When dealing with timing constraints, the Z.120 standard of Message Sequence Charts (MSCs) is still evolving along with several proposals. This paper rst reviews proposed extensions of MSCs to describe timing constraints. Secondly, the paper describes an analysis technique for timing consistency in iterating and branching MSC speci cations. The analysis extends e cient current techniques for timing analysis of MSCs with no loops nor branchings. Finally, the paper extends our syntactic analysis of process divergence to MSCs with timing constraints.
INTRODUCTION
Various avours of Message Sequence Charts (MSCs) have been used in software engineering of telecommunications systems as well as object-oriented analysis and design notations, e.g. (Selic, Gullekson & Ward 1994 , Algayres, Lejeune, Hugonment & Hantz 1993 , Jacobson & et al. 1992 , Ichikawa, Itoh, Kato, Takura & Shibasaki 1991 . The increasing popularity of MSCs recently motivated a standardization e ort that produced the ITU-T Recommendation Z.120 (ITU-T 1996) . The Z.120 standard de nes two main concepts: basic MSCs (bMSCs) and High-Level MSCs (hMSCs) . A bMSC consists of a set of processes that run in parallel and exchange messages in a one-to-one, c IFIP 1997. Published by Chapman & Hall asynchronous fashion. An hMSC combines references to basic MSCs to describe parallel, sequential, iterating, and non-deterministic execution of basic MSCs. In addition, an hMSC can describe a system in a hierarchical fashion by combining hMSCs within an hMSC.
To facilitate the speci cation of real-time systems, a few extensions to MSCs have been proposed to express timing constraints: timers (ITU-T 1996) , interval delays (Alur, Holzmann & Peled 1996 , Meng-Siew 1993 and timing markers (Booch, Jacobson & Rumbaugh 1996) . The proposed extensions evolved independently and di er in terms of their expressiveness and support for formal analysis. Further, all proposed analysis of MSCs with timing constraints have been so far limited to basic MSCs (Alur et al. 1996 , Meng-Siew 1993 .
In an e ort to help consolidate the proposed timing extensions possibly within the standard, in this paper we rst review the various proposed syntactic annotations of basic MSCs with timing constraints. For each of the proposed timing extensions, we highlight the syntactic features, expressiveness and limitations, and we discuss ambiguities that must be addressed when bMSCs are composed within an hMSC.
Another motivation for this paper is to extend the timing consistency analysis for bMSCs to deal with iterating and branching MSC speci cations. The analysis technique we present has been implemented within our prototype toolset for requirements engineering based on MSCs (Ben-Abdallah & Leue 1996) . In addition, in this paper we extend our syntactic analysis of the process divergence problem in MSC speci cations (Ben-Abdallah & Leue 1997b) in the presence of timing constraints. We use the example of an automatic teller machine system to illustrate our selected timing extension and the presented timing analysis.
TIMING CONSTRAINTS IN BASIC MSCS
There are essentially four classes of syntactic constructs to express timing constraints in MSCs and MSC reminiscent notations: timers (ITU-T 1996, Alur et al. 1996) , delay intervals (Alur et al. 1996 , Meng-Siew 1993 , drawing rules (Booch et al. 1996) , and other timing markers (Booch et al. 1996). Timers. Recommendation Z.120 provides timers to express timing constraints in a basic MSC. Within a single process, a timer can be set to a value, reset to zero, and observed for timeout. A timer cannot be shared among concurrent processes in a basic MSC. Figure 1 (a) shows an example of a basic MSC with timing constraints expressed through two timers. In this example, for instance if the timer T3.1 is set to 5, then P3 must exchange its messages within at most ve time units relative to the timer setting event. Process P1, on the other hand, rst sets the timer T1.1 say to three time units, receives message a, then resets its timer. Since process P1 does not explicitly use a timeout event for the timer T1.1, the implicit assumption here is that the timer T1.1 does not expire before it is reset. As this example illustrates, a timer can be used to express a maximal delay between two or more consecutive events in one process. In addition, a timer can be also used to express a minimal delay between two consecutive events in one process. Delay Intervals. Depending on how delay intervals annotate a bMSC, they express three types of timing constraints: 1) event-associated timing constraints (Meng-Siew 1993) which are denoted as an interval that is associated with an event in the basic MSC; 2) message delivery delays (Alur et al. 1996 , Meng-Siew 1993 which are expressed as a time interval over a message arrow; and 3) Processor's speed constraints (Alur et al. 1996 , MengSiew 1993 which are expressed as time intervals between two consecutive events in a process.
An event-associated timing constraint is a global constraint on the timed occurrence of an event: the event must occur within the speci ed minimal and maximal time delays with respect to any previous event, whenever it occurs in an execution trace of the bMSC. Figure 2 (a) shows sample event-associated timing constraints.
In the message delivery and processor's speed constraints, a delay interval is delimited with respect to the occurrence of the two consecutively, visually ordered events it constrains. Figure 1 augments the timing constraints in Figure 1 with message delays (i.e., intervals on message arrows) and processor's speed constraints (i.e., intervals on vertical lines). In this version, message b takes between two and three time units from the time it is sent by process P1 to the time it is received by process P3. In addition, process P3 requires that message b be received between one and two time units from the time it sends message e.
In (Meng-Siew 1993) , the author generalizes the message delivery and processor's delay intervals (called trace-associated timing constraints) by using 
Figure 2 (a) Event-associated and (b) trace-associated timing constraints a semantic notion of consecutive events: two events are consecutive if they can be executed one after the other. In addition, this work extends the use of trace-associated timing constraints to express timing constraints between events that are not related. For this, the syntax of bMSCs is extended with precedence edges that connect unrelated events. The user can then annotate the extended bMSC with timing constraints to impose on unrelated events. Figure 2 (b) shows sample trace-associated timing constraints where the precedence edges are drawn with dashed-line, bidirected edges. As this example illustrates, while precedence edges allow the expression of more timing constraints, they may result in a cumbersome graph.
Drawing rules and timing markers. Sequence diagrams within the Unied Modeling Language (Booch et al. 1996) extend the Z.120 MSCs with additional information, e.g., focus of control to show the time when a process has a thread of control. Timing constraints are represented in a sequence diagram in two ways: the drawing rules of message arrows and timing markers. A horizontal message arrow indicates the simultaneous occurrence of the send and receive events of the message. A downward slanted message arrow, on the other hand, indicates a required delay between the send and receive events of the message. In addition, within each object outgoing message arrows can be drawn at a single point to indicate the simultaneous sending of a message. (Incoming message arrows are not allowed to meet at the same point within an object.)
To describe more quantitative timing constraints, timing markers are attached to a sequence diagram. Timing markers are boolean expressions placed in braces and attached to the diagram (Booch et al. 1996) . The boolean expressions can constrain particular events or the whole diagram. However, since neither the precise syntax of timing markers nor their formal semantics is dened, we cannot completely assess their expressiveness. In addition, no formal analysis of timing constraints has been proposed within the Uni ed Modeling Language.
Timing Analysis Based on Timers and Delay Intervals. Timing analysis consists of validating a timing assignment and verifying timing consistency. A timing assignment is essentially a time-stamp function that associates with the MSC events occurrence times with respect to a global clock. A timing assignment is valid if it respects the timing constraints in the MSC. A bMSC is timing consistent if there is at least one valid timing assignment that allows the MSC to have a behavior where the events occur according to the speci ed timing constraints.
For bMSCs extended with timers and timing delays, one can use the temporal constraint network techniques in (Dechter, Meiri & Pearl 1991) to reduce timing analysis to computing all-pairs-shortest-paths in a labeled directed graph. In the worst case, this can be computed in O(n 3 ) time where n is the number of events in the bMSC. We will discuss timing consistency analysis with this technique in detail in Section 4.
The MSC analyzer tool (Alur et al. 1996) o ers in addition to the above timing analysis for bMSCs, timed analysis based on a semantics that accounts for the queuing strategies in a bMSC. To analyze MSC speci cations within this tool, the user would have to select the various bMSCs that compose one sequential path in the hMSC and analyze each path separately. However, in the presence of loops in the hMSC, this tool o ers no hints on how many times the user is supposed to unfold a loop to conclude timing consistency of the loop. Further, analysis based on path selection should resolve certain issues about the usage of timer events and the interpretation of the timing constraints in the MSC speci cation as we discuss in the next section.
INTERPRETING TIMING CONSTRAINTS IN MSC SPECIFICATIONS
The hMSC in an MSC speci cation connects basic MSCs to describe sequential, possibly iterating and non-deterministic behavior. The presence of timing constraints as described in the previous section in MSC speci cations requires attention for one essential reason: timing constraints can be spread across sequentially connected basic MSCs. We next illustrate how the Z.120 standard syntax (ITU-T 1995) is ill-de ned when timers are used in hMSCs, and outline possible choices of interpreting timing consistency in MSC speci cations with branchings.
Interpreting Iterations
Current analyses of iterations in an hMSC rely on unfolding loops a nite number of times and analyzing resulting basic MSCs (Alur et al. 1996) . In the case of timed behavior, this technique raises several questions about: 1) interpreting multiple occurrences of the set event of the same timer, 2) resolving the correspondence between several timers' set and timeout events, and 3) the syntactic well-formedness of MSC speci cations with timers.
Consider the MSC speci cation of Figure 3 As control iterates through the basic MSCs M1 and M2, it is unclear whether the system generates a new instance of the timer, or uses the same timer during all iterations. Both interpretations can be justi ed by the common interpretation of a loop in an hMSC through a nite unfolding to a basic MSC. More speci cally, Consider the following execution scenario: M1, M2, M1, M2, and then M3. Using loop unfolding, this sequence of basic MSCs represents a syntactically legal basic MSC. It then seems that a new timer is generated each time M1 is executed. Therefore, we need to resolve the association of the one timeout event in M3 with the two timer setting events. The choice obviously a ects the timing consistency analysis. Let us try to derive the semantics of repeatedly invoked timers from that of repeatedly sent messages. Ladkin and Leue (Ladkin & Leue 1995) use a nite state argument to interpret multiple sends of a message as deactivated by one receive of the message. (At the time of writing Z.120 does not deal with the semantics of iterating system behavior.) In the case of timers, this interpretation translates into associating the timeout event with any of the two timer setting events. A more reasonable choice is to associate it with the rst timer since it would time out rst. For T1.1 set to 5 and T1.2 set to 3, this interpretation makes the above execution scenario timing inconsistent. Another alternative is to associate the timeout event with the last timer setting event. This coincides with the interpretation where the same timer is reset then reused during all iterations. In this case, the same execution scenario for the example of Figure 3 (a) is timing consistent in the sense that the last timer set does not expire before sending the event Creq; however, such an analysis is misleading when the overall behavior is considered: the rst time the message Dreq was sent and sending the event Crq are separated by at least 6 time units and thus one timeout event, i.e., deadline was obviously missed.
The above ambiguity in interpreting timers within loops results from the ill-de ned syntax of hMSCs when timers are involved. The Z.120 syntax of an hMSC assumes the well-formedness of the bMSCs used in the hMSC. The Z.120 syntax of bMSCs only restricts the usage of timers such that a reset or timeout event may occur only after a timer is set (ITU-T 1995) ; that is, this syntax neither forces the reset or timeout event to occur after a timer set event, nor does it restrict multiple occurrences of a timer set event prior to its reset or timeout event. As the above example illustrates, this relaxed syntax of bMSCs can lead to ambiguities when a loop in an hMSC contains bMSCs where one timer is set but neither its timeout nor reset event occurs in the loop.
In a broader context, the above example raises a fundmental question about what an MSC speci cation means: does it describe all behaviors of a system, or does it describe a set of sample behaviors of a system? In the rst case, the standard syntax must be further restricted to disallow the above example. In the second case, the above example should be allowed and interpreted according to the second alternative; that is, timers may expire without explicitly being modeled in the MSC speci cation. However, this interpretation may create practical di culties since timers' expirations are usually implemented as interrupts and thus can not be ignored in some occasions and handled at other times.
Interpreting Branchings
When an MSC speci cation contains branchings, we can determine whether its timing constraints are satis able in two ways:
Local semantics: select one path at a time and analyze its timing constraints, independently of other paths that may branch out of the selected path (Alur et al. 1996) . This interpretation of timing constraints allows the derivation of several timing assignments, one for each path in the hMSC. In other words, any particular basic MSC that is shared by di erent paths may have di erent timed behavior depending on both the past and future behavior of the system. Global semantics: all paths must be analyzed simultaneously. This analysis technique assumes that any timing assignment for the hMSC must be valid along all shared portions of all paths in the hMSC. In this approach, each basic MSC will have the same timed behavior independently of the execution path on which it resides, hence independently of the future behavior of the system. This approach produces tighter timing constraints than the local semantics.
To illustrate the di erences between the two approaches, consider the timed MSC speci cation show in Figure 3 (b) and which describes a simple connection establishment. The example is locally timing consistent. However, it is not globally timing consistent since there is no timing assignment for the common pre x of its two paths and that allows both paths to be simultaneously timing consistent. Timing consistency of the path leading to MSC2 requires that receive CR occurs at most 1 time unit after it is sent, whereas timing consistency of the path leading to MSC 3 requires that receive CR not to occur before 2 time units after it is sent.
TIMING ANALYSIS OF MSC SPECIFICATIONS
In this section, we rst de ne the syntax of timed MSC speci cation we will use. Second, we augment the timing analysis for bMSCs presented in (MengSiew 1993 , Alur et al. 1996 to handle the possibility that a timer is set in a bMSC but no reset nor timeout event follows the timer setting in the bMSC. We then extend it to analyze MSC speci cations with branchings and iterations. For the proofs of the lemmas and theorems in this and the following Sections see (Ben-Abdallah & Leue 1997a).
Timed MSC Speci cations
In remainder of this paper, we assume that the untimed bMSCs contain only message exchanges drawn in accordance to Z.120. To express timing constraints we use the Z.120 timer events together with (non-standard) timing delay intervals. A timer can be set to a positive integer value, and rest to zero. In compliance with the Z.120 standard (ITU-T 1995), a reset and timeout event must be preceded by a timer setting event. In addition, a timer is private to a process and thus its events can be used by a single process only. Further, to distinguish between timers, we assume that each timer has a unique identi er associated with it.
A timing delay interval is a label over either a message arrow, or a control ow segment, i.e., a portion in a process's line that is delimited by two consecutive events. (We use the generic term event to denote one of the following types of events: the start of a process, the end of a process, sending a message, receiving a message, or a timer event.) A delay interval labeling a message arrow denotes the relative minimal and maximal delays between the events of sending the message and receiving it. A delay interval labeling a control ow segment denotes the relative minimal and maximal delays between the events delimiting the control ow segment. Delay intervals can be of the form a In compliance with the Z.120 standard we allow timer events to be split
We assume that an MSC speci cation contains one level of nesting; however, the de nitions and results presented in this paper can be easily extended to deal with MSC speci cations where nodes refer to other hMSCs.
across bMSCs in an hMSC. The Z.120 standard restriction that each timeout and timer resetting event must be preceded by a timer setting event in bMSCs is extended to paths in the MSC speci cations, i.e., in every path timeout and timer resetting events must be preceded by a timer setting. However, to avoid the ambiguities described earlier, we require that every simple loop in an MSC speci cation has matched timer events: 1) every timer setting event in the loop must be followed by either a timeout or reset event; and 2) every timeout event must be preceded by a timer setting event in the loop. The rst restriction disallows the example in Figure 3 (a). Note that this restriction is for loops only; that is, it does not force the use of a timeout or reset event in non-looping paths. As we see in the next section, our timing analysis will ensure that the absence of these events does not mean the speci cation is incomplete. The second restriction disallows the possibility that time ellapes in the loop making the timeout event obsolete.
Timing Consistency of bMSCs
To determine the timing consistency of a basic MSC, we adopt an approach similar to the ones presented in (Meng-Siew 1993, Alur et al. 1996) . First the bMSC is translated into a directed, labeled graph that we call temporal constraint graph. The vertices and edges in the graph re ect the control ow and message exchanges in the bMSC. The edge labels represent the timing constraints in the bMSC. Once a temporal constraint graph is constructed, to verify that the bMSC is timing consistent, we just check that the temporal constraint graph has no cycles with a negative cost (Dechter et al. 1991 , MengSiew 1993 , Alur et al. 1996 . Since it is unclear whether the informal translation presented in (Alur et al. 1996) handles the possibility that a timer is set but no reset nor timeout event is explicitly included in the bMSC, we next present the translation we assume in our analysis of timing consistency of MSC speci cations. It is straightforward to represent a bMSC as a directed, labeled graph. A node in the graph represents one of the following events: the start of a process, the end of a process, sending a message, receiving a message, or setting, resetting or timeout a timer. An edge in the graph can have one of three types that represent the dependencies between events: 1) a \signal" edge (x; y) represents sending a message from one process to another; 2) a \next event" edge (x; y) represents the control ow within a process where event x appears before event y on the vertical line of the process; and 3) a \temporal" edge (x; y) connects a timer setting event x with a timer reset or timeout event y. The label of an edge is the timing delay and for a signal edge the message type in addition. (For details, the reader is referred to (Ladkin & Leue 1995) where basic MSCs without timing constraints are represented as Message Flow Graphs. This translation is easily augmented with the temporal edges to represent timing constraints.) Given a bMSC M , its temporal graph T g (M) is obtained as follows:
Each node in M is represented by a node in T g (M).
Each next event edge, each signal edge and each temporal edge (e; e 0 ) with timing label I in M is represented by two labeled edges in T g (M): edge (e; e 0 ) with label ?L(I), and edge (e 0 ; e) with label U(I).
For each process P i in M , for each of its set timer event e i with value t and no matching reset or timeout event, the following two edges are added in T g (M): edge (e i ; e 0 i ) with label ?t, and edge (e 0 i ; e) with label t, where the node e 0 i is the node that corresponds to the end node of process P i in M . The above translation could di er from previous translations in the last step. As mentioned earlier, this additional step allows us to cover the lose Z.120 syntax (ITU-T 1995) which does not force a set timer to have a reset or timeout event in the same bMSC. The analysis of the temporal constraint graph as constructed above ensures that those timers that were not explicitly reset or timeout, in fact, did not expire. Hence, the analysis results of the extended temporal constraint graph are coherent with the implicit assumption that a missing timeout/reset event in a process is interpreted as the set timer not having expired prior to the process's end of execution.
A bMSC is timing consistent if and only if its temporal constraint graph has no cycles with a negative cost (Dechter et al. 1991 , Meng-Siew 1993 , Alur et al. 1996 . Detecting cycles in the temporal constraint graph can be done through the Floyd-Warshall's algorithm (Papadimitriou & Steiglitz 1982) which computes all-pairs-shortest paths in the graph in a worst case time of O(n 3 ) where n is the number of events in the graph.
Timing Consistency of hMSCs
Our notion of timing consistency of an MSC speci cation relies on a local interpretation of the timing constraints.
De nition 4.1 An MSC speci cation S is timing consistent if every path that starts from the start node in S is timing consistent. S is partially timing consistent if some of its paths are timing consistent. S is timing inconsistent if none of its paths is timing consistent.
The above de nition of timing consistency is impractical since in the presence of iterations in the MSC speci cation, the number of paths is in nite. We Addition over the natural numbers N N is extended over N N N N ? f1;?1g in a straightforward way.
next present a syntactic approach to determine the consistency of an MSC speci cation based on a nite subset of its paths. In the sequel, we adopt the following notation to ease readability: given two bMSCS, M 1 and M 2 , we denote the MSC speci cation that consists of the sequential composition of M 1 followed by M 2 as M 1 M 2 .
Lemma 4.1 If the MSC speci cation M 1 M 2 M 1 is timing consistent with M 1 M 2 having matched timer events, then the MSC speci cation M 1 M 2 M 1 M 2 is also timing consistent.
The above Lemma allows us to deduce the timing consistency of a loop from the timing consistency of an augmented version of the simple path that the loop contains, without unfolding the loop. Thus, to decide the timing consistency of an MSC speci cation, we can focus on simple paths and augmented simple paths that represent loops in the speci cation. We next de ne these paths.
De nition 4.2 Let S = (B; > I ?; suc; ref ) be an MSC speci cation.
A sequential component in S is a simple path n 1 ; n 2 ; ; n k in S such that: (s; n 1 ) 2 suc for the start node s 2 >; and either (n k ; e) 2 suc for an end node e 2 ?, or there exists n j 2 fn 1 ; n 2 ; ; n k g such that (n k ; n j ) 2 suc.
Informally, a sequential component is either a simple path from the start node to an end node, or a path that starts with a simple path and ends with a simple loop. We call the rst type nite sequential components, and the second in nite sequential components. In addition, we say that a path n 1 ; n 2 ; ; n j ; ; n k ; n j in an MSC speci cation S is a closed in nite sequential component if n 1 ; n 2 ; ; n j ; ; n k is an in nite sequential component in S .
Theorem 4.1 An MSC speci cation S is timing consistent if 1) each nite and each closed in nite sequential component in S is timing consistent; and 2) each in nite sequential component in S has matched timer events.
The condition on the in nite sequential components is stronger because the loop in the component allows time to progress an arbitrary amount, and thus possibly missing a timeout event. If a set timer is missing a reset or timeout event inside the loop, our analysis can not conclude from one iteration that the timer will never expire. In fact, if a timing consistent, in nite component has unmatched timer events, then the speci cation is partially timing consistent is the best we can predict.
Timing consistency algorithm. To examine the timing consistency of an MSC speci cation, we have implemented within our MSC tool (Ben-Abdallah & Leue 1996) the algorithm shown in Table 1. Step 1 is carried out through a depth-rst-search algorithm of the the hMSC of S . To construct the temporal constraint graph of a sequence of bMSCs, step 3 extends the bMSC to temporal graph translation of Section 4 in a straightforward way based on the construct the temporal constraint graph T g (L) 4.
compute all-pairs-shortest paths in T g (L) 5.
report all events involved in a negative cost cycle End following fact: the behavior of M 1 M 2 is equivalent to the behavior of the bMSCs obtained by gluing M 2 after M 1 , with the timing delays at the end of a process in M 1 added to the timing delays of the same process at the beginning of M 2 .
Step 4 uses the Floyd-Warshall's algorithm on a matrix representation of the temporal constraint graph. In step 5 an event is in a cycle with a negative cost if its corresponding diagonal element in the all-pairs-shortest-path matrix is negative.
Process Divergence in Timed MSC Speci cations
In the presence of loops, an MSC speci cation may su er from process divergence: a system execution where a process sends messages an unbounded number of times ahead of the messages being received (Ben-Abdallah & Leue 1997b ). An MSC speci cation with a process divergence can be either unimplementable as it requires message queues with an in nite size, or it can be implementable with discrepancies, e.g., unexpected deadlocks since message queues are nite and messages must be dropped or over-written. In (Ben-Abdallah & Leue 1997b), we have syntactically characterized process divergence in untimed MSC speci cations by examining the communication patterns of its processes. Informally, we proved that an (untimed) MSC speci cation su ers from process divergence if and only if it has a loop where at least one of its processes does not depend on, i.e., sends to but never receives directly or indirectly from another concurrent process in the loop.
In the presence of timing constraints through timers and/or delay intervals, our syntactic characterization of process divergence can be extended as follows.
Theorem 4.2 Given an MSC speci cation S that has untimed process divergence through the processes P 1 ; ; P n in a loop L which can jointly race ahead of the remaining processes. S has timed process divergence i either 1) the sum of all minimal delays in the processes P 1 ; ; P n within L is equal to zero; or 2) the minimum of all maximal delays of the processes receiving messages from P 1 ; ; P n including delays on the received messages is equal to 1. Initially, the ATM controller waits to receive the customer's bank card. Then, it either receives a request to cancel the transaction within 0; 4] seconds (bMSC EndTrans), or receives the customer's pin number within 5; 60] seconds (bMSC ProcessPin). If the ATM receives a request to cancel the transaction (bMSC EndTrans), it returns the customer's card and takes between 2; 3) seconds to return to its initial state. The ATM expects a reply from the bank within T 1 seconds. This timing constraint is expressed through the T1 timer as well as the 0; T 1 ] delay interval. In (bMSC TryAgain), when T1 times out, the card is returned, an appropriate message is then displayed, and the ATM takes again between 2; 3) seconds to return to its initial state. Our speci cation also describes the following constraints: a customer expects a withdraw request to be processed within W 1 ; W 2 ] seconds relative to the time of entering an amount; a customer takes Q 1 ; Q 2 ] seconds to decide whether to make another transaction while the ATM has the card; the ATM takes B 1 ; B 2 ] seconds for book-keeping after dispensing cash; the ATM takes 3; 5) seconds to print a receipt after receiving the balance information from the bank. Each ATM-customer communication has a delay of 0; 2) seconds and each vertical line without a time delay has a default delay of 0; 1), which we do not explicitly represent in the chart. Note that when timing constraints extend over more than just one bMSC it is necessary to use auxiliary 0; 0] constraints. Table 2 shows sample results. The tool generated 43 in nite closed sequential components whose temporal graphs were then examined for cycles with a negative cost. For the case (1) in Table 2 , the user does not impose any timing constraints on the system, which in fact makes any value acceptable for the remaining variables. In the case (2), the user expects the ATM to process their withdraw request within 0; 3] seconds which leads to a timing inconsistency. The tool detects the event send ENT AMOUNT as being in a cycle with a negative cost of ?1. This gave us the hint to increase the upper-bound of the delay to 4 which gave us timing consistency (case (3)). In the cases (4) and (5), we examine the e ects of the book-keeping time B 1 ; B 2 ]. Due to the implicit 0; 1) bounds we only needed to vary the lower bound. Case (6) proves the dependency between the minimum book-keeping delay B 1 and the delays between consecutive customer requests while the ATM holds the customer's card, interval Q 1 ; Q 2 ]. In the above cases, when a timing inconsistency is detected, the cost of the cycle and the involved events reported by the tool helped us to focus on which variables to adjust by which amount.
CONCLUSION
We have reviewed four proposed extensions of MSCs to express timing constraints and available analysis techniques for timing consistency of basic MSCs. The Z.120 standard timers together with delay intervals as suggested in (MengSiew 1993 , Alur et al. 1996 can describe timing constraints for events within a process and events that are directly related, i.e., via the control edge or message arrow. To express more general timing constraints, e.g., to relate events within di erent basic MSCs or processes, these extensions must be further augmented with temporal predicates (Booch et al. 1996) . Following the analysis techniques of temporal constraint networks (Dechter et al. 1991) , timing consistency of a basic MSC is reduced to checking cycles with negative cost in a directed graph (Meng-Siew 1993 , Alur et al. 1996 . To extend this analysis to MSC speci cations with iterations and branchings, we highlighted syntactic issues that the Z.120 standard syntax must address. Based on speci c syntactic recommendations, we have extended the analysis of timing consistency of bMSCs with timers and delays to the analysis of MSC speci cations with branchings and iterations. To deal with branchings, we adopted a local interpretation of the timing constraints. To handle iterations, we showed that, under a reasonable assumption, a loop in the MSC speci cation can be analyzed by analyzing a simple extension of it, hence eliminating the need to unfold the loop to examine its timing consistency. Furthermore, we have extended in this paper our syntactic analysis of process divergence in iterating MSCs in the presence of timing constraints.
