Formalization and Correctness of the PALS Pattern for Asynchronous Real-Time Systems by Jose Meseguer and Peter Olveczky
Formalization and Correctness of the PALS
Pattern for Asynchronous Real-Time Systems
Jose´ Meseguer1 and Peter O¨lveczky2
1 University of Illinois at Urbana-Champaign
2 University of Oslo
Abstract. Due to physical requirements, what in essence and at a higher
level of abstraction is a logically synchronous real-time system has to
be often realized as a distributed, asynchronous system. Getting asyn-
chronous real-time systems right is a very error prone and labor-intensive
task. The Physically Asynchronous Logically Synchronous (PALS) ar-
chitectural pattern can greatly reduce the design and verification com-
plexities of achieving logical synchrony in a distributed real-time sys-
tem implementation. The PALS philosophy is to provide a correct-by-
construction pattern of very wide applicability. The main goal of this
work is to make the PALS correctness property —applying to a wide
range of designs— mathematically precise. For this, we define a formal
model of the PALS transformation, and give formal requirements for
the allowed logically synchronous system designs, and for the operating
environments in which a resulting PALS distributed design is to be de-
ployed. Based on such a formal model and formal requirements, we also
give a mathematical proof of correctness for PALS, and a proof of op-
timality, showing that the PALS period is shortest possible. The PALS
proof of correctness can greatly facilitate the formal verification effort,
because it reduces the verification of a complex asynchronous real-time
system to that of its much simpler synchronous high-level design. Our
formal model is developed in rewriting logic using the Real-Time Maude
specification language. Since such formal specifications are executable,
they can be used as a basis for correct-by-construction code generation
implementations of PALS.
1 Introduction
Physical requirements often necessitate distributed, asynchronous implementa-
tions of what in essence and at a higher level of abstraction are logically syn-
chronous real-time architectures. However, getting an asynchronous real-time
systems right is a very error prone and labor-intensive task. This has a direct
bearing on safety-critical systems, for which the cost of certification can also be
quite high. The Physically Asynchronous Logically Synchronous (PALS) archi-
tecture developed by researchers at Rockwell-Collins and UIUC (see [5, 1, 8]) can
greatly help in generating, from a synchronous design, a correct-by-construction
asynchronous real-time implementation.
2We believe that PALS, as a complexity-reducing formalized architectural
pattern, can greatly increase system quality and can greatly reduce both the cost
of design, implementation, and verification of distributed real-time systems, such
as avionic systems, and the cost of certifying highly critical systems of this kind.
Specifically, certification of Level A safety critical system requires full coverage
of the verification of its design and the validation of its implementation. This
may easily become unfeasible for a distributed design; but full design verification
may be achieved by automatic model checking verification of the semantically
equivalent, but much simpler, synchronous design thanks to the PALS formally
verified architectural pattern.
This document focuses on PALS’s mathematical model, its timeline and the
optimality of its logical time period, the formal executable specification of the
wrappers that make the PALS transformation possible, and a formal correctness
proof which justifies why verification of the much simpler synchronous system
ensures the correctness of its PALS asynchronous version. This work has been
developed in close interaction with all the other members of the PALS team at
UIUC and Roockwell-Collins and should be viewed as a key component of the
PALS architecture; specifically, as the formalization of such an architecture. In
this way, PALS becomes a formalized architectural pattern, which can be safely
applied with very strong correctness guarantees to a very wide range of real-time
synchronous designs. Given the importance of fully documenting PALS formal
model and its correctness, we think that the topics we study here deserve being
spelled out in detail; this complements other documents on PALS, and provides
both an in-depth mathematical presentation of the PALS architecture and a
detailed reference for PALS’s formal properties and underpinnings.
Besides documenting the PALS mathematical aspects, a more practical ap-
plication of this work is that the formally specified wrappers that are added to
the components of a synchronous real-time system in order to obtain their PALS
counterpart can support correct-by-construction code generation schemes that
can be used to automatically generate an asynchronous system PALS implemen-
tation from a simpler synchronous system implementation.
Main Contributions. The main contributions of this work are:
1. A precise formal model in rewriting logic of the PALS transformation, ex-
pressed in Real-Time Maude, including precise assumptions about the al-
lowable synchronous designs to which PALS can be applied and about the
underlying operating conditions of the network and clock synchronization
infrastructures.
2. A precise derivation of the PALS period, as well as a proof of its optimality,
showing that it is shortest possible under the given assumptions about the
network and clock synchronization infrastructures.
3. A bisimulation theorem, showing that the original synchronous design and
the so-called stable states of the corresponding PALS asynchronous design
constitute bisimilar systems.
4. A justification of the method that reduces the formal verification of tem-
poral logic safety and liveness properties of an asynchronous PALS design
3—typically unfeasible due to the enormous state space explosion caused by
concurrency— to the model checking verification of its synchronous coun-
terpart; and
5. A formal specification of the PALS wrappers, which are used to encapsulate
the different synchronous state machines in order to obtain the corresponding
asynchronous system; since such formally-specified wrappers are executable,
they can support correct-by-construction code generation schemes to gener-
ate the code of a PALS system from that of its synchronous code.
The logical framework in which we have developed this model is rewriting logic
[4], and in particular, the Real-Time Maude formal specification language [7],
which supports formal executable specification and model checking verification
of rewriting logic models of real-time systems.
1.1 Key Ideas of the PALS Formal Model
The formalization of PALS is achieved by:
1. Defining a synchronous system as an synchronous ensemble of state machines
E , connected together by a wiring diagram.
2. Giving a specification Γ of the following performance bounds:
– the clock skew of the local asynchronous clocks for each state machine
should be strictly smaller than 
– minimum and maximum duration times 0 ≤ αmin ≤ αmax for any ma-
chine to consume inputs, make a transition, and produce outputs;
– minimum and maximum message transmission delays 0 ≤ µmin ≤ µmax
for the network.
3. Defining PALS as a formal model transformation
(E , Γ ) 7→ A(E , Γ )
where a synchronous design E and its performance bounds Γ generate an
asynchronous design A(E , Γ ).
4. Using rewriting logic and Real-Time Maude to make the formal asynchronous
model A(E , Γ ) executable.
5. Viewing theA(E , Γ ) model as the executable specification of correct wrappers
for the state machines of E . Such executable wrapper specifications could
then be used as a basis for automatically generate code that implements the
PALS system A(E , Γ ) based on an implementation or a design of E .
All the results presented in this work, such as the time period calculation, the
proof of its optimality, and the bisimulation theorem, are based on the above
formal model of PALS; and on simple extensions of it, such a the associated
Kripke structures that are used as the semantic basis of temporal logic properties.
The rest of this document is organized as follows. In Section 2 we sum-
marize the basic ideas about rewriting logic and Real-Time Maude needed to
define our formal model of PALS. In Section 3 we give a formal definition of the
4synchronous models that are legal input designs for the PALS transformation,
including precise formal defintions of typed machines, synchronous ensembles,
and synchronous composition. In Section 4 we define in detail the assumptions
about clock drift, network delays, and machine execution times that, together
with the given synchronous ensemble are the inputs to the PALS transforma-
tion. We then give a precise time-line analysis of the period that must be chosen,
based on these parameters, for the PALS asynchronous system to achieve log-
ical synchrony. Based on this analysis, we then give a formal specification in
Real-Time Maude (parametric on the input ensemble E and the performance
bounds Γ ) of the resulting PALS-transformed asynchronous system, and collect
in Section 5 some facts about the consequences of the extra generality gained by
allowing local clock functions that are only piecewise continuous instead of just
continuous. In Section 6 we state and prove the main bisimulation result, con-
necting the states of the synchronous system with the so-called stable states of
its PALS-transformed asynchronous counterpart; some key lemmas for this the-
orem are collected in Section 7. A detailed proof of the optimality of the PALS
period used to achieve logical synchrony is Section 8, an some final conclusions
are drawn in Section 9.
Acknowledgments. This work is part of a broader collaboration with Steve
Miler and Darren Cofer at Rockwell-Collins and with Lui Sha, Abdulla Al-
Nayeem, and Mu Sun at UIUC on the PALS architecture. The ideas presented
here have been developed in close interaction with all these people, who have
provided very useful comments on earlier versions of this work. We thank par-
ticularly Lui Sha and Mu Sun for their very careful and insightful comments
on an earlier version that has led to substantial improvements. We gratefully
acknowledge funding for this research from the Rockwell-Collins corporation.
Partial support has also been provided by the National Science Foundation un-
der Grants IIS 07-20482 and CNS 08-34709, and by the Research Council of
Norway.
2 Real-Time Maude
A Real-Time Maude [7] timed module specifies a real-time rewrite theory of the
form (Σ,E, IR,TR), where:
– (Σ,E) is a membership equational logic [3] theory with Σ a signature3 and
E a set of confluent and terminating conditional equations. (Σ,E) speci-
fies the system’s state space as an algebraic data type, and must contain a
specification of a sort Time modeling the (discrete or dense) time domain.
– IR is a set of (possibly conditional) labeled instantaneous rewrite rules spec-
ifying the system’s instantaneous (i.e., zero-time) local transitions, written
rl [l] : t => t′, where l is a label. Such a rule specifies a one-step transi-
3 i.e., Σ is a set of declarations of sorts, subsorts, and function symbols
5tion from an instance of t to the corresponding instance of t′. The rules are
applied modulo the equations E.4
– TR is a set of tick (rewrite) rules, written with syntax
rl [l] : {t} => {t′} in time τ .
that model time elapse. {_} is a built-in constructor of sort GlobalSystem,
and τ is a term of sort Time that denotes the duration of the rewrite.
The initial state must be a ground term of sort GlobalSystem and must be
reducible to a term of the form {t} using the equations in the specifications.
The Real-Time Maude syntax is fairly intuitive. For example, a function
symbol f is declared with the syntax op f : s1 . . . sn -> s, where s1 . . . sn
are the sorts of its arguments, and s is its (value) sort. Equations are written
with syntax eq t = t′, and ceq t = t′ if cond for conditional equations. The
mathematical variables in such statements are declared with the keywords var
and vars. We refer to [3] for more details on the syntax of Real-Time Maude.
In object-oriented Real-Time Maude modules, a class declaration
class C | att1 : s1, ... , attn : sn .
declares a class C with attributes att1 to attn of sorts s1 to sn. An object of class
C in a given state is represented as a term < O : C | att1 : val1, ..., attn : valn >
of sort Object, where O, of sort Oid, is the object’s identifier, and where val1
to valn are the current values of the attributes att1 to attn. In a concurrent
object-oriented system, the state is a term of the sort Configuration. It has
the structure of a multiset made up of objects and messages. Multiset union
for configurations is denoted by a juxtaposition operator (empty syntax) that
is declared associative and commutative, so that rewriting is multiset rewriting
supported directly in Real-Time Maude.
The dynamic behavior of concurrent object systems is axiomatized by spec-
ifying each of its transition patterns by a rewrite rule. For example, the rule
rl [l] : m(O,w) < O : C | a1 : x, a2 : O’, a3 : z > =>
< O : C | a1 : x + w, a2 : O’, a3 : z > dly(m’(O’),x) .
defines a parametrized family of transitions (one for each substitution instance)
message m, with parameters O and w, is read and consumed by an object O of class
C. The transitions have the effect of altering the attribute a1 of the object O and
of sending a new message m’(O’) with delay x (see [7]). “Irrelevant” attributes
(such as a3, and the right-hand side occurrence of a2) need not be mentioned in
a rule (or equation).
A subclass inherits all the attributes and rules of its superclasses.
4 E is a union E′∪A, where A is a set of equational axioms such as associativity, com-
mutativity, and identity, so that deduction is performed modulo A. Operationally, a
term is reduced to its E′-normal form modulo A before any rewrite rule is applied.
6Formal Analysis. A Real-Time Maude specification is executable, and the tool
offers a variety of formal analysis methods. The rewrite command simulates one
fair behavior of the system up to a certain duration. It is written with syntax
(trew t in time <= τ .), where t is the initial state and τ is a term of sort
Time. The search command uses a breadth-first strategy to analyze all possible
behaviors of the system, by checking whether a state matching a pattern and
satisfying a condition can be reached from the initial state. The command which
searches for n states satisfying the pattern search criterion has syntax
(utsearch [n] t =>* pattern such that cond .)
Real-Time Maude also extends Maude’s linear temporal logic model checker
to check whether each behavior, possibly up to a certain time bound, satisfies a
temporal logic formula. State propositions, possibly parametrized, can be predi-
cates characterizing properties of the state and/or properties of the global time
of the system. They are operators of sort Prop, and their semantics is defined
by (possibly conditional) equations of the form {statePattern} |= prop = b,
for b a term of sort Bool, which defines the state proposition prop to hold in
all states {t} where {t} |= prop evaluates to true. A temporal logic formula
is constructed by state propositions and temporal logic operators such as True,
False, ~ (negation), /\, \/, -> (implication), [] (“always”), <> (“eventually”),
and U (“until”). The time-bounded model checking command has syntax
(mc t |=t formula in time <= τ .)
for initial state t and temporal logic formula formula .
3 Formal Definition of the Synchronous Model
This section formally defines the synchronous model of computation as a collec-
tion of deterministic typed machines and an environment, and a set of connec-
tions that connect output ports of the machines and the environment to input
ports.
3.1 Typed Machines
A typed machine is a component in the synchronous model.
Definition 1. A (deterministic) typed machine is a 4-tuple
M = (Di, S,Do, δM )
where
– Di, called the input set, is a nonempty set of the form Di = Di1 ×· · ·×Din ,
for n ≥ 1, where Di1 , . . . , Din are called the input data types.
– S is a set, called the set of states.
7– Do, called the output set, is a nonempty set of the form Do = Do1×· · ·×Dom ,
for m ≥ 1, where Do1 , . . . , Dom are called the output data types.
– δM , called the input-output-transition (i-o-t) function, is a function
δM : Di × S → S ×Do
We call M finite iff Di, S, and Do are all finite sets.
That is, such a machine has n input ports and m output ports; an input to
port k should be an element of the set Dik , and an output from port j should
be an element of the set Doj . Pictorially, we represent a typed machine as a box
with typed input and output wires as shown in Fig. 1.
M
1 : Di1
.....
n : Din
1 : Do1 m : Dom
.....
Fig. 1. Graphical representation of a machine.
3.2 Synchronous Ensembles of Typed Machines
Typed machines can be “wired together” into arbitrary sequential and parallel
compositions by means of a “wiring diagram,” as the one shown in Fig. 2, where
the types are left implicit, but where it is assumed that the type in an output
wire must match any types in the input wires connected with it:
Definition 2. A (typed) synchronous machine ensemble is a 4-tuple
E = (J ∪ {e}, {Mj}j∈J , E, src)
where
8M1
M3
M2
Fig. 2. A machine ensemble.
– J is a finite set, called the set of indices, and e is an element, called the
environment index, with e 6∈ J .
– {Mj}j∈J is a J-indexed family of typed machines.
– E, called a typed environment, is an ordered pair of sets
E = (Dei , D
e
o)
where Dei , called the environment’s input set (inputs to the environment),
is a nonempty set of the form
Dei = D
e
i1 × · · · ×Deine , for ne ≥ 1
and Deo, called the environment’s output set (outputs from the environment),
is a nonempty set of the form
Deo = D
e
o1 × · · · ×Deome , for me ≥ 1
– src is a function that assigns to each input port (j, n) (the input port number
n of machine j) the corresponding output port (or “source” for that input)
src(j, n). Formally, we define the set of input ports and output ports, respec-
tively, as follows:
• InE = {(j, n) ∈ (J ∪ {e})× N | 1 ≤ n ≤ nj}
• OutE = {(j, n) ∈ (J ∪ {e})× N | 1 ≤ n ≤ mj}
Then src is a surjective function
src : InE → OutE
assigning to each input port the output port to which it is connected, and such
that “the types match”. That is, if we denote by Djik the set of data allowed
9as input in the kth input port of machine Mj (resp. kth input port of the
environment if j = e), and same with output ports, then if src(j, q) = (k, l)
we should have Dkol ⊆ Djiq .
In addition, we require that there are no self-loops from the environment to
itself; that is, for (e, q) ∈ InE , if src(e, q) = (k, p), then k ∈ J .
As its name suggests, a synchronous ensemble E has a lock-step synchronous
semantics, in the sense that the state-and-output transitions of all the machines
are performed simultaneouly, and whenever a machine has a feedback wire to
itself and/or to any other machine, then the corresponding output becomes an
input for any such machine at the next instant. As explained below, what this
means mathematically is that any ensemble E is semantically equivalent to a sin-
gle state machine, called the synchronous composition of all the machines in the
ensemble E . This has enormous practical importance for formal verification pur-
poses, since the composed state machine is much simpler than an asynchronous
system realizing such a design in a distributed way. In particular, model checking
a single state machine is much more efficient and feasible than verifying a system
of asynchronously interacting machines, which can esily become unfeasible due
to the combinatorial explosion caused by the system’s concurrency.
Example 1. In the machine ensemble in Fig. 2,
– J = {1, 2, 3}
– {Mj}J is the mapping 1 7→M1, 2 7→M2, 3 7→M3.
– ne = 3 (the number of inputs to the environment) and me = 2 (number of
outputs from the environment).
– With an ordering of ports from left to right, the wiring function src is:
• (1, 1) 7→ (3, 1)
• (1, 2) 7→ (e, 1)
• (2, 1) 7→ (3, 3)
• (2, 2) 7→ (e, 2)
• (3, 1) 7→ (1, 1)
• (3, 2) 7→ (e, 1)
• (e, 1) 7→ (3, 1)
• (e, 2) 7→ (3, 2)
• (e, 3) 7→ (2, 1)
Intuitively, we can enclose the typed machines M1, M2, and M3 in the box
with thin lines, hiding the internal details of how the machine ensemble is de-
composed. The single machine resulting in this way from the composition of
machines M1, M2, and M3 is called the synchronous composition of M1, M2,
and M3, according to the given wiring diagram, and can itself be seen as a typed
machine. The general definition is as follows.
Definition 3. Given a synchronous machine ensemble E = (J∪{e}, {Mj}j∈J , E, src),
its synchronous composition is the typed machine
ME = (DEi , S
E , DEo , δE)
where
10
– DEi = D
e
o (the input set of the composed machine is the output set of the
environment)
– DEo = D
e
i (the output set is the input set of the environment)
– SE = (Πj∈JSj)× (Πj∈JDjOF ), where if Djo = Djo1 ×· · ·×Djomj is the output
set of Mj, then D
j
OF is the set D
j
OF = D
j
OF1
× · · · × DjOFmj , where, for
1 ≤ m ≤ mj, DjOFm = Djom if (j,m) = src(l, q) for some l ∈ J , and
DjOFm = 1 otherwise, with 1 = {∗} a one point set. Intuitively, D
j
OF stores
the “feedback outputs” of machine Mj. We then have an obvious “ feedback
output” function
foutj : Djo → DjOF
where for 1 ≤ m ≤ mj, we have pim(foutj(d1, . . . , dmj )) = dm if (j,m) =
src(l, q) for some l ∈ J , and pim(foutj(d1, . . . , dmj )) = ∗ otherwise, with
pim the m-th projection from the Cartesian product D
j
OF . Similarly, for each
k ∈ J we have an obvious input function
ink : Deo ×Πj∈JDjOF → Dki
where for 1 ≤ n ≤ nk, with src(k, n) = (l, q), we have pin(ink(d, {dj}j∈J)) =
if l = e then piq(d) else piq(dl) fi, where piq denotes the q-th projection from
the corresponding Cartesian product.
– The i-o-t function for ME is the function
δE : DEi × SE → SE ×DEo
where for each (d, ({sj}j∈J , {dj}j∈J)) ∈ DEi ×SE we define δE(d, ({sj}j∈J , {dj}j∈J)) =
(({s′j}j∈J , {d′j}),d′), where for each l ∈ J we have
s′l = pi1(δMl(inl(d, {dj}j∈J), sl))
d′l = foutl(pi2(δMl(inl(d, {dj}j∈J), sl)))
and for each 1 ≤ n ≤ ne with src(e, n) = (j′, r)
pin(d′) = pir(pi2(δMj′ (inj′(d, {dj}j∈J), sj′))).
3.3 Environment Constraints.
In our model of the behaviors of a system, we assume a nondeterministic envi-
ronment where there could be some constraints on the values generated by this
environment. In this report, we assume that the environment constraint can be
defined as a predicate
ce : Deo → Bool
so that ce(de1, . . . , d
e
ome
) is true if and only if the environment can generate output
(de1, . . . , d
e
ome
).
11
3.4 The Transition System and the Kripke Structure Associated to
a Machine Ensemble
To each machine ensemble that operates in an environment with a given envi-
ronment constraint, we can associate a transition system defining the behaviors
of the system.
Definition 4. Given a machine ensemble E = (J ∪ {e}, {Mj}j∈J , E, src) with
environment constraint ce, the corresponding transition system is defined as a
pair (SE ×DEi , −→Ece ), where the transition relation −→Ece is defined by
(s, i) −→Ece (s′, i′)
iff a machine ensemble in state s and with input i from the environment has a
transition to state s′, and the environment can generate output i′ in the next
step:
(s, i) −→Ece (s′, i′) ⇐⇒ s′ = pi1(δE(i, s)) ∧ ce(i′).
Let E be a typed machine ensemble with environment constraint ce, AP a
set of atomic propositions, and let L : SE ×DEi → P(AP ) be a labeling function
that assigns to each state (s, i) ∈ SE ×DEi the set L(s, i) of atomic propositions
that hold in (s, i). Then (SE ×DEi , −→Ece , L) is the Kripke structure associated
to (E , ce, L).
Notice that, since the machine ensemble’s output is a function of the machine
state (including content in the feedback loops) and the input from the environ-
ment, we may also define atomic propositions that talk about the output from
the machines. For example, we can define a parametric atomic proposition out,
so that out(v) holds in a state (s, i) if the machine ensemble generates output v
to the environment, can be defined by out(v) ∈ L(s, i) ⇐⇒ v = pi2(δE(i, s)).
4 The PALS Asynchronous Model
This section presents the rewriting logic model of the asynchronous PALS trans-
formation of a synchronous machine ensemble in detail.
Section 4.1 makes explicit some assumptions about clock drifts and compu-
tation and communication times, and defines some constant values. Section 4.2
gives a brief overview of the asynchronous system, and Section 4.3 focuses on the
time line. Sections 4.4 to 4.8 then specify the asynchronous model as a rewrite
theory in Real-Time Maude. Finally, Section 4.9 defines the initial states.
4.1 Some System Assumptions
Time Domain. The type of time (discrete or dense) is a parameter of the
model. It could be N, or R≥0, or Q≥0, for example. (If it is N, we can scale up
things so that one “logical time step” can correspond to many basic steps.) For
simplicity and fullest generality, in what follows we will assume that all is done
in R≥0.
12
Clock Drifts and Clock Synchronization. A basic assumption is that a
clock synchronization algorithm is executing “in the background” and guarantees
a certain bound on the imprecision of the local clocks. We assume an external
clock synchronization; that is, the difference between the time of a local clock
and “real” global time is always strictly less than a given bound .
To reason about clock drift in a general way, we assume a local clock function
cj for each machine Mj that assigns to each global instant r the local clock value
cj(r):
Definition 5. A function c : R≥0 → R≥0 is called an -drift local clock function
if and only if the following conditions are satisfied:
1. c is monotonic and piecewise continuous,
2. ∀x ∈ R≥0, |c(x)− x| < , and
3. ∀x ∈ R≥0, inf{t | c(t) ≥ x} ∈ {t | c(t) ≥ x}.
The assumption of monotonicity is very good to have, particularly to have
a clear idea of when and where to tick the global clock. Synchronization can be
achieved while preserving monotonicity. The idea is the same as when one has
an expensive clock that typically does not allow to be wound backwards. How do
you adjust such a clock to the precise time? Well, if the clock is too fast, then
you can just “stop” your clock and wait until “real” time has caught up with
your clock time. If the clock is slow, then you quickly adjust it forward to the
“real” time. This is an isolated discontinuity which happens only from time to
time. Furthermore, the third condition above ensures that the time at which a
discontinuity of a local clock function c occurs is well-defined. Alternatively, one
can achieve effect of the -drift local clock function c to always be continuous
by increasing the “ticking rate” of the local clock by a small factor whenever
the clock is detected to be slow, and likewise decreasing its “ticking rate” by
a small factor whenever it is detected to be fast. Continuity is preferable for
applications where control of physical parameters is involved; but our results,
although having a slightly simpler formulation for the continous case, do not
require continuity, but only piecewise continuity of the local clocks satisfying
(1)–(3) above.
Execution Times. The shortest, respectively longest, time required for pro-
cessing input, executing a transition, and generating output is supposed to be,
respectively, αmin and αmax.
Network Delays. The point-to-point message transmission time is assumed to
always be greater than or equal to a minimum value µmin ≥ 0, and smaller than
or equal to some maximum time value µmax ≥ µmin.
4.2 The Asynchronous System with Clock Drifts: Overview
The system is made out of a J-indexed family of objects and an environment,
with each object behaving like an “asynchronous typed machine” whose inputs
13
and outputs are received and sent by asynchronous message passing. The system
is supposed to execute in rounds according to “ticks” of a “logical clock.” Let T
denote the time between such “ticks of the logical clock” (or the period of the
logical clock). We often write ti for the time of the ith tick of the logical clock;
i.e., ti = i · T .
Each object j is equipped with two timers:
roundTimer is a timer that should expire at the tick of each logical clock; that
is, at the end of each period.
outputBackoffTimer is a backoff timer used to ensure that output from a ma-
chine is not sent into the network too early.
The actions of each object j can be summarized as follows:
– When roundTimer expires, input from the input buffer is read, a transition is
executed, and the generated output is put in the output buffer. In addition,
this timer is reset to the value T (denoting the period of the “logical clock”).
– When the outputBackoffTimer timer expires, the messages in the output
buffer are sent, provided that they have been generated. If the execution of
the transition generating the outgoing messages is not yet finished when the
timer expires, then the messages are sent when the execution of the transition
is finished. This timer is started and set to dlyout = 2 ·  monus µmin, where
monus is defined by x monus y = max(0, x− y), each time the roundTimer
expires.
4.3 Time-line Analysis
The “time-line analysis” for object j is therefore as follows:
1. At each local logical clock tick (that is, when the local clock cj shows ti),
the object gets the messages from the input buffer, executes the transition,
and puts the output messages in the output buffer. This starts somewhere
in the global time interval (ti − , ti + ] for round i. This process may end
at any global time in the interval (ti − + αmin, ti + + αmax].
2. Since the messages cannot be sent into network before the backoff timer
expires, and before the messages are “ready,” the messages from the output
buffers are therefore sent into the network at a global time that is strictly
greater than max(ti + − µmin, (ti − ) + αmin) and is less than or equal to
max(ti + 3 · − µmin, (ti + ) + αmax).
3. At any global time in the time interval (max(ti + , (ti − ) + αmin +
µmin), max(ti + 3 ·  − µmin, (ti + ) + αmax) + µmax], a message could
arrive at an object, at which time it is entered into the object’s input buffer.
4. When the local clock shows ti+1, the object starts all over from the first
point above.
An overview of this timeline is depicted in Fig. 3. It is worth remarking that
some of the time intervals are right-closed. For example, the “local clock tick” in
14
Fig. 3. PALS timeline.
item (1) above could happen at any time in the global time interval (ti−, ti+]
instead of the right-open interval (ti − , ti + ) that might seem more intuitive,
given that the clock synchronization should ensure a difference that is strictly
smaller than  between the local clock time and global time. However, the “local
tick” could happen at time ti +  as well: At all global times ti + −∆ for small
∆ > 0, the local clock shows ti − ∆/2, and at global time ti +  the local
clock jumps to, say ti + . This scenario satisfies the assumptions on the clock
synchronization, yet the “local logical tick” happens at time ti + . Section 5
gives further explanations on this issue.
Constraints. For this to work, we must ensure that messages generated for
round i+1 should be received sometime in the global time interval (ti+, ti+1−],
which is (ti+, ti+T−]. Therefore, the message arrival interval (max(ti+, (ti−
) + αmin + µmin), max(ti + 3 ·  − µmin, (ti + ) + αmax) + µmax] must be a
subset of (ti + , ti + T − ]. This implies that we must have
15
1. ti +  ≤ (max(ti + , (ti − ) + αmin + µmin), and
2. max(ti + 3 · − µmin, (ti + ) + αmax) + µmax ≤ ti + T − .
(1) holds trivially. (2) implies that
T ≥ µmax + 2 · + max(2 · − µmin, αmax).
4.4 Some Sorts
From here on, we present the formal specification of the asynchronous PALS
system associated to a synchronous machine ensemble with environment con-
straint ce, under the assumptions in Section 4.1, as a rewrite theory in Real-Time
Maude. We start by discussing some sorts used in this specification.
Local States. The state component of a machine j has sort Sj . For convenience,
we add a supersort State of all such states:
sort State . --- supersort of local states
subsorts S1 ... S|J| < State .
It may take some time to compute the next local state of a machine. During
this transition computation time, the local state has the value [s, t], where s is
the next state, and t is the time remaining until the execution of the transition
is finished. Such a term [s, t] is called a delayed state, where the sort DlyState
is defined as follows:
sort DlyState .
subsort State < DlyState .
op [_,_] : State Time -> DlyState [ctor right id: 0] .
Likewise, during the execution of a transition generating the messages for the
next round, these messages are not yet ready to be sent, and hence the output
buffer has the value [msgs, t], which we call a delayed configuration:
sort DlyConfiguration .
subsort Configuration < DlyConfiguration .
op [_,_] : Configuration Time -> DlyConfiguration [ctor] .
The sort Configuration denotes multisets of objects and messages, formed with
an “empty syntax” multiset union operator “__” (juxtaposition) which is de-
clared to be associative (assoc) and commutative (comm) and have identity none
(id: none).
We also introduce a supersort Data of the sorts D1 . . .Dn of the data in the
wires:
16
sort Data .
subsorts D1 ... Dn < Data .
Each object is also assumed to know its local wiring diagram; that is, which
objects and ports are connected to its output ports in the synchronous system.
This knowledge is stored in a data structure called a local wiring, where the sort
LocalWiring is defined as follows:
sort LocalWiring .
op _-->_._ : Nat Oid Nat -> LocalWiring [ctor] .
op noWiring : -> LocalWiring [ctor] .
op _;_ : LocalWiring LocalWiring -> LocalWiring
[ctor assoc comm id: noWiring] .
Here, a connection p --> j. p′ says that the output port p of the current object
is connected to the input port p′ of object j. A local wiring is then a set of such
single connections formed with the associative-commutative union operator _;_
with identity the empty set constant noWiring.
4.5 The Class Declarations
Each machine Mj is translated into an object instance of a subclass C[j] of the
class Machine declared as follows:
class Machine | state : DlyState,
inBuffer : MsgConfiguration,
outBuffer : DlyConfiguration,
roundTimer : Time,
outputBackoffTimer : TimeInf,
clock : Time,
localWiring : LocalWiring .
class C1 .
...
class Ck .
subclass C1 ... Ck < Machine .
Note that several typed machines, say, Mj1 , . . . ,Mjr , can all be of the same type,
and can therefore all belong to the same subclass, i.e., C[j1] = · · · = C[jr]. The
state attribute denotes the local state of the machine. The inBuffer attribute
is the buffer of incoming messages. outBuffer is the output message buffer.
The timers roundTimer and outputBackoffTimer have been explained above.
The clock attribute shows the value of the local clock of the object. Finally,
the localWiring attribute assigns to each output port number the set of input
ports to which this port is connected. However, notice that here a connection
17
is only a reference for asynchronous message passing, and not a real “wired”
connection as in the synchronous model.
We assume that the environment also has input and output buffers, and that
it satisfies the same timing requirement as all the other objects. The environment
is therefore modeled as an object instance of a class Env that is declared as a
subclass of Machine:
class Env .
subclass Env < Machine .
Since we do not explicitly represent the internal “state” of the environment,
the state attribute for the environment is given the constant default value *:
op * : -> State [ctor] .
4.6 Messages
Messages have the general form
to j from j′ (p, d)
where j, j′ ∈ J ∪ {e}, 1 ≤ p ≤ nj , and d ∈ Djip . Therefore, p is the input port of
the intended recipient j, where data d from j′ is to be received.
We also use the dly operator on messages to model the delay of such messages
when they are in transit through the network, as explained in [7].
4.7 The Instantaneous Rewrite Rules
The following actions of the system are modeled by corresponding instantaneous
rewrite rules:
1. Receive an incoming message and put it into the inBuffer.
2. When the roundTimer expires, the inBuffer is emptied, a transition is ap-
plied, and the output is put into the outBuffer. Note that, since performing
a transition takes time, as already mentioned this is manifested by the fact
that the results are “delayed”.
3. When the outputBackoffTimer expires if the generated output is ready to
be sent, then the contents in the output buffer are sent into the network,
with appropriate message delays.
4. Otherwise, as soon as the generated output is ready to be sent after the
outputBackoffTimer has expired (i.e., the outputBackoffTimer has the
infinity value INF, as in the rule outputMsg2 below), then the generated
output is sent into the network.
18
Receive a Message. A message is received by an object and is inserted into
its inBuffer:
vars j j′ : Oid .
var B : MsgConfiguration . --- multiset of messages
var p : Nat .
var d : Data .
var S : State .
rl [receiveMsg] :
(to j from j′ (p, d))
< j : Machine | inBuffer : B, state : S >
=>
< j : Machine | inBuffer : B (to j from j′ (p, d)) > .
Given that S has sort State, this rule can only be applied when a transition is
not executing, i.e., when the state is not “delayed”.
Reading Input and Executing a Transition. When roundTimer expires,
the messages B in the inBuffer are read, and a transition is taken. Since dif-
ferent classes will have different transitions, executing transitions is modeled by
a family of rewrite rules, one for each class C[j]. Notice that the resulting state
and messages are delayed by a value αmin ≤ X-DLY ≤ αmax. In addition, the
roundTimer must be reset to expire at the same time in the next round; i.e., it
must be reset to the round time T , adjusted for possible clock jumps as explained
in Section 5. Likewise, the outputBackoffTimer must be set to 2 · − µmin:
vars X-DLY LT : Time .
var S : Data .
var W : LocalWiring .
crl [applyTrans] :
< j : C[j] | inBuffer : B, roundTimer : 0, state : S,
localWiring : W, clock : LT >
=>
< j : C[j] | inBuffer : none,
state : [pi1(δMj (vect[j](B), S)), X-DLY],
roundTimer : T - adjust(LT, T, 0),
outputBackoffTimer :
(2 ·  monus µmin) monus adjust(LT,T, 0),
outBuffer : [makeMsg(j, W, pi2(δMj (vect[j](B), S))), X-DLY] >
if X-DLY >= αmin and X-DLY <= αmax .
Here, given a complete set B of messages of the form
(to j from j′1(1, d1)) ... (to j from j
′
nj(nj , dnj)) (†)
19
the function vect[j](B) maps B to the vector of inputs (d1, . . . , dnj ). makeMsg is
the obvious (but a bit tedious to spell out in detail) function that looks at the
local wiring diagram W, takes the vector of output data from j, and produces the
set of messages for the machines and environment getting inputs from that wire.
For example, for the system in Fig. 2, makeMsg(3, src, (d1, d2, d3)) produces the
message configuration
(to 1 from 3 (1, d1))
(to e from 3 (1, d1))
(to e from 3 (2, d2))
(to 2 from 3 (3, d3))
Expiration of the outputBackoffTimer. When the outputBackoffTimer ex-
pires, and the messages are already generated (that is, the output buffer matches
MSG MSGS), the messages in the output buffer are sent into the network one by
one, each message with its own nondeterministic delay (NTW-DLY). The timer is
turned off (i.e., set to the infinity value INF) after the last message has been
sent:
var MSGS : Configuration .
var MSG : Msg .
var NTW-DLY : Time .
crl [outputMsg1] :
< j : Machine | outBuffer : MSG MSGS, outputBackoffTimer : 0 >
=>
< j : Machine | outBuffer : MSGS,
outputBackoffTimer :
if MSGS == none then INF else 0 fi >
dly(MSG, NTW-DLY)
if µmin <= NTW-DLY and NTW-DLY <= µmax .
If the execution of the transition and the generation of the outgoing messages
is not finished when the outputBackoffTimer expires (that is, the output buffer
has the form [msgs, t] for t > 0), the timer is just turned off:
var NZT : NzTime .
rl [turnOffOutTimer] :
< j : Machine | outBuffer : [MSGS, NZT], outputBackoffTimer : 0 >
=>
< j : Machine | outputBackoffTimer : INF > .
End of a Transition with Possible Immediate Output. When the exe-
cution of a transition and the generation of outgoing messages is finished, the
“delay” of the generated messages in the output buffer is 0. If, in addition,
20
the outputBackoffTimer has expired (is INF), then the messages in the output
buffer are immediately sent into the network one by one, each message with its
own delay (rule outPutMsg2); otherwise the outgoing messages are kept in the
output buffer, but the delay wrappers on the generated messages disappear (rule
transitionFinished):
crl [outputMsg2] :
< j : Machine | outBuffer : [MSG MSGS, 0],
outputBackoffTimer : INF >
=>
< j : Machine | outBuffer :
if MSGS == none then none else [MSGS, 0] fi >
dly(MSG, NTW-DLY)
if µmin <= NTW-DLY and NTW-DLY <= µmax .
var TI : TimeInf .
rl [transitionFinished] :
< j : Machine | outBuffer : [MSGS, 0], outputBackoffTimer : T >
=>
< j : Machine | outBuffer : MSGS > .
Environment Behavior. Since the environment class Env is a subclass of
Machine, the environment inherits the rules for receiving and sending messages.
The “machine” rules for reading the input buffer and executing a transition
are replaced by one rule that consumes the messages in the input buffer, and
generates the output nondeterministically, but ensuring that the environment
constraint ce is satisfied:
var D1 : Deo1 .
...
var DME : Deome .
crl [consumeInputAndGenerateOutput] :
< e : Env | inBuffer : B, roundTimer : 0, clock : LT, wiring : W >
=>
< e : Env | inBuffer : none,
roundTimer : T - adjust(LT, T, 0),
outputBackoffTimer :
(2 ·  monus µmin) monus adjust(LT,T, 0),
outBuffer : [makeMsg(e,W,(D1, ..., DME)), X-DLY] >
if ce(D1, ..., DME) /\ X-DLY >= αmin and X-DLY <= αmax .
4.8 Time Behavior
This section describes the time behavior of the asynchronous system.
21
State and Tick Rule. The global state of the system has the form {C; t}, where
C is the configuration consisting of the objects and messages in the asynchronous
system, and t is the global time.
The tick rule, advancing the global time in the system, is the following slight
modification of the “usual” tick rule for object-oriented systems [7]:
var C : Configuration .
vars T T’ : Time .
crl [tick] :
{C ; T} => {delta(C, T, T’) ; T + T’} in time T’
if T’ <= mte(C, T) .
Here, delta is the function that defines how the passage of time affects the state,
and mte is the function that defines the smallest time until a timer becomes zero.
These functions are declared in the expected way:
op delta : Configuration Time Time -> Configuration [frozen (1)] .
op mte : Configuration Time -> TimeInf [frozen (1)] .
These functions distribute over the objects and messages in the state in the
expected way, and must be defined for individual objects and messages.
We first define delta: how does time elapse affect the timers? If from time t,
time advances by ∆, then the local clock has advanced from cj(t) to cj(t+∆),
that is, by cj(t+∆)− cj(t), where cj(t) is assumed to be the value T4 given in
the clock attribute:
vars t ∆ T1 T2 T3 T4 T5 : Time .
eq delta(< j : Machine | roundTimer : T1, outputBackoffTimer : TI,
state : [S, T3], clock : T4,
outBuffer : [MSGS, T5] >, t, ∆) =
< j : Machine | roundTimer : T1 monus (cj(t + ∆) - T4),
outputBackoffTimer : TI monus (cj(t + ∆) - T4),
state : [S, T3 monus ∆],
clock : cj(t + ∆),
outBuffer : [MSGS, T5 monus ∆] > .
eq delta(< j : Machine | roundTimer : T1, clock : T4,
outBuffer : none >, t, ∆) =
< j : Machine | roundTimer : T1 monus (cj(t + ∆) - T4),
clock : cj(t + ∆) > .
As for mte, it will be smallest of the mte’s of objects and messages in the
configuration, where the mte of an object is just defined as the smallest time until
one of the two timers become zero, or until the delay on the outgoing messages
in the output buffer reaches 0. This is not a constructive definition, but this
22
just reflects the fact that we do not model the underlying clock synchronization
“constructively”. The assumption of monotonicity of the local clock functions is
crucial to make this definition of mte well defined.
Finally, defining delta and mte on messages is trivial:
eq delta(dly(MSG, T1), T2, T) = dly(MSG, T1 monus T) .
eq mte(dly(MSG, T1), T2) = T1 .
4.9 Initial States
We define the the initial states of the system to start at time t0, defined by
t0 = T − . We do not start at time 0 since:
– local clocks could be less than the global clock;
– transitions are only taken (and hence output produced) when input is avail-
able.
At global times (i · T ) + t0, for all i ∈ N, the state components are undelayed
and consistent, and all the input buffers are full.
What are the “initial” values of the object attributes at time t0?
– The clock attribute of each object is cj(T − ), and we have 0 ≤ T − 2 <
cj(T − ) < T .
– The outputBackoffTimer should be turned off at this time, as all outgoing
messages have been sent.
– The roundTimer, which is supposed to expire at each (local) time i·T should
be initialized to T − cj(t0), where it follows from the above clock values in
the initial state that 0 < T − cj(t0) < 2.
– The state attribute should be an initial state of the expected sort.
– The inBuffers are full of messages.
– The outBuffers should be empty.
– There are no messages in transit in the network.
– The local wiring is constant and maps the ports to the input wires as illus-
trated below.
– The initial input (deo1 , . . . , d
e
ome
) from the environment should satisfy the
environment constraint ce.
In addition, the input buffers should be consistent w.r.t. the src function. That
is, if src(j, l) = src(j′, l′) = (j′′, l′′), then the data value d in the message (to j
from j′′ (l,d)) in the inBuffer of object j must equal the data value d′ in the
message (to j′ from j′′ (l′,d′)) in the inBuffer of object j′.
For example, an initial state corresponding to the synchronous machine in
Fig. 2 could be the following:
{< 1 : C1 | clock : c1(t0), roundTimer : T − c1(t0),
outputBackoffTimer : INF,
inBuffer : (to 1 from 3 (1, d3o1))
23
(to 1 from e (2, deo1)),
outBuffer : none, state : s1,
localWiring : 1 --> 3.1 >
< 2 : C2 | clock : c2(t0), roundTimer : T − c2(t0),
outputBackoffTimer : INF,
inBuffer : (to 2 from 3 (1, d3o3))
(to 2 from e (2, deo2)),
outBuffer : none, state : s2,
localWiring : 1 --> e.3 >
< 3 : C3 | clock : c3(t0), roundTimer : T − c3(t0),
outputBackoffTimer : INF,
inBuffer : (to 3 from 1 (1, d1o1))
(to 3 from e (2, deo1)),
outBuffer : none, state : s3,
localWiring : 1 --> 1.1 ; 1 --> e.1 ;
2 --> e.2 ; 3 --> 2.1 >
< e : Env | clock : ce(t0), roundTimer : T − ce(t0),
outputBackoffTimer : INF,
inBuffer : (to e from 3 (1, d3o1))
(to e from 3 (2, d3o2))
(to e from 2 (3, d2o1)),
outBuffer : none,
localWiring : 1 --> 1.2 ; 1 --> 3.2 ; 2 --> 2.2 >
;
t0 }
for values s1, d1o1 , . . . of appropriate sorts.
5 Consequences of Clock Synchronization
The following, perhaps slightly surprising, facts are two consequences of having
local clock functions that are only piecewise continuous. They do not apply when
the clock functions are continuous.
Fact 1. Although the clock synchronization ensures that the difference between
any local clock and the global time is always strictly less than , it may happen
that a timer that is set to expire at (local) time t expires exactly  time “units”
later; that is, the timer could expire at global time t+ .
Proof. We can have a clock c(t) obeying |c(t) − t| <  and such that it has
a discontinuity at global time 11 but gets arbitrarily close to the value 10 for
t < 11, i.e., lim
t<11, t→11
c(t) = 10. Instead at time 11, the clock jumps to a value
10 < c(11) < 12.
The above fact has a practical consequence in that timer-driven events that
are supposed to happen at (“local”) time T may happen at any global time in
the interval (T − , T + ] (instead of in the right-open interval (T − , T + )).
24
Note that if all clocks are continuous, this behavior is impossible so that a
timer set to expire at local time t must indeed expire within the global time
interval (t− , t+ ).
Fact 2. In the presence of only piecewise continuous clock with maximum drift
strictly less than , a periodic timer of period p reset when the local timer expires
can drift from the ideal time strictly beyond .
Proof. It is sufficient to show a concrete example. Let  = 1, p = 10, and c(0) = 0.
As shown by Fact 1, we can have lim
t<11, t→11
c(t) = 10 but c(11) = 11.9. Then the
timer is reset to 10, and we can have c(21.9) = 22.8. Therefore, the second time
the timer is set, namely at time 21.9, the time has drifted 1.9 time units from
the ideal timer. Note that, by repeating this type of behavior, it is possible for
the timer to drift an arbitrary distance from the ideal timer.
This second fact implies that we must set the timers not to the round time T ,
but must adjust the new timer value to account for the possible “clock jump”.
Fortunately, in our asynchronous model, this “offset” can be computed without
knowing anything except the local clock value, the length of the period, and the
“starting time” of the first period:
Fact 3. It is possible to keep a timer with a local clock c(t) set to expire at
times k · p + τ (with 2 ≤ p) with a drift less than or equal to  from the ideal
timer by resetting it each time it expires, say at time c(t), to the new value
p− adjust(c(t), p, τ), where adjust(c(t), p, τ) = c(t)− ((b(c(t)− τ)/pc ∗ p) + τ).
Therefore, given the current local time t, the round time T , and the start
time of the timer in the first round (τ), the value which should be subtracted
from the new timer value is adjust(t, T, τ).
This need to explicitly incorporate into the model the adjustment for clock
resets when the timers expire is not due to peculiarities with our way of modeling
clock synchronization, but must be done for the system whenever we have a clock
synchronization algorithm that can adjust the clocks in “jumps”. Of course, if
the clock functions are not only monotonic but also continuous (and not just
piecewise continuous), this adjustment is not needed, because no such “jumps”
can occur.
6 Correctness of the PALS Transformation
Given a typed machine ensemble E with associated environment constraint ce,
and values αmin, αmax, µmin, µmax, T, , and a vector c of -drift clock functions,
we have defined in Section 4 its asynchronous PALS transformation
A(Ece , αmin, αmax, µmin, µmax, T, , c) as an object-oriented Real-Time Maude
model. This section establishes a precise relationship between the synchronous
composition ME of the ensemble E defined in Section 3 and the asynchronous
model A(Ece , αmin, αmax, µmin, µmax, T, , c).
25
Notation. When the various parameters of the PALS transformation are im-
plicit, we sometimes write A(E) for A(Ece , αmin, αmax, µmin, µmax, T, , c).
Each synchronous transition step in the synchronous composition ME cor-
responds to multiple rewrite steps in A(E). The key idea is to define “larger”
transition steps that consist of multiple rewrite steps in A(E), so that each of
these large transitions corresponds to a single transition step in ME .
Definition 6. A state {C;t} in A(E) is called stable iff
– all input buffers in C are full,
– all output buffers are empty (none), and
– there are no messages “in transit” in C.
Intuitively, a stable state corresponds to a state (s, i) in ME , and a sequence
of rewrite steps between two stable states corresponds to a transition in ME .
However, due to time ticks, there could be a rewrite sequence from one sta-
ble state to another (very similar) stable state that does not correspond to a
transition in ME .
6.1 The Transition System of Stable Configurations
Definition 7. A behavior in A(E) is a sequence
{C0 ; t0} −→ {C1 ; t1} −→ {C2 ; t2} −→ · · ·
of rewrite steps in A(E), where {C0 ; t0} is an initial state of the form described
in Section 4.9.
Definition 8. Let Stable(A(E)) denote both the set of states and the transition
system whose states are the stable states of A(E), and where the transitions,
denoted
{C ; t} −→st {C ′ ; t′}
are defined as follows: {C; t} −→st {C ′; t′} iff there exists a behavior of A(E)
of the form
{C0 ; t0} −→ {C1 ; t1} −→ · · · −→ {Cn ; tn} −→ {Cn+1 ; tn+1} −→ · · ·
and numbers k, k′ with k < k′ such that
– C = Ck and C ′ = Ck′ are stable configurations, t = tk and t′ = tk′ , and
– {Ck ; tk} −→ {Ck+1 ; tk+1} −→ · · · −→ {Ck′ ; tk′} is a subsequence of
rewrites in such a behavior such that
• the sequence contains at least one application of an instantaneous rewrite
rule, and
• if Cj is not a stable state, for k < j < k′, then there is no j < l < k′
such that Cl is a stable state.
26
6.2 Relating the Synchronous and the Asynchronous Models
In this section we prove that Stable(A(E)) and ME are bisimilar by first relating
stable states to states in the synchronous ensemble composition, and then by
showing that each synchronous transition has a corresponding stable transition,
and vice versa.
The relation between a stable state and the corresponding state in the syn-
chronous composition is fairly obvious:
Definition 9. Let
sync : Stable(A(E)) → SE ×DEi
be a function that maps each stable state of the asynchronous model to the cor-
responding state of the synchronous system as follows:
– The local state of each object j, given in the object’s state attribute, deter-
mines the local state in Mj. This is well defined, since in a stable state, the
state attribute does not have a “delayed” value.
– The messages in the input buffers determine the state of the environment
input and feedback wires using the functions foutj , j ∈ J defined in Defini-
tion 3 of Section 3.
More precisely, sync({C; t}) is defined to be the tuple
(((s1, . . . , sj), ((d1o1 , . . . , d
1
om1
), . . . , (djo1 , . . . , d
j
omj
))), (deo1 , . . . , d
e
ome
))
where:
– the state attribute of the object i has the value si in C,
– dik (for i 6= e) equals ∗ iff for all “connections” of the form k --> o.p (for
the given k) in the localWiring attribute of object i in C, the object o is
the identifier of the environment object of class Env, and
– otherwise, dik, for i ∈ J ∪ {e}, equals the value d in a message
to l from i (p, d)
in the inBuffer of object l in C for some l, p for which the localWiring
attribute of object i contains a connection k -->l .p.
The requirement that the messages in the inBuffers in the initial states are
“wiring consistent” (see Section 4.9) ensures that sync is well-defined for all
reachable stable states.
Example 2. Let t0 be the initial state given in Section 4.9. Then sync(t0) is the
machine ensemble in Fig. 2, where the internal state of machine Mi is si, where
the value in the feedback wire from M1 to M3 is d1o1 , and so on. That is, sync(to)
is the tuple
(((s1, s2, s3), (d1o1 , ∗, (d3o1 , ∗, d3o3))), (deo1 , deo2)).
27
The main result we want is the following:
Theorem 1. sync defines a bisimulation between the transition systems Stable(A(E))
and (SME ×DEi ,−→ME ).
Proof. We need to prove:
1. If (s, i) −→ME (s′, i′), then, for each stable state c such that sync(c) =
(s, i), there must exist a transition c −→st c′ of stable states c, c′ such that
sync(c′) = (s′, i′).
2. If c −→st c′, then it must be the case that sync(c) −→ME sync(c′).
These two properties are proved as, respectively, Lemmas 9 and 8. 2
Furthermore, a CTL∗ formula holds in the associated Kripke structure (SE×
DEi ,−→ME , L) if and only if the formula holds in the corresponding Kripke struc-
ture (Stable(A(E)),−→st, sync;L) associated with Stable(A(E)):
Theorem 2. For any formula φ ∈ CTL∗(AP ) and for any stable initial config-
uration {C0; t0} of the form described in Section 4.9, we have
(Stable(A(E)),−→st, (sync;L)), {C0 ; t0} |= φ
m
(SE ×DEi ,−→ME , L), sync({C0 ; t0}) |= φ.
Proof. The function sync defines not only a bisimulation between transition sys-
tems, but also one between the Kripke structures (Stable(A(E)),−→st, sync;L)
and (SE × DEi ,−→ME , L), since if sync({C ; t}) = s, then {C ; t} and s sat-
isfy the same atomic propositions in their respective Kripke structures, since
(sync;L)({C ; t}) = L(sync({C ; t})) = L(s). It is well-known that bisimilar
structures satisfy the same CTL∗ formulas (see, e.g., [2]). 2
7 Lemmas for the Bisimulation Theorem
Lemma 1. Let a timer in an object have value q at time t0. Then, the timer
expires at some global time in the interval (q + c(t0)− , q + c(t0) + ] for c the
local -drift clock function of the object.
Proof. Some helpful lemmas, such as that the effect of two applications of the
function delta equals one delta application for the sum of the time advances,
etc., are proved below.
At global time t, the timer has the value q monus (c(t)− c(t0)) if everything
is done using one application of the delta function, which we will argue below
in Lemma 2 can be assumed. The timer will expire the first time that the above
value reaches 0. This happens at the first global time t1 when c(t1)− c(t0) ≥ q,
which is the same as c(t1) ≥ q + c(t0). This may happen at time t1 either when
1. c(t1) = q + c(t0), or when
28
2. c(t1) > q + c(t0) and there is no t′ < t1 such that the timer expires at time
t′.
Let us consider case (1) first. By definition of drift functions, t1 is in the
global time interval (c(t1) − , c(t1) + ), which in case (1) equals the interval
(q + c(t0)− , q + c(t0) + ), which is inside the interval in the theorem.
Let us now consider case (2). Now, c(t1) > q + c(t0), and hence we have
c(t1)−  > q + c(t0)− . In addition, due to the assumption of -drift functions,
we have t1 > c(t1) − . Together, these last inequalities give t1 > c(t1) −  >
q + c(t0) − , which proves the lower bound in the interval in the theorem.
Furthermore, t1 cannot be greater than q+c(t0)+, because at time q+c(t0)+,
the clock must be at least q+ c(t0) and the timer would expire then. This proves
the upper bound. 2
In the above proof, we reasoned about the expiration of a timer given that
the tick rule and the delta function are only applied once. We notice that the
timer value is only changed by either the tick rule, or when the timer expires.
The following shows that we can contract multiple tick steps into one for the
sake of reasoning about timers:
Lemma 2. For any object in state o, we have
delta(delta(o, t0, ∆), t0 +∆,∆′) = delta(o, t0, ∆+∆′)
for any time values t0, ∆,∆′.
Proof. The proof of this lemma follows directly from the equations defining the
semantics of the delta function in Section 4.8. Mathematically, this just follows
from the general fact that those equations imply that delta is an action on
the additive monoid of time (R≥0,+, 0) over the configurations of objects and
messages. The details are left to the reader. 2
Lemma 3. The roundTimer for each object expires somewhere in the global
time interval (i · T − , i · T + ] for all i ∈ N, from any initial state of the form
assumed in Section 4.9.
Proof. In the initial state, the value of roundTimer for object j is T − cj(T − ),
and the local clock is cj(T − ). It follows directly from Lemma 1 that the timer
expires somewhere in the global time interval (T−, T+]. In addition, it follows
trivially that the local clock is greater than or equal to T .
Assume that at the time when the roundTimer first expires, the local clock
is T +∆ for some 2 > ∆ ≥ 0 (where ∆ will be strictly greater than 0 only if the
timer expired in a “clock jump”). In the rules applyTrans, the roundTimer is
reset to T −((T +∆)−bT+∆T c·T ), which equals T −∆, since T is greater than 2
according to our constraints. The sum of the local clock and the newly set timer
is therefore 2 · T , and the timer will therefore expire the next time sometime in
the global time interval (2T − , 2T + ] according to Lemma 1. This reasoning
can be replicated for any round i. 2
29
Lemma 4. The outputBackoffTimer of each object in states reachable from
the initial states of the given form expires somewhere in the global time interval
((i · T ) + (2 monus µmin)− , (i · T ) + (2 monus µmin) + ] for each i ∈ N with
i ≥ 1.
Proof. In the initial state, the outputBackoffTimers are turned off. This timer
is set in the rule applyTrans and, for the environment, rule consumeInputAnd-
GenerateOutput, when the roundTimer expires. According to the proof of Lemma 3,
the local clock is T + ∆ the first time this happens (for ∆ as described in the
above proof of Lemma 3). In these rules, the outputBackoffTimer is set to
(2 monus µmin) monus ∆. We need to consider three cases: (1) 2 ≤ µmin, (2)
2 > µmin and (2 − µmin) < ∆, and (3) 2 > µmin and (2 − µmin) ≥ ∆.
In case (1), the outputBackoffTimer expires when it is set, which accord-
ing to Lemma 3 takes place in the global time interval (i · T − , i · T + ],
which equals the time interval in Lemma 4 when 2 ≤ µmin. In case (2), the
outputBackoffTimer is also set to 0, but the desired time interval in Lemma 4
is now ((i ·T ) + (2−µmin)− , (i ·T ) + (2−µmin) + ]. According to Lemma 1,
the timer can expire no earlier than at time T + ∆ − , which is later than
or equal to the lower bound T + (2 − µmin) −  in Lemma 4, since case (2)
assumes (2 − µmin) < ∆. The upper bound T + (2 − µmin) +  follows from
Lemma 3, since the timer expires at latest at time T + , and we have as-
sumed that in case (2) that (2 − µmin) > 0. Finally, for case (3), the local
clock of the object under consideration is T +∆, and the outputBackoffTimer
is set to (2 − µmin) − ∆ ≥ 0. It then follows from Lemma 1 that this local
outputBackoffTimer expires for the first time somewhere in the global time
interval (T + (2− µmin)− , T + (2− µmin) + ]. Again, this reasoning can be
replicated for any round i. 2
Remark. The above lemmas should be read as safety and not as liveness
guarantees. That is, if time advances at all that far, then the timers expire in
the given intervals.
Lemma 5. Messages are sent from the output buffers in the global time interval
(iT −  + max(2 − µmin, αmin), iT +  + max(2 − µmin, αmax)] during round
each round i ≥ 1.
Proof. Messages are only generated into the output buffers when the roundTimers
expire. Then, the outputBackoffTimers are set, and expire within the time in-
tervals given in Lemma 4. At the same time (that is, when the roundTimer
expires), the execution delay is set to somewhere between αmin and αmax. Mes-
sages are only sent when the output backoff timer has expired and when the
execution delay has elapsed. Furthermore, we see that the backoff timer is only
turned off when it has expired (that is, when it has value 0). From Lemma 4, the
backoff timer expires strictly later than global time iT −  + (2 monus µmin);
furthermore, since the roundTimer expires strictly later than global time iT − ,
the execution delay ends strictly later than at global time iT −  + αmin, to-
gether giving the lower bound in the lemma, since max(2 monus µmin, αmax) =
max(2− µmin, αmax) since αmax ≥ 0.
30
As for the upper bound, the roundTimer expires at latest at time iT + , and
hence the messages are ready to be sent at latest at global time iT + + αmax.
Likewise, the latest time the backoff expires is at time iT + + (2 monus µmin),
together giving the upper bound. 2
We continue our timeline proof by showing that the messages generated in
round i are received at the appropriate times:
Lemma 6. The messages sent into the configuration in round i will be received
at times within the global time interval (i · T + , (i+ 1) · T − ].
Proof. As seen in Lemma 5, each message is sent out in round i somewhere in
the global time interval (iT −+max(2−µmin), iT ++max(2−µmin, αmax)],
and is given a delay between µmin and µmax. We see that the remaining delay
of a message decreases by the same amount that global time advances, and
that mte(m) = 0 for an undelayed message (which by the identity attribute
of the message delay operator is the same as a message with delay 0) implies
that the message must be received when its delay reaches 0 “for the first time.”
Therefore, each of these messages is created in the interval (iT −  + max(2 −
µmin, αmin), iT +  + max(2 − µmin, αmax)] and is received at some time in
the global interval (iT −  + max(2 − µmin, αmin) + µmin, iT +  + max(2 −
µmin, αmax) + µmax].
To prove the lemma, we must therefore show
1. (i · T ) +  ≤ iT − + max(2− µmin, αmin) + µmin and
2. iT + + max(2− µmin, αmax) + µmax ≤ ((i+ 1) · T )− .
Requirement (1) follows by arithmetic. The upper time limit requirement (2)
reduces to proving + max(2−µmin, αmax) +µmax ≤ T − , which follows from
the global requirement that T ≥ µmax + 2+ max(2− µmin, αmax). 2
These theorems, together with a trivial inspection of the rules and the well-
known timed behavior, together prove the time line described in Section 4.3:
Lemma 7. For all (time diverging [6]) behaviors from the given initial states,
the behaviors have the following time line for all i ∈ N:
– at times in the global time interval (iT − , iT + ] the roundTimers ex-
pire, all input buffers are read, and the transitions corresponding to those
in the synchronous system are applied. The resulting states and output mes-
sages (stored in the output buffers) are undelayed no later than at global
time iT +  + α, and the backoff timer expires at latest at time iT +  +
(2 monus µmin), ensuring that all these messages are sent to the global con-
figuration in the global time interval (iT −  + max(2 − µmin, αmin), iT +
+ max(2−µmin, αmax)]; furthermore, also the messages generated nonde-
terministically by the environment are sent into the global configuration in
this interval;
31
– these messages are received at times within the global time interval (i · T +
, (i + 1) · T − ], ensuring that all messages are received and stored in the
respective input buffers before or at global time (i+ 1) · T − ;
– a new round therefore begins at times in the global time interval ((i + 1) ·
T − , (i+ 1) ·T + ]: the roundTimers expire, all input buffers are read, and
the transitions corresponding to those in the synchronous system are applied,
and so on. 2
The above lemma defines the behaviors from the given initial states, and are
crucial in the proof of the following:
Lemma 8. Let {C ; t} −→st {C ′ ; t′} be a transition in Stable(A(E)) for a
machine ensemble E. Then there is a transition (s, i) −→ME (s′, i′) such that
sync({C ; t}) = (s, i) and sync({C ′ ; t′}) = (s′, i′).
Proof. (Sketch) Since C is a stable configuration, all its input buffers are full, all
the output buffers are empty, and there are no (delayed or undelayed) messages in
C outside of these buffers. In addition, the backoff timers are turned off. It is easy
to see by inspecting the rules that only the tick rule, the rule applyTrans, or the
rule consumeInputAndGenerateOutput can be applied. Repeated applications of
the tick rule leave us in stable states, until eventually the roundTimers start ex-
piring. At these times, the rules applyTrans and consumeInputAndGenerateOutput
generates new messages and delayed states, and by the above time line, all these
messages will reach the input buffers before the roundTimers expire, hence we
have reached a new stable state C ′ when all input buffers are full, but before
transitions for the “next” round are applied.
The above reasoning shows that from a stable state {C ; t} we can always
reach another stable state {C ′ ; t′} by a transition {C ; t} −→st {C ′ ; t′}.
Now, we must show that such a stable transition {C ; t} −→st {C ′ ; t′}
actually corresponds to a transition synch({C ; t}) −→ME synch({C ′ ; t′}) in
ME . In particular, assume that synch({C; t} = ((s, (d1, . . . ,d|J|)), e) and that
synch({C ′; t′}) = ((s′, ((d1)′, . . . , (d|J|)′)), e′). Then, we must prove that
((s, (d1, . . . ,d|J|)), e) −→E ((s′, ((d1)′, . . . , (d|J|)′)), e′); that is,
1. (s′, ((d1)′, . . . , (d|J|)′)) = pi1(δE((s, (d1, . . . ,d|J|)), e)), and
2. ce(e′).
The second requirement is immediate, as the rule consumeInputAndGenerateOutput
only generates input from the environment that satisfies ce.
For the first requirement, we must therefore prove that pi1(δE(e, pi1(synch({C ; t}))))
is equal to pi1(synch({C ′ ; t′})).
Consider δE(e, pi1(synch({C ; t}))). After this (synchronous) transition has
been taken, the resulting “internal” state s′l in machine l is given by
s′l = pi1(δMl(inl(e, pi2(pi1(synch({C ; t})))), sl))
for sl the current internal state of machine l (this sl can be extracted from
synch({C ; t})). The kth element in inl(d, pi2(pi1(synch({C ; t})))) is defined to
32
be di if src(l, k) = (e, i), and is the defined to be the ith element of the jth
component of pi2(pi1(synch({C ; t}))) if src(l, k) = (j, i). By Definition 9, this
latter element equals the data v in the message (to l from j (k,v)) in the
outBuffer of object j in C.
Now, consider the rule applyTrans for object l for the messages in C and
those created by the environment. After applying the rule, the resulting state
attribute will be pi1(δMl(vect[l](B), sl)) (after the delay on the result has dis-
appeared). By definition, the kth element of vect[l](B) has the value v if the
object just read a message (to l from j′ (k,v)) from its input buffer. This
means that the message must also have been in j′’s outBuffer in C, and is only
sent to l if src(l, k) = (j′, r) for some r. By assumption, src(l, k) = (j, i), hence
this message is the same as the above, as we assume consistent messages in the
output buffers (the function makeMsg is not further defined).
We have now shown that the resulting states in C ′ and δE(e, pi1(synch({C ; t})))
are the same.
It is equally straight-forward, although somewhat tedious, to prove that the
values in the resulting feedback wires correspond to the generated messages in
the round. 2
Lemma 9. Let ((s, (d1, . . . ,d|J|)), e) −→E ((s′, ((d1)′, . . . , (d|J|)′)), e′) be
a transition in ME for a machine ensemble E. Then, for all {C ; t} such that
synch({C ; t}) = ((s, (d1, . . . ,d|J|)), e), there exists a {C ′ ; t′} such that
synch({C ′ ; t′}) = ((s′, ((d1)′, . . . , (d|J|)′)), e′) and {C ; t} −→st {C ′ ; t′}.
Proof. (Sketch) The new environment output e′ can be generated by the en-
vironment object as long as it as valid output. For any stable state C whose
feedback wire states and internal states define (s, (d1, . . . ,d|J|)), the time-line
reasoning then implies that these messages will all be read in the correct time
interval, and the next feedback states will be generated. The remaining details
are left to the reader. 2
8 Optimality Results
This section shows that the period T = 2+µmax+ max(αmax, 2−µmin) is the
smallest possible for PALS.
Proposition 1. Assume that each object reads its input buffer at its local time
t0, and at that time starts performing a transition and generating new messages.
To ensure that all such generated messages are read by all other objects at or
before their local times t0 + T , we must have
T ≥ 2+ µmax + αmax.
Proof. Assume for a proof by contradiction that T is strictly smaller than 2+
µmax + αmax. Then, T = 2+ µmax + αmax −∆ for some ∆ > 0. Furthermore,
let k be a number k ≥ 3 such that ∆ < k · .
33
Now, assume two objects with local clocks c1 and c2 such that c1(t0+−∆k ) =
t0 and c2(t0+T −+ ∆k ) = t0+T . That is, at global time t0+− ∆k , the object 1
generates messages that should arrive no later than at global time t0+T −+ ∆k ,
when object 2 reads messages for the next round. However, it is easy to see that,
in the worst case (longest execution time and network delay), the messages from
object 1 arrive at global time t0+−∆k +µmax+αmax, which is strictly later than
global time t0 + T − + ∆k = t0 + + µmax + αmax − (k−1)∆k , since (k−1)∆k > ∆k
for k ≥ 3, so that object 2 misses the messages sent from object 1.
Proposition 1 proves optimality of T when αmax ≥ 2 − µmin. For the con-
verse, and highly unlikely, case where 2− µmin > αmax, it is harder to claim a
“general” optimality result. PALS uses a backoff timer to avoid that messages
arrive too early. One could imagine variations of PALS where there were no such
backoff timers are used, but where messages are instead equipped with, e.g., se-
quence numbers denoting the round in which they were generated. In such cases,
a backoff timer would not be needed, and T ≥ 2 + µmax + αmax might suffice
as a smallest period.
However, if we want to ensure that each message arrives in the right round
by using backoff timers, then the backoff timers must be set to at least 2−µmin:
Proposition 2. To ensure that a message generated in round i (i.e., at local
time i ·T ) does not arrive too early (i.e., is read by another object at that object’s
local time i ·T ), the message must not be sent before local time i ·T + 2−µmin.
Proof. Assume that object 1 sends a message to object 2 before local time i ·T +
2− µmin. That is, it sends the messages at its local time i · T + 2− µmin −∆
for some ∆ > 0. Again, we let k ≥ 3 be some number such that ∆ < k · .
Furthermore, suppose that c1(i · T + 2 −  + ∆k − µmin − ∆) = i · T +
2 − µmin − ∆. That is, the messages from object 1 are sent at global time
i · T + 2 −  + ∆k − µmin −∆. With the smallest possible network delay, these
messages may arrive at global time i ·T +− (k−1)∆k , whereas it could be the case
that c2(i · T + − ∆k ) = i · T , and, therefore, object 2 would read the messages
from object 1 one round too early.
The optimality of the period follows immediately:
Proposition 3. If each message for round i+ 1 is sent no earlier than at local
time i · T + 2− µmin, then we must have
T ≥ 4+ µmax − µmin
to ensure that each object has received these messages at its local time i ·T +T .
Proof. Assume for a counterexample that T = 4+ µmax − µmin −∆ for ∆ > 0
with ∆ < k ·  for some k ≥ 3.
Let us assume two objects with local clocks c1 and c2, where c1(i · T + 2−
µmin + (− ∆k )) = i ·T + 2−µmin. That is, object 1 does not send its messages
34
for round i + 1 earlier than at global time i · T + 2 − µmin + ( − ∆k ). In the
worst case, these messages arrive at global time i · T + 3 − µmin + µmax − ∆k .
However, it could well be the case that c2(i ·T +T − + ∆k ) = i ·T +T . That is,
the messages arriving at time i · T + 3−µmin +µmax− ∆k arrive later than the
global time i · T + T − + ∆k = i · T + 3+ µmax − µmin − (k−1)∆k when object 2
reads its messages for round i+ 1.
9 Conclusions
This work has presented a formal mathematical model of, and formal require-
ments for legal instances of, the generic PALS architectural pattern for obtaining
correct-by-construction real-time systems. Based on the PALS formal model, we
have given proofs of correctness of PALS, and of optimality of the PALS period.
We have also given formal executable specifications of the wrappers used to build
PALS as a collection of wrapped abstract machines communicating through mes-
sage passing. This latter, executable aspect is of practical importance as a basis
on which correct-by-construction PALS implementations could be developed by
code generation, or, more precisely, by code “weaving.”
We believe that PALS as a complexity-reducing formalized architectural pat-
tern can greatly increase system quality and can greatly reduce the cost of design,
implementation, and verification of distributed avionic systems; and also the cost
of certifying highly critical systems of this kind.
This work should be seen as a contribution to the broader joint effort with our
colleagues at Rockwell-Collins and at UIUC to advance all aspects of the PALS
architecture; in this regard, the main contribution here is to the mathematical
foundations of PALS as a formal architectural pattern with strong correctness
guarantees. We refer to [5] for a broader discussion of PALS and its applications,
and also for a discussion of other research related to PALS. Here we give only
some comments on one such related work, namely, the work by Tripakis et al.
[9], because it has also a formal model with which we can make some compar-
isons. That work deals also, as ours, with the problem of mapping a synchronous
architecture consisting of a synchronous interconnection of state machines to an
asynchronous architecture. In their case, this is a loosely timed triggered archi-
tecture, where processes communicate asynchronously and have local clocks that
can advance at different rates and where no clock synchronization is assumed.
This mapping is achieved through an intermediate translation into a Kahn-like
dataflow network. The main result in [9] is the preservation of streams and
therefore the correctness of the asynchronous architecture’s implementation of
the original synchronous sytem. In some sense their result shows the robustness
of their mapping, since correctness is achieved in spite of unpredictable commu-
nication delays and highly different clock rates in the different processes. The
main differences with this work, and with the PALS idea more generally, is that,
due to the quite minimal assumptions made on their asynchronous dataflow
model, it does not seem possible to give hard real time bounds for the behavior
of the asynchronous system realization; and it seems also problematic to deal
35
with the freshness of environment data coming from sensors that must be re-
sponded to within specific time bounds. Because our concern is with systems,
such as avionics ones, whose distributed implementation must satisfy hard real-
time constraints just as stringent as those of the original synchronous systems
they implement, the model in [9], while very useful and flexible for correctness
purposes, does not seem to meet the real-time needs of such systems.
References
1. A. Al-Nayeem, M. Sun, X. Qiu, L. Sha, S. P. Miller, and D. D. Cofer. A formal
architecture pattern for real-time distributed systems. In Proc. IEEE Real Time
Systems Symposium. IEEE, 2009. To appear.
2. E. Clarke, O. Grumberg, and D. A. Peled. Model Checking. MIT Press, 1999.
3. M. Clavel, F. Dura´n, S. Eker, P. Lincoln, N. Mart-Oliet, J. Meseguer, and C. Talcott.
All About Maude - A High-Performance Logical Framework, volume 4350 of Lecture
Notes in Computer Science. Springer, 2007.
4. J. Meseguer. Conditional rewriting logic as a unified model of concurrency. Theo-
retical Computer Science, 96:73–155, 1992.
5. S.P. Miller, D. Cofer, L. Sha, J. Meseguer, and A. Al-Nayeem. Implementing logical
synchrony in integrated modular avionics. In Proc. 28th Digital Avionics Systems
Conference. IEEE, 2009.
6. P. C. O¨lveczky and J. Meseguer. Abstraction and completeness for Real-Time
Maude. Electronic Notes in Theoretical Computer Science, 176(4):5–27, 2007.
7. P. C. O¨lveczky and J. Meseguer. Semantics and pragmatics of Real-Time Maude.
Higher-Order and Symbolic Computation, 20(1-2):161–196, 2007.
8. L. Sha, A. Al-Nayeem, M. Sun, J. Meseguer, and P. C. O¨lveczky. PALS: Physically
asynchronous logically synchronous systems. Technical report, University of Illinois
at Urbana-Champaign, 2009. Available at http://hdl.handle.net/2142/11897.
9. S. Tripakis, C. Pinello, A. Benveniste, A. Sangiovanni-Vincentelli, P. Caspi, and
M. DiNatale. Implementing synchronous models on loosely time triggered architec-
tures. IEEE Trans. on Computers, 1, 2008.
