Revisiting Timed Specification Theory II : Realisability
Chris Chilton, Marta Kwiatkowska, Xu Wang
Department of Computer Science, University of Oxford, UK
Abstract
In this paper we present an assume-guarantee specification theory (aka in-
terface theory from [14]) for modular synthesis and verification of real-time
systems with critical timing constraints. It is a further step of our earlier
work [10] which achieved an elegant algebraic specification theory for real-
time systems endowed with the capability to freeze time. In this paper we
relinquish such (unrealisable) capability and target more realistic systems
without the ability to stop time.
In comparison with related works [14, 11], we build our theory on a sur-
prisingly simple framework of timed I/O automata enhanced with invariant/co-
invariant distinction, which, nevertheless, suffices to specify the timed as-
sumption and guarantee of a component w.r.t. both safety and bounded-
liveness requirements. When two specifications are parallel composed, the
guarantee in one specification will be matched against the assumption in the
other. Any mismatch gives rise to an occurrence of incompatibility error.
Our theory, in a combined process-algebraic and reactive-synthesis style,
provides the operations of parallel composition for system integration, logical
conjunction/disjunction for viewpoint fusion and independent development,
and quotient for incremental synthesis.
We show that a substitutive refinement preorder, which is a coarsening of
the pre-congruence in [10], constitutes the weakest pre-congruence preserving
freedom of incompatibility errors. The coarsening requires a shift in the focus
of our theory to a more game-theoretical treatment, where the coarsening
constitutes a reactive synthesis game named normalisation and is efficiently
implementable by a novel local ⊥-backpropagation algorithm.
Previously, timed concurrent games have been studied in [1, 14, 13],
where one of the key concerns is the removal of time-blocking strategies by applying blame assignment [13]. Our timed games also have the issue of time-blocking strategies, which may arise through the composition of specifications. However, due to our distinctively different formulation of timed games, we have found another elegant solution to the problem without blame assignment. Our solution utilises a second reactive synthesis game called realisation, which is dual to normalisation and implementable by the dual local ⊤-backpropagation algorithm.
Based on the timed game formulation and as a further step to previous works, we also study the composition of synthesis games under different operators, e.g. the distributivity of realisation over conjunction, which arises through the composition of specifications, and which can also be usefully exploited as a theoretical foundation for the compositional synthesis [16] of timed processes.
Utilising such knowledge, we achieve the complete operational definition to all the composition operators (on specifications) and prove the weakest congruence result by applying the timed strategies semantics on the set of operators.
Preprint submitted to Elsevier November 9, 2018
arXiv:1304.7590v1 [cs.LO] 29 Apr 2013
Keywords: timed automata, timed interfaces, specification theory,
assume/guarantee verification, reactive/controller synthesis, weakest
congruence, substitutive refinement, conjunction, quotient
1. Introduction
Modular synthesis and verification of quantitative aspects (e.g. real-
time, probability, reward, etc.) of computational and physical processes
(e.g. cyber-physical systems) is an important research topic. For instance,
[3] gives a general discussion and motivation of the modular approach to
quantitative system design. In this programme of quantitative study, a spec-
ification of components consists of a combination of quantitative assumption
and quantitative guarantee. One of the crucial criteria for the success of
such a programme lies in a unified core theory, to which only minimal and
additive extensions are required for addressing the different aspects, so that
the amalgamation of the extensions does not entail overwhelming technical
complications.
As one step of the programme, this paper targets component-based devel-
opment for real-time systems with critical timing constraints, such as embed-
ded system components, the middleware layer and asynchronous hardware.
We propose a complete timed specification theory using a framework of min-
imal extension of timed automata.
The framework provides the operations of parallel composition for ex-
amining the structural behaviour of systems, logical conjunction/disjunction
for viewpoint fusion and independent development, as well as quotient for
incremental synthesis.
The refinement relation is defined relative to the notion of incompatibility
error. That is, parallel composition incurs the matching up of the assumption
and guarantee from different components. Any AG mismatch generates an
incompatibility error (denoted by ⊥) in the composed system. Refinement
thus means error-free substitutivity: there is no context in which replacing a
component by a refinement will introduce further incompatibility error.¹
Previously, based on the framework, [10] introduced a compositional
linear-time specification theory for real-time systems, where the substitutive
refinement is the weakest pre-congruence preserving incompatibility errors
(for the four operations), and characterisable by a finite trace semantics. A
key novelty of [10] lies in the introduction of an explicit timestop operation
(denoted by ⊤) that halts the progress of the system clock.
Equipped with timestop, an environment of [10] 1) can tell two compo-
nents apart by observing not only the occurrence of incompatibility errors
but also the timing difference in such occurrences, and 2) can steer any com-
ponent away from incompatibility errors no matter how error-prone it is.
Thus, it gives rise to a finest congruence over a set of fully defined operators
(esp. conjunction and quotient) as well as a greatly simplified theory.
While timestop is appropriate for a restricted class of applications, such
as embedded systems and circuit design [20], there are cases where the oper-
ation of stopping the system clock is neither meaningful nor implementable.
Similar observations have also been made in the works on concurrent timed
games [1, 14, 13], where there is no explicit timestop operation but the use
of implicit timestop by time-blocking strategies is considered unrealistic for
winning games. Thus, it is desirable to consider systems without explicit or
implicit timestops, which we call realisable systems.
For realisable systems, components, not substitutively-equivalent according to [10], can become equivalent under realisability. This is a consequence of the environment losing the power to observe the timing difference in error occurrences (see the example in Figure 6). Thus, we need a new substitutive refinement preorder, which is a coarsening of the pre-congruence in [10].
¹ Note that the existence of incompatibility errors does not mean that the composed system is un-usable; an environment can still usefully exploit the system by only exercising the parts of its behaviours insulated from the incompatibility errors, as has been well explained in [14].
To best characterise the coarsening, our theory needs a shift in focus to a more game-theoretical treatment², where the coarsening constitutes a reactive synthesis game called normalisation, and is efficiently implementable by
a novel local ⊥-backpropagation algorithm which repeatedly removes incom-
patibility errors from a system. The ⊥-backpropagation algorithm is strictly
more aggressive (i.e. classifying more states as winning states) than the clas-
sical timed reactive synthesis algorithms [1, 7] and is crucial for our weakest
congruence results.
Furthermore, similar to timed concurrent games [14, 13], where one of
the key concerns is the removal of time-blocking strategies by applying blame
assignment, it is also crucial in our framework to remove timestopping be-
haviours since specification composition (e.g. conjunction and quotient) may
generate new unrealisable behaviours. However, unlike [14, 13], our frame-
work does not use blame assignment to remove unrealisable behaviours.
Rather, we have found a different elegant solution based on a dual reac-
tive synthesis game to normalisation called realisation, largely thanks to our
different formulation of timed games. Realisation can be efficiently imple-
mented by the dual ⊤-backpropagation algorithm.
Furthermore, unlike previous works on timed concurrent games [1, 14, 13, 7, 11], which mostly concentrate on studying a single game, our work also studies the composition of games under different operators. That is, each specification is embedded with a pair of synthesis games. When specifications are composed, we need to understand how the synthesis games interact or interfere with one another across specification boundaries and how we should define the composition of such games correctly. This will form a basis for both the compositional synthesis of timed processes and the full operational definition of specification composition operators.
Finally, some further contributions of our theory lie in 1) the process-algebraic techniques of deriving process composition operation from state composition operation via state-to-process lifting, enabling the transfer of algebraic properties from the state composition level to the process composition level, 2) the robust and intuitive timed-strategies characterisation of the refinement and operators, which serves as a simple correctness proof to the operator definitions, 3) the linear-time (i.e. double trace sets) characterisation of the refinement and operators, which supports the explicit separation of assumption and guarantee and interfaces well with automata and learning techniques, and 4) the elegant minimal extension of timed automata that can distinguish, for the first time, the roles of I/O transition guards and invariant/co-invariant as specifying resp. timed safety/liveness assumptions/guarantees, thus making our TIOAs an appealing model for practical application of timed AG reasoning.
² In contrast, our early work [10] is based predominantly on a process-algebraic and trace-theoretical framework, where the timed game part plays only the supportive role for providing a general setting to timed strategies semantics.
Outline. Section 2 introduces a minimal extension of timed automata as our
formal framework, i.e. timed I/O automata (TIOA) and timed I/O transition
systems (TIOTS). Based on TIOTSs, we introduce 1) the ⊥ state and the
auto-⊥/semi-⊥ states as incompatibility errors in closed systems and open
systems resp., and 2) the auto-⊤ and semi-⊤ states as explicit and implicit
timestop. Based on ⊤- and ⊥-completed TIOTSs, we define the parallel
composition operator using the state-to-process lifting technique.
Section 3 introduces our formulation of timed I/O games, consisting of
three players, system, environment and coin. Then we define game rules and
strategies and show that the parallel composition of specifications can be
reduced to strategy composition. Finally we define refinement as error-free
substitutivity and give the corresponding strategy characterisation via a so-
called determinisation procedure that converts imperfect-information games
into perfect information games.
Section 4 introduces the concept of realisable specifications as well as the coarsened refinement. Then, we introduce the timed synthesis game called normalisation and show that auto-⊥/semi-⊥ states are localised versions of ⊥-winning states in such games. Finally, using the normalised strategies, we illustrate what the expected semantics is for the operators like conjunction, disjunction and quotient.
Section 5 gives the operational definition of the operators using a combined process-algebraic and reactive-synthesis style. We first give the process-algebraic definitions (i.e. state-to-process lifting) for the restricted cases when operands are all normalised, and show 1) that the composition under conjunction and quotient may generate new unrealisable (i.e. time-blocking) strategies that are removable by another reactive-synthesis game called realisation, and 2) that semi-⊤/auto-⊤ states are localised versions of the ⊤-winning states for the realisation game.
Then we give the reactive-synthesis operational definitions for the gen-
eral cases when specifications are not normalised. We study how the synthe-
sis games interfere with each other across the specification boundary under
different operators. We prove results like the distributivity of normalisa-
tion/realisation over operations like conjunction, quotient, and determinisa-
tion.
Finally, Section 6 uses a case study to illustrate how we can use our novel
backpropagation to synthesise controllers that can steer a component away
from undesirable behaviours. Related work is considered in Section 7, while
we conclude and suggest future work in Section 8.
2. Minimal TA Extension for Timed Specifications
In this section we introduce our timed framework, i.e. timed I/O au-
tomata (TIOA) and timed I/O transition systems (TIOTS). Our frame-
work has significant differences from the timed models defined by previous
works [17, 14, 11]. The distinction mostly lies in that our models are specially designed to support the mixed assume/guarantee specifications of components. That is, given a component, we specify both its system guarantee and environmental assumption, which are combined and mixed to be represented by a single automaton. In this respect our specifications are similar to timed interfaces proposed by [14].
The origin of our framework appeared earlier in our work [10]. However, the version presented in this section contains important technical extensions as well as presentation improvements.
2.1. Timed I/O Automata
Specifications in our theory are modelled by timed I/O transition systems,
which can be compactly represented as timed I/O automata under certain
restrictions.
Clock constraints. Given a set X of real-valued clock variables, a clock constraint over X, cc : CC(X), is a boolean combination of atomic constraints of the form x ⋈ d and x − y ⋈ d, where x, y ∈ X, ⋈ ∈ {≤, <, =, >, ≥}, and d ∈ N.
Definition 1. A timed I/O automaton (TIOA) is a tuple (C, I, O, L, l0, AT, Inv, coInv), where:
• C ⊆ X is a finite set of clock variables (ranged over by x, y, etc.)
• A = I ⊎ O is a finite alphabet (ranged over by a, b, etc.) consisting of the inputs I and outputs O
• L is a finite set of locations (ranged over by l, l′, etc.)
• l0 ∈ L is the initial location
• AT ⊆ L × CC(C) × A × 2^C × L is a set of action transitions
• Inv : L → CC(C) and coInv : L → CC(C) assign invariants and co-invariants to states, each of which is a downward-closed clock constraint.
In the rest of the paper we use l --g,a,rs--> l′ as a shorthand for (l, g, a, rs, l′) ∈ AT. g : CC(C) is the enabling guard of the transition, a ∈ A the action, and rs the subset of clock variables to be reset.
Our TIOAs are an extension of timed automata that distinguish input
from output and invariant from co-invariant. They are designed for the
assume/guarantee specification of timed components, and can be regarded
as a simplification of the timed interface automata of [14]. In our frame-
work, a specification is a combination of the timing assumptions made by
the component on the inputs issued by the environment along with the tim-
ing guarantees provided by the component on its outputs. Specifically:
• Guards on output transitions express safety timing guarantees. The
component guarantees that an output will only be fired at a point in
time when it is allowed by a guard.
• Guards on input transitions express safety timing assumptions. The
component assumes that the environment will only issue an input at a
time when it is allowed by a guard.
• An invariant (at a location) expresses liveness timing guarantees. The
system guarantees that some output will be fired before the time bound
specified by the invariant has been exceeded.
• A co-invariant expresses liveness timing assumptions. The component
assumes that the environment will issue some input before the time
bound specified by the co-invariant has been exceeded.
[Figure 1 (diagram): Scheduler with locations A (Inv: x <= 100, Co: true) and B (Inv: true, Co: true); transitions A --start! x:=0--> B and B --finish? 5 <= x <= 8, x:=0--> A. Printer_controller with locations 1 (Inv: true, Co: true), 2 (Inv: y<=1, Co: true), 3 (Inv: true, Co: y<=10) and 4 (Inv: y<=5, Co: true); transitions 1 --start? y:=0--> 2, 2 --print! y==1, y:=0--> 3, 3 --printed? y:=0--> 4 and 4 --finish!--> 1.]
Figure 1: Job scheduler and printer controller.
Example. Figure 1 depicts TIOAs representing a job scheduler together with
a printer controller. The invariant at location A of the scheduler forces a
bounded-liveness guarantee on outputs in that location: as time must be
allowed to progress beyond x = 100, the start action must be fired before
x exceeds 100. After start has been fired, the clock x is reset to 0 and the
scheduler waits (possibly indefinitely) for the job to finish. In the case that
the job does finish, the scheduler expects this to take place only at a time
point satisfying 5 ≤ x ≤ 8 (i.e. safety assumption).
The controller waits for the job to start , after which it will wait exactly
1 time unit before issuing print (forced by the invariant y ≤ 1 on state 2
and the guard y = 1 on the print ! transition, acting together as a combined
liveness and safety guarantee). Then, the controller requires the printer to
acknowledge the job as having been printed within 10 time units (i.e. co-
invariant y ≤ 10 in state 3 acting as bounded-liveness assumption). After
receiving the acknowledgement, the controller must indicate to the scheduler,
within 5 time units, that the job has finished.
2.2. Timed I/O Transition Systems
Formally, the semantics of TIOAs are given by a minimal extension of timed transition systems, which are a special class of infinite labelled transition systems enhanced with two distinguished states ⊤ and ⊥.
Definition 2. A timed I/O transition system (TIOTS) is a tuple P = ⟨I, O, S, s0, →⟩, where I and O are the input and output actions respectively, S = (L × R^C) ⊎ {⊥, ⊤} is a set of states, s0 ∈ S is the designated initial state, and → ⊆ S × (I ⊎ O ⊎ R>0) × S is the action and time-labelled transition relation.
Plain states. A clock valuation over C is a map t that assigns to each clock
variable x in C a real value from R≥0. A state of the TIOTS is a pair drawn
from L × RC (i.e. the location and clock valuation pair), which we refer to
as the set of plain states.
In addition, we introduce two special states ⊥ and ⊤. These can be explained from a game-theoretic perspective. ⊥ represents the violations of the assumptions on the environment, while ⊤ represents the violations of the guarantees by the system. Therefore, the system tries to avoid ⊤, while the environment tries to avoid ⊥. The trivial TIOTS with ⊤ (resp. ⊥) as the initial state is called the ⊤-TIOTS (resp. ⊥-TIOTS).
Notation. In the rest of the paper we use p, p′, pi to range over plain states P = L × R^C while s, s′, si range over S. Furthermore we define tA = I ⊎ O ⊎ R>0 to be the set of timed actions, tI = I ⊎ R>0 to be the set of timed inputs, and tO = O ⊎ R>0 to be the set of timed outputs. Symbols like α, β, etc. are used to range over tA.
A timed trace (ranged over by tt, tt′, tti etc.) is a finite mixed sequence of positive real numbers (R>0) and visible actions such that no two numbers are adjacent to one another. For instance, ⟨0.33, a, 1.41, b, c, 3.1415⟩ is a timed trace denoting the observation that action a occurs at 0.33 time units, then another 1.41 time units elapse before the simultaneous occurrence of b and c, which is followed by 3.1415 time units of no event occurrence. The empty trace is denoted by ε. An infinite timed trace is an infinite such sequence.
We use l(tt) to indicate the duration of tt, which is obtained as the sum of all the reals in tt, and use c(tt) to count the number of action occurrences along tt. Concatenation of timed traces tt and tt′, denoted tt ⌢ tt′, is obtained by appending tt′ onto tt and coalescing adjacent reals (summing them). For instance, ⟨a, 1.41⟩ ⌢ ⟨0.33, b, 3.1415⟩ = ⟨a, (1.41 + 0.33), b, 3.1415⟩ = ⟨a, 1.74, b, 3.1415⟩.
Prefix/extension are defined as usual by concatenation. We write tt ↾ tA0 for the projection of tt onto timed alphabet tA0, which is defined by removing from tt all actions not inside tA0 and summing up adjacent reals.
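As an added illustration (not code from the paper), the following Python implements the timed-trace operations just defined: the well-formedness condition, l(tt), c(tt), concatenation with coalescing of adjacent reals, prefix, and the projection tt ↾ tA0, and runs them on the paper's own sample traces. Storing reals as exact fractions, so that 1.41 + 0.33 is exactly 1.74, is an implementation choice of this example, not something the paper prescribes.

```python
from fractions import Fraction
from numbers import Real
from typing import List, Set, Union

Event = Union[Fraction, str]   # a positive real delay or a visible action name


def trace(*events) -> List[Event]:
    """Build a timed trace from numbers (delays) and strings (actions).
    Numbers are converted to exact fractions via their repr, so the literal
    1.41 becomes Fraction(141, 100). Malformed sequences are rejected."""
    tt: List[Event] = []
    for e in events:
        if isinstance(e, Real):
            if e <= 0:
                raise ValueError("delays must be positive reals")
            if tt and isinstance(tt[-1], Real):
                raise ValueError("two reals may not be adjacent")
            tt.append(Fraction(str(e)))
        else:
            tt.append(str(e))
    return tt


def duration(tt: List[Event]) -> Fraction:
    """l(tt): the sum of all reals in tt."""
    return sum((e for e in tt if isinstance(e, Real)), Fraction(0))


def count(tt: List[Event]) -> int:
    """c(tt): the number of action occurrences along tt."""
    return sum(1 for e in tt if not isinstance(e, Real))


def concat(tt: List[Event], tt2: List[Event]) -> List[Event]:
    """tt ⌢ tt2: append tt2 to tt, summing adjacent reals at the junction."""
    out = list(tt)
    for e in tt2:
        if isinstance(e, Real) and out and isinstance(out[-1], Real):
            out[-1] = out[-1] + e
        else:
            out.append(e)
    return out


def project(tt: List[Event], alphabet: Set[str]) -> List[Event]:
    """tt ↾ tA0: drop actions outside the alphabet; reals are always kept and
    coalesce whenever a removal makes two of them adjacent."""
    out: List[Event] = []
    for e in tt:
        if isinstance(e, Real) or e in alphabet:
            out = concat(out, [e])
    return out


def is_prefix(tt: List[Event], tt2: List[Event]) -> bool:
    """tt is a prefix of tt2 iff some tt3 satisfies tt ⌢ tt3 == tt2; a trailing
    real of tt may therefore be shorter than the real it lines up with in tt2."""
    if len(tt) > len(tt2):
        return False
    for i, (e, f) in enumerate(zip(tt, tt2)):
        if isinstance(e, Real) != isinstance(f, Real):
            return False
        if isinstance(e, Real) and i == len(tt) - 1:
            return e <= f
        if e != f:
            return False
    return True


# The paper's own sample traces from Section 2.2.
SAMPLE = trace(0.33, "a", 1.41, "b", "c", 3.1415)
CONCAT_EXAMPLE = concat(trace("a", 1.41), trace(0.33, "b", 3.1415))
```

Projection is written in terms of concatenation so that the "summing up adjacent reals" clause of the definition is handled by one piece of code; `project(SAMPLE, {"b"})` therefore yields ⟨1.74, b, 3.1415⟩.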
Determinism and Non-zenoness. We say a TIOTS is deterministic iff there is no ambiguous transition, i.e. s --α--> s′ ∧ s --α--> s″ implies s′ = s″. It is time additive providing p --d1+d2--> s′ iff p --d1--> s and s --d2--> s′ for some s.
For a TIOTS P, we use p ==tt==> p′ to denote a finite execution starting from p that produces trace tt and leads to p′. Similarly, we can define infinite executions which produce infinite traces on P. An infinite execution is zeno iff the action count is infinite but duration is finite.
We say a TIOTS P is non-zeno providing no plain execution is zeno. P is strongly non-zeno iff there exists some k ∈ N s.t., for all plain executions p ==tt==> p′, it holds that l(tt) = 1 implies c(tt) ≤ k. Here, we say a finite or infinite execution is a plain execution iff the execution only visits plain states.
Assumption on TIOTSs. We only consider non-zeno time-additive TIOTSs in this paper. For technical convenience (e.g. ease of defining time additivity and trace semantics), the definition of TIOTSs requires that ⊤ and ⊥ are chaotic states, i.e. states whose outgoing transitions are all self-loops, one for each α ∈ tA.
The strong non-zenoness is not an assumption of our theory. But with this additional requirement we can show that the synthesis and verification theory in this paper is fully automatable.
2.3. From TIOAs to TIOTSs
In this section we show how to derive a TIOTS that represents the se-
mantics of a TIOA.
⊤/⊥ completion. We first introduce two semantics-preserving transformations on TIOTSs, which give an explicit representation for assumption and guarantee violations. The ⊥-completion of a TIOTS P, denoted P⊥, adds an a-labelled transition from p to ⊥ for every p ∈ P (= L × R^C) and a ∈ I s.t. a is not enabled at p.³ The ⊤-completion, denoted P⊤, adds an α-labelled transition from p to ⊤ for every p ∈ P and α ∈ tO s.t. α is not enabled at p. This coincides with our game-based interpretation of ⊤ and ⊥, since:
1. a disabled input at a plain state is represented as an input transition to ⊥ (assumption violation)
2. a disabled output at a plain state is represented by an output transition from that state to ⊤ (guarantee violation)
3. a disabled delay is represented by a delay transition to ⊤ (guarantee violation).
³ ⊥-completion will make a TIOTS input-receptive, i.e. input-enabled at all states.
The mapping of disabled delays to ⊤ looks surprising, since time is controlled by neither the system nor the environment. Our bias towards ⊤ is due to a decision made relating to urgency semantics.
In classical semantics without I/O distinction, if a state has no delay transition enabled, then some action becomes urgent for firing. For I/O systems, if a state has no enabled delay transition, we have to choose either the inputs or the outputs (enabled at that state) to become urgent.
The above mapping of disabled delays to ⊤ implies we choose to make outputs urgent, since the pending ⊤ (guarantee violation) implies the system cannot let time pass and so must fire with urgency other transitions under its control (i.e. an output transition).
⊤/⊥ removal. The inverse operations of ⊤/⊥ completion, called ⊤/⊥ removal, are also semantics-preserving transformations. For instance, ⊤-removal removes all output and delay transitions from plain states to ⊤ in the TIOTSs.
We can now give the execution semantics of TIOAs in terms of ⊤/⊥-removed TIOTSs, since this makes the mapping simpler.
Clock valuation. We say a clock valuation t satisfies a clock constraint cc, written t ∈ cc, if cc evaluates to true under valuation t. t + d denotes the valuation derived from t by increasing the assigned value on each clock variable by d ∈ R≥0 time units. t[rs ↦ 0] denotes the valuation obtained from t by resetting the clock variables in rs to 0. Sometimes we use 0 for the clock valuation that maps all clock variables to 0.
Definition 3. The semantic mapping of a TIOA P is a TIOTS ⟨I, O, S, s0, →⟩ with:
• set of states S = (L × R^C) ⊎ {⊥, ⊤}
• initial state s0 = ⊤ providing 0 ∉ Inv(l0), s0 = ⊥ providing 0 ∈ Inv(l0) ∧ ¬coInv(l0) and s0 = (l0, 0) providing 0 ∈ Inv(l0) ∧ coInv(l0),
• a transition relation → ⊆ S × (I ⊎ O ⊎ R>0) × S being the smallest (time-additive) relation such that:
1. ⊤ and ⊥ are chaotic states,
2. If l --g,a,rs--> l′, t′ = t[rs ↦ 0], t ∈ Inv(l) ∧ coInv(l) ∧ g, then:
(a) plain action: (l, t) --a--> (l′, t′) providing t′ ∈ Inv(l′) ∧ coInv(l′)
(b) magic action: (l, t) --a--> ⊤ providing t′ ∈ ¬Inv(l′) and a ∈ I
(c) error action: (l, t) --a--> ⊥ providing t′ ∈ Inv(l′) ∧ ¬coInv(l′) and a ∈ O.
3. plain delay: (l, t) --d--> (l, t + d) if t, t + d ∈ Inv(l) ∧ coInv(l)
4. time-out delay: (l, t) --d--> ⊥ if t ∈ Inv(l) ∧ coInv(l) and t + d ∈ Inv(l) ∧ ¬coInv(l).⁴
In TIOAs we do not have explicit ⊤ and ⊥. This is because we interpret a configuration (l, t) as ⊤ if t violates the invariant in location l and we interpret a configuration (l, t) as ⊥ if t violates the co-invariant in location l (while the invariant holds). The two types of configurations are collectively called illegal configurations. Sometimes we simply represent a location with true as the invariant and false as co-invariant by ⊥. Dually, we have a ⊤ location.
The TIOTS attempts to track the configuration of the TIOA, and directly maps the illegal configurations to ⊤ and ⊥. Furthermore, our TIOTS does not contain transitions that are ⊤/⊥-removable. As a consequence, only output and delay transitions go to ⊥ and only input transitions go to ⊤.
Note that our interpretation gives priority to the invariant (cf. the occurrences of the condition Inv ∧ ¬coInv in the above definition). If a delay exceeds the invariant bound before exceeding the co-invariant bound, the delay transition goes to ⊤, which is modelled as a disabled transition; if a delay exceeds the co-invariant bound before exceeding the invariant bound, the delay transition goes to ⊥ (i.e. time-out delay). However, if a delay exceeds both bounds simultaneously, the delay transition goes to ⊤ (i.e. as a disabled transition).
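To make Definition 3 and the invariant-priority rule concrete, here is an added Python example (not code from the paper) that computes the ⊤/⊥-removed TIOTS semantics of a TIOA on demand and runs the scheduler and printer controller of Figure 1 through it. It simplifies the paper's clock constraints in one respect, stated here as an assumption: invariants and co-invariants are conjunctions of non-strict upper bounds x <= c (all that Figure 1 uses), so the delay at which a bound is exceeded is computed directly; guards stay arbitrary predicates. Passing completed=True returns ⊤ or ⊥ for disabled transitions, i.e. the ⊤/⊥-completed view of Section 2.3, and the time-additive closure of footnote 4 is built into delay(). The automata are assumed deterministic (the first enabled transition is taken).

```python
import math
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

TOP, BOTTOM = "TOP", "BOTTOM"      # the special states ⊤ and ⊥
Valuation = Dict[str, float]       # clock valuation t : C -> R>=0
Bound = List[Tuple[str, float]]    # conjunction of x <= c (assumption of this example); [] is `true`


@dataclass
class TIOA:
    clocks: Set[str]
    inputs: Set[str]
    outputs: Set[str]
    init: str
    inv: Dict[str, Bound]
    coinv: Dict[str, Bound]
    trans: List[Tuple[str, Callable[[Valuation], bool], str, Set[str], str]]  # (l, g, a, rs, l')


def holds(cc: Bound, t: Valuation) -> bool:
    """t ∈ cc for a downward-closed upper-bound constraint."""
    return all(t[x] <= c for x, c in cc)


def exit_time(cc: Bound, t: Valuation) -> float:
    """Largest delay d with t + d ∈ cc (inf for `true`)."""
    return min((c - t[x] for x, c in cc), default=math.inf)


def is_plain(A: TIOA, l: str, t: Valuation) -> bool:
    return holds(A.inv[l], t) and holds(A.coinv[l], t)


def initial_state(A: TIOA):
    """s0 of Definition 3: the invariant is checked before the co-invariant."""
    t0 = {x: 0.0 for x in A.clocks}
    if not holds(A.inv[A.init], t0):
        return TOP
    return BOTTOM if not holds(A.coinv[A.init], t0) else (A.init, t0)


def delay(A: TIOA, l: str, t: Valuation, d: float, completed: bool = False):
    """Rules 3 and 4 closed under time additivity (footnote 4): crossing the
    co-invariant bound strictly before the invariant bound reaches ⊥ via some
    split of d; crossing the invariant bound first, or both at once, is a
    disabled delay, which ⊤-completion sends to ⊤."""
    assert is_plain(A, l, t) and d > 0
    e_inv, e_co = exit_time(A.inv[l], t), exit_time(A.coinv[l], t)
    if d <= e_inv and d <= e_co:
        return (l, {x: v + d for x, v in t.items()})   # plain delay
    if e_co < e_inv and e_co < d:
        return BOTTOM                                   # time-out delay
    return TOP if completed else None


def step(A: TIOA, l: str, t: Valuation, a: str, completed: bool = False):
    """Rule 2: plain (a), magic (b) and error (c) actions; any other case is
    disabled, and ⊥/⊤-completion sends disabled inputs to ⊥, outputs to ⊤."""
    assert is_plain(A, l, t)
    for src, guard, act, resets, dst in A.trans:
        if src != l or act != a or not guard(t):
            continue
        t2 = {x: (0.0 if x in resets else v) for x, v in t.items()}
        inv_ok, co_ok = holds(A.inv[dst], t2), holds(A.coinv[dst], t2)
        if inv_ok and co_ok:
            return (dst, t2)                            # (a) plain action
        if not inv_ok and a in A.inputs:
            return TOP                                  # (b) magic action
        if inv_ok and a in A.outputs:
            return BOTTOM                               # (c) error action
        break                                           # deterministic: no second attempt
    if not completed:
        return None
    return BOTTOM if a in A.inputs else TOP


def run(A: TIOA, tt: list, completed: bool = False):
    """Execute a timed trace from s0; ⊤ and ⊥ are chaotic, so they absorb."""
    s = initial_state(A)
    for e in tt:
        if s is None or s in (TOP, BOTTOM):
            return s
        l, t = s
        s = delay(A, l, t, e, completed) if isinstance(e, (int, float)) else step(A, l, t, e, completed)
    return s


# Figure 1, transcribed from the diagram: scheduler (locations A, B) and
# printer controller (locations 1..4). Guards are plain predicates on t.
SCHEDULER = TIOA(
    clocks={"x"}, inputs={"finish"}, outputs={"start"}, init="A",
    inv={"A": [("x", 100)], "B": []}, coinv={"A": [], "B": []},
    trans=[("A", lambda t: True, "start", {"x"}, "B"),                 # start! x:=0
           ("B", lambda t: 5 <= t["x"] <= 8, "finish", {"x"}, "A")],   # 5<=x<=8 finish? x:=0
)
PRINTER = TIOA(
    clocks={"y"}, inputs={"start", "printed"}, outputs={"print", "finish"}, init="1",
    inv={"1": [], "2": [("y", 1)], "3": [], "4": [("y", 5)]},
    coinv={"1": [], "2": [], "3": [("y", 10)], "4": []},
    trans=[("1", lambda t: True, "start", {"y"}, "2"),          # start? y:=0
           ("2", lambda t: t["y"] == 1, "print", {"y"}, "3"),   # y==1 print! y:=0
           ("3", lambda t: True, "printed", {"y"}, "4"),        # printed? y:=0
           ("4", lambda t: True, "finish", set(), "1")],        # finish!
)
```

Two runs show the two kinds of illegal configuration from the text: waiting 11 time units in location 3 of the controller exceeds the co-invariant y ≤ 10 while the invariant (true) still holds, so the delay is a time-out that lands in ⊥; waiting 2 time units in location 2 exceeds the invariant y ≤ 1 first, so the delay is simply disabled (⊤ in the completed view), which is the urgency that forces print! at y = 1.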
2.4. Parallel composition
In the rest of the paper, we will develop our theory on top of TIOTSs, which are endowed with a richer repertoire of semantic machinery.⁵ In particular, we will use ⊤/⊥-completed TIOTSs extensively, since the nice duality possessed by ⊤/⊥-completed TIOTSs can simplify our presentation a lot.
⁴ Note that by time additivity and the chaotic nature of ⊥: p --d--> ⊥ implies p --d′--> ⊥ for all d′ ≥ d.
⁵ Furthermore, we will not restrict ourselves to TIOTSs mapped from TIOAs.
[Figure 2 (diagram): the untimed I/O transition systems A, B and their product A||B, C, D and their product C||D (with an err state), and, at the level of ⊤/⊥-completed TIOTSs, A', B', A'||B', C', D', C'||D', as discussed in the text below.]
Figure 2: Parallel composition illustrated
But, from time to time, we will also use ⊤/⊥-removed TIOTSs or even ⊤/⊥-free TIOTSs, because, without ⊤ and ⊥, the TIOTSs are essentially classical I/O transition systems [17, 25], enabling us to tap into classical semantics.
Therefore, we will freely switch between the two levels of semantics in the sequel: ⊤/⊥-completed TIOTSs and ⊤/⊥-removed TIOTSs. Sometimes, when defining a new construct, the intuition is strong and clear on one level, but not on the other. So we will formulate the construct on the former and then extrapolate into the latter.
Let us start with the parallel composition operator, the most important operator in a specification theory. We will define the operator on top of ⊤/⊥-completed TIOTSs. But the intuition comes from the definitions with classical semantics.
The example A ‖ B of untimed I/O transition systems⁶ in Figure 2 shows the case of parallel composition of two processes, one with output a disabled and the other with input a enabled. According to classic semantics, this will produce an output which is disabled. If we move the example into the level of ⊤/⊥-completed TIOTSs (i.e. A′ ‖ B′), this means ⊤ in parallel with a plain state gives rise to the product state ⊤ (i.e. ⊤ ‖ p = ⊤). Similarly, if we have two processes C ‖ D, on which input a is disabled on one process and output a is enabled on the other, then their parallel composition should generate an output action leading to err, which if mapped into the level of ⊤/⊥-completed TIOTSs gives rise to ⊥ ‖ p = err. The err state models error-trapping states like those employed in the mechanisms of exception or timeout. Since we cannot interpret err as ⊤, the only option left is to interpret it as ⊥. This gives rise to our definition of the parallel composition.
⁶ Convention: plain states are unmarked while the ⊤ and ⊥ states are marked by ⊤ and ⊥ resp. To simplify drawing, multiple copies of ⊤ and ⊥ are allowed but the self-loops on them are omitted.
Parallel composition. Starting with the parallel composition operator, this
paper will introduce a series of four operators for process composition, all of
which are a variant of the synchronised product operator. In order to obtain
a modular structure and factor out the variations amongst operators, we
adopt a two-step approach. In the first step we define a state composition
operator and an alphabet composition operator. In the second step, we
use the state-to-process lifting technique, defined as a generic synchronised
product operator, to lift the composition to the process level.
A generic synchronised product operation ∏⊗ is a binary process composition operation parameterised by another binary polymorphic operation ⊗. That is, ⊗ needs to be defined both as a state composition operation and as an alphabet composition operation.
State-to-process lifting. Given two ⊤/⊥-completed TIOTSs, Pi = ⟨Ii, Oi, Si, s0i, →i⟩ for i ∈ {0, 1}, satisfying S0 ∩ S1 = {⊥, ⊤}, P0 ∏⊗ P1 gives rise to a new ⊤/⊥-completed TIOTS P = ⟨I, O, S, s0, →⟩ s.t. (I, O) = (I0, O0) ⊗ (I1, O1), S = (P0 × P1) ⊎ P0 ⊎ P1 ⊎ {⊤, ⊥}, s0 = s00 ⊗ s01 and → is the smallest relation containing →0 ∪ →1,⁷ and satisfying the rules:
  p0 --α-->0 s0′ and p1 --α-->1 s1′ imply p0 ⊗ p1 --α--> s0′ ⊗ s1′
  p0 --a-->0 s0′ and a ∉ A1 imply p0 ⊗ p1 --a--> s0′ ⊗ p1
  p1 --a-->1 s1′ and a ∉ A0 imply p0 ⊗ p1 --a--> p0 ⊗ s1′
The parallel composition operation is an instantiation of the generic synchronised product by the polymorphic operation ‖, i.e. ∏‖. The associated interpretation of s0 ‖ s1 is supplied in Table 1 while (I0, O0) ‖ (I1, O1) is defined to be ((I0 ∪ I1) \ (O0 ∪ O1), O0 ∪ O1) under the assumption that O0 ∩ O1 = {}, i.e. P0 and P1 have ‖-composable alphabets.
In Table 1 the ‖-product state is in ⊤ (or ⊥) if one of the component states is in ⊤ (or ⊥). If they are simultaneously (i.e. one each) in ⊤ and ⊥, ⊤ will have priority and the product will be ⊤.⁸
⁷ Containment of →0 ∪ →1 is not required for parallel composition definitions but is so for conjunction and disjunction definitions in the sequel.
⁸ If the TIOTSs are derived from TIOAs with disjoint clocks, then we define p0 × p1 for plain states pi = (li, ti) with i ∈ {0, 1} as ((l0, l1), t0 ⊎ t1).
  ‖   | ⊤ | p0      | ⊥
  ----+---+---------+---
  ⊤   | ⊤ | ⊤       | ⊤
  p1  | ⊤ | p0 × p1 | ⊥
  ⊥   | ⊤ | ⊥       | ⊥
Table 1: State ‖-product.
The definition of the parallel operator can be lifted to TIOAs (c.f. Ap-
pendix A).
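The lifting above, worked as an added Python example (not the paper's code): a finite, untimed, deterministic TIOTS stored as a transition table, the ⊤/⊥-completion of Section 2.3, the state product of Table 1, the ‖ alphabet product, and the generic synchronised product ∏⊗ with its three rules, instantiated to ‖ and run on the four systems of Figure 2 plus one constructed compatible partner E for B. Delays are left out, as in the untimed Figure 2 (a delay label would be handled by the same rules), and the chaotic self-loops on ⊤ and ⊥ that the figure omits are generated explicitly.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Hashable, Tuple

TOP, BOTTOM = "⊤", "⊥"          # the two special (chaotic) states
Alphabet = Tuple[FrozenSet[str], FrozenSet[str]]   # (inputs I, outputs O)


@dataclass
class TIOTS:
    inputs: FrozenSet[str]
    outputs: FrozenSet[str]
    init: Hashable
    trans: Dict[Tuple[Hashable, str], Hashable]   # deterministic: (state, label) -> state

    @property
    def alphabet(self) -> FrozenSet[str]:
        return self.inputs | self.outputs

    def plain_states(self) -> set:
        states = {self.init}
        for (src, _), dst in self.trans.items():
            states.update((src, dst))
        return states - {TOP, BOTTOM}


def complete(P: TIOTS) -> TIOTS:
    """⊤/⊥-completion (Section 2.3): a disabled input leads to ⊥, a disabled
    output leads to ⊤, and ⊤, ⊥ carry a self-loop for every label."""
    trans = dict(P.trans)
    for p in P.plain_states():
        for a in P.alphabet:
            trans.setdefault((p, a), BOTTOM if a in P.inputs else TOP)
    for s in (TOP, BOTTOM):
        for a in P.alphabet:
            trans[(s, a)] = s
    return TIOTS(P.inputs, P.outputs, P.init, trans)


def par_state(s0: Hashable, s1: Hashable) -> Hashable:
    """Table 1: ⊤ wins over everything, ⊥ over plain states, else the pair p0 × p1."""
    if TOP in (s0, s1):
        return TOP
    if BOTTOM in (s0, s1):
        return BOTTOM
    return (s0, s1)


def par_alphabet(a0: Alphabet, a1: Alphabet) -> Alphabet:
    """(I0, O0) ‖ (I1, O1) = ((I0 ∪ I1) minus (O0 ∪ O1), O0 ∪ O1), requiring O0 ∩ O1 = {}."""
    (i0, o0), (i1, o1) = a0, a1
    if o0 & o1:
        raise ValueError("not ‖-composable: outputs overlap on %s" % sorted(o0 & o1))
    return ((i0 | i1) - (o0 | o1), o0 | o1)


def sync_product(P0: TIOTS, P1: TIOTS, state_op: Callable, alpha_op: Callable) -> TIOTS:
    """The generic synchronised product ∏⊗, built by exploring reachable states:
    a shared label moves both components, a private label moves one of them,
    and every target is combined with state_op (so ⊤/⊥ absorb as Table 1 says).
    Containment of →0 ∪ →1 (footnote 7) is not needed for ‖ and is omitted."""
    inputs, outputs = alpha_op((P0.inputs, P0.outputs), (P1.inputs, P1.outputs))
    init = state_op(P0.init, P1.init)
    trans, todo, seen = {}, [init], set()
    while todo:
        s = todo.pop()
        if s in seen:
            continue
        seen.add(s)
        for a in inputs | outputs:
            if s in (TOP, BOTTOM):
                trans[(s, a)] = s                       # chaotic self-loop
                continue
            p0, p1 = s
            n0 = P0.trans[(p0, a)] if a in P0.alphabet else p0
            n1 = P1.trans[(p1, a)] if a in P1.alphabet else p1
            trans[(s, a)] = state_op(n0, n1)
            todo.append(trans[(s, a)])
    return TIOTS(inputs, outputs, init, trans)


def parallel(P0: TIOTS, P1: TIOTS) -> TIOTS:
    """∏‖: the synchronised product instantiated with the ‖ state and alphabet products."""
    return sync_product(P0, P1, par_state, par_alphabet)


def fs(*xs) -> FrozenSet[str]:
    return frozenset(xs)


# The untimed systems of Figure 2, completed (A', B', C', D' in the figure).
A = complete(TIOTS(fs(), fs("a"), "A0", {}))                    # output a! disabled
B = complete(TIOTS(fs("a"), fs(), "B0", {("B0", "a"): "B1"}))   # input a? enabled
C = complete(TIOTS(fs("a"), fs(), "C0", {}))                    # input a? disabled
D = complete(TIOTS(fs(), fs("a"), "D0", {("D0", "a"): "D1"}))   # output a! enabled
# Constructed compatible partner for B: a! enabled once, then disabled.
E = complete(TIOTS(fs(), fs("a"), "E0", {("E0", "a"): "E1"}))
```

`parallel(A, B)` sends the initial product state to ⊤ on a (⊤ ‖ B1 = ⊤) and `parallel(C, D)` sends it to ⊥ (⊥ ‖ D1 = ⊥), which are the A′ ‖ B′ and C′ ‖ D′ cases of the text. The constructed E ‖ B first reaches the plain pair (E1, B1); there E1 has a disabled (⊤ after completion) and B1 has a disabled (⊥), so the next a-step lands in ⊤, the priority case of Table 1.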
2.5. Incompatibility errors and timelocks
When two components are composed, the parallel composition automat-
ically checks whether the guarantees provided by one component meet the
assumptions required by the other. For instance, the arrival of an input at
a location and time of a component when it is not expected (i.e. the input
is disabled at the location and time) triggers a safety error (aka exception)
in the parallel composition. Or the non-arrival of an expected input at a
location before its timeout (specified by the co-invariant) triggers a bounded-
liveness error (aka timeout) in the parallel composition.
Formally, we have two possible ways to characterise the incompatibility
errors (i.e. exception and timeout), one based on closed systems while the
other on open systems.
For closed systems, it is obvious that safety errors are simply action (i.e. output) transitions leading to ⊥, while bounded-liveness errors are delay transitions leading to ⊥. Thus a closed system is free of incompatibility errors iff it is free of ⊥, i.e. ⊥ is not reachable in the system. This characterisation is very robust, working for both the theory with the timestop capability and the theory without. Actually, we will use it as a basis for defining the refinement relations in both theories. The first refinement will be used as a stepping stone to build the second one.
For open systems, however, the characterisation is less obvious. Below
we use detailed analysis of two examples to illustrate incompatibility errors.
Note that the open-system characterisation is only meaningful for the theory
without the capability to stop time. For the theory with timestop capability,
since an environment can use > to steer any component out of ⊥, it is not
meaningful to examine incompatibility errors before a system is fully closed.
Examples: exception. Figure 3 shows the parallel composition of the job scheduler with the printer controller (c.f. Appendix A). In the transition from B4 to A1, the guard combines the effects of the constraints on the clocks x and y. As finish is an output of the controller, it can be fired at a time when the scheduler is not expecting it, meaning that an exception is raised due to safety errors. This is indicated by the transition to ⊥ when the guard constraint 5 ≤ x ≤ 8 is not satisfied.

[Figure 3: Parallel composition of the job scheduler and printer controller (Scheduler ‖ Printer_controller; locations A1, B2, B3, B4; actions start!, print!, printed?, finish!; clocks x, y).]

[Figure 4: Bounded liveness error. Components P (locations A, B; co-invariant x<=3 at B) and Q (locations 1, 2; invariant y<=4 at 2), and their product P ‖ Q (locations A1, B2; B2 has Inv: y<=4, Co: x<=3).]
Technically speaking, an exception is modelled by auto-⊥. We say a plain state p is an auto-⊥ state iff p −a→ ⊥ for some a ∈ O. Obviously auto-⊥ is insensitive to ⊥-removal.
Intuitively, an exception is an uncontrollable (i.e. by the environment)
action transition to ⊥, i.e. the system can independently execute the action
transition and go to ⊥ no matter how the environment behaves. In contrast,
a TIOTS might also have controllable action transitions to ⊥, e.g. input
transition to ⊥, whose occurrence depends more on the environment than
the system.
Examples: timeout. Another example to show bounded-liveness errors is given in Figure 4. In the closed system P ‖ Q, at location B2 the system is free to choose either to output finish after y ≥ 2 or to delay until x > 3. If it chooses the latter, the P component will time out in location B and the system will enter ⊥. Note that the timeout here is due to the fact that the urgency requirement at location 2 of Q (i.e. y <= 4) is weaker than the timeout bound set at location B of P (i.e. x <= 3). (If it were otherwise, the invariant at B2 would preempt the co-invariant at B2 and eliminate the possibility of timeout.)
Technically speaking, a timeout is modelled by semi-⊥. We say a plain state p is a semi-⊥ state iff 1) all input transitions in p or any of its time-passing successors lead to ⊥, and 2) there exists d ∈ R>0 s.t. p −d→ ⊥. Thus a semi-⊥ represents a point in time from which on the environment has no safe input that it can use to interrupt the system’s delay process into ⊥.
Our definition is based on >/⊥-complete TIOTSs. It is easy to see semi-⊥
is not affected by ⊥-removal. Thus we can extrapolate the definition onto
>/⊥-removed TIOTSs as well.
Intuitively, a timeout is an uncontrollable delay transition to ⊥, i.e. the
system can independently execute the delay transition and go to ⊥ no matter
how the environment behaves. In contrast, a TIOTS might also have con-
trollable delay transitions to ⊥, e.g. delay transition to ⊥ with input exits,
where the environment can interrupt the delay process by inputting at the
proper moment. In Section 4 we will use timed games to formalise these
intuitions.
For open systems, a ⊥-free TIOTS is free of auto-⊥ but is not necessarily
free of semi-⊥. Indeed, ⊥-freedom here is neither a sufficient nor necessary
condition for an open system to be free of incompatibility errors, which,
instead, corresponds (informally) to a system free of auto-⊥ and semi-⊥. A
more formal definition will have to wait until Section 4.
Similarly to equating ⊥ to the error-trapping state of classical I/O sys-
tems, we can also explain > within the classical I/O framework (i.e. without
relying on intuitions like assumption/guarantee violations) by augmenting it
with a timestop state. Timestop models the operation of stopping the system
clock and in our context means the freezing of global time. We equate > to
timestop. Thus, > represents the magic moment from which the global time
(or the whole system) stops elapsing (or running), consequently eliminating,
once and for all, all subsequent possibility of errors. From an environment’s
point of view we assume that > refines plain states, which in turn refine
⊥. Timestop can explain the behaviour of > in parallel composition: the equation ⊥ ‖ > = > holds because time stops exactly at the moment the error-trapping mechanism is triggered, so the resulting state is a timestop, rather than ⊥.
Dual to auto-⊥ and semi-⊥, we can also define notions like auto-> and semi->. We say a plain state p in a >/⊥-complete TIOTS is an auto-> iff p −a→ > for some a ∈ I. We say a plain state p is a semi-> iff 1) all output transitions in p or any of its time-passing successors lead to the > state, and 2) there exists d ∈ R>0 s.t. p −d→ >.
We cannot fully explain the intuitions behind auto-> at this stage. But,
for semi->, it models a generalisation of timelock to open systems. Here we
need to switch back to >-removed semantics for TIOTSs, where the intuition
of timelock is clearer.
On a closed (>-removed) TIOTS, the definition of timelock coincides with
that on classical TAs9 (i.e. TAs without I/O distinction). We call a plain
state p a timelock if 1) no action transition is enabled in p or any of its
time-passing successors, and 2) there exists d ∈ R>0 s.t. d is not enabled in
p.
Semi-> as timelock for open systems. The definition of semi-> can be spe-
cialised for >-removed TIOTSs. We say a plain state p is a semi-> iff 1)
no output transition is enabled in p or any of its time-passing successors,
and 2) there exists d ∈ R>0 s.t. d is not enabled in p. Obviously semi->
is a generalisation of timelock to open systems, which models the scenario
that the component has no option but to stop the progress of time if the
environment does not intervene in time.
Like the case for ⊥-freedom, a >-free TIOTS is free of auto-> but is not necessarily free of semi->. Thus, timelock is independent of timestop, which confers on the component an implicit capability to stop time.
Before moving on to the next section, we make a few observations as
summary:
• We model errors arising from assumption/guarantee mismatches by
auto-⊥ and semi-⊥ states and we model timelock by semi->.
• When two components are composed in parallel, new errors will be
generated but no new timelock (or auto->) will be generated.
9Due to our non-zenoness assumption, our timelock can be shown to be a local and
strengthened version of the timelock defined as in [2].
• This non-duality in the effect of parallel composition is largely due
to the non-symmetric treatment of input and output in the parallel
composition: the synchronisation of an input and an output gives rise
to an output. For example, in Figure 4, the component P in location
B is not a semi-⊥ since it has an outgoing input transition finish. But,
after parallel composition, the input becomes output and B2 contains
a semi-⊥.
3. Timed I/O Games and Refinement
We have used game-based intuitions to introduce > and ⊥ as assumption
and guarantee violations resp. Now let us elaborate further and formalise
the timed-game framework, whereby the component and an environment,
controlling timed outputs and inputs, respectively, play a >/⊥-reachability
game in which the component tries to avoid reaching >, while the environ-
ment tries to avoid reaching ⊥. Previously there has been work on timed game frameworks [7, 14]. But our formulation has important differences (cf. the discussion at the end of Section 5.2).
3.1. Timed I/O Games
In our timed I/O game, a TIOTS encodes the set of strategies possible for
the component in the game. An environment for a TIOTS P is any TIOTS
Q such that P and Q have complementary alphabets, meaning IP = OQ and
OP = IQ. Q encodes the environmental strategies.
The formal definition of (timed) strategies is given below:
• A strategy G is a deterministic tree TIOTS10 s.t. each plain state in G
is ready to accept all possible inputs by the environment, but allows a
single move (delay or output) by the component.
That is, the set of enabled timed actions in any state p of G is I ⊎ mvG(p), where mvG(p) is the enabled component move, being either {a} for some a ∈ O or a time interval11. The time interval here can be either infinite, i.e. (0, ∞), or finite, i.e. (0, d] for some d ∈ R>0. (Note that (0, d] is the set of all enabled delays at a state. Thus, due to time additivity, d should be the maximal delay allowable by the strategy TIOTS from that state. In other words, the move proposed at the new state after firing d must be an action move, say a.12)
10We say an acyclic TIOTS is a tree if 1) there does not exist a pair of transitions in the form of p −a→ p″ and p′ −d→ p″, 2) p −a→ p″ ∧ p′ −b→ p″ implies p = p′ and a = b and 3) p −d→ p″ ∧ p′ −d→ p″ implies p = p′.
• Given TIOTSs P and P′ with identical alphabets (i.e. O = O′ and I = I′), we say P is a partial unfolding [24] of P′ if there exists a function f : SP → SP′ such that 1) f maps > to >, ⊥ to ⊥ and plain states to plain states, and 2) f(s0P) = s0P′ and p −α→P s ⇒ f(p) −α→P′ f(s).
• We say a TIOTS P contains a strategy G if G is a partial unfolding of
(P⊥)>.
• We say a simple-path TIOTS13 L is a run of P if L is a partial unfolding
of P .
The set of strategies14 contained in P is denoted as the extension [P ].
Since it makes little sense to distinguish strategies that are isomorphic, we
will freely use strategies to refer to their isomorphism classes and write G = G ′
to mean G and G ′ are isomorphic.
Let us give some examples in Figure 5. For the sake of simplicity we use
two untimed transition systems P and Q , with identical alphabets I = {e, f }
and O = {a, b, c}, to illustrate the idea of strategies. The transition systems
use solid lines while strategies use dotted lines. We show four strategies of P
and two strategies of Q on the right hand side of P and Q resp. in Figure 5.
(They are not the complete sets of strategies for P and Q .) Note that the
strategies 3 and 4 owe their existence to the >-completion.
11Note that all invariants and co-invariants are downward-closed. Thus, a delay move
can be represented as a time interval from 0 to some d ∈ R≥0 or to infinity.
12That is, at each state a strategy proposes either a 〈d , a〉 move (for d ≥ 0) or a ∞
move.
13We say an acyclic TIOTS is a simple path if 1) p −a→ s′ ∧ p −α→ s″ implies s′ = s″ and a = α and 2) p −d→ s′ ∧ p −d→ s″ implies s′ = s″.
14In this paper we use a set of strategies (say Γ) to mean a set of strategies with identical alphabets.

[Figure 5: Strategy example. Transition systems P and Q (solid lines) over I = {e, f} and O = {a, b, c}, with strategies (1), (2), (3), (4) of P and (A), (B) of Q (dotted lines).]
Game rules. When a component strategy G is played against an environment
strategy G ′, at each game state (i.e. a product state pG × pG′) G and G ′ each
propose a move (i.e. mvG(pG) and mvG′(pG′)). If one of them is a delay and
the other is an action, the action will prevail. If both propose delay moves
(i.e. mvG(pG),mvG′(pG′) ⊆ R≥0), the smaller one (w.r.t. set containment)
will prevail.
Since a delay move proposed at a strategy state is the maximal delay
allowable at that state and the next move must be an action move, a play
cannot have two consecutive delay moves.
If, however, both propose action moves, there will be a tie, which will be
resolved by tossing the coin. For uniformity’s sake, the coin can be treated
as a special component. A strategy of the coin is a function h from tA∗ to
{0, 1}. We denote the set of all possible coin strategies as H .
Remark. Our game rules are consistent with those found in [14, 1]. But our
use of the rules is different. In [14, 1], there is no restriction that the rules
must be applied on a pair of pre-determined strategies that propose only
maximal delay moves. So if both players propose delay moves in one round,
the winning side (with smaller delay) can still propose a second delay move
in the next round. This creates complications like time-blocking strategies
and blame assignment [14].
Strategy composition. A play of the game can be formalised as a composition of three strategies, one each from the component, environment and coin, denoted GP ×h GQ. At a current game state pP × pQ, if the prevailing action is α and we have pP −α→ sP and pQ −α→ sQ, then the next game state is sP ‖ sQ. The play will stop when it reaches either > or ⊥. The composition will produce a simple path L that is a run of P ‖ Q,15 i.e. either an infinite plain run or a finite run ending in >/⊥. There is no possibility of a finite plain run, as is possible in [14, 1] by playing an infinite sequence of delay moves that converges.
Strategy composition can be generalised to composition between any pair of strategies GP ×h GQ with ‖-composable alphabets. That is, OP ∩ OQ = {}. For such P and Q, GP ×h GQ gives rise to a tree rather than a simple-path TIOTS. That is, at each game state pP × pQ, besides firing the prevailing α ∈ tOP ∪ tOQ, we need also to fire 1) all the synchronised inputs, i.e. e ∈ IP ∩ IQ, and reach the new game state sP ‖ sQ (assuming pP −e→ sP and pQ −e→ sQ) and 2) all the independent inputs, i.e. e ∈ (IP ∪ IQ) \ (AP ∩ AQ), and reach the new game state sP ‖ pQ or pP ‖ sQ.
The generalisation enables us to reduce parallel composition on processes
to strategy composition:
Lemma 1. For ‖-composable TIOTSs P and Q, [P ‖ Q] = [P ] × [Q], where
we define Γ × Γ′ = {G ×h G ′ | G ∈ Γ,G ′ ∈ Γ′ and h ∈ H }.
3.2. Refinement, Determinisation and Strategy Characterisation
A TIOTS is a refinement of another if it will work in any environment that the original worked in without introducing safety or bounded-liveness errors. Here we use the closed system version of incompatibility errors to formulate the definition.
Definition 4 (Substitutive Refinement). Let Pimp and Pspec be TIOTSs
with identical alphabets. Pimp refines Pspec, denoted Pspec v Pimp, iff for all
environments Q, Pspec ‖ Q is ⊥-free implies Pimp ‖ Q is ⊥-free. We say Pimp
and Pspec are substitutively equivalent, i.e. Pspec ' Pimp, iff Pimp v Pspec
and Pspec v Pimp.
Alternatively, if we view Pimp and Pspec as two ⊥-reachability games and
replace parallel composition by strategy composition, the refinement can be
15Since P ‖ Q gives rise to a closed system (i.e. the input alphabet is empty), a run of P ‖ Q is a strategy of P ‖ Q.
defined as a comparison on how challenging each game is for the environment. In the games, the component and coin collaborate trying to reach ⊥ whilst the environment tries to avoid reaching ⊥. Therefore, Pspec v Pimp iff all environment strategies winning in game Pspec are also winning in game Pimp. Here we say an environment strategy GE is winning in game P (or winning against strategy set [P ]) iff GE ×h G is ⊥-free for all G ∈ [P ] and h ∈ H.
Obviously, P ' Q is related but not equivalent to the set containment
between [P ] and [Q]; [Q] ⊆ [P ] implies P ' Q but the converse is not true.
This failure of the equivalence is largely due to the phenomenon of implicit
strategies.
Formally, we say a strategy G ∉ [P ] is an implicit strategy of [P ] iff all environment strategies winning against strategy set [P ] are also winning against [P ] ∪ {G}. Thus, a general principle to formulate a strategy-based semantics is to perform some closure operation on [P ] s.t. all implicit strategies become included.
Given [P ], the set of its implicit strategies depends on the refinement order under consideration. With respect to ' there are two sources of implicit strategies.
The first is due to the existence of an ordering on strategies; some strate-
gies are by nature more aggressive than the others.
Comparing strategies. When the game is played, the component tries to avoid reaching > while the environment tries to avoid reaching ⊥. Different strategies in [P ] vary in their effectiveness to achieve the objective. Such effectiveness can be compared if two strategies closely resemble each other: we say G and G′ are affine if s0G =tt⇒ p and s0G′ =tt⇒ p′ implies mvG(p) = mvG′(p′). Intuitively, this means G and G′ propose the same move at the ‘same’ states. For instance, the strategies 1, 3 and A in Figure 5 are pairwise affine, and so are the strategies 2, 4 and B.
Given two affine strategies G and G′, we say G is more aggressive than G′, denoted G  G′, if 1) s0G′ =tt⇒ ⊥ implies there is a prefix tt0 of tt s.t. s0G =tt0⇒ ⊥ and 2) s0G =tt⇒ > implies there is a prefix tt0 of tt s.t. s0G′ =tt0⇒ >. Intuitively, it means G can reach ⊥ faster but > slower than G′.  forms a partial order over [P ], or, more generally, over any set of strategies with identical alphabets. For instance, strategy A is more aggressive than 1 and 3, while strategy B is more aggressive than 2 and 4.
When the game is played, the component P prefers to use the maximally aggressive strategies in [P ]16. Thus, two components that differ only in non-maximally aggressive strategies should be equated. We define the strategy semantics of component P to be [[P ]] = [P ], i.e. the upward-closure of [P ] w.r.t. .
The other source of implicit strategies is due to the imperfect information
of our game. That is, given a partial play tt of a non-deterministic game P ,
there are a number of possible states (say Stt) that can be reached. It is
the component and coin, not the environment, that knows which of Stt is
chosen as the next game state. This entitles the former to have implicit
strategies, which are hybrid strategies generated through decomposing and
re-combining the strategies of different states in Stt . For instance, strategy
A is a hybrid of strategies 1 and 3 in Figure 5.
Such implicit strategy can be made explicit by converting an imperfect
information game into an (equivalent) perfect information game. Below we
propose a modified subset construction procedure to perform such conversion.
We define the determinisation PD of a ⊥-complete TIOTS P as a modified subset construction procedure on P: given a subset S0 of states reachable by a given trace, we only keep those which are minimal w.r.t. the state refinement relation. So if the current state subset S0 contains ⊥, the procedure reduces S0 to ⊥; if ⊥ ∉ S0 ≠ {>}, it reduces S0 by removing any possible > in S0.17 For example, Figure 5 contains two >/⊥-removed TIOTSs P and Q. If we apply the above procedure to P⊥ the resultant TIOTS will be Q⊥.
Given any TIOTS P , we can verify P ' PD even though [P ] ⊆ [PD ].
Proposition 1 ([10]). Any TIOTS P is substitutively equivalent to the de-
terministic TIOTS PD .
For instance, in Figure 5 we have (P⊥)D = Q⊥, but [P ] ≠ [Q ] since 1, 2, 3 and 4 are strategies of [Q ] (due to upward-closure w.r.t. ) but A and B are not strategies of [P ].
There might be further sources of implicit strategies with respect to coarser refinements than '. But, for the two sources of ', we can give a uniform and collective characterisation. That is, we say a strategy G′ ∉ Γ is a '-implicit strategy of the strategy set Γ iff s0G′ =tt⇒ s′ implies there exists s0G =tt⇒ s for some G ∈ Γ s.t. either both executions are plain executions or execution s0G′ =tt⇒ s′ reaches > earlier or ⊥ later than s0G =tt⇒ s. We denote by ΓE the '-implicit strategy closure of Γ.
Define [[P ]] = [P ]E. Then [[ · ]] characterises exactly the substitutive equivalence '.
16This is because our semantics/refinement is designed to preserve ⊥ rather than >.
17For a more detailed definition of transforming non-deterministic systems into substitutivity-equivalent deterministic systems, we refer readers to Definition 4.2 in [25]. That is for the untimed case.
Theorem 1 ([10]). Given TIOTSs P and Q, P v Q iff [[Q]] ⊆ [[P ]].
4. Realisability Restriction and Coarsened Refinement
Section 3.2 gives a substitutive refinement and its strategy characterisa-
tion. [10] further prove that ' is a congruence w.r.t. the parallel, conjunc-
tion, disjunction and quotient operators, thus giving rise to a simple and
elegant compositional specification theory.18
However, one drawback of such a theory is that we allow unrestricted strategies for the component and environment in the game play. In other words, the component and environment may apply timestop-like operations (i.e. timestop and timelock) directly against each other.
The timestop-like operations greatly increase the distinguishing power of the environment, giving rise to the finest possible equivalence '. They also equip the environment with the capability to steer components away from incompatibility errors (⊥) under all possible situations, thus making conjunction and quotient fully defined operators.
In general, such capability is too powerful to be realistic. Certain real-world systems might have an inherent ability to stop the system clock, e.g. in embedded systems and circuit design [19, 20] or in a controlled execution environment like simulation or testing. However, for an even larger class of applications, the suspension of clocks is arguably neither meaningful nor realisable.
Thus, in the rest of the paper we will develop a theory that can remove
timestops and timelocks, to keep only the so-called realisable behaviours.
Note that, even for such timestop-free systems, > can play the important role of being an imaginary state exploited at the intermediate steps of theory development and thus greatly simplifying operator definitions like quotient and conjunction.
18Actually the theory in [10] is developed in a more general setting, where the assumption of non-zenoness is removed.
We focus on realisable systems from hereon, and simply call TIOTSs free
of > and semi->19 specifications. Therefore, we are returning to the classical
I/O systems equipped with error-trapping states. As can be demonstrated,
operations on components such as parallel composition, renaming, hiding
and determinisation preserve > and semi-> freedom20.
Hence, we offer a classical I/O system as a user interface so that compli-
cations like timestops and timelocks are hidden from view and components
and environments use only realisable strategies to interact with one another.
Formally we say a strategy is realisable iff it is free of > and semi->. We
often use L to denote a realisable strategy.
The rest of this section leaves the world of >/⊥-complete TIOTSs and
deals exclusively with specifications. Furthermore, we assume all specifica-
tions are ⊥-complete in order to simplify presentation.
The definition of ∏_‖ (and hence ‖) can be extended without modification to work on ⊥-complete TIOTSs.21 As parallel composition preserves > and semi-> freedom, ‖ can be directly used as an operation on specifications. In addition, since strategies are ⊥-complete TIOTSs, we can freely parallel-compose a strategy with a component in the sequel.
Realisable refinement. Based on the parallel operator we can re-define the substitutive refinement on top of specifications: Let P and Q be specifications with identical alphabets. P realisably refines Q, denoted Q vr P, iff, for all environment specifications R, Q ‖ R is ⊥-free implies P ‖ R is ⊥-free. We say P and Q are substitutively equivalent, i.e. Q 'r P, iff P vr Q and Q vr P.
Note that in the definition 1) both the component and environment are
restricted to realisable ones and 2) the incompatibility errors utilised are
the closed system version. It is obvious that 'r is the weakest equivalence preserving ⊥. In the sequel we show that 'r is a congruence w.r.t. the parallel ‖, conjunction ∧, disjunction ∨ and quotient % operators.
19This, combined with our non-zenoness assumption on TIOTSs, implies that no component in our realisable theory is time-blocking.
20This is in contrast to the case of synchronised product on timed components without I/O distinction, where new timelocks can be generated.
21With the extension, synchronisation failures, i.e. an action being enabled on one process but not so on the other, become possible.
Recall that our determinisation is directly defined on ⊥-complete TIOTSs. On specifications, it is easy to verify that determinisation preserves > and semi-> freedom as well as the substitutive equivalence, i.e. P 'r PD.
With determinisation, imperfect-information games can be converted into
perfect-information games. Based on the latter, we can formalise the notion
of incompatibility errors for open systems.
Given a perfect-information game PD in which the collaboration of the component and coin plays against the environment for the objective of ⊥-reachability, we say a plain state p in PD is ⊥-winning iff there is no (realisable) environment strategy winning in game PD(p). In other words, starting from state p, the component and coin can collaborate to win the ⊥-reachability game. Here we use the notation P(p) to denote the specification P with the initial state changed to p.
Obviously, semi-⊥ and auto-⊥ states are ⊥-winning states (under the realisability restriction) and without the realisability restriction no state in game PD is ⊥-winning.
Semi-⊥ and auto-⊥ are among the most representative subclasses of ⊥-winning states; the absence of semi-⊥ and auto-⊥ effectively captures the absence of ⊥-winning states.
Lemma 2. A deterministic specification is free of ⊥-winning states iff it is
free of semi-⊥ and auto-⊥.
Based on this observation we can formalise the notion of incompatibility
error freedom for open systems. We say an (open) TIOTS P is error-free iff
PD is free of auto-⊥ and semi-⊥. From this definition it is easy to see that
the perfect information requirement is necessary here since determinisation
can introduce new semi-⊥.
4.1. Strategy characterisation of 'r
The definition of strategies and notation [P ] can be reused on specifica-
tions. It is easy to verify that specifications contain only realisable strategies
and specification ‖-composition can be reduced to (realisable) strategy com-
position: [P ‖ Q] = {L ×h L′ | L ∈ [P ],L′ ∈ [Q] and h ∈ H } for all
specifications P and Q.
Similarly, we can compare realisable strategies and define r as a restric-
tion of  to realisable strategies. This gives rise to the implicit strategy
closure operation ΓEr and we define [[P ]]r = [P ]Er .
[Figure 6: Distinguishing power of >. Specifications P and Q over the alphabet {a}, together with the realisable strategy L and the unrealisable strategy G.]
It is easy to verify [[P ]]r = [[Q]]r implies P 'r Q, but the converse is not
true. Thus, 'r is strictly coarser than [[ · ]]r .
Example. In Figure 6, assuming the alphabet is A = {a}, we were able to
distinguish P from Q using [[ · ]]r , since strategy L is in [[Q ]]r but not in [[P ]]r .
On the other hand, P 'r Q holds since it is impossible to construct an
environment specification R s.t. P ‖ R is >-free but Q ‖ R is not.
The substitutive equivalence is due to the fact that the initial states of P and Q are both ⊥-winning states. A ⊥-winning state is as bad as the ⊥ state since, once a specification reaches a ⊥-winning state, no (realisable) environment can steer it away from ⊥. Thus, according to r a component in a ⊥-winning state is indistinguishable from one in the ⊥ state.22 This gives rise to the third source of implicit strategies, e.g. strategy L is an implicit strategy of Q.
We can make such implicit strategies explicit by performing a further
normalisation on P .
Normalisation. The normalisation of a specification P , denoted PN , is ob-
tained by first determinising P and then collapsing all ⊥-winning states in
PD to ⊥.
An interesting observation here is that normalisation based on ⊥-winning
states can be reduced to normalisation based on semi-⊥ and auto-⊥, since
the latter are those ⊥-winning states which are precisely one-step away from
⊥. So we have an alternative local characterisation of normalisation.
PN may then be defined by⊥-backpropagation, which repeatedly collapses
semi-⊥ and auto-⊥ states in PD to ⊥, until semi-⊥ and auto-⊥ freedom is
obtained.
Since realisable strategies are specifications, normalisation is also defined
on realisable strategies.
22This is in contrast to unrealisable systems, where the environment can always distin-
guish the ⊥ state from the ⊥-winning states by stopping time immediately. For example,
the unrealisable strategy G in Figure 6 can distinguish P from Q .
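The local ⊥-backpropagation just described, together with the auto-⊥ and semi-⊥ tests of Section 2.5, as an added example that is not the paper's code: it works on a discrete-time abstraction in which a constructed `tick` label stands for passing one unit of time, assumes the specification is already deterministic (so the determinisation step is skipped) and >-free, and both specifications are constructed (the closed one mirrors the P ‖ Q of Figure 4).

```python
# Local ⊥-backpropagation (normalisation) on a discrete-time abstraction.
# Added example, not the paper's code.  A constructed label TICK stands for
# passing one unit of time, so "time-passing successors" are the tick*-closure.
# The specification is assumed deterministic and >-free, so determinisation
# is skipped and only ⊥ needs to be represented.
BOT = "BOT"
TICK = "tick"


class Spec:
    """Deterministic ⊥-complete specification: (state, label) -> state."""

    def __init__(self, inputs, outputs, init, trans):
        self.inputs, self.outputs = frozenset(inputs), frozenset(outputs)
        self.init, self.trans = init, dict(trans)

    def states(self):
        return {self.init} | {q for q, _ in self.trans} | set(self.trans.values())

    def step(self, p, a):
        """⊥-completion: an unexpected input leads to ⊥; a missing output or
        tick is simply not enabled (None)."""
        if p == BOT:
            return BOT
        if (p, a) in self.trans:
            return self.trans[(p, a)]
        return BOT if a in self.inputs else None

    def time_successors(self, p):
        """p together with every plain state reachable from p by passing time."""
        seen, todo = {p}, [p]
        while todo:
            t = self.step(todo.pop(), TICK)
            if t not in (None, BOT) and t not in seen:
                seen.add(t)
                todo.append(t)
        return seen

    def is_auto_bot(self, p):
        """Exception: some output of the component leads straight to ⊥."""
        return any(self.step(p, a) == BOT for a in self.outputs)

    def is_semi_bot(self, p):
        """Timeout: no safe input now or later, and passing time reaches ⊥."""
        succ = self.time_successors(p)
        no_safe_input = all(self.step(q, e) == BOT for q in succ for e in self.inputs)
        delay_to_bot = any(self.step(q, TICK) == BOT for q in succ)
        return no_safe_input and delay_to_bot


def is_error_free(spec):
    """Open-system error freedom: no auto-⊥ and no semi-⊥ plain state."""
    return not any(spec.is_auto_bot(p) or spec.is_semi_bot(p)
                   for p in spec.states() if p != BOT)


def normalise(spec):
    """P^N by ⊥-backpropagation: collapse auto-⊥/semi-⊥ states into ⊥ and
    repeat until none is left.  Returns (normalised spec, collapsed states)."""
    cur, collapsed = spec, set()
    while True:
        bad = {p for p in cur.states()
               if p != BOT and (cur.is_auto_bot(p) or cur.is_semi_bot(p))}
        if not bad:
            return cur, collapsed
        collapsed |= bad
        trans = {(q, a): (BOT if t in bad else t)
                 for (q, a), t in cur.trans.items() if q not in bad}
        init = BOT if cur.init in bad else cur.init   # init collapsed: inconsistent
        cur = Spec(cur.inputs, cur.outputs, init, trans)


# Constructed discrete version of Figure 4's closed system P ‖ Q: after start!
# both clocks are 0; finish! is enabled once y >= 2, but if the system keeps
# delaying, x > 3 violates P's co-invariant and time passes into ⊥.
CLOSED_PQ = Spec(set(), {"start", "finish"}, "A1", {
    ("A1", TICK): "A1", ("A1", "start"): "B2",
    ("B2", TICK): "B2_1", ("B2_1", TICK): "B2_2",
    ("B2_2", "finish"): "A1", ("B2_2", TICK): "B2_3",
    ("B2_3", "finish"): "A1", ("B2_3", TICK): BOT,
})

# Constructed open specification: after req! the component waits for ack?; the
# delay into ⊥ from "wait" is controllable (ack? interrupts it), the one from
# "wait1" is not, so only "wait1" is a semi-⊥ and gets collapsed.
PRINTER = Spec({"ack"}, {"req"}, "idle", {
    ("idle", TICK): "idle", ("idle", "req"): "wait",
    ("wait", "ack"): "idle", ("wait", TICK): "wait1",
    ("wait1", TICK): BOT,
})

if __name__ == "__main__":
    for name, s in (("P ‖ Q", CLOSED_PQ), ("printer", PRINTER)):
        norm, gone = normalise(s)
        print(f"{name}: collapsed {sorted(gone)}, initial state now {norm.init!r}")
```

Running it shows the closed P ‖ Q reduced to the ⊥-TIOTS (B2 is a semi-⊥, after which start! from A1 becomes an auto-⊥), while the open specification keeps "wait" with its now controllable delay into ⊥.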
Lemma 3. Given any component strategy L and environment specification
R, L ‖ R is ⊥-free iff LN ‖ R is ⊥-free.
The normalisation of a specification can be reduced to strategy normali-
sation. For a set of realisable strategies Γ, the normalisation closure, denoted
ΓN , is the least r -upward closed superset of Γ such that L ∈ ΓN implies
LN ∈ ΓN 23.
Lemma 4. Given any specification P, [[P ]]r = Γ implies [[PN ]]r = ΓN .
As a shorthand, we use [[P ]]n to denote ([[P ]]r)N or [[PN ]]r .
Theorem 2. Given two specifications P and Q, P vr Q iff [[Q]]n ⊆ [[P ]]n .
A specification P is inconsistent iff s0P is a ⊥-winning state. Under nor-
malisation, any inconsistent specification is reduced to the ⊥-TIOTS. For
consistent specifications, normalisation yields a deterministic error-free spec-
ification.
4.2. Desiderata of the operators
Before developing the operational definitions on conjunction, disjunction
and quotient, let us first describe the desired effects for these operators to
achieve.
We say a set of realisable strategies Γ is a specification semantics iff
Γ = (ΓEr )N . The domain of specification semantics combined with the ⊆
relation gives rise to a lattice, where conjunction (∧) and disjunction (∨) are
supposed to correspond to the join and meet operators respectively.24 That
is, conjunction yields the coarsest specification that is a refinement of its
operands, while disjunction yields the finest specification that is refined by
both of its operands.
Definition 5. For any pair of specification semantics Γ and Γ′ with identical
alphabets, we define Γ ∧ Γ′ = Γ ∩ Γ′ and Γ ∨ Γ′ = ((Γ ∪ Γ′)Er )N .
23The semantics normalisation operation preserves the disjunction closedness.
24As we write A v B to mean A is refined by B , our operators ∧ and ∨ are reversed in
comparison to the standard symbols for meet and join.
It is easy to verify Γ ∩ Γ′ is a specification semantics.
Quotient P0%P1 produces the coarsest specification P such that P ‖ P1 is a refinement of P0. In other words, if P1 is the plant and P0 is the overall system specification, then P0%P1 synthesises the coarsest (or most permissive) controller that can steer the plant away from behaviours violating P0.
Mirror P¬ gives the set of (realisable) environment strategies that can
steer P away from ⊥.
Definition 6. Given a specification semantics Γ, we define Γ¬ = {L¬ |
∀ L ∈ Γ, h ∈ H : L ×h L¬ is ⊥-free}. Given two specification semantics Γ
and Γ′ (with alphabets A′ ⊆ A and O ′ ⊆ O), we define Γ%Γ′ = {L% | ∀ L′ ∈
Γ′, h ∈ H : L% ×h L′ ∈ Γ}.
It is easy to verify Γ¬ and Γ%Γ′ as defined above give rise to specification
semantics.
5. Operational semantics
In the last section we outlined the desiderata for the four operators. Conjunction and disjunction calculate the meet and join w.r.t. ⊑r, whilst mirror and quotient synthesise realisable controllers to steer components away from undesirable states/behaviours. In this section, we give the operational definitions of the operators that fulfil the desiderata. The key challenge here lies in understanding the interplay between synthesis games across specification boundaries.
We adopt a two-step approach. Firstly we define the four operators for the restricted case when the operands are all normalised specifications. Since the synthesis game in a normalised specification has been pre-resolved, the operator definitions need only utilise the process-algebraic technique of state-to-process lifting. The process-algebraic definitions may, however, generate a new realisation game under some operators, which, we show, is resolvable by a ⊤-backpropagation procedure.
Then we analyse the composability of different games under different operators; based on this knowledge we give the minimal extension to the process-algebraic definitions so that the extended operators indeed implement the desiderata for general specifications.
Table 2: State composition operators (columns: first operand s0; rows: second operand s1).

  ∧  |  ⊤    p0      ⊥
  ⊤  |  ⊤    ⊤       ⊤
  p1 |  ⊤    p0×p1   p1
  ⊥  |  ⊤    p0      ⊥

  ∨  |  ⊤    p0      ⊥
  ⊤  |  ⊤    p0      ⊥
  p1 |  p1   p0×p1   ⊥
  ⊥  |  ⊥    ⊥       ⊥

  %  |  ⊤    p0      ⊥
  ⊤  |  ⊥    ⊥       ⊥
  p1 |  ⊤    p0×p1   ⊥
  ⊥  |  ⊤    ⊤       ⊥

  ¬  |
  ⊤  |  ⊥
  p  |  p
  ⊥  |  ⊤
5.1. Restricted case
Like parallel composition, we define conjunction, disjunction and quotient as variants of synchronised product, which operate over ⊤/⊥-complete TIOTSs and are parameterised by a polymorphic state/alphabet composition operator.
Table 2 tells us how states should be combined under the composition operators. Based on the refinement ordering on states, it is easy to see that the state conjunction (∧) and disjunction (∨) operations in Table 2 follow the intuition of the join and meet operations (except for the case when both operands are plain states) and that the state quotient (%) operation is definable via the state parallel (‖) and mirror (¬) operations: s0%s1 = (s0¬ ‖ s1)¬.
We say (I0,O0) and (I1,O1) are ∧- and ∨-composable if (I0,O0) = (I1,O1), and are %-composable if (I0,O0) dominates (I1,O1), i.e. A1 ⊆ A0 and O1 ⊆ O0. Then, we can define the alphabet composition operations under the respective composability restriction: (I0,O0) = (I0,O0) ∧ (I1,O1), (I0,O0) = (I0,O0) ∨ (I1,O1) and (I0 ∪ O1, O0 \ O1) = (I0,O0) % (I1,O1).
Remark. Note the subtlety in the transition rules of P0 ∏∧ P1 and P0 ∏∨ P1. If we have p0 −α→ p0′ in P0 and p1 −α→ ⊤ in P1, then we have p0 × p1 −α→ p0′ in P0 ∏∧ P1. That is, process P1 is discarded after the transition and the rest of the execution is the solo run of P0.
Like ∏‖, the definition of ∏∧ can be extended without modification to work on ⊥-complete TIOTSs (cf. Footnote 21). On specifications, ∏∧ preserves ⊤-freedom but not semi-⊤ freedom. Thus P ∏∧ Q may contain semi-⊤ and has to be converted to a specification.
In contrast, the definitions of ∏∨ and ∏% do not extend to ⊥-complete TIOTSs. We have to perform ⊤-completion on the operands. Then P⊤ ∏∨ Q⊤ and P⊤ ∏% Q⊤ produce a general TIOTS, which needs to be converted back to a realisable one.
The rationale here is that the ∏∨, ∏∧ and ∏% operators implement the desiderata using the [[·]] semantics rather than the [[·]]r one. Thus, P ∏∧ Q implements [[P⊤]] ∩ [[Q⊤]] rather than [[P]]r ∩ [[Q]]r.
Example. Let P be a specification that waits exactly 3 time units before firing output a, while Q is a specification that waits silently forever. Both are characterised by their sets of realisable strategies. However, if P and Q are put into conjunction using ∏∧, then there is no realisable strategy in the intersection [[P⊤]] ∩ [[Q⊤]], even though the intersection is non-empty.
However, it is interesting to observe that [[P]]r ∩ [[Q]]r = RG([[P⊤]] ∩ [[Q⊤]]) holds for normalised specifications P and Q, where the realisability filtering function RG(Γ) extracts the subset of realisable strategies from Γ. Thus, our conversion aims to implement the realisability filtering on top of TIOTSs.
There are two cases for such a conversion. In the first case, when the resultant TIOTS is free of auto-⊤ and semi-⊤, ⊥-removal suffices to remove unrealisability. This is the case for P⊤ ∏∨ Q⊤, since ∏∨ preserves auto-⊤ and semi-⊤ freedom on ⊤/⊥-complete TIOTSs.
In the second case, when the resultant TIOTS contains auto-⊤ and semi-⊤ (the case for P ∏∧ Q and P⊤ ∏% Q⊤), we need a more sophisticated procedure for unrealisability removal. Let us start with a deeper analysis of auto-⊤ and semi-⊤.
Auto-⊤ and semi-⊤ as ⊤-winning states. Like auto-⊥ and semi-⊥, it is best to understand auto-⊤ and semi-⊤ in terms of perfect-information games (as determinisation does not preserve auto-⊤ and semi-⊤).
In a perfect-information game PD, a key observation is that a plain state p being an auto-⊤ or semi-⊤ implies that no strategy starting from p is realisable.
For instance, if p is an auto-⊤, p has an input transition going to ⊤. Then all strategies starting from p have to unfold that input transition (due to determinism) and thus are unrealisable.
If p is, on the other hand, a semi-⊤, any strategy starting from p, if realisable, has to make a delay move at p (since all output moves lead to ⊤ due to the semi-⊤). However, according to our strategy definition, after the delay move, which has to be finite, the strategy will have to make an output move, which unavoidably leads to ⊤.
Auto-⊤ and semi-⊤ characterise only a subclass of those plain states from which there is no realisable strategy. The characterisation of the full class requires, surprisingly, a dual of the ⊥-reachability game.
Given a perfect-information game PD in which the collaboration of the environment and coin plays against the component for the objective of ⊤-reachability, we say a (realisable) environment strategy LE and a coin strategy h ∈ H are winning in game P (or winning against strategy set [P]) iff LE ×h G can reach ⊤ for all G ∈ [P]. Then we say a plain state p in PD is ⊤-winning iff there is a pair of (realisable) environment and coin strategies winning in game PD(p).
Remark. Note that ⊤- and ⊥-winning states are dual to each other, and it is possible that a state in a TIOTS is ⊥-winning and ⊤-winning simultaneously. However, the theory in this paper uses only a restricted class of TIOTSs, in which it is impossible to be simultaneously ⊥-winning and ⊤-winning.
It is easy to verify that semi-⊤ and auto-⊤ are both ⊤-winning states and that the absence of semi-⊤ and auto-⊤ implies the absence of ⊤-winning states.
Lemma 5. A TIOTS is free of ⊤-winning states iff it is free of semi-⊤ and auto-⊤.
Based on ⊤-winning states, we can derive a procedure (dual to normalisation) to filter out unrealisable strategies for any TIOTS.
Extracting realisable strategies (realisation). Given a ⊤/⊥-complete TIOTS P, using a three-step procedure we can extract the realisable subsystem PR of P (called the realisation of P). PR contains precisely the realisable strategies in [[P]], i.e. [[PR]]r = RG([[P]]).
The first step determinises P and makes all strategies explicit. Then the second step finds and replaces with ⊤ all the ⊤-winning states in PD. Finally, the last step performs a ⊤-removal on the resultant TIOTS (if it is not already the ⊤-TIOTS).
⊤-backpropagation. The alternative localised approach to generating PR, called ⊤-backpropagation, repeatedly collapses semi-⊤ and auto-⊤ states in PD to ⊤ until semi-⊤ and auto-⊤ freedom is obtained.
Hence, PR produces either the unrealisable specification (i.e. the ⊤-TIOTS) or a (deterministic) specification. If we define [[PR]]r = {} for the unrealisable specification, then we have the lemma below.
Lemma 6. For a ⊤/⊥-complete TIOTS P, RG([[P]]) = [[PR]]r.
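To make the ⊤-backpropagation procedure concrete, here is an added Python illustration (not code from the paper) on a finite, untimed abstraction of a deterministic ⊤/⊥-complete TIOTS. Each state records its input and output transitions and a single flag `bounded`, which stands in for an invariant that forces the state to be left by an output after a finite delay; outputs that are not listed are taken to lead to ⊤ (implicit ⊤-completion). The transition system built by `make_sample()` is constructed for this illustration. The procedure collapses auto-⊤ states (some input leads to ⊤) and semi-⊤ states (bounded delay and every output leads to ⊤) until a fixpoint is reached, then performs ⊤-removal, returning `None` for the ⊤-TIOTS when the initial state itself collapses.

```python
"""⊤-backpropagation and ⊤-removal (realisation) on a finite abstraction.

Added illustration, not the paper's code.  Timing is abstracted to one flag per
state: bounded=True stands for an invariant that forces the state to be left
by an output after a finite delay; bounded=False lets the component delay
forever.  Outputs that are not listed are taken to lead to ⊤ (implicit
⊤-completion).  An input listed with target ⊤ makes the state an auto-⊤.
"""

TOP = "⊤"


def make_sample():
    """Constructed deterministic system: s2 is an auto-⊤, s3 a semi-⊤."""
    return {
        "s0": {"in": {"e": "s1"}, "out": {"f": "s2"}, "bounded": False},
        "s1": {"in": {}, "out": {"g": TOP, "h": "s4"}, "bounded": True},
        "s2": {"in": {"e": TOP}, "out": {}, "bounded": False},
        "s3": {"in": {}, "out": {"g": TOP}, "bounded": True},
        "s4": {"in": {}, "out": {"i": "s3"}, "bounded": False},
    }


def top_backpropagate(system):
    """Return the set of plain states that collapse to ⊤.

    Repeatedly collapse auto-⊤ states (some input leads to ⊤) and semi-⊤
    states (bounded delay and every output leads to ⊤) until nothing changes;
    a state already collapsed counts as ⊤ for its predecessors.  A bounded
    state with no listed outputs is semi-⊤ as well, since all its outputs
    implicitly lead to ⊤.
    """
    collapsed = set()

    def leads_to_top(target):
        return target == TOP or target in collapsed

    changed = True
    while changed:
        changed = False
        for name, st in system.items():
            if name in collapsed:
                continue
            auto_top = any(leads_to_top(t) for t in st["in"].values())
            semi_top = st["bounded"] and all(leads_to_top(t) for t in st["out"].values())
            if auto_top or semi_top:
                collapsed.add(name)
                changed = True
    return collapsed


def realise(system, initial):
    """Realisation P^R: backpropagate ⊤, then ⊤-removal.

    Returns (collapsed, realisation).  realisation is None when the initial
    state collapses, i.e. the result is the ⊤-TIOTS (no realisable strategy).
    After backpropagation no surviving state has an input into ⊤ (that would
    make it auto-⊤), so ⊤-removal only has to drop outputs into ⊤.
    """
    collapsed = top_backpropagate(system)
    if initial in collapsed:
        return collapsed, None
    realisation = {}
    for name, st in system.items():
        if name in collapsed:
            continue
        realisation[name] = {
            "in": dict(st["in"]),
            "out": {a: t for a, t in st["out"].items()
                    if t != TOP and t not in collapsed},
            "bounded": st["bounded"],
        }
    return collapsed, realisation


if __name__ == "__main__":
    collapsed, real = realise(make_sample(), "s0")
    print("collapsed to ⊤:", sorted(collapsed))
    print("realisation:", real)
```

On the constructed sample, s2 and s3 collapse and ⊤-removal then deletes the outputs f (from s0) and i (from s4) that led to them; s4 survives although its only output leads to a collapsed state, because it can delay forever. Setting `bounded` to True on s4 turns it into a semi-⊤, which makes s1 a semi-⊤ and then s0 an auto-⊤, so the whole system becomes the ⊤-TIOTS. That cascade is the local counterpart of replacing all ⊤-winning states by ⊤ in the three-step procedure.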
Operator definitions. Given normalised specifications P and Q, we define P ∨ Q to be the ⊤-removal of P⊤ ∏∨ Q⊤, and define P ∧ Q = (P ∏∧ Q)R and P%Q = (P⊤ ∏% Q⊤)R. The mirror operation, P¬, can be defined as performing an I/O switch operation on P⊤, i.e. P¬ is the ⊤-removal of (P⊤)X. The I/O switch operation QX interchanges the input and output sets, as well as the ⊤ and ⊥ states, of a ⊤/⊥-completed Q.
Based on the mirror operator, we can give an alternative definition of quotient as the derived operator (P0¬ ‖ P1)¬. This lifts to the process level the derivation of quotient from mirror and parallel on the state level.
Finally, we can verify that the above operator definitions implement the desiderata.
Theorem 3. Given a pair of ⊗-composable normalised specifications P and Q with ⊗ ∈ {∧,∨,%}, we have [[P ⊗ Q]]n = [[P]]n ⊗ [[Q]]n and [[P¬]]n = ([[P]]n)¬.
5.2. General case
For the general case, when the specifications are not normalised, there is a naively correct definition by the application of a three-step recipe. We start with normalisation, go on with applying the corresponding ∏⊗ operator, and finish with realisation.
However, this approach sheds little light on understanding the composability of synthesis games under the set of operators and may potentially introduce unnecessarily cumbersome steps in the operator definitions. For instance, ‖ is defined above without any need of normalisation or realisation. We can verify that the natural definition is equivalent to the three-step recipe definition.
Lemma 7. Given specifications P and Q, P ‖ Q gives rise to a specification realisably equivalent to ((PN)⊤ ∏‖ (QN)⊤)R.
The proof of the above lemma is based on the composability of normalisation games under the parallel operator, i.e. the distributivity of the normalisation operation over parallel composition.
Lemma 8. (P ‖ Q)D = PD ‖ QD and (P ‖ Q)N = (PN ‖ QN)N.
Lemma 9. Given specifications P and Q, for any product state p × q in PD ‖ QD, p (or q) being a ⊥-winning state in PD (or QD) implies p × q is a ⊥-winning state in PD ‖ QD.
Then we can formally show that ‖-composition implements strategy composition.
Proposition 2. For any pair of ‖-composable specifications P and Q, we have [[P ‖ Q]]n = ([[P]]n × [[Q]]n)N.
Disjunction. Like the parallel operator ‖, disjunction ∨ is also (nearly) a natural operator to define.
Lemma 10. Given specifications P and Q, P ∨ Q gives rise to a specification realisably equivalent to ((PN)⊤ ∏∨ (QN)⊤)R.
The proof of the above lemma is based on the composability of normalisation games under disjunction.
Lemma 11. (P ∨ Q)D = PD ∨ QD and (P ∨ Q)N = (PN ∨ QN)N.
Lemma 12. Given specifications P and Q, for any product state p × q in PD ∨ QD, p (or q) being a ⊥-winning state in PD (or QD) implies p × q is a ⊥-winning state in PD ∨ QD.
The natural definitions will also work for hiding and renaming since, like ∏‖ and ∏∨, they do not generate new ⊤-winning states, although they do generate new ⊥-winning states.
However, for conjunction ∧ and quotient %, natural definitions do not work. This is due to the subtle interferences the composition imposes on the ⊤- and ⊥-winning states in their operands.
Example. In Figure 7, we have two specifications P and Q. Q is normalised while P is not. Normalisation will reduce P to the ⊥-TIOTS (simply denoted ⊥). It is easy to see that P ∏∧ Q (cf. Appendix A) produces the third specification, which is a normalised specification, rather than the ⊥-TIOTS (according to ⊥ ∏∧ Q = ⊥). This is due to the fact that with conjunction composition the ⊥-winning states at location A of P are interfered with and annulled by the urgency requirement on output e at location 1 of Q. Similarly, P ∏% Q (cf. Appendix A) produces the fourth specification, which is a normalised specification, rather than the ⊥-TIOTS.
[Figure 7 (image not reproduced): four timed automata, (P) with locations A and B, (Q) with locations 1 and 2, and their Conjunction and Quotient with locations A1 and B2. Edges are labelled e! (e? in the quotient) with guard x == 5, and locations carry invariants (Inv) and co-invariants (Co) over clock x, such as Inv: true / Co: x <= 10 and Inv: x <= 5 / Co: true.]
Figure 7: Inter-component interference on winning states.
Conjunction. Technically speaking, conjunction will cause interferences on the ⊥-winning states of its operands, which leads to the non-distributivity of normalisation over ∏∧, i.e. (P ∏∧ Q)N = (PN ∏∧ QN)N does not necessarily hold. Conjunction will not cause interferences on the ⊤-winning states of its operands though. This, combined with the distributivity of determinisation over ∏∧, gives rise to distributivity of realisation over ∏∧.
Lemma 13. Given two ⊤/⊥-complete TIOTSs P and Q, we have (P ∏∧ Q)D = PD ∏∧ QD and ((PR)⊤ ∏∧ (QR)⊤)R = (P ∏∧ Q)R.
Furthermore, ∏∧ preserves the freedom of ⊥-winning states but not the freedom of ⊤-winning states.
Lemma 14. Given two ⊤/⊥-complete TIOTSs P and Q, PD and QD being free of ⊥-winning states implies PD ∏∧ QD is free of ⊥-winning states. For any product state p × q in PD ∏∧ QD, p (or q) being a ⊤-winning state in PD (or QD) implies p × q is a ⊤-winning state in PD ∏∧ QD.
Hence, we use the three-step recipe to define conjunction. Given specifications P and Q, we define P ∧ Q = ((PN)⊤ ∏∧ (QN)⊤)R. Lemma 14 implies that P ∧ Q is a normalised specification.
For mirror and quotient, we use only part of the three-step recipe, since some transformations in the recipe are not essential for interference cancellation.
Mirror. The mirror of a specification P, denoted P¬, is defined by the equation P¬ = (((P⊤)D)X)R. That is, no normalisation is needed on the operand. This is because the I/O switch operation RX (as defined in Section 5), rather than causing interferences on ⊤- and ⊥-winning states in R, only causes a switch between the two types of winning states. Thus, P¬ is equivalent to the three-step recipe definition, i.e. the ⊤-removal of ((PN)⊤)X. Since P as a specification is free of auto-⊤ and semi-⊤, P¬ gives rise to a specification that is free of auto-⊥ and semi-⊥, i.e. a normalised specification.
Lemma 15. Given any specification P, P¬ is a normalised specification realisably equivalent to the ⊤-removal of ((PN)⊤)X.
The lemma below is very useful, since it shows how mirror can reduce the problem of refinement checking between two open systems to a non-reachability problem on a closed system.
Proposition 3. For any specifications P and Q, P ⊑r Q iff P¬ ‖ Q is ⊥-free.
Quotient. Given specifications P and Q, we define P%Q = ((PN)⊤ ∏% (QD)⊤)R. The crucial point here is that we do not need to normalise Q (i.e. the plant in the controller synthesis framework). The definition can be shown to be consistent with the one using the three-step recipe.
Lemma 16. Given any specifications P and Q, P%Q is a normalised specification realisably equivalent to ((PN)⊤ ∏% (QN)⊤)R.
The proof of the above lemma is based on the composability of an ordered pair of normalisation and realisation games under quotient.
Lemma 17. Given two deterministic ⊤/⊥-complete TIOTSs P and Q, P being free of ⊥-winning states and Q free of ⊤-winning states implies 1) P ∏% Q is free of ⊥-winning states, 2) (PR ∏% QN)R = (P ∏% Q)R and 3) for any product state p × q in P ∏% Q, p being a ⊤-winning state in P or q being a ⊥-winning state in Q implies p × q is a ⊤-winning state in P ∏% Q.
We can verify that P0%P1 gives rise to a normalised specification realisably equivalent to (P0¬ ‖ P1)¬.
[Figure 8 (image not reproduced): four timed automata, (P) with locations A, B, C, (Q) with locations 1, 2, 3, the Pre-quotient with locations A1, B2, C3, and its Realisation with locations A1, C3. Edges are labelled e? (guards x <= 5 in P, x <= 3 in Q and the pre-quotient) and f!/f? (guard x <= 2), and locations carry invariants (Inv) and co-invariants (Co) over clock x; the realisation keeps only location A1 with Inv: x <= 2 / Co: true and its f! edge to C3.]
Figure 8: Generation and removal of ⊤-winning states.
Example. We give an example to show how ∏% can generate new ⊤-winning states and how realisation can remove them. In Figure 8, P and Q are both normalised specifications. At location A, P can choose either (behaviour A) to output f during the time window 0 to 2 or (behaviour B) to wait for input e until time 5, at which point, if the environment fails to supply e, a timeout will occur. On the other hand, at location 1, Q can choose either (behaviour C) to wait for input f during the time window 0 to 2 or (behaviour D) to wait for input e until time 3, at which point, if the environment fails to supply e, a timeout will occur. Obviously behaviour A should be matched to behaviour C and behaviour B to D. However, the timeout bound of behaviour D is stronger than that of B. Since it is impossible to weaken one component's input assumption by composing it with another component which has to treat the action either as input or as outside the alphabet, matching D to B generates an unrealisable behaviour in the pre-quotient P ∏% Q, which can be removed by the realisation.
Finally, we can formally show that the operator definitions implement the desiderata.
Theorem 4. Given a pair of ⊗-composable specifications P and Q with ⊗ ∈ {∧,∨,%}, we have [[P ⊗ Q]]n = [[P]]n ⊗ [[Q]]n and [[P¬]]n = ([[P]]n)¬.
Based on the above theorem we can prove the congruence result.
Theorem 5. ≃r is a congruence w.r.t. ‖, ∨, ∧ and %, subject to composability.
Double trace semantics. In addition to the timed strategy semantics, Appendix B also gives a double trace semantics like that in our earlier work [10].
Timed synthesis. Our formulation of timed synthesis games (realisation or normalisation) recognises three players in the game, i.e. coin, component and environment. On an abstract level, the two games actually belong to the same class, in which two players with a reachability objective collaborate and play against the third with a safety objective. Such a game has the nice properties that it is determined and winning strategies are memoryless. (For this paper we only consider the winning states for the two-player side.)
Our ⊤- and ⊥-backpropagations share similarities with the classical algorithms of timed synthesis games [1, 7]. Both implement some form of backward fixpoint computation of winning states; both can be adapted into efficient on-the-fly algorithms [7].
However, there are some important differences. Our auto-⊥ and semi-⊥ states are related to but not equivalent to the controllable predecessors of ⊥ in [7]. For example, an auto-⊥ state will not be a controllable predecessor of ⊥ if it has an outgoing input transition leading to a plain state. Thus, our ⊤- and ⊥-backpropagations are strictly more aggressive than the classic algorithms in classifying winning states, since the latter cannot back-propagate through auto-⊥. This is crucial for our weakest congruence results.
Another advantage of the three-player formulation is that the composition of the three strategies generates a run for closed systems or a strategy for open systems, thus giving rise naturally to the strategy semantics. In contrast, the composition of the two strategies in [7] does not generate a run or strategy for the composed system.
Finally, with the three-player formulation, we can clarify the reducibility of a timed non-reachability (i.e. safety) game to a timed reachability game. For the two-player formulation it seems such a reduction is possible by exchanging the roles of the system and environment and complementing the target state set [7]. However, this is not true according to the three-player formulation, since a game of two players with a reachability objective and one player with a safety objective cannot be reduced to a game of two players with a safety objective and one player with a reachability objective.
Compositional timed synthesis. Since a specification may involve both realisation and normalisation, the composition of specifications involves the composition of synthesis games. We now understand that 1) normalisation games are composable under parallel and disjunction, 2) realisation games are composable under conjunction and 3) an ordered pair of realisation and normalisation games is composable under quotient.
[Figure 9 (image not reproduced): three timed automata. Print Server: locations 1, 2, 3 with clock y, edges initiate_print! (y:=0), store! (guard y==2) and printed?, with Inv: y<=2 on the intermediate location and Co: y<=10 on the final one. Job Buffer: locations A, B with clock x, edges store? (x:=0) and collect?, with Co: x<=10 on B. Printer: locations H, S, P with clock z, edges wakeup? (z:=0), collect! (guard z>=1) and printed!, with Inv: z<=2 on S and Inv: z<=10 on P.]
Figure 9: Specifications for a print server, job buffer and printer.
For instance, our Lemma 14 implies ((PR)⊤ ∏∧ (QR)⊤)R = (P ∏∧ Q)R, which essentially gives us a compositional method to synthesise timed processes (cf. [16] for the compositional process synthesis of the untimed case).
Based on such knowledge, when composing specifications by operator ⊗, we now understand that only the synthesis games composable under ⊗ in the specifications should be composed. The incomposable ones should be removed by performing realisation or normalisation in advance.
6. A Printing Example
To illustrate our theory, we consider a simple printing system. Figure 9 shows specifications of three components in the system: a print server, a job buffer and a printer. Intuitively, the print server decides when to initiate printing a document, after which it stores the job in the buffer. When the printer is told to wakeup, it will collect the job from the buffer, and, after printing it, confirm to the print server that the job has been printed. The invariants, co-invariants and guards place constraints on when actions may and must occur. For example, once the printer has been told to wakeup, it must collect a job at least 1s, although no more than 2s, later, and the document must have been printed within 10s, in order to satisfy the invariants. After the job buffer has been told to store a job, the co-invariant requires that the job is collected within 10s. For the print server, after deciding to initiate_print, the job must be stored exactly 2s later (imposed by the invariant and guard on state 2), and it requires that the job has been printed within 10s (imposed by the co-invariant on state 3).
The three components can be composed under parallel. However, they will not work together without external coordination. For example, the wakeup input to the printer is not supplied by either of the other two components. Thus, we need a scheduler which can connect the three components together and produce the wakeup at the right time. The clever bit here lies in the synthesis of the scheduler strategies such that the printer is not told to wakeup too early or too late.
[Figure 10 (image not reproduced): left, the product automaton Printer ‖ Job Buffer ‖ Print Server with locations A1H, A1S, A2H, A2S, A3P, B3H and B3S, edges initiate_print! (y:=0), store! (guard y==2, x:=0), wakeup? (z:=0), collect! (guard z>=1) and printed!, and conjoined invariants/co-invariants such as Inv: z<=2 / Co: x<=10 & y<=10 on the composite locations; right, the same automaton after ⊥-backpropagation and ⊥-removal, with strengthened co-invariants (Co: z<1 at A1S, Co: z<1 & y−z>1 at A2S, Co: y−z<=8 & y<=10 at B3S) and the guards y>1 and y<=8 added to the wakeup? transitions.]
Figure 10: Parallel composition of the print server, job buffer and printer, and ⊥-backpropagation.
Basically, we synthesise the scheduler by calculating the least refined environment such that the three can work together without violating any of their timing constraints: (Printer ‖ Job Buffer ‖ Print Server)¬.
The left-hand side of Figure 10 shows the parallel composition of the three components in Figure 9, i.e. System = Printer ‖ Job Buffer ‖ Print Server, which is essentially the synchronised product of the specifications obtained by taking the conjunction of invariants, co-invariants and guards. The ⊥-state is reachable due to the non-input-enabledness of the collect transition in the job buffer (the printer collects the job too early or too late).
To perform mirroring on System, it must first be normalised. We implement the normalisation by a ⊥-backpropagation followed by ⊥-removal on System.[25] On the right-hand side of Figure 10, we show the resultant TIOA after the two transformations.
Since the output transition collect at location A1S leads to ⊥, those states associated with location A1S on which collect is enabled will be auto-⊥ states. Collapsing them to ⊥ is equivalent to strengthening the co-invariant on A1S to keep only those states on which collect is not enabled. Thus the co-invariant is changed to z < 1.[26]
After the change, however, the invariant at A1S becomes redundant. Thus all the remaining states associated with A1S become semi-⊥ states, since there is no outgoing input transition at A1S. Thus, location A1S can completely collapse to ⊥, culminating in the removal of its associated transitions (indicated by dotted lines).
[25] ⊥-removal is not strictly necessary for mirroring, but it simplifies the result for better readability.
For location A2S, similarly, its co-invariant can be changed to z < 1 due to the auto-⊥ caused by its collect transition. But the new co-invariant will not make its invariant completely redundant. Instead, it is only when the co-invariant can reach its upper bound before the invariant reaches its own (i.e. when y − z <= 2 − 1) that the states at location A2S become semi-⊥. Thus, the co-invariant needs to be changed to y − z > 1 & z < 1. Then we can perform ⊥-removal on the incoming wakeup transition by removing the wakeup transitions whose firing would make y − z <= 1 true. Thus, the guard y > 1 is added to the wakeup transition.
Similarly, location B3S has semi-⊥ states if y − z > 10 − 2. Thus its co-invariant needs to be changed to y − z <= 8 & y <= 10 and its incoming wakeup transition needs to be strengthened with the guard y <= 8.
After the two transformations, we need to perform the mirror operation on the resultant TIOA by exchanging input with output and invariant with co-invariant. Then the final TIOA will be our synthesised scheduler. Due to the synthesis procedure, infeasible strategies, such as issuing wakeup before receiving initiate_print or issuing wakeup after receiving initiate_print but before clock y reaches 1s, are automatically eliminated.
7. Comparison with Related Work
Our framework can be seen as a linear-time alternative to the timed specification theories of [14] and [11], albeit with significant differences. The specification theory in [11] also introduces parallel, conjunction and quotient, but uses timed alternating simulation as refinement, which does not admit the weakest precongruence (cf. P and Q in Figure 5). An advantage of [11] is the algorithmic efficiency of branching-time simulation checking and the implementation reported in [12].
[26] Note that we use shaded areas in the right-hand side of Figure 10 to mark the guards and invariants/co-invariants changed by the transformations.
The work of [14] on timed games shares significantly more conceptual and technical similarities with ours, although they do not define refinement, conjunction and quotient. We adopt most of the game rules in [14], except that, due to our requirement that proposed delay moves are the maximal delays allowed by a strategy, a play cannot have consecutive delay moves.
This enables us to avoid the complexity of an infinite play (i.e. an infinite sequence of moves) generating a finite trace (cf. Section 2.2 for the definition of finite traces). So infinite plays generate only divergent traces (cf. the non-zenoness assumption). To completely eliminate time-blocking strategies, we only need to tackle the remaining case that finite plays end in timestop or timelock, which can be nicely solved using the realisation game. Thus the need for blame assignment is removed.
Secondly, we do not use timelock (i.e. semi-⊤) to model time errors (i.e. bounded-liveness errors). Rather, we introduce the explicit inconsistent state ⊥ to model both time and immediate (i.e. safety) errors. This enables us to avoid the complexity of having two transition relations and well-formedness of timed interfaces.
Similar to our work, [11] uses semi-⊤ to model timelock (so-called immediate errors in [11]). However, the pruning of timelocks is based on the synthesis game of [7]. Therefore, they cannot remove auto-⊤ and the pruning is strictly less aggressive.
Furthermore, incompatibility errors (so-called strictly undesirable states in [11]) are not in the core of the theory of [11]. They are more 'model-related errors' defined by the users, which are treated as plain states by the definition of operators and refinement. So it is unclear (e.g. for conjunction and quotient) what the product state will be if one component is in a strictly undesirable state.
This is in contrast to our theory, where the definitions of the four operators, the substitutive refinement relations, and the determinisation procedure are all based on the manipulation of ⊤ and ⊥; and the algebraic properties of the state composition operators can be lifted to the process level.
More specifically, some further technical points of comparison with [11, 14] are:
• Determinism: We can handle non-deterministic timed transition systems thanks to our modified determinisation procedure, while [11, 14] consider only deterministic timed transition systems. That is where a linear-time theory has advantages. It is not obvious how such an extension can work if the refinement is timed alternating simulation.
• AG reasoning: A specification in [11] is an input-enabled TIOA/TIOTS without ⊥ or co-invariants. Thus a specification contains no assumptions on the environment before users mark out strictly undesirable states. It is not a fully assume-guarantee specification theory in the sense that a specification (or interface) combines and mixes assumptions and guarantees in a unified way.
• Implementation and strategy: A specification in [11] can be interpreted as a set of implementations, while our timed strategy semantics interprets a specification as a set of strategies. There is some similarity. However, the major differences are:
  – Strategies are tree-like partial unfoldings of the original transition system, while implementations are (potentially cyclic) transition systems alternating-simulating the original system.
  – We have implicit strategies which can be neither partial unfoldings nor alternating simulations of the original systems.
  – Strategies are based on game theory and use game rules like those in [14]. However, implementation is less closely related to game theory.
In comparison with the untimed specification theories [9], our timed extension requires new techniques (e.g. those related to timestop) to handle delay transitions, since time can be modelled neither as input nor as output. Timestop enables us to discover surprisingly simple and robust notions like semi-⊤/⊥ and ⊤/⊥-backpropagation, whose definitions indicate the canonicity of the notions. Furthermore, with the assistance of time, bounded liveness in terms of clock bounds suffices to specify and verify most liveness-related properties. Bounded liveness is especially simple and natural to use and work with in timed models, since invariants/co-invariants and finite traces suffice to capture it. In contrast, in the untimed world, bounded liveness is cumbersome to specify and work with; people in most cases have to resort to infinite traces to treat liveness properly.
Finally, we remark that our linear-time specification theory owes much to
the pioneering work on trace theories for asynchronous circuit verification,
such as Dill's trace theory [15]. It is from this community that we take
inspiration for the timed extension of mirror and the derivation of quotient
from mirror (footnote 27). In some sense, this work can be regarded as a
combination of that line of work with another line of work to which Dill
also made a seminal contribution, timed automata. It is highly satisfying to
see the synergy between the two lines of work, as indicated by the results
of this paper.
We briefly mention other related work, which includes timed modal transition
systems [5, 8], the timed I/O model [17, 4] and embedded systems [22, 18].
8. Conclusion and Future Work
We have devised a fully compositional specification theory for realisable
components with real-time constraints. The linear-time theory enjoys strong
algebraic properties, supports a full set of composition operators, and ad-
mits the weakest substitutive pre-congruence preserving safety and bounded-
liveness error freedom. The framework can be seen as an alternative to,
or refinement of, the timed theories of [14, 11]. Future work will consider
assume-guarantee reasoning for timed systems, as well as the implementa-
tion of our theory. The latter, we believe, can benefit from the timed-game
based algorithms and results from [11].
Acknowledgments. The authors are supported by EU FP7 project CON-
NECT, ERC Advanced Grant VERIWARE and EPSRC project EP/F001096.
Appendix A. Composing TIOA
We use ⊗ to range over the operator set {‖, ∨, ∧, %}, and use l and n to
range over the set of locations (i.e. L).
We say a TIOA $P = (C, I, O, L, n_0, AT, Inv, coInv)$ is ⊤-completed iff,
for all $a \in O$ and $l \in L$, we have
$$\bigvee\{\, g_k \mid l \xrightarrow{g_k,\ a,\ rs_k} l'_k \in AT \,\} = \mathit{true}.$$
Note that, unlike the definition for TIOTSs, TIOAs do not require
⊤-completion on delay transitions. We say P is ⊥-completed iff, for all
$a \in I$ and $l \in L$, we have
$$\bigvee\{\, g_k \mid l \xrightarrow{g_k,\ a,\ rs_k} n_k \in AT \,\} = \mathit{true}.$$
Footnote 27: The mirror-based definition of quotient (for the untimed case)
was first presented by Verhoeff as his Factorisation Theorem [23].
Given two ⊗-composable ⊤/⊥-completed TIOAs with disjoint clocks
($C_0 \cap C_1 = \emptyset$), $P_i = (C_i, I_i, O_i, L_i, n_{0i}, AT_i, Inv_i, coInv_i)$
for $i \in \{0, 1\}$, their synchronised product gives rise to another TIOA
$P = P_0 \prod_\otimes P_1$:
• $C = C_0 \cup C_1$, $(I, O) = (I_0, O_0) \otimes (I_1, O_1)$ and $L = L_0 \times L_1$;
• $n_0 = n_{00} \times n_{01}$;
• AT is the least relation that contains $AT_0$, $AT_1$ and
$$\{\, l_0 \times l_1 \xrightarrow{g_0 \wedge g_1,\ a,\ rs_0 \cup rs_1} n'_0 \times n'_1 \mid l_0 \xrightarrow{g_0,\ a,\ rs_0} n'_0 \in AT_0 \ \wedge\ l_1 \xrightarrow{g_1,\ a,\ rs_1} n'_1 \in AT_1 \,\}$$
$$\cup\ \{\, l_0 \times l_1 \xrightarrow{g_0,\ a,\ rs_0} n'_0 \times l_1 \mid l_0 \xrightarrow{g_0,\ a,\ rs_0} n'_0 \in AT_0,\ a \in A_0 \setminus A_1 \,\}$$
$$\cup\ \{\, l_0 \times l_1 \xrightarrow{g_1,\ a,\ rs_1} l_0 \times n'_1 \mid l_1 \xrightarrow{g_1,\ a,\ rs_1} n'_1 \in AT_1,\ a \in A_1 \setminus A_0 \,\};$$
• and $(Inv(l_0 \times l_1), coInv(l_0 \times l_1)) = (Inv_0(l_0), coInv_0(l_0)) \otimes (Inv_1(l_1), coInv_1(l_1))$.
We define the ⊗ composition of invariant/co-invariant pairs as follows:
• $(Inv_0, coInv_0) \parallel (Inv_1, coInv_1) = (Inv_0 \wedge Inv_1,\ coInv_0 \wedge coInv_1)$
• $(Inv_0, coInv_0) \wedge (Inv_1, coInv_1) = (Inv_0 \wedge Inv_1,\ coInv_0 \vee coInv_1)$
• $(Inv_0, coInv_0) \vee (Inv_1, coInv_1) = (Inv_0 \vee Inv_1,\ coInv_0 \wedge coInv_1)$
• $(Inv_0, coInv_0)\ \%\ (Inv_1, coInv_1) = (Inv_0 \wedge coInv_1,\ coInv_0 \wedge Inv_1)$
Note that in the above definition we exploit the fact that adding
false-guarded transitions to AT, or removing them from it, does not change
the semantics of the automaton.
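As an added illustration (not code from the paper or its authors), the following Python module builds the synchronised product for the four operators exactly as listed above. Guards are represented as conjunctions of atomic clock constraints (sets of strings, so $g_0 \wedge g_1$ is set union) and invariants/co-invariants as small formula trees, so that the ⊗ table can be applied entry by entry. The sender/receiver automata, the (I, O) rule for each operator (read off the alphabets stated with Propositions 4–7 in Appendix B) and the omission of the ⊤/⊥-completion step beforehand are all assumptions of the example.

```python
"""Synchronised product of two TIOAs (Appendix A) as an added example.

Assumptions: guards are conjunctions of atomic constraints (frozensets of
strings); Inv/coInv are formula trees (an atom, or ("and"|"or", f, g)); the
operands are taken to be T/bottom-completed already; the (I, O) rule per
operator follows the alphabets stated with Propositions 4-7 of Appendix B.
"""
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet, Tuple, Union

Formula = Union[str, Tuple]      # "x<=5" | ("and", f, g) | ("or", f, g)
TRUE = "true"


@dataclass(frozen=True)
class Transition:
    src: Any
    guard: FrozenSet[str]        # conjunction of clock constraints
    action: str
    resets: FrozenSet[str]
    dst: Any


@dataclass
class TIOA:
    clocks: FrozenSet[str]
    I: FrozenSet[str]
    O: FrozenSet[str]
    locations: FrozenSet
    init: Any
    AT: FrozenSet[Transition]
    inv: Dict[Any, Formula]
    coinv: Dict[Any, Formula]

    @property
    def A(self) -> FrozenSet[str]:   # full action alphabet A = I ∪ O
        return self.I | self.O


def compose_io(op, p0, p1):
    """(I, O) = (I0, O0) ⊗ (I1, O1), alphabets as stated with Props. 4-7."""
    if op == "par":
        return (p0.I | p1.I) - (p0.O | p1.O), p0.O | p1.O
    if op in ("and", "or"):
        assert p0.I == p1.I and p0.O == p1.O
        return p0.I, p0.O
    if op == "quot":                     # P0 % P1
        return p0.I | p1.O, p0.O - p1.O
    raise ValueError(op)


def compose_inv(op, inv0, co0, inv1, co1):
    """The invariant/co-invariant table of Appendix A, entry by entry."""
    return {
        "par":  (("and", inv0, inv1), ("and", co0, co1)),
        "and":  (("and", inv0, inv1), ("or", co0, co1)),
        "or":   (("or", inv0, inv1), ("and", co0, co1)),
        "quot": (("and", inv0, co1), ("and", co0, inv1)),
    }[op]


def product(op, p0, p1):
    """P0 ∏⊗ P1: shared actions synchronise (guards conjoined, resets unioned);
    private actions interleave, leaving the partner's location unchanged."""
    assert not (p0.clocks & p1.clocks), "operands must have disjoint clocks"
    I, O = compose_io(op, p0, p1)
    locs = frozenset((l0, l1) for l0 in p0.locations for l1 in p1.locations)
    AT = set()
    for l0, l1 in locs:
        for t0 in (t for t in p0.AT if t.src == l0):
            if t0.action in p1.A:        # shared action: needs a matching P1 move
                for t1 in (t for t in p1.AT if t.src == l1 and t.action == t0.action):
                    AT.add(Transition((l0, l1), t0.guard | t1.guard, t0.action,
                                      t0.resets | t1.resets, (t0.dst, t1.dst)))
            else:                        # a ∈ A0 \ A1
                AT.add(Transition((l0, l1), t0.guard, t0.action, t0.resets, (t0.dst, l1)))
        for t1 in (t for t in p1.AT if t.src == l1 and t.action not in p0.A):
            AT.add(Transition((l0, l1), t1.guard, t1.action, t1.resets, (l0, t1.dst)))
    inv, coinv = {}, {}
    for l0, l1 in locs:
        inv[(l0, l1)], coinv[(l0, l1)] = compose_inv(
            op, p0.inv[l0], p0.coinv[l0], p1.inv[l1], p1.coinv[l1])
    return TIOA(p0.clocks | p1.clocks, I, O, locs, (p0.init, p1.init),
                frozenset(AT), inv, coinv)


def moves(p, src, action):
    """Transitions of p leaving `src` on `action` (for inspection)."""
    return [t for t in p.AT if t.src == src and t.action == action]


def fs(*xs):
    return frozenset(xs)


# Constructed operands. SENDER emits msg and requires ack within 5 time units
# (co-invariant x<=5 in `sent`: a bounded-liveness assumption on its
# environment). RECEIVER must answer within 2 (invariant y<=2 in `got`: a
# bounded-liveness guarantee) and has a private `log` action.
SENDER = TIOA(fs("x"), I=fs("ack"), O=fs("msg"), locations=fs("idle", "sent"), init="idle",
              AT=fs(Transition("idle", fs(), "msg", fs("x"), "sent"),
                    Transition("sent", fs(), "ack", fs(), "idle")),
              inv={"idle": TRUE, "sent": TRUE}, coinv={"idle": TRUE, "sent": "x<=5"})
RECEIVER = TIOA(fs("y"), I=fs("msg"), O=fs("ack", "log"), locations=fs("wait", "got"), init="wait",
                AT=fs(Transition("wait", fs(), "msg", fs("y"), "got"),
                      Transition("got", fs("y<=2"), "ack", fs(), "wait"),
                      Transition("got", fs(), "log", fs(), "got")),
                inv={"wait": TRUE, "got": "y<=2"}, coinv={"wait": TRUE, "got": TRUE})

SYSTEM = product("par", SENDER, RECEIVER)   # closed system: I = {}, O = {msg, ack, log}
```

In the product, (sent, got) carries the co-invariant x ≤ 5 from the sender and the invariant y ≤ 2 from the receiver conjoined as the ‖ row of the table prescribes; a shared action with no partner move (ack at (sent, wait)) yields no product transition at all, which is exactly the kind of missing move that ⊤/⊥-completion of the operands is meant to make explicit before composing.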
Strongly non-zeno TAs are known to be determinisable. For instance, [6]
gives a symbolic procedure based on game and region constructions. We can
easily modify the procedure to implement the TIOTS determinisation defined
in Section 2, giving rise to a new procedure DET(P) on a TIOA P. On
deterministic TIOAs, we can implement both the ⊤- and the ⊥-backpropagation
procedures by fixpoint calculation on top of constraint backpropagation,
denoted BP(P, ⊤) and BP(P, ⊥) respectively.
With such transformations on TIOAs, all the operators of theories I and II
become definable on TIOAs from the $\prod_\otimes$ operators on TIOAs.
Appendix B. Declarative Theory of Contracts
We now present a timed-trace characterisation of our compositional speci-
fication theory. For this purpose we adopt the contract framework promoted
in [3], which has the advantage of explicitly separating assumptions from
guarantees.
Given any TIOTS $P = \langle I, O, S, s_0, \rightarrow \rangle$, three sets of
traces can be extracted from $((P^{\bot})^{\top})^{D}$:
• TP, the set of timed traces leading to plain states;
• TE, the set of timed traces leading to the error state ⊥;
• TM, the set of timed traces leading to the magic state ⊤.
TE and TM are extension-closed due to the chaotic nature of ⊤ and ⊥, while
TP is prefix-closed. Since $TE \cup TP \cup TM$ is the full set of timed
traces (i.e. $tA^*$), we need only two of the trace sets to characterise P.
In the system-environment interaction (as explained in our timed game
framework), TE is the set of behaviours which the environment tries to steer
the interaction away from, whereas TM is the set of behaviours which the
component tries to steer away from. Thus, TE characterises the assumptions
required of the environment, while TM characterises the guarantees provided
by the system.
A contract based on TE and TM defines the semantics of P, characterising
the congruence of [10].
Definition 7 (Contract). A contract is a tuple (I, O, AS, GR), where AS and
GR are two disjoint extension-closed trace sets. The contract of P is
defined as $\mathcal{TT}(P) := (I, O, TE, TM)$.
When P is a specification (including the unrealisable specification,
footnote 28), GR in $\mathcal{TT}(P)$ is I-receptive. We say a trace set TT
is I-receptive iff, for each $tt \in TT$, we have 1) $tt \frown \langle e \rangle \in TT$
for all $e \in I$, and 2) $tt \frown \langle d \rangle \notin TT$ for some
$d \in \mathbb{R}_{>0}$ implies there exists $w \in tO^*$ s.t.
$tt \frown w \in TT$ and $l(w) < d$.
When P is a normalised specification (including the inconsistent
specification, footnote 29), we have furthermore that AS in $\mathcal{TT}(P)$
is O-receptive. We say a trace set TT is O-receptive iff, for each
$tt \in TT$, we have 1) $tt \frown \langle e \rangle \in TT$ for all $e \in O$,
and 2) $tt \frown \langle d \rangle \notin TT$ for some $d \in \mathbb{R}_{>0}$
implies there exists $w \in tI^*$ s.t. $tt \frown w \in TT$ and $l(w) < d$.
Footnote 28: When P is the unrealisable specification, i.e. the ⊤-TIOTS, GR is empty.
Footnote 29: When P is the inconsistent specification, i.e. the ⊥-TIOTS, AS is empty.
Given a TIOTS P, the realisation of P, i.e. $P^R$, can be implemented by
⊤-backpropagation on contracts:
Definition 8 (Realisation). Given a contract (I, O, AS, GR), we define
$(I, O, AS, GR)^R = (I, O, AS \setminus GR^R, GR^R)$, where $GR^R$ is the
least extension-closed superset of GR s.t. no $tt \in tA^*$ is an auto-⊤ or
semi-⊤ w.r.t. $GR^R$.
We say a trace $tt \in tA^*$ is an auto-⊤ w.r.t. TT iff $tt \notin TT$ and
$tt \frown \langle e \rangle \in TT$ for some $e \in I$. A trace $tt \in tA^*$
is a semi-⊤ w.r.t. TT iff $tt \notin TT$ and there exists some
$d \in \mathbb{R}_{>0}$ s.t. $tt \frown \langle d \rangle \in TT$ and
$tt \frown \langle d_0, e \rangle \in TT$ for all $0 \le d_0 < d$ and $e \in O$.
It is easy to verify that $GR^R$ is I-receptive and
$\mathcal{TT}(P)^R = \mathcal{TT}(P^R)$.
Given a specification P, the normalisation of P, i.e. $P^N$, can also be
implemented by ⊥-backpropagation on contracts:
Definition 9 (Normalisation). Given a contract (I, O, AS, GR) with
I-receptive GR, we define $(I, O, AS, GR)^N = (I, O, AS^N, GR \setminus AS^N)$,
where $AS^N$ is the least extension-closed superset of AS s.t. no
$tt \in tA^*$ is an auto-⊥ or semi-⊥ w.r.t. $AS^N$.
A trace $tt \in tA^*$ is an auto-⊥ w.r.t. TT iff $tt \frown \langle e \rangle \in TT$
for some $e \in O$. A trace $tt \in tA^*$ is a semi-⊥ w.r.t. TT iff there
exists some $d \in \mathbb{R}_{>0}$ s.t. $tt \frown \langle d \rangle \in TT$ and
$tt \frown \langle d_0, e \rangle \in TT$ for all $0 \le d_0 < d$ and $e \in I$.
It is easy to verify that $AS^N$ is O-receptive and
$\mathcal{TT}(P)^N = \mathcal{TT}(P^N)$.
A coarsening of contracts gives a characterisation of the refinement
preorder ⊑r, which says that P is a refinement of Q iff P has fewer
assumptions and more guarantees than Q.
Definition 10 (Realisable contract). A contract (I, O, AS, GR) is a
realisable contract iff AS is O-receptive and GR is I-receptive. The
realisable contract of a specification P is defined as
$\mathcal{CT}(P) := \mathcal{TT}(P)^N$.
Theorem 6. For specifications $P_0$ and $P_1$ with realisable contracts
$(I, O, AS_0, GR_0)$ and $(I, O, AS_1, GR_1)$ respectively,
$P_0 \sqsubseteq_r P_1$ iff $AS_1 \subseteq AS_0$ and $GR_0 \subseteq GR_1$.
Given two specifications $P_i$ for $i \in \{0, 1\}$ and $\bar{i} = 1 - i$
s.t. $\mathcal{CT}(P_i) = (I, O, AS_i, GR_i)$, we define the parallel,
disjunction, conjunction and quotient operations on realisable contracts.
The core part of the operations is based on the patterns originally
discovered by [15, 21]. The specialisation required for the timed theory to
work lies in the application of closure conditions like normalisation and
realisation.
We first define the alphabet enlargement operation on realisable contracts
before carrying on to define the major operators.
Alphabet enlargement. Given a set Δ of actions disjoint from $I \cup O$, we
define $(I, O, AS, GR)^\Delta := (I \cup \Delta, O, AS^\Delta, GR^\Delta)$,
where $TT^\Delta := \{\, tt \in (tA \cup \Delta)^* \mid tt \upharpoonright tA \in TT \,\} \cdot (tA \cup \Delta)^*$.
Parallel composition and disjunction.
Proposition 4. If specifications $P_0$ and $P_1$ are ‖-composable, then
$$\mathcal{CT}(P_0 \parallel P_1) = \big(I, O, (AS_0^{\Delta_0} \cup AS_1^{\Delta_1}) \setminus (GR_0^{\Delta_0} \cup GR_1^{\Delta_1}),\ GR_0^{\Delta_0} \cup GR_1^{\Delta_1}\big)^N,$$
where $I = (I_0 \cup I_1) \setminus O$, $O = O_0 \cup O_1$,
$\Delta_0 = A_1 \setminus A_0$ and $\Delta_1 = A_0 \setminus A_1$.
Intuitively, the above says that the guarantee of the parallel composition
is the combination of the guarantees provided by the components, while the
assumption of the parallel composition is the combination of the assumptions
of the components minus those that have been fulfilled by their guarantees.
Proposition 5. If specifications $P_0$ and $P_1$ are ∨-composable, then
$\mathcal{CT}(P_0 \vee P_1) = (I, O, AS_0 \cup AS_1, GR_0 \cap GR_1)^N$,
where $I = I_0 = I_1$ and $O = O_0 = O_1$.
That is, disjunction unions the assumptions and intersects the guarantees.
Conjunction and quotient.
Proposition 6. If $P_0$ and $P_1$ are ∧-composable, then
$\mathcal{CT}(P_0 \wedge P_1) = (I, O, AS_0 \cap AS_1, GR_0 \cup GR_1)^R$,
where $I = I_0 = I_1$ and $O = O_0 = O_1$.
Proposition 7. If specification $P_0$ dominates specification $P_1$, then
$$\mathcal{CT}(P_0 \% P_1) = \big(I, O, AS_0 \cup GR_1^{\Delta_1},\ (GR_0 \setminus GR_1^{\Delta_1}) \cup (AS_1^{\Delta_1} \setminus AS_0)\big)^R,$$
where $I = I_0 \cup O_1$, $O = O_0 \setminus O_1$ and $\Delta_1 = A_0 \setminus A_1$.
Intuitively, the above says that the quotient assumes the $P_0$-assumption
combined with the $P_1$-guarantee, and it guarantees 1) the $P_0$-guarantee
not covered by the $P_1$-guarantee as well as 2) the $P_1$-assumption
missing from the $P_0$-assumption.
Mirror. The operation is straightforward: it simply exchanges assumption
and guarantee.
Proposition 8. $\mathcal{CT}(P^{\neg}) = (O, I, GR, AS)$.
Contract. The terminology of contract was coined by Meyer and Back. The
meta-theory of contracts dates back to the trace theory of [15], especially
its abstract reformulation by [21]. Both works draw upon earlier ideas from
asynchronous circuit verification.
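As an added worked example (not code from the paper or its authors), the following Python module instantiates Definitions 7–10, Theorem 6 and Propositions 4 and 8 above in the delay-free special case: traces are finite action sequences without delays, truncated at a constructed bound K, so that extension closure and the two backpropagation fixpoints can be computed by enumeration. In that case the semi-⊤/semi-⊥ conditions and clause 2) of I/O-receptiveness, which concern delays, vanish, and auto-⊤ (resp. auto-⊥) backpropagation reduces to: a ⊤ (resp. ⊥) trace whose last action is an input (resp. output) forces its prefix into the set as well. The server/client contracts and the bound K are constructed for the example; the code generalises to any finite alphabet.

```python
"""Delay-free instance of the contract algebra of Appendix B (added example).

Assumptions (not from the paper): traces are finite action sequences with no
delays, truncated at length K, so extension closure and the backpropagation
fixpoints are computable by enumeration.  The semi-T/semi-bottom conditions
and clause 2) of I/O-receptiveness concern delays and vanish here.
"""
from itertools import product

K = 4   # constructed bound on trace length


def ext_close(traces, alphabet, k=K):
    """Extension closure within the bound: every continuation over `alphabet`
    of a member, up to length k, is a member."""
    closed = set()
    for tt in traces:
        for extra in range(k - len(tt) + 1):
            for suffix in product(sorted(alphabet), repeat=extra):
                closed.add(tuple(tt) + suffix)
    return frozenset(closed)


class Contract:
    """(I, O, AS, GR) of Definition 7.  AS = traces leading to bottom (what the
    environment must avoid), GR = traces leading to T (what the component
    never does); the two sets are disjoint."""

    def __init__(self, inputs, outputs, AS, GR):
        self.I, self.O = frozenset(inputs), frozenset(outputs)
        self.AS, self.GR = frozenset(AS), frozenset(GR)
        assert not (self.AS & self.GR), "AS and GR must be disjoint"

    @property
    def A(self):
        return self.I | self.O


def backpropagate(traces, actions, alphabet):
    """Least extension-closed superset in which no trace tt outside the set has
    tt^<e> inside it for some e in `actions`.  actions = I gives
    T-backpropagation (GR^R, Def. 8); actions = O gives bottom-backpropagation
    (AS^N, Def. 9): a trace ending in an action the other side controls cannot
    be the first T (resp. bottom) point, so its prefix is already one."""
    closed = set(ext_close(traces, alphabet))
    changed = True
    while changed:
        changed = False
        for tt in list(closed):
            if tt and tt[-1] in actions and tt[:-1] not in closed:
                closed |= ext_close({tt[:-1]}, alphabet)
                changed = True
    return frozenset(closed)


def realise(c):
    """Definition 8: (AS \\ GR^R, GR^R)."""
    GRR = backpropagate(c.GR, c.I, c.A)
    return Contract(c.I, c.O, c.AS - GRR, GRR)


def normalise(c):
    """Definition 9: (AS^N, GR \\ AS^N)."""
    ASN = backpropagate(c.AS, c.O, c.A)
    return Contract(c.I, c.O, ASN, c.GR - ASN)


def enlarge(traces, alphabet, delta, k=K):
    """Alphabet enlargement TT^Delta: traces over A ∪ Delta whose projection
    onto A lies in TT (for extension-closed TT this is the paper's definition)."""
    full = sorted(alphabet | delta)
    return frozenset(tt for n in range(k + 1) for tt in product(full, repeat=n)
                     if tuple(a for a in tt if a in alphabet) in traces)


def parallel(c0, c1):
    """Proposition 4: union the guarantees, union the assumptions minus those
    already fulfilled by a guarantee, then bottom-backpropagate (normalise)."""
    I, O = (c0.I | c1.I) - (c0.O | c1.O), c0.O | c1.O
    d0, d1 = c1.A - c0.A, c0.A - c1.A
    AS0, GR0 = enlarge(c0.AS, c0.A, d0), enlarge(c0.GR, c0.A, d0)
    AS1, GR1 = enlarge(c1.AS, c1.A, d1), enlarge(c1.GR, c1.A, d1)
    return normalise(Contract(I, O, (AS0 | AS1) - (GR0 | GR1), GR0 | GR1))


def mirror(c):
    """Proposition 8: swap the roles of assumption and guarantee."""
    return Contract(c.O, c.I, c.GR, c.AS)


def thm6_order(c0, c1):
    """Theorem 6 condition for P0 ⊑r P1: AS1 ⊆ AS0 and GR0 ⊆ GR1."""
    return c1.AS <= c0.AS and c0.GR <= c1.GR


def inconsistent(c):
    """Bottom has propagated back to the empty trace: an incompatibility error
    that no environment can steer away from."""
    return () in c.AS


# Constructed contracts over the actions req/resp.
A = frozenset({"req", "resp"})
SERVER = Contract({"req"}, {"resp"},
                  AS=ext_close({("req", "req")}, A),   # no second req before a resp
                  GR=ext_close({("resp",)}, A))        # never an unsolicited resp
SERVER2 = Contract({"req"}, {"resp"}, AS=(),           # tolerates any input
                   GR=ext_close({("resp",), ("req", "resp", "resp")}, A))
GOOD_CLIENT = Contract({"resp"}, {"req"},
                       AS=ext_close({("resp",)}, A),   # no resp before it asked
                       GR=ext_close({("req", "req")}, A))
BAD_CLIENT = Contract({"resp"}, {"req"},
                      AS=ext_close({("resp",)}, A),
                      GR=ext_close({("req", "req", "req")}, A))   # may double-send
SLOPPY = Contract({"req"}, {"resp"}, AS=(), GR=ext_close({("resp", "req")}, A))

if __name__ == "__main__":
    print("server || good client inconsistent:", inconsistent(parallel(SERVER, GOOD_CLIENT)))
    print("server || bad client inconsistent: ", inconsistent(parallel(SERVER, BAD_CLIENT)))
    print("SERVER ⊑r SERVER2 per Theorem 6:   ", thm6_order(SERVER, SERVER2))
```

Two things are visible that the propositions alone do not show. Composing the server with the client that may double-send leaves the trace (req, req) in the assumption of the closed system; since every action of a closed system is an output, ⊥-backpropagation strips them one by one until the empty trace is in AS, i.e. the mismatch becomes an incompatibility error at the initial state. And realising SLOPPY, whose ⊤-set contains (resp, req), moves ⊤ back to (resp,): a component cannot refuse an input, so a ⊤ trace ending in one was already ⊤ before it.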
References
[1] Eugene Asarin, Oded Maler, Amir Pnueli, and Joseph Sifakis. Controller
synthesis for timed automata. In Proc. IFAC Symposium on System Structure
and Control. Elsevier, 1998.
[2] Christel Baier and Joost-Pieter Katoen. Principles of Model Checking.
MIT Press, 2008.
[3] Albert Benveniste, Benoît Caillaud, Dejan Nickovic, Roberto Passerone,
Jean-Baptiste Raclet, Philipp Reinkemeier, Alberto Sangiovanni-Vincentelli,
Werner Damm, Tom Henzinger, and Kim Larsen. Contracts for systems design.
Technical Report RR-8147, INRIA, November 2012.
[4] Jasper Berendsen and Frits W. Vaandrager. Compositional abstraction in
real-time model checking. In FORMATS, volume 5215 of LNCS, pages 233–249.
Springer, 2008.
[5] Nathalie Bertrand, Axel Legay, Sophie Pinchinat, and Jean-Baptiste
Raclet. A compositional approach on modal specifications for timed systems.
In ICFEM, volume 5885 of LNCS, pages 679–697. Springer, 2009.
[6] Nathalie Bertrand, Amélie Stainer, Thierry Jéron, and Moez Krichen. A
game approach to determinize timed automata. In FOSSACS, volume 6604 of
LNCS, pages 245–259. Springer, 2011.
[7] Franck Cassez, Alexandre David, Emmanuel Fleury, Kim Guldstrand Larsen,
and Didier Lime. Efficient on-the-fly algorithms for the analysis of timed
games. In CONCUR, volume 3653 of LNCS. Springer, 2005.
[8] Kārlis Čerāns, Jens Chr. Godskesen, and Kim Guldstrand Larsen. Timed
modal specification: theory and tools. In CAV, pages 253–267, 1993.
[9] Taolue Chen, Chris Chilton, Bengt Jonsson, and Marta Kwiatkowska. A
compositional specification theory for component behaviours. In ESOP'12,
volume 7211 of LNCS, pages 148–168. Springer, 2012.
[10] Chris Chilton, Marta Kwiatkowska, and Xu Wang. Revisiting timed
specification theories: A linear-time perspective. In FORMATS'12, 2012. A
full version appears as OUCL technical report CS-RR-12-04, available at
http://www.cs.ox.ac.uk/files/4837/CS-RR-12-04.pdf.
[11] Alexandre David, Kim G. Larsen, Axel Legay, Ulrik Nyman, and Andrzej
Wąsowski. Timed I/O automata: a complete specification theory for real-time
systems. In HSCC'10, pages 91–100. ACM, 2010.
[12] Alexandre David, Kim Guldstrand Larsen, Axel Legay, Ulrik Nyman, and
Andrzej Wąsowski. ECDAR: An environment for compositional design and
analysis of real time systems. In ATVA, volume 6252 of LNCS, pages 365–370.
Springer, 2010.
[13] Luca de Alfaro, Marco Faella, Thomas A. Henzinger, Rupak Majumdar, and
Mariëlle Stoelinga. The element of surprise in timed games. In CONCUR,
volume 2761 of LNCS, pages 142–156. Springer, 2003.
[14] Luca de Alfaro, Thomas A. Henzinger, and Mariëlle Stoelinga. Timed
interfaces. In EMSOFT'02, volume 2491 of LNCS, pages 108–122. Springer,
2002.
[15] David L. Dill. Trace Theory for Automatic Hierarchical Verification of
Speed-Independent Circuits. ACM Distinguished Dissertations. MIT Press,
1989.
[16] Emmanuel Filiot, Naiyong Jin, and Jean-François Raskin. Compositional
algorithms for LTL synthesis. In ATVA, volume 6252 of LNCS. Springer, 2010.
[17] Dilsun Kirli Kaynar, Nancy A. Lynch, Roberto Segala, and Frits W.
Vaandrager. Timed I/O Automata: A mathematical framework for modeling and
analyzing real-time systems. In RTSS, 2003.
[18] I. Lee, J. Y. T. Leung, and S. H. Son. Handbook of Real-Time and
Embedded Systems. Chapman & Hall/CRC, 2007.
[19] W. Lim. Design methodology for stoppable clock systems. IEE Proceedings
E (Computers and Digital Techniques), 133(1):65–72, January 1986.
[20] S. W. Moore, G. S. Taylor, P. A. Cunningham, R. D. Mullins, and
P. Robinson. Using stoppable clocks to safely interface asynchronous and
synchronous subsystems. In AINT (Asynchronous INTerfaces) Workshop, Delft,
Netherlands, 2000.
[21] Radu Negulescu. Process spaces. In CONCUR, volume 1877 of LNCS, pages
199–213. Springer, 2000.
[22] Lothar Thiele, Ernesto Wandeler, and Nikolay Stoimenov. Real-time
interfaces for composing real-time systems. In EMSOFT, 2006.
[23] Tom Verhoeff. A Theory of Delay-Insensitive Systems. PhD thesis, Dept.
of Math. and C.S., Eindhoven University of Technology, May 1994.
[24] Xu Wang. Maximal confluent processes. In Petri Nets'12, volume 7347 of
LNCS. Springer, 2012.
[25] Xu Wang and Marta Z. Kwiatkowska. On process-algebraic verification of
asynchronous circuits. Fundamenta Informaticae, 80(1-3):283–310, 2007.