Expressivity of Timed Automata Models by Gebremichael-Tesfagiorgis, B.
PDF hosted at the Radboud Repository of the Radboud University Nijmegen
This full text is a publisher's version.
For additional information about this publication click this link.
http://hdl.handle.net/2066/29872
Please be advised that this information was generated on 2014-11-20 and may be subject to change.
Expressivity
of Timed Automata Models
A scientific essay in Natural Science,
Mathematics and Computer Science
Doctoral thesis
to obtain the degree of doctor
from the Radboud University Nijmegen
on the authority of the Rector, Prof. dr. C.W.P.M. Blom,
according to the decision of the Council of Deans
to be defended in public on Monday, 11 December 2006
at 10.30 a.m. precisely
by
Biniam Gebremichael Tesfagiorgis
born in Asmara, Eritrea
on 23 August 1971
Supervisor:
Prof. Frits W. Vaandrager
Doctoral Thesis Committee:
Dr. Howard Bowman, University of Kent at Canterbury, UK
Prof. Herman Geuvers
Prof. Holger Hermanns, Saarland University, Germany
Prof. Bart Jacobs
Prof. Kim G. Larsen, Aalborg University, Denmark
Expressivity
of Timed Automata Models
A scientific essay in the field
of the Natural Sciences, Mathematics and Computer Science
Doctoral thesis
to obtain the degree of doctor
from the Radboud University Nijmegen
on the authority of the Rector Magnificus
prof. dr. C.W.P.M. Blom
according to the decision of the Council of Deans
to be defended in public on Monday, 11 December 2006
at 10.30 a.m. precisely
by
Biniam Gebremichael Tesfagiorgis
born on 23 August 1971
in Asmara, Eritrea
Supervisor:
Prof. dr. Frits W. Vaandrager
Manuscript Committee:
Dr. Howard Bowman, University of Kent at Canterbury, UK
Prof. dr. Herman Geuvers
Prof. dr. Holger Hermanns, Saarland University, Germany
Prof. dr. Bart Jacobs
Prof. dr. Kim G. Larsen, Aalborg University, Denmark
to my family
Copyright © 2006 Biniam Gebremichael, Nijmegen, The Netherlands
ISBN-10: 90-9021124-1
ISBN-13: 978-90-9021124-4
IPA Dissertation Series 2006-18
Typeset with LaTeX 2ε
Printed by PrintPartners Ipskamp, Enschede
The work in this thesis has been carried out under the auspices of the research school IPA (Institute for Programming research and Algorithmics). It was supported by the European Community Project IST-2001-35304 AMETIST, and by NWO PROGRESS project HaaST.
Contents
1 Introduction 1
1.1 Formal Methods . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Real-Time Systems . . . . . . . . . . . . . . . . . . . . . . . . 2
1.3 Timed Automata . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.4 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.5 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2 Bisimulation Relation for Timed Automata with Deadlines 13
2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.2 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2.3 Towards a Congruence Relation . . . . . . . . . . . . . . . . . 21
2.4 Symbolic Characterization of ∇-bisimulation . . . . . . . . . 24
2.5 The Coarsest Congruence Included in ∼ . . . . . . . . . . . . 31
2.6 Concluding Remarks . . . . . . . . . . . . . . . . . . . . . . . 40
3 Axiomatization of Timed Automata with Deadlines 45
3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
3.2 Algebra for Timed Automata with Deadlines . . . . . . . . . 46
3.3 The Proof System . . . . . . . . . . . . . . . . . . . . . . . . . 50
3.4 Properties of the Proof System . . . . . . . . . . . . . . . . . . 52
3.5 Soundness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
3.6 Completeness . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
3.7 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
4 Specifying Urgency in TIOA 75
4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
4.2 Timed (I/O) Automata with Urgency . . . . . . . . . . . . . 78
4.3 Expressivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
4.4 Proving Invariant Properties . . . . . . . . . . . . . . . . . . . 91
4.5 Concluding Remarks . . . . . . . . . . . . . . . . . . . . . . . 94
5 Car Periphery Supervision System 97
5.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
5.2 Car Periphery Supervision System . . . . . . . . . . . . . . . 99
5.3 Formal Modeling . . . . . . . . . . . . . . . . . . . . . . . . . 100
5.4 Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
5.5 Conclusion and Future Work . . . . . . . . . . . . . . . . . . 107
6 Smart Card Personalization System 109
6.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
6.2 Smart Card Personalization System . . . . . . . . . . . . . . . 112
6.3 The Super Single Mode . . . . . . . . . . . . . . . . . . . . . . 116
6.4 Error Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . 117
6.5 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
7 Analysis of the Zeroconf Protocol Using UPPAAL 125
7.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
7.2 The Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
7.3 Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
7.4 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Bibliography 145
Samenvatting (Dutch summary) 159
Figures and Tables
List of Figures
1.1 Computers, models and real world (from [Smi85]) . . . . . . 2
2.1 TAD and compositionality . . . . . . . . . . . . . . . . . . . . 15
2.2 (Counter)examples for congruence . . . . . . . . . . . . . . . 22
2.3 T9 ∼x=y T10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
2.4 T11 ∼∇ T12, T13 ∼∇ T14, and T15 ∼∇ T16 . . . . . . . . . . . . 42
3.1 Definitions of deadline (dl) and set of initial actions (I) . . . . 48
3.2 Transitional Semantics of A . . . . . . . . . . . . . . . . . . . 49
3.3 Symbolic semantics of A . . . . . . . . . . . . . . . . . . . . . 49
3.4 TAD for ssh login procedure . . . . . . . . . . . . . . . . . . 50
3.5 The equational axioms . . . . . . . . . . . . . . . . . . . . . . 51
3.6 The inference rules . . . . . . . . . . . . . . . . . . . . . . . . 52
4.1 A simple model of a train. . . . . . . . . . . . . . . . . . . . . 82
4.2 Time-bounded channel. . . . . . . . . . . . . . . . . . . . . . 83
4.3 A counterexample to axiom T5. . . . . . . . . . . . . . . . . . 84
4.4 The train model defined using a stopping condition. . . . . . 88
4.5 A time deadlock. . . . . . . . . . . . . . . . . . . . . . . . . . 88
4.6 The train model defined with an invariant. . . . . . . . . . . 89
4.7 Specification of a strict upper bound on timing with an invariant. . . . . 90
4.8 Specification of a strict upper bound on timing with urgency. 90
5.1 The CPS system and its environment . . . . . . . . . . . . . . 99
5.2 Decomposition of CPS in timed automata. . . . . . . . . . . . 100
5.3 CPS environment template . . . . . . . . . . . . . . . . . . . . 102
5.4 Sensor Template . . . . . . . . . . . . . . . . . . . . . . . . . . 103
5.5 Sensor Fusion . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
5.6 Environment Description (ED) . . . . . . . . . . . . . . . . . 105
5.7 Modified Environment Description . . . . . . . . . . . . . . . 107
6.1 Simplified smart card personalization machine. . . . . . . . . 113
6.2 The model of the smart card personalization machine. . . . . 113
6.3 Stabilization of the smart card personalization system. . . . . 118
6.4 Expanded model of the smart card personalization machine. 119
7.1 Interaction between Network automaton and hosts. . . . . . 130
7.2 Automaton Config. . . . . . . . . . . . . . . . . . . . . . . . . 131
7.3 Automaton InputHandler[j]. . . . . . . . . . . . . . . . . . 135
7.4 Function ihandler. . . . . . . . . . . . . . . . . . . . . . . . . 136
7.5 The Network automaton. . . . . . . . . . . . . . . . . . . . . . 139
List of Tables
5.1 CPS regions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
6.1 System parameters and encoding of values. . . . . . . . . . . 114
6.2 The super single mode for 4 personalization stations. . . . . 117
6.3 The super single mode for 8 personalization stations with error. Only card values in station is shown . . . . . 120
6.4 Safety requirements for belt operations. . . . . . . . . . . . . 121
6.5 Defective card treatment for error type 2. . . . . . . . . . . . 122
Preface
I am grateful to many people who made my PhD studentship a relaxed and successful experience. My supervisor Frits Vaandrager is at the heart of this successful experience. I was the lucky beneficiary of Frits’ great knowledge in the area of formal methods and real-time systems. He was my co-author on four papers and proof-reader on the rest of the papers. His intelligent and quite to-the-point comments on my draft papers have improved the quality of the papers to a great extent. I would also like to thank my reading committee: Kim G. Larsen, Holger Hermanns, Howard Bowman, Bart Jacobs and Herman Geuvers for their effort and valuable comments that improved the quality of the thesis.
My research was funded by the EU project AMETIST. The quarterly meetings of AMETIST were the source of my professional experience and a tour of nice places in Europe. I have learned a lot from the AMETIST members; my co-authors Pedro D’Argenio, Tomas Krilavičius and Yaroslav S. Usenko are a few of those whose inspiration was very rewarding. My life in Nijmegen was made easy by continuous help from Mirèse Willems, Maria van Kuppeveld, Hennie Claassen, Dé Reinders and the rest of the ITA and SOS group members. Thank you!
My parents, brothers and sisters have supported me throughout the years and they helped me out in so many different ways. Special thanks to my best friends: Mewael, Yonas, John, Biniam Kahsu, Emma, Biniam Iyob, Tamrat, Kidane, Ruud Leenders . . . who have always been there for me when I needed them.
I would like to reserve my final words of acknowledgment for my wife Milen and my son Eben. Without their love, support and understanding this thesis would not have happened.
Nijmegen 2006
Chapter 1
Introduction
We are all familiar with and aware of the desktop computers and laptops around us. What we are less aware of are the invisible computers embedded inside vehicles, health equipment, household devices, and many other things. We interact with them continuously in our daily life, and despite their invisibility they are far more numerous than desktop computers.
On the one hand, the existence of these embedded computer systems (embedded systems for short) has greatly improved our living standards. Education, health services, agriculture, . . . are now more efficient and safer than they used to be. On the other hand, malfunctioning of these computers has consequences ranging from simply annoying behavior to multi-million euro losses or even death. The destructive failures witnessed in Mars Pathfinder [Jon97], Ariane 5 [J.L96] and the “Friendly Fire” death accident in Afghanistan [Loe02] are some examples triggered by an error inside an embedded system. The challenge facing today’s industries is thus how to ensure the safety and correctness of embedded systems under all possible scenarios within the environment in which they are required to work.
The future seems even more challenging than the present. Nowadays, embedded systems are more or less stand-alone systems. For instance, electronic services inside a car, such as airbag control, parking assistance, temperature control, belt tensioner and cruise control, have dedicated computing resources, and they operate separately. But just as desktops were once stand-alone and are now fully networked, embedded systems will soon be integrated. As a matter of fact, the integration has already started. This will certainly lead to more complex systems, and consequently the cost of malfunctioning will be unbearable.
1.1 Formal Methods
Formal methods is the applied mathematics of computer system engineering. It is an approach used to formally (mathematically) specify systems in such a way that relevant properties of the system can be analyzed symbolically prior to production or afterwards.
[Figure 1.1: Computers, models and real world (from [Smi85]). Boxes labelled COMPUTER, MODEL and REAL WORLD, connected by the labels “tools” and “analysis”.]
The application of formal specification and analysis is illustrated in Fig. 1.1. The box on the right-hand side represents real world systems. This may include the environment, machines, controllers, etc. Real world systems are formally specified (modeled) in terms of mathematical languages or modeling languages. The model is then rigorously analyzed against a relevant property using computer programs, represented by the box on the left-hand side.
The ultimate goal of this model-based formal analysis is to infer relevant properties of the real world from the results obtained by analyzing the model. The success of such practices obviously depends on (1) the quality of the model in representing the real world, and (2) the feasibility of the analysis of the model. These two requirements are often referred to by the formal methods community as the expressivity and computability of the modeling language in question. A language with more expressive power is often computationally expensive. Conversely, a language which is computationally inexpensive may hardly express real-world problems adequately. For a language to be usable, in this sense, it should find an optimal compromise between these two often conflicting requirements. A common approach to optimizing expressivity versus computability is to focus on specific problem areas. In this way the expressivity of the language is kept to the minimum needed, in order to optimize computability. One of these special classes of problems is real-time systems, which is also the main focus of this thesis.
1.2 Real-Time Systems
Real-time systems are systems whose correctness is determined by both the temporal and the functional correctness of the system. Typical examples of real-time systems include train gate supervision, air-traffic control, and networked multimedia systems. Real-time systems are usually embedded inside bigger systems that interact with their environment according to strict timing requirements. Train gate supervision, for instance, is part of a train/road safety system that is responsible for closing and opening the gate during the time when the train crosses a multi-user road.
Due to industrial competition and the need to increase performance and share resources among components, the complexity of real-time applications is increasing very fast, which in turn has led to the introduction of more errors into systems. Consequently, the need to formally specify and rigorously verify the correctness and safety of real-time systems is more pressing than ever before.
Formal methods have achieved remarkable success in the VLSI (very large scale integration) industry. Motivated by this, people started to apply formal methods to real-time systems. Many achievements have already been attained in the past two decades in the area of real-time systems verification¹, which have the potential to repeat the same success. These include various theoretical foundations [ACH+95, FZ95, TY01, etc.], efficient verification tools [LPY97, BDM+98, BM02, HHWT97, BGO+04, etc.] and practical applications of formal verification to real-world systems [Feh99, BFK+98, BJMY02, BGK+02, Chap. 6, Chap. 7, etc.]. As noted earlier, the successful application of formal methods to real-time systems depends on the ability of the proposed formalisms to (1) express real-time systems adequately and intuitively, while at the same time (2) providing an optimal balance between expressivity and computability. The present thesis addresses these issues with a special focus on one type of formalism known as timed automata, a popular and widely used framework for real-time systems specification and verification.
The thesis discusses the expressivity of timed automata models with respect to the following two criteria.
1. “Theoretical expressivity”: One language is said to be (theoretically) more expressive than another language if whatever the latter can express can also be expressed by the former, while the reverse is not necessarily true.
2. “Practical expressivity”: deals with the ease and naturalness of a language in expressing real-life systems. For instance, a Turing machine is theoretically as expressive as a programming language; however, writing a usable program in a Turing machine language is far more complex than in a programming language.
In what follows, we briefly introduce timed automata, and give pointers to related work on the expressivity of timed automata and its variants.
¹See, for example, [Wan04] for an extensive survey on formal verification of real-time systems.
1.3 Timed Automata
1.3.1 Modeling Time
In real-time system modeling, time can be represented as discrete, where time readings constitute a monotonically increasing sequence of integers [HMP92, Lam05], or as dense, where time readings form a monotonically increasing sequence of reals [AD94, Dil89]. The advantage of discrete-time models is that they can easily be transformed into existing untimed models; however, it is less natural to express physical systems that operate over continuous time in discrete time. Another advantage of continuous-time models is that they can be represented symbolically (for instance using difference bound matrices [AD94, BY03]), which is computationally efficient, when compared to discrete-time representations, for many real-time applications.
Alur and Dill’s timed automata [AD94, ACD90] are one of the first dense-time specification and analysis frameworks for real-time systems. A timed automaton is a finite-state automaton equipped with a finite set of real-valued clocks to measure the progress of time. It is structured as a directed graph whose nodes are control locations and whose edges are transitions. A transition is augmented with a label, a clock comparison (as an enabling condition) and clock resets. Clocks in timed automata can be reset to zero or compared to an integer, and between two resets their derivative with respect to time is equal to one. Two interesting results for the computability of timed automata are that reachability analysis [Yov98] and the emptiness problem [AD94] are decidable.
Timed automata are a sensitive language in the sense that small changes to the way clocks are updated or compared may easily lead to undecidability of reachability analysis. For instance, stopping clocks for a while and resuming them (commonly known as stopwatches [KPSY99, CL00]) is a useful feature to model preemptive scheduling. However, reachability analysis for stopwatch automata is undecidable in general. Nevertheless, timed automata allow some flexibility, provided that the changes are made carefully without violating the decidability results, or if they are applied to a selected subclass of timed automata. For example, a more relaxed clock update, which is more convenient than resetting clocks only to zero and maintains decidability, has been proposed in [BDFP00, SV96]. For an extensive discussion of different flavors of timed automata and their decidability results we refer the reader to Alur and Madhusudan’s survey [AM04].
Note that the original timed automata model [AD94, ACD90] allows clocks to be compared only to constant integers (like x ≤ c, where x is a clock and c is a constant non-negative integer). People have straightforwardly extended timed automata with constraints like x1 + c1 ≤ x2 + c2 [HNSY94]. However, Bouyer [Bou03] showed that the model-checking algorithm in [ACD90, HNSY94] is not correct for such an extension.
One of the assumptions of the theory of timed automata is that clocks grow at a constant rate. However, in practice physical clocks are not perfect and cannot maintain a constant rate of growth. Several researchers [ATM05, HVG03, KLSV03a] propose variants of timed automata with perturbed clocks, where clocks are assumed to advance at a rate of 1 ± ε with respect to time. These automata specify real-time systems more accurately, but their behavior can only be analyzed approximately. A more general approach is to allow clocks to progress at their own rate (given as a differential equation w.r.t. time). This generalization of timed automata leads to another class of systems known as hybrid systems [Hen96, LSV03, etc.].
Another important issue in modeling the timing behavior of real-time systems is urgency. It is a common scenario in real-time systems that some actions must be taken urgently without any further delay, or before a given deadline expires. There are several approaches to express this scenario within timed-automata-based modeling. Since urgency is one of the main focuses of the present thesis, we give below a detailed discussion of this issue.
1.3.2 Urgency for Timed Automata
The original definition of timed automata [AD94, ACD90] did not have explicit syntax to control the progress of time. Instead a Büchi-style acceptance criterion is used, by requiring that some (sets of) locations are visited infinitely often. A popular approach, which is advocated in [HNSY94, AH94a, HKWT95] and implemented in the tool UPPAAL [LPY97], is to add invariants to locations. An invariant imposes a hard deadline on the system by limiting the amount by which time may advance in a given location/state. A similar approach, pursued in [KLSV03a], is to use stopping conditions. Here the idea is that when a system reaches a state in which a stopping condition holds, time may not progress any further and a transition has to occur immediately.
The last two approaches assume that a synchronization between two components can always be taken before one of the components violates its invariant (or stopping condition). But not all real-time systems work this way. Take the following as an example. When a customer pays the appropriate fee and presses the coffee button on a coffee machine, a coffee should be served as soon as possible. This may take some time, e.g. depending on the temperature of the water, but as soon as all ingredients are ready the coffee should be served without further delay. Location invariants and stopping conditions are less appropriate for this type of behavior, because they are not time-reactive (unable to guarantee the existence of an enabled transition when time progress is blocked [BS00, Bow99]). Expressing this behavior using invariants/stopping conditions may result in unnecessary errors, namely time deadlocks (a state in which no transition is enabled and time is forbidden to proceed).
Based on this observation, Sifakis and his colleagues [BS00, SY96] advocate the use of deadlines for the specification of time progress properties. Each transition of a timed automaton [AD94] is decorated with an additional deadline predicate, which specifies when the transition becomes urgent. An advantage of the deadline approach is that under some reasonable assumptions it ensures the absence of time deadlocks. Timed automata with deadlines are implemented in the IF tool suite [BGO+04], and partially by UPPAAL [BLL+96].
The same approach, with a slight modification, is presented in Chapter 4, which advocates urgency predicates instead of deadline predicates. Here deadline predicates are computed as a disjunction of the guard and the urgency predicate. As a result of this computation, the assumption that the deadline implies the guard is guaranteed by construction. We have applied this approach to Timed I/O Automata [KLSV03a], and it has resulted in shorter specifications and better expressivity (in a practical sense); the “theoretical” expressivity is essentially the same.
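To make the contrast between the two urgency mechanisms concrete, here is a small simulation. It is an added example, not code from the thesis or from any of the tools it cites, and everything in it (the component names Machine and Heater, the action serve, the constants 5 and 7, the composition rule) is constructed for the illustration. It models the coffee machine of Section 1.3.2 as two components in the timed automata fragment of Section 1.3.1: a finite set of clocks, guards comparing a clock with an integer constant, and resets to zero, with time restricted to whole units. The Machine wants to synchronize on serve; the Heater can only take part once its clock satisfies y ≥ 7 (the water is hot). With a location invariant x ≤ 5 on the Machine, time is blocked at 5 while no synchronization is enabled, which is exactly the time deadlock described above. With a deadline predicate x ≥ 5 on the Machine's serve edge instead, time is allowed to pass until the partner is ready and the coffee is served immediately at 7, the time-reactive behaviour the deadline approach is meant to deliver. The composition rule used here, that a synchronization is urgent when it is enabled and at least one participant's deadline holds, is an assumption chosen so that urgency never arises without the guard holding; it is a simplification, not the TAD composition of [BS00].

```python
# Invariant-based vs. deadline-based urgency on a two-component coffee machine.
# Constructed example (not from the thesis): Machine wants to 'serve' as soon as
# possible; Heater can only take part in 'serve' once its clock satisfies y >= 7.
# Clocks advance in whole time units and are compared with integer constants.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Valuation = Dict[str, int]            # clock name -> current value
Pred = Callable[[Valuation], bool]    # clock constraint
ALWAYS: Pred = lambda v: True
NEVER: Pred = lambda v: False         # default deadline: the edge is never urgent

@dataclass
class Edge:
    src: str
    dst: str
    action: str
    guard: Pred = ALWAYS              # enabling condition
    deadline: Pred = NEVER            # TAD deadline: when the edge becomes urgent
    resets: Tuple[str, ...] = ()      # clocks reset to zero when the edge is taken

@dataclass
class Automaton:
    name: str
    location: str
    clocks: Valuation
    edges: List[Edge]
    invariants: Dict[str, Pred] = field(default_factory=dict)  # location -> invariant

    def enabled(self, action: str) -> List[Edge]:
        return [e for e in self.edges
                if e.src == self.location and e.action == action and e.guard(self.clocks)]

    def invariant_holds(self, clocks: Valuation) -> bool:
        return self.invariants.get(self.location, ALWAYS)(clocks)

    def take(self, edge: Edge) -> None:
        self.location = edge.dst
        for c in edge.resets:
            self.clocks[c] = 0

def enabled_syncs(components):
    """Actions enabled in the composition: every component that knows the action
    must currently have an enabled edge labelled with it (CSP-style synchronisation)."""
    result = {}
    for act in {e.action for a in components for e in a.edges}:
        participants = [a for a in components if any(e.action == act for e in a.edges)]
        choices = [a.enabled(act) for a in participants]
        if all(choices):
            result[act] = [(a, ch[0]) for a, ch in zip(participants, choices)]
    return result

def run(components, urgency, horizon=20):
    """Step one time unit at a time until 'serve' happens or time is blocked with
    nothing enabled.  'invariant': delay allowed only if every invariant still holds
    afterwards.  'deadline': delay allowed only while no enabled action has a
    participant whose deadline holds (assumption: a synchronisation is urgent only
    when enabled, so the deadline never holds without the guard)."""
    now = 0
    while now <= horizon:
        syncs = enabled_syncs(components)
        urgent = []
        if urgency == "deadline":
            urgent = [act for act, parts in syncs.items()
                      if any(e.deadline(a.clocks) for a, e in parts)]
            can_delay = not urgent
        else:
            can_delay = all(a.invariant_holds({c: t + 1 for c, t in a.clocks.items()})
                            for a in components)
        if not can_delay:
            if not syncs:
                return ("time_deadlock", now)   # time blocked and no transition enabled
            act = urgent[0] if urgent else next(iter(syncs))
            for a, e in syncs[act]:
                a.take(e)
            if act == "serve":
                return ("served", now)
            continue
        for a in components:                    # let one time unit pass in every clock
            for c in a.clocks:
                a.clocks[c] += 1
        now += 1
    return ("timeout", now)

def coffee_machine(style):
    """Machine with either an invariant x <= 5 on 'paid' or a deadline x >= 5 on 'serve'."""
    machine = Automaton("Machine", "paid", {"x": 0},
        [Edge("paid", "done", "serve",
              deadline=(lambda v: v["x"] >= 5) if style == "deadline" else NEVER)],
        {"paid": lambda v: v["x"] <= 5} if style == "invariant" else {})
    heater = Automaton("Heater", "heating", {"y": 0},
        [Edge("heating", "idle", "serve", guard=lambda v: v["y"] >= 7)])
    return [machine, heater]

def run_with_invariant():
    return run(coffee_machine("invariant"), "invariant")   # -> ('time_deadlock', 5)

def run_with_deadline():
    return run(coffee_machine("deadline"), "deadline")     # -> ('served', 7)

if __name__ == "__main__":
    print(run_with_invariant(), run_with_deadline())
```

The invariant run stops with a time deadlock at 5 because the Machine's invariant forbids further delay while the Heater's guard y ≥ 7 is still false, so no transition exists to take. The deadline run never blocks time on its own: the serve edge only becomes urgent once the synchronization is enabled, so the system waits until 7 and then serves without further delay. Swapping the constants (a Heater ready at 3, say) makes both versions serve, which shows that the invariant version is only safe under the assumption the text spells out, namely that the synchronization can always be taken before the invariant expires.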
Another related work on modeling urgency is by Barbuti and Tesei [BT04]. In this paper they study a different aspect of urgency, namely the semantics of as soon as possible with arbitrary non-zero precision. Their study is based on timed automata with urgency predicates, where the urgency predicates are assumed to be either true or false².
1.3.3 Logic and Algebra for Real-time Systems
On another front, there has been extensive research on extending temporal logic to real-time system modeling. Similar to the idea of extending finite automata with time, temporal logic has also been extended by adding time quantitatively. TPTL [AH94b] and MTL [Koy90] are the two main timed extensions of linear temporal logic [MP92, Lam83]. Interested readers may refer to [MNP05, Hen98, Ras99] for a general survey on timed temporal logic, and to [BCM05] for the expressivity difference between MTL and TPTL. A timed version of branching-time temporal logic known as TCTL also appears in [ACD93], and its model checking algorithms are given in [ACD93, TY01, CE81].
Process algebra models such as CCS [Mil89a], CSP [Hoa78] and ACP [BK82] have also been extended with time in [Yi91, NS91, FZ95, BM02]. Similarly, timed Petri nets [Mer74, Ram74] have been proposed as a timed extension of Petri nets. Interested readers may consult [BCH+05] for a comparison between timed automata [AD94] and timed Petri nets [Mer74], which shows that both languages are equally expressive w.r.t. timed language acceptance, while timed automata are more expressive w.r.t. weak timed bisimilarity. A similar discussion can also be found in [BG06].
²Note that restricting urgency predicates to true or false does not reduce the expressivity of the model, but the restricted model may need more transitions than the unrestricted model.
The extension of regular languages into timed regular languages [ACM02, Dim01] is also interesting work that has helped in understanding timed languages in ways similar to the classical theory of regular languages. Recently, Asarin [Asa04] published open questions and challenges in the area of timed languages, to fill the gaps left untouched by the research communities, which mainly focus on applications and analysis tools.
1.4 Overview
The research in this thesis was conducted in the context and under the auspices of the European project Advanced Methods for Timed Systems (AMETIST³), carried out during a period of three years and three months (April 1 2002 - June 1 2005). The AMETIST consortium was composed of seven academic and four industrial partners from five different countries. One of the main objectives of the project was to develop a powerful modeling methodology based on the timed automata model that can express real-life situations in complex industrial systems.
The first part of the thesis (Chapters 2 - 4) compares the theoretical expressiveness of timed automata models. The thesis focuses on the issue of time progress in the light of the three most popular timed automata models, namely Timed Automata with Invariants (called Safety Timed Automata in [HNSY94]), Timed Automata with Deadlines [BS00] and Timed Input/Output Automata [KLSV03a]. The second part of the thesis (Chapters 5 - 7) concerns the practical application of timed automata. These chapters test the expressivity of timed automata against complex industrial case studies and network protocols proposed in the context of the AMETIST project. The results obtained from the specification and verification of the case studies provide further evidence that timed automata models are mature enough to express complex industrial systems accurately and naturally.
In the remainder of this section we give a brief introduction to each of the chapters.
• Chapter 2 [DG05] presents a new bisimulation relation called drop bisimulation. It has been known for several years that the delayability of synchronization in TADs makes strong bisimulation [Mil89a] fail to be a congruence for parallel composition. Chapter 2 solves this problem by characterizing a new bisimulation relation, which is the coarsest congruence included in the bisimulation relation. An equivalent symbolic bisimulation is also provided, which allows us to prove that drop bisimulation is decidable.
³http://ametist.cs.utwente.nl
• Chapter 3 [DG06] is a continuation of Chapter 2 and provides an algebraic proof system for the direct derivation of equivalence (drop bisimulation) by purely syntactic manipulation. In this chapter we show that the proof system is sound and complete.
• Chapter 4 [GV05] can be viewed as an alternative solution to delayable synchronization and failing strong bisimulation. The solution is to partition the set of synchronization actions into input and output actions. In this way there is no need for a new bisimulation relation: strong bisimulation [Mil89a] is compositional by construction. But the primary goal of the chapter is to introduce a new modeling scheme for the time progress condition of TIOA which is shorter and more natural than the earlier stop-when predicate specification. The chapter also presents comparisons and translation schemes among the three ways of specifying time progress.
• Chapter 5 [GKU04] presents the formal modeling and analysis of the Car Periphery Supervision (CPS) system using timed automata. This case study was proposed by one of the AMETIST industrial partners, Robert Bosch GmbH. The CPS system is a central supervision system embedded inside a car. The system collects information from the surrounding environment (for example, the distance and speed of objects driving close to the car) and triggers applications such as airbag inflation, belt tensioner or parking assistant. The CPS system is hybrid in nature; however, we made an appropriate abstraction of the environment, which permitted us to model it as a timed automata model. All relevant properties have been verified using the timed automata model checker UPPAAL. The abstractions employed in this case study preserve the sufficient conditions (as stated in [HH95, ACH+95]) that ensure the validity of the verification results.
• Chapter 6 [GV03a] reports the second case study, proposed by another AMETIST industrial partner, Cybernetics. The case study concerns a smart card personalization machine. This machine takes piles of blank smart cards as raw material, programs them with personalized data, prints and tests them. One of the research problems in this case study is to synthesize a controller that can recover the system from an uncontrollable error. Control synthesis tools are not mature enough to handle such a big system (> 10¹³ states). Therefore we model the system using SMV and somehow “hack” SMV (automatically generating SMV models and feeding them to the verification engine) to generate controllers that can recover the system from an erroneous state. The work illustrates how a model checker can be used to synthesize a controller that recovers the system from an uncontrollable error.
The reader may be surprised to see a case study concerning the application of SMV, a model checker for (untimed) finite state machines, within a thesis which for the rest is devoted to timed automata. Within the research projects AMETIST and HaaST, by which this PhD research was funded, the academic partners were assigned the task of solving practical problems proposed by the industrial partners. It has been said that to a hammer everything looks like a nail, but we believe that industrial problems should be tackled with the most appropriate tool that is available. For the Cybernetics controller synthesis problem, a discrete time model appeared to be most natural, and the size of the state space required the use of a discrete time model checker such as SMV. We have included this case study here since we think it is a nice application of model checking techniques. Elsewhere, Uppaal has been used to address different aspects of the Cybernetics case study (see [Mad04]), and we believe it is a nice challenge for timed automata tools to deal with these different aspects in an integrated manner.
• Chapter 7 [GVZ06a, GVZ06b] models and analyzes the Zeroconf pro-
tocol. This case study has been proposed by Philips in the context
of another research project, HaaST⁴. The Zeroconf protocol allows the
configuration of IPv4 without the need for a third party server such as
DHCP. We decided to model the system in two phases. The first phase
makes a more realistic model of the system without taking the com-
plexity of the model into consideration. In the second phase we made a
careful abstraction of the model. It is constructed in such a way that
automatic verification is possible in UPPAAL. Every abstraction step
either preserves equivalence (modulo bisimulation) or is a result of
an explicitly stated assumption. The contribution of this chapter is
twofold. Firstly, it provides a formal specification of the most critical
part of the protocol. Our modeling efforts revealed several errors (or
at least ambiguities) in the protocol standard that no one had spotted
before. Secondly, relevant properties are verified against the specifi-
cation, revealing which properties are satisfied under which assump-
tions.
⁴HaaST (Verification of Hard and Softly Timed Systems) is a PROGRESS project
http://fmt.cs.utwente.nl/HaaST/
1.5 Conclusion
The state space explosion problem was and still is the main challenge for
the scalability of formal verification. This is a problem that occurs due to
the huge number of states of large systems [BCM+92]. In recent years, there
have been significant improvements in tackling the problem. These im-
provements are not only due to the advancement of computer hardware
which doubles every 18 months (Moore’s law), but also due to algorithmic
techniques, such as abstraction, symbolic analysis and compact data struc-
tures. The thesis demonstrates the increasing power of model checkers in
Chapters 5, 6 and 7. It uses state-of-the-art modeling and verification tech-
niques to verify the desired properties. This would not have been possible
were it not for the newly devised algorithmic techniques.
However, there are still many cases in which exhaustive space explo-
ration is not feasible. A different and promising approach to this problem
is compositional analysis. Efficient implementation of compositional anal-
ysis will still depend on clever algorithmic techniques, but the key to success
lies in the expressive power of the modeling languages in specify-
ing components separately with clearly defined interfaces, and in a means to
infer properties of the system from its components.
Component-based analysis is widely used in the VLSI industry, but for
real-time systems it has not been exploited thoroughly. This is partly due
to the difficulty of reasoning about systems compositionally in the presence
of global time. The timing behavior of a component in a real-time system
depends on the global time, which can (in general) be manipulated by every
component of the system.
A small but significant achievement toward compositional reasoning about
real-time systems is the approach of [BGS00, BS00, Bow99, BGS05] that guar-
antees the absence of time deadlock and zenoness by construction. The
contribution of the thesis in this regard is in providing a means to substi-
tute equivalent components within a system (see Chapter 2). This is an
important tool for component-based analysis of real-time systems, because
it allows a component to be replaced with an equivalent component with-
out affecting the parent system. Computing such equivalence is decidable
and an algebraic theory that allows syntactic derivation of equivalence is
given in Chapter 3.
There is still a long way to go until compositional analysis for real-time
systems is fully exploited, which could be an interesting research direction
for the future. In the meantime, for systems that cannot be verified auto-
matically, the specification part of formal methods alone can be of great
assistance in improving the quality of the system via simulation and doc-
umentation. Formal specification can reveal inconsistencies and ambigu-
ity early in the design process, and forces designers to clarify ambigui-
ties and overlooked details. For example, the numerous computer pro-
tocols that have been standardized by IEEE SA and other standardization
bodies are written in natural languages. These documents will obviously
inherit the ambiguity that is present in natural languages. There are
several reports in the literature that demonstrate the usefulness of formal
specification in improving the quality of complex design documentation
(at least for the critical part of a system). The thesis (see Chapter 7) pro-
vides further evidence that formal specifications are indeed useful in this
regard, and that some formal specification and verification tools (in particular UP-
PAAL) have reached a level where they can be used for this task. As a side
effect, the thesis proposes a number of improvements and additional fea-
tures to make specification languages (in particular UPPAAL) more “practi-
cally” expressive.
Chapter 2
Bisimulation Relation for
Timed Automata with
Deadlines
with Pedro R. D’Argenio
Abstract Delaying synchronization of actions may reveal some hidden
behavior that would not happen if the synchronization met the specified
deadlines. This precise phenomenon makes bisimulation fail to be a con-
gruence for the parallel composition of timed automata with deadlines – a vari-
ant of timed automata where component synchronization is delayable, and
time progress is controlled by deadlines on transitions instead of invariants
on locations. This problem has been known and unsolved for several years.
In this chapter we give a characterization of the coarsest congruence that is
included in the bisimulation relation. In addition, a symbolic characteriza-
tion of such a relation is provided and shown to be decidable.
2.1 Introduction
Design and specification languages allow systems to be modeled in a modular
manner by linking small modules or components using the language oper-
ations (such as sequential composition or parallel composition) in order
to build larger modules. Hence a desirable requirement is that the lan-
guage is compositional with respect to its semantics. By compositional we
mean that components can be replaced by behaviorally equivalent compo-
nents without changing the properties of the larger model in which they
are embedded. The preservation of such properties can be guaranteed
by means of semantic equivalences or preorders. For example, branch-
ing bisimulation preserves CTL∗ [BCG88], language inclusion preserves
LTL [Lam83] and, in particular, timed bisimulation preserves (timed) prop-
erties expressed in logics such as TCTL [TY01]. Hence, compositionality
amounts to requiring that relations like these are congruences (or precon-
gruences) for the different operations of the language.
Timed automata [AD94, HNSY94] are used to model real-time sys-
tems and have become popular as a modeling language for several model
checkers because of their simplicity and tractability [BDL+01, BDM+98,
BGO+04]. Timed automata are automata with the additional ingredients of
clocks. Clocks are variables that increase at the same rate in order to regis-
ter time progress. Transitions are labeled with constraints on clocks, called
guards, that indicate when such transition may take place. Usually timed
automata are used to model real-time systems with hard constraints. In this
case, timed automata are equipped with an invariant, which is a constraint
on clocks that limits time progress in each control state [HNSY94]. For a
system composed of several components, time can progress in the system
if all its components respect their time progress constraints. The problem
with such strong requirements on time progress is that they can easily intro-
duce time deadlock (the composed system has reached a state where time
is blocked forever [BS00, Bow99, Bow01]). For instance, when two com-
ponents are in a state from which they will never synchronize, it may be
desirable not to constrain time progress any further.
The second problem with invariants is that there is no way to ensure
absence of time deadlock in a system from its components. Note that time
deadlock in timed automata is a serious issue because: (1) it is a generic
problem, that is, if an independent component is composed with a compo-
nent that is time-deadlocked, then the composed system inherits the time
deadlock; and (2) the verification of many properties explicitly depends on
the absence of time deadlock.
A variant of timed automata called Timed Automata with Deadlines
(TADs for short) was proposed by Bornot and Sifakis [BS00, SY96, GS05a]
to address the above issues. The work in [BS00, SY96, GS05a] shows how
time-deadlock-freedom of a system can be inferred from its components, in
such a way that, if all components satisfy some time-deadlock-freedom condi-
tion then it is guaranteed that the system is time-deadlock-free by construc-
tion. This model is nowadays embedded in modeling languages such as
IF [BGO+04] and MoDeST [DHKK01, BDHK04], and urgent transitions in
UPPAAL [BLL+96] can be seen as a particular instance of TAD transitions.
TADs do not have invariants. Instead, a TAD transition has an associated
second clock constraint, called a deadline, that indicates at which moment
such a transition must be taken. As a consequence, a deadline is required to
hold only if the corresponding guard holds (δ ⇒ γ), ensuring that the transition
can be taken once the deadline is reached. In this sense, the deadline imposes an
urgency constraint.
[Figure 2.1: TAD and compositionality. (a) T1: $s_0 \stackrel{b,\,x:=0}{\rightsquigarrow} s_1 \stackrel{a,\;\gamma: x\ge 2,\;\delta: x\ge 3}{\rightsquigarrow} s_2$; T2: $t_0 \stackrel{b,\,x:=0}{\rightsquigarrow} t_1$, with $t_1 \stackrel{a,\;\gamma: x\ge 2,\;\delta: x\ge 3}{\rightsquigarrow} t_2$ and $t_1 \stackrel{c,\;\gamma: 4\le x\le 6,\;\delta: x=6}{\rightsquigarrow} t_3$. (b) T1 ||a stop and T2 ||a stop, in which the a-edge is blocked.]
Contrary to the traditional timed automata setting, bisimulation in the
TAD model is not preserved by parallel composition [BS00]. This is illus-
trated in the following example. T1 in Fig. 2.1.(a) depicts a TAD in which
circles represent control states and arrows control transitions. In particu-
lar, the small incoming arrow identifies the initial state. T1 performs first an
action b at any moment and sets clock x to 0. As time progresses, the value
of x increases and when it takes value 2, action a becomes enabled. This is
controlled by guard γ : x ≥ 2. At any point after x takes value 2, this transi-
tion may take place, but as time continues to progress and x takes value 3,
the deadline δ : x ≥ 3 obliges the execution of the transition. Notice that T2
shows a similar behavior since action c cannot be executed: the deadline of
a obliges its execution before the guard of c becomes enabled. In fact, T1
and T2 are timed bisimilar in the sense of [BS00].
Suppose now that T1 is composed in parallel with the automaton stop
requiring synchronization on action a. (stop is the automaton with a single
location and no transition; hence, it does not do anything but idle.) This
blocks the execution of action a in T1. The resulting automaton T1 ||a stop is
depicted in Fig. 2.1.(b). Similarly, the composition of T2 with stop in T2 ||a
stop also blocks the execution of a, but in this case time progresses beyond
3 time units allowing the execution of c after 4 time units (see Fig. 2.1.(b)).
As a consequence T1 ||a stop and T2 ||a stop are not bisimilar.
To the best of our knowledge there is no characterization of a congru-
ence for parallel composition on TADs. The only exception is what is called
strong congruence in [BS00], which is the usual bisimulation applied di-
rectly on TADs. This relation is, however, far too strong as it requires the
syntactic equality of guards, deadlines, and clock resets.
In this chapter we present a congruence relation for parallel composi-
tion and prove that it is the coarsest congruence included in the bisimula-
tion relation. This new relation, which we call ∇-bisimulation (read “drop-
bisimulation”), is in fact the usual bisimulation on an extended semantics
of TAD. Such semantics allows time to progress beyond deadlines while
carefully accounting for the actions whose deadlines have been overruled.
We also give a symbolic characterization of ∇-bisimulation, that is, a re-
lation defined directly on TADs. As a corollary of this characterization,
we obtain that ∇-bisimulation is decidable. Another particular contribu-
tion of this chapter is that the proof of congruence is entirely carried out
at a symbolic level (i.e., without resorting to the underlying transition sys-
tem in which ∇-bisimulation is defined). We also discuss different kinds
of parallel composition on TADs (mostly defined already in the literature),
reporting which of them preserve ∇-bisimulation, which do not, and
why.
Related Work.
The failure of bisimulation to be a congruence becomes apparent when soft
deadlines are considered, that is, when actions that may be urgent in isolation are
required to wait if they are intended for synchronization; i.e., synchroniz-
ing actions need to be patient. This problem has appeared in the context of
stochastic process algebra where synchronization is required to be patient
(e.g. [Hil96, Her02, D’A99]). It becomes evident (in a similar manner as
above) if bisimulation is considered for the underlying probabilistic transi-
tion system rather than for the finer symbolic model [D’A99]. The problem
of compositionality also showed up in other process algebras for perfor-
mance behavior [Cor98].
In [JLS00], compositionality is studied on timed automata with urgent
actions w.r.t. simulation. (An urgent action corresponds to an action in
TADs for which guard and deadline are the same.) In this case, it suffices
to add a condition of readiness on the urgent actions to achieve precongru-
ence. Recently, [GV05] defined a variant of TADs where actions are distin-
guished between input and output following the model of [SGSAL98] and
for which bisimulation is a congruence for the parallel composition. This is
possible due to input enabling and to the fact that only output actions are
allowed to be urgent (i.e. to have deadlines.) Therefore there is no need to
wait for synchronization as it is always possible. Though the restrictions
imposed by [GV05] make the new model much simpler and more tractable, us-
ing it to describe soft real-time systems may result in complex models.
In addition to the solution for the compositionality problem, we also
give a symbolic characterization of the congruence. Our work is based
on the result of Lin & Yi [LY02], who gave a symbolic characterization
of bisimulation for timed automata. In turn, their result is based on
Čerāns’ result that bisimulation for timed automata is decid-
able [Čerāns92]. We also use this result to show the decidability of ∇-
bisimulation.
Outline
The chapter is organized as follows. Section 2.2 gives the preliminaries re-
calling timed automata with deadlines, its semantics in terms of transition
systems, the definition of bisimulation, and particularly, the definition of
parallel composition. In Section 2.3 we discuss the pitfalls of the composi-
tion and progressively construct the semantics that leads to the definition
of ∇-bisimulation. The symbolic characterization is provided in Section 2.4
and shown to be the coarsest congruence in Section 2.5. Section 2.6 discusses
decidability of ∇-bisimulation and the different kinds of synchronization in
parallel composition.
2.2 Preliminaries
Timed Automata with Deadlines.
A clock is a non-negative real-valued variable, which can be reset to zero
at the occurrence of an event, and between two resets, its derivative with
respect to time is equal to 1. We denote by C = {x1, . . . , xN} a finite set
of clocks. A clock constraint F(C) is a conjunction of atomic
constraints of the form xi ⋈ n or xi − xj ⋈ m, where xi and xj are clocks
in C, ⋈ ∈ {<, >, ≤, ≥, =} and n, m are natural numbers. The constraints
tt and ff are used to denote, respectively, the atomic constraints which are
constantly true and false. We will assume that there is a global finite set of
actions 𝒜 for all timed automata with deadlines.
Definition 2.1 A timed automaton with deadlines [BS00] (TAD for short) is
a structure T = (L, l0, C, ⇝) where
• L is a finite set of locations,
• l0 ⊆ L is the set of initial locations,
• C is a finite set of clocks,
• ⇝ ⊆ L × (𝒜 × F(C) × F(C) × 2^C) × L is a finite set of edges.
If (s, a, γ, δ, x, s′) ∈ ⇝ we write $s \stackrel{a,\gamma,\delta,x}{\rightsquigarrow} s'$ and require that δ ⇒ γ holds; more-
over we assume δ is left-closed (left-closure is formally defined in Def. 2.5).
The notation $s \stackrel{a,\gamma,\delta,x}{\rightsquigarrow} s'$ represents an edge from location s to s′ that
executes action a whenever guard γ is true. In addition, the deadline
predicate δ imposes an urgency condition: the transition cannot be delayed
whenever δ is satisfied. When executing the transition, the clocks in x are set
to 0.
Parallel composition of TADs.
Parallel composition allows the independent execution of the activity of the
component automata except if they are intended to synchronize. We as-
sume CSP synchronization in which actions with equal name synchronize
if and only if they belong to a set of synchronizing actions B ⊆ A . Since en-
abling of actions is determined by guards, we define the guard on the syn-
chronized transition to be the conjunction of the guards on the synchroniz-
ing transitions. Therefore synchronization takes place only if both partners
are able to execute the same synchronizing action. (Other compositions of
guards are discussed in Sec. 2.6). Similarly, the deadlines of the synchro-
nizing transitions should affect the deadline of the synchronization. In this
case, we do not fix any particular operation. Instead, we assume a given
operator ⊗ that, when applied to guards and deadlines of the synchroniz-
ing transitions, returns the deadline of the synchronization. We require that
⊗ satisfies the following:
1. (δ1, γ1) ⊗ (δ2, γ2) ⇒ (γ1 ∧ γ2) whenever δ1 ⇒ γ1 and δ2 ⇒ γ2
2. ⊗ preserves left-closure, that is, if δ1 and δ2 are left-closed, so is
(δ1, γ1) ⊗ (δ2, γ2)
3. ⊗ distributes with respect to ∨ in all its arguments, that is
$$\Big(\bigvee_i\, (\delta_1^i, \gamma_1^i) \otimes (\delta_2^i, \gamma_2^i)\Big) \;\Leftrightarrow\; \Big(\bigvee_i \delta_1^i,\ \bigvee_i \gamma_1^i\Big) \otimes \Big(\bigvee_i \delta_2^i,\ \bigvee_i \gamma_2^i\Big)$$
4. There exists a constraint 0δ such that (0δ, tt) acts as a neutral element
for ⊗ in the following sense: ((δ1, γ1) ⊗ (0δ, tt)) ⇔ δ1
(δ1, γ1) ⊗ (δ2, γ2) has to imply the guard γ1 ∧ γ2 of the resulting transition
in order to preserve this property on the composed TAD. This is required
by condition 1. Similarly, condition 2 ensures that deadlines of the composed TAD
are left-closed. The distributivity of condition 3 is needed to prove congruence (see
proof of Theorem 2.2). As we will see in the next section, time passage in
a location is limited by the complement of the disjunction of the outgoing
deadlines. Therefore condition 3 states compositionality for ⊗, allowing the
deadline of a synchronized action to be represented in terms of the deadlines
and guards of the component automata. Condition 4 is only necessary to
show that our definition is the coarsest congruence included in the bisim-
ulation (see Lemma 2.6). For operators not meeting these conditions there
may exist coarser congruences than ours that are also bisimulations. Con-
dition 4 guarantees a way to test the validity of the original deadline in
a component’s transition by means of a synchronization. In Sec. 2.6 we
discuss different implementations of ⊗.
Definition 2.2 Let Ti = (Li, l0i, Ci, ⇝i) for i ∈ {1, 2} be such that C1 ∩ C2 = ∅,
let B ⊆ 𝒜 be a set of synchronizing actions, and let ⊗ be an operation for
synchronizing deadlines. The parallel composition $T_1 \,\|^{\otimes}_{B}\, T_2$ is defined by the
TAD (L1 × L2, l01 × l02, C1 ∪ C2, ⇝) where ⇝ is defined as the smallest relation
satisfying:
$$\frac{s_1 \stackrel{a,\gamma,\delta,x}{\rightsquigarrow}_1 s_1' \qquad a \notin B}{(s_1,s_2) \stackrel{a,\gamma,\delta,x}{\rightsquigarrow} (s_1',s_2)} \qquad\qquad \frac{s_2 \stackrel{a,\gamma,\delta,x}{\rightsquigarrow}_2 s_2' \qquad a \notin B}{(s_1,s_2) \stackrel{a,\gamma,\delta,x}{\rightsquigarrow} (s_1,s_2')}$$
$$\frac{s_1 \stackrel{a,\gamma_1,\delta_1,x_1}{\rightsquigarrow}_1 s_1' \qquad s_2 \stackrel{a,\gamma_2,\delta_2,x_2}{\rightsquigarrow}_2 s_2' \qquad a \in B}{(s_1,s_2) \stackrel{a,\;\gamma_1\wedge\gamma_2,\;(\delta_1,\gamma_1)\otimes(\delta_2,\gamma_2),\;x_1\cup x_2}{\rightsquigarrow} (s_1',s_2')}$$
The rules are fairly standard. Notice, in particular, that the last rule only
allows guards to synchronize when both of them are valid. This is a signifi-
cant restriction w.r.t. [BS00]. We later argue that this is nevertheless reason-
able and discuss the feasibility of compositions not considered here. From
now on, subscripts on edges will be omitted.
Transition Systems and Bisimulation.
Definition 2.3 A transition system (TS for short) is a structure TS =
(S, s0,Σ,−→ ) where
• S is an infinite set of states,
• s0 is the set of initial states,
• Σ is a set of labels, and
• −→⊆ (S × Σ× S) is a set of transitions.
Since we use TSs to model timed systems, we consider two kinds of labels:
those representing the execution of discrete actions and those representing
the passage of time. Then Σ = 𝒜 ∪ R≥0.
Definition 2.4 A bisimulation [Mil89a] is a symmetric relation R ⊆ S × S such
that for all a ∈ Σ, whenever (p, q) ∈ R and $p \xrightarrow{a} p'$ then
$q \xrightarrow{a} q'$ and (p′, q′) ∈ R for some q′.
We write p ∼ q if (p, q) ∈ R for some bisimulation relation R on TS.
Given two TSs, TS1 and TS2 with sets of initial states s01 and s02, respec-
tively, we say that they are bisimilar (notation TS1 ∼ TS2) if there is a
bisimulation R on the disjoint union TS1 ⊎ TS2 such that s0j ⊆ R(s0i)
for {i, j} = {1, 2}, i.e. every initial state of TS1 is related to some initial
state of TS2 and vice versa.
Semantics of TADs.
In the following we recall the semantics of TADs in terms of TSs. A state of
the timed system is divided into two parts, one indicating the current control
location in the TAD, and the other the current time values. This last part
is represented by means of a clock valuation, which is a function ρ : C →
R≥0 mapping each clock to the time elapsed since the last time it was reset
to 0. Given a clock valuation ρ and d ∈ R≥0, the function ρ + d denotes
the valuation such that for each clock x ∈ C, (ρ + d)(x) = ρ(x) + d. The
function ρ{x:=0} denotes the valuation such that for each clock x ∈ x ∩ C,
ρ{x:=0}(x) = 0, and otherwise ρ{x:=0}(x) = ρ(x). We first define what it means
for a constraint to be left-closed, followed by the semantics of TADs.
Definition 2.5 A constraint φ is called left-closed if and only if for all valuations ρ,
$$\rho \models \neg\phi \;\Rightarrow\; \exists\varepsilon > 0 : \forall\varepsilon' \le \varepsilon : \rho + \varepsilon' \models \neg\phi$$
Definition 2.6 Let T = (L, l0, C, ⇝) be a TAD. Its semantics is given by
TS(T) = (L × (C ↦ R≥0), l0 × (C ↦ 0), 𝒜 ∪ R≥0, →), where → is the smallest
relation satisfying:
A1: discrete transition $s \stackrel{a,\gamma,\delta,x}{\rightsquigarrow} s'$ and ρ ⊨ γ implies $s\rho \xrightarrow{a} s'\rho\{x:=0\}$; and
A2: delay transition ∀d′ < d : ρ + d′ ⊨ tpc(s) implies $s\rho \xrightarrow{d} s(\rho + d)$
where $\mathrm{tpc}(s) = \neg\bigvee\{\delta \mid \exists a,\gamma,x,s' : s \stackrel{a,\gamma,\delta,x}{\rightsquigarrow} s'\}$ is the time progress condition
in s.
Rule A1 states that an edge $s \stackrel{a,\gamma,\delta,x}{\rightsquigarrow} s'$ defines a discrete transition in
the current location s whenever the guard holds in the current valuation ρ. After
the transition is taken, clocks in x are set to 0 in the new valuation. Ac-
cording to A2, time can progress in s only while tpc(s) is true, that is, as
long as no deadline of an edge leaving s becomes true. Notice that tpc(s) is
required to hold for all d′ < d but not for d itself. Therefore it is indistin-
guishable whether tpc(s) holds in the limit or not. For instance, if ρ(x) = 0,
both x < 3 and x ≤ 3 hold in all ρ + d′ with d′ < 3. Thus our assumption that
a deadline has to be specified as a left-closed predicate is not a limitation
but a preference to avoid technical complications which do not contribute
to the work.
As a consequence of Def. 2.6, the notion of bisimulation extends to
TADs straightforwardly: two TADs T1 and T2 are bisimilar (notation
T1 ∼ T2) if TS (T1) ∼ TS (T2).
Example 2.1 Consider automata T1 and T2 of Fig. 2.1. Using Def. 2.6 it is rou-
tine to check that the relation
R = {(s0{x:=d}, t0{x:=d}) | 0 ≤ d}
∪ {(s1{x:=d}, t1{x:=d}) | 0 ≤ d ≤ 3}
∪ {(s2{x:=d}, t2{x:=d}) | 2 ≤ d}
is a bisimulation witnessing T1 ∼ T2. Besides, if stop = ({r}, {r}, ∅, ∅), then
$T_2 \,\|^{\otimes}_{a}\, \mathit{stop}$ can execute the trace b 5 c, which is not possible from (s0, r){x:=0}.
Consequently, $T_1 \,\|^{\otimes}_{a}\, \mathit{stop} \not\sim T_2 \,\|^{\otimes}_{a}\, \mathit{stop}$.
2.3 Towards a Congruence Relation
In the following we discuss different proposals for congruence until find-
ing a satisfactory definition. All proposals are bisimulation relations on
different modifications of the transition system underlying the TAD.
The example in Fig. 2.1 suggests that action c could be distinguished if
time were allowed to elapse beyond the deadline. Therefore, a first
naive proposal would be to let time progress beyond the time progress
condition, but this would not be compatible with bisimulation since
TADs with different deadlines but equal guards may become equated. So,
a modification of this semantics could consider separately a potential time
progress by adding a new kind of transition as follows:
$s\rho \xrightarrow{[d]} s(\rho + d)$ for all d ≥ 0.
Though clearly stronger than bisimulation (notice that it would distin-
guish T1 and T2 in Fig. 2.1), it fails to be a congruence. This is shown in
Fig. 2.2(a). The relation would equate T3 and T4, but not their composi-
tions $T_3 \,\|^{\otimes}_{B}\, T'$ and $T_4 \,\|^{\otimes}_{B}\, T'$ with B = {a, b, c}. Notice that after realization
of action a, $T_3 \,\|^{\otimes}_{B}\, T'$ lets (non-potential) time progress beyond 2 time units
while this is not possible in $T_4 \,\|^{\otimes}_{B}\, T'$ due to the deadline on b.
As a consequence, we may think of considering different potential time
progress transitions for each edge in the TAD, but this turns out to be too
strong (apart from cumbersome). See automata T5 and T6 in Fig. 2.2(b),
which share some similarity with the previous example, only that c has
been renamed to b. They are expected to be congruent.
The new example suggests that time can potentially progress differently
for every action name since they can be delayed or preempted indepen-
dently. A possible solution seems to consider a different kind of potential
time progress for each action. Since time progress is associated to dead-
lines, we follow a different approach: instead of considering potential time
progress, we consider a new type of discrete action ∇D, D ⊆ A , that indi-
cates that from the moment action ∇D is issued, deadlines of actions in D
would be disregarded. We call this type of action “drop” (since it drops the
deadline). Notice that a drop action can be performed at any moment.
Let 𝒜∇ = {∇D | D ⊆ 𝒜}. To keep track of which deadlines have to be
disregarded, states also need to record the current set of actions whose
deadlines were dropped.
[Figure 2.2: (Counter)examples for congruence. (a) T3: an a-edge resetting x, then c with γ: x ≥ 1, δ: ff and b with γ: x ≥ 2, δ: x ≥ 2; T4: an a-edge resetting x, then c with γ: x ≥ 1, δ: x ≥ 2 and b with γ: x ≥ 2, δ: ff. Composing automata: T′ performs a then b (no clocks); T′′ performs a, resetting y, then b with γ: y ≥ 2, δ: y ≥ 2. (b) T5 and T6: as T3 and T4 with c renamed to b. (c) T7: an a-edge resetting x, then two b-edges with γ: x = 1, δ: x = 1 and γ: x ≥ 2, δ: x ≥ 2; T8: the same, but the second b-edge has δ: ff.]
The extended semantics of T = (L, l0, C, ⇝) is
then given by the TS (L × 2^𝒜 × (C ↦ R≥0), l0 × {∅} × (C ↦ 0), 𝒜 ∪ 𝒜∇ ∪
R≥0, →), where → is the smallest relation satisfying:
A1∇: discrete transition
$s \stackrel{a,\gamma,\delta,x}{\rightsquigarrow} s'$ and ρ ⊨ γ implies $(s,D)\rho \xrightarrow{a} (s',\emptyset)\rho\{x:=0\}$
A2∇: delay transition
∀d′ < d : ρ + d′ ⊨ ¬dl(s, 𝒜 − D) implies $(s,D)\rho \xrightarrow{d} (s,D)(\rho + d)$
A3: drop transition
$(s,D)\rho \xrightarrow{\nabla E} (s,D \cup E)\rho$
where dl(s, A) is the deadline collected by the actions in A ⊆ 𝒜 in location s and
is defined by
$$\mathrm{dl}(s,A) = \bigvee\{\delta \mid s \stackrel{a,\gamma,\delta,x}{\rightsquigarrow} s' \text{ and } a \in A \text{ for some } a,\gamma,x,s'\}.$$
Bisimulation in this new semantics distinguishes the automata in Figs. 2.1(a)
and 2.2(a), and equates those in Fig. 2.2(b). Regarding the new predicate
dl(s, A), notice that for any location s, tpc(s) = ¬dl(s, 𝒜).
Notice also that once a deadline is dropped, it cannot be observed any-
more. The example in Fig. 2.2(c) shows that this semantics does not yet
yield a congruence. According to this semantics, T7 and T8 are equated.
However, under the assumption that deadlines of synchronising transi-
tions are arranged in a conjunction¹ (i.e. ⊗ is ∧), the compositions $T_7 \,\|^{\otimes}_{B}\, T''$
and $T_8 \,\|^{\otimes}_{B}\, T''$, with B = {a, b}, are distinguished by the usual bisimula-
tion: after executing action a, $T_8 \,\|^{\otimes}_{B}\, T''$ lets time progress beyond 2 time
units while this is not the case in $T_7 \,\|^{\otimes}_{B}\, T''$ due to the composed deadline
(x ≥ 2) ∧ (y ≥ 2) on b.
This phenomenon is due to the fact that after action a is performed,
automaton T′′ temporarily disregards the deadline of b during the first 2
units of time, but later allows it to be observed again. As a consequence,
we introduce a new action ∆ (read “undrop”) which indicates that in the
future all deadlines will be considered again.
Definition 2.7 The extended semantics of T = (L, l0, C, ⇝) is given by
TS∇(T) = (L × 2^𝒜 × (C ↦ R≥0), l0 × {∅} × (C ↦ 0), 𝒜 ∪ 𝒜∇ ∪ {∆} ∪ R≥0, →),
where → is the smallest relation satisfying A1∇, A2∇, and A3 above plus
A4: undrop transition $(s,D)\rho \xrightarrow{\Delta} (s,\emptyset)\rho$
Note that the undrop action can be performed at any moment. Going back
to the previous example, the execution sequence a ∇{b} 2 ∆ 1 is possible in T8
but not in T7. Hence, a bisimulation in this setting distinguishes T7 from
T8. We define such a relation as follows.
Definition 2.8 (∇-bisimulation) We say that automata T1 and T2 are ∇-
bisimilar, notation T1 ∼∇ T2, if TS∇(T1) ∼ TS∇(T2). We also say that lo-
cations s and t are ∇-bisimilar in some valuation ρ, notation sρ ∼∇ tρ, if
(s,∅)ρ ∼ (t,∅)ρ.
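The following Python interpreter is an added illustration, not part of the thesis: it executes the extended semantics TS∇ of Def. 2.7 (which, without drop and undrop labels, is exactly TS of Def. 2.6) together with the parallel composition of Def. 2.2 for ⊗ = ∧, and replays the two separating traces discussed above, b 5 c on T1 ||a stop versus T2 ||a stop (Example 2.1) and a ∇{b} 2 ∆ 1 on T7 versus T8. The deadline ff on the edges drawn without a deadline and the location names of T7 and T8 are assumptions.

```python
from fractions import Fraction
import math
import operator

# Added example, not from the thesis: an interpreter for TS∇ (Def. 2.7, rules
# A1∇..A4); without drop/undrop labels it coincides with TS (Def. 2.6). A
# constraint is a tuple of atoms (clock, op, n), n an integer, read as a
# conjunction; TT is the empty conjunction and FF stands for ff.
OPS = {"<": operator.lt, "<=": operator.le, "==": operator.eq,
       ">=": operator.ge, ">": operator.gt}
TT, FF = (), None

def holds(phi, rho):
    """rho |= phi for a conjunction phi of atoms (FF never holds)."""
    return phi is not FF and all(OPS[op](rho[x], n) for x, op, n in phi)

def conj(phi, psi):
    """phi ∧ psi; used for synchronised guards and, with ⊗ = ∧, deadlines."""
    return FF if phi is FF or psi is FF else phi + psi

class TAD:
    """Def. 2.1; edges are tuples (src, action, guard, deadline, resets, dst)."""
    def __init__(self, init, clocks, edges):
        self.init, self.clocks, self.edges = set(init), set(clocks), list(edges)
        self.locs = self.init | {e[0] for e in edges} | {e[5] for e in edges}

def delay_allowed(tad, loc, dropped, rho, d):
    """A2∇: for all d' < d, rho + d' |= ¬dl(loc, A − dropped). An atom x ./ n
    changes truth only when clock x crosses an integer, so testing every such
    breakpoint in [0, d) plus one point strictly between consecutive ones (and
    between the last one and d) decides the condition exactly."""
    if d <= 0:
        return True                           # vacuous for d = 0
    deadlines = [e[3] for e in tad.edges
                 if e[0] == loc and e[1] not in dropped and e[3] is not FF]
    points = {Fraction(0)}
    for x in tad.clocks:
        k = math.floor(rho[x]) + 1
        while k < rho[x] + d:
            points.add(k - rho[x])
            k += 1
    grid = sorted(points) + [Fraction(d)]
    samples = grid[:-1] + [(p + q) / 2 for p, q in zip(grid, grid[1:])]
    return not any(holds(delta, {x: v + dp for x, v in rho.items()})
                   for dp in samples for delta in deadlines)

def successors(tad, state, label):
    """One step of TS∇ from state = (loc, dropped, rho); label is an action
    name (A1∇), a delay (A2∇), ('drop', actions) (A3) or 'undrop' (A4)."""
    loc, dropped, rho = state
    if isinstance(label, tuple) and label[0] == "drop":
        return [(loc, dropped | frozenset(label[1]), rho)]
    if label == "undrop":
        return [(loc, frozenset(), rho)]
    if isinstance(label, (int, float, Fraction)):
        d = Fraction(label)
        ok = delay_allowed(tad, loc, dropped, rho, d)
        return [(loc, dropped, {x: v + d for x, v in rho.items()})] if ok else []
    return [(dst, frozenset(), {x: Fraction(0) if x in resets else v
                                for x, v in rho.items()})
            for src, a, guard, _dl, resets, dst in tad.edges
            if src == loc and a == label and holds(guard, rho)]

def accepts(tad, trace):
    """True iff some initial state of TS∇(tad) can perform the whole trace."""
    zero = {x: Fraction(0) for x in tad.clocks}
    frontier = [(l, frozenset(), zero) for l in tad.init]
    for label in trace:
        frontier = [t for s in frontier for t in successors(tad, s, label)]
        if not frontier:
            return False
    return True

def compose(t1, t2, sync):
    """T1 ||_B T2 of Def. 2.2 with ⊗ = ∧ (patient synchronisation): interleave
    actions outside B, conjoin guards and deadlines of actions in B."""
    assert not (t1.clocks & t2.clocks), "clock sets must be disjoint"
    edges = []
    for s1, a, g, d, r, s1p in t1.edges:
        edges += [((s1, s2), a, g, d, r, (s1p, s2)) for s2 in t2.locs if a not in sync]
    for s2, a, g, d, r, s2p in t2.edges:
        edges += [((s1, s2), a, g, d, r, (s1, s2p)) for s1 in t1.locs if a not in sync]
    for s1, a, g1, d1, r1, s1p in t1.edges:
        for s2, b, g2, d2, r2, s2p in t2.edges:
            if a == b and a in sync:
                edges.append(((s1, s2), a, conj(g1, g2), conj(d1, d2),
                              r1 | r2, (s1p, s2p)))
    init = {(l1, l2) for l1 in t1.init for l2 in t2.init}
    return TAD(init, t1.clocks | t2.clocks, edges)

# Fig. 2.1 and Fig. 2.2(c). Deadline ff on the edges drawn without one and
# the location names p0..p3, q0..q3 of T7 and T8 are assumptions.
GE = lambda n: (("x", ">=", n),)            # constraint x >= n
EQ = lambda n: (("x", "==", n),)            # constraint x = n
T1 = TAD({"s0"}, {"x"}, [("s0", "b", TT, FF, {"x"}, "s1"),
                         ("s1", "a", GE(2), GE(3), set(), "s2")])
T2 = TAD({"t0"}, {"x"}, [("t0", "b", TT, FF, {"x"}, "t1"),
                         ("t1", "a", GE(2), GE(3), set(), "t2"),
                         ("t1", "c", GE(4) + (("x", "<=", 6),), EQ(6), set(), "t3")])
STOP = TAD({"r"}, set(), [])                  # stop = ({r}, {r}, ∅, ∅)
T7 = TAD({"p0"}, {"x"}, [("p0", "a", TT, FF, {"x"}, "p1"),
                         ("p1", "b", EQ(1), EQ(1), set(), "p2"),
                         ("p1", "b", GE(2), GE(2), set(), "p3")])
T8 = TAD({"q0"}, {"x"}, [("q0", "a", TT, FF, {"x"}, "q1"),
                         ("q1", "b", EQ(1), EQ(1), set(), "q2"),
                         ("q1", "b", GE(2), FF, set(), "q3")])
```

`accepts(compose(T2, STOP, {"a"}), ["b", 5, "c"])` returns True while the same trace on T1 ||a stop returns False, and `accepts(T8, ["a", ("drop", {"b"}), 2, "undrop", 1])` returns True where T7 returns False because its deadline x ≥ 2 on b is in force again after the undrop.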
The following Proposition states that two ∇-bisimilar automata are also
bisimilar.
Proposition 2.1 For any T1 and T2, if T1 ∼∇ T2 then T1 ∼ T2.
Proof: It is routine to check that if R is a bisimulation that witnesses T1 ∼∇
T2, then {(s1ρ1, s2ρ2) | ((s1,∅)ρ1, (s2,∅)ρ2) ∈ R} is a bisimulation that wit-
nesses T1 ∼ T2. □
We conclude this section by stating two basic properties (lemmas) of ∇-
bisimulation. They are needed to prove Theorem 2.1, which relates ∼∇ to a
symbolic bisimulation.
¹Taking the conjunction of deadlines on synchronisation is an operation that can be used to model
patient synchronisation (also known as flexible synchronisation in [SY96]) in soft real-time
applications. For further discussion see Section 2.6 on page 42.
Notice that the ability of dropping all the deadlines, letting time pass,
and then undropping the deadlines, ensures that if two locations are ∇-
bisimilar at a certain moment, no matter how long the activity is blocked,
these two locations will still be ∇-bisimilar. This is stated in Lemma 2.1.
Moreover, if two locations are ∇-bisimilar at some given valuation ρ then
both satisfy the deadline associated to some action in valuation ρ, or nei-
ther of them does. This is easy to check by dropping all the deadlines ex-
cept those associated to the action of interest. This is formally stated in
Lemma 2.2.
Lemma 2.1 If tρ ∼∇ uρ then t(ρ+ d) ∼∇ u(ρ+ d), for all d ≥ 0.
Proof: By A3 in Def. 2.7, (t,∅)ρ ∇A−−→ (t,A )ρ which implies (u,∅)ρ ∇A−−→
(u,A )ρ and (t,A )ρ ∼ (u,A )ρ (∼ is a bisimulation.)
Since dl(t,∅) = W ∅ = ff, ρ+ d |= ¬dl(t,A − A ), for all d ≥ 0. Hence,
by A2∇, (t,A )ρ d−→ (t,A )(ρ+ d) for any d ≥ 0. This implies that (u,A )ρ d−→
(u,A )(ρ+ d) and (t,A )(ρ+ d) ∼ (u,A )(ρ+ d) for all d ≥ 0.
Finally, since (t,A )(ρ + d) ∆−→ (t,∅)(ρ + d) by A4, (u,A )(ρ + d) ∆−→
(u,∅)(ρ+ d) and (t,∅)(ρ+ d) ∼ (u,∅)(ρ+ d) for all d ≥ 0. ut
Lemma 2.2 If tρ ∼∇ uρ then ρ |= dl(t,D) ⇔ dl(u,D), for any D ⊆ A .
Proof: Let $(t,\emptyset)\rho \sim (u,\emptyset)\rho$. By A3, $(t,\emptyset)\rho \xrightarrow{\nabla(\mathcal{A}-D)} (t,\mathcal{A}-D)\rho$, which implies that $(u,\emptyset)\rho \xrightarrow{\nabla(\mathcal{A}-D)} (u,\mathcal{A}-D)\rho$ and $(t,\mathcal{A}-D)\rho \sim (u,\mathcal{A}-D)\rho$.
We show that $(t,\mathcal{A}-D)\rho \sim (u,\mathcal{A}-D)\rho$ implies $\rho \models dl(t,D) \Rightarrow dl(u,D)$, which, by symmetry of ∼, suffices to show that $\rho \models dl(t,D) \Leftrightarrow dl(u,D)$.
$\rho \models \neg dl(u,D)$
⇒ $\exists d > 0 : \forall d' : 0 \le d' < d : \rho + d' \models \neg dl(u,D)$ (by Def. 2.5)
⇒ $(u,\mathcal{A}-D)\rho \xrightarrow{d}$ (by A2∇)
⇒ $(t,\mathcal{A}-D)\rho \xrightarrow{d}$ (since $(t,\mathcal{A}-D)\rho \sim (u,\mathcal{A}-D)\rho$)
⇒ $\exists d > 0 : \forall d' : 0 \le d' < d : \rho + d' \models \neg dl(t,D)$ (by A2∇)
⇒ $\rho \models \neg dl(t,D)$ (in particular, for $d' = 0$)
□
2.4 Symbolic Characterization of ∇-bisimulation
We postpone the proof that ∇-bisimulation is a congruence until Sec. 2.5
and give first a symbolic characterization of ∼∇. That is, we give a rela-
tion directly on TADs which does not resort to the underlying transition
system and equates exactly the same automata as ∼∇ does. The symbolic
bisimulation we propose works in a similar fashion to that of [LY02]. The
construction of such a relation is based on zone and region manipulation.
A clock region, or region for short, is a consistent conjunction of atomic constraints of the form
$$\psi \equiv \bigwedge_{x \in C} \psi_x \;\wedge\; \bigwedge_{\{x,y\} \subseteq C,\ x \neq y} \psi_{\{x,y\}}$$
where
• each $\psi_x$ is either $x = n$, $m < x < m + 1$ or $x > N$, and
• each $\psi_{\{x,y\}}$ is either $x - y = n$, $m < x - y < m + 1$ or $x - y > N$,
with $n, m, N$ non-negative integers such that $0 \le n \le N$ and $0 \le m < N$.
Regions can be expressed by constraints as defined above, and any constraint can be expressed as a disjunction of regions. Similar to the clock resetting (ρ{x := 0}) and time successor (ρ + d) of clock valuations defined earlier, we define below their symbolic counterparts.
Reset: For a constraint φ and a set of clocks x, the reset φ↓x is a predicate
such that for all ρ, ρ |= φ↓x iff ρ= ρ′{x := 0} and ρ′ |= φ for some ρ′.
Time successor: For a constraint φ, the time successor φ ⇑ is a pred-
icate such that for all ρ, ρ |= φ ⇑ iff ρ = ρ′ + d and ρ′ |=
φ for some ρ′ and d ≥ 0.
A constraint φ is ⇑-closed if and only if φ⇑ ⇔ φ is valid (i.e. a tautology).
The operations above distribute through disjunction and are expressible in
terms of constraints (see e.g. [Yov98, LY02].) The following facts can be
derived from the definitions or have already appeared elsewhere [Yov98,
LY02].
Fact 2.1
1. Let ψ and φ be regions. Let ρ and ρ′ be valuations s.t. ρ |= ψ and ρ′ |= ψ. If ρ + d |= φ for some d ≥ 0, then there exists d′ ≥ 0 s.t. ρ′ + d′ |= φ.
2. If φ is a region then, for any constraint ψ, either φ ⇒ ψ is valid or φ ∧ ψ is a contradiction.
3. If φ is a region, so is φ↓x.
4. ρ |= φ implies ρ |= φ⇑.
5. φ⇑ is ⇑-closed.
6. If φ is ⇑-closed then ρ |= φ implies ρ + d |= φ for all d ∈ R≥0.
7. If φ1 and φ2 are ⇑-closed (resp. left-closed), so are φ1 ∧ φ2 and φ1 ∨ φ2.
Given a constraint φ, a φ-partition [LY02] is a finite set of constraints Φ if $\bigvee\Phi \Leftrightarrow \phi$ and for any two distinct ψ, ψ′ ∈ Φ, ψ and ψ′ are disjoint (i.e. ψ ∧ ψ′ is a contradiction). A φ-partition Φ is called finer than another φ-partition Ψ if Φ can be obtained from Ψ by decomposing some of its elements. $\mathcal{RC}(\phi)$ denotes the set of all regions that constitute φ. Notice that $\phi \Leftrightarrow \bigvee\mathcal{RC}(\phi)$ and that $\mathcal{RC}(\phi)$ is the finest of all φ-partitions.
Lemma 2.3 Let ψ be a region and ρ be such that ρ |= ψ. For all $\phi \in \mathcal{RC}(\psi{\Uparrow})$ there exists d ≥ 0 such that ρ + d |= φ.
Proof: Let ρ′′ |= φ; then ρ′′ |= ψ⇑. By the definition of ⇑, there exist ρ′ and d′ ≥ 0 such that ρ′ + d′ = ρ′′ and ρ′ |= ψ. Since ρ |= ψ too, and ψ and φ are regions, by Fact 2.1.1 there exists d ≥ 0 such that ρ + d |= φ. □
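As an added illustration (not code from the thesis) of the region, ⇑ and ↓x operations above and of Lemma 2.3, the Python below enumerates regions by a canonical key, computes RC(ψ⇑) by stepping a representative valuation from one region boundary to the next, resets clocks, and checks ⇑-closure of a constraint given as a set of regions. It assumes two clocks x, y and a largest constant N = 2, and uses the standard Alur-Dill region equivalence, in which the ordering of fractional parts stands in for the diagonal conjuncts of the definition above.

```python
"""Clock regions, time successor (⇑) and reset (↓x) on a small clock set.

Added example, not the thesis's own code.  Assumptions: two clocks x, y
(the disjoint union of both automata's clocks) and a largest constant N = 2.
Regions follow the standard Alur-Dill equivalence: each clock is either
above N or has an integer part and a "fraction is zero" flag, and the clocks
at or below N are ordered by fractional part (this ordering is what the
diagonal conjuncts m < x-y < m+1 of the definition encode)."""
from fractions import Fraction as F
from math import ceil, floor

N = 2
CLOCKS = ("x", "y")


def region_of(rho):
    """Canonical, hashable key of the region that contains valuation rho."""
    parts, fracs = [], []
    for c in CLOCKS:
        v = F(rho[c])
        if v > N:
            parts.append((c, "gt"))
            continue
        parts.append((c, floor(v), v == floor(v)))
        if v != floor(v):
            fracs.append((v - floor(v), c))
    fracs.sort()
    order, i = [], 0           # groups of clocks with equal fraction, increasing
    while i < len(fracs):
        j = i
        while j < len(fracs) and fracs[j][0] == fracs[i][0]:
            j += 1
        order.append(frozenset(c for _, c in fracs[i:j]))
        i = j
    return (tuple(parts), tuple(order))


def time_successors(rho):
    """RC(ψ⇑) for the region ψ of rho: every region hit by rho + d, d ≥ 0,
    as a dict region key -> representative valuation (Fact 2.1.1 makes the
    result independent of which rho represents ψ)."""
    rho = {c: F(v) for c, v in rho.items()}
    seen = {}

    def record(val):
        seen.setdefault(region_of(val), dict(val))

    record(rho)
    while True:
        below = [c for c in CLOCKS if rho[c] <= N]
        if not below:                       # all clocks above N: final region
            return seen
        # delay until the first clock at or below N reaches an integer
        d = min((ceil(rho[c]) - rho[c]) or F(1) for c in below)
        if any(rho[c] == floor(rho[c]) for c in below):
            # on a boundary: the open region reached for all 0 < d' < d comes first
            rho = {c: v + d / 2 for c, v in rho.items()}
            record(rho)
            d = d / 2
        rho = {c: v + d for c, v in rho.items()}
        record(rho)


def reset(rho, clocks):
    """Representative of ψ↓clocks for the region ψ of rho (a region, Fact 2.1.3)."""
    return {c: (F(0) if c in clocks else F(v)) for c, v in rho.items()}


def time_closure(regions):
    """RC(φ⇑) for φ given as RC(φ), a dict region key -> representative."""
    out = {}
    for rep in regions.values():
        out.update(time_successors(rep))
    return out


def is_up_closed(regions):
    """φ is ⇑-closed iff φ⇑ ⇔ φ: no region of φ has a time successor outside φ."""
    return set(time_closure(regions)) == set(regions)


def phi0():
    """RC(φ0) for Corollary 2.1's φ0 ≡ ⋀ (0 ≤ x = y): the all-zero region."""
    zero = {c: F(0) for c in CLOCKS}
    return {region_of(zero): zero}


if __name__ == "__main__":
    succ = time_closure(phi0())
    print(len(succ), "regions in RC(φ0⇑)")             # 6 for N = 2
    print(is_up_closed(phi0()), is_up_closed(succ))    # False True
```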
The definition of symbolic bisimulation we propose is based on Lin &
Yi's definition [LY02], which in turn is based on Čerāns' result [Čerāns92].
A symbolic bisimulation is a relation containing tuples (s, t, φ) meaning
that locations s and t are related in any valuation that satisfies constraint
φ. Here φ is a constraint over the disjoint union of the set of clocks of the
two automata. In this way, the relation ensures that clocks in both automata
progress at the same rate. In turn, this guarantees that the related locations
can idle the same time until some given deadline becomes true.
Definition 2.9 (Symbolic Bisimulation) Let T1 and T2 be two TADs with disjoint sets of clocks C1 and C2 and disjoint sets of locations L1 and L2 respectively. A relation $S \subseteq (L_1 \times L_2 \cup L_2 \times L_1) \times \mathcal{F}(C_1 \cup C_2)$ (where $\mathcal{F}(C)$ denotes the set of all constraints with clocks in C) is a symbolic bisimulation if for all (t,u,φ) ∈ S,
1. (u,t,φ) ∈ S,
2. φ is ⇑-closed,
3. whenever $t \xrightarrow{a,\gamma,\delta,x} t'$, there is a (φ ∧ γ)-partition Φ such that for each φ′ ∈ Φ, $u \xrightarrow{a,\gamma',\delta',y} u'$, $\phi' \Rightarrow \gamma'$ and $(t',u',\phi'{\downarrow}xy{\Uparrow}) \in S$, for some γ′, δ′, y and u′; and
4. $\phi \Rightarrow (dl(t,A) \Leftrightarrow dl(u,A))$ is valid for all $A \subseteq \mathcal{A}$.
We write $t \sim^{\phi} u$ if (t,u,φ) ∈ S for some symbolic bisimulation S. We also write $T_1 \sim^{\phi} T_2$ if for every initial location t of T1 there is an initial location u in T2 such that $t \sim^{\phi} u$, and the same with the roles of T1 and T2 exchanged.
Property 1 states the symmetric characteristics of a bisimulation. The requirement that φ is ⇑-closed (property 2) ensures that locations t and u show an equivalent behavior at any time in the future, which is necessary if deadlines are dropped. Property 3 ensures the transfer properties of discrete transitions. This is similar to [LY02] except that there is no invariant to consider. Finally, property 4 states that any possible combination of deadlines should match under the assumption that φ holds. This ensures that the time elapsed until a deadline associated to a given action is the same in both locations. Notice that property 4 is equivalent to requiring that φ ⇒ (dl(t,{a}) ⇔ dl(u,{a})) for all a ∈ 𝒜. This makes evident that deadlines may be "changed" from one edge to another as long as both edges are labeled with the same action (see Fig. 2.2(b)). Moreover, property 4 is comparable to the property of invariants in [LY02]. Like in [LY02], the use of partitioning allows one edge to be matched by several edges, as is the case in Fig. 2.3 where both T9 ∼∇ T10 and T9 ∼x=y T10.
[Figure 2.3: T9 ∼x=y T10 (automata T9 and T10; b-edges with guards γ : tt, γ : x ≤ 2, γ : x > 2 and deadlines δ : y ≥ 4, δ : ff, δ : x ≥ 4)]
The following theorem states that symbolic bisimulation completely
captures the notion of ∇-bisimulation.
Theorem 2.1 For ⇑-closed φ, t ∼φ u iff tρ ∼∇ uρ for any ρ |= φ.
Proof: (⇒) Let S be a symbolic bisimulation. Define
$$R = \{((t,D)\rho, (u,D)\rho) \mid \exists\phi : \rho \models \phi : (t,u,\phi) \in S \text{ and } D \subseteq \mathcal{A}\} \qquad (2.1)$$
We show that R is a bisimulation. The fact that it is symmetric follows by symmetry of S. In the following we suppose that ((t,D)ρ, (u,D)ρ) ∈ R as a consequence of (t,u,φ) ∈ S as indicated in (2.1), and prove the transfer property by case analysis on the type of transition.
discrete transition:
$(t,D)\rho \xrightarrow{a} (t',D')\rho'$
⇒ {by A1∇}
$\exists\gamma,\delta,x : t \xrightarrow{a,\gamma,\delta,x} t',\ D' = \emptyset,\ \rho' = \rho\{x := 0\}$, and $\rho \models \gamma$ (2.2)
⇒ {by prop. 3 in Def. 2.9, since (t,u,φ) ∈ S}
$\exists\Phi : \Phi \text{ is a } (\phi \wedge \gamma)\text{-partition} : \forall\phi' \in \Phi : u \xrightarrow{a,\gamma',\delta',x'} u',\ \phi' \Rightarrow \gamma',\ (t',u',\phi'{\downarrow}xx'{\Uparrow}) \in S$
[ By (2.1) ρ |= φ and by (2.2) ρ |= γ, hence ρ |= φ ∧ γ. Since Φ is a (φ ∧ γ)-partition, ρ |= φ′ for some φ′ ∈ Φ. Finally, since φ′ ⇒ γ′, ρ |= γ′ also holds. ]
⇒ {by observation}
$u \xrightarrow{a,\gamma',\delta',x'} u',\ \rho \models \gamma',\ \rho \models \phi'$, and $(t',u',\phi'{\downarrow}xx'{\Uparrow}) \in S$
⇒ {by A1∇, def. of ↓xx′, and Fact 2.1.4}
$(u,D)\rho \xrightarrow{a} (u',\emptyset)\rho\{xx' := 0\},\ \rho\{x' := 0\} \models \phi'{\downarrow}xx'{\Uparrow}$, and $(t',u',\phi'{\downarrow}xx'{\Uparrow}) \in S$
⇒ {by (2.1)}
$(u,D)\rho \xrightarrow{a} (u',\emptyset)\rho\{x' := 0\}$ and $((t',\emptyset)\rho\{xx' := 0\}, (u',\emptyset)\rho\{xx' := 0\}) \in R$
⇒ {by def. of reset}
$(u,D)\rho \xrightarrow{a} (u',\emptyset)\rho\{x' := 0\}$ and $((t',\emptyset)\rho\{x := 0\}, (u',\emptyset)\rho\{x' := 0\}) \in R$
delay transition:
$(t,D)\rho \xrightarrow{d} (t',D')\rho'$
⇒ {by A2∇}
$\forall d' < d : \rho + d' \models \neg dl(t,\mathcal{A}-D),\ t = t',\ D' = D$, and $\rho' = \rho + d$
[ By (2.1), ρ |= φ for some φ s.t. (t,u,φ) ∈ S. Moreover, by Fact 2.1.6, ρ + d′ |= φ for all d′ ≥ 0, in particular if d′ < d. As a consequence of prop. 4 in Def. 2.9, ρ + d′ |= dl(t,𝒜 − D) ⇔ dl(u,𝒜 − D). ]
⇒ {by observation}
$\forall d' < d : \rho + d' \models \neg dl(u,\mathcal{A}-D)$
⇒ {by A2∇}
$(u,D)\rho \xrightarrow{d} (u,D)(\rho + d)$
⇒ {by (2.1), since (t,u,φ) ∈ S and ρ + d |= φ (see previous observation)}
$(u,D)\rho \xrightarrow{d} (u,D)(\rho + d)$ and $((t,D)(\rho + d), (u,D)(\rho + d)) \in R$
drop transition: Notice that both $(t,D)\rho \xrightarrow{\nabla E} (t,D \cup E)\rho$ and $(u,D)\rho \xrightarrow{\nabla E} (u,D \cup E)\rho$, by A3. Moreover, since (t,u,φ) ∈ S and ρ |= φ, by (2.1), ((t,D ∪ E)ρ, (u,D ∪ E)ρ) ∈ R.
undrop transition: Similarly, $(t,D)\rho \xrightarrow{\Delta} (t,\emptyset)\rho$ and $(u,D)\rho \xrightarrow{\Delta} (u,\emptyset)\rho$, by A4. Moreover, since (t,u,φ) ∈ S and ρ |= φ, by (2.1), ((t,∅)ρ, (u,∅)ρ) ∈ R.
(⇐) We prove that the relation
$$S = \{(t,u,\phi) \mid \phi \text{ is } {\Uparrow}\text{-closed and } \forall\psi \in \mathcal{RC}(\phi) : \exists\rho : \rho \models \psi : (t,\emptyset)\rho \sim (u,\emptyset)\rho\} \qquad (2.3)$$
is a symbolic bisimulation. Since ∼ is symmetric, S satisfies prop. 1 of
Def. 2.9 and by definition, it satisfies prop. 2 as well. In the following we
prove that S also satisfies properties 3 and 4 in Def. 2.9.
Property 3:
$t \xrightarrow{a,\gamma,\delta,x} t'$ and (t,u,φ) ∈ S
⇒ {by (2.3)}
$t \xrightarrow{a,\gamma,\delta,x} t'$ and $\forall\psi \in \mathcal{RC}(\phi) : \exists\rho : \rho \models \psi : (t,\emptyset)\rho \sim (u,\emptyset)\rho$
[ Take $\Phi = \mathcal{RC}(\phi \wedge \gamma)$. Notice that it is a (φ ∧ γ)-partition and that $\Phi \subseteq \mathcal{RC}(\phi)$ by Fact 2.1.2. Then ψ ⇒ γ for all ψ ∈ Φ. ]
⇒ {by observation}
$t \xrightarrow{a,\gamma,\delta,x} t'$ and $\forall\psi \in \Phi : \exists\rho : \rho \models \psi : (t,\emptyset)\rho \sim (u,\emptyset)\rho \wedge \rho \models \gamma$
⇒ {by A1∇}
$\forall\psi \in \Phi : \exists\rho : \rho \models \psi : (t,\emptyset)\rho \sim (u,\emptyset)\rho$ and $(t,\emptyset)\rho \xrightarrow{a} (t',\emptyset)\rho\{x := 0\}$
⇒ {∼ is a bisimulation}
$\forall\psi \in \Phi : \exists\rho : \rho \models \psi : (u,\emptyset)\rho \xrightarrow{a} (u',D)\rho'$ and $(t',\emptyset)\rho\{x := 0\} \sim (u',D)\rho'$
⇒ {by A1∇}
$\forall\psi \in \Phi : \exists\rho : \rho \models \psi : u \xrightarrow{a,\gamma',\delta',x'} u',\ \rho \models \gamma',\ D = \emptyset,\ \rho' = \rho\{x' := 0\}$, and $(t',\emptyset)\rho\{x := 0\} \sim (u',\emptyset)\rho\{x' := 0\}$
[ Since ρ |= ψ and ρ |= γ′, ψ ∧ γ′ is not a contradiction and hence ψ ⇒ γ′ by Fact 2.1.2. ]
⇒ {by observation}
$\forall\psi \in \Phi : \exists\rho : \rho \models \psi : u \xrightarrow{a,\gamma',\delta',x'} u',\ \psi \Rightarrow \gamma'$, and $(t',\emptyset)\rho\{x := 0\} \sim (u',\emptyset)\rho\{x' := 0\}$
⇒ {by def. of reset}
$\forall\psi \in \Phi : u \xrightarrow{a,\gamma',\delta',x'} u',\ \psi \Rightarrow \gamma'$, and $\exists\rho : \rho \models \psi : (t',\emptyset)\rho\{xx' := 0\} \sim (u',\emptyset)\rho\{xx' := 0\}$
⇒ {by def. of ↓xx′}
$\forall\psi \in \Phi : u \xrightarrow{a,\gamma',\delta',x'} u',\ \psi \Rightarrow \gamma'$, and $\exists\rho : \rho\{xx' := 0\} \models \psi{\downarrow}xx' : (t',\emptyset)\rho\{xx' := 0\} \sim (u',\emptyset)\rho\{xx' := 0\}$
⇒ {by Lemma 2.3, since ψ↓xx′ is a region by Fact 2.1.3}
$\forall\psi \in \Phi : u \xrightarrow{a,\gamma',\delta',x'} u',\ \psi \Rightarrow \gamma'$, and $\exists\rho : \forall\xi \in \mathcal{RC}(\psi{\downarrow}xx'{\Uparrow}) : \exists d \ge 0 : (\rho\{xx' := 0\} + d) \models \xi$ and $(t',\emptyset)\rho\{xx' := 0\} \sim (u',\emptyset)\rho\{xx' := 0\}$
⇒ {by Lemma 2.1 and logic}
$\forall\psi \in \Phi : u \xrightarrow{a,\gamma',\delta',x'} u',\ \psi \Rightarrow \gamma'$, and $\forall\xi \in \mathcal{RC}(\psi{\downarrow}xx'{\Uparrow}) : \exists\rho : \exists d \ge 0 : (\rho\{xx' := 0\} + d) \models \xi$ and $(t',\emptyset)(\rho\{xx' := 0\} + d) \sim (u',\emptyset)(\rho\{xx' := 0\} + d)$
⇒ {taking ρ′ = ρ{xx′ := 0} + d}
$\forall\psi \in \Phi : u \xrightarrow{a,\gamma',\delta',x'} u',\ \psi \Rightarrow \gamma'$, and $\forall\xi \in \mathcal{RC}(\psi{\downarrow}xx'{\Uparrow}) : \exists\rho' : \rho' \models \xi$ and $(t',\emptyset)\rho' \sim (u',\emptyset)\rho'$
⇒ {by (2.3), since ψ↓xx′⇑ is ⇑-closed}
$\forall\psi \in \Phi : u \xrightarrow{a,\gamma',\delta',x'} u',\ \psi \Rightarrow \gamma'$, and $(t',u',\psi{\downarrow}xx'{\Uparrow}) \in S$
Property 4:
(t,u,φ) ∈ S
⇒ {by (2.3)}
$\forall\psi \in \mathcal{RC}(\phi) : \exists\rho : \rho \models \psi : (t,\emptyset)\rho \sim (u,\emptyset)\rho$
⇒ {by Lemma 2.2}
$\forall\psi \in \mathcal{RC}(\phi) : \exists\rho : \rho \models \psi : \forall D \subseteq \mathcal{A} : \rho \models dl(t,D) \Leftrightarrow dl(u,D)$
[ ρ |= ψ and ρ |= dl(t,D) ⇔ dl(u,D) implies ψ ∧ (dl(t,D) ⇔ dl(u,D)) is not a contradiction. ]
⇒ {by Fact 2.1.2 and previous observation}
$\forall\psi \in \mathcal{RC}(\phi) : \forall D \subseteq \mathcal{A} : \psi \Rightarrow (dl(t,D) \Leftrightarrow dl(u,D))$
⇒ {by logic, using the fact that $\phi \Leftrightarrow \bigvee\mathcal{RC}(\phi)$}
$\forall D \subseteq \mathcal{A} : \phi \Rightarrow (dl(t,D) \Leftrightarrow dl(u,D))$
□
Corollary 2.1 Let $\phi_0 \equiv \bigwedge_{x,y \in C_1 \cup C_2} (0 \le x = y)$. $T_1 \sim^{\phi_0} T_2$ iff $T_1 \sim_\nabla T_2$.
2.5 The Coarsest Congruence Included in ∼
In this section, we shall show that ∼φ0 (and hence ∼∇, too) is the coarsest
congruence for the parallel composition included in bisimulation. The first
part of the section is devoted to proving that ∼φ0 is a congruence. It is in-
teresting to notice that the proof of congruence is carried out fully at the
symbolic level (in contrast to the usual proof using the underlying transi-
tion system). To the best of our knowledge, this is a novel approach. In the
second part we show that ∼∇ is the coarsest congruence included in ∼.
The next two lemmas are required for the proof of congruence. Lemma
2.4 implies that a deadline of a set of actions can be decomposed as a dis-
junction of the deadlines of each of the actions. Lemma 2.5 states that if
two locations t and u are symbolically bisimilar under a constraint φ, then
a given action a is enabled in t if and only if it is enabled in u for all val-
uations that satisfy constraint φ. In particular, these lemmas are needed
to check that property 4 of the symbolic bisimulation is preserved in the
congruence.
Lemma 2.4 $dl(s, D \cup E) \Leftrightarrow (dl(s,D) \vee dl(s,E))$
Lemma 2.5 Define $gd(s,a) = \bigvee\{\gamma \mid s \xrightarrow{a,\gamma,\delta,x} s' \text{ for some } \delta, x, s'\}$. If S is a symbolic bisimulation s.t. (t,u,φ) ∈ S, then φ ⇒ (gd(t,a) ⇔ gd(u,a)) is valid for all a ∈ 𝒜.
Proof: Let S be a symbolic bisimulation with (t,u,φ) ∈ S. By symmetry (property 1, Def. 2.9), it suffices to show that φ ⇒ (gd(t,a) ⇒ gd(u,a)). By definition of gd, this follows from the claim that, for all γ such that $t \xrightarrow{a,\gamma,\delta,x} t'$, φ ⇒ (γ ⇒ gd(u,a)) (that is, (φ ∧ γ) ⇒ gd(u,a)), which is what we prove in the following.
$t \xrightarrow{a,\gamma,\delta,x} t'$
⇒ {by prop. 3 in Def. 2.9, since (t,u,φ) ∈ S}
$\exists\Phi : \Phi \text{ is a } (\phi \wedge \gamma)\text{-partition} : \forall\phi' \in \Phi : u \xrightarrow{a,\gamma',\delta',x'} u'$ and $\phi' \Rightarrow \gamma'$
⇒ {γ′ ⇒ gd(u,a) by def. of gd}
$\exists\Phi : \Phi \text{ is a } (\phi \wedge \gamma)\text{-partition} : \forall\phi' \in \Phi : \phi' \Rightarrow gd(u,a)$
⇒ {$(\phi \wedge \gamma) \Leftrightarrow \bigvee\Phi$}
(φ ∧ γ) ⇒ gd(u,a)
□
Now we are in a position to prove that ∼φ is a congruence for any parallel composition defined as in Sec. 2.2. In particular, we notice that the proof does not use constraints 1 and 4 imposed on ⊗.
Theorem 2.2 Let $T^j_i = (L^j_i, l^j_{0i}, C^j_i, \rightarrow)$ for $i, j \in \{1,2\}$, such that $C^j_i \cap C^l_k = \emptyset$ if $i \neq k$ or $j \neq l$. Then $T^1_1 \sim^{\phi} T^1_2$ and $T^2_1 \sim^{\phi} T^2_2$ imply $T^1_1 \|^{\otimes}_B T^2_1 \sim^{\phi} T^1_2 \|^{\otimes}_B T^2_2$ for all $B \subseteq \mathcal{A}$, operation ⊗ and constraint φ.
Proof: Let S1 and S2 be two symbolic bisimulations that witness $T^1_1 \sim^{\phi} T^1_2$ and $T^2_1 \sim^{\phi} T^2_2$ respectively. Define
$$S = \{((t_1,t_2), (u_1,u_2), \phi_1 \wedge \phi_2) \mid (t_1,u_1,\phi_1) \in S_1 \text{ and } (t_2,u_2,\phi_2) \in S_2\} \qquad (2.4)$$
We prove that S is also a symbolic bisimulation, from which the theorem follows. For this, we check that ((t1,t2), (u1,u2), φ1 ∧ φ2) ∈ S, obtained as in (2.4), satisfies the four properties in Def. 2.9. Property 1 is immediate since S1 and S2 also satisfy it. So is property 2: since φ1 and φ2 are ⇑-closed, so is φ1 ∧ φ2 by Fact 2.1.7. We proceed to check the remaining two properties.
Property 3: Suppose $(t_1,t_2) \xrightarrow{a,\gamma,\delta,x} (t'_1,t'_2)$. Then three cases arise.
Case: a ∉ B with $t_1 \xrightarrow{a,\gamma,\delta,x} t'_1$ and $t'_2 = t_2$
$t_1 \xrightarrow{a,\gamma,\delta,x} t'_1$
⇒ {by prop. 3 in Def. 2.9, since (t1,u1,φ1) ∈ S1}
$\exists\Phi : \Phi \text{ is a } (\phi_1 \wedge \gamma)\text{-partition} : \forall\phi \in \Phi : u_1 \xrightarrow{a,\gamma',\delta',x'} u'_1,\ \phi \Rightarrow \gamma'$, and $(t'_1,u'_1,\phi{\downarrow}xx'{\Uparrow}) \in S_1$
⇒ {by def. of $\|^{\otimes}_B$}
$\exists\Phi : \Phi \text{ is a } (\phi_1 \wedge \gamma)\text{-partition} : \forall\phi \in \Phi : (u_1,u_2) \xrightarrow{a,\gamma',\delta',x'} (u'_1,u_2),\ \phi \Rightarrow \gamma'$, and $(t'_1,u'_1,\phi{\downarrow}xx'{\Uparrow}) \in S_1$
⇒ {by (2.4) and since φ ⇒ γ′ implies (φ ∧ φ2) ⇒ γ′}
$\exists\Phi : \Phi \text{ is a } (\phi_1 \wedge \gamma)\text{-partition} : \forall\phi \in \Phi : (u_1,u_2) \xrightarrow{a,\gamma',\delta',x'} (u'_1,u_2),\ (\phi \wedge \phi_2) \Rightarrow \gamma'$, and $((t'_1,t_2), (u'_1,u_2), (\phi{\downarrow}xx'{\Uparrow} \wedge \phi_2)) \in S$
[ Notice that clocks in xx′ are not manipulated by automata $T^2_1$ and $T^2_2$ and hence are irrelevant in φ2. W.l.o.g. we can therefore assume that $\phi_2 \Rightarrow \bigwedge\{x \ge 0 \mid x \in xx'\}$. Consequently $\phi_2{\downarrow}xx'{\Uparrow} = \phi_2$ since φ2 is ⇑-closed. (†) ]
⇒ {Fact 2.1.7 and observation}
$\exists\Phi : \Phi \text{ is a } (\phi_1 \wedge \gamma)\text{-partition} : \forall\phi \in \Phi : (u_1,u_2) \xrightarrow{a,\gamma',\delta',x'} (u'_1,u_2),\ (\phi \wedge \phi_2) \Rightarrow \gamma'$, and $((t'_1,t_2), (u'_1,u_2), (\phi \wedge \phi_2){\downarrow}xx'{\Uparrow}) \in S$
[ Take Φ′ = {φ ∧ φ2 | φ ∈ Φ}. Then Φ′ is a (φ1 ∧ φ2 ∧ γ)-partition. ]
⇒ {by observation, taking φ′ = φ ∧ φ2}
$\exists\Phi' : \Phi' \text{ is a } (\phi_1 \wedge \phi_2 \wedge \gamma)\text{-partition} : \forall\phi' \in \Phi' : (u_1,u_2) \xrightarrow{a,\gamma',\delta',x'} (u'_1,u_2),\ \phi' \Rightarrow \gamma'$, and $((t'_1,t_2), (u'_1,u_2), \phi'{\downarrow}xx'{\Uparrow}) \in S$
Case: a ∉ B with $t_2 \xrightarrow{a,\gamma,\delta,x} t'_2$ and $t'_1 = t_1$. Symmetric to the previous case.
Case: a ∈ B with $t_1 \xrightarrow{a,\gamma_1,\delta_1,x_1} t'_1$, $t_2 \xrightarrow{a,\gamma_2,\delta_2,x_2} t'_2$, γ ≡ γ1 ∧ γ2, and δ ≡ (δ1,γ1) ⊗ (δ2,γ2)
$t_1 \xrightarrow{a,\gamma_1,\delta_1,x_1} t'_1$ and $t_2 \xrightarrow{a,\gamma_2,\delta_2,x_2} t'_2$
⇒ {by prop. 3 in Def. 2.9, since (t1,u1,φ1) ∈ S1 and (t2,u2,φ2) ∈ S2}
$\exists\Phi_1 : \Phi_1 \text{ is a } (\phi_1 \wedge \gamma_1)\text{-partition} : \forall\phi'_1 \in \Phi_1 : u_1 \xrightarrow{a,\gamma'_1,\delta'_1,x'_1} u'_1,\ \phi'_1 \Rightarrow \gamma'_1$, and $(t'_1,u'_1,\phi'_1{\downarrow}x_1x'_1{\Uparrow}) \in S_1$
and
$\exists\Phi_2 : \Phi_2 \text{ is a } (\phi_2 \wedge \gamma_2)\text{-partition} : \forall\phi'_2 \in \Phi_2 : u_2 \xrightarrow{a,\gamma'_2,\delta'_2,x'_2} u'_2,\ \phi'_2 \Rightarrow \gamma'_2$, and $(t'_2,u'_2,\phi'_2{\downarrow}x_2x'_2{\Uparrow}) \in S_2$
⇒ {logic and notation}
$\exists\Phi_1,\Phi_2 : \Phi_i \text{ is a } (\phi_i \wedge \gamma_i)\text{-partition, for } i = 1,2 : \forall\phi'_1 \in \Phi_1, \phi'_2 \in \Phi_2 :$
$u_1 \xrightarrow{a,\gamma'_1,\delta'_1,x'_1} u'_1,\ \phi'_1 \Rightarrow \gamma'_1,\ (t'_1,u'_1,\phi'_1{\downarrow}x_1x'_1{\Uparrow}) \in S_1$,
$u_2 \xrightarrow{a,\gamma'_2,\delta'_2,x'_2} u'_2,\ \phi'_2 \Rightarrow \gamma'_2$, and $(t'_2,u'_2,\phi'_2{\downarrow}x_2x'_2{\Uparrow}) \in S_2$
[ φ′1 ⇒ γ′1 and φ′2 ⇒ γ′2 imply (φ′1 ∧ φ′2) ⇒ (γ′1 ∧ γ′2). Besides, $(\phi'_1{\downarrow}x_1x'_1{\Uparrow}) \wedge (\phi'_2{\downarrow}x_2x'_2{\Uparrow}) \Leftrightarrow (\phi'_1 \wedge \phi'_2){\downarrow}x_1x_2x'_1x'_2{\Uparrow}$ because of Fact 2.1.7 and by observation (†) in the previous case, since clocks in $x_ix'_i$ do not appear in $\phi'_j$ for i ≠ j. ]
⇒ {by def. of $\|^{\otimes}_B$, (2.4), and observation, taking $\delta' \equiv (\delta'_1,\gamma'_1) \otimes (\delta'_2,\gamma'_2)$}
$\exists\Phi_1,\Phi_2 : \Phi_i \text{ is a } (\phi_i \wedge \gamma_i)\text{-partition, for } i = 1,2 : \forall\phi'_1 \in \Phi_1, \phi'_2 \in \Phi_2 : (u_1,u_2) \xrightarrow{a,\gamma'_1 \wedge \gamma'_2,\delta',x'_1x'_2} (u'_1,u'_2),\ (\phi'_1 \wedge \phi'_2) \Rightarrow (\gamma'_1 \wedge \gamma'_2)$, and $((t'_1,t'_2), (u'_1,u'_2), (\phi'_1 \wedge \phi'_2){\downarrow}x_1x_2x'_1x'_2{\Uparrow}) \in S$
[ Take Φ = {φ′1 ∧ φ′2 | φ′1 ∈ Φ1 and φ′2 ∈ Φ2}. Notice that Φ is a (φ1 ∧ φ2 ∧ γ1 ∧ γ2)-partition. ]
⇒ {by observation, taking φ′ = φ′1 ∧ φ′2}
$\exists\Phi : \Phi \text{ is a } (\phi_1 \wedge \phi_2 \wedge \gamma_1 \wedge \gamma_2)\text{-partition} : \forall\phi' \in \Phi : (u_1,u_2) \xrightarrow{a,\gamma'_1 \wedge \gamma'_2,\delta',x'_1x'_2} (u'_1,u'_2),\ \phi' \Rightarrow (\gamma'_1 \wedge \gamma'_2)$, and $((t'_1,t'_2), (u'_1,u'_2), \phi'{\downarrow}x_1x_2x'_1x'_2{\Uparrow}) \in S$
Property 4: We have to show that
φ1 ∧ φ2 ⇒ (dl((t1,t2),A) ⇔ dl((u1,u2),A)) for all A ⊆ 𝒜.
By Lemma 2.4, it suffices to prove that
(φ1 ∧ φ2) ⇒ (dl((t1,t2),{a}) ⇔ dl((u1,u2),{a})).
Therefore, the following calculations are under the hypothesis that φ1 ∧ φ2 holds. We consider two different cases.
case: a ∉ B
dl((t1,t2),{a})
⇔ {def. of dl}
$\bigvee\{\delta \mid (t_1,t_2) \xrightarrow{a,\gamma,\delta,x} (t'_1,t'_2) \text{ for some } \gamma, x, t'_1, t'_2\}$
⇔ {def. $\|^{\otimes}_B$ with a ∉ B}
$\bigvee\{\delta \mid t_1 \xrightarrow{a,\gamma,\delta,x} t'_1 \text{ for some } \gamma, x, t'_1\} \;\vee\; \bigvee\{\delta \mid t_2 \xrightarrow{a,\gamma,\delta,x} t'_2 \text{ for some } \gamma, x, t'_2\}$
⇔ {def. of dl}
dl(t1,{a}) ∨ dl(t2,{a})
[ By (2.4), (ti,ui,φi) ∈ Si, from which φi ⇒ (dl(ti,{a}) ⇔ dl(ui,{a})) by prop. 4 in Def. 2.9, for i = 1,2. ]
⇔ {by observation, recalling that we assume φ1 ∧ φ2 holds}
dl(u1,{a}) ∨ dl(u2,{a})
⇔ {reasoning as before}
dl((u1,u2),{a})
case: a ∈ B
dl((t1,t2),{a})
⇔ {def. of dl}
$\bigvee\{\delta \mid (t_1,t_2) \xrightarrow{a,\gamma,\delta,x} (t'_1,t'_2) \text{ for some } \gamma, x, t'_1, t'_2\}$
⇔ {def. $\|^{\otimes}_B$ and a ∈ B}
$\bigvee\{(\delta_1,\gamma_1) \otimes (\delta_2,\gamma_2) \mid t_1 \xrightarrow{a,\gamma_1,\delta_1,x_1} t'_1 \text{ and } t_2 \xrightarrow{a,\gamma_2,\delta_2,x_2} t'_2 \text{ for some } x_1, x_2, t'_1, t'_2\}$
⇔ {change of notation and logic}
$\bigvee_{t_1 \xrightarrow{a,\gamma_1,\delta_1,x_1} t'_1}\ \bigvee_{t_2 \xrightarrow{a,\gamma_2,\delta_2,x_2} t'_2} (\delta_1,\gamma_1) \otimes (\delta_2,\gamma_2)$
⇔ {⊗ distributes w.r.t. ∨}
$\Big(\bigvee_{t_1 \xrightarrow{a,\gamma_1,\delta_1,x_1} t'_1} \delta_1,\ \bigvee_{t_1 \xrightarrow{a,\gamma_1,\delta_1,x_1} t'_1} \gamma_1\Big) \otimes \Big(\bigvee_{t_2 \xrightarrow{a,\gamma_2,\delta_2,x_2} t'_2} \delta_2,\ \bigvee_{t_2 \xrightarrow{a,\gamma_2,\delta_2,x_2} t'_2} \gamma_2\Big)$
⇔ {def. of dl and gd}
$(dl(t_1,\{a\}), gd(t_1,a)) \otimes (dl(t_2,\{a\}), gd(t_2,a))$
[ By (2.4), (ti,ui,φi) ∈ Si, from which φi ⇒ (dl(ti,{a}) ⇔ dl(ui,{a})) by prop. 4 in Def. 2.9, and φi ⇒ (gd(ti,a) ⇔ gd(ui,a)) by Lemma 2.5, for i = 1,2. ]
⇔ {by observation and cond. 2 of ⊗, recalling that we assume φ1 ∧ φ2 holds}
$(dl(u_1,\{a\}), gd(u_1,a)) \otimes (dl(u_2,\{a\}), gd(u_2,a))$
⇔ {reasoning as before}
dl((u1,u2),{a})
□
Because of Corollary 2.1 and Theorem 2.2, ∼∇ is also a congruence.
The next lemma is core to the proof that ∼∇ is the coarsest congruence
included in ∼. We notice that it does not use constraints 1, 2, and 3 im-
posed on ⊗. The lemma exhibits a test automaton Tt that distinguishes,
modulo bisimulation, two automata that are not ∇-bisimilar. Automaton
Tt is built by adding extra actions in such a way that, when composed with
an automaton T , the composition can mimic in the original semantics the
behavior of T in the extended semantics. In fact, the extra actions are the
same drop (∇D) and undrop (∆) actions of the extended semantics.
Definition 2.10 The test automaton $T_t = (L_t, l_{0t}, C_t, \rightarrow)$ is a TAD with
• set of locations $L_t = \{s_D \mid D \subseteq \mathcal{A}\}$,
• initial location $l_{0t} = \{s_\emptyset\}$,
• set of clocks $C_t = \emptyset$ and,
• for all D, D′ ⊆ 𝒜, a ∉ D, define
  – $s_D \xrightarrow{a,\,tt,\,0_\delta,\,\emptyset} s_\emptyset$,
  – $s_D \xrightarrow{\nabla D',\,tt,\,ff,\,\emptyset} s_{D \cup D'}$, and
  – $s_D \xrightarrow{\Delta,\,tt,\,ff,\,\emptyset} s_\emptyset$.
Lemma 2.6 Let T1 and T2 be TADs with sets of locations L1 and L2 respectively. Let Tt be a test automaton. Suppose that $T_1 \|^{\otimes}_{\mathcal{A}} T_t \sim T_2 \|^{\otimes}_{\mathcal{A}} T_t$. Then
$$R = \{((t_1,D)\rho_1, (t_2,D)\rho_2) \mid t_1 \in L_1,\ t_2 \in L_2,\ s_D \in L_t, \text{ and } (t_1,s_D)\rho_1 \sim (t_2,s_D)\rho_2\}$$
is a bisimulation relation that witnesses T1 ∼∇ T2.
Proof: The proof of the lemma is fairly straightforward except in the case of the delay transition. Notice that a delay transition from (t,D) is governed by satisfaction of ¬dl(t,𝒜 − D) (by A2∇), while in (t,s_D) it is governed by tpc(t,s_D). To prove that both predicates are equivalent it is necessary that $(0_\delta, tt)$ is neutral for ⊗. We show that the relation
$$R = \{((t_1,D)\rho_1, (t_2,D)\rho_2) \mid t_1 \in L_1,\ t_2 \in L_2,\ s_D \in L_t, \text{ and } (t_1,s_D)\rho_1 \sim (t_2,s_D)\rho_2\} \qquad (2.5)$$
is a bisimulation that witnesses T1 ∼∇ T2. First notice that for every initial location $t_{01}$ of T1 there is an initial location $t_{02}$ of T2 such that $(t_{01},s_\emptyset)(C_1 \mapsto 0) \sim (t_{02},s_\emptyset)(C_2 \mapsto 0)$. Then $((t_{01},\emptyset)(C_1 \mapsto 0), (t_{02},\emptyset)(C_2 \mapsto 0)) \in R$. Similarly, for every initial location $t_{02}$ of T2 there is an initial location $t_{01}$ of T1 such that $((t_{01},\emptyset)(C_1 \mapsto 0), (t_{02},\emptyset)(C_2 \mapsto 0)) \in R$. Then, provided R is a bisimulation, T1 ∼∇ T2.
Notice, besides, that R is symmetric by symmetry of ∼. We proceed to
prove the transfer property by doing case analysis on the type of edge.
discrete transition:
$(t_1,D)\rho_1 \xrightarrow{a} (t'_1,D')\rho'_1$
⇒ {by A1∇}
$\exists\gamma_1,\delta_1,x_1 : t_1 \xrightarrow{a,\gamma_1,\delta_1,x_1} t'_1,\ D' = \emptyset,\ \rho'_1 = \rho_1\{x_1 := 0\}$, and $\rho_1 \models \gamma_1$
⇒ {by def. of $\|^{\otimes}_{\mathcal{A}}$ and def. of Tt}
$\exists\gamma_1,\delta_1,x_1 : (t_1,s_D) \xrightarrow{\Delta,tt,ff,\emptyset} (t_1,s_\emptyset) \xrightarrow{a,\gamma_1,(\delta_1,\gamma_1)\otimes(0_\delta,tt),x_1} (t'_1,s_\emptyset)$ and $\rho_1 \models \gamma_1$
⇒ {by A1}
$(t_1,s_D)\rho_1 \xrightarrow{\Delta} (t_1,s_\emptyset)\rho_1 \xrightarrow{a} (t'_1,s_\emptyset)\rho_1\{x_1 := 0\}$
⇒ {$(t_1,s_D)\rho_1 \sim (t_2,s_D)\rho_2$}
$(t_2,s_D)\rho_2 \xrightarrow{\Delta} (t''_2,s_{D''})\rho''_2$, $(t_1,s_\emptyset)\rho_1 \sim (t''_2,s_{D''})\rho''_2$, and $(t_1,s_\emptyset)\rho_1 \xrightarrow{a} (t'_1,s_\emptyset)\rho_1\{x_1 := 0\}$
⇒ {$(t_1,s_\emptyset)\rho_1 \sim (t''_2,s_{D''})\rho''_2$}
$(t_2,s_D)\rho_2 \xrightarrow{\Delta} (t''_2,s_{D''})\rho''_2 \xrightarrow{a} (t'_2,s_{D'''})\rho'_2$, and $(t'_1,s_\emptyset)\rho_1\{x_1 := 0\} \sim (t'_2,s_{D'''})\rho'_2$
⇒ {by A1∇}
$\exists\gamma,\delta,x : (t_2,s_D) \xrightarrow{\Delta,\gamma,\delta,x} (t''_2,s_{D''}),\ \rho_2 \models \gamma,\ \rho''_2 = \rho_2\{x := 0\},\ (t''_2,s_{D''})\rho_2\{x := 0\} \xrightarrow{a} (t'_2,s_{D'''})\rho'_2$, and $(t'_1,s_\emptyset)\rho_1\{x_1 := 0\} \sim (t'_2,s_{D'''})\rho'_2$
⇒ {γ = tt, δ = ff, x = ∅, D′′ = ∅, and t′′2 = t2, by defs. of $\|^{\otimes}_{\mathcal{A}}$ and Tt}
$(t_2,s_D) \xrightarrow{\Delta,tt,ff,\emptyset} (t_2,s_\emptyset)$, $(t_2,s_\emptyset)\rho_2 \xrightarrow{a} (t'_2,s_{D'''})\rho'_2$, and $(t'_1,s_\emptyset)\rho_1\{x_1 := 0\} \sim (t'_2,s_{D'''})\rho'_2$
⇒ {by A1∇}
$\exists\gamma_2,\delta_2,x_2 : (t_2,s_\emptyset) \xrightarrow{a,\gamma_2,\delta_2,x_2} (t'_2,s_{D'''}),\ \rho'_2 = \rho_2\{x_2 := 0\},\ \rho_2 \models \gamma_2$, and $(t'_1,s_\emptyset)\rho_1\{x_1 := 0\} \sim (t'_2,s_{D'''})\rho_2\{x_2 := 0\}$
⇒ {by def. of $\|^{\otimes}_{\mathcal{A}}$ and def. of Tt}
$\exists\gamma_2,\delta_2,x_2 : t_2 \xrightarrow{a,\gamma_2,\delta_2,x_2} t'_2,\ D''' = \emptyset,\ \rho_2 \models \gamma_2$, and $(t'_1,s_\emptyset)\rho_1\{x_1 := 0\} \sim (t'_2,s_\emptyset)\rho_2\{x_2 := 0\}$
⇒ {by A1∇ and (2.5)}
$(t_2,D)\rho_2 \xrightarrow{a} (t'_2,\emptyset)\rho_2\{x_2 := 0\}$, and $(t'_1,\emptyset)\rho_1\{x_1 := 0\} \sim (t'_2,\emptyset)\rho_2\{x_2 := 0\}$
delay transition: We first notice that
$\neg dl(t,\mathcal{A}-D) = \neg\bigvee\{\delta \mid t \xrightarrow{a,\gamma,\delta,x} t' \text{ and } a \in \mathcal{A}-D \text{ for some } \gamma, x, t'\}$
[ Recall that $s_D \xrightarrow{a,\gamma',\delta',x'} s'$ implies a ∈ 𝒜 − D, γ′ = tt, δ′ = 0δ, and s′ = s∅, and that (0δ,tt) is neutral for ⊗. By def. of $\|^{\otimes}_{\mathcal{A}}$ we obtain: ]
$= \neg\bigvee\{\delta \mid (t,s_D) \xrightarrow{a,\gamma,\delta,x} (t',s_\emptyset) \text{ for some } \gamma, x, t'\}$
$= tpc(t,s_D)$ (2.6)
Now we calculate:
$(t_1,D)\rho_1 \xrightarrow{d} (t'_1,D')\rho'_1$
⇒ {by A2∇}
$\forall d' < d : \rho_1 + d' \models \neg dl(t_1,\mathcal{A}-D),\ t'_1 = t_1,\ D' = D$, and $\rho'_1 = \rho_1 + d$
⇒ {by (2.6)}
$\forall d' < d : \rho_1 + d' \models tpc(t_1,s_D)$ and $\rho'_1 = \rho_1 + d$
⇒ {by A2}
$(t_1,s_D)\rho_1 \xrightarrow{d} (t_1,s_D)(\rho_1 + d)$
⇒ {$(t_1,s_D)\rho_1 \sim (t_2,s_D)\rho_2$}
$(t_2,s_D)\rho_2 \xrightarrow{d} (t'_2,s_{D''})\rho'_2$ and $(t_1,s_D)(\rho_1 + d) \sim (t'_2,s_{D''})\rho'_2$
⇒ {by A2}
$\forall d' < d : \rho_2 + d' \models tpc(t_2,s_D),\ t'_2 = t_2,\ D'' = D,\ \rho'_2 = \rho_2 + d$, and $(t_1,s_D)(\rho_1 + d) \sim (t_2,s_D)(\rho_2 + d)$
⇒ {by (2.6)}
$\forall d' < d : \rho_2 + d' \models \neg dl(t_2,\mathcal{A}-D)$ and $(t_1,s_D)(\rho_1 + d) \sim (t_2,s_D)(\rho_2 + d)$
⇒ {by A2∇ and (2.5)}
$(t_2,D)\rho_2 \xrightarrow{d} (t_2,D)(\rho_2 + d)$ and $(t_1,D)(\rho_1 + d) \sim (t_2,D)(\rho_2 + d)$
drop transition:
$(t_1,D)\rho_1 \xrightarrow{\nabla E} (t'_1,D')\rho'_1$
⇒ {by A3}
D′ = D ∪ E, ρ′1 = ρ1, and t′1 = t1
⇒ {by def. of $\|^{\otimes}_{\mathcal{A}}$ and def. of Tt}
$(t_1,s_D) \xrightarrow{\nabla E,tt,ff,\emptyset} (t_1,s_{D \cup E})$
⇒ {by A2}
$(t_1,s_D)\rho_1 \xrightarrow{\nabla E} (t_1,s_{D \cup E})\rho_1$
⇒ {$(t_1,s_D)\rho_1 \sim (t_2,s_D)\rho_2$}
$(t_2,s_D)\rho_2 \xrightarrow{\nabla E} (t'_2,s_{D'})\rho'_2$ and $(t_1,s_{D \cup E})\rho_1 \sim (t'_2,s_{D'})\rho'_2$
⇒ {by A2, def. of $\|^{\otimes}_{\mathcal{A}}$ and def. of Tt}
$(t_2,s_D) \xrightarrow{\nabla E,tt,ff,\emptyset} (t_2,s_{D \cup E}),\ t'_2 = t_2,\ D' = D \cup E,\ \rho'_2 = \rho_2$, and $(t_1,s_{D \cup E})\rho_1 \sim (t_2,s_{D \cup E})\rho_2$
⇒ {by A3 and (2.5)}
$(t_2,D)\rho_2 \xrightarrow{\nabla E} (t_2,D \cup E)\rho_2$ and $(t_1,D \cup E)\rho_1 \sim (t_2,D \cup E)\rho_2$
undrop transition:
$(t_1,D)\rho_1 \xrightarrow{\Delta} (t'_1,D')\rho'_1$
⇒ {by A4}
D′ = ∅, ρ′1 = ρ1, and t′1 = t1
⇒ {by def. of $\|^{\otimes}_{\mathcal{A}}$ and def. of Tt}
$(t_1,s_D) \xrightarrow{\Delta,tt,ff,\emptyset} (t_1,s_\emptyset)$
⇒ {by A2}
$(t_1,s_D)\rho_1 \xrightarrow{\Delta} (t_1,s_\emptyset)\rho_1$
⇒ {$(t_1,s_D)\rho_1 \sim (t_2,s_D)\rho_2$}
$(t_2,s_D)\rho_2 \xrightarrow{\Delta} (t'_2,s_{D'})\rho'_2$ and $(t_1,s_\emptyset)\rho_1 \sim (t'_2,s_{D'})\rho'_2$
⇒ {by A2, def. of $\|^{\otimes}_{\mathcal{A}}$ and def. of Tt}
$(t_2,s_D) \xrightarrow{\Delta,tt,ff,\emptyset} (t_2,s_\emptyset),\ t'_2 = t_2,\ D' = \emptyset,\ \rho'_2 = \rho_2$, and $(t_1,s_\emptyset)\rho_1 \sim (t_2,s_\emptyset)\rho_2$
⇒ {by A4 and (2.5)}
$(t_2,D)\rho_2 \xrightarrow{\Delta} (t_2,\emptyset)\rho_2$ and $(t_1,\emptyset)\rho_1 \sim (t_2,\emptyset)\rho_2$
□
From Lemma 2.6 it follows that ∼∇ and ∼φ0 are the coarsest congruence included in ∼.
Theorem 2.3 Fix ⊗ satisfying conditions 1 and 2 in Sec. 2.2. Then ∼∇ (and hence ∼φ0) is the coarsest congruence included in ∼ for the family of operators $\|^{\otimes}_B$, with B ⊆ 𝒜.
Proof: Define $\simeq_\otimes$ to be the coarsest congruence for parallel composition contained in ∼, that is $T_1 \simeq_\otimes T_2 \Leftrightarrow \forall T, B : T_1 \|^{\otimes}_B T \sim T_2 \|^{\otimes}_B T$. We show that $\sim_\nabla = \sim^{\phi_0} = \simeq_\otimes$.
The fact that $\sim_\nabla = \sim^{\phi_0} \subseteq \simeq_\otimes \subseteq \sim$ follows from Lemma 2.1, Corollary 2.1, Theorem 2.2 and the fact that $\simeq_\otimes$ is the coarsest congruence included in ∼.
For the other direction, that is $\simeq_\otimes \subseteq \sim^{\phi_0}$, notice that $T_1 \simeq_\otimes T_2$ implies $T_1 \|^{\otimes}_{\mathcal{A}} T_t \sim T_2 \|^{\otimes}_{\mathcal{A}} T_t$ with Tt as in Lemma 2.6. Using Lemma 2.6 we can conclude that T1 ∼∇ T2. □
2.6 Concluding Remarks
Remark on Deciding ∇-bisimulation.
Our symbolic characterisation is based on [LY02] and [Čerāns92]. In particular, [Čerāns92] states that bisimulation is decidable for timed automata. The same applies to our relation. Since the number of regions is finite, so is the number of (relevant) constraints (modulo logical equivalence) and, as a consequence, also the number of relevant ⇑-closed constraints. Therefore, any possible symbolic bisimulation relating two TADs will also be finite. Besides, the operations ↓x and ⇑ are expressible in terms of constraints, and it is possible to decide validity of the constraints on clocks. Following [Čerāns92], checking that two TADs T1 and T2 are ∇-bisimilar is then possible by taking the relation $S = \{(t,u,\phi{\Uparrow}) \mid \phi \in \mathcal{RC}(tt)\}$ (which is the finest partition possible since $\mathcal{RC}(tt)$ is the set of all regions) and checking that the transfer rules in Def. 2.9 hold for all tuples reachable from some set $I \subseteq (S \cap (ini_1 \times ini_2 \times \mathcal{RC}(\phi_0)))$ that relates all initial states of T1 (resp. T2) with some initial state of T2 (resp. T1).
Remark on Symbolic Bisimulation.
The third constraint in the definition of symbolic bisimulation (Def. 2.9) can be relaxed as follows:
whenever $t \xrightarrow{a,\gamma,\delta,x} t'$, there is a (φ ∧ γ)-partition Φ s.t. for each φ′ ∈ Φ, $u \xrightarrow{a,\gamma',\delta',y} u'$, φ′ ⇒ γ′, $\phi'{\downarrow}xy{\Uparrow} \Rightarrow \psi$, and (t′,u′,ψ) ∈ S, for some ψ, γ′, δ′, y and u′,
the difference being the existence of ψ such that φ′↓xy⇑ ⇒ ψ. It is not difficult to check that the new characterisation is equivalent to the original definition. This modification is important since it makes it possible to obtain smaller relations, because a tuple (t,u,φ) ∈ S is redundant if there is a different tuple (t,u,φ′) ∈ S such that φ ⇒ φ′.
Remark on Synchronising Constraints in Parallel Compositions.
In [BS00] the synchronisation of guards and deadlines of synchronising actions is defined by two operations which we call here ⊕ and ⊗ respectively. Some conditions are imposed on ⊕, and the only condition imposed on ⊗ is that (δ1,γ1) ⊗ (δ2,γ2) ⇒ (γ1 ⊕ γ2) whenever δ1 ⇒ γ1 and δ2 ⇒ γ2 ([BS00] also suggests that (δ1,γ1) ⊗ (δ2,γ2) ⇒ (δ1 ∨ δ2) should hold). We will only discuss here some particular examples that have recurred in the work of Sifakis et al. (see, e.g. [BST98, BS98a, BS00]). We first focus on the guard:
⊕ = ∧. This is the one we use and amounts to checking that both guards are enabled in order to enable the synchronised transition.
⊕ = ∨. The synchronised transition can execute if any of the partners can do so.
⊕ = max, where γ1 max γ2 = (γ1 ∧ γ2⇑) ∨ (γ2 ∧ γ1⇑). In this case, a component is willing to synchronise if the synchronising transition was enabled in the past and the other component is ready to synchronise now.
⊕ = min, where γ1 min γ2 = (γ1 ∧ γ2⇓) ∨ (γ2 ∧ γ1⇓), with ⇓ being the time predecessor operator (the dual of ⇑). In this case, the synchronised guard anticipates the execution of the synchronising transitions.
Our congruence relation only works for ∧. It is debatable how reasonable the other operations are. Synchronisation through ∨ is highly questionable. It is expected that automata T11 and T12 in Fig. 2.4 are equivalent under any reasonable criterion. Nevertheless, the composition $T_{11} \|^{\otimes}_{a} T'''$ can perform action a at any moment while $T_{12} \|^{\otimes}_{a} T'''$ cannot.
Under min, a component may anticipate the future behaviour of the
synchronising partner. [BST98] and [BS00] suggest that the intention of this
synchronisation is that the earliest synchronising transition makes irrele-
vant the second one (e.g. a tram leaves a crossing and after a while it signals
to allow the change of the traffic light though it may be ignored if the light
has already changed [BS00]). This intuition does not completely match the
behaviour of min which will speed up the slower component allowing it to
do activity otherwise impossible. This is observed when automaton T ′′′ is
composed with T13 and with T14 synchronising on a (see Fig. 2.4). Notice that T13 and T14 exhibit apparently equal behaviour since action a in T13 is always too late to execute b. However, the composition $T_{13} \|^{\otimes}_{a} T'''$ may hasten the synchronisation on a, making b apparent.
Dually, under max, an automaton may allow the execution of the synchronising action if it was enabled in the past. Notice that T15 and T16 in Fig. 2.4 exhibit equivalent behaviour: c cannot be executed in T15 since clock y is always set too early. Instead, the composition with T′′′′ synchronising on a will delay the execution long enough to set y sufficiently late to enable the c transition. The intention behind this form of synchronisation is that the fastest component can always wait for the slowest. This design choice seems adequate for use with soft deadlines. Notice also that the appearance of new activity is reasonable, since it may be important to cope with the occasional delay. What is debatable is the need for max, since this type of synchronisation can easily be represented using ∧: notice that the max synchronisation does not allow any test automaton to distinguish between γ and γ⇑. Hence, it is more reasonable to model this kind of synchronisation using ∧ instead of max and let all guards be ⇑-closed.
[Figure 2.4: T11 ∼∇ T12, T13 ∼∇ T14, and T15 ∼∇ T16 (automata T11 to T16, T′′′ and T′′′′; edges labelled a, b, c with guards γ : ff, γ : tt, γ : x ≤ 1, γ : x ≥ 5, γ : x ≥ 3 ∧ y ≤ 1, γ : z ≥ 3 and reset y := 0)]
With respect to deadlines, [BS00] is more liberal. The two types of synchronising deadlines that stand out are:
Patient synchronisation: (δ1,γ1) ⊗ (δ2,γ2) = δ1 ∧ δ2 with 0δ = tt, and
Impatient synchronisation: (δ1,γ1) ⊗ (δ2,γ2) = (δ1 ∨ δ2) ∧ (γ1 ∧ γ2) with 0δ = ff.
The nomenclature corresponds to [DHKK01], but these definitions were already introduced in [SY96] under the names flexible and stiff respectively. Patient synchronisation makes it possible to model soft deadlines, in the sense that one of the components is always willing to wait for the other (as long as its guards remain valid). On the other hand, impatient synchronisation imposes urgency and obliges execution as soon as both partners are ready to execute the synchronising transition. Both [SY96] and [DHKK01, BDHK04] give a weaker definition of impatient synchronisation: (δ1,γ1) ⊗ (δ2,γ2) = δ1 ∨ δ2. Taking 0δ = ff, our result is also valid for this definition. The only problem with it is that it does not preserve time reactivity, i.e. condition 1 on ⊗ (see Sec. 2.2) does not hold².
We finally mention that ∇-bisimulation is still a congruence for ||⊗B if
condition 4 on ⊗ is dropped. However, it is not the coarsest congruence in
∼ any longer. (This can easily be seen by taking (δ1, γ1)⊗ (δ2, γ2) = ff).
2To strictly model hard deadlines, this composition requires some modification of the
rules in order to ensure the time-blockage produced when a component is ready to syn-
chronise but the other cannot do it at all. A possible solution appears in [BDHK04].
Conclusion
We have characterised the coarsest congruence for parallel compositions of TADs with soft and hard deadline synchronisation that is included in bisimulation. We also gave a symbolic characterisation of it and showed that it is decidable. The novelty in our result is that the proof of congruence was carried out entirely in the symbolic semantics rather than resorting to the underlying transition system. The choice of this strategy is not fortuitous. It is mainly due to the complexity of defining an equivalent parallel composition on transition systems. To begin with, any possible definition needs to be tailored to a particular choice of deadline. Besides, it would need complex bookkeeping to know which possible deadline is blocking the passage of time. Many other complications appear depending on the choice of ⊗.
We finally discussed different types of synchronisation in parallel composition and concluded that our choice is both reasonable and sufficiently expressive to model both soft and hard real-time constraints.
Chapter 3
Axiomatization of Timed
Automata with Deadlines
with Pedro R. D’Argenio
Abstract It is known that the usual timed bisimulation fails to be a congruence for timed automata with deadlines, a variant of timed automata where component synchronization is delayable and time progress is controlled by deadlines on transitions instead of invariants on locations. In the previous chapter we presented ∇-bisimulation, the coarsest congruence included in timed bisimulation for timed automata with deadlines. In the present chapter we provide an algebraic proof system for the direct derivation of this relation by syntactic manipulation. In the sequel, we establish that the proof system is sound and complete.
3.1 Introduction
We begin by defining a CCS-style language [Mil89a] (denoted by A) to represent TADs algebraically. The language A has clock guard and deadline constructs to express enabling and enforcing conditions, action prefix, clock resetting and recursive constructs. Semantically, A is equipped with a transitional semantics in terms of transition systems and a symbolic semantics in terms of TADs. A has a proof system with axioms and inference rules that mimics the ∇-bisimulation of TADs. As with the ∇-bisimulation (∼∇) and symbolic bisimulation (∼φ) relations of TADs, the equivalence relation in A depends on clock values. Hence the equivalence relation of A is a conditional equation of the form
φ ⊢ t = u
where φ is a clock constraint, and t and u are terms in A. To prove the equivalence of = and ∼∇ (or ∼φ), we shall show that the proof system is
sound and complete. The soundness proof follows an approach similar to that of [LY02]. That is, we define an intermediate but equivalent bisimulation relation up to d, which helps to simplify the proof. The completeness proof follows the arguments used by Milner [Mil84, Mil89b]; this approach is also used in [AJ95, LY02]. The proof is divided into three parts. The first part transforms the set of equations into a special form called standard equations. The second and third parts deal with the completeness of guarded and unguarded equations, respectively.
Axiomatizations of timed automata have already appeared in [DB96] and [LY02]. The former presents a sound axiomatization for safe timed automata [HNSY94]. The latter presents a sound and complete proof system for bisimulation in the same class of automata. Our work is closely related to the latter, but is focused on a different model and a different type of bisimulation. Apart from the different setting, the following new results (w.r.t. [LY02]) are given. First, our algebra has only one sort (in [LY02], the algebra contains two sorts: one with invariants and the other without). On the one hand, a one-sorted language is simpler and more general; on the other hand, the proof system becomes more difficult: in particular, defining the time progress condition dl(t, A) (Fig. 3.1) and transforming equations into standard equations in the completeness proof (Lemma 3.3) are complicated by the generalised language. The second result is a completeness result also for unguarded recursion.
The chapter is organized as follows. Section 3.2 defines a CCS-style language to describe TADs; its semantics and bisimulation relation are defined at the end of that section. Section 3.3 contains the axioms and inference rules of the language, followed by Section 3.4, which discusses some useful properties of the proof system. Section 3.5 proves the soundness of the proof system, while Sections 3.6.2 and 3.6.3 prove completeness for guarded and unguarded terms, respectively. Most of the symbols and terminology used in this chapter are already defined in the previous chapter. Unless explicitly stated otherwise, they retain their original meaning.
3.2 Algebra for Timed Automata with Deadlines
Let A be a finite set of actions, ranged over by a, b. Let X be a set of process
variables ranged over by X,Y, and let γ, δ ∈ F (C ) be clock constraints. The
Algebra for Timed Automata with Deadlines A over A ,C and X is given by the
following BNF grammar:
t ::= 0 | γ → t | δ : t | t + t | fixX t | a(x).t | X (3.1)
The expression a(x).t with a ∈ A is the action prefixing operator with clock
resetting. The clock constraints γ and δ are called guard and deadline con-
straints, respectively. The term γ → t represents a conditional construction
such that when the guard γ is true, it may perform any action t is able to perform. The term δ : t represents a deadline construction such that when the deadline δ is true, the process must perform some action that t can perform. We assume δ is left closed. The term 0 denotes an inactive process which can do nothing except allow time to pass. The process tt : t behaves the same as t except that it forces the execution of any enabled action before letting time pass. We call tt : t an urgent process. As usual, t1 + t2 and fixX t are, respectively, non-deterministic choice and recursion.
We say that a variable X occurs unguarded in a term t if such an occurrence is not within the scope of an action prefix. If X does not occur unguarded in t we say that X is guarded in t. Hence, X occurs unguarded in (x ≥ 5) : ((x ≥ 2) → X + a({y}).Y), but Y is guarded. (Note that the concept of a guarded variable is not related to the guard operator.) A term t is guarded if, for all of its subterms of the form fixX u, X is guarded in u.
To reduce the number of parentheses, we adopt the following binding power, in decreasing order, on the operators: action prefix, fixX, deadline, guard and summation.
Example 3.1 Consider the following simple ssh server login procedure. Initially the server is idle until a client program requests a connection via action a. The server accepts the request and waits 2 minutes for the user to enter his/her user name and password. If this is achieved, the server passes control to a login verifier via action b. If the user name and password match (action e), the user enters the system. Otherwise, the server loops back (action d) and asks the user to enter his/her user name and password again. If after 2 minutes no user name and password have been entered, the connection is broken (action c) and the server returns to its idle state. This can be modelled in A, using one clock variable x, by the process ssh below:
ssh ≡ s0
s0 ≡ fixX0 (a({x}).s1)
s1 ≡ fixX1 ((x=2) : (x≤2 → b(∅).s2 + x≥2 → c(∅).X0))
s2 ≡ d({x}).X1 + e(∅).0
3.2.1 Transitional Semantics
The semantics of A is formally defined in terms of a timed transition system TS∇ = (S, Σ, −→) where
• S ⊆ (A × 2^A) × (C → R≥0) is the set of states,
• Σ = A ∪ R≥0 ∪ A∇ ∪ {∆} is the vocabulary, where A∇ = {∇A | A ⊆ A} and ∆ are the drop and undrop actions described in the previous chapter, and
• −→ (the transition relation) is defined as in Fig. 3.2.
dl(t0 + t1, A) = dl(t0, A) ∨ dl(t1, A)
dl(fixX t, A) = dl(t[fixX t/X], A)
dl(δ : t, A) = (δ ∧ gd(t, A)) ∨ dl(t, A)   if A ∩ I(t) ≠ ∅
dl(δ : t, A) = ff                          otherwise
dl(γ → t, A) = γ ∧ dl(t, A)
dl(a(x).t, A) = dl(0, A) = dl(X, A) = ff

I(t0 + t1) = I(t0) ∪ I(t1)
I(fixX t) = I(t[fixX t/X])
I(δ : t) = I(t)
I(γ → t) = I(t)
I(a(x).t) = {a}
I(0) = I(X) = ∅

gd(0, A) = ff
gd(a(x).t, A) = gd(X, A) = tt
gd(γ → t, A) = γ ∧ gd(t, A)   if A ∩ I(t) ≠ ∅
gd(γ → t, A) = ff             otherwise
gd(t + u, A) = gd(t, A) ∨ gd(u, A)
gd(fixX t, A) = gd(t[fixX t/X], A)
gd(δ : t, A) = gd(t, A)
Figure 3.1: Definitions of the deadline predicate (dl), the set of initial actions (I) and the enabling predicate (gd)
The transition relation (−→) is defined using eight rules in Fig. 3.2. Most of the rules are fairly obvious except the DELAY rule. The DELAY rule uses the predicate dl(t, A), which determines the maximum delay (commonly known as the time progress condition) of the term t. We shall first explain the definition of dl(t, A) given in Fig. 3.1, and then come back to the definition of the transition relation.
Given a set of active (undropped) actions A, the maximum delay of a term t is based on the following two conditions.
1. The set of all actions a such that a subterm a(x).u occurs in t outside the scope of any other action prefix is denoted by I(t); it is formally defined as the smallest set satisfying the equations in Fig. 3.1. The set A ∩ I(t) contains all active actions whose deadlines are taken into account in dl(t, A).
2. To guarantee timelock freedom, we only consider deadlines that imply the guard of the action they refer to. Let gd(t, A) be the enabling condition in t of the actions in A, i.e. gd(t, A) is satisfied in valuation ρ iff t can perform some action a ∈ A in ρ. Formally, it is defined as the weakest predicate satisfying the equations in Fig. 3.1. To this end, every deadline δ is conjoined with gd(t, A), as shown in Fig. 3.1.
The deadline of a term t, considering only deadlines on actions in A ⊆ A, is the disjunction of all deadlines imposed on any enabled action a ∈ A ∩ I(t) and originating from t. Formally, dl(t, A) is defined as the weakest predicate satisfying the equations in Fig. 3.1.
The semantics of A is given in Fig. 3.2 in a structural way. The rule GUARD allows the execution of an action only if the guard γ is valid in the current valuation. DEADLINE states that deadlines have no effect on discrete actions. The rule ACTION allows the execution of a discrete action together with a clock reset. DELAY defines time progress: a state (t, D)ρ can progress d time units if no deadline under consideration is reached within the period, i.e. if dl(t, A − D) is false throughout [ρ, ρ + d). Rules DROP and UNDROP define the effect of the drop and undrop actions, respectively. Note that they can be performed unconditionally.

DELAY:     ∀d′ < d : ρ + d′ ⊨ ¬dl(t, A − D)  ⟹  (t, D)ρ −d→ (t, D)(ρ + d)
ACTION:    (a(x).t, D)ρ −a→ (t, ∅)ρ{x := 0}
GUARD:     (t, D)ρ −a→ (t′, D′)ρ′,  ρ ⊨ γ  ⟹  (γ → t, D)ρ −a→ (t′, D′)ρ′
DEADLINE:  (t, D)ρ −a→ (t′, D′)ρ′  ⟹  (δ : t, D)ρ −a→ (t′, D′)ρ′
REC:       (t[fixX t/X], D)ρ −a→ (t′, D′)ρ′  ⟹  (fixX t, D)ρ −a→ (t′, D′)ρ′
DROP:      (t, D)ρ −∇A→ (t, D ∪ A)ρ
UNDROP:    (t, D)ρ −∆→ (t, ∅)ρ
CHOICE:    (t, D)ρ −a→ (t′, D′)ρ′  ⟹  (t + u, D)ρ −a→ (t′, D′)ρ′  and  (u + t, D)ρ −a→ (t′, D′)ρ′
Figure 3.2: Transitional Semantics of A

ACTION:    a(x).t −a, tt, ff, x→ t
REC:       t[fixX t/X] −a, γ, δ, x→ t′  ⟹  fixX t −a, γ, δ, x→ t′
GUARD:     t −a, γ′, δ′, x→ t′  ⟹  γ → t −a, γ ∧ γ′, δ′ ∧ γ, x→ t′
CHOICE:    t −a, γ, δ, x→ t′  ⟹  (t + u) −a, γ, δ, x→ t′  and  (u + t) −a, γ, δ, x→ t′
DEADLINE:  t −a, γ′, δ′, x→ t′  ⟹  δ : t −a, γ′, δ′ ∨ (δ ∧ γ′), x→ t′
Figure 3.3: Symbolic semantics of A
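As an added example (not part of the thesis), the following Python evaluates the transitional semantics of Figs. 3.1 and 3.2 on the ssh login model of Example 3.1. Terms of A are encoded as tagged tuples, I, gd and dl are evaluated at a concrete valuation, the largest delay admitted by the DELAY rule is computed, and the discrete transitions are enumerated. The tuple encoding, the helper names and the handling of drop/undrop purely through the set A − D of active actions are this example's own choices; the ssh term is constructed from the text of Example 3.1.

```python
import math
import operator as op

# Clock constraints: a conjunction of atoms (clock, comparison, constant); () is tt and None is ff.
_CMP = {'<': op.lt, '<=': op.le, '==': op.eq, '>=': op.ge, '>': op.gt}

def holds(phi, rho):                       # rho |= phi, for a valuation rho = {clock: value}
    return phi is not None and all(_CMP[c](rho[x], k) for x, c, k in phi)

# Terms of A (grammar (3.1)) as tagged tuples: 0 | γ→t | δ:t | t+t | fixX t | a(x).t | X
def nil(): return ('0',)
def guard(g, t): return ('guard', g, t)
def deadline(d, t): return ('dead', d, t)
def plus(t, u): return ('sum', t, u)
def fix(X, t): return ('fix', X, t)
def prefix(a, resets, t): return ('pre', a, frozenset(resets), t)
def var(X): return ('var', X)

def subst(t, X, s):                        # t[s/X]: replace free occurrences of X in t by s
    tag = t[0]
    if tag == 'var': return s if t[1] == X else t
    if tag == '0': return t
    if tag == 'fix': return t if t[1] == X else ('fix', t[1], subst(t[2], X, s))
    if tag in ('guard', 'dead'): return (tag, t[1], subst(t[2], X, s))
    if tag == 'sum': return ('sum', subst(t[1], X, s), subst(t[2], X, s))
    return ('pre', t[1], t[2], subst(t[3], X, s))

def unfold(t):                             # rule REC: fixX t -> t[fixX t/X]; terminates on guarded terms
    return subst(t[2], t[1], t)

def initials(t):                           # I(t) of Fig. 3.1: prefixes outside the scope of any other prefix
    tag = t[0]
    if tag in ('0', 'var'): return frozenset()
    if tag == 'pre': return frozenset([t[1]])
    if tag == 'sum': return initials(t[1]) | initials(t[2])
    return initials(unfold(t)) if tag == 'fix' else initials(t[2])

def gd(t, A, rho):                         # gd(t, A) of Fig. 3.1 evaluated at rho
    tag = t[0]
    if tag == '0': return False
    if tag in ('pre', 'var'): return True
    if tag == 'guard': return bool(A & initials(t[2])) and holds(t[1], rho) and gd(t[2], A, rho)
    if tag == 'sum': return gd(t[1], A, rho) or gd(t[2], A, rho)
    return gd(unfold(t), A, rho) if tag == 'fix' else gd(t[2], A, rho)

def dl(t, A, rho):                         # dl(t, A) of Fig. 3.1 evaluated at rho (time progress condition)
    tag = t[0]
    if tag in ('0', 'var', 'pre'): return False
    if tag == 'sum': return dl(t[1], A, rho) or dl(t[2], A, rho)
    if tag == 'fix': return dl(unfold(t), A, rho)
    if tag == 'guard': return holds(t[1], rho) and dl(t[2], A, rho)
    if not (A & initials(t[2])): return False              # δ : t whose initial actions are all dropped
    return (holds(t[1], rho) and gd(t[2], A, rho)) or dl(t[2], A, rho)

def steps(t, rho):                         # discrete transitions (a, t', rho') by ACTION/GUARD/DEADLINE/REC/CHOICE
    tag = t[0]
    if tag == 'pre':                                        # ACTION: clocks in x are reset, D becomes ∅
        return [(t[1], t[3], {x: (0.0 if x in t[2] else v) for x, v in rho.items()})]
    if tag == 'guard': return steps(t[2], rho) if holds(t[1], rho) else []
    if tag in ('dead', 'fix'): return steps(t[2] if tag == 'dead' else unfold(t), rho)
    return steps(t[1], rho) + steps(t[2], rho) if tag == 'sum' else []

def atoms(t):                              # every atom in the guards and deadlines of t (fix bodies not unfolded)
    tag = t[0]
    if tag in ('0', 'var'): return set()
    if tag == 'pre': return atoms(t[3])
    if tag == 'sum': return atoms(t[1]) | atoms(t[2])
    return atoms(t[2]) if tag == 'fix' else set(t[1] or ()) | atoms(t[2])

def max_delay(t, active, rho):
    """Largest d admitted by DELAY with A − D = active: inf{d' ≥ 0 | rho + d' |= dl(t, active)}, or ∞.
    dl(rho + d') can only change at d' = k − rho[x] for an atom (x c k), so those points and the
    open intervals between them are the only places that need testing."""
    def at(d): return dl(t, active, {x: v + d for x, v in rho.items()})
    points = sorted({0.0} | {k - rho[x] for x, _, k in atoms(t) if k - rho[x] > 0})
    for i, b in enumerate(points):
        nxt = points[i + 1] if i + 1 < len(points) else b + 1.0
        if at(b) or at((b + nxt) / 2):                      # deadline reached at b, or throughout (b, nxt)
            return b
    return math.inf

# Example 3.1, constructed from its text: ssh login with one clock x; ACTS is the full action set.
ACTS = frozenset('abcde')
s2 = plus(prefix('d', {'x'}, var('X1')), prefix('e', (), nil()))
s1 = fix('X1', deadline((('x', '==', 2),),
                        plus(guard((('x', '<=', 2),), prefix('b', (), s2)),
                             guard((('x', '>=', 2),), prefix('c', (), var('X0'))))))
ssh = fix('X0', prefix('a', {'x'}, s1))

def run_login():
    """Idle, connect, wait out the 2-minute deadline, then inspect the urgent state."""
    rho = {'x': 0.0}
    idle = max_delay(ssh, ACTS, rho)                        # s0 carries no deadline: ∞
    act, t1, rho = steps(ssh, rho)[0]                       # 'a' resets x
    wait = max_delay(t1, ACTS, rho)                         # time may pass until x = 2
    rho = {'x': rho['x'] + wait}
    stuck = max_delay(t1, ACTS, rho)                        # at x = 2 the deadline blocks time: 0
    offered = sorted(a for a, _, _ in steps(t1, rho))       # b and c are both enabled at x = 2
    dropped = max_delay(t1, ACTS - {'b', 'c'}, rho)         # with b and c dropped no deadline applies: ∞
    return idle, act, wait, stuck, offered, dropped
```

In the idle location the model may wait forever; after the connection request exactly 2 time units may elapse before the deadline x = 2 makes the state urgent, at which point both b and c are enabled and no further delay is possible, so the server is forced either to hand over the credentials or to break the connection. Dropping b and c (D = {b, c}) makes dl(t, A − D) false again and time is free to pass, which is exactly the role of A − D in the DELAY rule. This is also the security content of the model: an unauthenticated client cannot keep the half-open connection alive past the deadline, because time itself cannot advance until c (or b) has happened.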
The notion of equivalence underlying the algebra A is defined as follows. We say that two states p = (t, D)ρ and q = (u, E)η are ∇-bisimilar, notation p ∼∇ q, iff there exists a symmetric relation R (called a ∇-bisimulation) such that for any (p, q) ∈ R and l ∈ R≥0 ∪ A ∪ A∇ ∪ {∆}, whenever p −l→ p′ then ∃q′ : q −l→ q′ and p′ R q′. If p′ R q′ is replaced by p′ ∼∇ ∘ R ∘ ∼∇ q′, R is a ∇-bisimulation up to ∼∇ (∘ is the usual composition of relations). It is enough to prove the existence of a ∇-bisimulation up to ∼∇ between p and q to conclude that they are ∇-bisimilar [Mil89a].
3.2.2 Symbolic Semantics.
The symbolic semantics of an A term t in terms of a TAD is defined by Tt = (A, t, C, −→), where −→ is the smallest relation satisfying the rules in Fig. 3.3 and A is the set of actions of TADs.
Example 3.2 The A model of the ssh server in Example 3.1 can be interpreted in terms of a TAD using the rules in Fig. 3.3. The resulting TAD is given in Fig. 3.4. The derivation is straightforward; the interesting part is how to “push” the deadline (x=2) to both branches of s1. This is done by applying ACTION, GUARD, CHOICE, and DEADLINE sequentially to both branches of s1.
[Figure 3.4 (drawing not reproduced): locations s0, s1, s2 and 0, with edges s0 −a, x:=0→ s1; s1 −b, γ: x≤2, δ: x=2→ s2; s1 −c, γ: x≥2, δ: x=2→ s0; s2 −d, x:=0→ s1; s2 −e→ 0.]
Figure 3.4: TAD for ssh login procedure
Conversely, for a given TAD T = (L, l0, C, −→), its equivalent A term can be derived as follows. Suppose L = {l0, l1, . . . , ln} with li ≤ lj iff i ≤ j. For each l ∈ L, let Jl = {e | e = (l, ae, γe, δe, xe, le) ∈ −→} and define
tl ≝ fixXl ( Σe∈Jl ( γe → δe : ae(xe).ule ) )
where ule = Xle if le ≤ l, and ule = tle otherwise.
Example 3.3 ts0 is the A term associated to the TAD of Fig. 3.4, where:
ts0 ≡ fixXs0 (ff : tt → a({x}).ts1)
ts1 ≡ fixXs1 ((x=2) : (x≤2) → b(∅).ts2 + (x=2) : (x≥2) → c(∅).Xs0)
ts2 ≡ fixXs2 (ff : tt → d({x}).Xs1 + ff : tt → e(∅).ts3)
ts3 ≡ fixXs3 0
(Here each deadline is written outside its guard; by Lemma 3.1.13, δ : γ → t = γ → δ : t, so these terms are provably equal to the ones given by the definition of tl.)
The semantics of T in terms of transition systems is given by the transi-
tional semantics of tl0 . It is routine to show that the semantics of T given in
this manner is the same as the one defined in the previous chapter. More-
over, by induction on the proof tree, it is also possible to show that the
transitional semantics of t is the same as the two step semantics of t (i.e.
interpret t as a TAD Tt and then obtain the transition system from Tt) pro-
vided that t is closed (i.e., it does not contain a variable X out of the scope
of a fixX.)
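As a second added example (again not from the thesis), the Python below implements the symbolic semantics of Fig. 3.3 and the inverse translation tl of this section, and runs both on the ssh model: it derives the edges of the TAD of Fig. 3.4 from the term of Example 3.1, and rebuilds a term in the shape of Example 3.3 from those edges. Clock constraints are kept as strings with only the tt/ff absorption laws applied, the tagged-tuple term encoding and the location naming scheme (a binders map and the names 'X' + location) are this example's own conventions, and the REC rule is implemented by descending into the body of fixX t, which is sufficient for guarded terms, where X occurs only as the target of a prefix.

```python
# Terms of A (grammar (3.1)) as tagged tuples; clock constraints are kept as formula strings.
def nil(): return ('0',)
def guard(g, t): return ('guard', g, t)
def deadline(d, t): return ('dead', d, t)
def plus(t, u): return ('sum', t, u)
def fix(X, t): return ('fix', X, t)
def prefix(a, resets, t): return ('pre', a, tuple(sorted(resets)), t)
def var(X): return ('var', X)

# Only the tt/ff absorption laws are applied, so the derived labels stay readable without a
# decision procedure for clock constraints (x=2 ∧ x≤2 is left as is, although it is just x=2).
def conj(p, q):
    if p == 'ff' or q == 'ff': return 'ff'
    if p == 'tt': return q
    return p if q == 'tt' else f'({p} ∧ {q})'

def disj(p, q):
    if p == 'tt' or q == 'tt': return 'tt'
    if p == 'ff': return q
    return p if q == 'ff' else f'({p} ∨ {q})'

def edges(t):
    """Symbolic transitions of t (Fig. 3.3) as (action, guard, deadline, resets, target term)."""
    tag = t[0]
    if tag in ('0', 'var'): return []
    if tag == 'pre': return [(t[1], 'tt', 'ff', t[2], t[3])]           # ACTION: a(x).t -a,tt,ff,x-> t
    if tag == 'sum': return edges(t[1]) + edges(t[2])                  # CHOICE
    if tag == 'fix': return edges(t[2])                                # REC; X only occurs as a target
    if tag == 'guard':                                                 # GUARD: γ∧γ' and δ'∧γ
        return [(a, conj(t[1], g), conj(d, t[1]), x, u) for a, g, d, x, u in edges(t[2])]
    return [(a, g, disj(d, conj(t[1], g)), x, u) for a, g, d, x, u in edges(t[2])]   # DEADLINE: δ'∨(δ∧γ')

def tad(locs, binders):
    """TAD edges (source, a, γ, δ, x, target) for named locations locs = {name: term};
    binders maps each fix-bound variable X to the name of the location it stands for."""
    def name(u):
        if u[0] == 'var': return binders[u[1]]
        return next(n for n, t in locs.items() if t == u)
    return [(src, a, g, d, x, name(u)) for src, t in locs.items() for a, g, d, x, u in edges(t)]

def term_of(tad_edges, order):
    """Inverse translation t_l of Sec. 3.2.2: locations in the order l0 ≤ l1 ≤ ...; an edge to an
    earlier-or-equal location becomes the variable X_l, a later one is expanded recursively."""
    def t(l):
        body = nil()                                                   # Σ over an empty J_l is 0
        for src, a, g, d, x, dst in tad_edges:
            if src != l: continue
            target = var('X' + dst) if order.index(dst) <= order.index(l) else t(dst)
            summand = guard(g, deadline(d, prefix(a, x, target)))
            body = summand if body == nil() else plus(body, summand)
        return fix('X' + l, body)
    return {l: t(l) for l in order}, {'X' + l: l for l in order}

# Example 3.1 / Fig. 3.4, constructed from the text; '0' names the terminal location.
s2 = plus(prefix('d', {'x'}, var('X1')), prefix('e', (), nil()))
s1 = fix('X1', deadline('x=2', plus(guard('x≤2', prefix('b', (), s2)),
                                   guard('x≥2', prefix('c', (), var('X0'))))))
s0 = fix('X0', prefix('a', {'x'}, s1))
SSH_TAD = tad({'s0': s0, 's1': s1, 's2': s2, '0': nil()}, {'X0': 's0', 'X1': 's1'})
```

The deadlines of the two s1 edges come out as x=2 ∧ x≤2 and x=2 ∧ x≥2, which are the δ: x=2 of Fig. 3.4 since x=2 implies both conjuncts; the ff ∧ γ produced by GUARD for the other edges is absorbed to ff. Translating the edges back with term_of and deriving their edges again reproduces the same guards but deadlines of the form (δ ∧ γ) ∧ γ, which are provably equal to δ ∧ γ by Lemma 3.1.12 but not syntactically identical, so a round-trip check has to compare modulo that lemma rather than by string equality.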
3.3 The Proof System
The proof system of A is given by the set of axioms and inference rules in
Fig. 3.5 and Fig. 3.6 respectively. The judgments of the inference system are
conditional equations of the form
φ ⊢ t = u
S1 t + 0 = t
S2 t + t = t
S3 (t + u) + v = t + (u + v)
S4 t + u = u + t
U1 tt : tt : t = tt : t
U2 tt : δ : t = δ : tt : t
U3 tt : γ → t = γ → tt : t
U4 tt : (t1 + t2) = tt : t1 + tt : t2
U5 tt : t = tt : t + t
DL (δ ∧ γ1) : (γ1→a(x).t + γ2→a(y).u) = δ : γ1→a(x).t + γ2→a(y).u
UR fixX(t + δ : γ→X) = fixX(t + δ : γ→t)
Figure 3.5: The equational axioms
where φ is a constraint and t, u are terms. Its intended meaning is: t is equivalent to u whenever φ holds. We abbreviate tt ⊢ t = u as t = u and in general consider two logically equivalent constraints as the same constraint (hence, e.g., tt ⊢ t = u and (x+1 ≥ x) ⊢ t = u are the same judgment).
Axioms S1-4 are the standard summation laws and U1-5 are axioms to manipulate urgent processes. Axiom UR explains in which way unguarded variables in recursion are redundant (notice the difference with Milner’s [Mil89a] recursion axiom fixX(t + X) = fixX t). Axiom DL shows a particularity of ∇-bisimulation: a deadline on an action has the same impact on another summand as long as that summand is prefixed with the same action. Deadlines cannot be shifted out of an arbitrary summation. As a simple example, the terms δ : a(x).t + b(y).u and δ : (a(x).t + b(y).u) are equivalent if and only if a = b. Usual bisimulation would equate them for any a and b, which is precisely why it fails to be a congruence.
Each construct in the language has an entry in the set of inference rules of Fig. 3.6. They show how to use the constructs, and what constraints must be met (if any) before applying the rule. Three additional rules, namely ABSURD, PARTITION and CONSEQUENCE, are also given; they are used to manipulate the condition under which the equation holds. The SUBSTITUTION rules handle substitution in the context of the choice operator and of urgency. Rule ACTION is for action prefix with clock resetting. Informally, it states that the equivalence a(x).t = a(x).u under φ can be inferred provided that t = u under φ↓x⇑. The clock constraint φ↓x⇑ is obtained from φ by first setting the clocks in x to zero and then removing the upper bounds on all clocks. GUARD does a case analysis on conditions, i.e. if
1. t behaves like u when the guard γ holds under φ (i.e., when φ ∧ γ holds), and
2. u behaves like 0 (as γ → t does) if this is not the case,
then φ ⊢ γ → t = u can be inferred. The rule DEADLINE is similar to GUARD except that t is required to be urgent when φ ∧ δ holds. THINNING states
EQUIV:         t = t        φ ⊢ t = u  ⟹  φ ⊢ u = t        φ ⊢ t = u,  φ ⊢ u = v  ⟹  φ ⊢ t = v
AXIOM:         t = u    if t = u is an axiom instance
SUBSTITUTION:  φ ⊢ t = t′  ⟹  φ ⊢ t + u = t′ + u        φ ⊢ t = u  ⟹  φ ⊢ tt : t = tt : u
ACTION:        φ↓x⇑ ⊢ t = u  ⟹  φ ⊢ a(x).t = a(x).u
GUARD:         φ ∧ γ ⊢ t = u,  φ ∧ ¬γ ⊢ 0 = u  ⟹  φ ⊢ γ → t = u
DEADLINE:      φ ∧ ¬δ ⊢ t = u,  φ ∧ δ ⊢ tt : t = u  ⟹  φ ⊢ δ : t = u
THINNING:      φ ⊢ a(xy).t = a(x).t    if y ∩ C(t) = ∅
REC:           fixX t = t[fixX t/X]
UFI:           t = u[t/X]  ⟹  t = fixX u    (X guarded in u)
PARTITION:     φ1 ⊢ t = u,  φ2 ⊢ t = u  ⟹  φ1 ∨ φ2 ⊢ t = u
CONSEQUENCE:   ψ ⊢ t = u  ⟹  φ ⊢ t = u    if φ ⇒ ψ
ABSURD:        ff ⊢ t = u
Figure 3.6: The inference rules
that clocks which are not free in t (denoted by C (t)) are redundant in a reset
set of a prefix of t. There are two rules for recursion: REC is for folding
or unfolding recursion expressions, while UFI states the uniqueness of the
solution of recursive equations provided that the variable of interest only
occurs guarded.
3.4 Properties of the Proof System
This section presents some selected properties of the proof system, which
are used to prove the soundness and completeness theorems. Readers
only interested in the soundness and completeness of the proof system can
safely skip this (rather technical) section when reading for the first time.
Lemma 3.1
1. If φ ⇒ γ and φ ⊢ t = u then φ ⊢ γ → t = u.
2. If φ ⇒ ¬δ and φ ⊢ t = u then φ ⊢ δ : t = u.
3. If φ ⇒ γ ∧ ¬δ and φ ⊢ t = u then φ ⊢ γ → δ : t = u and φ ⊢ δ : γ → t = u.
4. t = t + φ → t.
5. γ1 → γ2 → t = (γ1 ∧ γ2) → t.
6. γ → (t1 + t2) = γ → t1 + γ → t2.
7. γ1 → t + γ2 → t = (γ1 ∨ γ2) → t.
8. δ1 : δ2 : t = (δ1 ∨ δ2) : t.
9. δ : (t1 + t2) = δ : t1 + δ : t2.
10. If φ ⊢ t = u then φ ⊢ δ : t = δ : u for any δ.
11. δ1 : t + δ2 : t = (δ1 ∨ δ2) : t.
12. δ : γ → t = (δ ∧ γ) : γ → t.
13. δ : γ → t = γ → δ : t.
14. φ ⊢ t = u ⇒ φ ⊢ δ : t = δ : u.
15. ff → t = 0.
16. tt : 0 = 0.
17. From [LY02]: φ ⊢ a(x).t = a(x).φ↓x⇑ → t.
18. From [LY02]: Suppose Ψ is a φ-partition and ψ ⊢ t = u for each ψ ∈ Ψ; then φ ⊢ t = u.
Proof: (of Lemma 3.1.1)
(φ ⇒ γ) ⇒ (φ ∧ ¬γ = ff) (3.2)
⇒ {ABSURD and (3.2)}
φ ∧ ¬γ ⊢ 0 = u (3.3)
⇒ {CONSEQUENCE, since φ ∧ γ ⇒ φ, and the hypothesis φ ⊢ t = u}
φ ∧ γ ⊢ t = u (3.4)
⇒ {Applying GUARD on (3.3), (3.4)}
φ ⊢ γ → t = u.
□
Proof: (of Lemma 3.1.2)
(φ ⇒ ¬δ) ⇒ (φ ∧ δ = ff) (3.5)
⇒ {ABSURD and (3.5)}
φ ∧ δ ⊢ tt : t = u (3.6)
⇒ {CONSEQUENCE, since φ ∧ ¬δ ⇒ φ, and the hypothesis φ ⊢ t = u}
φ ∧ ¬δ ⊢ t = u (3.7)
⇒ {Applying DEADLINE on (3.6), (3.7)}
φ ⊢ δ : t = u.
□
Proof: (of Lemma 3.1.3)
φ ⇒ (γ ∧ ¬δ) and φ ⊢ t = u (3.8)
⇒ φ ⇒ γ and φ ⊢ t = u
⇒ {By Lemma 3.1.1}
φ ⇒ ¬δ and φ ⊢ γ → t = u
⇒ {By Lemma 3.1.2}
φ ⊢ δ : γ → t = u
Similarly, from (3.8),
φ ⇒ ¬δ and φ ⊢ t = u
⇒ {By Lemma 3.1.2}
φ ⇒ γ and φ ⊢ δ : t = u
⇒ {By Lemma 3.1.1}
φ ⊢ γ → δ : t = u
□
Proof: (of Lemma 3.1.4)
⇒ {By Lemma 3.1.1, since φ ⇒ φ}
φ ⊢ φ → t = t
⇒ {By SUBSTITUTION, S2 and EQUIV}
φ ⊢ t = t + φ → t (3.9)
∧ {Since ¬φ ∧ φ = ff, by ABSURD}
¬φ ∧ φ ⊢ t = 0 (3.10)
∧ {By EQUIV and CONSEQUENCE}
¬φ ∧ ¬φ ⊢ 0 = 0 (3.11)
⇒ {Applying GUARD on (3.10) and (3.11)}
¬φ ⊢ φ → t = 0 (3.12)
⇒ {By SUBSTITUTION, S1 and EQUIV}
¬φ ⊢ t = t + φ → t (3.13)
⇒ {Applying PARTITION on (3.9) and (3.13), and EQUIV}
t = t + φ → t
□
Proof: (of Lemma 3.1.5)
⇒ {By Prop. 4.1 of [LY02]}
γ1 → γ2 → t = (γ1 ∧ γ2) → t
□
Proof: (of Lemma 3.1.6)
⇒ {By (3.12)}
¬γ ⊢ γ → t1 = 0 and ¬γ ⊢ γ → t2 = 0
⇒ {By S1 and EQUIV}
¬γ ⊢ 0 = γ → t1 + 0 (3.14)
∧ {By SUBSTITUTION}
¬γ ⊢ γ → t1 + 0 = γ → t1 + γ → t2 (3.15)
⇒ {By EQUIV on (3.14) and (3.15)}
¬γ ⊢ 0 = γ → t1 + γ → t2 (3.16)
∧ {By Lemma 3.1.1}
γ ⊢ γ → t1 = t1 and γ ⊢ γ → t2 = t2
⇒ {By SUBSTITUTION}
γ ⊢ γ → t1 + t2 = t1 + t2 and γ ⊢ γ → t1 + γ → t2 = γ → t1 + t2
⇒ {By EQUIV}
γ ⊢ t1 + t2 = γ → t1 + γ → t2 (3.17)
⇒ {Applying GUARD on (3.16) and (3.17)}
γ → (t1 + t2) = γ → t1 + γ → t2 (3.18)
□
Proof: (of Lemma 3.1.7)
⇒ {By Lemma 3.1.4}
tt ⊢ t = t + γ2 → t
⇒ {Since γ1 ⇒ tt, by CONSEQUENCE}
γ1 ⊢ t = t + γ2 → t (3.19)
∧ {By Lemma 3.1.1, since γ1 ⇒ γ1}
γ1 ⊢ t = γ1 → t
⇒ {By SUBSTITUTION}
γ1 ⊢ t + γ2 → t = γ1 → t + γ2 → t (3.20)
⇒ {By EQUIV on (3.19) and (3.20)}
γ1 ⊢ t = γ1 → t + γ2 → t (3.21)
∧ {Applying the same procedure to γ2}
γ2 ⊢ t = γ1 → t + γ2 → t (3.22)
⇒ {By PARTITION on (3.21) and (3.22)}
(γ1 ∨ γ2) ⊢ t = γ1 → t + γ2 → t
∧ {By (3.12) for γ1 and for γ2, CONSEQUENCE, SUBSTITUTION and S1}
¬(γ1 ∨ γ2) ⊢ 0 = γ1 → t + γ2 → t
⇒ {Applying GUARD on the two previous judgments, and EQUIV}
γ1 → t + γ2 → t = (γ1 ∨ γ2) → t
□
Proof: (of Lemma 3.1.8)
⇒ {By EQUIV and CONSEQUENCE}
¬(δ1 ∨ δ2) ⊢ t = t
⇒ {By Lemma 3.1.2 and logic}
(¬δ1 ∧ ¬δ2) ⊢ t = (δ1 ∨ δ2) : t (3.23)
∧ {Since ((¬δ1 ∧ δ2) ∧ ¬(δ1 ∨ δ2)) = ff, by ABSURD}
((¬δ1 ∧ δ2) ∧ ¬(δ1 ∨ δ2)) ⊢ t = tt : t (3.24)
∧ {By EQUIV and CONSEQUENCE}
((¬δ1 ∧ δ2) ∧ (δ1 ∨ δ2)) ⊢ tt : t = tt : t (3.25)
⇒ {Applying DEADLINE on (3.24) and (3.25), and EQUIV}
¬δ1 ∧ δ2 ⊢ tt : t = (δ1 ∨ δ2) : t (3.26)
⇒ {Applying DEADLINE on (3.23) and (3.26)}
¬δ1 ⊢ δ2 : t = (δ1 ∨ δ2) : t (3.27)
∧ {Since (δ1 ∧ ¬(δ1 ∨ δ2)) = ff, by ABSURD}
(δ1 ∧ ¬(δ1 ∨ δ2)) ⊢ t = tt : δ2 : t (3.28)
∧ {By EQUIV and CONSEQUENCE}
(δ1 ∧ ¬δ2) ⊢ tt : t = tt : t (3.29)
∧ {By U1, EQUIV and CONSEQUENCE}
(δ1 ∧ δ2) ⊢ tt : tt : t = tt : t (3.30)
⇒ {Applying DEADLINE on (3.29) and (3.30)}
δ1 ⊢ δ2 : tt : t = tt : t
⇒ {By U2 and EQUIV}
δ1 ∧ (δ1 ∨ δ2) ⊢ tt : t = tt : δ2 : t (3.31)
⇒ {Applying DEADLINE on (3.28) and (3.31)}
δ1 ⊢ (δ1 ∨ δ2) : t = tt : δ2 : t (3.32)
⇒ {Applying DEADLINE on (3.27) and (3.32), and EQUIV}
tt ⊢ δ1 : δ2 : t = (δ1 ∨ δ2) : t
□
Proof: (of Lemma 3.1.9) First we prove the following small lemma:
If φ ⇒ δ then φ ⊢ δ : t = tt : t (3.33)
(φ ⇒ δ) ⇒ ((φ ∧ ¬δ) = ff)
⇒ {By ABSURD}
(φ ∧ ¬δ) ⊢ t = tt : t (3.34)
∧ {By EQUIV and CONSEQUENCE}
(φ ∧ δ) ⊢ tt : t = tt : t (3.35)
⇒ {Applying DEADLINE on (3.34) and (3.35)}
φ ⊢ δ : t = tt : t
Now the proof of Lemma 3.1.9 follows.
⇒ {By Lemma 3.1.2}
¬δ ⊢ t1 = δ : t1
⇒ {By SUBSTITUTION}
¬δ ⊢ t1 + t2 = δ : t1 + t2 (3.36)
∧ {By Lemma 3.1.2 and SUBSTITUTION as above}
¬δ ⊢ δ : t1 + t2 = δ : t1 + δ : t2 (3.37)
⇒ {By EQUIV on (3.36) and (3.37)}
¬δ ⊢ t1 + t2 = δ : t1 + δ : t2 (3.38)
∧ {By (3.33) and EQUIV}
δ ⊢ tt : t1 = δ : t1
⇒ {Applying SUBSTITUTION}
δ ⊢ tt : t1 + tt : t2 = δ : t1 + tt : t2 (3.39)
∧ {Again by (3.33) and EQUIV}
δ ⊢ tt : t2 = δ : t2
⇒ {Applying SUBSTITUTION}
δ ⊢ δ : t1 + tt : t2 = δ : t1 + δ : t2 (3.40)
⇒ {By EQUIV on (3.39) and (3.40)}
δ ⊢ tt : t1 + tt : t2 = δ : t1 + δ : t2 (3.41)
⇒ {By U4}
δ ⊢ tt : (t1 + t2) = δ : t1 + δ : t2 (3.42)
⇒ {Applying DEADLINE on (3.38) and (3.42)}
δ : (t1 + t2) = δ : t1 + δ : t2
□
Proof: (of Lemma 3.1.16)
⇒ {By Lemma 3.1.15}
ff → t = 0
⇒ {By SUBSTITUTION}
tt : ff → t = tt : 0
⇒ {By U3 and EQUIV}
ff → tt : t = tt : 0
⇒ {By Lemma 3.1.15 and EQUIV}
0 = tt : 0
□
The proofs of Lemmas 3.1.10–3.1.15 are straightforward applications of the above lemmas and are omitted.
The following lemma helps to gather summands that only differ in their guards and deadlines.
Lemma 3.2 Let δ1, δ2, γ1, and γ2 be predicates. Then the equation
δ1 : γ1 → t + δ2 : γ2 → t = ((δ1 ∧ γ1) ∨ (δ2 ∧ γ2)) : (γ1 ∨ γ2) → t
is provable. In particular, if δ1 ⇒ γ1 and δ2 ⇒ γ2 then
δ1 : γ1 → t + δ2 : γ2 → t = (δ1 ∨ δ2) : (γ1 ∨ γ2) → t.
Proof: First we prove the case in which one of the deadlines (say δ2) is false. That is, we need to prove
δ1 : γ1 → t + γ2 → t = (δ1 ∧ γ1) : (γ1 ∨ γ2) → t (3.43)
By DEADLINE (with deadline δ1 ∧ γ1) we need to prove that
¬(δ1 ∧ γ1) ⊢ δ1 : γ1 → t + γ2 → t = (γ1 ∨ γ2) → t (3.44)
(δ1 ∧ γ1) ⊢ δ1 : γ1 → t + γ2 → t = tt : (γ1 ∨ γ2) → t (3.45)
Using Lemma 3.1.12, Lemma 3.1.2 and EQUIV (and PARTITION to split ¬(δ1 ∧ γ1) into the cases ¬δ1 and ¬γ1) we can prove that
¬(δ1 ∧ γ1) ⊢ δ1 : γ1 → t = γ1 → t
Next, we add γ2 → t on both sides using SUBSTITUTION. The right hand side is equal to (γ1 ∨ γ2) → t by Lemma 3.1.7, which proves equation (3.44).
In order to prove (3.45) we use GUARD, Lemma 3.1.12 and Lemma 3.1.13 to decompose the problem into the following equations.
(δ1 ∧ γ1) ∧ (γ1 ∨ γ2) ⊢ δ1 : γ1 → t + γ2 → t = tt : t (3.46)
(δ1 ∧ γ1) ∧ ¬(γ1 ∨ γ2) ⊢ δ1 : γ1 → t + γ2 → t = 0 (3.47)
⇒ {By DEADLINE, ABSURD and EQUIV}
(δ1 ∧ γ1) ⊢ δ1 : t = tt : t
⇒ {Applying Lemma 3.1.1, Lemma 3.1.13 and EQUIV}
(δ1 ∧ γ1) ⊢ δ1 : γ1 → t = tt : t
⇒ {By SUBSTITUTION}
(δ1 ∧ γ1) ⊢ δ1 : γ1 → t + γ2 → t = tt : t + γ2 → t
⇒ {By U5, Lemma 3.1.4, S3 and EQUIV}
(δ1 ∧ γ1) ⊢ δ1 : γ1 → t + γ2 → t = tt : t
⇒ {By CONSEQUENCE, since (δ1 ∧ γ1) ∧ (γ1 ∨ γ2) ⇒ (δ1 ∧ γ1)}
(δ1 ∧ γ1) ∧ (γ1 ∨ γ2) ⊢ δ1 : γ1 → t + γ2 → t = tt : t
This proves equation (3.46). Note that (δ1 ∧ γ1) ∧ ¬(γ1 ∨ γ2) = ff, and by ABSURD and CONSEQUENCE we prove (3.47), which completes the proof of (3.45).
The same proof applies for the case in which δ1 is false. Finally we combine these two cases and prove the lemma as follows.
δ1 : γ1 → t + δ2 : γ2 → t
= {By Lemma 3.1.12}
(δ1 ∧ γ1) : γ1 → t + (δ2 ∧ γ2) : γ2 → t
= {Applying (3.43) twice (with γ2 := γ1, resp. γ1 := γ2) and Lemma 3.1.12}
(δ1 ∧ γ1) : γ1 → t + γ1 → t + (δ2 ∧ γ2) : γ2 → t + γ2 → t
= {By S1-S4 and Lemma 3.1.7}
(δ1 ∧ γ1) : γ1 → t + (γ1 ∨ γ2) → t + (δ2 ∧ γ2) : γ2 → t + (γ1 ∨ γ2) → t
= {Applying (3.43) twice (with γ2 := γ1 ∨ γ2, resp. γ1 := γ1 ∨ γ2) and Lemma 3.1.12}
(δ1 ∧ γ1) : (γ1 ∨ γ2) → t + (δ2 ∧ γ2) : (γ1 ∨ γ2) → t
= {By Lemma 3.1.11}
((δ1 ∧ γ1) ∨ (δ2 ∧ γ2)) : (γ1 ∨ γ2) → t
□
Lemma 3.3 is a generalisation of the axiom DL in which a deadline on an action has the same impact on any number of summands, as long as they are prefixed with the same action.
Lemma 3.3 Let δi, γi be predicates for i = 1, . . . , n, with n a finite non-negative integer. Then the following generalisation of axiom DL is provable:
Σi=1..n ( δi : γi → a(xi).ti ) = ( ⋁i=1..n (δi ∧ γi) ) : ( Σi=1..n γi → a(xi).ti )
Proof: We show the case n = 3. Using the same technique recursively, it is straightforward to show it for arbitrary n. Write Ai for γi → a(xi).ti.
δ1 : A1 + δ2 : A2 + δ3 : A3
= {Applying S1-S4, DL, Lemma 3.1.11 and Lemma 3.1.12}
(δ1 ∧ γ1) : A1 + A1 + (δ1 ∧ γ1) : A1 + A1 + (δ2 ∧ γ2) : A2 + A2 + (δ2 ∧ γ2) : A2 + A2 + (δ3 ∧ γ3) : A3 + A3 + (δ3 ∧ γ3) : A3 + A3
= {Applying S1-S4}
(δ1 ∧ γ1) : A1 + A2 + (δ1 ∧ γ1) : A1 + A3 + (δ2 ∧ γ2) : A2 + A1 + (δ2 ∧ γ2) : A2 + A3 + (δ3 ∧ γ3) : A3 + A1 + (δ3 ∧ γ3) : A3 + A2
= {Applying DL six times}
(δ1 ∧ γ1) : (A1 + A2) + (δ1 ∧ γ1) : (A1 + A3) + (δ2 ∧ γ2) : (A2 + A1) + (δ2 ∧ γ2) : (A2 + A3) + (δ3 ∧ γ3) : (A3 + A1) + (δ3 ∧ γ3) : (A3 + A2)
= {Applying Lemma 3.1.9 and S1-S4 three times}
(δ1 ∧ γ1) : (A1 + A2 + A3) + (δ2 ∧ γ2) : (A1 + A2 + A3) + (δ3 ∧ γ3) : (A1 + A2 + A3)
= {Applying Lemma 3.1.11 and S1-S4 twice}
( ⋁i=1..3 (δi ∧ γi) ) : ( Σi=1..3 Ai )
□
3.5 Soundness
In the previous section, we provided axioms and inference rules to simplify
and manipulate terms in A. In this section, we prove the soundness of these
inference rules with respect to ∇-bisimulation. Formally, the soundness of
the proof system can be stated as follows
Theorem 3.1 If φ ⊢ t = u and φ is ⇑-closed then (t, D)ρ ∼∇ (u, D)ρ for any ρ ⊨ φ and D ⊆ A.
The usual way to prove soundness is to show that if φ ⊢ t = u and φ is ⇑-closed then t ∼φ u. However, as already noticed in [LY02], this approach does not work, in particular for GUARD and DEADLINE. For example, in order to derive φ ⊢ γ → t = u, we need to show φ ∧ γ ⊢ t = u and φ ∧ ¬γ ⊢ 0 = u. Note that even if φ is ⇑-closed, φ ∧ γ may not be ⇑-closed. For this reason, we first define an intermediate bisimulation relation, called bisimulation up to d and denoted ∼∇_d. We start by defining ∼∇_d formally.
Definition 3.1 (∇-bisimulation up to d) Two states p and q are ∇-bisimilar up to d̂, for d̂ ∈ R≥0, notation p ∼∇_d̂ q, if there is a family of symmetric relations Rd ⊆ S × S, 0 ≤ d ≤ d̂, such that
1. ∀d′ ∈ R≥0, d′ < d: if (p, q) ∈ Rd and p −d′→ p′ then ∃q′ : q −d′→ q′ and (p′, q′) ∈ Rd−d′.
2. ∀l ∈ {∆} ∪ A∇: if (p, q) ∈ Rd and p −l→ p′ then ∃q′ : q −l→ q′ and (p′, q′) ∈ Rd.
3. ∀a ∈ A: if (p, q) ∈ Rd and p −a→ p′ then ∃q′ : q −a→ q′ and p′ ∼∇ q′.
Lemma 3.4
1. If p ∼∇_d q for all d ∈ R≥0 then p ∼∇ q.
2. Let ρi and di, 0 ≤ i ≤ n, be such that ρi+1 = ρi + di for 0 ≤ i < n. If (t, D)ρi ∼∇_di (u, D)ρi for all i with 0 ≤ i ≤ n, then (t, D)ρ0 ∼∇_d (u, D)ρ0 where d = d0 + · · · + dn.
3. (t, D)ρ ∼∇_d̂ (u, D)ρ implies (t, D)(ρ + d̂′) ∼∇_d̂′′ (u, D)(ρ + d̂′) for any d̂′ ≤ d̂ and d̂′′ ≤ d̂ − d̂′.
4. ∼∇_d is transitive.
Proof: The proofs of items 1 and 2 proceed as in [LY02, Lemma 4.10]. The proof of item 4 follows standard arguments. For item 3, suppose {Rd}d≤d̂ witnesses (t, D)ρ ∼∇_d̂ (u, D)ρ. First notice that, for ((t, D)ρ, (u, D)ρ) ∈ Rd̂,
(t, D)ρ −∇A→ (t, A)ρ −d̂′→ (t, A)(ρ + d̂′) −∆→ (t, ∅)(ρ + d̂′) −∇D→ (t, D)(ρ + d̂′)
(by DROP, DELAY and UNDROP in Fig. 3.2) implies, by Def. 3.1, that
(u, D)ρ −∇A→ (u, A)ρ −d̂′→ (u, A)(ρ + d̂′) −∆→ (u, ∅)(ρ + d̂′) −∇D→ (u, D)(ρ + d̂′)
and ((t, D)(ρ + d̂′), (u, D)(ρ + d̂′)) ∈ Rd̂−d̂′. It is now straightforward to show that {R(d̂−d̂′)+d}d≤d̂′′ witnesses (t, D)(ρ + d̂′) ∼∇_d̂′′ (u, D)(ρ + d̂′). □
In the following lemmas we state some properties of deadlines and guards which will be used later to prove soundness.
Lemma 3.5 For d̂, d ∈ R≥0 and D ⊆ A:
1. (δ : t, D)ρ ∼∇_d̂ (t, D)ρ if for all d < d̂: ρ + d ⊨ ¬δ
2. (δ : t, D)ρ ∼∇_d̂ (tt : t, D)ρ if for all d < d̂: ρ + d ⊨ δ
3. (t, D)ρ ∼∇_d̂ (u, D)ρ implies (tt : t, D)ρ ∼∇_d̂ (tt : u, D)ρ
4. (γ → t, D)ρ ∼∇_d̂ (t, D)ρ if for all d ≤ d̂: ρ + d ⊨ γ
5. (γ → t, D)ρ ∼∇_d̂ (0, D)ρ if for all d ≤ d̂: ρ + d ⊨ ¬γ
Proof: It is routine to prove that the families {Rd ∪ Rd⁻¹}0≤d≤d̂, respectively defined as follows, satisfy the conditions of Def. 3.1.
1. Rd = {((δ : t, D)ρ, (t, D)ρ) | ∀d′ < d : ρ + d′ ⊨ ¬δ}
2. Rd = {((δ : t, D)ρ, (tt : t, D)ρ) | ∀d′ < d : ρ + d′ ⊨ δ}
3. Rd = {((tt : t, D)ρ, (tt : u, D)ρ) | (t, D)ρ ∼∇_d (u, D)ρ}
4. Rd = {((γ → t, D)ρ, (t, D)ρ) | ∀d′ ≤ d : ρ + d′ ⊨ γ}
5. Rd = {((γ → t, D)ρ, (0, D)ρ) | ∀d′ ≤ d : ρ + d′ ⊨ ¬γ}
□
Soundness rests on the following lemmas.
Lemma 3.6 If φ ⊢ t = u then (t, D)ρ ∼∇_d̂ (u, D)ρ for all D ⊆ A, ρ, and d̂ ∈ R≥0 such that ∀d ≤ d̂ : ρ + d ⊨ φ.
Proof: The proof proceeds by induction on the depth of the proof tree. The base case corresponds to the axioms. That is, for every axiom φ ⊢ t = u we find a family {Rd}d≤d̂ witnessing (t, D)ρ ∼∇_d̂ (u, D)ρ. This is routine and we omit it.
For the induction step, we consider the inference rules separately. For
each rule, we assume that the lemma holds in its premises and prove that
it also holds in its conclusion. We only show a few representative cases. In
particular, soundness of UFI is proved in Lemma 3.7.
ACTION: By induction, (t, D)ρ ∼∇_d̂ (u, D)ρ for any D, ρ, d̂ such that ∀d ≤ d̂ : (ρ + d) ⊨ φ↓x⇑. Since φ↓x⇑ is ⇑-closed, by Lemma 3.4.1, (t, D)ρ ∼∇ (u, D)ρ. We show that {Rd}d≤d̂ witnesses (a(x).t, D)ρ ∼∇_d̂ (a(x).u, D)ρ for all ρ such that ∀d ≤ d̂ : (ρ + d) ⊨ φ, where
Rd = {((a(x).t, D)ρ, (a(x).u, D)ρ) | D ⊆ A ∧ ∀d′ ≤ d̂ − d : ρ + d′ ⊨ φ ∧ ∀d′ ≤ d : (t, D)(ρ + d′){x := 0} ∼∇ (u, D)(ρ + d′){x := 0}}.
Assume ((a(x).t,D)ρ, (a(x).u,D)ρ) ∈ Rd. We do case analysis on all the four
possible type of transitions.
delay transition: By rule DELAY (Fig. 3.2), we have (for any $d'' \le d$) that
$$(a(x).t,D)\rho \xrightarrow{d''} (a(x).t,D)(\rho+d'') \quad\text{and}\quad (a(x).u,D)\rho \xrightarrow{d''} (a(x).u,D)(\rho+d'')$$
It remains to show that
$$((a(x).t,D)(\rho+d''),\,(a(x).u,D)(\rho+d'')) \in R_{d-d''}$$
Since $\forall d' \le \hat d - d : \rho+d' \models \phi$ holds by assumption, $\forall d' \le \hat d - d : (\rho+d')\{x{:=}0\} \models \phi{\downarrow_x}{\Uparrow}$ also holds by the definitions of $\downarrow_x$ and $\Uparrow$. By the induction hypothesis and the observation above, $\forall d' \le \hat d - d : (t,D)(\rho+d')\{x{:=}0\} \sim^\nabla (u,D)(\rho+d')\{x{:=}0\}$. In particular,
$$\forall d''' \le \hat d - (d - d'') : (\rho+d''+d''')\{x{:=}0\} \models \phi{\downarrow_x}{\Uparrow} \;\wedge\; (t,D)(\rho+d''+d''')\{x{:=}0\} \sim^\nabla (u,D)(\rho+d''+d''')\{x{:=}0\}$$
By the definition of $R_{d-d''}$, we finally have that
$$((a(x).t,D)(\rho+d''),\,(a(x).u,D)(\rho+d'')) \in R_{d-d''}$$
drop and undrop transition: Let $l \in \{\Delta\} \cup \mathcal{A}^\nabla$. Then, by DROP or UNDROP (Fig. 3.2), $(a(x).t,D)\rho \xrightarrow{l} (a(x).t,E)\rho$ and $(a(x).u,D)\rho \xrightarrow{l} (a(x).u,E)\rho$ for any $E \subseteq \mathcal{A}$. Besides, $((a(x).t,E)\rho,\,(a(x).u,E)\rho) \in R_d$, since for all $d' \le \hat d - d$, $(\rho+d') \models \phi$ implies $(\rho+d')\{x{:=}0\} \models \phi{\downarrow_x}{\Uparrow}$ and by induction $(t,E)(\rho+d')\{x{:=}0\} \sim^\nabla (u,D)(\rho+d')\{x{:=}0\}$.
discrete transition: By ACTION (Fig. 3.2), $(a(x).t,D)\rho \xrightarrow{a} (t,\emptyset)\rho\{x{:=}0\}$ and $(a(x).u,D)\rho \xrightarrow{a} (u,\emptyset)\rho\{x{:=}0\}$. Moreover, since $\rho \models \phi$ by assumption, $\rho\{x{:=}0\} \models \phi{\downarrow_x}{\Uparrow}$, and hence $(t,\emptyset)\rho\{x{:=}0\} \sim^\nabla (u,D)\rho\{x{:=}0\}$ by induction.
DEADLINE: We need to prove that $(\delta : t,D)\rho \sim^\nabla_d (u,D)\rho$ for all $\rho$ s.t. $\forall d \le \hat d : (\rho+d) \models \phi$. The interval $[\rho, \rho+\hat d)$ can be divided by regions into finitely many subintervals $[\rho_0,\rho_1), [\rho_1,\rho_1], (\rho_1,\rho_2), \ldots, [\rho_n,\rho_n], (\rho_n,\rho_{n+1})$, where $\rho_0 = \rho$ and $\rho_{i+1} = \rho_i + d_i$ for some $d_0,\ldots,d_n$ s.t. $\sum_{i=0}^{n} d_i = d$, in such a way that each point $[\rho_i,\rho_i]$ or interval $(\rho_i,\rho_i+d_i)$ is entirely contained in a region (so they are entirely contained in $\phi \wedge \neg\delta$ or in $\phi \wedge \delta$). By Lemma 3.4.2, it is enough to prove $(\delta : t,D)\rho_i \sim^\nabla_{d_i} (u,D)\rho_i$ for all $1 \le i \le n$. We only consider the case of intervals $(\rho_i,\rho_i+d_i)$; the others follow in a similar manner.
Case $(\rho_i,\rho_i+d_i) \models \phi \wedge \neg\delta$. By Lemma 3.5.1, $(\delta : t,D)\rho_i \sim^\nabla_{d_i} (t,D)\rho_i$. Besides, by induction and Lemma 3.4.3, $(t,D)\rho_i \sim^\nabla_{d_i} (u,D)\rho_i$. Hence, by transitivity of $\sim^\nabla_{d_i}$, $(\delta : t,D)\rho_i \sim^\nabla_{d_i} (u,D)\rho_i$.
Case $(\rho_i,\rho_i+d_i) \models \phi \wedge \delta$. By Lemma 3.5.2, $(\delta : t,D)\rho_i \sim^\nabla_{d_i} (\mathit{tt} : t,D)\rho_i$. By induction and Lemma 3.4.3, $(\mathit{tt} : t,D)\rho_i \sim^\nabla_{d_i} (u,D)\rho_i$. Therefore, by transitivity of $\sim^\nabla_{d_i}$, we have $(\delta : t,D)\rho_i \sim^\nabla_{d_i} (u,D)\rho_i$.
GUARD: Using a similar argument as in DEADLINE, we only need to prove that $(\gamma \to t,D)\rho_i \sim^\nabla_{d_i} (u,D)\rho_i$ for all $1 \le i \le n$.
Case $(\rho_i,\rho_i+d_i) \models \phi \wedge \gamma$:
$\Rightarrow$ {By Lemma 3.5.4}
$(\gamma \to t,D)\rho_i \sim^\nabla_{d_i} (t,D)\rho_i$
$\Rightarrow$ {By transitivity of $\sim^\nabla_{d_i}$, since $(t,D)\rho_i \sim^\nabla_{d_i} (u,D)\rho_i$ by induction and Lemma 3.4.3}
$(\gamma \to t,D)\rho_i \sim^\nabla_{d_i} (u,D)\rho_i$
Case $(\rho_i,\rho_i+d_i) \models \phi \wedge \neg\gamma$:
$\Rightarrow$ {By Lemma 3.5.5}
$(\gamma \to t,D)\rho_i \sim^\nabla_{d_i} (\mathbf{0},D)\rho_i$
$\Rightarrow$ {By induction and Lemma 3.4.3, $(\mathbf{0},D)\rho_i \sim^\nabla_{d_i} (u,D)\rho_i$; then by transitivity of $\sim^\nabla_{d_i}$}
$(\gamma \to t,D)\rho_i \sim^\nabla_{d_i} (u,D)\rho_i$
SUBSTITUTION on choice: Suppose $(t,D)\rho \sim^\nabla_{\hat d} (u,D)\rho$, and suppose $\{R_d\}_{0 \le d \le \hat d}$ witnesses it. We show that $\{R'_d\}_{0 \le d \le \hat d}$ with $R'_d = \{((t+s,D)\rho,\,(u+s,D)\rho) \mid ((t,D)\rho,\,(u,D)\rho) \in R_d\}$ witnesses $(t+s,D)\rho \sim^\nabla_{\hat d} (u+s,D)\rho$. For all $d \le \hat d$, suppose $((t+s,D)\rho,\,(u+s,D)\rho) \in R'_d$. We show the case of the delay transition; the other cases are easier. For $d' < d$ we calculate:
$(t+s,D)\rho \xrightarrow{d'} (t+s,D)(\rho+d')$
$\Leftrightarrow$ {By definition of DELAY}
$\forall d'' < d' : (\rho+d'') \models \neg\mathit{dl}(t+s,D)$
$\Leftrightarrow$ {By definition of $\mathit{dl}$}
$\forall d'' < d' : (\rho+d'') \models \neg(\mathit{dl}(t,D) \vee \mathit{dl}(s,D))$
$\Leftrightarrow$ {Logic}
$\forall d'' < d' : (\rho+d'') \models \neg\mathit{dl}(t,D)$ and $\forall d'' < d' : (\rho+d'') \models \neg\mathit{dl}(s,D)$
$\Leftrightarrow$ {By definition of DELAY}
$(t,D)\rho \xrightarrow{d'} (t,D)(\rho+d')$ and $\forall d'' < d' : (\rho+d'') \models \neg\mathit{dl}(s,D)$
$\Rightarrow$ {Since $((t,D)\rho,\,(u,D)\rho) \in R_d$}
$(u,D)\rho \xrightarrow{d'} (u,D)(\rho+d')$, $((t,D)(\rho+d'),\,(u,D)(\rho+d')) \in R_{d-d'}$ and $\forall d'' < d' : (\rho+d'') \models \neg\mathit{dl}(s,D)$
$\Leftrightarrow$ {By definition of DELAY and $R'_{d-d'}$}
$\forall d'' < d' : (\rho+d'') \models \neg\mathit{dl}(t,D)$, $\forall d'' < d' : (\rho+d'') \models \neg\mathit{dl}(s,D)$ and $((t+s,D)(\rho+d'),\,(u+s,D)(\rho+d')) \in R'_{d-d'}$
$\Leftrightarrow$ {Logic}
$\forall d'' < d' : (\rho+d'') \models \neg(\mathit{dl}(u,D) \vee \mathit{dl}(s,D))$ and $((t+s,D)(\rho+d'),\,(u+s,D)(\rho+d')) \in R'_{d-d'}$
$\Leftrightarrow$ {By definition of $\mathit{dl}$ and DELAY}
$(u+s,D)\rho \xrightarrow{d'} (u+s,D)(\rho+d')$ and $((t+s,D)(\rho+d'),\,(u+s,D)(\rho+d')) \in R'_{d-d'}$
SUBSTITUTION on urgency: First of all notice that if $(t,D)\rho \sim^\nabla_{\hat d} (u,D)\rho$ then $\rho \models \mathit{gd}(t,D)$ iff $\rho \models \mathit{gd}(u,D)$. From Lemma 3.4.3 it follows that $(\rho+d) \models \mathit{gd}(t,D)$ iff $(\rho+d) \models \mathit{gd}(u,D)$ for all $d < d'$. Call this observation $(\star)$. From this observation notice that $(\rho+d) \models \mathit{gd}(t, I(t) - I(u)) \Leftrightarrow \mathit{ff}$ for all $d < d'$ and hence $(\rho+d) \models \neg\mathit{dl}(\mathit{tt} : t, I(t) - I(u)) \Leftrightarrow \mathit{dl}(\mathit{tt} : u, I(t) - I(u))$. Symmetrically, it holds with $t$ and $u$ exchanged. So, w.l.o.g., we will suppose that $I(t) = I(u)$.
Now we proceed in a similar fashion as in the previous case. Define $R'_d = \{((\mathit{tt} : t,D)\rho,\,(\mathit{tt} : u,D)\rho) \mid ((t,D)\rho,\,(u,D)\rho) \in R_d\}$ provided $\{R_d\}_{0 \le d \le \hat d}$ witnesses $(t,D)\rho \sim^\nabla_{\hat d} (u,D)\rho$. For all $d \le \hat d$, suppose $((\mathit{tt} : t,D)\rho,\,(\mathit{tt} : u,D)\rho) \in R'_d$. We show the case of the delay transition; the other cases are easier, and in this case we only consider $I(t) \cap D \ne \emptyset$ (and hence $I(u) \cap D \ne \emptyset$), since the case $I(t) \cap D = \emptyset$ is simpler. For $d' < d$ we calculate:
$(\mathit{tt} : t,D)\rho \xrightarrow{d'} (\mathit{tt} : t,D)(\rho+d')$
$\Leftrightarrow$ {By definition of DELAY}
$\forall d'' < d' : (\rho+d'') \models \neg\mathit{dl}(\mathit{tt} : t,D)$
$\Leftrightarrow$ {By definition of $\mathit{dl}$}
$\forall d'' < d' : (\rho+d'') \models \neg((\mathit{tt} \wedge \mathit{gd}(t,D)) \vee \mathit{dl}(t,D))$
$\Leftrightarrow$ {Logic}
$\forall d'' < d' : (\rho+d'') \models \neg\mathit{gd}(t,D)$ and $\forall d'' < d' : (\rho+d'') \models \neg\mathit{dl}(t,D)$
$\Leftrightarrow$ {By definition of DELAY}
$\forall d'' < d' : (\rho+d'') \models \neg\mathit{gd}(t,D)$ and $(t,D)\rho \xrightarrow{d'} (t,D)(\rho+d')$
$\Rightarrow$ {Since $((t,D)\rho,\,(u,D)\rho) \in R_d$ and by observation $(\star)$}
$\forall d'' < d' : (\rho+d'') \models \neg\mathit{gd}(u,D)$, $(u,D)\rho \xrightarrow{d'} (u,D)(\rho+d')$, and $((t,D)(\rho+d'),\,(u,D)(\rho+d')) \in R_{d-d'}$
$\Leftrightarrow$ {Following the inverse reasoning and by definition of $R'_{d-d'}$}
$(\mathit{tt} : u,D)\rho \xrightarrow{d'} (\mathit{tt} : u,D)(\rho+d')$ and $((\mathit{tt} : t,D)(\rho+d'),\,(\mathit{tt} : u,D)(\rho+d')) \in R_{d-d'}$
□
The next lemma states soundness of UFI, which amounts to proving that every set of equations has a unique solution.
Lemma 3.7 Let terms $v_i$ ($i \in I$) contain at most the variables $X_i$ ($i \in I$), which occur only guarded. Then, if
1. $(t_j,D)\rho \sim^\nabla (v_j[t_i/X_i \mid i \in I],D)\rho$ and
2. $(u_j,D)\rho \sim^\nabla (v_j[u_i/X_i \mid i \in I],D)\rho$
then
$(t_j,D)\rho \sim^\nabla (u_j,D)\rho$
for all $j \in I$, $D \subseteq \mathcal{A}$, and valuations $\rho$.
Proof: We show that
$$R = \{((v[\tilde t/\tilde X],D)\rho,\,(v[\tilde u/\tilde X],D)\rho) \mid \mathit{Vars}(v) \subseteq \{X_i \mid i \in I\}\}$$
is a timed bisimulation up to $\sim^\nabla$ (we let $[\tilde s/\tilde X]$ denote $[s_i/X_i \mid i \in I]$). First notice that $R$ is symmetric. The proof of the transfer property proceeds by case analysis on the type of the transition. Cases $\nabla A$ and $\Delta$ are straightforward. Case $a \in \mathcal{A}$ follows by induction on the proof tree, doing case analysis on the form of $v$ as in Proposition 14, Sec. 4.5 of [Mil89a]. For the delay transition, we first consider the case in which $v \equiv X_j$.
Suppose that $(X_j[\tilde t/\tilde X],D)\rho \xrightarrow{d} (X_j[\tilde t/\tilde X],D)(\rho+d)$. Notice that $X_j[\tilde t/\tilde X] \equiv t_j$ and $(t_j,D)\rho \sim^\nabla (v_j[\tilde t/\tilde X],D)\rho$. Hence $(v_j[\tilde t/\tilde X],D)\rho \xrightarrow{d} (v_j[\tilde t/\tilde X],D)(\rho+d)$ and $(X_j[\tilde t/\tilde X],D)(\rho+d) \sim^\nabla (v_j[\tilde t/\tilde X],D)(\rho+d)$ (†). By DELAY, $\forall d' < d : \rho+d' \models \neg\mathit{dl}(v_j[\tilde t/\tilde X],\mathcal{A}-D)$. Since all $X_i$ are guarded in $v_j$, $\mathit{dl}(v_j[\tilde t/\tilde X],\mathcal{A}-D) = \mathit{dl}(v_j[\tilde u/\tilde X],\mathcal{A}-D)$ and from here $(v_j[\tilde u/\tilde X],D)\rho \xrightarrow{d} (v_j[\tilde u/\tilde X],D)(\rho+d)$. Noticing that $v_j[\tilde u/\tilde X] \equiv u_j \equiv X_j[\tilde u/\tilde X]$, we have that $(X_j[\tilde u/\tilde X],D)\rho \xrightarrow{d} (X_j[\tilde u/\tilde X],D)(\rho+d)$ and $(v_j[\tilde u/\tilde X],D)(\rho+d) \sim^\nabla (X_j[\tilde u/\tilde X],D)(\rho+d)$ (‡). Using (†) and (‡), conclude that $(X_j[\tilde t/\tilde X],D)(\rho+d) \;\sim^\nabla \circ R \circ \sim^\nabla\; (X_j[\tilde u/\tilde X],D)(\rho+d)$. From here and Theorem 2.1, $\mathit{dl}(t_j,D) \Leftrightarrow \mathit{dl}(u_j,D)$ for any $j \in I$ and $D \subseteq \mathcal{A}$. Using this fact and induction on the structure of $v$, it is routine to prove that $\mathit{dl}(v[\tilde t/\tilde X],D) \Leftrightarrow \mathit{dl}(v[\tilde u/\tilde X],D)$. Using this equivalence, the proof of the transfer property on the delay transition for an arbitrary $v$ is straightforward.
□
3.6 Completeness
In this section, we present the completeness theorem of the proof system, that is, whenever $t \sim^\phi u$ then $\phi \vdash t = u$. The proof of the theorem follows the arguments used by Milner [Mil84, Mil89b]. That is, we will first show that any term $t$ can provably satisfy a special kind of equation $E$, called the standard equation (Lemma 3.8). Next we prove that if $t \sim^\phi u$ then both $t$ and $u$ provably satisfy a common standard equation $E$ (Lemma 3.9). Finally, from these two results we shall conclude $\phi \vdash t = u$ (Theorem 3.2).
3.6.1 Transforming Sets of Equations
First, we formally define equations, standard equations and what it means for a term to provably $\tilde\phi$-satisfy an equation.
Definition 3.2 An equation set
E : {Xi = ui | i ∈ I}
is a finite non-empty indexed set of declarations, where the Xi’s are pairwise dis-
tinct process variables, and the ui’s are terms.
Definition 3.3 Given a vector of conditions $\tilde\phi = \{\phi_i \mid i \in I\}$ and a vector of terms $\tilde t = \{t_i \mid i \in I\}$, we say that
$\tilde t$ provably $\tilde\phi$-satisfies a set of equations $E : \{X_i = u_i \mid i \in I\}$
iff, for all $i \in I$,
$$\phi_i \vdash t_i = u_i[\tilde\phi \to \tilde t/\tilde X]$$
Alternatively, we say that $t$ provably $\phi$-satisfies $E$ to mean that $\tilde t$ provably $\tilde\phi$-satisfies $E$ when $\phi = \phi_1$ and $t = t_1$.
Definition 3.4 An equation set $E$ is standard iff each equation of $E$ is of the form
$$X_i = \sum_{a \in \mathcal{A}} \delta_{ia} : \sum_{k \in K_{ia}} \gamma_{ika} \to a(x_{ika}).X_{f(i,k,a)} + \sum_{W \in V} \delta_{iW} : \gamma_{iW} \to W \qquad (3.48)$$
where the vector $X_i$ is disjoint from the set $V$, for all $a \in \mathcal{A}$, $\delta_{ia} \Rightarrow \bigvee_{k \in K_{ia}} \gamma_{ika}$, and for all $W \in V$, $\delta_{iW} \Rightarrow \gamma_{iW}$. We call the $X_i$ the formal variables of $E$, and $W \in V$ the free variables of $E$. The set of equations $E$ is called closed if $V = \emptyset$.
For example, $\{X_1 = (x_1 \ge 1) : (x_1 \ge 1) \to a_1(x_2).X_2 + \mathit{ff} : \mathit{tt} \to W,\; X_2 = (2 \le x_2 < 3) : ((x_2 < x_1) \to a_2(x_1).X_1 + (x_2 \ge x_1) \to a_2(x_2).X_2)\}$ is a standard set of equations, with formal variable set $X = \{X_1, X_2\}$ and free variable set $V = \{W\}$.
Lemma 3.8 For any guarded term t with free variables V there exists a set of stan-
dard equations E, with free process variables in V, which is provably tt-satisfied
by t. In particular, if t is closed so is E.
Proof: As in [Mil89b], we proceed by induction on the structure of $t$. We only report the most relevant cases.
Case $t \equiv \mathbf{0}$: It is easy to check that $E$ containing the only equation
$$X = \sum_{a \in \mathcal{A}} \mathit{ff} : \mathit{ff} \to a(\emptyset).X + \sum_{W \in V} \mathit{ff} : \mathit{ff} \to W$$
is satisfied by $\mathbf{0}$ (recall Lemma 3.1.15).
Case $t \equiv X$, $X \in V$: Again by Lemma 3.1.15 the equation
$$E : \Big\{ X_1 = \sum_{a \in \mathcal{A}} \mathit{ff} : \mathit{ff} \to a(\emptyset).X_1 + \sum_{W \in V-\{X\}} \mathit{ff} : \mathit{ff} \to W + \mathit{ff} : \mathit{tt} \to X \Big\}$$
is satisfied by $X$.
Case t ≡ t′ + t′′: By induction, t′ and t′′ satisfy sets of standard equations.
Let them be E′ and E′′, respectively. Define the set of equations E contain-
ing all equations in E′ and E′′ and the new equation
$$X_1 = \sum_{a \in \mathcal{A}} (\delta'_{1a} \vee \delta''_{1a}) : \Big( \sum_{k' \in K'_{1a}} \gamma'_{1k'a} \to a(x_{1k'a}).X'_{f'(1,k',a)} + \sum_{k'' \in K''_{1a}} \gamma''_{1k''a} \to a(x_{1k''a}).X''_{f''(1,k'',a)} \Big) + \sum_{W \in V} (\delta'_W \vee \delta''_W) : (\gamma'_{iW} \vee \gamma''_{iW}) \to W \qquad (3.49)$$
provided
$$X'_1 = \sum_{a \in \mathcal{A}} \delta'_{1a} : \sum_{k' \in K'_{1a}} \gamma'_{1k'a} \to a(x_{1k'a}).X'_{f'(1,k',a)} + \sum_{W \in V} \delta'_{1W} : \gamma'_{1W} \to W \qquad (3.50)$$
in $E'$ and similarly $X''_1$ in $E''$. Call $r_1$ the right-hand side in equation (3.49). Similarly, call $r'_1$ and $r''_1$ the respective right-hand sides in the equations for $X'_1$ in $E'$ and $X''_1$ in $E''$ (see equation (3.50)). Using Lemmas 3.2 and 3.3, the reader should be able to show that $r_1 = r'_1 + r''_1$, from which this case is proved.
Case $t \equiv \mathrm{fix}_X t'$: By induction, $t'$ satisfies a set of standard equations $E'$ with free variables in $V$, $X \in V$. For every equation $X_i = r'_i$ in $E'$ (definitions for $E'$ are as in (3.48)) we define a new equation $X_i = r_i$ in $E$ where each $r_i$ is defined from $r'_i$ by appropriately replacing variable $X$. For the distinguished variable $X_1$ we define:
$$X_1 = \sum_{a \in \mathcal{A}} \delta_{1a} : \sum_{k \in K_{1a}} \gamma_{1ka} \to a(x_{1ka}).X_{f(1,k,a)} + \sum_{W \in V-\{X\}} \delta_{1W} : \gamma_{1W} \to W$$
Call $r_1$ the right-hand side of the equation. Notice that $r_1$ is like $r'_1$ except that it omits the summand $\mathit{ff} : \mathit{ff} \to X$ (since $X$ does not occur unguarded in $t'$, $X$ must be guarded by predicate $\mathit{ff}$). For $1 < i \le |E'|$ we calculate the new equation as follows (the calculations make use of Lemmas 3.2 and 3.3).
$$\begin{aligned}
X_i &= r'_i[r_1/X] \\
&= \sum_{a \in \mathcal{A}} \delta_{ia} : \sum_{k \in K_{ia}} \gamma_{ika} \to a(x_{ika}).X_{f(i,k,a)} + \sum_{W \in V-\{X\}} \delta_{iW} : \gamma_{iW} \to W \\
&\quad + \delta_{iX} : \gamma_{iX} \to \Big( \sum_{a \in \mathcal{A}} \delta_{1a} : \sum_{k \in K_{1a}} \gamma_{1ka} \to a(x_{1ka}).X_{f(1,k,a)} + \sum_{W \in V-\{X\}} \delta_{1W} : \gamma_{1W} \to W \Big) \\
&= \sum_{a \in \mathcal{A}} \delta_{ia} : \sum_{k \in K_{ia}} \gamma_{ika} \to a(x_{ika}).X_{f(i,k,a)} + \sum_{W \in V-\{X\}} \delta_{iW} : \gamma_{iW} \to W \\
&\quad + \sum_{a \in \mathcal{A}} \big((\delta_{iX} \vee \delta_{1a}) \wedge \gamma_{iX} \wedge \textstyle\bigvee_{k \in K_{1a}} \gamma_{1ka}\big) : \sum_{k \in K_{1a}} (\gamma_{iX} \wedge \gamma_{1ka}) \to a(x_{1ka}).X_{f(1,k,a)} \\
&\quad + \sum_{W \in V-\{X\}} ((\delta_{iX} \vee \delta_{1W}) \wedge \gamma_{iX} \wedge \gamma_{1W}) : (\gamma_{iX} \wedge \gamma_{1W}) \to W \\
&= \sum_{a \in \mathcal{A}} \big(\delta_{ia} \vee ((\delta_{iX} \vee \delta_{1a}) \wedge \gamma_{iX} \wedge \textstyle\bigvee_{k \in K_{1a}} \gamma_{1ka})\big) : \sum_{k \in K_{1a}} (\gamma_{iX} \wedge \gamma_{1ka}) \to a(x_{1ka}).X_{f(1,k,a)} + \sum_{k \in K_{ia}} \gamma_{ika} \to a(x_{ika}).X_{f(i,k,a)} \\
&\quad + \sum_{W \in V-\{X\}} (\delta_{iW} \vee ((\delta_{iX} \vee \delta_{1W}) \wedge \gamma_{iX} \wedge \gamma_{1W})) : (\gamma_{iW} \vee (\gamma_{iX} \wedge \gamma_{1W})) \to W
\end{aligned}$$
Let $t'_i$, $i \in I$, be the set of terms that witnesses that $t'$ ($= t'_1$) satisfies $E'$. Noticing that $r_1 + \mathit{ff} : \mathit{ff} \to X \equiv r'_1$, the reader should not find difficulties in proving that the set of terms $t_i \equiv t'_i[t/X]$, $i \in I$, witnesses that $t$ ($= t_1$) satisfies $E$. (The proof needs REC.) □
3.6.2 Completeness of the Proof System for Guarded Terms
Lemma 3.9 For closed terms $t$ and $u$, if $t \sim^\phi u$ then there exists $\phi'$ such that $\phi \Rightarrow \phi'$ and a standard closed equation set $E$ which is provably $\phi'$-satisfied by both $t$ and $u$.
Proof: Let the sets of clock variables of $t$ and $u$ be $\mathbf{x}$ and $\mathbf{y}$, respectively, with $\mathbf{x} \cap \mathbf{y} = \emptyset$. According to Lemma 3.8, let $E_1$ and $E_2$ be the standard closed equation sets which $t$ and $u$ provably $\mathit{tt}$-satisfy, respectively:
$$E_1 : \{X_i = \sum_{a \in \mathcal{A}} \delta_{ia} : \sum_{k \in K_{ia}} \gamma_{ika} \to a(x_{ika}).X_{f(i,k,a)} \mid i \in I\}$$
$$E_2 : \{Y_j = \sum_{a \in \mathcal{A}} \delta'_{ja} : \sum_{l \in L_{ja}} \gamma'_{jla} \to a(x_{ila}).X_{g(j,l,a)} \mid j \in J\}$$
So there are $\tilde t = \{t_i \mid i \in I\}$ and $\tilde u = \{u_j \mid j \in J\}$ such that $t_1 = t$, $u_1 = u$, and
$$t_i = \sum_{a \in \mathcal{A}} \delta_{ia} : \sum_{k \in K_{ia}} \gamma_{ika} \to a(x_{ika}).t_{f(i,k,a)} \qquad (3.51)$$
$$u_j = \sum_{a \in \mathcal{A}} \delta'_{ja} : \sum_{l \in L_{ja}} \gamma'_{jla} \to a(x_{ila}).u_{g(j,l,a)} \qquad (3.52)$$
For each pair $i, j$ let $\Phi_{ij} = \{\omega \in \mathcal{RC}(\mathbf{x}\mathbf{y}) \mid t_i \sim^{\omega\Uparrow} u_j\}$. Set $\varphi_{ij} = \bigvee \Phi_{ij}$. By the definition of $\Phi_{ij}$, $\varphi_{ij}$ is the weakest condition over which $t_i$ and $u_j$ are symbolically bisimilar, that is, $\psi \Rightarrow \varphi_{ij}$ for any $\psi$ such that $t_i \sim^\psi u_j$. In particular, $\phi \Rightarrow \varphi_{11}$. Also, for any $\omega \in \Phi_{ij}$ and $a \in \mathcal{A}$, $\omega \models \delta_{ia} \Leftrightarrow \delta'_{ja}$.
For each $a \in \mathcal{A}$ and $\omega \in \Phi_{ij}$, let
$$I^{a\omega}_{ij} = \{(k,l) \mid \omega \models \gamma_{ika} \wedge \gamma'_{jla} \text{ and } t_{f(i,k,a)} \sim^{\omega\downarrow_{x_{ik}y_{jl}}\Uparrow} u_{g(j,l,a)}\}$$
and define the set $E$ containing the equations
$$Z_{ij} = \sum_{a \in \mathcal{A}} \delta_{ia} : \sum_{\omega \in \Phi_{ij}} \omega \to \sum_{(k,l) \in I^{a\omega}_{ij}} a(x_{ika}y_{jla}).Z_{f(i,k,a)g(j,l,a)}$$
We claim that $E$ is provably $\varphi_{11}$-satisfied by $t$ (resp. $u$) when each $Z_{ij}$ is instantiated with $t_i$ (resp. $u_j$) over $\varphi_{ij}$. We only prove the case of $t$; the case of $u$ proceeds in a similar manner. For each $i$ and $j$, we have to prove that
$$\varphi_{ij} \vdash t_i = \sum_{a \in \mathcal{A}} \delta_{ia} : \sum_{\omega \in \Phi_{ij}} \omega \to \sum_{(k,l) \in I^{a\omega}_{ij}} a(x_{ika}y_{jla}).\varphi_{f(i,k,a)g(j,l,a)} \to t_{f(i,k,a)}$$
Because of (3.51) and soundness on the one hand, and CHOICE and Lemma 3.1.10 on the other hand, it suffices to prove the equivalence of each $a$-summand, that is, it suffices to prove that for all $a \in \mathcal{A}$,
$$\varphi_{ij} \vdash \sum_{k \in K_{ia}} \gamma_{ika} \to a(x_{ika}).t_{f(i,k,a)} = \sum_{\omega \in \Phi_{ij}} \omega \to \sum_{(k,l) \in I^{a\omega}_{ij}} a(x_{ika}y_{jla}).\varphi_{f(i,k,a)g(j,l,a)} \to t_{f(i,k,a)}$$
Since the elements of $\Phi_{ij}$ are mutually disjoint, by Lemmas 3.1.1 and 3.1.18, it is sufficient to show that, for each $\omega \in \Phi_{ij}$,
$$\omega \vdash \sum_{k \in K_{ia}} \gamma_{ika} \to a(x_{ika}).t_{f(i,k,a)} = \sum_{(k,l) \in I^{a\omega}_{ij}} a(x_{ika}y_{jla}).\varphi_{f(i,k,a)g(j,l,a)} \to t_{f(i,k,a)}$$
By definition of $I^{a\omega}_{ij}$, we have that $t_{f(i,k,a)} \sim^{\omega\downarrow_{x_{ika}y_{jla}}\Uparrow} u_{g(j,l,a)}$. Hence, from the definition of $\Phi_{f(i,k,a)g(j,l,a)}$,
$$\omega\downarrow_{x_{ika}y_{jla}}\Uparrow \;\Rightarrow\; \varphi_{f(i,k,a)g(j,l,a)} \qquad (3.53)$$
Under the assumption that $\omega$ holds, we calculate:
$\sum_{(k,l) \in I^{a\omega}_{ij}} a(x_{ika}y_{jla}).\varphi_{f(i,k,a)g(j,l,a)} \to t_{f(i,k,a)}$
$=$ {By Lemma 3.1.17 from left to right}
$\sum_{(k,l) \in I^{a\omega}_{ij}} a(x_{ika}y_{jla}).\omega\downarrow_{x_{ik}y_{jl}}\Uparrow \to \varphi_{f(i,k,a)g(j,l,a)} \to t_{f(i,k,a)}$
$=$ {Lemma 3.1.5 and (3.53)}
$\sum_{(k,l) \in I^{a\omega}_{ij}} a(x_{ika}y_{jla}).\omega\downarrow_{x_{ik}y_{jl}}\Uparrow \to t_{f(i,k,a)}$
$=$ {By Lemma 3.1.17 from right to left}
$\sum_{(k,l) \in I^{a\omega}_{ij}} a(x_{ika}y_{jla}).t_{f(i,k,a)}$
$=$ {By THINNING}
$\sum_{(k,l) \in I^{a\omega}_{ij}} a(x_{ika}).t_{f(i,k,a)}$
$=$ {By Lemma 3.1.1 and SUBSTITUTION, since $\omega \models \gamma_{ika}$}
$\sum_{(k,l) \in I^{a\omega}_{ij}} \gamma_{ika} \to a(x_{ika}).t_{f(i,k,a)}$
$=$ {By the claim below, using Lemma 3.1.15 and S1–S4 (†)}
$\sum_{k \in K_{ia}} \gamma_{ika} \to a(x_{ika}).t_{f(i,k,a)}$
It only remains to prove equality (†) and the proof of the lemma will be complete. For this, notice that $\{k \mid (k,l) \in I^{a\omega}_{ij}\} \subseteq K_{ia}$. Therefore, to prove (†), it suffices to show the following claim.
Claim 3.1 If $k \in K_{ia} - \{k \mid (k,l) \in I^{a\omega}_{ij}\}$ then $\omega \Rightarrow \neg\gamma_{ika}$.
Proof of claim. By contradiction, suppose $\omega \Rightarrow \neg\gamma_{ika}$ is not the case, which is equivalent to saying $\omega \Rightarrow \gamma_{ika}$ since $\omega$ is a region. Suppose $k \in K_{ia}$. Then $t \xrightarrow{a,\gamma,\delta,x_{ika}} t_{f(i,k,a)}$ with $\omega \Rightarrow \gamma$. Besides, since $\omega \in \Phi_{ij}$, $t_i \sim^{\omega\Uparrow} u_j$. Then there is an $(\omega\Uparrow \wedge \gamma)$-partition $\Phi$ s.t. for all $\phi \in \Phi$, $u_i \xrightarrow{a,\gamma',\delta',y'} u'$, $\phi \Rightarrow \gamma'$ and $t_{f(i,k,a)} \sim^{\phi\downarrow_{x_{ika}y'}\Uparrow} u'$. In particular this occurs for some $\phi$ s.t. $\omega \Rightarrow \phi$. Then, by soundness of equality, there must exist a summand $\gamma'_{jla} \to a(y_{jla}).u_{g(j,l,a)}$ in (3.52), with $y_{jla} = y'$, $u_{g(j,l,a)} \sim^{\omega\downarrow_{y_{jla}}\Uparrow} u'$, and $\omega \Rightarrow (\gamma' \wedge \gamma'_{jla})$. But then $\omega \Rightarrow (\gamma_{ika} \wedge \gamma'_{jla})$, and hence $(k,l) \in I^{a\omega}_{ij}$ by definition of $I^{a\omega}_{ij}$. □
Lemma 3.10 If both $t$ and $u$ provably $\phi$-satisfy an equation set $E$ then $\phi \vdash t = u$.
The proof of Lemma 3.10 proceeds as in Proposition 5.4 of [LY02]. The completeness of the proof system is a direct consequence of Lemma 3.9 and Lemma 3.10:
Theorem 3.2 For closed terms $t$ and $u$, if $t \sim^\phi u$ then $\phi \vdash t = u$.
Proof: Since $t \sim^\phi u$ and $t$ and $u$ are closed terms, by Lemma 3.9 there exists a set of equations $E$ which is $\phi'$-satisfied by $t$ and $u$, with $\phi' \Rightarrow \phi$. By Lemma 3.10, $\phi' \vdash t = u$. Since $\phi \Rightarrow \phi'$, $\phi \vdash t = u$ by RESTRICTION. □
3.6.3 Completeness of the Proof System for all A
In the following we show completeness for all closed terms. The strategy
of proof is similar to [Mil89b] and it stands on the following lemma.
72 3. Axiomatization of Timed Automata with Deadlines
Lemma 3.11 Let $t$ be a term in which $X$ occurs free and unguarded only outside the scope of a recursion. Then there are predicates $\delta$ and $\gamma$ and a term $u$ in which $X$ does not occur unguarded such that $t = u + \delta : \gamma \to X$.
Proof: The proof proceeds by structural induction. For $t$ having the form $\mathbf{0}$, $a(x).t'$, $\mathrm{fix}_Z t'$ ($Z$ being $X$ or any other variable), or a variable different from $X$, the lemma holds trivially. For the other cases we proceed as follows.
Case $t \equiv X$: Using axiom S1 and Lemmas 3.1.1 and 3.1.2, it is easy to show that $X = \mathbf{0} + \mathit{ff} : \mathit{tt} \to X$.
Case $t \equiv t_1 + t_2$: By induction $t_i = u_i + \delta_i : \gamma_i \to X$, $i = 1,2$. Using Lemmas 3.1.12 and 3.2, and axioms S3 and S4, it is possible to show that $t = u_1 + u_2 + ((\delta_1 \wedge \gamma_1) \vee (\delta_2 \wedge \gamma_2)) : (\gamma_1 \vee \gamma_2) \to X$.
Case $t \equiv \gamma \to t'$: By induction $t' = u' + \delta' : \gamma' \to X$. Then $t = \gamma \to u' + \delta : (\gamma \wedge \gamma') \to X$ by Lemmas 3.1.6 and 3.1.5.
Case $t \equiv \delta : t'$: By induction $t' = u' + \delta' : \gamma' \to X$. Then $t = \delta : u' + (\delta \vee \delta') : \gamma' \to X$ by Lemmas 3.1.9 and 3.1.8. □
Theorem 3.3 For every term $t$ there exists a guarded term $t'$ s.t. $t = t'$ is provable.
Proof: By induction we actually prove that for any $t$ there is a $t'$ s.t.
1. $X$ is guarded in $t'$;
2. no free unguarded occurrence of any variable $Y$ in $t'$ lies within a recursion in $t'$; and
3. $\mathrm{fix}_X t = \mathrm{fix}_X t'$
from which the theorem follows. Suppose that 1, 2, and 3 hold for every $u$ with recursion depth less than that of $t$. (The case when $t$ contains no recursion follows in a similar manner.) Take a recursion $\mathrm{fix}_Y u$ in $t$ which lies within no recursion. By induction, there is a term $u'$ s.t. $Y$ is guarded in $u'$, no free unguarded occurrence of any variable lies within a recursion, and $\mathrm{fix}_Y u = \mathrm{fix}_Y u'$. Hence, no free unguarded occurrence of a variable occurs within a recursion in $u'[\mathrm{fix}_Y u'/Y]$.
Let $t_1$ be the result of simultaneously replacing every top recursion $\mathrm{fix}_Y u$ in $t$ by $u'[\mathrm{fix}_Y u'/Y]$. Clearly $t_1 = t$. Moreover, no free unguarded occurrence of a variable in $t_1$ lies within a recursion. By Lemma 3.11, there are predicates $\delta$ and $\gamma$, and $t_2$ in which $X$ only occurs guarded, s.t. $t_1 = t_2 + \delta : \gamma \to X$. Then
$$\mathrm{fix}_X t = \mathrm{fix}_X t_1 = \mathrm{fix}_X(t_2 + \delta : \gamma \to X) \overset{\text{UR}}{=} \mathrm{fix}_X(t_2 + \delta : \gamma \to t_2)$$
which proves the theorem. □
The following result is a consequence of Theorems 3.2 and 3.3.
Theorem 3.4 For all closed A terms $t$ and $u$, if $t \sim^\nabla u$ then $\phi \vdash t = u$.
3.7 Conclusion
This chapter provides a sound and complete proof system for the coarsest
congruence for (finite) timed automata with deadlines that is included in
bisimulation.
The result on axiomatization can be extended to all A terms by noticing that $\nabla$-bisimulation for open terms can be characterized either by extending the operational semantics, allowing $X \xrightarrow{X} \mathbf{0}$, or by extending the symbolic semantics, allowing $X \xrightarrow{\mathit{tt},\mathit{ff},X,\emptyset} \mathbf{0}$ for any variable $X$. The proof follows the lines of [Gla93].
By using standard ideas in [Mil89a, ABV94], it is possible to define ax-
ioms for static operations like hiding or parallel composition. Some oper-
ators have already been axiomatised in [BS00]. In particular, the following
expansion law for parallel composition can be proved sound for the operational rules given in [DG05] ($\otimes$ is a 4-ary operation that returns a formula):
$$\begin{aligned}
t \parallel^{\otimes}_B t' = {} & \sum_{i \in I,\, a_i \notin B} \delta_i : \gamma_i \to a_i(x_i).(t_i \parallel^{\otimes}_B t') + \sum_{j \in J,\, b_j \notin B} \delta'_j : \gamma'_j \to b_j(y_j).(t \parallel^{\otimes}_B t'_j) \\
& + \sum_{\substack{i \in I,\, j \in J,\\ a_i = b_j \in B}} ((\delta_i,\gamma_i) \otimes (\delta'_j,\gamma'_j)) : (\gamma_i \wedge \gamma'_j) \to a_i(x_i y_j).(t_i \parallel^{\otimes}_B t'_j)
\end{aligned}$$
where $t = \sum_{i \in I} \delta_i : \gamma_i \to a_i(x_i).t_i$ and $t' = \sum_{j \in J} \delta'_j : \gamma'_j \to b_j(y_j).t'_j$.
Acknowledgments
We thank Frits Vaandrager for his remarks on early drafts that helped to im-
prove the quality of the present and the previous chapter. CONCUR’05/06
and FOSSACS’06 referees are also acknowledged for their useful remarks.
Chapter 4
Specifying Urgency in Timed
I/O Automata
with Frits W. Vaandrager
Abstract Tools and techniques based on timed automata (such as Uppaal
and the timed I/O automata framework) have proven to be extremely use-
ful for the analysis of protocols and control software for real-time systems.
However, a significant limitation of these approaches is that, due to the
expressiveness of the modeling languages, timelocks — degenerate states
in which time is unable to pass — can freely arise and cannot, in the gen-
eral case, be detected. As a remedy to this problem Sifakis et al. advocate
the use of deadline predicates for the specification of progress properties of
Alur-Dill style timed automata. In this article, we extend these ideas to a
more general setting, which may serve as a basis for deductive verification
techniques. More specifically, we extend the TIOA framework of Lynch
et al with urgency predicates. We identify a suitable language to describe
the resulting timed I/O automata with urgency and show that for this lan-
guage time reactivity holds by construction. We also establish that the class
of timed I/O automata with urgency is closed under composition. The
use of urgency predicates is compared with three alternative approaches to
specifying progress properties that have been advocated in the literature:
invariants, stopping conditions and deadline predicates. We argue that in
practice the use of urgency predicates leads to shorter and more natural
specifications than any of the other approaches. Some preliminary results
on proving invariant properties of timed (I/O) automata with urgency are
presented.
4.1 Introduction
In the literature on real-time systems there appears to be broad consensus
on how to express quantitative timing constraints in state based modeling
formalisms. Following the approach advocated by Alur and Dill [AD94],
the idea is to designate certain state variables as clock variables. The values
of these clock variables change as time advances. Also, clocks may be reset
when discrete events occur. Timing constraints can be expressed, then, by
conditions on clock values.
One issue on which there is no general consensus yet is how to spec-
ify progress properties, that is, properties which assert that a system must
perform a certain action before a certain point in time. Merritt et al.
in [MMT91] propose a model with upper and lower bounds associated
with tasks (that is, sets of system actions). In the work of Alur and Dill
[AD94], progress is enforced via a Büchi-style acceptance criterion: by requiring that some (sets of) locations are visited infinitely often, the possibility is ruled out that a system stays in certain locations forever. A popular
approach, which is advocated in [HNSY94, AH94a] and implemented in
the tool UPPAAL [LPY97], is to use (state) invariants. An invariant typi-
cally enforces a system action by limiting the amount by which time may
advance in a given state. A related approach that is pursued in [KLSV03a]
is to use stopping conditions. Here the idea is that when a system reaches
a state in which a stopping condition holds, time may not progress any
further and a system action has to occur immediately. Sifakis and his col-
leagues [BS00, SY96] advocate the use of deadlines for the specification of
progress properties. Each transition of an Alur-Dill style timed automaton
is decorated with an additional deadline predicate, which specifies when
the transition becomes urgent. An advantage of the deadline approach
(which can be viewed as a generalization of the approach of [MMT91]) is
that under some reasonable assumptions, it ensures what is called time re-
activity in [BS00] and timelock freedom in [Bow99], that is, whenever time
progress stops there exists at least one enabled transition. Under certain
conditions, time reactivity is even preserved by parallel composition of automata [Bow99, BS00, BGS00]. Similar to the original TIOA [KLSV03a], TIOA with urgency may still exhibit Zeno behaviour, another type of timelock, where time is unable to pass beyond a certain point while actions continue to be performed [BG06]. The notion of deadlines has been incorporated in several modeling frameworks, see for instance [Bow99, GO01],
and it has been implemented as part of the IF toolset [BGM02] and MoDeST
[DHKK01].
The work of Sifakis et al [SY96, BS00] takes place in a setting of Alur-
Dill style timed automata, a system model that has limited expressivity
in order to enable automatic state space exploration and model check-
ing. In this article, we study the specification of progress properties in
the much more general model of timed I/O automata (TIOA) of Lynch
et al [KLSV03a]. Even though fragments of the TIOA framework can be
translated into timed automata [Rob04], analysis of general TIOA models
requires the use of deductive verification techniques and theorem provers
such as PVS [KLM04]. Inspired by the work of Sifakis et al, we introduce
a similar notion of urgency predicates within the TIOA framework, both
at the semantic level where we have infinite sets of states, transitions and
trajectories, and at the syntactic level where system behavior is described
finitely in terms of a logical language.
In the I/O automaton framework, transitions are typically specified us-
ing precondition/effect notation, that is, some type of guarded commands.
This means that, for a given action name $b$ with parameters $\vec h$, a precondition predicate $\mathit{pre}(\vec v,\vec h)$ is given that defines from which states $\vec v$ action $b(\vec h)$ is enabled, and an effect predicate $\mathit{eff}(\vec v,\vec h,\vec v')$ that defines to which states $\vec v'$ one may jump after doing action $b(\vec h)$ in state $\vec v$. For the specification of timed systems we add a third predicate, the urgency predicate $\mathit{urg}(\vec v,\vec h)$, to every transition definition. The meaning of the urgency predicate is that if, for some $\vec h$, the state predicate
$$\mathit{pre}(\vec v,\vec h) \wedge \mathit{urg}(\vec v,\vec h) \qquad (4.1)$$
becomes true at a time point t in a trajectory, then t must be the limit time
of that trajectory. Intuitively, the precondition specifies when a transition
may occur, and the urgency predicate specifies when the transition becomes
urgent, that is, either this or some other enabled discrete transition must oc-
cur immediately. A small but significant difference between our approach
and the one of Sifakis et al [SY96, BS00] is that Sifakis et al require that a
deadline predicate implies the precondition predicate, whereas we achieve
a similar effect by conjoining the urgency predicate with the precondition.
The main contributions of this article are:
1. Extension of the work of [SY96, BS00, BGS00] on deadline predicates
to a much more expressive setting, which may serve as a basis for
deductive verification techniques. More specifically, we extend the
TIOA framework of [KLSV03a] with urgency predicates at the se-
mantic level, and define a suitable language to describe the result-
ing timed I/O automata with urgency. For this language, time reactivity
holds by construction. We also establish that the class of TIOAs with
urgency is closed under composition. In general, under the usual
semantics, timed automata with urgency and timed automata with
deadlines are not closed under composition, this problem has been
studied in [DG05], where an alternative semantics is given that pre-
serves compositionality.
2. A comparison of urgency predicates with three alternative ways to
specify progress properties: invariants [HNSY94, AH94a], stopping
conditions [KLSV03a] and deadlines [SY96, BS00, BGS00]. Deadlines,
stopping conditions and urgency predicates are shown to be (essen-
tially) equally expressive. Invariants are slightly more expressive
since they allow to bound the time at which an action occurs by a
right open interval. Only use of urgency and deadline predicates
gives time reactivity by construction. We argue that in practice the
use of urgency predicates leads to shorter and more natural specifica-
tions than any of the other methods.
3. Some preliminary results on proving invariant properties of timed
(I/O) automata with urgency. A similar approach for discrete time
can also be found in [GB03].
The full version of the present paper appears as [GV04]. The proofs which
have been omitted here, due to space limitation, are available in this tech-
nical report.
4.2 Timed (I/O) Automata with Urgency
In this section, we describe our extension of the timed I/O automata frame-
work of Lynch et al [KLSV03a, KLSV03b] with urgency. In Subsections
4.2.1 and 4.2.2 we begin by recalling some definitions from [KLSV03a,
KLSV03b]: we introduce a basic vocabulary for describing timed behav-
iors and recall the notion of a timed automaton. In Subsection 4.2.3, we
add a notion of urgent transitions to timed automata, both at the semantic
and at the syntactic level. The class of timed automata with urgency is not
closed under composition, in general. In order to obtain compositionality,
we add, in Subsection 4.2.4, an input/output distinction. Subsection 4.2.5,
finally, defines a parallel composition operator and establishes that both the
class of timed automata and the class of timed I/O automata with urgency
are closed under composition.
4.2.1 Describing Timed System Behavior
In this section, we list the basic notions that are used in describing the be-
havior of a timed system, including both discrete and continuous changes.
We simply sketch this material, leaving the reader to consult [KLSV03a,
KLSV03b] for the details.
The time domain we use is the set R of real numbers (in [KLSV03a,
KLSV03b] also other time domains are considered). States of automata will
consist of valuations of variables. Each variable has both a static type, which
defines the set of values it may assume, and a dynamic type, which gives the
set of trajectories it may follow. We assume that dynamic types are closed
under some simple operations: shifting the time domain, taking subinter-
vals and pasting together intervals. We call a variable discrete if its dy-
namic type equals the pasting-closure of a set of constant-valued functions
(i.e., the step-functions), and analog if its dynamic type equals the pasting-
closure of a set of continuous functions (i.e., the piecewise-continuous func-
tions).
A valuation for a set V of variables is a function that associates with
each variable v ∈ V a value in its static type. We write val (V) for the set
of all valuations for V. A trajectory for a set V of variables describes the
evolution of the variables in V over time; formally, it is a function from a
time interval that starts with 0 to valuations of V, that is, a trajectory defines
a value for each variable at each time in the interval. We write dom(τ ) for
the domain of trajectory τ . A point trajectory is one with the trivial domain
{0}. We write ℘(x) for the point trajectory for valuation x. The limit time of
a trajectory τ , τ .ltime, is the supremum of the times in its domain. τ .fval
is defined to be the first valuation of τ , and if τ is right-closed, τ .lval is the
last valuation. Suppose τ and τ ′ are trajectories for V, with τ closed. The
concatenation of τ and τ′, denoted by τ ⌢ τ′, is the trajectory obtained by
taking the union of the first trajectory and the function obtained by shifting
the domain of the second trajectory until the start time agrees with the limit
time of the first trajectory; the last valuation of the first trajectory, which
may not be the same as the first valuation of the second trajectory, is the
one that appears in the concatenation. Trajectory τ is a prefix of trajectory
τ ′, denoted τ ≤ τ ′, if τ can be obtained by restricting τ ′ to a subset of its
domain. For every t ∈ dom(τ), we define τ ▷ t to be the trajectory obtained
by taking the part of τ from t onwards, and then shifting the domain so
that it starts with 0 again. Formally, dom(τ ▷ t) = {u ∈ R | u + t ∈ dom(τ)}
and for all u in the domain, (τ ▷ t)(u) = τ(u + t).
4.2.2 Timed Automata
A timed automaton in the sense of [KLSV03a, KLSV03b] is a state machine
whose states are divided into variables and that has a set of discrete actions.
The state of a timed automaton may change in two ways: by discrete transi-
tions, which change the state atomically, and by trajectories, which describe
the evolution of the state over intervals of time. Discrete transitions are la-
beled with actions, which are classified as either external or internal. The ex-
ternal actions are used to synchronize with the automaton’s environment,
while the internal actions are only visible to the automaton itself.
Formally, a timed automaton is a tuple A = (X,Q,Θ, E,H,D ,T ) with
• A set X of internal variables.
• A set Q ⊆ val (X) of states.
• A nonempty set Θ ⊆ Q of start states.
80 4. Specifying Urgency in TIOA
• A set E of external actions and a set H of internal actions, disjoint from
each other. We write A ≜ E ∪ H.
• A set D ⊆ Q × A × Q of discrete transitions. An edge e = (x, a, x′) ∈ D,
also written as x −a→ x′, represents a transition from state x to x′ labeled
with action a. We say that a is enabled in x if x −a→ x′ for some x′.
• A set T of trajectories for X such that τ(t) ∈ Q for each τ ∈ T and
t ∈ dom(τ). We require that the following axioms hold:
T0 (Existence of point trajectories) If x ∈ Q then ℘(x) ∈ T.
T1 (Prefix closure) For every τ ∈ T and every τ′ ≤ τ, τ′ ∈ T.
T2 (Suffix closure) For every τ ∈ T and every t ∈ dom(τ), τ ▷ t ∈ T.
T3 (Concatenation closure) Let τ0 τ1 τ2 . . . be a sequence of trajectories
in T such that, for each non-final index i, τi is closed and
τi.lval = τi+1.fval. Then τ0 ⌢ τ1 ⌢ τ2 . . . ∈ T.
A trajectory τ is maximal in T if there exists no τ ′ ∈ T with τ < τ ′.
The following lemma (which as far as we know is new) states that each
trajectory can be extended into a maximal one. Intuitively this is an obvious
property, but the proof requires some work due to the fact that we know so
little about T .
Lemma 4.1 Let A be a timed automaton and let T be its set of trajectories. Then
each trajectory in T is a prefix of a trajectory that is maximal in T .
Proof: Let τ ∈ T be a trajectory. Suppose that τ cannot be extended into
a maximal trajectory. We derive a contradiction. Let τ0 = τ, t0 = τ0.ltime
and let u0 be the supremum of the limit times of the trajectories in T that
extend τ. Suppose t0 = u0. Since τ0 is not maximal, this implies that it is
right-open, and can be extended with a single state. But then the extended
trajectory is maximal again, which is a contradiction. Hence t0 < u0. Let τ1
be a trajectory that extends τ0 such that if u0 = ∞ then t1 = τ1.ltime = t0 + 1,
else t1 = τ1.ltime > (t0 + u0)/2. Let u1 be the supremum of the limit times of the
trajectories in T that extend τ1. Then u1 ≤ u0. Continuing the construction,
we find an infinite chain of trajectories τ0 < τ1 < τ2 < · · · and real numbers
ti, ui such that t0 < t1 < t2 < · · · ≤ · · · ≤ u3 ≤ u2 ≤ u1 ≤ u0. In addition, we know
that (1) there exists a k such that for all j > k, uj < ∞ (otherwise it would
be possible to extend τ0 into an infinite and hence maximal trajectory), (2)
t′ = lim_{i→∞} ti = lim_{i→∞} ui. Let τ′ be the limit of the trajectories τi. Then
t′ = τ′.ltime. We know that τ′ ∈ T by axiom T3 (concatenation closure).
By assumption, since τ < τ′, τ′ is not maximal in T. Hence there exists a
trajectory τ′′ with τ′ < τ′′ and t′ < τ′′.ltime = t′′. But this contradicts the
fact that, for sufficiently large k, the supremum of the limit times of the
trajectories that extend τk is strictly less than t′′. □
4.2.3 Adding Urgency
We now extend timed automata with extra state predicates, urgency predi-
cates, one for each action.
A timed automaton with urgency is a pair (A ,U) of a timed automaton
A = (X,Q,Θ, E,H,D ,T ) and an urgency predicate U : Q × A → Bool. If
U(x, a) = tt then we say that action a is potentially urgent in a state x. Action
a is urgent in state x if it is potentially urgent and in addition enabled. We
require that the following two axioms hold:
T4 (Urgency) For every τ ∈ T , t ∈ dom(τ ) and a ∈ A: if a is urgent in τ (t)
then t = τ .ltime.
T5 (Maximality) For every τ ∈ T , if τ is maximal and finite then τ is right-
closed and some a ∈ A is urgent in τ .lval .
Axiom T4 states that as soon as an action becomes urgent, this action or
some other action that is enabled has to occur immediately [1]. Axiom T5
states that each maximal and finite trajectory enables an urgent action at
the end.
Timed automata with urgency can be conveniently specified in a slight
variation of the TIOA language [KLM04].
Example 4.1 To illustrate this language, we consider the simple model of a train
displayed in Figure 4.1. The automaton runs cyclically through states start , light
and gate. After spending between (2,5] time units in start the automaton jumps
to light , then within (5,10] time units after arrival in light the automaton jumps
to gate, and after exactly 2 time units in gate the automaton returns to the initial
state start .
The definitions of the signature, state variables, initial states, and transi-
tion in our language are similar to their counterparts in the IOA language.
We refer to the IOA user guide and reference manual [GLTV03] for addi-
tional information on this part of the language [2]. In this article, we consider
only two types of state variables, which differ in their dynamic types: dis-
crete variables (such as control ), whose value remains unchanged along a
trajectory, and clocks (such as x), which are real-valued variables whose
value increases with rate 1 along a trajectory [3]. The set of states consists
[1] The reader may wonder why we do not impose a stronger axiom stating that if an action
becomes urgent this action or some other urgent action has to occur immediately. Such an
approach, which involves the use of priorities, has been studied in [GS05b]. It is well-known
that priorities are incompatible with a trace based semantics. We feel that, for all
practical purposes, axiom T4 allows us to specify the desired urgency properties, while it is
still fully compatible with the trace based semantics which has been the preferred semantic
model for (timed) I/O automata since the first paper from 1987 [LT87].
[2] Since the emphasis in this article is on urgency we decided not to present all datatype
definitions. At this point, our specifications are (deliberately) a bit sloppy.
[3] Our results easily generalize to more general dynamic types and continuous behavior
defined by arbitrary differential equations and inclusions, such as studied e.g. in [KLSV03a,
LSV03].
type controlType = enumeration of start, light, gate
automaton Train
  states control : controlType initially start
         clock x initially 0
  signature external coming, approaching, passing
  transitions
    external coming
      pre x > 2 ∧ control = start
      urgent when x ≥ 5
      eff control := light; x := 0
    external approaching
      pre x > 5 ∧ control = light
      urgent when x ≥ 10
      eff control := gate; x := 0
    external passing
      pre x = 2 ∧ control = gate
      urgent when true
      eff control := start; x := 0
Figure 4.1: A simple model of a train.
of all valuations of the state variables ~v. At the syntactic level, we have
a finite number of action names b and each action name comes with a list
~h of formal parameters. At the semantic level, the set of actions consists
of pairs of an action name b and a valuation h of the parameters ~h. The
transition relation is defined via a finite number of transition definitions.
Each transition definition consists of an action name b, a list ~h of formal pa-
rameters, a precondition predicate pre(~v,~h) that defines from which states
an action b(~h) is enabled, an urgent when predicate urg(~v,~h) that specifies
when that action becomes urgent, and an effect predicate eff (~v,~h, ~v′) speci-
fying to which states ~v′ one may jump after doing action b(~h) in state ~v. If no
parameters are mentioned, then the parameter list is assumed to be empty,
if no precondition is mentioned then it is implicitly assumed to equal tt,
and if no urgency predicate is mentioned this is assumed to equal ff. We
further assume that the effect relation is total, in the sense that for each state
x and parameter valuation h such that pre(x,h) holds, there exists at least
one state x′ such that eff (x,h,x′) holds. If the effect predicate is defined
using (deterministic) assignments, such as in Figure 4.1, this property triv-
ially holds. The set of trajectories is defined implicitly. For x a state and t a
non-negative real number, let x ⊕ t be the state given by
(x ⊕ t)(v) ≜ { x(v)       if v is discrete
             { x(v) + t   if v is a clock.
The state x ⊖ t is defined similarly: replace + by − in the definition of ⊕.
For x a state and I a time interval that starts with 0, a pretrajectory from x
over I is a function τ : I → Q such that for each t ∈ I, τ (t) = x ⊕ t. The
set of trajectories is defined to be the set of all pretrajectories τ satisfying
that if some action a is urgent in some state τ (t), for t in the domain of τ ,
t = τ .ltime.
Example 4.2 Figure 4.2 gives another example of a specification in our language.
It is a model of a reliable FIFO channel that delivers its messages within a certain
time bound, represented by the automaton parameter b, which is a positive real
number.
The other automaton parameter M represents the type of messages communi-
cated by the channel. The states of the automaton are valuations of the state vari-
ables queue and now. The discrete variable queue holds a finite sequence of pairs
consisting of a message that has been sent and its delivery deadline. The clock vari-
able now records the current real time. A send(m) action, which is always enabled
and never becomes urgent, adds to the queue a new pair whose first component
is m and whose second component is the deadline now + b. A receive(m) action
can occur when m is the first message in the queue and it results in the removal of
the first message from the queue. The receive(m) action becomes urgent when the
delivery deadline u of the first message equals the current time now.
automaton Channel(b, M) where b ∈ R+
  states queue ∈ (M × R)* initially empty
         clock now initially 0
  signature external send(m), receive(m) where m ∈ M
  transitions
    external send(m)
      eff add (m, now + b) to the end of queue
    external receive(m)
      pre ∃u : (m, u) is first element of queue
      urgent when ∃u : (m, u) ∈ queue and now ≥ u
      eff remove first element of queue
Figure 4.2: Time-bounded channel.
By construction, the set of trajectories denoted by a specification in our
language satisfies axioms T0-T4. However, the example below shows that
axiom T5 does not need to hold in general.
Example 4.3 The timed automaton specified in Figure 4.3 has a transition with
precondition x > 4 ∧ b = ff and urgency predicate tt. Axiom T5 does not hold,
since time can only advance up to x = 4 but at that time the transition is not (yet)
enabled.
In order to avoid the counterexample of Figure 4.3, it is sufficient that
certain predicates derived from the transition definitions are left-closed in
the sense of [BGS00]. For each transition definition tr
automaton A
  states b : Bool initially ff
         clock x initially 0
  signature external a
  transitions
    external a
      pre x > 4 ∧ b = ff
      urgent when tt
      eff b := tt
Figure 4.3: A counterexample to axiom T5.
  b(~h) pre pre(~v,~h)
        urgent when urg(~v,~h)
        eff eff(~v,~h,~v′)
let the predicate Urg(tr) be given by
Urg(tr)(~v,~h) ≜ ∃~h : pre(~v,~h) ∧ urg(~v,~h)   (4.2)
Following [BGS00], we define a state predicate ϕ to be left-closed if, for all ~v,
¬ϕ(~v) =⇒ ∃ε > 0 ∀ε′ ≤ ε : ¬ϕ(~v ⊕ ε′)   (4.3)
In practice, left-closedness can be easily obtained by only using non-strict
lower bounds on clocks. For instance, x ≥ 4 ∧ b = ff is left-closed but x >
4∧ b = ff is not. We can now formally state the following theorem.
Theorem 4.1 If the predicate ∨_tr Urg(tr) is left-closed then axiom T5 holds.
Proof: Suppose that τ is a maximal and finite trajectory. Assume that the
domain of τ is right-open. Then, by T4, nowhere on τ does an action become
urgent. But this means that the extension of τ with a single state at the end
gives a legal trajectory, thus contradicting the assumption that τ is maxi-
mal. Hence, without loss of generality, we may assume that the domain of
τ is right-closed. Assume that no action a is urgent in τ.lval. This means
that the disjunction ∨_tr Urg(tr) does not hold in the state x = τ.lval. But since
this disjunction is left-closed, there exists a small ε-extension of τ in which
no action a is urgent. This extension is then a legal trajectory, which
contradicts the (assumed) maximality of τ. □
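As an added illustration, not part of the thesis or of the TIOA toolset, the Python snippet below executes the trajectory semantics of Subsection 4.2.3 for the train of Figure 4.1 and for the counterexample of Figure 4.3. Each transition definition is stored in the restricted form Theorem 4.1 is concerned with: Urg(tr) = pre ∧ urg is a conjunction of discrete equalities and clock bounds of the form x ≥ c, x > c or x = c. `urgent_time` computes when Urg(tr) first holds along the pretrajectory from a state, `maximal_trajectory` applies axiom T4 (time stops as soon as some action is urgent), and `satisfies_T5_from` checks whether that maximal trajectory is right-closed and ends in a state with an urgent action. The names `Atom`, `Transition`, `Automaton`, `urgent_time`, `maximal_trajectory`, `run`, `TRAIN`, `DOOMED` and `FIXED` are my own, and the effects are encoded as plain Python functions.

```python
from dataclasses import dataclass
from fractions import Fraction as F
from typing import Callable

INF = float("inf")


@dataclass(frozen=True)
class Atom:
    """Clock constraint `clock op c`, op in {">=", ">", "=="}: the lower-bound
    fragment that the left-closedness condition of Theorem 4.1 talks about."""
    clock: str
    op: str
    c: F


@dataclass
class Transition:
    """Transition definition; Urg(tr) = discrete equalities ∧ all atoms."""
    name: str
    discrete: dict        # required values of the discrete variables
    atoms: list           # list[Atom]
    effect: Callable      # eff: state -> state; total and deterministic here


@dataclass
class Automaton:
    clocks: set
    transitions: list

    def shift(self, state, t):
        """x ⊕ t: clocks advance by t, discrete variables keep their value."""
        return {v: val + t if v in self.clocks else val for v, val in state.items()}


def urgent_time(tr, state):
    """Infimum e >= 0 such that Urg(tr) holds in state ⊕ e, plus a flag saying
    whether Urg(tr) holds at state ⊕ e itself.  It does not for a strict bound:
    x > 4 only holds strictly after x = 4.  Returns (INF, False) if never."""
    if any(state[v] != val for v, val in tr.discrete.items()):
        return INF, False
    e_star, attained = F(0), True
    for a in tr.atoms:
        need = a.c - state[a.clock]           # time until the clock reaches c
        if a.op == "==" and need < 0:
            return INF, False                  # clock is already past c
        e = max(need, F(0))
        att = a.op != ">" or need < 0          # strict bound unmet exactly at c
        if e > e_star:
            e_star, attained = e, att
        elif e == e_star:
            attained = attained and att
    if any(a.op == "==" and a.c - state[a.clock] != e_star for a in tr.atoms):
        return INF, False                      # another bound pushes past x = c
    return e_star, attained


def maximal_trajectory(ta, state):
    """Axiom T4: time can only run until some action is urgent.  Returns the
    limit time of the maximal trajectory from `state`, whether that limit time
    belongs to the trajectory (right-closed end) and the actions urgent there."""
    ltime, attained, urgent = INF, False, []
    for tr in ta.transitions:
        e, att = urgent_time(tr, state)
        if e < ltime:
            ltime, attained, urgent = e, att, [tr.name] if att else []
        elif e == ltime and e != INF:
            attained = attained or att
            if att:
                urgent.append(tr.name)
    return ltime, attained, urgent


def satisfies_T5_from(ta, state):
    """Axiom T5 for the maximal trajectory from `state`: either time runs
    forever, or the trajectory is right-closed and ends with an urgent action."""
    ltime, attained, _ = maximal_trajectory(ta, state)
    return ltime == INF or attained


def run(ta, state, steps):
    """Wait as long as T4 allows, then fire the first urgent action.  (The
    automaton may also jump earlier whenever a precondition holds; this run
    follows the maximal trajectories.)  Returns ([(action, delay), ...], state)."""
    trace = []
    for _ in range(steps):
        ltime, attained, urgent = maximal_trajectory(ta, state)
        if ltime == INF:
            break
        if not attained:
            raise ValueError(f"axiom T5 violated: time blocked at {ltime}, nothing urgent")
        tr = next(t for t in ta.transitions if t.name == urgent[0])
        state = tr.effect(ta.shift(state, ltime))
        trace.append((urgent[0], ltime))
    return trace, state


def _jump(to):
    """Effect `control := to; x := 0` of Figure 4.1."""
    return lambda s: {**s, "control": to, "x": F(0)}


# Train of Figure 4.1: pre ∧ urgent-when of each transition, as atoms.
TRAIN = Automaton({"x"}, [
    Transition("coming", {"control": "start"},
               [Atom("x", ">", F(2)), Atom("x", ">=", F(5))], _jump("light")),
    Transition("approaching", {"control": "light"},
               [Atom("x", ">", F(5)), Atom("x", ">=", F(10))], _jump("gate")),
    Transition("passing", {"control": "gate"},
               [Atom("x", "==", F(2))], _jump("start")),
])

# Figure 4.3 (strict bound, T5 fails) and its left-closed repair (Theorem 4.1).
DOOMED = Automaton({"x"}, [Transition("a", {"b": False}, [Atom("x", ">", F(4))],
                                      lambda s: {**s, "b": True})])
FIXED = Automaton({"x"}, [Transition("a", {"b": False}, [Atom("x", ">=", F(4))],
                                     lambda s: {**s, "b": True})])

if __name__ == "__main__":
    print(run(TRAIN, {"control": "start", "x": F(0)}, 3))
    print(maximal_trajectory(DOOMED, {"b": False, "x": F(0)}))
```

From the start state the run waits 5, 10 and 2 time units and fires coming, approaching and passing in turn; for the automaton of Figure 4.3 the maximal trajectory has limit time 4 but no action is urgent at 4, which is exactly the T5 violation of Example 4.3, and replacing x > 4 by x ≥ 4 repairs it.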
4.2.4 Adding an I/O Distinction
In this section, we further refine the model of timed automata by distin-
guishing between input and output actions as in [KLSV03a].
A timed I/O automaton with urgency is a quadruple (A ,U, I,O) where
• (A ,U) is a timed automaton with urgency, with A =
(X,Q,Θ, E,H,D ,T ).
• I and O partition E into input and output actions, that is E = I ∪ O
and I ∩ O = ∅. Actions in H ∪ O are called locally controlled. We
write L ≜ H ∪ O and A ≜ E ∪ H.
We require that the following two axioms hold:
E0 (Inputs not urgent) For every x ∈ Q and every a ∈ I, U(x, a) = ff.
E1 (Input action enabling) For every x ∈ Q and every a ∈ I, there exists
x′ ∈ Q such that (x, a,x′) ∈D .
The input actions are assumed not to be under the automaton’s control—
they just arrive from the outside—while the automaton itself specifies what
output and internal actions should be performed. In line with these intu-
itions, axiom E0 states that input actions never become urgent. Axiom E1
is the usual input enabling condition of ordinary I/O automata [LT87]; it
says that a TIOA with urgency is able to accommodate an input action when-
ever it arrives. At the syntactic level, a sufficient condition for axioms E0
and E1 to hold is that, in each transition definition for an input action, the
precondition is tt and the urgency predicate is ff.
A desirable property for models of real-time systems is time reactivity.
This means that in each state, either time is allowed to advance forever, or
time may advance for a while up to a point where the system is prepared
to react with some locally controlled action. In [KLSV03a], an axiom E2 is
required for timed I/O automata which captures this property:
E2 (Time-passage enabling) For every x ∈ Q, there exists τ ∈ T such that
τ .fval = x and either
– τ .ltime =∞, or
– τ is right-closed and some locally controlled action l ∈ L is en-
abled in τ .lval .
For a TIOA with urgency, time reactivity is implied by the other axioms.
Theorem 4.2 Each timed I/O automaton with urgency satisfies axiom E2.
Proof: Assume that x is a state. Then, by axiom T1, ℘(x) is a trajectory in
T . By Lemma 4.1 there exists a maximal trajectory τ that extends ℘(x). By
construction, τ .fval = x. By axiom T5 either
• τ .ltime =∞ which completes the proof, or
• τ is right-closed and there is an action a that is urgent in x′ = τ .lval .
By axiom E0 this cannot be an input action. Thus x′ enables a locally
controlled action. ut
4.2.5 Composition
We say that timed automata A1 and A2 are compatible if they have no state
variables in common, and if neither automaton has an internal action that
is an action of the other automaton. If A1 and A2 are compatible then
their composition A1||A2 is defined formally to be the timed automaton
A = (X,Q,Θ, E,H,D ,T ) where
• X = X1 ∪ X2.
• Q = {x ∈ val(X) | x⌈Xi ∈ Qi, i ∈ {1,2}}.
• Θ = {x ∈ Q | x⌈Xi ∈ Θi, i ∈ {1,2}}.
• E = E1 ∪ E2 and H = H1 ∪ H2.
• For each x, x′ ∈ Q and each a ∈ A, x −a→A x′ iff for i ∈ {1,2}, either (1)
a ∈ Ai and x⌈Xi −a→i x′⌈Xi, or (2) a ∉ Ai and x⌈Xi = x′⌈Xi.
• τ ∈ T ⇔ τ ↓ Xi ∈ Ti, i ∈ {1,2}.
We refer to [KLSV03b] for a proof that A1||A2 is a timed automaton, that is,
the above structure satisfies axioms T0-T3.
Two timed automata with urgency, (A1,U1) and (A2,U2), are compatible
if the underlying timed automata A1 and A2 are compatible. In this case,
the composition is defined to be the structure (A ,U), where A = A1||A2 and
U is given by
U((x1,x2), a) = U1(x1, a)∨U2(x2, a),
where by convention Ui(xi, a) = ff if a is not in the signature of Ai. So an
action is urgent in a state of the composed system iff it is urgent in one of
the component states. In general, the composition is not a timed automa-
ton with urgency. The problem is due to axiom T5: if, for instance, we
compose a system in which action a becomes urgent at time 1 with a sys-
tem that has a in its signature but without any a-transition, then the com-
posed system has a maximal trajectory of length 1 in which no transition
is enabled. Several papers address the issue of how timelock freedom (or
more generally, liveness) can be preserved by composition, see for instance
[Bow99, BS00, BGS00]. In this article, we present one simple but useful
result along these lines: the class of timed I/O automata with urgency is
closed under composition.
We say that two timed I/O automata with urgency, (A1,U1, I1,O1) and
(A2,U2, I2,O2), are compatible if the underlying timed automata A1 and A2
are compatible, and also they have no output actions in common. A con-
sequence of these conditions is that each action is controlled by at most
one component. In this case, the composition is defined to be the struc-
ture (A ,U, I,O), where (A ,U) is the composition of (A1,U1) and (A2,U2),
I = (I1 ∪ I2)− (O1 ∪ O2), and O = O1 ∪ O2. That is, an external action of
the composition is classified as an output if it is an output of one of the
component automata, otherwise it is classified as an input.
Theorem 4.3 The composition of two compatible timed I/O automata with ur-
gency is again a timed I/O automaton with urgency.
Proof: Straightforward from the definitions. Axiom T5 holds because if
τ is a maximal and finite trajectory of the composition there exists at least
one component such that the projection of τ on that component is maximal.
Using T5 for the component gives that the projection is right-closed and
that some action a of the component is urgent in the final state. By axiom
E0 we know that a is a locally controlled action. We infer that τ is right-
closed and (by axiom E1 for the other component) that a is urgent in the
composed system in the final state of τ. □
4.3 Expressivity
In this section, we compare the expressivity of urgency predicates with
that of the deadline predicates of [SY96, BS00], the stopping conditions of
[KLSV03a], and the invariants as used e.g. in [HNSY94, AH94a, LPY97].
4.3.1 Deadline Predicates
Instead of using urgency predicates, we could follow the approach of
Sifakis et al [SY96, BS00] even more closely by using deadline predicates.
This would mean that, for a given action name b with parameters ~h, besides
the precondition pre(~v,~h) and the effect eff (~v, ~v′,~h), also a deadline predicate
dl (~v,~h) is specified such that dl (~v,~h) =⇒ pre(~v,~h) holds. The semantics of
a deadline predicate is that if, for some ~h, the state predicate
dl (~v,~h) (4.4)
becomes true at a time point t in a trajectory, then t must be the limit time
of that trajectory.
Clearly, any definition of a timed automaton with urgency predicates
can be transformed into an equivalent (in the sense that the defined au-
tomata are semantically equal) definition with deadline predicates by re-
placing each urgency predicate urg(~v,~h) by a deadline predicate pre(~v,~h)∧
urg(~v,~h). Conversely, any definition with deadline predicates can be trans-
formed into an equivalent definition with urgency predicates by replacing
each deadline predicate dl (~v,~h) by an identical urgency predicate dl (~v,~h).
Studying the examples in Figure 4.1 and Figure 4.2, and the examples in
[KLSV03b] indicates that the use of urgency predicates leads to slightly
shorter specifications than the use of deadlines.
4.3.2 Stopping Conditions
Another alternative for urgency predicates are the stopping conditions as
used in [KLSV03a]. A stopping condition is a state predicate sc(~v) such that
if sc(~v) becomes true at a time point t in a trajectory, then t must be the limit
time of that trajectory.
We again checked the examples from Figure 4.1, Figure 4.2 and
[KLSV03b], and in each case urgency predicates lead to shorter and (in our
view) more natural specifications than stopping conditions. Figure 4.4, for
instance, shows how the transitions and trajectories of the example of Fig-
ure 4.1 can be rewritten using a stopping condition. The disadvantages
should be clear: upper bounds are no longer specified next to the corre-
sponding lower bounds, and parts of the preconditions have to be repeated
in the stopping condition.
  transitions
    external coming
      pre x > 2 ∧ control = start
      eff control := light; x := 0
    external approaching
      pre x > 5 ∧ control = light
      eff control := gate; x := 0
    external passing
      pre x = 2 ∧ control = gate
      eff control := start; x := 0
  trajectories stops when
      (control = start ∧ x ≥ 5) ∨
      (control = light ∧ x ≥ 10) ∨
      (control = gate ∧ x = 2)
Figure 4.4: The train model defined using a stopping condition.
Any definition of a timed automaton with urgency predicates can be
transformed into an equivalent definition with stopping conditions by re-
placing the urgency predicates by a single stopping condition that is the
disjunction of the formula pre(~v,~h)∧ urg(~v,~h), for all transition definitions.
Stopping conditions are more expressive than urgency predicates since
they allow one to define timed automata that are not time reactive and in
which “the universe” may come to a halt. Figure 4.5 gives an example. Of
automaton Doomsday
  states clock x initially 0
  trajectories stops when x = 1
Figure 4.5: A time deadlock.
course this is a form of additional expressivity that we would rather not
have! For a timed automaton definition with a stopping condition sc(~v) it
seems reasonable to require that the following variation of axiom T5 holds:
T5’ (Maximality) For every τ ∈ T , if τ is maximal and finite then τ is right-
closed, sc(τ .lval ) and some (locally controlled) a ∈ A is enabled in
τ .lval .
If this property holds, the specification can be transformed into an equiva-
lent specification with urgency predicates: in case there is no I/O distinc-
tion we just add an urgency predicate sc(~v) to each transition definition, if
there is an I/O distinction we add urgency predicate sc(~v) to each locally
controlled transition and urgency predicate ff to each input transition.
4.3.3 Invariants
A popular way to specify progress properties, which has been advocated
in [HNSY94, AH94a] and implemented in UPPAAL [LPY97], is the use of
invariants. An invariant is a state predicate inv (~v) that is required to hold
for all states along all trajectories. Figure 4.6 shows how the transitions and
trajectories of the example of Figure 4.1 look with invariants. Again, like
  transitions
    external coming
      pre x > 2 ∧ control = start
      eff control := light; x := 0
    external approaching
      pre x > 5 ∧ control = light
      eff control := gate; x := 0
    external passing
      pre x = 2 ∧ control = gate
      eff control := start; x := 0
  trajectories invariant
      (control = start ∧ x ≤ 5) ∨
      (control = light ∧ x ≤ 10) ∨
      (control = gate ∧ x ≤ 2)
Figure 4.6: The train model defined with an invariant.
stopping conditions, invariants allow one to define timed automata that
are not time reactive, a clear disadvantage of these specification styles. The
example of Figure 4.5, for instance, can easily be encoded using invariants
(replace the stopping condition by an invariant x ≤ 1).
Invariants also allow one to specify strict upper bounds on the timing
of events, as illustrated in Figure 4.7. The same timed automaton can not
be specified using urgency predicates, for the simple reason that it has a
maximal trajectory that is right-open, which is in violation of axiom T5. If
automaton BeforeOne
  states discrete b : Bool initially ff
         clock x initially 0
  signature external a
  transitions
    external a
      pre b = ff
      eff b := tt
  trajectories invariant x < 1 ∨ b = tt
Figure 4.7: Specification of a strict upper bound on timing with an invariant.
we are willing to consider timed automata up to some suitable equivalence
(for instance, the trace equivalence defined in [KLSV03a]) then it is possi-
ble to specify strict upper bounds with urgency predicates, but this requires
the use of auxiliary variables and unbounded nondeterminism. Figure 4.8
illustrates the specification of a strict upper bound with an urgency predi-
cate. The idea is to choose nondeterministically a value in the interval [0,1)
and then make a urgent when time has reached this value. Apart from the
automaton BeforeOne′
  states b : Bool initially ff
         t : R initially 0 ≤ t < 1
         clock x initially 0
  signature external a
  transitions
    external a
      pre b = ff
      urgent when x = t
      eff b := tt
Figure 4.8: Specification of a strict upper bound on timing with urgency.
fact that the second specification is less intuitive, the use of unbounded
nondeterminism will constitute a serious obstacle to automatic verification
methods. In all practical applications of timed automata that we are aware
of, the use of only non-strict upper bounds on timing is not a restriction. For
applications where use of strict upper bounds is essential, use of invariants
is probably more appropriate than use of urgency predicates.
Timed automata with urgency predicates can (in many cases) be trans-
lated to equivalent timed automata with invariants. Robson [Rob04] de-
scribes how a fragment of TIOA with urgency predicates can be trans-
lated to the input language of UPPAAL [4]. Below we discuss a more general
[4] The UPPAAL syntax for invariant predicates is rather restricted. For each individual
location the invariant is a conjunction of conditions of the form x ≤ e or x < e where x is a
clock and e is an expression that evaluates to an integer. This restriction forces Robson to
translation scheme. We say that a state predicate ϕ(~v) is stable (under time
progress) if
ϕ(~v) =⇒ ∀d > 0 : ϕ(~v⊕ d) (4.5)
Typically, a predicate will be stable if it only involves lower bounds on
clocks and no upper bounds.
The lower hull of state predicate ϕ(~v) is the set of valuations given by
LH(ϕ) ≜ {x | ϕ(x) ∧ ∃ε > 0 ∀0 < ε′ ≤ ε : ¬ϕ(x ⊖ ε′)}
The upper hull of a state predicate can be defined similarly, just replace ⊖
by ⊕ in the above definition. If ϕ only involves (non-strict) lower bounds
on clocks then the lower hull can easily be expressed again as a predicate
by replacing the ≥ signs with =.
Now consider a definition of a timed automaton with urgency predi-
cates such that all predicates Urg(tr ) are left-closed and stable. An equiv-
alent timed automaton with invariants can be obtained by replacing the
urgency predicates with the invariant
inv = ¬(∨_tr Urg(tr)) ∨ LH(∨_tr Urg(tr)),
provided that the state predicate inv holds initially and after each discrete
transition, i.e.,
pre(~v,~h)∧ eff (~v,~h, ~v′) =⇒ inv (~v′).
The proof of the equivalence is straightforward and left to the reader.
Any timed automaton definition with right-closed invariants can be
easily translated to a timed automaton with stopping conditions: the stop-
ping condition is defined to be (a predicate denoting) the upper hull of the
invariant. The translation scheme of Section 4.3.2 can then be used (pro-
vided axiom T5’ holds) to translate the resulting timed automaton with
stopping conditions to a timed automaton with urgency.
4.4 Proving Invariant Properties
In this section, we discuss how to establish invariant properties for spec-
ifications that involve urgency predicates. It is important to distinguish
invariant properties from the invariant assertions that were discussed in
the previous section as a construct to specify progress. An invariant prop-
erty is a state predicate that holds for all reachable states of a given system.
[4, continued] split locations as part of her translation.
An invariant in the sense of the previous section is an assertion that is actually
used to define (the trajectories of) a system. Any invariant in the sense of
the previous section is actually an invariant property of the system that it
helps to define. The converse implication typically does not hold.
An execution fragment of a timed automaton A is a sequence α =
τ0 a1 τ1 a2 τ2 . . ., where each ai is an action of A, each τi is a trajectory of
A, and for every i, τi.lval −ai+1→ τi+1.fval. An execution fragment records
what happens during a particular run of a system, including all the dis-
crete state changes and all the changes that occur while time advances. An
execution is an execution fragment whose first state is a start state of A . A
state is reachable in A if it is the last state of the last trajectory of a finite
execution of A . A state predicate ϕ is an invariant of A if it holds for all
reachable states of A .
In order to prove that an assertion ϕ is an invariant of A , it suffices to
prove that it holds initially and is preserved by all discrete transitions as
well as by all time(d) steps defined by
x −time(d)→ x′ ≜ ∃τ ∈ T : τ.fval = x ∧ τ.ltime = d ∧ τ.lval = x′.
If we manage to give a simple and tractable characterization of the time(d)
predicate, then all the invariant proof techniques which are presented (for
instance) in [MP95] become available in our setting.
Let tr be a transition definition for an action name b with parameter ~h
with precondition pre(~v,~h), urgency predicate urg(~v,~h), and effect predicate
eff (~v,~h, ~v′). For d ≥ 0, the time progress predicate tp(~v, tr , d) expresses that
transition tr permits time to advance with an amount d from state ~v. The
predicate is formally defined in terms of the Urg(tr ) predicate of (4.2):
tp(~v, tr, d) ≜ ∀0 ≤ e < d : ¬Urg(tr)(~v ⊕ e,~h)   (4.6)
              ≜ ∀0 ≤ e < d, ∀~h : pre(~v ⊕ e,~h) =⇒ ¬urg(~v ⊕ e,~h)
Using the time progress predicates, we characterize the time advance steps
time(d) as follows:
time(d)
  pre ∧_tr tp(~v, tr, d)
  eff ~v := ~v ⊕ d
In many cases it is possible to simplify the time progress predicates, by
eliminating the universal quantifications from their definition. As an exam-
ple, consider the timed automaton of Figure 4.1. The time progress predi-
cate for the coming transition is
∀0 ≤ e < d : ¬(x + e > 2∧ control = start ∧ x + e ≥ 5)
⇐⇒ ∀0 ≤ e < d : ¬(control = start ∧ x + e ≥ 5)
⇐⇒ ¬(control = start ∧ x + d > 5)
⇐⇒ control = start =⇒ x + d ≤ 5
Similarly, the time progress predicates for the approaching and passing tran-
sitions can be written resp. as
control = light =⇒ x + d ≤ 10
control = gate =⇒ x + d ≤ 2
With these characterizations it is trivial to prove, for example, that
control = start =⇒ x ≤ 5
is inductive (and hence an invariant): it holds initially, and it is preserved
by all discrete transitions and all time(d) steps.
The above quantifier elimination can be generalized under some rea-
sonable assumptions. If ϕ(~v) is a state predicate then we write post(ϕ)(~v)
for the state predicate that holds for states that have a time predecessor
satisfying ϕ:
post(ϕ)(~v) ∆= ∃~w ∃e > 0 : (~v = ~w⊕ e)∧ϕ(~w) (4.7)
If ϕ only involves lower bounds on clocks, then post(ϕ) can typically be
obtained from ϕ by making these lower bounds strict, so quantifier elimi-
nation from post(ϕ) is easy. Hence, if preconditions and urgency predicates
only involve lower bounds on clocks (which appears to be a good specifi-
cation style anyway), then their conjunction is stable. One may use the fol-
lowing lemma to eliminate the quantification over e from the time progress
predicate (4.6).
Lemma 4.2 Let ϕ be a state predicate that is stable under time progress. Then
(∀0 ≤ e < d : ¬ϕ(~v⊕ e)) ⇔¬post(ϕ)(~v⊕ d) (4.8)
Proof: Equivalence (4.8) can be rewritten into
(∃0 ≤ e < d : ϕ(~v⊕ e)) ⇔ post(ϕ)(~v⊕ d) (4.9)
We prove both implications:
⇒ Assume ϕ(~v⊕ e), for certain e ∈ [0, d). Then post(ϕ)(~v⊕ d) holds since
there is a state, namely ~v⊕ e, that is a time predecessor of ~v⊕ d and
in which ϕ holds.
⇐ Assume post(ϕ)(~v⊕ d). Then by (4.7) there exists an e′ > 0 and a state
~w such that ϕ(~w) holds and ~v ⊕ d = ~w ⊕ e′. Depending on the rela-
tionship between d and e′ we have two cases:
Case e′ ≤ d: Then ~v⊕ (d− e′) = ~w. Choose e = d− e′. Then e ∈ [0, d)
and ϕ(~v⊕ e).
Case d < e′: Then ~v = ~w⊕ (e′ − d). Since ϕ(~w) holds and ϕ is stable
under time progress, also ϕ(~v) holds. So we may choose e = 0 to
obtain ϕ(~v⊕ e), as required. □
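As an added worked example (not part of the thesis), the quantifier elimination of Lemma 4.2 and the time-step obligation of the inductiveness argument above, in Python. The Urg(tr) predicates of the three transitions of Figure 4.1 are taken from the characterizations given above (for d > 0); the grid-based reference check, the rational sampling grid and the wrong candidate invariant control = start ⇒ x ≤ 4 are constructed here.

```python
from fractions import Fraction

# A state is a control location plus a clock valuation; v (+) e advances every clock by e.
def advance(clocks, e):
    return {c: val + e for c, val in clocks.items()}

# A state predicate phi = (location or None, lower bounds); a lower bound is
# (clock, bound, strict) and reads clock > bound when strict, clock >= bound otherwise.
def holds(phi, control, clocks):
    loc, bounds = phi
    if loc is not None and control != loc:
        return False
    return all(clocks[c] > b if strict else clocks[c] >= b for c, b, strict in bounds)

def post(phi):
    """post(phi) of (4.7): states that have a time predecessor satisfying phi.
    All clocks advance together, so a conjunction of lower bounds held some
    positive time ago iff every bound now holds strictly."""
    loc, bounds = phi
    return (loc, tuple((c, b, True) for c, b, _ in bounds))

def tp_eliminated(urg_phi, control, clocks, d):
    """Time progress predicate (4.6) with the quantifier over e eliminated by
    Lemma 4.2:  forall 0 <= e < d : not phi(v (+) e)  <=>  not post(phi)(v (+) d)."""
    return not holds(post(urg_phi), control, advance(clocks, d))

def tp_bruteforce(urg_phi, control, clocks, d, steps=200):
    """Reference evaluation of the quantified form on a fine grid of e in [0, d)."""
    return all(not holds(urg_phi, control, advance(clocks, Fraction(k, steps) * d))
               for k in range(steps))

# Urg(tr) = pre /\ urg for the transitions of Figure 4.1, as characterized on the page:
# coming:      pre = x > 2 /\ control = start, urgency x >= 5
# approaching: control = light, urgent once x >= 10
# passing:     control = gate,  urgent once x >= 2
URG = {
    "coming": ("start", (("x", 2, True), ("x", 5, False))),
    "approaching": ("light", (("x", 10, False),)),
    "passing": ("gate", (("x", 2, False),)),
}

def time_step_enabled(control, clocks, d):
    """Precondition of time(d): every transition permits time to advance by d."""
    return all(tp_eliminated(phi, control, clocks, d) for phi in URG.values())

def preserved_by_time_steps(inv, control, clocks, d):
    """One inductiveness obligation: inv(v) and tp(v, d) imply inv(v (+) d)."""
    if not (inv(control, clocks) and time_step_enabled(control, clocks, d)):
        return True            # vacuous: inv not assumed, or the time step is blocked
    return inv(control, advance(clocks, d))

def inv_start_le5(control, clocks):   # the candidate invariant control = start => x <= 5
    return control != "start" or clocks["x"] <= 5

def inv_start_le4(control, clocks):   # a wrong candidate (constructed), not preserved
    return control != "start" or clocks["x"] <= 4

def check_grid(inv, step=Fraction(1, 4), limit=12):
    """Sample states and delays on a rational grid; False as soon as one step breaks inv."""
    pts = [k * step for k in range(int(limit / step) + 1)]
    return all(preserved_by_time_steps(inv, loc, {"x": x}, d)
               for loc in ("start", "light", "gate") for x in pts for d in pts)
```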
4.5 Concluding Remarks
In this article, we introduced a notion of urgency predicates and compared
it with three other constructs for specifying progress properties that have
been proposed in the literature: invariants, stopping conditions and deadlines. We showed that under some rather realistic assumptions (use of clock
variables, no strict upper bounds on progress, absence of time deadlocks,...)
the four notions are equally expressive. Nevertheless, a clear advantage of
deadlines and urgency predicates in practice is that one gets absence of
time deadlocks (time reactivity) for free. A potential advantage of invari-
ants is that they allow one to bound the time at which a (locally controlled)
action occurs by a right-open interval. However, we are not aware of prac-
tical applications in which this feature is really needed. We argued that if
one uses a precondition/effect style specification language, urgency pred-
icates lead to shorter and more natural specifications than any of the other
constructs, in particular invariants. In the graphical syntax used by e.g.
UPPAAL, the use of urgency/deadline predicates would not lead to shorter
specifications than the use of invariants. Typically, in the first case one will
decorate an edge of the graph (i.e., a transition) with a label x ≥ 4, and in
the second case a label x ≤ 4 will be attached to a vertex of the graph (i.e., a
location). But whereas the use of invariants may easily lead to time dead-
locks, urgency/deadline predicates only stop time if there is a good reason
for it, that is a specific transition that must be taken, and in this manner
time deadlocks are avoided.
Folklore has it that urgency/deadline predicates are more difficult to
implement in model checkers than invariants because they easily lead to
non-convex zones. Non-convex zones indeed arise in the implementation
of timed automata with deadlines in the IF toolset [BGM02]. In partic-
ular, time transitions may lead from one convex zone to several convex
zones (not only one, as in standard timed automata with invariants). When
such a situation arises in IF, the non-convex zone is automatically split
into several, possibly overlapping, convex zones. The main reason why
non-convex zones do not arise in standard timed automata with invariants
(such as those implemented in UPPAAL) is that rather strong restrictions are
imposed on the syntax of invariants. Only conjunctions of upper bounds on
clocks—where the bounds are given by integer expressions—are allowed.
If similar restrictions would be imposed in a syntax for urgency predicates,
then no non-convex zones would arise in that setting either! More specifi-
cally, one would have to require that each urgency predicate is the disjunc-
tion of lower bounds on clocks, where the (non-strict) bounds are given by
integer expressions. In addition, the urgency predicate of an input action
a? should always be ff. We think it would be a clear improvement to the
current version of UPPAAL (3.4.7) to add such a restricted notion of urgency
predicates to the syntax, replacing the notion of an urgent channel. Adding
general urgency predicates to UPPAAL would of course also be a possibility,
but this would require splitting of zones as in the IF toolset.
In the setting that we studied, urgency predicates appear to be a very
nice way to specify progress properties, with clear advantages over some
other constructs that have been advocated in the literature. Some remain-
ing questions for future research are:
1. Exploration of proof rules to reason with urgency predicates in simu-
lations and liveness proofs.
2. Establish versions of the compositionality results of [Bow99, BS00,
BGS00] in the setting of this paper.
3. Extension of our specification language and expressiveness results
to a hybrid setting in which besides clocks also other continuously
evolving variables are allowed.
Acknowledgements Thanks to Nancy Lynch and Dilsun Kaynar for de-
tailled comments on an earlier version of this note, and to Marius Bozga for
answering some of our questions about IF.
Chapter 5
A Formal Analysis of A Car
Periphery Supervision System
with Tomas Krilavičius and Yaroslav S. Usenko
Abstract This paper presents a formal model of the real-time service allo-
cation unit for the Car Periphery Supervision (CPS) system—a case study
proposed by Robert Bosch in the context of the EU IST project AMETIST.
The CPS system is a hybrid system, which is modeled in terms of timed
automata. It is done by splitting the values of nonlinear continuous vari-
ables into finite sets of regions and over-approximating the constraints on
continuous variables into clock constraints. Safety properties of the timed
model have been verified using UPPAAL. This is a sufficient condition for
validating the corresponding safety properties of the initial hybrid system.
The difference in time scale between the CPS components has also been
taken care of by over-approximating the timed model using the convex-hull
over-approximation feature available in UPPAAL.
5.1 Introduction
A number of modeling and verification tools for real-time and hybrid sys-
tems have been developed. For instance, the tools based on the theory
of timed automata, [AD94], such as KRONOS by [BDM+98] and UPPAAL
by [BDL+01]; and the theory of hybrid automata, [Hen96], such as HYTECH
by [HHWT97]. Recent developments in devising clever computational pro-
cedures have improved the ability of verification tools to handle industrial-
size problems automatically. Yet many essential problems, specifically in
the area of hybrid systems, remain unsolvable with these techniques.
Two major problems are (1) the lack of adequate abstraction concepts
for modeling large systems, [AHLP00], (2) the exploding consumption of
computing resources by the verification algorithms, [BCM+92].
The present paper addresses the first issue and provides evidence
that correct abstraction and appropriate over-approximation techniques in
modeling of large systems lead to verifiable models from which one can
infer properties of the original model.
This is illustrated by the real-time service allocation case study for Car
Periphery Supervision (CPS) system (cf. [KR03]) proposed by Robert Bosch
GmbH in the context of the EU IST project AMETIST. The CPS system is
a hybrid system that interacts with a continuous environment via a dis-
crete controller. Moreover, CPS safety properties are parametrized with
free variables, which should be determined in order to prove the safety of
the system. The CPS model presented in this paper is a timed automata
based abstraction of the system constructed manually by dividing the en-
vironment into a finite set of regions.
Related Work
Verifying whether a hybrid system H satisfies a property P can turn out
to be undecidable for most cases. Appropriate abstraction can extract a
finite discrete system F from H by partitioning the state space of H into
a finite number of regions. The survey by [AHLP00] aims to find a class
of hybrid systems which can be abstracted into F and whose verification
against a property P is decidable. The survey has shown that, proving that
F satisfies P is equivalent or sufficient for proving that H satisfies P.
The approach used in the present paper is similar to the one of [HH95],
where, nonlinear continuous variables of the original hybrid system are
over-approximated to define a time-constrained automaton, and the ap-
proximated automaton will satisfy strictly fewer safety properties.
Another problem that leads to the state-space blowup in timed au-
tomata is the time scale difference between the different components of
the system. This is often the case when an embedded system interacts with
its environment (cf. [IKL+00]). One way to solve such problems is to use
the convex-hull over-approximation method of [HPR94] when verifying
invariant properties.
Outline
The organization of the paper is as follows: Section 5.2 presents an infor-
mal description of the CPS system. Next, in Section 5.3, the CPS system is
formally modeled in a way that the desired properties are fully preserved
and the model of the system is abstracted to allow verification. Section 5.4
presents the properties and the verification results. Finally Section 5.5 con-
cludes the paper and lists some directions for future work.
An abstract of this paper appeared as [GHKU03]. The complete UP-
PAAL model of the CPS system is available via the AMETIST project web-
page.
5.2 Car Periphery Supervision System
Car Periphery Supervision (CPS) refers to the functionality and technology
for obtaining information about the environment of a car. Applications like
parking assistance, pre-crash detection and blind spot supervision depend
on CPS for the basic operation and information sharing. Short Range Radar
(SRR) sensors are mounted in-front of the car, and they scan the environ-
ment for nearby objects. The data collected by the sensors is sent to the
computing part of CPS known as the Electronic Control Unit (ECU). The
ECU processes the data and invokes applications based on the data. The
structure of CPS and its environment is depicted in Fig. 5.1. A detailed
description of the CPS system is given in [KR03], [Mor00] and [TFF+01].
[Figure 5.1 (diagram not recoverable from the extracted text): the car carries the Sensors, the ECU and the Applications; objects in the Environment are characterised by their velocity v and angle θ.]
Figure 5.1: The CPS system and its environment
The CPS system and its environment can be viewed as a system consist-
ing of three parts, namely:
1. Environment: the environment of the CPS system is a dynamic sys-
tem with moving and stationary objects in-front of the car. Object
velocity and distance are important characteristics that determine the
behavior of the CPS system in a continuous manner. There are sev-
eral restrictive assumptions that apply to the environment in which
the CPS system is supposed to operate. This is done to make the sys-
tem more tractable.
2. Sensors: the Sensors are the interfaces through which the CPS is in-
formed about the behavior of the environment. Sensors operate in
discrete time, which can either be periodic or event-driven. The sen-
sor component includes not only the equipment for sending and re-
ceiving radar signals but also a processor for basic data processing
and control. Typically, the sensors that are situated in-front of the
car return the distance to the nearest object (from their perspective)
approaching the car.
3. ECU: the Electronic Control Unit is a board computer that performs
a collection of tasks running on top of the OSEK operating system1.
These tasks are used to control the operation of the sensors, and to
deliver accurate and on-time information about the environment to
the applications.
5.3 Formal Modeling
Each of the three parts of the CPS system operates in a different mode.
The environment is a dynamic and continuously changing system. The sen-
sors operate on a discrete time scale, while ECU tasks are real-time tasks. An
appropriate model for this system would be a hybrid automaton. How-
ever, proving correctness of a system using hybrid automata is difficult, if
at all possible.
Another approach is to abstract from the unnecessary details of the
model and transform it into a timed automata model, while preserving the
desired properties. In this section, the CPS system is modeled in timed
automata, and relevant properties are verified using UPPAAL. This model
consists of six timed automata that are put in parallel. The structure of
the system is shown in Fig. 5.2. The boxes represent the timed automata,
[Figure 5.2 (diagram not recoverable from the extracted text): the six timed automata Object, Object, Sensor, Sensor, DFusion and Env. Descr. (the last two forming the ECU); shared variables e (Object to Sensor), sd (Sensor to DFusion) and d (DFusion to Env. Descr.); synchronization actions DSCAN, CVSCAN between the ECU and the Sensors.]
Figure 5.2: Decomposition of CPS in timed automata.
the thin arrows represent the communication via shared variables, and the
thick arrows represent the multiparty action synchronization.
1 http://www.osek-vdx.org/
5.3.1 CPS Environment
The environment is a collection of several objects moving with different
velocities at different distances in-front of the car. An object i in the en-
vironment has the approaching velocity vi and the angle θi relative to the
direction of the car’s movement (see Fig. 5.1).
Relative Velocity
Let T = R+ denote the time domain and let $d_i$ denote the distance to an object i from the middle of the front of the car. Then the relative velocity of an object is defined as the function $\dot d_i : T \to \mathbb{R}$, and it is given by the difference between the velocity of the object and the velocity of the car ($v_{car}$):
$\dot d_i = v_i \cos(\theta_i) - v_{car}$
The CPS system only tracks the objects that are close enough to the car.
The distances to the remote objects and their velocities do not affect the
behavior of the CPS system.
Regions
As will be described in more detail in Section 5.3.2, the sensors in the CPS
system scan for a nearest object, and return the distance to it. This can be
given as:
$d(t) = \min_{i} d_i(t)$
The area in-front of the car is divided into twelve regions (see [KR03]
for details). These regions are ordered in descending order and numbered
from -1 to 9 (see Table 5.1).
Region name    Region number (e)
FAR            -1
PreCV          0
RGi            1...8
PreCrash       9
Table 5.1: CPS regions
Assumptions
The environment that can be handled by the limited capacity of the sen-
sors and other components of the CPS is rather small. The following three
criteria restrict the behavior of the environment that the CPS system can
interact with.
1. An object can approach the car with a relative velocity in the range
from 13m/s to 56m/s.
2. Only one object is present in the environment.
3. The CPS system will be externally reinitialized when an object
reaches the last region. In other words, the system terminates after
the crash.
Environment behaviors outside the above assumptions have rare occur-
rence. Extra recovery treatments as in [KR03], which are not included in the
current model, could be used to cope with such behaviors.
Timed Automaton of the Environment
Figure 5.3 shows a timed automaton model of the CPS environment, which
is based on the allowed relative velocity defined above. The automaton
has four locations which correspond to the region names in Table 5.1.
Initially objects are far from the car (in location FAR and e:=-1). If an object
comes closer to the car it will reach the location PreCV.
[Figure 5.3 (reconstructed from the labels in the extracted text): locations FAR, PreCV (invariant x<=zpreCV_max), RG (invariant x<=CVStepmax) and PreCrash. Edges: FAR to PreCV: e:=PreCVReg, x:=0; PreCV to RG: x>=zpreCV_min, e:=firstRReg, x:=0; RG to RG: x>=CVStepmin, e<lastRReg, e++, x:=0; RG to PreCrash: x>=CVStepmin, e>=lastRReg, x:=0, e++.]
Figure 5.3: CPS environment template
The constants zpreCV_max and zpreCV_min are time bounds on the tran-
sition of the environment from PreCV to RG0. These time bounds are calcu-
lated from velocity bounds and the length of the PreCV region. Other time
bounds shown in Fig. 5.3 are calculated in a similar manner. This method of
substituting the maximal and minimal velocity constraints into clock con-
straints is done in accordance with the method of [HH95].
An object has to cross all the regions up to the PreCrash region (e
≥ lastRReg) before it can go into PreCrash. As soon as the object is in
PreCrash, an immediate action has to be taken by the ECU. The clock x is
reset to measure the amount of time that the object spends in the PreCrash
location before the ECU does something about it. Section 5.4 lists important
invariants that have to be satisfied when an object reaches the PreCrash
location.
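As an added example (not part of the thesis or of the AMETIST model), the clock-constant calculation of the [HH95] style described above, in Python: velocity bounds are turned into integer clock bounds, and a concrete trajectory is checked against them. The velocity range 13..56 m/s is the page's assumption; the region lengths (10 m for PreCV, 1 m per RG region) and the 1 ms clock tick are made up here.

```python
from fractions import Fraction
from math import floor, ceil

# Relative-velocity range from the environment assumptions (m/s). Region lengths and
# the clock tick are NOT given on the page; the values below are assumed.
V_MIN, V_MAX = Fraction(13), Fraction(56)
TICK = Fraction(1, 1000)                              # one clock unit = 1 ms (assumed)
PRECV_LENGTH, RG_LENGTH = Fraction(10), Fraction(1)   # metres (assumed)
FIRST_RREG, LAST_RREG = 1, 8                          # RG1 .. RG8 as in Table 5.1

def clock_bounds(length_m, v_min=V_MIN, v_max=V_MAX, tick=TICK):
    """Integer clock constants [t_min, t_max] for crossing a region of the given length.
    The exact crossing time is length / velocity; rounding t_min down and t_max up only
    widens the interval, so every real trajectory stays a behaviour of the automaton."""
    ticks_fast = length_m / v_max / tick
    ticks_slow = length_m / v_min / tick
    return floor(ticks_fast), ceil(ticks_slow)

def environment_constants():
    """The four constants used by the environment template of Fig. 5.3."""
    z_min, z_max = clock_bounds(PRECV_LENGTH)
    cv_min, cv_max = clock_bounds(RG_LENGTH)
    return {"zpreCV_min": z_min, "zpreCV_max": z_max,
            "CVStepmin": cv_min, "CVStepmax": cv_max}

def precrash_window(k):
    """Earliest and latest entry time into PreCrash, counted from entering PreCV.
    After PreCV the object takes LAST_RREG - FIRST_RREG + 1 crossings bounded by
    x >= CVStepmin / x <= CVStepmax: the RG loops while e < lastRReg plus the final
    RG to PreCrash edge once e >= lastRReg."""
    n = LAST_RREG - FIRST_RREG + 1
    return (k["zpreCV_min"] + n * k["CVStepmin"], k["zpreCV_max"] + n * k["CVStepmax"])

def trajectory_admitted(v_rel, k):
    """Does a constant relative velocity v_rel (m/s) satisfy every region's clock guard
    and invariant?  Must be True for all v in [V_MIN, V_MAX] (soundness of the
    over-approximation); velocities outside the assumed range may be rejected."""
    for length, lo, hi in ((PRECV_LENGTH, k["zpreCV_min"], k["zpreCV_max"]),
                           (RG_LENGTH, k["CVStepmin"], k["CVStepmax"])):
        ticks = length / Fraction(v_rel) / TICK
        if not lo <= ticks <= hi:
            return False
    return True
```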
5.3.2 Sensor
A sensor in the CPS system scans the environment for a nearest object in-
front of the car, and returns the region value of the scanned object. A sensor
has two modes of operation: DSCAN and CVSCAN, and one IDLE mode. These
modes of operation are used as locations in the timed automaton of the
sensor depicted in Fig. 5.4.
[Figure 5.4 (reconstructed from the labels in the extracted text): locations IDLE, Dscan (invariant x<=TdMax) and CVscan (invariant x<=Tcv). Edge labels: DSCAN? x:=0 (IDLE to Dscan); x>=TdMin, e<PreCVReg, x:=0, sd:=DScanReg (Dscan loop); x>=TdMin, e>=PreCVReg, x:=0, sd:=PreCVReg (out of Dscan); CVSCAN? x:=0 (into CVscan); x==Tcv, e>sd, x:=0, sd:=e and x==Tcv, e<=sd, x:=0 (CVscan loops).]
Figure 5.4: Sensor Template
The sensor is initially in location IDLE and waits for a command from
the ECU. If it receives a DSCAN command, it conducts a long range scan
and, as soon as it finds an object in PreCV, the sensor’s distance reading sd
is updated:
$sd_i(t) = e_i(t)$,
where t is the time when the ith sensor scans the environment from its own
perspective ($e_i$). For a CVSCAN command, the sensor produces a maximum
of eight readings, one for each region RGi. It scans the environment every
Tcv time units, and sdi is updated in a similar manner.
The CPS system usually has several sensors placed in-front of the car.
In this paper only two sensors are considered. It is possible that the two
sensors return different readings. This may be a result of the fact that they
are situated at different positions, or the object may have an irregular form,
or simply there are several objects in-front of the car. Thus, in general,
there need not be any correlation between the readings of the two sensors
(even though a visibility analysis shows that the difference is rather small).
5.3.3 Electronic Control Unit (ECU)
ECU stands for the collection of tasks running on a single processor. Ac-
cording to [KR03], the ECU executes more than two tasks. Most of these
tasks are sequential and run in a predictable manner. Thus, they can easily
be grouped into two tasks without affecting their behavior. These com-
bined tasks are called DFusion (sensor fusion) and EnvDescription (envi-
ronment description).
Sensor Fusion
DFusion is a part of the ECU which receives individual distance values
from all sensors and sends a “combined” single value to the remaining
tasks. Combining several readings (sdis) into one reading (d) can be done
by the triangulation function as suggested by [KR03]. The maximum func-
tion, instead of triangulation, is used here to compute the final value, since
our model deals with one-dimensional value of the sdis only. DFusion is a
periodic task and in every jth step it computes d( j) as follows:
$d(j) = \max_{i \in \{1,2\}} sd_i(j)$
The variable d( j) is a shared variable which is also readable by EnvDescrip-
tion. Figure 5.5 shows the timed automaton of DFusion.
[Figure 5.5 (reconstructed from the labels in the extracted text): a single location with invariant x<=MT and two self-loops: x==MT, sd1<sd2 with update d:=sd2, x:=0; and x==MT, sd1>=sd2 with update d:=sd1, x:=0.]
Figure 5.5: Sensor Fusion
Environment Description
EnvDescription is a part of ECU that receives environment data from DFu-
sion and maintains accurate information about the environment. While
doing so, EnvDescription controls the mode of operation of the sensors as
well. The sensor-controlling part is defined in [KR03] as the “situation anal-
ysis” task. In the present paper it is combined with the EnvDescription task
to avoid the state-space explosion.
The timed automaton of EnvDescription is shown in Fig. 5.6. Initially
EnvDescription is in location IDLE, from which it periodically reads the
value of d and broadcasts the DSCAN command to the sensors. If the value
of d shows that an object is present in the PreCV region, then the automa-
ton jumps to location (PreCV0), from which it sends the CVSCAN command.
[Figure 5.6 (reconstructed from the labels in the extracted text): locations IDLE (invariant x<=MT, y<=DT), PreCV0 (invariant x<=CVComDL) and RGi (invariant x<=MT). Edge labels: y==DT, DSCAN!, y:=0 (IDLE loop); d<PreCVReg, x==MT, x:=0 (IDLE loop); d>=PreCVReg, x:=0, y:=0 (IDLE to PreCV0); d<PreCVReg, x:=0, y:=0 (back to IDLE); x==CVComDL, d>=PreCVReg, CVSCAN!, x:=0 (PreCV0 to RGi); d>i, x==MT, i:=d, x:=0 and x==MT, d<=i, x:=0 (RGi loops).]
Figure 5.6: Environment Description (ED)
There is a time delay of CVComDL time units before this command happens.
Once the sensors receive the CVSCAN command, the EnvDescription counts
the number of RGi regions by reading d computed by DFusion.
5.4 Verification
5.4.1 Requirements
The primary goal of the CPS system is to provide accurate information
about the environment of the car to the applications such as airbag infla-
tion, parking assistance, pre-crash detection and others. The accuracy of
the information provided by ECU is measured by the time delay between
a change in the environment and the knowledge of the ECU about this
change. The properties are stated below as parametrized temporal logic
formulas, and they were verified using UPPAAL on a workstation with a
512MHz CPU and 256Mb of RAM. The time required to verify these prop-
erties was drastically reduced using the convex-hull approximation feature
of UPPAAL to less than a minute.
Property 1 (P1): EnvDescription has accurate information about the position of the object in the collision course. This property is modeled
in the following way: the EnvDescription’s information ED.i about
the region of the object should not deviate too much from the envi-
ronment’s information e1 about the same object. The goal is to find
the maximal difference Q between these two values (the minimal Q
for which the formula is satisfied).
A[] (e1-ED.i <= Q and e2-ED.i <= Q)
Property 2 (P2): When an object reaches the pre-crash region (the envi-
ronment automaton is in location ENV1.PreCrash), EnvDescription
knows about this (ED.i == lastRReg+1) within a few time units
(ENV1.x > P). Here ENV1.x represents the time after the environment
automaton moved into location ENV1.PreCrash, and we are inter-
ested in finding the minimal value of P.
A[] ((ENV1.PreCrash and ENV1.x > P)
imply (ED.i == lastRReg+1))
Property 3 (P3): The ECU avoids false alarm. EnvDescription never re-
ports advancement of an object toward the car before the object (the
environment) actually does so.
A[] (ED.i <= e1 or ED.i <= e2)
Property 4 (P4): The system is deadlock free.
A[] (not deadlock)
5.4.2 Results
The CPS model satisfies properties P1 for Q ≥ 3, P2 for P ≥ 5, P3 and P4.
Note that Q can also be computed from P as Q = ⌈P/CVStepmin⌉, since the
difference in the number of regions can also be expressed as a difference in
time.
In the above model DFusion and EnvDescription run in arbitrary order,
no prior scheduling is assumed. It is possible, however, to schedule the
execution in such a way that, DFusion computes d and EnvDescription up-
dates its counter immediately. Under such synchronization EnvDescription
will update its information faster. Figure 5.7 shows the model of EnvDe-
scription using this alternative schedule. The model of the new DFusion is
not shown here, but it is similar to the one in Fig. 5.5 except that the new
model sends a synchronization signal (ND!) to the EnvDescription as soon
as a new value of d is computed. After the synchronization with DFusion,
EnvDescription makes its decision without a delay (see the urgent locations
[Figure 5.7 (reconstructed from the labels in the extracted text): locations IDLE (invariant x<=DT), PreCV (invariant x<=CVComDL) and RG. Edge labels: x==DT, DSCAN!, x:=0 (IDLE loop); ND? d>=PreCVReg, x:=0 (IDLE to PreCV); ND? d<PreCVReg (IDLE loop); d<PreCVReg, x:=0 (PreCV back to IDLE); d>=PreCVReg, x==CVComDL, CVSCAN!, x:=0 (PreCV to RG); ND? d<=i and ND? d>i, i:=d (RG loops).]
Figure 5.7: Modified Environment Description
in Fig. 5.7). For this setting the properties P1 for Q ≥ 2 and P2 for P ≥ 3 are
satisfied.
In both cases P is equal to the time needed for information to propagate
from the environment to EnvDescription. That is the sum of the time
spent by the sensor (Tcv), DFusion and EnvDescription.
P = Tcv + MT + MT
But in the scheduled model, both EnvDescription and DFusion need only
one MT to update their information, and propagation time is reduced to
P = Tcv + MT . These two cases show the worst and best cases for deter-
mining the value of P. In general, however, P is equal to Tcv + MT plus
the overhead associated with scheduling of the ECU tasks and the time
spent by each task. When the OSEK operating system is used to schedule the
ECU tasks, and if OSEK_SchTime(Ti) is the time delay due to scheduling and
running the tasks Ti, then the value of P is
P = Tcv + MT + OSEK_SchTime(Ti).
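As an added example (not part of the thesis), the propagation-delay reasoning of this section as a small phase-sweeping simulation in Python: a chain of periodic tasks sensor (Tcv), DFusion (MT) and EnvDescription (MT), with and without the ND! handshake of Fig. 5.7, and the conversion Q = ⌈P/CVStepmin⌉. The constants Tcv = 1, MT = 2 and CVStepmin = 2 are assumed here; they are chosen so that the results match the P and Q values reported above, not taken from the model.

```python
from itertools import product

# Assumed period values (not from the page), chosen so that the worst cases reproduce
# P = Tcv + MT + MT = 5 (unscheduled) and P = Tcv + MT = 3 (scheduled), Q = 3 and 2.
TCV, MT, CVSTEP_MIN = 1, 2, 2

def next_sample(t, period, phase):
    """First sampling instant phase + k*period strictly after t.  A task that samples at
    the very instant its producer updates is assumed to still see the old value; this
    is the worst case an A[] property has to cover."""
    k = (t - phase) // period + 1
    return phase + k * period

def propagation_delay(phases, scheduled=False):
    """Time until EnvDescription learns of an environment change that happens at t = 0.
    Chain: sensor (period Tcv) -> DFusion (period MT) -> EnvDescription (period MT).
    With the ND! synchronization of Fig. 5.7, EnvDescription reacts in the DFusion instant."""
    t_sensor = next_sample(0, TCV, phases[0])
    t_fusion = next_sample(t_sensor, MT, phases[1])
    if scheduled:
        return t_fusion
    return next_sample(t_fusion, MT, phases[2])

def worst_case_delay(scheduled=False):
    """Maximise over all task phases: the model assumes no prior scheduling, so every
    relative offset of the periodic tasks is a possible run."""
    return max(propagation_delay(ph, scheduled)
               for ph in product(range(TCV), range(MT), range(MT)))

def region_lag(p, cv_step_min=CVSTEP_MIN):
    """Q = ceil(P / CVStepmin): the delay P expressed as regions crossed at top speed."""
    return -(-p // cv_step_min)
```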
5.5 Conclusion and Future Work
The car periphery supervision is a hybrid system. Verifying properties for
hybrid systems is undecidable in general. However, the continuous vari-
ables of the model, the environment in this case, can be discretized to a
finite block of regions in order to make verification of the properties possi-
ble.
The different time scales between the environment and the CPS components have resulted in a state-space blow up. The convex-hull over-approximation technique of UPPAAL was used to verify the safety properties of the system. Another approach could be the exact acceleration
method of [HL02].
The assumptions made on the environment of CPS are too restrictive.
Some of them can be omitted by introducing a recovery mode in case when
more than one object appears in the RG regions. As described in [KR03], the
recovery mode is a third mode of sensor operation, which scans for follow-
up objects when a nearest object disappears from the scene. This scenario
may happen when one object in the collision course changes its trajectory
and disappears; and later on, another object, which was close to the first
one, enters a collision course. Adding a recovery method to the model for
such a scenario would be an interesting future step.
Acknowledgments
The authors would like to thank (in reverse-alphabetic order) Frits Vaan-
drager, Stefan Kowalewski, Holger Hermanns, Marko Auerswald and the
members of the Sensor Group at Robert Bosch GmbH for their valuable
comments and reviews.
Chapter 6
Control Synthesis for a Smart
Card Personalization System
using Symbolic Model
Checking
with Frits W. Vaandrager
Abstract Using the Cadence SMV symbolic model checker we synthe-
size, under certain error assumptions, a scheduler for the smart card per-
sonalization system, a case study that has been proposed by Cybernetix
Recherche in the context of the EU IST project AMETIST. The scheduler
that we synthesize, and of which we prove optimality, has been previously
patented. Due to the large number of states (which is beyond 10^13), this
synthesis problem appears to be out of the scope of existing tools for con-
troller synthesis, which typically use some form of explicit state enumera-
tion. Our result provides new evidence that model checkers can be useful
to tackle industrial sized problems in the area of scheduling and control
synthesis.
6.1 Introduction
Background
Model checking involves analyzing a given model of a system and ver-
ifying that this model satisfies some desired properties. System models
are typically described as finite transition systems, while properties are de-
scribed in terms of temporal logic. Once the definition of the system, S, and
its property, ψ, are fixed, the model checking problem is easily described
as S |= ψ? (does S satisfy ψ?). Thanks to the symbolic representation of
transition systems, state-of-the-art model checking tools are now capable
of solving such problems for models with more than 10^20 states [BCM+92].
Control synthesis, on the contrary, does not assume the existence of a
model of the full system. Instead, it considers the uncontrolled plant and
tries to synthesize a controller by finding a possible instance of a model that
satisfies a desired property. Control synthesis for Discrete Event Systems
(DES) has been extensively studied over the past two to three decades, and
a well-established theory has been developed by Ramadge and Wonham
[RW89]. The Ramadge and Wonham framework (RW) is based on the for-
mal (regular) language generated by a finite state machine. The RW plant
model P (generator) is obtained by describing the plant processes in terms
of a formal language which is generated by a finite automaton. A means
of control is adjoined to this generator by identifying the events that can be
enabled or disabled by the controlling agent. The specifications Sp are de-
scribed in terms of the formal language generated by P. The controller is
then constructed from a recognizer for the specified language given by Sp.
Control synthesis problems for Discrete Event Systems like the Cyber-
netix smart card personalization system [Alb02] are covered by the Ra-
madge and Wonham supervisory control theory. In the present paper, how-
ever, we (partially) solve the problem using a model checker, namely SMV
[McM93].1 This approach allows us to benefit from the (BDD-based) sym-
bolic representation technique of SMV and to solve the problem which,
because of its size (more than 10^13 states), would be intractable otherwise.
Our results demonstrate that model checkers can be useful to solve prob-
lems in the area of scheduling and control synthesis.
Outline
Using SMV we synthesize a scheduler for a smart card personalization sys-
tem, which has previously been patented by Cybernetix Recherche. We also
show that this scheduler, known as the “super single mode” [Alb02] is op-
timal in the absence of errors. Finally, we synthesize a set of schedulers for
defective card treatment that stabilize the system back to the super single
mode.
The paper is structured as follows: Section 6.2 provides a formal defi-
nition of the uncontrolled plant of the smart card personalization system,
and defines the correctness and optimality criteria. Section 6.3 explains the
super single mode, and how it was generated using SMV. Section 6.4 deals
with systems with faulty cards. We list the errors that may occur during
the operations of the machine, show how to deal with such errors, and give
1 We use the version of SMV developed at Cadence Berkeley Laboratories, see
http://www-cad.eecs.berkeley.edu/~kenmcmil/smv/.
an overview of the synthesized error treatment methods. We conclude the
paper by pointing out some observations and directions for future work in
Section 6.5. Extended version of this work appears in KUN technical re-
port [GV03b]. An electronic copy of SMV code and also of trace simulator
that we developed to visualize the schedules are available via the URL
http://www.cs.kun.nl/ita/publications/papers/biniam/cyber.
Related Work
The Ramadge and Wonham framework has been implemented by several research groups and industries. One of the tools developed by Wonham and his research team is CTCT (C based Toy Control Theory; see footnote 2), a tool that was built for research purposes only and uses an exhaustive list to represent the model. Its capacity, as the name indicates, has never extended beyond toy examples. A new approach, Vector Discrete Event Systems, was studied in [LW93, YL94] to alleviate the shortcoming of CTCT by exploiting the structural properties of DES. Although this approach resulted in better performance, its structural analysis approach cannot be generalized [CL99].
Other notable developments in this area are: the UMDES-LIB library from the University of Michigan [SSL+95], Bertil Brandin’s tool for DES control synthesis with heuristics [Bra96], a tool for Condition/Event Systems [SK91], and the tool by Martin Fabian and Knut Åkesson [ÅF99]. All the above tools lack a symbolic representation of state transitions and suffer from state space explosion. A Binary Decision Diagram (BDD)-like data structure called Integer Decision Diagram (IDD) has been used to represent sets of states symbolically; for example, Gunnarsson [Gun97] and Zhang and Wonham [ZW01] have used IDDs in their implementations. This approach is quite promising for dealing with large systems, but it is still at the laboratory stage and not available to the public.
Our main motivation for using SMV is thus to overcome this deficiency and to benefit from the symbolic representation of SMV. The smart card personalization system is quite a large system and cannot be handled with a tool that does not use symbolic representation. Our paper shows how the scheduler synthesis can be solved using a model checker and presents new evidence that model checkers can be useful in solving problems in the area of scheduling and synthesis. A similar technique was also employed in [Feh99, HLP01, NY00] to synthesize schedulers for industrial-size problems.
We were the first to model the smart card personalization system and to synthesize a scheduler for it. However, the same case study has also been addressed by other members of the AMETIST consortium: T. Krilavicius and Y. Usenko using UPPAAL and µCRL [KU03], T. Ruys using SPIN [Ruy03], A. Mader using UPPAAL [Mad04] and G. Weiss using Live Sequence Charts (LSC) [Wei03] have studied the same problem. None of these approaches, however, deals with error handling.

Footnote 2: See http://odin.control.toronto.edu/people/profs/wonham.
6.2 Smart Card Personalization System
The “smart card personalization system” is a case study that has been
proposed by Cybernetix Recherche in the context of the EU IST project
AMETIST [Alb02]. The case study concerns a machine for smart card per-
sonalization, which takes piles of blank smart cards as raw material, pro-
grams them with personalized data, prints them and tests them.
The machine has a throughput of approximately 6000 cards per hour. It
is required that the output of cards occurs in a predefined order. Unfortu-
nately, some cards may turn out to be defective and have to be discarded,
but without changing the output order of personalized cards. Decisions
on how to reorganize the flow of cards must be taken within fractions of a
second, as no production time is to be lost.
The goal of the case study is to model the desired production require-
ments as well as the timing requirements of operations of the machine, and
on this basis synthesize the coordination of the tracking of defective cards.
More specifically, the goal is to synthesize optimal schedules for the person-
alization machine in which defective cards are dealt with, i.e., schedules in
which
1. cards are produced in the right order (safety). The order of cards is
important as no other sorting mechanism should exist in the system,
2. throughput is maximal (liveness).
6.2.1 The Uncontrolled Plant Model
Figure 6.1 shows a simplified smart card personalization machine. The ma-
chine consists of a conveyor belt and personalization stations mounted on
top of it. The machine also has an input station and an output station,
which are situated on the left and right side of the belt respectively. New
cards enter the system through the input station and advance to the right
one step at a time. At some point, a card is lifted up to one of the per-
sonalization stations, spends some time there (is personalized), and is then
dropped back onto the belt. The card then moves towards the output station for testing and delivery. The actual machine is considerably more complicated than the machine in Figure 6.1, but our aim is to find a scheduler that effectively utilizes the personalization stations and optimizes throughput. The simplified model of the machine appears to be adequate for this purpose.

[Figure 6.1: Simplified smart card personalization machine. Labels: input station (left), output station (right), conveyor belt with forward move, personalisation stations mounted above the belt, lifting and dropping of cards.]

[Figure 6.2: The model of the smart card personalization machine. Labels: input feeding the first slot with a value from {−1, −2}, N belt slots a_j, M stations (b_j, x_j) with station j above slot a_{j+1}, output at the right end.]
The SMV model for the uncontrolled machine is a collection of processes running concurrently: forward (moving the belt one step to the right) and, for each personalization station j, lift_drop_j (lifting/dropping a card from/to the belt to/from station j). We employ a discrete model of time, in which one time unit is equivalent to one forward move of the belt. All personalization stations are identical and need S time units to personalize a card. We assume that lifting and dropping take no time.
We assume there are M stations (denoted by b_j) and N = M + 2 slots on the belt (denoted by a_j), as shown in Figure 6.2. To make model checking possible, the number of different personalizations is assumed to be bounded by some value K, which is a multiple of M. Each slot or station holds a value as shown in Table 6.1. An empty slot/station is coded twice (as -3 and -2) in order to distinguish between the initial value (-3) and a slot/station that has been emptied along the way (-2). This allows us to control intermediate blank slots more efficiently, as will be explained below. We also use an integer variable x_j (0 ≤ j < M) as a clock to record how long a card has been held in station j.

Table 6.1: System parameters and encoding of values.

  parameter   represents
  M           number of stations
  N           total number of slots
  K           number of different personalizations
  S           time needed for personalization

  slot/station value   meaning
  -3                   empty (initial value)
  -2                   emptied
  -1                   new card
  j, 0 ≤ j < K         personalized with j
  K                    defective card

Formally, the process forward is defined as follows.

module forward(a,b,x){
    next(a[0]):={-1,-2};          /* a new card appears non-deterministically */
    for(j=1;j<=N-1;j=j+1)
        next(a[j]):=a[j-1];       /* move the belt forward */
    for(j=0;j<=M-1;j=j+1){
        if(x[j]<S & b[j]>=0)      /* increment the clocks of the busy stations */
            next(x[j]):= x[j]+1;
    }
}
and the processes lift_drop_j (0 ≤ j < M) are defined as:

module lift_drop(a,b,x,j){
    if(b[j] <= -2 & a[j+1] = -1){   /* idle station and a new card beneath it */
        next(b[j]):= 0..K;          /* choose a personalization (K = defective) */
        next(a[j+1]):=b[j];         /* reset the slot (to -3 or -2) */
        next(x[j]):=0;              /* reset the clock */
    }
    else if(b[j] >= 0 & x[j] = S    /* card personalized */
            & a[j+1] = -2 ){        /* and a blank slot beneath */
        next(a[j+1]):=b[j];         /* drop the card */
        next(b[j]):= -2;            /* reset the station */
    }
}
Correctness
The desired correctness property is:
There exists a run that always produces personalized cards in the right
order.
To formalize the concept of “right order”, an observer process is introduced that compares the output value with the expected value. Formally, the observer is defined as follows. We introduce a new state variable out, which is initially 0, and assume K is a multiple of M, say 2·M. The behavior of the observer is specified by:

if(out = a[N-1]) next(out):= (out+1) mod K;   /* expected card: advance */
else if(a[N-1]>-2) next(out):= K;              /* wrong order or unpersonalized card */

If cards are not produced in the right order, or if a card is output that has not been personalized, the observer sets the value of out to the “error” value K. The control objective then becomes to ensure that the observer never detects an error. We can synthesize a scheduler that realizes this (if one exists) by asking SMV whether the following CTL formula holds:

AF¬(out < K). (6.1)

If this formula does not hold, then there exists an infinite run in which out < K holds in all states, i.e., the observer never detects an error. In this case SMV provides a counterexample, which is essentially an infinite schedule for the machine that meets the control objective.
Optimization
Obviously, there are many runs in which all states satisfy out < K, for instance a run in which the machine produces no cards at all. The interesting runs are those with high throughput, or more specifically with fewer blank slots in the output.

To minimize the blank slots in the output, and in order to guide SMV towards optimal schedules, we introduce the “blank tolerance condition” of the machine in the form of a new state variable tl, which is initially 0 and is incremented and decremented as follows:

if(a[N-1]=-2) next(tl):=tl-1;                                /* a blank slot arrives */
else if( a[N-1]>=0 & (a[N-1] mod S) = S-1) next(tl):=tl+1;   /* S cards produced */

We add 1 to tl each time S cards have been produced (a_{N−1} mod S = S−1). We decrement tl by 1 whenever a blank slot arrives (a_{N−1} = −2). However, we start decrementing only after the leading blank slots (a[N-1] = -3) have passed. In all other cases we leave the value of tl unchanged.

Now we ask SMV whether the following CTL formula holds:

AF¬(out < K ∧ tl ≥ 0). (6.2)

If this formula does not hold, there exists an infinite run, i.e., a scheduler, that maintains the invariant tl ≥ 0. This means that each time the system has produced S cards, the observer tolerates a single blank slot.
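To make the construction of this section concrete, the following Python program is an added example; it is not the SMV code of the thesis (which is available from the URL given in the introduction). It re-implements the plant processes forward and lift_drop, the observer out and the blank-tolerance counter tl as in the fragments above, and then answers the question behind formula (6.2) by explicit enumeration: it collects the reachable states satisfying out < K ∧ tl ≥ 0, computes the greatest fixpoint for EG(out < K ∧ tl ≥ 0) and extracts the counterexample that SMV would report as a lasso (a prefix followed by a cycle) of controller choices. The modelling assumptions are mine, not the thesis's: one step is a forward move followed by all enabled lift and drop operations (the zero-time process steps of the SMV model), drops are eager, lifting is optional (an unscheduled SMV process), and tl is capped at tl_cap so that the state space is finite, so a None result means that no run keeps tl within [0, tl_cap]. Only tiny parameters are feasible with explicit states, which is exactly why the thesis turns to a BDD-based model checker.

```python
"""Explicit-state re-implementation of the scheduler synthesis of Section 6.2.

Added example, not the SMV code of the thesis.  Plant (forward, lift_drop),
observer `out` and blank tolerance `tl` follow the SMV fragments and Table 6.1;
the question behind formula (6.2), "is there an infinite run along which
out < K and tl >= 0 always hold" (EG), is answered by explicit enumeration and
the SMV counterexample is read off as a lasso of controller choices.
Assumptions (mine): one step = forward move + all enabled lift/drop operations;
drops are eager; lifting is optional; tl is capped at tl_cap for finiteness.
"""
from collections import deque
from itertools import product

EMPTY_INIT, EMPTY, NEW = -3, -2, -1          # slot/station encoding of Table 6.1


def initial(M, N):
    return ((EMPTY_INIT,) * N, (EMPTY_INIT,) * M, (0,) * M, 0, 0)


def step(state, choice, M, N, K, S, tl_cap):
    """One time unit. state = (slots a, stations b, clocks x, out, tl);
    choice = (new_card, lifts): lifts[j] is the value 0..K-1 lifted into
    station j, or None to leave the card on the belt."""
    a, b, x, out, tl = state
    new_card, lifts = choice
    # module forward: shift the belt one slot, advance clocks of busy stations
    a2 = [NEW if new_card else EMPTY] + list(a[:-1])
    b2 = list(b)
    x2 = [min(xj + 1, S) if bj >= 0 else xj for bj, xj in zip(b, x)]
    # module lift_drop: station j sits above slot j+1
    for j in range(M):
        below = a2[j + 1]
        if b2[j] <= EMPTY and below == NEW and lifts[j] is not None:
            a2[j + 1], b2[j], x2[j] = b2[j], lifts[j], 0   # slot inherits -3/-2
        elif b2[j] >= 0 and x2[j] == S and below == EMPTY:
            a2[j + 1], b2[j] = b2[j], EMPTY                 # drop the finished card
    # observer and blank tolerance watch the output slot a[N-1]
    last = a2[N - 1]
    if last == out:
        out2 = (out + 1) % K                # expected card: advance the counter
    elif last > EMPTY:
        out2 = K                            # wrong order or unpersonalized card
    else:
        out2 = out
    if last == EMPTY:
        tl2 = tl - 1                        # a blank slot reached the output
    elif last >= 0 and last % S == S - 1:
        tl2 = min(tl + 1, tl_cap)           # S cards produced: one blank allowed
    else:
        tl2 = tl
    return (tuple(a2), tuple(b2), tuple(x2), out2, tl2)


def choices(state, M, K):
    """All controller decisions for one step: input slot and lift values."""
    a, b, _, _, _ = state
    # after the forward move, slot j+1 holds the current a[j]
    opts = [[None] + list(range(K)) if b[j] <= EMPTY and a[j] == NEW else [None]
            for j in range(M)]
    for new_card in (True, False):
        for lifts in product(*opts):
            yield (new_card, lifts)


def synthesize(M, S, K, tl_cap=None):
    """Schedule witnessing EG(out < K and tl >= 0) as (prefix, cycle), or None
    if no run keeps tl within [0, tl_cap] forever (then formula (6.2) holds)."""
    N = M + 2
    tl_cap = S if tl_cap is None else tl_cap
    init = initial(M, N)
    succ, queue = {init: []}, deque([init])
    while queue:                                    # reachable states satisfying p
        s = queue.popleft()
        for c in choices(s, M, K):
            t = step(s, c, M, N, K, S, tl_cap)
            if t[3] < K and t[4] >= 0:
                succ[s].append((c, t))
                if t not in succ:
                    succ[t] = []
                    queue.append(t)
    alive = set(succ)                               # greatest fixpoint for EG p
    changed = True
    while changed:
        changed = False
        for s in list(alive):
            if not any(t in alive for _, t in succ[s]):
                alive.discard(s)
                changed = True
    if init not in alive:
        return None
    path, seen, s = [], {}, init                    # lasso: prefix + repeating cycle
    while s not in seen:
        seen[s] = len(path)
        c, s = next((c, t) for c, t in succ[s] if t in alive)
        path.append(c)
    return path[:seen[s]], path[seen[s]:]


def replay(M, S, K, prefix, cycle, rounds=2):
    """Drive the plant with a synthesized schedule; return the output-slot values."""
    N, s, seen = M + 2, initial(M, M + 2), []
    for c in prefix + cycle * rounds:
        s = step(s, c, M, N, K, S, S)
        assert s[3] < K and s[4] >= 0, "schedule violates the invariant of (6.2)"
        seen.append(s[0][N - 1])
    return seen


if __name__ == "__main__":
    prefix, cycle = synthesize(M=2, S=2, K=2)
    print("prefix", len(prefix), "cycle", len(cycle), "steps")
    print("output slot:", replay(2, 2, 2, prefix, cycle))
    print("S > M (M=1, S=2):", synthesize(M=1, S=2, K=2))   # None: (6.2) holds
```

For M = 2, S = 2, K = 2 a lasso is found; since every blank in the output has to be paid for by S = 2 produced cards, any cycle that keeps tl ≥ 0 outputs two cards per three time units, which is the M-station analogue of the super single mode. For M = 1, S = 2 (so S > M) the search returns None, in line with the observation in Section 6.3 that formula (6.2) holds when a station needs more than M time units per card.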
6.3 The Super Single Mode
Using the approach outlined in the previous section, the example run in Table 6.2 was generated. With a “normal-speed” PC we were able to generate example runs for M ≤ 5 (in the real machine M could be 8, 16 or 32). The runs exhibit the schedule of the super single mode as patented by Cybernetix. Table 6.2 shows the first 19 configurations of the super single mode with M = 4, S = 4, K = 12. Each row represents a single configuration at a given time. The left part of the row shows the values of the stations, while the right part shows the values of the slots on the conveyor belt. An empty cell means the slot or the station is idle, a box (□) represents a new card, and a number represents the personalization value of the card contained in the station or in the slot. Table 6.2 can be read as:
• time 0: the machine is empty.
• time 1: first new card arrives on the conveyor belt.
• time 2: the first card is lifted to station 0.
• time 4: the second card is lifted to station 1 and it continues likewise.
• time 5: there is no card from the input.
• time 6: station 0 finishes personalizing a card with value 0. In super
single mode, M (4 in this example) time units are required to person-
alize a card.
• time 7: station 0 proceeds with personalizing another card with a dif-
ferent value (namely 4). Note that value 3 is not taken yet. This pat-
tern shows that the order of output is exactly the same as the order
of the cards when they are fed into the machine, but the production
order is different, and there is an overlap between rounds. This over-
lap is even more clearly visible when a machine with 8 (instead of 4)
personalization stations is considered.
Table 6.2: The super single mode for 4 personalization stations (M = 4, S = 4, K = 12). For each time step the left part gives the contents of stations 0 to 3, the right part the contents of belt slots a0 (input) to a5 (output); station j sits above slot a(j+1). A box (□) is a new card, a number the personalization value of a card, and a dot an idle station or empty slot.

time | st0 st1 st2 st3 | a0  a1  a2  a3  a4  a5
-----+-----------------+------------------------
   0 |  .   .   .   .  |  .   .   .   .   .   .
   1 |  .   .   .   .  |  □   .   .   .   .   .
   2 |  0   .   .   .  |  □   .   .   .   .   .
   3 |  0   .   .   .  |  □   □   .   .   .   .
   4 |  0   1   .   .  |  □   □   .   .   .   .
   5 |  0   1   .   .  |  .   □   □   .   .   .
   6 |  .   1   2   .  |  □   0   □   .   .   .
   7 |  4   1   2   .  |  □   .   0   □   .   .
   8 |  4   .   2   3  |  □   □   1   0   .   .
   9 |  4   5   2   3  |  □   □   .   1   0   .
  10 |  4   5   .   3  |  .   □   □   2   1   0
  11 |  .   5   6   3  |  □   4   □   .   2   1
  12 |  8   5   6   .  |  □   .   4   □   3   2
  13 |  8   .   6   7  |  □   □   5   4   .   3
  14 |  8   9   6   7  |  □   □   .   5   4   .
  15 |  8   9   .   7  |  .   □   □   6   5   4
  16 |  .   9  10   7  |  □   8   □   .   6   5
  17 | 12   9  10   .  |  □   .   8   □   7   6
  18 | 12   .  10  11  |  □   □   9   8   .   7

If in our model a station is allowed to take more than M time units for personalizing a card, i.e., S > M, then CTL formula (6.2) holds. In other words: if the conveyor belt rolls faster than the personalization stations can handle, then personalizing M consecutive cards becomes impossible. Similarly, for a personalization time of M time units, if we have M + 1 consecutive new cards followed by empty slots (even with lots of empty slots), then it becomes impossible to personalize all of them. This result implies that the super single mode is optimal in the absence of errors.
6.4 Error Recovery
The control objective for the smart card personalization machine is to per-
sonalize cards in the right order even in the presence of errors. The super
single mode, as explained above, only works for a perfect machine that
makes no errors. In general, it is difficult to prevent errors from occurring (even though errors are rare, approximately 1 in 6000 cards), and so it makes our approach more realistic if we allow for the occurrence of errors in our model, and provide a means of recovering from them.
There are several methods to achieve fault-tolerant behavior. Our ap-
proach is inspired by the concept of self-stabilization [Dij74, Tel94], which
is well-known from the area of distributed algorithms. An algorithm is
called stabilizing if it eventually starts to behave correctly (i.e., according
to the specification of the algorithm), regardless of the initial configuration.
Figure 6.3 shows the production cycle of the personalization machine under the super single mode. In the normal mode of operation the machine loops on the super single mode cycle (the continuous line). This loop is also shown in Table 6.2 with actual figures. The configurations of the machine at times 9, 10, 11, 12 and 13 are equivalent (personalization value modulo M = 4) to the configurations at times 14, 15, 16, 17 and 18 respectively. Thus the super single mode enters the loop at time 9 and loops forever with a period of 5 time units.

[Figure 6.3: Stabilization of the smart card personalization system. From the initial state the machine enters the super single mode cycle (continuous line); an error (dashed line) leaves the cycle and a recovery operation (dotted line) brings the machine back to it.]
However, when an error occurs (dashed line in figure 6.3), an error re-
covery treatment (dotted line) should be conducted to stabilize the system
and bring it back to the loop. We use SMV to synthesize an error recovery
treatment that brings the machine back to the loop. Basically, our approach
is as follows:
1. Use SMV to synthesize a regular super single mode run, as described
in the previous section.
2. Pick a state on this run and manually introduce an error; the new
error state s now becomes the start state of the model.
3. Pick an arbitrary state t on the super single mode cycle, and encode
this as an SMV state formula ϕ.
4. Ask SMV whether the following formula holds:
AG¬ϕ. (6.3)
If formula (6.3) does not hold then SMV generates a counterexample; this counterexample is the schedule for a recovery operation that brings the system from state s back into super single mode.

[Figure 6.4: Expanded model of the smart card personalization machine. Labels: input, D extra slots d_i between the input station and the first personalization station, the M stations (b_j, x_j) above belt slots a_j, the sweep position, N slots towards the output, and the output.]
Note that, unlike the theory of self-stabilization, we do not consider arbi-
trary initial configurations, but only configurations that have been obtained
by introducing a single error into a super single mode configuration.
6.4.1 Types of Errors
It is easy to list many scenarios that can make the system behave erratically. In this paper we only consider errors that may occur in the card, that is:
1. Type 1 errors (E1) are errors in a smart card originating from physical damage or other causes. This type of error is detected by the personalization stations. E1a and E1b in Table 6.3 are examples of E1 errors.
2. Type 2 errors (E2) are errors originating from the personalization station when cards are personalized wrongly, which makes them unusable. This type of error is detected by a tester situated at the end of the personalization stations. E2a in Table 6.3 is an example of an E2 error.
To make our system recoverable from these errors, we will modify our
model in two ways: by adding extra operations and by expanding the belt
in both directions.
6.4.2 Recovery Operations
If a defective card is detected in the tester then, in order to maintain correctness (i.e., produce personalized cards in the right order), the defective card has to be removed, and a replacement card has to be produced and inserted in the right position. In order to realize this, first the defective card has to be swept off the belt, and then the belt has to go back to one of the personalization stations to retrieve a replacement card and place it in the right position. For this purpose we enrich our model with ‘backward’ and ‘sweep’ operations.

Table 6.3: The super single mode for 8 personalization stations with errors (M = 8). Only the card value entering a station is shown, with the individual station columns collapsed into one; □ is a new card at the input.

time | input | value in station | output (tester)
-----+-------+------------------+----------------
  9  |       |                  |
 10  |   □   | 4                |
 11  |   □   | 8                |
 12  |   □   | 5                |
 13  |   □   | E1a              |
 14  |   □   | E1b              |
 15  |   □   | 10?              |
 16  |   □   | 7?               |
 17  |   □   | 11?              |
 18  |       |                  | 0
 19  |   □   | 12?              | 1
 20  |   □   | 16?              | 2
 21  |   □   | 13?              | E2a
 22  |   □   | 17?              | 4
 23  |   □   | 14?              | 5
 24  |   □   | 18?              | E1b
 25  |   □   | 15?              | 7?
 26  |   □   | 19?              |
 27  |       |                  | 8
The backward move is the same as the forward move except that it
moves the belt in the opposite direction. The forward move is the “nor-
mal” way of moving the belt, the backward move is used only to handle
defective cards [Alb02]. We assume that a backward move takes 1 time
unit per step.
When the belt moves backward, the leftmost cards on the belt are also pushed back to the edge. For technical reasons explained in [Alb02], the preferred way of treatment is to expand the belt to the left. As shown in Figure 6.4, the gap between the input station and the first personalization station, denoted by d_i (0 ≤ i ≤ D, D = M), is important for backward movement. Similarly, the belt is also expanded to the right: N (= M + 2) covers the extended slots on the right side.
A sweeper is a device that kicks defective cards off the belt. In the physical machine, the sweeper is situated after the personalization stations. Formally the sweep operation is defined as:

module sweep(a){
    if(a[M]=K) next(a[M]):=-2;   /* remove the defective card, leaving a blank slot */
}

Table 6.4: Safety requirements for belt operations.

  operation   safety requirement             meaning
  backward    d_0 < 0                        no processed card reaches the input station;
                                             unprocessed (new) cards may return to the input station
  forward     a_{N-1} = out ∨ a_{N-1} = -2   no unexpected card reaches the tester station
  sweep       a_M = K                        only defective cards are swept
6.4.3 Safety Requirements
During the stabilization process, the machine executes operations that are
not performed in super single mode. Even if the machine is allowed to
perform these special operations, there are some safety requirements that
have to be obeyed by the control program. These are shown in Table 6.4.
6.4.4 Results
For a single error scenario as defined above, there are 2·M possible error configurations in one cycle of the super single mode. Using each of these error configurations as initial state and formula (6.3), we generated a recovery path that stabilizes the system back to the super single mode. Each path is of course different for a different initial state, but the paths share similar patterns. We therefore group similar paths together and explain their properties below.
1. When the error type is E1 and the faulty card was detected in the first half of the stations (b_i with 0 ≤ i ≤ ⌊M/2⌋), the faulty card remains in the station until a free slot is available, and its personalization value remains unused until the next card. For example, when the faulty card E1a in Table 6.3 was detected, the personalization value (which is 9) was used in station 2.
2. Using the same technique for E1 errors in the second half of the stations (b_i with ⌊M/2⌋ < i ≤ M − 1) will not solve the problem; instead it will introduce another error. The generated recovery path for this scenario is to skip the personalization value for now and let the error evolve into an E2 error. The personalization value (6) of E1b in Table 6.3 was skipped, and E1b shows up again as an error of type E2 at time 24.
3. The recovery path for E2 errors consists of:
• finding a station with a fresh card; this station should be in the first half, otherwise an error like E1b will happen again (see also Example 6.1),
• rolling the belt backward to this station,
• personalizing the card with the personalization value that is missing, and
• dropping the card onto the belt and forwarding it to the tester.
Example 6.1 In Table 6.5, at time 23 the 5th card is found defective. At the same time station 6 starts with a fresh card. If a replacement card were produced in this station, then personalization number 14 would be skipped. But this would introduce another error, because the 16th and 17th cards are already in preparation and cannot be altered. Instead we produce the card in the next station (station 2) that becomes available.

Table 6.5: Defective card treatment for error type 2 (M = 8). The individual station columns are collapsed into one; □ is a new card.

time | input | stations (values left to right) | tester
-----+-------+---------------------------------+-------
 12  |   □   | 5                               |
 21  |   □   | 13                              | 3
 22  |   □   | 17                              | 4
 23  |   □   | 14                              | (E2)
 24  |   □   | 5                               | 6
 25* |   □   | □ 10 9 8 □ 7 6                  |
 26* |   □   | 10 9 8 □ 7 6                    |
 32* |   □   | 7 6 5                           |
 38  |   □   | 14                              | 5
6.4.5 Cost of Error Recovery
An upper bound on the number of time units spent recovering from an error can be calculated as follows.
1. Once an error is detected by the tester, one step forward may be necessary if it is an error like the one in Example 6.1.
2. To produce a replacement card we require S = M time units; during this time the belt rolls back to the station.
3. Once the replacement card is produced, it takes another M time units for the new card to reach the tester. In practice the belt can move forward faster than one slot per time unit, so the time needed to reach the tester will be smaller.
Thus, based on the above observations, 2·M + 1 time units are required in the worst case to recover from a single error. It is possible to tighten this upper bound by introducing fast forward and fast backward moves.
6.5 Conclusions
Using SMV, we rediscovered the super single mode that has previously been patented by Cybernetix. This result gives us new evidence that model checking can also be useful as a design aid for new machines. Our approach also allowed us to generate treatments for defective cards, which may arise due to damaged cards and wrong personalization. The present work shows error treatments for a single error; we believe the same technique can be extended to multiple error treatment.
The input language of Cadence SMV is sufficiently expressive to encode in a natural and compact way a simplified model of the personalization machine. However, safety and liveness properties for multiple error treatments (of single or multiple types) are complicated to express in temporal logic, especially when dealing with the uncontrolled plant. Nevertheless, by decreasing the degree of uncontrollability of the plant, we believe multiple errors can be handled and more complex discrete time models of the actual Cybernetix design (including the controller) can be described.
A possible disadvantage of our approach is that the SMV descriptions are difficult to understand for people who are not familiar with formal methods (unlike, say, Petri nets). However, a clear advantage is that our description can serve directly as input for a powerful model checker.
Chapter 7
Analysis of the Zeroconf
Protocol Using UPPAAL
with Frits W. Vaandrager and Miaomiao Zhang
Abstract We report on a case study in which the model checker UPPAAL is
used to formally model parts of Zeroconf, a protocol for dynamic configu-
ration of IPv4 link-local addresses that has been defined in RFC 3927 of the
IETF. Our goal has been to construct a model that (a) is easy to understand
by engineers, (b) comes as close as possible to the informal text (for each
transition in the model there should be a corresponding piece of text in the
RFC), and (c) may serve as a basis for formal verification. Our conclusion is
that UPPAAL, which combines extended finite state machines, C-like syn-
tax and concepts from timed automata theory, is able to model Zeroconf
in a faithful and intuitive manner, using notations that are familiar to pro-
tocol engineers. Our modeling efforts revealed several errors (or at least
ambiguities) in the RFC that no one else spotted before. We also identify a
number of points where UPPAAL still can be improved. After applying a
number of abstractions, UPPAAL is able to fully explore the state space of
an instance of our model with three hosts.
7.1 Introduction
Our society increasingly depends on the correct functioning of modern
communication technology. The most important and most often used pro-
tocols that describe the operation of this technology are standardized. It is
surprising that protocols that are of such immense importance to our soci-
ety are typically written in informal language, with frequent ambiguities,
omissions and inconsistencies. They also fail to state what properties are
expected of a network running the protocol, and what it means for an implementation to conform to a standard. By now there is ample evidence
that formal (mathematical) techniques and tools may help to improve the
quality of protocol standards (see e.g. [CGH+93, BS98b, vLRG03, Sto03,
Hol03, Rom04]). In order to avoid holes and ambiguities in standards the
obvious way to go is to describe critical parts using programming and/or
formal specification languages. There have been joint attempts of academia
and industry to arrive at formal description languages for protocols. Inter-
estingly — to the best of our knowledge — these languages have never
been used in the authoritative part of protocol standards. Apparently, stan-
dardization bodies either did not trust/understand the formal specifica-
tions themselves or were afraid implementors would misinterpret them.
Some protocol standards have extended finite state machines (EFSMs) inside, but these are mostly illustrative, not completely formal, and sometimes contain mistakes.
the SONET Automatic Protection Switching (APS) protocol and report that
developers found their C description easy to understand and superior to
that which appeared in the APS standard. The lack of abstraction mecha-
nisms is an obvious drawback of C.
The relationships between an (abstract) formal model of a protocol and
the corresponding informal standard is typically obscure. As pointed out
by [BM04], “current research seems to take the construction of verification
models more or less for granted, although their development typically re-
quires a coordinated integration of the experience, intuition and creativity
of verification and domain experts. There is a great need for systematic
methods for the construction of verification models to move on, and leave
the current stage that can be characterized as that of model hacking. The ad-
hoc construction of verification models obscures the relationship between
models and the systems that they represent, and undermines the reliability
and relevance of the verification results that are obtained.”
In this chapter, we try to address the above problems and report on a
case study where we use UPPAAL to formally model parts of Zeroconf, a
protocol for dynamic configuration of IPv4 link-local addresses. Our goal
has been to construct a model that (a) is easy to understand by engineers,
(b) comes as close as possible to the informal text (for each transition in the
model there should be a corresponding piece of text in the RFC), and (c)
may serve as a basis for formal verification.
UPPAAL [BDL04], available at www.uppaal.com, is an integrated tool environment for formal specification, validation and verification of real time
systems modeled as networks of timed automata [AD94]. The language
for the new version UPPAAL 3.6 features a subset of the C programming
language, a graphical user interface for specifying networks of EFSMs, and
timed automata syntax for specifying timing constraints between events.
Due to these extensions, the UPPAAL syntax appears to be sufficiently ex-
pressive for the description of critical parts of protocol specifications.
Zeroconf We describe and analyze (critical parts of) Zeroconf [CS05], a protocol for dynamic configuration of IPv4 link-local addresses that has been defined by the IETF Network Working Group in RFC 3927 [CAG05]. There are many situations in which one would like to use IP for local communication, for instance in the setting of in-home digital networks or to establish communication between laptops. For these types of applications
it is desirable to have a plug-and-play network in which new hosts auto-
matically configure an IPv4 address, without using external configuration
servers, like DHCP and DNS, or requiring users to set up each computer by
hand. The Zeroconf protocol has been proposed by the IETF to achieve ex-
actly this. It describes how a host may automatically configure an interface
with an IPv4 address within the 169.254/16 prefix that is valid for commu-
nication with other devices connected to the same physical (or logical) link.
The most widely adopted Zeroconf implementation is Bonjour from Apple
Computer, but several other implementations are available.
Contribution The contribution of this chapter is, first of all, a formal
model of a critical part of Zeroconf — a protocol with clear practical rel-
evance — that is easy to understand, faithful to the RFC, and with an ex-
tensive discussion of the relationship between the model and the RFC. Our
efforts revealed several errors (or at least ambiguities) in the RFC that no
one else spotted before. We also identify several directions where UPPAAL
still can be improved. Finally, after applying several abstractions we man-
age to establish some key correctness properties of an instance of our model
with three hosts.
Related Work Zeroconf involves a number of probabilistic aspects that
are not incorporated in our UPPAAL model: hosts select IP-addresses ran-
domly using a pseudo-random number generator, and at some point dur-
ing the protocol they wait for a random amount of time selected uniformly
from an interval. The probabilistic behavior of Zeroconf has been studied
in [BSHV03, KNPS03]. The primary goal of [BSHV03] was to investigate the trade-off between reliability and effectiveness of the protocol using a stochastic cost model. The model of [BSHV03], which only involves a single host, is quite appropriate for capturing the probabilistic behavior of IP address configuration and conflict handling, but the analysis takes place at a level that is much more abstract than the RFC. Based on an earlier version of [GVZ06b], a more detailed model has been presented in [KNPS03] using the probabilistic model checker PRISM [KNP04]. The model checking results reported in [KNPS03] are very interesting, but the precise relationship between the model and the RFC is unclear (for instance, in the model of [KNPS03] address defense only occurs before a host is using an IP address). Our motivation for using UPPAAL instead of PRISM was that the input language of PRISM is too primitive for our purposes (no GUI, just a few datatypes, no support for C-like syntax, ...). A toolset that combines the functionality of UPPAAL and PRISM would be ideal for dealing with the Zeroconf protocol.
7.2 The Protocol
We now describe the Zeroconf protocol, our UPPAAL model of it, and the
relationship between our model and RFC 3927 [CAG05], the official proto-
col standard.
A Zeroconf network is composed of a set of hosts on the same link.
Hosts in the Zeroconf network can be devices that are present at home,
office, embedded systems “plugged together” as in an automobile, or the
laptops of three friends who are writing a joint paper and want to share a
file. The goal of Zeroconf is to enable networking in the absence of configu-
ration and administration services. The core of RFC 3927 [CAG05] concerns
the dynamic configuration of IPv4 link-local addresses, and this is the part
on which we will focus in this chapter.
The basic idea of Zeroconf is trivial and easy to explain. A host that
wants to configure a new IP link-local address randomly selects an address
from a specified range and then broadcasts a few identical messages to the
other hosts, separated by some delay, asking whether someone is already
using the address. If one of the other hosts indicates that it is using the
other address, the host starts all over again. Otherwise, it may start using
the address after waiting a certain amount of time.
One may view Zeroconf as a distributed mutual exclusion algorithm in
which the resources are IP addresses. A goal of Zeroconf is to prevent that
at any point two different hosts are using the same IP address. The un-
derlying algorithm used in Zeroconf is similar to Fischer’s mutual exclusion
algorithm [AL94] and makes essential use of timing. However, whereas
Fischer’s algorithm uses a shared variable for communication between pro-
cesses, Zeroconf uses broadcast communication. Within Zeroconf, hosts do
not aim at acquiring access to a specific critical section (IP address); it is
enough to obtain access to one of the 65024 available critical sections (IP
addresses).
7.2.1 Basic Modelling Assumptions
RFC 3927 assumes a set of hosts. This set is not fixed and hosts may join
and leave while the protocol is running. Since UPPAAL does not support
dynamic process creation, we assume a fixed number of k hosts. It may
take arbitrarily long before a host becomes active in the protocol, and one
may argue that in this way creation of new hosts is being captured. We
do not model host failure or termination but it would be easy to add this.
In our model, a host that has configured an IP address may stop sending
messages. From an observational point of view this is the same as a (stop-
ping) failure. A phenomenon that may occur in practice, and which we
have also not modeled here, is that previously separate Zeroconf networks
are joined.
The behavior of each host is modeled by three timed automata that are
composed in parallel: Config, InputHandler and Regular. Automaton
Config models the configuration of a new IP address, InputHandler takes
care of the incoming messages, and Regular is an abstract model of the
activity of all the other processes running on the host. All three automata
are parametrized by the hardware address of the host they belong to. For
convenience, in our model a hardware address is a natural number in the
range 0 to k − 1. Within UPPAAL, the scalarset type scalar[k] denotes the
set {0, . . . , k − 1}:
typedef scalar[k] HAType
On scalarsets, only restricted operations are permitted. As a conse-
quence, a scalarset is a fully symmetric type and the behavior of a model
is invariant under arbitrary permutations of the elements of a scalarset
[ID93, HBL+03]. By defining a scalarset type rather than a subrange, we
tell UPPAAL that all the hardware addresses (and therefore also the hosts)
play a fully symmetric role, which makes it possible to exploit this symme-
try during exploration of the state space.
7.2.2 The Network
RFC 3927 states the following assumption about the underlying network
[page 4, section 1.3]:
“This specification applies to all IEEE 802 Local Area Networks
(LANs) [802], including Ethernet [802.3], Token-Ring [802.5]
and IEEE 802.11 wireless LANs [802.11], as well as to other link-
layer technologies that operate at data rates of at least 1 Mbps,
have a round-trip latency of at most one second, and support
ARP [RFC826].”
The Address Resolution Protocol (ARP [Plu82]) is a widely used method for
converting protocol addresses (e.g., IP addresses) to local network (“hard-
ware”) addresses (e.g., Ethernet addresses). It allows dynamic distribution
of the information needed to build tables to translate protocol addresses
to hardware addresses. Within Zeroconf all messages are ARP packets.
For our model, the relevant information in an ARP packet consists of (1) a
sender hardware address, (2) a sender IP address, (3) a target IP address,
and (4) the type of the packet, which can be either “request” or “reply”.
Hence, an ARP packet can be defined as a UPPAAL C data type as follows:
typedef struct {
  HAType senderHA; // sender hardware address
  IPType senderIP; // sender IP address
  IPType targetIP; // target IP address
  bool request;    // is the packet a Request or a Reply
} ARP_packet;
Here we use the convention that the request field is true for ARP requests
and false for ARP replies. A host that is looking for the local network ad-
dress of another host with IP address x, broadcasts an ARP request packet
with the field targetIP set to x. A host with IP address x will then return an
ARP reply packet with the field senderHA set to its local network address.
In Zeroconf, all ARP packets are broadcast [page 13, section 2.5]:
“All ARP packets (*replies* as well as requests) that contain a
Link-Local ‘sender IP address’ MUST be sent using link-layer
broadcast instead of link-layer unicast. This aids timely detec-
tion of duplicate addresses.”
We model the underlying network as a set of n identical Network au-
tomata. Each of these automata takes care of handling a single ARP re-
quest at a time. To express that all the automata are symmetric, we define
a scalar set NetworkType and parametrize each automaton by an element j
from this type.
The main reason for having n automata is that this allows us to model
round-trip latencies in UPPAAL. Fig. 7.1 schematically illustrates the op-
eration of a Network automaton. After a request from a host comes in
(send_req), this is broadcast by a Network automaton to all hosts
(receive_msg). In case there is a corresponding answer (this may be a re-
ply or a request packet) this is accepted (answer) and also broadcast to all
hosts (receive_msg). All these interactions take place within 1 second. Af-
ter completing its task the Network automaton returns to its initial location,
ready to take care of a new request.
[Diagram: a host sends a request to the Network automaton (send_req); the Network automaton broadcasts it to all hosts (receive_msg); a host may return an answer (answer), which the Network automaton again broadcasts to all hosts (receive_msg).]
Figure 7.1: Interaction between Network automaton and hosts.
[Diagram of the Config automaton, given here as a listing.]
Locations and invariants:
  INIT       (none)
  WAIT       x<=PROBE_WAIT
  PROBE      x<=PROBE_MAX
  PRE_CLAIM  x<=ANNOUNCE_WAIT
  USE        counter<ANNOUNCE_NUM imply x<=ANNOUNCE_INTERVAL
  COLLISION  x<=RATE_LIMIT_INTERVAL
Edges (select; guard; synchronization; update):
  INIT -> WAIT:        address:int[1,m]; IP[j]:=address, x:=0
  WAIT -> PROBE:       counter:=0, x:=PROBE_MAX
  PROBE -> PROBE:      counter<PROBE_NUM && x>=PROBE_MIN; send_req!; packet.senderHA:=j, packet.senderIP:=0, packet.targetIP:=IP[j], packet.request:=true, counter++, x:=0
  PROBE -> PRE_CLAIM:  counter==PROBE_NUM; urg!; x:=0
  PRE_CLAIM -> USE:    x==ANNOUNCE_WAIT; counter:=0, ConflictNum:=0, x:=ANNOUNCE_INTERVAL
  USE -> USE:          counter<ANNOUNCE_NUM && x==ANNOUNCE_INTERVAL; send_req!; packet.senderHA:=j, packet.senderIP:=IP[j], packet.targetIP:=IP[j], packet.request:=true, counter++, x:=0, UseIP[j]:=true
  WAIT/PROBE/PRE_CLAIM -> COLLISION:  reset[j]?; IP[j]:=0, x:=0
  USE -> COLLISION:    reset[j]?; IP[j]:=0, UseIP[j]:=false
  COLLISION -> INIT:   ConflictNum<MAX_CONFLICTS; urg!; ConflictNum++
  COLLISION -> INIT:   ConflictNum>=MAX_CONFLICTS && x==RATE_LIMIT_INTERVAL
Figure 7.2: Automaton Config.
To simplify our model, we assume that a host handles an incoming ARP
request in zero time, i.e., we adopt the synchrony hypothesis that is well-
known from synchronous programming [BG92].
Before explaining our UPPAAL model of the Network automaton in de-
tail (in Section 7.2.6), we now turn our attention to the core part of RFC
3927, which concerns address configuration.
7.2.3 Address Configuration
Fig. 7.2 displays the automaton Config[j], which specifies how host j con-
figures a new IP address.
Each host starts in location INIT, where it resides until it has selected an
IP address. According to the RFC [page 9, section 2.1]:
“When a host wishes to configure an IPv4 Link-Local address,
it selects an address using a pseudo-random number genera-
tor with a uniform distribution in the range from 169.254.1.0 to
169.254.254.255 inclusive. The IPv4 prefix 169.254/16 is regis-
tered with the IANA for this purpose. The first 256 and last
256 addresses in the 169.254/16 prefix are reserved for future
use and MUST NOT be selected by a host using this dynamic
configuration mechanism.”
Just to keep the code simple, we abstract slightly from the naming of IP
addresses. An IP address simply is a number in the range 0 to m, where m
denotes the number of available link-local addresses: The address 0 corre-
sponds to the all zeroes IP address 0.0.0.0, which is used as a special ‘un-
known’ or ‘undefined’ value in the protocol, and the addresses 1 to m cor-
respond to the addresses registered with the IANA, listed in increasing or-
der. Due to the special role of the address 0, we cannot declare IPType as a
(fully symmetric) scalarset, and thus we declare it as a subrange instead. A
transition from location INIT to location WAIT takes place when an address
has been selected. Via the UPPAAL select statement address:int[1,m],
we nondeterministically bind identifier address to a value in the interval
[1,m]. This means that there is an instance of the transition for each num-
ber in this interval. In this way, we express that an IP address is chosen
nondeterministically. The selected address is stored in state variable IP[j].
The RFC continues [page 11, section 2.2.1]:
“When ready to begin probing, the host should then wait for
a random time interval selected uniformly in the range zero
to PROBE_WAIT seconds, and should then send PROBE_NUM
probe packets, each of these probe packets spaced randomly,
PROBE_MIN to PROBE_MAX seconds apart.”
The waiting period is modeled by resetting a local clock x upon entering
location WAIT and by bounding the time the host may stay in WAIT with
an invariant x <= PROBE_WAIT. At any point the host may move to location
PROBE, where it starts sending “probes”. The notion of an ARP Probe is
specified in the RFC as follows:
“A host probes to see if an address is already in use by broad-
casting an ARP Request for the desired address. The client
MUST fill in the ‘sender hardware address’ field of the ARP Re-
quest with the hardware address of the interface through which
it is sending the packet. The ‘sender IP address’ field MUST be
set to all zeroes, to avoid polluting ARP caches in other hosts
on the same link in the case where the address turns out to be
already in use by another host. The ‘target hardware address’
field is ignored and SHOULD be set to all zeroes. The ‘target
IP address’ field MUST be set to the address being probed. An
ARP Request constructed this way with an all-zero ‘sender IP
address’ is referred to as an “ARP Probe”.”
Sending ARP Probes is modeled via actions send_req[j]! that synchro-
nize with the network. The actual packet is communicated via a global
shared variable packet of type ARP_packet: in UPPAAL the assignments in
an output (!) transition are executed before the assignments in a synchro-
nizing input (?) transition, and this allows us to assign a value to packet
in a send_req[j]! transition, which is then picked up by a corresponding
send_req[j]? transition of a Network automaton. The lower and upper
bounds of the probe interval are expressed in our model with a guard x
>= PROBE_MIN on the sending transition and an invariant x <= PROBE_MAX
on location PROBE, respectively. By setting x to PROBE_MAX in the transition
from WAIT to PROBE, we express that the first probe is sent immediately. A
local variable counter is used to record the number of probes that have
been sent. After the probing phase is successfully completed, the automa-
ton jumps to location PRE_CLAIM. The urgent broadcast channel urg ensures
that this transition is taken as soon as it is enabled. As the reader can check,
the translation from the RFC description of the probing phase to UPPAAL
is straightforward.
According to the RFC:
“If, by ANNOUNCE_WAIT seconds after the transmission of
the last ARP Probe no conflicting ARP Reply or ARP Probe has
been received, then the host has successfully claimed the de-
sired IPv4 Link-Local address.”
Clock x is used to ensure that exactly ANNOUNCE_WAIT time units are spent
in location PRE_CLAIM. A transition from location PRE_CLAIM to location USE
is taken to indicate that the host has successfully claimed an address.
In our model, automaton InputHandler[j] (which will be ex-
plained in Section 7.2.4) takes care of handling incoming messages. If
InputHandler[j] decides that, due to some conflict, a new address must
be configured, it sends a reset[j] signal to automaton Config[j]. Upon
receiving this signal, Config[j] sets IP[j] to 0 and jumps to location
COLLISION. According to the RFC:
“A host should maintain a counter of the number of ad-
dress conflicts it has experienced in the process of trying to
acquire an address, and if the number of conflicts exceeds
MAX_CONFLICTS then the host MUST limit the rate at which it
probes for new addresses to no more than one new address per
RATE_LIMIT_INTERVAL. This is to prevent catastrophic ARP
storms in pathological failure cases, such as a rogue host that
answers all ARP Probes, causing legitimate hosts to go into an
infinite loop attempting to select a usable address.”
A counter ConflictNum is used in our model to record the number of con-
flicts that have occurred during the process of acquiring an IP address.
Depending on the value of ConflictNum, the automaton returns to loca-
tion INIT immediately or first waits for RATE_LIMIT_INTERVAL time units.
Again, the correspondence between the RFC text and our UPPAAL model
is straightforward.
In location USE the host announces the new address that it has just
claimed [page 12, section 2.4]:
“Having probed to determine a unique address to use, the
host MUST then announce its claimed address by broadcasting
as many as ANNOUNCE_NUM ARP announcements, spaced
ANNOUNCE_INTERVAL seconds apart. An ARP announce-
ment is identical to the ARP Probe described above, except that
now the sender and target IP addresses are both set to the host’s
newly selected IPv4 address. The purpose of these ARP an-
nouncements is to make sure that other hosts on the link do
not have stale ARP cache entries left over from some other host
that may previously have been using the same address.”
The above description is ambiguous or incomplete at three points. First of all,
the RFC does not specify upper and lower bounds on the time that may
elapse between sending the last ARP Probe and sending the first ARP An-
nouncement. However, according to the protocol designers, the upper and
lower bound both equal ANNOUNCE_WAIT [Che06]. Also, the RFC does not
specify whether a host may immediately start using a newly claimed ad-
dress (in parallel with sending the ARP Announcements), or whether it
should first send out all announcements. According to the designers, a host
should send the first ARP Announcement, and then it can immediately
start using the address [Che06]. So the second announcement goes out
ANNOUNCE_INTERVAL seconds later, but other traffic does not need to be held
up waiting for that. Finally, the RFC does not specify the tolerance that is
permitted on the timing of ARP Announcements. Since no physical device
can consistently send messages spaced exactly ANNOUNCE_INTERVAL seconds
apart, strictly speaking it is impossible for an implementation to conform
to the RFC. According to the designers, the RFC does not specify accuracy
requirements, partly because the protocol is robust to a wide range of vari-
ations, so it does not matter [Che06]. We decided to follow the RFC and
not specify accuracy requirements, but if someone wants to use our model
for automatic generation of tests, for instance using the UPPAAL-TRON
toolset [LMN05], he or she will have to modify our model at this point.
With this additional information, the modeling of the announcement
phase in UPPAAL is straightforward and analogous to that of the probing
phase. After sending the first announcement, Boolean variable UseIP[j]
is set to true. This enables an automaton Regular[j], to start sending
out regular ARP request packets with the senderIP field set to IP[j] and
the targetIP field set to an arbitrary link-local address. However, even
when a host is using an IP address still at any moment a conflict may arise.
When this happens automaton Config[j] returns to its initial location and
UseIP[j] is set to false again.
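The probing and announcement phases described in this subsection, rendered as an added Python state machine for the Config automaton of Fig. 7.2 (example code, not the thesis's UPPAAL model): each method is one edge of the automaton and checks that edge's guard, delay() enforces the location invariants and the urgency of the edges synchronising on urg, and run_example() drives one host through a complete configuration, a conflict and the return to INIT. The packet dictionaries, the method names, the global time used for timestamps, and the resetting of x on every reset edge are assumptions of this example.

```python
# Timing constants of RFC 3927, section 9 (seconds), as in the UPPAAL declarations
PROBE_WAIT, PROBE_NUM, PROBE_MIN, PROBE_MAX = 1, 3, 1, 2
ANNOUNCE_WAIT, ANNOUNCE_NUM, ANNOUNCE_INTERVAL = 2, 2, 2
MAX_CONFLICTS, RATE_LIMIT_INTERVAL = 10, 60


class Config:
    """Config automaton of host j (Fig. 7.2): one method per edge, one local clock x."""

    def __init__(self, j):
        self.j, self.loc = j, "INIT"
        self.x, self.now = 0.0, 0.0      # clock x; global time only timestamps sent packets
        self.counter = self.conflict_num = 0
        self.ip, self.use_ip = 0, False  # IP[j] (0 = none) and UseIP[j]
        self.sent = []                   # (time, packet) for every send_req! output

    def invariant(self):
        return {"INIT": True,
                "WAIT": self.x <= PROBE_WAIT,
                "PROBE": self.x <= PROBE_MAX,
                "PRE_CLAIM": self.x <= ANNOUNCE_WAIT,
                # counter < ANNOUNCE_NUM imply x <= ANNOUNCE_INTERVAL
                "USE": self.counter >= ANNOUNCE_NUM or self.x <= ANNOUNCE_INTERVAL,
                "COLLISION": self.x <= RATE_LIMIT_INTERVAL}[self.loc]

    def urgent(self):   # an enabled edge on the urgent channel urg forbids any delay
        return ((self.loc == "PROBE" and self.counter == PROBE_NUM) or
                (self.loc == "COLLISION" and self.conflict_num < MAX_CONFLICTS))

    def delay(self, d):
        if self.urgent():
            raise ValueError(f"no delay allowed in {self.loc}: urgent edge enabled")
        self.x, self.now = self.x + d, self.now + d
        if not self.invariant():
            raise ValueError(f"invariant of {self.loc} violated at x={self.x}")

    def _edge(self, loc, guard=True):
        if self.loc != loc or not guard:
            raise ValueError(f"edge from {loc} not enabled (in {self.loc})")

    def _send_req(self, sender_ip):   # send_req! with the packet in the shared variable
        self.sent.append((self.now, {"senderHA": self.j, "senderIP": sender_ip,
                                     "targetIP": self.ip, "request": True}))

    def select(self, address):        # INIT -> WAIT, select address:int[1,m]
        self._edge("INIT", address >= 1)
        self.ip, self.x, self.loc = address, 0.0, "WAIT"

    def start_probing(self):          # WAIT -> PROBE; x := PROBE_MAX enables a probe at once
        self._edge("WAIT")
        self.counter, self.x, self.loc = 0, float(PROBE_MAX), "PROBE"

    def probe(self):                  # PROBE self-loop: ARP Probe, sender IP all zeroes
        self._edge("PROBE", self.counter < PROBE_NUM and self.x >= PROBE_MIN)
        self._send_req(0)
        self.counter, self.x = self.counter + 1, 0.0

    def claim(self):                  # PROBE -> PRE_CLAIM (urg!)
        self._edge("PROBE", self.counter == PROBE_NUM)
        self.x, self.loc = 0.0, "PRE_CLAIM"

    def use(self):                    # PRE_CLAIM -> USE after exactly ANNOUNCE_WAIT
        self._edge("PRE_CLAIM", self.x == ANNOUNCE_WAIT)
        self.counter = self.conflict_num = 0
        self.x, self.loc = float(ANNOUNCE_INTERVAL), "USE"

    def announce(self):               # USE self-loop: ARP Announcement
        self._edge("USE", self.counter < ANNOUNCE_NUM and self.x == ANNOUNCE_INTERVAL)
        self._send_req(self.ip)
        self.counter, self.x, self.use_ip = self.counter + 1, 0.0, True

    def reset(self):                  # reset[j]? from WAIT/PROBE/PRE_CLAIM/USE -> COLLISION
        self._edge(self.loc, self.loc in ("WAIT", "PROBE", "PRE_CLAIM", "USE"))
        # assumption: x is reset on every reset edge, so COLLISION's invariant holds on entry
        self.ip, self.use_ip, self.x, self.loc = 0, False, 0.0, "COLLISION"

    def retry(self):                  # COLLISION -> INIT, rate limited after MAX_CONFLICTS
        self._edge("COLLISION")
        if self.conflict_num < MAX_CONFLICTS:
            self.conflict_num += 1    # the urgent edge
        elif self.x != RATE_LIMIT_INTERVAL:
            raise ValueError("must wait RATE_LIMIT_INTERVAL before selecting a new address")
        self.loc = "INIT"


def run_example():
    """One host selects 5, probes three times, claims, announces twice, then hits a conflict."""
    c = Config(j=0)
    c.select(5)                               # t = 0
    c.delay(0.5)                              # part of the random delay, at most PROBE_WAIT
    c.start_probing(); c.probe()              # first probe at once, t = 0.5
    c.delay(1.0); c.probe()                   # PROBE_MIN <= gap <= PROBE_MAX
    c.delay(1.5); c.probe()                   # t = 3.0
    c.claim()                                 # urgent: no delay possible after the last probe
    c.delay(ANNOUNCE_WAIT); c.use()           # t = 5.0
    c.announce()                              # first announcement at once; UseIP[j] becomes true
    use_after_first = c.use_ip
    c.delay(ANNOUNCE_INTERVAL); c.announce()  # t = 7.0
    c.delay(10.0)                             # address in use; delay is now unbounded
    c.reset(); c.retry()                      # conflict reported by InputHandler, back to INIT
    return {"probes": [t for t, p in c.sent if p["senderIP"] == 0],
            "announcements": [t for t, p in c.sent if p["senderIP"] != 0],
            "use_ip_after_first_announcement": use_after_first,
            "conflicts": c.conflict_num, "final_loc": c.loc}
```

With the RFC constants the three probes of run_example() go out at 0.5, 1.5 and 3.0 seconds and the announcements at 5.0 and 7.0 seconds; a delay that would leave WAIT after more than PROBE_WAIT seconds, or any delay at all while the urgent edge out of PROBE is enabled, is rejected by delay(), which is exactly what the invariants and the urg channel enforce in UPPAAL.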
7.2.4 Input Handler
[Diagram of the InputHandler[j] automaton, given here as a listing. Two receive_msg[j]? edges leave the initial location, each calling ihandler and leading to a committed location: the left edge is guarded by y>DEFEND_INTERVAL and calls ihandler(true), the right edge calls ihandler(false). The edges leaving the committed locations are: response==false, no_answer!, followed by either conflict==true, reset[j]! or conflict==false (packet ignored); response==true, answer! with packet.senderHA:=j, packet.senderIP:=IP[j], packet.targetIP:=IP[j], packet.request:=true, y:=0 (ARP Announcement); response==true, answer! with packet.targetIP:=packet.senderIP, packet.senderHA:=j, packet.senderIP:=IP[j], packet.request:=false (ARP Reply). The figure also carries the update y:=DEFEND_INTERVAL + 1.]
Figure 7.3: Automaton InputHandler[j].
Automaton InputHandler[j] receives incoming ARP packets and decides
what to do with them. Input handling is described at various places in
RFC 3927, which makes it nontrivial to determine the reaction to an arbitrary
ARP packet, also because Zeroconf runs on top of the ARP pro-
tocol, which it sometimes follows but sometimes overrules. Automaton
InputHandler is displayed in Fig. 7.3. When a new packet arrives, that
is, when a receive_msg[j]? transition occurs, the automaton calls a func-
tion ihandler to find out what to do. This function computes two bits,
conflict and response: if conflict==true then some other host is using
or trying to use the IP address the host has selected and if response==true
then a packet will be sent in response. Thus the value of the two bits de-
termines the reaction of the input handler to the incoming packet:
1. If conflict==true and response==false, a reset[j] signal is sent.
2. If conflict==true and response==true, an ARP Announcement is
broadcast.
3. If conflict==false and response==true, an ARP Reply is broadcast.
4. If conflict==false and response==false, the packet is ignored.
Clock y is used to measure the time since the last conflict. The defini-
tion of ihandler is listed in Fig. 7.4. Function ihandler has a parameter
defend which may be either false or true. This parameter, which indi-
cates that a host will defend its IP address in case of a conflicting ARP
request, may be true only if there has been no other conflict during the
last DEFEND_INTERVAL time units. Altogether, the input handler has to dis-
tinguish 9 scenarios (A)-(I). These scenarios are described in detail below.
The systematic classification of these scenarios revealed two more ambigu-
ities/mistakes in the standard.
void ihandler(bool defend) {
if (IP[j]==0) // Scenario A: I have not selected an IP address
{response:=false; conflict:=false;}
else if (packet.senderHA==j) // Scenario B: I have sent the packet myself
{response:=false; conflict:=false;}
//There is a conflict: somebody else is using my IP address!
else if (packet.senderIP==IP[j])
{ conflict:=true;
if (not UseIP[j]) // Scenario C: select a new address
response:=false;
else if (defend) // Scenario D: I am going to defend my address
response:=true;
else // Scenario E: I will not defend my address
response:=false; }
else if (not UseIP[j])
{ response:=false;
// Scenario F: conflicting probe
if (packet.targetIP==IP[j] && packet.request && packet.senderIP==0)
conflict:=true;
else //Scenario G: Packet is not conflicting with IP address that I want to use
conflict:=false; }
else // Incoming packet is not conflicting with IP address that I am using
{ conflict:=false;
// Scenario H: answer regular ARP request
if (packet.targetIP==IP[j] && packet.request)
response:=true;
else // Scenario I: no reply message required
response:=false; } }
Figure 7.4: Function ihandler.
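The decision procedure of Fig. 7.4 and the four reactions listed above, as an added Python port (example code, not the thesis's UPPAAL model): ihandler computes the bits conflict and response, react turns them into the reset, announcement, reply or no-op of Fig. 7.3, handle adds the clock y that gates defending, and scenarios exercises the nine cases (A)-(I) of Section 7.2.5 on constructed packets. The dataclass names, the constructed addresses (host 1 with address 42, peers 2 and 17) and the y-based defend rule are assumptions of this example.

```python
from dataclasses import dataclass

DEFEND_INTERVAL = 10   # seconds, RFC 3927 section 9


@dataclass(frozen=True)
class ARPPacket:
    senderHA: int
    senderIP: int          # 0 (all zeroes) marks an ARP Probe
    targetIP: int
    request: bool          # True for ARP requests, False for ARP replies


@dataclass
class HostState:
    ha: int                # hardware address j
    ip: int = 0            # IP[j]; 0 means no address selected
    use_ip: bool = False   # UseIP[j]


def ihandler(host, packet, defend):
    """Port of Fig. 7.4: returns the pair (conflict, response)."""
    if host.ip == 0:                                   # A: no address selected yet
        return False, False
    if packet.senderHA == host.ha:                     # B: my own packet echoed back
        return False, False
    if packet.senderIP == host.ip:                     # somebody else is using my address
        if not host.use_ip:                            # C: select a new address
            return True, False
        return True, defend                            # D: defend / E: give up
    if not host.use_ip:                                # F: conflicting probe / G: not conflicting
        probe_for_my_ip = (packet.targetIP == host.ip and packet.request
                           and packet.senderIP == 0)
        return probe_for_my_ip, False
    return False, packet.targetIP == host.ip and packet.request   # H: reply / I: ignore


def react(host, packet, defend):
    """The four reactions of the input handler; returns (action, packet to broadcast or None)."""
    conflict, response = ihandler(host, packet, defend)
    if conflict and not response:
        return "reset", None                                       # reset[j]!
    if conflict and response:                                      # ARP Announcement
        return "announce", ARPPacket(host.ha, host.ip, host.ip, True)
    if response:                                                   # ARP Reply (RFC 826): swap addresses
        return "reply", ARPPacket(host.ha, host.ip, packet.senderIP, False)
    return "ignore", None


def handle(host, packet, y):
    """One receive_msg[j]? step of Fig. 7.3. y is the clock measuring the time since the
    last defended conflict: defending is possible only when y > DEFEND_INTERVAL, and
    defending resets y. Returns (action, packet, new y)."""
    action, out = react(host, packet, defend=y > DEFEND_INTERVAL)
    if action == "announce":
        y = 0.0
    return action, out, y


def scenarios():
    """Scenarios (A)-(I) of Section 7.2.5 on constructed inputs: host 1 with address 42."""
    idle = HostState(ha=1)
    probing = HostState(ha=1, ip=42)
    using = HostState(ha=1, ip=42, use_ip=True)
    cases = {   # (host state, incoming packet, defend)
        "A": (idle,    ARPPacket(2, 42, 42, True), False),
        "B": (probing, ARPPacket(1, 0, 42, True),  False),   # own probe
        "C": (probing, ARPPacket(2, 42, 7, True),  False),   # host 2 uses 42
        "D": (using,   ARPPacket(2, 42, 7, True),  True),
        "E": (using,   ARPPacket(2, 42, 7, True),  False),
        "F": (probing, ARPPacket(2, 0, 42, True),  False),   # host 2 also probes 42
        "G": (probing, ARPPacket(2, 0, 99, True),  False),
        "H": (using,   ARPPacket(2, 17, 42, True), False),   # regular ARP request for 42
        "I": (using,   ARPPacket(2, 17, 99, True), False),
    }
    return {name: react(host, pkt, defend) for name, (host, pkt, defend) in cases.items()}
```

Running handle twice on the same conflicting packet shows the rate limit on defending: the first conflict (with y above DEFEND_INTERVAL) is answered with an announcement and resets y, and a second conflict five seconds later yields a reset, which is the endless-defence loop the RFC text quoted below is meant to prevent.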
7.2.5 Scenarios for Input Handler
Scenario A Clearly, if a packet comes in when a host has not yet selected
an IP address it should be ignored. This scenario is not listed explicitly in
the RFC but should be obvious.
Scenario B Packets that a host has sent itself can be ignored. Also this
scenario is implicit in the RFC.
Scenario C A conflict may arise when another host sends a packet with
the senderIP field set to IP[j]. This occurs in Scenario C, which is de-
scribed on [page 11, section 2.2.1]:
“If during this period, from the beginning of the probing pro-
cess until ANNOUNCE_WAIT seconds after the last probe
packet is sent, the host receives any ARP packet (Request *or*
Reply) on the interface where the probe is being performed
where the packet’s ‘sender IP address’ is the address being
probed for, then the host MUST treat this address as being in
use by some other host, and MUST select a new pseudo-random
address and repeat the process.”
Scenarios D and E In the previous scenario, UseIP[j]==false. The case
with UseIP[j]==true is also described in the RFC [page 12, section 2.5]:
“Address conflict detection is not limited to the address selec-
tion phase, when a host is sending ARP Probes. Address con-
flict detection is an ongoing process that is in effect for as long
as a host is using an IPv4 Link-Local address. At any time, if
a host receives an ARP packet (request *or* reply) on an inter-
face where the ‘sender IP address’ is the IP address the host has
configured for that interface, but the ‘sender hardware address’
does not match the hardware address of that interface, then this
is a conflicting ARP packet, indicating an address conflict.
A host MUST respond to a conflicting ARP packet as described
in either (a) or (b) below:
(a) Upon receiving a conflicting ARP packet, a host MAY elect
to immediately configure a new IPv4 Link-Local address as de-
scribed above, or
(b) If a host currently has active TCP connections or other rea-
sons to prefer to keep the same IPv4 address, and it has not
seen any other conflicting ARP packets within the last
DEFEND_INTERVAL seconds, then it MAY elect to attempt to de-
fend its address by recording the time that the conflicting ARP
packet was received, and then broadcasting one single ARP An-
nouncement, giving its own IP and hardware addresses as the
sender addresses of the ARP. Having done this, the host can
then continue to use the address normally without any further
special action. However, if this is not the first conflicting ARP
packet the host has seen, and the time recorded for the previous
conflicting ARP packet is recent, within DEFEND_INTERVAL
seconds, then the host MUST immediately cease using this ad-
dress and configure a new IPv4 Link-Local address as described
above. This is necessary to ensure that two hosts do not get
stuck in an endless loop with both hosts trying to defend the
same address.
A host MUST respond to conflicting ARP packets as described
in either (a) or (b) above. A host MUST NOT ignore conflicting
ARP packets.”
Case (a) corresponds to our scenario E. This scenario occurs when the right
receive_msg? transition in the automaton is taken, which sets defend to
false. Case (b) corresponds to scenario D. This scenario occurs when the
left receive_msg? transition is taken, which sets defend to true.
The interpretation of “and it has not seen any other conflicting ARP
packets within the last DEFEND_INTERVAL seconds” in the previous quo-
tation from the RFC is not clear. Is a host allowed to defend its address if
there has been a recent conflict concerning a different address (but no pre-
vious conflict concerning the current address)? Strictly speaking, the host
has seen a conflicting packet and it may not defend. However, the conflict
concerned a different address, and the motivation for recording the time
since the last conflict has been to rule out a scenario in which two hosts get
stuck in an endless loop trying to defend the same address. Thus one could
also argue that in this situation a host may defend its address.
To model this interpretation, one would have to add an assignment y
:= DEFEND_INTERVAL+1 to the reset transition of the input handler.
Scenarios F and G The RFC specifies one more conflict scenario [page 11,
section 2.2.1]:
“In addition, if during this period [from the beginning of the
probing process until ANNOUNCE_WAIT seconds after the last
probe packet is sent] the host receives any ARP Probe where
the packet’s ‘target IP address’ is the address being probed for,
and the packet’s ‘sender hardware address’ is not the hardware
address of the interface the host is attempting to configure, then
the host MUST similarly treat this as an address conflict and
select a new address as above. This can occur if two (or more)
hosts attempt to configure the same IPv4 Link-Local address at
the same time.”
In the ihandler code, this corresponds to scenario F. Scenario G, which is
implicit in the RFC, occurs when the incoming packet is not conflicting and
the host is not yet using an IP address. In this case the incoming packet is
ignored.
Scenarios H and I The Address Resolution Protocol (RFC 826) [Plu82]
specifies that if a host receives an ARP request packet, it should return an
ARP reply packet if it uses an IP address that equals the target protocol ad-
dress of this request. In the reply packet the hardware and protocol field
should be swapped, putting the local hardware and protocol addresses in
the sender fields. Zeroconf (RFC 3927) is not explicit about conformance to
RFC 826, but in our model we take the view that once a host is using an IP
address, it answers regular ARP requests in agreement with RFC 826 ex-
cept when (a) the request has been broadcast by the host itself, or (b) there
is a conflict. This is scenario H in our model. The final Scenario I occurs
when the incoming packet is not conflicting with the IP address that the
host is using, and no reply packet needs to be sent.
Note that in automaton InputHandler[j] some of the locations are
committed (C). In UPPAAL, when a system reaches a committed location,
the next transition has to be an outgoing transition from that location. The
use of committed locations here is a modeling trick. When a network au-
tomaton delivers a packet to an input handler via a receive_msg synchro-
nization, the input handler has to return an answer (if there is one) instanta-
neously (by the synchrony hypothesis). But since in general there are many
network automata active, we need to ensure that the answer is picked up by
the right automaton. Introducing separate channel names for each network
automaton or pi-calculus-like private channels would create too much over-
head. Our trick is that a network automaton may only synchronize on an
answer action right after performing a receive_msg action. By making the
locations of the input handler following a receive_msg transition commit-
ted, we ensure that the reply is picked up by the right network automaton.
Essentially, the receive_msg and answer synchronizations take place in a
single atomic transaction. In case the input handler does not generate an
answer, it uses a no_answer action to inform the network automaton about
this. This synchronization is an artifact of our model since in reality no
signal is sent.
[Diagram of the Network automaton, given here as a listing. Locations: IDLE and DELIVER, the latter with invariant z<=1. Edges: IDLE -> DELIVER on send_req? with send_buffer:=packet, z:=0; in DELIVER, select host:HAType with guard sent[host]==false, receive_msg[host]! and sent[host]:=true, packet:=send_buffer, followed by the host's answer? (answer_buffer:=packet) or no_answer?; in DELIVER, select host:HAType with guard answer_buffer.senderIP!=0 && replied[host]==false, receive_msg[host]! and replied[host]:=true, packet:=answer_buffer, followed by no_answer?; DELIVER -> IDLE with guard all_sent(), urg! and init_vars().]
Figure 7.5: The Network automaton.
7.2.6 The Network Automaton
The Network automaton is shown in Fig. 7.5. Initially the automaton is in
its IDLE location. As soon as it receives a packet from a host via send_req,
it jumps to the DELIVER location. Since there is no lower bound on mes-
sage delivery time, message delivery may start immediately. A local clock
z is reset to zero and an invariant z ≤ 1 ensures that within 1 second the
network broadcasts the packet (and the answer if there is one) to all hosts.
In our model we assume that there is at most one host that wants to an-
swer any given request, and that an answer does not induce subsequent
answers. It is possible to modify the Network automaton so that it can handle
multiple and successive answers, but this requires additional state vari-
ables and more complicated data structures. Our Network automaton has
two local buffers: send_buffer stores the packet that was sent by the host
and answer_buffer stores an answer when it arrives. In addition, Network
maintains Boolean arrays sent and replied to record to which hosts the
packets have already been delivered. Using the UPPAAL select statement,
the automaton nondeterministically selects in which order a packet is de-
livered to the different hosts. A host may return an answer upon receipt
of a request, as explained in Subsection 7.2.4. The lower transition la-
beled with receive_msg is enabled as soon as there is an answer packet
in answer_buffer. The network returns to its IDLE location and resets its
buffers, as soon as all messages have been sent. This is checked by the
Boolean function all_sent. Upon return to the IDLE location all variables
are re-initialized.
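The delivery cycle of the Network automaton as an added Python example (not the thesis's UPPAAL model): the two select edges become the choices reported by enabled(), a delivery to a host and that host's answer?/no_answer? reaction form one atomic step, and run() drives a request through the network in an order supplied by the caller, standing in for UPPAAL's nondeterministic choice. The callback hosts built by make_host, which only answer regular ARP requests for an address they are using, are an assumption of this example and not the InputHandler of Section 7.2.4.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ARPPacket:
    senderHA: int
    senderIP: int
    targetIP: int
    request: bool


def make_host(ha, ip, use_ip):
    """Constructed host: answers ARP requests for its address when using it, else stays silent."""
    def on_receive(pkt):
        if use_ip and pkt.request and pkt.targetIP == ip and pkt.senderHA != ha:
            return ARPPacket(ha, ip, pkt.senderIP, False)   # RFC 826 reply, addresses swapped
        return None                                         # corresponds to no_answer!
    return on_receive


class Network:
    """One Network automaton (Fig. 7.5); `hosts` maps hardware address -> receive callback."""

    def __init__(self, hosts):
        self.hosts = hosts
        self.init_vars()

    def init_vars(self):
        self.loc = "IDLE"
        self.send_buffer = None
        self.answer_buffer = None                  # None plays the role of senderIP == 0
        self.sent = {ha: False for ha in self.hosts}
        self.replied = {ha: False for ha in self.hosts}

    def send_req(self, packet):                    # IDLE -> DELIVER, z := 0
        if self.loc != "IDLE":
            raise RuntimeError("network automaton busy")
        self.send_buffer, self.loc = packet, "DELIVER"

    def enabled(self):
        """Hosts selectable by the two receive_msg! edges: (request delivery, answer delivery)."""
        req = [ha for ha in self.hosts if not self.sent[ha]]
        ans = [ha for ha in self.hosts
               if self.answer_buffer is not None and not self.replied[ha]]
        return req, ans

    def deliver_request(self, ha):
        # receive_msg[ha]! and the host's answer?/no_answer? form one atomic step,
        # which is what the committed locations of the input handler guarantee in UPPAAL
        self.sent[ha] = True
        answer = self.hosts[ha](self.send_buffer)
        if answer is not None:
            if self.answer_buffer is not None:
                raise RuntimeError("model assumes at most one answering host")
            self.answer_buffer = answer
        return ha, self.send_buffer

    def deliver_answer(self, ha):
        self.replied[ha] = True
        self.hosts[ha](self.answer_buffer)         # by assumption an answer induces no answer
        return ha, self.answer_buffer

    def all_sent(self):
        return all(self.sent.values()) and (
            self.answer_buffer is None or all(self.replied.values()))

    def run(self, packet, order):
        """Drive one request through the network; `order` is a list of ("req", ha) and
        ("ans", ha) steps resolving the nondeterministic select choices."""
        self.send_req(packet)
        log = []
        for kind, ha in order:
            req, ans = self.enabled()
            if kind == "req" and ha in req:
                log.append(self.deliver_request(ha))
            elif kind == "ans" and ha in ans:
                log.append(self.deliver_answer(ha))
            else:
                raise RuntimeError(f"{kind} to host {ha} is not enabled")
        if not self.all_sent():
            raise RuntimeError("DELIVER may only be left once all_sent() holds")
        self.init_vars()                           # urg! edge back to IDLE
        return log


def example():
    """Host 0 probes address 7 while host 2 already uses it (constructed situation); the
    chosen order lets the reply reach host 0 before its own probe is echoed back to it."""
    net = Network({0: make_host(0, 7, False), 1: make_host(1, 3, True), 2: make_host(2, 7, True)})
    probe = ARPPacket(senderHA=0, senderIP=0, targetIP=7, request=True)
    order = [("req", 1), ("req", 2), ("ans", 0), ("req", 0), ("ans", 1), ("ans", 2)]
    return net.run(probe, order), net.loc
```

The order in example() is one of many that UPPAAL would explore; an order that tries to deliver an answer before any host has produced one is rejected by run(), just as the guard answer_buffer.senderIP!=0 disables that edge in the automaton.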
7.2.7 Dimensioning the Complete Model
The RFC [page 25, section 9] specifies the following values for the differ-
ent timing constants. These definitions are copied almost verbatim in the
UPPAAL declaration section of our model.
"PROBE_WAIT 1 sec (initial random delay)
PROBE_NUM 3 (number of probe packets)
PROBE_MIN 1 sec (minimum delay till repeated probe)
PROBE_MAX 2 sec (maximum delay till repeated probe)
ANNOUNCE_WAIT 2 sec (delay before announcing)
ANNOUNCE_NUM 2 (number of announcement packets)
ANNOUNCE_INTERVAL 2 sec (time between announcement packets)
MAX_CONFLICTS 10 (max conflicts before rate limiting)
RATE_LIMIT_INTERVAL 60 sec (delay between successive attempts)
DEFEND_INTERVAL 10 sec (minimum time between defensive ARPs)."
A Zeroconf network has 65024 IP addresses available and it is suitable
for up to 1300 hosts [CAG05]. These values are too big for automatic verifi-
cation and with 3 hosts and 65024 IP addresses also the UPPAAL simulator
runs out of memory. A next issue regarding the dimensioning of the model
is the number n of Network automata, i.e., the maximal number of ARP re-
quests that may be in transit at any given point. In our model, a host may
select an IP address, send a probe, and return to the initial location via a
reset in zero time. In fact, this behavior may be repeated MAX_CONFLICTS
times in a row in zero time. Once a host is using an IP address, the num-
ber of messages in transit may increase even further (in fact unboundedly)
since there is no lower bound on the time between successive ARP requests.
UPPAAL forces us to bound the number of Network automata to some num-
ber n.
7.3 Verification
The model described in Section 7.2 is very close to the RFC definition of
the protocol. However, it is too big for UPPAAL to do a complete state
space exploration for nontrivial instances, even when we use symmetry
reduction.
The RFC does not specify what properties the protocol must satisfy.
However, it is clear that at least the following two correctness properties
are desirable:¹
1. Mutual exclusion, i.e., no two hosts may use same IP address:
ME = A[] forall (i: HAType) forall (j: HAType)
(UseIP[i] && UseIP[j] && IP[i]==IP[j])
imply i==j.
2. The network has no deadlock, i.e., in each reachable state a transition
is possible: DL = A[] not deadlock.
Using the latest version of UPPAAL (3.6 beta), we only managed to establish ME and DL for the instance with 2 hosts, 1 IP address and 2 network automata. Nevertheless, it is rather obvious that Zeroconf satisfies the mutual exclusion property and is free of deadlocks. In the remainder of this section, we first discuss a manual proof of mutual exclusion and then outline an abstracted version of our model that can be fully explored by UPPAAL in the case of 3 hosts and used to prove mutual exclusion automatically for this instance. We claim that the full model has no deadlocks but do not present the (long and tedious) proof here. Since the abstract model overapproximates the full model, absence of deadlock in the first does not imply absence of deadlock in the second.
In the full version of our paper, we present a short, manual, operational proof of the mutual exclusion property for the general model. Inspection of the proof indicates that Zeroconf is extremely robust: the protocol has been designed to handle all kinds of error scenarios (loss of messages, failure of hosts, merge of networks) which do not occur within our idealized model. Without these errors, it suffices (for mutual exclusion) to send out a single probe (PROBE_NUM=1), there is no need for sending announcements (ANNOUNCE_NUM=0), and a host may start using an address after waiting any time longer than the maximal communication delay. For a model of this simplified protocol with 3 hosts UPPAAL can verify ME and DL in a few seconds on a standard PC.
To make automatic verification of mutual exclusion possible for the full protocol in the case with 3 hosts, we had to apply a combination of several abstractions (on top of the abstractions that are already applied by UPPAAL): dead variable reduction, as it has been studied in the PhD thesis of Yorav [Yor00], and also overapproximation by weakening guards or by making an urgent channel non-urgent. We refer to the full version of this paper for details. Also, we had to make the additional assumption that at any time for each host there is at most one outgoing message in transit. This allows us to associate a single network automaton to each host, which only accepts packets from this host when empty. Using the combination of the above abstractions, we were able to prove mutual exclusion for instances of Zeroconf with 2 hosts and up to 5 IP addresses, and an instance with 3 hosts and 1 IP address.

¹ Mutual exclusion will not hold in an extension of our model in which Zeroconf networks can be merged. In such an extension the specification should be weakened: mutual exclusion may be violated after a join, but as soon as the violation is detected (due to an ARP packet) mutual exclusion will be restored within a specified amount of time (provided meanwhile no further joins occur).
We also did some experiments with the use of symmetry reduction for IP addresses. Since in Zeroconf the IP address 0 (i.e., 0.0.0.0) plays a special role, and UPPAAL can only handle fully symmetric data types, this required some rewriting of the model. Using symmetry reduction for IP addresses, we were able to establish mutual exclusion for a system with 2 hosts and an arbitrary number of IP addresses. Essentially, this is due to a theorem of Ip and Dill [ID93] on data saturation. This theorem (which was proved in the setting of Murphi but can easily be shown to carry over to UPPAAL) states that for certain (“data”) scalarsets, the state graph does not grow any further once the size of the scalarsets grows beyond the number of scalarset locations in the system. In the case of 2 hosts, the number of scalarset locations for IP addresses in the model equals 12 (1 for each Config[j] automaton, 4 for each Network automaton, and 2 for the packet variable). In fact, data saturation already happens starting from scalarsets of size 5. Actually, we conjecture that there exists a bisimulation between a model with n IP addresses, for any n, and the model with just one (nonzero) IP address, via which a proof of ME for the general model can be reduced to a proof of ME for the model with just one address.
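The two queries ME and DL from the list above and the data-saturation effect of this paragraph can both be reproduced outside UPPAAL on a small discrete abstraction of the protocol. The following Python program is an added example written for this edition; it is not the thesis' UPPAAL model. It simplifies the protocol along the lines the text itself describes for the idealized setting: a single probe per attempt (PROBE_NUM=1), no announcements, at most one outgoing probe per host in transit (the assumption made for the abstract model), no timing (a host may start using an address once its probe has been delivered to every other host, which is what "waiting longer than the maximal communication delay" guarantees in a lossless network), and one assumption that is not from the page, namely that a host using an address may give it up and start over, which keeps the abstraction free of deadlocks. The names explore, canonical and successors and the address-renaming scheme are mine. The program explores the reachable states breadth-first, checks mutual exclusion and deadlock freedom on every state, and, with symmetry reduction switched on, canonicalises states by renaming the nonzero IP addresses in order of first appearance (address 0 keeps its special role), so that the number of reachable states stops growing once the number of addresses exceeds the number of address-holding locations.

```python
"""Explicit-state exploration of a simplified, untimed Zeroconf address
claiming model: mutual exclusion, deadlock freedom and data saturation
under symmetry reduction.  Constructed example, not the thesis' model."""
from collections import deque

INIT, PROBING, USING = "init", "probing", "using"


def initial_state(n_hosts):
    # hosts: tuple of (mode, ip); ip 0 is the special "no address" value.
    # msgs: frozenset of (sender, addr, frozenset(recipients still to reach)).
    return (tuple((INIT, 0) for _ in range(n_hosts)), frozenset())


def successors(state, n_hosts, n_addrs, allow_release=True):
    hosts, msgs = state
    in_transit = {m[0] for m in msgs}          # senders with a probe on the wire
    out = []
    for i, (mode, ip) in enumerate(hosts):
        others = frozenset(j for j in range(n_hosts) if j != i)
        if mode == INIT and i not in in_transit:
            # select a candidate address and send a single probe (PROBE_NUM=1);
            # at most one outgoing probe per host may be in transit
            for a in range(1, n_addrs + 1):
                h = list(hosts); h[i] = (PROBING, a)
                out.append((tuple(h), msgs | {(i, a, others)}))
        elif mode == PROBING and i not in in_transit:
            # probe reached every host and nobody objected: start using it
            h = list(hosts); h[i] = (USING, ip)
            out.append((tuple(h), msgs))
        elif mode == USING and allow_release:
            # assumption (not from the page): a host may give up its address
            h = list(hosts); h[i] = (INIT, 0)
            out.append((tuple(h), msgs))
    for (sender, addr, remaining) in msgs:
        for j in remaining:                    # deliver the probe to host j
            h = list(hosts)
            jmode, jip = hosts[j]
            if jip == addr and jmode in (PROBING, USING):
                # conflict: the sender abandons the address; a receiver that is
                # itself still probing also abandons it, a using receiver defends
                h[sender] = (INIT, 0)
                if jmode == PROBING:
                    h[j] = (INIT, 0)
            rest = remaining - {j}
            new_msgs = msgs - {(sender, addr, remaining)}
            if rest:
                new_msgs = new_msgs | {(sender, addr, rest)}
            out.append((tuple(h), new_msgs))
    return out


def canonical(state):
    """Symmetry reduction: rename nonzero addresses in order of first
    appearance (hosts first, then probes by sender); 0 is left alone."""
    hosts, msgs = state
    rename = {0: 0}

    def name(a):
        if a not in rename:
            rename[a] = len(rename)            # next unused nonzero id
        return rename[a]

    new_hosts = tuple((m, name(ip)) for m, ip in hosts)
    new_msgs = frozenset((s, name(a), r)
                         for s, a, r in sorted(msgs, key=lambda m: m[0]))
    return (new_hosts, new_msgs)


def explore(n_hosts, n_addrs, symmetry=False):
    """BFS over reachable states; returns state count and the ME / DL verdicts."""
    norm = canonical if symmetry else (lambda s: s)
    start = norm(initial_state(n_hosts))
    seen, queue = {start}, deque([start])
    me_ok, deadlock_free = True, True
    while queue:
        s = queue.popleft()
        using = [ip for m, ip in s[0] if m == USING]
        if len(using) != len(set(using)):      # two hosts use the same address
            me_ok = False
        succ = successors(s, n_hosts, n_addrs)
        if not succ:                           # no transition possible: deadlock
            deadlock_free = False
        for t in succ:
            t = norm(t)
            if t not in seen:
                seen.add(t); queue.append(t)
    return {"states": len(seen), "mutual_exclusion": me_ok,
            "deadlock_free": deadlock_free}


if __name__ == "__main__":
    for k in (1, 2, 3, 4):
        plain, sym = explore(2, k), explore(2, k, symmetry=True)
        print(f"2 hosts, {k} addresses: {plain['states']} states, "
              f"{sym['states']} with symmetry reduction, "
              f"ME={plain['mutual_exclusion']} DL={plain['deadlock_free']}")
```

Run as a script it prints, for 2 hosts and 1 to 4 addresses, the number of reachable states with and without symmetry reduction together with the ME and DL verdicts. With symmetry reduction the counts for 2, 3 and 4 addresses coincide, which is the saturation effect: in this abstraction a host's address is either 0 or the address carried by its own probe, so at most one distinct nonzero address per host can occur in any state, and beyond that many addresses every further address only produces states that are permutations of ones already seen. Without the reduction the counts keep growing with the number of addresses.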
7.4 Conclusions
Our goal has been to construct a model of Zeroconf that (a) is easy to understand by engineers, (b) comes as close as possible to RFC 3927, and (c) may serve as a basis for formal verification. Did we succeed?
Understandability Of course, it is not to us to judge whether our model is understandable for others. The present chapter aims to place the cards on the table as a basis for a discussion. The UPPAAL syntax, which combines extended finite state machines, C-like syntax and concepts from timed automata, will certainly be familiar to protocol engineers, except maybe for the use of clock variables. However, our experience is that timed automata notation is easy to explain, also to people without expertise in theoretical computer science. Clocks provide a simple and intuitive means to specify the various timing constraints in Zeroconf. The automata Config and InputHandler would be the obvious candidates for inclusion in a standard. The only elements in these automata which may be considered less intuitive are the use of committed locations in the InputHandler and the sending of a no_reply signal in situations where no reply packet is sent (this is an artifact of the model since in reality there is no such signal). However, we can easily remove these elements from the InputHandler automaton at the price of making the Network automata (somewhat) more complicated.
There are at least four extensions of the UPPAAL syntax that would help us to further improve the readability of our model: (1) A richer syntax for datatypes, for instance permitting us to write 0.0.0.0 for the all zero IP address instead of 0. (2) The ability to initialize clock variables, allowing us to eliminate the initial transition in the InputHandler[j] automaton. (3) The ability to test clocks within the body of functions, allowing us to move the test on y into the definition of ihandler, where it belongs conceptually. (4) Urgent transitions as advocated in [GV05]. This would allow us e.g., to replace the invariant
counter < ANNOUNCE_NUM imply x <= ANNOUNCE_INTERVAL
in automaton Config by an urgency predicate
x <= ANNOUNCE_INTERVAL.
In our opinion urgency predicates are more intuitive than location invariants. Once these extensions have been implemented, a good case can be made for inclusion of the Config and InputHandler automata (with the ihandler code) in a Zeroconf standard. These models definitely help to clarify the RFC and to prevent incorrect interpretations due to ambiguity in the textual part. The UPPAAL simulator is also very useful to obtain insight in the protocol.
Our efforts revealed five places where RFC 3927 [CAG05] is incomplete/unclear:
1. No upper and lower bounds are given on the time that may elapse between sending the last ARP Probe and sending the first ARP Announcement.
2. It is not specified whether a host may immediately start using a newly claimed address or whether it should first send out all ARP Announcements.
3. No tolerance is specified on the timing of ARP Announcements.
4. Although Zeroconf requires an underlying network that supports ARP (RFC 826), we identified some cases where Zeroconf does not conform to RFC 826.
5. It is not exactly clear in which situations a host may defend its address.
Faithfulness and Traceability We have shown that UPPAAL is able to model Zeroconf faithfully. Basically, for each transition in the model we can point towards a corresponding piece of text in the RFC. The relationships between our model and the RFC have been described in great detail in this chapter, including the design choices and abstractions that we made. Following [BM04], our aim has been to make the model construction transparent, so that our model may be more easily understood and checked by others, making its quality measurable in (at least) an informal sense.
We see at least three ways in which UPPAAL can be improved to allow for even more faithful/realistic modeling of Zeroconf and better traceability: (1) An extension with probabilities, along the lines of PRISM [KNP04], is clearly desirable. (2) UPPAAL supports modeling of systems that are described as networks of a fixed number of automata with a fixed communication structure. This modeling approach does not fit very well with the highly dynamic structure of Zeroconf networks where hosts may join and leave, subnetworks may be joined, etc. (3) To support traceability it would help to add a feature to UPPAAL by which comments are displayed when a user clicks on (or points at) a transition. Items (1) and (2) require a major research effort, whereas item (3) should be easy to implement.
Complexity and Tractability The formal model of Zeroconf that we presented in Section 7.2 cannot be analyzed by UPPAAL for interesting instances with 3 or more hosts. The full version of this chapter is reported in [GVZ06a] and it includes a short manual proof of mutual exclusion for the model that we considered (no message loss, host failure and merging of networks). In order to verify a system with 3 hosts, we had to apply some drastic abstractions. We have argued informally that these abstractions are sound.
A challenging question for us is to come up with (automatically generated) additional abstractions that allow for the automated analysis of larger instances of the protocol. One possibility here would be to try to apply the technique of counterexample guided abstraction refinement [CGJ+00, CFH+03]. A basic idea in the design of Zeroconf is that it does not harm to send additional ARP messages; they have only been added because they may help to ensure (or restore) mutual exclusion in the case of faults. Thus far, we have not been able to come up with abstractions that capture this idea. It is highly desirable to extend UPPAAL with (semi-)automatic support for proving correctness of abstractions. Only abstractions can bridge the gap between realistic and tractable models.
Future Work We have only modelled/analyzed a few simple instances of a part of Zeroconf in a restrictive setting without faulty nodes, merging of subnetworks, etc. So clearly, there are many directions in which our modeling effort can be extended. The timing behavior of Zeroconf becomes really interesting when studied within a setting in which also the probabilistic behavior is modelled. The performance analysis of Zeroconf reported in [BSHV03, KNPS03] has been carried out for an abstract probabilistic model of Zeroconf. A challenging question is whether these results also hold for a (probabilistic extension) of our more realistic model.
Acknowledgments
We thank Peter van der Stok (Philips Research) for suggesting the problem to us, Stuart Cheshire (Apple Computer, Inc.) and Boris Cobbelens (Free University, Amsterdam) for answering all our questions about Zeroconf. Martijn Hendriks, Jasper Berendsen, Jozef Hooman and the students of the Analysis of Embedded Systems course in Nijmegen commented on earlier versions and came with modeling suggestions. Martijn also helped with UPPAAL and noted the occurrence of data saturation. Guy Leduc, Hubert Garavel, Judi Romijn and Ken Turner commented on the use of formal description languages within protocol standards.
Bibliography
[ABV94] L. Aceto, B. Bloom, and F.W. Vaandrager. Turning SOS rules into equations. Information and Computation, 111(1):1–52, May 1994.
[ACD90] R. Alur, C. Courcoubetis, and D. Dill. Model checking for real-time systems. In IEEE Symposium on Logic in Computer Science, pages 414–425, 1990.
[ACD93] R. Alur, C. Courcoubetis, and D.L. Dill. Model checking in dense real time. Information and Computation, 104:2–34, 1993.
[ACH+95] R. Alur, C. Courcoubetis, N. Halbwachs, T.A. Henzinger, P.-H. Ho, X. Nicollin, A. Olivero, J. Sifakis, and S. Yovine. The algorithmic analysis of hybrid systems. Theoretical Computer Science, 138:3–34, 1995.
[ACM02] Eugene Asarin, Paul Caspi, and Oded Maler. Timed regular expressions. J. ACM, 49(2):172–206, 2002.
[AD94] R. Alur and D. Dill. A theory of timed automata. Theoretical Computer Science, 126:183–235, 1994.
[ÅF99] K. Åkesson and M. Fabian. Implementing supervisory control for chemical batch processes. In International Conf. on Control Applications, pages 1272–1277. IEEE Computer Society Press, 1999.
[AH94a] R. Alur and T.A. Henzinger. Real-time system = discrete system + clock variables. In T. Rus and C. Rattray, editors, Theories and Experiences for Real-Time System Development — Papers presented at First AMAST Workshop on Real-Time System Development, Iowa City, Iowa, November 1993, pages 1–29. World Scientific, 1994.
[AH94b] Rajeev Alur and Thomas A. Henzinger. A really temporal logic. J. ACM, 41(1):181–204, 1994.
[AHLP00] R. Alur, T.A. Henzinger, G. Lafferriere, and G.J. Pappas. Discrete abstractions of hybrid systems. Proc. IEEE, 88:971–984, 2000.
[AJ95] Luca Aceto and Alan S. A. Jeffrey. A complete axiomatization of timed bisimulation for a class of timed regular behaviours (revised version). Theoretical Computer Science, 152(2):251–268, December 1995.
[AL94] Martín Abadi and Leslie Lamport. An old-fashioned recipe for real-time. ACM Trans. Program. Lang. Syst., 16(5):1543–1571, 1994.
[Alb02] S. Albert. CYBERNETIX case study informal description, 2002. Available through URL http://ametist.cs.utwente.nl.
[AM04] Rajeev Alur and P. Madhusudan. Decision problems for timed automata: A survey. In Bernardo and Corradini [BC04], pages 1–24.
[Asa04] Eugene Asarin. Challenges in timed languages: from applied theory to basic theory. Bulletin of the EATCS, 83:106–120, 2004.
[ATM05] Rajeev Alur, Salvatore La Torre, and P. Madhusudan. Perturbed timed automata. In Manfred Morari and Lothar Thiele, editors, HSCC, volume 3414 of Lecture Notes in Computer Science, pages 70–85. Springer, 2005.
[BC04] Marco Bernardo and Flavio Corradini, editors. Formal Methods for the Design of Real-Time Systems, International School on Formal Methods for the Design of Computer, Communication and Software Systems, SFM-RT 2004, Bertinoro, Italy, September 13-18, 2004, Revised Lectures, volume 3185 of Lecture Notes in Computer Science. Springer, 2004.
[BCG88] M.C. Browne, E.M. Clarke, and O. Grumberg. Characterizing finite Kripke structures in propositional temporal logic. Theoretical Computer Science, 59(1,2):115–131, 1988.
[BCH+05] Béatrice Bérard, Franck Cassez, Serge Haddad, Didier Lime, and Olivier H. Roux. Comparison of the expressiveness of timed automata and time Petri nets. In Pettersson and Yi [PY05], pages 211–225.
[BCM+92] J.R. Burch, E.M. Clarke, K.L. McMillan, D.L. Dill, and L.J. Hwang. Symbolic model checking: 10^20 states and beyond. Information and Computation, 98(2):142–170, June 1992.
[BCM05] Patricia Bouyer, Fabrice Chevalier, and Nicolas Markey. On the expressiveness of TPTL and MTL. In R. Ramanujam and Sandeep Sen, editors, FSTTCS, volume 3821 of Lecture Notes in Computer Science, pages 432–443. Springer, 2005.
[BDFP00] Patricia Bouyer, Catherine Dufourd, Emmanuel Fleury, and Antoine Petit. Expressiveness of updatable timed automata. In Mogens Nielsen and Branislav Rovan, editors, MFCS, volume 1893 of Lecture Notes in Computer Science, pages 232–242. Springer, 2000.
[BDHK04] H. Bohnenkamp, P.R. D’Argenio, H. Hermanns, and J.-P. Katoen. MoDeST: A compositional modeling formalism for real-time and stochastic systems. CTIT Tech. Rep. 04-46, University of Twente, 2004. Submitted for publication.
[BDL+01] G. Behrmann, A. David, K.G. Larsen, O. Möller, P. Pettersson, and Wang Yi. UPPAAL – present and future. In Proceedings of 40th IEEE Conference on Decision and Control. IEEE Press, 2001.
[BDL04] G. Behrmann, A. David, and K.G. Larsen. A tutorial on Uppaal. In Marco Bernardo and Flavio Corradini, editors, Formal Methods for the Design of Real-Time Systems, International School on Formal Methods for the Design of Computer, Communication and Software Systems (SFM-RT 2004), Bertinoro, Italy, September 13-18, Revised Lectures, volume 3185 of Lecture Notes in Computer Science, pages 200–236. Springer, 2004.
[BDM+98] M. Bozga, C. Daws, O. Maler, A. Olivero, S. Tripakis, and S. Yovine. KRONOS: A model-checking tool for real-time systems. In A.J. Hu and M. Vardi, editors, Proceedings of the 10th CAV, volume 1427 of LNCS, pages 546–550. Springer, 1998.
[BFK+98] Howard Bowman, Giorgio P. Faconti, Joost-Pieter Katoen, Diego Latella, and Mieke Massink. Automatic verification of a lip-synchronisation protocol using UPPAAL. Formal Asp. Comput., 10(5-6):550–575, 1998.
[BG92] G. Berry and G. Gonthier. The ESTEREL synchronous programming language: design, semantics, implementation. Science of Computer Programming, 19(2):87–152, November 1992.
[BG06] H. Bowman and R.S. Gomez. Concurrency Theory, Calculi and Automata for Modelling Untimed and Timed Concurrent Systems. Springer, January 2006.
[BGK+02] Johan Bengtsson, W. O. David Griffioen, Kåre J. Kristoffersen, Kim Guldstrand Larsen, Fredrik Larsson, Paul Pettersson, and Wang Yi. Automated verification of an audio-control protocol using UPPAAL. J. Log. Algebr. Program., 52-53:163–181, 2002.
[BGM02] M. Bozga, S. Graf, and L. Mounier. IF-2.0: A validation environment for component-based real-time systems. In Proceedings of CAV’02, volume 2404 of LNCS, pages 343–348, Copenhagen, Denmark, 2002. Springer.
[BGO+04] Marius Bozga, Susanne Graf, Ileana Ober, Iulian Ober, and Joseph Sifakis. The IF toolset. In Bernardo and Corradini [BC04], pages 237–267.
[BGS00] S. Bornot, G. Gößler, and J. Sifakis. On the construction of live timed systems. In 6th Proceedings of TACAS’00, volume 1785 of LNCS, pages 172–202. Springer-Verlag, 2000.
[BGS05] Howard Bowman, Rodolfo Gómez, and Li Su. A tool for the syntactic detection of zeno-timelocks in timed automata. Electr. Notes Theor. Comput. Sci., 139(1):25–47, 2005.
[BJMY02] Marius Bozga, Hou Jianmin, Oded Maler, and Sergio Yovine. Verification of asynchronous circuits using timed automata. Electr. Notes Theor. Comput. Sci., 65(6), 2002.
[BK82] J.A. Bergstra and J.W. Klop. Fixed point semantics in process algebra. Technical Report IW 208, CWI, Amsterdam, 1982.
[BLL+96] J. Bengtsson, K.G. Larsen, F. Larsson, P. Pettersson, and Wang Yi. UPPAAL - A tool suite for automatic verification of real-time systems. In R. Alur, T.A. Henzinger, and E.D. Sontag, editors, Hybrid Systems III: Verification and Control, volume 1066 of LNCS, pages 232–243. Springer, 1996.
[BM02] J.C.M. Baeten and C.A. Middelburg. Process Algebra with Timing. EATCS Monographs. Springer, 2002.
[BM04] E. Brinksma and A. Mader. On verification modelling of embedded systems. Technical Report TR-CTIT-04-03, Centre for Telematics and Information Technology, Univ. of Twente, The Netherlands, January 2004.
[Bou03] Patricia Bouyer. Untameable timed automata! In Helmut Alt and Michel Habib, editors, STACS, volume 2607 of Lecture Notes in Computer Science, pages 620–631. Springer, 2003.
[Bow99] Howard Bowman. Modelling timeouts without timelocks. In Proceedings of ARTS’99, LNCS, page 20. Springer-Verlag, 1999.
[Bow01] Howard Bowman. Time and action lock freedom properties for timed automata. In Myungchul Kim, Byoungmoon Chin, Sungwon Kang, and Danhyung Lee, editors, FORTE, volume 197 of IFIP Conference Proceedings, pages 119–134. Kluwer, 2001.
[Bra96] B. A. Brandin. The real-time supervisory control of an experimental manufacturing cell. In IEEE Transactions on Robotics and Automation, volume 12, pages 1–13, 1996.
[BS98a] S. Bornot and J. Sifakis. On the composition of hybrid systems. In Thomas A. Henzinger and Shankar Sastry, editors, Hybrid Systems: Computation and Control, First International Workshop, HSCC’98, volume 1386 of LNCS, pages 49–63. Springer, 1998.
[BS98b] G. Bruns and M.G. Staskauskas. Applying formal methods to a protocol standard and its implementations. In Proceedings International Symposium on Software Engineering for Parallel and Distributed Systems (PDSE 1998), 20-21 April, 1998, Kyoto, Japan, pages 198–205. IEEE Computer Society, 1998.
[BS00] S. Bornot and J. Sifakis. An algebraic framework for urgency. Information and Computation, 163:172–202, 2000.
[BSHV03] H. Bohnenkamp, P. van der Stok, H. Hermanns, and F.W. Vaandrager. Cost-optimisation of the IPv4 zeroconf protocol. In Proceedings of the International Conference on Dependable Systems and Networks (DSN2003), pages 531–540, Los Alamitos, California, 2003. IEEE Computer Society.
[BST98] S. Bornot, J. Sifakis, and S. Tripakis. Modeling urgency in timed systems. In W.-P. de Roever, H. Langmaack, and A. Pnueli, editors, Compositionality: The Significant Difference, volume 1536 of LNCS, pages 103–129. Springer, 1998.
[BT04] Roberto Barbuti and Luca Tesei. Timed automata with urgent transitions. Acta Inf., 40(5):317–347, 2004.
[BY03] Johan Bengtsson and Wang Yi. Timed automata: Semantics, algorithms and tools. In Jörg Desel, Wolfgang Reisig, and Grzegorz Rozenberg, editors, Lectures on Concurrency and Petri Nets, volume 3098 of Lecture Notes in Computer Science, pages 87–124. Springer, 2003.
[CAG05] S. Cheshire, B. Aboba, and E. Guttman. Dynamic configuration of IPv4 link-local addresses (RFC 3927), May 2005. http://www.ietf.org/rfc/rfc3927.txt.
[CE81] Edmund M. Clarke and E. Allen Emerson. Design and synthesis of synchronization skeletons using branching-time temporal logic. In Dexter Kozen, editor, Logic of Programs, volume 131 of Lecture Notes in Computer Science, pages 52–71. Springer, 1981.
[Čerāns92] K. Čerāns. Decidability of bisimulation equivalences for parallel timer processes. In G. von Bochmann and D.K. Probst, editors, Proceedings of the 4th CAV, volume 663 of LNCS, pages 302–315. Springer, 1992.
[CFH+03] Edmund M. Clarke, Ansgar Fehnker, Zhi Han, Bruce H. Krogh, Joël Ouaknine, Olaf Stursberg, and Michael Theobald. Abstraction and counterexample-guided refinement in model checking of hybrid systems. Int. J. Found. Comput. Sci., 14(4):583–604, 2003.
[CGH+93] E. M. Clarke, O. Grumberg, H. Hiraishi, S. Jha, D. E. Long, K. L. McMillan, and L. A. Ness. Verification of the Futurebus+ cache coherence protocol. In Proc. CHDL, pages 15–30, 1993.
[CGJ+00] Edmund M. Clarke, Orna Grumberg, Somesh Jha, Yuan Lu, and Helmut Veith. Counterexample-guided abstraction refinement. In E. Allen Emerson and A. Prasad Sistla, editors, CAV, volume 1855 of Lecture Notes in Computer Science, pages 154–169. Springer, 2000.
[Che06] S. Cheshire. Personal communication, February 2006.
[CL99] C. G. Cassandras and S. Lafortune. Introduction to Discrete Event Systems. Kluwer Academic, 1999.
[CL00] Franck Cassez and Kim Guldstrand Larsen. The impressive power of stopwatches. In Catuscia Palamidessi, editor, CONCUR, volume 1877 of Lecture Notes in Computer Science, pages 138–152. Springer, 2000.
[Cor98] F. Corradini. On performance congruences for process algebras. Information and Computation, 145(2):191–230, 1998.
[CS05] S. Cheshire and D.H. Steinberg. Zero Configuration Networking: The Definitive Guide. O’Reilly Media, Inc., 2005.
[D’A99] P.R. D’Argenio. Algebras and Automata for Timed and Stochastic Systems. PhD thesis, Department of Computer Science, University of Twente, November 1999.
[DB96] P.R. D’Argenio and E. Brinksma. A calculus for timed automata (Extended abstract). In B. Jonsson and J. Parrow, editors, Procs. of FTRTFT’96, Uppsala, Sweden, volume 1135 of LNCS, pages 110–129. Springer, 1996.
[DG05] P.R. D’Argenio and B. Gebremichael. The coarsest congruence for timed automata with deadlines contained in bisimulation. In 16th International Conference on Concurrency Theory (CONCUR05), volume 3653 of LNCS, pages 125–140, San Francisco, USA, August 2005.
[DG06] P.R. D’Argenio and B. Gebremichael. Axiomatizing timed automata with deadlines. Technical Report ICIS-R06xxx, ICIS - Radboud University Nijmegen, 2006.
[DHKK01] P.R. D’Argenio, H. Hermanns, J.-P. Katoen, and R. Klaren. MoDeST - a modelling and description language for stochastic timed systems. In L. de Alfaro and S. Gilmore, editors, Proceedings of PAPM-PROBMIV 2001, volume 2165 of LNCS, pages 87–104. Springer, 2001.
[Dij74] E. W. Dijkstra. Self-stabilizing systems in spite of distributed control. Communications ACM, 17:643–644, 1974.
[Dil89] David L. Dill. Timing assumptions and verification of finite-state concurrent systems. In Joseph Sifakis, editor, Automatic Verification Methods for Finite State Systems, volume 407 of Lecture Notes in Computer Science, pages 197–212. Springer, 1989.
[Dim01] C. Dima. An algebraic theory of real-time formal languages. PhD thesis, Université Joseph Fourier, Grenoble, France, 2001.
[Feh99] Ansgar Fehnker. Scheduling a steel plant with timed automata. In Sixth International Conference on Real-Time Computing Systems and Applications (RTCSA’99). IEEE Computer Society Press, 1999.
[FZ95] C. J. Fidge and J. J. Zic. An expressive real-time CCS. In Second Australasian Conference on Parallel and Real-Time Systems (PART’95). Fremantle, September 1995.
[GB03] R. Gomez and H. Bowman. Discrete timed automata and MONA: Description, specification and verification of a multimedia stream. In Proceedings of FORTE’03, volume 2767 of LNCS, pages 177–192. Springer, 2003.
[GHKU03] B. Gebremichael, H. Hermanns, T. Krilavičius, and Y.S. Usenko. Hybrid modeling of a vehicle surveillance system with real-time data processing. In Proc. Int. Conf. on Dynamical Systems Modeling and Stability Investigation, page 419, Kyiv, Ukraine, May 2003.
[GKU04] B. Gebremichael, T. Krilavičius, and Y.S. Usenko. A formal analysis of a car periphery supervision system. In J. Zaytoon, V. Carre-Mennetrier, and X. Cao, editors, Seventh International Workshop on Discrete Event Systems WODES’04, pages 433–439, Reims, France, September 2004. Elsevier Science Ltd. Also available as Technical Report NIII-R0418, NIII, University of Nijmegen.
[Gla93] R.J. van Glabbeek. A complete axiomatization for branching bisimulation congruence of finite-state behaviours. In Proc. MFCS’93, volume 711 of LNCS, pages 473–484. Springer, 1993.
[GLTV03] S.J. Garland, N.A. Lynch, J. Tauber, and M. Vaziri. IOA user guide and reference manual, 2003.
[GO01] S. Graf and I. Ober. A real-time profile for UML and how to adapt it to SDL. In Proceedings of SDL Forum’03, volume 2165 of LNCS, pages 55–76. Springer, 2001.
[GS05a] Gregor Gössler and Joseph Sifakis. Composition for component-based modeling. Sci. Comput. Program., 55(1-3):161–183, 2005.
[GS05b] Gregor Gössler and Joseph Sifakis. Composition for component-based modeling. Sci. Comput. Program., 55(1-3):161–183, 2005.
[Gun97] J. Gunnarsson. Symbolic Methods and Tools for Discrete Event Dynamic Systems. PhD thesis, Linköping Studies in Science and Technology, 1997.
[GV03a] B. Gebremichael and F.W. Vaandrager. Control synthesis for a smart card personalization system using symbolic model checking. In Proceedings First International Workshop on Formal Modeling and Analysis of Timed Systems (FORMATS’03), volume 2791 of LNCS, Marseille, France, September 2003. Springer Verlag.
[GV03b] Biniam Gebremichael and Frits Vaandrager. Control synthesis for a smart card personalization system using symbolic model checking. Technical Report NIII-R0312, Computing Science Institute, University of Nijmegen, 2003.
[GV04] B. Gebremichael and F. Vaandrager. Specifying urgency in timed I/O automata. Technical Report NIII-R0459, ICIS, Radboud University Nijmegen, 2004.
[GV05] B. Gebremichael and F.W. Vaandrager. Specifying urgency in timed I/O automata. In Proceedings of 3rd IEEE International Conference on Software Engineering and Formal Methods (SEFM05), pages 64–73, Koblenz, Germany, September 2005. IEEE Computer Society.
[GVZ06a] B. Gebremichael, F.W. Vaandrager, and M. Zhang. Analysis of a protocol for dynamic configuration of IPv4 link local addresses using UPPAAL. Technical Report ICIS-R06016, ICIS, Radboud University Nijmegen, 2006.
[GVZ06b] B. Gebremichael, F.W. Vaandrager, and M. Zhang. Analysis of the Zeroconf protocol using UPPAAL. In Proceedings 6th Annual ACM Conference on Embedded Software (EMSOFT). ACM Press, October 2006. To appear.
[HBL+03] Martijn Hendriks, Gerd Behrmann, Kim Guldstrand Larsen, Peter Niebert, and Frits W. Vaandrager. Adding symmetry reduction to UPPAAL. In Kim Guldstrand Larsen and Peter Niebert, editors, FORMATS, volume 2791 of Lecture Notes in Computer Science, pages 46–59. Springer, 2003.
[Hen96] T.A. Henzinger. The theory of hybrid automata. In Proc. 11th LICS’96, pages 278–292, New Brunswick, New Jersey, USA, 1996.
[Hen98] Thomas A. Henzinger. It’s about time: Real-time logics reviewed. In Davide Sangiorgi and Robert de Simone, editors, CONCUR, volume 1466 of Lecture Notes in Computer Science, pages 439–454. Springer, 1998.
[Her02] H. Hermanns. Interactive Markov Chains: The Quest for Quantified Quality, volume 2428 of LNCS. Springer, 2002.
[HH95] T.A. Henzinger and P.-H. Ho. Algorithmic analysis of nonlinear hybrid systems. In P. Wolper, editor, Proc. 7th CAV’95, volume 939, pages 225–238. Springer, 1995.
[HHWT97] T.A. Henzinger, P.-H. Ho, and H. Wong-Toi. HYTECH: A model checker for hybrid systems. Int. Journal on Software Tools for Technology Transfer, 1:110–122, 1997.
[Hil96] J. Hillston. A Compositional Approach to Performance Modelling. Distinguished Dissertation in Computer Science. Cambridge University Press, 1996.
[HKWT95] Thomas A. Henzinger, Peter W. Kopke, and Howard Wong-Toi. The expressive power of clocks. In Zoltán Fülöp and Ferenc Gécseg, editors, ICALP, volume 944 of Lecture Notes in Computer Science, pages 417–428. Springer, 1995.
[HL02] M. Hendriks and K.G. Larsen. Exact acceleration of real-time model checking. ENTCS, 65(6), April 2002.
[HLP01] Thomas Hune, Kim G. Larsen, and Paul Pettersson. Guided synthesis of control programs using UPPAAL. Nordic Journal of Computing, 8(1):43–64, 2001.
[HMP92] Thomas A. Henzinger, Zohar Manna, and Amir Pnueli. What good are digital clocks? In Werner Kuich, editor, ICALP, volume 623 of Lecture Notes in Computer Science, pages 545–558. Springer, 1992.
[HNSY94] T.A. Henzinger, X. Nicollin, J. Sifakis, and S. Yovine. Symbolic model checking for real-time systems. Information and Computation, 111(2):193–244, 1994.
[Hoa78] C. A. R. Hoare. Communicating sequential processes. Commun. ACM, 21(8):666–677, 1978.
[Hol03] G.J. Holzmann. The Spin Model Checker: Primer and Reference Manual. Addison-Wesley, 2003.
[HPR94] N. Halbwachs, Y. Proy, and P. Raymond. Verification of linear hybrid systems by means of convex approximations. In Proc. 1st SAS’94, LNCS 864, pages 223–237, Namur, Belgium, September 1994. Springer.
[HVG03] Jinfeng Huang, Jeroen Voeten, and Marc Geilen. Real-time property preservation in approximations of timed systems. In MEMOCODE, pages 163–171. IEEE Computer Society, 2003.
[ID93] C. Norris Ip and David L. Dill. Better verification through symmetry. In David Agnew, Luc J. M. Claesen, and Raul Camposano, editors, CHDL, volume A-32 of IFIP Transactions, pages 97–111. North-Holland, 1993.
[IKL+00] T.K. Iversen, K.J. Kristoffersen, K.G. Larsen, M. Laursen, R.G. Madsen, S.K. Mortensen, P. Pettersson, and C.B. Thomasen. Model-checking real-time control programs — Verifying LEGO Mindstorms systems using UPPAAL. In IEEE Euromicro Conf. on Real-Time Systems, pages 147–155, 2000.
[J.L96] J.L. Lions. Ariane 5 flight 501 failure: Report of the inquiry board, July 1996. Available at http://www.esa.int.
[JLS00] H.E. Jensen, K.G. Larsen, and A. Skou. Scaling up UPPAAL: automatic verification of real-time systems using compositionality and abstraction. In Mathai Joseph, editor, FTRTFT 2000 proceedings, number 1926 in LNCS, pages 19–30. Springer-Verlag, 2000.
[Jon97] Mike Jones. What really happened on Mars Rover Pathfinder, 1997. The Risks Digest 19:49.
[KLM04] D.K. Kaynar, N.A. Lynch, and S. Mitra. Specifying and proving timing properties with TIOA tools. In 25th Proceedings of RTSS’04 WIP. IEEE Computer Society, 2004.
[KLSV03a] D.K. Kaynar, N.A. Lynch, R. Segala, and F.W. Vaandrager. A framework for modelling timed systems with restricted hybrid automata. In 24th Proceedings of RTSS’03, pages 166–178. IEEE Computer Society Press, 2003.
[KLSV03b] D.K. Kaynar, N.A. Lynch, R. Segala, and F.W. Vaandrager. The theory of timed I/O automata. Technical Report MIT-LCS-TR-917, MIT Laboratory for Computer Science, Cambridge, MA, 2003.
[KNP04] Marta Z. Kwiatkowska, Gethin Norman, and David Parker. PRISM 2.0: A tool for probabilistic model checking. In Proceedings of the 1st International Conference on Quantitative Evaluation of Systems (QEST04), pages 322–323. IEEE Computer Society, 2004.
[KNPS03] M. Kwiatkowska, G. Norman, D. Parker, and J. Sproston. Performance analysis of probabilistic timed automata using digital clocks. In K. Larsen and P. Niebert, editors, Proc. Formal Modeling and Analysis of Timed Systems (FORMATS’03), volume 2791 of LNCS, pages 105–120. Springer-Verlag, 2003.
[Koy90] Ron Koymans. Specifying real-time properties with metric temporal logic. Real-Time Systems, 2(4):255–299, 1990.
[KPSY99] Yonit Kesten, Amir Pnueli, Joseph Sifakis, and Sergio Yovine. Decidable integration graphs. Inf. Comput., 150(2):209–243, 1999.
[KR03] S. Kowalewski and M. Rittel. IST Project AMETIST: Real-time allocation for car periphery supervision. Technical report, Robert Bosch GmbH, 2003. Preliminary Description (Deliverable No. 3.1.3) see http://ametist.cs.utwente.nl/.
[KU03] Tomas Krilavicius and Yaroslav Usenko. Smart card personal-
isation machine inUPPAAL and µCRL, 2003. In preparation.
[Lam83] L. Lamport. What good is temporal logic? In R.E. Mason, ed-
itor, Information Processing 83, pages 657–668. North-Holland,
1983.
[Lam05] Leslie Lamport. Real-time model checking is really simple. In
Dominique Borrione and Wolfgang J. Paul, editors, CHARME,
volume 3725 of Lecture Notes in Computer Science, pages 162–
175. Springer, 2005.
[LMN05] Kim G. Larsen, Marius Mikucionis, and Brian Nielsen. Test-
ing real-time embedded software using UPPAAL-TRON: an
industrial case study. In the 5th ACM International Conference
on Embedded Software, pages 299 – 306. ACM Press New York,
NY, USA, September 18–22 2005.
[Loe02] V. Loeb. ’Friendly Fire’ deaths traced to dead battery: Taliban
targeted, but US forces killed. Washington Post, page 21, March
2002.
BIBLIOGRAPHY 157
[LPY97] K. G. Larsen, P. Pettersson, and W. Yi. UPPAAL in a nutshell.
Int. Journal on Software Tools for Technology Transfer, 1(1–2):134–
152, October 1997.
[LSV03] N.A. Lynch, R. Segala, and F.W. Vaandrager. Hybrid I/O au-
tomata. Information and Computation, 185(1):105–157, 2003.
[LT87] Nancy A. Lynch and Mark R. Tuttle. Hierarchical correctness
proofs for distributed algorithms. In Proceedings of the 6th An-
nual ACM Symposium on Principles of Distributed Computing,
pages 137–151. MIT, 1987.
[LW93] Y. Li and W.M. Wonham. Control of vector discrete-event sys-
temsI - the base model. In IEEE Trans. on Automatic Control, vol-
ume 38, pages 1214–1227. IEEE Computer Society Press, 1993.
[LY02] Huimin Lin and Wang Yi. Axiomatizing timed automata. Acta
Informatica, 38(4):277–305, 2002.
[Mad04] A. Mader. Deriving schedules for a smart card personalisation
system, 2004.
[McM93] K.L. McMillan. Symbolic Model Checking: An Approach to the
State Explosion Problem. Kluwer Academic Publishers, 1993.
[Mer74] P. M. Merlin. A study of the recoverability of computing systems.
PhD thesis, University of California, irvine, CA, 1974.
[Mil84] R. Milner. A complete inference system for a class of regular
behaviours. J. of Comp. and System Sci., 28:439–466, 1984.
[Mil89a] R. Milner. Communication and Concurrency. Prentice Hall, 1989.
[Mil89b] R. Milner. A complete axiomatisation for observational con-
gruence of finite-state behaviours. Information and Computation,
81(2):227–247, 1989.
[MMT91] M. Merritt, F. Modugno, and M. Tuttle. Time constrained au-
tomata. In 6th Proceeding of CONCUR’91, volume 527 of LNCS,
pages 408–423. Springer-Verlag, 1991.
[MNP05] Oded Maler, Dejan Nickovic, and Amir Pnueli. Real time tem-
poral logic: Past, present, future. In Pettersson and Yi [PY05],
pages 2–16.
[Mor00] R. Moritz. Pre-crash sensing - functional. Technical report,
Robert Bosch GmbH, 2000.
[MP92] Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Con-
current Systems: Specification. Springer, 1992.
[MP95] Z. Manna and A. Pnueli. Temporal Verification of Reactive Sys-
tems: Safety. Springer, 1995.
[NS91] Xavier Nicollin and Joseph Sifakis. An overview and synthe-
sis on timed process algebras. In Kim Guldstrand Larsen and
Arne Skou, editors, CAV, volume 575 of Lecture Notes in Com-
puter Science, pages 376–398. Springer, 1991.
[NY00] Peter Niebert and Sergio Yovine. Computing optimal opera-
tion schemes for multi batch operation of chemical plants. In
158 BIBLIOGRAPHY
Nancy A. Lynch and Bruce H. Krogh, editors, Hybrid Systems:
Computation and Control, Third International Workshop,HSCC’00,
volume 1790 of Lecture Notes in Computer Science, pages 338–
351. Springer, 2000.
[Plu82] David C. Plummer. An ethernet address res-
olution protocol (rfc 826), November 1982.
http://www.ietf.org/rfc/rfc826.txt.
[PY05] Paul Pettersson and Wang Yi, editors. Formal Modeling and
Analysis of Timed Systems, Third International Conference, FOR-
MATS 2005, Uppsala, Sweden, September 26-28, 2005, Proceed-
ings, volume 3829 of Lecture Notes in Computer Science. Springer,
2005.
[Ram74] C. Ramchandani. Analysis of asynchronous concurrent systems by
timed petri nets. PhD thesis, Massachusetts Institute of Technol-
ogy, Camvridge, MA, 1974.
[Ras99] J.-F. Raskin. Logics, Automata and Classical Theories for Deciding
Real-Time. PhD thesis, Univ. Namur, Namur, Belgium, 1999.
[Rob04] C.M. Robson. TIOA and UPPAAL. Master’s thesis, Depart-
ment of Electrical Engineering and Computer Science, Mas-
sachusetts Institute of Technology, Cambridge, 2004.
[Rom04] J.M.T. Romijn. Improving the quality of protocol
standards: Correcting IEEE 1394.1 FireWire net up-
date. Nieuwsbrief van de Nederlandse Vereniging voor
Theoretische Informatica, 8:23–30, 2004. Available at
http://www.win.tue.nl/oas/index.html?iqps/.
[Ruy03] T. C. Ruys. Optimal scheduling using branch and bound with
SPIN 4.0. In Proceedings of SPIN 2003, the 10th SPIN workshop,
2003. To appear.
[RW89] P.J.G. Ramadge and W.M. Wonham. The control of discrete
event systems. Proceedings of the IEEE, 77:81–98, 1989.
[SGSAL98] R. Segala, R. Gawlick, J.F. Søgaard-Andersen, and N.A. Lynch.
Liveness in timed and untimed systems. Information and Com-
putation, 141(2):119–171, 1998.
[SK91] R.S. Sreenivas and B.H. Krogh. On condition/event systems
with discrete state realizations. In Discrete Event Dynamic Sys-
tems. Theory and Applications 1, pages 209–236. Flumer Aca-
demic, 1991.
[Smi85] Brian Cantwell Smith. The limits of correctness. ACM SIGCAS
Computers and Society, 14:18–26, 1985.
[SSL+95] M. Sampath, R. Sengupta, S. Lafortune, K. Sinnamohideen, and
D. Teneketzis. Diagnosability of discrete event systems. IEEE
Transactions on Automatic Control, 40(9):1555– 1575, September
1995.
159
[Sto03] Marie¨lle Stoelinga. Fun with firewire: A comparative study
of formal verification methods applied to the IEEE 1394 root
contention protocol. Formal Asp. Comput., 14(3):328–337, 2003.
[SV96] Jan Springintveld and Frits W. Vaandrager. Minimizable timed
automata. In Bengt Jonsson and Joachim Parrow, editors,
FTRTFT, volume 1135 of Lecture Notes in Computer Science,
pages 130–147. Springer, 1996.
[SY96] J. Sifakis and S. Yovine. Compositional specification of timed
systems. In Proceedings of the 13th Annual Symp. on Theoretical
Aspects of Computer Science, STACS’96, volume 1046 of LNCS,
pages 347–359, Grenoble, France, 1996. Springer.
[Tel94] G. Tel. Introduction to Distributed Algorithms. Cambridge Uni-
versity Press, 1994.
[TFF+01] S. Thiel, S. Ferber, T. Fischer, A. Hein, and M. Schlick. A case
study in applying a product line approach for car periphery su-
pervision system. Technical report, Robert Bosch GmbH, 2001.
[TY01] S. Tripakis and S. Yovine. Analysis of timed systems using
time-abstracting bisimulations. Formal Methods in System De-
sign, 18(1):25–68, 2001.
[vLRG03] Izak van Langevelde, Judi Romijn, and Nicolae Goga. Found-
ing firewire bridges through promela prototyping. In 8th In-
ternational Workshop on Formal Methods for Parallel Program-
ming: Theory and Applications (FMPPTA). IEEE Computer So-
ciety Press, April 2003.
[Wan04] F. Wang. Formal verification of timed systems: A survey and
perspective. Proceedings of the IEEE, 92(8):1283–1305, 2004.
[Wei03] G. Weiss. LSCs modeling and cybernetixCS, 2003. to appear.
[Yi91] Wang Yi. Ccs + time = an interleaving model for real time sys-
tems. In Javier Leach Albert, Burkhard Monien, and Mario
Rodrı´guez-Artalejo, editors, ICALP, volume 510 of Lecture
Notes in Computer Science, pages 217–228. Springer, 1991.
[YL94] W.M. Wonham Y. Li. Control of vector discrete-event systemsII
- controller synthesis. In IEEE Transactions on Autom. Control,
volume 39, pages 512–531, 1994.
[Yor00] K. Yorav. Exploiting Syntactic Structure for Automatic Verification.
PhD thesis, TECHNION - Israel Institute of Technology, June
2000.
[Yov98] S. Yovine. Model checking timed automata. In G. Rozenberg
and F.W. Vaandrager, editors, Lectures on Embedded Systems,
volume 1494 of LNCS, pages 114–152. Springer, 1998.
[ZW01] Z. Zhang and W.M. Wonham. STCT: An efficient algorithm
for supervisory control design. In Symposium on Supervisory
Control of Discrete Event Systems, 2001.
160
Summary (translation of the Dutch samenvatting)
Real-time systems are computer systems whose correctness depends not only on the (logical) result of a computation, but also on the moment at which this result becomes available. Typical examples of real-time systems are railway crossing controllers, systems supporting air traffic control, and multimedia networks. Real-time systems are usually embedded in larger systems that in turn interact with their environment. For instance, the computer control of a railway crossing is one component of a larger safety system that is responsible for closing and opening the crossing when a train passes.
Due to competition between companies and the need to improve functionality and performance with as little hardware as possible, the complexity of real-time applications is increasing very rapidly. This leads to a growing number of errors in these systems, so that the need to specify correctness precisely and to verify it rigorously is greater than ever. Formal specification and verification has proven extraordinarily successful in the VLSI industry. There are promising results suggesting that a comparable success is also possible for real-time systems.
One of these results is the introduction of timed automata for formally specifying and verifying the correctness of real-time systems. Timed automata are supported by a strong theoretical foundation and by efficient verification tools such as the model checker UPPAAL. Successful application of formal verification requires a language in which, on the one hand, the systems to be analysed can be modelled accurately while, on the other hand, verification remains feasible. This thesis investigates the expressivity of timed automata both in theory and in practice. The theoretical investigation concerns notions of equivalence between timed automata and translations between formalisms. The practical investigation addresses the question of how suitable timed automata are for modelling and analysing (relevant aspects of) complex real-time systems, such as those developed, or being developed, by industry.
This doctoral research was carried out in the context and under the auspices of the European research project Advanced Methods for Timed Systems (AMETIST, http://ametist.cs.utwente.nl), which ran from April 2002 through June 2005. The AMETIST consortium consisted of seven academic and four industrial partners from five different countries. One of the main objectives of the project, and also the underlying goal of this thesis, was to develop a powerful modelling methodology, based on the timed automata model, with which realistic, complex industrial systems can be modelled.
Overview
This thesis consists of six (technical) chapters, which can be grouped into two parts. The first part (Chapters 2-4) compares the theoretical expressivity of various timed automata languages. Particular attention is paid to the aspect of "time progress": is it possible to let time stand still in a model? Since we assume that in reality time always progresses, we would prefer to rule out this possibility without restricting expressivity any further. Three popular timed automata formalisms are studied: timed automata with invariants (Safety Timed Automata), timed automata with deadlines (TAD), and timed input/output automata (TIOA). The second part of this thesis (Chapters 5-7) studies the "practical" expressivity of timed automata by means of complex industrial case studies proposed within the AMETIST project. Our results show that timed automata formalisms are capable of modelling critical parts of complex industrial systems in a precise and natural way. Below we briefly summarise the contents of the individual chapters.
• Chapter 2 presents a new bisimulation relation, called drop bisimulation, and thereby solves a problem with the so-called synchronisation delay that arises in the existing bisimulation relation for TADs. The new bisimulation is characterised in terms of a symbolic bisimulation, from which it follows that drop bisimulation is decidable.
• Chapter 3 is a sequel to Chapter 2 and presents an algebraic proof system that enables us to prove drop bisimulation equivalence by syntactic manipulation. In this chapter we show that the proof system is sound and complete.
• Chapter 4 introduces a new way of specifying deadlines in the TIOA formalism, which makes specifications shorter and more natural. The new specification style is compared with other ways of modelling deadlines, and translations between the specification formalisms are defined.
• Chapter 5 presents a formal model and analysis of the Car Periphery Supervision (CPS) system using timed automata. The CPS system, developed by AMETIST partner Robert BOSCH GmbH, is a radar system built into a car with which the car's immediate surroundings can be monitored. The CPS system is hybrid in nature, but we succeeded in finding a suitable abstraction that enabled us to model the system with timed automata and to verify relevant properties with the model checker UPPAAL.
• Chapter 6 reports on a second case study, proposed by Cybernetix, another industrial partner in the AMETIST project. This case study concerns a machine for personalising smart cards. One of the research problems we worked on is deriving a controller that can bring the machine back into a regular state after an error has occurred. Existing programs for deriving controllers are not powerful enough for such large systems (> 10^13 states). We therefore modelled the system using the model checker SMV and devised a "trick" to generate, with the help of SMV, a controller with which the system can handle errors. For this problem the use of a classical (discrete-time) model checker was the most obvious and natural choice. We think that integrating discrete-time and real-time model checkers is an interesting challenge.
• Chapter 7 describes a model and analysis of the Zeroconf protocol. Zeroconf makes it possible to configure an IPv4 network without using an external server such as DHCP. The contribution of this chapter is twofold. First, it gives a formal specification of critical parts of the protocol. Our investigation revealed several errors (or at least ambiguities) in the protocol standard that nobody else had noticed before. Second, we succeeded in verifying relevant properties of the specification, which provides insight into which properties hold under which assumptions.
Conclusion
The state explosion problem was, and still is, the main challenge in making formal verification scale. This problem arises as a result of the enormous number of states of realistic systems. In recent years important progress has been made in tackling the state explosion problem. This progress is due not only to improvements in computer hardware, whose performance doubles every 18 months (Moore's law), but also to new algorithmic techniques such as abstraction, symbolic analysis and compact data structures. In Chapters 5, 6 and 7 of this thesis we demonstrate the increasing power of model checkers. We use state-of-the-art modelling and verification techniques to prove the desired properties. Without recently developed algorithmic techniques we would not have been able to achieve this.
There are, however, still many cases in which it is not possible to explore state spaces in full. An alternative and promising approach to this problem is compositional analysis. Efficient implementation of compositional verification techniques requires clever algorithmic techniques. A key to success, however, is the expressive power of the modelling languages, the ability to specify components separately with clearly defined interfaces, and the ability to derive properties of the system from properties of the components.
Component-based analysis is widely used in the VLSI industry, but for real-time systems it is not yet really applied. This has to do with the difficulty of reasoning compositionally about systems in the presence of a global notion of time.
A small but important step towards compositional reasoning about real-time systems is the approach of Sifakis and colleagues, in which the absence of time deadlocks and of Zeno behaviour (infinitely many events in finite time) is guaranteed by construction. The contribution of this thesis is to make it possible to substitute equivalent components for one another without changing the behaviour of the system (see Chapter 2). This is an important aid for component-based analysis of real-time systems. The problem of whether two components are equivalent is decidable, and an algebraic theory for deriving equivalence syntactically is presented (Chapter 3).
There is still a long way to go before compositionality can be fully exploited in the analysis of real-time systems, and this forms an interesting direction for future research. As long as it is not yet possible to verify certain systems automatically, formally specifying these systems can already make an important contribution to improving the quality of the system, also as a starting point for simulation and documentation. Formal specification can detect inconsistencies and ambiguities at an early stage of the design process. It forces designers to clarify unclear points that might otherwise have been overlooked. This applies in particular to the numerous communication protocols that have been standardised by the IEEE SA and other standardisation bodies in terms of natural language. These standards contain the ambiguity inherent in the use of natural language. A number of papers have now been published showing that formal specification can help to improve the quality of complex designs. This thesis supports the thesis that formal specification can indeed make a contribution here. Some software packages for formal specification and verification (in particular UPPAAL) are by now powerful enough to help with this. As an outcome of our research we propose in this thesis a number of improvements and extensions with which the "practical" expressivity of specification languages (in particular that of UPPAAL) can be increased further.
(Special thanks to Frits Vaandrager, who translated this summary into the Dutch language.)
Curriculum Vitae
1987 – 1990 High School. Asmara, Eritrea.
1991 – 1996 B.Sc. in Mathematics. Asmara University, Eritrea.
1996 – 1997 Graduate Assistant. Asmara University, Eritrea.
1997 – 1999 M.Sc. Computer Science. Uppsala University, Sweden.
2000 – 2002 Assistant Lecturer. Asmara University, Eritrea.
2002 – 2006 Junior researcher. Radboud University Nijmegen, The Netherlands.
Titles in the IPA Dissertation Series
J.O. Blanco. The State Operator in Process Algebra. Faculty of Mathematics and Computing Science, TUE. 1996-01
A.M. Geerling. Transformational Development of Data-Parallel Algorithms. Faculty of Mathematics and Computer Science, KUN. 1996-02
P.M. Achten. Interactive Functional Programs: Models, Methods, and Implementation. Faculty of Mathematics and Computer Science, KUN. 1996-03
M.G.A. Verhoeven. Parallel Local Search. Faculty of Mathematics and Computing Science, TUE. 1996-04
M.H.G.K. Kesseler. The Implementation of Functional Languages on Parallel Machines with Distrib. Memory. Faculty of Mathematics and Computer Science, KUN. 1996-05
D. Alstein. Distributed Algorithms for Hard Real-Time Systems. Faculty of Mathematics and Computing Science, TUE. 1996-06
J.H. Hoepman. Communication, Synchronization, and Fault-Tolerance. Faculty of Mathematics and Computer Science, UvA. 1996-07
H. Doornbos. Reductivity Arguments and Program Construction. Faculty of Mathematics and Computing Science, TUE. 1996-08
D. Turi. Functorial Operational Semantics and its Denotational Dual. Faculty of Mathematics and Computer Science, VUA. 1996-09
A.M.G. Peeters. Single-Rail Handshake Circuits. Faculty of Mathematics and Computing Science, TUE. 1996-10
N.W.A. Arends. A Systems Engineering Specification Formalism. Faculty of Mechanical Engineering, TUE. 1996-11
P. Severi de Santiago. Normalisation in Lambda Calculus and its Relation to Type Inference. Faculty of Mathematics and Computing Science, TUE. 1996-12
D.R. Dams. Abstract Interpretation and Partition Refinement for Model Checking. Faculty of Mathematics and Computing Science, TUE. 1996-13
M.M. Bonsangue. Topological Dualities in Semantics. Faculty of Mathematics and Computer Science, VUA. 1996-14
B.L.E. de Fluiter. Algorithms for Graphs of Small Treewidth. Faculty of Mathematics and Computer Science, UU. 1997-01
W.T.M. Kars. Process-algebraic Transformations in Context. Faculty of Computer Science, UT. 1997-02
P.F. Hoogendijk. A Generic Theory of Data Types. Faculty of Mathematics and Computing Science, TUE. 1997-03
T.D.L. Laan. The Evolution of Type Theory in Logic and Mathematics. Faculty of Mathematics and Computing Science, TUE. 1997-04
C.J. Bloo. Preservation of Termination for Explicit Substitution. Faculty of Mathematics and Computing Science, TUE. 1997-05
J.J. Vereijken. Discrete-Time Process Algebra. Faculty of Mathematics and Computing Science, TUE. 1997-06
F.A.M. van den Beuken. A Functional Approach to Syntax and Typing. Faculty of Mathematics and Informatics, KUN. 1997-07
A.W. Heerink. Ins and Outs in Refusal Testing. Faculty of Computer Science, UT. 1998-01
G. Naumoski and W. Alberts. A Discrete-Event Simulator for Systems Engineering. Faculty of Mechanical Engineering, TUE. 1998-02
J. Verriet. Scheduling with Communication for Multiprocessor Computation. Faculty of Mathematics and Computer Science, UU. 1998-03
J.S.H. van Gageldonk. An Asynchronous Low-Power 80C51 Microcontroller. Faculty of Mathematics and Computing Science, TUE. 1998-04
A.A. Basten. In Terms of Nets: System Design with Petri Nets and Process Algebra. Faculty of Mathematics and Computing Science, TUE. 1998-05
E. Voermans. Inductive Datatypes with Laws and Subtyping – A Relational Model. Faculty of Mathematics and Computing Science, TUE. 1999-01
H. ter Doest. Towards Probabilistic Unification-based Parsing. Faculty of Computer Science, UT. 1999-02
J.P.L. Segers. Algorithms for the Simulation of Surface Processes. Faculty of Mathematics and Computing Science, TUE. 1999-03
C.H.M. van Kemenade. Recombinative Evolutionary Search. Faculty of Mathematics and Natural Sciences, UL. 1999-04
E.I. Barakova. Learning Reliability: a Study on Indecisiveness in Sample Selection. Faculty of Mathematics and Natural Sciences, RUG. 1999-05
M.P. Bodlaender. Scheduler Optimization in Real-Time Distributed Databases. Faculty of Mathematics and Computing Science, TUE. 1999-06
M.A. Reniers. Message Sequence Chart: Syntax and Semantics. Faculty of Mathematics and Computing Science, TUE. 1999-07
J.P. Warners. Nonlinear approaches to satisfiability problems. Faculty of Mathematics and Computing Science, TUE. 1999-08
J.M.T. Romijn. Analysing Industrial Protocols with Formal Methods. Faculty of Computer Science, UT. 1999-09
P.R. D'Argenio. Algebras and Automata for Timed and Stochastic Systems. Faculty of Computer Science, UT. 1999-10
G. Fábián. A Language and Simulator for Hybrid Systems. Faculty of Mechanical Engineering, TUE. 1999-11
J. Zwanenburg. Object-Oriented Concepts and Proof Rules. Faculty of Mathematics and Computing Science, TUE. 1999-12
R.S. Venema. Aspects of an Integrated Neural Prediction System. Faculty of Mathematics and Natural Sciences, RUG. 1999-13
J. Saraiva. A Purely Functional Implementation of Attribute Grammars. Faculty of Mathematics and Computer Science, UU. 1999-14
R. Schiefer. Viper, A Visualisation Tool for Parallel Program Construction. Faculty of Mathematics and Computing Science, TUE. 1999-15
K.M.M. de Leeuw. Cryptology and Statecraft in the Dutch Republic. Faculty of Mathematics and Computer Science, UvA. 2000-01
T.E.J. Vos. UNITY in Diversity. A stratified approach to the verification of distributed algorithms. Faculty of Mathematics and Computer Science, UU. 2000-02
W. Mallon. Theories and Tools for the Design of Delay-Insensitive Communicating Processes. Faculty of Mathematics and Natural Sciences, RUG. 2000-03
W.O.D. Griffioen. Studies in Computer Aided Verification of Protocols. Faculty of Science, KUN. 2000-04
P.H.F.M. Verhoeven. The Design of the MathSpad Editor. Faculty of Mathematics and Computing Science, TUE. 2000-05
J. Fey. Design of a Fruit Juice Blending and Packaging Plant. Faculty of Mechanical Engineering, TUE. 2000-06
M. Franssen. Cocktail: A Tool for Deriving Correct Programs. Faculty of Mathematics and Computing Science, TUE. 2000-07
P.A. Olivier. A Framework for Debugging Heterogeneous Applications. Faculty of Natural Sciences, Mathematics and Computer Science, UvA. 2000-08
E. Saaman. Another Formal Specification Language. Faculty of Mathematics and Natural Sciences, RUG. 2000-10
M. Jelasity. The Shape of Evolutionary Search Discovering and Representing Search Space Structure. Faculty of Mathematics and Natural Sciences, UL. 2001-01
R. Ahn. Agents, Objects and Events a computational approach to knowledge, observation and communication. Faculty of Mathematics and Computing Science, TU/e. 2001-02
M. Huisman. Reasoning about Java programs in higher order logic using PVS and Isabelle. Faculty of Science, KUN. 2001-03
I.M.M.J. Reymen. Improving Design Processes through Structured Reflection. Faculty of Mathematics and Computing Science, TU/e. 2001-04
S.C.C. Blom. Term Graph Rewriting: syntax and semantics. Faculty of Sciences, Division of Mathematics and Computer Science, VUA. 2001-05
R. van Liere. Studies in Interactive Visualization. Faculty of Natural Sciences, Mathematics and Computer Science, UvA. 2001-06
A.G. Engels. Languages for Analysis and Testing of Event Sequences. Faculty of Mathematics and Computing Science, TU/e. 2001-07
J. Hage. Structural Aspects of Switching Classes. Faculty of Mathematics and Natural Sciences, UL. 2001-08
M.H. Lamers. Neural Networks for Analysis of Data in Environmental Epidemiology: A Case-study into Acute Effects of Air Pollution Episodes. Faculty of Mathematics and Natural Sciences, UL. 2001-09
T.C. Ruys. Towards Effective Model Checking. Faculty of Computer Science, UT. 2001-10
D. Chkliaev. Mechanical verification of concurrency control and recovery protocols. Faculty of Mathematics and Computing Science, TU/e. 2001-11
M.D. Oostdijk. Generation and presentation of formal mathematical documents. Faculty of Mathematics and Computing Science, TU/e. 2001-12
A.T. Hofkamp. Reactive machine control: A simulation approach using χ. Faculty of Mechanical Engineering, TU/e. 2001-13
D. Bošnački. Enhancing state space reduction techniques for model checking. Faculty of Mathematics and Computing Science, TU/e. 2001-14
M.C. van Wezel. Neural Networks for Intelligent Data Analysis: theoretical and experimental aspects. Faculty of Mathematics and Natural Sciences, UL. 2002-01
V. Bos and J.J.T. Kleijn. Formal Specification and Analysis of Industrial Systems. Faculty of Mathematics and Computer Science and Faculty of Mechanical Engineering, TU/e. 2002-02
T. Kuipers. Techniques for Understanding Legacy Software Systems. Faculty of Natural Sciences, Mathematics and Computer Science, UvA. 2002-03
S.P. Luttik. Choice Quantification in Process Algebra. Faculty of Natural Sciences, Mathematics, and Computer Science, UvA. 2002-04
R.J. Willemen. School Timetable Construction: Algorithms and Complexity. Faculty of Mathematics and Computer Science, TU/e. 2002-05
M.I.A. Stoelinga. Alea Jacta Est: Verification of Probabilistic, Real-time and Parametric Systems. Faculty of Science, Mathematics and Computer Science, KUN. 2002-06
N. van Vugt. Models of Molecular Computing. Faculty of Mathematics and Natural Sciences, UL. 2002-07
A. Fehnker. Citius, Vilius, Melius: Guiding and Cost-Optimality in Model Checking of Timed and Hybrid Systems. Faculty of Science, Mathematics and Computer Science, KUN. 2002-08
R. van Stee. On-line Scheduling and Bin Packing. Faculty of Mathematics and Natural Sciences, UL. 2002-09
D. Tauritz. Adaptive Information Filtering: Concepts and Algorithms. Faculty of Mathematics and Natural Sciences, UL. 2002-10
M.B. van der Zwaag. Models and Logics for Process Algebra. Faculty of Natural Sciences, Mathematics, and Computer Science, UvA. 2002-11
J.I. den Hartog. Probabilistic Extensions of Semantical Models. Faculty of Sciences, Division of Mathematics and Computer Science, VUA. 2002-12
L. Moonen. Exploring Software Systems. Faculty of Natural Sciences, Mathematics, and Computer Science, UvA. 2002-13
J.I. van Hemert. Applying Evolutionary Computation to Constraint Satisfaction and Data Mining. Faculty of Mathematics and Natural Sciences, UL. 2002-14
S. Andova. Probabilistic Process Algebra. Faculty of Mathematics and Computer Science, TU/e. 2002-15
Y.S. Usenko. Linearization in µCRL. Faculty of Mathematics and Computer Science, TU/e. 2002-16
J.J.D. Aerts. Random Redundant Storage for Video on Demand. Faculty of Mathematics and Computer Science, TU/e. 2003-01
M. de Jonge. To Reuse or To Be Reused: Techniques for component composition and construction. Faculty of Natural Sciences, Mathematics, and Computer Science, UvA. 2003-02
J.M.W. Visser. Generic Traversal over Typed Source Code Representations. Faculty of Natural Sciences, Mathematics, and Computer Science, UvA. 2003-03
S.M. Bohte. Spiking Neural Networks. Faculty of Mathematics and Natural Sciences, UL. 2003-04
T.A.C. Willemse. Semantics and Verification in Process Algebras with Data and Timing. Faculty of Mathematics and Computer Science, TU/e. 2003-05
S.V. Nedea. Analysis and Simulations of Catalytic Reactions. Faculty of Mathematics and Computer Science, TU/e. 2003-06
M.E.M. Lijding. Real-time Scheduling of Tertiary Storage. Faculty of Electrical Engineering, Mathematics & Computer Science, UT. 2003-07
H.P. Benz. Casual Multimedia Process Annotation – CoMPAs. Faculty of Electrical Engineering, Mathematics & Computer Science, UT. 2003-08
D. Distefano. On Modelchecking the Dynamics of Object-based Software: a Foundational Approach. Faculty of Electrical Engineering, Mathematics & Computer Science, UT. 2003-09
M.H. ter Beek. Team Automata – A Formal Approach to the Modeling of Collaboration Between System Components. Faculty of Mathematics and Natural Sciences, UL. 2003-10
D.J.P. Leijen. The λ Abroad – A Functional
Approach to Software Components. Faculty of
Mathematics and Computer Science, UU.
2003-11
W.P.A.J. Michiels. Performance Ratios for the
Differencing Method. Faculty of Mathema-
tics and Computer Science, TU/e. 2004-01
G.I. Jojgov. Incomplete Proofs and Terms and
Their Use in Interactive Theorem Proving. Fa-
culty of Mathematics and Computer Scien-
ce, TU/e. 2004-02
P. Frisco. Theory of Molecular Computing
– Splicing and Membrane systems. Faculty
of Mathematics and Natural Sciences, UL.
2004-03
S. Maneth. Models of Tree Translation. Fa-
culty of Mathematics and Natural Sciences,
UL. 2004-04
Y. Qian. Data Synchronization and Browsing
for Home Environments. Faculty of Mathe-
matics and Computer Science and Faculty
of Industrial Design, TU/e. 2004-05
F. Bartels. On Generalised Coinduction and
Probabilistic Specification Formats. Faculty
of Sciences, Division of Mathematics and
Computer Science, VUA. 2004-06
L. Cruz-Filipe. Constructive Real Analysis:
a Type-Theoretical Formalization and Applica-
tions. Faculty of Science, Mathematics and
Computer Science, KUN. 2004-07
E.H. Gerding. Autonomous Agents in Bar-
gaining Games: An Evolutionary Investigation
of Fundamentals, Strategies, and Business Ap-
plications. Faculty of Technology Manage-
ment, TU/e. 2004-08
N. Goga. Control and Selection Techniques
for the Automated Testing of Reactive Systems.
Faculty of Mathematics and Computer Sci-
ence, TU/e. 2004-09
M. Niqui. Formalising Exact Arithmetic: Re-
presentations, Algorithms and Proofs. Faculty
of Science, Mathematics and Computer Sci-
ence, RU. 2004-10
A. Lo¨h. Exploring Generic Haskell. Facul-
ty of Mathematics and Computer Science,
UU. 2004-11
I.C.M. Flinsenberg. Route Planning Algo-
rithms for Car Navigation. Faculty of Mathe-
matics and Computer Science, TU/e. 2004-
12
R.J. Bril. Real-time Scheduling for Media Pro-
cessing Using Conditionally Guaranteed Bud-
gets. Faculty of Mathematics and Compu-
ter Science, TU/e. 2004-13
J. Pang. Formal Verification of Distributed
Systems. Faculty of Sciences, Division of
Mathematics and Computer Science, VUA.
2004-14
F. Alkemade. Evolutionary Agent-Based Eco-
nomics. Faculty of Technology Manage-
ment, TU/e. 2004-15
E.O. Dijk. Indoor Ultrasonic Position Estima-
tion Using a Single Base Station. Faculty of
Mathematics and Computer Science, TU/e.
2004-16
S.M. Orzan. On Distributed Verification and
Verified Distribution. Faculty of Sciences, Di-
vision of Mathematics and Computer Sci-
ence, VUA. 2004-17
M.M. Schrage. Proxima - A Presentation-
oriented Editor for Structured Documents. Fa-
culty of Mathematics and Computer Scien-
ce, UU. 2004-18
E. Eskenazi and A. Fyukov. Quanti-
tative Prediction of Quality Attributes for
Component-Based Software Architectures. Fa-
culty of Mathematics and Computer Scien-
ce, TU/e. 2004-19
P.J.L. Cuijpers. Hybrid Process Algebra. Fa-
culty of Mathematics and Computer Scien-
ce, TU/e. 2004-20
N.J.M. van den Nieuwelaar. Supervisory
Machine Control by Predictive-Reactive Sche-
duling. Faculty of Mechanical Engineering,
TU/e. 2004-21
E. A´braha´m. An Assertional Proof System for
Multithreaded Java -Theory and Tool Support-
. Faculty of Mathematics and Natural Sci-
ences, UL. 2005-01
R. Ruimerman. Modeling and Remodeling in
Bone Tissue. Faculty of Biomedical Enginee-
ring, TU/e. 2005-02
C.N. Chong. Experiments in Rights Control -
Expression and Enforcement. Faculty of Elec-
trical Engineering, Mathematics & Compu-
ter Science, UT. 2005-03
H. Gao. Design and Verification of Lock-free
Parallel Algorithms. Faculty of Mathematics
and Computing Sciences, RUG. 2005-04
H.M.A. van Beek. Specification and Analysis
of Internet Applications. Faculty of Mathe-
matics and Computer Science, TU/e. 2005-
05
M.T. Ionita. Scenario-Based System Architec-
ting - A Systematic Approach to Developing
Future-Proof System Architectures. Faculty
of Mathematics and Computing Sciences,
TU/e. 2005-06
G. Lenzini. Integration of Analysis Techni-
ques in Security and Fault-Tolerance. Facul-
ty of Electrical Engineering, Mathematics &
Computer Science, UT. 2005-07
I. Kurtev. Adaptability of Model Transforma-
tions. Faculty of Electrical Engineering, Ma-
thematics & Computer Science, UT. 2005-08
T. Wolle. Computational Aspects of Treewidth
- Lower Bounds and Network Reliability. Fa-
culty of Science, UU. 2005-09
O. Tveretina. Decision Procedures for Equali-
ty Logic with Uninterpreted Functions. Facul-
ty of Mathematics and Computer Science,
TU/e. 2005-10
A.M.L. Liekens. Evolution of Finite Popula-
tions in Dynamic Environments. Faculty of
Biomedical Engineering, TU/e. 2005-11
J. Eggermont. Data Mining using Genetic
Programming: Classification and Symbolic Re-
gression. Faculty of Mathematics and Natu-
ral Sciences, UL. 2005-12
B.J. Heeren. Top Quality Type Error Messa-
ges. Faculty of Science, UU. 2005-13
G.F. Frehse. Compositional Verification of Hy-
brid Systems using Simulation Relations. Fa-
culty of Science, Mathematics and Compu-
ter Science, RU. 2005-14
M.R. Mousavi. Structuring Structural Ope-
rational Semantics. Faculty of Mathematics
and Computer Science, TU/e. 2005-15
A. Sokolova. Coalgebraic Analysis of Proba-
bilistic Systems. Faculty of Mathematics and
Computer Science, TU/e. 2005-16
T. Gelsema. Effective Models for the Structure
of pi-Calculus Processes with Replication. Fa-
culty of Mathematics and Natural Sciences,
UL. 2005-17
P. Zoeteweij. Composing Constraint Solvers.
Faculty of Natural Sciences, Mathematics,
and Computer Science, UvA. 2005-18
J.J. Vinju. Analysis and Transformation of
Source Code by Parsing and Rewriting. Facul-
ty of Natural Sciences, Mathematics, and
Computer Science, UvA. 2005-19
M.Valero Espada. Modal Abstraction and
Replication of Processes with Data. Faculty
of Sciences, Division of Mathematics and
Computer Science, VUA. 2005-20
A. Dijkstra. Stepping through Haskell. Fa-
culty of Science, UU. 2005-21
Y.W. Law. Key management and link-layer
security of wireless sensor networks: energy-
efficient attack and defense. Faculty of Electri-
cal Engineering, Mathematics & Computer
Science, UT. 2005-22
E. Dolstra. The Purely Functional Software
Deployment Model. Faculty of Science, UU.
2006-01
R.J. Corin. Analysis Models for Security
Protocols. Faculty of Electrical Enginee-
ring, Mathematics & Computer Science,
UT. 2006-02
P.R.A. Verbaan. The Computational Com-
plexity of Evolving Systems. Faculty of Sci-
ence, UU. 2006-03
K.L. Man and R.R.H. Schiffelers. Formal
Specification and Analysis of Hybrid Systems.
Faculty of Mathematics and Computer Sci-
ence and Faculty of Mechanical Enginee-
ring, TU/e. 2006-04
M. Kyas. Verifying OCL Specifications of
UML Models: Tool Support and Compositio-
nality. Faculty of Mathematics and Natural
Sciences, UL. 2006-05
M. Hendriks. Model Checking Timed Auto-
mata - Techniques and Applications. Faculty
of Science, Mathematics and Computer Sci-
ence, RU. 2006-06
J. Ketema. Bo¨hm-Like Trees for Rewriting. Fa-
culty of Sciences, VUA. 2006-07
C.-B. Breunesse. On JML: topics in tool-
assisted verification of JML programs. Facul-
ty of Science, Mathematics and Computer
Science, RU. 2006-08
B. Markvoort. Towards Hybrid Molecular Si-
mulations. Faculty of Biomedical Enginee-
ring, TU/e. 2006-09
S.G.R. Nijssen. Mining Structured Data. Fa-
culty of Mathematics and Natural Sciences,
UL. 2006-10
G. Russello. Separation and Adaptation of
Concerns in a Shared Data Space. Faculty of
Mathematics and Computer Science, TU/e.
2006-11
L. Cheung. Reconciling Nondeterministic and
Probabilistic Choices. Faculty of Science, Ma-
thematics and Computer Science, RU. 2006-
12
B. Badban. Verification techniques for Ex-
tensions of Equality Logic. Faculty of Scien-
ces, Division of Mathematics and Compu-
ter Science, VUA. 2006-13
A.J. Mooij. Constructive formal methods and
protocol standardization. Faculty of Mathe-
matics and Computer Science, TU/e. 2006-
14
T. Krilavicius. Hybrid Techniques for Hy-
brid Systems. Faculty of Electrical Engi-
neering, Mathematics & Computer Science,
UT. 2006-15
M.E. Warnier. Language Based Security for
Java and JML. Faculty of Science, Mathema-
tics and Computer Science, RU. 2006-16
V. Sundramoorthy. At Home In Service
Discovery. Faculty of Electrical Enginee-
ring, Mathematics & Computer Science,
UT. 2006-17
B. Gebremichael. Expressivity of Timed Au-
tomata Models. Faculty of Science, Mathe-
matics and Computer Science, RU. 2006-18
