A timed verification of the IEEE 1394 leader election protocol by Romijn, J.M.T. (Judi)
Centrum voor Wiskunde en Informatica
REPORTRAPPORT
A Timed Verification of the IEEE 1394 Leader Election Protocol
J.M.T. Romijn
Software Engineering (SEN)





1090 GB  Amsterdam
The Netherlands
CWI is the National Research Institute for Mathematics
and Computer Science. CWI is part of the Stichting
Mathematisch Centrum (SMC), the Dutch foundation
for promotion of mathematics and computer science
and their applications.
SMC is sponsored by the Netherlands Organization for
Scientific Research (NWO). CWI is a member of
ERCIM, the European Research Consortium for
Informatics and Mathematics.
Copyright © Stichting Mathematisch Centrum
P.O. Box 94079, 1090 GB  Amsterdam (NL)
Kruislaan 413, 1098 SJ  Amsterdam (NL)
Telephone +31 20 592 9333
Telefax +31 20 592 4199
A Timed Verication of the IEEE 1394 Leader Election Protocol 
Judi Romijn
CWI
P.O. Box 94079, 1090 GB Amsterdam, The Netherlands
judi@cwi.nl
ABSTRACT
The IEEE 1394 architecture standard denes a high performance serial multimedia bus that allows several com-
ponents in a network to communicate with each other at high speed. In the physical layer of the architecture,
a leader election protocol is used to nd a spanning tree with a unique root in the network topology. If there is
a cycle in the network, the protocol treats this as an error situation. This paper presents a formal model of the
leader election protocol in the language IOA as well as a correctness proof. The verication shows that under
certain timing restrictions the protocol behaves correct. The timing constants proposed in the IEEE 1394 standard
documentation obey the requirements found in this proof.
1991 Mathematics Subject Classication: 68M10, 68Q05, 68Q45, 68Q60, 94C15
1991 ACM Computing Classication System: F.1.1, F.4.1, G.2.2
Keywords and Phrases: protocol verication, I/O automata, safety, liveness, real time, renement, simulation
Note: The results reported in this paper have been obtained as part of the research project \Specication, Testing
and Verication of Software for Technical Applications", carried out by the Stichting Mathematisch Centrum for
Philips Research Laboratories under Contract RWC-061-PS-950006-ps.
The author’s current aliation is: Computing Science Institute, University of Nijmegen, P.O. Box 9010, 6500 GL
Nijmegen, The Netherlands.
1 Introduction
The IEEE 1394-1995 serial bus standard [10] denes an architecture that allows several compo-
nents to communicate at very high speed. Originally, the architecture was designed by Apple
(FireWire). Currently, more than 70 companies are involved in the standardisation eort. Al-
though the IEEE 1394-1995 standard has been nalised, the architecture is still being rened
and adapted. Part of this ongoing work is reflected in the IEEE P1394a standard proposal
document [11], which is intended to be a supplement to IEEE 1394-1995. In this paper, 1394
will refer to IEEE 1394-1995 unless otherwise stated.
The IEEE 1394 standard allows several components to be connected either with cables and
IEEE 1394 chips (cable environment), or with an IEEE 1394 backplane in one physical device
(backplane environment). We restrict our attention to the cable environment situation, and
refer to the whole of components, cables, etc. as the network.
Like in the OSI model, the IEEE 1394 architecture has several layers of which the physical
layer is the lowest. This layer takes care of the actual communication on the bus, which happens
 A short version of this report appeared in S. Gnesi and D. Latella, editors, Proceedings of the Fourth
International Workshop on Formal Methods for Industrial Critical Systems (FMICS’99), pages 3{29, May 1999.
1. Introduction 2
by sending signals on a wire by asserting voltages. The physical layer is responsible for the
knowledge that a component has of the network topology and of components present, and for
issues such as timing of asynchronous and synchronous communication and arbitration for use
of the bus. These tasks are taken care of in several phases. The rst phase in the physical layer
is the bus reset phase, which is entered whenever a component is powered up, when the network
topology changes or an error is discovered, or on request of higher layers in the architecture.
After completion of the bus reset phase, the tree identify phase starts. In the three identify
phase the network topology is determined by spanning a tree in the network. The root of the
tree will act as the bus master. After the tree identify phase, the self identify phase follows in
which all components inform the rest of the network of their capabilities and get a unique ID.
Finally, in the normal operation phase, the arbitration for and actual use of the bus by higher
layers and applications takes place.
In this paper we study the tree identify phase in the physical layer. The components employ
a leader election protocol to span a tree in the network, with the root acting as the leader. A
side eect of the protocol is that it detects whether there is a cycle in the network, and if so,
does not terminate with a leader but halts in the initial phase of the protocol and issues error
messages. Our intention is to prove that an abstraction of the protocol, which is as close to the
description in the IEEE 1394 documents [10, 11] as possible, works correct. There already are
some correctness proofs for other abstractions of this protocol [4, 26, 7, 28]. We reuse part of
this work for proving the correctness of our model of the protocol. This is done by establishing
an implementation relation between the most detailed model from [7] and our more detailed
model of the protocol. In this way, our verication adds to a stepwise renement of IEEE 1394
in which more detail is added to models in each step.
The verication is carried out by establishing timed trace inclusion between timed I/O au-
tomata through a timed renement [16, 17, 19]. The I/O automata are presented in the IOA
language [5]. We reuse an untimed I/O automaton from [7] to which we add a harmless time-
passage action to turn it into a timed I/O automaton and use timed renements as presented
in [19]. As mentioned in [19], we could equally well establish an untimed renement between
the timed I/O automata, so timed trace inclusion follows if the time-passage action is visible in
both models. Some related work that is interesting in the timed vs. untimed respect is the work
presented in [23], which discusses safety and failure renements between timed and untimed CSP
models [3]. Some results are presented for failure renements between communicating processes,
which may be useful in the I/O automata setting.
The proofs show that under the assumptions made, the behaviour of the models is correct
when we use the timing constants proposed in IEEE 1394-1195 and IEEE P1394a. It still remains
to be seen whether further renement of the models preserves the correctness.
This paper is organized as follows. Section 2 explains the IEEE 1394 tree identify, discusses
related verications and presents our abstraction. Section 3 introduces our I/O automata models
of the tree identify protocol and shortly discusses the IOA language. Section 4 is an intermezzo
about network topologies, in which general results are derived that we need in the verication.
Section 5 presents the formal verication of the protocol. In Section 6 we sum up the conclusions
that can be drawn from this exercise. We have added Appendix A to give the basic denition
and principles used in this verication. Here we also present a new result for reusing invariants
in a stepwise renement proof, which is used in Section 5, as well as new sucient conditions
for feasibility, which are used in Section 5.3.
Note that to improve readibility, we often use Lamport’s list notation [13] for conjunction or
disjunction in formulas.
2. The protocol 3
2 The protocol
In this section, the IEEE 1394 tree identify phase is described, other verications of this protocol
are discussed, and our our abstraction is introduced. The IOA models are presented in Section 3.
The tree identify phase has already been described in several articles. The following text and
pictures borrow from [4].
2.1 The IEEE 1394 tree identify phase
We refer to the components connected to 1394 bus as devices. Each device has a number of
ports which are used for bidirectional connections to other devices. Each port has at most one
connection. The device at the other side of the connection is called the peer device. The tree
identify phase follows on completion of the bus reset phase, which is started as soon as a total
reset of the network is demanded. This can occur on request of applications, or because the
network conguration has changed or an error situation has been detected. The bus reset phase
clears all topology information except local information on a device, namely which ports have
connections. During the tree identify phase a spanning tree is constructed in the network. After
the tree identify phase completes, the tree structure will be used in the normal bus operation.
An example of a network topology at the start of the tree identify phase is presented in Figure 1.
Figure 1: Initial network topology
parent?
Figure 2: Intermediate conguration
Informally, the basic idea of the protocol is as follows: each device starts in the initial phase, in
which it may receive a \parent request" on from a peer device on one of its ports. The receiving
device then sends an acknowledgement message to the peer device and adds the port to its
collection of children. A peer device which is connected to the child port, is then considered
to be a child in the tree structure. See Figure 2. When a device is in the initial phase and it
has no more than one port left on which no communication has taken place yet, it can send
a parent request on that port and leave the initial phase. It is obvious that leaf devices (i.e.
devices with one connected port) have exactly one such port at the start of the protocol, so they
can send their parent request and leave the initial phase immediately. In this manner, a tree is
constructed that grows from the leaves inward, until all ports of one device are children, and
that device is the root of the tree. See Figure 4.
It is possible that two devices end up asking each other to be the parent. This situation is
called \root contention". The devices both signal the reception of a parent request on a port on
which they already sent a parent request, and turn to a symmetry breaking protocol in which
random bits are used. See Figure 3. This root contention protocol has been formally specied
and veried in [28].
When a cycle is present in the network, all the devices that are on such a cycle will not get
a parent request from their peers on the cycle. So they will have more than one port on which
no parent request was received, and can therefore not send a parent request themselves or leave
2. The protocol 4
parent?
Figure 3: Two contending devices Figure 4: Final spanning tree
the initial phase. Also devices that are not on a cycle, but are wedged between two or more
cycles will not get a parent request on at least two ports, and will not send a parent request
themselves or leave the initial phase. Such a situation is solved by a timer which is started at
the start of the tree identify phase, and which is supposed to expire only in the situation of a
cycle in the network. When there is a cycle in the network, a root should not be elected, since
the operation of the bus in the following phases relies on the topology being a tree structure.
A device may influence its own chances at becoming root by waiting for some time before
sending the parent request, even if it is already possible to proceed. A device will only do so if
it has the flag force root set to true.
Devices may enter the tree identify phase at dierent times. This is due to the dierence
in the moments at which dierent devices signal that the bus reset phase (preceding the tree
identify phase) should be entered.
2.2 Other verications of the protocol
Parts of the IEEE 1394 architecture have been formally specied and/or veried in several
articles [14, 12, 4, 7, 27, 26, 28]. Of these, [14, 12, 27] focus on the link layer. The articles
[4, 26, 7, 28] study the tree identify phase of the physical layer, like this paper does. In Figure 5
we give an overview of the results of these articles, and their relation to the research presented
in this paper. The results of the dierent articles are in the dashed boxes. The names of the
formal models are listed, arrows between these indicate a (proved) implementation relation. The
vertical position of a model name indicates the level of abstraction of that model with respect
to the IEEE 1394 documentation. Very abstract models do not consider implementation details
such as timing, signals etc. The most detailed models incorporate more detail from the IEEE
1394 documentation. In the picture, we have given some models the same vertical position to
indicate that they have a comparable degree of detail. We now explain the results of each article
in short.
Devillers, Grioen, Romijn and Vaandrager [4] have shown that the election in the tree
identify phase works correct, under the assumption that there are no cycles in the network,
that the network topology is xed throughout the protocol, that a root contention situation is
solved in one atomic step, and that no device tries to become root by having the corresponding
force root flag set to true. The models are at a high level of abstraction: there is no timing and
communication is modelled with nite queues. The models are I/O automata [16, 17] presented
in a precondition/eect style. The proofs use invariants and simulation techniques from [18].
The proofs have been checked with the theorem prover PVS [22].
Shankland and van der Zwaag [26] have also shown that the election in the tree identify phase
works correct, under the assumption that there are no cycles in the network, that the network
topology is xed throughout the protocol, and that no device tries to become root by having
2. The protocol 5
abstract
detailed
A B = ‘A implements B’
1 = root election
2 = cycle detection



















1 1+3which part of the protocol:
Figure 5: An overview of research on the IEEE 1394 tree identify phase
the corresponding force root flag set to true. The models are at a high level of abstraction:
there is no timing and communication is modelled with nite queues. The models are presented
in CRL [8], a process algebra language with data. The proofs use invariants and the cones
and foci method from [9]. Note that the paper gives no proof that the root contention protocol
actually terminates within bounded time, since for the verication it is enough to show that it
can terminate.
Grioen and Vaandrager [7] have shown that the election in the tree identify phase works
correct, under the assumption that the network topology is xed throughout the protocol, that
a root contention situation is solved in one atomic step, and that no device tries to become
root by having the corresponding force root flag set to true. The models are at a high level
of abstraction: there is no timing and communication is modelled with nite queues. The
models are I/O automata [16, 17] presented in the IOA language [5]. The paper introduces a
new simulation proof technique, called normed simulations. The proofs use invariants and the
proposed simulation technique. The proofs have been checked with the theorem prover PVS
[22]. Note that cycle detection is done with a predicate that takes the structure of the whole
network into account, and does not use timing information, as in IEEE 1394. The predicate
used implies that nodes that are part of a cycle will detect this with an error message. In IEEE
1394 (and in the models presented in this paper), the error situation is also detected by nodes
that are not part of a cycle themselves, but wedged in between of two cycles.
Stoelinga and Vaandrager [28] have shown that the root contention solving protocol in the tree
identify phase works correct under the assumption that the network topology is xed throughout
the protocol. The models are at an intermediate level of abstraction: on the one hand timers
and probabilities are used, but on the other hand communication is modelled with nite queues.
The models are probabilistic timed I/O automata [24, 25] presented in the IOA language [5].
2. The protocol 6
The paper introduces two simulation proof techniques, which are special cases of the simulation
techniques in [24, 25]. The proofs use invariants and the proposed simulation techniques.
The model of the protocol that is presented in [4] is essentially the same as one of the I/O
automata examples in the book Distributed Algorithms by Lynch [15]. A correctness proof of
this protocol is not given in [15]. The models that either include cycle detection or the root
contention protocol are can be considered renements of the protocol in [15].
2.3 This verication
As can be seen in Figure 5, this paper aims to give an implementation relation between the
most detailed model from [7] and a more detailed model. In this way, our verication adds to a
layered verication of IEEE 1394 in which models are rened, that is, more and more detail is
added in each step. In order to keep our proof obligations manageable, we do not add too much
detail, and hence our model has an intermediate degree of detail with respect to IEEE 1394.
The verication is carried out by establishing trace inclusion between timed I/O automata
through a renement [16, 17, 19]. The I/O automata are presented in the IOA language [5].
The most detailed model of [7] is an untimed model. This means that the cycle detection
is done with a predicate that takes the structure of the whole network into account. In this
verication, we want to establish that cycle detection based on the timing in IEEE 1394 works
correct. In order to do this, we add timers to the model which expire when the leader election
takes too much time. We also add timing information to the messages sent, in order to model
the delay in communication in IEEE 1394. As argued above, this paper uses a dierent predicate
for cycle detection than the one used in [7], in order to conform to the error behaviour of IEEE
1394. As in [7] we assume that the network topology is xed throughout the protocol, that a
root contention situation is solved in one atomic step that no device has the force root flag set
to true, and that communication can be modelled with nite queues.
Since our aim is to show that whenever timers in the model expire, there is indeed a cycle
in the network, and that the timers will expire in case of a cycle in the network, we are trying
to show that the timers do not expire too soon or too late. In our proofs we use invariants
that express worst case scenarios in terms of delay. So we are actually performing a worst case
analysis on the timing proposed in IEEE 1394. In this way, we establish a relation between the
parameters of the protocol in terms of minimal and maximal values.
We expect that in a next renement step it is possible to include the result from [28], to get
closer to the IEEE 1394 behaviour without much eort. The next renement step could then
be to add a force root flag to the model, thus expressing that devices behave a little dierent
to increase their chances at leadership. In order to obtain a correctness statement about IEEE
1394 with all its detail, it still has to be shown that modelling the IEEE 1394 communication of
voltages on wires by messages and nite queues is correct. We expect that in this situation, we
will not just have a judgement on correctness, but we will also be able to say how the timing
constants in IEEE 1394 could/should be adjusted.
Our assumptions As a specication of the desired behaviour, we have taken the most detailed
model TIP3 from [7]. In [7] it is shown that the behaviour of TIP3 meets the requirements for
the tree identify phase.
TIP3 is a very abstract model of the tree identify phase, in the sense that it abstracts from
a lot of details. We introduce a model TIP4, which is more detailed than TIP3, and prove that
it is a renement of TIP3. In this way, the correctness of the behaviour of TIP4 can be derived
3. IOA models 7
from the correctness of the behaviour of TIP3.
Our justication for still leaving out many implementation details that may aect the cor-
rectness of the protocol, is that we intend to reuse as much as possible of the proofs already
established. This can only be done in a manageable way if we do not add too many details at
once. As it is, the proofs for our verication are already quite lengthy and involved. See also
Section 6 for a discussion of our results.
The abstractions have been chosen as follows.
 In TIP3, it is assumed that the devices signal a cycle by merely checking the network
topology. In TIP4, the devices use a timer, which conforms to IEEE 1394.
 In both TIP3 and TIP4, communication between devices is modelled by sending messages
on queues. In a IEEE 1394 network, the devices communicate by asserting signals (dened
in terms of voltages) on wires for a certain time.
 In both TIP3 and TIP4, it is assumed that no device has the force root flag set to true.
 In both TIP3 and TIP4, the network is assumed to be connected and to be xed throughout
the protocol. There may be cycles in the topology.
 In both TIP3 and TIP4, the root contention situation is solved in one atomic step, as
opposed to the IEEE 1394 protocol which involves picking random bits, and which repeats
until the symmetry is broken. Note that the root contention protocol has been formally
specied and proved correct in [28].
 In both TIP3 and TIP4, all devices enter the tree identify phase at the same time.
 In TIP3, no timing is used whatsoever. In TIP4, timing is used for determining whether
the network topology contains a cycle (see above), and for determining the actual delivery
time of messages. The IEEE 1394 delay between the moment of sending and reception
and processing of a signal is caused by dierence in clocks of the devices, the length and
propagation delay of the wires, and the dierence in the tree identify phase enter moment
of the sending and receiving device. In TIP4, the delay of message is determined at the
moment that the message is being received. This delay may vary between the bounds
caused by dierence in clocks of the devices, and by the length and propagation delay of
the wires. Although the second factor is constant, we have modelled the choice of delay
to be completely free for each receive operation. Since we are after the bounds on the
timing constants in relation to the network topology with respect to detecting cycles, we
are establishing the property that the cycle detection timer will not expire too soon or too
late. Therefore we are actually performing a worst case analysis. The worst case scenarios
for IEEE 1394 and our model are the same, under the assumption that all devices enter
the tree identify phase at the same moment.
3 IOA models
We present two models in the IOA language [5] of the tree identify protocol, namely TIP3 and
TIP4. The IOA model for TIP3 comes (almost) literally from [7] and gives an abstract and
untimed model of the protocol behaviour. It has been shown in [7] that this model has the
desired behaviour of electing exactly one device for root if there is no cycle in the network. If









Figure 6: Signature for TIP3 and TIP4.
there is a cycle in the network, all devices that are part of this cycle will detect this and give an
error message.
The IOA language The IOA language facilitates precise and readable descriptions of I/O
automata [16, 17]. Since our models are timed, we have added a time action, according to the
denition in [19].
IOA contains the basic types Bool, Nat, Int and Real with their standard operators. In
addition type constructors Array, Seq (nite sequences) and Set (nite sets) are part of the
language. The notation [ ] is used for array subscripting, an array with a value e in all cells
is denoted by const(e). The operation ‘ appends an element at the end of a sequence and
the operations head and tail have the usual meaning. We assume the type Time which is the
(predened) type Real restricted to nonnegative values.
We assume the extra types Mes to represent the dierent message contents that may be
exchanged between devices, as follows:
Type Mes enumeration of parent, ack
In Section 4 we give several denitions and operations that concern network topologies. Given
a network N = hD;P; dev; peeri, we assume the types Dev=D and Port=P and all operations
as dened in Section 4.
The TIP models The signature part for both models is shown in Figure 6. The connected
network N = hD;P; dev; peeri is a parameter for both models. In addition, the constants
MinDelay, MaxDelay, MinLpdtime, and MaxLpdtime are parameters for TIP4. We assume
MinDelay  MaxDelay and MinLpdtime  MaxLpdtime.
The IOA description of TIP3 is shown in Figure 7. The action denitions are almost equal to
those of TIP4, so we refer to the explanation below. The model TIP3 comes (almost) literally
from [7]. The rst change is the addition of the time action, whose precondition is true, and
whose eect is empty. The second change is the use of the oncycle predicate, which recognizes
not just devices that are on an ordinary cycle, but also devices that are on a path between
two cycles (see Section 4). Our verication shows that these devices also detect a cycle in the
protocol and give an error message (see property I12 in Denition 5.1, Section 5.1).
The IOA description of TIP4 is shown in Figure 8. The model TIP4 is a proper timed IOA
model: there is a state variable time which is used as a global clock, and per message queue
3. IOA models 9
automaton TIP3
states
child: Set[Port] := fg
mq: Array[Port,Seq[Mes]] := const(fg)
init: Array[Dev,Bool] := const(true)
rc, root, lpd: Array[Dev,Bool] := const(false)
transitions
internal childrenknown(d)
pre init[d] ^ size(ports(d)-child)  1
e init[d] := false;
for p in ports(d) do if p 2 child
then mq[p] := mq[p] ‘ ack
else mq[p] := mq[p] ‘ parent  od
internal addchild(d,p) where d = dev(p)
pre init[d] ^ head(mq[peer(p)]) = parent
e child := insert(p, child);
mq[peer(p)] := tail(mq[peer(p)])
internal receivemes(d,p,m) where d = dev(p)
pre : init[d] ^ ports(d)-child = fpg ^ head(mq[peer(p)]) = m
e if m = parent then rc[d] := true ;
mq[peer(p)] := tail(mq[peer(p)])
internal solverootcontent(d,p) where d = dev(p)
pre rc[d] ^ rc[dev(peer(p))]




pre : init[d] ^ : root[d] ^ ports(d)  child
e root[d] := true
output loopdetect(d)
pre oncycle(d) ^ : lpd[d]
e lpd[d] := true
time  where  > 0
pre true
e
Figure 7: Automaton TIP3.
3. IOA models 10
automaton TIP4
states
child: Set[Port] := fg
mq: Array[Port,Seq[Mes]] := const(fg)
delay: Array[Port,Time] := const(0)
init: Array[Dev,Bool] := const(true)
rc, root, lpd: Array[Dev,Bool] := const(false)
time: Time := 0
transitions
internal childrenknown(d)
pre init[d] ^ size(ports(d)-child)  1
e init[d] := false;
for p in ports(d) do delay[p] := 0;
if p 2 child
then mq[p] := mq[p] ‘ ack
else mq[p] := mq[p] ‘ parent  od
internal addchild(d,p) where d = dev(p)
pre init[d] ^ head(mq[peer(p)])=parent ^ delay[peer(p)]  Mindelay
e child := insert(p, child); mq[peer(p)] := tail(mq[peer(p)])
internal receivemes(d,p,m) where d = dev(p)
pre ^ : init[d] ^ ports(d)-child = fpg
^ head(mq[peer(p)])=m ^ delay[peer(p)]  Mindelay
e if m = parent then rc[d] := true ;
mq[peer(p)] := tail(mq[peer(p)])
internal solverootcontent(d,p) where d = dev(p)
pre rc[d] ^ rc[dev(peer(p))]
e child := insert(p,child);
rc[d] := false; rc[dev(peer(p))] := false
output root(d)
pre : init[d] ^ : root[d] ^ ports(d)  child
e root[d] := true
output loopdetect(d)
pre init[d] ^ : lpd[d] ^ time  MinLpdtime
e lpd[d] := true
time  where  > 0
pre 8 d,p:
^ : pre(childrenknown(d)) ^ : pre(root(d))
^ if init[d] ^ : lpd[d] then time+  MaxLpdtime 
^ if mq[p] 6=fg then delay(mq[p])+  MaxDelay 
e time := time+
for p in Port do delay[p] := delay[p]+ od
Figure 8: Automaton TIP4.
3. IOA models 11
there is a variable delay that is reset for each message sent on the corresponding queue. A
message is available at least after MinDelay time units have passed or ultimately after MaxDelay
time units have passed. The condition for detecting a cycle in the network also depends on time,
and not (as in TIP3) on the predicate oncycle which is based on the structure of the network.
It is our goal to show that cycle detection will occur if and only if there really is a cycle present
in the network.
We now give a short explanation of each action of TIP4. Whether a device is in the initial
phase is reflected in the state variable init. When init is true, only actions addchild and
childrenknown can be enabled. With addchild a parent request may be received (if the value
of delay indicates that the parent request is available) and the corresponding port is added to
the collection of children. The action childrenknown marks the end of the init phase. It can
only be performed when there is at most one port left which is not a child port, and when it is
performed, an acknowledgement is sent to all peer devices that are connected to a child port
and a parent request is sent to the peer device connected to the port that is not a child, if
any. If a device is on a cycle, then it does not ever reach the state in which childrenknown is
enabled, because two of its ports are connected to peer devices which are also on a cycle. In this
situation, the action loopdetect should be performed. In TIP3, the cycle is detected with the
oncycle predicate. In TIP4, a timer signals that the device stays in the init phase too long,
and therefore must be on a cycle. As soon as a device has left the init phase, it must wait for a
message on the one remaining port that is not a child. If there is no such port, then the device
is the root of the tree, and can perform the root action. If there is such a port, then the action
receivemes can be performed as soon as the message is available. The expected message is an
acknowledgement, after which the contribution of the device to the leader election is over. If an
unexpected parent request is received, then the device is in root contention with the peer device
that sent the parent request. The peer device has received or will receive the parent request
that was sent earlier, and thus has signalled or will signal the root contention. As soon as both
devices have signalled root contention, the action solverootcontent can be performed to break
the symmetry and add one of the two ports involved to the child collection. The device whose
port is added to child can then perform the root action. The time action signals the passing
of time, by increasing the value of time. Time passage may not occur if there are other actions
that cannot be delayed any further. Actions childrenknown and root are urgent, which means
that they should happen at the rst moment when they are enabled. Actions addchild and
receivemes are also urgent, but they are enabled only when a message becomes available. Since
the message is available only when the value of delay is in the interval [MinDelay; MaxDelay], we
require that the value of delay does not pass beyond the right-hand border of this interval. The
action loopdetect depends on the the value of time and can happen anywhere in the interval
[MinLpdtime; MaxLpdtime], so we require that time does not pass beyond MaxLpdtime. The only
action that is not mentioned in the precondition of the time action, is solverootcontent. The
reason for this is that in the IEEE 1394 documentation, there is a small sub-protocol with timers
that is used to break the symmetry, instead of the one action that represents this sub-protocol
in TIP4. Since this sub-protocol is not guaranteed to end in nite time (due to randomly drawn
bits), we cannot say at what time the action solverootcontent will take place. Hence we have
put not requirement on the time action for solverootcontent. The root contention solving
protocol is discussed and proved correct in [28].
4. Network preliminaries 12
4 Network preliminaries
This section gives some denitions and properties of network topologies which are needed in the
verication.
4.1 Networks
Denition 4.1 A network is a quintuple hD;P; dev; peeri, where
 D is a non-empty set of devices.
 P is a set of ports.
 dev : P ! D.
 peer : P ! P with for all p: peer(peer(p)) = p and p 6= peer(p).
For d 2 D, we dene the abbreviation ports(d) = fp 2 P jdev(p) = dg.
Given D0 and d 2 D0, the predicate leaf(D0; d) holds i 8p1; p2 2 ports(d) : dev(peer(p1)) 2
D0 ^ dev(peer(p2)) 2 D0 ! p1 = p2.
The network consists of a collection of devices, each of which has a set of ports. Each port is
connected to one other port with a cable, which is captured by the function peer. Each port
has a connection and no port is connected to itself. The cable connection itself is referred to as
a cable hop. Since for each p 2 P , dev(p) is dened, it follows that P = Sd2D ports(d).
Throughout this paper, we x a networkN = hD;P; dev; peeri and let variables p; p0; p00; p0; : : :
range over ports in P , and d; d0; d0; : : : over devices in D.
4.2 Paths, cycles
The following denitions and lemmas are necessary to identify paths, cycles, etc. in the network.
Denition 4.2 A path  is a non-empty sequence of ports  = p0p1 : : : pn, such that:
 n is odd
 p0 6= pn
 for all i > 0, if i is odd then pi−1 = peer(pi) else dev(pi−1) = dev(pi))
We denote the rst and last port of  with first() = p0 and last() = pn. We denote the
length of  with length() = (n + 1)=2. We denote the path obtained by reversing  with
reverse() = pn : : : p0.
Path  is a path from d1 to d2 if dev(first()) = d1 and dev(last()) = d2. We say that a
device d is on  i there is a port p in  such that d = dev(p). A cycle is a path  = p0 : : : pn
such that dev(p0) = dev(pn).
The predicate oncycle(p) is true i there is a cycle such that p is on it. The predicate oncycle(d)
is true i there is a port p 2 ports(d), such that oncycle(p) holds.
A path reflects a walk through the network by the concatenation of cable hops, in which a p1p2
cable hop may not be followed immediately by the reverse hop p2p1. The length of a path is
the number of cable hops included in that path. A cycle may include a path  which is wedged
in between smaller cycles  and  , resulting in the shape of a pair of glasses: reverse().
4. Network preliminaries 13
Ports that are part of a cycle (of whatever shape) remain inactive during the protocol, as we
will show later.
Lemma 4.3 If  = p0p1p2 : : : pn is a cycle, then p2 : : : pnp0p1 and reverse() are also cycles.
Lemma 4.4 oncycle(p)! oncycle(peer(p))
Lemma 4.5 oncycle(p)! size(fp0jp0 2 ports(dev(p)) ^ oncycle(p0)g)  2
Proof Let  = p0p1 : : : pn be a cycle such that p = pi.
If i = 0, then by denition of a cycle, dev(pn) = dev(p), and by denition of a path, pn 6= p.
If i is even and i > 0, then by denition of a path, dev(pi−1)− dev(p) and pi−1 6= p.
If i = n, then by denition of a cycle, dev(p0) = dev(p), and by denition of a path, p0 6= p.
If i is odd and i < n, then by denition of a path, dev(pi+1)− dev(p) and pi+1 6= p. 
Lemma 4.6 Let N = hD;P; dev; peeri be a connected network, and d1; d2 2 D.
If oncycle(d1), oncycle(d2), and  is a path from d1 to d2, then for each p 2  : oncycle(p)
Proof Let  be a cycle such that d1 is on it. Let  be a cycle such that d2 is on it. We will
show for each port p in  that oncycle(p), as follows.
Let  = p0 : : : pn. If pi is in  or  , then oncycle(pi). We take a fragment 0 = pi : : : pj from
 such that i > 0 implies that pi−1 in  or in  , and j < n implies that pj+1 in  or in  , and for
each port p on 0, p is not on  and not on  . If we can construct a cycle such that the fragment
0 is part of it, we are done.
Note that by denition, dev(pi) is on  or on  , and dev(pj) is on  or on  .
In the following case distinction we leave out all cases which are symmetric to a case proved
earlier.
1. pi = pj .
We assume w.l.o.g. that dev(pi) is on . Let  = 12 such that dev(pi) = dev(last(1)) =
dev(first(2)) and length(1) is even. By assumption, last(1) 6= pi = pj 6= first(2).
We construct the path 210 and see that it is a cycle.
2. pi 6= pj .
We assume w.l.o.g. that dev(pi) is on  and dev(pj) is on  . Let  = 12 such that
dev(pi) = dev(last(1)) = dev(first(2)) and length(1) is even. Let  = 12 such
that dev(pj) = dev(last(1)) = dev(first(2)) and length(1) is even. By assumption,
last(1) 6= pi 6= first(2) and last(1) 6= pj 6= first(2). We construct the path
21
021reverse(0) and see that it is a cycle.

4.3 Connected networks
The following denitions and lemmas are necessary to identify the distance of devices in the
network to the edge of the network, that is, how many times we have to take all the leaf devices
away before a device becomes a leaf in the remaining set. The distance measure dened here
will be used in the protocol to quantify the worst-case time that it takes for a device to complete
its part in the protocol.
Denition 4.7 N is connected if for each two devices d; d0 2 D there is a path from d to d0.
If N is connected, we denote the maximum length of the shortest path in N between any two
4. Network preliminaries 14
devices by MaxHop = max(fnjd1; d2 2 D ^ n = min(flength()j is path from d1 to d2g)g).
The function Steps is dened by the following equation:
Steps(D0; d) =

0 if leaf(D0; d) or oncycle(d)
1 + Steps(D00; d) otherwise
where D00 = D0 − fd0 2 D0jleaf(D0; d0)g
We abbreviate Steps(d) = Steps(D; d).
The function Shrink is dened by the following equation:
Shrink(D0; n0) =

D0 if n0 = 0
Shrink(D00; n0 − 1) otherwise
where D00 = D0 − fd0 2 D0jleaf(D0; d0)g
We abbreviate Shrink(n) = Shrink(D;n).
The value MaxHop, which is an upper bound to the mininum number of cable hops between any
two devices, is used in the IEEE documentation as a restriction on the networks on which the
protocol is to operate.
The function Steps gives the one but greatest distance between a device and a leaf in the
network. This number is determined by the number of steps it takes for such a device to become
a leaf, when in each step all leafs are removed. For a device that is part of a cycle, the value of
Steps has no meaning and will not be used.
The function Shrink gives the set of devices that remains when in each step the leaf devices are
removed and this is repeated for the indicated number of times, starting with the given set. The
correspondence between Steps and Shrink is obvious: if Steps(d) = n then leaf(Shrink(n); d)
holds and if Steps(d)  n then d 2 Shrink(n).
In the remainder of this paper, we assume that N is connected.
Lemma 4.8 Let d 2 D such that :oncycle(d).
If Steps(d) = n then size(fp0 2 ports(d)joncycle(dev(peer(p0)) _ Steps(dev(peer(p0))) 
ng)  1.
Proof By contradiction. Assume :oncycle(d) and Steps(d) = n. Let p; p0 2 ports(d) such
that p 6= p0 and oncycle(dev(peer(p))_Steps(dev(peer(p)))  n and oncycle(dev(peer(p0))_
Steps(dev(peer(p0)))  n. Since Steps(d) = n, either oncycle(d) or leaf(Shrink(n); d). Since
we assumed :oncycle(d), apparently leaf(Shrink(n); d). By our assumption dev(peer(p)) and
dev(peer(p0)) are both in Shrink(n). But p 6= p0, which contradicts leaf(Shrink(n); d). We
conclude that size(fp0 2 ports(d)joncycle(dev(peer(p0)) _ Steps(dev(peer(p0)))  ng)  1.

Lemma 4.9 For each d 2 D
Steps(d) 
 bMaxHop=2c if 8d0 2 D : :oncycle(d0)
max(0; MaxHop− 1) otherwise
Proof By contradiction.
1. Suppose 8d 2 D : :oncycle(d).
Suppose Steps(d) = m > bn=2c. We show that we can construct a shortest path  with
length() > n, by starting with d and extending the path in each step with one cable hop
4. Network preliminaries 15
in two directions. We use induction on n0 2 f1; : : : ;mg in the following hypothesis:
There is a path p0 : : : p4n0−1 with Steps(dev(p0))  m−n0 and Steps(dev(p4n0−1))  m−n0
and there is no other path from dev(p0) to dev(p4n0−1).
 (Base step) n0 = 1
Since m > 0, certainly :leaf(Shrink(m − 1); d), and since leaf(Shrink(m); d),
there must be p; q 2 ports(d) such that p 6= q and dev(peer(p)) and dev(peer(q)) in
Shrink(m−1). Fix p, q. Clearly, Steps(dev(peer(p)))  m−1 and Steps(dev(peer(q))) 
m − 1. Consider peer(p)pqpeer(q). This is a path if peer(p) 6= peer(q). Since
:oncycle(d0) for all d0 2 D, we see that dev(peer(p)) 6= dev(peer(q)), so peer(p) 6=
peer(q). If was another path from dev(peer(p)) to dev(peer(q)) then this would
contradict the assumption that :oncycle(d0) for all d0 2 D. We conclude that
 = peer(p)pqpeer(q) is a path that meets the requirements.
 (Induction step) n0 = n00 + 1  m and the hypothesis holds for n00
Let  = p0 : : : p4n00−1 such that Steps(dev(p0))  m− n00 and Steps(dev(p4n00−1)) 
m − n00 and there is no other path from dev(p0) to dev(p4n00−1). We abbreviate
d1 = dev(p0) and d2 = dev(p4n00−1) for the rst and last device of . Since n00 <
m, Steps(d1) > 0 and Steps(d2) > 0. So :leaf(Shrink(m − n00 − 1); d1) and
:leaf(Shrink(m − n00 − 1); d2). So there must be p; p0 2 ports(d1) and q; q0 2
ports(d2) such that p 6= p0, q 6= q0, and dev(peer(p)), dev(peer(p0)) dev(peer(q)),
and dev(peer(q0)) in Shrink(m−n00−1). Fix p, p0, q and q0. Now for x 2 fp; p0; q; q0g :
Steps(dev(peer(x)))  m − n00 − 1 = m − (n00 + 1) = m − n0 We assume without
loss of generality that p 6= p0 and q 6= p4n00−1. Consider peer(p)pqpeer(q). This
is a path if peer(p) 6= peer(q). Since :oncycle(d0) for any d0 2 D, we see that
dev(peer(p)) 6= dev(peer(q)), so peer(p) 6= peer(q). If there was another path
from dev(peer(p)) to dev(peer(q)) then this would contradict the assumption that
:oncycle(d0) for all d0 2 D. We conclude that peer(p)pqpeer(q) is a path that
meets all the requirements for the induction step.
We conclude that there is a shortest path in the network of length 2m. Since m > bn=2c,
certainly 2m > (2bn=2c) + 1  n. So 2m > n and we have a contradiction.
2. Suppose 9d0 2 D : oncycle(d0).
Suppose Steps(d) = m > max(0; n− 1). Then m > 0 and by denition of Steps, certainly
:oncycle(d). We show that we can construct a path  with length() > n, by starting
with d and a neighbour of d on a cycle, and extending the path in each step with one cable
hop to a neighbour which is not on a cycle. We use induction on n0 2 f0; : : : ;mg in the
following hypothesis:
There is a path p0p1 : : : p2n0+1 with oncycle(dev(p0)), Steps(dev(p2n0+1))  m− n0 and
for all 1  i  2n0 + 1: :oncycle(dev(pi)), and there is no shorter path from dev(p0) to
dev(p2n0+1).
 (Base step) n0 = 0
Suppose there is no p 2 ports(d) such that oncycle(dev(peer(p))). Since N is
connected, there must be , d0 such that  is a path  = p0 : : : pn from d0 to d with
oncycle(d0) and for each i > 0 : :oncycle(dev(pi)). Fix d0; . Since oncycle(d0)
and :oncycle(dev(p1)), we can use Lemma 4.8 to conclude that Steps(dev(p1)) >
max(fSteps(dev(p0)jp0 2 ports(dev(p1)) ^ p0 6= p1g). Then it is not hard to show
5. Verication 16
(using induction and Lemma 4.8) that 8i 2 f1; 3; : : : ; n − 2g : Steps(dev(pi)) 
Steps(dev(pi+2)). Then we easily have 8i 2 f1; 3; : : : ; ng : Steps(dev(pi))  m.
Since d is chosen arbitrarily with Steps(d) > n − 1, any of the devices on  except
dev(p0) would do. So we assume without loss of generality that there is a p 2 ports(d)
such that oncycle(dev(peer(p))). Fix p.
We now have Steps(d)  m, :oncycle(d), and oncycle(dev(peer(p)). We see that
peer(p)p is a path that meets the requirements, since there cannot be a shorter path
from dev(peer(p)) to d.
 (Induction step) n0 = n00 + 1  m and the hypothesis holds for n00
Let  = p0 : : : p2n00+1 such that oncycle(dev(p0)) , Steps(dev(p2n00+1))  m − n00
and for all 1  i  2n00 + 1: :oncycle(dev(pi), and there is no shorter path from
dev(p0) to dev(p2n00+1). We abbreviate d0 = dev(p2n00+1) to indicate the last device
in . Since n00 < m, Steps(d0) > 0. So :leaf(Shrink(m − n00 − 1); d. So there
must be p; p0 2 ports(d0) such that p 6= p0, and dev(peer(p)) and dev(peer(p0))
in Shrink(m − n00 − 1). Fix p, p0. Now for x 2 fp; p0g : Steps(dev(peer(x))) 
m − n00 − 1 = m − (n00 + 1) = m − n0. We assume without loss of generality that
p 6= p2n00+1.
Consider ppeer(p). This is a path if peer(p) 6= p0. Suppose that peer(p) = p0.
Then p = p1 and dev(p1) = d1, hence p2 : : : pn is a cycle, which contradicts our
assumption. We conclude that peer(p) 6= p0 and ppeer(p) is a path.
Suppose that oncycle(dev(peer(p))). Then by Lemma 4.6 we have that for all
1  i  2n00+1, oncycle(dev(pi)), which contradicts our assumption. So we conclude
that :oncycle(dev(peer(p))).
Suppose a shorter path than ppeer(p) exists from dev(p0) to dev(peer(p)). This
enables us to conclude that oncycle(dev(peer(pi))) with pi 2 , which contradicts
our assumptions. So we conclude that no shorter path than ppeer(p) exists from
dev(p0) to dev(peer(p)).
We see that the path ppeer(p) meets all the requirements for the induction step.
So there is a shortest path in the network of length m+ 1. Since m > n− 1, m+ 1 > n
and we have a contradiction.

5 Verication
In this section we prove that the IEEE 1394 tree identify protocol is correct relative to our
model. In Section 5.1 some properties are given which have been proved invariant for the model
TIP3in [7]. Some additional properties are given, which are be proved invariant for the model
TIP4, provided that the invariants for TIP3 are also invariant for TIP4. This provision is solved
in the next section, Section 5.2, in which it is proved that under certain timing restrictions
the behaviour of TIP4 is included in the behaviour of TIP3. The proofs in Section 5.2 allow
us to conclude that the safety aspects of cycle detection and root election in TIP4 meet the
IEEE 1394 requirements. In Section 5.3 we prove some liveness properties for TIP4. Finally, in
Section 5.4 we discuss whether the IEEE 1394 timing constants obey the restrictions that we
found in Section 5.2.
5. Verication 17
The proofs in Sections 5.1 and 5.2 use simulation techniques from [19] which are listed in
Appendix A. These appendices also present a new result for using invariants in stepwise re-
nement, which is useful for this verication because it allows us to reuse invariants properties
from [7] without extra eort. In Appendix A.2, some new sucient conditions for feasibility can
be found. These lessen the proof burden when proving that there are no time deadlocks in the
model.
Throughout this section we x a connected network N = hD;P; dev; peeri as the parameter
for TIP4. We let s,t range over states of TIP4,  over Time, and m over Mes.
5.1 Invariants for TIP3 and TIP4
We rst dene the properties, of which some are taken from the PVS code used to check the




= init[dev(p)]! mq[p] = fg
I3(p)
= init[dev(p)]! peer(p) 62 child
I4(d)
= init[d] _ size(ports(d)− child)  1
I5(p)
= length(mq[p])  1
I6(p)
= p 2 child! mq[peer(p)] = fg
I7(p)
= rc[dev(p)]! mq[peer(p)] = fg
I8(p)
= rc[dev(p)]! peer(p) 62 child
I9(p)
= _ init[dev(p)]
_ head(mq[p]) = parent
_ peer(p) 2 child
_ rc[dev(peer(p))]
_ p 2 child
I10(p)
= mq[p] 6= fg ! delay[p]  MaxDelay
I11(d)
= ^ :oncycle(d) ^ init[d]! time  Steps(d)  MaxDelay
^ :oncycle(d) ^ time > Steps(d)  MaxDelay
! 8p02 ports(d) :
head(mq[p0]) = parent
! time− delay[p0]  Steps(d)  MaxDelay
I12(d)
= ^ MinLpdtime > max(0; MaxHop− 1)  MaxDelay
^ init[d]
^ :oncycle(d)












p I2(p), et cetera.
Some of the properties in Denition 5.1 have been taken from [7], from which we also repeat the
following result.
Lemma 5.2 Properties I1, I2, I3, I4, I5, I6, I7, I8, and I9 are invariant for TIP3.
Even though the predicate oncycle has a dierent meaning in [7], we can assume that the proofs
[7] still hold here, since the oncycle predicate is not used in the proofs.
Now we prove that under the assumption that some of the properties from Denition 5.1 hold
in each reachable state for TIP4, it follows that others hold in each reachable state for TIP4 as
well. In Section 5.2, the assumptions will be fullled by the corresponding properties for TIP3.
Lemma 5.3 1. I10 is inductive relative to (I2 ^ I5) for TIP4.
2. I11 is inductive relative to (I1 ^ I3 ^ I5 ^ I9) for TIP4.
3. For each s 2 reachable(TIP4), s j= I11 implies s j= I12.
4. I13 is inductive relative to I3 for TIP4.




Initially, s:time = 0 and 8p : s:mq[p] = fg. Since Steps(d)  0, Steps(d)  MaxDelay 
0 = s:time. Since 8p 2 ports(d) : s:mq[p] = fg, it follows that s j= I11.
Suppose from s a! t and s j= I1 ^ I3 ^ I5 ^ I9 ^ I11. We have to show that t j= I11. Fix n
such that n  MaxDelay  s:time < (n+ 1)  MaxDelay.
We make the following case distinction.
(a) s:time > Steps(d)  MaxDelay
By s j= I11 we see that :s:init[d]. By the eect of a, we conclude that :t:init[d].
Now we just need to show for each p0 2 ports(d) that if head(t:mq[p0]) = parent, then
t:time−t:delay[p0]  Steps(d)MaxDelay. Assume p0 2 ports(d) and head(t:mq[p0]) =
parent. By :s:init[d], s j= I5 and the precondition and eect of a, head(s:mq[p0]) =
parent. Since s j= I11, it follows that s:time− s:delay[p0]  Steps(d)  MaxDelay.
i. 8 > 0 : a 6= 
Then by the eect of a, t:time = s:time, and by :s:init[d] and the precondition
and eect of a, t:delay[p0] = s:delay[p0]. So t:time − t:delay[p0] = s:time −
s:delay[p0]  Steps(d)  MaxDelay and it follows that t j= I11(d).
ii. a = 
Then t:time = s:time + , and t:delay[p0] = s:delay[p0] + . So t:time −
t:delay[p0] = s:time +  − (s:delay[p0] + ) = s:time− s:delay[p0]  Steps(d) 
MaxDelay and it follows that t j= I11(d).
(b) s:time  Steps(d)  MaxDelay
5. Verication 19
i. :s:init[d]
By the eect of a, :t:init[d]. The remainder is equal to the proof for Step 2a.
ii. s:init[d]
A. 8 > 0 : a 6= 
Then by the eect of a, t:time = s:time, so t:time  Steps(d)  MaxDelay,
hence for each p0 2 ports(d), trivially t:time − t:delay[p0]  Steps(d) 
MaxDelay and it follows that t j= I11(d).
B. a =  ^ s:time +   Steps(d)  MaxDelay
Then for each p0 2 ports(d), trivially t:time − t:delay[p0]  Steps(d) 
MaxDelay and it follows that t j= I11(d).
C. a =  ^ s:time +  > Steps(d)  MaxDelay
The eect of a leads to a violation of property I11, so we have to show that
our assumption on a leads to a contradiction.
First we prove by contradiction that for each d0 with :oncycle(d0) and
Steps(d0) < Steps(d), it follows that 8p0 2 ports(d0) : s:mq[p0] = fg _
head(s:mq[p0]) = ack. Suppose :oncycle(d0), Steps(d0) < Steps(d) and
head(s:mq[p0]) = parent. By s j= I11, we see that s:time − s:delay[p0] 
Steps(d0)MaxDelay. Since t:time− t:delay[p0] = s:time+−(s:delay[p0]+
) = s:time − s:delay[p0]  Steps(d0)  MaxDelay, and since s:time +  >
Steps(d)  MaxDelay  (Steps(d0) + 1)  MaxDelay, we get s:delay[p0] +  >
MaxDelay, which in contradiction with our assumption that s enables .
Now we prove by contradiction that for each d0 with :oncycle(d0) and
Steps(d0)  Steps(d), it follows that :s:init[d0]. Fix d0 such that :oncycle(d0),
s:init[d0] and there is no d00 with Steps(d00) < Steps(d0) and s:init[d00]. Let
P 0 = fp0 2 ports(d0)j:oncycle(dev(peer(p0))) ^ Steps(dev(peer(p0))) 
Steps(d0) − 1g. By Lemma 4.8, size(ports(d0) − P 0)  1. Fix p0 2 P 0
and d00 = dev(peer(p0)). Note that Steps(d00) < Steps(d0)  Steps(d). By
our assumption, :s:init[d00]. By s:init[d0] and s j= I3, we see peer(p0) 62
s:child. By s:init[d0] and s j= I1, we see :s:rc[d0]. Combining all of this
with our observation that s:mq[peer(p0)] = fg _ head(s:mq[peer(p0)] = ack
and s j= I9, we get p0 2 s:child. So size(ports(d0)) − s:child = 1. Since
s:init[d0], s enables childrenknown(d0) which is in contradiction with our
assumption that s enables . We conclude that :s:init[d0].
From this observation, it trivially follows that :s:init[d] which is in con-
tradiction with our assumption. It follows that a 6=  _ s:time +  
Steps(d)  MaxDelay.
3. Let s 2 reachable(TIP4) such that s j= I11. Assume MinLpdtime > max(0; MaxHop − 1) 
MaxDelay ^ s:init[d] ^ :oncycle(d). By s:init[d] ^ :oncycle(d) and s j= I11, s:time 
Steps(d)  MaxDelay. Note that for each n  0, bn=2c  max(0; n − 1). Combining this
with Lemma 4.9, we get Steps(d)  max(0; MaxHop− 1). So s:time  max(0; MaxHop− 1) 
MaxDelay < MinLpdtime and it follows that s j= I12.
4. Suppose oncycle(d).
Initially, s:init[d], hence s j= I13.
Suppose s a! t and s j= I3 ^ I13. By oncycle(d) and s j= I13, we see that s:init[d].
If a 6= childrenknown(d) then t:init[d] = s:init[d], so it suces to show that a 6=
5. Verication 20
childrenknown(d). By Lemma 4.5 and oncycle(d), there must be p1; p2 2 ports(d) such
that p1 6= p2 and oncycle(dev(peer(p1))) and oncycle(dev(peer(p2))). Since s j= I13,
we see that s:init[dev(peer(p1))] and s:init[dev(peer(p2))]. Since s j= I3, we see that
p1 62 s:child and p2 62 s:child. Since p1 6= p2, we see that size(ports(d) − s:child  2,
hence s does not enable childrenknown(d).
5. Trivial.

Note that by Items 2 and 3 it follows that I12 is inductive relative to (I1 ^ I3 ^ I5 ^ I9 ^ I11) for
TIP4.
5.2 TIP4 implements TIP3
We use the properties established in Section 5.1 to obtain that TIP4 implements TIP3. As an
implementation relation we take inclusion of admissible timed traces. From Section 5.1, it follows
that the behaviour of TIP4 meets these properties only when the parameters obey the following
relation: MinLpdtime > max(0; MaxHop− 1)  MaxDelay. Therefore, we assume throughout this
section that this relation holds.
In order to obtain the implementation relation, we construct a function that is to be proved
a weak timed renement from TIP4 to TIP3. Given the complicated relations between the
invariants for TIP3 and the properties for TIP4, we have been forced to either prove the properties
for TIP4 that depend on invariants for TIP3 anew, or to prove the invariance of the properties
for TIP4and the weak renement in one proof, or to come up with a more elegant solution.
The latter approach has given rise to some new sucient conditions, which are presented in
Appendix A.
To avoid confusion, all state variables from TIP3 are subscripted with 3, and all state variables
from TIP4 are subscripted with 4. Since the action signatures are equal, we do not use these
subscript on the action names.
Denition 5.4 The function ref from states of TIP4 to states of TIP3 is dened to be the
identity function on state variables with the same name.
Lemma 5.5 Let s 2 states(TIP3). For all I 2 fI1; I2; I3; I4; I5; I6; I7; I8; I9g, ref(s) j= I implies
s j= I.
Proof Trivial. 
Lemma 5.6 1. s 2 Start(TIP4) implies ref(s) 2 Start(TIP3).
2. s a!TIP4 t, s j= I10 ^ I11 ^ I12 ^ I13 ^ I14 and ref(s) j= I1 ^ I2 ^ I3^ I4 ^ I5 ^ I6 ^ I7 ^ I8 ^ I9
implies ref(s) a!TIP3 ref(t).
Proof
1. Suppose s 2 Start(TIP4).
Since the initial requirements are the same for every state variable in TIP3 as for the state
variable with the same name in TIP4, and the state variables with the same name have
the same value in s and in ref(s), ref(s) 2 Start(TIP3) follows from s 2 Start(TIP4).
5. Verication 21
2. Suppose s a!TIP4 t s j= I10^I11^I12^I13^I14 and ref(s) j= I1^I2^I3^I4^I5^I6^I7^I8^I9.
s 2 reachable(TIP4) and ref(s) 2 reachable(TIP3).
Since for each a, the eect in TIP3 is equal to the eect in TIP4 on all state variables from
TIP3, it follows that whenever ref(s) a!TIP3 t0, then t0 = ref(t).
If a 62 Sd loopdetect(d), then we see that the precondition of a in TIP4 trivially implies
the precondition of a in TIP3, hence if s a!TIP4, then ref(s) a!TIP3. So we just need to
show that if a = loopdetect(a), then ref(s) a!TIP3.
Suppose a = loopdetect(a). By precondition of a in TIP4, :s:lpd4[d] and s:time4 
MinLpdtime. From :s:lpd4[d] we see :ref(s):lpd3[d]. By s:time4 = lpdtime4[d] and
s j= I12 we see that either :s:init4[d] or oncycle(d). By precondition of a in TIP4 we see
that s:init4[d], and we conclude that oncycle(d). Hence ref(s) enables a.

Corollary 5.7 I1, I2, I3, I4, I5, I6, I7, I8, I9, I10, I11, I12, I13 and I14 are invariant for TIP4.
Proof By Lemmas 5.2, 5.3, 5.5 and 5.6 we can use Lemma A.2. 
Corollary 5.8 The function ref is a weak timed renement from TIP4 to TIP3 with respect
to (I10 ^ I11 ^ I12 ^ I13 ^ I14) and (I1 ^ I2 ^ I3 ^ I4 ^ I5 ^ I6 ^ I7 ^ I8 ^ I9)
Proof By Lemmas 5.2, 5.3, 5.5 and 5.6 we can use Lemma A.2. 
The implementation relation now follows easily.
Theorem 5.9 t-traces(TIP4)  t-traces(TIP3).
Proof Combine Corollary 5.8 with Theorem 6.14 from [19]. 
5.3 Liveness results for TIP4
In this section we show some liveness results for model TIP4. As in Section 5.2, we assume that
the parameters of TIP4 meet the following relation: MinLpdtime > max(0; MaxHop−1)MaxDelay.
The liveness results are the following. We rst show that TIP4 has no time deadlocks. For
this, some new sucient conditions are used, which are presented in Appendix A.2. Then we
prove that when a cycle is present, it will be detected, and that otherwise a root will be elected.
Notice that we cannot use results from TIP3, since notions as quiescence and fairness are not
present at the timed level.
First we need to dene a measure on reachable states, to indicate the number of discrete
actions that must be performed before passing of time will be enabled again.
5. Verication 22
Denition 5.10 The function Measure gives a pair for each state s from TIP4, as follows:
Measure(s) = hI; C +R+M + Li
where
I = size(fdjs:init[d]g)
C = size(P − s:child)
R = size(fdj:s:root[d]g)
M = size(fpjs:mq[p] 6= fgg)
L = size(fdj:s:lpd[d]g)
The ordering  is the lexicographic ordering on pairs of naturals, based on the ordering < on
naturals.
Since < is well-founded,  is also well-founded.
Now we prove the properties that we need for deadlock freedom, namely that when no discrete
action is enabled, then the passage of time is enabled, and that at every moment in time at most
a nite amount of discrete activity can occur.
Lemma 5.11 For each s 2 reachable(TIP4) the following holds:
1. s enables an action from acts(TIP4).
2. If s a! t and 8 > 0 : a 6= , then Measure(t)  Measure(s) otherwise Measure(t) =
Measure(s).
Proof
1. It suces to show that if s does not enable a for all a 2 acts(Tipvier) −S>0fg, then s
enables  for some  > 0, which we prove by contradiction.
Suppose that for all a 2 acts(TIP4), s does not enable a. Apparently s does not enable
any  > 0, so either s:time = MaxLpdtime and 9d : s:init[d] ^:s:lpd[d], or 9p : s:mq[p] 6=
fg ^ s:delay([p])  MaxDelay.
Suppose s:time = MaxLpdtime, s:init[d] and :s:lpd[d]. Then s enables loopdetect(d)
and we have a contradiction.
Suppose s:mq[p] 6= fg and s:delay[p]  MaxDelay. Let head(s:mq[p]) = m. Since MaxDelay 
MinDelay, s:delay[p]  MinDelay. Using Invariant I2, we get :s:init[dev(p)], and us-
ing Invariant I6 we get peer(p) 62 s:child. Suppose p 2 s:child. Using Invariant I3 we
get :s:init[dev(peer(p))]. Then s enables receivemes(dev(peer(p)); peer(p);m) and we
have a contradiction. So p 62 s:child. Using Invariant I7, we see that :s:rc[dev(peer(p))].
Combining all of this with I9 we get m = parent. Suppose s:init[dev(peer(p))]. Then s
enables addchild(dev(peer(p)); peer(p)) and we have a contradiction. So :s:init[dev(peer(p))].
Then s enables receivemes(dev(peer(p)); peer(p); parent) and we have a contradiction.
2. Let Measure(s) = hIs; Cs +Rs +Ms + Lsi and Measure(t) = hIt; Ct +Rt +Mt + Lti.
(a) a = childrenknown(d)
By precondition of a, :s:init[d] and by eect of a, t:init[d]. So It < Is. We conclude
that Measure(t)  Measure(s).
5. Verication 23
(b) a = addchild(d; p)
By eect of a, t:init = s:init, t:root = s:root and t:lpd = s:lpd, hence It =
Is, Rt = Rs and Lt = Ls. By precondition of a, head(s:mq[peer(p)] = parent.
Combining this with Invariant I5, we get s:mq[peer(p)] = fg ‘ parent. By the
eect of a, t:mq[peer(p)] = tail(s:mq[peer(p)]) = fg, so Mt = Ms − fpeer(p)g,
hence Mt < Ms. Combining head(s:mq[peer(p)] = parent with Invariant I6 we get
p 62 s:child. By eect of a, t:child = s:child[ fpg. So Ct < Cs. By eect of a We
conclude that Measure(t)  Measure(s).
(c) a = receivemes(d; p;m)
By eect of a, t:init = s:init, t:child = s:child, t:root = s:root and t:lpd =
s:lpd, hence It = Is, Ct = Cs, Rt = Rs and Lt = Ls. By precondition of a,
head(s:mq[peer(p)] = m. Combining this with Invariant I5, we get s:mq[peer(p)] =
fg ‘ m. By the eect of a, t:mq[peer(p)] = tail(s:mq[peer(p)]) = fg, so Mt =
Ms − fpeer(p)g, hence Mt < Ms. We conclude that Measure(t)  Measure(s).
(d) a = solverootcontent(d; p)
By eect of a, t:init = s:init, t:root = s:root, t:mq = s:mq and t:lpd = s:lpd, hence
It = Is, Rt = Rs, Mt = Ms and Lt = Ls. By precondition of a, s:rc[dev(peer(p))].
Combining this with Invariant I8 we get p 62 s:child. By eect of a, t:child =
s:child [ fpg. So Ct < Cs. We conclude that Measure(t)  Measure(s).
(e) a = root(d)
By eect of a, s:init = t:init, s:child = t:child, t:mq = s:mq and t:lpd = s:lpd,
hence It = Is, Ct = Cs, Mt = Ms and Lt = Ls. By precondition of a, :s:root[d], and
by eect of a, t:root[d]. So Rt < Rs. We conclude that Measure(t)  Measure(s).
(f) a = loopdetect(d)
By eect of a, s:init = t:init, s:child = t:child, s:root = t:root and s:mq = t:mq,
hence It = Is, Ct = Cs, Rt = Rs and Mt = Ms. By precondition of a, :s:lpd[d], and
by eect of a, t:lpd[d]. So Lt < Ls. We conclude that Measure(t)  Measure(s).
(g) a = 
By eect of a, s:init = t:init, s:child = t:child, s:root = t:root, s:mq = t:mq and
t:lpd = s:lpd. Hence It = Is, Ct = Cs, Rt = Rs, Mt = Ms and Lt = Ls, and we
conclude that Measure(t) = Measure(s).

Now we show that TIP4 cannot get into a time deadlock by its own discrete activity. A timed
I/O automaton that has this property is called feasible.
Theorem 5.12 TIP4 is feasible.
Proof It can easily be seen that TIP4 fullls the requirements for Lemma A.3. This lemma
fullls one of the requirements in Theorem A.4. The other requirement is fullled by the Measure
function and the result in Proposition 5.11. It follows from Theorem A.4 that TIP4 is feasible.

We now show that whenever there is a cycle in the network, it is detected by the protocol.
Theorem 5.13 Let  be an admissible execution of TIP4.
If oncycle(d) then  contains an occurrence of lpd(d).
5. Verication 24
Proof Since time proceeds in  without bound, and since initially s:lpd[d] is false and since
s:lpd[d] can only be made true by an occurrence of lpd(d), it suces to show that for each
reachable state s in TIP4, if s:time > MaxLpdtime, then s:lpd[d]. This follows easily from
Invariant I14. 
Unfortunately, it is not possible to prove that if there is no cycle in the network, then within
nite time a root will be elected. This is due to the unknown duration of the root contention
solving sub-protocol. The following theorem shows that if no root contention occurs, then indeed
a root is elected in nite time.
Theorem 5.14 Let  = s0a1s1 : : : be an admissible execution of TIP4.
If 8d : :oncycle(d) and 8i; d : :si:rc[d], then 9d such that  contains an occurrence of root(d).
Proof Assume 8d : :oncycle(d). We observe the following:
1. Time proceeds in  without bound.
2. In each reachable state s in TIP4 the following holds. For all d: if s is an initial state then
:s:root[d], and if s:root[d], then each execution leading to s must contain an occurrence
of root(d).
3. If there is a state s in  and a d such that ports(d) − s:child = fg, then  contains an
occurrence of root(d).
This is easily seen by a few observations. Fix s and d such that ports(d)− s:child = fg.
First, s:init[d] or s:root[d] or s enables root(d). If s:root[d], then by Item 2 we conclude
that  contains an occurrence of root(d). If s:init[d] then s enables childrenknown(d).
If s enables childrenknown(d) or root(d), then s does not enable any  > 0. If s enables
childrenknown(d) and s a! t then either a = childrenknown(d) and t enables root(d) or
t enables childrenknown(d). If s enables root(d) and s a! t then a = root(d) or t enables
root(d).
4. In each reachable state s in TIP4 the following holds. If 8p 2 P either p 2 s:child or
peer(p) 2 s:child, then there exists a d such that ports(d) − s:child = fg.
Suppose 8p 2 P either p 2 s:child or peer(p) 2 s:child and there is no d such that
ports(d) − s:child = fg. Construct a longest path  = p0 : : : pn such that for each
i 2 f0; 2; : : : ; n − 1g : pi 62 s:child and for all i; j 2 f0; 1; 3; 5; : : : ; ng : i 6= j ! dev(pi) 6=
dev(pj). Since pn−1 62 s:child, and pn = peer(pn−1) certainly pn 2 s:child. Suppose
that p 2 dev(pn) : p 62 s:child. If dev(peer(p)) = dev(pi) for some i 2 f0; : : : ; ng, then
we can construct a cycle, and we have a contradiction. So dev(peer(p)) 6= dev(pi) for all
i 2 f0; : : : ; ng. But then we can construct a longer path than  to meet the requirements,
and we have a contradiction. So we conclude that there is no p 2 dev(pn) : p 62 s:child,
hence ports(dev(pn))− s:child = fg.
We now show that there is a state s in  and a d such that ports(d) − s:child = fg. By
denition of , there exists an i such that si:time > (bMaxHop=2 + 1c + 1)  MaxDelay and
8j < i : sj :time  (bMaxHop=2c + 1)  MaxDelay. Fix i.
By Lemma 4.9 and 8d : :oncycle(d), we have 8d : Steps(d)  bMaxHop=2c, hence 8d :
(Steps(d) + 1)  MaxDelay < si:time. Using invariant I11 we get 8d : :si:init[d]. Using
invariant I4 we get 8d : size(ports(d)− si:child)  1.
5. Verication 25
constant value reference
min cable length 0 no restriction specied
max cable length 4.5 m Section 1.1, Page 1, 1394-1995
max cable hops 16 Section 1.1, Page 1, 1394-1995
propagation delay 5.05 ns/m Section 4.2.1.4.3, Page 74, 1394-1995
min CONFIG TIMEOUT 166.6 s Table 7-14, Page 89, 1394-1995
166.6 s Table 8-14, Page 90, P1394a
max CONFIG TIMEOUT 166.9 s Table 7-14, Page 89, 1394-1995
166.9 s Table 8-14, Page 90, P1394a
Table 1: IEEE 1394 timing constants
Suppose 9d : size(ports(d) − si:child) = 0. Fix d. It follows that ports(d) − si:child = fg.
By Item 3 we may conclude that  contains an occurrence of root(d).
Suppose 8d : size(ports(d) − si:child) = 1. Suppose 9p : p 62 si:child ^ peer(p) 62 si:child.
Fix p. By our assumption we have :s:rc[dev(peer(p))]. Combining this with :s:init[dev(p)]
and By invariant I9, we get head(si:mq[p]) = parent. Combining this with :oncycle(dev(p))
and Invariant I11, we get si:time− si:delay[p])  Steps(dev(p))  MaxDelay. Since si:time >
(Steps(dev(p)) + 1)  MaxDelay, we have si:delay[p] > MaxDelay which is in contradiction with
Invariant I10. We conclude that there is no p such that p 62 si:child^peer(p) 62 si:child. Since
8p : p 2 si:child_ peer(p) 2 si:child we can use Item 4 to conclude that there is a d such that
ports(d)− si:child = fg. Fix d. By Item 3 we may conclude that  contains an occurrence of
root(d).

5.4 Are the IEEE 1394 timing constants correct?
Table 1 gives the IEEE 1394 timing constants, and a reference to where they are to be found
in the documentation. Here, 1394-1995 refers to [10] and P1394a refers to [11]. Note that the
constants are the same for 1394-1995 and P1394a. From these numbers, we get the constants
used for the formal verication as follows:
MinDelay = min cable length  propagation delay = 0ns
MaxDelay = max cable length  propagation delay = 22:72ns
MinLpdtime = min CONFIG TIMEOUT = 166:6s
MaxLpdtime = max CONFIG TIMEOUT = 166:9s
MaxHop  max cable hops = 16
The question is then, do these constants meet the requirement for correct implementation?
We found in Theorem 5.9 that the model behaves correctly if the relation MinLpdtime >
max(0; MaxHop−1)MaxDelay holds. Since (16−1)22:72 ns = 340:80 ns < 166:9s, the answer
is yes. If the devices in IEEE 1394 enter the tree identify phase at the same time, if there is no
device with the force root flag set to true, and if our model of the IEEE 1394 communication is
correct, then we can say the following with certainty: If a loop is in the network, it is detected,
and that if there is no loop in the network, no loop will be detected and a root will be chosen.
The dierence between the actual MinLpdtime value and the minimal value as required by
6. Conclusions 26
our relation is rather large. One could wonder whether this implies that the limitations set by
IEEE 1394 and P1394a can be loosened. This could be done by decreasing the MinLpdtime
value, increasing the number of nodes allowed, increasing the delay between nodes (by allowing
greater cable lengths), or a combination of these. However, the times at which the tree identify
phase is entered can dier among nodes. The constant responsible for the duration of the bus
reset signal being sent is based on a worst-case scenario for any node to notice that a bus reset
period has started. This constant has a value of about 166 s, and can be used as an indication
of the dierence in starting times for the tree identify phase. If the times can indeed be that far
apart for peer nodes, the loop detection timer should be in the same order of magnitude to not
run the risk of detecting a loop when it is not there. Moreover, the use of the force root flag
increases the delay in participating in the tree identify phase even further. We conclude that it
is not yet clear whether the IEEE 1394 and P1394a bounds are correct and may be loosened.
6 Conclusions
The verication shows that under the assumptions made, the IEEE 1394 denition of the tree
identify phase meets the requirements. Exactly one root is chosen when there is no cycle present,
and a cycle is detected if and only if there is a cycle present in the network. It is obvious from
the proofs that the renement step from an untimed model to a timed model in combination
with the desired property of correct cycle detection is a complicated one. More proofs about
network topologies are needed to make a quantitative analysis of the worst case scenarios. Also
the invariant properties that are specic to the model TIP4 become more complicated. The
eort invested in the construction of these proofs adds up to about two months. We hope that
in further renement steps these proofs can be reused with little eort.
As to the remaining IEEE 1394 details that we have not considered, we believe that the
addition of the delay in entering the tree identify phase will not aect the correctness of the
protocol. Also the addition of the root contention solving protocol with its verication from
[28] will probably not touch the critical behaviour parts of the root election or cycle detection.
However, the correctness of a model obtained by adding the force root flag and the assumption
that the message queues model the IEEE 1394 signal communication is not that obvious. An
extension of this work may show that either IEEE 1394 timing bounds can be tightened or
should be loosened.
The advantage of the layered verication in this case is that we do not need to prove anything
about the safety properties of root election, since our renement proof give us safety immediately.
Establishing the renement was not as easy as expected, because of the complicated reuse
of invariants at the abstract level. The extra lemma that was needed shows that the proof
obligations can still be divided over small, clear proof steps.
Establishing the desired liveness properties that express that indeed a cycle is detected when
there is a cycle in the network topology and indeed a root is elected otherwise, do not follow
from the ‘implements’ relation, since we have only proved inclusion of admissible traces. In an
untimed verication, liveness properties are proved by showing a fair trace inclusion, that is,
each fair trace from the more detailed model is also a fair trace in the more abstract model.
In most cases, the liveness property holds trivially for any fair trace of the abstract model,
and therefore also for any fair trace of the detailed model. In a timed verication, liveness is
often expressed in terms of timing bounds. Then again the (admissible) trace inclusion yields
correctness. In our case, both of these methods do not work. We are comparing a timed model
REFERENCES 27
to an essentialy untimed model and hence have no fairness that carries over from the more
abstract level to the (timed) detailed level. On the other hand, we have no timing requirement
for when the root should be elected. So we have had to prove the liveness completely on the level
of model TIP4, without reusing proofs from the level of TIP3. In most cases and especially in
timed verications, proving safety involves many properties from which the greater part of the
proof obligations for the liveness properties already follows. It can be argued from Section 5.3
that here the remaining proof obligation is not trivial. Nevertheless, we consider model TIP4 to
be highly complex, and expect that in other timed verications it will be easier to show that once
time has proceeded beyond a certain point, the safety properties combined with the feasibility
proofs give the desired liveness properties.
We conclude that for proving safety and liveness properties in a situation with only untimed
models or with only timed models, a layered verication is a very suitable proof method which
allows one to ‘divide and conquer’ the proof obligations. In a situation where timed and untimed
behaviour are compared, we think that other methods should be used in addition, or the degree
of renement should be very low in order for a layered verication to diminish the amount of
work to be done in each layer. It would be very benicial if the proofs constructed for this paper
were checked with a proof checker. Careful manual inspection can never replace the condence
obtained by such automated inspection. Some results have been obtained in checking invariant
proofs for I/O automata, both timed and untimed, as can be seen in [2], and several papers which
are under construction [1]. We expect that such an eort will be considerable, but manageable.
Acknowledgements The following people have contributed to this paper. David Grioen
was my partner in nding the essence of the TIP behaviour in the IEEE standard. Besides being
the co-author of [4, 7], he also came up with an good version of model TIP4. Rudi Bloks explained
some details of the IEEE standard which were vital for getting the models right. At the point
where I got stuck in an early verication attempt of this protocol, Frits Vaandrager suggested
and initiated the layered verication, and later he came up with the sucient conditions for the
weak timed renement. Finally, the anonymous referees have given many helpful comments.
References
[1] M. Archer. Personal communication, March 1999.
[2] M. Archer and C. Heitmeyer. Mechanical verication of timed automata: A case study. In Pro-
ceedings 1996 IEEE Real-Time Technology and Applications Symposium (RTAS’96). IEEE Com-
puter Society Press, 1996. A full version is available as Report NRL/MR/5540{98-8180 from URL
http://www.itd.nrl.navy.mil/ITD/5540/publications/CHACS/1998/.
[3] J.W. Davies and S.A. Schneider. A brief history of timed csp. Theoretical Computer Science,
138(2):243{271, 1995.
[4] M.C.A. Devillers, W.O.D. Grioen, J.M.T Romijn, and F.W. Vaandrager. Verication of a leader
election protocol | formal methods applied to IEEE 1394. Technical Report CSI-R9728, Computing
Science Institute, University of Nijmegen, December 1997. Accepted, subject to revision, for Formal
Methods in System Design.
[5] S.J. Garland, N.A. Lynch, and M. Vaziri. IOA: A language for specifying, pro-
gramming, and validating distributed systems, December 1997. Available through URL
http://larch.lcs.mit.edu:8001/~garland/ioaLanguage.html.
[6] R. Gawlick, R. Segala, J.F. Sgaard-Andersen, and N.A. Lynch. Liveness in timed and untimed
systems. In S. Abiteboul and E. Shamir, editors, Proceedings 21th ICALP, Jerusalem, volume 820 of
REFERENCES 28
Lecture Notes in Computer Science. Springer-Verlag, 1994. A full version appears as MIT Technical
Report number MIT/LCS/TR-587.
[7] W.O.D. Grioen and F.W. Vaandrager. Normed simulations. In Proceedings CAV’98, volume 1427
of Lecture Notes in Computer Science, pages 332{344. Springer-Verlag, 1998.
[8] J.F. Groote and A. Ponse. The syntax and semantics of CRL. In A. Ponse, C. Verhoef, and
S.F.M. van Vlijmen, editors, Algebra of Communicating Processes ’94, Workshops in Computing.
Springer-Verlag, 1995.
[9] J.F. Groote and J.S. Springintveld. Focus points and convergent process operators | a proof strategy
for protocol verication. Technical Report 142, Logic Group Preprint Series, Utrecht University,
1995. This report also appeared as Technical Report CS-R9566, CWI, 1995.
[10] IEEE Computer Society. IEEE Standard for a High Performance Serial Bus. Std 1394-1995, August
1996.
[11] IEEE Computer Society. Draft Standard for a High Performance Serial Bus (Supplement). P1394a
Draft 3.0, June 1999.
[12] L. Ku¨hne, J. Hooman, and W.P. de Roever. Towards mechanical verication of parts of the IEEE
P1394 serial bus. In I. Lovrek, editor, Proceedings 2nd International Workshop on Applied Formal
Methods in System Design, Zagreb, pages 73{85, 1997.
[13] Leslie Lamport. How to write a long formula. Formal Aspects of Computing, 6:580{584, 1994. Also
appeared as SRC Research Report 119.
[14] S.P. Luttik. Description and formal specication of the Link layer of P1394. In I. Lovrek, edi-
tor, Proceedings of the 2nd International Workshop on Applied Formal Methods in System Design,
Zagreb, pages 43{56, 1997. Also available as Report SEN-R9706, CWI, Amsterdam. See URL
http://www.cwi.nl/~luttik/.
[15] N.A. Lynch. Distributed Algorithms. Morgan Kaufmann Publishers, Inc., San Francisco, California,
1996.
[16] N.A. Lynch and M.R. Tuttle. Hierarchical correctness proofs for distributed algorithms. In Proceed-
ings of the 6th Annual ACM Symposium on Principles of Distributed Computing, pages 137{151,
1987. A full version is available as MIT Technical Report MIT/LCS/TR-387.
[17] N.A. Lynch and M.R. Tuttle. An introduction to input/output automata. CWI Quarterly, 2(3):219{
246, September 1989.
[18] N.A. Lynch and F.W. Vaandrager. Forward and backward simulations, I: Untimed systems. Infor-
mation and Computation, 121(2):214{233, September 1995.
[19] N.A. Lynch and F.W. Vaandrager. Forward and backward simulations, II: Timing-based systems.
Information and Computation, 128(1):1{25, July 1996.
[20] Z. Manna and A. Pnueli. Verifying hybrid systems. In R.L. Grossman, A. Nerode, A.P. Ravn, and
H. Rischel, editors, Hybrid Systems, volume 736 of Lecture Notes in Computer Science, pages 4{35.
Springer-Verlag, 1993.
[21] Z. Manna and A. Pnueli. Temporal Verication of Reactive Systems: Safety. Springer-Verlag, 1995.
[22] S. Owre, J. Rushby, N. Shankar, and F. von Henke. Formal verication for fault-tolerant architec-
tures: Prolegomena to the design of PVS. IEEE Transactions on Software Engineering, 21(2):107{
125, February 1995.
[23] S.A. Schneider. Timewise renement for communicating processes. Science of Computer Program-
ming, 28(1):43{90, 1997.
A. Safe and Timed I/O Automata 29
[24] R. Segala. Modeling and Verication of Randomized Distributed Real-Time Systems. PhD thesis,
Department of Electrical Engineering and Computer Science, Massachusetts Institute of Technology,
June 1995. Available as Technical Report MIT/LCS/TR-676.
[25] R. Segala and N.A. Lynch. Probabilistic simulations for probabilistic processes. Nordic Journal of
Computing, 2(2):250{273, 1995.
[26] C. Shankland and M.B. van der Zwaag. The tree identify protocol of IEEE 1394 in CRL. Formal
Aspects of Computing, 10:509{531, 1998.
[27] M. Sighireanu and R. Mateescu. Verication of the link layer protocol of the ieee-1394 serial bus
(rewire): an experiment with e-lotos. Springer International Journal on Software Tools for Tech-
nology Transfer (STTT), 2(1):68{88, December 1998.
[28] M.I.A. Stoelinga and F.W. Vaandrager. Root contention in IEEE 1394. In Proceedings 5th Int.
AMAST Workshop on Real-Time and Probabilistic Systems (ARTS’99). Springer-Verlag, 1999. To
appear.
A Safe and Timed I/O Automata
In this appendix we review some basic denitions from [6, 21, 19], and we give sucient condi-
tions for including invariants in renement proofs when the invariants at the rened level depend
on invariants at the abstract level. These conditions are presented in Lemma A.2. Lemma A.6
is the timed version, which is used in the verication in this paper.
A.1 Safe I/O automata
A safe I/O automaton B consists of the following components:
 A set states(B) of states (possibly innite).
 A nonempty set start(B)  states(B) of start states.
 A set acts(B) of actions, partitioned into three sets in(B), int(B) and out(B) of input ,
internal and output actions, respectively.
Actions in local(B) = out(B) [ int(B) are called locally controlled .
 A set steps(B)  states(B)  acts(B)  states(B) of transitions, with the property that
for every state s and input action a 2 in(B) there is a transition (s; a; s0) 2 steps(B).
We let s; s0,.. range over states, and a,.. over actions. We write s a!B s0, or just s a−! s0 if B is
clear from the context, as a shorthand for (s; a; s0) 2 steps(B).
Enabling of actions An action a of a safe I/O automaton B is enabled in a state s i s a−! s0
for some s0. Since every input action is enabled in every state, safe I/O automata are said to
be input enabled. The intuition behind the input-enabling condition is that input actions are
under control of the environment and that the system that is modeled by a safe I/O automaton
cannot prevent the environment from doing these actions.
A. Safe and Timed I/O Automata 30
Executions An execution fragment of a safe I/O automaton B is a nite or innite alternating
sequence s0a1s1a2s2    of states and actions of B, beginning with a state, and if it is nite also
ending with a state, such that for all i, si
ai+1−! si+1. An execution is an execution fragment that
begins with a start state. We write execs(B) for the set of nite executions of B, and execs(B)
for the set of all executions of B. A state s of B is reachable if it is the last state of some nite
execution of B. We write rstates(B) for the set of reachable states of B.
Traces Suppose  = s0a1s1a2s2    is an execution fragment of B. Let γ = a1a2    . Then
the trace of  is the sequence (γdin(B) [ out(B)), denoted by γ^. With traces(B) we denote the
set of traces of executions of B. For s; s0 states of B and  a nite sequence of input and output
actions of B, we dene s
)B s0 i B has a nite execution fragment with rst state s, last state
s0 and trace .
Invariants Let P;Q  states(B). P is invariant for B if it is a superset of the reachable states
of B, i.e. rstates(B)  P . P is inductive relative to Q if start(B)  P and if for each s0 2 P \Q:
s0 a!B s implies s 2 P .
Renements Let A and B be safe I/O automata. A renement from A to B is a function
r : states(A)! states(B) that satises:
1. If s 2 start(A) then r(s) 2 start(B).
2. If s0 a!A s then r(s0) )B r(s), where  = a^.
Let A and B be safe I/O automata with invariants P and Q, respectively. A weak renement
from A to B, with respect to P and Q, is a function r : states(A)! states(B) that satises:
1. If s 2 start(A) then r(s) 2 start(B).
2. If s0 a!A s, s0 2 P , and r(s0) 2 Q, then r(s0) )B r(s), where  = a^.
Theorem A.1 Let A and B be safe I/O automata. If there exists a (weak) renement from A
to B, then traces(A)  traces(B).
Using abstract and rened invariants in a renement Let A;B be safe I/O automata.
The following lemma gives sucient conditions for a weak renement from A to B when one
wants to use P1; P2; Q such that Q is invariant for B, P1 is invariant for A depending on Q and
the denition of the renement function, and P2 is invariant for A depending on P1.
Lemma A.2 Let A;B be safe I/O automata. Let Q be invariant for B and P2 be inductive
relative to P1 for A. Let r : states(A)! states(B) such that
1. r(s) 2 Q implies s 2 P1,
2. s 2 start(A) implies r(s) 2 start(B), and
3. s0 2 P2, r(s0) 2 Q and s0 a!A s implies r(s0) )B r(s), where  = a^.
Then
A. Safe and Timed I/O Automata 31
1. P1; P2 are invariant for A.
2. r is a weak timed renement from A to B with respect to P2 and Q.
Proof
1. By induction.
IH(n) = 8s;  : (s 2 rstates(A) ^  2 execs(A) ^  = s0 a1 s1 : : : sn ^ s = sn)
! (r(s) 2 rstates(B) ^ s 2 (P1 \ P2 ))
 Base step: n = 0.
By denition of , s 2 start(A). By denition of r, r(s) 2 start(B) so certainly
r(s) 2 rstates(B). Since Q is invariant for B, r(s) 2 Q. By denition of r, s 2 P1.
Since s 2 start(A), and since P2 is inductive relative to P1 for A, s 2 P2.
 Induction step: 8n  n0 : IH(n).
Let s 2 rstates(A) ^  2 execs(A) ^  = s0 a1 s1 : : : sn0an0+1 sn0+1 ^ s = sn0+1 . Since
s0a1s1 : : : sn0 2 execs(A), certainly sn0 2 rstates(A). Combining this with n0  n0,
we get IH(n0). Since IH(n0), r(sn0) 2 rstates(B) ^ sn0 2 (P1 \ P2 ). Since r(sn0) 2
rstates(B) and Q is invariant for B, r(sn0) 2 Q. Since sn0
an0+1! A sn0+1 and by
denition of r, r(sn0)
)B r(sn0+1) with  = [an0+1, hence r(sn0+1) 2 rstates(B),
hence r(sn0+1) 2 Q. By denition of r, sn0+1 2 P1. Since sn0 2 (P1 \ P2) and
sn0
an0+1! A sn0+1 and since P2 is inductive relative to P1 for A, sn0+1 2 P2.
2. By Item 1, the assumption that Q is invariant for B and by denition of r.

A.2 Timed I/O Automata
A timed I/O automaton A is a safe I/O automaton whose set of actions includes R+, the set
of positive reals. Actions from R+ are referred to as time-passage actions. Other actions are
referred to as discrete actions. Performing one or more consecutive time-passage actions is called
idling. We let d; d0; : : : range over R+ and, more generally, t; t0; : : : over the set R of real numbers.
The set of visible actions is dened by vis(A) = (in(A) [ out(A))− R+.
We assume that a timed I/O automaton satises the following axioms.
S1 If s0 d−! s00 and s00 d0−! s, then s0 d+d0−! s.
For the second axiom, an auxiliary denition is needed. A trajectory for a step s0 d−! s is a
function w : [0; d]! states(A) such that w(0) = s0, w(d) = s, and
w(t) t
0−t−! w(t0) for all t; t0 2 [0; d] with t < t0:
Now we can state the second axiom.
S2 Each step s d−! s0 has a trajectory.
Axiom S1 gives a natural property of time, namely that if time can pass in two steps, then it
can also pass in a single step. The trajectory axiom S2 is a kind of converse to S1; it says that
any time-passage step can be \lled in" with states for each intervening time, in a \consistent"
way. Executions of timed I/O automata correspond to what are called sampling computations
in [20].
A. Safe and Timed I/O Automata 32
Timed Traces The full externally visible behaviour of a timed I/O automaton can be inferred
from its executions as follows: suppose  = s0a1s1a2s2    is an execution fragment of a timed
I/O automaton A. For each index j, let tj be given by
t0 = 0;
tj+1 = if aj+1 2 R+ then tj + aj+1 else tj:
The limit time of , notation :ltime , is the smallest element of R0 [f1g larger than or equal
to all the tj . We say  is admissible if :ltime = 1, and Zeno if it is an innite sequence but
with a nite limit time. The timed trace t-trace() associated with  is dened by
t-trace() = (((a1; t1)(a2; t2)    )d(vis(A) R0 ); :ltime):
Thus, t-trace() records the visible actions of  paired with their times of occurrence, as well as
the limit time of the execution. A pair  is a timed trace of A if it is the timed trace of some nite
or admissible execution of A. Thus, we explicitly exclude the timed traces that originate from
Zeno executions. We write t-traces(A) for the set of all timed traces of A, t-traces(A) for the
set of nite timed traces (the timed traces derived from the nite executions), and t-traces1(A)
for the set of admissible traces (the timed traces derived from the admissible executions).
Moves We say s0 p;A s is a t-move of A if A has a nite timed execution fragment  =
s0a1s1 : : : sn such that s0 = s0, s = sn and p = t-trace().
Feasibility Let A be a timed I/O automaton. We say A is feasible if each element of
t-traces(A) is the prex of some element of t-traces1(A).
Giving the proof for feasibility can be hard or tiresome. However, in some cases it follows
rather straightforwardly from the denition of the timed I/O automaton. We give the following
sucient conditions, divided over two results, of which the rst is rather simple, and the second
is a bit more involved.
Lemma A.3 Let A be a timed I/O automaton with clock variables X and discrete variables
Y . If
1. The precondition of time action d is of the following form, in which ; 1; : : : ;  n are
Boolean expressions over variables in Y , x1; : : : ; xn 2 X and c1; : : : ; cn 2 R+:
: ^ ( 1 ! x1 + d  c1) ^    ^ ( n ! xn + d  cn)
2. The eect of time action d is of the following form:
8x 2 X : x := x+ d
3. For each s 2 reachable(A):
(s j= )! 9a : s a! ^ a is discrete
4. For each s 2 reachable(A) and 0  i  n:
(s j=  i ^ xi  ci)! 9a : s a! ^ a is discrete
A. Safe and Timed I/O Automata 33
then for each s 2 reachable(A) and d > 0, the following holds:
_ s d!
_ 9a : s a! ^ a is discrete
_ 9d0; a; s0 : d0 < d ^ s d0! s0 a! ^a is discrete
Proof Let s 2 reachable(A), d > 0 and s does not enable d. Then s j= :(:^ ( 1 ! x1 + d 
c1) ^    ^ ( n ! xn + d  cn)), which can easily be rewritten to s j=  _ ( 1 ^ x1 + d >
c1) _    _ ( n ^ xn + d > cn).
Suppose s j= . By Assumption 3, there is a discrete action a such that s a!, and the result
follows.
Suppose s j= :. Then s j= ( 1 ^ x1 + d > c1) _    _ ( n ^ xn + d > cn). Take J to be the
set of indices for which the disjunct is true, that is, J = fij1  i  n ^ s j=  i ^ xi + d > ci)g.
Suppose that for some i 2 J , s j= xi  ci. Then by Assumption 4, there is a discrete action a
such that s a!, and the result follows.
Suppose that for all i 2 J , s j= xi < ci. Take d0 to be the smallest value such that for
some i 2 J , s j= xi + d0 = ci. Fix i. It is clear that for each 1  j  n which is not in
J , s j= xj + d0  cj . By assumption, s j= :, so we now see that s enables d0. Let s d
0! s0.
By Assumption 2, and s j= xi + d0 = ci, the eect of d0 is such that s0 j= xi = ci. Now by
Assumption 4, there is a discrete action a such that s a!, and the result follows. 
Theorem A.4 Let A be a timed I/O automaton. If
1. For each s 2 reachable(A) and d > 0, the following holds:
_ s d!
_ 9a : s a! ^ a is discrete
_ 9d0; a; s0 : d0 < d ^ s d0! s0 a! ^a is discrete
2. Function M : states(A) ! D is a measure function,  is a well-founded ordering on D,
and C 2 R+ is a constant such that for each s; s0 2 reachable(A): s a! s0 implies that if a
is discrete and s does not enable C, then M(s0)  M(s), otherwise M(s0)  M(s).
then A is feasible.
Proof Suppose  2 t-traces1(A). We dene the function f that recursively builds an admissible
execution from any state, as follows:
f(s) =
8>><>>:
s C f(s0) if s C! s0
s a f(s0) if s
C
6! ^ s a! s0
s d s0 a f(s00) if s
C
6! ^ (8a0 : a is discrete ! s
a0
6!) ^ s d! s0 a! s00
Note that f(s) may pick a and d in an arbitrary way when s does not enable C. For the proof
this has no consequence.
Let  = 0as and let  be the execution resulting from 0af(s). By Assumption 1,  can be
constructed.
Suppose  is not admissible. Then there is an innite sux in  in which each occurrence
of a time step implies that the time passing is smaller than C. Without loss of generality we
A. Safe and Timed I/O Automata 34
assume that the sux starts after the prex 0, that is, in the part which is constructed by
f . By denition of f , no state in this sux enables C, so there are no two adjacent time
steps in this sux. We see that there are innitely many occurrences of discrete actions in the
sux. Combining this with the fact that each state in the sux does not enable C we have
a contradiction with Assumption 2, our decreasing measure function. We conclude that  is
admissible. 
Implementation relation LetA andB be timed I/O automata. A implements B if t-traces(A) 
t-traces(B).
Renements Let A and B be timed I/O automata. A timed renement from A to B is a
function r : states(A)! states(B) that satises:
1. If s 2 start(A) then r(s) 2 start(B).
2. If s0 a!A s then r(s0) p;B r(s), where p = t-trace(s0as).
Let A and B be timed I/O automata with invariants P and Q, respectively. A weak timed
renement from A to B, with respect to P and Q, is a function r : states(A) ! states(B) that
satises:
1. If s 2 start(A) then r(s) 2 start(B).
2. If s0 a!A s, s0 2 P , and r(s0) 2 Q, then r(s0) p;B r(s), where p = t-trace(s0as).
Theorem A.5 Let A and B be timed I/O automata. If there exists a (weak) timed renement
from A to B, then t-traces(A)  t-traces(B).
Using abstract and rened invariants in a timed renement We now present the timed
version of Lemma A.2, since the timed version is used in the verication in this paper.
Lemma A.6 Let A;B be timed I/O automata. Let Q be invariant for B and P2 be inductive
relative to P1 for A. Let r : states(A)! states(B) such that
1. r(s) 2 Q implies s 2 P1,
2. s 2 start(A) implies r(s) 2 start(B), and
3. s0 2 P2, r(s0) 2 Q and s0 a!A s implies r(s0) p;B r(s), where p = t-trace(s0as).
Then
1. P1; P2 are invariant for A.
2. r is a weak timed renement from A to B with respect to P2 and Q.
Proof Similar to the proof for Lemma A.2. 
