The reliability of software is an increasingly important demand, especially for safety critical systems like train control systems or banking systems, for which failures may have very severe consequences. Mathematically based methods for speci cation and stepwise development of software have been invented in order to increase the reliability of software. A number of Formal Speci cation Languages have been designed and developed, for instance, Z, VDM, RAISE Speci cation Language, Extended ML, etc. Some of these languages provide facilities to specify concurrent systems, and therefore, they can capture various qualitative aspects of system behaviour, such as deadlock, synchronisation and safety. However, in a safety critical system, usually we need not only to study the nal result of program or the logic ordering of events occurring in a computation process, but to study real-time properties of the result as well. For example, we want to say, the time of a communication on channel c should be exactly 5 seconds before that of a communication on channel d. Then, it is wrong that the communication on channel c takes place 4.5 seconds earlier than the communication on channel d does. These requirements are usually called real-time requirements and these systems with real-time requirements (properties) are called real-time systems.
RAISE is a mathematically based method which has been shown to be useful in the industrial development of many kinds of software systems. However, RAISE has no particular features for specifying real-time requirements, which often occur in industrial process controller systems etc.
Adding real-time features to RAISE Speci cation Language (RSL) is not only an interesting topic for theoretical computer science researcher, but also a demand of RAISE users in industrial elds.
Integrating RSL with a real-time logic, e.g. Duration Calculus (DC) ZHR91], is a good choice to achieve the above aim. We divide this research into two steps. The rst is extending original RSL to Timed RSL (TRSL) by introducing some real time construct, such as wait t. The second step is relating DC with TRSL.
In this paper, we will focus on the rst step, or more speci cally on the following three topics:
Operational Semantics of TRSL, which will be discussed in Section 3. Time Test Equivalence of TRSL expressions, which will be discussed in Section 4. Soundness of TRSL Proof Rules, which will be discussed in Section 5.
We have proposed TRSL, the syntax extension to RSL, and its proof system in Geo97], which can also be found in Appendix A, B.
After establishing TRSL in Syntax, we should now nd the theoretical foundation for this new speci cation language. Based on the initial idea in Geo97], we give an Operational Semantics of TRSL and de ne an equivalence relation among TRSL expressions for the purpose of future proof of soundness for TRSL proof rules.
Adding time to RSL
We would like the addition of time to RSL to be the smallest extension that gives us a useful language, and if possible for it to be a conservative extension, i.e. for it to leave the existing proof rules unchanged.
The simplest extension to RSL to include time would seem to be to add a wait expression. Since we want eventually to relate timed RSL (TRSL) to DC we will make the parameter type of wait non-negative reals, which we will de ne as the type Time. For convenience, we allow natural numbers as arguments of wait by overloading it. A Nat argument is converted to Time by the existing pre x operator real. For example, wait 1 is equivalent to wait 1.0.
If we need a parallel expansion rule, it seems necessary also to add a new construct, \time dependence", to input and output. An input, as well as returning the value input, will also return a time value representing the time elapsed between the input being ready and the the communication taking place. Similarly, an output will return the time elapsed between the output being ready and the the communication taking place.
The extension de ned here owes much to the work of Wang Yi Wang91] . He in particular introduced time dependence. We also follow him in making only wait expressions, and input and output, cause or allow time to elapse. All other evolutions of expressions are regarded as instantaneous.
We also follow Wang Yi in adopting the maximal progress assumption. This means that the time between an input or output being ready and the communication taking place is minimised. In other words, when an expression can evolve without waiting for the environment, it will not wait.
This raises a question of what we mean by an internal (non-deterministic) choice like e1 de wait 1 ; e2 where e1 and e2 do not initially wait. Blindly applying the maximum progress assumption leads to this expression evolving only to e1. But this would remove the possibility of specifying an expression that might immediately perform e1, or might (non-deterministically) wait for one time unit and then perform e2. We want to allow this possibility in speci cation. This leads, as we shall see, to the need for a new operator to replace internal choice in the parallel and interlock expansion rules. It is precisely in these rules that we need the maximum progress assumption. We assume time out() can not itself initially wait.
Conservative extension
Conservative extension of RSL to make TRSL, i.e. all existing RSL proof rules being unchanged, would be ideal but does not seem to be achievable. There are two problems.
First, introducing time can remove non-determinacy. For example, specifying an expression like that we considered earlier, that will take a special action (time-out) if some event does not occur within a speci ed period, can only be speci ed without time as a non-deterministic choice between the normal and time-out behaviour. When time is included we may be able to calculate which behaviour will be taken; the non-determinacy may be removed.
Secondly, there are are some rules in RSL that we expect not to hold because of the kind of properties we are interested in when we want to relate TRSL to DC. DC is concerned with the duration of states, i.e. for how long properties hold. We expect properties to be re ected in the values of imperative variables in RSL. Now consider the following equivalence in RSL, for an expression e that does not involve input or output: c? ; v := e v := e ; c?
The assignment and the input can be commuted. In TRSL in general we have to introduce a let expression for the time dependence. We would expect from the RSL proof rules, provided again e does not involve input or output, and add the condition that t is not free in e, to be able to derive the following: These two examples do seem, however, to encompass the problems. It also seems likely (though this is the subject of further work) that there is a reduction from TRSL to RSL (just throwing away the timing information) that is consistent with a "more deterministic" ordering. That is, any behaviour of a timed speci cation will be a possible behaviour of its reduction to an untimed one. The second problem involves the strengthening of applicability conditions for commuting sequential expressions.
Operational Semantics
For the sake of clarity and in order to avoid distraction, we will follow the way of HI93] BD93] Deb94].
(the operational semantics in this paper for untimed part of TRSL is closely based on them), and only consider a core syntax of TRSL instead of the whole syntax. Our operational semantics can be viewed as a version of Timed CCS Wang91] without 's.
The Core Syntax
For simplicity we restrict the types of expressions to be Unit, Bool and Real. The set of allowed expressions includes:
Constants such as reals, the booleans true and false, a distinguished value (). The basic expression skip models a statement that immediately terminates successfully. We consider also basic expression stop which represents deadlock and the basic expression chaos which stands for the divergent process. Three binding operators that are the abstraction, the recursion and the let de nition ( , rec, let). The reader should notice that the rec is not an RSL binding operator. RSL does not syntactically distinguish recursion. In the core syntax, it is convenient to include it where recursion may occur. In other words, two interlocked expressions will communicate if they are able to communicate with one another. If they are able to communicate with other concurrently executing value expressions but not with each other, they deadlock unless one of them can terminate. The formal semantics of this operator will be given later. Notice that the interlocking operator is the main novelty in the RSL process algebra. It has been devised mainly to allow implicit concurrency speci cation.
; : Sequencing operator. Expressions may communicate through unidirectional channels. The expression let t = c!E1 in E2 means: evaluate E1, and then send the result of E1 evaluation on the channel c. And then evaluate E2. Notice that t records the time delay between the communication (sending a message) on c being ready and it occurring. The expression let t = c?x in E means: assign any value received on the channel c to variable x, and then evaluate E. Notice that t records the time delay between the communication (receiving a message) on c being ready and its occurring.
More formally the BNF syntax of our language is: 3.1. 
Expression
The BNF grammar of expressions is:
V ::= id : j id : , V E ::= () j true j false j r j T j id j x j skip j stop j chaos j x := E j if E then E else E j let id = E in E j wait E j let t = c?
E j E E j rec id : E j
In fact E ; E' is equivalent to let id = E in E' provided id is chosen so as not to be free in E'.
We include E ; E to give a conventional presentation.
3. Silent events " denotes internal moves, including internal behaviors of communication ( which is denoted as \ " in CCS).
Time Model
We assume that all silent events can perform instantaneously and will never wait unnecessarily.
Once both sides of a channel are ready for communication, the communication will happen without any delay (unless some other Visible event or Silent event happens instead.) and the communication takes no time.
The above assumptions are conventional and the reason for adopting them is just to make proof theory easier.
Notations
Here, we introduce some notations will be used in following operational rules and the de nition of equivalence relations. 
Con gurations
Our operational semantics is based on the evolution of con gurations.
The set of basic con gurations BC is de ned as: BC = f< ev; s > j ev 2 EV^s 2 Storeg
The set of con gurations, C, is the least set which satis es: Assume that and is one of Basic Forms. there are some other processes, which are not explicitly speci ed in the environment, will be ready for complementary communication, c! (c?), on channel c.
Commentary on Operational Rules
The transition relation is de ned as the smallest relation satisfying the axioms and rules given in our operational rules. Now, we will give more explanation :
Time Measurable Event A con guration will evolve with a time measurable event if and only if all its sub-con gurations in both sides of combinators: de bc, k and { k, (could) evolve with this same time measurable event.
Maximal Progress Maximal progress in RSL means that once a communication on a channel is ready, it will never wait. In rules for interlocking, the semantic function, Sort d , is used to illustrate that only if no pair of actions, each from one side of combinator, { k, is ready for communication, could this con guration evolve with time measurable event. In rules for parallel combinator, the condition is stronger: a con guration will involve with time measurable event, when no complement a available (including environment) for any action a in it (c.f. Section ?? 
Time Model
We view processes under a super-dense model as a trajectory in a two dimensional time space. We suppose there are countably in nite time axes, indexed by natural numbers. Events and processes happen and evolve in this space. A process starts at some time on a time axis. When the process executes a Time Measurable event, time progresses horizontally, and the process stays in the same time axis as before. When the process executes Visible events and Silent events , it jumps to another time axis, and makes a change to a new state there. A trajectory of a super-dense behavior is shown in Figure 1 .
There are two types of turning point. One is called a start turning point (points a, b, c, d in Figure 1) , from which the process will execute a Time Measurable event. The other is called an end turning point (points a', b', c', d' in Figure 1) , from which the process will execute a Visible event or a Silent event.
In our Time Test Equivalence de nition, for two equivalent processes (expressions), and , asking for A( , l) = A( , l) is to guarantee the same temporal order of Visible events and Time Measurable events of two processes.
Asking for W( , l) = W( , l) is to guarantee that the stores (variable states) of two processes (expressions) on every start turning point are just same to each other.
Asking for R( , l) = R( , l) is to guarantee that two expressions, if they terminate, can return the same sets of possible results.
Maximal Progress
Maximal progress property demands that whenever two processes can communicate with each other via a channel, they will never wait. A typical example is given as follows, and we hope those two TRSL expressions are equivalent with respect to our semantic model (Operational Semantics + Equivalence De nition). We would like to show that The original RSL Proof Rules for the TRSL expressions not involving time (e.g. simple assignment expressions) still hold in our semantic model. Most of the original RSL Proof Rules for TRSL expressions involving time (e.g. input expressions, output expressions) with newly added side conditions hold in our semantic model.
New rules applied to extended operators are sound in our semantics In our semantic model, no new rules for the Original RSL syntax are generated.
Soundness
As mentioned before (c.f. Section 2.1), not all the original RSL proof rules are sound with respect to our semantic model. However, it is trivial to prove that all the original proof rules for TRSL expressions not involving time still hold in our semantical model, because our semantics and the de nition of equivalence are just the same as the original one, if we ignore the transitions of \"(d)".
For the same reason, it is clear that no new rules for the Original RSL syntax are generated in our semantic model. We need to add side conditions to some of the proof rules for TRSL expressions involving time. We are interested in proving the soundness of these rules with respect to our semantic model (most rules that we need to study are listed in Page 457 of RMG95]).
Of course we should also prove the soundness of rules for the extended operators too.
Recommendations to TRSL expressions
Just as RSL, we have some recommendations to TRSL expressions:
1. Expressions in sides of parallel and interlock operators must be assignment disjoint (one many not access a variable assigned by the other). 2. When giving speci cations involving constructs for concurrency (especially at the time, we want to apply expansion law), we should always write TRSL expression in standard form Geo97] RMG95] (c.f. Appendix B.3.3).
During the proof, we assume that all the expressions comply with the above recommendations. case (l1, l2) of (<>, ) ! l = l2, ( , <>) ! l = l1, We can get the conclusion using the similar techniques as the above proof. Actually, each case in parallel expand just corresponding to one operational semantics rule. for instance, parallel exts corresponds to the third rule of Parallel-Operational rules, parallel ints corresponds to the second rule. We will not list all those tedious proofs here.
NOTE :
What we would like to emphasise is as follows. The proofs of other rules are similar or easier.
Discussion

Future Work
This paper gives a set of proof rules and an operational semantics for TRSL. Denotational semantics and its formal interrelations with proof rules (axiomatic semantics) and operational semantics need be further investigated. What is more, a formal relation between an eventbased process algebra and a state-based logic like the Duration Calculus is a non-trivial research topic Rav94] PG96]. Actually, Geo98b] gives a DC (denotational) semantics of TRSL, and an \operational semantics with explicit states", which relates TRSL with DC, has been proposed in Xia98]. We need more time to give further results.
The method for developing timed RSL speci cations is also an important research direction for TRSL. Some initial results can be seen in Geo98a].
Related Work
Over the past decade, a number of formal calculi (also called process algebras) for real-time, concurrent systems have been developed; examples are TCCS Wang91], TCSP Dav93] etc. These calculi are suitable speci cation languages to describe real-time system requirements. They give us a hint on our construction of Timed RSL and its operational semantics.
However, if one uses those speci cation languages, the design part of the program has to be given in another language. Using TRSL, we can stay with the same language in all the processes of development. The above reason is a major motivation for us to add real-time features to RSL.
There is another way to add real time features to a wide-spectrum language. ?] represents RTL formulae in Z and ?] embeds DC into RSL high order logic. Those approaches make those languages has the ability to specify real-time properties. However, those speci cations are hard to directly transformed into a low level programming language, if we don't introduce some real-time constructors to the design part of those wide-spectrum languages. Meaning A wait expr of the form wait t has the e ect of delaying the evaluation of any expression that sequentially follows it by t time units.
In addition, skip is given the context-independent expansion of wait 0.0. Time is added to the type literals. Its maximal type is Real and it is short for fj r : Real r 0.0 jg.
A.2 Time Dependence
New forms of input and output expressions have been introduced as let (b,t) = c? in e end let t = c!e1 in e2 end
As noted by Wang91], the introduction of \time dependence" is mainly for the expansion rule (c.f. the next subsection).
To understand this, consider the expression e wait 1 ; c1!1 k wait 2 ; c2!2
The parallel behaviour will be an external choice between two sequential behaviours.
One sequential possibility is simple: wait 2 ; c2!2 ; c1!1
If c2 communicates rst, there will be a delay of at least 2 time units before c1 becomes ready, and this is consistent with e, where c1 must be delayed by at least 1 time unit.
But for the other possibility we have wait 1 ; c1!1 ; wait k ; c2!2
And we need to choose k so that c2!2 is delayed by at least 2 time units from the beginning of the execution. But this depends on how long the environment causes c1!1 to idle. To avoid any possibility of miracles, we treat negative waits as zero ones. For convenience we de ne a number of \dot" arithmetic operators in terms of an up function on reals.
up ( In particular this means that _ min and _ max (treated as in x binary operators) are associative and commutative and may be applied (as pre x functions) to sets of arguments, both returning 0.0 for an empty set and up(x) for a singleton set fxg.
We also have the identities To describe \Time Maximal Progress", all the \de" operators, which are used in de ning parallel ints, interlock ints and parallel expand will be replaced by _ u. Actually, it is impossible for us to write the rule without knowing the details of eu'. That is the reason in our operational semantics, we introduce Sort d and SORT d (c.f. Section 3.5).
B.3.2 Special Functions in RSL
The \special functions", which appear in this Appendix, convergent, pure, readonly, express, no capture etc are de ned in RMG95]. In order to make this article self-contained, we list their brief de nitions as follows.
readwriteonly : value expr ! logic-value expr readwriteonly(e) is equivalent to true only if e does not dynamically access any channels. It is used when we need to know that an expression cannot be waiting to do an input or an output. readwriteonly is de ned by the rule readwriteonly(e) ' 9 id : Unit ! write a T (id() e) where T is the maximal type of e and the access a is the possible variable accesses of e. Possible accesses are actual mentions of variables and the read and write accesses in the signatures of functions that are applied. are di erent : name name ! logical-value expr are di erent(name1, name2) is equivalent to true only if name1 and name2 denote di erent entities. assignment disjoint : value expr value expr ! logical-value expr assignment disjoint(e1, e2) is equivalent to true only if neither of the value expressions can write to variables that can be read (or written to) by the other. It is used when the evaluation order changes. assignment disjoint(e1, e2) is de ned in terms of are di erent applied to the possible read accesses of e1 and the possible write accesses of e2, and vice versa. Possible accesses are actual acesses (mentions of a variable name) and access rights from the signatures of functions that are applied.
subst expr : value expr binding value expr ! value expr subst expr(e1, b, e) is only de ned if e1 has a maximal type the same as the maximal type of b (a well-formedness condition on rules in which it is used). For example subst expr(e, x, x+x) ' e + e
The maximal type of the resulting value expression is the same as the maximal type of the third parameter. 
B.3.3 Standard Form
