Timed I/O automata: a complete specification theory for real-time systems by David, Alexandre et al.
Aalborg Universitet
Timed I/O automata
a complete specification theory for real-time systems
David, Alexandre; Larsen, Kim Guldstrand; Nyman, Ulrik; Legay, Axel; Wasowski, Andrzej
Published in:
Proceedings of the 13th ACM international conference on Hybrid systems: computation and control
DOI (link to publication from Publisher):
10.1145/1755952.1755967
Publication date:
2010
Document Version
Accepted author manuscript, peer reviewed version
Link to publication from Aalborg University
Citation for published version (APA):
David, A., Larsen, K. G., Nyman, U., Legay, A., & Wasowski, A. (2010). Timed I/O automata: a complete specification theory for real-time systems. In Proceedings of the 13th ACM international conference on Hybrid systems: computation and control (HSCC '10). Association for Computing Machinery. https://doi.org/10.1145/1755952.1755967
Downloaded from vbn.aau.dk on: November 29, 2020
Timed I/O Automata:
A Complete Specification Theory for Real-time Systems
Alexandre David
Computer Science
Aalborg University, Denmark
adavid@cs.aau.dk
Kim G. Larsen
Computer Science
Aalborg University, Denmark
kgl@cs.aau.dk
Axel Legay
INRIA/IRISA
Rennes Cedex, France
axel.legay@irisa.fr
Ulrik Nyman
Computer Science
Aalborg University, Denmark
ulrik@cs.aau.dk
Andrzej Wąsowski
IT University
Copenhagen, Denmark
wasowski@itu.dk
ABSTRACT
A specification theory combines notions of specifications and
implementations with a satisfaction relation, a refinement
relation and a set of operators supporting stepwise design.
We develop a complete specification framework for real-time
systems using Timed I/O Automata as the specification for-
malism, with the semantics expressed in terms of Timed
I/O Transition Systems. We provide constructs for refine-
ment, consistency checking, logical and structural composi-
tion, and quotient of specifications – all indispensable ingre-
dients of a compositional design methodology.
The theory is implemented on top of an engine for timed
games, Uppaal-tiga, and illustrated with a small case study.
Categories and Subject Descriptors
F.3.1 [Specifying and Verifying and Reasoning about
Programs]
General Terms
Theory, Verification
1. INTRODUCTION
Many modern systems are big and complex assemblies of
numerous components. The components are often designed
by independent teams, working under a common agreement
on what the interface of each component should be. Con-
sequently, compositional reasoning [20], the mathematical
foundations of reasoning about interfaces, is an active re-
search area. It supports inferring properties of the global
implementation, or designing and advisedly reusing compo-
nents.
HSCC’10, April 12–15, 2010, Stockholm, Sweden.
Copyright 2010 ACM 978-1-60558-955-8/10/04 ...$10.00.
In a logical interpretation, interfaces are specifications and components that implement an interface are understood as models/implementations. Specification theories should support various features including (1) refinement, which allows one to compare specifications as well as to replace a specification by another one in a larger design, (2) logical conjunction, expressing the intersection of the sets of requirements expressed by two or more specifications, (3) structural composition, which allows specifications to be combined, and (4) last but not least, a quotient operator that is dual to structural composition. The latter is crucial to perform incremental design. Also, the operations have to be related by compositional reasoning theorems, guaranteeing both incremental design and independent implementability [13].
Building good specification theories is the subject of intensive studies [10, 12]. One successfully promoted direction is that of interface automata [12, 13, 22, 28]. In this framework, an interface is represented by an input/output automaton [26], i.e. an automaton whose transitions are typed as inputs or outputs. The semantics of such an automaton is given by a two-player game: the input player represents the environment, and the output player represents the component itself. Contrary to the input/output model proposed by Lynch [26], this semantics offers an optimistic treatment of composition: two interfaces can be composed if there exists at least one environment in which they can interact together in a safe way. In [15], a timed extension of the theory of interface automata has been introduced, motivated by the fact that time can be a crucial parameter in practice, for example in embedded systems. While [15] focuses mostly on structural composition, in this paper we go one step further and build what we claim to be the first game-based specification theory for timed systems.
Component interface specification and consistency. We represent specifications by timed input/output transition systems [21], i.e., timed transition systems whose sets of discrete transitions are split into input and output transitions. Contrary to [15] and [21] we distinguish between implementations and specifications by adding conditions on the models. This is done by assuming that the former have fixed timing behaviour and can always advance either by producing an output or by delaying. We also provide a game-based methodology to decide whether a specification is consistent, i.e. whether it has at least one implementation. The latter reduces to deciding the existence of a strategy that, whatever the behaviour of the environment, will avoid states that cannot possibly satisfy the implementation requirements.
Refinement and logical conjunction. A specification S1 refines a specification S2 iff it is possible to replace S2 with S1 in every environment and obtain an equivalent system. In the input/output setting, checking refinement reduces to deciding an alternating timed simulation between the two specifications [12]. In our timed extension, checking such a simulation can be done with a slight modification of the theory proposed in [6]. As implementations are specifications, refinement coincides with the satisfaction relation. Our refinement operator has the model inclusion property, i.e., S1 refines S2 iff the set of implementations of S1 is included in the set of implementations of S2. We also propose a logical conjunction operator between specifications. Given two specifications, the operator computes a specification whose implementations satisfy both operands. The operation may introduce error states that do not satisfy the implementation requirement. Those states are pruned by synthesizing a strategy for the component to avoid reaching them. We also show that conjunction coincides with shared refinement, i.e., it corresponds to the greatest specification that refines both S1 and S2.
Structural composition. Following [15], specifications interact by synchronizing on inputs and outputs. However, like in [21, 26], we restrict ourselves to input-enabled systems. This makes it impossible to reach an immediate deadlock state, where a component proposes an output that cannot be captured by the other component. Unlike in [21, 26], input-enabledness shall not be seen as a way to avoid error states. Indeed, such error states can be designated by the designer as states which do not warrant desirable temporal properties. Here, in checking for compatibility of the composition of specifications, one tries to synthesize a strategy for the inputs to avoid the error states, i.e., an environment in which the components can be used together in a safe way. Our composition operator is associative and the refinement is a precongruence with respect to it.
Quotient. We propose a quotient operator dual to composi-
tion. Intuitively, given a global specification T of a compos-
ite system as well as the specification of an already realized
component S, the quotient will return the most liberal spec-
ification X for the missing component, i.e. X is the largest
specification such that S in parallel with X refines T .
Implementation. Our methodology has been implemented
as an extension of Uppaal-tiga [3]. It builds on timed in-
put/output automata, a symbolic representation for timed
input/output transition systems. We show that conjunc-
tion, composition, and quotienting are simple product con-
structions allowing for both consistency and compatibility
checking to be solved using the zone-based algorithms for
synthesizing winning strategies in timed games [27, 8]. Fi-
nally, refinement between specifications is checked using a
variant of the recent efficient game-based algorithm of [6].
Example. Universities operate under increasing pressure
and competition. One of the popular factors used in de-
termining the level of national funding is that of societal
impact, which is approximated by the number of patent ap-
plications filed. Clearly one would expect that the number
(and size) of grants given to a university has a (positive)
influence on the amount of patents filed for.
[Figure 1 (Specification): actions grant (input) and patent (output); edge labels grant?, patent!; clock u with constraints u>2, u<=2, u<=20 and resets u=0.]
Figure 1: Overall specification for a University.
Figure 2 gives the insight as to the organisation of a very small University comprising three components: Administration, Machine and Researcher. The Administration is responsible for interaction with society in terms of acquiring grants (grant) and filing patents (patent). However, the other components are necessary for patents to be obtained. The Researcher will produce the crucial publications (pub) within given time intervals, provided timely stimuli in terms of coffee (cof) or tea (tea). Here coffee is clearly preferred over tea. The beverage is provided by a Machine, which given a coin (coin) will provide either coffee or tea within some time interval, or even the possibility of free tea after some time.
In Figure 2 the three components are specifications, each
allowing for a multitude of incomparable, actual implemen-
tations differing with respect to exact timing behavior (e.g.
at what time are publications actually produced by the Re-
searcher given a coffee) and exact output produced (e.g. does
the Machine offer tea or coffee given a coin).
As a first property, we may want to check that the com-
position of the three components comprising our University
is compatible: we notice that the specification of the Re-
searcher contains an Err state, essentially not providing any
guarantees as to what behaviour to expect if tea is offered
at a late stage. Now, compatibility checking amounts sim-
ply to deciding whether the user of the University (i.e. the
society) has such a strategy for using it that the Researcher
will avoid ever entering this error state.
As a second property, we may want to show that the composition of arbitrary implementations conforming to the respective component specifications is guaranteed to satisfy some overall specification. Here Figure 1 provides an overall specification (essentially saying that whenever grants are given to the University sufficiently often then patents are also guaranteed within a certain upper time-bound). To avoid clutter, we have omitted the looping, guard-free output edges for the three actions (coin, cof and tea) which are present in all the states. Checking this property amounts to establishing a refinement between the composition of the three component specifications and the overall specification. We leave the reader in suspense until the concluding section before we reveal whether the refinement actually holds or not!
2. SPECIFICATIONS & REFINEMENT
Throughout the presentation of our specification theory,
we continuously switch the mode of discussion between the
semantic and syntactic levels. In general, the formal frame-
work is developed for the semantic objects, Timed I/O Tran-
sition Systems (TIOTSs in short) [18], and enriched with
syntactic constructions for Timed I/O Automata (TIOAs),
which act as a symbolic and finite representation for TIOTSs.
[Figure 2: three TIOAs connected over the channels coin, cof, tea, pub, grant and patent. Administration: edge labels pub?, coin!, patent!, grant?; clock z with constraints z<=2 and resets z=0. Machine: edge labels coin?, cof!, tea!; clock y with constraints y>=2, y<=6, y>=4 and reset y=0. Researcher: edge labels tea?, cof?, pub!; clock x with constraints x>15, x>=2, x>=4, x<=4, x<=8, x<=15 and resets x=0; one location is named ERR.]
Figure 2: Specifications for and interconnections between the three main components of a modern University:
Administration, Machine and Researcher.
However, it is important to emphasize that the theory for
TIOTSs does not rely in any way on the TIOAs representa-
tion – one can build TIOTSs that cannot be represented by
TIOAs, and the theory remains sound for them (although
we do not know how to manipulate them automatically).
Definition 1. A Timed I/O Transition System (TIOTS) is a tuple $S = (St^S, s_0, \Sigma^S, \rightarrow^S)$, where $St^S$ is an infinite set of states, $s_0 \in St^S$ is the initial state, $\Sigma^S = \Sigma^S_i \oplus \Sigma^S_o$ is a finite set of actions partitioned into inputs ($\Sigma^S_i$) and outputs ($\Sigma^S_o$) and $\rightarrow^S \subseteq St^S \times (\Sigma^S \cup \mathbb{R}_{\geq 0}) \times St^S$ is a transition relation. We write $s \xrightarrow{a}^S s'$ instead of $(s, a, s') \in \rightarrow^S$ and use $i?$, $o!$ and $d$ to range over inputs, outputs and $\mathbb{R}_{\geq 0}$ respectively. In addition any TIOTS satisfies the following:
[time determinism] whenever $s \xrightarrow{d}^S s'$ and $s \xrightarrow{d}^S s''$ then $s' = s''$
[time reflexivity] $s \xrightarrow{0}^S s$ for all $s \in St^S$
[time additivity] for all $s, s'' \in St^S$ and all $d_1, d_2 \in \mathbb{R}_{\geq 0}$ we have $s \xrightarrow{d_1 + d_2}^S s''$ iff $s \xrightarrow{d_1}^S s'$ and $s' \xrightarrow{d_2}^S s''$ for an $s' \in St^S$
In the interest of simplicity, we work with deterministic TIOTSs: for all $a \in \Sigma \cup \mathbb{R}_{\geq 0}$ whenever $s \xrightarrow{a}^S s'$ and $s \xrightarrow{a}^S s''$, we have $s' = s''$ (determinism is required not only for timed transitions but also for discrete transitions). In the rest of the paper, we often drop the adjective 'deterministic'.
For a TIOTS $S$ and a set of states $X$, write
$$\mathit{pred}^S_a(X) = \{\, s \in St^S \mid \exists s' \in X.\ s \xrightarrow{a} s' \,\} \quad (1)$$
for the set of all $a$-predecessors of states in $X$. We write $\mathit{ipred}^S(X)$ for the set of all input predecessors, and $\mathit{opred}^S(X)$ for all the output predecessors of $X$:
$$\mathit{ipred}^S(X) = \bigcup_{a \in \Sigma^S_i} \mathit{pred}^S_a(X) \quad (2)$$
$$\mathit{opred}^S(X) = \bigcup_{a \in \Sigma^S_o} \mathit{pred}^S_a(X) . \quad (3)$$
Also $\mathit{post}^S_{[0,d_0]}(s)$ is the set of all time successors of a state $s$ that can be reached by delays smaller than $d_0$:
$$\mathit{post}^S_{[0,d_0]}(s) = \{\, s' \in St^S \mid \exists d \in [0, d_0].\ s \xrightarrow{d}^S s' \,\} \quad (4)$$
We shall now introduce a finite symbolic representation for TIOTSs in terms of Timed I/O Automata (TIOAs). Let Clk be a finite set of clocks. A clock valuation over Clk is a mapping u ∈ [Clk ↦ R≥0]. We write u + d to denote the valuation such that for any clock r we have (u+d)(r) = x+d iff u(r) = x. Given a set of clocks c ⊆ Clk, we write u[r ↦ 0]_{r∈c} for the valuation which agrees with u on all clocks not in c, and returns 0 for all clocks in c. Let op be the set of relational operators: op = {<, ≤, >, ≥}. A guard over Clk is a finite conjunction of expressions of the form x ≺ n, where ≺ is a relational operator and n ∈ N. We write B(Clk) for the set of guards over Clk using operators in the set op. We also write P(X) for the powerset of a set X.
Definition 2. A Timed I/O Automaton (TIOA) is a tuple A = (Loc, q0, Clk, E, Act, Inv) where Loc is a finite set of locations, q0 ∈ Loc is the initial location, Clk is a finite set of clocks, E ⊆ Loc × Act × B(Clk) × P(Clk) × Loc is a set of edges, Act = Acti ⊕ Acto is a finite set of actions, partitioned into inputs and outputs respectively, and Inv : Loc ↦ B(Clk) is a set of location invariants.
If (q, a, ϕ, c, q′) ∈ E is an edge, then q is its source location, a is an action label, ϕ is a constraint over clocks that must be satisfied when the edge is executed, c is a set of clocks to be reset, and q′ is its target location. Examples of TIOAs were given in the introduction.
We define the semantics of a TIOA A = (Loc, q0, Clk, E, Act, Inv) to be the TIOTS [[A]]sem = (Loc × [Clk ↦ R≥0], (q0, 0), Act, −→), where 0 is the constant function mapping all clocks to zero, and −→ is the largest transition relation generated by the following rules:
• Each (q, a, ϕ, c, q′) ∈ E gives rise to (q, u) −a→ (q′, u′) for each clock valuation u ∈ [Clk ↦ R≥0] such that u ⊨ ϕ, u′ = u[r ↦ 0]_{r∈c} and u′ ⊨ Inv(q′).
• Each location q ∈ Loc with a valuation u ∈ [Clk ↦ R≥0] gives rise to a transition (q, u) −d→ (q, u + d) for each delay d ∈ R≥0 such that u + d ⊨ Inv(q).
The TIOTSs induced by TIOAs satisfy the axioms 1–3 of
Definition 1. In order to guarantee determinism, the TIOA
has to be deterministic: for each action–location pair only
one transition can be enabled at the same time. This is
a standard check. We assume that all TIOAs below are
deterministic.
Having introduced a syntactic representation for TIOTSs,
we now turn back to the semantic level in order to define the
basic concepts of implementation and specification:
Definition 3. A TIOTS $S$ is a specification if each of its states $s \in St^S$ is input-enabled: $\forall i? \in \Sigma^S_i.\ \exists s' \in St^S.\ s \xrightarrow{i?}^S s'$.
The assumption of input-enabledness, also seen in many interface theories [25, 17, 30, 33, 29], reflects our belief that an input cannot be prevented from being sent to a system, but it might be unpredictable how the system behaves after receiving it. Input-enabledness encourages explicit modeling of this unpredictability, and compositional reasoning about it; for example, deciding if an unpredictable behaviour of one component induces unpredictability of the entire system.
It is easy to check if a TIOA induces an input-enabled
TIOTS. Thus we define Timed Input/Output Specification
Automata (Specification Automata in short) to be TIOAs,
whose semantic TIOTS is a specification. In practice tools
can interpret absent input transitions in at least two reason-
able ways. First, they can be interpreted as ignored inputs,
corresponding to location loops in the automaton. Second,
they may be seen as unavailable ('blocking') inputs, which
can be achieved by assuming implicit transitions to a des-
ignated error state. Later, in Section 4 we will call such a
state strictly undesirable and give a rationale for this name.
The role of specifications in a specification theory is to abstract, or underspecify, sets of possible implementations. Implementations are concrete executable realizations of systems. We will assume that implementations of timed systems have fixed timing behaviour (outputs occur at predictable times) and that systems can always advance either by producing an output or by delaying. This is formalized using the axioms of output urgency and independent progress below:
Definition 4. An implementation $P = (St^P, p_0, \Sigma^P, \rightarrow^P)$ is a specification such that for each state $p \in St^P$ we have:
[output urgency] $\forall p', p'' \in St^P$, if $p \xrightarrow{o!}^P p'$ and $p \xrightarrow{d}^P p''$ then $d = 0$ (and consequently, due to determinism, $p = p''$)
[independent progress] either $(\forall d \geq 0.\ p \xrightarrow{d}^P)$ or $\exists d \in \mathbb{R}_{\geq 0}.\ \exists o! \in \Sigma^P_o.\ p \xrightarrow{d}^P p'$ and $p' \xrightarrow{o!}^P$.
Independent progress is one of the central properties in
our theory: it states that an implementation cannot ever
get stuck in a state where it is up to the environment to
induce progress. So in every state there is either an output
transition (which is controlled by the implementation) or an
ability to delay until an output is possible. Otherwise a state
can delay indefinitely. An implementation cannot wait for
an input from the environment without letting time pass.
A notion of refinement allows one to compare two specifications as well as to relate an implementation to a specification. Refinement should satisfy the following substitutability condition: if P refines Q, then it should be possible to replace Q with P in every environment and obtain an equivalent system. We study these kinds of properties in later sections. It is well known from the literature [12, 13, 6] that in order to give these kinds of guarantees a refinement should have the flavour of alternating (timed) simulation [2].
Definition 5. A specification $S = (St^S, s_0, \Sigma, \rightarrow^S)$ refines a specification $T = (St^T, t_0, \Sigma, \rightarrow^T)$, written $S \leq T$, iff there exists a binary relation $R \subseteq St^S \times St^T$ containing $(s_0, t_0)$ such that for each pair of states $(s, t) \in R$ we have:
1. whenever $t \xrightarrow{i?}^T t'$ for some $t' \in St^T$ then $s \xrightarrow{i?}^S s'$ and $(s', t') \in R$ for some $s' \in St^S$
2. whenever $s \xrightarrow{o!}^S s'$ for some $s' \in St^S$ then $t \xrightarrow{o!}^T t'$ and $(s', t') \in R$ for some $t' \in St^T$
3. whenever $s \xrightarrow{d}^S s'$ for $d \in \mathbb{R}_{\geq 0}$ then $t \xrightarrow{d}^T t'$ and $(s', t') \in R$ for some $t' \in St^T$
[Figure 3 (Machine2): actions coin, cof, tea; edge labels coin?, coin?, cof!, tea!; guards y>=2, y>=4; invariant y<=5; reset y=0.]
Figure 3: A coffee machine specification that refines the coffee machine in Figure 2.
A specification automaton A1 refines another specification automaton A2, written A1 ≤ A2, iff [[A1]]sem ≤ [[A2]]sem. It is easy to see that the refinement is reflexive and transitive, so it is a preorder on the set of all specifications. Refinement can be checked for specification automata by reducing the problem to a specific refinement game, and using a symbolic representation to reason about it. We discuss details of this process in Section 6. Figure 3 shows a coffee machine that is a refinement of the one in Figure 2. It has been refined in two ways: one output transition has been completely dropped and one state invariant has been tightened.
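As an added example (mine, not code from the paper or from Uppaal-tiga), the following Python carries out the two semantic rules of Section 2 and the refinement check of Definition 5 on a discrete-time approximation: clocks take integer values, time advances in unit delays (a `tick` action) and clock values saturate at a bound above every constant of the automaton, so that larger values are equivalent for all guards. The unfolding reads absent inputs as ignored inputs (self-loops) and rejects two enabled edges on one action, which is the determinism check the text mentions. Because both systems are deterministic, the relation R of Definition 5 is forced, so the check explores the reachable pairs from the initial pair and fails on the first unmatched move. The two coffee machines are constructed by me after the Machine of Figure 2 and the Machine2 of Figure 3; the location names, the `TIOA` encoding and the `tick` action are assumptions, not the paper's notation.

```python
"""Discrete-time unfolding of a TIOA into its semantic TIOTS (the two rules
of Definition 2) and the alternating simulation refinement of Definition 5.
Constructed example, not the Uppaal-tiga implementation. Assumptions: clocks
take integer values, time advances in unit delays ("tick") and clock values
saturate at a bound above every constant, so larger values are equivalent."""
from collections import deque

TICK = "tick"
OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}


class TIOA:
    """Edges are (source, action, guard, resets, target); guards and location
    invariants are lists of (clock, op, constant) conjuncts."""
    def __init__(self, loc0, clocks, inputs, outputs, edges, inv):
        self.loc0, self.clocks = loc0, list(clocks)
        self.inputs, self.outputs = set(inputs), set(outputs)
        self.edges, self.inv = edges, inv


def holds(guard, val):
    return all(OPS[op](val[c], n) for c, op, n in guard)


def unfold(A, bound):
    """Reachable part of [[A]]sem as a deterministic dict {(state, action): state}
    with states (location, clock values). Absent inputs are read as ignored
    inputs (self-loops), so the result is input-enabled; two enabled edges on
    the same action violate determinism and raise."""
    s0 = (A.loc0, tuple(0 for _ in A.clocks))
    trans, todo, seen = {}, deque([s0]), {s0}
    while todo:
        s = todo.popleft()
        loc, val = s[0], dict(zip(A.clocks, s[1]))
        succ = {}
        for q, a, guard, resets, q2 in A.edges:
            if q != loc or not holds(guard, val):
                continue
            v2 = {c: (0 if c in resets else val[c]) for c in A.clocks}
            if holds(A.inv.get(q2, []), v2):          # target invariant must hold
                if a in succ:
                    raise ValueError(f"non-deterministic on {a} at {s}")
                succ[a] = (q2, tuple(v2[c] for c in A.clocks))
        for i in A.inputs:
            succ.setdefault(i, s)                     # ignored input: location loop
        v2 = {c: min(val[c] + 1, bound) for c in A.clocks}
        if holds(A.inv.get(loc, []), v2):             # delay while the invariant holds
            succ[TICK] = (loc, tuple(v2[c] for c in A.clocks))
        for a, s2 in succ.items():
            trans[(s, a)] = s2
            if s2 not in seen:
                seen.add(s2)
                todo.append(s2)
    return s0, trans


def refines(S, T, inputs, outputs):
    """S <= T (Definition 5): T's inputs must be matched by S, S's outputs and
    delays by T. Both systems are deterministic, so the relation R is forced:
    explore the pairs reachable from (s0, t0) and fail on an unmatched move."""
    (s0, tS), (t0, tT) = S, T
    todo, seen = deque([(s0, t0)]), {(s0, t0)}
    while todo:
        s, t = todo.popleft()
        if any((t, a) in tT and (s, a) not in tS for a in inputs):
            return False                              # condition 1 violated
        if any((s, a) in tS and (t, a) not in tT for a in list(outputs) + [TICK]):
            return False                              # condition 2 or 3 violated
        for a in list(inputs) + list(outputs) + [TICK]:
            if (s, a) in tS and (t, a) in tT:         # successor pair R must contain
                pair = (tS[(s, a)], tT[(t, a)])
                if pair not in seen:
                    seen.add(pair)
                    todo.append(pair)
    return True


INPUTS, OUTPUTS = {"coin"}, {"cof", "tea"}
# Constructed after Figure 2 (Machine) and Figure 3 (Machine2): coin? resets y,
# cof! at y>=2, tea! at y>=4; Machine alone also gives free tea when idle and
# has the looser invariant y<=6 (Machine2: y<=5).
MACHINE = TIOA("idle", ["y"], INPUTS, OUTPUTS, [
    ("idle", "coin", [], {"y"}, "serving"),
    ("serving", "coin", [], set(), "serving"),
    ("serving", "cof", [("y", ">=", 2)], set(), "idle"),
    ("serving", "tea", [("y", ">=", 4)], set(), "idle"),
    ("idle", "tea", [("y", ">=", 4)], set(), "idle")], {"serving": [("y", "<=", 6)]})
MACHINE2 = TIOA("idle", ["y"], INPUTS, OUTPUTS, [
    ("idle", "coin", [], {"y"}, "serving"),
    ("serving", "coin", [], set(), "serving"),
    ("serving", "cof", [("y", ">=", 2)], set(), "idle"),
    ("serving", "tea", [("y", ">=", 4)], set(), "idle")], {"serving": [("y", "<=", 5)]})
BOUND = 7   # one above the largest constant in either automaton

if __name__ == "__main__":
    m, m2 = unfold(MACHINE, BOUND), unfold(MACHINE2, BOUND)
    print("Machine2 <= Machine:", refines(m2, m, INPUTS, OUTPUTS))   # True
    print("Machine <= Machine2:", refines(m, m2, INPUTS, OUTPUTS))   # False
```

Machine2 refines Machine because dropping the free-tea output and tightening the invariant only remove outputs and delays, which are the moves Definition 5 requires T to match; the reverse check fails at the first idle state where Machine offers tea but Machine2 does not, or at the delay from y=5 that Machine2's invariant forbids. The saturation bound must exceed every constant compared against in either automaton, otherwise a guard such as y>=4 could be evaluated on a clamped value.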
Since our implementations are a subclass of specifications,
we simply use refinement as an implementation relation:
Definition 6. An implementation P satisfies a specifica-
tion S, denoted P sat S iff P ≤ S. We write [[S]]mod for the
set of all implementations of S, so [[S]]mod = {P | P sat S}.
From a logical perspective, specifications are like formulae,
and implementations are their models. This analogy leads
us to a classical notion of consistency, as existence of models.
Definition 7. A specification S is consistent, if there ex-
ists an implementation P such that P sat S.
All specification automata in Figure 2 are consistent. An
example of an inconsistent specification can be found in Fig-
ure 4. Notice that the invariant in the second state (x≤4)
is stronger than the guard (x≥5) on the cof edge.
We also define a soundly stricter, more syntactic, notion
of consistency, which requires that all states are consistent:
Definition 8. A specification S is locally consistent, iff
every state s ∈ StS allows independent progress.
Theorem 1. Every locally consistent specification is con-
sistent in the sense of Definition 7.
The opposite implication in the theorem does not hold as we shall see later. Local consistency, or independent progress, can be checked for specification automata establishing local consistency for the syntactic representation. Technically it suffices to check for each location that if the supremum of all solutions of every location invariant exists then it satisfies the invariant itself and allows at least one enabled output transition.
[Figure 4 (Inconsistent): actions coin, cof, tea; edge labels coin?, coin?, cof!; invariant x <= 4; guard x >= 5.]
Figure 4: An inconsistent specification.
Prior specification theories for discrete time [22] and prob-
abilistic [7] systems reveal two main requirements for a defi-
nition of implementation. These are the same requirements
that are typically imposed on a definition of a model as a spe-
cial case of a logical formula. First, implementations should
be consistent specifications (logically, models correspond to
some consistent formulae). Second, implementations should
be most specified (models cannot be refined by non-models),
as opposed to proper specifications, which should be under-
specified. For example, in propositional logics, a model is
represented as a complete consistent term. Any implicant
of such a term is also a model (in propositional logics, it is
actually equivalent to it).
Our definition of implementation satisfies both require-
ments, and to the best of our knowledge, is the first exam-
ple of a proper notion of implementation for timed specifica-
tions. As the refinement is reflexive we get P sat P for any
implementation and thus each implementation is consistent
as per Definition 7. Furthermore each implementation can-
not be refined anymore by any underspecified specifications:
Theorem 2. Any locally consistent specification S refining an implementation P is an implementation as per Def. 4.
Just like the specifications, we represent implementations
syntactically using Timed I/O Automata. A TIOA P is an
implementation automaton if its underlying TIOTS [[P ]]sem
is an implementation. To decide whether a specification
automaton is an implementation automaton, one checks for
output urgency and independent progress.
We conclude the section with the first major theorem. Observe that every preorder is intrinsically complete in the following sense: S is below T iff every element P below S is also below T. This means that a refinement of two specifications coincides with inclusion of the sets of all specifications refining each of them. However, since out of all specifications only the implementations correspond to real-world objects, another completeness question is more relevant: does the refinement coincide with the inclusion of implementation sets? This property, which does not hold for an arbitrary preorder in general, turns out to hold for our refinement:
Theorem 3. For any two locally consistent specifications
S, T we have that S ≤ T iff [[S]]mod ⊆ [[T ]]mod.
The restriction of the theorem to locally consistent specifications is not a serious one. As we shall see, any consistent specification can be transformed into a locally consistent one preserving the set of implementations.
[Figure 5 (Partially Inconsistent): actions coin, cof, tea; edge labels coin? (three edges), cof!, tea!; clock constraints y<=6, y<=0, y>=4; resets y=0.]
Figure 5: A partially inconsistent specification.
3. CONSISTENCY AND CONJUNCTION
An immediate error occurs in a state of a specification if the specification disallows progress of time and output transitions in a given state – such a specification will break if the environment does not send an input. For a specification $S$ we define the set of immediate error states $\mathit{err}^S \subseteq St^S$ as:
$$\mathit{err}^S = \{\, s \mid (\exists d.\ s \not\xrightarrow{d}) \text{ and } \forall d\ \forall o!\ \forall s'.\ s \xrightarrow{d} s' \text{ implies } s' \not\xrightarrow{o!} \,\}$$
It follows that no immediate error states can occur in im-
plementations, or in locally consistent specifications.
In general, immediate error states in a specification do not necessarily mean that a specification cannot be implemented. Fig. 5 shows a partially inconsistent specification, a version of the coffee machine that becomes inconsistent if it ever outputs tea. The inconsistency can possibly be avoided by some implementations, which would not implement the delay or output transitions leading to it. More precisely an implementation will exist if there is a strategy for the output player in a safety game to avoid $\mathit{err}^S$. In order to be able to build on existing formalizations [8] we will consider a dual reachability game, asking for a strategy of the input player to reach $\mathit{err}^S$. We first define a timed predecessor operator [14, 27, 8], which gives all the states that can delay into $X$ while avoiding $Y$:
$$\mathit{cPred}^S_t(X, Y) = \{\, s \in St^S \mid \exists d_0 \in \mathbb{R}_{\geq 0}.\ \exists s' \in X.\ s \xrightarrow{d_0}^S s' \text{ and } \mathit{post}^S_{[0,d_0]}(s) \subseteq Y \,\} \quad (5)$$
Now the controllable predecessors operator is:
$$\pi(X) = \mathit{err}^S \cup \mathit{cPred}^S_t\big(X \cup \mathit{ipred}^S(X),\ \mathit{opred}^S(X)\big) \quad (6)$$
and the set of all inconsistent states $\overline{\mathit{cons}}^S$ (i.e. the states for which the environment has a winning strategy) is defined as the least fixpoint of $\pi$: $\overline{\mathit{cons}}^S = \pi(\overline{\mathit{cons}}^S)$, which is guaranteed to exist by monotonicity of $\pi$ and completeness of the powerset lattice due to the theorem of Knaster and Tarski [31]. For transition systems enjoying finite symbolic representations, automata specifications included, the fixpoint computation converges after a finite number of iterations [8].
Now we define the set of consistent states, $\mathit{cons}^S$, simply as the complement of $\overline{\mathit{cons}}^S$. We obtain it by complementing the result of the above fixpoint computation for $\overline{\mathit{cons}}^S$.
For the purpose of proofs it is more convenient to formal-
ize the dual operator, say θ, whose greatest fixpoint directly
and equivalently characterizes consS . While least fixpoints
are convenient for implementation of on-the-fly algorithms,
characterizations with greatest fixpoint are useful in proofs
as they allow use of coinduction. Unlike induction on the
number of iterations, coinduction is a sound proof princi-
ple without assuming finite symbolic representation for the
transition system (and thus finite convergence of the fixpoint
computation). We avoid discussing θ in detail here, since it is a mere technicality.
Theorem 4. A specification $S = (St^S, s^S_0, \Sigma^S, \rightarrow^S)$ is consistent iff $s_0 \in \mathit{cons}^S$.
The set of (in)consistent states can be computed for timed
games, and thus for specification automata, using controller
synthesis algorithms [8]. We discuss it briefly in Section 6.
The inconsistent states can be pruned from a consistent
S leading to a locally consistent specification. Pruning is
applied in practice to decrease the size of specifications.
Theorem 5. For a consistent specification $S = (St^S, s^S_0, \Sigma^S, \rightarrow^S)$ and $S^\Delta = (\mathit{cons}^S, s_0, \Sigma^S, \rightarrow^{S^\Delta})$, where $\rightarrow^{S^\Delta} = \rightarrow^S \cap (\mathit{cons}^S \times (\Sigma^S \cup \mathbb{R}_{\geq 0}) \times \mathit{cons}^S)$, $S^\Delta$ is locally consistent and $[\![S]\!]_{mod} = [\![S^\Delta]\!]_{mod}$.
For specification automata pruning is realized by apply-
ing a controller synthesis algorithm, obtaining a maximum
winning strategy, which is then presented as a specification
automaton itself.
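As an added example (mine, not the paper's or Uppaal-tiga's code), the following Python carries the construction of this section through on a finite, discrete-time TIOTS: it computes the immediate error states, iterates π from the empty set until the least fixpoint is reached, decides consistency by Theorem 4, prunes to the consistent states by Theorem 5 and checks local consistency by Definition 8 (which, by the definition of err, is just the absence of immediate error states). The two specifications are constructed by me after Figures 4 and 5. Two assumptions are mine: time advances in unit delays (a `tick` action, so post_[0,d0] is the first d0+1 states of the delay chain), and cPred_t is read so that every state passed during the delay must avoid Y, with Y the output predecessors of the complement of X, i.e. the output player must have no output that leaves X while the input player waits.

```python
"""Consistency of a finite, discrete-time TIOTS: immediate errors err_S,
the least fixpoint of pi (eq. 6), pruning (Theorem 5) and local consistency
(Definition 8). Constructed example, not the Uppaal-tiga implementation.
Assumptions: time advances in unit delays ("tick"); in cPred_t the states
passed during the delay must avoid Y, with Y the output predecessors of
the complement of X (the output player must not be able to leave X)."""
TICK = "tick"


def coffee_spec(cof_from, max_y, with_tea):
    """Constructed TIOTS after Figures 4 and 5: idle -coin?-> busy (invariant
    y<=max_y), cof! once y>=cof_from and, if with_tea, tea! into 'stuck', a
    state with invariant y<=0 and no output. Returns (s0, states, trans, inputs, outputs)."""
    trans = {("idle", "coin"): "busy0", ("idle", TICK): "idle"}   # idle never blocks time
    for y in range(max_y + 1):
        b = f"busy{y}"
        trans[(b, "coin")] = b                                   # ignored input
        if y < max_y:
            trans[(b, TICK)] = f"busy{y + 1}"                    # delay within the invariant
        if y >= cof_from:
            trans[(b, "cof")] = "idle"
        if with_tea:
            trans[(b, "tea")] = "stuck"
    if with_tea:
        trans[("stuck", "coin")] = "stuck"                       # input-enabled, no delay
    states = {s for s, _ in trans} | set(trans.values())
    return "idle", states, trans, {"coin"}, {"cof", "tea"}


def time_line(trans, s):
    """States reached from s by 0, 1, 2, ... unit delays, and whether every
    delay is possible (a delay loop) or time eventually blocks."""
    line, seen = [], set()
    while s not in seen:
        seen.add(s)
        line.append(s)
        if (s, TICK) not in trans:
            return line, False
        s = trans[(s, TICK)]
    return line, True


def err_states(spec):
    """err_S: time cannot progress forever and no delay successor offers an
    output, i.e. exactly the states without independent progress."""
    _, states, trans, _, outputs = spec
    return {s for s in states
            if not time_line(trans, s)[1]
            and not any((q, o) in trans for q in time_line(trans, s)[0] for o in outputs)}


def pred(spec, X, actions):
    """pred_a(X) over a set of actions: ipred for inputs, opred for outputs."""
    return {s for (s, a), s2 in spec[2].items() if a in actions and s2 in X}


def cpred_t(spec, X, Y):
    """cPred_t(X, Y): states that can delay into X while every state passed
    during the delay (post_[0,d0]) lies outside Y."""
    result = set()
    for s in spec[1]:
        for q in time_line(spec[2], s)[0]:
            if q in Y:
                break                     # the delay would pass through Y
            if q in X:
                result.add(s)
                break
    return result


def inconsistent_states(spec):
    """Least fixpoint of pi(X) = err ∪ cPred_t(X ∪ ipred(X), Y), iterated
    from the empty set: the states the input player can drive into err_S."""
    _, states, _, inputs, outputs = spec
    err, X = err_states(spec), set()
    while True:
        escape = pred(spec, states - X, outputs)          # output player can leave X
        nxt = err | cpred_t(spec, X | pred(spec, X, inputs), escape)
        if nxt == X:
            return X
        X = nxt


def consistent(spec):
    """Theorem 4: consistent iff the initial state is not inconsistent."""
    return spec[0] not in inconsistent_states(spec)


def locally_consistent(spec):
    """Definition 8: every state allows independent progress."""
    return not err_states(spec)


def prune(spec):
    """Theorem 5: keep the consistent states and the transitions among them."""
    s0, states, trans, inputs, outputs = spec
    cons = states - inconsistent_states(spec)
    return s0, cons, {k: v for k, v in trans.items() if k[0] in cons and v in cons}, inputs, outputs


if __name__ == "__main__":
    bad = coffee_spec(cof_from=5, max_y=4, with_tea=False)     # after Figure 4
    partial = coffee_spec(cof_from=4, max_y=6, with_tea=True)  # after Figure 5
    print("Figure 4-like consistent:", consistent(bad))                                # False
    print("Figure 5-like consistent:", consistent(partial))                            # True
    print("Figure 5-like locally consistent:", locally_consistent(partial))            # False
    print("after pruning locally consistent:", locally_consistent(prune(partial)))     # True
```

On the Figure 4-like specification every busy state is an immediate error (the invariant y<=4 blocks time before the guard x>=5 of cof! can ever hold), the input player reaches them from idle with coin?, and the initial state ends up inconsistent. On the Figure 5-like specification only the tea target is an immediate error; since tea! belongs to the output player, no input can force it, the initial state stays consistent, and pruning removes the stuck state together with the tea edges, after which every remaining state has independent progress. This is the situation the text describes: consistent but not locally consistent before pruning, locally consistent after.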
Consistency guarantees realizability of a single specifica-
tion. It is of further interest whether several specifications
can be simultaneously met by the same component, with-
out reaching error states of any of them. We formalize this
notion by defining a logical conjunction for specifications.
We define a product first. Let $S = (St^S, s^S_0, \Sigma, \rightarrow^S)$ and $T = (St^T, s^T_0, \Sigma, \rightarrow^T)$ be two specifications. A product of $S$ and $T$, written $S \times T$, is defined to be a specification $(St^S \times St^T, (s^S_0, s^T_0), \Sigma, \rightarrow)$, where the transition relation $\rightarrow$ is the largest relation generated by the following rule:
$$\frac{s \xrightarrow{a}^S s' \qquad t \xrightarrow{a}^T t' \qquad a \in \Sigma \cup \mathbb{R}_{\geq 0}}{(s, t) \xrightarrow{a} (s', t')} \quad (7)$$
In general, a result of the product may be locally incon-
sistent, or even inconsistent. To guarantee consistency we
apply a consistency check to the result, checking if (s0, t0) ∈
consS×T and, possibly, pruning the inconsistent parts:
Definition 9. For specifications $S$ and $T$ over the same alphabet, such that $S \times T$ is consistent, define $S \wedge T = (S \times T)^\Delta$.
Clearly conjunction is commutative. Associativity of conjunction follows from associativity of the product, and the fact that pruning does not remove any implementations (Theorem 5). Conjunction is also the greatest lower bound for locally consistent specifications with respect to refinement:
Theorem 6. For any locally consistent specifications S,
T and U over the same alphabet:
1. S ∧ T ≤ S and S ∧ T ≤ T
2. (U ≤ S) and (U ≤ T ) implies U ≤ (S∧T )
3. [[S ∧ T ]]mod = [[S]]mod ∩ [[T ]]mod
4. [[(S ∧ T ) ∧ U ]]mod = [[S ∧ (T ∧ U)]]mod
We turn our attention to syntactic representations again. Consider two TIOA $A_1 = (Loc_1, q_0^1, Clk_1, E_1, Act^1, Inv_1)$ and $A_2 = (Loc_2, q_0^2, Clk_2, E_2, Act^2, Inv_2)$ with $Act^1_i = Act^2_i$ and $Act^1_o = Act^2_o$. Their conjunction, denoted $A_1 \wedge A_2$, is the TIOA $A = (Loc, q_0, Clk, E, Act^1, Inv)$ given by: $Loc = Loc_1 \times Loc_2$, $q_0 = (q_0^1, q_0^2)$, $Clk = Clk_1 \uplus Clk_2$, $Inv((q_1, q_2)) = Inv_1(q_1) \wedge Inv_2(q_2)$. The set of edges $E$ is defined by the following rule:
• If $(q_1, a, \varphi_1, c_1, q_1') \in E_1$ and $(q_2, a, \varphi_2, c_2, q_2') \in E_2$ this gives rise to $((q_1, q_2), a, \varphi_1 \wedge \varphi_2, c_1 \cup c_2, (q_1', q_2')) \in E$
It might appear as if the two systems can only advance on an input if both are ready to receive it, but because of input-enabledness this is always the case.
The following theorem lifts all the results from the TIOTS level to the symbolic representation level:
Theorem 7. Let $A_1$ and $A_2$ be two specification automata; we have $[\![A_1]\!]_{sem} \wedge [\![A_2]\!]_{sem} = [\![A_1 \wedge A_2]\!]_{sem}$.
4. COMPATIBILITY & COMPOSITION
We shall now define structural composition, also called
parallel composition, between specifications. We follow the
optimistic approach of [15], i.e., two specifications can be
composed if there exists at least one environment in which
they can work together. Parallel composition is made of three
main steps. First, we compute the classical product between
timed specifications [21], where components synchronize on
common inputs/outputs. The second step is to identify in-
compatible states in the product, i.e., states in which the
two components cannot work together. The last step is to
seek an environment that can avoid such error states,
i.e., an environment in which the two components can work
together in a safe way. Before going further, we would like
to contrast the structural and logical composition.
The main use case for parallel composition is in fact dual
to the one for conjunction. Indeed, as observed in the pre-
vious section, conjunction is used to reason about internal
properties of an implementation set, so if a local inconsis-
tency arises in conjunction we limit the implementation set
to avoid it in implementations. A pruned specification can
be given to a designer, who chooses a particular implemen-
tation satisfying the conjoined requirements. A conjunction is
consistent if the output player can avoid inconsistencies, and
its main theorem states that its set of implementations co-
incides with the intersection of the implementation sets of the
conjuncts.
In contrast, parallel composition is used to reason about
external use of two (or more) components. We assume an
independent implementation scenario, where the two com-
posed components are implemented by independent design-
ers. The designer of any of the environment components can
only assume that the composed implementations will adhere
to original specifications being composed. Consequently if
an error occurs in parallel composition of the two specifi-
cations, the environment is the only entity that is possibly
in power to avoid it. Thus, following [12], we say that a
composition is useful, and composed components are com-
patible, if the input player has a strategy in the safety game
to avoid error states in the composition. The main the-
orem will state that if an environment is compatible with
a useful specification, it is also compatible with any of its
refinements, including implementations.
We now propose our formal definition for parallel composition. We consider two specifications $S = (St^S, s_0^S, \Sigma^S, \longrightarrow^S)$ and $T = (St^T, s_0^T, \Sigma^T, \longrightarrow^T)$ and we say that they are composable iff their output alphabets are disjoint: $\Sigma^S_o \cap \Sigma^T_o = \emptyset$.
As we did for conjunction, before defining the parallel
composition we first introduce a suitable notion of product.
The parallel product of $S$ and $T$, which roughly corresponds to the one defined on timed input/output automata [21], is the specification $S \otimes T = (St^S \times St^T, (s_0^S, s_0^T), \Sigma^{S \otimes T}, \longrightarrow^{S \otimes T})$, where the alphabet $\Sigma^{S \otimes T} = \Sigma^S \cup \Sigma^T$ is partitioned into inputs and outputs in the following way: $\Sigma^{S \otimes T}_i = (\Sigma^S_i \setminus \Sigma^T_o) \cup (\Sigma^T_i \setminus \Sigma^S_o)$, $\Sigma^{S \otimes T}_o = \Sigma^S_o \cup \Sigma^T_o$.
The transition relation of the product is the largest relation generated by the following rules:
$$\frac{s \xrightarrow{a}^{S} s' \qquad a \in \Sigma^S \setminus \Sigma^T}{(s,t) \xrightarrow{a}^{S \otimes T} (s',t)} \ \text{[indep-l]} \qquad\qquad \frac{t \xrightarrow{a}^{T} t' \qquad a \in \Sigma^T \setminus \Sigma^S}{(s,t) \xrightarrow{a}^{S \otimes T} (s,t')} \ \text{[indep-r]}$$
$$\frac{s \xrightarrow{a}^{S} s' \qquad t \xrightarrow{a}^{T} t' \qquad a \in \Sigma^{S \otimes T}_i}{(s,t) \xrightarrow{a}^{S \otimes T} (s',t')} \ \text{[sync-in]} \qquad\qquad \frac{s \xrightarrow{d}^{S} s' \qquad t \xrightarrow{d}^{T} t' \qquad d \in \mathbb{R}_{\ge 0}}{(s,t) \xrightarrow{d}^{S \otimes T} (s',t')} \ \text{[delay]}$$
$$\frac{s \xrightarrow{a}^{S} s' \qquad t \xrightarrow{a}^{T} t' \qquad a \in (\Sigma^S_i \cap \Sigma^T_o) \cup (\Sigma^S_o \cap \Sigma^T_i)}{(s,t) \xrightarrow{a}^{S \otimes T} (s',t')} \ \text{[sync-io]}$$
Observe that if we compose two locally consistent specifi-
cations using the above product rules, then the resulting
product is also locally consistent. Since we normally work
with consistent specifications in a development process, im-
mediate errors as defined for conjunction are not applicable
to parallel composition. Moreover, unlike [15], our specifi-
cations are input-enabled, and there is no way to define an
error state where a component can issue an output that
cannot be captured by the other component.
The absence of “model-related” error states allows us to
define more elaborate errors, specified by the designer.
Those cannot easily be considered in [15]. We now give
more details. When reasoning about parallel composition
we use model specific error states, i.e., error states indi-
cated by the designer. These error states could arise in sev-
eral ways. First, a specification may contain an error state
in order to model unavailable inputs in presence of input-
enabledness (transitions under inputs that the system is not
ready to receive, should target such an incompatible state.
Typically universal states are used for the purpose, to signal
unpredictability of the behaviour after receiving an unantic-
ipated input). Second, a temporal property written in some
logic such as TCTL [1] can be interpreted over our specifi-
cation, which when analyzed by a model checker, will result
in partitioning of the states into good ones (say satisfying
the property) and bad ones (violating the property). Third,
an incompatibility in a composition can be propagated from
incompatibilities in the composed components. It should
always be the case that a state $(s, t)$ in a product is an in-
compatible state if $s$ is an incompatible state in $S$, or $t$ is an
incompatible state in $T$.
Formally we will model all these sources of incompatibility
as a set of error states. We will call this set of states, strictly
undesirable states and refer to it as undesirableS . In the rest
of the section, to simplify the presentation, we will include
the set of strictly undesirable states as a part of specification
definition.
We will say that a specification is useful if there exists an
environment $E$ that can avoid reaching a strictly undesirable
state whatever the specification does. The environment
$E$ is said to be compatible with $S$. We are now ready to
define structural composition.
We now propose to compute the set of useful states of $S$ using a fixpoint characterisation. We consider a variant of the controllable time predecessor operator, where the roles of the inputs and outputs are reversed:
$$\omega(X) = undesirable^S \cup cPred_t\big(X \cup ipred(X),\ opred(X)\big) \qquad (8)$$
Now the set of useless states $\overline{useful^S}$ can be characterized as the least fixpoint of $\omega$, so $\overline{useful^S} \supseteq \omega(\overline{useful^S})$. Again existence and uniqueness of this fixpoint is warranted by monotonicity of $\omega$. The set of useful states is defined as the complement: $useful^S = St^S \setminus \overline{useful^S}$.
Theorem 8. For a consistent specification $S$, $S$ is useful iff $s_0 \in useful^S$.
The following theorem shows that pruning the specification does not change the set of compatible environments.
Theorem 9. Let $S$ be such that $s_0 \in useful^S$ and let $S^\beta = (useful^S \cup \{u\}, s_0, \Sigma^S, \longrightarrow^S_\beta, \{u\})$. Then $E$ is compatible with $S$ iff $E$ is compatible with $S^\beta$.
Having introduced the general notion of usefulness of com-
ponents and specifications, we are now ready to define com-
patibility of specifications and parallel composition. We pro-
pose the following definition, which is in the spirit of [12].
Definition 10. Two composable specifications $S$ and $T$ are compatible iff the initial state of $S \otimes T$ is useful.
Definition 11. For two compatible specifications $S$ and $T$ define their parallel composition $S | T = (S \otimes T)^\beta$, and $undesirable^{S|T} = \{(s,t) \mid s \in undesirable^S \text{ or } t \in undesirable^T\}$.
As we have discussed above, the set of strictly undesirable states, $undesirable^{S|T}$, can be enlarged by the designer as needed, for example by adding states for which desirable temporal properties about the interplay of $S$ and $T$ do not hold.
Observe that parallel composition is commutative, and that composing two specifications gives rise to a well-formed specification. It is also associative in the following sense:
$$[\![(S|T)|U]\!]_{mod} = [\![S|(T|U)]\!]_{mod} \qquad (9)$$
Theorem 10. Refinement is a pre-congruence with respect to parallel composition: for any specifications $S_1$, $S_2$ and $T$ such that $S_1 \le S_2$ and $S_1$ is composable with $T$, we have that $S_2$ is composable with $T$ and $S_1 | T \le S_2 | T$. Moreover, if $S_2$ is compatible with $T$ then $S_1$ is compatible with $T$.
We now switch to the symbolic representation. Parallel composition of two TIOA is defined in the following way. Consider two TIOA $A_1 = (Loc_1, q_0^1, Clk_1, E_1, Act^1, Inv_1)$ and $A_2 = (Loc_2, q_0^2, Clk_2, E_2, Act^2, Inv_2)$ with $Act^1_o \cap Act^2_o = \emptyset$. Their parallel composition, which is denoted $A_1 | A_2$, is the TIOA $A = (Loc, q_0, Clk, E, Act, Inv)$ given by: $Loc = Loc_1 \times Loc_2$, $q_0 = (q_0^1, q_0^2)$, $Clk = Clk_1 \uplus Clk_2$, $Inv((q_1, q_2)) = Inv_1(q_1) \wedge Inv_2(q_2)$, and the set of actions $Act = Act_i \uplus Act_o$ is given by $Act_i = (Act^1_i \setminus Act^2_o) \cup (Act^2_i \setminus Act^1_o)$ and $Act_o = Act^1_o \cup Act^2_o$. The set of edges $E$ is defined by the following rules:
• If $(q_1, a, \varphi_1, c_1, q_1') \in E_1$ with $a \in Act^1 \setminus Act^2$ then for each $q_2 \in Loc_2$ this gives $((q_1, q_2), a, \varphi_1, c_1, (q_1', q_2)) \in E$
• If $(q_2, a, \varphi_2, c_2, q_2') \in E_2$ with $a \in Act^2 \setminus Act^1$ then for each $q_1 \in Loc_1$ this gives $((q_1, q_2), a, \varphi_2, c_2, (q_1, q_2')) \in E$
• If $(q_1, a, \varphi_1, c_1, q_1') \in E_1$ and $(q_2, a, \varphi_2, c_2, q_2') \in E_2$ with $a \in Act^1 \cap Act^2$ this gives rise to $((q_1, q_2), a, \varphi_1 \wedge \varphi_2, c_1 \cup c_2, (q_1', q_2')) \in E$
Finally, the following theorem lifts all the results from timed input/output transition systems to the symbolic representation level.
Theorem 11. Let $A_1$ and $A_2$ be two specification automata; we have $[\![A_1]\!]_{sem} \,|\, [\![A_2]\!]_{sem} = [\![A_1 | A_2]\!]_{sem}$.
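The two symbolic constructions of this and the previous section (conjunction $A_1 \wedge A_2$ and parallel composition $A_1 | A_2$) carried out on edge lists, as an added example that is not the paper's code. Guards are kept as sets of atomic constraints so that $\varphi_1 \wedge \varphi_2$ is a set union; MACHINE, FAST and RESEARCHER are constructed toy automata, not the paper's University model.

```python
"""Symbolic conjunction (A1 ∧ A2) and parallel composition (A1 | A2) of TIOA.
Added example, not the paper's code; MACHINE, FAST and RESEARCHER are constructed toys."""
from dataclasses import dataclass
from itertools import product

# Edge = (source, action, guard, resets, target).  A guard is a frozenset of atomic
# clock constraints read as their conjunction (empty = true), so ϕ1 ∧ ϕ2 is a union.
TRUE = frozenset()

@dataclass(frozen=True)
class TIOA:
    locs: frozenset     # Loc
    q0: str             # initial location
    clocks: frozenset   # Clk
    edges: frozenset    # E
    act_i: frozenset    # Act_i
    act_o: frozenset    # Act_o
    inv: dict           # Inv: location -> guard

def _act(a):
    return a.act_i | a.act_o

def _pair(q1, q2):
    return f"({q1},{q2})"

def _product_locs(a1, a2):
    """Loc = Loc1 × Loc2 with Inv((q1,q2)) = Inv1(q1) ∧ Inv2(q2)."""
    pairs = list(product(a1.locs, a2.locs))
    return (frozenset(_pair(q1, q2) for q1, q2 in pairs),
            {_pair(q1, q2): a1.inv[q1] | a2.inv[q2] for q1, q2 in pairs})

def _sync_edges(a1, a2, actions):
    """Joint edges on a shared action: guards conjoined, resets unioned."""
    return {(_pair(q1, q2), a, g1 | g2, c1 | c2, _pair(r1, r2))
            for (q1, a, g1, c1, r1) in a1.edges
            for (q2, b, g2, c2, r2) in a2.edges if a == b and a in actions}

def conjunction(a1, a2):
    """A1 ∧ A2: equal alphabets; the product advances only when both advance on a."""
    assert a1.act_i == a2.act_i and a1.act_o == a2.act_o, "conjunction needs equal alphabets"
    assert not (a1.clocks & a2.clocks), "Clk1 ⊎ Clk2 needs disjoint clock sets"
    locs, inv = _product_locs(a1, a2)
    return TIOA(locs, _pair(a1.q0, a2.q0), a1.clocks | a2.clocks,
                frozenset(_sync_edges(a1, a2, _act(a1))), a1.act_i, a1.act_o, inv)

def parallel(a1, a2):
    """A1 | A2: disjoint outputs; private actions interleave, shared ones synchronise."""
    assert not (a1.act_o & a2.act_o), "composable iff Act1_o ∩ Act2_o = ∅"
    assert not (a1.clocks & a2.clocks), "Clk1 ⊎ Clk2 needs disjoint clock sets"
    locs, inv = _product_locs(a1, a2)
    act_i = (a1.act_i - a2.act_o) | (a2.act_i - a1.act_o)   # inputs not fed by the partner
    act_o = a1.act_o | a2.act_o
    edges = _sync_edges(a1, a2, _act(a1) & _act(a2))         # third rule: shared action
    for (q1, a, g1, c1, r1) in a1.edges:                     # first rule: action of A1 only
        if a not in _act(a2):
            edges |= {(_pair(q1, q2), a, g1, c1, _pair(r1, q2)) for q2 in a2.locs}
    for (q2, a, g2, c2, r2) in a2.edges:                     # second rule: action of A2 only
        if a not in _act(a1):
            edges |= {(_pair(q1, q2), a, g2, c2, _pair(q1, r2)) for q1 in a1.locs}
    return TIOA(locs, _pair(a1.q0, a2.q0), a1.clocks | a2.clocks,
                frozenset(edges), act_i, act_o, inv)

# Machine: coin? in, tea!/cof! out; it may also serve tea without a coin.
MACHINE = TIOA(frozenset({"Idle", "Serving"}), "Idle", frozenset({"x"}), frozenset({
    ("Idle", "coin", TRUE, frozenset({"x"}), "Serving"),
    ("Serving", "tea", frozenset({"x>=2"}), frozenset(), "Idle"),
    ("Serving", "cof", frozenset({"x>=4"}), frozenset(), "Idle"),
    ("Idle", "tea", TRUE, frozenset(), "Idle")}),
    frozenset({"coin"}), frozenset({"tea", "cof"}), {"Idle": TRUE, "Serving": frozenset({"x<=10"})})
# A second requirement over the same alphabet (serve within 5 or 6 time units), for conjunction.
FAST = TIOA(frozenset({"I", "S"}), "I", frozenset({"z"}), frozenset({
    ("I", "coin", TRUE, frozenset({"z"}), "S"),
    ("S", "tea", frozenset({"z<=5"}), frozenset(), "I"),
    ("S", "cof", frozenset({"z<=6"}), frozenset(), "I")}),
    frozenset({"coin"}), frozenset({"tea", "cof"}), {"I": TRUE, "S": TRUE})
# Researcher: tea?/cof? in, pub! out.
RESEARCHER = TIOA(frozenset({"Wait", "Work"}), "Wait", frozenset({"y"}), frozenset({
    ("Wait", "tea", TRUE, frozenset({"y"}), "Work"),
    ("Wait", "cof", TRUE, frozenset({"y"}), "Work"),
    ("Work", "tea", TRUE, frozenset(), "Work"),
    ("Work", "cof", TRUE, frozenset(), "Work"),
    ("Work", "pub", frozenset({"y>=8"}), frozenset(), "Wait")}),
    frozenset({"tea", "cof"}), frozenset({"pub"}), {"Wait": TRUE, "Work": TRUE})
```

`parallel(MACHINE, RESEARCHER)` keeps only `coin` as an input, since `tea` and `cof` are now matched by the Machine's outputs, while `conjunction(MACHINE, FAST)` conjoins the guards `x>=2` and `z<=5` on the joint `tea` edge.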
5. QUOTIENT
An essential operator in a complete specification theory is that of quotienting. It allows for factoring out behaviour from a larger component. If one has a large component specification $T$ and a small one $S$, then $T \setminus\!\setminus S$ is the specification of exactly those components that, when composed with $S$, refine $T$. In other words, $T \setminus\!\setminus S$ specifies the work that still needs to be done, given availability of an implementation of $S$, in order to provide an implementation of $T$.
We have the following requirements on the sets of inputs and outputs of the dividend $T$ and the divisor $S$ when applying quotienting: $\Sigma^S_i \subseteq \Sigma^T_i$ and $\Sigma^S_o \subseteq \Sigma^T_o$.
We proceed as for structural and logical composition
and start with a pre-quotient that may introduce error states.
Those errors are then pruned to obtain the quotient.
Given two specifications $S = (St^S, s_0^S, \Sigma^S, \longrightarrow^S)$ and $T = (St^T, s_0^T, \Sigma^T, \longrightarrow^T)$ the pre-quotient is a specification $T \setminus S = (St, (t_0, s_0), \Sigma, \longrightarrow)$, where $St = (St^T \times St^S) \cup \{u, e\}$ and $u$ and $e$ are fresh states such that $u$ is universal (allows arbitrary behaviour) and $e$ is inconsistent (no output-controllable behaviour can satisfy it). State $e$ disallows progress of time and has no output transitions. The universal state guarantees nothing about the behaviour of its implementations (thus any refinement with a suitable alphabet is possible), and dually the inconsistent state allows no implementations. Moreover we require that $\Sigma = \Sigma^T$ with $\Sigma_i = \Sigma^T_i \cup \Sigma^S_o$ and $\Sigma_o = \Sigma^T_o \setminus \Sigma^S_o$. Finally the transition relation $\longrightarrow^{T \setminus S}$ is the largest relation generated by the following rules:
$$\frac{t \xrightarrow{a}^{T} t' \qquad s \xrightarrow{a}^{S} s' \qquad a \in \Sigma^S \cup \mathbb{R}_{\ge 0}}{(t,s) \xrightarrow{a}^{T \setminus S} (t',s')} \ \text{[all]} \qquad\qquad \frac{s \not\xrightarrow{a}^{S} \qquad a \in \Sigma^S_o \cup \mathbb{R}_{\ge 0}}{(t,s) \xrightarrow{a}^{T \setminus S} u} \ \text{[unreachable]}$$
$$\frac{t \not\xrightarrow{a}^{T} \qquad s \xrightarrow{a}^{S} s' \qquad a \in \Sigma^S_o}{(t,s) \xrightarrow{a}^{T \setminus S} e} \ \text{[unsafe]} \qquad\qquad \frac{t \xrightarrow{a}^{T} t' \qquad a \in \Sigma^T \setminus \Sigma^S}{(t,s) \xrightarrow{a}^{T \setminus S} (t',s)} \ \text{[dividend]}$$
$$\frac{a \in \Sigma \cup \mathbb{R}_{\ge 0}}{u \xrightarrow{a}^{T \setminus S} u} \ \text{[universal]} \qquad\qquad \frac{a \in \Sigma_i}{e \xrightarrow{a}^{T \setminus S} e} \ \text{[inconsistent]}$$
Theorem 12 states that the proposed pre-quotient operator has exactly the property that it is the dual of structural composition with respect to refinement.
Theorem 12. For any two specifications $S$ and $T$ such that the pre-quotient $T \setminus S$ is defined, and for any implementation $X$ over the same alphabet as $T \setminus S$, we have that $S | X$ is defined and $S | X \le T$ iff $X \le T \setminus S$.
Finally, the actual quotient, denoted $T \setminus\!\setminus S$, is defined if $T \setminus S$ is consistent. It is obtained by pruning the states of the pre-quotient $T \setminus S$ from which the implementation has no strategy to avoid the immediate error states $err^{T \setminus\!\setminus S}$, using the same game characterization as in Section 3. Effectively we define the quotient to be $T \setminus\!\setminus S = (T \setminus S)^\Delta$. It follows from Theorem 5 that Theorem 12 also holds for the actual quotient operator $\setminus\!\setminus$ (as opposed to the pre-quotient).
Quotienting for TIOA is defined in the following way. Consider two TIOA $A_T = (Loc_T, q_0^T, Clk_T, E_T, Act^T, Inv_T)$ and $A_S = (Loc_S, q_0^S, Clk_S, E_S, Act^S, Inv_S)$ with $Act^S_i \subseteq Act^T_i$ and $Act^S_o \subseteq Act^T_o$. The quotient, which is denoted $A_T \setminus\!\setminus A_S$, is the TIOA given by: $Loc = Loc_T \times Loc_S \cup \{l_u, l_\emptyset\}$, $q_0 = (q_0^T, q_0^S)$, $Clk = Clk_T \uplus Clk_S \uplus \{x_{new}\}$, $Inv((q_T, q_S)) = Inv(l_u) = true$ and $Inv(l_\emptyset) = \{x_{new} \le 0\}$. The two new states $l_u$ and $l_\emptyset$ are respectively universal and inconsistent. The set of actions $Act = Act_i \uplus Act_o$ is given by $Act_i = Act^T_i \cup Act^S_o \cup \{i_{new}\}$ and $Act_o = Act^T_o \setminus Act^S_o$.
The set of edges $E$ is defined by the following rules:
• For each $q_T \in Loc_T$, $q_S \in Loc_S$ and $a \in Act$ this gives $((q_T, q_S), a, \neg Inv_S(q_S), \{x_{new}\}, l_u) \in E$.
• For each $q_T \in Loc_T$, $q_S \in Loc_S$ this gives $((q_T, q_S), i_{new}, \neg Inv_T(q_T) \wedge Inv_S(q_S), \{x_{new}\}, l_\emptyset) \in E$.
• If $(q_T, a, \varphi_T, c_T, q_T') \in E_T$ and $(q_S, a, \varphi_S, c_S, q_S') \in E_S$ this gives $((q_T, q_S), a, \varphi_T \wedge \varphi_S, c_T \cup c_S, (q_T', q_S')) \in E$
• For each $(q_S, a, \varphi_S, c_S, q_S') \in E_S$ with $a \in Act^S_o$ this gives rise to $((q_T, q_S), a, \varphi_S \wedge \neg G_T, \{x_{new}\}, l_\emptyset)$ where $G_T = \bigvee \{\varphi_T \mid (q_T, a, \varphi_T, c_T, q_T') \in E_T\}$
• For each $(q_T, a, \varphi_T, c_T, q_T') \in E_T$ and $a \notin Act^S$ this gives $((q_T, q_S), a, \varphi_T, c_T, (q_T', q_S)) \in E$
• For each $(q_T, a, \varphi_T, c_T, q_T') \in E_T$ with $a \in Act^S_o$ this gives rise to $((q_T, q_S), a, \neg G_S, \{\}, l_u)$ where $G_S = \bigvee \{\varphi_S \mid (q_S, a, \varphi_S, c_S, q_S') \in E_S\}$
• For each $a \in Act_i$ this gives rise to $(l_\emptyset, a, x_{new} = 0, \{\}, l_\emptyset)$
• For each $a \in Act$ this gives rise to $(l_u, a, true, \{\}, l_u)$
Finally, the following theorem lifts all the results from timed input/output transition systems to the symbolic representation level.
Theorem 13. Let $A_1$ and $A_2$ be two specification automata; we have $([\![A_1]\!]_{sem} \setminus [\![A_2]\!]_{sem})^\Delta = ([\![A_1 \setminus A_2]\!]_{sem})^\Delta$.
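The eight edge rules of the symbolic quotient above, implemented on a small dividend/divisor pair, as an added example that is not the paper's code. Guards and invariants are Python predicates over a clock valuation so that the $\neg G_T$, $\neg G_S$ and $\neg Inv$ terms stay computable; the automata T and S and the names `l_u`, `l_empty`, `i_new`, `x_new` are constructed here.

```python
"""Symbolic quotient A_T \\ A_S following the eight edge rules above.
Added example, not the paper's code.  Guards and invariants are predicates over a
clock valuation (dict clock -> value) so that ¬G_T, ¬G_S and ¬Inv stay computable;
the dividend T and divisor S below are constructed toys."""
from collections import namedtuple
from itertools import product

TIOA = namedtuple("TIOA", "locs q0 clocks edges act_i act_o inv")
TRUE = lambda v: True
L_U, L_EMPTY, I_NEW, X_NEW = "l_u", "l_empty", "i_new", "x_new"   # fresh names (constructed)

def conj(g, h):
    return lambda v: g(v) and h(v)

def neg(g):
    return lambda v: not g(v)

def disj(guards):
    gs = list(guards)                      # G = ⋁{ϕ | ...}; an empty disjunction is false
    return lambda v: any(g(v) for g in gs)

def quotient(at, as_):
    assert as_.act_i <= at.act_i and as_.act_o <= at.act_o, "Act^S ⊆ Act^T componentwise"
    assert not (at.clocks & as_.clocks), "Clk_T ⊎ Clk_S needs disjoint clocks"
    act_i = at.act_i | as_.act_o | {I_NEW}          # the divisor's outputs become inputs
    act_o = at.act_o - as_.act_o                     # what is left for the quotient to produce
    act = act_i | act_o
    pairs = list(product(at.locs, as_.locs))
    inv = {p: TRUE for p in pairs}
    inv[L_U] = TRUE
    inv[L_EMPTY] = lambda v: v[X_NEW] <= 0          # time cannot pass in l_∅
    E = []
    for qt, qs in pairs:
        for a in act:                                # rule 1: S's invariant violated -> universal
            E.append(((qt, qs), a, neg(as_.inv[qs]), frozenset({X_NEW}), L_U))
        # rule 2: T's invariant violated while S's holds -> inconsistent
        E.append(((qt, qs), I_NEW, conj(neg(at.inv[qt]), as_.inv[qs]), frozenset({X_NEW}), L_EMPTY))
    for (qt, a, gt, ct, qt2) in at.edges:
        for (qs, b, gs, cs, qs2) in as_.edges:      # rule 3: joint step of T and S
            if a == b:
                E.append(((qt, qs), a, conj(gt, gs), ct | cs, (qt2, qs2)))
        if a not in as_.act_i | as_.act_o:           # rule 5: action of T only
            E.extend(((qt, qs), a, gt, ct, (qt2, qs)) for qs in as_.locs)
        if a in as_.act_o:                           # rule 6: T allows an output S cannot give
            for qs in as_.locs:
                g_s = disj(g for (q, b, g, _, _) in as_.edges if q == qs and b == a)
                E.append(((qt, qs), a, neg(g_s), frozenset(), L_U))
    for (qs, a, gs, cs, qs2) in as_.edges:
        if a in as_.act_o:                           # rule 4: S outputs where T forbids it
            for qt in at.locs:
                g_t = disj(g for (q, b, g, _, _) in at.edges if q == qt and b == a)
                E.append(((qt, qs), a, conj(gs, neg(g_t)), frozenset({X_NEW}), L_EMPTY))
    E.extend((L_EMPTY, a, lambda v: v[X_NEW] == 0, frozenset(), L_EMPTY) for a in act_i)  # rule 7
    E.extend((L_U, a, TRUE, frozenset(), L_U) for a in act)                              # rule 8
    return TIOA(frozenset(pairs) | {L_U, L_EMPTY}, (at.q0, as_.q0),
                at.clocks | as_.clocks | {X_NEW}, tuple(E), frozenset(act_i), frozenset(act_o), inv)

def edges_from(aut, src, action):
    return [e for e in aut.edges if e[0] == src and e[1] == action]

# Constructed dividend T: the overall machine spec (coin? in, tea!/cof! out, serve within 10).
T = TIOA(frozenset({"Idle", "Serving"}), "Idle", frozenset({"x"}), (
    ("Idle", "coin", TRUE, frozenset({"x"}), "Serving"),
    ("Serving", "tea", lambda v: v["x"] >= 2, frozenset(), "Idle"),
    ("Serving", "cof", lambda v: v["x"] >= 4, frozenset(), "Idle")),
    frozenset({"coin"}), frozenset({"tea", "cof"}), {"Idle": TRUE, "Serving": lambda v: v["x"] <= 10})
# Constructed divisor S: an available tea-only machine (Act^S_i ⊆ Act^T_i, Act^S_o ⊆ Act^T_o).
S = TIOA(frozenset({"I", "W"}), "I", frozenset({"y"}), (
    ("I", "coin", TRUE, frozenset({"y"}), "W"),
    ("W", "tea", lambda v: v["y"] >= 1, frozenset(), "I")),
    frozenset({"coin"}), frozenset({"tea"}), {"I": TRUE, "W": TRUE})
Q = quotient(T, S)
```

In `Q` the divisor's `tea` output has become an input and only `cof` remains to be produced; the rule-4 edge from `("Serving", "W")` on `tea` to `l_empty` is enabled exactly when S may emit `tea` (`y >= 1`) while T does not yet permit it (`x < 2`).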
6. TOOL IMPLEMENTATION
Our specification theory has been implemented using the
verification engine for timed games Uppaal-tiga.
Application of the Engine. The engine of Uppaal-tiga
supports the computation of winning strategies for timed
games with respect to a large class of TCTL winning ob-
jectives. The basic algorithm applied is that of [8], an
on-the-fly algorithm performing forward exploration of
reachable states and back-propagation of (so-far) computed
winning states in an interleaved manner.
Crucial to the algorithm of [8] is the symbolic representa-
tion and efficient manipulation of state-sets using zones, i.e.
sets of clock valuations characterized by constraints on indi-
vidual clocks and clock-differences. In particular the opera-
tors cPredt, ipred and opred used in the fixpoint characteri-
zation of consistent and compatible states may be effectively
computed using federations (unions of zones).
The operations of conjunction and quotienting may pro-
duce specifications with inconsistent states, which need to
be determined and subsequently pruned away. For this, we
apply the algorithm of Uppaal-tiga to a timed reachability
game, where input transitions are controllable, output tran-
sitions uncontrollable, and where states that do not have
any outputs nor allow time to elapse are target states. The
additional effort in implementing this algorithm required an
on-the-fly detection of such states (instead of using ordinary
state predicates) and back-propagating these according to
the algorithm of Uppaal-tiga.
Dually, for the composition of component specifications
with designated error-states, we want to check for compos-
ability. For this we apply Uppaal-tiga to a timed safety
game, where input transitions are controllable, output tran-
sitions uncontrollable, and where error states in any of the
two (or more) components should be avoided.
Finally, the problem of checking the refinement $S \le T$
is solved as a turn-based game between two players. The
first player, or attacker, plays outputs on $S$ and inputs on
$T$, whereas the second player, or defender, plays inputs on
$S$ and outputs on $T$. The product of $S$ and $T$ according
to these rules is then constructed on-the-fly, which is the
forward exploration step. We detect error states on-the-
fly and we back-propagate them. There are two kinds of
error states: 1) either the attacker may delay and violate
invariants on $T$, that is, the defender cannot match a delay,
or 2) the defender has to play a given action and cannot do
so, i.e., a deadlock. In this implementation we can specialize
our algorithm to simplify the operator $cPred_t$ analogously
to [6] with inverted rules with respect to controllable and
uncontrollable transitions. This has been implemented and
the tool has been extended to handle open systems.
Using the Tool. Returning to the example of the University
of Figure 2, we may apply the extended version of Uppaal-
tiga for checking the desired properties of compatibility and
consistency. Checking for compatibility simply amounts to
checking for controllability of the following safety property:
control: A[] not Researcher.ERR
Refinement between the University and the
stated overall specification Specification is checked using the
following new type of refinement property:
refinement: {Administration,Machine,Researcher}
\{coin,tea,cof,pub} <= {Spec}
We are now able to reveal that, unexpectedly, this refine-
ment does not hold! In fact the Administration's ability to
take in publications and produce patents without a preced-
ing grant, combined with the Machine's ability to produce
tea without any coin, violates the overall Specification's re-
quirement that patents can only be produced given a pre-
ceding grant. In Figure 6 a screenshot of the extension of
Uppaal-tiga playing the counter-strategy against a (disbe-
lieving but to be convinced) user is shown.
Figure 6: A refinement counter-strategy in Uppaal
7. CONCLUDING REMARKS
We have proposed a complete game-based specification
theory for timed systems, in which we distinguish between
a component and the environment in which it is used. To
the best of our knowledge, our contribution is the first game-
based approach to support both refinement, consistency
checking, logical and structural composition, and quotient.
Our results have been implemented in the Uppaal toolset [3].
There have been several other attempts to propose an
interface theory for timed systems (see [15, 11, 5, 4, 9, 32, 16,
24] for some examples). Our model shall definitely be viewed
as an extension of the timed input/output automaton model
proposed by Lynch et al. [21]. The major differences are in
the game-based treatment of interactions and the addition
of quotient and conjunction operators.
In [15], de Alfaro et al. suggested timed interfaces, a model
that is similar to that of TIOTSs. Our definition of com-
position builds on the one proposed there. However, the
work in [15] is incomplete: there is no notion of im-
plementation and refinement. Moreover, conjunction and
quotient are not studied. Finally, the theory has only been
implemented in a prototype tool [11] which does not handle
continuous time, while our contribution takes advantage of
the powerful game engine of Uppaal-tiga.
In [22] Larsen proposes modal automata, which are deter-
ministic automata equipped with transitions of the following
two types: may and must. The components that imple-
ment such interfaces are simple labeled transition systems.
Roughly, a must transition is available in every component
that implements the modal specification, while a may transi-
tion need not be. Recently a timed extension of modal
automata was proposed [5, 4], which embeds all the operations
presented in the present paper. However, modalities are or-
thogonal to inputs and outputs, and it is well known [23]
that, contrary to the game-semantic approach, they cannot
be used to distinguish between the behaviors of the compo-
nent and those of the environment.
One could also investigate whether our approach can be
used to perform scheduling of timed systems (see [11, 19, 16]
for examples). For example, the quotient operation could
perhaps be used to synthesize a scheduler for such problems.
8. REFERENCES
[1] R. Alur and D. L. Dill. A theory of timed automata.
Theor. Comput. Sci., 126(2):183–235, 1994.
[2] R. Alur, T. A. Henzinger, O. Kupferman, and M. Y.
Vardi. Alternating refinement relations. In
CONCUR’98, volume 1466 of LNCS. Springer, 1998.
[3] G. Behrmann, A. Cougnard, A. David, E. Fleury,
K. G. Larsen, and D. Lime. Uppaal-tiga: Time for
playing games! In CAV, volume 4590 of LNCS.
Springer, 2007.
[4] N. Bertrand, A. Legay, S. Pinchinat, and J.-B. Raclet.
A compositional approach on modal specifications for
timed systems. In ICFEM, LNCS. Springer, 2009.
[5] N. Bertrand, S. Pinchinat, and J.-B. Raclet.
Refinement and consistency of timed modal
specifications. In LATA, volume 5457 of LNCS,
Tarragona, Spain, 2009. Springer.
[6] P. Bulychev, T. Chatain, A. David, and K. G. Larsen.
Efficient on-the-fly algorithm for checking alternating
timed simulation. In FORMATS, volume 5813 of
LNCS, pages 73–87. Springer, 2009.
[7] B. Caillaud, B. Delahaye, K. G. Larsen, A. Legay,
M. Pedersen, and A. Wasowski. Compositional
design methodology with constraint Markov chains.
Technical report, Hal-INRIA, 2009.
[8] F. Cassez, A. David, E. Fleury, K. G. Larsen, and
D. Lime. Efficient on-the-fly algorithms for the
analysis of timed games. In CONCUR, 2005.
[9] K. Čerāns, J. C. Godskesen, and K. G. Larsen. Timed
modal specification - theory and tools. In Proceedings
of the 5th International Conference on Computer
Aided Verification (CAV’93), volume 697 of LNCS,
pages 253–267. Springer, 1993.
[10] A. Chakrabarti, L. de Alfaro, T. A. Henzinger, and
M. I. A. Stoelinga. Resource interfaces. In R. Alur and
I. Lee, editors, EMSOFT 03: 3rd Intl. Workshop on
Embedded Software, LNCS. Springer, 2003.
[11] L. de Alfaro and M. Faella. An accelerated algorithm
for 3-color parity games with an application to timed
games. In CAV, volume 4590 of LNCS. Springer, 2007.
[12] L. de Alfaro and T. A. Henzinger. Interface automata.
In FSE, pages 109–120, Vienna, Austria, Sept. 2001.
ACM Press.
[13] L. de Alfaro and T. A. Henzinger. Interface-based
design. In Engineering Theories of Software
Intensive Systems, Marktoberdorf Summer School.
Kluwer Academic Publishers, 2004.
[14] L. de Alfaro, T. A. Henzinger, and R. Majumdar.
Symbolic algorithms for infinite-state games. In K. G.
Larsen and M. Nielsen, editors, CONCUR, volume
2154 of LNCS, pages 536–550. Springer, 2001.
[15] L. de Alfaro, T. A. Henzinger, and M. I. A. Stoelinga.
Timed interfaces. In A. L. Sangiovanni-Vincentelli and
J. Sifakis, editors, EMSOFT, volume 2491 of LNCS,
pages 108–122. Springer, 2002.
[16] Z. Deng and J. W. S. Liu. Scheduling real-time
applications in an open environment. In Proceedings
of the 18th IEEE Real-Time Systems Symposium,
pages 308–319. IEEE Computer Society Press, 1997.
[17] S. J. Garland and N. A. Lynch. The IOA language and
toolset: Support for designing, analyzing, and building
distributed systems. Technical report, Massachusetts
Institute of Technology, Cambridge, MA, 1998.
[18] T. A. Henzinger, Z. Manna, and A. Pnueli. Timed
transition systems. In REX Workshop, volume 600 of
LNCS, pages 226–251. Springer, 1991.
[19] T. A. Henzinger and S. Matic. An interface algebra for
real-time components. In IEEE Real Time Technology
and Applications Symposium, pages 253–266. IEEE
Computer Society, 2006.
[20] T. A. Henzinger and J. Sifakis. The embedded systems
design challenge. In FM, volume 4085 of LNCS, pages
1–15. Springer, 2006.
[21] D. K. Kaynar, N. A. Lynch, R. Segala, and F. W.
Vaandrager. Timed i/o automata: A mathematical
framework for modeling and analyzing real-time
systems. In RTSS, pages 166–177. IEEE Computer
Society, 2003.
[22] K. G. Larsen. Modal specifications. In J. Sifakis,
editor, Automatic Verification Methods for Finite
State Systems, volume 407 of LNCS, pages 232–246.
Springer, 1989.
[23] K. G. Larsen, U. Nyman, and A. Wasowski. Modal
I/O automata for interface and product line theories.
In R. D. Nicola, editor, ESOP, volume 4421 of LNCS,
pages 64–79. Springer, 2007.
[24] I. Lee, J. Y.-T. Leung, and S. H. Son. Handbook of
Real-Time and Embedded Systems. Chapman, 2007.
[25] N. Lynch. I/O automata: A model for discrete event
systems. In Annual Conference on Information
Sciences and Systems, pages 29–38, Princeton
University, Princeton, N.J., 1988.
[26] N. A. Lynch and M. R. Tuttle. An introduction to
input/output automata. Technical Report
MIT/LCS/TM-373, The MIT Press, Nov. 1988.
[27] O. Maler, A. Pnueli, and J. Sifakis. On the synthesis
of discrete controllers for timed systems (an extended
abstract). In STACS, pages 229–242, 1995.
[28] R. Milner. Communication and Concurrency. Prentice
Hall, 1988.
[29] R. D. Nicola and R. Segala. A process algebraic view
of input/output automata. Theoretical Computer
Science, 138, 1995.
[30] E. W. Stark, R. Cleaveland, and S. A. Smolka. A
process-algebraic language for probabilistic I/O
automata. In CONCUR, LNCS, pages 189–2003.
Springer, 2003.
[31] A. Tarski. A lattice-theoretical fixpoint theorem and
its applications. Pacific Journal of Mathematics,
5:285–309, 1955.
[32] L. Thiele, E. Wandeler, and N. Stoimenov. Real-time
interfaces for composing real-time systems. In
EMSOFT, pages 34–43. ACM, 2006.
[33] F. W. Vaandrager. On the relationship between
process algebra and input/output automata. In LICS,
pages 387–398, 1991.
