Formal modelling and analysis of broadcasting embedded control systems by Kendall, David
Formal Modelling and Analysis of Broadcasting Embedded Control Systems
David Kendall 
Ph.D. Thesis 
September 2001 
University of Newcastle upon Tyne 
Department of Computing Science 
In memory of William Kendall (1908 - 1994) 
ABSTRACT 
Embedded systems are real-time, communicating systems, and the effective modelling and analysis of these aspects of their behaviour is regarded as essential for acquiring confidence in their correct operation. In practice, it is important to minimise the burden of model construction and to automate the analysis, if possible. Among the most promising techniques for real-time systems are reachability analysis and model-checking of networks of timed automata. We identify two obstacles to the application of these techniques to a large class of distributed embedded systems: firstly, the language of timed automata is too low-level for straightforward model construction, and secondly, the synchronous, handshake communication mechanism of the timed automata model does not fit well with the asynchronous, broadcast mechanism employed in many distributed embedded systems. As a result, the task of model construction can be unduly onerous.
This dissertation proposes an expressive language for the construction of models of real-time, broadcasting control systems, and demonstrates how efficient analysis techniques can be applied to them.
The dissertation is concerned in particular with the Controller Area Network (CAN) protocol which is emerging as a de facto standard in the automotive industry. An abstract formal model of CAN is developed. This model is adopted as the communication primitive in a new language, bCANDLE, which includes value passing, broadcast communication, message priorities and explicit time. A high-level language, CANDLE, is introduced and its semantics defined by translation to bCANDLE. We show how realistic CAN systems can be described in CANDLE and how a timed transition model of a system can be extracted for analysis. Finally, it is shown how efficient methods of analysis, such as 'on-the-fly' and symbolic techniques, can be applied to these models. The dissertation contributes to the practical application of formal methods within the domain of broadcasting, embedded control systems.
ACKNOWLEDGEMENTS 
I would like to express my gratitude to my supervisor Maciej Koutny for his patient support throughout the years it has taken me to produce this thesis. He has been extraordinarily generous in finding time for me, and his insistent probing of my ideas and rigorous attention to detail have helped me immensely.
Of course, I am indebted to the many researchers whose work is mentioned in this thesis, but I would like to acknowledge a personal debt to the following: Sergio Yovine and Stavros Tripakis for their help with KRONOS and OPEN-KRONOS, respectively; Hubert Garavel for support with CADP; and Gerard Holzmann and Jean-Charles Gregoire for sharing their code, from which I have learnt much about efficient implementation.
I have been fortunate to do this work surrounded by good friends and colleagues. Chris Phillips gave me vital support during my M.Sc. studies and has been a stalwart friend and adviser ever since. Everyone in the High Integrity Embedded Systems Group has provided friendly encouragement and contributed to a stimulating environment in which to do research. Steven Bradley, William Henderson and Adrian Robson have always been willing to listen to my ideas; they are responsible for thrashing out much of the chaff. Ljerka Beus-Dukic has never been short of an encouraging word, as I struggled through the final stages of 'writing up'. I consider myself particularly fortunate to have shared an office with William Henderson for more than a decade. He has been an unfailing source of good humour, good music, good advice and good friendship.
I would like to thank the School of Computing and Mathematics at the University of Northumbria, both for financial support and for the time which it has allowed me to devote to this research. In this regard, I am particularly grateful to Adrian Woolley for supporting my application for a secondment to get the work started, and for managing my teaching allocation sympathetically in subsequent years.
Above all others, I am grateful to Marilyn, my wife, best friend and greatest ally, without whose loving support I would have given up long ago, and to my children Caitlin, Martha and Josie, who always help to keep things in perspective, and whose love makes everything seem worthwhile.
PUBLISHED WORK 
Preliminary versions of some of the work in this thesis have been presented at a number of conferences and workshops. Steven Bradley, William Henderson and Adrian Robson are co-authors of many of the following papers. The work presented in the thesis is entirely my own, except where explicitly acknowledged. The papers, in chronological order, are
• A formal basis for tool-supported simulation and verification of real-time CAN systems. In Proceedings of 4th International CAN Conference (iCC'97), pages 719-727, Berlin, October 1997.
• bCANDLE: Formal modelling and analysis of CAN control systems. In Proceedings of 4th IEEE Real Time Technology and Applications Symposium (RTAS'98), pages 171-177. IEEE Computer Society Press, June 1998.
• CANDLE: A high level language and development environment for high integrity CAN control systems. In Proceedings of 4th IEE Workshop on Discrete Event Systems, pages 58-63, August 1998.
• Using sharing trees in the automated analysis of real-time systems with data. In Proceedings of IEE Colloquium: Applicable Modelling, Verification and Analysis Techniques for Real-Time Systems, Ref. No. 1999/006, pages 6/1-4. IEE, London, UK, January 1999.
• CANDLE: A tool for efficient analysis of CAN control systems. In Proceedings of the 1st Workshop on Real-Time Tools (RT-TOOLS'2001), Aalborg, Denmark, Technical Report 2001-014, University of Uppsala, August 2001.
My ideas concerning the translation from a process language to timed automata were developed first for the AORTA language. That work appears in
• Validation, verification and implementation of timed protocols using AORTA. In P. Dembinski, editor, Proceedings of the Fifteenth International Symposium on Protocol Specification, Testing and Verification, pages 205-220. Chapman and Hall, June 1995.
CONTENTS
1. Introduction 1
1.1 Embedded Control Systems 1
1.2 Formal Methods 3
1.3 Broadcast Communication 6
1.3.1 Controller Area Network 6
1.4 The dissertation 8
1.4.1 Justification 8
1.4.2 Structure and contribution 9
2. Models, Specifications and Correctness 11
2.1 Introduction 11
2.2 Models of Time 11
2.3 Transition Systems 13
2.3.1 Labelled Transition Systems 13
2.3.2 Timed Transition Systems 15
2.3.3 Composition of transition systems 16
2.4 Process Algebra 17
2.4.1 Basic concepts 17
2.4.2 Timed Extensions 18
2.5 Timed Automata 19
2.5.1 Introduction 19
2.5.2 Clocks 20
2.5.3 Clock Constraints 20
2.5.4 Syntax and informal semantics 21
2.5.5 Formal Semantics 22
2.5.6 Composition of timed automata 24
2.6 Property Specification 25
2.6.1 State Properties 26
2.6.2 Automata 27
2.6.3 Temporal Logic 29
2.6.4 Discussion 32
2.7 Verification 33
2.7.1 Region Equivalence 33
2.7.2 Region Graph 34
2.7.3 Complexity of reachability 36
2.7.4 Constraint Solving 38
2.7.5 Difference Bound Matrices 43
2.7.6 Implementing constraint solving 48
2.7.7 Other attacks on state space explosion 52
2.7.8 Tools 56
2.8 Conclusions 57
3. bCANDLE: A low level modelling language 59
3.1 Introduction 59
3.2 Informal system model 59
3.3 The Data Model 61
3.3.1 Formal Definition 62
3.4 The Network Model 64
3.4.1 Structure 65
3.4.2 Behaviour 71
3.5 The Process Model 76
3.5.1 Syntax 77
3.5.2 Informal Semantics 79
3.6 Formal system model 81
3.6.1 Well-formed systems 81
3.6.2 Operational semantics 82
3.6.3 Strong equivalence 84
3.6.4 Equational laws 87
3.7 A simple example 88
3.8 Conclusions and Related Work 91
3.8.1 Broadcast communication and Real-Time 91
3.8.2 Process Operators 92
4. Analysis via Timed Automata 93
4.1 A bCANDLE System and its Timed Automaton 93
4.2 Models with explicit clocks 95
4.2.1 Clocked Networks 96
4.2.2 Clocked Process Terms 97
4.2.3 Safe Clock Allocations 100
4.2.4 Clocked bCANDLE systems 102
4.3 Timed Automaton Construction 102
4.3.1 Principles of construction 102
4.3.2 Construction of the automaton 103
4.3.3 Commentary on the construction 104
4.3.4 Correctness of the construction 107
4.4 Implementation of the construction 108
4.4.1 Nets 109
4.4.2 Constructing the net for a clocked term 112
4.4.3 Final stage of timed automaton construction 121
4.5 A simple example 122
4.6 Conclusions 125
5. Space-Efficient, On-the-fly Reachability Analysis 126
5.1 Introduction 126
5.2 On-the-fly reachability analysis
5.2.1 Basic algorithm
5.2.2 Clock activity reduction 128
5.3 A Minimised Automaton Representation of Reachable States 132
5.3.1 Minimised Deterministic Finite State Automata 133
5.4 Implementing a MA state store for bCANDLE 135
5.4.1 The state vector 135
5.4.2 Mapping the state vector to MA layers 137
5.4.3 Variable Ordering 138
5.5 An experimental platform 139
5.5.1 The bCANDLE Compiler 139
5.5.2 State Space Storage Modes 139
5.6 Experiments 141
5.6.1 System models 141
5.6.2 Experimental results 141
5.6.3 Discussion of experimental results 142
5.7 Related work 143
5.8 Conclusions and further work 145
6. CANDLE: Modelling and Analysis in Practice 146
6.1 Introduction 146
6.2 A Tour of CANDLE 146
6.2.1 Modules 147
6.2.2 Data declarations 148
6.2.3 Expressions 151
6.2.4 Statements 152
6.3 SDML: Simple Data Modelling Language 159
6.3.1 Types 160
6.3.2 Constants 161
6.3.3 Expressions 161
6.3.4 Functions and Procedures 161
6.3.5 Statements 162
6.3.6 Semantics 163
6.4 Constructing a Formal Model 164
6.4.1 Declarations 165
6.4.2 Behaviour 167
6.4.3 An example 172
6.5 The CANDLE Development Environment 175
6.5.1 Overview 175
6.5.2 Validation Environment 177
6.5.3 The OPEN/CÆSAR Architecture 178
6.5.4 Model Generation 178
6.5.5 Model Exploration 179
6.6 An example 180
6.6.1 The CANDLE program 180
6.6.2 The bCANDLE model 182
6.6.3 Analysis of the model 183
6.7 Conclusions and Related Work 187
6.7.1 Conclusions 187
6.7.2 Related Work 187
7. Conclusions and Further Work 189
7.1 Conclusions 189
7.2 Further Work 189
Appendix 191
A. Flow Regulator TA 192
A.1 KRONOS .tg Format 192
A.2 Flow Regulator TA 192
B. Proofs 195
B.1 Correctness of the translation 195
C. The CANDLE Grammar 209
C.1 Syntax Notation 209
C.2 Lexical Conventions 210
C.3 Modules 210
C.4 Declarations 210
C.4.1 Type Declarations 211
C.4.2 Constant Declarations 211
C.4.3 Variable Declarations 211
C.4.4 Function and Procedure Declarations 211
C.4.5 Channel Declarations 212
C.4.6 Exception Declarations 212
C.5 Expressions 212
C.6 Behaviour 213
C.6.1 Send statement 214
C.6.2 Receive statement 214
C.6.3 Elapse statement 214
C.6.4 Assignment statement and Procedure Call 214
C.6.5 If statement 214
C.6.6 Repetition statements 214
C.6.7 Select statement 215
C.6.8 Trap statement 215
C.6.9 Module Instantiation 215
D. The SDML Grammar 216
D.1 Introduction 216
D.2 Data Modules 216
D.3 Declarations 216
D.3.1 Type Declarations 216
D.3.2 Constant Declarations 217
D.3.3 Function and Procedure Declarations 217
D.3.4 Variable Declarations 218
D.4 Expressions 218
D.5 Statements 219
D.5.1 Assignment statement and Procedure Call 219
D.5.2 Return statement 219
D.5.3 If statement and Repetition 220
E. Glossary 221
Bibliography 226
LIST OF FIGURES
1.1 Simple Embedded Control System 2
1.2 CAN Frame - Standard Format 8
2.1 A simple timed automaton 22
2.2 Product construction for timed automata 24
2.3 Level Crossing Control System 25
2.4 Test automaton for bounded response 28
2.5 TBA for bounded response 29
2.6 Clock regions on {h1, h2} with c1 = c2 = 2 35
2.7 Region graph reachability 37
2.8 Convex and Non-convex Polyhedra 41
2.9 Operations on Polyhedra 42
2.10 Representation of a convex polyhedron by DBM's 44
2.11 Weighted graph interpretation of a DBM 45
2.12 Procedure to compute the canonical form of a DBM 46
2.13 Convex decompositions of a non-convex polyhedron 48
2.14 An algorithm for reachability based on the simulation graph 51
3.1 Control system model 60
3.2 Transmission Status Notation (m ∈ M and t1, t2 ∈ ℝ∞) 68
3.3 Rules for Network Behaviour 75
3.4 Example of network behaviour 76
3.5 Rules for Basic Systems 83
3.6 Rules for Guard, Sequential Composition, Choice and Recursion 84
3.7 Rules for Interrupt and Parallel Composition 85
3.8 Flow regulator in bCANDLE 89
3.9 Simulator trace of the flow regulator example 90
4.1 One-shot flow regulator in bCANDLE 94
4.2 A timed automaton for the one-shot flow regulator 95
4.3 Rules for Network Edges 104
4.4 Rules for Basic System Edges 105
4.5 Rules for Guard, Sequential Composition, Choice and Recursion Edges 106
4.6 Rules for Interrupt and Parallel Composition Edges 107
4.7 Invariant function I : bCAN → ... 108
4.8 Example Net 110
4.9 Rules for fire 113
4.10 Net for a basic term 113
4.11 Net for a sequential composition 114
4.12 Net for a data-guarded term 114
4.13 Net for a choice 115
4.14 Net for an interrupt 116
4.15 Net for a recursion 118
4.16 Compact net for a recursion 118
4.17 A recursion with indirections 119
4.18 A recursion with indirections removed 120
4.19 Algorithm to remove indirections 120
4.20 Algorithm to construct a timed automaton 122
4.21 The flow regulator revisited 123
4.22 Net for the flow regulator 123
5.1 Algorithm for on-the-fly reachability for bCANDLE 128
5.2 A minimised automaton 134
5.3 Structure of a bCANDLE state vector 135
5.4 Simple DBMs 136
5.5 State vector representation of a 3-clock zone 137
5.6 Orderings of the cells of DBM Mil (see Figure 5.4) 139
6.1 Flow Regulator: Instantiated and Renamed 159
6.2 Flow Regulator in CANDLE 173
6.3 CANDLE Development Environment: Architecture 176
6.4 CANDLE Validation Environment: Architecture 177
6.5 The Steam Boiler module 180
6.6 Water-level Sensor and Pump modules 181
6.7 Controller module 182
6.8 Steam Boiler Data Module 183
6.9 A bCANDLE model for a simple boiler controller 184
LIST OF TABLES
3.1 Example of Transmission Latency Functions
3.2 Equational laws 87
5.1 Test systems 141
5.2 Comparison of storage modes 142
5.3 Impact of variable ordering on minimised automaton modes 142
1. INTRODUCTION 
This dissertation is concerned with the formal modelling and analysis of embedded control systems. We adopt the view that the construction and analysis of a formal model can contribute significantly to increased confidence in correct system operation. Attention is directed to distributed systems whose components communicate using a broadcast communication network. The deployment of such systems is becoming increasingly common, and ensuring the reliable fulfilment of their intended function is a challenging problem. In the rest of this chapter, the topics of embedded systems, formal methods and broadcast communication are introduced. The chapter concludes with a review of the approach and contribution of the dissertation.
1.1 Embedded Control Systems 
Embedded computer systems [Kop97] are pervasive in the electronic equipment upon which we all are coming to depend. Applications range from household products such as microwave ovens, video recorders and cellular phones to control systems for the transportation, chemical, electrical, gas, oil and nuclear industries. What these computer systems have in common is that they are embedded in a physical environment with which they are required to interact for the purpose of control or monitoring. The role of the computer system in such interaction is typically
• to monitor significant variables of the environment such as temperature, pressure, flow or level;
• to execute a control algorithm which takes as its input the values of environmental variables and computes output values in accordance with one or more mathematical models of the physical system;
• to use values computed by the control algorithm to generate signals to the environment in order to control its function or optimise its performance.
The function of monitoring the environment is performed by physical sensors within it. For example, a thermocouple produces an analogue signal (a voltage) which varies with the temperature of the environment in which it is placed. A digital value is obtained from an analogue signal by A/D conversion, calibration and transformation to standard measurement units (e.g. degrees Celsius) in a process known as signal conditioning. Such digital values are the inputs to the control algorithms of the computer system.
Fig. 1.1: Simple Embedded Control System (components shown: Computer Control System, Control Valve, Flow Sensor, Flow Setpoint)
Control algorithms are developed by control engineers who understand the behaviour of the physical environment. The function of a control algorithm is to generate output signals to the environment to influence its behaviour so that some performance criterion is satisfied, even in the presence of random disturbances.
Output from control algorithms is transmitted to the environment in digital or analogue form. For example, a digital output may cause a heating element to be turned on or a valve to be closed, or an analogue output, generated by a D/A converter, may vary a demand voltage to an electric motor in order to control its speed.
Figure 1.1 illustrates a simple embedded control system [Kop97]. The objective of the control system is to maintain the flow of liquid through a pipe at a set rate, despite changing environmental conditions: varying level of liquid in the vessel or temperature sensitive viscosity of the liquid, for example. The computer interacts with its physical environment by monitoring the rate of flow, using the flow sensor F, and adjusting the position of the control valve to bring the flow rate as close as possible to the set-point.
In many systems, control is distributed among several computing nodes interconnected by a communication network [Tor98]. A distributed computing system architecture is often a 'good fit' with the distributed nature of the physical environment. Cooperating control units can be placed close to the physical devices which they control, communicating with each other via a simple computer network rather than the expensive and heavy wiring harness of traditional control systems. A distributed architecture also accords with sound design principles such as modularity, dependability and scalability [Kop97].
The emphasis in this work is on techniques for increasing confidence in aspects of distributed system dependability. Laprie [Lap90] identifies dependability as being concerned with those attributes of a computer system pertaining to the quality of service which it delivers to its users over an extended period of time. It is clear that failure of an embedded system to deliver an acceptable quality of service may have catastrophic consequences, either for the safety of the physical environment or for the economic soundness of the system's supplier, which may suffer as a result of the need to recall or repair many faulty units of a mass produced commodity.
A crucial aspect of the dependability of an embedded system is its ability to react to stimuli from the environment in a timely way. More precisely, an embedded control system is a real-time system whose correctness depends not only on the logical results of computations, but also on the physical instants at which those results are produced [Sta88]. Real-time systems are classified as either hard or soft. A hard real-time system is a real-time system in which a single failure to produce a correct result within a specified interval of time is regarded as unacceptable. A soft real-time system is one in which a (usually small) number of such failures, over a given period of time, can be tolerated.
In this dissertation, we treat hard real-time systems, and are particularly concerned with techniques which seek to contribute to the assurance of system dependability by demonstrating that temporal requirements are satisfied under all possible workloads. Such techniques rely upon the predictability of the temporal properties of all aspects of system behaviour, including worst case execution times of application code and operating system services, and also communication latencies and hardware performance [CVGH98, Hal93, HS91]. The requirement for predictability demands simplicity in system design, and when necessary, flexibility and resource utilisation are sacrificed by adopting static structures which can be analysed at design time.
1.2 Formal Methods 
Formal methods entail the use of mathematically based languages, techniques and tools for developing and reasoning about computer hardware and software. The mathematics required is usually discrete mathematics, incorporating ideas from set theory and logic. The use of mathematics has an impact both on the descriptive and on the analytical tasks which are required in the development of a computer system. For example, a descriptive task, such as specifying a set of requirements, can be accomplished precisely, concisely, and unambiguously using a mathematical language. Similarly, an analytical task, such as demonstrating that a program function correctly implements a high-level design, can be discharged convincingly using a mathematically rigorous argument. The objectives in applying a formal method are to achieve clarity and precision in description, and to reduce reliance on human intuition and judgement in analysis, making greater use of mathematical calculation.
This broad framework allows for a variety of levels of formality in the application of formal methods within a project. The NASA guidebook [Nat97] identifies the following:
1. Level 1 methods involve the use of notations and concepts derived from discrete mathematics in order to develop more precise requirements statements. Analysis, if any, is informal. There are no mechanical tools (computerised algorithms) to support the writing or analysis of formal expressions.
2. Level 2 methods involve the use of formalised specification languages with mechanised support tools ranging from syntax checkers and pretty-printers to type checkers, interpreters and animators. Usually, tool support for eliciting or checking mathematical arguments is not available.
3. Level 3 methods involve the use of formal languages with rigorous semantics and correspondingly formal methods of semantical analysis which support mechanisation.
Wolper [Wol97] categorises methods at levels 1 and 2 as 'weak' formal methods and methods at level 3 as 'strong'. His opinion is that
Without semantical analysis formal methods are of limited value with respect to their stated goal of ensuring the correctness of software systems: their formal syntax and semantics are just theoretical properties, not assets that are exploited in a substantial way. From the point of view of the author, a strong formal method even with limited applicability is more meaningful than a weak one that is perfectly general.
There is a similar latitude in the scope of application of formal methods within a project. For example, some stages in the development life cycle may be singled out for particular attention, certain system components may be identified as critical to mission success or safety, and some system properties may be judged particularly important and worthy of special attention.
Careful decisions are needed about the appropriate level of formality and scope of application for each individual project, so that a good balance can be achieved between the costs and benefits of formalisation.
In this work, we consider the problem of constructing formal models of distributed embedded control systems, and of providing mechanical assistance for the analysis of their functional and temporal properties. So the focus is on 'strong' formal methods, in Wolper's sense. As to scope of application, it is often acknowledged that a formal model is useful in the design stages of a computer system, as it facilitates the early detection of bugs and helps to avoid expensive implementation of a faulty design. This is certainly the case. In addition, however, we wish to emphasise the usefulness, for embedded systems particularly, of a formal model of (some features of) the implementation. The satisfaction of temporal properties of the system usually depends crucially on implementation decisions whose details may not be available in the early stages of design. For example, choice of processors and communication mechanisms, task and message allocation and priorities, scheduling policies, and so on, can all have a significant effect on real-time performance. It is important to take steps to gain assurance that temporal requirements which are satisfied by the design are also preserved in the implementation.
Experience suggests that successful application of formal methods in an industrial setting depends upon a number of factors, including
• the use of expressive languages which are accessible to system designers, being 'intuitive' and 'easy to use';
• the availability of computer-based tools which provide prompt and useful feedback to their users; and
• the ability to integrate the formal method into a familiar development methodology, so that the method augments, rather than replaces, traditional techniques.
Many prominent formal methods are very expressive within a given context: e.g., Z [Spi88] and VDM [Jon90] offer the full generality of set theory and predicate calculus; Petri nets [Mur89] offer a general model of concurrency, and Hybrid Automata [Hen96] allow the expression of a wide variety of timed systems. However, there is a growing interest in domain specific languages [JW96], which sacrifice generality of expression in order to offer the system designer a more familiar syntax, a greater ease of expression for typical applications within their domain, and the possibility of tractable analysis supported by software tools. It is hoped that these advantages can weaken resistance to the application of formal methods in industry by reducing the cost of model building and analysis. This is the approach followed here.
The need for automation and the provision of useful feedback to the user has led to the increasing popularity of a style of analysis known as model checking [CGP99]. Model checking is a technique which relies on building a finite state transition model of a system and checking that a desired property holds in that model. The basic procedure in model checking is exhaustive state space search, which is guaranteed to terminate since the model is finite. Once the model has been constructed and the property of interest specified, the checking is entirely automatic. Furthermore, in the case that the property does not hold in the model, a counterexample is generated, which can provide the designer with valuable insight into the behaviour of the system and aid in debugging.
The main obstacle in the application of model checking to industrial scale systems is the size of the state spaces which arise in exhaustive search. This is known as the state explosion problem. There are many techniques for attacking this problem (§2.7.7). Here, we mention the importance of abstraction [LGS+95]. An abstract model omits detail from the system description. However, it retains sufficient detail to preserve system properties of interest. In this way, the size of the state space to be searched is reduced and useful questions can be decided in practice. Some abstract models are exact, i.e., for all properties of interest, the property holds for the model iff it holds for the system. Other abstract models are conservative approximations, i.e., if a property holds for the model, it also holds for the system; but, if it does not hold for the model, its status with respect to the system is undecided. Clearly, an exact abstraction is desirable, but a conservative approximation may lead to a greater reduction in the size of the state space. If a property fails to hold in a conservative approximation, further investigation is required to determine if the failure is a genuine feature of the system, or an aberration caused by the approximation. Conservative approximations have been used successfully to analyse the behaviour of embedded system implementations [BHKR94, Cor96] and they are used extensively in the rest of the dissertation.
Even an abstract formal model can produce a state space which is too large to search completely in a reasonable amount of time or memory. Nevertheless, the model can be used effectively for debugging the design or implementation from which it is derived. The focus here changes from verification based on exhaustive search to falsification based on semi-exhaustive search [FKFV99]. Techniques motivated by this point of view include state storage methods which allow a small probability that some reachable states are not explored [Hol95, Ste97] and simulation techniques which aim for a saturated coverage of the state space [GA98, YSAA97]. The coverage provided by these methods can improve significantly on traditional validation techniques such as simulation and testing [Mye79].
In summary, formal methods are one important approach among several for gaining increased confidence in system dependability. The benefits include increased understanding gained from the construction and analysis of formal models, improved communication made possible by formal documentation, and a formal basis provided for the construction of software tools to assist in system development.
1.3 Broadcast Communication 
The communication architecture encountered most frequently in the implementation of distributed embedded control systems is the broadcast bus [UK94]. In broadcast communication, a message transmitted from a single sending node can be received directly by all nodes connected to the network. This contrasts with point-to-point communication in which messages are transmitted from a single sender to a single receiver. The use of a broadcast bus simplifies implementation of the common requirement in an embedded system to provide a consistent view of the state of the physical environment to a number of different nodes, e.g., to a man-machine interface, a process control node and an alarm-monitoring node [Kop97]. It can also simplify the implementation of clock synchronisation and the tolerance of individual node failures.
A wide variety of broadcast protocols is seen in practice, each offering a solu-
tion to the problems posed by a particular application area, e.g., Profibus [DIN89] 
for process control, LON [Ech91] for building automation and CAN [ISO92], 
TTP [KG93] and QWIK [Jo99] for automotive applications. It is not our in-
tention to review this extensive field here. Surveys of the relevant principles 
and applications can be found in [Kop97, KS97, UK94, Ver97b]. However, we 
do offer a more detailed consideration of one such protocol, CAN, which is the 
basis of the formal model presented later in the dissertation and will serve as 
our canonical example of broadcast communication. 
1.3.1 Controller Area Network 
Controller Area Network (CAN) [Bos91, ISO92] is a simple, deterministic, 
broadcast communication protocol which is not only attractive to system de-
velopers but also amenable to formal modelling and analysis. It is gaining 
increasing importance and attention in the implementation of distributed real-
time systems, as evidenced by the variety of contributions in the proceedings 
of recent International CAN Conferences [CiA99]. 
CAN provides multi-master, priority-based bus access using a CSMA/CD 
protocol similar to Ethernet's, but with a deterministic collision resolution pol-
icy which makes it suitable for use in hard real-time systems. It is a robust 
protocol offering high reliability even in harsh electromagnetic environments 
and is suitable for the transmission of short messages over a small area at 
speeds of up to 1 Mbit/s. CAN was developed by Bosch in the mid-eighties 
in order to reduce the need for complex wiring harnesses in the automotive 
industry. Its use in the European car industry has grown to the point where 
it is an acknowledged industry standard and its popularity is growing in the 
USA where it has been accepted as a standard by the SAE for bus and truck 
manufacture [SAE92]. The availability of low cost components from a vari-
ety of manufacturers, who are seeking to satisfy the high volume requirements 
of the automotive industry, has encouraged the use of CAN in an expanding 
range of application areas, including: medical, packaging control, agricultural 
machinery, lift control, measurement, robot control and PLC controlled manu-
facturing. 
CAN Operation 
Information is transmitted as fixed format frames which consist of a message 
identifier, 0 to 8 data bytes and sundry control bits as shown in figure 1.2. The 
physical medium is usually twisted pair cable over which frames are transmitted 
using NRZ encoding with stuff bits inserted when needed to preserve synchro-
nisation. When the bus is idle, any connected node may start to transmit a new 
frame. If two or more nodes start to transmit frames at the same time, the bus 
access conflict is resolved by non-destructive bitwise arbitration which is based 
upon the message identifier. The bitwise arbitration mechanism classifies bits 
as either dominant or recessive. During transmission of the arbitration field, 
transmitting nodes monitor the bus. Transmission of a dominant bit by any 
node causes all nodes to monitor a dominant bit on the bus; only if all transmit-
ting nodes send a recessive bit is the monitored bit recessive. If the transmitted 
bit is recessive, but a dominant bit is detected on the bus, the transmitting 
node recognises that it has lost the bus arbitration, ceases transmission of its 
frame and behaves as a receiver of the highest priority competing frame. In 
a standard CAN frame, the arbitration field consists of the message identifier 
and the RTR (Remote-Transmit-Request) bit. A message identifier consists of 
11 (29) bits in the standard (extended) frame format and is interpreted as a 
non-negative integer assigning a priority to the frame. Priorities are assigned 
in monotonically decreasing order starting from 0. The transmitter with the 
frame of highest priority gains bus access without experiencing any delay due 
to the access conflict, i.e. it behaves as if it were the only node seeking access 
to the bus. This property makes the bus particularly suitable for predictable, 
real-time communication. Frames which are disturbed either by losing arbi-
tration or by the occurrence of errors during transmission are retransmitted 
automatically when the bus becomes idle again. A frame which is retransmit-
ted is handled like any other frame, i.e. it participates again in the arbitration 
process in order to gain bus access. 
[Figure 1.2: standard-format CAN frame, fields left to right: SOF (1 bit); Arbitration Field (11-bit IDENTIFIER, RTR); Control Field (IDE, r0, 4-bit DLC); Data Field (0-8 bytes DATA); CRC Field (15-bit CRC); ACK; End of Frame (7 bits); Intermission (3 bits); Bus Idle.] 
Fig. 1.2: CAN Frame - Standard Format 
In addition to giving a priority to a frame, the message identifier is also 
used by each receiving node to determine whether or not it wishes to 'accept' 
the frame. There is no address associated with a frame to indicate its intended 
recipient. Each node connected to the bus performs an acceptance test during, 
or shortly after, the transmission of a frame. If the frame passes the test, its 
data field is made available to the accepting node, otherwise the node ignores 
the frame. 
CAN-based protocols and analysis 
There has been much interest in developing CAN-based protocols and analysis 
to solve a variety of typical distributed system problems. Tindell et al. [THW94] 
show how fixed priority pre-emptive scheduling analysis can be applied in order 
to bound message response time for systems with a suitably restricted compu-
tational model [TBW95]. Another approach to message scheduling is presented 
in [LKJ99], in which hard real-time messages are allocated off-line to slots in a 
Time Division Multiple Access (TDMA) schedule [KS97], with redundant time 
slots provided to achieve some fault tolerance; the redundant slots are used in 
the Earliest Deadline First (EDF) scheduling [KS97] of soft real-time messages, 
in the case of error-free transmission. Verissimo et al. [VRM97] derive bounds 
for bus inaccessibility under a variety of fault scenarios. Protocols for achiev-
ing atomic broadcast in the presence of network faults are given in [RVA +98] 
and [LK99]. A solution to the problem of fault-tolerant clock synchronisation 
is presented in [RGR98]. The only other formal study of CAN-based communi-
cation, so far as we know, is the Z specification of the protocol by Benzekri and 
Bruel [BB97]; however, real-time and performance aspects are not discussed in 
their work. 
1.4 The dissertation 
1.4.1 Justification 
The work presented in this dissertation addresses the problem of providing a 
high-level language for modelling embedded systems which communicate using 
broadcast communication, with a view to exploiting efficient, automated analysis 
techniques in order to increase confidence in the satisfaction of temporal system 
properties. We briefly justify our belief in the need for work in these areas. 
High-level language We have argued that a formal approach to system de-
velopment is an important component in the construction of dependable 
systems, and that high-level languages and computer-aided analysis are 
required if formal methods are to be of practical use in industry. Much 
recent research on formal analysis of real-time systems has concentrated 
on techniques based on timed automata [AD90]. However, the language of 
timed automata is generally acknowledged to be too low-level for general 
use [AD94, BFK+98, Tri98, Pet99]. Therefore, there is a need for re-
search on methods to exploit the analysis techniques developed for timed 
automata in the context of high-level languages for modelling and devel-
opment. 
Broadcast communication An increasing number of distributed embedded 
systems are implemented which rely on broadcast communication. CAN 
is a simple, predictable broadcast protocol which is coming to dominate a 
large sector of this market. As it is often employed in systems which de-
mand high dependability, there is considerable interest in the question of 
how to apply formal methods in the development of CAN-based systems. 
Currently available methods, however, do not offer a straightforward way 
to model systems which communicate via the CAN protocol. Our work 
is aimed at providing such a method. 
Efficient analysis A high-level language for modelling broadcast systems will 
only be useful in so far as there are efficient techniques for analysing 
the models which are described with it. Our work shows how existing 
techniques can be applied and also proposes new techniques for efficient 
analysis. 
1.4.2 Structure and contribution 
Chapter 2 introduces labelled timed transition systems as a basic model for real-
time systems and describes how such models can be derived using either timed 
automata or timed process algebra. The use of automata and temporal logic 
for the specification of system properties is presented. Techniques for verifying 
that a timed model possesses specified properties are described in some detail. 
This chapter presents no new results but is the foundation on which the rest of 
the dissertation is built. 
Chapter 3 presents a new system modelling language, called bCANDLE, 
which allows the expression of process behaviour using a small set of process 
operators, includes primitives for broadcast communication based on a CAN-
style protocol, and permits the modelling of both data and control structures. 
It is shown that the language satisfies a number of algebraic laws and is ex-
pressive enough to model essential features of CAN communication, including 
message priorities and channel latency, as well as standard real-time constructs, 
such as timeouts and watchdog timers. So far as we know, this is the first for-
mally defined language which treats broadcast communication with prioritised 
message passing over latent channels in a dense time framework. 
Chapter 4 defines a translation to timed automata for a large subset of 
bCANDLE systems. An efficient method for performing the translation is de-
scribed and implemented. This work builds upon and extends the approach 
developed by Garavel in the translation of LOTOS [Gar92] and of Yovine in 
the translation of ATP [Yov93]. We demonstrate the use of the method by 
applying it to a simple bCANDLE model which is analysed using the KRO-
NOS [BDM+98] model-checking tool. 
Chapter 5 presents two techniques for efficient analysis of bCANDLE mod-
els: firstly, an on-the-fly generation of the simulation graph, incorporating clock 
activity reduction; secondly, a BDD-like, compact representation of the state 
space which treats discrete data variables and clock variables in a uniform man-
ner. The application of the latter technique to timed systems is entirely novel. 
The former technique is based upon a combination of methods which is pre-
sented here for the first time. 
Chapter 6 serves to validate the ideas presented in Chapters 3-5, and to 
point the way to future developments. It presents a high-level modelling lan-
guage whose semantics are given by translation to bCANDLE, so providing a 
route to the use of the numerous analysis techniques based on timed automata, 
including those introduced in Chapter 5. The framework of a practical mod-
elling and analysis environment is outlined. The utility and limitations of the 
techniques are illustrated in a small case study. 
Chapter 7 summarises the work and suggests lines of future enquiry. Related 
work is referred to and discussed in context. 
2. MODELS, SPECIFICATIONS AND 
CORRECTNESS 
2.1 Introduction 
Very simply, the use of formal methods in the development of a computing 
system involves: 
1. the construction of a symbolic representation of (part of) the system, 
which captures what are believed to be essential features of its structure 
or behaviour. We call this symbolic representation a model. 
2. the construction of a symbolic representation of some desired property of 
the system's structure or behaviour. We call this symbolic representation 
a specification. 
3. the demonstration that the property described by a specification is exhib-
ited by a model of the system. Such a demonstration is said to establish 
the correctness of the model with respect to its specification. 
There is a wide variety of languages for expressing models and specifications, 
and of methods for establishing correctness. In this chapter, we introduce in 
some detail those languages and methods which are relied upon later in the 
dissertation. We also give a brief review of alternatives. 
Most models of real-time systems, and specifications of their properties, em-
ploy a representation of Time. The representation which we use is introduced 
in §2.2. In §2.3, we introduce labelled transition systems and their executions, 
which serve as a unifying model of computation for both system models and 
specifications. Labelled transition systems can be described using several lan-
guages, including process algebra and automata which are the topics of §2.4 and 
§2.5, respectively. Specifications can also be given as automata, but in addition 
we use temporal logic; these approaches are discussed in §2.6. Verification is 
the topic of §2.7. Finally, in §2.8 we summarise and mention briefly some other 
approaches to modelling, specification and verification which have appeared in 
the literature. 
2.2 Models of Time 
Notation. In this section, and throughout the dissertation, the following nota-
tion is used to denote sets of numbers: $\mathbb{R}$ - the set of non-negative real numbers; 
$\mathbb{Q}$ - the set of rational numbers; $\mathbb{Z}$ - the set of integers; and $\mathbb{N}$ - the set of natural 
numbers. 
The model of time used in this work is the non-negative reals, which we denote 
by $\mathbb{R}$ and use with the usual operations of equality ($=$), ordering ($\le$), addition ($+$), 
and multiplication ($\cdot$). As usual, we write $t < t'$ if $t \le t'$ and $t \ne t'$. It is 
sometimes convenient to augment this domain with a value, $\infty$, which is defined 
to be strictly greater than any other time value. We write $\mathbb{R}_\infty$ for $\mathbb{R} \cup \{\infty\}$ and 
assume that the arithmetic operators and relations are extended to $\mathbb{R}_\infty$ in the 
usual way: for every $t \in \mathbb{R}$, $t < \infty$, and for every $t \in \mathbb{R}_\infty$, $t + \infty = \infty + t = \infty$. 
We also make use of an operator for subtraction, $\dot{-} : \mathbb{R}_\infty \times \mathbb{R} \to \mathbb{R}_\infty$, which 
satisfies, 
This model of time is one of a number which have been proposed for use 
in the analysis of real-time systems [AH91, Jos91, Koy91, Nic92]. We briefly 
draw attention to some salient features and their relationship to the model of 
computation which will be used. 
An important choice is the one between a dense or a discrete time domain. 
In a dense domain, such as $\mathbb{R}$ or $\mathbb{Q}$, any two distinct time points are separated 
by a set of intervening points which are also elements of the domain. In a 
discrete domain, such as $\mathbb{Z}$, each time point has a unique successor. Formally, 
$\mathbb{R}$ is a dense domain since it satisfies 
$(\exists\, t, t' \in \mathbb{R} \,.\, t < t') \wedge (\forall\, t, t' \in \mathbb{R} \mid t < t' \,.\, \exists\, t'' \in \mathbb{R} \,.\, t < t'' < t')$ 
whereas $\mathbb{N}$ is a discrete domain since it satisfies 
$\forall\, t, t' \in \mathbb{N} \,.\, t < t' \Rightarrow (\exists\, t'' \in \mathbb{N} \,.\, t < t'' \wedge \forall\, t''' \in \mathbb{N} \,.\, t < t''' \Rightarrow t'' \le t''')$. 
Alur [Alu91] has argued convincingly that dense time is more appropriate in 
the modelling of asynchronous systems, where an arbitrarily small amount of 
time may separate event occurrences. If a discrete domain is chosen, then 
continuous physical time must be approximated by fixing a time granularity a 
priori, and no matter how fine the granularity chosen, for some systems the 
discrete model is not accurate enough to ensure that all possible erroneous 
behaviours will be detected [ACD93]. This problem has been noted also by 
Asarin et al. [AMP98] who exhibit a class of cyclic circuits as an example. 
Moreover, even when it is possible to choose a sufficiently fine granularity, it 
may be so fine that the size of the state space becomes too large for verification 
to be feasible. A dense domain is also more convenient when it comes to the 
composition of systems, since there is no need to worry about matching the 
time granularities of the components, as is the case for a discrete model. A 
possible advantage of the discrete model is that it facilitates the application of 
efficient verification techniques known from the analysis of untimed systems, in 
particular symbolic state space representation using binary decision diagrams 
(BDDs) [Bry86, McM92]. It remains to be seen whether or not efficient symbolic 
representations will be discovered for dense time systems; the clock difference 
diagrams of [LWYP98] show some promise in this respect. Another interesting 
approach is to consider when it is possible to construct a discrete time model 
which is known to preserve dense time properties, since then we can have the 
expressiveness of the dense time model together with the efficient analysis of 
the discrete model [ABK+97, AMP98, BMPY97, HMP92]. 
An alternative to a point-based domain, such as lR, is a domain based on 
intervals, in which statements concerning the duration of events may be more 
conveniently expressed, see [Koy91] for further details. In its favour, we find 
that the domain lR fits naturally with a simple computational model of time-
stamped event sequences or trees. In this model, events are assumed to happen 
instantaneously, and system behaviour consists in a sequence of two-phase steps. 
In the first phase of a step, time passes by some finite or infinite amount. In 
the second phase, a finite, though arbitrarily large, number of instantaneous 
events occur in some well-defined order. A new step begins when the second 
phase terminates. This two-phase model has proven very effective in practice 
and is widely used; further arguments in its defence can be found in [NS91]. In 
this approach, a duration can be modelled by introducing instantaneous events 
representing its beginning and end. 
It is convenient to assume that event sequences respect a weakly mono-
tonic ordering, i.e., for a sequence $((e_1, t_1), (e_2, t_2), \ldots)$, where $e_i$ represents an 
event and $t_i$ its time-stamp, $t_i$ is required to be less than or equal to 
$t_{i+1}$, rather than strictly less than, as would be required by a strongly mono-
tonic ordering. This allows concurrency to be modelled by the interleaving of 
events: for example, a computation in which the events $a$ and $b$ occur concur-
rently can be modelled by the pair of sequences $(\ldots, (a, t_i), (b, t_{i+1}), \ldots)$ and 
$(\ldots, (b, t_i), (a, t_{i+1}), \ldots)$, where $t_i = t_{i+1}$ in each case. 
One further point about the structure of time, which is also intimately re-
lated to the underlying computational model, concerns views of time as either 
a linear or a branching structure [EH86, Lam80, Pnu85]. In the linear model 
of time, it is assumed that at any moment there is only one possible next mo-
ment; system behaviour is represented as a set of possible execution sequences. 
In the branching model, time has a tree-like structure where it is assumed that 
each moment has at most one directly preceding moment, but perhaps many 
next moments, representing different possible futures; system behaviour is rep-
resented as a tree and an execution is a path through the tree. Each view 
supports the statement of system properties which cannot be expressed in the 
other. We regard the two views as complementary and make no commitment 
to either, but use whichever seems appropriate in the circumstances. 
2.3 Transition Systems 
2.3.1 Labelled Transition Systems 
A method of modelling systems and their behaviour, which has been success-
fully applied in a wide variety of circumstances, is based on the idea that it 
is possible to identify a set of states which characterise certain aspects of the 
system which are of interest to the modeller. A system begins its operation in 
some initial state. During the operation of the system, its state may change. 
A change of state is called a transition and a system model consisting of states 
and transitions is a state transition system (usually abbreviated to transition 
system). It is often useful to associate a label with a transition. The label 
can be used for a variety of purposes: perhaps to identify an action which has 
caused the transition, or an event whose occurrence is indicated by the tran-
sition. A transition system in which labels are associated with transitions is 
called a labelled transition system (LTS). Within this basic framework, a system 
modeller has wide discretion in the choice of states, transitions and labels in 
the construction of a useful model. These ideas are presented formally below. 
Definition 2.1 (Labelled Transition System) A labelled transition system 
$S = (\Sigma, \sigma^I, L, \rightarrow)$ is a tuple where $\Sigma$ is the set of states, $\sigma^I \in \Sigma$ is the initial 
state, $L$ is the set of labels and $\rightarrow \subseteq \Sigma \times L \times \Sigma$ is the set of transitions. $\square$ 
Notation. We write $\sigma \xrightarrow{\lambda} \sigma'$ for $(\sigma, \lambda, \sigma') \in \rightarrow$. If $\sigma \xrightarrow{\lambda} \sigma'$ for some label $\lambda \in L$ 
then $\sigma'$ is said to be a $\lambda$-successor of $\sigma$ and $\sigma$ is a $\lambda$-predecessor of $\sigma'$. If $\sigma'$ is a 
$\lambda$-successor (resp. -predecessor) of $\sigma$, then $\sigma'$ is a successor (resp. predecessor) 
of $\sigma$. If $\sigma$ has a $\lambda$-successor, we note this by $\sigma \xrightarrow{\lambda}$. If $\sigma$ has no $\lambda$-successor, we 
write $\sigma \not\xrightarrow{\lambda}$. We use $\sigma_0 \rightarrow^n \sigma_n$ to denote $\sigma_0 \xrightarrow{\lambda_0} \sigma_1 \xrightarrow{\lambda_1} \cdots \xrightarrow{\lambda_{n-2}} \sigma_{n-1} \xrightarrow{\lambda_{n-1}} \sigma_n$ for 
$0 \le i < n$ and $\lambda_i \in L$, and $\sigma_0 \rightarrow^* \sigma'$ if $\sigma_0 \rightarrow^n \sigma'$ for some $n \in \mathbb{N}$. 
Definition 2.2 (Finite, Finitely Branching, Deterministic) A transition 
system, $S = (\Sigma, \sigma^I, L, \rightarrow)$, is finite if the set of states $\Sigma$ and the transition 
relation $\rightarrow$ are finite. $S$ is finitely branching if for all $\sigma \in \Sigma$ and $\lambda \in L$, the 
set $\{(\lambda, \sigma') \mid \sigma \xrightarrow{\lambda} \sigma'\}$ is finite. $S$ is deterministic if, for any state $\sigma$ and label 
$\lambda$, if $\sigma \xrightarrow{\lambda} \sigma'$ and $\sigma \xrightarrow{\lambda} \sigma''$ then $\sigma' = \sigma''$. $\square$ 
Definition 2.3 (Isomorphism) 
Let $S_1 = (\Sigma_1, \sigma_1^I, L, \rightarrow_1)$ and $S_2 = (\Sigma_2, \sigma_2^I, L, \rightarrow_2)$ be transition systems. $S_1$ 
and $S_2$ are said to be isomorphic iff there exists a bijection $f : \Sigma_1 \to \Sigma_2$ such 
that 
1. $f(\sigma_1^I) = \sigma_2^I$, and 
2. for every $\sigma, \sigma' \in \Sigma_1$, $\lambda \in L$, $\sigma \xrightarrow{\lambda}_1 \sigma'$ iff $f(\sigma) \xrightarrow{\lambda}_2 f(\sigma')$. $\square$ 
Definition 2.4 (Path) Let $S = (\Sigma, \sigma^I, L, \rightarrow)$ be a transition system. Let 
$\sigma \in \Sigma$. A path in $S$ from $\sigma$ is a finite or infinite sequence, $p = \sigma_0 \lambda_0 \sigma_1 \lambda_1 \sigma_2 \lambda_2 \ldots$, 
of alternating states and labels which satisfies 
1. $p$ starts with state $\sigma = \sigma_0$, known as the source of $p$, and 
2. for all $i = 0, 1, \ldots$, $\sigma_{i+1}$ is a $\lambda_i$-successor of $\sigma_i$. $\square$ 
A path of length $n$ is a finite path $p = \sigma_0 \lambda_0 \sigma_1 \lambda_1 \ldots \lambda_{n-1} \sigma_n$. Let $p = \sigma_0 \lambda_0 \sigma_1 \lambda_1 \ldots$ 
be a finite or infinite path. For $i = 0, 1, 2, \ldots$, the $i$-th state of $p$, denoted $p(i)$, 
is defined to be $\sigma_i$ and the $i$-th label of $p$, denoted $\mathit{label}_p(i)$, is defined to be $\lambda_i$. 
Definition 2.5 (Reachability) A state $\sigma'$ is reachable from state $\sigma$ iff there 
is a path in $S$ from $\sigma$ which contains $\sigma'$. The state $\sigma$ is reachable in $S$ iff $\sigma$ is 
reachable from the initial state, $\sigma^I$. $\square$ 
2.3.2 Timed Transition Systems 
A real-time system can be modelled as a labelled transition system. The actions 
of the system are represented by transitions whose labels are drawn from some 
set A of actions. Such transitions are known as discrete transitions and are 
assumed to be atomic and instantaneous. The passage of time is modelled by 
transitions whose labels are drawn from the set of non-negative real numbers 
$\mathbb{R}$; these transitions are called time transitions. The set of labels is thus $A \cup \mathbb{R}$. 
We assume $A \cap \mathbb{R} = \emptyset$. In order to serve as a model of a real-time system, 
we require that the transition system $S = (\Sigma, \sigma^I, L, \rightarrow)$ satisfies the following 
properties: 
Time determinism The evolution of the system is deterministic with respect 
to the passage of time [NS91, Nic92, Yi90], i.e., for a given state and a 
given time, there is at most one state which can be reached in a single 
step by taking the time transition. Formally, 
$\forall\, \sigma, \sigma', \sigma'' \in \Sigma;\ t \in \mathbb{R} \,.\, \sigma \xrightarrow{t} \sigma' \wedge \sigma \xrightarrow{t} \sigma'' \Rightarrow \sigma' = \sigma''$ 
Time additivity The evolution of the system is continuous with respect to the 
passage of time [NS91, Nic92, Yi90]. If a time transition is possible from 
some state, then all smaller time transitions are also possible. Formally, 
$\forall\, \sigma, \sigma' \in \Sigma;\ t, t' \in \mathbb{R} \,.\, \sigma \xrightarrow{t+t'} \sigma' \Leftrightarrow \exists\, \sigma'' \in \Sigma \,.\, \sigma \xrightarrow{t} \sigma'' \wedge \sigma'' \xrightarrow{t'} \sigma'$ 
Definition 2.6 (Timed Transition System) A timed transition system $S = 
(\Sigma, \sigma^I, L, \rightarrow)$ is a labelled transition system whose set of labels $L$ is $A \cup \mathbb{R}$ for 
some set $A$ such that $A \cap \mathbb{R} = \emptyset$, and which satisfies the properties of time 
determinism and time additivity. $\square$ 
Definition 2.7 (Execution, Run) An execution or run of a timed transition 
system $S$, starting from a state $\sigma$, is an infinite path in $S$ from $\sigma$. We denote 
the set of all executions from $\sigma$ by $\Xi_S(\sigma)$, and by $\Xi_S = \bigcup_{\sigma \in \Sigma} \Xi_S(\sigma)$ the set of 
executions of $S$. $\square$ 
We are primarily interested in those runs which can be regarded as a model 
of some physical system. In particular, we wish to ensure that basic physical 
laws concerning Time are respected: 
1. a system cannot act with infinite speed, and 
2. a system cannot block the progress of Time. 
These ideas are captured for a timed transition system in the definition of a 
time-divergent run. 
Definition 2.8 (Time-divergent run, Non-Zeno system) 
Let $S = (\Sigma, \sigma^I, L, \rightarrow)$ be a timed transition system, $\zeta \in \Xi_S$ an execution in 
$S$ and $i, n \in \mathbb{N}$. The $i$-th delay in $\zeta$, denoted $\delta_\zeta(i)$, is defined to be $\mathit{label}_\zeta(i)$ 
if $\mathit{label}_\zeta(i) \in \mathbb{R}$, otherwise $\delta_\zeta(i)$ is $0$. The time elapsed in $\zeta$ from $\zeta(0)$ to $\zeta(n)$, 
denoted $\Delta_\zeta(n)$, is defined 
A run $\zeta$ is time-divergent (or simply divergent) iff $\lim_{i \to \infty} \Delta_\zeta(i) = \infty$. The set 
of time-divergent runs from $\sigma \in \Sigma$ is denoted $\Xi^\infty_S(\sigma)$ and the set $\bigcup_{\sigma \in \Sigma} \Xi^\infty_S(\sigma)$ 
of all time-divergent runs in $S$ is denoted $\Xi^\infty_S$. 
$S$ is a Non-Zeno (well-timed) system iff every reachable state $\sigma \in \Sigma$ is the 
source of some time-divergent run. $\square$ 
Remark 2.1 (Finite Variability, Time Progress) It follows directly from 
Definition 2.8 that there is a finite number of transitions in any 
bounded time interval of a divergent run $\zeta$. It is also apparent that for any 
$t \in \mathbb{R}$, there is a number $n \in \mathbb{N}$ such that $\Delta_\zeta(n) > t$, i.e., time progresses 
beyond any bound. 
2.3.3 Composition of transition systems 
A complex system can be modelled by identifying and modelling smaller com-
ponents of the whole system and then by stating precisely what is the behaviour 
of the system which is obtained by combining components. 
A standard form of combination for transition systems is a product which 
models the parallel execution of two or more transition systems as a single 
system. We now define a commonly used product of transition systems. Let 
$S_1 = (\Sigma_1, \sigma_1^I, L_1, \rightarrow_1)$ and $S_2 = (\Sigma_2, \sigma_2^I, L_2, \rightarrow_2)$ be two transition systems 
which we assume to represent system components. In the product of $S_1$ and 
$S_2$, a state is a pair $(\sigma_1, \sigma_2)$ where $\sigma_1 \in \Sigma_1$ and $\sigma_2 \in \Sigma_2$. The transitions of 
the product take their labels from the set $L_1 \cup L_2$. If $\lambda$ is a label which occurs 
both in $L_1$ and in $L_2$, then we require each of $S_1$ and $S_2$ to perform a $\lambda$-labelled 
transition together in order for the product to perform a $\lambda$-labelled transition. 
If the label $\lambda$ occurs in the set of labels of only one component, then that 
component can perform a $\lambda$-labelled transition independently in the product. 
The systems are said to synchronise on their shared labels, otherwise they act 
independently. 
Definition 2.9 (Product of transition systems) 
Let $S_1 = (\Sigma_1, \sigma_1^I, L_1, \rightarrow_1)$ and $S_2 = (\Sigma_2, \sigma_2^I, L_2, \rightarrow_2)$ be two transition sys-
tems. The transition system product of $S_1$ and $S_2$, which is written $S_1 \mid S_2$, is 
the transition system $(\Sigma_1 \times \Sigma_2, (\sigma_1^I, \sigma_2^I), L_1 \cup L_2, \rightarrow)$ where $(\sigma_1, \sigma_2) \xrightarrow{\lambda} (\sigma_1', \sigma_2')$ 
iff 
1. $\lambda \in L_1 \cap L_2$ and $\sigma_1 \xrightarrow{\lambda}_1 \sigma_1'$ and $\sigma_2 \xrightarrow{\lambda}_2 \sigma_2'$, or 
2. $\lambda \in L_1 \setminus L_2$ and $\sigma_1 \xrightarrow{\lambda}_1 \sigma_1'$ and $\sigma_2' = \sigma_2$, or 
3. $\lambda \in L_2 \setminus L_1$ and $\sigma_2 \xrightarrow{\lambda}_2 \sigma_2'$ and $\sigma_1' = \sigma_1$. $\square$ 
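Definitions 2.1, 2.2, 2.5 and 2.9 as executable code, added here as an example and not part of the thesis: a labelled transition system with successor, determinism and reachability checks, and the synchronised product of Definition 2.9. The two component systems (a sender and a receiver sharing the labels `send` and `ack`) are constructed for the illustration; the names carry no meaning beyond it.

```python
# Added example (not from the thesis): labelled transition systems, the product
# of Definition 2.9, and reachability by breadth-first search.
# The component systems in example() are constructed for illustration only.
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LTS:
    states: frozenset
    initial: object
    labels: frozenset
    trans: frozenset          # set of (sigma, lambda, sigma') triples

    def successors(self, sigma, lam=None):
        """{(lambda, sigma')}: all successors, or only the lam-successors."""
        return {(l, s2) for (s1, l, s2) in self.trans
                if s1 == sigma and (lam is None or l == lam)}

    def is_deterministic(self):
        """Definition 2.2: at most one lam-successor per (state, label)."""
        seen = {}
        for (s1, l, s2) in self.trans:
            if seen.setdefault((s1, l), s2) != s2:
                return False
        return True

    def reachable(self):
        """Definition 2.5: states reachable from the initial state."""
        seen, todo = {self.initial}, deque([self.initial])
        while todo:
            s = todo.popleft()
            for _, s2 in self.successors(s):
                if s2 not in seen:
                    seen.add(s2)
                    todo.append(s2)
        return seen


def product(s1, s2):
    """Definition 2.9: shared labels are taken jointly (case 1); a label
    private to one component is taken by that component alone (cases 2, 3)."""
    shared = s1.labels & s2.labels
    trans = set()
    for (a, lam, a2) in s1.trans:
        if lam in shared:                                  # case 1
            trans |= {((a, b), lam, (a2, b2)) for (b, mu, b2) in s2.trans if mu == lam}
        else:                                              # case 2
            trans |= {((a, b), lam, (a2, b)) for b in s2.states}
    for (b, lam, b2) in s2.trans:
        if lam not in shared:                              # case 3
            trans |= {((a, b), lam, (a, b2)) for a in s1.states}
    states = frozenset((a, b) for a in s1.states for b in s2.states)
    return LTS(states, (s1.initial, s2.initial), s1.labels | s2.labels, frozenset(trans))


def example():
    """Sender and receiver synchronising on 'send' and 'ack'; 'deliver' is
    private to the receiver. Returns their product."""
    sender = LTS(frozenset({"s0", "s1"}), "s0", frozenset({"send", "ack"}),
                 frozenset({("s0", "send", "s1"), ("s1", "ack", "s0")}))
    receiver = LTS(frozenset({"r0", "r1", "r2"}), "r0",
                   frozenset({"send", "deliver", "ack"}),
                   frozenset({("r0", "send", "r1"), ("r1", "deliver", "r2"),
                              ("r2", "ack", "r0")}))
    return product(sender, receiver)


if __name__ == "__main__":
    p = example()
    print(len(p.states), "product states,", len(p.reachable()), "reachable")
```

Note that the product of Definition 2.9 has all six pairs as states, but only three of them are reachable: the product records the structure, and reachability analysis, the technique the dissertation applies throughout, recovers the behaviour.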
2.4 Process Algebra 
2.4.1 Basic concepts 
The understanding of distributed systems has been advanced considerably by 
the study of process algebra. In this approach, a system is regarded as a process, 
which is constructed from smaller processes using a set of process constructors 
(operators). Some processes are regarded as primitive - not subject to further 
investigation - and larger processes are constructed from them using the process 
operators, resulting in an algebraic structure. Processes are investigated by 
considering equivalences between them, which leads to an equational style of 
reasoning. There are several different approaches to the algebraic treatment of 
processes. They can be characterised by: 
• the choice of basic processes and process operators, 
• the methods and models used to give a meaning to processes, and 
• the notion of equivalence between processes. 
The well known process algebras CCS [Mil89], CSP [Hoa85] and ACP [BW90] 
exemplify the main variations within each of these categories; these references 
should be consulted for a thorough introduction to the field. Here we mention 
some aspects which may be helpful in understanding the rest of the dissertation. 
In process algebra, system events are modelled as atomic actions. In the 
family of ACP algebras, atomic actions are basic processes and act as the con-
stants of the algebra. There is a sequential composition operator which models 
the execution of one process followed by the execution of another process. CCS 
adopts a different approach in which an atomic action a is not regarded as a 
basic process in its own right, but can be composed with some process P using 
an action prefix operator, to yield a new process a.P, which is capable of first 
performing the action a and then behaving as process P. In this approach, 
the nil process, which cannot perform any action, serves as a basic process. 
Given the possibility for modelling very simple systems such as these, more 
complex systems can be constructed using a variety of other operators includ-
ing: choice, disabling, parallel composition and abstraction. Other features of 
system behaviour can also be modelled within the process algebraic framework, 
e.g., process priority, memory state and shared resources [BV95, LBGG94]. 
The formal description technique LOTOS [ISO88b] offers both a variety of use-
ful process operators and a data language for modelling the data values which 
are stored and communicated by a system. It has been used extensively for 
modelling and analysing systems of practical interest. 
Currently, the predominant method for giving a meaning to the terms of 
a process algebra is structural operational semantics (SOS) [Plo81]. SOS gen-
erates a labelled transition system, whose states are the terms of the process 
algebra, and whose transitions are obtained inductively from a set of transition 
rules of the form $\frac{\mathit{premises}}{\mathit{conclusion}}$. An example of a typical transition rule is 
$$\frac{P \xrightarrow{a} P'}{P + Q \xrightarrow{a} P'}$$ 
from which we can conclude the existence of an $a$-labelled transition from any 
term of the form $P + Q$ to a term of the form $P'$, if we can demonstrate 
the existence of an $a$-labelled transition from $P$ to $P'$. In general, validity 
of the premises of a transition rule, under a certain substitution, implies the 
validity of the conclusion of this rule under the same substitution [AFV99]. This 
operational style of semantic definition gives a meaning to a process description 
in terms of its effect upon the behaviour of some abstract machine. Other 
semantic approaches are the denotational method of CSP [BHR84] and the 
axiomatic method of ACP [BK84]. 
A variety of process equivalences are studied in the literature [vG90, vG93]. 
They range from a weak equivalence, in which processes are equated iff they 
can perform the same set of transition sequences, to a strong equivalence in 
which they are equated iff their derivation trees are isomorphic. The former 
equivalence may equate processes P and Q even though there are environ-
ments in which P deadlocks while Q does not. The latter equivalence may 
distinguish processes even if they can perform the same actions in all envi-
ronments. Useful equivalences are found somewhere between these extremes. 
The variety of useful equivalences is greater in settings which distinguish be-
tween a set of actions which are observable and a set of actions which are 
hidden or silent [vG93]. The process equivalence of most relevance to our 
work is based on the idea of strong bisimulation [Mil89] and equates pro-
cesses P and Q iff for every action a, every a-successor of P is equivalent 
to some a-successor of Q, and vice versa (cf. §3.6.3). This is generally re-
garded as the strongest of the useful equivalences. To be really useful, an 
equivalence should also be a congruence, i.e., equivalent processes should be-
have the same in all contexts, e.g., assume op is an arbitrary process operator 
and $P$ and $Q$ are equivalent processes, then $op(P_1, \ldots, P_{i-1}, P, P_{i+1}, \ldots, P_n)$ and 
$op(P_1, \ldots, P_{i-1}, Q, P_{i+1}, \ldots, P_n)$ should also be equivalent processes. 
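As an added illustration of the SOS style and of the strong bisimulation equivalence just described (this is my own example, not code from the thesis), the following Python model defines a small CCS-like calculus with nil, action prefix, choice and parallel composition with handshake synchronisation. `steps` is the inductive reading of the transition rules (the choice rule above among them), `lts` unfolds the reachable labelled transition system, and `bisimilar` decides strong bisimulation by partition refinement. The term encoding and the co-name convention (`'a` as the complement of `a`) are my own choices.

```python
"""Added example (not from the thesis): a small CCS-style process calculus whose
transitions are derived inductively from SOS rules, plus a strong bisimulation
check by partition refinement. Term encoding and the co-name convention
('a is the complement of a) are my own choices."""
NIL = ('nil',)
def pre(a, p):    return ('pre', a, p)       # a.P
def choice(p, q): return ('sum', p, q)       # P + Q
def par(p, q):    return ('par', p, q)       # P | Q

def co(a):
    """Complement of a CCS name: a <-> 'a."""
    return a[1:] if a.startswith("'") else "'" + a

def steps(p):
    """All (label, successor) pairs of p, read off the SOS rules:
    Act:  a.P --a--> P
    Sum:  P --a--> P'  implies  P + Q --a--> P'   (and symmetrically for Q)
    Par:  P --a--> P'  implies  P | Q --a--> P' | Q  (and symmetrically),
          P --a--> P' and Q --'a--> Q'  implies  P | Q --tau--> P' | Q'."""
    kind = p[0]
    if kind == 'nil':
        return []
    if kind == 'pre':
        return [(p[1], p[2])]
    if kind == 'sum':
        return steps(p[1]) + steps(p[2])
    if kind == 'par':
        left, right = p[1], p[2]
        ls, rs = steps(left), steps(right)
        out = [(a, par(l2, right)) for a, l2 in ls] + [(b, par(left, r2)) for b, r2 in rs]
        out += [('tau', par(l2, r2)) for a, l2 in ls for b, r2 in rs
                if a != 'tau' and co(a) == b]
        return out
    raise ValueError(f"unknown term {p!r}")

def lts(*roots):
    """Unfold the labelled transition system reachable from the given terms."""
    seen, work, trans = set(roots), list(roots), []
    while work:
        p = work.pop()
        for a, q in steps(p):
            trans.append((p, a, q))
            if q not in seen:
                seen.add(q); work.append(q)
    return seen, trans

def bisimilar(p, q):
    """Strong bisimulation: refine the partition of states until every block is
    stable, i.e. all its members have the same set of (label, target block)
    pairs; p ~ q iff they end up in the same block."""
    states, trans = lts(p, q)
    block = {s: 0 for s in states}
    while True:
        sig = {s: frozenset((a, block[t]) for (src, a, t) in trans if src == s) for s in states}
        ids = {}
        new = {s: ids.setdefault((block[s], sig[s]), len(ids)) for s in states}
        if len(ids) == len(set(block.values())):   # no block was split: stable
            return new[p] == new[q]
        block = new

def traces_equal_but_not_bisimilar():
    """The textbook pair a.(b + c) versus a.b + a.c: same traces, yet an
    environment offering a and then b deadlocks one of them and not the other."""
    p = pre('a', choice(pre('b', NIL), pre('c', NIL)))
    q = choice(pre('a', pre('b', NIL)), pre('a', pre('c', NIL)))
    return not bisimilar(p, q)
```

The weak trace equivalence of the text equates the two terms in `traces_equal_but_not_bisimilar`; strong bisimulation separates them, which is exactly the deadlock-sensitivity the paragraph describes. The expansion law `a.nil | b.nil ~ a.b.nil + b.a.nil` holds under `bisimilar`.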
2.4.2 Timed Extensions 
In the process algebras considered so far, there is not the possibility to model 
and reason about the quantitative aspects of the passage of time. This deficiency 
has been addressed by many researchers and, consequently, there are 
now many timed process algebras which can be used in the analysis of real-time 
systems. Vereijken [Ver97a] gives a very comprehensive review which covers 
almost 40 different timed process algebras. Nicollin and Sifakis [NS91] present 
a helpful unifying framework. Corradini et al. [CDI99] give a detailed study 
of the relationship between four CCS-like variants. Here we aim to give just a 
flavour of the main themes. 
In general, timed process algebras introduce constants ranging over some 
time domain, either discrete or dense, and a number of time constraining oper-
ators, into the framework of an untimed algebra. A typical time constraining 
operator is one which delays a process, e.g., let t be a constant of the time 
domain, t > 0, then the process (t).P is one which behaves just like P after 
exactly t time units. Such an operator is used in Temporal CCS [MT90], Timed 
CCS [Yi90], Real-Time CSP [Dav93] and Urgent LOTOS [BL91]. ACP$_\rho$ [BB91] 
adopts a different approach in which actions are time-stamped. Time stamps 
can be absolute or relative. In the absolute case, a(t) performs the action a 
after t time units following the start of the process; in the relative case, a [t] 
performs a after t time units following the execution of the previous action. 
The time-stamp operator has the effect of allowing the modelling both of de-
lays and also of urgent actions; a delayed action becomes urgent when the time 
delay expires. Urgency can also be modelled by the introduction of immediate 
actions, which do not admit the possibility of time passing until either they are 
executed or disabled. This approach is adopted in ATP [NS94]. Other time 
constraining operators which have appeared in several algebras, and which are 
of practical interest for modelling real-time systems, are the timeout and watch-
dog operators. Real-time CSP offers both operators. Each takes two process 
arguments $P$ and $Q$ and a time parameter $t$. The timeout $P \triangleright\{t\}\, Q$ behaves 
as $P$ if an initial action of $P$ is performed within time $t$, otherwise it behaves as 
$Q$, after time $t$. The watchdog $P \triangle\{t\}\, Q$ behaves as $P$ until time $t$. At time 
t, P is aborted and Q is started. Similar operators are found in other algebras, 
e.g. ATP. 
Schneider [Sch95] discusses the operational, denotational and axiomatic 
styles of semantic definition in timed process algebras, and surveys the associ-
ated approaches to process equivalence. The decidability of timed bisimulation 
is shown in [Cer92]. 
We return to some of the ideas mentioned in this section in Chapter 3, where 
their influence on the design of the language which is introduced there will be 
evident. 
2.5 Timed Automata 
2.5.1 Introduction 
One of the most successful research areas of the last few years, in the mod-
elling and analysis of real-time systems, features the use of timed automata, 
which were introduced in the seminal paper of Alur and Dill [AD90]. Early 
work concentrated on the theoretical aspects of the decidability and complexity 
of the model-checking and satisfiability problems for timed temporal logics 
such as TCTL [ACD90, AD94, AH91, Alu91]. Later, attention turned to the 
development of practical algorithms [HNSY94, YPD94]. More recently, the ap-
plication of timed automata to the modelling of industrial problems [HSLL97, 
LPY98, TY98], and the development of software tools to support their analy-
sis [BLL+98, BDM+98], have been receiving considerable attention. 
Informally, a timed automaton is a finite state automaton in which the sys-
tem states are augmented by a finite number of real-valued variables called 
clocks. All clocks are synchronised and are assumed to keep perfect time. Tran-
sitions between states can be constrained to occur when the values of the clocks 
satisfy some specified property. On the occurrence of a transition, one or more 
clocks can be reset to zero. In this way, it is possible to model the "real time" 
of occurrence of events and the time elapsed between events. Timed automata 
are presented formally below. 
2.5.2 Clocks 
Let $\mathcal{H}$ be a finite set of real-valued variables called clocks. An $\mathcal{H}$-valuation (clock 
valuation) is a total function $v : \mathcal{H} \to \mathbb{R}$ which assigns to each clock $h \in \mathcal{H}$ a 
non-negative real number $v(h)$. The set of $\mathcal{H}$-valuations is denoted $\mathbb{R}^{\mathcal{H}}$. The 
$\mathcal{H}$-valuation which assigns 0 to every clock in $\mathcal{H}$ is denoted $\mathbf{0}$. Let $v \in \mathbb{R}^{\mathcal{H}}$ and 
$H \subseteq \mathcal{H}$. $v[H := 0]$ denotes the valuation $v'$ such that for all $h \in \mathcal{H}$, $v'(h)$ is 
0 if $h \in H$ and is $v(h)$ otherwise. This models the operation of resetting some 
clocks while leaving the values of the other clocks unchanged. The elapse of 
time is modelled by advancing the values of all clocks in a valuation by the 
same amount. Let $v \in \mathbb{R}^{\mathcal{H}}$ and $t \in \mathbb{R}$; $v + t$ denotes the valuation $v'$ in 
which $v'(h) = v(h) + t$ for all clocks $h \in \mathcal{H}$. Occasionally, we will need the 
operation $t \cdot v$ where for $t \in \mathbb{R}$ and $v \in \mathbb{R}^{\mathcal{H}}$, $t \cdot v$ is the valuation $v'$ such that 
$v'(h) = t \cdot v(h)$, for all $h \in \mathcal{H}$. 
2.5.3 Clock Constraints 
Let $\mathcal{H}$ denote a set of clocks ranged over by $h, h'$. An atomic constraint on $\mathcal{H}$ 
is an expression of the form $h \bowtie c$ or $h - h' \bowtie c$, where $\bowtie \in \{<, \le, \ge, >\}$ and 
$c \in \mathbb{N}$. The set of clock constraints on $\mathcal{H}$, denoted $\Psi_{\mathcal{H}}$, is generated by the 
grammar: 
$$\psi ::= \chi \mid \psi \wedge \psi \mid \neg\psi$$
where $\chi$ is an atomic constraint. The set of clock zones on $\mathcal{H}$, denoted $Z_{\mathcal{H}}$, 
with $Z_{\mathcal{H}} \subset \Psi_{\mathcal{H}}$, is the set of conjunctions of atomic constraints. Let $\zeta, \zeta'$ range 
over $Z_{\mathcal{H}}$. 
The restricted grammar of clock constraints is necessary in order to ensure 
that some important verification questions, such as model-checking, remain 
decidable. It is possible to extend the range of $c$ to the non-negative rational 
numbers $\mathbb{Q}^+$, but the restriction to $\mathbb{N}$ simplifies the presentation at no cost to 
expressive power [AD94]. 
A clock valuation $v \in \mathbb{R}^{\mathcal{H}}$ is said to satisfy a clock constraint $\psi \in \Psi_{\mathcal{H}}$, 
denoted $v \models \psi$, if 
$$\begin{array}{lcl}
v \models h \bowtie c & \text{iff} & v(h) \bowtie c \\
v \models h - h' \bowtie c & \text{iff} & v(h) - v(h') \bowtie c \\
v \models \psi \wedge \psi' & \text{iff} & v \models \psi \text{ and } v \models \psi' \\
v \models \neg\psi & \text{iff} & v \not\models \psi
\end{array}$$
The set of all clock valuations satisfying a clock constraint $\psi \in \Psi_{\mathcal{H}}$ is denoted 
$[\![\psi]\!]$, i.e., $[\![\psi]\!] = \{v \in \mathbb{R}^{\mathcal{H}} \mid v \models \psi\}$. 
We use $\mathit{tt}$ to denote a clock constraint such as $h \ge 0$ which is satisfied by 
any clock valuation, and $\mathit{ff}$ to denote a clock constraint such as $h < 0$ which is 
not satisfied by any clock valuation, i.e., $[\![\mathit{tt}]\!] = \mathbb{R}^{\mathcal{H}}$ and $[\![\mathit{ff}]\!] = \emptyset$. It is also useful 
to have a notation for the clock constraint which requires that all clocks have 
the value 0; $\mathit{zero}_{\mathcal{H}}$ denotes such a constraint, i.e., $\mathit{zero}_{\mathcal{H}} \triangleq \bigwedge_{h \in \mathcal{H}} h = 0$ (we will 
just write $\mathit{zero}$ when $\mathcal{H}$ is clear from the context). 
2.5.4 Syntax and informal semantics 
We can now give a formal definition of the syntax of timed automata. We also 
provide some simple examples and an informal explanation of semantics. 
Definition 2.10 (Timed Automaton) A timed automaton (TA) is a tuple 
$A = (Q, q_I, A, \mathcal{H}, E, I)$ where: 
• $Q$ is a finite set of control locations. 
• $q_I \in Q$ is the initial control location. 
• $A$ is a finite set of action labels. 
• $\mathcal{H}$ is a finite set of clocks. 
• $E \subseteq Q \times Z_{\mathcal{H}} \times A \times 2^{\mathcal{H}} \times Q$ is a finite set of edges. 
Each edge $e \in E$ is of the form $(q, \zeta, a, H, q')$ where $q, q' \in Q$ are control 
locations, denoted $\mathit{src}(e)$, $\mathit{tgt}(e)$, respectively; $\zeta \in Z_{\mathcal{H}}$ is a clock zone, 
called the guard of $e$ and denoted $\mathit{guard}(e)$; $a \in A$ is an action label, 
denoted $\mathit{label}(e)$ and $H \subseteq \mathcal{H}$ is a set of clocks to be reset, denoted $\mathit{reset}(e)$. 
• $I : Q \to Z_{\mathcal{H}}$ is a function which associates a time progress condition (or 
invariant) with each control location. Control can remain at a location 
while time passes so long as the invariant associated with the location 
remains true. 
We use $c_{\max}(A, h)$ to denote the greatest constant to which the clock variable 
$h$ is compared in any guard or invariant condition of $A$, and $c_{\max}(A)$ to denote 
$\max\{c_{\max}(A, h) \mid h \in \mathcal{H}\}$. □ 
Fig. 2.1: A simple timed automaton (edge labels visible in the extracted figure: a, {H1}; H1 >= 1, b) 
Example 2.1 We can explain some of these details informally by reference to 
Figure 2.1 which shows a simple example of a TA. The set of control locations 
is {0, 1}. Location 0 is assumed to be the initial location. The set of action 
labels is {a, b}. The set of clocks is {H1}. The invariant associated with lo-
cation 0 is $\mathit{tt}$; this means that the system can spend an arbitrary amount of 
time in location 0. In the absence of an explicit clock constraint, the edge from 
0 to 1 is assumed to have the clock constraint $\mathit{tt}$, and so an a-transition from 
0 to 1 is possible at any time. If an a-transition occurs, clock H1 is reset to 
0. While in location 1, the value of clock H1 shows the amount of time for 
which control has been at this location. Control can remain here for no more 
than 2 time units, as shown by the invariant H1 ≤ 2, i.e., the invariant serves 
as a way of enforcing progress: some transition via an outgoing edge must be 
taken before the location invariant becomes false. The constraint H1 ≥ 1 on 
the edge from 1 to 0 ensures that a b-transition cannot occur until control 
has resided at location 1 for at least 1 time unit, when a b-transition becomes 
possible, taking control back to location 0. It is assumed that no clocks are 
reset by a b-transition (the missing reset set on the edge from 1 to 0 is taken 
to be ∅). The timing requirement expressed by this automaton is that every 
a action is inevitably followed by a b action after a delay of 1 to 2 time units. □ 
2.5.5 Formal Semantics 
The semantics of the timed automaton, A, is defined by assigning a timed 
transition system to it. A state in the transition system is a pair (q, v) where 
q is a location of A and v is a clock valuation satisfying the invariant of q. 
The initial state consists of the initial location and the clock valuation in which 
all clocks are set to O. The transition relation ---+ comprises both discrete 
transitions and time transitions. In a discrete transition, the location of control 
may change by following an outgoing edge. In a time transition, the location 
of control remains the same while time passes; the location invariant must be 
satisfied throughout the passage of time. Formally, the semantics is defined as 
follows: 
Definition 2.11 (Timed Automaton Semantics) The semantics of the timed 
automaton $A = (Q, q_I, A, \mathcal{H}, E, I)$ is given by the timed transition system 
$\mathcal{T}[\![A]\!] = (\Sigma, \sigma_I, L, \to)$ where 
• $\Sigma = \{(q, v) \mid q \in Q \wedge v \in \mathbb{R}^{\mathcal{H}} \wedge v \models I(q)\}$. 
• $\sigma_I = (q_I, \mathbf{0})$ is the initial state. 
• $L = A \cup \mathbb{R}$ is the set of labels. 
• $\to \subseteq \Sigma \times L \times \Sigma$ is the transition relation defined by: 
- Discrete transitions 
$$\text{TA.1}\qquad \frac{(q, \zeta, a, H, q') \in E \qquad v \models \zeta \wedge v[H := 0] \models I(q')}{(q, v) \xrightarrow{a} (q', v[H := 0])}$$
We say that $(q', v[H := 0])$ is a discrete successor of $(q, v)$. 
- Time transitions 
$$\text{TA.2}\qquad \frac{t \in \mathbb{R} \wedge \forall t' \in \mathbb{R} \mid t' \le t \,.\, v + t' \models I(q)}{(q, v) \xrightarrow{t} (q, v + t)}$$
We say that $(q, v + t)$ is a time successor of $(q, v)$. □ 
Notation. If $\sigma = (q, v)$, then $\sigma + t$ denotes the state $(q, v + t)$ and $\sigma[H := 0]$ 
denotes $(q, v[H := 0])$. 
Example 2.2 Referring again to Figure 2.1, we can see that the state space 
$\Sigma \subseteq \{0, 1\} \times (\{H1\} \to \mathbb{R})$. The initial state is $(0, \{H1 \mapsto 0\})$. The label set 
$L = \{a, b\} \cup \mathbb{R}$ and some possible transitions are: 
$$(0, \{H1 \mapsto 0\}) \xrightarrow{1.7} (0, \{H1 \mapsto 1.7\}) \xrightarrow{a} (1, \{H1 \mapsto 0\}) \xrightarrow{0.2} (1, \{H1 \mapsto 0.2\}) \xrightarrow{1.3}$$
$$(1, \{H1 \mapsto 1.5\}) \xrightarrow{b} (0, \{H1 \mapsto 1.5\}) \xrightarrow{50} (0, \{H1 \mapsto 51.5\}) \xrightarrow{a} (1, \{H1 \mapsto 0\}) \ldots$$
□ 
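To make Definitions 2.10 and 2.11 concrete, here is an added Python example (my own code, not the thesis's) that implements clock valuations with reset and elapse, zone satisfaction for conjunctions of atomic constraints, and the two transition rules TA.1 and TA.2, then replays the run of Example 2.2 on the automaton of Figure 2.1. The dictionary encoding of the automaton and the helper names are my choices; exact rationals stand in for the reals so that the clock arithmetic is exact.

```python
"""Added example (not the thesis's code): clock valuations (2.5.2), zone
satisfaction (2.5.3) and the concrete transition system T[[A]] of
Definition 2.11, replayed on the automaton of Figure 2.1 along the run of
Example 2.2."""
from fractions import Fraction as Fr
import operator

OPS = {'<': operator.lt, '<=': operator.le, '>=': operator.ge, '>': operator.gt}

def sat(v, zone):
    """v |= zone, where a zone is a list (conjunction) of atomic constraints
    (h, op, c) or (h, h2, op, c) for the difference constraint h - h2 op c."""
    for atom in zone:
        if len(atom) == 3:
            h, op, c = atom; lhs = v[h]
        else:
            h, h2, op, c = atom; lhs = v[h] - v[h2]
        if not OPS[op](lhs, c):
            return False
    return True

def reset(v, H):  return {h: (Fr(0) if h in H else x) for h, x in v.items()}   # v[H := 0]
def elapse(v, t): return {h: x + t for h, x in v.items()}                      # v + t

# The TA of Figure 2.1: edges are (q, guard, a, reset set, q'); I maps q to its invariant.
FIG21 = dict(qI=0, H=['H1'],
             E=[(0, [], 'a', {'H1'}, 1), (1, [('H1', '>=', 1)], 'b', set(), 0)],
             I={0: [], 1: [('H1', '<=', 2)]})

def discrete_successors(ta, state):
    """Rule TA.1: (q, v) --a--> (q', v[H := 0]) iff v |= guard and v[H := 0] |= I(q')."""
    q, v = state
    out = []
    for (src, guard, a, H, tgt) in ta['E']:
        if src == q and sat(v, guard):
            v2 = reset(v, H)
            if sat(v2, ta['I'][tgt]):
                out.append((a, (tgt, v2)))
    return out

def time_successor(ta, state, t):
    """Rule TA.2: (q, v) --t--> (q, v + t) iff I(q) holds at every v + t', t' <= t.
    Zones are convex, so checking the two end points v and v + t suffices."""
    q, v = state
    if t < 0 or not sat(v, ta['I'][q]) or not sat(elapse(v, t), ta['I'][q]):
        return None
    return (q, elapse(v, t))

def run(ta, labels):
    """Follow a label sequence (number = time transition, str = action) from the
    initial state (qI, 0); returns every state visited, or raises if a step is blocked."""
    state = (ta['qI'], {h: Fr(0) for h in ta['H']})
    trace = [state]
    for lab in labels:
        if isinstance(lab, str):
            nxt = [s for a, s in discrete_successors(ta, state) if a == lab]
            if not nxt:
                raise ValueError(f"no {lab}-transition from {state}")
            state = nxt[0]
        else:
            state = time_successor(ta, state, Fr(lab))
            if state is None:
                raise ValueError(f"delay of {lab} violates the invariant at {trace[-1]}")
        trace.append(state)
    return trace

# The run of Example 2.2; the time labels are read off the successive clock values.
EXAMPLE_22 = [Fr('1.7'), 'a', Fr('0.2'), Fr('1.3'), 'b', 50, 'a']
```

`run(FIG21, EXAMPLE_22)` ends in the state $(1, \{H1 \mapsto 0\})$, as in the example; asking for a delay of 3 at location 1 returns `None`, because the invariant H1 ≤ 2 would be violated part-way, and no b-transition is offered while H1 < 1.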
We define a notion of deterministic timed automata by analogy with the 
classical notion of determinism for finite state automata, viz., the state reached 
by following an edge with a given label is uniquely determined by the current 
state. However, in the case of timed automata, it is not necessary to prohibit 
the use of the same label on distinct outgoing edges of every location, but, 
instead, it is required only that for any pair of such edges, the associated clock 
constraints are mutually exclusive, so that at any time at most one of them is 
enabled. 
Definition 2.12 (Deterministic Timed Automaton) A timed automaton 
is said to be deterministic iff for all $q \in Q$, for all $a \in A$ and for every pair of 
distinct edges of the form $(q, \zeta_1, a, H_1, q')$ and $(q, \zeta_2, a, H_2, q'')$, there is no clock 
valuation $v$ which satisfies both of the following conditions: 
1. $v \models \zeta_1$ and $v[H_1 := 0] \models I(q')$, 
2. $v \models \zeta_2$ and $v[H_2 := 0] \models I(q'')$. □ 
Fig. 2.2: Product construction for timed automata 
2.5.6 Composition of timed automata 
By defining a product for timed automata, we can model a complex system 
using several smaller, interacting component automata. 
Let $A_1 = (Q_1, q_I^1, A_1, \mathcal{H}_1, E_1, I_1)$ and $A_2 = (Q_2, q_I^2, A_2, \mathcal{H}_2, E_2, I_2)$ be two 
timed automata. Assume that the clock sets $\mathcal{H}_1$ and $\mathcal{H}_2$ are disjoint. Then 
the product, denoted $A_1 \mid A_2$, is the timed autom­aton $(Q_1 \times Q_2, (q_I^1, q_I^2), A_1 \cup 
A_2, \mathcal{H}_1 \cup \mathcal{H}_2, E, I)$, where $I(q_1, q_2)$ is defined to be $I_1(q_1) \wedge I_2(q_2)$ and the edges 
$E$ are given by: 
1. For $a \in A_1 \cap A_2$, for every $(q_1, \zeta_1, a, H_1, q_1') \in E_1$ and $(q_2, \zeta_2, a, H_2, q_2') \in 
E_2$, $E$ contains $((q_1, q_2), \zeta_1 \wedge \zeta_2, a, H_1 \cup H_2, (q_1', q_2'))$ 
2. For $a \in A_1 \setminus A_2$, for every $(q_1, \zeta, a, H, q_1') \in E_1$ and every $q_2 \in Q_2$, $E$ 
contains $((q_1, q_2), \zeta, a, H, (q_1', q_2))$ 
3. For $a \in A_2 \setminus A_1$, for every $(q_2, \zeta, a, H, q_2') \in E_2$ and every $q_1 \in Q_1$, $E$ 
contains $((q_1, q_2), \zeta, a, H, (q_1, q_2'))$ 
From this we can see that the locations of the product are just pairs of 
component locations and the invariant of a compound location is the conjunc-
tion of the invariants of its component locations. The edges are obtained by 
synchronising edges with identical labels. 
For timed automata $A_1$ and $A_2$, it can be shown that the product of the 
models of $A_1$ and $A_2$ is the same as the model of the product of $A_1$ and $A_2$; 
i.e., $\mathcal{T}[\![A_1]\!] \mid \mathcal{T}[\![A_2]\!]$ is isomorphic to $\mathcal{T}[\![A_1 \mid A_2]\!]$ [AD94]. Figure 2.2 shows a 
simple example of a product construction of timed automata. 
Example 2.3 (Train Gate Controller) The level crossing controller is a ubiq-
uitous introductory example. We consider a simple system consisting of three 
Fig. 2.3: Level Crossing Control System (component automata Train, Gate and Controller; among the edge labels visible in the extracted figure: H3 >= 1, lower) 
components: a train, a gate and a controller. Each of these can be modelled 
as a TA (see Figure 2.3). Timing constraints are expressed using 3 clocks: HI 
for the train, H2 for the gate and H3 for the controller. The train advises the 
controller of its approach more than 2 minutes before it enters the crossing. 
The approach of the train is indicated by the action approach, and entry into 
the crossing by the action in. Notice that the guard on the edge labelled in 
is H1 > 2. The maximum delay between the actions approach and exit is 5 
minutes. The gate is open in location Gate.0 and closed in location Gate.2. 
The actions raise and lower are used to indicate requests for service from 
the gate by the controller. The actions up (resp. down) indicate that the gate 
has been completely raised (resp. lowered). The controller idles in location 
Controller.0. Whenever it detects that the train is approaching, it requests 
that the gate should be lowered. Similarly, whenever it detects that the train 
has left the crossing, it requests that the gate should be raised. The com-
plete system is expressed as the composition of the three components Train I 
Gate I Controller. The safety requirement for the system is straightforward: 
whenever the train is in the crossing, the gate should be closed. 0 
2.6 Property Specification 
The main point of constructing a formal system model is to check it for the 
presence of desirable properties and the absence of undesirable properties. A 
first step in this direction involves formally stating the properties of inter-
est. A classification of properties which has proved of enduring usefulness is 
the distinction between safety and liveness properties, introduced by Lam-
port [Lam77, Lam80]. Informally, a safety property specifies that 'nothing bad 
ever happens', while a liveness property specifies that 'something good even-
tually happens'. There is a variety of approaches to expressing both safety 
and liveness properties of timed transition system models. We consider some 
of them in this section. The remainder of the section is structured as follows. 
In §2.6.1, we consider the expression of properties of individual states using 
state formulas. This allows us to state simple safety invariants which can be 
checked by exploring all reachable states and testing them for satisfaction of 
the invariant property. More complicated properties, involving system execu-
tions, can be expressed using specification automata or temporal logic. These 
approaches are considered in §2.6.2 and §2.6.3, respectively. The relationship 
between automata and temporal logic is considered in §2.6.4. 
2.6.1 State Properties 
For a state transition model, $S$, the simplest properties to assert and check are 
those concerned only with individual states, i.e. given some state $\sigma$ determine 
whether or not a property $p$ holds at $\sigma$. What structure we attribute to a 
state will depend on the circumstances. At the least, we assume that a state is 
associated with a unique identifier; sometimes, in addition, we assume that a 
state gives a valuation for a set of typed variables. Let $\mathit{Var}$ be such a set and 
let $x$ range over $\mathit{Var}$. The value of $x$ at state $\sigma$ is denoted $\sigma.x$. We assume 
that a state formula $p$ is a boolean expression constructed in the usual way 
from variables, function symbols, predicate symbols and boolean connectives, 
and that there is a valuation function $[\![p]\!]_\sigma$ which gives the value of $p$ at $\sigma$. 
We write $\sigma \Vdash p$ iff $[\![p]\!]_\sigma = \mathit{true}$. The reader should refer to [MP92] for further 
explanation of state formulas, if required. 
Let $S = \mathcal{T}[\![A]\!]$ be a transition system, where the TA $A = (Q, q_I, A, \mathcal{H}, E, I)$ 
is either a simple TA, or a composition of TA $A_1 \mid \cdots \mid A_n$. Then $\mathit{enable}(a)$ and 
$A_i@q$ can be encoded as state formulas, where $a \in A$ is an action and $q \in Q$ is 
a location. Informally, $\mathit{enable}(a)$ is true if it is possible to take an $a$-transition 
from the current state, and $A_i@q$ is true if control in the TA $A_i$ currently 
resides at location $q$. 
Formally, 
$$(q, v) \Vdash \mathit{enable}(a) \quad\text{iff}\quad \exists (q, \zeta, a, H, q') \in E \,.\, v \models \zeta \wedge v[H := 0] \models I(q')$$
and, for $1 \le i \le n$, 
Example 2.4 Let $S = \mathcal{T}[\![\mathit{Train} \mid \mathit{Gate} \mid \mathit{Controller}]\!]$, where Train, Gate 
and Controller are as given in Figure 2.3. Let $q = (1, 1, 0)$, i.e. $q$ is a com-
pound location in which the components are: Train at location 1, Gate at lo-
cation 1 and Controller at location 0. Let $v = \{h_1 \mapsto 1.5, h_2 \mapsto 0.5, h_3 \mapsto 1.5\}$ 
be a clock valuation. Let $\sigma = (q, v)$. Then, we have $\sigma \Vdash \mathit{enable}(\mathit{down})$ and 
$\sigma \Vdash \mathit{Gate}@1$, but $\sigma \nVdash \mathit{enable}(\mathit{in})$ and $\sigma \nVdash \mathit{Controller}@1$. □ 
Example 2.5 Let $\sigma$ be a state over integer variables $x$, $y$ and boolean variable 
$z$, such that $\sigma = \{x \mapsto 5, y \mapsto 7, z \mapsto \mathit{true}\}$. Then, $\sigma \Vdash z$, $\sigma \nVdash x > y$, 
$\sigma \Vdash x + y < 15$ and $\sigma \Vdash z \Rightarrow (y - x = 2)$. □ 
Example 2.6 In the level crossing control system of Figure 2.3, the safety 
requirement can be stated as the absence of any reachable state $\sigma$ satisfying 
$\sigma \Vdash \mathit{Train}@2 \wedge \neg\mathit{Gate}@2$. □ 
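The product construction of §2.5.6, the level crossing system of Example 2.3 and the reachability check of Example 2.6 come together in the following added Python example (my own code, not the thesis's). It represents clock zones as difference bound matrices, builds product edges on the fly according to rules 1 to 3 above (a label shared by several components is taken jointly, with guards conjoined and reset sets united), and explores the reachable (locations, zone) pairs with inclusion checking to decide whether a state satisfying Train@2 ∧ ¬Gate@2 is reachable. The Train, Gate and Controller automata are a constructed model after Figure 2.3: the guard H1 > 2 on `in` and the 5-minute approach-to-exit bound are from the text, while the gate and controller constants are assumptions, because the figure is not reproduced here.

```python
"""Added example (not from the thesis): zone-based reachability over the
synchronous product of timed automata, used to check the level-crossing
safety property of Example 2.6. Zones are difference bound matrices (DBMs).
The component automata are CONSTRUCTED after Figure 2.3; the gate and
controller constants are assumptions."""
from itertools import product

INF = 1 << 30                                   # "no bound"
def bound(c, strict):                           # encode (c, <) as 2c and (c, <=) as 2c+1
    return 2 * c + (0 if strict else 1)
def badd(x, y):                                 # sum of bounds: strict if either is strict
    return INF if x >= INF or y >= INF else x + y - ((x | y) & 1)

# A zone is a DBM D where D[i][j] bounds x_i - x_j; index 0 is the constant 0.
def close(D):                                   # canonical form (Floyd-Warshall)
    for k in range(len(D)):
        for i in range(len(D)):
            for j in range(len(D)):
                D[i][j] = min(D[i][j], badd(D[i][k], D[k][j]))
    return D
def empty(D):  return any(D[i][i] < bound(0, False) for i in range(len(D)))
def conj(D, i, j, b):                           # D and (x_i - x_j bounded by b)
    D = [r[:] for r in D]; D[i][j] = min(D[i][j], b); return close(D)
def reset(D, i):                                # D[x_i := 0], canonical form is preserved
    D = [r[:] for r in D]
    for j in range(len(D)):
        if j != i: D[i][j], D[j][i] = D[0][j], D[j][0]
    D[i][i] = bound(0, False)
    return D
def up(D):                                      # let time elapse: drop the upper bounds
    D = [r[:] for r in D]
    for i in range(1, len(D)): D[i][0] = INF
    return close(D)
def subset(D1, D2): return all(a <= b for r1, r2 in zip(D1, D2) for a, b in zip(r1, r2))
def apply_atoms(D, atoms):                      # conjoin atomic constraints (h, op, c)
    for h, op, c in atoms:
        i = CLOCKS[h]
        D = conj(D, i, 0, bound(c, op == '<')) if op in ('<', '<=') \
            else conj(D, 0, i, bound(-c, op == '>'))
    return D

CLOCKS = {'H1': 1, 'H2': 2, 'H3': 3}
# Component TA: alphabet A, edges E = (q, guard, label, resets, q'), invariants I.
TRAIN = dict(A={'approach', 'in', 'exit'},
    E=[(0, [], 'approach', ['H1'], 1), (1, [('H1', '>', 2)], 'in', [], 2),
       (2, [('H1', '<=', 5)], 'exit', [], 0)],
    I={0: [], 1: [('H1', '<=', 5)], 2: [('H1', '<=', 5)]})
GATE = dict(A={'lower', 'down', 'raise', 'up'},                  # constants assumed
    E=[(0, [], 'lower', ['H2'], 1), (1, [('H2', '<=', 1)], 'down', [], 2),
       (2, [], 'raise', ['H2'], 3), (3, [('H2', '>=', 1)], 'up', [], 0)],
    I={0: [], 1: [('H2', '<=', 1)], 2: [], 3: [('H2', '<=', 2)]})
CONTROLLER = dict(A={'approach', 'lower', 'exit', 'raise'},      # constants assumed
    E=[(0, [], 'approach', ['H3'], 1), (1, [('H3', '>=', 1)], 'lower', [], 0),
       (0, [], 'exit', ['H3'], 2), (2, [], 'raise', [], 0)],
    I={0: [], 1: [('H3', '<=', 1)], 2: [('H3', '<=', 1)]})
SYSTEM = [TRAIN, GATE, CONTROLLER]              # Train | Gate | Controller
INIT = (0, 0, 0)

def invariant(D, locs):                         # I(q1, q2, q3) = I1(q1) and I2(q2) and I3(q3)
    for ta, q in zip(SYSTEM, locs): D = apply_atoms(D, ta['I'][q])
    return D

def successors(locs, D):
    """Product edges built on the fly: every component whose alphabet contains the
    label moves at once (guards conjoined, resets united); the others stay put."""
    for lab in set().union(*(ta['A'] for ta in SYSTEM)):
        parts = [i for i, ta in enumerate(SYSTEM) if lab in ta['A']]
        choices = [[e for e in SYSTEM[i]['E'] if e[0] == locs[i] and e[2] == lab]
                   for i in parts]
        for combo in product(*choices):
            Z, new = D, list(locs)
            for i, (_, guard, _, _, q2) in zip(parts, combo):
                Z, new[i] = apply_atoms(Z, guard), q2
            if empty(Z): continue
            for h in {h for e in combo for h in e[3]}: Z = reset(Z, CLOCKS[h])
            Z = invariant(Z, new)
            if not empty(Z): yield tuple(new), invariant(up(Z), new)

def reachable(pred):
    """Forward exploration with inclusion checking: True iff some reachable
    symbolic state (locations, zone) has locations satisfying pred."""
    n = len(CLOCKS) + 1
    Z0 = invariant(up(invariant([[bound(0, False)] * n for _ in range(n)], INIT)), INIT)
    passed, work = {}, [(INIT, Z0)]
    while work:
        locs, Z = work.pop()
        if any(subset(Z, P) for P in passed.get(locs, [])): continue
        passed.setdefault(locs, []).append(Z)
        if pred(locs): return True
        work.extend(successors(locs, Z))
    return False

def crossing_is_safe():                          # Example 2.6: Train@2 and not Gate@2
    return not reachable(lambda l: l[0] == 2 and l[1] != 2)
```

With the assumed constants the controller requests `lower` exactly one minute after `approach` and the gate is down within a further minute, so the train (which needs H1 > 2 to enter) only ever finds the gate in location 2; `crossing_is_safe()` returns `True`, while `reachable(lambda l: l[0] == 2)` confirms that the crossing is actually entered. The inclusion check on canonical DBMs is what keeps the exploration finite here; for automata with unbounded clock growth an extrapolation step would be needed in addition.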
2.6.2 Automata 
We can go beyond checking simple state properties and check properties of 
executions by reasoning about the system in the context of a testing (observer) 
automaton. Given a TA AM which models the behaviour of a system, a test 
TA As is constructed to capture a property specification, and the composition 
AM I As is checked to see if some error state is reachable. Using this technique 
it is possible, for example, to test a bounded response property, i.e., that the 
occurrence of a stimulus is followed by a response within a bounded period of 
time. 
Example 2.7 Figure 2.4¹ shows a test automaton for the level crossing control 
system. The test automaton is used to check the bounded response property 
'the gate is always raised strictly within 10 minutes of being lowered'. We con-
sider the behaviour of the composition Train | Gate | Controller | Test. 
A down action in Gate synchronises with a down action in Test, causing a tran-
sition in Test to location 1, resetting the test clock Ht. The invariant Ht <= 
10 ensures that control can reside at Test.1 for no more than 10 minutes. At 
any time before 10 minutes, an occurrence of any action other than up leaves 
control at Test.1; an up action returns control to Test.0. When 10 minutes 
have passed at Test.1, the only possible action for Test is fail, which takes 
control to the error location Test.2. The bounded response property for the 
system is satisfied iff it is not possible to reach a state satisfying Test@2. □ 
The approach to property checking via test automata is closely related to 
classical verification methods based on language containment [AD94, Kur94, 
Tho90]. We give a brief introduction to the use of such a method for timed 
systems. 
Let $A_M$ be a TA defining a system model and $A_S$ a TA, extended with 
an acceptance condition, which defines a property specification. Let $L_M = 
\Xi^{\infty}(\sigma_I)$ be the set of non-Zeno executions of $A_M$ and $L_S = \{e \in \Xi^{\infty}(\sigma_I) \mid 
e \text{ satisfies the acceptance condition of } A_S\}$ the set of those non-Zeno executions 
of $A_S$ which satisfy its acceptance condition; $L_M$ is called the language of $A_M$ 
and $L_S$ the language of $A_S$. The system model satisfies the specification iff 
$L_M \subseteq L_S$, i.e., if the language $L_M \cap \overline{L_S} = \emptyset$. Intuitively, $A_S$ defines the set 
of all allowed executions and $A_M$ defines the set of all possible executions of 
the system. The verification problem is to show that all possible executions are 
allowed or, equivalently, that no disallowed execution is possible. Attention is 
restricted to the non-Zeno executions since they are the only ones which can 
reasonably be judged to model the behaviour of a physical system. 
Fig. 2.4: Test automaton for bounded response (locations Test.0, Test.1, Test.2; edge labels visible in the extracted figure: down, {Ht}; \down; Ht<10, \up; Ht<10, up; invariant Ht<=10; Ht=10, fail) 
¹ Standard abbreviations are used in the figure to reduce its size: an edge labelled with a 
set of actions A represents a set of edges, one for each action in A; for any action a ∈ A, the 
notation \a stands for the set A \ {a}. 
Several acceptance conditions have been proposed in the literature [Tho90]. 
For timed systems, Büchi acceptance and Muller acceptance have received most 
attention [AD94]. Here we concentrate on Büchi acceptance. 
Büchi acceptance is defined for a TA $A = (Q, q_I, A, \mathcal{H}, E, I)$ augmented 
with a set $F \subseteq Q$ of accepting locations. In any execution, one or more loca-
tions are visited infinitely often. Let $\mathit{inf}(e)$ be the set of all infinitely occurring 
locations of the execution $e$. $e$ is accepted iff $\mathit{inf}(e) \cap F \neq \emptyset$, i.e. if some ac-
cepting state occurs infinitely often in it. A timed automaton extended with a 
Büchi acceptance condition is called a timed Büchi automaton (TBA). 
In practice, the test for language containment $L_M \subseteq L_S$ is usually imple-
mented by constructing the automaton $A_M \mid \overline{A_S}$ and checking for the absence 
of any acceptance cycle. A problem with this approach is the requirement to 
construct the complement $\overline{A_S}$ of the specification automaton $A_S$, since TBA 
are not closed under complementation. However, if $A_S$ is deterministic then 
it can be complemented effectively. The restriction to deterministic TBA still 
allows the expression of a wide range of specifications. An even more pragmatic 
approach to the problem of complementation is to avoid it entirely by requiring 
the specifier to provide $\overline{A_S}$ directly, rather than $A_S$. This approach is adopted, 
for example, in [Tri98] where an efficient algorithm is given for testing TBA 
emptiness. 
Example 2.8 Figure 2.5² shows a deterministic TBA which specifies the bounded 
response property for the level crossing control system. □ 
² Accepting locations are shown as a double circle, as usual. 
Fig. 2.5: TBA for bounded response (edge labels visible in the extracted figure: down, {Ht}; \down; Ht<10, \up; Ht<10, up) 
2.6.3 Temporal Logic 
Temporal logic [Eme90] was developed originally in the field of philosophy, 
where it was used to describe and reason about how the truth values of asser-
tions vary with time. For some assertion $\phi$, typical temporal operators include 
sometime $\phi$, which is true now if $\phi$ will become true at some time in the 
future, and always $\phi$, which is true now if $\phi$ is true now and forever more. 
Pnueli [Pnu77] was the first to show how temporal logic could be used to rea-
son about the behaviour of computer programs, particularly reactive programs 
such as operating systems and communication protocols. This early work often 
involved a difficult manual construction of the proof of some program property. 
Interest in the use of temporal logic for program specification increased when 
it was shown that the validity of a specification for a given program could be 
determined automatically by model checking [CE81, QS81], i.e., by checking 
the truth or falsehood of the specification when interpreted using the program 
as a model. The EMC model checker, developed at Carnegie Mellon, allowed 
small programs to be checked automatically in linear time for satisfaction of 
specifications written in the branching time logic CTL [CES86]. Activity in the 
area intensified with the introduction of symbolic methods [BCM+92, McM92] 
which facilitate the storage of the large state spaces which arise in the checking 
of realistic programs. The extension of temporal logics with explicit references 
to time quantities was motivated by the desire to apply temporal logic to the 
specification and verification of real-time programs, where, for example, it is 
not enough to assert just "sometime $\phi$", but rather "sometime within the next 
5 seconds $\phi$". Early quantitative temporal logics were based upon a discrete 
model of time [AH93, Eme91, EMSS90, HLP90, Ost86]. However, the decid-
ability of the model-checking problem for a dense time model was demonstrated 
in [ACD90] which introduced Timed Computation Tree Logic (TCTL), a timed 
extension of CTL. The usefulness of this result was advanced by [HNSY94] 
which gave a practical method for implementing the model-checking of timed 
automata with respect to TCTL specifications; this method has been imple-
mented in the verification tool KRONOS [BDM+98]. An efficient, on-the-fly 
implementation of model-checking for TECTL$_\Delta$, a logic strictly more expressive 
than TCTL, is proposed in [BTY97]. 
It is outside the scope of this dissertation to provide a detailed survey of 
temporal logics and model-checking, for which we refer the reader to the literature 
[AH91, CGP99, Eme90, Yov97]; however, we do provide an introduction 
to TCTL, since it is used in the rest of the dissertation for specifying real-time 
properties. 
TCTL: Syntax and Semantics 
Let $\mathcal{I}$ denote the set of all intervals of $\mathbb{R}$ of the form $[c, c']$, $[c, c')$, $(c, c']$, $(c, c')$, 
$[c, \infty)$ and $(c, \infty)$ where $c, c' \in \mathbb{N}$. The set of TCTL formulas is defined by the 
following syntax: 
where $p$ is a state formula and $I \in \mathcal{I}$ is an interval. 
Let $A$ be a TA. TCTL formulas are interpreted with respect to the transition 
system $\mathcal{T}[\![A]\!] = (\Sigma, \sigma_I, L, \to)$, and a satisfaction relation $\Vdash$ for state formulas 
$p$. The fact that a state $\sigma \in \Sigma$ satisfies a TCTL formula $\phi$ is denoted $\sigma \models_{(A, \Vdash)} \phi$ 
(the subscript is usually omitted to avoid clutter). The dense nature of the 
time model requires us to take some care in the definition of satisfaction for 
TCTL and it is helpful to introduce some further notation before giving a 
formal definition. For a state $\sigma$, the temporal modalities $\exists U_I$ and $\forall U_I$ are 
interpreted with respect to the non-Zeno executions starting from $\sigma$, i.e., $\Xi_A(\sigma)$. 
Suppose $e \in \Xi_A(\sigma)$ is such an execution, along which we see the partial sequence 
$\ldots \sigma_i \xrightarrow{t} \sigma_{i+1} \ldots$. In interpreting a formula such as $\phi_1\, \exists U_I\, \phi_2$, we are required, 
by the dense nature of time, to consider the truth values of the sub-formulas $\phi_1$ 
and $\phi_2$, not only at $\sigma_i$ and $\sigma_{i+1}$, but also at all states between them, as time 
passes for $t$ time units. This motivates the introduction of the idea of a position 
along an execution, where for an execution $e \in \Xi_A(\sigma)$ a position of $e$ is a pair 
$(i, t) \in \mathbb{N} \times \mathbb{R}$ such that $t \le \delta_e(i)$. We denote by $\Pi_e$ the set of all positions of $e$. 
Positions are ordered lexicographically so that $(i, t) \le (j, t')$ iff $i < j$, or $i = j$ 
and $t \le t'$. Given an execution $e$ and a position $(i, t)$ of $e$, we use $e(i, t)$ to 
denote the state $e(i) + t$, and $\Delta_e(i, t)$ to denote $\Delta_e(i) + t$. We can now define 
$\sigma \models \phi$ as follows: 
$$\begin{array}{lcl}
\sigma \models p & \text{iff} & \sigma \Vdash p \\
\sigma \models \neg\phi & \text{iff} & \sigma \not\models \phi \\
\sigma \models \phi_1 \vee \phi_2 & \text{iff} & \sigma \models \phi_1 \text{ or } \sigma \models \phi_2 \\
\sigma \models \phi_1\, \exists U_I\, \phi_2 & \text{iff} & \exists e \in \Xi_A(\sigma) \,.\, \exists \pi \in \Pi_e \,.\, \Delta_e(\pi) \in I \wedge e(\pi) \models \phi_2 \wedge \\
& & \quad \forall \pi' \le \pi \,.\, e(\pi') \models \phi_1 \vee \phi_2 \\
\sigma \models \phi_1\, \forall U_I\, \phi_2 & \text{iff} & \forall e \in \Xi_A(\sigma) \,.\, \exists \pi \in \Pi_e \,.\, \Delta_e(\pi) \in I \wedge e(\pi) \models \phi_2 \wedge \\
& & \quad \forall \pi' \le \pi \,.\, e(\pi') \models \phi_1 \vee \phi_2
\end{array}$$
A TA $A$ is said to satisfy a TCTL formula $\phi$, denoted $A \models \phi$, if the initial state 
$\sigma_I$ satisfies $\phi$. 
The only tricky parts in the definition of satisfaction concern the operators 
3U/ and VU/. The intention is that a state a satisfies the formula 4>1 3U/ 4>2 
if there is some position along a non-Zeno run starting from a which satisfies 
4>2, and the time elapsed in the run up to that position lies within the interval 
I, and finally that 4>1 is satisfied continuously throughout the run up to that 
2. Models, Specifications and Correctness 31 
position. In fact, the formal statement of the final condition is that $\phi_1 \vee \phi_2$ is 
satisfied continuously until $\phi_2$ is satisfied. This modification is required to com-
ply with the dense nature of the time domain, as explained in [HNSY94]. The 
interpretation for $\forall U_I$ is similar, the only difference being that the conditions 
must be satisfied by all non-Zeno runs from $\sigma$. 
A number of abbreviations are commonly used: 

$\exists\Diamond_I\, \phi \triangleq \mathit{true} \,\exists U_I\, \phi$ 
$\forall\Diamond_I\, \phi \triangleq \mathit{true} \,\forall U_I\, \phi$ 
$\exists\Box_I\, \phi \triangleq \neg\forall\Diamond_I\, \neg\phi$ 
$\forall\Box_I\, \phi \triangleq \neg\exists\Diamond_I\, \neg\phi$ 

Other abbreviations are used to simplify the notation for intervals: for example, 
$\forall\Box_{\leq 5}\, \phi$ is equivalent to $\forall\Box_{[0,5]}\, \phi$ and $\exists\Diamond\, \phi$ is equivalent to $\exists\Diamond_{[0,\infty)}\, \phi$. 
Property Specification Patterns 
It is not always easy to construct a temporal logic formula which specifies pre-
cisely a given property, e.g. the specification of a property of periodicity with 
bounded jitter will be seen shortly to require some effort. This problem has 
received some attention with respect to the qualitative logics LTL and CTL, 
for which specification patterns have been identified for a variety of commonly 
required properties [DAC98]. It is possible to apply this approach also to quan-
titative logics like TCTL. We give here a small selection of some simple property 
patterns. 
Invariance $\forall\Box\, \phi$ - $\phi$ is invariantly true, i.e., it holds in all states along all 
executions. 
Bounded Invariance $\forall\Box_I\, \phi$ - $\phi$ is satisfied continuously throughout the in-
terval $I$. 
Bounded Inevitability $\forall\Diamond_I\, \phi$ - $\phi$ is satisfied eventually at some time within 
the interval $I$. 
Bounded Potentiality $\exists\Diamond_I\, \phi$ - $\phi$ is satisfied eventually at some time within 
the interval $I$, along at least one execution. 
Upper Bounded Response $\forall\Box(\phi_1 \supset \forall\Diamond_{<t}\, \phi_2)$ - $\phi_2$ is satisfied within at 
most $t$ time units of the satisfaction of $\phi_1$. 
Lower Bounded Response $\forall\Box(\phi_1 \supset \neg\exists\Diamond_{<t}\, \phi_2)$ - satisfaction of $\phi_2$ is 
separated by at least $t$ time units from the satisfaction of $\phi_1$. 
Non-Zenoness $\mathit{init} \supset \forall\Box\, \exists\Diamond_{=1}\, \mathit{true}$ - Assume that $\mathit{init}$ uniquely charac-
terises the initial state of a system. Then, the truth of this formula 
implies that the system is non-Zeno, i.e. that from any reachable state, 
time can progress without bound [HNSY94]. 
Periodicity with bounded jitter $\forall\Diamond\, \phi \wedge \forall\Box(\phi \supset \forall\Diamond_{\leq t}((\forall\Box_{<t_1}\, \neg\phi) \wedge (\forall\Diamond_{<t_2}\, \phi)))$ 
- Assume that $\phi$ stands for $\mathit{enable}(a)$ which holds iff the 
action $a$ is enabled. Assume also that $a$ always occurs within $t$ time 
units of becoming enabled. Then the formula above specifies that $a$ oc-
curs periodically, the distance between occurrences being in the interval 
$[t_1, t_2 + t]$. 
There is a need for a more systematic approach to the development of property 
patterns for TCTL, with a view to developing a useful library. 
Example 2.9 Consider again the level crossing controller of Figure 2.3. The 
safety property 'the gate is closed whenever the train is in the crossing' can 
be expressed in TCTL as $\mathit{init} \supset \forall\Box(\mathit{TrainOO} \supset \mathit{GateOO})$, and the bounded 
response property 'the gate is always opened within 10 seconds of being closed' 
as $\mathit{init} \supset \forall\Box(\mathit{GateOO} \supset \forall\Diamond_{<10}\, \mathit{Gate@()})$. □ 
2.6.4 Discussion 
Naturally enough, the literature on both timed and untimed formalisms is 
replete with discussions concerning the pros and cons of specification using 
automata and temporal logic, and of the relationship between them [AH91, 
BVW94, DW99, GPVW95, HKV96, Var96, VW86, VW94]. A prevalent view 
is that automata, because of their explicit structure and simple, operational se-
mantics, are better suited to the construction of verification algorithms, while 
temporal logics, because of their concise, more readable syntax, are better suited 
to the expression of specifications. An obvious direction to follow in the search 
for practical and usable formal methods is to see to what extent it is possible to 
automate the translation of specifications expressed in temporal logic to equiva-
lent automata which can be used for verification. In the case of the qualitative, 
linear-time logic LTL, this has been achieved [GPVW95] and found to lead to 
an efficient, on-the-fly model checking procedure which has been implemented 
in the verification tool SPIN [Hol96]. 
A similar relationship between the branching-time logic CTL and alter-
nating tree automata has been established in [BVW94]. This work has been 
extended to TCTL in [HKV96] and the relationship between TCTL and timed 
alternating tree automata is further developed in [DW99]. Although this 
work lays the theoretical foundations for efficient, on-the-fly model checking 
for TCTL, we know of no implementations of the ideas or experimental results 
which demonstrate their effectiveness in practice. 
The relationship between temporal logic and testing automata is studied 
in [ABL98]. The authors introduce a restricted safety and bounded liveness 
logic (SBLL) and demonstrate that for any closed formula $\phi$ of SBLL and any 
TA $\mathcal{A}_M$, there is a test automaton $\mathcal{A}_\phi$ such that $\mathcal{A}_M$ satisfies $\phi$ iff no error 
state is reachable in $\mathcal{A}_M \mid \mathcal{A}_\phi$.$^3$ Moreover, they show how to construct $\mathcal{A}_\phi$ 
automatically from $\phi$. In [ABBL98], a complete characterisation is provided 
of the class of properties of TA for which model-checking can be reduced to 
reachability analysis in the context of testing automata. 
$^3$ The notions of satisfaction and parallel composition used in [ABL98] differ somewhat from 
those used in this dissertation, but their work is of interest and relevance, even so. 
In conclusion, we remark that a variety of techniques are useful in property 
specification. Most often, specifications are more succinctly and clearly ex-
pressed with temporal logic than with automata. Even so, support in the form 
of a library of specification templates would be welcome. Restricting oneself 
to a logic such as SBLL allows for the automatic generation of test automata 
which can be used in model-checking based on efficient reachability techniques. 
However, the use of a logic such as TCTL permits the expression of a wider 
range of properties. Quite often, human ingenuity enables us to construct a test 
automaton or annotate an existing automaton in such a way that a verification 
problem can be solved more efficiently, but in adopting this approach, we need 
to be especially vigilant that we have really specified the property that was 
intended. 
2.7 Verification 
Verification is the conclusive demonstration that a system model possesses some 
well-specified property. It can take many forms, depending on the form of 
the model and the property. In this work, we are concerned primarily with 
reachability analysis. We assume that a system model is given as a TA $\mathcal{A}$ and 
that the property of interest is the reachability of some set of target states from 
a specified source state, along some time-divergent run in the transition system 
$\mathcal{T}[\mathcal{A}]$. As we have seen, verification of safety properties of real-time systems can 
be formulated as reachability problems for TA. Also, the techniques developed 
in the solution of the reachability problem provide the basis for solutions to a 
wide variety of other verification problems such as model checking and language 
emptiness. The difficulty of the reachability problem for TA is caused by the 
infinite state spaces which inevitably arise because of the dense nature of the 
time domain. Solutions to the problem are based upon the identification of a 
finite number of classes of equivalent states which partition the infinite state 
space. We introduce the main ideas below. 
2.7.1 Region Equivalence 
The classic equivalence which is the foundation for most of the verification re-
sults on timed automata is the region equivalence [AD90, Alu91, ACD93, AD94]. 
Region equivalence has the crucial property of inducing a finite partition of the 
state space while preserving both linear time properties (such as reachability 
and TBA-emptiness) and branching time properties (such as TCTL satisfac-
tion). Informally, clock valuations are region equivalent if they agree on the 
integral parts of all clock values and on the ordering of the fractional parts of 
all clock values. This idea on its own does not lead to a finite number of equiv-
alence classes, since clock values can grow arbitrarily large. However once the 
value of a clock exceeds the largest constant c to which it is compared in a clock 
constraint, then its actual value is of no further interest - it is simply greater 
than $c$. These ideas, taken together, give the basis for a finite partitioning of 
the infinite space of clock valuations, which is presented formally below. 
Definition 2.13 (Region Equivalence) Let $t \in \mathbb{R}$. We denote by $\lfloor t \rfloor$ the 
greatest integer smaller than or equal to $t$ and by $\langle t \rangle$ the value $t - \lfloor t \rfloor$. Let $\mathcal{A}$ be 
a timed automaton with set of clocks $\mathcal{H} = \{h_1, h_2, \ldots, h_n\}$. For $i = 1, 2, \ldots, n$, 
let $c_i \geq c_{max}(\mathcal{A}, h_i)$. Two $\mathcal{H}$-valuations $v$ and $v'$ are region equivalent, denoted 
$v \cong v'$, iff for $1 \leq i, j \leq n$ the following conditions hold: 
1. $v(h_i) > c_i$ iff $v'(h_i) > c_i$ 
2. if $v(h_i) \leq c_i$ then 
(a) $\lfloor v(h_i) \rfloor = \lfloor v'(h_i) \rfloor$ 
(b) $\langle v(h_i) \rangle = 0$ iff $\langle v'(h_i) \rangle = 0$ 
(c) $\langle v(h_i) \rangle \leq \langle v(h_j) \rangle$ iff $\langle v'(h_i) \rangle \leq \langle v'(h_j) \rangle$ □ 
It can be shown that $\cong$ is an equivalence relation, whatever the values of 
$c_i$, and that it partitions $\mathbb{R}^\mathcal{H}$ into a finite number of equivalence classes, called 
clock regions. The clock region including $v$ is denoted $[v]$. A clock region of $\mathbb{R}^\mathcal{H}$ 
is known as an $\mathcal{H}$-region. A clock region $\rho$ is said to be unbounded if for all $v \in \rho$, 
$v(h_i) > c_i$, for $i = 1, 2, \ldots, n$. Clearly, the values of all clocks in an unbounded 
region $\rho$ may grow without bound and $[v + t] = \rho$, for all $t \in \mathbb{R}$. It is a useful 
property of region equivalence that every clock region can be characterised 
uniquely by a clock constraint which it satisfies. When convenient, we will 
identify a clock region with the constraint which characterises it. 
Example 2.10 Figure 2.6 shows an example of the region equivalence for two 
clocks $h_1$ and $h_2$ with maximal constants $c_1 = c_2 = 2$. Some characteristic 
constraints are shown. □ 
The number of clock regions is finite and bounded from above [ACD93] by 

$n! \cdot 2^n \cdot \prod_{i=1}^{n} (2 \cdot c_i + 2)$ 

It can be shown that for any clock constraint $\psi$ of $\mathcal{A}$, if $v \cong v'$ then $v \models \psi$ iff 
$v' \models \psi$. 
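As an added example (not part of the thesis), the following Python checks Definition 2.13 on exact rational valuations, builds the characteristic clock constraint of a region, and evaluates the bound above, instantiated with the two clocks $h_1, h_2$ and $c_1 = c_2 = 2$ of Example 2.10. One assumption is made here: condition 2(c) is compared only for pairs of clocks that are both bounded, since the fractional part of a clock above its constant no longer distinguishes valuations.

```python
"""Region equivalence (Definition 2.13) on exact clock valuations.

Added example, not from the thesis: a checker for v ~ v', the
characteristic clock constraint of the region [v], and the upper
bound on the number of regions, instantiated with the two clocks
h1, h2 and maximal constants c1 = c2 = 2 of Example 2.10.
"""
from fractions import Fraction
from itertools import combinations, permutations
from math import factorial, floor


def frac(t):
    """Fractional part <t> = t - floor(t)."""
    return t - floor(t)


def val(h1, h2):
    """Two-clock valuation from exact rationals given as strings, e.g. val("3/10", "7/10")."""
    return {"h1": Fraction(h1), "h2": Fraction(h2)}


def region_equivalent(v, w, cmax):
    """True iff valuations v and w (dict clock -> Fraction) are region equivalent.

    cmax maps each clock h_i to its maximal constant c_i. Condition 2(c),
    the ordering of fractional parts, is compared only for pairs of clocks
    that are both bounded (assumption made here: once a clock exceeds its
    constant, its fractional part no longer distinguishes valuations).
    """
    clocks = sorted(cmax)
    for h in clocks:
        # condition 1: agree on whether the clock exceeds its constant
        if (v[h] > cmax[h]) != (w[h] > cmax[h]):
            return False
        if v[h] <= cmax[h]:
            # 2(a) same integral part, 2(b) fractional part zero in both or neither
            if floor(v[h]) != floor(w[h]):
                return False
            if (frac(v[h]) == 0) != (frac(w[h]) == 0):
                return False
    # 2(c): same ordering of fractional parts, for every ordered pair (i, j)
    for hi, hj in permutations(clocks, 2):
        if v[hi] <= cmax[hi] and v[hj] <= cmax[hj]:
            if (frac(v[hi]) <= frac(v[hj])) != (frac(w[hi]) <= frac(w[hj])):
                return False
    return True


def region_constraint(v, cmax):
    """Characteristic clock constraint of [v], as a list of atomic constraints.

    Orderings of fractional parts are written as difference constraints:
    <v(hi)> < <v(hj)>  iff  hi - hj < floor(v(hi)) - floor(v(hj)).
    """
    atoms = []
    clocks = sorted(cmax)
    for h in clocks:
        if v[h] > cmax[h]:
            atoms.append(f"{h} > {cmax[h]}")
        elif frac(v[h]) == 0:
            atoms.append(f"{h} = {floor(v[h])}")
        else:
            atoms.append(f"{floor(v[h])} < {h} < {floor(v[h]) + 1}")
    for hi, hj in combinations(clocks, 2):
        if v[hi] > cmax[hi] or v[hj] > cmax[hj]:
            continue                      # an unbounded clock adds no ordering atom
        if frac(v[hi]) == 0 or frac(v[hj]) == 0:
            continue                      # ordering already fixed by the atoms above
        d = floor(v[hi]) - floor(v[hj])
        if frac(v[hi]) < frac(v[hj]):
            atoms.append(f"{hi} - {hj} < {d}")
        elif frac(v[hi]) > frac(v[hj]):
            atoms.append(f"{hi} - {hj} > {d}")
        else:
            atoms.append(f"{hi} - {hj} = {d}")
    return atoms


def region_count_bound(cmax):
    """Upper bound n! * 2^n * prod(2 c_i + 2) on the number of clock regions."""
    n = len(cmax)
    prod = 1
    for c in cmax.values():
        prod *= 2 * c + 2
    return factorial(n) * 2 ** n * prod


# Constructed instance of Example 2.10: clocks h1, h2 with c1 = c2 = 2.
CMAX = {"h1": 2, "h2": 2}
```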
2.7.2 Region Graph 
The region equivalence $\cong$ over clock valuations can be extended to an equiva-
lence relation over the state space of $\mathcal{A}$. Let $(\Sigma, \sigma_I, L, \rightarrow)$ be the transition sys-
tem of $\mathcal{A}$. Two states from $\Sigma$ are equivalent if they have identical locations and 
their clock valuations are region equivalent. Formally, for $(q, v), (q', v') \in \Sigma$, 
$(q, v) \cong (q', v')$ iff $q = q'$ and $v \cong v'$. The region (equivalence class) of 
$\sigma = (q, v)$ is denoted $[\sigma]$. The key property of region equivalence is its stability 
with respect to the transition relation of $\mathcal{A}$, stated as follows: 
Fig. 2.6: Clock regions on $\{h_1, h_2\}$ with $c_1 = c_2 = 2$ 
Proposition 2.1 (Stability of region equivalence) Let $\mathcal{T}[\mathcal{A}] = (\Sigma, \sigma_I, A \cup \mathbb{R}, \rightarrow)$ be the transition system of $\mathcal{A}$. Let $\sigma_1 \cong \sigma_2$. 
1. For all $a \in A$, whenever $\sigma_1 \xrightarrow{a} \sigma_1'$, there exists $\sigma_2'$ such that $\sigma_2 \xrightarrow{a} \sigma_2'$ and 
$\sigma_1' \cong \sigma_2'$. 
2. For all $t \in \mathbb{R}$, whenever $\sigma_1 \xrightarrow{t} \sigma_1'$, there exists $\sigma_2'$ and $t' \in \mathbb{R}$ such that 
$\sigma_2 \xrightarrow{t'} \sigma_2'$ and $\sigma_1' \cong \sigma_2'$. □ 
We can gain an informal understanding of stability by considering again the 
regions of Figure 2.6. A state change can occur either through a discrete tran-
sition or a time transition. For a discrete transition, if two states are in the 
same region then they satisfy the same set of guards and so if the transition 
is possible for one state then it is also possible for the other. In taking the 
transition, one or more of the clocks $h_1, h_2$ may be set to 0. Assume that $h_2$ is 
reset. This gives a projection onto the $h_1$ axis. It can be seen that equivalent 
states are projected to equivalent states. For a time transition, since both $h_1$ 
and $h_2$ increase at the same rate, the state change occurs along the diagonal 
at 45° to the $h_1$ axis. Again it can be seen that for any region and any pair 
of states within it, the sequence of regions encountered on the diagonal is the 
same. 
Definition 2.14 (Region Graph [ACD93, Yov97]) Let $\mathcal{T}[\mathcal{A}] = (\Sigma, \sigma_I, A \cup \mathbb{R}, \rightarrow)$. 
Let $\cong$ be a region equivalence for $\mathcal{A}$ over $\Sigma$. Let $\tau \notin A$ and 
$A_\tau = A \cup \{\tau\}$. The region graph $RG(\mathcal{A})$ is given by $(\Sigma_\cong, [\sigma_I], A_\tau, \rightarrow_{rg})$ where 
1. $\Sigma_\cong = \{[\sigma] \mid \sigma \in \Sigma\}$ 
2. $\rightarrow_{rg} \subseteq \Sigma_\cong \times A_\tau \times \Sigma_\cong$ is such that 
(a) for all $a \in A$ and for all $\rho, \rho' \in \Sigma_\cong$, $\rho \xrightarrow{a}_{rg} \rho'$ iff there exists $\sigma, \sigma' \in \Sigma$ 
such that $\rho = [\sigma]$, $\rho' = [\sigma']$, and $\sigma \xrightarrow{a} \sigma'$. 
(b) for all $\rho, \rho' \in \Sigma_\cong$, $\rho \xrightarrow{\tau}_{rg} \rho'$ iff 
i. $\rho = \rho'$ is an unbounded region, or 
ii. $\rho \neq \rho'$ and there exists $\sigma, \sigma' \in \Sigma$ and $t \in \mathbb{R}$ such that $\sigma \xrightarrow{t} \sigma'$, 
and $\rho = [\sigma]$ and $\rho' = [\sigma']$, and for all $t' \in \mathbb{R}$, if $t' \leq t$ then $[\sigma + t']$ 
is either $\rho$ or $\rho'$. □ 
In the region graph, the passage of time is indicated by the occurrence of a $\tau$-
transition which records the fact that time has passed but abstracts the exact 
amount of time elapsed. $RG(\mathcal{A})$ is known as a time-abstract transition system. 
From the stability of the region equivalence, it is clear that a state $\sigma'$ is 
reachable from a state $\sigma$ in the transition system of $\mathcal{A}$ iff $[\sigma']$ is reachable 
from $[\sigma]$ in the region graph of $\mathcal{A}$. It is also clear that $RG(\mathcal{A})$ is finite since 
$\Sigma_\cong = \{(q, [v]) \mid q \in Q \wedge v \in \mathbb{R}^\mathcal{H} \wedge v \models I(q)\}$ is finite, $A_\tau$ is finite and 
therefore $\rightarrow_{rg} \subseteq \Sigma_\cong \times A_\tau \times \Sigma_\cong$ is finite. It follows that reachability can be 
decided automatically by constructing and searching the region graph. Both 
forward and backward traversals of the region graph lead to effective algorithms. 
For example, a method based on forward traversal consists in starting from $[\sigma]$ 
and visiting the set of its successors and the successors of those and so on, until 
all reachable regions have been visited. In this way, we construct the sequence 
$Z_0 \subseteq Z_1 \subseteq \ldots$, such that 

$Z_0 = \{[\sigma]\}$ 
$Z_{i+1} = Z_i \cup \{\rho \mid \exists \rho_i \in Z_i \,.\, \rho_i \rightarrow_{rg} \rho\}$ 

Assume that $Z = \lim_{i \geq 0} Z_i$. Then, $[\sigma']$ is reachable from $[\sigma]$ iff $[\sigma'] \in Z$. 
2.7.3 Complexity of reachability 
A timed automaton $\mathcal{A}$ with $m$ locations and $n$ clocks, in which $c \geq c_{max}(\mathcal{A})$, 
gives rise to a region graph with at most $m \cdot n! \cdot 2^n \cdot (2c + 2)^n$ nodes. This 
bound is linear in the number of locations but exponential both in the number 
of clocks and the size of the constants appearing in the clock constraints. It can 
be shown that the number of edges in the region graph is similarly related to 
the number of locations and clocks and the size of constants [AD94]. In order 
to determine if a state $\sigma$ is reachable in $\mathcal{T}[\mathcal{A}]$, we search the region graph to 
see if $[\sigma]$ is reachable in $RG(\mathcal{A})$ - Figure 2.7 outlines an algorithm to achieve 
this. Such a search is linear in the number of nodes and edges of the region 
graph. Therefore, the complexity of the reachability problem for A is linear in 
the number of locations, exponential in the number of clocks and exponential 
in the size of the constants in the clock constraints. Formally, the problem 
is shown to be PSPACE-complete [AD94]. In fact, it is usually the case, in 
practice, that A is a product of component automata, so the region graph can 
be seen as being exponential also in the number of component automata. To 
summarise the causes of complexity, we can identify the following factors: 
1. the number of component automata 
2. the number of clocks 
3. the size of the constants in the clock constraints 

    VISITED := {(q_I, [0])} 
    WAITING := {(q_I, [0])} 
    while WAITING ≠ ∅ do 
        remove some ρ from WAITING 
        succ := {ρ_s | ρ →_rg ρ_s} 
        foreach ρ_s ∈ succ do 
            if ρ_s ∉ VISITED 
                add ρ_s to VISITED 
                add ρ_s to WAITING 
            fi 
        od 
    od 
Fig. 2.7: Region graph reachability 
The combination of these factors causes a rapid growth in the number of states 
which must be considered, as the size of the problem description increases. This 
rapid growth is known as the state explosion problem and is currently the most 
challenging of the technical difficulties to be addressed in the application of 
automated analysis to formal verification problems in the analysis of real-time 
systems. 
The state explosion problem 
Consider again the algorithm for generating reachable regions in Figure 2.7. It 
can be seen that the algorithm stores each region from the region graph in the 
set VISITED. For the purposes of this algorithm, a 'state' is equated with a 
region. Storing the set of VISITED states makes termination of the algorithm 
easy to determine and ensures that states are not explored (have their successors 
generated) more than once. However, because the number of states can be very 
large, the available computational resources may become exhausted before the 
problem is solved. A number of attacks on the state explosion problem can be 
suggested: 
1. generate fewer 'states', 
2. store fewer 'states', 
3. compress the 'state' store so that it requires less memory. 
Such methods may be orthogonal and so can be combined to produce even 
greater benefits. In the following section, we consider one such approach which 
has proven successful in practice and is the basis for some of the most effective 
verification tools currently in use. 
2. Models, Specifications and Correctness 38 
2.7.4 Constraint Solving 
The partitioning of the space of clock valuations which arises in the construc-
tion of the region graph, although finite, is very fine-grained. Consequently, 
implementations based directly on the region graph turn out to be not very 
efficient. In [HNSY94] a symbolic technique was proposed which works di-
rectly with the clock constraints which arise in the calculation of discrete- and 
time-predecessors (and successors). This technique leads to a much coarser par-
titioning of the state space. The method of [HNSY94] works in a 'backward' 
manner, whereby starting from a set of target locations, the set of all states 
from which it is possible to reach those locations is calculated - it is then sim-
ple to test if an initial state lies within this set. In fact, this method is used in 
solving the model-checking problem for TCTL rather than simple reachability. 
The main problems with a backward traversal of the state space are: 
• the whole of the potential state space may be considered rather than just 
that part which is reachable from an initial state; 
• an answer cannot be returned until the complete state space exploration 
terminates; 
• it is not easy to provide a diagnostic trace in the case that a violating 
state is found to be reachable. 
The idea of working symbolically with clock constraints in a 'forward' man-
ner seems to have arisen independently, at about the same time, in several 
groups [ACD+92, Oli94, YPD94]. This approach is often more efficient in prac-
tice, allows for a diagnostic trace to be provided when a property is found to 
be violated and is the basis of successful implementations [BLL+95, DOTY95]. 
We rely on 'forward' constraint solving techniques in Chapter 5 and provide an 
introduction below. 
Symbolic states 
A node in the region graph of a TA $\mathcal{A}$ is a 'symbolic' state which represents a 
(possibly infinite) number of states in the transition system of $\mathcal{A}$. Each node 
is of the form $(q, \rho)$ where $q$ is a location of $\mathcal{A}$ and $\rho$ is a clock region. Such a 
symbolic state represents the set of states $(q, v)$ where $v \in \rho$. We have seen that 
every clock region can be characterised by a clock constraint, so a node $(q, \rho)$ 
can be written as $(q, \psi)$ where $\psi$ is the characteristic formula of the region $\rho$. 
This idea can be extended by allowing $\psi$ to be a constraint which characterises 
a union of perhaps many clock regions. Formally, a symbolic state is defined 
as follows. 
Definition 2.15 (Symbolic state) Let $\mathcal{A} = (Q, q_I, A, \mathcal{H}, E, I)$ be a timed 
automaton. A symbolic state of $\mathcal{A}$ is a pair $(q, \psi)$ where $q \in Q$ is a location of 
$\mathcal{A}$ and $\psi \in \Psi_\mathcal{H}$ is a clock constraint. 
The meaning of a symbolic state $(q, \psi)$, denoted $[(q, \psi)]$, is the set of states 
$\{(q, v) \mid v \models \psi\}$. □ 
Let $Z$ be a set of symbolic states. We denote by $[Z]$ the set $\bigcup\{[(q, \psi)] \mid (q, \psi) \in Z\}$ 
and by $\mathit{locations}(Z)$ the set of locations $\{q \mid \exists \psi \in \Psi_\mathcal{H} \,.\, (q, \psi) \in Z\}$. 
The state space may be covered by a much smaller set of symbolic states 
of this form, and so the problem of state space explosion may be mitigated to 
some extent. In particular, a set of regions $Z$ can be represented as a united set 
of symbolic states $Z' = \{(q, \psi_q) \mid q \in Q \wedge \psi_q \in \Psi_\mathcal{H}\}$ in which there is at most 
one element $(q, \psi_q)$ for each location $q$, and $\psi_q$ is the characteristic formula for 
the set of all clock regions in $Z$ which are paired with the location $q$. 
Let $Z$ be a set of symbolic states. We denote by $\psi_q^Z$ the clock constraint char-
acterising the set of clock valuations associated with $q$ in $Z$, i.e., $[\psi_q^Z] = \bigcup\{[\psi] \mid (q, \psi) \in Z\}$. 
We use $\mathit{unite}(Z)$ to denote the set $\{(q, \psi_q^Z) \mid q \in \mathit{locations}(Z)\}$, 
and $Z_1 \uplus Z_2$ to denote $\mathit{unite}(Z_1 \cup Z_2)$ and $\biguplus_{i \in I} Z_i$ to denote $\mathit{unite}(\bigcup_{i \in I} Z_i)$. 
In the following section, we discuss the calculation of the discrete and time-
successors of symbolic states, and show how united sets of symbolic states can 
be used in the forward computation of reachable states. 
Forward computation of clock constraints 
Let $q \in Q$, $\psi \in \Psi_\mathcal{H}$ and $e = (q, \zeta, a, H, q') \in E$. We consider predicate 
transformers $\mathit{suc}_e(\psi)$ and $\mathit{suc}_\tau(\psi)$ which are needed in the calculation of discrete 
and time-successors, respectively, of a symbolic state $(q, \psi)$. 
On the one hand, $\mathit{suc}_e(\psi)$ denotes a clock constraint over $\mathcal{H}$ which charac-
terises the set of clock valuations which are reachable from the clock valuations 
in $\psi$ when a discrete transition is taken via the edge $e$, i.e., $\mathit{suc}_e(\psi)$ denotes a 
predicate satisfying 

$[\mathit{suc}_e(\psi)] = \{v[H := 0] \mid v \in \mathbb{R}^\mathcal{H} \wedge (v \models \psi \wedge \zeta) \wedge v[H := 0] \models I(q')\}$ 

On the other hand, $\mathit{suc}_\tau(\psi)$ denotes a clock constraint over $\mathcal{H}$ which charac-
terises the set of clock valuations which are reachable from the clock valuations 
in $\psi$ as time passes while control resides at $q$, i.e., $\mathit{suc}_\tau(\psi)$ denotes a predicate 
satisfying 

$[\mathit{suc}_\tau(\psi)] = \{v + t \mid v \in \mathbb{R}^\mathcal{H} \wedge t \in \mathbb{R} \wedge v \models \psi \wedge \forall t' \in \mathbb{R} \,.\, t' \leq t \Rightarrow v + t' \models I(q)\}$ 

Together, $\mathit{suc}_e(\psi)$ and $\mathit{suc}_\tau(\psi)$ can be used in solving the reachability prob-
lem by computing the sequence of sets of symbolic states $Z_0, Z_1, \ldots$ as follows: 

$Z_0 = \{(q, \psi)\}$ 
$Z_{i+1} = \{(q', \mathit{suc}_e(\psi)) \mid (q, \psi) \in Z_i \wedge e = (q, \zeta, a, H, q') \in E\} \uplus \{(q, \mathit{suc}_\tau(\psi)) \mid (q, \psi) \in Z_i\}$ 

Notice that $Z_i \subseteq \{(q, \mathit{suc}_\tau(\psi)) \mid (q, \psi) \in Z_i\}$. Let $Z = \lim_{i \geq 0} Z_i$. All 
states in a symbolic state $(q', \psi')$ are reachable from some state in $(q, \psi)$ iff 
$(q', \psi'') \in Z$ and $[\psi'] \subseteq [\psi'']$, i.e., $\psi'$ implies $\psi''$. 
2. Models, Specifications and Correctness 40 
Implementing the constraint solving approach 
In order to exploit these ideas in practice, it is necessary to see how it is possible 
to represent clock constraints and to implement the operations $\uplus$, $\mathit{suc}_e$ and $\mathit{suc}_\tau$ 
using this representation. As a first step, we observe that $\Psi_\mathcal{H}$ is closed under 
these operations for any timed automaton, i.e., the operations are always well-
defined - the reader is referred to [Oli94] for a proof. Next, we note that the 
adoption of a 'geometric' perspective leads to natural definitions of many of the 
operations which are needed and helps in acquiring an intuitive understanding 
of them. We follow this approach below. 
Polyhedra 
Let $\mathcal{H} = \{h_1, h_2, \ldots, h_n\}$ be a set of clocks. A union of $\mathcal{H}$-regions is an $\mathcal{H}$-
polyhedron in the $n$-dimensional Euclidean space, where an $\mathcal{H}$-polyhedron is 
simply the set of $\mathcal{H}$-valuations satisfying a clock constraint $\psi \in \Psi_\mathcal{H}$. It is 
often convenient, notationally, to identify a constraint with the $\mathcal{H}$-polyhedron 
which it defines, and so, for example, we will write $v \in \psi$ for $v \in [\psi]$, or $\psi_1 \cup \psi_2$ 
for $[\psi_1] \cup [\psi_2]$. 
A polyhedron is said to be convex, if for any two points within it, all points 
on the line segment joining them are also within it. Formally, an $\mathcal{H}$-polyhedron 
$\zeta$ is convex iff for any $v_1, v_2 \in \zeta$ and $t \in \mathbb{R}$ such that $0 < t < 1$, we have 
$t \cdot v_1 + (1 - t) \cdot v_2 \in \zeta$. This means that if $v$ and $v + t$ are clock valuations, both 
of which lie within a convex polyhedron $\psi$, then all valuations $v + t_1$, where 
$t_1 \leq t$, also lie within $\psi$. 
It can be shown that the set of convex $\mathcal{H}$-polyhedra coincides with the set 
$\mathcal{Z}_\mathcal{H}$ of clock zones, i.e., any convex $\mathcal{H}$-polyhedron can be expressed as a conjunc-
tion of atomic constraints, and any conjunction of atomic constraints defines 
a convex $\mathcal{H}$-polyhedron. Note that any non-convex $\mathcal{H}$-polyhedron, $\psi$, can be 
expressed as the union of a finite set of convex $\mathcal{H}$-polyhedra, $\bigcup\{\zeta_1, \zeta_2, \ldots, \zeta_m\}$. 
Example 2.11 Figure 2.8 shows (a) one convex and (b,c) two non-convex poly-
hedra, which are unions of clock regions and are defined by the constraints: 
a) $1 \leq h_1 \leq 3 \wedge 1 \leq h_2 \leq 3 \wedge -1 \leq h_2 - h_1 \leq 1$ 
b) $(0 \leq h_1 \leq 3 \wedge 0 \leq h_2 \leq 1 \wedge 0 \leq h_1 - h_2 \leq 2) \vee (1 \leq h_1 \leq 2 \wedge 2 \leq h_2 \leq 3)$ 
c) $(0 \leq h_1 \leq 1 \wedge 1 \leq h_2 \leq 3) \vee (1 \leq h_1 \leq 2 \wedge 1 \leq h_2 \leq 2)$ □ 
Operations on polyhedra 
In this section, we define a number of operations on polyhedra which are needed 
in the rest of the dissertation. Some of the operations are illustrated in Fig-
ure 2.9 where the result of each operation is indicated by the shaded part in 
each case. 
Fig. 2.8: Convex and Non-convex Polyhedra - panels (a), (b), (c), axes $h_1$ and $h_2$ with ticks 0, 2 
Basic operations Intersection, union and complementation are given imme-
diately by conjunction, disjunction and negation respectively, i.e., 
$\psi_1 \cap \psi_2 = \{v \in \mathbb{R}^\mathcal{H} \mid v \models \psi_1 \wedge \psi_2\}$, $\psi_1 \cup \psi_2 = \{v \in \mathbb{R}^\mathcal{H} \mid v \models \psi_1 \vee \psi_2\}$ and 
$\overline{\psi} = \{v \in \mathbb{R}^\mathcal{H} \mid v \models \neg\psi\}$ - examples of intersection and union are given in Figure 2.9 (a) 
and (b), respectively. Difference is defined as usual by $\psi_1 \setminus \psi_2 = \psi_1 \cap \overline{\psi_2}$ and 
the inclusion $\psi_1 \subseteq \psi_2$ is equivalent to $\psi_1 \setminus \psi_2 = \emptyset$. 
Convex hull The convex hull of two $\mathcal{H}$-polyhedra $\psi_1$ and $\psi_2$ is denoted $\psi_1 \sqcup \psi_2$, 
and is defined to be the smallest convex $\mathcal{H}$-polyhedron $\zeta$ which contains 
both $\psi_1$ and $\psi_2$, i.e., $\psi_1 \subseteq \zeta$ and $\psi_2 \subseteq \zeta$. Figure 2.9(c) gives an example of the 
convex hull operation. 
Projections The forward projection of an $\mathcal{H}$-polyhedron $\psi$, denoted $\nearrow\psi$, is 
the largest set of $\mathcal{H}$-valuations which can be obtained from the valuations in $\psi$ 
by the passage of time. Formally, 

$\nearrow\psi \triangleq \{v + t \mid v \in \psi \wedge t \in \mathbb{R}\}$ 

For a polyhedron $\psi$ on $\{h_1, h_2\}$, since $h_1$ and $h_2$ advance together in lock-step 
with the passage of time, the forward projection $\nearrow\psi$ encompasses all those 
valuations which can be reached from a valuation in $\psi$ by following the diagonal 
at 45° to the horizontal axis. Figure 2.9(d) shows an example. 
The operation giving the reset successors of an $\mathcal{H}$-polyhedron $\psi$, for a given 
reset set $H \subseteq \mathcal{H}$, is denoted $\psi[H := 0]$ and is defined by: 

$\psi[H := 0] \triangleq \{v[H := 0] \mid v \in \psi\}$ 

Intuitively, the reset of a clock $h_2$, for a polyhedron $\psi$, involves a projection of 
$\psi$ onto the $h_1$ axis - see Figure 2.9(e). 
c-closure The operation of c-closure, defined on convex polyhedra, is based 
on the idea that if the value of some clock exceeds a specified constant $c$ in each 
of two clock valuations, then that clock is not regarded as significant in distin-
guishing between them. The c-closure operation is used to ensure the finiteness 
Fig. 2.9: Operations on Polyhedra - (a) $\psi_1 \cap \psi_2$, (b) $\psi_1 \cup \psi_2$, (c) $\psi_1 \sqcup \psi_2$, (d) $\nearrow\psi$, (e) $\psi[h_2 := 0]$, (f) $\mathit{close}_c(\zeta)$; axes $h_1$ and $h_2$ 
of partitionings of the infinite space of clock valuations. We have seen a similar 
idea already in connection with the region graph (§2.7.2). c-closure appears 
in the literature under a variety of names, e.g., rounding [Won94], extrapola-
tion [DT98] and normalisation [Pet99]. The definition given here follows [Tri98]. 
Let $c \in \mathbb{N}$ and $v, v' \in \mathbb{R}^\mathcal{H}$. We say that $v$ and $v'$ are c-equivalent if: 
1. for any clock $h$, either $v(h) = v'(h)$, or $v(h) > c$ and $v'(h) > c$, and 
2. for any pair of clocks $h_1, h_2$, either $v(h_1) - v(h_2) = v'(h_1) - v'(h_2)$, or 
$v(h_1) - v(h_2) > c$ and $v'(h_1) - v'(h_2) > c$. 
For a convex $\mathcal{H}$-polyhedron $\zeta$, the c-closure of $\zeta$, denoted $\mathit{close}_c(\zeta)$, is defined 
to be the greatest convex $\mathcal{H}$-polyhedron $\zeta' \supseteq \zeta$ such that for all $v' \in \zeta'$ there 
exists $v \in \zeta$ and $v, v'$ are c-equivalent. $\zeta$ is said to be c-closed if $\mathit{close}_c(\zeta) = \zeta$. 
Figure 2.9(f) shows an example of c-closure. 
Proposition 2.2 c-closure satisfies the following properties: 
1. If $\zeta$ is c-closed then it is $c'$-closed, for any $c' \geq c$. 
2. If $\zeta_1$ and $\zeta_2$ are c-closed then $\zeta_1 \cap \zeta_2$ is also c-closed. 
3. For any $\zeta$, there exists a constant $c$ such that $\zeta$ is c-closed. 
4. For any constant $c$, there is a finite number of c-closed convex $\mathcal{H}$-polyhedra. 
Proof cf. Tripakis [Tri98] □ 
Properties of polyhedral operations 
Firstly, we identify those operations of the previous section which preserve 
convexity. 
Proposition 2.3 Let $\zeta, \zeta_1, \zeta_2$ be convex $\mathcal{H}$-polyhedra. Let $H \subseteq \mathcal{H}$ and $c \in \mathbb{N}$. 
Then, $\zeta_1 \cap \zeta_2$, $\zeta_1 \sqcup \zeta_2$, $\nearrow\zeta$, $\zeta[H := 0]$ and $\mathit{close}_c(\zeta)$ are all convex. 
Proof cf. Tripakis [Tri98] □ 
Proposition 2.4 Let $\mathcal{A}$ be a timed automaton with a set $\mathcal{H}$ of clocks and a set 
$E$ of edges with $e = (q, \zeta, a, H, q') \in E$. Let $\psi$ be an $\mathcal{H}$-polyhedron. The following 
equalities hold. 

$\mathit{suc}_e(\psi) = ((\psi \cap \zeta)[H := 0]) \cap I(q')$ 
$\mathit{suc}_\tau(\psi) = \nearrow\psi \cap I(q)$ 

Proof The equalities can be derived directly from the definitions of $\mathit{suc}_\tau$, $\mathit{suc}_e$ 
and the polyhedral operations. □ 
Proposition 2.4 leads some way towards an implementation of the constraint-
solving approach. In order to make further progress, we need to define an 
efficient representation for clock constraints and show how the polyhedral oper-
ations can be implemented on it. It is also necessary to consider the implications 
of the use of the $\uplus$ operator, which, in the general case, gives rise to non-convex 
polyhedra. The issues raised by this consideration are more easily discussed fol-
lowing the introduction of the difference bound matrix representation of clock 
constraints which is presented in the following section. 
2.7.5 Difference Bound Matrices 
The efficient implementation of algorithms for automatic analysis based on con-
straint solving relies upon a representation of polyhedra which is compact and 
which supports the operations identified in section 2.7.4. Dill [Dil89] introduced 
difference bound matrices (DBMs) for this purpose$^4$ and this data structure 
remains pre-eminent in the implementation of analysis tools for dense-time sys-
tems - KRONOS and UPPAAL are examples. We now present those details 
of DBMs and their use which will be needed later in the dissertation; more 
detailed presentations, including proofs, can be found in [Dil89, Oli94, Tri98, 
Yov93, Yov97]. 
$^4$ In fact, the data structure was known many years earlier [Bel57] and later had been used 
in the analysis of Time Petri nets [MB83] but Dill's paper revived interest and pointed the 
way to their use in the analysis of timed automata. 
Fig. 2.10: Representation of a convex polyhedron by DBM. The polyhedron drawn (axes $h_1$, $h_2$ with ticks 0, 2, 4) is $2 \leq h_1 \leq 4 \wedge 1 \leq h_2 \leq 3$; the two matrices $M$ and $M'$ differ only in the entries for $h_1 - h_2$ and $h_2 - h_1$: 

M     | h_0      | h_1      | h_2 
h_0   | (0, ≤)   | (-2, ≤)  | (-1, ≤) 
h_1   | (4, ≤)   | (0, ≤)   | (∞, <) 
h_2   | (3, ≤)   | (∞, <)   | (0, ≤) 

M'    | h_0      | h_1      | h_2 
h_0   | (0, ≤)   | (-2, ≤)  | (-1, ≤) 
h_1   | (4, ≤)   | (0, ≤)   | (3, ≤) 
h_2   | (3, ≤)   | (1, ≤)   | (0, ≤) 
Bounds 
A bound is a pair $(c, \prec) \in \mathbb{Z}_\infty \times \{<, \leq\}$, where $\mathbb{Z}_\infty = \mathbb{Z} \cup \{\infty\}$. Bounds are 
ordered as follows: $c < \infty$, for any $c \in \mathbb{Z}$, and $<$ is strictly less than $\leq$; we then 
take the usual lexicographic ordering where for all $(c, \prec), (c', \prec') \in \mathbb{Z}_\infty \times \{<, \leq\}$, 
$(c, \prec) < (c', \prec')$ if either $c < c'$, or $c = c'$ and $\prec < \prec'$. $(c, \prec) \leq (c', \prec')$ if 
$(c, \prec) < (c', \prec')$ or $c = c'$ and $\prec = \prec'$. 
The minimum of two bounds $(c, \prec), (c', \prec')$, denoted $\min((c, \prec), (c', \prec'))$, is 
$(c, \prec)$ if $(c, \prec) \leq (c', \prec')$ and $(c', \prec')$ otherwise. The maximum of two bounds 
$(c, \prec), (c', \prec')$, denoted $\max((c, \prec), (c', \prec'))$, is $(c, \prec)$ if $(c', \prec') \leq (c, \prec)$ and 
$(c', \prec')$ otherwise. The addition of bounds is defined by the following table: 

+        | (c', ≤)      | (c', <) 
(c, ≤)   | (c + c', ≤)  | (c + c', <) 
(c, <)   | (c + c', <)  | (c + c', <) 

Note that as usual $c + \infty = \infty + c = \infty$ for any $c \in \mathbb{Z}$. 
Representation of convex polyhedra

Let ℋ = {h_1, h_2, ..., h_n} be a set of clocks. The set Z_ℋ of convex ℋ-polyhedra contains elements which are given as the conjunction of atomic constraints. An atomic constraint of the form h_i - h_j ≺ c can be represented by associating the bound (c, ≺) with the pair of clocks h_i, h_j. A constraint such as h_i - h_j ≥ c is equivalent to h_j - h_i ≤ -c and so can be represented by associating the bound (-c, ≤) with h_j, h_i. In order to achieve a uniform representation, a new fictitious clock variable h_0 is introduced to represent the constant 0. This allows constraints such as h_i ≺ c to be represented as h_i - h_0 ≺ c. In this way, a convex ℋ-polyhedron can be encoded as an (n + 1) × (n + 1) square matrix M whose elements are bounds. Such a matrix is said to have dimension n. The element M_{i,j} gives the upper bound on the clock difference h_i - h_j. For example, the constraint h_2 < 9 is encoded as M_{2,0} = (9, <) and h_5 ≥ 6 by M_{0,5} = (-6, ≤). If h_i - h_j is unbounded then we set M_{i,j} = (∞, <). The set of ℋ-valuations defined by the DBM M, denoted [M], is the set {v ∈ ℝ^ℋ | ∀ i,j ∈ {0..n}. M_{i,j} = (c, ≺) ⇒ v(h_i) - v(h_j) ≺ c}. Notice that we silently extend v by requiring v(h_0) = 0.
Fig. 2.11: Weighted graph interpretation of a DBM 
Example 2.12 Let ζ = 2 ≤ h_1 ≤ 4 ∧ 1 ≤ h_2 ≤ 3 be a clock constraint. Figure 2.10 illustrates the convex polyhedron defined by ζ and the DBM M which represents it. □
A DBM can also be regarded as the adjacency matrix of a fully connected, weighted directed graph, where each clock is a node in the graph and each entry M_{i,j} gives the weight on the arc from h_i to h_j. Figure 2.11 shows the weighted graph corresponding to DBM M in Figure 2.10. We will use this interpretation whenever it is convenient in a given context.

Notice that there may be many DBMs which represent a given convex polyhedron, i.e., the representation is not unique. This can be observed in Figure 2.10 where M' represents the same polyhedron as M. A canonical representation is desirable since it allows certain semantic operations on polyhedra - the testing of equality, emptiness and inclusion, for example - to be reduced to syntactic operations on DBMs. An ordering on DBMs is induced by the ordering on bounds: M ≤ M' iff M_{i,j} ≤ M'_{i,j} for all 0 ≤ i,j ≤ n, where n is the dimension of M and M'. This ordering allows a canonical form M_ζ to be defined for any non-empty convex polyhedron ζ: we require that M_ζ ≤ M, for any DBM M representing ζ, i.e., in the canonical form, all bounds are as 'tight' as possible. The empty polyhedron is defined by any inconsistent set of constraints. We choose its canonical form arbitrarily to be one of the many possible representations, denoting it M_∅, where (M_∅)_{i,j} = (0, <), for 0 ≤ i,j ≤ n. If M is a DBM, then cf(M) denotes the canonical form of M and [cf(M)] = [M]. In Figure 2.10, M' = cf(M). It is now simple to test if two matrices represent the same constraint: M and M' represent the same constraint if cf(M) = cf(M'). Notice that [M_∅] = ∅ and so represents the constraint ff. The universal matrix U, which imposes the minimal constraints that clock differences should be at least 0 and less than ∞, is defined by: U_{i,j} = (0, ≤) if i = 0 or i = j, otherwise U_{i,j} = (∞, <). [U] = ℝ^ℋ and so represents the constraint tt.
mk_canonical(M)
begin
  for k = 0 to n do
    for i = 0 to n do
      for j = 0 to n do
        M_{i,j} := min(M_{i,j}, M_{i,k} + M_{k,j})
      od
      if M_{i,i} < (0, ≤) then return M_∅ fi
    od
  od
  return M
end

Fig. 2.12: Procedure to compute the canonical form of a DBM

Implementation of polyhedra operations
Canonical Form The canonical form M', of a DBM M of dimension n, can be computed from the interpretation of M as a weighted directed graph by requiring that, for all 0 ≤ i,j ≤ n, the weight M'_{i,j} = min{weight_M(p) | p is a path from h_i to h_j}, where a path p from h_i to h_j is any sequence of nodes h_i = h_{i_1}, h_{i_2}, ..., h_{i_m} = h_j and its weight in M, denoted weight_M(p), is given by M_{i_1,i_2} + M_{i_2,i_3} + ... + M_{i_{m-1},i_m}. If there is a cycle h_i = h_{i_1}, h_{i_2}, ..., h_{i_m} = h_i, such that weight_M(h_{i_1}, h_{i_2}, ..., h_{i_m}) < (0, ≤), then M represents the empty polyhedron - clearly, it cannot be the case that h_i - h_i < 0 - and its canonical form is M_∅, otherwise the canonical form of M is given by M'. We can calculate the canonical form of a DBM by using a version of the Floyd-Warshall all-pairs shortest path algorithm, as shown in Figure 2.12. It is apparent that the complexity of the algorithm is O((n + 1)^3) for a DBM of dimension n.
Intersection Given two DBMs M and M' of dimension n, representing the convex polyhedra ζ, ζ', respectively, then the intersection ζ ∩ ζ' is represented by the DBM M'', where M''_{i,j} = min(M_{i,j}, M'_{i,j}) for 0 ≤ i,j ≤ n. This is true even if M and M' are not in canonical form. However, M'' is not necessarily in canonical form even if both M and M' are.

Inclusion Let M and M' be the DBMs of dimension n which are the canonical representatives of the convex polyhedra ζ and ζ', respectively. ζ ⊆ ζ' iff M_{i,j} ≤ M'_{i,j} for 0 ≤ i,j ≤ n.

Convex hull Let the DBMs M and M' of dimension n be the canonical representatives of the convex ℋ-polyhedra ζ and ζ', respectively. The DBM M'' given by M''_{i,j} = max(M_{i,j}, M'_{i,j}), for 0 ≤ i,j ≤ n, is the canonical representative of the convex ℋ-polyhedron ζ'' = ζ ⊔ ζ'. If M and M' are not in canonical form, M'' still represents a convex polyhedron containing those represented by M and M', but it may not be the smallest one and it may not be in canonical form.
Projections Let ζ be a convex ℋ-polyhedron and let M be a DBM which represents ζ.

In the forward projection, ↗ζ, which models the elapse of time, all clock differences remain the same, since all clocks increase at the same rate; lower bounds also remain unchanged, since clock values never decrease; however all upper bounds are removed, since time can advance beyond any bound. Therefore, if M is in canonical form, then M' is the canonical DBM representing ↗ζ, where for 0 ≤ i,j ≤ n:

$$M'_{i,j} = \begin{cases} (\infty, <), & \text{if } i > 0 \wedge j = 0 \\ M_{i,j}, & \text{otherwise} \end{cases}$$

If M is not in canonical form, then M' represents a superset of the forward projection.
The operation giving the DBM M', representing the reset successors ζ[H := 0] of the polyhedron ζ, for the set of clocks H ⊆ ℋ, is computed quite simply. First, notice that resetting a single clock h_i ∈ H is the same as setting the value of h_i to the value of h_0. So, all constraints on h_0 in M become constraints on h_i in M'. If a pair of clocks h_i, h_j are both reset, then clearly the differences h_i - h_j and h_j - h_i become equal to 0. Finally, if neither of a pair of clocks h_i, h_j is reset then the differences h_i - h_j and h_j - h_i remain unchanged in M'. Formally, if M is the canonical representative of ζ, then M' is the canonical representative of ζ[H := 0], where for 0 ≤ i,j ≤ n, the entry M'_{i,j} satisfies the following:

$$M'_{i,j} = \begin{cases} (0, \le), & \text{if } h_i \in H \wedge h_j \in H \\ M_{0,j}, & \text{if } h_i \in H \wedge h_j \notin H \\ M_{i,0}, & \text{if } h_i \notin H \wedge h_j \in H \\ M_{i,j}, & \text{if } h_i \notin H \wedge h_j \notin H \end{cases}$$

If M is not in canonical form, then M' represents some convex ℋ-polyhedron ζ' ⊇ ζ[H := 0].
c-closure Given the canonical DBM M representing a polyhedron ζ, the c-closure of ζ, close_c(ζ), is canonically represented by the DBM M', where, for 0 ≤ i,j ≤ n:

$$M'_{i,j} = \begin{cases} (\infty, <), & \text{if } M_{i,j} > (c, \le) \wedge i \ne j \\ (-c, <), & \text{if } M_{i,j} + (c, \le) < (0, \le) \wedge i \ne j \\ M_{i,j}, & \text{otherwise} \end{cases}$$

That is, an upper bound such as h ≤ c', where c' > c, is replaced by h < ∞. Also, a lower bound such as h ≥ c', where c' > c, is replaced by h > c. All other bounds remain unchanged.
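The bound arithmetic, the DBM encoding of Example 2.12 and the operations just described (the canonical form of Fig. 2.12, intersection, inclusion, convex hull, forward projection, reset and c-closure), as an added Python example that is not part of the dissertation or of any of the tools it cites; the encoding of a bound as a pair (c, strict) and all function names are this example's own choices.

```python
"""Difference bound matrices (DBMs): bounds, the matrix encoding of a convex
polyhedron, the canonical form of Fig. 2.12 and the polyhedral operations.
A bound is a pair (c, strict): strict=True encodes '<', False encodes '<='.
A DBM of dimension n is an (n+1) x (n+1) list of lists; row and column 0
belong to the fictitious clock h0 that stands for the constant 0."""
from math import inf

ZERO_LE = (0, False)       # (0, <=)
UNBOUNDED = (inf, True)    # (inf, <)

def bound_key(b):
    # Lexicographic order on bounds: constant first, then '<' strictly below '<='.
    return (b[0], 0 if b[1] else 1)

def bound_min(a, b):
    return a if bound_key(a) <= bound_key(b) else b

def bound_add(a, b):
    # Addition table: strict iff a summand is strict; float arithmetic gives c + inf = inf.
    return (a[0] + b[0], a[1] or b[1])

def universal(n):
    # U: every difference is >= 0 and < inf; the diagonal is (0, <=).
    return [[ZERO_LE if i == 0 or i == j else UNBOUNDED
             for j in range(n + 1)] for i in range(n + 1)]

def empty(n):
    # M_empty: every entry (0, <), the chosen canonical form of the empty set.
    return [[(0, True)] * (n + 1) for _ in range(n + 1)]

def from_constraints(n, atoms):
    """atoms are (i, j, c, strict) meaning h_i - h_j < c (or <= c); j = 0 gives
    an upper bound on h_i, i = 0 a lower bound on h_j (since -h_j <= c)."""
    M = universal(n)
    for i, j, c, strict in atoms:
        M[i][j] = bound_min(M[i][j], (c, strict))
    return M

def canonical(M):
    """Floyd-Warshall tightening (Fig. 2.12); returns M_empty on a negative cycle."""
    n = len(M) - 1
    M = [row[:] for row in M]
    for k in range(n + 1):
        for i in range(n + 1):
            for j in range(n + 1):
                M[i][j] = bound_min(M[i][j], bound_add(M[i][k], M[k][j]))
            if bound_key(M[i][i]) < bound_key(ZERO_LE):   # h_i - h_i < 0: inconsistent
                return empty(n)
    return M

def contains(M, v):
    """Membership of a valuation v in [M]; v[0] must be 0 (the value of h0)."""
    for i, row in enumerate(M):
        for j, (c, strict) in enumerate(row):
            d = v[i] - v[j]
            if d > c or (strict and d == c):
                return False
    return True

def intersection(M, N):
    # Entrywise minimum, canonicalised afterwards because the minimum need not be.
    return canonical([[bound_min(a, b) for a, b in zip(r, s)] for r, s in zip(M, N)])

def includes(M, N):
    """[N] is a subset of [M]; both DBMs must be in canonical form."""
    return all(bound_key(b) <= bound_key(a) for r, s in zip(M, N) for a, b in zip(r, s))

def hull(M, N):
    """Convex hull of two canonical DBMs: the entrywise maximum."""
    return [[a if bound_key(b) <= bound_key(a) else b for a, b in zip(r, s)]
            for r, s in zip(M, N)]

def forward(M):
    """Time elapse: drop the upper bounds h_i - h0 <= c, keep everything else."""
    n = len(M) - 1
    return [[UNBOUNDED if i > 0 and j == 0 else M[i][j]
             for j in range(n + 1)] for i in range(n + 1)]

def reset(M, H):
    """Reset the clocks whose indices are in H: they inherit the bounds of h0."""
    n = len(M) - 1
    def entry(i, j):
        if i in H and j in H:
            return ZERO_LE
        return M[0][j] if i in H else M[i][0] if j in H else M[i][j]
    return [[entry(i, j) for j in range(n + 1)] for i in range(n + 1)]

def close_c(M, c):
    """c-closure: bounds whose constant exceeds c are weakened (i != j only)."""
    n = len(M) - 1
    def entry(i, j):
        b = M[i][j]
        if i != j and bound_key((c, False)) < bound_key(b):
            return UNBOUNDED                  # upper bound above c: dropped
        if i != j and bound_key(bound_add(b, (c, False))) < bound_key(ZERO_LE):
            return (-c, True)                 # lower bound above c: weakened to '> c'
        return b
    return [[entry(i, j) for j in range(n + 1)] for i in range(n + 1)]

# Example 2.12 (Fig. 2.10): 2 <= h1 <= 4 and 1 <= h2 <= 3, as four atoms.
EXAMPLE_2_12 = from_constraints(2, [(1, 0, 4, False), (0, 1, -2, False),
                                    (2, 0, 3, False), (0, 2, -1, False)])
```

Running canonical on EXAMPLE_2_12 fills in the two (∞, <) entries of M with (3, ≤) and (1, ≤), i.e. it produces M' of Fig. 2.10; intersecting the result with h_1 < 2 produces M_∅.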
Union and Complementation Clearly, Z_ℋ is not closed under union; this can be seen easily in Figure 2.9(b) which shows two convex polyhedra whose union is obviously non-convex. Similarly, complementation does not preserve convexity. However, as we have observed, any non-convex polyhedron ψ can be expressed as a finite union ∪{ζ_1, ζ_2, ..., ζ_m} of convex polyhedra. This means that we can represent ψ as the set {M_1, M_2, ..., M_m} where each M_i is the DBM encoding ζ_i. The representation of non-convex polyhedra as sets of DBMs has been implemented in tools such as KRONOS. It has been found that some polyhedral operations, projections for example, can still be implemented efficiently, but that others, such as intersection, are more expensive. A major problem, however, is that, in general, there is no obvious canonical form for a non-convex polyhedron. This is apparent in Figure 2.13 which shows a non-convex polyhedron and three of the possible ways in which it can be decomposed into convex polyhedra [Tri98]. It is not clear which, if any, of the decompositions is the most suitable canonical representative. The lack of a canonical form militates against the efficient testing of inclusion and equality. It is also difficult to check whether the union of two or more polyhedra is in fact convex, and so could be represented using a single DBM in order to reduce storage requirements.

Fig. 2.13: Convex decompositions of a non-convex polyhedron
2.7.6 Implementing constraint solving 
Avoiding non-convex polyhedra 
In the previous section, we have seen a number of pragmatic reasons for avoiding 
the use of non-convex polyhedra in implementing a constraint-solving approach 
to the reachability problem. This has motivated the investigation of meth-
ods which rely exclusively on convex polyhedra. Recall that the reachability 
problem can be solved by computing the limit of the sequence Z_0, Z_1, ..., where

$$Z_0 = \{(q, \psi)\}$$
$$Z_{j+1} = \{(q', suc_e(\psi)) \mid (q, \psi) \in Z_j \wedge e = (q, \zeta_e, a, H, q') \in E\} \uplus \{(q, suc_\tau(\psi)) \mid (q, \psi) \in Z_j\}$$

It has been shown already that suc_τ and suc_e preserve convexity. However, ⊎ can give rise to non-convex polyhedra, because of the union of clock zones which is implicit in its definition. This union can be avoided simply by replacing it with a convex hull. In order to do this, we redefine ψ^q_Z, so that, for a set of symbolic states Z, [ψ^q_Z] = ⊔{ψ | (q, ψ) ∈ Z}. If we modify the definitions of unite and ⊎ to make use of this new definition, then all operations required in computing Z_0, Z_1, ... preserve the convexity of polyhedra and so every clock constraint can be represented by a single DBM, with all of the efficiency gains which that implies. This approach has been adopted directly by Balarin [Bal96] who combines it with a representation of the complete state space using BDDs. The main problem with this method is that the convex hull gives only an (over-) approximation of the set of clock valuations associated with any location, and so, while the set of reachable states is clearly included in Z = lim_{i≥0} Z_i, it is clear that Z may also include states which are not in fact reachable. Moreover, the approximation errors accumulate over the sequence Z_0, Z_1, .... The consequence of this is that the verification problem runs the risk of being answered by a 'false negative': i.e., we may be told that a specification is not satisfied because a violating state is reachable, when, in fact, such a state occurs only among those 'extra' states added by the approximation.
Wong-Toi [Won95] proposes a solution to this problem in which a succession of 
over- and under-approximations is computed. If a violating state is reachable in 
an under-approximation, then the specification is not satisfied. If no violating 
state is reachable in an over-approximation, then the specification is satisfied. 
An increasingly accurate sequence of approximations is computed until the ver-
ification problem can be answered in this way. However, in some cases, it may 
be necessary to compute an approximation which captures the set of reachable 
states exactly, before the verification problem can be answered - this is less 
efficient than a direct computation of the exact set of reachable states. An 
alternative approach, which avoids the use of non-convex polyhedra and also 
avoids the use of approximations, is considered below. 
Simulation Graph 
In this section we consider a construction, the simulation graph [Oli94, DT98], 
which has appeared often in the literature of dense-time verification under 
a variety of names, including: set-graph [ACD+92, Won95], zone automa-
ton [AD96, AK95] and symbolic semantics [LPY95, Pet99]. We first give details 
of the construction and then consider the advantages and disadvantages of its 
use. 
Definition 2.16 (Simulation Graph) Let A = (Q, q_I, A, ℋ, E, I) be a TA. Let c be a constant at least as great as cmax(A). The simulation graph of A with respect to c, starting at the symbolic state z_0 = (q_0, ζ_0), is denoted SG(A, c, z_0), and is given by (Z, z_I, A, →sg), where Z ⊆ Q × Z_ℋ and →sg ⊆ Z × A × Z are the smallest sets satisfying:
1. z_I = (q_0, suc_τ(ζ_0)) ∈ Z
2. for every z = (q, ζ) ∈ Z and for every e = (q, ζ_e, a, H, q') ∈ E, if ζ' = close_c(suc_τ(suc_e(ζ))) ≠ ∅, then z' = (q', ζ') ∈ Z and (z, a, z') ∈ →sg. □

Notation. The simulation graph of A with respect to c, starting at the initial state (q_I, zero), is denoted simply by SG(A, c), and SG(A) denotes SG(A, cmax(A)).
Intuitively, a simulation graph of A is constructed by starting with a given 
symbolic state, and then allowing time to pass - rule 1, above; we then consider 
all the edges of A and look for any which can be taken from a node already in 
the graph; any possible edge transition is taken and time allowed to pass again, 
the successor node being added to the graph - rule 2, above; c-closure is used 
to ensure that the graph is finite; this process continues until all possible nodes 
and edges have been added to the graph. 
Let A = (Q, q_I, A, ℋ, E, I) be a TA with T[A] = (Σ, σ_I, L, →). Let c ≥ cmax(A) and z a symbolic state. We now state the two key properties of the simulation graph SG(A, c, z) = (Z, z_I, A, →sg).
Proposition 2.5 SG(A, c, z) is finite. 
Proof This follows immediately from the fact that the locations and edges of 
any TA are finite sets together with proposition 2.2(4). □
Proposition 2.6 (Correctness of simulation graph) Assume, without loss of generality, that z is the symbolic state (q_0, ζ_0), where ζ_0 denotes the convex ℋ-polyhedron which contains the single point v_0. Then,
• (Soundness) whenever (q_0, ζ_0) →*sg (q_f, ζ_f) then (q_0, v_0) →* (q_f, v_f), for all v_f ∈ ζ_f;
• (Completeness) whenever (q_0, v_0) →* (q_f, v_f) then (q_0, ζ_0) →*sg (q_f, ζ_f) for some ζ_f such that v_f ∈ ζ_f.
Proof Straightforward adaptation of theorem 4.1 in Pettersson [Pet99]. □
It is clear from Proposition 2.6 that the reachability problem can be solved 
by searching the simulation graph: in order to determine if (q', v') is reachable 
from (q, v) in the transition system of A, it suffices to construct the simulation 
graph SG(A, cmax(A), z) where z = (q, {v}); if there is a node (q'', ζ'') such that q' = q'' and v' ∈ ζ'' then the answer is 'yes', otherwise the answer is 'no'.
Figure 2.14 outlines an algorithm which implements this approach. 
There are several reasons why reachability analysis based on the simulation 
graph has been applied successfully: 
• Only convex polyhedra are needed in the implementation of the algorithm. 
We have already seen that there are efficient algorithms for manipulat-
ing the DBM representation of convex polyhedra which ensures that the 
membership test at line 9, the generation of successors at lines 12-13, the 
test for emptiness at line 13 and the implicit equality test at line 15 can 
all be computed effectively. 
1  input
2    A = (Q, q_I, A, ℋ, E, I), c = cmax(A),
3    initial state (q, v), final state (q', v')
4  begin
5    VISITED := {(q, {v})};
6    WAITING := {(q, {v})};
7    while WAITING ≠ ∅ do
8      remove some (q'', ζ'') from WAITING
9      if (q' = q'') ∧ (v' ∈ ζ'')
10     then return 'yes'
11     else
12       succ := {(q_s, ζ_s) | e = (q'', _, _, _, q_s) ∈ E ∧
13                ζ_s = close_c(suc_τ(suc_e(ζ''))) ≠ ∅};
14       foreach (q_s, ζ_s) ∈ succ do
15         if (q_s, ζ_s) ∉ VISITED
16           add (q_s, ζ_s) to VISITED;
17           add (q_s, ζ_s) to WAITING
18         fi
19       od
20     fi
21   od;
22   return 'no'
23 end

Fig. 2.14: An algorithm for reachability based on the simulation graph
• The reachability test is performed 'on-the-fly', i.e., it is not necessary to 
generate explicitly the complete product automaton of several TA, nor is 
it necessary to generate the full state space, before checking whether or 
not a particular state is reachable. The test (at line 9) can be performed 
as the state space is constructed, and, indeed, in many cases the algorithm 
will terminate when only a small fraction of the total number of states 
has been generated. 
• A diagnostic trail can be provided based on the contents of WAITING, 
assuming a stack implementation. In practice, this is of great assistance 
to the user in the modification of an incorrect system. 
• Although the theoretical bound on the size of the simulation graph is 
exponential in the number of clock regions [ACD+92], in practice, far 
fewer states are generated than in region graph algorithms - sensitivity 
to the size of constants in clock constraints is alleviated. 
More heuristics 
The size of the set VISITED of stored states can be reduced by employing two 
further heuristics, one of which preserves reachability exactly and the other of 
which preserves it conservatively. 
• Inclusion abstraction is based on the idea that for two symbolic states z_1 and z_2 such that z_1 ⊆ z_2, z_1 need not be explored, since any state in z_1 also belongs to z_2, and any successor of z_1 is also a successor of z_2. The implementation of this idea simply involves a modification of the test at line 15 from (q_s, ζ_s) ∉ VISITED to ¬∃ζ ∈ Z_ℋ. (q_s, ζ) ∈ VISITED ∧ ζ_s ⊆ ζ. The effect of this is that instead of checking that a successor state is not already in the set of visited states, we check that there is no visited state which 'covers' the successor state, in the sense of having the same control location and being associated with a set of clock valuations which includes all those of the successor. Clearly, this modification may reduce the number of symbolic states which are stored, while ensuring that all, and only, reachable states are considered. This technique is used in the tool UPPAAL [LPY97] and in later versions of KRONOS [BDM+98]. A proof of correctness can be found in [DT98, Tri98].
• Convex hull abstraction implements the proposal mentioned above, in the section on avoiding non-convex polyhedra. Once again, the idea is to tolerate an over-approximation of the set of reachable states with the compensation that it is necessary to keep only a single symbolic state (q, ζ) for each control location q. This can be implemented by replacing lines 15-18 with the following:

if ∃ζ ∈ Z_ℋ. (q_s, ζ) ∈ VISITED
then
  if ζ_s ⊈ ζ
  then
    add (q_s, ζ ⊔ ζ_s) to VISITED;
    add (q_s, ζ ⊔ ζ_s) to WAITING
  fi
else
  add (q_s, ζ_s) to VISITED;
  add (q_s, ζ_s) to WAITING
fi

The advantages and disadvantages of this approach have been discussed already.
2.7.7 Other attacks on state space explosion 
In addition to the symbolic constraint solving algorithms of the previous section, 
there are several other techniques which have been applied to the problem of 
state space explosion in the analysis of timed systems. It is outside the scope of 
this dissertation to give a detailed survey of the literature; instead, we briefly 
review some of the most significant ideas. 
Large grain partitions 
As we have seen, the primary objective of any verification algorithm for TA, is to 
identify a finite partitioning of the infinite space of clock valuations, where the 
partitioning respects the transition relation. Although the region graph satisfies 
this requirement, it produces a very fine partitioning with a large number of 
classes, and so leads to algorithms which often require more computational 
resources (memory and time) than are available. An interesting question is 
whether or not it is possible to construct a partitioning with the smallest number 
of classes needed to solve a given verification problem. This question can be 
answered positively in the case of timed bisimulation equivalence and model 
checking. 
The problem of constructing the quotient of a LTS with respect to an equiv-
alence relation is well-known in the setting of untimed systems, and generic 
algorithms exist to solve the problem [BFH+92, LY92]. These algorithms have 
been adapted to TA in [ACD+92, ACH+92], where it is shown how to simul-
taneously generate and minimise the reachable sub-LTS of a TA. Tripakis and 
Yovine [TY96] have shown how such minimisation can be performed more ef-
ficiently by adapting the idea from [YL93] of avoiding the costly operation of 
set complementation. Once constructed, the minimal model of a TA may be 
reduced still further with respect to untimed abstractions, and then checked 
for equivalence with an untimed specification automaton using a tool such as 
CADP [FGK+96]. 
A similar use of large-grained partitions is made by Sokolsky and Smolka [SS95, 
Sok96] to solve the full model-checking problem for a timed modal μ-calculus. 
In their approach, partition refinement is applied to a structure which models 
the 'product' of the symbolic state space and a graph representation of the 
property specification; their algorithm strives to construct the coarsest possible 
partitioning which allows the validity of the specification to be decided. Recent 
work by Lutje-Spelberg et al. [LSTA98] seeks to improve on this approach by 
using a more compact representation of the set of regions which a partition 
comprises. 
Partial Order Reduction 
In asynchronous system models, state space explosion is due partly to the mod-
elling of concurrency by interleaving, whereby the simultaneous occurrence of 
two or more events is represented by a set of executions which contains all pos-
sible orderings of those events. Partial order reduction exploits the observation 
that it is not always necessary to consider the whole set of such executions, but 
rather to consider only one representative from each of the classes of 'equivalent' 
executions [God96, Pel92, Val93]. The application of partial order techniques 
in tools for the analysis of untimed systems has demonstrated significant state 
space reduction [Hol96, HP94]. However, similar success has not (yet) been 
demonstrated for real-time systems. A major difficulty seems to be that the in-
dependence of system components is reduced by their need to synchronise with 
each other in respect of the passage of time [YS96, Pag96, Pag97]. Bengtsson et 
al. [BJLY98] have recently proposed the use of 'local' clocks in TA, which usu-
ally advance independently and are synchronised only when there is a need for 
communication. Dams et al. [DGKK98] suggest a different approach which in-
corporates a generalised notion of independence, called 'covering'. Both of these 
approaches are intended to allow a greater potential for independent behaviour 
and so to give a coarser partitioning of the set of executions into 'equivalent' 
classes. So far as we know, there are as yet no successful implementations of 
partial order reduction methods for dense real-time systems. 
Abstraction 
All modelling and analysis relies upon abstracting details from the system un-
der investigation, while keeping what is necessary to preserve the properties 
of interest. An extreme example of abstraction can be seen in approaches 
which abstract all details of data values from their models, leaving only con-
trol information. Less extreme methods of property-preserving abstraction, 
set within the framework of abstract interpretation [CC77], have been proposed 
in [CGL94, LGS+95, SBLS99]. Application to the verification of LTL properties 
is discussed in [KP98]. In the case of timed systems, the possibility of abstract-
ing all timing information initially, adding it only when it is known to be needed 
to demonstrate a given property, has been investigated in [AIKY95]. A different 
approach is adopted in [TY96], where timed models are constructed initially 
and then reduced according to a time-abstracting bisimulation. Daws and Tri-
pakis have placed a number of standard techniques for reducing the size of timed 
systems within the framework of property-preserving abstractions [DT98]. The 
problem of demonstrating that a timed system model is a correct abstraction 
of a more concrete system is considered in [TAKB96]. A combination of ab-
straction with other techniques is the norm. When used in conjunction with 
modular reasoning and/or theorem proving, it can extend the scope of model 
checking to systems with infinite state spaces [AAB+99, DF95, RSS95, SS99]. 
On-the-fly techniques 
A system model comprising a set of concurrent tasks exhibits state explosion 
when the product space is constructed. On-the-fly methods combat state ex-
plosion by solving a problem during the construction of the product space, 
rather than after it. This means that the full product space may not need to 
be constructed at all, and so state explosion can be avoided. This technique 
has been applied successfully in solving reachability problems [JJ91], computing 
behavioural equivalences and preorders [FM91], checking temporal logic prop-
erties [GPVW95, VW86] and minimising state graphs [BFH+92]. Extension of 
the technique to the solution of similar problems in timed systems has been 
considered in [BTY97, HKV96, TY96]. On-the-fly methods are most useful 
when debugging a system, i.e. when checking properties which turn out not to 
hold. It is difficult to avoid considering all reachable states when checking a 
true property. 
Symbolic methods 
The model checking approach was given a big boost by the work of McMillan in 
the late eighties [McM92]. He discovered that regularly structured state spaces, 
such as those derived from models of hardware components or communication 
protocols, can be represented very compactly using binary decision diagrams 
(BDDs) [Bry86]. The operations needed for model checking can be adapted to 
work with sets of states, represented as BDDs, rather than individual states. 
Using this technique, it is possible to verify systems having more than 10^20 
states [BCM+92]. So far, the benefits of such symbolic techniques have not 
been realised completely in the analysis of timed systems. We consider this 
problem in more detail in Chapter 5. 
Modular / Compositional Verification 
We have seen that many systems are implemented and modelled as the composi-
tion of several components. Yet another approach to avoiding the construction 
of the product of the component state spaces is to decompose a global system 
property into a number of local properties of one or more components, and then 
to prove that, if the local properties are satisfied, the global property is satis-
fied also. The intention here is to transform a single, large verification problem 
into several smaller problems [GL94]. In proving a local property, it is often 
convenient to assume that the environment behaves in a certain manner; it is 
then necessary for the other system components to guarantee this behaviour. 
The assume/guarantee paradigm is discussed in [HQR98]. The task of decom-
posing a problem can require significant insight and often defies automation. 
An approach which can be automated involves the computation of a quotient 
property with respect to some component which is then removed from the sys-
tem model, such that proving the quotient property in the reduced model is 
equivalent to proving the original property in the original model. Iteration of 
this technique allows a property to be verified automatically without having to 
construct the product state space. This approach has been applied to timed 
systems [KLL+97] and implemented in the model checker CMC [LL98]. A differ-
ent approach to automating compositional analysis is introduced in [LAB+98]. 
In this approach, backwards reachability analysis is performed using only those 
components which are required to determine the property of interest. De-
pendency analysis is used to determine which components are relevant. The 
technique has been applied successfully to embedded systems but its scope has 
not yet been extended to include timed systems. 
Clock reductions 
The state explosion problem in timed systems is compounded by the need to 
take account of clock values [AD94]. The most significant attack on this aspect 
of the problem is the work of Daws and Yovine [DY96] which shows two methods 
for reducing the number of clocks needed in a TA: 
• Clock activity reduction relies on identifying for each TA location those 
clocks which do not affect the behaviour of the TA before they are reset. 
Such clocks are said to be inactive; the other clocks are said to be active. It 
is only necessary to record the values of the active clocks in each location, 
so reducing the memory requirements for a set of timed states. 
• Clock equality reduction is achieved by identifying those clocks whose val-
ues are equal in all locations. Such a set of equal-valued clocks can be 
replaced by a single clock. 
Another technique, with a similar purpose, has been introduced in [LLPY97]. 
The aim here is to replace a DBM M with a minimal set of clock constraints 
whose solution set is the same as M's. An algorithm is given which computes 
a minimal set of constraints for any DBM. Memory requirements are reduced 
by storing this minimal set rather than the full DBM. 
2.7.8 Tools 
There is now a large number of well-developed computer programs which im-
plement automatic verification of finite state systems (see [CK96] for a survey). 
Here we concentrate exclusively on those tools which have been shown to be 
effective in the analysis of dense real-time systems, and which implement the 
techniques mentioned earlier in this section. 
COSPAN has been developed at AT&T and applied to a number of industrial-
scale examples, being the basis of the commercial tool FormalCheck. It is 
based on the theory of ω-automata [Kur94] and allows both enumerative 
and BDD-based search [TBK95] and homomorphic reductions [TAKB96]. 
Real-time verification can be performed using either the region graph 
or the simulation graph [AK95] and timing constraints can be checked 
incrementally [AIKY95]. 
HYTECH is a symbolic model checker for linear hybrid automata [HHWT97], which may be seen as generalising TA by allowing the use of continuous variables to model other aspects of system state than time, e.g., temperature or pressure. A system is described as a set of coordinating linear hybrid automata and a symbolic fixpoint computation is used to check the validity of a specification given as an expression in a branching real-time logic which extends TCTL [ACH+95]. The tool has been used to verify a number of small examples [AHP96], including the Philips audio transmission protocol [HWT95]. A key feature of HYTECH is its ability to perform parametric analysis, i.e., to determine the values of design parameters for which a linear hybrid automaton satisfies a temporal logic requirement.
KRONOS was developed originally by Sergio Yovine to implement the model-checking of TA with respect to TCTL specifications using the symbolic method proposed in [HNSY94]. It has since been extended with procedures for: on-the-fly checking of TBA emptiness [BTY97], generation of minimal models by time-abstracting bisimulation [TY96], automatic reduction of the number of clock variables [Daw98b, DY96], inclusion and convex hull abstraction [DT98], and symbolic state space representation using BDDs [BMPY97]. The PhD dissertations of Tripakis [Tri98] and Daws [Daw98a] give detailed descriptions of the most recent technical advances which are implemented in the current version of the tool. The
effectiveness of KRONOS has been demonstrated through its application to several case studies, including: the Philips audio transmission protocol [DY95], the CNET protocol [TY98] and the STARI chip [BMPY97].
UPPAAL allows the checking of networks of TA based on reachability analysis of the simulation graph as described earlier. The underlying principles of this approach were described in [YPD94]. The property specification language allows the expression of safety properties, including bounded response, and also simple liveness properties of the form $\exists\Diamond p$ and $\forall\Box p$, where $p$ is a 'locally' checkable state property. The tool also reports all deadlocked states (i.e., states where no discrete transition will be possible in the future) encountered during a verification. Since its first release in 1995 [BLL+95], UPPAAL has been improved by the introduction of a more efficient representation of clock constraints, a new termination algorithm which requires the storage of fewer visited states [LLPY97], and an improved hash table implementation of the set of visited states [BLL+98]. An important feature of UPPAAL, from the point of view of usability, is a graphical interface which integrates the various features of the tool, such as system description, property specification, simulation and verification. UPPAAL is now sufficiently mature to have been used in a number of industrial case studies, including the analysis of communication protocols such as the Bang & Olufsen audio/video protocol [HSLL97], the Bounded Retransmission protocol [DKRT97], the Dacapo startup protocol [LP97] and a lip synchronisation algorithm for the transmission of multimedia data [BFK+98]. It has also been used in a collaborative project with the automotive industry to assist in the design of a gear controller [LPY98].
Other interesting approaches for which tools exist, although perhaps less well-developed and case-tested than those mentioned above, include: VERITI [Won95] which implements Wong-Toi's method based on successive over- and under-approximation; RT-SPIN [TC96] which extends ProMela, the language of the model-checker SPIN [Hol96], with simple time guards and performs constraint-based reachability analysis on the derived TA; SGM [HW98] which provides an environment in which it is possible to experiment with different combinations of several state graph manipulators [WH98b, WH98a] in order to reduce the size of the state space; PMC [LSTA98] which implements the partition refinement algorithm of Lutje-Spelberg et al.; and CMC [LL98] which implements an improved version of the compositional approach to model checking which was first introduced in [LL95].
2.8 Conclusions 
This chapter has reviewed an approach to the formal modelling and analysis of real-time systems. Systems are modelled as labelled timed transition systems over a dense time domain. We have considered the expression of such models using timed process algebra and timed automata. Specifications are given either as expressions in a timed temporal logic such as TCTL, or as specification automata. Analysis techniques are based upon exhaustive state space search, where the major difficulty is the state explosion problem. We have discussed in detail approaches to this problem in which sets of clock valuations are represented as linear constraints, implemented efficiently using DBMs. These languages and methods are the foundation for the work presented in the rest of the dissertation.
This review has necessarily omitted consideration of many other approaches to the modelling and analysis of timed systems, which have appeared in the literature in recent years. We take a small step to fill this gap by briefly mentioning some of them now.
There is a large Petri net community which has established many theoretical results and practical techniques for modelling and analysis. In this context, a variety of timed Petri nets have been suggested for use with timed systems [BD91, Rok93, Sif77].
Graphical modelling languages are of interest since many designers find a visual syntax 'intuitively' clear. Hierarchical structures are needed in order to manage the size of the diagrams for all but the simplest systems. Statecharts [Har87] allow such a hierarchical representation of untimed state transition models. Modecharts [JLM88, JM87, YMW93] extend this approach with explicit timing constraints; another timed Statechart extension, which can be used for modelling hybrid systems also, is given in [KP92].
Lynch and Vaandrager have introduced timed I/O automata, which offer a similar model of timed systems to the timed automata discussed in this chapter; rather than verification via model-checking, they propose refinement and simulation proof techniques [LV95].
Cardell-Oliver [CO92] proposes the use of higher order logic both to model the behaviour of a system and its environment, and also to specify requirements. The task of proving that the combined system and environment satisfy the requirements is supported by the use of a mechanical theorem prover. Hooman [Hoo91, Hoo96] offers a related assertional style of modelling and specification using extended Hoare triples [Hoa69]. Duration Calculus [CHR91, Liu96] is yet another approach in which modelling and verification is conducted within a single logical framework.
Validation of real-time systems by means of formally constructed test suites 
is considered in [COG98, SVD97]. 
3. bCANDLE: A LOW LEVEL MODELLING LANGUAGE
3.1 Introduction 
This chapter introduces a new modelling language called bCANDLE. The purpose of bCANDLE is to serve as a language for modelling embedded, real-time systems which are organised as a collection of distributed processes communicating via a broadcast network. The broadcast communication primitive adopted by bCANDLE is an abstraction of the CAN protocol [ISO92] and bCANDLE has been designed specifically with this protocol in mind. It should be possible to adapt the approach described here to the modelling of other styles of broadcast communication but this idea is not pursued in this thesis.
bCANDLE is a system modelling language, i.e., it is a language intended to allow the expression of models of real-time systems. It is not a programming language nor is it a language for specification. It is assumed that programs are developed using a programming language with a range of real-time and communication constructs to simplify the task, and that system requirements are specified more abstractly using some sort of temporal logic language. bCANDLE is a low-level language in the sense that it contains a minimal set of constructs for capturing the behaviour of realistic systems. Here minimal is not used with some precise meaning, but is intended to imply that it is difficult to see how any of the features of the language could be omitted without adding significantly to the task of the user in constructing models. However, it is possible to imagine higher-level languages which would further ease the task of the model-builder. Such a high-level language is discussed in Chapter 6.
The rest of this chapter is organised as follows: in §3.2 an informal introduction is given to the class of systems to be modelled; the main components of a bCANDLE model, namely the data environment, the network model and the process behaviour model are introduced in §3.3, §3.4 and §3.5, respectively; the formal semantics is presented in §3.6 and a simple example of a system model is shown in §3.7. The chapter concludes with a brief discussion of related work in §3.8.
3.2 Informal system model 
We address a class of control systems (Figure 3.1) which can be identified by a 
number of properties: 
3. bCANDLE: A low level modelling language 60 
Fig. 3.1: Control system model
• Control is distributed over a set of processes which are statically allocated to computing nodes.
• A computing node consists of at least a central processing unit, which has access to some local memory, one or more communication controllers and a programmable timer.
• Several processes may be allocated to a single computing node and share its processing unit using some fixed scheduling policy. The approach taken in this work to the construction of timed models of control systems requires the choice of scheduling policy to be restricted to one which allows static calculation of computation response times: e.g. round-robin or cyclic executive. This allows the effects of scheduling to be accounted for when the model is constructed, without requiring the model to represent the scheduler explicitly. Future work will address how this constraint may be relaxed.
• Processes communicate by using one or more communication channels to send and receive broadcast messages. Each channel implements an abstraction of the CAN protocol as discussed below.
• Even processes which share a processor communicate by broadcasting messages, rather than by unconstrained access to shared memory, i.e., all processes communicate using (logically) a single mechanism, whether they share a computing node or not. This requirement simplifies the model and can be satisfied with acceptable efficiency in practice. For example a CAN-style channel can be implemented using shared memory techniques such as condition variables [ISO96] or the mutable variables of Concurrent Haskell [PJF96]. The latency of such a (pseudo-) channel is clearly different from that of a 'real' CAN channel but can be modelled using the same techniques.
• There is no interference between communication on different channels, i.e. the transmission of a message on some channel a has no effect on any other channel b, unless a and b are the same channel. This requirement can be satisfied simply by requiring that every node has a dedicated communication controller for each channel which it uses.
• Each computing node may have access to a number of sensors and actuators which form part of the interface to the controlled system. In the case of multi-tasking, it is assumed that each sensor and actuator is accessed exclusively by a single process.
In constructing a formal model of a system of the sort described above, it is essential to abstract from some of the details, in order to ensure that an analysis of the model is tractable. With this in mind, the following features of an abstract model are identified:
• The data model is an abstraction of the set of local memories of the computing nodes. We adopt a single global mapping from data variables to data values and assume that locality is ensured by the syntax of a high-level modelling language.
• The communication model abstracts entirely from communication controllers and represents the communication channels only. It is assumed that communication channels operate without errors or failures. Also, the details of bit-level data transmission are abstracted by adopting the assumption that messages are transmitted atomically.
• The process model represents the dynamic behaviour of processes, while abstracting from the allocation of processes to computing nodes, and from the scheduling policies adopted by multi-tasking nodes. We assume that an a priori analysis accounts for these factors in determining bounds on the completion times of computations. This assumption restricts the systems which can be modelled to those with simple cyclic scheduling policies, but seems essential for tractable analysis.
We present the formal description of each of these aspects of the system models in the following sections.
3.3 The Data Model 
Many approaches to the description of concurrent and real-time systems have adopted the point of view that the data environment in which a system acts can be either completely disregarded, or else encoded in the system's behaviour in some way [Mil89, Dav93]. This assumption can simplify the semantic model and its analysis. However, for many systems, the effects of data-dependent behaviour cannot be ignored or abstracted from entirely, and the need to develop an artificial encoding can be tiresome. Therefore we have chosen to include an explicit model of (at least part of) the data environment in our system models, and to employ appropriate abstractions in their analysis when it becomes clearer which properties of the data environment are relevant to the system properties of interest. A similar approach has been adopted in AORTA [BHKR01].
Unlike the LOTOS family of languages [ISO88b, ISO98, Sig98], for example, which give a very detailed description of a particular data sub-language, bCANDLE specifies only a minimal set of requirements which a data language must satisfy. In principle, this allows the system modeller to derive models from a variety of different data languages, so long as they are well-defined with respect to the properties described below. For example, a high-level language such as B [Abr96], a programming language such as Spark Ada [Bar96] or a simple guarded command language, as introduced in Chapter 6, can be used as the data language for bCANDLE. Although some effort is required to establish the necessary semantic relations, it is rewarded by the flexibility in the choice of language and the simplification in the presentation of bCANDLE.
3.3.1 Formal Definition 
There are three kinds of syntactic object relating to data which can occur in a bCANDLE description: data variables, operation names and predicate names (or guards). The necessary formal definitions are introduced below.
Let $Var$ be a finite set of data variables. Each variable $x \in Var$ takes its value from some non-empty, finite set of values $type(x) \subseteq V$, where $V$ is the set of data values. We assume that $V$ contains at least the distinguished value $\bot$, where $\bot \notin \bigcup_{x \in Var} type(x)$, which is taken to be the "undefined" data value. In modelling the behaviour of a system, the current valuation of the data variables is given by a total function from variables to values. The set of valuations is defined by:
$$Valuation \triangleq Var \to V$$
where for any $val \in Valuation$ and $x \in Var$, either $val(x) \in type(x)$ or $val(x) = \bot$.
Data operations are modelled as relations on valuations. This allows the use of non-deterministic operation specifications, which are often useful in the construction of abstract system models. Let $\Omega$ be a finite set of operation names. Each operation name $\omega \in \Omega$ is interpreted by a total relation on valuations. The set of operations is defined by:
$$Operation \triangleq Valuation \leftrightarrow Valuation$$
where it is required that for every operation $o$ and for every valuation $val$, there is at least one valuation to which $val$ is related by $o$, i.e.
$$\forall o \in Operation \,.\, dom(o) = Valuation.$$
Predicates on data are modelled simply as the sets of valuations which satisfy them. Let $\Gamma$ be a finite set of predicate names. Each predicate name $\gamma \in \Gamma$ is interpreted by the set of valuations which satisfy it. The set of predicates is defined:
$$Predicate \triangleq 2^{Valuation}$$
In defining a data environment $D$ with respect to given sets of data variables $Var$, operation names $\Omega$ and predicate names $\Gamma$, we say that $D$ is a data environment over $Var$, $\Omega$ and $\Gamma$, and denote the set of such environments by $DataEnv_{Var,\Omega,\Gamma}$. We can now formally define our notion of a data environment.
Definition 3.1 (Data Environment) Let $Var$ be a finite set of variable names, $\Omega$ a finite set of operation names and $\Gamma$ a finite set of predicate names. Let $V$ be the set of data values. A data environment $D$ over $Var$, $\Omega$ and $\Gamma$ is a tuple
$$D = (type, operation, predicate, val)$$
where $(type, operation, predicate, val) \in DataEnv_{Var,\Omega,\Gamma}$ iff
• $type : Var \to 2^V$ is a total function, giving for each variable $x \in Var$, a non-empty, finite set of data values $type(x)$ ranged over by $x$;
• $operation : \Omega \to Operation$ is a total function, giving for each operation name $\omega \in \Omega$, an operation $operation(\omega)$ which interprets it;
• $predicate : \Gamma \to Predicate$ is a total function, giving for each predicate name $\gamma \in \Gamma$, a predicate $predicate(\gamma)$ which interprets it;
• $val : Var \to V$ is a total function which, for each variable $x \in Var$, gives the current valuation of $x$, where $val(x) \in type(x)$ or $val(x) = \bot$. □
We assume that for a given bCANDLE description, the interpretations of the variable, operation and predicate names are fixed but that the current valuation may change as the system evolves.
Notation. It is convenient to establish some notational conventions. Let $D = (type, operation, predicate, val)$ be a data environment. Let $x, y \in Var$ be data variables, and $v \in V$ a data value.
• $D.type$, $D.operation$, $D.predicate$ and $D.val$ denote $type$, $operation$, $predicate$ and $val$, respectively.
• $D.x$ denotes the value $val(x)$.
• $D[x := v]$ denotes the data environment $D' = (type, operation, predicate, val')$ where $val'(x) = v$ and $val'(y) = val(y)$ for all $y \not\equiv x$ ($\equiv$ denotes syntactic identity and $\not\equiv$ its negation).
• $D \stackrel{\omega}{\leadsto}_d D'$ abbreviates the condition
$$(val, val') \in operation(\omega) \wedge D' = (type, operation, predicate, val')$$
We reserve the operation name $ID$ and require that it is interpreted in any data environment by the operation $operation(ID)$, where
$$operation(ID) \triangleq \{(val, val) \mid val \in Valuation\}$$
i.e., $operation(ID)$ is the identity relation on valuations.
• $D \models \gamma$ abbreviates the condition $val \in predicate(\gamma)$. We write $D \not\models \gamma$ for $val \notin predicate(\gamma)$. We reserve the predicate names $true$ and $false$ and require that $\forall D \,.\, D \models true \wedge D \not\models false$, i.e., $true$ and $false$ are interpreted in every data environment by $predicate(true)$ and $predicate(false)$, as follows:
$$predicate(true) = Valuation$$
$$predicate(false) = \emptyset$$
Let $D_i = (type_i, operation_i, predicate_i, val_i)$ for $i \in \{1, 2\}$ be two data environments. $D_1$ and $D_2$ are said to be compatible iff $type_1 = type_2$, $operation_1 = operation_2$ and $predicate_1 = predicate_2$. If $D_1$ and $D_2$ are compatible data environments, and additionally $val_1 = val_2$, then $D_1$ and $D_2$ are said to be equal, denoted $D_1 = D_2$. Here it is assumed that all component equalities are defined extensionally in the usual way.
3.4 The Network Model 
A network model is an abstraction of a CAN network. It consists of one or more 
broadcast channels, each implementing an abstraction of the CAN protocol, as 
follows: 
• Each channel operates fault-free, i.e. without the need for error or overload frames.
• A transmitting node only attempts to transmit its highest priority message. (This requirement may seem obvious but in fact needs some effort to satisfy when using some CAN controllers.)
• A node which has messages to transmit attempts to transmit its highest priority message as soon as the channel is free. This implies that each communication controller does not release the channel between transmissions, i.e. it enters a message for arbitration in every arbitration phase if it has a message to transmit. This is important in ensuring that lower priority messages cannot delay the transmission of pending messages of higher priority by beginning transmission during a "gap" between message transmissions.
• It is guaranteed that a message is "simultaneously" accepted either by all nodes which are configured to accept it, or by none of them. There is no possibility of a "partially successful" transmission.
• We assume that we can determine the point during the transmission of a message when a controller begins its acceptance test for the message. In normal operation, a controller which becomes configured to accept messages at any time before it begins its acceptance test, will accept all messages which pass the test thereafter.
In the rest of this section, the structure of channels and networks is considered first; this is followed by a consideration of network behaviour.
3.4.1 Structure 
A network is a collection of broadcast channels, each of which is capable of 
transmitting messages from a single sending node to one or more receiving 
nodes. Messages comprise a message identifier and a data value. The identifier 
serves both to identify the type of data contained in the message and also to give 
a priority to the message for use in the arbitration of transmission collisions. 
The remainder of this section expands and formalises these ideas. 
Messages 
The following example will be used throughout this section to illustrate the 
ideas which are introduced. 
Example 3.1 Consider a simple system for monitoring the temperature of a liquid in a chemical tank and the state of a heater which is used to regulate the temperature. The monitoring system receives messages broadcast by a pair of intelligent sensors, one giving the temperature of the liquid and one giving the state of the heater. Let $I = \{HEATER, TEMPERATURE\}$ be the set of message identifiers and $V = \{ON, OFF\} \cup \{-275 .. 275\}$ be the set of data values. A message consisting of message identifier $i$ and data value $v$ is denoted $i.v$. Some possible messages are HEATER.ON and TEMPERATURE.127. The set of all possible messages is given by $I \times V$. Notice, however, that some combinations of message identifier and data value are not sensible, e.g., HEATER.75 and TEMPERATURE.OFF. □
Example 3.1 suggests that it is helpful to identify the messages which a channel is allowed to transmit and leads us to the following definitions.
Definition 3.2 (Messages) Let $I$ be a finite set of message identifiers. Let $V$ be the set of data values. A set of messages over $I$ is any finite subset $M \subseteq I \times V$. □
Notation. A message $(i, v) \in M$ is written $i.v$.
Message Priority 
Referring again to Example 3.1, it is clear that a mechanism is needed to resolve the conflict which arises if the temperature and heater sensors try to transmit their messages simultaneously on the same channel. Such a conflict is resolved, as in the CAN protocol, by assigning a priority ordering to the set of message identifiers associated with the channel. Let HEATER $\prec$ TEMPERATURE denote that HEATER is a higher priority identifier than TEMPERATURE. Then, for example, if transmission of the messages HEATER.ON and TEMPERATURE.127 is initiated simultaneously, the transmission of the higher priority message HEATER.ON will succeed, and the message TEMPERATURE.127 will compete again for the channel when it next becomes idle.
Definition 3.3 (Priority Ordering) Let $I$ be a set of message identifiers and $V$ a set of data values. Let $M \subseteq I \times V$ be a set of messages. A priority ordering is a strict total ordering $\prec : I \leftrightarrow I$ on the message identifiers. The reflexive ordering $\preceq$ is defined as usual: for all $i, i' \in I$,
$$i \preceq i' \Leftrightarrow i \prec i' \vee i = i'.$$
A priority ordering on identifiers induces a partial ordering on the message set $M$. The derived ordering $\prec : M \leftrightarrow M$ satisfies for all $m, m' \in M$,
$$m \prec m' \Leftrightarrow i \prec i'$$
and the reflexive ordering $\preceq : M \leftrightarrow M$ satisfies
$$m \preceq m' \Leftrightarrow i \preceq i'$$
where $m = i.v$ and $m' = i'.v'$, in each case. These orderings on messages are also referred to as priority orderings, and the overloading is resolved by context. □
Message Transmission 
Before transmission of a message can begin, it is required that no other message is already being transmitted on the communication channel; in this case, the channel is said to be free. At some time following the commencement of message transmission, all nodes which are listening to the channel perform a test to determine whether or not the message should be accepted. This decision depends on the identifier of the transmitted message. If the message identifier matches a message identifier in the acceptance set of a node, then the node accepts the message and the message data is made available to processes residing on it, otherwise the node ignores the message. It is assumed that all nodes perform the acceptance test instantaneously at the same time. At some time after the acceptance test, the channel becomes free again and is available to transmit another message.
Three phases can be clearly identified in the transmission of a message. 
The acceptance phase is the point during the transmission of a message when 
listening nodes perform their acceptance test. The pre-acceptance phase extends 
from the start of transmission to the point of acceptance. The post-acceptance 
phase extends from the acceptance point to the instant at which the channel 
next becomes free. 
The transmission latency of a message is the time which passes during 
the pre-acceptance and post-acceptance phases of message transmission. It is 
assumed that upper and lower bounds can be determined for the pre-acceptance 
and post-acceptance latency of all messages. 
                    HEATER._ (μs)    TEMPERATURE._ (μs)
  $\delta_{lb}$          43                 55
  $\delta_{ub}$          53                 65
  $\delta_{lB}$          10                 10
  $\delta_{uB}$          12                 12
Tab. 3.1: Example of Transmission Latency Functions
Definition 3.4 (Transmission Latency) Let $M$ be a set of messages. A transmission latency function for $M$ is a function $\delta : M \to \mathbb{R}^\infty \times \mathbb{R}^\infty \times \mathbb{R}^\infty \times \mathbb{R}^\infty$, where $\delta(m) = (l, u, l', u')$ implies that $l \leq u$, $l' \leq u'$ and that the lower and upper bounds on the pre- (resp. post-) acceptance phase of the transmission of $m$ are given by $l$ and $u$ (resp. $l'$ and $u'$).
The derived functions $\delta_{lb}, \delta_{ub}, \delta_{lB}, \delta_{uB} : M \to \mathbb{R}^\infty$ satisfy
$$\forall m \in M \,.\, \delta_{lb}(m) = l \wedge \delta_{ub}(m) = u \wedge \delta_{lB}(m) = l' \wedge \delta_{uB}(m) = u' \Leftrightarrow \delta(m) = (l, u, l', u')$$
□
Notation. The notation $lb$ (resp. $ub$, $lB$, $uB$) is used as an abbreviation for $\delta_{lb}(m)$ (resp. $\delta_{ub}(m)$, $\delta_{lB}(m)$, $\delta_{uB}(m)$) when $m$ is clear from the context.
Example 3.2 Refer again to Example 3.1. Let the transmission latency function be defined as in Table 3.1, where HEATER._ stands for the messages HEATER.ON and HEATER.OFF and TEMPERATURE._ stands for any message TEMPERATURE.v with $v \in \{-275 .. 275\}$¹. Some example interpretations are: the lower bound on the time taken to complete the pre-acceptance phase of transmission of the message HEATER.OFF is 43 μs; the upper bound on the time taken to complete the pre-acceptance phase of the transmission of the message TEMPERATURE.127 is 65 μs; and the lower (resp. upper) bound on the time taken to complete the post-acceptance phase of any message is 10 μs (resp. 12 μs). □
The transmission status of a channel identifies whether the channel is free 
or is transmitting a message and, if transmitting a message, whether it is in the 
pre-acceptance, acceptance or post-acceptance phase. If a channel is in its pre-
acceptance or post-acceptance phase, the bounds on the time to completion of 
the phase are deemed to be part of its transmission status, since they determine 
the time at which the channel may next influence the behaviour of a system. 
As time passes, the bounds on the time to completion of a phase are reduced 
equally until the lower bound becomes 0, after which the upper bound may 
approach the lower bound until it too becomes O. 
¹ Notice that here and throughout, we make use of _ to denote an arbitrary value taken from whatever set of values is appropriate in its context.
Notation                            ASCII         Transmission Status
$\downarrow$                        \/            FREE
$\stackrel{t_1,t_2}{\leadsto} m$    --t1,t2->m    $(PRE, m, t_1, t_2)$, pre-acceptance phase of transmission of message $m$ with bounds $t_1, t_2$ on time to completion, $0 \leq t_1 \leq lb$, $0 \leq t_2 \leq ub$
$\uparrow m$                        /\m           $(ACCEPT, m)$, acceptance point in transmission of $m$
$m \stackrel{t_1,t_2}{\leadsto}$    m--t1,t2->    $(POST, m, t_1, t_2)$, post-acceptance phase of transmission of message $m$ with bounds $t_1, t_2$ on time to completion, $0 \leq t_1 \leq lB$, $0 \leq t_2 \leq uB$
Fig. 3.2: Transmission Status Notation ($m \in M$ and $t_1, t_2 \in \mathbb{R}^\infty$)
Definition 3.5 (Transmission Status) Let $M$ be a set of messages and $\delta : M \to \mathbb{R}^\infty \times \mathbb{R}^\infty \times \mathbb{R}^\infty \times \mathbb{R}^\infty$ a transmission latency function for $M$. Let $\{FREE, PRE, ACCEPT, POST\}$ be a set of distinct constant symbols. The set $Status_{M,\delta}$ is defined:
$$Status_{M,\delta} \triangleq \{FREE\} \cup PreAcceptance_{M,\delta} \cup (\{ACCEPT\} \times M) \cup PostAcceptance_{M,\delta}$$
where, for a message $m \in M$, a lower bound $t_1 \in \mathbb{R}^\infty$ and an upper bound $t_2 \in \mathbb{R}^\infty$:
1. $(PRE, m, t_1, t_2) \in PreAcceptance_{M,\delta}$ iff $t_1 \leq \delta_{lb}(m)$, $t_2 \leq \delta_{ub}(m)$, and $t_2 - t_1 = \delta_{ub}(m) - \delta_{lb}(m)$ if $t_1 > 0$, otherwise $t_2 - t_1 \leq \delta_{ub}(m) - \delta_{lb}(m)$;
2. $(POST, m, t_1, t_2) \in PostAcceptance_{M,\delta}$ iff $t_1 \leq \delta_{lB}(m)$, $t_2 \leq \delta_{uB}(m)$, and $t_2 - t_1 = \delta_{uB}(m) - \delta_{lB}(m)$ if $t_1 > 0$, otherwise $t_2 - t_1 \leq \delta_{uB}(m) - \delta_{lB}(m)$. □
Notation. In the rest of the dissertation, the notation shown in Figure 3.2 is 
often used as a shorter and more suggestive notation for transmission status. 
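As an added example (not code from the thesis), the following Python models the transmission status of Definition 3.5 together with the rule stated above that the bounds on the time to completion of a phase shrink equally until the lower bound reaches 0, after which only the upper bound shrinks. The latency figures are the constructed values of Table 3.1 (microseconds); treating the acceptance point as instantaneous, so that no time may pass there, is an assumption of this example.

```python
"""Transmission status of a bCANDLE channel with time passing (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# delta(m) = (lb, ub, lB, uB): bounds on the pre- and post-acceptance phases.
# Constructed from Table 3.1; HEATER covers HEATER.ON and HEATER.OFF.
LATENCY = {
    "HEATER": (43, 53, 10, 12),
    "TEMPERATURE": (55, 65, 10, 12),
}

FREE, PRE, ACCEPT, POST = "FREE", "PRE", "ACCEPT", "POST"


@dataclass(frozen=True)
class Status:
    phase: str
    msg: Optional[str] = None   # message identifier; None when FREE
    t1: int = 0                 # lower bound on time to completion of the phase
    t2: int = 0                 # upper bound on time to completion of the phase

    def phase_bounds(self) -> Tuple[int, int]:
        """Original (lower, upper) latency bounds of the current timed phase."""
        lb, ub, lB, uB = LATENCY[self.msg]
        return (lb, ub) if self.phase == PRE else (lB, uB)

    def is_valid(self) -> bool:
        """Membership test of Definition 3.5 for PRE and POST statuses."""
        if self.phase in (FREE, ACCEPT):
            return True
        lb, ub = self.phase_bounds()
        if not (0 <= self.t1 <= lb and 0 <= self.t2 <= ub):
            return False
        if self.t1 > 0:
            # before the lower bound is reached, both bounds shrink equally
            return self.t2 - self.t1 == ub - lb
        # once t1 = 0 only the upper bound keeps shrinking
        return self.t2 - self.t1 <= ub - lb


def start_transmission(ident: str) -> Status:
    """Channel leaves FREE and enters the pre-acceptance phase of ident."""
    lb, ub, _, _ = LATENCY[ident]
    return Status(PRE, ident, lb, ub)


def elapse(s: Status, d: int) -> Status:
    """Let d time units pass; the phase must complete no later than t2."""
    if s.phase == FREE:
        return s                       # nothing timed happens on a free channel
    if s.phase == ACCEPT:
        raise ValueError("acceptance is instantaneous (assumption)")
    if d > s.t2:
        raise ValueError("phase must have completed by then")
    return Status(s.phase, s.msg, max(0, s.t1 - d), s.t2 - d)


def complete_phase(s: Status) -> Status:
    """Advance PRE -> ACCEPT -> POST -> FREE; a timed phase may only finish
    once its lower bound has reached 0."""
    if s.phase == PRE:
        if s.t1 > 0:
            raise ValueError("pre-acceptance phase cannot finish yet")
        return Status(ACCEPT, s.msg)
    if s.phase == ACCEPT:
        _, _, lB, uB = LATENCY[s.msg]
        return Status(POST, s.msg, lB, uB)
    if s.phase == POST:
        if s.t1 > 0:
            raise ValueError("post-acceptance phase cannot finish yet")
        return Status(FREE)
    raise ValueError("channel is already free")
```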
Message Queues 
If it is attempted to transmit a message on a channel which is not free, the message must be stored and offered for transmission again some time after the current transmission has finished. Since messages succeed in their transmission attempts according to their priority, the storing of messages is modelled naturally as a priority ordered queue. If an attempt is made to transmit a message $m$, whose identifier is the same as that of another message $m'$ which is already in the message queue, then $m$ replaces $m'$ in the queue and $m'$ is lost forever, i.e. $m'$ is 'overwritten' by $m$. This represents the behaviour of most implementations of the CAN protocol.
Definition 3.6 (Message Queue) Let $I$ be a finite set of message identifiers and $V$ a set of data values. Let $M \subseteq I \times V$ be a set of messages and $\prec$ a priority ordering for $M$. $Queue_{M,\prec}$ is defined to be the set of all sequences over the message set $M$ which satisfy the following two invariant properties:
$$\forall \sigma \in Queue_{M,\prec};\ j, j' \in dom\,\sigma \,.\, j < j' \Rightarrow \sigma(j) \preceq \sigma(j') \qquad (3.1)$$
$$\forall \sigma \in Queue_{M,\prec};\ i \in I \,.\, \#\{j \mid j \in dom\,\sigma \wedge \sigma(j) = i.\_\} \leq 1 \qquad (3.2)$$
i.e. all message queues preserve the priority ordering of messages and contain at most one message with a given message identifier. □
A corollary of property 3.2 is that all message queues are of finite length.
Proposition 3.1 Let $I$ be a finite set of message identifiers and $V$ a set of data values. Let $M \subseteq I \times V$ be a set of messages and $\prec$ a priority ordering for $M$. For all $\sigma \in Queue_{M,\prec}$, $\sigma$ is of finite length.
Proof Immediate from property 3.2 of Definition 3.6 and the fact that $I$ is finite. □
Notation. An empty queue is denoted $\langle\rangle$. A queue with highest priority message $m$ and remaining messages $\sigma$ is written $m{:}\sigma$.
The queueing of a message is modelled by the following operation. 
Definition 3.7 (Message Queue Insertion) Let $I$ be a set of message identifiers and $V$ a set of data values. Let $M \subseteq I \times V$ be a set of messages and $\prec$ a priority ordering for $M$. The insertion operator $\oplus : Queue_{M,\prec} \times M \to Queue_{M,\prec}$ is defined:

$u \oplus i.v = \langle i.v \rangle$, if $u = \langle\rangle$
$u \oplus i.v = i.v : u'$, if $u = i.\_ : u'$
$u \oplus i.v = i.v : m : u'$, if $u = m : u' \wedge i.v \prec m$
$u \oplus i.v = m : (u' \oplus i.v)$, if $u = m : u' \wedge m \prec i.v$

It is easy to show that $\oplus$ preserves the message queue invariants. □
Proposition 3.2 Let $M$ be a set of messages and $\prec$ a priority ordering for $M$. For all $u \in Queue_{M,\prec}$ and all $m \in M$, $u \oplus m$ satisfies properties 3.1 and 3.2 of Definition 3.6.
Proof Induction on the length of $u$. □
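The insertion operator of Definition 3.7, with the two invariants of Definition 3.6 checked after every insertion, rendered in Python as an added example (this is not code from the dissertation). The message identifiers and the order $temperature \prec pressure$ are borrowed from Example 3.3 later in this chapter. The example assumes that $\prec$ is a strict total order on identifiers, which is what CAN arbitration provides and what makes the four clauses of the definition exhaustive; the `enqueue_trace` wrapper, which records the messages that were overwritten, is an addition of this example, because the 'lost forever' clause is the behaviour a reviewer of a CAN model most wants made visible.

```python
"""Priority-ordered message queue with overwrite, after Definitions 3.6 and 3.7.
Added example; message identifiers and their order are taken from Example 3.3."""
from typing import Callable, List, Tuple

Message = Tuple[str, int]                      # (identifier, value), written i.v in the text
Prec = Callable[[Message, Message], bool]      # prec(m1, m2): m1 wins arbitration over m2


def make_priority(order: List[str]) -> Prec:
    """Strict total order on identifiers: an identifier earlier in `order` has higher priority."""
    rank = {ident: n for n, ident in enumerate(order)}

    def prec(a: Message, b: Message) -> bool:
        return rank[a[0]] < rank[b[0]]
    return prec


def insert(u: List[Message], m: Message, prec: Prec) -> List[Message]:
    """u (+) m, one clause per case of Definition 3.7. Returns a new list; u is not modified."""
    if not u:                                  # u = <>
        return [m]
    head, rest = u[0], u[1:]
    if head[0] == m[0]:                        # u = i._ : u'  -> overwrite; the old value is lost
        return [m] + rest
    if prec(m, head):                          # u = m' : u' and m before m'  -> m goes to the front
        return [m] + u
    return [head] + insert(rest, m, prec)      # u = m' : u' and m' before m  -> keep head, recurse


def satisfies_invariants(u: List[Message], prec: Prec) -> bool:
    """Property 3.1 (priority ordered) and property 3.2 (at most one message per identifier)."""
    ordered = all(prec(u[j], u[j2]) for j in range(len(u)) for j2 in range(j + 1, len(u)))
    unique = len({ident for ident, _ in u}) == len(u)
    return ordered and unique


def enqueue_trace(msgs: List[Message], prec: Prec) -> Tuple[List[Message], List[Message]]:
    """Queue msgs in arrival order; return the final queue and every message overwritten on the way.
    The lost-message list is an addition of this example, not part of the definitions."""
    u: List[Message] = []
    lost: List[Message] = []
    for m in msgs:
        lost += [old for old in u if old[0] == m[0]]
        u = insert(u, m, prec)
        assert satisfies_invariants(u, prec), f"invariant violated after inserting {m}: {u}"
    return u, lost


if __name__ == "__main__":
    order = make_priority(["temperature", "pressure"])   # temperature before pressure, as in Example 3.3
    queue, lost = enqueue_trace([("pressure", 0), ("temperature", 1), ("pressure", 2)], order)
    print("queue:", queue)      # [('temperature', 1), ('pressure', 2)]
    print("lost: ", lost)       # [('pressure', 0)]  -- pressure.0 was never transmitted
```

The third insertion exercises the fourth clause followed by the second: pressure.2 is carried past the higher-priority temperature.1 and then replaces pressure.0, which leaves the queue without any trace of the superseded reading.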
Channels 
All of the prerequisites for the definition of communication channels have now 
been introduced. 
Definition 3.8 (Channel) Let $I$ be a set of message identifiers. Let $V$ be the set of data values. A channel over $I$ is a tuple $(M, \prec, \delta, s, u)$. The set of channels over $I$ is denoted $Channel_I$, and $(M, \prec, \delta, s, u) \in Channel_I$ iff
• $M \subseteq I \times V$ is a set of messages,
• $\prec : I \leftrightarrow I$ is a priority ordering,
• $\delta : M \to \mathbb{R} \times \mathbb{R} \times \mathbb{R} \times \mathbb{R}$ is a transmission latency function,
• $s \in Status_{M,\delta}$ is a transmission status,
• $u \in Queue_{M,\prec}$ is a message queue. □
Let $(M, \prec, \delta, s, u)$ be a channel. It is assumed that $M$, $\prec$ and $\delta$ are static, i.e., defined at system initialisation and unchanging thereafter. On the other hand, $s$ and $u$ are used to model the current transmission status and message queue of a channel as a system evolves, and are therefore dynamic.
The variables $\eta, \eta', \eta_1$ etc. are used to range over channels. Let $\eta_i = (M_i, \prec_i, \delta_i, s_i, u_i)$, $i \in \{1, 2\}$, be two channels. $\eta_1$ and $\eta_2$ are said to be equal, denoted $\eta_1 = \eta_2$, iff $M_1 = M_2$, $\prec_1 = \prec_2$, $\delta_1 = \delta_2$, $s_1 = s_2$ and $u_1 = u_2$, where the component equalities are defined extensionally as usual.
Networks 
A network is a collection of channels in which each channel is associated with 
its own unique identifier. 
Definition 3.9 (Network) Let $K$ be a finite set of channel identifiers and $I$ a finite set of message identifiers. A network $N$ over $K$ and $I$ is a mapping $N : K \to Channel_I$. The set of networks over $K$ and $I$ is denoted $Network_{K,I}$, where $Network_{K,I} \triangleq K \to Channel_I$. □
Notation. Let $K$ be a set of channel identifiers and $N$ a network over $K$. Let $k \in K$ be a channel identifier. We write $N_k$ for the function application $N(k)$, i.e. $N_k$ denotes the channel associated with the identifier $k$ in the network $N$.
Network equality is defined extensionally as usual.
3.4.2 Behaviour 
Each channel in a network can act independently by making a discrete change 
in its transmission status or its message queue. Alternatively, the state of 
the whole network may be affected as time progresses. We consider first the 
modelling of discrete state changes. 
When a channel $\eta$ makes a discrete change, it gives rise to a new network state in which $\eta$ is in its new state and the state of all the other channels is the same as before. It is convenient to introduce an operator which models the effect on a network of a change of state in a single channel.
Definition 3.10 (Network Update) Let $K$ be a set of channel identifiers and $I$ a set of message identifiers. Let $N \in Network_{K,I}$ be a network. Let $\eta \in Channel_I$ be a channel. The notation $N[k := \eta]$ denotes the network $N'$ where $N'_k = \eta$ and $N'_{k'} = N_{k'}$, for all $k' \in K \setminus \{k\}$. □
Network behaviour is modelled by a relation $\rightarrow_n \subseteq Network \times (A_n \cup \mathbb{R}) \times Network$ which represents possible changes in network state. As usual, $(N, \lambda_{nt}, N') \in \rightarrow_n$ is written $N \xrightarrow{\lambda_{nt}}_n N'$ and represents a change of state from $N$ to $N'$ annotated with the label $\lambda_{nt}$, which ranges over $A_n \cup \mathbb{R}$. $A_n$ is the set of network action labels which are used to annotate discrete state changes. Elements of $\mathbb{R}$ are used to annotate state changes due to the passage of time.
Definition 3.11 (Network Action Labels) Let $V$ be the set of data values. The set $A_n$ of network action labels over $K$ and $I$ is defined by:

$A_n = \{\, k \rightsquigarrow i.v \mid k \in K \wedge i \in I \wedge v \in V \,\}$   (* pre-acceptance *)
$\quad \cup\ \{\, k \uparrow i.v \mid k \in K \wedge i \in I \wedge v \in V \,\}$   (* acceptance *)
$\quad \cup\ \{\, i.v \rightsquigarrow k \mid k \in K \wedge i \in I \wedge v \in V \,\}$   (* post-acceptance *)
$\quad \cup\ \{\, k\downarrow \mid k \in K \,\}$   (* free *)

where $K$ and $I$ are sets of channel identifiers and message identifiers, respectively. □
Notation. In describing the behaviour of a network, it is often convenient to mention only the dynamic components of each network channel. For example, the channel $(M, \prec, \delta, s, u)$ may be written $(s, u)$. The static components ($M$, $\prec$ and $\delta$) are inferred from the context.
The relation --+n is given by a set of Plotkin-style inference rules, as intro-
duced below. 
Pre-Acceptance
A channel which has a non-empty queue of pending messages, and whose transmission status is free, starts transmission of its highest priority message. The transmitted message $m$ is removed from the pending queue and the transmission status of the channel shows that it is in the pre-acceptance phase of transmission of $m$. The lower and upper bounds on the time to completion of the pre-acceptance phase are given by $\delta_{lb}(m)$ and $\delta_{ub}(m)$, respectively. This is expressed formally by the rule N.1 below:

N.1 $\dfrac{N_k = (\downarrow,\ m : u)}{N \xrightarrow{k \rightsquigarrow m}_n N[k := (\rightsquigarrow^{\delta_{lb}(m),\,\delta_{ub}(m)} m,\ u)]}$
Acceptance
When the lower bound on the time to completion of the pre-acceptance phase of the transmission of the message $m$ becomes 0, a channel can change state to the acceptance phase of the transmission of $m$. This is expressed formally by the rule N.2 below:

N.2 $\dfrac{N_k = (\rightsquigarrow^{0,t} m,\ u)}{N \xrightarrow{k \uparrow m}_n N[k := (\uparrow m,\ u)]}$
Post-Acceptance
A channel in the acceptance phase of the transmission of a message $m$ can enter the post-acceptance phase, whose bounds on time to completion are given by $\delta_{lB}(m)$ and $\delta_{uB}(m)$. This is expressed formally by the rule N.3 below:

N.3 $\dfrac{N_k = (\uparrow m,\ u)}{N \xrightarrow{m \rightsquigarrow k}_n N[k := (m \rightsquigarrow^{\delta_{lB}(m),\,\delta_{uB}(m)},\ u)]}$
Free
When the lower bound on the time to completion of the post-acceptance phase of the transmission of the message $m$ becomes 0, a channel can change its state to free. This is expressed formally by the rule N.4 below:

N.4 $\dfrac{N_k = (m \rightsquigarrow^{0,t},\ u)}{N \xrightarrow{k\downarrow}_n N[k := (\downarrow,\ u)]}$
Time Progress
In order for time progress to be possible for a network $N$, it must be possible for all channels in $N$: the rate of progress is the same in all channels. A free channel allows time to pass indefinitely if its message queue is empty, but must begin transmission of its highest priority message without delay otherwise. Similarly, a channel at its acceptance point does not allow time to pass. Passage of time in the pre-acceptance and post-acceptance phases of message transmission is bounded by the time to completion of the phase. We define a function $tcp$ which determines, for any given channel, the maximum amount of time that can pass before the channel must make a discrete state change.
Definition 3.12 (Time Progress) Let $\eta$ be a channel. The maximum time progress allowed for $\eta$ is given by $tcp(\eta)$, where

$tcp(\downarrow,\ \langle\rangle) \triangleq \infty$
$tcp(\downarrow,\ \_ : \_) \triangleq 0$
$tcp(\rightsquigarrow^{\_,t} \_,\ \_) \triangleq t$
$tcp(\uparrow \_,\ \_) \triangleq 0$
$tcp(\_ \rightsquigarrow^{\_,t},\ \_) \triangleq t$

Let $K$ be a set of channel identifiers and $N$ a network over $K$. The maximum time progress allowed for $N$ is given by $tcp(N)$, which is defined by

$tcp(N) \triangleq \min\{\, tcp(N_k) \mid k \in K \,\}$

where $\min S$ returns the minimum of the finite, ordered set $S$. □
When time passes, the state of the network changes accordingly. We use the notation $\eta + t$ (resp. $N + t$) to denote the state of the channel $\eta$ (resp. network $N$) after the passage of $t$ units of time.
Definition 3.13 (Effect of time progress: Channels) Let $\eta$ be a channel. Let $t \in \mathbb{R}$. The state of the channel $\eta$ after the progress of $t$ units of time is denoted $\eta + t$, where $\eta + t$ is defined by:

$(\downarrow,\ \langle\rangle) + t = (\downarrow,\ \langle\rangle)$
$(\downarrow,\ m : u) + t = $ if $t = 0$ then $(\downarrow,\ m : u)$ else $\bot$
$(\rightsquigarrow^{t_1,t_2} m,\ u) + t = $ if $t \le t_2$ then $(\rightsquigarrow^{t_1 \dot{-} t,\ t_2 \dot{-} t} m,\ u)$ else $\bot$
$(\uparrow m,\ u) + t = $ if $t = 0$ then $(\uparrow m,\ u)$ else $\bot$
$(m \rightsquigarrow^{t_1,t_2},\ u) + t = $ if $t \le t_2$ then $(m \rightsquigarrow^{t_1 \dot{-} t,\ t_2 \dot{-} t},\ u)$ else $\bot$

where $\eta + t = \bot$ is interpreted to mean that the result is not a well-defined channel. □
Proposition 3.3 Let $\eta$ be a channel. Then, $\eta + 0 = \eta$.
Proof Immediate from Definition 3.13. □
Definition 3.14 (Effect of time progress: Networks) Let $K$ be a set of channel identifiers and $N$ a network over $K$. Let $t \in \mathbb{R}$. The state of the network $N$ after the progress of $t$ units of time is denoted by $N + t$, where

$N + t = \{\, k \mapsto (N_k + t) \mid k \in K \,\}$, if $\forall k \in K \,.\ N_k + t \ne \bot$
$N + t = \bot$, otherwise

where $N + t = \bot$ is interpreted to mean that the result is not a well-defined network. □
Proposition 3.4 Let $N$ be a network. Then, $N + 0 = N$.
Proof By Definition 3.14 and Proposition 3.3. □
Proposition 3.5 For any network $N$ and time $t \in \mathbb{R}$, if $0 \le t \le tcp(N)$ then $N + t$ is well-defined, i.e., $N + t \ne \bot$.
Proof Immediate from Definitions 3.12 and 3.14. □
If all channels in a network $N$ can allow time to progress by $t$ time units, then $N$ can allow time to progress by $t$ time units, changing state to become $N + t$. This is expressed formally by the rule N.5 below:

N.5 $\dfrac{0 \le t \le tcp(N)}{N \xrightarrow{t}_n N + t}$

Proposition 3.6 Let $N$ be a network. Then, $N \xrightarrow{0}_n N$.
Proof Immediate from N.5, Proposition 3.4 and Definition 3.12. □
Summary
For ease of reference, we summarise the discussion of network behaviour by giving the following definition:
Definition 3.15 (Network Behaviour) Let $V$ be the set of data values. Let $K$ and $I$ be sets of channel identifiers and message identifiers, respectively. Let $A_n$ be the set of action labels over $K$ and $I$. The network behaviour relation $\rightarrow_n \subseteq Network_{K,I} \times (A_n \cup \mathbb{R}) \times Network_{K,I}$ is given by the rules of Figure 3.3, where for all $N, N' \in Network$ and $\lambda_{nt} \in A_n \cup \mathbb{R}$, $N \xrightarrow{\lambda_{nt}}_n N'$ iff this can be inferred from the rules N.1 - N.5. □
It is clear that $\rightarrow_n$ is well-behaved in that, if $N \xrightarrow{\lambda_{nt}}_n N'$, then $N'$ is a well-defined network and all of the static components are the same in $N$ and $N'$.
Proposition 3.7 Let $K$ be a set of channel identifiers and $N$ a network over $K$. If $N \xrightarrow{\lambda_{nt}}_n N'$, then $N' \ne \bot$, and, for any channel identifier $k$, where $N_k = (M, \prec, \delta, s, u)$ and $N'_k = (M', \prec', \delta', s', u')$, the following properties hold:
1. $M = M'$, $\prec = \prec'$ and $\delta = \delta'$;
2. $s' \in Status_{M,\delta}$;
3. $u' \in Queue_{M,\prec}$.
N.1 $\dfrac{N_k = (\downarrow,\ m : u)}{N \xrightarrow{k \rightsquigarrow m}_n N[k := (\rightsquigarrow^{\delta_{lb}(m),\,\delta_{ub}(m)} m,\ u)]}$

N.2 $\dfrac{N_k = (\rightsquigarrow^{0,t} m,\ u)}{N \xrightarrow{k \uparrow m}_n N[k := (\uparrow m,\ u)]}$

N.3 $\dfrac{N_k = (\uparrow m,\ u)}{N \xrightarrow{m \rightsquigarrow k}_n N[k := (m \rightsquigarrow^{\delta_{lB}(m),\,\delta_{uB}(m)},\ u)]}$

N.4 $\dfrac{N_k = (m \rightsquigarrow^{0,t},\ u)}{N \xrightarrow{k\downarrow}_n N[k := (\downarrow,\ u)]}$

N.5 $\dfrac{0 \le t \le tcp(N)}{N \xrightarrow{t}_n N + t}$

Fig. 3.3: Rules for Network Behaviour
Proof The proofs of all properties follow directly from case analysis of the rules N.1 - N.5 by which $N \xrightarrow{\lambda_{nt}}_n N'$ is inferred. That $N' \ne \bot$ is immediate from N.5 and Proposition 3.5. Properties 1-3 follow from N.1 - N.5 and Definitions 3.5 and 3.6. □
Example of network behaviour 
We now give an example of the possible behaviour of a simple network. 
Example 3.3 Consider a network consisting of a single channel which can transmit messages of type temperature or of type pressure. Assume that the values transmitted are abstractions of actual sensor readings, where 0 represents a reading in the low range, 1 a reading in the normal range, and 2 a reading in the high range. The network can be defined as follows.
The message identifiers are given by the set $I = \{temperature, pressure\}$, with priority order $\prec$ given by $temperature \prec pressure$. The set of data values is $V = \{0, 1, 2\}$ and the set of messages is $M = I \times V$. There is a single channel identifier given by the set $K = \{k\}$. The function $\delta$ specifies transmission latencies in microseconds, as follows:

                 temperature._    pressure._
$\delta_{lb}$          43               32
$\delta_{ub}$          53               42
$\delta_{lB}$          10               10
$\delta_{uB}$          12               12
The network is $N = \{\, k \mapsto (M, \prec, \delta, \downarrow, \langle temperature.1, pressure.0 \rangle) \,\}$. Notice that we are assuming that the messages $temperature.1$ and $pressure.0$ have already been placed in the message queue of $k$.
Now a possible trace of the network behaviour from this initial state is given in Figure 3.4. □

$(\downarrow,\ \langle temperature.1, pressure.0 \rangle)$
$\xrightarrow{k \rightsquigarrow temperature.1}_n (\rightsquigarrow^{43,53} temperature.1,\ \langle pressure.0 \rangle)$   (N.1)
$\xrightarrow{47}_n (\rightsquigarrow^{0,6} temperature.1,\ \langle pressure.0 \rangle)$   (N.5)
$\xrightarrow{k \uparrow temperature.1}_n (\uparrow temperature.1,\ \langle pressure.0 \rangle)$   (N.2)
$\xrightarrow{temperature.1 \rightsquigarrow k}_n (temperature.1 \rightsquigarrow^{10,12},\ \langle pressure.0 \rangle)$   (N.3)
$\xrightarrow{12}_n (temperature.1 \rightsquigarrow^{0,0},\ \langle pressure.0 \rangle)$   (N.5)
$\xrightarrow{k\downarrow}_n (\downarrow,\ \langle pressure.0 \rangle)$   (N.4)
$\xrightarrow{k \rightsquigarrow pressure.0}_n (\rightsquigarrow^{32,42} pressure.0,\ \langle\rangle)$   (N.1)
$\xrightarrow{32}_n (\rightsquigarrow^{0,10} pressure.0,\ \langle\rangle)$   (N.5)
$\xrightarrow{k \uparrow pressure.0}_n (\uparrow pressure.0,\ \langle\rangle)$   (N.2)
$\xrightarrow{pressure.0 \rightsquigarrow k}_n (pressure.0 \rightsquigarrow^{10,12},\ \langle\rangle)$   (N.3)
$\xrightarrow{11}_n (pressure.0 \rightsquigarrow^{0,1},\ \langle\rangle)$   (N.5)
$\xrightarrow{k\downarrow}_n (\downarrow,\ \langle\rangle)$   (N.4)
$\xrightarrow{5}_n (\downarrow,\ \langle\rangle)$   (N.5)
$\xrightarrow{2}_n (\downarrow,\ \langle\rangle)$   (N.5)
$\xrightarrow{500}_n (\downarrow,\ \langle\rangle)$   (N.5)

Fig. 3.4: Example of network behaviour (only the dynamic components $(s, u)$ of channel $k$ are shown; the rule applied is given on the right)
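The following Python program is an added example, not part of the dissertation, which replays the trace of Figure 3.4 by implementing $tcp$, the effect of time progress and the discrete rules N.1 to N.4 for a single channel, together with the network-level minimum of Definition 3.12 and $N + t$ of Definition 3.14. The latency table and the step sequence are those of Example 3.3; the encoding of a transmission status as a phase name plus the remaining (lower, upper) bounds is an assumption of this example. `advance` returns `None` where the definitions give $\bot$, so a delay the model does not admit is rejected rather than absorbed.

```python
"""Replay of the network rules N.1-N.5 for the single channel of Example 3.3, after
Definitions 3.12-3.14 and Figure 3.3. Added example; the phase/bounds encoding of a
transmission status is an assumption of this example."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple, Union

INF = float("inf")
Msg = Tuple[str, int]                                     # (identifier, value), i.v in the text
Latency = Dict[str, Tuple[float, float, float, float]]    # identifier -> (lb, ub, lB, uB)

@dataclass(frozen=True)
class Channel:
    """Dynamic part (s, u) of a channel. phase is 'free', 'pre', 'acc' or 'post'; lo/hi are
    the remaining lower/upper bounds on the time to completion of the current phase."""
    phase: str
    msg: Optional[Msg]
    lo: float
    hi: float
    queue: Tuple[Msg, ...]                                # priority ordered, head first

def monus(a: float, b: float) -> float:
    """Truncated subtraction: a - b, but never below zero."""
    return max(a - b, 0.0)

def tcp(c: Channel) -> float:
    """Maximum time progress allowed for a channel (Definition 3.12)."""
    if c.phase == "free":
        return INF if not c.queue else 0.0                # pending message: must start now
    if c.phase == "acc":
        return 0.0                                        # acceptance point: no delay at all
    return c.hi                                           # pre/post: bounded by the deadline

def advance(c: Channel, t: float) -> Optional[Channel]:
    """c + t (Definition 3.13); None stands for the undefined result."""
    if t < 0 or t > tcp(c):
        return None
    if c.phase in ("pre", "post"):
        return replace(c, lo=monus(c.lo, t), hi=monus(c.hi, t))
    return c

def step(c: Channel, delta: Latency) -> Tuple[str, Channel]:
    """Apply the one discrete rule (N.1-N.4) enabled in c; return its label and the result."""
    if c.phase == "free" and c.queue:                     # N.1 pre-acceptance
        m, rest = c.queue[0], c.queue[1:]
        lb, ub, _, _ = delta[m[0]]
        return f"k~>{m[0]}.{m[1]}", Channel("pre", m, lb, ub, rest)
    if c.phase == "pre" and c.lo == 0:                    # N.2 acceptance
        return f"k^{c.msg[0]}.{c.msg[1]}", replace(c, phase="acc", lo=0.0, hi=0.0)
    if c.phase == "acc":                                  # N.3 post-acceptance
        _, _, lB, uB = delta[c.msg[0]]
        return f"{c.msg[0]}.{c.msg[1]}~>k", replace(c, phase="post", lo=lB, hi=uB)
    if c.phase == "post" and c.lo == 0:                   # N.4 free
        return "k_v", Channel("free", None, 0.0, 0.0, c.queue)
    raise ValueError(f"no discrete rule enabled in {c}")

def tcp_network(net: Dict[str, Channel]) -> float:
    """tcp(N): time advances at one rate, so the tightest channel bounds the whole network."""
    return min(tcp(c) for c in net.values())

def advance_network(net: Dict[str, Channel], t: float) -> Optional[Dict[str, Channel]]:
    """N + t (Definition 3.14): undefined (None) unless every channel admits the delay."""
    if t < 0 or t > tcp_network(net):
        return None
    return {k: advance(c, t) for k, c in net.items()}

def run(c: Channel, schedule: List[Union[str, float]], delta: Latency) -> List[Tuple[object, Channel]]:
    """Replay a schedule: a number t is rule N.5 with delay t, the string 'd' is the enabled
    discrete rule. Returns one (label, state) pair per transition; a delay the model does not
    admit raises instead of being silently absorbed."""
    trace: List[Tuple[object, Channel]] = []
    for item in schedule:
        if item == "d":
            label, c = step(c, delta)
        else:
            nxt = advance(c, item)
            if nxt is None:
                raise ValueError(f"delay {item} exceeds tcp = {tcp(c)} in {c}")
            label, c = item, nxt
        trace.append((label, c))
    return trace

# Data of Example 3.3 (latencies in microseconds) and the transition sequence of Figure 3.4.
DELTA: Latency = {"temperature": (43, 53, 10, 12), "pressure": (32, 42, 10, 12)}
INITIAL = Channel("free", None, 0.0, 0.0, (("temperature", 1), ("pressure", 0)))
FIG_3_4 = ["d", 47, "d", "d", 12, "d", "d", 32, "d", "d", 11, "d", 5, 2, 500]

def figure_3_4_trace() -> List[Tuple[object, Channel]]:
    return run(INITIAL, FIG_3_4, DELTA)

if __name__ == "__main__":
    for label, s in figure_3_4_trace():
        print(f"--{label}--> {s.phase:4} {s.msg} [{s.lo}, {s.hi}] queue={s.queue}")
```

Two checks worth running by hand: a free channel with a pending message and a channel at its acceptance point both have $tcp = 0$, so `advance(INITIAL, 1)` is undefined exactly as Definition 3.13 says, and in a two-channel network the delay of 53 that the busy channel admits is refused as soon as a second channel holds an unstarted message.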
The behaviour given in this example is very simple, since messages are trans-
mitted but not received. How a network interacts with receiving processes is 
considered in the following section. 
3.5 The Process Model 
We use a simple process language to describe the behaviour of processes. In 
choosing the operators of the language, we have been concerned to identify a 
small set which allows us to express naturally the behavioural models in which 
we are interested, while allowing the definition of a timed transition semantics 
in a direct manner. The syntax and informal semantics of the language are 
presented in this section. Section 3.6 gives a formal semantics and the work of 
the numerous researchers which has influenced the language design is discussed 
in §3.8. 
3.5.1 Syntax
Definition 3.16 (Process terms) Let $K$ and $I$ be finite sets of channel identifiers and message identifiers, respectively. Let $Var$ be a finite set of data variables, $\Omega$ a finite set of operation names and $\Gamma$ a finite set of predicate names. Finally, let $\mathbb{R}_\infty$ be the time domain and $\mathcal{X}$ a countable set of process variables. The set of process terms over $K$, $I$, $Var$, $\Omega$ and $\Gamma$ is denoted $Proc^+_{K,I,Var,\Omega,\Gamma}$ and is defined inductively by:

$P ::= k!i.x$   (* send broadcast message *)
$\quad \mid\ k?i.x$   (* receive broadcast message *)
$\quad \mid\ [\omega : t_1, t_2]$   (* time-bounded computation *)
$\quad \mid\ \gamma \rightarrow P$   (* data guard *)
$\quad \mid\ P ; P$   (* sequential composition *)
$\quad \mid\ P + P$   (* non-deterministic choice *)
$\quad \mid\ P \triangleright P$   (* interrupt *)
$\quad \mid\ P \mid P$   (* parallel composition *)
$\quad \mid\ rec\, X.P$   (* recursion *)
$\quad \mid\ X$   (* process variable *)

where $k \in K$, $i \in I$, $x \in Var$, $\omega \in \Omega$, $\gamma \in \Gamma$, $X \in \mathcal{X}$ and $t_1 \le t_2 \in \mathbb{R}_\infty$. □
Notation. The subscript is dropped from $Proc^+_{K,I,Var,\Omega,\Gamma}$ if it is not relevant or can be inferred from the context.
Terms of the form $k!i.x$, $k?i.x$ and $[\omega : t_1, t_2]$ are called basic terms. We use variables $\beta, \beta_1, \beta_2, \ldots$ to range over basic terms. The precedence of the operators, from high to low, is: $\rightarrow$, $;$, $+$, $\triangleright$, $rec$, $\mid$. We use a number of syntactic abbreviations:

$[\omega : t_1] \triangleq [\omega : t_1, t_1]$
$idle \triangleq [ID : \infty]$
$[t_1] \triangleq [ID : t_1]$
$null \triangleq [ID : 0]$

Free and bound variables are defined as usual.
Definition 3.17 (Free and bound variables)
Let $P \in Proc^+$ and $\bowtie \in \{;, +, \triangleright, \mid\}$. The free (process) variables and bound (process) variables of $P$ are given by $fv(P)$ and $bv(P)$ respectively, which are defined as the least sets satisfying:

$fv(k!i.x) = \emptyset$                                $bv(k!i.x) = \emptyset$
$fv(k?i.x) = \emptyset$                                $bv(k?i.x) = \emptyset$
$fv([\omega : t_1, t_2]) = \emptyset$                  $bv([\omega : t_1, t_2]) = \emptyset$
$fv(\gamma \rightarrow P) = fv(P)$                     $bv(\gamma \rightarrow P) = bv(P)$
$fv(X) = \{X\}$                                        $bv(X) = \emptyset$
$fv(rec\, X.P) = fv(P) \setminus \{X\}$                $bv(rec\, X.P) = bv(P) \cup \{X\}$
$fv(P \bowtie Q) = fv(P) \cup fv(Q)$                   $bv(P \bowtie Q) = bv(P) \cup bv(Q)$   □
Definition 3.18 (Closed term) For any $P \in Proc^+$, $P$ is a closed term if $fv(P) = \emptyset$. □
The use of sequential composition as a basic operator, rather than action prefix, requires some care in the definition of guarded terms.
Definition 3.19 (Guarding, Guarded process variable, Guarded term)
Any basic term $\beta \in Proc^+$ is guarding. A term of the form $P_1 ; P_2$ or $P_1 \mid P_2$ is guarding if $P_1$ is guarding or $P_2$ is guarding. A term of the form $P_1 + P_2$ or $P_1 \triangleright P_2$ is guarding if $P_1$ and $P_2$ are guarding. A term of the form $rec\, X.P$ is guarding if $P$ is guarding.
Let $P \in Proc^+$ be a term containing one or more occurrences of a variable $X \in \mathcal{X}$. An occurrence of $X$ is guarded in $P$ if $P$ has a subterm of the form $P_1 ; P_2$ where the occurrence of $X$ is contained in $P_2$ and $P_1$ is guarding. Otherwise this occurrence of $X$ is unguarded in $P$. A process variable $X$ is guarded in a term $P$ if every occurrence of $X$ is guarded in $P$. A term $P$ is guarded if all of its process variables are guarded in $P$. □
Definition 3.20 (Closed, guarded terms) The set $Proc \subseteq Proc^+$ is defined to be the set of closed, guarded terms in $Proc^+$. □
Equational Presentation 
In practice, the use of the recursion operator rec X . P is often inconvenient 
and the use of a set of mutually recursive equations is preferable. We will 
use whatever form is more convenient in its context and regard a term defined 
using a set of simultaneous equations as denoting its corresponding term given 
in terms of the recursion operator. 
Definition 3.21 Let $E$ be a finite set of equations $\{X_1 \triangleq P_1, X_2 \triangleq P_2, \ldots, X_n \triangleq P_n\}$ where $\bigcup_{i \in \{1..n\}} fv(P_i) \subseteq \{X_1, \ldots, X_n\}$. Let $P$ be a process term, $fv(P) \subseteq \{X_1, \ldots, X_n\}$. Then, the process term corresponding to $P$ is given by the normal form of $P^E$ under the rewrite relation $\rightarrow_{rw}$, defined by:

$(k?i.x)^E \rightarrow_{rw} k?i.x$
$(\gamma \rightarrow P)^E \rightarrow_{rw} \gamma \rightarrow (P)^E$
$(P + Q)^E \rightarrow_{rw} (P)^E + (Q)^E$
$(P \mid Q)^E \rightarrow_{rw} (P)^E \mid (Q)^E$
□
Example 3.4 Consider the equational presentation $A$ where

$A \triangleq [a : 1] ; B$
$B \triangleq [b : 1] ; A$

Let $E_A \triangleq \{A \triangleq [a : 1] ; B\}$, $E_B \triangleq \{B \triangleq [b : 1] ; A\}$, and $E \triangleq E_A \cup E_B$. Then, with respect to $E$, $A$ is taken to stand for the term

$A^E \rightarrow_{rw} rec\, A.([a : 1] ; B)^{E_B}$
$\quad \rightarrow_{rw} rec\, A.[a : 1]^{E_B} ; B^{E_B}$
$\quad \rightarrow_{rw} rec\, A.[a : 1] ; B^{E_B}$
$\quad \rightarrow_{rw} rec\, A.[a : 1] ; rec\, B.([b : 1] ; A)^{\emptyset}$
$\quad \rightarrow_{rw} rec\, A.[a : 1] ; rec\, B.[b : 1]^{\emptyset} ; A^{\emptyset}$
$\quad \rightarrow_{rw} rec\, A.[a : 1] ; rec\, B.[b : 1] ; A^{\emptyset}$
$\quad \rightarrow_{rw} rec\, A.[a : 1] ; rec\, B.[b : 1] ; A$   □

3.5.2 Informal Semantics
Each process term represents a potential process which, when given a context (i.e., a network and a data environment), is capable of exhibiting some behaviour. We give an informal introduction to the behaviour of process terms in the remainder of this section. The formal semantics is deferred to §3.6.
Send The term, k!i.x, denotes a process which causes a message to be queued 
for transmission on channel k. The message consists of the message identifier, 
i, and the data value associated with the variable, x. Sending is asynchronous. 
The process k!i.x cannot be delayed. It causes its message to be queued in-
stantaneously and terminates immediately. 
Receive k?i.x is a process which waits to accept a message from channel k. 
It will only accept a message with the identifier i. It ignores messages with 
any other identifier, simply allowing time to pass and other network activity 
to occur. When an i-message reaches its acceptance point during transmission 
on channel k, then k?i.x must accept the message instantly, causing the data 
variable x to become associated with the message's data value. k?i.x then 
terminates immediately. 
Compute [w : tl, t2] is a process which transforms the data state according to 
the specification of the operation w. It begins execution immediately and is 
guaranteed to terminate no later (resp. no sooner) than t2 (resp. tl) time units 
after it has started. The specified change to the data state occurs in a single, 
instantaneous action at the moment of termination. Two forms of the compute 
process are deemed important enough to warrant giving them their own names: the idle process, defined as $[ID : \infty]$, which never performs any action but simply allows time to pass forever; and the null process, defined as $[ID : 0]$, which terminates immediately, leaving the data state unchanged.
Evaluate Guard $\gamma \rightarrow P$ causes the evaluation of the guard $\gamma$ (which is a predicate on data states) in the current environment. If the guard is satisfied, the process carries on immediately to behave as $P$; otherwise $\gamma \rightarrow P$ simply idles, allowing time to pass and network activity to occur.
Sequential Composition P; Q behaves just as P until P terminates. It then 
carries on immediately to behave as Q, using the state of the network and the 
data environment at P's termination. If P does not terminate then Q is never 
started. 
Choice P + Q behaves either as P or as Q. The choice is resolved in favour of 
whichever process can first perform an action. If both P and Q can perform 
an action simultaneously, the choice is resolved arbitrarily in favour of one of 
them. Network activity and the passage of time must be allowed by both P 
and Q in order to occur; neither resolves the choice. The choice operator can 
be used quite simply to model a timeout, e.g., 
k?i.x; P + [Timeout: 4] ; Q 
denotes a process which is able to receive a message with identifier i from 
channel k and then behave like process P, or, alternatively, may execute the 
Timeout operation at time 4 and then behave like process Q. Notice that if an 
i message becomes available for reception before time 4 then it will be received 
and the timeout branch will be discarded. On the other hand, if an i message 
does not become available at any time up to, and including, time 4 then the 
timeout branch will be taken and the possibility of the message reception will 
be discarded. If an i message becomes available at exactly time 4 then one or 
the other branch will be taken non-deterministically, i.e., the view is taken that 
when two or more actions are possible at the same moment in time, we cannot 
determine the order in which they may occur but must consider all possible 
interleavings. 
Interrupt P [> Q behaves as P until either Q performs an action or P termi-
nates. In the first case, the system carries on to behave as Q with whatever is 
the current state of the network and data environment (P is aborted); in the 
second case, the whole process, P [> Q, terminates. If both P and Q can per-
form an action simultaneously, the choice is resolved arbitrarily in favour of one 
of them. Network activity and the passage of time both require the willingness 
of P and Q to allow them to occur. When time passes, it does so in both P and 
Q. An interrupt is forced when Q can perform an action but cannot allow time 
progress, and, at the same time, neither P nor the network can perform any 
action. In effect, the interrupt operator behaves just like the choice operator, 
except that the occurrence of an action a in the left operand does not cause the 
right operand to be discarded unless a is a terminating action. 
Parallel Composition The parallel operator, $P \mid Q$, gives a simple interleaving of the actions of $P$ and $Q$. As with the other operators, network activity and the passage of time require the willingness of both $P$ and $Q$ to allow them to occur.
Recursion The process rec X.P denotes a recursive process which has the po-
tential for repetitive behaviour. 
3.6 Formal system model
The formal model of an embedded control system, of the sort which was introduced informally in §3.2, is given by a tuple $(P, N, D)$, where $P$ is a process term describing the behaviour of the system processes, $N$ is a network consisting of one or more communication channels, and $D$ is a data environment. There are some obvious 'sanity' properties which a model $(P, N, D)$ must satisfy in order to be considered well-formed. This section specifies what it means for a model to be well-formed. A well-formed model is called a bCANDLE system. A formal semantics is given to a bCANDLE system $(P, N, D)$ in a standard way, using structured operational rules in the style of Plotkin [Plo81]. A strong equivalence is defined for bCANDLE systems and some simple equational laws are identified.
3.6.1 Well-formed systems 
Clearly, there are some models $(P, N, D)$ to which we need not attempt to give a semantics, e.g., if $k!i.x$ is a sub-term of $P$ and either $k$ does not identify a channel in $N$ or $D.x$ is undefined. We rule out such models by defining the set of well-formed models, which we call bCANDLE systems. Essentially, a model $(P, N, D)$ is well-formed iff $P$, $N$ and $D$ agree on their channel identifiers, message identifiers, data variables, operation names and predicate names, and it is both transmit-safe and receive-safe. A model $(P, N, D)$ is transmit-safe iff any message which may be sent by $P$ on some channel $k$ is a transmissible message for $k$ in the network $N$. A model is receive-safe iff, for any message $i.v$ which may be received by $P$ into a data variable $x$, $v$ is in the type of $x$.
The send and receive sub-terms of a term $P$ are defined simply.
Definition 3.22 ($snd(P)$, $rcv(P)$) Let $P \in Proc^+$ and $\bowtie \in \{;, +, \triangleright, \mid\}$. The send and receive sub-terms of $P$ are given by $snd(P)$ and $rcv(P)$ respectively, which are defined as the least sets satisfying:

$snd(k!i.x) = \{k!i.x\}$                           $rcv(k!i.x) = \emptyset$
$snd(k?i.x) = \emptyset$                           $rcv(k?i.x) = \{k?i.x\}$
$snd([\omega : t_1, t_2]) = \emptyset$             $rcv([\omega : t_1, t_2]) = \emptyset$
$snd(\gamma \rightarrow P) = snd(P)$               $rcv(\gamma \rightarrow P) = rcv(P)$
$snd(X) = \emptyset$                               $rcv(X) = \emptyset$
$snd(rec\, X.P) = snd(P)$                          $rcv(rec\, X.P) = rcv(P)$
$snd(P \bowtie Q) = snd(P) \cup snd(Q)$            $rcv(P \bowtie Q) = rcv(P) \cup rcv(Q)$   □
We are now in a position to define the set of bCANDLE systems.
Definition 3.23 (bCANDLE system) Let $K$ and $I$ be finite sets of channel identifiers and message identifiers. Let $Var$, $\Omega$ and $\Gamma$ be finite sets of variable names, operation names and predicate names, respectively. Let $V$ be the set of data values. The set of bCANDLE systems over $K, I, Var, \Omega$ and $\Gamma$ is denoted $bCAN_{K,I,Var,\Omega,\Gamma}$ and a tuple $(P, N, D) \in bCAN_{K,I,Var,\Omega,\Gamma}$ iff $P \in Proc_{K,I,Var,\Omega,\Gamma}$, $N \in Network_{K,I}$, $D \in DataEnv_{Var,\Omega,\Gamma}$ and the following two properties are satisfied:

$k!i.x \in snd(P) \wedge N_k = (M, \_, \_, \_, \_) \Rightarrow \{\, i.v \mid v \in D.type(x) \,\} \subseteq M$   (3.3)
$k?i.x \in rcv(P) \wedge N_k = (M, \_, \_, \_, \_) \Rightarrow \{\, v \mid i.v \in M \,\} \subseteq D.type(x)$   (3.4)
□
Conditions 3.3 and 3.4 express the requirements for transmit-safe and receive-safe models, respectively.
Notation. As usual, the subscript is dropped from $bCAN_{K,I,Var,\Omega,\Gamma}$ when it can be inferred from the context.
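The static checks of this section and of §3.5.1, as an added Python example that is not part of the dissertation: free variables (Definition 3.17), guardedness (Definition 3.19), the $snd$/$rcv$ sub-terms (Definition 3.22) and the transmit-safe and receive-safe conditions 3.3 and 3.4 (Definition 3.23). The tuple encoding of process terms, the sample controller and its operation name `Check` are assumptions of this example; the message set and channel $k$ are those of Example 3.3.

```python
"""Static checks on bCANDLE process terms: free variables (Definition 3.17), guardedness
(Definition 3.19), send/receive sub-terms (Definition 3.22) and conditions 3.3/3.4 of
Definition 3.23. Added example; the tuple encoding of terms is an assumption of this example."""
from typing import Dict, FrozenSet, List, Set, Tuple

# Terms are nested tuples headed by a constructor name:
#   ("send", k, i, x)  ("recv", k, i, x)  ("comp", w, t1, t2)  ("guard", g, P)
#   ("seq", P, Q)  ("choice", P, Q)  ("int", P, Q)  ("par", P, Q)  ("rec", X, P)  ("var", X)
BASIC = {"send", "recv", "comp"}

def fv(P) -> Set[str]:
    """Free process variables of P (Definition 3.17)."""
    tag = P[0]
    if tag in BASIC: return set()
    if tag == "var": return {P[1]}
    if tag == "guard": return fv(P[2])
    if tag == "rec": return fv(P[2]) - {P[1]}
    return fv(P[1]) | fv(P[2])

def guarding(P) -> bool:
    """Definition 3.19: basic terms are guarding; ';' and '|' need one guarding operand, '+' and
    '[>' need both; rec X.P is guarding iff P is. Guards and variables are not listed there."""
    tag = P[0]
    if tag in BASIC: return True
    if tag in ("seq", "par"): return guarding(P[1]) or guarding(P[2])
    if tag in ("choice", "int"): return guarding(P[1]) and guarding(P[2])
    if tag == "rec": return guarding(P[2])
    return False

def unguarded(P, protected: bool = False) -> Set[str]:
    """Variables with an unguarded occurrence: an occurrence is guarded once it lies in the
    right operand of some P1 ; P2 whose left operand P1 is guarding (Definition 3.19)."""
    tag = P[0]
    if tag in BASIC: return set()
    if tag == "var": return set() if protected else {P[1]}
    if tag in ("guard", "rec"): return unguarded(P[2], protected)
    if tag == "seq":
        return unguarded(P[1], protected) | unguarded(P[2], protected or guarding(P[1]))
    return unguarded(P[1], protected) | unguarded(P[2], protected)

def guarded(P) -> bool:
    return not unguarded(P)

def snd_rcv(P) -> Tuple[Set[tuple], Set[tuple]]:
    """snd(P), rcv(P) as sets of (k, i, x) triples (Definition 3.22)."""
    tag = P[0]
    if tag == "send": return {P[1:]}, set()
    if tag == "recv": return set(), {P[1:]}
    if tag in ("comp", "var"): return set(), set()
    if tag in ("guard", "rec"): return snd_rcv(P[2])
    s1, r1 = snd_rcv(P[1])
    s2, r2 = snd_rcv(P[2])
    return s1 | s2, r1 | r2

def well_formed(P, network: Dict[str, FrozenSet[tuple]], types: Dict[str, FrozenSet[int]]) -> List[str]:
    """Reasons why (P, N, D) is not a bCANDLE system (empty list if it is). `network` maps each
    channel k to the message set M of N_k; `types` maps each data variable x to D.type(x)."""
    problems: List[str] = []
    if fv(P): problems.append(f"open term, free variables {sorted(fv(P))}")
    if not guarded(P): problems.append(f"unguarded variables {sorted(unguarded(P))}")
    sends, recvs = snd_rcv(P)
    for k, i, x in sorted(sends):                                   # condition 3.3
        if k not in network:
            problems.append(f"{k}!{i}.{x}: no channel {k}")
        else:
            missing = {(i, v) for v in types[x]} - network[k]
            if missing:
                problems.append(f"{k}!{i}.{x}: not transmissible on {k}: {sorted(missing)}")
    for k, i, x in sorted(recvs):                                   # condition 3.4
        if k not in network:
            problems.append(f"{k}?{i}.{x}: no channel {k}")
        else:
            outside = {v for (j, v) in network[k] if j == i} - types[x]
            if outside:
                problems.append(f"{k}?{i}.{x}: values {sorted(outside)} outside type of {x}")
    return problems

# Constructed sample: the channel of Example 3.3 and a controller that reads a temperature,
# computes (hypothetical operation Check) for 1..2 time units, publishes a pressure, and repeats.
EXAMPLE_M = frozenset((i, v) for i in ("temperature", "pressure") for v in (0, 1, 2))
NETWORK = {"k": EXAMPLE_M}
CONTROLLER = ("rec", "X", ("seq", ("recv", "k", "temperature", "t"),
                          ("seq", ("comp", "Check", 1, 2),
                                  ("seq", ("send", "k", "pressure", "p"), ("var", "X")))))
UNGUARDED = ("rec", "X", ("choice", ("var", "X"), ("recv", "k", "temperature", "t")))
OK_TYPES = {"t": frozenset({0, 1, 2}), "p": frozenset({0, 1, 2})}
BAD_TYPES = {"t": frozenset({0, 1}), "p": frozenset({0, 1, 2, 3})}
```

`well_formed(CONTROLLER, NETWORK, BAD_TYPES)` reports two violations: `p` may hold 3, so `pressure.3` is not transmissible (3.3), and an incoming `temperature.2` would not fit in `t` (3.4). `guarding` follows Definition 3.19 literally: a guard $\gamma \rightarrow P$ is not among the guarding forms listed there, so $rec\, X.(\gamma \rightarrow X)$ is reported as unguarded, which is the conservative reading.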
3.6.2 Operational semantics
The semantics of a bCANDLE system is given by a labelled timed transition system. The set of labels consists of the network action labels $A_n$, the time passage labels $\mathbb{R}$, and the process action labels $A_p$, defined as follows.
Definition 3.24 (Process Action Labels) Let $K$ and $I$ be sets of channel and message identifiers, respectively. Let $\Omega$ be a set of operation names and $\Gamma$ a set of predicate names. Let $V$ be the set of data values. The set $A_p$ of process action labels over $K$, $I$, $\Omega$ and $\Gamma$ is defined

$A_p = \Omega \cup \Gamma \cup \{\, k!i.v \mid k \in K \wedge i \in I \wedge v \in V \,\} \cup \{\, k?i.v \mid k \in K \wedge i \in I \wedge v \in V \,\}$
□
Definition 3.25 (bCANDLE semantics) The semantics of a system $B \in bCAN$ is given by the timed transition system $T[B] = (\Sigma, \sigma_I, L, \rightarrow)$ where
• $\Sigma = bCAN$ is the set of states of the system.
• The initial state, $\sigma_I$, is $B$.
• $L = A_p \cup A_n \cup \mathbb{R}$ is the set of transition labels.
• $\rightarrow \subseteq (\Sigma \times L \times \Sigma)$ is the least relation which is closed under the structured operational rules of Figures 3.3, 3.5, 3.6 and 3.7. These rules make use of generic labels $\lambda_p$, $\lambda_n$, $\lambda_{nt}$ and $\lambda$ where $\lambda_p$ ranges over $A_p$, $\lambda_n$ ranges over $A_n$, $\lambda_{nt}$ ranges over $A_n \cup \mathbb{R}$ and $\lambda$ ranges over $L$. We assume that $t$ ranges over $\mathbb{R}$, whereas $t_1, t_2$ range over $\mathbb{R}_\infty$. □

Snd.1 $\dfrac{N_k = (s, u) \wedge v = D.x}{(k!i.x, N, D) \xrightarrow{k!i.v} (\checkmark,\ N[k := (s,\ u \oplus i.v)],\ D)}$

Snd.2 $\dfrac{N \xrightarrow{\lambda_n}_n N'}{(k!i.x, N, D) \xrightarrow{\lambda_n} (k!i.x, N', D)}$

Snd.3 $(k!i.x, N, D) \xrightarrow{0} (k!i.x, N, D)$

Rcv.1 $\dfrac{N_k = (\uparrow i.v,\ \_)}{(k?i.x, N, D) \xrightarrow{k?i.v} (\checkmark,\ N,\ D[x := v])}$

Rcv.2 $\dfrac{N \xrightarrow{\lambda_n}_n N' \wedge (N_k \ne (\uparrow i.\_,\ \_) \vee N_k = N'_k)}{(k?i.x, N, D) \xrightarrow{\lambda_n} (k?i.x, N', D)}$

Rcv.3 $\dfrac{N \xrightarrow{t}_n N'}{(k?i.x, N, D) \xrightarrow{t} (k?i.x, N', D)}$

Comp.2 $\dfrac{N \xrightarrow{\lambda_n}_n N'}{([\omega : t_1, t_2], N, D) \xrightarrow{\lambda_n} ([\omega : t_1, t_2], N', D)}$

Comp.3 $\dfrac{N \xrightarrow{t}_n N' \wedge t \le t_2}{([\omega : t_1, t_2], N, D) \xrightarrow{t} ([\omega : t_1 \dot{-} t,\ t_2 \dot{-} t], N', D)}$

Fig. 3.5: Rules for Basic Systems
Termination
The distinguished process name $\checkmark$ is used in the semantic rules to indicate successful termination. It is used only in giving the semantics and is not available to a user of the language as a process term. This side-steps many of the tricky issues which arise in attempting to give a proper treatment of termination in a timed setting and permits a standard approach to be taken to the definition of the operational semantics and strong bisimilarity. The reader who is interested in some of the issues which arise when a more satisfying algebraic approach is attempted is referred to [BV97, Ver97a, BR00].

Gu.1 $\dfrac{D \models \gamma}{(\gamma \rightarrow P, N, D) \xrightarrow{\gamma} (P, N, D)}$

Gu.2 $\dfrac{N \xrightarrow{\lambda_n}_n N'}{(\gamma \rightarrow P, N, D) \xrightarrow{\lambda_n} (\gamma \rightarrow P, N', D)}$

Gu.3 $\dfrac{N \xrightarrow{t}_n N' \wedge (D \not\models \gamma \vee t = 0)}{(\gamma \rightarrow P, N, D) \xrightarrow{t} (\gamma \rightarrow P, N', D)}$

Seq.1 $\dfrac{(P, N, D) \xrightarrow{\lambda} (P', N', D') \wedge P' \ne \checkmark}{(P ; Q, N, D) \xrightarrow{\lambda} (P' ; Q, N', D')}$

Seq.2 $\dfrac{(P, N, D) \xrightarrow{\lambda} (\checkmark, N', D')}{(P ; Q, N, D) \xrightarrow{\lambda} (Q, N', D')}$

Ch.1 $\dfrac{(P, N, D) \xrightarrow{\lambda_p} (P', N', D')}{(P + Q, N, D) \xrightarrow{\lambda_p} (P', N', D')}$

Ch.2 $\dfrac{(Q, N, D) \xrightarrow{\lambda_p} (Q', N', D')}{(P + Q, N, D) \xrightarrow{\lambda_p} (Q', N', D')}$

Ch.3 $\dfrac{(P, N, D) \xrightarrow{\lambda_{nt}} (P', N', D) \wedge (Q, N, D) \xrightarrow{\lambda_{nt}} (Q', N', D)}{(P + Q, N, D) \xrightarrow{\lambda_{nt}} (P' + Q', N', D)}$

Rec $\dfrac{(P[rec\, X.P / X], N, D) \xrightarrow{\lambda} (P', N', D')}{(rec\, X.P, N, D) \xrightarrow{\lambda} (P', N', D')}$

Fig. 3.6: Rules for Guard, Sequential Composition, Choice and Recursion
Proposition 3.8 (Time determinism, time additivity) For any bCANDLE system $B$, $T[B]$ is a timed transition system.
Proof By Definition 2.6 and induction on the depth of the inferences which justify the time transitions. □
3.6.3 Strong equivalence 
We define a strong equivalence for bCANDLE systems using bisimulation [Mil89]. The standard notion of bisimulation is adapted by requiring that bisimilar states have identical contexts, i.e., their networks and data environments must be the same. This seems essential intuitively and accords with other treatments of bisimulation for systems whose states contain an explicit context [GP94, BV94].

Int.1 $\dfrac{(P, N, D) \xrightarrow{\lambda_p} (P', N', D') \wedge P' \ne \checkmark}{(P \triangleright Q, N, D) \xrightarrow{\lambda_p} (P' \triangleright Q, N', D')}$

Int.2 $\dfrac{(P, N, D) \xrightarrow{\lambda_p} (\checkmark, N', D')}{(P \triangleright Q, N, D) \xrightarrow{\lambda_p} (\checkmark, N', D')}$

Int.3 $\dfrac{(Q, N, D) \xrightarrow{\lambda_p} (Q', N', D')}{(P \triangleright Q, N, D) \xrightarrow{\lambda_p} (Q', N', D')}$

Int.4 $\dfrac{(P, N, D) \xrightarrow{\lambda_{nt}} (P', N', D) \wedge (Q, N, D) \xrightarrow{\lambda_{nt}} (Q', N', D)}{(P \triangleright Q, N, D) \xrightarrow{\lambda_{nt}} (P' \triangleright Q', N', D)}$

Par.1 $\dfrac{(P, N, D) \xrightarrow{\lambda_p} (P', N', D') \wedge P' \ne \checkmark}{(P \mid Q, N, D) \xrightarrow{\lambda_p} (P' \mid Q, N', D')}$

Par.2 $\dfrac{(P, N, D) \xrightarrow{\lambda_p} (\checkmark, N', D')}{(P \mid Q, N, D) \xrightarrow{\lambda_p} (Q, N', D')}$

Par.3 $\dfrac{(Q, N, D) \xrightarrow{\lambda_p} (Q', N', D') \wedge Q' \ne \checkmark}{(P \mid Q, N, D) \xrightarrow{\lambda_p} (P \mid Q', N', D')}$

Par.4 $\dfrac{(Q, N, D) \xrightarrow{\lambda_p} (\checkmark, N', D')}{(P \mid Q, N, D) \xrightarrow{\lambda_p} (P, N', D')}$

Par.5 $\dfrac{(P, N, D) \xrightarrow{\lambda_{nt}} (P', N', D) \wedge (Q, N, D) \xrightarrow{\lambda_{nt}} (Q', N', D)}{(P \mid Q, N, D) \xrightarrow{\lambda_{nt}} (P' \mid Q', N', D)}$

Fig. 3.7: Rules for Interrupt and Parallel Composition
Firstly, the standard definition of bisimulation is given with respect to an 
equivalence relation between states. 
Definition 3.26 (Strong Bisimulation) Let S = (~,~, L, ---+) be a LTS. 
Let :::::i be an equivalence relation on~. A binary relation R ~ ~ x ~ is a strong 
:::::i-bisimulation if (J'lR(J'2 implies 
1. (J'l :::::i (J'2 
2. for all ). E L, if (J'l ~(J'~, then (J'2~(J'~ for some (J'~ such that (J'~ R(J'~ 
3. for all ). E L, if (J'2~(J'~, then (J'l ~(J't for some (J'~ such that (J'~ R~ 0 
Notice that one obtains the standard definition of strong bisimulation by taking $\approx$ to be $\Sigma \times \Sigma$.
Definition 3.27 (Strong equivalence) Let $S = (\Sigma, \sigma_I, L, \rightarrow)$ be a LTS. $\sigma_1, \sigma_2 \in \Sigma$ are strongly equivalent ($\approx$-bisimilar), denoted $\sigma_1 \leftrightarrow_\approx \sigma_2$, iff there is a strong $\approx$-bisimulation $R$ such that $\sigma_1 R \sigma_2$. □
Strong equivalence is extended to transition systems, as follows.
Definition 3.28 Let $S_1 = (\Sigma_1, \sigma^I_1, L_1, \rightarrow_1)$ and $S_2 = (\Sigma_2, \sigma^I_2, L_2, \rightarrow_2)$ be LTS's. A $\approx$-bisimulation between $S_1$ and $S_2$ is a binary relation $R \subseteq \Sigma_1 \times \Sigma_2$, satisfying $\sigma^I_1 R \sigma^I_2$ and the three clauses of Definition 3.26. $S_1$ is strongly equivalent ($\approx$-bisimilar) to $S_2$, denoted $S_1 \leftrightarrow_\approx S_2$, iff there is a $\approx$-bisimulation between them. □
Notation. We write $\sigma_1 \leftrightarrow \sigma_2$ for $\sigma_1 \leftrightarrow_\approx \sigma_2$, and $S_1 \leftrightarrow S_2$ for $S_1 \leftrightarrow_\approx S_2$, when the relation $\approx$ is clear from the context.
In order to develop a notion of strong equivalence for bCANDLE systems, 
we define context equivalence which simply requires that networks and data 
environments are identical. 
Definition 3.29 (Context equivalence) Let $\sigma_1 = (P_1, N_1, D_1)$ and $\sigma_2 =
(P_2, N_2, D_2)$ be two bCANDLE system states in bCAN. $\sigma_1$ is context equiv-
alent to $\sigma_2$, denoted $\sigma_1 \approx_{ND} \sigma_2$, iff $N_1 = N_2$ and $D_1 = D_2$. □
Clearly, $\approx_{ND}$ is an equivalence relation. Now, strong equivalence for bCANDLE
systems is defined simply as $\approx_{ND}$-bisimilarity.
Definition 3.30 Let $B_1, B_2 \in$ bCAN. $B_1$ is strongly equivalent to $B_2$, denoted
$B_1 \leftrightarrow B_2$ iff their transition systems are $\approx_{ND}$-bisimilar, i.e. $T[B_1] \leftrightarrow_{\approx_{ND}}
T[B_2]$ □
We also extend the notion of strong equivalence to the set Proc of closed, 
guarded process terms. 
Definition 3.31 Let $P, Q \in Proc$ be closed, guarded process terms. $P$ is
strongly equivalent to $Q$, denoted $P \leftrightarrow Q$, iff $(P, N, D) \leftrightarrow (Q, N, D)$ for all
bCANDLE systems $(P, N, D), (Q, N, D) \in$ bCAN. □
Notation. bCAN $\models P \leftrightarrow Q$ denotes the fact that $P$ is strongly equivalent to
$Q$ with respect to the semantics of bCAN.
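The following Python is added here as an illustration and is not part of the thesis or its simulators. It computes the greatest ≈-bisimulation between two finite labelled transition systems by the usual fixpoint refinement (start from all pairs related by ≈, clause 1 of Definition 3.26, and delete pairs that violate clauses 2 or 3 until nothing changes) and so decides S1 ↔_≈ S2 in the sense of Definition 3.28. States are constructed triples (P, N, D) in the style of bCANDLE system states, the equivalence is the context equivalence ≈_ND of Definition 3.29, and the transition systems, their labels, and the assumption that a terminated state √ (written `tick`) has no moves are all constructed for this example.

```python
"""Greatest strong ~-bisimulation over finite LTSs (added example)."""
from collections import defaultdict


class LTS:
    """Finite LTS (Sigma, sigma_I, L, ->) given as an initial state and a
    list of (source, label, target) transitions."""

    def __init__(self, initial, transitions):
        self.initial = initial
        self.trans = defaultdict(list)
        self.states = {initial}
        for src, label, dst in transitions:
            self.trans[src].append((label, dst))
            self.states.update((src, dst))

    def moves(self, state):
        return self.trans.get(state, [])


def _matched(a, lts_a, b, lts_b, rel):
    """Clause 2 of Definition 3.26 for the pair (a, b): every move
    a -l-> a' is answered by some b -l-> b' with (a', b') in rel."""
    return all(any(lab == label and (a2, b2) in rel for lab, b2 in lts_b.moves(b))
               for label, a2 in lts_a.moves(a))


def greatest_bisimulation(lts1, lts2, equiv):
    """Largest R in Sigma1 x Sigma2 satisfying clauses 1-3 of Definition 3.26
    for the state equivalence `equiv`.  Start from every equiv-related pair
    (clause 1) and delete pairs violating clause 2 or 3 (checked in both
    directions) until nothing changes; bisimulations are closed under
    union, so the fixpoint is the greatest one."""
    rel = {(a, b) for a in lts1.states for b in lts2.states if equiv(a, b)}
    changed = True
    while changed:
        changed = False
        flipped = {(b, a) for a, b in rel}
        for a, b in list(rel):
            if not (_matched(a, lts1, b, lts2, rel)
                    and _matched(b, lts2, a, lts1, flipped)):
                rel.discard((a, b))
                changed = True
    return rel


def bisimilar(lts1, lts2, equiv):
    """S1 <->_equiv S2 (Definition 3.28): the initial states are related by
    some, and hence by the greatest, equiv-bisimulation."""
    return (lts1.initial, lts2.initial) in greatest_bisimulation(lts1, lts2, equiv)


def context_equiv(s, t):
    """Context equivalence ~_ND (Definition 3.29): same network, same data."""
    return s[1] == t[1] and s[2] == t[2]


# Constructed states (process, network, data); network and data are opaque
# tokens here, since only their equality matters to ~_ND.
N, D = "k:idle", "x:undef"
# The pair discussed under law |.3: null | idle can still let time pass after
# its omega-step, whereas the terminated state tick is assumed to have no moves.
PAR_IDLE = LTS(("null|idle", N, D), [(("null|idle", N, D), "omega", ("idle", N, D)),
                                     (("idle", N, D), "delay", ("idle", N, D))])
NULL_ALONE = LTS(("null", N, D), [(("null", N, D), "omega", ("tick", N, D))])
# The same branching behaviour, once with a duplicated a-branch ...
SEQ = LTS(("P", N, D), [(("P", N, D), "a", ("P1", N, D)),
                        (("P1", N, D), "b", ("P2", N, D))])
SEQ_DUP = LTS(("Q", N, D), [(("Q", N, D), "a", ("Q1", N, D)), (("Q1", N, D), "b", ("Q2", N, D)),
                            (("Q", N, D), "a", ("Q3", N, D)), (("Q3", N, D), "b", ("Q4", N, D))])
# ... and once with a b-step that changes the data environment.
SEQ_DATA = LTS(("P", N, D), [(("P", N, D), "a", ("P1", N, D)),
                             (("P1", N, D), "b", ("P2", N, "x:1"))])
```

`SEQ` and `SEQ_DATA` have identical transition structure, so they are bisimilar under the trivial equivalence Σ × Σ but not under ≈_ND, which is exactly the effect of clause 1: two states with different contexts are never related. `PAR_IDLE` and `NULL_ALONE` differ only after the ω-step, where the idle state can delay and the terminated state cannot, so the initial pair is removed in the second pass of the refinement.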
Proposition 3.9 (Congruence) The relation +--+ between terms in Proc, is a 
congruence with respect to all process operators. 
+.1    P + Q = Q + P
+.2    P + (Q + R) = (P + Q) + R
+.3    P + P = P
+.4    P + idle = P
;.1    (P ; Q) ; R = P ; (Q ; R)
;.2    (P + Q) ; R = P ; R + Q ; R
;.3    idle ; P = idle
[>.1   idle [> P = P
[>.2   P [> idle = P
[>.3   (P [> Q) [> R = P [> (Q [> R)
|.1    P | Q = Q | P
|.2    P | (Q | R) = (P | Q) | R
|.3    P | idle = P   if P is persistent
rec.1  rec X.P = P[rec X.P / X]
rec.2  If P[Q/X] = Q and X is guarded in P then rec X.P = Q
Tab. 3.2: Equational laws
Proof The structured operational rules which define the semantics fall within
the Super-SOS format of [BV94]. The proof of the proposition then follows from
the fact that strong equivalence is a congruence with respect to any set of op-
erators defined by such a set of rules. □
3.6.4 Equational laws 
Our primary approach to verification is via graph-based exploration techniques 
such as model checking and reachability analysis, rather than by algebraic rea-
soning. However, we observe that many of the usual laws are satisfied. Table 3.2 
summarises the known laws for bCANDLE systems. Consideration of a frame-
work in which it is possible to derive a complete axiomatisation, and useful 
theorems such as an expansion theorem, is of interest but has been judged, so 
far, to be of secondary importance to the development of algorithmic analysis 
techniques. 
Notation. We write bCAN $\vdash P = Q$, if $P$ and $Q$ are equivalent modulo the
laws of Table 3.2.
Proposition 3.10 (Soundness) For all process terms $P, Q \in Proc$,
bCAN $\vdash P = Q \;\Rightarrow\;$ bCAN $\models P \leftrightarrow Q$
Proof The proof is a standard application of bisimulation. □
Notice that the law |.3 holds only for persistent systems, where a bCANDLE
system is regarded as persistent if it cannot reach a state of the form $(\surd, N, D)$.
For example, $(k!i.x ; idle, N, D)$ is persistent, whereas $(k!i.x, N, D)$ is not per-
sistent, for any $N$ and $D$.
Definition 3.32 (Persistent bCANDLE system)
A bCANDLE system $(P, N, D)$ is said to be persistent if there is no transition
sequence $(P, N, D) \rightarrow^{*} (\surd, N', D')$, for any network $N'$ and data environment
$D'$. A process term $P$ is said to be persistent if every bCANDLE system
$(P, N, D)$ is persistent. □
It is apparent that the law $P \mid idle = P$ does not hold unless $P$ is persistent.
Consider, for example, the systems $(null \mid idle, N, D)$ and $(null, N, D)$, for any
$N$ and $D$. The former has a transition $(null \mid idle, N, D) \rightarrow (idle, N, D)$ (by
Comp.1 and Par.2), while the latter has a transition $(null, N, D) \rightarrow (\surd, N, D)$
(by Comp.1). It is clear that $(idle, N, D) \not\leftrightarrow (\surd, N, D)$.
It is not difficult to see that for any non-persistent system (P, N, D), there 
is a persistent system (P', N, D) which has the same behaviour up to the point 
when P becomes ./ and which, thereafter, only allows the completion of network 
activity and the progress of time. For example, we can take P' to be either 
P ; idle or P I idle. 
From now on we assume that we are only dealing with persistent systems, 
unless stated otherwise. 
3.7 A simple example 
In this section the use of bCANDLE is illustrated by modelling the simple 
flow control system which was introduced in §1.1. The purpose of the system
is to maintain the flow of liquid through a pipe at a preset constant rate. 
Assume that the system is implemented using two distributed processors: one 
for reading the flow sensor, the other for adjusting the control valve. The 
processors are connected by a CAN bus operating at 1Mbit/sec. Figure 3.8 
shows a bCANDLE model of the system. It consists of two processes: Flow 
and Valve. 
Flow models a process which periodically reads a flow sensor and broadcasts 
its value in a flow message. It is assumed that the implementation requires 
between 85 and 90 μsecs to sample the flow sensor, condition the signal and
configure a CAN controller to transmit the flow message. A hardware timer, 
which implements the periodic behaviour of the process, interrupts at intervals 
of approximately 10 msecs. 
Valve models a process which repeatedly waits to receive a flow message, 
executes a control algorithm to calculate a new value for the valve position, 
and instructs an actuator to move the valve to its new position. It is assumed 
that it takes between 200 and 300 μsecs from receipt of a flow message to the
configuration of the valve actuator. 
The network section of the bCANDLE model gives the static attributes of 
the communication channel implemented by the CAN bus. Channel k models a 
CAN bus which transmits flow messages with a transmission latency of between 
43 and 53 μsecs from start of transmission to acceptance test, and a latency of
between 10 and 12 μsecs from acceptance test to bus idle.
Flow | Valve
where
  Flow  = [ReadSensor:85,90] ; k!flow.x ; idle
          [> [PERIOD:10000,10250] ; Flow
  Valve = k?flow.y ; [AdjustValve:200,300] ; Valve
network
  /* pri dlb dub dlB duB */
  k = (flow: 1, 43, 53, 10, 12)
data x, y
Fig. 3.8: Flow regulator in bCANDLE
The data section introduces the names of data variables used in the model. 
Initially, the values of all variables are undefined. Variable types, operation 
specifications and predicate definitions are assumed to be defined externally. 
Currently, a bCANDLE model can be explored using simulators implemented 
in either Prolog or C. Both simulators require the necessary data definitions to 
be provided in the host language. In this example, we abstract entirely from 
the effects of data by assuming that all variables are of type unit and all data 
operations leave the data state unchanged. The modelling of data is discussed 
in more detail in §6.3. 
Our Prolog simulator for bCANDLE is a direct implementation of the tran-
sition semantics. This approach allows the exploration of bCANDLE system 
models and also helps in gaining confidence in the operational semantics. A 
similar approach to the animation of the hardware description language VERILOG
[Gol96] has been proposed recently by Bowen [Bow99].
A (slightly modified) simulator trace of the flow regulator example is shown 
in Figure 3.9. The following conventions are adopted: 
• A system state is shown as a tuple (P, N) - the data component D is 
omitted since it is not of interest here. 
• The network component N shows only the dynamic attributes of the single 
channel k. 
• The unit value is written as 1. 
• Time delays are chosen arbitrarily from the allowable range of values. 
Exploration of a system model in this way can lead quickly to a good under-
standing of system behaviour. A more thorough exploration can be achieved 
by applying the model-checking techniques introduced in the next chapter. 
(Flow  | Valve,  k idle)                                              --90-->
(Flow1 | Valve,  k idle)                                              --ReadSensor-->
(Flow2 | Valve,  k idle)                                              --k!flow.1-->
(Flow3 | Valve,  flow.1 queued on k)                                  --[k starts transmitting flow.1]-->
(Flow3 | Valve,  k transmitting flow.1, acceptance test in [43,53])   --50-->
(Flow4 | Valve,  k transmitting flow.1, acceptance test in [0,3])     --[acceptance test of flow.1 on k]-->
(Flow4 | Valve,  flow.1 available for reception on k)                 --k?flow.1-->
(Flow4 | Valve1, flow.1 available for reception on k)                 --[k enters post-acceptance phase]-->
(Flow4 | Valve1, k completing flow.1, bus idle in [10,12])            --10-->
(Flow5 | Valve2, k completing flow.1, bus idle in [0,2])              --[k becomes idle]-->
(Flow5 | Valve2, k idle)                                              --200-->
(Flow6 | Valve3, k idle)                                              --AdjustValve-->
(Flow6 | Valve,  k idle)                                              --9700-->
(Flow7 | Valve,  k idle)                                              --PERIOD-->
(Flow  | Valve,  k idle)                                              --> ...
where the process identifiers are defined as follows:
Flow1  = [ReadSensor : 0,0] ; k!flow.x ; idle [> [PERIOD : 9910,10160] ; Flow
Flow2  = k!flow.x ; idle [> [PERIOD : 9910,10160] ; Flow
Flow3  = idle [> [PERIOD : 9910,10160] ; Flow
Flow4  = idle [> [PERIOD : 9860,10110] ; Flow
Flow5  = idle [> [PERIOD : 9850,10100] ; Flow
Flow6  = idle [> [PERIOD : 9650,9900] ; Flow
Flow7  = idle [> [PERIOD : 0,200] ; Flow
Valve1 = [AdjustValve : 200,300] ; Valve
Valve2 = [AdjustValve : 190,290] ; Valve
Valve3 = [AdjustValve : 0,90] ; Valve
Fig. 3.9: Simulator trace of the flow regulator example (the dynamic state of
channel k is described in words where the original symbols did not survive
extraction; the two unnamed network steps are shown in square brackets)
3.8 Conclusions and Related Work 
The language introduced in this chapter draws on ideas from a variety of sources, 
mainly in the field of process algebra. Our concern, however, has not been to 
develop a new process algebra but to design a language with a formal semantics, 
which is suitable for the pragmatic purpose of modelling a particular class of 
broadcasting embedded control systems, and which is amenable to analysis by 
model checking as discussed later in Chapters 4 and 5. Therefore, whenever 
we have had to choose between an intuitively 'natural' syntax or semantics, 
on the one hand, and truly satisfying algebraic properties, on the other hand, 
we have erred in favour of the former. The result is a practical modelling lan-
guage which accommodates prioritised, CAN-style communication over latent 
channels, has a dense time semantics, and is amenable to a variety of efficient 
analysis techniques, known from the study of timed automata. 
3.8.1 Broadcast communication and Real-Time 
The bCANDLE communication mechanism is an asynchronous broadcast of
messages with explicit transmission latency. These characteristics seem to be 
natural for the performance modelling of CAN-like systems. However, there 
appears to be no other formal language which combines all three properties in a 
single communication primitive. We provide a short review of those approaches 
which seem to come closest to providing what is required. 
An early recognition of the importance of broadcast communication is seen 
in [Geh84], which describes a number of programming examples in a CSP-like
language, extended with both unbuffered and buffered broadcast primitives. 
Some notion of the passing of time is offered by a delay construct, but com-
munication is instantaneous and the formal semantics of the language is not 
considered. The inadequacy of a point-to-point communication primitive for 
modelling broadcast networks is addressed in [CA91], where a proposal is made 
for the extension of the formal description technique Estelle [ISO88a] with prim-
itive broadcast channels. The synchronous programming languages, such as 
ESTEREL [BG92], Lustre [HLR92], Argos [Mar92] and Statecharts [Har87], of-
fer a broadcast primitive, but their reliance on the synchrony hypothesis makes 
them unsuitable for use in distributed systems. This problem is addressed 
in [BRS93], which envisages a distributed system as a collection of locally re-
active ESTEREL nodes communicating asynchronously with each other. How-
ever, the proposed asynchronous communication is the CSP rendezvous, not 
an asynchronous broadcast. Prasad has developed the Calculus of Broadcast-
ing Systems (CBS) [Pra95], which offers an asynchronous, unbuffered broadcast 
primitive. A timed version of the calculus is introduced in [Pra96]. His concerns 
are primarily with algebraic properties of the language, such as an expansion 
theorem and a complete axiomatisation, rather than with the development of 
an expressive language for modelling embedded systems. For this reason, there 
are some features of bCANDLE which would be difficult to capture in CBS, e.g., 
the interrupt operator and transmission latency. In his thesis [Hol94], Holmer
discusses the relationship of CBS and SCCS [Mil89] and gives a translation from 
CBS to SCCS. This opens the possibility of automated analysis of CBS mod-
els using the Concurrency Workbench [CPS93]; however, dense real-time is not 
addressed in this framework. A language which is closer to bCANDLE is the 
Timed Statechart language of [KP92], which offers an asynchronous broadcast 
primitive and an expressive, timed process language; however, broadcasts are 
instantaneous, so modelling of transmission latency requires the introduction 
of a process to capture the delay in each broadcast channel. A similar ap-
proach needs to be adopted to make use of the broadcast primitive introduced 
into Real-Time CSP in [DJS92]. The importance of broadcast communication 
as a primitive concept has been recognised again more recently in [EFM99], 
which addresses the model-checking problems for safety and liveness properties 
in broadcast protocols; once again, real-time issues are not considered. 
3.8.2 Process Operators 
Clearly, the process language of bCANDLE has been influenced by a number 
of other languages. Here, we briefly acknowledge our debts. 
The relative time-stamped actions, sequential composition and choice opera-
tors are as seen in ACP$_\rho$ [BB91], while our parallel composition is the standard,
asynchronous, interleaving operator. The interrupt operator has the same se-
mantics as the operator of ET-LOTOS, which allows time to pass in both argu-
ments, rather than the corresponding operator of Real-Time CSP, which allows
time to pass only in its left argument [BDS94]. This allows us to omit RT-
CSP's watchdog operator, at no cost to expressiveness. Our treatment of state,
particularly with respect to the modelling of asynchronous broadcast channels 
and the associated send and receive operations has been influenced by the work 
of Kesten and Pnueli [KP92]. 
4. ANALYSIS VIA TIMED AUTOMATA 
In this chapter we define a method for generating timed automata (TA) from 
bCANDLE system descriptions. The method described supports the auto-
matic construction of a TA which is equivalent, in a well-defined sense, to a 
given bCANDLE description. This introduces the possibility of using the pow-
erful verification techniques and tools, described in §2.7, for the analysis of 
bCANDLE systems. 
Translation from modelling languages to automata has been studied in 
a variety of settings. Early approaches were concerned with the family of 
synchronous programming languages which includes ESTEREL [BG92], Lus-
tre [HLR92] and Argos [JM95]. The problem has also been studied for the un-
timed process algebra LOTOS [Gar92] and for the timed languages ATP [Nic92, 
NSY92, Yov93], AORTA [BHKR95] and ET-LOTOS [Her98]. This is the first 
treatment which considers a language which combines latent broadcast commu-
nication with data and dense time. 
The organisation of the rest of the chapter is as follows. Section 4.1 gives an 
informal introduction to the objectives of the chapter using a simple example. 
In §4.2 we revise our system models to include explicit clock variables. This 
modification facilitates the construction of a TA for a bCANDLE description. 
The construction and its correctness are considered in §4.3. Section 4.4 pro-
vides the foundations for the practical implementation of the construction. The 
application of the method is demonstrated with an example in §4.5 and finally 
we present our conclusions in §4.6. 
4.1 A bCANDLE System and its Timed Automaton 
We can illustrate our objectives in this chapter with a modified version of the 
flow regulator example (§3.7). The example is curtailed in order to simplify the 
presentation. 
Consider the bCANDLE description shown in Figure 4.1. The example 
models a one-shot flow regulator, in which a single interaction occurs between 
a flow sensor and a valve controller. The system consists of two processes, Flow 
and Valve, and a broadcast channel k. The Flow process takes a single reading 
from a flow sensor. We abstract from the actual value read by the ReadSensor 
operation. Flow broadcasts the flow message on channel k and then idles 
forever. We assume that k can transmit only one type of message, namely 
flow messages, and that it does so within the bounds shown in its declaration 
in the network section. The Valve process waits to receive the flow reading 
from channel k. When the message is received, Valve executes its Adjust Valve 
Flow | Valve
where
  Flow  = [ReadSensor:85,90] ; k!flow.x ; idle
  Valve = k?flow.y ; [AdjustValve:200,300] ; idle
network
  /* pri dlb dub dlB duB */
  k = (flow: 1, 43, 53, 10, 12)
data x, y
Fig. 4.1: One-shot flow regulator in bCANDLE
operation and then also idles forever. 
An equivalent behaviour can be expressed using the TA of Figure 4.2. We 
recall from §2.5.4 that a TA is a tuple $A = (Q, q_I, \Lambda, \mathcal{H}, E, I)$ of locations,
initial location, action labels, clocks, edges and invariant function. The exam-
ple automaton has eleven locations, twelve edges and four clocks. The initial 
location is (0). The set of TA labels is the set comprising the network action 
labels and process action labels of the bCANDLE system. Now consider the 
behaviour of the TA. Clock H4 is active in location (0). It constrains the con-
trol in the automaton to reside in this location for not more than 90 time units. 
After 85 time units the ReadSensor transition can be taken. This captures 
the behaviour of [ReadSensor : 85,90] and is typical of the translation of a 
bCANDLE computation. The edge from location (1) to location (2) models 
the instantaneous queueing of the message flow on channel k. The urgency of 
the action is captured by the invariant condition H1 ≤ 0 attached to location
(1). Edges from (2) to (3) and from (3) to (4) represent the transmission of 
the message up to the point at which it is available for reception by waiting 
processes. Notice that clock H2 has been allocated to channel k and is used 
to capture all non-urgent timing constraints on the behaviour of this channel. 
The edge from (4) to (5) represents the reception of the message by the Valve 
process. Subsequent edges capture the possible interleavings of actions as the 
channel enters its post-acceptance phase and becomes free, while the Valve 
process completes its Adjust Valve operation. When control eventually reaches 
location (10), the system idles forever. 
It is not difficult to convince oneself that the TA describes the same system 
as the bCANDLE modeL Notice, however, that some of the edges in the TA 
are redundant. For example, the edge between locations (5) and (6) has a
guard, H3 ≥ 200, which can never be satisfied, since both H1 and H3 are reset
on entry to location (5), and the invariant at (5) requires H1 ≤ 0. Similarly,
the guard on the edge between locations (7) and (8) is unsatisfiable, since H2
and H3 must be 0 on entry to location (7). The inclusion of such redundant
edges does not compromise the equivalence between the TA and the bCANDLE 
[Figure 4.2 is an image that did not survive extraction. Only fragments of its
edge labels, each of the form guard / action / reset set, remain, e.g. "H3 ≥ 200,
AdjustValve, {H1}", "H2 ≥ 10, {H1}" and a reset set "{H1, H2}".]
Fig. 4.2: A timed automaton for the one-shot flow regulator
model, but the efficiency of automatic analysis procedures based on the TA may 
be degraded. This problem is addressed in Chapter 5. 
The purpose of the remainder of this chapter is to define a translation from 
bCANDLE models to their equivalent TA, and to show how the translation can 
be implemented efficiently. 
4.2 Models with explicit clocks 
Timed automata model the passing of time by using explicit clock variables. On 
the other hand, timed process algebra represent either absolute or relative time 
in the syntax of process terms, without the use of explicit clock variables. This 
is the case for bCANDLE. As a first step in the translation from bCANDLE to 
timed automata, explicit clock variables are introduced into bCANDLE models. 
The approach is similar to that adopted in the translation of ATP [Nic92]. 
As an example, look again at the one-shot flow regulator of Figure 4.1. Its 
TA is constructed on the assumption that the process term has been decorated 
with clock variables as follows:
  [ReadSensor : 85,90]H4 ; k!flow.x ; idle
  |
  k?flow.y ; [AdjustValve : 200,300]H3 ; idle
Similarly, it is assumed that the network channel k has been decorated with the 
clock variable H2. The clock H1 is reserved to enforce urgent actions, such as
k!i.x, which must be either executed or disabled without delay. Now, imagine
that time advances by 10 time units from the initial state, and consider the 
effect of this time passage on the term [ReadSensor : 85,90]. In an unclocked 
scenario, we expect to see this term evolve to [ReadSensor : 75,80]. However, 
when using explicit clock variables, we find that [ReadSensor : 85,90] remains 
unchanged but the value of clock H4 advances from 0 to 10. In this case,
a ReadSensor transition becomes enabled when the value of H4 reaches 85.
Network transitions are controlled similarly by clock H2. 
The remainder of this section formalises this idea by introducing the basic 
definitions of explicitly clocked bCANDLE models. Throughout, it is assumed
that $\mathcal{H}$ is the set of clock variables and $h$ ranges over $\mathcal{H}$.
4.2.1 Clocked Networks 
In the case of the network model, each network channel is simply associated with 
a clock variable which is used to measure the passage of time during message 
transmission. 
Let K be a finite set of channel identifiers and I a finite set of message 
identifiers. 
Definition 4.1 (Clocked Network) A clocked network over $K$ and $I$ is a
mapping $N : K \to Channel_I \times \mathcal{H}$. The set of clocked networks over $K$ and $I$ is
denoted $\widehat{Network}_{K,I}$, where $\widehat{Network}_{K,I} \triangleq K \to Channel_I \times \mathcal{H}$. □
Remark 4.1 Recall that the constants occurring in the clock constraints of
the invariant function and edges of a TA are required to be natural num-
bers (§2.5.3). Therefore, it is necessary to restrict attention to clocked networks
in which the transmission latency function of every channel is defined by a func-
tion $\vartheta : M \to \mathbb{N}_\infty \times \mathbb{N}_\infty \times \mathbb{N}_\infty \times \mathbb{N}_\infty$, where $\mathbb{N}_\infty \triangleq \mathbb{N} \cup \{\infty\}$ (cf. Definition 3.4).
We require that all clocked networks $N \in \widehat{Network}$ satisfy this constraint. □
Notation. Let $N$ be a clocked network and $N_k = (\eta, h)$. The notation $\eta^h$ is
used as an abbreviation for $(\eta, h)$. In fact, we sometimes omit the clock variable
entirely when we do not intend to refer to it in some context, and simply write
$N_k = \eta$.
Definition 4.2 (Clock Variables: Network) Let $K$ be a set of channel iden-
tifiers. The clock variables used in a clocked network are given by the function
□
Definition 4.3 (Unclocked Network) The unclocked network correspond-
ing to a clocked network is given by the function $unclk : \widehat{Network}_{K,I} \to Network_{K,I}$,
where $unclk(N) \triangleq \{\, k \mapsto \eta \mid k \in K \wedge N_k = (\eta, \_) \,\}$. □
4.2.2 Clocked Process Terms 
In defining the set of clocked process terms, we also introduce a number of 
syntactic restrictions which ensure that a TA can be constructed in a straight-
forward manner: 
1. Constants $t_1, t_2$ in time-bounded computations $[w : t_1, t_2]$ are required
to be natural numbers. This is for similar reasons to those discussed in
Remark 4.1.
2. The use of the parallel operator is restricted to the top-level. This restric-
tion simplifies the implementation of the TA translation. 
3. All terms are required to have static control. This is discussed in more 
detail below. 
In practice, these restrictions do not severely curtail the models which can be 
expressed. In fact, we will see that the high-level language CANDLE allows the 
expression of a wide variety of systems, and yet all CANDLE programs can be 
translated into bCANDLE models which satisfy these syntactic constraints. 
The first two restrictions are captured in the following definition of clocked 
process terms. 
Definition 4.4 (Clocked Process Terms) The set of clocked process terms,
$\widehat{Proc}^{+}$, over $K$, $I$, $Var$, $\Omega$ and $\Gamma$ is defined inductively by:
  P ::= Q
      | P | P
  Q ::= k!i.x | k?i.x | [w : t1, t2]h | γ → Q
      | Q ; Q | Q + Q | Q [> Q
      | rec X.Q | X
where $\mathcal{H}$ is a set of clocks, $h \in \mathcal{H}$, $t_1, t_2 \in \mathbb{N}_\infty$, $P$ ranges over $\widehat{Proc}^{+}$, $Q$ ranges
over the terms in $\widehat{Proc}^{+}$ except those containing the parallel operator, and the
other variables are defined as usual (Definition 3.16). □
In keeping with our previous convention, we use the variables $\beta, \beta', \beta_1$ etc. to
range over the clocked basic terms, which are of the form $k!i.x$, $k?i.x$ and
$[w : t_1, t_2]h$.
The definitions over the structure of terms given in §3.5 are easily extended
to clocked terms, and we shall refer to closed and guarded clocked process terms
without further explanation. The set of closed, guarded, clocked process terms
is denoted $\widehat{Proc}$.
Static control 
There are some bCANDLE systems which cannot be represented by any finite 
TA. For example, consider a system (P,N,D) E bCAN where the process P is 
defined as 
  P ≜ rec X.(([a : 0] ; X) [> ([b : 0] ; idle)).
This can give rise to an unbounded expansion
  ((rec X.(([a : 0] ; X) [> ([b : 0] ; idle)) [> [b : 0] ; idle) [> [b : 0] ; idle) [> ... [> [b : 0] ; idle
by repeatedly unwinding the recursion. In the general case, an infinite number 
of locations are required in a TA generated by the translation of systems contain-
ing an unbounded expansion of this sort. Similar difficulties can be seen with 
recursion involving parallel and sequential composition. Clearly, such terms 
should be excluded from consideration when proposing a translation scheme to 
finite TA. 
Although it is difficult to provide a precise characterisation of the offending
terms, it is possible to identify a larger set which clearly contains all non-finite
cases; we call this the set of terms which compromise static control. Roughly
speaking, a term compromises static control if it contains a recursion through
the parallel operator | or to the left of the sequential composition or interrupt
operators, ; and [>. This idea is stated formally in the following definition:
Definition 4.5 (Static control) A term $P \in Proc$ compromises static con-
trol if $P$ is of the form $rec\,X.P_1$ and any of the following conditions hold:
1. $P_1$ contains a sub-term of the form $Q \mid R$ and $X \in fv(Q) \cup fv(R)$;
2. $P_1$ contains a sub-term of the form $Q ; R$ and $X \in fv(Q)$;
3. $P_1$ contains a sub-term of the form $Q \mathrel{[>} R$ and $X \in fv(Q)$.
A term $P \in Proc$ has static control iff $P$ does not contain any term which com-
promises static control. A bCANDLE system $(P, N, D) \in$ bCAN has static
control iff $P$ has static control. □
This definition is extended naturally to clocked process terms. However, notice 
that by restricting the use of the parallel operator to the top-level in clocked 
terms, there is no possibility of static control being compromised by a clocked 
term satisfying condition (1). The benefits of restricting attention to systems 
having static control can be summarised as follows [Gar92]: 
• A finite TA can be constructed for systems with static control. 
• The property of static control is decidable using a simple and efficient 
algorithm. 
• It is easy for the system developer to understand the constraint and to 
develop models which satisfy it. 
• TA construction for systems with static control can be implemented effi-
ciently. 
• Most systems of practical interest can be modelled within the required 
constraint. 
Unless stated otherwise, we assume from now on that clocked process terms 
have static control. 
Operations on clocked process terms 
There are a number of operations on the syntax of clocked terms which are
useful. The functions clk, iclk and unclk are defined below.
Definition 4.6 (Clock Variables) The clock variables of a clocked process
term are identified by the function $clk : \widehat{Proc}^{+} \to 2^{\mathcal{H}}$, defined as the least set
satisfying:
  clk([w : t1, t2]h) = {h}
  clk(k!i.x) = clk(k?i.x) = clk(X) = ∅
  clk(γ → P1) = clk(P1)
  clk(P1 ⋈ P2) = clk(P1) ∪ clk(P2),   ⋈ ∈ {;, +, [>, |}
  clk(rec X.P1) = clk(P1)
□
Definition 4.7 (Initial Clock Variables) The initial clock variables of a
clocked process term, $P$, are identified by the function $iclk : \widehat{Proc}^{+} \to 2^{\mathcal{H}}$,
defined as the least set satisfying:
  iclk([w : t1, t2]h) = {h}
  iclk(k!i.x) = iclk(k?i.x) = ∅
  iclk(γ → P1) = ∅
  iclk(P1 ; P2) = iclk(P1)
  iclk(P1 ⋈ P2) = iclk(P1) ∪ iclk(P2),   ⋈ ∈ {+, [>, |}
  iclk(rec X.P1) = iclk(P1[rec X.P1 / X])
where iclk(P) is well defined iff P is guarded. □
Definition 4.8 (Unclocked process term) The unclocked process term cor-
responding to a clocked process term is given by the function $unclk : \widehat{Proc}^{+} \to
Proc^{+}$, where unclk(P) is defined by:
  unclk(k!i.x) = k!i.x
  unclk(k?i.x) = k?i.x
  unclk([w : t1, t2]h) = [w : t1, t2]
  unclk(γ → P1) = γ → unclk(P1)
  unclk(P1 ⋈ P2) = unclk(P1) ⋈ unclk(P2),   ⋈ ∈ {;, +, [>, |}
  unclk(rec X.P1) = rec X.unclk(P1)
  unclk(X) = X
These operations are illustrated in the following small example.
Example 4.1 Let P be the clocked process term defined by
  P ≜ rec X.([Init : t1]H1 ; k?flow.x ; [TestFlow : t2]H2 ;
             (FlowOk → [Delay : t3]H3 + FlowHigh → k!alarm.x ; idle) ; X)
Then clk(P) gives the set of all clock variables used in P, i.e. clk(P) =
{H1, H2, H3}. The set iclk(P) = {H1} gives the set of clocks which can influ-
ence the initial behaviour of P. Finally, the unclocked term unclk(P) is just P
with all clock variables removed:
  unclk(P) = rec X.([Init : t1] ; k?flow.x ; [TestFlow : t2] ;
                    (FlowOk → [Delay : t3] + FlowHigh → k!alarm.x ; idle) ; X)
□
4.2.3 Safe Clock Allocations 
So far, we have imposed no constraints on how clocks can be allocated to 
process terms and networks. Efficiency suggests that we should use as few 
clock variables as possible. However, it is clear that some clock allocations will 
cause problems. For example, consider the clocked term 
  [ReadSensor : 10]H1 ; [LogData : 20]H1 ; idle | [ComputeSetPoint : 15]H1 ; idle.
The ReadSensor transition should reset H1 so that it can be used to mea-
sure the progress of LogData. On the other hand, if ReadSensor resets H1,
then the passage of time for the ComputeSetPoint computation will not be
measured properly: the reset of H1 at time 10 will delay the execution of
ComputeSetPoint until time 25, which is clearly not the intended behaviour.
Similar difficulties can be observed with clock allocations to network channels. 
The problem exists when two or more system components share the use of a 
clock variable but do not agree on the instants when it should be reset. In this 
case, we say that the system exhibits clock (variable) contention, otherwise it 
is said to be contention free. 
In the absence of recursion, we can be sure that a system can never evolve 
to one which exhibits clock contention if the sets of clock variables allocated to 
process terms involved in an interrupt or parallel composition are disjoint, and 
each network channel also has its own distinct clock variable. However, with 
recursion, even this restriction is not enough to remove the possibility of clock 
contention. 
Example 4.2 Consider the term
  P ≜ rec X.[a : 2]H1 ; ([b : 1]H1 ; [c : 2]H1 [> X).
Ignoring network and data environment, we see that P can evolve by the passage
of two units of time, and the execution of an a-action, to the term
  [b : 1]H1 ; [c : 2]H1 [> (rec X.[a : 2]H1 ; ([b : 1]H1 ; [c : 2]H1 [> X)).
Now, when the b-action is executed after the passage of one further time unit,
we see the problem of clock variable contention. On the one hand, clock H1
should be reset in order to begin timing the computation [c : 2]H1, but, on the
other hand, H1 must not be reset since it is currently required in timing the
computation [a : 2]H1. □
This example prompts us to introduce one final restriction on the syntax of 
process terms, namely, that in any term of the form PI [> P2, the term P2 must 
be guarded. 
These ideas are summarised by the notion of a safely clocked process term. 
Definition 4.9 (Safely clocked process term) A clocked process term P is said to be safely clocked iff all sub-terms P' of P satisfy

1. if P' is of the form P1 [> P2, then P2 is guarded, and the initial clock variables of P2 do not occur in the clock variables of P1, i.e. clk(P1) ∩ iclk(P2) = ∅, and

2. if P' is of the form P1 | P2, then the clock variables of P1 and P2 are disjoint, i.e. clk(P1) ∩ clk(P2) = ∅. □
Clearly, if P is a safely clocked process term, then P is contention free. 
For the sake of completeness, the formal definition of a safely clocked network 
is given as follows. 
Definition 4.10 (Safely clocked network) A clocked network N ∈ Network_ℋ is said to be safely clocked if each channel is associated with a distinct clock variable, i.e. if

∀ k, k' ∈ K | k ≠ k' . N_k = (_, h) ∧ N_{k'} = (_, h') ⟹ h ≠ h'. □
It can be shown that the edge relation of a TA constructed by the method of §4.3 preserves the safety of clock allocation, i.e. if a location q is safely clocked and there are ψ1, ..., ψn, λ1, ..., λn and H1, ..., Hn (n ≥ 0) such that $q = q_0 \xrightarrow{\psi_1, \lambda_1, H_1} q_1 \cdots \xrightarrow{\psi_n, \lambda_n, H_n} q_n = q'$, then q' is safely clocked. The property of static control is essential for the proof, which is a long but straightforward induction and is omitted. An obvious corollary is that if the initial location is safely clocked, then all reachable locations are contention free.
The requirement of safe clock allocation is stronger than strictly necessary 
to ensure that the sort of problems mentioned above are avoided. However, 
it is a simple property which can be checked statically, and will be enforced 
throughout, unless its relaxation is explicitly stated and justified. 
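Because safe clocking is a syntactic property, it can be checked mechanically over a term's syntax tree before any automaton is built. The following Python is an added illustration, not code from the thesis: the Term representation and constructor names, the treatment of idle as a clock-free basic action, the definition iclk(P1 ; P2) = iclk(P1) (every basic term performs an action before it terminates), and the reading of "guarded" as "every process-variable occurrence lies under an action prefix, a data guard alone not counting" are assumptions of this example. It reports the violations for Example 4.2 and for the ReadSensor/ComputeSetPoint term above, and accepts a watchdog term of the kind used later in §4.4.

```python
"""Static check of Definition 4.9 (safely clocked process term).

Added illustration, not code from the thesis.  Assumed here: the Term
representation and constructor names, `idle` as a clock-free basic action,
iclk of P1 ; P2 = iclk(P1) (every basic term acts before terminating), and
guardedness meaning that every process-variable occurrence lies under an
action prefix (a data guard alone does not count)."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Term:
    op: str                        # basic | seq | choice | interrupt | par | guard | rec | var
    args: Tuple["Term", ...] = ()  # sub-terms
    label: str = ""                # action label, guard predicate or process variable
    clock: Optional[str] = None    # clock h of a computation [w : t1, t2]^h


def comp(w, h):       return Term("basic", label=w, clock=h)   # [w : t1, t2]^h
def act(a):           return Term("basic", label=a)            # k!i.x, k?i.x, idle
def seq(*ts):         return ts[0] if len(ts) == 1 else Term("seq", (ts[0], seq(*ts[1:])))
def choice(p, q):     return Term("choice", (p, q))
def interrupt(p, q):  return Term("interrupt", (p, q))         # P1 [> P2
def par(p, q):        return Term("par", (p, q))
def guard(g, p):      return Term("guard", (p,), label=g)      # g -> P
def rec(x, p):        return Term("rec", (p,), label=x)
def var(x):           return Term("var", label=x)


def clk(t):
    """All clock variables occurring in t."""
    own = {t.clock} if t.clock else set()
    return own.union(*(clk(s) for s in t.args))


def iclk(t):
    """Clocks that can influence the initial behaviour of t."""
    if t.op in ("basic", "var"):
        return {t.clock} if t.clock else set()
    if t.op == "seq":
        return iclk(t.args[0])
    return set().union(*(iclk(s) for s in t.args))


def guarded(t):
    """True iff every process-variable occurrence is preceded by an action."""
    if t.op == "var":
        return False
    if t.op == "basic":
        return True
    if t.op == "seq":
        return guarded(t.args[0])      # an action prefix guards the continuation
    return all(guarded(s) for s in t.args)


def violations(t, path="P"):
    """Sub-terms breaking Definition 4.9; an empty list means safely clocked."""
    found = []
    if t.op == "interrupt":
        p1, p2 = t.args
        if not guarded(p2):
            found.append(f"{path}: right-hand side of [> is unguarded")
        if clk(p1) & iclk(p2):
            found.append(f"{path}: clocks {sorted(clk(p1) & iclk(p2))} of P1 are initial clocks of P2")
    if t.op == "par":
        shared = clk(t.args[0]) & clk(t.args[1])
        if shared:
            found.append(f"{path}: clocks {sorted(shared)} shared across |")
    for i, s in enumerate(t.args):
        found += violations(s, f"{path}.{i}")
    return found


def safely_clocked(t):
    return not violations(t)


# Example 4.2: rec X.[a : 2]^H1 ; ([b : 1]^H1 ; [c : 2]^H1 [> X)
EX_4_2 = rec("X", seq(comp("a", "H1"),
                      interrupt(seq(comp("b", "H1"), comp("c", "H1")), var("X"))))

# The parallel term of this section, with the contended clock H1 and then repaired
CONTENDED = par(seq(comp("ReadSensor", "H1"), comp("LogData", "H1"), act("idle")),
                seq(comp("ComputeSetPoint", "H1"), act("idle")))
REPAIRED = par(seq(comp("ReadSensor", "H1"), comp("LogData", "H1"), act("idle")),
               seq(comp("ComputeSetPoint", "H2"), act("idle")))

# A watchdog: k?flow.y ; [AdjustValve : 200, 300]^H1 [> [450, 500]^H2 ; idle
WATCHDOG = interrupt(seq(act("k?flow.y"), comp("AdjustValve", "H1")),
                     seq(comp("Timeout", "H2"), act("idle")))

if __name__ == "__main__":
    for name, t in [("Example 4.2", EX_4_2), ("contended", CONTENDED),
                    ("repaired", REPAIRED), ("watchdog", WATCHDOG)]:
        print(f"{name}: {violations(t) or 'safely clocked'}")
```

The check is static, as the text requires: Example 4.2 is rejected because the right-hand side of [> is the bare variable X, without the recursion ever being unfolded, and the contended parallel term is rejected because H1 occurs on both sides of |. Renaming the clock on one side (REPAIRED) is enough to make it safely clocked.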
4.2.4 Clocked bCANDLE systems 
The definitions are extended to bCANDLE systems in an obvious way. 
Definition 4.11 (Clocked bCANDLE systems) The set bCAN_ℋ of clocked bCANDLE systems is the set of triples (P, N, D) where P is a safely clocked process term with static control, N is a safely clocked network in Network_ℋ, D is a data environment in DataEnv, and the following conditions are satisfied:

• the sets of process and network clocks are disjoint, i.e. clk(P) ∩ clk(N) = ∅;
• the corresponding unclocked system (unclk(P), unclk(N), D) is a bCANDLE system in bCAN. □

Definition 4.12 (Clock Variables: bCANDLE system) The clock variables of a bCANDLE system B ∈ bCAN_ℋ are identified by the function clk : bCAN_ℋ → 2^ℋ, where clk(P, N, D) ≜ clk(P) ∪ clk(N). □

Definition 4.13 (Unclocked bCANDLE system) The unclocked bCANDLE system corresponding to a clocked bCANDLE system is given by the function unclk : bCAN_ℋ → bCAN, where unclk(P, N, D) ≜ (unclk(P), unclk(N), D). □
4.3 Timed Automaton Construction 
4.3.1 Principles of construction 
The TA for a clocked bCANDLE system B ∈ bCAN_ℋ has some subset of bCAN_ℋ as its set of locations with B as the initial location. The set ℋ of clocks comprises the set clk(B) of clocks occurring in B, together with a distinct urgent clock h_u ∉ clk(B), used in enforcing immediate actions. The set A of actions contains the sets of process and network actions A_p ∪ A_n. The definition of the construction of the edges of the TA closely follows the standard semantic rules for the corresponding unclocked system (§3.6). For each rule in the semantics which justifies a transition labelled with a discrete action, there is a corresponding rule which introduces an edge in the automaton. Similarly, the rules which justify the time transitions are captured by the definition of the invariant function I. This style of presentation, adopted also in [Nic92, DB96], emphasises the relationship between the semantics of a system model and its associated TA.
4.3.2 Construction of the automaton 
We begin by explaining the notion of structurally reachable location which is a 
useful auxiliary concept in the definition of the TA construction. 
A location q is structurally reachable if there is a sequence of edges from the initial location q^I to q, i.e. there are ψ1, ..., ψn, λ1, ..., λn and H1, ..., Hn (n ≥ 0) such that $q^I = q_0 \xrightarrow{\psi_1, \lambda_1, H_1} q_1 \cdots \xrightarrow{\psi_n, \lambda_n, H_n} q_n = q$. The structurally reachable part of an automaton A is the automaton sreach(A) which is given by the restriction to structurally reachable locations. We use the term "structural reachability" for this concept since it is based on the structure of an automaton as a directed graph, and is different from the usual concept of reachability in the transition system of the automaton (see Definitions 2.5 and 2.11).
Definition 4.14 Let A = (Q, q^I, A, ℋ, E, I) be an automaton. Then, the structurally reachable part of A is denoted sreach(A) and is defined to be the automaton (Q', q^I, A, ℋ, E', I'), where

• Q' is the least set satisfying
  1. q^I ∈ Q'
  2. if q ∈ Q' and (q, _, _, _, q') ∈ E then q' ∈ Q'
  and
• E' = E ∩ (Q' × Ψ_ℋ × A × 2^ℋ × Q')
• I' = I ∩ (Q' × Ψ_ℋ) □
Remark 4.2 For any TA A, it is clear that the transition systems of A and 
sreach(A) are strongly equivalent. 
Now, we can formally define the construction of a TA corresponding to a 
bCANDLE system. 
Definition 4.15 (Timed automaton construction) The timed automaton for a clocked bCANDLE system B ∈ bCAN_ℋ is denoted 𝒢(B), where 𝒢(B) ≜ sreach(𝒢⁺(B)) and 𝒢⁺(B) is the automaton (Q, q^I, A, ℋ, E, I), where

• Q = bCAN_ℋ is the set of locations.
• q^I = B is the initial location.
• A = A_p ∪ A_n is the set of action labels.
• ℋ = clk(B) ∪ {h_u} is the set of clock variables, where h_u ∉ clk(B).
• E is the least set of edges which is closed under the rules of figures 4.3, 4.4, 4.5 and 4.6. The rules make use of generic labels λ_p, λ_n and λ, where λ_p ranges over A_p, λ_n ranges over A_n and λ ranges over A.
• I : Q → Ψ_ℋ is the invariant function as defined in Definition 4.16. □

Fig. 4.3: Rules for Network Edges

Definition 4.16 (Invariant Function) Let ℋ be a set of clock variables and let B ∈ bCAN_ℋ be a clocked bCANDLE system, where clk(B) ∪ {h_u} ⊆ ℋ. The invariant function, I : bCAN_ℋ → Ψ_ℋ, is as defined in Figure 4.7. □
4.3.3 Commentary on the construction 
The translation of a bCANDLE system to its associated TA is straightforward 
for the most part. However, there are some aspects which require clarification. 
These concern the treatment of data and the enforcement of urgent transitions. 
These points are considered below. 
Treatment of Data 
E_Snd.1   \frac{N_k = (s, u) \;\land\; v = D.x}{(k!i.x, N, D) \xrightarrow{tt,\; k!i.v,\; \{h_u\}} (\checkmark, N[k := (s, u \leftarrow_p i.v)], D)}

E_Snd.2   \frac{N \xrightarrow{\psi, \lambda, H} N'}{(k!i.x, N, D) \xrightarrow{\psi, \lambda, H} (k!i.x, N', D)}

E_Rcv.1   \frac{N_k = (t\, i.v, \_)}{(k?i.x, N, D) \xrightarrow{tt,\; k?i.v,\; \{h_u\}} (\checkmark, N, D[x := v])}

Fig. 4.4: Rules for Basic System Edges

The TA constructed by the method described here are exactly the timed safety automata (TSA) defined in [HNSY94]. These automata have been studied extensively and can be analysed automatically using tools such as KRONOS [BDM+98]. The choice of TSA as the target of the translation from bCANDLE directs the translation process in a number of ways. In the treatment of data, it requires that each distinct reachable data environment gives rise to at least one distinct location in the corresponding TA. Very often, this leads to the creation of a TA with a large number of locations. Other approaches
which accommodate explicit data in TA models have avoided this problem by 
working with extended automata; the usual extension being to allow the use 
of conditions over data variables on edges, in addition to conditions over clock 
variables, see for example [Tri98, Her98, BLL+98, BLSTV99]. A single location
may then represent many control states, each having a different data environ-
ment. If the user is expected to create a system model explicitly as a network of 
TA, then the handling of data is done most sensibly using extended automata 
of this sort. Certainly, one would not wish to construct by hand the automata 
which are created by our method. However the situation is not so clear when 
creating automata automatically from some other input language, as is the case 
here for bCANDLE. For although the construction may give rise to many more 
locations in the TA than a construction for extended automata, it does not lead 
to an increase in the number of states in the simulation graph (§2.7.6), which 
is the primary structure over which most analyses are performed and whose 
size is their main constraining factor. This point will be considered further in 
Chapter 5. 
Urgent transitions 
There are several operations in bCANDLE which must either be executed or disabled without delay; such operations are called urgent. The urgent operations of the process component of a bCANDLE model are

• all send operations, k!i.x,
• data guarded operations, γ → P, when the guard γ is satisfied, and
• computations for which the upper bound is 0, i.e. computations of the form [w : 0, 0].

E_Ch.1   \frac{(P, N, D) \xrightarrow{\psi, \lambda, H} (P', N', D')}{(P + Q, N, D) \xrightarrow{\psi, \lambda, H} (P', N', D')}

E_Ch.2   \frac{(Q, N, D) \xrightarrow{\psi, \lambda, H} (Q', N', D')}{(P + Q, N, D) \xrightarrow{\psi, \lambda, H} (Q', N', D')}

E_Ch.3   \frac{(P, N, D) \xrightarrow{\psi, \lambda, H} (P, N', D) \;\land\; (Q, N, D) \xrightarrow{\psi, \lambda, H} (Q, N', D)}{(P + Q, N, D) \xrightarrow{\psi, \lambda, H} (P + Q, N', D)}

E_Rec   \frac{(P[\mathrm{rec}\, X.P / X], N, D) \xrightarrow{\psi, \lambda, H} (P', N', D')}{(\mathrm{rec}\, X.P, N, D) \xrightarrow{\psi, \lambda, H} (P', N', D')}

Fig. 4.5: Rules for Guard, Sequential Composition, Choice and Recursion Edges
The urgent network operations are

• the commencement of the transmission of the highest priority pending message when a channel is free and its message queue is not empty, i.e. transitions of the form k ↝ m, and
• the commencement of the post-acceptance phase of message transmission, i.e. transitions of the form m ↝_k.

The urgency of these operations is enforced in a TA by using a single distinct clock variable h_u, which is reset on every edge and which is used in the invariant h_u ≤ 0, attached to all locations in which an urgent transition is enabled. Notice that the clock guard on all urgent transitions is tt.
E_Int.1   \frac{(P, N, D) \xrightarrow{\psi, \lambda, H} (P', N', D') \;\land\; P' \neq \checkmark}{(P \,[>\, Q, N, D) \xrightarrow{\psi, \lambda, H} (P' \,[>\, Q, N', D')}

E_Int.2   \frac{(P, N, D) \xrightarrow{\psi, \lambda, H} (\checkmark, N', D')}{(P \,[>\, Q, N, D) \xrightarrow{\psi, \lambda, H} (\checkmark, N', D')}

E_Int.3   \frac{(Q, N, D) \xrightarrow{\psi, \lambda, H} (Q', N', D')}{(P \,[>\, Q, N, D) \xrightarrow{\psi, \lambda, H} (Q', N', D')}

E_Int.4   \frac{(P, N, D) \xrightarrow{\psi, \lambda, H} (P, N', D) \;\land\; (Q, N, D) \xrightarrow{\psi, \lambda, H} (Q, N', D)}{(P \,[>\, Q, N, D) \xrightarrow{\psi, \lambda, H} (P \,[>\, Q, N', D)}

E_Par.1   \frac{(P, N, D) \xrightarrow{\psi, \lambda, H} (P', N', D') \;\land\; P' \neq \checkmark}{(P \mid Q, N, D) \xrightarrow{\psi, \lambda, H} (P' \mid Q, N', D')}

E_Par.2   \frac{(P, N, D) \xrightarrow{\psi, \lambda, H} (\checkmark, N', D')}{(P \mid Q, N, D) \xrightarrow{\psi, \lambda, H} (Q, N', D')}

E_Par.3   \frac{(Q, N, D) \xrightarrow{\psi, \lambda, H} (Q', N', D') \;\land\; Q' \neq \checkmark}{(P \mid Q, N, D) \xrightarrow{\psi, \lambda, H} (P \mid Q', N', D')}

E_Par.4   \frac{(Q, N, D) \xrightarrow{\psi, \lambda, H} (\checkmark, N', D')}{(P \mid Q, N, D) \xrightarrow{\psi, \lambda, H} (P, N', D')}

E_Par.5   \frac{(P, N, D) \xrightarrow{\psi, \lambda, H} (P, N', D) \;\land\; (Q, N, D) \xrightarrow{\psi, \lambda, H} (Q, N', D)}{(P \mid Q, N, D) \xrightarrow{\psi, \lambda, H} (P \mid Q, N', D)}

Fig. 4.6: Rules for Interrupt and Parallel Composition Edges
Proposition 4.1 Let B ∈ bCAN_ℋ be a clocked bCANDLE system and 𝒢(B) = (Q, q^I, A, ℋ, E, I) the TA constructed from B according to Definition 4.15. Then, for any edge e = (q, ψ, λ, H, q') ∈ E, the urgent clock is reset by e, i.e. h_u ∈ H.

Proof Induction on the depth of the inference justifying the existence of the edge. Intuitively, one can see that h_u is reset by every basic process and network edge and that the resets are propagated by all process operators. □
4.3.4 Correctness of the construction

I(P, N, D) \triangleq I(P, D) \land I(N)
I(k!i.x, D) \triangleq h_u \le 0
I(k?i.x, D) \triangleq tt
I([w : t_1, t_2]^h, D) \triangleq \text{if } t_2 \in \mathbb{N} \text{ then } h \le t_2 \text{ else } tt
I(\gamma \to P, D) \triangleq \text{if } D \models \gamma \text{ then } h_u \le 0 \text{ else } tt
I(P_1 ; P_2, D) \triangleq I(P_1, D)
I(P_1 \otimes P_2, D) \triangleq I(P_1, D) \land I(P_2, D) \qquad \otimes \in \{+, [>, \mid\}
I(\mathrm{rec}\, X.P, D) \triangleq I(P[\mathrm{rec}\, X.P / X], D)
I(N) \triangleq \bigwedge_{k \in K} I(N_k)
I(s, \langle\rangle)^h \triangleq tt
I(s, m : u)^h \triangleq h_u \le 0
I(\leadsto_{t_1, t_2} m, u)^h \triangleq \text{if } t_2 \in \mathbb{N} \text{ then } h \le t_2 \text{ else } tt
I(t\, m, u)^h \triangleq h_u \le 0
I(m \leadsto_{t_1, t_2}, u)^h \triangleq \text{if } t_2 \in \mathbb{N} \text{ then } h \le t_2 \text{ else } tt

Fig. 4.7: Invariant function I : bCAN_ℋ → Ψ_ℋ

The TA generated from a bCANDLE system model yields a transition system which is strongly equivalent to that given by the standard bCANDLE semantics. Therefore, we can be confident that conclusions reached by analysing the TA are valid for the system model. We state the equivalence formally below but relegate the details of the proof to Appendix B.
Proposition 4.2 Let B̂ ∈ bCAN_ℋ be a clocked bCANDLE system and B ≜ unclk(B̂) the corresponding unclocked system. Let 𝒢(B̂) be the TA given by Definition 4.15. Then, the transition systems of 𝒢(B̂) and B are strongly equivalent:

T[𝒢(B̂)] ↔ T[B]

Proof Appendix B. □
4.4 Implementation of the construction 
Although §4.3.2 gives a precise description of the TA which corresponds to a 
bCANDLE system, it does not give a practical method for constructing it. 
A significant difficulty, in practice, concerns the size of the representation of locations (P̂, N̂, D) ∈ bCAN_ℋ. In particular, the representation of the control component P̂ by an algebraic term results in implementations which are extremely inefficient in their use of computer memory. Moreover, a construction of the TA based upon repeated construction and/or comparison of the TA of the sub-systems is not time-efficient.
Similar problems have been observed by Garavel in the translation of LO-
TOS [Gar92], and by Yovine in the translation of ATP [Yov93]. We adapt their 
solutions to our system models, in developing an approach which accommodates 
both explicit data values and dense real-time. In this approach, the translation 
of a system model into a TA is performed in two stages: 
• in the first stage, a compact, intermediate form, similar to a Petri net [Mur89], 
is constructed for the system model; 
• in the second stage, the TA itself is constructed efficiently using the net 
built in the first stage. 
The main advantage of using a net as an intermediate representation is that 
it is then possible to represent the control component of a system state by a 
marking of the net. This representation is likely to be much more compact 
than the abstract syntax tree of the corresponding process term, and it leads 
to algorithms with a reduced need to manipulate sub-terms. 
The remainder of this section is concerned with the development of an effi-
cient method for constructing the TA of a bCANDLE system B, i.e. with the 
construction of 9 (B). 
4.4.1 Nets 
Introduction 
The nets which are used in this work are not strictly Petri nets but are close to the extended nets of [Yov93]. As usual, a net cons ists of a set of places and a set of transitions; the convention used here is to denote a set of places by W, W', W_1 etc. and a set of transitions by Θ, Θ', Θ_1 etc. Two main extensions are introduced.

1. Each transition has an associated attribute which is used in determining whether or not the transition is fireable in a given system context, where a context consists of a network and a data environment. This is in accord with many of the varieties of generalised or interpreted Petri net [Kel76, Sif77].
2. In addition to a source set of places which must be marked in order for 
a transition to be fireable, and a target set of places to which control 
flows when a transition fires, each transition is also associated with a set 
of places which are said to be vulnerable to the firing of the transition. 
When a transition fires, control is removed not only from the places in 
its source set but also from all those places which are vulnerable to it. 
This extension allows a compact representation of the interrupt operator 
in particular. 
Example 4.3 Figure 4.8 shows an example net. It represents the process term k?flow.y ; [AdjustValve : 200, 300]^H1 [> [450, 500]^H2 ; idle. The places of the net are shown as circles and the transitions as boxes. The shaded circles represent a distinguished place tick¹, modelling termination. A label inside a transition box denotes the transition attribute, e.g., k?flow.y. The standard flow relation is shown using solid lines, e.g., if place 2 is marked, and the context allows, the transition k?flow.y can fire, removing a token from place 2 and adding a token to place 1. The vulnerability relation is shown using dashed lines, e.g., places 1 and 2 are vulnerable to the firing of the transition [ID : 450, 500]^H2, so a token in either of those places is removed when the transition fires. The small black circles in places 2 and 4 show that those places are marked. □

[Fig. 4.8: Example Net (diagram not reproduced in this text)]
Nets are introduced formally below. 
Definitions and Notation 
Let the clocked process terms be formed over process variables 𝒳, predicate names Γ and clocks ℋ. The set Attribute of transition attributes is defined:

a ::= β | (γ) | X

where a ∈ Attribute is a transition attribute, β is a clocked basic term and X ∈ 𝒳 is a process variable. We use the notation (γ) to denote a transition attribute consisting of the predicate name γ ∈ Γ.

The set of clocks associated with a transition attribute a is denoted clk(a), where clk([w : t1, t2]^h) ≜ {h}, and clk(a) ≜ ∅, for any attribute a of the form k!i.x, k?i.x, (γ), and X.
A net can now be defined as follows. 
Definition 4.17 (Net) A net is a tuple n = (W, Θ, W^I) where

• W is the set of places
• Θ ⊆ W × 2^W × Attribute × 2^{W✓} is the set of transitions. W✓ denotes the set of places W ∪ {tick} in which tick ∉ W is a distinguished place used in the representation of the terminal process ✓.
• W^I ⊆ W is the set of initial places. □

¹ In the diagram of a net, we often have more than one shaded circle, in order to simplify the layout. All such shaded circles should be interpreted as representing the same tick place.
Let n = (W, Θ, W^I) be a net and θ = (w, W^V, a, W^T) ∈ Θ a transition. We adopt the following conventions:

• w ∈ W is the trigger of θ, denoted •θ.
• W^V ⊆ W is the set of places vulnerable to θ, denoted °θ.
• a ∈ Attribute is the attribute of θ, denoted aθ.
• W^T ⊆ W✓ is the target set of θ, denoted θ•.

In the case that a place w is the trigger of exactly one transition, the transition triggered by w is denoted by θ_w. Every place in a net constructed from a bCANDLE system according to the method of §4.4.2 is the trigger of exactly one transition.

A marking is a set of places. The marking W^I is the initial marking. Let W be a marking. For each transition θ, if •θ ∈ W, then θ is said to be conditionally enabled in W.

Let n_i = (W_i, Θ_i, W_i^I), for i ∈ {1, 2}, be two nets. n_1 and n_2 are said to be disjoint iff W_1 ∩ W_2 = ∅.

The set of clocks associated with a set W of places is denoted clk(W), where clk(W) ≜ ⋃_{w ∈ W} clk(aθ_w).
Behaviour 
The semantics of a net is given with respect to a system context which comprises 
a network and a data environment. The semantics is given as a transition system 
between states consisting of a marking of the net and a context. Given a net n = (W, Θ, W^I), a state (P, N, D) ∈ bCAN_ℋ can be represented by (W_1, N, D) where W_1 ⊆ W is a marking of n which represents the control component P. Intuitively, a system can evolve from one state (W_1, N, D) to another state (W_2, N', D') as the result of either a process transition or a network transition.
For a process transition, assume w E WI and that w is the trigger of some 
transition (). If the context N, D satisfies the conditions required by the at-
tribute a(}, then a new marking W2 is created from WI by removing w and 
any places which are vulnerable to (), and then including all of the target places 
of (). The new context, N', D' is created according to the requirements of the 
attribute a(}. 
In the case of a network transition, the system may evolve to a new state, in 
which the network component is modified, but the marking and data environ-
ment remain unchanged. However, notice that a network transition is inhibited 
by a marking as follows: 
• a message offer cannot be removed if some process is ready to accept it, 
i.e., a network transition to the post-acceptance phase of transmission 
of a message with identifier i on a channel k is not allowed if the cur-
rent marking contains a place which is the trigger of a transition whose 
attribute is k?i.x for some data variable x. 
These ideas are presented formally in the rules R.1 and R.2 below.

Definition 4.18 Let n = (W, Θ, W^I) be a net, W_1 ⊆ W. Let N be a clocked network over sets K of channel identifiers and I of message identifiers. Let D be a data environment.

The process transitions of (W_1, N, D) are given by the rule:

R.1   \frac{w \in W_1 \;\land\; (w, W^V, a, W^T) \in \Theta \;\land\; \mathit{fire}(a, N, D, \psi, \lambda, H', N', D') \;\land\; W_2 = W_1 \setminus (\{w\} \cup W^V) \cup W^T \;\land\; H = H' \cup \mathit{clk}(W^T)}{(W_1, N, D) \xrightarrow{\psi, \lambda, H}_n (W_2, N', D')}

and the network transitions by the rule:

R.2   \frac{N \xrightarrow{\psi, \lambda, H} N' \;\land\; \forall k \in K, i \in I \,.\, (\neg\mathit{awaited}(W, k, i) \lor N_k \neq (t\, i.\_, \_) \lor N_k = N'_k)}{(W, N, D) \xrightarrow{\psi, \lambda, H}_n (W, N', D)}

where

• the fire relation, as given in Figure 4.9, simply recasts the semantic rules for basic terms and guards, in defining the behaviour of each transition attribute in a given system context, and
• awaited(W, k, i) holds iff, in the marking W, it is possible to receive from channel k a message with identifier i. Formally,

  awaited(W, k, i) ≜ {w ∈ W | aθ_w = k?i._} ≠ ∅. □
4.4.2 Constructing the net for a clocked term

Let (P̂, N̂, D) ∈ bCAN_ℋ be a bCANDLE system. In this section, it is shown how to construct the net for P̂, denoted N[P̂]. We begin by considering the construction of nets for the basic terms. The construction of a net for a compound term, P1 ; P2, P1 + P2, P1 [> P2 and P1 | P2, proceeds compositionally from the nets for P1 and P2.

Basic Terms

The net for each of the clocked basic terms β is constructed in the same way. A new place is created to act as the trigger of a transition whose attribute is the term itself and whose outgoing arc leads to the distinguished place, tick.
F_Snd   \frac{N_k = (s, u) \;\land\; v = D.x}{\mathit{fire}(k!i.x, N, D, tt, k!i.v, \{h_u\}, N[k := (s, u \leftarrow_p i.v)], D)}

F_Rcv   \frac{N_k = (t\, i.v, \_)}{\mathit{fire}(k?i.x, N, D, tt, k?i.v, \{h_u\}, N, D[x := v])}

F_Gu   \frac{D \models \gamma}{\mathit{fire}((\gamma), N, D, tt, \gamma, \{h_u\}, N, D)}

Fig. 4.9: Rules for fire

Example 4.4 Let β be the term k?flow.y. Figure 4.10 shows the net given by N[β]. The figure shows the initial marking of the net. The terminal place tick is shown as a shaded circle. Place (1) is the trigger of the net's only transition, whose attribute is shown inside the box, and whose target set is the singleton {tick}. □

Fig. 4.10: Net for a basic term

Definition 4.19 Let β be one of the basic terms k!i.x, k?i.x or [w : t1, t2]^h. Then the net for β is constructed as follows:

N[β] ≜ ({w}, {(w, ∅, β, {tick})}, {w})

where w ≠ tick is a place. □
Sequential Composition

In constructing the net of the sequential composition, P1 ; P2, all that needs to be done is to combine the nets of P1 and P2 and then modify each transition θ of P1 which leads to the immediate termination of P1, so that it leads instead to the initial places of P2. This represents the transfer of control from a termination point in P1 to the starting point(s) of P2. A transition θ leads to immediate termination iff its target set, θ•, is {tick}. The transfer of control is implemented simply by making θ• equal to the initial places of P2.

Example 4.5 Consider the term k?flow.y ; [AdjustValve : 200, 300]^H1. Its net is constructed very simply, as shown in Figure 4.11. □

Fig. 4.11: Net for a sequential composition

Definition 4.20 Let (W_i, Θ_i, W_i^I) = N[P_i], for i ∈ {1, 2}, be disjoint nets. The net N[P1 ; P2] for the sequential composition P1 ; P2 is given by

N[P1 ; P2] ≜ (W_1 ∪ W_2, Θ ∪ Θ_2, W_1^I)

where

Θ = {θ | θ ∈ Θ_1 ∧ θ• ≠ {tick}} ∪ {(•θ, °θ, aθ, W_2^I) | θ ∈ Θ_1 ∧ θ• = {tick}}. □
Guard

A guarded process, γ → P, evaluates the guard γ in its current data environment and then behaves as P if the guard is true or simply idles otherwise. We construct a net rather as if γ is a basic term and → is sequential composition.

Example 4.6 Let P be the term Shutdown → idle. Figure 4.12 shows the net given by N[P]. □

Fig. 4.12: Net for a data-guarded term

Definition 4.21 Let N[P] = (W, Θ, W^I); then the net of γ → P is given by

N[γ → P] ≜ (W ∪ {w}, Θ ∪ {(w, ∅, (γ), W^I)}, {w})

where w ∉ W is a place. □
Choice

A choice, P1 + P2, is resolved in favour of the process which is first able to perform an initial transition, the possibility of action then being removed from the other process. The removal of control is represented in the net for P1 + P2 by adjusting the vulnerable sets of the transitions of each process, so that control is removed from one process whenever an action occurs in the other.

Example 4.7 Let P1 = k?flow.y ; [AdjustValve : 200, 300]^H1 and P2 = [450, 500]^H2 ; idle. The term P1 + P2 models the situation in which one of two possible behaviours can occur: either a flow message is received on channel k within 500 time units and then the process adjusts a valve; or a flow message is not received for at least 450 time units, after which the timeout may elapse and the process idles forever. Figure 4.13 shows the net which is constructed for N[P1 + P2]. Notice that the marking of the net shows the initial possibility of both behaviours. The places which are vulnerable to a transition are indicated with a dashed line, directed from each vulnerable place to the transition(s) to which it is vulnerable. For example, place 4 is vulnerable to the transition k?flow.y. This means that if k?flow.y fires, then a token residing at place 4 will be removed, and so the transition which is triggered by it will be disabled. □

Fig. 4.13: Net for a choice

Definition 4.22 Let (W_i, Θ_i, W_i^I) = N[P_i], for i ∈ {1, 2}, be disjoint nets. Then

N[P1 + P2] ≜ (W_1 ∪ W_2, Θ, W_1^I ∪ W_2^I)

where

Θ = {θ | θ ∈ Θ_1 ∧ •θ ∉ W_1^I}
  ∪ {(•θ, °θ ∪ W_2^I, aθ, θ•) | θ ∈ Θ_1 ∧ •θ ∈ W_1^I}
  ∪ {θ | θ ∈ Θ_2 ∧ •θ ∉ W_2^I}
  ∪ {(•θ, °θ ∪ W_1^I, aθ, θ•) | θ ∈ Θ_2 ∧ •θ ∈ W_2^I}. □
Interrupt

An interrupt, P1 [> P2, differs from choice in that control is only removed from P2 when a terminating transition of P1 occurs. So P1 can perform transitions while P2 retains the possibility of action. Wherever control resides in P1, it is removed upon the occurrence of an initial transition of P2.

Example 4.8 Let P1 = k?flow.y ; [AdjustValve : 200, 300]^H1 and P2 = [450, 500]^H2 ; idle. The term P1 [> P2 behaves similarly to P1 + P2 which was considered in Example 4.7; the primary difference being that [450, 500]^H2 acts as a watchdog timer rather than a timeout: i.e., it remains active throughout the behaviour of P1 and is only disabled when P1 terminates. This difference is reflected in the construction of the net for P1 [> P2 shown in Figure 4.14. Attention should be given to the following points:

• the triggers of all transitions associated with P1 are made vulnerable to the initial transition of P2, and
• the trigger of the initial transition of P2 is vulnerable only to the terminating transition of P1.

The effect of this is that [ID : 450, 500]^H2 remains fireable even after k?flow.y has fired, and, if [ID : 450, 500]^H2 is fired, then both k?flow.y and [AdjustValve : 200, 300]^H1 are disabled. Contrast this with the net for choice in Figure 4.13. □

Fig. 4.14: Net for an interrupt

Definition 4.23 Let (W_i, Θ_i, W_i^I) = N[P_i], for i ∈ {1, 2}, be disjoint nets. Then

N[P1 [> P2] ≜ (W_1 ∪ W_2, Θ, W_1^I ∪ W_2^I)

where

Θ = {θ | θ ∈ Θ_1 ∧ θ• ≠ {tick}}
  ∪ {(•θ, °θ ∪ W_2^I, aθ, θ•) | θ ∈ Θ_1 ∧ θ• = {tick}}
  ∪ {θ | θ ∈ Θ_2 ∧ •θ ∉ W_2^I}
  ∪ {(•θ, °θ ∪ W_1, aθ, θ•) | θ ∈ Θ_2 ∧ •θ ∈ W_2^I}. □

Parallel Composition
Control in a parallel composition, P1 | P2, is maintained independently in each process. Moreover, the parallel operator occurs only at the top level, i.e. we never encounter terms such as (P1 | P2) ; P3. In this case, the net for P1 | P2 can be constructed simply as the independent nets for P1 and P2.

Definition 4.24 Let (W_i, Θ_i, W_i^I) = N[P_i], for i ∈ {1, 2}, be disjoint nets. Then

N[P1 | P2] ≜ (W_1 ∪ W_2, Θ_1 ∪ Θ_2, W_1^I ∪ W_2^I). □
The benefits of the restricted use of parallelism can be seen here in the very 
simple net translation and in the fact that it is possible to support the trans-
lation of bCANDLE into nets in which every transition requires only a single 
trigger. The use of such simple nets has consequent benefits in the efficiency of 
the implementation of the TA construction which is based on them. 
Process Variable 
A process variable, X, represents a recursion point. As such, it has a net 
representation consisting of a place which is the trigger of a single transition 
whose target set is empty initially and is finalised later in the construction, on 
encountering the binding, rec X. There is sure to be such a binding since we 
are dealing only with closed terms. Notice also that because of the restriction 
to systems with static control, a free process variable cannot be encountered 
on the left of a sequential composition and so the target set of the net for the 
process variable remains unchanged until the binding is encountered. 
Definition 4.25 Let X be a process variable. The net of X is defined:

N[X] ≜ ({w}, {(w, ∅, X, ∅)}, {w})

where w ≠ tick is a place. □
4. Analysis via Timed Automata 118 
Recursion Operator 
The construction of the net for the recursion operator, rec X.F, involves the 
resolution of the target sets of all those transitions in the net for F whose 
attribute is the free process variable X. If (W, e, WI) is the net constructed 
for!, then each such target set is made equal to the set, WI, of initial places 
of P; i.e., the 'knot is tied'. 
Example 4.9 Consider the term
rec Flow. [ReadSensor : 85, 90]H1 ; k!flow.x ; Flow
which models control in a system which repeatedly reads a flow sensor, storing
the reading in the variable x, and transmits its value on channel k. Its net is
shown in Figure 4.15; the knot is tied simply in this case by returning control
to the beginning of the process. Notice that control is returned indirectly from
k!flow.x to the start of the process at place 1 via the transition Flow triggered
by place 3. A more compact net can be used in which the redundant place
and transition (place 3 and Flow) are omitted and in which control is returned
directly from k!flow.x to the beginning of the process (see Figure 4.16). It will
be shown later how such indirections can be systematically removed and we
will assume that this is always done in the nets which we construct. □
Fig. 4.15: Net for a recursion
Fig. 4.16: Compact net for a recursion
Definition 4.26 Let N[F] = (W, Θ, W^I); then the net of rec X.F is given by
N[rec X.F] ≜ (W, Θ', W^I)
where
Θ' = {θ | θ ∈ Θ ∧ aθ ≠ X}
   ∪ {(•θ, °θ, aθ, W^I) | θ ∈ Θ ∧ aθ = X}
□
Removing indirections
The net of a recursive process, constructed using the approach described above,
contains places and transitions whose only purpose is to redirect the flow of con-
trol via a recursion point. Such transitions, which we have called indirections,
have a process variable for their attribute. We can remove each of these transi-
tions from the net, and also the places which trigger them, and transfer control
directly to the start of the process. This avoids the generation of redundant
locations and edges in the construction of the TA of the process. An algorithm
is presented shortly which gives a method for the removal of indirections. First,
we give an example which has been constructed to illustrate its most significant
features.
Example 4.10 Consider the term
P ≜ rec X. [a : 1]H1 ; (X + stop → [b : 0]H1 ; idle)
which models a process which repeatedly executes an a action until the predi-
cate stop becomes true, when it executes a single b action and then idles forever.
The net for this process, including indirections, is shown in Figure 4.17.
Fig. 4.17: A recursion with indirection
For the most part, the net is unremarkable. But notice that the unguarded process
variable X, in the term (X + stop → [b : 0]H1 ; idle), does not cause problems
in the net representation: the term P is represented by the net as shown, and
the term P + stop → [b : 0]H1 ; idle, which is reached after the recursion is
unwound, is represented by the same net with the marking {1, 3}. The net
contains a single indirection, namely the transition whose attribute is X and
whose trigger is the place labelled 2. The result of removing this indirection is
shown in Figure 4.18. In order to remove the indirection we need to perform
the following steps:
1. Modify those transitions which are directed towards the indirection - in
this case there is just one such transition, [a : 1]H1 - so that they bypass
the indirection and are directed to its target set instead - in this case, the
place labelled 1.
2. Modify vulnerable sets to take account of the above change. There are
two cases in which vulnerable sets need to be altered:
(a) If an indirection is vulnerable to some transition θ then all places
to which it directs control should become vulnerable to θ. In Fig-
ure 4.17, 2 is vulnerable to (stop), so in the modified net (Figure 4.18)
1 has become vulnerable to this transition.
(b) Any places which are vulnerable to the indirection should instead
be made vulnerable to those transitions to which control is directed
by it. Notice in Figure 4.17 that 3 is vulnerable to X, whereas in
the modified net of Figure 4.18, this place is vulnerable instead to
[a:1]H1. □
Fig. 4.18: A recursion with indirection removed
1 input
2   A net (W, Θ, W^I) constructed as described in §4.4.2
3 output
4   A new, equivalent net, (W', Θ', W^I), which does not contain indirections.
5 begin
6   I := {θ | aθ = X, for any process variable X}
7   W' := W \ {•i | i ∈ I}
8   Θ' := Θ \ I
9   foreach θ ∈ Θ' do
10    foreach i ∈ I do
11      if •i ∈ θ• then θ• := θ• \ {•i} ∪ i• fi
12      if •i ∈ °θ then °θ := °θ \ {•i} ∪ i• fi
13      if •θ ∈ i• then °θ := °θ ∪ °i fi
14    od
15  od
16 end
Fig. 4.19: Algorithm to remove indirections
The algorithm in Figure 4.19 formalises a method for the removal of indirections.
The following remarks are intended to explain this algorithm. I is the set of
indirections, Θ' is the set of all transitions except indirections, W' is the set of all
places except those which are the trigger of some indirection. For each transition
θ ∈ Θ' and for each indirection i ∈ I, the algorithm first causes the indirection
to be bypassed (line 11); then all those places to which the indirection directs
control are made vulnerable to θ, if i is vulnerable to θ (line 12); finally, if i
directs control to θ then all places vulnerable to i are made vulnerable to θ
(line 13).
4.4.3 Final stage of timed automaton construction 
The final stage of the construction of the TA for a system (P, N, D) is to build 
the automaton itself, based on the net N[P] constructed in the previous stage. 
If R = (W, Θ, W^I) is the net for P, then a simple and efficient algorithm can
be used to generate the TA for (P, N, D) by starting from the initial location
(W^I, N, D) and visiting all reachable locations under the relation →_R as de-
fined by rules R.1 and R.2 (Definition 4.18). A standard reachability algorithm
is employed for this purpose (Figure 4.20). The following definition gives the 
details. 
Definition 4.27 Let (P, N, D) ∈ bCAN be a clocked bCANDLE system. Let
R = (W, Θ, W^I) be the net N[P]. Then, the TA 𝒢'(P, N, D) = (Q, q^I, A, ℋ, E, I)
is built as follows:
• The set Q of locations is as given when the algorithm in Figure 4.20
terminates.
• The initial location q^I is (W^I, N, D).
• The set A of action labels is A_P ∪ A_N.
• The set ℋ of clocks is the set of clocks associated with the attributes
of the transitions in Θ, together with the network clocks and the urgent
clock h_u, i.e., ℋ ≜ clk(W) ∪ clk(N) ∪ {h_u}, where h_u ∉ clk(W) ∪ clk(N).
• The set E of edges is as given when the algorithm in Figure 4.20 termi-
nates.
• The invariant function I : Q → Ψ_ℋ is given by
I(W, N, D) = I(W, D) ∧ I(N)
I(W, D) = ⋀_{w ∈ W} I(aθ_w, D)
where I(β, D) and I(N) are as in Definition 4.16 and
I(⟨γ⟩, D) ≜ if D ⊨ γ then h_u ≤ 0 else tt
□
For any clocked bCANDLE system B ∈ bCAN, we conjecture that 𝒢'(B)
is isomorphic to 𝒢(B), and so, from Proposition 4.2, we conclude that its tran-
sition system is strongly equivalent to the corresponding bCANDLE system
unclk(B). The proof of the conjecture is left to future work.
1 input
2   A bCANDLE system (P, N, D)
3   A net R = (W, Θ, W^I) = N[P]
4 output
5   The set of locations Q
6   The set of edges E
7 begin
8   Q := {(W^I, N, D)}
9   WAITING := {(W^I, N, D)}
10  E := ∅
11  while WAITING ≠ ∅ do
12    remove some q from WAITING
13    E' := {(q, ζ, λ, H, q') | q ⟶_R^{ζ,λ,H} q'}
14    E := E ∪ E'
15    foreach (_, _, _, _, q') ∈ E' do
16      if q' ∉ Q
17        add q' to Q
18        add q' to WAITING
19      fi
20    od
21  od
22 end
Fig. 4.20: Algorithm to construct a timed automaton
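The indirection removal of Example 4.10 (Figure 4.19) and the location/edge generation of Figure 4.20, as an added example that is not the thesis's own implementation: the net is encoded as (places, transitions, initial places), the algorithm of Figure 4.19 is applied, and a worklist search is run over markings alone, dropping the N and D components and all clock constraints. The net of Example 4.10 is reconstructed from the text; the place numbers 4 and 5 and the empty vulnerable sets of [a:1]H1 and [b:0]H1 are assumptions.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Transition:
    """(•θ, °θ, aθ, θ•): trigger place, vulnerable set, attribute, target set."""
    trigger: int
    vulnerable: frozenset
    attr: str
    target: frozenset


@dataclass
class Net:
    places: frozenset
    transitions: list
    initial: frozenset          # W^I


PROCESS_VARS = {"X"}            # attributes that are free process variables


def remove_indirections(net):
    """Fig. 4.19: delete every indirection i (a transition whose attribute
    is a process variable) and its trigger place •i, re-routing the target
    sets (line 11) and vulnerable sets (lines 12-13) of the remaining
    transitions."""
    indir = [t for t in net.transitions if t.attr in PROCESS_VARS]
    places = net.places - {i.trigger for i in indir}
    kept = []
    for t in net.transitions:
        if t in indir:
            continue
        target, vuln = t.target, t.vulnerable
        for i in indir:
            if i.trigger in target:       # line 11: bypass the indirection
                target = (target - {i.trigger}) | i.target
            if i.trigger in vuln:         # line 12: case (a)
                vuln = (vuln - {i.trigger}) | i.target
            if t.trigger in i.target:     # line 13: case (b)
                vuln = vuln | i.vulnerable
        kept.append(replace(t, target=target, vulnerable=vuln))
    return Net(places, kept, net.initial)


def fire(marking, t):
    """Control successor: the trigger and the vulnerable places leave the
    marking, the target places enter it."""
    return (marking - {t.trigger} - t.vulnerable) | t.target


def control_graph(net):
    """Untimed skeleton of the algorithm of Fig. 4.20: a worklist search
    whose locations are markings of the net.  Data guards such as (stop)
    are treated as always enabled, so this over-approximates the TA."""
    locations, waiting, edges = {net.initial}, [net.initial], set()
    while waiting:
        q = waiting.pop()
        for t in net.transitions:
            if t.trigger in q:
                q1 = fire(q, t)
                edges.add((q, t.attr, q1))
                if q1 not in locations:
                    locations.add(q1)
                    waiting.append(q1)
    return locations, edges


P = frozenset
# Net of Example 4.10 (Fig. 4.17) reconstructed from the text; places 4
# and 5 are assumed numbers for the [b:0]H1 step and the final idle.
EXAMPLE_4_10 = Net(
    places=P({1, 2, 3, 4, 5}),
    transitions=[
        Transition(1, P(), "[a:1]H1", P({2, 3})),  # choice: marks 2 and 3
        Transition(2, P({3}), "X", P({1})),        # indirection; 3 vulnerable to X
        Transition(3, P({2}), "(stop)", P({4})),   # 2 vulnerable to (stop)
        Transition(4, P(), "[b:0]H1", P({5})),     # place 5 is idle
    ],
    initial=P({1}),
)

if __name__ == "__main__":
    compact = remove_indirections(EXAMPLE_4_10)
    for t in compact.transitions:
        print(t)
    locs, edges = control_graph(compact)
    print(len(locs), "markings,", len(edges), "edges")
```

After removal the marking {1, 3} of the text appears as a location, and no edge carries the attribute X.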
4.5 A simple example 
In order to illustrate the automatic TA construction method, we return to 
the example of the simple flow regulator (§3.7). For ease of reference, the 
bCANDLE model is presented again in Figure 4.21. We briefly describe the 
various stages of the translation of the model to a TA. 
Initially, the source file containing the model description is parsed, and 
equational definitions are rewritten as recursive process terms. Next, the clock 
variables are allocated. This gives the following clocked process term: 
((rec Flow.(([ReadSensor : 85, 90]H3 ; (k!flow.x ; idle))
   [> ([PERIOD : 10000, 10250]H5 ; Flow)))
 |
 (rec Valve.(k?flow.y ; ([AdjustValve : 200, 300]H4 ; Valve))))
The static components of each network channel are constructed from the details
given in the network section of the model. A unique clock variable is allocated
to each network channel. In this case, there is only one network channel k
whose static components are:
• Clock H2,
• Message set M = {flow.1},
• Priority relation _ ≺ _ = {}, and
• Transmission latency functions δ_lb = {flow.1 ↦ 43}, δ_ub = {flow.1 ↦ 53},
δ_lB = {flow.1 ↦ 10} and δ_uB = {flow.1 ↦ 12}.
Clock H1 is used as the urgent clock.
Flow | Valve
where
  Flow  = [ReadSensor:85,90] ; k!flow.x ; idle
          [> [PERIOD:10000,10250] ; Flow
  Valve = k?flow.y ; [AdjustValve:200,300] ; Valve
network
  /* pri dlb dub dlB duB */
  k = (flow : 1, 43, 53, 10, 12)
data x, y
Fig. 4.21: The flow regulator revisited
Fig. 4.22: Net for the flow regulator
The next stage of the translation is the construction of the net for the
clocked process term. Figure 4.22 shows the net for our example.
Finally, the TA is constructed by applying the algorithm of Figure 4.20,
starting from the initial location (W, N, D), where the initial marking W =
{1, 4, 5}; the initial state of the network N = {k ↦ (↓, ⟨⟩)}, i.e. the condition of
channel k is free and its pending message queue is empty; and the initial data
environment D = {x ↦ ⊥, y ↦ ⊥}.
The final TA has 48 locations, 146 edges, and uses 5 clock variables. It is
shown in full in Appendix A. Many of the locations and edges in the generated
TA are redundant, in the sense that some locations are unreachable and some
edges are guarded by clock constraints which are unsatisfiable. This is typical of
many automatic translators [Yov93, Bra95, Her98]. Since the clock constraints
are not used to guide the construction of the TA, the worst-case complexity of
the translation is comparable to that for an untimed language, i.e., exponential 
in the number of processes, channels and data variables. A more careful analysis 
of the clock constraints would allow many of the redundancies to be eliminated, 
although the fundamental complexity of the problem remains the same. This 
approach has not been implemented. Instead, it will be seen that an alternative 
approach presented in Chapter 5 addresses the problem in a way which appears 
to be effective in practice. Note also that it is possible to improve the quality of 
the generated TA by using a clock optimisation tool such as OptiKron [Daw98b], 
which produces an equivalent TA having a reduced number of clocks. For the 
example given here, OptiKron reduces the number of clocks required from 5 
to 4. 
Once the TA has been generated, a model-checking tool, such as KRONOS, 
can be used to ensure that the model exhibits desirable properties. For example, 
the simple bounded response property that the AdjustValve operation is always
enabled within 300 time units of the enabling of the ReadSensor operation, can
be expressed in TCTL as
init ⇒ ∀□(enable(ReadSensor) ⇒ ∀◇_{≤300} enable(AdjustValve))
Let flow. tctl be a file containing a statement of this property in the syntax 
expected by KRONOS: 
init IMPL AB (enable(OP_ReadSensor) IMPL 
(AD{<=300} enable(OP_AdjustValve))) 
Let flow. tg be a file containing the TA generated from the bCANDLE model. 
The property can be checked in a forward reachability analysis using the com-
mand 
kronos -forw flow.tg flow.tctl 
giving the result 
kronos: release 2.4.4 (i686) date Tue Aug 29 16:16:08 WET DST 2000 
kronos: file flow.kro already exists 
kronos: reading file flow.kro ... 
kronos: begin evaluation of flow.tctl 
kronos: begin forward analysis 
kronos: 14 simulation states generated 
kronos: 14 simulation transitions generated 
kronos: Invariance *** TRUE *** 
kronos: end evaluation of flow.tctl 
kronos: compacting 
---------------------------------------------------------------------------
kronos: fixpoint          : system 0.010s * user 3.410s * iterations 17
kronos: compact time      : system 0.000s * user 0.000s *
kronos: forward analysis  : system 0.000s * user 0.010s *
kronos: total time        : system 0.010s * user 3.460s *
---------------------------------------------------------------------------
Another property can be stated and checked, concerning the periodicity and 
jitter of the enabling of AdjustValve, for example, 
init ⇒ ∀◇ enable(AdjustValve) ∧
       ∀□(enable(AdjustValve) ⇒
          ∀◇_{<100}((∀□_{<9885} ¬enable(AdjustValve)) ∧
                    ¬(∀□_{≤10165} ¬enable(AdjustValve))))
which states that AdjustValve is eventually enabled and, whenever enabled,
it fires within 100 time units, remaining disabled thereafter until it becomes
enabled again after no less than 9885, and no more than 10165, time units.
KRONOS verifies this property also.
The stated bounds (9885 and 10165) are as tight as possible for this example 
and, even for such a simple model, are not obvious by inspection. An analysis 
of this sort helps to build confidence in the quality of control which may be 
supplied by an implementation of the flow regulator. 
In fact, there is a hidden assumption in the interpretation, given above,
of the periodicity property: that whenever AdjustValve is enabled, it becomes
disabled only by firing, and not as the result of an interrupt or timeout. In this
case, the correctness of the assumption can be seen immediately by inspection of 
the model. However, in general, this may not be straightforward and one would 
like to be able to state the property in TCTL and check it using KRONOS. As 
Hernalsteen has observed [Her98], it is not so easy in TCTL to state properties 
concerning the firing of transitions as opposed to their enabling. This is because 
TCTL is a state-based, rather than an event-based, logic. The firing of a 
transition can be checked only by encoding this event somehow in the discrete 
state of the model. If the encoding is done by the modeller in an ad-hoc fashion, 
there is the possibility that errors will be introduced into the model; if it is done 
automatically for all events by the translator, the size of the state space will be 
increased, perhaps unnecessarily. One possible solution is to allow some events 
to be marked by the user for 'tracking' in the model, so that the translator 
can automatically add the encodings required only for those events of interest. 
Alternatively, one could consider the use of a logic in which both states and 
events can be referenced. 
4.6 Conclusions 
In this chapter, we have presented a translation to timed automata of the timed 
process language bCANDLE. The translation closely follows the semantic rules 
of the language and can be shown to be correct in a straightforward manner. 
We have also described an efficient method by which the translation can be 
implemented. The method adapts and extends techniques which have proved 
effective in similar settings [Gar92, Yov93]. A translator has been implemented 
and has been applied to a number of examples. As a result of this work, it is 
now possible, for the first time, to apply automatic analysis techniques, such as 
model checking, to system models which are described using a timed language 
which provides value-passing, prioritised, broadcast communication over latent 
channels as a primitive construct. 
5. SPACE-EFFICIENT, ON-THE-FLY 
REACHABILITY ANALYSIS 
5.1 Introduction 
We have seen that reachability analysis and model checking of TA are well-
established and successful techniques in the analysis of real-time systems. In 
Chapter 4, we have shown how bCANDLE models can be translated into TA , 
and thus have provided a way by which these verification methods can be ap-
plied to bCANDLE systems. As usual, the state space explosion problem is the 
major limiting factor in the use of such techniques, from a technical point of 
view. Much current research in TA verification is aimed at alleviating the worst 
effects of this problem: in particular, on-the-fly and symbolic approaches have 
proven effective in this respect. In this chapter, we consider how such methods 
can be adapted for use in the analysis of bCANDLE models. 
Traditionally, a system model is presented as a network of small component 
TA, and on-the-fly methods, especially, derive their benefit from the fact that 
it may be unnecessary to construct their product automaton completely, be-
fore the verification question can be decided. Unfortunately, in the approach 
taken in Chapter 4, it is necessary to construct a monolithic TA for the sys-
tem model as a whole, before verification begins. This is contrary to the spirit 
of on-the-fly verification, since, even though the verification problem may be 
decided during construction of the simulation graph, the monolithic TA itself 
may be very large. Recall that we need to build a monolithic TA if we wish 
to stay within the framework of the standard timed safety automata (TSA) of 
Henzinger et al. [HNSY94], since the product construction for TSA does not 
allow a satisfactory modelling of broadcast communication as we have defined 
it in Chapter 3. It may be possible to define a translation of bCANDLE models 
into networks of TA if we allow the use of TA extended with data variables 
and guards [ALST98, Boz98, LPY97]. This would allow us to take advantage 
of existing on-the-fly techniques. However, we do not pursue that line of en-
quiry in this work, but rather propose a novel solution to the problem: namely 
to generate the simulation graph of a system directly from the extended net 
created for the construction of its TA, but without ever constructing the TA 
explicitly. In this way, we obtain full on-the-fly verification for bCANDLE. Al-
though several proposals have been published for the verification of real-time 
languages by means of translation to TA [DOY94, Her98, JM95, NSY91], we 
believe that this is the first time that the approach described here has appeared 
in the literature. 
5. Space-Efficient, On-the-fly Reachability Analysis 127
In addition, we combine on-the-fly verification with a compact represen-
tation of the state space. Binary decision diagrams (BDD's) have been used 
successfully, mainly in the analysis of hardware systems where the need for a 
compact representation of boolean functions is prevalent [Bry86]. However, the 
modelling of software systems commonly employs a richer set of data types 
and this fact motivates the investigation of different encodings of sets of states 
than by their characteristic functions. In this chapter, we consider the use of 
minimised deterministic finite state automata (MA's) [HP99] for the storage of 
the set of visited states in the reachability analysis of bCANDLE models. This 
state space representation promotes sharing of common parts of a set of state 
vectors, and seems to be particularly useful in mitigating the effects of state 
explosion caused by interleaving in asynchronous models. So far as we know, 
this is the first time that this state compression technique has been investigated 
in the analysis of timed systems. 
The rest of this chapter is organised as follows: in §5.2 the algorithm for on-
the fly reachability analysis is described; minimised automata are introduced in 
§5.3 and their use in the representation of the set of visited states is described 
in §5.4; salient features of an experimental platform are outlined in §5.5 and 
experimental results are discussed in §5.6; in §5.7, we consider related work; and 
finally, in §5.8, we present our conclusions and suggestions for further work. 
5.2 On-the-fly reachability analysis 
5.2.1 Basic algorithm 
We consider the problem of determining whether or not it is possible for a given
bCANDLE system (P, N, D) to reach a state which satisfies some state formula
φ. Recall that the validity of any state formula φ can be determined locally for
any state σ, and that σ ⊨ φ denotes the fact that σ satisfies φ.
In fact, all the machinery needed to solve this problem is already in place. 
The algorithm for constructing a TA from a bCANDLE system is given in 
Figure 4.20 and the algorithm for reachability in the simulation graph of a 
TA is given in Figure 2.14. Clearly, we can solve our problem by executing 
these algorithms consecutively. However, it is straightforward to combine them 
into a single algorithm which solves the reachability problem without explicitly 
constructing the TA. Such an algorithm is shown in Figure 5.1, to which we 
refer in the following explanatory comments. 
We assume that (P, N, D) is a safely clocked bCANDLE system and that
c_max(P, N, D) gives the value of the largest constant appearing in a computa-
tion [w : t1, t2] in P, or a message transmission latency bound δ_ub(m), δ_uB(m)
in N. The net R = (W, Θ, W^I), given by N[P], is constructed as described
in §4.4.2. We wish to check whether a state satisfying the state formula φ
is reachable from the initial state comprising the location q^I = (W^I, N, D)
and the clock zone succ_t(zero). The rest of the algorithm shows a standard
depth-first or breadth-first search of the reachable state space. The only sec-
tion warranting further comment concerns the calculation of successor states
at lines (14-15). Notice here that a location q is of the form (W, N, D) and
1 input
2   initial system (P, N, D), c = c_max(P, N, D)
3   net R = (W, Θ, W^I) = N[P]
4   state formula φ
5 begin
6   q^I := (W^I, N, D)
7   VISITED := {(q^I, succ_t(zero))}
8   WAITING := {(q^I, succ_t(zero))}
9   while WAITING ≠ ∅ do
10    remove some (q, ζ) from WAITING
11    if (q, ζ) ⊨ φ
12    then return 'yes'
13    else
14      succ := {(q', ζ') | q ⟶_R^{ζ'',λ,H} q' ∧ e = (q, ζ'', λ, H, q') ∧
15                         ζ' = close_c(succ_t(succ_e(ζ))) ≠ ∅}
16      foreach (q', ζ') ∈ succ do
17        if (q', ζ') ∉ VISITED
18          add (q', ζ') to VISITED
19          add (q', ζ') to WAITING
20        fi
21      od
22    fi
23  od
24  return 'no'
25 end
Fig. 5.1: Algorithm for on-the-fly reachability for bCANDLE
that the relation q ⟶_R^{ζ'',λ,H} q' yields successor locations q' = (W', N', D') accord-
ing to the rules R.1 and R.2 (Definition 4.18). Each such successor determines
an edge e = (q, ζ'', λ, H, q') which can be used in the calculation of the clock
zone successors of ζ in the usual way: ζ' = close_c(succ_t(succ_e(ζ))). This al-
lows the algorithm to follow the usual pattern for simulation graph reachability
(Figure 2.14).
5.2.2 Clock activity reduction 
The memory requirements of the basic on-the-fly reachability algorithm can 
be reduced considerably by reducing the number of clock variables which are 
used in the model to be analysed. Daws and Yovine [DY96] have proposed an 
important technique, known as clock activity reduction, which ensures that only 
the active clocks are recorded in each symbolic state in the simulation graph. A 
clock is considered to be active if its value will be tested before it is next reset. It 
is clear that there is no need to record the values of the other clocks, since they 
can have no effect upon the behaviour of the system until their current values 
have been destroyed by a clock reset. The remainder of this section shows how 
clock activity reduction can be employed in the on-the-fly reachability algorithm 
for bCANDLE. 
Active clocks 
Let A be a TA with set Q of locations, set ℋ of clocks and set E of edges. Define
an edge path of length n, over E, to be a sequence e of edges, e_0, e_1, ..., e_{n-1},
where n ∈ ℕ, e_i ∈ E, and, for 0 < i < n, src(e_i) = tgt(e_{i-1}). Let E-path
denote the set of edge paths over E, and |e| denote the length of edge path
e ∈ E-path.
We say that a clock h ∈ ℋ is tested in location q ∈ Q, if h occurs in the
invariant I(q) or in the guard of some outgoing edge of q. We denote by tclk(q)
the set of clocks tested in q. A clock h is said to be active in location q iff it is
either tested in q or is tested in some location q' ∈ Q which is connected to q
by an edge path along which h is never reset.
Definition 5.1 (Active clocks) Let A = (Q, q^I, A, ℋ, E, I) be a TA. Let
tclk : Q → 2^ℋ define, for each location q ∈ Q, the set of clocks occurring either
in the invariant I(q), or in the clock constraint of some outgoing edge of q.
Then, for any location q ∈ Q, the set of active clocks of q is denoted act(q),
and is defined by
act(q) ≜ tclk(q) ∪ H(q)
where a clock h is in H(q) iff h is not tested in q but is tested in some location
connected to q by an edge path along which h is never reset, i.e.
H(q) ≜ {h ∈ ℋ | h ∉ tclk(q) ∧
        (∃e ∈ E-path, q' ∈ Q. q = src(e_0) ∧ q' = tgt(e_{|e|-1}) ∧
         h ∈ tclk(q') ∧ h ∉ ⋃_{0≤i<|e|} reset(e_i))} □
Activity graph
An activity function act : Q → 2^ℋ can be used in a dimension-restricting
projection of the convex ℋ-polyhedron ζ, occurring in a symbolic state (q, ζ),
in order to produce a new symbolic state (q, ζ'), where ζ' is a polyhedron on
act(q) ⊆ ℋ instead of on ℋ. If act(q) ⊂ ℋ, then the DBM representation of ζ'
can be smaller than the representation of ζ. In practice, for a TA constructed
from a bCANDLE description, as described earlier, the savings are usually very
significant and allow the analysis of many models which would be intractable
without this reduction.
Definition 5.2 (Dimension restricting projection [Tri98])
Given an ℋ-polyhedron ζ and a subset of clocks H ⊆ ℋ, the dimension-restricting
projection of ζ to H, denoted ζ↓H, is the H-polyhedron ζ' such that
v' ∈ ζ' iff ∃v ∈ ζ . ∀h ∈ H . v(h) = v'(h) □
Definition 5.3 (Activity Graph [Tri98]) Let A = (Q, q^I, A, ℋ, E, I) be a
TA with c ≥ c_max(A). Let act : Q → 2^ℋ be an activity function for A.
The activity graph of A with respect to c, starting at the symbolic state z_0, is
denoted AG(A, c, z_0), and is obtained from the simulation graph SG(A, c, z_0) by
the following modification:
• For each node (q, ζ) of SG(A, c, z_0), the node (q, ζ↓act(q)) is a node of
AG(A, c, z_0)
• For each edge (q, ζ) → (q', ζ') of SG(A, c, z_0), (q, ζ↓act(q)) → (q', ζ'↓act(q'))
is an edge of AG(A, c, z_0). □
Notation. The activity graph of A with respect to c, starting at the initial state
(q^I, zero), is denoted simply by AG(A, c), and AG(A) denotes AG(A, c_max(A)).
Tripakis [Tri98] shows that the activity graph preserves the same proper-
ties as the simulation graph. In particular, the correctness theorem (Propo-
sition 2.6) is preserved, and so we can safely use the activity graph to decide
reachability properties. In fact, it is trivial to modify the algorithm of Fig-
ure 5.1 to achieve this. We simply replace the calculation of successors (lines
14-15) so that each clock zone is restricted to the active clocks, as follows
succ := {(q', ζ'↓act(q')) | q ⟶_R^{ζ'',λ,H} q' ∧ e = (q, ζ'', λ, H, q') ∧
                         ζ' = close_c(succ_t(succ_e(ζ))) ≠ ∅}
Calculating active clocks in bCANDLE 
In [DY96], an algorithm is given to compute the activity function act from the 
syntactic structure of a single TA modelling the entire system. It is shown 
in [DT98] how to compute and apply act on-the-fly, during construction of the 
simulation graph of the parallel composition of a set of TA. In order for activity 
reduction to be useful in the reachability analysis of bCANDLE, it is necessary 
to achieve a similar on-the-fly computation of act. We see from the modification 
above, to the on-the-fly algorithm for bCANDLE, that the only point at which 
act is required is during the calculation of successors, when, given an edge 
e = (q,_,_,_, q'), we need to be able to compute act(q'). Before considering 
the calculation of active clocks, we first identify the clocks which are tested in
a given location.
A location q, in the TA of a bCANDLE system, is a tuple (W, N, D). The 
set of tested clocks of such a location is defined below. 
Definition 5.4 (Tested Clocks) Let B ∈ bCAN be a clocked bCANDLE
system and 𝒢'(B) = (Q, q^I, A, ℋ, E, I) the TA constructed by Definition 4.27.
Let (W, N, D) ∈ Q. The tested clocks of (W, N, D) are denoted tclk(W, N, D),
where
tclk(W, N, D) ≜ tclk(W, D) ∪ tclk(N)
tclk(W, D) ≜ ⋃_{w ∈ W} tclk(aθ_w, D)
tclk(k!i.x, D) ≜ {h_u}
tclk(k?i.x, D) ≜ ∅
tclk([w : t1, t2]h, D) ≜ if t1 ∈ ℕ ∨ t2 ∈ ℕ then {h} else ∅
tclk(⟨γ⟩, D) ≜ if D ⊨ γ then {h_u} else ∅
tclk(N) ≜ ⋃_{k ∈ K} tclk(N_k)
tclk(↓, ⟨⟩)_h ≜ ∅
tclk(↓, m:u)_h ≜ {h_u}
tclk(↑_{t1,t2} m, u)_h ≜ if t1 ∈ ℕ ∨ t2 ∈ ℕ then {h} else ∅
tclk(↑m, u)_h ≜ {h_u}
tclk(m ↓_{t1,t2}, u)_h ≜ if t1 ∈ ℕ ∨ t2 ∈ ℕ then {h} else ∅
□
It is easy to see that a clock h appears in the invariant, or the guard of an 
outgoing edge, of a location (W,N,D) iff h E tclk(W,N,D). This follows 
directly from the definitions of tclk, rules R.1 and R.2 (Definition 4.18) and
the invariant function (Definition 4.27). 
Now we observe that, in fact, for any location q = (W,N,D), the set of 
clocks active in q is identical to the set of clocks tested in q. 
Proposition 5.1 
Let B ∈ bCAN be a clocked bCANDLE system and 𝒢'(B) = (Q, q^I, A, ℋ, E, I)
its TA. Then, for any q E Q, it is the case that act(q) = tclk(q). 
Proof By definition, act(q) = tclk(q) U H(q). We show that H(q) = 0, for any 
q E Q. The following lemma is required: 
Lemma 5.1 For any clock h ∈ ℋ and any edge e ∈ E, if h ∉ tclk(src(e)) and
h ∈ tclk(tgt(e)), then h ∈ reset(e).
Proof Let src(e) = (W1, N, D) and tgt(e) = (W2, N', D'). Observe that e
must be derived using one of the rules R.1 or R.2. We consider a clock h ∈ ℋ
such that h ∉ tclk(W1, N, D) and either h ∈ tclk(W2, D') or h ∈ tclk(N'). We
show that h ∈ reset(e). There are two cases to consider.
(Case h ∈ tclk(W2, D')) By definition, tclk(W2, D') = ⋃_{w2 ∈ W2} tclk(aθ_{w2}, D').
By R.1, we have that for all w2 ∈ W2, either there is some w1 ∈ W1 and
transition θ_{w1} = (w1, W^V, a, W^T) such that w2 ∈ W^T, or w2 ∈ W1 \ W^T. If
w2 ∈ W^T then, since tclk(W^T, D') ⊆ clk(W^T) ⊆ reset(e), we have h ∈ reset(e).
On the other hand, if w2 ∈ W1 \ W^T, then h ≡ h_u; this must be so since, by
assumption, h ∉ tclk(W1, D), and, therefore, must be tested in D' by reason of
the fact that aθ_{w2} = ⟨γ⟩ for some data guard γ such that D ⊭ γ and D' ⊨ γ.
Since the urgent clock is reset on every edge, again, we have h ∈ reset(e).
(Case h ∈ tclk(N')) If h ∈ tclk(N') then either h ≡ h_k, for some channel iden-
tifier k, such that N_k = (_, h_k), or h ≡ h_u. If h_k ∉ tclk(N) and h_k ∈ tclk(N')
then e must be derived by R.2 using either E~.1 or E~.3. In both cases,
h ≡ h_k ∈ reset(e). On the other hand, if h ≡ h_u, then h ∈ reset(e). In either
case, the result follows. □
Now, observe that H(q) = ⋃_{n≥0} H_n(q), where H_0(q) ≜ ∅, and, for n > 0,
H_n(q) ≜ {h ∈ ℋ | h ∉ tclk(q) ∧
         (∃e ∈ E-path, q' ∈ Q. |e| = n ∧ q = src(e_0) ∧ q' = tgt(e_{n-1}) ∧
          h ∈ tclk(q') ∧ h ∉ ⋃_{0≤i<n} reset(e_i))}
The proof of the proposition then follows by induction on the length of an
E-path. □
This result has significant implications for the efficiency of the analyses 
which can be performed on bCANDLE systems, which surpasses that which can 
be achieved for general TA models where this property may not be exhibited. 
Most significantly, the result justifies the use of tclk as the activity function in 
the construction of the activity graph. Clearly, tclk can be calculated locally for 
any given location and, therefore, can be implemented efficiently and applied 
on-the-fly to achieve clock activity reduction during construction of the graph. 
The experimental data presented in §5.6 and §6.6.3 provides evidence for the 
utility of this technique in practice. 
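The active-clock function of Definition 5.1 and the content of Proposition 5.1, as an added example that is not the thesis's code: act is computed as a backward fixpoint over an abstract TA given by its tested-clock sets and edges with reset sets, and the condition of Lemma 5.1 is checked on two constructed automata. Location names, clock names and reset sets are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Edge:
    src: str
    tgt: str
    reset: frozenset        # clocks reset on the edge


@dataclass
class TA:
    tclk: dict              # location -> clocks tested there (invariant and guards)
    edges: list


def active_clocks(ta):
    """act(q) = tclk(q) ∪ H(q), Definition 5.1.  Instead of enumerating
    edge paths, H is obtained as the least fixpoint of
    act(src(e)) ⊇ act(tgt(e)) minus reset(e) for every edge e, which
    collects exactly the clocks tested at the end of some reset-free path."""
    act = {q: set(clocks) for q, clocks in ta.tclk.items()}
    changed = True
    while changed:
        changed = False
        for e in ta.edges:
            carried = act[e.tgt] - e.reset
            if not carried <= act[e.src]:
                act[e.src] |= carried
                changed = True
    return {q: frozenset(s) for q, s in act.items()}


def satisfies_lemma_5_1(ta):
    """Lemma 5.1: a clock not tested at src(e) but tested at tgt(e) is reset
    on e.  By the proof of Proposition 5.1 this forces H(q) = ∅ everywhere."""
    return all(ta.tclk[e.tgt] - ta.tclk[e.src] <= e.reset for e in ta.edges)


def extra_active(ta):
    """Per location, the clocks that are active but not tested: H(q)."""
    act = active_clocks(ta)
    return {q: act[q] - ta.tclk[q] for q in act}


S = frozenset
# Constructed TA that violates the lemma: H1 is reset on the edge into q0,
# tested only in q2, and therefore carried untested through q0 and q1.
GENERAL_TA = TA(
    tclk={"q0": S(), "q1": S(), "q2": S({"H1"})},
    edges=[Edge("q0", "q1", S()), Edge("q1", "q2", S()),
           Edge("q2", "q0", S({"H1"}))],
)

# Constructed TA shaped like the edges that rules R.1/R.2 produce: every
# edge resets the urgent clock hu, and a computation clock is reset on the
# edge entering the location where it starts being tested.
BCANDLE_LIKE = TA(
    tclk={"q0": S({"hu"}), "q1": S({"H1"}), "q2": S({"H2", "hu"})},
    edges=[Edge("q0", "q1", S({"hu", "H1"})),
           Edge("q1", "q2", S({"hu", "H2"})),
           Edge("q2", "q0", S({"hu"}))],
)

if __name__ == "__main__":
    for name, ta in (("general", GENERAL_TA), ("bCANDLE-like", BCANDLE_LIKE)):
        print(name, "lemma 5.1:", satisfies_lemma_5_1(ta),
              "H(q):", dict(extra_active(ta)))
```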
5.3 A Minimised Automaton Representation of Reachable States
Even with the clock activity reduction described in the previous section, the 
size of the state space, which arises in the analysis of a system model, can grow 
too big to be stored in computer memory. There are many proposals in the 
literature for reducing the memory required to store a set of states - see §5.7. 
In this section, we consider an approach in which a state vector is regarded as 
being encoded as a string over some alphabet, and the set of visited states is 
represented by a minimised deterministic finite automaton (MA) which recog-
nises the language comprising the set of state vector strings. This technique 
has been implemented in the model checker SPIN [HP99], where it has been 
shown to achieve even better compression for many systems than that obtained 
by the use of BDD's [Vis96]. Similar results have been reported in experiments 
using sharing trees [GGZ95, Zam97] (also known as GE-SETS [Gre96]); the 
implementation of the sharing tree data structure is very similar to the MA 
implementation described here. By comparison with other techniques which 
5. Space-Efficient, On-the-fly Reachability Analysis 133 
also ensure complete state space coverage, the space reductions achieved by the 
use of MA's are among the best reported in the literature. It is of considerable 
interest to see if this performance is observed also in the storage of the state 
spaces which arise in the analysis of timed systems. Our work is the first to 
report such experiments. 
In the remainder of this section, we introduce the basic ideas and definitions 
for the use of MA's in state space storage. Later, we discuss their application 
in the implementation of a state store for bCANDLE. 
5.3.1 Minimised Deterministic Finite State Automata 
Definition 5.5 A k-layer deterministic finite state automaton (DFA) is a tuple $\mathcal{A} = (Q, A, E)$ where
• $Q = \bigcup\{Q_i \mid 0 \leq i \leq k\}$ is the set of states. $Q_i$, $\emptyset \subset Q_i \subset Q$, is the set of states at the $i$th layer and $Q_i \cap Q_j = \emptyset$ for $i \neq j$. $Q_0$ is a singleton containing the initial state and $Q_k = \{T, F\}$, where $T$ is the accepting final state and $F$ is the rejecting final state. The set $Q \setminus Q_k$ is denoted $Q^-$.
• $A$ is the alphabet.
• $E : Q^- \times A \to Q$ is a total function such that for all states $q \in Q^-$ and symbols $a \in A$, if $q \in Q_i$ then $E(q, a) \in Q_{i+1}$. □
A string $\alpha$ of length $n$ is a sequence of symbols $\alpha = a_0, a_1, \ldots, a_{n-1}$, where $a_i \in A$ for $0 \leq i < n$. $A^n$ denotes the set of strings of length $n$ over the alphabet $A$. A string $\alpha = a_0, a_1, \ldots, a_{n-1}$ generates a state sequence $q_0, q_1, \ldots, q_n$ from state $q = q_0$, where $q_{j+1} = E(q_j, a_j)$ for $0 \leq j < n$. For a state $q \in Q_i$, we denote the language of $q$ by $\mathcal{L}_{\mathcal{A}}(q)$. $\mathcal{L}_{\mathcal{A}}(q)$ is the set of strings which generate a state sequence from $q$ ending with the terminal state $T$. Formally, for $q \in Q_i$,
$$\mathcal{L}_{\mathcal{A}}(q) \triangleq \{\, \alpha \in A^{k-i} \mid \alpha \text{ generates the state sequence } q_0, q_1, \ldots, q_{k-i} \text{ from } q, \text{ and } q_{k-i} = T \,\}$$
We define $\mathcal{L}(\mathcal{A}) = \mathcal{L}_{\mathcal{A}}(q_0)$ where $q_0 \in Q_0$. A DFA is minimised provided $\mathcal{L}(q_i) = \mathcal{L}(q_j)$ iff $q_i = q_j$.
Example 5.1 The MA of Figure 5.2 is $\mathcal{A} = (\{Q_i\}_{i=0}^{4}, A, E)$, where $Q_0 = \{0\}$, $Q_1 = \{1, 2, 3\}$, $Q_2 = \{4, 5\}$, $Q_3 = \{6, 7\}$ and $Q_4 = \{T, F\}$ is the set of states; $A = \{a, b, c\}$ is the alphabet; and $E$ is the set of edges as shown in the figure. $\mathcal{A}$ represents the set $S \subseteq A^4$ of strings where
S = {aaaa, aaba, aaca, abaa, abba, abca, acaa, acba, acca,
     baab, baba, baca, bbab, bbba, bbca, bcaa, bcba, bcca,
     caab, caba, caca, cbaa, cbba, cbca, ccab, ccba, ccca}
□
Fig. 5.2: A minimised automaton
It can be seen that a MA achieves a compact representation of a set of strings 
by a combination of prefix merging and suffix merging. The requirement that 
a MA is deterministic ensures that all shared prefixes are recorded only once. 
Similarly, the requirement of minimisation ensures that many shared suffixes 
are also recorded only once. Furthermore, for any MA, the amount of sharing 
in prefixes and suffixes is optimal, in the sense that any other MA recording 
the same information is guaranteed to be isomorphic. In fact, a MA gives a 
canonical representation of a language - there is only one MA (up to isomor-
phism) representing a given language, and different languages are represented 
by different MA's [HU79]. An effective use of MA's for state space represen-
tation will require that state vectors are organised so as to promote as much 
prefix and suffix merging as possible. It is worth noting that the compactness 
of sharing trees (GE-SETS) relies on the same idea. The relationship between 
MA's and sharing trees is discussed in [Zam97]. 
MA Operations 
There are three basic operations on MA's which are required to implement a 
state store for reachability analysis: 
initialise - create a MA $\mathcal{A}$ having an empty language, i.e., ensure $\mathcal{A}$ satisfies $\mathcal{L}(\mathcal{A}) = \emptyset$;
insert - given a MA $\mathcal{A}$ and a string $\alpha$, create a MA $\mathcal{A}'$ such that $\mathcal{L}(\mathcal{A}') = \mathcal{L}(\mathcal{A}) \cup \{\alpha\}$;
member - given a MA $\mathcal{A}$ and a string $\alpha$, return true if $\alpha \in \mathcal{L}(\mathcal{A})$, otherwise return false.
Fig. 5.3: Structure of a bCANDLE state vector. LOCATION (q): Marking (W) $\{w_1, w_2, \ldots, w_m\}$; Network (N) $\{(s_1, u_1), (s_2, u_2), \ldots, (s_n, u_n)\}$; Data (D) $\{v_1, v_2, \ldots, v_d\}$. ZONE (ζ): $\{b_1, b_2, \ldots, b_z\}$.
Holzmann and Puri [HP99] give efficient algorithms for each of these operations. To be precise, for a k-layer MA $\mathcal{A}$ over an alphabet $A$, their insert algorithm is $O(k|A|)$, member is $O(k)$ and initialise is $O(1)$. We refer the reader to the cited work for a detailed description of the algorithms.
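As an added illustration (not code from the thesis, nor the SPIN implementation of [HP99]), the following Python class realises a k-layer MA with the three operations above. Nodes are hash-consed bottom-up: a node is identified by its layer and its tuple of successors, so two nodes of the same layer with the same language are necessarily one node, which is the minimisation condition of Definition 5.5. Insertion rebuilds only the k nodes on the path of the new string, giving the O(k|A|) cost quoted above. The class, its method names, the node-counting helper and the canonical 'reject everything' node kept for each layer are ours; the Holzmann-Puri algorithm additionally reclaims nodes that become unreachable, which is omitted here.

```python
# Added example, not the thesis's code: a k-layer minimised DFA ("MA") used
# as a state store, with initialise / insert / member as in §5.3.1.

class MinimisedAutomaton:
    """Minimised k-layer DFA over strings of exactly k symbols."""

    F, T = 0, 1  # the two terminal states of layer k: reject and accept

    def __init__(self, alphabet, k):
        # initialise: build an MA whose language is empty.
        self.alphabet = tuple(alphabet)
        self.index = {a: i for i, a in enumerate(self.alphabet)}
        self.k = k
        self.children = [None, None]     # successor tuple of each node id
        self.unique = {}                 # (layer, successors) -> node id
        # Canonical 'reject everything' node of each layer; layer k is F itself.
        # Missing edges of the text's total function E lead to these nodes.
        self.empty = [None] * (k + 1)
        self.empty[k] = self.F
        for layer in range(k - 1, -1, -1):
            succ = (self.empty[layer + 1],) * len(self.alphabet)
            self.empty[layer] = self._node(layer, succ)
        self.root = self.empty[0]

    def _node(self, layer, succ):
        """Return the unique node of `layer` whose successors are `succ`.
        Sharing the table across all inserts is what keeps the DFA minimal."""
        key = (layer, succ)
        nid = self.unique.get(key)
        if nid is None:
            nid = len(self.children)
            self.children.append(succ)
            self.unique[key] = nid
        return nid

    def _check(self, s):
        if len(s) != self.k:
            raise ValueError("a state vector must have exactly k symbols")

    def member(self, s):
        """O(k): follow one edge per symbol and test for the accepting state."""
        self._check(s)
        q = self.root
        for a in s:
            q = self.children[q][self.index[a]]
        return q == self.T

    def insert(self, s):
        """O(k|A|): copy-and-rebuild the k nodes on the path of `s`."""
        self._check(s)
        self.root = self._insert(self.root, 0, s)

    def _insert(self, q, layer, s):
        if layer == self.k:
            return self.T                 # the path now ends in the accept state
        i = self.index[s[layer]]
        succ = list(self.children[q])
        succ[i] = self._insert(succ[i], layer + 1, s)
        return self._node(layer, tuple(succ))

    def node_count(self):
        """Non-terminal nodes reachable from the root, i.e. |Q^-| of the text."""
        seen, stack = set(), [self.root]
        while stack:
            q = stack.pop()
            if q in seen or q in (self.T, self.F):
                continue
            seen.add(q)
            stack.extend(self.children[q])
        return len(seen)

    def language(self):
        """Enumerate L(A) in alphabet order; only sensible for small k and A."""
        out = []

        def walk(q, layer, prefix):
            if layer == self.k:
                if q == self.T:
                    out.append(prefix)
                return
            for a, c in zip(self.alphabet, self.children[q]):
                walk(c, layer + 1, prefix + a)

        walk(self.root, 0, "")
        return out


# The 27 strings of Example 5.1 (alphabet {a, b, c}, length 4).
EXAMPLE_5_1 = (
    "aaaa aaba aaca abaa abba abca acaa acba acca "
    "baab baba baca bbab bbba bbca bcaa bcba bcca "
    "caab caba caca cbaa cbba cbca ccab ccba ccca"
).split()


def build_example():
    ma = MinimisedAutomaton("abc", 4)
    for s in EXAMPLE_5_1:
        ma.insert(s)
    return ma


if __name__ == "__main__":
    ma = build_example()
    print(ma.node_count(), "non-terminal nodes")   # 8, the states 0..7 of Figure 5.2
```

Running the block on the strings of Example 5.1 gives 8 non-terminal nodes, the states 0 to 7 of Figure 5.2. For a state store the alphabet would be the 256 byte values and k the length of the state vector in bytes, as in mode M of §5.5.2.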
5.4 Implementing a MA state store for bCANDLE 
In order to use a MA for the state store in a reachability analysis of a bCANDLE 
system, it is necessary to partition the state vector and allocate partitions to 
layers in the MA. How this is done can have a significant effect upon the effi-
ciency of the state store. In this section, we discuss the structure of a bCANDLE 
state vector and consider some principles which may be applied in determining 
an effective partitioning. 
5.4.1 The state vector 
A bCANDLE state vector has the general form shown in Figure 5.3, where it can be seen that a state vector represents a location q = (W, N, D) and a clock zone ζ. The representation is discussed in more detail below.
Marking The marking $W = \{w_1, w_2, \ldots, w_m\}$ is the set of marked places of the system net (§4.4.1) which represents the state of the system processes.
Network For each channel in the system network, its dynamically changing 
components are recorded in the state vector, i.e., the status s and the 
queue u of messages pending transmission. The status consists of one 
of the four values FREE, PRE, ACCEPT, or POST, and, optionally, an 
associated message, comprising a message identifier and a data value. The 
message queue can be modelled in a variety of ways. In the following, we 
will assume a fixed length sequence of messages. 
Data Let $\mathit{Var} = \{x_1, x_2, \ldots, x_d\}$ be the set of data variables, where each variable $x_i$ ranges over a domain of values, $V_{x_i}$. The data environment D is represented by recording its valuation function $\mathit{val} = \{x_1 \mapsto v_1, x_2 \mapsto v_2, \ldots, x_d \mapsto v_d\}$. This is done simply by fixing the order of the variables and storing the corresponding values $\{v_1, v_2, \ldots, v_d\}$.
(a) M    0        1        2        3
    0    4        (-3, ≤)  (-5, ≤)  (-2, ≤)
    1    (7, ≤)   h2       (2, ≤)   (5, ≤)
    2    (6, ≤)   (3, ≤)   h5       (4, ≤)
    3    (8, ≤)   (5, <)   (3, <)   h7

(b) M'   0        1        2        3
    0    3        (-3, ≤)  (-5, ≤)  ⊥
    1    (7, ≤)   h2       (2, ≤)   ⊥
    2    (6, ≤)   (3, ≤)   h5       ⊥
    3    ⊥        ⊥        ⊥        ⊥

(c) M''  0        1        2
    0    3        (-3, ≤)  (-5, ≤)
    1    (7, ≤)   h2       (2, ≤)
    2    (6, ≤)   (3, ≤)   h5

Fig. 5.4: Simple DBMs
Zone The clock zone ζ is represented as a DBM (§2.7.5), i.e. a set of bounds $\{b_1, \ldots, b_z\}$. Here, the main issue is how to take advantage of clock activity reduction in order to reduce the storage requirements. For example, consider a TA A with clock set $H = \{h_1, h_2, \ldots, h_7\}$, whose set of reachable states contains no state in which more than 3 clocks are active simultaneously, and many states which have fewer than 3 active clocks. It is sensible to take advantage of this observation in the state vector representation of the DBM's. We illustrate this with an example. Figure 5.4(a) shows a DBM in which only the clocks $h_2$, $h_5$ and $h_7$ are active. First, notice that the diagonal of any DBM contains redundant information: for any H-polyhedron ζ, $h - h = 0$, for all $h \in H$. So this information need not be stored explicitly in a DBM representing ζ. Instead, we can use the diagonal to store the size of the (active part of the) DBM and the names of the active clocks, whose differences are represented in the DBM. In Figure 5.4(a), the value of $M_{0,0}$ indicates that M is a DBM of size 4; the value of $M_{1,1}$ shows that row (1) and column (1) represent clock $h_2$; the value of $M_{2,2}$ shows that row (2) and column (2) represent clock $h_5$; and so the value of $M_{1,2}$ shows that $h_2 - h_5 \leq 2$.
In representing a zone containing fewer than 3 active clocks, we can use a DBM of the same size as that for a 3-clock zone, marking as unused those cells which are not required. Figure 5.4(b) shows a DBM M' which represents a zone having 2 active clocks, $h_2$ and $h_5$. $M'_{0,0}$ shows that the active part of the DBM has size 3. We use ⊥ to show that the entries in row (3) and column (3) are unused. In this way we can use DBMs of constant size in all states. This is useful in conjunction with a MA state store, where all state vectors are required to be the same length. Naturally, we choose the smallest size which is large enough to represent the maximum number of active clocks occurring in any state.
Fig. 5.5: State vector representation of a 3-clock zone 
Alternatively, we can choose to use DBMs of variable dimension in which, for each state, there are only as many entries as are required to store the values of the active clocks for that state [Tri98]. Figure 5.4(c) shows the DBM M'', which represents the same zone as M' but has fewer entries. This representation can reduce memory requirements when clock zones are stored in an auxiliary hash table, and only a pointer to a clock zone is stored in each state vector entry in the MA.
In the following, we will use DBMs of both constant and variable dimension. Figure 5.5 shows a typical state vector representation of the DBM M.
5.4.2 Mapping the state vector to MA layers 
It is clear that the way in which a state vector is partitioned, and the partitions 
allocated to layers, will have a major impact on the memory reduction achieved 
when storing a set of state vectors in a MA. Consider an extreme case in which 
the whole state vector is allocated to a single layer. All possibility for sharing 
is lost and there is no compensation for the overheads of implementing the 
MA. At the other extreme, one can consider a bit-level allocation, in which 
each bit of the state vector is allocated to a layer in the MA, giving, for a 
state vector of n bits, a MA of n + 1 layers over the alphabet {0, 1}. This 
scheme allows the possibility of maximal sharing, but increases the overheads 
incurred in implementing the layers: each bit of the state vector needs 2 pointers 
to encode it. It is easy to envision similar schemes with a different unit of 
allocation: byte or word, for example. The height of a MA is given by the 
number of layers, the width is the largest number of nodes on a layer, and is 
proportional to the size of the alphabet, IAI. A small unit of allocation leads to 
a 'tall, thin' MA, a large unit of allocation to a 'short, fat' MA. It is not clear, 
analytically, which scheme will lead to the most compact encoding, in general. 
Holzmann and Puri [HP99] show experimental data suggesting that a byte-level 
partitioning is a reasonable choice for the state spaces which they consider. 
Another approach to partitioning the state vector seeks to maintain the 
integrity of state variables within a single layer of the MA. A simple application 
of this idea is a partitioning in which each variable is allocated to its own MA 
layer. A modification of this approach allows variables over small domains to 
be clustered together in a single layer. Only when the domain of a variable is 
considered to be too large, is it split over two or more layers. This approach 
is adopted effectively in the GE-SET implementation of [Gre96]. However, it 
is not so easy to implement this partitioning automatically, and the byte-level 
partitioning of [HP99] appears to be just as effective. 
5.4.3 Variable Ordering 
In common with other compact encodings, such as BDD's [Bry86] and GE-
sets [Gre96], MA's are sensitive to variable ordering, i.e., the size of a MA 
representing a set of state vectors can be affected by the ordering of variables 
within the state vector: for some variable orderings, growth in memory usage 
may be linear in the number of states; for others, growth may be exponential. 
In the construction of MA's, the following guidelines have proved useful in 
achieving an acceptable growth. 
• Ensure that the least frequently changing components of the state vector 
occur as prefixes and suffixes, in order to promote as much sharing as 
possible. 
• Group together variables which are strongly related, i.e., which show 
clearly identifiable patterns of recurrence in the set of reachable state 
vectors. 
These ideas have been confirmed frequently in applications of sharing trees [GGZ95, Gre96, Zam97], and the latter idea is familiar also to users of BDD's, where it 
arises in the well-known recommendation to interleave the variables of the pre-
and post-states in representing a transition relation [Bry92]. 
In applying these principles to the construction of a MA state store for 
bCANDLE, we have considered the following possibilities: 
• permutations of the major state vector components: marking W, context 
C (network and data environment) and zone Z. 
• placement of cells within the encoding of the DBM representing the clock 
zone (see Figure 5.6): 
- O0 is the standard row-major matrix encoding;
- O1 removes clock names from the diagonal, stores them before all other cells and then follows row-major ordering of the remaining cells;
- O2 removes clock names from the diagonal, as for O1, and additionally, stores contiguously both the lower and upper bounds for each clock difference.
Of course, there is no guarantee that this framework leads to the discovery of 
an optimal variable ordering. However, the experimental results indicate that, 
in many practical applications, it does lead to the discovery of an ordering 
whereby substantial reductions in memory requirements can be achieved. 
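The following Python functions are an added example (not the bCANDLE compiler's code) covering two points of this section: the compaction of a DBM to its active clocks described under Zone in §5.4.1, reproducing M, M' and M'' of Figure 5.4 from a constructed 8 × 8 DBM over h1, …, h7, and the cell orderings O0, O1 and O2 just listed, applied to M''. The names compact_fixed, compact_variable and order_cells, the Python value used for the ⊥ marker and the treatment of inactive clocks as unconstrained in the constructed input are ours.

```python
# Added example, not the thesis's code: active-clock compaction of a DBM
# (Figure 5.4) and the cell orderings O0/O1/O2 of §5.4.3 (Figure 5.6).
from math import inf

LE, LT = "<=", "<"          # the two comparison operators of a bound (c, ≺)
BOTTOM = None               # stands for the unused-cell marker ⊥ of Figure 5.4(b)

# All clocks of the example TA; index 0 is the reference (zero) clock of the DBM.
CLOCKS = ["0", "h1", "h2", "h3", "h4", "h5", "h6", "h7"]

# Figure 5.4(a) transcribed as a constructed input: rows and columns are the
# reference clock followed by the active clocks h2, h5, h7; diagonal omitted.
FIG_5_4_A_ACTIVE = ["h2", "h5", "h7"]
FIG_5_4_A = [
    [None,    (-3, LE), (-5, LE), (-2, LE)],
    [(7, LE), None,     (2, LE),  (5, LE)],
    [(6, LE), (3, LE),  None,     (4, LE)],
    [(8, LE), (5, LT),  (3, LT),  None],
]


def make_full(clocks, active, small):
    """Embed a DBM over the active clocks into one over all `clocks`.
    The inactive clocks are left unconstrained here (constructed input)."""
    n = len(clocks)
    full = [[(inf, LT)] * n for _ in range(n)]
    keep = [0] + [clocks.index(h) for h in active]
    for r, i in enumerate(keep):
        for c, j in enumerate(keep):
            if r != c:
                full[i][j] = small[r][c]
    for i in range(n):
        full[i][i] = (0, LE)            # h - h <= 0: the redundant diagonal
    return full


def compact_fixed(dbm, clocks, active, size):
    """Constant-size DBM of Figure 5.4(a)/(b): keep only the rows and columns
    of the active clocks; M[0][0] holds the active size, the other diagonal
    cells hold the clock names, and cells beyond the active part are ⊥."""
    keep = [0] + [clocks.index(h) for h in active]
    n = len(keep)
    if n > size:
        raise ValueError("more active clocks than the fixed DBM size allows")
    m = [[BOTTOM] * size for _ in range(size)]
    for r, i in enumerate(keep):
        for c, j in enumerate(keep):
            m[r][c] = dbm[i][j]
    m[0][0] = n
    for r in range(1, n):
        m[r][r] = clocks[keep[r]]
    return m


def compact_variable(dbm, clocks, active):
    """Variable-dimension DBM of Figure 5.4(c): the fixed form with ⊥ trimmed."""
    n = len(active) + 1
    return [row[:n] for row in compact_fixed(dbm, clocks, active, n)]


def order_cells(m, ordering):
    """Linearise a compacted n x n DBM under the cell orderings of §5.4.3.
    O0: row-major, diagonal included;
    O1: the diagonal (size and clock names) first, then the off-diagonal
        cells in row-major order;
    O2: as O1, but the lower and upper bound of each clock pair are adjacent."""
    n = len(m)
    if ordering == "O0":
        return [m[i][j] for i in range(n) for j in range(n)]
    diagonal = [m[i][i] for i in range(n)]
    if ordering == "O1":
        return diagonal + [m[i][j] for i in range(n) for j in range(n) if i != j]
    if ordering == "O2":
        pairs = []
        for i in range(n):
            for j in range(i + 1, n):
                pairs += [m[i][j], m[j][i]]
        return diagonal + pairs
    raise ValueError("unknown ordering " + ordering)


FULL = make_full(CLOCKS, FIG_5_4_A_ACTIVE, FIG_5_4_A)


def figure_5_4():
    """Reproduce M, M' and M'' of Figure 5.4 from the full 8 x 8 DBM."""
    m_a = compact_fixed(FULL, CLOCKS, ["h2", "h5", "h7"], 4)
    m_b = compact_fixed(FULL, CLOCKS, ["h2", "h5"], 4)
    m_c = compact_variable(FULL, CLOCKS, ["h2", "h5"])
    return m_a, m_b, m_c
```

For the 3-clock M'' all three orderings produce the same 9 cells; they differ only in position, and position is what the prefix and suffix sharing of a MA is sensitive to.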
Fig. 5.6: Orderings of the cells of DBM M'' (see Figure 5.4)
5.5 An experimental platform 
No state storage technique can escape the known worst-case complexity of reach-
ability analysis. The best that can be hoped is that heuristics are identified 
which improve performance on a range of examples which arise in practice. This 
can only be confirmed empirically. In this section, we introduce the salient fea-
tures of an experimental platform which has been developed in order to allow 
us to explore a variety of approaches to the analysis of bCANDLE systems. 
5.5.1 The bCANDLE Compiler 
We have implemented a prototype 'compiler' for bCANDLE. The compiler is 
written in ML and generates C code to perform a given task on a system model. 
The user can choose to 
1. generate the timed automaton for the model (in KRONOS .tg format),
2. perform reachability analysis of the simulation graph on-the-fly, without
first generating the timed automaton, 
3. explore the simulation graph interactively. 
It is the second facility which is of interest here. An important feature of the 
reachability analyser is that it provides the user with a wide choice of techniques 
for the storage of the state space. 
5.5.2 State Space Storage Modes 
The bCANDLE compiler is able to generate C code for a variety of state space 
storage modes. Each mode is based upon essentially the same state vector 
encoding, as introduced below. 
State vector encoding 
A state vector comprises a marking, network, data environment and clock zone. 
Marking The marking is represented by a bitmap in which, for each place in 
the control system net, there is a corresponding bit, whose value is 1 if 
the place is marked and 0 if it is not. 
Network The network is represented by a pair of arrays: a channel status 
array and a message array. The channel status array records the status 
of each channel, where a channel status is encoded in two 16 bit integers. 
Two bits of the first integer are allocated for the representation of the con-
dition of the channel (FREE, PRE, ACCEPT or POST), 11 bits store the 
message identifier, and the remaining bits are unused. The second integer 
records the message value. If the channel condition is FREE, the message 
identifier and value are unused. The message array is a fixed length array 
of messages where each message is encoded in two 16 bit integers. Five 
bits of the first integer are used for the channel identifier, and the re-
maining 11 bits for the message identifier. The second integer records the 
message value. The length of the message array is user-definable, the optimal length being the maximum number of messages which are pending 
transmission simultaneously in the network of some system state. 
Data environment The data environment $\{x_1 \mapsto v_1, x_2 \mapsto v_2, \ldots, x_d \mapsto v_d\}$ is encoded by fixing an order for the data variables and storing the values only. A data value $v_i \in V_{x_i}$ is encoded using $n_i = \lceil \log(|V_{x_i}|) \rceil$ bits, and the set of values is represented by $\lceil (\sum_{x_i \in \mathit{Var}} n_i)/8 \rceil$ bytes.
Zone The zone is represented by an array of bounds. Each bound $(c, \prec) \in \mathbb{Z}_\infty \times \{<, \leq\}$ is encoded using a 16 bit integer in which 15 bits are used for the constant value $c$ and 1 bit to distinguish between the comparison operators, $<$ and $\leq$.
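As an added example (not the C code generated by the bCANDLE compiler), the Python functions below encode a state vector with the field widths just described: a bitmap marking, two 16-bit words per channel status and per pending message, bit-packed data values and 16-bit bounds. The bit positions within each word, the little-endian byte order, the two's-complement encoding of the 15-bit constant and the sentinel used for ∞ are not fixed by the text and are our assumptions, as are all function names.

```python
# Added example, not the compiler's generated code: byte-level encoding of a
# bCANDLE state vector with the field widths of §5.5.2.
import struct

FREE, PRE, ACCEPT, POST = range(4)      # the 2-bit channel condition


def encode_marking(marked, n_places):
    """Bitmap over the places of the control system net: bit i is 1 iff place
    i is marked. Using bit i % 8 of byte i // 8 is our assumption."""
    buf = bytearray((n_places + 7) // 8)
    for p in marked:
        if not 0 <= p < n_places:
            raise ValueError("unknown place %r" % (p,))
        buf[p // 8] |= 1 << (p % 8)
    return bytes(buf)


def encode_channel(condition, msg_id=0, value=0):
    """Two 16-bit words: condition in 2 bits and message identifier in 11 bits
    (3 bits unused), then the message value. A FREE channel carries no message,
    so its unused fields are zeroed; otherwise equal states would encode differently."""
    if condition == FREE:
        msg_id, value = 0, 0
    if not (0 <= condition < 4 and 0 <= msg_id < 1 << 11 and 0 <= value < 1 << 16):
        raise ValueError("channel field out of range")
    return struct.pack("<HH", condition | (msg_id << 2), value)


def encode_message(channel, msg_id, value):
    """A pending message: 5-bit channel identifier and 11-bit message
    identifier in the first word, the value in the second."""
    if not (0 <= channel < 1 << 5 and 0 <= msg_id < 1 << 11 and 0 <= value < 1 << 16):
        raise ValueError("message field out of range")
    return struct.pack("<HH", channel | (msg_id << 5), value)


def encode_queue(queue, length):
    """Fixed-length message array; unused slots are all-zero."""
    if len(queue) > length:
        raise ValueError("more pending messages than the array can hold")
    slots = list(queue) + [(0, 0, 0)] * (length - len(queue))
    return b"".join(encode_message(*m) for m in slots)


def encode_data(values, domains):
    """Store each value as its index in its domain, in ceil(log2 |V_x|) bits,
    all values packed into ceil(sum n_i / 8) bytes."""
    packed, nbits = 0, 0
    for v, dom in zip(values, domains):
        n = (len(dom) - 1).bit_length()         # exact ceil(log2 |V_x|)
        packed |= dom.index(v) << nbits
        nbits += n
    return packed.to_bytes((nbits + 7) // 8, "little")


INF = (1 << 14) - 1     # assumption: the largest 15-bit constant stands for infinity


def encode_bound(c, strict):
    """Bound (c, ≺) as one 16-bit word: 15-bit two's-complement constant
    and one bit set for '<', clear for '<='."""
    if not -(1 << 14) <= c <= INF:
        raise ValueError("constant does not fit in 15 bits")
    return ((c & 0x7FFF) << 1) | (1 if strict else 0)


def decode_bound(word):
    c = word >> 1
    if c & 0x4000:          # sign bit of the 15-bit field
        c -= 0x8000
    return c, bool(word & 1)


def encode_zone(bounds):
    return b"".join(struct.pack("<H", encode_bound(c, s)) for c, s in bounds)


def encode_state_vector(marked, n_places, channels, queue, queue_len,
                        values, domains, bounds):
    """Concatenate the components in the order of Figure 5.3: marking,
    network (channel statuses, then the message array), data, zone."""
    return (encode_marking(marked, n_places)
            + b"".join(encode_channel(*ch) for ch in channels)
            + encode_queue(queue, queue_len)
            + encode_data(values, domains)
            + encode_zone(bounds))
```

Zeroing the unused fields of a FREE channel matters for a state store: two identical states must yield identical strings, or a MA (or a hash table) would record them twice.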
Storage modes 
The following storage modes are defined: 
H The state vector encoding is as described above. In each state, storage is 
allocated for the maximum number of clocks required system-wide, even 
though there may be many states in which fewer clocks are active (§5.2.2). 
The set of visited states is stored in a single hash table. This mode corre-
sponds to the 'naive' approach, as adopted in early versions of UPPAAL 
and KRONOS. 
M As for H, except that the set of visited states is stored as a MA. In con-
structing the MA, the state vector is treated as a string of bytes. A state 
vector of n bytes gives rise to a MA of n + 1 layers. In this mode, the 
user has further options to control the ordering, within the state vector, 
of the location components: marking W, context C (network and data 
environment) and zone Z. Any permutation of the location components 
is permissible. In addition, it is possible to choose one of the orderings O0, O1 and O2, which modify the placement of cells within the encoding of the DBM representing the clock zone, as discussed in §5.4.3.

System    Procs  Vars  Chans  Mtypes  Clocks  Zones   States
Boiler1   2      2     1      1       5       22824    115660
Boiler2   2      3     1      1       3         588   1110198
Disbmut   4      10    1      6       6       46561    223604
Tab. 5.1: Test systems
HV Each state vector is encoded as for mode H, except that the clock zone is 
represented by a pointer to a variable dimension matrix. The set of state 
vectors is stored in one hash table and the associated variable dimension 
matrices in another. This means that for each state, only sufficient storage 
is allocated for the number of clocks active in it, and that only one copy 
of each distinct clock zone is stored for the whole system. This mode 
corresponds closely to the storage method adopted in the most recent 
implementations of KRONOS [Tri98]. 
MV As for HV, except that the hash table storing the state vectors is replaced 
by a MA, constructed as for mode M. 
For any of these storage modes, the user can choose whether or not to apply 
the clock activity reduction of §5.2.2. 
5.6 Experiments 
5.6.1 System models 
We have tested our implementation on some example system models: Boiler1 
and Boiler2 model part of a boiler control system; Disbmut models a CAN im-
plementation of a standard algorithm for distributed mutual exclusion [Tan92]. 
The model included here is for a single coordinator and three competing pro-
cesses. Table 5.1 gives information regarding the scale of the examples: number 
of processes, variables, CAN channels, message types and clocks required by 
each system, and the number of distinct zones and symbolic states identified in 
generating the whole of the reachable state space in the simulation graph. 
5.6.2 Experimental results 
Performance measurements for each system and each state space storage mode 
are given in Table 5.2. We show the time taken and the total memory used in 
generating the reachable state space. We take mode H as the basis of compar-
ison and show memory compression and time overheads as percentages of the 
requirements of mode H. It should be noted that clock activity reduction was 
applied in all cases. The measurements were taken on a 233MHz Pentium II 
having 64Mb RAM (58Mb available) and 128Mb swap, running RedHat Linux 5.0.

System    Mode  Mem (Mb)  Comp %  Time (s)  Over %
Boiler1   H     11.90     100      15       100
          M      7.89      66      73       486
          HV     5.48      46      15       100
          MV     2.99      25      24       160
Boiler2   H     56.45     100      89       100
          M      3.79       7     205       230
          HV    25.44      45      81        92
          MV     3.30       6     140       157
Disbmut   H     34.53     100      66       100
          M     15.10      44     266       403
          HV    16.02      46      65        98
          MV     9.55      28      89       135
Tab. 5.2: Comparison of storage modes

System    Mode  Order     Nodes    Edges    Mem (Mb)
Boiler1   M     ZWC, O1   140757   429127     7.89
          M     WZC, O2   310224   879807    15.57
          MV    WZC         4659    57194     2.99
          MV    CZW         4420    73846     3.61
Boiler2   M     CWZ, O0    14002    49372     3.79
          M     ZCW, O0    54041   139680     5.33
          MV    CWZ         4988    28657     3.30
          MV    ZCW        45674   120875     5.04
Disbmut   M     CWZ, O1   258518   718351    15.10
          M     WZC, O2        -        -   >63.43
          MV    CWZ        74085   376663     9.55
          MV    WCZ       209094   651873    15.59
Tab. 5.3: Impact of variable ordering on minimised automaton modes
Table 5.3 shows the state space usage of the variable orderings which show 
the best, and the worst, performance for each system and each MA mode. The 
nodes (resp. edges) column shows the total number of nodes (resp. edges) used 
in the final MA. 
5.6.3 Discussion of experimental results 
Reference to Table 5.2 shows that the most economical use of space, for all 
examples, involves the use of a MA. The memory reductions achieved range 
approximately from a factor of 4 to a factor of 17, with reductions at the lower 
end of this range for realistic systems. When considering the effect of the inclu-
sion of timing information, we observe that the inclusion of the zone encoding 
in the MA (mode M) gives a worse use of space than that given by the use 
of variable dimension matrices (mode MV). This suggests that a MA repre-
sentation does not enable sufficient sharing to compensate for the inclusion of 
redundant bounds within clock zones, nor does it allow for significant sharing 
of bounds, either in a union of zones associated with a single discrete state, 
or between zones associated with different discrete states. However, it is clear 
that the MA representation is effective in encoding the discrete state variables. 
Moreover, the inclusion of timing information, in the form of variable dimen-
sion matrices, although having a somewhat adverse effect, allows for significant 
memory reductions - compare the average reduction factor of 6.5, achieved for 
the timed systems analysed here, with that of 7.1 for systems without timing 
information as reported in [HP99]. 
As expected, we pay a time performance penalty for the use of MA, the av-
erage increase being by a factor of about 1.5. Notice, however, that in all cases, 
it is possible to find a MA mode in which the memory reduction significantly 
outweighs the time overhead. 
Achieving good compression requires the use of a good variable ordering. 
From Table 5.3, we observe that in 4 of 6 cases the best ordering for the state 
vector components is context, marking, zone (CWZ), and in 2 of 3 cases the 
best ordering for cell elements is O1. Although not shown here, we note that 
in the exceptional cases, the performance of CWZ and O1 is only slightly 
worse than the best. Notice, however, that use of a bad variable ordering can 
be disastrous, as witnessed by the worst case¹ for Disbmut, mode M, which 
increases memory requirements by a factor of more than 2. 
5.7 Related work 
Courtiat and de Oliveira have proposed a similar approach to on-the-fly reachability analysis of a timed process algebra [CdO95]. Our approach has been 
developed independently and differs in several important respects. Firstly, 
it keeps within the framework of timed safety automata, which have been 
studied extensively [HNSY94, NSY91, NSY92, Sok96, Yov93, Yov97] and are 
well-understood; in their paper, Courtiat and de Oliveira propose a different 
model, called Dynamic Timed Automata, which appears not to be used else-
where. Secondly, it is able to take advantage of a standard clock reduction 
technique [Daw98a, DT98, DY96, Tri98]. Finally, it is based upon a compact 
net representation of control states, which allows each state vector to be en-
coded very efficiently. By contrast, the method of Courtiat and de Oliveira 
uses structural configurations which are closely related to the abstract syntax 
of process terms, and consequently appears to suffer from a bloated state vector 
representation [ACdP97]. However, an interesting feature of their work is its 
use of the algorithm of Yannakakis and Lee [YL93] to minimise the reachability 
graph as it is constructed. We intend to investigate whether our approach can 
benefit from this idea.
¹ In fact, the worst case for Disbmut failed to terminate with the available resources; hence the approximation shown in the table.
The use of binary decision diagrams (BDDs) for compact state space rep-
resentation is well-known [BRB90, Bry86, Bry92]. However, there is a growing 
body of evidence which supports the view that, in the analysis of asynchronous 
systems, explicit state enumeration, combined with other compaction methods, 
often provides better performance - see for example the paper of Visser [Vis96] 
in which BDDs are compared unfavourably with sharing trees for representing 
the state space in the SPIN model checker. 
If one is prepared to allow a very small probability that not all reachable states are considered in an analysis, then the bitstate technique of Holzmann [Hol95] and the probabilistic hash compaction of Stern [Ste97] can achieve 
memory reductions of one or two orders of magnitude. 
The stack storage method of [Hol90] allows reachability analysis without 
the need to store the set of visited states at all, but at the cost of a potentially 
exponential increase in run time. Run time performance can be improved by 
adapting this technique with the maintenance of a state space cache [Hol85, 
JJ91]. This method is particularly effective in combination with partial order 
reduction [GHP95]. 
Representation of timing constraints by DBMs was proposed by Dill [Dil89] 
and has been preferred in the most efficient verification tools for timed systems, 
such as KRONOS [HNSY94] and UPPAAL [LPY97]. 
Wong-Toi and Dill [WTD94] and Balarin [Bal96] have each shown techniques for encoding the transition relation of timed systems using BDD's, approximating unions of zones using convex hulls. Bozga et al. [BMPY97] offer a canonical representation of discretised sets of clock configurations using NDDs² [ABK+97], which are a BDD-based encoding amenable to combination 
with a symbolic representation of the discrete part of the system. The difficulty 
with these techniques is that they are very sensitive to the size of the constants 
in the timing constraints of the system model. If the constants are large then 
state space explosion is not controlled effectively. 
Larsen et al. [LLPY97] propose a compact encoding for DBMs which provides a minimal and canonical representation of clock constraints and allows for 
efficient inclusion checking between constraint systems. They do not consider 
how this representation may be combined with a compact representation of the 
rest of the system. 
Behrmann et al. [BLP+99] have recently proposed clock difference diagrams 
(CDD's) as a data structure for the compact representation of unions of zones. 
On a variety of case studies, they report space savings of between 46%-99% 
over their earlier DBM implementation. Difference decision diagrams (DDD's) 
are a similar data structure developed by Møller et al. [ML98]. As yet, they 
are relatively untried in practice, although experimental results of their appli-
cation in the analysis of a timed version of Milner's cyclic scheduler are very 
promising [MLAH99]. Other work in this area are the Interval Diagrams of 
Strehl [Str99], the Region Encoding Diagrams of Wang [WanOO] and the timed 
polyhedra of Bournez and Maler [BMOO]. 
² Numerical Decision Diagrams
5.8 Conclusions and further work 
In this chapter, we have introduced an on-the-fly algorithm for reachability 
analysis of bCANDLE systems. The algorithm allows for the analysis of a sys-
tem model during construction of its simulation graph, without first requiring 
construction of its equivalent TA. We have also shown how clock activity reduction can be applied on-the-fly. This is essential, in practice, for the analysis 
of even moderately sized models. In addition, we have proposed the use of 
MA's for the representation of the state space in the reachability analysis of 
timed systems. The advantage of this approach is that a compact representa-
tion of the discrete state variables can be combined very simply with a DBM 
representation of clock zones. Experimental results suggest that this leads to 
significant space reductions, which are achieved in spite of the inclusion of tim-
ing information. The impact of MA's on the space requirements of clock zones 
is less promising and shows no improvement over the use of variable dimension 
DBM's. For this reason, we expect to see the greatest benefits in the analysis 
of asynchronous, data-bearing systems, where the value of this approach has al-
ready been demonstrated in untimed settings [GGZ95, Gre96]. The CAN-based 
systems which we consider fall mainly within this class. 
Further work includes applying MA state storage to a wider range of ex-
amples in order to confirm the findings reported here. In addition, it may be 
possible to discover more effective partitionings and variable orderings than 
those considered so far: techniques based on a static analysis of variable de-
pendencies may offer a promising line of attack. It would also be worthwhile to 
consider combining MA state storage with orthogonal state vector compression 
techniques such as the collapse method of [Vis96], the tightening of variable 
ranges of [GdV99] and the compact DBM encoding of [LLPY97]. It is also 
necessary to compare the performance of MA state storage with CDD's and 
DDD's. It is clear that a MA gives a more natural encoding of the discrete 
state variables, however CDD/DDD's are likely to be more effective in the 
compact representation of clock zones. More substantial work is needed in or-
der to assess the effectiveness of MA state storage in conjunction with partial 
order reduction. A potential advantage of the MA approach over CDD/DDD's 
is that a MA state store does not hinder a standard implementation of p.o. re-
duction, based on depth-first search with tagging of states already on the stack. 
It is not yet clear how p.o. reduction can be combined with a fully symbolic 
use of CDD/DDD's. 
In a wider context, we expect that a MA option would be a useful addition 
to KRONOS and UPPAAL, now that both tools handle system descriptions 
with discrete variables. 
6. CANDLE: MODELLING AND 
ANALYSIS IN PRACTICE 
6.1 Introduction 
This chapter presents CANDLE - a CAN Development Language and Environ-
ment. The purpose of CANDLE is to demonstrate 
• a programming language for distributed embedded systems whose com-
ponents communicate using the CAN protocol, and 
• a development environment which integrates a variety of tools to support 
both system implementation and formal analysis. 
Our approach is very much influenced by ESTEREL [BG92], a programming 
language and tool set for the construction and analysis of uni-processor 
embedded systems. We aim to provide support for the view that bCANDLE 
offers an effective formal basis to support the ESTEREL philosophy of WYVIWYE 
('What You Verify Is What You Execute') in the case of CAN-based 
distributed systems. The emphasis in this chapter is on the construction and 
analysis of models, rather than on code generation and system implementation, 
which are mentioned only in connection with model construction. 
Work on CANDLE continues. Both the language and the development 
environment are evolving. This chapter provides a snapshot of the current 
status. The chapter is organised as follows. An informal 'tour' of the language, 
in the style of the ESTEREL Language Primer [Ber98a], is presented in §6.2 
and a simple data modelling language is introduced in §6.3. The translation 
to bCANDLE is discussed in §6.4. Section 6.5 outlines the main features of 
the development environment which support the construction and analysis of 
formal models of a CANDLE system. A simple example is described in §6.6. 
Finally, conclusions and related work appear in §6.7. 
6.2 A Tour of CANDLE 
The CANDLE language is intended as a simple, high-level programming lan-
guage for use in the construction of distributed, CAN-based, embedded systems. 
It can be used to describe the implementation of CAN system designs, which 
may have been developed and explored at an abstract level using bCANDLE. 
Particular care has been taken to ensure that a formal model of a system can 
be automatically extracted from its CANDLE implementation. This has the 
6. CANDLE: Modelling and Analysis in Practice 147 
benefits of removing the task of model construction from the system developer 
and ensuring that the model which is analysed is up to date with the current 
implementation. A CANDLE program can be translated automatically into a 
program written in a host language, such as C or Ada, in order to construct a 
system implementation, or it can be translated automatically into a bCANDLE 
model, and thence to a Prolog or C implementation of the corresponding la-
belled transition system, for the purposes of simulation and verification. This 
section provides an informal introduction to CANDLE. A complete grammar 
appears in Appendix C and details of the construction of a formal model are 
given in §6.4. 
6.2.1 Modules 
A CANDLE program consists of a collection of modules. The CANDLE module 
system is modelled on that of ESTEREL. A module has a name and, optionally, 
a declaration part and a body which is an executable statement. One module 
is designated as the main program module. Modules can use sub-modules by 
executing module instantiation statements. If module A uses another module 
B, then A is said to depend on B. The module dependency relation is required 
to be acyclic, i.e. recursive module instantiation is prohibited. 
Here is a simple example of a CANDLE module: 
module Flow is 
  const 
    PERIOD : duration 
  type 
    flow_reading 
  procedure 
    ReadSensor(out flow_reading) 
  channel 
    k : (flow.flow_reading) 
  var 
    x : flow_reading 
  behaviour 
    every PERIOD do 
      ReadSensor(x); 
      snd(k, flow.x) 
    end every 
end module 
The name of the module is Flow and it implements the behaviour of the 
flow sensor task described in §3.7. This is a task which periodically reads a flow 
sensor and broadcasts its value on a communication channel. This behaviour is 
shown in the module following the keyword behaviour. The preceding sections 
are declarations of constants, types, procedures, channels and variables. These 
language features are explained below. 
6.2.2 Data declarations 
As with ESTEREL, CANDLE provides only a very limited facility for de-
scribing data types and operations, instead it relies on an external data lan-
guage to provide the necessary definitions. This approach occasionally appears 
rather cumbersome but is extremely flexible in practice. It provides porta-
bility, and more importantly, facilitates the use of different languages for data 
modelling and implementation. This allows the user to choose an abstract, non-
deterministic language, such as Z, for modelling, and a traditional programming 
language, such as C or Ada, for implementation. 
A simple data modelling language, SDML, is introduced later in §6.3 in 
order to illustrate the use of an external data language with CANDLE for the 
purpose of constructing system models. With some additional work, more fully 
developed modelling languages such as B [Abr96], VDM [Jon90] and Z [Spi88] 
could be used instead of SDML. This would require the reconciliation of different 
styles of semantic definition, e.g. the denotational style of Z with the operational 
style of bCANDLE. The restriction of CANDLE to finite data types should 
simplify this problem and future work will seek to exploit this benefit. 
Data objects in CANDLE are either pre-defined or user-defined. A few 
primitive data operations are provided in order to ease the expression of some 
typical idioms: assignment, comparison and so on. All data objects are global 
to a program. Each data object used within a module must be declared in 
that module. In the case that a data object is declared in several modules of a 
multi-module program, it is required that the declarations are compatible (see 
module instantiation §6.2.4). 
Types and Operators 
CANDLE provides the primitive types unit, boolean, id and duration. 
• The unit type contains the single value uvalue. 
• The boolean type contains the constants true and false. The operations 
and, or and not are defined. 
• The id type is the set of message identifiers. For any CANDLE program, 
id contains the message identifiers occurring in the channel declarations 
of the program. 
• The duration type is the set of time units for CANDLE programs. There 
are pre-defined functions Secs, Msecs, Usecs and Cycles which can be 
used to convert to the duration type an integer expression representing 
seconds, milliseconds, microseconds and clock cycles, respectively. For 
example, the expression Msecs(30) denotes the value of type duration 
which is equivalent to 30 milliseconds. 
CANDLE allows the use of integer constants 0, 1, -1, 2, -2, ... and expressions 
involving the operators +, -, *, / and mod. However, there is no 
unbounded, primitive type integer. It is assumed that integer expressions 
evaluate to an element of some user-defined, finite integer subrange. 
User-defined types are introduced into a CANDLE program simply by 
declaring their names in a type declaration, for example: 
type flow_reading 
Several type names can be introduced in a single type declaration, as follows: 
type 
byte; 
command; 
resource_status 
As has been mentioned, user-defined types are abstract, the concrete definitions 
being given in an external data language. 
The relational operators =, /=, <, <=, >= and > can be used with any data 
type. If they are used, they must be adequately defined in the external data 
language. 
Constants 
Constants are introduced by declaring their name and type, as follows: 
const N : byte 
const PERIOD : duration 
The value of a constant is defined either in the external data language or 
through module instantiation. There is no explicit constant value definition 
in CANDLE. 
Variables 
Variables are assignable objects which have a name and a type. Variables are 
declared with the var declaration, as follows: 
var x : flow_reading 
var wl : water_level 
The variable declarations of a set of program modules give rise to a single global 
state space. If a variable is declared in two or more modules of a multi-module 
program then all declarations must be type compatible. CANDLE inherits the 
notion of type compatibility defined by the external data language. 
A variable may be modified by assignments, procedure calls and message 
receptions. It is not possible to assign a value to a variable in its declaration. 
Each variable must be initialised explicitly by an executable statement before it 
is used. It is an error if any variable is referenced by distinct behaviour expres-
sions occurring as the arguments of a parallel composition, i.e. concurrently 
executing processes cannot communicate via shared variables. 
Functions and Procedures 
Functions and procedures are introduced by declaring their names and the type 
of their parameters. Parameters must be declared to have one of the modes 
in, out or inout, so that an appropriate parameter-passing mechanism can 
be chosen for the host language, for example: call-by-value for in parameters 
and call-by-reference for out and inout parameters. The following example 
illustrates: 
procedure 
  ReadSensor(out flow_reading); 
  UseResource() 
function 
  IsFullQueue(queue) : boolean 
If a parameter mode is not specified explicitly, the mode is assumed to be in. 
So the declaration of IsFullQueue above is equivalent to 
IsFullQueue(in queue) : boolean. 
All parameters to a function must be in parameters. Neither procedures nor 
functions can have access to variables, other than local variables, except through 
their parameter lists. It follows that function evaluation in CANDLE is side-
effect free. 
Channels 
Channels are the objects through which processes communicate by passing mes-
sages. Message passing is by broadcast using an abstracted CAN protocol. A 
message consists of a message identifier and an optional data value. A channel 
declaration introduces the name of a channel and optionally a set of priority 
ordered message templates which defines the messages which can be communi-
cated by the channel. For example, 
channel 
k : (ok.unit, node.command) 
declares a channel called k which can transmit two kinds of messages: those 
consisting of the message identifier ok and the unit value uvalue, and those 
consisting of the message identifier node and any value of the type command. 
The order of the message templates is significant: higher priority messages are 
declared first. So, for channel k, ok messages have higher priority than node 
messages. 
In a multi-module program, the complete declaration of a channel is derived 
from the (possibly partial) declarations of the channel in all modules where they 
occur. Not every declaration of a channel is required to be complete in itself. 
A channel declaration is complete when the identifier, priority ordering and 
value type of every message mentioned in the program body can be determined. 
Multiple channel declarations must be compatible, which means that they must 
agree on the priority ordering and value type of all messages. For example, the 
following are compatible declarations of the channel k declared above: 
channel k                               declare the name only 
channel k : (ok.unit)                   not all message templates declared 
channel k : (ok, node)                  message types not yet specified 
Whereas these declarations are not compatible: 
channel k : (node.command, ok.unit)     wrong priority ordering 
channel k : (node.unit)                 incompatible type 
Exceptions 
CANDLE allows exceptions to be declared and used in trap and exit state-
ments. An exception has a name and can carry a value. An exception is declared 
like a variable, by giving its name and the type of value carried: 
exception SensorFailure : unit 
exception Alarm : alarm_t 
As with variables, exceptions form part of the global state space of a program. 
If an exception is declared in two or more modules of a multi-module program, 
the declarations must be type compatible. 
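The compatibility and completeness rules for channel declarations (§6.2.2 above) can be checked mechanically. The following Python program is an added example, not code from the thesis or from the CANDLE tool set. It parses declarations in the textual form used above, records the 'higher priority than' constraints that each declaration contributes, and accepts a set of declarations only when those constraints are acyclic, which is exactly when the declarations agree on the priority ordering; a channel is reported complete only when every identifier has a type and a fixed position in the order. Because message priority decides CAN bus arbitration, a tool that silently resolved a conflicting ordering would change which message wins the bus, so the merge rejects the conflict instead. The declaration texts are constructed from the compatible and incompatible cases given in the text.

```python
"""Merging the partial channel declarations of a multi-module CANDLE program.
Added example, not code from the thesis or the CANDLE tool set.  Declarations
are written as in the chapter: "k : (ok.unit, node.command)", "k : (ok, node)"
(types not yet specified) or just "k" (name only)."""
from collections import defaultdict


class IncompatibleChannel(Exception):
    """Two declarations disagree on a value type or on the priority ordering."""


def parse_decl(text):
    """'k : (ok.unit, node)' -> ('k', [('ok', 'unit'), ('node', None)])."""
    if ':' not in text:
        return text.strip(), []
    name, rest = text.split(':', 1)
    templates = []
    for tpl in rest.strip().strip('()').split(','):
        if tpl.strip():
            ident, _, typ = tpl.strip().partition('.')
            templates.append((ident.strip(), typ.strip() or None))
    return name.strip(), templates


def merge_channel(decls):
    """Combine every (possibly partial) declaration of one channel.

    Returns {'ids': identifiers in priority order, 'types': id -> type or None,
    'complete': True iff every id has a type and a fixed position}.  Each
    declaration contributes 'a has higher priority than b' constraints for the
    templates it lists; a cycle among them means the declarations disagree on
    bus arbitration priority and is rejected rather than silently resolved."""
    names = {parse_decl(d)[0] for d in decls}
    if len(names) != 1:
        raise ValueError('declarations name different channels: %s' % sorted(names))
    types, lower = {}, defaultdict(set)      # lower[a] = ids declared after a
    for d in decls:
        _, templates = parse_decl(d)
        for pos, (ident, typ) in enumerate(templates):
            known = types.get(ident)
            if typ is not None and known is not None and known != typ:
                raise IncompatibleChannel('%s: %s vs %s' % (ident, known, typ))
            types[ident] = typ if typ is not None else known
            for other, _ in templates[pos + 1:]:
                lower[ident].add(other)
    # Kahn's algorithm.  The order is total iff exactly one id is ready at every
    # step; ids left over at the end lie on a cycle of conflicting constraints.
    indeg = {ident: 0 for ident in types}
    for ident in types:
        for other in lower[ident]:
            indeg[other] += 1
    order, total = [], True
    ready = sorted(ident for ident in types if indeg[ident] == 0)
    while ready:
        if len(ready) > 1:
            total = False                    # relative priority still open
        ident = ready.pop(0)
        order.append(ident)
        for other in sorted(lower[ident]):
            indeg[other] -= 1
            if indeg[other] == 0:
                ready.append(other)
    if len(order) != len(types):
        raise IncompatibleChannel('declarations disagree on priority ordering')
    complete = total and all(typ is not None for typ in types.values())
    return {'ids': order, 'types': dict(types), 'complete': complete}


# Constructed inputs: the compatible and incompatible cases given in the text.
COMPATIBLE = ['k : (ok.unit, node.command)', 'k', 'k : (ok.unit)', 'k : (ok, node)']
WRONG_ORDER = ['k : (ok.unit, node.command)', 'k : (node.command, ok.unit)']
WRONG_TYPE = ['k : (ok.unit, node.command)', 'k : (node.unit)']

if __name__ == '__main__':
    print(merge_channel(COMPATIBLE))
    for bad in (WRONG_ORDER, WRONG_TYPE):
        try:
            merge_channel(bad)
        except IncompatibleChannel as err:
            print('rejected:', err)
```

Two declarations that list disjoint lower-priority messages, say (ok.unit, node.command) and (ok.unit, stop.unit), are accepted but leave the relative priority of node and stop open, so the merged channel is reported as incomplete until a declaration fixes it; this is the case a compiler should refuse to generate code for, since the bus would otherwise resolve the order.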
6.2.3 Expressions 
The expression language of CANDLE is very simple. It is built from: 
• constant values of the predefined types unit, boolean, id and duration, 
together with the integer constants from some finite integer subrange; 
• variable identifiers; 
• a small number of built-in operators, including: and, or, not, +, -, *, /, 
mod, =, /=, <, <=, >= and >; 
• the pre-defined functions Secs, Msecs, Usecs and Cycles; 
• the exception value operator ?, which returns the value bound to a named 
exception; 
• user-declared function calls. 
Here are some examples of CANDLE expressions: 
temperature > maxTemperature 
count mod N = 0 or count < 10 
Alarm2String(?Alarm) 
Usecs(30) 
CANDLE adopts the type compatibility rules of the external data language. 
6.2.4 Statements 
null and idle statements 
The simplest CANDLE statements are null and idle. Execution of the null 
statement terminates instantaneously with no effect on the state of the network 
or data environment. Execution of the idle statement similarly leaves the 
program context unchanged but delays forever without terminating. 
Send and Receive statements 
Broadcast message transmission is initiated by the snd statement, as follows: 
snd(k, node.req) 
snd(k, ok) 
The first parameter names the communication channel on which the message 
is to be transmitted. The second parameter consists of a message identifier 
and, optionally, a data value, which together constitute the message to be 
transmitted, e.g. node. req where node is the message identifier and req is the 
data value. In the case that no data value is given, the unit value is assumed, 
e.g. snd(k, ok) is equivalent to snd(k, ok.uvalue). The snd statement is 
non-blocking. 
Willingness to receive a broadcast message is indicated by the rcv state-
ment, as follows: 
rcv(k, node.x) 
rcv(k, ok) 
The first parameter names the communication channel from which the message 
is to be received. The second parameter gives the required message identifier 
and, optionally, the data variable to which the received data value is to be 
assigned, e.g. rcv(k, node.x) can receive a message having the identifier 
node and will assign the data value of the message to the variable x. In the 
case that a message carries the unit data value, it is not necessary to specify 
a data variable to receive it, e.g. rcv(k, ok) succeeds when an ok message is 
available on channel k. 
The rcv statement is blocking: if there is no suitable message available, 
the calling process waits. 
Elapse statement 
The elapse statement is used to cause a process to wait for a specified period 
of time. 
elapse Secs(5) 
elapse Msecs(10) 
elapse Cycles(50) 
The constant expression denoting the extent of the delay is required to be 
evaluable at compile-time and must be of type duration. 
It is assumed that a compiler will generate code for the elapse statement 
which, starting from the initiation of its execution, will produce a delay which 
is as close as possible to the requested value. Construction of the model of the 
elapse statement needs to take into account how the generated code and the 
run-time environment operate in creating the delay. This is discussed in more 
detail in §6.4. 
Assignment and Procedure Call 
The assignment statement has the form 
x := e 
where x is a variable and e is a data expression. The variable and the expres-
sion must be type compatible. The bounds on the time taken to execute an 
assignment statement for a given variable type are determined either by analy-
sis of the code which is generated to perform the assignment, or by an explicit 
bounds declaration in the external data model, as discussed in §6.3. 
A procedure call has the form 
P(e1, ..., en) 
where e1 ... en are data expressions, whose mode and type are compatible with 
the corresponding parameters in the declaration of the procedure P. Bounds on 
the procedure execution time are determined as for the assignment statement. 
Sequential and Parallel statements 
CANDLE allows statements to be combined both in sequence and in paral-
lel. The sequencing of behaviours is described by the sequential composition 
operator ";", e.g. 
ReadSensor(x) ; snd(k,flow.x) 
where execution of the procedure ReadSensor is immediately followed by exe-
cution of the communication statement snd(k,flow. x). 
In the behaviour 
S1 ; S2 
the statement S1 is started as soon as the sequence is started. If S1 terminates, 
then S2 is started at once. If S1 does not terminate, then S2 is never started. 
The parallel statement is written using the parallel composition operator 
"|", e.g. 
ReadSensor(x) ; snd(k,flow.x) | rcv(k,flow.y) ; AdjustValve(y) 
The parallel composition operator has lower precedence than sequential com-
position. It is only allowed at the top-level of a behaviour. 
In the behaviour 
S1 | S2 
the statements S1 and S2 are both started as soon as the parallel behaviour 
is started, and are assumed to execute concurrently. The parallel behaviour 
terminates when both S1 and S2 terminate. Parallel composition in CANDLE is 
asynchronous and communication is restricted to message passing via broadcast 
channels. In order to guard against interference between the behaviours S1 and 
S2, it is required that the sets of variables and exceptions to which they refer 
are disjoint. 
If statement 
The if statement is used to allow the execution of a program to depend upon 
the value of boolean data expressions. The general form of an if statement is 
if e0 then S0 
elsif e1 then S1 
... 
elsif en then Sn 
else S 
end if 
where e0 to en are boolean expressions and S0 to Sn are statements, as is S. The 
elsif and else parts of the statement are optional. The expressions e0 to en 
are evaluated in sequence. The first true expression causes the corresponding 
statement to be executed. If none of the expressions evaluates to true, then 
the else statement S is executed if it is present, otherwise the if statement 
terminates. 
Iteration statements 
Repetitive behaviours can be described in CANDLE using a variety of iteration 
constructs. The simplest iteration construct is the basic loop statement which 
allows the expression of a behaviour which is executed repeatedly forever. The 
named loop statement extends the basic loop by providing a name which can be 
used in an exit statement to cause the named loop to be terminated. The every 
statement allows the description of a behaviour which is executed periodically. 
A basic loop statement has the form 
loop do 
  S 
end loop 
where S is a statement. A basic loop executes the statement S repeatedly 
forever. 
Here is an example of the use of a basic loop in implementing the Valve 
process for the flow regulator example of §3.7: 
module Valve is 
  type 
    flow_reading 
  procedure 
    AdjustValve(flow_reading) 
  channel 
    k : (flow.flow_reading) 
  var 
    x : flow_reading 
  behaviour 
    loop do 
      rcv(k,flow.x); 
      AdjustValve(x) 
    end loop 
end module 
The process repeatedly waits to receive a flow message and then adjusts a valve 
accordingly. 
A named loop statement has the form 
loop LoopName do 
s 
end loop 
where s is a statement and LoopName is an identifier. 
In the case of a named loop, an exit statement, occurring as part of the 
statement s, causes the loop to be terminated, e.g. 
x := 0; 
loop Transmit do 
snd(k, value.x); 
x := x + 1; 
if x = 10 then exit Transmit end if 
end loop 
The Transmit loop is terminated after ten iterations. 
Another form of repetition is introduced in CANDLE by the every state-
ment, which has the form: 
every T do 
s 
end every 
where T is a statically evaluable constant expression of type duration and s 
is a statement. The every statement causes s to be executed periodically, with 
execution beginning every T time units. For example, 
every Msecs(10) do 
  ReadSensor(x); 
  snd(k, flow.x) 
end every 
causes execution of the statement body to be initiated immediately and to be 
executed periodically every 10 msecs thereafter. 
Select statement 
A basic select statement allows a choice to be made from several alternative 
statements, depending on the reception of a message or the elapse of a time 
delay. It has the general form: 
select 
:: rcv(k1, i1.x1) ; S1 
:: rcv(k2, i2.x2) ; S2 
... 
:: rcv(kn, in.xn) ; Sn 
:: elapse T ; S 
end select 
If one of the rcv(kj, ij.xj) statements succeeds, then the program continues by 
executing the statement Sj. If more than one of the rcv statements can succeed 
simultaneously, then a choice between them is made non-deterministically. If 
no rcv statement can succeed before T time units have elapsed, then statement 
S is executed. 
CANDLE also offers an extended select statement, which has the form 
select 
in 
:: rcv(k1, i1.x1) ; S1 
:: rcv(k2, i2.x2) ; S2 
... 
:: rcv(kn, in.xn) ; Sn 
:: elapse T ; S 
  body 
end select 
and behaves like a basic select statement, except that the statement body is 
executed while a message reception or timeout is awaited. If a message is 
received or the time delay elapses before body terminates, then the execution 
of body is aborted and execution of the corresponding statement is started. If 
body terminates before a message is received or the time delay elapses then the 
select statement terminates. 
The following example illustrates both forms of the select statement: 
select 
in 
:: rcv(k,shutdown); ShutDown(); idle 
  loop do 
    select 
    :: rcv(k,pump_on) ; PumpOn() 
    :: rcv(k,pump_off) ; PumpOff() 
    end select 
  end loop 
end select 
The body of the outer select statement is a loop which repeatedly waits 
for either a pump_on or pump_off message and then executes the appropriate 
procedure. However, if a shutdown message is received, the loop is aborted, 
the ShutDown procedure is executed and the process idles. 
Trap and Exit statements 
The trap statement can be used to trap exceptions raised in a program block 
and to define an appropriate behaviour for handling each trapped exception. 
The trap statement has the general form: 
trap 
:: X1 => S1 
:: X2 => S2 
... 
:: Xn => Sn 
in 
  body 
end trap 
where each Xi is a previously declared exception identifier and each Si is 
a statement which acts as the handler for exception Xi. Execution of the trap 
statement begins by executing the statement body. An exception can be raised 
in body by using the exit statement. If an exception is raised, the execution 
of body is aborted and, if the exception is trapped, execution of the exception 
handler is started. In the case of a valued exception, the exit statement is used 
to define the value of the exception, e.g. 
exit Alarm(flowHigh) 
raises the Alarm exception and binds to it the value flowHigh. Notice that the 
value of an exception can be referred to in its handler by using the? operator, 
as in 
trap 
:: Alarm => if ?Alarm = flowHigh then ... end if 
in 
exit Alarm(flowHigh); 
end trap 
It is an error to attempt to refer to the value of an exception outside its handler. 
Module Instantiation 
A module can be instantiated within another module by using a module instan-
tiation statement. This has the forms 
M        module identifier, no renaming 
M[R]     module identifier, with renaming 
where M is the name of a module and R is a list of renamings. The instantiation 
is syntactically replaced by the body of the module M renamed according to R. 
A renaming e / I causes all occurrences of the identifier I in M to be replaced 
with the expression e. This is simple textual replacement; e is not evaluated 
at this point. The resulting module must be well-formed. 
All declarations are global to a CANDLE program. Therefore, the decla-
rations of the instantiated module are exported to the parent module. If the 
parent and child modules both declare objects having the same name, then the 
declarations must be compatible. Compatibility for constants, variables, pro-
cedures and functions is simply type compatibility as defined by the external 
data language. Compatibility for channels is described in §6.2.2 page 150. 
Here is an example of the use of module instantiation, which uses the Flow 
and Valve modules declared earlier. 
module FlowRegulator is 
behaviour 
Flow[Msecs(10)/PERIOD] | Valve[y/x] 
end module 
The details for the expansion of a module instantiation are as given below. 
Firstly, a module is called independent if it does not contain any module 
instantiation statements in its body; otherwise it is said to be dependent. 
• To expand an independent module instantiation M1[R] in a parent module M: 
  1. Apply the renaming R to M1, giving the renamed module M1'. 
  2. Textually replace the module instantiation statement with the body 
     of the module M1'. 
  3. Merge the declarations of M1' with the declarations of its parent 
     module M. 
• To expand a dependent module instantiation M1[R] in a parent module M: 
  1. Recursively expand any module instantiations in the body of M1. 
  2. Expand the remaining independent module instantiation in M, as 
     described above. 
The effect of applying these rules in expanding the instantiations in the 
module FlowRegulator is shown in the module FlowRegulator_E of Figure 6.1. 

module FlowRegulator_E is 
  type 
    flow_reading 
  procedure 
    ReadSensor(out flow_reading); 
    AdjustValve(flow_reading) 
  channel 
    k : (flow.flow_reading) 
  var 
    x : flow_reading; 
    y : flow_reading 
  behaviour 
    every Msecs(10) do 
      ReadSensor(x); 
      snd(k,flow.x) 
    end every 
    | 
    loop do 
      rcv(k,flow.y); 
      AdjustValve(y) 
    end loop 
end module 
Fig. 6.1: Flow Regulator: Instantiated and Renamed 
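The expansion rules above, together with the interference rule of §6.2.4 (the branches of a parallel composition must refer to disjoint sets of variables and exceptions), are implemented in the following Python program. It is an added example, not code from the thesis or the CANDLE tools, and it models modules minimally: a dictionary of declarations and a behaviour given as a string. Renaming is the textual replacement the text describes. Two points are assumptions: an identifier that is replaced by a non-identifier expression (PERIOD by Msecs(10)) simply loses its declaration, which matches what Figure 6.1 shows, and type compatibility is modelled as string equality, since CANDLE defers it to the external data language. The modules are constructed from the Flow, Valve and FlowRegulator example, plus two hypothetical ill-formed parents, Unrenamed and Cyclic, that the checks must reject.

```python
"""Expanding CANDLE module instantiations and checking the interference rule
for parallel composition.  Added example, not code from the thesis or the
CANDLE tool set.  A module is {'decls': {kind: {name: type}}, 'body': str}.
Assumptions: type compatibility is string equality (CANDLE defers it to the
external data language), and an identifier replaced by a non-identifier
expression, e.g. PERIOD by Msecs(10), simply loses its declaration."""
import re

IDENT = re.compile(r'[A-Za-z_][A-Za-z0-9_]*')


class ModuleError(Exception):
    """Recursive instantiation, incompatible declarations or shared variables."""


def rename(text, renamings):
    """Textual replacement of identifier i by expression e for each (e, i); e is not evaluated."""
    for expr, ident in renamings:
        text = re.sub(r'\b%s\b' % re.escape(ident), lambda m, e=expr: e, text)
    return text


def merge_decls(target, extra):
    """Export a child's declarations to its parent; a clashing name must agree."""
    for kind, entries in extra.items():
        bucket = target.setdefault(kind, {})
        for name, typ in entries.items():
            if name in bucket and bucket[name] != typ:
                raise ModuleError('%s %s: %r vs %r' % (kind, name, bucket[name], typ))
            bucket[name] = typ
    return target


def expand(name, modules, trail=()):
    """(decls, body) of module `name` with every instantiation M or M[e1/i1, ...]
    in its body replaced, recursively, by the renamed body of M."""
    if name in trail:
        raise ModuleError('recursive instantiation: ' + ' -> '.join(trail + (name,)))
    mod = modules[name]
    decls = {kind: dict(entries) for kind, entries in mod['decls'].items()}
    # longest names first, so that FlowRegulator is never matched as Flow
    alternatives = '|'.join(re.escape(m) for m in sorted(modules, key=len, reverse=True))
    instantiation = re.compile(r'\b(%s)\b(?:\[([^\]]*)\])?' % alternatives)

    def substitute(match):
        child, args = match.group(1), match.group(2) or ''
        renamings = [tuple(s.strip() for s in item.split('/'))
                     for item in args.split(',') if item.strip()]
        cdecls, cbody = expand(child, modules, trail + (name,))
        for expr, ident in renamings:           # rename the child's declarations too
            for entries in cdecls.values():
                if ident in entries:
                    typ = entries.pop(ident)
                    if IDENT.fullmatch(expr):
                        entries[expr] = typ
        merge_decls(decls, cdecls)
        return rename(cbody, renamings)

    return decls, instantiation.sub(substitute, mod['body'])


def check_interference(decls, body):
    """Top-level parallel branches must refer to disjoint variables and exceptions,
    so concurrent processes can only interact through broadcast channels."""
    shared = set(decls.get('var', {})) | set(decls.get('exception', {}))
    owner = {}
    for index, branch in enumerate(body.split('|')):
        for ident in set(IDENT.findall(branch)) & shared:
            if owner.setdefault(ident, index) != index:
                raise ModuleError('%s is used by parallel branches %d and %d'
                                  % (ident, owner[ident], index))
    return True


# Constructed modules: the Flow / Valve / FlowRegulator example of the text plus
# two hypothetical ill-formed parents.
FLOW_DECLS = {'type': {'flow_reading': None}, 'channel': {'k': '(flow.flow_reading)'},
              'var': {'x': 'flow_reading'}}
MODULES = {
    'Flow': {'decls': dict(FLOW_DECLS, const={'PERIOD': 'duration'},
                           procedure={'ReadSensor': 'out flow_reading'}),
             'body': 'every PERIOD do ReadSensor(x); snd(k, flow.x) end every'},
    'Valve': {'decls': dict(FLOW_DECLS, procedure={'AdjustValve': 'flow_reading'}),
              'body': 'loop do rcv(k, flow.x); AdjustValve(x) end loop'},
    'FlowRegulator': {'decls': {}, 'body': 'Flow[Msecs(10)/PERIOD] | Valve[y/x]'},
    'Unrenamed': {'decls': {}, 'body': 'Flow[Msecs(10)/PERIOD] | Valve'},  # both use x
    'Cyclic': {'decls': {}, 'body': 'Cyclic'},                                # prohibited
}


def regulator():
    """Expand FlowRegulator and check it; returns (decls, body) of FlowRegulator_E."""
    decls, body = expand('FlowRegulator', MODULES)
    check_interference(decls, body)
    return decls, body
```

The Unrenamed parent is the instructive failure: its expansion succeeds, because both children declare x with the same type and the declarations merge without complaint, and it is only the interference check over the expanded body that notices that x is now read by one branch and written by another. Without that check the two processes would communicate through a shared variable and the formal model, which assumes message passing only, would no longer describe the implementation.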
6.3 SDML: Simple Data Modelling Language 
We require an external data language in order to provide complete examples of 
the modelling of systems using CANDLE. It is outside the scope of this thesis 
to discuss the connection of CANDLE to a standard data language such as Z. 
Instead, we introduce a simple data modelling language, SDML, which is an ex-
tension of Dijkstra's non-deterministic language of guarded commands [Dij76]. 
A SDML program is just a sequence of type, constant, function and procedure 
declarations. This section gives an informal introduction to SDML. A complete 
grammar is given in Appendix D. 
6.3.1 Types 
SDML has the same pre-defined types as CANDLE: unit, boolean, id and 
duration. In addition, the following types can be constructed: 
• enumeration types, which are declared by enclosing between braces a 
comma-separated list of the values of the type, e.g. {low, ok, high}; 
• subrange types, which have the form low..high, where low and high 
are expressions which are evaluable at compile-time and denote values 
of some ordered type; values of the subrange type are all those of the 
underlying ordered type from low to high inclusive, e.g. 0..4 defines the 
values 0, 1, 2, 3 and 4; 
• record types, which are tuples of named elements, enclosed by the 
delimiters {| and |}, e.g. 
{| numerator : 0..9999; denominator : 0..9999 |} 
consists of a pair of integers in the range 0..9999; 
• array types, which are sequences of values of some previously defined type, 
indexed by a subrange of some ordered type, e.g. array 0..4 of boolean. 
A type can be given a name in a type declaration, as follows: 
type flow_reading is unit 
type water_level is {low, ok, high} 
type byte is 0..255 
type rational is {| numerator : 0..9999; denominator : 0..9999 |}; 
     byte_array is array 0..3 of byte 
Recursive type declarations are not allowed. 
In modelling the data of a system, it is usually the case that we abstract 
from the full set of data values of the underlying implementation and use a 
smaller set of values which is large enough to preserve the system properties 
of interest. For example, in the declaration of flow_reading above, we have 
abstracted entirely from the set of flow readings and use the unit type instead. 
However, in order to calculate the communication latency of messages which 
contain flow_reading data, it is necessary to know the size of its representation 
as implemented. We extend type declarations to allow this information to be 
included: 
type flow_reading is unit size Bytes(4) 
where the size clause introduces an expression giving the size of the imple-
mented data representation of the type. The pre-defined functions Bytes and 
Bits can be used in size expressions. 
6.3.2 Constants 
Constants are declared using the keyword const: 
const 
  req             : command; 
  NUMBER_OF_NODES : 0..255 is 10; 
  MAX_TEMPERATURE : 0..65535 is 25000 
where each constant is declared by giving its name, its type and, optionally, its 
value. The value of a constant is given by an expression following the keyword 
is, as in 
const NUMBER_OF_NODES : 0..255 is 10. 
An expression used in a constant definition must be evaluable at compile-time. 
6.3.3 Expressions 
Expressions in SDML are the same as in CANDLE, with the following exten-
sions: 
• The pre-defined functions Bytes and Bits are provided for use in size 
declarations. 
• The non-deterministic expression any typeIdentifier evaluates to any one 
of the values of the type denoted by typeIdentifier. For example, the 
expression any water_level evaluates to any one of low, ok or high. 
The use of the any expression is restricted to simple assignment, e.g. 
wl := any water_level. 
• A field selector expression has the form x.f, where x is a record variable 
and f is a field. For example, if x is a record variable whose value is 
{| numerator = 1; denominator = 2 |}, then the value of x.numerator 
is 1 and the value of x.denominator is 2. 
• An array element selector expression has the form a[i], where a is an 
array variable and i is an expression denoting a value of the index type of 
a. For example, if a is an array variable whose value is [| 0; 2; 4; 8 |], 
then a[2] is an expression whose value is 4, assuming that the index type 
of a is 0..3. 
6.3.4 Functions and Procedures 
Function and procedure declarations consist of a header, which has the same 
syntax as in CANDLE and a body which is written after the keyword is: 
function IsEmptyQueue(q : queue) : boolean is 
  bounds Cycles(30) ; Cycles(45) 
begin 
  return (q.rear = 0) 
end 
procedure Swap(inout x : byte; inout y : byte) is 
  bounds Usecs(100) ; Usecs(125) 
  var temp : byte 
begin 
  temp := x; 
  x := y; 
  y := temp 
end 
The body of the function or procedure consists of a bounds declaration, a lo-
cal variable declaration and a statement. The bounds declaration allows the 
user to state lower and upper bounds on the execution time of the function or 
procedure. In the declaration 
bounds Cycles(30) ; Cycles(45) 
the lower (resp. upper) bound is 30 (resp. 45) clock cycles. The expression 
for each bound must be of type duration. It is usual to state bounds in clock 
cycles and to allow a duration value to be calculated automatically when the 
execution environment is fixed for a particular invocation of the sub-program. 
However, it is possible to state bounds which are independent of the execution 
environment, as in the declaration of Swap. In the declaration bounds t_lb ; t_ub, 
it is required that t_lb <= t_ub. The 'infinite bound' ∞ can be used and is written 
as -, e.g. bounds Cycles(30) ; -. 
A function declaration is required to respect the following constraints: 
• the non-deterministic assignment statement is not allowed in a function 
body, nor in the body of any procedure which is called by a function; 
• all function parameters are required to have the mode in; 
• the only variables which can be referred to in the body of a function are 
actual parameters and local variables. 
6.3.5 Statements 
A SDML statement is either an atomic statement or a sequential statement. 
The atomic statements are: 
• the skip statement which terminates leaving the data state unchanged; 
• the assignment statement x := e which causes the value of the expression 
e to be bound to the variable x; 
• the procedure call statement P(e1, ..., en), where P is the name of a pro-
cedure and e1 to en are the actual parameters; 
• the return statement return e which is used in a function body to indi-
cate that the value of the function is e; 
• the non-deterministic if statement 
if 
fi 
where each ei is a boolean expression, called a guard, and each Si is 
a statement which can be chosen for execution if the associated guard 
evaluates to true. When more than one guard is true, the statement to 
be executed is chosen non-deterministically from among the statements 
whose guards are true. It is required that at least one of the guards in an 
if statement is true. 
• the non-deterministic do statement 
do 
od 
whose branches are as for the if statement. If some guard evaluates to 
true, a statement is chosen for execution and the do statement is repeated. 
The do statement terminates when no guard evaluates to true. The user 
is required to establish the termination of every do statement in a SDML 
program. 
In a sequential statement S1 ; S2, the statement S1 is executed and, when the 
execution of S1 terminates, execution of S2 begins. 
6.3.6 Semantics 
SDML is a block-structured, statically-scoped, sequential programming language. 
It introduces a few familiar mechanisms for declaring types, constants, 
functions and procedures. Statements are essentially as in Dijkstra's guarded 
command language [Dij76]. We assume the existence of a semantic function 
which gives the meaning of SDML statements. This function is required later 
in constructing a bCANDLE model from a CANDLE program where SDML is 
used as the external data language. 
Let Statement be the set of SDML statements. For a SDML program, 
let Var be the set of data variables and V be the set of data values. Let 
Valuation ≜ Var → V be the set of valuations. Then, the semantic function 
S : Statement → Valuation → 2^Valuation 
gives the meaning of SDML statements, where S[s]val denotes the set of valua-
tions which are possible results of executing the statement s under the valuation 
val. 
Notice that because SDML is a non-deterministic language, a statement 
maps a valuation to a set of result valuations. Nevertheless, the definition of 
the semantic function is quite straightforward; the interested reader is referred 
to standard texts such as Schmidt [Sch86] or Winskel [Win93] for further details. 
6.4 Constructing a Formal Model 
This section describes how a CANDLE program can be translated into bCANDLE, 
so that its behaviour can be simulated or verified. The construction of a 
bCANDLE model, which conservatively approximates the implemented sys-
tem, depends not only on the CANDLE program but also on features of the 
code generator and the execution environment. It is outside the scope of this 
thesis to discuss these aspects fully. The intention here is to provide a general 
framework for the translation, which can be adapted to accommodate particular 
requirements. 
It is assumed, without loss of generality, that a bCANDLE model is con-
structed from a single CANDLE module of the form: 
module moduleName is 
type typeDecl1; ... ; typeDecln 
const constantDecl1; ... ; constantDecln 
var variableDecl1; ... ; variableDecln 
function functionDecl1; ... ; functionDecln 
procedure procedureDecl1; ... ; procedureDecln 
channel channelDecl1; ... ; channelDecln 
exception exceptionDecl1; ... ; exceptionDecln 
behaviour statement 
end module 
and a single SDML module of the form: 
data moduleName is 
type typeDecl1; ... ; typeDecln 
const constantDecl1; ... ; constantDecln 
function functionDecl1; ... ; functionDecln 
procedure procedureDecl1; ... ; procedureDecln 
end data 
That is to say, module instantiation statements are expanded, and declarations 
are collected, to give a well-formed, stand-alone CANDLE module; and the 
external data definitions are presented as a single SDML module. 
Recall that a bCANDLE model is a tuple (P, N, D), where P is a process 
term, N is a network and D is a data environment (§3.6). In the rest of this 
section, we show how each component of the model can be constructed from a 
CANDLE program. First, we consider how the data environment and network 
model are constructed from CANDLE declarations; then, how a process term 
is constructed from a behaviour section. 
6.4.1 Declarations 
Data 
A bCANDLE data environment is a tuple (type, operation, predicate, val) (§3.3). 
This section shows how a CANDLE program defines a bCANDLE data envi-
ronment. 
A valuation val : Var → V is a mapping from variables to values. The set 
Var of variables is defined by the CANDLE var and exception declaration 
sections. There is one bCANDLE variable for each declared CANDLE variable 
and exception. In addition, Var includes a number of system variables which 
are not referred to in the CANDLE program but are used to hold the values 
of expressions occurring in the behaviour section. In constructing the formal 
model, we assume that there is a unique system variable for each program ex-
pression. In practice, a smaller number of variables are used and expressions are 
assigned to them according to principles which ensure that conflict is avoided. 
The type of a variable is given either directly by its declaration or, in the case 
of a system variable, can be inferred from the type of the expression whose 
value is bound to it. Furthermore, each SDML type expression clearly denotes 
a finite set of values. So each variable x ∈ Var is associated with a finite set 
V_x of values, which is given by the type of x. The set V of all program data 
values is then given by 
V ≜ ⋃_{x ∈ Var} V_x ∪ {⊥}, 
where ⊥ represents the distinguished "undefined" value. The function type : 
Var → 2^V is defined simply by 
type(x) ≜ V_x 
for all x ∈ Var. A valuation val : Var → V maps each variable x to some value 
v, where either v ∈ type(x) or v = ⊥. For any CANDLE program, the initial 
valuation maps every variable to ⊥. 
The operation symbols and predicate symbols of the bCANDLE model are 
determined during the translation of the behaviour section, as are their inter-
pretations. Consideration of the details is deferred to §6.4.2. 
Network 
A bCANDLE network is a mapping from channel identifiers to channels (§3.4), 
where a channel is defined by its static and dynamic attributes. This section 
shows how a CANDLE channel declaration section 
channel channelDecl1; ... ; channelDecln 
defines a bCANDLE network. 
Each channel declared in a CANDLE channel declaration is modelled by its 
own distinct bCANDLE channel, whose attributes are constructed as follows: 
Static attributes In constructing the static attributes of a channel, we need to 
identify the message set M, the priority ordering ≺ and the transmission 
latency function δ. The message set and priority ordering are constructed 
from the CANDLE declaration of the channel and the declaration of the 
message data types, e.g. the declarations 
type command is (req, rel) 
channel k : (ok.unit, node.command) 
define a message set 
M = {ok.uvalue, node.req, node.rel} 
and a priority ordering 
ok ≺ node. 
The construction of the transmission latency function δ depends not only 
on the CANDLE channel and data declarations, but also on the char-
acteristics of the physical communication links to which the channels 
are mapped by the system architecture. For example, assume that k 
is mapped to a CAN bus operating at 5 × 10^5 bit/s, in which the accep-
tance test coincides with the leading edge of bit ACK0 (see Figure 1.2). 
Assume also that 1 unit of duration = 1 µs. Then, the transmission 
latency function is as follows: 

δ (units of duration)   ok.uvalue   node.req   node.rel 
δ_lb                    70          86         86 
δ_ub                    86          106        106 
δ_lB                    24          24         24 
δ_uB                    24          24         24 

Here, the calculation of δ assumes CAN packets of 0 data bytes for ok 
messages and 1 data byte for node messages. As an illustration of the 
calculation, consider δ_ub(node.req). In a CAN packet with 1 data byte, 
there are 43 bits from SOF up to, but not including, ACK0. A stuff bit is 
inserted after every 5 consecutive transmitted bits of the same value. Bit 
stuffing occurs from SOF up to, but not including, the CRC delimiter. 
The pattern of transmitted bits containing the maximum number of stuff 
bits is of the form 
00000[1]1111[0]0000[1]1111[0] ... 
where the inserted stuff bits are shown in brackets. So, in the example, 
there are at most ⌊41/4⌋ = 10 stuff bits, and thus, at most 43 + 10 = 53 
transmitted bits, before the acceptance test of a node.req packet. At a 
data rate of 5 × 10^5 bit/s, 53 bits are transmitted in 106 µs. The other 
values for δ are calculated similarly. Notice that it is only coincidence 
that δ_ub(ok.uvalue) = δ_lb(node.req). It just happens that the maximum 
number of stuff bits for a CAN packet containing 0 data bytes is 8 bits, 
just the same as the number of extra bits in a CAN packet containing 1 
data byte and no stuff bits. 
Dynamic attributes The dynamic attributes of a channel are its status and 
its pending message queue. The initial status of a channel is defined to 
be FREE and the initial pending message queue is empty. 
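The latency table above can be reproduced from the CAN frame layout. The following Python is an added example, not code from the thesis: it counts the bits transmitted before the acceptance test of a standard (11-bit identifier) data frame, applies the worst-case stuff-bit count ⌊(n-1)/4⌋ used in the text, and checks that count by running an actual bit stuffer over the pattern 00000[1]1111[0]... . The bit rate and data sizes are those of the text; reading δ_lB and δ_uB as the 12-bit tail after ACK0 (ACK slot, ACK delimiter, EOF, intermission) is an assumption made here, chosen because it yields the table's 24 µs.

```python
# Added example (not from the thesis): transmission latency bounds of §6.4.1
# computed from the CAN 2.0A data-frame layout, with a bit stuffer that confirms
# the worst-case stuff-bit count floor((n-1)/4).  Reading delta_lB/delta_uB as the
# 12-bit tail after ACK0 is our assumption (it matches the 24 us in the table).
US_PER_S = 1_000_000
# Fields subject to bit stuffing in a standard data frame, excluding the data bytes:
STUFFED_FIXED = 1 + 11 + 1 + 1 + 1 + 4 + 15   # SOF, ID, RTR, IDE, r0, DLC, CRC = 34
CRC_DELIMITER = 1                             # sent before ACK0, never stuffed
TAIL = 1 + 1 + 7 + 3                          # ACK slot, ACK delimiter, EOF, intermission = 12

def max_stuff_bits(n):
    """Most stuff bits possible in n stuffed bits: one after the first 5 equal
    bits, then one after every further 4 (pattern 00000[1]1111[0]0000[1]...)."""
    return (n - 1) // 4 if n >= 5 else 0

def bits_before_ack(data_bytes):
    """(min, max) bits transmitted from SOF up to, but not including, ACK0."""
    stuffed = STUFFED_FIXED + 8 * data_bytes
    base = stuffed + CRC_DELIMITER
    return base, base + max_stuff_bits(stuffed)

def latency(data_bytes, bit_rate):
    """(delta_lb, delta_ub, delta_lB, delta_uB) in microseconds for a frame
    carrying data_bytes bytes on a bus running at bit_rate bit/s."""
    lo, hi = bits_before_ack(data_bytes)
    us = lambda bits: round(bits * US_PER_S / bit_rate)
    return us(lo), us(hi), us(TAIL), us(TAIL)

def stuff(bits):
    """CAN bit stuffing: after 5 consecutive equal bits insert the complement;
    the inserted bit counts towards the next run.  Returns the bits as sent."""
    out, last, run = [], None, 0
    for bit in bits:
        out.append(bit)
        run = run + 1 if bit == last else 1
        last = bit
        if run == 5:
            last = '1' if bit == '0' else '0'
            out.append(last)
            run = 1
    return ''.join(out)

def worst_case_pattern(n):
    """The raw n-bit pattern 00000 1111 0000 1111 ... that maximises stuff bits."""
    raw, bit = '0' * 5, '1'
    while len(raw) < n:
        raw += bit * 4
        bit = '1' if bit == '0' else '0'
    return raw[:n]

if __name__ == '__main__':
    for n in (0, 1):
        print(n, 'data byte(s) at 500 kbit/s:', latency(n, 500_000))
    print('stuff bits in 42 raw bits:', len(stuff(worst_case_pattern(42))) - 42)
```

Running latency(1, 500_000) gives the node.req column (86, 106, 24, 24), and latency(0, 500_000) the ok.uvalue column (70, 86, 24, 24); the stuffer inserts 10 bits into the 42 stuffed bits of a 1-byte frame and 8 into the 34 of a 0-byte frame, which is the coincidence the text remarks on.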
6.4.2 Behaviour 
A bCANDLE process term is constructed from the behaviour section of a 
CANDLE program as described below. The translation of a CANDLE be-
haviour depends upon the semantic function S which gives the meaning of 
SDML statements (§6.3.6). This is required to define the results of executing 
an assignment statement or procedure call. A semantic function is similarly 
required to give a meaning to CANDLE expressions. Let Expression denote 
the set of CANDLE expressions. For a CANDLE program, let Var be the set 
of data variables and V the set of data values. Let Valuation ≜ Var → V be 
the set of valuations. Then, 
E : Expression → Valuation → V 
is the semantic function which gives a meaning to CANDLE expressions, and 
E[e]val denotes the value of the expression e under the valuation val. 
Now, the translation from a CANDLE program to a bCANDLE model can 
be given inductively, as follows. 
Null and Idle statements 
Both null and idle leave the data state unchanged. The difference is that 
null terminates immediately whereas idle never terminates. They have direct 
counterparts in bCANDLE: 
• [null] ≜ null 
• [idle] ≜ idle 
Send and Receive statements 
Each communication, snd(k, i.e) and rcv(k, i.x), requires some computation 
time both before and after it, not only to evaluate the expression e in the case 
of snd, but perhaps also to configure a communication controller or modify the 
process status; the particular details depend upon the execution environment, 
which must be analysed in order to calculate the required execution bounds. 
Let pre_snd (resp. post_snd) denote the bounds on the execution time 
needed before (resp. after) the completion of the snd operation. Let pre_rcv 
and post_rcv denote the corresponding bounds for the rcv operation. Then, 
the snd and rcv operations are modelled as follows: 
• [snd(k, i.e)] ≜ [ω : pre_snd] ; k!i.x ; [post_snd], 
where x is a system variable allocated to hold the value of the expression 
e, and ω is a new operation symbol defined by: 
operation(ω) ≜ 
{(val, val') ∈ Valuation × Valuation | val' = val[x := E[e]val]} 
• [rcv(k, i.x)] ≜ [pre_rcv] ; k?i.x ; [post_rcv] 
Elapse statement 
The implementation of the elapse statement requires access to a timer ser-
vice provided by the execution environment. It is assumed that some time-
consuming operations are required both before and after the requested delay. 
What operations are needed, and how much time they consume, is determined 
by the particular implementation, and may include: calling a timer service rou-
tine, configuring a hardware timer, rescheduling a process after a delay expiry, 
and so on. In addition, the duration of the implemented delay may only ap-
proximate the requested delay. The model of the elapse statement seeks to 
account for such implementation details. 
Let pre_timer (resp. post_timer) denote the bounds on the computation 
time required before (resp. after) a request to use a timer service. Let approx T 
denote the bounds on the actual delay delivered by a request for a delay of T 
time units. Then, the elapse statement is modelled as follows: 
• [elapse(T)] ≜ [pre_timer] ; [approx T] ; [post_timer] 
Assignment and Procedure Call 
An assignment statement of the form x := e, where x is a variable whose type 
is denoted by type_id, is treated as syntactic sugar for a procedure call: 
which is assumed to have the declaration 
The translation of an assignment statement is then given by the translation of 
its corresponding procedure call, as explained below. 
A procedure call has the form: 
where P is the name of the procedure and each ei is an expression denoting an 
actual parameter of P. It is assumed that all parameters are evaluated before 
the procedure executes. Let t_lb^i (resp. t_ub^i) denote the lower bound (resp. upper 
bound) on the time required to complete the evaluation of ei. Let t_lb(P) (resp. 
t_ub(P)) denote the lower bound (resp. upper bound) on the time required to 
execute the procedure P once all its parameters have been evaluated. Then, 
the translation of P(e1, ..., en) is given by: 
• [P(e1, ..., en)] ≜ [ω : t_lb, t_ub], 
in which ω is a new operation symbol defined by: 
operation(ω) ≜ 
{(val, val') ∈ Valuation × Valuation | val' ∈ S[P(e1, ..., en)]val} 
where t_lb ≜ t_lb(P) + Σ_{i=1}^{n} t_lb^i and t_ub ≜ t_ub(P) + Σ_{i=1}^{n} t_ub^i. 
If statement 
The if statement has the form: 
if e1 => s1, ..., e_{n-1} => s_{n-1}, true => sn end if 
where each ei is a boolean expression and each si is a statement. The imple-
mentation of the if statement evaluates each expression ei in turn and executes 
the corresponding statement si of the first expression whose value is true. 
• [if e1 => s1, ..., en => sn end if] ≜ 
[t_lb^1, t_ub^1] ; (γ1 → [s1] + γ̄1 → [if e2 => s2, ..., en => sn end if]), 
where t_lb^1 (resp. t_ub^1) denotes the lower bound (resp. upper bound) on the 
time required to complete the evaluation of e1 and, for 1 ≤ i ≤ n, γi and 
γ̄i are new predicate symbols defined by: 
predicate(γi) ≜ {val ∈ Valuation | E[ei]val = true}, 
and 
predicate(γ̄i) ≜ {val ∈ Valuation | E[ei]val = false}. 
• [if true => s end if] ≜ [s]. 
Select statement 
Consider a select statement of the form: 
select :: g1; s1 ... :: gn; sn end select 
where each gi is either a rcv statement or an elapse statement. The statement 
gi acts as a guard to entry of the i-th alternative in the select statement. Notice 
that the translation of an individual guard statement g has the form 
[g] = [pre_g] ; β ; [post_g], 
where [pre_g] is either [pre_rcv] or [pre_timer], β is either k?i.x or [approx T], 
and [post_g] is either [post_rcv] or [post_timer]. However, there is a variety 
of different ways in which a set of guards can be implemented when used in 
a select statement. Clearly, some computation is required to configure at 
least one communication request or delay before one of the select guards 
can be executed. However, when several communications and delays must be 
configured, an implementation has several degrees of freedom, including: 
• the order in which the configurations are completed; 
• whether all configurations must be completed before one of the select 
alternatives can begin execution. 
The translation given below assumes that before a select alternative can be 
chosen: 
• at least one configuration has been completed, giving a minimum set up 
time 
t_lb = min{ t_lb^i | 1 ≤ i ≤ n }, 
• possibly, all configurations have been completed, giving a maximum set 
up time 
t_ub = Σ_{i=1}^{n} t_ub^i, 
where [gi] = [t_lb^i, t_ub^i] ; βi ; [post_gi]. 
The translation of the select statement is then: 
• [select :: g1; s1 ... :: gn; sn end select] ≜ 
[t_lb, t_ub] ; 
(β1 ; [post_g1] ; [s1] + β2 ; [post_g2] ; [s2] + ... + βn ; [post_gn] ; [sn]), 
where [gi] = [t_lb^i, t_ub^i] ; βi ; [post_gi], t_lb = min{ t_lb^i | 1 ≤ i ≤ n } and 
t_ub = Σ_{i=1}^{n} t_ub^i. 
Of course, it is possible to modify this model to accommodate more elaborate 
assumptions about the implementation, and this may lead to a tightening of 
the bounds which are derived using the weak assumptions given here. 
Now consider an extended select statement of the form: 
select :: g1; s1 ... :: gn; sn in s end select 
It is translated in a similar way. The difference is that execution of the state-
ment s is started immediately on entry to the extended select statement and 
continues until termination or until interrupted by the execution of one of the 
guards gi. This gives the following translation: 
• [select :: g1; s1 ... :: gn; sn in s end select] ≜ 
[t_lb, t_ub] ; 
([s] [> β1 ; [post_g1] ; [s1] + β2 ; [post_g2] ; [s2] + ... + βn ; [post_gn] ; [sn]), 
where [gi] = [t_lb^i, t_ub^i] ; βi ; [post_gi], t_lb = min{ t_lb^i | 1 ≤ i ≤ n } and 
t_ub = Σ_{i=1}^{n} t_ub^i. 
Trap and Exit statements 
The trap statement has the form: 
trap :: x1 => s1 ... :: xn => sn in s end trap 
where each xi is an exception identifier and each si is a statement. 
There are several possible implementations of the trap statement. In con-
structing the corresponding bCANDLE model, it is assumed that an exception 
is represented by a record variable of type 
{| raised : boolean; value : sometype |}, 
where for an exception x, x.raised is assigned the value true when the excep-
tion x is raised, and otherwise has the value false. x.value holds the value 
assigned to x when it was last raised, and can be referred to in expressions 
using the notation ?x. 
The translation of the trap statement is then given by 
• [trap :: x1 => s1 ... :: xn => sn in s end trap] ≜ 
[s] [> (γ1 → [ω1 : t_lb, t_ub] ; [s1] 
+ γ2 → [ω2 : t_lb, t_ub] ; [s2] 
+ ... + γn → [ωn : t_lb, t_ub] ; [sn]), 
where each γi is a new predicate symbol which is true just when the corre-
sponding variable xi.raised is true, i.e. 
predicate(γi) ≜ {val ∈ Valuation | val(xi.raised) = true}. 
Each ωi is a new operation symbol which simply resets xi.raised, i.e. 
operation(ωi) ≜ 
{(val, val') ∈ Valuation × Valuation | val' = val[xi.raised := false]} 
and t_lb (resp. t_ub) gives the lower bound (resp. upper bound) on the time 
required to clear an exception and transfer control to its handler. 
The exit statement has the form exit x(e), where x is an exception iden-
tifier and e is an expression denoting the value to be associated with x. The 
translation of the exit statement is defined simply to set x.raised and bind 
the value of e to x.value: 
• [exit x(e)] ≜ [ω : t_lb, t_ub] ; idle, 
where ω is a new operation symbol defined by 
operation(ω) ≜ 
{(val, val') ∈ Valuation × Valuation | val' = val[x.raised := true, 
x.value := E[e]val]}, 
and t_lb (resp. t_ub) gives the lower bound (resp. upper bound) on the time 
required to evaluate e and raise the exception. 
Loop statement 
The basic loop statement has the form: 
loop do s end loop 
where s is a statement. It is translated simply using a recursive bCANDLE 
process: 
• [loop do s end loop] ≜ rec LOOP.[s] ; LOOP, 
where LOOP is a new process variable. 
The named loop statement has the form: 
loop loopName do s end loop 
where loopName is the name of the loop and s is a statement. It is treated as 
syntactic sugar for a trap statement which encloses a basic loop statement, as 
follows: 
• [loop loopName do s end loop] ≜ 
[trap :: x_loopName => null in loop do s end loop end trap], 
where x_loopName is a new exception of type unit. 
Every statement 
The every T statement is just syntactic sugar for a loop which executes its body 
every T time units. It is translated as follows: 
• [every T do s end every] ≜ 
[loop do select :: elapse T in s ; idle end select end loop] 
Notice that execution of the statement s ; idle begins immediately on enter-
ing the every statement. It is assumed that s terminates and idle is started 
before the elapse of T time units. After T time units, idle is interrupted and 
the loop repeats. 
Sequential and Parallel Composition 
The sequential and parallel composition statements of CANDLE have direct 
counterparts in bCANDLE and their translation is simple: 
• [s1 ; s2] ≜ [s1] ; [s2] 
• [s1 | s2] ≜ [s1] | [s2] 
6.4.3 An example 
The flow regulator example is used to illustrate the translation from CANDLE 
to bCANDLE. The CANDLE program for the example is reviewed in Fig-
ure 6.2. In the following, we consider how each component of the bCANDLE 
model (P, N, D) is derived from the CANDLE program. 
module FlowRegulator_E is 
type 
flow_reading 
procedure 
ReadSensor(out flow_reading); 
AdjustValve(flow_reading) 
channel 
k : (flow.flow_reading) 
var 
x : flow_reading; 
y : flow_reading 
behaviour 
every Msecs(10) do 
ReadSensor(x); 
snd(k, flow.x) 
end every 
| 
loop do 
rcv(k, flow.y); 
AdjustValve(y) 
end loop 
end module 
data FlowRegulator_E is 
type flow_reading is unit size Bytes(1) 
procedure ReadSensor(out r : flow_reading) is 
bounds Usecs(85) ; Usecs(90) 
begin 
r := any flow_reading 
end 
procedure AdjustValve(in r : flow_reading) is 
bounds Usecs(200) ; Usecs(300) 
end data 
Fig. 6.2: Flow Regulator in CANDLE 
Data Environment 
The data environment D = (type, operation, predicate, val) is constructed as 
follows. 
• There are two program variables x and y, each of type flow_reading. 
The data module declares flow_reading to be a synonym for the unit 
type. So we have 
type(x) = type(y) = {uvalue}. 
• There are two procedure calls in the behaviour section of the CANDLE 
module: ReadSensor(x) and AdjustValve(y). So, the set of operation 
symbols is 
Ω = {ReadSensor_x, AdjustValve_y}, 
where the definition of ReadSensor_x is derived from its data module dec-
laration and gives the effect of applying the operation in any data envi-
ronment: 
operation(ReadSensor_x) ≜ 
{ 
{x ↦ ⊥, y ↦ ⊥} ↦ {x ↦ uvalue, y ↦ ⊥}, 
{x ↦ ⊥, y ↦ uvalue} ↦ {x ↦ uvalue, y ↦ uvalue}, 
{x ↦ uvalue, y ↦ ⊥} ↦ {x ↦ uvalue, y ↦ ⊥}, 
{x ↦ uvalue, y ↦ uvalue} ↦ {x ↦ uvalue, y ↦ uvalue} 
} 
operation(AdjustValve_y) is defined similarly (with the roles of x and y 
reversed). 
• The set Γ of predicate symbols is empty, so 
predicate ≜ ∅. 
• Finally the initial valuation maps each variable to the undefined value 
val ≜ {x ↦ ⊥, y ↦ ⊥}. 
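To make the semantic function S of §6.3.6 and the operation relation of §6.4.2 concrete, the following Python is an added example, not part of the thesis: it interprets the SDML statements of §6.3.5 (skip, assignment, non-deterministic assignment, sequence, guarded if and do, procedure call) as a map from a valuation to the set of possible result valuations, and lifts a statement to its bCANDLE operation relation over a finite data environment. It reproduces the four pairs of operation(ReadSensor_x) above from the declaration r := any flow_reading, and also runs Swap from §6.3.4 together with two constructed guarded-command examples (Dijkstra's overlapping-guard sign assignment and Euclid's algorithm as a do statement). The tuple encoding of statements, the restriction of actual parameters to variable names, and the use of None for ⊥ are choices made for this example only.

```python
# Added example (not part of the thesis): the semantic function
# S : Statement -> Valuation -> 2^Valuation of §6.3.6 for the SDML statements
# of §6.3.5, and its lifting to a bCANDLE operation relation (§6.4.2).
# Statements are tuples; guards and expressions are Python callables on a
# valuation (a dict); None stands for the undefined value ⊥.
from itertools import product

def freeze(val):
    """A valuation as a hashable tuple, so that sets of valuations can be formed."""
    return tuple(sorted(val.items()))

def S(stmt, val):
    """Set of (frozen) valuations that may result from executing stmt under val."""
    kind = stmt[0]
    if kind == 'skip':                              # skip
        return {freeze(val)}
    if kind == 'assign':                            # x := e
        _, x, e = stmt
        return {freeze({**val, x: e(val)})}
    if kind == 'any':                               # x := any T  (non-deterministic)
        _, x, values = stmt
        return {freeze({**val, x: v}) for v in values}
    if kind == 'seq':                               # s1 ; s2
        _, s1, s2 = stmt
        return {r for mid in S(s1, val) for r in S(s2, dict(mid))}
    if kind == 'if':                                # if g1 -> s1 [] ... fi
        chosen = [si for g, si in stmt[1] if g(val)]
        if not chosen:
            raise RuntimeError('if statement: no guard is true (required by §6.3.5)')
        return {r for si in chosen for r in S(si, val)}
    if kind == 'do':                                # do g1 -> s1 [] ... od
        # Explore every sequence of iterations; valuations in which no guard
        # holds are the results.  A revisited valuation lies on a non-terminating
        # path, which §6.3.5 requires the user to rule out, so it is not re-explored.
        results, seen, work = set(), set(), [freeze(val)]
        while work:
            cur = work.pop()
            if cur in seen:
                continue
            seen.add(cur)
            enabled = [si for g, si in stmt[1] if g(dict(cur))]
            if not enabled:
                results.add(cur)
            for si in enabled:
                work.extend(S(si, dict(cur)))
        return results
    if kind == 'call':                              # P(v1, ..., vn); actuals are variables
        _, (params, body), actuals = stmt
        local = {f: val.get(a) for (mode, f), a in zip(params, actuals)}
        out = set()
        for fin in S(body, local):
            fin, new = dict(fin), dict(val)
            for (mode, f), a in zip(params, actuals):
                if mode in ('out', 'inout'):        # copy results back to the actuals
                    new[a] = fin[f]
            out.add(freeze(new))
        return out
    raise ValueError('unknown statement ' + kind)

def operation(stmt, domains):
    """bCANDLE operation relation (§6.4.2): {(val, val') | val' in S[stmt]val}
    over every valuation of the finite domains {var: values}."""
    names = sorted(domains)
    rel = set()
    for vs in product(*(domains[n] for n in names)):
        val = dict(zip(names, vs))
        rel |= {(freeze(val), r) for r in S(stmt, val)}
    return rel

# procedure Swap(inout x : byte; inout y : byte) of §6.3.4
SWAP = ([('inout', 'x'), ('inout', 'y')],
        ('seq', ('assign', 'temp', lambda v: v['x']),
         ('seq', ('assign', 'x', lambda v: v['y']),
                 ('assign', 'y', lambda v: v['temp']))))

# Constructed: Dijkstra's overlapping guards; both are enabled when x = 0.
SIGN = ('if', [(lambda v: v['x'] >= 0, ('assign', 'sign', lambda v: 1)),
               (lambda v: v['x'] <= 0, ('assign', 'sign', lambda v: -1))])

# Constructed: Euclid's algorithm as a do statement; terminates when a = b.
GCD = ('do', [(lambda v: v['a'] > v['b'], ('assign', 'a', lambda v: v['a'] - v['b'])),
              (lambda v: v['b'] > v['a'], ('assign', 'b', lambda v: v['b'] - v['a']))])

# procedure ReadSensor(out r : flow_reading) is r := any flow_reading (Fig. 6.2),
# called as ReadSensor(x) over type(x) = type(y) = {uvalue} (§6.4.3).
READ_SENSOR = ([('out', 'r')], ('any', 'r', ['uvalue']))

def read_sensor_x():
    """operation(ReadSensor_x) of §6.4.3: four pairs, each setting x to uvalue."""
    return operation(('call', READ_SENSOR, ['x']),
                     {'x': [None, 'uvalue'], 'y': [None, 'uvalue']})

if __name__ == '__main__':
    print(S(('call', SWAP, ['a', 'b']), {'a': 1, 'b': 2}))
    print(S(SIGN, {'x': 0}))
    print(S(GCD, {'a': 12, 'b': 18}))
    for pair in read_sensor_x():
        print(pair)
```

S(SIGN, {'x': 0}) returns two valuations, one per enabled guard, which is exactly the set-valued result the text motivates; read_sensor_x() returns the four (val, val') pairs listed above, with y untouched in each because ReadSensor has only the out parameter r bound to x.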
Network 
In constructing the static attributes of the network, we need to identify, for 
each channel, the message set M, the priority ordering ≺ and the transmis-
sion latency function δ. The message set is constructed from the declarations 
of the channel and the message data types. In the example, the declaration 
of channel k comprises a single message template flow.flow_reading, where 
flow_reading is a synonym for the unit data type. So the message set M 
for k is the singleton {flow.uvalue}. Since there is only a single message in 
M, the priority relation ≺ is just the empty set ∅. In order to construct the 
transmission latency function δ for the channel k, it is necessary to know some 
details of the physical channel which implements it. Let us assume as before 
that k is implemented by a CAN bus operating at 5 × 10^5 bit/s. Then, the 
transmission latency function is as follows: 

δ (units of duration)   flow.uvalue 
δ_lb                    70 
δ_ub                    86 
δ_lB                    24 
δ_uB                    24 

All other assumptions are as in §6.4.1. 
Behaviour 
The process term P, modelling the system behaviour, is derived from the 
behaviour section of the CANDLE program. In our example, this comprises 
the parallel composition of two processes: every Msecs(10) ... and loop do 
rcv(k, flow.y) .... We illustrate by considering the translation 
[every Msecs(10) do 
ReadSensor(x); 
snd(k, flow.x) 
end every] 
In the first translation step, the every statement is unpacked, giving 
[loop do select :: elapse Msecs(10) in 
ReadSensor(x); snd(k, flow.x); idle end select end loop] 
Next, the loop statement is translated into a recursion 
rec LOOP.[select :: elapse Msecs(10) in 
ReadSensor(x); snd(k, flow.x); idle end select]; LOOP 
The translation of the select statement depends upon the translation of 
elapse Msecs(10), which is given by [pre_timer]; [approx 10000]; [post_timer]. 
As before, we assume that 1 unit of duration is equivalent to 1 µs. We now 
have 
rec LOOP.[pre_timer]; 
([ReadSensor(x); snd(k, flow.x); idle] 
[> [approx 10000] ; [post_timer]) ; LOOP 
The final steps translate the remaining simple statements, giving the result 
rec LOOP.[pre_timer]; 
([ReadSensor_x : 85,90] ; [pre_snd] ; k!flow.x ; [post_snd] ; idle 
[> [approx 10000] ; [post_timer]) ; LOOP 
where all that remains is to 'plug in' the bounds denoted by pre_timer, approx 10000, 
post_timer, pre_snd and post_snd. 
The remaining process is translated similarly, giving 
rec LOOP.[pre_rcv]; k?flow.y; [post_rcv]; [AdjustValve_y : 200,300]; LOOP 
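The derivation just shown can be mechanised. The following Python is an added example, not the CAN2BCAN component of the thesis: it implements the translation rules of §6.4.2 for null, idle, snd, rcv, elapse, procedure call, sequential and parallel composition, loop, every and select (with and without an in-body), and applies them to the behaviour section of Fig. 6.2. The environment bounds pre_snd, post_snd, pre_rcv, post_rcv, pre_timer and post_timer and the timer approximation approx T are left symbolic in the thesis; here they are given constructed numeric values in µs (an assumption, so that the select rule's minimum and sum can actually be computed), and parameter evaluation is assumed to cost nothing since the actuals are variables. Process variables are named LOOP1, LOOP2, ... and the call symbols ReadSensor_x, AdjustValve_y follow §6.4.3; the result for the flow regulator has exactly the shape of the two rec terms above.

```python
# Added example (not the thesis's CAN2BCAN): the translation rules of §6.4.2 as
# a small CANDLE-to-bCANDLE translator over a tuple encoding of statements.
# ENV, approx and EXPR are constructed execution-environment bounds in us (assumed).
ENV = {'pre_snd': (3, 6), 'post_snd': (2, 4),
       'pre_rcv': (2, 5), 'post_rcv': (2, 4),
       'pre_timer': (5, 8), 'post_timer': (2, 5)}
PROCS = {'ReadSensor': (85, 90), 'AdjustValve': (200, 300)}   # bounds clauses of Fig. 6.2
EXPR = (0, 0)    # assumed: a variable used as an actual parameter costs nothing to evaluate

def approx(t):   # assumed timer service: a requested delay of t lands in [t, t + 10]
    return (t, t + 10)

def b(bounds):   # a bCANDLE computation [lb, ub]
    return '[%d,%d]' % bounds

_loops = [0]
def fresh():     # a new process variable for each loop
    _loops[0] += 1
    return 'LOOP%d' % _loops[0]

def guard(g):
    """A select guard g (rcv or elapse) as (lb, ub, beta, post): [g] = [lb,ub] ; beta ; post."""
    if g[0] == 'rcv':
        _, k, i, x = g
        return ENV['pre_rcv'] + ('%s?%s.%s' % (k, i, x), b(ENV['post_rcv']))
    if g[0] == 'elapse':
        return ENV['pre_timer'] + (b(approx(g[1])), b(ENV['post_timer']))
    raise ValueError('a select guard must be rcv or elapse')

def tr(s):
    """[s]: the bCANDLE process term for the CANDLE statement s."""
    kind = s[0]
    if kind in ('null', 'idle'):
        return kind
    if kind == 'snd':                     # [omega : pre_snd] ; k!i.x ; [post_snd]
        _, k, i, x = s                    # x: the system variable holding the sent value
        return '%s ; %s!%s.%s ; %s' % (b(ENV['pre_snd']), k, i, x, b(ENV['post_snd']))
    if kind in ('rcv', 'elapse'):         # [pre_g] ; beta ; [post_g]
        lb, ub, beta, post = guard(s)
        return '%s ; %s ; %s' % (b((lb, ub)), beta, post)
    if kind == 'call':                    # [omega : tlb(P) + sum tlb_i, tub(P) + sum tub_i]
        _, p, args = s
        lb, ub = PROCS[p]
        return '[%s_%s : %d,%d]' % (p, ''.join(args),
                                    lb + EXPR[0] * len(args), ub + EXPR[1] * len(args))
    if kind == 'seq':                     # [s1] ; [s2]
        return '%s ; %s' % (tr(s[1]), tr(s[2]))
    if kind == 'par':                     # [s1] | [s2]
        return '(%s) | (%s)' % (tr(s[1]), tr(s[2]))
    if kind == 'loop':                    # rec LOOP.[s] ; LOOP
        v = fresh()
        return 'rec %s.(%s ; %s)' % (v, tr(s[1]), v)
    if kind == 'every':                   # sugar: loop do select :: elapse T in s ; idle end select end loop
        _, t, body = s
        return tr(('loop', ('select', [(('elapse', t), None)], ('seq', body, ('idle',)))))
    if kind == 'select':                  # [min lb_i, sum ub_i] ; ([body] [>) beta_1 ; post_1 ; [s_1] + ...
        _, alts, body = s
        gs = [guard(g) for g, _ in alts]
        setup = (min(g[0] for g in gs), sum(g[1] for g in gs))
        branches = ' + '.join(beta + ' ; ' + post + (' ; ' + tr(si) if si else '')
                              for (_, _, beta, post), (_, si) in zip(gs, alts))
        if body is None:
            return '%s ; (%s)' % (b(setup), branches)
        return '%s ; (%s [> %s)' % (b(setup), tr(body), branches)
    raise ValueError('unknown statement ' + kind)

def translate(s):
    """Translate a whole behaviour section, numbering loop variables from 1."""
    _loops[0] = 0
    return tr(s)

# The behaviour section of FlowRegulator_E (Fig. 6.2): every ... | loop ...
FLOW_REGULATOR = ('par',
    ('every', 10000, ('seq', ('call', 'ReadSensor', ['x']), ('snd', 'k', 'flow', 'x'))),
    ('loop', ('seq', ('rcv', 'k', 'flow', 'y'), ('call', 'AdjustValve', ['y']))))

if __name__ == '__main__':
    print(translate(FLOW_REGULATOR))
```

With the constructed ENV, translate(FLOW_REGULATOR) prints the two rec terms above with [5,8], [3,6], [2,4], [10000,10010] and [2,5] plugged in for pre_timer, pre_snd, post_snd, approx 10000 and post_timer. A select with one rcv guard and one elapse guard yields the set-up bounds [2,13], i.e. the minimum of the guards' lower bounds and the sum of their upper bounds, which is the weak assumption of §6.4.2 made visible.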
6.5 The CANDLE Development Environment 
6.5.1 Overview 
The development of a high-integrity embedded system requires the use of a 
wide variety of software tools, including: text editors, compilers, simulators, 
model-checkers, theorem-provers and test case generators. A computer-aided 
development environment is required which 
• is open and extensible, making it possible to combine different tools to 
provide implementation and validation functions as required; 
• ensures that all tools have a consistent view of a development project, so 
that the principle of 'What You Verify Is What You Execute' is respected. 
[Figure 6.3 is an architecture diagram that is not reproduced here. Its boxes 
are labelled with the file types .ds, .can, .sa and .ps, and with System and 
Execution and Testing; its legend follows.] 
User commands for all tools are entered using a graphical 
user interface to the development environment which checks 
consistency. 
Specification files for the data state and sequential opera-
tions of each system process. Model-based specification lan-
guages such as B, Z or VDM can be used. Sequential code 
is developed from specifications using a standard method-
ology, e.g. refinement. Abstract data model is extracted 
from the same specifications for system verification. 
CANDLE program modules: contain a description of the 
dynamic behaviour of processes including communication 
and synchronisation. Declare broadcast channels, including 
message identifiers and their priorities. 
System architecture files: map processes to processors, com-
munication channels to CAN buses, etc.; describe the prop-
erties of system components, e.g. processors, CAN buses 
and hardware timers in order to allow the prediction of tim-
ing properties. 
Property specification file: a specification of system prop-
erties using a logic such as TCTL, a specification TA, or 
a regular expression. Can be used by model generator to 
optimise model for verification of specific properties. 
Fig. 6.3: CANDLE Development Environment: Architecture 
The CANDLE development environment is intended to meet these requirements 
in supporting the development of CAN-based embedded systems. It allows the 
integration of a variety of tools for implementation and validation. A key aspect 
of the environment in maintaining consistency and promoting usability is its use 
of the same set of inputs for system implementation and model generation, as 
shown in Figure 6.3. It is intended that system implementation in CANDLE 
will follow a similar path to ESTEREL [Ber98b] and AORTA [Bra95]. This will 
be the subject of a future research project and is not considered further here. 
The remainder of this section is devoted to the model generation and analysis 
components of the validation environment. 
[Figure 6.4 is an architecture diagram that is not reproduced here. Its boxes 
are labelled LIBRARIES (CANDLE, OPEN/CÆSAR); Code Timing Analysis, 
Module Expansion, CAN2BCAN, BCAN2C, SDML2C; KRONOS, UPPAAL, IF; 
and xsimulator, evaluator and one further tool whose label is illegible in the 
scan. Its legend follows.] 
.code Source and object code files of implemented system; pro-
duced by system generation component and required by 
model generation component for code timing analysis. 
.c Source code of the LTS module; combined with CANDLE 
and OPEN/CÆSAR libraries to produce executable analy-
sis program. 
.out Output of symbolic analysis: Reachability graph, Yes/No 
answer, Timed/Untimed diagnostic trace etc. 
Fig. 6.4: CANDLE Validation Environment: Architecture 
6.5.2 Validation Environment 
The validation environment of CANDLE consists of components for model gen-
eration and analysis. The core of the validation environment is organised ac-
cording to the principles of the OPEN/CÆSAR architecture [Gar98]. This ap-
proach means that the CADP tool box [FGK+96] and OPEN/KRONOS [Tri98] 
are immediately applicable to CANDLE programs; it also provides a very flexi-
ble mechanism for extending the validation environment in the future. The ar-
chitecture of the CANDLE validation environment is illustrated in Figure 6.4. 
Its main features are discussed in more detail below. 
6.5.3 The OPEN/CÆSAR Architecture 
The design of the OPEN/CÆSAR architecture evolved during the course of 
projects to extend the functionality of the CÆSAR compiler [Gar92], a transla-
tor from LOTOS programs to labelled transition systems. Functional extensions 
included tools for random execution, interactive simulation, behavioural equiv-
alence checking, temporal logic model-checking and test case generation. The 
desire to allow these tools to be used with languages other than LOTOS led to 
a design which encapsulates all language-dependent aspects. The final design 
offers a flexible and practical basis for the development of an open, extensible 
validation environment. 
Encapsulation of language dependencies is achieved in OPEN/CÆSAR by 
requiring that any source program is seen by the validation environment as 
simply a labelled transition system which implements a well-defined application 
programming interface (API). The LTS API provides access to a representation 
of states and labels, and primitive operations to compute the transition relation 
(i.e., the initial state and successors of a given state). Knowledge of a source 
program by validation tools is restricted to the LTS API, which is implemented 
by a C program generated by an OPEN/CÆSAR-compliant compiler for the 
source language. 
6.5.4 Model Generation 
CANDLE-OPEN is the OPEN/CÆSAR-compliant compiler for CANDLE (Fig-
ure 6.4). It translates a CANDLE program into a C program which implements 
the OPEN/CÆSAR LTS API, generating the CANDLE program's simulation 
graph on demand. CANDLE-OPEN defines interfaces which integrate a num-
ber of loosely coupled components. These components are described briefly 
below. 
• Code Timing Analysis: This component provides a connection to a 
program for calculating execution time bounds on sequential code frag-
ments. This can be used to obtain bounds for the data operations and 
expressions of the CANDLE program by analysing their implementations. 
Access to the source and object code files of the implementation is pro-
vided by the system generation module (Figure 6.3). The process map 
and processor models are given by the system architecture files. So far, 
we have experimented with the use of the CINDERELLA code timing 
analysis tool for 68000 micro-processors [LMW95]. Other code timing 
tools remain to be investigated. 
In the case that the implementation of some data operation is not avail-
able for analysis, as will be the case quite often in the early stages of a 
design, execution time bounds are obtained from the bounds clause of 
the SDML model of the operation. The user can configure the develop-
ment environment to obtain the bounds on each data operation either by 
analysis of its implementation, by examination of its bounds clause, or 
by user input via the keyboard. This allows the design to be explored in 
whatever way is judged to be most convenient or interesting. 
• Network Analysis: This component constructs the static network model 
which defines for each communication channel, its message set, message 
priorities and message transmission latencies. The message set and mes-
sage priorities of each channel are stated explicitly in the CANDLE pro-
gram. Calculation of transmission latencies depends upon the character-
istics of the physical communication links implementing the channels and 
upon the size of message packets. 
• Data Abstraction: This component constructs an abstract data model 
from a data specification. The abstract data model is described in SDML 
and currently is generated by the user. The integration into CANDLE-OPEN 
of a tool such as InVeSt [BLO98] to support the construction of the ab-
stract model is envisaged. 
• Module Expansion: This component constructs a 'flattened' CANDLE 
program by in-line expansion of all module instantiations. 
• CAN2BCAN, BCAN2C, SDML2C: These components combine to 
generate the C program which implements the LTS module. CAN2BCAN 
translates the flattened CANDLE program to its equivalent bCANDLE 
representation, using the techniques described in §6.4. BCAN2C gen-
erates the C functions to implement the algorithm described in §5.2 to 
compute the transition relation of the simulation graph. SDML2C gen-
erates C functions to implement the data operations and predicates. As 
an alternative to generating code to construct the simulation graph on-
the-fly, the user can choose to construct a TA in KRONOS .tg format, 
for later analysis. Although not yet implemented, other outputs which 
could be easily generated include UPPAAL .ta format [LPY97] and IF 
code [BFG+99b]. These may give access to a wider range of analyses and 
optimisations. 
Optimisation 
A variety of optimisations can be applied at several stages of the model gen-
eration process, in order to combat state explosion. For example, variable 
analysis [BFG99a, SS98] can improve the quality of C functions generated by 
BCAN2C and SDML2C, by identifying dead variables which can be consis-
tently reset. In addition, it seems possible to take advantage of program slicing 
techniques [CDH+00, HDZ00, LS98], which can reduce the size of a model by 
removing those parts of it which cannot affect the outcome of the analysis of 
some specified property. Application of such optimisations remains to be inves-
tigated. 
6.5.5 Model Exploration 
A variety of tools can be applied to the exploration of generated LTS models. 
Many are provided by exploration modules from CADP or OPEN/KRONOS; 
the generator module has been developed specifically for CANDLE, in order 
to experiment with the MA state storage technique described in Chapter 5. 
• xsimulator is an interactive simulator allowing step-by-step exploration 
of the simulation graph in a window-based environment. 
• evaluator implements local and global algorithms for on-the-fly model-
checking of the branching μ-calculus. 
• exhibitor performs a depth-first or breadth-first search for a finite un-
timed trail matching an input regular expression. 
• profounder is an OPEN/KRONOS module which implements an algo-
rithm to test for language emptiness of the simulation graph and a spec-
ification TBA. 
• generator builds the simulation graph of the system, using one of several 
user-specified state storage mechanisms. 

module Boiler is 
behaviour 
  WaterLevel[Msecs(5)/WL_READY_PERIOD, 
             Msecs(10)/WL_NORMAL_PERIOD, w1/w] 
  Controller[Msecs(15)/SENSOR_TIMEDOUT, w2/w] 
end module 
Fig. 6.5: The Steam Boiler module 
6.6 An example 
In this section, we give an example of the use of CANDLE in modelling a 
slightly larger control system. The example is a modified version of the steam 
boiler control problem [ABL96]. 
6.6.1 The CANDLE program 
We consider a system comprising a steam boiler, a pump, and a water-level 
sensor. We assume that the pump controls the flow of water into the boiler and 
that steam is drawn off via a steam outlet pipe. The water-level sensor gives 
the level of water in the tank. The purpose of the control program is to ensure 
that the water level is maintained within minimum and maximum bounds, or 
to shutdown the system if failure of the water-level sensor is detected. 
The main program module is Boiler, shown in Figure 6.5. It shows that the 
system is structured as the parallel composition of three processes: WaterLevel, 
Pump and Controller, which are described in Figures 6.6 and 6.7. Figure 6.8 
shows the data module for the system. 
Each process executes three phases: local initialisation, ready and normal. 
• In the local initialisation phase, a process resets its devices and initialises 
its local data. It is assumed that the system is started with the water 
level in the boiler between low and high, and the pump off. 
• In the ready phase, the WaterLevel and Pump processes repeatedly trans-
mit a ready message until they receive a start message from the Controller. 
The start message is broadcast by Controller after it has received a ready 
message from both WaterLevel and Pump. 
• In normal operation, WaterLevel repeatedly reads the water-level sensor, 
updating a data variable with the current sensor value before broadcast-
ing the value on channel k. The Controller process receives the sensor 
value from channel k and stores it in a data variable. IsLowLevel and 
IsHighLevel are boolean functions on the data state, used to test the 
value of the water level variable. If the level is too high, a message is sent 
to turn off the pump; if the level is too low, a message is sent to turn on 
the pump; otherwise the pump is left in its current state. If Controller 
does not receive a water-level message before timing out, it is assumed 
that the water-level sensor is faulty and a shutdown message is broadcast 
which brings the operation of the system to a halt with the pump turned 
off. We assume that the system is then made safe manually. 

module WaterLevel is 
const 
  WL_READY_PERIOD : duration; 
  WL_NORMAL_PERIOD : duration 
type 
  water_level 
procedure 
  InitSensor(out water_level); 
  ReadSensor(out water_level) 
channel 
  k : (shutdown.unit, 
       level.water_level, 
       start.unit, 
       sensor_ready.unit) 
var 
  w : water_level 
behaviour 
  InitSensor(w); 
  select 
  :: rcv(k,start) 
  in 
    every WL_READY_PERIOD do 
      snd(k,sensor_ready) 
    end every 
  end select; 
  select 
  :: rcv(k,shutdown); idle 
  in 
    every WL_NORMAL_PERIOD do 
      ReadSensor(w); 
      snd(k,level.w) 
    end every 
  end select 
end module 
(a) 

module Pump is 
const 
  PUMP_READY_PERIOD : duration 
type 
  pump_status 
procedure 
  InitPump(out pump_status); 
  PumpOn(out pump_status); 
  PumpOff(out pump_status) 
channel 
  k : (shutdown.unit, 
       pump_off.unit, 
       pump_on.unit, 
       start.unit, 
       pump_ready.unit) 
var 
  p : pump_status 
behaviour 
  InitPump(p); 
  select 
  :: rcv(k,start) 
  in 
    every PUMP_READY_PERIOD do 
      snd(k,pump_ready) 
    end every 
  end select; 
  select 
  :: rcv(k,shutdown); PumpOff(p); idle 
  in 
    loop do 
      select 
      :: rcv(k,pump_on); PumpOn(p) 
      :: rcv(k,pump_off); PumpOff(p) 
      end select 
    end loop 
  end select 
end module 
(b) 
Fig. 6.6: Water-level Sensor and Pump modules 
module Controller is 
const 
  SENSOR_TIMEDOUT : duration 
type 
  water_level 
procedure 
  InitController(out water_level) 
function 
  IsHighLevel(water_level) : boolean; 
  IsLowLevel(water_level) : boolean 
channel 
  k : (shutdown.unit, pumpoff.unit, pumpon.unit, 
       level.water_level, start.unit, pump_ready.unit, 
       sensor_ready.unit) 
var 
  w : water_level 
behaviour 
  InitController(w); 
  select 
  :: rcv(k,sensor_ready); rcv(k,pump_ready) 
  :: rcv(k,pump_ready); rcv(k,sensor_ready) 
  end select; 
  snd(k,start); 
  loop do 
    select 
    :: rcv(k,level.w); 
       if IsHighLevel(w) then snd(k,pump_off) 
       elsif IsLowLevel(w) then snd(k,pump_on) 
       end if 
    :: elapse SENSOR_TIMEDOUT; snd(k,shutdown); idle 
    end select 
  end loop 
end module 
Fig. 6.7: Controller module 

6.6.2 The bCANDLE model 
The CANDLE program for the steam boiler can be translated into a bCANDLE 
model, as shown in Figure 6.9. 
We have made a number of simplifying assumptions in order to clarify the 
relationship between the program and its model: 
• Each process is allocated to its own dedicated processor. 
• All processors run at the same speed, where 1 clock cycle is assumed to 
be 1 µsec, which is assumed to be equivalent to 1 unit of duration. 
• The bus implementing channel k runs at 10^6 bit/s, i.e. 1 bit is transmitted 
in 1 µsec. 
• The bounds on all pre_snd, post_snd, pre_rcv and post_rcv operations 
are 0, and so these operations have been omitted from the model. 
The description of process behaviour in Figure 6.9 has been derived using 
the translation method described earlier, with the assumptions stated above and 
with some small modifications to aid readability: recursion is expressed using 
the equational style, rather than by using explicit rec terms; 'extra' equational 
definitions have been introduced to emphasise the initialisation, ready and nor-
mal phases of process behaviour. 

data Boiler is 
type water_level is {low, ok, high} 
type pump_status is {on, off} 
procedure 
  InitSensor(out wl : water_level) is bounds Cycles(300); Cycles(350) 
    begin wl := ok end; 
  InitPump(out p : pump_status) is bounds Cycles(250); Cycles(1500) 
    begin p := off end; 
  InitController(out wl : water_level) is bounds Cycles(400); Cycles(500) 
    begin wl := ok end; 
  PumpOn(out p : pump_status) is bounds Cycles(200); Cycles(300) 
    begin p := on end; 
  PumpOff(out p : pump_status) is bounds Cycles(200); Cycles(300) 
    begin p := off end; 
  ReadSensor(out wl : water_level) is bounds Cycles(50); Cycles(75) 
    begin wl := any water_level end 
function 
  IsHighLevel(wl : water_level) : boolean is bounds Cycles(10); Cycles(15) 
    begin return (wl = high) end; 
  IsLowLevel(wl : water_level) : boolean is bounds Cycles(10); Cycles(15) 
    begin return (wl = low) end 
end data 
Fig. 6.8: Steam Boiler Data Module 
The network section of the model is derived from the CANDLE channel 
declarations and the assumptions about the underlying communication mech-
anism. It defines the network structure - in this case, simply a single channel 
- giving the priority of messages and the transmission latency function. Notice 
that all messages, except level messages, consist only of a message identifier, 
whereas level messages contain a water level value in addition to the message 
identifier, and hence have a greater pre-acceptance latency. 
The data section declares the names of the data variables used in the model. 
The bCANDLE data environment is constructed from the SDML data module 
in a straightforward way, as described in §6.4.3. We do not elaborate the data 
environment here. 
WaterLevel | Pump | Controller 
where 
WaterLevel = [InitSensor:300,350]; WL_Ready; WL_Normal 
WL_Ready   = WL_Ready0 [> k?start._ 
WL_Ready0  = k!sensor_ready._ ; idle 
             [> [WL_ReadyPeriod:5000,5100]; WL_Ready0 
WL_Normal  = {WL_Normal0 [> k?shutdown._ ; idle} 
WL_Normal0 = [ReadWaterLevel:50,75]; k!level.w1 ; idle 
             [> [WL_NormalPeriod:10000,10250]; WL_Normal0 
Pump       = [InitPump:250,1500]; P_Ready; P_Normal 
P_Ready    = P_Ready0 [> k?start._ 
P_Ready0   = k!pump_ready._ ; idle 
             [> [P_ReadyPeriod:5000,5100]; P_Ready0 
P_Normal   = {P_Normal0 [> k?shutdown._ ; [PumpOff:200,300]; idle} 
P_Normal0  = {k?pumpon._ ; [PumpOn:200,300] + 
              k?pumpoff._ ; [PumpOff:200,300]}; P_Normal0 
Controller = [InitController:400,500]; C_Ready; C_Normal 
C_Ready    = {k?sensor_ready._ ; k?pump_ready._ + 
              k?pump_ready._ ; k?sensor_ready._}; k!start._ 
C_Normal   = {k?level.w2; 
              [TestHighLevel:10,15]; 
              {HighLevel -> k!pumpoff._ + 
               notHighLevel -> 
                 [TestLowLevel:10,15]; 
                 {LowLevel -> k!pumpon._ + 
                  notLowLevel -> null}}; 
              C_Normal 
              + 
              [SensorTimedOut:15000,15500]; k!shutdown._ ; idle} 
network 
/*               Pri dlb dub dlB duB */ 
k = {shutdown      1, 35, 43, 11, 13; 
     pumpoff       2, 35, 43, 11, 13; 
     pumpon        3, 35, 43, 11, 13; 
     level         4, 43, 53, 11, 13; 
     start         5, 35, 43, 11, 13; 
     pump_ready    6, 35, 43, 11, 13; 
     sensor_ready  7, 35, 43, 11, 13 
    } 
data w1, w2, p 
Fig. 6.9: A bCANDLE model for a simple boiler controller 

6.6.3 Analysis of the model 
The CANDLE-OPEN environment can be used to generate the simulation 
graph of the bCANDLE model, and to explore it interactively, or exhaustively, 
to ensure that it exhibits desirable behaviour. In this case, generator produces 
the graph in less than a second on a 233MHz Pentium II, running RedHat Linux 
5.2. The output 

generator: Release 1.1.1 Thu Oct 27 22:03:15 GMT 2000 
Simulation Graph: Boiler 
#states 1963 
#trans 2661 
#matrices 1123 

shows the number of states and transitions in the simulation graph. The number 
of matrices indicates the number of distinct clock zones explored. It is worth 
noting that the simulation graph for the boiler control system is very much 
smaller than the equivalent TA generated from the bCANDLE model using the 
standard techniques of Chapter 4. That TA has more than 500,000 locations, 
exceeding the capacity of model checkers such as KRONOS. This is a clear 
indication of the benefit of generating the simulation graph 'on-the-fly'. The 
application of clock activity reduction to the example reduces the number of 
clocks required from 12 to 5. This also has a significant effect on the size of the 
model, reducing the number of states in the simulation graph from > 115,000 
to 1963. 
The simulation graph can be checked for a variety of properties, which 
increase confidence in the correctness of the control system. A number of simple 
properties, which the graph satisfies, are discussed below. 
Notation. Notice that the properties are expressed using predicates over the 
state variables, rather than using a propositional encoding as required by KRO-
NOS. The status and pending message queue of a channel k are denoted k.status 
and k.queue, respectively. See §3.4.1 for an explanation of other channel nota-
tion. 
1. Basic 'sanity' checks: 
(a) The model is non-Zeno. 
$init \Rightarrow \forall\Box\, \exists\Diamond_{=1}\, true$ 
(b) Whenever the channel is not busy, and there are messages pending 
transmission, the channel begins transmitting a message immedi-
ately. 
$\forall\Box\,((k.status = FREE \wedge k.queue \neq \emptyset) \Rightarrow \forall\Diamond_{=0}\; k.status = PRE)$ 
In fact, it can be shown that any persistent bCANDLE model satisfies 
these properties. However, failure to satisfy either property alerts the 
user to a fundamental error in the construction of the model. 
2. Properties of the communication system: 
(a) A pending message is never overwritten, i.e. once a message is 
queued, it will be transmitted before another message with the same 
identifier is queued. 
$\forall\Box\,(enable(k!i.\_) \Rightarrow \forall j \in dom(k.queue)\,.\; k.queue[j] \neq i.\_)$ 
(b) When any message transmission reaches the acceptance point, some 
process will be able to accept the message. 
$\forall\Box\,(enable(k{\uparrow}m) \Rightarrow \forall\Diamond_{=0}\; enable(k?m))$ 
(c) The time between acceptance tests for any type of message is at least 
t. 
Of course, there are many systems for which these properties are not 
required. But, very often, the failure of one or more of them is an indica-
tion of a flaw in the implementation of the control system. For example, 
property (c) is helpful in checking the behaviour of a multi-tasking node 
implemented with round robin scheduling and polled communication, as 
the value of t for any channel and message type should not be less than 
the quantum of the scheduler, otherwise messages may be lost. 
3. Basic response properties: 
(a) If a low water level is detected, then the pump will be on within 
1 msec. 
$\forall\Box\,(wl = low \Rightarrow \forall\Diamond_{\leq 1000}\,(p = on))$ 
(b) If a high water level is detected, then the pump will be off within 
1 msec. 
$\forall\Box\,(wl = high \Rightarrow \forall\Diamond_{\leq 1000}\,(p = off))$ 
4. Further response properties: 
(a) If it is not possible for the Controller to receive a level message 
immediately, then, within 16 msecs, it can receive such a message, or 
it will transmit the shutdown message. 
$\forall\Box\,(\neg enable(k?level.\_) \Rightarrow \forall\Diamond_{\leq 16000}\,(enable(k?level.\_) \vee enable(k!shutdown)))$ 
(b) If transmission of the shutdown message is enabled, then, within 
1 msec, the pump is turned off and the system idles. 
$\forall\Box\,(enable(k!shutdown) \Rightarrow \forall\Diamond_{\leq 1000}\,(p = off \wedge \forall\Box\,(\neg enable(\_))))$ 
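The timing behind properties 3 and 4 can be exercised on a single worst-case trace of the model. What follows is an added example written for this page, not code from the thesis or from the CANDLE-OPEN tool: a Python discrete-event simulation of the normal phase of Figure 6.9, in which channel k is arbitrated by message priority and passes through the FREE, PRE and POST phases using the upper latency bounds of the network section, the three processes run at their upper bounds, and the pump response times behind 3(a), 3(b) and 4(b) are measured from the trace. It assumes the ready phase has completed, a constructed sequence of sensor readings whose end stands in for a failed sensor, and that shutdown only reaches an idle pump; one trace is evidence, not the exhaustive check that the simulation graph provides.

```python
import heapq
from itertools import count
# Network section of Fig. 6.9 (normal-phase ids): priority, pre-acceptance lo/hi, post lo/hi, usec.
NETWORK = {"shutdown": (1, 35, 43, 11, 13), "pumpoff": (2, 35, 43, 11, 13),
           "pumpon": (3, 35, 43, 11, 13), "level": (4, 43, 53, 11, 13)}
FREE, PRE, POST = "FREE", "PRE", "POST"        # the k.status values used in the properties

class Sim:
    def __init__(self):
        self.now, self.heap, self.seq, self.log = 0, [], count(), []
        self.status, self.queue, self.waiting, self.epoch = FREE, [], [], {}
    def at(self, delay, fn, *args):
        heapq.heappush(self.heap, (self.now + delay, next(self.seq), fn, args))
    def snd(self, msg, val=None):
        # Property 2(a): a pending message is never overwritten by one with the same id.
        assert all(m != msg for m, _ in self.queue), f"{msg} queued twice"
        self.queue.append((msg, val))
        self.log.append((self.now, "snd", msg, val))
        if self.status == FREE:      # Property 1(b): a free channel starts transmitting at once
            self.start_tx()
    def start_tx(self):
        self.queue.sort(key=lambda mv: NETWORK[mv[0]][0])   # CAN arbitration: lowest number wins
        self.status, (msg, val) = PRE, self.queue.pop(0)
        self.at(NETWORK[msg][2], self.accept, msg, val)      # worst-case pre-acceptance latency
    def accept(self, msg, val):
        self.status = POST           # acceptance point: all processes waiting for this id get it
        self.at(NETWORK[msg][4], self.release)               # worst-case post-acceptance latency
        for ids, proc in list(self.waiting):
            if msg in ids:
                self.waiting.remove((ids, proc))
                self.resume(proc, (msg, val))
    def release(self):
        self.status = FREE
        if self.queue:
            self.start_tx()
    def resume(self, proc, value=None):
        # Processes are generators yielding ("wait", d) or ("rcv", ids, timeout_or_None).
        self.epoch[proc] = self.epoch.get(proc, 0) + 1       # invalidates any older timeout
        try:
            cmd = proc.send(value)
        except StopIteration:
            return                                           # the process has gone idle
        if cmd[0] == "wait":
            self.at(cmd[1], self.resume, proc, "woke")
        else:
            self.waiting.append((cmd[1], proc))
            if cmd[2] is not None:
                self.at(cmd[2], self.timeout, proc, self.epoch[proc])
    def timeout(self, proc, epoch):
        if self.epoch[proc] == epoch:   # still in the same rcv: nothing arrived in time
            self.waiting = [w for w in self.waiting if w[1] is not proc]
            self.resume(proc, ("timeout", None))
    def run(self, until):
        while self.heap and self.heap[0][0] <= until:
            self.now, _, fn, args = heapq.heappop(self.heap)
            fn(*args)

def water_level(sim, readings, state):
    # WL_Normal0: read, broadcast level.w1, repeat each WL_NormalPeriod (readings end = sensor fault).
    for r in readings:
        yield ("wait", 75)                               # ReadWaterLevel upper bound
        state["w1"] = r
        sim.log.append((sim.now, "w1", r, None))
        sim.snd("level", r)
        yield ("wait", 10250 - 75)                       # rest of the period, upper bound

def controller(sim, state):
    # C_Normal: accept a level message, test it, command the pump; shutdown on SensorTimedOut.
    while True:
        msg, val = yield ("rcv", {"level"}, 15500)
        if msg == "timeout":
            sim.snd("shutdown")
            return
        yield ("wait", 15 if val == "high" else 30)      # TestHighLevel (+ TestLowLevel)
        if val == "high":
            sim.snd("pumpoff")
        elif val == "low":
            sim.snd("pumpon")

def pump(sim, state):
    # P_Normal: obey pumpon/pumpoff; shutdown turns the pump off and the process idles.
    while True:
        msg, _ = yield ("rcv", {"pumpon", "pumpoff", "shutdown"}, None)
        yield ("wait", 300)                              # PumpOn/PumpOff upper bound
        state["p"] = "on" if msg == "pumpon" else "off"
        sim.log.append((sim.now, "p", state["p"], None))
        if msg == "shutdown":
            return

def boiler_run(readings=("ok", "low", "ok", "high", "ok"), until=200_000):
    sim, state = Sim(), {"w1": "ok", "p": "off"}
    for proc in (water_level(sim, readings, state), controller(sim, state), pump(sim, state)):
        sim.resume(proc)
    sim.run(until)
    return state, sim.log

def response_times(log):
    # usec from w1 := low/high to the pump being on/off (3(a), 3(b)) and from the shutdown
    # command to the pump being off (4(b)); the caller compares each against 1000.
    want = {("w1", "low"): "on", ("w1", "high"): "off", ("snd", "shutdown"): "off"}
    return [(kind, arg, next(t2 for t2, k, a, _ in log[i:] if k == "p" and a == want[kind, arg]) - t)
            for i, (t, kind, arg, _) in enumerate(log) if (kind, arg) in want]
```

On the constructed readings every measured latency is a few hundred microseconds, well inside the 1 msec bound, and the assertion in snd is property 2(a) checked on the fly.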
Verification of some control system properties is most conveniently under-
taken by an analysis of the control system model in conjunction with a model 
of its environment. For example, to verify that the boiler control system al-
ways maintains the level of water within acceptable bounds, a model of the 
boiler can be constructed, including aspects of its behaviour such as: the rate 
of flow of water from the pump; the response lag of the pump to a control 
command; the rate of flow of steam from the boiler, and so on. Henzinger and 
Wong-Toi [HWT96] describe a hybrid automata model of a steam boiler, which 
could form the basis of a suitable environmental model for composition with 
our model of the boiler control system. As usual, the limiting factor is the 
state explosion problem. A benefit of our approach is that it is possible to take 
advantage of a minimisation tool, such as minim [Tri98], in order to reduce the 
size of the control system model before composing it with an environmental 
model. 
6.7 Conclusions and Related Work 
6.7.1 Conclusions 
We have defined a programming language for broadcasting embedded control 
systems. The language has many of the constructs which one would expect 
in a modern, real-time language [BW01], and it has been shown that the pro-
cess language bCANDLE is expressive enough to give a semantics to these 
constructs in a natural way. We have described a development and validation 
environment which integrates a variety of languages and tools. In particular, 
the environment supports the translation of CANDLE programs to TA, en-
abling the application of tools such as KRONOS and CADP for validation. 
Future work will include further development of the language, in particular to 
improve the module system, and also further development of the tool support. 
Automation of the development of executable abstract data models from B or 
VDM specifications is also of interest. An important focus of future work will be 
the efficient composition of control system models with environmental models 
in order to allow validation of a wider range of system properties. Finally, more 
experience is needed of applying both language and tools to a wider range of 
case studies, so that the techniques can be tested on examples which are more 
realistic in terms of their size and complexity than those which are described 
in this chapter. 
6.7.2 Related Work 
ESTEREL [BG92] is the classical example of a language which supports both 
the development and validation of embedded systems. It represents the syn-
chronous approach which has been so effective in the uniprocessor domain. 
Interest in the application of model-checking to asynchronous systems is com-
paratively recent. One of the first tools for untimed systems is VeriSoft [God97] 
which supports stateless search in the verification of C programs. Holzmann and 
Smith [HS99] describe an approach in which a SPIN [Hol97] model is extracted 
from an annotated C program, allowing the checking of properties specified in 
LTL. Related approaches to the verification of Java programs are described by 
Havelund and Pressburger [HP00] and Corbett et al. [CDH+00]. The latter 
work builds upon experience gained in applying similar techniques to the ver-
ification of Ada programs [DPC98]. Huch [Huc99] has developed a dedicated 
model checker for a subset of Erlang - an untyped higher-order concurrent 
functional language with asynchronous communication primitives. All of these 
approaches employ techniques to construct an abstract model using only the 
source code of the program to be verified. Our approach enforces a clear sepa-
ration of control algorithms and sequential data operations, and assumes that 
abstract specifications are available for the latter. We believe that these speci-
fications will prove to be a better starting point for the construction of efficient 
models. 
In the case of timed systems, the work of Corbett [Cor96] is the most am-
bitious in its choice of input language. He describes a method for translating 
(a subset of) Ada programs into hybrid automata, so enabling the checking of 
a variety of temporal properties using the HyTech [HHWT97] model checker. 
His models can accommodate fixed priority pre-emptive scheduling of concur-
rent tasks but he considers only uniprocessor systems, deferring distributed 
systems to further work. Hune [Hun99] considers the problem of using UP-
PAAL [LPY97] for verifying programs executing on the LEGO RCX brick. 
The LEGO RCX brick is part of the LEGO MINDSTORMS range of LEGO 
toys. It contains a micro-processor and is equipped with three sensors, three 
actuators and an infra-red port for communication to enable program down-
loading. Hune describes a translation from the RCX assembly language into 
a network of TA described using the UPPAAL input language. Again, the 
work is restricted to uniprocessor systems; the scheduling policy is round-robin. 
Iversen et al. [IKL+00] also consider the same problem, but allow the use of 
a more expressive programming language, NQC (Not Quite C), which is a re-
stricted form of C. Dierks [Die01] introduces PLC-automata with a view to 
developing and analysing real-time systems implemented with programmable 
logic controllers. He describes a method for translating PLC-automata to timed 
automata so that KRONOS and UPPAAL can be used for the analysis. 
This brief survey of related work is evidence of the recent interest in apply-
ing model-checking to the analysis of embedded system implementations. We 
believe that the work described in this chapter is the first to present a gen-
eral method for real-time model-checking of distributed, high-level programs 
implemented on an industry-standard, broadcast network. 
7. CONCLUSIONS AND FURTHER WORK 
7.1 Conclusions 
Formal methods can be useful for gaining confidence in the correct behaviour of 
systems. Expressive languages and automatic analysis techniques are needed to 
promote the acceptance of formal methods in industry. For embedded systems, 
such languages and techniques should allow the expression of, and reasoning 
about, real-time properties. For a large class of embedded systems, broad-
cast communication is an implementation primitive and should be accommo-
dated comfortably within a formal method intended for application in that 
domain. This dissertation has proposed a formal language which is claimed to 
satisfy these requirements, at least partially. Our approach has been to define 
a language in which process behaviour can be described using a few primitive 
operators, including operators for the sending and receiving of broadcast mes-
sages. The communication semantics is an abstraction of the CAN protocol 
and models both message priority and communication latency. This language 
has proved suitable as a bridge between the high-level expression of embedded 
system models and their low-level representation in a form which is appropriate 
for the application of a wide variety of analysis techniques. We have demon-
strated how the most efficient of current methods can be applied to models 
expressed in our language. In particular, we have given an algorithm for on-
the-fly generation of the simulation graph, including clock activity reduction. 
This provides a foundation for the application of methods such as reachabil-
ity analysis, model checking, TBA emptiness, minimisation and time-abstract 
bisimulation, as implemented in tools such as KRONOS, UPPAAL and CADP. 
In addition, we have demonstrated the use of minimised automata for compact 
state space representation. Minimised automata have been employed in the 
model checking tool SPIN for the analysis of untimed, asynchronous models. 
They are applied here, for the first time, in the analysis of timed system models 
and we give experimental data to confirm their utility. 
7.2 Further Work 
The expressiveness of our language is restricted in several ways. For example, 
we do not allow control to depend explicitly on the time of event occurrences, 
nor is it possible for an interrupted task to resume execution from its point of 
interruption. Both features are available in ET-LOTOS [Her98], for example. 
More seriously, we cannot model multi-tasking systems in which the CPU re-
source is allocated to tasks using a more sophisticated scheduling policy than 
round-robin, e.g., a fixed priority preemptive policy. It also remains to consider 
the modelling of the occurrence of faults in broadcast message transmission. 
It is not difficult to see how some of these additional features could be ac-
commodated, e.g. an explicit scheduler could be added to the execution model, 
as could a 'daemon' for fault injection. The problem is to cope with the ex-
tra complexity and its effect on state explosion. The addition of such features 
almost certainly leads to a hybrid system model for which many verification 
problems become either undecidable or, at best, even more resource demand-
ing [HKPV95]. 
Even without adding to the complexity of the language, further work is 
needed on state space explosion. Some obvious lines of inquiry are suggested at 
the end of Chapter 5, where work on variable ordering and live variable analysis 
has the potential to bring reductions in the size of the discrete state space. Also 
of interest is investigation of the use of partial order reduction and symbolic 
clock constraint representations. In particular, research is needed to compare 
the performance of DDD's with that of MA's when applied to typical asyn-
chronous broadcast systems, especially when considered in combination with 
reduction techniques such as partial order and inclusion/convex hull abstrac-
tions, where the use of MA's seems to offer a prima facie advantage. 
One can imagine that more use can be made of the high-level, algebraic 
structure apparent in the models, to transform them into more space-efficient, 
equivalent representations. This should be possible at all levels, from the high-
level CANDLE model, through the bCANDLE and net representations, to the 
timed automaton. Undoubtedly, compositional techniques will be required in 
order to extend a fully automated approach to industrial-scale systems. 
Finally, further work remains on a number of pragmatic issues affecting 
industrial usage of the technology: at a high-level, the issue of requirements 
capture and their relationship to formal specifications; at a low-level, the formal 
specification and implementation of an execution environment which satisfies 
the abstraction assumptions of Chapter 3. 
Some progress has been made but much remains to be done before it will 
be possible to realise Pnueli's vision of a seamless development process [Pnu99] 
for broadcasting embedded control systems. 
APPENDIX 
A. FLOW REGULATOR TA 
A.1 KRONOS .tg Format 
The KRONOS .tg format adopts the following conven-
tions in the presentation of a TA. Each location is identi-
fied by a unique integer introduced by the keyword state. 
The location invariant is shown following the keyword 
invar and outgoing edges following the keyword trans. 
Each edge is of the form guard => label ; reset{ B }; goto 
target, where =>, reset and goto are keywords, guard is 
a clock condition, label is the edge label, B is a set of 
clocks and target is an integer identifying the target lo-
cation of the edge. The bCANDLE translator introduces 
further conventions with respect to the structure of la-
bels: communications of the form k!i.x and k?i.x are la-
belled SND_k_i_v and RCV_k_i_v, respectively, where k and 
i are shown as their internal integer representations and 
v is the value of x in the current data environment. Sim-
ilarly, the network action labels, k__i.v, kri.v, I.V__k, 
and kl. are shown as FP_k_i_v, P~_v, AP_k, and PP_k, 
respectively. Operation names are prefixed with OP_ and 
predicate names with PRED_. 
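As an added example (not part of the thesis or of KRONOS), here is a Python reader for listings in the form just described, assuming the layout of the A.2 listing: a #states/#trans/#clocks header, the state:/invar:/trans: keywords, one edge per line written guard => label; RESET{ clocks }; goto target, and the SND_/RCV_/OP_/PRED_/FP_/AP_/PP_ label prefixes. It checks the listing's structural consistency and reports declared clocks that no guard or invariant tests, a crude stand-in for the clock activity analysis referred to in Chapter 5; the sample listing is constructed, not taken from the Flow Regulator TA.

```python
import re
from dataclasses import dataclass, field

# Layout assumed from A.1/A.2: a "#states N", "#trans N", "#clocks c1 c2 ..." header, then per
# location "state: N", an optional "invar: <clock condition>", "trans:" and one edge per line
# written "guard => label; RESET{ c1 c2 }; goto N".
EDGE_RE = re.compile(r"^(?P<guard>.+?)\s*=>\s*(?P<label>[^;\s]+)\s*;\s*reset\{(?P<resets>[^}]*)\}"
                     r"\s*;\s*goto\s+(?P<target>\d+)\s*$", re.IGNORECASE)
KINDS = {"SND_": "send", "RCV_": "receive", "OP_": "operation", "PRED_": "predicate",
         "FP_": "network", "AP_": "network", "PP_": "network"}   # label prefixes of A.1

@dataclass
class Edge:
    guard: str
    label: str
    resets: tuple
    target: int

@dataclass
class TimedAutomaton:
    header: dict = field(default_factory=dict)       # states/trans as int, clocks as tuple
    invariants: dict = field(default_factory=dict)   # location -> invariant text
    edges: dict = field(default_factory=dict)        # location -> [Edge]

def parse_tg(text):
    ta, loc = TimedAutomaton(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "trans:":
            continue
        if line.startswith("#"):
            key, _, rest = line[1:].partition(" ")
            ta.header[key] = tuple(rest.split()) if key == "clocks" else int(rest)
        elif line.startswith("state:"):
            loc = int(line.partition(":")[2])
            ta.invariants[loc], ta.edges[loc] = "TRUE", []   # no invar line: no constraint
        elif line.startswith("invar:"):
            ta.invariants[loc] = line.partition(":")[2].strip()
        else:
            m = EDGE_RE.match(line)
            if m is None or loc is None:
                raise ValueError(f"unparsable edge line: {line!r}")
            ta.edges[loc].append(Edge(m["guard"], m["label"], tuple(m["resets"].split()),
                                      int(m["target"])))
    return ta

def label_kind(label):
    return next((kind for prefix, kind in KINDS.items() if label.startswith(prefix)), "other")

def check(ta):
    # Structural consistency: header counts match, goto targets exist, resets name declared clocks.
    clocks, problems = ta.header.get("clocks", ()), []
    n_trans = sum(len(es) for es in ta.edges.values())
    if ta.header.get("states") != len(ta.invariants):
        problems.append(f"#states {ta.header.get('states')} but {len(ta.invariants)} locations")
    if ta.header.get("trans") != n_trans:
        problems.append(f"#trans {ta.header.get('trans')} but {n_trans} edges")
    for loc, es in ta.edges.items():
        for e in es:
            if e.target not in ta.invariants:
                problems.append(f"location {loc}: goto {e.target} has no such location")
            for c in e.resets:
                if c not in clocks:
                    problems.append(f"location {loc}: reset of undeclared clock {c}")
    return problems

def untested_clocks(ta):
    # Declared clocks that no guard or invariant mentions: they cannot influence behaviour,
    # a crude stand-in for the clock activity analysis referred to in Chapter 5.
    conds = list(ta.invariants.values()) + [e.guard for es in ta.edges.values() for e in es]
    return tuple(c for c in ta.header.get("clocks", ())
                 if not any(re.search(rf"\b{re.escape(c)}\b", s) for s in conds))

# Constructed listing in the style of A.2 (not taken from the Flow Regulator TA).
SAMPLE_TG = """\
#states 3
#trans 4
#clocks H1 H2 H3 H5
state: 0
invar: H3 <= 90 AND H5 <= 10250
trans:
H3 >= 85 => OP_ReadSensor; RESET{ H1 }; goto 1
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 0
state: 1
invar: H1 <= 0 AND H5 <= 10250
trans:
TRUE => SND_0_0_0; RESET{ H1 }; goto 2
state: 2
invar: H5 <= 10250
trans:
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 0
"""
```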
A.2 Flow Regulator TA 
#states 48 
#trans 146 
#clocks H1 H2 H3 H4 H5 
stat.: 
inver: H3 <- 90 AND H5 <- 10250 
trans: 
83 >- 85 -> OP _ReaciSensor i RESBT{ 81 } i goto 1 
H5 )- 10000 -) OP .PEIIIOD; Rl!SET{ HI B3 H5 }; goto ° 
state: 
invar: 81 <- 0 AND 86 <- 10260 
B5 )= 10000 -) OP _PERIOD; Rl!SET{ HI R3 H5 }; go.o 6 
R2 ). 43 =) Pl_0_0_0; Rl!SET{ HI }; go.o 9 
state: 7 
invar: 81 <= 0 1JfD H5 <- 10250 
trans: 
as )- 10000 -) OP _PERIOD; Rl!SET{ HI H3 115 }; ",'0 9 
true .) llCV_O_O_O; Rl!SET{ HI B4 }; goto 10 
state: 
invar: 112 <- 63 .l!lD 81 <- ° UD 85 <- 10250 
tran.: 
true -) SRD_O_O_O; Rl!SET{ BI }; go.o 11 
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto
H2 >= 43 => PA_0_0_0; RESET{ H1 }; goto 12
state:
invar: H1 <= 0 AND H3 <= 90 AND H5 <= 10250
trans:
H3 >= 85 => OP_ReadSensor; RESET{ H1 }; goto 12
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 9
true => RCV_0_0_0; RESET{ H1 H4 }; goto 13
state: 10
invar: H1 <= 0 AND H5 <= 10250 AND H4 <= 300
trans:
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 13
H4 >= 200 => OP_AdjustValve; RESET{ H1 }; goto 1
true => AP_0; RESET{ H1 H2 }; goto 14
state: 11
invar: H2 <= 63 AND H5 <= 10250
trans:
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 15
H2 >= 43 => PA_0_0_0; RESET{ H1 }; goto 15
state: 12
invar: H1 <= 0 AND H1 <= 0 AND H5 <= 10250
trans:
true => SND_0_0_0; RESET{ H1 }; goto 16
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 9
true => RCV_0_0_0; RESET{ H1 H4 }; goto 17
state: 13
trans:
true => SND_0_0_0; RESET{ H1 }; goto 2
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 0
state:
invar: H1 <= 0 AND H5 <= 10250
trans:
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 3
true => FP_0_0_0; RESET{ H1 H2 }; goto 4
state:
invar: H1 <= 0 AND H3 <= 90 AND H5 <= 10250
trans:
H3 >= 85 => OP_ReadSensor; RESET{ H1 }; goto
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 3
true => FP_0_0_0; RESET{ H1 H2 }; goto 6
state: 4
invar: H2 <= 63 AND H5 <= 10250
trans:
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 6
H2 >= 43 => PA_0_0_0; RESET{ H1 }; goto 7
state: 5
invar: H1 <= 0 AND H1 <= 0 AND H5 <= 10250
trans:
true => SND_0_0_0; RESET{ H1 }; goto 2
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 3
true => FP_0_0_0; RESET{ H1 H2 }; goto 8
state: 6
invar: H2 <= 53 AND H3 <= 90 AND H5 <= 10250
trans:
H3 >= 85 => OP_ReadSensor; RESET{ H1 }; goto 8
state:
invar: H1 <= 0 AND H3 <= 90 AND H5 <= 10250 AND H4 <= 300
trans:
H3 >= 85 => OP_ReadSensor; RESET{ H1 }; goto 17
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 13
H4 >= 200 => OP_AdjustValve; RESET{ H1 }; goto 9
true => AP_0; RESET{ H1 H2 }; goto 18
state: 14
invar: H2 <= 12 AND H5 <= 10250 AND H4 <= 300
trans:
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 18
H4 >= 200 => OP_AdjustValve; RESET{ H1 }; goto 19
H2 >= 10 => PF_0; RESET{ H1 }; goto 20
state: 15
invar: H2 <= 53 AND H3 <= 90 AND H5 <= 10250
trans:
H3 >= 85 => OP_ReadSensor; RESET{ H1 }; goto 21
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 16
H2 >= 43 => PA_0_0_0; RESET{ H1 }; goto 22
state: 16
invar: H1 <= 0 AND H5 <= 10250
trans:
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 22
true => RCV_0_0_0; RESET{ H1 H4 }; goto 23
state: 17
invar: H1 <= 0 AND H1 <= 0 AND H5 <= 10250 AND H4 <= 300
trans:
true => SND_0_0_0; RESET{ H1 }; goto 23
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 13
H4 >= 200 => OP_AdjustValve; RESET{ H1 }; goto 12
A. Flow Regulator TA 
true => AP_0; RESET{ H1 H2 }; goto 24
state: 18
invar: H2 <= 12 AND H3 <= 90 AND H5 <= 10250 AND H4 <= 300
trans:
H3 >= 85 => OP_ReadSensor; RESET{ H1 }; goto 24
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 18
H4 >= 200 => OP_AdjustValve; RESET{ H1 }; goto 25
H2 >= 10 => PF_0; RESET{ H1 }; goto 26
state: 19
invar: H2 <= 12 AND H5 <= 10250
trans:
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 25
H2 >= 10 => PF_0; RESET{ H1 }; goto 27
state: 20
invar: H5 <= 10250 AND H4 <= 300
trans:
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 25
H4 >= 200 => OP_AdjustValve; RESET{ H1 }; goto 27
state: 21
invar: H2 <= 63 AND H1 <= 0 AND H5 <= 10250
trans:
true => SND_0_0_0; RESET{ H1 }; goto 11
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 15
H2 >= 43 => PA_0_0_0; RESET{ H1 }; goto 28
state: 22
invar: H1 <= 0 AND H3 <= 90 AND H5 <= 10250
trans:
H3 >= 85 => OP_ReadSensor; RESET{ H1 }; goto 28
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 22
true => RCV_0_0_0; RESET{ H1 H4 }; goto 29
state: 23
invar: H1 <= 0 AND H5 <= 10250 AND H4 <= 300
trans:
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 29
H4 >= 200 => OP_AdjustValve; RESET{ H1 }; goto 16
true => AP_0; RESET{ H1 H2 }; goto 30
state: 24
invar: H2 <= 12 AND H1 <= 0 AND H5 <= 10250 AND H4 <= 300
trans:
true => SND_0_0_0; RESET{ H1 }; goto 30
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 18
H4 >= 200 => OP_AdjustValve; RESET{ H1 }; goto 31
H2 >= 10 => PF_0; RESET{ H1 }; goto 32
state: 25
invar: H2 <= 12 AND H3 <= 90 AND H5 <= 10250
trans:
H3 >= 85 => OP_ReadSensor; RESET{ H1 }; goto 31
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 25
H2 >= 10 => PF_0; RESET{ H1 }; goto 0
state: 26
invar: H3 <= 90 AND H5 <= 10250 AND H4 <= 300
trans:
H3 >= 85 => OP_ReadSensor; RESET{ H1 }; goto 32
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 26
H4 >= 200 => OP_AdjustValve; RESET{ H1 }; goto 0
state: 27
invar: H5 <= 10250
trans:
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 0
state: 28
invar: H1 <= 0 AND H1 <= 0 AND H5 <= 10250
trans:
true => SND_0_0_0; RESET{ H1 }; goto 16
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 22
true => RCV_0_0_0; RESET{ H1 H4 }; goto 33
state: 29
invar: H1 <= 0 AND H3 <= 90 AND H5 <= 10250 AND H4 <= 300
trans:
H3 >= 85 => OP_ReadSensor; RESET{ H1 }; goto 33
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 29
H4 >= 200 => OP_AdjustValve; RESET{ H1 }; goto 22
true => AP_0; RESET{ H1 H2 }; goto 34
state: 30
invar: H2 <= 12 AND H5 <= 10250 AND H4 <= 300
trans:
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 34
H4 >= 200 => OP_AdjustValve; RESET{ H1 }; goto 35
H2 >= 10 => PF_0; RESET{ H1 }; goto 36
state: 31
invar: H2 <= 12 AND H1 <= 0 AND H5 <= 10250
trans:
true => SND_0_0_0; RESET{ H1 }; goto 35
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 25
H2 >= 10 => PF_0; RESET{ H1 }; goto 1
state: 32
invar: H1 <= 0 AND H5 <= 10250 AND H4 <= 300
trans:
true => SND_0_0_0; RESET{ H1 }; goto 36
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 26
H4 >= 200 => OP_AdjustValve; RESET{ H1 }; goto 1
state: 33
invar: H1 <= 0 AND H1 <= 0 AND H5 <= 10250 AND H4 <= 300
trans:
true => SND_0_0_0; RESET{ H1 }; goto 23
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 29
H4 >= 200 => OP_AdjustValve; RESET{ H1 }; goto 28
true => AP_0; RESET{ H1 H2 }; goto 37
state: 34
invar: H2 <= 12 AND H3 <= 90 AND H5 <= 10250 AND H4 <= 300
trans:
H3 >= 85 => OP_ReadSensor; RESET{ H1 }; goto 37
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 34
H4 >= 200 => OP_AdjustValve; RESET{ H1 }; goto 38
H2 >= 10 => PF_0; RESET{ H1 }; goto 39
state: 35
invar: H2 <= 12 AND H5 <= 10250
trans:
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 38
H2 >= 10 => PF_0; RESET{ H1 }; goto 2
state: 36
invar: H1 <= 0 AND H5 <= 10250 AND H4 <= 300
trans:
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 39
H4 >= 200 => OP_AdjustValve; RESET{ H1 }; goto 2
true => FP_0_0_0; RESET{ H1 H2 }; goto 40
state: 37
invar: H2 <= 12 AND H1 <= 0 AND H5 <= 10250 AND H4 <= 300
trans:
true => SND_0_0_0; RESET{ H1 }; goto 30
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 34
H4 >= 200 => OP_AdjustValve; RESET{ H1 }; goto 41
H2 >= 10 => PF_0; RESET{ H1 }; goto 42
state: 38
invar: H2 <= 12 AND H3 <= 90 AND H5 <= 10250
trans:
H3 >= 85 => OP_ReadSensor; RESET{ H1 }; goto 41
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 38
H2 >= 10 => PF_0; RESET{ H1 }; goto 3
state: 39
invar: H1 <= 0 AND H3 <= 90 AND H5 <= 10250 AND H4 <= 300
trans:
H3 >= 85 => OP_ReadSensor; RESET{ H1 }; goto 42
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 39
H4 >= 200 => OP_AdjustValve; RESET{ H1 }; goto 3
true => FP_0_0_0; RESET{ H1 H2 }; goto 43
state: 40
invar: H2 <= 53 AND H5 <= 10250 AND H4 <= 300
trans:
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 43
H4 >= 200 => OP_AdjustValve; RESET{ H1 }; goto 4
H2 >= 43 => PA_0_0_0; RESET{ H1 }; goto 10
state: 41
invar: H2 <= 12 AND H1 <= 0 AND H5 <= 10250
trans:
true => SND_0_0_0; RESET{ H1 }; goto 35
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 38
H2 >= 10 => PF_0; RESET{ H1 }; goto 5
state: 42
invar: H1 <= 0 AND H1 <= 0 AND H5 <= 10250 AND H4 <= 300
trans:
true => SND_0_0_0; RESET{ H1 }; goto 36
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 39
H4 >= 200 => OP_AdjustValve; RESET{ H1 }; goto 5
true => FP_0_0_0; RESET{ H1 H2 }; goto 44
state: 43
invar: H2 <= 63 AND H3 <= 90 AND H5 <= 10250 AND H4 <= 300
trans:
H3 >= 85 => OP_ReadSensor; RESET{ H1 }; goto 44
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 43
H4 >= 200 => OP_AdjustValve; RESET{ H1 }; goto 6
H2 >= 43 => PA_0_0_0; RESET{ H1 }; goto 13
state: 44
invar: H2 <= 63 AND H1 <= 0 AND H5 <= 10250 AND H4 <= 300
trans:
true => SND_0_0_0; RESET{ H1 }; goto 45
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 43
H4 >= 200 => OP_AdjustValve; RESET{ H1 }; goto
H2 >= 43 => PA_0_0_0; RESET{ H1 }; goto 17
state: 45
invar: H2 <= 63 AND H5 <= 10250 AND H4 <= 300
trans:
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 46
H4 >= 200 => OP_AdjustValve; RESET{ H1 }; goto 11
H2 >= 43 => PA_0_0_0; RESET{ H1 }; goto 23
state: 46
invar: H2 <= 63 AND H3 <= 90 AND H5 <= 10250 AND H4 <= 300
trans:
H3 >= 85 => OP_ReadSensor; RESET{ H1 }; goto 47
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 46
H4 >= 200 => OP_AdjustValve; RESET{ H1 }; goto 16
H2 >= 43 => PA_0_0_0; RESET{ H1 }; goto 29
state: 47
invar: H2 <= 63 AND H1 <= 0 AND H5 <= 10250 AND H4 <= 300
trans:
true => SND_0_0_0; RESET{ H1 }; goto 45
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 46
H4 >= 200 => OP_AdjustValve; RESET{ H1 }; goto 21
H2 >= 43 => PA_0_0_0; RESET{ H1 }; goto 33
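The listing above is the tool-generated timed automaton in its textual form. As an added example that is not part of the thesis or its tools, the following Python parses that state/invar/trans format and runs the consistency checks one would want before trusting such a listing: every goto target must be a declared state, every guard must be satisfiable under its source invariant, every edge must reset the urgent clock, and an edge must not lead into a location whose invariant bounds an un-reset clock more tightly than the source did (the situation Lemma B.3 rules out for reset clocks). The fragment it reads is constructed from the listing's own values, with three defects injected into a made-up variant of state 31; it assumes H1 is the urgent clock, since every RESET in the listing includes it.

```python
import re

# Constructed sample in the listing's own format. State 31 is a deliberately
# defective variant: an unsatisfiable guard, a RESET without H1, a missing
# target and an invariant on H5 tighter than the state that leads into it.
SAMPLE = """
state: 19
invar: H2 <= 12 AND H5 <= 10250
trans:
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 25
H2 >= 10 => PF_0; RESET{ H1 }; goto 27
state: 25
invar: H2 <= 12 AND H3 <= 90 AND H5 <= 10250
trans:
H3 >= 85 => OP_ReadSensor; RESET{ H1 }; goto 31
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 25
H2 >= 10 => PF_0; RESET{ H1 }; goto 27
state: 26
invar: H3 <= 90 AND H5 <= 10250
trans:
H3 >= 85 => OP_ReadSensor; RESET{ H1 }; goto 27
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 26
state: 27
invar: H5 <= 10250
trans:
H5 >= 10000 => OP_PERIOD; RESET{ H1 H3 H5 }; goto 26
state: 31
invar: H2 <= 12 AND H1 <= 0 AND H5 <= 10000
trans:
true => SND_0_0_0; RESET{ H1 }; goto 27
H2 >= 95 => PF_0; RESET{ H3 }; goto 99
"""

STATE_RE = re.compile(r'^state:\s*(\d+)$')
INVAR_RE = re.compile(r'^invar:\s*(.*)$')
TRANS_RE = re.compile(
    r'^(true|H\d+ >= \d+) => (\w+); RESET\{([^}]*)\}; goto (\d*)$')
URGENT = 'H1'   # assumption: H1 plays the role of the urgent clock h_u


def parse_listing(text):
    """Return {state: (invar, edges)} where invar maps a clock to its upper
    bound and each edge is (guard, action, resets, target); guard is
    (clock, lower_bound) or None for 'true'.  An empty target (as in the
    illegible 'goto' lines of the scanned listing) is kept as ''."""
    states, cur = {}, None
    for raw in text.strip().splitlines():
        line = raw.strip()
        if m := STATE_RE.match(line):
            cur = m.group(1)
            states[cur] = ({}, [])
        elif m := INVAR_RE.match(line):
            for conj in m.group(1).split(' AND '):
                clock, bound = conj.split(' <= ')
                states[cur][0][clock] = int(bound)
        elif line == 'trans:':
            continue
        elif m := TRANS_RE.match(line):
            g, action, resets, target = m.groups()
            guard = None
            if g != 'true':
                clock, low = g.split(' >= ')
                guard = (clock, int(low))
            states[cur][1].append((guard, action, set(resets.split()), target))
        else:
            raise ValueError(f'unrecognised line: {raw!r}')
    return states


def check_listing(states):
    """Return (state, action, kind) findings for the four checks described."""
    findings = []
    for s, (invar, edges) in states.items():
        for guard, action, resets, target in edges:
            if target not in states:
                findings.append((s, action, 'dangling'))
            # A guard Hk >= c can never hold while the invariant keeps Hk <= d < c.
            if guard and guard[0] in invar and guard[1] > invar[guard[0]]:
                findings.append((s, action, 'unsat_guard'))
            if URGENT not in resets:
                findings.append((s, action, 'no_urgent_reset'))
            # TA.1 needs v[H := 0] to satisfy the target invariant: a clock that
            # is not reset may carry any value up to its source bound.
            for clock, bound in states.get(target, ({}, []))[0].items():
                if clock not in resets and invar.get(clock, float('inf')) > bound:
                    findings.append((s, action, 'tighter_target'))
    return findings


if __name__ == '__main__':
    for finding in check_listing(parse_listing(SAMPLE)):
        print('state %s, edge %s: %s' % finding)
```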
B. PROOFS 
B.1 Correctness of the translation 
This section is concerned with demonstrating the correctness of the translation 
of bCANDLE system models to timed automata. Its purpose is to prove the 
validity of Proposition 4.2, which we state again here. 
Proposition B.1 Let $\hat{B} \in \widehat{bCAN}$ be a clocked bCANDLE system and $B \mathrel{\hat{=}} unclk(\hat{B})$ the corresponding unclocked system. Let $\mathcal{G}(\hat{B})$ be the TA given by Definition 4.15. Then, the transition systems of $\mathcal{G}(\hat{B})$ and $B$ are strongly equivalent:
$$\mathcal{T}[\![\mathcal{G}(\hat{B})]\!] \leftrightarrow \mathcal{T}[\![B]\!]$$
The proof of the proposition depends upon demonstrating the existence of a strong bisimulation relation between $\mathcal{T}[\![\mathcal{G}(\hat{B})]\!]$ and $\mathcal{T}[\![B]\!]$. A number of auxiliary definitions and lemmas are required.
Firstly, we define the set of states which can occur in the transition system of a clocked bCANDLE system, where it is required that in any such state $(\hat{B}, v)$, the clock valuation $v$ satisfies the location invariant $I(\hat{B})$.

Definition B.1 Let $\mathcal{H}$ be a set of clock variables and $\hat{B} \in \widehat{bCAN}$ a clocked bCANDLE system whose clocks are taken from the set $\mathcal{H}$, i.e. $clk(\hat{B}) \subseteq \mathcal{H}$. It is assumed that $\mathcal{H}$ also contains the distinguished urgent clock $h_u$, i.e. $h_u \in \mathcal{H} \setminus clk(\hat{B})$. We denote by $\Sigma_{\widehat{bCAN},\mathcal{H}}$ the states of the transition system of the TA for $\hat{B}$, i.e.
$$\Sigma_{\widehat{bCAN},\mathcal{H}} \mathrel{\hat{=}} \{(\hat{B}, v) \mid \hat{B} \in \widehat{bCAN} \wedge v \in \mathbb{R}^{\mathcal{H}} \wedge v \models I(\hat{B})\}$$ □
Now, a clocked bCANDLE system $\hat{B}$ is related to an equivalent bCANDLE system $B$ by the notion of aging:

Definition B.2 (Aging) Let $\mathcal{H}$ be a set of clock variables. Let $\hat{B} \in \widehat{bCAN}$ be a clocked bCANDLE system where $clk(\hat{B}) \subseteq \mathcal{H}$. Then, $age : \Sigma_{\widehat{bCAN},\mathcal{H}} \to bCAN$ is a function giving an aged bCANDLE system, where
$$age((\hat{P}, \hat{N}, D), v) \mathrel{\hat{=}} (age(\hat{P}, v), age(\hat{N}, v), D).$$

The function $age : \widehat{Proc} \times \mathbb{R}^{\mathcal{H}} \to Proc$ is defined by
$$\begin{array}{rcl}
age(k!i.x, v) & = & k!i.x \\
age(k?i.x, v) & = & k?i.x \\
age([w : t_1, t_2]^h, v) & = & [w : t_1 \dot{-} v(h),\ t_2 \dot{-} v(h)] \\
age(\gamma \to \hat{P}, v) & = & \gamma \to unclk(\hat{P}) \\
age(\hat{P} ; \hat{Q}, v) & = & age(\hat{P}, v) ; unclk(\hat{Q}) \\
age(\hat{P} \bowtie \hat{Q}, v) & = & age(\hat{P}, v) \bowtie age(\hat{Q}, v), \qquad \bowtie \in \{+, \triangleright, |\} \\
age(rec\,X.\hat{P}, v) & = & age(\hat{P}[rec\,X.\hat{P} / X], v)
\end{array}$$

As usual, we rely on the fact that $\hat{P}$ is guarded to ensure that $age(\hat{P}, v)$ is well-defined.

The function $age : \widehat{Network}_K \times \mathbb{R}^{\mathcal{H}} \to Network_K$ is defined by
$$age(\hat{N}, v) \mathrel{\hat{=}} \{k \mapsto age(\hat{N}_k, v) \mid k \in K\}$$
where
$$\begin{array}{rcl}
age((\bot, u)^h, v) & = & (\bot, u) \\
age((\overset{t_1,\,t_2}{\rightsquigarrow} m, u)^h, v) & = & (\overset{t_1 \dot{-} v(h),\ t_2 \dot{-} v(h)}{\rightsquigarrow} m, u) \\
age((\uparrow\! m, u)^h, v) & = & (\uparrow\! m, u) \\
age((m \overset{t_1,\,t_2}{\rightsquigarrow}, u)^h, v) & = & (m \overset{t_1 \dot{-} v(h),\ t_2 \dot{-} v(h)}{\rightsquigarrow}, u)
\end{array}$$ □
The main proof makes use of the standard technique of demonstrating a strong bisimulation up to $\leftrightarrow$. It is necessary to adapt the usual notion of strong bisimulation up to $\leftrightarrow$ to $\approx$-bisimulation.

Definition B.3 (Strong bisimulation up to $\leftrightarrow$) Let $S = (\Sigma, \sigma_I, L, \to)$ be a LTS. Let $\approx$ be an equivalence relation on $\Sigma$. A binary relation $R \subseteq \Sigma \times \Sigma$ is a strong $\approx$-bisimulation up to $\leftrightarrow$ if $\sigma_1 R \sigma_2$ implies

1. $\sigma_1 \approx \sigma_2$
2. for all $\lambda \in L$, if $\sigma_1 \xrightarrow{\lambda} \sigma_1'$, then $\sigma_2 \xrightarrow{\lambda} \sigma_2'$ for some $\sigma_2'$ such that $\sigma_1' \leftrightarrow R \leftrightarrow \sigma_2'$
3. for all $\lambda \in L$, if $\sigma_2 \xrightarrow{\lambda} \sigma_2'$, then $\sigma_1 \xrightarrow{\lambda} \sigma_1'$ for some $\sigma_1'$ such that $\sigma_1' \leftrightarrow R \leftrightarrow \sigma_2'$ □

Proposition B.2 If $R$ is a strong $\approx$-bisimulation up to $\leftrightarrow$, then $\leftrightarrow R \leftrightarrow$ is a strong $\approx$-bisimulation.

Proof As the proof of Lemma 4.5 in Milner [Mil89]. □
In order to apply the notion of strong bisimulation in the context of the main proof, it is necessary to extend $\approx_{ND}$-bisimulation to clocked states and to pairs of clocked and unclocked states. This requires us to revise our definition of context equivalence.

Definition B.4 (Context Equivalence) Let $\sigma_1, \sigma_2 \in bCAN \cup \Sigma_{\widehat{bCAN},\mathcal{H}}$ be either clocked or unclocked bCANDLE system states. We denote by $\sigma_1 \approx_{ND} \sigma_2$ that $\sigma_1$ is context equivalent to $\sigma_2$, and define $\approx_{ND} \subseteq (bCAN \cup \Sigma_{\widehat{bCAN},\mathcal{H}}) \times (bCAN \cup \Sigma_{\widehat{bCAN},\mathcal{H}})$ by requiring that $\sigma_1 \approx_{ND} \sigma_2$ iff one of the following conditions is satisfied:

1. $\sigma_1 = (P_1, N_1, D_1) \in bCAN$, $\sigma_2 = (P_2, N_2, D_2) \in bCAN$, $N_1 = N_2$ and $D_1 = D_2$
2. $\sigma_1 = (P, N, D) \in bCAN$, $\sigma_2 = ((\hat{P}, \hat{N}, \hat{D}), v) \in \Sigma_{\widehat{bCAN},\mathcal{H}}$, $N = age(\hat{N}, v)$ and $D = \hat{D}$
3. as (2) with the roles of $\sigma_1$ and $\sigma_2$ reversed
4. $\sigma_1 = ((\hat{P}_1, \hat{N}_1, \hat{D}_1), v_1) \in \Sigma_{\widehat{bCAN},\mathcal{H}}$, $\sigma_2 = ((\hat{P}_2, \hat{N}_2, \hat{D}_2), v_2) \in \Sigma_{\widehat{bCAN},\mathcal{H}}$, $age(\hat{N}_1, v_1) = age(\hat{N}_2, v_2)$ and $\hat{D}_1 = \hat{D}_2$. □

Proposition B.3 $\approx_{ND}$ is an equivalence relation.

Proof Immediate from Definition B.4. □

Strong equivalence of both clocked and unclocked bCANDLE states is defined simply as $\approx_{ND}$-bisimilarity, and related definitions are obtained in the obvious way.

Remark B.1 Notice that Propositions 3.9 and 3.10 are valid when extended to clocked systems, i.e. $\leftrightarrow$ is a congruence for the operators of $\widehat{Proc}$ and the equational laws are sound for $\widehat{bCAN}$.

Now, we turn our attention to addressing a technical point concerning the use of $\surd$. We wish to obtain a compositional proof and to avoid the need to reason about the persistence of systems. In order to achieve this, it is convenient to treat $\surd$ as a (distinguished) process term and to introduce locations $(\surd, \hat{N}, D)$ corresponding to systems $(\surd, N, D)$. We silently extend $bCAN$ and $\widehat{bCAN}$ to contain these additional systems. The definition of $age$ is extended by $age(\surd, v) \mathrel{\hat{=}} \surd$, and the invariant function $I$ by $I(\surd, \hat{N}, D) \mathrel{\hat{=}} h_u \le 0 \wedge I(\hat{N})$. Now, as currently defined, a system $(\surd, N, D)$ has no transitions. But if a clock valuation $v$ satisfies $I(\surd, \hat{N}, D)$, then $((\surd, \hat{N}, D), v) \xrightarrow{0} ((\surd, \hat{N}, D), v)$. To resolve this discrepancy, we assume that the semantics of bCANDLE is extended with a rule
$$(\surd, N, D) \xrightarrow{0} (\surd, N, D)$$
Now it is clear that $((\surd, \hat{N}, D), v[h_u := 0])$ is strongly bisimilar to $age((\surd, \hat{N}, D), v[h_u := 0])$, each state having only a 0-transition to itself.

The following proposition asserts that $\surd$ really is a distinguished process term.

Proposition B.4 For any bCANDLE system $(P, N, D) \in bCAN$, if $(P, N, D) \leftrightarrow (\surd, N, D)$, then $P = \surd$.

Proof A standard induction. Intuitively, we can see from the semantics that $\surd$ is the only process which does not allow either the immediate execution of some discrete action or the passage of time by some strictly positive amount. □
We now introduce several lemmas which will be useful in the main proof. Each lemma is introduced by a few words of informal explanation.

The first two lemmas simply assert that network behaviour is both independently determined and non-intrusive in both clocked and unclocked systems. Network behaviour is independently determined in the sense that each new network state is uniquely determined by a current network state and a network action, irrespective of the system context. It is non-intrusive in that the process and data components of a system state are unchanged by network transitions.
Lemma B.1 Let $(P_1, N, D_1)$, $(P_1', N', D_1')$, $(P_2, N, D_2)$ and $(P_2', N'', D_2')$ be bCANDLE system states in $bCAN$. Let $\lambda \in A_n \cup \mathbb{R}$ be a network transition label. Then, if
$$(P_1, N, D_1) \xrightarrow{\lambda} (P_1', N', D_1') \quad \text{and} \quad (P_2, N, D_2) \xrightarrow{\lambda} (P_2', N'', D_2')$$
we have

1. the new network state is uniquely determined, i.e. $N' = N''$, and
2. the data component is unchanged, i.e. $D_1 = D_1'$.

Additionally, for $\lambda \in A_n$, we have

3. the process component is unchanged, i.e. $P_1 = P_1'$.

Proof It is clear from the network rules (Definition 3.15) that a new network state is uniquely determined by the current state and the network action. When included in a system context, the rules for basic systems and data-guarded systems show that the new network state is unaffected by the process and data components, which are themselves unchanged by the network transition in the case of a network action (only the data component being unchanged in the case of a strictly positive delay action). This property is preserved by all the process operators (Definition 3.25). □
Lemma B.2 Let $\hat{B} \in \widehat{bCAN}$ be a clocked bCANDLE system and $\mathcal{G}(\hat{B}) = (Q, q_I, \mathcal{H}, \mathcal{E}, I)$ its corresponding TA. Let $(\hat{P}_1, \hat{N}, D_1)$, $(\hat{P}_1', \hat{N}', D_1')$, $(\hat{P}_2, \hat{N}, D_2)$ and $(\hat{P}_2', \hat{N}'', D_2')$ be locations in $Q$. Let $\lambda_n \in A_n$ be a network action label. Then, if $\mathcal{E}$ contains edges
$$(\hat{P}_1, \hat{N}, D_1) \xrightarrow{\psi_1,\ \lambda_n,\ H_1} (\hat{P}_1', \hat{N}', D_1') \quad \text{and} \quad (\hat{P}_2, \hat{N}, D_2) \xrightarrow{\psi_2,\ \lambda_n,\ H_2} (\hat{P}_2', \hat{N}'', D_2')$$
we have

1. the new network state is uniquely determined, i.e. $\hat{N}' = \hat{N}''$,
2. the process and data components are unchanged, i.e. $\hat{P}_1 = \hat{P}_1'$ and $D_1 = D_1'$, and
3. the clock guards and reset sets are identical, i.e. $\psi_1 = \psi_2$ and $H_1 = H_2$.

Proof Similar to Lemma B.1, using Definition 4.15. □
The next three lemmas are concerned with the effect of clock resets on the satisfaction of location invariants.

If a clock valuation satisfies a location invariant, then any clock valuation derived from it by resetting some clocks also satisfies the location invariant.

Lemma B.3 Let $\mathcal{H}$ be a set of clock variables, $H \subseteq \mathcal{H}$ and $v \in \mathbb{R}^{\mathcal{H}}$ a $\mathcal{H}$-valuation. Let $\hat{B} \in \widehat{bCAN}$ be a clocked bCANDLE system, where $clk(\hat{B}) \subseteq \mathcal{H}$. If $v \models I(\hat{B})$, then $v[H := 0] \models I(\hat{B})$.

Proof Induction on the number of steps in the expansion of $I(\hat{B})$, using Definition 4.16. □

If a clock valuation satisfies the invariant of a process term in some data environment, then any clock valuation derived from it by resetting some clocks satisfies the invariant in any compatible data environment, provided the urgent clock $h_u$ is reset.

Lemma B.4 Let $\mathcal{H}$ be a set of clock variables and $v \in \mathbb{R}^{\mathcal{H}}$ a $\mathcal{H}$-valuation. Let $\hat{P} \in \widehat{Proc}$ be a clocked process term, where $clk(\hat{P}) \subseteq \mathcal{H}$. Let $H \subseteq \mathcal{H}$ with $h_u \in H$. Then, if there is some data environment $D \in DataEnv$ such that $v \models I(\hat{P}, D)$, it is the case that for all $D' \in DataEnv$, such that $D'$ and $D$ are compatible, we have $v[H := 0] \models I(\hat{P}, D')$.

Proof By induction on the number of steps in the expansion of $I(\hat{P}, D)$, using Definition 4.16. □

If the initial clocks of a process term, together with the urgent clock $h_u$, are all reset in some clock valuation, then the resulting clock valuation satisfies the process term invariant.

Lemma B.5 Let $\mathcal{H}$ be a set of clock variables, $v \in \mathbb{R}^{\mathcal{H}}$ a $\mathcal{H}$-valuation and $\hat{P} \in \widehat{Proc}$ a clocked term, where $clk(\hat{P}) \subseteq \mathcal{H}$. Let $H \subseteq \mathcal{H}$. Then, if $iclk(\hat{P}) \cup \{h_u\} \subseteq H$, it is the case that $v[H := 0] \models I(\hat{P}, D)$, in any data environment $D$.

Proof By induction on the number of steps in the expansion of $I(\hat{P}, D)$, using Definitions 4.7 and 4.16. □
The remaining lemmas are concerned with properties of the $age$ function.

Only the values of network clocks can affect the result of aging a network, and only the values of initial clocks can affect the result of aging a process term.

Lemma B.6 Let $\mathcal{H}$ be a set of clock variables and $v, v' \in \mathbb{R}^{\mathcal{H}}$ be $\mathcal{H}$-valuations.

1. Let $\hat{N} \in \widehat{Network}$ be a clocked network. Then,
$$(age(\hat{N}, v) = N \wedge \forall h \in clk(\hat{N})\,.\, v'(h) = v(h)) \Rightarrow age(\hat{N}, v') = N$$
2. Let $\hat{P} \in \widehat{Proc}$ be a clocked process term. Then,
$$(age(\hat{P}, v) = P \wedge \forall h \in iclk(\hat{P})\,.\, v'(h) = v(h)) \Rightarrow age(\hat{P}, v') = P$$

Proof Immediate from Definition B.2 for $\hat{N}$ and by induction on the number of steps in the expansion of $age(\hat{P}, v)$ for $\hat{P}$. □

If the initial clocks of a process term are all reset in some clock valuation, then the aging of the term by that clock valuation produces a term which is equivalent to the corresponding unclocked term.

Lemma B.7 Let $\mathcal{H}$ be a set of clock variables, $v \in \mathbb{R}^{\mathcal{H}}$ a $\mathcal{H}$-valuation and $\hat{P} \in \widehat{Proc}$ a clocked term, where $clk(\hat{P}) \subseteq \mathcal{H}$. Let $H \subseteq \mathcal{H}$. If $iclk(\hat{P}) \subseteq H$, then
$$age(\hat{P}, v[H := 0]) \leftrightarrow unclk(\hat{P}).$$

Proof By induction on the number of steps in the expansion of $age(\hat{P}, v[H := 0])$ using Definitions 4.7, 4.8 and B.2. Intuitively, we can see that for all terms, except those containing terms of the form $rec\,X.\hat{P}$, $age$ and $unclk$ give results which are syntactically identical. In the case of $rec\,X.\hat{P}$, $unclk$ simply removes the clock variables, whereas $age$ unwinds the recursion until there is no leading $rec$, and then removes the clock variables. In either case, it is clear that the results are equivalent. □

If a clock valuation can be increased by time $t$, while satisfying the invariant of a clocked network, then the corresponding aged network allows the passage of time $t$.

Lemma B.8 Let $\mathcal{H}$ be a set of clock variables. Let $K$ be a finite set of channel identifiers and $\hat{N} \in \widehat{Network}_K$ a network over $K$, where $clk(\hat{N}) \subseteq \mathcal{H}$. Let $v \in \mathbb{R}^{\mathcal{H}}$ be a $\mathcal{H}$-valuation and $t \in \mathbb{R}$. Then,
$$v + t \models I(\hat{N}) \Rightarrow t \le tcp(age(\hat{N}, v))$$

Proof We assume that $v + t \models I(\hat{N})$ and show that $\forall k \in K\,.\, t \le tcp(age(\hat{N}_k, v))$. The result follows directly from Definition 3.12 and N.5. The proof proceeds by case analysis on channel status. We illustrate for the case $\hat{N}_k = (\overset{t_1,\,t_2}{\rightsquigarrow} m, u)^h$.

1. Case: $\hat{N}_k = (\overset{t_1,\,t_2}{\rightsquigarrow} m, u)^h$. By Definition B.2, $age(\hat{N}_k, v) = (\overset{t_1 \dot{-} v(h),\ t_2 \dot{-} v(h)}{\rightsquigarrow} m, u)$. By Definition 3.12, $tcp(\overset{t_1 \dot{-} v(h),\ t_2 \dot{-} v(h)}{\rightsquigarrow} m, u) = t_2 \dot{-} v(h)$. But, if $v + t \models I(\hat{N}_k)$, then $v + t \models (\text{if } t_2 \in \mathbb{N} \text{ then } h \le t_2 \text{ else } tt)$, and
$$\begin{array}{lcl}
t_2 \in \mathbb{N} & \Rightarrow & v + t \models h \le t_2 \\
& \Rightarrow & v(h) + t \le t_2, \text{ by definition of } \models \\
& \Rightarrow & t \le t_2 - v(h) \\
& \Rightarrow & t \le tcp(age(\hat{N}_k, v)) \\
t_2 = \infty & \Rightarrow & t_2 \dot{-} v(h) = \infty \\
& \Rightarrow & t \le tcp(age(\hat{N}_k, v))
\end{array}$$
The other cases are similar. □
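Definition B.2 and Lemmas B.7 and B.8 become concrete in the following added Python (not from the thesis), which encodes clocked process terms and channel states as tuples, implements $age$, $unclk$, substitution and the monus $\dot{-}$, and then checks both lemmas on constructed inputs: aging a recursive term after resetting its initial clocks yields the one-step unwinding of its unclocked form, and an admissible delay $t$ never exceeds $tcp$ of the aged network. The tuple encoding, the reading of $iclk$ as "the clocks that $age$ reads", and the $tcp$ values for free and transmitting channels are assumptions made for this example.

```python
from math import inf

# Term encoding (assumed): ('snd', k, i, x)  ('rcv', k, i, x)  ('tick',)
#   ('comp', w, t1, t2, h)   computation [w : t1, t2]^h, h is None once unclocked
#   ('guard', gamma, P)  ('seq', P, Q)  ('choice'|'int'|'par', P, Q)
#   ('rec', X, P)  ('var', X)
# Channel encoding (assumed): ('free', u, h)  ('pre', t1, t2, m, u, h)
#   ('tx', m, u, h)  ('post', m, t1, t2, u, h); h is None once aged.


def monus(a, b):
    """t -. x: truncated subtraction; an infinite bound stays infinite."""
    return inf if a == inf else max(a - b, 0)


def subst(P, X, R):
    """P[R / X], not descending into a nested rec that rebinds X."""
    tag = P[0]
    if tag == 'var':
        return R if P[1] == X else P
    if tag == 'rec':
        return P if P[1] == X else ('rec', P[1], subst(P[2], X, R))
    if tag == 'guard':
        return ('guard', P[1], subst(P[2], X, R))
    if tag in ('seq', 'choice', 'int', 'par'):
        return (tag, subst(P[1], X, R), subst(P[2], X, R))
    return P  # snd, rcv, comp, tick carry no process variables


def unclk(P):
    """Drop clock annotations everywhere: [w:t1,t2]^h becomes [w:t1,t2]."""
    tag = P[0]
    if tag == 'comp':
        return ('comp', P[1], P[2], P[3], None)
    if tag in ('guard', 'rec'):
        return (tag, P[1], unclk(P[2]))
    if tag in ('seq', 'choice', 'int', 'par'):
        return (tag, unclk(P[1]), unclk(P[2]))
    return P


def age(P, v):
    """Definition B.2 for process terms, v being a clock valuation dict."""
    tag = P[0]
    if tag == 'comp':                    # [w : t1 -. v(h), t2 -. v(h)]
        _, w, t1, t2, h = P
        return ('comp', w, monus(t1, v[h]), monus(t2, v[h]), None)
    if tag == 'guard':                   # gamma -> unclk(P)
        return ('guard', P[1], unclk(P[2]))
    if tag == 'seq':                     # age(P, v) ; unclk(Q)
        return ('seq', age(P[1], v), unclk(P[2]))
    if tag in ('choice', 'int', 'par'):  # age(P, v) |><| age(Q, v)
        return (tag, age(P[1], v), age(P[2], v))
    if tag == 'rec':                     # unwind once; guardedness ends this
        return age(subst(P[2], P[1], P), v)
    return P                             # k!i.x, k?i.x, tick are unchanged


def iclk(P):
    """Initial clocks, taken here to be exactly the clocks age reads."""
    tag = P[0]
    if tag == 'comp':
        return {P[4]}
    if tag == 'seq':
        return iclk(P[1])
    if tag in ('choice', 'int', 'par'):
        return iclk(P[1]) | iclk(P[2])
    if tag == 'rec':
        return iclk(P[2])
    return set()


def reset(v, H):
    """v[H := 0]."""
    return {h: (0 if h in H else x) for h, x in v.items()}


def age_channel(c, v):
    """Definition B.2 for one channel: only pre/post transmit carry bounds."""
    if c[0] == 'pre':
        _, t1, t2, m, u, h = c
        return ('pre', monus(t1, v[h]), monus(t2, v[h]), m, u, None)
    if c[0] == 'post':
        _, m, t1, t2, u, h = c
        return ('post', m, monus(t1, v[h]), monus(t2, v[h]), u, None)
    return c[:-1] + (None,)


def tcp_channel(c):
    """Time that can pass: t2 for pre/post (Def 3.12); assumed unbounded otherwise."""
    if c[0] == 'pre':
        return c[2]
    if c[0] == 'post':
        return c[3]
    return inf


def sat_invariant(c, v):
    """I(N_k) as used in Lemma B.8: if t2 is finite then h <= t2 else tt."""
    if c[0] == 'pre':
        t2, h = c[2], c[5]
    elif c[0] == 'post':
        t2, h = c[3], c[5]
    else:
        return True
    return t2 == inf or v[h] <= t2


def delay_respects_tcp(net, v, t):
    """Lemma B.8: if v + t |= I(N) then t <= tcp(age(N, v)); None if not admissible."""
    vt = {h: x + t for h, x in v.items()}
    if not all(sat_invariant(c, vt) for c in net.values()):
        return None
    return all(t <= tcp_channel(age_channel(c, v)) for c in net.values())
```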
Main Proof

It is now possible to state the proof of Proposition B.1.

Let $\mathcal{T}[\![\mathcal{G}(\hat{B})]\!] = (\Sigma_1, \sigma_I^1, L_1, \to_1)$ and $\mathcal{T}[\![B]\!] = (\Sigma_2, \sigma_I^2, L_2, \to_2)$. We show that the relation $R$ is a $\approx_{ND}$-bisimulation up to $\leftrightarrow$, where
$$R \mathrel{\hat{=}} \{((\hat{B}, v), age(\hat{B}, v)) \mid (\hat{B}, v) \in \Sigma_{\widehat{bCAN},\mathcal{H}}\}$$
and $\sigma_I^1 \leftrightarrow R \leftrightarrow \sigma_I^2$. The proof of the proposition follows from Remark 4.2 and the transitivity of $\leftrightarrow$.

To show that $R$ is a $\approx_{ND}$-bisimulation up to $\leftrightarrow$, we reason as follows. Let $\hat{\sigma} R \sigma$.

1. It is clear from Definitions B.2, B.4 and the definition of $R$, that $\hat{\sigma} \approx_{ND} \sigma$.

2. It is enough to show that for all $\lambda \in L$, if $\sigma = (P, N, D) \xrightarrow{\lambda} (P', N', D')$, then $\hat{\sigma} = ((\hat{P}, \hat{N}, \hat{D}), v) \xrightarrow{\lambda} ((\hat{P}', \hat{N}', \hat{D}'), v')$, and there exist $\hat{P}'' \leftrightarrow \hat{P}'$ and $P'' \leftrightarrow P'$ such that $((\hat{P}'', \hat{N}', \hat{D}'), v') R (P'', N', D')$. The proof is by induction on the number of steps in the calculation of $age(\hat{\sigma})$. We proceed by case analysis on the structure of $\hat{\sigma}$.

(a) Case: $\hat{\sigma} \equiv ((k!i.x, \hat{N}, \hat{D}), v)$.
So $\sigma \equiv (k!i.x, N, D)$, where $age(\hat{N}, v) = N$ and $\hat{D} = D$. There are three sub-cases to consider:

i. Snd.1: $\lambda = k!i.\nu$, $\sigma' \equiv (\surd, N', D)$, where $N_k = (s, u)$, $\nu = D.x$, and $N' = N[k := (s, u \oplus i.\nu)]$.
In this case, since $age(\hat{N}, v) = N$, then $\hat{N}_k = (\hat{s}, \hat{u})^h$, where $age((\hat{s}, \hat{u})^h, v) = (s, u)$, which implies, by Definition B.2, that $\hat{u} = u$. And, since $\hat{D} = D$, then $\hat{D}.x = \nu$. So by E_Snd.1, there is an edge $(k!i.x, \hat{N}, \hat{D}) \xrightarrow{tt,\ k!i.\nu,\ \{h_u\}} (\surd, \hat{N}', \hat{D})$, where $\hat{N}' = \hat{N}[k := (\hat{s}, u \oplus i.\nu)^h]$. Clearly, $v \models tt$ and, since $v \models I(\hat{N})$, then, by Definition 4.16, $v[h_u := 0] \models I(\hat{N}')$, so by TA.1, there is a transition $((k!i.x, \hat{N}, \hat{D}), v) \xrightarrow{k!i.\nu} ((\surd, \hat{N}', \hat{D}), v[h_u := 0])$. It is easy to see that $age(\hat{N}', v[h_u := 0]) = N'$, and, therefore, $((\surd, \hat{N}', \hat{D}), v[h_u := 0]) R (\surd, N', D)$.

ii. Snd.2: $\lambda \in A_n$, $\sigma' \equiv (k!i.x, N', D)$.
There are four sub-cases to consider: one for each of the ways in which the network transition can be derived.

A. N.1: similar to the following case.

B. N.2: $\lambda = k\!\uparrow\! m$, $N_k = (\overset{0,\,t_2}{\rightsquigarrow} m, u)$, $N' = N[k := (\uparrow\! m, u)]$.
In this case, since $age(\hat{N}, v) = N$, then, by Definition B.2, $\hat{N}_k = (\overset{t_1,\,\hat{t}_2}{\rightsquigarrow} m, u)^h$ and $v(h) \ge t_1$. So by E_Snd.2 and E_N.2, there is an edge $(k!i.x, \hat{N}, \hat{D}) \xrightarrow{h \ge t_1,\ k\uparrow m,\ \{h_u\}} (k!i.x, \hat{N}', \hat{D})$, where $\hat{N}' = \hat{N}[k := (\uparrow\! m, u)^h]$. Clearly, $v \models h \ge t_1$, and $v[h_u := 0] \models I(k!i.x, \hat{N}', \hat{D})$, so by TA.1, there is a transition $((k!i.x, \hat{N}, \hat{D}), v) \xrightarrow{k\uparrow m} ((k!i.x, \hat{N}', \hat{D}), v[h_u := 0])$. Obviously, $((k!i.x, \hat{N}', \hat{D}), v[h_u := 0]) R (k!i.x, N', D)$.

C. N.3: similar to the previous case.

D. N.4: similar to the previous case.

iii. Snd.3: $\lambda = 0$, $\sigma' \equiv (k!i.x, N, D)$.
Since $v \models I(k!i.x, \hat{N}, \hat{D})$, then by TA.2, $((k!i.x, \hat{N}, \hat{D}), v) \xrightarrow{0} ((k!i.x, \hat{N}, \hat{D}), v)$. We already have that $((k!i.x, \hat{N}, \hat{D}), v) R (k!i.x, N, D)$.

(b) Case: $\hat{\sigma} \equiv ((k?i.x, \hat{N}, \hat{D}), v)$: similar to the previous case.

(c) Case: $\hat{\sigma} \equiv (([w : t_1, t_2]^h, \hat{N}, \hat{D}), v)$: similar to the previous case.

(d) Case: $\hat{\sigma} \equiv ((\gamma \to \hat{P}, \hat{N}, \hat{D}), v)$: similar to the following case.

(e) Case: $\hat{\sigma} \equiv ((\hat{P} ; \hat{Q}, \hat{N}, \hat{D}), v)$
So, since $\hat{\sigma} R \sigma$, we have $\sigma \equiv (P ; Q, N, D)$, where $P = age(\hat{P}, v)$, $Q = unclk(\hat{Q})$, $N = age(\hat{N}, v)$, and $D = \hat{D}$. There are two sub-cases to consider:

i. Seq.1: $\lambda \in A_p \cup A_n \cup \mathbb{R}$, $\sigma' \equiv (P' ; Q, N', D')$, $P' \not\equiv \surd$
By Seq.1, $(P, N, D) \xrightarrow{\lambda} (P', N', D')$, where $P' \not\equiv \surd$, and so, by i.h., $((\hat{P}, \hat{N}, \hat{D}), v) \xrightarrow{\lambda} ((\hat{P}', \hat{N}', \hat{D}'), v')$, and there exist $\hat{P}'' \leftrightarrow \hat{P}'$ and $P'' \leftrightarrow P'$ such that $((\hat{P}'', \hat{N}', \hat{D}'), v') R (P'', N', D')$. There are now two sub-cases to consider:

A. $\lambda \in A_p \cup A_n$: so $((\hat{P}, \hat{N}, \hat{D}), v) \xrightarrow{\lambda} ((\hat{P}', \hat{N}', \hat{D}'), v')$ must be derived by TA.1 from an edge $(\hat{P}, \hat{N}, \hat{D}) \xrightarrow{\psi,\ \lambda,\ H} (\hat{P}', \hat{N}', \hat{D}')$, where $v \models \psi$ and $v' = v[H := 0] \models I(\hat{P}', \hat{N}', \hat{D}')$. Now, by E_Seq.1, there must be an edge $(\hat{P} ; \hat{Q}, \hat{N}, \hat{D}) \xrightarrow{\psi,\ \lambda,\ H} (\hat{P}' ; \hat{Q}, \hat{N}', \hat{D}')$. We already have $v \models \psi$ and, since $v[H := 0] \models I(\hat{P}', \hat{N}', \hat{D}')$, we also have $v[H := 0] \models I(\hat{P}' ; \hat{Q}, \hat{N}', \hat{D}')$, by Definition 4.16. So, by TA.1, there is a transition $((\hat{P} ; \hat{Q}, \hat{N}, \hat{D}), v) \xrightarrow{\lambda} ((\hat{P}' ; \hat{Q}, \hat{N}', \hat{D}'), v')$. Since $((\hat{P}'', \hat{N}', \hat{D}'), v') R (P'', N', D')$, and $unclk(\hat{Q}) = Q$, then $((\hat{P}'' ; \hat{Q}, \hat{N}', \hat{D}'), v') R (P'' ; Q, N', D')$. Moreover, $\hat{P}'' ; \hat{Q} \leftrightarrow \hat{P}' ; \hat{Q}$ and $P'' ; Q \leftrightarrow P' ; Q$, as required.

B. $\lambda = t \in \mathbb{R}$:
So $((\hat{P}, \hat{N}, \hat{D}), v) \xrightarrow{t} ((\hat{P}', \hat{N}', \hat{D}'), v')$ must be derived by TA.2 with $(\hat{P}', \hat{N}', \hat{D}') \equiv (\hat{P}, \hat{N}, \hat{D})$, $v' = v + t$, and $\forall t' \in \mathbb{R} \mid t' \le t\,.\, v + t' \models I(\hat{P}, \hat{N}, \hat{D})$. By Definition 4.16 we have $\forall t' \in \mathbb{R} \mid t' \le t\,.\, v + t' \models I(\hat{P} ; \hat{Q}, \hat{N}, \hat{D})$, and so, by TA.2, there is a transition $((\hat{P} ; \hat{Q}, \hat{N}, \hat{D}), v) \xrightarrow{t} ((\hat{P} ; \hat{Q}, \hat{N}, \hat{D}), v')$. From i.h., we have $\hat{P}'' \leftrightarrow \hat{P}'$ and $P'' \leftrightarrow P'$ such that $((\hat{P}'', \hat{N}, \hat{D}), v') R (P'', N', D')$, and so, since $unclk(\hat{Q}) = Q$, we have $((\hat{P}'' ; \hat{Q}, \hat{N}, \hat{D}), v') R (P'' ; Q, N', D')$, where $\hat{P}'' ; \hat{Q} \leftrightarrow \hat{P}' ; \hat{Q}$ and $P'' ; Q \leftrightarrow P' ; Q$.

ii. Seq.2: $\lambda = \lambda_p \in A_p$, $\sigma' \equiv (Q, N', D')$
By Seq.2, $(P, N, D) \xrightarrow{\lambda_p} (\surd, N', D')$, and so, by i.h., $((\hat{P}, \hat{N}, \hat{D}), v) \xrightarrow{\lambda_p} ((\hat{P}', \hat{N}', \hat{D}'), v')$, where there exist $\hat{P}'' \leftrightarrow \hat{P}'$ and $P'' \leftrightarrow \surd$, such that $((\hat{P}'', \hat{N}', \hat{D}'), v') R (P'', N', D')$. But, by definition of $age$ and Proposition B.4, we must therefore have $\hat{P}'' \equiv \hat{P}' \equiv P'' \equiv \surd$.
The transition $((\hat{P}, \hat{N}, \hat{D}), v) \xrightarrow{\lambda_p} ((\surd, \hat{N}', \hat{D}'), v')$ must be derived by TA.1 from an edge $(\hat{P}, \hat{N}, \hat{D}) \xrightarrow{\psi,\ \lambda_p,\ H} (\surd, \hat{N}', \hat{D}')$, where $v \models \psi$ and $v' = v[H := 0] \models I(\surd, \hat{N}', \hat{D}')$. So, by E_Seq.2, there is an edge $(\hat{P} ; \hat{Q}, \hat{N}, \hat{D}) \xrightarrow{\psi,\ \lambda_p,\ H \cup iclk(\hat{Q})} (\hat{Q}, \hat{N}', \hat{D}')$. We already have $v \models \psi$ and, by Lemmas B.3 and B.5, we have $v[H \cup iclk(\hat{Q}) := 0] \models I(\hat{Q}, \hat{N}', \hat{D}')$. So, by TA.1, there is a transition $((\hat{P} ; \hat{Q}, \hat{N}, \hat{D}), v) \xrightarrow{\lambda_p} ((\hat{Q}, \hat{N}', \hat{D}'), v'')$, where $v'' = v[H \cup iclk(\hat{Q}) := 0]$. Since $((\surd, \hat{N}', \hat{D}'), v') R (\surd, N', D')$, then $\hat{D}' = D'$, and, by Lemma B.6, $N' = age(\hat{N}', v'')$. Let $Q' = age(\hat{Q}, v'')$. Clearly, $((\hat{Q}, \hat{N}', \hat{D}'), v'') R (Q', N', D')$. But $Q = unclk(\hat{Q})$, and by Lemma B.7, $unclk(\hat{Q}) \leftrightarrow Q'$, so $Q \leftrightarrow Q'$, as required.
(f) Case: $\hat{\sigma} \equiv ((\hat{P} + \hat{Q}, \hat{N}, \hat{D}), v)$: similar to the following case.

(g) Case: $\hat{\sigma} \equiv ((\hat{P} \triangleright \hat{Q}, \hat{N}, \hat{D}), v)$.
So, since $\hat{\sigma} R \sigma$, we have $\sigma \equiv (P \triangleright Q, N, D)$, where $age(\hat{P}, v) = P$, $age(\hat{Q}, v) = Q$, $age(\hat{N}, v) = N$ and $D = \hat{D}$. There are four sub-cases to consider:

i. Int.1: $\lambda = \lambda_p \in A_p$, $\sigma' \equiv (P' \triangleright Q, N', D')$, $P' \not\equiv \surd$.
By Int.1, $(P, N, D) \xrightarrow{\lambda} (P', N', D')$ and so, by i.h., $((\hat{P}, \hat{N}, \hat{D}), v) \xrightarrow{\lambda} ((\hat{P}', \hat{N}', \hat{D}'), v')$, and there exist $\hat{P}'' \leftrightarrow \hat{P}'$ and $P'' \leftrightarrow P'$ such that $((\hat{P}'', \hat{N}', \hat{D}'), v') R (P'', N', D')$. But this transition must be derived by TA.1 from an edge $(\hat{P}, \hat{N}, \hat{D}) \xrightarrow{\psi,\ \lambda_p,\ H} (\hat{P}', \hat{N}', \hat{D}')$, where $\hat{P}' \not\equiv \surd$, $v \models \psi$ and $v' = v[H := 0] \models I(\hat{P}', \hat{N}', \hat{D}')$. So, by E_Int.1, there is an edge $(\hat{P} \triangleright \hat{Q}, \hat{N}, \hat{D}) \xrightarrow{\psi,\ \lambda_p,\ H} (\hat{P}' \triangleright \hat{Q}, \hat{N}', \hat{D}')$. We already have $v[H := 0] \models I(\hat{P}', \hat{N}', \hat{D}')$ and $v \models I(\hat{Q}, \hat{N}, \hat{D})$. Since the urgent clock $h_u$ is reset by every edge, then, by Lemmas B.3 and B.4, we have $v[H := 0] \models I(\hat{Q}, \hat{D}')$. So, by Definition 4.16, we have $v[H := 0] \models I(\hat{P}' \triangleright \hat{Q}, \hat{N}', \hat{D}')$. Moreover, $v \models \psi$, so by TA.1, there is a transition $((\hat{P} \triangleright \hat{Q}, \hat{N}, \hat{D}), v) \xrightarrow{\lambda_p} ((\hat{P}' \triangleright \hat{Q}, \hat{N}', \hat{D}'), v[H := 0])$.
Since $\hat{P}'' \leftrightarrow \hat{P}'$ and $P'' \leftrightarrow P'$, then $\hat{P}'' \triangleright \hat{Q} \leftrightarrow \hat{P}' \triangleright \hat{Q}$ and $P'' \triangleright Q \leftrightarrow P' \triangleright Q$. To see that $((\hat{P}'' \triangleright \hat{Q}, \hat{N}', \hat{D}'), v[H := 0]) R (P'' \triangleright Q, N', D')$, we reason as follows. By construction of $R$, $P'' = age(\hat{P}'', v[H := 0])$. Furthermore, by safety of clock variable allocation, $H \cap iclk(\hat{Q}) = \emptyset$ so, by Lemma B.6, $Q = age(\hat{Q}, v[H := 0])$ and $N' = age(\hat{N}', v[H := 0])$. The result follows by construction of $R$.

ii. Int.2: similar to previous case.

iii. Int.3: similar to previous case.

iv. Int.4: $\lambda = \lambda_{nt} \in A_n \cup \mathbb{R}$, $\sigma' \equiv (P' \triangleright Q', N', D')$
There are two sub-cases to consider:

A. $\lambda = \lambda_n \in A_n$:
In this case, by Lemma B.1, we have $P' \triangleright Q' \equiv P \triangleright Q$ and $D' = D$. So, by Int.4, $(P, N, D) \xrightarrow{\lambda} (P, N', D)$ and $(Q, N, D) \xrightarrow{\lambda} (Q, N', D)$. Moreover, by i.h. and Lemma B.2, $((\hat{P}, \hat{N}, \hat{D}), v) \xrightarrow{\lambda} ((\hat{P}, \hat{N}', \hat{D}), v')$ and $((\hat{Q}, \hat{N}, \hat{D}), v) \xrightarrow{\lambda} ((\hat{Q}, \hat{N}', \hat{D}), v')$, and there exist $\hat{P}'' \leftrightarrow \hat{P}$, $\hat{Q}'' \leftrightarrow \hat{Q}$, $P'' \leftrightarrow P$ and $Q'' \leftrightarrow Q$ such that $((\hat{P}'', \hat{N}', \hat{D}), v') R (P'', N', D)$ and $((\hat{Q}'', \hat{N}', \hat{D}), v') R (Q'', N', D)$.
But $((\hat{P}, \hat{N}, \hat{D}), v) \xrightarrow{\lambda} ((\hat{P}, \hat{N}', \hat{D}), v')$ must be derived by TA.1 from an edge $(\hat{P}, \hat{N}, \hat{D}) \xrightarrow{\psi,\ \lambda,\ H} (\hat{P}, \hat{N}', \hat{D})$, where $v \models \psi$ and $v' = v[H := 0] \models I(\hat{P}, \hat{N}', \hat{D})$. Similarly for $((\hat{Q}, \hat{N}, \hat{D}), v) \xrightarrow{\lambda} ((\hat{Q}, \hat{N}', \hat{D}), v')$; Lemma B.2 ensures that this edge will have the same clock guard and reset set as the edge for $(\hat{P}, \hat{N}, \hat{D})$. So by E_Int.4, there is an edge $(\hat{P} \triangleright \hat{Q}, \hat{N}, \hat{D}) \xrightarrow{\psi,\ \lambda_n,\ H} (\hat{P} \triangleright \hat{Q}, \hat{N}', \hat{D})$, and, since $v \models \psi$ and $v' \models I(\hat{P} \triangleright \hat{Q}, \hat{N}', \hat{D})$, there is a transition $((\hat{P} \triangleright \hat{Q}, \hat{N}, \hat{D}), v) \xrightarrow{\lambda} ((\hat{P} \triangleright \hat{Q}, \hat{N}', \hat{D}), v')$. Clearly, by i.h. and Definition B.2, $((\hat{P}'' \triangleright \hat{Q}'', \hat{N}', \hat{D}), v') R (P'' \triangleright Q'', N', D)$, where $\hat{P}'' \triangleright \hat{Q}'' \leftrightarrow \hat{P} \triangleright \hat{Q}$ and $P'' \triangleright Q'' \leftrightarrow P \triangleright Q$.

B. $\lambda = t \in \mathbb{R}$:
In this case, by Lemma B.1, we have $D' = D$. So, by Int.4, $(P, N, D) \xrightarrow{t} (P', N', D)$ and $(Q, N, D) \xrightarrow{t} (Q', N', D)$. Moreover, by i.h., $((\hat{P}, \hat{N}, \hat{D}), v) \xrightarrow{t} ((\hat{P}', \hat{N}', \hat{D}'), v')$ and $((\hat{Q}, \hat{N}, \hat{D}), v) \xrightarrow{t} ((\hat{Q}', \hat{N}'', \hat{D}''), v'')$, and there exist $\hat{P}'' \leftrightarrow \hat{P}'$, $\hat{Q}'' \leftrightarrow \hat{Q}'$, $P'' \leftrightarrow P'$ and $Q'' \leftrightarrow Q'$ such that $((\hat{P}'', \hat{N}', \hat{D}'), v') R (P'', N', D)$ and $((\hat{Q}'', \hat{N}'', \hat{D}''), v'') R (Q'', N', D)$. But $((\hat{P}, \hat{N}, \hat{D}), v) \xrightarrow{t} ((\hat{P}', \hat{N}', \hat{D}'), v')$ must be derived by TA.2, where $(\hat{P}', \hat{N}', \hat{D}') \equiv (\hat{P}, \hat{N}, \hat{D})$, $v' = v + t$ and $\forall t' \in \mathbb{R} \mid t' \le t\,.\, v + t' \models I(\hat{P}, \hat{N}, \hat{D})$. Similarly for $\hat{Q}$. So, from Definition 4.16, it is clear that $\forall t' \in \mathbb{R} \mid t' \le t\,.\, v + t' \models I(\hat{P} \triangleright \hat{Q}, \hat{N}, \hat{D})$, and, therefore, by TA.2, $((\hat{P} \triangleright \hat{Q}, \hat{N}, \hat{D}), v) \xrightarrow{t} ((\hat{P} \triangleright \hat{Q}, \hat{N}, \hat{D}), v + t)$. By i.h. and construction of $R$, $((\hat{P}'' \triangleright \hat{Q}'', \hat{N}, \hat{D}), v + t) R (P'' \triangleright Q'', N', D)$, where $\hat{P}'' \triangleright \hat{Q}'' \leftrightarrow \hat{P} \triangleright \hat{Q}$ and $P'' \triangleright Q'' \leftrightarrow P' \triangleright Q'$.

(h) Case: $\hat{\sigma} \equiv ((\hat{P} \mid \hat{Q}, \hat{N}, \hat{D}), v)$: similar to the previous case.

(i) Case: $\hat{\sigma} \equiv ((rec\,X.\hat{P}_1, \hat{N}, \hat{D}), v)$
So, since $\hat{\sigma} R \sigma$, we have $\sigma \equiv (P, N, D)$, where $P = age(rec\,X.\hat{P}_1, v)$, $N = age(\hat{N}, v)$, and $D = \hat{D}$. But $age(rec\,X.\hat{P}_1, v) = age(\hat{P}_1[rec\,X.\hat{P}_1 / X], v)$, which is derived by a shorter calculation, and so, if $(P, N, D) \xrightarrow{\lambda} (P', N', D')$, then, by i.h., $((\hat{P}_1[rec\,X.\hat{P}_1 / X], \hat{N}, \hat{D}), v) \xrightarrow{\lambda} ((\hat{P}', \hat{N}', \hat{D}'), v')$ and there exist $\hat{P}'' \leftrightarrow \hat{P}'$ and $P'' \leftrightarrow P'$ such that $((\hat{P}'', \hat{N}', \hat{D}'), v') R (P'', N', D')$. There are two sub-cases to consider:

i. $\lambda \in A_p \cup A_n$:
So $((\hat{P}_1[rec\,X.\hat{P}_1 / X], \hat{N}, \hat{D}), v) \xrightarrow{\lambda} ((\hat{P}', \hat{N}', \hat{D}'), v')$ must be derived by TA.1 from an edge $(\hat{P}_1[rec\,X.\hat{P}_1 / X], \hat{N}, \hat{D}) \xrightarrow{\psi,\ \lambda,\ H} (\hat{P}', \hat{N}', \hat{D}')$, where $v \models \psi$ and $v' = v[H := 0] \models I(\hat{P}', \hat{N}', \hat{D}')$. But then, by E_Rec, there is an edge $(rec\,X.\hat{P}_1, \hat{N}, \hat{D}) \xrightarrow{\psi,\ \lambda,\ H} (\hat{P}', \hat{N}', \hat{D}')$, and so, by TA.1, there is a transition $((rec\,X.\hat{P}_1, \hat{N}, \hat{D}), v) \xrightarrow{\lambda} ((\hat{P}', \hat{N}', \hat{D}'), v')$. By i.h., we have $((\hat{P}'', \hat{N}', \hat{D}'), v') R (P'', N', D')$, where $\hat{P}'' \leftrightarrow \hat{P}'$ and $P'' \leftrightarrow P'$.

ii. $\lambda = t \in \mathbb{R}$:
So $((\hat{P}_1[rec\,X.\hat{P}_1 / X], \hat{N}, \hat{D}), v) \xrightarrow{t} ((\hat{P}', \hat{N}', \hat{D}'), v')$ must be derived by TA.2, where $(\hat{P}', \hat{N}', \hat{D}') \equiv (\hat{P}_1[rec\,X.\hat{P}_1 / X], \hat{N}, \hat{D})$, $v' = v + t$ and $\forall t' \in \mathbb{R} \mid t' \le t\,.\, v + t' \models I(\hat{P}', \hat{N}', \hat{D}')$. But then, by Definition 4.16, $\forall t' \in \mathbb{R} \mid t' \le t\,.\, v + t' \models I(rec\,X.\hat{P}_1, \hat{N}', \hat{D}')$, and so, by TA.2, there is a transition $((rec\,X.\hat{P}_1, \hat{N}, \hat{D}), v) \xrightarrow{t} ((rec\,X.\hat{P}_1, \hat{N}', \hat{D}'), v')$. By i.h., we have $((\hat{P}'', \hat{N}', \hat{D}'), v') R (P'', N', D')$, where $\hat{P}'' \leftrightarrow \hat{P}' \equiv \hat{P}_1[rec\,X.\hat{P}_1 / X] \leftrightarrow rec\,X.\hat{P}_1$, and $P'' \leftrightarrow P'$, as required.

3. It is enough to show that for all $\lambda \in L$, if $\hat{\sigma} = ((\hat{P}, \hat{N}, \hat{D}), v) \xrightarrow{\lambda} ((\hat{P}', \hat{N}', \hat{D}'), v')$, then $\sigma = (P, N, D) \xrightarrow{\lambda} (P', N', D')$, and there exist $\hat{P}'' \leftrightarrow \hat{P}'$ and $P'' \leftrightarrow P'$ such that $((\hat{P}'', \hat{N}', \hat{D}'), v') R (P'', N', D')$. Again, the proof is by induction on the number of steps in the calculation of $age(\hat{\sigma})$. The proof is symmetrical to the previous case. We provide some illustrative variations.

(a) Case: $\hat{\sigma} \equiv (([w : t_1, t_2]^h, \hat{N}, \hat{D}), v)$
Since $\hat{\sigma} R \sigma$, then $\sigma \equiv (P, N, D)$, where $P = age([w : t_1, t_2]^h, v)$, $N = age(\hat{N}, v)$ and $D = \hat{D}$. There are three sub-cases to consider:
B. Proofs 206 
1. A = wE Ap 
A transition (([w : tI, ~]\ N, D), v)~((P', N', V'). v') must be 
derived by TA.! from an edge ([w: tl, ~]h, N, pt:::·riP'. N', V'), 
where v 1= 'IjJ and v' = v[H := 0] 1= I(P',N',D'). Such 
an edge can be constructed only by E_Comp.1, so tl E N, 
'IjJ == h ~ tl, H = {hu}, P' = ./, N' = N and V~dV'. 
Since v 1= h ~ tl and v 1= h ::; t2, then t2 ~ v(h) ~ t1 
and s.£ ~ = __ age([w : tI, t2]h, v) = [w : 0, t2 ..... v(h)]. Also, 
D = I?.-tdD'. So by 9o~p.!, (P, N, D)~('/, N, D') where 
D' = D'. Clearly, ((./, N, D'), v')R(./, N, D'). 
ii. A = An E An 
-- .A ---A transition (([w : tI, t2]\ N, D), v)~((P', N', D'), v') must be 
-- ~ t/J>' H ~ ~ --derived by TA.! from an edge ([w : tI, t2]h, N, D) ~ (P', N', D'), 
where v 1= 'IjJ and v' = v[H := 0] 1= I(P', N', V'). Such an edge 
can be constructed only by E_Comp.2, so p' = P, V' = V and 
-- >. --N ~nN'. There are four sub-cases to consider: one for each of 
the ways in which N ~nN' can be derived. We show the case 
E~ .4. Cases E~.1 - E~.3 can be proved similarly. 
A. E~.4. 
-- >. --If N ~nN' is derived by E---.N.4, then, for some chan-
__ t lb tub ~ --
nel identifier k E K, Nk = (m ~ ,u)hk , N' = N[k := 
(!.,u)hk ], 'IjJ == hk ~ tlb, An = k.j.. and H = {hu}. We have 
v 1= hk ::; tub and v 1= hk ~ t lb , so tlb ::; V(hk) ::; tub, 
__ O,tub .!.. V(hk) 
and therefore Nk = age(Nk'v) = (m ~ , u). It fol-
lows, by N.4, that N ~nN', where N' = N[k := Q.., u)]. 
So, by Cornp.2, we have (P,N,D)~(P,N',D). To show 
that ((P, N', D), v')R(P, N', D), we reason as follows. Since 
H = {hu}, then v' = v[hu := 0]. Now, for the process term, 
we have P = age([w: tI, t2]h, v) = age([w: tI, ~]h, v'), since, 
by safety of clock variable allocation, h :I hu' For the net-
work, we have N' = N[k := (.J.., u)hk ]. But age(N, v) = N 
and age((!., u)h\ ... v') = (.J.., u), so, by safety of ~lock variable 
allocation, age(N', v') = N'. Finally, D = D. The result 
follows. 
lll. A = t E lR 
-- -.. t -, -,"'-', I 
A transition (([w : tb t2]:: N.J.. DJ, v)-t((P , N , D );....v 1 must be 
derived by TA.2, so (P', N'D') = ([w : it, t2]h, N, D) , __ v' ~ = 
v + t, and Vt' E lR I t' ::; t. v + t' 1= IUw : t1, ~]\N,D). 
By Definition 4.16, v + t 1= h ::; t2 1\ I(N). Now, we have 
P = age([w : tl, t2]\ v) = [w : tl ..... v(h), t2 ..... v(h)], and, 
since v(h) + t ::; t2, then t ::; t2 - v(h). Also, we have N = 
age(N, v), and, by Lemma B.8, t ::; tcp(N), so, by N.4. we 
have N~nN', where N' = N + t. Therefore, by Comp.3, we 
derive (P, N, D)~(P', N', D'), where P' = [w : tl ..... v(h) ..... 
B. Proofs 207 
t, t;. ~ v(h) ~ t], and D' = D. It is a simple application of the 
definitions to show that ((PI, N I, D'), v')R(PI, N
'
, D'). 
(b) Case: $\hat\sigma \equiv ((\hat P \mathbin{[>} \hat Q, \hat N, D), v)$.
Since $\hat\sigma \mathrel{R} \sigma$, then $\sigma \equiv (P \mathbin{[>} Q, N, D)$, where $P = \mathit{age}(\hat P, v)$, $Q = \mathit{age}(\hat Q, v)$, $N = \mathit{age}(\hat N, v)$ and $D = D$. There are five sub-cases to consider: four for each of the ways in which an edge can be constructed which justifies a discrete transition by TA.1, and one for the justification of a time transition by TA.2.
i. E_Int.1
In this case, the edge is of the form $(\hat P \mathbin{[>} \hat Q, \hat N, D) \xrightarrow{\psi,\lambda,H} (\hat P' \mathbin{[>} \hat Q, \hat N', D')$, with $\lambda = \lambda_p \in \Lambda_p$, $\hat P' \not\equiv \surd$, $v \models \psi$, and $v[H := 0] \models I(\hat P' \mathbin{[>} \hat Q, \hat N', D')$. But this edge must be derived from an edge $(\hat P, \hat N, D) \xrightarrow{\psi,\lambda_p,H} (\hat P', \hat N', D')$. Now, by TA.1, this edge justifies a transition $((\hat P, \hat N, D), v) \xrightarrow{\lambda_p} ((\hat P', \hat N', D'), v[H := 0])$. So, by i.h., there is a transition $(P, N, D) \xrightarrow{\lambda_p} (P', N', D')$, where there exist $\hat P'' \leftrightarrow \hat P'$ and $P'' \leftrightarrow P'$ such that $((\hat P'', \hat N', D'), v[H := 0]) \mathrel{R} (P'', N', D')$. Since $\hat P' \not\equiv \surd$ then, by Definition B.2 and Proposition B.4, we have $P' \not\equiv \surd$, and so it follows by Int.1 that there is a transition $(P \mathbin{[>} Q, N, D) \xrightarrow{\lambda_p} (P' \mathbin{[>} Q, N', D')$. Since $\hat P'' \leftrightarrow \hat P'$ and $P'' \leftrightarrow P'$, then $\hat P'' \mathbin{[>} \hat Q \leftrightarrow \hat P' \mathbin{[>} \hat Q$ and $P'' \mathbin{[>} Q \leftrightarrow P' \mathbin{[>} Q$. To see that $((\hat P'' \mathbin{[>} \hat Q, \hat N', D'), v[H := 0]) \mathrel{R} (P'' \mathbin{[>} Q, N', D')$, we reason as follows. By construction of $R$, $P'' = \mathit{age}(\hat P'', v[H := 0])$. Furthermore, by safety of clock variable allocation, $H \cap \mathit{iclk}(\hat Q) = \emptyset$, so, by Lemma B.6, $Q = \mathit{age}(\hat Q, v[H := 0])$ and $N' = \mathit{age}(\hat N', v[H := 0])$. The result follows by construction of $R$.
ii. E_Int.2 Similar to previous case.
iii. E_Int.3 Similar to previous case.
iv. E_Int.4
In this case the edge is of the form $(\hat P \mathbin{[>} \hat Q, \hat N, D) \xrightarrow{\psi,\lambda_n,H} (\hat P \mathbin{[>} \hat Q, \hat N', D)$, where $\lambda = \lambda_n \in \Lambda_n$, $v \models \psi$, and $v' = v[H := 0] \models I(\hat P \mathbin{[>} \hat Q, \hat N', D)$. But the existence of this edge depends upon edges $(\hat P, \hat N, D) \xrightarrow{\psi,\lambda_n,H} (\hat P, \hat N', D)$ and $(\hat Q, \hat N, D) \xrightarrow{\psi,\lambda_n,H} (\hat Q, \hat N', D)$. Now, by TA.1, these edges justify transitions $((\hat P, \hat N, D), v) \xrightarrow{\lambda_n} ((\hat P, \hat N', D), v')$ and $((\hat Q, \hat N, D), v) \xrightarrow{\lambda_n} ((\hat Q, \hat N', D), v')$. So, by i.h. and Lemma B.1, there are transitions $(P, N, D) \xrightarrow{\lambda_n} (P, N', D)$ and $(Q, N, D) \xrightarrow{\lambda_n} (Q, N', D)$, where there exist $\hat P'' \leftrightarrow \hat P$, $P'' \leftrightarrow P$, $\hat Q'' \leftrightarrow \hat Q$, and $Q'' \leftrightarrow Q$ such that $((\hat P'', \hat N', D), v') \mathrel{R} (P'', N', D)$ and $((\hat Q'', \hat N', D), v') \mathrel{R} (Q'', N', D)$. Therefore, by Int.4, $(P \mathbin{[>} Q, N, D) \xrightarrow{\lambda_n} (P \mathbin{[>} Q, N', D)$. Clearly, by i.h. and Definition B.2, $((\hat P'' \mathbin{[>} \hat Q'', \hat N', D), v') \mathrel{R} (P'' \mathbin{[>} Q'', N', D)$, where $\hat P'' \mathbin{[>} \hat Q'' \leftrightarrow \hat P \mathbin{[>} \hat Q$ and $P'' \mathbin{[>} Q'' \leftrightarrow P \mathbin{[>} Q$.
v. $\lambda = t \in \mathbb{R}$
This transition is derived by TA.2, where $((\hat P \mathbin{[>} \hat Q, \hat N, D), v) \xrightarrow{t} ((\hat P \mathbin{[>} \hat Q, \hat N, D), v')$ with $v' = v + t$. The transition is possible only if $\forall t' \in \mathbb{R} \mid t' \le t \,.\, v + t' \models I(\hat P \mathbin{[>} \hat Q, \hat N, D)$. So, by Definition 4.16, $v + t \models I(\hat P, D) \wedge I(\hat Q, D) \wedge I(\hat N)$, and, therefore, by TA.2, $((\hat P, \hat N, D), v) \xrightarrow{t} ((\hat P, \hat N, D), v')$ and $((\hat Q, \hat N, D), v) \xrightarrow{t} ((\hat Q, \hat N, D), v')$. By i.h. and Lemma B.1, $(P, N, D) \xrightarrow{t} (P', N', D)$ and $(Q, N, D) \xrightarrow{t} (Q', N', D)$ and there exist $\hat P'' \leftrightarrow \hat P$, $P'' \leftrightarrow P'$, $\hat Q'' \leftrightarrow \hat Q$ and $Q'' \leftrightarrow Q'$ such that $((\hat P'', \hat N, D), v') \mathrel{R} (P'', N', D)$ and $((\hat Q'', \hat N, D), v') \mathrel{R} (Q'', N', D)$. Therefore, by Int.4, $(P \mathbin{[>} Q, N, D) \xrightarrow{t} (P' \mathbin{[>} Q', N', D)$, and, by construction of $R$, $((\hat P'' \mathbin{[>} \hat Q'', \hat N, D), v') \mathrel{R} (P'' \mathbin{[>} Q'', N', D)$, where $\hat P'' \mathbin{[>} \hat Q'' \leftrightarrow \hat P \mathbin{[>} \hat Q$ and $P'' \mathbin{[>} Q'' \leftrightarrow P' \mathbin{[>} Q'$.
(c) Case: $\hat\sigma \equiv ((\mathrm{rec}\,X.\hat P_1, \hat N, D), v)$
So, since $\hat\sigma \mathrel{R} \sigma$, we have $\sigma \equiv (P, N, D)$, where $P = \mathit{age}(\mathrm{rec}\,X.\hat P_1, v)$, $N = \mathit{age}(\hat N, v)$, and $D = D$. There are two sub-cases to consider:
i. $\lambda \in \Lambda_p \cup \Lambda_n$:
Then, the transition $((\mathrm{rec}\,X.\hat P_1, \hat N, D), v) \xrightarrow{\lambda} ((\hat P', \hat N', D'), v')$ must be derived by TA.1 from an edge $(\mathrm{rec}\,X.\hat P_1, \hat N, D) \xrightarrow{\psi,\lambda,H} (\hat P', \hat N', D')$, where $v \models \psi$ and $v' = v[H := 0] \models I(\hat P', \hat N', D')$. This edge must be justified by E_Rec from an edge $(\hat P_1[\mathrm{rec}\,X.\hat P_1/X], \hat N, D) \xrightarrow{\psi,\lambda,H} (\hat P', \hat N', D')$. So, by TA.1, there is a transition $((\hat P_1[\mathrm{rec}\,X.\hat P_1/X], \hat N, D), v) \xrightarrow{\lambda} ((\hat P', \hat N', D'), v')$. But $\mathit{age}(\mathrm{rec}\,X.\hat P_1, v) = \mathit{age}(\hat P_1[\mathrm{rec}\,X.\hat P_1/X], v)$, which is derived by a shorter calculation, and so, by i.h., we have $(P, N, D) \xrightarrow{\lambda} (P', N', D')$ and there exist $\hat P'' \leftrightarrow \hat P'$ and $P'' \leftrightarrow P'$ such that $((\hat P'', \hat N', D'), v') \mathrel{R} (P'', N', D')$.
ii. $\lambda = t \in \mathbb{R}$:
Then, the transition $((\mathrm{rec}\,X.\hat P_1, \hat N, D), v) \xrightarrow{t} ((\hat P', \hat N', D'), v')$ must be derived by TA.2, where $(\hat P', \hat N', D') \equiv (\mathrm{rec}\,X.\hat P_1, \hat N, D)$, $v' = v + t$ and $\forall t' \in \mathbb{R} \mid t' \le t \,.\, v + t' \models I(\mathrm{rec}\,X.\hat P_1, \hat N, D)$. But then, by Definition 4.16, we have $\forall t' \in \mathbb{R} \mid t' \le t \,.\, v + t' \models I(\hat P_1[\mathrm{rec}\,X.\hat P_1/X], \hat N, D)$, and so, by TA.2, there is a transition $((\hat P_1[\mathrm{rec}\,X.\hat P_1/X], \hat N, D), v) \xrightarrow{t} ((\hat P_1[\mathrm{rec}\,X.\hat P_1/X], \hat N, D), v')$. By i.h., we have $(P, N, D) \xrightarrow{t} (P', N', D')$ and there exist $\hat P'' \leftrightarrow \hat P_1[\mathrm{rec}\,X.\hat P_1/X]$ and $P'' \leftrightarrow P'$ such that $((\hat P'', \hat N, D), v') \mathrel{R} (P'', N', D')$. But $\hat P'' \leftrightarrow \hat P_1[\mathrm{rec}\,X.\hat P_1/X] \leftrightarrow \mathrm{rec}\,X.\hat P_1$, as required.
$\square$
C. THE CANDLE GRAMMAR
C.1 Syntax Notation
The grammar of CANDLE is described in an extended Backus-Naur Form (BNF).
• Italicized words are used to denote syntactic categories (non-terminal symbols), for example:
    module
    formalParameter
    statement
• Typewriter font is used for lexical elements of the language (terminal symbols) such as keywords and special symbols, for example:
    function
    >=
    every
• A list of alternative items is written with each alternative occurring on a new line, for example:
parameterMode ::=
    in
    out
    inout
Indentation is used to show that a new line is intended as a continuation of the previous item, rather than the beginning of a new alternative.
• [.] denotes an optional item, for example:
loopStatement ::=
    loop [loopIdentifier] do seqStatement end loop
is a rule for a loop statement, in which a loopIdentifier may be present but is not required.
• {.}* denotes zero or more occurrences of an item, and {.}+ denotes one or more occurrences of an item, for example
module ::=
    module moduleIdentifier is {declSection}* [behaviour] end module
is a rule which shows that zero or more occurrences of a declSection item may occur in a module declaration.
C.2 Lexical Conventions
The lexical conventions of CANDLE are standard:
• Whitespace characters are space, tab and newline. Any string starting with two dashes "--" and ending with a newline is a comment. Multiple-line comments start with the string "(*" and end with the string "*)".
• A number is any sequence of digits.
• An identifier is any sequence of characters in the set {A-Z, a-z, 0-9, _} which starts with a letter, excluding the reserved words shown below. All characters in an identifier are significant, and case is significant.
• The reserved words are:
    and         behaviour   channel     const       do          elapse
    else        elsif       end         every       exception   exit
    function    idle        if          in          inout       is
    loop        mod         module      not         null        or
    out         procedure   rcv         return      select      snd
    then        trap        type        var
C.3 Modules
program ::=
    {module}*
module ::=
    module moduleIdentifier is {declSection}* [behaviour] end module
C.4 Declarations
declSection ::=
    typeDeclSection
    constantDeclSection
    variableDeclSection
    functionDeclSection
    procedureDeclSection
    channelDeclSection
    exceptionDeclSection
C.4.1 Type Declarations
typeDeclSection ::=
    type typeDecl {; typeDecl}*
typeDecl ::=
    typeIdentifier
C.4.2 Constant Declarations
constantDeclSection ::=
    const constantDecl {; constantDecl}*
constantDecl ::=
    constantIdentifier : typeIdentifier
C.4.3 Variable Declarations
variableDeclSection ::=
    var variableDecl {; variableDecl}*
variableDecl ::=
    variableIdentifier : typeIdentifier
C.4.4 Function and Procedure Declarations
functionDeclSection ::=
    function functionDecl {; functionDecl}*
functionDecl ::=
    functionIdentifier ( [formalParameter {; formalParameter}*] )
        typeIdentifier
procedureDeclSection ::=
    procedure procedureDecl {; procedureDecl}*
procedureDecl ::=
    procedureIdentifier ( [formalParameter {; formalParameter}*] )
formalParameter ::=
    [parameterMode] typeIdentifier
parameterMode ::=
    in
    out
    inout
C.4.5 Channel Declarations
channelDeclSection ::=
    channel channelDecl {; channelDecl}*
channelDecl ::=
    channelIdentifier [channelSpec]
channelSpec ::=
    : ( messageSpec {, messageSpec}* )
messageSpec ::=
    messageIdentifier [. typeIdentifier]
C.4.6 Exception Declarations
exceptionDeclSection ::=
    exception exceptionDecl {; exceptionDecl}*
exceptionDecl ::=
    exceptionIdentifier : typeIdentifier
C.5 Expressions
expression ::=
    constantLiteral
    identifier
    ? exceptionIdentifier
    functionCall
    - expression
    expression * expression
    expression / expression
    expression + expression
    expression - expression
    expression mod expression
    expression = expression
    expression /= expression
    expression < expression
    expression <= expression
    expression > expression
    expression >= expression
    not expression
    expression and expression
    expression or expression
    ( expression )
The precedence of operators is given below. Operators of equal precedence are shown on the same line. Operators of lower precedence are shown first. All operators are left-associative, except unary minus and logical negation which are non-associative.
    or
    and
    not
    = /= < <= > >=
    + -
    * / mod
constantLiteral ::=
    uvalue
    false
    true
    number
functionCall ::=
    functionIdentifier ( [expression {, expression}*] )
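As an added illustration of the precedence and associativity rules of C.5, the following Python parser was written for this page; it is not code from the thesis or from any CANDLE tool. It tokenises an expression under the lexical rules of C.2 (numbers, identifiers, the keyword operators and the symbol operators), then applies precedence climbing with the table above: `or` weakest, then `and`, then `not` (so `not x = y` is `not (x = y)`), then the comparisons, then `+ -`, then `* / mod`, with unary minus binding tightest. Binary operators fold to the left; `not` and unary minus refuse a directly repeated operand, which is how the grammar's non-associativity is enforced. The tuple shapes of the returned AST (`("call", name, args)`, `("?", exception)`, `(op, left, right)`) are this example's own choice.

```python
"""Parser for the CANDLE expression grammar of Appendix C.5 (added example,
not code from the thesis).  It encodes the precedence table of C.5, left
associativity of binary operators and non-associativity of `not` and unary
minus, and returns a nested-tuple AST whose node shapes are its own choice."""
import re

# Binary operator precedence from the table in C.5; a larger value binds tighter.
BINARY = {"or": 1, "and": 2,
          "=": 4, "/=": 4, "<": 4, "<=": 4, ">": 4, ">=": 4,
          "+": 5, "-": 5, "*": 6, "/": 6, "mod": 6}
# Prefix operators: `not` sits between `and` and the comparisons, so
# `not x = y` is `not (x = y)`; unary minus binds tighter than any binary
# operator.  Both are non-associative: `not not x` and `- - x` are rejected.
PREFIX = {"not": 3, "-": 7}
KEYWORD_OPS = {"and", "or", "not", "mod"}
LITERALS = {"true", "false", "uvalue"}
TOKEN_RE = re.compile(r"\s*(?:(\d+)|([A-Za-z][A-Za-z0-9_]*)|(/=|<=|>=|[-+*/=<>(),?]))")


def tokenize(src):
    """Split an expression into (kind, value) tokens following the lexical rules of C.2."""
    src, pos, tokens = src.strip(), 0, []
    while pos < len(src):
        m = TOKEN_RE.match(src, pos)
        if not m:
            raise SyntaxError(f"bad character at {pos}: {src[pos:pos + 8]!r}")
        pos = m.end()
        num, ident, sym = m.groups()
        if num is not None:
            tokens.append(("num", int(num)))
        elif ident is not None:
            tokens.append(("op" if ident in KEYWORD_OPS else "ident", ident))
        else:
            tokens.append(("op", sym))
    return tokens


class Parser:
    def __init__(self, src):
        self.toks, self.i = tokenize(src), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else ("eof", None)

    def take(self, expect=None):
        kind, val = self.peek()
        if expect is not None and val != expect:
            raise SyntaxError(f"expected {expect!r}, got {val!r}")
        self.i += 1
        return kind, val

    def parse(self):
        tree = self.expression(0)
        if self.peek()[0] != "eof":
            raise SyntaxError(f"trailing input at {self.peek()[1]!r}")
        return tree

    def expression(self, min_prec):
        # Precedence climbing: fold in binary operators of at least min_prec.
        left = self.primary()
        while True:
            kind, op = self.peek()
            if kind != "op" or op not in BINARY or BINARY[op] < min_prec:
                return left
            self.take()
            left = (op, left, self.expression(BINARY[op] + 1))  # +1: left-associative

    def primary(self):
        kind, val = self.take()
        if kind == "num" or (kind == "ident" and val in LITERALS):
            return val                                   # constantLiteral
        if kind == "ident" and self.peek() != ("op", "("):
            return val                                   # identifier
        if kind == "ident":                              # functionCall
            self.take("(")
            args = []
            while self.peek() != ("op", ")"):
                if args:
                    self.take(",")
                args.append(self.expression(0))
            self.take(")")
            return ("call", val, tuple(args))
        if val == "?":                                   # ? exceptionIdentifier
            k, name = self.take()
            if k != "ident":
                raise SyntaxError("exception identifier expected after '?'")
            return ("?", name)
        if val == "(":
            inner = self.expression(0)
            self.take(")")
            return inner
        if val in PREFIX:
            if self.peek() == ("op", val):               # non-associative: reject `- - x`
                raise SyntaxError(f"{val!r} is non-associative; parenthesise the operand")
            return (val, self.expression(PREFIX[val]))
        raise SyntaxError(f"unexpected token {val!r}")


def parse(src):
    """Parse a CANDLE expression into a nested-tuple AST, e.g. parse("a + b * c")."""
    return Parser(src).parse()
```

`parse("not x = y")` yields `("not", ("=", "x", "y"))` and `parse("a - b - c")` yields `("-", ("-", "a", "b"), "c")`, which is exactly the reading the precedence table prescribes; `parse("- - x")` raises `SyntaxError`, since the grammar gives unary minus no associativity and a reader would otherwise have to guess whether the double negation is permitted.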
C.6 Behaviour
behaviour ::=
    behaviour statement
statement ::=
    seqStatement | statement
    seqStatement
seqStatement ::=
    atomicStatement seqStatement
    atomicStatement
atomicStatement ::=
    null
    idle
    sndStatement
    rcvStatement
    elapseStatement
    assignmentStatement
    procedureCall
    ifStatement
    loopStatement
    everyStatement
    selectStatement
    trapStatement
    exitStatement
    moduleInstantiation
C.6.1 Send statement
sndStatement ::=
    snd ( channelIdentifier , messageIdentifier [. expression] )
C.6.2 Receive statement
rcvStatement ::=
    rcv ( channelIdentifier , messageIdentifier [. variableIdentifier] )
C.6.3 Elapse statement
elapseStatement ::=
    elapse expression
C.6.4 Assignment statement and Procedure Call
assignmentStatement ::=
    variableIdentifier := expression
procedureCall ::=
    procedureIdentifier ( [expression {, expression}*] )
C.6.5 If statement
ifStatement ::=
    if thenPart {elsifPart}* [elsePart] end if
thenPart ::=
    expression then seqStatement
elsifPart ::=
    elsif expression then seqStatement
elsePart ::=
    else seqStatement
C.6.6 Repetition statements
loopStatement ::=
    loop [loopIdentifier] do seqStatement end loop
everyStatement ::=
    every expression do seqStatement end every
C.6.7 Select statement
selectStatement ::=
    select {selectAlternative}+ [in seqStatement] end select
selectAlternative ::=
    :: rcvElapseOrModuleInstantiation [; seqStatement]
rcvElapseOrModuleInstantiation ::=
    rcvStatement
    elapseStatement
    moduleInstantiation
C.6.8 Trap statement
trapStatement ::=
    trap {trapAlternative}+ in seqStatement end trap
trapAlternative ::=
    :: exceptionIdentifier => seqStatement
exitStatement ::=
    exit exceptionIdentifier [( expression )]
C.6.9 Module Instantiation
moduleInstantiation ::=
    moduleIdentifier [[ renaming {, renaming}* ]]
renaming ::=
    expression / identifier
D. THE SDML GRAMMAR
D.1 Introduction
SDML is a simple data modelling language which can be used with CANDLE for describing the data objects and operations in CAN-based systems.
The notation used in giving the grammar of SDML is the same as the notation of Appendix C, as are the lexical conventions, except for the reserved words, which are as follows:
    and         any         array       begin       boolean     bounds
    const       data        do          end         fi          function
    if          in          inout       is          mod         not
    od          of          or          out         procedure   return
    skip        type        uvalue      var
D.2 Data Modules
program ::=
    {dataModule}*
dataModule ::=
    data dataModuleIdentifier is {declSection}* end data
D.3 Declarations
declSection ::=
    typeDeclSection
    constantDeclSection
    functionDeclSection
    procedureDeclSection
D.3.1 Type Declarations
typeDeclSection ::=
    type typeDecl {; typeDecl}*
typeDecl ::=
    typeIdentifier is typeExpr [size expression]
typeExpr ::=
    enumerationType
    subrangeType
    recordType
    arrayType
    typeIdentifier
enumerationType ::=
    { enumElement {, enumElement}* }
enumElement ::=
    constantIdentifier
    number
subrangeType ::=
    expression .. expression
recordType ::=
    {| variableDecl {; variableDecl}* |}
arrayType ::=
    array typeExpr of typeExpr
D.3.2 Constant Declarations
constantDeclSection ::=
    const constantDecl {; constantDecl}*
constantDecl ::=
    constantIdentifier : typeIdentifier [is expression]
D.3.3 Function and Procedure Declarations
functionDeclSection ::=
    function functionDecl {; functionDecl}*
functionDecl ::=
    functionIdentifier ( [formalParameter {; formalParameter}*] )
        typeIdentifier
        is [bounds] [variableDeclSection] statementPart
procedureDeclSection ::=
    procedure procedureDecl {; procedureDecl}*
procedureDecl ::=
    procedureIdentifier ( [formalParameter {; formalParameter}*] )
        is [bounds] [[variableDeclSection] statementPart]
formalParameter ::=
    [parameterMode] variableIdentifier : typeIdentifier
parameterMode ::=
    in
    out
    inout
bounds ::=
    bounds bound ; bound
bound ::=
    expression
D.3.4 Variable Declarations
variableDeclSection ::=
    var variableDecl {; variableDecl}*
variableDecl ::=
    variableIdentifier : typeExpr
D.4 Expressions
assignableExpression ::=
    expression
    any typeIdentifier
expression ::=
    designator
    constantLiteral
    functionCall
    - expression
    expression * expression
    expression / expression
    expression + expression
    expression - expression
    expression mod expression
    expression = expression
    expression /= expression
    expression < expression
    expression <= expression
    expression > expression
    expression >= expression
    not expression
    expression and expression
    expression or expression
    ( expression )
designator ::=
    variableIdentifier
    designator . fieldIdentifier
    designator [ expression ]
constantLiteral ::=
    uvalue
    false
    true
    number
fieldAssignment ::=
    identifier = expression
functionCall ::=
    functionIdentifier ( [expression {, expression}*] )
D.5 Statements
statementPart ::=
    begin statement end
statement ::=
    atomicStatement statement
    atomicStatement
atomicStatement ::=
    skip
    assignmentStatement
    procedureCall
    returnStatement
    ifStatement
    doStatement
D.5.1 Assignment statement and Procedure Call
assignmentStatement ::=
    designator := assignableExpression
procedureCall ::=
    procedureIdentifier ( [expression {, expression}*] )
D.5.2 Return statement
returnStatement ::=
    return expression
D.5.3 If statement and Repetition
ifStatement ::=
    if {guardedCommand}+ fi
doStatement ::=
    do {guardedCommand}+ od
guardedCommand ::=
    :: expression => statement
E. GLOSSARY
Below are the notations used in this dissertation together with the section in which each notation is defined or first appears.

Sets of Numbers
$\mathbb{N}$                      Natural numbers                                           2.2
$\mathbb{N}_\infty$               $\mathbb{N} \cup \{\infty\}$                              4.2.1
$\mathbb{Z}$                      Integer numbers                                           2.2
$\mathbb{Z}_\infty$               $\mathbb{Z} \cup \{\infty\}$                              2.7.5
$\mathbb{Q}$                      Rational numbers                                          2.2
$\mathbb{R}$                      Non-negative real numbers                                 2.2
$\mathbb{R}_\infty$               $\mathbb{R} \cup \{\infty\}$                              2.2

Actions
$\mathbb{R}$                      Set of delay actions                                      2.3.2
$t$                               Delay action of duration $t$ in $\mathbb{R}$              2.3.2
$\tau$                            Time-abstracted delay action                              2.7.2
$\Lambda_n$                       Set of network actions                                    3.4.2
$\lambda_n$                       Network action in $\Lambda_n$                             3.6.2
$\lambda_{nt}$                    Network or delay action in $\Lambda_n \cup \mathbb{R}$    3.6.2
$\Lambda_p$                       Set of process actions                                    3.6.2
$\lambda_p$                       Process action in $\Lambda_p$                             3.6.2
$A$                               Set of discrete actions                                   2.3.2
$a$                               Discrete action in $A$                                    2.3.2
$A_\tau$                          $A \cup \{\tau\}$                                         2.7.2
$L$                               Set of all actions                                        2.3
$\lambda$                         Any action in $L$                                         2.3

Labelled Transition Systems (LTS)
$S$                               Labelled transition system (LTS)                          2.3
$\Sigma$                          Set of states of a LTS                                    2.3
$\sigma^I$                        Initial state of a LTS                                    2.3
$\sigma$                          State of LTS in $\Sigma$                                  2.3
$\rho$                            Path $\sigma_0 \lambda_0 \sigma_1 \lambda_1 \ldots$ in LTS 2.3
$\mathit{label}_\rho(i)$          Label of $i$-th action in the path $\rho$                 2.3
$\Xi_S(\sigma)$                   Set of executions (infinite paths) from state $\sigma$ in LTS $S$   2.3.2
$\varepsilon$                     Execution in $\Xi_S$                                      2.3.2
$\delta_\varepsilon(i)$           Duration of $i$-th action in the execution $\varepsilon$  2.3.2
$\Delta_\varepsilon(n)$           Time elapsed in $\varepsilon$ from $\sigma_0$ to $\sigma_n$   2.3.2
$\Xi^\infty_S(\sigma)$            Set of time divergent executions from $\sigma$            2.3.2
$S_1 \parallel S_2$               Parallel composition of LTS's                             2.3.3

Transition Relations
$\to$                             Transition relation                                       2.3
$\to^n$                           $n$-ary composition of $\to$                              2.3
$\to^*$                           $n$-ary composition of $\to$ for some $n \in \mathbb{N}$  2.3
$\to_n$                           Network transition relation                               3.4.2
$\to_{rg}$                        Region graph transition relation                          2.7.2
$\to_{sg}$                        Simulation graph transition relation                      2.7.6
Equivalence Relations
$P \equiv Q$                      Syntactic identity                                        3.3
$P \leftrightarrow Q$             Strong bisimulation                                       3.6.3
$P = Q$                           Equality (modulo equational theory)                       3.6.4

Clocks
$\mathcal{H}$                     Set of clock variables                                    2.5.2
$h$                               Clock (meta-)variable ranging over $\mathcal{H}$          2.5.2
$\mathbb{R}^{\mathcal{H}}$        Set of clock valuations                                   2.5.2
$v$                               Clock valuation in $\mathbb{R}^{\mathcal{H}}$             2.5.2
$\mathbf{0}$                      Clock valuation with all clock variables equal to 0       2.5.2
$v[H := 0]$                       Reset of all clocks $h \in H$                             2.5.2
$v + t$                           $v$ after delay of duration $t$                           2.5.2
$\Psi_{\mathcal{H}}$              Set of clock constraints                                  2.5.2
$\chi$                            Atomic clock constraint                                   2.5.2
$Z_{\mathcal{H}}$                 Set of conjunctions of atomic clock constraints, convex clock constraints   2.5.2
$\zeta$                           Convex clock constraint, $\zeta \in Z_{\mathcal{H}}$      2.5.2
$\psi$                            Clock constraint, $\psi \in \Psi_{\mathcal{H}}$           2.5.2
$v \models \psi$                  Clock valuation $v$ satisfies clock constraint $\psi$     2.5.2
$[\psi]$                          Characteristic set of $\psi$                              2.5.2
$\mathit{tt}, \mathit{ff}$        True and False clock constraints                          2.5.2

Timed Automata (TA)
$A$                               Timed Automaton                                           2.5
$Q$                               Set of locations                                          2.5.4
$q^I$                             Initial location                                          2.5.4
$q$                               Location in $Q$                                           2.5.4
$E$                               Set of edges                                              2.5.4
$e$                               Edge in $E$                                               2.5.4
$\mathit{guard}(e)$               Guard of edge $e$                                         2.5.4
$\mathit{label}(e)$               Action label of edge $e$                                  2.5.4
$\mathit{reset}(e)$               Reset clocks of edge $e$                                  2.5.4
$I$                               Invariant function                                        2.5.4
$c_{max}(A)$                      Largest constant value in guard or invariant of $A$       2.5.4
$A_1 \parallel A_2$               Parallel composition of TA                                2.5.6
$T[A]$                            LTS derived from TA $A$                                   2.5.5
$(q, v)$                          State in the LTS of a TA                                  2.5.5
$(q, v) + t$                      Alternative to $(q, v + t)$                               2.5.5
$(q, v)[H := 0]$                  Alternative to $(q, v[H := 0])$                           2.5.5
$RG(A)$                           Region graph of the TA $A$                                2.7.2
$SG(A)$                           Simulation graph of the TA $A$                            2.7.6
$AG(A)$                           Activity graph of the TA $A$                              5.2.2
Polyhedra
$\psi$                            $\mathcal{H}$-polyhedron, $\psi \in \Psi_{\mathcal{H}}$   2.7.4
$\zeta$                           Convex $\mathcal{H}$-polyhedron, $\zeta \in Z_{\mathcal{H}}$   2.7.4
$\mathit{succ}_e(\psi)$           Polyhedron denoting successors of $\psi$ via TA edge $e$  2.7.4
$\mathit{succ}_q(\psi)$           Polyhedron denoting successors of $\psi$ as time passes at TA location $q$   2.7.4
$\psi_1 \cap \psi_2$              Intersection of polyhedra                                 2.7.4
$\psi_1 \cup \psi_2$              Union of polyhedra                                        2.7.4
$\psi_1 \setminus \psi_2$         Difference of polyhedra                                   2.7.4
$\psi_1 \subseteq \psi_2$         Inclusion of polyhedra                                    2.7.4
$\psi_1 \sqcup \psi_2$            Convex hull of polyhedra                                  2.7.4
$\overline{\psi}$                 Complement of polyhedron                                  2.7.4
$\nearrow\psi$                    Forward projection                                        2.7.4
$\psi[H := 0]$                    Reset projection                                          2.7.4
$\mathit{close}_c(\zeta)$         $c$-closure                                               2.7.4

Difference Bound Matrices (DBM)
$(c, \prec)$                      Bound in $\mathbb{Z}_\infty \times \{<, \le\}$            2.7.5
$M$                               Difference Bound Matrix                                   2.7.5
$M_{i,j}$                         Bound at row $i$, column $j$ in DBM $M$                   2.7.5
$[M]$                             Set of clock valuations denoted by DBM $M$                2.7.5
$M_\emptyset$                     Empty DBM, i.e. $[M_\emptyset] = \emptyset$               2.7.5
$U$                               Universal DBM, i.e. $[U] = \mathbb{R}^{\mathcal{H}}$      2.7.5
$\mathit{cf}\,M$                  Canonical form of DBM $M$                                 2.7.5

Data Environment
$\mathit{Var}$                    Set of data variables                                     3.3.1
$x$                               Data variable in $\mathit{Var}$                           3.3.1
$V$                               Set of data values                                        3.3.1
$v$                               Data value in $V$                                         3.3.1
$\mathit{type}(x)$                Type of data variable $x$                                 3.3.1
$\mathit{Valuation}$              Set of data valuations, $\mathit{Var} \to V$              3.3.1
$\mathit{val}(x)$                 Value of data variable $x$                                3.3.1
$\Omega$                          Set of data operation names                               3.3.1
$\omega$                          Data operation name in $\Omega$                           3.3.1
$\mathit{operation}(\omega)$      Operation which interprets the operation name $\omega$    3.3.1
$\Gamma$                          Set of data predicate names                               3.3.1
$\gamma$                          Data predicate name in $\Gamma$                           3.3.1
$\mathit{predicate}(\gamma)$      Predicate which interprets the predicate name $\gamma$    3.3.1
$\mathit{DataEnv}_{\mathit{Var},\Omega,\Gamma}$   Set of data environments over $\mathit{Var}$, $\Omega$ and $\Gamma$   3.3.1
$D$                               Data environment in $\mathit{DataEnv}$                    3.3.1
$D.x$                             Value of data variable $x$ given by $D$                   3.3.1
$D[x := v]$                       Update value of $x$ to become $v$                         3.3.1
$D \xrightarrow{\omega}_d D'$     Data environment transformation by operation $\omega$     3.3.1
$\mathit{ID}$                     Identity data operation                                   3.3.1
$\mathit{true}, \mathit{false}$   True and False data predicates                            3.3.1
Channels
$I$                               Set of message identifiers                                3.4.1
$M$                               Set of messages, $M \subseteq I \times V$                 3.4.1
$i.v$                             Message with identifier $i$ and data value $v$            3.4.1
$m \prec m'$                      Message $m$ has higher priority than $m'$                 3.4.1
$\delta$                          Transmission latency function; derived functions are $\delta_{lb}$, $\delta_{ub}$, $\delta_{lB}$ and $\delta_{uB}$   3.4.1
$\mathit{Status}_{M,\delta}$      Set of transmission statuses                              3.4.1
$s$                               Transmission status in $\mathit{Status}$                  3.4.1
$\downarrow$                      Free status                                               3.4.1
$\overset{t_1,t_2}{\leadsto} m$   Pre-acceptance phase of message transmission              3.4.1
$\uparrow m$                      Acceptance point in message transmission                  3.4.1
$m \overset{t_1,t_2}{\leadsto}$   Post-acceptance phase of message transmission             3.4.1
$\mathit{Queue}_{M,\prec}$        Set of message queues                                     3.4.1
$u$                               Message queue in $\mathit{Queue}$                         3.4.1
$\langle\rangle$                  Empty message queue                                       3.4.1
$m : u$                           Message queue with highest priority message $m$           3.4.1
$u \leftarrow_p m$                Prioritised insertion of $m$ into $u$                     3.4.1
$\mathit{Channel}_I$              Set of channels over $I$                                  3.4.1
$\eta$                            Channel in $\mathit{Channel}$                             3.4.1

Networks
$K$                               Set of channel identifiers                                3.4.1
$k$                               Channel identifier in $K$                                 3.4.1
$\mathit{Network}_{K,I}$          Set of networks, $K \to \mathit{Channel}_I$               3.4.1
$\widehat{\mathit{Network}}_{K,I}$   Set of clocked networks, $K \to \mathit{Channel}_I \times \mathcal{H}$   4.2.1
$N_k$                             Channel $k$ in network $N$                                3.4.1
$\hat N_k$                        Channel $k$ in clocked network $\hat N$                   4.2.1
$N[k := \eta]$                    Update of channel $k$ in network $N$                      3.4.2
$\mathit{tcp}(N)$                 Maximum time progress for network $N$                     3.4.2
$N + t$                           State of network $N$ after delay of duration $t$          3.4.2
Process Constructions
$k!i.x$                           Send broadcast message                                    3.5
$k?i.x$                           Receive broadcast message                                 3.5
$[\omega : t_1, t_2]$             Time bounded computation                                  3.5
$\gamma \to P$                    Data guard                                                3.5
$P ; P$                           Sequential composition                                    3.5
$P + P$                           Non-deterministic choice                                  3.5
$P \mathbin{[>} P$                Interrupt                                                 3.5
$P \mid P$                        Parallel composition                                      3.5
$\mathrm{rec}\,X.P$               Recursion                                                 3.5
$\mathit{idle}$                   $[\mathit{ID} : \infty]$                                  3.5
$\mathit{null}$                   $[\mathit{ID} : 0]$                                       3.5
$\mathit{Proc}^+$                 Set of process terms                                      3.5
$\mathit{Proc}$                   Set of closed, guarded process terms                      3.5
$P, Q$                            Process terms in $\mathit{Proc}^+$ or $\mathit{Proc}$     3.5
$\beta$                           Basic term in $\mathit{Proc}^+$ or $\mathit{Proc}$        3.5
$\widehat{\mathit{Proc}}$         Set of clocked, closed, guarded process terms             4.2.2
$\hat P, \hat Q$                  Clocked process terms in $\widehat{\mathit{Proc}}$        4.2.2
$\hat\beta$                       Clocked basic term in $\widehat{\mathit{Proc}}$           4.2.2

Minimised Automata (MA)
$A$                               Minimised deterministic finite state automaton            5.3.1
$Q$                               Set of states of a MA                                     5.3.1
$Q_i$                             Set of states at layer $i$ in a MA                        5.3.1
$Q^-$                             $Q \setminus Q_k$, for a $k$-layer MA                     5.3.1
$\Lambda$                         Alphabet of a MA                                          5.3.1
$E$                               Transition relation of a MA                               5.3.1
$T, F$                            Accepting and rejecting final states in a MA              5.3.1
$\alpha$                          A string $\alpha_0, \alpha_1, \ldots, \alpha_{n-1}$       5.3.1
$\mathcal{L}_A(q)$                Language of $A$ from state $q$                            5.3.1
$\mathcal{L}(A)$                  $\mathcal{L}_A(q_0)$                                      5.3.1

Nets
$\mathcal{R}$                     A net $(W, \Theta, W_I)$                                  4.4.1
$W$                               Set of places                                             4.4.1
$w$                               Place in $W$                                              4.4.1
$\Theta$                          Set of transitions                                        4.4.1
$\theta$                          Transition in $\Theta$                                    4.4.1
$W_I$                             Set of initial places                                     4.4.1
${}^\bullet\theta$                Trigger place of $\theta$                                 4.4.1
${}^\circ\theta$                  Vulnerable places to $\theta$                             4.4.1
$\theta^\bullet$                  Target places of $\theta$                                 4.4.1
$\Omega\theta$                    Attribute of $\theta$                                     4.4.1
$\theta_w$                        Transition triggered by place $w$                         4.4.1
BIBLIOGRAPHY
[AAB+99] P. Abdulla, A. Annichini, S. Bensalem, A. Bouajjani, P. Habermehl, and Y. Lakhnech. Verification of infinite-state systems by combining abstraction and reachability analysis. In N. Halbwachs and D. Peled, editors, Proceedings of the 11th International Conference on Computer Aided Verification (CAV'99), volume 1633 of Lecture Notes in Computer Science. Springer Verlag, 1999.
[ABBL98] L. Aceto, P. Bouyer, A. Burgueño, and K. Larsen. The power of reachability testing for timed automata. Technical Report RS-98-48, BRICS, Department of Computer Science, University of Aarhus, December 1998.
[ABK+97] E. Asarin, M. Bozga, A. Kerbrat, O. Maler, A. Pnueli, and A. Rasse. Data structures for the verification of timed automata. In O. Maler, editor, Proceedings of 1st International Workshop on Hybrid and Real-Time Systems (HART'97), volume 1201 of Lecture Notes in Computer Science, pages 346-360. Springer Verlag, March 1997.
[ABL96] J.-R. Abrial, E. Börger, and H. Langmaack, editors. Formal Methods for Industrial Applications: Specifying and Programming the Steam Boiler Control, volume 1165 of Lecture Notes in Computer Science. Springer Verlag, 1996.
[ABL98] L. Aceto, A. Burgueño, and K. Larsen. Model checking via reachability testing for timed automata. In B. Steffen, editor, Proceedings of 4th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS'98), volume 1384 of Lecture Notes in Computer Science, pages 263-280. Springer Verlag, 1998.
[Abr96] J.-R. Abrial. The B Book - Assigning Programs to Meanings. Cambridge University Press, 1996.
[ACD90] R. Alur, C. Courcoubetis, and D. Dill. Model-checking for real-time systems. In Proceedings of 5th IEEE Symposium on Logic in Computer Science, pages 414-425. IEEE Computer Society Press, June 1990.
[ACD+92] R. Alur, C. Courcoubetis, D. Dill, N. Halbwachs, and H. Wong-Toi. An implementation of three algorithms for timing verification based on automata emptiness. In Proceedings of the 13th IEEE Real-Time Systems Symposium, pages 157-166, 1992.
[ACD93] R. Alur, C. Courcoubetis, and D. Dill. Model-checking in dense real-time. Information and Computation, 104(1):2-34, May 1993.
[ACdP97] L. Andriantsiferana, J.-P. Courtiat, R. de Oliveira, and L. Picci. An experiment in using RT-LOTOS for the formal specification and verification of a distributed scheduling algorithm in a nuclear power plant monitoring system. In Proceedings of IFIP Joint International Conference on Formal Description Techniques and Protocol Specification, Testing and Verification (FORTE-PSTV'98), Osaka, Japan. Chapman and Hall, November 1997.
[ACH+92] R. Alur, C. Courcoubetis, N. Halbwachs, D. Dill, and H. Wong-Toi. Minimization of timed transition systems. In Cleaveland [Cle92], pages 340-354.
[ACH+95] R. Alur, C. Courcoubetis, N. Halbwachs, T. Henzinger, P.-H. Ho, X. Nicollin, A. Olivero, J. Sifakis, and S. Yovine. The algorithmic analysis of hybrid systems. Theoretical Computer Science, 138:3-34, 1995.
[AD90] R. Alur and D. Dill. Automata for modelling real-time systems. In M. Paterson, editor, Proceedings of 17th International Colloquium on Automata, Languages and Programming (ICALP'90), volume 443 of Lecture Notes in Computer Science, pages 322-335. Springer Verlag, 1990.
[AD94] R. Alur and D. Dill. A theory of timed automata. Theoretical Computer Science, 126(2):183-236, 1994. Preliminary version appears in Proceedings of 17th ICALP, 1990, LNCS 443.
[AD96] R. Alur and D. Dill. Automata-theoretic verification of real-time systems. In Formal Methods for Real-Time Computing, Trends in Software Series, pages 55-82. John Wiley & Sons Publishers, 1996.
[AFV99] L. Aceto, W. Fokkink, and C. Verhoef. Structural operational semantics. Technical Report RS-99-30, BRICS, Department of Computer Science, Aarhus University, 1999.
[AH91] R. Alur and T. Henzinger. Logics and models of real time: A survey. In J. de Bakker, C. Huizing, W.-P. de Roever, and G. Rozenberg, editors, Proceedings of REX Workshop, Real-Time: Theory in Practice, volume 600 of Lecture Notes in Computer Science, pages 74-106. Springer Verlag, 1991.
[AH93] R. Alur and T. Henzinger. Real-time logics: complexity and expressiveness. Information and Computation, 104(1):35-77, 1993. Preliminary version appears in the Proceedings of 5th LICS, 1990.
[AHP96] R. Alur, T. Henzinger, and Pei-Hsin Ho. Automatic symbolic verification of embedded systems. IEEE Transactions on Software Engineering, 22(3):181-201, March 1996.
[AHS95] R. Alur, T. Henzinger, and E. Sontag, editors. Proceedings of DIMACS/SYCON Workshop on Verification and Control of Hybrid Systems (Hybrid Systems III), volume 1066 of Lecture Notes in Computer Science. Springer Verlag, October 1995.
[AIKY95] R. Alur, A. Itai, R. Kurshan, and M. Yannakakis. Timing verification by successive approximation. Information and Computation, 118:142-157, 1995.
[AK95] R. Alur and R. Kurshan. Timing analysis in COSPAN. In Alur et al. [AHS95], pages 220-231.
[ALST98] M. Ammerlaan, R. Lutje-Spelberg, and W. Toetenel. XTG: an engineering approach to modelling and analysis of real-time systems. In Proceedings of the 10th Euromicro Workshop on Real-Time Systems, pages 88-97. IEEE Computer Society Press, 1998.
[Alu91] R. Alur. Techniques for Automatic Verification of Real-time Systems. PhD thesis, Stanford University, 1991.
[AMP98] E. Asarin, O. Maler, and A. Pnueli. On discretization of delays in timed automata and digital circuits. In R. de Simone and D. Sangiorgi, editors, Proceedings of the 9th International Conference on Concurrency Theory (CONCUR'98), volume 1466 of Lecture Notes in Computer Science, pages 470-484. Springer Verlag, 1998.
[Bal96] F. Balarin. Approximate reachability analysis of timed automata. In Proceedings of 17th IEEE Real Time Systems Symposium, pages 52-61. IEEE Computer Society Press, 1996.
[Bar96] J. Barnes. High Integrity Development with SPARK Ada. Addison Wesley, 1996.
[BB91] J. Baeten and J. Bergstra. Real time process algebra. Formal Aspects of Computing, 3(2):142-188, 1991.
[BB97] A. Benzekri and J.-M. Bruel. Controller Area Network: A formal case study. In Proceedings of IFAC Workshop on Factory Communications. IFAC, 1997.
[BCM+92] J.R. Burch, E.M. Clarke, K.L. McMillan, D.L. Dill, and L.J. Hwang. Symbolic model checking: $10^{20}$ states and beyond. Information and Computation, 98(2):142-170, 1992.
Bibliography 229
[BD91] B. Berthomieu and M. Diaz. Modeling and verification of time-dependent systems using time Petri nets. IEEE Transactions on Software Engineering, 17(3):259-273, 1991.
[key missing] M. Bozga, C. Daws, O. Maler, A. Olivero, S. Tripakis, and S. Yovine. Kronos: a model-checking tool for real-time systems. In Hu and Vardi [HV98], pages 546-550.
[BDS94] J. Bryans, J. Davies, and S. Schneider. Real-time CSP and ET-LOTOS. Technical report, Oxford PRG, 1994.
[Bel57] R. Bellman. Dynamic Programming. Princeton University Press, 1957.
[Ber98a] G. Berry. The Esterel v5 Language Primer, Version 5.10, release 2.0. Centre de Mathématiques Appliquées, École des Mines and INRIA, 2004 Route des Lucioles, 06565 Sophia-Antipolis, 1998.
[Ber98b] G. Berry. The Esterel v5 Manual, Version 5.10, release 2.0. Centre de Mathématiques Appliquées, École des Mines and INRIA, 2004 Route des Lucioles, 06565 Sophia-Antipolis, 1998.
[BFG99a] M. Bozga, J.-C. Fernandez, and L. Ghirvu. State space reduction based on live variables analysis. In A. Cortesi and G. Filé, editors, Proceedings of 6th Static Analysis Symposium, volume 1694 of Lecture Notes in Computer Science, pages 164-178. Springer Verlag, 1999.
[key missing] M. Bozga, J.-C. Fernandez, L. Ghirvu, S. Graf, J.-P. Krimm, and L. Mounier. IF: An intermediate representation and validation environment for timed asynchronous systems. In J. Wing, J. Woodcock, and J. Davies, editors, Proceedings of FM'99, Toulouse, France, volume 1709 of Lecture Notes in Computer Science, pages 307-327. Springer Verlag, 1999.
[key missing] A. Bouajjani, J.-C. Fernandez, N. Halbwachs, P. Raymond, and C. Ratel. Minimal state graph generation. Science of Computer Programming, 18:247-269, 1992.
[key missing] H. Bowman, G. Faconti, J.-P. Katoen, D. Latella, and M. Massink. Automatic verification of a lip synchronization algorithm using UPPAAL. In Proceedings of the 3rd International Workshop on Formal Methods for Industrial Critical Systems, 1998.
[BG92] G. Berry and G. Gonthier. The ESTEREL synchronous programming language: design, semantics, implementation. Science of Computer Programming, 19:87-152, 1992.
[BHKR94] S. Bradley, W. Henderson, D. Kendall, and A. Robson. Designing and implementing correct real-time systems. In H. Langmaack, W.-P. de Roever, and J. Vytopil, editors, Formal Techniques in Real-Time and Fault-Tolerant Systems FTRTFT'94, Lübeck, Lecture Notes in Computer Science 863, pages 228-246. Springer Verlag, September 1994.
[BHKR95] S. Bradley, W. Henderson, D. Kendall, and A. Robson. Validation, verification and implementation of timed protocols using AORTA. In P. Dembinski, editor, Proceedings of the Fifteenth International Symposium on Protocol Specification, Testing and Verification, pages 205-220. Chapman and Hall, June 1995.
[BHKR01] S. Bradley, W. Henderson, D. Kendall, and A. Robson. A formal design language for real-time systems with data. Science of Computer Programming, 40(1):3-29, May 2001.
[BHR84] S. Brookes, C. Hoare, and A. Roscoe. A theory of communicating sequential processes. Journal of the ACM, 31(3):560-599, 1984.
[BJLY98] J. Bengtsson, B. Jonsson, J. Lilius, and W. Yi. Partial order reductions for timed systems. In R. de Simone and D. Sangiorgi, editors, Proceedings of the 9th International Conference of Concurrency Theory (CONCUR'98), volume 1466 of Lecture Notes in Computer Science, pages 485-500. Springer Verlag, 1998.
[BK84] J. Bergstra and J. Klop. The algebra of recursively defined processes and the algebra of regular processes. In J. Paredaens, editor, Proceedings of 11th International Colloquium on Automata, Languages and Programming (ICALP'84), Antwerp, Belgium, volume 172 of Lecture Notes in Computer Science, pages 82-95. Springer Verlag, 1984.
[BL91] T. Bolognesi and F. Lucidi. Timed process algebras with urgent interactions and a unique powerful binary operator. In J. de Bakker, C. Huizing, W.-P. de Roever, and G. Rozenberg, editors, Proceedings of REX Workshop, Real-Time: Theory in Practice, volume 600 of Lecture Notes in Computer Science, pages 124-148. Springer Verlag, 1991.
[BLL+95] J. Bengtsson, K. Larsen, F. Larsson, P. Pettersson, and W. Yi. UPPAAL - a tool suite for automatic verification of real-time systems. In Alur et al. [AHS95], pages 232-243.
[BLL+98] J. Bengtsson, K. Larsen, F. Larsson, P. Pettersson, W. Yi, and C. Weise. New generation of Uppaal. In Hu and Vardi [HV98].
[BLO98] S. Bensalem, Y. Lakhnech, and S. Owre. InVeSt: A tool for the verification of invariants. In A. Hu and M. Vardi, editors, Proceedings of the 10th International Conference on Computer Aided Verification (CAV'98), volume 1427 of Lecture Notes in Computer Science, pages 505-510. Springer Verlag, 1998.
[key missing] G. Behrmann, K. Larsen, J. Pearson, C. Weise, and W. Yi. Efficient timed reachability analysis using clock difference diagrams. In N. Halbwachs and D. Peled, editors, Proceedings of the 11th International Conference on Computer Aided Verification (CAV'99), volume 1633 of Lecture Notes in Computer Science, pages 341-353. Springer Verlag, 1999.
[BLSTV99] A. Burns, R. Lutje-Spelberg, H. Toetenel, and T. Vink. Modeling and verification using XTG and PMC. In Proceedings of 5th Annual Conference of Advanced School for Computing and Imaging, Heijen, The Netherlands, June 1999.
[BM00] O. Bournez and O. Maler. On the representation of timed polyhedra. In U. Montanari, J. Rolim, and E. Welzl, editors, Proceedings of 27th International Colloquium on Automata, Languages and Programming (ICALP'00), volume 1853 of Lecture Notes in Computer Science. Springer Verlag, 2000.
[BMPY97] M. Bozga, O. Maler, A. Pnueli, and S. Yovine. Some progress in the symbolic verification of timed automata. In O. Grumberg, editor, Proceedings of the 9th International Conference on Computer Aided Verification (CAV'97), volume 1254 of Lecture Notes in Computer Science, pages 179-190, Haifa, Israel, June 1997. Springer Verlag.
[Bos91] R. Bosch GmbH. CAN specification version 2.0, September 1991.
[Bow99] J. Bowen. Animating the semantics of VERILOG using Prolog. Technical Report UNU/IIST Report No. 176, International Institute for Software Technology, United Nations University (UNU/IIST), 1999.
[Boz98] M. Bozga. SMI: An open toolbox for symbolic protocol verification. Technical report, VERIMAG, April 1998.
[BR00] J. Baeten and M. Reniers. Termination in timed process algebra. Technical Report CSR 00-13, Department of Computing Science, Eindhoven University of Technology, 2000.
[Bra95] S. Bradley. An Implementable Formal Language for Hard Real-Time Systems. PhD thesis, University of Northumbria, 1995.
[BRB90] K. Brace, R. Rudell, and R. Bryant. Efficient implementation of a BDD package. In Proceedings of the 27th ACM/IEEE Conference on Design Automation, pages 40-45. IEEE Computer Society Press, 1990.
[BRS93] G. Berry, S. Ramesh, and R. Shyamasundar. Communicating reactive processes. In Conference Record of the Twentieth Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 85-98, Charleston, South Carolina, 1993.
[Bry86] R. Bryant. Graph-based algorithms for boolean function manipulation. IEEE Transactions on Computers, C-35(8):677-691, 1986.
[Bry92] R. Bryant. Symbolic boolean manipulation with ordered binary decision diagrams. ACM Computing Surveys, 24(3):293-318, September 1992.
[BTY97] A. Bouajjani, S. Tripakis, and S. Yovine. On-the-fly symbolic model-checking for real-time systems. In Proceedings of 18th IEEE Real Time Systems Symposium, pages 25-34. IEEE Computer Society Press, 1997.
[BV94] B. Bloom and F. Vaandrager. SOS rule formats for parameterized and state-bearing processes. Unpublished manuscript, July 1994.
[BV95] J. Baeten and C. Verhoef. Concrete process algebra. In S. Abramsky, D.M. Gabbay, and T.S.E. Maibaum, editors, Handbook of Logic in Computer Science, Volume IV, Syntactical Methods, pages 149-268. Oxford University Press, 1995.
[BV97] J. Baeten and J. Vereijken. Discrete-time process algebra with empty process. Technical Report CSR 97-05, Department of Computing Science, Eindhoven University of Technology, P.O. Box 513, NL-5600 MB, Eindhoven, The Netherlands, 1997.
[BVW94] O. Bernholtz, M. Vardi, and P. Wolper. An automata-theoretic approach to branching-time model checking. In Proceedings of the 6th International Conference on Computer Aided Verification (CAV'94), volume 818 of Lecture Notes in Computer Science, pages 142-155. Springer Verlag, 1994.
[BW90] J. Baeten and W. Weijland. Process Algebra. Cambridge Tracts in Theoretical Computer Science 18. Cambridge University Press, 1990.
[BW01] A. Burns and A. Wellings. Real-Time Systems and Programming Languages. Addison Wesley, 3rd edition, 2001.
[CA91] S. Chamberlain and P. Amer. Broadcast channels in Estelle. IEEE Transactions on Computers, 40(4):423-436, 1991.
[CC77] P. Cousot and R. Cousot. Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In Proceedings of 4th ACM Symposium on Principles of Programming Languages (POPL'77), 1977.
[CDH+00] J. Corbett, M. Dwyer, J. Hatcliff, S. Laubach, C. Pasareanu, Robby, and H. Zheng. Bandera: Extracting finite state models from Java source code. In Proceedings of the 22nd International Conference on Software Engineering, June 2000.
[CDI99] F. Corradini, D. D'Ortenzio, and P. Inverardi. On the relationships among four timed process algebras. Fundamenta Informaticae, 34:1-19, 1999.
[CdO95] J.-P. Courtiat and R. de Oliveira. A reachability analysis of RT-LOTOS specifications. In G. von Bochmann, R. Dssouli, and O. Rafiq, editors, Proceedings of International Conference on Formal Description Techniques VIII (FORTE'95), Montreal, Canada, pages 117-124. Chapman and Hall, October 1995.
[CE81] E. Clarke and E. Emerson. Design and synthesis of synchronisation skeletons using branching time temporal logic. In Proceedings of Workshop on Logic of Programs, volume 131 of Lecture Notes in Computer Science, pages 52-71. Springer Verlag, 1981.
[Cer92] K. Cerans. Decidability of bisimulation equivalence for parallel timer processes. In Proceedings of the 4th International Conference on Computer Aided Verification (CAV'92), volume 663 of Lecture Notes in Computer Science, pages 302-315. Springer Verlag, 1992.
[CES86] E. Clarke, E. Emerson, and A. Sistla. Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM Transactions on Programming Languages and Systems, 8(2):244-263, 1986.
[CGL94] E. Clarke, O. Grumberg, and D. Long. Model checking and abstraction. ACM Transactions on Programming Languages and Systems, 16(5):1512-1542, September 1994.
[CGP99] E. Clarke, O. Grumberg, and D. Peled. Model Checking. MIT Press, 1999.
[CHR91] Z. Chaochen, C. Hoare, and A. Ravn. A calculus of durations. Information Processing Letters, 40(5):269-276, December 1991.
[CiA99] CiA. Proceedings of the 6th International CAN Conference. CAN in Automation, 1999.
[CK96] E. Clarke and R. Kurshan. Computer-aided verification. IEEE Spectrum, 33(6):61-67, 1996.
[Cle92] W. Cleaveland, editor. Proceedings of the 3rd International Conference of Concurrency Theory (CONCUR'92). Springer Verlag, 1992.
[CO92] R. Cardell-Oliver. The Formal Verification of Hard Real-Time Systems. PhD thesis, University of Cambridge, 1992.
[COG98] R. Cardell-Oliver and T. Glover. A practical and complete algorithm for testing real-time systems. In Proceedings of International Conference on Formal Techniques in Real Time and Fault Tolerant Systems (FTRTFT'98), volume 1486 of Lecture Notes in Computer Science, pages 251-261. Springer Verlag, September 1998.
[Cor96] J. Corbett. Timing analysis of Ada tasking programs. IEEE Transactions on Software Engineering, 22(7):461-483, July 1996.
[CPS93] R. Cleaveland, J. Parrow, and B. Steffen. The concurrency workbench: A semantics-based tool for the verification of concurrent systems. ACM Transactions on Programming Languages and Systems, 15(1):36-72, January 1993.
[CVGH98] M. Colnaric, D. Verber, R. Gumzej, and W. Halang. Implementation of hard real-time embedded control systems. Journal of Real-Time Systems, 14:293-310, 1998.
[DAC98] M. Dwyer, G. Avrunin, and J. Corbett. Property specification patterns for finite-state verification. In M. Ardis, editor, Proceedings of 2nd Workshop on Formal Methods in Software Practice, pages 7-15. ACM Press, March 1998.
[Dav93] J. Davies. Specification and Proof in Real-Time CSP. Distinguished Dissertations in Computer Science. Cambridge University Press, 1993.
[Daw98a] C. Daws. Méthodes d'analyse de systèmes temporisés: de la théorie à la pratique. PhD thesis, Institut National Polytechnique de Grenoble, 1998. (In French).
[Daw98b] C. Daws. Optikron: a tool suite for enhancing model-checking of real-time systems. In Proceedings of the 10th International Conference on Computer Aided Verification (CAV'98), volume 1427 of Lecture Notes in Computer Science, pages 542-545. Springer Verlag, 1998.
[DB96] P. D'Argenio and E. Brinksma. A calculus for timed automata. In B. Jonsson and J. Parrow, editors, Proceedings of the 4th International Conference on Formal Techniques in Real-Time and Fault-Tolerant Systems (FTRTFT'96), volume 1135 of Lecture Notes in Computer Science, pages 110-129. Springer Verlag, 1996.
[dBHdRR91] J. de Bakker, C. Huizing, W.-P. de Roever, and G. Rozenberg, editors. Proceedings of REX Workshop, Real-Time: Theory in Practice, volume 600 of Lecture Notes in Computer Science. Springer Verlag, 1991.
[DF95] J. Dingel and T. Filkorn. Model checking for infinite state systems using data abstraction, assumption-commitment style reasoning and theorem proving. In P. Wolper, editor, Proceedings of the 7th International Conference on Computer Aided Verification (CAV'95), volume 939 of Lecture Notes in Computer Science, pages 54-69. Springer Verlag, 1995.
[DGKK98] D. Dams, R. Gerth, B. Knaack, and R. Kuiper. Partial-order reduction techniques for real-time model-checking. Formal Aspects of Computing, 10:469-482, 1998.
[Die01] H. Dierks. PLC-automata: a new class of implementable real-time automata. Theoretical Computer Science, 253:61-93, 2001.
[Dij76] E. Dijkstra. A Discipline of Programming. Prentice Hall, Englewood Cliffs, N.J., 1976.
[Dil89] D. Dill. Timing assumptions and verification of finite state concurrent systems. In J. Sifakis, editor, Automatic Verification Methods for Finite State Systems, volume 407 of Lecture Notes in Computer Science, pages 197-212. Springer Verlag, 1989.
[DIN89] DIN. Profibus standard - Deutsche Industrie Norm (DIN 19245) (2 parts). Beuth-Verlag, Berlin, 1989.
[DJS92] J. Davies, D. Jackson, and S. Schneider. Broadcast communication for real-time processes. In J. Vytopil, editor, Proceedings of International Conference on Formal Techniques in Real-time and Fault-tolerant Systems, volume 571 of Lecture Notes in Computer Science, pages 149-170. Springer Verlag, January 1992.
[DKRT97] P. D'Argenio, J.-P. Katoen, T. Ruys, and J. Tretmans. The bounded retransmission protocol must be on time! In E. Brinksma, editor, Proceedings of 3rd International Workshop on Tools and Algorithms for the Construction and Analysis of Systems (TACAS'97), volume 1217 of Lecture Notes in Computer Science, pages 416-431. Springer Verlag, 1997.
[DOTY95] C. Daws, A. Olivero, S. Tripakis, and S. Yovine. The tool KRONOS. In Alur et al. [AHS95], pages 208-219.
[DOY94] C. Daws, A. Olivero, and S. Yovine. Verifying ET-LOTOS programs with KRONOS. In Proceedings of International Conference on Formal Description Techniques VII (FORTE'94), pages 227-242. Chapman and Hall, 1994.
[DPC98] M. Dwyer, C. Pasareanu, and J. Corbett. Translating Ada programs for model checking: A tutorial. Technical Report 98-12, Department of Computing and Information Sciences, Kansas State University, 1998.
[DT98] C. Daws and S. Tripakis. Model checking of real-time reachability properties using abstractions. In Steffen [Ste98], pages 313-329.
[DW99] M. Dickhöfer and T. Wilke. Timed alternating tree automata: The automata-theoretic solution to the TCTL model checking problem. In Proceedings of the International Colloquium on Automata, Languages and Programming (ICALP'99), volume 1643 of Lecture Notes in Computer Science, pages 281-290. Springer Verlag, 1999.
[DY95] C. Daws and S. Yovine. Two examples of verification of multirate timed automata with Kronos. In Proceedings of 16th IEEE Real Time Systems Symposium, pages 66-75. IEEE Computer Society Press, December 1995.
[DY96] C. Daws and S. Yovine. Reducing the number of clock variables of timed automata. In Proceedings of 17th IEEE Real Time Systems Symposium, pages 73-81. IEEE Computer Society Press, December 1996.
[Ech91] Echelon Corp. Enhanced media access control with Echelon's LonTalk protocol. LonWorks Engineering Bulletin, August 1991.
[EFM99] J. Esparza, A. Finkel, and R. Mayr. On the verification of broadcast protocols. In Proceedings of 14th IEEE Symposium on Logic in Computer Science (LICS'99), pages 352-359. IEEE Computer Society Press, 1999.
[EH86] E. Emerson and J. Halpern. 'Sometimes' and 'Not Never' revisited: on branching versus linear temporal logic. Journal of the ACM, 33(1):151-178, 1986.
[Eme90] E. Emerson. Temporal and modal logic. In J. van Leeuwen, editor, Handbook of Theoretical Computer Science, volume B, pages 995-1072. Elsevier Science, 1990.
[Eme91] E. Emerson. Real-time and the Mu-calculus. In J. de Bakker, C. Huizing, W.-P. de Roever, and G. Rozenberg, editors, Proceedings of REX Workshop, Real-Time: Theory in Practice, volume 600 of Lecture Notes in Computer Science, pages 176-194. Springer Verlag, June 1991.
[EMSS90] E. Emerson, A. Mok, A. Sistla, and J. Srinivasan. Quantitative temporal reasoning. In R. Kurshan and E. Clarke, editors, Proceedings of the 2nd International Conference on Computer Aided Verification (CAV'90), volume 531 of Lecture Notes in Computer Science, pages 136-145. Springer Verlag, 1990.
[key missing] J. Fernandez, H. Garavel, A. Kerbrat, L. Mounier, R. Mateescu, and M. Sighireanu. CADP: a protocol validation and verification toolbox. In Proceedings of the 8th International Conference on Computer Aided Verification (CAV'96), volume 1102 of Lecture Notes in Computer Science, pages 437-440. Springer Verlag, 1996.
[FKFV99] R. Fraer, G. Kamhi, L. Fix, and M. Vardi. Evaluating semi-exhaustive verification techniques for bug hunting. Electronic Notes in Theoretical Computer Science, 23(2), 1999.
[FM91] J. Fernandez and L. Mounier. "On the Fly" verification of behavioural equivalences and preorders. In K. Larsen, editor, Proceedings of the 3rd International Conference on Computer Aided Verification (CAV'91), volume 575 of Lecture Notes in Computer Science, pages 238-250. Springer Verlag, July 1991.
[GA98] M. Ganai and A. Aziz. Efficient coverage directed state space search. In Proceedings of International Workshop on Logic Synthesis, Lake Tahoe, CA, 1998.
[Gar92] H. Garavel. Compilation et Vérification de Programmes LOTOS. PhD thesis, Institut National Polytechnique de Grenoble, July 1992. (In French).
[Gar98] H. Garavel. OPEN/CAESAR: An open software architecture for verification, simulation and testing. In B. Steffen, editor, Proceedings of 4th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS'98), volume 1384 of Lecture Notes in Computer Science, pages 68-84. Springer Verlag, March 1998.
[GdV99] J. Geldenhuys and P. de Villiers. Runtime efficient state compaction in SPIN. In Proceedings of 5th International SPIN Workshop, Trento, Italy. Springer Verlag, July 1999.
[Geh84] N. Gehani. Broadcasting sequential processes (BSP). IEEE Transactions on Software Engineering, 10(4):343-351, July 1984.
[GGZ95] F. Gagnon, J.-C. Grégoire, and D. Zampuniéris. Sharing trees for "on-the-fly" verification. In Proceedings of International Conference on Formal Description Techniques VIII (FORTE'95), Montreal, Canada. IEEE Computer Society Press, 1995.
[GHP95] P. Godefroid, G. Holzmann, and D. Pirottin. State-space caching revisited. Formal Methods and System Design, 7(3):1-15, November 1995.
[GL94] O. Grumberg and D. Long. Model checking and modular verification. ACM Transactions on Programming Languages and Systems, 16(3):843-871, May 1994.
[God96] P. Godefroid. Partial-Order Methods for the Verification of Concurrent Systems, volume 1032 of Lecture Notes in Computer Science. Springer Verlag, Berlin, 1996.
[God97] P. Godefroid. Model checking for programming languages using Verisoft. In Proceedings of the 24th ACM Symposium on Principles of Programming Languages (POPL'97), pages 174-186. ACM Press, 1997.
[Gol96] U. Golze. VLSI Chip Design with the Hardware Description Language VERILOG. Springer Verlag, Berlin, 1996.
[GP94] J. Groote and A. Ponse. Process algebra with guards: Combining Hoare logic with process algebra. Formal Aspects of Computing, 6:115-164, 1994.
[GPVW95] R. Gerth, D. Peled, M. Vardi, and P. Wolper. Simple on-the-fly automatic verification of linear temporal logic. In P. Dembinski, editor, Proceedings of the Fifteenth International Symposium on Protocol Specification, Testing and Verification, pages 1-18. Chapman Hall, 1995.
[Gré96] J.-Ch. Grégoire. State space compression in SPIN with GE-sets. In Proceedings of 2nd SPIN Workshop, Rutgers University, New Jersey, USA, August 1996.
[Hal93] W. Halang. Contemporary computers considered inappropriate for real-time control. Control Engineering Practice, 1(4):613-621, 1993.
[Har87] D. Harel. Statecharts: A visual approach to complex systems. Science of Computer Programming, 8:231-274, 1987.
[HDZ00] J. Hatcliff, M. Dwyer, and H. Zheng. Slicing software for model construction. Higher Order and Symbolic Computation, 13(4):315-353, 2000.
[Hen96] T. Henzinger. The theory of hybrid automata. In Proceedings of the 11th Annual IEEE Symposium on Logic in Computer Science (LICS'96), pages 278-292. IEEE Computer Society Press, 1996.
[Her98] C. Hernalsteen. Specification, Validation and Verification of Real-Time Systems in ET-LOTOS. PhD thesis, Université Libre de Bruxelles, August 1998.
[HHWT97] T. Henzinger, P.-H. Ho, and H. Wong-Toi. HyTech: A model checker for hybrid systems. Springer International Journal of Software Tools for Technology Transfer, 1(1-2):110-122, October 1997.
[HKPV95] T. Henzinger, P. Kopke, A. Puri, and P. Varaiya. What's decidable about hybrid automata? In Proceedings of 27th Annual Symposium on Theory of Computing, pages 373-382, 1995.
[HKV96] T. Henzinger, O. Kupferman, and M. Vardi. A space-efficient on-the-fly algorithm for real-time model checking. In Proceedings of the 7th International Conference of Concurrency Theory (CONCUR'96), volume 1119 of Lecture Notes in Computer Science, pages 514-529. Springer Verlag, 1996.
[HLP90] E. Harel, O. Lichtenstein, and A. Pnueli. Explicit clock temporal logic. In Proceedings of 5th IEEE Symposium on Logic in Computer Science, pages 402-413. IEEE Computer Society Press, 1990.
[HLR92] N. Halbwachs, F. Lagnier, and C. Ratel. Programming and verifying real-time systems by means of the synchronous data-flow language LUSTRE. IEEE Transactions on Software Engineering, 18(9):785-793, September 1992.
[HMP92] T. Henzinger, Z. Manna, and A. Pnueli. What good are digital clocks? In 19th International Colloquium on Automata, Languages and Programming, volume 623 of Lecture Notes in Computer Science, pages 545-558. Springer Verlag, 1992.
[HNSY94] T. Henzinger, X. Nicollin, J. Sifakis, and S. Yovine. Symbolic model checking for real-time systems. Information and Computation, 111(2):193-244, 1994.
[Hoa69] C. Hoare. An axiomatic basis for computer programming. Communications of the ACM, 12(10):576-583, 1969.
[Hoa85] C. Hoare. Communicating Sequential Processes. Prentice Hall International, Englewood Cliffs, 1985.
[Hol85] G. Holzmann. Tracing protocols. AT&T Technical Journal, 64(12):2413-2434, 1985.
[Hol90] G. Holzmann. Algorithms for automated protocol validation. AT&T Technical Journal, 69(1):32-44, 1990.
[Hol94] U. Holmer. On broadcast and real time in process calculi. PhD thesis, University of Göteborg, 1994.
[Hol95] G. Holzmann. An analysis of bitstate hashing. In P. Dembinski, editor, Proceedings of the Fifteenth International Symposium on Protocol Specification, Testing and Verification, pages 301-314. Chapman & Hall, June 1995.
[Hol96] G. Holzmann. The model checker SPIN. IEEE Transactions on Software Engineering, 22(6):279-295, June 1996.
[Hol97] G. Holzmann. State compression in SPIN: Recursive indexing and compression training runs. In Proceedings of 3rd SPIN Workshop, Twente University, Enschede, Netherlands, April 1997.
[Hoo91] J. Hooman. Compositional verification of real-time systems using extended Hoare triples. In J. de Bakker, C. Huizing, W.-P. de Roever, and G. Rozenberg, editors, Proceedings of REX Workshop, Real-Time: Theory in Practice, volume 600 of Lecture Notes in Computer Science, pages 252-290. Springer Verlag, 1991.
[Hoo96] J. Hooman. Assertional specification and verification. In M. Joseph, editor, Real-time Systems: Specification, Verification and Analysis, pages 97-146. Prentice Hall International, 1996.
[HP94] G. Holzmann and D. Peled. An improvement in formal verification. In Proceedings of International Conference on Formal Description Techniques VII (FORTE'94), pages 197-211. Chapman and Hall, 1994.
[HP99] G. Holzmann and A. Puri. A minimized automaton representation of reachable states. Software Tools for Technology Transfer, 3(1), 1999.
[HP00] K. Havelund and T. Pressburger. Model checking Java programs using Java PathFinder. Springer International Journal of Software Tools for Technology Transfer, 2(4), April 2000.
[HQR98] T. Henzinger, S. Qadeer, and S. Rajamani. You Assume, We Guarantee: Methodology and case studies. In A. Hu and M. Vardi, editors, Proceedings of the 10th International Conference on Computer Aided Verification (CAV'98), volume 1427 of Lecture Notes in Computer Science, pages 440-451. Springer Verlag, 1998.
[HS91] W. Halang and A. Stoyenko. Constructing Predictable Real Time Systems. Kluwer Academic Publishers, 1991.
[HS99] G. Holzmann and M. Smith. A practical method for verifying event-driven software. In Proceedings of the 21st International Conference on Software Engineering (ICSE'99), pages 597-607, May 1999.
[HSLL97] K. Havelund, A. Skou, K. Larsen, and K. Lund. Formal modeling and analysis of an audio/video protocol: An industrial case study using UPPAAL. In Proceedings of 18th IEEE Real Time Systems Symposium, pages 2-13. IEEE Computer Society Press, December 1997.
[HU79] J. Hopcroft and J. Ullman. Introduction to Automata Theory, Languages and Computation. Addison Wesley, 1979.
[Huc99] F. Huch. Verification of Erlang programs using abstract interpretation and model checking. In Proceedings of the Fourth ACM SIGPLAN International Conference on Functional Programming (ICFP'99), pages 261-272, September 1999.
[Hun99] T. Hune. Modelling a real-time language. In Proceedings of the 4th Workshop on Formal Methods for Industrial Critical Systems (FMICS'99), Trento, Italy, June 1999.
[HV98] A. Hu and M. Vardi, editors. Proceedings of the 10th International Conference on Computer Aided Verification (CAV'98), volume 1427 of Lecture Notes in Computer Science. Springer Verlag, 1998.
[HW98] P.-A. Hsiung and F. Wang. A State Graph Manipulator tool for real-time system specification and verification. In Proceedings of 5th International Conference on Real-Time Computing Systems and Applications (RTCSA'98). IEEE Computer Society Press, October 1998.
[HWT95] P.-H. Ho and H. Wong-Toi. Automated analysis of an audio control protocol. In P. Wolper, editor, Proceedings of the 7th International Conference on Computer Aided Verification (CAV'95), volume 939 of Lecture Notes in Computer Science, pages 381-394. Springer Verlag, 1995.
[HWT96] T. Henzinger and H. Wong-Toi. Using HYTECH to synthesize control parameters for a steam boiler. In Abrial et al. [ABL96], pages 265-282.
[IKL+00] T. Iversen, K. Kristoffersen, K. Larsen, M. Laursen, R. Madsen, S. Mortensen, P. Pettersson, and C. Thomasen. Model-checking real-time control programs. In Proceedings of 12th EuroMicro Conference on Real-Time Systems. IEEE Computer Society Press, June 2000.
[ISO88a] ISO. Estelle - a formal description technique based on an extended state transition model. International Standard 9074, International Organization for Standardization - Information Processing Systems - Open Systems Interconnection, Geneva, 1988.
[ISO88b] ISO. LOTOS - a formal description technique based on the temporal ordering of observational behaviour. International Standard 8807, International Organization for Standardization - Information Processing Systems - Open Systems Interconnection, Geneva, September 1988.
[ISO92] ISO/DIS 11898: Road Vehicles - interchange of digital information - Controller Area Network (CAN) for high speed communication, 1992.
[ISO96] ISO. ISO/IEC TR 14252:1996, Information technology - Guide to the POSIX Open System Environment (OSE), December 1996.
[ISO98] ISO. ISO/IEC JTC1/SC21 WG7 Enhancements to LOTOS, May 1998.
[JJ91] C. Jard and T. Jéron. Bounded-memory algorithms for verification on-the-fly. In Proceedings of the 3rd International Conference on Computer Aided Verification (CAV'91), volume 575 of Lecture Notes in Computer Science, pages 189-196. Springer Verlag, 1991.
[JLM88] F. Jahanian, R. Lee, and A. Mok. Semantics of Modecharts in real time logic. In Proceedings of 21st Hawaii International Conference on System Science, pages 479-489. IEEE Computer Society Press, 1988.
[JM87] F. Jahanian and A. Mok. A graph-theoretic approach for timing analysis and its implementation. IEEE Transactions on Computers, C-36(8):961-975, 1987.
[JM95] M. Jourdan and F. Maraninchi. Static timing analysis of real-time systems. ACM SIGPLAN Notices: Workshop on Languages, Compilers and Tools for Real-Time Systems, 30(11):79-87, June 1995.
[JO99] L. Johansson and J. Ohlsson. QWIK, a concept for short distance data communication in vehicles and similar applications. HiSafe Development Research Report Version 1.0, 1999.
[Jon90] C. Jones. Systematic Software Development Using VDM. Prentice Hall International, second edition, 1990.
[Jos91] M. Joseph. Problems, promises and performance: Some questions for real-time system specification. In J. de Bakker, C. Huizing, W.-P. de Roever, and G. Rozenberg, editors, Proceedings of REX Workshop, Real-Time: Theory in Practice, volume 600 of Lecture Notes in Computer Science, pages 315-324. Springer Verlag, 1991.
[JW96] D. Jackson and J. Wing. Lightweight formal methods. IEEE Computer, 29(4):21-22, April 1996.
[Kel76] R. Keller. Formal verification of parallel programs. Communications of the ACM, 19(7):371-384, 1976.
[KG93] H. Kopetz and G. Gruensteidl. TTP - a time-triggered protocol for fault-tolerant real-time systems. In Proceedings of the 23rd IEEE International Symposium on Fault-Tolerant Computing (FTCS'93), Toulouse, France, pages 524-532. IEEE Computer Society Press, 1993.
[KLL+97] K. Kristoffersen, F. Laroussinie, K. Larsen, P. Pettersson, and W. Yi. A compositional proof of a real-time mutual exclusion protocol. In Proceedings of 7th International Joint Conference on the Theory and Practice of Software Development (TAPSOFT'97), volume 1214 of Lecture Notes in Computer Science, pages 565-579. Springer Verlag, April 1997.
[Kop97] H. Kopetz. Real-Time Systems: Design Principles for Distributed Embedded Applications. Kluwer Academic Publishers, 1997.
[Koy91] R. Koymans. (Real) time: A philosophical perspective. In J. de Bakker, C. Huizing, W.-P. de Roever, and G. Rozenberg, editors, Proceedings of REX Workshop, Real-Time: Theory in Practice, volume 600 of Lecture Notes in Computer Science, pages 353-370. Springer Verlag, 1991.
[KP92] Y. Kesten and A. Pnueli. Timed and hybrid statecharts and their textual representation. In J. Vytopil, editor, Formal Techniques in Real Time and Fault Tolerant Systems, volume 571 of Lecture Notes in Computer Science, pages 591-620. Springer Verlag, January 1992.
[KP98] Y. Kesten and A. Pnueli. Modularization and abstraction: The keys to practical formal verification. In Proceedings of Mathematical Foundations of Computer Science (MFCS'98), volume 1450 of Lecture Notes in Computer Science, pages 54-71. Springer Verlag, 1998.
[KS97] C. Krishna and K. Shin. Real-Time Systems. The McGraw Hill Companies, Inc., 1997.
[Kur94] R. Kurshan. Computer-Aided Verification of Coordinating Processes: The Automata-Theoretic Approach. Princeton University Press, 1994.
[LAB+98] J. Lind-Nielsen, H. Andersen, G. Behrmann, H. Hulgaard, K. Kristoffersen, and K. Larsen. Verification of large state/event systems using compositionality and dependency analysis. In B. Steffen, editor, Proceedings of 4th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS'98), volume 1384 of Lecture Notes in Computer Science, pages 201-216. Springer Verlag, March 1998.
[Lam77] L. Lamport. Proving the correctness of multiprocess programs. IEEE Transactions on Software Engineering, 3(2):125-143, March 1977.
[Lam80]
[Lap90]
L. Lamport. 'Sometimes' is sometimes 'Not Never' - on the tem-
porallogic of programs. In Proceedings of 7th ACM Symposium 
on Principles of Programming Languages, pages 174-185, 1980. 
J.-C. Laprie. Dependability: Basic concepts and associated ter-
minology. Technical Report PDCS 31, Predictably Dependable 
Computing Systems (ESPRIT BRA Project 3092), 1990. 
[LBGG94] I. Lee, P. Brémond-Grégoire, and R. Gerber. A process algebraic approach to the specification and analysis of resource-bound real-time systems. Proceedings of IEEE, pages 158-171, January 1994.
[LGS+95] C. Loiseaux, S. Graf, J. Sifakis, A. Bouajjani, and S. Bensalem. Property preserving abstractions for the verification of concurrent systems. Formal Methods in System Design, 6:1-35, 1995.
[Liu96] Z. Liu. Specification and verification in DC. In M. Joseph, editor, Real-time Systems: Specification, Verification and Analysis, pages 182-228. Prentice Hall International, 1996.
[LK99] M. Livani and J. Kaiser. A total ordering scheme for real-time multicasts in CAN. In Proceedings of the 24th IFAC/IFIP Workshop on Real-Time Programming, pages 173-178. IFAC, 1999.
[LKJ99] M. Livani, J. Kaiser, and W. Jia. Scheduling hard and soft real-time communication in the controller area network (CAN). Control Engineering Practice, 7(12):1512-1523, December 1999.
[LL95] F. Laroussinie and K. Larsen. Compositional model checking of real-time systems. In Proceedings of the 6th International Conference of Concurrency Theory (CONCUR'95), volume 965 of Lecture Notes in Computer Science, pages 27-41. Springer Verlag, 1995.
[LL98] F. Laroussinie and K. Larsen. CMC: A tool for compositional model checking of real-time systems. In Proceedings of IFIP Joint International Conference on Formal Description Techniques and Protocol Specification, Testing and Verification (FORTE-PSTV'98), pages 439-456. Kluwer Academic Publishers, November 1998.
[LLPY97] K. Larsen, F. Larsson, P. Pettersson, and W. Yi. Efficient verification of real-time systems: Compact data structure and state-space reduction. In Proceedings of 18th IEEE Real Time Systems Symposium, pages 14-24. IEEE Computer Society Press, December 1997.
[LMW95] S. Li, S. Malik, and A. Wolfe. Efficient microarchitecture modeling and path analysis for real-time software. In Proceedings of 16th IEEE Real-time Systems Symposium, pages 298-307, 1995.
[LP97] H. Lönn and P. Pettersson. Formal verification of a TDMA protocol startup mechanism. In Proceedings of the Pacific Rim International Symposium on Fault-Tolerant Systems, pages 235-242, December 1997.
[LPY95] K. Larsen, P. Pettersson, and W. Yi. Model-checking for real-time systems. In Proceedings of Fundamentals of Computation Theory, volume 965 of Lecture Notes in Computer Science, pages 62-88. Springer Verlag, August 1995.
[LPY97] K. Larsen, P. Pettersson, and W. Yi. UPPAAL in a Nutshell. Springer International Journal on Software Tools for Technology Transfer, 1(1-2):134-152, October 1997.
[LPY98] M. Lindahl, P. Pettersson, and W. Yi. Formal design and analysis of a gear-box controller: an industrial case study using UPPAAL. In Steffen [Ste98], pages 281-297.
[LS98] M. Lowry and M. Subramaniam. Abstraction for analytic verification of concurrent software systems. In Proceedings of Symposium on Abstraction, Reformulation and Approximation, Pacific Grove, California, May 1998.
[LSTA98] R. Lutje-Spelberg, H. Toetenel, and M. Ammerlaan. Partition refinement in real-time model checking. In Proceedings of International Conference on Formal Techniques in Real Time and Fault Tolerant Systems (FTRTFT'98), volume 1486 of Lecture Notes in Computer Science, pages 143-157. Springer Verlag, September 1998.
[LV95] N. Lynch and F. Vaandrager. Forward and backward simulations: Part II: Timed Systems. Information and Computation, 128(1):1-25, July 1995.
[LWYP98] K. Larsen, C. Weise, W. Yi, and J. Pearson. Clock difference diagrams. Technical Report Nr 98/99, DoCS, Uppsala University, August 1998. ISSN 0283-0574.
[LY92] D. Lee and M. Yannakakis. On-line minimization of transition systems. In Proceedings of 24th ACM Symposium on Theory of Computing, pages 264-274, 1992.
[Mar92] F. Maraninchi. Operational and compositional semantics of synchronous automaton compositions. In Proceedings of the 3rd International Conference of Concurrency Theory (CONCUR'92), volume 630 of Lecture Notes in Computer Science. Springer Verlag, 1992.
[MB83] M. Menasche and B. Berthomieu. Time Petri nets for analyzing and verifying time dependent protocols. In H. Rudin and C. West, editors, Protocol Specification, Verification and Testing III. IFIP, North Holland, 1983.
[McM92] K. McMillan. Symbolic Model Checking: An approach to the state explosion problem, CMU-CS-92-131. PhD thesis, School of Computer Science, Carnegie Mellon University, May 1992.
[Mil89] R. Milner. Communication and Concurrency. Prentice Hall, 1989.
[ML98] J. Møller and J. Lichtenberg. Difference decision diagrams. Master's Thesis, Department of Information Technology, Technical University of Denmark, August 1998.
[MLAH99] J. Møller, J. Lichtenberg, H. Andersen, and H. Hulgaard. On the symbolic verification of timed systems. Technical Report IT-TR-1999-024, Department of Information Technology, Technical University of Denmark, 1999.
[MP92] Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems: Specification. Springer Verlag, New York, 1992.
[MT90] F. Moller and C. Tofts. A temporal calculus of communicating systems. In J. Baeten and J. Klop, editors, Proceedings of the 1st International Conference on Concurrency Theory (CONCUR'90), volume 458 of Lecture Notes in Computer Science, pages 401-415. Springer Verlag, 1990.
[Mur89] T. Murata. Petri nets: Properties, analysis and applications. Proceedings of the IEEE, 77(4):541-580, April 1989.
[Mye79] G. Myers. The Art of Software Testing. John Wiley & Sons Ltd., 1979.
[Nat97] National Aeronautics and Space Administration. Formal methods specification and analysis guidebook for the verification of software and computer systems. Volume II: A practitioner's companion. NASA-GB-001-97, May 1997.
[Nic92] X. Nicollin. ATP: Une algèbre pour la spécification des systèmes temps réel. PhD thesis, Institut National Polytechnique de Grenoble, France, May 1992. (In French).
[NS91] X. Nicollin and J. Sifakis. An overview and synthesis on timed process algebras. In de Bakker et al. [dBHdRR91], pages 526-548.
[NS94] X. Nicollin and J. Sifakis. The algebra of timed processes, ATP: Theory and application. Information and Computation, 114:131-178, 1994.
[NSY91] X. Nicollin, J. Sifakis, and S. Yovine. From ATP to timed graphs and hybrid systems. In de Bakker et al. [dBHdRR91], pages 549-572.
[NSY92] X. Nicollin, J. Sifakis, and S. Yovine. Compiling real-time specifications into extended automata. IEEE Transactions on Software Engineering, 18(9):794-804, 1992.
[Oli94] A. Olivero. Modélisation et Analyse de Systèmes Temporisés et Hybrides. PhD thesis, Institut National Polytechnique de Grenoble, France, September 1994. (In French).
[Ost86] J. Ostroff. Real-time computer control of discrete event systems modelled by extended state machines: A temporal logic approach. Technical Report 8618, Systems Control Group, Dept. of Electrical Engineering, Univ. of Toronto, September 1986. Revised January 1987.
[Pag96] F. Pagani. Partial orders and verification of real time systems. In B. Jonsson and J. Parrow, editors, Formal Techniques in Real Time and Fault Tolerant Systems, volume 1135 of Lecture Notes in Computer Science, pages 327-346. Springer Verlag, 1996.
[Pag97] F. Pagani. Ordres Partiels pour la Vérification de Systèmes Temps Réel. PhD thesis, Institut National Polytechnique de Grenoble, 1997. (In French).
[Pel92] D. Peled. Sometimes "some" is as good as "all". In Cleaveland [Cle92], pages 192-206.
[Pet99] P. Pettersson. Modelling and Analysis of Timed Systems: Theory and Practice. PhD thesis, Department of Computer Science, Uppsala University, February 1999.
[PJF96] S. Peyton Jones and S. Finne. Concurrent Haskell. In Proceedings of the 23rd ACM Symposium on the Principles of Programming Languages (POPL'96), St. Petersburg Beach, Florida, USA, January 1996.
[Plo81] G. Plotkin. A structural approach to operational semantics. Technical Report DAIMI-FN-19, Aarhus University, 1981.
[Pnu77] A. Pnueli. The temporal logic of programs. In Proceedings of 18th IEEE Symposium on Foundations of Computer Science, pages 46-77. IEEE Computer Society Press, 1977.
[Pnu85] A. Pnueli. Linear and branching structures in the semantics and logics of reactive systems. In Proceedings of 12th International Colloquium on Automata, Languages and Programming (ICALP'85), pages 15-32. Springer Verlag, 1985.
[Pnu99] A. Pnueli. From requirements to implementations: A seamless development process for embedded systems. In N. Halbwachs and D. Peled, editors, Proceedings of the 11th International Conference on Computer Aided Verification (CAV'99), volume 1633 of Lecture Notes in Computer Science. Springer Verlag, 1999.
[Pra95] K. Prasad. A calculus of broadcasting systems. Science of Computer Programming, 25, 1995.
[Pra96] K. Prasad. Broadcasting in time. In COORDINATION, volume 1061 of Lecture Notes in Computer Science. Springer Verlag, April 1996.
[QS81] J. Queille and J. Sifakis. Specification and verification of concurrent systems in Cesar. In Proceedings of 5th International Symposium on Programming, volume 137 of Lecture Notes in Computer Science, pages 337-351. Springer Verlag, 1981.
[RGR98] L. Rodrigues, M. Guimarães, and J. Rufino. Fault-tolerant clock synchronization in CAN. In Proceedings of 19th IEEE Real Time Systems Symposium. IEEE Computer Society Press, 1998.
[Rok93] T. Rokicki. Representing and Modeling Digital Circuits. PhD thesis, Stanford University, 1993.
[RSS95] S. Rajan, N. Shankar, and M. Srivas. An integration of model checking with automated proof checking. In P. Wolper, editor, Proceedings of the 7th International Conference on Computer Aided Verification (CAV'95), volume 939 of Lecture Notes in Computer Science, pages 84-97. Springer Verlag, 1995.
[RVA+98] J. Rufino, P. Veríssimo, G. Arroz, C. Almeida, and L. Rodrigues. Fault-tolerant broadcasts in CAN. In Digest of Papers, 28th IEEE International Symposium on Fault-Tolerant Computing Systems, Munich, Germany. IEEE Computer Society Press, 1998.
[SAE92] SAE. Controller Area Network CAN, an in-vehicle serial communication protocol. In SAE Handbook, pages 20.341-20.355. SAE Press, 1992.
[SBLS99] K. Stahl, K. Baukus, Y. Lakhnech, and M. Steffen. Divide, abstract and model-check. In Proceedings of 5th International SPIN Workshop, Trento, Italy, July 1999.
[Sch86] D. Schmidt. Denotational Semantics: A Methodology for Language Development. Allyn and Bacon, Inc., 1986.
[Sch95] S. Schneider. An operational semantics for timed CSP. Information and Computation, 116(2):193-213, 1995.
[Sif77] J. Sifakis. Use of Petri nets for performance evaluation. In H. Beilner and E. Gelenbe, editors, Measuring, Modelling and Evaluating Computer Systems, pages 75-93. North Holland, 1977.
[Sig98] M. Sighireanu. LOTOS NT User Manual and Report. INRIA, 1998.
[Sok96] O. Sokolsky. Efficient Graph-Based Algorithms for Model Checking in the Modal Mu-Calculus. PhD thesis, State University of New York at Stony Brook, May 1996.
[Spi88] M. Spivey. Understanding Z: A Specification Language and its Formal Semantics, volume 3 of Cambridge Tracts in Theoretical Computer Science. Cambridge University Press, 1988.
[SS95] O. Sokolsky and S. Smolka. Local model checking for real time systems. In P. Wolper, editor, Proceedings of the 7th International Conference on Computer Aided Verification (CAV'95), volume 939 of Lecture Notes in Computer Science, pages 211-224. Springer Verlag, 1995.
[SS98] D. Schmidt and B. Steffen. Program analysis as model checking of abstract interpretations. In G. Levi, editor, Proceedings of 5th Static Analysis Symposium, volume 1503 of Lecture Notes in Computer Science, pages 351-380. Springer Verlag, 1998.
[SS99] H. Saïdi and N. Shankar. Abstract and model check while you prove. In N. Halbwachs and D. Peled, editors, Proceedings of the 11th International Conference on Computer Aided Verification (CAV'99), volume 1633 of Lecture Notes in Computer Science, pages 443-454. Springer Verlag, July 1999.
[Sta88] J. Stankovic. Tutorial: Hard Real-Time Systems, chapter Real-Time Computing Systems: The Next Generation, pages 14-37. IEEE Computer Society Press, 1988.
[Ste97] U. Stern. Algorithmic Techniques in Verification by Explicit State Enumeration. PhD thesis, Department of Computer Science, Stanford University, 1997.
[Ste98] B. Steffen, editor. Proceedings of 4th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS'98), volume 1384 of Lecture Notes in Computer Science. Springer Verlag, 1998.
[Str99] K. Strehl. Interval diagrams: Increasing efficiency of symbolic real-time verification. In Proceedings of International Conference on Real-Time Computing Systems and Applications (RTCSA'99), pages 188-191. IEEE Computer Society Press, 1999.
[SVD97] J. Springintveld, F. Vaandrager, and P. D'Argenio. Testing timed automata. Technical Report CSI-R9712, Computing Science Institute, University of Nijmegen, August 1997.
[TAKB96] S. Tasiran, R. Alur, R. Kurshan, and R. Brayton. Verifying abstractions of timed systems. In Proceedings of the 7th International Conference of Concurrency Theory (CONCUR'96), volume 1119 of Lecture Notes in Computer Science, pages 546-562. Springer Verlag, 1996.
[Tan92] A. Tanenbaum. Modern Operating Systems. Prentice Hall International, 1992.
[TBK95] H. Touati, R. Brayton, and R. Kurshan. Testing language containment for ω-automata using BDDs. Information and Computation, 118:101-109, 1995.
[TBW95] K. Tindell, A. Burns, and A. Wellings. Analysis of hard real-time communications. Real Time Systems, 9:147-171, 1995.
[TC96] S. Tripakis and C. Courcoubetis. Extending Promela and Spin for real time. In T. Margaria and B. Steffen, editors, Proceedings of 2nd International Workshop on Tools and Algorithms for the Construction and Analysis of Systems (TACAS'96), volume 1055 of Lecture Notes in Computer Science, pages 329-348. Springer Verlag, 1996.
[Tho90] W. Thomas. Automata on infinite objects. In J. van Leeuwen, editor, Handbook of Theoretical Computer Science, volume B, pages 133-164. Elsevier Science, 1990.
[THW94] K. Tindell, H. Hansson, and A. Wellings. Analysing real-time communications: Controller Area Network (CAN). In Proceedings of 15th IEEE Real Time Systems Symposium, pages 259-263. IEEE Computer Society Press, December 1994.
[Tor98] M. Törngren. Fundamentals of implementing real-time control applications in distributed computer systems. Journal of Real-Time Systems, 14:219-250, 1998.
[Tri98] S. Tripakis. The Formal Analysis of Timed Systems in Practice. PhD thesis, Université Joseph Fourier, Grenoble, December 1998.
[TY96] S. Tripakis and S. Yovine. Analysis of timed systems based on time-abstracting bisimulations. In Proceedings of the 8th International Conference on Computer Aided Verification (CAV'96), volume 1102 of Lecture Notes in Computer Science, pages 232-243. Springer Verlag, 1996.
[TY98] S. Tripakis and S. Yovine. Verification of the Fast Reservation Protocol with Delayed Transmission using KRONOS. In Proceedings of 4th IEEE Real Time Technology and Applications Symposium (RTAS'98), Denver, Colorado, pages 165-170. IEEE Computer Society Press, June 1998.
[UK94] B. Upender and P. Koopman. Communication protocols for embedded systems. Embedded Systems Programming, 7(11):46-58, 1994.
[Val93] A. Valmari. On-the-fly verification with stubborn sets. In C. Courcoubetis, editor, Proceedings of the 5th International Conference on Computer Aided Verification (CAV'93), volume 697 of Lecture Notes in Computer Science, pages 397-408. Springer Verlag, 1993.
[Var96] M. Vardi. An automata-theoretic approach to linear temporal logic. In Logics for Concurrency: Structure versus Automata, volume 1043 of Lecture Notes in Computer Science, pages 238-266. Springer Verlag, 1996.
[Ver97a] J. Vereijken. Discrete-Time Process Algebra. PhD thesis, Eindhoven University of Technology, 1997.
[Ver97b] P. Veríssimo. Real-time communication. In S. Mullender, editor, Distributed Systems (2nd edition), pages 447-486. Addison Wesley, 1997.
[vG90] R. van Glabbeek. The linear time - branching time spectrum. In J. Baeten and J. Klop, editors, Proceedings of the 1st International Conference on Concurrency Theory (CONCUR'90), volume 458 of Lecture Notes in Computer Science, pages 278-297. Springer Verlag, 1990.
[vG93] R. van Glabbeek. The linear time - branching time spectrum II: the semantics of sequential processes with silent moves. In E. Best, editor, Proceedings of the 4th International Conference of Concurrency Theory (CONCUR'93), volume 715 of Lecture Notes in Computer Science, pages 66-81. Springer Verlag, 1993.
[Vis96] W. Visser. Memory efficient state storage in SPIN. In Proceedings of 2nd SPIN Workshop, Rutgers University, New Jersey, USA, August 1996.
[VRM97] P. Veríssimo, J. Rufino, and L. Ming. How hard is hard real-time communication on field-buses? In Digest of Papers, 27th IEEE International Symposium on Fault-Tolerant Computing Systems, Washington, USA. IEEE Computer Society Press, June 1997.
[VW86] M. Vardi and P. Wolper. An automata-theoretic approach to automatic program verification. In Proceedings of 1st IEEE Symposium on Logic in Computer Science, pages 332-344. IEEE Computer Society Press, 1986.
[VW94] M. Vardi and P. Wolper. Reasoning about infinite computations. Information and Computation, 115(1):1-37, November 1994.
[Wan00] F. Wang. Efficient data structure for fully symbolic verification of real-time software systems. In S. Graf and M. Schwartzbach, editors, Proceedings of 6th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS'2000), volume 1785 of Lecture Notes in Computer Science. Springer Verlag, 2000.
[WH98a] F. Wang and P.-A. Hsiung. Automatic verification on the large. In Proceedings 3rd IEEE High Assurance Systems Engineering Symposium (HASE'98). IEEE Computer Society Press, November 1998.
[WH98b] F. Wang and P.-A. Hsiung. Iterative refinement and condensation for state graph construction. Technical Report TR-IIS-98-009, Institute of Information Science, Academia Sinica, Taipei, Taiwan, 1998.
[Win93] G. Winskel. The Formal Semantics of Programming Languages. Foundations of Computing Series. MIT Press, 1993.
[Wol97] P. Wolper. The meaning of "formal": from weak to strong formal methods. Springer International Journal of Software Tools for Technology Transfer, 1(1-2):6-8, 1997.
[Won95] H. Wong-Toi. Symbolic Approximations for Verifying Real-Time Systems. PhD thesis, Department of Computer Science, Stanford University, March 1995.
[WTD94] H. Wong-Toi and D. Dill. Approximations for verifying timing properties. In T. Rus and C. Rattray, editors, Theories and Experiences for Real-time System Development. World Scientific Publishing, 1994.
[Yi90] W. Yi. Real-time behaviour of asynchronous agents. In J. Baeten and J. Klop, editors, Proceedings of the 1st International Conference on Concurrency Theory (CONCUR'90), volume 458 of Lecture Notes in Computer Science, pages 502-520. Springer Verlag, 1990.
[YL93] M. Yannakakis and D. Lee. An efficient algorithm for minimizing real-time transition systems. In C. Courcoubetis, editor, Proceedings of the 5th International Conference on Computer Aided Verification (CAV'93), volume 697 of Lecture Notes in Computer Science, pages 210-224. Springer Verlag, 1993.
[YMW93] J. Yang, A. Mok, and F. Wang. Symbolic model checking for event-driven real-time systems. In Proceedings of 14th IEEE Real-Time Systems Symposium, pages 23-32. IEEE Computer Society Press, December 1993.
[Yov93] S. Yovine. Méthodes et Outils pour la Vérification Symbolique de Systèmes Temporisés. PhD thesis, Institut National Polytechnique de Grenoble, May 1993. (In French).
[Yov97] S. Yovine. Model checking timed automata. In G. Rozenberg and F. Vaandrager, editors, Embedded Systems, Papers from the European Educational Forum School on Embedded Systems, Veldhoven, The Netherlands, volume 1494 of Lecture Notes in Computer Science, pages 114-152. Springer Verlag, 1997.
[YPD94] W. Yi, P. Pettersson, and M. Daniels. Automatic verification of real-time systems by constraint solving. In Proceedings of 7th International Conference on Formal Description Techniques, 1994.
[YS96] T. Yoneda and B.-H. Schlingloff. Efficient verification of parallel real-time systems. Journal of Formal Methods in System Design, 1996.
[YSAA97] J. Yuan, J. Shen, J. Abraham, and A. Aziz. On combining formal and informal verification. In Proceedings of the 9th International Conference on Computer Aided Verification (CAV'97), volume 1254 of Lecture Notes in Computer Science, pages 376-387, 1997.
[Zam97] D. Zampunieris. The Sharing Tree Data Structure. PhD thesis, Facultés Universitaires Notre-Dame de la Paix, Namur, Belgium, May 1997.
