Revisiting Timed Specification Theories: A Linear-Time Perspective by Chilton, Chris et al.
Revisiting Timed Specification Theories:
A Linear-Time Perspective
Chris Chilton, Marta Kwiatkowska, and Xu Wang
Department of Computer Science, University of Oxford, UK
Abstract. We consider the setting of component-based design for real-
time systems with critical timing constraints. Based on our earlier work,
we propose a compositional specification theory for timed automata with
I/O distinction, which supports substitutive refinement. Our theory pro-
vides the operations of parallel composition for composing components at
run-time, logical conjunction/disjunction for independent development,
and quotient for incremental synthesis. The key novelty of our timed
theory lies in a weakest congruence preserving safety as well as bounded
liveness properties. We show that the congruence can be characterised by
two linear-time semantics, timed-traces and timed-strategies, the latter of
which is derived from a game-based interpretation of timed interaction.
1 Introduction
Component-based design methodologies can be encapsulated in the form of com-
positional specification theories, which allow the mixing of specifications and
implementations, admit substitutive refinement to facilitate reuse, and provide
a rich collection of operators. Previously [1], we developed a linear-time specifi-
cation theory for reasoning about untimed components that interact by synchro-
nisation of input and output (I/O) actions, inspired by interface automata [2].
Models can be specified operationally by means of transition systems augmented
by an inconsistency predicate on states, or declaratively using traces. The the-
ory admits non-determinism, a refinement preorder based on traces, and the
operations of parallel composition, conjunction and quotient. The refinement
is strictly weaker than alternating simulation and is actually the weakest pre-
congruence preserving inconsistent states. This implies that our refinement is
substitutive, meaning component A refines component B iff A can replace B in
any environmental context without introducing additional errors.
In this paper we target component-based development for real-time systems
with critical timing constraints. We formulate a timed extension of the linear-
time specification theory of [1], by allowing for both operational descriptions
of components, as well as declarative specifications based on traces. Our oper-
ational models are based on a variant of timed automata with I/O distinction
(although we do not insist on input-enabledness, cf [3]), augmented by two spe-
cial states: ⊥ for safety and bounded-liveness errors, and > for timestop. Trace-
based declarative specifications are shown to be a suitable semantic domain for
the operational models. In addition to timed-trace semantics, we present timed-
strategy semantics, which coincides with the former but relates our work closer
to the timed-game frameworks used by [4] and [5]. The substitutive refinement of
our framework gives rise to the weakest congruence preserving ⊥, and is shown
to coincide across all our formalisms.
Amongst notable works in the literature, we briefly mention a theory of timed
interfaces [5] and a theory of timed specifications [4]. Timed interface theory
contributes a framework based on timed games to formalise notions such as
interfaces and compatibility, and also provides a parallel composition operator.
However, the work cannot be considered a specification theory as it does not
deal with the notion of refinement for component substitution or the operations
of conjunction, disjunction and quotient. In this respect, [4] provides a complete
theory; however, the refinement is a timed version of the alternating simulation
originally defined for interface automata [2]. Consequently, it is too strong for
determining when a component can be safely substituted with another (cf the
example in Figure 3).
Outline. In Section 2 we introduce timed I/O automata, their semantic mapping
to timed I/O transition systems, and supply the operational definitions for the
operations of parallel composition, conjunction, disjunction and quotient. In Sec-
tion 3 we use the timed-game framework to introduce timed-strategy semantics,
which we relate to the operational framework. Similarly in Section 4, we present
timed-trace semantics and relate these to the operational definitions. Section 5
discusses related work, and finally Section 6 concludes.
2 Formal Framework
In this section we introduce timed I/O automata, timed I/O transition systems
and a semantic mapping from the former to the latter. Timed I/O automata
are compact representations of timed I/O transition systems. Our theory will be
developed using timed I/O transition systems, which are endowed with a richer
repertoire of semantic machinery.
2.1 Timed I/O Automata
Clock constraints. Given a set X of real-valued clock variables, a clock constraint
over X, cc : CC(X), is a boolean combination of atomic constraints of the form
$x \bowtie d$ and $x - y \bowtie d$, where $x, y \in X$, $\bowtie \in \{\le, <, =, >, \ge\}$ and $d \in \mathbb{N}$.
A clock valuation over X is a map t that assigns to each clock variable x in
X a real value from R≥0. We say t satisfies cc, written t ∈ cc, if cc evaluates to
true under valuation t . t + d denotes the valuation derived from t by increasing
the assigned value on each clock variable by $d \in \mathbb{R}_{\ge 0}$ time units. $t[rs \mapsto 0]$
denotes the valuation obtained from t by resetting the clock variables in rs to
0. Sometimes we use 0 for the clock valuation that maps all clock variables to 0.
Definition 1. A timed I/O automaton (TIOA) is a tuple (C , I ,O ,L, l0,AT ,
Inv , coInv), where:
– C ⊆ X is a finite set of clock variables
– A (= I ∪ O) is a finite alphabet, where I and O are disjoint sets of input
actions and output actions respectively
– L is a finite set of locations
– l0 ∈ L is the initial location
– AT ⊆ L × CC (C ) × A × 2C × L is a set of action transitions
– Inv : L → CC (C ) and coInv : L → CC (C ) assign invariants and co-
invariants to states, each of which is a downward-closed clock constraint.
We use l, l′, li to range over L and write $l \xrightarrow{g,a,rs} l'$ as a shorthand for $(l, g, a, rs, l') \in AT$. $g \in CC(C)$ is the enabling guard of the transition, $a \in A$ the action, and rs the subset of clock variables to be reset.
Our TIOAs are similar to existing variants of timed automata with in-
put/output distinction, except for the introduction of co-invariants and non-
insistence on input-enabledness. While invariants specify the bounds beyond
which time may not progress, co-invariants specify the bounds beyond which the
system will time-out and enter error states. Our TIOAs can be used to describe
both the assumptions made by the component on the inputs, together with the
guarantees provided by the component on the outputs. Such assumptions and
guarantees can be time constrained: guards on output transitions express safety
timing guarantees, while guards on input transitions express safety timing as-
sumptions; invariants (urgency) express liveness timing guarantees on outputs
while co-invariants (time-out) express liveness timing assumptions on inputs.
When components interact together, we check whether the guarantees they
provide meet the assumptions they make on each other. If not, there are two
types of errors:
– An input arrives in a state and at a time when it is not expected (i.e. not
satisfying the guards on the input transitions). This is a safety error.
– An input does not arrive in a state within a time bound (specified by a
co-invariant) as expected. This is a bounded-liveness error.
Example. Figure 1 depicts TIOAs representing a job scheduler together with a
printer controller. The invariant at location A of the scheduler forces a bounded-
liveness guarantee on outputs in that location. As time must be allowed to
progress beyond t = 100, the start action must be fired within the range 0 ≤ t ≤
100. After start has been fired, the clock x is reset to 0 and the scheduler waits
(possibly indefinitely) for the job to finish. If the job does finish, the scheduler is
only willing for this to take place between 5 ≤ t ≤ 8 after the job started (safety
assumption), otherwise an unexpected input error will be thrown.
The controller waits for the job to start , after which it will wait exactly 1
time unit before issuing print (forced by the invariant y ≤ 1 on state 2 and
the guard y = 1). The controller now requires the printer to indicate the job is
printed within 10 time units of being sent to the printer, otherwise a time-out
error on inputs will occur (co-invariant y ≤ 10 in state 3 as liveness assumption).
After the job has finished printing, the controller must indicate to the scheduler
that the job has finished within 5 time units.
[Figure 1, diagram not reproduced; the automata it shows are as follows. Scheduler: locations A (Inv: x <= 100, Co: true) and B (Inv: true, Co: true); transitions A --start! x:=0--> B and B --finish? [5 <= x <= 8] x:=0--> A. Printer_controller: locations 1 (Inv: true, Co: true), 2 (Inv: y <= 1, Co: true), 3 (Inv: true, Co: y <= 10) and 4 (Inv: y <= 5, Co: true); transitions 1 --start? y:=0--> 2, 2 --print! [y == 1] y:=0--> 3, 3 --printed? y:=0--> 4 and 4 --finish! [y <= 5]--> 1.]
Fig. 1. Job scheduler and printer controller.
2.2 Timed Actions and Words
In this section we introduce some notation relating to timed actions and timed
words that will be of use to us in later sections.
Timed actions. For a set of input actions I and a set of output actions O , define
tA = I ⊎ O ⊎ R>0 to be the set of timed actions, tI = I ⊎ R>0 to be the set of
timed inputs, and tO = O ⊎ R>0 to be the set of timed outputs. We use symbols
like α, β, etc. to range over tA.
Timed words. A timed word (ranged over by w ,w ′,wi etc.) is a finite mixed
sequence of positive real numbers (R>0) and visible actions such that no two
numbers are adjacent to one another. For instance, 〈0.33, a, 1.41, b, c, 3.1415〉 is
a timed word denoting the observation that action a occurs at 0.33 time units,
then another 1.41 time units lapse before the simultaneous occurrence of b and
c, which is followed by 3.1415 time units of no event occurrence. The empty
word is denoted by .
Operations on timed words. We use last(w) to denote the last element in the
sequence w , and l(w) to indicate the length, which is obtained as the sum of all
the reals in w . Concatenation of timed words w and w ′ is obtained by appending
w ′ onto the end of w and coalescing adjacent reals (summing them). For instance,
〈a, 1.41〉 ⌢ 〈0.33, b, 3.1415〉 = 〈a, (1.41 + 0.33), b, 3.1415〉 = 〈a, 1.74, b, 3.1415〉.
Prefix/extension are defined as usual by concatenation, and we use ≤ for the
prefix partial order. We write w  tA0 for the projection of w onto timed alphabet
tA0, which is defined by removing from w all actions not inside tA0 and coalescing
adjacent reals.
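The timed-word operations of this section (concatenation with coalescing of adjacent reals, length, projection and the prefix order), worked as an added Python example; this is not code from the paper. Delays are kept as exact fractions rather than floats so that coalesced delays such as 1.41 + 0.33 compare reliably, which is a choice of this example, and the names `TimedWord`, `concat`, `project` and `is_prefix_of` are this example's own.

```python
from fractions import Fraction
from typing import Iterable, List, Union

Delay = Fraction
Elem = Union[Delay, str]


class TimedWord:
    """Finite mixed sequence of positive delays and actions in which no two
    delays are adjacent (Sect. 2.2). Adjacent delays are summed on entry, so the
    invariant holds by construction. Delays are exact Fractions; floats are
    converted through their decimal text, so 1.41 + 0.33 is exactly 1.74."""

    def __init__(self, elems: Iterable[Elem] = ()):
        self.elems: List[Elem] = []
        for e in elems:
            self._append(e)

    @staticmethod
    def _delay(e) -> Delay:
        d = Fraction(str(e)) if isinstance(e, float) else Fraction(e)
        if d <= 0:
            raise ValueError("delays must be positive reals (R>0)")
        return d

    def _append(self, e: Elem) -> None:
        if isinstance(e, str):
            self.elems.append(e)
        elif self.elems and not isinstance(self.elems[-1], str):
            self.elems[-1] += self._delay(e)        # coalesce adjacent reals
        else:
            self.elems.append(self._delay(e))

    def last(self) -> Elem:
        """last(w): the final element of the sequence (None for the empty word)."""
        return self.elems[-1] if self.elems else None

    def length(self) -> Delay:
        """l(w): total time elapsed, i.e. the sum of all reals in w."""
        return sum((e for e in self.elems if not isinstance(e, str)), Fraction(0))

    def concat(self, other: "TimedWord") -> "TimedWord":
        """w concatenated with w': append, coalescing reals that meet at the seam."""
        w = TimedWord(self.elems)
        for e in other.elems:
            w._append(e)
        return w

    def project(self, alphabet) -> "TimedWord":
        """Projection onto a timed alphabet: drop actions outside `alphabet`; the
        reals left adjacent are coalesced by the constructor."""
        return TimedWord(e for e in self.elems
                         if not isinstance(e, str) or e in alphabet)

    def is_prefix_of(self, other: "TimedWord") -> bool:
        """w <= w' iff some w'' gives w concatenated with w'' equal to w'. A trailing
        delay of w may be shorter than the matching delay of w' (time cut mid-delay)."""
        a, b = self.elems, other.elems
        if len(a) > len(b):
            return False
        if not a:
            return True
        if a[:-1] != b[:len(a) - 1]:
            return False
        x, y = a[-1], b[len(a) - 1]
        if isinstance(x, str):
            return x == y
        return not isinstance(y, str) and x <= y

    def as_list(self) -> list:
        """Elements with delays rendered as floats, for display and checking."""
        return [e if isinstance(e, str) else float(e) for e in self.elems]

    def __eq__(self, other) -> bool:
        return isinstance(other, TimedWord) and self.elems == other.elems

    def __repr__(self) -> str:
        return "<" + ", ".join(str(e) for e in self.as_list()) + ">"


# The paper's two running examples, reproduced here as constructed inputs.
W = TimedWord([0.33, "a", 1.41, "b", "c", 3.1415])
CONCAT_EXAMPLE = TimedWord(["a", 1.41]).concat(TimedWord([0.33, "b", 3.1415]))
```

Projecting W onto {b} removes a and c and merges the delays around them, giving <1.74, b, 3.1415>: the total time l(w) is unchanged by projection, which is exactly what makes the projected word a faithful record of when b was observed.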
2.3 Semantics as Timed I/O Transition Systems
The semantics of TIOAs are given as timed I/O transition systems, which are a
special class of infinite labelled transition systems.
Definition 2. A timed I/O transition system (TIOTS) is a tuple P = 〈I ,O ,S ,
s0,→〉, where: I and O are the input and output actions respectively, S is a set
of states, s0 is the designated initial state, and →⊆ S × I unionmultiO unionmultiR>0 × S is the
action and time-labelled transition system.
The states of the TIOTS for a TIOA capture the configurations of the au-
tomaton, i.e. its location and clock valuation. Therefore, each state of the TIOTS
is a pair drawn from L×RC , which we refer to as the set of plain states, denoted
P . In addition, we introduce two special states ⊥ and >, which are required for
the semantic mapping of disabled inputs/outputs, invariants and co-invariants.
⊥ is called the inconsistent state, representing safety and bounded-liveness
errors. ⊤ (printed as > elsewhere in this text) is the so-called timestop state,
representing the magic moment from which no error can occur.1
An intuitive way to understand > and ⊥ is from an input/output game
perspective. The component controls output and delay while the environment
controls input. ⊥ is the losing state for the environment. So a disabled input at a
state p is equated to an input transition from p to ⊥. > is the losing state for the
component. So a disabled output/delay at p is equated to an output/delay tran-
sition from p to >. Thus we can have two semantics-preserving transformations
on TIOTSs.
The ⊥-completion of a TIOTS P, denoted P⊥, adds an a-labelled transi-
tion from p to ⊥ for every p ∈ PP and a ∈ I s.t. a is not enabled at p. ⊥-
completion will make a TIOTS input-receptive, i.e. input-enabled at all states.
The >-completion of a TIOTS P, denoted P>, adds an α-labelled transition
from p to > for every p ∈ PP and α ∈ tO s.t. α is not enabled at p.
Furthermore, for technical convenience (e.g. ease of defining time additivity),
the definition of TIOTSs requires that 1) > is a quiescent state, i.e. a state in
which the set of outgoing transitions are all self-loops, one for each d ∈ R>0,
and 2) ⊥ is a chaotic state, i.e. a state in which the set of outgoing transitions
are all self-loops, one for each α ∈ tA. The set of all possible states is denoted
S = P ⊎ {⊥, ⊤}. We use p, p′, pi to range over P while s, s′, si range over S.
The transition relation → of the TIOTS is derived from the execution se-
mantics of the TIOA.
Definition 3. Let P be a TIOA. The semantic mapping of P is a TIOTS
〈I ,O ,S , s0,→〉, where:
– S = (L × R^C) ⊎ {⊥, ⊤}
– s0 = ⊤ providing 0 ∉ Inv(l0), s0 = ⊥ providing 0 ∈ Inv(l0) ∧ ¬coInv(l0),
and s0 = (l0, 0) providing 0 ∈ Inv(l0) ∧ coInv(l0),
– → is the smallest relation satisfying:
1. If $l \xrightarrow{g,a,rs} l'$, $t' = t[rs \mapsto 0]$ and $t \in Inv(l) \wedge coInv(l) \wedge g$, then:
(a) plain action: $(l,t) \xrightarrow{a} (l',t')$ providing $t' \in Inv(l') \wedge coInv(l')$
(b) error action: $(l,t) \xrightarrow{a} \bot$ providing $t' \in Inv(l') \wedge \neg coInv(l')$
(c) magic action: $(l,t) \xrightarrow{a} \top$ providing $t' \notin Inv(l')$.
1 For instance, a location with true as co-invariant and false as invariant is mapped
to ⊤, while a location with true as invariant and false as co-invariant is mapped to
⊥. A location with false for both invariant and co-invariant is mapped to ⊤ since
invariants have priority over co-invariants according to our semantics; whereas a
location with x ≤ 0 as invariant and true as co-invariant is mapped to a plain state.
2. plain delay: $(l,t) \xrightarrow{d} (l, t+d)$ if $t, t+d \in Inv(l) \wedge coInv(l)$
3. time-out delay: $(l,t) \xrightarrow{d} \bot$ if $t \in Inv(l) \wedge coInv(l)$, $t+d \notin coInv(l)$ and
$\exists\, 0 < \delta \le d : t+\delta \in Inv(l) \wedge \neg coInv(l)$.
Note that our semantics tries to minimise the use of transitions leading to
⊤/⊥ states. Thus there are no delay transitions leading to ⊤. This creates
implicit timestops, which we capture using the concept of semi-timestop (i.e.
semi-⊤). We say a plain state p is a semi-⊤ iff 1) all output transitions enabled in
p or any of its time-passing successors lead to the ⊤ state, and 2) there exists
$d \in \mathbb{R}_{>0}$ s.t. $p \xrightarrow{d} \top$ or d is not enabled in p. Thus a semi-⊤ is a state in which
it is impossible for the component to avoid the timestop without suitable inputs
from the environment.
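The following is an added Python example, not code from the paper, that implements the semantic mapping of Definition 3 together with the ⊥- and ⊤-completions of Sect. 2.3 and replays timed words on the two Figure 1 automata (transcribed here as constructed inputs). It assumes that invariants and co-invariants are conjunctions of non-strict upper bounds x <= c, which is downward closed and covers Figure 1 although the paper allows any downward-closed constraint; with that shape the existential condition of rule 3 is decided by comparing how much time remains before the co-invariant fails against how much remains before the invariant fails. Guards are arbitrary predicates on valuations. The runner `run`, the constants `BOT`/`TOP` and the `Bounds` representation are this example's own, and `run` requires a deterministic automaton.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Callable, Dict, List, Tuple

BOT, TOP = "⊥", "⊤"             # inconsistent state and timestop state of Sect. 2.3
Bounds = List[Tuple[str, int]]  # [(clock, c)] read as the conjunction of clock <= c; [] is true


@dataclass(frozen=True)
class Transition:               # l --g,a,rs--> l'
    src: str
    guard: Callable[[Dict[str, Fraction]], bool]
    action: str
    resets: frozenset
    dst: str


@dataclass
class TIOA:
    clocks: Tuple[str, ...]
    inputs: frozenset
    outputs: frozenset
    init: str
    trans: List[Transition]
    inv: Dict[str, Bounds]      # assumption of this example: invariants and
    coinv: Dict[str, Bounds]    # co-invariants are conjunctions of non-strict upper bounds


def sat(bounds: Bounds, t) -> bool:
    return all(t[x] <= c for x, c in bounds)


def slack(bounds: Bounds, t):
    """Largest delay keeping t inside the bounds; None when time is unbounded."""
    return min((c - t[x] for x, c in bounds), default=None)


def initial(A: TIOA):
    t0 = {x: Fraction(0) for x in A.clocks}
    if not sat(A.inv[A.init], t0):
        return TOP                       # invariants take priority (footnote 1)
    if not sat(A.coinv[A.init], t0):
        return BOT
    return (A.init, t0)


def action_succ(A: TIOA, state, a: str) -> list:
    """Rule 1 of Def. 3 on a plain state, followed by ⊥-completion (a disabled
    input goes to ⊥) and ⊤-completion (a disabled output goes to ⊤)."""
    loc, t = state
    out = []
    for tr in A.trans:
        if tr.src != loc or tr.action != a or not tr.guard(t):
            continue
        t2 = {x: (Fraction(0) if x in tr.resets else v) for x, v in t.items()}
        if not sat(A.inv[tr.dst], t2):
            out.append(TOP)              # (c) magic action
        elif not sat(A.coinv[tr.dst], t2):
            out.append(BOT)              # (b) error action
        else:
            out.append((tr.dst, t2))     # (a) plain action
    return out or [BOT if a in A.inputs else TOP]


def delay_succ(A: TIOA, state, d):
    """Rules 2 and 3 of Def. 3 on a plain state; a delay the invariant forbids is
    ⊤-completed (the implicit timestop the text calls a semi-⊤)."""
    loc, t = state
    d = Fraction(str(d)) if isinstance(d, float) else Fraction(d)
    s_inv, s_co = slack(A.inv[loc], t), slack(A.coinv[loc], t)
    inv_ok = s_inv is None or d <= s_inv
    co_ok = s_co is None or d <= s_co
    if inv_ok and co_ok:
        return (loc, {x: v + d for x, v in t.items()})        # plain delay
    if not co_ok and (s_inv is None or s_co < s_inv):
        return BOT     # time-out: the co-invariant is left while the invariant still holds
    return TOP         # the invariant stops time first, so the delay is not enabled


def run(A: TIOA, word):
    """Follow a timed word (actions as strings, delays as numbers) from the initial
    state; ⊥ and ⊤ are absorbing, so the run stops once either is reached."""
    s = initial(A)
    for e in word:
        if s in (BOT, TOP):
            break
        if isinstance(e, str):
            succ = action_succ(A, s, e)
            assert len(succ) == 1, "this runner expects a deterministic TIOA"
            s = succ[0]
        else:
            s = delay_succ(A, s, e)
    return s


# Figure 1 transcribed: the scheduler owns clock x, the printer controller clock y.
SCHEDULER = TIOA(
    clocks=("x",), inputs=frozenset({"finish"}), outputs=frozenset({"start"}), init="A",
    trans=[Transition("A", lambda t: True, "start", frozenset({"x"}), "B"),
           Transition("B", lambda t: 5 <= t["x"] <= 8, "finish", frozenset({"x"}), "A")],
    inv={"A": [("x", 100)], "B": []}, coinv={"A": [], "B": []})

CONTROLLER = TIOA(
    clocks=("y",), inputs=frozenset({"start", "printed"}),
    outputs=frozenset({"print", "finish"}), init="1",
    trans=[Transition("1", lambda t: True, "start", frozenset({"y"}), "2"),
           Transition("2", lambda t: t["y"] == 1, "print", frozenset({"y"}), "3"),
           Transition("3", lambda t: True, "printed", frozenset({"y"}), "4"),
           Transition("4", lambda t: t["y"] <= 5, "finish", frozenset(), "1")],
    inv={"1": [], "2": [("y", 1)], "3": [], "4": [("y", 5)]},
    coinv={"1": [], "2": [], "3": [("y", 10)], "4": []})
```

Replaying <start, 3, finish> on the scheduler ends in ⊥ (the unexpected-input safety error the text describes), <start, 1, print, 11> on the controller ends in ⊥ through the time-out rule because the co-invariant y <= 10 of location 3 is left while its invariant (true) still holds, and <start, 0.5, print> ends in ⊤ because an output that is not yet enabled is ⊤-completed. A delay of 101 at the scheduler's initial location is also ⊤, not an error: the invariant x <= 100 means the component itself must fire start before time can pass that far.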
TIOTS terminology. A TIOTS is time additive providing $p \xrightarrow{d_1 + d_2} s'$ iff $p \xrightarrow{d_1} s$
and $s \xrightarrow{d_2} s'$ for some s. In the sequel of this paper we only consider TIOTSs
that are time-additive.
We say a TIOTS is deterministic iff there is no ambiguous transition in the
TIOTS, i.e. $s \xrightarrow{\alpha} s' \wedge s \xrightarrow{\alpha} s''$ implies $s' = s''$.
Given a TIOTS P, a timed word can be derived from a finite execution of
P by extracting the labels in each transition and coalescing adjacent reals. The
timed words derived from such executions are called traces of P. We use tt, tt′, tti
to range over the set of traces and use $s_0 \xRightarrow{tt} s$ to denote a finite execution that
produces trace tt and leads to s.
2.4 Operational Specification Theory
In this section we develop a compositional specification theory for TIOTSs based
on the operations of parallel composition ‖, conjunction ∧, disjunction ∨ and
quotient %. The operators are defined via transition rules that are a variant on
synchronised product.
Parallel composition yields a TIOTS that represents the combined effect
of its operands interacting with one another. The remaining operations must
be explained with respect to a refinement relation, which corresponds to safe-
substitutivity in our theory. A TIOTS is a refinement of another if it will work
in any environment that the original worked in without introducing safety or
bounded-liveness errors. Conjunction yields the coarsest TIOTS that is a refine-
ment of its operands, while disjunction yields the finest TIOTS that is refined
by both of its operands. The operators are thus equivalent to the join and meet
operations on TIOTSs2. Quotient is the adjoint of parallel composition, meaning
that P0%P1 is the coarsest TIOTS such that (P0%P1)‖P1 is a refinement of P0.
Let Pi = 〈Ii ,Oi ,Si , s0i ,→i〉 for i ∈ {0, 1} be two TIOTSs that are both ⊥
and >-completed, satisfying (wlog) S0 ∩ S1 = {⊥,>}. The composition of P0
2 As we write A ⊑ B to mean A is refined by B, our operators ∧ and ∨ are reversed
in comparison to the standard symbols for meet and join.
Table 1. State representations under composition operators (rows: state of P1; columns: state of P0; p0×p1 is the product plain state).

  ‖  | ⊤   p0      ⊥          ∧  | ⊤   p0      ⊥
  ⊤  | ⊤   ⊤       ⊤          ⊤  | ⊤   ⊤       ⊤
  p1 | ⊤   p0×p1   ⊥          p1 | ⊤   p0×p1   p1
  ⊥  | ⊤   ⊥       ⊥          ⊥  | ⊤   p0      ⊥

  ∨  | ⊤   p0      ⊥          %  | ⊤   p0      ⊥
  ⊤  | ⊤   p0      ⊥          ⊤  | ⊥   ⊥       ⊥
  p1 | p1  p0×p1   ⊥          p1 | ⊤   p0×p1   ⊥
  ⊥  | ⊥   ⊥       ⊥          ⊥  | ⊤   ⊤       ⊥
and P1 under the operation ⊗ ∈ {‖,∧,∨,%}, written P0 ⊗ P1, is only defined
when certain composability restrictions are imposed on the alphabets of the
TIOTSs. P0 ‖ P1 is only defined when the output sets of P0 and P1 are disjoint,
because an output should be controlled by at most one component. Conjunction
and disjunction are defined only when the TIOTSs have identical alphabets (i.e.
O0 = O1 and I0 = I1). This restriction can be relaxed at the expense of more
cumbersome notation, which is why we focus on the simpler case in this paper.
For the quotient, we require that the alphabet of P0 dominates that of P1 (i.e.
A1 ⊆ A0 and O1 ⊆ O0), in addition to P1 being a deterministic TIOTS. As
quotient is a synthesis operator, it is difficult to give a definition using just state-
local transition rules, since quotient needs global information of the transition
systems. This is why we insist on P1 being deterministic3.
Definition 4. Let P0 and P1 be TIOTSs composable under ⊗ ∈ {‖,∧,∨,%}.
Then P0 ⊗ P1 = 〈I ,O ,S , s0,→〉 is the TIOTS where:
– If ⊗ =‖, then I = (I0 ∪ I1) \O and O = O0 ∪O1
– If ⊗ ∈ {∧,∨}, then I = I0 = I1 and O = O0 = O1
– If ⊗ = %, then I = I0 ∪O1 and O = O0 \O1
– S = P0 × P1 ⊎ P0 ⊎ P1 ⊎ {⊤, ⊥}
– s0 = s00 ⊗ s01
– → is the smallest relation containing →0 ∪ →1, and satisfying the rules:
$$\frac{p_0 \xrightarrow{\alpha}_0 s_0' \qquad p_1 \xrightarrow{\alpha}_1 s_1'}{p_0 \otimes p_1 \xrightarrow{\alpha} s_0' \otimes s_1'}
\qquad
\frac{p_0 \xrightarrow{a}_0 s_0' \qquad a \notin A_1}{p_0 \otimes p_1 \xrightarrow{a} s_0' \otimes p_1}
\qquad
\frac{p_1 \xrightarrow{a}_1 s_1' \qquad a \notin A_0}{p_0 \otimes p_1 \xrightarrow{a} p_0 \otimes s_1'}$$
We adopt the notation of s0 ⊗ s1 for states, where the associated interpretation
is supplied in Table 1. Furthermore, given two plain states pi = (li, ti) for i ∈
{0, 1}, we define p0 × p1 = ((l0, l1), t0 ⊎ t1).
Table 1 tells us how states should be combined under the composition op-
erators. From the environment’s point of view, > refines plain states, which in
turn refines ⊥. For parallel, a state is magic if one component state is magic,
and a state is error if one component is error while the other is not magic. For
conjunction, encountering error in one component implies the component can be
discarded and the rest of the composition behaves like the other component. The
conjunction table follows the intuition of the join operation on the refinement
3 Technically speaking, the problem lies in that state quotient operator is right-
distributive but not left-distributive over state disjunction (cf Table 1).
preorder. Similarly for disjunction. Quotient is the adjoint of parallel composi-
tion. If the second component state does not refine the first, the quotient will
try to rescue the refinement by producing > (so that its composition with the
second will refine the first). If the second component state does refine the first,
the quotient will produce the least refined value so that its composition with the
second will not break the refinement.
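Table 1 can be checked against the refinement order it is built from. The following is an added Python example, not from the paper, over the three-point abstraction {⊥, plain, ⊤} with ⊥ ⊑ plain ⊑ ⊤ (⊑ read as "is refined by", so ⊤ refines plain, which refines ⊥): ‖ follows the parallel rules stated in the text, ∧ and ∨ are the join and meet of that order, and % is computed directly as the adjoint of ‖, i.e. the least refined q such that q ‖ s1 refines s0. The tables the functions generate reproduce Table 1 entry for entry (a plain result standing for p0×p1, p0 or p1 as appropriate), and the two checks confirm the adjoint reading and the "rescue with ⊤ exactly when s1 does not refine s0" description given above. The encoding of the three states as 0, 1, 2 and the function names are this example's own.

```python
from itertools import product

# Abstract state domain: ⊥ (error), a plain state, ⊤ (timestop), in refinement order.
BOT, PLAIN, TOP = 0, 1, 2
ELEMS = (BOT, PLAIN, TOP)
NAME = {BOT: "⊥", PLAIN: "p", TOP: "⊤"}


def refines(a, b):
    """a refines b, i.e. b ⊑ a: ⊤ refines plain states, which refine ⊥ (Sect. 2.4)."""
    return a >= b


def par(s0, s1):
    """‖: magic if either side is magic; error if either side is error and the other not magic."""
    if TOP in (s0, s1):
        return TOP
    if BOT in (s0, s1):
        return BOT
    return PLAIN


def conj(s0, s1):
    """∧: the coarsest state refining both operands, i.e. the join of the order."""
    return max(s0, s1)


def disj(s0, s1):
    """∨: the finest state refined by both operands, i.e. the meet of the order."""
    return min(s0, s1)


def quot(s0, s1):
    """%: adjoint of ‖, the least refined q such that q ‖ s1 refines s0. The set is
    never empty because par(⊤, s1) = ⊤ refines everything, which is the 'rescue' case."""
    return min(q for q in ELEMS if refines(par(q, s1), s0))


def table(op):
    """Rows: state of P1 in the order ⊤, p1, ⊥; columns: state of P0 in the order ⊤, p0, ⊥."""
    order = (TOP, PLAIN, BOT)
    return [[op(s0, s1) for s0 in order] for s1 in order]


def render(op, symbol):
    """Table 1-style text rendering of one operator."""
    header = f"{symbol:>2} | " + "  ".join(f"{NAME[s]:>2}" for s in (TOP, PLAIN, BOT))
    rows = [f"{NAME[label]:>2} | " + "  ".join(f"{NAME[s]:>2}" for s in row)
            for label, row in zip((TOP, PLAIN, BOT), table(op))]
    return "\n".join([header] + rows)


def galois_connection_holds():
    """For all s0, s1, q: q ‖ s1 refines s0 iff q refines s0 % s1 (quotient is the adjoint)."""
    return all(refines(par(q, s1), s0) == refines(q, quot(s0, s1))
               for s0, s1, q in product(ELEMS, repeat=3))


def quotient_rescues_only_when_needed():
    """s0 % s1 = ⊤ exactly when s1 does not refine s0, as the text describes."""
    return all((quot(s0, s1) == TOP) == (not refines(s1, s0))
               for s0, s1 in product(ELEMS, repeat=2))


if __name__ == "__main__":
    for op, sym in ((par, "‖"), (conj, "∧"), (disj, "∨"), (quot, "%")):
        print(render(op, sym), end="\n\n")
```

The interesting row is ⊤ for %: when the second operand is already ⊤ the composition is ⊤ whatever the quotient contributes, so the least refined value ⊥ is returned, which is the "least refined value so that its composition with the second will not break the refinement" in the text.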
An environment for a TIOTS P is any TIOTS Q such that the alphabet of Q
is complementary to that of P, meaning IP = OQ and OP = IQ. Refinement in
our framework corresponds to contextual substitutability, in which the context
is an arbitrary environment.
Definition 5. Let Pimp and Pspec be TIOTSs with identical alphabets. Pimp
refines Pspec, denoted Pspec ⊑ Pimp, iff for all environments Q, Pspec ‖ Q is
⊥-free implies Pimp ‖ Q is ⊥-free. We say Pimp and Pspec are substitutively
equivalent, i.e. Pspec ≃ Pimp, iff Pimp ⊑ Pspec and Pspec ⊑ Pimp.
It is obvious that ≃ induces an equivalence on TIOTSs and no equivalence
that preserves the ⊥ state can be weaker than ≃. In the sequel we will give two
concrete characterisations of ≃ and show that ≃ is also a congruence w.r.t. the
parallel composition, conjunction, disjunction and quotient operators.
The operational definition of quotient requires that P1 is determinised, which
can be accomplished by a modified subset construction procedure on (P⊥1 )>. If
the current state subset S0 contains ⊥, it reduces S0 to ⊥; if ⊥ ∉ S0 ≠ {⊤}, it
reduces S0 by removing any potential > in S0. As expected, the determinisation
of P, denoted PD , is substitutively equivalent to P.
Proposition 1. Any TIOTS is substitutively equivalent to a deterministic TIOTS.
Equipped with determinisation, quotient is a fully defined operator on any
pair of TIOTSs. Furthermore, we can give an alternative (although substitutively
equivalent) formulation of quotient as the derived operator (P¬0 ‖ P1)¬, where ¬
is a mirroring operation that first determinises its argument, then interchanges
the input and output sets, as well as the > and ⊥ states.
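The modified subset construction described above, as an added Python example (not the authors' implementation) on a finite untimed I/O transition system, the setting of Figure 3, so no delays arise. The input is first ⊥- and ⊤-completed (a disabled input goes to ⊥, a disabled output to ⊤); then every reachable subset that contains ⊥ collapses to ⊥, and ⊤ is dropped from any other subset that is not exactly {⊤}. The system P below is constructed for this example: after a!, P nondeterministically reaches a state that only expects e? (and offers b!) or one that only expects f? (and offers c!). No environment can tell which branch was taken, so in the determinised system every input after a! is an error while both outputs survive, which is exactly what substitutive equivalence requires. The class `IOLTS` and the helpers `complete`, `reduce_subset`, `determinise` and `run` are this example's own names.

```python
from collections import deque
from typing import Dict, FrozenSet, Set, Tuple

BOT, TOP = "⊥", "⊤"   # inconsistent and timestop states


class IOLTS:
    """Finite untimed I/O transition system over plain states plus ⊥ and ⊤.
    `trans` maps (state, action) to the set of successor states."""

    def __init__(self, inputs, outputs, init, edges):
        self.inputs, self.outputs = frozenset(inputs), frozenset(outputs)
        self.init = init
        self.trans: Dict[Tuple[object, str], Set[object]] = {}
        for src, a, dst in edges:
            self.trans.setdefault((src, a), set()).add(dst)
        self.states = ({init} | {s for (s, _) in self.trans}
                       | {d for ds in self.trans.values() for d in ds})

    def succ(self, s, a) -> Set[object]:
        if s == BOT:                 # ⊥ is chaotic: every action loops back to ⊥
            return {BOT}
        if s == TOP:                 # ⊤ is quiescent: no action transitions at all
            return set()
        return self.trans.get((s, a), set())


def complete(P: IOLTS) -> IOLTS:
    """(P⊥)⊤: add p -a-> ⊥ for every disabled input a and p -a-> ⊤ for every disabled output."""
    edges = [(s, a, d) for (s, a), ds in P.trans.items() for d in ds]
    for p in P.states - {BOT, TOP}:
        for a in P.inputs | P.outputs:
            if not P.trans.get((p, a)):
                edges.append((p, a, BOT if a in P.inputs else TOP))
    return IOLTS(P.inputs, P.outputs, P.init, edges)


def reduce_subset(subset: Set[object]) -> FrozenSet[object]:
    """The reduction of Sect. 2.4: a subset containing ⊥ becomes ⊥; any other
    subset except {⊤} itself loses ⊤ (a non-magic alternative is kept instead)."""
    if BOT in subset:
        return frozenset({BOT})
    if subset != {TOP}:
        return frozenset(subset - {TOP})
    return frozenset(subset)


def determinise(P: IOLTS) -> IOLTS:
    """Subset construction over the completed system; result states are frozensets."""
    C = complete(P)
    start = reduce_subset({C.init})
    edges, seen, work = [], {start}, deque([start])
    while work:
        S = work.popleft()
        for a in C.inputs | C.outputs:
            T = reduce_subset({d for s in S for d in C.succ(s, a)})
            if not T:
                continue                 # only the subset {⊤} has no successors
            edges.append((S, a, T))
            if T not in seen:
                seen.add(T)
                work.append(T)
    return IOLTS(C.inputs, C.outputs, start, edges)


def run(L: IOLTS, trace):
    """State reached by following `trace` from the initial state, or None when a
    step is missing or ambiguous (so a nondeterministic choice yields None)."""
    s = L.init
    for a in trace:
        nxt = L.trans.get((s, a), set())
        if len(nxt) != 1:
            return None
        (s,) = nxt
    return s


# Constructed example: after a!, P is in s1 (expects e?, offers b!) or in s2
# (expects f?, offers c!); the environment cannot observe which.
P = IOLTS(inputs={"e", "f"}, outputs={"a", "b", "c"}, init="s0",
          edges=[("s0", "a", "s1"), ("s0", "a", "s2"),
                 ("s1", "e", "s3"), ("s1", "b", "s5"),
                 ("s2", "f", "s4"), ("s2", "c", "s6")])
D = determinise(P)
```

After a! the determinised state is {s1, s2}; on e? its successors are {s3, ⊥} (s2 has no e?, so completion sends it to ⊥), which the ⊥ rule collapses to ⊥, and on b! they are {s5, ⊤}, from which the second rule drops ⊤ and keeps s5. Sending a second a! leads to {⊤} alone, which is kept as ⊤: the environment can never force an error there, it can only leave the component with no move.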
Example. Figure 2 shows the parallel composition of the job scheduler with the
printer controller. In the transition from B4 to A1, the guard combines the effects
of the constraints on the clocks x and y . As finish is an output of the controller,
it can be fired at a time when the scheduler is not expecting it, meaning that a
safety error will occur. This is indicated by the transition to ⊥ when the guard
constraint 5 ≤ x ≤ 8 is not satisfied.
3 Timed I/O Game
Our specification theory can be understood from a game theoretical point of
view. It is an input-output game between a component and an environment that
[Figure 2, diagram not reproduced; the composed automaton Scheduler || Printer_controller it shows is as follows. Locations: A1 (Inv: x <= 100, Co: true), B2 (Inv: y <= 1, Co: true), B3 (Inv: true, Co: y <= 10) and B4 (Inv: y <= 5, Co: true). Transitions: A1 --start! x,y:=0--> B2; B2 --print! [y == 1] y:=0--> B3; B3 --printed? y:=0--> B4; B4 --finish! [5 <= x <= 8 and y <= 5]--> A1; B4 --finish! [not (5 <= x <= 8) and y <= 5]--> ⊥.]
Fig. 2. Parallel composition of the job scheduler and printer controller.
uses a coin to break ties. The specification of a component (in the form of a TIOA
or TIOTS) is built to encode the set of strategies possible for the component in
the game (just like an NFA encodes a set of words).
– Given two TIOTSs P and Q with identical alphabets, we say P is a partial
unfolding [6] of Q if there exists a function f from $S_P$ to $S_Q$ s.t. 1) f maps
⊤ to ⊤, ⊥ to ⊥, and plain states to plain states, 2) $f(s_{0P}) = s_{0Q}$, and 3)
$p \xrightarrow{\alpha}_P s \Rightarrow f(p) \xrightarrow{\alpha}_Q f(s)$.
– We say an acyclic TIOTS is a tree if 1) there does not exist a pair of transitions
of the form $p \xrightarrow{a} p''$ and $p' \xrightarrow{d} p''$, 2) $p \xrightarrow{a} p'' \wedge p' \xrightarrow{b} p''$ implies
$p = p'$ and $a = b$, and 3) $p \xrightarrow{d} p'' \wedge p' \xrightarrow{d} p''$ implies $p = p'$.
– We say an acyclic TIOTS is a simple path if 1) $p \xrightarrow{a} s' \wedge p \xrightarrow{\alpha} s''$ implies
$s' = s''$ and $a = \alpha$, and 2) $p \xrightarrow{d} s' \wedge p \xrightarrow{d} s''$ implies $s' = s''$.
– We say a simple path L is a run of P if L is a partial unfolding of P.
Strategies. A strategy G is a deterministic tree TIOTS s.t. each plain state in G is
ready to accept all possible inputs by the environment, but allows a single move
(delay or output) by the component, i.e. $eb_G(p) = I \uplus mv_G(p)$ s.t. $mv_G(p) = \{a\}$
for some $a \in O$ or $\emptyset \subset mv_G(p) \subseteq \mathbb{R}_{>0}$, where $eb_G(p)$ denotes the set of enabled
timed actions in state p of LTS G, and $mv_G(p)$ denotes the unique component
move allowed by G at p.
A TIOTS P contains a strategy G if G is a partial unfolding of (P⊥)>. The
set of strategies4 contained in P is denoted stg(P). Since it makes little sense to
distinguish strategies that are isomorphic, we will freely use strategies to refer
to their isomorphism classes and write G = G′ to mean G and G′ are isomorphic.
Let us give some examples in Figure 3. For the sake of simplicity we use two
untimed transition systems P and Q, which have identical alphabets I = {e, f }
and O = {a, b, c}, to illustrate the idea of strategies. The transition systems use
solid lines while strategies use dotted lines. Plain states are unmarked while the
> and ⊥ states are marked by > and ⊥ resp.5 We show four strategies of P and
4 In this paper we use a set of strategies (say Π) to mean a set of strategies with
identical alphabets
5 To simplify drawing, multiple copies of > and ⊥ are allowed but the self-loops on
them are omitted.
[Figure 3, diagram not reproduced: untimed transition systems P and Q over I = {e, f} and O = {a, b, c}, with strategies (1) to (4) of P and (A), (B) of Q drawn beside them.]
Fig. 3. Strategy example.
two strategies of Q on the right hand side of P and Q resp. in Figure 3. (They
are not the complete sets of strategies for P and Q.) Note that the strategies 3
and 4 owe their existence to the ⊤-completion.
Comparing strategies. When the game is played, the component tries to avoid
reaching > while the environment tries to avoid reaching ⊥. Different strategies
in stg(P) vary in their effectiveness to achieve the objective. Such effectiveness
can be compared if two strategies closely resemble each other: we say G and G′
are affine if $s_{0G} \xRightarrow{tt} p$ and $s_{0G'} \xRightarrow{tt} p'$ implies $mv_G(p) = mv_{G'}(p')$. Intuitively, it
means G and G′ propose the same move at the ‘same’ states. For instance, the
strategies 1, 3 and A in Figure 3 are pairwise affine and so are the strategies 2,
4 and B .
Given two affine strategies G and G′, we say G is more aggressive than G′,
denoted G  G′, if 1) $s_{0G'} \xRightarrow{tt} \bot$ implies there is a prefix $tt_0$ of tt s.t. $s_{0G} \xRightarrow{tt_0} \bot$ and
2) $s_{0G} \xRightarrow{tt} \top$ implies there is a prefix $tt_0$ of tt s.t. $s_{0G'} \xRightarrow{tt_0} \top$. Intuitively, it means G
can reach ⊥ faster but ⊤ slower than G′.  forms a partial order over stg(P), or
more generally, over any set of strategies with identical alphabets. For instance,
strategy A is more aggressive than 1 and 3, while strategy B is more aggressive
than 2 and 4.
When the game is played, the component P prefers to use the maximally
aggressive strategies in stg(P)6. Thus two components that differ only in non-
maximally aggressive strategies should be equated. We define the strategy se-
mantics of component P to be [P]s = {G′ | ∃ G ∈ stg(P) : G  G′}, i.e. the
upward-closure of stg(P) w.r.t. .
Game rules. When a component strategy G is played against an environment
strategy G′, at each game state (i.e. a product state pG × pG′) G and G′ each
propose a move (i.e. mvG(pG) and mvG′(pG′)). If one of them is a delay and
the other is an action, the action will prevail. If both propose delay moves (i.e.
mvG(pG),mvG′(pG′) ⊆ R≥0), the smaller one (w.r.t. set containment) will prevail.
6 This is because our semantics is designed to preserve ⊥ rather than >.
Since a delay move proposed at a strategy state is the maximal set of possible
delays enabled at that state, the next move proposed at the new state after firing
the set must be an action move (due to time additivity). Thus a play cannot
have two consecutive delay moves.
If, however, both propose action moves, there will be a tie, which will be
resolved by tossing the coin. For uniformity’s sake, the coin can be treated as a
special component. A strategy of the coin is a function h from tA∗ to {0, 1}. We
denote the set of all possible coin strategies as H .
A play of the game can be formalised as a composition of three strategies,
one each from the component, environment and coin, denoted GP ‖h GQ. At a
current game state $p_P \times p_Q$, if the prevailing action is α and we have $p_P \xrightarrow{\alpha} s'_P$
and $p_Q \xrightarrow{\alpha} s'_Q$, then the next game state is $s'_P \,\|\, s'_Q$. The play will stop when it
reaches either > or ⊥. The composition will produce a simple path L that is a
run of P ‖ Q. Since P ‖ Q gives rise to a closed system (i.e. the input alphabet
is empty), a run of P ‖ Q is a strategy of P ‖ Q.
This is crucial since it reveals that strategy composition of P and Q is
closely related to their parallel composition: stg(P ‖ Q) = {GP ‖h GQ | GP ∈
stg(P),GQ ∈ stg(Q) and h ∈ H }.
Parallel composition. Strategy composition, like component (parallel) composi-
tion, can be generalised to any pair of components P and Q with composable
alphabets. That is, OP ∩ OQ = {}. For such P and Q, GP ‖h GQ gives rise to a
tree rather than simple path TIOTS. That is, at each game state pP×pQ, besides
firing the prevailing $\alpha \in tO_P \cup tO_Q$, we need also to fire 1) all the synchronised inputs,
i.e. $e \in I_P \cap I_Q$, and reach the new game state $s_P \,\|\, s_Q$ (assuming $p_P \xrightarrow{e} s_P$
and $p_Q \xrightarrow{e} s_Q$) and 2) all the independent inputs, i.e. $e \in (I_P \cup I_Q) \setminus (A_P \cap A_Q)$,
and reach the new game state sP × pQ or pP × sQ. It is easy to verify that
GP ‖h GQ is a strategy of P ‖ Q.
Conjunction/disjunction. Besides strategy composition, strategy conjunction (&)
and strategy disjunction (+) are also definable. They are binary operators defined
only on pairs of affine strategies. We define G&G′ = G ∧ G′ and G + G′ = G ∨ G′.
Note that if G and G′ are not affine, G ∧G′ and G ∨G′ do not necessarily produce
a strategy. For instance the disjunction of the strategies 1 and 2 in Figure 3 will
produce a transition system that stops to output after the a transition.
Refinement. Strategy semantics induce an equivalence on TIOTSs. That is, P
and Q are strategy equivalent iff [P]s = [Q]s . However, strategy equivalence is
too fine for the purpose of substitutive refinement (cf Definition 5). For instance,
transition systems P and Q in Figure 3 are substitutively equivalent, but are not
strategy equivalent, because 1, 2, 3 and 4 are strategies of Q (due to upward-
closure w.r.t. ), but A and B are not strategies of P.
However, we demonstrate that substitutive equivalence is reducible to strategy
equivalence providing we perform disjunction closure on strategies.
Lemma 1. Given a pair of affine component strategies G0 and G1, G0 ‖h G and
G1 ‖h G are ⊥-free for some environment strategy G and h ∈ H iff (G0 + G1) ‖h G
is ⊥-free.
We say Π+ is a disjunction closure of Π iff it is the least superset of Π s.t.
G + G′ ∈ Π+ for all pairs of affine strategies G,G′ ∈ Π+. It is easy to see the
disjunction closure operation preserves the upward-closedness of strategy sets.
Theorem 1. Given TIOTSs P and Q, P ⊑ Q iff [Q]+s ⊆ [P]+s.
For instance, the disjunction of strategies 1 and 3 produces A, while the
disjunction of strategies 2 and 4 produces B. Thus [P]+s = [Q]+s.
Relating operational composition to strategies. The operations of parallel compo-
sition, conjunction and disjunction defined on the operational models of TIOTSs
(Section 2.4) can be characterised by simple operations on strategies in the game-
based setting.
Lemma 2. For ‖-composable TIOTSs P and Q, [P ‖ Q]+s = {GP‖Q | ∃ GP ∈
[P]+s ,GQ ∈ [Q]+s , h ∈ H : GP ‖h GQ  GP‖Q}.
Lemma 3. For ∨-composable TIOTSs P and Q, [P ∨Q]+s = ([P]+s ∪ [Q]+s )+.
Lemma 4. For ∧-composable TIOTSs P and Q, [P ∧Q]+s = [P]+s ∩ [Q]+s .
Lemma 5. For %-composable TIOTSs P and Q, [P%Q]+s = {GP%Q | ∀ GQ ∈
[Q]+s , h ∈ H : GP%Q ‖h GQ ∈ [P]+s }.
Thus conjunction and disjunction are the join and meet operations respectively,
and quotient produces the coarsest TIOTS P0%P1 s.t. (P0%P1) ‖ P1 is a refinement of P0.
Lemma 6. For any TIOTS P, [P¬]+s = {GP¬ | ∀ GP ∈ [P]+s , h ∈ H : GP¬ ‖h
GP is ⊥-free}.
Theorem 2. Substitutive equivalence is a congruence w.r.t. ‖, ∨, ∧ and % subject to composability.
Summary. Strategy semantics has given us a weakest ⊥-preserving congruence
(i.e. [P]+s ) for timed specification theories based on operators for (parallel) com-
position, conjunction, disjunction and quotient. Strategy semantics captures
nicely the game-theoretical nature as well as the operational intuition of the
specification theories. However, in a more declarative manner, the equivalence
can also be characterised by timed traces, as we see in the next section.
4 Declarative Specification Theory
In this section, we develop a compositional specification theory based on timed
traces. We introduce the concept of a timed-trace structure, which is an abstract
representation for a timed component. The timed-trace structure contains essen-
tial information about the component, for checking whether it can be substituted
with another in a safety and liveness preserving manner.
Given any TIOTS P = 〈I, O, S, s0, →〉, we can extract three sets of traces
from (P⊥)⊤: TP (plain traces) is the set of timed traces leading to plain states,
TE (error traces) the set of timed traces leading to ⊥, and TM (magic traces) the set
of timed traces leading to ⊤. The three sets contain sufficient but not necessary
information for our substitutive refinement, which is designed to preserve ⊥
rather than ⊤. For instance, adding any trace tt ∈ TE to TP does not change
the semantics of the component; similarly, removing any trace tt ∈ TP from TM
does not change it either. Based on a slight abstraction of the three sets we can
define a triple-trace structure as the semantics of P.
Definition 6 (Triple-trace structure). 𝒯𝒯(P) := (I, O, TT, TR, TE), where
TT := TE ∪ TP ∪ TM is the set of all traces and TR := TE ∪ TP the set of
realisable traces.
Obviously, TE is extension-closed. TT is non-empty and prefix-closed. TR
is prefix-closed and fully branching⁷ w.r.t. TT (i.e. tt ⌢ 〈α〉 ∈ TT for all tt ∈ TR
and α ∈ tA). TT \ TR is time-extension closed (i.e. tt ∈ TT \ TR ⇒ tt ⌢ 〈d〉 ∈ TT \ TR)
and any pair of traces from TT \ TR that are related by extension are related
by time-extension.
From hereon let P0 and P1 be two TIOTSs with triple-trace structures
𝒯𝒯(Pi) := (Ii, Oi, TTi, TRi, TEi) for i ∈ {0, 1}. Define ī = 1 − i.
The substitutive refinement relation ⊑ of Section 2.4 can equally be charac-
terised by means of trace containment. Consequently, 𝒯𝒯(P0) can be regarded
as providing an alternative encoding of the set [P0]+s of strategies.
Theorem 3. P0 ⊑ P1 iff TT1 ⊆ TT0, TR1 ⊆ TR0 and TE1 ⊆ TE0.
We are now ready to define the timed-trace structure semantics for the op-
erators of our specification theory. Intuitively, the timed-trace semantics mimic
the synchronised product of the operational definitions in Section 2.4. An im-
portant fact utilised in formulating these operations on traces is that for any
trace tt ∈ tA∗ and TIOTS P, either tt is a trace of P or there is some prefix tt0
of tt s.t. tt0 is an error or magic trace of P.
Parallel composition. The idea behind parallel composition is that the projection
of any trace in the composition onto the alphabet of one of the components
should be a trace of that component.
Proposition 2. If P0 and P1 are ‖-composable, then 𝒯𝒯(P0 ‖ P1) = (I, O, TT, TR, TE)
where I = (I0 ∪ I1) \ O, O = O0 ∪ O1 and, with i ranging over {0, 1}, the trace sets are given by:
– TE = {tt | tt ↾ tAi ∈ TEi ∧ tt ↾ tAī ∈ TRī} · tA*
– TR = TE ⊎ {tt | tt ↾ tAi ∈ (TRi \ TEi) ∧ tt ↾ tAī ∈ (TRī \ TEī)}
– TT = TR ⊎ {tt | tt ↾ tAi ∈ (TTi \ TRi) ∧ tt0 < tt ⇒ tt0 ↾ tAī ∈ (TRī \ TEī)} · R≥0.
⁷ This is due to ⊤/⊥-completion.
The above says that tt is an error trace if the projection of tt on one component is
an error trace while the projection of tt on the other component is not a magic
trace. tt is a realisable trace if tt is either an error trace or a plain trace. tt is a
plain trace if the projections of tt on both components are plain traces. Finally,
tt is a magic trace if its projection on one component is a magic trace, while the
projections of all strict prefixes of tt on the other component are plain traces.
Disjunction. From any composite state in the disjunction of two components,
the composition should only be willing to accept inputs that are accepted by
both components, but should accept the union of outputs. After witnessing an
output enabled by only one of the components, the disjunction should behave like
that component. Because of the way that ⊥ and > work in Table 1, this loosely
corresponds to taking the union of the traces from the respective components.
Proposition 3. If P0 and P1 are ∨-composable, then 𝒯𝒯(P0 ∨ P1) = (I, O, TR0 ∪
TR1 ∪ TM, TR0 ∪ TR1, TE0 ∪ TE1), where I = I0 = I1, O = O0 = O1 and
TM = {tt | tt ∈ (TTi \ TRi) ∧ ∃ tt0 ≤ tt : tt0 ∈ (TTī \ TRī)} · R≥0.
Essentially, tt is a magic trace if it is a magic trace on one component while
one of its prefixes is a magic trace on the other component. The realisable and
error traces are simply the union of the corresponding traces on P0 and P1.
Conjunction. Similarly to disjunction, from any composite state in the con-
junction of two components, the composition should only be willing to accept
outputs that are accepted by both components, and should accept the union of
inputs, until a stage when one of the component’s input assumptions has been
violated, after which it should behave like the other component. Because of the
way that both ⊥ and > work in Table 1, this essentially corresponds to taking
the intersection of the traces from the respective components.
Proposition 4. If P0 and P1 are ∧-composable, then 𝒯𝒯(P0 ∧ P1) = (I, O, (TR0 ∩
TR1) ∪ TM, TR0 ∩ TR1, TE0 ∩ TE1), where I = I0 = I1, O = O0 = O1 and
TM = {tt | tt ∈ (TTi \ TRi) ∧ tt0 < tt ⇒ tt0 ∈ TRī} · R≥0.
A trace tt is a magic trace if it is a magic trace on one of the components,
and all strict prefixes of the trace are realisable by the other component. The
realisable and error traces are simply the intersection of the corresponding traces
on P0 and P1.
Quotient. Quotient ensures its composition with the second component is a
refinement of the first. Given the synchronised running of P0 and P1, if P0 is in
a more refined state than P1, the quotient will try to rescue the refinement by
taking > as its state (so that its composition with P1’s state will refine P0’s). If
P0 is in a less or equally refined state than P1’s, the quotient will take the worst
possible state without breaking the refinement.
Proposition 5. If P0 dominates P1, then 𝒯𝒯(P0%P1) = (I, O, TT, TR, TE),
where I = I0 ∪ O1, O = O0 \ O1, and the trace sets satisfy:
– TE = {tt | (tt ∈ TE0 ∧ tt0 < tt ⇒ tt0 ↾ tA1 ∉ TE1) ∨ (tt ↾ tA1 ∈ (TT1 \ TR1) ∧ tt0 < tt ⇒ tt0 ∉ TT0 \ TR0)} · tA*
– TR = TE ⊎ {tt | tt ∈ (TR0 \ TE0) ∧ tt ↾ tA1 ∈ (TR1 \ TE1)}
– TT = TR ⊎ {tt | (tt ∈ (TT0 \ TR0) ∧ tt0 ≤ tt ⇒ tt0 ↾ tA1 ∈ TR1) ∨ (tt ↾ tA1 ∈ TE1 ∧ tt0 ≤ tt ⇒ tt0 ∉ TE0)}.
The above says tt is an error trace if either 1) tt is an error trace in P0, but
the projection of any strict prefix of tt on P1 is not an error trace, or 2) the
projection of tt on P1 is a magic trace, but no strict prefix of tt is a magic trace
in P0. tt is a magic trace if either 1) tt is a magic trace in P0, but the projection
of any prefix of tt is not a magic trace in P1, or 2) the projection of tt on P1 is
an error trace, but no prefix of tt is an error trace in P0.
Mirroring of triple-trace structures is straightforward: 𝒯𝒯(P0)¬ = (O0, I0,
TT0, TT0 \ TE0, TT0 \ TR0). This is because dealing with traces means we have
implicit determinism, so we can skip the determinisation step. Consequently,
quotient can also be defined as the derived operator (𝒯𝒯(P0)¬ ‖ 𝒯𝒯(P1))¬.
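The declarative operators of this section can be exercised on finite trace sets. The Python below is an added example, not code from the paper or its authors. It drops delays entirely (so timed traces become finite action sequences and the trailing · R≥0 closures in Propositions 3 and 4 are vacuous), bounds trace length, and assumes a ⊥/⊤-completion convention in which an input not enabled in a plain state leads to ⊥ and an output not enabled leads to ⊤; Section 2 is not reproduced here, so that convention, the bound and the two components P0 and P1 are assumptions of the example. On that basis it extracts the triple-trace structure of Definition 6 from two small constructed components, checks the closure properties stated after the definition, decides refinement by trace containment (Theorem 3), builds conjunction and disjunction as in Propositions 4 and 3, and mirrors a structure as in the paragraph above.

```python
from dataclasses import dataclass
from itertools import product

BOT, TOP = "bot", "top"   # the inconsistent state ⊥ and the magic state ⊤


@dataclass
class Automaton:
    """Finite I/O transition system; delta maps (state, action) -> state.
    Assumed completion: an input not enabled in a plain state goes to ⊥
    (the environment broke an assumption); an output not enabled goes to ⊤
    (the component never emits it, so the trace cannot occur)."""
    I: frozenset
    O: frozenset
    s0: str
    delta: dict

    def run(self, trace):
        s = self.s0
        for a in trace:
            if s == BOT:
                continue            # ⊥ absorbs every action: TE is extension-closed
            if s == TOP:
                return None         # a magic trace has no action extension
            s = self.delta.get((s, a), BOT if a in self.I else TOP)
        return s


@dataclass(frozen=True)
class TripleTrace:
    """(I, O, TT, TR, TE) of Definition 6: all, realisable and error traces."""
    I: frozenset
    O: frozenset
    TT: frozenset
    TR: frozenset
    TE: frozenset

    @property
    def TM(self):                   # magic traces
        return self.TT - self.TR

    @property
    def TP(self):                   # plain traces
        return self.TR - self.TE


def triple_trace(aut, bound):
    """Extract the three trace sets from (P⊥)⊤ for traces of length <= bound."""
    TT, TR, TE = set(), set(), set()
    for n in range(bound + 1):
        for tt in product(sorted(aut.I | aut.O), repeat=n):
            s = aut.run(tt)
            if s is None:
                continue
            TT.add(tt)
            if s != TOP:
                TR.add(tt)
            if s == BOT:
                TE.add(tt)
    return TripleTrace(aut.I, aut.O, frozenset(TT), frozenset(TR), frozenset(TE))


def well_formed(t, bound):
    """Closure properties stated after Definition 6, checked up to the bound."""
    A = t.I | t.O
    ok = () in t.TT and t.TE <= t.TR <= t.TT
    for tt in t.TT:                 # TT prefix-closed
        ok &= tt == () or tt[:-1] in t.TT
    for tt in t.TR:                 # TR prefix-closed and fully branching w.r.t. TT
        ok &= tt == () or tt[:-1] in t.TR
        ok &= len(tt) == bound or all(tt + (a,) in t.TT for a in A)
    for tt in t.TE:                 # TE extension-closed
        ok &= len(tt) == bound or all(tt + (a,) in t.TE for a in A)
    for tt in t.TM:                 # magic traces admit no action extension
        ok &= all(tt + (a,) not in t.TT for a in A)
    return ok


def refines(p0, p1):
    """Theorem 3: P0 ⊑ P1 iff TT1 ⊆ TT0, TR1 ⊆ TR0 and TE1 ⊆ TE0."""
    return p1.TT <= p0.TT and p1.TR <= p0.TR and p1.TE <= p0.TE


def prefixes(tt, strict):
    return [tt[:k] for k in range(len(tt) + (0 if strict else 1))]


def conjunction(p0, p1):
    """Proposition 4; magic if magic in one operand with all strict prefixes realisable in the other."""
    TR, TE = p0.TR & p1.TR, p0.TE & p1.TE
    TM = {tt for pi, pj in ((p0, p1), (p1, p0)) for tt in pi.TM
          if all(tt0 in pj.TR for tt0 in prefixes(tt, strict=True))}
    return TripleTrace(p0.I, p0.O, TR | TM, TR, TE)


def disjunction(p0, p1):
    """Proposition 3; magic if magic in one operand and some prefix is magic in the other."""
    TR, TE = p0.TR | p1.TR, p0.TE | p1.TE
    TM = {tt for pi, pj in ((p0, p1), (p1, p0)) for tt in pi.TM
          if any(tt0 in pj.TM for tt0 in prefixes(tt, strict=False))}
    return TripleTrace(p0.I, p0.O, TR | TM, TR, TE)


def mirror(p):
    """Mirror: (O, I, TT, TT minus TE, TT minus TR), swapping I/O and error/magic."""
    return TripleTrace(p.O, p.I, p.TT, p.TT - p.TE, p.TT - p.TR)


# Constructed components (assumed for this example, not from the paper):
# input a, outputs b and c. P0 answers each a with b and refuses a second a;
# P1 accepts a at any time and may answer with b or c.
I, O = frozenset({"a"}), frozenset({"b", "c"})
P0 = Automaton(I, O, "s0", {("s0", "a"): "s1", ("s1", "b"): "s0"})
P1 = Automaton(I, O, "s0", {("s0", "a"): "s1", ("s1", "a"): "s1",
                            ("s1", "b"): "s0", ("s1", "c"): "s0"})
BOUND = 3
T0, T1 = triple_trace(P0, BOUND), triple_trace(P1, BOUND)
C, D = conjunction(T0, T1), disjunction(T0, T1)

if __name__ == "__main__":
    print("P0 and P1 incomparable:", not refines(T0, T1) and not refines(T1, T0))
    print("P0 ⊑ P0∧P1, P1 ⊑ P0∧P1:", refines(T0, C), refines(T1, C))
    print("P0∨P1 ⊑ P0, P0∨P1 ⊑ P1:", refines(D, T0), refines(D, T1))
    print("second a: plain in P0∧P1", ("a", "a") in C.TP, "/ error in P0∨P1", ("a", "a") in D.TE)
```

On the constructed components the conjunction refines both operands and the disjunction is refined by both, while P0 and P1 themselves are incomparable under Theorem 3 (P1 has no error traces but realises traces P0 treats as magic). The trace aa is plain in the conjunction, which accepts the union of the inputs and follows P1 once P0's assumption is violated, but an error in the disjunction, which accepts an input only if both components do; the output c after a is magic in the conjunction and plain in the disjunction, matching the intuitions given for the two operators.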
5 Comparison with Related Works
Being linear-time, our timed theory owes much to the pioneering work on
trace theories in asynchronous circuit verification, such as Dill's trace theory
[7]. Our mirror operator is essentially a timed extension of the mirror operator
from asynchronous circuit verification. The definition of quotient based on mir-
roring (for the untimed case) was first presented by Verhoeff as his Factorisation
Theorem [8].
Our work is also deeply influenced by the work of [5] on timed games, with
some modifications. Firstly, a TIOTS is regarded as a set of component strate-
gies, rather than a timed game graph. We adopt most of the game rules in [5], ex-
cept that, due to our requirement that proposed delay moves are maximal delays
allowed by a strategy, a play cannot have consecutive delay moves. This enables
us to avoid the complexity of time-blocking strategies and blame assignment, but
does not ensure non-Zenoness8. Secondly, we do not use timestop/semi-timestop
to model time errors (i.e. bounded-liveness errors). Rather, we introduce the ex-
plicit inconsistent state ⊥ to model both time and immediate (i.e. safety) errors.
Timestop is used to model the magic state, which simplifies the definitions
of parallel composition, conjunction and quotient and lets us avoid the complexity of
having two transition relations and well-formedness of timed interfaces.
Last but not least, our work is related to [4], as both devise a complete
timed specification theory. The major difference lies in the use of timed alter-
nating simulation as refinement in [4], while ours is linear-time. An advantage of
our work is that refinement is the weakest congruence preserving inconsistency,
while the benefit of [4] is the algorithmic efficiency of branching-time simulation
checking. Moreover, the timed-game algorithms of [4] have been fully implemented.
8 Zeno behaviours (infinite action moves within finite time) in a play are not regarded
as abnormal behaviours in our semantics.
We briefly mention other related works, which include timed modal transition
systems [9,10], the timed I/O model [3] and embedded systems [11,12].
6 Conclusions
We have formulated a rich compositional specification theory for components
with real-time constraints based on a linear-time notion of substitutive refine-
ment. The operators of hiding and renaming can also be defined, according to our
past experiences [13]. We believe that our theory can be reformulated as a timed
extension of Dill’s trace theory [7]. Future work will include an investigation of
realisability and assume-guarantee reasoning.
Acknowledgments. The authors are supported by EU FP7 project CONNECT
and ERC Advanced Grant VERIWARE.
References
1. Chen, T., Chilton, C., Jonsson, B., Kwiatkowska, M.: A Compositional Specifica-
tion Theory for Component Behaviours. In Seidl, H., ed.: Programming Languages
and Systems, Proc. 21st European Symposium on Programming (ESOP’12). Vol-
ume 7211 of Lecture Notes in Computer Science., Springer-Verlag (2012) 148–168
2. de Alfaro, L., Henzinger, T.A.: Interface automata. SIGSOFT Softw. Eng. Notes
26 (2001) 109–120
3. Kaynar, D.K., Lynch, N.A., Segala, R., Vaandrager, F.W.: Timed I/O automata: A
mathematical framework for modeling and analyzing real-time systems. In: RTSS
(2003)
4. David, A., Larsen, K.G., Legay, A., Nyman, U., Wasowski, A.: Timed I/O au-
tomata: a complete specification theory for real-time systems. In: Proc. 13th ACM
International Conference on Hybrid systems: computation and control. HSCC ’10,
ACM (2010) 91–100
5. de Alfaro, L., Henzinger, T.A., Stoelinga, M.: Timed interfaces. In Sangiovanni-
Vincentelli, A., Sifakis, J., eds.: Embedded Software. Volume 2491 of LNCS.
Springer-Verlag (2002) 108–122
6. Wang, X.: Maximal Confluent Processes. In: Proc. of PETRI NETS 2012. Volume
7347 of Lecture Notes in Computer Science., Springer-Verlag (2012)
7. Dill, D.L.: Trace theory for automatic hierarchical verification of speed-
independent circuits. ACM distinguished dissertations. MIT Press (1989)
8. Verhoeff, T.: A Theory of Delay-Insensitive Systems. PhD thesis, Dept. of Math.
and C.S., Eindhoven Univ. of Technology (1994)
9. Bertrand, N., Pinchinat, S., Raclet, J.B.: Refinement and consistency of timed
modal specifications. In: LATA. (2009) 152–163
10. Cerans, K., Godskesen, J.C., Larsen, K.G.: Timed modal specification - theory
and tools. In: CAV. (1993) 253–267
11. Thiele, L., Wandeler, E., Stoimenov, N.: Real-time interfaces for composing real-
time systems. In: EMSOFT. (2006)
12. Lee, I., Leung, J.Y.T., Son, S.H. (eds.): Handbook of Real-Time and Embedded Systems. Chap-
man & Hall/CRC (2007)
13. Wang, X., Kwiatkowska, M.Z.: On process-algebraic verification of asynchronous
circuits. Fundam. Inform. 80 (2007) 283–310
