Avoiding diamonds in desynchronisation by Beohar, H. & Cuijpers, P.J.L.
This is a repository copy of Avoiding diamonds in desynchronisation.
White Rose Research Online URL for this paper:
http://eprints.whiterose.ac.uk/158374/
Version: Accepted Version
Article:
Beohar, H. orcid.org/0000-0001-5256-1334 and Cuijpers, P.J.L. (2014) Avoiding diamonds 
in desynchronisation. Science of Computer Programming, 91, Part A. pp. 45-69. ISSN 
0167-6423 
https://doi.org/10.1016/j.scico.2013.12.002
Article available under the terms of the CC-BY-NC-ND licence 
(https://creativecommons.org/licenses/by-nc-nd/4.0/).
Avoiding Diamonds in Desynchronisation
H. Beohar (a,*), P. J. L. Cuijpers (b)
(a) Center for Research on Embedded Systems, Halmstad University, 301 18, Halmstad, Sweden
(b) Department of Mathematics and Computer Science, Eindhoven University of Technology, PO Box 513, 5600 MB, Eindhoven, The Netherlands
Abstract
The design of concurrent systems often assumes synchronous communication between different parts of a system. When system components are physically apart, this assumption becomes inappropriate. Desynchronisation is a technique that aims to implement a synchronous design in an asynchronous manner by placing buffers between the components of the synchronous design. When queues are used as buffers, the so-called ‘diamond property’ (among others) ensures correct operation of the desynchronised design. However, this property is difficult to establish in practice. In this paper, we give sufficient and necessary conditions under which a concrete synchronous design (i.e., without the unobservable action) is equivalent to an asynchronous design and formally prove that the diamond property is no longer needed for desynchronisation when half-duplex queues are used as a communication buffer. Furthermore, we discuss how the half-duplex condition can be further relaxed when the diamond property can be partially guaranteed. To illustrate how this theory may be applied, we desynchronise the synchronous systems that are synthesised using supervisory control theory.
Keywords: Synchrony to Asynchrony, Desynchronisation, Branching Bisimulation, Equivalence Checking of
Infinite State Systems
1. Introduction
Message passing [1] is a programming paradigm in which software components send and receive messages either synchronously or asynchronously. In synchronous communication, components must be physically coupled, making it possible to execute corresponding send and receive messages simultaneously. Asynchronous communication is used when components are placed physically apart. The corresponding send and receive messages are then decoupled and the messages travel via a buffer from a sender to its recipient.
A problem with asynchronous communication is that the presence of buffers makes ensuring the correctness of a system a non-trivial task. In general, if the buffers are modelled to have infinite capacity, analysing the correctness of such systems is undecidable [2]. Even if the buffers are modelled to have finite capacity, we may still face the state-space explosion problem.
It helps to separate concerns by first designing a correct synchronous system and then desynchronising it. The challenge is then to design the synchronous system in such a way that the addition of communication buffers does not alter its behaviour (in any relevant way) [3]. A synchronous system that is not altered by the addition of communication buffers is called desynchronisable.
In the context of web-services [4, 5], the focus is on effective analysis (like deadlock freedom, choreography analysis) of an asynchronous system by developing synchronisability techniques. Their idea is to make an asynchronous system synchronous, which is in contrast to desynchronisability, where a synchronous system is made asynchronous.
∗Corresponding author
Email addresses: harsh.beohar@hh.se (H. Beohar), P.J.L.Cuijpers@tue.nl (P. J. L. Cuijpers)
Preprint submitted to Elsevier December 5, 2013
Thus, synchronisability techniques are applicable when the components of a system are designed under asynchronous
communication from the start (for instance, in web-services), whereas desynchronisability techniques are applicable
when the components of a system are designed under synchronous communication from the start (for instance, in
supervisory control [6]).
Despite these differences both approaches aim to establish an equivalence between a synchronous system and its asynchronous version. In [4], the authors showed that the existence of a weak bisimulation relation between a deterministic synchronous system and its asynchronous system with one-place queues is sufficient and necessary for synchronisability modulo weak bisimulation. Our work differs from [4] as we propose conditions for desynchronisability solely on a given (possibly nondeterministic) synchronous system.
In this paper, we show that the conditions well-posedness, independence of external actions, input determinism,
and diamond property on a synchronous system are necessary and sufficient for desynchronisability. Intuitively,
• two communicating processes in a synchronous system are well-posed if both the processes are able to receive
each other’s requests.
• the external actions (i.e., actions that are not involved in synchronisation) are independent in a synchronous
system if the communicating processes can always delay the execution of their own external actions in favour
of receiving a sequence of messages, without any consequence on the future behaviour of the system.
• input determinism states that the communicating processes should not make nondeterministic choices upon the
reception of messages.
• the essence of the diamond property is that when two components both wish to communicate a message, say α
and β, then communication of α will not block communication of β, and vice versa. Furthermore, the order of
communication will not influence the future behaviour of the system.
In previous research [3, 7–9], well-posedness and the diamond property were already present as sufficient conditions for desynchronisability, while the other two properties are new with respect to these references because external actions were not allowed in the specification of communicating processes and the equivalences studied in these papers were coarser than branching bisimulation (footnote 1). Table 1 provides the list of buffers and equivalences studied previously in the context of desynchronisation.
References              | Buffers | Equivalences
Udding [9]              | Wires   | Trace equivalence
Balemi [7]              | Queues  | Trace equivalence
Fischer and Janssen [3] | Bags    | Failure equivalence
Beohar and Cuijpers [8] | Bags    | Branching bisimulation
Table 1: Buffers and equivalences studied previously in the context of desynchronisation.
As it turns out, the diamond property is difficult to establish in practice, while in particular input determinism and independence of external actions can be easily obtained by construction, at least for supervisory control synthesis [6]. As an example of why the diamond property leads to practical problems, consider a simplified model of a controlled drive-motor [11]. The drive-motor can move in a forward direction ‘fwmove’ or in a backward direction ‘bwmove’, and it has a signal ‘chdir’ indicating when it is safe to change this direction. A controller communicates with the drive-motor to ensure that the event ‘chdir’ always executes before altering the direction of the motor. The models of the drive motor, the controller, and the synchronous system are shown in Figure 1, where !a (?a) denotes that an action a is sent (received) and a denotes the synchronisation of !a and ?a.
Observe in the synchronous system of the drive-motor that the execution of the event ‘chdir’ from state 1 to state 2 disables the execution of the event ‘fwmove’; thus, violating the commutativity of the traces chdir.fwmove and fwmove.chdir. Similarly, the commutativity of the traces chdir.bwmove and bwmove.chdir is prohibited in this synchronous system. As a result, the synchronous system in Figure 1 does not satisfy the diamond property. In fact, the control requirement implicitly requires the diamond property to be broken. Therefore, it is impossible to desynchronise this system unless we adapt the model of the plant or the supervisor, or we adapt the way in which the desynchronisation is performed.

Footnote 1: We claim that input determinism as a sufficient condition disappears when studying desynchronisability modulo any equivalence coarser than contra-simulation cf. [10, Chapter 4].

[Figure 1, three panels: Drive motor (actions !chdir, ?fwmove, ?bwmove); Controller (actions ?chdir, !fwmove, !bwmove); Synchronous system with states 1 and 2 (actions chdir, fwmove, bwmove).]
Figure 1: An illustration showing the impossibility of establishing the diamond property in certain synchronous systems.
Studying the origin of the diamond property, we notice that it is caused by the type of buffer that is used for communication. The authors of [3, 7, 9] follow [2] in taking two unidirectional FIFO queues as a means of communication. In [3] a separate unidirectional FIFO queue is used for each type of message, which effectively leads to a bag-type of buffering (cf. [8]). Both types of buffer are useful abstractions of a physical communication layer with a protocol layer on top. For example, queues nicely represent the use of the TCP/IP protocol, while bags represent a UDP-like protocol [12]. Note that both approaches require the diamond property, essentially because both approaches allow the messages α and β to be present in the buffer at the same time and arrive in arbitrary order.
Our research hypothesis is that it may be possible to find better desynchronisability conditions by changing the properties of the communication protocol. So far, research has focussed on the properties that the communicating components should have in order to ensure desynchronisability. The buffer is usually taken to be a queue or, incidentally, a bag. In this paper, we reconsider these properties, and alter them by changing the communication protocol if desired.
A first step in that direction is shown in this paper. We prove that the troublesome diamond property can be
avoided by changing the type of buffer used for desynchronisation to so-called half-duplex communication (also used
in [13] for model-checking asynchronous systems). In the context of two communicating processes, half-duplex
communication means that a component is only allowed to send a message when its input buffer is empty. As a result,
the buffering between the two processes alternates in each direction, having to become empty before alternating. We
show that in this case a synchronous composition is desynchronisable if and only if it is well-posed, independent of
external actions, and input deterministic.
These properties are generally weaker than the properties in [3, 7–9], and we are able to give a general method to
adapt systems that are synthesised using supervisory control theory to satisfy these properties. In Section 4, we show
how to obtain a well-posed supervisor for a given plant, whenever there exists a supervisor for the same plant. Our motivation for selecting the supervisory control theory of Ramadge and Wonham [6] as our application domain is the inexact synchronisation problem, which prevents this theory from being applied in practice (see [14]). The issue is that the existing supervisory control theory assumes synchronous interaction between a plant and its supervisor, whereas in practice the interactions between a plant and its supervisor are implemented asynchronously.
The use of half-duplex communication to restrict the behaviour of an asynchronous system is not new; see, for instance, [13, 15]. Furthermore, the authors of [13, 15] also gave conditions under which the behaviour of an asynchronous system is insensitive to the use of half-duplex or full-duplex queues. Intuitively, these conditions prevent the so-called mixed states (a state is mixed [13] if both an input and an output action are enabled from that state) in the specification of the communicating processes. Thus, this provides an alternative way to avoid diamonds in an asynchronous system. Nevertheless, we consider the prohibition of mixed states in a specification restrictive, at least for control purposes [6], where the plants and their supervisors are allowed to have mixed states (for instance, see the case-study described in [11]). In addition, these mixed states also arise naturally when the communicating processes themselves are composed with the parallel composition operator, which we do allow in our setup.
It is our hope that this paper will initiate discussion on the separation of concerns regarding desynchronisation.
Our use of a half-duplex buffering strategy indicates that the communication protocol is essential in this separation.
Admittedly, the choice for half-duplex communication is an odd one from the perspective of efficiency. The half-duplex protocol essentially makes components wait for each other, which makes communication slow. In Section 5, we sketch a first step to remedy this by recognising when actions are independent of each other. Independent messages satisfy the diamond property and can therefore be processed in a full-duplex way. However, more research is needed to complete this claim and to find out when the half-duplex condition is in fact necessary for desynchronisability, and when it can be dropped for the sake of efficiency.
The methods we use for studying desynchronisability in this paper stem from process algebra and concurrency
theory (see e.g. [16]). We do not fix a set of desirable properties a priori, but rather aim for desynchronisability
modulo a behavioural equivalence that preserves a large set of possibly desirable properties. The desynchronisability
question is therefore posed as: given two processes p and s, under which conditions are the synchronous composition and the asynchronous composition of p and s behaviourally equivalent? To be as general as possible, we take branching bisimulation as our behavioural equivalence of choice, which is the strongest equivalence used in interleaving semantics [17]. Note that in many of the earlier works, weaker equivalences were used, but this did not lead to weaker desynchronisability conditions. Therefore, using a stronger equivalence does not pose a restriction here, while it does improve the applicability of the desynchronisation theorem.
In this paper, we show that our sufficient conditions for desynchronisability are also necessary for concrete (without silent steps) synchronous systems. To establish this result, we need to be able to observe that no messages are pending in the channels of an asynchronous system. We model this observation by a predicate, called the empty-buffer predicate. By enriching the transfer condition of branching bisimilarity (just as the termination predicate is handled in the definition of branching bisimulation; see [16]) we ensure that an asynchronous system constructed from a desynchronisable synchronous system has the following communication property: “every sent message is eventually received”. Note that this property was already present in the previous works [3, 8, 9] on desynchronisability, although it was never made explicit with the respective equivalences studied there. For instance, the communication property was called absence of computation interference in [9], while [3] used sender domination to satisfy the above property. Thus, by making the communication property explicit in our setup we are able to show that our conditions are also necessary for desynchronisability, which was previously absent in [3, 7–9].
Organisation of the paper. In Section 2, we describe the mathematical notations and formal definitions required to define desynchronisability using two unidirectional FIFO buffers. Section 3 discusses necessary and sufficient conditions for desynchronisability, including the unwanted diamond property, and shows how it can be eliminated by using half-duplex buffers for desynchronisation. Section 4 considers how to apply desynchronisation in the context of supervisory control. Lastly, Section 5 motivates the choice of abstraction scheme used to construct asynchronous systems and discusses desynchronisation of non-concrete synchronous systems.
This article extends [18] in the following four aspects.
• First, this article contains proofs of all the lemmas and theorems, which were either sketched or left out in [18].
• Second, a new simplified sufficient condition for desynchronisability modulo branching bisimulation is given
in Subsection 3.6, which is derived from the characterisation obtained in [18].
• Third, a more detailed account of desynchronisability for synchronous systems that are synthesised using supervisory control theory is given in Section 4. In contrast to [18], we allow external actions and nondeterminism in the specification of the supervisors.
• Fourth, the different abstraction schemes of [8] are compared in Subsection 5.1 with the objective of finding the abstraction scheme that yields the weakest conditions for desynchronisation (modulo branching bisimulation) in the presence of (half-duplex) queues.
2. Basic definitions
In this paper, we model the world as a single transition system in which all behaviour of interest is represented. Components of a system as well as their compositions are called processes and are represented by pointing out an initial state q ∈ P in the labelled transition system. A process q is then formed by all reachable states from the initial state q ∈ P.
Definition 1. A labelled transition system is a tuple $(P, A, \rightarrow, \sqcup)$, where
• P is a set of states.
• A is a set of actions.
• $\rightarrow \subseteq P \times (A \cup \{\tau\}) \times P$ is a transition relation.
• $\sqcup \subseteq P$ is the empty-buffer predicate and its purpose is to observe the states of an asynchronous system in which all buffers are empty.
The notation $q \xrightarrow{\alpha} q'$ denotes an element $(q, \alpha, q') \in \rightarrow$, and the notation $q{\sqcup}$ denotes that state q satisfies the empty-buffer predicate. For a given state q ∈ P, the set of reachable states R(q) is defined as the smallest set such that:
• q ∈ R(q), and
• $\forall q_1, q_2 \in P,\ \alpha \in A \cup \{\tau\}.\ \big[\big(q_1 \in R(q) \wedge q_1 \xrightarrow{\alpha} q_2\big) \Rightarrow q_2 \in R(q)\big]$.
In what follows, the letter q and its decorations like q′, q1, q2, · · · are used to reason about arbitrary processes,
whereas the letters p, s and their corresponding decorations are reserved to denote the communicating processes of a
given synchronous system.
[Figure 2, two panels. (a) A synchronous system: p and s interact directly via the message sets Mp and Ms, with external actions Ep and Es. (b) An asynchronous system: p and s are connected through two buffers; p sends !Mp and receives ?Ms, s sends !Ms and receives ?Mp, and the external actions Ep and Es are unchanged.]
Figure 2: From Synchrony to Asynchrony.
Considering a synchronous system as depicted in Figure 2(a), we identify two components p, s, which we assume
to be processes in our labelled transition system. These processes are composed into a synchronous process p ‖ s.
The process p ‖ s can perform four kinds of events; namely, the external actions of p and s that belong to the sets Ep
and Es, respectively, and messages from p and s that belong to the sets Mp and Ms, respectively.
When the system is desynchronised we obtain an asynchronous system as depicted in Figure 2(b), consisting of the same processes p, s, which are now composed into an asynchronous process p |[ε, ε]| s (with ε indicating initially empty buffer contents). In the asynchronous process, the external actions of p and s remain the same, but we now make a distinction between the sending of a message (i.e., the set !Mp = {!m | m ∈ Mp}) and the receiving by p of a message sent by s (i.e., the set ?Ms = {?m | m ∈ Ms}). We assume that the so obtained sets of actions are all part of our alphabet and are all pairwise disjoint: $E_p \uplus E_s \uplus M_p \uplus\ !M_p \uplus\ ?M_p \uplus M_s \uplus\ !M_s \uplus\ ?M_s \subseteq A$.
Assuming that the processes p and s are already part of our labelled transition system, where p makes use of the actions $!M_p \uplus\ ?M_s \uplus E_p$ and s makes use of the actions $!M_s \uplus\ ?M_p \uplus E_s$, we can define the synchronous and asynchronous composition of p and s through Structural Operational Semantics (SOS) rules on the states of the transition system [19]. The premise of each rule states the assumption on the states of the composed processes, and the conclusion gives the resulting transition for the composed state.
In Table 2, we give the SOS rules for synchronous composition and asynchronous composition using two unidirectional lossless FIFO queues. The notation p ‖ s denotes the synchronous composition of processes p and s. Note that one can construct the synchronous composition of processes, say p′ and p ‖ s, by renaming the synchronous interaction (e.g. using the renaming operator from TCP process algebra [16]) of p ‖ s into a send message or receive message depending on the architecture. The notation p |[µ, ν]| s denotes the asynchronous composition of processes p and s with sequences of messages $\nu \in M_p^*$, $\mu \in M_s^*$ in the respective queues. Note how the empty-buffer predicate is always true for synchronous compositions, while it is only true for asynchronous compositions if both queues are empty.

Table 2: SOS rules for synchronous and asynchronous parallel composition.

Synchronous composition:
$$\frac{p_1 \xrightarrow{!m} p_2 \quad s_1 \xrightarrow{?m} s_2 \quad m \in M_p}{p_1 \parallel s_1 \xrightarrow{m} p_2 \parallel s_2} \qquad \frac{p_1 \xrightarrow{?n} p_2 \quad s_1 \xrightarrow{!n} s_2 \quad n \in M_s}{p_1 \parallel s_1 \xrightarrow{n} p_2 \parallel s_2}$$
$$\frac{p_1 \xrightarrow{\alpha} p_2 \quad \alpha \in E_p \cup \{\tau\}}{p_1 \parallel s_1 \xrightarrow{\alpha} p_2 \parallel s_1} \qquad \frac{s_1 \xrightarrow{\alpha} s_2 \quad \alpha \in E_s \cup \{\tau\}}{p_1 \parallel s_1 \xrightarrow{\alpha} p_1 \parallel s_2} \qquad \frac{}{(p \parallel s){\sqcup}}$$

Asynchronous composition:
$$\frac{}{(p\,|[\epsilon, \epsilon]|\,s){\sqcup}} \qquad \frac{p \xrightarrow{!m} p' \quad m \in M_p}{p\,|[\mu, \nu]|\,s \xrightarrow{!m} p'\,|[\mu, \nu.m]|\,s} \qquad \frac{s \xrightarrow{!n} s' \quad n \in M_s}{p\,|[\mu, \nu]|\,s \xrightarrow{!n} p\,|[\mu.n, \nu]|\,s'}$$
$$\frac{p \xrightarrow{?n} p' \quad \mu = n.\mu' \quad n \in M_s}{p\,|[\mu, \nu]|\,s \xrightarrow{?n} p'\,|[\mu', \nu]|\,s} \qquad \frac{s \xrightarrow{?m} s' \quad \nu = m.\nu' \quad m \in M_p}{p\,|[\mu, \nu]|\,s \xrightarrow{?m} p\,|[\mu, \nu']|\,s'}$$
$$\frac{p \xrightarrow{\alpha} p' \quad \alpha \in E_p \cup \{\tau\}}{p\,|[\mu, \nu]|\,s \xrightarrow{\alpha} p'\,|[\mu, \nu]|\,s} \qquad \frac{s \xrightarrow{\alpha} s' \quad \alpha \in E_s \cup \{\tau\}}{p\,|[\mu, \nu]|\,s \xrightarrow{\alpha} p\,|[\mu, \nu]|\,s'}$$
As explained in the introduction, a composition p ‖ s is desynchronisable if it is equivalent to its asynchronous composition p |[ε, ε]| s. One problem with defining equivalence between the two is that asynchronous composition needs two actions for the communication of a message while synchronous composition only needs one. The usual process algebraic way to solve this issue is by defining an abstraction scheme, translating certain actions from the asynchronous system to actions from the synchronous system while hiding others.
In Table 3, we define the abstraction operator ∆() that maps all the send-messages of the asynchronous system to
communicated messages in the synchronous system, while the receive-messages are mapped to a so-called internal
action, denoted by τ. Subsequently, we define branching bisimulation (see [16, 17]) as an equivalence between
processes that abstracts from internal actions. In Subsection 5.1, we discuss the impact of alternative choices of
abstraction schemes on desynchronisability modulo branching bisimulation.
Table 3: SOS rules for the abstraction operator ∆().
$$\frac{q_1 \xrightarrow{!m} q_2 \quad m \in M_p \cup M_s}{\Delta(q_1) \xrightarrow{m} \Delta(q_2)} \qquad \frac{q_1 \xrightarrow{e} q_2 \quad e \in E_p \cup E_s}{\Delta(q_1) \xrightarrow{e} \Delta(q_2)} \qquad \frac{q_1 \xrightarrow{?m} q_2 \quad m \in M_p \cup M_s}{\Delta(q_1) \xrightarrow{\tau} \Delta(q_2)} \qquad \frac{q{\sqcup}}{\Delta(q){\sqcup}}$$
Definition 2. The reachability relation $\Longrightarrow \subseteq P \times A^* \times P$ is derived from the transition relation → as the smallest relation satisfying:
$$q_1 \stackrel{\epsilon}{\Longrightarrow} q_1, \qquad \frac{q_1 \stackrel{w}{\Longrightarrow} q' \quad q' \xrightarrow{\tau} q_2}{q_1 \stackrel{w}{\Longrightarrow} q_2}, \qquad \frac{q_1 \stackrel{w}{\Longrightarrow} q' \quad q' \xrightarrow{\alpha} q_2 \quad \alpha \neq \tau}{q_1 \stackrel{w.\alpha}{\Longrightarrow} q_2}.$$
Let $x = x_p \uplus x_s$ and $yM = yM_p \uplus yM_s$, where x ∈ {M, E} and y ∈ {!, ?}. By abuse of notation, define two renaming functions $!: (M \cup E)^* \to (!M \cup E)^*$, $?: (M \cup E)^* \to\ ?M^*$, and a projection function $\overline{\,\cdot\,}: (M \cup E)^* \to M^*$ in the following way:
1. $?\epsilon = \epsilon$, $?(e.w) = ?w$, $?(m.w) = ?m.?w$, where e ∈ E and w ∈ (M ∪ E)*.
2. $!\epsilon = \epsilon$, $!(e.w) = e.!w$, $!(m.w) = !m.!w$, where e ∈ E and w ∈ (M ∪ E)*.
3. $\overline{\epsilon} = \epsilon$, $\overline{e.w} = \overline{w}$, $\overline{m.w} = m.\overline{w}$, where e ∈ E and w ∈ (M ∪ E)*.
Given a sequence of messages and external actions w ∈ (M ∪ E)*, !w denotes a sequence of send messages and external actions, ?w denotes a sequence of receive messages, and $\overline{w}$ denotes the projection of the sequence w onto the set of messages M.
Proposition 1. Let p ‖ s be a synchronous system.
1. If $u \in (M_s \cup E_s)^*$ and $p \parallel s \stackrel{u}{\Longrightarrow} p' \parallel s'$ then $p \stackrel{?u}{\Longrightarrow} p' \wedge s \stackrel{!u}{\Longrightarrow} s'$.
2. If $v \in (M_p \cup E_p)^*$ and $p \parallel s \stackrel{v}{\Longrightarrow} p' \parallel s'$ then $s \stackrel{?v}{\Longrightarrow} s' \wedge p \stackrel{!v}{\Longrightarrow} p'$.
Proof. Straightforward by induction on u and v, respectively.
Definition 3. A binary relation B ⊆ P × P on the states of the transition system is a branching bisimulation relation iff the following conditions are satisfied.
1. $\forall q, q_1, q', \alpha.\ \big[\big((q, q') \in B \wedge q \xrightarrow{\alpha} q_1\big) \Rightarrow \big(\alpha = \tau \wedge (q_1, q') \in B\big) \vee \exists q'_1, q'_2.\ \big[q' \stackrel{\epsilon}{\Longrightarrow} q'_1 \xrightarrow{\alpha} q'_2 \wedge (q, q'_1) \in B \wedge (q_1, q'_2) \in B\big]\big]$,
2. $\forall q, q'.\ \big[\big((q, q') \in B \wedge q{\sqcup}\big) \Rightarrow \exists q''.\ \big[q' \stackrel{\epsilon}{\Longrightarrow} q'' \wedge q''{\sqcup} \wedge (q, q'') \in B\big]\big]$,
3. $\forall q, q', q'_1, \alpha.\ \big[\big((q, q') \in B \wedge q' \xrightarrow{\alpha} q'_1\big) \Rightarrow \big(\alpha = \tau \wedge (q, q'_1) \in B\big) \vee \exists q_1, q_2.\ \big[q \stackrel{\epsilon}{\Longrightarrow} q_1 \xrightarrow{\alpha} q_2 \wedge (q_1, q') \in B \wedge (q_2, q'_1) \in B\big]\big]$,
4. $\forall q, q'.\ \big[\big((q, q') \in B \wedge q'{\sqcup}\big) \Rightarrow \exists q''.\ \big[q \stackrel{\epsilon}{\Longrightarrow} q'' \wedge q''{\sqcup} \wedge (q'', q') \in B\big]\big]$.
Two processes q and q′ are said to be branching bisimilar, denoted $q \leftrightarrow_b q'$, if there exists a branching bisimulation relation B such that (q, q′) ∈ B.
Note that Conditions 1 and 3 are the conventional transfer properties of branching bisimulation, while Conditions 2
and 4 are reminiscent of the transfer properties involved with the termination predicate cf. [16]. Here, we interpret
Condition 2 (likewise Condition 4) as follows: if two processes q, q′ are branching bisimilar and q has empty buffer,
then q′ can empty its buffer contents by performing invisible actions and become branching bisimilar to q.
Now we have all the preliminaries that are necessary to define what desynchronisation formally means.
Definition 4. A synchronous system p ‖ s is desynchronisable if $p \parallel s \leftrightarrow_b \Delta(p\,|[\epsilon, \epsilon]|\,s)$.
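The definitions above can be exercised mechanically on finite components. The Python program below is an added example, not code from the paper: it builds p ‖ s and p |[µ, ν]| s from the SOS rules of Table 2, applies the abstraction ∆ of Table 3, and decides Definition 4 by computing the largest branching bisimulation of Definition 3 (empty-buffer conditions included) as a greatest fixed point. The processes P and S are constructed for illustration; the `half_duplex` option implements the sending condition stated in the introduction, and the queue cap `bound` is an assumption of this example that keeps the asynchronous state space finite.

```python
from collections import deque

TAU = "tau"

# Constructed component processes (not from the paper): state -> [(action, next)]; an
# action is "!m" (send m), "?m" (receive m), a bare name (external action) or TAU.
# Loosely modelled on the drive-motor story: controller p issues job `a` (acked by `d`),
# plant s announces mode change `c` (acked by `k`); in (0, 0) each message disables the other.
P = {0: [("!a", 1), ("?c", 5)], 1: [("?d", 0)], 5: [("!k", 2)],
     2: [("!b", 3), ("?c", 7)], 3: [("?d", 2)], 7: [("!k", 0)]}
S = {0: [("?a", 1), ("!c", 4)], 1: [("!d", 0)], 4: [("?k", 2)],
     2: [("?b", 3), ("!c", 6)], 3: [("!d", 2)], 6: [("?k", 0)]}

class LTS:
    """Definition 1, restricted to what is reachable from `init`: `step` yields the SOS
    successors of a state, `empty` is the empty-buffer predicate, `abstract` relabels."""
    def __init__(self, init, step, empty, abstract=lambda a: a):
        self.init, self.empty, self.out = init, empty, {}
        todo = deque([init])
        while todo:
            q = todo.popleft()
            self.out[q] = [(abstract(a), q2) for a, q2 in step(q)]
            for _, q2 in self.out[q]:
                if q2 not in self.out and q2 not in todo:
                    todo.append(q2)

    def tau_closure(self, q):
        """States reachable from q by zero or more tau steps (the epsilon-reach of Definition 2)."""
        reach, todo = {q}, [q]
        while todo:
            for a, q2 in self.out[todo.pop()]:
                if a == TAU and q2 not in reach:
                    reach.add(q2)
                    todo.append(q2)
        return reach

def sync_step(p, s):
    """Table 2, synchronous rules for p || s: a send and its matching receive form one step."""
    def step(state):
        ps, ss = state
        out = []
        for a, p2 in p[ps]:
            peer = {"!": "?", "?": "!"}.get(a[0])     # action s must offer to synchronise
            if peer is None:                           # external action or tau of p alone
                out.append((a, (p2, ss)))
            else:                                      # communication, labelled by the message
                out += [(a[1:], (p2, s2)) for b, s2 in s[ss] if b == peer + a[1:]]
        out += [(b, (ps, s2)) for b, s2 in s[ss] if b[0] not in "!?"]  # s alone
        return out
    return step

def async_step(p, s, half_duplex, bound):
    """Table 2, asynchronous rules for p |[mu, nu]| s (mu: M_s messages towards p, nu: M_p
    towards s); half_duplex: send only while own input queue is empty; bound: queue cap."""
    def moves(proc, q, inq, outq):
        for a, q2 in proc[q]:
            kind, m = a[0], a[1:]
            if kind == "!" and len(outq) < bound and not (half_duplex and inq):
                yield a, q2, inq, outq + (m,)          # append to the peer's queue
            elif kind == "?" and inq[:1] == (m,):      # FIFO: only the head can be received
                yield a, q2, inq[1:], outq
            elif kind not in "!?":                     # external action or tau
                yield a, q2, inq, outq
    def step(state):
        ps, mu, nu, ss = state
        return ([(a, (p2, mu2, nu2, ss)) for a, p2, mu2, nu2 in moves(p, ps, mu, nu)]
                + [(b, (ps, mu2, nu2, s2)) for b, s2, nu2, mu2 in moves(s, ss, nu, mu)])
    return step

def delta(a):
    """Table 3: a send becomes the communicated message, a receive becomes tau."""
    return a[1:] if a[0] == "!" else TAU if a[0] == "?" else a

def transfer_ok(q, qp, A, B, related):
    """Conditions 1 and 2 of Definition 3 for the pair (q, q') against the candidate
    relation `related`; conditions 3 and 4 are the same check with A and B swapped."""
    closure = B.tau_closure(qp)
    for a, q1 in A.out[q]:        # inert tau, or matched after taus from a state related to q
        if not ((a == TAU and related(q1, qp)) or any(related(q, x) and related(q1, y)
                for x in closure for b, y in B.out[x] if b == a)):
            return False
    return not A.empty(q) or any(B.empty(x) and related(q, x) for x in closure)  # cond. 2

def largest_branching_bisimulation(A, B):
    """Greatest fixed point: start from all pairs and drop those violating Definition 3."""
    R = {(x, y) for x in A.out for y in B.out}
    while True:
        bad = {(x, y) for x, y in R
               if not (transfer_ok(x, y, A, B, lambda u, v: (u, v) in R)
                       and transfer_ok(y, x, B, A, lambda u, v: (v, u) in R))}
        if not bad:
            return R
        R -= bad

def desynchronisable(p, s, half_duplex, bound=3):
    """Definition 4: p || s  <->b  Delta(p |[eps, eps]| s), with queues capped at `bound`."""
    sync = LTS((0, 0), sync_step(p, s), lambda q: True)  # || states always have empty buffers
    asyn = LTS((0, (), (), 0), async_step(p, s, half_duplex, bound),
               lambda q: not q[1] and not q[2], delta)  # empty iff both queues are empty
    return (sync.init, asyn.init) in largest_branching_bisimulation(sync, asyn)
```

On these processes the full-duplex check fails (after p has queued `a`, s can still send `c`, which the synchronous state (1, 1) cannot match), while the half-duplex check succeeds because at most one queue is ever non-empty and each receive is inert.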
3. Properties of desynchronisable systems
In this section, we prove a number of properties of desynchronisable systems modulo branching bisimulation. In particular, Definition 5, Lemmas 1–2, and Theorem 1 are only required to establish the necessity of well-posedness, input-determinism, independence of external actions, and the diamond property for desynchronisation. A new result (cf. [3, 7–9]) is that the observation of the empty-buffer predicate makes these properties necessary as well as sufficient for desynchronisability. A technical assumption used to show necessity in this case is that the components p and s are concrete, meaning they do not have internal behaviour themselves. Furthermore, in Subsection 3.7, we show that just dropping the diamond property from the general characterisation of desynchronisation results in the characterisation of desynchronisation when half-duplex queues are used to construct asynchronous systems.
Definition 5. A process q ∈ P is concrete if $\nexists q', q''.\ \big[q' \in R(q) \wedge q' \xrightarrow{\tau} q''\big]$. A transition $q_1 \xrightarrow{\tau} q_2$ is inert modulo $\leftrightarrow_b$ iff $q_1 \leftrightarrow_b q_2$.
Henceforth, due to the following proposition, we use strong bisimulation equivalence ↔ (footnote 2) in favour of branching bisimulation equivalence between any two concrete processes because of its simpler transfer properties.
Proposition 2. For any two concrete processes q, q′ ∈ P, we have $q \leftrightarrow_b q' \iff q \leftrightarrow q'$.
Lemma 1. Let p ‖ s be a concrete and desynchronisable system. Then, all the τ-transitions in $\Delta(p\,|[\epsilon, \epsilon]|\,s)$ are inert modulo branching bisimulation.
Proof. Since p ‖ s is a concrete process, none of the τ-transitions in the asynchronous system can be matched by any
related state in the synchronous system. Thus, all τ-transitions in the asynchronous system have to be inert [16].
A key step in understanding the necessary conditions for desynchronisability, is to see that any reachable state
p′ ‖ s′ ∈ R(p ‖ s) of some desynchronisable system p ‖ s is desynchronisable itself. This property seems both
desirable and trivial, but its proof turned out to be more involved than expected. In particular, the proof turns out to
rely on the chosen abstraction scheme, the fact that p and s are concrete processes, disjointness of the message sets,
and the fact that we observe the empty-buffer predicate.
Lemma 2. Let $p_1, s_1, p_2, s_2$ be any four concrete processes. Then,
$$p_1 \parallel s_1 \leftrightarrow_b p_2\,|[\epsilon, \epsilon]|\,s_2 \Rightarrow p_1 \parallel s_1 \leftrightarrow_b p_2 \parallel s_2.$$
Proof. Due to Proposition 2, it is sufficient to show that the above implication holds w.r.t. strong bisimulation ↔, i.e., $p_1 \parallel s_1 \leftrightarrow_b p_2\,|[\epsilon, \epsilon]|\,s_2 \Rightarrow p_1 \parallel s_1 \leftrightarrow p_2 \parallel s_2$. Define the following relation S:
$$S = \big\{(p_3 \parallel s_3,\ p_4 \parallel s_4) \mid p_3 \parallel s_3 \in R(p_1 \parallel s_1) \wedge p_4\,|[\epsilon, \epsilon]|\,s_4 \in R(p_2\,|[\epsilon, \epsilon]|\,s_2) \wedge p_3 \parallel s_3 \leftrightarrow_b p_4\,|[\epsilon, \epsilon]|\,s_4\big\}.$$
Next, we show that the relation S is indeed a strong bisimulation relation.
1. Let $p_3 \parallel s_3 \xrightarrow{m} p_5 \parallel s_5$ and $(p_3 \parallel s_3, p_4 \parallel s_4) \in S$ for some $m \in M_p$, $p_5, s_5 \in P$. Then, by the construction of S we have $p_3 \parallel s_3 \leftrightarrow_b \Delta(p_4\,|[\epsilon, \epsilon]|\,s_4)$. Applying the transfer conditions of branching bisimulation under the assumption of concrete processes and disjointness of the sets $M_p, M_s$ we get $\Delta(p_4\,|[\epsilon, \epsilon]|\,s_4) \xrightarrow{m} \Delta(p_6\,|[\epsilon, m]|\,s_4)$ and $p_5 \parallel s_5 \leftrightarrow_b \Delta(p_6\,|[\epsilon, m]|\,s_4)$ for some $p_6 \in P$. Since $(p_5 \parallel s_5){\sqcup}$, branching bisimulation under the concreteness assumption gives us $\Delta(p_6\,|[\epsilon, m]|\,s_4) \xrightarrow{\tau} \Delta(p_6\,|[\epsilon, \epsilon]|\,s_6)$ and $p_5 \parallel s_5 \leftrightarrow_b \Delta(p_6\,|[\epsilon, \epsilon]|\,s_6)$, for some $s_6 \in P$. Thus, we derive $p_4 \xrightarrow{!m} p_6$ and $s_4 \xrightarrow{?m} s_6$; hence, $p_4 \parallel s_4 \xrightarrow{m} p_6 \parallel s_6$ and $(p_5 \parallel s_5, p_6 \parallel s_6) \in S$.
2. Let $p_3 \parallel s_3 \xrightarrow{\alpha} p_5 \parallel s_5$ and $(p_3 \parallel s_3, p_4 \parallel s_4) \in S$ for some $\alpha \in E_p \cup E_s \cup M_s$. Similar to the previous case.
3. Let $p_4 \parallel s_4 \xrightarrow{m} p_6 \parallel s_6$ and $(p_3 \parallel s_3, p_4 \parallel s_4) \in S$ for some $m \in M_p$, $p_6, s_6 \in P$. Then, by the semantics we have $p_4 \xrightarrow{!m} p_6$ and $s_4 \xrightarrow{?m} s_6$. Also, by the construction of S we have $p_3 \parallel s_3 \leftrightarrow_b \Delta(p_4\,|[\epsilon, \epsilon]|\,s_4)$. Using the above transitions at the state $\Delta(p_4\,|[\epsilon, \epsilon]|\,s_4)$ we derive the following transitions: $\Delta(p_4\,|[\epsilon, \epsilon]|\,s_4) \xrightarrow{m} \Delta(p_6\,|[\epsilon, m]|\,s_4) \xrightarrow{\tau} \Delta(p_6\,|[\epsilon, \epsilon]|\,s_6)$. Applying the transfer conditions of branching bisimulation under the concreteness assumption we get $\exists p_5, s_5.\ \big[p_3 \parallel s_3 \xrightarrow{m} p_5 \parallel s_5 \wedge p_5 \parallel s_5 \leftrightarrow_b \Delta(p_6\,|[\epsilon, m]|\,s_4)\big]$. Now consider the transition $\Delta(p_6\,|[\epsilon, m]|\,s_4) \xrightarrow{\tau} \Delta(p_6\,|[\epsilon, \epsilon]|\,s_6)$. Note that the synchronous system $p_1 \parallel s_1$ is concrete, thus this τ-transition can only be matched by zero τ-steps from the state $p_5 \parallel s_5$. Thus, $p_5 \parallel s_5 \leftrightarrow_b \Delta(p_6\,|[\epsilon, \epsilon]|\,s_6)$. Hence, $(p_5 \parallel s_5, p_6 \parallel s_6) \in S$.
4. Let $p_4 \parallel s_4 \xrightarrow{\alpha} p_6 \parallel s_6$ and $(p_3 \parallel s_3, p_4 \parallel s_4) \in S$ for some $\alpha \in E_p \cup E_s \cup M_s$. Similar to the previous case.
5. The transfer property for the empty buffer predicate ⊔ holds trivially because every state in the composition ‖ satisfies the predicate ⊔ by definition.

Footnote 2: see [16] for a formal definition.
Theorem 1. Let p ‖ s be concrete and desynchronisable, then any $p' \parallel s' \in R(p \parallel s)$ is desynchronisable.
Proof. As a base case, the initial state of p ‖ s is desynchronisable by assumption. By induction, assume that we have a reachable desynchronisable state $p' \parallel s' \in R(p \parallel s)$ and consider any p′′ and s′′ with $p' \parallel s' \xrightarrow{\alpha} p'' \parallel s''$. Following the SOS rules, one of the following transitions must exist in the asynchronous process:
1. a transition $\Delta(p'\,|[\epsilon, \epsilon]|\,s') \xrightarrow{\alpha} \Delta(p''\,|[\epsilon, \alpha]|\,s')$ with $\alpha \in M_p$ and a τ-transition $\Delta(p''\,|[\epsilon, \alpha]|\,s') \xrightarrow{\tau} \Delta(p''\,|[\epsilon, \epsilon]|\,s'')$ that is inert because p ‖ s is concrete, i.e. $\Delta(p''\,|[\epsilon, \alpha]|\,s') \leftrightarrow_b \Delta(p''\,|[\epsilon, \epsilon]|\,s'')$;
2. a transition $\Delta(p'\,|[\epsilon, \epsilon]|\,s') \xrightarrow{\alpha} \Delta(p'\,|[\alpha, \epsilon]|\,s'')$ with $\alpha \in M_s$, and a τ-transition $\Delta(p'\,|[\alpha, \epsilon]|\,s'') \xrightarrow{\tau} \Delta(p''\,|[\epsilon, \epsilon]|\,s'')$ that is inert because p ‖ s is concrete, i.e. $\Delta(p'\,|[\alpha, \epsilon]|\,s'') \leftrightarrow_b \Delta(p''\,|[\epsilon, \epsilon]|\,s'')$;
3. a transition $\Delta(p'\,|[\epsilon, \epsilon]|\,s') \xrightarrow{e} \Delta(p''\,|[\epsilon, \epsilon]|\,s'')$ with $e \in E_p$, in which case we find that s′ = s′′;
4. a transition $\Delta(p'\,|[\epsilon, \epsilon]|\,s') \xrightarrow{e} \Delta(p''\,|[\epsilon, \epsilon]|\,s'')$ with $e \in E_s$, in which case we find that p′ = p′′.
Because $p' \parallel s' \leftrightarrow_b \Delta(p'\,|[\epsilon, \epsilon]|\,s')$, the properties of branching bisimulation (applied to concrete processes) dictate that we can relate those asynchronous transitions to synchronous transitions, i.e. there exist p′′′ and s′′′ such that $p' \parallel s' \xrightarrow{\alpha} p''' \parallel s'''$ and $p''' \parallel s''' \leftrightarrow_b \Delta(p''\,|[\epsilon, \epsilon]|\,s'')$. Furthermore, from Lemma 2 we get $p'' \parallel s'' \leftrightarrow_b p''' \parallel s'''$. And by transitivity we conclude that p′′ ‖ s′′ is desynchronisable.
3.1. Well-posedness
The first actual implication of desynchronisability that we would like to discuss is that a desynchronisable system is always well-posed. This was already observed in [3] for desynchronisability modulo failure equivalence. Well-posedness means that whenever a process $p$ would like to send a message, $s$ should be willing to receive it, and vice versa. In a synchronous composition such messages may be blocked, but in an asynchronous composition they lead to orphans, i.e., messages that remain forever in the buffer. In turn, orphans lead to deadlocking communication (except in a few pathological cases).
Definition 6. A binary relation $W \subseteq P \times P$ is called a well-posedness relation iff the following conditions are satisfied.
1. $\forall p_1, s_1, p_2, m.\,[\, p_1 \xrightarrow{!m} p_2 \wedge (p_1,s_1) \in W \Rightarrow \exists s_2.[\, s_1 \xrightarrow{?m} s_2 \,] \wedge \forall s_2.[\, s_1 \xrightarrow{?m} s_2 \Rightarrow (p_2,s_2) \in W \,] \,]$,
2. $\forall p_1, s_1, p_2, e \in E_p.\,[\, p_1 \xrightarrow{e} p_2 \wedge (p_1,s_1) \in W \Rightarrow (p_2,s_1) \in W \,]$,
3. $\forall p_1, s_1, s_2, m.\,[\, s_1 \xrightarrow{!m} s_2 \wedge (p_1,s_1) \in W \Rightarrow \exists p_2.[\, p_1 \xrightarrow{?m} p_2 \,] \wedge \forall p_2.[\, p_1 \xrightarrow{?m} p_2 \Rightarrow (p_2,s_2) \in W \,] \,]$,
4. $\forall p_1, s_1, s_2, e \in E_s.\,[\, s_1 \xrightarrow{e} s_2 \wedge (p_1,s_1) \in W \Rightarrow (p_1,s_2) \in W \,]$.
A composition $p \parallel s$ is well-posed if there exists a well-posedness relation $W$ such that $(p,s) \in W$.
Proposition 3. Let $p \parallel s$ be a concrete and well-posed synchronous system with $W$ the witnessing well-posedness relation, i.e., $(p,s) \in W$. Then $\forall p_1, s_1.\,[\, p_1 \parallel s_1 \in R(p \parallel s) \Rightarrow (p_1,s_1) \in W \,]$.
Lemma 3 (Generalised well-posedness). Let $p \parallel s$ be a well-posed and concrete synchronous system.
1. If $p_1 \parallel s_1 \in R(p \parallel s)$, $u \in (M_s \cup E_s)^*$, and $s_1 \overset{!u}{\twoheadrightarrow} s_2$, then $\exists p_2.\,[\, p_1 \parallel s_1 \overset{u}{\twoheadrightarrow} p_2 \parallel s_2 \,]$.
2. If $p_1 \parallel s_1 \in R(p \parallel s)$, $v \in (M_p \cup E_p)^*$, and $p_1 \overset{!v}{\twoheadrightarrow} p_2$, then $\exists s_2.\,[\, p_1 \parallel s_1 \overset{v}{\twoheadrightarrow} p_2 \parallel s_2 \,]$.
Proof. Straightforward by induction on $u$ (resp. $v$) and application of the definition of well-posedness.
Theorem 2. If $p \parallel s$ is concrete and desynchronisable then it is well-posed.
Proof. Define a relation $W = \{(p_1,s_1) \mid \Delta(p_1 |[\epsilon,\epsilon]| s_1) \in R(\Delta(p |[\epsilon,\epsilon]| s))\}$. To show that $W$ is a well-posedness relation, assume a transition $p_1 \xrightarrow{\alpha} p_2$ and $(p_1,s_1) \in W$, for some $p_1, s_1, p_2 \in P$.
1. Let $\alpha \in\, !M_p$, say $\alpha = \,!m$. Then, by the construction of $W$ we have $\Delta(p_1 |[\epsilon,\epsilon]| s_1) \in R(\Delta(p |[\epsilon,\epsilon]| s))$ and using $p_1 \xrightarrow{!m} p_2$ we get $\Delta(p_1 |[\epsilon,\epsilon]| s_1) \xrightarrow{m} \Delta(p_2 |[\epsilon,m]| s_1)$. Since $p \parallel s$ is desynchronisable, we know that there exists $q \in R(p \parallel s)$ such that $q \leftrightarrow_b \Delta(p_2 |[\epsilon,m]| s_1)$. Clearly, we have $q\sqcup$. Furthermore, by the transfer property of branching bisimulation and under the assumption of concrete processes we get $\exists s_2.\,[\, \Delta(p_2 |[\epsilon,m]| s_1) \xrightarrow{\tau} \Delta(p_2 |[\epsilon,\epsilon]| s_2) \wedge \Delta(p_2 |[\epsilon,\epsilon]| s_2)\sqcup \,]$. Thus, we have shown that there exists $s_2$ such that $s_1 \xrightarrow{?m} s_2$, and by the construction of $W$ it is clear that $(p_2,s_2) \in W$. But well-posedness also asserts that for every $s_2'$ such that $s_1 \xrightarrow{?m} s_2'$ we have $(p_2,s_2') \in W$. So pick an $s_2' \in P$ such that $s_1 \xrightarrow{?m} s_2'$. Then we have $\Delta(p_2 |[\epsilon,m]| s_1) \xrightarrow{\tau} \Delta(p_2 |[\epsilon,\epsilon]| s_2')$. Thus, $(p_2,s_2') \in W$.
2. Let $\alpha \in E_p$, say $\alpha = e$. Then, by the construction of $W$ we have $\Delta(p_1 |[\epsilon,\epsilon]| s_1) \in R(\Delta(p |[\epsilon,\epsilon]| s))$ and using the above transition we get $\Delta(p_1 |[\epsilon,\epsilon]| s_1) \xrightarrow{e} \Delta(p_2 |[\epsilon,\epsilon]| s_1)$. And, from the construction of $W$ we conclude that $(p_2,s_1) \in W$.
Likewise, the symmetric case can be proved for the process $s_1$.
3.2. Independence of external actions
The second implication of desynchronisability that we would like to discuss is independence of external actions.
Intuitively, it means that a receiver can always delay the execution of its own external action e in favour of receiving
a sequence of messages u from the other process, without any consequence on its future behaviour modulo ↔b, i.e.,
the traces e.u and u.e commute up to branching bisimulation. The reception of messages becomes independent of the
external behaviour in this way.
In the following, we define independence on the composition $p \parallel s$ rather than on the separate processes $p$ and $s$ because we aim for necessary conditions. The pathological case in which a process $p$ is not independent in a part of its state space that becomes unreachable when interacting with $s$ has no effect on desynchronisability. Of course, independence of external actions of the separate processes would be a natural part of a sufficient condition for desynchronisability.
Definition 7. A synchronous system $p \parallel s$ is independent of external actions modulo $\leftrightarrow_b$ if the following conditions hold for every $p_1 \parallel s_1 \in R(p \parallel s)$.
1. $\forall p_2, p_2', s_2, u, e.\,[\, (e \in E_p \wedge u \in (M_s \cup E_s)^* \wedge p_1 \parallel s_1 \xrightarrow{e} p_2 \parallel s_1 \overset{u}{\twoheadrightarrow} p_2' \parallel s_2) \Rightarrow \exists p_3, p_3'.[\, p_1 \parallel s_1 \overset{u}{\twoheadrightarrow} p_3 \parallel s_2 \xrightarrow{e} p_3' \parallel s_2 \wedge p_2' \parallel s_2 \leftrightarrow_b p_3' \parallel s_2 \,] \,]$.
2. $\forall p_2, s_2, s_2', v, e.\,[\, (e \in E_s \wedge v \in (M_p \cup E_p)^* \wedge p_1 \parallel s_1 \xrightarrow{e} p_1 \parallel s_2 \overset{v}{\twoheadrightarrow} p_2 \parallel s_2') \Rightarrow \exists s_3, s_3'.[\, p_1 \parallel s_1 \overset{v}{\twoheadrightarrow} p_2 \parallel s_3 \xrightarrow{e} p_2 \parallel s_3' \wedge p_2 \parallel s_2' \leftrightarrow_b p_2 \parallel s_3' \,] \,]$.
Theorem 3. If $p \parallel s$ is concrete and desynchronisable then it is independent of external actions modulo $\leftrightarrow_b$.
Proof. Assume we have a reachable and desynchronisable (Theorem 1) state $p_1 \parallel s_1 \in R(p \parallel s)$ with solid transitions as in Figure 3, where $e \in E_p$ and $u \in (M_s \cup E_s)^*$. From Proposition 1 we get $p_1 \xrightarrow{e} p_2$, $s_1 \overset{!u}{\twoheadrightarrow} s_2$, and $p_2 \overset{?u}{\twoheadrightarrow} p_2'$. As well-posedness is necessary for desynchronisability, we may use it to obtain $p_1 \overset{?u}{\twoheadrightarrow} p_3$ (for some $p_3$) from Lemma 3. Using the SOS rules we get $p_1 \parallel s_1 \overset{u}{\twoheadrightarrow} p_3 \parallel s_2$ (dashed in Figure 3). From these transitions we then derive the transitions in the asynchronous system depicted as solid lines in Figure 3, where $\bar{u} = \mu$.
[Figure 3: An illustration showing that an external action $e$ by the process $p_1$ can be delayed in favour of receiving the messages $u$ such that the traces $e.u$ and $u.e$ commute up to branching bisimulation. The figure relates the synchronous states $p_1 \parallel s_1$, $p_2 \parallel s_1$, $p_2' \parallel s_2$, $p_3 \parallel s_2$, $p_3' \parallel s_2$ to the asynchronous states $\Delta(p_1 |[\epsilon,\epsilon]| s_1)$, $\Delta(p_2 |[\epsilon,\epsilon]| s_1)$, $\Delta(p_1 |[\mu,\epsilon]| s_2)$, $\Delta(p_2 |[\mu,\epsilon]| s_2)$, $\Delta(p_2' |[\epsilon,\epsilon]| s_2)$, $\Delta(p_3 |[\epsilon,\epsilon]| s_2)$, $\Delta(p_3' |[\epsilon,\epsilon]| s_2)$ via $e$- and $u$-transitions and $\leftrightarrow_b$.]
Since $\tau$-transitions are inert we have $\Delta(p_1 |[\mu,\epsilon]| s_2) \leftrightarrow_b \Delta(p_3 |[\epsilon,\epsilon]| s_2)$. Branching bisimulation, under the assumption of concrete processes and disjointness of the sets $E_p$ and $E_s$, gives us the existence of $p_3'$ such that $\Delta(p_3 |[\epsilon,\epsilon]| s_2) \xrightarrow{e} \Delta(p_3' |[\epsilon,\epsilon]| s_2)$ and $\Delta(p_3' |[\epsilon,\epsilon]| s_2) \leftrightarrow_b \Delta(p_2 |[\mu,\epsilon]| s_2)$. By the SOS rules we get $p_3 \xrightarrow{e} p_3'$, thus $p_3 \parallel s_2 \xrightarrow{e} p_3' \parallel s_2$. Next, we show that $p_2' \parallel s_2 \leftrightarrow_b p_3' \parallel s_2$. From above we have $\Delta(p_3' |[\epsilon,\epsilon]| s_2) \leftrightarrow_b \Delta(p_2 |[\mu,\epsilon]| s_2)$ and since $\tau$-transitions are inert we have $\Delta(p_2 |[\mu,\epsilon]| s_2) \leftrightarrow_b \Delta(p_2' |[\epsilon,\epsilon]| s_2)$. By transitivity we get $\Delta(p_3' |[\epsilon,\epsilon]| s_2) \leftrightarrow_b \Delta(p_2' |[\epsilon,\epsilon]| s_2)$. By Theorem 1 we have $p_3' \parallel s_2 \leftrightarrow_b \Delta(p_3' |[\epsilon,\epsilon]| s_2)$ and $p_2' \parallel s_2 \leftrightarrow_b \Delta(p_2' |[\epsilon,\epsilon]| s_2)$, from which we ultimately conclude $p_2' \parallel s_2 \leftrightarrow_b p_3' \parallel s_2$. Likewise, Condition 2 of Definition 7 can be proved.
3.3. Input determinism
The next implication of desynchronisability is that desynchronisable systems should be input deterministic. In other words, the synchronous system $p \parallel s$ should not make non-deterministic choices upon the reception of messages. It may perform non-deterministic external behaviour, and it may also be non-deterministic when sending messages. The reason for this is that desynchronisation delays any non-deterministic choice on the input.
Like in the case of independence of external actions, we define the condition input-determinism on the syn-
chronous process p ‖ s rather than on the individual processes p and s (cf. [20]) because we are aiming for necessary
conditions. As before, input-determinism of the individual processes would be a natural part of a sufficient condition
for input-determinism of the composition.
Definition 8. A synchronous system $p \parallel s$ is input deterministic modulo $\leftrightarrow_b$ if every reachable state $p_1 \parallel s_1 \in R(p \parallel s)$ satisfies the following conditions.
1. $\forall p_2, s_2, p_3, u.\,[\, (p_1 \parallel s_1 \overset{u}{\twoheadrightarrow} p_2 \parallel s_2 \wedge p_1 \parallel s_1 \overset{u}{\twoheadrightarrow} p_3 \parallel s_2 \wedge u \in (M_s \cup E_s)^*) \Rightarrow p_2 \parallel s_2 \leftrightarrow_b p_3 \parallel s_2 \,]$.
2. $\forall p_2, s_2, s_3, v.\,[\, (p_1 \parallel s_1 \overset{v}{\twoheadrightarrow} p_2 \parallel s_2 \wedge p_1 \parallel s_1 \overset{v}{\twoheadrightarrow} p_2 \parallel s_3 \wedge v \in (M_p \cup E_p)^*) \Rightarrow p_2 \parallel s_2 \leftrightarrow_b p_2 \parallel s_3 \,]$.
Theorem 4. Let $p \parallel s$ be concrete and desynchronisable, then it is input deterministic modulo $\leftrightarrow_b$.
Proof. Pick a reachable state $p_1 \parallel s_1 \in R(p \parallel s)$ such that $p_1 \parallel s_1 \overset{u}{\twoheadrightarrow} p_2 \parallel s_2$ and $p_1 \parallel s_1 \overset{u}{\twoheadrightarrow} p_3 \parallel s_2$, for some $u \in (M_s \cup E_s)^*$, $p_2, p_3, s_2 \in P$ (see Figure 4). By Theorem 1 we have $p_1 \parallel s_1 \leftrightarrow_b \Delta(p_1 |[\epsilon,\epsilon]| s_1)$. Using the given transitions in Proposition 1 we get $s_1 \overset{!u}{\twoheadrightarrow} s_2$, $p_1 \overset{?u}{\twoheadrightarrow} p_2$ and $p_1 \overset{?u}{\twoheadrightarrow} p_3$. For the asynchronous system we then find the transitions as shown in Figure 4, where $\mu = \bar{u}$.
[Figure 4: An illustration showing that nondeterministic reception of messages $u$ in a desynchronisable synchronous system leads to branching bisimilar states $p_2 \parallel s_2$, $p_3 \parallel s_2$. The figure relates the synchronous states $p_1 \parallel s_1$, $p_2 \parallel s_2$, $p_3 \parallel s_2$ to the asynchronous states $\Delta(p_1 |[\epsilon,\epsilon]| s_1)$, $\Delta(p_1 |[\mu,\epsilon]| s_2)$, $\Delta(p_2 |[\epsilon,\epsilon]| s_2)$, $\Delta(p_3 |[\epsilon,\epsilon]| s_2)$ via $u$- and $\epsilon$-transitions and $\leftrightarrow_b$.]
As $p \parallel s$ is concrete, all $\tau$-transitions in the asynchronous system are inert (Lemma 1), so we get $\Delta(p_1 |[\mu,\epsilon]| s_2) \leftrightarrow_b \Delta(p_2 |[\epsilon,\epsilon]| s_2) \leftrightarrow_b \Delta(p_3 |[\epsilon,\epsilon]| s_2)$. Finally, using Theorem 1 twice we ultimately conclude that $p_2 \parallel s_2 \leftrightarrow_b p_3 \parallel s_2$. Likewise, Condition 2 of Definition 8 can be proved.
3.4. The diamond property
The final implication of desynchronisability that we would like to discuss is the diamond property. Intuitively, the diamond property says that sending a message from one component does not disable the sending of a message from the other component. Moreover, any order of execution leads to behaviourally equivalent states.
Definition 9. A synchronous system $p \parallel s$ has the diamond property modulo $\leftrightarrow_b$ if for every reachable state $p_1 \parallel s_1$ and transitions $p_1 \parallel s_1 \xrightarrow{m} p_2 \parallel s_2$ and $p_1 \parallel s_1 \xrightarrow{n} p_3 \parallel s_3$ with $m \in M_p$ and $n \in M_s$ there exist transitions $p_2 \parallel s_2 \xrightarrow{n} p_4 \parallel s_4$ and $p_3 \parallel s_3 \xrightarrow{m} p_5 \parallel s_5$ with $p_4 \parallel s_4 \leftrightarrow_b p_5 \parallel s_5$.
Lemma 4 (Generalised diamond property). Let $p \parallel s$ be a concrete synchronous system that satisfies Definitions 6-9. If $p_1 \parallel s_1 \in R(p \parallel s)$, $u \in (M_s \cup E_s)^*$, $v \in (M_p \cup E_p)^*$, $p_1 \parallel s_1 \overset{u}{\twoheadrightarrow} p_2 \parallel s_2$, and $p_1 \parallel s_1 \overset{v}{\twoheadrightarrow} p_3 \parallel s_3$ then $\exists p_4, s_4, p_5, s_5.\,[\, p_2 \parallel s_2 \overset{v}{\twoheadrightarrow} p_4 \parallel s_4 \wedge p_3 \parallel s_3 \overset{u}{\twoheadrightarrow} p_5 \parallel s_5 \wedge p_4 \parallel s_4 \leftrightarrow_b p_5 \parallel s_5 \,]$.
Proof. We first prove the following claim: if $p_1 \parallel s_1 \overset{u}{\twoheadrightarrow} p_2 \parallel s_2$, $p_1 \parallel s_1 \xrightarrow{\alpha} p_3 \parallel s_3$, $u \in (M_s \cup E_s)^*$, and $\alpha \in M_p \cup E_p$ then $\exists p_4, s_4, p_5, s_5.\,[\, p_2 \parallel s_2 \xrightarrow{\alpha} p_4 \parallel s_4 \wedge p_3 \parallel s_3 \overset{u}{\twoheadrightarrow} p_5 \parallel s_5 \wedge p_4 \parallel s_4 \leftrightarrow_b p_5 \parallel s_5 \,]$. Without loss of generality, assume that $u = u'.\alpha'$ and $p_1 \parallel s_1 \overset{u'}{\twoheadrightarrow} p_2' \parallel s_2' \xrightarrow{\alpha'} p_2 \parallel s_2$. Then, by the induction hypothesis we have $\exists p_4', s_4', p_5', s_5'.\,[\, p_2' \parallel s_2' \xrightarrow{\alpha} p_4' \parallel s_4' \wedge p_3 \parallel s_3 \overset{u'}{\twoheadrightarrow} p_5' \parallel s_5' \wedge p_4' \parallel s_4' \leftrightarrow_b p_5' \parallel s_5' \,]$.
We identify the following cases based on the types of $\alpha$, $\alpha'$.
1. Let $\alpha = e$ for some $e \in E_p$ and $\alpha' = e'$ for some $e' \in E_s$. Trivial.
2. Let $\alpha = e$ for some $e \in E_p$ and $\alpha' = n$ for some $n \in M_s$. The single-step transitions from the above induction hypothesis are shown as solid lines in Figure 5. Note that $s_2' = s_4'$ because of Rule 2. From the transition $p_2' \parallel s_2' \xrightarrow{n} p_2 \parallel s_2$ we have $s_2' \xrightarrow{!n} s_2$. And from well-posedness (Definition 6) we get $\exists p_4.\,[\, p_4' \xrightarrow{?n} p_4 \,]$. Thus, $p_4' \parallel s_2' \xrightarrow{n} p_4 \parallel s_2$. Now, applying independence of external actions (Definition 7) at the state $p_2' \parallel s_2'$ we get (see Figure 5) $\exists p_6, p_6'.\,[\, p_2' \parallel s_2' \xrightarrow{n} p_6 \parallel s_2 \xrightarrow{e} p_6' \parallel s_2 \wedge p_6' \parallel s_2 \leftrightarrow_b p_4 \parallel s_2 \,]$.
[Figure 5: Case 2 in Lemma 4. The figure shows the states $p_2' \parallel s_2'$, $p_2 \parallel s_2$, $p_6 \parallel s_2$, $p_4' \parallel s_2'$, $p_4 \parallel s_2$, $p_6' \parallel s_2$, $p_7 \parallel s_2$ with their $e$- and $n$-transitions and $\leftrightarrow_b$ relations.]
From input-determinism (Definition 8) we get $p_2 \parallel s_2 \leftrightarrow_b p_6 \parallel s_2$. And from the transfer conditions of branching bisimulation under the assumption of concrete processes and disjointness of the sets $E_p$, $E_s$ we get $\exists p_7.\,[\, p_2 \parallel s_2 \xrightarrow{e} p_7 \parallel s_2 \wedge p_6' \parallel s_2 \leftrightarrow_b p_7 \parallel s_2 \,]$. Thus, by transitivity we get $p_7 \parallel s_2 \leftrightarrow_b p_4 \parallel s_2$. Recall from the induction hypothesis that $p_4' \parallel s_2' \leftrightarrow_b p_5' \parallel s_5'$. Again, from the transfer conditions of branching bisimulation under the assumption of concrete processes we get $\exists p_5, s_5.\,[\, p_5' \parallel s_5' \xrightarrow{n} p_5 \parallel s_5 \wedge p_4 \parallel s_2 \leftrightarrow_b p_5 \parallel s_5 \,]$. Finally, by transitivity we have $p_7 \parallel s_2 \leftrightarrow_b p_5 \parallel s_5$.
3. Let $\alpha = m$ for some $m \in M_p$ and $\alpha' = e'$ for some $e' \in E_s$. Similar to the previous case.
4. Let $\alpha = m$ for some $m \in M_p$ and $\alpha' = n$ for some $n \in M_s$. Similar to Case 2, using Definition 9 instead of Definition 7.
Likewise, the main statement can be proved by assuming $v = v'.\alpha$ for some $\alpha \in E_p \cup M_p$.
Theorem 5. Let $p \parallel s$ be concrete and desynchronisable, then $p \parallel s$ has the diamond property modulo $\leftrightarrow_b$.
Proof. Assume a state $p_1 \parallel s_1 \in R(p \parallel s)$, $p_1 \parallel s_1 \xrightarrow{m} p_2 \parallel s_2$ ($m \in M_p$) and $p_1 \parallel s_1 \xrightarrow{n} p_3 \parallel s_3$ ($n \in M_s$), as depicted in Figure 6. From Theorem 1 we know that $p_i \parallel s_i \leftrightarrow_b \Delta(p_i |[\epsilon,\epsilon]| s_i)$, for $i \in \{1,2,3\}$. From the SOS rules we get $p_1 \xrightarrow{!m} p_2$, $s_1 \xrightarrow{?m} s_2$, $p_1 \xrightarrow{?n} p_3$, and $s_1 \xrightarrow{!n} s_3$. Using these transitions we find the transitions at the state $\Delta(p_1 |[\epsilon,\epsilon]| s_1)$ as shown in Figure 6.
[Figure 6: An illustration showing that the communication of two send messages $m$, $n$ by different processes can be done in any order in a desynchronisable synchronous system. The figure relates the synchronous states $p_1 \parallel s_1$, $p_2 \parallel s_2$, $p_3 \parallel s_3$, $p_4 \parallel s_4$, $p_5 \parallel s_5$ to the asynchronous states $\Delta(p_1 |[\epsilon,\epsilon]| s_1)$, $\Delta(p_2 |[\epsilon,m]| s_1)$, $\Delta(p_1 |[n,\epsilon]| s_3)$, $\Delta(p_2 |[\epsilon,\epsilon]| s_2)$, $\Delta(p_3 |[\epsilon,\epsilon]| s_3)$, $\Delta(p_2 |[n,m]| s_3)$ via $m$-, $n$- and $\tau$-transitions and $\leftrightarrow_b$.]
Since $\tau$-transitions are inert we get $\Delta(p_2 |[\epsilon,m]| s_1) \leftrightarrow_b \Delta(p_2 |[\epsilon,\epsilon]| s_2)$. And from Theorem 1 we get $p_2 \parallel s_2 \leftrightarrow_b \Delta(p_2 |[\epsilon,\epsilon]| s_2)$. Thus, by transitivity we have $p_2 \parallel s_2 \leftrightarrow_b \Delta(p_2 |[\epsilon,m]| s_1)$. And the transfer conditions of branching bisimulation give the dashed transition labelled $n$ shown in Figure 6 with $p_4 \parallel s_4 \leftrightarrow_b \Delta(p_2 |[n,m]| s_3)$. Likewise we derive the dashed transition labelled $m$ in Figure 6 with $p_5 \parallel s_5 \leftrightarrow_b \Delta(p_2 |[n,m]| s_3)$. Finally, by transitivity we conclude that $p_4 \parallel s_4 \leftrightarrow_b p_5 \parallel s_5$.
3.5. Sufficient conditions for desynchronisability
Conversely, the four necessary conditions that we discussed in the previous subsections together form a sufficient condition for desynchronisability.
Theorem 6. Let $p \parallel s$ be concrete, well-posed, independent of external actions modulo $\leftrightarrow_b$, input deterministic modulo $\leftrightarrow_b$, and satisfy the diamond property modulo $\leftrightarrow_b$; then $p \parallel s \leftrightarrow_b \Delta(p |[\epsilon,\epsilon]| s)$.
Proof. We define a relation $B$ in the following way:
$$B = \{\, (p_1 \parallel s_1,\ \Delta(p_2 |[\mu,\nu]| s_2)) \mid p_1 \parallel s_1 \in R(p \parallel s) \wedge \Delta(p_2 |[\mu,\nu]| s_2) \in R(\Delta(p |[\epsilon,\epsilon]| s)) \wedge \exists p_2', s_2', q, q', u, v.\,[\, u \in (M_s \cup E_s)^* \wedge v \in (M_p \cup E_p)^* \wedge \bar{u} = \mu \wedge \bar{v} = \nu \wedge p_2 \parallel s_2' \in R(p \parallel s) \wedge p_2' \parallel s_2 \in R(p \parallel s) \wedge p_2 \parallel s_2' \overset{u}{\twoheadrightarrow} q \leftrightarrow_b p_1 \parallel s_1 \leftrightarrow_b q' \overset{v}{\twoheadleftarrow} p_2' \parallel s_2 \,]\,\}.$$
Intuitively, two states $p_1 \parallel s_1$, $\Delta(p_2 |[\mu,\nu]| s_2)$ are $B$-related if
1. the above states are reachable from their respective initial states, i.e., $p_1 \parallel s_1 \in R(p \parallel s)$, $\Delta(p_2 |[\mu,\nu]| s_2) \in R(\Delta(p |[\epsilon,\epsilon]| s))$; and
2. it is possible to read the contents of the input queues (because of the transitions $p_2 \parallel s_2' \overset{u}{\twoheadrightarrow} q$, $p_2' \parallel s_2 \overset{v}{\twoheadrightarrow} q'$ in the construction of $B$) such that an asynchronous state $B$-related to $p_1 \parallel s_1$ is reached.
Next, we show that $B$ is a witnessing branching bisimulation. We first enumerate the cases showing that every transition from the state $p_1 \parallel s_1$ is simulated by the state $\Delta(p_2 |[\mu,\nu]| s_2)$ when $(p_1 \parallel s_1, \Delta(p_2 |[\mu,\nu]| s_2)) \in B$.
1. Let $p_1 \parallel s_1 \xrightarrow{\alpha} p_3 \parallel s_3$, $(p_1 \parallel s_1, \Delta(p_2 |[\mu,\nu]| s_2)) \in B$, and $\alpha = m \in M_p$ (the case when $\alpha \in M_s \cup E_s \cup E_p$ is similar). From the construction of $B$ we have $p_1 \parallel s_1 \in R(p \parallel s)$ and there exist $p_2', s_2', p_4, p_4', s_4, s_4', u, v$ such that
$$p_2 \parallel s_2' \overset{u}{\twoheadrightarrow} p_4 \parallel s_4' \leftrightarrow_b p_1 \parallel s_1 \leftrightarrow_b p_4' \parallel s_4 \overset{v}{\twoheadleftarrow} p_2' \parallel s_2. \qquad (1)$$
Applying Proposition 1 we get $p_2 \overset{?u}{\twoheadrightarrow} p_4$ and $s_2 \overset{?v}{\twoheadrightarrow} s_4$. Thus, we get $\Delta(p_2 |[\mu,\nu]| s_2) \overset{\epsilon}{\twoheadrightarrow} \Delta(p_4 |[\epsilon,\epsilon]| s_4)$. But from above we have $p_4 \parallel s_4' \leftrightarrow_b p_1 \parallel s_1 \leftrightarrow_b p_4' \parallel s_4$. Now instantiating the transfer properties of branching bisimulation, and since the processes $p$, $s$ are concrete, we get
$$p_4 \parallel s_4' \xrightarrow{m} p_5 \parallel s_5' \leftrightarrow_b p_3 \parallel s_3 \leftrightarrow_b p_5' \parallel s_5 \xleftarrow{m} p_4' \parallel s_4,$$
for some $p_5, p_5', s_5, s_5' \in P$. Thus, $\Delta(p_4 |[\epsilon,\epsilon]| s_4) \xrightarrow{m} \Delta(p_5 |[\epsilon,m]| s_4)$. Finally, using the facts $p_5 \parallel s_5' \leftrightarrow_b p_3 \parallel s_3 \leftrightarrow_b p_5' \parallel s_5$ and $p_4' \parallel s_4 \xrightarrow{m} p_5' \parallel s_5$ in the construction of $B$ we conclude that $(p_3 \parallel s_3, \Delta(p_5 |[\epsilon,m]| s_4)) \in B$.
2. Let $(p_1 \parallel s_1, \Delta(p_2 |[\mu,\nu]| s_2)) \in B$ and $(p_1 \parallel s_1)\sqcup$. By following the arguments of Case 1 we can derive $\Delta(p_2 |[\mu,\nu]| s_2) \overset{\epsilon}{\twoheadrightarrow} \Delta(p_4 |[\epsilon,\epsilon]| s_4)$, for some $p_4, s_4 \in P$. Clearly, $(\Delta(p_4 |[\epsilon,\epsilon]| s_4))\sqcup$. Now using the facts $p_4 \parallel s_4' \leftrightarrow_b p_1 \parallel s_1 \leftrightarrow_b p_4' \parallel s_4$ from (1) in the construction of $B$ we get $(p_1 \parallel s_1, \Delta(p_4 |[\epsilon,\epsilon]| s_4)) \in B$.
The proof for the other direction is an intricate one and we distinguish the following cases.
1. Let $\Delta(p_2 |[\mu,\nu]| s_2) \xrightarrow{\alpha} \Delta(p_4 |[\mu',\nu']| s_4)$, $(p_1 \parallel s_1, \Delta(p_2 |[\mu,\nu]| s_2)) \in B$, and $\alpha \in E_s$ (the case when $\alpha \in E_p$ is symmetric). Then, by the semantics we get $p_2 = p_4$, $s_2 \xrightarrow{e} s_4$, $\mu' = \mu$, $\nu' = \nu$. From the construction of $B$ we get the solid transitions depicted in Figure 7. Using the transition $s_2 \xrightarrow{e} s_4$ we get the dashed transition (1) in Figure 7. Consider the transition $p_2' \parallel s_2 \overset{v}{\twoheadrightarrow} p_3' \parallel s_3$. From Proposition 1 we have $p_2' \overset{!v}{\twoheadrightarrow} p_3'$. By generalised well-posedness we get the dashed transition (2) in Figure 7. By independence of external actions we get the two dashed transitions labelled (3) in Figure 7. From input-determinism we get $p_3' \parallel s_6' \leftrightarrow_b p_3' \parallel s_3$. And from the transfer conditions of branching bisimulation (under the concreteness assumption) we get the remaining dashed transitions (4) and (5).
[Figure 7: Case 1 of Theorem 6. The figure shows the states $p_2' \parallel s_2$, $p_2' \parallel s_4$, $p_3' \parallel s_3$, $p_5' \parallel s_5'$, $p_3' \parallel s_3''$, $p_3' \parallel s_6'$, $p_3' \parallel s_6$, $p_2 \parallel s_2'$, $p_3 \parallel s_3'$, $p_4' \parallel s_4'$ with their $u$-, $v$- and $e$-transitions, numbered (1) to (5), and $\leftrightarrow_b$ relations.]
Furthermore, from the construction of $B$ we have $p_3 \parallel s_3' \leftrightarrow_b p_1 \parallel s_1$. And, from the transfer conditions of a branching bisimulation (under the concreteness assumption) we get that there exist $p_1', s_1'$ such that $p_1 \parallel s_1 \xrightarrow{e} p_1' \parallel s_1'$ and $p_1' \parallel s_1' \leftrightarrow_b p_4' \parallel s_4'$. Finally, using the transitions $p_2 \parallel s_2' \overset{u.e}{\twoheadrightarrow} p_4' \parallel s_4'$, $p_2' \parallel s_4 \overset{v}{\twoheadrightarrow} p_3' \parallel s_3''$ and the fact that $p_3' \parallel s_3'' \leftrightarrow_b p_4' \parallel s_4' \leftrightarrow_b p_1' \parallel s_1'$ in the construction of $B$ we conclude that $(p_1' \parallel s_1', \Delta(p_2 |[\mu,\nu]| s_4)) \in B$.
2. Let $\Delta(p_2 |[\mu,\nu]| s_2) \xrightarrow{\alpha} \Delta(p_4 |[\mu',\nu']| s_4)$, $(p_1 \parallel s_1, \Delta(p_2 |[\mu,\nu]| s_2)) \in B$, and $\alpha \in M_s$ (the case when $\alpha \in M_p$ is symmetric). Then, $p_2 = p_4$, $\mu' = \mu.n$, $\nu' = \nu$, $s_2 \xrightarrow{!n} s_4$, where $\alpha = n$, for $n \in M_s$. The remainder of the proof is similar to the previous case, except that we use the diamond property instead of independence of external actions when both $\mu$ and $\nu$ are non-empty.
3. Let $\Delta(p_2 |[\mu,\nu]| s_2) \xrightarrow{\tau} \Delta(p_4 |[\mu',\nu']| s_4)$, $(p_1 \parallel s_1, \Delta(p_2 |[\mu,\nu]| s_2)) \in B$. Since the communicating components are concrete, the above transition is due to the removal of an element, either from $\mu$ or from $\nu$. Thus,
(a) In case an element is removed from $\mu$, then $p_2 \xrightarrow{?n} p_4$, $\mu = n.\mu'$, $\nu = \nu'$, $s_2 = s_4$, for some $n \in M_s$. From the construction of $B$ we have the transitions $p_2 \parallel s_2' \overset{u}{\twoheadrightarrow} p_3 \parallel s_3'$ and $p_2' \parallel s_2 \overset{v}{\twoheadrightarrow} p_3' \parallel s_3$. Since $\bar{u} = \mu = n.\mu'$, we can decompose the transition $p_2 \parallel s_2' \overset{u}{\twoheadrightarrow} p_3 \parallel s_3'$ as shown by the solid lines in Figure 8, where $\bar{u}_1 = \epsilon$ and $\bar{u}_2 = \mu'$. As $p_2 \xrightarrow{?n} p_4$, we get the dashed transition (1) in Figure 8. By generalised well-posedness, we get the dashed transition (2) in Figure 8, for some $p_5 \in P$. And from input-determinism we get $p_5 \parallel s_3' \leftrightarrow_b p_3 \parallel s_3'$. Finally, by using the transitions $p_4 \parallel s_4'' \overset{u_2}{\twoheadrightarrow} p_5 \parallel s_3'$, $p_2' \parallel s_2 \overset{v}{\twoheadrightarrow} p_3' \parallel s_3$ and the facts $\bar{u}_2 = \mu'$ and $p_5 \parallel s_3' \leftrightarrow_b p_3' \parallel s_3 \leftrightarrow_b p_1 \parallel s_1$ in the construction of $B$ we conclude that $(p_1 \parallel s_1, \Delta(p_4 |[\mu',\nu]| s_2)) \in B$.
(b) In case an element is removed from $\nu$, the proof is symmetric.
4. Let $(\Delta(p_2 |[\mu,\nu]| s_2))\sqcup$ and $(p_1 \parallel s_1, \Delta(p_2 |[\mu,\nu]| s_2)) \in B$. Trivial.
The next corollary states that substituting branching bisimulation equivalence by syntactical equivalence in the conditions of Theorem 6 does not affect the desynchronisability of a synchronous system.
Corollary 1. Let $p \parallel s$ be concrete, well-posed, independent of external actions modulo $=$, input deterministic modulo $=$, and satisfy the diamond property modulo $=$; then $p \parallel s \leftrightarrow_b \Delta(p |[\epsilon,\epsilon]| s)$.
Note that the definition of the relation $B$ given in the proof of Theorem 6 is independent of the size of the queues. This leads us to claim, without further proof, that the conditions of Theorem 6 are also sufficient in case we use lossless queues of finite size with back-pressure to construct our asynchronous system (just like the main theorems of [8]).
[Figure 8: Case 3 of Theorem 6. The figure shows the states $p_2 \parallel s_2'$, $p_2 \parallel s_4'$, $p_4' \parallel s_4''$, $p_3 \parallel s_3'$, $p_3' \parallel s_3$, $p_2' \parallel s_2$, $p_4 \parallel s_4''$, $p_5 \parallel s_3'$ with their $u_1$-, $u_2$-, $v$- and $n$-transitions, numbered (1) and (2), and $\leftrightarrow_b$ relations.]
3.6. A simplified sufficient condition for desynchronisability
In this subsection, we give an equivalent sufficient condition for desynchronisability which is much simpler to verify on a given synchronous system than the preconditions of Corollary 1. The motive is to find equivalent formulations of independence of external actions (modulo $=$) and input determinism (modulo $=$) using the single-step transition relation $\rightarrow$ instead of the multi-step transition relation $\twoheadrightarrow$.
Definition 10. A synchronous system $p \parallel s$ is locally independent of external actions if the following conditions hold for every $p_1 \parallel s_1 \in R(p \parallel s)$.
1. $\forall p_2, p_2', s_2, n, e.\,[\, (e \in E_p \wedge n \in M_s \wedge p_1 \parallel s_1 \xrightarrow{e} p_2 \parallel s_1 \xrightarrow{n} p_2' \parallel s_2) \Rightarrow \exists p_3.[\, p_1 \parallel s_1 \xrightarrow{n} p_3 \parallel s_2 \xrightarrow{e} p_2' \parallel s_2 \,] \,]$.
2. $\forall p_2, s_2, s_2', m, e.\,[\, (e \in E_s \wedge m \in M_p \wedge p_1 \parallel s_1 \xrightarrow{e} p_1 \parallel s_2 \xrightarrow{m} p_2 \parallel s_2') \Rightarrow \exists s_3.[\, p_1 \parallel s_1 \xrightarrow{m} p_2 \parallel s_3 \xrightarrow{e} p_2 \parallel s_2' \,] \,]$.
Lemma 5. A concrete synchronous system $p \parallel s$ is locally independent of external actions iff it is independent of external actions modulo $=$.
Proof. The if part follows directly from Definition 7 (take $u$ of length one). To prove the only-if part, assume the transitions $p_1 \parallel s_1 \xrightarrow{e} p_2 \parallel s_1 \overset{u}{\twoheadrightarrow} p_2' \parallel s_2$, where $p_1 \parallel s_1 \in R(p \parallel s)$, $e \in E_p$, and $u \in (M_s \cup E_s)^*$. We show by induction on $u$ that there exists $p_3$ such that $p_1 \parallel s_1 \overset{u}{\twoheadrightarrow} p_3 \parallel s_2 \xrightarrow{e} p_2' \parallel s_2$. Without loss of generality, assume $u = u'.\alpha$ such that $p_2 \parallel s_1 \overset{u'}{\twoheadrightarrow} p_3' \parallel s_2' \xrightarrow{\alpha} p_2' \parallel s_2$, for some $p_3', s_2' \in P$, $u' \in (M_s \cup E_s)^*$ and $\alpha \in M_s \cup E_s$. Then, by the induction hypothesis we have $p_1 \parallel s_1 \overset{u'}{\twoheadrightarrow} p_3 \parallel s_2' \xrightarrow{e} p_3' \parallel s_2'$, for some $p_3 \in P$. Now performing a case distinction on $\alpha$ we get the following cases.
1. Let $\alpha = e'$ for some $e' \in E_s$. Then, by the semantics we have $p_3' = p_2'$ and $s_2' \xrightarrow{e'} s_2$. Using this transition at the state $p_3 \parallel s_2'$ we get $p_3 \parallel s_2' \xrightarrow{e'} p_3 \parallel s_2$. But, from the induction hypothesis we have $p_3 \xrightarrow{e} p_2'$. Thus, $p_3 \parallel s_2 \xrightarrow{e} p_2' \parallel s_2$; hence, $p_1 \parallel s_1 \overset{u}{\twoheadrightarrow} p_3 \parallel s_2 \xrightarrow{e} p_2' \parallel s_2$ as required.
2. Let $\alpha = n$ for some $n \in M_s$. Then, by applying Definition 10 we get $p_3 \parallel s_2' \xrightarrow{n} p_4 \parallel s_2 \xrightarrow{e} p_2' \parallel s_2$, for some $p_4 \in P$. Thus, $p_1 \parallel s_1 \overset{u}{\twoheadrightarrow} p_4 \parallel s_2 \xrightarrow{e} p_2' \parallel s_2$ as required.
Definition 11. A synchronous system $p \parallel s$ is locally input deterministic if every reachable state $p_1 \parallel s_1 \in R(p \parallel s)$ satisfies the following conditions.
1. $\forall p_2, s_2, p_3, n.\,[\, (p_1 \parallel s_1 \xrightarrow{n} p_2 \parallel s_2 \wedge p_1 \parallel s_1 \xrightarrow{n} p_3 \parallel s_2 \wedge n \in M_s) \Rightarrow p_2 \parallel s_2 = p_3 \parallel s_2 \,]$.
2. $\forall p_2, s_2, s_3, m.\,[\, (p_1 \parallel s_1 \xrightarrow{m} p_2 \parallel s_2 \wedge p_1 \parallel s_1 \xrightarrow{m} p_2 \parallel s_3 \wedge m \in M_p) \Rightarrow p_2 \parallel s_2 = p_2 \parallel s_3 \,]$.
Lemma 6. A concrete synchronous system $p \parallel s$ is locally input deterministic iff it is input deterministic modulo $=$.
Proof. The if part follows directly from Definition 8. The only-if part follows by induction on the sequences $u \in (M_s \cup E_s)^*$ (resp. $v \in (M_p \cup E_p)^*$) and instantiating Definition 11.
Now, we are ready to prove the main result of this subsection.
Theorem 7. Let $p \parallel s$ be concrete, well-posed, locally independent of external actions, locally input deterministic, and satisfy the diamond property modulo $=$; then $p \parallel s \leftrightarrow_b \Delta(p |[\epsilon,\epsilon]| s)$.
Proof. By Lemmas 5 and 6 and Corollary 1.
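As an added example (not code from the paper), the following Python model checks the hypotheses of Theorem 7 directly on the reachable synchronous states $R(p \parallel s)$: well-posedness (Definition 6, checked on reachable pairs as Proposition 3 permits), local independence of external actions (Definition 10), local input determinism (Definition 11) and the diamond property modulo $=$ (Definition 9). The process encoding, the two sample systems and all function names are constructed for this illustration; it assumes concrete processes with message names disjoint from external-action names.

```python
from collections import deque

# Constructed example processes (not from the paper). A process maps each state
# to its transitions, triples (kind, label, next_state) with kind '!' (send),
# '?' (receive) or 'e' (external action). Message names and external-action
# names are assumed disjoint, and there are no tau steps (concrete processes).
# Handshake: p sends req and waits for ack, with an external tick always
# possible; this system satisfies all four conditions of Theorem 7.
P_HANDSHAKE = {'p0': [('!', 'req', 'p1'), ('e', 'tick', 'p0')],
               'p1': [('?', 'ack', 'p0'), ('e', 'tick', 'p1')]}
S_HANDSHAKE = {'s0': [('?', 'req', 's1')], 's1': [('!', 'ack', 's0')]}
# Conflict: both sides may initiate from their start states and each then waits
# only for its own reply, so the two initiations cannot be reordered.
P_CONFLICT = {'p0': [('!', 'a', 'p1'), ('?', 'b', 'p3')],
              'p1': [('?', 'ack', 'p0')], 'p3': [('!', 'ok', 'p0')]}
S_CONFLICT = {'s0': [('?', 'a', 's3'), ('!', 'b', 's1')],
              's3': [('!', 'ack', 's0')], 's1': [('?', 'ok', 's0')]}


def sync_edges(p, s, st):
    """Synchronous SOS rules: a send pairs with a matching receive on the other
    side and is labelled by the message; an external action moves one side."""
    p1, s1 = st
    out = []
    for kind, lab, p2 in p[p1]:
        if kind == '!':
            out += [(lab, (p2, s2)) for k, l, s2 in s[s1] if (k, l) == ('?', lab)]
        elif kind == 'e':
            out.append((lab, (p2, s1)))
    for kind, lab, s2 in s[s1]:
        if kind == '!':
            out += [(lab, (p2, s2)) for k, l, p2 in p[p1] if (k, l) == ('?', lab)]
        elif kind == 'e':
            out.append((lab, (p1, s2)))
    return out


def reachable(p, s, init):
    """R(p || s) as a dict: reachable state -> list of (label, target) edges."""
    R, todo = {}, deque([init])
    while todo:
        st = todo.popleft()
        if st not in R:
            R[st] = sync_edges(p, s, st)
            todo.extend(t for _, t in R[st])
    return R


def labels(proc, kind):
    return {lab for trs in proc.values() for k, lab, _ in trs if k == kind}


def one_sided(p, s, init):
    """Violations of Definitions 6, 9, 10 and 11 with p as the side whose sends
    must be receivable by s, whose external actions must commute with messages
    from s, and whose successor must be fixed by s's message and successor.
    Returns a dict condition -> set of offending reachable states."""
    R = reachable(p, s, init)
    Mp, Ms, Ep = labels(p, '!'), labels(s, '!'), labels(p, 'e')
    bad = {'well-posed': set(), 'locally independent': set(),
           'locally input deterministic': set(), 'diamond': set()}
    for (p1, s1), edges in R.items():
        offered = {(k, l) for k, l, _ in s[s1]}
        for k, m, _ in p[p1]:  # Definition 6: every send of p is receivable by s
            if k == '!' and ('?', m) not in offered:
                bad['well-posed'].add((p1, s1))
        for n in Ms:  # Definition 11: n and s2 determine p's successor
            targets = {t for l, t in edges if l == n}
            for s2 in {s2 for _, s2 in targets}:
                if len({p2 for p2, s3 in targets if s3 == s2}) > 1:
                    bad['locally input deterministic'].add((p1, s1))
        for e, (p2, _) in edges:  # Definition 10: e.n can be replayed as n.e
            after_e = R[(p2, s1)] if e in Ep else []
            for n, t in after_e:
                if n in Ms and not any(l == n and s3 == t[1] and (e, t) in R[(p3, s3)]
                                       for l, (p3, s3) in edges):
                    bad['locally independent'].add((p1, s1))
        for m, (p2, s2) in edges:  # Definition 9: sends of both sides commute
            for n, (p3, s3) in edges:
                if m in Mp and n in Ms and not (
                        {t for l, t in R[(p2, s2)] if l == n}
                        & {t for l, t in R[(p3, s3)] if l == m}):
                    bad['diamond'].add((p1, s1))
    return bad


def check_theorem7(p, s, p0, s0):
    """Hypotheses of Theorem 7 (modulo =) in both orientations; each condition
    maps to the sorted list of reachable states of p || s where it fails."""
    a, b = one_sided(p, s, (p0, s0)), one_sided(s, p, (s0, p0))
    return {c: sorted(a[c] | {(x, y) for y, x in b[c]}) for c in a}


if __name__ == '__main__':
    for name, (p, s) in (('handshake', (P_HANDSHAKE, S_HANDSHAKE)),
                         ('conflict', (P_CONFLICT, S_CONFLICT))):
        print(name, check_theorem7(p, s, 'p0', 's0'))
```

For the handshake every list is empty, so Theorem 7 yields $p \parallel s \leftrightarrow_b \Delta(p |[\epsilon,\epsilon]| s)$; the conflict system is well-posed but fails the diamond property at $p_0 \parallel s_0$.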
3.7. Half-duplex communication eliminates the diamonds
In the previous subsections, we showed that the diamond property is a necessary condition for desynchronisability,
while we expressed a desire in the introduction to desynchronise systems that do not possess this property as well.
This leads us to rethink our model of desynchronisation.
Changing the notion of equivalence or the observation of the predicate is not likely to help. Previous research
[3, 7] has been performed on weaker notions of equivalence, and although the diamond property was not identified as
a necessary condition there, it did come up as a natural sufficient condition that the authors could not work around.
This is why we decided to experiment with the properties of the buffer instead.
Inspired by the observation that the problem occurs when both communicating parties would like to send a message
at the same time, we decided to see if half-duplex communication, in which only one party can communicate at a time,
would give a solution. We model half-duplex communication between processes p and s as a process p |[ǫ, ǫ]|h s, of
which the structured operational semantics are given in Table 4. Observe that the rules are similar to those we used
before, except that either the left or the right queue remains empty at all times.
Table 4: SOS rules for asynchronous systems with half-duplex queues.
$$\dfrac{p \xrightarrow{!m} p'}{(p |[\epsilon,\nu]|_h s) \xrightarrow{!m} (p' |[\epsilon,\nu.m]|_h s)} \qquad \dfrac{s \xrightarrow{!n} s'}{(p |[\mu,\epsilon]|_h s) \xrightarrow{!n} (p |[\mu.n,\epsilon]|_h s')}$$
$$\dfrac{p \xrightarrow{?n} p' \quad \mu = n.\mu' \quad n \in M_s}{(p |[\mu,\nu]|_h s) \xrightarrow{?n} (p' |[\mu',\nu]|_h s)} \qquad \dfrac{s \xrightarrow{?m} s' \quad \nu = m.\nu' \quad m \in M_p}{(p |[\mu,\nu]|_h s) \xrightarrow{?m} (p |[\mu,\nu']|_h s')}$$
$$\dfrac{p \xrightarrow{\alpha} p' \quad \alpha \in E_p \cup \{\tau\}}{(p |[\mu,\nu]|_h s) \xrightarrow{\alpha} (p' |[\mu,\nu]|_h s)} \qquad \dfrac{s \xrightarrow{\alpha} s' \quad \alpha \in E_s \cup \{\tau\}}{(p |[\mu,\nu]|_h s) \xrightarrow{\alpha} (p |[\mu,\nu]|_h s')} \qquad (p |[\epsilon,\epsilon]|_h s)\sqcup$$
Definition 12. A synchronous system $p \parallel s$ is half-duplex desynchronisable if $p \parallel s \leftrightarrow_b \Delta(p |[\epsilon,\epsilon]|_h s)$.
Next, we find that the diamond property can be dropped from the necessary and sufficient conditions.
Theorem 8. Let $p \parallel s$ be concrete and half-duplex desynchronisable, then it is well-posed, independent of external actions, and input deterministic.
Proof. Along the same lines as the proofs in the previous section.
Theorem 9. Suppose a concrete process $p \parallel s$ is well-posed, independent of external actions, and input deterministic; then it is half-duplex desynchronisable.
Proof. Recall the relation $B$ from Theorem 6 and replace the full-duplex operator with our new half-duplex operator. This relation will serve as a witness for our theorem along the same lines set out in Theorem 6, except that in Case 2 we find for the queue contents that either $\mu$ or $\nu$ will be empty due to the half-duplex condition. As a result, the necessity of the diamond property in this proof disappears.
Relaxing the half-duplex condition
As already mentioned, the half-duplex mechanism leads to an inefficient design of an asynchronous system be-
cause a sender is not allowed to send messages while its input queue is non-empty. Furthermore, our only reason for
wanting half-duplex communication is that we could not guarantee the diamond property for our synchronous system.
In essence, the half-duplex condition just ensures a certain level of synchronisation over the communication buffer.
In practice, half-duplex communication can only be implemented if some kind of semaphore is in place on top of the
physical layer.
Table 5: SOS rules for semi-duplex communication over a set $I$.
$$\dfrac{p \xrightarrow{!m} p' \quad m \in M_p \quad (\mu \in I^* \vee m \in I)}{(p |[\mu,\nu]|_I s) \xrightarrow{!m} (p' |[\mu,\nu.m]|_I s)} \qquad \dfrac{s \xrightarrow{!n} s' \quad n \in M_s \quad (\nu \in I^* \vee n \in I)}{(p |[\mu,\nu]|_I s) \xrightarrow{!n} (p |[\mu.n,\nu]|_I s')}$$
$$\dfrac{p \xrightarrow{?n} p' \quad \mu = n.\mu' \quad n \in M_s}{(p |[\mu,\nu]|_I s) \xrightarrow{?n} (p' |[\mu',\nu]|_I s)} \qquad \dfrac{s \xrightarrow{?m} s' \quad \nu = m.\nu' \quad m \in M_p}{(p |[\mu,\nu]|_I s) \xrightarrow{?m} (p |[\mu,\nu']|_I s')}$$
$$\dfrac{p \xrightarrow{\alpha} p' \quad \alpha \in E_p \cup \{\tau\}}{(p |[\mu,\nu]|_I s) \xrightarrow{\alpha} (p' |[\mu,\nu]|_I s)} \qquad \dfrac{s \xrightarrow{\alpha} s' \quad \alpha \in E_s \cup \{\tau\}}{(p |[\mu,\nu]|_I s) \xrightarrow{\alpha} (p |[\mu,\nu]|_I s')} \qquad (p |[\epsilon,\epsilon]|_I s)\sqcup$$
Now, suppose that we do have the diamond property for certain pairs of actions in the synchronous system. In
such a case, a specialised semaphore could be put in place that verifies whether there are actions in the incoming
buffer that conflict with a specific outgoing action. For example, suppose we can identify a subset I ⊆ Mp ∪ Ms of
actions that satisfy the diamond property with respect to all other messages in Mp ∪ Ms. As long as there are only
actions from I in the buffer, it is safe to send any message, and at any time it is safe to send actions from I. Such a
type of communication is captured in the SOS rules of Table 5. We call this semi-duplex communication.
We conjecture that the necessary and sufficient conditions for desynchronisation using such a buffer are well-
posedness, independence of external actions, input determinism, and the diamond property for pairs of messages, one
of which is in the subset I. We actually expect the proof to be along the same lines as the other ones in this paper.
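As an added example (not from the paper), this Python model explores the asynchronous state space generated by the send and receive rules of Table 5 for a constructed system that is well-posed but lacks the diamond property, and reports states that are stuck with messages left in a queue, i.e. orphans. Taking $I$ to be all messages makes every send allowed (ordinary full-duplex queues) and the mutual-send state deadlocks; with $I = \emptyset$ (the half-duplex rules of Table 4) or $I$ equal to the two reply messages, no such state is reachable. The process encoding, the names and the sample system are assumptions of this illustration.

```python
from collections import deque

# Constructed example (not from the paper): both sides may initiate from their
# start states and each then waits only for its own reply, so the synchronous
# composition is well-posed but lacks the diamond property at p0 || s0.
# Transitions are (kind, message, next_state) with kind '!' send, '?' receive.
P = {'p0': [('!', 'a', 'p1'), ('?', 'b', 'p3')],
     'p1': [('?', 'ack', 'p0')], 'p3': [('!', 'ok', 'p0')]}
S = {'s0': [('?', 'a', 's3'), ('!', 'b', 's1')],
     's3': [('!', 'ack', 's0')], 's1': [('?', 'ok', 's0')]}
ALL = {'a', 'b', 'ack', 'ok'}


def async_edges(p, s, st, I):
    """Semi-duplex SOS rules of Table 5 for a state p |[mu, nu]|_I s, with mu
    the queue p reads from (s appends to it) and nu the converse. A send is
    allowed when the sender's own input queue lies in I* or the message lies
    in I. I = set() gives the half-duplex rules of Table 4; I = ALL allows
    every send and so gives ordinary full-duplex queues. Receptions are the
    tau steps of the asynchronous system."""
    p1, mu, nu, s1 = st
    out = []
    for kind, m, p2 in p[p1]:
        if kind == '!' and (all(x in I for x in mu) or m in I):
            out.append(('!' + m, (p2, mu, nu + (m,), s1)))
        elif kind == '?' and mu[:1] == (m,):
            out.append(('tau', (p2, mu[1:], nu, s1)))
    for kind, n, s2 in s[s1]:
        if kind == '!' and (all(x in I for x in nu) or n in I):
            out.append(('!' + n, (p1, mu + (n,), nu, s2)))
        elif kind == '?' and nu[:1] == (n,):
            out.append(('tau', (p1, mu, nu[1:], s2)))
    return out


def orphan_deadlocks(p, s, init, I):
    """Explore the reachable asynchronous states and return (stuck, count):
    the states with no outgoing transition but a non-empty queue, i.e. the
    orphans of Section 3.1 in their simplest form, and the number of
    reachable states."""
    seen, todo, stuck = set(), deque([init]), []
    while todo:
        st = todo.popleft()
        if st in seen:
            continue
        seen.add(st)
        edges = async_edges(p, s, st, I)
        if not edges and (st[1] or st[2]):
            stuck.append(st)
        todo.extend(t for _, t in edges)
    return stuck, len(seen)


if __name__ == '__main__':
    init = ('p0', (), (), 's0')
    for name, I in (('full-duplex', ALL), ('half-duplex', set()),
                    ('semi-duplex over the replies', {'ack', 'ok'})):
        stuck, n = orphan_deadlocks(P, S, init, I)
        print(f'{name}: {n} reachable states, stuck with orphans: {stuck}')
```

Under full-duplex queues the state $p_1 |[b, a]| s_1$ is reached after both initiations and neither side can read the message at the head of its queue, which is exactly the situation the half-duplex condition rules out.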
However, before going into detailed proofs of such theorems, we would like to point out that the selection of a
semi-duplex buffering strategy does not only depend on the particular diamonds that can be proven, but also on the
particular kinds of semi-duplex buffering strategies that are implementable. If we want to distinguish different classes
of messages that share the diamond property, we also need to use different semaphores to ensure the associated
semi-duplex buffer (reminiscent of [21]). Which semaphores are actually implementable is highly dependent on the
application domain, so we would like to concentrate future research on finding out which possibilities we have in
practice (in our case, in practical cases of supervisory control) to put semaphores on a communication buffer.
4. Desynchronisation in supervisory control
Regarding supervisory control theory of Ramadge and Wonham [6], we should still check whether the conditions
we have gotten so far are reasonable. That is the topic of this section. Furthermore, we are also interested in exploring
to what extent the assumptions of supervisory control theory of [6] can be relaxed without affecting the obtained
conditions of (half-duplex) desynchronisability. In this section, we will extend Theorem 9 of [18] by allowing external
actions and nondeterminism in the specification of a supervisor, which are usually prohibited in supervisory control
theory.
The three basic entities in supervisory control theory are a plant, a supervisor, and a requirement. Intuitively, a
plant is specified by an automaton that models the behaviour of a hardware that is to be controlled, a supervisor is an
automaton that forces the plant to meet the requirement by synchronously interacting with it, and a requirement is an
automaton that models the legal behaviour which the plant should perform.
Supervisory control theory [6] aims at controlling the behaviour of a plant to fit a requirement by synthesising a
supervisor such that the synchronous composition of a plant and its supervisor is equivalent to the requirement. In su-
pervisory control theory, the control problem is usually studied up to language equivalence (cf. [6]). Nevertheless, the
synthesis techniques developed in this paper are insensitive to the choice of equivalence used in the control equation,
provided that this equivalence is coarser than branching bisimulation.
To define a notion of controllability, a plant and its supervisor perform two kinds of actions: controllable and
uncontrollable actions. The idea behind this partition is that a supervisor can enable or disable controllable actions of a
plant, but it cannot disable the uncontrollable actions of a plant. In this paper, we follow the input-output interpretation
[7] between a plant and its supervisor, i.e., the uncontrollable actions are modelled as the send messages from a plant
to its supervisor, while the controllable actions are modelled as the send messages from the supervisor to the plant.
Definition 13. A concrete process $p \in P$ is called an RW-plant³ if $p$ is deterministic and $E_p = \emptyset$. Similarly, a concrete process $s \in P$ is called an RW-supervisor if $s$ is deterministic and $E_s = \emptyset$.
Observe that a RW-plant and RW-supervisor do not contain external actions in their alphabet. This is because in the
theory of Ramadge and Wonham [6] a plant can perform only either controllable or uncontrollable actions. Further-
more, the synthesis procedure ensures that a supervisor restricts the behaviour of a plant by synchronising with some
of the controllable actions and no extra transitions are introduced in a supervisor that a plant cannot execute. There-
fore, all the send messages from a plant are read by its supervisor; however, all the send messages from a supervisor
are not necessarily read by its plant. Thus, the synthesised supervisor is in general not well-posed with its plant. For example, we generated the supervisor described in [11] and found that the generated supervisor was not well-posed with the plant.
4.1. Ensuring well-posedness
In order to synthesise a supervisor that is well-posed, consider the procedure of taking the process p ‖ s and
renaming all communication actions to send-actions if they originated from s and to receive actions if they originated
from p. In other words, define a function γ : P → P such that

$$\gamma(m) = \begin{cases} !m & \text{if } m \in M_s \\ ?m & \text{if } m \in M_p \\ m & \text{otherwise} \end{cases}$$

and consider the process γ(p ‖ s) defined using the SOS rules of Table 6. Now the idea is that the process γ(p ‖ s) is
the new supervisor for the given plant p, which is always well-posed with p. Before we prove this result, we recall an
important property which every supervisor in the supervisory control theory of Ramadge and Wonham [6] satisfies.
Definition 14. A process p is controllable [6, 22] by a process s if

$$\forall p_1, s_1, p_2, m.\ \big[\, p_1 \parallel s_1 \in R(p \parallel s) \wedge p_1 \xrightarrow{!m} p_2 \Rightarrow \exists s_2.\,[\, s_1 \xrightarrow{?m} s_2 \,] \,\big].$$
3The prefix RW stands for Ramadge and Wonham [6].
Table 6: SOS rules for renaming using a function γ.

$$\frac{p \xrightarrow{m} p'}{\gamma(p) \xrightarrow{\gamma(m)} \gamma(p')} \qquad\qquad \frac{p\sqcup}{\gamma(p)\sqcup}$$
Note that, in general, controllability does not imply well-posedness between a plant and its supervisor. This is
why we construct a new supervisor in the form of γ(p ‖ s), which always yields a well-posed supervisor for the plant
p. The following lemma proves this fact. Furthermore, observe that the following lemma requires neither that the
supervisor be deterministic nor that the set of external actions of the supervisor be empty.
Lemma 7. Let p be a RW-plant and let s be a process such that p is controllable by s. Then p and γ(p ‖ s) are
well-posed.
Proof. Define a binary relation W = {(p1, γ(p1 ‖ s1)) | p1 ‖ s1 ∈ R(p ‖ s)}. Next, we show that W is a well-posedness relation.
1. Let $p_1 \xrightarrow{!m} p_2$ and $(p_1, \gamma(p_1 \parallel s_1)) \in W$. Since p is controllable by s, there exists $s_2 \in P$ such that $s_1 \xrightarrow{?m} s_2$. Thus, $p_1 \parallel s_1 \xrightarrow{m} p_2 \parallel s_2$. Using the definition of the renaming function γ we get $\gamma(p_1 \parallel s_1) \xrightarrow{?m} \gamma(p_2 \parallel s_2)$. Thus, $(p_2, \gamma(p_2 \parallel s_2)) \in W$.
Furthermore, we need to show that for every p3, s3 such that $\gamma(p_1 \parallel s_1) \xrightarrow{?m} \gamma(p_3 \parallel s_3)$, we have $(p_2, \gamma(p_3 \parallel s_3)) \in W$. Assume a transition $\gamma(p_1 \parallel s_1) \xrightarrow{?m} \gamma(p_3 \parallel s_3)$. Then by the semantics of ‖ and γ we have $p_1 \xrightarrow{!m} p_3$. But the process p is deterministic, thus $p_2 = p_3$. Hence, $(p_2, \gamma(p_3 \parallel s_3)) \in W$.
2. Let $\gamma(p_1 \parallel s_1) \xrightarrow{!n} \gamma(p_2 \parallel s_2)$ and $(p_1, \gamma(p_1 \parallel s_1)) \in W$. By definition of the renaming function γ we have $p_1 \parallel s_1 \xrightarrow{n} p_2 \parallel s_2$ and $n \in M_s$. Since the sets Mp, Ms are disjoint we have $p_1 \xrightarrow{?n} p_2$ and $s_1 \xrightarrow{!n} s_2$. And, using the construction of W we get $(p_2, \gamma(p_2 \parallel s_2)) \in W$. Furthermore, we know that the plant p is deterministic. Thus, for every $p_3 \in P$ such that $p_1 \xrightarrow{?n} p_3$ we have $p_2 = p_3$.
3. Let $\gamma(p_1 \parallel s_1) \xrightarrow{\alpha} \gamma(p_1 \parallel s_2)$, with α ∈ Es ∪ {τ}, and $(p_1, \gamma(p_1 \parallel s_1)) \in W$. Clearly, by the construction of W we have $(p_1, \gamma(p_1 \parallel s_2)) \in W$.
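As an added illustration of the construction in this subsection (this is not code from the paper), the following Python builds p ‖ s for a small constructed RW-plant and supervisor, applies γ to obtain the new supervisor, checks controllability (Definition 14), and checks the informal property stated above that every send of either side can be read by the other. The semantics of ‖ is assumed from the proofs here (a send synchronises with a matching receive into a transition labelled by the bare message; external and τ actions interleave); the plant, supervisor and the mutual-readiness check are constructed for this example and the latter is not the paper's formal definition of well-posedness.

```python
"""Added example, not code from the paper: the renaming construction gamma(p || s)
of Section 4.1 on a constructed RW-plant p and supervisor s.  An LTS is a dict:
state -> set of (label, successor).  Labels: '!m' send, '?m' receive, 'tau', or a
bare external-action name.  The synchronous composition || is assumed to synchronise
a send with the matching receive of the other side into a transition labelled m and
to interleave external/tau actions (the paper's SOS rules for || are not reproduced)."""
from collections import deque

# Constructed sample: p sends a and then waits for b.  s reads a and then sends b,
# but s can ALSO send b immediately at s1, which p cannot read at p1.
P = {"p1": {("!a", "p2")}, "p2": {("?b", "p3")}, "p3": set()}
S = {"s1": {("?a", "s2"), ("!b", "s3")}, "s2": {("!b", "s3")}, "s3": set()}
MP, MS = {"a"}, {"b"}          # M_p and M_s are disjoint


def sync_compose(p, p0, s, s0):
    """Reachable part of p || s; states are pairs (p_state, s_state)."""
    lts, init = {}, (p0, s0)
    todo, seen = deque([init]), {init}
    while todo:
        p1, s1 = todo.popleft()
        out = set()
        for lp, p2 in p.get(p1, ()):
            if lp[0] in "!?":                       # message: must synchronise
                partner = ("?" if lp[0] == "!" else "!") + lp[1:]
                out |= {(lp[1:], (p2, s2)) for ls, s2 in s.get(s1, ()) if ls == partner}
            else:                                   # external action or tau of p
                out.add((lp, (p2, s1)))
        for ls, s2 in s.get(s1, ()):
            if ls[0] not in "!?":                   # external action or tau of s
                out.add((ls, (p1, s2)))
        lts[(p1, s1)] = out
        for _, nxt in out:
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return lts, init


def gamma(lts):
    """Rename p || s into a supervisor: m in M_s becomes !m, m in M_p becomes ?m."""
    def g(label):
        if label in MS:
            return "!" + label
        if label in MP:
            return "?" + label
        return label
    return {q: {(g(lab), q2) for lab, q2 in out} for q, out in lts.items()}


def controllable(p, s, lts):
    """Definition 14: at every reachable p1 || s1, every send !m of p1 has a
    matching receive ?m in s1."""
    return all(any(ls == "?" + lp[1:] for ls, _ in s[s1])
               for p1, s1 in lts for lp, _ in p[p1] if lp[0] == "!")


def mutually_ready(p, p0, s, s0):
    """Constructed check of the informal property from Section 4: on every
    reachable pair, each send of either side can be read by the other side."""
    lts, _ = sync_compose(p, p0, s, s0)
    for p1, s1 in lts:
        for lp, _ in p[p1]:
            if lp[0] == "!" and not any(ls == "?" + lp[1:] for ls, _ in s[s1]):
                return False
        for ls, _ in s[s1]:
            if ls[0] == "!" and not any(lp == "?" + ls[1:] for lp, _ in p[p1]):
                return False
    return True


def new_supervisor(p, p0, s, s0):
    """gamma(p || s) as an LTS over pair-states, together with its initial state."""
    lts, init = sync_compose(p, p0, s, s0)
    return gamma(lts), init


if __name__ == "__main__":
    PS, init = sync_compose(P, "p1", S, "s1")
    print("p || s controllable:", controllable(P, S, PS))                 # True
    print("p, s mutually ready:", mutually_ready(P, "p1", S, "s1"))       # False
    G, g0 = new_supervisor(P, "p1", S, "s1")
    print("gamma(p || s) at", g0, "offers", G[g0])          # only ?a: the stray !b is gone
    print("p, gamma(p || s) mutually ready:", mutually_ready(P, "p1", G, g0))  # True
```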
The next lemma states that a RW-plant p cannot distinguish the behaviour between its old supervisor s and the
new well-posed supervisor γ(p ‖ s) up to strong bisimulation.
Lemma 8. Let p be a RW-plant and let s be a process. Then, p ‖ s ↔ p ‖ γ(p ‖ s).
Proof. Define a witnessing relation S = {(p1 ‖ s1, p1 ‖ γ(p1 ‖ s1)) | p1 ‖ s1 ∈ R(p ‖ s)}. Next, we need to show that
S is a strong bisimulation relation.
1. Let $p_1 \parallel s_1 \xrightarrow{m} p_2 \parallel s_2$, for some m ∈ Mp, and $(p_1 \parallel s_1, p_1 \parallel \gamma(p_1 \parallel s_1)) \in S$. Then, by the semantics we have $p_1 \xrightarrow{!m} p_2$ and $s_1 \xrightarrow{?m} s_2$. And from the definition of the renaming function γ we get $\gamma(p_1 \parallel s_1) \xrightarrow{?m} \gamma(p_2 \parallel s_2)$. Clearly, $p_1 \parallel \gamma(p_1 \parallel s_1) \xrightarrow{m} p_2 \parallel \gamma(p_2 \parallel s_2)$. Thus, we get $(p_2 \parallel s_2, p_2 \parallel \gamma(p_2 \parallel s_2)) \in S$ as desired.
2. Let $p_1 \parallel s_1 \xrightarrow{\alpha} p_2 \parallel s_2$, for some α ∈ Ms ∪ Es, and $(p_1 \parallel s_1, p_1 \parallel \gamma(p_1 \parallel s_1)) \in S$. Similar to the previous case.
3. Let $p_1 \parallel s_1 \xrightarrow{\tau} p_2 \parallel s_2$ and $(p_1 \parallel s_1, p_1 \parallel \gamma(p_1 \parallel s_1)) \in S$. Note that the process p is a RW-plant, thus this τ-transition is due to a move by s1. Then, by the semantics we have $p_1 = p_2$ and $s_1 \xrightarrow{\tau} s_2$. Clearly, we have $p_1 \parallel \gamma(p_1 \parallel s_1) \xrightarrow{\tau} p_1 \parallel \gamma(p_1 \parallel s_2)$ and $(p_1 \parallel s_2, p_1 \parallel \gamma(p_1 \parallel s_2)) \in S$.
4. Let $p_1 \parallel \gamma(p_1 \parallel s_1) \xrightarrow{m} p_2 \parallel \gamma(p_2' \parallel s_2)$, for some m ∈ Mp, and $(p_1 \parallel s_1, p_1 \parallel \gamma(p_1 \parallel s_1)) \in S$. Using the fact that the sets Mp, Ms are disjoint in the semantics, we get $p_1 \xrightarrow{!m} p_2$ and $\gamma(p_1 \parallel s_1) \xrightarrow{?m} \gamma(p_2' \parallel s_2)$. Since m ∈ Mp we have $p_1 \xrightarrow{!m} p_2'$ and $s_1 \xrightarrow{?m} s_2$. But the RW-plant process p is deterministic, i.e., $p_2 = p_2'$. Furthermore, $p_1 \parallel s_1 \xrightarrow{m} p_2 \parallel s_2$ and by the construction of S we conclude that $(p_2 \parallel s_2, p_2 \parallel \gamma(p_2 \parallel s_2)) \in S$.
5. Let $p_1 \parallel \gamma(p_1 \parallel s_1) \xrightarrow{n} p_2 \parallel \gamma(p_2' \parallel s_2)$, for some n ∈ Ms, and $(p_1 \parallel s_1, p_1 \parallel \gamma(p_1 \parallel s_1)) \in S$. Similar to the previous case.
6. Let $p_1 \parallel \gamma(p_1 \parallel s_1) \xrightarrow{\alpha} p_2 \parallel \gamma(p_2' \parallel s_2)$, for some α ∈ Es ∪ {τ}, and $(p_1 \parallel s_1, p_1 \parallel \gamma(p_1 \parallel s_1)) \in S$. Note that the process p is concrete and Ep = ∅. Thus, this α-transition is due to a move by s1. Then, by the semantics we have $p_1 = p_2 = p_2'$ and $s_1 \xrightarrow{\alpha} s_2$. Clearly, we have $p_1 \parallel s_1 \xrightarrow{\alpha} p_1 \parallel s_2$ and $(p_1 \parallel s_2, p_1 \parallel \gamma(p_1 \parallel s_2)) \in S$.
4.2. Ensuring input-determinism, independence of external actions, and diamond property
Next we will show that the remaining conditions of (half-duplex) desynchronisability (i.e., input-determinism,
independence of external actions, and diamond property) are satisfied by the new synchronous system p ‖ γ(p ‖ s),
whenever the old synchronous system p ‖ s satisfies these conditions. In other words, we will show that input-
determinism, independence of external actions, and diamond property are strong bisimulation-closed. However, to
prove these results we need the following result (Lemma 10): if p ‖ s ↔ p ‖ γ(p ‖ s) then p1 ‖ s1 ↔ p1 ‖ γ(p1 ‖ s1),
for every p1 ‖ s1 ∈ R(p ‖ s).
Lemma 9. Let p be a RW-plant. Let s, s′ be any two processes. If p ‖ s ↔ p ‖ γ(p ‖ s′) then p ‖ s ↔ p ‖ s′.
Proof. Define a relation S in the following way:

$$S = \big\{\, (p_1 \parallel s_1,\ p_1 \parallel s_1') \ \big|\ p_1 \parallel s_1 \in R(p \parallel s) \wedge p_1 \parallel s_1' \in R(p \parallel s') \wedge p_1 \parallel s_1 \leftrightarrow p_1 \parallel \gamma(p_1 \parallel s_1') \,\big\}.$$

Next, we show that the relation S is a witnessing strong bisimulation relation.
1. Let $p_1 \parallel s_1 \xrightarrow{\alpha} p_2 \parallel s_2$ and $(p_1 \parallel s_1, p_1 \parallel s_1') \in S$. Then, from the construction of S we have

$$\begin{aligned}
& p_1 \parallel s_1 \leftrightarrow p_1 \parallel \gamma(p_1 \parallel s_1') \\
\Rightarrow\ & \exists p_2, p_2', s_2'.\ \big[\, p_1 \parallel \gamma(p_1 \parallel s_1') \xrightarrow{\alpha} p_2 \parallel \gamma(p_2' \parallel s_2') \wedge p_2 \parallel s_2 \leftrightarrow p_2 \parallel \gamma(p_2' \parallel s_2') \,\big] && \text{(Definition of } \leftrightarrow\text{)} \\
\Rightarrow\ & p_2 = p_2' && \text{(} p \text{ is deterministic)} \\
\Rightarrow\ & p_1 \parallel s_1' \xrightarrow{\gamma^{-1}(\alpha)} p_2 \parallel s_2' && \text{(Semantics of } \parallel \text{ and } \gamma\text{)} \\
\Rightarrow\ & (p_2 \parallel s_2, p_2 \parallel s_2') \in S && \text{(Using } p_2 \parallel s_2 \leftrightarrow p_2 \parallel \gamma(p_2 \parallel s_2') \text{ in the construction of } S\text{).}
\end{aligned}$$
2. Let $p_1 \parallel s_1' \xrightarrow{\alpha} p_2 \parallel s_2'$ and $(p_1 \parallel s_1, p_1 \parallel s_1') \in S$. Then based on the type of α we identify the following cases:
(a) Let α = m, for some m ∈ Mp. Then from the semantics of ‖ we have

$$\begin{aligned}
& p_1 \xrightarrow{!m} p_2 \wedge s_1' \xrightarrow{?m} s_2' \\
\Rightarrow\ & p_1 \parallel s_1 \leftrightarrow p_1 \parallel \gamma(p_1 \parallel s_1') && \text{(Inductive hypothesis)} \\
\Rightarrow\ & p_1 \parallel \gamma(p_1 \parallel s_1') \xrightarrow{m} p_2 \parallel \gamma(p_2 \parallel s_2') && \text{(Semantics of } \parallel \text{ and } \gamma\text{)} \\
\Rightarrow\ & \exists p_3, s_3.\ \big[\, p_1 \parallel s_1 \xrightarrow{m} p_3 \parallel s_3 \wedge p_3 \parallel s_3 \leftrightarrow p_2 \parallel \gamma(p_2 \parallel s_2') \,\big] && \text{(Definition of } \leftrightarrow \text{ and } m \in M_p\text{)} \\
\Rightarrow\ & p_1 \xrightarrow{!m} p_3 \wedge p_2 = p_3 && \text{(Semantics of } \parallel \text{ and } p \text{ is deterministic)} \\
\Rightarrow\ & (p_2 \parallel s_3, p_2 \parallel s_2') \in S && \text{(Using } p_2 \parallel s_3 \leftrightarrow p_2 \parallel \gamma(p_2 \parallel s_2') \text{ in the construction of } S\text{).}
\end{aligned}$$
(b) Let α ∈ Es′ ∪ Ms′ ∪ {τ}. Similar to the previous case.
Note that the transfer conditions for the predicate ⊔ are trivially satisfied by the construction of S.
Lemma 10. Let p be a RW-plant and s be a process. If p ‖ s ↔ p ‖ γ(p ‖ s) then

$$\forall p_1, s_1.\ \big[\, p_1 \parallel s_1 \in R(p \parallel s) \Rightarrow p_1 \parallel s_1 \leftrightarrow p_1 \parallel \gamma(p_1 \parallel s_1) \,\big].$$
Proof. Without loss of generality, assume $p_1 \parallel s_1 \leftrightarrow p_1 \parallel \gamma(p_1 \parallel s_1)$ and $p_1 \parallel s_1 \xrightarrow{\alpha} p_2 \parallel s_2$, for some p1 ‖ s1 ∈ R(p ‖ s) and p2, s2 ∈ P. Then, by the semantics we have $p_1 \parallel \gamma(p_1 \parallel s_1) \xrightarrow{\alpha} p_2 \parallel \gamma(p_2 \parallel s_2)$. And from the transfer conditions of strong bisimulation there exist $p_2', s_2'$ such that $p_1 \parallel s_1 \xrightarrow{\alpha} p_2' \parallel s_2'$ and $p_2' \parallel s_2' \leftrightarrow p_2 \parallel \gamma(p_2 \parallel s_2)$.
1. Let α ∈ Es ∪ {τ}. Then by the semantics of ‖ under the assumption that p is a RW-plant we have $p_1 = p_2'$ and $p_1 = p_2$. Thus, $p_1 \parallel s_2' \leftrightarrow p_1 \parallel \gamma(p_1 \parallel s_2)$. And, from Lemma 9 we have $p_1 \parallel s_2' \leftrightarrow p_1 \parallel s_2$. Finally, from transitivity we conclude that $p_1 \parallel s_2 \leftrightarrow p_1 \parallel \gamma(p_1 \parallel s_2)$.
2. Let α ∈ Mp ∪ Ms. Then we have $p_2 = p_2'$ because the process p is deterministic. Thus, $p_2 \parallel s_2' \leftrightarrow p_2 \parallel \gamma(p_2 \parallel s_2)$. From Lemma 9 we get $p_2 \parallel s_2' \leftrightarrow p_2 \parallel s_2$. Finally, from transitivity we conclude that $p_2 \parallel s_2 \leftrightarrow p_2 \parallel \gamma(p_2 \parallel s_2)$.
The next lemma states that if the given synchronous system p ‖ s is input-deterministic then the new synchronous
system p ‖ γ(p ‖ s) is also input-deterministic.
Lemma 11. Let p be a RW-plant and s be a concrete process. If p ‖ s is input-deterministic modulo ↔ then
p ‖ γ(p ‖ s) is also input-deterministic modulo ↔ .
Proof. Recall the definition of input-determinism modulo ↔ (Definition 8). Thus, we need to prove the following
statements:
1. If $p_1 \parallel \gamma(p_1 \parallel s_1) \in R(p \parallel \gamma(p \parallel s))$, $p_1 \parallel \gamma(p_1 \parallel s_1) \xrightarrow{u} p_2 \parallel \gamma(p_2' \parallel s_2)$, and $p_1 \parallel \gamma(p_1 \parallel s_1) \xrightarrow{u} p_3 \parallel \gamma(p_2' \parallel s_2)$, then $p_2 \parallel \gamma(p_2' \parallel s_2) \leftrightarrow p_3 \parallel \gamma(p_2' \parallel s_2)$, for some $u \in (E_s \cup M_s)^*$.
2. If $p_1 \parallel \gamma(p_1 \parallel s_1) \in R(p \parallel \gamma(p \parallel s))$, $p_1 \parallel \gamma(p_1 \parallel s_1) \xrightarrow{v} p_2 \parallel \gamma(p_2' \parallel s_2)$, and $p_1 \parallel \gamma(p_1 \parallel s_1) \xrightarrow{v} p_2 \parallel \gamma(p_3' \parallel s_3)$, then $p_2 \parallel \gamma(p_2' \parallel s_2) \leftrightarrow p_2 \parallel \gamma(p_3' \parallel s_3)$, for some $v \in (E_p \cup M_p)^*$.
The proof of the first statement follows directly from the reflexivity of ↔ because the process p is deterministic. In other words, for the transitions $p_1 \xrightarrow{?u} p_2$ and $p_1 \xrightarrow{?u} p_3$ we have $p_2 = p_3$. Thus, $p_2 \parallel \gamma(p_2' \parallel s_2) \leftrightarrow p_2 \parallel \gamma(p_2' \parallel s_2)$.
To prove the second statement, using Lemma 10 we have $p_1 \parallel s_1 \leftrightarrow p_1 \parallel \gamma(p_1 \parallel s_1)$. Thus, from the transfer conditions of strong bisimulation there exist p4, s4 such that $p_1 \parallel s_1 \xrightarrow{v} p_4 \parallel s_4$ and $p_4 \parallel s_4 \leftrightarrow p_2 \parallel \gamma(p_2' \parallel s_2)$. Likewise, we can derive $p_1 \parallel s_1 \xrightarrow{v} p_5 \parallel s_5$ and $p_5 \parallel s_5 \leftrightarrow p_2 \parallel \gamma(p_3' \parallel s_3)$, for some p5, s5. From the above transitions we have $p_1 \xrightarrow{!v} p_4$ and $p_1 \xrightarrow{!v} p_5$. But the process p is deterministic and thus we have $p_4 = p_5$. Since the synchronous system is input-deterministic modulo ↔ we have $p_4 \parallel s_4 \leftrightarrow p_4 \parallel s_5$. And from transitivity we get the desired result, i.e., $p_2 \parallel \gamma(p_2' \parallel s_2) \leftrightarrow p_2 \parallel \gamma(p_3' \parallel s_3)$.
The next lemma states that if the given synchronous system p ‖ s is independent of external actions then the new
synchronous system p ‖ γ(p ‖ s) is also independent of external actions.
Lemma 12. Let p be a RW-plant and s be a concrete process. If p ‖ s is independent of external actions modulo ↔
then p ‖ γ(p ‖ s) is also independent of external actions modulo ↔ .
Proof. Note that Ep = ∅ since p is a RW-plant. As a result, Condition 1 of Definition 7 is vacuously satisfied. To
show Condition 2 of Definition 7 assume that we are given the following transitions

$$p_1 \parallel \gamma(p_1 \parallel s_1) \xrightarrow{e} p_1 \parallel \gamma(p_1 \parallel s_2) \xrightarrow{v} p_2 \parallel \gamma(p_2' \parallel s_2),$$

for some $e \in E_s$, $v \in M_p^*$. Note that $p_2 = p_2'$ because the process p is deterministic.
By Lemma 10 we know that $p_1 \parallel s_1 \leftrightarrow p_1 \parallel \gamma(p_1 \parallel s_1)$. Then, from the transfer conditions of strong bisimulation
we can derive the following transitions:

$$\exists p_1', s_3', p_3, s_3.\ \big[\, p_1 \parallel s_1 \xrightarrow{e} p_1' \parallel s_3' \xrightarrow{v} p_3 \parallel s_3 \wedge p_1' \parallel s_3' \leftrightarrow p_1 \parallel \gamma(p_1 \parallel s_2) \wedge p_3 \parallel s_3 \leftrightarrow p_2 \parallel \gamma(p_2 \parallel s_2) \,\big]. \qquad (2)$$

Since e ∈ Es and Ep = ∅ we know that $p_1 = p_1'$.
Now instantiating Condition 2 of independence of external actions on the state p1 ‖ s1 we get

$$\exists s_4', s_4.\ \big[\, p_1 \parallel s_1 \xrightarrow{v} p_3 \parallel s_4' \xrightarrow{e} p_3 \parallel s_4 \wedge p_3 \parallel s_4 \leftrightarrow p_3 \parallel s_3 \,\big]. \qquad (3)$$

Again using the transfer conditions of strong bisimulation to simulate the transitions derived in Equation (3) we get

$$\exists p_5, s_5, p_5', s_5'.\ \big[\, p_1 \parallel \gamma(p_1 \parallel s_1) \xrightarrow{v} p_5 \parallel \gamma(p_5' \parallel s_5) \xrightarrow{e} p_5 \parallel \gamma(p_5' \parallel s_5') \wedge p_5 \parallel \gamma(p_5' \parallel s_5') \leftrightarrow p_3 \parallel s_4 \,\big].$$

Note that $p_2 = p_5 = p_5'$ because the process p is deterministic, e ∈ Es, and Ep = ∅. And from Equations (2) and (3) we have

$$p_2 \parallel \gamma(p_2 \parallel s_5') \leftrightarrow p_3 \parallel s_4 \leftrightarrow p_3 \parallel s_3 \leftrightarrow p_2 \parallel \gamma(p_2 \parallel s_2).$$
Lemma 13. Let p be a RW-plant and s be a concrete process. If p ‖ s satisfies the diamond property modulo ↔ then
p ‖ γ(p ‖ s) also satisfies the diamond property modulo ↔ .
Proof. Assume the following transitions in the synchronous system p ‖ γ(p ‖ s):

$$p_1 \parallel \gamma(p_1 \parallel s_1) \xrightarrow{m} p_2 \parallel \gamma(p_2' \parallel s_2) \quad \text{and} \quad p_1 \parallel \gamma(p_1 \parallel s_1) \xrightarrow{n} p_3 \parallel \gamma(p_3' \parallel s_3),$$

for some m ∈ Mp, n ∈ Ms, and p1 ‖ γ(p1 ‖ s1) ∈ R(p ‖ γ(p ‖ s)).
By Lemma 10 we know that $p_1 \parallel s_1 \leftrightarrow p_1 \parallel \gamma(p_1 \parallel s_1)$. From the transfer conditions of strong bisimulation we get the following transitions in the synchronous system p ‖ s: $p_1 \parallel s_1 \xrightarrow{m} p_4 \parallel s_4 \wedge p_4 \parallel s_4 \leftrightarrow p_2 \parallel \gamma(p_2' \parallel s_2)$ and $p_1 \parallel s_1 \xrightarrow{n} p_5 \parallel s_5 \wedge p_5 \parallel s_5 \leftrightarrow p_3 \parallel \gamma(p_3' \parallel s_3)$, for some p4, s4, p5, s5. But the process p ‖ s satisfies the diamond property modulo ↔. Thus, there exist $p_4', s_4', p_5', s_5'$ such that $p_4 \parallel s_4 \xrightarrow{n} p_4' \parallel s_4'$, $p_5 \parallel s_5 \xrightarrow{m} p_5' \parallel s_5'$, and $p_4' \parallel s_4' \leftrightarrow p_5' \parallel s_5'$. Clearly, by reflecting these transitions back in the synchronous system p ‖ γ(p ‖ s) using the transfer conditions of strong bisimulation we get the desired result.
I.e., there exist $p_6, p_6', s_6$ such that $p_2 \parallel \gamma(p_2' \parallel s_2) \xrightarrow{n} p_6 \parallel \gamma(p_6' \parallel s_6)$ and $p_4' \parallel s_4' \leftrightarrow p_6 \parallel \gamma(p_6' \parallel s_6)$. Likewise, there exist $p_7, p_7', s_7$ such that $p_3 \parallel \gamma(p_3' \parallel s_3) \xrightarrow{m} p_7 \parallel \gamma(p_7' \parallel s_7)$ and $p_5' \parallel s_5' \leftrightarrow p_7 \parallel \gamma(p_7' \parallel s_7)$. Finally, using the equation $p_4' \parallel s_4' \leftrightarrow p_5' \parallel s_5'$ and transitivity we conclude that $p_6 \parallel \gamma(p_6' \parallel s_6) \leftrightarrow p_7 \parallel \gamma(p_7' \parallel s_7)$.
Now we are ready to prove the main result of this subsection that establishes half-duplex desynchronisability of
the synchronous system p ‖ γ(p ‖ s).
Theorem 10. Let p be a RW-plant and let s be a concrete process. If p is controllable by s, p ‖ s is input-deterministic
modulo ↔ , p ‖ s is independent of external actions modulo ↔ , and p ‖ s satisfies the diamond property modulo ↔ ,
then
p ‖ γ(p ‖ s) ↔b p |[ǫ, ǫ]| γ(p ‖ s).
Proof. Lemmas 7, 11, 12, and 13 ensure that the synchronous system p ‖ γ(p ‖ s) is well-posed, input-deterministic
modulo ↔, independent of external actions modulo ↔, and satisfies the diamond property modulo ↔, respectively.
Finally, from Theorem 6 we conclude that the synchronous system p ‖ γ(p ‖ s) is desynchronisable.
Corollary 2. Let p be a RW-plant and let s be a concrete process. If p is controllable by s, p ‖ s is input-deterministic
modulo ↔ , and p ‖ s is independent of external actions modulo ↔ , then
p ‖ γ(p ‖ s) ↔b p |[ǫ, ǫ]|h γ(p ‖ s).
The following corollary states that every synchronous system synthesised using supervisory control theory of
Ramadge and Wonham [6] is half-duplex desynchronisable by construction.
Corollary 3. Let p be a RW-plant and s be its RW-supervisor. Then, p ‖ s ↔b p ‖ γ(p ‖ s) ↔b p |[ǫ, ǫ]|h γ(p ‖ s).
Proof. Recall that every RW-plant p is controllable by its RW-supervisor s, which guarantees well-posedness of p ‖
γ(p ‖ s). Furthermore, the synchronous system p ‖ s is input-deterministic and independent of external actions
because a RW-plant p and its RW-supervisor s are deterministic and do not contain external actions. Thus, from
Theorem 10 we have p ‖ γ(p ‖ s) ↔b p |[ǫ, ǫ]|h γ(p ‖ s). Since a RW-plant and a RW-supervisor are concrete
processes, applying Lemma 8 gives us the desired equation p ‖ s ↔b p ‖ γ(p ‖ s) ↔b p |[ǫ, ǫ]|h γ(p ‖ s).
In hindsight, the absence of external actions and nondeterminism in the plant model allowed us to fulfil the con-
ditions for half-duplex desynchronisability almost for free. The only thing required was the well-posedness between
a given RW-plant p and its supervisor s. To this end, we demonstrated that the process γ(p ‖ s) – if considered as a
new supervisor – will always be well-posed with the given RW-plant p.
Unfortunately, the above approach to achieving desynchronisability fails in general when the plant contains external
actions and nondeterminism. The following are two immediate problems in this new setting that need to be addressed
in the future.
[Figure 9 (image not reproduced): the nondeterministic plant p1 with two !m-transitions to p2 and p3, followed by ?n1 to p4 and ?n2 to p5; the supervisor s1 with ?m to s2, followed by !n1 to s3 and !n2 to s4; the composition p1 ‖ s1 with states p2 ‖ s2, p3 ‖ s2, p4 ‖ s3, p5 ‖ s4; and the composition p1 ‖ γ(p1 ‖ s1), which additionally contains the states p2 ‖ γ(p3 ‖ s2) and p3 ‖ γ(p2 ‖ s2).]
Figure 9: Difficulty in establishing bisimilarity between p1 ‖ s1 and p1 ‖ γ(p1 ‖ s1) when p1 is nondeterministic.
1. First, the issue of ensuring p ‖ s ↔ p ‖ γ(p ‖ s) is more involved when the plant process p contains nondeterminism.
Consider, for instance, the plant p1 and its supervisor s1 as shown in Figure 9. The problem here is
that a supervisor state is trying to control two different plant states, where the interaction of the supervisor with
one local plant state disables the interaction with the other. For example, the interaction of p3 with s2 disables
the sending of message n1, even though s2 can send the message n1. As a result, the processes p1 ‖ s1 and
p1 ‖ γ(p1 ‖ s1) are not strongly bisimilar, because the states p2 ‖ γ(p3 ‖ s2) and p3 ‖ γ(p2 ‖ s2) cannot be
related to any state in the process p1 ‖ s1 by a strong bisimulation relation.
2. Second, the construction of the new supervisor as the parallel composition of the given plant and its old supervisor
is unsound in the presence of external actions from the plant. This is because the new supervisor γ(p ‖ s)
can now perform the external actions of the plant p, whereas the old supervisor s cannot. Thus, the equality
p ‖ s ↔ p ‖ γ(p ‖ s) (Lemma 8) does not hold when we drop the assumption Ep = ∅.
5. Discussion
In this section, we discuss the effects of using other abstraction schemes on desynchronisation and also consider
the issue of desynchronising synchronous systems with invisible actions.
5.1. Why abstraction scheme ∆()?
Throughout this paper, we developed a theory of desynchronisation around a fixed abstraction scheme ∆() in
which the interactions between the communicating processes and their respective input queues were made invisible.
At this juncture, it is interesting to find out whether it is possible to further weaken the obtained conditions of
desynchronisability by adopting the other abstraction schemes of [10].
[Figure 10 (image not reproduced): four panels, each showing p and s connected through two buffers, with the hidden interactions marked τ: (a) Abstraction scheme ∆1; (b) Abstraction scheme ∆2; (c) Abstraction scheme ∆3; (d) Abstraction scheme ∆4.]
Figure 10: Abstraction schemes [8].
The motivation for our work in this paper originates from supervisory control theory, although its application may
be far more general. This origin is reflected to some extent in the choice of the abstraction scheme ∆(), because
in supervisory control theory, the specification of what the controlled system should do is usually given in terms of
the observed communications. Hence, it is for example undesirable to choose an abstraction scheme in which all
communication is considered unobservable (as in some CCS-like formalisms).
Given that communications should remain visible, we have to make a choice whether they become visible when a
message is sent or when a message is received. In our setting, this leads to four possible abstraction schemes, shown
in Figure 10. The dashed boxes in Figure 10 denote which interactions are to be made hidden in an asynchronous
system. For instance, the abstraction scheme ∆1 states that buffers are introduced between the processes p and s such that
the interactions between the process p and the buffers are hidden (see Figure 10(a)). Similar explanations can be
given for the other abstraction schemes ∆2, ∆3 (see footnote 4), and ∆4. For the sake of completeness, the abstraction schemes ∆1, ∆2,
and ∆4 are formally defined in Table 7.
Of these four abstraction schemes, it is difficult to say which one is in fact more adequate. One might call an
abstraction scheme adequate if it preserves all desired properties. But the only difference between the abstraction
schemes is the interpretation of a ‘communication’ as something that is visible upon sending or upon receiving. The
properties of interest to us are assumed to be definable for synchronous models as well, and in synchronous models
this distinction is not yet made. Hence, the properties that are relevant for us, when properly interpreted, are preserved
by each of the four abstraction schemes. So the only reason to pick one or another is the restrictions it puts on
our desynchronisation theorem. Next, we will argue that these conditions are indeed most convenient for abstraction
scheme ∆3.
One of the results of [10] is that the choice of the abstraction scheme is crucial in obtaining useful conditions for
desynchronisation. For instance, if we choose to construct an asynchronous system using the abstraction scheme ∆4
instead of ∆3, then we need an additional condition for desynchronisation saying that at any reachable state of p ‖ s
only one send-transition is allowed. This condition is known as X-singularity in [10], where X ⊆ A.
4For the sake of uniformity, we denote the abstraction operator ∆ by ∆3 in this subsection.
Table 7: SOS rules for the abstraction schemes ∆1, ∆2, and ∆4, where ⋆ ∈ {!, ?}.

$$\frac{q_1 \xrightarrow{\star m} q_2,\ \ \star m \in\ ?M_s \,\cup\, !M_s}{\Delta_1(q_1) \xrightarrow{m} \Delta_1(q_2)} \qquad \frac{q_1 \xrightarrow{e} q_2,\ \ e \in E_p \cup E_s}{\Delta_1(q_1) \xrightarrow{e} \Delta_1(q_2)} \qquad \frac{q_1 \xrightarrow{\star m} q_2,\ \ \star m \in\ ?M_p \,\cup\, !M_p}{\Delta_1(q_1) \xrightarrow{\tau} \Delta_1(q_2)} \qquad \frac{q\sqcup}{\Delta_1(q)\sqcup}$$

$$\frac{q_1 \xrightarrow{\star m} q_2,\ \ \star m \in\ ?M_p \,\cup\, !M_p}{\Delta_2(q_1) \xrightarrow{m} \Delta_2(q_2)} \qquad \frac{q_1 \xrightarrow{e} q_2,\ \ e \in E_p \cup E_s}{\Delta_2(q_1) \xrightarrow{e} \Delta_2(q_2)} \qquad \frac{q_1 \xrightarrow{\star m} q_2,\ \ \star m \in\ ?M_s \,\cup\, !M_s}{\Delta_2(q_1) \xrightarrow{\tau} \Delta_2(q_2)} \qquad \frac{q\sqcup}{\Delta_2(q)\sqcup}$$

$$\frac{q_1 \xrightarrow{\star m} q_2,\ \ \star m \in\ ?M_p \,\cup\, ?M_s}{\Delta_4(q_1) \xrightarrow{m} \Delta_4(q_2)} \qquad \frac{q_1 \xrightarrow{e} q_2,\ \ e \in E_p \cup E_s}{\Delta_4(q_1) \xrightarrow{e} \Delta_4(q_2)} \qquad \frac{q_1 \xrightarrow{\star m} q_2,\ \ \star m \in\ !M_p \,\cup\, !M_s}{\Delta_4(q_1) \xrightarrow{\tau} \Delta_4(q_2)} \qquad \frac{q\sqcup}{\Delta_4(q)\sqcup}$$
Definition 15. Let X ⊆ A. A process q ∈ P is X-singular if every reachable state q1 ∈ R(q) satisfies the following
condition:

$$\forall q_2, q_3, \alpha_1, \alpha_2 \in X.\ \big[\, q_1 \xrightarrow{\alpha_1} q_2 \wedge q_1 \xrightarrow{\alpha_2} q_3 \Rightarrow \alpha_1 = \alpha_2 \,\big].$$
Example. To see the role of Mp-singularity in desynchronisation, consider the following transition systems of p1, s1:

$$\big(\, \{p_1, p_2, p_3\},\ \{\, p_1 \xrightarrow{!m_1} p_2,\ p_1 \xrightarrow{!m_2} p_3 \,\} \,\big), \quad \text{and} \quad \big(\, \{s_1, s_2, s_3\},\ \{\, s_1 \xrightarrow{?m_1} s_2,\ s_1 \xrightarrow{?m_2} s_3 \,\} \,\big).$$
The transition system of the synchronous system p1 ‖ s1 and the asynchronous system ∆4(p1 |[ǫ, ǫ]| s1) constructed
using the abstraction scheme ∆4 are shown in Figure 11. An attempt to construct a branching bisimulation relation
between the two systems will fail to relate the states p1 ‖ s1 and ∆4(p2 |[ǫ, m1]| s1). This is because the state
∆4(p2 |[ǫ, m1]| s1) cannot simulate the transition $p_1 \parallel s_1 \xrightarrow{m_2} p_3 \parallel s_3$. Thus, the external deterministic choice of
messages from the p-side is transformed into an internal choice by the abstraction scheme ∆4 that cannot be resolved.
[Figure 11 (image not reproduced): the synchronous system p1 ‖ s1 with transitions m1 to p2 ‖ s2 and m2 to p3 ‖ s3, beside the asynchronous system ∆4(p1 |[ǫ, ǫ]| s1) with τ-transitions to ∆4(p2 |[ǫ, m1]| s1) and ∆4(p3 |[ǫ, m2]| s1), followed by m1 to ∆4(p2 |[ǫ, ǫ]| s2) and m2 to ∆4(p3 |[ǫ, ǫ]| s3); the cross marks the state pair that cannot be related.]
Figure 11: Non-inert τ transitions caused by the abstraction scheme ∆4.
In contrast, suppose p1 ‖ s1 ↔b ∆4(p2 |[ǫ, m1]| s1). Then, from the transfer conditions of branching bisimulation
there exist q1, q2 such that

$$\Delta_4(p_2 \,|[\epsilon, m_1]|\, s_1) \xrightarrow{\tau^{*}} q_1 \xrightarrow{m_2} q_2 \ \wedge\ q_1 \leftrightarrow_b p_1 \parallel s_1 \ \wedge\ q_2 \leftrightarrow_b p_3 \parallel s_3.$$

Since concrete processes p, s are used to construct the asynchronous system we have q1 = ∆4(p4 |[ǫ, m1.m2]| s2),
for some p4 ∈ P such that $\Delta_4(p_2 \,|[\epsilon, m_1]|\, s_1) \xrightarrow{\tau} \Delta_4(p_4 \,|[\epsilon, m_1.m_2]|\, s_2)$. But there cannot exist a process q2 with
$\Delta_4(p_4 \,|[\epsilon, m_1.m_2]|\, s_2) \xrightarrow{m_2} q_2$ because queues are used as buffers and the message m2 can only be read by s2 after it
has read the message m1. Thus, this suggests that the condition Mp-singularity is also a candidate for the necessary
conditions of desynchronisation modulo ↔b when queues and the abstraction scheme ∆4 are used.
Notice that if we had a deterministic choice between the messages from the s-side in the previous example, we
would have required the condition Ms-singularity for desynchronisation. Furthermore, in the case of the abstraction
scheme ∆1 (∆2) we would have required exclusively the condition Mp-singularity (Ms-singularity) because only the
outputs from the p-side (s-side) are made invisible in the abstraction scheme ∆1 (∆2). However, in the case of the
abstraction scheme ∆3, the send messages of both the processes p, s remain visible; thus, the choice present in the
synchronous system is preserved when it is made asynchronous. In other words, the abstraction scheme ∆3 prevents
an external choice from being transformed into an internal choice, which was the purpose of imposing the conditions
Mp-singularity or Ms-singularity.
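As an added illustration (not the paper's code), the following Python constructs the queue-buffered asynchronous system for the example above, applies ∆1 to ∆4 as relabellings of that system, and checks Mp-singularity of p1 ‖ s1 (Definition 15); it goes beyond the example by taking a half_duplex flag, exercised on the system of Figure 12 later in this subsection. The queue rules are assumed from Figures 11 and 12 (a send appends to the queue the other side reads from, a receive pops its head, and under half-duplex a side may send only while both queues are empty), and ∆1/∆2 follow the description in the text (hiding the buffer interactions of p, respectively s); the paper's SOS rules for |[ , ]| are not reproduced here.

```python
"""Added example, not code from the paper: queue-buffered asynchronous composition
p |[mu, nu]| s and the abstraction schemes Delta1..Delta4 of Section 5.1 as relabellings.
mu is the queue from s to p, nu the queue from p to s (convention of Figures 11 and 12).
An LTS is a dict: state -> set of (label, successor); labels are '!m' (send), '?m'
(receive), 'tau', or a bare external-action name.  Queue semantics is assumed."""
from collections import deque

# Message ownership; M_p and M_s are disjoint.  Covers both constructed systems below.
MP, MS = {"m1", "m2", "m"}, {"n"}

# Example of Section 5.1: p1 offers !m1 or !m2, s1 reads either (Figure 11).
P = {"p1": {("!m1", "p2"), ("!m2", "p3")}, "p2": set(), "p3": set()}
S = {"s1": {("?m1", "s2"), ("?m2", "s3")}, "s2": set(), "s3": set()}
SYNC = {"p1||s1": {("m1", "p2||s2"), ("m2", "p3||s3")}, "p2||s2": set(), "p3||s3": set()}

# System of Figure 12: p sends m and s sends n from the same synchronous state.
P2 = {"p1": {("!m", "p3"), ("?n", "p2")}, "p2": set(), "p3": set()}
S2 = {"s1": {("!n", "s2"), ("?m", "s3")}, "s2": set(), "s3": set()}


def async_compose(p, p0, s, s0, bound=2, half_duplex=False):
    """Reachable part of p |[eps, eps]| s.  States are (p_state, mu, s_state, nu) with
    queues as tuples.  A send appends to the queue the other side reads from, a receive
    pops a matching head.  Queues are bounded so exploration terminates; with
    half_duplex a side may only send while both queues are empty (assumed semantics)."""
    init = (p0, (), s0, ())
    lts, todo, seen = {}, deque([init]), {init}
    while todo:
        q = todo.popleft()
        p1, mu, s1, nu = q
        may_send = not half_duplex or (not mu and not nu)
        out = set()
        for lab, p2 in p[p1]:
            if lab[0] == "!" and may_send and len(nu) < bound:
                out.add((lab, (p2, mu, s1, nu + (lab[1:],))))
            elif lab[0] == "?" and mu and mu[0] == lab[1:]:
                out.add((lab, (p2, mu[1:], s1, nu)))
            elif lab[0] not in "!?":
                out.add((lab, (p2, mu, s1, nu)))
        for lab, s2 in s[s1]:
            if lab[0] == "!" and may_send and len(mu) < bound:
                out.add((lab, (p1, mu + (lab[1:],), s2, nu)))
            elif lab[0] == "?" and nu and nu[0] == lab[1:]:
                out.add((lab, (p1, mu, s2, nu[1:])))
            elif lab[0] not in "!?":
                out.add((lab, (p1, mu, s2, nu)))
        lts[q] = out
        for _, nxt in out:
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return lts, init


def abstract(lts, scheme):
    """Relabel according to Delta_scheme (Delta3 is the paper's Delta): Delta1 hides
    p's buffer interactions, Delta2 hides s's, Delta3 hides receives, Delta4 hides
    sends.  Visible message actions keep the bare message name."""
    def hidden(lab):
        if lab[0] not in "!?":
            return False
        by_p = (lab[0] == "!" and lab[1:] in MP) or (lab[0] == "?" and lab[1:] in MS)
        return {1: by_p, 2: not by_p, 3: lab[0] == "?", 4: lab[0] == "!"}[scheme]
    return {q: {("tau" if hidden(lab) else lab.lstrip("!?"), q2) for lab, q2 in out}
            for q, out in lts.items()}


def offers(lts, state):
    """Labels offered at a state: the choice an observer sees there."""
    return {lab for lab, _ in lts[state]}


def offers_by_scheme(p, p0, s, s0, half_duplex=False):
    """Initial offers of Delta_i(p |[eps, eps]| s) for i = 1..4."""
    lts, init = async_compose(p, p0, s, s0, half_duplex=half_duplex)
    return {i: offers(abstract(lts, i), init) for i in (1, 2, 3, 4)}


def is_singular(lts, init, x):
    """Definition 15: no reachable state offers two different labels from x."""
    todo, seen = deque([init]), {init}
    while todo:
        q = todo.popleft()
        if len(offers(lts, q) & x) > 1:
            return False
        for _, nxt in lts[q]:
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return True


if __name__ == "__main__":
    # Delta1 and Delta4 turn the external choice {m1, m2} into internal tau-choices.
    print(offers_by_scheme(P, "p1", S, "s1"))
    print("p1 || s1 is M_p-singular:", is_singular(SYNC, "p1||s1", MP))   # False
    hd, _ = async_compose(P2, "p1", S2, "s1", half_duplex=True)
    print("after p sent m (half-duplex), s1 may only:", offers(hd, ("p3", (), "s1", ("m",))))
```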
Next, we argue that in the context of the half-duplex mechanism, the abstraction scheme ∆3 again yields a less
restrictive condition for desynchronisation in comparison to the other abstraction schemes. This is essentially because the
abstraction scheme ∆3 preserves the external choices between the messages of distinct local processes present at
a state in a synchronous system upon adding buffers. The abstraction schemes ∆1, ∆2, and ∆4 fail to preserve these
nondeterministic choices, thus preventing the two systems from being related by a branching bisimulation relation. Notice
that here we are highlighting the preservation of an external choice between the messages of distinct local processes,
whereas in the previous paragraph we focused on the preservation of an external choice between the messages of a
single local process.
Consider the following transition system of a synchronous system p1 ‖ s1:

$$\big(\, \{p_1 \parallel s_1,\ p_2 \parallel s_2,\ p_3 \parallel s_3\},\ \{\, p_1 \parallel s_1 \xrightarrow{n} p_2 \parallel s_2,\ p_1 \parallel s_1 \xrightarrow{m} p_3 \parallel s_3 \,\} \,\big),$$
where n ∈ Ms and m ∈ Mp. In Figure 12, the transition systems induced by the different abstraction schemes are drawn.
The dotted lines show an attempt to construct a branching bisimulation relation between the synchronous system and
the asynchronous systems with the respective abstraction schemes. Observe that a branching bisimulation relation
only exists in the case of abstraction scheme ∆3. For instance, consider the case of ∆1, where the states p1 ‖ s1 and
∆1(p3 |[ǫ, m]|h s1) are not branching bisimilar. This is due to the half-duplex mechanism, which prevents the process s1
from sending the message n and thus prevents the state ∆1(p3 |[ǫ, m]|h s1) from simulating the matching message n. Similar
reasons can be given for the abstraction schemes ∆2 and ∆4.
Thus, in the context of (half-duplex) queues, the abstraction scheme ∆3 leads to less restrictive conditions for
desynchronisability than the abstraction schemes ∆1, ∆2, or ∆4. This is because the abstraction scheme ∆3 is the
only abstraction scheme that preserves the external choice between the messages sent by the communicating processes
in a synchronous system. On the contrary, the other abstraction schemes ∆1, ∆2, and ∆4 fail to preserve these
choices by transforming them into internal choices in the corresponding asynchronous system, and thus an additional
constraint, namely that every reachable state of the synchronous system has only one send-transition, is required for
desynchronisability.
5.2. Desynchronisation of non-concrete synchronous systems
In this subsection, we focus on the desynchronisation of synchronous systems that allow τ-transitions in their
definitions. The introduction of τ-transitions in a synchronous system makes it impossible to know from the semantics
whether the process p or the process s performed a τ-transition, whenever the synchronous system p ‖ s executes the τ-
transition. Such information is vital in the definition of a witnessing branching bisimulation relation between a
synchronous system and its asynchronous version.
One possibility to circumvent this problem is by minimising the communicating processes p, s modulo branching
bisimulation into p′, s′, respectively. If there are no τ-transitions in the transition systems of the processes p′, s′,
then (half-duplex) desynchronisability of the original synchronous system p ‖ s follows directly from Lemma 14
(Corollary 4).
[Figure 12 (image not reproduced): for each scheme ∆i, i ∈ {1, 2, 3, 4}, the synchronous system p1 ‖ s1 (with n to p2 ‖ s2 and m to p3 ‖ s3) is drawn beside the asynchronous system ∆i(p1 |[ǫ, ǫ]|h s1) with the states ∆i(p1 |[n, ǫ]|h s2), ∆i(p3 |[ǫ, m]|h s1), ∆i(p2 |[ǫ, ǫ]|h s2) and ∆i(p3 |[ǫ, ǫ]|h s3); dotted lines mark the attempted branching bisimulation and crosses mark where it fails: (a) ∆1, (b) ∆2, (c) ∆3, (d) ∆4.]
Figure 12: Different behaviour induced by the abstraction schemes ∆1, ∆2, ∆3, and ∆4 in the presence of the half-duplex mechanism.
Lemma 14. Let p1 ↔b p2 and s1 ↔b s2. Then, p1 |[ǫ, ǫ]| s1 ↔b p2 |[ǫ, ǫ]| s2.
Proof. Define a relation $B = \{\, (p_1 \,|[\mu, \nu]|\, s_1,\ p_2 \,|[\mu, \nu]|\, s_2) \mid p_1 \leftrightarrow_b p_2 \wedge s_1 \leftrightarrow_b s_2 \,\}$. It is routine to verify that B is a
branching bisimulation relation.
Corollary 4. Let p1, s1, p2, s2 be any four processes such that p1 ↔b p2 and s1 ↔b s2. Then, p1 |[ǫ, ǫ]|h s1 ↔b
p2 |[ǫ, ǫ]|h s2.
Theorem 11. Let p, p′, s, s′ be any four processes such that p ↔b p′ and s ↔b s′. If p′ ‖ s′ is (half-duplex)
desynchronisable, then p ‖ s is (half-duplex) desynchronisable.
Proof. Direct from Lemma 14 (Corollary 4).
However, if τ-transitions are present in the communicating processes even after branching bisimulation minimisation,
it is still possible to desynchronise the synchronous systems in the following way. First, rename the label
τ of every τ-transition present in the processes p and s to the labels τp and τs, respectively. Second, by assuming
that the labels τp, τs are present in the external actions of the processes p, s, respectively, the conditions of Theorem 6
(Theorem 9) can still be used to assert whether a non-concrete synchronous system is desynchronisable (half-duplex
desynchronisable) or not. Nevertheless, despite this soundness result, more research is required in order to examine
to what extent these conditions are necessary in the absence of the concreteness assumption.
6. Conclusions
In this paper, we studied necessary and sufficient conditions for desynchronisability modulo branching bisimula-
tion, and we showed that reverting to half-duplex communication, or variants of it, can help in avoiding a troublesome
condition known as the diamond property. To the best of our knowledge, this is the first characterisation of desyn-
chronisability modulo branching bisimulation; moreover, the previous works (cf. [3, 7–9]) on weaker equivalences
focused only on giving sufficient conditions for desynchronisability. The study of necessity of those conditions is new
and only obtained by assuming observability of empty communication channels.
Our results indicate that the study of desynchronisability should no longer focus on the properties one needs to
retain equivalence of behavior in a certain communication context, but rather should focus on changing the communi-
cation context in such a way that these properties actually become attainable. Furthermore, we have shown that reason-
able desynchronisability results can be obtained even for the finest equivalence in the van Glabbeek spectrum. Perhaps
some of the necessary conditions can be relaxed by resorting to any equivalence weaker than contra-simulation [17].
For example, we know that we can eliminate the input determinism property by studying desynchronisability modulo
contra-simulation. But so far the properties obtained using weaker equivalences are very similar to the ones we found,
which indicates that there is not much to be gained there.
Another observation we made is that the choice of abstraction scheme is crucial in obtaining useful results. On the
one hand, if we had chosen to abstract from outputs rather than from inputs in our definition of the operator ∆(), there
would have been an additional necessary condition saying that at any reachable state of p ‖ s only one send-transition
is allowed (see Subsection 5.1). On the other hand, we obtained interesting results in [8] using an abstraction scheme
that abstracted from send- and receive actions from the plant using bags as a communication buffer, but that abstraction
scheme did not work out for queues.
For a deterministic and concrete plant without external actions, we showed that it is possible to synthesise a con-
troller that satisfies the well-posedness property by construction. Note that this technique even works for supervisors
that contain nondeterminism and external actions in their specifications (see Lemma 7). Furthermore, we also showed
that the remaining conditions of desynchronisability are preserved by bisimulation equivalence (Lemmas 11, 12, and
13). However, for a nondeterministic plant with external actions, such correct-by-construction results may be difficult
to obtain. Therefore, it would be beneficial if tools for model checking asynchronous systems, like mCRL2 [23] and
CADP [24], could be optimised to check the conditions of desynchronisability as well.
As another topic for future research, we would be interested to see if a different choice of abstraction scheme (for
example hiding all communication messages in the synchronous and asynchronous system, only leaving the external
actions) gives us the possibility to drop the condition of independence of external actions. So far we did not do this,
because in supervisory control theory the messages of p ‖ s are often part of the requirement r. Still, we might abstract
from those messages that are not used in r, so that their reception does not need to be independent of external behaviour
anymore. To the best of our knowledge this scenario has not yet been systematically treated in the literature, and at
this point it is hard to tell what the necessary and sufficient conditions for such a desynchronisation would be.
Finally, we observe a similarity between our work and the work on choreographies and contracts, which turns out
to be useful in model checking of asynchronous systems [4, 5, 25]. Basically, such choreographies serve to restrict
the occurrence of diamonds in an asynchronous system, which means that it becomes synchronisable [5]. Perhaps
it is also possible to use this idea in the other direction, i.e., to desynchronise a system using a choreography on the
communication buffer. It would be interesting to see if, for example, the proposed semi-duplex buffering strategy
discussed in Subsection 3.7 can be implemented using a choreography.
Acknowledgement
The authors thank the anonymous reviewers for their feedback on an earlier draft of this paper. The authors also
thank Jos Baeten, Koos Rooda, Bert van Beek, and Damian Nadales, for various discussions regarding this work and
for putting us on the track of this problem.
This work has been performed as part of the “Integrated Multi-formalism Tool Support for the Design of Networked
Embedded Control Systems” (MULTIFORM) project, supported by the Seventh Research Framework Programme
of the European Commission (Grant agreement number: INFSO-ICT-224249).
References
[1] C. A. R. Hoare, Communicating sequential processes, Commun. ACM 21 (8) (1978) 666–677.
[2] D. Brand, P. Zafiropulo, On Communicating Finite-State Machines, J. ACM 30 (1983) 323–342, ISSN 0004-5411.
[3] C. Fischer, W. Janssen, Synchronous Development of Asynchronous Systems, in: U. Montanari, V. Sassone (Eds.), Proceedings of CONCUR’96, vol. 1119 of Lecture Notes in Computer Science, Springer-Verlag, 735–750, 1996.
[4] S. Basu, T. Bultan, Choreography conformance via synchronizability, in: Proceedings of the 20th International Conference on World Wide Web, WWW ’11, ACM, New York, NY, USA, 795–804, 2011.
[5] S. Basu, T. Bultan, M. Ouederni, Synchronizability for Verification of Asynchronously Communicating Systems, in: V. Kuncak, A. Rybalchenko (Eds.), Verification, Model Checking, and Abstract Interpretation, vol. 7148 of Lecture Notes in Computer Science, Springer Berlin / Heidelberg, 56–71, 2012.
[6] P. J. Ramadge, W. M. Wonham, Supervisory Control of a Class of Discrete Event Processes, SIAM Journal on Control and Optimization 25 (1) (1987) 206–230.
[7] S. Balemi, Control of Discrete Event Systems: Theory And Application, Ph.D. thesis, Swiss Federal Institute of Technology, Automatic Control Laboratory, ETH Zurich, 1992.
[8] H. Beohar, P. J. L. Cuijpers, Desynchronizability of (Partial) Synchronous Closed Loop Systems, Scientific Annals of Computer Science 21 (2011) 5–38.
[9] J. Udding, Classification and Composition of Delay-Insensitive Circuits, Ph.D. thesis, Eindhoven University of Technology, Eindhoven, 1984.
[10] H. Beohar, Refinement of communication and states in models of embedded systems, Ph.D. thesis, Eindhoven University of Technology, Eindhoven, The Netherlands, 2013.
[11] S. T. J. Forschelen, Supervisory control of theme park vehicles, Master’s thesis, Eindhoven University of Technology, System Engineering Group, Dept. of Mechanical Engineering, 2010.
[12] A. Tanenbaum, Computer Networks, Prentice Hall Professional Technical Reference, 4th edn., 2002.
[13] G. Cécé, A. Finkel, Verification of programs with half-duplex communication, Inf. Comput. 202 (2005) 166–190.
[14] M. Fabian, A. Hellgren, PLC-based implementation of supervisory control for discrete event systems, Proceedings of the 37th IEEE Conference on Decision and Control, 1998, vol. 3 (1998) 3305–3310.
[15] R. Hennicker, S. Janisch, A. Knapp, Refinement of Components in Connection-Safe Assemblies with Synchronous and Asynchronous Communication, in: C. Choppy, O. Sokolsky (Eds.), Foundations of Computer Software. Future Trends and Techniques for Development, vol. 6028 of Lecture Notes in Computer Science, Springer Berlin Heidelberg, 154–180, 2010.
[16] J. C. M. Baeten, T. Basten, M. A. Reniers, Process Algebra: Equational Theories of Communicating Processes, Cambridge University Press, New York, NY, USA, 1st edn., 2009.
[17] R. J. van Glabbeek, The Linear Time - Branching Time Spectrum II, in: Proceedings of the 4th International Conference on Concurrency Theory, CONCUR ’93, Springer-Verlag, London, UK, 66–81, 1993.
[18] H. Beohar, P. J. L. Cuijpers, Avoiding Diamonds in Desynchronisation, in: C. Pasareanu, G. Salaün (Eds.), 9th International Symposium on Formal Aspects of Component Software, Springer Link, Mountain View, California, USA, 2012.
[19] G. D. Plotkin, A Structural Approach to Operational Semantics, Tech. Rep. DAIMI FN-19, University of Aarhus, 1981.
[20] L. de Alfaro, T. Henzinger, Interface-Based Design, in: M. Broy, J. Grünbauer, D. Harel, C. A. R. Hoare (Eds.), Engineering Theories of Software Intensive Systems, vol. 195 of NATO Science Series, Springer Netherlands, 83–104, 2005.
[21] K. Peters, J.-W. Schicke, U. Nestmann, Synchrony vs Causality in Asynchronous Pi-Calculus, in: B. Luttik, F. Valencia (Eds.), 18th International Workshop on Expressiveness in Concurrency, EXPRESS, vol. 64 of EPTCS, 89–103, 2011.
[22] M. Fabian, B. Lennartson, On non-deterministic supervisory control, in: Proceedings of the 35th IEEE Conference on Decision and Control, 1996, vol. 2, 2213–2218, 1996.
[23] J. F. Groote, A. Mathijssen, M. Reniers, Y. Usenko, M. van Weerdenburg, The Formal Specification Language mCRL2, in: E. Brinksma, D. Harel, A. Mader, P. Stevens, R. Wieringa (Eds.), Methods for Modelling Software Systems, Dagstuhl Seminar Proceedings, Internationales Begegnungs- und Forschungszentrum für Informatik (IBFI), Schloss Dagstuhl, Germany, Dagstuhl, Germany, 2007.
[24] R. Mateescu, Modeling and Verification of Real-Time Systems, chap. Specification and Analysis of Asynchronous Systems using CADP, ISTE, ISBN 9780470611012, 141–169, 2010.
[25] G. Salaün, T. Bultan, Realizability of Choreographies Using Process Algebra Encodings, in: Proceedings of the 7th International Conference on Integrated Formal Methods, IFM ’09, Springer-Verlag, Berlin, Heidelberg, 167–182, 2009.
