Wiktor B. Daszczuk∗
TIMED CONCURRENT STATE MACHINES
Timed Concurrent State Machines (TCSM) are an application of Alur's Timed Automata concept to
the coincidence-based (rather than interleaving) CSM modeling technique. TCSM support the
idea of testing automata, which allow time properties to be specified more easily than with temporal formulas.
Also, calculation of a global state space in the real-time domain (Region Concurrent State Machines)
is defined, allowing a verified system to be stored in a ready-for-verification form and
multiplied by various testing automata.
Keywords: formal methods, model checking, real time veriﬁcation, timed automata
TIMED CONCURRENT STATE MACHINES (Polish abstract)
Timed concurrent state machines (TCSM) are an application of Alur's timed automata
in the coincidence-based environment of concurrent state machines (CSM), as opposed
to interleaving environments. TCSM fit the idea of testing automata, which allow
time dependencies to be specified more easily than through temporal formulas. In addition,
a method of determining the global state space in the time domain (region concurrent
state machines, RCSM) is defined, which allows the system under examination to be stored
in a form ready for verification and multiplied by various testing automata.
Keywords: formal methods, model checking, real-time verification, timed automata
1. Introduction
In [1, 2] Alur presented a successful idea of introducing real time to the specification
of concurrent systems. A kind of Büchi automata (with real-valued clocks added) is
used. The strength of this method is compositionality, i.e. an automaton representing
a concurrent system is composed from the individual automata of its components. In ICS
WUT, another modeling technique called CSM (Concurrent State Machines) is used
[9]. The components of a concurrent CSM system, called automata for simplicity, differ
from Büchi automata in several aspects, the most important being:
• Transitions are triggered by compositions of signals (the domain of the transition
function is 2^InputAlphabet rather than InputAlphabet itself); this means parallelism
related to the input alphabet.
∗ Institute of Computer Science, Warsaw University of Technology, Warszawa, Poland,
wbd@ii.pw.edu.pl
Computer Science • Vol. 8 Special Edition • 2007
• A state may generate more than one symbol; this means parallelism related to the
output alphabet.
• Transitions in distinct automata are executed in parallel rather than interleaved;
this means parallelism in actions.
The main notions of TCSM are defined quite similarly to TA. However, the main
extension of TCSM is that the product operation is defined for RCSM (corresponding
to Region Automata). This unique feature allows a verification system to store the state
space of a system under test in the form of an RCSM, called the "automaton under test".
A system in the form of an RCSM can be checked against temporal formulas, but we prefer
another verification technique, consisting of three phases:
• construction of an RCSM testing automaton representing a needed (or conversely,
unneeded) feature; the automaton may be designed by a user or obtained
automatically from another form defining the behavior (for example a UML sequence
diagram, collaboration diagram or state diagram);
• calculation of the product of the automaton under test with the testing automaton;
• reduction of the output product using the reduction algorithm presented in [7, 11–13];
• safety features are verified by checking for the existence of error states in the reduced
output product;
• liveness features are verified by testing the output product against stuttering of given
symbols generated by the testing automaton (this technique, elaborated by Jerzy
Mieścicki, is the subject of a separate paper under preparation).
The presented verification technique is useful for a designer who does not know
temporal logic, or when it is difficult to express the desired feature in terms of
temporal logic. Also, behavioral conditions may be automatically converted to testing
automata from other modeling formalisms.
2. Definition of CSM
Before the introduction of real time, a timeless version of CSM will be defined.
• Universe U – a countable set of elementary symbols called signals x ∈ U.
• Alphabet A ⊆ U (finite subset).
• Atomic Boolean formula x (see footnote 1); the formula x is satisfied if the signal x occurs.
• Boolean formula w – a sentence in traditional Boolean algebra over atomic
Boolean formulas x | x ∈ U and the special symbols {false, true}, ∨, ∧, ¬ (see footnote 2).
• sig(w) – the set of signals occurring in Boolean formula w.
• W – the set of all Boolean formulas w.
1 The usage of signal names is ambiguous: x is the name of a signal generated in a state, and it is
also an atomic Boolean formula expressing the fact that the signal x is being generated at the moment.
The meaning of the phrase x may be retrieved from context.
2 For compatibility with the COSMA environment, the conjunction of signals' occurrences is
denoted as ∗ (instead of ∧) or by no symbol between signals. The disjunction of signals' occurrences is
denoted as + (instead of ∨). This notation is used by other authors as well, for example [14].
We will identify a formula w with a Boolean function f such that for every set
of occurrences of signals the formula w is satisﬁed iﬀ the function f gives the value
true. The values of special Boolean formulas are: 0 is always false, 1 is always true.
CSM automaton p =df 〈S, form, out, sinit〉 (see footnote 3):
• S – ﬁnite set of states (nodes in a graph representation);
• transition function form : S × S → W (labels of transitions in graph); form
is assumed total, i.e. deﬁned for every pair (s, s′) ∈ S × S (formulas 0 and 1
are valid values of form); void transitions (s, s′) such that form(s, s′) = 0 are
usually skipped in a graph representation;
• output function out : S → 2^U is a function assigning subsets of signals to states
(if x ∈ out(s) then we say that the signal x is generated by state s);
• unique initial state sinit ∈ S.
The CSM automaton is assumed to be transition-complete, i.e. for any s ∈ S
the disjunction of formulas for all pairs (s, s′) ∈ S × S is true. Alphabets of an
automaton p:
• Input alphabet INP (p) ⊆ U – a set of all signals referred to in form’s range;
• Output alphabet OUT (p) ⊆ U – union of all sets out(s);
• External input alphabet EXT (p) ⊆ U – set of input signals coming from the
environment; EXT (p) = INP (p)−OUT (p);
• Total alphabet ALL(p) ⊆ U – union of input and output alphabets.
There is no requirement for sets INP (p) and OUT (p) to be disjoint: a signal
may be generated in a state of an automaton and accepted on a transition in the
same automaton. An output formula ω(s) of the state s ∈ S is a conjunction of
aﬃrmation of all signals belonging to out(s) and negations of all signals belonging to
OUT (p)− out(s).
A state s′ ∈ S is a successor of state s ∈ S, denoted s r s′, iff form(s, s′) ∗ ω(s) ≠ 0. Note
that some non-void transitions may lead to states that are not successors, due to signals
appearing in the output formula; for example, if for the state s and the target states s1, s2
of its transitions in automaton p: form(s, s1) = ab, form(s, s2) = ¬a + ¬b, out(s) = {a, b}, OUT(p) =
{a, b, c}, then s1 is a successor of s because form(s, s1) ∗ ω(s) = (ab) ∗ (ab ∗ ¬c) = ab ∗
¬c ≠ 0, while s2 is not a successor of s as form(s, s2) ∗ ω(s) = (¬a + ¬b) ∗ (ab ∗ ¬c) = 0.
The reachability relation (denoted R) is the transitive extension of r.
Let p be a CSM automaton, w ∈ W be a Boolean formula and X ⊆ ALL(p).
We replace in w all atomic Boolean formulas x referring to signals x ∈ X by symbol
1 and all atomic Boolean formulas referring to y ∈ OUT (p) − X by symbol 0. The
formula w′ thus obtained is called reduced by X, denoted w′ = w\\X. For example,
if OUT (p) = {a, c, d} then the formula w = ab+ ¬c+ d reduced by the set {a, c} is:
w′ = w\\{a, c} = 1b+ ¬1+ 0 = b+ 0+ 0 = b.
3 The symbol =df denotes equality by deﬁnition.
The Reachability Graph (RG) of a CSM automaton is the automaton restricted
to states reachable from sinit: RG =df 〈GS, form, out, sinit〉, where GS ⊆ S is the
set of all reachable states (GS =df {s : s ∈ S ∧ sinit R s} ∪ {sinit}, where ∧ denotes
conjunction); formulas on arcs leading out of a given state s are reduced by the set
out(s); all void transitions are removed (the domain of form is restricted to pairs of states
belonging to GS).
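As an added illustration of the definitions above (example code written for this edition, not part of the paper or of the COSMA tools), the following Python encodes Boolean formulas over signals as a small tree, implements the reduction w\\X, the output formula ω(s), the successor test form(s, s′) ∗ ω(s) ≠ 0 and the transition-completeness check. The tree representation and the function names are assumptions of the example; the checks are run on the paper's own worked cases (the {a, b, c} successor example and the reduction of ab + ¬c + d by {a, c}).

```python
from itertools import product

# Boolean formulas over signals as a small tree (a representation chosen for this example):
# True / False, ('sig', name), ('not', f), ('and', f, g), ('or', f, g).
def sig(x):
    return ('sig', x)

def neg(f):
    return ('not', f)

def conj(*fs):
    """a * b * c (left-associated conjunction)."""
    r = fs[0]
    for f in fs[1:]:
        r = ('and', r, f)
    return r

def disj(*fs):
    """a + b + c (left-associated disjunction)."""
    r = fs[0]
    for f in fs[1:]:
        r = ('or', r, f)
    return r

def signals(f):
    """sig(w): the set of signal names occurring in the formula."""
    if isinstance(f, bool):
        return set()
    if f[0] == 'sig':
        return {f[1]}
    return set().union(*(signals(g) for g in f[1:]))

def evaluate(f, present):
    """Value of the formula when exactly the signals in `present` occur."""
    if isinstance(f, bool):
        return f
    op = f[0]
    if op == 'sig':
        return f[1] in present
    if op == 'not':
        return not evaluate(f[1], present)
    if op == 'and':
        return evaluate(f[1], present) and evaluate(f[2], present)
    return evaluate(f[1], present) or evaluate(f[2], present)

def satisfiable(f):
    """Is the formula different from the constant 0? Brute force over sig(f)."""
    names = sorted(signals(f))
    for bits in product((False, True), repeat=len(names)):
        if evaluate(f, {n for n, b in zip(names, bits) if b}):
            return True
    return False

def reduce_by(f, X, OUT):
    """w\\X: signals in X become 1, signals in OUT - X become 0, the rest stay."""
    if isinstance(f, bool):
        return f
    if f[0] == 'sig':
        if f[1] in X:
            return True
        if f[1] in OUT:
            return False
        return f
    return (f[0],) + tuple(reduce_by(g, X, OUT) for g in f[1:])

def simplify(f):
    """Constant folding, so that 1b + ¬1 + 0 collapses to b."""
    if isinstance(f, bool) or f[0] == 'sig':
        return f
    args = [simplify(g) for g in f[1:]]
    if f[0] == 'not':
        return (not args[0]) if isinstance(args[0], bool) else ('not', args[0])
    a, b = args
    if f[0] == 'and':
        if a is False or b is False:
            return False
        return b if a is True else (a if b is True else ('and', a, b))
    if a is True or b is True:
        return True
    return b if a is False else (a if b is False else ('or', a, b))

def output_formula(out_s, OUT):
    """omega(s): every signal of out(s) affirmed, every signal of OUT(p) - out(s) negated."""
    lits = [sig(x) for x in sorted(out_s)] + [neg(sig(x)) for x in sorted(OUT - out_s)]
    return conj(*lits) if lits else True

def is_successor(form_ss, out_s, OUT):
    """s' is a successor of s iff form(s, s') * omega(s) is not identically 0."""
    return satisfiable(conj(form_ss, output_formula(out_s, OUT)))

def transition_complete(outgoing):
    """The disjunction of all formulas leaving a state must be identically 1."""
    return not satisfiable(neg(disj(*outgoing)))

if __name__ == "__main__":
    a, b, c, d = sig('a'), sig('b'), sig('c'), sig('d')
    print(is_successor(conj(a, b), {'a', 'b'}, {'a', 'b', 'c'}))            # True
    print(is_successor(disj(neg(a), neg(b)), {'a', 'b'}, {'a', 'b', 'c'}))  # False
    print(simplify(reduce_by(disj(conj(a, b), neg(c), d), {'a', 'c'}, {'a', 'c', 'd'})))
```

The brute-force `satisfiable` is exponential in the number of distinct signals in a formula, which is fine for the handful of signals on a single transition but would need a BDD or SAT back end for the composite formulas of a large product.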
Let P be a finite set of CSM automata:
P =df {pi | i = 1..n, pi = 〈Si, formi, outi, si,init〉}.
The CSM automaton p = 〈S, form, out, sinit〉 is a product of CSM automata
from P (denoted p =df ⊗pi∈P pi, which means p1 ⊗ p2 ⊗ … ⊗ pn) if the sets OUT(pi), i = 1..n
are pairwise disjoint and:
• S ⊆ ×pi∈P Si (×pi∈P Si denotes the Cartesian product S1 × S2 × … × Sn);
• elements of S (composite states) are tuples of the form s =df (sj1, sj2, . . . , sjn);
• sinit ∈ S is the tuple containing si,init of all component automata pi ∈ P: sinit =df
(s1,init, s2,init, . . . , sn,init);
• for any s ∈ S: out(s) =df ∪pi∈P outi(sji), sji ∈ Si;
• for any pair (s, s′) ∈ S × S, s = (sj1, sj2, . . . , sjn), s′ = (s′j1, s′j2, . . . , s′jn):
form(s, s′) =df ∧pi∈P formi(sji, s′ji), sji, s′ji ∈ Si.
Note that for a product p of CSM automata p = ⊗pi∈P pi, the sets INP (p),
OUT (p) and ALL(p) are unions of sets of component automata, while EXT (p) is not
(EXT (p) = INP (p)−OUT (p)).
The semantics of CSM is defined formally in [7]. The new state of the system is
taken from the transition leading from the current state, according to the set of signals
on the input. Single-step semantics, path semantics and fair path semantics are defined.
From now on, we deal with fair CSM automata (with fair path semantics).
3. Introduction of real time
Real time is added to the CSM model similarly to Alur's Timed Automata (TA) [1].
• The global time runs for all automata, getting all values in R+.
• Every automaton has a set of clocks, running synchronously with global time or
being reset on transitions.
However, there are major diﬀerences. The main features of TCSM are:
• In TA time elapses in states of an automaton. Because in CSM there is no concept
of staying in a state other than executing a self-loop (called an ear due to its
graphical image), the flow of time is associated with ears. A state with
no ear is instantaneous, i.e. it is left as soon as it is reached. As in TA, only a finite
number of instantaneous states may be visited without an elapse of time. A time
constraint put on an ear is called an invariant (similarly to TA).
• Because of the fairness condition, if there is an escape from a cycle in an
automaton, it must be followed after a finite number of loops in the cycle. Therefore,
a zero-time loop is not a tragedy if the run may diverge from the loop. Only an
ending (with no escape) strongly connected subgraph containing no ear is invalid.
Also, an automaton containing such a subgraph is invalid.
• Due to the manner of multiplication of automata, an ending strongly connected
zero-time subgraph may result from a product of valid automata (as in TA).
• Every timeless CSM automaton is transition-complete, i.e. it acts somehow in
every situation (it can never become inexecutable, as a TA can [1]). Formally, the sum of
all formulas on arcs outgoing from a state must be 1. In TCSM, to keep
transition-completeness, all formulas must sum up to 1 at every point in time.
• The important diﬀerence between TCSM and TA is the manner of communica-
tion. In TA, the communication occurs on common letters of alphabet, and the
direction of communication (which automaton is a sender and which is a receiver)
is speciﬁed separately. In TCSM, signals (symbols of alphabet) are generated in
states and accepted on transitions, therefore the direction of communication is
deﬁned strictly. The example of a system of TA (coming from [2]) converted to
TCSM system is presented in Figure 1. Time dependencies in TRAIN model
physical delays between sensor signals, in CONTROLLER they model reaction
times and in GATE – closing and opening time.
[Figure 1: diagram not recoverable from the extraction; only its labels survive. GATE: states t0, t1/down, t2, t3, t3'/up; clock y with resets y:=0; inputs lower, ¬lower, raise, ¬raise; constraints y≤1, y≤2, y≥1. CONTROLLER: states u0, u1, u1'/lower, u2, u2'/raise; clock z with resets z:=0; inputs approach, exit, ¬approach*¬exit; constraints z<1, z=1. TRAIN: states s0, s0'/approach, s1, s2/passing, s3, s3'/exit; clock x with reset x:=0; constraints x≤5, x>2.]
Fig. 1. Train-gate controller, Timed CSM
4. Deﬁnition of TCSM
TCSM automata are based on CSM, therefore only the diﬀerences will be deﬁned. Let
X be a ﬁnite set of clocks (clock variables). Clock constraints are simple constraints:
∞, x ≤ c, c ≤ x, x < c, c < x (c is nonnegative real) and Boolean formulas over simple
constraints and ∧ (denoted ∗). The symbol ∞ (equals R+) denotes no constraint and
may be skipped. A clock interpretation ν (from [1]) assigns a real value to every clock
in X; ν satisﬁes constraint ϕ over X iﬀ ϕ evaluates to true according to the values
given by ν. For δ ∈ R+, ν+ δ denotes the clock interpretation which maps every clock
x to the value ν(x) + δ. For Y ⊆ X, ν[Y := 0] denotes the clock interpretation for
X which assigns 0 to each x ∈ Y, and agrees with ν over the rest of the clocks. The
TCSM automaton is a 5-tuple p =df 〈TS, out, X, lab, sinit〉: a finite set of timed states
TS (the shortcut t.state will be used); an output function out : TS → 2^U as in CSM; a set
of clock variables X; a unique initial t.state sinit ∈ TS; a set of timed transitions lab ⊆
TS × form × Φ(X) × 2^X × TS (the shortcut t.transition will be used, and analogously t.ear).
In a t.transition (s, w, π, λ, s′) from s ∈ TS to s′ ∈ TS:
• the transition function w ∈ form triggers the t.transition (as in CSM);
• the clock constraint π ∈ Φ(X) specifies when the t.transition is enabled;
• λ ⊆ X is the set of clocks to be reset.
As a pair (s, s′) uniquely appoints a t.transition (multiple t.transitions between
states are not allowed), elements of a t.transition are extracted using a notation
w(s, s′), π(s, s′), λ(s, s′).
The TCSM automaton is assumed to be transition-complete, i.e. for any s ∈ TS and
for every clock interpretation, the disjunction of the Boolean formulas for all t.transitions
outgoing from s is true.
The succession relation cannot be defined for TCSM, because void transitions
may occur due to the clock interpretations allowed in preceding states (similarly to TA;
Region CSM (RCSM), together with the succession relation and reachability, will be
defined in the next section). However, the product of TCSM can be defined.
Let P be a finite set of TCSM automata:
P =df {pi | i = 1..n, pi = 〈TSi, outi, Xi, labi, si,init〉}.
The TCSM automaton p = 〈TS, out, X, lab, sinit〉 is a product of TCSM automata
from P (denoted p =df ⊗pi∈P pi, which means p1 ⊗ p2 ⊗ … ⊗ pn) if the sets OUT(pi), i = 1..n
are pairwise disjoint, the sets Xi, i = 1..n are pairwise disjoint and:
• X =df ∪pi∈PXi;
• TS ⊆ ×pi∈PTSi; elements of TS (composite states) are n-tuples of the form:
s =df (sj1, sj2, . . . , sjn);
• sinit ∈ TS is a tuple containing si,init of all component automata pi ∈ P : sinit =df
(s1,init, s2,init, . . . , sn,init);
• for any s ∈ TS : out(s) =df ∪pi∈P outi(sji), sji ∈ TSi;
• for any t.transition (s, w, π, λ, s′) ∈ lab, s = (sj1, sj2, . . . , sjn); s′ = (s′j1, s′j2,
. . . , s′jn):
w(s, s′) =df ∧pi∈Pw(sji, s′ji); sji, s′ji ∈ TSi;
π(s, s′) =df ∧pi∈Pπ(sji, s′ji); sji, s′ji ∈ TSi;
λ(s, s′) =df ∪pi∈Pλ(sji, s′ji); sji, s′ji ∈ TSi.
The algorithm of obtaining a product of TCSM automata is similar to that
for CSM [9] and requires additionally to take on resulting t.transitions conjunctions
of time constraints of component t.transitions and sums of clocks to be reset on
component t.transitions.
Single step semantics of TCSM can be found in [8]. However, due to lack of
reachability relation for t.states, path semantics and fair path semantics cannot be
deﬁned for TCSM.
5. Region CSM
The single step semantics is not suﬃcient to express behavior of TCSM automata
because of:
• time constraints appearing on transitions (see Fig. 2 showing a transition that is
persisting in CSM but void in TCSM)
• a fairness condition imposed on the model (Section 2).
[Figure 2: diagram not recoverable from the extraction; only its labels survive: states s0, s1, s2, s3, s4, s5 and the clock constraints x<1, x<2, x≤2, x≥1, x≥2 on transitions.]
Fig. 2. TCSM automaton
Therefore, a Region CSM automaton is defined, which allows one to observe the succession
relation and to build a Reachability Graph of a TCSM automaton. It is similar to the
Region Automaton (RA) of TA [1].
Similarly to RA, constants in time constraints are limited to integral ones (for
every TA with real constraints there exists a similar automaton with integral
constraints, see [1]). Then, by multiplying all constants by the least common multiple
of the denominators, the set of natural constraints is achieved.
A timed location is a pair (s, ν). In TCSM, there are inﬁnitely many pairs of timed
locations ((s, ν), (s′, ν′)) referring to the same pair of states (s, s′). Building RCSM,
we achieve ﬁnite equivalence classes of these transitions. The regions are sets of clock
interpretations that have the same integral part for all clocks and the same fractional
part ordering for all clocks. Clock interpretations that exceed a highest constant cx to
which a clock x is compared in constraints (clock bound) are not divided into regions.
A region is defined over the set of all clock interpretations for X. The automaton
of regions, where succession is defined as succession of regions under the operations ν + δ
and ν[Y := 0], is stable, i.e. if ν1 and ν2 belong to a common region and some operation
(+δ or [Y := 0]) over ν1 moves ν1 to ν′1, then there exists a ν′2 such that the same
operation moves ν2 to ν′2 and ν′2 belongs to the same region as ν′1. Stability solves
the reachability problems. For example, see Figures 2 and 3. In the TCSM automaton it
is not clear whether state s4 is reachable from s2 through s3, while in the RCSM automaton it
is obvious that it is not (but s5 is). Region states in RCSM are pairs (s, R) where s is
a state of the TCSM and R is a region. The region index is the range of interpretations of
the clock x in the region. Transitions marked 1 are zero-time (non-ear) and transitions
marked T are progress transitions (an ear in TCSM; the 1 is skipped).
[Figure 3: diagram not recoverable from the extraction; only its labels survive. Region states: s0R0, s1R0, s1R(0,1), s1R1, s2R0, s2R(0,1), s2R1, s2R(1,2), s2R2, s3R1, s3R(1,2), s3R2, s4R1, s4R(1,2), s4R2, s4R>2, s5R2, s5R>2; progress transitions are marked T.]
Fig. 3. RCSM automaton
The proof of region graph stability is given in [2].
Formally (see [1]), for any δ ∈ R+, let frac(δ) denote the fractional part of δ
and int(δ) the integral part of δ (so that δ = int(δ) + frac(δ)). Two clock
interpretations ν1 and ν2 are in a common region iff all the following conditions
hold (we call them region integrity conditions):
• For all x ∈ X, either int(ν1(x)) = int(ν2(x)) or both ν1(x) and ν2(x) exceed cx.
• For all x, y ∈ X with ν1(x) ≤ cx and ν1(y) ≤ cy, frac(ν1(x)) ≤ frac(ν1(y)) iff
frac(ν2(x)) ≤ frac(ν2(y)).
• For all x ∈ X with ν1(x) ≤ cx, frac(ν1(x)) = 0 iff frac(ν2(x)) = 0.
The succession of regions can be easily formulated due to ﬁxed ordering of clock
interpretations in a region.
The succession of regions (due to the progress of time) results from the linear change
of the values of all clocks (except for clocks being reset), and from resets of clocks. A region
R =df {I, Y>, Y0, Yf1, …, Yfm} is characterized by a tuple I of the integral parts of all clocks
(or the clock bound if a clock interpretation exceeds it), a set Y> of clocks exceeding their
bounds, a set Y0 of clocks with fractional parts equal to zero, and sets of clocks Yfi
with equal, non-zero fractional parts in each set, the latter sets ordered from greatest
to smallest fractional part. For a set X, the sets Y>, Y0, Yf1, …, Yfm are pairwise disjoint,
and their union is X. The rules of succession of regions can be found in [8].
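An added example (written for this edition, not the paper's code) that computes the region R = {I, Y>, Y0, Yf1, …, Yfm} of a clock interpretation as a canonical key and, separately, checks the three region integrity conditions literally, so the two characterizations can be compared on the same inputs; ν + δ and ν[Y := 0] are included to show one instance of stability. Representing ν and the clock bounds as dictionaries, and using exact rationals for clock values, are choices of the example.

```python
from fractions import Fraction

def _q(v):
    # Exact rationals; floats go through str() so 0.3 becomes 3/10, not its binary approximation.
    return Fraction(str(v)) if isinstance(v, float) else Fraction(v)

def region_key(nu, bounds):
    """R = {I, Y>, Y0, Yf1, ..., Yfm} for a clock interpretation nu (clock -> value)
    and clock bounds c_x (clock -> bound), returned as a hashable canonical key."""
    I, above, zero, by_frac = {}, set(), set(), {}
    for x, v in nu.items():
        v, c = _q(v), bounds[x]
        if v > c:
            I[x] = c                 # integral part is capped at the clock bound
            above.add(x)
            continue
        whole = int(v)
        I[x] = whole
        fr = v - whole
        if fr == 0:
            zero.add(x)
        else:
            by_frac.setdefault(fr, set()).add(x)
    # Yf1 ... Yfm: clocks grouped by equal fractional part, greatest fraction first
    groups = tuple(frozenset(by_frac[f]) for f in sorted(by_frac, reverse=True))
    return (tuple(sorted(I.items())), frozenset(above), frozenset(zero), groups)

def same_region(nu1, nu2, bounds):
    """The three region integrity conditions, checked literally on nu1 and nu2."""
    X = list(nu1)
    frac = lambda v: _q(v) - int(_q(v))
    for x in X:                       # condition 1: equal integral parts, or both above c_x
        a, b = _q(nu1[x]), _q(nu2[x])
        if not (int(a) == int(b) or (a > bounds[x] and b > bounds[x])):
            return False
    for x in X:                       # condition 2: same ordering of fractional parts
        for y in X:
            if _q(nu1[x]) <= bounds[x] and _q(nu1[y]) <= bounds[y]:
                if (frac(nu1[x]) <= frac(nu1[y])) != (frac(nu2[x]) <= frac(nu2[y])):
                    return False
    for x in X:                       # condition 3: zero fractional parts agree
        if _q(nu1[x]) <= bounds[x] and (frac(nu1[x]) == 0) != (frac(nu2[x]) == 0):
            return False
    return True

def advance(nu, delta):
    """nu + delta: every clock moves forward by delta."""
    return {x: _q(v) + _q(delta) for x, v in nu.items()}

def reset(nu, Y):
    """nu[Y := 0]: clocks in Y are set to 0, the rest are unchanged."""
    return {x: (Fraction(0) if x in Y else _q(v)) for x, v in nu.items()}

if __name__ == "__main__":
    B = {'x': 2, 'y': 2}                       # constructed clock bounds c_x = c_y = 2
    n1, n2 = {'x': 0.3, 'y': 0.7}, {'x': 0.1, 'y': 0.9}
    print(region_key(n1, B) == region_key(n2, B), same_region(n1, n2, B))   # True True
    print(region_key(advance(n1, 0.4), B) == region_key(advance(n2, 0.2), B))  # True
```

With a single clock x and cx = 2 the key takes exactly six values over all non-negative x, which are the region indices R0, R(0,1), R1, R(1,2), R2 and R>2 used in the figure labels.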
The set of operations over clock interpretations must preserve the region integrity
conditions, which is necessary to obtain a region succession relation. For example,
to the operations defined in TCSM (+δ, [Y := 0]) two additional operations may be
added:
1) assignment of a natural number (if the greatest number assigned is larger than
cx, then cx must be expanded to this value),
2) increment by a natural number (cx must be enlarged by the greatest number
added).
An RCSM automaton is a tuple p =df 〈RS, out, X, lab, sinit〉, where:
• RS is a finite set of region states (s, R), where s is a TCSM t.state and R is a
region, a set of time interpretations over X (the shortcut r.state will be used for a
region state);
• out : RS → 2^U is a function assigning subsets of signals to r.states; the function
out is called the output function; if x ∈ out((s, R)) then we say that the signal x is
generated by r.state (s, R);
• X is a finite set of clock variables;
• (sinit, R[X := 0]) ∈ RS is the unique initial r.state (R[X := 0] will be denoted
Rinit);
• lab ⊆ RS × form × 2^X × RS is a set of region transitions (the shortcut r.transition will
be used); for an r.transition ((s, R), w, λ, (s′, R′)) from r.state (s, R) to (s′, R′):
– w ∈ form is a Boolean formula triggering the r.transition, as before;
– λ ⊆ X is the set of clocks to be reset in this r.transition;
– for an r.transition ((s, R), w, λ, (s′, R′)) either s′ = s and R′ = (R + δ)[λ :=
0], or R′ = R[λ := 0].
An r.transition with s = s′ is called a progress r.transition, and an r.transition
with s ≠ s′ is called a zero-time r.transition or action r.transition. As a pair
((s, R), (s′, R′)) uniquely appoints an r.transition (multiple r.transitions between
states are not allowed), the elements of an r.transition are extracted using the notation
w((s, R), (s′, R′)), λ((s, R), (s′, R′)). A clock constraint of an r.ear is called an
invariant of the r.state appointed by the r.ear. The RCSM automaton is assumed to be
transition-complete, i.e. for any (s, R) ∈ RS and for every clock interpretation that
fits the region R, the disjunction of the Boolean formulas w for all r.transitions outgoing
from (s, R) is true.
The RCSM automaton is constructed from the TCSM using region succession and
by removing void transitions:
1. For any constructed r.state (s, R), out((s, R)) = out(s).
2. The initial r.state is (sinit, Rinit).
3. Construction of RCSM transitions (for w′ see item 4 below):
(a) For any constructed r.state (s, R), if there is a t.ear (s, w, π, λ, s) in the
TCSM with λ = ∅, then construct a progress self-loop (r.ear) from (s, R) to (s, R):
((s, R), w′, ∅, (s, R)).
(b) For any constructed r.state (s, R), if there is a t.ear (s, w, π, λ, s) in the
TCSM with λ ≠ ∅, then construct a progress r.transition from (s, R) to (s, R′):
((s, R), w′, λ, (s, R′)), R′ = R[λ := 0].
(c) For any constructed r.state (s, R), if there is a t.ear (s, w, π, λ, s) in the
TCSM, if π agrees with R, and if R′ ≠ R is a successor of R with
[λ := 0], then construct a successor (s, R′) and a progress r.transition
((s, R), w′, λ, (s, R′)).
(d) For any constructed r.state (s, R) and any t.transition (s, w, π, λ, s′), s′ ≠ s,
in the TCSM, if π agrees with R, then construct an r.state (s′, R′) and a zero-
time r.transition ((s, R), w′, λ, (s′, R′)) where R′ = R[λ := 0].
4. The formula w in every constructed transition is reduced by out(s): w′ =
w\\out(s), and if the result is 0 then the transition is rejected.
The rules of RCSM construction guarantee that only reachable part of the graph
of the system remains. Some transitions are discarded due to time constraints and
some due to output signals are being or not being generated. Having the succession
relation between r.states deﬁned, we may deﬁne succession and reachability in RCSM.
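The construction rules above, restricted to a single clock and to automata without signals (every w is 1), as an added example that is not the paper's algorithm: it explores region states breadth-first from (sinit, Rinit), builds progress r.transitions from ears and zero-time r.transitions from the other t.transitions (the self-loop of rule 3(a) is omitted since it adds no reachable r.state), and reports r.states at which no t.transition agrees with the region, i.e. where transition-completeness fails in time. The automaton is constructed for the example (it is not Fig. 2); it has a t.transition A → B that is persistent in the timeless CSM but void in the TCSM, because the ear of A only lets time pass while x < 1. Region encoding, constraint syntax and function names are assumptions of the example.

```python
from collections import deque

# Single-clock regions: ('point', k) for x = k, ('open', k) for k < x < k+1,
# ('gt', None) for x above the clock bound. A TCSM is state -> list of
# (constraint, reset, target); a constraint is a conjunction given as a list of
# (op, c) simple constraints ([] = no constraint); target == state is an ear.
EXAMPLE = {
    'A': [([('<', 1)], False, 'A'),               # ear: time may pass while x < 1
          ([('>=', 1), ('<', 2)], False, 'C'),    # enabled during 1 <= x < 2
          ([('>=', 2)], False, 'B')],             # present in the timeless CSM, never enabled in time
    'B': [([], False, 'B')],
    'C': [([], False, 'C')],
}
# The same automaton without A -> C: not transition-complete at every point in time.
INCOMPLETE = {'A': [EXAMPLE['A'][0], EXAMPLE['A'][2]], 'B': EXAMPLE['B'], 'C': EXAMPLE['C']}

def clock_bound(tcsm):
    """c_x: the greatest constant the clock is compared with."""
    return max((c for trans in tcsm.values() for cons, _, _ in trans for _, c in cons),
               default=0)

def region_successor(region, bound):
    """Time successor of a single-clock region."""
    kind, k = region
    if kind == 'gt':
        return region
    if kind == 'point':
        return ('open', k) if k < bound else ('gt', None)
    return ('point', k + 1)            # open regions exist only below the bound

def agrees(region, constraint):
    """pi agrees with R: every clock value in R satisfies every simple constraint."""
    kind, k = region
    for op, c in constraint:
        if kind == 'point':
            ok = {'<': k < c, '<=': k <= c, '>': k > c, '>=': k >= c}[op]
        elif kind == 'open':           # x in (k, k+1)
            ok = {'<': k + 1 <= c, '<=': k + 1 <= c, '>': k >= c, '>=': k >= c}[op]
        else:                          # x above every constant in the automaton
            ok = op in ('>', '>=')
        if not ok:
            return False
    return True

def build_rcsm(tcsm, init):
    """Return (reachable r.states, r.transitions, r.states with nothing enabled)."""
    bound = clock_bound(tcsm)
    start = (init, ('point', 0))       # R_init: the clock is 0
    seen, queue, edges, stuck = {start}, deque([start]), [], []
    while queue:
        s, R = queue.popleft()
        enabled = 0
        for constraint, do_reset, target in tcsm[s]:
            if not agrees(R, constraint):
                continue
            enabled += 1
            if target == s:            # ear: progress r.transition to the successor region
                R2 = ('point', 0) if do_reset else region_successor(R, bound)
            else:                      # zero-time r.transition, region kept or reset
                R2 = ('point', 0) if do_reset else R
            nxt = (target, R2)
            edges.append(((s, R), nxt))
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
        if enabled == 0:               # transition-completeness violated at (s, R)
            stuck.append((s, R))
    return seen, edges, stuck

def reachable_states(tcsm, init):
    """TCSM t.states that occur in some reachable r.state."""
    return {s for s, _ in build_rcsm(tcsm, init)[0]}

if __name__ == "__main__":
    print(sorted(reachable_states(EXAMPLE, 'A')))     # ['A', 'C']: B is void in time
    print(build_rcsm(INCOMPLETE, 'A')[2])             # [('A', ('point', 1))]
```

In the complete automaton the r.state (A, R1) has only the A → C t.transition enabled, so B is never reached even though the timeless reachability graph contains A → B; in the incomplete variant (A, R1) has nothing enabled, which is exactly the situation the transition-completeness requirement on TCSM rules out.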
Succession will be defined for RCSM just as for CSM, taking the conjunction of outgoing
r.transitions with the output formula. Given a pair of r.states of an RCSM automaton
((s, R), (s′, R′)) ∈ RS × RS, the r.state (s′, R′) is a region successor of
(s, R) iff form((s, R), (s′, R′)) ∗ ω((s, R)) ≠ 0. The region succession relation is denoted
s rr s′. The Region Reachability relation (denoted RR) is the transitive extension of rr.
The Region Reachability Graph (RRG) of an RCSM automaton is the automaton
restricted to r.states reachable from (sinit, Rinit). As the construction of RCSM from
TCSM keeps only reachable states, RRG is simply equal to RCSM. The single step
semantics, path semantics and fair path semantics are deﬁned quite similarly to that
of CSM and can be found in [8].
6. Product of region automata
The disadvantage of the "traditional" method of verification is that the whole system of
timed automata must be multiplied by every newly constructed testing automaton, and
only then can the RCSM be constructed from the product. This is because multiplication of
region automata is not defined for TA (perhaps the reason is the interleaving nature of the
product of TA, which cannot be applied to regions). The product of RCSM is defined
below.
Let P be a finite set of RCSM automata:
P = {pi | i = 1..n, pi = 〈RSi, outi, Xi, labi, (si,init, Ri,init)〉}.
The RCSM automaton p = 〈RS, out, X, lab, (sinit, Rinit)〉 is a product of RCSM
automata from P (denoted p =df ⊗pi∈P pi, which means p1 ⊗ p2 ⊗ … ⊗ pn) if the sets
OUT(pi), i = 1..n are pairwise disjoint, the sets Xi, i = 1..n are pairwise disjoint and:
1. X =df ∪pi∈P Xi.
2. RS ⊆ ×pi∈P RSi (×pi∈P RSi denotes the Cartesian product RS1 × RS2 × … × RSn).
3. Elements of RS (composite states) are pairs of the form:
(s, R) =df ((sj1, sj2, . . . , sjn), R)
where R is a region over X.
4. R|i is the projection of R onto the set of clocks Xi:
R|i = {I, Y>, Y0, Yf1, …, Yfm}|i = {Ii, Y>i, Y0i, Yf1i, …, Yfmi}
where Ii is the tuple of integral parts of the clocks restricted to Xi, all sets indexed by
i are intersected with Xi, and then empty sets Yfji are removed.
5. For any (s, R) ∈ RS: out((s, R)) =df ∪pi∈P outi(sji), sji ∈ RSi.
6. Construction of r.transitions:
(a) The initial r.state (sinit, Rinit) ∈ RS contains si,init of all component automata
pi ∈ P:
sinit =df (s1,init, s2,init, . . . , sn,init), Rinit =df R[X := 0].
(b) For any already constructed r.state (s, R), s = (s1, . . . , sn): take every
set of r.transitions of the form H = {h1, . . . , hn} outgoing from
(s1, R|1), . . . , (sn, R|n) in the component RCSM automata p1 . . . pn; for every
H, λH =df ∪hi∈H λi.
(c) If a set H contains only progress r.transitions hi, then for one or both region
successors of R (one of them is R[λH := 0], the other one is R′ ≠ R, a
progress successor of R with [λH := 0]) construct progress r.transitions:
• ((s, R), w, ∅, (s, R[λH := 0])) (a progress r.ear),
• ((s, R), w, ∅, (s, R′[λH := 0])) (a progress r.transition with R′ ≠ R),
where w is the conjunction of the wi in all r.transitions belonging to H, reduced by
out((s, R)).
(d) If a set H contains at least one action r.transition, then construct an r.state
(s′, R′) = ((s′1, …, s′n), R[λH := 0]) in which for every action r.transition
hi the r.state s′i is the target r.state of the r.transition hi, and for every
progress r.transition hi, s′i = si. Then construct an action r.transition
((s, R), w, λH, (s′, R[λH := 0])), where w is the conjunction of the wi of all
transitions belonging to H, reduced by out((s, R)).
7. If w in any constructed r.transition is equal to 0 then the r.transition is rejected
(and the r.state constructed in item 6(d) as well, if no other r.transition leads to it).
Multiplication of RCSM automata makes it possible to store a set of automata
specifying a concurrent system in the form of a product RCSM automaton, and to multiply
it by various testing RCSM automata for verification of desired features. The RCSM of the
system under test, once calculated, does not change. Such a procedure cannot be
performed if a product of RCSM automata does not exist; in that situation every
TCSM testing automaton must be multiplied by the TCSM system and then the RCSM must
be calculated.
7. Example veriﬁcation
TCSM may be used for model checking of temporal properties [3]. For example, Alur
in [1] deﬁnes a correctness condition for a system shown in Fig. 1: if the TRAIN is
in s2, then the GATE should be in t2. This condition can be veriﬁed for the system
as follows:
• add a signal lowered to the t.state t2,
• construct a testing automaton as shown in Figure 4.
[Figure 4: diagram not recoverable from the extraction; only its labels survive: states q0 and q1/error, transition formulas passing * ¬lowered and ¬passing + lowered.]
Fig. 4. Testing automaton
The verification consists of the following steps (the case is a safety property):
1. Multiplication of the timed automata TRAIN, GATE and CONTROLLER, and
calculation of the system RCSM.
2. Conversion of the testing automaton (Fig. 4) to a testing RCSM.
3. Calculation of the RCSM product of the system RCSM with the testing RCSM.
4. Reduction of the product [7, 11–13].
5. Observation of the result: the t.state q1 (the safety condition) turns out to be unreachable, as
required.
8. Conclusions
CSM automata allow for modeling of real parallelism, without interleaving, in concurrent
systems. Timed CSM enhance the formalism with real-time delays. The presented
verification technique over TCSM makes it possible to verify concurrent systems with
user-specified or automatically generated testing automata. The definition of the product
of RCSM (which is not defined for Region Automata) allows a system under
verification to be stored in a form ready for multiplication with testing automata.
The veriﬁcation is based on multiplying system RCSM with testing RCSM, re-
ducing the obtained product and searching for reachability of given states (safety
properties) or checking the stuttering of given symbols in reduced product (liveness
properties).
9. Future work
In further research, a veriﬁcation will be expanded to zone CSM (corresponding to
zone automata), which will allow to store state spaces in more compact form.
References
[1] Alur R., Dill D. L.: A Theory of Timed Automata. Theoretical Computer Science,
Vol. 126, 1994, p. 183–235
[2] Alur R.: Timed Automata. in 11th International Conference on Computer-Aided
Veriﬁcation, LNCS 1633, Springer-Verlag, 1999, p. 8–22
[3] Alur R., Courcoubetis C., Dill D. L.: Model-checking in dense real-time. Information
and Computation, Vol. 104, No. 1, 1993, p. 2–34
[4] Daszczuk W.B.: Veriﬁcation of Design Decisions in Communication Protocol by
Evaluation of Temporal Logic Formulas. Institute of Computer Science, WUT,
ICS Research Report No 22, 1998
[5] Daszczuk W.B., Mieścicki J., Nowacki M., Wytrębowicz J.: System Level Specifi-
cation and Veriﬁcation Using Concurrent State Machines and COSMA Environ-
ment. Proc. 8th International Conference on Mixed Design of Integrated Circuits
and Systems, MIXDES 2001, June 21–23, Zakopane, Poland, 2001, p. 525–532
[6] Daszczuk W.B., Grabski W., Mieścicki J., Wytrębowicz J.: System Modeling
in the COSMA Environment. Proc. Euromicro Symposium on Digital Systems
Design Architectures, Methods and Tools, September 4–6, Warsaw, Poland, IEEE
Computer Society, Los Alamitos, CA, 2001, p. 152–157
[7] Daszczuk W.B.: Veriﬁcation of Temporal Properties in Concurrent Systems,
Ph.D. thesis, Warsaw University of Technology, 2003
[8] Daszczuk W.B.: Timed Concurrent State Machines, Institute of Computer Sci-
ence, WUT, ICS Research Report No 27, 2003
[9] Mieścicki J.: Concurrent System of Communicating Machines, Institute of Com-
puter Science, WUT, ICS Research Report No 35, 1992
[10] Mieścicki J., Baszun M., Daszczuk W.B., Czejdo B.: Verification of Concurrent
Engineering Software Using CSM Models, Proc. 2nd World Conf. on Integrated
Design and Process Technology, Austin, Texas, USA, 1–4 Dec. 1996, p. 322–330
[11] Mieścicki J., Czejdo B., Daszczuk W.B.: Model checking in the COSMA environ-
ment as a support for the design of pipelined processing. Proc. European Congress
on Computational Methods in Applied Sciences and Engineering ECCOMAS
2004, Jyvaskyla, Finland, 24–28 July 2004
[12] Mieścicki J., Czejdo B., Daszczuk W.B., Multi-phase model checking of a three-
stage pipeline using the COSMA tool, Proc. European Congress on Computational
Methods in Applied Sciences and Engineering ECCOMAS 2004, Jyvaskyla, Fin-
land, 24–28 July 2004
[13] Mieścicki J.: Veriﬁcation of UML State Diagrams Using Concurrent State Ma-
chines, IFIP Working Conference on Software Engineering Techniques SET’2006,
October 17–20 2006, Warsaw, Poland
[14] Zhang Z.: An Approach to Hierarchy Model Checking via Evaluating CTL Hier-
archically. Proc. of the 4th Asian Test Symposium, ATS’95, IEEE 1995, 45–49