On the realization of reactive systems by Carmona Vargas, Josep & Cortadella, Jordi
On the realization of reactive systems 
Josep Carmona Jordi Cortadella
Software Department
Universitat Politècnica de Catalunya
Barcelona, Spain
{jcarmona,jordic}@lsi.upc.es
Abstract
A new notion of realization of reactive systems is defined. Realization is defined as a relation between the states of two transition systems, the specification and the implementation, in which events are classified as input, output or internal. This new definition attempts to model the correct interaction between a system and its environment. The differences with other definitions of refinement and realization are discussed.
1 Introduction
The concept of realization between a specification and an object implementing the specification's behavior has been approached by some authors [LT87, Jos88, BS95, Neg98, YG01]. A new definition of realization is given here, in order to take into account the following facts:
1. The new realization notion must deal with reactive systems, i.e., systems which react to changes of the environment. The environment where such systems operate cannot be modified.
2. It is not necessary to maintain the overall concurrency between the events of the specification. Reducing the concurrency sometimes leads to simpler representations which are still correct realizations.
Basic definitions are given in Section 2. Section 3 summarizes some of the existing notions of realization and refinement. Section 4 explains in detail the new notion of realization. An example is shown in Section 5.
2 Basic definitions
A Transition System (TS) [Arn94] is defined as a quadruple $A = (S, E, T, s_{in})$ where $S$ is a nonempty set of states, $E$ is a set of events, $T \subseteq S \times E \times S$ is the transition relation, and $s_{in} \in S$ is the initial state. The elements of $T$ are called the transitions of the TS and are denoted by $(s, e, s')$ or $s \xrightarrow{e} s'$. A transition can also be denoted by $s \xrightarrow{e}$ if there is a state $s' \in S$ such that $s \xrightarrow{e} s'$.
The reachability relation between states is the transitive closure of the transition relation $T$. A feasible sequence is a (possibly empty) sequence of transitions $\sigma$ between states $s$ and $s'$ (denoted by $s \xrightarrow{\sigma} s'$). A feasible trace is obtained from a feasible sequence by removing states.
 This work has been partially funded by CICYT (TIC 98-0410 and TIC 98-0949), ACiD-WG (ESPRIT 21949), a grant by Intel
Corporation, and CIRIT (1999SGR-150 and 2000FI-00472).
The set of events in $E$ is partitioned into input events ($E_I$), output events ($E_O$) and internal events ($E_{INT}$). The events in the sets $E_I$ and $E_O$ are called observable events.
A TS can be viewed as an automaton with alphabet $E$ where every state is an accepting state. For a TS $A$, let $L(A)$ be the corresponding language. We denote by $w \setminus H$ the projection of $w$ to the alphabet $E \setminus H$. Correspondingly, given a set of words $R$, the set $R \setminus H = \{\, w \setminus H \mid w \in R \,\}$.
3 Previous work
A summary of the existing relations between systems is given in this section. First, a well-known equivalence between systems is defined: the Observational Equivalence ($\approx$), defined in Milner's book [Mil89]. Afterwards two refinement notions are shown: $\sqsubseteq_J$, defined in [Jos88], and $\sqsubseteq_N$, defined in [Neg98]. Finally, two realization notions are shown: $\models_B$, defined in [BS95], and $\models_Y$, defined in [YG01].
3.1 Observational Equivalence
Several notions of equivalence have been defined in the literature. In Milner's work on the theory of concurrent systems [Mil89], a notion of equivalence between two agents $P$ and $Q$ is defined.
Observational Equivalence ($\approx$): Let $A = (S, E, T, s_{in})$ and $B = (S', E', T', s'_{in})$ be two TSs. $A$ and $B$ are observational equivalent ($A \approx B$) iff there exists a relation $R \subseteq S \times S'$ satisfying
1. $(s_{in}, s'_{in}) \in R$.
2. (a) $\forall s \in S$, $\exists s' \in S'$ s.t. $(s, s') \in R$.
(b) $\forall s' \in S'$, $\exists s \in S$ s.t. $(s, s') \in R$.
3. (a) If $(s_1, s'_1) \in R$, $e \in E_I \cup E_O$ and $s_1 \xrightarrow{e} s_2$, then $\exists \sigma_1, \sigma_2 \in (E'_{INT})^*$ such that $s'_1 \xrightarrow{\sigma_1 e \sigma_2} s'_2$ and $(s_2, s'_2) \in R$.
(b) If $(s_1, s'_1) \in R$, $e \in E_I \cup E_O$ and $s'_1 \xrightarrow{e} s'_2$, then $\exists \sigma_1, \sigma_2 \in (E_{INT})^*$ such that $s_1 \xrightarrow{\sigma_1 e \sigma_2} s_2$ and $(s_2, s'_2) \in R$.
The equivalence notion defined above is symmetric: the specification (implementation) can be either
A or B. According to our notion of realization, this is a rather strict relation because the same set of
observable traces must be maintained in the implementation.
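The relation of Section 3.1 can be decided mechanically. The following is an added example, not code from the paper: it computes the largest relation satisfying condition 3 by deleting violating pairs from $S \times S'$ until nothing changes, and then tests conditions 1 and 2 on the result (condition 3 is applied exactly as stated above, to observable events only). The transition systems, written as (state, event, next state) triples and assumed deterministic, are constructed for this example: the specification is a shortened version of Figure 1(b) (input w, output a, input x, outputs b and c in either order, input y), one candidate inserts an internal event λ in the spirit of Figure 2(b), and the other serialises the outputs b and c as Figure 2(c) does.

```python
from collections import defaultdict

def build(transitions):
    """succ[s][e] = s' for (s, e, s') triples; the TSs in this example are deterministic."""
    succ = defaultdict(dict)
    for s, e, t in transitions:
        succ[s][e] = t
    return succ

def internal_closure(succ, internals, start):
    """States reachable from `start` through internal events only (sigma in E_INT^*)."""
    seen, stack = {start}, [start]
    while stack:
        for e, t in succ[stack.pop()].items():
            if e in internals and t not in seen:
                seen.add(t)
                stack.append(t)
    return seen

def weak_successors(succ, internals, s, e):
    """States s2 with s --sigma1 e sigma2--> s2, where sigma1 and sigma2 are internal."""
    out = set()
    for s1 in internal_closure(succ, internals, s):
        if e in succ[s1]:
            out |= internal_closure(succ, internals, succ[s1][e])
    return out

def observationally_equivalent(A, B):
    """A ~ B (Section 3.1): largest R satisfying condition 3, then conditions 1 and 2."""
    succA, succB = build(A["T"]), build(B["T"])
    SA = {A["s_in"]} | {q for a, _, b in A["T"] for q in (a, b)}
    SB = {B["s_in"]} | {q for a, _, b in B["T"] for q in (a, b)}
    R = {(s, t) for s in SA for t in SB}
    changed = True
    while changed:
        changed = False
        for s, t in list(R):
            # 3(a): every observable step of A from s is matched by a weak step of B from t
            ok = all(any((s2, t2) in R for t2 in weak_successors(succB, B["internal"], t, e))
                     for e, s2 in succA[s].items() if e not in A["internal"])
            # 3(b): every observable step of B from t is matched by a weak step of A from s
            ok = ok and all(any((s2, t2) in R for s2 in weak_successors(succA, A["internal"], s, e))
                            for e, t2 in succB[t].items() if e not in B["internal"])
            if not ok:
                R.discard((s, t))
                changed = True
    if (A["s_in"], B["s_in"]) not in R:                      # condition 1
        return False
    # condition 2: every state of each TS is related to some state of the other
    return {s for s, _ in R} == SA and {t for _, t in R} == SB

# Constructed specification (a shortened Figure 1(b)): w, a, x, then b and c in
# either order, then y, and back to the start.
SPEC = {"s_in": 0, "internal": set(),
        "T": [(0, "w", 1), (1, "a", 2), (2, "x", 3), (3, "b", 4), (3, "c", 5),
              (4, "c", 6), (5, "b", 6), (6, "y", 0)]}
# Internal event inserted between w and a: the observable traces are unchanged.
WITH_LAMBDA = {"s_in": 0, "internal": {"λ"},
               "T": [(0, "w", 1), (1, "λ", 10), (10, "a", 2), (2, "x", 3), (3, "b", 4),
                     (3, "c", 5), (4, "c", 6), (5, "b", 6), (6, "y", 0)]}
# Outputs b and c serialised: fewer observable traces, so no longer equivalent.
SERIALISED = {"s_in": 0, "internal": set(),
              "T": [(0, "w", 1), (1, "a", 2), (2, "x", 3), (3, "b", 4), (4, "c", 6), (6, "y", 0)]}

if __name__ == "__main__":
    print(observationally_equivalent(SPEC, WITH_LAMBDA))   # True
    print(observationally_equivalent(SPEC, SERIALISED))    # False
</```

The second result is the point made in the paragraph above: an implementation that merely restricts the order of its outputs is no longer observationally equivalent, because the relation demands that both systems keep the same set of observable traces.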
3.2 [Jos88]’s Refinement
In [Jos88] a set of simple rules was presented for the purpose of proving that a process $B$ is a refinement of a process $A$. In order to deal with internal events, the refinement with the hiding operator¹ is defined here. It allows $B$ to have internal events:
[Jos88]'s Refinement with hiding ($\sqsubseteq_J$): Let $A = (S, E, T, s_{in})$, $B = (S', E', T', s'_{in})$ be two TSs, where $E'_I = E_I$, $E'_O = E_O$ and $E_{INT} = \emptyset$. $A \sqsubseteq_J B$ if there is a relation $D \subseteq S \times S'$ satisfying:
1. $\forall s \in S$, $\forall s' \in S'$, $\forall e \in E$: $s \xrightarrow{e} \wedge (s, s') \in D \Rightarrow \exists s'' \in S'$, $\exists \sigma \in (E'_{INT})^*$: $s' \xrightarrow{\sigma e} s''$.
2. (a) $\forall s \in S$, $\forall s'_1, s'_2 \in S'$, $\forall e \in E'_{INT}$: $s'_1 \xrightarrow{e} s'_2 \wedge (s, s'_1) \in D \Rightarrow (s, s'_2) \in D$.
(b) $\forall s \in S$, $\forall s'_1, s'_2 \in S'$, $\forall e \in E$: $s'_1 \xrightarrow{e} s'_2 \wedge (s, s'_1) \in D \Rightarrow \exists s_2 \in S$: $s \xrightarrow{e} s_2 \wedge (s_2, s'_2) \in D$.
3. $(s_{in}, s'_{in}) \in D$.
Refinement $\sqsubseteq_J$ does not distinguish the scope of the events (only events in $C$ are considered internal). Moreover, $A$ and $B$ must have the same set of observable events.
¹This notion appears in the original paper as $P \sqsubseteq P' \setminus C$, where $C$ is a set of internal events in $P'$.
3.3 [Neg98]’s Refinement
Negulescu defines in [Neg98] the Process Space formalism, a generic theory which includes, among others, the notion of process refinement. It regards refinement as a relative notion of correctness: $B$ refines $A$ means that $A$ can be replaced by $B$ without bad effects. The notion of refinement is used there for verification purposes.
The theory of Process Spaces is briefly described here. Let $E$ be an arbitrary set; the elements of $E$ are called executions. A process over $E$ is a pair $(X, Y)$ of subsets of $E$ such that $X \cup Y = E$. The set of all processes over $E$ is called the process space of $E$ and is denoted by $S_E$.
The main intuition is the following: a process can describe a device by means of an agreement between the device and its environment, regarding executions. The agreement stipulates that only executions from $X \cap Y$ are allowed to occur in presence of the device. Set $\overline{X}$ contains executions where the device violates the agreement, while set $\overline{Y}$ contains the executions in which the environment violates the agreement. Accordingly, $X$ contains executions where the device respects the agreement (but the environment may or may not violate it), while $Y$ contains executions in which the environment respects the agreement (but the device may or may not violate it). For a process $p = (X, Y)$, set $X$ is called the accessible set of $p$ and set $Y$ is called the acceptable set of $p$.
The only parameter of a process space is the execution set; different models of processes can be chosen depending on what the executions represent. The notion of refinement in the Process Space formalism is quite simple:
[Neg98]'s Refinement ($\sqsubseteq_N$): Let $p, q \in S_E$ be two processes. Process $q = (X', Y')$ refines process $p = (X, Y)$ ($p \sqsubseteq_N q$) iff $X' \subseteq X$ and $Y \subseteq Y'$.
Loosely speaking, when $p \sqsubseteq_N q$, $q$ accesses fewer (accepts more) executions than $p$. Therefore, depending on what an execution is, the refinement can be instantiated to several refinement notions between real systems. For instance, in the scope of reactive systems, an execution set can be $(E_I \cup E_O)^*$ or $(E_I \cup E_O \cup E_{INT})^*$. According to the definition of $\sqsubseteq_N$, no internal events can be inserted in $q$.
3.4 [BS95]’s Realization
Brzozowski and Seger [BS95] define a notion of realization between two behaviors: one denoting the specification's behavior and the other denoting the implementation's behavior.
Brzozowski and Seger's notion of realization is defined over the languages of the two TSs denoting the specification's and the implementation's behavior. $A = (S, E, T, s_{in})$ and $B = (S', E', T', s'_{in})$ denote the specification's and the implementation's TS, respectively.
Let $\Sigma = \mathcal{P}(E_I \cup E_O)$ and $x \in \Sigma^*$ be an observable word in $L(A)$. A set $Y$ of input variables, $Y \subseteq E_I$, is applicable in $A$ after $x$ if $Y = \emptyset$ or if there exists a $\sigma \in \Sigma$ such that $x\sigma \in L(A) \setminus E_{INT}$ and $\sigma \cap E_I = Y$. Word $w \in L(B) \setminus E'_{INT}$ is relevant to $A$ if $w \in L(A) \setminus E_{INT}$, or $w = x\sigma$, where $x \in L(A) \setminus E_{INT}$, $\sigma \in \Sigma$ and $\sigma \cap E_I$ is applicable to $A$ after $x$. Let $L(B, A)$ be the set of all the words of $B$ that are relevant to $A$. Loosely speaking, $L(B, A)$ contains those words in $B$ that matter when realizing $A$: suppose $x$ is an input and $y$ is an output and the word $x_1 y_1 x_2 y_2$ is in $L(B)$, but no word in $L(A)$ allows $x_1$ to precede $x_2$. Then the word $x_1 y_1 x_2 y_2$ is not relevant to $A$.
Definitions of "deadlock" and "livelock" relative to the specification are also given: let $w \in L(B) \cap L(A)$ be an observable word. $B$ has a deadlock with respect to $A$ if $w$ leads to a terminal state in $B$, but to a nonterminal state in $A$. Respectively, $B$ has a livelock with respect to $A$ if $w$ leads to a nonterminal state in $A$, and to a state in $B$ that has a cycle of internal events around it.
A TS is input-proper if, whenever $q \xrightarrow{w_1} q_1$, $q \xrightarrow{w_2} q_2$, $x \in E_I$, $q_1 \xrightarrow{x} q'_1$ and $w_1 \setminus E_{INT} = w_2 \setminus E_{INT} = w$, then there also exists $q'_2$ such that $q_2 \xrightarrow{x} q'_2$. In other words, whether or not an input change is permitted in a given state should depend only on the observable trace leading to that state.
[BS95]'s Realization ($\models_B$): Let $A = (S, E, T, s_{in})$ and $B = (S', E', T', s'_{in})$ be two TSs, with $E = E_I \cup E_O \cup E_{INT}$, $E' = E'_I \cup E'_O \cup E'_{INT}$, $E_I = E'_I$ and $E_O = E'_O$. $B$ realizes $A$ ($A \models_B B$) if
1. $A$ and $B$ are deterministic, and $B$ is input-proper.
2. $L(B, A) \setminus E'_{INT} = L(A) \setminus E_{INT}$.
3. $B$ is deadlock-free with respect to $A$.
4. $B$ is livelock-free with respect to $A$.
Restriction 2 requires that the set of relevant observable traces of the implementation be equal to the set of observable traces of the specification. According to our intuition of realization, this is rather restrictive for real-life examples.
3.5 [YG01]’s Realization
Recently Yoeli and Ginzburg defined in [YG01] a new notion of realization over "Circuit Transition Systems", which are TSs where a partition exists in the set of events, separating input, internal and output events. Let $A = (S, E, T, s_{in})$ and $B = (S', E', T', s'_{in})$ be two TSs, with $E = E_I \cup E_O$ and $E' = E'_I \cup E'_O \cup E'_{INT}$.
[YG01]'s Realization ($\models_Y$): $B$ realizes $A$ ($A \models_Y B$) iff
1. $E_I = E'_I$, $E_O = E'_O$.
2. $L(A) = L(B) \setminus E'_{INT}$.
3. Assume $w \in L(A)$, $z \in E_O$, $w'z \in L(B)$ and $w' \setminus E'_{INT} = w$. Then $wz \in L(A)$.
4. Assume $w_1 w_2 \in L(A)$, and there exists $w' \in L(B)$ such that $w' \setminus E'_{INT} = w_1$. Then there exists $w''$ such that $w'' \setminus E'_{INT} = w_2$ and $w'w'' \in L(B)$.
5. Let $w \in L(A)$, $w' \in L(B)$, and $w' \setminus E'_{INT} = w$. Then there exists a positive integer $k$ such that for any word $w'' \in (E'_{INT})^*$, $w'w'' \in L(B)$ implies $\mathit{length}(w'') \leq k$.
Two comments must be made on this definition: first, the input-proper restriction can be violated in the implementation. Second, Restriction 2 is rather restrictive according to the notion of realization that we want to represent.
4 I/O preserving realization
In this section the I/O preserving realization over reactive systems will be defined formally. It is inspired by the realization relation of Brzozowski and Seger, together with the refinement idea of Negulescu. We are interested in the combination of both approaches because the two relevant ideas presented in the introduction are represented: first, $\models_B$ expresses the input-proper restriction on the implementation, which contributes to safely preserving the dialog between the system and its environment. Second, Negulescu's idea of accessing the same or fewer executions represents the possibility of reducing the concurrency only between non-input events.
Definition 4.1 (I/O preserving realization)
Let $A = (S, E, T, s_{in})$ and $B = (S', E', T', s'_{in})$ be two TSs, with $E = E_I \cup E_O \cup E_{INT}$, $E' = E'_I \cup E'_O \cup E'_{INT}$, $E_I = E'_I$ and $E_O = E'_O$. $B$ realizes $A$ ($A \models B$) iff there exists a relation $R \subseteq S \times S'$ such that:
1. $(s_{in}, s'_{in}) \in R$.
2. If $(s_1, s'_1) \in R$ then:
(a) $\forall i \in E_I$ s.t. $s_1 \xrightarrow{i} s_2$: $s'_1 \xrightarrow{i} s'_2$, $(s_2, s'_2) \in R$.
(b) $\forall o \in E_O$ s.t. $s'_1 \xrightarrow{o} s'_2$: $s_1 \xrightarrow{o} s_2$, $(s_2, s'_2) \in R$.
3. $B$ is deadlock-free with respect to $A$.
4. $B$ is livelock-free with respect to $A$.
Condition 1 imposes that the initial states must be related by $R$. Conditions 2(a)-(b) concern the enabledness of the observable events both in the specification and the implementation.
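An added example (not code from the paper) that checks Definition 4.1 directly, and with it the input-proper property of Section 3.4 and the cases discussed in Section 5. Conditions 2(a) and 2(b) are checked on the largest relation $R$ obtained by deleting violating pairs from $S \times S'$, so the initial pair belongs to it iff some relation satisfying conditions 1 and 2 exists. Conditions 3 and 4 are evaluated on the pairs of states reached by the same observable word (internal events interleaved freely), which is this example's reading of deadlock and livelock "relative to the specification"; the same pair construction applied to the implementation against itself yields the input-proper test. All systems are constructed: the specification is a reduced Figure 1(b) (input w, output a, inputs x and z in either order, outputs b and c in either order, input y), and the candidates mirror Figures 2(a)-(c), plus an input-serialising, a deadlocking and a livelocking implementation.

```python
from collections import defaultdict

class TS:
    """Deterministic transition system (S, E, T, s_in) with E = E_I u E_O u E_INT."""
    def __init__(self, s_in, transitions, inputs, outputs, internals=()):
        self.s_in, self.inputs = s_in, set(inputs)
        self.outputs, self.internals = set(outputs), set(internals)
        self.succ = defaultdict(dict)                 # succ[s][e] = s'
        for s, e, t in transitions:
            assert e not in self.succ[s], "deterministic TS expected"
            self.succ[s][e] = t
        self.states = {s_in} | {q for s, _, t in transitions for q in (s, t)}

    def enabled(self, s):
        return set(self.succ[s])

    def closure(self, states):
        """States reachable from `states` by internal events only."""
        seen, stack = set(states), list(states)
        while stack:
            for e, t in self.succ[stack.pop()].items():
                if e in self.internals and t not in seen:
                    seen.add(t)
                    stack.append(t)
        return seen

def largest_relation(A, B):
    """Greatest R within S x S' satisfying conditions 2(a) and 2(b) of Definition 4.1."""
    R = {(s, t) for s in A.states for t in B.states}
    changed = True
    while changed:
        changed = False
        for s, t in list(R):
            # 2(a): every input the specification enables at s is enabled at t
            ok = all(i in B.succ[t] and (A.succ[s][i], B.succ[t][i]) in R
                     for i in A.enabled(s) & A.inputs)
            # 2(b): every output the implementation enables at t is allowed at s
            ok = ok and all(o in A.succ[s] and (A.succ[s][o], B.succ[t][o]) in R
                            for o in B.enabled(t) & B.outputs)
            if not ok:
                R.discard((s, t))
                changed = True
    return R

def same_observable_word(A, B):
    """Pairs (s, s') reached from the initial states by the same observable word."""
    seen = {(s, t) for s in A.closure({A.s_in}) for t in B.closure({B.s_in})}
    stack = list(seen)
    while stack:
        s, t = stack.pop()
        for e, s2 in A.succ[s].items():
            if e in A.internals or e not in B.succ[t]:
                continue
            for pair in ((s3, t3) for s3 in A.closure({s2}) for t3 in B.closure({B.succ[t][e]})):
                if pair not in seen:
                    seen.add(pair)
                    stack.append(pair)
    return seen

def is_input_proper(B):
    """Section 3.4: states reached by the same observable word enable the same inputs."""
    return all(B.enabled(t1) & B.inputs == B.enabled(t2) & B.inputs
               for t1, t2 in same_observable_word(B, B))

def realizes(A, B):
    """A |= B (Definition 4.1); returns (verdict, reason)."""
    if A.inputs != B.inputs or A.outputs != B.outputs:
        return False, "observable alphabets differ"
    if (A.s_in, B.s_in) not in largest_relation(A, B):        # conditions 1 and 2
        return False, "no relation R satisfies conditions 1 and 2"
    for s, t in same_observable_word(A, B):
        if not A.enabled(s):
            continue                                            # spec state is terminal
        if not B.enabled(t):                                    # condition 3
            return False, f"deadlock: implementation state {t!r} is terminal"
        if t in B.closure({B.succ[t][e] for e in B.enabled(t) & B.internals}):
            return False, f"livelock: internal cycle through state {t!r}"   # condition 4
    return True, "I/O preserving realization"

# Constructed specification (reduced Figure 1(b)): w; a; x and z in either order;
# b and c in either order; y; back to the start.
SPEC_T = [(0, "w", 1), (1, "a", 2), (2, "x", 3), (2, "z", 4), (3, "z", 5), (4, "x", 5),
          (5, "b", 6), (5, "c", 7), (6, "c", 8), (7, "b", 8), (8, "y", 0)]
IN, OUT = {"w", "x", "y", "z"}, {"a", "b", "c"}
SPEC = TS(0, SPEC_T, IN, OUT)

def variant(drop=(), add=(), internals=()):
    """Implementation candidate derived from SPEC_T by dropping and adding transitions."""
    return TS(0, [t for t in SPEC_T if t not in drop] + list(add), IN, OUT, internals)

SEQ_OUT = variant(drop=[(5, "c", 7), (7, "b", 8)])             # b before c, as in Figure 2(c)
SEQ_IN = variant(drop=[(2, "z", 4), (4, "x", 5)])              # x before z: restricts the inputs
LAM_BEFORE_INPUT = variant(drop=[(2, "x", 3), (2, "z", 4)],    # internal event delays inputs, as in 2(a)
                           add=[(2, "λ", 9), (9, "x", 3), (9, "z", 4)], internals={"λ"})
LAM_INPUT_PROPER = variant(drop=[(1, "a", 2)],                 # internal event before an output, as in 2(b)
                           add=[(1, "λ", 9), (9, "a", 2)], internals={"λ"})
STUCK = TS(0, [(0, "w", 1), (1, "λ", 9)], IN, OUT, {"λ"})        # stops after w
LIVELOCK = TS(0, [(0, "w", 1), (1, "λ", 1)], IN, OUT, {"λ"})     # spins after w

if __name__ == "__main__":
    for name in ["SEQ_OUT", "SEQ_IN", "LAM_BEFORE_INPUT", "LAM_INPUT_PROPER", "STUCK", "LIVELOCK"]:
        impl = globals()[name]
        print(f"{name:17} input-proper={is_input_proper(impl)}  realizes={realizes(SPEC, impl)}")
```

Serialising the outputs (SEQ_OUT) is accepted while serialising the inputs (SEQ_IN) is rejected by condition 2(a), which is the "reduce concurrency only between non-input events" idea stated above; the λ inserted before the inputs fails both the input-proper test and condition 2(a), whereas the λ inserted before the output a passes both, and the last two candidates are caught only by conditions 3 and 4.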
[Figure 1: drawings of (a) the interface of system A and (b) its transition system; not recoverable from the text extraction]
Figure 1: (a) Interface of system A, (b) Transition System model.
5 An example
The concepts will be presented with an example. Consider the system $A$, specified in Figure 1. It receives messages $x$, $y$, $z$ and $w$, and generates messages $a$, $b$ and $c$ (Figure 1(a)). The behavior of such a system is specified with the TS of Figure 1(b). Figure 2 depicts the TSs of four possible implementations of system $A$.
The notions $\approx$, $\sqsubseteq_J$, $\sqsubseteq_N$, $\models_B$, $\models_Y$ and the new realization notion $\models$ will be used for restricting the set of implementations of system $A$. The following table depicts the restricted search spaces. An "x" in cell $(i, j)$ means that the element $j$ belongs to the restricted search space when using relation $i$.
Relation         | 2(a) | 2(b) | 2(c) | 2(d)
$\approx$        |  x   |  x   |      |
$\sqsubseteq_N$  |      |      |  x   |
$\sqsubseteq_J$  |  x   |  x   |      |
$\models_B$      |      |  x   |      |
$\models_Y$      |  x   |  x   |      |
$\models$        |      |  x   |  x   |
Table 1: Restrictions of the implementation space.
According to the input-proper property, TS 2(a) cannot be considered a correct realization, due to the insertion of the internal event $\lambda$ before the input messages $x$, $y$ and $z$. The input-proper restriction can be explained with this example: imagine that the realization of $\lambda$ takes three days: 2(a) is imposing that after message $a$ has been generated, the environment must wait for three days before generating the messages $x$, $y$ and $z$. Therefore, if implementation 2(a) were selected, the system(s) in the environment responsible for generating messages $x$, $y$ and $z$ would have to be resynthesized. The equivalence $\approx$, the realization $\models_Y$ and the refinement $\sqsubseteq_J$ include TS 2(a) in the restricted search space.
[Figure 2: four transition-system drawings, panels (a), (b), (c) and (d); not recoverable from the text extraction]
Figure 2: TS of different implementations of system A.
However, the insertion of the event $\lambda$ in 2(b) leads to an input-proper TS. Sometimes the specification must be modified in order to fulfill some implementability conditions. The transformations usually require the insertion of new internal events. The refinement $\sqsubseteq_N$ does not include TS 2(b) in the restricted search space.
According to our notion of realization, TS 2(c) is a correct implementation of system $A$, because it represents a modification of the specification 1(b) where the concurrency of the output events $b$ and $c$ is reduced: the environment will receive 2(c)'s messages in a more restricted (but still expected) order. Realization $\models_B$ does not include TS 2(c) in its restricted search space.
6 Conclusions
A new realization notion over reactive systems has been defined. It is based on the idea that a reactive system must operate in a distributed environment, where a fixed dialog exists between the system and the external systems (the environment). The comparison with other definitions of equivalence, refinement and realization shows the suitability of the new notion.
References
[Arn94] A. Arnold. Finite Transition Systems. Prentice Hall, 1994.
[BS95] Janusz A. Brzozowski and Carl-Johan H. Seger. Asynchronous Circuits. Springer-Verlag, 1995.
[Jos88] Mark B. Josephs. A state-based approach to communicating processes. Distributed Computing,
3:9–18, 1988.
[LT87] Nancy A. Lynch and Mark R. Tuttle. Hierarchical correctness proofs for distributed algorithms.
In Sixth Annual ACM Symposium on Principles of Distributed Computing, pages 137–151,
Vancouver, British Columbia, Canada, August 1987.
[Mil89] Robin Milner. Communication and Concurrency. Prentice-Hall, 1989.
[Neg98] Radu Negulescu. Process Spaces and Formal Verification of Asynchronous Circuits. PhD
thesis, Department of Computer Science, University of Waterloo, Waterloo, Ontario, Canada,
August 1998.
[YG01] M. Yoeli and A. Ginzburg. Lotos/cadp-based verification of asynchronous circuits. Report
CS-2001-09-2001, Technion - Computer Science Department, September 2001.
