Almost ASAP Semantics: From Timed Models to Timed Implementations by Martin De Wulf et al.
￿
￿
￿
￿
￿
￿
￿
￿
￿
￿
￿
￿
￿
￿
￿
￿
￿
￿
￿
￿
￿
￿
￿
￿
￿
￿
￿
￿
￿
￿
￿
￿
￿
￿
￿
￿
￿
￿
￿
￿
￿
￿
￿
￿
￿
 
"
!
$
#
&
%
(
’
*
)
+
#
-
,
(
.
0
/
0
!
2
1
4
3
(
5
7
6
8
’
(
9
(
:
<
;
*
!
&
5
>
=
*
?
*
?
4
@
B
A
D
C
*
@
E
G
F
I
H
K
J
<
L
N
M
O
E
Q
P
R
E
T
S
P
V
U
W
H
Y
X
[
Z
\
M
^
]
￿
_
^
L
a
‘
c
b
N
d
2
J
R
H
e
￿
]
f
H
K
U
\
g
h
J
￿
g
[
U
<
F
7
L
G
M
>
J
e
￿
]
I
H
i
U
\
g
j
k
H
l
[
F
m
U
n
H
K
U
W
Z
o
M
p
X
q
M
^
]
r
J
R
Z
\
L
s
￿
,
2
5
7
6
f
)
t
’
v
u
p
!
a
w
x
9
(
.
y
{
z
N
|
4
,
(
9
(
5
}
!
&
’
~
6
￿
u
p
3
~
￿
￿
!
2
’
￿
z
￿
￿
~
!
$
,
(
’
$
￿
k
￿
(
5
￿
,
(
’
&
￿
￿
3
￿
)
￿
￿
/
"
,
￿
￿
￿
￿
￿
)
￿
’
%
~
6
￿
6
￿
1
￿
￿
￿
￿
*
￿
￿
￿
￿
￿
￿
￿
8
A
￿
9
(
.
￿
;
￿
A
￿
,
&
#
4
A
￿
;
*
!
$
￿
4
￿
￿
)
D
￿
&
￿
￿
￿
￿
￿
￿
￿
4
#
￿
y
￿
￿
 
o
%
*
)
+
￿
^
￿
￿
3
(
5
￿
￿
￿
￿
￿
,
￿
￿
a
1
&
,
2
5
￿
6
f
)
￿
,
(
.
t
.
￿
n
￿
k
9
(
1
(
1
*
3
(
5
7
6
{
!
-
￿
R
;
￿
￿
￿
,
v
￿
￿
/
￿
￿
(
￿
￿
￿
¡
5
}
,
￿
’
~
6
￿
￿
￿
=
B
A
￿
C
*
@
(
¢
4
?
B
A
￿
?
4
=Almost ASAP Semantics: from Timed Models to Timed
Implementations 
Martin De Wulf, Laurent Doyenyand Jean-Fran cois Raskin
D epartement d'Informatique
Facult e des Sciences
Universit e Libre de Bruxelles
Abstract
In this paper, we introduce a parametric semantics for timed controllers called the Almost ASAP
semantics. This semantics is a relaxation of the usual ASAP
1 semantics (also called the maximal progress
semantics) which is a mathematical idealization that can not be implemented by any physical device no
matter how fast it is. On the contrary, any correct Almost ASAP controller can be implemented by a
program on a hardware if this hardware is fast enough. We study the properties of this semantics and
show how it can be analyzed using the tool HyTech.
1 Introduction
Timed and hybrid systems are dynamical systems with both discrete and continuous components. A paradig-
matic example of a hybrid system is a digital embedded control program for an analog plant environment,
like a furnace or an airplane: the controller state moves discretely between control modes, and in each control
mode, the plant state evolves continuously according to physical laws. A natural model for hybrid systems
is the hybrid automaton [Hen96], which represents discrete components using nite-state machines and con-
tinuous components using real-numbered variables which evolution is governed by dierential equations or
dierential inclusions. Several verication and control problems have been studied for hybrid automata and
interesting subclasses have been identied (see for example [HKPV98]). Tools like HyTech [HHWT95]
have proven useful to analyze high-level descriptions of embedded controllers in continuous environments.
When a high level description of a controller has been proven correct it would be valuable to ensure that
an implementation of that design can be obtained in a systematic way in order to ensure the conservation of
correctness. This is often called program renement: given a high-level description P1 of a program, rene
that description into another description P2 such that the \important" properties of P1 are maintained.
Usually, P2 is obtained from P1 by reducing nondeterminism. To reason about the correctness of P2 w.r.t.
P1, we often use a notion of simulation [Mil80] which is powerful enough to ensure conservation of LTL
properties for example.
In this paper, we show how to adapt this elegant schema in the context of real-time embedded controllers.
To reach this goal, there are several diculties to overcome. First, the notion of time used by hybrid automata
is based on a dense set of values (usually the real numbers). This is unarguably an interesting notion of
time at the modeling level but when implemented, a digital controller manipulates timers that are digital
clocks. Digital clocks have nite granularity and take their values in a discrete domain. Furthermore, those
This is a preliminary version of a paper accepted for publication in the Formal Aspects of Computing journal, c Springer-
Verlag. The nal version of this publication will be available at http://www.springerlink.com.
yResearch fellow supported by the Belgian National Science Fundation (FNRS).
1ASAP stands for \as soon as possible"
1clocks may also be subject to drifts and so may not be perfectly accurate. As a consequence, any control
strategy that requires clocks with innite precision can not be implemented. Second, hybrid automata
can be called \instantaneous devices" in that they are capable of instantaneously react to time-outs or
incoming events by taking discrete transitions without any delay. Again, while this is a convenient way to
see reactivity and synchronization at the modeling level, any control strategy that relies for its correctness on
that instantaneity can not be implemented by any physical device no matter how fast it is. Those problems
are known and have already attracted some attention from our research community. For example, it is
well-known that timed automata may describe controllers that control their environment by playing a so
called zeno strategy, that is, by taking an innite number of actions in a nite amount of time. This is widely
considered as unacceptable even by authors making the synchrony hypothesis [AFP+03]. But even if we
prove our controller model non-zeno, that does not mean that it can be implemented. In fact, we recently
showed in [CHR02] that there are (very simple) timed automata that enforce faster and faster reactions,
say at times 0; 1
2;1;11
4;2;21
8;3;3 1
16;:::. So, timed automata may model control strategies that can not be
implemented because the control strategy does not maintain a minimal bound between two control actions.
A direct consequence is that we can not hope to dene for the entire class of timed automata (using the
traditional semantics) a notion of renement such that if a model of a real-time controller has been proven
correct then it can be systematically implemented in a way that preserves its correctness.
The innite precision and instantaneity characteristics of the traditional semantics given to timed au-
tomata is very closely related to the synchrony hypothesis that is commonly adopted in the community of
synchronous languages [Ber00]. Roughly speaking, the synchrony hypothesis can be stated as follows: \the
program reacts to inputs of the environment by emitting outputs instantaneously". The rationale behind the
synchrony hypothesis is that the speed at which a digital controller reacts is usually so high w.r.t. the speed
of the environment that the reaction time of the controller can be neglected and considered as nil. This
hypothesis greatly simplies the work of the designer of an embedded controller: he/she does not have to
take into account the performances of the platform on which the system will be implemented. We agree
with this view at the modeling level. But as any hypothesis, the synchrony hypothesis should be validated
not only by informal arguments but formally if we want to transfer correctness properties from models to
implementations. We show in this paper how this can be done formally and elegantly using a semantics
called the Almost ASAP semantics (AASAP-semantics).
The AASAP-semantics is a parametric semantics that leaves as a parameter the reaction time of the
controller. This semantics relaxes the synchrony hypothesis in that it does not impose the controller to
react instantaneously but imposes on the controller to react within  time units when a synchronization or
a control action has to take place (is urgent). The designer acts as if the synchrony hypothesis was true,
i.e. he/she models the environment and the controller strategy without referring to the reaction delay. This
reaction delay is taken into account during the verication phase: we compute the largest  for which the
controller is still correct w.r.t. to the properties that it has to enforce (to avoid the environment to enter
bad states for example).
We show that the AASAP semantics has several important and interesting properties. First, the semantics
is such that \faster is better". That is, if the controller is correct for a reaction delay bounded by  then
it is correct for any smaller 0. Second, any controller which is correct for a reaction delay bounded by
 > 0 can be implemented by a program on a hardware provided that the hardware is fast enough and
provides suciently ne granular digital clocks. Third, the semantics can be analyzed using existing tools
like HyTech.
Structure of the paper. The paper is organized as follows. In section 2, we recall the notions of timed
transition systems and safety control. We also dene a notion of simulation that will ensure the conservation
of safety properties imposed by the controller. In section 3, we review the syntax and classical semantics of
timed automata. In section 4, we dene formally the AASAP semantics and study some of its properties. In
section 5, we introduce a very simple and naive notion of real-time program to make clear that any correct
real-time controller for the AASAP semantics can be implemented. In section 6 we enrich this notion of real-
time program with a modelization of clock drifts and prove that even with this additional issue, the AASAP
2semantics remains implementable. In section 7, we explain how the AASAP semantics can be analyzed and
used in practice.
2 Preliminaries
In this section, we introduce the denition of timed transition systems and how to compose them. We recall
the notion of simulation which will be the formal basis for our notion of renement. Finally, we introduce
the problem of safety control and show how the notion of simulation can be used in that context.
Denition 1 [TTS] A timed transition system T is a tuple hS;;;!i where S is a (possibly innite) set
of states,  2 S is the initial state,  is a nite set of labels, and ! S   [ R0  S is the transition
relation where R0 is the set fx 2 R j x  0g of the nonnegative real numbers. 
A state s 2 S of a TTS T = hS;;;!i is reachable if there exists a nite sequence s0s1 :::sn of states
such that s0 = , sn = s and for any i, 0  i < n, there exists  2  [ R0 such that (si;;si+1) 2!. The
set of reachable states of T is noted Reach(T ).
We need to compose TTS. For that purpose, we need TTS with structured set of labels. We say that
a nite set of labels  is structured if it is partitioned into three subsets: in the set of input labels, out
the set of output labels, and  the set of internal labels. Let  be a structured alphabet and 0   be
a subset of labels, then we note 0 for the set f  j  2 0g, and assume this set is such that 0 \  = ?.
This operator on alphabets will be used later: intuitively, for an event,  represents its occurrence in the
environment and   its perception by a controller.
Denition 2 [STTS] A structured timed transition system T is a tuple hS;;in; out;;!i, where S is a
(possibly innite) set of states,  2 S is the initial state, the set of labels is partitioned into three subsets:
in is the nite set of incoming labels, out is the nite set of outgoing labels,  is the nite set of internal
labels, and ! S  in [ out [  [ R0  S is the transition relation. 
In the sequel, we use one STTS to model a timed controller and one to model the environment in which
the controller is embedded. We model the communication between the two STTS using the mechanism of
synchronization on common labels. This is a blocking communication mechanism. Nevertheless, on one
hand we want to verify that the controller does not control the environment by refusing to synchronize on its
output, and on the other hand, we do not want our controller to issue outputs that can not be accepted by
the environment. To avoid such problems we impose input enabledness of the STTS that we compose, which
means that input labels have the property of being enabled in every state. Input enabledness is a concept
introduced in [LT87]. Formally :
Denition 3 [Input enabled STTS] A STTS T = hS;;in; out;;!i is input enabled if for all  2 in,
for all s1 2 S there exists s2 2 S such that (s1;;s2) 2!. 
We chose this semantics for inputs because it claries the presentation, but other semantics are possible:
for instance in a preliminary version of this work [DDR04], we imposed receptiveness of controllers. Under
this assumption, a controller must be fast enough to treat each occurrence of an event before the next
occurrence arrives. One could also imagine a semantics where inputs arriving at the wrong time are simply
ignored. Those aspects are orthogonal to the implementability aspects of the AASAP semantics.
We now dene when and how two input enabled STTS can be composed to dene a timed transition
system.
Denition 4 [Composition of STTS] Two input enabled STTS T1 = hS1;1;in
1 ;out
1 ;
1;!1i and T2 =
hS2;2;in
2 ;out
2 ;
2;!2i are composable if in
1 = out
2 and in
2 = out
1 . Their composition, noted T1kT2 is the
TTS T = hS;;;!i such that S = f(s1;s2) j s1 2 S1 and s2 2 S2g,  = (1;2),  = out
1 [ out
2 [ 
1 [ 
2,
and ! is such that for any  2  [ R0, we have that ((s1;s2);;(s0
1;s2)) 2! i one of the following three
assertions holds:
3  2 out
1 [ out
2 [ R0 and (s1;;s2) 2!1 and (s0
1;;s0
2) 2!2
  2 
1 and (s1;;s0
1) 2!1 and s2 = s0
2
  2 
2 and (s2;;s0
2) 2!2 and s1 = s0
1

For the sake of simplicity, we dened composition of two STTS only. The construction can be easily
generalized if we assume that two STTS never share an output label as in [LT87].
Implementations of controllers are also formalized using STTS. To reason about the correctness of im-
plementations w.r.t. higher level models, we use a notion of simulation [Mil80].
Denition 5 [Simulation relation for STTS] Given two STTS T1 = hS1;1;in
1 ;out
1 ;
1;!1i and T2 =
hS2;2;in
2 ;out
2 ;
2;!2i, let  = out
1 [ in
1 [ 
1, we say that T2 is simulable by T1, noted T2 v T1, if there
exists a relation R  S2  S1 (called a simulation relation) such that:
 (2;1) 2 R;
 for any (s2;s1) 2 R, for any  2  [ R0, for any s0
2 such that (s2;;s0
2) 2!2,
there exists s0
1 2 S1 such that (s1;;s0
1) 2!1 and (s0
2;s0
1) 2 R.

Simulation can be used to dene a notion of renement. We say that the STTS T2 renes the STTS
T1, if T2 v T1. In the following, we use simulation relations because they preserve safety properties [AL91],
but they also preserve stronger properties such as the ones expressed in the logics LTL [Pnu77] or ACTL
[CBG88].
We are now equipped to dene the notion of safety control. This notion together with the notion
of renement we have introduced above allow us to formalize in section 4 and 5, the notion of correct
implementation of an embedded timed controller.
Denition 6 [Safety Control] Let T1 = hS1;1;in
1 ;out
1 ;
1;!1i (the controller) and T2 = hS2;2;in
2 ;out
2 ;

2;!2i (the environment) be two composable STTS. Let B  S2, we say that T1 controls T2 to avoid B if
Reach(T1kT2) \ f(s1;s2) j s1 2 S1 ^ s2 2 Bg is empty. 
We can now state two theorems linking our notion of renement with the notion of safety control.
Theorem 1 Let T1 and T2 be two composable STTS, let T3 be a STTS such that T3 v T1, and let B  S2,
if T1 controls T2 to avoid B then T3 controls T2 to avoid B.
Theorem 2 Let T1 = hS1;1;in
1 ;out
1 ;
1;!1i and T2 = hS2;2;in
2 ;out
2 ;
2; !2i be two composable STTS,
let T3 be a STTS such that T3 v T2, and let B  S3  S2, if T1 controls T2 to avoid B then T1 controls T3
to avoid B.
Theorem 1 shows that safety control is preserved by renements of the controller. This has practical interest
since it may require less resources (time, memory) for automatic tools to check safety control of a coarser
model of the controller. In the same way, an over-approximation of the environment can be sucient for
proving safety in practice. In this case, we can also infer safety control for the rened environment, as stated
by Theorem 2. Again this can be useful in practice.
43 Timed automata
The STTS of previous section are specied using the formalism of timed automata. We recall their denition
in this section.
Let X be a nite set of real-valued variables. A valuation for X is a function v : X ! R0. We
write [Y ! E] for the set of all valuations of set of variables Y to domain E. For a set V  [X ! R0]
of valuations, and x 2 X, dene V (x) = fv(x) j v 2 V g. A rectangular constraint over X is a formula
of the form \x 2 I" where x belongs to X, and I is one of the intervals (a;b);[a;b);(a;b] or [a;b] where
a;b 2 Q0[f+1g. Q0 denotes the positive rational numbers and, in the sequel, we also use Q>0 to denote
the strictly positive rational numbers. A rectangular predicate is a nite set of rectangular constraints. For
a rectangular predicate p and a valuation v, we write v j= p if v(x) 2 I for all \x 2 I" appearing in p.
For a rectangular predicate p, [[p]] denotes the set fv j v j= pg. We say that a rectangular predicate over
X is in normal form if it contains at most one rectangular constraint for each variable x 2 X, with the
convention that the empty predicate p (such that [[p]]= ?) is represented by fx 2 [+1;+1] j x 2 Xg; any
rectangular predicate can be put in that normal form. Let g be a rectangular predicate in normal form,
then g(x) denotes the rectangular constraint x 2 I if \x 2 I" is the constraint over x in g and true if there
is no constraint over x in g. We note Rect(X) the set of rectangular predicates built using variables in X.
Rectc(X) is the subset of rectangular predicates containing only closed rectangular constraints. Let g(x)
denote the closed rectangular constraints \x 2 [a;b]", lb(g(x)) denotes the value a and rb(g(x)) denotes the
value b. Let v : E1 ! E2 be a valuation, let E3  E1, and c 2 E2, then v[E3 := c] denotes the valuation v0
such that
v0(e) =

c if e 2 E3
v(e) if e 62 E3
In the sequel, we sometimes write v[e := c] instead of v[feg := c]. Let v : X ! R0 be a valuation, for
any t 2 R0, v t is a valuation in [X ! R] such that for any x 2 X, (v t)(x) = v(x) t. We dene v+t in
a similar way. We extend this denition to valuation v in [X ! R0 [f?g] as follows: (v +t)(x) = v(x)+t,
if v(x) 2 R0, and (v + t)(x) = ? otherwise. We are now equipped to dene timed automata and their
classical semantics.
Denition 7 [Timed automata - syntax] A timed automaton is a tuple hLoc;l0;Var;Inv;Labin;Labout;Lab;
Edgi where
 Loc is a nite set of locations representing the discrete states of the automaton.
 l0 2 Loc is the initial location.
 Var = fx1;:::;xng is a nite set of real-valued clocks which value continuously increases as time passes
with rst derivative equal to one.
 Inv : Loc ! Rect(Var) is the invariant condition. The automaton can stay in location l as long as each
variable x has a value in the interval [[Inv(l)(x)]]. We require that for any x 2 Var, 0 2[[Inv(l0)(x)]], to
ensure the existence of an initial state.
 Lab = Labin [Labout [Lab is a structured nite alphabet of labels, partitioned into input labels Labin,
output labels Labout, and internal labels Lab.
 Edg  Loc  Loc  Rect(Var)  Lab  2Var is a set of edges. An edge (l;l0;g;;R) represents a discrete
transition from location l to location l0 with guard g, label  and a subset R  Var of the variables to
be reset.

Denition 8 [Timed automata - semantics] Let A = hLoc;l0;Var;Inv;Labin;Labout;Lab;Edgi be a timed
automaton, the semantics of A is the input enabled STTS [[A]]= (S;;in; out;;!) where:
5 S = f(l;v) j l 2 Loc ^ v 2[[Inv(l)]]g.
  = (l0;v0) such that for any x 2 Var : v0(x) = 0.
 in = Labin, out = Labout, and  = Lab.
 the transition relation ! is dened as follows:
{ For the discrete transitions, ((l;v);;(l0;v0)) 2! i
 either there exists an edge (l;l0;g;;R) 2 Edg such that v j= g, v0 = v[R := 0];
 or there does not exist such an edge,  2 Labin and (l;v) = (l0;v0).
{ For the continuous transitions, ((l;v);t;(l0;v0)) 2! i l = l0 and for each variable x 2 Var we
have the two following conditions satised : v0(x) = v(x) + t and 8t0 2 [0;t] : v + t0 2[[Inv(l)]].

This semantics for a timed automaton is an input enabled STTS. Indeed, if no transition has been foreseen
in the syntax for a given state and a given input label, the semantics allow a self loop on that state for that
label.
A timed word is a pair (;) where  = 012 ::: is an innite sequence of labels j 2 Lab and
 = 012 ::: is an innite sequence of real numbers. A timed word (;) is accepted by A if there
exists a sequence s0;s0
0;s1;s0
1;s2;s0
2;::: of states sj;s0
j 2 S such that s0 =  and for all i  0 we have
(si;i   i 1;s0
i) 2! (with  1 = 0) and (s0
i;i;si+1) 2!.
For simplicity, we restrict ourselves in this paper to environments modeled as timed automata. Neverthe-
less, all the results presented below hold if the environment is modeled using any class of hybrid automata,
unless explicitly stated.
Running example. Consider Figure 1. A \!" corresponds to an output event and a \?" to an input
event. The timed automaton of Figure 1(b) models a simple environment (a plant): when a request A is
received, the response B is emitted when y = 1, and then the event C is accepted which reset the clock y.
Moreover, the event A must occur at least every 2 time units, and the reaction C should occur before the
timeout condition x   become true. If it is not the case, the environment enters the location Bad modeling
a fatal error. We want to control the environment for  = 1 and  = 2.
The role of the controller is to produce an event A at least every 2 time units, to accept the subsequent
event B and to output C respecting the timing constraint. An example of such a controller is given in
Figure 1(a). The designer has chosen here to output an A every 1 time unit, and to react to the event B as
quickly as possible by emitting a C. Given this controller for the system, we must verify that it gives orders in
such a way that any resulting behavior of the environment avoids to enter the set of bad states (all the states
in which the environment is in control location Bad). Observe that since the semantics of timed automata
is input enabled, we are sure that the controller could not simply control the environment to avoid Bad by
refusing to synchronize with B.
The reader can check that, with the classical semantics of timed automata, the controller controls the
environment such that the location Bad is not reachable for  = 1 and  = 2. Later, we will see that if  = 1
then the controller is not implementable, on the other hand, if  = 2 then the controller can be implemented
and controls the environment to avoid Bad.
4 Elastic Controllers and AASAP semantics
Main ingredients of our approach. As we already pointed out in the introduction, the classical se-
mantics given in Denition 8 is problematic for the controller part if our goal is to transfer the properties
veried on the model to an implementation. Below, we illustrate the properties of the classical semantics
61
w  1
2
3
z  0
w  1 A!
w := 0
B?
z := 0
C!
(a) The ASAP controller
1 2
y  1
3
Bad
A?
x := 0
B!
y  1
C?
y := 0
x  
x  
x  
(b) The environment
Figure 1: Running example.
that makes it impossible to both implement the controller and ensure formally that the properties of the
model are preserved.
First, note that invariants (grayed constraints in the example of Figure 1(a)) are used to force the
controller to take actions. Invariants can be removed if we assume an ASAP semantics for the controller: any
action is taken as soon as possible, this is also called the maximal progress assumption. So, in the example,
the transition labeled with A! res exactly when w = 1, and the transition labeled with C! proceeds exactly
when z = 0, i.e. instantaneously. Clearly, no hardware can guarantee that the transition will always be taken
without any delay. Second, synchronizations between the environment and the controller (e.g. transitions
labeled B) cannot be implemented as instantaneous: some time is needed by the hardware to detect the
incoming event B and for the software that implements the control strategy to take this event into account.
Third, the use of real-valued clocks is only possible in the model: implementations use digital clocks with
nite granularity. It is then necessary to show that digital clocks can replace the real-valued clocks while
preserving the veried safety properties.
These three problems illustrate that even if we have formally veried our control strategy, we can not
conclude that an implementation will conserve any of the properties that we have proven on the model. This
is unfortunate. If we simplify, there are two options to get out of this situation: (i) we ask the designer
to give up the synchrony hypothesis and ask her/him to model the platform on which the control strategy
will be implemented, as in [IKL+00], or (ii) we let the designer go on with the synchrony hypothesis at the
modeling level but relax the ASAP semantics during the verication phase in order to formally validate the
synchrony hypothesis.
We think that the second option is much more appealing and we propose in the next section a framework
that makes the second option possible theoretically but also feasible practically. The framework we propose is
centered on a relaxation of the ASAP semantics that we call the AASAP semantics. The main characteristics
of this semantics are summarized below:
 any transition that can be taken by the controller becomes urgent only after a small delay  (which
may be left as a parameter);
 a distinction is made between the occurrence of an event in the environment (sending ), and in the
controller (receiving  ), however the time dierence between the two events is bounded by ;
 guards are enlarged by some small amount depending on .
7We will now dene formally this semantics and we will show in section 5 that it is robust in the sense
that it denes a tube of strategies (instead of a unique strategy as in the ASAP semantics) which can be
rened in a formal way into an implementation while preserving the safety properties imposed by this tube
of strategies.
As stated previously, invariants are useful when modeling controllers with the classical semantics in order
to force the controller to take actions but they are useless with an ASAP semantics. This is also true with the
semantics we dene in this section. So, we restrict our attention to the subclass of timed automata without
invariants and with closed guards. In the rest of the paper, we call the controller specied by this subclass
Elastic2 controllers.
Denition 9 [Elastic Controllers] An Elastic controller A is a tuple hLoc; l0;Var;Labin;Labout;Lab;
Edgi where:
 Loc is a nite set of locations;
 l0 2 Loc is the initial location;
 Var = fx1;:::;xng is a nite set of clocks;
 Lab = Labin [Labout [Lab is a nite structured alphabet of labels, partitioned into input labels Labin,
output labels Labout, and internal labels Lab;
 Edg is a set of edges of the form (l;l0;g;;R) where l;l0 2 Loc are locations,  2 Lab is a label,
g 2 Rectc(Var) is a guard and R  Var is a set of clocks to be reset.

Before dening the AASAP semantics we need some more notations:
Denition 10 [True Since] We dene the function \True Since", noted TS : [Var ! R0]  Rectc(Var)
! R0 [ f 1g, as follows:
TS(v;g) =

t if v j= g ^ v   t j= g ^ 8t0 > t : v   t0 6j= g
 1 otherwise

This denition is meaningful since g 2 Rectc(Var) denes a closed set.
Denition 11 [Guard Enlargement] Let g(x) be the rectangular constraint \x 2 [a;b]", the rectangular
constraint g(x) with  2 Q0 is the formula \x 2 [a   ;b + ]" if a     0 and \x 2 [0;b + ]"
otherwise. If g is a closed rectangular predicate then g is the set of closed rectangular constraints
fg(x) j g(x) 2 gg. 
We are now ready to dene the AASAP semantics. Intuitions are given right after the denition.
Denition 12 [AASAP semantics] Given an Elastic controller
A = hLoc;l0;Var;Labin;Labout;Lab;Edgi
and  2 Q0, the AASAP semantics of A, noted [[A]]
AAsap
 is the STTS
T = hS;;in;out;;!i
where:
2Elastic stands for Event-based LAnguage for Simple TImed Controllers; we also give to those timed controllers a semantics
which is elastic in a sense that will be clear to the reader soon.
8(A1) S is the set of tuples (l;v;I;d) where l 2 Loc, v 2 [Var ! R0], I 2 [in ! R0 [ f?g] and d 2 R0;
(A2)  = (l0;v;I;0) where v is such that for any x 2 Var : v(x) = 0, and I is such that for any  2 in,
I() = ?;
(A3) in = Labin, out = Labout, and  = Lab [ Labin [ fg;
(A4) The transition relation is dened as follows:
{ for the discrete transitions, we distinguish ve cases:
(A4:1) let  2 Labout. We have ((l;v;I;d);;(l0;v0;I;0)) 2! i there exists (l;l0;g;;R) 2 Edg such
that v j= g and v0 = v[R := 0] ;
(A4:2) let  2 Labin. We have ((l;v;I;d);;(l;v;I0;d)) 2! i
 either I() = ? and I0 = I[ := 0];
 or I() 6= ? and I0 = I.
(A4:3) let   2 Labin. We have ((l;v;I;d);  ;(l0;v0;I0;0)) 2! i there exists (l;l0;g;;R) 2 Edg,
v j= g, I() 6= ?, v0 = v[R := 0] and I0 = I[ := ?] ;
(A4:4) let  2 Lab. We have ((l;v;I;d);;(l0;v0;I;0)) 2! i there exists (l;l0;g;;R) 2 Edg,
v j= g, and v0 = v[R := 0] ;
(A4:5) let  = . We have for any (l;v;I;d) 2 S : ((l;v;I;d);;(l;v;I;d)) 2!.
{ for the continuous transitions:
(A4:6) for any t 2 R0, we have ((l;v;I;d);t;(l;v+t;I+t;d+t)) 2! i the two following conditions
are satised:
 for any edge (l;l0;g;;R) 2 Edg with  2 Labout [ Lab, we have that:
8t0 : 0  t0  t : (d + t0   _ TS(v + t0;g)  )
 for any edge (l;l0;g;;R) 2 Edg with  2 Labin, we have that:
8t0 : 0  t0  t : (d + t0   _ TS(v + t0;g)   _ (I + t0)()  )

Comments on the AASAP semantics. Rule (A1) denes the states that are tuples of the form hl;v;I;di.
The rst two components, location l and valuation v, are the same as in the classical semantics; I and d
are new. The function I records, for each input event , the time elapsed since its oldest \untreated"
occurrence. The treatment of an event  happens when a transition labelled with   is red. Once this oldest
occurrence is treated, the function returns ? for  until a new occurrence of , forgetting about the 's
that happened between the oldest occurrence and the treatment. The time elapsed since the last location
change in the controller is recorded by d. Rule (A2) and (A3) are straightforward. Rules (A4:1  6) require
more explanations. Rule (A4:1) denes when it is allowed for the controller to emit an output event. The
only dierence with the classical semantics is that we enlarge the guard by the parameter . Rules (A4:2)
denes how inputs from the environment are received by the controller. The controller maintains, through
the function I, a list of events that have occurred and are not treated yet. An input event  can be received
at any time, but only the age of the oldest untreated  is stored in the I function. Note that the rule ensures
input enabledness of the controller. Rule (A4:3) denes when inputs are treated by the controller. An input
 is treated when a transition with an enlarged guard and labelled with   is red. Once  has been treated,
the value of I() goes back to ?. Rule (A4:4) is similar to (A4:1). Rule (A4:5) expresses that the  event
can always be emitted. Rule (A4:6) species how much time can elapse. Intuitively, time can pass as long as
no transition starting from the current location is urgent. A transition labeled with an output or an internal
event is urgent in a location l when the control has been in l for more than  time units (d+t0 > ) and the
guard of the transition has been true for more than  time units (TS(v + t0;g) > ). A transition labeled
with an input event  is urgent in a location l when the control has been in l for more than  time units
9(d + t0 > ), the guard of the transition has been true for more that  time units (TS(v + t0;g) > ) and
the last untreated occurrence of  event has been emitted by the environment at least  time units ago
(I + t0() > ) (we dene ? to be smaller than any rational value). This notion of urgency parameterized
by  is the main dierence between the AASAP semantics and the usual ASAP semantics.
Problems formulation We now dene three problems that can be formulated about the AASAP semantics
of an Elastic controller.
Denition 13 [Parametric safety control problem] Let E be a timed automaton, for which [[E]] has the set
of states SE, let B  SE be a set of bad states and let A be an Elastic controller, the parametric safety
control problem asks
 [Fixed] whether [[A]]
AAsap
 controls [[E]] to avoid B for a given xed value of ;
 [Existence] whether there exists  > 0 such that [[A]]
AAsap
 controls [[E]] to avoid B;
 [Maximization] to maximize  such that [[A]]
AAsap
 controls [[E]] to avoid B.

As we will see later, the problem [Fixed] is useful when we know the characteristics of the hardware on
which the control will be implemented, the problem [Existence] is useful to determine if the controller is
implementable at all and the problem [maximization] is useful to determine what is the slowest hardware on
which the controller can be implemented.
A property of the AASAP semantics We now state a rst property of the AASAP semantics. The
following theorem and corollary state formally the informal statement \faster is better", that is if an envi-
ronment is controllable with an Elastic controller reacting within the bound 1 then this environment is
controllable by the same controller for any reaction time 2  1. This is clearly a desirable property.
Theorem 3 Let A be an Elastic controller, for any 1;2 2 Q0 such that 2  1 we have that
[[A]]
AAsap
2 v[[A]]
AAsap
1 .
Proof. It is clear that the identity relation between the set of states of the two STTS [[A]]
AAsap
2 and [[A]]
AAsap
1
is an appropriate simulation relation between them. 
Theorem 1 and Theorem 3 allow us to state the following corollary:
Corollary 1 Let E be a timed automaton, [[E]] be an STTS with set of states SE, B  SE be a set of bad
states, and A be an Elastic controller. For any 1;2 2 Q0, such that 1  2, if [[A]]
AAsap
1 controls [[E]]
to avoid B then [[A]]
AAsap
2 controls [[E]] to avoid B.
Remark. Note that in general, faster is not always better, for example in scheduling theory. Furthermore,
there is an extended research about the notion of \faster" in the eld of process algebras (see [LV04] for
example) which shows that it is better if you impose only upper bounds on the delays, exactly as in the
AASAP semantics.
105 Implementability of the AASAP semantics
In this section, we show that any Elastic controller which controls (with  > 0) an environment E for
a safety property modeled by a set of bad states B can be implemented provided there exists a hardware
suciently fast and providing suciently ne granular digital clocks.
To establish this result, we proceed as follows. First, we dene what we call the program semantics of
an Elastic controller. The so-called program semantics can be seen as a formal semantics for the following
procedure interpreting Elastic controllers. This procedure repeatedly executes what we call execution
rounds. An execution round is dened as follows:
 rst, the current time is read in the clock register of the CPU and stored in a variable, say T;
 the list of input events to treat is updated: the input sensors are checked for new events issued by the
environment;
 guards of the edges of the current locations are evaluated with the value stored in T. If at least one
guard evaluates to true then take nondeterministically one of the enabled transitions;
 the next round is started.
All we require from the hardware is to respect the following two requirements: (i) the clock register of
the CPU is incremented every P time units and (ii) the time spent in one loop is bounded by a xed value
L. We choose this semantics for its simplicity and also because it is obviously implementable. There are
more ecient ways to interpret Elastic controllers but as we only want to prove that the AASAP semantics
is implementable in a way or another, this implementation semantics is good enough. In section 7, we show
how to use this semantics in the context of the Lego Mindstorms
TM platform.
This semantics is close to the one of PLC-automata introduced by Dierks [Die01]. The main dierence
is that we explicitly model the granularity of clocks.
We proceed now with the denition of the program semantics. This semantics manipulates digital clocks,
so we need the following denition:
Denition 14 [Clock Rounding] Let T 2 R0; 2 Q>0, bTc = b T
c where bxc is the greatest integer k
such that k  x. Symmetrically, dTe = d T
e where dxe is the smallest integer k such that k  x. 
Lemma 1 follows directly from the denition above.
Lemma 1 For any T 2 R0, any  2 Q>0, T    < bTc  T and T  dTe < T + .
We are now ready to dene the program semantics. Intuitions are given right after the denition.
Denition 15 [Program Semantics] Let A be an Elastic controller and L; P 2 Q>0. Let S =
dL + PeP. The (L;P) program semantics of A, noted [[A]]
Prg
L;P is the structured timed transition
system T = hS;;in;out; ;!i where:
(P1) S is the set of tuples (l;r;T;I;u;d;f) such that l 2 Loc, r is a function from Var into R0, T 2 R0,
I is a function from Labin into R0 [ f?g, u 2 R0, d 2 R0, and f 2 f>;?g;
(P2)  = (l0;r;0;I;0;0;?) where r is such that for any x 2 Var, r(x) = 0, I is such that for any  2 Labin,
I() = ?;
(P3) in = Labin, out = Labout,  = Lab [ Labin [ fg;
(P4) the transition relation ! is dened as follows:
{ for the discrete transitions:
11(P4:1) let  2 Labout. ((l;r;T;I;u;d;?);;(l0;r0;T;I;u;0;>)) 2! i there exists (l;l0;g;;R) 2 Edg
such that bTcP   r j= SgS and r0 = r[R := bTcP].
(P4:2) let  2 Labin. ((l;r;T;I;u;d;f);;(l;r;T;I0;u;d;f)) 2! i
 either I() = ? and I0 = I[ := 0];
 or I() 6= ? and I0 = I.
(P4:3) let   2 Labin. ((l;r;T;I;u;d;?);  ;(l0;r0;T;I0;u;0;>)) 2! i there exists (l;l0;g;;R) 2 Edg
such that bTcP   r j= SgS, I() > u, r0 = r[R := bTcP] and I0 = I[ := ?];
(P4:4) let  2 Lab. ((l;r;T;I;u;d;?);;(l0;r0;T;I;u;0;>)) 2! i there exists (l;l0;g;;R) 2 Edg
such that bTcP   r j= SgS and r0 = r[R := bTcP].
(P4:5) let  = . ((l;r;T;I;u;d;f);;(l;r;T +u;I;0;d;?)) 2! i either f = > or the two following
conditions hold:
 for any   2 Labin, for any (l;l0;g;;R) 2 Edg, we have that either bTcP   r 6j= SgS
or I()  u
 for any  2 Labout [ Lab, for any (l;l0;g;;R) 2 Edg, we have that bTcP   r 6j= SgS
{ for the continuous transitions:
(P4:6) ((l;r;T;I;u;d;f);t;(l;r;T;I + t;u + t;d + t;f)) 2! i u + t  L.

Comments on the program semantics. Rule (P1) denes the states which are tuples (l;r;T;I;u;d;f),
where l is the current location, r maps each clock to the digital time when it has last been reset, T records
the (exact) time at which the last round has started; I, as in the AASAP semantics, records the time elapsed
since the arrival of the last untreated input event, u records the time elapsed since the last round was started
(so that T + u is the exact current time), d records the time elapsed since the last location change, and f
is a ag which is set to > if a location change has occurred in the current round. Rules (P2) and (P3) are
straightforward. We comment rules (P4:1   6). First, we make some general comments on digital clocks
and guards of discrete transitions of the controller. Note that in those rules, we evaluate the guards with
the valuation bTcP  r for the clocks, that is, for variable x, the dierence between the digital value of the
variable T at the beginning of the current round and the digital value of x at the beginning of the round
when x was last reset. This value approximates the real time dierence between the exact time at which the
guard is evaluated and the exact time at which the clock x has been reset. Let t be this exact time dierence,
then we know that: bTcP   r(x)   L   P  t  bTcP   r(x) + L + P. Also note that the guard
g has been enlarged by the value S = dL + PeP, this ensures that any event enabled at some point
will be enabled suciently long so that the change can be detected by the procedure. The reason of the
rounding to the least superior multiple of P is that S is a constant intended to be written in real code.
Thus it has to be be expressed in the unit of time of the system. Rule (P4:1) expresses when transitions
labeled with output events can be taken. Note that variables are reset to the digital time of the current
round. Rule (P4:2) records the exact time at which the last untreated occurrence of an input event from
the environment occurred. This rule simply ensures that the function I is updated when a new event, for
which no occurrence is pending, is issued by the environment. Note that this rule ensures input enabledness.
Rule (P4:3) says when an input of the environment can be treated by the controller: it has to be present
at the beginning of the current round and the enlargement of the guard labelling the transition has to be
true for digital values of the clocks at the beginning of the round, and no other discrete transitions should
have been taken in the current round. Rule (P4:4) is similar to rule (P4:1) but applies to internal events.
Rule (P4:5) expresses that the event  is issued when the current round is nished and the system starts a
new round. Note that this is only possible if the program has taken a discrete transition or there were no
discrete transition to take. This ensures that the program always takes discrete transitions when possible.
Rule (P4:6) expresses that the program can always let time elapse unless it violates the maximal time spent
in one round. This obviously ensures that the program semantics can not implement zeno strategies
12The following simulation theorem expresses formally that if the hardware on which the program is imple-
mented is fast enough (parameter L) and ne granular enough (parameter P) then the program semantics
can be simulated by the AASAP semantics.
Theorem 4 (Simulation) Let A be an Elastic controller, for any rationals ;L;P 2 Q>0 such that
3L + 4P < , we have [[A]]
Prg
L;Pv[[A]]
AAsap
 .
Proof. Let [[A]]
Prg
L;P= (S1;1;in
1 ;out
1 ;
1;!1) and [[A]]
AAsap
 = (S2;2;in
2 ;out
2 ;
2;!2). Consider the
relation R  S1  S2 that contains all the pairs:
(s1;s2) = ((l1;r1;T1;I1;u1;d1;f1);(l2;v2;I2;d2))
such that the following conditions hold:
(R1) l1 = l2;
(R2) for any x 2 Var, jv2(x)   (T1   r1(x) + u1)j  L + P
(R3) for any  2 Labin, I1() = I2();
(R4) d1 = d2;
(R5) there exists (l00
2;v00
2;I00
2;d00
2) such that: ((l2;v2;I2;d2);L   u1;(l00
2;v00
2;I00
2;d00
2)) 2!2.
Let us show that R is a simulation relation.
1. (1;2) 2 R. We have to check the 5 rules of the simulation relation.
(R1);(R2);(R3) and (R4) are clearly true.
(R5) To establish this property, we rst note that d2 = 0 and so d2 + L <  which implies 8t0 
L : d2 + t0 < . Hence the two conditions of rule (A4:6) are veried.
2. Let us assume that (s1;s2) = ((l1;r1;T1;I1;u1;d1;f1);(l2;v2;I2;d2)) 2 R and that (s1;;s0
1) 2!1
(with s0
1 = (l0
1;r0
1;T 0
1;I0
1;u0
1;d0
1;f0
1)). We must prove that for each value of , there exists a state
s0
2 2 S2 such that (s2;;s0
2) 2!2 and (s0
1;s0
2) 2 R.
Since (s1;s2) 2 R we know that:
(H1) s2 = (l1;v2;I1;d1)
(H2) 8x 2 Var : T1   r1(x) + u1   L   P  v2(x)  T1   r1(x) + u1 + L + P
(H3) there exists s00
2 = (l00
2;v00
2;I00
2;d00
2) 2 S2 such that: ((l2;v2;I2;d2);L   u1;(l00
2;v00
2;I00
2 ;d00
2)) 2!2.
The rest of the proof works case by case on the dierent possible types of :
case (a) let  2 in
Since (s1;;s0
1) 2!1 we know that:
s0
1 =

(l1;r1;T1;I1[fg := 0];u1;d1;f1) if I1() = ?
(l1;r1;T1;I1;u1;d1;f1) if I1() 6= ?
Let us rst prove that 9s0
2 2 S2 : (s2;;s0
2) 2!2. This is immediate since the AASAP semantics
is input enabled. Now that we know s0
2 exists we can say that:
s0
2 =

(l1;v2;I1[fg := 0];d1) if I1() = ?
(l1;v2;I1;d1) if I1() 6= ?
It is now easy to prove that (s0
1;s0
2) 2 R. Indeed, it is obvious that s0
2 fullls the ve conditions
of the simulation relation if (s1;s2) 2 R.
13case (b) let  2 out
Since (s1;;s0
1) 2!1 we know that:
(J1)

9(l1;l0
1;g;;R) 2 Edg : bT1cP   r1 j= SgS
s0
1 = (l0
1;r1[R := bT1cP];T1;I1;u1;0;>)
Let us rst prove that 9s0
2 2 S2 : (s2;;s0
2) 2!2. We use the same edge as in the implementation
semantics (see (J1)). This amounts to prove that: 8x 2 Var : v2(x) j= g(x). Let ax = lb(g(x))
and bx = rb(g(x)). We know that 8x 2 Var:
ax   S  bT1cP   r1(x)  bx + S (J1)
! ax   S   P  T1   r1(x)  bx + S + P (Lemma 1)
! ax   dL + PeP   P  T1   r1(x)  bx + dL + PeP + P (def. of S)
! ax   L   3P  T1   r1(x)  bx + L + 3P (Lemma 1)
! ax   2L   4P + u1  T1   r1(x) + u1   L   P^
T1   r1(x) + u1 + L + P  bx + 2L + 4P + u1
! ax   2L   4P + u1  v2(x)  bx + 2L + 4P + u1 (H2)
! ax   2L   4P  v2(x)  bx + 3L + 4P (0  u1  L)
! ax     v2(x)  bx +  (3L + 4P < )
! v2(x) j= g
Now that it is established that 9s0
2 2 S2 : (s0
1;;s0
2) 2!2 we know that s0
2 = (l0
1;v2[R := 0];I1;0).
It remains to prove that (s0
1;s0
2) 2 R which means we must check the ve rules of the simulation
relation. (R1),(R3),(R4) and (R5) are clearly true.
To prove (R2) we have to prove that:
8x 2 Var :

T1   r1[R := bT1cP](x) + u1   L   P  v2[R := 0](x)
v2[R := 0](x)  T1   r1[R := bT1cP](x) + u1 + L + P
This proposition is the same as (H2) for x = 2 R. For x 2 R, it amounts to prove:
T1   bT1cP + u1   L   P  0  T1   bT1cP + u1 + L + P:
which is implied by T1   P   bT1cP  0  T1 + P   bT1cP since u1   L  0. This is a
consequence of Lemma 1. This establishes (R2).
case (c) let  2 .  = Lab [ Labin [ fg. The proof for the rst two sets is similar to the previous
case. Let  = .
Since (s1;;s0
1) 2!1 we know by (P4:5) that
(K1) s0
1 = (l1;r1;T1 + u1;I1;0;d1;?)
(K2) f1 = > or
 for any   such that  2 Labin, for any (l1;l0;g;;R) 2 Edg, we have that either bT1
cP   r1 6j= SgS or I1()  u1
 for any  2 Labout, for any (l1;l0;g;;R) 2 Edg, we have that bT1cP   r1 6j= SgS
By rule (A4:5) of the AASAP-semantics, we know that there exists s0
2 2 S2 such that (s2;;s0
2)
and
(K3) s0
2 = s2 = (l1;v2;I1;d1).
Now we have to prove that (s0
1;s0
2) 2 R. (R1);(R3) and (R4) are clearly true. Proving (R2)
amounts to prove that
8x 2 Var : T1 + u1   r1(x) + 0   L   P  v2(x)  T1 + u1   r1(x) + 0 + L + P
14which turns out to be equivalent to (H2).
Let us now prove that there exists s00
2 s.t. ((l1;v2;I1;d1);L;s00
2) 2!2. According to rule (A4:6),
it amounts to prove that
(L1) for any edge (l1;l0;g;;R) 2 Edg with  2 Labout [ Lab, we have that:
8t0 : 0  t0  L : (d1 + t0   _ TS(v2 + t0;g)  )
(L2) for any edge (l1;l0;g;;R) 2 Edg with  2 Labin, we have that:
8t0 : 0  t0  L : (d1 + t0   _ TS(v2 + t0;g)   _ (I1 + t0)()  )
If f1 = > it implies that the program has made a discrete transition during the last loop, which
means that d1  L and thus that d1 + L  2L   because we know that, by hypothesis,
2L < , which makes (L1) and (L2) true for any t0.
If f1 6= >, the proof is less trivial. We rst make a proof for labels of (L1).
8(l1;l0;g;;R) 2 Edg with  2 Labout we have bT1cP 6j= SgS by (K2). Let ax = lb(g(x)) and
bx = rb(g(x)). There are two possible cases:
(a) 9x 2 Var such that
bT1cP   r1(x) < ax   S
! bT1cP   r1(x) < ax   dL + PeP (S = dL + PeP)
! T1   r1(x) < ax   L (Lemma 1)
! T1   r1(x) + u1 + L + P < ax + u1 + P
! v2(x) < ax + u1 + P (H2)
! v2(x) < ax + L (u1  L + P)
! 8t0 : 0  t0  L : v2(x) + t0  ax + 2L + P
! 8t0 : 0  t0  L : TS(v2(x) + t0;g(x))  2L + P
! 8t0 : 0  t0  L : TS(v2(x) + t0;g(x))   (2L + P < )
! 8t0 : 0  t0  L : TS(v2 + t0;g)  
(b) 9x 2 Var such that
bT1cP   r1(x) > bx + S
! bT1cP   r1(x) > bx + dL + PeP (S = dL + PeP)
! T1   r1(x) > bx + L + P (Lemma 1)
! T1   r1(x) + u1   L   P > bx + u1
! v2(x) > bx + u1 (H2)
! v2(x) > bx
! 8t0 : 0  t0  L : v2(x) + t0 > bx
! 8t0 : 0  t0  L : TS(v2(x) + t0;g(x))   (v2(x) + t0 6j= g(x))
! 8t0 : 0  t0  L : TS(v2 + t0;g)  
Thus, both cases imply that (L1) is true.
The proof for (L2) is the same if we have, by (K2), bT1cP 6j= SgS. If not, we have I1() < u1
which also proves (L2). Indeed
I1() < u1
! I1() < L (u1  L)
! 8t0 : 0  t0  L : I1() + t0 < 2L
! 8t0 : 0  t0  L : I1() + t0 <  (2L  )
case (d) let  2 R0. For the sake of clarity let us consider that  = t.
Since (s1;t;s0
1) 2!1 we know by (P4:6) that
(M1) s0
1 = (l1;r1;T1;I1 + t;u1 + t;d1 + t;f1);
(M2) u1 + t  L.
With those facts, we know that there exists s0
2 = (l0
2;v0
2;I0
2;d0
2) 2 S2 such that (s2;t;s0
2) 2!2
because (s2;L   u1;s00
2) 2!2 by (H3) and t  L   u1 by (M2).
Now we have (s2;t;s0
2) 2!2 and we know that:
15(M3) s0
2 = (l1;v2 + t;I1 + t;d1 + t)
We can now prove that (s0
1;s0
2) 2 R. We have to check the ve points of the simulation relation:
(R1);(R2);(R3) and (R4) are easy to prove using hypothesis (H1) to (H3) and (M1) to (M3).
For (R5), since by (H3), there exists s00
2 = (l00
2;v00
2;I00
2 ;d00
2) 2 S2 such that ((l2;v2;I2;d2);L  
u1;(l00
2;v00
2;I00
2;d00
2)) 2!2, we have ((l1;v2 + t;I1 + t;d1 + t);(L   u1   t);(l00
2;v00
2;I00
2 ;d00
2)) 2!2.

Theorem 5 (Simulability) For any Elastic controller A, for any  2 Q>0, there exists L;P 2 Q>0
such that [[A]]
Prg
L;Pv[[A]]
AAsap
 .
Proof. For any  > 0, since parameters L and P are in the rational numbers, they can always be chosen
such that 3L + 6P <  which implies S + 2L + 3P <  by Lemma 1. 
And so, given a suciently fast hardware with a suciently small granularity for its clock, we can
implement any controller that have been proved correct. This is expressed by the following corollary:
Corollary 2 (Implementability) Let E be a timed automaton , let [[E]] be a STTS with set of states SE,
B  SE be a set of bad states. For any Elastic controller A, for any  2 Q>0, such that [[A]]
AAsap
 controls
[[E]] to avoid B, there exist L;P 2 Q>0 such that [[A]]
Prg
L;P controls [[E]] to avoid B.
6 Implementability with clock drifts
In the previous section, we have shown that a control strategy that has been shown correct for the AASAP
semantics can be implemented with a suciently fast hardware equipped with a suciently ne granular
clock. To keep the proof and the exposition of the concepts simple, we have assumed that the hardware clock
was delivering exactly spaced ticks. If we want to model the imprecision due to clock drifts in the hardware,
we have to modify our program semantics. This is done in the Denition 16.
There are two modications in the denition of the program semantics :
1. The main change is in rule (Q4:5) : to model a possible drift of " every time unit, we change the way
the variable T holding the current time of the system is updated. T is not incremented by the exact
value u since its last update, but with a value u0 2 [(1   ")u;(1 + ")u]. This clearly models a drift
bounded by " every time unit.
2. As a drifting clock is less precise, we have to enlarge the guards more than in the previous semantics
to ensure that no guard is missed.
Denition 16 [Program Semantics with clock drifts] Let A be an Elastic controller, L; P 2 Q>0,
" 2 Q0 with " < 1. Let M 2 N be the largest constant a clock is compared with and nally, let S =
d(1 + ")(L + P) + "MeP. The (L;P;") program semantics of A, noted [[A]]
Prg
L;P;" is the input
enabled structured timed transition system T = hS;;in;out; ;!i where:
(Q1) S is the set of tuples (l;r;T;I;u;d;f) such that l 2 Loc, r is a function from Var into R0, T 2 R0,
I is a function from Labin into R0 [ f?g, u 2 R0, d 2 R0, and f 2 f>;?g;
(Q2)  = (l0;r;0;I;0;0;?) where r is such that for any x 2 Var, r(x) = 0, I is such that for any  2 Labin,
I() = ?;
(Q3) in = Labin, out = Labout,  = Lab [ Labin [ fg;
16(Q4) the transition relation ! is dened as follows:
{ for the discrete transitions:
(Q4:1) let  2 Labout. ((l;r;T;I;u;d;?);;(l0;r0;T;I;u;0;>)) 2! i there exists (l;l0;g;;R) 2 Edg
such that bTcP   r j= SgS and r0 = r[R := bTcP].
(Q4:2) let  2 Labin. ((l;r;T;I;u;d;f);;(l;r;T;I0;u;d;f)) 2! i
 either I() = ? and I0 = I[ := 0];
 or I() 6= ? and I0 = I.
(Q4:3) let   2 Labin. ((l;r;T;I;u;d;?);  ;(l0;r0;T;I0;u;0;>)) 2! i there exists (l;l0;g;;R) 2 Edg
such that bTcP   r j= SgS, I() > u, r0 = r[R := bTcP] and I0 = I[ := ?];
(Q4:4) let  2 Lab. ((l;r;T;I;u;d;?);;(l0;r0;T;I;u;0;>)) 2! i there exists (l;l0;g;;R) 2 Edg
such that bTcP   r j= SgS and r0 = r[R := bTcP].
(Q4:5) let  = . ((l;r;T;I;u;d;f);;(l;r;T + u0;I;0;d;?)) 2! where u0 2 [(1   ")u;(1 + ")u] i
either f = > or the two following conditions hold:
 for any   2 Labin, for any (l;l0;g;;R) 2 Edg, we have that either bTcP   r 6j= SgS
or I()  u
 for any  2 Labout [ Lab, for any (l;l0;g;;R) 2 Edg, we have that bTcP   r 6j= SgS
{ for the continuous transitions:
(Q4:6) ((l;r;T;I;u;d;f);t;(l;r;T;I + t;u + t;d + t;f)) 2! i u + t  L.

The following simulation theorem expresses formally that if the hardware on which the program is imple-
mented is fast enough (parameter L) ne granular enough (parameter P) and precise enough(parameter
") then the program semantics can be simulated by the AASAP semantics.
Theorem 6 (Simulation with drifting clocks) Let A be an Elastic controller. Let M be the largest
constant a clock is compared with in A. For any ;L;P 2 Q>0, " 2 Q0 with " < 1 such that
2"M+(3+")L+(4+2")P
1 " < , we have [[A]]
Prg
L;P;"v[[A]]
AAsap
 . 
Proof. The proof of this theorem follows closely the lines of the proof of Theorem 4.
Let [[A]]
Prg
L;P;"= (S1;1;in
1 ;out
1 ;
1;!1) and [[A]]
AAsap
 = (S2;2;in
2 ;out
2 ;
2;!2). Consider the relation
R  S1  S2 that contains the pairs:
(s1;s2) = ((l1;r1;T1;I1;u1;d1;f1);(l2;v2;I2;d2))
such that the following conditions hold:
(R1) l1 = l2;
(R2) for any x 2 Var,
T1 r1(x) (1+")(L+P)
1+" + u1  v2(x) 
T1 r1(x)+(1+")(L+P)
1 " + u1
(R3) for any  2 Labin, I1() = I2();
(R4) d1 = d2;
(R5) there exists (l00
2;v00
2;I00
2;d00
2) such that: ((l2;v2;I2;d2);L   u1;(l00
2;v00
2;I00
2;d00
2)) 2!2.
Let us show that R is a simulation relation.
171. (1;2) 2 R. We have to check the 5 rules of the simulation relation.
(R1);(R2);(R3) and (R4) are clearly true.
(R5) To establish this property, we rst note that d2 = 0 and so d2 + L <  which implies 8t0 
L : d2 + t0 < . Hence the two conditions of rule (A4:6) are veried.
2. Let us assume that (s1;s2) = ((l1;r1;T1;I1;u1;d1;f1);(l2;v2;I2;d2)) 2 R and that (s1;;s0
1) 2!1
(with s0
1 = (l0
1;r0
1;T 0
1;I0
1;u0
1;d0
1;f0
1)). We must prove that for each value of , there exists a state
s0
2 2 S2 such that (s2;;s0
2) 2!2 and (s0
1;s0
2) 2 R.
Since (s1;s2) 2 R we know that:
(H1) s2 = (l1;v2;I1;d1)
(H2) 8x 2 Var :
T1 r1(x) (1+")(L+P )
1+" + u1  v2(x) 
T1 r1(x)+(1+")(L+P )
1 " + u1
(H3) there exists s00
2 = (l00
2;v00
2;I00
2;d00
2) 2 S2 such that: ((l2;v2;I2;d2);L   u1;(l00
2;v00
2;I00
2 ;d00
2)) 2!2.
The rest of the proof works case by case on the dierent possible types of :
case (a) let  2 in
Since (s1;;s0
1) 2!1 we know that:
s0
1 =

(l1;r1;T1;I1[fg := 0];u1;d1;f1) if I1() = ?
(l1;r1;T1;I1;u1;d1;f1) if I1() 6= ?
Let us rst prove that 9s0
2 2 S2 : (s2;;s0
2) 2!2. This is immediate since the AASAP semantics
is input enabled. Now that we know s0
2 exists we can say that:
s0
2 =

(l1;v2;I1[fg := 0];d1) if I1() = ?
(l1;v2;I1;d1) if I1() 6= ?
It is now easy to prove that (s0
1;s0
2) 2 R. Indeed, it is obvious that s0
2 fullls the ve conditions
of the simulation relation if (s1;s2) 2 R.
case (b) let  2 out
Since (s1;;s0
1) 2!1 we know that:
(J1)

9(l1;l0
1;g;;R) 2 Edg : bT1cP   r1 j= SgS
s0
1 = (l0
1;r1[R := bT1cP];T1;I1;u1;0;>)
Let us rst prove that 9s0
2 2 S2 : (s2;;s0
2) 2!2. We use the same edge as in the implementation
semantics (see (J1)). This amounts to prove that: 8x 2 Var : v2(x) j= g(x). Let ax = lb(g(x))
and bx = rb(g(x)). We know that 8x 2 Var:
18ax   S  bT1cP   r1(x)  bx + S (J1)
! ax   d(1 + ")(L + P) + "MeP  bT1cP   r1(x)^
bT1cP   r1(x)  bx + d(1 + ")(L + P) + "MeP (def. of S)
! ax   (1 + ")(L + P)   "M   P  T1   r1(x)^
T1   r1(x)  bx + (1 + ")(L + P) + "M + 2P (Lemma 1)
!
ax 2(1+")(L+P ) "M P
1+" + u1 
T1 r1(x) (1+")(L+P)
1+" + u1^
T1 r1(x)+(1+")(L+P)
1 " + u1 
bx+2(1+")(L+P )+"M+2P
1 " + u1
!
ax 2(1+")(L+P ) "M P
1+" + u1  v2(x)^
v2(x) 
bx+2(1+")(L+P)+"M+2P
1 " + u1 (H2)
!
ax (2+2")L (3+2")P  "M
1+"  v2(x)^
v2(x) 
bx+(3+")L+(4+2")P+"M
1 " (0  u1  L)
! ax  
2"M+(2+2")L+(3+2")P
1+"  v2(x)^
v2(x)  bx +
2"M+(3+")L+(4+2")P
1 " (M  ax ^ M  bx)
! ax     v2(x)  bx +  (
2"M+(3+")L+(4+2")P
1 " < )
! v2(x) j= g
Now that it is established that 9s0
2 2 S2 : (s0
1;;s0
2) 2!2 we know that: s0
2 = (l0
1;v2[R := 0];I1;0)
It remains to prove that (s0
1;s0
2) 2 R which means we must check the ve rules of the simulation
relation. (R1),(R3),(R4) and (R5) are clearly true.
To prove (R2) we have to prove that
8x 2 Var :
(
T1 r1[R:=bT1cP ](x) (1+")(L+P)
1+" + u1  v2[R := 0](x)
v2[R := 0](x) 
T1 r1[R:=bT1cP ](x)+(1+")(L+P )
1 " + u1
This proposition is the same as (H2) for x = 2 R. For x 2 R, it amounts to prove:
T1   bT1cP   (1 + ")(L + P)
1 + "
+ u1  0 
T1   bT1cP + (1 + ")(L + P)
1   "
+ u1:
which is implied by T1   P   bT1cP  0  T1 + P   bT1cP, which is a consequence of
Lemma 1, and u1   L  0. This establishes (R2).
case (c) let  2 .  = Lab [ Labin [ fg. The proof for the rst two sets is similar to the previous
case. Let  = .
Since (s1;;s0
1) 2!1 we know by (Q4:5) that
(K1) s0
1 = (l1;r1;T1 + u0
1;I1;0;d1;?) where u0
1 2 [(1   ")u1;(1 + ")u1];
(K2) f1 = > or
 for any   such that  2 Labin, for any (l1;l0;g;;R) 2 Edg, we have that either bT1
cP   r1 6j= SgS or I1()  u1, and
 for any  2 Labout, for any (l1;l0;g;;R) 2 Edg, we have that bT1cP   r1 6j= SgS
By rule (A4:5) of the AASAP-semantics, we know that there exists s0
2 2 S2 such that (s2;;s0
2)
and
(K3) s0
2 = s2 = (l1;v2;I1;d1).
Now we have to prove that (s0
1;s0
2) 2 R. (R1);(R3) and (R4) are clearly true. Proving (R2)
amounts to prove that
8x 2 Var :
T1+u
0
1 r1(x) (1+")(L+P)
1+"  v2(x) 
T1+u
0
1 r1(x)+(1+")(L+P)
1 "
which is implied by (H2) and (1   ")u1  u0
1  (1 + ")u1 .
Let us now prove that there exists s00
2 s.t. ((l1;v2;I1;d1);L;s00
2) 2!2. According to rule (A4:6),
it amounts to prove that
19(L1) for any edge (l1;l0;g;;R) 2 Edg with  2 Labout [ Lab, we have that:
8t0 : 0  t0  L : (d1 + t0   _ TS(v2 + t0;g)  )
(L2) for any edge (l1;l0;g;;R) 2 Edg with  2 Labin, we have that:
8t0 : 0  t0  L : (d1 + t0   _ TS(v2 + t0;g)   _ (I1 + t0)()  )
If f1 = > it implies that the program has made a discrete transition during the last loop, which
means that d1  L and thus that d1 + L  2L   because we know that, by hypothesis,
 > 2L, which makes (L1) and (L2) true for any t0.
If f1 6= >, the proof is less trivial. We rst make a proof for labels of (L1).
8(l1;l0;g;;R) 2 Edg with  2 Labout we have bT1cP 6j= SgS by (K2). Let ax = lb(g(x)) and
bx = rb(g(x)). There are two possible cases:
(a) 9x 2 Var such that
bT1cP   r1(x) < ax   S
bT1cP   r1(x) < ax   d(1 + ")(L + P) + "MeP (def. of S)
! T1   r1(x)   P < ax   (1 + ")(L + P)   "M (Lemma 1)
!
T1 r1(x)+(1+")(L+P)
1 " + u1 <
ax+P "M
1 " + u1
! v2(x) < ax+P "M
1 " + u1 (H2)
! v2(x) < ax+P "M
1 " + L (u1  L)
! 8t0 : 0  t0  L : v2(x) + t0 
ax+P "M
1 " + 2L
! 8t0 : 0  t0  L : v2(x) + t0  ax +
"ax+2(1 ")L+P "M
1 "
! 8t0 : 0  t0  L : v2(x) + t0  ax +
2(1 ")L+P
1 " (M  ax)
! 8t0 : 0  t0  L : TS(v2(x) + t0;g(x)) 
2(1 ")L+P
1 "
! 8t0 : 0  t0  L : TS(v2(x) + t0;g(x))   (
2(1 ")L+P
1 " < )
! 8t0 : 0  t0  L : TS(v2 + t0;g)  
(b) 9x 2 Var such that
bT1cP   r1(x) > bx + S
bT1cP   r1(x) > bx + d(1 + ")(L + P) + "MeP (def. of S)
! T1   r1(x) > bx + (1 + ")(L + P) + "M (Lemma 1)
!
T1 r1(x) (1+")(L+P)
1+" + u1 > bx+"M
1+" + u1
! v2(x) > bx+"M
1+" + u1 (H2)
! v2(x) > bx+"M
1+" (u1  0)
! 8t0 : 0  t0  L : v2(x) + t0 > bx+"M
1+"
! 8t0 : 0  t0  L : v2(x) + t0 > bx +  "bx+"M
1+"
! 8t0 : 0  t0  L : v2(x) + t0 > bx +  "M+"M
1+" (bx  M)
! 8t0 : 0  t0  L : v2(x) + t0 > bx
! 8t0 : 0  t0  L : TS(v2(x) + t0;g(x))   (v2(x) + t0 6j= g(x))
! 8t0 : 0  t0  L : TS(v2 + t0;g)  
Thus, both cases imply that (L1) is true.
The proof for (L2) is the same if we have, by (K2), bT1cP 6j= SgS. If not, we have I1() < u1
which also proves (L2). Indeed
I1() < u1
! I1() < L (u1  L)
! 8t0 : 0  t0  L : I1() + t0 < 2L
! 8t0 : 0  t0  L : I1() + t0 <  (2L  )
case (d) let  2 R0. For the sake of clarity let us consider that  = t.
Since (s1;t;s0
1) 2!1 we know by (Q4:6) that
(M1) s0
1 = (l1;r1;T1;I1 + t;u1 + t;d1 + t;f1);
20(M2) u1 + t  L.
With those facts, we know that there exists s0
2 = (l0
2;v0
2;I0
2;d0
2) 2 S2 such that (s2;t;s0
2) 2!2
because (s2;L   u1;s00
2) 2!2 by (H3) and t  L   u1 by (M2).
Now we have (s2;t;s0
2) 2!2 and we know that:
(M3) s0
2 = (l1;v2 + t;I1 + t;d1 + t)
We can now prove that (s0
1;s0
2) 2 R. We have to check the ve points of the simulation relation:
(R1);(R2);(R3) and (R4) are easy to prove using hypothesis (H1) to (H3) and (M1) to (M3).
For (R5), since by (H3), there exists s00
2 = (l00
2;v00
2;I00
2 ;d00
2) 2 S2 such that ((l2;v2;I2;d2);L  
u1;(l00
2;v00
2;I00
2;d00
2)) 2!2, we have ((l1;v2 + t;I1 + t;d1 + t);(L   u1   t);(l00
2;v00
2;I00
2 ;d00
2)) 2!2.

One can observe that for " = 0 we get the same constraint as in Theorem 4.
We can now immediately state the following theorem and corollary, which are the counterparts with clock
drifts of Theorem 5 and Corollary 2 of the previous section.
Theorem 7 (Simulability with clock drifts) For any Elastic controller A, for any  2 Q>0, there
exists L;P;" 2 Q>0 with " < 1, such that [[A]]
Prg
L;P;"v[[A]]
AAsap
 .
Proof. Let M be the largest constant a clock is compared with in A. For any  > 0, since parameters L,
P and " are in the rational numbers, they can always be chosen such that
2"M+(3+")L+(4+2")P
1 " < .

And so, given a suciently fast hardware with a sucient precision and a suciently small granularity
for its clock, we can implement any controller that have been proved correct for the AASAP semantics. This
is expressed by the following corollary:
Corollary 3 (Implementability with clock drifts) Let E be a timed automaton , let [[E]] be a STTS
with set of states SE, B  SE be a set of bad states. For any Elastic controller A, for any  2 Q>0, such
that [[A]]
AAsap
 controls [[E]] to avoid B, there exist L;P;" 2 Q>0 with " < 1, such that [[A]]
Prg
L;P;" controls
[[E]] to avoid B.
7 In practice
In this section, we show how the AASAP semantics can be analyzed automatically using the model-checker
tool HyTech [HHWT95]. This is a direct corollary of the next theorem: for any  2 Q0, for any Elastic
controller A, the AASAP semantics of A can be encoded using the classical semantics of a timed automaton
A constructed from A and .
Theorem 8 For any Elastic controller A, for any  2 Q>0, we can construct eectively a timed automa-
ton A = F(A;) such that [[A]]
AAsap
 v[[A]] and [[A]]v[[A]]
AAsap
 .
Proof. We give the construction of F(A;). Let A be the tuple hLoc1;l0
1;Var1;Labin
1 ;Labout
1 ;Lab
1;Edg1i
and let F(A;) = hLoc2;l0
2;Var2;Inv2;Labin
2 ;Labout
2 ;Lab
2;Edg2i be the timed automaton such that:
 Loc2 = f(l;b) j l 2 Loc1 ^ b 2 [in ! f>;?g]g;
 l0
2 = (l0
1;b?) where b? is such that b?() = ? for any  2 in;
 Var2 = Var1 [ fy j  2 ing [ fdg;
21 Labin
2 = Labin
1 , Labout
2 = Labout
1 and Lab
2 = Lab
1 [ Labin
1 ;
 Edg2 is dened as follows.
((l;b);(l0;b0); g;;R0) 2 Edg2 i one of the following condition holds:
{  2 Labin
1 and
1. l0 = l
2. b() = ?
3. b0 = b[ := >]
4. g = true
5. R0 = fyg
{  2 Labin
1 and
1. l0 = l
2. b() = >
3. b0 = b
4. g = true
5. R0 = ?
{  2 Labout
1 and
1. there exists (l;l0;g;;R) 2 Edg1
2. b0 = b
3. R0 = R [ fdg
{  2 Lab
1 and
1. there exists
(l;l0;g;;R) 2 Edg1
2. b0 = b
3. R0 = R [ fdg
{  =   2 Labin
1 and
1. there exists
(l;l0;g;;R) 2 Edg1
2. b() = >
3. b0 = b[ := ?]
4. R0 = R [ fdg
{  =  and
1. l0 = l
2. b0 = b
3. g = true
4. R0 = ?
 The function Inv2 is dened as follows. Let EV T((l;b)) = f((l;l0;g;;R) 2 Edg1 j  2 Labin
1 ^b() = >g.
Let ACT((l;b)) = f(l;l0;g;;R) 2 Edg1 j  2 Labout
1 [ Lab
1g. Inv2((l;b)) = '1(l;b) ^ '2(l;b) where
'1(l;b) =
V
(l;l0;g;;R)2EV T((l;b))
 
d   _ :(g) _ y  

'2(l;b) =
V
(l;l0;g;;R)2ACT((l;b))
 
d   _ :(g)

and g(x) is the expression x 2 (a + ;b] if g(x) is the expression x 2 [a;b].
To establish that the construction above is correct, we proceed as follows. We show that:
(1) [[A]]
AAsap
 v[[F(A;)]]
(2) [[F(A;)]]v[[A]]
AAsap

Let [[A]]
AAsap
 = (S1;1;in
1 ;out
1 ;
1;!1) and [[F(A;)]]= (S2;2;in
2 ;out
2 ;
2;!2).
To prove (1) we can use the simulation relation R  S1  S2 such that ((l1;v1;I1;d1);((l2;b2);v2)) 2 R
i:
1. l1 = l2
2. for any  2 Labin,

b2() = ? i I1() = ?
b2() = > ^ v2(y) = I1() i I1() 6= ?
3. v2jVar1 = v1 ( vjX is the restriction of v to X)
4. v2(d) = d1
22Let us prove that R is a simulation relation.
 It appears obviously that (1;2) 2 R.
 Let us assume that (s1;s2) = ((l1;v1;I1;d1);((l2;b2);v2)) 2 R and that (s1;;s0
1) 2!1 (with s0
1 =
(l0
1;v0
1;I0
1;d0
1)).
For each value of , we must establish the existence of a state s0
2 2 S2 such that (s2;;s0
2) 2!2 and
(s0
1;s0
2) 2 R.
Since (s1;s2) 2 R we know that:
(H0) s2 = ((l1;b2);v2)
(H1) v2
1jVar1 = v1, v2(d) = d1, and v2(y) = I1() i I1() 6= ?.
Let  2 R0 (other cases are straightforward and left to the reader). For the sake of clarity, let
us consider that  = t.
Since (s1;t;s0
1) 2!1 we know by (A4:6) that
(H2) for any edge (l1;l0;g;;R) 2 Edg with  2 Labout
1 [ Lab
1, we have that:
8t0 : 0  t0  t : (d1 + t0   _ TS(v1 + t0;g)  )
(H3) for any edge (l1;l0;g;;R) 2 Edg with  2 Labin
1 , we have that:
8t0 : 0  t0  t : d1 + t0   _ TS(v1 + t0;g)   _ (I1 + t0)()  
It is easy to prove by (H1) that:
 d1 + t0   $ v2(d) + t0  
 (I1 + t0)()   $ v2(y) + t0  
 TS(v1 + t0;g)   $ v2 + t0 j= :(g)
The third proposition can be proved as follows (let ax = lb(g(x)) and bx = rb(g(x))):
TS(v1 + t0;g)  
$ (v1 + t0 j= g) ! 9x 2 Var1 : v1(x) + t0     ax
$ (v1 + t0 j= g) ! (9x 2 Var1 : ax  v1(x) + t0  bx ^ v1(x) + t0     ax)
$ (v1 + t0 6j= g) _ (9x 2 Var1 : ax  v1(x) + t0  min(bx;ax + ))
$ (9x 2 Var1 : v1(x) + t0 < ax _ v1(x) + t0 > bx)
_(9x 2 Var1 : ax  v1(x) + t0  min(bx;ax + ))
$ 9x 2 Var1 : v1(x) + t0  ax +  _ v1(x) + t0 > bx
$ 9x 2 Var1 : v1(x) + t0 = 2 (ax + ;bx]
$ v1 + t0 6j= g
$ v1 + t0 j= :(g)
$ v2 + t0 j= :(g)
Consequently, using (H2) and (H3), we have 80  t0  t : v2 + t0 j= Inv2(l2). Thus, the state
s0
2 = ((l2;b2);v0
2) where v0
2 = v2 + t is such that (s2;t;s0
2) 2!2.
The reader can easily check that (s0
1;s0
2) 2 R.
To prove (2) we can use the simulation relation R0 such that R0(s2;s1) i R(s1;s2). The proof is similar
since we only used equivalence in our reasonings.

Corollary 4 For any Elastic controller A, for any  2 Q>0, for any timed automaton E with state space
SE, for any set of states B  SE, we have that [[A]]
AAsap
 controls [[E]] to avoid B i [[F(A;)]] controls [[E]]
to avoid B.
23In practice, we use Theorem 8 to reduce the controllability problem to a reachability problem. We rst
construct F(A;) (where we can leave  as a parameter) and generate a HyTech le with a description of
F(A;) and E. We then use HyTech to synthesize the weakest constraint on  that ensures the correctness
of the control strategy for the AASAP semantics. In other words, we ask HyTech for which parameter value
Reach([[F(A;)]] k [[E]]) \ B = ?. If HyTech terminates, it returns a linear constraint  () over  which
allows to solve the three problems of Denition 13:
 [Fixed] For a given value D 2 Q0 for the parameter , answering the [Fixed] question amounts to
ask if  (D) is true.
 [Existence] To solve the [Existence] question, it suces to ask if there exists D 2 Q0 such that
 (D).
 [Maximization ] To solve the [Maximization] question, we ask if
{ either there exists Dmax 2 Q0 such that  (Dmax) and 8D > Dmax : : (D);
{ or there exists Dsup 2 Q0 such that : (Dsup) and 80  D < Dsup :  (D).
All those question are expressed as formulas of the additive theory of the reals and are thus solv-
able [Wei99] .
In case the HyTech analysis does not terminate, we still have a practical solution for two of the problems
of Denition 13 if the environment is specied as a timed automaton:
 [Fixed] In this case we can obviously respond to the [Fixed] version of the correctness problem as it
amounts to a reachability question on timed automata [AD94],
 [Maximization ] In this case, we can approximate as close as needed the solution of the [Maximization]
question thanks to the \faster is better" property of the AASAP semantics: by doing a binary search
on the value space of the parameter , using the [Fixed] question, we can approximate the maximal
value of  for which the controller is correct up to any precision.
To answer those two previous questions, we are not restricted to the use of HyTech or other parametric
tools and we for example can use Uppaal [PL00]. Finally, we prove in [DDMR04] the decidability of the
[Existence] question when the environment is a timed automata.
Running example If we apply the construction of Theorem 8 to our running example (Figure 1), we
can ask HyTech to establish for which value of , the tube of control strategies dened by the timed
automaton obtained by the construction of Theorem 8 is valid.
First, consider the case ( = 1). The condition of correctness is  = 0. We can interpret this as follows:
we have a correct model w.r.t to the classical ASAP semantics (the controller imposes the repetition of events
ABC, at integer points in time, that is the divergent timed word ((ABC)!;) with 3i = 3i+1 = 3i+2 = i+1; i 2
N). But if we accept a positive xed delay (no matter how small it is) between the event B and the reaction
C, we cannot anymore guarantee that the environment will not eventually reach Bad. The insightful reader
has maybe noticed that if the delay between B and C can vary (and here decrease), then it is possible to avoid
Bad. However, the greatest lower bound of the delays will be zero so that implementation is not possible. For
example, a (non-zeno) controller could issue orders such that  = (1;1;1 1
2)(2;21
2;23
4)(3;33
4;37
8)(4;47
8;415
16):::
Clearly this time sequence, however divergent, is not acceptable as the output of an implementable controller
because there is no lower bound on the dierence between two consecutive time instants. This shows that
not only zeno controllers require innitely fast hardware to be implemented. Hence, it must be admitted
that the synchrony hypothesis is not only a matter of non-zenoness; in this example, the condition  = 0
shows that it is impossible for a nite-speed hardware to implement the controller.
In the second case ( = 2), the model is correct for any  < 1
3. If we assume that the unit of time is
the second, Theorem 6 then tells us that, to preserve the desired property with a systematic implementation
24of the Elastic controller (as described in Section 5), we should have a platform with loop time L clock
granularity P and clock precision " such that
2"M+(3+")L+(4+2")P
1 " < 333ms, where M = 2 is the
greatest constant appearing in the controller. For instance, we can implement the controller on the Lego
Mindstorms
TM platform, since it allows L to be as low as 6ms, oers a digital clock with P = 1ms and
a drift certainly not greater than 1%.
7.1 Relaxing the AASAP semantics
The construction of Theorem 8 gives a model that can be used in practice to verify the implementability
of a controller (Corollary 4). This model is a timed automaton that contains exactly the same reachability
information than the AASAP semantics. This is why the construction is not as simple as one might expect.
Other constructions can be used (for example if it facilitates the verication), at the condition that it can
simulate the AASAP semantics. Also, if a controller controls an environment E0, it ensures that it can control
any renement E of E0. This results from Theorems 1, 2 and 8.
Corollary 5 For any Elastic controller A, for any  2 Q>0, for any timed automata E0 with state
space SE0, and E with state space SE  SE0 such that [[E]]v[[E0]]; for any timed automaton C such that
[[F(A;)]]v[[C]], for any set of states B  SE, we have that if [[C]] controls [[E0]] to avoid B then [[A]]
AAsap

controls [[E]] to avoid B.
In Corollary 5, the automaton C is an over-approximation of the AASAP semantics. For verication
concerns, a promising such over-approximation is, given a timed automaton T, to close and enlarge (left and
right) every guard by  to obtain the timed automaton we call X(T;). The model X(F(A;);) has
interesting properties. We show in [DDMR04] that the problem to decide whether there exists a rational
value  such that it controls X(E;) to avoid B is decidable .
8 Conclusion and related works
In this paper, we have introduced the notion of Almost ASAP semantics for timed automata. This semantics
is a relaxation of the usual ASAP semantics: the controller does not have to react instantaneously to events
and time-outs, it only has to do so within a given time bound (that can be leaved as a parameter). We
have shown that this semantics is useful to formally reason about the implementability of mathematical
models for timed controllers: any controller that has been shown correct for the Almost ASAP semantics
can be systematically implemented. The properties that have been proven on the model are transfered to the
implementation (without making the synchrony hypothesis) provided that the implementation is executed
on a hardware which is suciently fast and which uses a suciently ne granular digital clock subject to a
suciently small drift.
We now compare our work with some recent related works and also point out several future research
directions.
Related works. In [AFM+02, AFP+03], Yi et al present a tool called Times that generates executable
code (C code for the Lego Mindstorms
TM platform) from timed automata models. The code is generated
with the synchrony hypothesis. This work does not tackle the problem on which we concentrate in this
paper. The properties proved on the models are not guaranteed to be preserved by their code generation.
On the other hand, this work also integrate interesting schedulability analysis. In our paper, we have only
concentrated on simple control centered programs. In our approach, tasks that are computing expensive,
should be modeled explicitly (with their worst-case execution time for example). This is coherent with the
approach they propose.
In [KMTY04], the authors agree that an event must remain observable during some (usually small but
not singular) period. They propose a digitalized semantics for timed automata in order to model the fact
that the environment cannot be observed continuously, but only at discrete instants. However, they do
25not make a formal link with automatic code generation. On the contrary, we propose such a link, and our
semantics is more high-level in that it is continuous-time and thus closer to the designer's point of view.
In [AFILS03], Alur et al introduce a methodology to generate code from hybrid automata. The class of
models they consider is larger than the class we consider here, i.e. the Elastic controllers. As, in the work
of Yi et al, they adopt the synchrony hypothesis. Nevertheless, they plan to explore further this translation
in order to see how to achieve the translation without the synchrony hypothesis. The work in this paper
should be useful in that context.
In [HKSP03], Henzinger et al introduce a programming model for real-time embedded controllers called
Giotto. Giotto is an embedded software model that can be used to specify a solution to a given control
problem independently of an execution platform but which is closer to executable code than a mathematical
model. So, Giotto can be seen an intermediary step between mathematical models like hybrid automata
and real execution platform.
In [IKL+00], Larsen et al show how to model code for real-time controllers using Uppaal models in order
to formally verify the code behavior. Usually, they encounter the problem that the obtained description is
dicult to analyze because the time unit at the controller level (time slice of the real-time OS for example)
is much smaller than the natural time unit of the environment. This leads to what they call symbolic state
space fragmentation. They proposed in [HL02] a partial solution to that problem. In our framework, we
do not encounter that problem. In fact, the larger reaction delay computed during the analysis phase of
the AASAP semantics is usually close to the time unit of the environment to control, and usually, at least,
much larger than the time unit of the hardware on which the control program is executed. The program is
generated automatically from the Elastic model and is guaranteed to be correct by construction (no need
to verify it).
Future works As future works, we plan to:
 study in details the parameter synthesis problem dened by the AASAP semantics. Currently, we
analyze the semantics with HyTech using the standard x point algorithm with no guarantee of
termination. We do not know if the synthesis problem is decidable or not. If the problem turns out to
be undecidable, we will look for heuristics. Partial answers are given in [DDMR04].
 study Giotto as a possible intermediary step for code generation in the setting of our method. This
intermediary step may allow us to simplify parts of our construction.
 compare more extensively the practicability of our approach compared to the approach consisting in
verifying code.
Acknowledgements We thank the anonymous referees for their valuable criticism and useful comments.
In particular, one reviewer made useful suggestions about the notion of input enabledness that lead to nice
simplications.
References
[AD94] R. Alur and D. L. Dill. A theory of timed automata. Theoretical Computer Science, 126(2):183{
235, 1994.
[AFILS03] R. Alur, J. Kim F. Ivancic, I. Lee, and O. Sokolsky. Generating embedded software from
hierarchical hybrid models. In Proc. of LCTES 2003, volume 38 of ACM SIGPLAN Notices,
pages 171 { 182, 2003.
[AFM+02] T. Amnell, E. Fersman, L. Mokrushin, P. Pettersson, and W. Yi. Times: A tool for modelling
and implementation of embedded systems. In Proc. of TACAS' 2002, volume 2280 of LNCS,
pages 460{464. Springer{Verlag, 2002.
26[AFP+03] T. Amnell, E. Fersman, P. Pettersson, H. Sun, and W. Yi. Code synthesis for timed automata.
Nordic Journal of Computing, 9(4), 2003.
[AL91] M. Abadi and L. Lamport. The existence of renement mappings. Theoretical Computer Science,
82(2):253{284, 1991.
[Ber00] G. Berry. The Foundations of Esterel. MIT Press, 2000.
[CBG88] E.M Clarke, M.C. Browne, and O. Grumberg. Characterizing nite kripke structures in propo-
sitional temporal logic. Theoretical Computer Science, 59:115{131, 1988.
[CHR02] F. Cassez, T.A. Henzinger, and J.-F. Raskin. A comparison of control problems for timed and
hybrid systems. In Proc. of HSCC' 02, volume 2289 of LNCS, pages 134{148. Springer-Verlag,
2002.
[DDMR04] M. De Wulf, L. Doyen, N. Markey, and J.-F. Raskin. Robustness and implementability of
timed automata. In Proc. of FORMATS-FTRTFT 2004, volume 3253 of LNCS, pages 118{133.
Springer-Verlag, 2004.
[DDR04] M. De Wulf, L. Doyen, and J.-F. Raskin. Almost ASAP semantics: From timed models to timed
implementations. In Proc. of HSCC' 04, volume 2993 of LNCS, pages 296{310. Springer-Verlag,
2004.
[Die01] H. Dierks. PLC-automata: a new class of implementable real-time automata. Theoretical Com-
puter Science, 253(1):61{93, 2001.
[Hen96] T.A. Henzinger. The theory of hybrid automata. In Proc. of LICS '96, pages 278{292. IEEE,
1996.
[HHWT95] T.A. Henzinger, P.-H. Ho, and H. Wong-Toi. A user guide to HyTech. In Proc. of TACAS 95,
volume 1019 of LNCS, pages 41{71. Springer-Verlag, 1995.
[HKPV98] T.A. Henzinger, P.W. Kopke, A. Puri, and P. Varaiya. What's decidable about hybrid automata?
Journal of Computer and System Sciences, 57:94{124, 1998.
[HKSP03] T.A. Henzinger, C.M. Kirsch, M.A. Sanvido, and W. Pree. From control models to real-time
code using Giotto. IEEE Control Systems Magazine, 23(1):50{64, 2003.
[HL02] M. Hendriks and K. G. Larsen. Exact acceleration of real-time model checking. In Proc. of
TPTS'02, volume 65 of ENTCS. Elsevier Science, 2002.
[IKL+00] T. Iversen, K. Kristoersen, K. Larsen, M. Laursen, R. Madsen, S. Mortensen, P. Petterson,
and C. Thomasen. Model-checking real-time control programs { verifying LEGO mindstorms
systems using UPPAAL. In Proc. of ECRTS '00, pages 147{155. IEEE, 2000.
[KMTY04] P. Kr c al, L. Mokrushin, P.S. Thiagarajan, and W. Yi. Timed vs time triggered automata. In
Proc. of CONCUR'04, volume 3170 of LNCS, pages 340{354. Springer{Verlag, 2004.
[LT87] N. Lynch and M. Tuttle. Hierarchical correctness proofs for distributed algorithms. In Proc. of
the 6 th PODC, pages 137{151. ACM, 1987.
[LV04] G. L uttgen and W. Vogler. Bisimulation on speed: worst-case eciency. Information and
Computation, 191(2):105{144, 2004.
[Mil80] R. Milner. A Calculus of Communicating Systems, volume 92 of LNCS. Springer-Verlag, 1980.
[PL00] P. Pettersson and K. G. Larsen. Uppaal2k. Bulletin of the European Association for Theoretical
Computer Science, 70:40{44, 2000.
27[Pnu77] A. Pnueli. The temporal logic of programs. In Proc. of FOCS 1977, pages 46{57. IEEE, 1977.
[Wei99] V. Weispfenning. Mixed real-integer linear quantier elimination. In Proc. of ISSAC 99, pages
129{136. ACM, 1999.
28