In this paper, an algebra of timed processes with real-valued clocks is presented, which serves as a formal description language for real-time communicating systems. We show that requirements such as "a process will never reach an undesired state" can be verified by solving a simple class of constraint systems on the clock variables. A complete method for reachability analysis associated with the language is developed, and implemented as an automatic verification tool based on constraint solving techniques. Finally, as examples, we study and verify the safety properties of Fischer's mutual exclusion protocol and a railway crossing controller.
INTRODUCTION
Correct timing plays an important role in ensuring the correct operation of real-time systems. Since such systems are often embedded in safety-critical environments, it is important to formally verify that certain crucial requirements are always met by the systems. This creates a need for formalisms to describe the abstract behavior of timed systems (i.e. modeling) and to check logical properties of the abstract descriptions (i.e. verification). During the past few years, researchers have developed various formal techniques for modeling and verifying real-time systems, e.g. automaton based [1, 3, 14] and process algebra based [24, 7, 9, 15, 22, 17, 13, 20, 29]. One of the most successful approaches is timed automata due to Alur and Dill [3], which are the classical finite-state automata extended with variables modeling system clocks.
In this paper, we study real-time communicating systems. Such a system may consist of a number of components with their own or shared clocks. The components may communicate with each other, and with the environment, through channels according to the timing constraints on the values of the clocks. Naturally, we can use timed automata to describe the components. However, it is not obvious how to combine the component descriptions to achieve the whole system description. Originally, the parallel composition of timed automata is interpreted as logical conjunction, which is similar to the strong multi-synchronization operator from process algebras, defined by the rule:
AN ALGEBRA OF PROCESSES WITH CLOCKS
Process algebras provide a clean and general paradigm for the compositional specification of communicating processes. We present an algebra of timed automata, serving as a structural description language for real-time communicating systems. The idea is to use algebraic operators to construct complex system descriptions in terms of simpler ones, or component descriptions. Following the tradition of process algebra, we shall call the algebraic terms processes instead of timed automata.
Syntax
Traditionally, a prefix expression $\alpha.P$ in process algebras like CCS describes a process which may perform an $\alpha$-transition and then continue with P. But no timing information is given on when the transition may be taken.
Following Alur and Dill [3], we assume a set of clocks to specify timing constraints on transitions. Conceptually, the clocks may be considered as the system clocks of a concurrent system, owned or shared by processes in the system. The processes may test the clocks by comparing the clock values with integer constants, and reset the clocks, i.e. assign clock values to 0. Further, we assume that all clocks proceed at the same rate and measure the amount of time that has elapsed since they were reset or started.
We extend the action prefix $\alpha.P$ to the form $(g, \alpha, r).P$, where g is a predicate over the clock values and r is a subset of clocks to be reset. Intuitively, $(g, \alpha, r).P$ describes a timed process which may perform an $\alpha$-transition instantaneously when g is true of the current clock values, and then continue with P with the clocks in r being reset while the other clocks proceed with their old values.
Enabling Conditions. We use C to denote the set of clocks, ranged over by x, y, z.
An enabling condition g is a logical formula generated by the following syntax: $g ::= tt \mid ff \mid A \mid g \wedge g$, where A is an atomic formula of the form $x \sim n$, with $\sim$ ranging over a fixed set of four comparison relations between a clock x and a natural number n. We could allow a more general form of formulas, such as disjunction $g \vee f$. However, it would not give more expressive power to the description language we are going to develop. In fact, logical disjunction can be modeled by the behavioural choice operator.
The language is essentially CCS extended with the timed action prefix $(g, \alpha, r).P$. As in CCS, we assume a set of labels closed under complementation (so that $\bar{\bar{\alpha}} = \alpha$ for every label), ranged over by $\alpha, \beta$ and representing external actions, and a distinct symbol $\tau$ representing internal actions. We use Act to denote the set of all actions, the labels together with $\tau$, ranged over by a, b, c, representing both internal and external actions. Further, we assume a set of process variables ranged over by X, Y and sequences of letters.
We shall see that the algebraic structure of a process expression P represents the control structure of a process. This will be clear when we present the operational semantics. We adopt a two-phase syntax according to two types of control structures: regular and concurrent.
Processes with Regular Control-Structure. We start with processes whose control structure is regular in the sense that no concurrency is involved. The regular process expressions are generated by the following grammar:
$E ::= nil \mid X \mid (g, a, r).E \mid E + F \mid X \stackrel{def}{=} E$
We shall restrict expressions to be well-guarded in the following sense:
Definition 2.1 X is well-guarded in E if and only if every free occurrence of X in E is within a subexpression (a guard) of the prefix form $(g, a, r).F$ in E. E is well-guarded if and only if every free variable in E is well-guarded in E, and for every subexpression of the form $X \stackrel{def}{=} F$ in E, X is well-guarded in F.
Let $\mathcal{A}$ denote the set of closed and well-guarded expressions generated by the grammar above. We call $\mathcal{A}$ regular timed processes. Note that if we consider the prefix (g, a, r) to be a single guard, or structured action, $\mathcal{A}$ corresponds precisely to the set of CCS regular processes.
Processes with Concurrent Control-Structure. We shall study concurrent processes in the form $(P_1 | \ldots | P_n) \setminus L$, where $P_i \in \mathcal{A}$ describes the components and L represents the set of internal channels connecting the components.
We use $\mathcal{P}$ to denote the set of timed concurrent processes, ranged over by P, Q and R. For simplicity, we have ignored the relabelling operator. The results of this paper can easily be extended to more general types of processes modeled by the combination of parallel composition, restriction and relabelling.
Semantics
We interpret $\mathcal{P}$ in terms of clock assignments. A clock assignment $\sigma : C \to \mathbb{R}_{\ge 0}$ is a function mapping each clock x to a non-negative real $\sigma(x)$. We assume that a process is always started with an initial clock assignment. Before going further, we need to define some notation. Assume that d is a non-negative real and r is a set of clocks. We use $\sigma + d$ to denote the clock assignment which maps each clock x to $\sigma(x) + d$, and the assignment obtained from $\sigma$ by resetting r is the one which maps x to 0 if $x \in r$ and to $\sigma(x)$ otherwise. Furthermore, given a predicate g over C, we write $g(\sigma)$ to mean the truth value of g relative to the assignment $\sigma$.
A global state, or configuration, of a process is a pair $(P, \sigma)$ where $P \in \mathcal{P}$ stands for the current control state and $\sigma$ denotes the current clock values. A process may make two types of transitions from state to state: action transitions, labelled by $a \in Act$, and delay transitions, labelled by a non-negative real.
The function M is defined as follows:
$M(nil, \sigma) = \infty$
$M((g, a, r).E, \sigma) = \sup\{t \mid g(\sigma + t)\}$
$M(E + F, \sigma) = \max\{M(E, \sigma), M(F, \sigma)\}$
$M(X, \sigma) = M(E, \sigma)$ if $X \stackrel{def}{=} E$
$M(E | F, \sigma) = \min\{M(E, \sigma), M(F, \sigma)\}$
$M(E \setminus L, \sigma) = M(E, \sigma)$
Intuitively, $M(P, \sigma)$ is the maximal time that $(P, \sigma)$ may stay in the same control state (i.e. P) before it must switch to another control state. This is also assumed by the maximal progress assumption adopted in timed process algebras [9, 29]. For example, the control state of $X \stackrel{def}{=} (x < 1, \tau, \{\}).Q$ will become Q by doing the $\tau$ action before the clock value of x proceeds to 1. However, when the value of x is larger than or equal to 1, the control state of $Y \stackrel{def}{=} (x < 1, \tau, \{\}).Q + (x \ge 1, a, \{x\}).R$ will remain the same, i.e. Y, but the $\tau$ action will be disabled and the a action will be enabled.
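As an added illustration of the definitions above (example code written for this page, not the authors' tool), the following Python encodes clock assignments, enabling conditions and the function M over process terms, and evaluates the X and Y examples just discussed. Terms are plain tuples, Q and R are taken to be nil, and the convention that the supremum of an empty delay set is $-\infty$ is an assumption of the example, since the text does not fix one.

```python
"""Clock assignments, enabling conditions and the maximal-delay function M.
Example code written for this page; process terms are plain tuples:
  ("nil",)                           ("var", X)
  ("pre", guard, action, resets, E)  -- the timed prefix (g, a, r).E
  ("+", E, F)   ("|", E, F)   ("\\", E, L)
A guard is a list of atoms (clock, op, n); the empty list is tt."""
import math

OPS = {"<": lambda v, n: v < n, "<=": lambda v, n: v <= n,
       ">": lambda v, n: v > n, ">=": lambda v, n: v >= n}

def holds(guard, sigma):
    """g(sigma): truth value of the guard under clock assignment sigma."""
    return all(OPS[op](sigma[x], n) for x, op, n in guard)

def delay(sigma, d):
    """sigma + d: every clock advances by d."""
    return {x: v + d for x, v in sigma.items()}

def reset(sigma, clocks):
    """Reset the clocks in `clocks` to 0 and keep the others."""
    return {x: (0.0 if x in clocks else v) for x, v in sigma.items()}

def sup_delay(guard, sigma):
    """sup{ t >= 0 | g(sigma + t) }.  Each atom bounds t from one side; the
    supremum of an empty set is taken as -inf (an assumption of this example)."""
    lo, lo_strict, hi, hi_strict = 0.0, False, math.inf, False
    for x, op, n in guard:
        t = n - sigma[x]              # sigma(x) + t ~ n  <=>  t ~ n - sigma(x)
        if op in ("<", "<="):
            if t < hi or (t == hi and op == "<"):
                hi, hi_strict = t, op == "<"
        elif t > lo or (t == lo and op == ">"):
            lo, lo_strict = t, op == ">"
    if lo > hi or (lo == hi and (lo_strict or hi_strict)):
        return -math.inf              # the guard can never become true
    return hi

def M(term, sigma, defs):
    """Maximal time (P, sigma) may stay in control state P (the page's M)."""
    k = term[0]
    if k == "nil":
        return math.inf
    if k == "pre":
        return sup_delay(term[1], sigma)
    if k == "var":                    # well-guardedness guarantees termination
        return M(defs[term[1]], sigma, defs)
    if k == "+":
        return max(M(term[1], sigma, defs), M(term[2], sigma, defs))
    if k == "|":
        return min(M(term[1], sigma, defs), M(term[2], sigma, defs))
    if k == "\\":
        return M(term[1], sigma, defs)
    raise ValueError("unknown term " + k)

def enabled(term, sigma, defs):
    """Actions a regular term may perform now, i.e. whose guard holds under sigma."""
    k = term[0]
    if k == "nil":
        return set()
    if k == "pre":
        return {term[2]} if holds(term[1], sigma) else set()
    if k == "var":
        return enabled(defs[term[1]], sigma, defs)
    if k == "+":
        return enabled(term[1], sigma, defs) | enabled(term[2], sigma, defs)
    raise ValueError("enabled() is defined for regular terms only")

# The two definitions discussed in the text, with Q and R taken to be nil.
DEFS = {
    "Q": ("nil",),
    "R": ("nil",),
    "X": ("pre", [("x", "<", 1)], "tau", [], ("var", "Q")),
    "Y": ("+", ("pre", [("x", "<", 1)], "tau", [], ("var", "Q")),
               ("pre", [("x", ">=", 1)], "a", ["x"], ("var", "R"))),
}

if __name__ == "__main__":
    for v in (0.0, 0.25, 1.0):
        s = {"x": v}
        print(f"x={v}: M(X)={M(('var', 'X'), s, DEFS)}, "
              f"enabled(Y)={enabled(('var', 'Y'), s, DEFS)}")
```

With x = 0.25 the process X must leave its control state within 0.75 time units, whereas Y has no such bound because the a-prefixed summand stays enabled for ever once x reaches 1; at x = 1 only a is enabled, exactly as the text describes.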
VERIFYING SAFETY PROPERTIES OF PROCESSES
The language developed in the previous section can be used as a tool to construct the abstract model of an existing system or of a system to be designed. In this section, we discuss how to verify properties of such systems in terms of their abstract models.
Verification by Reachability Analysis
It has been pointed out in [12] and elsewhere that the practical goal of verification of real-time systems, in particular safety-critical systems, is to verify simple safety properties. This type of property is usually formalized as a temporal logic formula of the form $\Box \neg F$, read as "it is impossible that F will be true in the future". Here, F describes a certain undesired situation or logical property. For example, to verify a railway control system, the first question to ask would be: is it possible that two trains are crossing a certain critical point at the same time? For finite-state systems, this kind of property can be verified simply by checking whether the reachable states satisfy F or not, that is, by "reachability analysis". Unfortunately, the systems concerned here are infinite-state because the clock values range over the reals.
Definition 3.1 (Simple Reachability Problem) Assume $P_0, P_f \in \mathcal{P}$ and $\sigma_0, \sigma_f$ are clock assignments. We say that $(P_f, \sigma_f)$ is reachable from $(P_0, \sigma_0)$ iff there is a natural number n and a sequence of transitions starting from $(P_0, \sigma_0)$ and ending up with $(P_f, \sigma_f)$, i.e. $(P_0, \sigma_0) \to (P_1, \sigma_1) \to \cdots \to (P_{n-1}, \sigma_{n-1}) \to (P_f, \sigma_f)$, where each transition is labelled by an element of $Act \cup \mathbb{R}_{\ge 0}$ (an action or a delay).
More generally, we will consider the reachability problem for sets of clock assignments.
Definition 3.2 (General Reachability Problem) Assume $P_0, P_f \in \mathcal{P}$ and $D_0, D_f$ are sets of clock assignments. We say that $(P_f, D_f)$ is reachable from $(P_0, D_0)$ iff there exist $\sigma_0 \in D_0$ and $\sigma_f \in D_f$ such that $(P_f, \sigma_f)$ is reachable from $(P_0, \sigma_0)$.
We shall develop an algorithm based on constraint solving techniques, for solving the General Reachability Problem.
Reachability Analysis by Constraint Solving
Given a process to be analyzed, we assume that its clocks are ordered as a vector $x_1, x_2, \ldots, x_n$. Then a clock assignment can be considered as a vector of reals, or a point in the n-dimensional space $\mathbb{R}^n_{\ge 0}$. We shall use linear constraint systems to describe regions of points in such a space as their solution sets, and solve the reachability problems by manipulating a simple class of linear constraint systems.
A Class of Linear Constraint Systems
By a linear constraint system, we simply mean a set of linear inequalities over a set of variables ranging over $\mathbb{R}_{\ge 0}$ (in our case, the clock variables). A solution to such a system is an assignment that maps each variable to a value and satisfies the set of inequalities. In general, a constraint system may have more than one solution. In the rest of the paper, we shall simply call a constraint system D a region, meaning its solution set. We shall use the operations on regions (wp, free, border and conjunction) for backward reachability analysis. Similar operations, such as the strongest postcondition, can be defined in order to do forward reachability analysis.
An Algorithm and Its Correctness
Having introduced the notion of time regions, in the following we will simply call (P, D) a region of states, and extend the transition relation to regions.
Definition 3.5 Assume $a \in Act$ and a new symbol representing delays.
To achieve a decision algorithm for the problem, we shall take the approach of backward reachability analysis. Usually, to verify safety properties, a backward analysis algorithm may terminate much faster than a forward analysis algorithm, for the following reason: in case a system does not contain an undesired state, the backward analysis need not check the whole reachable state space of the system, but the forward analysis does; and the probability for a safety-critical system to contain a serious error is often very small.
The general principle of backward analysis is to start from the final state and search back to the initial one. If the initial state is found, the algorithm terminates with answer "yes", otherwise "no". However, our backward analysis method can easily be adapted to forward analysis. First, we need to study the control structures more carefully. It has been said earlier that the algebraic structure of a term P describes the control structure of a process. In fact, the set of subexpressions of P is a superset of the control states of P, and the transitions among the control states obey the rules in Fig. 2: the prefix rule is $(g, a, r).E \xrightarrow{g, a, r} E$, and a move $E \xrightarrow{g, a, r} E'$ of a component gives rise to $E | F \xrightarrow{g, a, r} E' | F$ and $E \setminus L \xrightarrow{g, a, r} E' \setminus L$. It should be obvious that each term $P_0$ describes a timed automaton, i.e. $(CS, P_0, \to)$, where CS is the set of all control states reachable from $P_0$ and $\to$ is the least transition relation defined by the transitional rules. In particular, note that CS is finite.
The reachability analysis algorithm is based on the following idea. Assume that we want to decide whether $(P_0, D_0)$ may reach (P, D) in one step (i.e. without passing through other control states) or not. The first thing to check is whether it is possible for $P_0$ to switch to P directly. If this is not the case, that is, $P_0 \xrightarrow{g, a, r} P$ for no g, a, r, we can conclude immediately that (P, D) is not reachable from $(P_0, D_0)$ in one step. Now, assume $P_0 \xrightarrow{g, a, r} P$ and let $D_0' = wp(g \wedge free(r, border(r, wp(D))))$. In fact, $D_0'$ is the largest region of points that may (1) pass the guard g, (2) be reset by r, and finally (3) reach D. In general, for any given g, r and D, we define $image(g, r, D) = wp(g \wedge free(r, border(r, wp(D))))$.
Now, we are ready to present the algorithm, shown in Fig. 3, for backward reachability analysis. We use two buffers for saving regions of states: passed and waiting, where passed stands for the set of regions that have been examined and waiting for the set of regions that are to be examined next. The algorithm is started with passed = {} and waiting = {$(P_f, D_f)$}, and then repeatedly examines the regions in waiting. If a region (P, D) found in waiting is smaller than a region (P, D') with the same control state in passed, then (P, D) does not need to be examined further. Otherwise, put all the regions that may reach (P, D) in one step into waiting to be examined later, and put (P, D) into passed. The algorithm terminates either when waiting is empty (i.e. nothing is left to be examined) and it therefore fails to find the initial region, or when a region $(P_0, D_0')$ is found which includes a part of the initial region $(P_0, D_0)$, i.e. $D_0 \wedge D_0' \neq \{\}$.
It is easy to prove the partial correctness (soundness) of the algorithm: given proper inputs, it always provides the right answer. It is slightly more difficult to prove the total correctness (completeness) of the algorithm: given proper inputs, it always terminates with an answer.
Theorem 2 (Total Correctness) For all initial regions $(P_0, D_0)$ and final regions $(P_f, D_f)$, the algorithm always terminates with an answer which is either 'yes' or 'no'.
Implementation
In describing the reachability algorithm, we did not explain how to (1) perform the four operations wp, free, border and $\wedge$ defined on time regions, (2) check the emptiness of a time region (or the satisfiability of a constraint system), and (3) decide set inclusion (i.e. $\subseteq$) between time regions. In fact, these functions are often provided by constraint solvers, or are straightforward to implement using the primitive functions of a constraint solver.
We have implemented the algorithm as a tool, based on a constraint solver developed at the Swedish Institute of Computer Science called the Prolog Constraint Solver (PCS) [21]. Several examples have been used to test the tool (see the next section), which show that the implementation is fairly efficient.
EXAMPLES
In this section, we present examples which have been verified by our tool. In addition to clock variables, in describing the examples we shall also use ordinary variables. These variables do not change their values automatically as the clock variables do; they can only be assigned values from finite domains, and therefore they will not cause infinite-stateness. Fortunately, the implementation of our tool is based on a general constraint solver which can handle logical constraints and assignments involving ordinary variables in the same way as timing constraints and clock assignments.
Fischer's Mutual Exclusion Protocol
The protocol was proposed originally by Fischer and described by Lamport [18]. It guarantees mutual exclusion in a concurrent system consisting of several processes by using a shared variable among the processes and properly timing the processes in changing the shared variable. Each of the processes is assumed to have a local clock. The idea behind the protocol is that the timing constraints on the local clocks are set so that only one process can change the global variable to its own process number, then read the global variable later and, if the shared variable is still equal to its own number, enter the critical section.
Assume a concurrent system with n processes $P_1, \ldots, P_n$. We use $x_i$ to model the local clock for each process $P_i$. The formal description of $P_i$ is given in Fig. 4 and illustrated in Fig. 5. This is a simplified version of the original protocol and has been studied by researchers, e.g. [4, 25]; it permits only one process to enter the critical section, and that process never exits it. Recovery actions from failure to enter the critical section are omitted. However, the protocol can be extended to an actual mutual exclusion algorithm.
The processes $P_i$ may be in any of the four local states $A_i, B_i, C_i, CS_i$. Initially, all processes are in their A state and the shared variable v is initially 0. A process $P_i$ that tries to enter the critical section changes state from $A_i$ to $B_i$ if it sees v = 0. In $B_i$, it will move to $C_i$ before the clock $x_i$ proceeds to const, and in doing so reset the clock $x_i$ (i.e. ensure that a process must reach the B location before any process reaches the C location; otherwise, it will never move from the A location to the B location). The timing constraints on the clocks ensure that all processes in the C location must wait until all processes in the B location reach the C location. The last process that reached the C location and set v to its own process number gets the right to enter its critical section. In fact, the protocol will guarantee mutual exclusion for any non-zero constant const.
We need to verify that the mutual exclusion property is satisfied, i.e. there will never be more than one process that may reach its critical section $CS_i$. The requirement can be formalized as follows: the concurrent system, with an initial state where the control state is $A_1 | \ldots | A_n$ and an arbitrary variable assignment, will never reach a state where the control state is of the form $S_1 | \ldots | CS_k | \ldots | CS_l | \ldots | S_n$ for some $k, l \le n$ and $S_i \in \{A_i, B_i, C_i, CS_i\}$.
We have used our tool and verified a system consisting of 10 processes with const = 1, which satisfies the property. We are in the process of extending the tool to treat the number of processes as a variable and verify that the property is satisfied by systems with an arbitrary number of processes.
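The backward reachability algorithm of Fig. 3 and the Fischer example above, worked through in Python as an added example (written for this page; it is not the authors' PCS-based tool). Regions are represented as difference-bound matrices, a standard constraint-system representation for clocks, on which wp, border, free and conjunction are the DBM "down", "and x = 0", "free" and "and" operations; the search keeps the passed and waiting buffers exactly as described in the text. The product automaton of n Fischer processes is built from the informal description above, and the guards used ($x_i < const$ to write v, $x_i \ge const$ to read it) are this example's reading of that description; the initial clock values are left arbitrary. The names Region, image, backward_reachable, fischer_edges and cs_reachable are the example's own.

```python
# Backward reachability over clock regions (DBMs) and its use on Fischer's protocol.
from collections import deque
from itertools import product

INF = float("inf")
LE0 = (0, False)    # a bound (c, strict) means x_i - x_j <= c (or < c if strict)
TOP = (INF, False)  # no constraint
tighter = lambda a, b: a[0] < b[0] or (a[0] == b[0] and a[1] and not b[1])  # a tighter than b?
add = lambda a, b: TOP if a[0] + b[0] == INF else (a[0] + b[0], a[1] or b[1])

class Region:
    """Clock constraint system over clocks 1..n (index 0 is the constant-zero reference clock)."""
    def __init__(self, n, m=None):  # default: every x_i >= 0 and nothing else
        self.n, self.r = n, range(n + 1)
        self.m = m or [[LE0 if i == j or i == 0 else TOP for j in self.r] for i in self.r]
    def copy(self):
        return Region(self.n, [row[:] for row in self.m])
    def close(self):  # tightest (canonical) form: Floyd-Warshall over the bounds
        for k in self.r:
            for i in self.r:
                for j in self.r:
                    via = add(self.m[i][k], self.m[k][j])
                    if tighter(via, self.m[i][j]):
                        self.m[i][j] = via
        return self
    def is_empty(self):
        return any(tighter(self.m[i][i], LE0) for i in self.r)
    def subset_of(self, other):
        return all(not tighter(other.m[i][j], self.m[i][j]) for i in self.r for j in self.r)
    def conj(self, guard):  # D ^ g, for g a list of atoms (clock, op, n); [] is tt
        d = self.copy()
        for x, op, n in guard:  # x ~ n is a bound on x - 0 or on 0 - x
            i, j, b = (x, 0, (n, op == "<")) if op in ("<", "<=") else (0, x, (-n, op == ">"))
            if tighter(b, d.m[i][j]):
                d.m[i][j] = b
        return d.close()
    def wp(self):  # weakest precondition under delay: points that can let time pass into D
        d = self.copy()
        for i in range(1, d.n + 1):  # relax each lower bound as far as the diagonals allow
            d.m[0][i] = LE0
            for j in range(1, d.n + 1):
                if tighter(d.m[j][i], d.m[0][i]):
                    d.m[0][i] = d.m[j][i]
        return d.close()
    def border(self, clocks):  # the part of D where every clock in `clocks` is 0
        return self.conj([(x, "<=", 0) for x in clocks])
    def free(self, clocks):  # drop every constraint on the clocks in `clocks`
        d = self.copy()
        for x in clocks:
            for j in d.r:
                if j != x:
                    d.m[x][j], d.m[j][x] = TOP, d.m[j][0]
        return d.close()

def image(g, r, D):  # largest region that may pass g, reset r, and then delay into D
    return D.wp().border(r).free(r).conj(g).wp()

def backward_reachable(edges, initial, g0, final, Df):
    """The algorithm of Fig. 3 over edges (src, guard, resets, dst) between finitely
    many control states.  The initial region is given as a guard g0 over Df's clocks."""
    passed, waiting = [], deque([(final, Df)])
    while waiting:
        P, D = waiting.popleft()
        if P == initial and not D.conj(g0).is_empty():
            return True                      # a part of the initial region is hit
        if any(Q == P and D.subset_of(E) for Q, E in passed):
            continue                         # covered by a larger, examined region
        passed.append((P, D))
        for src, g, r, dst in edges:
            if dst == P:
                pre = image(g, r, D)
                if not pre.is_empty():
                    waiting.append((src, pre))
    return False

# Fischer's protocol, n processes: clock x_i has index i, v is the shared variable,
# control states are (locations, v).  The guards are this example's reading of the text.
A, B, C, CS = "A", "B", "C", "CS"

def fischer_edges(n, const, write_op="<"):
    """Per process i: A -> B if v = 0 (reset x_i); B -> C if x_i < const (v := i,
    reset x_i); C -> CS if x_i >= const and v = i.  Nothing leaves CS."""
    edges = []
    for locs, v, i in product(product((A, B, C, CS), repeat=n), range(n + 1), range(1, n + 1)):
        at = lambda loc: locs[:i - 1] + (loc,) + locs[i:]
        if locs[i - 1] == A and v == 0:
            edges.append(((locs, v), [], [i], (at(B), v)))
        elif locs[i - 1] == B:
            edges.append(((locs, v), [(i, write_op, const)], [i], (at(C), i)))
        elif locs[i - 1] == C and v == i:
            edges.append(((locs, v), [(i, ">=", const)], [], (at(CS), v)))
    return edges

def cs_reachable(n, const, write_op, cs_count):
    """Can a state with exactly cs_count processes in CS be reached from all-A, v = 0,
    arbitrary clocks?  cs_count = 2 asks for a mutual exclusion violation."""
    edges, initial = fischer_edges(n, const, write_op), ((A,) * n, 0)
    return any(backward_reachable(edges, initial, [], (locs, v), Region(n))
               for locs in product((A, B, C, CS), repeat=n)
               if locs.count(CS) == cs_count for v in range(n + 1))
```

`cs_reachable(2, 1, "<", 2)` answers no, so with two processes and const = 1 no state with two processes in CS is reachable, while `cs_reachable(2, 1, "<", 1)` confirms that the critical section itself is reachable. Relaxing the write deadline to $x_i \le const$ (an assumption of this example, not a variant the text discusses) makes the two-in-CS state reachable, a useful check that the analysis is not vacuously negative; the backward search terminates in both cases because only finitely many distinct regions arise per control state, which is what the passed buffer exploits.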
A Simple Railway Control System
We consider a railway control system that automatically controls trains passing a critical point such as a bridge. The idea is to use a computer to guide trains from several tracks across a single bridge instead of building many bridges. Obviously, a safety property of such a system is to avoid the situation where more than one train is crossing the bridge at the same time.
Assume that the whole system consists of n trains and a simple controller. We model the system by the following process:
Intuitively, when a train $Train_i$ approaches the bridge, it sends a signal to the controller within a certain distance. If the bridge is occupied, the controller sends a stop signal $stop_i$ within 10 time units to prevent the train from entering the bridge. Otherwise, if the approaching train does not receive a stop signal within 10 time units, it will start to cross the bridge within 20 time units, but it will take at least 11 time units for a train to enter the bridge. The crossing train is assumed to leave the bridge within 3
We need to guarantee that the system will never reach a control state where two trains are in location Cross, whatever values the clocks may have. That is, a state of the form $(S | T_1 | \ldots | Cross_k | \ldots | Cross_l | \ldots | T_n) \setminus \{appr_i, stop_i, leave_i, go_i\}$ for some $k, l \le n$, $S \in \{Free, Occ_1, Occ_2\}$ and $T_i \in \{Safe_i, Appr_i, Slow_i, Stop_i, Start_i\}$.
We have verified a system consisting of 6 trains with our tool, which satisfies the safety requirement. As in the previous example (Fischer's protocol), we can only check a system with a fixed number of trains. We hope to extend our system to deal with any number of trains.
CONCLUSION
The first contribution of this paper is an algebra of processes with clocks, which extends timed automata with algebraic operators. The algebra may serve as a formal description language for real-time communicating systems. In particular, a parallel composition operator is introduced for timed automata to model communication and concurrency, which can be used to construct complex system descriptions in terms of component descriptions.
The second contribution of this paper is a reachability analysis algorithm for the description language, based on constraint solving techniques. The algorithm is proved to be sound (i.e. it always provides the right answer) and complete (i.e. it always terminates with an answer). It has been implemented as an automatic verification tool, for verifying safety properties of real-time communicating systems, based on an existing constraint solver. Several examples have been used to test the tool. In particular, we have studied and verified Fischer's mutual exclusion protocol and a railway controller using our tool.
There have been many proposals for verifying timed systems, e.g. [2, 24, 1, 7, 14, 17]. However, most of them are intended to construct the whole reachability graph of a system, to obtain more efficient model checking algorithms with respect to a real-time temporal logic, or to check equivalences between abstract specifications. We believe that the goal of verifying real-time systems, in particular safety-critical systems, is to check simple logical properties, which can be done without constructing the whole reachability graph or using the full power of model checking. We are of the opinion that our approach is simpler, as it is based directly on constraint solving techniques, and can be fairly efficient in verifying systems consisting of many components, as it avoids exploring the whole state space.
We are in the process of extending our tool to deal with more general types of variables, such as lists, in addition to clock variables. In particular, we will treat the number of components in a concurrent system as a parameter (i.e. an ordinary variable) in order to verify systems with many similar components, such as the trains in the railway controller and the processes in Fischer's protocol, in a more efficient way.
