The construction of R, the process encapsulating the timing information, is not as efficient as it could be. Any method for making timing verification more efficient, such as partial order reductions, could in principle be incorporated into our current scheme.
A_all by constructing and verifying a homomorphism as before. We will refer to this as the "overall" abstraction.
The Seitz circuit has the property that the center stage can be repeated n times to construct a FIFO queue of length n. Verification techniques similar to the above can be used to verify such a queue with only a polynomial increase in complexity, contrasted with the exponential dependency of the state space on n.
The data from the experiments is listed in Table 1. The homomorphism check was performed within Cospan using BDDs as an implicit representation for sets and relations. Cospan has the capability to return a counterexample if the desired relation does not hold. This was instrumental in obtaining a correct abstraction by iteration. Tests were run on an SGI machine with 1 GB memory. To act as a comparison, we attempted to run timed reachability analysis on the complete circuit without using any compositional rules and abstraction. The computation did not complete: the computer ran out of memory after running for several hours.

Table 1. (Env) denotes the verification corresponding to equation (3). The same environment abstraction was used for both center blocks. Since timing constants must be integers, a 20% variation in a gate delay of k is represented by specifying the delay to be between 5k and 6k.
Conclusion and Future Work
We proposed a framework for hierarchical reasoning about real-time systems. Our framework supports modular and compositional verification rules. We proved that the problem of checking for timed simulation relations is decidable. On the application side, we generalized the notion of state homomorphisms to timed processes, and gave an algorithm to check if a given map between the locations of two processes preserves timed behavior. The proposed algorithm was implemented in Cospan, and as a case study, we dealt with the Seitz queue circuit. Our experience was that it can be difficult to specify a correct homomorphism and one usually has to go through several iterations. Therefore, it would be valuable to have the capability to check for timed simulation relations without the user needing to provide the relation. The only concern is that such an algorithm may be too complex. Heuristics can be devised for certain application domains.
which can pass one hazardous pulse (see [Rok93]), which involve two clocks each. This is not necessarily the most efficient way of modeling this circuit. The main purpose of this example was to demonstrate the techniques that we proposed for assumption-guarantee reasoning and homomorphism checks.
The circuit can be viewed as consisting of four blocks. The block marked "input stage" is responsible for passing on to the rest of the circuit the request for new data to be read in, and signaling an acknowledge to the requester when the queue element is ready to receive the data. Similarly, "output stage" signals a request for passing on the data to the circuit connected to "reqout", and when this request is acknowledged and data passed on, signals to the rest of the circuit that new data can be read in. The "center left" and "center right" stages are responsible for storing the input data and passing it to the output, and isolating the stored data from the data that is requested to be input. The timed process for each block consisted of the composition of the timed processes for its gates.
Let A_inp, A_cl, A_cr and A_out be the timed processes describing the input, center left, center right and output stages respectively.
The verification consisted of two phases. In the first phase, an abstraction for each circuit block was constructed by hand. Let these be denoted by A^abs_inp, A^abs_cl, A^abs_cr and A^abs_out. These abstractions described the qualitative functioning of each block, and hid the information about particular signals. In other words, the abstract processes encapsulated the "interface timing behavior" of each block. Untimed state homomorphisms were specified and it was verified as described above that each circuit block is an implementation of its abstraction. (2) where A^env_inp is a timed process that incorporates the information about A^abs_cl ∥ A^abs_cr ∥ A^abs_out that is necessary for proving (2). We then verified

A^abs_cl ∥ A^abs_cr ∥ A^abs_out ≤_S A^env_inp (3)

With some manipulation, we can infer (1) from (2) and (3) by Propositions 5 and 6. The same methodology was used for each of the circuit blocks. In some cases, when checking the equivalent of (3) it was possible to "free" some of the processes on the left hand side, i.e., disregard their transition structures and consider them as processes that pose no restriction on their inputs and outputs. This was useful in reducing the computation involved in checking (3). The conclusion from the first phase was that

A_inp ∥ A_cl ∥ A_cr ∥ A_out ≤_S A^abs_inp ∥ A^abs_cl ∥ A^abs_cr ∥ A^abs_out

In the second phase of the verification, a high level abstraction A_all of the whole circuit was constructed, and it was shown that A^abs_inp ∥ A^abs_cl ∥ A^abs_cr ∥ A^abs_out ≤_S

Assume that (⇐) holds for k.

Cospan supports timing verification and homomorphism checks (see [AK96] for an overview). Our implementation integrates these two capabilities. Given R and B, conditions (1) and (2) of Theorem 14 can be checked simultaneously by Cospan by an on-the-fly search. If (1) fails, this points to the fact that h does not preserve untimed behavior in the reachable parts of A and B.
If (2) fails, on the other hand, then B can not follow A due to timing constraints.
We applied the assumption-guarantee reasoning paradigm and the homomorphism checking algorithm described above to the verification of an asynchronous circuit: the Seitz queue element given in Figure 3. The Seitz queue element is a self-timed circuit that constitutes one stage of a FIFO queue. It was studied in detail in [Rok93]. The functioning of this circuit depends critically on the ranges of gate delays: if the deviation of the gate delays from the specified values exceeds 20%, the circuit does not function correctly [Rok93]. We model each gate by a .

h is a mapping to be supplied by the user capturing the intuition regarding the correspondence of locations at different levels. The syntax of S/R, the input language of Cospan, allows specifications of such maps. The verifier Cospan checks, using either an on-the-fly depth-first search or a BDD-based symbolic search of the product of the two processes, whether the user-supplied mapping h preserves untimed behavior. Let us generalize this to timed behavior. Observe that for a mapping to preserve timed or untimed behavior, it must map initial locations to initial locations. We restrict our attention to such mappings.
The remaining part of this section describes a method for checking if a given mapping h preserves timed behavior. This is achieved by converting the problem to an untimed homomorphism check, which can then be performed by a tool such as Cospan [Kur94]. The basic idea is to construct an untimed transition structure R in the fashion of the region automaton of [AD94]. This approach has the added advantage that we use the homomorphism checking in Cospan as a black box, and thus, we can use either an on-the-fly DFS or a BDD-based symbolic search.
R has no outputs and the same inputs as A, with an additional input specifying the location that B is at. For notational convenience, an input event of R will be given as an input event of A together with the old and new locations of A

user-given simulation relation has these properties as well, but is harder to specify.
i.e., the time increment in replaced with r. A → A, since r and t are both less than 1 − u_kA, which means that the same timing predicates are satisfied by A, A + t and A + r. By the fact that X is a symbolic simulation, and r ∈ Times, B → B for some B such that ⟨ A ; B ⟩ ∈ R_X. We claim that B → B, which will imply the desired result. This claim follows from the fact that B + t satisfies the same clock predicates as B + r, since no clock value crosses an integer value between these two clock valuations. (II) t > t_max. Let us consider all points in time when a clock of A takes on an integer value as A waits for time t starting from state A. Clearly there must be a finite number of such points since t is finite and there are a finite number of clocks. More precisely, let A_1, A_2, …, A_k be the maximal sequence of states such that (1) A_i is reached from A by waiting for time i, and has some clock with an integer value, and (2) We will prove the original claim in (⇐) by induction on k. The case where k = 0 follows from (I). Let us assume that the claim holds for k. We will show that the claim holds for k + 1.

Thus, the problem of checking whether a timed process A timed-simulates another process B can be reduced to computing the maximal symbolic simulation relation over the equivalence classes EQ_{A∥B}. For this purpose, any of the existing algorithms for computing simulation (e.g. see [KS90, HHK95]) can be adopted to obtain an algorithm with complexity polynomial in the size of EQ_{A∥B}. The size of EQ_{A∥B} is polynomial in the number of locations and exponential in the number of clocks and the size of binary encodings of the clock constraints. This gives an exponential algorithm for checking timed simulation:
Theorem 12. Given two timed processes A and B, the problem of checking whether A timed-simulates B is solvable in Exptime. We conjecture that Exptime is also a lower bound for this problem.
Verification Using Homomorphisms
In this section, we propose homomorphisms as an alternative way of proving timed refinement. Homomorphisms can roughly be viewed as mappings from the locations of one process to those of the other which conserve the transition structure. There are several reasons for exploring this alternative approach. First, the algorithm of the previous section is computationally expensive, and we do not yet have good heuristics to proceed with an implementation. Second, the tool Cospan already supports the use of homomorphisms for proving

Theorem 10. Let

Theorem 10 is important, because it implies that the maximal timed simulation relation consists of a union of equivalence classes of . In the following, we will develop machinery to show that given A and B, the problem of deciding if a timed simulation from A to B exists can be converted to a condition on the equivalence classes of which can be checked in finitely many steps. From this we will infer that the problem is decidable.
with the convention that u_{k+1} = 1. If we imagine the fractional parts of clocks ordered on the real line and if we also include the midpoints between each two adjacent fractional parts, Times consists of the distances between these points and the next integer point.
We say that X ⊆ EQ_{A∥B} is a symbolic simulation from A to B iff for each EQ( A ; B ) ∈ X the following condition is satisfied. For every t ∈ Times(⟨ A ; B ⟩) and a timed event = ⟨t, f, f′⟩, if A → A, then (1) B → B for some B such that EQ( A ; B ) ∈ X, and (2) if A can wait in A for time t, then so can B in state B. Note that, by Lemma 9, the conditions above are independent of what representative is chosen for each equivalence class.
Theorem 11. Given X ⊆ EQ_{A∥B} let R_X = { ⟨ A ; B ⟩ | EQ( A ; B ) ∈ X }. R_X is a timed simulation relation from A to B iff X is a symbolic simulation from A to B. Proof. The (⇒) direction is straightforward. We will prove the (⇐) direction.
Suppose that X is a symbolic simulation from A to B. Let ⟨ A ; B ⟩ ∈ R_X and let A → A for some timed event = ⟨t, f, f′⟩. We need to show that there exists a B such that B → B and ⟨ B ; B ⟩ ∈ R_X. If t ∈ Times(⟨ A ; B ⟩) the claim holds by the definition of a symbolic simulation. Otherwise, let t_max be the largest element of Times(⟨ A ; B ⟩). We will denote the latter with Times in the rest of the proof. There are two cases. (I) t < t_max. Then, p < t < q for some p and q in Times. One of p and q has the form 1 − 0.5(u_i + u_{i+1}) (call this one r) and the other has the form 1 − u_j, for some i and j. Let A = ⟨s_A, A⟩ and B = ⟨s_B, B⟩. Define = ⟨r, f, f′⟩, where

i = ⟨ i , f, f⟩ and Σ_{i=0}^{∞} i < . We will now show that this cannot be the case. Since the sum of the i's converges, there must exist l such that Σ_{i=l}^{∞} i < 1. Let r > l be such that no clock value assumes a non-zero integer value after the edge corresponding to r. Such an r must exist for the following reason: the non-zero integer crossing points corresponding to a clock must be separated by 1 time unit, so there cannot be more than one such crossing per clock after r. But there are a finite number of clocks, therefore only finitely many such points, which means there is a last one. We argue that after r, the same set of clock predicates of the form x k are satisfied. This is because no clocks cross integer boundaries other than 0, and the clocks that get reset after r satisfy 0 < x 1 on all edges after r. Let us choose any q > r. By the preceding argument, q could have been increased to Σ_{i=q}^{∞} i, which contradicts the maximality of q.
Decidability of Timed Simulation
A language inclusion check between non-deterministic timed processes is undecidable in the general case, while [C92] has proved that computing timed bisimulation is decidable. We have shown that the existence of a timed simulation relation is a sufficient condition for language inclusion. In the following, we will show that the problem of checking the existence of a timed simulation relation is decidable. We achieve this by converting this check to a finite check on the finitely many equivalence classes of an equivalence relation defined on the states of A∥B.
Our argument generalizes that of [C92] for the decidability of bisimulations.
Preliminaries. Let A be a timed process and for each x ∈ X let K_x denote the integer such that x K_x appears in an X-predicate on some edge of A. Also let Fr(x) = x − ⌊x⌋, the fractional part of x. The region equivalence relation [AD94] on A is defined as follows: ⟨s; ⟩ ⟨t; ⟩ iff s = t, and for all x ∈ X either both (x) and (x) are larger than K_x, or the following hold: ⌊ (x)⌋ = ⌊ (x)⌋, and for all x′ ∈ X, Fr( (x)) ≤ Fr( (x′)) iff Fr( (x)) ≤ Fr( (x′)), and Fr( (x)) = 0 iff Fr( (x)) = 0.
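As an added illustration (not code from the paper), the following Python builds the two finite objects this section reduces timed simulation to: the region equivalence of the Preliminaries (integral parts, ordering of fractional parts and zero fractional parts, per clock bound K_x) and the set Times of candidate delays (fractional parts, their midpoints, and the convention u_{k+1} = 1), and samples the case (I) claim of Theorem 11 that any delay up to t_max reaches a region some delay in Times already reaches. Clock names, the bounds K and the valuations are constructed for the example; exact rationals are used so integer crossings are detected reliably.

```python
from fractions import Fraction
from math import floor
from typing import Dict, Iterable, Set, Tuple

# A clock valuation maps clock names to nonnegative rationals.
Valuation = Dict[str, Fraction]


def valuation(**clocks) -> Valuation:
    """Build a valuation from ints or strings such as "3/10" (constructed helper)."""
    return {x: Fraction(v) for x, v in clocks.items()}


def region_key(nu: Valuation, K: Dict[str, int]) -> Tuple:
    """Canonical name of the region of nu under the region equivalence [AD94]:
    per clock x, either nu(x) > K_x (recorded as None) or floor(nu(x)) is kept;
    for the clocks still bounded by K only the relative order (rank) of the
    fractional parts and whether each is exactly 0 is recorded.  Two
    valuations are region equivalent iff their keys are equal."""
    floors, fracs = {}, {}
    for x, v in nu.items():
        if v > K[x]:
            floors[x] = None            # beyond K_x: the exact value is irrelevant
        else:
            floors[x] = floor(v)
            fracs[x] = v - floor(v)
    order = sorted(set(fracs.values()))  # distinct fractional parts, ascending
    rank = {x: order.index(f) for x, f in fracs.items()}
    return tuple(sorted((x, floors[x], rank.get(x), fracs.get(x) == 0) for x in nu))


def region_equivalent(nu: Valuation, mu: Valuation, K: Dict[str, int]) -> bool:
    return region_key(nu, K) == region_key(mu, K)


def times_set(nu: Valuation) -> Set[Fraction]:
    """Times(nu): the points u_1 < ... < u_k are the distinct fractional parts of
    the clocks, u_{k+1} = 1 by convention, the midpoints 0.5(u_i + u_{i+1}) of
    adjacent points are added, and Times is the set of distances 1 - p from
    each point p to the next integer (elements 1 - u_j and 1 - 0.5(u_i + u_{i+1}))."""
    points = sorted({v - floor(v) for v in nu.values()} | {Fraction(1)})
    mids = [(points[i] + points[i + 1]) / 2 for i in range(len(points) - 1)]
    return {1 - p for p in points + mids}


def wait(nu: Valuation, t: Fraction) -> Valuation:
    """The valuation nu + t: every clock advances by t."""
    return {x: v + t for x, v in nu.items()}


def delay_regions(nu: Valuation, K: Dict[str, int], delays: Iterable[Fraction]) -> Set[Tuple]:
    """Regions reached from nu by waiting for each delay in `delays`."""
    return {region_key(wait(nu, t), K) for t in delays}


def times_cover_delays(nu: Valuation, K: Dict[str, int], steps: int = 200) -> bool:
    """Sampled check of case (I) in the proof of Theorem 11 for one valuation:
    every delay t with 0 <= t <= t_max = max(Times) lands in a region that some
    delay from the finite set Times already reaches.  [0, t_max] is sampled at
    `steps` equally spaced rationals, so this is evidence, not a proof."""
    times = times_set(nu)
    t_max = max(times)
    covered = delay_regions(nu, K, times)
    sampled = delay_regions(nu, K, (t_max * i / steps for i in range(steps + 1)))
    return sampled <= covered


if __name__ == "__main__":
    K = {"x": 2, "y": 2}                      # constructed clock bounds K_x
    nu = valuation(x="3/10", y="7/10")        # constructed valuation
    print(sorted(times_set(nu)))              # [0, 3/20, 3/10, 1/2, 7/10]
    print(times_cover_delays(nu, K))          # True
```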
The following lemma will enable us to pick an arbitrary representative of an equivalence class in the rest of the paper.

The following assumption-guarantee rule is useful in modular reasoning.
Proposition 8 (Assumption-Guarantee). For nonblocking timed processes
Observe the apparent circularity in the rule: to prove that A ∥ B is a refinement of C ∥ D, it suffices to prove that (1) A is a refinement of C assuming that the environment behaves like D, and (2) B is a refinement of D assuming that the environment behaves like C. The proof relies on the fact that all processes are nonblocking. Let us note a few observations before we give a detailed proof. First, the rule is incorrect if we remove the requirement of nonblocking. Second, the rule is incorrect if we replace ≤_L by the simulation preorder ≤_S. Third, recall that we have required all X-predicates to be closed (i.e. all invariants labeling the locations are conjunctions of non-strict inequalities). If we allow predicates that define open sets (e.g. invariants of the form x < 5), the rule fails again.
In the proof below, we show that a timed process cannot force infinitely many transitions within a finite interval (the so-called condition of non-Zenoness). This does not hold automatically with open invariants. In this case, the nonblocking requirement needs to be strengthened by replacing requirement (1) in the definition of nonblocking using games. In [GSSL94], such a framework is developed for (asynchronous) timed I/O automata. However, that complicates the development considerably (indeed, the proof that the nonblocking requirement is preserved under composition runs many pages in [GSSL94]).
The composed process is an implementation of each component:
Both the timed equivalence relations are congruences with respect to the com-
The compositionality principle tells us that to prove that A ∥ B is a timed refinement of C ∥ D it suffices to show separately that A is a timed refinement of C and B is a timed refinement of D.
Modularity
In this section, we examine assumption-guarantee style reasoning principles for the abstraction relations. It is not clear whether such principles hold for the simulation preorder; for the language preorder, however, a simple and powerful modularity principle can be obtained under certain restrictions.
A timed process A = ⟨S, S_0, O, I, X, , , E⟩ is said to be nonblocking iff for all states in A,
(1) → for some timed event , and (2)

The intuition behind this definition is that a nonblocking process should be able to generate a trace no matter what the sequence of input events is. The execution of a nonblocking timed process can be viewed operationally as follows.
Consider the timed process in state = ⟨s, ⟩ with output f = (s). The process chooses a timed delay ′ such that wait( , ′), and simultaneously, the environment chooses a time delay ″. Let be the minimum of ′ and ″. The next observable event happens after a delay of . The timed process decides to update its output from f to f′. The environment decides to update the input from g to g′ independently. The timed process updates its state to ′ = ⟨s′, ′⟩ with

The two timed processes are timed simulation equivalent, written A ≡_S B, iff both A ≤_S B and B ≤_S A. It follows that the relation ≡_S is an equivalence relation. Similarly, the timed language equivalence ≡_L is the equivalence induced by ≤_L. Timed simulation is a stronger requirement than timed implementation.

- E is the finite set of edges. Each edge e is a tuple ⟨s, t, φ, , Y⟩ consisting of the source location s, the target location t, the X-predicate φ, the input predicate , and the set Y ⊆ X of clocks to be reset. It is required that E contains the edge ⟨s, s, true, stutter(I), ∅⟩ for each location s and, for given source and target locations, there is at most one edge between them.
Proposition 3 (Languages and timed simulation)
Consider a state = ⟨s, ⟩ of the timed process A and a positive time increment

Example. Figure 1 depicts a timed process representing an inertial delay buffer with non-deterministic delay between d_min and d_max. According to the inertial delay model, an input pulse must have duration at least d_min to be reflected at the output, and any input pulse of duration more than d_max has to create a corresponding pulse at the output. Note that any logic gate with inertial delay can be modeled as a delayless logic gate followed by an inertial delay buffer. Observe that, in our model of timed processes, a process spends nonzero time

The use of simulation mappings or homomorphisms to prove refinements is common in the literature (see, for instance, [Kur94, Sha92, AL91, LT87]). Among automated tools, Cospan provides support to check whether the user-supplied mappings actually define a homomorphism. Our work generalizes this to checking the preservation of timed behaviors.
Timed Abstractions
Preliminaries. Let X be a finite set of real-valued variables. An X-valuation assigns a nonnegative real value (x) to each variable x ∈ X. Let be an X-valuation. For a real number ≥ 0, + denotes the X-valuation that assigns the value (x) + to each variable x, and 0 denotes the X-valuation that assigns the value 0 to all x ∈ X. For a subset Y ⊆ X, [Y := 0] denotes the X-valuation that assigns the value 0 to each x ∈ Y and the value (x) to each x ∉ Y. An X-predicate φ is a boolean combination of constraints of the form x k, where k is a nonnegative integer constant, x ∈ X is a variable, and is one of the binary comparison relations ≤, ≥, =. We write ⊨ φ if the valuation satisfies the formula φ. Note that the set of X-valuations satisfying the X-predicate φ is closed. Let P be a finite set of variables, each ranging over a finite type. A P-valuation f is an assignment of values to variables in P. For a P-valuation f and a subset Q ⊆ P, f(Q) denotes the Q-valuation obtained by the restriction of f to the variables in Q. A P-event is a pair ⟨f, f′⟩ consisting of P-valuations f and f′ denoting the old and the new values of the variables in P. A P-predicate is a subset of P-events. While writing P-predicates as formulas, we use primed variables to refer to the updated values. For instance, the P-predicate p′ ≠ p is the set of all P-events ⟨f, f′⟩ such that f′(p) ≠ f(p). We use stutter(P) as an abbreviation for the predicate ∧_{p ∈ P} p′ = p. With these conventions, we proceed to define timed processes as a model for real-time systems. All real-time systems that can be specified in the S/R language of Cospan can be described as timed processes.

- is the invariant function that assigns the X-predicate (s) to each location s ∈ S. A state of A is a pair ⟨s, ⟩ containing the location s ∈ S and the X-valuation ∈ (s). The set of all states is denoted A. The state ⟨s, ⟩ is initial if s ∈ S_0 and (x) = 0 for all x ∈ X.
- is the output function that assigns the output (s) to each location s ∈ S.
Timed processes
(1) the composition of A and D implements C, and (2) the composition of B and C implements D. Note the circularity in the assumption-guarantee rule. Its correctness requires that the processes involved are nonblocking in the sense that they are willing to accept any inputs and do not block the progress of time.
While the relation of timed language inclusion is a natural choice for abstraction relation, it was proved in [AD94] that language containment is undecidable for non-deterministic systems. Since abstract descriptions often involve non-determinism, we propose timed simulation relations as a sufficient condition for implementation. In Section 4 we prove that it is decidable (in Exptime) to check whether such a relation exists between two systems.
In Section 5, we investigate homomorphisms, which are restricted forms of simulation relations, as an alternative way of specifying and verifying timed abstractions. This approach requires the user to specify a correspondence between the locations of the abstract and refined versions, but is computationally more feasible, and is a generalization of the existing homomorphism checks supported by the system Cospan. We present an algorithm for checking if a given mapping between the locations of two timed systems implies inclusion of timed languages. Our algorithm is implemented in Cospan. We used this algorithm and assumption-guarantee style reasoning to verify abstractions of an asynchronous queue circuit. The algorithm and the results of the experiments are presented in Section 5.
Related research. In recent years, many tools have been developed to support verification of real-time systems (for instance, Kronos [DOY94], Orbits [Rok93], timed Cospan [AK96] and Uppaal [LPY95]). These tools consider the problem of model checking, that is, verifying that a mathematical model of a system satisfies its specification. The problem of proving refinements of timed systems has been considered only in the context of manual proofs (see, for instance, [AL91, Sha92, LA92]).
We have emphasized compositionality and modularity. Compositionality means that the implementation relation is a congruence with respect to parallel composition, and is exhibited by any reasonable formalism. Modularity makes an explicit distinction between which variables are updated by the system and which are updated by the environment so as to support assume-guarantee style reasoning (an example of such a framework is I/O automata [LT87]). Assume-guarantee style proof rules for untimed systems have been proposed by many researchers (for instance, [GL94, AL93, AH96]). When the rule is symmetric and involves circularity, it is necessary to require that a process is nonblocking [LT87, AH96]. In the case of timed systems, these issues have been considered for timed I/O automata in [GSSL94]. Our framework uses synchronous composition and a much simpler definition of nonblocking without resorting to games.
For timed systems, a variety of implementation relations can be considered. Timed language containment is undecidable [AD94]. Timed bisimulation is decidable [C92], but is not appropriate for refinements. Time-abstract simulation is considered in [HHK95], but does not preserve timed properties. As far as we know, there is no previous study of timed simulations.

Abstract. Given two descriptions of a real-time system at different levels of abstraction, we consider the problem of proving that the refined representation is a correct implementation of the abstract one. To avoid the complexity of building a representation for the refined system in its entirety, we develop a compositional framework for the implementation check to be carried out in a module-by-module manner using assume-guarantee style proof rules. On the algorithmic side, we show that the problem of checking for timed simulation relations, a sufficient condition for correct implementation, is decidable. We study state homomorphisms as a way of specifying a correspondence between two modules. We present an algorithm for checking if a given mapping is a homomorphism preserving timed behaviors. We have implemented this check in the verifier Cospan, and applied our method to the compositional verification of an asynchronous queue circuit.
Introduction
We address the problem of refinement for real-time systems such as control protocols and asynchronous circuits. We want to prove that, of the two given representations of a system, the more refined one "implements" the more abstract one. By doing so, one would be assured that the properties proved about the abstract description continue to hold in the refined version. This scenario may arise either because the design is being carried out in a top-down fashion by refining the system iteratively, or because the system is too complex and an abstraction of the system needs to be used to verify properties. This work addresses the following two problems: proving that one timed system is an abstraction of the other, and developing a compositional verification framework so that this proof can be carried out modularly.
Typically, a model of a system is described as a collection of coordinating components. The aim of compositional verification is to decompose the problem of verifying refinement into subproblems so that a monolithic representation for the system does not have to be built. Performing verification in this way has the important benefit of scaling with the increasing complexity of real-time systems encountered in practice. With this goal, in Section 2 we present a model for real-time systems. Defining timed language inclusion as the weakest notion for "implementation", we prove compositionality properties and show the soundness of an assumption-guarantee paradigm for modular verification in Section 3. To prove that a refined system with two components A and B implements an abstraction consisting of two components C and D, the compositionality principle asserts that it suffices to prove A implements C and B implements D, separately, while the stronger assumption-guarantee rule asserts that it suffices to prove that
