Formal Specification, Verification and Simulation of Time-Dependent Systems: a Timed Process Algebra Approach  by de Camargo, Murilo S. et al.
Electronic Notes in Theoretical Computer Science  
URL httpwwwelseviernllocateentcsvolumehtml  pages
Formal Specication Verication and
Simulation of TimeDependent Systems a
Timed Process Algebra Approach
Murilo S de Camargo

 Ricardo F Martins
Roberto M Scheel

Departamento de Informatica e de Estatstica
Universidade Federal de Santa Catarina
Campus Universitario Trindade  Caixa Postal 
	 Florianopolis  SC
Brazil
Abstract

In this paper we present an approach to specification, verification and validation of concurrent time-dependent systems which is centered on a timed process algebra language called RTL (for Real-Time LOTOS). Our approach is supported by a tool named RTL-Analyzer that allows automatic verification and validation of RTL specifications. RTL is a temporal extension of the basic LOTOS language which expresses and handles temporal constraints associated with actions. First we present and justify the use of RTL to specify concurrent time-dependent systems. Then the main characteristics and functionalities of the RTL-Analyzer are presented, with details on system verification and validation using our approach. An example of a time-dependent system is given, and it is specified and analyzed by our tool. Finally we compare our approach with others proposed in the literature.
Introduction

Correctness, reliability and good performance are requirements usually demanded in the development of computational systems. The last two requirements mentioned may have a larger or smaller degree of importance depending on the application. However, for time-dependent systems, and particularly for highly critical applications, we must pay special attention to these requirements. The correctness concept itself changes, because it depends not only on the computed logical results but also on the time at which those results are produced. In general, time-dependent systems include three large classes of computational applications: real-time systems, communication protocols and multimedia applications. Some real-time systems, such as air traffic control systems, avionics systems, robotic applications and others, have highly critical characteristics, i.e. an error occurring in the system may provoke faults which may lead to serious damage.

Supported by CNPq, Brazil.
© Published by Elsevier Science B.V. Open access under CC BY-NC-ND license.
de Camargo
Sofor timedependent systems the use of formal techniques in the several
phases of software development lifecycle specication design and implemen
tation	 has now become a necessary approach Timed extension of nite state
machines temporal logics Petri nets and process algebras are some of the most
used formalisms Each of them has its good and bad characteristics depending
on its application sequential or concurrent systems	 or its use specication
or verication phases	
In this work the interest is centered on the development of an approach for
specication verication and validation of timedependent systems In this
approach we propose to use the timed process algebra RTL as specication
language 
 RTL is a timed extension of the ISOs basic LOTOS language

 For verication of timedependent systems specied in RTL we have
developed a tool called RTLAnalyzer that allows us to verify via model
checking system properties specied in the realtime temporal logic TCTL

 The RTLAnalyzer tool also has a simulator functionality that makes it
possible to complement the analysis of a timedependent system by using of
interactive and automatic simulation
The remainder of this paper is organized as follows In section  we present
the timed process algebra RTL its basic concepts and its semantics In this
section we also present the Telephone central specications example which
we will use as a case study example in the next sections Section  gives
some details about our approach to verication and validation systems and
about the development of the RTLAnalyzer tool Section  relates our work
with others in the literature Finally section  gives some conclusions and
directions for future works
The RTL Language

RTL is a timed process algebra that expresses and handles temporal constraints associated with actions (such actions are referred to as timed actions). These constraints, specified as temporal intervals, have a direct influence on the way actions are offered and synchronized. An important feature of this model is that temporal constraints are imperative, hence the name of RTL (Real-Time LOTOS). Specific actions are introduced into the model to express temporal violations, which are the consequence of certain non-realized actions. Thus the proposed model becomes particularly attractive for the formal specification of real-time systems and other time-dependent systems. RTL is a timed extension of the standard LOTOS [ ] language and hence, as LOTOS, it has a marked similarity to CCS [ ] and CSP [ ].
An intuitive view of RTL

We use Act to denote the set of the observable actions and i the internal action of RTL.

In order to express time constraints in a specification we define timed actions by associating time intervals with actions. These time intervals, of the form [t_min, t_max] (obviously with t_min ≤ t_max), determine when the different actions may be offered to their environment. If no explicit time interval is associated with an observable action, we make the usual assumption that the default interval is the one without limits; in other words, for non-timed observable actions there are no time limits.

The fact of associating a maximal time t_max with an action does not imply that we intend to force the urgency of such a timed action, since, following the process algebra paradigm, the occurrence of an observable action depends on its environment. We just want to emphasize that if action [t_min, t_max] a cannot occur within its specified time interval, then it cannot occur outside this time interval, i.e. neither before t_min nor after t_max. In order to characterize this situation we define a set of specific actions, called Act′, which contains as many actions as there are in set Act. These specific actions, called temporal violations, have the purpose of notifying the system, during the execution of some specification, of the impossibility of performing timed actions within their respective time intervals. Hence, let us call a′ the specific action characterizing the temporal violation associated with the non-realization of some timed action [t_min, t_max] a. These specific actions are interesting as they provide the designer with the capability of expressing in his/her specification an exception handling mechanism to be performed when a temporal violation occurs. With this purpose in mind we propose a new operator, the temporal preemption operator, for expressing such an exception handling mechanism.

In our language we can put a time interval on the ordinary internal action i in a specification. However, the RTL semantics states that the i action must occur within its associated time interval. Observable actions can be hidden as in LOTOS; however, hidden actions must occur as soon as possible. This is a property called maximum progress [ ].

The RTL actions are atomic and instantaneous. They include:

- classical actions in LOTOS, that is the observable actions (Act), the internal action i and the successful termination action δ. We define the sets Act_i = Act ∪ {i} and Act_δ = Act ∪ {δ};
- specific RTL actions, namely the temporal violations (Act′). There exists a bijection between the sets Act and Act′: that is, for each action a ∈ Act there is an action a′ ∈ Act′, and vice versa.

For the timed actions of Act_i the time domain D can be dense or sparse, but it must be countable so that the underlying formalism is a labeled transition system. D is defined as a commutative monoid under the usual + operator and with 0 as the null element.
The Language Syntax and Semantics

The behavior expressions of RTL specifications are generated by the following syntax:

E ::= stop                               (inaction)
    | exit                               (successful termination)
    | [t_min, t_max] a; E                (prefix)
    | [t_min, t_max] i; E                (prefix)
    | E [] E                             (choice)
    | E |[L]| E                          (parallel composition)
    | hide L in E                        (hiding)
    | E >> F                             (sequential composition)
    | E [> F                             (preemption)
    | E L{a_1′ Q_1, ..., a_n′ Q_n}       (temporal preemption)
    | P[a_1, ..., a_n]                   (process instantiation)

The operational semantics defined for RTL in Plotkin's SOS (Structured Operational Semantics) style [ ] is presented in Tables [ ], [ ] and [ ], and includes the inference rules for the classical actions, for temporal violation actions and for time progress.
Table 
RTL operational semantics
Inaction

stop
t
 stop
t  D


Successful termination

exit

 stop

exit
t
 exit
t  D


Action prex

	 t
aE
a
 E
t  D

 a  Act
i


	 	
aE
a

 stop
a  Act

	 t s
aE
s
 	 t
aE
t s  D

 s  	 a  Act
i


t

 s t

 s
aE
s
 t

 t


aE
s t

 t

 D

 s  	 a  Act
i

Choice
E
a
 E

E 
F
a
 E

F  
E
a
 E

a  Act
i

E
a

 E

E 
F
a

 E

 
F F  
E
a

 F  
E

a  Act
E
t
 E

 F
t
 F

E 
F
t
 E

 
F

t  D


Parallel composition
E
a
 E

 F
a
 F

EjL
jF
a
 E

jL
jF

a  L  fg
E
a
 E

EjL
jF
a
 E

jL
jF F jL
jE
a
 F jL
jE

a  L  fg
E
a

 E

EjL
jF
a

 E

jL
jF F jL
jE
a

 F jL
jE

E
t
 E

F
t
 F

EjL
jF
t
 E

jL
jF

t  D



Table 
RTL operational semantics
Hiding
E
a
 E

hide L in E
a
 hide L in E

a  L
E
a
 E

hide L in E
i
 hide L in E

a  L
E
a

 E

hide L in E
a

 hide L in E

a  L
E
t
 E

 a  L E 
a

hide L in E
t
 hide L in E

t  D


Sequential composition
E
a
 E

EF
a
 E

F
a  Act
i

E

 E

EF
i
 F
E
a

 E

EF
a

 E

F
a  Act
E 

  E
t
 E

EF
t
 E

F
t  D


Disabling
E
a
 E

E F
a
 E

F
a  Act
i

F
a
 F

E F
a
 F

a  Act
i

E

 E

E F

 E

F
a

 F

E F
a

 E F

a  Act
E
a

 E

E F
a

 E

F
a  Act
E
t
 E

 F
t
 F

E F
t
 E

F

t  D



Table 
RTL operational semantics
Temporal preemption
E
a
 E

a  Act
i

E L
fa

Q

 a

Q

     a
n
Q
n
g
a
 E

 L
fa

Q

 a

Q

     a
n
Q
n
g
E

 E

EL
 fa

Q

 a

Q

     a
n
Q
n
g

 E

E
a

j
 E

EL
 fa

Q

 a

Q

     a
n
Q
n
g
i
 Q
j
a
j
 L
E
b

 E

b  Act L
EL
 fa

Q

 a

Q

     a
n
Q
n
g
b

 E

L
 fa

Q

 a

Q

     a
n
Q
n
g
E
t
 E

t  D


EL
 fa

Q

 a

Q

     a
n
Q
n
g
t
 E

L
 fa

Q

 a

Q

    a
n
Q
n
g
Process instantiation
Ea

a


     a
n
a

n


a
 E

 P a


     a

n

  E
P a

     a
n


a
 E

a  Act
i

Ea

a


     a
n
a

n


a

 E

 P a


     a

n

  E
P a

     a
n


a

 E

a  Act
Ea

a


     a
n
a

n


t
 E

 P a


     a

n

  E
P a

     a
n


t
 E

t  D


Remarks on the RTL Semantics

There exists a difference between the urgency of a user-specified internal action i and that of the i actions generated by the hiding operator. A user-specified internal action i is sure to occur in its interval, and it becomes urgent and uncontrollable at the upper limit of its interval. On the other hand, the i actions generated by the hiding operator have a maximum progress semantics and they occur as soon as possible, even if they are seen by the environment as observable actions. As an example we consider the behavior expressions i; P and hide a in (a; P), with the same time interval attached to i and to a. There is a strong behavioral difference between them. In both cases the external progress of their expressions is made by an internal action i. However, from the temporal viewpoint they behave differently. In the first case the i action will happen at any time instant within the interval. In the second case action a must occur as soon as possible, at the earliest instant of the interval, by the maximum progress property, and externally it is the i action occurrence that makes behavioral progress.
RTL Characteristics and Properties

The timed process algebra RTL has important properties. In [ ] we can find the formal establishment and demonstration of the following ones:

(i) The RTL semantics is consistent.
(ii) The time progress transitions in the RTL operational semantics are deterministic.
(iii) RTL has the time adding property, i.e. if a process specification can be delayed by d + d′ time units then it can also be delayed by d and afterwards by d′ time units, and vice versa, with the same result.
(iv) RTL has the property of persistence, i.e. time progress actions do not block the possibility of action occurrence.
(v) RTL is a strict extension of the ISO's LOTOS language.
(vi) Unlike some timed process algebras, the main paradigm of process algebras remains in RTL, i.e. actions occur when they are enabled and when their environment is also ready to perform them.
(vii) Time progress does not decide a choice operation.
(viii) The occurrence of a time violation action does not decide a choice operation.

Besides, RTL has a powerful temporal expressiveness and can express and handle time constraints such as:

- time constraint specification: [t_min, t_max] a; E
- time violations: a′
- time exception handling: E a′ F

and basic timed processes such as:

- Delay: d i; E
- Timeout: E d i; F
- Watchdog: E d i; F
- Periodic process: F = E d i; F

Therefore we defined in [ ] two time-sensitive observational equivalences for RTL: a weak one that abstracts time progress actions and a strong one that considers all actions occurring in a specification. As expected, the strong equivalence is substitutive for all RTL operators; the weak observational equivalence does not have this property. In spite of the sound fundamentals of both observational equivalences, we were at first discouraged from searching for verification algorithms using the defined equivalences, because there is a potential combinatorial explosion due to time progress actions. However, a feasible approach to verification of time-abstracted equivalence among processes has recently been developed [ ]; their time-abstracted bisimulation is close to those we have developed. A preliminary analysis of Larsen and Wang's work shows that their theory is applicable in our case. Even so, we still need to make an analysis concerning the practical usefulness of this approach.

Fig. [ ]: Communication between the Telephone Central and Terminals (Central, Terminal; gates off hook, on hook, ring, number, ready).
 A specication example
In order to certify the RTL usefulness and to clarify its semantics we give a
small specication example of a telephone central control system This exam
ple is taken again in next the sections to be analyzed by the RTL tools The
telephone central control system specication problem was formerly treated
in 
 and we use some results obtained there to compare with our approach
The system consists of a telephone central connected to several terminals The
terminals communicate with the telephone central through the gates off hook
on hook ring number and ready Figure  shows this communication
The telephone central is composed of three functional units Control Unit
CU	 Number Management Unit NMU	 and Sound Management Unit SMU	
The Control Unit coordinates the fullling of the communication requests A
request begins when a user lifts hisher handset When this happens the
Number Management Unit begins to act and waits for  numbers that will
be entered by the user The following constraints must be observed when a
phone number is being composed

the rst number will be entered up to tp seconds after the dialing tone

the time between two numbers can not be greater than the limit of ts sec
onds

the total number composition can not exceed the limit of tc seconds
The Sound Management Unit will generate a tone in the terminal called
with duration tn seconds after the dialing of the terminal number to be called
If the user of the terminal called do not lift hisher handset in tr seconds then
the call will be cancelled Otherwise the establishment of the connection is
signaled for the Control Unit The internal structure of the telephone central
is shown in gure 
In addition to the restrictions already dened for a number composition
the following restrictions should be carried out by the telephone central

de Camargo
Sound
Management
Unit
Central
Unit
Number
Management
Unit
 
 
 
ini sound
int sound
connect
ini comp
int comp
sound enable
Fig  Functional units of the Telephone Central

time connection a connection once established should be concluded up to
tm seconds both for the user or for the telephone central

time use after a request the central should be free in up to tc  tr  tm
seconds
The RTL specication of the telephonic central is presented below For lack
of space the instantiation gates in the processes are omitted but the spec
ication can still be easily understood since the relabeling operator is not
used
SPECIFICATION Central ring
offhook onhook intcomm ready number number number
number interrupt
BEHAVIOUR
hide free inicomp intcomp soundenable inisound intsound
connect syncend in
		UC



inicomp intcomp soundenable syncend
UGN



inisound intsound connect
UGS



WHERE
PROCESS UCfree offhook inicomp intcomp soundenable inisound
intsound connect onhook intcomm syncend 
free offhook inicomp
	 intcomp syncend UC



 soundenable syncend inisound
	 intsound UC



 connect 	onhook UC



 		i intcomm exit intcommintcomm exit 
UC



ENDPROC
PROCESS UGNinicomp soundenable onhook intcomp number number
number number interrupt syncend
inicomp
			  number  number  number
 number interrupt stop
 	 i intcomp exit

onhook intcomp exit

de Camargo
 number number number number interrupt
number intcomp exit
number intcomp exit
number intcomp exit
number intcomp exit
interrupt soundenable exit
  syncend UGN



ENDPROC
PROCESS UGSinisound ring intsound ready onhook connect
inisound 	 Makenewsoundring
 	 i intsound UGS



 ready connect UGS



 onhook intsound UGS



WHERE
PROCESS Makenewsoundring
	ring i exit  ring   ring  i exit 
 Makenewsoundring
ENDPROC
ENDPROC
ENDSPEC
The former example illustrates the use of the temporal operators of RTL in the specification of systems with real-time characteristics. These characteristics, which require quite a complex specification in untimed process algebras, are represented in a simple way using the RTL operators. For example, we can observe the simple definition of watchdogs by associating the urgent internal action i with the preemption operator. In the process UGN, if the composition of the number exceeds [ ] units of time, then the internal action on the right side of the preemption operator will abort the number being dialed.
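The timed-action, temporal-violation and watchdog ideas from the intuitive view of RTL and from the remark on UGN above can be exercised in a small interpreter. The following Python program is an added example, not code from the paper or from RTL-Analyzer, and it implements a simplified, hypothetical version of the RTL constructs rather than the SOS rules of the tables: a timed prefix [t_min, t_max] a; E, choice, and the preemption operator. Time progress slides intervals towards the present; an observable action whose interval has passed offers its violation a′ instead of itself; an internal action i becomes urgent at its upper bound and stops time from passing beyond it; and a violation does not decide a choice (property viii). Urgency of violation actions, hiding, parallel composition and sequential composition are left out. The process `number_composition` and the values tp = 5, ts = 4, tc = 10 are constructed for the illustration and are not the paper's own.

```python
# Added illustration (not the paper's RTL-Analyzer, not its SOS rules): a toy
# interpreter for RTL-style timed prefixes, choice and preemption.
from dataclasses import dataclass
from typing import Union

INF = float("inf")


@dataclass(frozen=True)
class Stop:
    """inaction"""


@dataclass(frozen=True)
class Prefix:
    """[tmin, tmax] action; cont  (action "i" is internal and urgent at tmax)"""
    tmin: float
    tmax: float
    action: str
    cont: "Term"


@dataclass(frozen=True)
class Choice:
    """E [] F"""
    left: "Term"
    right: "Term"


@dataclass(frozen=True)
class Disable:
    """E [> F: F may preempt E at any moment (a watchdog when F is an urgent i)"""
    left: "Term"
    right: "Term"


Term = Union[Stop, Prefix, Choice, Disable]


def violation(action: str) -> str:
    """Name of the temporal-violation action a' paired with an observable a."""
    return action + "'"


def max_delay(t: Term) -> float:
    """How far time may progress: bounded only by urgent internal actions."""
    if isinstance(t, Prefix):
        return t.tmax if t.action == "i" else INF
    if isinstance(t, (Choice, Disable)):
        return min(max_delay(t.left), max_delay(t.right))
    return INF


def advance(t: Term, d: float) -> Term:
    """Time progress by d: the interval of every offered prefix slides by d."""
    if d > max_delay(t):
        raise ValueError(f"cannot delay {d}: an internal action is urgent at {max_delay(t)}")
    if isinstance(t, Prefix):
        return Prefix(max(t.tmin - d, 0.0), t.tmax - d, t.action, t.cont)
    if isinstance(t, Choice):
        return Choice(advance(t.left, d), advance(t.right, d))
    if isinstance(t, Disable):
        return Disable(advance(t.left, d), advance(t.right, d))
    return t


def enabled(t: Term) -> set:
    """Actions offered now; an expired observable prefix offers its violation."""
    if isinstance(t, Prefix):
        if t.tmax < 0:                       # interval missed (only observables can expire)
            return {violation(t.action)}
        return {t.action} if t.tmin <= 0 else set()
    if isinstance(t, (Choice, Disable)):
        return enabled(t.left) | enabled(t.right)
    return set()


def perform(t: Term, act: str):
    """One action transition, or None if act is not offered."""
    if isinstance(t, Prefix):
        if act not in enabled(t):
            return None
        return t.cont if act == t.action else Stop()   # a violation aborts the prefix
    if isinstance(t, Choice):
        for side in ("left", "right"):
            nxt = perform(getattr(t, side), act)
            if nxt is not None:
                if act.endswith("'"):   # a temporal violation does not decide a choice
                    return Choice(nxt, t.right) if side == "left" else Choice(t.left, nxt)
                return nxt
        return None
    if isinstance(t, Disable):
        nxt = perform(t.left, act)
        if nxt is not None:
            return Disable(nxt, t.right)    # left progresses, the watchdog keeps running
        return perform(t.right, act)        # right side preempts left
    return None


def run(t: Term, script) -> Term:
    """Apply a script of ("delay", d) and ("do", action) items to a term."""
    for kind, arg in script:
        if kind == "delay":
            t = advance(t, arg)
        else:
            nxt = perform(t, arg)
            if nxt is None:
                raise ValueError(f"{arg} not offered; offered: {sorted(enabled(t))}")
            t = nxt
    return t


def number_composition(tp: float, ts: float, tc: float, digits: int = 4) -> Term:
    """Hypothetical model of the dialing constraints: first digit within tp, each
    following digit within ts of the previous one, and an urgent i at tc that
    preempts (aborts) the whole composition, as the UGN watchdog does."""
    body: Term = Prefix(0, INF, "int_comp", Stop())
    for k in reversed(range(digits)):
        body = Prefix(0, tp if k == 0 else ts, "number", body)
    watchdog = Prefix(tc, tc, "i", Stop())
    return Disable(body, watchdog)


if __name__ == "__main__":
    dial = number_composition(tp=5, ts=4, tc=10)      # constructed sample values
    ok = run(dial, [("delay", 3), ("do", "number"), ("delay", 2), ("do", "number"),
                    ("delay", 2), ("do", "number"), ("delay", 2), ("do", "number")])
    print(sorted(enabled(ok)))                          # ['int_comp']
    late = run(dial, [("delay", 6)])                    # first digit missed tp
    print(sorted(enabled(late)))                        # ["number'"]
    slow = run(dial, [("delay", 3), ("do", "number")] * 3 + [("delay", 1)])
    print(sorted(enabled(slow)))                        # ['i', 'number']: watchdog due
    print(enabled(perform(slow, "i")))                  # set(): dialing aborted
```

Three runs show the three behaviours the text describes: a well-paced dialer reaches `int_comp`; a dialer that waits longer than tp is offered only the violation `number'`; and a dialer whose digits are each on time but whose total reaches tc finds the urgent `i` enabled, after which time cannot pass and performing `i` aborts the composition.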
A Tool for Verification and Simulation of RTL Specifications

In order to analyze RTL specifications, our research group has developed a tool that provides a way to verify and validate time-dependent systems. This tool, called RTL-Analyzer, consists of two parts: an RTL simulator called RTLS, to provide simulation facilities, and a translator from RTL specifications into timed automata called TESTRA, to provide a way to perform verification of quantitative time properties established in the real-time temporal logic TCTL [ ]. The RTL-Analyzer was entirely developed in the C language, and its latest version has approximately [ ] of source code. The current version of the RTL-Analyzer is available at the URL http://www.inf.ufsc.br/murilo/RTLA.html. The general functional architecture of this tool is shown in figure [ ].

Fig. [ ]: General architecture of RTL-Analyzer (RTL specification → compilation → simulator, with user interaction, producing results and scenarios; → timed automaton, which together with a TCTL formula feeds the KRONOS model checker).
 The verication tool
 General aspects
The method used in this work consists of model checking 
 through which we
attempt to verify whether the behavior of the system model satises a set of
properties This approach called dual represents the behavior of the system
through a state description formalism and the properties are represented by
using formulas of a modal logic where a set of system states that satises a
formula is dened as a characteristic set of a formula
In 
 it was found out that while it is normal to use bissimulation tech
niques to verify properties of a specication written in process algebra in the
case of the RTL language the use of this formalism is not a good idea The
main reason is the addition into the transition system of a great number of
transitions corresponding to time progress In this way the state space grows
innitely making the use of bissimulation techniques unfeasible The use of
Timed Automata to represent the behavior of a RTL specication decreases
considerably the state space to be analyzed so that verication process re
mains viable using model checking techniques 
The model checking algorithm used in this work is based on the symbolic
approach 
 that consists of representing the characteristic set through the
predicates and evaluating the formula directly through timed automaton This
approach avoids the possibility of a combinatory explosion because it is not

de Camargo




Stage  Verication








Stage  Translation








Verication Tool KRONOS









RTL Specication
Timed Automaton
Results
Timed Automaton
TCTL Formula
Results

Fig  Verication Process Architecture
necessary to build another model for the timed automaton and it can be
applied on systems where the model has an innite behavior although it is
necessary an ecient decision procedure that allows comparing the predicates
Figure  illustrates the verication process The rst thing to be done in
the verication of a system is to generate the timed automaton The transla
tion of RTL specications into timed automata is obtained by the TESTRA
translator tool 
 implemented by our group The verication of system
properties is done by the KRONOS tool 
 KRONOS is a model checker
developed by Verimag Laboratory Grenoble France	 and implements the
algorithm described above The input elements of KRONOS are the timed
automaton that represents the system behavior and its properties described
through TCTL temporal logic formulas 
 The results are conditions that
the timed automaton satises the formulas
Characteristics of the TESTRA translator tool

First of all we need to define what a timed automaton is. According to [ ], a timed automaton is a representation of an automaton extended with a set of real variables called clocks, whose values increase uniformly as time progresses.

The formal definition of timed automata used to implement the translator tool is found in [ ], and this definition also corresponds to the formalism adopted in the implementation of KRONOS.

Definition [ ]. Let A be a vocabulary of actions and let a denote an element of A. Let also Ψ(C) be a set of temporal constraints over the set of clocks C. A timed automaton consists of the following components:

- S is a finite set of vertices, also called locations;
- C is a finite set of clocks;
- L is a finite set of arcs, also called transitions;
- S_I ∈ S is the initial vertex; and
- Φ : S → Ψ(C) is a function that associates to each vertex an activity condition;

and each arc has the following layout:

⟨s, a, ψ, C′, s′⟩

where s, s′ ∈ S are the input and output vertices respectively, a ∈ A is the name of the occurring action, ψ represents the clock conditions associated to the arc, and C′ is the set of clocks to be initialized.

Thus, starting at the initial location of the timed automaton, all the clocks are initialized, but any clock can also be initialized by an arc of the automaton (see the layout above). Therefore the value of each clock is equal to the elapsed time since its last initialization. There are constraints on the clocks related to the vertices and arcs of the automaton: the system will stay in a specific vertex only while the constraints associated with this vertex are satisfied by the clock values, and an arc will be fired only if the current clock values satisfy the condition related to this arc.
Mapping RTL specifications into timed automata

To construct a timed automaton that represents a specification written in RTL, we need to define how to construct it by analyzing each subexpression of the specification, which leads us to the definition of translation rules for each RTL operator. In [ ] a way to solve this problem was presented, making a translator implementation possible.

The identification of the clocks to be initialized by the arcs depends on a relation between the set of vertices and the set of clocks of the timed automaton. To help this identification we present a definition of an extension of timed automata [ ].

Definition [ ]. An Extended Timed Automaton is represented by the tuple ⟨S, C, L, S_I, Φ, F⟩, where ⟨S, C, L, S_I, Φ⟩ is a timed automaton and F ⊆ S × C is a set of extensions:

F(s) = {x ∈ C | (s, x) ∈ F}

Thus it will be possible to obtain the timed automaton of a process P, denoted by A_P, through the extended timed automaton denoted by Γ_P.
Fig. [ ]: Extended timed automaton for an internal action prefix (vertices so and S_I^P; clock t with bounds t_1 and t_2; arc labelled i from so to S_I^P, initializing the clocks F_P(S_I^P) and C).
For example, the prefix operator can be represented in two ways: [t_1, t_2] i; P and [t_1, t_2] a; P. The difference is in the type of action (internal action i or observable action a). In the case of an internal action the respective timed automaton would be as shown in figure [ ] and formally described as

Γ([t_1, t_2] i; P) = ⟨S′ = {so} ∪ S_P, C′ = {t} ∪ C_P, L′ = {e} ∪ L_P, so, Φ′, F′⟩

where

so ∉ S_P, t ∉ C_P,
e = ⟨so, i, t_1 ≤ t ≤ t_2, F_P(S_I^P) ∪ C, S_I^P⟩,
Φ′ = Φ_P ∪ {(so, t ≤ t_2)},
F′ = F_P ∪ {(so, t)},

and Γ_P = ⟨S_P, C_P, L_P, S_I^P, Φ_P, F_P⟩.

The expression F_P(S_I^P) ∪ C establishes the set of clocks to be initialized by the arc, which correspond to the clocks related to the initial vertex of process P. When the clock t reaches the value t_2 at vertex so, the action i will be performed in an urgent and uncontrollable way in case it has not occurred during the interval [t_1, t_2], remembering that i; P implies a prefix of type i; P = [0, 0] i; P and t i; P = [t, t] i; P.
The description of other RTL operators in terms of timed automata can be found in [ ].
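As an added illustration of the extended timed automaton definition and of the prefix mapping just described (this is not TESTRA's code; the names `Constraint`, `Arc`, `ExtendedTimedAutomaton`, `stop_automaton`, `internal_prefix` and `TimedRun` are assumptions made here), the Python below builds Γ([t_1, t_2] i; P) from Γ_P as the tuple above prescribes: a fresh location so with activity condition t ≤ t_2, a fresh clock t, an arc labelled i guarded by t_1 ≤ t ≤ t_2 whose reset set is F_P(S_I^P), and F extended with (so, t). It then executes the automaton on a timed word, checking the activity condition of the current location on every delay and an arc's guard on every firing, which is the behaviour described after the timed automaton definition. Only the F_P(S_I^P) part of the reset set is modelled, and the only constraint shape supported is a closed interval on one clock.

```python
# Added example (not TESTRA's code): an extended timed automaton, the mapping
# of the internal prefix [t1, t2] i; P, and a small executor that enforces
# activity conditions on delays and arc guards on firings.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

INF = float("inf")


@dataclass(frozen=True)
class Constraint:
    """lo <= clock <= hi, the only constraint shape this example needs."""
    clock: str
    lo: float = 0.0
    hi: float = INF

    def holds(self, clocks: Dict[str, float]) -> bool:
        return self.lo <= clocks[self.clock] <= self.hi


@dataclass(frozen=True)
class Arc:
    """<s, a, psi, C', s'>: source, action, guard, clocks reset, target."""
    src: str
    action: str
    guard: Optional[Constraint]
    resets: FrozenSet[str]
    dst: str


@dataclass
class ExtendedTimedAutomaton:
    S: Set[str]                    # locations
    C: Set[str]                    # clocks
    L: List[Arc]                   # arcs
    SI: str                        # initial location
    Phi: Dict[str, Constraint]     # activity condition per location (absent = always)
    F: Set[Tuple[str, str]]        # extension relation, a subset of S x C

    def F_of(self, s: str) -> Set[str]:
        """F(s) = {x in C | (s, x) in F}"""
        return {x for (loc, x) in self.F if loc == s}


def stop_automaton(loc: str = "s_stop") -> ExtendedTimedAutomaton:
    """Automaton for the process stop: one location, no clocks, no arcs."""
    return ExtendedTimedAutomaton(S={loc}, C=set(), L=[], SI=loc, Phi={}, F=set())


def internal_prefix(t1: float, t2: float, P: ExtendedTimedAutomaton,
                    loc: str = "s0", clock: str = "t") -> ExtendedTimedAutomaton:
    """Gamma([t1, t2] i; P) built from Gamma_P with a fresh location and clock.
    The new arc fires i while t1 <= clock <= t2 and resets F_P(S_I^P); the new
    location may be occupied only while clock <= t2, which makes i urgent at t2."""
    assert loc not in P.S and clock not in P.C, "location and clock must be fresh"
    e = Arc(loc, "i", Constraint(clock, t1, t2), frozenset(P.F_of(P.SI)), P.SI)
    return ExtendedTimedAutomaton(
        S={loc} | P.S, C={clock} | P.C, L=[e] + P.L, SI=loc,
        Phi={**P.Phi, loc: Constraint(clock, hi=t2)},
        F=P.F | {(loc, clock)})


class TimedRun:
    """Executes a timed word: a delay must keep the current activity condition,
    an action must match an arc whose guard holds; firing resets the arc's clocks."""

    def __init__(self, aut: ExtendedTimedAutomaton):
        self.aut, self.loc = aut, aut.SI
        self.clocks = {c: 0.0 for c in aut.C}     # all clocks start at 0 in S_I

    def delay(self, d: float) -> None:
        later = {c: v + d for c, v in self.clocks.items()}
        cond = self.aut.Phi.get(self.loc)
        # activity conditions here are upper bounds, so checking the end suffices
        if cond is not None and not cond.holds(later):
            raise ValueError(f"delay {d} leaves the activity condition of {self.loc}")
        self.clocks = later

    def fire(self, action: str) -> Arc:
        for arc in self.aut.L:
            if (arc.src == self.loc and arc.action == action
                    and (arc.guard is None or arc.guard.holds(self.clocks))):
                for c in arc.resets:
                    self.clocks[c] = 0.0
                self.loc = arc.dst
                return arc
        raise ValueError(f"no enabled arc for {action} at {self.loc} with {self.clocks}")


if __name__ == "__main__":
    # Constructed instance: [2, 5] i; ([1, 3] i; stop)
    P = internal_prefix(1, 3, stop_automaton(), loc="s1", clock="u")
    A = internal_prefix(2, 5, P)
    print(A.L[0])                     # the arc from s0 resets {'u'} = F_P(S_I^P)
    run = TimedRun(A)
    run.delay(4); run.fire("i")       # 2 <= t <= 5 holds; u restarts at 0
    run.delay(2); run.fire("i")       # 1 <= u <= 3 holds; s_stop reached
    print(run.loc, run.clocks)
```

Firing `i` too early (guard false) or delaying past t_2 in so (activity condition false) both raise, which is exactly the pair of checks the text attaches to arcs and vertices.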

The translation process is divided into three steps. Figure [ ] shows the translation stage in detail.

Step [ ]: Pre-compilation and generation of an intermediate formalism

This first step is divided into two phases.

Syntactic and lexical analysis. This is the first phase of the translator, which consists basically of the verification of the RTL specification according to the language grammar. To do this job we use an auxiliary tool called SYNTAX [ ] and the theory of Abstract Trees [ ] to construct the abstract tree of the specification. SYNTAX generates a skeleton of the semantic analysis program, which will be the basis for the next phase. This same approach is used for the simulation tool to be presented in the next section.
Fig. [ ]: Translation stage (Step [ ]: syntactic and semantic analysis of the RTL specification into an abstract tree, then extended Petri net generation; Step [ ]: clock assignment on the Petri net; Step [ ]: timed automaton generation and reduction of twin locations into the final timed automaton).
Extended Petri net generation Although direct implementation of the
translation rules of RTL specications into timed automata can be carried
out this approach does not agree with the compiler performance 
 For
this reason we build an extended Petri net followed by the timed automa
ton The compiler generates the Petri net through the abstract tree of the
specication which has only the essential information for construction
Step  Clock assignment
The clock assignment is done only for transitions which will be red at a
deterministic instant or in a nite interval The algorithm does an optimiza
tion on all the transitions that are red instantaneously because for these
transitions we associate only one general clock that will represent the same
behavior for the whole net
Step  Generation of the timed automaton
This step is also divided into two phases
Timed automaton generation After concluding Petri net generation and
clock assignment it remais for us to map the net into timed automaton
The algorithm that allows net simulation and generates timed automaton
is similar to the algorithm presented in 
 This algorithm starts the gen
eration from the initial marks of the net M
I
	 and records all the accessible

de Camargo
marks from M
I
 and it nishes only when the set of marks to be visited are
empty
For each mark all the transitions that are made sensitive by this mark
are identied generating the arcs that start from the vertex related to
this mark The new marks generated by the transitions are also analyzed
and whether or not these marks have already been visited is veried The
conditions related to the vertices can be obtained through the transitions
red by the analyzed mark with the clocks and ranges associated with each
transition being observed Finally the clocks that will be initialized by each
arc are obtained through the end marks generated by the transitions red
from the related mark analyzing all the transitions that are sensitive to
these marks
Timed automaton reduction This phase has the aim of eliminating twin
vertices generated by the algorithm described above It occurs because the
algorithm identies in some cases distinct states with the same character
istics arcs and activity conditions	 Two states will be considered similar
however only if their relation to the set of clocks is the same
Thus the results generated by the TESTRA tool are the timed automa
ton that represents the RTL specication the corresponding Petri net and
error reports that can be treated automatically by the compiler depending
on the level of error
 A Verication Example
For a verication example again we take up the telephone central control
system presented in section  This example was also veried in 
 but
using a translator of ATP specications 
 The properties that will be
veried are given by the ve formulas described below and we will compare
the verication results with what is presented in 

connect 
t
m
free	
free comm 
t
c
t
r
t
m
free		
comm 
t
p
number  free		
comm 
t
c
number  free		
ring  
t
r
connect  free		
It is not our intention in this paper to describe the TCTL temporal logic; the reader can find further information in [ ]. Each formula uses a few operators to describe its property. For example, formula (1) uses two operators: an implication, and a bounded "always" operator indexed by t_m, which states that the formula free holds invariantly, for all executions of the system, under the time bound t_m. The formulas connect and free each denote a state or a set of states, called a state region.
Thus formula  establishes connection time property	 that the user must
nish the conversation in up to tm seconds otherwise the telephonic system

de Camargo
will end the connection becoming idle again Formula  says using time
property	 that after a communication demand the telephonic system will be
free for no more than after tc  tr  tm seconds Formulas  and  establish
number composition time property	 that the rst digit must be pressed until
tp seconds and the complete number must be pressed until tc seconds other
wise the telephonic system will end the number composition and become idle
again Formula  says call time property	 that if the number called does not
respond until tr seconds after it starts ringing then the telephonic system will
end this demand and become idle again
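What such a time-bounded property asks operationally, as an added example that is neither KRONOS nor the paper's RTL model: a discrete-time, explicit-state check of "p implies that every run reaches q within t time units" on a constructed timed automaton. The locations, the single clock c, the deadlines and the constants T_C, T_R, T_M are assumptions for the illustration. Unlike the symbolic algorithm of KRONOS, the checker enumerates integer clock values saturated at the largest constant plus one; zero-time cycles and time deadlocks are reported as failures, since a run stuck in them never reaches q.

```python
"""Discrete-time check of a bounded response property 'p => every run reaches q
within t time units' on a small timed automaton.  Added illustration of what a
TCTL property such as formula (1) asks; it is not the KRONOS algorithm, and the
telephone fragment is a constructed toy, not the paper's RTL model."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

Valuation = Tuple[Tuple[str, int], ...]   # (clock, value) pairs
State = Tuple[str, Valuation]             # (location, valuation)


@dataclass(frozen=True)
class Edge:
    src: str
    action: str
    clock: str      # clock constrained by the guard lo <= clock <= hi; reset on firing
    lo: int
    hi: int
    dst: str


@dataclass
class TimedAutomaton:
    clocks: List[str]
    invariant: Dict[str, Tuple[str, int]]   # location -> (clock, upper bound)
    edges: List[Edge]
    labels: Dict[str, FrozenSet[str]]       # location -> atomic propositions
    ceiling: int                            # clocks saturate here (max constant + 1)

    def initial(self, loc: str) -> State:
        return (loc, tuple((c, 0) for c in self.clocks))

    def delay(self, s: State) -> Optional[State]:
        """Let one time unit pass, unless the location invariant forbids it."""
        loc, val = s
        new = tuple((c, min(v + 1, self.ceiling)) for c, v in val)
        inv = self.invariant.get(loc)
        if inv is not None and dict(new)[inv[0]] > inv[1]:
            return None
        return (loc, new)

    def step(self, s: State) -> List[Tuple[str, State]]:
        """Discrete successors: every edge whose guard holds now."""
        loc, val = s
        v = dict(val)
        out = []
        for e in self.edges:
            if e.src == loc and e.lo <= v[e.clock] <= e.hi:
                new = tuple((c, 0 if c == e.clock else x) for c, x in val)
                out.append((e.action, (e.dst, new)))
        return out

    def reachable(self, init: State):
        seen, stack = {init}, [init]
        while stack:
            s = stack.pop()
            succ = [t for _, t in self.step(s)]
            d = self.delay(s)
            if d is not None:
                succ.append(d)
            for t in succ:
                if t not in seen:
                    seen.add(t)
                    stack.append(t)
        return seen


def holds_within(ta, s, q, bound, memo=None):
    """Every run from s reaches a location labelled with a proposition of q
    within `bound` time units.  Zero-time cycles and time deadlocks count as
    failures: a run that stays in them never reaches q."""
    memo = {} if memo is None else memo
    key = (s, bound)
    if key in memo:
        return memo[key]          # False while in progress: a zero-time cycle
    if ta.labels[s[0]] & q:
        return True
    memo[key] = False
    succ = [(t, bound) for _, t in ta.step(s)]     # actions take no time
    d = ta.delay(s)
    if d is not None:
        if bound == 0:            # a run may still wait: the budget is exceeded
            return False
        succ.append((d, bound - 1))
    ok = bool(succ) and all(holds_within(ta, t, q, b, memo) for t, b in succ)
    memo[key] = ok
    return ok


def check_response(ta, init, p, q, bound):
    """States violating 'p => within bound, q' among those reachable from init."""
    return sorted(s for s in ta.reachable(init)
                  if ta.labels[s[0]] & p and not holds_within(ta, s, q, bound))


# Constructed telephone fragment (assumed constants, one clock c reset on every
# edge): dialling must finish within T_C, the called party answer within T_R,
# and the conversation end within T_M; each deadline has a forced exit to idle.
T_C, T_R, T_M = 10, 8, 6
PHONE = TimedAutomaton(
    clocks=["c"],
    invariant={"dialing": ("c", T_C), "ringing": ("c", T_R), "connected": ("c", T_M)},
    edges=[
        Edge("idle", "offhook", "c", 0, 10**9, "dialing"),
        Edge("dialing", "number", "c", 0, T_C, "ringing"),
        Edge("dialing", "tc_violation", "c", T_C, T_C, "idle"),
        Edge("ringing", "answer", "c", 0, T_R, "connected"),
        Edge("ringing", "no_answer", "c", T_R, T_R, "idle"),
        Edge("connected", "onhook", "c", 0, T_M, "idle"),
        Edge("connected", "tm_violation", "c", T_M, T_M, "idle"),
    ],
    labels={"idle": frozenset({"free"}), "dialing": frozenset(),
            "ringing": frozenset({"ring"}), "connected": frozenset({"connect"})},
    ceiling=max(T_C, T_R, T_M) + 1,
)


def connection_time_property(bound=T_M):
    """Formula (1) in this toy: connect => within `bound`, free."""
    return check_response(PHONE, PHONE.initial("idle"), {"connect"}, {"free"}, bound)
```

In the toy, the connection time property holds with bound T_M and fails with T_M - 1, the witness being the run that simply waits in connected until the forced tm_violation edge fires; the call time property of formula (5) is checked the same way with the target set {connect, free}.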
Results
The timed automaton generated by the TESTRA tool has [ ] vertices, [ ] arcs and [ ] clocks. The verification results are presented in Table [ ]. They were computed on a Sun SPARCstation with [ ] Mbyte of memory running the SunOS operating system. The values used are t_m = [ ], t_c = [ ], t_p = [ ], t_s = [ ], t_r = [ ] and t_n = [ ] seconds.

Table [ ]: Verification results of the telephone system (KRONOS)
  Formula       (1)   (2)   (3)   (4)   (5)
  Iterations    [ ]   [ ]   [ ]   [ ]   [ ]
  Time (sec)    [ ]   [ ]   [ ]   [ ]   [ ]

The results returned by KRONOS indicate that the characteristic set of each formula above equals the set of vertices of the timed automaton; in other words, the specification of the telephone system satisfies all the properties.
In [ ] the timed automaton has [ ] vertices, [ ] arcs and [ ] clocks. The verification results show some differences in the performance figures: the numbers of iterations needed to obtain the characteristic sets of formulas [ ] and [ ] were [ ] and [ ] there, while ours were [ ] and [ ]. We attribute this to the difference in the size of the timed automata, since size affects the performance of KRONOS. The larger timed automaton generated in [ ] stems from the representation of timed actions: Yovine used mechanisms such as timeout and watchdog in place of this representation, and these mechanisms are complex compared with the representation of a timed action.
On the other hand, the timed automaton generated in [ ] has only [ ] clocks, while ours has [ ] clocks. The reason is that in [ ] a better optimization of the number of clocks was made, identifying the clocks shared by the representations of some ATP operators.
 The simulation tool
 Characteristics of the simulation tool
The simulation tool allows the behaviour of a specification to be evaluated by following its evolution. It offers two functionalities for the validation of RTL specifications: interactive and automatic simulation.
Interactive simulation: in each state of the specification the user chooses what to execute among the classic actions, the temporal violations and the passage of time. Each executed action leads to a new state. The tool makes it possible to mark specification states, so that the user can later return to a marked state and explore other simulation traces. It also shows the current state of the specification, in RTL syntax, as well as the trace of actions that led to it. Interactive simulation is important for cleaning design errors out of a specification, since it lets the user follow the evolution of the specification systematically.
Automatic simulation generates execution traces of the specification under different parameters. These parameters define the moments at which actions happen, whether or not temporal violations occur, the length of the execution traces to be generated and the type of trace to be shown. The evolution of the specification can thus be analyzed under several conditions. Automatic simulation also generates the execution tree of a specification, so that all possible executions are shown up to a given depth. Depending on the specification, we can therefore obtain a representation of all its possible behaviours over certain time intervals.
In order to simulate an RTL specification, the simulator translates it into an internal representation. Whenever an action occurs or time progresses, that internal representation is updated to express the new state of the specification. These transformations are implemented in the simulator's kernel, while the interactive and automatic functionalities are implemented in independent modules. Figure [ ] shows the architecture of the simulator.
In interactive simulation the tool offers all the options described above, through a menu such as the following:
    Exit
    Actions
    Undo
    Print Current State
    Print Specification
    Print Trace
    Mark Current State
    Go to State

[Figure: RTL simulator architecture. An RTL specification passes through syntactic and semantic analysis into the internal representation of the specification, on which the functions of the simulation kernel operate. The interactive module gets simulation instructions from the user and sends evolution instructions to the kernel; the automatic module gets the options for automatic simulation, runs the algorithms for automatic simulation through the kernel and produces traces and the execution tree.]
Option:
To perform an action of the specification, the user chooses it from the list of all actions possible in the current state, or chooses a time progress action. An example of this kind of action menu is:
    Current time: [ ]
      number
      onhook
      Time
    Option ([ ] to exit):
In this example the user can perform the action number or the action onhook. Time progress is also possible; here time can progress by up to [ ] time units. After [ ] time units from the above state, if neither number nor onhook has occurred, the temporal violation associated with the action number takes place.
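A kernel offering exactly these options, as an added example that is not the RTL-Analyzer simulator: the specification format (states offering actions with a deadline relative to entering the state and a violation target), the telephone fragment and its deadlines are assumptions for the illustration. The menu of a state lists the classic actions, the temporal violations that are due and how far time may progress before the first deadline, as in the action menu above; the simulator keeps the trace for Undo and named marks for Mark/Go to State; and execution_tree enumerates every execution up to a given depth, taking time progress in one jump to the next deadline, since nothing can change before it.

```python
"""A small simulation kernel for timed behaviour: classic actions, temporal
violations and time passage, with undo, state marking and bounded execution
trees.  Added illustration, not the RTL-Analyzer simulator; the specification
format and the telephone fragment below are assumptions for the example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Offer:
    action: str
    deadline: Optional[int]             # units after entering the state; None: none
    target: str                         # state reached when the action occurs
    on_violation: Optional[str] = None  # state reached when the deadline expires


@dataclass(frozen=True)
class State:
    location: str
    elapsed: int   # time spent in the location
    clock: int     # global simulation time


Choice = Tuple[str, object]   # ("action", name) | ("violation", name) | ("time", n)

# Constructed telephone fragment flattened to states and their offers.
SPEC: Dict[str, List[Offer]] = {
    "idle": [Offer("offhook", None, "dialing")],
    "dialing": [Offer("number", 10, "ringing", on_violation="idle"),
                Offer("onhook", None, "idle")],
    "ringing": [Offer("answer", 8, "connected", on_violation="idle"),
                Offer("onhook", None, "idle")],
    "connected": [Offer("onhook", 6, "idle", on_violation="idle")],
}


def offers(spec, s):
    """Menu of a state: classic actions, temporal violations that are due, and
    how far time may progress before the first deadline (None: no deadline)."""
    actions, violations, slack = [], [], None
    for o in spec[s.location]:
        if o.deadline is None or s.elapsed <= o.deadline:
            actions.append(o.action)
        if o.deadline is not None:
            remaining = o.deadline - s.elapsed
            if remaining == 0 and o.on_violation is not None:
                violations.append(o.action)
            slack = remaining if slack is None else min(slack, remaining)
    return actions, violations, slack


def apply(spec, s, choice):
    """State reached by a choice; rejects choices the menu does not offer."""
    kind, arg = choice
    actions, violations, slack = offers(spec, s)
    by_name = {o.action: o for o in spec[s.location]}
    if kind == "action" and arg in actions:
        return State(by_name[arg].target, 0, s.clock)
    if kind == "violation" and arg in violations:
        return State(by_name[arg].on_violation, 0, s.clock)
    if kind == "time" and isinstance(arg, int) and arg > 0 and (slack is None or arg <= slack):
        return State(s.location, s.elapsed + arg, s.clock + arg)
    raise ValueError(f"{choice} is not possible in {s}")


def successors(spec, s):
    """All choices of a state; time progress jumps to the next deadline, since
    nothing can change before it."""
    actions, violations, slack = offers(spec, s)
    choices = [("action", a) for a in actions] + [("violation", v) for v in violations]
    if slack:
        choices.append(("time", slack))
    return [(c, apply(spec, s, c)) for c in choices]


def execution_tree(spec, s, depth):
    """Nested dict {choice: (state, subtree)} of every execution up to depth."""
    if depth == 0:
        return {}
    return {c: (t, execution_tree(spec, t, depth - 1)) for c, t in successors(spec, s)}


class Simulator:
    """Interactive front end: trace for undo, named marks to return to."""

    def __init__(self, spec, start):
        self.spec, self.state = spec, State(start, 0, 0)
        self.trace: List[Tuple[Choice, State]] = []   # (choice, state it was taken in)
        self.marks: Dict[str, Tuple[State, list]] = {}

    def menu(self):
        return offers(self.spec, self.state)

    def do(self, choice):
        new = apply(self.spec, self.state, choice)
        self.trace.append((choice, self.state))
        self.state = new
        return new

    def undo(self):
        _, self.state = self.trace.pop()
        return self.state

    def mark(self, name):
        self.marks[name] = (self.state, list(self.trace))

    def goto(self, name):
        self.state, trace = self.marks[name]
        self.trace = list(trace)
        return self.state
```

From the dialing state the menu is (number, onhook, 10): both actions and up to 10 units of time progress. After those 10 units the menu becomes (number, onhook, 0) with the violation of number due, and a time request beyond the slack is rejected rather than silently passing the deadline.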
Related Work
To have good parameters for comparison, we divide the related work into two levels: the timed process algebra level and the tool development level.
With respect to the timed process algebra level, it is important to emphasize that over the last decade there has been tremendous interest in the development of timed process algebras for time-dependent systems. Many timed process algebras have appeared and real-time semantics has advanced significantly. In [ ] there is an excellent survey of the timed process algebras existing up to that year. Many proposals evolved and converged towards very close models; some are more complex and more expressive (e.g. E-LOTOS [ ]) and others simpler and less expressive (e.g. ATP [ ]). Our RTL language can be seen as a midpoint between these two. A more recent analysis of timed process algebras can be found in [ ].
With respect to work related to the RTL-Analyzer tool, we separate the discussion into the simulation facility and the verification facility.
Simulation. Among the existing simulation tools for time-dependent systems we can cite the one presented in [ ], based on the LOTOS timed extension called TE-LOTOS (Time Extended LOTOS) presented in [ ]. This tool, called TE-LOLA, extends the simulation tool LOLA [ ]; its main functionalities are expansion, parameterized expansion, interleaved expansion, timed testing and timed simulation/debugging.
Another tool is the one presented in [ ], based on the LOTOS timed extension called RT-LOTOS. This tool simulates specifications but does not compare the states reached with earlier ones. To follow the specification, the tool generates a list of all actions with their occurrence times; it also allows following the actions at individual gates, with their occurrence times and possible data, and it plots functions defined over variables and specification actions against occurrence time.
Verication The verication of systems using timed automata has been
presented in several existing works in the literature 
 In 
 a transla
tor of ATP specications 
 into timed automata was developed neverthe
less the ATP language has strong constraints with respect to the representa
tion of an action occurring in a time interval and with respect to the handling
of temporal exceptions In 
 a proposal to mapping another LOTOS timed
extension called ETLOTOS for timed automaton is presented however no
automatic translating was developed or implemented Our work showed that
the methodology for generating the timed automata from RTL specications
presented in this paper is superior to the one presented in 
 because the
number of vertices of the timed automata could be reduced through RTLs

de Camargo
timed actions representation
It is important to emphasize that there are other tools with functionalities
close to those presented here for other timed process algebras However our
approach is in a context that extends from the full development of a new timed
process algebra with good properties to the development of verication and
simulation tools based on RTL
Conclusion
In this paper we have presented an approach to the specification, verification and validation of time-dependent systems. The approach consists in using a highly expressive formal specification language to describe the system behaviour, together with a model checking method for a real-time temporal logic of high expressive and analytical power. We used a timed extension of the LOTOS language called RTL, whose syntax and semantics were briefly presented. We also presented the RTL-Analyzer tool, which makes it possible to verify and simulate RTL specifications.
With the RTL-Analyzer tool it is possible to carry out automatic and interactive simulation, which allows it to be used to obtain simulation scenarios and to validate RTL specifications.
For property verification we used the following approach: from an RTL system specification the RTL-Analyzer generates a timed automaton, on which properties can be verified by a symbolic model checking method. The verification of properties on the timed automaton was performed with the tool KRONOS [ ], which implements a symbolic model checking algorithm [ ]. The properties to be verified were written as formulas of the real-time temporal logic TCTL [ ].
As a case study we presented the telephone central example, specified in RTL, and verified some of its important properties.
As a continuation of this work we point towards the integration of our tool with other verification tools based on models close to timed automata, e.g. HyTech [ ], so that RTL specifications can also be analyzed with those tools. We are also broadening the use of our approach by adding to our tool the possibility of using a subset of the newest ISO E-LOTOS language [ ] as specification language.
References
[ ] Alur, R., C. Courcoubetis and D. Dill, Model checking for real-time systems, in: Proceedings of the [ ]th IEEE Symposium on Logic in Computer Science.
[ ] Alur, R. and D. Dill, The theory of timed automata, in: Proceedings of the REX Workshop, Lecture Notes in Computer Science.
[ ] Alur, R. and T. A. Henzinger, Logics and models for real time: a survey, in: Proceedings of the REX Workshop, Lecture Notes in Computer Science.
[ ] Boullier, P. and P. Deschamp, Le Système SYNTAX: Manuel d'Utilisation et de Mise en Oeuvre sous UNIX [The SYNTAX system: user and installation manual under UNIX], Project Langages et Traducteurs, INRIA, September.
[ ] Boullier, P. and P. Deschamp, SYNTAX: User Commands and C Library Functions, Project Langages et Traducteurs, INRIA, June.
[ ] de Camargo, M. S., Enhancing the LOTOS Language for Specification of Time-Dependent Systems, PhD Thesis, LCMI/UFSC, Florianópolis, Brazil, January.
[ ] de Camargo, M. S. and J.-M. Farines, An approach for the specification and verification of time-dependent systems, in: IX SBES, Brazilian Symposium on Software Engineering, Recife, Brazil.
[ ] Courtiat, J.-P. and R. D. Oliveira, On RT-LOTOS and its application to the formal design of multimedia protocols, Annals of Telecommunications.
[ ] Daws, C., A. Olivero, S. Tripakis and S. Yovine, The tool KRONOS, in: DIMACS Workshop on Verification and Control of Hybrid Systems, October, Lecture Notes in Computer Science.
[ ] Daws, C., A. Olivero and S. Yovine, Verifying ET-LOTOS programs with KRONOS, in: Proceedings of FORTE, Berne, Switzerland, October.
[ ] Henzinger, T. A. and P. H. Ho, HyTech: The Cornell HYbrid TECHnology Tool, in: Hybrid Systems II, Lecture Notes in Computer Science, Springer-Verlag.
[ ] Henzinger, T. A., X. Nicollin, J. Sifakis and S. Yovine, Symbolic model-checking for real-time systems, in: Proceedings of the [ ]th LICS, IEEE Computer Society Press.
[ ] Hoare, C. A. R., Communicating Sequential Processes, Prentice Hall International.
[ ] Information Processing Systems, Open Systems Interconnection, LOTOS: A formal description technique based on the temporal ordering of observational behaviour, IS [ ], ISO.
[ ] Final Committee Draft on Enhancements to LOTOS, ISO/IEC JTC/SC/WG, Project WI [ ], September, Juan Quemada (Ed.).
[ ] Larsen, K. G. and Wang Yi, Time-abstracted bisimulation: implicit specification and decidability, Information and Computation, Academic Press.
[ ] Leduc, G., L. Léonard et al., Belgian-Spanish proposal for a time extended LOTOS, in: J. Quemada (editor), Working Draft on Enhancements to LOTOS, ISO/IEC JTC/SC/WG, October.
[ ] Martins, R. F., M. S. de Camargo and J.-M. Farines, A tool for aid in the process of verification of RTLOTOS specifications, in: X SBES, Brazilian Symposium on Software Engineering, São Carlos, Brazil, October.
[ ] Meyer, B., Introduction to the Theory of Programming Languages, International Series in Computer Science, Prentice Hall.
[ ] Milner, R., Communication and Concurrency, Prentice Hall, London.
[ ] Nicollin, X., ATP: une algèbre pour la spécification et l'analyse des systèmes temps réel [ATP: an algebra for the specification and analysis of real-time systems], Thèse, Institut National Polytechnique de Grenoble, France, May.
[ ] Nicollin, X. and J. Sifakis, An overview and synthesis on timed process algebras, in: Proceedings of the REX Workshop, Lecture Notes in Computer Science.
[ ] Nicollin, X., J. Sifakis and S. Yovine, Compiling real-time specifications into extended automata, IEEE TSE, Special Issue on Real-Time Systems, September.
[ ] Olivero, A. and S. Yovine, KRONOS: A Tool for Verifying Real-Time Systems. User's Guide and Reference Manual, Montbonnot Saint-Martin, France, August.
[ ] Plotkin, G. D., A structural approach to operational semantics, Report DAIMI FN-[ ], Computer Science Department, Aarhus University, Denmark.
[ ] Pavón, G., D. Larrabeiti and G. Rabay, LOTOS Laboratory, User Manual, version R LOLA N V, Departamento de Ingeniería Telemática, Universidad Politécnica de Madrid, Madrid, Spain.
[ ] Rabay Filho, G., State exploration in TE-LOTOS with time extended LOLA, COST [ ]th Management Committee Meeting, Madrid, Spain, February.
[ ] Yovine, S., Méthodes et Outils pour la Vérification Symbolique de Systèmes Temporisés [Methods and Tools for the Symbolic Verification of Timed Systems], Thèse de Docteur de l'Institut National Polytechnique de Grenoble, Grenoble, France, May.