Incremental Verification of Component-Based Timed Systems by Julliand, Jacques et al.
Incremental Verification of Component-Based Timed Systems
Jacques Julliand, Hassan Mountassir, Emilie Oudot
To cite this version:
Jacques Julliand, Hassan Mountassir, Emilie Oudot. Incremental Verification of Component-Based Timed Systems. IJMIC, International Journal of Identification Modelling and Control, special issue on Formal Modeling and Verification of Critical Systems, 2010. <hal-00560817>
HAL Id: hal-00560817
https://hal.archives-ouvertes.fr/hal-00560817
Submitted on 30 Jan 2011
Int. J. Modelling, Identification and Control, Vol. 1, No. 3/4, 2010
Incremental Verification of Component-Based Timed Systems
J. Julliand
LIFC - Laboratoire d'Informatique de l'Université de Franche-Comté
16, route de Gray
25030 Besançon Cedex, France
Ph: +33 (0)3 81 66 61 51, Fax: +33 (0)3 81 66 64 50
E-mail: jacques.julliand@lifc.univ-fcomte.fr
H. Mountassir
LIFC - Laboratoire d'Informatique de l'Université de Franche-Comté
16, route de Gray
25030 Besançon Cedex, France
Ph: +33 (0)3 81 66 66 65, Fax: +33 (0)3 81 66 64 50
E-mail: hassan.mountassir@lifc.univ-fcomte.fr
E. Oudot
LIFC - Laboratoire d'Informatique de l'Université de Franche-Comté
16, route de Gray
25030 Besançon Cedex, France
Ph: +33 (0)3 81 66 20 78, Fax: +33 (0)3 81 66 64 50
E-mail: emilie.oudot@lifc.univ-fcomte.fr
Abstract: We are interested in the incremental development, by integration of components, of component-based timed systems, and in particular in the preservation of their properties during such a development process. We model timed components with timed automata. Their composition is achieved with the classic parallel composition operator for timed automata. The specifications of these timed systems are expressed with the timed linear logic Mitl (Metric Interval Temporal Logic).
To guarantee the preservation of properties during an incremental development process, we propose to use τ-simulation relations adapted to timed systems. First, we extend the classic notion of τ-simulation with timed aspects. As in the untimed case, this relation, called timed τ-simulation, preserves safety properties. To preserve more properties, in particular liveness ones, we present another relation, called divergence-sensitive and stability-respecting (DS) timed τ-simulation. This last relation preserves all Mitl properties (and thus liveness ones), but also strong non-zenoness and deadlock-freedom. Moreover, as we place ourselves in a component-based framework, we study whether the relations are appropriate to the composition operator that we consider. For this purpose, we study whether the relations are compatible with this operator, and whether composability and compositionality hold. These three properties are a way to reduce the cost of verifying the preservation, or even to get it for free. It turns out that the timed τ-simulation is appropriate with the classic operator, since the properties hold without any assumption. However, this is not the case for the DS timed τ-simulation.
We implemented the algorithmic verification of the simulations in a tool called Vesta (Verification of Simulation for Timed Automata). The structure of the tool was inspired by that of the Open-Kronos tool. As an additional feature, this allows the models considered in Vesta to be connected to the modules of the verification platform Open-Caesar. We show the interest of our method by applying it to a case study concerning a production cell example.
Keywords: Timed τ-simulation, component-based timed systems, incremental development, preservation of properties, Mitl
Biographical notes:
J. Julliand is a full Professor in the Computer Science Laboratory LIFC at the University of Franche-Comté. He was the director of LIFC. His particular research interests include modeling, testing and verification of critical systems.
H. Mountassir is a Professor at the University of Franche-Comté. His general research interests are in verification of protocols, embedded systems and assembly of components.
E. Oudot received a PhD degree in 2006 from Franche-Comté University. Her research interests focus on verification of real-time systems. Since then, after a postdoc position, she has been a software engineer at the LIFC laboratory.
1 Motivations
Component-based modeling is a method which receives more and more attention. In particular, timed systems are often modeled this way. Instead of modeling an entire system in one go, it consists in decomposing the system into a set of sub-systems, called components, and in modeling each component independently. The complete model of the system is obtained by putting together all the components thanks to some parallel composition operator. We distinguish two main classes of properties which can be expressed to guarantee the correctness of such models: local properties and global properties. Local properties express requirements about the behaviour of a component (or subgroup of components), while global properties concern the behaviour of the whole system. Model-checking is a verification method which can be used to ensure that properties hold on the model of the system. For both kinds of properties, the procedure generally consists in performing the verification on the complete model. However, model-checking is known to be difficult to apply to large-sized systems. Indeed, it suffers from the so-called state space explosion problem, which is accentuated in the case of timed systems, due to the presence of timing constraints.
Incremental development processes represent an alternative to circumvent this problem. The idea is to obtain the complete model of a system gradually and, from a verification point of view, to check properties at each step of the development, where the model is small enough for the verification to be run to completion. The goal of this paper is to show how these incremental development processes can be exploited for component-based timed systems, and to study the impact in practice of the use of such methods, compared to classic verification. We distinguish two kinds of incremental development methods: integration of components and refinement. Given a set of components C1, ···, Cn, integration of components consists in considering one component (or group of components), for instance C1, and checking its properties in isolation before integrating it with other components. An essential property in this kind of development is composability, i.e., already established properties of C1 must be preserved by the integration. Refinement is another kind of incremental development. The principle is first to establish an abstract model of the system and to progressively add details to it until a model representing the complete system is obtained. Of course, this refinement process must not introduce inconsistencies w.r.t. the abstract model. In particular, properties which hold on the abstract model must be preserved on the detailed version. For component-based systems, refinement consists in giving an abstract model for each component, and then adding details to each one. From a verification point of view, the goal is twofold: checking local properties of the components on their abstract model, and verifying global properties on the entire abstract model, obtained by assembling all the abstract components. An important property is compositionality, meaning that if each detailed version of the components refines the abstract one, then the complete detailed model is a refinement of the complete abstract model.
When using such incremental methods, a major issue concerns the preservation of already checked properties. A way to ensure preservation is to compare the behaviour of the models, i.e., the model on which verification is performed and the model on which preservation must be ensured. This comparison must be done on some criteria, depending on the properties which must be preserved. Several equivalence relations or preorders have been defined to compare two systems: equivalence relations are generally used to test the "equality" of two systems modulo the relation, while preorders rather represent an implementation relation. In (Glabbeck 1990), twelve equivalence relations, such as bisimulation, simulation or trace equivalences, and their associated preorders, are defined for (untimed) transition systems and are ordered according to a linear-branching time hierarchy. These relations are reconsidered in (Glabbeck 1993) by taking into account the internal activity of the systems.
We are interested in the simulation preorder. Indeed, this kind of relation has already been used in the untimed case as a formalization of the refinement process to guarantee preservation of properties. For instance, (Bellegarde, Julliand & Kouchnarenko 2000) formalizes the refinement of (untimed) transition systems as a kind of τ-simulation which preserves Ltl properties.
We present here two τ-simulation relations taking into account the timing constraints of the systems: a timed τ-simulation which preserves all safety properties, and a so-called divergence-sensitive and stability-respecting (DS) timed τ-simulation with the ability to preserve all properties which can be expressed with the linear timed logic Mitl (Metric Interval Temporal Logic), strong non-zenoness and deadlock-freedom.
A way to show the usefulness of these relations for incremental development and their impact in practice is to examine whether they preserve composability and compositionality. Given components A and B, and some composition operator ‖, composability is ensured if A simulates A‖B. The direct consequence is that local properties of A are automatically preserved during its integration (the kind of properties preserved depends on the notion of simulation considered). Given components A, B, C and D, compositionality means that if A simulates B and C simulates D then A‖C simulates B‖D. We study these properties of the simulations w.r.t. the classic composition operator for timed systems, which uses a composition paradigm à la CSP (Hoare 1985). We show that the timed τ-simulation is well-adapted to incremental development achieved with this operator, since composability and compositionality are guaranteed for free. However, this is not the case for the DS timed τ-simulation. Thus, to guarantee the preservation when using this operator, the DS timed τ-simulation has to be checked algorithmically. We implemented this verification in a tool named Vesta (Verification of Simulation for Timed Automata). With this tool, we performed experiments to check that an algorithmic verification of the simulation (and thus of the preservation) does not cancel the benefit of incremental development compared to a direct verification of the properties. The results obtained are encouraging, since they show that, even when the DS timed τ-simulation is checked to ensure preservation, incremental development can speed up verification, and that models that are too large to be verified as a whole can be checked this way.
The structure of the paper is the following. First, in Section 2, we recall some background on timed systems. Section 3 presents the τ-simulations we define for timed systems, and their preservation abilities. In Section 4, we show the usefulness of the simulations for incremental development by studying composability and compositionality w.r.t. the classic parallel composition operator that we consider. Section 5 is dedicated to the verification in practice of the simulations, and to experiments. We present some related work in Section 6. Finally, Section 7 contains the conclusion and outlines future work.
2 Modeling timed systems and their properties
In this section, we review some basics concerning timed systems. First, we present the model we consider for timed systems, i.e., timed automata, and timed composition operators. We also present the logic Mitl that we use to express properties of timed systems.
2.1 Timed Automata
Timed automata (TA) (Alur & Dill 1994) are amongst the most studied models for continuous-time systems. They are finite automata extended with real-valued variables called clocks, modeling the elapsing of time. We consider as time domain the set of non-negative reals R+. Before considering TA, we recall some usual definitions about clocks. Then, we present the syntax and semantics of TA, and the symbolic representation of the state space of a TA.
Clock valuations. Let X be a set of clocks. A clock valuation over X is a function v : X → R+ mapping each clock in X to a value in R+. Let 0 denote the valuation assigning 0 to each clock in X.
Operations on valuations. Let v be a valuation over X and t ∈ R+; the valuation v + t (respectively v − t) is obtained by adding (resp. subtracting) t to (resp. from) the value of each clock. Given Y ⊆ X, the dimension-restricting projection of v over Y, written v_Y, is a new valuation over Y containing only the values in v of the clocks in Y. The reset in v of the clocks in Y, written [Y := 0]v, is the valuation obtained from v by setting to zero all clocks in Y and leaving the values of the other clocks (∈ X\Y) unchanged.
Clock constraints and polyhedra. The set C_df(X) of diagonal-free clock constraints over X is defined by the following grammar:
g ::= x ∼ c | g ∧ g | true, where x ∈ X, c ∈ N and ∼ ∈ {<, ≤, =, ≥, >}.
Diagonal-free constraints do not allow comparisons between clocks, of the form x − y ∼ c. A valuation v over X satisfies a constraint x ∼ c, written v ∈ x ∼ c, if v(x) ∼ c. The satisfaction of other constraints is defined as usual. Note that a clock constraint over X defines a convex X-polyhedron. Let zero denote the X-polyhedron defined by ∧_{x∈X} x = 0.
Operations on polyhedra. The dimension-restricting projection and reset operations defined on valuations can be directly extended to polyhedra. The backward diagonal projection of the X-polyhedron ζ defines an X-polyhedron ↙ζ such that v′ ∈ ↙ζ if ∃δ ∈ R+ · v′ + δ ∈ ζ. Similarly, the forward diagonal projection of ζ defines an X-polyhedron ↗ζ such that v′ ∈ ↗ζ if ∃δ ∈ R+ · v′ − δ ∈ ζ. Given c ∈ N, the extrapolation of ζ w.r.t. c, written Approx_c(ζ), is the smallest polyhedron ζ′ ⊇ ζ defined intuitively as follows: lower bounds of ζ greater than c are replaced by c, and upper bounds greater than c are ignored. All these operations preserve the convexity of polyhedra. This property allows the simulation graph (see Def. 3) on a finite set of polyhedra and the infinite semantic graph (see Def. 2) of a timed automaton to be bisimilar.
Definition 1 (Timed Automaton) Let Props be a set of atomic propositions. A timed automaton is a tuple A = ⟨Q, q0, Σ, X, T, Invar, L⟩ where:
• Q is a finite set of locations.
• q0 ∈ Q is the initial location of the automaton.
• Σ is a finite alphabet.
• X is a finite set of clocks.
• T ⊆ Q × C_df(X) × Σ × 2^X × Q is a finite set of edges.
• Invar : Q → C_df(X) is a function associating a time-progress condition (called invariant) to each location.
• L : Q → 2^Props is the labelling function mapping a set of atomic propositions to each location.
Figure 1 Timed automata of the train, the controller and the gate (panels: Train, Controller, Gate)
An edge is written as a tuple e = (q, g, a, r, q′) where
q and q′ are the source and target locations, g is a clock
constraint deﬁning the guard of the edge, a is the label
of the edge and r is the set of clocks to be reset by the
edge. In the sequel, we use the notations label(e) and
reset(e) to denote respectively a and r.
Example 1 As a running example, we use the well-known railroad crossing taken from (Alur 1991). It is made up of at least three elements: one or several trains, a gate and the controller of the gate. Each element is subject to strong timing constraints. The expected global behaviour of this system is the following. When a train arrives near the crossing, it sends a signal to the controller to inform it of its approach. One time unit (t.u.) later, the controller commands the closing of the gate, which must be down within the following t.u. The train enters the crossing, and its passage lasts at most three t.u. When it exits the crossing, it sends a signal to the controller, which commands the opening of the gate during the following t.u. The gate must respond and be up within the next t.u. Fig. 1 shows the timed automata modeling each component of this system. Each location is designated by a name (the label associated by the function L) and a clock constraint representing its invariant. For readability, guards and invariants equal to true are omitted, as well as empty resets on edges.
Definition 2 (Semantic Graph) The semantics of a TA A = ⟨Q, q0, Σ, X, T, Invar, L⟩ is an infinite graph whose states are pairs (q, v), with q ∈ Q and v a clock valuation over X such that v ∈ Invar(q). Its initial state is the pair (q0, 0). For a state s = (q, v), we call disc(s) the discrete part q of s. The transitions of this graph are either discrete transitions or time transitions:
• Discrete transitions: given an edge e = (q, g, a, r, q′) of A, (q, v) −g,a,r→ (q′, v′) is a discrete transition in the semantics of A if v ∈ g. The valuation v′ ∈ Invar(q′) is obtained by resetting in v all clocks in r. We call (q′, v′) a discrete successor of (q, v). We also directly write such a transition (q, v) −e→ (q′, v′), or simply (q, v) −a→ (q′, v′) when the other elements are irrelevant.
• Time transitions have the form (q, v) −t→ (q, v + t) where t ∈ R+ and v + t ∈ Invar(q). We say that (q, v + t) is a time successor of (q, v). Given a state s = (q, v), we also use the notation s + t for the pair (q, v + t).
In the sequel, we directly speak of states and transitions of the TA A, instead of states and transitions of the semantic graph of A.
Runs. A run of a TA A is a path of its semantic graph. Thus, a run is a finite or infinite sequence ρ = (q0, v0) −t0→ (q0, v1) −e0→ (q1, v2) −t1→ (q1, v3) −t2→ (q1, v4) −e1→ (q2, v5) ···. Note that we do not concatenate successive time transitions in a run. In the rest of the paper, we note (ρ, k) the k-th state of ρ and Γ(A) the set of runs of A. With the definition of runs, we can now define what a reachable state is. A state (qi, vi) of A is said to be reachable if there exists some run of A visiting it, i.e., ∃ρ · (ρ ∈ Γ(A) ∧ ρ = (q0, v0) −t0→ (q0, v1) −e0→ (q1, v2) −t1→ ··· (qi, vi) ···).
Non-zenoness. A run is called non-zeno if time can diverge along the run. We write time(ρ, k) to denote the time elapsed from the initial state of the run ρ until its k-th state, time(ρ, s) for the time elapsed from the initial state of ρ until the state s, and time(ρ) for the total time elapsed in the run. Given a run ρ, if time(ρ) = ∞, then ρ is non-zeno (Tripakis 1998). A TA is said to be strongly non-zeno if all its runs are non-zeno. A weaker notion of non-zenoness can also be considered, expressing that there exists no reachable zeno state, i.e., a state such that all runs leaving from it are zeno.
Remark 1 (Timed state sequences) The executions of a TA can also be expressed in terms of timed state sequences (TSS) instead of runs. A TSS is a sequence σ = (q0, I0) −e0→ (q1, I1) −e1→ ··· alternating pairs and discrete transitions. The qi and ei are respectively locations and edges of the TA, while the Ii are closed intervals representing the time elapsing before some discrete transition is taken. We say that a run ρ = (q1, v1) −t1→ (q1, v′1) −e1→ (q2, v2) −t2→ (q2, v′2) −t′2→ (q2, v″2) −e2→ ··· is inscribed in a TSS σ = (q1, I1) −e1→ (q2, I2) −e2→ ··· if ∀i = 1, 2, ..., time(ρ, (qi, )) ∈ Ii.
Note that a run is inscribed in a unique TSS, and that there exists an infinite number of runs inscribed in a single TSS, since successive time transitions are not concatenated. We use the notation σ(ρ) for the TSS in which the run ρ is inscribed, and (σ, i) for the i-th pair of the TSS σ. Given t ∈ Ii, we write σ^t for the suffix of a TSS σ at time t, where σ^t = (qi, Ii − t) −ei→ (qi+1, Ii+1 − t) −ei+1→ (qi+2, Ii+2 − t) ···.
Symbolic representation. The semantic graph of a TA has an infinite number of states. To get a finite representation of this graph, the symbolic representation commonly used is based on the notion of zones, and leads to a symbolic graph called the simulation graph.
Zones. A zone is a symbolic state which groups together states of a TA A that have the same discrete part and whose set of valuations forms a convex polyhedron. Thus, a zone z is a pair (q, ζ) where q is a location of A and ζ is a convex polyhedron. We note disc(z) the discrete part q of the zone z, and poly(z) its polyhedron.
Operations on zones. The operations time-succ(z) and time-pred(z) define respectively the set of time successors and predecessors of some state in z. The operations disc-succ(e, z) and disc-pred(e, z) represent respectively the set of discrete successors and predecessors of some state in z by taking a discrete transition stemming from an edge e.
time-succ(z) ≝ {s′ | ∃s ∈ z, t ∈ R+ · s −t→ s′}
time-pred(z) ≝ {s | ∃s′ ∈ z, t ∈ R+ · s −t→ s′}
disc-succ(e, z) ≝ {s′ | ∃s ∈ z · s −e→ s′}
disc-pred(e, z) ≝ {s | ∃s′ ∈ z · s −e→ s′}
Let us now define the successor and predecessor operations for zones. The operation post(e, z, c) defines the successor zone of z by the transition e (w.r.t. a constant c), i.e., the set of states which can be reached from some state in z by taking transition e and letting time elapse. Note that the operator Approx_c is also used in the definition of post, to ensure the termination of the construction of the simulation graph described below, which is based on this notion of zone. For readability, in the definition of post, Approx_c is applied to a zone instead of to the polyhedron of the zone. The operation pre(e, z) defines the predecessor zone of z by the discrete transition e, i.e., the set of states from which a state in z can be reached by taking e and letting some time pass. Formally:
post(e, z, c) ≝ Approx_c(time-succ(disc-succ(e, z)))
pre(e, z) ≝ disc-pred(e, time-pred(z))
Definition 3 (Simulation graph) Let A = ⟨Q, q0, Σ, X, T, Invar, L⟩ be a timed automaton and c ∈ N a constant greater than or equal to the greatest constant appearing in a constraint of A. The simulation graph of A w.r.t. c, written SG(A, c), is a tuple ⟨Z, z0, Σ, 𝒯⟩ where:
• Z is the finite set of states of the graph, which is a set of zones,
• z0 = (q0, ↗zero ∩ Invar(q0)) is the initial zone,
• 𝒯 ⊆ Z × T × Z is the finite set of transitions. Given a zone z and an edge e ∈ T, if z′ = post(e, z, c) ≠ ∅, then z′ is a zone of the graph and z −e→ z′ is a transition of the graph.
Figure 2 Simulation graphs of the train, the controller and the gate (panels: Train, Controller, Gate)
Example 2 Let us go back to the railroad crossing
example as presented in Fig. 1. The simulation graphs
built from each timed automaton are presented in Fig. 2.
The polyhedron of each zone is represented (graphically)
by a constraint given inside the zone.
Paths and non-zeno paths in a simulation graph. A path in the simulation graph is a finite or infinite sequence π = z0 −e0→ z1 −e1→ z2 ···. The set of paths of a simulation graph SG is written Π(SG). A path is non-zeno if, for each clock x ∈ X, either x is reset infinitely often in the path, or x remains unbounded from one zone in the path. A formal definition can be found in (Tripakis 1998).
Relation between runs and paths. Each run (respectively non-zeno run) of A is inscribed in a unique path (resp. non-zeno path) of SG(A, c), and for each path π of SG(A, c) (resp. non-zeno path), there exists a run (resp. non-zeno run) inscribed in π (Tripakis 1998).
2.2 The classic composition operator for timed automata
We consider timed systems modeled in a compositional way. Each component is modeled as a TA. To put timed components together, parallel composition operators which can handle timing information have been defined. We focus on a particular kind of timed composition. We call it classic parallel composition since it is the composition classically used in the timed case.
This composition, written ‖, operates between TA with disjoint sets of clocks. Intuitively, it is defined as a synchronized product where synchronizations are done on actions with identical labels, while other actions interleave and time elapses synchronously in all the components.
Formally, let us consider two TA Ai = ⟨Qi, q0_i, Σi, Xi, Ti, Invari, Li⟩ for i = 1, 2, such that X1 ∩ X2 = ∅. The parallel composition of A1 and A2, written A1‖A2, creates a new TA whose set of clocks is X1 ∪ X2 and whose labels are in Σ1 ∪ Σ2. The set Q of locations consists of pairs (q1, q2) where q1 ∈ Q1 and q2 ∈ Q2. The initial location is the pair (q0_1, q0_2). The invariant of a location (q1, q2) is Invar1(q1) ∧ Invar2(q2), and its label is L1(q1) ∪ L2(q2). The set T of edges is defined by the following rules:
• Interleaving: if (q1, q2) ∈ Q, (q1, g1, a, r1, q′1) ∈ T1 and a ∉ Σ2, then ((q1, q2), g1, a, r1, (q′1, q2)) ∈ T; symmetrically, if (q1, q2) ∈ Q, (q2, g2, a, r2, q′2) ∈ T2 and a ∉ Σ1, then ((q1, q2), g2, a, r2, (q1, q′2)) ∈ T.
• Synchronization: if (q1, q2) ∈ Q, (q1, g1, a, r1, q′1) ∈ T1 and (q2, g2, a, r2, q′2) ∈ T2, then ((q1, q2), g1 ∧ g2, a, r1 ∪ r2, (q′1, q′2)) ∈ T.
Example 3 Let us go back to the railroad crossing example. This system is modeled by at least three components: one or several trains, a gate and its controller. The parallel composition of the three timed automata representing respectively the train, the gate and the controller (as they are presented in Fig. 1) leads to the timed automaton given in Fig. 3.
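As an added example (the code is ours, not the paper's or Vesta's), the interleaving and synchronization rules of Section 2.2 implemented in Python on the railroad crossing of Examples 1 and 3; the encoding of the three automata is our reading of Fig. 1 and the exact constants are an assumption. A discrete-reachability pass that ignores clocks over-approximates the locations of Fig. 3: it finds twelve product locations, the four beyond the eight drawn in Fig. 3 being those that only the timing constraints rule out.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Edge:
    src: tuple        # source location
    guard: frozenset  # atomic clock constraints, conjoined, e.g. {"x > 2"}; empty = true
    label: str
    reset: frozenset  # clocks reset when the edge is taken
    dst: tuple        # target location

@dataclass
class TA:
    """<Q, q0, Sigma, X, T, Invar, L>; locations are tuples, so a product
    location is the concatenation of its component locations."""
    locations: frozenset
    initial: tuple
    alphabet: frozenset
    clocks: frozenset
    edges: frozenset
    invar: dict   # location -> frozenset of atomic constraints (empty = true)
    labels: dict  # location -> frozenset of atomic propositions

def compose(a1: TA, a2: TA) -> TA:
    """A1 || A2: synchronize on identical labels, interleave the other actions;
    time elapses synchronously, which the product expresses by conjoining invariants."""
    if a1.clocks & a2.clocks:
        raise ValueError("classic composition is defined for disjoint clock sets")
    pairs = list(product(a1.locations, a2.locations))
    edges = set()
    for q1, q2 in pairs:
        # Interleaving: a label the other component does not know moves one side only.
        for e in a1.edges:
            if e.src == q1 and e.label not in a2.alphabet:
                edges.add(Edge(q1 + q2, e.guard, e.label, e.reset, e.dst + q2))
        for e in a2.edges:
            if e.src == q2 and e.label not in a1.alphabet:
                edges.add(Edge(q1 + q2, e.guard, e.label, e.reset, q1 + e.dst))
        # Synchronization: a common label fires on both sides at once,
        # with guard g1 /\ g2 and reset set r1 U r2.
        for e1 in a1.edges:
            for e2 in a2.edges:
                if e1.src == q1 and e2.src == q2 and e1.label == e2.label:
                    edges.add(Edge(q1 + q2, e1.guard | e2.guard, e1.label,
                                   e1.reset | e2.reset, e1.dst + e2.dst))
    return TA(frozenset(q1 + q2 for q1, q2 in pairs), a1.initial + a2.initial,
              a1.alphabet | a2.alphabet, a1.clocks | a2.clocks, frozenset(edges),
              {q1 + q2: a1.invar[q1] | a2.invar[q2] for q1, q2 in pairs},
              {q1 + q2: a1.labels[q1] | a2.labels[q2] for q1, q2 in pairs})

def discrete_reachable(a: TA) -> frozenset:
    """Locations reachable when guards and invariants are ignored:
    an over-approximation of the locations of the timed product."""
    seen, todo = {a.initial}, [a.initial]
    while todo:
        q = todo.pop()
        for e in a.edges:
            if e.src == q and e.dst not in seen:
                seen.add(e.dst)
                todo.append(e.dst)
    return frozenset(seen)

def make_ta(edges, invar, clocks):
    """Component from (source, guard, label, reset, target) tuples; the first source
    is the initial location and a location is labelled with its own name (Figs. 1, 3)."""
    es = frozenset(Edge((s,), frozenset(g), a, frozenset(r), (d,)) for s, g, a, r, d in edges)
    locs = frozenset({e.src for e in es} | {e.dst for e in es})
    return TA(locs, (edges[0][0],), frozenset(e.label for e in es), frozenset(clocks), es,
              {q: frozenset(invar.get(q[0], ())) for q in locs}, {q: frozenset(q) for q in locs})

# Constructed encoding of the three components of Fig. 1; guards and invariants
# follow Example 1, the exact constants are our reading of the figure (an assumption).
TRAIN = make_ta([("far", [], "approach", ["x"], "near"), ("near", ["x > 2"], "enter", [], "in"),
                 ("in", [], "exit", [], "far")], {"near": ["x <= 5"], "in": ["x <= 5"]}, ["x"])
CONTROLLER = make_ta([("c0", [], "approach", ["z"], "c1"), ("c1", ["z = 1"], "lower", [], "c2"),
                      ("c2", [], "exit", ["z"], "c3"), ("c3", [], "raise", [], "c0")],
                     {"c1": ["z <= 1"], "c3": ["z <= 1"]}, ["z"])
GATE = make_ta([("is_up", [], "lower", ["y"], "coming_down"), ("coming_down", [], "down", [], "is_down"),
                ("is_down", [], "raise", ["y"], "going_up"), ("going_up", ["1 <= y"], "up", [], "is_up")],
               {"coming_down": ["y < 1"], "going_up": ["y <= 2"]}, ["y"])

SYSTEM = compose(compose(TRAIN, CONTROLLER), GATE)  # Train || Controller || Gate

# The eight product locations drawn in Fig. 3, by their label sets.
FIG3_LOCATIONS = frozenset({
    ("far", "c0", "is_up"), ("near", "c1", "is_up"), ("near", "c2", "coming_down"),
    ("near", "c2", "is_down"), ("in", "c2", "is_down"), ("far", "c3", "is_down"),
    ("far", "c0", "going_up"), ("near", "c1", "going_up")})

def edges_from(a: TA, q: tuple, label: str) -> list:
    """Edges of A leaving location q with the given label."""
    return sorted((e for e in a.edges if e.src == q and e.label == label), key=lambda e: e.dst)

if __name__ == "__main__":
    print(len(SYSTEM.locations), "product locations,", len(SYSTEM.edges), "edges")
    print("approach from the initial location:", edges_from(SYSTEM, SYSTEM.initial, "approach"))
    # Reachable only because timing was ignored: the clock constraints rule them out (cf. Fig. 3).
    print(sorted(discrete_reachable(SYSTEM) - FIG3_LOCATIONS))
```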
2.3 Metric Interval Temporal Logic
Mitl (Metric Interval Temporal Logic) (Alur, Feder & Henzinger 1996) is a logical formalism for expressing linear timed properties. It can be viewed as an extension of the (untimed) linear logic Ltl (Linear Temporal Logic) (Pnueli 1981), where each temporal operator is constrained by a time interval. Mitl formulas are defined inductively by the following grammar:
ϕ ::= ap | ¬ϕ | φ ∨ ψ | φ U_I ψ
where ap is an atomic proposition and I is a non-singular interval with integer bounds (a singular interval is of the form [a, a], i.e., it is closed and its left and right bounds are equal). Other classic temporal operators can also be defined: ◇_I ϕ = true U_I ϕ (eventually ϕ within the interval I) and □_I ϕ = ¬◇_I ¬ϕ (always ϕ within the interval I).
Mitl formulas are interpreted over timed state sequences. The satisfaction of a Mitl formula ϕ over a timed state sequence σ, written σ |= ϕ, is defined as follows:
• σ |= true is true,
• σ |= ap iff ap ∈ L(disc((σ, 0))),
• σ |= ¬ϕ iff it is not true that σ |= ϕ,
• σ |= φ ∨ ψ iff σ |= φ or σ |= ψ,
• σ |= φ U_I ψ iff there exists t ∈ I such that σ^t |= ψ, and ∀t′ ∈ (0, t), σ^{t′} |= φ.
We say that a Mitl formula ϕ is valid on a TA A, written A |= ϕ, iff ϕ is true over all the runs of A, i.e.:
A |= ϕ iff ∀ρ · (ρ ∈ Γ(A) ⇒ σ(ρ) |= ϕ).
Example 4 The following safety property must hold on the railroad crossing example: the gate is never open when the train is on the railroad crossing, or equivalently, the gate is never open between the moment when the controller commands its lowering and the moment when it receives a signal exit from the train (P1). In Mitl syntax, P1 is written □(c2 ⇒ ¬is up). The liveness property "the gate is closed within two t.u. after the controller has received an approach signal from the train" (P2) is expressed by □(is up ∧ c1 ⇒ ◇_{<2} is down).
3 Properties preservation using timed τ-simulations
Consider the railroad crossing example. Both properties P1 and P2 concern the behaviour of two components of the system, namely the gate and the controller. Therefore, it seems interesting to verify them only on these two components, instead of performing the verification on the complete model, obtained by the integration of one or several train components with these two components. Indeed, the assembling of the gate and the controller leads to a smaller-sized system than the whole one, and thus model-checking is more applicable.
However, by performing such a verification, it must be ensured that properties established on the composition gate/controller are preserved when integrating the train component(s). A way to ensure such a preservation is to compare the behaviour of both models, i.e., the one on which verification is run and the one on which properties must be preserved. A way to make such a comparison is to use equivalence or preorder relations. Equivalence relations are generally not adapted to incremental development, contrary to preorders. A preorder already used in the untimed case to guarantee preservation of properties during a refinement process for transition systems is τ-simulation (Bellegarde et al. 2000). We extend this relation to take timing information into account. By doing so, we obtain two τ-simulation relations: a timed τ-simulation dealing with the preservation of safety properties, and a stability-respecting and divergence-sensitive timed τ-simulation to handle the preservation of all Mitl properties, in particular liveness ones.
Figure 3 Parallel composition of the train, the gate and the controller
3.1 Timed τ-simulation / safety properties
Consider two TA A1 = ⟨Q1, q0_1, Σ1, X1, T1, Invar1, L1⟩ and A2 = ⟨Q2, q0_2, Σ1 ∪ {τ}, X2, T2, Invar2, L2⟩ such that A2 is obtained from A1 either by refinement or by integration of components. Labels in Σ2\Σ1 concern actions introduced by the development process; they are considered as non-observable and renamed τ. Thus, Σ2 = Σ1 ∪ {τ}. Other actions are called observable. The timed τ-simulation, called S, is defined informally by the following points:
(i) If A2 can make an observable action after some amount of time, then A1 could do the same observable action after the same amount of time. In particular, this implies that observable actions cannot be taken later in A2 than they could be in A1 (items 1, 2 and 5 of Definition 4).
(ii) Non-observable actions stutter (item 3 of Definition 4).
These points are illustrated in Fig. 4, where s1 and s′1 are states of the semantic graph of A1, s2 and s′2 are states of the semantic graph of A2, a is a label of A1 and t is a time delay.
We also use a so-called gluing predicate, defined at a syntactic level on the atomic propositions of A2 and A1. This predicate is defined by the following grammar, where ap1 and ap2 are respectively atomic propositions of A1 and A2:
Pg ::= ap1 | ap2 | ¬Pg | Pg ∨ Pg.
This gluing predicate induces a relation between locations of A2 and A1. That is, two locations q2 ∈ Q2 and q1 ∈ Q1 are in relation w.r.t. the gluing predicate Pg if they respect Pg, written (q2, q1) |=g Pg, where:
(q2, q1) |=g Pg iff (∧_{ap2 ∈ L2(q2)} ap2) ∧ Pg ⇒ ∧_{ap1 ∈ L1(q1)} ap1.
Definition 4 (Timed τ-simulation) Let $A_1 = \langle Q_1, q_{0_1}, \Sigma_1, X_1, T_1, Invar_1, L_1\rangle$ and $A_2 = \langle Q_2, q_{0_2}, \Sigma_1 \cup \{\tau\}, X_2, T_2, Invar_2, L_2\rangle$ be two timed automata s.t. $X_1 \subseteq X_2$. We call $S_1$ and $S_2$ the respective sets of states of the semantic graphs of $A_1$ and $A_2$, and $P_g$ the gluing predicate provided between $A_2$ and $A_1$. The timed τ-simulation $S$ is the greatest binary relation included in $S_2 \times S_1$. We say that $(q_2, v_2)\,S\,(q_1, v_1)$ if the following conditions hold:
1. Strict simulation:
$$(q_2, v_2) \xrightarrow{e_2} (q'_2, v'_2) \wedge label(e_2) \in \Sigma_1 \Rightarrow \exists (q'_1, v'_1) \cdot \big((q_1, v_1) \xrightarrow{e_1} (q'_1, v'_1) \wedge label(e_1) = label(e_2) \wedge (q'_2, v'_2)\,S\,(q'_1, v'_1)\big).$$
8 J.Julliand, H. Mountassir and E. Oudot
Figure 4 Illustration of timed τ-simulation (states $s_1, s'_1$ of the semantic graph of $A_1$ and $s_2, s'_2$ of that of $A_2$, related by $S$; an observable action $a \in \Sigma_1$ and a delay $t$ taken in $A_2$ are matched in $A_1$, while a τ-step of $A_2$ stutters; figure not reproduced in this text)
2. Delay equality:
$$(q_2, v_2) \xrightarrow{t} (q_2, v_2 + t) \Rightarrow \exists (q_1, v_1 + t) \cdot \big((q_1, v_1) \xrightarrow{t} (q_1, v_1 + t) \wedge (q_2, v_2 + t)\,S\,(q_1, v_1 + t)\big).$$
3. τ-transitions stuttering:
$$(q_2, v_2) \xrightarrow{e_2} (q'_2, v'_2) \wedge label(e_2) = \tau \Rightarrow (q'_2, v'_2)\,S\,(q_1, v_1).$$
4. Location labelling respect:
$$(q_2, q_1) \models_g P_g.$$
5. Common clock valuation equality:
$$v_2|_{X_1} = v_1.$$
We extend this notion of simulation to timed automata. Given two TA $A_1$ and $A_2$, and their respective initial states $s_{0_1}$ and $s_{0_2}$, we say that $A_1$ simulates $A_2$ w.r.t. $S$, written $A_2\,S\,A_1$, if $s_{0_2}\,S\,s_{0_1}$.
Remark 2 In Definition 4, we consider the greatest relation included in $S_2 \times S_1$ and satisfying clauses 1 to 5. Note that such a relation exists. Indeed, let us consider two relations $R_1$ and $R_2$, both included in $S_2 \times S_1$, satisfying the previous conditions. Trivially, the union of these two relations satisfies these conditions as well. Consider $S$ as the union of all such relations included in $S_2 \times S_1$ and satisfying the conditions. Thus, $S$ contains them all. Therefore, it is the greatest relation included in $S_2 \times S_1$ satisfying the conditions.
Remark 3 The following conditions are necessary syntactic conditions on $A_2$ and $A_1$ for the verification of the timed τ-simulation to succeed. First, consider an observable action $a$ modeled by an edge $e_2 = (q_2, g_2, a, r_2, q'_2)$ in $A_2$, and by the edge $e_1 = (q_1, g_1, a, r_1, q'_1)$ in $A_1$. The edge $e_2$ must reset the same clocks in $X_1$ as $e_1$, i.e., $r_2 \cap X_1 = r_1$. Secondly, non-observable actions in $A_2$ must only reset clocks which do not exist in $A_1$. Moreover, their guard must only involve such clocks. Formally, given a non-observable action in $A_2$ modeled by an edge $e = (q, g, \tau, r, q')$, we impose that $r \cap X_1 = \emptyset$ and that $g \in C_{df}(X_2)$.
It is well-known that such a simulation relation
only preserves safety properties. To deal with the
preservation of all Mitl, in particular liveness, we
restrict the relation with two additional clauses, called
divergence-sensitivity and stability-respect.
3.2 Divergence-sensitive and stability-respecting
timed τ -simulation / MITL properties
The relation $S$ between two TA $A_2$ and $A_1$ guarantees that the sequences of observable actions of $A_2$, with possibly τ-actions inserted, are sequences of actions which also exist in $A_1$, and that each observable action in $A_2$ occurs at most after the same time delay as in $A_1$.
Consider the liveness property $P_2$, expressed by $(is\_up \wedge c_1 \Rightarrow \Diamond_{<2}\, is\_down)$, and recall that it concerns the composition of the components gate and controller. Intuitively, for this property to be preserved when adding the component train, runs of the obtained model must not be cut between the moment when $is\_up \wedge c_1$ holds and the moment when $is\_down$ is reached. However, during composition, sequences of observable actions (i.e., actions of the gate and the controller) can be cut, either by introducing a deadlock when adding the component train or by the introduction of an infinite sequence of non-observable actions. Thus, to preserve such a property, the integration of the component train must introduce neither deadlocks nor infinite sequences of non-observable actions. These two criteria are respectively called stability-respect and divergence-sensitivity (Glabbeck 1993).
Stability-respect. To express this criterion, we use the predicate free defined in (Tripakis 1998) (free stands for deadlock-free). Informally, given a location $q$, $free(q)$ is the set of all valuations (of states with $q$ as discrete part) from which a discrete transition can be taken after some time has elapsed. In other words, it is the set of all valuations for which the location is not a deadlock. The formal definition is:
$$free(q) = \bigcup_{e = (q, g, a, r, q') \in T} \swarrow\!\big(g \cap ([r := 0]\,Invar(q'))\big).$$
Divergence-sensitivity. The detection of inﬁnite
sequences of non-observable actions in a timed
automaton A consists in detecting non-zeno τ -cycles in
A (a cycle which only contains timed transitions and
discrete transitions labelled by τ is called a τ -cycle).
Formally, we say that A does not contain any non-zeno
τ -cycles if:
Incremental Veriﬁcation of Component-Based Timed Systems 9
Figure 5 Stability-respect and divergence-sensitivity (state $s_1$ of the semantic graph of $A_1$ and states $s_2, s'_2$ of that of $A_2$, related by $S_{ds}$; common labels $a$ and $b$, delays $t$ and τ-steps; figure not reproduced in this text)
$$\forall \rho, k \cdot \big(\rho \in \Gamma(A) \wedge time(\rho) = \infty \wedge k \geq 0 \Rightarrow \exists k', e \cdot (k' \geq k \wedge (\rho, k') \xrightarrow{e} (\rho, k' + 1) \wedge label(e) \neq \tau)\big).$$
These two notions are illustrated in Fig. 5, where s1 is
a state of the semantic graph A1, s2 and s′2 are states of
the semantic graph A2 and a and b are common labels
between A1 and A2.
Definition 5 (Divergence-sensitive (DS) timed τ-simulation) Consider two TA $A_1 = \langle Q_1, q_{0_1}, \Sigma_1, X_1, T_1, Invar_1, L_1\rangle$ and $A_2 = \langle Q_2, q_{0_2}, \Sigma_1 \cup \{\tau\}, X_2, T_2, Invar_2, L_2\rangle$, such that $X_1 \subseteq X_2$. $S_1$ and $S_2$ are the respective sets of states of $A_1$ and $A_2$. The relation $S_{ds}$ is included in $S_2 \times S_1$. We say that $(q_2, v_2)\,S_{ds}\,(q_1, v_1)$ if $(q_2, v_2)\,S\,(q_1, v_1)$ and
• Stability-respect: $v_2 \in free(q_2) \Rightarrow v_1 \in free(q_1)$,
• Divergence-sensitivity: $A_2$ does not contain any non-zeno τ-cycles.
Let $A_1$ and $A_2$ be two TA, with respective initial states $s_{0_1}$ and $s_{0_2}$. We say that $A_2$ simulates $A_1$ w.r.t. $S_{ds}$, written $A_2\,S_{ds}\,A_1$, if $s_{0_2}\,S_{ds}\,s_{0_1}$.
3.3 Preservation of properties
We deﬁned the relation Sds to preserve a larger
spectrum of properties. We prove in this section that the
relation preserves all Mitl properties, as well as strong
non-zenoness and deadlock-freedom.
3.3.1 MITL.
Consider two TA A1 and A2 such that A2 Sds A1. We
prove that, for each run in A2, if the run of A1 which
simulates it satisﬁes a Mitl property ϕ, then this run of
A2 also satisﬁes ϕ. Before proving this, recall that the
satisfaction of a Mitl formula is not deﬁned on runs,
but on timed state sequences. Thus, the following result
is necessary to prove the preservation.
Lemma 1 Consider two runs $\rho_1$ and $\rho_2$, such that $\rho_2\,S_{ds}\,\rho_1$. Let $\sigma_1$ and $\sigma_2$ be the timed state sequences in which $\rho_1$ and $\rho_2$ are respectively inscribed. Consider $t \in \mathbb{R}^+$, and the suffixes $\sigma_1^t$ and $\sigma_2^t$ of $\sigma_1$ and $\sigma_2$ at time $t$. We have:
$$\forall \rho'_2 \text{ inscribed in } \sigma_2^t,\ \exists \rho'_1 \text{ inscribed in } \sigma_1^t \text{ such that } \rho'_2\,S_{ds}\,\rho'_1.$$
Proof. Let us consider ρ′2 as the suﬃx of ρ2 at time t.
We distinguish two cases:
1. There exists a state (q2, v2) in ρ2 s.t.
time(ρ2, (q2, v2)) = t. As ρ2 Sds ρ1, there exists
(q1, v1) in ρ1 s.t. (q2, v2)Sds(q1, v1). By clause 2 of
Def. 4, we can deduce that time(ρ1, (q1, v1)) = t.
Let ρ′1 be the suﬃx of ρ1 from the state (q1, v1).
We have ρ′2 Sds ρ′1.
2. If such a state (q2, v2) does not exist in ρ2, it
means that this time value occurs during a time
transition. Then, it is enough to split the time
transition and create an intermediary state (q2, v2)
s.t. time(ρ2, (q2, v2)) = t. Then, if we also split the
corresponding time transition in ρ1 (this transition
exists since ρ2 Sds ρ1), the previous case applies.
The lemma is true for the particular case of the suffix $\rho_2^t$ of run $\rho_2$ at time $t$ built from $\sigma_2^t$. Without loss of generality, we can affirm that the lemma is also true for each run inscribed in $\sigma_2^t$ (as each run can be written as $\rho_2^t$ by splitting or concatenating time transitions).
Recall that the locations of $A_2$ are not labelled over the same set of propositions (called $Props_2$) as the locations of $A_1$ (called $Props_1$). A gluing predicate is defined between $A_2$ and $A_1$ to establish a correspondence between propositions of $A_2$ and propositions of $A_1$. As Mitl properties of $A_1$ are expressed over $Props_1$, they will be satisfied (by preservation) on $A_2$ modulo the gluing predicate $P_g$. The satisfaction by preservation of a Mitl formula $\varphi$ over $Props_1$, written $\sigma \models_p \varphi$, is defined as follows (where $\sigma$ is a TSS of $A_2$, and $ap$, $\varphi$, $\psi$ and $\phi$ are Mitl formulas over $Props_1$):
• $\sigma \models_p true$ is true,
• $\sigma \models_p ap$ iff $\big(\bigwedge_{ap_2 \in L_2(disc((\sigma, 0)))} ap_2\big) \wedge P_g \Rightarrow ap$,
• $\sigma \models_p \neg\varphi$ iff it is not true that $\sigma \models_p \varphi$,
• $\sigma \models_p \phi \vee \psi$ iff $\sigma \models_p \phi$ or $\sigma \models_p \psi$,
• $\sigma \models_p \phi\, U_I\, \psi$ iff there exists $t \in I$ such that $\sigma^t \models_p \psi$, and $\forall t' \in\, ]0, t[$, $\sigma^{t'} \models_p \phi$.
By extension, a TA $A$ satisfies a Mitl property $\varphi$ by preservation if all its runs satisfy $\varphi$ by preservation:
$$\forall \rho \cdot (\rho \in \Gamma(A) \Rightarrow \sigma(\rho) \models_p \varphi).$$
Lemma 2 (Preservation of MITL properties on a run)
Let A1 and A2 be two TA such that A2 Sds A1, ρ1 a
run of A1 and ρ2 a run of A2. Consider a Mitl property
ϕ. We have:
ρ2 Sds ρ1 ∧ σ(ρ1) |= ϕ⇒ σ(ρ2) |=p ϕ.
Proof. We prove, by induction on the structure of the
formula, that Sds preserves Mitl properties. In the
following, for more readability, we write σ1 for σ(ρ1)
and σ2 for σ(ρ2).
The basis, i.e., when the formula is an atomic proposition, comes directly from the fact that the relation respects the gluing predicate. The cases ∨ and ¬ are trivial. The interesting case is when the formula is of the form $\phi\, U_I\, \psi$. Let us prove that this kind of formula is preserved.
Since σ1 |= φ UI ψ, there exists a suﬃx σt1 at time t ∈ I
such that σt1 |= ψ. Consider now the suﬃx σt2 of σ2 at
time t. The relation Sds forbids inﬁnite sequences only
composed of non-observable actions in ρ2 (and thus, in
σ2). Thus, each discrete action which occurs in ρ1 (and
in σ1) also occurs in ρ2 (and thus in σ2). Moreover,
since Sds does not allow introduction of deadlocks in
ρ2, if time t can be reached in ρ1 (and in σ1), then
this time value t can also be reached in ρ2 (and in σ2).
Consequently, if the suﬃx σt1 exists, the suﬃx σt2 also
exists.
We now prove that $\sigma_2^t$ satisfies $\psi$. We know that $\sigma_1^t$ satisfies $\psi$ and that (induction hypothesis) $\psi$ is preserved. It remains to prove that each run inscribed in $\sigma_2^t$ is in relation w.r.t. $S_{ds}$ with a run inscribed in $\sigma_1^t$. By Lemma 1, each run $\rho'_2$ inscribed in $\sigma_2^t$ is in relation (w.r.t. $S_{ds}$) with a run $\rho'_1$ inscribed in $\sigma_1^t$. Thus we have that $\sigma_2^t \models_p \psi$.
Since $\sigma_1 \models \phi\, U_I\, \psi$, then $\forall t' \in\, ]0, t[$, $\sigma_1^{t'} \models \phi$. And thus, as previously, with Lemma 1 and the induction hypothesis that $\phi$ is preserved, $\forall t' \in\, ]0, t[$, $\sigma_2^{t'} \models_p \phi$.
Thus, $\sigma_2 \models_p \phi\, U_I\, \psi$.
Theorem 1 (Preservation of MITL properties)
Let ϕ be a Mitl formula, A1 and A2 be two TA. If
A1 |= ϕ and A2 Sds A1 then A2 |=p ϕ.
Proof. The proof is immediate. Since $A_2\,S_{ds}\,A_1$, then $\forall \rho_2 \cdot (\rho_2 \in \Gamma(A_2) \Rightarrow \exists \rho_1 \cdot (\rho_1 \in \Gamma(A_1) \wedge \rho_2\,S_{ds}\,\rho_1))$. Since $A_1 \models \varphi$, then all its runs also satisfy this property, i.e., $\forall \rho_1 \cdot (\rho_1 \in \Gamma(A_1) \Rightarrow \sigma(\rho_1) \models \varphi)$. By Lemma 2, $\varphi$ also holds by preservation for all runs of $A_2$, and thus $A_2 \models_p \varphi$.
3.3.2 Strong non-zenoness.
We prove that Sds preserves strong non-zenoness.
Proposition 1 Consider two TA A1 and A2. If A1 is
strongly non-zeno and A2 Sds A1, then A2 is strongly
non-zeno.
Proof. (sketch, by contradiction). We prove intuitively
this proposition. Consider that A1 is strongly non-
zeno, and that A2 is not. Thus, A2 contains a run
ρ2 which is zeno. As A2 Sds A1, then each inﬁnite
run of A2 is simulated by an inﬁnite run of A1.
Let ρ1 be the run which simulates ρ2. The clause
delays equality ensures that if the total time elapsed
in ρ2 converges, then the total time elapsed in ρ1 also
converges. This is contradictory with the assumption
that A1 is strongly non-zeno, and thus that it does not
contain any executions in which the total time elapsed
converges.
Recall that the run $\rho_2$ contains the same sequence of observable actions as $\rho_1$, with non-observable actions possibly inserted between observable actions. As the time delay between two observable actions must remain the same as in $A_1$, if an infinite number of non-observable actions is inserted in this finite delay, then the run becomes zeno. But this case is excluded by the divergence-sensitivity clause, which forbids such infinite sequences of non-observable actions.
Remark 4 (Non-zenoness preservation) The weaker notion of non-zenoness is not preserved by the DS timed τ-simulation. Recall that non-zenoness is the fact that there is no reachable state which is zeno. In other words, non-zenoness expresses that there is no reachable state such that all runs leaving from it are zeno. Therefore, contrary to strong non-zenoness, which imposes that all runs are non-zeno, non-zenoness only requires that there exists at least one non-zeno run from each reachable state.
In terms of runs, the simulations we defined express that each run in $A_2$ is simulated by a run in $A_1$. It is thus possible that some runs in $A_1$ do not simulate any run in $A_2$. These runs somehow do not exist in $A_2$. Consider now a state $s_1$ in $A_1$ from which only one run is non-zeno, and a state $s_2$ in relation with $s_1$. It can be the case that the non-zeno run from $s_1$ does not exist any more from $s_2$, and thus that only zeno runs leave from $s_2$. Non-zenoness is thus immediately not preserved.
3.3.3 Deadlock-freedom.
Deadlock-freedom is preserved by the DS timed τ -
simulation, as a direct consequence of the deﬁnition of
the relation (with the clause stability-respect).
Proposition 2 Let A1 and A2 be TA. If A1 is deadlock-
free and A2 Sds A1, then A2 is deadlock-free.
4 Exploiting simulations for incremental
development
In the previous section, we deﬁned two relations: a timed
τ -simulation which preserves safety properties, and a
divergence-sensitive and stability-respecting timed τ -
simulation, which preserves all Mitl properties, strong
non-zenoness and deadlock-freedom. To exploit these
relations, and thus their preservation abilities, during an
incremental development of a component-based timed
system, it is necessary to study the three following
properties:
• compatibility of the relations w.r.t. composition
operators,
• composability, which means that a component
simulates its integration with other components,
• and compositionality. This last property expresses
that, given components A, B, C and D, if
B simulates A and D simulates C, then the
composition of B and D simulates the composition
of A and C.
Composability is essential for integration of components
since it guarantees automatically the preservation
of properties during the integration (the kind of
properties preserved depends on the notion of simulation
considered). Compositionality is essential for reﬁnement
in order to verify it in a compositional way.
We study these properties in the case of the classic parallel composition. In the sequel, we use the following notations. Given a timed automaton $A$, we write $S_A$ for its set of states and $\Sigma_A$ for its alphabet. A state of $A$ is simply written $s_A$ or $s'_A$, which respectively represent the pairs $(q_A, v_A)$ or $(q'_A, v'_A)$. The initial state of $A$ is written $s_{0_A}$.
Proposition 3 (Composability) Let A and B be TA.
We have: A‖B S A.
Proof. By construction of $A\|B$, its initial state is the pair $(s_{0_A}, s_{0_B})$. To prove that $A\|B\,S\,A$, it is enough to prove that $(s_{0_A}, s_{0_B})\,S\,s_{0_A}$. By definition, $S$ is the greatest relation included in $S_{A\|B} \times S_A$ which satisfies clauses 1 to 5 of Definition 4. Thus, each relation $R \subseteq S_{A\|B} \times S_A$ which satisfies these clauses is included in $S$. Consider a relation $R \subseteq S_{A\|B} \times S_A$ such that
$$\forall (s_A, s_B) \in S_{A\|B},\quad (s_A, s_B)\,R\,s'_A \text{ if } s_A = s'_A.$$
Consider $((s_A, s_B), s_A) \in R$.
1. Strict simulation: let $(s_A, s_B) \xrightarrow{a} (s'_A, s'_B)$ in $A\|B$ such that $a \in \Sigma_A$. By construction of $A\|B$, a transition $s_A \xrightarrow{a} s'_A$ exists in $A$. By definition of $R$, $(s'_A, s'_B)\,R\,s'_A$ and $R$ satisfies the strict simulation.
2. Delay equality: the same arguments as those for strict simulation can be used to prove that this clause holds for $R$.
3. τ-transitions stuttering: consider a transition $(s_A, s_B) \xrightarrow{\tau} (s'_A, s'_B)$ in $A\|B$. Recall that τ-transitions represent non-observable actions initially labelled by an action in $\Sigma_B \setminus \Sigma_A$. By construction of $A\|B$, $s'_A = s_A$. Thus, $(s_A, s'_B)\,R\,s_A$ and $R$ satisfies τ-transitions stuttering.
4. Location labelling respect: immediate by definition of $R$.
5. Common clocks valuation equality: immediate by definition of $R$ and since $X_A$ and $X_B$ are disjoint.
Proposition 4 (Compatibility) Let A, B and C be
TA. If A S B then A‖C S B‖C.
Proof. The structure of the proof is similar to the previous one. Details can be found in Appendix A.
Proposition 5 (Compositionality) Let A, B, C, D
be TA. If A S B and C S D then A‖C S B‖D.
Proof. Immediate with Proposition 4. Since $A\,S\,B$, then $A\|C\,S\,B\|C$. Since $C\,S\,D$, then $B\|C\,S\,B\|D$. By transitivity of the relation $S$, we have $A\|C\,S\,B\|D$.
The timed τ-simulation is well adapted to incremental development with the classic parallel composition operator, since composability, compatibility and compositionality hold for free. This is not the case for the DS timed τ-simulation when using such a composition paradigm. Indeed, the fact that this kind of composition generally introduces deadlocks does not allow one to benefit from the three properties. For composability, for instance, this introduction of deadlocks is incompatible with the stability-respect clause of the DS timed τ-simulation. However, it remains possible to benefit from its assets in terms of preservation, but at the cost of an algorithmic verification of the relation.
5 Simulations in practice
In the previous sections, we deﬁned the simulations
at a semantic level, on the states of TA. To check
algorithmically the DS timed τ -simulation, we extend it
on the symbolic representation of TA, i.e., on zones.
5.1 Symbolic timed τ -simulations
We focus directly on the symbolic version of the
DS timed τ -simulation. The deﬁnition for the timed
τ -simulation can be obtained by not considering
divergence-sensitivity and stability-respect.
Most of the clauses of this symbolic definition can be obtained straightforwardly from the semantic definition. The main changes concern the clauses delay equality, common clock valuation equality and strict simulation. Consider two simulation graphs $SG_1$ and $SG_2$, $z_1$ a zone of $SG_1$ and $z_2$ a zone of $SG_2$. In simulation graphs, time elapsing does not appear explicitly as transitions. Intuitively, time elapses inside zones. Thus, delay equality and common clock valuation equality are checked by verifying that the polyhedron of the zone $z_2$ (projected on the set of clocks of $SG_1$) is included in the polyhedron of $z_1$.
Let us now study strict simulation. The definition we give at the symbolic level is based on the post-stability property of the simulation graph. This property ensures that, given a transition $z \xrightarrow{e} z'$, all the successors of (semantic) states in $z$ taking $e$ are in $z'$. A part of this clause is directly extended from the semantic one, by imposing that if the transition $z_2 \xrightarrow{e_2} z'_2$ exists, then a transition $z_1 \xrightarrow{e_1} z'_1$ exists with the same label. But, as the simulation graph does not have the pre-stability property (i.e., a symbolic transition $z \xrightarrow{e} z'$ does not imply that all the (semantic) states in $z$ can take the transition $e$), another condition is needed. Each (semantic) state in $z_2$ taking this transition $e_2$ must correspond to a state in $z_1$ taking transition $e_1$. This clause is illustrated by Fig. 6. To express this condition, we define a predicate named $src\_val$ as follows:
$$src\_val(z, e, z') = poly(pre(e, z') \cap z).$$
Definition 6 (Symbolic DS timed τ-simulation) Let $SG_1 = \langle Z_1, z_{0_1}, \Sigma_1, T_1\rangle$ and $SG_2 = \langle Z_2, z_{0_2}, \Sigma_2, T_2\rangle$ be two simulation graphs, obtained respectively from two TA $A_1$ and $A_2$. Let $X_1$ be the set of clocks of $A_1$. The symbolic DS timed τ-simulation $Z_{ds}$ is the greatest binary relation included in $Z_2 \times Z_1$, such that $z_2\,Z_{ds}\,z_1$ if the following conditions hold:
1. Strict simulation:
$$z_2 \xrightarrow{e_2} z'_2 \wedge label(e_2) \in \Sigma_1 \Rightarrow \exists z'_1 \cdot \big(z_1 \xrightarrow{e_1} z'_1 \wedge label(e_1) = label(e_2) \wedge src\_val(z_2, e_2, z'_2)|_{X_1} \subseteq src\_val(z_1, e_1, z'_1) \wedge z'_2\,Z_{ds}\,z'_1\big).$$
2. Delay equality and common clock valuation equality:
$$poly(z_2)|_{X_1} \subseteq poly(z_1).$$
3. τ-transition stuttering:
$$z_2 \xrightarrow{e_2} z'_2 \wedge label(e_2) = \tau \Rightarrow z'_2\,Z_{ds}\,z_1.$$
4. Location labelling respect:
$$(disc(z_2), disc(z_1)) \models_g P_g.$$
5. Stability-respect:
$$\big(poly(z_2) \setminus free(disc(z_2))\big)|_{X_1} \subseteq poly(z_1) \setminus free(disc(z_1)).$$
6. Divergence-sensitivity: $SG_2$ does not contain any non-zeno τ-cycles.
We extend this relation to simulation graphs.
Consider two simulation graphs SG1 and SG2. Their
initial zones are respectively z01 and z02 . We say that
SG1 simulates SG2 w.r.t. Zds, written SG2 Zds SG1,
if z02Zdsz01 .
We now prove that this symbolic relation $Z_{ds}$ implies the semantic relation $S_{ds}$. This implication allows one to benefit from the preservation abilities of $S_{ds}$ at the symbolic level. The proof is decomposed into two parts. First, we state Lemma 3, which is necessary for the divergence-sensitivity clause, then we prove the implication between the relations in Lemma 4.
Lemma 3 Let A be a TA and c be the greatest constant
appearing in a constraint of A. Let SG(A, c) be the
simulation graph associated to A. If A does not contain
any non-zeno τ-cycles, then SG(A, c) does not contain
any non-zeno τ-cycles, and conversely.
Proof. Immediate by the fact that each non-zeno run of $A$ is inscribed in a unique non-zeno path of $SG(A, c)$, and that for each non-zeno path of $SG(A, c)$, there exists a non-zeno run inscribed in this path.
Lemma 4 Let $SG_1$ and $SG_2$ be two simulation graphs. Let $(q_1, \zeta_1)$ and $(q_2, \zeta_2)$ be two respective zones of $SG_1$ and $SG_2$, such that $(q_2, \zeta_2)\,Z_{ds}\,(q_1, \zeta_1)$. We have the following. For each state $(q_2, v_2) \in (q_2, \zeta_2)$, there exists only one state $(q_1, v_1) \in (q_1, \zeta_1)$ such that $(q_2, v_2)\,S_{ds}\,(q_1, v_1)$. Formally:
$$(q_2, \zeta_2)\,Z_{ds}\,(q_1, \zeta_1) \Rightarrow \forall v_2 \cdot \big(v_2 \in \zeta_2 \Rightarrow \exists v_1 \cdot (v_1 \in \zeta_1 \wedge (q_2, v_2)\,S_{ds}\,(q_1, v_1))\big).$$
Proof. The proof is done by fixed-point induction. Consider the function $F : Z_2 \times Z_1 \to Z_2 \times Z_1$ defined in the following way. If $Z_{ds} \subseteq Z_2 \times Z_1$, then $((q_2, \zeta_2), (q_1, \zeta_1)) \in F(Z_{ds})$ iff the clauses 1 to 6 of Definition 6 hold.
In the definition of $Z_{ds}$, we consider the greatest fixed-point of the function $F$. This function is trivially monotonic (and the sets $Z_2$ and $Z_1$ are finite), thus we can reason inductively about the pre-fixed-points of this function. The principle of this induction is the following: given a predicate $P$, this induction allows one to prove $P(Z_{ds})$ by proving $P(F(Z_{ds}))$, with the induction assumption that $P(Z_{ds})$ holds. We proceed clause by clause. Details are given in Appendix B.
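As an added worked example (not the paper's or VeSTA's code), the following Python computes the greatest relation of Definition 6 by the fixed-point iteration sketched in the proof of Lemma 4, then checks the initial zones and looks for τ-cycles. It assumes zones abstracted as finite sets of sample clock valuations instead of polyhedra, a gluing predicate restricted to implications ap2 ⇒ ap1, and a constructed component/integration pair in which a deadlock introduced by the integration is caught by the stability-respect clause.

```python
from collections import namedtuple
from itertools import product

# Constructed toy model: a zone's polyhedron is abstracted by a finite set of sample
# clock valuations (tuples over the graph's clock ordering), not the DBMs of a real tool.

Zone = namedtuple("Zone", "loc props poly free")      # disc(z), its labelling, poly(z), free(disc(z))
Edge = namedtuple("Edge", "src label dst src_val")    # src_val(z, e, z'): valuations of z that can take e
SimGraph = namedtuple("SimGraph", "clocks zones edges init")

def project(vals, clocks_from, clocks_to):
    """v|_{X1}: keep only the coordinates of the clocks listed in clocks_to."""
    idx = [clocks_from.index(c) for c in clocks_to]
    return frozenset(tuple(v[i] for i in idx) for v in vals)

def glued(props2, props1, pg):
    """(q2, q1) |=g Pg when Pg is a conjunction of implications ap2 => ap1
    (assumption: pg maps each A2 proposition to the A1 propositions it implies)."""
    implied = set().union(*(pg.get(p, set()) for p in props2))
    return set(props1) <= implied

def has_tau_cycle(sg, sigma1):
    """Clause 6, conservatively: any cycle of non-observable edges is rejected
    (the paper rejects only non-zeno tau-cycles; zenoness is not modelled here)."""
    adj = {}
    for e in sg.edges:
        if e.label not in sigma1:
            adj.setdefault(e.src, []).append(e.dst)
    state = {}  # 1 = on the DFS stack, 2 = finished

    def dfs(z):
        state[z] = 1
        for n in adj.get(z, ()):
            if state.get(n) == 1 or (n not in state and dfs(n)):
                return True
        state[z] = 2
        return False
    return any(z not in state and dfs(z) for z in sg.zones)

def symbolic_ds_tau_simulation(sg2, sg1, pg, sigma1):
    """Greatest relation on Z2 x Z1 satisfying clauses 1-5 of Definition 6: start
    from all pairs and drop every pair violating a clause until nothing changes
    (the greatest fixed point of F used in the proof of Lemma 4)."""
    proj = lambda vals: project(vals, sg2.clocks, sg1.clocks)
    out1 = {z: [e for e in sg1.edges if e.src == z] for z in sg1.zones}
    out2 = {z: [e for e in sg2.edges if e.src == z] for z in sg2.zones}
    rel = set(product(sg2.zones, sg1.zones))
    changed = True
    while changed:
        changed = False
        for n2, n1 in list(rel):
            z2, z1 = sg2.zones[n2], sg1.zones[n1]
            ok = (proj(z2.poly) <= z1.poly                               # 2: delays / common clocks
                  and glued(z2.props, z1.props, pg)                      # 4: location labelling
                  and proj(z2.poly - z2.free) <= z1.poly - z1.free)      # 5: stability-respect
            for e2 in out2[n2]:
                if not ok:
                    break
                if e2.label in sigma1:                                   # 1: strict simulation
                    ok = any(e1.label == e2.label and proj(e2.src_val) <= e1.src_val
                             and (e2.dst, e1.dst) in rel for e1 in out1[n1])
                else:                                                    # 3: tau stuttering
                    ok = (e2.dst, n1) in rel
            if not ok:
                rel.discard((n2, n1))
                changed = True
    return frozenset(rel)

def simulates(sg2, sg1, pg, sigma1):
    """SG2 Zds SG1: the initial zones are related and SG2 has no tau-cycle."""
    rel = symbolic_ds_tau_simulation(sg2, sg1, pg, sigma1)
    return (sg2.init, sg1.init) in rel and not has_tau_cycle(sg2, sigma1)

def example_graphs(deadlock=False):
    """Constructed instance. SG1: a component over clock x. SG2: its integration with
    a partner that adds clock y and a non-observable 'sync' step. With deadlock=True
    the partner blocks 'done' from valuation (1, 1), which stability-respect must catch."""
    fs = frozenset
    idle1, busy1 = fs({(0,), (1,), (2,)}), fs({(0,), (1,)})
    sg1 = SimGraph(("x",),
                   {"i": Zone("idle", fs({"idle"}), idle1, idle1),
                    "b": Zone("busy", fs({"busy"}), busy1, busy1)},
                   (Edge("i", "a", "b", fs({(1,), (2,)})), Edge("b", "done", "i", fs({(1,)}))),
                   "i")
    idle2, wait2, busy2 = fs({(0, 0), (1, 1), (2, 2)}), fs({(1, 0), (2, 1)}), fs({(0, 0), (1, 1)})
    sg2 = SimGraph(("x", "y"),
                   {"i": Zone("idle", fs({"idle"}), idle2, idle2),
                    "w": Zone("wait", fs({"wait"}), wait2, wait2),
                    "b": Zone("busy", fs({"busy"}), busy2, fs({(0, 0)}) if deadlock else busy2)},
                   (Edge("i", "sync", "w", fs({(1, 1), (2, 2)})),
                    Edge("w", "a", "b", fs({(1, 0), (2, 1)})),
                    Edge("b", "done", "i", fs({(1, 1)}))),
                   "i")
    pg = {"idle": {"idle"}, "wait": {"idle"}, "busy": {"busy"}}  # Pg: idle2 v wait2 => idle1, busy2 => busy1
    return sg2, sg1, pg, {"a", "done"}
```

With `deadlock=False` the integration simulates the component (the relation keeps exactly the pairs (i,i), (w,i) and (b,b)); with `deadlock=True` the blocked valuation fails clause 5 and the failure propagates back to the initial pair through clauses 1 and 3, as the paper describes for compositions that introduce deadlocks.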
Theorem 2 Let A1 and A2 be two TA, and SG1 and
SG2 the simulation graphs respectively obtained from A1
and A2. If SG2 Zds SG1 then A2 Sds A1.
Proof. Since $SG_2\,Z_{ds}\,SG_1$, we have $z_{0_2}\,Z_{ds}\,z_{0_1}$. Let $s_{0_2}$ and $s_{0_1}$ be the respective initial states of $A_2$ and $A_1$. By definition, $s_{0_2} \in z_{0_2}$ and $s_{0_1} \in z_{0_1}$. By Lemma 4, $s_{0_2}$ is in relation (w.r.t. $S_{ds}$) with a unique state $s$ in $z_{0_1}$. By definition of $S_{ds}$, the valuations of $s$ and $s_{0_2}$ over $X_1$ are equal. It follows that $s = s_{0_1}$ and $s_{0_2}\,S_{ds}\,s_{0_1}$.
Figure 6 Clause strict simulation at the symbolic level (zones $z_2 \xrightarrow{e_2} z'_2$ and $z_1 \xrightarrow{e_1} z'_1$ with $label(e_2) = label(e_1)$, related by $Z_{ds}$; the source valuations of $e_1$ include those of $e_2$ modulo projection over $X_1$; figure not reproduced in this text)
5.2 The tool VeSTA
We implemented the verification of the DS timed τ-simulation $Z_{ds}$ in a tool named Vesta (Verification of Simulations for Timed Automata) (Bellegarde, Julliand, Mountassir & Oudot 2006b). Vesta considers component-based timed systems developed incrementally using timed automata and the classic parallel composition operator. The tool focuses on the verification of the simulation during incremental development achieved by integration of components using the classic composition ‖. Thus, it allows one to ensure that local properties of a component (or a group of components) are preserved when it is merged with other components.
Consider two TA $A_1$ and $A_2$. To check whether $A_1\|A_2\,Z_{ds}\,A_1$, two main algorithms are implemented in the tool. The first algorithm performs a joint on-the-fly depth-first search of the simulation graphs of $A_1$ and $A_2$ and checks the stability-respecting timed τ-simulation (i.e., clauses 1 to 5 of $Z_{ds}$). If the verification of this part of the simulation does not succeed, the tool reports a diagnostic. This diagnostic consists in a symbolic trace in $A_2$ with a zone which does not satisfy the relation, and the corresponding symbolic trace in $A_1$. The divergence-sensitivity part consists in the detection of non-zeno τ-cycles in $A_2$. To achieve this search, we reuse the module Profounder (Tripakis, Yovine & Bouajjani 2005), which is part of the Open-Kronos tool (Tripakis 1998). Profounder was initially designed to check if a state is reachable in a TA, or to check timed Büchi automata emptiness. This second possibility consists in detecting non-zeno cycles in a TA. We adapted it to search only for non-zeno τ-cycles.
5.3 A case study: the production cell
We present in this section a case study on which we performed experiments to show the suitability of timed τ-simulations for incremental development, even when an algorithmic verification of the simulation is needed. The verification of the properties was achieved with the tool Kronos (Yovine 1997). Kronos is a verification tool for timed systems which performs Tctl model-checking (Alur, Courcoubetis & Dill 1993), in particular for component-based timed models (indeed, Kronos can compute the parallel composition of TA). Tctl is a logical formalism that allows one to express branching-time properties. It can be seen as the timed extension of the untimed logic Ctl (Clarke & Emerson 1981, Emerson & Halpern 1982). To our knowledge, there is no tool performing Mitl model-checking. Thus, we focused on linear-time properties that can also be expressed in Tctl to perform the verification with Kronos. The verification of the simulations was achieved with Vesta.
The production cell case study was developed by FZI
(the Research Center for Information Technologies, in
Karlsruhe) as part of the Korso project. The goal was
to study the impact of the use of formal methods when
treating industrial applications. Thus, this case study
was treated in about thirty diﬀerent formalisms. We
treat it with timed automata, as it was in (Burns 2003).
5.3.1 Modeling.
The cell is made up of six devices, where pieces are treated: a feed-belt, equipped with a sensor, where pieces arrive, a deposit-belt from which pieces are evacuated, an elevating-rotary table, a two-arm robot and a press. The sensor detects when a piece is introduced in the system, and sends a signal to the robot to inform it of this arrival. When the piece is at the end of the feed-belt, it is transferred to the table, which goes up and turns until it is in a position from which arm A of the robot can take the piece. The robot turns 90° so that arm A can put down the piece on the press, where it is processed and then transported by arm B to the deposit belt.
The cell is presented in Fig. 7. It is modeled by
at least seven components: one for each device, and
one or several pieces. The cell is subject to timing
constraints, which are shown in Fig. 8. Each component
is modeled as a TA. These TA can be found in (Burns
2003). The complete model is obtained by making the
classic parallel composition of all these components.
Figure 7 The Production Cell (devices: feed belt with sensor, elevating-rotary table, robot with arm A and arm B, press, deposit belt; figure not reproduced in this text)
Device        Description                       Time
Robot         moves to press                    5
Robot         turns 90°                         15
Robot         moves to deposit belt             5
Robot         from deposit belt to table        25
Robot         from deposit belt to wait pos.    22
Robot         from press to wait pos.           17
Robot         from wait pos. to table           3
Robot         from wait pos. to press           2
Robot         at wait pos.                      2
Feed Belt     piece moves to sensor             3
Feed Belt     piece moves to table              1
Table         raises and turns                  2
Table         returns and turns                 2
Press         presses a piece                   22-25
Press         ready for a new piece             18-20
Deposit Belt  evacuates a piece                 4
Figure 8 Timing constraints for the production cell
Component      Robot   Press   Feed belt   Dep. Belt   Table   Sensor   Piece   Complete model
States/Trans.  39/40   7/7     6/6         4/4         6/6     2/2      7/7     1655/2395
Figure 9 Size of the simulation graphs of each component of the production cell
Fig. 9 shows the size of the simulation graphs for each
component.
5.3.2 Veriﬁcation.
To ensure that the modeling is correct, there are several
properties to check. Recall that we focus on the local
properties of the components (or group of components).
We propose to perform the veriﬁcation locally, and
then to ensure that the properties hold on the global
model by preservation, by checking algorithmically
the DS timed τ -simulation. In particular, we consider
local properties concerning the robot. Here is a non-
exhaustive list of dynamic properties to check on this
component. Properties 1 and 2 are safety requirements,
properties 3 and 4 are liveness ones and properties 5 to
7 are bounded-response ones:
(1) When the robot is in wait position, its two arms
are empty,
(2) The robot is not waiting in front of the table if the
arm A is full,
(3) If there is a piece on arm B, the robot will
eventually go to the deposit belt,
(4) If there is a piece on arm A, the robot will
eventually go to the press,
(5) When the robot is in front of the deposit belt, then
it goes back to the table within 25 t.u. if there are
no pieces on the press,
(6) When the robot is in front of the deposit belt, then
it goes to the wait position within 22 t.u. if there
is a piece on the press,
(7) When it is in wait position, either the robot goes
to the press within 2 t.u. to unload it or it goes
back to the table within 3 t.u. to pick up a new
piece.
The following liveness property concerns the correct
interaction between the robot and the press :
(8) If arm A is full then the press will eventually be
free.
We use two approaches to verify these properties
on the plant. As a ﬁrst approach, we verify the
properties in a classic way, directly on the global
model, with one piece. As a result, we obtain that all
the properties hold on this model of the plant. The
second approach consists in verifying the properties
locally, i.e., on the robot component for properties 1
to 7, and on the composition robot‖press for property
8. Here again, the veriﬁcation succeeds. Next, to
guarantee the preservation of these properties, ﬁrst
when integrating the robot with the press, then when
integrating the composition robot‖press with the rest
of the components, we use the DS timed τ -simulation.
More precisely, we check that
robot‖press Zds robot
to ensure that properties 1 to 7 are preserved on the
composition robot‖press, and
complete model Zds robot‖press
to check the preservation of property 8 on the complete
model (as well as the preservation of properties 1 to 7
if their preservation on robot‖press is established). We
use our tool Vesta to check it for both cases, and obtain
as a result that the veriﬁcation of the simulation was
successful. Thus, properties are preserved.
Fig. 10 gives the detailed results of the comparison of the two approaches in terms of verification times (in seconds). We can see that, even on this small example, the second approach only needs 0.57 sec. of computation time to ensure that the properties hold on the cell (0.06 sec. for local verification and 0.51 sec. for preservation), whereas the classic approach consumes 19.58 sec.

Property   Global verification   Local verification   Preservation checking
           (Kronos)              (Kronos)             (VesTA)
Prop. 1    0.01                  < 0.001
Prop. 2    0.01                  < 0.001
Prop. 3    0.98                  < 0.001
Prop. 4    15.79                 0.04                 0.05
Prop. 5    0.68                  < 0.001
Prop. 6    0.48                  < 0.001
Prop. 7    0.7                   < 0.001
Prop. 8    0.93                  0.02                 0.46
Total      19.58                 0.06                 0.51
Figure 10 Production cell: local and global verification times (in seconds)
Note that, in both approaches, we considered a global system which contains only one piece, for the following reason. First, in the second approach, adding other pieces to the global system does not affect the result of the preservation check. Since the component piece already exists in the global system and there are no synchronizations between pieces, no new deadlocks can appear when a piece is added: the system can either behave as it did with only one piece, or synchronize with the new piece. In the latter case, since the environment of the pieces could synchronize with one piece without introducing deadlocks, it synchronizes with the new pieces in the same way, again without introducing deadlocks. On the other hand, in the first approach, adding pieces considerably increases the computation time for the verification of liveness or bounded-response properties. Indeed, even with few pieces, the memory needed to perform classic verification of such properties is too large for the verification to run to completion.
6 Related works
Several works have studied behavioral equivalences, as well as their associated preorders, in the timed case.
Concerning equivalences, timed bisimulation was studied in (Cerans 1992). Three time-abstracting bisimulations were introduced in (Tripakis & Yovine 2001): strong, observational and delay time-abstracting bisimulation. Unlike timed bisimulation, time-abstracting bisimulations abstract away from the quantitative aspects of time elapsing. Strong time-abstracting bisimulation preserves reachability, timed Büchi automata and Ctl (Tctl is also preserved, modulo a transformation of the TA and of the formula, as presented in (Tripakis 1998)). Observational and delay time-abstracting bisimulations preserve reachability and timed Büchi automata. Bisimulations therefore preserve a wide range of properties. However, they are not really adapted to incremental modeling.
Preorders, in which we are interested in this paper, are better adapted and have also been widely studied. Time-abstracting simulation equivalence and preorder were studied in (Henzinger, Henzinger & Kopke 1995), but timed properties are not preserved by these relations. Timed simulation was defined in (Tasiran, Alur, Kurshan & Brayton 1996). The authors showed that checking whether a TA simulates another one w.r.t. their relation is solvable in Exptime. The relation has the properties of composability, compatibility and compositionality w.r.t. a totally synchronous composition operator. However, non-observable actions are not considered in the definition of this simulation.
The notion of simulation closest to the one we define in this paper is the timed ready simulation of (Jensen, Larsen & Skou 2000). It is defined on extended timed automata, i.e., timed automata which may contain urgent actions and shared variables; non-observable actions are also considered. The definition of this relation is almost equivalent to the definition of our timed τ-simulation, and it thus preserves safety properties, but it has not been extended to handle the preservation of liveness properties. It has the properties of composability, compatibility and compositionality w.r.t. a composition operator whose paradigm is close to that of the classic parallel composition we consider. However, these properties, in particular compositionality, rely on the assumption that the automata have no internal activity (i.e., no τ-transitions).
To our knowledge, no simulation preorder has been defined in the timed case which takes non-observable actions into account and, in particular, preserves liveness properties.
7 Conclusion and future works
The context of this paper is the verification by model-checking of component-based timed systems modeled by timed automata. To cope with the state-space explosion problem of model-checking, we propose to develop such systems incrementally, either by refinement or by integration of components. These methods make it possible to check properties on smaller models, on which model-checking is still applicable. The main issue for these methods to be applicable is the preservation, on the complete model, of the properties established on these smaller models.
To guarantee preservation, we defined τ-simulation relations for timed systems with preservation abilities: a timed τ-simulation which ensures the preservation of safety properties, and a divergence-sensitive and stability-respecting one which handles the preservation of all Mitl properties, as well as strong non-zenoness and deadlock-freedom. We have shown that the timed τ-simulation is well-adapted to incremental development with the classic parallel composition operator for timed automata: it is compatible with the operator, and composability and compositionality hold. This is not the case for the DS timed τ-simulation, because deadlocks often appear when components are composed with this operator. Composability is the fact that a component simulates its integration with other components; its direct consequence is that properties are automatically preserved during the integration of components. As this property does not hold for the DS timed τ-simulation with the classic operator, it is essential to check that the algorithmic verification of preservation, by means of the simulation, does not cancel the benefit of incremental development. We implemented the verification of the DS timed τ-simulation in a tool named Vesta, for the particular case of integration of components, and ran experiments to check whether, even when the simulation is checked algorithmically, the practical cost of an incremental verification by integration of components remains lower than the cost of a direct verification on the complete model. It turns out that, on a production cell example and in terms of computation times, the methodology we propose is more efficient.
This case study (as well as the study of the CSMA/CD protocol presented in (Bellegarde, Julliand, Mountassir & Oudot 2006a)) shows the interest of the method for a kind of parameterized system: a system S likely to contain an undetermined number of identical components Ci, i = 1..n, modulo some renaming. The number n of these components can be viewed as a parameter of the system; in the production cell example, this parameter is the number of pieces admitted in the cell. In the case of integration of components with the classic operator, it would be interesting to be able to check properties with a small fixed number m of components, such that preservation is ensured whatever the number n ≥ m of components. For this purpose, it seems sufficient to find conditions on the Ci's and/or on their synchronizations which guarantee that adding more of these components to the system does not introduce deadlocks (in addition to the condition on the absence of non-zeno cycles of internal activity in the components). Studying such conditions is thus an interesting direction for future work.
Another direction concerns the implementability of timed automata, i.e., studying whether the properties established on a timed automaton are preserved by its implementation on a given platform. The main issue comes from the fact that the semantics of timed automata is usually idealized: execution times of actions are ignored, clocks are infinitely precise, etc. In practice, these perfect concepts do not hold. To check properties on the implementation, (Altisen & Tripakis 2005) propose a modeling-based approach, so as to benefit from the existing verification tools for timed automata: the execution platform P is modeled as timed automata, and the timed automaton A modeling the system is transformed into an untimed finite automaton. The composition of all these automata, called the execution model M, represents the execution of A on the platform P. An interesting perspective would be to study the compatibility of the simulations we defined within the specific framework of the timed automaton A and its execution model M, taking into account the way the platform is specified. This could also make it possible to exhibit conditions on the model of the platform (and thus on the real platform) which guarantee the preservation of the properties of A by its implementation on the platform.
References and Notes
Altisen, K. & Tripakis, S. (2005), Implementation of
Timed Automata : an Issue of Semantics or Modeling
?, Technical Report TR-2005-12, Verimag, Grenoble,
France.
Alur, R. (1991), Techniques for Automatic Veriﬁcation
of Real-Time Systems, PhD thesis, Department of
Computer Science, Stanford University.
Alur, R., Courcoubetis, C. & Dill, D. (1993), ‘Model-
Checking in Dense Real-time’, Information and
Computation 104(1), 2–34.
Alur, R. & Dill, D. (1994), ‘A theory of timed
automata’, Theoretical Computer Science 126(2), 183–
235.
Alur, R., Feder, T. & Henzinger, T. (1996), ‘The beneﬁts
of relaxing punctuality’, Journal of the ACM 43, 116–
146.
Bellegarde, F., Julliand, J. & Kouchnarenko, O. (2000), Ready-simulation is not Ready to Express a Modular Refinement Relation, in 'Proceedings of the 3rd International Conference on Fundamental Approaches to Software Engineering (FASE'00)', Vol. 1783 of Lecture Notes in Computer Science, Springer-Verlag, Berlin, Germany, pp. 266–283.
Bellegarde, F., Julliand, J., Mountassir, H. & Oudot,
E. (2005), On the contribution of a τ -simulation
in the incremental modeling of timed systems, in
‘Proceedings of the 2nd International Workshop on
Formal Aspects of Component Software (FACS’05)’,
Vol. 160 of Electronic Notes in Theoretical Computer
Science, Elsevier, Macao, Macao, pp. 97–111.
Bellegarde, F., Julliand, J., Mountassir, H. & Oudot, E. (2006a), Experiments in the use of τ-simulations for the components-verification of real-time systems, in 'Proceedings of the 5th International Workshop on Specification And Verification of Component-Based Systems (SAVCBS'06)', Portland, Oregon, USA. Also available on ACM Digital Library.
Bellegarde, F., Julliand, J., Mountassir, H. & Oudot, E.
(2006b), The Tool VeSTA: Veriﬁcation of Simulations
for Timed Automata, Technical Report RT2006-01,
LIFC, Laboratoire d’Informatique de l’Universite´ de
Franche-Comte´.
Burns, A. (2003), ‘How to verify a safe real-time
system: The application of model-checking and timed
automata to the production cell case study’, Real-
Time Systems Journal 24(2), 135–152.
Cerans, K. (1992), Decidability of bisimulation
equivalence for parallel timer processes, in
‘Proceedings of the 4th workshop on Computer-Aided
Veriﬁcation (CAV’92)’, Vol. 663 of Lecture Notes in
Computer Science, Springer-Verlag, pp. 302–315.
Clarke, E. & Emerson, E. (1981), Design and synthesis
of synchronization skeletons using branching-time
temporal logic, in ‘Proceedings of Workshop on Logic
of Programs’, Vol. 131 of Lecture Notes in Computer
Science, Springer-Verlag.
Emerson, E. & Halpern, J. (1982), Decision procedures
and expressiveness in the temporal logic of branching
time, in ‘Proceedings of the 14th ACM Symp. Theory
of Computing (STOC’82)’, San Francisco, CA, USA,
pp. 169–180.
van Glabbeek, R. J. (1990), The Linear Time - Branching Time Spectrum, in 'Proceedings of the 1st International Conference on Concurrency Theory (CONCUR'90)', Vol. 458 of Lecture Notes in Computer Science, Springer-Verlag, Amsterdam, Netherlands, pp. 278–297.
van Glabbeek, R. J. (1993), The Linear Time - Branching Time Spectrum II; The semantics of sequential systems with silent moves, in 'Proceedings of the 4th International Conference on Concurrency Theory (CONCUR'93)', Vol. 715 of Lecture Notes in Computer Science, Springer-Verlag, Hildesheim, Germany, pp. 66–81.
Henzinger, M., Henzinger, T. & Kopke, P. (1995),
Computing simulations on ﬁnite and inﬁnite graphs,
in ‘Proceedings of the 36th IEEE Symposium on
Foundations of Computer Science’, pp. 453–462.
Hoare, C. (1985), Communicating Sequential Processes,
Prentice Hall.
Jensen, H., Larsen, K. & Skou, A. (2000), Scaling up Uppaal: Automatic verification of real-time systems using compositionality and abstraction, in 'Proceedings of the 6th International Symposium on Formal Techniques in Real-Time and Fault-Tolerant Systems (FTRTFT'00)', Springer-Verlag, London, UK, pp. 19–30.
Pnueli, A. (1981), 'The temporal semantics of concurrent programs', Theoretical Computer Science 13, 1–20.
Tasiran, S., Alur, R., Kurshan, R. & Brayton, R. (1996), Verifying Abstractions of Timed Systems, in 'Proceedings of the 7th Conference on Concurrency Theory (CONCUR'96)', Vol. 1119 of Lecture Notes in Computer Science, Pisa, Italy, pp. 546–562.
Tripakis, S. (1998), The analysis of timed systems in practice, PhD thesis, Université Joseph Fourier, Grenoble, France.
Tripakis, S. & Yovine, S. (2001), 'Analysis of Timed Systems using Time-abstracting Bisimulations', Formal Methods in System Design 18(1), 25–68.
Tripakis, S., Yovine, S. & Bouajjani, A. (2005), 'Checking Timed Büchi Automata Emptiness Efficiently', Formal Methods in System Design 26(3), 267–292.
Yovine, S. (1997), 'Kronos: A verification tool for real-time systems', Journal of Software Tools for Technology Transfer 1(1/2), 123–133.
Figure 11 Different types of transitions for the proof of Proposition 4 (diagram of the alphabets ΣA, ΣB and ΣC, the τ-transitions, and the regions of cases (i), (ii) and (iii); referenced in Appendix A)
Appendix A. Proof of Proposition 4
Consider the relation $R \subseteq S_{A\|C} \times S_{B\|C}$ such that $(s_A, s_C)\,R\,(s_B, s'_C)$ iff $s_A\,S\,s_B$ and $s_C = s'_C$. As previously, we prove that $R$ satisfies the clauses of Definition 4.
Let $((s_A, s_C), (s_B, s_C)) \in R$.
1. Strict simulation: the proof naturally divides into three parts. Indeed, this clause concerns transitions labelled in $\Sigma_A \cup \Sigma_C$, which fall into three types of transitions of $A\|C$, compared to $B\|C$, as shown in Fig. 11:
(i) transitions of $C$ which do not synchronize with an action of $A$ (the right part of $\Sigma_C$ in Fig. 11),
(ii) transitions in $\Sigma_B$ (see note 8) which do not synchronize with an action of $C$ (the part of $\Sigma_B$ in dark grey in Fig. 11),
(iii) transitions of $C$ which synchronize with a transition of $A$. They appear in $B\|C$ either as interleaved actions of $C$, if the synchronization is with an action of $A$ which does not appear in $B$, or as an action of $B$ synchronized with an action of $C$ otherwise (the central part inside the bold line in Fig. 11).
Let us detail these three cases.
(i) Consider a transition $(s_A, s_C) \xrightarrow{g,c,r} (s_A, s'_C)$ with $c \in \Sigma_C \setminus \Sigma_A$. By construction of $A\|C$, a transition $s_C \xrightarrow{g,c,r} s'_C$ exists in $C$. Therefore $g$ only involves clocks of $C$, and $v_C \in g$. Thus, by construction of $B\|C$, the transition $(s_B, s_C) \xrightarrow{g,c,r} (s_B, s'_C)$ exists in $B\|C$. Since $s_A\,S\,s_B$, and by definition of $R$, we have $(s_A, s'_C)\,R\,(s_B, s'_C)$.
(ii) Consider a transition $(s_A, s_C) \xrightarrow{g,a,r} (s'_A, s_C)$ with $a \in (\Sigma_A \cap \Sigma_B) \setminus \Sigma_C$ (the state $s_C$ is not modified). By definition of $\|$, the transition $s_A \xrightarrow{g,a,r} s'_A$ exists in $A$. Since $s_A\,S\,s_B$, there is a transition $s_B \xrightarrow{g',a,r'} s'_B$ in $B$ such that $s'_A\,S\,s'_B$; thus $v_B \in g'$. Since $g'$ only involves clocks of $B$, and the sets of clocks of $B$ and $C$ are disjoint (by hypothesis in the construction of $B\|C$), we have $(v_B, v_C) \in g'$, so the transition $(s_B, s_C) \xrightarrow{g',a,r'} (s'_B, s_C)$ exists in $B\|C$, and $(s'_A, s_C)\,R\,(s'_B, s_C)$ by definition of $R$.
(iii) Consider a transition $(s_A, s_C) \xrightarrow{g,a,r} (s'_A, s'_C)$ with $a \in \Sigma_A \cap \Sigma_C$. By definition of $\|$, there is a transition $s_A \xrightarrow{g_1,a,r_1} s'_A$ in $A$ and a transition $s_C \xrightarrow{g_2,a,r_2} s'_C$ in $C$. There are two cases: either $a \in \Sigma_A \cap \Sigma_B$ ($a$ is an action of $A$ which is observable with respect to $B$, and thus exists in $B$), or $a \in \Sigma_A \setminus \Sigma_B$ ($a$ is a non-observable action of $A$ which does not exist in $B$).
In the first case, since $s_A\,S\,s_B$, there is a transition $s_B \xrightarrow{g_3,a,r_3} s'_B$ in $B$ such that $s'_A\,S\,s'_B$. Thus there is a transition $(s_B, s_C) \xrightarrow{g',a,r'} (s'_B, s'_C)$ in $B\|C$, and $(s'_A, s'_C)\,R\,(s'_B, s'_C)$ by definition of $R$.
In the second case, since $s_A\,S\,s_B$, we have $s'_A\,S\,s_B$ ($\tau$-stuttering). The transition $(s_B, s_C) \xrightarrow{g_2,a,r_2} (s_B, s'_C)$ exists in $B\|C$, since $g_2$ only involves clocks of $C$ and $v_C \in g_2$. By definition of $R$, we have $(s'_A, s'_C)\,R\,(s_B, s'_C)$.
Thus, the relation $R$ satisfies the strict simulation clause.
2. Delay equality: consider a time transition $(s_A, s_C) \xrightarrow{t} (s'_A, s'_C)$. By definition of $\|$, the transitions $s_A \xrightarrow{t} s'_A$ and $s_C \xrightarrow{t} s'_C$ exist in $A$ and $C$ respectively. Since $s_A\,S\,s_B$, the transition $s_B \xrightarrow{t} s'_B$ exists in $B$ and $s'_A\,S\,s'_B$. The transition $(s_B, s_C) \xrightarrow{t} (s'_B, s'_C)$ therefore exists in $B\|C$ and, by definition of $R$, $(s'_A, s'_C)\,R\,(s'_B, s'_C)$.
3. $\tau$-transitions stuttering: in $A\|C$, compared to $B\|C$, $\tau$-transitions are labelled in $\Sigma_A \setminus (\Sigma_B \cup \Sigma_C)$ (the hatched part in Fig. 11). Consider a transition $(s_A, s_C) \xrightarrow{\tau} (s'_A, s_C)$ (the state $s_C$ is not modified, since $\tau$ represents an action of $\Sigma_A \setminus (\Sigma_B \cup \Sigma_C)$). Since $s_A\,S\,s_B$, we have $s'_A\,S\,s_B$. It follows that $(s'_A, s_C)\,R\,(s_B, s_C)$.
4. Location labelling respect: immediate since $s_A\,S\,s_B$.
5. Common clocks valuation equality: immediate since $s_A\,S\,s_B$.
Appendix B. Proof of Lemma 4
The proof is done by fixed-point induction. Consider the function $F : Z_2 \times Z_1 \to Z_2 \times Z_1$ defined as follows: if $Z_{ds} \subseteq Z_2 \times Z_1$, then $((q_2, \zeta_2), (q_1, \zeta_1)) \in F(Z_{ds})$ iff clauses 1 to 6 of Definition 6 hold.
In the definition of $Z_{ds}$, we consider the greatest fixed point of the function $F$. This function is trivially monotonic (and the sets $Z_2$ and $Z_1$ are finite), so we can reason inductively about the pre-fixed points of this function. The principle of this induction is the following: given a predicate $P$, to prove $P(Z_{ds})$ it suffices to prove $P(F(Z_{ds}))$ under the induction assumption that $P(Z_{ds})$ holds.
Therefore, we suppose that the implication below holds for $Z_{ds}$, and prove that it holds for $F(Z_{ds})$. In other words, we prove that
$$((q_2, \zeta_2), (q_1, \zeta_1)) \in F(Z_{ds}) \Rightarrow \forall v_2 \cdot (v_2 \in \zeta_2 \Rightarrow \exists v_1 \cdot (v_1 \in \zeta_1 \wedge (q_2, v_2)\,S_{ds}\,(q_1, v_1))).$$
We proceed clause by clause. For clarity's sake, we state exactly the formula to be proved for each clause. Throughout, $v{\downarrow}X_1$ (resp. $\zeta{\downarrow}X_1$) denotes the restriction of the valuation $v$ (resp. of the zone $\zeta$) to the clocks of $X_1$. We begin with the clause common clocks valuation equality, since it is used in the rest of the proof.
1. Common clocks valuation equality: we prove that
$$((q_2, \zeta_2), (q_1, \zeta_1)) \in F(Z_{ds}) \Rightarrow \forall v_2 \cdot (v_2 \in \zeta_2 \Rightarrow \exists v_1 \cdot (v_1 \in \zeta_1 \wedge v_2{\downarrow}X_1 = v_1)).$$
By definition of the function $F$, if $((q_2, \zeta_2), (q_1, \zeta_1)) \in F(Z_{ds})$, then $\zeta_2{\downarrow}X_1 \subseteq \zeta_1$. The proof is then immediate by definition of the restriction operator.
2. Strict simulation: we prove that
$$((q_2, \zeta_2), (q_1, \zeta_1)) \in F(Z_{ds}) \Rightarrow \forall v_2 \cdot (v_2 \in \zeta_2 \wedge (q_2, v_2) \xrightarrow{e_2} (q'_2, v'_2) \wedge \mathit{label}(e_2) \in \Sigma_1 \Rightarrow \exists v_1, v'_1, q'_1 \cdot (v_1 \in \zeta_1 \wedge (q_1, v_1) \xrightarrow{e_1} (q'_1, v'_1) \wedge \mathit{label}(e_1) = \mathit{label}(e_2) \wedge (q'_2, v'_2)\,S_{ds}\,(q'_1, v'_1))).$$
Consider a transition $(q_2, v_2) \xrightarrow{e_2} (q'_2, v'_2)$ such that $\mathit{label}(e_2) \in \Sigma_1$. By construction of the simulation graph, if such a transition exists, then a transition $(q_2, \zeta_2) \xrightarrow{e_2} (q'_2, \zeta'_2)$ exists in $SG(A, c)$ such that $v_2 \in \zeta_2$ and $v'_2 \in \zeta'_2$. Since $((q_2, \zeta_2), (q_1, \zeta_1)) \in F(Z_{ds})$, there exists a transition $(q_1, \zeta_1) \xrightarrow{e_1} (q'_1, \zeta'_1)$ with $\mathit{label}(e_1) = \mathit{label}(e_2)$ which satisfies the strict simulation clause of the definition of $F$; in particular, $(q'_2, \zeta'_2)\,Z_{ds}\,(q'_1, \zeta'_1)$. Since this transition exists, by construction of the simulation graph there is at least one discrete (semantic) transition inscribed in it. Moreover, we proved above that there exists $v_1 \in \zeta_1$ such that $v_2{\downarrow}X_1 = v_1$. Since $\mathit{src\_val}((q_2, \zeta_2), e_2, (q'_2, \zeta'_2)){\downarrow}X_1 \subseteq \mathit{src\_val}((q_1, \zeta_1), e_1, (q'_1, \zeta'_1))$, there exists a discrete transition $(q_1, v_1) \xrightarrow{e_1} (q'_1, v'_1)$ such that $v'_1 \in \zeta'_1$.
It remains to prove that $(q'_2, v'_2)\,S_{ds}\,(q'_1, v'_1)$. The action labelling $e_2$ is an observable action of $A_2$; thus we know that $e_2$ resets exactly the same clocks of $X_1$ as $e_1$, i.e., $\mathit{reset}(e_2) \cap X_1 = \mathit{reset}(e_1)$. Moreover, since $v_2{\downarrow}X_1 = v_1$ and, by definition, $v'_2 = [\mathit{reset}(e_2) := 0]\,v_2$ and $v'_1 = [\mathit{reset}(e_1) := 0]\,v_1$, we have $v'_2{\downarrow}X_1 = v'_1$. Since $(q'_2, \zeta'_2)\,Z_{ds}\,(q'_1, \zeta'_1)$ and the induction assumption holds for $Z_{ds}$, we have $(q'_2, v'_2)\,S_{ds}\,(q'_1, v'_1)$.
3. Delay equality: we prove that
$$((q_2, \zeta_2), (q_1, \zeta_1)) \in F(Z_{ds}) \Rightarrow \forall v_2 \cdot (v_2 \in \zeta_2 \wedge (q_2, v_2) \xrightarrow{t} (q_2, v'_2) \Rightarrow \exists v_1, v'_1 \cdot (v_1 \in \zeta_1 \wedge (q_1, v_1) \xrightarrow{t} (q_1, v'_1) \wedge (q_2, v'_2)\,S_{ds}\,(q_1, v'_1))).$$
Time transitions of the semantic transition system do not appear explicitly as transitions of the associated simulation graph: intuitively, time elapses inside zones. Consider a transition $(q_2, v_2) \xrightarrow{t} (q_2, v'_2)$ inside the zone $(q_2, \zeta_2)$ (i.e., $v_2 \in \zeta_2$ and $v'_2 \in \zeta_2$). Consider also the valuation $v_1 \in \zeta_1$ such that $v_2{\downarrow}X_1 = v_1$ (it exists by the common clocks valuation equality clause). Since $\zeta_2{\downarrow}X_1 \subseteq \zeta_1$, there exists a transition $(q_1, v_1) \xrightarrow{t} (q_1, v'_1)$ such that $v'_1 \in \zeta_1$ and $v'_1 = v'_2{\downarrow}X_1$. By the induction assumption, there exists a valuation $v''_1$ such that $(q_2, v'_2)\,S_{ds}\,(q_1, v''_1)$ and $v''_1 = v'_2{\downarrow}X_1$. Thus $v''_1 = v'_1$, and it follows that $(q_2, v'_2)\,S_{ds}\,(q_1, v'_1)$.
4. $\tau$-transitions stuttering: we prove that
$$((q_2, \zeta_2), (q_1, \zeta_1)) \in F(Z_{ds}) \Rightarrow \forall v_2 \cdot (v_2 \in \zeta_2 \wedge (q_2, v_2) \xrightarrow{e_2} (q'_2, v'_2) \wedge \mathit{label}(e_2) = \tau \Rightarrow \exists v_1 \cdot (v_1 \in \zeta_1 \wedge (q'_2, v'_2)\,S_{ds}\,(q_1, v_1))).$$
Consider a transition $(q_2, v_2) \xrightarrow{e_2} (q'_2, v'_2)$ such that $\mathit{label}(e_2) = \tau$. By construction of the simulation graph, a transition $(q_2, \zeta_2) \xrightarrow{e_2} (q'_2, \zeta'_2)$ exists in $SG(A, c)$ such that $v_2 \in \zeta_2$ and $v'_2 \in \zeta'_2$. Since $((q_2, \zeta_2), (q_1, \zeta_1)) \in F(Z_{ds})$, by definition of $F$ we have $(q'_2, \zeta'_2)\,Z_{ds}\,(q_1, \zeta_1)$. We proved previously that there exists a valuation $v_1 \in \zeta_1$ such that $v_1 = v_2{\downarrow}X_1$. It remains to prove that $v'_2{\downarrow}X_1 = v_1$. Since $\tau$-transitions only reset clocks in $X_2 \setminus X_1$, only the valuations of the clocks in $X_2 \setminus X_1$ change from $v_2$ to $v'_2$; thus $v'_2{\downarrow}X_1 = v_1$. Since $(q'_2, \zeta'_2)\,Z_{ds}\,(q_1, \zeta_1)$ and the induction assumption holds for $Z_{ds}$, we have $(q'_2, v'_2)\,S_{ds}\,(q_1, v_1)$.
5. Location labelling respect: immediate by definition of $F$.
6. Divergence-sensitivity: immediate by Lemma 3.
7. Stability-respect: we prove that
if $(\zeta_2 \setminus \mathit{free}(q_2)){\downarrow}X_1 \subseteq \zeta_1 \setminus \mathit{free}(q_1)$ then $\forall v_2 \cdot (v_2 \in \zeta_2 \wedge v_2 \in \mathit{free}(q_2) \Rightarrow \exists v_1 \cdot (v_1 \in \zeta_1 \wedge v_1 \in \mathit{free}(q_1)))$.
This is equivalent to:
if $\forall v \cdot (v \in (\zeta_2 \setminus \mathit{free}(q_2)){\downarrow}X_1 \Rightarrow \exists v' \cdot (v' \in \zeta_1 \setminus \mathit{free}(q_1) \wedge v' = v))$ then $\forall v_2 \cdot (v_2 \in \mathit{free}(q_2) \Rightarrow \exists v_1 \cdot (v_1 \in \mathit{free}(q_1) \wedge v_2{\downarrow}X_1 = v_1))$.
Therefore, the implication holds for $F(Z_{ds})$, which concludes the induction.
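The greatest fixed-point computation of Appendix B, and the composability and deadlock argument of the production cell experiment above, as an added example that is not taken from the paper or from the VeSTA tool: a Python implementation, on finite untimed transition systems, of the greatest fixed point of a τ-simulation (strict simulation on observable actions, stuttering on τ), with a deadlock-reflecting clause standing in for the paper's divergence-sensitivity and stability-respecting clauses. Clocks and zones are dropped, and the robot, press and "stuck press" models, as well as every function name, are hypothetical constructions for this illustration.

```python
# Added example (not from the paper or VeSTA): greatest fixed point of a
# tau-simulation between finite labelled transition systems. Time is
# abstracted away; a deadlock-reflecting clause stands in for the paper's
# divergence-sensitivity and stability-respecting clauses.
from itertools import product

TAU = "tau"  # label of non-observable actions


class LTS:
    """Finite labelled transition system: states, initial state, transitions (s, a, s')."""

    def __init__(self, states, init, transitions):
        self.states = set(states)
        self.init = init
        self.trans = {}  # (s, a) -> set of successor states
        for s, a, t in transitions:
            self.trans.setdefault((s, a), set()).add(t)
        self.labels = {a for (_, a) in self.trans if a != TAU}  # observable alphabet

    def succ(self, s, a):
        return self.trans.get((s, a), set())

    def out(self, s):
        return [(a, t) for (s0, a), ts in self.trans.items() if s0 == s for t in ts]

    def deadlocked(self, s):
        return not self.out(s)


def parallel(p, q):
    """Classic parallel composition: synchronize on common observable labels, interleave the rest."""
    shared = p.labels & q.labels
    states = set(product(p.states, q.states))
    trans = []
    for s1, s2 in states:
        for a, t1 in p.out(s1):
            if a in shared:
                trans.extend(((s1, s2), a, (t1, t2)) for t2 in q.succ(s2, a))
            else:
                trans.append(((s1, s2), a, (t1, s2)))
        for a, t2 in q.out(s2):
            if a not in shared:
                trans.append(((s1, s2), a, (s1, t2)))
    return LTS(states, (p.init, q.init), trans)


def hide(lts, observable):
    """Relabel as tau every action that is not observable w.r.t. the simulating component."""
    return LTS(lts.states, lts.init,
               [(s, a if a in observable else TAU, t)
                for (s, a), ts in lts.trans.items() for t in ts])


def greatest_simulation(big, small, deadlock_sensitive=True):
    """Greatest fixed point: start from all pairs and remove violators until stable."""
    rel = set(product(big.states, small.states))
    changed = True
    while changed:
        changed = False
        for s2, s1 in list(rel):
            ok = True
            for a, t2 in big.out(s2):
                if a == TAU:  # tau-stuttering: the abstract side does not move
                    ok = (t2, s1) in rel
                else:         # strict simulation: same label, related targets
                    ok = any((t2, t1) in rel for t1 in small.succ(s1, a))
                if not ok:
                    break
            # deadlock-reflecting clause: a deadlock of the composition must
            # already be a deadlock of the component it is compared with
            if ok and deadlock_sensitive and big.deadlocked(s2) and not small.deadlocked(s1):
                ok = False
            if not ok:
                rel.discard((s2, s1))
                changed = True
    return rel


def simulates(big, small, deadlock_sensitive=True):
    """Does the component `small` simulate its integration `big` from the initial states?"""
    return (big.init, small.init) in greatest_simulation(big, small, deadlock_sensitive)


# Constructed toy models (hypothetical, not the paper's production-cell automata).
ROBOT = LTS({"r0", "r1"}, "r0", [("r0", "take", "r1"), ("r1", "put", "r0")])
PRESS = LTS({"p0", "p1", "p2"}, "p0",
            [("p0", "put", "p1"), ("p1", "stamp", "p2"), ("p2", "release", "p0")])
# A press that never releases: composing it with the robot introduces a deadlock.
STUCK_PRESS = LTS({"p0", "p1"}, "p0", [("p0", "put", "p1")])


def run_example():
    """Composability of the plain tau-simulation versus rejection of new deadlocks by the DS variant."""
    good = hide(parallel(ROBOT, PRESS), ROBOT.labels)
    bad = hide(parallel(ROBOT, STUCK_PRESS), ROBOT.labels)
    return {
        "robot||press ds-simulated by robot": simulates(good, ROBOT, deadlock_sensitive=True),
        "robot||stuck simulated by robot": simulates(bad, ROBOT, deadlock_sensitive=False),
        "robot||stuck ds-simulated by robot": simulates(bad, ROBOT, deadlock_sensitive=True),
    }


if __name__ == "__main__":
    for check, result in run_example().items():
        print(f"{check}: {result}")
```

The first check succeeds, as does the second: the plain τ-simulation holds for the composition whatever partner is added, which is the composability property the paper establishes for the timed τ-simulation. The third check fails, because the stuck press introduces a deadlock in state (r1, p1) that the robot alone does not have; this is exactly why the DS variant cannot rely on composability and has to be checked algorithmically, as VeSTA does.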
Notes
1. Safety properties express that, under some conditions, something never happens.
2. Liveness properties express that, under some conditions, something will eventually happen.
3. The work presented in this section (except sections 3.3.2 and 3.3.3) was first presented in (Bellegarde, Julliand, Mountassir & Oudot 2005).
4. Note that we do not intend to check this semantic definition algorithmically. It is extended into a symbolic relation (see section 5) in which the delay equality clause amounts to polyhedra inclusion, and is thus decidable.
5. In the simulation graph, only discrete transitions appear. Thus, a τ-cycle is a cycle which only contains transitions labelled by τ.
6. Vesta is available at: http://lifc.univ-fcomte.fr/~oudot/VeSTA
7. This case study, as well as other experiments, was first presented in (Bellegarde et al. 2006a).
8. These transitions are also in ΣA, since A S B and therefore ΣB ⊆ ΣA.
