Abstract. Dynamic reconfigurable simulation based on Discrete Event System Specification (DEVS) requires efficient verification of simulation models. Traditional verification method of DEVS model is based on I/O test in which a DEVS model is regarded as a black box or a grey box. This method is low efficient and insufficient because input samples are often limited. This paper proposes a formal method which can translate Parallel DEVS model into a restrict kind of Timed Automata (TA) with equivalent behaviors. By this translation, a formal verification problem of Parallel DEVS model can be changed into the formal verification of according timed automata.
Introduction
One of the intended consequences of utilizing simulations in dynamic, data-driven application system (DDDAS) [1] is that the simulations will adjust to new data as it arrives. These adjustments will be difficult because of the unpredictable nature of the world and because simulations are so carefully tuned to model specific operating conditions. Accommodating new data may require adapting or replacing numerical methods, simulation parameters, or the analytical scientific models from which the simulation is derived. These all require simulation modules in DDDAS to be dynamically reconfigurable. Furthermore, the substitutions must be verified before they are injected into the running simulation so that they can behave required properties. So, how to verify simulation system and simulation component more efficiently is a critical problem for dynamic reconfigurable simulation. Formal verification is a kind of method which can search the whole state space in acceptable time. In contrast to traditional verification method based on I/O test, it has many advantages, such as the verification process can be automated and the resources are more limited etc. This paper will propose a formal verification method for models formalized with discrete event system specification (DEVS) [2] [3] which is a representative formalism in modeling time varying reactive discrete systems. This method is based on trace equivalence which can change the verification problem of DEVS model to the verification of TA [4] with equivalent behaviors.
Formal Semantic for Parallel DEVS Model
Though Parallel DEVS has a well-defined syntax, its behavior is given as a kind of abstract simulator informally. In order to verify Parallel DEVS models formally, a formal behavior semantic of it must be defined at first [5] [6] . In this paper, Timed Transition System (TTS) is selected as the semantic base of DEVS models' behaviors.
Parallel DEVS [2]
Parallel DEVS formalism consists of two parts, atomic and coupled models. An atomic model is a structure: 
M X Y S s ta
where, X is a set of input events; Y is a set of output events; D is a set of components names; The trajectory used usually is I -trajectory.
A I -trajectory is defined as a function : I S ω → , where I is a closed interval of real value beginning with 0. ω also satisfy following property: for , ' Discrete event transition: discrete events in parallel can be divided into two categories: input and output events. According to the execution of DEVS, when they occur concurrently, output events must be dealt first. As shown in abstract simulator of DEVS, when an atomic model is going to send output, it will receive a event " * " first, " * "event and output event can been seen as a pair because they must be concatenated simultaneity; if there is no input event when output event occurs, the component will receive an empty event φ . If 
Semantic of DEVS Model Based on TTS

M X Y S s ta
δ δ δ λ = < > ,ts M M M M M T M S init D T =< Σ >(4)
Semantic of Coupled Parallel DEVS Model Based on TA
Timed Automata
A timed automata consists of a finite automata augmented with a finite set of clock variables, and transitions with clock constraints, additionally the locations can contain local invariant conditions.
For a set of clocks noted X , clock constraint over it is defined by: A timed automata is defined as a 6-tuple:
where L is a finite set of location; 0 l is an initial location; Σ is a finite alphabet; C is a finite set of clock; : 
A D is a set of discrete event transition, for a state ( , ) l v and a transition , , , , ' l a l
From Atomic Finite DEVS to TA
TA has more expressiveness than DEVS model to model timed systems. In this section, we will seek to find a translation function aut T which can translate a Parallel DEVS model M to a trace equivalent TA noted ( ) aut T M . As shown in Fig.1 , TTS is selected as the common semantic base for these two models. Because infinite DEVS model cannot be formal verified for its infinite global state space, we only consider finite Parallel DEVS here, the finiteness of DEVS model include two aspects: first, the number of states is finite; second, the number of external transitions should be also finite, i.e. each external transition function should be a finite piecewise function. 
C is a clock set, because there is a time variable e in atomic DEVS model, so there is also a clock in Where "!" refers to output event, "?" refers to received event, "*" refers to an internal event sent by the coordinator of M , which will be discussed in section3.3.
Semantic of the Whole DEVS Model
A virtual simulation system is a closed system; the execution of the whole simulation model is controlled by a time management unit which is due to schedule the time advancement of the whole system. In DEVS based simulation, the time advancement is managed by a special coordinator named root coordinator, which has no interaction with outside environment and only be responsible for advancing global virtual time e G and translating the output of one of its child model to the input of another child model. It is a reduced coordinator and its according TA is showed in Fig.4 . Fig. 4 . Illustration of the translation from root coordinator of the whole DEVS simulation model to its according TA model. Where "r" refers to the root coordinator discussed here; "*Root" refers to an internal event for driven output of its child models; "e G " is the global virtual time; function Nexte G () is the function to update the value of e G when a simulation step has just passed. Internal event between it and its child models noted "X j " and "Y w " are also be defined as integer value or integer vectors like Fig.3 .
Conclusion
Trace equivalence is laid as the basis of the translation from Parallel model to Timed Automata model. This is an observable equivalence because trace can be observed from outside. This kind of equivalence can be used in DEVS component based simulation where the things we concerned most are not the internal detail of the components but the behaviors of them. Based on this equivalent translation, formal DEVS model verification can be realized easily using existing model checking methods and tools upon timed automata.
