Composing Families of Timed Automata by Cledou, Guillermina et al.
Composing Families of Timed Automata
Guillermina Cledou?, José Proença??, and Luis Barbosa? ? ?
HASLab INESCTEC and Universidade do Minho, Portugal
mgc@inesctec.pt, {jose.proenca,lsb}@di.uminho.pt
Abstract. Featured Timed Automata (FTA) is a formalism that en-
ables the verification of an entire Software Product Line (SPL), by cap-
turing its behavior in a single model instead of product-by-product. How-
ever, it disregards compositional aspects inherent to SPL development.
This paper introduces Interface FTA (IFTA), which extends FTA with
variable interfaces that restrict the way automata can be composed, and
with support for transitions with atomic multiple actions, simplifying
the design. To support modular composition, a set of Reo connectors are
modelled as IFTA. This separation of concerns increases reusability of
functionality across products, and simplifies modelling, maintainability,
and extension of SPLs. We show how IFTA can be easily translated into
FTA and into networks of Timed Automata supported by UPPAAL. We
illustrate this with a case study from the electronic government domain.
Keywords: Software Product Lines; Featured Timed Automata; Com-
positionality
1 Introduction
Software product lines (SPLs) enable the definition of families of systems where
all members share a high percentage of common features while they differ in
others. Among several formalisms developed to support SPLs, Featured Timed
Automata (FTA) [1] model families of real-time systems in a single model. This
enables the verification of the entire SPL instead of product-by-product. How-
ever, FTA still need more modular and compositional techniques well suited to
SPL-based development.
To address this issue, this paper proposes Interface FTA (IFTA), a mecha-
nism enriching FTA with (1) interfaces that restrict the way multiple automata
interact, and (2) transitions labelled with multiple actions that simplify the de-
sign. Interfaces are synchronisation actions that can be linked with interfaces
? Supported by the European Regional Development Fund (ERDF) through the Oper-
ational Programme for Competitiveness and Internationalisation (COMPETE 2020),
and by National Funds through the Portuguese funding agency, FCT, within project
POCI-01-0145-FEDER-016826 and FCT grant PD/BD/52238/2013.
?? Supported by FCT under grant SFRH/BPD/91908/2012.
? ? ? Supported by Programa Operacional da Região Norte, NORTE2020, within project
NORTE-01-0145-FEDER-000037 ( SmartEGOV)
from other automata when composing automata in parallel. IFTA can be com-
posed by combining their feature models and linking interfaces, imposing new
restrictions over them. The resulting IFTA can be exported to the UPPAAL
real-time model checker to verify temporal properties, using either a network of
parallel automata in UPPAAL, or by flattening the composed automata into a
single one. The latter is better suited for IFTA with many multiple actions.
We illustrate the applicability of IFTA with a case study from the electronic
government (e-government) domain, in particular, a family of licensing services.
This services are present in most local governments, who are responsible for
assessing requests and issuing licenses of various types. E.g., for providing public
transport services, driving, construction, etc. Such services comprise a number
of common functionality while they differ in a number of features, mostly due
to specific local regulations.
The rest of this paper is structured as follows. Section 2 presents some back-
ground on FTA. Section 3 introduces IFTA. Section 4 presents a set of Reo
connectors modeled as IFTA. Section 5 discusses a prototype tool to specify and
manipulate IFTA. Section 6 presents the case study. Section 7 discusses related
work, and Section 8 concludes.
2 Featured Timed Automata
This work builds on top of Featured Timed Automata (FTA) an extension to
Timed Automata, introduced by Cordy et al. [1] to verify real-time systems pa-
rameterised by a variability model. This section provides an overview of FTA
and their semantics, based on Cordy et al..
Informally, a Featured Timed Automaton is an automaton whose edges are
enriched with clocks, clock constraints (CC), synchronisation actions, and feature
expressions (FE). A clock c ∈ C is a logical entity that captures the (continuous
and dense) time that has passed since it was last reset. When a timed automaton
evolves over time, all clocks are incremented simultaneously. A clock constraint
is a logic condition over the value of a clock. A synchronisation action a ∈ A is
used to coordinate automata in parallel; an edge with an action a can only be
taken when its dual action in a neighbor automaton is also on an edge that can be
taken simultaneously. Finally, a feature expression (FE) is a logical constraint
over a set of features. Each of these features denotes a unit of variability; by
selecting a desired combination of features one can map an FTA into a Timed
Automaton.
Figure 1 exemplifies a simple FTA with 2 locations, `0 and `1, with a clock
c and 2 features cf and mk, standing for the support for brewing coffee and for
including milk in the coffee. Initially the automaton is in location `0, and it can
evolve either by waiting for time to pass (growing the clock c) or by taking one of
its 2 transitions to `1. The top transition, for example, is labelled by the action
coffee and is only active when the feature cf is present. Taking this transition
triggers the reset of the clock c back to 0, evolving to the state `1. Here it can
again wait for the time to pass, but for at most 5 time units, determined by the
`0 `1 c ≤ 5
cappuccino
cf ∧mk, c := 0
coffee
cf , c := 0
brew
c ≥ 2
[ fm = mk → cf ]
Fig. 1: Example of a Featured Timed Automata over the features cf and mk.
invariant c ≤ 5 in `1. The transition labelled with brew has a different guard:
a clock constraint c ≥ 2 that allows this transition to be taken only when the
clock c is greater than 2. Finally, the lower expression [ fm = mk → cf ] defines
the feature model. I.e., how the features relate to each other. In this case the mk
feature can only be selected when the cf feature is also selected.
We now formalize clock constraints, feature expressions, and the definition
of FTA and its semantics.
Definition 1 (Clock Constraints (CC), valuation, and satisfaction). A
clock constraint over a set of clocks C, written g ∈ CC(C) is defined as follows
g ::= c < n | c ≤ n | c > n | c ≥ n | g ∧ g | > (clock constraint)
where c ∈ C, and n ∈ N.
A clock valuation η for a set of clocks C is a function η : C → R≥0 that
assigns each clock c ∈ C to its current value ηc. We use RC to refer to the set
of all clock valuations over a set of clocks C. Let η0(c) = 0 for all c ∈ C be the
initial clock valuation that sets to 0 all clocks in C. We use η + d, d ∈ R≥0, to
denote the clock assignment that maps all c ∈ C to η(c) + d, and let [r 7→ 0]η,
r ⊆ C, be the clock assignment that maps all clocks in r to 0 and agrees with η
for all other clocks in C \ r.
The satisfaction of a clock constraint g by a clock valuation η, written η |= g,
is defined as follows
η |= > always
η |= c n if η(c)  n
η |= g1 ∧ g2 if η |= g1 ∧ η |= g2
(clock satisfaction)
where  ∈ {<,≤, >,≥}.
Definition 2 (Feature Expressions (FE) and satisfaction). A feature ex-
pression ϕ over a set of features F , written ϕ ∈ FE(F ), is defined as follows
ϕ ::= f | ϕ ∧ ϕ | ϕ ∨ ϕ | ¬ϕ | > (feature expression)
where f ∈ F is a feature. The other logical connectives can be encoded as usual:
⊥ = ¬>; ϕ1 → ϕ2 = ¬ϕ1 ∨ ϕ2; and ϕ1 ↔ ϕ2 = (ϕ1 → ϕ2) ∧ (ϕ2 → ϕ1).
Given a feature selection FS ∈ F over a set of features F , and a feature
expression ϕ ∈ FE(F ), FS satisfies ϕ, noted FS |= ϕ, is defined as follows:
FS |= > always
FS |= f ⇔ f ∈ FS
FS |= ϕ1 ♦ ϕ2 ⇔ FS |= ϕ1 ♦ FS |= ϕ2
FS |= ¬ϕ ⇔ FS 6|= ϕ
(FE satisfaction)
where ♦ ∈ {∧,∨}.
Definition 3 (Featured Timed Automata (FTA) [1]). An FTA is a tuple
A = (L,L0, A,C, F,E, Inv, fm, γ) where L is a finite set of locations, L0 ⊆ L
is the set of initial locations, A is a finite set of synchronisation actions, C is
a finite set of clocks, F is a finite set of features, E is a finite set of edges,
E ⊆ L × CC(C) × A × 2C × L, Inv : L → CC(C) is the invariant, a partial
function that assigns CCs to locations, fm ∈ FE(F ) is a feature model defined
as a Boolean formula over features in F , and γ : E → FE(F ) is a total function
that assigns feature expressions to edges.
Notation: We write A.L, A.L0, A.A, etc., to denote the locations, initial loca-
tions, actions, etc., of an FTA A, respectively. We write `1
cc,a,c−−−−→ `2 to denote
that (`1, cc, a, c, `2) ∈ A.E, whenever automaton A is clear from the context.
The semantics of FTA is given in terms of Featured Transition Systems
(FTSs) [2]. An FTS extends Labelled Transition Systems with a set of features
F , a feature model fm, and a total function γ that assigns FE to transitions.
Definition 4 (Semantics of FTA). Let A = (L,L0, A,C, F,E, Inv, fm, γ) be
an FTA. The semantics of A is defined as an FTS 〈S, S0, A, T, F, fm, γ′〉, where
S ⊆ L × RC is the set of states, S0 = {〈`0, η0〉 | `0 ∈ L0} is the set of initial
states, T ⊆ S × (A ∪ R≥0) × S is the transition relation, with (s1, α, s2) ∈ T
sometimes noted s1
α−−→ s2, and γ′ : T → FE(F ) is a total function that assigns
feature expressions to transitions. The transition relation is defined as follows.
〈`, η〉 d−→ 〈`, η + d〉 if η |= Inv(`) and (η + d) |= Inv(`), for d ∈ R≥0 (1)
〈`, η〉 a−→ 〈`′, η′〉 if ∃ ` g,a,r−−−−→ `′ ∈ E s.t. η |= g, η |= Inv(l),
η′ = [r 7→ 0]η, and η′ |= Inv(`′) (2)
where for each of the rules above, the associated featured expression is defined as
γ′(〈`, η〉 d−→ 〈`, η + d〉) = > and γ′(〈`, η〉 a−→ 〈`′, η′〉) = γ(` g,a,r−−−−→ `′).
3 Interface Featured Timed Automata
Multiple FTAs can be composed and executed in parallel, using synchronising
actions to synchronise edges from different parallel automata. This section intro-
















Fig. 2: Representation of 3 IFTA, depicting their interfaces (blue) and associated
feature expressions.
more explicit, and (2) allows multiple actions to be executed atomically in a tran-
sition. Synchronisation actions are lifted to so-called ports, which correspond to
actions that can be linked with actions from other automata. Hence composition
of IFTA is made by linking ports and by combining their variability models.
Definition 5 (Interface Featured Timed Automata). An IFTA is a tuple
A = (L, l0, A,C, F,E, Inv, fm, γ, I, O) where L,A,C, F, Inv, fm, γ are defined as
in Featured Timed Automata, there exists only one initial location l0, edges in E
contain sets of actions instead of single actions (E ⊆ L×CC(C)×2A×2C×L),
I ⊆ A is a set of input ports, and O ⊆ A is a set of output ports, I ∩O = ∅.
Given a port p ∈ P we write p? and p! to denote that p is an input or output
port, respectively, following the same conventions as UPPAAL for actions, and
write p instead of {p} when clear from context. The lifting of actions into sets
of actions will be relevant for the composition of automata. We call interface of
an IFTA A the set A.I ∪ A.O of all input and output ports of an automaton,
and assign to each of these ports a feature expression based on the feature
expressions of the edges as follows. Notation: we use i, i1, etc., and o, o1, etc.
to refer specifically to input and output ports of an IFTA, respectively.
Definition 6 (Feature Expression of an Action). Given an IFTA A, the
feature expression of any action a is the disjunction of the feature expressions of
all of its associated edges. More precisely, it is given by γA(a), defined below.
γA(a) =
∨
{A.γ(e) | e ∈ A.E ∧ e = ( , , S, , ) ∧ a ∈ S} (FE of an action)
Figure 2 depicts the interfaces of 3 different IFTA. The leftmost is a payment
machine that receives actions representing coins and publishes actions confirming
the payment, whose actions are dependent on a feature called pay. The rightmost
is the coffee machine from Figure 1. Finally, the middle one depicts a connector
Router that could be used to combine the payment and the coffee machines. This
notion of combining IFTA is the core contribution of this work: how to reason
about the modular composition of timed systems with variable interfaces.
The semantics of IFTA is given in terms of FTSs, similarly to the semantics
of FTA with the difference that transitions are now labelled with sets of actions.
We formalize this as follows.
Definition 7 (Semantics of IFTA). Let A be an IFTA, its semantics is an
FTS F = (S, s0, A, T, F, fm, γ), where S, A, F , fm, and γ are defined as in
Definition 4, s0 = 〈`0, η0〉 is now the only initial state, and T ⊆ S×(2A∪R≥0)×S
now supports transitions labelled with sets of actions.
We now introduce two operations: product and synchronisation, which are
used to define the composition of IFTA. The product operation for IFTA, unlike
the classical product of timed automata, is defined over IFTA with disjoint sets
of actions and clocks, performing their transitions in an interleaving fashion.
Definition 8 (Product of IFTA). Let A1 and A2, be two different IFTA with
disjoint actions and clocks, the product of A1 and A2, denoted A1 × A2, is a
new IFTA A, such that
A = (L1×L2, `01 × `02 , A1 ∪A2, C1 ∪C2, F1 ∪F2, E, Inv, fm1 ∧ fm2, γ, I1 ∪ I2, O1 ∪O2)
where E, Inv, and γ are defined as follows














– Inv(`1, `2) = Inv1(`1) ∧ Inv2(`2).
– The associated feature expression of the 3 rules above, is defined as follows.
γ(〈`1, `2〉
g,S,r−−−−→ 〈`′1, `2〉) = A1.γ(`1
g,S,r−−−−→1 `′1)
γ(〈`1, `2〉
g,S,r−−−−→ 〈`1, `′2〉) = A2.γ(`2,
g,S,r−−−−→2 `′2)
γ(〈`1, `2〉




The synchronisation operation over an IFTA A connects and synchronises two
actions a and b from A.A. The resulting automaton has transitions without
neither a and b, nor both a and b. The latter become internal transitions.
Definition 9 (synchronisation). Given an IFTA A = (L, `0, A,C, F,E, Inv,
fm, γ, I, O) and two actions a, b ∈ A, the synchronisation of a and b is given by
∆a,b(A) = (L, `0, A\{a, b}, C, F,E′, Inv, fm′, γ, I\{a, b}, O\{a, b}) where E′ and
fm′ are defined as follows
– E′ = {` g,S,r−−−−→ `′ ∈ E | a /∈ S and b /∈ S} ∪
{` g,S\{a,b},r−−−−−−−−→ `′ | ` g,S,r−−−−→ `′ ∈ E and a ∈ S and b ∈ S}
– fm′ = fm ∧ (γA(a)↔ γA(b)).
Together, the product and the synchronisation can be used to obtain in a
compositional way, a complex IFTA modelling SPLs built out of primitive IFTA.
Definition 10 (Composition of IFTA). Given two disjoint IFTA, A1 and
A2, with possible shared features, and a set of bindings {(a1, b1), . . . , (an, bn)},
where ak, bk ∈ (A1.I ∪A2.I ∪A1.O ∪A2.O), such that ak ∈ A1.A⇔ bk 6∈ A1.A,
1 ≤ k ≤ n, the composition of A1 and A2 is defined as A1 1a1↔b1,...,an↔bn A2 =
∆a1,b1 . . . ∆an,bn(A1 ×A2).
Figure 3 exemplifies the composition of the coffee machine (CM) and Router
IFTA from Figure 2. The resulting IFTA combines the feature models of the
CM and Router, imposing additional restrictions given by the binded ports,
E.g., the binding (o1, coffee) imposes that o1 will be present, if and only if,
coffee is present (which depends on the feature expressions of each port), I.e.,
(fi∧fo1 )↔ cf . In the composed IFTA, transitions with binded actions transition
together, E.g., transition (`2, `0)
i−→ (`2, `1) with feature expression fi ∧ fo1 ∧ cf
represents the joint transitions `0
i,o1−−−→ `0 and `0
coffee−−−−→ `1. The transitions from





cf ∧mk, c := 0
coffee





































fm = (fo1 ∨ fo2 )→ fi
fm = mk → cf




fi ∧ fo1 ∧ cf , c := 0
i
fi ∧ fo2 ∧ cf ∧mk, c := 0
{i,brew }
c ≥ 2, fi ∧ ¬(fo1 ∨ fo2 )
i
fi ∧ ¬(fo1 ∨ fo2 )
i
fi ∧ ¬(fo1 ∨ fo2 )
fm = mk → cf ∧ (fo1 ∨ fo2 )→ fi ∧ (fi ∧ fo1 )↔ cf ∧ (fi ∧ fo2 )↔ (cf ∧mk)
i?
fi ∧ (¬(fo1 ∨ fo2 ) ∨
(fo1 ∧ cf ) ∨
(fo2 ∧ cf ∧mk))
brew!=
Fig. 3: Composition of a Router IFTA (top left) with the CM IFTA (top right)
by binding ports (o1, coffee) and (o2, cappuccino), yielding the IFTA below.
To study properties of IFTA operations, we define the notion of IFTA equiva-
lence in terms of bisimulation over their underlying FTSs. We formally introduce
the notion of timed bisimulation adapted to FTSs.
Definition 11 (Timed Bisimulation). Given two FTSs F1 and F2, we say
R ⊆ F1.S×F2.S is a bisimulation, if and only if, for all possible feature selections
FS ∈ 2F1.F∪F2.F , FS |= F1.fm ⇔ FS |= F2.fm and for all (s1, s2) ∈ R we have:
– ∀ t = s1
α−−→1 s′1, α ∈ 2A ∪ R≥0, ∃ t′ = s2
α−−→2 s′2 s.t. (s′1, s′2) ∈ R and
FS |= F1.γ(t)⇔ FS |= F2.γ(t′),
– ∀ t′ = s2
α−−→2 s′2, α ∈ 2A ∪ R≥0, ∃ t = s1
α−−→1 s′1 s.t. (s′1, s′2) ∈ R and
FS |= F1.γ(t)⇔ FS |= F2.γ(t′)
where A = A1.A ∪ A2.A.
Two states s1 ∈ S1 and s2 ∈ S2 are bisimilar, written s1 ∼ s2, if there exists
a bisimulation relation containing the pair (s1, s2). Given two IFTA A1 and A2,
we say they are bisimilar, written A1 ∼ A2, if there exists a bisimulation relation
containing the initial states of their corresponding FTSs.
Proposition 1 (Product is commutative and associative). Given two
IFTA A1 and A2 with disjoint set of actions and clocks, A1 × A2 ∼ A2 × A1,
and A1 × (A2 ×A3) ∼ (A1 ×A2)×A3.
Proof. Follows trivially by definition of product and FTSs, and because ∪, ×,
and ∧ are associative and commutative.
The synchronisation operation is commutative, and it interacts well with product.
The following proposition captures these properties.
Proposition 2 (synchronisation commutativity). Given two IFTA A1 and
A2, the following properties hold:
1. ∆a,b∆c,dA1 = ∆c,d∆a,bA1, if a, b, c, d ∈ A1.A, a, b, c, d different actions.
2. (∆a,bA1)×A2 ∼ ∆a,b(A1 ×A2), if a, b ∈ A1.A and A1.A ∩ A2.A = ∅.
Proof. Property 1 follows trivially from the definition of synchronisation.
For property 2, for simplicity, let us assume A = (∆a,bA1) × A2, A′ =
∆a,b(A1 × A2), and A12 = A1 × A2, and let F1 and F2 be the underlying
FTSs of A and A′. It is easy to see that both resulting automata, A and A′,
share the same set of edges, and their feature models are not the same but are
equivalent. We have that, A.fm = A1.fm ∧ A2.fm ∧ (γA1(a) ↔ γA1(b)) and
A′.fm = A1.fm ∧ A2.fm ∧ (γA12(a) ↔ (γA12(b)). Without loss of generality we
consider only action a and show that γA1(a) is logically equivalent to γA12(a).




g1,S1,r1−−−−−−→ `′1) | `1
g1,S1,r1−−−−−−→ `′1 ∈ A1.E, a ∈ S1}




g1,S1,r1−−−−−−→ `′1) | `1
g1,S1,r1−−−−−−→ `′1 ∈ A1.E,
a ∈ S1} ∪
{A1.γ(`1
g1,S1,r1−−−−−−→ `′1) ∧ A2.γ(`2
g2,S2,r2−−−−−−→ `′2) | `1
g1,S1,r1−−−−−−→ `′1 ∈ A1.E,
`2
g2,S2,r2−−−−−−→ `′2 ∈ A2.E
a ∈ S1})
It is easy to see that for all FS ∈ 2A1.F∪A2.F · FS |= γA1(a) ⇔ FS |= γA12(a).
Then, for all FS ∈ 2A1.F∪A2.F · FS |= F1.fm ⇔ FS |= F2.fm. ut
4 Reo connectors as IFTA
Reo is a channel-based exogenous coordination language where complex coordi-
nators, called connectors, are compositionally built out of simpler ones, called
channels [3]. Exogenous coordination facilitates anonymous communication of
components. Each connector has a set of input and output ports, and a formal
semantics of how data flows from the inputs to the outputs. We abstract from
the notion of data and rather concentrate on how execution of actions associated
to input ports enables execution of actions associated to output ports.
Table 1 shows examples of basic Reo connectors and their corresponding
IFTA. For example, Merger(i1, i2, o) synchronises each input port, separately,
with the output port, and FIFO1 (i, o) introduces the notion of delay by exe-
cuting its input while transitions to a state where time can pass, enabling the
execution of its output without time restrictions.
Modelling Reo connectors as IFTA enables them with variable behavior based
on the presence of ports connected through synchronisation to their ports. We
associate a feature fa to each port a of a connector and define its behavior in
terms of these features. Table 1 shows Reo basic connectors as IFTA with variable
behavior. Bold edges represent the standard behavior of the corresponding Reo
connector, and thinner edges model variable behavior. For example, the Merger
connector supports the standard behavior, indicated by the transitions `0
{ik,o}−−−−→
`0, k = 1, 2 and the corresponding feature expression fk ∧ fo; and a variable
behavior, in which both inputs can execute independently at any time if o is
not present, indicated by transitions `0
{ik}−−−→ `0, k = 1, 2 and the corresponding
feature expression fk ∧ ¬fo.
The Sync connector behaves as the identity when composed with other au-
tomata. The following proposition captures this property.
Proposition 3 (Sync behaves as identity). Given an IFTA A and a Sync
connector, ∆i,a(A× Sync(i, o)) ∼ A[o/a] with
– A[o/a].fm = A.fm ∧ Sync.fm ∧ ((fi ∧ fo)↔ γA(a))
– A[o/a].γ(( , , S, , )) = A.γ(( , , S, , )) ∧ (fi ∧ fo)), s.t. a ∈ S
– A[o/a].F = A.F ∪ {fi, fo}
if i, o 6∈ A.A and a ∈ A.A. A[o/a] is A with all occurrences of a replaced by o.
Proof. First for simplicity, let AS = (A× Sync(i, o)), and A′ = ∆i,a(AS). Lets
note that the set of edges in A′ is defined as follows
A′.E ={(`1, `0)
g,S,r−−−−→ (`′1, `0) ∈ AS .E | i /∈ S and a /∈ S} ∪ (1)
{(`1, `0)
g,S\{i,a},r−−−−−−−−→ (`′1, `0) | (`1, `0)
g,S,r−−−−→ (`′1, `0) ∈ AS .E
and i ∈ S and a ∈ S} (2)
Table 1: Examples of basic Reo connectors and their corresponding IFTA.





































































fi ∧ ¬fo1 ∧ ¬fo2
fm = (fo1 ∨ fo2 )→ fi
where `0 is the initial and only location of Sync. Let F1 and F2 be the underlying
FTS of A′ and A[o/a], and note that R = {(〈(`1, `0), η〉, 〈`1, η〉) | `1 ∈ A[o/a].S}
is a bisimulation between states of F1 and F2. Let (〈(`1, `0), η〉, 〈`1, η〉) ∈ R.
The proof for delay transitions follows trivially from the fact that Inv(`1, `0) =
Inv(`1) for all `1 ∈ A[o/a].S.
Lets consider any action transition 〈(`1, `0), η〉
S−−→ 〈(`′1, `0), η′〉 ∈ F1.E. If
it comes from a transition in (1), then ∃ `1
g,S,r−−−−→ `′1 ∈ A.E s.t. a 6∈ S,
thus ∃ 〈`1, η〉
S−−→ 〈`′1, η′〉 ∈ F2.E; if it comes from (2), then ∃ `1
g,S′,r−−−−→
`′1 ∈ A.E s.t. a ∈ S′, thus ∃ 〈`1, η〉
S′[o/a]−−−−−→ 〈`′1, η′〉 ∈ F2.E, where S =
S′∪{i, o}\{i, a} = S′[o/a]. Conversely, if ∃ 〈`1, η〉
S−−→ 〈`′1, η′〉 ∈ F2.E and o 6∈ S,
then ∃ (`1, `0)
g,S,r−−−−→ (`′1, `0) ∈ AS .E s.t. i /∈ S ∧ a /∈ S, thus ∃ 〈(`1, `0), η〉
S−−→
〈(`′1, `0), η′〉 ∈ F1.E; if o ∈ S, then ∃ (`1, `0)
g,S′∪{o}\{a},r−−−−−−−−−−−→ (`′1, `0) ∈ (∆i,a(AS)).E,
such that S = S′[o/a] = S′∪{o}\{a}, thus ∃ 〈(`1, `0), η
S−−→ 〈(`′1, `0), η′〉〉 ∈ F1.E.
In both cases, we have F1.γ(〈(`1, `0), η〉
S−−→ 〈(`′1, `0), η′〉) = F2.γ(〈`1, η〉
S−−→
〈`′1, η′〉). Furthermore, A′.fm = A[o/a].fm. ut
5 Implementation
We developed a prototype tool in Scala1 consisting of a small Domain Specific
Language (DSL) to specify (networks of) (N)IFTA and manipulate them. Al-
though we do not provide the formal definitions and semantics due to space
constraints, informally, a network of any kind of automata is a set of automata
parallel composed (||) and synchronised over a set of shared actions.
Main features supported by the DSL include: 1) specification of (N)IFTA,
2) composition, product and synchronisation over IFTA, 3) conversion of NIFTA
to networks of FTA (NFTA) with committed states (CS), and 4) conversion of
NFTA to UPPAAL networks of TA (NTA) with features. Listing 1.1 shows how
the router connector from Table 1 can be specified using the DSL. A compre-
hensive list of functionality and more examples, including the case study from
Section 6 can be found in the tool’s repository1.
val router = newifta ++ (
0 --> 0 by "i,o1" when "vi" && "vo1",
0 --> 0 by "i,o2" when "vi" && "vo2",
0 --> 0 by "i" when "vi" && not("vo1" || "vo2")
) get "i" pub "o1 ,o2" when ("vo1" || "vo2") --> "vi"
Listing 1.1: Example specification of a router connector using the Scala DSL.
A NIFTA can be converted into a NFTA with committed states, which in
turn can be converted into a network of UPPAAL TA, through a stepwise con-
version, as follows. NIFTA to NFTA. Informally, this is achieved by converting
each transition with set of actions into to a set of transitions with single actions.
All transitions in this set must execute atomically (committed states between
them) and support all combinations of execution of the actions. NFTA to UP-
PAAL NTA. First, the NFTA obtained in the previous step is translated into a
network of UPPAAL TA, where features are encoded as Boolean variables, and
transition’s feature expressions as logical guards over Boolean variables. Second,
the feature model of the network is solved using a SAT solver to find the set
of valid feature selections. This set is encoded as a TA with an initial commit-
ted location and outgoing transitions to new locations for each element in the
set. Each transition initializes the set of variables of a valid feature selection.
The initial committed state ensures a feature selection is made before any other
transition is taken.
When translating IFTA to FTA with committed states, the complexity of
the model grows quickly. For example, the IFTA of a simple replicator with 3
output ports consists of a location and 8 transitions, while its corresponding FTA
consists of 23 locations and 38 transitions. Without any support for composing
variable connectors, modelling all possible cases is error prone and it quickly
becomes unmanageable. This simplicity in design achieved through multi-action
transitions leads to a more efficient approach to translate IFTA to UPPAAL
TA, in particular by using the composition of IFTA. The IFTA resulting from
composing a network of IFTA, can be simply converted to an FTA by flattening
the set of actions in to a single action, and later into an UPPAAL TA.
1 https://github.com/haslab/ifta
6 Case Study: Licensing Services in e-government
This section presents a case study of using IFTA to model a family of public
licensing services. All services in the family support submissions and assessment
of licensing requests. Some services, in addition, require a fee before submitting
(pa), others allow appeals on rejected requests (apl), or both. Furthermore, ser-
vices that require a fee can support credit card (cc) or PayPal payments (pp),
or both. Functionality is divided in components and provided as follows. Each
component can be visualized in Figure 4. We omit the explicit illustration of
interfaces and rather use the notation ?,! to indicate whether an action corre-
sponds to an input or output, respectively. In addition, we use the same action
name in two different automata to indicate pairs of actions to be linked. The
feature model, also omitted, is initially > for each of these IFTA.
App - Models licenses requests. An applicant must submit the required doc-
uments (subdocs), and pay a fee (payapp) if pa is present, before submitting
(submit). If the request is accepted (accept) or considered incomplete (incom-
plete), the request is closed. If it is rejected (reject) and it is not possible to
appeal (¬apl), the request is closed, otherwise a clock (tapl) is reseted to track
the appeal window time. The applicant has 31 days to appeal (App.Inv(`5 )), oth-
erwise the request is canceled (cancelapp) and closed. If an appeal is submitted
(appeal), it can be rejected or accepted, and the request is closed.
CC and PP - Handle payments through credit cards and PayPal, respectively.
If a user requests to pay by credit card (paycc) or PayPal (paypp), a clock is reset
to track payment elapsed time (tocc and topp). The user has 1 day (CC .Inv(`1 )
and PP.Inv(`1 )) to proceed with the payment which can result in success (paidcc
and paidpp) or cancellation (cancelcc and cancelpp).
Appeal - Handles appeal requests. When an appeal is received (appeal), a
clock is reseted to track the appeal submission elapsed time (tas). Authorities
have 20 days (Appeal.Inv(`1 )) to start assessing the request (assessapl).
Preassess - Checks if a request contains all required documents. When a
request is received (submit), a clock is reseted to track the submission elapsed
time (ts). Authorities have 20 days (Preasses.Inv(`1 )) to check the completeness
of the documents and notify whether it is incomplete (incomplete) or ready to
assessed (assessapp).
Assess - Analyzes requests. When a request is ready to be assessed (assess),
a clock is reseted to track the processing elapsed time (tp). Authorities have 90
days to make a decision of weather accept it (accept) or reject it (reject).
We use a set of Reo connectors to integrate these IFTA. The final integrated
model can be seen in Figure 5. For simplicity, we omit the feature expressions
associated to ports and the resulting feature model. Broadly, we can identify
two new components in this figure: Payment - (right of App) Orchestrates pay-
ment requests based on the presence of payment methods. It is composed by
componets CC, PP, and a set of connectors. A router synchronises payment
requests (payapp) with payment by CC or PayPal (paypp or paycc). A merger
synchronises the successful response (paidpp or paidcc), while other merger syn-
chronises the cancellation response (cancelpp or cancelcc) from either CC or PP.
On top of the composed feature model, we add the restriction pa ↔ cc ∨ pp to
ensure payment is supported, if and only if, Credit card or PayPal are supported;
and Processing - (left of App) Orchestrates the processing of licenses requests
and appeals (if apl is present). It is composed by Appeal, Preassess, Assess, a set
of trivial sync connectors and a merger that synchronises assessment requests
from either Appeal or Preassess (assessapl or assessapp) with Assess (assess).
By using IFTA, connectors are reused and it is simple to create complex con-
nectors out of simple ones. If in the future a new payment methods is supported,
the model can be updated by simple using a three output replicator and two three
inputs mergers. By composing the future model and inferring new restrictions
based on how interfaces are connected, it is possible to reason about the vari-
ability of the entire network, E.g., we can check if the resulting feature model
satisfies variability requirements or if the interaction of automata is consistent
with the presence of features. In addition, by using the DSL we can translate
this components to UPPAAL to verify properties such as: Deadlock free – A[]
not deadlock; Liveness – a submission and an appeal will eventually result in
an answer (App.`4 --> App.`0 and App.`6 --> App.`0, respectively); Safety –











pa, tpay := 0





































































Fig. 4: IFTA modelling domain functionality.
7 Related Work
Related work is discussed following two lines: 1) compositionality and modularity




























Fig. 5: IFTA for a family of Licensing Services
Compositionality and modularity of SPLs. An extension to Petri Nets, Fea-
ture Nets (FNs) [4] enables specifying the behavior of an SPL in a single model,
and supports composition of FNs by applying deltas FNs to core FNs. An ex-
tension to CCS process calculus consisting on a modular approach to modelling
and verifying variability of SPLs based on DeltaCCS [5]. resulting in models
of features that can be reused easily. A compositional approach for verification
of software product lines [6] where new features and variability may be added
incrementally, specified as finite state machines with variability information.
Interfaces and compositionality of automata. Interface automata [7] use in-
put interfaces to support incremental design and independent implementability
of components, allowing compatibility checking of interfaces for partial system
descriptions, without knowing the interfaces of all components, and separate
refinement of compatible interfaces, respectively. [8] presents a specification the-
ory for I/O TA supporting refinement, consistency checking, logical and struc-
tural composition, and quotient of specifications. In [9] Modal I/O automata are
used to construct a behavioral variability theory for SPL development and can
serve to verify if certain requirements can be satisfied from a set of existing as-
sets. [10] proposes a formal integration model based on Hierarchical TA for real
time systems, with different component composition techniques. [11] presents a
compositional specification theory to reason about components that interact by
synchronisation of I/O actions.
8 Conclusions
This paper introduced IFTA, a formalism for modelling SPL in a modular and
compositional manner, which extends FTA with variable interfaces to restrict
the way automata can be composed, and with multi-action transitions that sim-
plify the design. A set of Reo connectors were modeled as IFTA and used to
orchestrate the way various automata connect. We discussed a prototype tool to
specify and manipulate IFTA, which takes advantage of IFTA composition to
translate them into TA that can be verified using the UPPAAL model checker.
Delegating coordination aspects to connectors enables separation of concerns.
Each automata can be designed to be modular and cohesive, facilitating the
maintenance, adaptability, and extension of an SPL. In particular, facilitates the
replacement of components and enables changes in the way they interact without
affecting their internal definition. Using bare FTA for designing variable connec-
tors, can be error prone and it quickly becomes unmanageable. IFTA simplifies
this design by enabling the modeling of automata in isolation and composing
them by explicitly linking interfaces and combining their feature models.
Future work includes studying further properties of IFTA and the impact of
integrating this notion of composition and variability with well known specifica-
tion and refinement theories for I/O automata.
References
1. Cordy, M., Schobbens, P.Y., Heymans, P., Legay, A.: Behavioural modelling and
verification of real-time software product lines. In: Proceedings of the 16th Inter-
national Software Product Line Conference - Volume 1. SPLC ’12, New York, NY,
USA, ACM (2012) 66–75
2. Classen, A., Heymans, P., Schobbens, P.Y., Legay, A.: Symbolic model checking
of software product lines. International Conference on Software Engineering, ICSE
(2011) 321–330
3. Arbab, F.: Reo: A channel-based coordination model for component composition.
Mathematical. Structures in Comp. Sci. 14(3) (June 2004) 329–366
4. Muschevici, R., Proença, J., Clarke, D.: Feature nets: behavioural modelling of
software product lines. Software & Systems Modeling 15(4) (2016) 1181–1206
5. Lochau, M., Mennicke, S., Baller, H., Ribbeck, L.: Incremental model checking of
delta-oriented software product lines. Journal of Logical and Algebraic Methods in
Programming 85(1, Part 2) (2016) 245 – 267 Formal Methods for Software Product
Line Engineering.
6. Millo, J.V., Ramesh, S., Krishna, S.N., Narwane, G.K. In: Compositional Verifi-
cation of Software Product Lines. Springer Berlin Heidelberg, Berlin, Heidelberg
(2013) 109–123
7. de Alfaro, L., Henzinger, T.A.: Interface automata. SIGSOFT Softw. Eng. Notes
26(5) (September 2001) 109–120
8. David, A., Larsen, K.G., Legay, A., Nyman, U., Wasowski, A.: Timed i/o automata:
A complete specification theory for real-time systems. In: Proceedings of the 13th
ACM International Conference on Hybrid Systems: Computation and Control.
HSCC ’10, New York, NY, USA, ACM (2010) 91–100
9. Larsen, K.G., Nyman, U., Wasowski, A.: Modal i/o automata for interface and
product line theories. In: European Symposium on Programming, Springer (2007)
64–79
10. Jin, X., Ma, H., Gu, Z.: Real-time component composition using hierarchical timed
automata. In: Seventh International Conference on Quality Software (QSIC 2007).
(Oct 2007) 90–99
11. Chen, T., Chilton, C., Jonsson, B., Kwiatkowska, M. In: A Compositional Spec-
ification Theory for Component Behaviours. Springer Berlin Heidelberg, Berlin,
Heidelberg (2012) 148–168
