Models and temporal logical specifications for timed component connectors by Arbab, F. (Farhad) et al.
Softw Syst Model (2007) 6:59–82
DOI 10.1007/s10270-006-0009-9
SPECIAL SECTION PAPER
Models and temporal logical specifications for timed component connectors
Farhad Arbab · Christel Baier · Frank de Boer · Jan Rutten
Received: 11 February 2005 / Accepted: 2 February 2006 / Published online: 22 August 2006
© Springer-Verlag 2006
Abstract Component-based software engineering advocates construction of software systems through composition of coordinated autonomous components. Significant benefits of this approach include software reuse, simpler and faster construction, enhanced reliability, and dramatic reductions in the complexity of construction of provably correct critical systems, many of which involve real-time concerns. Effective, flexible component composition by itself still poses a challenge today, and yet the special nature of real-time constraints makes component-based construction of real-time systems even more demanding. The coordination language Reo supports compositional system construction through connectors that exogenously coordinate the interactions among the constituent components, which unawarely comprise a complex system, into a coherent collaboration. The simple, yet surprisingly rich, calculus of channel composition that underlies Reo offers a flexible framework for compositional construction of coordinating component connectors with real-time properties. In this paper, we present an operational semantics for the channel-based component connectors of Reo in terms of Timed Constraint Automata and introduce a temporal logic for specification and verification of their real-time properties.
Communicated by Dr. Jorge Cuellar.
F. Arbab · F. de Boer (B) · J. Rutten
Department of Software Engineering,
Institut für Informatik I, Universität Bonn, Bonn, Germany
Keywords Coordination · Real-time · Composition · Reo · Constraint automata · Timed automata · Linear temporal logic · Timed data streams
1998 ACM Computing Classification C.2.4, D.1.3, D.2.4, D.2.6, D.2.11, D.2.13, D.3.2, D.3.3, F.1.2, F.3.1, F.3.2, F.3.3
1 Introduction
The task of designing a complex concurrent system with several components requires a coordination model that formalizes their mutual interactions. The internals of black-box components cannot be modified to implement such coordinated interactions. Coordination, therefore, becomes the responsibility of the “glue-code” that interconnects the constituent components of a composite system, and of its underlying run-time middle-ware. Reo [6] offers a powerful glue language for implementation of coordinating component connectors based on a calculus of mobile channels.
In this paper, we consider the real-time aspects of Reo when the behavior specification of channels and component interfaces can involve timing constraints. Because connectors, not components, are the primary concern in Reo, our primary interest here is with channels whose behavior involves temporal constraints, and with their composition. For instance, a deadline t for the availability of some data can be formalized as the behavior of a FIFO channel that associates an expiration date, t, with every data item that enters its buffer: the channel loses a data item in its buffer t units of time after it enters through its source (unless, of course, it is dispensed through its sink in the meanwhile). Another example is a timer channel that becomes activated by a data item through its source, after which it returns a timeout signal through its sink, after a specified delay of exactly t units of time.
As the operational model for Reo connector circuits, we use timed constraint automata (TCA) which extend their untimed version [9] with the concepts borrowed from classical timed automata with location invariants [2,16]. TCA have two kinds of transitions: (1) internal changes of the locations caused by some time constraints and (2) transitions that represent the synchronized execution of I/O-operations at some of the ports. Using ideas similar to [9], the construction of a timed constraint automaton from a given timed Reo circuit can be performed in a compositional manner, using composition operators on TCA that model Reo’s operators join and hide to build complex connectors out of instances of basic channel types.
One conceptual difference between TCA and classical timed automata is the treatment of immediate actions or urgent synchronous channels, as they are used, e.g., in the tools [20,17,37]. The assumption that synchronous I/O-operations must be executed as soon as they become enabled makes no sense in our framework. For instance, assume that we have a FIFO channel carrying data from node A to node B and a synchronous channel from B to another node C. As soon as A places a value in the FIFO buffer it becomes available for consumption through node B, and thus, the synchronous communication between B and C becomes enabled. On the other hand, the input and output of the same data item must not occur simultaneously through a FIFO channel, by its definition. Thus, we need a delay for the synchronization between B and C. Moreover, Reo allows one to explicitly specify deadlines of “shortly delayed” activities or other time constraints (e.g., lower bounds for the delay) using an appropriate combination of timed channels.
The semantics of the TCA and timed Reo circuits relies on timed data streams as in [7,9], comprising a formalization of the possible data-flow at each node over time. To specify a desired coordination mechanism, we use a variant of linear temporal logic (LTL) [22,27] with real-time constraints, which we call timed scheduled-data-stream logic (TSDSL) and which has a semantics based on timed data streams. TSDSL essentially relies on a combination of the time-abstract temporal modalities in LTL and timed regular expressions [10]. We show through a series of examples how TSDSL can serve as a specification formalism for (timed) Reo circuits, sketch the ideas of a model checking algorithm, and explain the relation of TSDSL with refinement relations.
Related models. There are several other related real-time models that also focus on aspects of coordination. Timed interface automata (TIA) [1] or real-time variants of I/O-automata, e.g., [13,19,24], are related to TCA in the same way as their untimed versions. I/O-automata rely on the assumption of input-enabledness which is not required (and would not make sense) in constraint automata.
The purpose of TIA is orthogonal to our approach involving timed Reo connectors and TCA. (There are some conceptual differences, e.g., TIA use action labels rather than port names, but these are not important as the formal definitions of TIA and TCA can be adapted to eliminate these differences.) The major goal of TIA is to provide a formalism to specify and to check the compatibility of real-time components by means of their interfaces. Our focus is on compositional reasoning about (design and analysis of) channel-based coordination mechanisms, based on their data-flow. Thus, our framework allows one to design and analyze a coordination context in which certain components are used and to construct their interfaces, while the approach of interface automata allows one to check a-posteriori whether a design makes the components work together in the desired way.
Although compositionality in timed Reo and TCA is in the spirit of real-time process algebras, e.g., [21,29,36], Reo’s philosophy of composing connectors out of a variety of basic channel types via join and hiding and supporting any kind of synchronous or asynchronous communication differs from classical process algebra approaches which provide operators for modeling choice, parallelism, and recursion (all of which are implicit in Reo).
In some respects, Reo circuits superficially resemble Petri nets. However, there are major differences between the two. Petri nets are constructed out of a fixed set of building blocks (i.e., places, transitions, and arcs), each with a fixed behavior, that can be composed in a prescribed fashion. In contrast, Reo defines a fixed set of composition rules and allows an arbitrary set of user defined channels as primitives with arbitrary behavior, on which its composition rules can be applied to construct connector circuits. This allows a harmonious combination of synchrony and asynchrony in the same model which is not possible in Petri nets. It also allows incorporation of arbitrary computational entities into a composed Reo circuit. Specifically, as we show in this paper, real-time constraints can be easily incorporated into Reo simply by adding a few channels with time-sensitive behavior to the user-defined repertoire of primitives used in the construction of circuits, without any extension or revision of the Reo model or its composition rules. On the other hand, to express temporal constraints in Petri nets, various extended models have been proposed and studied, each revising the semantics of a basic Petri net model by associating temporal constraints with (1) the availability of tokens in places, (2) transitions, or (3) arcs [18,23,28,31].
Using proper time-sensitive channels, Reo can cover the temporal constraints modeled in various timed Petri nets. Timed or untimed Petri nets differ from Reo in that synchrony and exclusion constraints propagate through (the synchronous sub-sections of) Reo circuits. This is generally not the case in Petri nets, because their transitions are local. Petri net transition nodes enable them to directly synchronize otherwise unrelated events, thus enforcing a synchronous “and” of several arcs/events. However, Petri nets have no primitive for the dual synchronous “or” of several arcs. The “or” of several arcs is possible only if they end in the same place, which implies the commitment of moving a token into that place. This means that events/arcs can be directly and-synchronized to compose more complex synchronous transitions (i.e., one-step atomic transactions), but a synchronous “or” of events/arcs is not possible, i.e., two transitions cannot be connected together without an intervening place/commitment. This disallows a direct modeling of composite atomic transactions in Petri nets and prevents arbitrary combinations of synchrony and asynchrony.
Organization of the paper. Timed constraint automata are introduced in Sect. 2. Section 3 contains a brief overview of Reo. In Sect. 4 we introduce timed primitive channels for constructing Reo circuits, provide some examples for Reo circuits with timing constraints, and explain how timed constraint automata can serve as their operational model. Timed scheduled-data-stream logic (TSDSL) is introduced in Sect. 5. In addition, we provide some examples to illustrate how TSDSL can serve to specify timed component connectors and sketch the main steps of a TSDSL model checking algorithm. Sect. 6 concludes the paper.
2 Timed constraint automata
The formal definition of timed constraint automata arises by combining the concepts of constraint automata [9] and timed automata [2,16]. We first introduce the syntax of TCA and provide some intuitive examples (Sect. 2.1) and then provide their semantics by means of an infinite state-transition graph and the induced language of timed scheduled data streams (Sect. 2.2).
2.1 Syntax of TCA
Edges in timed constraint automata are labeled with tuples (N, dc, cc, C) where N is a set of ports/nodes that synchronously perform certain I/O-operations, dc is a data constraint that specifies the concrete values that are transferred through those I/O-operations, cc is a clock constraint, and C is a set of clocks that are reset to 0. If N = ∅ then the edge represents an internal move (in which case dc = true).
Before presenting the formal definition, we give a simple example. Figure 1 shows on its left a Reo circuit with a 1-bounded FIFO-channel with expiration, connecting nodes A and B, and a synchronous channel connecting nodes B and C. A FIFO channel “with expiration” is a lossy channel that loses any data item that remains in its buffer longer than its “expiration date”, which in this case is 3 time units after it enters the buffer of the channel. Thus, in this example, there is an implicit deadline for the data transfer operation at node B. The graph on the right shows the TCA corresponding to this Reo circuit. In the TCA on the right-hand side in Fig. 1, location s stands for the initial configuration where the buffer is empty, while location s̄(d) represents the configuration where the buffer is filled with data element d. If nodes B and C are ready for I/O-operations within 3 time units, in location s̄(d), then we assume that B takes an element d from the buffer and immediately forwards it to C. This corresponds to the transition labeled with the set {B, C} and the data constraint d_B = d_C = d. Although there is no explicit lower time bound for the delay of the {B, C}-transition, our semantics forces some time to elapse in location s̄(d) before the {B, C}-transition can fire, even if B and C are waiting for an input value. This is different in ordinary timed automata, but is needed here because a FIFO channel (by its definition) does not allow for the synchronous transfer of data from its source to its sink end. If B cannot transfer the element out of the FIFO buffer (because no I/O operation is available on C to synchronize with B), the message is lost 3 time units after entering s̄(d). This is modeled by the invariance condition x ≤ 3 at location s̄(d) which forces the automaton to leave s̄(d) if the current value of x is 3.
Fig. 1 Reo circuit and timed constraint automaton
Notation 2.1 (Data assignments, data constraints) In the sequel, we assume finite and non-empty sets Data, consisting of data items that can be transferred through channels, and 𝒩, consisting of node names. A data assignment denotes a function δ : N → Data where ∅ ≠ N ⊆ 𝒩. We use notations like δ = [A ↦ δ_A : A ∈ N] to describe the data assignment that assigns the value δ_A ∈ Data to every node A ∈ N. Data constraints can be viewed as a symbolic representation of sets of data assignments. Formally, data constraints (denoted dc) are propositional formulas built from the atoms “d_A ∈ P” and “d_A = d_B” where A, B ∈ 𝒩 and P ⊆ Data (plus the standard boolean connectors ∧, ∨, ¬, etc.). For N ⊆ 𝒩, DA(N) denotes the set of all data assignments for the node-set N and DC(N) the set of data constraints that at most refer to the terms d_A for A ∈ N. We write DA for ⋃_{∅ ≠ N ⊆ 𝒩} DA(N) and DC for DC(𝒩). ⊓⊔
Notation 2.2 (Clock assignments, clock constraints) Let 𝒞 be a finite set of clocks. A clock assignment means a function ν : 𝒞 → ℝ≥0. If t ∈ ℝ≥0 then ν + t denotes the clock assignment that assigns the value ν(x) + t to every clock x ∈ 𝒞. If C ⊆ 𝒞 then ν[C := 0] stands for the clock assignment that returns the value 0 for every clock x ∈ C and the value ν(x) for every clock x ∈ 𝒞 \ C. A clock constraint (denoted cc) for 𝒞 is a conjunction of atoms of the form “x ⋈ n” where x ∈ 𝒞, ⋈ ∈ {<, ≤, >, ≥, =} and n ∈ ℕ. CA(𝒞) (or CA) denotes the set of all clock assignments and CC(𝒞) (or CC) the set of all clock constraints. ⊓⊔
The symbol ⊨ stands for the obvious satisfaction relation for data (or clock) constraints which results from interpreting data (clock) constraints over data (clock) assignments. Satisfiability, validity, logical equivalence ≡ and logical implication ≤ of data (clock) constraints are defined as usual. For data constraints, we often use simplified notations such as “d_A = d” rather than “d_A ∈ {d}”.
Definition 2.3 (Timed constraint automata) A TCA is a tuple T = (S, 𝒞, 𝒩, ℰ, S_0, ic) where S is a finite set of control states (also called locations), 𝒞 a finite set of clocks, 𝒩 a finite set of node names, and S_0 ⊆ S a set of initial locations. ic : S → CC is a function that assigns to any location s an invariance condition ic(s). The edge relation ℰ is a subset of S × 2^𝒩 × DC × CC × 2^𝒞 × S such that dc ∈ DC(N) for any edge e = (s, N, dc, cc, C, s̄) ∈ ℰ. Moreover, we assume that all data and clock guards on the edges and the invariance conditions are satisfiable. (For edges with the empty node-set, we require a data constraint dc with dc ≡ true.) ⊓⊔
The automaton in Fig. 1 is a simplified picture for a TCA where d is used as a data parameter. The presented TCA has the location space S = {s} ∪ {s̄(d) : d ∈ Data}. For instance, if Data = {0, 1} then the label “{A}, x := 0, d := d_A” in the parametric TCA for the edge leading from location s to s̄(d) stands for the two edges
s —{A}, x := 0, d_A = 0→ s̄(0)   and   s —{A}, x := 0, d_A = 1→ s̄(1)
in the non-parametric TCA. That is, the assignment “d := d_A” in the parametric version stands for the data constraint d_A = d in the TCA. These parametric TCA only serve to simplify the pictures for TCA with data-dependent edges.
An interface specification of a timed sequencer that coordinates the data-flow of two components via synchronous channels is shown in Fig. 2. Here and in the sequel, we skip the guards (data or clock constraint) of the edges when they are true. We assume the deadline t = 3 for the write-operations, that is, the sequencer in location s waits up to 3 time units to synchronize with component 1. If it fails then the sequencer moves via the edge labeled with the empty set to location s̄ and tries to synchronize with component 2, and so on. Note that a single clock x suffices since clock x serves to measure the amount of time staying in one of the locations s or s̄. After changing the location, clock x is “reused” to measure the sojourn time in the new location.
Example 2.4 (Alternating Bit Protocol) We consider a variant of the ABP where two components (the sender and the receiver) are connected via lossy synchronous channels. We follow here essentially the description in [25] but do not assume unreliable channels that may lose data in an unpredictable way. Instead, we assume lossy synchronous channels (as in Reo, see Sect. 4) where a data item written to the source end of such a channel is lost if the sink end of the channel cannot perform a
Via its input port I, the sender is fed with some input which it delivers to the receiver via the channel connecting ports A and C. The receiver acknowledges the receipt of the message via the channel between D and B and outputs the message through its port O. The sender attaches a bit to the messages and expects the corresponding control bit as acknowledgment. If the expected control bit b arrives through port B then the sender switches its mode and sends the next message together with the bit −b. If a certain deadline (t_S in our example) expires then the sender resends the message with the same control bit b with a delay of at most ρ_S. The same upper bound ρ_S is assumed for the time interval between the receipt of a message d on input port I and the sending of a message from output port A. Acknowledgments that contain a non-expected control bit are ignored as they belong to the previous message.
The behavior of the receiver is complementary to that of the sender. In mode b, the receiver waits for the arrival of an input (d, b) through its port C and acknowledges its receipt with the bit b, while messages of the form (d, −b) are ignored. The receiver resends the acknowledgment if the next message with the expected control bit b does not arrive within t_R time units. (In particular, the receiver resends the control bit of the last message infinitely many times if data-flow at port I eventually terminates.) Moreover, we assume the upper time bound ρ_R for the success of the write-operation on output port O as well as the receiver’s acknowledgment by sending the control bit.
Figure 3 shows the interface specifications for the sender and the receiver as (data parametrized) TCA. We assume here the data domain Data = {0, 1} ∪ Msg ∪ Msg × {0, 1} and write msg to denote the projection of the pairs (d, b) to the message-component (i.e., msg(d, b) = d). For the sender we use the locations in(b), try(d, b) and wait(d, b) where d ∈ Msg and b ∈ {0, 1} is the control bit. In location in(b) the sender waits for the next input value d. In location try(d, b), the sender tries to deliver the obtained message d by sending (d, b) along channel AC. Location wait(d, b) serves to wait for the acknowledgement (control bit b) and to resend message d after t_S time units. The intuitive meaning of the locations of the receiver is analogous: in location out(d, b) the receiver delivers the obtained data item d via output port O, while locations wait(b) and ack(b) represent waiting for an input (d, b) via channel AC and acknowledging the receipt of a message, respectively.
Fig. 2 Timed sequencer
Figure 4 shows the “combined” TCA T_ABP for the ABP. Essentially, this TCA is obtained by the join operator (see Definition 4.5), while taking care of the special semantics of lossy synchronous channels, which forces its sink and source ends to synchronize if both can perform I/O-operations. ⊓⊔
2.2 The state-transition graph of a TCA
So far we described the syntax of TCA and gave some intuitive explanations for their meaning. The following definition formalizes this intuitive behavior by means of a state-transition graph. Following the standard semantics of timed automata [2,16], we use a dense time domain where the values of the clocks can be arbitrary real numbers. Dense time models are more appropriate than discrete time models when dealing with distributed, asynchronous systems where the components are not synchronized via a single global clock. The states consist of the current location of the TCA and the current values of the clocks. The transitions corresponding to a set of visible I/O-operations arise through passage of time, followed by the I/O-operations specified by some edge with a non-empty node-set. Invisible transitions (transitions with no observable data flow) are obtained by the edges with empty node-set. They can occur immediately, i.e., without any passage of time, in the current location.
Definition 2.5 (State-transition graph of a TCA) Given a TCA T as above, T induces a state-transition graph A_T = (Q, −→, Q_0) as follows. The states are pairs q = ⟨s, ν⟩ consisting of a location s and a clock assignment ν. Thus, the state space is Q = S × CA. The set of initial states is Q_0 = {⟨s_0, 0⟩ : s_0 ∈ S_0, 0 ⊨ ic(s_0)} where 0 stands for the clock assignment that returns the value 0 for all clocks. The transition relation −→ ⊆ Q × 2^𝒩 × DA × ℝ≥0 × Q is defined by the following rules:
(s, N, dc, cc, C, s̄) ∈ ℰ,   t > 0 s.t. ν + t̄ ⊨ ic(s) for all 0 < t̄ ≤ t,
(ν + t)[C := 0] ⊨ ic(s̄) and ν + t ⊨ cc,   δ ∈ DA(N) s.t. δ ⊨ dc
────────────────────────────────────────────────────────────
⟨s, ν⟩ —N, δ, t→ ⟨s̄, (ν + t)[C := 0]⟩
If N = ∅, we use in addition the same rule with t = 0:
(s, ∅, true, cc, C, s̄) ∈ ℰ,   ν[C := 0] ⊨ ic(s̄),   ν ⊨ cc
────────────────────────────────────────────────────────────
⟨s, ν⟩ —∅, ∅, 0→ ⟨s̄, ν[C := 0]⟩
A state q = ⟨s, ν⟩ is called terminal iff it has no outgoing transitions, but allows the possibility for unbounded passage of time, i.e., ν + t ⊨ ic(s) for all t > 0. A time-lock refers to a state q = ⟨s, ν⟩ that has no outgoing transitions and for which there exists some t > 0 with ν + t ⊭ ic(s). T is called time-lock free iff A_T does not contain a reachable time-lock. ⊓⊔
Fig. 3 TCA for the sender and the receiver of the ABP
For instance, the reachable part of the state-transition graph of the timed sequencer in Fig. 2 consists of the states ⟨s, x = ϑ⟩ and ⟨s̄, x = ϑ⟩ where ϑ ∈ [0, 3]. The outgoing transitions of the states ⟨s, x = ϑ⟩ with 0 ≤ ϑ < 3 are:
⟨s, x = ϑ⟩ —{A}, true, t→ ⟨s̄, x = 0⟩, where t > 0 and ϑ + t < 3,
and ⟨s, x = ϑ⟩ —∅, true, 3 − ϑ→ ⟨s̄, x = 0⟩. For state ⟨s, x = 3⟩ there is only a single outgoing transition, namely
⟨s, x = 3⟩ —∅, true, 0→ ⟨s̄, x = 0⟩,
which is taken without any further passage of time in location s. The outgoing transitions of the states ⟨s̄, x = ϑ⟩ are analogous. Thus, the timed sequencer in Fig. 2 is time-lock free. However, if we remove the clock reset “x := 0” from the two edges with empty node-sets then the resulting TCA has a time-lock in states ⟨s, x = 3⟩ and ⟨s̄, x = 3⟩ since the invariance conditions in s and s̄ do not allow for any passage of time.
Edges with non-empty node-sets can fire only after some positive delay. This reflects the general idea of constraint automata where all observable activities that occur at the same time instant (i.e., atomically) are collapsed into a single transition.
Notation 2.6 (Runs, time divergence) Let T be a TCA as before and q = ⟨s, ν⟩ a state in A_T. A q-run (or briefly run) in T denotes any (finite or infinite) sequence of successive transitions in A_T starting in state q. Formally, a q-run has the form
q = q_0 —N_0, δ_0, t_0→ q_1 —N_1, δ_1, t_1→ ···,
where q_0 = q. The q-run is called initial if q_0 ∈ Q_0. It is called time divergent if it is infinite and t_0 + t_1 + … = ω. Maximality of a run means that it is either time divergent or finite and ends in a terminal state. ⊓⊔
Intuitively, N_i is the set of nodes in state q_i that are scheduled to synchronously perform the next set of I/O-operations, while δ_i represents the concrete values that are exchanged through those operations at the nodes A ∈ N_i. The value t_i stands for the delay.
We next define the notion of a TSD stream which will serve to formalize the observable data flow of the runs in a TCA. TSD streams are sequences of triples (N, δ, t̄) where N is a nonempty node-set, δ a data assignment for the nodes in N and t̄ a point in time. The intuitive meaning of (N, δ, t̄) is that at time t̄ the nodes A ∈ N simultaneously perform the I/O-operations specified by the pair (N, δ).
Notation 2.7 (TSD stream) A timed scheduled data stream for a node-set 𝒩 denotes any (finite or infinite) sequence (N_0, δ_0, t̄_0), (N_1, δ_1, t̄_1), … ∈ (2^𝒩 × DA × ℝ>0)^∞ such that N_i ≠ ∅, δ_i ∈ DA(N_i), 0 < t̄_0 < t̄_1 < … and lim_{i→∞} t̄_i = ω if the stream is infinite. The empty TSD stream is denoted by the symbol ε. The length of a TSD stream, an element of ℕ ∪ {ω}, is defined as the number of triples (N, δ, t̄) in it. The execution time τ of a TSD stream is ω if the stream is infinite, t̄_k if its length is k + 1, and 0 if it is ε. We write TSDS(𝒩) or simply TSDS to denote the set of all TSD streams for the node-set 𝒩. ⊓⊔
Notation 2.8 (TSDS-language of a TCA) If q is a run in a TCA T as above then the induced TSD stream (N_{i_0}, δ_{i_0}, t̄_{i_0}), (N_{i_1}, δ_{i_1}, t̄_{i_1}), … is obtained from q by (1) removing all transitions in q with the empty node-set, (2) building the projection on the transition labels, and (3) replacing the sojourn times t_i by the absolute time points t̄_i = t_0 + ··· + t_i. The generated language L(T, q) of a state q in A_T consists of the TSD streams induced by the maximal q-runs. The language L(T) consists of all TSD streams induced by maximal initial runs. ⊓⊔
Fig. 4 TCA T_ABP for the ABP
For instance, the language of the timed sequencer in Fig. 2 consists of all TSD streams ((N_i, δ_i, t̄_i))_i where N_i ∈ {{A}, {B}} and t̄_{i+1} − t̄_i > 3 if N_{i+1} = N_i.
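The transition rules of Definition 2.5, the terminal/time-lock distinction, and the passage from a run to its TSD stream (Notation 2.8), worked for the timed sequencer of Fig. 2 as an added Python example that is not part of the paper. It assumes a single clock x, invariants of the form x ≤ n and integer guards (so probing integer and midpoint delays suffices), omits data constraints, and uses a constructed variant without the timeout edges to exhibit a time-lock.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

Clock = Fraction           # exact rationals stand in for the dense time domain
State = Tuple[str, Clock]  # <s, x = value> for the single clock x

@dataclass(frozen=True)
class Edge:
    src: str
    nodes: FrozenSet[str]            # node-set N; frozenset() is an internal move
    guard: Callable[[Clock], bool]   # clock constraint cc, evaluated on x
    reset: bool                      # C = {x} if True, C = {} otherwise
    dst: str

@dataclass
class TCA:
    inv_bound: Dict[str, Optional[int]]  # ic(s) is "x <= n"; None means ic(s) = true
    edges: List[Edge]
    initial: State

def holds_invariant(tca: TCA, s: str, x: Clock) -> bool:
    bound = tca.inv_bound[s]
    return bound is None or x <= bound

def successors(tca: TCA, state: State, t: Clock) -> list:
    """Transitions <s,x> --N,t--> <s',x'> of Definition 2.5 for a given delay t:
    non-empty node-sets need t > 0, internal edges may also fire with t = 0."""
    s, x = state
    out = []
    for e in tca.edges:
        if e.src != s or t < 0 or (e.nodes and t == 0):
            continue
        # ic(s) must hold for all 0 < t' <= t; as ic(s) is an upper bound on x,
        # checking the end point x + t suffices
        if t > 0 and not holds_invariant(tca, s, x + t):
            continue
        if not e.guard(x + t):
            continue
        x_new = Clock(0) if e.reset else x + t
        if holds_invariant(tca, e.dst, x_new):
            out.append((e.nodes, t, (e.dst, x_new)))
    return out

def candidate_delays(x: Clock, limit: int) -> List[Clock]:
    """0, every integer point up to limit and the midpoints in between: with
    integer guards an edge enabled for some delay is enabled for one of these."""
    cands = [Clock(0)]
    for k in range(int(x) + 1, limit + 1):
        for target in (Clock(2 * k - 1, 2), Clock(k)):
            if target > x:
                cands.append(target - x)
    return cands

def classify(tca: TCA, state: State, horizon: int = 10) -> str:
    """'live' if some transition leaves the state, else 'terminal' if time may
    pass unboundedly, else 'time-lock' (Definition 2.5)."""
    s, x = state
    bound = tca.inv_bound[s]
    limit = bound if bound is not None else int(x) + horizon
    if any(successors(tca, state, t) for t in candidate_delays(x, limit)):
        return "live"
    return "terminal" if bound is None else "time-lock"

def timed_sequencer(timeout_edges: bool = True) -> TCA:
    """Timed sequencer of Fig. 2 with deadline 3. timeout_edges=False drops the
    internal edges (a constructed variant, not the paper's) so that <s, x = 3>
    has no way out while ic(s) forbids further passage of time."""
    edges = [Edge("s", frozenset({"A"}), lambda x: x < 3, True, "s_bar"),
             Edge("s_bar", frozenset({"B"}), lambda x: x < 3, True, "s")]
    if timeout_edges:
        edges += [Edge("s", frozenset(), lambda x: x == 3, True, "s_bar"),
                  Edge("s_bar", frozenset(), lambda x: x == 3, True, "s")]
    return TCA({"s": 3, "s_bar": 3}, edges, ("s", Clock(0)))

def run(tca: TCA, schedule) -> list:
    """Execute (node-set, delay) steps from the initial state and return the
    transitions taken (a run, Notation 2.6); ValueError if a step is not enabled."""
    state, steps = tca.initial, []
    for nodes, t in schedule:
        hits = [tr for tr in successors(tca, state, Clock(t)) if tr[0] == frozenset(nodes)]
        if not hits:
            raise ValueError(f"{set(nodes)} after delay {t} is not enabled in {state}")
        steps.append(hits[0])
        state = hits[0][2]
    return steps

def tsd_stream(steps) -> list:
    """Notation 2.8: drop internal steps and turn sojourn times into absolute
    time points, giving the TSD stream ((N_i, t̄_i))_i (data omitted)."""
    now, stream = Clock(0), []
    for nodes, t, _ in steps:
        now += t
        if nodes:
            stream.append((set(nodes), now))
    return stream

def in_sequencer_language(stream) -> bool:
    """Property stated in the text for the sequencer's language: every N_i is
    {A} or {B}, and t̄_{i+1} - t̄_i > 3 whenever N_{i+1} = N_i."""
    if any(n not in ({"A"}, {"B"}) for n, _ in stream):
        return False
    return all(n0 != n1 or t1 - t0 > 3
               for (n0, t0), (n1, t1) in zip(stream, stream[1:]))

if __name__ == "__main__":
    seq = timed_sequencer()
    print(tsd_stream(run(seq, [({"A"}, 1), (set(), 3), ({"A"}, 2)])))
    print(classify(seq, ("s", Clock(3))), classify(timed_sequencer(False), ("s", Clock(3))))
```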
3 A Reo primer
Reo [6] is a channel-based exogenous coordination model wherein complex coordinators, called connectors, are compositionally built out of simpler ones. The simplest connectors in Reo are a set of channels with well-defined behavior supplied by users. Components can instantiate, compose, connect to, and perform I/O operations through connectors. Here, as in [7,9], we do not consider the dynamic creation, composition, and reconfiguration of connectors by components. We restrict our attention to connectors that have a static graphical representation as a Reo circuit which coordinates the data-flow through the channels connecting the input/output ports of components.
Channels. Reo’s notion of channel is far more general than its common interpretation and allows for any primitive communication medium with exactly two ends. The channel ends are classified as source ends through which data enter and sink ends through which data leave a channel. Although Reo allows for an open-ended set of channel-types with user-defined semantics, for our purposes in this paper, we restrict ourselves to only a small set of channel-types, defined below.
The simplest form of an asynchronous channel is a FIFO channel with one buffer cell (called a 1-bounded FIFO channel or simply a FIFO1 channel). It has a source- and a sink-end. We graphically represent a FIFO1 channel by a small box in the middle of an arrow. The buffer is assumed to be initially empty if no data item is shown in the box. The graphical representation of a FIFO1-channel whose buffer initially contains a data element d shows d inside the box. FIFO channels with two or more buffer cells can be produced by composing several FIFO1 channels, as for instance, explained in [7,9].
A synchronous channel (depicted as a simple solid arrow) has a source- and a sink-end, and no buffer. It accepts a data item through its source end iff it can simultaneously dispense it through its sink. A lossy synchronous channel (depicted as a dashed arrow) is similar to a synchronous channel, except that it always accepts all data items through its source end. If it is possible for it to simultaneously dispense the data item through its sink (e.g., there is a take operation pending on its sink) the channel transfers the data item; otherwise the data item is lost.
More exotic channels permitted in Reo are synchronous and asynchronous drains that have two source ends. Because drains have no sink end, no data value can ever be obtained from these channels. Thus, a synchronous drain accepts a data item through one of its ends iff a data item is also available for it to simultaneously accept through its other end as well. All data accepted by this channel are lost. An asynchronous drain accepts and loses data items through its two source ends, but never simultaneously. Synchronous and asynchronous spouts are duals of their corresponding drain channel types, as they have two sink ends.
Reo circuits. A complex connector has a graphical representation, called a Reo circuit, as a finite graph where the nodes are labeled with pairwise disjoint, non-empty sets of channel ends and where the edges represent the established channels. The major operations for creating Reo connector circuits are join and hide.
To construct a Reo circuit, we start with several instances of basic channels and organize them in a graph where initially each channel end constitutes a separate node, and each pair of nodes is connected by an edge representing its respective channel. We then apply a series of join operations, each of which takes as input two nodes A and B and combines them into a new node C. In this way, several channel ends may coincide on one node.
Reo nodes are neither physical locations nor do they represent components. A node is a fundamental concept in Reo representing an important topological property: coincidence of its channel ends. As described below, this property entails specific implications in Reo regarding the flow of data among the channel ends that coincide on a node, irrespective of concern for their locations or any component that may perform I/O operations on that node.
The set of channel ends coincident on a node A is disjointly partitioned into the sets Src(A) and Snk(A), denoting the sets of source and sink channel ends that coincide on A, respectively. A node is called a source node if Src(A) ≠ ∅ ∧ Snk(A) = ∅. Analogously, A is called a sink node if Src(A) = ∅ ∧ Snk(A) ≠ ∅. Node A is called a mixed node if Src(A) ≠ ∅ ∧ Snk(A) ≠ ∅. Intuitively, source nodes of a circuit are analogous to the input ports, and sink nodes to the output ports of a component, while mixed nodes are its hidden internal details. Components cannot connect to, read from, or write to mixed nodes. Instead, data-flow through mixed nodes is totally specified by the circuits they belong to.
A component can write data items to a source node
of a Reo circuit that it is connected to. A write oper-
ation succeeds only if all (source) channel ends coinci-
dent on the node accept the data item, in which case the
data item is transparently written to every source end
coincident on the node. A source node, thus, acts as a
replicator.
A component can obtain data items from a sink node
of a Reo circuit that it is connected to through input
operations.1 A take operation succeeds only if at least
one of the (sink) channel ends coincident on the node
offers a suitable data item; if more than one coincident
channel end offers suitable data items, one is selected
nondeterministically. A sink node, thus, acts as a nonde-
terministic merger.
A mixed node is a self-contained “pumping station”
that combines the behavior of a sink node (merger) and
a source node (replicator) in an atomic iteration of an
endless loop: in every iteration a mixed node nondeter-
ministically selects and takes a suitable data item offered
by one of its coincident sink channel ends and replicates
it into all of its coincident source channel ends. A data
item is suitable for selection in an iteration only if it can be accepted by all source channel ends that coincide on the mixed node.
1 We consider only the destructive take operation here which, e.g., on a FIFO channel, reads and removes the first data item in its buffer.
Reo nodes contain no memory. While a component
that performs a write operation on a source node may
suspend (if the circuit that the node belongs to is not
ready to allow the write to succeed), holding the value
in its blocked write operation (indefinitely or until an
optional time-out specified in the write operation), a
Reo node cannot “hold” or represent any data. All data
transfer through a Reo node is strictly synchronous (i.e.,
atomic).
The hide operator allows to create “components” by
putting a thick box around a circuit. This insulates all
mixed nodes of the circuit inside the box and allows
access to its sink and source nodes only, which are placed
on the border of the box. The idea is that mixed nodes
are internal to the component and no other component
can modify or connect to them. Formally, we make hid-
den (mixed) nodes invisible and abstract their names
away.
Example 3.1 (Exclusive router and shift-lossy FIFO1 channel) Fig. 5a shows an implementation of an exclusive
router built by composing five synchronous channels,
two lossy synchronous channels and a synchronous
drain. The intuitive behavior of this circuit is that
through its source node A, it obtains a data item d from
its environment and delivers d to one of its sink nodes
B or C. If both B and C are willing to accept d then the
exclusive router nondeterministically decides to deliver
d to either B or C.
The key to understanding the behavior of this circuit
is that for dataflow to occur at A, data flow must synchronously also occur at the bottom node of the synchronous
drain in Fig. 5a. This is a mixed node, with two sink and
one source coincident channel ends. Data flow at this
node can occur only if one of the two lossy synchro-
nous channels actually transfers (rather than losing) the
data item available at A. This precludes the possibility
of both lossy synchronous channels losing this data item,
while the merger behavior of the mixed node prevents the possibility of both making a transfer. If data flow is possible at only one of B and C, the merge behavior of the mixed node allows its respective lossy synchronous channel to pass data, forcing the other to lose it. If data flow is possible at both B and C, the merge behavior of the mixed node
non-deterministically selects the value available at one
of its two sink channel ends, allowing its corresponding
lossy synchronous channel to pass, and the other to lose,
its data.
The circuit in Fig. 5b shows an implementation of
a shift-lossy FIFO1 channel with source node A and
sink node B. This implementation uses four synchronous
channels, a synchronous drain, a FIFO1 channel whose
buffer initially contains a token data item, o, an empty
FIFO2 channel, and an instance of the exclusive router
of Fig. 5a shown as the box labeled EXR. A shift-lossy
FIFO1 channel behaves the same as a FIFO1 channel,
except that writing to its source end is never blocked.
If at the time of a write operation its buffer is full, the
stored data item in the buffer is lost and the new data
item replaces it in the buffer.
If the FIFO2 channel in Fig. 5b is not empty and
there is a pair of write and take operations pending,
respectively, on the nodes A and B, it is possible for this
circuit to either (1) lose the contents of the FIFO2 chan-
nel and accept the data item through A to replace it,
delaying the take on B; or (2) delay the write on A and
dispense the contents of the FIFO2 channel through B.
The non-deterministic behavior of the EXR circuit used
here makes the choice between these two alternatives
non-deterministic. Thus, the shift-lossy FIFO1 channel
constructed here breaks the tie non-deterministically,
when its buffer is full, and data flow is possible at both
of its ends (otherwise, i.e., when the FIFO2 channel is
empty, or data flow is not possible at A or B, the circuit
has no choice). While, generally, we prefer this non-
deterministic behavior, it is also possible to construct
similar shift-lossy FIFO1 channels that deterministically
prefer one of the two alternatives, by replacing the EXR
in Fig. 5b with a priority router.
Derivation of the constraint automata representing
the observable behavior of each of these Reo circuits as
compositions of the constraint automata representing
the behavior of the individual primitives used in their
respective Reo circuits appears in [9]. ⊔
In spite of its simplicity, the semantics of Reo is indeed
very rich, yielding a surprisingly expressive language [6].
For instance, the relational (as opposed to functional)
dependencies that result in “propagation of synchrony
and exclusion” as well as the way in which the local
behavior of, e.g., lossy synchronous channels imposes
non-local constraints on a circuit, are already evident in
the exclusive router of Fig. 5a. Examples of Reo circuits
with more interesting behavior can be found elsewhere
and the reader is encouraged to see [30] (in [26]) and [7]
for the simple, rich, and expressive formal semantics of
Reo.
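The node rules of Sect. 3 (replication at source and mixed nodes, nondeterministic merging at sink and mixed nodes) together with the per-channel constraints are what produce the "propagation of synchrony and exclusion" just mentioned. The following Python script is an added illustration and not code from the paper or from the Reo project: it enumerates every consistent activity pattern of the channel ends of an untimed Reo circuit by brute force and reports which boundary nodes can fire together in one synchronous step, given the boundary nodes on which the environment currently has a pending write or take. The wiring of the exclusive router is reconstructed from the description of Fig. 5a (five synchronous channels, two lossy synchronous channels and one synchronous drain); the intermediate node names X, B1, C1 and N are our assumptions.

```python
from itertools import product

# Constructed model of the exclusive router of Fig. 5a.  The wiring is our
# reconstruction from the text; the mixed-node names X, B1, C1, N are assumed.
# 'sync' and 'lossy' channels have their source end at the first node and
# their sink end at the second; a 'drain' has source ends at both nodes.
XROUTER = [
    ('sync',  'A',  'X'),    # A replicates into the mixed node X
    ('lossy', 'X',  'B1'),   # X replicates into two lossy channels ...
    ('lossy', 'X',  'C1'),
    ('drain', 'X',  'N'),    # ... and into one end of the synchronous drain
    ('sync',  'B1', 'B'),    # B1 replicates towards the sink node B ...
    ('sync',  'B1', 'N'),    # ... and towards the merger node N
    ('sync',  'C1', 'C'),
    ('sync',  'C1', 'N'),
]
XROUTER_BOUNDARY = {'A', 'B', 'C'}   # source node A, sink nodes B and C


def channel_modes(kind):
    """Allowed (source end active, sink end active) pairs of one channel in one step."""
    if kind == 'lossy':
        return ((False, False), (True, False), (True, True))   # idle, lose, pass
    return ((False, False), (True, True))                      # sync / drain: both or none


def reo_steps(channels, boundary, ready):
    """Observable one-step behaviours of an untimed Reo circuit.

    `ready` is the set of boundary nodes on which a component has a pending
    write (source node) or take (sink node).  Returns the set of frozensets
    of boundary nodes through which data flows in one synchronous step.
    """
    src_ends, snk_ends = {}, {}          # node -> ends where data enters / leaves a channel
    for i, (kind, n1, n2) in enumerate(channels):
        src_ends.setdefault(n1, []).append((i, 0))
        (src_ends if kind == 'drain' else snk_ends).setdefault(n2, []).append((i, 1))
    nodes = set(src_ends) | set(snk_ends)
    steps = set()
    for modes in product(*(channel_modes(k) for k, _, _ in channels)):
        act = {(i, j): modes[i][j] for i in range(len(channels)) for j in (0, 1)}
        flow, ok = set(), True
        for n in nodes:
            ins = [act[e] for e in snk_ends.get(n, [])]
            outs = [act[e] for e in src_ends.get(n, [])]
            if sum(ins) > 1:                 # merger: at most one sink end delivers
                ok = False
                break
            if n in boundary:
                if any(ins) or any(outs):
                    # flow at a boundary node needs the component's pending I/O
                    # operation, and a source node replicates into all its ends
                    ok = n in ready and (not any(outs) or all(outs))
                    if not ok:
                        break
                    flow.add(n)
            elif any(o != any(ins) for o in outs):
                # mixed node: every source end fires iff exactly one sink end delivers
                ok = False
                break
        if ok and flow:
            steps.add(frozenset(flow))
    return steps


if __name__ == '__main__':
    for ready in ({'A', 'B', 'C'}, {'A', 'B'}, {'A'}, {'B', 'C'}):
        print(sorted(ready), '->', [sorted(s) for s in reo_steps(XROUTER, XROUTER_BOUNDARY, ready)])
```

With A, B and C all ready the only steps are {A, B} and {A, C}, never {A, B, C} and never A alone: the drain at X forces flow at N, the merger at N admits exactly one of the channels from B1 and C1, and the replicator at B1 (or C1) in turn requires the sink node to accept, so a lossy channel can pass its item only when the corresponding output is ready. This is the non-local constraint on the circuit that the text attributes to the local behaviour of the lossy channels.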
4 Timed Reo circuits
We now extend the set of primitive channels that we use
in the Reo framework by adding channels with timing
constraints for the enabledness of their I/O-operations.
We first give some examples for "timed channels" and provide their semantics by means of TCA (Sect. 4.1). Next, we explain how the concepts of join and hiding can be realized with TCA, which yields a compositional way for constructing the TCA for a given Reo circuit with timed channels (Sect. 4.3).
Fig. 5 Exclusive router (a) and shift-lossy FIFO1 channel (b)
4.1 Untimed and timed primitive channels
Reo defines what a channel is and how channels, as
atomic connectors, can be composed into more complex
connectors; however, it offers no specific channels. In-
stead, it allows an open-ended set of user-defined chan-
nel types as primitives for constructing connector cir-
cuits. This makes it easy to extend Reo circuits to cover
timed behavior by introducing a few primitive channels
with time-sensitive behavior. In the sequel, we define a
number of channel types that we will later use in our
timed Reo circuit examples.
FIFO channels. Analogous to a FIFO1 channel, shown on the left-hand side of the figure below, on the right-hand side of this figure we show a timed-lossy variant of this channel, called expiring FIFO1, where a data item is lost if it is not taken out of the buffer through the sink end
[figure: FIFO1 channel (left) and expiring FIFO1 channel (right)]
Figure 6 shows the TCA for the FIFO1 and expiring FIFO1 channels. The edge from s to s̄(d) models A's write action. The two edges from s̄(d) to s stand for the event where B takes the message out of the buffer and for the event where the message is lost if B's read action does not occur before t time units after A's write action. The loop at location s̄(d) covers the case where A puts a message d into the buffer at some point in time ϑ, followed by the next message d′ exactly three time units later (at time ϑ + 3). In this case, the old message d is replaced by d′ and the TCA moves from location s̄(d) to s̄(d′) without passing through location s.
If we skip the loop at s̄(d) the TCA will have a different behavior. The modified TCA, shown later in Example 4.1 (Fig. 12), is called a TCA for an expiring FIFO1 channel with delay. For instance, if B is never enabled to take an element out of the buffer then the original TCA allows A to write at time points 0, t, 2t, 3t, . . ., while the TCA for an expiring FIFO1 channel with delay requires some delays between the loss of the stored message (where the TCA moves from s̄(d) back to s) and A's next write operation. Formally,
({A}, dA = d, 0), ({A}, dA = d, t), ({A}, dA = d, 2t), ({A}, dA = d, 3t), . . .
is in the TSDS-language of the TCA shown on the right of Fig. 6, but not of the TCA for an expiring FIFO1 channel with delay.
Synchronous channels. In the examples we discuss later,
we use different types of synchronous channels. Here,
we briefly explain their behavior and show how they can
be modelled by TCA. The TCA for these synchronous
channels do not have proper timing constraints (and do
not use any clock).
We start with a standard synchronous channel,
depicted as a solid arrow, where the write and take oper-
ations must synchronize. The behavior of a (standard)
synchronous channel, is formalized by a TCA with a
single location:
A P-producer is a synchronous channel that, like a standard synchronous channel, allows write and take operations to succeed atomically on its source and sink ends, respectively, except that the value dispensed through this channel's sink end is always a data element d ∈ P, regardless of the value it consumes through its source end. If |P| ≥ 2 then the dispensed data element
Fig. 6 TCA for a standard and an expiring FIFO1 channel
The figure below shows a TCA that captures the gen-
eral “possible” behavior of a lossy synchronous channel.
To model the context-sensitive behavior of a lossy channel where the {A}-transition is impossible if B is ready to
synchronize, the concept of priorities can be used. The
rough idea is to assign a higher priority to the {A,B}-
edge than to the {A}-edge stating that A and B must
synchronize whenever possible. The technical details of
constraint automata with priorities are more difficult
The above mentioned types of synchronous channels have one source end and one sink end. An example of a channel with two source ends is a synchronous drain that accepts a data item through one of its ends iff a data item is also available for it to simultaneously accept through its other end as well. The values written at the sources of a drain are irrelevant. The picture for a synchronous drain and its TCA is as follows:2
[figure: synchronous drain with ends A and B; the only edge of its TCA is labelled {A, B}]
Timers. We now describe a few timer channels that can
serve to measure the time between two events and pro-
duce timeout signals. Each of these timer channels has
one source end and one sink end.
The source end of a t-timer channel (see Fig. 7) accepts any input value d ∈ Data and returns on its sink end a timeout signal after a delay of t time units. The intuitive explanation for the loop at state s̄ is as for the expiring FIFO1 channel.
2 Recall that we skip valid data constraints. That is, in the TCA for the synchronous drain the data constraint true is not mentioned in the label of the edge.
A t-timer with the off-option allows the timer to be
stopped before the expiration of its delay when a special
“off” value is consumed through its source end. Simi-
larly, the reset-option allows the timer to be reset to 0
after it has been activated when a special “reset” value
is consumed through its source end. Figure 8 shows a
t-timer with both the reset- and the off-options.
A timer with early expiration, shown in Fig. 9, makes
the timer produce its timeout signal through its sink and
reset itself when it consumes a special “expire” value
through its source.
In some cases, it is useful to have a timer that is ini-
tially activated. In the graphical representation of this
timer, we simply put the word “on” under its circle-
symbol. In its TCA, we declare s¯ as the initial location
(rather than s).
4.2 Examples for timed Reo circuits
Before presenting the formal definitions of the compo-
sition operators join and hide on TCA, we provide a few
examples for timed Reo circuits. These are obtained by
combining channel instances through a series of join and
hide operations.
Figure 10 demonstrates how to build a Reo circuit via
join and hide.3 The resulting circuit repeatedly produces
a timeout signal through T after t time units unless a data
transfer occurs from A to B within that interval. Mixed
node I serves as an initializer which activates the timer.
Either A and B synchronize before the timer expires
or the timeout signal occurs at T (after exactly t time
units). In either case, the buffer is refilled and the whole
procedure restarts.
In (timed) constraint automata models of Reo circuits, locations stand for the configurations of the circuits (e.g., contents of the FIFO channels) while transitions stand for the possible data-flow at one time instance and its effect on the configuration. Intuitively, if we regard a circuit itself as a component, the source nodes of the circuit act as the input ports, and its sink nodes as the output ports of the component. The data-flow through mixed nodes is totally specified by the circuit.
3 In this picture, the buffer of the FIFO channel between F and I is initially filled with the data item 0. The corresponding TCA is as shown on the left of Fig. 6, except that s̄(0) serves as starting location.
Fig. 7 t-timer and its TCA
Fig. 8 t-timer with off- and reset-option and its TCA
Fig. 9 t-timer with early expiration and its TCA
There is a subtle difference between the roles of the
sink and source nodes on the one hand and that of the
mixed nodes on the other. If an edge contains at least
one sink or source node A then the transition must be
regarded as conditional: it can be taken if and only if the
environment that controls the data-flow at node A (the
component that uses A as an in- or output port) per-
forms the corresponding I/O-operation. On the other
hand, any transition with a node-set consisting of mixed
nodes only can be taken without any involvement by the
environment.
Example 4.1 (Expiring FIFO1 channel) Figure 11
shows how an expiring FIFO1 channel with delay can
be constructed out of a standard FIFO1 channel and a
timer set to expire after t time units.
A successful write to A fills up the buffer of the FIFO1 channel CD, and (re)sets the timer channel FG. Another write to A will suspend until the FIFO1 channel becomes
empty. While it is full, two things can happen: (1) the
timer may expire, and (2) a take can be performed on B.
If the timer expires, nodes G, H, and D can fire. GH acts
as a synchronous channel and DH accepts but loses the
data at D. So the value in the FIFO1 channel gets lost
in the drain DH. A take on B will replicate the value in
the FIFO1 channel at D and again at E. One copy goes
out through B to satisfy the take. The other two copies
get lost in the drain DH. Now that the FIFO1 chan-
nel is empty and the timer is still running, two things
can happen: (3) there is a new write on A, and (4) the
timer expires. If there is a new write on A, it succeeds
and resets the timer, and we are back to the first case
we considered. If the timer expires while the buffer is
empty, then its token is accepted and lost in the lossy
synchronous channel GH. The special case where the
take on B happens at exactly the same time when the
timer expires is non-deterministically resolved by the
merger behavior of the node H. It either accepts the
timer’s token from G, or the copy of the data item from
E. If it accepts the timer’s token first, then it is as if
the take has been performed after the expiration of the
timer. If it takes the data item first, it is as if the timer
expired after the take (which means the timer’s token
gets lost in the GH channel).
The TCA in Fig. 12 yields a formalization of the above explanation for the possible data flow in the Reo circuit of Fig. 11, after hiding all mixed nodes, i.e., all nodes except for A and B.
Example 4.2 (Lower and upper time bounds for I/O-
operations) Below we have a circuit that ensures the
lower bound “> t” for a take operation on B; it yields
a FIFO1 channel that guarantees every data item will
remain in its buffer at least t time units.
[figure: circuit with source node A, sink node B and a t-timer]
We may also control the frequency of data transfer in synchronous channels with time-constrained channels. In the following figure, on the left, data-flow from A to
The t-timer with early expiration in the circuit on the right ensures that as long as data items are available at A, they will be consumed at least once every t time units. Whenever a take operation is performed on C, the data item available at A is transferred through B to C via the synchronous and the lossy synchronous channels that connect these nodes. The transfer at A simultaneously produces an "expire" signal (through the P-producer connected to A, where P is the singleton data set {expire}) which prematurely fires the timer channel, enabling the synchronous drain to allow the data transfer at B. If no take operation occurs at C, the timer produces its timeout-signal after t time units, enabling the transfer of a data item from A to B, because the lossy synchronous channel at B always accepts (and in this case loses) this data item. (Because the two ends of the timer always have to synchronize in this circuit, the assumption that the timer is initially on is essential, since otherwise it can never be started.) ⊔
Fig. 10 Example construction of a Reo circuit
Fig. 11 Reo circuit for an expiring FIFO1 channel
Fig. 12 TCA for an expiring FIFO1 channel
Example 4.3 (Timed sequencer) The timed sequencer
in Fig. 2 can be realized by the Reo circuit shown in
Figure 13 (and hiding all nodes except for A and B).
Here, we use a t-timer with early expiration which is
assumed to be initially switched on. A can transfer a
value only if D simultaneously also takes a value from
the upper buffer. The expiring FIFO1 channel allows
this to happen only at some point in time t0 < t. If this
happens, an expire-signal is sent (via the P-producer
from D to G where P is the singleton data set {expire})
which forces the timeout-signal to become available at
H. Because the buffer of the left FIFO1 channel is full and it is connected at E through a synchronous drain and a lossy synchronous channel via J to H, the availability of the timeout-signal at H triggers the synchronous transfer of the contents of the left FIFO1 channel into the right FIFO1. The replication behavior of H also attempts to simultaneously write a copy of the timeout-signal into the top lossy synchronous channel connected to H. However, because at this point in time (i.e., t0), there is no
data available at C, the synchronous drain connected to
C prevents I from participating in the transfer of this
copy of the timeout-signal from H; therefore, the lossy
synchronous channel connecting H to I loses this data.
At this point, the same behavior symmetrically repeats
with B.
If A has no value to transfer within the first t time
units then D does not transfer the data element out the
buffer but the timeout signal becomes available at H
at time t. Simultaneously, the message in the buffer of
the upper expiring FIFO1 channel is lost. At this point
in time (i.e., t), there is no data available at C, and the
synchronous drain connected to C prevents I from par-
ticipating in the transfer of a copy of the timeout-signal
from H; the lossy synchronous channel connecting H to I loses this data. On the other hand, node E can take the
data element out of the buffer of the left FIFO1 chan-
nel. Also G is ready to start the timer again. Thus, H
synchronizes with the nodes J, E and G which yields a
configuration symmetric to the initial one with B instead
of A.
Fig. 14 shows the TCA (before hiding) where we skip the data constraints.4
4 In addition to the node-names used in the circuit, we use the names GE, GC, GD and GF to make clear which take-operation is performed on node G. Such auxiliary names will also be used in the compositional approach to model the merge semantics.
Fig. 13 Reo circuit for a timed sequencer
Remark 4.4 (Time-constraints for the I/O-operations) In the Reo circuit in Fig. 15, node B is a mixed node which is "always" ready to consume a message from the buffer of the expiring FIFO1 channel because the synchronous drain on its right is "always" ready to dispose of any value.
The TCA for this circuit has a TSD stream of the form ({A}, [A → d], 0), ({A}, [A → d], 4), ({A}, [A → d], 8), . . . where A continuously transfers data items into the buffer of the expiring FIFO1 channel, which in turn loses them all because the data transfer at B takes longer than the specified expiration bound of 3 time units (e.g., because the synchronous drain is too slow). In fact, the above circuit makes no assumptions about the possible delay of B's data transfer operation. Its TCA involves an enabled transition with a node-set consisting of a mixed node with an unbounded delay.
One possibility to avoid such scenarios is to assign deadlines to edges e = (s, N, dc, cc, C, s̄) where N consists of mixed nodes. For instance, assigning a deadline of 2 to the {B}-edge in the above example ensures that all values transferred by A are eventually taken out of the buffer by B. However, the timing behavior of the nodes (deadlines or lower time bounds for I/O-operations) can also be made explicit at the syntax level of Reo circuits, using an appropriate combination of Reo's timed channels. For instance, the deadline of 2 in the
Fig. 14 TCA for the timed sequencer
Fig. 15 When does B perform a take-operation?
4.3 Join and hide on TCA
The examples provided in the previous subsection
served to illustrate the Reo framework for composing
component connectors out of channel instances via join
and hide. We now provide composition operators on
TCA that capture the meaning of Reo’s join and hide
operators and that can serve to construct the TCA for a
Reo circuit in a compositional way.
Join (replicator semantics). We start with the join oper-
ator on TCA which captures the replicator semantics of
source (or mixed) nodes. It can serve as the semantic
operator for the join of two nodes where at least one of
them is a source node. We assume that we are given the
TCA T1 and T2 for two fragments R1 and R2 of a Reo
circuit and that we want to perform the join operations
for the nodes Bi (in T1) and B̃i (in T2), i = 1, . . . , n, where at least one of the nodes Bi or B̃i is a source node (i.e., has no coincident sink channel end). We first rename B̃i into Bi and then apply the following join operator to T1 and T2.
Definition 4.5 (Join for TCA) Given two TCA Ti = (Si, Ci, 𝒩i, Ei, S0,i, ici), i = 1, 2, with disjoint clock sets, i.e., C1 ∩ C2 = ∅, the product T1 ⋈ T2 is defined as a TCA with the location space S = S1 × S2, the set S0 = S0,1 × S0,2 of initial locations, the node-set 𝒩 = 𝒩1 ∪ 𝒩2, and the clock set C = C1 ∪ C2. The location invariance is given by ic(〈s1, s2〉) = ic1(s1) ∧ ic2(s2). The edge relation E is obtained through the following rules. The first rule concerns the "synchronization case" where two edges with common nodes are combined as well as the case where two edges with non-empty "local" node-sets are taken simultaneously:

  (s1, N1, dc1, cc1, C1, s̄1) ∈ E1,  (s2, N2, dc2, cc2, C2, s̄2) ∈ E2,
  N1 ∩ 𝒩2 = N2 ∩ 𝒩1,  N1 ≠ ∅,  N2 ≠ ∅,  dc1 ∧ dc2 ≢ false
  ─────────────────────────────────────────────────────────────
  (〈s1, s2〉, N1 ∪ N2, dc1 ∧ dc2, cc1 ∧ cc2, C1 ∪ C2, 〈s̄1, s̄2〉) ∈ E.

The second rule applies to edges all of whose involved nodes are local to only one of the automata:

  (s1, N1, dc1, cc1, C1, s̄1) ∈ E1,  N1 ∩ 𝒩2 = ∅,  s2 ∈ S2
  ──────────────────────────────────────────────────────
  (〈s1, s2〉, N1, dc1, cc1, C1, 〈s̄1, s2〉) ∈ E

and its symmetric rule. In particular, the latter rule applies to transitions with empty node-sets. ⊔
A correctness result for the join operator is presented
in Lemma 4.9 and Corollary 4.10.
Join (merge semantics). To mimic the merge semantics
of sink (or mixed) nodes we use the same technique as
in [7,9]. To join two nodes A and B where each of them
contains at least one sink end we (1) choose a new node-name, say C, and (2) return TMerger(A,B,C) ⋈ TA ⋈ TB where TA and TB are the TCA that model the sub-circuits containing A and B, respectively, and the TCA TMerger(A,B,C) is shown in Fig. 16.
Hide. Hiding a node-set M in a TCA removes all M-
nodes from its edges. However, given an edge with a
node-set consisting of M-nodes only, we must ensure
that this edge can be taken only after some positive
delay. We model this by using an additional clock.
Fig. 16 A merger and its TCA TMerger(A,B,C)
Fig. 17 TCA for the circuit in Figure 10 before and after hiding
Definition 4.6 (Hide for TCA) Given a TCA T = (S, C, 𝒩, E, S0, ic), a new clock y ∉ C, and M ⊆ 𝒩, we define ∃M[T] = (S, C ∪ {y}, 𝒩 \ M, E′, S0, ic) where E′ is obtained by the rules:

  (s, N, dc, cc, C, s̄) ∈ E,  (N = ∅ ∨ N \ M ≠ ∅)
  ────────────────────────────────────────────────────────────
  (s, N \ M, ∨δ∈DA(M) dc[A/δA : A ∈ M], cc, C ∪ {y}, s̄) ∈ E′

  (s, N, dc, cc, C, s̄) ∈ E,  ∅ ≠ N ⊆ M
  ─────────────────────────────────────────
  (s, ∅, true, cc ∧ (y > 0), C ∪ {y}, s̄) ∈ E′.

Here, dc[A/δA : A ∈ M] is derived from dc by the syntactic replacement of the term dA with the value δA ∈ Data for all A ∈ M. (More precisely, we replace "dA ∈ P" with true or false, depending on whether or not δA belongs to P.) ⊔
Example 4.7 The TCA for the circuit in Fig. 10 can be obtained by joining the TCA for all of its involved channels together with TMerger(F1, F2, F). The resulting TCA before and after hiding are shown in Fig. 17 (for simplicity, we skip the data constraints and irrelevant resettings of y).
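To make Definitions 4.5 and 4.6 concrete, the following Python script (an added illustration, not code from the paper) implements the join and hide operators on a small TCA representation. Data constraints are predicates over a constructed two-element data domain, so that the side condition dc1 ∧ dc2 ≢ false of the first join rule and the disjunction over DA(M) in the first hide rule can be checked by enumeration; clock constraints and reset sets are carried along as sets of names, and location invariants as sets of constraints. The automata for a synchronous channel and a FIFO1 channel, the location and node names and the data values d0, d1 are assumptions made for the example. It joins a synchronous channel A → B with a FIFO1 channel B → C at node B (B is a source node of the FIFO1, so the replicator join applies) and then hides B, which should yield FIFO1 behaviour between A and C.

```python
from itertools import product

DATA = ('d0', 'd1')   # constructed finite data domain used for the satisfiability checks


def satisfiable(nodes, dc):
    """dc is satisfiable iff some assignment of DATA to `nodes` makes it true."""
    return any(dc(dict(zip(nodes, vals))) for vals in product(DATA, repeat=len(nodes)))


def join(T1, T2):
    """Join of two TCA with disjoint clock sets (Definition 4.5, replicator
    semantics).  A TCA is a dict with keys S, S0, N (nodes), C (clocks),
    ic (location -> invariant) and E; an edge is (s, N, dc, cc, resets, t)
    where dc is a predicate on a dict node -> datum and cc / resets are
    frozensets of clock-constraint / clock names."""
    assert not (T1['C'] & T2['C']), 'join requires disjoint clock sets'
    E = set()
    for (s1, N1, dc1, cc1, X1, t1) in T1['E']:
        for (s2, N2, dc2, cc2, X2, t2) in T2['E']:
            # first rule: edges with common nodes (or purely local, non-empty
            # node-sets) fire together if the joint data constraint is satisfiable
            if N1 and N2 and (N1 & T2['N']) == (N2 & T1['N']):
                dc = lambda a, f=dc1, g=dc2: f(a) and g(a)
                if satisfiable(sorted(N1 | N2), dc):
                    E.add(((s1, s2), N1 | N2, dc, cc1 | cc2, X1 | X2, (t1, t2)))
    # second rule and its symmetric counterpart: an edge whose nodes are all
    # local to one automaton (including an empty node-set) interleaves freely
    for (s1, N1, dc1, cc1, X1, t1) in T1['E']:
        if not (N1 & T2['N']):
            E.update(((s1, s2), N1, dc1, cc1, X1, (t1, s2)) for s2 in T2['S'])
    for (s2, N2, dc2, cc2, X2, t2) in T2['E']:
        if not (N2 & T1['N']):
            E.update(((s1, s2), N2, dc2, cc2, X2, (s1, t2)) for s1 in T1['S'])
    S = {(s1, s2) for s1 in T1['S'] for s2 in T2['S']}
    return {'S': S, 'S0': {(s1, s2) for s1 in T1['S0'] for s2 in T2['S0']},
            'N': T1['N'] | T2['N'], 'C': T1['C'] | T2['C'],
            'ic': {(s1, s2): T1['ic'][s1] | T2['ic'][s2] for (s1, s2) in S}, 'E': E}


def hide(T, M, y='y'):
    """Hide the node-set M (Definition 4.6) using a fresh clock y."""
    assert y not in T['C'], 'y must be a new clock'
    E = set()
    for (s, N, dc, cc, X, t) in T['E']:
        if not N or N - M:
            # drop the hidden nodes; their data is abstracted away by taking the
            # disjunction of dc over all values the hidden nodes could carry
            hidden = sorted(N & M)
            dc2 = lambda a, f=dc, h=hidden: any(
                f({**a, **dict(zip(h, v))}) for v in product(DATA, repeat=len(h)))
            E.add((s, N - M, dc2, cc, X | {y}, t))
        else:
            # an edge of hidden nodes only becomes internal and needs a positive delay
            E.add((s, frozenset(), lambda a: True, cc | {y + '>0'}, X | {y}, t))
    return {**T, 'N': T['N'] - M, 'C': T['C'] | {y}, 'E': E}


def sync_channel(A, B):
    """TCA of a synchronous channel from A to B: one location, one {A,B} edge."""
    edge = ('q', frozenset({A, B}), lambda a, A=A, B=B: a[A] == a[B],
            frozenset(), frozenset(), 'q')
    return {'S': {'q'}, 'S0': {'q'}, 'N': frozenset({A, B}), 'C': frozenset(),
            'ic': {'q': frozenset()}, 'E': {edge}}


def fifo1(A, B):
    """TCA of a FIFO1 channel from A to B (the untimed automaton on the left of Fig. 6)."""
    E = set()
    for d in DATA:
        E.add(('s', frozenset({A}), lambda a, A=A, d=d: a[A] == d,
               frozenset(), frozenset(), ('s', d)))       # A fills the buffer with d
        E.add((('s', d), frozenset({B}), lambda a, B=B, d=d: a[B] == d,
               frozenset(), frozenset(), 's'))            # B takes d out again
    S = {'s'} | {('s', d) for d in DATA}
    return {'S': S, 'S0': {'s'}, 'N': frozenset({A, B}), 'C': frozenset(),
            'ic': {s: frozenset() for s in S}, 'E': E}


def successors(T, s, assignment):
    """Targets of edges leaving s whose node-set is exactly the assigned nodes
    and whose data constraint the assignment satisfies (clocks ignored here)."""
    N = frozenset(assignment)
    return {t for (u, Nu, dc, _, _, t) in T['E'] if u == s and Nu == N and dc(assignment)}


# Constructed circuit: synchronous channel A -> B joined with FIFO1 B -> C at
# the mixed node B; hiding B leaves a FIFO1 between A and C.
PIPE = hide(join(sync_channel('A', 'B'), fifo1('B', 'C')), {'B'})

if __name__ == '__main__':
    for (s, N, _, cc, _, t) in sorted(PIPE['E'], key=repr):
        print(s, sorted(N), sorted(cc), '->', t)
```

The product has four edges before hiding: the {A, B} edges in which the synchronous channel and the FIFO1 write synchronize (first rule), and the {C} edges of the FIFO1, which are local to the second automaton (second rule); the sync edge cannot pair with a {C} edge because N1 ∩ 𝒩2 = {B} differs from N2 ∩ 𝒩1 = ∅. After hiding B, the {A} edge into the location holding d1 is enabled only for dA = d1, and the {C} edge out of it only for dC = d1, which is exactly the FIFO1 from A to C.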
We state the correctness of the join and hide operators
on TCA by means of their TSDS-languages (see Nota-
tion 2.8). For this, we define join and hide operators on
TSDS-languages and establish a compositionality result
in Lemma 4.9.
Notation 4.8 (Join and hide for TSD-streams and TSDS-languages) Let  be a TSD stream over N and B ∈ N. The projection |B ∈ (Data × R≥0)∞ of  on B denotes the sequence of pairs (d, t) ∈ Data × R≥0 that is obtained from  by (1) removing all triples (N, δ, t) where B ∉ N; and (2) replacing any remaining triples (N, δ, t) with the pair (δB, t).
• If M ⊆ N then hide(,M) denotes the unique TSD
stream ¯ ∈ TSDS(M) such that ¯|B = |B for all
B ∈ M.
• Given two TSD streams 1 ∈ TSDS(N1) and 2 ∈ TSDS(N2), their join is undefined if there is a node B ∈ N1 ∩ N2 such that 1|B ≠ 2|B. Otherwise we define their join 1 ⋈ 2 ∈ TSDS(N1 ∪ N2) as the unique TSD stream such that (1 ⋈ 2)|A = i|A if A ∈ Ni.
Given two TSDS-languages L1 ⊆ TSDS(N1) and L2 ⊆ TSDS(N2), their join L1 ⋈ L2 ⊆ TSDS(N1 ∪ N2) consists of all TSD streams that can be obtained by joining the TSD streams 1 ∈ L1 and 2 ∈ L2. If M ⊆ N and L ⊆ TSDS(N) then ∃M[L] = {hide(,M) :  ∈ L}. ⊔
The following lemma can be proved using similar
arguments as in the untimed case (see [9]):
Fig. 18 A Reo circuit with a time-lock
Lemma 4.9 Let T, T1 and T2 be TCA. Then,
(a) L(T1 ⋈ T2) = L(T1) ⋈ L(T2).
(b) L(∃M[T]) = ∃M[L(T)].
The join of TSDS-languages with the same node-set agrees with their intersection. Thus, we obtain:
Corollary 4.10 If T1 and T2 are TCA with the same node-set then L(T1 ⋈ T2) = L(T1) ∩ L(T2).
4.4 The problem of time-locks in Reo circuits
Of course, using arbitrary combinations of timed chan-
nels can lead to TCA with time-locks (see below for an
example). However, using (modifications of) standard
region- or zone-graph algorithms [2,16] we may check
the time-lock freedom of a given Reo circuit.
An example of a Reo circuit with a time-lock is shown in Fig. 18. Here, A starts the timer and simultaneously puts a data item into the buffer. On the one
hand, the synchronous drain forces B to take the data
item from the buffer simultaneously with the expiration
of the timer (which occurs exactly 4 time units after A’s
write operation). On the other hand, the data value writ-
ten byA in the buffer is lost exactly 3 time units afterA’s
write operation. Thus, the write operation at A causes a
time-lock.
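A small discrete-time check of the scenario just described, added here as an illustration (it is not the region/zone-graph procedure of [2,16] and not code from the paper). It assumes a TCA whose clock constraints use only integer constants and non-strict comparisons, so that integer clock valuations suffice to find a time-lock, and it hand-builds the product automaton of Fig. 18 as the text explains it: a buffer expiring 3 time units after A's write, a timer of 4 time units started by the same write, and a synchronous drain forcing B's take to coincide with the timeout. Because both clocks are reset together, one clock x stands in for both; the location names, the clock name and the node name T for the timeout are assumptions. Boundary nodes are treated as served by a cooperative environment, so a reported time-lock means that even with every I/O operation pending, time cannot pass and no edge can fire.

```python
from collections import deque


def tca_fig18(expire_after=3, timer=4):
    """Constructed single-clock product TCA for the circuit of Fig. 18 after
    hiding its mixed nodes (location, clock and node names are assumptions).
    A location is (buffer state, timer state); clock x is reset by A's write,
    which fills the expiring FIFO1 buffer and starts the t-timer at once."""
    inv = {  # location invariants: the buffer content expires at `expire_after`,
             # the timer has to emit its timeout at `timer`
        ('empty', 'off'): lambda x: True,
        ('full', 'on'):   lambda x: x <= min(expire_after, timer),
        ('empty', 'on'):  lambda x: x <= timer,
    }
    edges = [  # (source, node-set, guard, reset x?, target)
        (('empty', 'off'), frozenset({'A'}),      lambda x: True,              True,  ('full', 'on')),
        # synchronous drain: B's take must coincide with the timeout at T
        (('full', 'on'),   frozenset({'B', 'T'}), lambda x: x == timer,        False, ('empty', 'off')),
        # the expiring FIFO1 loses its content: an internal step without nodes
        (('full', 'on'),   frozenset(),           lambda x: x == expire_after, False, ('empty', 'on')),
        # from ('empty', 'on') the timeout has no take to synchronize with: no edge
    ]
    return {'s0': ('empty', 'off'), 'inv': inv, 'E': edges}


def find_time_lock(tca, max_const):
    """Breadth-first search over (location, integer clock value) states.
    Clock values above `max_const` are collapsed to max_const + 1, which is
    sound when every constraint is non-strict with integer constants.  Returns
    the first reachable state in which neither time can pass (the invariant
    would be violated one time unit later) nor any edge is enabled, assuming a
    cooperative environment on the boundary nodes; None if there is no such state."""
    cap = max_const + 1
    start = (tca['s0'], 0)
    seen, queue = {start}, deque([start])
    while queue:
        loc, x = queue.popleft()
        succ = []
        if tca['inv'][loc](min(x + 1, cap)):          # let one time unit elapse
            succ.append((loc, min(x + 1, cap)))
        for src, _, guard, reset, tgt in tca['E']:     # or take an enabled edge
            x2 = 0 if reset else x
            if src == loc and guard(x) and tca['inv'][tgt](x2):
                succ.append((tgt, x2))
        if not succ:
            return loc, x
        for st in succ:
            if st not in seen:
                seen.add(st)
                queue.append(st)
    return None


if __name__ == '__main__':
    print('Fig. 18 as described:', find_time_lock(tca_fig18(), 4))
    print('buffer outlives the timer:', find_time_lock(tca_fig18(expire_after=5, timer=4), 5))
```

For the circuit as described the search reports the state (('empty', 'on'), 4): the buffer content is lost at time 3, the timer then reaches its deadline at time 4 with no take left for the drain to synchronize with, and the invariant forbids further delay. Making the buffer expire only after the timer (5 versus 4 time units) removes the lock, because the {B, T} edge is then enabled at time 4 before the loss can occur; with both constants equal to 4 the loss remains a possible choice at time 4, so the lock is still reachable.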
5 Timed scheduled-data-stream logic
To specify the behavior of timed Reo circuits, one can
use a TCA T and require that the TSD-language gen-
erated by a given Reo circuit is contained in L(T ). In
this sense, T specifies the “legal” behavior of the circuit.
However, it is often easier to use a logical formalism
to express the desired properties rather than using an
automata model.
In this section, we introduce Timed scheduled-data-stream logic (TSDSL), a real-time variant of LTL that allows one to reason about the observable data-flow of a Reo circuit by means of the TSD streams generated by its underlying TCA. Instead of the modality © (next
step), TSDSL uses formulas of the type 〈α〉ϕ which con-
sist of a so-called timed scheduled-data expression α and
a formula ϕ. This type of formula is inspired by propo-
sitional dynamic logic [12] and extended temporal logic
[34]. The timed scheduled-data expressions are variants
of timed regular expressions [10] built from atoms of the
form 〈N,dc〉. The TSD expressions specify sets of finite
TSD streams. The intuitive meaning of 〈α〉ϕ is that every initial run has a finite prefix generating a word of the language of α such that ϕ holds for its corresponding suffix.
5.1 Syntax of TSDSL
In the sequel, we assume a fixed finite and non-empty
set N of nodes. The abstract syntax of TSDSL-formulas
where α is a timed scheduled-data expression (TSD
Here, N is a non-empty node-set, dc a satisfiable data constraint for N, and I ⊆ R≥0 ∪ {ω} a (possibly unbounded) time interval with its upper-bound in ℕ ∪ {ω}. The meanings of α1 ∨ α2 (union, choice), α1 ∧ α2 (intersection)5, α1;α2 (concatenation, sequential composition), and α∗ (Kleene closure, finitely many repetitions) are obvious. αI has the same meaning as α, except for the additional requirement that the total execution time falls in the time interval I.
Intuitively, 〈α〉ϕ holds for a TCA iff all its TSD
streams have a finite prefix that generates an α-stream
and ϕ holds for its remaining suffix. The dual operator
for 〈α〉ϕ is [[α]]ϕ = ¬〈α〉¬ϕ which holds for a TCA iff
for each of its TSD streams  and all prefixes of  that
generate an α-word, the formula ϕ holds for the cor-
responding suffix of . Other boolean connectives, like
disjunction ∨ or implication →, are derived in the usual
way.
Remark 5.1 We can also allow for ω-regular TSD expressions that result from adding an ω-operator. Although this increases expressiveness, we skip this option here. In contrast to the real-time extensions of LTL, as, e.g., in [3,5,15], TSDSL does not use time-constrained temporal modalities such as U≤t. These can be added to TSDSL, but in the examples (see below) it turned out that the time-constraints in the TSD expressions are sufficient to formulate the relevant properties of Reo circuits. ⊔
5 Standard regular expressions do not contain an intersection operator (although regular languages are closed under intersection). However, as pointed out in [10], in timed settings, the class of timed languages induced by timed regular expressions without an explicit intersection operator is not closed under intersection.
Simplified notation. We often skip the semicolon for the concatenation operator (i.e., αβ stands short for α;β). We simply write 〈N〉 for 〈N, true〉 and often omit brackets: e.g., 〈A,dc〉 is short-hand for 〈{A},dc〉 and 〈N〉ϕ for 〈〈N〉〉ϕ. We write 〈. . . A . . .〉 to denote the disjunction of the expressions 〈N〉 where N ranges over all subsets of N that contain the node A. The construct 〈¬A〉 stands for the disjunction of all expressions 〈N〉 where N ranges over all non-empty node-sets that do not contain A. The construct 〈·〉 denotes the disjunction of all atoms 〈N〉 where N is an arbitrary non-empty node-set. The short-hand 〈·〉ϕ stands for 〈〈·〉〉ϕ. We also often skip true and write 〈α〉 for 〈α〉true: e.g., the TCA for the normal FIFO1 channel (Fig. 6) satisfies the formula
[[(〈A〉〈B〉)*]]〈A〉 ∧ [[(〈A〉〈B〉)*〈A〉]]〈B〉
which states that the data-flows at nodes A and B alternate, starting with A.
Derived operators. The standard next step operator is derived as ©ϕ = 〈·〉ϕ. In particular, ©true asserts the occurrence of some observable data-flow, while ¬©true states that data-flow has stopped. The modalities eventually and always can be derived as usual by ♦ϕ = true U ϕ and □ϕ = ¬♦¬ϕ. For instance, the following TSDSL formula specifies the behavior of a normal





[[〈A,dA = d〉]]〈〈B,dB = d〉〉
)
∧(〈B〉 → ©〈A〉)







(〈〈B,dB=d〉<t〉 ∨ ¬〈〈·〉<t〉
)
)
which expresses the fact that within t time units after A's write-operation either B takes the element from the buffer or there is no observable data-flow. For the timed sequencer (Fig. 2 and Example 4.3) the following formula holds
[[A]](〈〈B〉≤t〉 ∨ ¬〈〈·〉≤t〉)
stating that whenever data-flow is observed at A, within the next t time units there is either data-flow at B or no observable data-flow at all.
The weak variant Ũ of until is obtained as ϕ1 Ũ ϕ2 = (ϕ1 U ϕ2) ∨ □ϕ1. For instance, the t-timer with reset-option (but without the off-option) fulfills the formula
[[A]](〈〈A,dA = reset〉<t〉 Ũ 〈〈B,dB = timeout〉〉).
5.2 Semantics of TSDSL
To provide the formal definition of the semantics of TSD expressions and TSDSL-formulas we need some additional notation for working with TSD streams.
Notation 5.2 (Time cuts, concatenation, Kleene closure) Let a TSD stream (N0, δ0, t̄0), (N1, δ1, t̄1), . . . be given as in Notation 2.7. For a point in time t ∈ R≥0, the time cut ↑ t denotes the suffix of the stream that ignores every data-flow occurring before t and formalizes the observable behavior in the time interval [t, ∞[. Formally:
• ↑ t = ε if the stream is finite, of length k + 1 < ω, and t̄k < t.
• ↑ t = (Nk, δk, t̄k), (Nk+1, δk+1, t̄k+1), . . . otherwise, where k is the smallest index such that t̄k ≥ t.
We use ↓ t to denote the TSD stream that describes the data-flow in the time interval [0, t[. That is, ↓ t = ε if the stream is ε or t̄0 ≥ t. Otherwise, ↓ t = (N0, δ0, t̄0), . . . , (Nk, δk, t̄k) where k is the largest index such that t̄k < t.
The concatenation of finite TSD streams is defined as follows. Concatenation with the empty stream ε is the identity on both sides. If the first stream is (N0, δ0, t̄0),










, (M0, σ0, t̄n + ρ̄0), . . . , (Mm, σm, t̄n + ρ̄m).
If L and L̃ are TSDS-languages with the same node-set N then L;L̃ is the set of all concatenations of a stream in L with a stream in L̃, and L* = ⋃n≥0 Lⁿ where L⁰ = {ε} and Lⁿ⁺¹ = Lⁿ;L. □
Semantics of TSD-expressions and TSDSL-formulas. We define L(α) ⊆ TSDS by structural induction. L(〈N,dc〉) is the set of all TSD streams of length 1 that have the form (N, δ, t) where δ ⊨ dc. We define L(α1 ∨ α2) = L(α1) ∪ L(α2), L(α1 ∧ α2) = L(α1) ∩ L(α2), L(α1;α2) = L(α1);L(α2), and L(α*) = L(α)*. The semantics of time-constrained expressions is formalized as follows: L(αI) is the set of those streams in L(α) whose execution time lies in I. Recall that τ denotes the execution time of a stream (see Notation 2.7). The satisfaction relation ⊨ for TSDSL-formulas and TSD-streams is defined by structural induction as shown in Fig. 19. For the derived [[. . .]]-operator,
we obtain that a TSD stream satisfies [[α]]ϕ iff for all t ≥ 0: if its prefix ↓ t lies in L(α) then its suffix ↑ t satisfies ϕ.
Fig. 19 Satisfaction relation for TSDSL-formulas
With any TSDSL-formula ϕ, we associate the TSDS-language L(ϕ) consisting of all streams in TSDS(N) that satisfy ϕ.
Logical equivalence ≡ of TSDSL-formulas is defined as usual by ϕ1 ≡ ϕ2 iff L(ϕ1) = L(ϕ2). If T is a TCA and q a state in AT then q ⊨ ϕ iff L(T, q) ⊆ L(ϕ). Moreover, we define T ⊨ ϕ iff L(T) ⊆ L(ϕ).
Remark 5.3 TSDSL as a logic on TSD streams has the power to "separate" any two TSD streams whose time-abstract data flows (formalized by the induced sequences of node-set/data-assignment pairs) are different. To see this, we may simply take a prefix (N1, δ1, t̄1), . . . , (Nk, δk, t̄k) of one of the two streams, say the first, such that the second has no prefix of the form (N1, δ1, t̄1′), . . . , (Nk, δk, t̄k′). Then the first stream satisfies 〈〈N1, δ1〉; . . . ; 〈Nk, δk〉〉, while the second does not. Here, the data assignments δi are viewed as data constraints. If, however, the time-abstract data flows of the two streams agree then it is possible that no TSDSL-formula can distinguish between them. The reason for this is that we allow for natural (lower/upper) time bounds in TSDSL-expressions only. For instance, the TSD streams
({A}, dA = d, 0.5), ({A}, dA = d, 1.5), ({A}, dA = d, 2.5), ({A}, dA = d, 3.5), . . .
and
({A}, dA = d, 0.6), ({A}, dA = d, 1.6), ({A}, dA = d, 2.6), ({A}, dA = d, 3.6), . . .
fulfill the same TSDSL-formulas.
5.3 Example: the alternating bit protocol
The properties of the ABP (see Example 2.4 and Fig. 4)




[[〈I,dI = d〉]]〈(〈¬I〉*〈O,dO = d〉)≤t〉
for some time bound t. The formula ϕABP(t) states that whenever the sender receives a message d at port I, within the next t time units the receiver will output d at port O, during which time the sender does not accept a new input message through port I (see footnote 6).
Arbitrary choice of the time-parameters. For an arbitrary choice of the time-parameters tS, tR, ρS and ρR we cannot expect that TABP ⊨ ϕABP(t). For instance, if ρS ≥ ρR = 5 and tR = tS = 2 then the following behavior is possible. The starting state is q0 = 〈in(0), wait(0), x = 0, y = 0〉. Let us assume that the first input at I arrives at time instant 3. The invariance condition "y ≤ tR = 2" of the receiver-location wait(0) forces the receiver to move to location ack(1) at time instant 2. Thus, we enter state
q1 = 〈in(0), ack(1), x = 2, y = 0〉.
After one time unit (i.e., at time instant 3), the sender takes the input value d from port I which leads to state q2 = 〈try(d, 0), ack(1), x = 3, y = 1〉. After another time unit (at time instant 4), the sender tries to send (d, 0) through port A and moves to location wait(d, 0). This yields state
q3 = 〈wait(d, 0), ack(1), x = 0, y = 2〉.
At time instant 5, the receiver sends the control bit b = 1 which the sender ignores. Thus, we enter the global state
q4 = 〈wait(d, 0), wait(0), x = 1, y = 0〉.
Staying in these locations for another time unit leads to the state 〈wait(d, 0), wait(0), x = 2, y = 1〉 where the invariance condition "x ≤ tS = 2" of the sender-location wait(d, 0) forces the sender to move to location try(d, 0). We are now in state
q5 = 〈try(d, 0), wait(0), x = 0, y = 1〉.
One time unit later, clock y has the value 2 and forces the receiver to leave location wait(0). We enter the global state q6 = 〈try(d, 0), ack(1), x = 1, y = 0〉. After waiting for 1 time unit, the sender resends the pair (d, 0) which leads to the global state
q7 = 〈wait(d, 0), ack(1), x = 0, y = 1〉.
One time unit later, the receiver resends the control bit 1 which the sender ignores again. We now reenter state q4 and may continue in the same way, without ever producing an output at port O. Hence, for this choice of the time-parameters we obtain
TABP ⊭ □(〈I〉 → ♦〈O〉).
In particular, there is no t such that ϕABP(t) holds for TABP.

6 As input on I can occur simultaneously with the receiver resending its acknowledgment of the previous message via port D, the atom 〈I,dI = d〉 can be replaced with the expression 〈I,dI = d〉 ∨ 〈{I,D},dI = d〉.

Fig. 20 TCA for the ABP for ρR < min{ρS, tS} and ρS < tR
Special choices of the time-parameters. Assuming ρR < ρS < tR and ρR < tS then no message sent via the lossy channel connecting A and C will be lost. In fact, it can only happen that the receiver acknowledges the receipt of the last message more than once (because no upper time bound is assumed for the arrival of messages at input port I). The reachable fragment of the TCA is shown in Fig. 20. We obtain
TABP ⊨ ϕABP(ρS + ρR),
stating that the delay for the output at O is bounded above by the maximal sojourn time of the sender in location wait(d,b) plus the maximal delay ρR for the receiver to send the acknowledgment after it receives a message through port C. (This is the best bound we can expect.) The fact that messages along the AC channel are never lost can be formalized by the TSDSL formula
¬♦〈A〉
which states that it is not possible to observe a data-flow at node A only (i.e., not together with C).
When ρR < tS < tR and ρS < tR − tS, messages sent from A to C may get lost. However, when A resends the message the receiver accepts the message through port C. In this case, we have
TABP ⊨ ϕABP(ρS + ρR + tS),
stating that the delay for the output at port O is at most the maximal delay for the sender and receiver to send their messages along the lossy channels connecting them plus the deadline tS which the sender uses for resending message-bit pairs. The reachable part of the TCA under these assumptions is shown in Fig. 21. The property that a message sent along the AC channel can be lost only once can be formalized by the TSDSL formula
¬♦〈〈A〉〈¬I〉*〈A〉〉.

Fig. 21 TCA for the ABP for ρR < tS < tR and ρS < tR − tS
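The formulas used in Sects. 5.1 to 5.3 can be checked mechanically on finite traces. The Python evaluator below is an added example and not code from the paper: it implements L(α) for TSD expressions (atoms given by a node-set predicate and a data-constraint predicate, union, intersection, concatenation, Kleene closure, and time bounds with the interval I represented as a predicate on the execution time) together with the satisfaction relation for 〈α〉ϕ, until and the derived operators, and then checks the FIFO1 alternation formula, the timed-sequencer formula, the displayed [[〈I,dI = d〉]]〈(〈¬I〉*〈O,dO = d〉)≤t〉 part of ϕABP(t) under □ for one fixed message, and the "lost at most once" formula on constructed traces. Two simplifications are the example's own assumptions, not the paper's semantics: streams are finite, and time cuts are taken at event indices, with the suffix re-based to the time stamp of the last prefix event, so that a time bound inside a suffix formula measures time from the end of the prefix. All function, trace and message names are the example's own.

```python
# Finite-trace evaluator for TSD expressions and TSDSL formulas (added example,
# not the paper's code).  A TSD stream is a list of events (node_set, data, time)
# with strictly increasing time stamps.  Cuts are taken at event indices: the
# suffix after the k-th event is re-based to that event's time stamp.

def atom(node_pred, dc=lambda data: True):
    """<N,dc>: node_pred tests the observed node-set, dc the data assignment."""
    return ("atom", node_pred, dc)

def nodes(*ns):                                   # <N> for one concrete node-set N
    want = frozenset(ns)
    return lambda N: N == want

ANY = lambda N: True                              # <.>: any non-empty node-set
def without(a): return lambda N: a not in N       # <not A>
def union(a, b): return ("or", a, b)
def inter(a, b): return ("and", a, b)
def concat(*xs): return ("seq",) + xs
def star(a): return ("star", a)
def timed(a, in_interval): return ("time", a, in_interval)   # alpha_I, I as a predicate

def tau(s, i, j):
    """Execution time of the piece s[i:j], measured from the event before it."""
    return 0.0 if j == i else s[j - 1][2] - (s[i - 1][2] if i > 0 else 0.0)

def ends(alpha, s, i):
    """All j >= i such that the piece s[i:j] lies in L(alpha)."""
    kind = alpha[0]
    if kind == "atom":
        ok = i < len(s) and alpha[1](s[i][0]) and alpha[2](s[i][1])
        return {i + 1} if ok else set()
    if kind == "or": return ends(alpha[1], s, i) | ends(alpha[2], s, i)
    if kind == "and": return ends(alpha[1], s, i) & ends(alpha[2], s, i)
    if kind == "seq":
        cur = {i}
        for part in alpha[1:]:
            cur = {k for j in cur for k in ends(part, s, j)}
        return cur
    if kind == "star":                            # finitely many repetitions
        reach = frontier = {i}
        while frontier:
            frontier = {k for j in frontier for k in ends(alpha[1], s, j)} - reach
            reach = reach | frontier
        return reach
    if kind == "time":
        return {j for j in ends(alpha[1], s, i) if alpha[2](tau(s, i, j))}
    raise ValueError(kind)

TRUE = ("true",)
def fnot(f): return ("not", f)
def fand(f, g): return ("fand", f, g)
def either(f, g): return fnot(fand(fnot(f), fnot(g)))
def diamond(alpha, f=TRUE): return ("diamond", alpha, f)     # <alpha> f
def box(alpha, f): return fnot(diamond(alpha, fnot(f)))      # [[alpha]] f
def until(f, g): return ("until", f, g)
def eventually(f): return until(TRUE, f)
def always(f): return fnot(eventually(fnot(f)))

def suffix(s, k):
    """The stream after its k-th event, re-based to that event's time stamp."""
    base = s[k - 1][2] if k > 0 else 0.0
    return [(N, d, t - base) for N, d, t in s[k:]]

def holds(f, s):
    kind = f[0]
    if kind == "true": return True
    if kind == "not": return not holds(f[1], s)
    if kind == "fand": return holds(f[1], s) and holds(f[2], s)
    if kind == "diamond":                         # some alpha-prefix, then f on the rest
        return any(holds(f[2], suffix(s, k)) for k in ends(f[1], s, 0))
    if kind == "until":
        return any(holds(f[2], suffix(s, k))
                   and all(holds(f[1], suffix(s, j)) for j in range(k))
                   for k in range(len(s) + 1))
    raise ValueError(kind)

A, B = atom(nodes("A")), atom(nodes("B"))

def fifo1_alternates(trace):
    """[[(<A><B>)*<A>]]<B>: every write at A is directly followed by a read at B."""
    return holds(box(concat(star(concat(A, B)), A), diamond(B)), trace)

def sequencer_ok(trace, t):
    """[[A]](<<B>_{<=t}> or not <<.>_{<=t}>): after A, within t units B or silence."""
    within = lambda x: x <= t
    return holds(box(A, either(diamond(timed(B, within)),
                               fnot(diamond(timed(atom(ANY), within))))), trace)

def abp_delivers_within(trace, msg, t):
    """always [[<I,d_I=msg>]] <(<not I>* <O,d_O=msg>)_{<=t}> for one fixed message."""
    inp = atom(nodes("I"), lambda d: d.get("I") == msg)
    out = atom(nodes("O"), lambda d: d.get("O") == msg)
    deliver = timed(concat(star(atom(without("I"))), out), lambda x: x <= t)
    return holds(always(box(inp, diamond(deliver))), trace)

def lost_at_most_once(trace):
    """not eventually <<A><not I>*<A>>: flow at A alone (a lost send) never twice per input."""
    return not holds(eventually(diamond(concat(A, star(atom(without("I"))), A))), trace)

# Constructed ABP trace (not from the paper): the first send is lost (flow at A
# only), the resend succeeds (flow at A and C together), then O outputs m1.
ABP_RUN = [({"I"}, {"I": "m1"}, 1.0), ({"A"}, {}, 1.5),
           ({"A", "C"}, {}, 3.5), ({"O"}, {"O": "m1"}, 3.6)]
```

On ABP_RUN the delivery bound holds for t = 3 (output 2.6 time units after the input) and fails for t = 2, and a trace with two flows at A alone between two inputs violates lost_at_most_once, which mirrors the distinction between Figs. 20 and 21. Because the evaluator enumerates cut indices, it is exponential in the worst case and is meant as an oracle for small traces, not as a substitute for the automata-based model checking of Sect. 5.4.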
5.4 TSDSL model checking
The TSDSL model checking problem addresses the question of whether T ⊨ ϕ for a given TCA T and TSDSL formula ϕ. We briefly sketch the main ideas of a TSDSL model checking algorithm that relies on a combination of (slight variants of) standard automata-based model checking algorithms for LTL [14,33,35] and timed regular expressions [10].

Fig. 22 TCA Tγ;β
The rough idea is to provide an algorithm that disproves the satisfaction of ϕ for T and "searches" for a witness for L(T) ⊈ L(ϕ), i.e., a TSD stream in L(T) where ϕ does not hold. The first step is to switch from ϕ to ¬ϕ which is then turned into a TCA with Büchi acceptance. Formally, a Büchi TCA denotes a pair F = (T, Sacc) consisting of a TCA T = (S, Q, N, E, S0, ic) and a set Sacc ⊆ S of accepting locations. A q-run in T is called accepting iff it is either finite and ends in an accepting location or visits an accepting location infinitely often. L(F) denotes the set of TSD streams that can be generated by an accepting maximal run. (Note that for any TCA T we have L(T) = L(FT) where FT is the Büchi TCA that results from T by declaring all locations to be accepting.)
For the given formula ¬ϕ, we may apply roughly the same techniques as suggested in [33,34] for extended temporal logic, to construct a Büchi TCA F with L(F) = L(¬ϕ). (The main steps for the construction of F are sketched below.) Then, we have:
T ⊨ ϕ iff L(T ⋈ F) = L(T) ∩ L(F) = L(T) ∩ L(¬ϕ) = ∅.
Assuming disjoint clock sets of T and F (otherwise the clocks in F can be renamed to avoid name clashes), the join-operator T ⋈ F yields a Büchi TCA which is obtained through the standard join operator (Definition 4.5) where the accepting locations 〈s, s′〉 in T ⋈ F are those such that location s is an arbitrary location in T and location s′ is an accepting location in F. Finally, we may apply the standard region graph algorithms [2] to check for the emptiness of T ⋈ F. Note that for the emptiness check the Büchi TCA T ⋈ F can be regarded as a standard timed automaton à la Alur and Dill. We just need to remove all edges with an unsatisfiable data constraint, and then ignore the node-set/data-constraint labels of the remaining edges.
What remains is to explain how to obtain a Büchi TCA for TSDSL-formulas. We sketch here only the main ideas of this rather complex construction, which essentially uses techniques known from the literature, and put the emphasis on the modifications that are necessary for our purposes. The first step in the construction of F is to generate a (normal) TCA Tα for every TSD-expression α that appears in a subformula of ¬ϕ of the form 〈α〉ψ. These automata Tα will serve as the basic building blocks for the construction of F.
TCA for TSD-expressions. The TCA Tα can be constructed in a compositional way. The TCA Tα has a unique initial location, called start(α), and a location stop(α) such that L(α) is the set of all TSD streams that are induced by a finite run in Tα starting in start(α) and ending in stop(α).
The construction of the TCA Tα is by structural induction, essentially as described in [10]. For the atoms 〈N,dc〉 we use a TCA with two locations start(α) and stop(α) that are connected via the edge (start(α), N, dc, true, ∅, stop(α)). The invariance condition of both locations is true. If α is γ;β then we use the construction shown in Fig. 22. Here and in the sequel, edges with no label in the figures are assumed to be labelled with N = ∅, dc = true, cc = true and C = ∅.
A similar construction can be used for the choice operator α = γ ∨ β where we use edges from start(α) to start(γ) and start(β) and from stop(γ) and stop(β) to stop(α). See Fig. 23.
Fig. 23 TCA Tγ∨β
For the Kleene closure α = γ*, we may use the similar construction shown in Fig. 24.
Fig. 24 TCA Tγ*
The above TCA Tα do not use any clock. In fact, proper timing constraints are needed only for TSD-expressions with (non-trivial) time bounds. For α = γI we introduce one new clock x which is not used in Tγ and use the construction for Tα as illustrated in Fig. 25. The invariance condition "x ∈ I" ensures that the location stop(α) can be entered only by runs where the execution time lies within the time interval I. Here, the edges from stop(γ) to stop(α) are labelled with the empty node-set and data and clock constraints true.
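The compositional construction of Tα just described can be carried out by a small program. The Python code below is an added example, not the paper's implementation: it builds Tα location by location following Figs. 22 to 25 (unlabelled edges carry the empty node-set; for γI a fresh clock is reset on the edge entering the sub-automaton and the invariance condition "x ∈ I" is attached to stop(α)), and then decides membership of a finite TSD stream in L(α) by simulating all runs at once, taking the closure under unlabelled edges immediately after each event so that no time passes on them, and checking location invariants both on entry and after each delay. Intersection is left out because it needs a product construction. The expression constructors, the choice of a fixed message name in the ABP delivery expression, and the trace data are the example's own.

```python
# Compositional construction of the TCA T_alpha for a TSD expression, following
# Figs. 22-25, plus an acceptance check on finite TSD streams (added example, not
# the paper's code).  Expressions are tuples ("atom", node_pred, dc), ("or", a, b),
# ("seq", a, ...), ("star", a) and ("time", a, in_interval); intersection is left
# out because it needs a product construction.

class TCABuilder:
    """Locations are ints; an edge is (src, node_pred, dc, guard, resets, dst).
    Unlabelled edges (empty node-set, dc = cc = true, C = {}) have node_pred None."""

    def __init__(self):
        self.n_loc, self.n_clk, self.edges, self.inv = 0, 0, [], {}

    def loc(self, inv=lambda v: True):
        self.n_loc += 1
        self.inv[self.n_loc] = inv                # invariance condition, default true
        return self.n_loc

    def eps(self, src, dst, resets=()):
        self.edges.append((src, None, None, lambda v: True, frozenset(resets), dst))

    def build(self, alpha):
        """Returns (start(alpha), stop(alpha)) after adding locations and edges."""
        kind = alpha[0]
        if kind == "atom":                        # start --N,dc,true,{}--> stop
            s, e = self.loc(), self.loc()
            self.edges.append((s, alpha[1], alpha[2], lambda v: True, frozenset(), e))
        elif kind == "seq":                       # Fig. 22: chain the parts
            s, e = self.build(alpha[1])
            for part in alpha[2:]:
                s2, e2 = self.build(part)
                self.eps(e, s2)
                e = e2
        elif kind == "or":                        # Fig. 23
            s, e = self.loc(), self.loc()
            for part in alpha[1:]:
                s2, e2 = self.build(part)
                self.eps(s, s2)
                self.eps(e2, e)
        elif kind == "star":                      # Fig. 24
            s, e = self.loc(), self.loc()
            s2, e2 = self.build(alpha[1])
            self.eps(s, e); self.eps(s, s2); self.eps(e2, s2); self.eps(e2, e)
        elif kind == "time":                      # Fig. 25: fresh clock x, "x in I" on stop
            x, in_I = self.n_clk, alpha[2]
            self.n_clk += 1
            s2, e2 = self.build(alpha[1])
            s, e = self.loc(), self.loc(lambda v: in_I(v[x]))
            self.eps(s, s2, resets=[x])           # x := 0 on entering the sub-automaton
            self.eps(e2, e)
        else:
            raise ValueError(kind)
        return s, e

def accepts(b, start, stop, stream):
    """Does some run of the TCA from start to stop generate the finite stream?"""
    n = b.n_clk

    def after(v, resets):                         # apply a reset set to a clock valuation
        return tuple(0.0 if i in resets else v[i] for i in range(n))

    def closure(confs):                           # unlabelled edges, no time passes
        seen, todo = set(), list(confs)
        while todo:
            loc, v = todo.pop()
            if (loc, v) in seen or not b.inv[loc](v):
                continue
            seen.add((loc, v))
            todo += [(dst, after(v, rs)) for src, np, _, _, rs, dst in b.edges
                     if src == loc and np is None]
        return seen

    confs, now = closure({(start, (0.0,) * n)}), 0.0
    for N, data, t in stream:
        aged = [(loc, tuple(c + t - now for c in v)) for loc, v in confs]
        now = t
        confs = closure({(dst, after(v, rs))
                         for loc, v in aged if b.inv[loc](v)     # invariant survives delay
                         for src, np, dc, guard, rs, dst in b.edges
                         if src == loc and np is not None
                         and np(N) and dc(data) and guard(v)})
    return any(loc == stop for loc, _ in confs)

def nodes(*ns):
    want = frozenset(ns)
    return lambda N: N == want
def atom(node_pred, dc=lambda d: True): return ("atom", node_pred, dc)
def concat(*xs): return ("seq",) + xs
def star(a): return ("star", a)
def timed(a, in_interval): return ("time", a, in_interval)

def member(alpha, stream):
    b = TCABuilder()
    s, e = b.build(alpha)
    return accepts(b, s, e, stream)

# Expressions: (<A><B>)*, <A>;<B>_{<=1}, and the ABP delivery expression
# (<not I>*<O,d_O=m1>)_{<=3} for a fixed message name (example's own choice).
AB_STAR = star(concat(atom(nodes("A")), atom(nodes("B"))))
A_THEN_B_WITHIN_1 = concat(atom(nodes("A")), timed(atom(nodes("B")), lambda x: x <= 1))
ABP_DELIVER = timed(concat(star(atom(lambda N: "I" not in N)),
                           atom(nodes("O"), lambda d: d.get("O") == "m1")), lambda x: x <= 3)
```

The clock reset on the entry edge of TγI is taken during the closure that follows the preceding event, so x measures the execution time of the γ-piece exactly as τ does for the concatenation semantics; a configuration sitting in stop(α) dies as soon as a delay violates "x ∈ I", but the configurations that already left stop(α) through unlabelled edges survive, which is why the closure must be computed before time is allowed to pass.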
Büchi TCA for TSDSL-formulas. We now return to the problem of generating a Büchi TCA for a given TSDSL-formula ϕ. As mentioned above, we may apply adaptations of standard automata-based techniques for extended LTL model checking [33]. We first transform the original TSDSL-formula ϕ into an equivalent formula of an extended TSDS-logic. This logic is in the style of extended temporal logic ETLf à la Vardi and Wolper. Formulas of extended TSDS-logic are built by boolean combinators (¬ and ∧) and automata-formulas. The latter can be viewed as a generalization of the until-operator and formulas 〈α〉ψ. The automata-formulas have the form T(ψ1, . . . , ψn) where ψ1, . . . , ψn are formulas of the extended TSDS-logic and T is a slight variant of a TCA: the edges in T are either TCA-edges (i.e., labelled with a node-set, a data constraint, a clock constraint and a set of clocks) or edges with a label in {ψ1, . . . , ψn}. The other components (starting location, invariance conditions) are as in normal TCA. Moreover, T has a distinguished accepting state. For the purpose of TSDSL-model checking, it suffices to deal with automata-formulas of the form Tα(ψ) (as substitute for 〈α〉ψ) and A(ψ1, ψ2) (as substitute for ψ1Uψ2):
• Tα(ψ) arises from Tα by adding a ψ-labelled edge from stop(α) to a new accepting state.
• A(ψ1, ψ2) consists of an initial state q0 with a ψ1-labelled self-loop and an accepting state q1 which is reached from q0 via a ψ2-labelled edge.
Fig. 25 TCA TγI
The syntax of extended TSDS-logic agrees with the syntax of ETLf, except that we deal with TCA-like automata rather than nondeterministic finite automata. Roughly the same construction of Büchi automata for given ETLf-formulas that has been suggested by Vardi and Wolper [33] can be applied in our setting, to obtain a Büchi TCA F for the given TSDSL-formula, viewed as a formula of extended TSDS-logic. The automaton F is obtained by combining a so-called local automaton FL with an eventually automaton FE. In the Vardi–Wolper construction, both automata FL and FE arise through a certain combination of the edges in the automata for the automata-subformulas. The same technique is applicable in our setting and allows us to "lift" the time-guards and invariance conditions in the TCA of automata-subformulas to obtain corresponding time-guards and invariance conditions in the constructed Büchi TCA.
Complexity of TSDSL model checking. The major steps of the above sketched TSDSL model checking algorithm are (1) the construction of the Büchi TCA F for the negation of the given formula ϕ, and (2) checking emptiness for T ⋈ F. While the TCA Tα for the sub-expressions of ϕ are linear in the length of α, the number of states in the resulting Büchi TCA F is exponential in the length of ϕ. The exponential blow-up arises in the construction of the local automaton FL whose locations are sets of subformulas of ϕ (respectively, the corresponding formula of extended TSDS-logic). Thus, the number of locations in T ⋈ F is O(exp(|ϕ|) · |T|). The cost for the analysis of the region graph of T ⋈ F for the emptiness check is dominated by the number of regions. These grow exponentially in the number of clocks (in T and F) and linearly in the number of locations in the product. Thus, the running time of the sketched model checking algorithm is linear in the number of locations of T, and exponential in (a) the length of the formula ϕ, (b) the number of clocks in T, and (c) the number of time-bounded subexpressions αI of ϕ.
Remark 5.4 (TSDSL versus refinement relations) Let T1 and T2 be two TCA with the same node-set N. Clearly, if L(T1) ⊆ L(T2) then, for any TSDSL-formula ϕ, T2 ⊨ ϕ implies T1 ⊨ ϕ. Thus, if L(T1) = L(T2) then T1 and T2 satisfy exactly the same TSDSL-formulas. A sufficient decidable criterion for checking (TSDSL- or) language-equivalence of two TCA is to switch to a finer equivalence corresponding to timed bisimulation for ordinary timed automata [11]. In our setting, a timed bisimulation for a TCA T is the coarsest equivalence ∼ on the state space Q of the induced state-transition graph AT such that for all q1, q2 ∈ Q with q1 ∼ q2 and all N ⊆ N, δ ∈ DA(N), t ∈ R≥0:
for every transition q1 —(N,δ,t)→ p1 there exists p2 ∈ Q such that q2 —(N,δ,t)→ p2 and p1 ∼ p2.
The simulation relation is defined as the coarsest binary relation on the state space Q of AT such that for all q1, q2 ∈ Q with q1 simulated by q2 and all N ⊆ N, δ ∈ DA(N), t ∈ R≥0:
for every transition q1 —(N,δ,t)→ p1 there exists p2 ∈ Q such that q2 —(N,δ,t)→ p2 and p1 is simulated by p2.
The simulation relation is finer than language inclusion, and thus preserves all TSDSL formulas in the sense that if q1 is simulated by q2 and q2 ⊨ ϕ then q1 ⊨ ϕ. The question of whether one state of a TCA simulates another one can be answered




In this paper, we introduced a formal model to reason about timing constraints for Reo component connectors. We presented composition operators for join and hide that can serve as a basis for the automated construction of an automaton-model from a given (timed) Reo circuit, and as a starting point for its formal verification. Particularly, (slightly modified versions of) well-known algorithms for checking time-lock freedom in ordinary timed automata can serve for checking the realizability of the coordination mechanisms of a Reo circuit with timing constraints. Moreover, we suggested a linear-time temporal logic for reasoning about the real-time behavior of component connectors based on their timed scheduled-data streams. Finally, we sketched how the standard model checking algorithms for timed automata can be adapted for our setting.
Our future work includes an implementation of the presented model checking algorithms and case studies. Moreover, we intend to study an alternating-time logic in the style of [4] that allows one to reason about the possibility for certain components to cooperate such that a given (real-time) property holds.
References
1. de Alfaro, L., Henzinger, T.A., Stoelinga, M.: Timed interfaces. In: Proceedings of the second international workshop on embedded software (EMSOFT), vol. 2491 of Lecture Notes in Computer Science, pp. 108–122 (2002)
2. Alur, R., Dill, D.L.: A theory of timed automata. Theor Comput Sci 126(2):183–235 (1994)
3. Alur, R., Henzinger, T.A.: A really temporal logic. J ACM 41:181–204 (1994)
4. Alur, R., Henzinger, T.A., Kupferman, O.: Alternating-time temporal logic. J ACM 49:672–713 (2002)
5. Alur, R., Feder, T., Henzinger, T.A.: The benefits of relaxing punctuality. J ACM 43(1):116–146 (1996)
6. Arbab, F.: Reo: a channel-based coordination model for component composition. Math Struct Comput Sci 14(3):1–38 (2004)
7. Arbab, F., Rutten, J.J.M.M.: A coinductive calculus of component connectors. In: Pattinson, D., Wirsing, M., Hennicker, R. (eds), Recent trends in algebraic development techniques, proceedings of 16th international workshop on algebraic development techniques (WADT 2002), vol. 2755 of Lecture Notes in Computer Science, pp. 35–56. Springer Berlin Heidelberg New York (2003). http://www.cwi.nl/ftp/CWIreports/SEN/SEN-R0216.pdf
8. Arbab, F., Baier, C., de Boer, F.S., Rutten, J.J.M.M., Sirjani, M.: Modeling context-sensitive behavior of component connectors with priorities. (Forthcoming paper) (2006)
9. Arbab, F., Baier, C., Rutten, J.J.M.M., Sirjani, M.: Modeling component connectors in Reo by constraint automata. In: Proc. international workshop on foundations of coordination languages and software architectures (FOCLASA 2003), vol. 97(22) of Electronic Notes in Theoretical Computer Science. Elsevier Science, July 2004. A full version will appear in Science of Computer Programming and is available under http://web.informatik.uni-bonn.de/I/baier/publikationen.html
10. Asarin, E., Caspi, P., Maler, O.: Timed regular expressions. J ACM 49(2):172–206 (2002)
11. Cerans, K.: Decidability of bisimulation equivalences for parallel timer processes. In: Proc. 4th international workshop on computer aided verification (CAV), vol. 663 of Lecture Notes in Computer Science, pp. 302–315. Springer Berlin Heidelberg New York (1993)
12. Fischer, M.J., Ladner, R.E.: Propositional dynamic logic of regular programs. J Comput Syst Sci 18:194–211 (1979)
13. Gawlick, R., Segala, R., Soegaard-Andersen, J., Lynch, N.: Liveness in timed and untimed systems. Inform Comput 141(2):119–171 (1998)
14. Gerth, R., Peled, D., Vardi, M., Wolper, P.: Simple on-the-fly automatic verification of linear temporal logic. In: Protocol specification, testing and verification, pp. 3–18. Chapman & Hall, London (1995)
15. Harel, E., Lichtenstein, O., Pnueli, A.: Explicit clock temporal logic. In: Proc. fifth annual IEEE symposium on logic in computer science (LICS), pp. 402–413. IEEE Computer Society Press, Los Alamitos (1990)
16. Henzinger, T.A., Nicollin, X., Sifakis, J., Yovine, S.: Symbolic model checking for real-time systems. Inform Comput 111(2):193–244 (1994)
17. Henzinger, T.A., Ho, P.-H., Wong-Toi, H.: HyTech: a model checker for hybrid systems. Softw Tools Technol Transfer 1:110–122 (1997)
18. Holliday, M.A., Vernon, M.K.: A generalised timed Petri net model for performance analysis. IEEE Trans Softw Eng 13(12):1279–1310 (1987)
19. Kaynar, D.K., Lynch, N.A., Segala, R., Vaandrager, F.W.: A framework for modelling timed systems with restricted hybrid automata. In: Proceedings 24th IEEE international real-time systems symposium (RTSS'03), pp. 166–177. IEEE Computer Society Press, Los Alamitos (2003)
20. Guldstrand Larsen, K., Pettersson, P., Yi, W.: UPPAAL in a nutshell. Int J Softw Tools Technology Transfer 1(1–2):134–152 (1997)
21. Leonard, L., Leduc, G.: An enhanced version of timed LOTOS and its application to a case study. In: Proc. formal description techniques VI, pp. 483–498. North-Holland, Amsterdam (1994)
22. Manna, Z., Pnueli, A.: The temporal logic of reactive and concurrent systems. Springer, Berlin Heidelberg New York (1992)
23. Merlin, P.M.: A study of the recoverability of computing systems. PhD thesis, Department of Information and Computer Science, University of California, Irvine (1974)
24. Merritt, M., Modugno, F., Tuttle, M.R.: Time-constrained automata (extended abstract). In: Proc. 2nd international conference on concurrency theory, vol. 527 of Lecture Notes in Computer Science, pp. 408–423. Springer Berlin Heidelberg New York (1991)
25. Milner, R.: Communication and concurrency. Prentice Hall International Series in Computer Science. Prentice Hall (1989)
26. Panangaden, P., van Breugel, F. (eds): Mathematical techniques for analyzing concurrent and probabilistic systems. CRM Monograph Series. American Mathematical Society (2004) ISSN 1065–8599
27. Pnueli, A.: The temporal logic of programs. In: Proceedings of the 18th IEEE Symposium on the Foundations of Computer Science (FOCS-77), pp. 46–57, Providence, Rhode Island, October 31–November 2. IEEE Computer Society Press, Los Alamitos (1977)
28. Ramchandani, C.: Analysis of asynchronous concurrent systems by timed Petri nets. Project MAC 120, MIT (1974)
29. Reed, G.M., Roscoe, A.W.: A timed model for communicating sequential processes. Theor Comput Sci 58:249–261 (1988)
30. Rutten, J.J.M.M.: Component connectors. In [26], Chap. 5, pp. 73–87 (2004)
31. Sifakis, J.: Performance evaluation of systems using nets. In: Brauer, W. (ed.) Proceedings of the advanced course on general net theory, appeared as Lecture Notes in Computer Science 84. Springer, Berlin Heidelberg New York (1980)
32. Tasiran, S., Alur, R., Kurshan, R., Brayton, R.: Verifying abstractions of timed systems. In: Proc. 7th conference on concurrency theory (CONCUR), vol. 1119 of Lecture Notes in Computer Science, pp. 546–562 (1996)
33. Vardi, M., Wolper, P.: Reasoning about infinite computations. Inform Comput 115:1–37 (1994)
34. Wolper, P.: Specification and synthesis of communicating processes using an extended temporal logic. In: Proc. 9th symposium on principles of programming languages (POPL), pp. 20–33 (1982)
35. Wolper, P., Vardi, M., Sistla, A.: Reasoning about infinite computation paths. In: Proc. 24th symposium on foundations of computer science (FOCS), pp. 185–194. IEEE Computer Society Press, Los Alamitos (1983)
36. Yi, W.: CCS + time = an interleaving model for real time systems. In: Proceedings of the 18th international colloquium on automata, languages and programming, vol. 510 of Lecture Notes in Computer Science, pp. 217–228. Springer, Berlin Heidelberg New York (1991)
37. Yovine, S.: Kronos: a verification tool for real-time systems. Softw Tools Technol Transfer 1(1–2):123–133 (1997)
Author Biographies
Christel Baier received the diploma degree in mathematics in 1990 from the University of Mannheim in Germany. She received the PhD degree (1994) and the venia legendi (1999), both from the Department of Computer Science at the University of Mannheim. Since autumn of 1999, she has been a professor of computer science at the Rheinische Friedrich-Wilhelms-Universität Bonn. Her research interests are the theory of concurrent and probabilistic systems, verification, semantics of programming languages and process calculi, and mathematical logic.
Prof. Farhad Arbab received his PhD in computer science from the University of California, Los Angeles, in 1982. Dr. Arbab is a senior researcher at the Dutch National Research Center for Mathematics and Computer Science (CWI) in Amsterdam, and professor of computer science at Leiden University, in the Netherlands. His fields of interest include software composition, coordination models and languages, service oriented computing, component based systems, and concurrency.
Frank de Boer received his PhD in computer science from the Free University, Amsterdam, in 1991. In his thesis he developed a first sound and complete proof theory for a parallel object-oriented language. Dr. de Boer is a senior researcher at the Dutch National Research Center for Mathematics and Computer Science (CWI) in Amsterdam, and associate professor of computer science at Leiden University, in the Netherlands. His primary field of interest concerns the semantics and proof theory of concurrent systems.
Prof. Dr. J.J.M.M. Rutten is head of the research theme 'Coordination languages' at CWI (Centre for Mathematics and Computer Science) and professor of computer science at the VUA (Free University Amsterdam). His research interests are semantics, applied logic, coalgebra and coinduction, with applications to programming languages and software engineering.
