Verification of Complex Real-time Systems using Rewriting Logic by Mustapha Bourahla
Journal of Computing and Information Technology - CIT 17, 2009, 3, 265–284
doi:10.2498/cit.1001272
Verification of Complex Real-time Systems Using Rewriting Logic
Mustapha Bourahla
Computer Science Department, University of Biskra, Algeria
This paper presents a method for model checking dense complex real-time systems. This approach is implemented at the meta level of the Rewriting Logic system Maude. The dense complex real-time system is specified using a syntax which has the semantics of timed automata and the property is specified with the temporal logic TLTL (Timed LTL). The well known timed automata model checkers Kronos and Uppaal only support TCTL model checking (a very limited fragment in the case of Uppaal). Specification of the TLTL property is reduced to LTL and its temporal constraints are captured in a new timed automaton. This timed automaton will be composed with the original timed automaton representing the semantics of the complex real-time system under analysis. Then, the product-timed automaton will be abstracted using partition refinement of state space based on strong bi-simulation. The result is an untimed automaton modulo the TLTL property which represents an equivalent finite state system to be model-checked using Maude LTL model checking. This approach is successfully tested on industrial designs.
Keywords: complex real-time systems, rewriting logic, Maude LTL model checking, timed automaton, strong bi-simulation, partition refinement
1. Introduction
Many formal frameworks that have been proposed to reason about complex real-time systems are based on timed automata [2]. These automata are equipped with clocks, variables used to measure time, ranging over the non-negative real numbers (R+). Consequently, the state space is infinite and cannot be explicitly represented by enumerating all states. Among the different description languages for specifying real-time requirements, we are particularly interested in the temporal logic TLTL [16, 28]. Real-time model checking techniques based on partition refinement [30, 33] build a symbolic state space that is as coarse as possible. Starting from some (implicit) initial partition, the partition is iteratively refined until the verification problem can be decided.
In this paper, we have augmented the LTL syntax used by the Maude LTL model-checker [17] with operators to specify TLTL properties. Then, we have proposed a reduction technique from TLTL model-checking to LTL model-checking. This reduction lets us analyze our system using the Maude LTL model checker. Given a complex real-time system specification, a parser written with Maude [12, 13] generates an equivalent timed automaton A. For a TLTL property specification ψ, we construct an equivalent LTL formula ϕ and a new timed automaton capturing its temporal behavior. Then, the captured behavior is composed with the original timed automaton. This is noted by A+. We prove that A satisfies ψ if and only if A+ satisfies ϕ.
The labeled transition system modeling the behavior of the constructed timed automaton A+ comprises two kinds of transitions, namely timeless actions representing the discrete evolutions of the system, and time lapses corresponding to the passage of time. Due to density of time, there are infinitely many time transitions. A finite model can be obtained by defining an appropriate equivalence relation inducing a finite number of equivalence classes. The main idea behind these relations is that they abstract away from the exact amount of time elapsed. An important problem consists in constructing the quotient of a labeled transition system (representing a timed automaton) with respect to an equivalence relation.
In this paper we have defined an equivalence relation based on strong bi-simulation [24], which is used by our algorithm to generate the quotient graph. Each edge in the timed automaton represents a discrete transition which has information concerning the source and target states, the enabling condition and the set of clocks to be reset after making this transition. Initially, the timed automaton represents the states of the complex timed system as blocks (zones) of states (also called symbolic states). We call this the initial partition of states. We refine any source block of states if there is an outgoing edge with an enabling condition (which is a constraint formula) different from true, using the invariant of the block of states and the enabling condition of this transition. The produced sub-blocks represent classes of equivalent states, where each sub-block has a new invariant that either satisfies or does not satisfy the enabling condition. The refinement process terminates when there is no block of states left to be refined.
1.1. Related work
While LTL model checking is PSPACE-complete, TLTL model checking is undecidable [5]. To our knowledge, no tool for TLTL model checking exists so far. However, there are different techniques [6, 22] using TLTL for the diagnosis of reactive systems and runtime verification. The problem is less severe in the case of branching-time timed logics, where TCTL model checking is PSPACE-complete [4, 1] (whereas CTL model checking is possible in polynomial time). In contrast to TLTL model checking, there are industrial tools for TCTL model checking (KRONOS and UPPAAL) which are used successfully.
In our previous work [10], an approach is proposed to reduce TCTL model checking to CTL model checking. This approach is implemented and tested using the SMV tool. Another similar work can be found in [8], where the model checking is based on the on-the-fly exploration of a simulation graph. The simulation graph is the reachable graph generated from the region graph [1] and from an initial region. A region is a set of states with the same location and a convex set of clock valuations. This forward-reachability approach is used in tools such as KRONOS [15] and UPPAAL [23]. Because the nodes in the simulation graph are region sets and only discrete transitions are explicit, while time passes implicitly inside the nodes, the simulation graph is much smaller than the region graph. The simulation graph is used to solve the model checking problem for a proposed automata-based branching-time temporal logic (TECTL∗∃). The on-the-fly model checking procedure consists in solving the emptiness problem, that is, in checking whether an automaton (the product of the system automaton and the property automaton) has an infinite execution sequence that satisfies a given acceptance condition. In our work, the property automaton capturing the temporal constraints is automatically generated from the TLTL specification. Our quotient graph is produced directly from the initial automaton of the timed system specification, which resembles the simulation graph, without passing through the region graph. On the other hand, as has been shown in [8], the simulation graph preserves only linear-time properties and it is used in practice mainly for reachability properties. Moreover, symbolic states in the simulation graph are not necessarily disjoint, so that this graph can be much larger than the quotient graph. The quotient graph is coarser than the initial automaton but finer, and therefore bigger, than the initial graph. Another algorithm that also combines the on-the-fly and the symbolic approaches has been proposed in [29]. In that work, a symbolic graph is dynamically constructed by the verification procedure, according to the formula (specified in an extended temporal logic of μ-Calculus) to be checked. A similar reduction for a derivative of dense time TCTL (TCTL with freeze quantifiers [3]) is given in [18]. This approach augments the region graph used in [1] by a new atomic proposition and new transitions to handle the reset quantifier. Another related work can be found in [11], where verification is performed by translating TCTL (interpreted over discrete time) into CTL by adding an additional specification clock to the model. So, to model-check the augmented model, the CTL logic is extended, and thus the model-checker, too.
The closest work to ours for the time abstraction based on equivalence can be found in [32], where the algorithm in [7] for minimal-model generation (which is an enhancement of the algorithm of Paige and Tarjan [27] to avoid refining unreachable classes) is adapted to the infinite state space of timed automata. This new algorithm, which generates a finite region graph using partitioning, uses decision procedures for computing intersection, set difference and predecessors of classes, and for testing whether a class is empty. Also, the TCTL specification is reduced to CTL logic extended with new atomic propositions to deal with the specification constraints. Then, a TCTL model checker has been developed based on techniques of the classic CTL model-checker. The generated region graph has size exponential in the number of clocks and the highest constant used in the definition of timing constraints. The other closest work is in [21], where the authors propose an approach to produce a compact reachability graph from a timed automaton. In this work, a state is defined as a history: the execution up to the state. It is defined as a pair (location, timed history) instead of (location, clock valuation). A timed history is a set of pairs (transition, time) up to the location of the state. An execution is defined as the transitions between the states (defined as histories). To generate an infinite state space, the algorithm uses the notion of history equivalence (states with the same untimed histories are merged into an equivalence class). To generate a finite state space, a transition bisimulation technique (the states that have the same future behaviors are further collapsed) is used to produce equivalence classes. The resultant state space is finite and can be used to analyze real-time properties. The authors have implemented this approach and analyzed applications, where the real-time properties to be verified are expressed as timed automata to be composed with the system timed automata. Other techniques are based on abstraction of the constraints specified in the system and in the property, using the framework of predicate abstraction as abstract interpretation [9, 25].
The rest of the paper is organized as follows. Section 2 presents a background about Rewriting Logic and the Maude LTL Model-Checker. In Section 3, we present the semantics based on Rewriting Logic for specification of complex real-time systems and their semantics based on the formalism of timed automata. Our approach for transformation of the TLTL specifications to LTL specifications is presented in Section 4. In Section 5, we present our method for generating finite bi-similar graphs of the complex timed systems. In Section 6, we explain how to use these graphs for Maude LTL model checking and how the results can be projected back to the original complex timed systems. Complexity and implementation results of our approach are presented in Section 7. At the end, a conclusion is given.
2. Rewriting Logic and Maude LTL Model-Checker
Maude specifications are executable logical theories in Rewriting Logic [12, 13], a logic that is a flexible logical framework for expressing a very wide range of concurrency models and distributed systems.
A term is constructed by function and constant symbols. Each term belongs to one or several sorts. Equations specify equivalent terms. Rewriting rules specify how to transform a term into another. A rewrite theory R = (Σ, E, R) consists of equations and rewriting rules for terms. If a rewrite theory does not contain any rewriting rules, we also call it an equational theory (Σ, E).
In Rewriting Logic, function and constant symbols are declared by the keyword op. Sorts are declared by the keyword sort. Equations are specified by eq lhs = rhs; conditional equations are specified by ceq lhs = rhs if cond. Similarly, rewriting rules and conditional rewriting rules are defined by rl [l] : lhs => rhs and crl [l] : lhs => rhs if cond respectively, where l is the label of the rule. The left-hand side of equations and rewriting rules allows pattern matching. Since there may be several ways to match a term, applying a rewriting rule to a given term may yield multiple results. All results obtained by any of these applications are admissible in Rewriting Logic.
Two terms are equivalent if they can be reduced to the same normal form by the equations of a rewrite theory. Equations therefore define equivalence classes of terms. For any term t, we write [t] for its equivalence class. Let R be a rewrite theory and t, t′ two terms in R. We write
R ⊢ [t] →_l [t′]
if there is a rule labeled l in R that rewrites [t] to [t′].
In Rewriting Logic, there is a universal theory U such that any rewrite theory R and a term t can be presented as meta-level terms R̄ and t̄ in U respectively. Furthermore, we have
R ⊢ [t] →_l [t′] ⇔ U ⊢ [R̄, t̄] →_{l,n} [R̄, t̄′]
if t′ is the n-th result obtained by applying the rewriting rule labeled l to t. By the universal theory U, we can manipulate meta-level terms at object level. We call the feature that can represent meta-level objects at object level reflection. We have used this feature during the implementation of our approach. The Maude system has metalevel operators for moving between reflection levels, such as upModule, upTerm, downTerm, and others. Other operators act on metalevel terms, for instance for parsing (metaParse) and pretty-printing (metaPrettyPrint) terms.
Since no domain-specific model of concurrency is built into the logic, the range of applications that can be naturally specified is indeed very wide. Another advantage of Maude as the system specification language is that integration of model checking with theorem proving techniques becomes quite seamless. The same rewrite theory R = (Σ, E, R) can be the input to the LTL model checker and to several other proving tools in the Maude environment [17]. Thus, a Maude module is a rewrite theory R = (Σ, E, R). Fixing a distinguished sort State, the initial model T_R of the rewrite theory R = (Σ, E, R) has an underlying Kripke structure K(R, State) given by the total binary relation extending its one-step sequential rewrites. In the framework, the Kripke structure is specified as a rewrite theory K. The states are equivalence classes of terms defined in K. The transitions of the Kripke structure correspond to rewriting rules in K. Since the Kripke structure is specified as a rewrite theory and system configurations as equivalence classes of terms, the universal theory U can be used to explore successors of the current system configuration. To the initial algebra of states T_Σ/E we can likewise associate equationally-defined computable state predicates as atomic predicates for such a Kripke structure. In this way we obtain a language of LTL properties of the rewrite theory R.
Maude supports on-the-fly LTL model checking [17] for initial states [t], say of sort State, of a rewrite theory R = (Σ, E, R) such that the set {[t′] ∈ T_Σ/E | R ⊢ [t] →_l [t′]} of all states reachable from [t] is finite. The rewrite theory R should satisfy reasonable executability requirements, such as the confluence and termination of the equations E and coherence of the rules R relative to E.
In Maude the rewrite theory R is specified as a module, say M. Then, given an initial state, say init of sort StateM, we can model check different LTL properties beginning at this initial state by doing the following [17]:
• defining a new module, say CHECK-M, that includes the modules M and the predefined module MODEL-CHECKER as submodules;
• giving a subsort declaration,
subsort StateM < State .
where State is one of the key sorts in the module MODEL-CHECKER;
• defining the syntax of the state predicates we wish to use by means of constants and operators of sort Prop, a subsort of the sort Formula (i.e., LTL formulas) in the module MODEL-CHECKER; we can define parameterless state predicates as constants of sort Prop, and parameterized state predicates by operators from the sorts of their parameters to the Prop sort;
• defining the semantics of the state predicates by means of equations.
Once the semantics of each of the state predicates has been defined, we are then ready, given an initial state init, to model check any LTL formula, say form, involving such predicates. We do so by evaluating in Maude the expression init |= form . Two things can then happen: if the property form holds, then we get the result true; if it doesn't, we get a counterexample expressed as a finite path followed by a cycle.
3. Complex Real-time Systems Specification
A complex real-time system can be the composition of many timed sub-systems called processes. The semantics of each process will be represented by a timed automaton. The processes can communicate by sending and receiving messages via channels. This mechanism of communication will be used as synchronization between the different processes to compute

NeTokenList GProcesses Bubble -> GTProblem .
The first argument is the system identifier. A list of atomic propositions is the second argument. The third argument is a list of channel identifiers. The fourth argument will represent the semantics of the system processes. The last argument is for the semantics of the TLTL formula. The semantics of a process is defined with the following operator. It has an identifier, a list of clock variables, a list of states, an initial state and a list of transitions.
op process_:'clocks_state_init_trans_; : Token NeTokenList Bubble Token Bubble -> GProcess .
Clocks are real-valued variables increasing uniformly with time. Several independent clocks may be defined for the same process. A state can have an invariant formula and a list of atomic propositions holding at this state.
op _:_{_} : Token NeTokenList NeTokenList -> GTState .
A transition is between two states (source and target, first and second argument, respectively). The transition is conditioned by a temporal constraint. As actions, a transition can reset clocks and it can send and receive messages via the specified channels. This mechanism of sending and receiving messages will be used for synchronization.
op _->_:_{_}{_} : Token Token NeTokenList NeTokenList NeTokenList -> GTTransition .
A temporal constraint has the following semantics.
ops True False : -> TConstraint .
op _=_ : Token Time -> TConstraint .
op _>_ : Token Time -> TConstraint .
op _>=_ : Token Time -> TConstraint .
op _<_ : Token Time -> TConstraint .
op _<=_ : Token Time -> TConstraint .
op _/\_ : TConstraint TConstraint -> TConstraint [id: True] .
op _\/_ : TConstraint TConstraint -> TConstraint [id: False] .
The following is an example, which has two atomic propositions, p and r, and one communication channel C. This complex real-time system is composed of one process with three states, a, b, and c, and three transitions. The real-time specification is followed by the specification of a TLTL property, which can be omitted and given separately to allow the specification of different TLTL properties.
system Example :

a : { }
b : x <= 1 { p }
c : { r }
init a
trans
a -> b : x = 1 { x } { }
a -> c : x >= 2 { } { !C }
b -> c : x = 1 { } { } ;
|= True U { >= 2 } r
The semantics of a complex real-time system is represented by timed automata [2], which extend the automata formalism by adding clocks. These semantics will be defined by the following two main operators. The first partial operator (getSystem) is called when the parsing of a complete specification has succeeded (the result of the parsing is a Term), to generate the needed semantics: system identifier, atomic propositions, and channel identifiers. This operator calls the second (solveProcesses) to construct the timed automaton for the whole complex real-time system by composition of the processes' timed automata.
op getSystem : Term ~> TimedSystem .
op solveProcesses : Term ~> TimedAutomaton .
A timed automaton A is a tuple 〈Q, 𝒳, Σ, E, L1, L2, I〉, where:
• Q is a finite set of locations. We denote by q0 ∈ Q the initial location.
• 𝒳 is a finite set of clocks. A valuation v is a function that assigns a non-negative real value v(x) ∈ R+ to each clock x ∈ 𝒳. The valuation v[X := δ] assigns the value δ to all clocks in the set X. The set of valuations is denoted V_𝒳. For δ ∈ R+, v + δ denotes the valuation v′ such that v′(x) = v(x) + δ for all x ∈ 𝒳.
• Σ is a finite set of labels (message channels).
• E is a finite set of edges. Each edge e ∈ E is a tuple 〈q, θ, X, σ, q′〉 where
– q, q′ ∈ Q are the source and the target locations respectively,
– θ ∈ Θ is an associated clock constraint which governs the triggering of the transition. It is called its enabling condition or its guard. We denote the set of constraints over 𝒳 by Θ. A constraint is defined as a conjunction of atoms of the form x ∼ c, where x ∈ 𝒳, ∼ ∈ {=, >, ≥, <, ≤} and c is a natural constant.
– X ⊆ 𝒳 is the set of clocks to be reset after making this transition.
– σ is a subset of synchronization events from the set Σ. A synchronization event is the combination of a channel name preceded by the symbol ! to indicate a send event, or ? for a receive event.
• L1 : Q → 2^AP is a function that associates to each location a set of atomic propositions from the set AP.
• L2 : E → 2^Σ is a function that associates to each edge a set of synchronization events from the set Σ. We have two kinds of synchronization events (send events and receive events).
• I is a function that associates a condition I(q) ∈ Θ to every location q ∈ Q, called the invariant of q.
Figure 1 shows an example of a timed automaton representing the semantics of the example above. AP = {p, r} and Q = {a, b, c}. A state of A is a pair 〈q, v〉 ∈ Q × V_𝒳 such that v satisfies I(q). The initial state is the pair 〈q0, v0〉 such that v0(x) = 0 for all x ∈ 𝒳. Let S denote the set of states of A. We will refer to L1(s) by L1(q), for all s ∈ S, where s = 〈q, v〉. The set S can be partitioned into zones (symbolic states). A zone z = (q, V_z) is a set of states from S which are associated with the same discrete state q ∈ Q and a convex set of valuations V_z = {v | ∃〈q, v〉 ∈ S}. The state of a timed system can be changed through an edge that changes the location and resets some of the clocks (discrete transition), or by letting time pass without changing the location (time transition).
Let e = 〈q, θ, X, σ, q′〉 ∈ E be an edge. The state 〈q, v〉 has a discrete transition to 〈q′, v′〉, denoted 〈q, v〉 →_d 〈q′, v′〉, if v satisfies θ and v′ = v[X := 0] (we should note that the set of valuations respecting θ is always in the set of valuations respecting I(q)). Let δ ∈ R+. The state 〈q, v〉 has a time transition to 〈q, v + δ〉, denoted 〈q, v〉 →_τ 〈q, v + δ〉, if for all δ′ ≤ δ, v + δ′ satisfies the invariant I(q).
For timed automata, we label each discrete transition with a label (or an action) a. The label is composed of a temporal constraint to execute the transition when it holds and an action

Figure 1. Timed automaton of the example: location b is labeled {p}; the edge a → b is labeled x = 1, {x}, ∅ and the edge a → c is labeled x ≥ 2, ∅, {!C}.

have a particular label named τ denoting time elapse, which is considered as an internal or hidden action. Let A be the set of actions and Aτ = A ∪ {τ}. We note M = (S, Aτ, T, s0, L) the labeled transition system of A (its semantics), where S is the set of states reachable from s0 with respect to T, L : S → 2^AP with L(s) = L1(q) for each s ∈ q, T ⊆ S × Aτ × S is the (discrete or time) transition relation and s0 is the initial state. For each label a and each state s, we consider the image set T_a(s) = {s′ ∈ S | (s, a, s′) ∈ T}. We extend this notation to sets of states: T_a(B) = ∪{T_a(s) | s ∈ B}. T^−1 denotes the inverse relation.
A run r of M is an infinite sequence of states and transitions. We denote by R the set of runs of M. A run is divergent if Σ_{i=0}^{∞} δ_i (the sum of all delays δ_i on this run) diverges. We denote by R∞ the set of divergent runs of M. In the following, we will consider timed automata with only divergent runs (if the automaton has non-divergent runs, also called zeno runs, it is possible to restrict the behavior to divergent runs [19]).
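As an added illustration, not part of the paper and independent of its Maude implementation, the following Python model encodes the Example automaton of this section together with the discrete (d) and time (τ) transition rules just defined. The names `Atom`, `Edge`, `TimedAutomaton`, `execute` and `feasible` are this example's own. Clock values are exact rationals so that a guard such as x = 1 is decided exactly; a time transition is checked only at its two end points, which is enough because a constraint is a conjunction of atoms x ∼ c and is therefore convex along the ray v + δ′ (an assumption this example relies on).

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, FrozenSet, List, Tuple

# Added example: a direct model of the timed-automaton semantics of Section 3.
# Clock values are Fractions so that equality guards (x = 1) are exact.
Valuation = Dict[str, Fraction]


@dataclass(frozen=True)
class Atom:
    """One atom x ~ c of a clock constraint, with ~ in {=, >, >=, <, <=}."""
    clock: str
    op: str
    const: int

    def holds(self, v: Valuation) -> bool:
        x = v[self.clock]
        return {"=": x == self.const, ">": x > self.const, ">=": x >= self.const,
                "<": x < self.const, "<=": x <= self.const}[self.op]


# A constraint is a conjunction of atoms; the empty conjunction is True.
Constraint = Tuple[Atom, ...]


def satisfies(v: Valuation, theta: Constraint) -> bool:
    return all(a.holds(v) for a in theta)


@dataclass(frozen=True)
class Edge:
    src: str
    guard: Constraint
    reset: FrozenSet[str]
    sync: FrozenSet[str]      # synchronization events such as "!C" (send) or "?C" (receive)
    dst: str


@dataclass
class TimedAutomaton:
    clocks: FrozenSet[str]
    init: str
    invariant: Dict[str, Constraint]        # I(q)
    labels: Dict[str, FrozenSet[str]]       # L1(q): atomic propositions at q
    edges: List[Edge]

    def initial_state(self) -> Tuple[str, Valuation]:
        """<q0, v0> with v0(x) = 0 for every clock x."""
        return self.init, {x: Fraction(0) for x in self.clocks}

    def discrete_successors(self, q: str, v: Valuation):
        """Every <q', v'> with <q, v> -d-> <q', v'>: an edge leaving q whose guard v
        satisfies; v' = v[X := 0], and the target invariant I(q') must hold at v'."""
        out = []
        for e in self.edges:
            if e.src == q and satisfies(v, e.guard):
                v2 = {x: (Fraction(0) if x in e.reset else val) for x, val in v.items()}
                if satisfies(v2, self.invariant[e.dst]):
                    out.append((e, e.dst, v2))
        return out

    def time_successor(self, q: str, v: Valuation, delta: Fraction):
        """<q, v> -tau-> <q, v + delta> if v + delta' satisfies I(q) for all delta' <= delta.
        Each atom cuts a convex interval out of the ray v + delta', so testing both
        end points suffices (assumption stated in the lead-in)."""
        v2 = {x: val + delta for x, val in v.items()}
        ok = satisfies(v, self.invariant[q]) and satisfies(v2, self.invariant[q])
        return (q, v2) if ok else None


# The Example system of this section: one process, clock x, states a, b, c.
EXAMPLE = TimedAutomaton(
    clocks=frozenset({"x"}),
    init="a",
    invariant={"a": (), "b": (Atom("x", "<=", 1),), "c": ()},
    labels={"a": frozenset(), "b": frozenset({"p"}), "c": frozenset({"r"})},
    edges=[
        Edge("a", (Atom("x", "=", 1),), frozenset({"x"}), frozenset(), "b"),
        Edge("a", (Atom("x", ">=", 2),), frozenset(), frozenset({"!C"}), "c"),
        Edge("b", (Atom("x", "=", 1),), frozenset(), frozenset(), "c"),
    ],
)


def execute(ta: TimedAutomaton, steps):
    """Replay ('tau', delta) and ('d', target) steps from the initial state and return the
    visited states; raise ValueError at the first step that is not enabled."""
    q, v = ta.initial_state()
    trace = [(q, dict(v))]
    for kind, arg in steps:
        if kind == "tau":
            nxt = ta.time_successor(q, v, Fraction(arg))
            if nxt is None:
                raise ValueError(f"letting {arg} time units pass violates I({q})")
        else:
            nxt = next(((q2, v2) for _, q2, v2 in ta.discrete_successors(q, v) if q2 == arg), None)
            if nxt is None:
                raise ValueError(f"no enabled edge {q} -> {arg} at {dict(v)}")
        q, v = nxt
        trace.append((q, dict(v)))
    return trace


def feasible(ta: TimedAutomaton, steps) -> bool:
    """Whether the step sequence is a prefix of a run of ta."""
    try:
        execute(ta, steps)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for q, v in execute(EXAMPLE, [("tau", 1), ("d", "b"), ("tau", 1), ("d", "c")]):
        print(q, {x: str(t) for x, t in v.items()}, sorted(EXAMPLE.labels[q]))
```

Running the module replays the run a →τ a →d b →τ b →d c of the example; the invariant x ≤ 1 of b is what stops a longer time lapse in b, while the absence of an invariant in a is what lets the guard x = 1 be skipped (the run then may only leave through the edge to c once x ≥ 2).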
A complex real-time system is composed of many processes using the operator Compose. Their different timed automata will be composed to construct the timed automaton of the overall complex real-time system.
op Compose : TimedAutomaton TimedAutomaton -> TimedAutomaton .
The parallel composition of two timed automata (‖) is defined as follows. Let A_i be 〈Q_i, 𝒳_i, Σ_i, E_i, L1_i, L2_i, I_i〉, for i = 1, 2. We assume that Q1 ∩ Q2 = ∅ and 𝒳1 ∩ 𝒳2 = ∅. The product-timed automaton A = A1 ‖ A2 = 〈Q, 𝒳, Σ, E, L1, L2, I〉 is such that: Q = Q1 × Q2, 𝒳 = 𝒳1 ∪ 𝒳2, Σ = Σ1 ∪ Σ2, I(〈q1, q2〉) = I1(q1) ∧ I2(q2), L1(〈q1, q2〉) = L1_1(q1) ∪ L1_2(q2), and L2 is defined during the composition of edges. The set E of edges is obtained as follows.
1. for all 〈q1, θ1, X1, σ1, q′1〉 ∈ E1 and 〈q2, θ2, X2, σ2, q′2〉 ∈ E2:
• if receive(σ1) ⊆ send(σ2) ∧ receive(σ2) ⊆ send(σ1) then E includes 〈(q1, q2), θ1 ∧ θ2, X1 ∪ X2, send(σ1 ∪ σ2), (q′1, q′2)〉.
• if receive(σ1) ⊆ send(σ2) ∧ (receive(σ2) = ∅ ∨ receive(σ2) ⊆ send(σ1)) then E includes 〈(q1, q2), θ1, X1, send(σ1 ∪ σ2) ∪ receive(σ2) \ send(σ1), (q′1, q2)〉.
• if receive(σ2) ⊆ send(σ1) ∧ (receive(σ1) = ∅ ∨ receive(σ1) ⊆ send(σ2)) then E includes 〈(q1, q2), θ2, X2, send(σ1 ∪ σ2) ∪ receive(σ1) \ send(σ2), (q1, q′2)〉.
2. for all 〈q1, θ1, X1, σ1, q′1〉 ∈ E1, if channel(σ1) ∈ Σ1 ∩ Σ2 then ∀q2 ∈ Q2, E includes 〈(q1, q2), θ1, X1, σ1, (q′1, q2)〉.
3. for all 〈q2, θ2, X2, σ2, q′2〉 ∈ E2, if channel(σ2) ∈ Σ1 ∩ Σ2 then ∀q1 ∈ Q1, E includes 〈(q1, q2), θ2, X2, σ2, (q1, q′2)〉.
receive(σ) and send(σ) are used to extract the channel names used by receive and send events, respectively. channel(σ) returns the name of the communication channel used by the event (receive or send) σ. Note that receive(∅) = send(∅) = channel(∅) = ∅. A transition waiting for reception of messages from transitions in other processes via defined transmission channels will be composed only with those transitions delivering these messages.
The first case of (1) indicates that the receive events on both transitions are sent mutually by these two transitions. The second case of (1) indicates that the receive events of the first transition are all sent by the second transition, but the receive events of the second are empty or not all sent by the first transition. The third condition of (1) is the symmetric of the second. The cases (2) and (3) are for automata not sharing communication channels. The composition of two automata without synchronization events equals their Cartesian product. This composition of timed automata representing the different processes of a system terminates by producing one timed automaton without synchronization events. The produced system timed automaton will be composed with the property timed automaton generated from the TLTL specification.
4. Transformation of TLTL Specifications
Many important properties of complex timed systems find a natural expression in the real-time temporal logic TLTL, which extends the linear time logic LTL [16, 3, 28]. This extension either augments temporal operators with time bounds, or uses reset quantifiers. We use a version of TLTL with time bounds.
The Maude LTL model checker [17] provides the common LTL operators U, W, R, □, ◇ and O, written as until, until weak, releases, always, eventually, and next, in addition to the well known set of Boolean operators ¬, ∧, ∨, ⇒ and ⇔. The formulas ϕ of the linear temporal logic LTL are defined inductively by the grammar:
ϕ ::= true | p | ¬ϕ | ϕ ∧ ϕ | ϕ U ϕ | ϕ W ϕ | ϕ R ϕ | □ϕ | ◇ϕ | Oϕ.
where p ∈ AP is an atomic proposition. The LTL semantics over a labeled transition system are defined using the satisfaction relation, denoted by s |= ϕ, on the syntax of ϕ:
• s |= true
• s |= p iff p ∈ L(s)
• s |= ¬ϕ iff s ⊭ ϕ
• s |= ϕ′ ∧ ϕ′′ iff s |= ϕ′ ∧ s |= ϕ′′
• s |= ϕ′ U ϕ′′ iff ∀r ∈ R∞ with r(0) = s, ∃i such that r(i) |= ϕ′′ and ∀j < i. r(j) |= ϕ′
• s |= ϕ′ W ϕ′′ iff s |= ϕ′ U ϕ′′ ∨ s |= □ϕ′
• s |= ϕ′ R ϕ′′ iff s |= ϕ′′ W ϕ′
• s |= □ϕ iff ∀r ∈ R∞ with r(0) = s, ∀i ≥ 0. r(i) |= ϕ
• s |= ◇ϕ iff s |= true U ϕ
• s |= Oϕ iff ∀r ∈ R∞ with r(0) = s, r(1) |= ϕ
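The clauses above quantify over all divergent runs; on a single run they reduce to a path semantics, which is exactly what one needs to inspect the counterexample the Maude model checker returns (a finite path followed by a cycle, Section 2). The following Python evaluator, added here and not part of the paper, decides r(i) |= ϕ on such a lasso-shaped run for every operator of the grammar, using the definitions of W, R, ◇ given above. The `Lasso`, `holds` and `check` names and the two sample runs (one following the Example system through a, b, c and one that stays in a forever) are this example's own constructions.

```python
from dataclasses import dataclass

# Added example: LTL satisfaction on a lasso-shaped run, i.e. the counterexample
# shape (finite path followed by a cycle) reported by the Maude LTL model checker.


@dataclass(frozen=True)
class Formula:
    """AST following the grammar: true | p | ~ | /\\ | U | W | R | [] | <> | O."""
    op: str
    args: tuple = ()


def true(): return Formula("true")
def prop(p): return Formula("p", (p,))
def neg(f): return Formula("~", (f,))
def conj(f, g): return Formula("/\\", (f, g))
def until(f, g): return Formula("U", (f, g))
def weak_until(f, g): return Formula("W", (f, g))
def release(f, g): return Formula("R", (f, g))
def always(f): return Formula("[]", (f,))
def eventually(f): return Formula("<>", (f,))
def nxt(f): return Formula("O", (f,))


class Lasso:
    """Run r = prefix . cycle^omega; each position carries its label set L(r(i))."""

    def __init__(self, prefix, cycle):
        if not cycle:
            raise ValueError("the cycle must contain at least one state")
        self.prefix = [frozenset(s) for s in prefix]
        self.cycle = [frozenset(s) for s in cycle]

    def label(self, i):
        n = len(self.prefix)
        return self.prefix[i] if i < n else self.cycle[(i - n) % len(self.cycle)]

    def horizon(self, i):
        """Positions j >= i that need inspecting: past the prefix every suffix repeats with
        the cycle's period, so the rest of the prefix plus one full turn of the cycle
        decides any 'exists j' or 'for all j' over the infinite run."""
        return range(i, max(i, len(self.prefix)) + len(self.cycle))


def holds(r, i, f):
    """r(i) |= f, by structural recursion on f (the satisfaction clauses of Section 4)."""
    op, a = f.op, f.args
    if op == "true":
        return True
    if op == "p":
        return a[0] in r.label(i)
    if op == "~":
        return not holds(r, i, a[0])
    if op == "/\\":
        return holds(r, i, a[0]) and holds(r, i, a[1])
    if op == "U":
        # exists j >= i with r(j) |= g, and r(k) |= f for every i <= k < j
        return any(holds(r, j, a[1]) and all(holds(r, k, a[0]) for k in range(i, j))
                   for j in r.horizon(i))
    if op == "W":
        return holds(r, i, until(a[0], a[1])) or holds(r, i, always(a[0]))
    if op == "R":
        return holds(r, i, weak_until(a[1], a[0]))   # f R g := g W f, as the paper defines it
    if op == "[]":
        return all(holds(r, j, a[0]) for j in r.horizon(i))
    if op == "<>":
        return holds(r, i, until(true(), a[0]))
    if op == "O":
        return holds(r, i + 1, a[0])
    raise ValueError(f"unknown operator {op}")


def check(r, f):
    """Whether the run r satisfies f from its initial position."""
    return holds(r, 0, f)


# Constructed sample runs of the Example system (labels per location: a {}, b {p}, c {r}).
RUN_ABC = Lasso(prefix=[set(), {"p"}], cycle=[{"r"}])   # a, b, then c forever
STAY_IN_A = Lasso(prefix=[], cycle=[set()])              # never leaves a

if __name__ == "__main__":
    spec = eventually(prop("r"))                           # the untimed part of True U {>= 2} r
    print("a,b,c run satisfies <> r:", check(RUN_ABC, spec))
    print("stay-in-a run satisfies <> r:", check(STAY_IN_A, spec))
```

The second run is the kind of object a failed check hands back: it stays in a forever and is a legitimate divergent run of the Example (a carries no invariant), so the untimed property ◇r is not valid for that system even before its time bound is considered.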
The added TLTL (Timed LTL) operators are: O∼c ϕ states that the next occurrence of ϕ is within the time bounds ∼ c. ϕ U∼c ψ states that ϕ is true until the next occurrence of ψ, and that this occurrence of ψ is within the time bounds ∼ c. □∼c ϕ states that ϕ must always be true within the time bounds ∼ c. ◇∼c ϕ states that ϕ must be true at some point within the time bounds ∼ c, where ∼ ∈ {=, >, ≥, <, ≤} and c ∈ N (N is the set of natural numbers).
The formulas ψ of the timed linear temporal logic TLTL are defined inductively by the grammar:
ψ ::= ϕ | O∼c ψ | ψ U∼c ψ | ◇∼c ψ | □∼c ψ.
where ϕ is an LTL formula. The formulas of TLTL are interpreted over the set of states of a timed automaton represented by a transition system M. Let 〈q, v〉 ∈ S be a state reachable in M and let ψ be a TLTL formula. The satisfaction relation, denoted by 〈q, v〉 |=M ψ, is defined inductively on the syntax of ψ:
• 〈q, v〉 |=M ϕ: its semantics is defined using the semantics of the logic LTL.
• 〈q, v〉 |=M O∼c ψ iff ∀r ∈ R∞ with r(0) = 〈q, v〉, ∃i. Σ_{j≤i} δ_j ∼ c and r(i) |=M ψ and ∀j < i. r(j) ⊭M ψ
• 〈q, v〉 |=M ψ′ U∼c ψ′′ iff ∀r ∈ R∞ with r(0) = 〈q, v〉, ∃i. Σ_{j≤i} δ_j ∼ c and r(i) |=M ψ′′ and ∀j < i. r(j) |=M ψ′, and if ∼ ∈ {=, ≥, >} then also r(j) ⊭M ψ′′
• 〈q, v〉 |=M ◇∼c ψ iff 〈q, v〉 |=M True U∼c ψ
• 〈q, v〉 |=M □∼c ψ iff ∀r ∈ R∞ with r(0) = 〈q, v〉, ∃i. Σ_{j≤i} δ_j ∼ c and ∀j ∼ i. r(j) |=M ψ
We augmented the LTL syntax used by the Maude LTL model-checker with the following operators to specify TLTL properties.
op O'{=_}_ : Time Formula -> Formula .
op O'{>_}_ : Time Formula -> Formula .
op O'{>=_}_ : Time Formula -> Formula .
op O'{<_}_ : Time Formula -> Formula .
op O'{<=_}_ : Time Formula -> Formula .
op _U'{=_}_ : Formula Time Formula -> Formula .
op _U'{>_}_ : Formula Time Formula -> Formula .
op _U'{>=_}_ : Formula Time Formula -> Formula .
op _U'{<_}_ : Formula Time Formula -> Formula .
op _U'{<=_}_ : Formula Time Formula -> Formula .
op <>'{=_}_ : Time Formula -> Formula .
op <>'{>_}_ : Time Formula -> Formula .
op <>'{>=_}_ : Time Formula -> Formula .
op <>'{<_}_ : Time Formula -> Formula .
op <>'{<=_}_ : Time Formula -> Formula .
op []'{=_}_ : Time Formula -> Formula .
op []'{>_}_ : Time Formula -> Formula .
op []'{>=_}_ : Time Formula -> Formula .
op []'{<_}_ : Time Formula -> Formula .
op []'{<=_}_ : Time Formula -> Formula .
Our objective is to transform a TLTL formula ψ to an LTL formula ϕ. Any TLTL formula ψ will introduce a new set of specification clocks Xψ. This set of specification clocks does not control the behavior of any system under consideration. The transformation process reduces the TLTL formula ψ recursively by decomposing ψ. At the end, it generates an equivalent LTL formula ϕ and a timed automaton Aψ capturing the timed behavior specified in the TLTL formula ψ. If the formula does not contain a temporal constraint (it is already an LTL formula), the transformation process returns this formula and an empty timed automaton.
On the other hand, if the TLTL formula con-
tains temporal constraints, these can be of one
of the forms presented below. The constructed
timed automaton Aψ , is almost the same for
all the forms which have a set of one clock
variable Xψ = {z}, two discrete states Qψ =
{qψ0 , q
ψ
1 } with invariants z ≤ c and true re-
spectively (these two discrete states are labeled
according to the formula), and one edge Eψ =
{(qψ0 , z = c, ∅ or {z}, ∅, q
ψ
1 )}. This timed au-
tomaton will be composed (using the operator
TCompose of linear composition) with the prod-
uct of the two timed automata Aψ ′ and Aψ ′′
constructed by the recursive call to the functions
Transform(ψ ′, Pr) and Transform(ψ ′′, Pr) re-
spectively. The second argument is used to label
one of the two discrete states (Qψ = {qψ0 , q
ψ
1 }).
The following is an example for transformation
of the formulas of the form ϕU≥cψ and ϕU≤cψ
respectively.
op Transform : Formula Id -> AutomatonFormula .

("U" : { "z" } ; { "q1" } ;
  { ("q1" : "z" <= T { empty }) ,
    ("q2" : True { Pr }) } ;
  { ("q1" -> "q2" : "z" = T { empty }

    Transform(F, Pr + "1") /\
    AF2:AutomatonFormula := Transform(F', Pr + "2") .

("U" : { "z" } ; { "q1" } ;
  { ("q1" : "z" <= T { Pr }) ,
    ("q2" : True { empty }) } ;
  { ("q1" -> "q2" : "z" = T { empty }

    Transform(F, Pr + "1") /\
    AF2:AutomatonFormula := Transform(F', Pr + "2") .
The transformations for the other TLTL operators are coded in much the same manner. Formulas using the timed operators O and ◇ are converted to equivalent formulas before transformation, as follows.
*** Operator timed O
eq Transform(O { = T } F, Pr) =
   Transform(([] { < T } (~ F)) /\ (True U { <= T } F), Pr) .
eq Transform(O { > T } F, Pr) =
   Transform((~ F) /\ ((~ F) U { > T } F), Pr) .
eq Transform(O { >= T } F, Pr) =
   Transform((~ F) /\ ((~ F) U { >= T } F), Pr) .
eq Transform(O { < T } F, Pr) =
   Transform((~ F) U { < T } F, Pr) .
eq Transform(O { <= T } F, Pr) =
   Transform((~ F) U { <= T } F, Pr) .
*** Operator timed <>
eq Transform(<> { = T } F, Pr) = Transform(True U { = T } F, Pr) .
eq Transform(<> { > T } F, Pr) = Transform(True U { > T } F, Pr) .
eq Transform(<> { >= T } F, Pr) = Transform(True U { >= T } F, Pr) .
eq Transform(<> { < T } F, Pr) = Transform(True U { < T } F, Pr) .
eq Transform(<> { <= T } F, Pr) = Transform(True U { <= T } F, Pr) .
Example 1. For the TLTL formula ψ = ◇_{≥2} r (which is equivalent to True U_{≥2} r), the function Transform generates the equivalent LTL formula ϕ and the timed automaton A_ψ shown in Figure 2.

ϕ = (¬Prop('r)) U (Prop('Z) ∧ Prop('r))

Figure 2. Generated timed automaton A_ψ with LTL formula ϕ for ψ = ◇_{≥2} r.
The following is the result of the Maude command.
reduce in VRTS : Transform(<>{>= 2}Prop('r), "Z") .
rewrites: 13 in -157072442571ms cpu (0ms real) (~ rewrites/second)
result AutomatonFormula: {"U" : {"z"} ; {"q1"} ;
  {("q1" : "z" <= 2{empty}), "q2" : True{"Z"}} ;
  {"q1" -> "q2" : "z" = 2{empty}{empty}} ;
  (~ Prop('r)) U (Prop('Z) /\ Prop('r))}
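The construction above, written out in Python as an added example (this is not the paper's Maude code): for a formula ψ′ U_{≥c} ψ″ or ψ′ U_{≤c} ψ″ whose sub-formulas are plain LTL, and for ◇_{∼c} ψ″ = True U_{∼c} ψ″, it builds the one-clock automaton A_ψ and the LTL formula ϕ, reproducing the output of Example 1. The tuple encoding of formulas, the TimedAutomaton record and the function names are choices made for this example; the location names q1/q2, the clock z, the invariant z ≤ c, the labelling of q1/q2 and the shape of ϕ are read off the outputs of Examples 1 and 2. Nested timed operators, which the paper handles with TCompose, are rejected rather than composed.

```python
# Added example (Python, not the paper's Maude code): the Transform construction
# of Section 4 for one timed until  phi' U{~c} phi''  with ~ in {>=, <=}, and
# the derived operator <>{~c} phi'' = True U{~c} phi''.  Location names q1/q2,
# the clock z, the invariant z <= c and the labelling of q1/q2 follow the
# outputs of Examples 1 and 2; the tuple encoding of formulas and the
# TimedAutomaton record are choices made for this example.
from dataclasses import dataclass, field

TRUE = ("true",)

def prop(name):              return ("prop", name)
def neg(f):                  return ("not", f)
def conj(f, g):              return ("and", f, g)
def until(f, g):             return ("U", f, g)
def t_until(f, rel, c, g):   return ("tU", f, rel, c, g)        # f U{rel c} g
def t_eventually(rel, c, g): return t_until(TRUE, rel, c, g)    # <>{rel c} g

def show(f):
    """Print a formula in the style of Maude's Prop('x), ~, /\\ and U."""
    k = f[0]
    if k == "true": return "True"
    if k == "prop": return f"Prop('{f[1]})"
    if k == "not":  return f"(~ {show(f[1])})"
    if k == "and":  return f"({show(f[1])} /\\ {show(f[2])})"
    if k == "U":    return f"{show(f[1])} U {show(f[2])}"
    if k == "tU":   return f"{show(f[1])} U{{{f[2]} {f[3]}}} {show(f[4])}"
    raise ValueError(k)

@dataclass
class TimedAutomaton:
    """A_psi: one clock, locations with invariants and proposition labels, and
    edges (src, guard, resets, dst).  An empty automaton means 'no constraint'."""
    clocks: list = field(default_factory=list)
    init: str = ""
    invariants: dict = field(default_factory=dict)
    labels: dict = field(default_factory=dict)
    edges: list = field(default_factory=list)

def is_ltl(f):
    """A formula without timed operators is returned by Transform unchanged."""
    return f[0] != "tU" and all(is_ltl(x) for x in f[1:] if isinstance(x, tuple))

def transform(f, pr):
    """Return (LTL formula, A_psi) for a TLTL formula whose only timed operator
    is an outermost until (or <>) with LTL sub-formulas.  Nested timed
    operators would need the paper's TCompose step, which is not shown here."""
    if is_ltl(f):
        return f, TimedAutomaton()
    if f[0] != "tU" or not (is_ltl(f[1]) and is_ltl(f[4])):
        raise NotImplementedError("nested timed operators need TCompose")
    lhs, rel, c, rhs = f[1], f[2], f[3], f[4]
    z = prop(pr)                            # the specification proposition "Z"
    aut = TimedAutomaton(clocks=["z"], init="q1",
                         invariants={"q1": f"z <= {c}", "q2": "True"},
                         edges=[("q1", f"z = {c}", set(), "q2")])
    if rel == ">=":
        # q2 (entered when z = c) carries Z: the right-hand side may only be
        # satisfied there and must not hold earlier (the ~phi'' side condition)
        aut.labels = {"q1": set(), "q2": {pr}}
        left = neg(rhs) if lhs == TRUE else conj(lhs, neg(rhs))
        return until(left, conj(z, rhs)), aut
    if rel == "<=":
        # q1 (z <= c) carries Z: every step before the right-hand side holds
        # must still lie inside the deadline
        aut.labels = {"q1": {pr}, "q2": set()}
        left = z if lhs == TRUE else conj(lhs, z)
        return until(left, rhs), aut
    raise NotImplementedError(f"relation {rel} is not handled in this example")

if __name__ == "__main__":
    phi, aut = transform(t_eventually(">=", 2, prop("r")), "Z")   # Example 1
    print(show(phi))
    print(aut)
```

Running the script prints the formula of Example 1, `(~ Prop('r)) U (Prop('Z) /\ Prop('r))`, together with the automaton whose only edge is q1 -> q2 at z = 2 and whose location q2 is labelled Z.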
Example 2. Let the TLTL formula be ψ = ◇_{≤2}(a ∧ ◇_{≤1} b). The function Transform generates the equivalent LTL formula ϕ and the timed automaton A_ψ shown in Figure 3.
red Transform(<> { <= 2 } (Prop('a) /\ (<> { <= 1 } Prop('b))), "Z") .
reduce in VRTS : Transform(<>{<= 2}((<>{<= 1}Prop('b)) /\ Prop('a)), "Z") .
rewrites: 79 in -3902117295ms cpu (0ms real) (~ rewrites/second)
result AutomatonFormula: {"UU" : {"z"} ; {"q1q1"} ;
  {("q1q1" : "z" <= 2{"Z","Z2111"}), ("q1q2" : "z" <= 2{"Z"}),
   ("q2q1" : "z" <= 3{"Z2111"}), "q2q2" : True{empty}} ;
  {"q1q1" -> "q2q1" : "z" = 2{empty}{empty},
   "q2q1" -> "q2q2" : "z" = 3{empty}{empty}} ;
  (Prop('Z)) U ((((Prop('Z2111)) U (Prop('b))) /\ Prop('a)))}
The constructed timed automaton A_ψ is composed with the original timed automaton A (A ‖ A_ψ). The operator Transform uses the operator TCompose to realize a linear composition (denoted by ⊕) of two timed automata. It is defined to compose the constructed timed automata A_{ψ′} and A_{ψ″}, where ψ′ and ψ″ are sub-formulas of ψ, into a single timed automaton A_ψ with one clock variable z. It differs from the operator ‖ in the construction of the set of edges E, which is obtained as follows. Let e_i ∈ E_i be of the form ⟨q_i, z_i = c_i, ∅, ∅, q′_i⟩ for i = 1, 2.
• If c_1 < c_2, we add e = ⟨(q_1, q_2), z = c_1, ∅, ∅, (q′_1, q_2)⟩ to E, where I(⟨q_1, q_2⟩) = z ≤ c_1; we replace e_2 in E_2 by ⟨q_2, z_2 = c_2 − c_1, ∅, ∅, q′_2⟩ and we remove e_1 from E_1.
• If c_2 < c_1, we add e = ⟨(q_1, q_2), z = c_2, ∅, ∅, (q_1, q′_2)⟩ to E, where I(⟨q_1, q_2⟩) = z ≤ c_2; we replace e_1 in E_1 by ⟨q_1, z_1 = c_1 − c_2, ∅, ∅, q′_1⟩ and we remove e_2 from E_2.
• Otherwise (c_1 = c_2), e = ⟨(q_1, q_2), z = c_1, ∅, ∅, (q′_1, q′_2)⟩, where I(⟨q_1, q_2⟩) = z ≤ c_1, and we remove e_1 from E_1 and e_2 from E_2.

ϕ = Prop('Z) U ((Prop('Z2111) U Prop('b)) ∧ Prop('a))

Figure 3. Generated timed automaton A_ψ with LTL formula ϕ for ψ = ◇_{≤2}(a ∧ ◇_{≤1} b).
This process will continue until Ei = ∅, for
i = 1, 2 or one of the following two cases
is satisfied. In the case where E1 = ∅ and
E2 = {〈 q2, z2 = c2, ∅, ∅, q′2〉 }, we assume
that q1 ∈ Q1 is the discrete state without out-
going edge. Then, we add the edge e =
〈 (q1, q2), z = c2, ∅, ∅, (q1, q′2)〉 to E , where
I(〈 q1, q2〉 ) = z ≤ c2. In the other case where
E2 = ∅ and E1 = {〈 q1, z1 = c1, ∅, ∅, q′1〉 },
we assume that q2 ∈ Q2 is the discrete state
without outgoing edge. Then, we add the
edge e = 〈 (q1, q2), z = c1, ∅, ∅, (q′1, q2)〉 to
E , where I(〈 q1, q2〉 ) = z ≤ c1. At the
end, if there are discrete states in the produced
timed automaton, without ingoing and outgo-
ing edges, they will be removed from the set of
discrete states Q.
Theorem 1. Let M be the transition system of a timed automaton A modeling a real-time system, let ψ be a TLTL formula, and let the function Transform produce from ψ an LTL formula ϕ and a timed automaton A_ψ. Let M⁺ be the transition system of A⁺ = A ‖ A_ψ. Then, for every state ⟨q, v⟩ of M,
$$\langle q, v\rangle \models_M \psi \iff \langle q, v\rangle \models_{M^+} \varphi .$$

Proof. The proof proceeds by induction on the structure of ψ. The base case, where ψ is an LTL formula ϕ, is immediate: A_ψ = ∅ and M⁺ = M, so ⟨q, v⟩ ⊨_M ψ ⇔ ⟨q, v⟩ ⊨_{M⁺} ϕ.

We prove the case ψ = ψ′ U_{≥c} ψ″; the other cases are proved in the same way. Consider a state ⟨q, v⟩ in M and assume ⟨q, v⟩ ⊨_M ψ. By the semantics of TLTL, for every run r = ⟨q_0, v_0⟩, ⟨q_1, v_1⟩, ···, ⟨q_i, v_i⟩, ··· ∈ R^∞ with ⟨q_0, v_0⟩ = ⟨q, v⟩ there is an i ≥ 0 such that Σ_{k=0}^{i} δ_k ≥ c and ⟨q_i, v_i⟩ ⊨_M ψ″, and for all 0 ≤ j < i we have ⟨q_j, v_j⟩ ⊨_M ψ′ ∧ ¬ψ″.

Transform(ψ′ U_{≥c} ψ″) returns the timed automaton
$$A_\psi = A_{\psi'} \oplus \big\langle Q=\{q_0^\psi, q_1^\psi\},\ X=\{z\},\ \Sigma=\emptyset,\ E=\{(q_0^\psi, z=c, \emptyset, \emptyset, q_1^\psi)\},\ L_1=\{L_1(q_0^\psi)=\mathrm{True},\ L_1(q_1^\psi)=\text{``Z''}\},\ L_2=\emptyset,\ I=\{I(q_0^\psi)= z \le c,\ I(q_1^\psi)=\mathrm{True}\}\big\rangle \oplus A_{\psi''}$$
and the LTL formula
$$\varphi = (\varphi' \wedge \neg\varphi'')\ U\ (\varphi'' \wedge \text{``Z''}),$$
where ⊕ is the operator TCompose defined above, and (A_{ψ′}, ϕ′) and (A_{ψ″}, ϕ″) are the results of Transform(ψ′) and Transform(ψ″) respectively.

By the induction hypothesis, ⟨q_i, v_i⟩ ⊨_M ψ″ ⇔ ⟨(q_i, q^{ψ″}), v_i⟩ ⊨_{M⁺_{ψ″}} ϕ″, where M⁺_{ψ″} is the model of A ‖ A_{ψ″}, and ⟨q_j, v_j⟩ ⊨_M ψ′ ∧ ¬ψ″ ⇔ ⟨(q_j, q^{ψ′}), v_j⟩ ⊨_{M⁺_{ψ′}} ϕ′ ∧ ¬ϕ″, where M⁺_{ψ′} is the model of A ‖ A_{ψ′}. It follows from the parallel composition that ⟨(q_i, q^{ψ′}, q^{ψ″}), v_i⟩ ⊨_{M⁺_{ψ′ψ″}} ϕ″ and ⟨(q_j, q^{ψ′}, q^{ψ″}), v_j⟩ ⊨_{M⁺_{ψ′ψ″}} ϕ′ ∧ ¬ϕ″, where M⁺_{ψ′ψ″} is the model of A ‖ (A_{ψ′} ⊕ A_{ψ″}).

Now let M⁺ be the model of A ‖ A_ψ. Since v_i(z) ≥ c, the component A_ψ is in location q_1^ψ at step i, and by the property of parallel composition ⟨(q_i, q^{ψ′}, q^{ψ″}, q_1^ψ), v_i⟩ ⊨_{M⁺} ϕ″ ∧ "Z" (because L_1(q_1^ψ) = "Z"), while for all 0 ≤ j < i we have ⟨(q_j, q^{ψ′}, q^{ψ″}, q_0^ψ), v_j⟩ ⊨_{M⁺} ϕ′ ∧ ¬ϕ″. By the semantics of LTL, ⟨q, v⟩ ⊨_{M⁺} (ϕ′ ∧ ¬ϕ″) U (ϕ″ ∧ "Z").
5. Generating Bi-similar Finite System
The model of a timed automaton is an infinite transition system because of dense time, so model checking cannot be applied to it directly. In this section we present our method, which generates a strongly bi-similar finite system based on an equivalence in which exact delays are abstracted away while information on the discrete changes of the system is retained.
5.1. Strong Bi-simulation
For a labeled transition system M = (S, A_τ, T, s_0, L), a partition ℘ of S (or equivalence relation on S) is a set of disjoint blocks {B_i | i ∈ N} such that ∪_{i∈N} B_i = S. Let ℘ and ℘′ be partitions of S. ℘′ is a refinement of ℘ (℘′ ⊑ ℘) if and only if ∀B′ ∈ ℘′ : ∃B ∈ ℘ : B′ ⊆ B. Intuitively, two states s_1 and s_2 are bi-similar if for each state s′_1 reachable from s_1 by execution of an action a ∈ A_τ (see Section 3) there is a state s′_2 reachable from s_2 by execution of the same action a such that s′_1 and s′_2 are again bi-similar, and symmetrically for the successors of s_2.
Definition 1. Given a labeled transition sys-
tem M = (S, Aτ , T , s0,L), a binary relation
℘ ⊆ S ×S is a strong bi-simulation if and only
if the following conditions hold ∀(s1, s2) ∈ ℘
and ∀a ∈ Aτ:
1. L(s1) = L(s2),
2. ∀s3(s3 = Ta(s1) ⇒ ∃s4(s4 = Ta(s2) ∧
(s3, s4) ∈ ℘)) and
3. ∀s4(s4 = Ta(s2) ⇒ ∃s3(s3 = Ta(s1) ∧
(s3, s4) ∈ ℘)).
The set of bi-simulations onS, ordered by inclu-
sion has a minimal element which is the identity
relation denoted by ℘0 and it has a maximal el-
ement denoted by ℘max which is an equivalence
relation on (or a partition of) S. We will be in-
terested in the maximal element which induces
the smallest number of equivalence classes in
terms of relation inclusion. ℘max (which is
unique) may be obtained as the limit of a de-
creasing sequence of relations ℘i.
Most algorithms used to solve the bi-simulation
problem are based on some form of partition re-
finement, i.e. they perform successive iterations
in which blocks of the current partition are split
into smaller blocks, until no block can be split
any more. While splitting a block, states that
cannot be distinguished are kept in the same
block. Two states can be distinguished if one of
the states allows a transition with a certain label
to a state in a certain block and the other state
does not have a transition with the same label
to a state in the same block. This means that in
our case of timed automata the time associated
to a state doesn’t satisfy the temporal constraint
labeling the transition.
Let ℘ be a partition of S. ℘ is compatible with T (it is also called stable) if and only if the following property P holds:
$$P(\wp) \equiv \forall a \in A_\tau:\ \forall B, B' \in \wp:\ \big(B' \subseteq T_a^{-1}(B)\ \vee\ B' \cap T_a^{-1}(B) = \emptyset\big).$$
Correctness of a partition refinement algorithm
follows from two facts. First, a stable partition
is a bi-simulation relation (states are equiva-
lent if they are in the same block). Second,
each computed partition by the refinement of
the previous one respects the property P .
Definition 2. Let M = (S, A_τ, T, s_0, L) be a labeled transition system and ℘ an equivalence relation which is a strong bi-simulation. The quotient labeled transition system, denoted M/℘, is defined as M/℘ = (S/℘, A_τ, T/℘, C_0, L/℘), where:
• S/℘ is the set C of equivalence classes, C = {B ⊆ S | ∀s_1, s_2 ∈ B : (s_1, s_2) ∈ ℘};
• (B = T_a(B′)) ∈ T/℘ if and only if T_a^{-1}(B) ∩ B′ ≠ ∅, i.e. some state of B′ has an a-successor in B;
• ∀C ∈ C : L/℘(C) = L(s) for any s ∈ C (well defined, since ℘ respects L);
• C_0 = [s_0] is the equivalence class of s_0.
M/℘max is the normal form of M with respect
to ℘max. We present below the implementation
with Maude of our partition-refinement algo-
rithm based on strong bi-simulation. We start
from an initial partition of the state space in
zones. Each time a zone Z is to be refined, it is
split with respect to all its discrete successors by
some edge e. We can prove that if all successors
are zones, then the result of the split is also a set
of zones, that is, convexity is preserved by the
split operation.
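As an added example (not the paper's Maude implementation), the following Python code computes ℘max by partition refinement on a finite labelled transition system exactly as described above (initial partition by labels, then repeated splitting until property P holds), builds the quotient of Definition 2 and renders its edges in the rule format of Example 3. The LTS class, the signature-based split and the sample system SAMPLE are constructed for this example; the sample's state names imitate the naming of Example 3 but do not come from the paper.

```python
# Added example (Python, not the paper's Maude implementation): partition
# refinement computing the maximal strong bisimulation of Definition 1 on a
# finite labelled transition system, followed by the quotient of Definition 2.
# The sample system SAMPLE is constructed for this example; its state names
# imitate the "a-q1..." naming of Example 3 but are not taken from the paper.
from collections import defaultdict

class LTS:
    """M = (S, A_tau, T, s0, L): states, actions, transitions, initial state
    and a labelling of states with sets of atomic propositions."""
    def __init__(self, labels, transitions, init):
        self.states = sorted(labels)
        self.labels = dict(labels)                  # L : S -> set of propositions
        self.out = defaultdict(set)                 # s -> {(a, t)}
        for s, a, t in transitions:
            self.out[s].add((a, t))
        self.init = init

def signature(lts, s, block_of):
    """The (action, target block) pairs s can move to: two states of one block
    with different signatures are distinguishable and must be separated."""
    return frozenset((a, block_of[t]) for a, t in lts.out[s])

def max_bisimulation(lts):
    """Split blocks until the partition is stable (property P); the result is
    the coarsest partition that is a strong bisimulation, i.e. P_max."""
    by_label = defaultdict(list)                    # condition 1: equal labels
    for s in lts.states:
        by_label[frozenset(lts.labels[s])].append(s)
    partition = [frozenset(b) for b in by_label.values()]
    while True:
        block_of = {s: i for i, b in enumerate(partition) for s in b}
        refined = []
        for b in partition:                         # conditions 2 and 3
            groups = defaultdict(list)
            for s in sorted(b):
                groups[signature(lts, s, block_of)].append(s)
            refined.extend(frozenset(g) for g in groups.values())
        if len(refined) == len(partition):          # no block was split: stable
            return partition
        partition = refined

def quotient(lts, partition):
    """Definition 2: one node per block, named after its smallest state; an
    a-edge B' -> B exists iff some state of B' has an a-successor in B."""
    block_of = {s: i for i, b in enumerate(partition) for s in b}
    name = {i: min(b) for i, b in enumerate(partition)}
    nodes = {name[i]: set(lts.labels[min(b)]) for i, b in enumerate(partition)}
    edges = {(name[block_of[s]], a, name[block_of[t]])
             for s in lts.states for a, t in lts.out[s]}
    return nodes, sorted(edges), name[block_of[lts.init]]

def maude_rules(edges):
    """Render quotient edges in the meta-level rule format of Example 3."""
    return [f"rl '\"{s}\".String => '\"{t}\".String [none] ." for s, _, t in edges]

# constructed sample: three zones of location a linked by time steps (tau); the
# last two can also take the discrete edge e into the single zone of location b
SAMPLE = LTS(
    labels={"a-q1l": {"p"}, "a-q1x": {"p"}, "a-q1u": {"p"}, "b-q2": {"q"}},
    transitions=[("a-q1l", "tau", "a-q1x"), ("a-q1x", "tau", "a-q1u"),
                 ("a-q1u", "tau", "a-q1u"), ("a-q1x", "e", "b-q2"),
                 ("a-q1u", "e", "b-q2"), ("b-q2", "tau", "b-q2")],
    init="a-q1l")

if __name__ == "__main__":
    parts = max_bisimulation(SAMPLE)
    nodes, edges, c0 = quotient(SAMPLE, parts)
    print(sorted(map(sorted, parts)), "initial class:", c0)
    print("\n".join(maude_rules(edges)))
```

On the sample, a-q1x and a-q1u end up in the same block (both can delay into the a-q1u block and both can fire e into the b block), while a-q1l is separated from them in the first split because it has no e-successor; the quotient therefore has three nodes and four edges.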
5.2. Partition-refinement Algorithm
A product timed automaton A = ⟨Q, X, Σ, E, L_1, L_2, I⟩ can contain spurious behaviors, that is, paths in the product timed automaton that can never be executed. These spurious behaviors are introduced by the parallel composition, which does not detect them. It is therefore necessary to remove them before the (time abstraction) partition refinement; otherwise they become part of the overall system behavior and yield false counterexamples. There are techniques to remove spurious behaviors; we have used simulation of the product timed automaton. The transitions not fired during simulation are removed from the timed automaton. The result of simulation is a timed graph G = ⟨Q, X, E, L, I⟩, where E is the set of edges without event labels and L is defined exactly as L_1. Let e = ⟨q, θ, X, q′⟩ ∈ E be an edge whose guard θ is different from true. We refine the block of source states (q, v) of e, represented as a convex zone Z = (q, V_Z).
The objective of refinement is to abstract the
quantitative aspect of time needed to measure
the constraint θ . So, this block of states (zone)
is refined into sub-zones. The invariant of one of
these sub-zones satisfies the constraint θ . But,
the invariants of the other sub-zones don’t sat-
isfy this constraint. This process of refinement
will continue until there are no blocks to refine.
The operators over temporal constraints, used in
the algorithm of partition refinement are defined
as follows.
1. Var(θ) is the set of clock variables in the
formula θ .
2. With(θ , x) is the constraint θ reduced to a
constraint defined only on the clock variable
x (e.g. With(x = 1 ∧ y < 2 ∧ z ≤ 3, x)
≡ x = 1)
3. Without(θ , x) is the constraint θ reduced to
a constraint defined without the clock vari-
able x (e.g. Without(x = 1∧ y < 2∧ z ≤ 3,
x) ≡ y < 2 ∧ z ≤ 3)
4. & is the intersection operator (e.g. x ≤ 2 &
x ≥ 2 ≡ x = 2). θ1 & θ2 = ∅ if Var(θ1) ∩
Var(θ2) = ∅.
5. \ is the set difference operator (e.g. x ≤ 2 \
x = 1 ≡ x < 1 ∨ (x > 1 ∧ x ≤ 2), it is not
convex).
6. floor(θ) if θ is convex, then this operator
will return θ itself, else it returns the con-
straint representing the lower convex valua-
tions. The constraint θ is defined on one
clock variable (e.g floor(x < 1 ∨ (x >
1 ∧ x ≤ 2)) ≡ x < 1).
7. ceil(θ) if θ is convex, then this operator
will return ∅, else it returns the constraint
representing the upper convex valuations.
The constraint θ is defined on one clock vari-
able (e.g ceil(x < 1 ∨ (x > 1 ∧ x ≤ 2))
≡ x > 1 ∧ x ≤ 2).
Our Maude operator split splits a zone that is the source of an edge e = ⟨q, θ, X, q′⟩, taken arbitrarily from the set E of the current partition, where θ ≠ true. The refinement (splitting) is based on a clock variable x, also taken arbitrarily from the set of clock variables of the constraint θ. The zone is split into at most three sub-zones. These sub-zones have the same location q but different invariants, and their union equals I(q). Because their invariants differ, and for simplicity of the algorithm, we name their locations differently to distinguish them; this has no effect on the results of the algorithm.
The first sub-zone (with discrete state q_x) has the invariant I(q_x) = With(θ, x) ∧ Without(I(q), x) and an outgoing edge ⟨q_x, Without(θ, x), ∅, q′⟩. If floor(With(I(q), x) \ With(θ, x)) ≠ ∅, we have a second sub-zone with discrete state q_l and invariant I(q_l) = floor(With(I(q), x) \ With(θ, x)) ∧ Without(I(q), x). This sub-zone has an outgoing edge ⟨q_l, true, ∅, q_x⟩. If ceil(With(I(q), x) \ With(θ, x)) ≠ ∅, we have a third sub-zone with discrete state q_u and invariant I(q_u) = ceil(With(I(q), x) \ With(θ, x)) ∧ Without(I(q), x). This sub-zone has an incoming edge ⟨q_x, true, ∅, q_u⟩. The three new sub-zones are marked by the same set of atomic propositions L(q).
At the end of this iteration, the edge e and the
zone Z will be removed and replaced by the new
edges and the new sub-zones. The other outgo-
ing and incoming edges from and to the zone Z
will be updated according to the new partition.
The non-zenoness of the timed automaton and
the convexity of its constraints guarantee that
the produced partition has zones preserving the
convexity and the non-zenoness. Moreover, the
algorithm terminates.
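The split step above, as an added Python example (not the paper's Maude operator split): constraints are dictionaries from clocks to intervals, so they are convex by construction, and With, Without, & (meet), \ (minus), floor and ceil are implemented on them as defined in the list of operators. Two details are this example's own choices: the invariant of q_x is intersected with With(I(q), x) so that the three sub-zones really partition I(q), and the reset set X of the split edge is carried over to the edge leaving q_x (the text writes ∅ there). The sample zone x ≤ 2 with guard x = 1 reproduces the x < 1 ∨ (x > 1 ∧ x ≤ 2) case from the list of operators; the second sample shows a guard on two clocks, where only the lower piece survives.

```python
# Added example (Python, not the paper's Maude operator): the split step of
# Section 5.2 on constraints over clocks, using the operators With, Without,
# & (meet), \ (minus), floor and ceil listed above.  A constraint is a dict
# clock -> Interval, hence convex; the sub-zone names q+"x", q+"l", q+"u"
# follow the paper.  The invariant of q_x is additionally met with
# With(I(q), x) so that the sub-zones partition I(q); the reset set of the
# split edge is kept on the edge leaving q_x.  Sample zones are constructed here.
from dataclasses import dataclass
from math import inf

@dataclass(frozen=True)
class Interval:
    """Convex set of values of one clock: lo ~ x ~ hi with open/closed ends."""
    lo: float
    lo_closed: bool
    hi: float
    hi_closed: bool

    def is_empty(self):
        return self.lo > self.hi or (self.lo == self.hi
                                     and not (self.lo_closed and self.hi_closed))

    def show(self, x):
        if self.lo == self.hi:
            return f"{x} = {self.lo:g}"
        parts = []
        if self.lo > 0 or not self.lo_closed:
            parts.append(f"{x} {'>=' if self.lo_closed else '>'} {self.lo:g}")
        if self.hi != inf:
            parts.append(f"{x} {'<=' if self.hi_closed else '<'} {self.hi:g}")
        return " /\\ ".join(parts) or "True"

FULL = Interval(0, True, inf, False)           # a clock without constraint

def meet(a, b):
    """a & b: the larger lower bound and the smaller upper bound win; on a
    tie the bound stays closed only if it is closed on both sides."""
    lo, lo_open = max((a.lo, not a.lo_closed), (b.lo, not b.lo_closed))
    hi, hi_closed = min((a.hi, a.hi_closed), (b.hi, b.hi_closed))
    return Interval(lo, not lo_open, hi, hi_closed)

def minus(a, b):
    """a \\ b as (floor, ceil): the lower and upper convex pieces.  When the
    difference is itself convex, floor is the difference and ceil is None,
    matching floor(theta) and ceil(theta) of the paper."""
    b = meet(a, b)
    if b.is_empty():
        return a, None
    lower = Interval(a.lo, a.lo_closed, b.lo, not b.lo_closed)
    upper = Interval(b.hi, not b.hi_closed, a.hi, a.hi_closed)
    pieces = [p for p in (lower, upper) if not p.is_empty()]
    if len(pieces) == 2:
        return lower, upper
    return (pieces[0] if pieces else None), None

def with_(theta, x):   return {x: theta[x]} if x in theta else {}
def without(theta, x): return {k: v for k, v in theta.items() if k != x}
def show_c(theta):     return " /\\ ".join(v.show(k) for k, v in sorted(theta.items())) or "True"

def split(q, inv, edge, x):
    """Split zone (q, inv) on clock x with respect to edge (q, theta, X, q').
    Returns the new sub-zones {name: invariant} and the new edges."""
    src, theta, resets, dst = edge
    assert src == q and x in theta, "the edge must leave q and constrain x"
    rest = without(inv, x)                                # Without(I(q), x)
    ix, tx = inv.get(x, FULL), theta[x]                   # With(I(q), x), With(theta, x)
    zones = {q + "x": {**rest, x: meet(ix, tx)}}
    edges = [(q + "x", without(theta, x), resets, dst)]   # guard reduced to the other clocks
    lower, upper = minus(ix, tx)                          # With(I(q), x) \ With(theta, x)
    if lower is not None:                                 # floor(...) non-empty
        zones[q + "l"] = {**rest, x: lower}
        edges.append((q + "l", {}, set(), q + "x"))
    if upper is not None:                                 # ceil(...) non-empty
        zones[q + "u"] = {**rest, x: upper}
        edges.append((q + "x", {}, set(), q + "u"))
    return zones, edges

if __name__ == "__main__":
    # I(q) = x <= 2 and guard x = 1: split into x < 1 | x = 1 | 1 < x <= 2
    zones, edges = split("q", {"x": Interval(0, True, 2, True)},
                         ("q", {"x": Interval(1, True, 1, True)}, set(), "q'"), "x")
    for name, constraint in zones.items():
        print(name, ":", show_c(constraint))
    for src, guard, _, dst in edges:
        print(src, "->", dst, ":", show_c(guard))
```

The script prints the three sub-zones qx : x = 1, ql : x < 1 and qu : x > 1 /\ x <= 2 with the edges ql -> qx, qx -> qu (both with guard True) and qx -> q' carrying what is left of the guard once x is removed.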
5.3. Quotient Graph
The partition-refinement algorithm generates a
stable partition℘max which is the coarsest. Each
block in this partition is characterized by an
invariant and a unique discrete state. These
blocks are reachable and their invariants are
convex. The edges of this partition are of the
form 〈 q, true, ∅, q′〉 . This partition can be eas-
ily represented by a graph, we call it the quo-
tient graph G℘max . The set C of nodes of G℘max
is the set of the partition blocks. Thus, a node
corresponding to block Bi is denoted Ci. The
edges of G℘max are the edges in the partition
℘max between the different blocks in addition to
edges of the form 〈 q, true, ∅, q〉 if the invari-
ant I(q) is bounded only from below or a state
doesn't have an outgoing edge. The strong bi-simulation quotient graph G℘max is generated by the partition-refinement algorithm and, as defined, has the following properties:

G℘max-Property 1 (stability): for all C_1, C_2 ∈ G℘max, if $C_1 \xrightarrow{\tau} C_2$ then for every s_1 ∈ C_1 there exists s_2 ∈ C_2 such that $s_1 \xrightarrow{\delta} s_2$ for some δ ∈ R+, and if $C_1 \xrightarrow{e} C_2$ for some edge e, then for every s_1 ∈ C_1 there exists s_2 ∈ C_2 such that $s_1 \xrightarrow{e} s_2$.

G℘max-Property 2 (inscribed runs): given a path ρ = C_1 ⇒ C_2 ⇒ ··· of G℘max (⇒ denotes a discrete or a time transition) and a run r = s_1 ⇒ s_2 ⇒ ···, we say that r is inscribed in ρ if for all i ≥ 1: s_i ∈ C_i, and if $C_i \xrightarrow{\tau} C_{i+1}$ then there exists δ > 0 such that $s_i \xrightarrow{\delta} s_{i+1}$, and if $C_i \xrightarrow{e} C_{i+1}$ then $s_i \xrightarrow{e} s_{i+1}$. Every run r is inscribed in a unique path ρ of G℘max. Conversely, if ρ = C_1 ⇒ C_2 ⇒ ··· is a path of G℘max, then for every s_1 ∈ C_1 there exists a run r starting from s_1 and inscribed in ρ.

G℘max-Property 3: any time transition traverses a unique (finite) sequence of classes. Moreover, if (s, s′) ∈ ℘max then for any time transition $s \xrightarrow{\delta} s + \delta$ there exists a time transition $s' \xrightarrow{\delta'} s' + \delta'$ such that (s + δ, s′ + δ′) ∈ ℘max and the two transitions traverse the same classes.
Example 3. The following is the generated Maude module representing the quotient graph of the example (the specification of the complex real-time system and its property) presented in Section 3. Each name of an equivalence class ("a-q2x", for example) is made of two parts: one is known from the system specification (a), and the other (q2x) is generated transparently by the transformation of the TLTL formula and by the bi-simulation process. The equations are used to mark the different states by propositions

subsort 'String < 'State .
op 'Z : nil -> 'Prop [none] .
op 'p : nil -> 'Prop [none] .

rl '"a-q1zlx".String => '"a-q1zlxu".String [none] .
rl '"a-q1zlx".String => '"a-q1zxux".String [none] .
rl '"a-q1zlx".String => '"b-q1zl".String [none] .
rl '"a-q1zlxl".String => '"a-q1zlx".String [none] .
rl '"a-q1zlxl".String => '"a-q1zxux".String [none] .
rl '"a-q1zlxu".String => '"a-q1zlxu".String [none] .
rl '"a-q1zlxu".String => '"a-q1zxux".String [none] .
rl '"a-q1zx".String => '"a-q1zxuxl".String [none] .
rl '"a-q1zx".String => '"a-q2xl".String [none] .
rl '"a-q1zx".String => '"b-q1zl".String [none] .
rl '"a-q1zxl".String => '"a-q1zx".String [none] .
rl '"a-q1zxl".String => '"a-q2xl".String [none] .
rl '"a-q1zxux".String => '"a-q1zxux".String [none] .
rl '"a-q1zxux".String => '"a-q2xl".String [none] .
rl '"a-q1zxux".String => '"c-q2".String [none] .
rl '"a-q1zxuxl".String => '"a-q1zxux".String [none] .
rl '"a-q1zxuxl".String => '"a-q2xl".String [none] .
rl '"a-q2x".String => '"a-q2x".String [none] .
rl '"a-q2x".String => '"c-q2".String [none] .
rl '"a-q2xl".String => '"a-q2x".String [none] .
rl '"b-q1z".String => '"b-q2xl".String [none] .
rl '"b-q1zl".String => '"b-q1z".String [none] .
rl '"b-q2x".String => '"c-q2".String [none] .
rl '"b-q2xl".String => '"b-q2x".String [none] .
rl '"c-q2".String => '"c-q2".String [none] .
endm
6. Maude LTL Model Checking
In this section we show that the strong bi-
simulation ℘max preserves the LTL properties.
Model checking of the timed automaton is reduced to model checking a finite graph, the strong bi-simulation quotient graph G℘max generated by the partition-refinement algorithm.
Consider a labeled transition system M =
(S, Aτ, T , s0,L) modeling a strongly non-zeno
timed automaton A and an LTL formula ϕ. We
want to check whether M satisfies ϕ. Let
℘max be a strong bi-simulation on M. From
G℘max-Property 3 of G℘max , we can conclude that
for any LTL formula ϕ and any pair of states
(s, s′) ∈ ℘max, s |=M ϕ if and only if s′ |=M ϕ.
A formula is said to hold in a node C of G℘max
if it is satisfied in some state of C (this implies
that the formula is satisfied in any state of C).
Now, the problem of verifying if a state s ∈ S
satisfies the LTL formula ϕ (s |=M ϕ) is re-
duced to checking if the node C ∈ C containing
the state s satisfies the formula ϕ (C |= ϕ). The
following lemma gives the correctness of the
model checking.
Lemma 1. Let M = (S, Aτ , T , s0,L) be a
labeled transition system modeling a strongly
non-zeno timed automaton,L is a labeling func-
tion associating to each discrete state a set of
atomic propositions from AP. Let ℘max be a
strong bi-simulation onM and G℘max is its quo-
tient graph with the set of nodes C. Let C be in
C and ϕ an LTL formula. C |= ϕ if and only if
∀s ∈ C, s |=M ϕ.
Proof. The proof is by induction on the syntax of ϕ. The base case (ϕ is an atomic proposition) follows from the fact that ℘max respects L.
Consider the case ϕ = ¬ϕ_1. By the semantics of LTL, C ⊨ ¬ϕ_1 if and only if C ⊭ ϕ_1. By the induction hypothesis, C ⊨ ϕ_1 if and only if ∀s ∈ C, s ⊨_M ϕ_1; since all states of C satisfy the same formulas, C ⊭ ϕ_1 if and only if ∀s ∈ C, s ⊭_M ϕ_1, i.e. ∀s ∈ C, s ⊨_M ¬ϕ_1.
Consider the case ϕ = ϕ_1 ∧ ϕ_2. By the semantics of LTL, C ⊨ ϕ_1 ∧ ϕ_2 ⇔ C ⊨ ϕ_1 ∧ C ⊨ ϕ_2. By the induction hypothesis, C ⊨ ϕ_1 ⇔ ∀s ∈ C, s ⊨_M ϕ_1 and C ⊨ ϕ_2 ⇔ ∀s ∈ C, s ⊨_M ϕ_2. Using the semantics of LTL, this is equivalent to ∀s ∈ C, s ⊨_M ϕ_1 ∧ ϕ_2.
The case ϕ = ϕ_1 U ϕ_2 is proved by observing that if C ⊭ ϕ, a run r falsifying ϕ can be extracted from a path ρ starting at the node C, using G℘max-Property 2.
Consider the case ϕ = □ϕ_1. By the semantics of LTL, C ⊨ □ϕ_1 if and only if every node C′ on every path starting from C satisfies C′ ⊨ ϕ_1. By the induction hypothesis, C′ ⊨ ϕ_1 if and only if ∀s ∈ C′, s ⊨_M ϕ_1. Then, using G℘max-Property 1, G℘max-Property 2 and the LTL semantics, C ⊨ ϕ if and only if ∀s ∈ C, s ⊨_M ϕ.
Example 4. The TLTL model checking problem ⟨a, x = 0⟩ ⊨ ◇_{≥2} r on the model of the timed automaton of Figure 1 is thus reduced to the Maude LTL model checking problem C_0 ⊨ (¬Prop('r)) U (Prop('Z) ∧ Prop('r)) on the model represented by the graph shown as a Maude module in the previous section, where C_0 = a-q1zlxl. This LTL formula is not satisfied and the model checker returns a trace as a counterexample:
The property is not satisfied ...
This is a counter example:
a-q1zlxl -> a-q1zlx -> a-q1zlxu -> a-q1zxux -> a-q2xl -> a-q2x
Mapping back to the concrete timed automaton, the discrete state of each of the nodes (classes) a-q1zlxl, a-q1zlx, a-q1zlxu, a-q1zxux, a-q2xl and a-q2x is a. The concrete trace is therefore a run that lets time pass while staying in location a:
$$\langle a, x=0\rangle \xrightarrow{\delta_0} \langle a, x=\delta_0\rangle \xrightarrow{\delta_1} \langle a, x=\delta_0+\delta_1\rangle \xrightarrow{\delta_2} \cdots$$
7. Complexity and Implementation Results
We denote the size of a timed automaton A =
〈Q,X ,Σ, E ,L1,L2, I〉 by the pair (|Q|, |E|),
where |Q| is the number of discrete states and
|E| is the number of edges. For a TLTL for-
mula ψ with n temporal constraints, the algo-
rithm Transform generates a timed automaton
Aψ with one clock variable, |Qψ | ≤ n + 1 and
|Eψ | ≤ n. The size of A ‖ Aψ is at most
(|Q| × |Qψ |, |E| × |Eψ | + |E| + |Eψ | − 1).
The size of the quotient graph G℘max is defined
by the pair of the number of its nodes and num-
ber of its edges, which are at most (3 × (|E| ×
|Eψ |+ |E|+ |Eψ |−1), |Q|× |Qψ |+3× (|E|×
|Eψ |+|E|+|Eψ |−1)). The partition-refinement
algorithm generates the quotient graph in a time
of O(|Q|× |Qψ |+ 3× (|E|× |Eψ |+ |E|− 1)).
To obtain confidence in the correctness of the
implementation, our first experiments concen-
trated on existing case studies taken from real-
time model checking literature. The first case
study is the analysis of The CSMA/CD (Carrier
Sense, Multiple Access with Collision Detec-
tion) protocol which works as follows [31, 20].
When a station has data to send, it first listens to
the channel. If it is idle (i.e., no other station is
transmitting) the station begins sending its mes-
sage. However, if it detects a busy channel, it
waits a random amount of time and then repeats
the operation. When a collision occurs, because
several stations transmit simultaneously, then
all of them detect it, abort their transmissions
immediately and wait a random time to start all
over again. If two messages collide then they
are both lost.
The propagation delay of the channel plays
an important role in the performance of the
CSMA/CD protocol. It is possible that just
after a station begins sending, another one be-
comes ready to send. If it senses the channel
before the signal of the former arrives, it will
find the channel idle and will start sending too.
Hence, a collision will happen. Let σ be the
time for a signal to propagate between the two
farthest stations. Suppose that at time t0 a sta-
tion S0 begins sending a message. Thus, within
the time interval [t0, t0 + σ), it is still possible
that some station Si transmits if it has data, caus-
ing a collision. However, after time t0 + σ, the
channel will be sensed busy by all the stations
until the current message is delivered. Hence,
the maximum time the channel could be sensed
idle by any station after the beginning of a trans-
mission is σ.
Based on the fact above, we might think that a
station that does not hear a collision for a time
equal to σ, could be sure that no other station
would interfere. However, this conclusion is
wrong. Due to the propagation delay, the noise
burst caused by the collision could take a time
σ to arrive. In fact, in the worst case it would
take 2 × σ for a station to detect a collision.
In case of collision, each station waits randomly
a time between 0 and 2×σ before trying again.
In general, after i collisions, a station waits a
random time between 0 and 2i × σ. Moreover,
after too many retrials (e.g., 16 as in the 802.3
standard [20]) a failure signal could be reported
to the higher layers.
Assume that only messages of equal length are
sent and let λ be the time to send a message.
Then if no collision occurs, a message will be
completely delivered in a time equal to λ + σ.
For instance, for a 10Mbps Ethernet with a typ-
ical worst case round trip propagation delay of
51.2us, we set 2 × σ to be 51.2us and for stan-
dard frames of 1024bytes, λ is approximately
782us.
The system consists of n stations S1, · · · , Sn and
the medium M. The behavior of the medium
is as follows. Initially, it is ready and it can
accept a message from any station. Suppose
that one station begins transmitting (TRANS-
MIT). There is a time interval of lengthσ within
which the medium can accept data from the
other station, causing a collision (CD). This
is modeled with a watchdog which is canceled
when a collision occurs. In the case of a col-
lision, it takes time σ to the medium to propa-
gate it. This is naturally modeled with a time-
out. If no collision occurs, the medium waits
for the termination signal. When it arrives,
the medium returns to the initial state. The
overall specification is obtained putting all the
above (stations and the medium) in parallel.
CSMA/CDn = Medium ‖ S1 ‖ · · · ‖ Sn. The
following is the specification of a system com-
posed of two senders (the process specification
of the second sender is the same as for Sender1)
and a medium.
(
system CSMA-CD :
prop INIT1 SEND1 TRANSM1 CD1
     INIT2 SEND2 TRANSM2 CD2
     INITM TRANSMM CDM ;

s1 : x1 = 0
  { SEND1 }
s2 : x1 <= 782
  { TRANSM1 }

s0 -> s1 : { x1 }
  { SEND1 }
s0 -> s0 : { }
  { ?CD }
s1 -> s2 : { x1 }
  { !BEGIN }
s1 -> s3 : { x1 }
  { ?BUSY }
s1 -> s3 : { x1 }
  { ?CD }
s2 -> s3 : { x1 }
  { ?CD }
s2 -> s0 : x1 = 782 { x1 }
  { !END }
s3 -> s3 : { }
  { ?CD }

m0 -> m1 : { m }
  { ?BEGIN }
m1 -> m2 : m < 26 { m }
  { ?BEGIN }
m1 -> m1 : m >= 26 { }
  { #BUSY }
m1 -> m0 : { m }
  { ?END }
m2 -> m0 : m <= 26 { m }
  { #CD }
;
|= [] ( ( TRANSM1 /\ TRANSM2 ) =>
        <> { <= 26 } ( CD1 /\ CD2 ) ) . )
#BUSY means a broadcast send via channel BUSY. We have verified the following real-time property expressed in the logic TLTL: when a collision occurs because two stations k ≠ j transmit simultaneously, they both detect it at most σ µs later:
$$\psi \equiv \Box\big(\mathrm{TRANSMIT}_k \wedge \mathrm{TRANSMIT}_j \Rightarrow \Diamond_{\le \sigma}(\mathrm{CD}_k \wedge \mathrm{CD}_j)\big).$$
The second case study is the analysis of FDDI (Fiber Distributed Data Interface), an example taken from [14]. FDDI is a high-performance fiber-optic token-ring local area network. We consider a network composed of n identical stations S_1, ···, S_n and a ring, where the stations communicate by synchronous messages with high priority and asynchronous messages with low priority. The timed automaton that models the protocol is obtained as the parallel composition FDDI_n = Ring ‖ S_1 ‖ ··· ‖ S_n, where the automata synchronize through actions. The following is the specification of a system composed of two stations (the process specification of the second station is the same as for Station1) and a ring.

prop ZIDLE1 ZSYNC1 ZASYNC1 YIDLE1 YSYNC1 YASYNC1
     ZIDLE2 ZSYNC2 ZASYNC2 YIDLE2 YSYNC2 YASYNC2
     RTO1 RING1 RTO2 RING2 ;
chan TT1 TT2 RT1 RT2 ;
process Station1 :
clocks x y z
state s1_z_idle :
  { ZIDLE1 }
s1_z_sync : x <= 20
  { ZSYNC1 }

s1_y_sync : x <= 20
  { YSYNC1 }

s1_z_idle -> s1_z_sync :
  { x , y } { ?TT1 }
s1_z_sync -> s1_z_async :
  x >= 20 /\ z < 120
  { } { }
s1_z_sync -> s1_y_idle :
  x >= 20 /\ z >= 120
  { } { !RT1 }
s1_z_async -> s1_y_idle :
  { } { !RT1 }
s1_y_idle -> s1_y_sync :
  { x , z } { ?TT1 }
s1_y_sync -> s1_z_idle :
  x >= 20 /\ y >= 120
  { } { !RT1 }
s1_y_sync -> s1_y_async :
  x >= 20 /\ y < 120
  { } { }
s1_y_async -> s1_z_idle :

ring_to_1 -> ring_1 : x <= 0
  { } { !TT1 }
ring_1 -> ring_to_2 :
  { x } { ?RT1 }
ring_to_2 -> ring_2 : x <= 0
  { } { !TT2 }
ring_2 -> ring_to_1 :
  { x } { ?RT2 }
;
|= [] ( ( ZIDLE1 => <> { <= 120 } ZASYNC1 ) /\
        ( YIDLE1 => <> { <= 120 } YASYNC1 ) /\
        ( ZIDLE2 => <> { <= 120 } ZASYNC2 ) /\
        ( YIDLE2 => <> { <= 120 } YASYNC2 ) ) . )
The TLTL formula describing the bounded-time property for sending asynchronous messages, namely that each idle station of the FDDI system sends an asynchronous message before time c, is
$$\psi = \Box\big((S_i = \mathrm{idle}) \Rightarrow \Diamond_{\le c}(S_i = \mathrm{async})\big),$$
where S_i = idle denotes any state s ∈ S in which the automaton of station i is in location idle.
The experiments were done on a Pentium IV at
1GHz with 512MB of memory. Our approach
has been able to generate the quotient graph for
up to 5 processes (for the CSMA/CD protocol,
including the medium) and 6 processes (for the
FDDI protocol, including the ring).
Table 1 presents the results of the different experiments. The reported results are the number of nodes and the number of edges of each quotient graph generated for the different configurations, and the time consumed (in seconds). The symbol – means that the tool failed due to lack of memory.

number of     CSMA/CD                         FDDI
stations      nodes    edges    time (s)      nodes    edges    time (s)
2             48       298      95            36       196      50
3             92       1012     200           72       624      170
4             264      4896     4200          212      3048     3700
5             –        –        –             416      7012     6900
6             –        –        –             –        –        –

Table 1. Experimental results.
These first experiments thus show that our real-time model checking technique performs relatively well. Although these positive results are based only on limited experience with the tool, we believe that further experiments will show them to be of a more general character. This would show that the combination of transformation and partition refinement is a useful approach to real-time model checking, one that could be at least as valuable as the currently followed approaches. To our knowledge, no tool for TLTL model checking exists against which our approach could be compared (it is known that model checking for the logic TLTL is undecidable).
8. Conclusion
In this paper, we have presented a technique for model checking dense complex real-time systems, implemented with Maude. The method is based on the reduction of TLTL specifications to LTL: the timed behavior of the TLTL specification is captured and represented as a timed automaton, which is composed with the original timed automaton modeling the timed system. A time abstraction technique based on strong bi-simulation is then used to generate a finite graph modulo the TLTL specification, and the Maude LTL model checker performs LTL model checking on this graph. We have taken advantage of the reflective aspect of Rewriting Logic to implement this tool.
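The abstraction step summarized above (compose, quotient by strong bi-simulation, model check LTL on the finite quotient), as an added Python example that is not the paper's Maude implementation: a naive partition-refinement loop computes the coarsest label-respecting strong bisimulation of a small constructed untimed graph and reports the quotient in the node/edge terms of Table 1. The graph, its 'tau' edges standing for abstracted time-elapse steps, and all function names are constructed for this illustration.

```python
from typing import Dict, FrozenSet, List, Tuple

State = str
Edge = Tuple[State, str, State]           # (source, action, target)


def bisimulation_quotient(states: List[State],
                          labels: Dict[State, FrozenSet[str]],
                          edges: List[Edge]):
    """Coarsest strong bisimulation that respects the state labels, by
    naive partition refinement (split every block by signature until no
    block splits). Returns (block_of, quotient_labels, quotient_edges,
    rounds)."""
    succ: Dict[State, List[Tuple[str, State]]] = {s: [] for s in states}
    for src, act, dst in edges:
        succ[src].append((act, dst))

    # Initial partition: one block per distinct set of atomic propositions.
    # LTL formulas over those propositions cannot tell apart two states with
    # the same label, so this is the coarsest admissible starting point.
    ids: Dict[object, int] = {}
    block_of = {s: ids.setdefault(labels[s], len(ids)) for s in states}

    rounds = 0
    while True:
        rounds += 1
        # Signature = own block + set of (action, target block). Including
        # the own block makes each round a refinement of the previous one,
        # so the block count never decreases and termination is guaranteed.
        sig = {s: (block_of[s], frozenset((a, block_of[d]) for a, d in succ[s]))
               for s in states}
        new_ids: Dict[object, int] = {}
        new_block_of = {s: new_ids.setdefault(sig[s], len(new_ids)) for s in states}
        if len(new_ids) == len(set(block_of.values())):
            break                      # stable: nothing split in this round
        block_of = new_block_of

    q_labels = {block_of[s]: labels[s] for s in states}
    q_edges = sorted({(block_of[a], act, block_of[b]) for a, act, b in edges})
    return block_of, q_labels, q_edges, rounds


def bisimilar(block_of: Dict[State, int], s: State, t: State) -> bool:
    return block_of[s] == block_of[t]


# Constructed untimed graph (not one of the paper's generated graphs). It
# mimics what a time-abstracted FDDI station might look like: several
# "region" states carry the same label; 'tau' stands for an abstracted
# time-elapse step, 'tt'/'rt' for the token and release-token events.
STATES = ["idle_a", "idle_b", "idle_c", "sync_a", "sync_b", "sync_c", "sync_d",
          "async_x", "async_y", "async_z"]
LABELS = {s: frozenset({s.split("_")[0].upper()}) for s in STATES}
EDGES: List[Edge] = [
    ("idle_a", "tt", "sync_a"), ("idle_b", "tt", "sync_b"), ("idle_c", "tt", "sync_d"),
    ("sync_a", "tau", "sync_c"), ("sync_b", "tau", "sync_c"),
    ("sync_c", "tau", "async_x"), ("sync_c", "tau", "async_y"), ("sync_c", "rt", "idle_a"),
    ("sync_d", "tau", "async_z"),
    ("async_x", "rt", "idle_a"), ("async_y", "rt", "idle_b"), ("async_z", "rt", "idle_c"),
]


def quotient_sizes() -> Tuple[int, int, int]:
    """(nodes, edges, rounds) of the quotient of the constructed graph, in
    the same terms as Table 1."""
    block_of, _, q_edges, rounds = bisimulation_quotient(STATES, LABELS, EDGES)
    return len(set(block_of.values())), len(q_edges), rounds


if __name__ == "__main__":
    block_of, q_labels, q_edges, rounds = bisimulation_quotient(STATES, LABELS, EDGES)
    print(f"{len(STATES)} states / {len(EDGES)} edges  ->  "
          f"{len(set(block_of.values()))} blocks / {len(q_edges)} edges in {rounds} rounds")
    for b in sorted(q_labels):
        members = sorted(s for s in STATES if block_of[s] == b)
        print(b, sorted(q_labels[b]), members)
```

On this graph the first round separates the three kinds of sync state, and the split then propagates backwards through idle and async states in two further rounds, which is why the quotient needs four rounds to stabilize. Because strong bisimulation preserves every LTL (indeed CTL*) property over the state labels, a verdict obtained on the quotient transfers to the original graph. The naive loop does up to n rounds of O(n + m) work; the algorithm of Paige and Tarjan [27] that the paper cites achieves O(m log n).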
The correctness of this technique is mathematically proved and has been tested on many small examples. Relatively complex specifications of the protocols CSMA/CD and FDDI were also successfully tested. Our future work is to generalize this technique to accept real-time semantics defined in Real-Time Maude (RT-Maude) [26], so that a real-time system specified with RT-Maude could be analyzed using this method.
References
[1] R. ALUR, C. COURCOUBETIS AND D. L. DILL, Model checking in dense real time. Information and Computation, 104(1):2–34, 1993.
[2] R. ALUR AND D. DILL, Automata for modeling real-time systems. In Lecture Notes in Computer Science (17th ICALP), number 443. Springer-Verlag, 1990.
[3] R. ALUR AND T. A. HENZINGER, Logics and models of real time: a survey. In Lecture Notes in Computer Science (Real Time: Theory in Practice), number 600, pages 74–106. Springer-Verlag, 1992.
[4] R. ALUR AND T. A. HENZINGER, Real time logics: Complexity and expressiveness. Information and Computation, 104:35–77, 1993.
[5] R. ALUR AND T. A. HENZINGER, A really temporal logic. J. Assoc. Comput. Mach., 41:181–204, 1994.
[6] A. K. BAUER, Model-based runtime analysis of distributed reactive systems. PhD thesis, University of München, Germany, 2007.
[7] A. BOUAJJANI, J. C. FERNANDEZ, N. HALBWACHS, P. RAYMOND AND C. RATEL, Minimal state graph generation. Science of Computer Programming, 18:247–269, 1992.
[8] A. BOUAJJANI, S. TRIPAKIS AND S. YOVINE, On-the-fly symbolic model-checking for real-time systems. In IEEE RTSS'97. IEEE Computer Society Press, 1997.
[9] M. BOURAHLA AND M. BENMOHAMED, Verification of real-time systems by abstraction of time constraints. In IPDPS (FMPPTA). IEEE Computer Society Press, 2003.
[10] M. BOURAHLA AND M. BENMOHAMED, Analysis of real-time systems with CTL model checkers. Electronic Notes in Theoretical Computer Science, Elsevier, 133:41–60, 2005.
[11] U. BROCKMEYER AND G. WITTICH, Real-time verification of Statemate designs. In Lecture Notes in Computer Science (Computer Aided Verification), number 1427, pages 537–541. Springer-Verlag, 1998.
[12] M. CLAVEL, Maude: specification and programming in rewriting logic. Theoretical Computer Science, 285:187–243, 2002.
[13] M. CLAVEL, Maude 2.3 Manual. http://maude.cs.uiuc.edu/manual, 2005.
[14] C. DAWS, A. OLIVERO, S. TRIPAKIS AND S. YOVINE, The tool Kronos. In Lecture Notes in Computer Science (Verification and Control of Hybrid Systems), number 1066. Springer-Verlag, 1995.
[15] C. DAWS AND S. TRIPAKIS, Model checking of real-time reachability properties using abstractions. In Lecture Notes in Computer Science (Tools and Algorithms for the Construction and Analysis of Systems), number 1384. Springer-Verlag, 1998.
[16] D. D'SOUZA, A logical characterisation of event clock automata. Int. Journ. Found. Comp. Sci., 14(4):625–639, 2003.
[17] S. EKER, J. MESEGUER AND A. SRIDHARANARAYANAN, The Maude LTL model checker and its implementation. In Lecture Notes in Computer Science (10th Intl. SPIN Workshop), number 2648, pages 230–234. Springer-Verlag, 2003.
[18] T. A. HENZINGER AND O. KUPFERMAN, From quantity to quality. In Lecture Notes in Computer Science (Workshop on Hybrid and Real-Time Systems), number 1201, pages 48–62. Springer-Verlag, 1997.
[19] T. A. HENZINGER, X. NICOLLIN, J. SIFAKIS AND S. YOVINE, Symbolic model checking for real-time systems. Information and Computation, 111(2):193–244, 1994.
[20] IEEE, ANSI/IEEE 802.3, ISO/DIS 8802/3. IEEE Computer Society Press, 1985.
[21] I. KANG, I. LEE AND Y. S. KIM, An efficient state space generation for the analysis of real-time systems. IEEE Transactions on Software Engineering, 26(5):453–477, 2000.
[22] F. LAROUSSINIE, N. MARKEY AND PH. SCHNOEBELEN, Efficient timed model checking for discrete-time systems. Theoretical Computer Science, 353:249–271, 2006.
[23] K. G. LARSEN, P. PETTERSSON AND W. YI, Uppaal in a nutshell. Software Tools for Technology Transfer, 1(1), 1997.
[24] R. MILNER, A calculus of communicating systems. In Lecture Notes in Computer Science, number 92. Springer-Verlag, 1980.
[25] M. O. MÖLLER, H. RUESS AND M. SOREA, Predicate abstraction for dense real-time systems. Electronic Notes in Theoretical Computer Science, Elsevier, 65, 2002.
[26] P. C. ÖLVECZKY AND J. MESEGUER, Semantics and pragmatics of Real-Time Maude. Higher-Order and Symbolic Computation, 2006.
[27] R. PAIGE AND R. TARJAN, Three partition refinement algorithms. SIAM Journal on Computing, 16(6), 1987.
[28] J. F. RASKIN AND P. Y. SCHOBBENS, The logic of event clocks - decidability, complexity and expressiveness. Journ. of Autom. Lang. and Comb., 4(3):247–286, 1999.
[29] O. SOKOLSKY AND S. A. SMOLKA, Local model checking for real-time systems. In Lecture Notes in Computer Science (CAV), number 939. Springer-Verlag, 1995.
[30] R. SPELBERG, H. TOETENEL AND M. AMMERLAAN, Partition refinement in real-time model checking. In Lecture Notes in Computer Science (Formal Techniques in Real-Time and Fault-Tolerant Systems), number 1486. Springer-Verlag, 1998.
[31] A. S. TANENBAUM, Computer Networks. Prentice-Hall, Englewood Cliffs, 1989.
[32] S. TRIPAKIS AND S. YOVINE, Analysis of timed systems using time-abstracting bi-simulations. Formal Methods in System Design, 18:25–68, 2001.
[33] M. YANNAKAKIS AND D. LEE, An efficient algorithm for minimizing real-time transition systems. In Lecture Notes in Computer Science, number 697,








BP 145 RP, Biskra 07000, Algeria
e-mail: mbourahla@hotmail.com
MUSTAPHA BOURAHLA holds a PhD in computer science from the University of Biskra, Algeria (2007) and a Master's degree in computer science from the University of Montreal, Canada (1989). He was a member of the VHDL group at Bell-Northern Research, Ottawa, Canada (1989-1993), and worked for Bell Canada for one year. He is now a teacher-researcher at the University of Biskra (Algeria). He has publications in the domains of VLSI and formal methods. His current research interests are formal methods, especially model checking of critical systems. Dr. Bourahla is a member of a research group working in the domains of VLSI and formal methods at the University of Biskra (Algeria).
