In the development of real-time communicating hardware/embedded-software systems, we frequently want to refine or optimize a system's internal behavior while preserving its external timed I/O behavior. Such a design refinement may modify the system's internal branching structure and re-schedule internal actions. Our goal is to ensure that these modifications preserve the system's external timed behavior, which is typically formalized by (timed) failure equivalence because it is less sensitive to differences in internal branching structure than (timed) weak bisimulation. To know the degree of freedom available for such re-scheduling, parametric analysis is useful. One model suitable for such an analysis is the parametric time-interval automaton (PTIA), a subclass of the existing parametric timed automaton model in which the only timing constraint is a time interval, with upper- and lower-bound parameters, on the relative timing between consecutive actions. In this paper we first propose an abstraction algorithm for PTIAs that preserves timed failure equivalence. Timed failure equivalence is strictly weaker than timed weak bisimulation in that it does not distinguish the time at which internal nondeterminism is resolved, but it does distinguish the refusals of communicating actions observed by the external environment. We then show that the PTIA produced by our algorithm has no internal actions, so the problem of deriving the parameter condition under which two given models are timed failure equivalent reduces to the existing parametric strong bisimulation equivalence checking.
Introduction
In recent years, an effective development methodology for embedded hardware/software with real-time constraints has become necessary. Precise implementation of timing constraints on I/O behavior is becoming important not only in embedded systems such as mobile phones but also in infrastructure systems for transportation, medicine, finance and defense. For such real-time systems, it is important to verify the equivalence of I/O timing behavior between the initial specification and its refined implementation.
In such a refinement process, it frequently happens that the nondeterministic branches of the formal specification are refined into deterministic ones. Such an implementation may use if-then-else and/or switch-case statements of an imperative programming language such as C or Java (for software), or of a hardware description language such as VHDL or Verilog (for hardware). However, the initially specified branching structure may then be modified when viewed as a real-time communicating behavior, which is generally important for embedded systems containing I/O actions. For example, a nondeterministic branch between I/O actions a, b and c (these actions may be any I/O actions, such as reads or writes to the I/O ports of some device) in the initial specification may be implemented by the if-then-else statement "if (condition1) then a else if (condition2) then b else c". In this case, viewed as a real-time communicating behavior, the decision whether the action a is executed or not is already made at the time condition1 is evaluated. When verifying the equivalence between the specification and the refined implementation, we want to consider these behaviors as equivalent.
Several theoretical works on equivalences for real-time communicating systems with unobservable internal actions have been proposed. Timed weak bisimulation equivalence was proposed to determine the equivalence of processes considering both time and observability [9], but, as pointed out in [4], timed weak bisimulation may not be suitable for equivalence checking of real-time systems when the branching structure of a specification is modified in the implementation. Global timed bisimulation equivalence [4] is weaker than timed weak bisimulation equivalence and is less sensitive to modifications of branching structure. Unfortunately, global timed bisimulation equivalence is still too strong compared with timed failure equivalence [16, 3, 15]. Timed failure equivalence is considered to be a sufficient criterion for correct refinement of practical communicating systems in the sense that if two (finite-state) systems P and Q are timed failure equivalent, then for any (finite-state) external environment R, the composed communicating system of P and R behaves equivalently to that of Q and R. Therefore, we adopt timed failure equivalence as the refinement relation between a specification and its refined implementation.
Moreover, it would be useful to state real-time constraints with parameters (e.g. upper/lower bounds) and to derive automatically the constraint on the parameters (e.g. the minimum or maximum value allowed) under which the equivalence is preserved. Such an analysis is called a parametric analysis [2, 17]. Parametric analysis is especially useful when the equivalence of the systems strongly depends on the timing of their actions and the timings must be tuned to preserve the equivalence. Otherwise the tuning has to be done by trial and error: fix all the timing parameters to some set of values, check the equivalence, and if it fails, try another set of values, and so on. This is generally tedious.
To make such equivalence checking feasible, we abstract away the data-dependent part of the implementation and focus on the control part only. To capture the control flow of a system's specification and implementation with time constraints and perform a parametric analysis, we propose the parametric time-interval automaton (PTIA), a subclass of parametric timed automata [2] whose only timing constraint is a time interval, with upper- and lower-bound parameters, on the relative timing between consecutive actions. We show that timed failure equivalence checking for PTIAs can be reduced to existing parametric timed strong bisimulation equivalence checking.
Several parametric equivalence checking methods for communicating systems have been proposed. For bisimulation equivalence without time, parametric strong/weak bisimulation equivalence checking algorithms on STGs (Symbolic Transition Graphs) and STGAs (STGs with Assignment) have been proposed [6, 11, 10]. For timed strong bisimulation equivalence (bisimulation equivalence where both time and all actions are considered observable), parametric equivalence checking is proposed in [14]. However, as far as we know, no parametric equivalence checking algorithm has been proposed for any other time-related equivalence, not even for timed weak bisimulation equivalence (bisimulation equivalence where time is observable and internal actions are not).
In this paper, we propose a method to abstract away differences in the branching structure of internal actions from a real-time communicating system model written as a PTIA, while preserving timed failure equivalence. Specifically, the proposed method converts a given PTIA that may contain internal actions into a PTIA that contains no internal actions and is timed failure equivalent to the given one. We assume that the given PTIA contains no loops (i.e. its transition graph is a DAG, a directed acyclic graph), that its initial action is an observable action, and that every internal action is observably bounded, that is, it appears between observable actions in every action execution sequence. By combining the proposed abstraction method with the parametric timed strong bisimulation equivalence checking method of [14], we can perform parametric timed failure equivalence checking.
The rest of this paper is organized as follows. In Section 2, we define the PTIA model and its operational semantics by defining a mapping from the model to a timed extension of labelled transition system (timed LTS). Section 3 describes the definition of timed equivalences on the timed LTS, including timed failure equivalence. We propose a transformation algorithm on the PTIA and prove that the transformation preserves timed failure equivalence in Section 4. In Section 5, we propose a parametric timed failure equivalence checking algorithm. Conclusions and future directions are given in Section 6.
Parametric Time-Interval Automata
Let Act and Var denote a set of actions and a set of variables, respectively. We denote the set of all real numbers by R and the set of all non-negative real numbers by R+. Let N0 [N] be the set of all natural numbers including 0 [excluding 0, respectively]. Let Intvl(Var) denote the set of formulas of the form e1 ≤ t, t ≤ e2, or e1 ≤ t ∧ t ≤ e2, where e1 and e2 are linear arithmetic expressions (that is, only addition and subtraction are allowed) over the parameter variables in Var \ {t} and constants in R, and t ∈ Var is the special clock variable representing the elapsed time since the latest visit to the current control state. A transition s_i −(a, P)→ s_j means that the action a can be executed from s_i when the values of both the clock variable t and the parameters satisfy the formula P ∈ Intvl(Var) (called a guard condition); after the execution, the control state moves to s_j and the clock variable t is reset to zero. In any control state s, the value of t increases continuously, representing the passage of time.
The formal semantics of parametric time-interval automata is similar to that of parametric timed automata and is defined as follows. The values of the clock and the parameters are given by a function σ : ({t} ∪ PVar) → R, where PVar denotes the set of parameter variables (the variables of Var other than t). We refer to such a function as a value-assignment and write Val for the set of all value-assignments. We write σ ⊨ P if a formula P ∈ Intvl(Var) is true under a value-assignment σ ∈ Val. The semantic behavior of a parametric time-interval automaton is given as a semantic transition system on concrete states. A concrete state is a pair (s, σ), where s is a control state and σ is a value-assignment; let CS =def {(s, σ) | s ∈ S, σ ∈ Val} be the set of concrete states, where S is the set of control states. The semantic model is a timed labelled transition system (timed LTS), defined as follows. A state of a timed LTS is a concrete state in CS. A transition of a timed LTS is either a delay transition or an action transition: a delay transition represents the passage of time within the same control state s ∈ S, whereas an action transition represents the execution of an action, which changes the control state to the next one, s'. Formally, a timed labelled transition system is defined as follows.
Definition 2 A timed labelled transition system (a timed LTS for short) for a parametric time-interval automaton is a labelled transition system (CS, →) whose states are the concrete states in CS and whose transitions are of the following two kinds:
(delay transition) (s, σ) −v→ (s, σ + v) for any v ∈ R+;
(action transition) (s, σ) −a→ (s', σ[t → 0]) if s −(a, P)→ s' and σ ⊨ P,
where σ + v and σ[t → 0] are the value-assignments derived from σ as follows: (σ + v)(t) = σ(t) + v and (σ[t → 0])(t) = 0, while both agree with σ on every parameter p ∈ PVar. □
Timed Equivalences
In this section, we briefly recall the definition of timed failure equivalence [16, 3, 15] , as well as the definition of the traditional timed weak bisimulation equivalence [1, 9] and its relation to timed failure equivalence.
Timed Weak Bisimulation Equivalence
In this section, we will briefly give the definition of timed weak bisimulation equivalence. 
Definition 3 For any
By using this transition relation, timed weak bisimulation is defined as follows:
Definition 4 A binary relation R on states of a timed LTS is a timed weak bisimulation if the following condition holds:
We say that states (s1, σ1) and (s2, σ2) are timed weak bisimulation equivalent, denoted by (s1, σ1) ≡twb (s2, σ2), if and only if there exists a timed weak bisimulation R such that (s1, σ1) R (s2, σ2). □
Timed Failure Equivalence
Timed failure equivalence is an equivalence between two (possibly nondeterministic) communicating processes that holds when their possibilities of communication failure are the same. As in many process algebras such as CCS [13] and CSP [8], we abstract every communication as the synchronization (rendezvous) of actions with the same label (name) performed by several concurrent processes. That is, a communication happens between two processes P and Q if they perform the same action simultaneously. We say that an action a is offered to a process P if some other process in the external environment of P is ready to perform a and expects P to perform a as well. An offered action a is refused by P if P cannot perform a when it is offered. A communication failure occurs if the external environment has observed some sequence of actions performed by P and then offers some expected action a, but P refuses it. Such a possibility of communication failure can be described formally by a pair (trace, refusal), where the trace is the sequence of actions performed by P so far and the refusal is a set of actions that P may refuse after the trace has been observed. Failure equivalence (or testing equivalence [5], an operational view of failure equivalence through the notion of a test) is an equivalence between (untimed) communicating processes whose possibilities of communication failure coincide. Since we consider nondeterminism, two processes may have the same traces but different refusals; hence failure equivalence is in general finer than trace equivalence, that is, language equivalence in classical automata theory where every state is considered accepting. For timed communicating processes, the notion of failure has to be extended to a timed one. Several such extensions have been proposed in [7, 16, 3, 15, 12].
In this paper, we adopt the definition that is slightly modified from that of [16] for simplicity. Intuitively, a timed failure is a pair (timed trace, timed refusal), where a timed trace is an observed sequence of tuples of a performed action and its observed absolute time (the elapsed time from when the system has started), and a timed refusal is a set of tuples of a set of refused actions and the absolute time it is refused. The formal definition is as follows. 
Definition 5 (Timed Failures)
Let TA =def {(t, a) | t ∈ R+, a ∈ Act} denote the set of all timed actions. Let TT =def {(t1, a1) ··· (tk, ak) | k ∈ N0, ∀i ∈ {1, ..., k}. (ti, ai) ∈ TA, ∀i, j ∈ {1, ..., k}. (i ≤ j) ⇒ (ti ≤ tj)} denote the set of all (finite) timed traces. Let TR =def {R | R ⊆ R+ × Act} denote the set of all timed refusals. Then the set of all timed failures is TF =def {(w, X) | w ∈ TT, X ∈ TR}. □
Definition 6 (Notations for Timed Traces and Timed Refusals) For w ∈ TT, we denote the length of w by |w|, that is, |w| =def k if w = (t1, a1) ··· (tk, ak). For X ∈ TR and t ∈ R+, X + t =def {(t' + t, a) | (t', a) ∈ X}. □
Definition 7 (Timed Failures of Concrete States of Timed LTSs) For any state (s, σ) ∈ CS of a Timed LTS CS
As for the relationship between timed weak bisimulation and timed failure equivalence, the following proposition holds.
Proposition 1 For any two states (s1, σ1) and (s2, σ2) of a timed LTS, if (s1, σ1) ≡twb (s2, σ2), then (s1, σ1) ≡tf (s2, σ2). □
Abstraction Algorithm
In this section, we propose abstraction rules that eliminate the internal actions of a PTIA, and show that these rules preserve timed failure equivalence.
In the following, first, we describe some restrictions on PTIAs which ensure the correctness of the proposed abstraction rules. Then, we describe the key idea and the details of the proposed abstraction rules. Finally, we show that the abstraction rules preserve timed failure equivalence.
Restrictions for Parametric Time-Interval Automata
In order to apply our abstraction rules, we impose the following restrictions on a PTIA M.
[RLoopFree] M contains no loops, that is, the transition graph of M is a DAG.
[RInitStability] The initial state s_init of M is either a stable state or reaches a stable state through deterministic internal transitions (i.e. there are no branches along the path from the initial state to a stable state). Here, a stable state is a state all of whose outgoing transitions are observable.
[RObsBounded] Every internal transition of M is observably bounded, that is, for any execution path π of M there exists an extension π' of π in which every internal transition appears between observable transitions.
Formally, an internal transition s −(τ, P)→ s' of M is observably bounded if (i) for any transition sequence s_init −(α1, P1)→ s1 −(α2, P2)→ ··· −(αk, Pk)→ sk = s there exists some i ∈ {1, ..., k} such that αi ∈ Act, and (ii) for any transition sequence s −(τ, P)→ s' −(β1, Q1)→ s1 −(β2, Q2)→ ··· −(βm, Qm)→ sm there exists an extension sm −(β_{m+1}, Q_{m+1})→ ··· −(β_{m+l}, Q_{m+l})→ s_{m+l} (l ∈ N0, β_{m+1}, ..., β_{m+l} ∈ Act ∪ {τ}, Q_{m+1}, ..., Q_{m+l} ∈ Intvl(Var)) and some j ∈ {1, ..., m + l} such that βj ∈ Act.
Abstraction Rules for Parametric Time-Interval Automata
For any internal transition that directly follows some observable transition, we can eliminate the internal transition based on the following principles:
1. The internal nondeterminism caused by the internal transition can be converted into a corresponding nondeterministic choice of the directly preceding observable transition, just as in the classical equational theory of testing equivalence [5].
2. Conversely, the time passage caused by the internal transition can be moved into the directly succeeding transitions, whether internal or observable.
This is the key idea for preserving timed failure equivalence. Since every internal action is observably bounded by restriction [RObsBounded], a sequence of internal actions can be eliminated completely, from the first internal action (which directly follows some observable action) to the last one (which is directly followed by some observable action). However, if we want to transform some subgraph of the entire transition graph of M, we must ensure that the subgraph transformation preserves equivalence of the entire transition graph. To keep the discussion simple, we impose the restriction [RLoopFree], so that we only consider transition graphs that are DAGs. Furthermore, we prove that if the context of the subgraph under transformation is of a certain form, the subgraph transformation preserves equivalence of the entire transition system M. To ensure that all internal transitions can be eliminated by such a context-sensitive transformation, we need the restriction [RInitStability].
The proposed abstraction rules are the followings:
1. abstraction for sequential structures
2. abstraction for branching structures
The details are described in the following sections.
Context Sensitivity of Abstraction Rules
Consider that some subgraph M_sub of the entire transition graph of a PTIA M is replaced by some equivalent subgraph M'_sub. Such a transformation does not always preserve equivalence of the entire transition graph. We will show that if M_sub appears in the context shown in Fig 1,
Proof. We prove only TF((ŝ1, σ)) ⊆ TF((ŝ2, σ)); the converse follows by symmetry, and hence the theorem. Choose an arbitrary timed failure (w, X) ∈ TF((ŝ1, σ)). Since w ∈ TT((ŝ1, σ)), it can be written as w = (t1, a1) ··· (tk, ak) for some k ∈ N0, t1, ..., tk ∈ R+ and a1, ..., ak ∈ Act, and by Definition 7 there is a run (ŝ1, σ) ⇒ (s1^(1), σ1^(1)) ⇒ ··· ⇒ (s1^(k+1), σ1^(k+1)) through states s1^(1), ..., s1^(k+1) ∈ S with X = TR((s1^(k+1), σ1^(k+1))) + t_{k+1} for some t_{k+1} ∈ R+. Two cases arise.
(1) The run enters M_sub, that is, some (s1^(i), σ1^(i)) is reachable from (s1, σ). Then w ∈ TT((s1, σ)) and X = TR((s1^(k+1), σ1^(k+1))) + t_{k+1} hold for the part of the run inside M_sub, so (w, X) ∈ TF((s1, σ)). From the assumption (s1, σ) ≡tf (s2, σ) and Definition 8, (w, X) ∈ TF((s2, σ)); hence by Definition 7 there is a run of (s2, σ) on w ending in some (s2^(k+1), σ2^(k+1)) with TR((s2^(k+1), σ2^(k+1))) = TR((s1^(k+1), σ1^(k+1))). By the definition of ŝ2, the part of the run outside M_sub is also available from ŝ2, so (ŝ2, σ) ⇒ (s2^(1), σ2^(1)) ⇒ ··· ⇒ (s2^(k+1), σ2^(k+1)) and therefore (w, X) ∈ TF((ŝ2, σ)).
(2) The run does not enter M_sub. Then it lies entirely in the context shared by ŝ1 and ŝ2, so the same run exists from (ŝ2, σ) and (w, X) ∈ TF((ŝ2, σ)).
Hence TF((ŝ1, σ)) ⊆ TF((ŝ2, σ)). By symmetry, TF((ŝ2, σ)) ⊆ TF((ŝ1, σ)) also holds. Therefore (ŝ1, σ) ≡tf (ŝ2, σ). □

Abstraction for Sequential Structures
The abstraction for sequential structures is illustrated in Fig. 2, which shows the transition sets of the original subgraph (states s1, ..., s5) and of the transformed subgraph (states s1', ...). Then, for any assignment σ ∈ Val, (s1, σ) ≡tf (s1', σ).
Proof. Choose an arbitrary timed failure (w, X) ∈ TF((s1, σ)). We show that (w, X) ∈ TF((s1', σ)). As in the proof of Theorem 1, w = (t1, a1) ··· (tk, ak) and X = TR((s1^(k+1), σ1^(k+1))) + t_{k+1} for some t_{k+1} ∈ R+, states s1^(1), ..., s1^(k+1) ∈ S and value-assignments σ1^(1), ..., σ1^(k+1) ∈ Val along a run of (s1, σ) on w. After the first observable action a1, the state s1^(1) is either s2 or s3. In both cases the transformed subgraph offers from s1' a transition with the same action and timing whose successors carry the time of the eliminated internal transition in their guards, so the run can be reproduced from (s1', σ) and reaches a state with the same timed refusals; hence (w, X) ∈ TF((s1', σ)). The remaining branches are handled in the same way.
Conversely, choose an arbitrary timed failure (w, X) ∈ TF((s1', σ)). We show that (w, X) ∈ TF((s1, σ)). Similar to the proof of TF((s1, σ)) ⊆ TF((s1', σ)), w = (t1, a1) ··· (tk, ak) and X = TR((s1'^(k+1), σ1'^(k+1))) + t_{k+1} for some t_{k+1} ∈ R+, states s1'^(1), ..., s1'^(k+1) ∈ S and value-assignments along a run of (s1', σ) on w, where s1'^(1) is one of the states introduced by the transformation in place of s2 or s3. This run is mapped back to a run of (s1, σ) that performs the eliminated internal transition at a time compatible with its original guard and reaches a state with the same timed refusals; hence (w, X) ∈ TF((s1, σ)). The remaining branches are handled in the same way. Therefore (s1, σ) ≡tf (s1', σ). □
A more general case is that there are some outgoing/incoming transitions on s1, s2 and s3, as shown in Fig 3. In this case, all the source states of the incoming transitions of s2 must be stable in order to satisfy the congruence property of Theorem 1. In Fig 3, the outgoing and incoming transitions are written with a stable source state, α_i ∈ Act, β_j, γ_k ∈ Act ∪ {τ}, and P_{1,i}, P_2, P_{3,j}, P_{4,k} ∈ Intvl(Var) for any i ∈ I, j ∈ J, k ∈ K.
If there are some other incoming transitions s6^l
Abstraction for Branching Structures
The abstraction for branching structures is illustrated in Fig. 5. No external observer can tell which branch is selected if each branch consists of one transition with the same action name, the same time constraint and the same destination state. Thus we keep just one of these branches.
Terminating Property of Abstraction Algorithm
Our proposed abstraction algorithm is to apply repeatedly the abstraction rules in Section 4.2 until no changes occur. In this section, we show that this abstraction algorithm is ensured to terminate. Firstly, we define the abstraction algorithm more precisely.
Definition 12 The abstraction algorithm is defined as follows:
(1) Input a PTIA M.
(2) Apply the abstraction rule for sequential structures to M.
(3) Apply the abstraction rule for branching structures to M.
(4) Repeat (2)-(3) until no change occurs in M.
(5) Output the PTIA M. □
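The following Python program is an added example, not code from the paper. It puts the timed-LTS semantics of Section 2 (a run is a sequence of delay transitions and guard-checked action transitions that reset t), the timed-trace projection of Definition 5, the two principles of Section 4.2 and the branching rule, and the fixpoint loop of Definition 12 into executable form on a small DAG. It handles the shape the principles describe directly: an observable transition entering a state whose outgoing transitions are all internal. The eliminated τ's lower and upper bounds are added to the bounds of the successor's transitions (principle 2), and one copy of the observable transition is made per τ-successor (principle 1). States that mix observable and internal transitions (the Fig. 3 case) are left untouched. The sample automaton `SAMPLE`, the parameter names `p`, `q`, and the guard encoding as linear expressions are constructed for this example.

```python
"""Toy PTIA with the timed-LTS semantics of Section 2 and the tau elimination of
Section 4. Added example, not the paper's code. Guards follow Intvl(Var): e1 <= t
and optionally t <= e2, each bound a linear expression over the parameters,
encoded as {name: coefficient} with "" holding the constant term."""
from dataclasses import dataclass
from itertools import count
from typing import Optional

TAU = "tau"  # label of internal transitions


def lin_add(e1, e2):
    """Sum of two linear expressions (dicts name -> coefficient)."""
    return {k: e1.get(k, 0.0) + e2.get(k, 0.0) for k in set(e1) | set(e2)}


def lin_eval(e, sigma):
    """Value of a linear expression under the value-assignment sigma."""
    return sum(v * (1.0 if k == "" else sigma[k]) for k, v in e.items())


@dataclass
class Trans:
    src: str
    label: str
    lower: dict            # e1 in e1 <= t; {} means 0 <= t
    upper: Optional[dict]  # e2 in t <= e2; None if unbounded
    dst: str

    def key(self):
        hi = None if self.upper is None else tuple(sorted(self.upper.items()))
        return (self.src, self.label, tuple(sorted(self.lower.items())), hi, self.dst)

    def enabled(self, t, sigma):
        """sigma |= P for the guard P of this transition at clock value t."""
        return lin_eval(self.lower, sigma) <= t and (
            self.upper is None or t <= lin_eval(self.upper, sigma))


@dataclass
class PTIA:
    init: str
    trans: list

    def out(self, s, label=None):
        return [x for x in self.trans if x.src == s and label in (None, x.label)]

    def has_tau(self):
        return any(x.label == TAU for x in self.trans)


def run(m, sigma, schedule):
    """Run [(delay, label), ...] on the timed LTS of m under sigma (Definition 2):
    each step is a delay transition followed by an action transition resetting t.
    Nondeterminism is tracked as a set; returns the control states reached,
    the empty set if the schedule is infeasible."""
    configs = {(m.init, 0.0)}
    for delay, label in schedule:
        configs = {(x.dst, 0.0) for s, t in configs
                   for x in m.out(s, label) if x.enabled(t + delay, sigma)}
    return {s for s, _ in configs}


def timed_trace(schedule):
    """Observable timed trace of Definition 5: absolute times, tau steps dropped."""
    trace, now = [], 0.0
    for delay, label in schedule:
        now += delay
        if label != TAU:
            trace.append((now, label))
    return tuple(trace)


def prune(m):
    """Drop transitions whose source is unreachable from the initial state."""
    seen, stack = set(), [m.init]
    while stack:
        s = stack.pop()
        if s not in seen:
            seen.add(s)
            stack.extend(x.dst for x in m.out(s))
    return PTIA(m.init, [x for x in m.trans if x.src in seen])


def height(m, s, memo):
    """Longest path from s to a sink; finite because M is a DAG ([RLoopFree])."""
    if s not in memo:
        memo[s] = 1 + max((height(m, x.dst, memo) for x in m.out(s)), default=-1)
    return memo[s]


def abs_seq(m, fresh):
    """Principles 1 and 2 for a purely internal state: an observable transition o
    entering a state whose outgoing transitions are all tau is replaced by one copy
    per tau successor, each leading to a fresh state carrying the successor's
    outgoing transitions with the tau guard added to their bounds. The candidate
    nearest the sinks goes first, so no other candidate lies below it and each
    rewrite strictly shortens a tau path, which gives termination on a DAG."""
    cands = [o for o in m.trans if o.label != TAU and m.out(o.dst)
             and all(x.label == TAU for x in m.out(o.dst))]
    if not cands:
        return m, False
    memo = {}
    o = min(cands, key=lambda x: height(m, x.src, memo))
    new = [x for x in m.trans if x is not o]
    for tau in m.out(o.dst):
        s_new = f"{tau.dst}'{next(fresh)}"
        new.append(Trans(o.src, o.label, o.lower, o.upper, s_new))
        for nx in m.out(tau.dst):
            hi = (None if tau.upper is None or nx.upper is None
                  else lin_add(tau.upper, nx.upper))
            new.append(Trans(s_new, nx.label, lin_add(tau.lower, nx.lower), hi, nx.dst))
    return prune(PTIA(m.init, new)), True


def abs_branch(m):
    """Branching rule: keep one of several transitions with the same source,
    action, time constraint and destination."""
    seen, new = set(), []
    for x in m.trans:
        if x.key() not in seen:
            seen.add(x.key())
            new.append(x)
    return PTIA(m.init, new), len(new) != len(m.trans)


def abstract(m):
    """Definition 12: apply both rules repeatedly until no change occurs."""
    fresh, changed = count(), True
    while changed:
        m, c1 = abs_seq(m, fresh)
        m, c2 = abs_branch(m)
        changed = c1 or c2
    return m


# Constructed sample (not from the paper): a[0,p]; (tau[1,q]; b[1,3] + tau[2,2]; c[0,1])
SAMPLE = PTIA("s1", [
    Trans("s1", "a", {}, {"p": 1.0}, "s2"),
    Trans("s2", TAU, {"": 1.0}, {"q": 1.0}, "s3"),
    Trans("s2", TAU, {"": 2.0}, {"": 2.0}, "s4"),
    Trans("s3", "b", {"": 1.0}, {"": 3.0}, "s5"),
    Trans("s4", "c", {}, {"": 1.0}, "s5"),
])
```

Running `abstract(SAMPLE)` yields a τ-free PTIA in which a leads nondeterministically to two fresh states, one offering b with guard 2 ≤ t ≤ q + 3 and the other offering c with guard 2 ≤ t ≤ 3. Under σ = {p: 2, q: 4}, the schedule a at 1, τ at 3, b at 5 on the original and the schedule a at 1, b at 5 on the result produce the same timed trace and both reach s5; a b at absolute time 2 is infeasible in both.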
Definition 13 Let Abs() be the abstraction function which represents the application of either AbsSeq() or AbsBranch(). □
Then, the following theorem holds. 
Equivalence Checking
In this section, we show that parametric timed failure equivalence checking on PTIAs reduces to parametric timed strong bisimulation checking on PTIAs without internal transitions. By applying the algorithm of Definition 12 to two PTIAs M1 and M2, we obtain two PTIAs Abs(M1) and Abs(M2) which have no internal transitions and are timed failure equivalent to M1 and M2, respectively. From the result of Ref. [14], we can then obtain the parameter condition under which Abs(M1) and Abs(M2) are timed strong bisimulation equivalent. Since timed strong bisimulation equivalence implies timed failure equivalence and timed failure equivalence is transitive, the obtained parameter condition is also a parameter condition under which M1 and M2 are timed failure equivalent. Note that the condition is sufficient: timed strong bisimulation is finer than timed failure equivalence even on PTIAs without internal transitions, so the condition obtained this way may be stricter than the exact one.
Definition 14 A binary relation R on states of a timed LTS is a timed strong bisimulation if the following condition holds:
If (s 1 , σ 1 )R(s 2 , σ 2 ), then for any α ∈ Act ∪ R + ∪ {τ}, 
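The following Python program is an added example, not the method of [14] nor code from the paper. It checks timed strong bisimulation between two PTIAs that contain no internal transitions, for one fixed value-assignment at a time, and then sweeps a constructed set of candidate assignments to list those under which the two automata are bisimilar; the sweep is a brute-force stand-in for the symbolic parameter condition derived in [14]. Because every transition resets t, both sides always share the same clock value, so the relation can be computed on pairs of control states by a greatest-fixpoint iteration; enabledness of an interval guard only changes at its bounds, so checking every bound, one point between consecutive bounds and one point beyond the largest bound covers all clock values. The automata `IMPL` and `SPEC`, the parameter names `p`, `q` and the candidate values are constructed for this example.

```python
"""Timed strong bisimulation check between two PTIAs without internal transitions
(Section 5) for one fixed value-assignment, plus a brute-force sweep over
candidate parameter values. Added example; the symbolic derivation of [14] is not
reproduced. A transition is (src, label, lower, upper, dst) with bounds as linear
expressions {name: coefficient} ("" = constant), upper None if unbounded; after
instantiation the bounds are plain numbers."""
from itertools import product


def lin_eval(e, sigma):
    return sum(v * (1.0 if k == "" else sigma[k]) for k, v in e.items())


def instantiate(trans, sigma):
    """Replace the symbolic bounds by their values under sigma."""
    return [(s, a, lin_eval(lo, sigma), None if hi is None else lin_eval(hi, sigma), d)
            for s, a, lo, hi, d in trans]


def sample_points(trans):
    """Clock values at which enabledness may change: every bound, one point
    strictly between consecutive bounds, and one point beyond the largest."""
    pts = sorted({0.0} | {b for _, _, lo, hi, _ in trans for b in (lo, hi) if b is not None})
    return pts + [(x + y) / 2 for x, y in zip(pts, pts[1:])] + [pts[-1] + 1.0]


def succ(trans, s, label, t):
    """Destinations of label-transitions from s enabled at clock value t."""
    return {d for src, a, lo, hi, d in trans
            if src == s and a == label and lo <= t and (hi is None or t <= hi)}


def bisimilar(tr1, init1, tr2, init2):
    """Greatest fixpoint over pairs of control states (Definition 14); both sides
    keep the same clock value because every action resets t. Returns True iff
    (init1, sigma) and (init2, sigma) are timed strong bisimulation equivalent."""
    assert all(a != "tau" for _, a, _, _, _ in tr1 + tr2), "eliminate tau first"
    st1 = {init1} | {x for s, _, _, _, d in tr1 for x in (s, d)}
    st2 = {init2} | {x for s, _, _, _, d in tr2 for x in (s, d)}
    labels = {a for _, a, _, _, _ in tr1 + tr2}
    pts = sample_points(tr1 + tr2)
    rel = set(product(st1, st2))

    def matched(x, y):
        # every enabled move of x is matched by one of y at the same clock value, and vice versa
        for a, t in product(labels, pts):
            s1, s2 = succ(tr1, x, a, t), succ(tr2, y, a, t)
            if not all(any((p, q) in rel for q in s2) for p in s1):
                return False
            if not all(any((p, q) in rel for p in s1) for q in s2):
                return False
        return True

    changed = True
    while changed:
        bad = {xy for xy in rel if not matched(*xy)}
        rel -= bad
        changed = bool(bad)
    return (init1, init2) in rel


def admissible(sym1, init1, sym2, init2, candidates):
    """Brute-force stand-in for the parametric condition of Section 5: the
    candidate assignments under which the two instantiated PTIAs are bisimilar."""
    return [sg for sg in candidates
            if bisimilar(instantiate(sym1, sg), init1, instantiate(sym2, sg), init2)]


# Constructed sample: a tau-free implementation with parameters p, q against a fixed spec.
IMPL = [("s1", "a", {}, {"p": 1.0}, "s2"), ("s2", "b", {"": 2.0}, {"q": 1.0, "": 3.0}, "s5"),
        ("s1", "a", {}, {"p": 1.0}, "s3"), ("s3", "c", {"": 2.0}, {"": 3.0}, "s5")]
SPEC = [("u1", "a", {}, {"": 2.0}, "u2"), ("u2", "b", {"": 2.0}, {"": 7.0}, "u5"),
        ("u1", "a", {}, {"": 2.0}, "u3"), ("u3", "c", {"": 2.0}, {"": 3.0}, "u5")]
CANDIDATES = [{"p": p, "q": q} for p in (1, 2, 3) for q in (3, 4, 5)]
```

`admissible(IMPL, "s1", SPEC, "u1", CANDIDATES)` returns only the assignment p = 2, q = 4: any other value of p changes the window of a, and any other value of q changes the upper bound of b, which the fixpoint detects at a sample point where exactly one side is enabled.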
Conclusion
In this paper, we proposed the parametric time-interval automaton (PTIA) and a transformation algorithm that eliminates its internal actions while preserving timed failure equivalence, and showed that parametric timed failure equivalence checking on PTIAs can be reduced to the existing parametric timed strong bisimulation equivalence checking method on PTIAs without internal transitions. Future work is to relax some of the restrictions imposed on the target PTIAs, especially the restriction on loops. For preserving timed failure equivalence, we confirmed that abstraction by the proposed rules is still possible in some cases containing loops, but there are examples to which the proposed abstraction rules cannot be applied. For preserving timed trace equivalence, on the other hand, we have successfully developed an abstraction algorithm for unrestricted PTIAs. We are currently working on PTIAs containing various loop structures and developing more general abstraction algorithms that preserve timed failure equivalence and/or timed trace equivalence.
