An extended Petri Net model which considers modular partitioning along with timing restrictions and environment models is presented. Module constructs permit the specification of a complex system as a set of message passing modules with the timing semantics of Time Petri Nets. The state space of each individual module can be separately enumerated and assessed under the assumption of a partial specification of the intended module operation environment. State spaces of individual modules can be recursively integrated, to permit the assessment of module clusters and of the overall model, and to check the satisfaction of the assumptions made in the separate analysis of elementary component modules. In the intermediate stages between subsequent integration steps, the state spaces of modules and module clusters can be projected onto reduced representations concealing local events that are not essential to the purposes of the analysis. The joint use of incremental enumeration and intermediate concealment of local events allows for a flexible management of state explosion, and permits a scalable approach to the validation of complex systems.
Via Santa Marta 3, 50139 Firenze, Italy; email: bucci@ing1.ing.unifi.it, vicario@aguirre.ing.unifi.it. The work described in this paper was partially supported by MURST under grant 40% "Architetture Convenzionali e non Convenzionali per Sistemi Distribuiti". This paper has been accepted for publication in IEEE Transactions on Software Engineering (publication scheduled for December 1995).
Introduction
Reachability analysis permits the automatic translation of behavioral specification models into a state transition graph made up of a set of states, a set of actions, and a succession relation associating states through actions [13] [23]. This representation makes explicit such properties as deadlock freedom and reachability [23] [27], and allows the automatic verification of ordering relationships among action execution times [12] [5].
With the emergence of real-time computing [32] [33], a considerable effort is being made to extend reachability analysis to the development of those systems where correctness depends not only on the ordering of actions, but also on their execution times. This extension requires that state transition graphs be augmented with timing information and constraints, so as to permit the quantitative representation of the dwelling time between subsequent actions [18]. Unfortunately, in such a model, the same action executed after different dwelling times generally yields different resulting states. This either blows up (for discrete-valued time) or definitely prevents (for dense-valued time) the enumeration of the state space and of the succession relation of the graph [16] [3].
Different approaches have been proposed to cope with this intrinsic difficulty involved in the exhaustive analysis of time-dependent systems. These include the symbolic representation of the state space of a model [19], and the use of equivalence state classes collecting a multiplicity of states [8]. In particular, in this latter approach, two major enumeration techniques have been proposed which exploit the basic models of Finite State Machines and Time Petri Nets.
In [2], action sequencing and timing constraints are expressed through a Finite State Machine with edge-annotated constraints limiting inter-times between actions. Considerable work has been done around this model. In particular, its translation into a succession relation among equivalence classes is expounded in [3], along with a model checking algorithm for the automatic verification of ordering and metric relationships among action execution times [4].
In [8] [9], an enumerative technique is proposed which supports reachability analysis of Time Petri Net models [29]. Using this formalism, action synchronizations are represented in terms of a set of pre- and post-conditions associated with each individual action of the system, and timing constraints are expressed in terms of minimum and maximum times elapsing between the enabling and the execution of each action. This facilitates model specification by permitting a compact representation of the state space and an explicit modeling of concurrence and parallelism.
Despite this modeling capability, the application of Time Petri Nets to realistic cases is still limited by the lack of modularization capabilities. Some extensions have been proposed to augment Petri Nets with module constructs [21] [37] [7], but none of them addresses the case of Time Petri Nets, and, moreover, none of them is accompanied by adequate analysis techniques exploiting modularization not only in the specification but also in the validation stage. The joint use of timing and module constructs has been addressed in [10], with respect to the expressive power deriving from different ways of introducing timing semantics in Petri Nets. Also in this case, however, no technique is proposed to exploit modularity in the analysis stage.
The purpose of this paper is to show that a compositional approach to the specification and validation of Time Petri Net models can be accomplished if module constructs are associated with timing restrictions and environment modeling. To this end, an extended model, referred to as Communicating Time Petri Nets (CmTPN), is introduced, which permits the specification of a complex time-critical system as a set of message passing Time Petri Nets. The state space of each of these modules can be separately enumerated and assessed under the assumption of a required interface which closes the module with a set of timing restrictions providing a partial specification for the expected module operation environment. Results of the analysis of individual modules can be recursively integrated to accomplish an incremental enumeration of the state space of module clusters and of the overall composed system. This incremental approach has a number of well known methodological advantages, such as helping the early detection of design faults and the reusability of validation results in the presence of environment changes. In particular, it permits the use of projections concealing local events in the intermediate stages between subsequent integration steps, so as to manage the state explosion problem in the analysis of complex systems.
The paper is organized in six sections and an appendix. CmTPNs are introduced in Sect.2. The unit analysis of individual CmTPN modules and the integration analysis of composed CmTPN systems are expounded in Sects.3 and 4, respectively. In Sect.5, an application example is discussed which exemplifies the use of CmTPNs in the compositional validation of a case where the usual flat analysis is prevented by huge complexity conditions. Conclusions, related and future research are expounded in Sect.6. For the sake of readability, proofs are deferred to Appendix A.
Communicating Time Petri Nets
CmTPNs augment the basic model of Petri Nets with inhibitor arcs, the timing constraints of Time Petri Nets, and a module construct which permits the decomposition of a complex model into simpler sub-models.
As in the basic model of Petri Nets [1] [30], a CmTPN is a bipartite oriented graph made up of two classes of nodes referred to as places and transitions. Places are connected to transitions and vice versa through pre- and post-condition arcs, respectively. A place p is said to be an input or an output place for a transition t if there exists a pre- or a post-condition arc connecting p to t or vice versa, respectively. Places may contain tokens which constrain the execution of transitions: a transition is enabled to fire when all its input places contain at least one token. When a transition fires, one token is removed from each of its input places and one token is added to each of its output places.
Inhibitor arcs connecting places to transitions are added to this basic model to restrict the enabling condition: a transition is not enabled if any of the places connected to it through an inhibitor arc contains at least one token [30]. Inhibitor arcs, which permit the expression of priorities among transitions, do not basically affect the essence of our treatment, but they are considered here since they largely simplify the construction of even simple examples such as those that are considered in the following.
According to the semantics of Time Petri Nets [28] [29], the time at which an enabled transition t fires is constrained through: (1) a couple of state variables referred to as the earliest and the latest dynamic firing time; and (2) a couple of constants referred to as the static earliest and latest firing time. At any moment, for any enabled transition t, the earliest and latest dynamic firing times express the minimum and the maximum values for the time to fire of t. These dynamic firing times are set to their respective static values whenever t becomes enabled, and they are shifted left as time passes. According to this semantics, a transition cannot fire before being continuously enabled for a time longer than its earliest static firing time, and it cannot be continuously enabled without firing for a time longer than its latest static firing time.
To support modularization, CmTPNs are provided with writing and reading ports. These can be associated through communication links with transitions and places, which are thus referred to as writing transitions and reading places, respectively. Writing and reading ports can be connected through one-to-one channels so as to build composed CmTPN systems made up of multiple CmTPN modules. In this composition, channels and links establish a connection between writing transitions and reading places (usually) belonging to different modules. As a result of this connection, whenever a writing transition fires, a token is added to each of its connected reading places, as would occur in the presence of post-condition arcs from the writing transition to all its connected reading places.
This preliminary sketch of CmTPNs is expounded in the rest of this section, through the formal description of their syntax and semantics and through the discussion of a simple toy example.
Static Model
A CmTPN is a tuple:
CmTPN = ⟨P, T, A, A, FI^s, Port, Link⟩.
The first three members correspond to the basic Petri Net model: P is a set of places; T is a set of transitions; A is a set of pre- and post-conditions which associate places with transitions and transitions with places, respectively:
A place p is said to be an input or an output place for a transition t if ⟨p, t⟩ ∈ A or ⟨t, p⟩ ∈ A, respectively.
A is a set of inhibitor arcs associating places with transitions:
A place p is said to be an inhibitor place for a transition t if ⟨p, t⟩ ∈ A. (5) Link is a relation associating places and transitions with reading and writing ports, respectively:
For the sake of notation, transitions associated with a writing port are referred to as writing transitions, and places associated with a reading port as reading places.
Writing and reading ports (usually belonging to different modules) can be connected through one-to-one channels so as to form a composed CmTPN system. Ports that remain unconnected after the composition (i.e. ports that are not attached to any channel) comprise the set of communicating ports of the composed net. These ports can be used to iterate the composition process and to include a composed CmTPN within a layered model.
Dynamic Behavior
A composed CmTPN system has a dynamic behavior which comes into view at the execution of transitions through a transformation of the marking and the firing intervals of component CmTPN modules.[1]
[1] The assumption that firing intervals are expressed through rational numbers ensures boundedness characteristics that are not guaranteed by real numbers [9].
The state of an individual CmTPN module is a couple s = ⟨M, FI⟩, where M is an application associating each place p of the module with a non-negative integer number M(p) (the marking), and FI is an application associating each transition t of the module with a dynamic firing interval made up of an earliest and a latest dynamic firing time (EFT(t) and LFT(t), respectively):
Firability clause: Only firable transitions can be fired. If the set of firable transitions is not empty, the next transition to fire in system S, say t_o belonging to module N_o, will fire after the elapsing of a firing time (t_o) which is constrained to be longer than the earliest firing time of t_o and shorter than the latest firing time of every other enabled transition of every module in system S.
Firing clause: When a transition t_o belonging to a module N_o fires, the markings of the component modules of system S are changed through the following three subsequent (atomic) steps:
a) a token is removed from each of the input places of t_o;
b) a token is added to each of the output places of t_o;
c) for every writing port out linked to t_o, if out is attached through a channel to a reading port in of a module N_in in system S, then a token is added to each of the places of N_in that are linked to in.
After moving tokens, the firing times of all the transitions of system S that are enabled by the new resulting marking are updated. This occurs in a different manner for persistent transitions, i.e. those transitions that are enabled both before the firing and after step a), and for newly enabled transitions, i.e. those transitions that are not enabled before the firing or not enabled after step a):
d) for any persistent transition t ≠ t_o, the dynamic firing interval is shifted left by the value of (t_o):
EFT(t) := max{0, EFT(t) − (t_o)},  LFT(t) := max{0, LFT(t) − (t_o)}  (8)
e) for any newly enabled transition t, the dynamic firing interval is reset to its static value:
f) if transition t_o is still enabled after its own firing, its dynamic firing interval is reset to the static value, as for newly enabled transitions.
Please note that the dynamic firing times of disabled transitions are not relevant to the behavior of the net, as they do not condition to any extent any of the three clauses of the firing rule. For this reason, dynamic firing intervals of disabled transitions are not updated in the firing clause.
Step f) marks a difference between the timing semantics of CmTPNs and Time Petri Nets [29]. In CmTPNs, a transition which is still enabled after its own firing is always considered as newly enabled, independent of whether or not it is enabled by the temporary marking occurring after step a) and before steps b) and c). This simplifies the treatment of states in which a transition has sufficient tokens in its input places to permit multiple firings. The treatment of this condition, usually referred to as multiple enabledness, requires that multiple firing intervals be associated with a single transition and involves a number of semantic subtleties that are not relevant to the purposes of our discussion.
A Simple Example
A simple example will provide an intuitive comprehension of the above definitions. Let us then consider the case of the two interacting modules, referred to as N_1 and N_2, that are graphically defined in Figs.1 and 2. Here, each module is represented through an external view accounting for communication ports (Figs.1a and 2a), and through an internal view describing the net by means of an annotated Petri Net graph (Figs.1b and 2b). In the internal view, inhibitor arcs are represented as dot-terminated lines (e.g. the arc from place p_2 to transition t_2 in Fig.1b) and the static firing intervals of transitions are annotated as usual in Time Petri Nets (e.g. the static interval (5, 11) associated with transition t_2 in Fig.1b). Reading and writing links with a port port are annotated as port? or port!, respectively (e.g. the writing link right! associating transition t_2 with the writing port right in Fig.1b).
The composition of N
In the initial state, let the places p_2 and p_4 contain one token each, and let the dynamic firing intervals of t_3 and t_5 be set to the values (5, 10) and (2, 4), respectively: both t_3 and t_5 are enabled but, while transition t_5 can fire with any firing time in the interval (2, 4), t_3 cannot fire as its earliest firing time is higher than the latest firing time of t_5. Let us consider the case in which t_5 fires after 3 time units. At this firing, one token is removed from place p_4 and, due to the connection between ports right and left (see Fig.3), one token is added to both places p_0 and p_1; transition t_3 is persistent and its dynamic firing interval is shifted left (by 3 time units) to the value (2, 7). Besides, transition t_1 is newly enabled and its dynamic firing interval is set equal to the static value (2, 4). Note that, due to the inhibitor arc from place p_2, transition t_2 is not enabled.
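The firing rule of Sect.2.2 and the step just described, as an added Python example that is not code from the paper: the two modules are rebuilt from the elements the text names; the pre/post-condition arcs the figures would supply and the N_1 to N_2 channel are assumptions, and firing t_5 after 3 time units reproduces the shift of t_3 to (2, 7), the reset of t_1 to (2, 4) and the inhibition of t_2.

```python
"""CmTPN firing rule of Sect. 2.2 replayed on the two-module toy of Figs. 1-3.
Added example, not code from the paper.  Only the net elements the text names
are reproduced; pre/post arcs not mentioned in the text are ASSUMPTIONS."""
from dataclasses import dataclass, field
from fractions import Fraction as F
from typing import Dict, List, Optional, Set, Tuple

Interval = Tuple[F, F]
Key = Tuple[str, str]          # (module name, transition or place name)

@dataclass
class Transition:
    name: str
    inputs: List[str]                      # pre-condition places
    outputs: List[str]                     # post-condition places
    static: Interval                       # static (EFT, LFT)
    inhibitors: List[str] = field(default_factory=list)
    write_port: Optional[str] = None       # writing link port!, if any

@dataclass
class Module:
    transitions: Dict[str, Transition]
    reading_links: Dict[str, List[str]]    # reading port -> reading places

class System:
    def __init__(self, modules: Dict[str, Module], channels: Dict[Key, Key],
                 marking: Dict[Key, int]):
        self.modules, self.channels, self.marking = modules, channels, marking
        # initial dynamic intervals: the static value of every enabled transition
        self.fi: Dict[Key, Interval] = {k: self.trans(k).static for k in self.enabled()}

    def trans(self, k: Key) -> Transition:
        return self.modules[k[0]].transitions[k[1]]

    def enabled(self) -> Set[Key]:
        """Enabling rule with inhibitor arcs (Sect. 2)."""
        out = set()
        for m, mod in self.modules.items():
            for t in mod.transitions.values():
                if all(self.marking.get((m, p), 0) >= 1 for p in t.inputs) and \
                   not any(self.marking.get((m, p), 0) >= 1 for p in t.inhibitors):
                    out.add((m, t.name))
        return out

    def firable(self) -> Set[Key]:
        """Firability clause: t_o may fire only if its earliest firing time does
        not exceed the latest firing time of every enabled transition."""
        en = self.enabled()
        bound = min((self.fi[k][1] for k in en), default=None)
        return {k for k in en if self.fi[k][0] <= bound}

    def fire(self, k: Key, tau: F) -> None:
        """Firing clause, steps a)-f), for transition k firing after time tau."""
        assert k in self.firable(), f"{k} is not firable"
        assert self.fi[k][0] <= tau <= min(self.fi[j][1] for j in self.enabled())
        m, t = k[0], self.trans(k)
        before = self.enabled()
        for p in t.inputs:                                   # a) consume
            self.marking[(m, p)] -= 1
        after_a = self.enabled()
        for p in t.outputs:                                  # b) produce
            self.marking[(m, p)] = self.marking.get((m, p), 0) + 1
        if t.write_port and (m, t.write_port) in self.channels:   # c) channel
            m_in, port_in = self.channels[(m, t.write_port)]
            for p in self.modules[m_in].reading_links[port_in]:
                self.marking[(m_in, p)] = self.marking.get((m_in, p), 0) + 1
        new_fi: Dict[Key, Interval] = {}
        for j in self.enabled():
            if j != k and j in before and j in after_a:      # d) persistent: shift left
                e, l = self.fi[j]
                new_fi[j] = (max(F(0), e - tau), max(F(0), l - tau))
            else:                                            # e), f) newly enabled
                new_fi[j] = self.trans(j).static
        self.fi = new_fi

def build_toy() -> System:
    # N1: t1 (2,4); t2 (5,11) inhibited by p2 and writing on port right;
    # t3 (5,10); reading port left feeds p0 and p1 (Fig. 4).  N2: t5 writes on
    # its port right, connected to left of N1 (Fig. 3).  Pre/post arcs, the
    # N1 -> N2 channel and N2's reading places are assumptions.
    n1 = Module({"t1": Transition("t1", ["p1"], ["p2"], (F(2), F(4))),
                 "t2": Transition("t2", ["p0"], [], (F(5), F(11)), ["p2"], "right"),
                 "t3": Transition("t3", ["p2"], ["p0"], (F(5), F(10)))},
                {"left": ["p0", "p1"]})
    n2 = Module({"t5": Transition("t5", ["p4"], ["p3"], (F(2), F(4)), [], "right")},
                {"left": ["p4"]})
    return System({"N1": n1, "N2": n2},
                  {("N2", "right"): ("N1", "left"), ("N1", "right"): ("N2", "left")},
                  {("N1", "p2"): 1, ("N2", "p4"): 1})

def run_example() -> System:
    s = build_toy()
    assert s.firable() == {("N2", "t5")}       # t3 cannot fire: EFT 5 > LFT 4 of t5
    s.fire(("N2", "t5"), F(3))                 # t5 fires after 3 time units
    return s                                   # t3 -> (2,7), t1 -> (2,4), t2 not enabled
```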
Unit Analysis
The compositional validation of a composed CmTPN system starts from the separate analysis of its component modules. This analysis, that we refer to as unit analysis, is carried out for each individual component module under the assumption of a required interface which partially speci es the intended behavior of the environment where the module will operate. This permits the assessment of reachability and timeliness properties that are exhibited by the module when this operates within any environment complying with the constraints of the required interface.
Constraining the Environment through Required Interfaces
In the operation of a CmTPN module included within a composed system, the arrival of tokens into reading places is determined by writing transitions (usually) belonging to outer modules. To carry out the separate analysis of such an open module, it must be closed through the assumption of restrictions about the possible behavior patterns of its environment. The complete specification of the entire composed system in which the module is embedded is the most straightforward approach to accomplish this restriction. However, this type of analysis prevents any incremental validation and largely hinders maintenance and reuse of validation results: any change in any of the component modules, or in the composition topology itself, invalidates all the results of the assessment.
To overcome these limitations, the separate analysis of each individual CmTPN module is carried out under the assumption of an incomplete specification of its intended environment. To this end, the module is augmented with fictitious transitions accounting for the arrival of tokens into reading places, and the firing times of these transitions are constrained through restrictions reflecting expected limitations on the environment operation. These restrictions do not define constraints enforced by the module, but rather stand for a set of assumptions about the expected behavior of the environment where the module will operate. For this reason, they are referred to as a required interface.
The result of the extension of the module with a required interface is a closed system which features all the possible behavior patterns that the module can follow within any environment complying with the constraints of its required interface.
Static Model
A required interface extends a module with a set of fictitious transitions and post-conditions accounting for the arrival of tokens into reading places, and with a number of timing constraints limiting the firing of these fictitious transitions. This extension is expressed as a triple
Required Interface = ⟨T_in, A_in, FI^s_ri⟩  (10)
T_in is a set of fictitious reading transitions, one for each reading port of the module (for instance, in Fig.4, transition t_left is associated with port left). A_in is a set of fictitious post-condition arcs associating each reading transition t_in with each of the reading places that are linked with the corresponding reading port in (see for instance the arcs from the reading transition t_left to places p_1 and p_0 in Fig.4
Note that the static earliest firing time of a reading transition may be equal to 1.
Dynamic Model
The extension of a module with a required interface makes up a closed system whose state is a triple ⟨M, FI, FI_ri⟩, where M and FI are the marking of places and the firing intervals of (regular) transitions of the module, and FI_ri is a required dynamic firing interval associating each fictitious reading transition t_in with a required dynamic earliest and latest firing time (EFT_ri(t_in) and LFT_ri(t_in), respectively):
The composition of the module with its required interface is operated according to an execution rule which basically corresponds to that of transitions. Specifically, the firability clause, the progress clauses, the token moves and the updating of firing intervals of regular transitions are defined as in the rule of Sect.2.2, except for the fact that the set T of transitions is augmented to T ∪ T_in. The only difference is in the rule by which the dynamic firing intervals of fictitious reading transitions are changed over time: the dynamic firing interval of each reading transition, say t_in, is initially set equal to the static value FI^s_ri(t_in, init), and it is changed at the firing of any transition t according to the following rule:
It is worth noting that required interfaces do not permit the expression of constraints on inter-times between non-consecutive communication events. For instance, it is not possible to assume an explicit constraint on the overall time elapsing from the first to the tenth firing of a transition. As a consequence, required interfaces cannot include assumptions about average arrival rates. While making the use of CmTPNs in performance evaluation difficult, this limitation does not constitute a relevant restriction in the validation of time-critical systems, which is usually oriented towards a worst-case analysis.
An Enumerative Technique for the Analysis of CmTPN Modules
After its dependency on the environment has been replaced through a required interface, an individual CmTPN module can be regarded as a closed model. Since this is basically similar to a Time Petri Net, it can be analyzed through the enumeration technique proposed by Berthomieu and Diaz for the analysis of Time Petri Nets [8] [9]. In order to cope with the dependency of the model state on timing variables (i.e. the firing times) taking values in dense sets (i.e. the firing intervals), this technique enumerates the reachability relation among a set of state classes, each collecting an infinite set of states. In this way, the native density of the state space is encapsulated within state classes, and reachability analysis is carried out by enumerating a discrete reachability relation among state classes rather than states. In [36], it is proven that one such canonical representation exists uniquely, and an algorithm is presented which computes with polynomial complexity the canonical form of a generic system of inequalities in the form of Eq.(13).
State Classes and Firing Domains

Enumerating Reachable State Classes
Given
3) eliminate the variable (t_o) from the system;
4) for every non-persistent transition t_i, eliminate the unknown value (t_i) from D'. To this end, remember that, at the firing of t_o, a reading transition t_in is considered to be either newly enabled or persistent according to whether the couple ⟨t_in, t_o⟩ belongs or not to BI_ri;
5) for every newly enabled transition t_i, add to D' the inequality constraining (t_i) in its static firing interval. Specifically: if t_i is a regular transition, then add to the system the inequality EFT^s(t_i) (
A Simple Example
Consider again the CmTPN module N_1 of Fig.1. In the unit analysis, a fictitious transition t_left is added to the model so as to account for the arrival of tokens into place p_1 (see Fig.4). By construction, no input places are in the pre-condition of the fictitious transition t_left, in that its firing accounts for the firing of a (writing) transition falling beyond the scope of the module. Thus its firing must be limited through timing restrictions reflecting the expected behavior of its embedding environment. For instance, assume we want to analyze N_1 under the following restrictions:
a token arrives at port left within 12 time units after the beginning of the execution (i.e. FI^s_ri(t_left, init) = (0, 12)); after a token arrives at port left, the next token will arrive neither sooner than 20 nor later than 30 time units (i.e. FI^s_ri(t_left, t_0) = (20, 30)); whenever a token is transmitted through the writing port right (i.e. transition t_2 is fired), the expectancy about the next arrival at the reading port left is changed so as to request the next token to arrive neither sooner than 12 nor later than 20 time units (i.e. FI^s_ri(t_left, t_2) = (12, 30)). These assumptions are captured by the required interface shown in Tab.5, where the element in row t_i, column t_j stands for the expectancy about the next firing of t_i after the firing of t_j (i.e. FI^s_ri(t_i, t_j)). The reachability graph computed for N_1 with this required interface is reported in Fig.6. In the graph, constraints referring to newly enabled transitions are annotated through a flag which is later used to distinguish persistent and newly enabled transitions during the composition of the reachability graphs of multiple modules.
Timeliness Analysis
The graph of reachable state classes of a CmTPN model comprises a complete description of the set of its executable runs: a sequence of transitions (i.e. a trace) is a run of the model if and only if it corresponds to a path in the graph [36]. As a consequence, a state s_o is reachable through a system run from some of the states collected in the root class S_root if and only if s_o is collected in some class S_o which is reachable from S_root through a path in the graph.
Since the reachability graph enumerates state classes rather than states, any trace corresponding to a path in the graph can be executed with several different timings. By exploiting the timing information embedded in the firing domains of the classes of the graph, a timing profile can be evaluated for each run so as to make explicit the minimum and maximum time elapsing between any two steps of the trace. This kind of evaluation, that we call timeliness analysis of traces, can be separately carried out for each CmTPN module (either simple or composed).
For each trace, the execution times of all the fired transitions are derived as the unknown values of a system of inequalities which encompasses all the constraints encountered during the execution of the overall trace. A thorough description of the algorithm which builds up this system can be found in [36]. Here, we will limit our discussion to the description of a specific example which addresses all the relevant aspects of the algorithm, but avoids the notational complexities that are needed for a general treatment. The example refers again to the net N_1 in Fig.4 and, specifically, to trace r = t_left → t_1 → t_3 → t_2 leading from class S_0 to class S_4 in the reachability graph of Fig.6.
In the initial state class S_0, the firing domain is:
where the firing-time symbol has been given the subscript 0 to denote the time to the firing of transition t as measured since entering state class S_0. Since t_left precedes t_3 in the execution of trace r, an additional inequality imposing that t_left fires before t_3 must be added to the set of constraints limiting the timing of trace r:
The firing of transition t_left leads into a state class S_5 which is a subset of class S_5 appearing in the reachability graph: while S_5 collects all those states that are reached from any state in S_0 through the firing of t_left with any possible firing time, S_5 collects the states that are reached from any state in S_0 through the firing of t_left with a firing time equal to ₀(t_left). According to this, in S_5, the limits for the firing time of any persistent transition (t_3 in our example) are derived by shifting left the constraints of the previous state class (i.e. S_0) by the value of ₀(t_left). On the other hand, for the newly enabled transitions, the firing time is subject to the same limits appearing in the firing domain of the state class S_5.
As in the previous step, an additional constraint is added to impose that the next transition in the trace is fired before any other enabled transition (in our example, t_1 before t_3). As a result, the set of constraints associated with the class S_5 is expressed as:
The system of inequalities constraining the execution of trace r can now be constructed by collecting the inequalities of Eqs. (15), (16), (17), (18) and (19) and then simplified by eliminating dependent inequalities. To this end, for any transition t, the firing time measured since the entering of class S_n can be expressed as the difference between the absolute firing time of t and the absolute firing time of the transition t_n which enters class S_n:
The repeated exploitation of Eq.(20) permits the elimination of all the inequalities constraining the firing time of persistent transitions, and reduces the resulting system to the form of Eq.(13) [36]. Using the algorithm mentioned in Sect.3.2.1, the resulting system can thus be reduced to its canonical form. For our example, this is expressed as: (21) This system makes explicit the timing profile of the possible executions for trace r:
The earliest and latest possible execution times for any transition in the sequence are equal to the extreme values constraining the transition's absolute firing time. For instance, the inequality 0 ≤ ₀(t_left) ≤ 8 shows that the execution of t_left occurs within 8 time units since the beginning of the execution of the trace. Note that this is a non-trivial result: while the constraints of the firing domain of class S_0 permit the firing of t_left with any firing time in the interval [5, 12], only a firing time in the interval [0, 8] is compatible with the execution of trace r; in other words, a firing time in the interval (8, 12] is possible for transition t_left, but it prevents the system from executing trace r. As a particular case, the extreme values constraining the firing time of the last transition of the trace represent the minimum and maximum possible durations for the execution of the trace; in our example, the last transition is t_2 and thus the inequality 10 ≤ ₀(t_2) ≤ 21 shows that trace r has minimum and maximum durations equal to 10 and 21, respectively. The minimum and maximum delays between the execution of any two (not necessarily subsequent) transitions in the trace can be determined by inspecting the extreme values of the difference between their corresponding firing times. For instance, the inequality 7 ≤ ₀(t_2) − ₀(t_left) ≤ 21 implies that, in every execution of trace r, transition t_2 is fired within 21 and after 7 time units since the firing of t_left.
It is worth remarking again that all these estimates are optimal in that: i) all the feasible runs of the model are bounded by them; and ii) any stronger estimate is exceeded by some feasible run of the trace [36].
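Timeliness analysis of a trace, as an added Python example that is not the paper's algorithm from [36]: it carries the procedure of this section through in general form for a constructed run a → b → c (not the N_1 trace of Fig.6, whose firing domains are not reproduced here), replacing relative firing times by differences of absolute ones as in Eq.(20) and computing the canonical form by Floyd-Warshall on the resulting difference constraints. The class domains, the transition names and the step at which each transition was newly enabled are constructed inputs.

```python
"""Timeliness analysis of a trace (Sect. 3.3) in general form: from the firing
domains met along a run, build the inequality system in absolute firing times
(Eq. 20 substitution) and reduce it to canonical form by Floyd-Warshall on the
difference-bound matrix.  Added example, not the paper's code; the run below is
constructed and is not the N1 example of Fig. 4."""
from fractions import Fraction
from typing import Dict, List, Optional, Tuple

INF = Fraction(10**9)   # stands for an unbounded difference
# A class along the trace: name -> (static EFT, static LFT, step at which the
# transition was newly enabled; 0 = enabled in the initial class).
ClassDomain = Dict[str, Tuple[int, int, int]]

def trace_profile(classes: List[ClassDomain], trace: List[str]) -> Optional[List[List[Fraction]]]:
    """Return a matrix d with d[i][j] = max(x_i - x_j) over all feasible timings
    of the trace (x_k = absolute firing time of the k-th fired transition,
    x_0 = 0 = start), or None if the trace admits no timing at all."""
    n = len(trace)
    assert len(classes) == n, "one class domain per step of the trace"
    d = [[INF] * (n + 1) for _ in range(n + 1)]
    for i in range(n + 1):
        d[i][i] = Fraction(0)

    def upper(i: int, j: int, c) -> None:   # record x_i - x_j <= c
        d[i][j] = min(d[i][j], Fraction(c))

    for k, t_o in enumerate(trace, start=1):
        dom = classes[k - 1]
        assert t_o in dom, f"{t_o} not enabled in class S{k-1}"
        eft, lft, e = dom[t_o]
        upper(k, e, lft)          # x_k - x_e <= LFT^s(t_o)   (Eq. 20 form)
        upper(e, k, -eft)         # x_k - x_e >= EFT^s(t_o)
        upper(k - 1, k, 0)        # transitions fire in trace order
        # the next transition in the trace fires no later than the latest
        # firing time of every other transition enabled in that class
        for t, (_, lft_t, e_t) in dom.items():
            if t != t_o:
                upper(k, e_t, lft_t)
    # canonical form: tightest bound on every difference x_i - x_j
    for m in range(n + 1):
        for i in range(n + 1):
            for j in range(n + 1):
                if d[i][m] >= INF or d[m][j] >= INF:
                    continue
                if d[i][m] + d[m][j] < d[i][j]:
                    d[i][j] = d[i][m] + d[m][j]
    if any(d[i][i] < 0 for i in range(n + 1)):
        return None               # contradictory constraints: trace not executable
    return d

def delay_bounds(d: List[List[Fraction]], i: int, j: int = 0) -> Tuple[Fraction, Fraction]:
    """(min, max) of x_i - x_j; with j = 0 this is the absolute firing time of
    the i-th transition, and for the last step the duration of the trace."""
    return (-d[j][i], d[i][j])

# Constructed run a -> b -> c: a and c enabled initially, b newly enabled by a.
CLASSES: List[ClassDomain] = [
    {"a": (0, 12, 0), "c": (5, 10, 0)},   # S0
    {"b": (2, 4, 1), "c": (5, 10, 0)},    # S1, entered by a (step 1)
    {"c": (5, 10, 0)},                    # S2, entered by b (step 2)
]
TRACE = ["a", "b", "c"]

if __name__ == "__main__":
    d = trace_profile(CLASSES, TRACE)
    for k, t in enumerate(TRACE, start=1):
        print(t, "fires within", delay_bounds(d, k))
    print("delay of c after a:", delay_bounds(d, 3, 1))
```

Here a fires within [0, 8] although its own interval allows 12: firing later would make c overdue before b can fire, exactly the kind of trace-induced tightening the text describes for t_left.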
Integration Analysis
The objective of the integration analysis is the validation of a composed CmTPN system through the integration of the results of the unit analysis of its component modules. To this end, an integration algorithm is introduced which merges the reachability graphs of component modules. The resulting integrated graph has the same form as that of the graphs of component modules. Thus, it can be investigated through the same algorithm of Sect.3.3 to assess timeliness properties of the composed system and, in particular, to check the satisfaction of the required interfaces of component modules.
The integration algorithm supports the decomposition of reachability analysis into separate steps of unit and integration analysis. This permits the intermediate simplification of the graphs of component modules in the step from the unit to the integration analysis. To this end, reachability graphs of component modules can be projected onto reduced representations concealing local events that are not essential to the purposes of the analysis. By permitting a systematic concealment of local events, this allows a flexible management of state explosion, and permits a scalable approach to the validation of complex systems.
Integration Algorithm
In this subsection, the integration algorithm which merges the reachability graphs of multiple CmTPN modules connected within a composed CmTPN system is presented and assessed. For the sake of simplicity, our treatment will be limited to the case of a composed system made up of the parallel composition of two single component modules. We will also assume that channels do not connect ports in the same module. While reducing the complexity of notation, these assumptions do not change the essence of the treatment with respect to the general case.
Enumerating Reachable State Classes
A state class for the composed system is a triple < S . Since a reading transition $t_{in}$ accounts for the firing of its connected writing transition $t_{out}$, when both $t_{in}$ and $t_{out}$ fall within the scope of the analysis (i.e. when the analysis comes to the integration of the modules including $t_{in}$ and $t_{out}$), the firing time of $t_{in}$ must be made equal to that of $t_{out}$. To this end, $t_{in}$ and $t_{out}$ are assumed to fire synchronously, and their common firing time is determined only by the inequalities on the firing time of $t_{out}$. The constraints limiting the firing time of $t_{in}$ are not used in the construction of the integrated graph of the composed system; they are only annotated as required conditions that are later used to check the satisfaction of the assumptions taken in the required interface of the module including transition $t_{in}$. Due to this special role, writing and reading transitions that are connected through channels internal to the composed system under integration are referred to as masters and slaves, respectively. Mirroring the algorithm of Sect.3.2.2, the rest of the graph is computed through the recursive application of two clauses which identify outgoing edges and compute successor nodes. In the latter of the two clauses, two different error conditions may be detected which prevent the correct computation of the integrated graph, and which require that the algorithm be terminated with a failure report. One such error condition may occur only if the system allows for an execution which does not comply with the required interface of a component module. In this case, the unit analysis of this module must be repeated with a different required interface reflecting in a more appropriate way the actual interaction between the components of the system under analysis.
S is the successor of S through $t_o$ in the reachability graph of . If S has no successors through $t_o$, then the algorithm is terminated with a failure. If $t_o$ is not a master transition, then S is equal to S .
If $t_o$ is the master of a transition, say $t_{in}$, then S is the successor of S through $t_{in}$ in the reachability graph of . If $t_o$ is the master of $t_{in}$, but S has no successors through $t_{in}$, then the algorithm is terminated with a failure. The firing domain D is expressed in the form of Eq. (13), except for the fact that the set T(M) is replaced by the union of all the non-slave transitions of the two modules that are enabled by S and S , respectively. Coefficients of the system are computed through the same five steps executed in the second clause of the algorithm of Sect.3.2.2, with three minor differences in step 5 which permit carrying out the integration without an explicit reference to the CmTPN origin of the graphs under integration:
- newly enabled transitions and persistent transitions are distinguished by the flag appearing in the inequalities of the firing domains of component modules;
- for any newly enabled non-slave transition $t_i$, the inequality constraining $\tau(t_i)$ within its static interval is taken in D as it appears in the firing domain of the module including $t_i$;
- for any newly enabled slave transition $t^{sl}_i$, the inequality constraining $\tau(t^{sl}_i)$ within its static interval is annotated in D as it appears in the firing domain of the module to which $t_i$ belongs. This annotation, which has no relevance to the purposes of the construction of the reachability graph, will be later used for the verification of the required interfaces of component modules.
Termination and Failures
The termination of the reachability analysis of an individual CmTPN module is not generally guaranteed. In fact, following the treatment of [9], the boundedness of the reachability graph of an individual CmTPN can be shown to be undecidable. This negative result is relieved by the following statement, which permits restricting the problem of termination undecidability from complex systems to low-level, simpler modules:
Theorem 4.1 If the graphs of the two component modules are finite, then the graph of the composed system is also finite, provided that no error conditions are encountered in the execution of the integration algorithm.
As a consequence of this result, if the two component modules have bounded graphs, then the integration algorithm for the composed system always terminates, either because it detects an error condition or because it successfully completes the enumeration.
In the light of this result, we now need some appropriate means to manage failure terminations. According to the integration algorithm, these occur when either of the two following conditions is detected: Following the steps of the proofs of Theorems 4.2 and 4.3 (see Appendix A), for any failing termination of the integration algorithm, it is possible to identify a run of the model which violates the assumptions taken in the required interface of either component module. In the light of this run, the analysis can be repeated with the assumption of a more appropriate required interface. This results in a counter-example mechanism supporting the stepwise refinement of required interfaces of component modules.
Soundness
The reachability graphs that are computed in the unit analysis provide a constrained representation of the behavior of the two component modules, in that they do not consider the possible executions which could occur when the interaction between the two modules violates the constraints of their required interfaces. This raises a soundness problem about the actual meaning of the integrated graph derived from the merging of the two graphs.
To solve this problem we demonstrate that, if no failure conditions are detected, then the integration of the constrained graphs of the two modules produces the same graph as that which would be computed by the integration of two unconstrained graphs representing the behavior of the modules in the absence of any constraint on the arrival times of tokens in their reading places.
To provide a precise formulation of the problem, let ?( ) and ?( ) denote the reachability graphs computed for the two modules under the assumption of the constraints in their required interfaces. Besides, let ?( ) and ?( ) denote the reachability graphs for the two modules without any limitation on the firing times of reading transitions, i.e. without the assumption of the constraints of required interfaces. Even if these unconstrained graphs cannot be explicitly enumerated through a finite computation, we can assume that their hypothetical integration provides a sound representation for the reachability graph
To ensure termination, which could be prevented by graph loops, traces that are equal up to intermediate loops can be collected within equivalence classes: the minimum trace duration for the members of the equivalence class is equal to the minimum duration of the trace which skips all the loops; besides, if the class includes any loop with a non-null duration, then the maximum possible duration for the members of the class is not finite; otherwise, it is equal to the maximum duration of the trace which skips all the loops.
Managing the Complexity through Concealment
The decomposition of the validation process into two separate stages of unit and integration analysis permits an incremental approach to the validation and facilitates the early detection of design errors within individual modules. However, when it comes to the validation of the interaction among distinct modules, this compositional approach does not necessarily reduce the computational effort of the analysis.
To attain an actual reduction of complexity, the results of the unit analysis can be simplified before tackling the integration stage. The straightforward approach to accomplish this simplification is the concealment of local transitions (occurring within individual modules) that are not essential for the analysis of the overall composed system. To this end, the reachability graph of any individual module can be replaced by a projection which hides a number of transitions and state classes, but which accepts any execution that is compatible with the original graph of the module.
In the rest of this section, a technique is presented which permits the automatic computation of a projection for the reachability graph of a module by neglecting the dependency on the marking and on the firing of any given set of concealed transitions. This is not the only possible type of projection that can be considered for reachability graphs of CmTPNs, but it has the characteristic of being semantically complementary to required interfaces: while a required interface specifies the expectation of the module about the timing of the next environment action, this type of projection describes the timing constraints on the next module action as enforced by the module itself. For this reason, this projection is referred to as a provided interface.
Static Model of Provided Interfaces
A provided interface is a couple:
$$\text{Provided Interface} = \langle T_{obs}, FI^s_{pi} \rangle \quad (23)$$
$T_{obs}$ is a set of observable transitions which is made up of any given subset of transitions (either regular or fictitious) of the module plus the fictitious event init corresponding to the beginning of the execution:
$$T_{obs} \subseteq T \cup T_{in} \cup \{init\} \quad (24)$$
Dynamic Model of Provided Interfaces
A provided interface is operated according to an execution rule associated with the transitions of $T_{obs}$, which basically corresponds to that of a transition without pre-conditions (and thus always enabled). The state of the interface is defined by a provided dynamic firing interval $FI_{pi}$ which associates each element of $T_{obs}$ with provided earliest and latest dynamic firing times ($EFT_{pi}$ and $LFT_{pi}$, respectively):
Computing a Provided Interface
According to its operational semantics, a provided interface can be regarded as a transition system in which the current state depends only on the last firing of an observable transition and on the time elapsed since then. This transition system is completely defined by the set $T_{obs}$ and by the values assigned to the provided static firing interval $FI^s_{pi}$. The selection of the observable transitions that are included in $T_{obs}$ is guided by methodological considerations about the specific objectives of validation: the number and the type of transitions that are made observable determine the number and the type of behavior patterns that are captured by the provided interface. Different selections can be made for the same module so as to obtain different external descriptions of its behavior, each tailored to a specific objective of validation.
The values of $FI^s_{pi}$ are derived from the reachability graph of the module so as to ensure that any execution which is possible for the module is also possible for the provided interface. To this end, for any given couple $\langle t_o, t_f \rangle$, the provided static interval $FI^s_{pi}($
It is worth noting that, once the set of observable transitions $T_{obs}$ has been defined, the provided interface of the module can be generated automatically using the algorithm of Sect.3.3.
A Simple Example
As an example, referring again to module $N_1$ in Fig.4, let us consider some steps in the construction of a provided interface for the reachability graph of Fig.6.
Since the objective of a provided interface is to offer an external representation of the behavior of a module, the set of observable events is limited to the init event and to the transitions $t_{left}$ and $t_2$ which are directly involved in the interaction of the module with its environment ($t_{left}$ stands for the reception and $t_2$ for the transmission of a token). The interface computed for this set of observable events is reported in Tab.7, where the couple in row $t_o$ and column $t_f$ stands for the static firing interval $(EFT^s_{pi}(t_o, t_f), LFT^s_{pi}(t_o, t_f))$, i.e. the expectation about the next firing time of $t_o$ after the firing of $t_f$. Fig.8 reports the graph of reachable state classes which represents this provided interface.
Using Provided Interfaces
To reduce the computational complexity of the integration analysis of a composed system, the reachability graphs of component modules can be replaced by the graphs which represent their provided interfaces. In this case, the integration algorithm produces a projection of the graph that would be obtained from the integration of the complete graphs of component modules. Note that this permits the derivation of a projection of the integrated graph from the provided interfaces of its components without the prior computation of the complete representation of the integrated graph itself. This provides the means for the construction of a layered representation of reachability which conceals the firing of local transitions that are not relevant to the purposes of the integration analysis.
Since a projection is a weaker representation of the timing constraints enforced by a module, the projection of the composed system can be exploited to provide sufficient conditions about the behavior of the composed system and, in particular, it can be used to prove the satisfaction of the required interfaces of component modules. To this end, for each module, the set of observable transitions must be selected so as to include all the transitions that are directly referenced within the required interface. In this case, if the checking algorithm of Sect.4.1.4 does not detect any violation, the correctness of required interfaces is proven.
After their required interfaces have been verified on the projection of the integrated graph, individual component modules can be analyzed in isolation by investigating the properties of their individual (either complete or projected) reachability graphs. This largely facilitates the maintenance of complex systems and the reuse of components within different compositions.
In general, the reachability graph of an individual CmTPN module captures the reachability relation of the module itself under the assumption that the embedding environment does not violate its required interface. Both safeness and liveness properties that are derived from the analysis of the graph of the individual module will be preserved in the several possible environments which satisfy the required interface of the module itself. However, it must be remarked that, in the derivation of liveness properties, no assumptions of fairness can be made about the choices appearing in the graph that are taken by the environment. In particular, it may be the case that, within certain composition environments, regions of the graph are never reached by the module.
Validation of Time Critical Systems Using CmTPNs
In this Section, a case example is discussed, which reports some experience in the use of a software tool implementing the analysis technique of the previous sections, and which highlights how the validation of CmTPN models circumvents the state explosion problem by the joint use of incremental enumeration and intermediate projections. The example addresses the case of two independent producer-consumer pairs which exchange data through a common bidirectional transport connection implemented on top of an unreliable network layer [34]. In both $Source_1$ and $Source_2$, data production is constrained within a periodic slot of time, and it is limited by an explicit stop-and-wait handshaking with the underlying transport nodes (messages data and ready). On the other hand, $Sink_1$ and $Sink_2$ accept messages from the transport layer with no explicit handshaking (messages data), and consume them within a periodic slot of time. The reliable transfer is implemented by the transport nodes $AB_l$ and $AB_r$ through an alternate acknowledged exchange of datagrams through channels $Ch_1$ and $Ch_2$. In this alternate exchange, blocking due to channel losses is prevented by a timeout recovery in $AB_l$, and transmission continuity is ensured by transmitting stuffing datagrams when no data messages are produced by either of the two source modules; stuffing datagrams are marked with a bit in their header and filtered out at the receiving node. Data sequencing is ensured by an alternating bit retransmission procedure [6]: each of the two nodes maintains a local status bit and transmits a header bit in the control head of each datagram; $AB_l$ always sets the header bit equal to the local bit, whereas $AB_r$ always sets the header bit opposite to the local bit; the local bits of the two nodes are initially equal and they are independently toggled by each of the two nodes on reception of each datagram with the header bit equal to the local bit.
According to this procedure, each node recognizes each received datagram as new or as retransmitted according to whether the header bit is equal or opposite to the local bit of the receiving node itself.
The internal CmTPN representations of the five modules $Source_1$, $Sink_1$, $Ch_1$, $AB_l$, and $AB_r$ are separately reported in Figs.10 through 14. $Source_2$, $Sink_2$, and $Ch_2$ are omitted as they can be derived from the models of $Source_1$, $Sink_1$ and $Ch_1$, respectively, by adding a constant offset to place and transition subscript indexes. Note that the internal representations are augmented with fictitious transitions associated with reading ports (drawn as double bars).
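The alternating bit rules just described, as an added example that is not part of the paper or of its tool: a small Python simulation of $AB_l$ and $AB_r$ exchanging datagrams over $Ch_1$ and $Ch_2$, showing how each node classifies a datagram as new or retransmitted and why losses on either channel cause neither loss nor duplication of data. The round-based timeout, the loss schedule, and the routing of delivered data ($AB_r$ to $Sink_1$, $AB_l$ to $Sink_2$) are constructed assumptions.

```python
# Added example (not the paper's code or tool): a discrete simulation of the
# alternating bit exchange between transport nodes AB_l and AB_r described above.
# Constructed assumptions: one datagram per "round" in each direction, a lost
# datagram is detected by AB_l's timeout and retransmitted in the next round,
# data delivered at AB_r goes to Sink_1 and data delivered at AB_l goes to Sink_2.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Datagram:
    header_bit: int         # alternating bit carried in the control head
    stuffing: bool          # stuffing datagram, filtered out at the receiving node
    payload: Optional[str]  # data message, None for stuffing datagrams


class Node:
    """A transport node: local status bit, outstanding datagram, reception rule."""

    def __init__(self, name: str, header_equals_local: bool, messages: List[str]):
        self.name = name
        self.header_equals_local = header_equals_local  # True for AB_l, False for AB_r
        self.local_bit = 0                  # both local bits start equal (0 here)
        self.pending = list(messages)       # data messages from the attached source
        self.current: Optional[str] = None  # payload of the unacknowledged datagram
        self.delivered: List[str] = []      # data handed to the attached sink
        self.log: List[str] = []

    def header_bit(self) -> int:
        # AB_l sets the header bit equal to its local bit, AB_r opposite to it
        return self.local_bit if self.header_equals_local else 1 - self.local_bit

    def send(self) -> Datagram:
        """Next datagram: the outstanding one, a new data message, or stuffing."""
        if self.current is None and self.pending:
            self.current = self.pending.pop(0)
        return Datagram(self.header_bit(), self.current is None, self.current)

    def receive(self, d: Datagram) -> bool:
        """Classify d as new or retransmitted; return True when it is new."""
        is_new = d.header_bit == self.local_bit
        self.log.append(f"{self.name}: header={d.header_bit} local={self.local_bit} "
                        f"-> {'new' if is_new else 'retransmitted'}")
        if is_new:
            self.local_bit ^= 1   # toggle on a datagram whose header equals the local bit
            # The peer only toggles (and so produces a header we see as new) after
            # receiving our outstanding datagram as new, so it is acknowledged.
            self.current = None
            if not d.stuffing:    # stuffing datagrams are filtered out here
                self.delivered.append(d.payload)
        return is_new


def run_exchange(left_msgs: List[str], right_msgs: List[str],
                 losses: Set[Tuple[int, int]], rounds: int):
    """Simulate `rounds` alternate exchanges; losses holds (round, channel) pairs,
    channel 1 being Ch_1 (AB_l -> AB_r) and channel 2 being Ch_2 (AB_r -> AB_l).
    Returns (Sink_1 data, Sink_2 data, AB_l log, AB_r log)."""
    ab_l = Node("AB_l", True, left_msgs)
    ab_r = Node("AB_r", False, right_msgs)
    for r in range(rounds):
        d = ab_l.send()
        if (r, 1) in losses:
            ab_l.log.append("AB_l: datagram lost on Ch_1, timeout -> retransmit")
            continue
        ab_r.receive(d)
        reply = ab_r.send()
        if (r, 2) in losses:
            ab_l.log.append("AB_l: reply lost on Ch_2, timeout -> retransmit")
            continue
        ab_l.receive(reply)
    return ab_r.delivered, ab_l.delivered, ab_l.log, ab_r.log


if __name__ == "__main__":
    # Constructed scenario: "b" is lost on Ch_1, then AB_r's reply to "c" is lost on Ch_2.
    sink1, sink2, log_l, log_r = run_exchange(["a", "b", "c"], ["x", "y"],
                                              {(1, 1), (3, 2)}, rounds=6)
    print("Sink_1 received:", sink1)   # ['a', 'b', 'c'], in order, no duplicates
    print("Sink_2 received:", sink2)   # ['x', 'y']
    for line in log_l + log_r:
        print(line)
```

In the constructed scenario the retransmission of "c" after the lost reply is the only datagram $AB_r$ classifies as retransmitted, and it is not delivered twice.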
Unit Analysis
The first step of the unit analysis consists in associating each component module with a required interface restricting the expected behavior of its embedding environment. The selection of this restriction is instrumental to the specific objectives of validation and basically depends on the actual knowledge about the module's embedding environment. In a top-down approach, the prior knowledge of the modular decomposition of the overall system permits the required interfaces of individual modules to be selected so as to reflect the behavior of their connected cooperating modules. In a bottom-up approach, instead, the composition environment is not known, and the required interface of each individual module has to express intrinsic requirements that are sufficient to ensure a correct and bounded behavior. In general, a loose interface makes the results of validation robust to changes occurring in the composition environment, thus helping reuse and maintenance. Conversely, precise assumptions reduce the analysis complexity and may help in the attainment of specific validation goals.
For the sake of presentation, we pursue an intermediate approach. For $Sink_1$ and $Sink_2$, $Ch_1$ and $Ch_2$, required interfaces are taken with no reference to their actual environment, with the sole purpose of imposing that inter-arrival rates are lower than the processing rates. The interfaces of $Source_1$, $Source_2$, $AB_l$ and $AB_r$, instead, are taken so as to reflect some knowledge about the logical sequencing in the exchange of messages among the modules. The interfaces are reported in Figs.15 through 19. Again, the interfaces of $Source_2$, $Sink_2$, and $Ch_2$ are omitted as they are equivalent to those of $Source_1$, $Sink_1$, and $Ch_1$, respectively. With the assumption of these required interfaces, the state spaces of individual modules have been enumerated through the above mentioned tool. The resulting graphs are not reported here, but their complexity is described in Fig.20 in terms of depth and number of nodes.
Integration Analysis
Integration analysis starts with the verification of the interfaces that have been assumed for the separate analysis of individual modules. In the most straightforward approach, this can be done by integrating in a single step the reachability graphs of all the component modules. But, while still permitting the early detection of design faults within individual modules, this approach does not profit from the potential computational advantages of incremental enumeration, as it produces the same graph as that obtained in a conventional, flat analysis. In the case of our example, this flat graph has huge dimensions, which basically prevent any validation: using the above mentioned tool, we obtained a lower estimate of the complexity of the flat graph, whose enumeration was stopped in the construction of the 16th level when it included more than 16000 state classes and was still growing exponentially with a doubling factor per level.
The use of projections supporting the concealment of local events permits circumventing this complexity by exploiting the potential modularity involved in the incremental enumeration of CmTPN state spaces. In our case, the satisfaction of required interfaces is verified through the following sequence of projection and integration steps:
1. replace modules $Source_1$ and $Source_2$ with their provided interfaces, which make observable the transitions associated with the transmission of a data message and with the reception of a ready message (i.e. transitions $t_6$, $i_0$ and $t_{806}$, $i_{800}$, respectively); replace modules $Sink_1$ and $Sink_2$ with their provided interfaces, which make observable the transitions associated with the reception of a data message (i.e. transitions $i_{100}$ and $i_{900}$, respectively);
2. compute the graphs integrating the provided interface of $Source_1$ with the graph of $AB_l$, and the provided interface of $Source_2$ with the graph of $AB_r$.
In summary, the overall integration is computed by evaluating the following expression:
Fig.21 reports the complexity of the final integrated graph (last row) and of all the graphs computed in the intermediate integrations. Note that these numbers are far smaller than those involved in the flat graph enumeration; in particular, compare 140 in the modular approach against 16000 in the flat one, and consider that 16000 is only a lower estimate (and supposedly a much lower one) of the final number of state classes in the flat graph.
The verification of required interfaces validates the graphs computed in the unit analysis and in the intermediate integration steps as correct representations of both the individual modules and their intermediate compositions. This permits separate reasoning about the properties of modules and module clusters by means of conventional graph inspection techniques, or by computing provided interfaces which make observable the events that are involved in execution sequences of specific interest. A pair of examples will highlight some reasoning mechanisms that are made possible by the compositional enumeration of CmTPN state spaces: composition of estimates deriving from the separate reasoning on multiple modules, use of ad-hoc projections in the derivation of timing estimates, refinement of required interfaces and recomputation of tighter representations for the state space of modules and module clusters.
In the first example, the objective of validation is the estimation of the roundtrip delay between a transmission and the subsequent reception of a datagram by either of the two transport nodes $AB_l$ and $AB_r$ in the absence of losses over channels $Ch_1$ and $Ch_2$. For the sake of presentation, we focus our attention on the roundtrip delay after the transmission by $AB_l$ of a datagram with the header bit set to 1 (i.e. on the delay between the firing of transition $t_{202}$ and that of $t_{710}$ or $t_{711}$), and we derive the estimate in two different ways.
i) The time delay between a transmission and the subsequent reception is the sum of the delays in the three modules $Ch_1$, $AB_r$, and $Ch_2$ that are traversed in the datagram roundtrip. The time delay in $Ch_1$ falls in the interval [6, 8], as emerges from the interface which makes observable transitions $i_{602}$, $t_{602}$, and $t_{610}$ (i.e. the arrival of a datagram with the header set to 1, its loss, and its correct delivery, respectively). The same estimate holds also for channel $Ch_2$. The reaction time between the reception of a datagram and the transmission of a datagram in $AB_r$ is made explicit by the provided interface which projects the individual graph of $AB_r$ so as to make observable the communication events involved in the interface between $AB_r$ and the two channels $Ch_1$ and $Ch_2$. This interface, reported in Fig.22, shows that the reaction time between an input transition ($i_{300}$, $i_{301}$, $i_{302}$, or $i_{303}$) and the subsequent writing towards a channel ($t_{300}$, $t_{302}$, $t_{307}$, or $t_{309}$) is constrained within the interval [1, 9]. By composition of the three estimates, the overall roundtrip delay can be estimated to fall in the interval $[6, 8] + [1, 9] + [6, 8] = [13, 25]$.
ii) In a more direct approach, the same estimate can be derived from the analysis of any graph integrating the state spaces of all the modules traversed in the datagram roundtrip. Fig.23 reports part of the graph corresponding to the provided interface which projects the graph integrating the provided interfaces of $Source_1$ and $Source_2$ with $AB_l$, $AB_r$, $Ch_1$ and $Ch_2$ (previously computed in the verification of required interfaces) so as to make observable the events involved in the datagram roundtrip, and the transitions corresponding to message losses over $Ch_1$ and $Ch_2$.
The inspection of this graph shows that, starting from the state class reached with the transmission by $AB_l$ of a datagram with the header set to 1 (i.e. state class $S_1$ reached with the firing of transition $t_{200}$), there are only two sequences of observable events which lead to a reception by $AB_l$ (transitions $t_{710}$ or $t_{711}$) without going through any intermediate datagram loss (transitions $t_{602}$, $t_{603}$, $t_{702}$, or $t_{703}$). These sequences are $t_{307} \to t_{710}$ and $t_{309} \to t_{711}$, and for both of them the time duration can be estimated in the interval $[7, 17] + [6, 8] = [13, 25]$.
Note that this estimate of the roundtrip delay permits refining the timeout setting within $AB_l$ so as to reduce it from 36 to any value higher than 25.
In the second example, the objective of validation is the estimation of an upper bound for the number of messages enqueued to be consumed within module $Sink_2$. This bound can be estimated as the maximum reachable marking of place $p_{906}$, which can be derived from the inspection of any graph enumerating the state space of $Sink_2$.
The inspection of the individual graph of $Sink_2$ computed during the unit analysis shows that the maximum number of tokens in place $p_{906}$ is not higher than 5. This number is very probably a large over-estimate, as it derives from the separate analysis of $Sink_2$ under a very generic required interface, which does not reflect any knowledge about the actual module operation environment: while the minimum roundtrip delay in the exchange between $AB_l$ and $AB_r$ has been estimated to be equal to 13, the graph of $Sink_2$ has been enumerated under the assumption of a minimum inter-arrival time between two subsequent messages equal to 8.
To obtain a tighter estimate, the graph of $Sink_2$ is recomputed with a three-step refinement. First, the graph of $AB_l$ is recomputed under the required interface of Fig.24, which embodies the knowledge that the roundtrip delay between a transmission and the subsequent reception is not lower than 13 (compare 13 against 4 in the columns associated with writing transitions $t_{207}$, $t_{209}$, $t_{200}$, and $t_{202}$). Afterwards, the state space of $AB_l$ is recomputed under this required interface, and then projected on the events of its interfaces towards module $Sink_2$ and the channels $Ch_1$ and $Ch_2$. The inspection of the graph of this projection, which is partially reported in Fig.25, shows that the minimum time between two subsequent messages passed from $AB_l$ to $Sink_2$ is not lower than 15. Finally, using this estimate, the graph of $Sink_2$ is recomputed under the refined interface of Fig.26. The resulting graph (not reported here) is made up of 277 nodes on 60 levels, and its inspection shows that it is never the case that place $p_{906}$ contains more than 2 tokens.
Note that this estimate opens the way to the evaluation of the maximum latency of a message between its delivery to $Sink_2$ and its consumption by transition $t_{904}$.
Conclusions and Future Research
Reachability analysis provides a casting help in the validation of Time Petri Net models, but stateexplosion problems limit its usability 9]. Modularization, environment models, and concealment are the key elements by which CmTPNs attempt to overcome this limit. Using CmTPNs, a complex model is speci ed as a layered composition of message passing Time Petri Nets, and its validation is partitioned in two subsequent stages of unit and integration analysis.
In the rst stage, each elementary component module is separately assessed under the assumption of a set of stimulus/response constraints on the behavior of its intended environment. In the second stage, the overall model is validated through recursive composition of the results of the unit analysis, and the assumptions made for the assessment of elementary component modules are veri ed. The use of intermediate projections allows a systematic exploitation of concealment to limit integration complexity.
A number of works in the literature testify the search for modularity and concealment to manage the complexity of reachability analysis in Petri Nets and other related models. The use of projections is expounded in 25] for the separate representation of di erent services provided by a communication protocol which is represented through a nite state model. The perspective use of projections concealing local transitions is suggested in 24] for reachability analysis of an Adalike composition of communicating state machines. Environment models are also proposed to tailor the projection of a module state space to the characteristics of its intended environment. The most noticeable di erence with respect to our approach is that, in 24], time is not considered and the proposed projection techniques cannot be extended to the case of Time Petri Nets. A subtler (but perhaps more relevant) di erence is that, in 24] elementary component modules are supposed to have nite state spaces, independent of the behavior of their embedding environment. This excludes a large variety of models which exhibit bounded behavior only under adequate rating conditions in their interaction with the environment. Similarly to 24], in 31], a hierarchical organization of the reachability graph of an ADA-like modularization of Petri Nets is proposed, which allows to manage state explosion by compression of intermediate graphs. As in 24], time is not considered and individual modules are supposed to be intrinsically bounded, with no reference to their environment. In 11], this limitation is circumvented by enumerating in a single step the state spaces of all the individual modules and of a synchronization graph which coordinates the interaction of the modules within a given composition topology. This limits the enumeration of state spaces of individual modules to the states that they can actually reach in the given composition, but it de nitely prevents incremental enumeration.
Though considering validation through assertion proving in the Hoare style rather than through reachability analysis, the rely and guarantee approach in 22] addresses the use of environment modeling for the validation of individual modules. The idea of environment modeling is somehow suggested also in 35] , where the behavior of a Petri Net model is constrained by Temporal Logic statements. However, these constraints are intended to embed liveness requirements in the safenessoriented expressivity of Petri Nets rather than to express environment restrictions, and reachability analysis is not considered at all.
In our opinion, the real essence of our validation method consists in the joint use of module constructs and timing expressivity to support environment modeling. While modularity permits the decomposition of a complex system, timing assumptions permit relating the processing time of a module to the rating conditions limiting the arrival of messages from the environment. This permits a finite enumeration of the state spaces of individual open modules even under an incomplete specification of their expected environment, and opens the way to the incremental enumeration of the state space of complex systems. This has a number of outstanding advantages.
Support for Concealment: The replacement of the reachability graphs of intermediate modules by projections permits the concealment of local transitions, so as to manage the computational and spatial complexity involved in the reachability analysis of complex models.
Inherent Properties Assessment: By replacing the dependency on the environment with required interfaces, individual modules can be assessed with respect to inherent properties that will be maintained in different embedding environments. This has a profitable effect on both maintenance and reuse, which become applicable not only in design and coding but also in the validation stage.
Support for Rely and Guarantee Reasoning: The joint use of provided and required interfaces permits each module to be regarded as a black box characterized by an input-output specification: if the timing of the messages sent from the environment to the module satisfies the required interface, then the messages sent back from the module will satisfy the provided interface. This information hiding mechanism provides a systematic basis for separate reasoning on the properties of each individual module, so as to derive properties of their possible compositions and to verify the satisfaction of their required interfaces.
Incremental Validation: The analysis of individual modules can be accomplished before the complete specification of their embedding environment; this allows an incremental approach to testing and validation and largely eases the early detection of design faults.
Boundedness Compositionality: The integration algorithm always terminates, either with the detection of a failure or with the successful completion of the enumeration (Sect. 4.1.2). This restricts the problem of termination decidability [9] to the analysis of low-level individual modules.
Integration with Heterogeneous Specification Models: Since the integration algorithm relies on the reachability graphs of component modules without an explicit reference to their CmTPN origin, reachability graphs of CmTPNs can be integrated with those of other timed transition systems [18], thus permitting the joint use of heterogeneous specification languages.
The joint use of module constructs and timing expressivity to support environment modeling appears to be portable from Time Petri Nets to a variety of specification models, such as Petri Nets with other timing semantics [10] or process algebras with timing restrictions in the form of minimum and maximum delays. In order to augment the impact on current software engineering practices, we are presently working towards the use of this analysis approach in the modular validation of software systems specified in the CCITT Specification and Description Language (SDL). Further work is also in progress aimed at refining the projection technique used to build provided interfaces, and at devising model checking algorithms allowing for the automatic verification of metric and ordering properties in the execution sequencing of CmTPN models.
Proof of Theorem 4.5:
1. It is immediately verified that any error condition detected by the algorithm is a violation of a required interface.
2. To prove that all possible violations are detected by the algorithm as error conditions, suppose there exists a violation of the required interface in a state s belonging to a class S. In particular, consider the case in which, in state s, an early arrival occurs for the pair of slave and master transitions t_in and t_out (the case of a late arrival can be treated with the same reasoning).
3. Let r be the trace executed by the system from the beginning of its operation up to the execution of t_out (t_out included) in state s. Scanning back along trace r, let s' be the latest state before s such that t_in is newly enabled in s' and in the class S' it belongs to, and let r_{s' s} be the tail of trace r including all the firings subsequent to s'.
Figure 10: The internal representation for module Source_1 (Source_2 has the same topology and firing times, but the indexes of places and transitions are augmented by an offset of 800, so that p_0 becomes p_800, t_3 becomes t_803, and so on). The production of a new data message and its transfer to the underlying transport node are modeled by transitions t_4 and t_3, respectively; data transfer is preconditioned by place p_5, which holds the ready signals received from the transport layer; data production is constrained to occur when p_3 is empty, which happens within a slot of four time units (see transition t_2) within every period of 16 units (t_0), with a jittering delay not longer than 8 time units (t_1).
Figure 19: Required interface of AB_r, given as a table of timing constraints over the input transitions i_0 (0s?), i_1 (0?), i_2 (1s?) and i_3 (1?).
After the reception of a message with the header bit set to 0 (input transitions i_300 or i_301), no messages with the header bit set to 1 are expected to ever arrive, and no messages with the header bit set to 0 are expected to arrive before 24 time units. After the next writing action, this expectation is relaxed so as to permit messages to arrive after a minimum delay of 4 time units. Dual assumptions are made for arrivals after the reception of a message with the header bit set to 1. In the interface towards the upper Source module, no two subsequent reading actions can occur on port data? (input transition i_304) without an intermediate writing on port ready! (writing transitions t_305 and t_311).
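To make the required-interface constraints just described concrete, here is an added example (not code from the paper or from the authors' CmTPN tool) that encodes them as a small table-driven checker and scans a trace of timed events for the first violation, stopping at the first failure detection as the integration algorithm does. The port names (recv0, recv1, write, data?, ready!), the control-state names, the choice to measure the 4-unit delay from the writing action, and the sample traces are assumptions constructed for this example; the 24 and 4 time-unit values and the read/ready alternation rule come from the text above.

```python
"""
Checking a timed message trace against a required interface (constructed example).

The lower-layer interface of AB_r is written as a table in the spirit of Figure 19:
for each control state, the minimum delay before a message on a given input port may
arrive, or None when no message on that port is expected in that state. A trace is
scanned event by event and the first violation is reported: an early arrival, an
unexpected message, or two reads on data? without an intermediate write on ready!.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    time: int   # absolute time, in the model's time units
    port: str   # "recv0"/"recv1": arrival of a message with header bit 0/1 (input transitions)
                # "write":  writing action towards the transport node (ack)
                # "data?":  reading action on port data?  (interface towards Source)
                # "ready!": writing action on port ready! (interface towards Source)


@dataclass(frozen=True)
class Violation:
    time: int
    port: str
    reason: str


# Control state -> {input port: minimum delay since the reference event, or None}.
# The 24/4 values follow the text; state names and reference events are assumptions.
LOWER_INTERFACE: Dict[str, Dict[str, Optional[int]]] = {
    "start":      {"recv0": 0,  "recv1": 0},
    "got0":       {"recv0": 24, "recv1": None},  # delay counted from the reception
    "got0_acked": {"recv0": 4,  "recv1": 4},     # delay counted from the writing action
    "got1":       {"recv1": 24, "recv0": None},  # dual assumptions for header bit 1
    "got1_acked": {"recv1": 4,  "recv0": 4},
}


def _next_state(state: str, port: str) -> str:
    """Control-state change caused by an event on the lower interface."""
    if port == "recv0":
        return "got0"
    if port == "recv1":
        return "got1"
    if port == "write" and state in ("got0", "got1"):
        return state + "_acked"
    return state


def check_trace(events: List[Event]) -> Optional[Violation]:
    """Return the first required-interface violation found in `events`, or None."""
    state, ref_time = "start", 0   # ref_time: event from which delays are measured
    pending_reads = 0              # reads on data? since the last write on ready!
    for ev in sorted(events, key=lambda e: e.time):
        if ev.port in ("recv0", "recv1"):
            min_delay = LOWER_INTERFACE[state].get(ev.port)
            if min_delay is None:
                return Violation(ev.time, ev.port, f"unexpected message in state {state}")
            if ev.time - ref_time < min_delay:
                return Violation(ev.time, ev.port,
                                 f"early arrival: {ev.time - ref_time} < {min_delay} time units")
            ref_time = ev.time
        elif ev.port == "write":
            if state in ("got0", "got1"):
                ref_time = ev.time      # the relaxed 4-unit delay starts at the write
        elif ev.port == "data?":
            pending_reads += 1
            if pending_reads > 1:
                return Violation(ev.time, ev.port,
                                 "second read on data? without a write on ready!")
        elif ev.port == "ready!":
            pending_reads = 0
        else:
            raise ValueError(f"unknown port {ev.port!r}")
        state = _next_state(state, ev.port)
    return None


# Constructed traces: the first satisfies both interfaces, the second carries a
# header-bit-1 message while a bit-0 message is the last one received, the third
# retransmits the bit-0 message too soon after the acknowledging write.
OK_TRACE = [Event(0, "recv0"), Event(3, "write"), Event(10, "recv1"), Event(12, "write"),
            Event(20, "recv0"), Event(21, "data?"), Event(22, "ready!"), Event(25, "data?")]
UNEXPECTED_TRACE = [Event(0, "recv0"), Event(5, "recv1")]
EARLY_TRACE = [Event(0, "recv0"), Event(3, "write"), Event(5, "recv0")]

if __name__ == "__main__":
    for name, trace in [("ok", OK_TRACE), ("unexpected", UNEXPECTED_TRACE), ("early", EARLY_TRACE)]:
        print(name, check_trace(trace))
```

The checker mirrors the proof sketch of Theorem 4.5 in a degenerate form: an early arrival is detected exactly when a message on an input port fires before the minimum delay measured from the event that last enabled it.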
Figure 21: Complexity of the graphs enumerated in the integration analysis for the verification of the required interfaces (number of state classes against integration levels).
