Operational and logical semantics for polling real-time systems by Dierks, H. et al.
PDF hosted at the Radboud Repository of the Radboud University Nijmegen.
The version of the following full text has not yet been defined or was untraceable and may differ from the publisher's version.
For additional information about this publication click this link: http://hdl.handle.net/2066/18689
Please be advised that this information was generated on 2017-12-05 and may be subject to change.
Operational and Logical Semantics for Polling Real-Time Systems
H. Dierks, A. Fehnker, A. Mader, F.W. Vaandrager
Computing Science Institute, report CSI-R9813, April 1998
Computing Science Institute Nijmegen, Faculty of Mathematics and Informatics, Catholic University of Nijmegen, Toernooiveld 1, 6525 ED Nijmegen, The Netherlands
Henning Dierks: University of Oldenburg, Germany (Henning.Dierks@Informatik.Uni-Oldenburg.DE)
Ansgar Fehnker, Angelika Mader and Frits Vaandrager: Computing Science Institute, University of Nijmegen, the Netherlands ({ansgar,mader,fvaan}@cs.kun.nl)
Abstract PLC	Automata are a class of real	time automata suitable
to describe the behaviour of polling real	time systems PLC	Automata
can be compiled to source code for PLCs a hardware widely used in
industry to control processes Also PLC	Automata have been equipped
with a logical and operational semantics using Duration Calculus 
DC
and Timed Automata 
TA respectively
The three main results of this paper are 
 A simplied operational
semantics 
 A minor extension of the logical semantics and a proof
that this semantics is complete relative to our operational semantics
This means that if an observable satises all formulas of the DC seman	
tics then it can also be generated by the TA semantics 
 A proof
that the logical semantics is sound relative to our operational semantics
This means that each observable that is accepted by the TA semantics
constitutes a model for all formulas of the DC semantics
Keywords and Phrases Programmable Logic Controllers PLC	
Automata Semantics Real	time Timed Automata Duration Calculus
AMS Subject Classication  Q Q Q
CR Subject Classication  C D D F
 
A preliminary version of this paper appeared in A.P. Ravn and H. Rischel, editors, Proceedings FTRTFT, Lecture Notes in Computer Science, Springer-Verlag.
Supported by the German Ministry for Education and Research (BMBF), project UniForM, grant No. FKZ IS B.
Research supported by the Netherlands Organization for Scientific Research (NWO) under contract SION.
Supported by the HCM Network EXPRESS.
Table of Contents
Introduction
PLC-Automata
Timed Automaton Semantics of PLC-Automata
Duration Calculus Semantics of PLC-Automata
Relation between TA and DC Semantics
  From Runs to Interpretations
  Equivalence of Interpretations
Soundness
  Technical Lemmas
  Basic Formulae
  State Change
  Stable State
  Initial Phase
Completeness
References
A Timed Automata
B Duration Calculus
C DC Semantics for the Initial Phase
Introduction
Programmable Logic Controllers (PLCs) are widely used in industry to control real-time embedded applications such as railway crossings, elevators and production lines. PLCs are hardware devices that operate according to the simple but powerful architectural model of polling real-time systems. A polling real-time system behaves in cycles that can be split into three parts: the input values are polled, a new local state and output values are computed from the inputs and the old local state, and finally the new output values are written to the output ports. Depending, for instance, on the length of the computation, the duration of a cycle may vary, but some upper bound on the cycle time is assumed to be available.

In this paper we study the operational and denotational semantics of polling real-time systems, i.e. the relationships between the input and output signals of such systems that are induced when a program is executed in real time. (The study of an algebraic semantics is left as an interesting topic for future research.) Our work builds on recent work within the UniForM project on PLC-Automata. PLC-Automata, basically an extension of classical Moore machines, can be viewed as a simple programming language for PLCs. In the work introducing PLC-Automata, a compilation scheme is given that generates runnable PLC code for any given PLC-Automaton. Moreover, a logical (denotational) and an operational semantics of PLC-Automata are presented there, employing Duration Calculus (DC) and Timed Automata (TA), respectively. However, the relationships between these semantics are not further investigated in that work.

The three main results established in this paper are:
- A simplified operational semantics for PLC-Automata based on Timed Automata.
- A minor extension of the logical semantics with some additional formulae, and a proof that this restricted semantics is complete relative to our operational semantics. This means that if an observable satisfies all formulae of the DC semantics, then it can also be generated by the TA semantics.
- A proof that the logical semantics is sound relative to our operational semantics. This means that each observable that is accepted by the TA semantics constitutes a model for all formulae of the extended DC semantics.

An advantage of our operational semantics is that it is very intuitive and provides a simple explanation of what happens when a PLC-Automaton runs on PLC hardware. Clearly, the rules of the operational semantics are easier to understand than the formulae of the DC semantics, especially for readers who are not experts in duration calculus. The operational semantics can also serve as a basis for automatic verification using tools for timed automata such as Kronos and UPPAAL. Our timed automata semantics uses three clock variables, which makes it more tractable for such tools than the earlier semantics, which requires a fixed number of clocks plus one clock for each input value.

The logical semantics also has several advantages. Rather than modelling the internal state variables and hidden events of PLC hardware, it describes the allowed observable behaviour on the input and output ports. Duration Calculus, an interval temporal logic for real-time, constitutes a very powerful and abstract specification language for polling real-time systems. Via the DC semantics, proving that a PLC-Automaton A satisfies a DC specification SPEC reduces to proving that the duration calculus semantics of A logically implies SPEC. For this task all the proof rules and logical machinery of DC can be used. In fact, an algorithm has been presented that synthesises a PLC-Automaton from an almost arbitrary set of DC implementables, a subset of the Duration Calculus that has been introduced as a stepping stone for specifying distributed real-time systems. A fully developed theory exists of how implementables can be obtained from general DC formulae. Hence the synthesis algorithm provides a powerful means to design correct systems starting from specifications.

The fact that the TA and DC semantics are so different makes the proof of their equivalence interesting, but also quite involved. In order to get the completeness result we had to extend the original DC semantics with eleven additional formulae. Ten of these formulae are just variations on a theme and express the presence of certain causalities between events. The eleventh formula is a variant of a formula from the original semantics and restricts the time during which an input can be ignored in a specific situation. The new formulae are not required for the correctness proof of the synthesis algorithm. This indicates that they may not be so important in applications. Nevertheless, we believe that the formulae do express fundamental properties of polling real-time systems, and it is not so difficult to come up with examples of situations in which the additional laws are used.

In this paper we only discuss the semantics of the simple PLC-Automata as originally introduced. Meanwhile, PLC-Automata have been extended with a statecharts-like concept of hierarchy in order to allow for their use in the specification of complex systems. We claim that it is possible to generalise the results of this paper to this larger class of hierarchical PLC-Automata. An interesting topic for future research is to give a low-level operational semantics of PLCs, including hybrid aspects (clock drift, etc.), and to prove that this low-level semantics is a refinement of the semantics presented in this paper. Such a result would further increase confidence in the correctness of our semantic model.

Acknowledgement. We thank Alex Rabinovich for his questions.
 PLCAutomata
In the UniForMproject  an automatonlike notion  called PLCAutomata
 of polling realtime systems has been developed to enable formal verica
tion of PLCprograms Basically Programmable Logic Controllers PLCs the
hardware aim of the project are just simple computers with a special realtime
operating system They have features for making the design of time and safety
critical systems easier
 PLCs have input and output channels where sensors and actuators resp
can be plugged in
 They behave in a cyclic manner where every cycle consists of three phases
 Poll all inputs and store the read values
 Compute the new values for the outputs
 Update all outputs
 There is an upper time bound for a cycle which depends on the program
and on the number of inputs and outputs that can be used to calculate an
upper time bound for the reaction time
 Convenient standardised libraries are given to simplify the handling of time
The following formal denition of a PLCAutomaton incorporates the upper
time bound for a polling cycle and the possibility of delay reactions of the system
depending on state and input
Denition  A PLCAutomaton is a tuple A  Q  q

   S
t
 S
e
  
where
 Q is a nonempty nite set of states
  is a nonempty nite set of inputs
   Q  Q is the transition function
 q

 Q is the initial state
    IR

is the upper bound for a cycle
 S
t
 Q  IR

is a function that tells for each state q how long the inputs
contained in S
e
q should be ignored the delay time
 S
e
 Q  

is a function that gives for each state q the set of delayed
inputs ie inputs that cause no state transition during the rst S
t
q time
units after arrival in q
  is a nonempty nite set of outputs
   Q   is the output function
We require that two technical restrictions hold for all q  Q and a  
S
t
q    a  S
e
q  q a 	 q 
S
t
q    S
t
q    
Restriction  is needed to ensure the correctness of the PLCsourcecode rep
resenting a PLCAutomaton wrt the semantics given in 	 It can be trivially
met by adding for each q all actions a with q a  q to the set S
e
q Restric
tion  which is introduced to avoid unnecessary complications in the logical
semantics says that delay times are either  or larger than twice the cycle upper
bound time 	
Figure 1 gives an example of a PLC-Automaton. A box representing a state (e.g. q) is annotated with the output (e.g. T) in the upper part of the box, and with the pair of the delay time and the delay set (e.g. S_t(q) and S_e(q)) in the lower part of the box. The automaton starts in state N with output N and remains in this state as long as the polled input is the initial input. The first time the polled input is not the initial input, the automaton changes state according to the transition function. If, following such an input, the state q with the delay is entered, then the automaton will start a timer. Now the following cases are possible:
- The polled input is the initial input again. In this case the automaton checks the timer. Only if the timer says that S_t(q) time units have elapsed does the automaton take the transition back to state N; otherwise the automaton stays in q.
- The polled input is the input that led into q. In this case the automaton remains in q independently of the status of the timer, due to the fact that the transition leads to q again.
- The polled input is Error. In this case the automaton takes the Error transition independently of the status of the timer, because Error is not in S_e(q).

[Fig. 1. PLC-Automaton: states N (output N), q (output T) and Error, with delay time S_t(q) and delay set S_e(q) annotated on q; figure not reproduced.]

We would like to stress that the range of applicability of PLC-Automata is much wider than just PLCs. In fact, PLC-Automata are an abstract representation of a machine that periodically polls inputs and has the possibility of measuring time.
Timed Automaton Semantics of PLC-Automata
In this section we present an operational semantics of PLC-Automata in terms of timed automata. For the definition of timed automata the reader is referred to Appendix A. We first present the components of the timed automaton T(A) that is associated to a given PLC-Automaton A, and then give some intuition. Each location of T(A) is a tuple (i, a, b, q) where
- i, drawn from a finite set of program-counter values, describes the current status of the PLC program counter,
- a (an input) contains the current input,
- b (an input) contains the last input that has been polled, and
- q ∈ Q is the current state of the PLC-Automaton.
There are three clocks in use:
- x measures the time the current (latest) input is stable,
- y measures the time spent in the current state, and
- z measures the time elapsed in the current cycle.
The edges of timed automaton T(A) are defined in Table 1.
i a b q
c true fxg

i c b q if c 	 a ta
 a b q
poll xz 

 a a q ta
 a b q
test yS
t
q 

 a b q if S
t
q    b  S
e
q ta
 a b q
test yS
t
q 

 a b q if S
t
q    b  S
e
q ta
 a b q
test true 

 a b q if S
t
q   
 b 	 S
e
q ta
 a b q
tick true fzg

 a b q ta	
 a b q
tick true fzg

 a b q if q  q b ta
 a b q
tick true fy zg

 a b q b if q 	 q b ta

Table  Transitions of timed automaton T A

Note that locations refer to the timed automaton and states to the PLC	
Automaton
The timed automaton models the cyclic behaviour of a polling system. The events within one cycle are: polling input, testing whether input has to be ignored, producing new output if necessary, and ending the cycle. The program counter models the phases of a cycle. Its four values are:
- the first value denotes the first part of the cycle: the input has not yet been polled;
- the second value denotes that the polling has happened in the current cycle: the test whether to react has not been performed yet;
- the third value denotes that polling and testing have happened: the system decided to ignore the input;
- the fourth value denotes that polling and testing have happened: the system decided to react to the input.
[Figure: the program-counter cycle; poll leads from the first to the second value, test from the second to the third or the fourth, and tick from the third or the fourth back to the first.]
A clock z is introduced within the timed automaton to measure the time that has elapsed within the current cycle. This clock is not allowed to go above the time upper bound, and it is reset at the end of each cycle.

In the first phase of a cycle, incoming input is polled. In the timed automaton model there are no continuous variables available by which we can model continuous input. We have to restrict to a finite set of inputs and introduce, for each input a, a transition label a that models the discrete, instantaneous event which occurs whenever the input signal changes value and becomes a. At any time in the cycle the input signal may change its value. The current value of the input is recorded in the second component of a location of the timed automaton. Within our semantic model the occurrence of input events is described by the first transition in Table 1.

The timed automaton model allows inputs that last only for one point of time, i.e. it is not required that time passes in between input events. However, it is of course realistic to assume that polling input takes some small amount of time, and that an input can only be polled if it persists for some positive amount of time. Technically we require that input may only be polled if it has remained unchanged throughout a left-open interval. In the semantics we model this by a clock x that is reset whenever an input event occurs. Polling is only allowed if x is nonzero (see the poll transition in Table 1). The polled input is recorded in the third component of a location of T(A).

Next we have to deal with input delay. Whether input has to be ignored or not depends on the state of the PLC-Automaton and on the time during which the system has been in this state. The state of the PLC-Automaton is recorded in the fourth component of the locations of T(A). Furthermore we introduce a clock y that measures how long the current state is valid. The three test edges describe the cases that the test event has to distinguish: if a state requires no delay, or if it requires delay but the delay time is over, then input is not ignored and in the subsequent location the program counter has the "react" value; otherwise the program counter is assigned the "ignore" value.

A cycle ends with an event tick (see the three tick edges). If the program counter has the "react" value then the PLC-Automaton state is updated in the new location according to the transition function; otherwise the PLC-Automaton state remains unchanged. After a tick event the program counter gets the first value, and clock z is reset to indicate that a new cycle has started. If the state changes, then clock y is reset as well.

For each location (i, a, b, q) we want to reason about the actual input, state and output. Therefore we introduce as atomic propositions input = a, state = q and output = (the output of q), abbreviated by a, q and the output value, respectively. In fact we assume that each state generates a unique output and will often use the proposition for q and the proposition for its output as synonyms.
Formally timed automaton T A is dened as follows
Denition  Let A  Q  q

   S
t
 S
e
   be a PLCAutomaton We
dene T A to be the timed automaton SX L E  IP 
 S

 with
 S
df
 f   g   Q as locations
 X
df
 fx y zg as clocks
 L
df
   fpoll  test tickg as labels
 E the set of edges in Table  for i  f   g a b c   and q  Q
 Is
df
 z    as invariant for each location s  S
 P
df
  Q  as the set of propositions
 
i a b q
df
 a  q  q as propositions for each location i a b q  S
 S

df
 f a b q

ja b  g as set of initial locations
Duration Calculus Semantics of PLC-Automata
In this section we give a logical semantics for PLC-Automata in terms of the Duration Calculus (DC), based on the originally given semantics. For a brief introduction to DC the reader is referred to Appendix B. In the previous section we modelled the inner workings of a PLC using timed automata. Now we change our perspective: instead of modelling the internal operational behaviour, we use DC to describe which behaviour can be observed externally.

Let A be a PLC-Automaton as in Definition 1. We will give a set F(A) of DC formulae restricting the allowed interpretation of three observables, input, state and output, with domains the inputs, Q and the outputs, respectively. In the formulae below q ranges over Q and A, B, C range over subsets of the inputs. In DC formulae we write A for the disjunction of input = a over all a ∈ A, and if X is a set of states then X abbreviates the disjunction of state = q over all q ∈ X. By convention the empty set stands for false. By applying the transition function to q and a set A of inputs we denote the set of states obtained from q by the inputs a ∈ A. Each of the following formulae should be interpreted over all possible assignments to q, A, B, C.

First of all we want the system to start in the initial state, which is expressed by the formula
⌈⌉  ⌈q⌉  true (dc)
where q denotes the initial state. Recall that q abbreviates state = q.
Next we dene that the output of the system changes synchronously with
the systems state
 dqe  dqe dc
The following set of formulae describes the general behaviour of PLCs Only
inputs that arrive after the system has switched into q may produce subsequent
state transitions dc Moreover due to the cyclic behaviour a transition can
only be triggered by an input which is not older than   time units dc
dqe  dq Ae  dq 
 q Ae dc
dq Ae


dq 
 q Ae dc
To ensure that the delay S_t(q) is observed we add two formulae that correspond to the two preceding ones. The first formula states that the system is not allowed to change the state due to an input contained in S_e(q) for the first S_t(q) time units. The second formula allows changes during the first S_t(q) time units only if the input is not in S_e(q) and not older than the cycle upper bound time units.
S_t(q)  ⌈q⌉  ⌈q A⌉ S_t(q) ⌈q  q A \ S_e(q)⌉ (dc)
S_t(q)  ⌈q⌉  ⌈q⌉  ⌈q A⌉ S_t(q) ⌈q  q A \ S_e(q)⌉ (dc)
The formulae above do not force a state change; they only disallow certain transitions. If we observe a state change then another cycle will be finished within the next cycle upper bound time units. If in this interval only inputs are valid that induce a state change, then we know that a state change will indeed occur at the end of the cycle. The next formula forces a reaction within the cycle upper bound after a state change, in the case that there is no delay in state q (S_t(q) is zero):
S_t(q)  q  q A  ⌈q⌉  ⌈q A⌉  ⌈q⌉ (dc)
The following formula takes care of the case that input from a set A, none of whose inputs leads from q back to q, is followed by input from an arbitrary set B:
S_t(q)  q  q A  ⌈q⌉  ⌈q⌉  ⌈A⌉  ⌈B⌉  ⌈q B⌉ (dc)
Figure 2 gives an example of what behaviour is disallowed by the last formula. It shows an interpretation of the input and output observables of the PLC-Automaton in Figure 1 that cannot be realised according to the TA semantics of the previous section. We know that at the two marked time points a cycle ends. The interval between them contains at least two cycles, since we assume its length to be as stated in the caption. The first cycle produces no state change; therefore the input shown is polled in that interval. Consequently this input is also polled in the successive cycles, including the last cycle, which ends at the second marked point. This, however, implies that the change to state T at that point cannot happen according to the TA semantics. The last formula excludes this scenario: take q = N, and A and B the singleton input sets shown in the figure.

[Fig. 2. Interpretation over time with state N up to the second marked time point, then T; the caption states the assumed distances between the marked time points. Figure not reproduced.]
The next two formulae concern the cases with a delay in state q and are similar to the previous ones. Recall that by restriction (1), S_t(q) positive and a ∈ S_e(q) implies that the transition from q on a leads to a state different from q.
S_t(q)  A  S_e(q)  ⌈q⌉  ⌈q A⌉  ⌈q⌉ (dc)
S_t(q)  A  S_e(q)  ⌈q⌉  ⌈q⌉  ⌈A⌉  ⌈B⌉ S_t(q) ⌈q  q B \ S_e(q)⌉ (dc)

If the state changes then we know that a cycle begins and will be completed within the next cycle upper bound time units. The previous four formulae reflect that we have either two types of input or only one, and that there is a delay in the current state or not. If the state is stable for a period longer than the cycle upper bound, then we know that this interval should also contain at least one cycle. If we are in state q and the input only enables transitions that leave q, then we know that this situation cannot hold for long: in the worst case we need slightly less than one cycle upper bound to end the current cycle and an additional cycle upper bound to finish a subsequent cycle that reacts to the input. Therefore we have a set of formulae similar to the preceding ones concerning intervals of that length with a stable state. However, for this situation we do not only have to consider the cases "no delay" and "delay active", but also the cases "delay has expired" and "delay expires in that particular interval".
If there is no delay active in state q then the following two formulae apply:
S_t(q)  q  q A  ⌈q A⌉  (dc)
S_t(q)  q  q A  ⌈q⌉  ⌈A⌉  ⌈B⌉  ⌈q B⌉ (dc)
In the case where S_t(q) is positive and the delay time has not expired, only inputs not contained in S_e(q) can force a transition to happen:
S_t(q)  A  S_e(q)  ⌈q A⌉  (dc)
S_t(q)  A  S_e(q)  ⌈q⌉  ⌈q⌉  ⌈q⌉  ⌈A⌉  ⌈B⌉ S_t(q) ⌈q  q B \ S_e(q)⌉ (dc)
If the delay time has expired then the system behaves like a system with no delay. Consequently the following two formulae are the same as the two formulae for the no-delay case, except that the state is stable for an additional S_t(q) time units:
S_t(q)  q  q A  ⌈q⌉ S_t(q)  ⌈q A⌉  S_t(q)  (dc)
S_t(q)  q  q A  ⌈q⌉ S_t(q)  ⌈q⌉  ⌈A⌉  ⌈B⌉  ⌈q B⌉ (dc)
To express that the delay time expires during an interval we need some more complicated formulae, but the idea is the same as in the foregoing cases. In the formulae, u ranges over Time.
S_t(q)  A  S_e(q)  q  q B  ⌈q⌉  true ⌈A⌉  ⌈B⌉ u  S_t(q)  u (dc)
S_t(q)  A  S_e(q)  ⌈q⌉  ⌈A⌉  ⌈B⌉  ⌈q  q B⌉ (dc)
S_t(q)  A  S_e(q)  q  q B  ⌈q⌉  true ⌈A⌉  ⌈B⌉  ⌈C⌉ u  S_t(q) u ⌈q C⌉ (dc)
Some of the formulae given in this section are not applicable in the initial phase. The premise of these formulae is only true if the state changes at the beginning of an interval, which can of course not be the case in the initial state. The corresponding formulae for the initial phase are listed in Appendix C.

The DC semantics presented in this paper differs from the original one by the eleven additional formulae listed above, together with the corresponding formulae for the initial phase. We also use a different comparison operator in three of the formulae. Hence the conjunction of the formulae above is stronger than the original semantics.
Relation between TA and DC Semantics
The semantic objects of timed automata are runs; the semantic objects of the Duration Calculus are interpretations of observables (see Appendices A and B, respectively). In order to compare our two semantic models of PLC-Automata, we associate interpretations of observables to each run of a timed automaton. We will then show that for each PLC-Automaton A the set of interpretations associated to timed automaton T(A) is, in a very strong sense, equivalent with the set of interpretations associated to the DC formulae F(A). This plan is illustrated in the figure below. In this section we will define the mapping from runs to interpretations of observables, and the equivalence between sets of observables.
From Runs to Interpretations
Within the DC semantics we have three observables, input, state and output, with domains the inputs, Q and the outputs, respectively. Within the TA semantics the values from these domains occur as proposition symbols, and for each location exactly one proposition from the inputs holds, one proposition from Q and one proposition from the outputs. We say that the inputs, Q and the outputs are leagues.

[Figure: Relation between TA semantics and DC semantics. A PLC-Automaton A yields the timed automaton T(A) with runs R(T(A)) (sequences of locations s_i, valuations v_i and times t_i), and the Duration Calculus formulae F(A) with interpretations I(F(A)); both sides are related through interpretations of runs over the observables input, state and output.]
Denition  For a timed automaton T  SX L E  IP 
 S

 we dene a
set P  P of propositions to be a league if at each location one and only one
atomic proposition p  P is valid ie s  S 

p  P  p  
s  P  If P is a
league then we dene 

P
to be the function that assigns to each location s the
unique element of 
s  P 
Each timed automaton T A has three leagues corresponding to the three
observables in the DC semantics FA  corresponds to input Q to state and
 to output
Recall that the interpretation of a DC observable is a function from time
to the domain of this observable Therefore when mapping a run to an inter
pretation of an observable we have to associate to each point of time a unique
element of the domain ie a proposition of a league However within runs of a
timed automaton time needs not to increase strictly monotonically Therefore
if in a run there are consecutive states at the same point in time we use the last
one to dene the unique interpretation
Denition 	 Let T be a timed automaton with a run r  s
i
 v
i
 t
i

iIN
and
let o

     o
n
be observables such that the domains D

     D
n
are leagues of
T  Let  be the function that assigns to each t  Time the largest index i such
that t
i
 t Note that  is welldened due to the divergence of time in r We
dene 
o

   o
n
r to be the interpretion that assigns to each observable o
j
the
state function f
j
given by f
j
t  

D
j
s
t
 We omit subscript o

    o
n
when
clear from the context Also if R is a set of runs then we write R for the set
fr j r  Rg
Equivalence of Interpretations
In DC the truth of a formula is defined by integrals of functions over intervals. Functions that are identical up to zero-sets give the same truth values for all formulae and can be identified. We therefore define two state functions f and g to be equivalent if they differ in at most countably many points. Two interpretations I and I′ are equivalent if the state functions they assign to obs are equivalent for each observable obs. Hence, by the definition of ⊨, we see that for each formula F: if I and I′ are equivalent, then I ⊨ F if and only if I′ ⊨ F.
Denition  Let o

     o
n
be observables with domains D

     D
n
 F a set
of DC formulae and IF the set of interpretations of o

     o
n
that satisfy the
formulae of F  Let T be a timed automaton with leagues D

     D
n
 We say
that F is
 sound with respect to T if for each run r  RT  there exists an interpreta
tion I  IF such that 
o

   o
n
r


I
 complete with respect to T if for each interpretation I  IF there exists
a run r  RT  such that 
o

   o
n
r


I
Note that F is sound wrt T i RT   IF i for each run r  RT 
and for each formula F  F  r j F  Conversely it may be the case that F is
complete wrt T even though IF 	 RT 
In Sections 	 and  we will show soundness and completeness respectively
of FA wrt T A for each PLCAutomaton A
Soundness

In this section we will prove the following.

Theorem. Let $A$ be a PLC-Automaton. Then the logical semantics $\mathcal{F}(A)$ is sound w.r.t. the operational semantics $T(A)$, i.e. for each run $r \in R(T(A))$ and for each formula $F \in \mathcal{F}(A)$, $(r) \models F$.

Proof. Throughout this proof we fix a run $r = (s_i, v_i, t_i)_{i \in \mathbb{N}}$ and let $I = (r)$. For each of the formulae $F$ listed earlier and in Appendix C, for each possible value of the variables $q$, $A$, $B$, $C$ and $u$ occurring in these formulae, and for each $e \in \mathit{Time}$ we will prove that $I, [\ , e] \models F$.

The locations $s$ of the timed automaton $T(A)$ are tuples, to the components of which we will refer as $s.\mathit{phase}$, $s.\mathit{input}$, $s.\mathit{polled}$ and $s.\mathit{state}$. We start with some technical lemmas that are heavily used in the rest of the proof and then proceed with a case distinction on $F$.
Technical Lemmas

The first lemma states that a polling transition can never follow another transition without any intervening delay.

Lemma. Suppose $i$ , $s_i.\mathit{phase}$  and $s_i.\mathit{phase}$ . Then $t_i$  $t_i$.

Proof. According to the timed automata semantics, a transition of type ta brings the system from location $s_i$ to location $s_i$. We distinguish the following three cases.
 $i$ . Observe that $v(x)$  and ta has guard $x$ .
 Location $s_i$ is reached via a transition ta. Observe that $v_i(x)$  and ta has guard $x$ .
 Location $s_i$ is reached via a transition ta, ta or ta. Observe that $v_i(z)$  and ta has guard $z$ .
The next lemma states that when the system is in its initial phase, a state change can only occur after some time has elapsed. This means that each state persists for a positive amount of time.

Lemma. Suppose that for some $i \in \mathbb{N}$ and $e \in \mathit{Time}$: $t_i$  $e$, $s_i.\mathit{phase}$  and $s_i.\mathit{state}$  $q$. Then $I, [t_i, e] \models \lceil q \rceil$  true.

Proof. Since time diverges there exists a smallest $j$  $i$ such that $t_j$  $t_i$. By the previous lemma, a transition ta always increases time. Since in states $s$ with $s.\mathit{phase}$  only transitions ta and ta are possible, and transitions ta leave the phase unchanged, it follows that all states $s_k$ for $i$  $k$  $j$ are reached by transitions of type ta or ta. Hence $s_k.\mathit{state}$  $q$ for all $i$  $k$  $j$. This implies $I, [t_i, e] \models \lceil q \rceil$  true.
A major characteristic of PLC-Automata is their cyclic behaviour. A cycle takes at most  time units and in each cycle input is polled once. The next two lemmas state that this behaviour is captured by the timed automata semantics of PLC-Automata.

Lemma. For all $i \in \mathbb{N}$ there exists a $j$  $i$ with $t_j$  $t_i$ , $s_j.\mathit{phase}$  and $s_j.\mathit{phase}$ . If $s_i.\mathit{phase}$  then there exists a $j$  $i$ with $t_j$  $t_i$ , $s_j.\mathit{phase}$  and $s_j.\mathit{phase}$ .

Proof. By contradiction. Assume that there exists an $i \in \mathbb{N}$ such that for all $j$  $i$: $t_j$  $t_i$ , or $s_j.\mathit{phase}$ , or $s_j.\mathit{phase}$ . Since time diverges there exists a smallest $j$  $i$ with $t_j$  $t_i$ . Since $s_k.\mathit{phase}$  or $s_k.\mathit{phase}$  holds for all $k$, $i$  $k$  $j$, no transitions of type ta, ta or ta occur in states $s_k$ for $i$  $k$  $j$. Since these are the only transitions that reset clock $z$, and since $v_i(z)$ , it follows that $v_j(z)$ . But this violates the invariant $z$ , which holds for each location. Contradiction.

If $s_i.\mathit{phase}$  then there exists a largest $k$  $i$ with $s_k.\mathit{state}$  and $s_k$ . Since a transition of type ta takes place in state $s_k$, $v_k(z)$  and therefore $v_i(z)$ . Similar to the previous case one can now prove the strict inequality $t_i$  $t_j$ .
Lemma. Suppose $i, j \in \mathbb{N}$ with $i$  $j$, $s_i.\mathit{phase}$ , $s_j.\mathit{phase}$  and $s_j.\mathit{phase}$ . Then there exists a $k$ with $i$  $k$  $j$, $s_k.\mathit{phase}$ , $s_k.\mathit{phase}$ , $t_i$  $t_k$ and $t_j$  $t_k$ .

Proof. Since $s_j.\mathit{phase}$  and $s_j.\mathit{phase}$ , a transition of type ta, ta or ta occurs at $t_j$. Because $s_i.\mathit{phase}$  and $s_j.\mathit{phase}$ , at least one transition of type ta has to occur between $t_i$ and $t_j$. Let $t_k$ be the time of the last one of these transitions. Then $s_k.\mathit{phase}$  and $s_k.\mathit{phase}$ . By Lemma, $t_i$  $t_k$. Also $v_k(z)$  and for all $k$  $l$  $j$, $s_l.\mathit{phase}$ . This implies that clock $z$ is only reset at time $t_j$. Thus $t_j$  $t_k$  must hold.
Since DC identifies interpretations that are identical almost everywhere, we need a lemma that ensures that only input can be polled which has persisted for some time.

Lemma. Suppose $I, [t, t'] \models \lceil A \rceil$. Suppose further that for some $j$ : $t_j \in [t, t']$, $s_j.\mathit{phase}$  and $s_j.\mathit{phase}$ . Then $s_j.\mathit{polled}$  $A$.

Proof. By Lemma, $t_j$  $t_j$. By definition of $I$, $\mathit{input}_I(u)$  $s_j.\mathit{input}$ for all $u$ in the interval $[t_j, t_j]$. Since $[t_j, t_j]$ and $[t, t']$ have at least one point in common, they have a nonempty open interval in common. Hence $s_j.\mathit{input}$  $A$ and thus $s_j.\mathit{polled}$  $A$.
Basic Formulae

First we have to show that the timed automata semantics fulfil the initial conditions given by the DC semantics, i.e. that the following formula holds in $I$ for each interval $[\ , e]$.

Formula dc: $\lceil \rceil$  $\lceil q \rceil$  true

Proof. If $e$  then the left disjunct holds. If $e$  then, since $t$ , $s.\mathit{phase}$  and $s.\mathit{state}$  $q$, Lemma implies that the right disjunct holds.

Formula dc: $\lceil q \rceil$  $\lceil q \rceil$

Proof. Straightforward from the definitions.
A basic feature of PLC-Automata is that the successor of a state depends on the actual state and the input polled since the last state change. Therefore we have to show that the following formula holds in $I$.

Formula dc: $\lceil q \rceil$  $\lceil q\,A \rceil$  $\lceil q$  $q\,A \rceil$

Proof. By contradiction. Assume $I, [\ , e] \models \lceil q \rceil$  $\lceil q\,A \rceil$  $\lceil q$  $q\,A \rceil$. Then there are time points $e$, $e$, $e$, $e$ such that
 $I, [e, e] \models \lceil q \rceil$,
 $I, [e, e] \models \lceil q\,A \rceil$ and
 $I, [e, e] \models \lceil q$  $q\,A \rceil$.
Moreover there are indices $i$, $j$ such that $t_i$  $e$, $s_i.\mathit{phase}$ , $t_j$  $e$, $s_j.\mathit{phase}$  and $s_j.\mathit{phase}$ . Lemma ensures that there exists a largest $k$ with $i$  $k$  $j$, $s_k.\mathit{phase}$ , $s_k.\mathit{phase}$ , $t_i$  $t_k$ and $t_j$  $t_k$ . Lemma ensures that $s_k.\mathit{polled}$  $A$. This implies that the resulting state after the next tick-transition at $t_j$ is in $q\,A$. Now Lemma implies $I, [e, e] \models \lceil q\,A \rceil$  true. Contradiction.
The next formula restricts the time during which input is allowed to have influence on the state to .

Formula dc: $\lceil q\,A \rceil$  $\lceil q$  $q\,A \rceil$

Proof. By contradiction. Assume $I, [\ , e] \models \lceil q\,A \rceil$  $\lceil q$  $q\,A \rceil$. Then there are time points $e$, $e$, $e$ such that
 $e$  $e$ ,
 $I, [e, e] \models \lceil q\,A \rceil$ and
 $I, [e, e] \models \lceil q$  $q\,A \rceil$.
Moreover there is an index $j$ such that $t_j$  $e$, $s_j.\mathit{phase}$  and $s_j.\mathit{phase}$ . Let $i$ be the largest index such that $i$  $j$ and $s_i.\mathit{phase}$  (note that $i$ is always well-defined as $s.\mathit{phase}$ ). By Lemma, $t_i$  $e$. Lemma ensures that there exists a $k$ with $i$  $k$  $j$, $s_k.\mathit{phase}$ , $s_k.\mathit{phase}$  and $t_i$  $t_k$. Lemma ensures that $s_k.\mathit{polled}$  $A$. From this we infer that $s_j.\mathit{state}$  $q\,A$. Now Lemma implies $I, [e, e] \models \lceil q\,A \rceil$  true. Contradiction.
The next formula states that input with a delay has to be ignored for $S_t(q)$ time units.

Formula dc: $S_t(q)$   $\lceil q \rceil$  $\lceil q\,A \rceil^{S_t(q)}$  $\lceil q$  $q\,A \setminus S_e(q) \rceil$

Proof. Assume $S_t(q)$ . We prove the rhs of the implication by contradiction. Assume $I, [\ , e] \models \lceil q \rceil$  $\lceil q\,A \rceil^{S_t(q)}$  $\lceil q$  $q\,A \setminus S_e(q) \rceil$. Then there are time points $e$, $e$, $e$, $e$ such that
 $e$  $e$  $S_t(q)$,
 $I, [e, e] \models \lceil q \rceil$,
 $I, [e, e] \models \lceil q\,A \rceil$ and
 $I, [e, e] \models \lceil q$  $q\,A \setminus S_e(q) \rceil$.
Moreover there are indices $i$, $j$ such that $t_i$  $e$, $s_i.\mathit{phase}$ , $v_i(y)$ , $t_j$  $e$, $s_j.\mathit{phase}$  and $s_j.\mathit{phase}$ . Lemma ensures that there exists a largest $k$ with $i$  $k$  $j$, $s_k.\mathit{phase}$ , $s_k.\mathit{phase}$  and $t_i$  $t_k$. Lemma ensures that $s_k.\mathit{polled}$  $A$. Since $e$  $e$  $S_t(q)$, $v_m(y)$  $S_t(q)$ for all $i$  $m$  $j$. From this we infer that there exists an index $m$ with $k$  $m$  $j$ such that a transition of type ta occurs at time $t_m$. This implies that $s_m.\mathit{polled}$  $S_e(q)$. In combination with the previous observation that $s_k.\mathit{polled}$  $A$ this gives $s_j.\mathit{polled}$  $A \setminus S_e(q)$. Hence $s_j.\mathit{state}$  $q\,A \setminus S_e(q)$. Now Lemma implies $I, [e, e] \models \lceil q\,A \setminus S_e(q) \rceil$  true. Contradiction.
Formula dc: $S_t(q)$   $\lceil q \rceil$  $\lceil q \rceil$  $\lceil q\,A \rceil^{S_t(q)}$  $\lceil q$  $q\,A \setminus S_e(q) \rceil$

Proof. Assume $S_t(q)$ . We prove the rhs of the implication by contradiction. Assume $I, [\ , e] \models \lceil q \rceil$  $\lceil q \rceil$  $\lceil q\,A \rceil^{S_t(q)}$  $\lceil q$  $q\,A \setminus S_e(q) \rceil$. Then there are time points $e$, $e$, $e$, $e$, $e$ such that
 $e$  $e$ ,
 $e$  $e$  $S_t(q)$,
 $I, [e, e] \models \lceil q \rceil$,
 $I, [e, e] \models \lceil q \rceil$,
 $I, [e, e] \models \lceil A \rceil$ and
 $I, [e, e] \models \lceil q$  $q\,A \setminus S_e(q) \rceil$.
Moreover there are indices $i$, $j$ such that $t_i$  $e$, $s_i.\mathit{phase}$ , $v_i(y)$ , $t_j$  $e$, $s_j.\mathit{phase}$  and $s_j.\mathit{phase}$ . Lemma ensures that there exists a largest $k$ with $i$  $k$  $j$, $s_k.\mathit{phase}$ , $s_k.\mathit{phase}$  and $t_j$  $t_k$ . Thus $t_k$  $e$ and we can use Lemma to obtain $s_k.\mathit{polled}$  $A$. Since $e$  $e$  $S_t(q)$, $v_m(y)$  $S_t(q)$ for all $i$  $m$  $j$. From this we infer that there exists an index $m$ with $k$  $m$  $j$ such that a transition of type ta occurs at time $t_m$. This implies that $s_m.\mathit{polled}$  $S_e(q)$. In combination with the previous observation that $s_k.\mathit{polled}$  $A$ this gives $s_j.\mathit{polled}$  $A \setminus S_e(q)$. Hence $s_j.\mathit{state}$  $q\,A \setminus S_e(q)$. Now Lemma implies $I, [e, e] \models \lceil q\,A \setminus S_e(q) \rceil$  true. Contradiction.
State Change

The next formulae are more explicit about when to change the state.

Formula dc: $S_t(q)$   $q$  $q\,A$   $\lceil q \rceil$  $\lceil q\,A \rceil$  $\lceil q \rceil$

Proof. Assume $S_t(q)$  and $q$  $q\,A$. We prove the rhs by contradiction. Assume $I, [\ , e] \models \lceil q \rceil$  $\lceil q\,A \rceil$  $\lceil q \rceil$. Then there are time points $e$, $e$, $e$, $e$ such that
 $e$  $e$ ,
 $I, [e, e] \models \lceil q \rceil$,
 $I, [e, e] \models \lceil A \rceil$ and
 $I, [e, e] \models \lceil q \rceil$.
Moreover there is an index $i$ such that $t_i$  $e$ and $s_i.\mathit{phase}$ . By Lemma there exists an index $j$  $i$ such that $t_j$  $e$, $s_j.\mathit{phase}$  and $s_j.\mathit{phase}$ . By Lemma there exists a largest $k$ such that $i$  $k$  $j$, $s_k.\mathit{phase}$ , $s_k.\mathit{phase}$  and $t_i$  $t_k$. By Lemma, $s_k.\mathit{polled}$  $A$. By assumption $S_t(q)$ , there is a transition of type ta in between $t_k$ and $t_j$, so it follows that $s_j.\mathit{phase}$  and $s_j.\mathit{polled}$  $A$. This implies that $s_j.\mathit{state}$  $q\,A$. Now Lemma implies $I, [t_j, e] \models \lceil q\,A \rceil$  true. This contradicts the assumption $q$  $q\,A$ and the fact $I, [e, e] \models \lceil q \rceil$.
Formula dc: $S_t(q)$   $q$  $q\,A$   $\lceil q \rceil$  $\lceil q \rceil$  $\lceil A \rceil$  $\lceil B \rceil$  $\lceil q\,B \rceil$

Proof. Assume $S_t(q)$  and $q$  $q\,A$. We prove the rhs by contradiction. Assume $I, [\ , e] \models \lceil q \rceil$  $\lceil q \rceil$  $\lceil A \rceil$  $\lceil B \rceil$  $\lceil q\,B \rceil$. Then there are time points $e$, $e$, $e$, $e$, $e$ such that
 $e$  $e$ ,
 $I, [e, e] \models \lceil q \rceil$,
 $I, [e, e] \models \lceil q \rceil$,
 $I, [e, e] \models \lceil A \rceil$,
 $I, [e, e] \models \lceil B \rceil$ and
 $I, [e, e] \models \lceil q\,B \rceil$.
Using the soundness of formula dc we infer $q$  $q\,B$. Thus there are indices $m$, $j$ such that $t_m$  $e$, $s_m.\mathit{phase}$ , $t_j$  $e$, $s_j.\mathit{phase}$  and $s_j.\mathit{phase}$ . Let $i$  $j$ be the largest index with $s_i.\mathit{phase}$ . Then $e$  $t_i$ by Lemma. By Lemma there exists a $k$ such that $i$  $k$  $j$, $s_k.\mathit{phase}$  and $s_k.\mathit{phase}$ . Now there are two cases.
 $t_k$  $e$. Then by Lemma $s_k.\mathit{polled}$  $B$. Therefore it must be that $s_j.\mathit{state}$  $q\,B$. Now Lemma implies $I, [e, e] \models \lceil q\,B \rceil$  true. Contradiction.
 $t_k$  $e$. Then also $t_i$  $e$. By Lemma there exists a largest $n$ such that $m$  $n$  $i$, $s_n.\mathit{phase}$ , $s_n.\mathit{phase}$  and $t_m$  $t_n$. Then by Lemma $s_n.\mathit{polled}$  $A$. By assumption $S_t(q)$ , there is a transition of type ta in between $t_n$ and $t_i$, so it follows that $s_i.\mathit{phase}$ . This implies $s_i.\mathit{polled}$  $A$ and therefore $s_i.\mathit{state}$  $q\,A$. Now Lemma implies $I, [t_i, e] \models \lceil q\,A \rceil$  true. This contradicts the assumption $q$  $q\,A$ and the fact $I, [e, e] \models \lceil q \rceil$.
If input from the complement of $S_e(q)$ occurs during a delay, then the system has to react like in a situation without delay and with arbitrary input.

Formula dc: $S_t(q)$   $A$  $S_e(q)$    $\lceil q \rceil$  $\lceil q\,A \rceil$  $\lceil q \rceil$

Proof. Similar to the proof of dc. Note that by formula , $S_t(q)$   $A$  $S_e(q)$  implies $q$  $q\,A$.

Formula dc: $S_t(q)$   $A$  $S_e(q)$    $\lceil q \rceil$  $\lceil q \rceil$  $\lceil A \rceil$  $\lceil B \rceil^{S_t(q)}$  $\lceil q$  $q\,B \setminus S_e(q) \rceil$

Proof. Similar to the proof of dc. Use again that by formula , $S_t(q)$   $A$  $S_e(q)$  implies $q$  $q\,A$.
Stable State

If input lasts  or more, then we know for sure that it has been polled.

Formula dc: $S_t(q)$   $q$  $q\,A$    $\lceil q\,A \rceil$  $\ell$ 

Proof. Assume $S_t(q)$  and $q$  $q\,A$. We prove the rhs by contradiction. Assume $I, [\ , e] \models \lceil q\,A \rceil$  $\ell$ . Then there are time points $e$ and $e$ such that $e$  $e$  and $I, [e, e] \models \lceil q\,A \rceil$. Let $i$ be the largest index such that $t_i$  $e$. Then $I, [t_i, e] \models \lceil q\,A \rceil$. We distinguish two cases.
 $s_i.\mathit{phase}$ . By Lemma there exists a $j$  $i$ with $t_j$  $e$, $s_j.\mathit{phase}$  and $s_j.\mathit{phase}$ . By Lemma there exists a largest $k$ with $i$  $k$  $j$, $s_k.\mathit{phase}$ , $s_k.\mathit{phase}$ , $t_i$  $t_k$ and $t_j$  $t_k$ . Using the assumption $S_t(q)$  we infer that in between $t_k$ and $t_j$ a transition of type ta takes place, so that $s_j.\mathit{phase}$ . By Lemma we derive $s_k.\mathit{polled}$  $A$ and therefore $s_j.\mathit{polled}$  $A$. Using assumption $q$  $q\,A$ we obtain $s_j.\mathit{state}$  $q$. Now Lemma implies $I, [t_j, e] \models \lceil q \rceil$  true. Contradiction.
 $s_i.\mathit{phase}$ . By Lemma there exists an $m$  $i$ with $t_m$  $e$  and $s_m.\mathit{phase}$ . Using Lemma again we can find a $j$  $m$ with $t_j$  $e$, $s_j.\mathit{phase}$  and $s_j.\mathit{phase}$ . Now complete the proof as in the previous case.
A polling real-time system only makes transitions based on the last input that has been polled.

Formula dc: $S_t(q)$   $q$  $q\,A$   $\lceil q \rceil$  $\lceil A \rceil$  $\lceil B \rceil$  $\lceil q\,B \rceil$

Proof. Assume $S_t(q)$  and $q$  $q\,A$. We prove the rhs by contradiction. Assume $I, [\ , e] \models \lceil q \rceil$  $\lceil A \rceil$  $\lceil B \rceil$  $\lceil q\,B \rceil$. Then there are time points $e$, $e$, $e$, $e$ such that
 $e$  $e$ ,
 $I, [e, e] \models \lceil q \rceil$,
 $I, [e, e] \models \lceil A \rceil$,
 $I, [e, e] \models \lceil B \rceil$ and
 $I, [e, e] \models \lceil q\,B \rceil$.
Using the soundness of formula dc we infer $q$  $q\,B$. Thus there is an index $j$ such that $t_j$  $e$, $s_j.\mathit{phase}$  and $s_j.\mathit{phase}$ . Let $i$ be the largest index such that $i$  $j$, $s_i.\mathit{phase}$  and $s_i.\mathit{phase}$ . By Lemma we know that such an $i$ exists and also that $t_j$  $t_i$ . Lemma ensures that there exists a $k$ with $i$  $k$  $j$, $s_k.\mathit{phase}$  and $s_k.\mathit{phase}$ . We distinguish two cases.
 $t_k$  $e$. By Lemma we infer $s_k.\mathit{polled}$  $B$. Hence $s_j.\mathit{polled}$  $B$ and it follows that $s_j.\mathit{state}$  $q\,B$. From this we can easily derive a contradiction.
 $t_k$  $e$. Then also $t_i$  $e$. Let $m$ be the largest index such that $m$  $i$, $s_m.\mathit{phase}$  and $t_i$  $t_m$ . The existence of $m$ is ensured by Lemma. Since $t_m$  $e$, we can routinely infer that an input in $A$ is polled in the cycle from $t_m$ to $t_i$, which by the assumptions leads to a state change at time $t_i$. Contradiction.
Formula dc: $S_t(q)$   $A$  $S_e(q)$     $\lceil q\,A \rceil$  $\ell$ 

Proof. Similar to the proof of dc. Use again that by formula , $S_t(q)$   $A$  $S_e(q)$  implies $q$  $q\,A$.
Formula dc: $S_t(q)$   $A$  $S_e(q)$    $\lceil q \rceil$  $\lceil q \rceil$  $\lceil q \rceil$  $\lceil A \rceil$  $\lceil B \rceil^{S_t(q)}$  $\lceil q$  $q\,B \setminus S_e(q) \rceil$

Proof. Assume $S_t(q)$  and $A$  $S_e(q)$ . We prove the rhs by contradiction. Assume $I, [\ , e] \models \lceil q \rceil$  $\lceil q \rceil$  $\lceil q \rceil$  $\lceil A \rceil$  $\lceil B \rceil^{S_t(q)}$  $\lceil q$  $q\,B \setminus S_e(q) \rceil$. Then there are time points $e$, $e$, $e$, $e$, $e$, $e$ such that
 $e$  $e$  $S_t(q)$,
 $e$  $e$ ,
 $I, [e, e] \models \lceil q \rceil$,
 $I, [e, e] \models \lceil q \rceil$,
 $I, [e, e] \models \lceil A \rceil$,
 $I, [e, e] \models \lceil B \rceil$ and
 $I, [e, e] \models \lceil q$  $q\,B \setminus S_e(q) \rceil$.
Moreover there are indices $m$, $j$ such that $t_m$  $e$, $v_m(y)$ , $t_j$  $e$, $s_j.\mathit{phase}$  and $s_j.\mathit{phase}$ . Let $i$ be the largest index such that $i$  $j$, $s_i.\mathit{phase}$  and $s_i.\mathit{phase}$ . By Lemma we know that such an $i$ exists and also that $t_j$  $t_i$ . Lemma ensures that there exists a $k$ with $i$  $k$  $j$, $s_k.\mathit{phase}$  and $s_k.\mathit{phase}$ . We distinguish two cases.
 $t_k$  $e$. By Lemma we infer $s_k.\mathit{polled}$  $B$. Since $I, [t_m, e] \models \lceil q \rceil$ and $e$  $t_m$  $S_t(q)$, we know that $v_n(y)$  $S_t(q)$ for all $k$  $n$  $j$. In combination with the fact that $s_j.\mathit{phase}$ , this allows us to infer that a transition of type ta occurs at some state $s_n$ with $k$  $n$  $j$. This implies that $s_j.\mathit{polled}$  $B \setminus S_e(q)$. Thus $s_j.\mathit{state}$  $q\,B \setminus S_e(q)$. From this we can easily derive a contradiction.
 $t_k$  $e$. Then also $t_i$  $e$. Let $p$ be the largest index such that $p$  $i$, $s_p.\mathit{phase}$  and $t_i$  $t_p$ . The existence of $p$ is ensured by Lemma. Since $t_p$  $e$, we can routinely infer that an input in $A$ is polled in the cycle from $t_p$ to $t_i$, which by the assumptions and formula  leads to a state change at time $t_i$. Contradiction.
If input lasts longer than , we know for sure that it has been polled. So if after a delay period an input persists for  time, then a PLC-Automaton should take an appropriate transition.

Formula dc: $S_t(q)$   $q$  $q\,A$    $\lceil q \rceil^{S_t(q)}$  $\lceil q\,A \rceil$  $\ell$  $S_t(q)$ 

Proof. Assume $S_t(q)$  and $q$  $q\,A$. We prove the rhs by contradiction. Assume $I, [\ , e] \models \lceil q \rceil^{S_t(q)}$  $\lceil q\,A \rceil$  $\ell$  $S_t(q)$ . Then there are time points $e$, $e$, $e$ such that
 $e$  $e$  $S_t(q)$,
 $e$  $e$ ,
 $I, [e, e] \models \lceil q \rceil$ and
 $I, [e, e] \models \lceil A \rceil$.
Let $m$ be the largest index such that $t_m$  $e$ and $s_m.\mathit{phase}$ . Then $I, [t_m, e] \models \lceil q \rceil$. Let $i$  $m$ be the largest index such that $t_i$  $e$ and $s_i.\mathit{phase}$ . By Lemma there exists a $j$  $i$ with $t_j$  $t_i$ , $s_j.\mathit{phase}$  and $s_j.\mathit{phase}$ . By Lemma there exists a $k$ with $i$  $k$  $j$, $s_k.\mathit{phase}$ , $s_k.\mathit{phase}$ , $t_i$  $t_k$ and $t_j$  $t_k$ . We distinguish between two cases.
 $t_k$  $e$. By Lemma, $s_k.\mathit{polled}$  $A$. Since $I, [e, e] \models \lceil q \rceil$ and $e$  $e$  $S_t(q)$, $v_n(y)$  $S_t(q)$ for all $k$  $n$  $j$. Thus a transition of type ta or ta takes place in between $t_k$ and $t_j$, and we obtain $s_j.\mathit{phase}$  and $s_j.\mathit{polled}$  $A$. Thus, using the assumption, $s_j.\mathit{state}$  $q$. Now by Lemma, $I, [t_j, e] \models \lceil q \rceil$. Contradiction.
 $t_k$  $e$. Then $t_i$  $e$ and therefore $t_j$  $e$ . By Lemma there exists an $n$  $j$ with $t_n$  $e$, $s_n.\mathit{phase}$  and $s_n.\mathit{phase}$ . By a similar argument as in the previous case we infer that at time $t_n$ the system jumps to a non-$q$ state and derive a contradiction.
Formula dc: $S_t(q)$   $q$  $q\,A$   $\lceil q \rceil^{S_t(q)}$  $\lceil q \rceil$  $\lceil A \rceil$  $\lceil B \rceil$  $\lceil q\,B \rceil$

Proof. Assume $S_t(q)$  and $q$  $q\,A$. We prove the rhs by contradiction. Assume $I, [\ , e] \models \lceil q \rceil^{S_t(q)}$  $\lceil q \rceil$  $\lceil A \rceil$  $\lceil B \rceil$  $\lceil q\,B \rceil$. Then there are time points $e$, $e$, $e$, $e$, $e$ such that
 $e$  $e$  $S_t(q)$,
 $e$  $e$ ,
 $I, [e, e] \models \lceil q \rceil$,
 $I, [e, e] \models \lceil A \rceil$,
 $I, [e, e] \models \lceil B \rceil$ and
 $I, [e, e] \models \lceil q\,B \rceil$.
Let $p$ be the largest index such that $t_p$  $e$. Then $I, [t_p, e] \models \lceil q \rceil$. Thus $v_q(y)$  $S_t(q)$ for all $q$ with $t_q$  $e$. Using the soundness of formula dc we infer $q$  $q\,B$. Thus there is an index $j$ such that $t_j$  $e$, $s_j.\mathit{phase}$  and $s_j.\mathit{phase}$ . Let $i$ be the largest index such that $i$  $j$, $s_i.\mathit{phase}$  and $s_i.\mathit{phase}$ . By Lemma we know that such an $i$ exists and also that $t_j$  $t_i$ . Lemma ensures that there exists a $k$ with $i$  $k$  $j$, $s_k.\mathit{phase}$  and $s_k.\mathit{phase}$ . We distinguish two cases.
 $t_k$  $e$. By Lemma we infer $s_k.\mathit{polled}$  $B$. Hence $s_j.\mathit{polled}$  $B$ and it follows that $s_j.\mathit{state}$  $q\,B$. From this we can easily derive a contradiction.
 $t_k$  $e$. Then also $t_i$  $e$. Let $m$ be the largest index such that $m$  $i$, $s_m.\mathit{phase}$  and $t_i$  $t_m$ . The existence of $m$ is ensured by Lemma. Since $t_m$  $e$, we can routinely infer that an input in $A$ is polled in the cycle from $t_m$ to $t_i$. After the polling, a test-transition changes the phase to  (use that $v_q(y)$  $S_t(q)$ for all $q$ with $t_q$  $e$). Hence, by the assumption $q$  $q\,A$, a state change occurs at time $t_i$. Contradiction.
The next three formulae allow us to handle intervals where the delay expires.

Formula dc: $S_t(q)$   $A$  $S_e(q)$   $q$  $q\,B$   $\lceil q \rceil$  true  $\lceil A \rceil$  $\lceil B \rceil^{u}$    $S_t(q)$  $u$

Proof. Assume $S_t(q)$ , $A$  $S_e(q)$  and $q$  $q\,B$. We prove the rhs by contradiction. Assume $I, [\ , e] \models \lceil q \rceil^{S_t(q)\,u}$  true  $\lceil A \rceil$  $\lceil B \rceil^{u}$ . Then there are time points $e$, $e$, $e$, $e$ such that
 $e$  $e$  $S_t(q)$  $u$,
 $e$  $e$ ,
 $e$  $e$  $u$,
 $I, [e, e] \models \lceil q \rceil$,
 $I, [e, e] \models \lceil A \rceil$ and
 $I, [e, e] \models \lceil B \rceil$.
We sketch the rest of the proof. Since $e$  $e$ , the interval $[e, e]$ contains at least one full cycle by Lemma. Polling for this cycle either occurs in the subinterval $[e, e]$ or in the subinterval $[e, e]$. In the first case an action from $A$ is polled and we derive a contradiction: since $q$  $q\,A$ by the assumptions and formula , the system jumps to a different state before $e$. In the second case an action from $B$ is polled and we also derive a contradiction: since the delay time $S_e(q)$ has passed and $q$  $q\,B$, there is a state transition before $e$.
Formula dc: $S_t(q)$   $A$  $S_e(q)$    $\lceil q \rceil$  $\lceil A \rceil$  $\lceil B \rceil$  $\lceil q$  $q\,B \rceil$

Proof. Assume $S_t(q)$  and $A$  $S_e(q)$ . We prove the rhs by contradiction. Assume $I, [\ , e] \models \lceil q \rceil$  $\lceil A \rceil$  $\lceil B \rceil$  $\lceil q$  $q\,B \rceil$. Then there are time points $e$, $e$, $e$, $e$ such that
 $e$  $e$ ,
 $I, [e, e] \models \lceil q \rceil$,
 $I, [e, e] \models \lceil A \rceil$,
 $I, [e, e] \models \lceil B \rceil$ and
 $I, [e, e] \models \lceil q$  $q\,B \rceil$.
We sketch the rest of the proof. Consider the PLC cycle that ends at time $e$. Let $t_k$ be the time at which polling occurs in this cycle. We consider two cases.
 If $t_k$  $e$ then an action from $B$ is polled. If this action is ignored because it is in $S_e(q)$ and the delay has not yet expired, then the resulting state after the transition at $e$ is $q$ and we have a contradiction. But if the action is not ignored, then a transition to a state in $q\,B$ occurs at time $e$ and we are also in trouble.
 If $t_k$  $e$ then we know that a full PLC cycle is contained in the interval $[e, e]$. Because an action from $A$ is polled in this interval we have again a contradiction: since by the assumption and formula , $q$  $q\,A$, there is a state jump before $e$.
Formula dc: $S_t(q)$   $A$  $S_e(q)$   $q$  $q\,B$   $\lceil q \rceil$  true  $\lceil A \rceil$  $\lceil B \rceil$  $\lceil C \rceil^{u}$   $S_t(q)\,u$  $\lceil q\,C \rceil$

Proof. Assume $S_t(q)$ , $A$  $S_e(q)$  and $q$  $q\,B$. We prove the rhs by contradiction. Assume $I, [\ , e] \models \lceil q \rceil^{S_t(q)\,u}$  true  $\lceil A \rceil$  $\lceil B \rceil$  $\lceil C \rceil^{u}$   $\lceil q\,C \rceil$. Then there are time points $e$, $e$, $e$, $e$, $e$, $e$ such that
 $e$  $e$  $S_t(q)$  $u$,
 $e$  $e$ ,
 $e$  $e$  $u$,
 $I, [e, e] \models \lceil q \rceil$,
 $I, [e, e] \models \lceil A \rceil$,
 $I, [e, e] \models \lceil B \rceil$,
 $I, [e, e] \models \lceil C \rceil$ and
 $I, [e, e] \models \lceil q\,C \rceil$.
We sketch the rest of the proof. Using the soundness of formula dc we infer $q$  $q\,C$. Consider the PLC cycle that ends at time $e$. Let $t_k$ be the time at which polling occurs in this cycle. We consider two cases.
 If $t_k$  $e$ then an action from $C$ is polled. This means, since $y$  $S_t(q)$ holds for each time point greater than or equal to $e$, that a transition to a state in $q\,C$ occurs at time $e$. Contradiction.
 If $t_k$  $e$ then we know that a full PLC cycle is contained in the interval $[e, e]$. Let $t_m$ be the time at which polling occurs in this cycle. Again we consider two cases.
  $t_m$  $e$. Then an action from $B$ is polled and we derive a contradiction: since $q$  $q\,B$ and the delay time has passed, there is a state jump before $e$.
  $t_m$  $e$. Then an action from $A$ is polled and we derive a contradiction: since by the assumption and formula , $q$  $q\,A$, there is a state jump before $e$.
Initial Phase

The proofs for the formulae for the initial phase are analogous to the proofs of the corresponding formulae that we have proved above. Instead of the state change, which is used to mark the beginning of a cycle in the above formulae, we use that initially $s.\mathit{phase}$  and $v(y)$  $v(z)$ .
Completeness

This section is entirely devoted to the proof of the following.

Theorem. Let $A$ be a PLC-Automaton. Then the logical semantics $\mathcal{F}(A)$ is complete with respect to the operational semantics $T(A)$, i.e. for each interpretation $I \in I(\mathcal{F}(A))$ there exists a run $r \in R(T(A))$ such that $(r)$  $I$.

Proof. Assume that $I$ is an interpretation of the observables input, state and output that fulfils all formulae of $\mathcal{F}(A)$. Let $I'$ be the unique interpretation such that $I'$  $I$ and for each observable $\mathit{obs}$ and for each interval $[b, e]$  $\mathit{Time}$ there exists a finite partitioning of $[b, e]$ in left-closed right-open subintervals such that $\mathit{obs}_{I'}$ is constant on each subinterval (existence and uniqueness of $I'$ is ensured by the finite variability of $I$). We construct a run $r$ such that $(r)$  $I'$. For that purpose we start with all possibilities for the observable state and construct for each case the possibilities for the observable input that fulfil $\mathcal{F}(A)$. In a second step a run is constructed for which the mapping to observables coincides with state, input and output. In the TA semantics the value of output is at any point obtained from state via the output function. Since in the DC semantics the same is true, except possibly for a countable number of time points due to dc, we may forget about output in the rest of this proof and concentrate on the relations between input and state.

The construction of $r$ proceeds inductively by considering successive time intervals, each one lasting from one change of state to the next change of state. We construct a run of the timed automaton as follows. We start at time $t$ . Iteratively, for each interval we derive restrictions on the observable input from the behaviour of the observable state and the set $\mathcal{F}(A)$ of DC formulae. For the resulting patterns of the observables input and state we construct a sequence of cycles as part of a run of the timed automaton. The run constructed in this way is diverging. This follows from the finite variability of observables: in each finite interval there is only a finite number of different values for each observable. In the context of our construction we have only a finite number of intervals to investigate within each finite interval of time. For each finite interval that we consider in the case distinction below we will only construct a finite number of cycles for the run of the timed automaton.

Basically we distinguish the following two cases of behaviour. The interval of interest is assumed to start at $t$. The initial interval is subsumed by taking $t$ .
[Figure: the two cases of behaviour. Left: state changes eventually (states $q$, $q'$ over $[t, t']$). Right: state is stable forever (state $q$ from $t$ on).]
State changes eventually.

 $S_t(q)$  (no input delay).

  $t'$  $t$  (state $q$ is stable for at most ). In this case we know from dc (or dc for the initial interval) that there has to hold an input $i$ with $q\,i$  $q'$ for an interval $[b, e]$  $[t, t']$. Choose $e\,b$ as polling point and $t'$ as end of the cycle.

  [Figure: one cycle from $t$ to $t'$ with input $i$ and states $q$, $q'$.]

  $t'$  $t$  (state $q$ is stable for more than  but for at most ). Formula dc (or dc for the initial interval) says that within $[t, t\ ]$ there is some input $i$ with $q\,i$  $q$. Choose the first $i$-interval. In the interval $[t'\ , t']$ there is some input $i'$ that is responsible for the state change, i.e. $q\,i'$  $q'$, which follows from dc. Choose the last of all $i'$-intervals and denote it by $[b, e]$. We claim that input $i$ precedes input $i'$. Because suppose this is not the case. Then $e$  $t'$ and we obtain a contradiction by applying dc (or dc for the initial interval) with $A$  $\{a \mid q\,a$  $q\}$ ranging from $t$ to $e$ and $B$  $\{b \mid q\,b$  $q'\}$ ranging from $e$ to $t'$. The cycles of the run constructed are as follows: the first cycle starts at $t$ and polls input $i$ within the first -interval. The first cycle ends before input $i'$ ends, later than $t'$  but not later than $t$ . In the second cycle input $i'$ is polled and the cycle ends at $t'$.

  [Figure: two cycles from $t$ to $t'$ with inputs $i$, $i'$ and states $q$, $q'$.]

  $t'$  $t$  (state $q$ is stable for more than ). As in the previous case we have that in the interval $[t'\ , t']$ there must be some input $i'$ responsible for the state change, i.e. $q\,i'$  $q'$, which follows from dc. We choose the last of all $i'$-intervals and denote it by $[b, e]$. Next we have to close the gap between $t$ and $b$ by a suitable sequence of intervals such that in each of them there is some input $i$ valid with $q\,i$  $q$. (Footnote: it could also be some other input than $i$ with this property; w.l.o.g. we call all of them $i$.) According to dc (or dc for the initial state) there is such an input $i$ within the first -interval $[t, t\ ]$. Now we fix a sequence of intervals $[b_j, e_j]$ ($j$  $k$) for $k$  with the following properties:
  i. During $[b_j, e_j]$ only inputs $i$ hold for which $q\,i$  $q$ is valid.
  ii. $e_j$  $b_j$ for all $j$, $j$  $k$ .
  iii. $b'$  $t$ and $e_k$  $b$.
  iv. In between $[t, b']$, $[e_j, b_j]$ and $[e_k, b]$ no inputs $i$ hold for which $q\,i$  $q$ is valid.
  The gaps between two intervals of the sequence are less than , which follows from dc, i.e. $b_j$  $e_j$  for  $j$  $k$. If $e$  $t'$ then we infer by dc that $t'$  $e_k$ . Also if $e$  $t'$ we can derive $t'$  $e_k$ : assume $t'$  $e_k$  and apply dc to the interval $[t'\ , t']$ with an $A$-phase ranging from $t'$  until $e$ to obtain a contradiction (use the assumption that the $[b, e]$-interval is the latest one). Having fixed this sequence of intervals we can construct cycles of the run of the timed automaton. Intuitively, we start at $t$ and jump from interval to interval as if they were ice floes until we reach input $i'$. In each open interval we place a polling transition at the very beginning, followed by at least one complete cycle and a polling transition at the very end. More formally, we choose the polling points as follows:
  i. A point $p_{b'}$ in $[b', e']$  $[t, t\ ]$.
  ii. A point $p_{e_k}$ in $[b_k, e_k]$  $[t'\ , t']$.
  iii. For each  $j$  $k$ two points $p_{e_j}$  $[b_j, e_j]$ and $p_{b_j}$  $[b_j, e_j]$ such that the distance between both is less than  and such that for each  $j$  $k$, $p_{b_j}$  $p_{e_j}$.
  iv. If for some  $j$  $k$, $\lfloor p_{e_j}$  $p_{b_j} \rfloor$  $n$ , then we add $n$ polling points such that the distance between the polling points in the interval is less than .
  Finally we place a testing transition right after each polling transition and a cycle end right in the middle of each pair of adjacent polling points.

  [Figure: the sequence of intervals $[b_j, e_j]$ between $t$ and $t'$ with inputs $i$ and $i'$ and states $q$, $q'$; and, in detail, the polling points $p_{b_j}$, $p_{e_j}$ inside the intervals $[b_j, e_j]$.]
 $S_t(q)$  (there is input delay).

  $t'$  $t$  $S_t(q)$ ($q$ holds for less than delay time). Basically this case works as case . The only difference is that now input from $S_e(q)$ that has to be delayed plays the same role as input $i$ with $q\,i$  $q$ in : it causes $q$ to continue in the next cycle. Substitute $i$  $S_e(q)$ for $q\,i$  $q$ in the proofs for case . For the formulae applied there take the versions for delay according to the following table (here dc$x$ stands for dc$x$/dc$x$):

  case :  dc  dc  dc  dc  dc  dc
  here:   dc  dc  dc  dc  dc  dc

  [Figure: state $q$ holds from $t$ to $t'$, with $t'$ before $t\ S_t(q)$, followed by $q'$.]
 S
t

q  t

 t  S
t

q    q holds for at least delay time but less
than  more than delay time
Like in case  , a sequence of intervals has to be identified where the inputs cause state $q$ to be stable also in the next cycle. Before delay time
S
t
q has passed by input from S
e
q has this property afterwards it is
input i with q i  q By  we know that S
t
q    Hence by
dc or by dc for the initial interval there must be some input
i
e
 S
e
q within the interval t t   Next we use dc which says
that the distance between intervals of input from S
e
q is less than   to
construct a sequence of S
e
qintervals such that consecutive elements
of the sequence are less than   apart and the last interval ending some
where in t S
t
q   t S
t
q By dc we know that some input
i
 
responsible for the state change at t

so q i
 
  q
 
 occurs in the
interval t

   t

 We choose the latest subinterval of t

   t

 with

input i
 
and denote it by b e By placing the test transition for the
last cycle at t

we can ensure that the input i
 
is not ignored and the
required transition to q
 
is made. We also need some input $i$ in the interval t

  e that causes q to be stable in the last   interval t

  t


Because the end of the delay time tS
t
q happens to be in the interval
t

   t

 this input may occur before t  S
t
q in which case it is in
S
e
q or after t  S
t
q with q i  i In order to prove that input i
exists we distinguish between  cases
i t S
t
q  e  t


Apply dc with A from t

   to t  S
t
q B from t  S
t
q
to e and C from e to t

 Note that input i may overlap with i
 
if
b  t  S
t
q In this case we use input i
 
once to remain in state q
and once to jump out of it!
ii t S
t
q  e  t


Apply dc with A from t

  to tS
t
q and B from tS
t
q
to e Again input i may overlap with i
 

iii t S
t
q  e  t


Above we already showed that an input from S
e
q occurs in the
interval t S
t
q   t S
t
q By the assumptions this interval
coincides with t

   e
iv t S
t
q  e  t


Apply dc
 with A from t

  to tS
t
q and B from tS
t
q
to t

 Again input i may overlap with i
 

v t S
t
q  e
Apply dc
 with A from t

   to e and B from e to t


If e  t S
t
q then the distance between i and the last input i
e
 which
occurs in the interval t  S
t
q    t  S
t
q is less than   In the
case that e  t  S
t
q we can apply dc to show that the distance
between i and the last input i
e
is less than  . Altogether we have the desired sequence of intervals, and finally we choose the polling, testing and cycle-end points as in case
 S
t

q    t

 t  q lasts at least  longer than delay time
Again the proof idea is very much the same as in case  We have
to nd a sequence of intervals with input that cause q to continue in
the next cycle For the interval t t  S
t
q input i
e
 S
e
q has this
eect afterwards in t  S
t
q t

 we need input i with q i  q

We now argue that a sequence of intervals with the necessary input exists.
Within the first   interval t t   there must be some input i
e
 S
e
q
according to dc or dc for the initial interval We can conclude
from dc that the gaps between subsequent intervals of input
i
e
 S
e
q must be less than   The gap between the last input i
e
in
t tS
t
q and the rst input i after tS
t
q has to be shorter than  
due to dc From dc we know that after t  S
t
q the distance
between two intervals of some input i with q i  q is less than  
Finally according to dc there occurs some input i
 
responsible for
the state change ie q i
 
  q
 
 in the last  interval t

   t

 As in
case  we choose b e as the latest interval with inputs of kind i
 

Applying dc	 we can conclude that there must be some input i with
q i  q in t

   b Analogously to case  choose polling points
in the intervals of the sequence place the testing transitions right after
the polling transitions and add reasonable cycle ends
 State is stable forever
This case is analogous to the previous ones: if input is not delayed at $q$, then we fix a sequence of intervals of input $i$ with $\delta(q,i) = q$ as in case  . The main difference is that the sequence constructed is infinite. For the case with delay we proceed as in case  , also taking an infinite sequence of suitable intervals. The polling points and cycles are constructed as in these cases.
References
R. Alur, C. Courcoubetis and D.L. Dill. Model-checking for real-time systems. In Proceedings of the Annual Symposium on Logic in Computer Science, Philadelphia, USA. IEEE Computer Society Press.
R. Alur and D.L. Dill. A theory of timed automata. Theoretical Computer Science.
R. Alur, T.A. Henzinger and E.D. Sontag, editors. Hybrid Systems III. Lecture Notes in Computer Science. Springer-Verlag.
J. Bengtsson, K.G. Larsen, F. Larsson, P. Pettersson and Wang Yi. UPPAAL: a tool suite for the automatic verification of real-time systems. In Alur et al., Hybrid Systems III.
C. Daws, A. Olivero, S. Tripakis and S. Yovine. The tool Kronos. In Alur et al., Hybrid Systems III.
H. Dierks. PLC-Automata: A New Class of Implementable Real-Time Automata. In M. Bertran and T. Rus, editors, ARTS, Lecture Notes in Computer Science, Mallorca, Spain, May. Springer-Verlag.
H. Dierks. Synthesising Controllers from Real-Time Specifications. In Tenth International Symposium on System Synthesis. IEEE CS Press, September.
H. Dierks and C. Dietz. Graphical Specification and Reasoning: Case Study "Generalized Railroad Crossing". In J. Fitzgerald, C.B. Jones and P. Lucas, editors, FME, Lecture Notes in Computer Science, Graz, Austria, September. Springer-Verlag.
H. Dierks and J. Tapken. Tool-Supported Hierarchical Design of Distributed Real-Time Systems. In Proceedings of EuroMicro, to appear.
T.A. Henzinger, X. Nicollin, J. Sifakis and S. Yovine. Symbolic model checking for real-time systems. Information and Computation.
Z. Kohavi. Switching and Finite Automata Theory. McGraw-Hill Inc.
B. Krieg-Brückner, J. Peleska, E.-R. Olderog, D. Balzer and A. Baer. UniForM: Universal Formal Methods Workbench. In U. Grote and G. Wolf, editors, Statusseminar des BMBF Softwaretechnologie. BMBF, Berlin, March.
O. Maler and A. Pnueli. Timing Analysis of Asynchronous Circuits using Timed Automata. In Proc. CHARME, Lecture Notes in Computer Science. Springer-Verlag.
O. Maler and S. Yovine. Hardware Timing Verification using Kronos. In Proc. Conf. on Computer-based Systems and Software Engineering. IEEE Press.
B. Moszkowski. A Temporal Logic for Multilevel Reasoning about Hardware. IEEE Computer.
X. Nicollin, J. Sifakis and S. Yovine. Compiling Real-Time Specifications into Extended Automata. IEEE Transactions on Software Engineering, September.
A.P. Ravn. Design of Embedded Real-Time Computing Systems. Technical Report, Technical University of Denmark.
Zhou Chaochen. Duration Calculi: An overview. In D. Bjørner, M. Broy and I.V. Pottosin, editors, Formal Methods in Programming and Their Application, Lecture Notes in Computer Science. Springer-Verlag.
Zhou Chaochen, C.A.R. Hoare and A.P. Ravn. A Calculus of Durations. Inform. Proc. Letters.
A Timed Automata
Timed automata are an automaton-based mathematical model for real-time systems. Although the basic concepts are very similar, various definitions of syntax and semantics can be found in the literature [ ]. Here we use a variant of timed automata that is defined in [ ].

Definition   A timed automaton $T$ is a tuple consisting of $S$, $X$, $L$, $E$, $I$, $P$, a labelling of the locations, and $S_0$, where
- $S$ is a finite set of locations,
- $X$ is a finite set of real-valued variables called clocks, whose values increase uniformly with time,
- $L$ is a finite set of labels,
- $E$ is a finite set of edges; each edge $e$ leads from a location $s \in S$ to a location $s' \in S$ and carries a label from $L$, a clock constraint (a boolean combination of comparisons between clocks $x, y \in X$ and real constants $c, d \in \mathbb{R}$, including comparisons of two clocks against each other), and a set of clocks $\subseteq X$ which are to be reset to 0 by the transition,
- $I$ assigns to each location a clock constraint that serves as an invariant within the location,
- $P$ is a finite set of atomic propositions,
- the labelling assigns to each location a set of atomic propositions over $P$,
- $S_0 \subseteq S$ is the set of initial locations.

Usually only natural numbers are allowed as constants in the clock constraints, but in order to associate a timed automaton to each PLC-Automaton our definition allows for real-valued constants. The price we have to pay is that we cannot model-check this kind of timed automata. However, as long as the PLC-Automaton uses only discrete delays and a discrete cycle time, the corresponding timed automaton semantics uses only discrete time constants too.

Definition   A run of $T$ is an infinite sequence $r = (s_i, v_i, t_i)_{i \in \mathbb{N}}$ where for each $i \in \mathbb{N}$
- $s_i \in S$ is a location,
- $v_i : X \to \mathbb{R}_{\geq 0}$ is a valuation of the clocks,
- $t_i \in \mathbb{R}_{\geq 0}$ is a time stamp,
and $r$ satisfies the following properties:
- the initial location is contained in $S_0$: $s_0 \in S_0$,
- initially all the clocks have value 0: $\forall x \in X : v_0(x) = 0$,
- time starts at 0: $t_0 = 0$,
- the sequence of time stamps is monotonic and diverging: $t_i \leq t_{i+1}$ for all $i \in \mathbb{N}$ and $\lim_{i \to \infty} t_i = \infty$,
- for all $i \in \mathbb{N}$ the invariant $I(s_i)$ is fulfilled during $[t_i, t_{i+1}]$, i.e. $I(s_i)(v_i + (t - t_i))$ holds for all $t \in [t_i, t_{i+1}]$, with $(v_i + d)(x) \stackrel{df}{=} v_i(x) + d$ for all $x \in X$ and $I(s)(v)$ denoting the evaluation of the constraint $I(s)$ at valuation $v$,
- for all $i \in \mathbb{N}$ there is an edge $e$ from $s_i$ to $s_{i+1}$ such that
  - the clock constraint of $e$ holds at time $t_{i+1}$, i.e. at valuation $v_i + (t_{i+1} - t_i)$, and
  - valuation $v_{i+1}$ is updated according to the reset set of $e$: for all $x \in X$, $v_{i+1}(x) = 0$ if $x$ is reset by $e$, and $v_{i+1}(x) = v_i(x) + t_{i+1} - t_i$ otherwise.
By $R(T)$ we denote the set of runs of a timed automaton $T$.

B Duration Calculus
In this section we recall the Duration Calculus (DC) [ ], a real-time interval temporal logic extending earlier work on discrete interval temporal logic of [ ].

A formal description of a real-time system using DC starts by choosing a number of time-dependent state variables (called observables) $obs$ of a certain type. An interpretation $\mathcal{I}$ assigns to each observable a state function $obs_{\mathcal{I}} : \mathit{Time} \to D$, where $\mathit{Time}$ is the time domain, here the non-negative reals, and $D$ is the type of $obs$. If $D$ is finite, then these functions $obs_{\mathcal{I}}$ are required to be finitely variable, which means that any interval $[b, e] \subseteq \mathit{Time}$ can be divided into finitely many subintervals such that $obs_{\mathcal{I}}$ is constant on the open subintervals.

Terms have a certain type and are built from observables, rigid variables (representing time-independent variables) and typed operators. Terms of Boolean type are called state assertions. They are obtained by applying propositional connectives to elementary assertions of the form $obs = v$ ($v$ for short if $obs$ is clear) for a $v \in D$. For a given interpretation $\mathcal{I}$, state assertions denote functions $P_{\mathcal{I}} : \mathit{Time} \to \{0, 1\}$.

Duration terms are of type real and their values depend on a given time interval $[b, e]$. The simplest duration term is the symbol $\ell$ denoting the length $e - b$ of $[b, e]$. For each state assertion $P$ there is a duration term $\int P$ measuring the duration of $P$, i.e. the accumulated time $P$ holds in the given interval. Semantically $\int P$ denotes $\int_b^e P_{\mathcal{I}}(t)\,dt$ on the interval $[b, e]$. Real-valued operators applied to duration terms are also duration terms.

Duration formulae are built from boolean-valued operations on duration terms and the special symbols $\mathit{true}$ and $\mathit{false}$, and they are closed under propositional connectives, the chop operator ($;$) and quantification over rigid variables. Their truth values depend on a given interval. We use $F$ for a typical duration formula. Constants $\mathit{true}$ and $\mathit{false}$ evaluate to true resp. false on every given interval. The composite duration formula $F_1 ; F_2$ (read as $F_1$ chop $F_2$) holds in $[b, e]$ if this interval can be divided into an initial subinterval $[b, m]$ where $F_1$ holds and a final subinterval $[m, e]$ where $F_2$ holds.

Besides this basic syntax, various abbreviations are used:
point interval: $\lceil\,\rceil \stackrel{df}{=} \ell = 0$
everywhere: $\lceil P \rceil \stackrel{df}{=} \int P = \ell \wedge \ell > 0$
somewhere: $\Diamond F \stackrel{df}{=} \mathit{true} ; F ; \mathit{true}$
always: $\Box F \stackrel{df}{=} \neg \Diamond \neg F$
$F^{\sim t} \stackrel{df}{=} F \wedge \ell \sim t$, with $\sim$ a comparison relation (such as $=$ or $\leq$ in the standard forms below)

We write $\mathcal{I}, [b, e] \models F$ if $F$ holds for interpretation $\mathcal{I}$ and interval $[b, e]$. Formula $F$ holds in $\mathcal{I}$ (notation $\mathcal{I} \models F$) if $\mathcal{I}, [0, e] \models F$ for each $e \in \mathit{Time}$, i.e. if $F$ evaluates to true in $\mathcal{I}$ and every interval of the form $[0, e]$.

The following so-called standard forms are useful to describe dynamic behaviour:
followed-by: $F \longrightarrow \lceil P \rceil \stackrel{df}{=} \neg (F ; \lceil \neg P \rceil)$
timed leads-to: $F \xrightarrow{\;t\;} \lceil P \rceil \stackrel{df}{=} (F \wedge \ell = t) \longrightarrow \lceil P \rceil$
timed up-to: $F \xrightarrow{\;\leq t\;} \lceil P \rceil \stackrel{df}{=} (F \wedge \ell \leq t) \longrightarrow \lceil P \rceil$

To avoid parentheses the following precedence rules are used (binding strength decreasing): $\int$; real operators; real predicates; the propositional connectives and chop; the followed-by, timed leads-to and timed up-to operators; quantification.
C DC Semantics for the Initial Phase
Some formulae of the DC semantics in Section   require an explicit change of the state as precondition. For the initial phase those formulae are not applicable. Hence we require some additional formulae restricting the behaviour of the system in the initial phase. The numbering indicates the correspondence between the formulae below and those in Section  .
dq

Ae  dq


 q

 Ae  true dc
S
t
q

    dq

Ae
S
t
q


 dq


 q

 A n S
e
q

e  true dc
S
t
q

    dq

e  dq

Ae


S
t
q


 dq


 q

 A n S
e
q

e  true
dc	
S
t
q

    q

 q

 A  dq

Ae

 dq

e  true dc
S
t
q

    q

 q

 A  dq

e

 dAe  dBe dq

 Be  true
dc

S
t
q

   A  S
e
q

    dq

Ae

 dq

e  true dc
S
t
q

   A  S
e
q

   
dq

e

 dAe  dBe
S
t
q


 dq


 q

 B n S
e
q

e  true dc
S
t
q

   A  S
e
q

   
dq

e  dq

e
 
 dAe  dBe
S
t
q


 dq


 q

 B n S
e
q

e  true
dc
