USA, 1995.
(Cité pages ix et 5.)
[80] Z. Manna and A. Pnueli. Temporal verification of reactive systems:
safety. Springer-Verlag New York, Inc., New York, NY, USA, 1995.
(Cité page 14.)
[81] P. M. Merlin. A study of the recoverability of computing systems. PhD
thesis, 1974. AAI7511026. (Cité page 26.)
[82] R. Milner. An algebraic definition of simulation between programs.
In Proceedings of the 2nd international joint conference on Artificial in-
telligence, IJCAI’71, pages 481–489, San Francisco, CA, USA, 1971.
Morgan Kaufmann Publishers Inc. (Cité page 34.)
[83] R. Milner. A Calculus of Communicating Systems. Springer-Verlag
New York, Inc., Secaucus, NJ, USA, 1982. (Cité pages viii, 4, 34, 36,
38 et 90.)
[84] J. J. Moreau, R. Chinnici, A. Ryman, and S. Weerawarana. Web
Services Description Language (WSDL) version 2.0 part 1: Core
language. Candidate recommendation, W3C, Mar. 2006. (Cité
pages xviii, 7 et 84.)
[85] S. Nakajima. Model-Checking Behavioral Specification of BPEL Ap-
plications. Electron. Notes Theor. Comput. Sci., 151:89–105, May 2006.
(Cité pages 90 et 91.)
[86] S. Nakajima. Model-checking behavioral specification of bpel appli-
cations. Electron. Notes Theor. Comput. Sci., 151(2):89–105, May 2006.
(Cité page 90.)
180 Bibliography
[87] X. Nicollin and J. Sifakis. An overview and synthesis on timed pro-
cess algebras. pages 526–548. Springer-Verlag, 1991. (Cité page 69.)
[88] T. Nipkow, L. Paulson, and M. Wenzel. Isabelle/HOL. A Proof Assis-
tant for Higher-Order Logic, volume 2283 of Lecture Notes in Computer
Science. Springer Berlin / Heidelberg, May 2012. (Cité pages ix et 4.)
[89] D. Peled. Combining partial order reductions with on-the-fly model-
checking. pages 377–390. Springer-Verlag, 1994. (Cité pages x et 5.)
[90] C. Peltz. Web services orchestration and choreography. Computer,
36(10):46–52, Oct. 2003. (Cité page 86.)
[91] C. A. Petri. Communication with Automata. PhD thesis, UniversitÃd’t
Hamburg, 1962. (Cité pages viii, 4 et 24.)
[92] G. Pu, X. Zhao, S. Wang, and Z. Qiu. Towards the semantics and
verification of BPEL4WS. Electron. Notes Theor. Comput. Sci., 151:33–
52, May 2006. (Cité page 90.)
[93] Y. Qian, Y. Xu, Z. Wang, G. Pu, H. Zhu, and C. Cai. Tool Support
for BPEL Verification in ActiveBPEL Engine. In Software Engineering
Conference, 2007. ASWEC 2007. 18th Australian, pages 90–100, Apr.
2007. (Cité pages 90, 91 et 113.)
[94] J.-P. Queille and J. Sifakis. Specification and verification of concur-
rent systems in cesar. In Proceedings of the 5th Colloquium on Interna-
tional Symposium on Programming, pages 337–351, London, UK, UK,
1982. Springer-Verlag. (Cité pages ix et 5.)
[95] C. Ramchandani. Analysis of asynchronous concurrent systems by
timed petri nets. Technical report, Cambridge, MA, USA, 1974. (Cité
page 26.)
[96] A. W. Roscoe, C. A. R. Hoare, and R. Bird. The Theory and Practice of
Concurrency. Prentice Hall PTR, Upper Saddle River, NJ, USA, 1997.
(Cité pages viii, 4, 23 et 149.)
[97] G. Salaun, L. Bordeaux, and M. Schaerf. Describing and reasoning
on web services using process algebra. Web Services, IEEE Interna-
tional Conference on, 0:43, 2004. (Cité pages 89, 90 et 91.)
[98] M.-T. Schmidt, B. Hutchison, P. Lambros, and R. Phippen. The en-
terprise service bus: making service-oriented architecture real. IBM
Syst. J., 44(4):781–797, Oct. 2005. (Cité page 83.)
[99] W. Song, X. Ma, C. Ye, W. Dou, and J. Lü. Timed modeling and
verification of BPEL processes using time petri nets. In Proceedings of
the 2009 Ninth International Conference on Quality Software, QSIC ’09,
pages 92–97, Washington, DC, USA, 2009. IEEE Computer Society.
(Cité page 90.)
[100] M. Sorea. A decidable fixpoint logic for time-outs. In Proceedings
of the 13th International Conference on Concurrency Theory, CONCUR
’02, pages 255–271, London, UK, UK, 2002. Springer-Verlag. (Cité
page 67.)
Bibliography 181
[101] C. Stahl. Transformation von bpel4ws in petrinetze. Technical re-
port, Humboldt-Universität zu Berlin,Berlin, Germany, 2004. (Cité
page 89.)
[102] C. D. Team. The Coq proof assistant reference manual, v. 8.2, 2009.
(Cité pages ix, 4 et 148.)
[103] G. Winskel. Event structures. In Advances in Petri Nets, pages 325–
392, 1986. (Cité page 147.)
[104] S. Yovine. Kronos: A verification tool for real-time systems. (kronos
user’s manual release 2.2). International Journal on Software Tools for
Technology Transfer, 1:123–133, 1997. (Cité page 21.)
