Modelando y verificando diseños de sistemas de tiempo real by Braberman, Víctor Adrián
Modelando y verificando diseños de sistemas de
tiempo real
Braberman, Víctor Adrián
2000
Doctoral Thesis
Facultad de Ciencias Exactas y Naturales
Universidad de Buenos Aires
www.digital.bl.fcen.uba.ar
Contacto: digital@bl.fcen.uba.ar
This document is part of the doctoral theses collection of the Central Library Dr. Luis Federico Leloir.
It should be used accompanied by the corresponding citation acknowledging the source.
Source:
Biblioteca Digital de la Facultad de Ciencias Exactas y Naturales - Universidad de Buenos Aires
Departamento de Computación
Facultad de Ciencias Exactas y Naturales
Universidad de Buenos Aires
Modeling and Checking Real-Time System Designs
by
Víctor Adrián Braberman
Director: Ph.D. Miguel Felder
Pabellón 1 - Planta Baja - Ciudad Universitaria
(1428) Buenos Aires
Argentina
e-mail: vbraber@dc.uba.ar
http://www.dc.uba.ar/people/exclusivos/vbraber
Departamento de Computación
Facultad de Ciencias Exactas y Naturales
Universidad de Buenos Aires
Modelando y Verificando Diseños de Sistemas de Tiempo Real
Author: Víctor Adrián Braberman
Director: Dr. Miguel Felder
Pabellón 1 - Planta Baja - Ciudad Universitaria
(1428) Buenos Aires
Argentina
e-mail: vbraber@dc.uba.ar
http://www.dc.uba.ar/people/exclusivos/vbraber
Abstract
Real-time systems are found in an increasing variety of application fields. Usually, they are embedded systems controlling devices that may risk lives or damage property: they are safety-critical systems. Hard real-time requirements (late means wrong) make the development of such systems a formidable and daunting task. The need to predict the temporal behavior of critical real-time systems has encouraged the development of a useful collection of models, results and tools for analyzing the schedulability of applications (e.g., [109]). However, there is no general analytical support for verifying other kinds of high-level timing requirements on complex software architectures. On the other hand, the verification of specifications and designs of real-time systems has been considered an interesting application field for automatic analysis techniques such as model checking. Unfortunately, there is a natural trade-off between the sophistication of the supported features and the practicality of formal analysis.
To cope with the challenges of the formal analysis of real-time system designs we focus on three aspects that, we believe, are fundamental to obtaining practical tools: model generation, model reduction and model checking. Firstly, we extend the ideas presented in [30] and develop an automatic approach to model and verify designs of real-time systems against complex timing requirements, based on scheduling theory and on timed automata [7] (a well-known and well-studied formalism to model and verify timed systems). That is, to enhance the practicality of formal analysis, we restrict our analysis to designs adhering to fixed-priority scheduling. In essence, we exploit known scheduling theory to automatically derive simple and compositional formal models. To the best of our knowledge, this is the first proposal to integrate scheduling theory into the framework of automatic formal verification. To model such systems, we present I/O Timed Components, a notion and discipline to build non-blocking, live timed systems. I/O Timed Components, which are built on top of timed automata, provide other important methodological advantages such as influence detection and compositional reasoning.
Secondly, we provide a battery of automatic and rather generic abstraction techniques that, given a requirement to be analyzed, reduce the model while preserving the behaviors relevant to checking it. Thus, unlike previous formal approaches, we do not feed the verification tools with the whole model. To argue the correctness of those abstractions, we present a notion of Continuous Observational Bisimulation that is weaker than strong timed bisimulation yet preserves many well-known logics for timed systems, such as TCTL [3].
Finally, since we choose timed automata as the formal kernel, we adapt and apply their deeply studied analysis theory as well as their practical tools. Moreover, we also describe from scratch an algorithm to model-check duration properties, a feature not addressed by available tools. That algorithm extends the one presented in [28].
Acknowledgements
I thank the institutions that allowed me to carry out this project: the Departamento de Computación, the Facultad de Ciencias Exactas y Naturales, UBA, and the FOMEC project. Likewise, I extend my thanks to the current and past authorities, members and former members of the Departamento de Computación, who supported me unconditionally. A special mention is deserved, for their contribution and commitment to this thesis, by my advisor, Dr. Miguel Felder; my examiners, Dr. Alfredo Olivero, Dr. Mauro Pezzè and Dr. Sergio Yovine; and the alternate members of the committee, Dr. Juan Vicente Echagüe and Lic. Gabriel Baum. Nor can I fail to mention the co-author and inspirer of the work on duration properties, Dr. Dang Van Hung. I thank the members of the Politecnico di Milano, of UNU/IIST, and of the VERIMAG institute, who kindly received and inspired me. I especially thank the "tesistas" Gabriela Finkelstein, Diego Garbervetski and Cecilia Schor for their important contribution to the validation and correction of part of the ideas included in this thesis. Finally, for the enormous emotional support they gave me during all these years, I thank my family, my girlfriend and my friends.

Contents
1 Introduction
1.1 Prior Research
1.2 Working Examples
1.2.1 The Active Structural Control System
1.2.2 The Mine Drainage Controller System
1.3 Our Approach
1.3.1 Summarizing the Achievements
1.4 Structure of this Thesis
2 Background on Timed Systems Theory  15
2.1 Preliminary Definitions  15
2.1.1 Sequences  15
2.1.2 Timed Words  16
2.1.3 Clocks, Constraints and Valuations  16
2.2 Timed Automata  17
2.3 Semantics  18
2.3.1 Runs and Non-Zenoness  19
2.3.2 From Finite Runs to Finite Transition Language  20
2.4 Parallel Composition  21
2.5 Propositional Valuation of Locations  23
2.6 Bisimulations  23
2.7 Some Logics for Real-Time Models  25
2.7.1 Timed Computational Tree Logic  25
2.7.2 Linear Duration Invariants  26
3 Extensions on Timed Systems Theory  29
3.1 Property Preserving Simulations  29
3.2 Property Preserving Bisimulations: CO-Bisimulations  32
3.3 I/O Timed Components  37
3.3.1 I/O Components, Composition and Non-Zenoness  40
4 Describing RTS Designs and Requirements
4.0.2 Introduction to the Fixed Priority Application Model
4.1 Describing the System Architecture
4.2 Task Dynamics
4.2.1 A Structured Language to Define Task Dynamics: Design Language
4.2.2 The Kernel Language: CDAGs
4.2.3 From Design Language to CDAGs
4.3 Communication and Environment: Constraining Components
4.4 Requirements
4.4.1 Safety Event Observers
4.4.2 Büchi Observers
4.4.3 TCTL Observers
4.4.4 Linear Duration Observers
5 Semantics of Tasks in terms of I/O Timed Components  77
5.1 The Untimed Semantics  77
5.2 Timed Model  78
5.3 The WCCT Calculus  82
6 Model Reductions
6.1 Exact Abstraction: The Relevance Calculus  88
6.2 Conservative Abstractions  93
6.3 Correctness of the Relevance Calculus  95
7 Reducing the Composition of I/O Components  101
7.1 Relevance  102
7.2 The Quotient Automaton  105
7.3 Results  109
7.4 Examples  111
7.5 Conclusions and Discussion  116
8 Fitting the Pieces Together  123
8.1 An Architecture for the Checking Tool  123
8.1.1 Verifying Safety Observers  124
8.1.2 Verifying Büchi Observers  126
8.1.3 Verifying TCTL Observers  127
8.1.4 Verifying Linear Duration Observers  127
8.2 Summary  128
9 Verifying Duration Properties  129
9.1 Introduction  129
9.1.1 Related Work  129
9.2 A Case Study  131
9.3 Time Constrained Regular Expressions  133
9.4 Problem Transformation in terms of TC-RE  135
9.5 Verifying Finite TC-RE  136
9.6 Infinite TC-RE  137
9.6.1 Well-Behaved TC-RE  138
9.7 Problem Transformation in terms of Well-Behaved TC-RE  140
9.8 Principles for the Model-Checking Algorithm  144
9.8.1 Past-Independence  144
9.8.2 Obtaining Past-Independent Iterations  146
9.9 The Basic Algorithm  147
9.10 Conclusions and Discussion  150
9.11 Proofs of Lemmas and Theorems  151
10 Conclusions and Future Work
Bibliography
A A Survey on RTS Design Notations and Analysis Tools  175
A.1 Notations and Models for Physical Designs of RTS  175
A.1.1 A Tool Classification  176
A.1.2 Guiding Features and Characteristics  177
A.1.3 The Survey  179
A.1.4 Some Remarks  190
B Abstract Code for the Working Examples
List of Figures
1.1 The Active Structural Control System
1.2 Mine Drainage Design
1.3 The Tool Architecture
2.1 The Railroad Crossing System  22
2.2 The Railroad Crossing System with a Trap Location  24
3.1 Two Continuous Observational Equivalent Automata  33
3.2 Two Compatible I/O Components  41
3.3 I/O Components of the RCS  42
3.4 I/O Components of the CSMA/CD Protocol  43
3.5 Observer for Checking Non-Zenoness Regardless of Input  48
4.1 Design Elements  51
4.2 Language Levels for Describing Task Dynamics  54
4.3 CDAG for WaterFlow Sensor  59
4.4 CDAG for ACK Handler  59
4.5 Connectors Modeled  61
4.6 The Sensor, the Actuator, and the Communication for the Active Structure System  63
4.7 Assumptions about the CH4 Sensor
4.8 Assumptions about the HLWLevel Sensor  65
4.9 Assumptions about the Operator
4.10 Observer for Freshness: From a Read to an Update of the Model  66
4.11 Observer for Regularity: Interpulse Delay  66
4.12 Observer for Separation  68
4.13 Observer for Response1  68
4.14 Observer for Response2  68
4.15 Observer for Response3: From CH4 to Console Proxy  69
4.16 Observer for Response3: From Console Proxy to ConsoleDisplay  69
4.17 Observer for Freshness 1  69
4.18 Observer for Correlation  69
4.19 Observer for False Alarm for CO  70
4.20 Observer for Fault Detection HLW  70
4.21 Observer for False Alarm for HLW  70
4.22 Observer for Fault Detection NET  70
4.23 Observer for Freshness 2  71
4.24 Observer for Console  71
4.25 Büchi Observer: Responsiveness  73
4.26 TCTL Observer: From a Dangerous State to a Normal One  74
4.27 LDI Observer: Energy Wasted  75
5.1 Semantics for the Modeler and the Pulser
5.2 Semantics for Tasks
6.1 CH4-Sensor Semantics  90
6.2 CH4-Sensor Semantics Collapsed  91
6.3 Conservative Abstraction Rules  94
6.4 CH4-Sensor Conservative Reduction  95
7.1 Standard vs. Reduced Composition
7.2 Observer for the Railroad Crossing System  112
7.3 Fault Detection NET Observer  113
7.4 Freshness Observer
7.5 Regularity Observer
7.6 Two Safety Observers for the Pulse Freshness Requirement
7.7 Collision Detection Observer for the CSMA/CD Protocol
8.1 The Tool Architecture
9.1 Timed Automata Model
9.2 No-Delay Constrained Iterations
9.3 The Reachability Graph
9.4 The Conceptual Architecture
10.1 The Voter and an Abstraction for the Fault Tolerant Sensor

List of Tables
1.1 Computational Requirements for the Active Structural System  5
6.1 Components Needed for Requirements of the Active Structure System
6.2 Components Needed for Requirements of the Mine Drainage System
7.1 Calculated Values  107
7.2 Relevance Function  112
7.3 Standard Composition vs. Quotient for the Railroad Crossing System, n=4  112
7.4 Relevance Function for Fault Detection NET  113
7.5 Standard Composition vs. Quotient for the Fault Detection NET Observer  113
7.6 Relevance Function for Freshness  115
7.7 Standard Composition vs. Quotient for Freshness  115
7.8 Relevance Function for Regularity  116
7.9 Standard Composition vs. Quotient for Regularity  116
7.10 Relevance Function for Pulse Freshness (Observer 1)  118
7.11 Relevance Function for Pulse Freshness (Observer 2)  118
7.12 Standard Composition vs. Quotient for Pulse Freshness  119
7.13 Relevance Function for Collision Detection  120
7.14 Standard Composition vs. Quotient for Collision Detection  120
7.15 Varying the Constants for the RCS Example  121
8.1 Results of the Queries: Active Structural System
8.2 Results of the Queries: Mine Pump System

generally, involving more than one component at design level) and other safety properties "make or break" design correctness [77]. Some examples of these properties are: 1) responsiveness (bounds on response times for events); 2) timing requirements for sample and output rates; 3) freshness constraints (bounds on the age of data used in the system); 4) correlation constraints (the maximum time skew between several inputs used to produce an output); 5) availability of data or space when asynchronous communication is performed; 6) no loss of signals; 7) guarantees on the consistency of distributed data; 8) duration properties (properties stating bounds on accumulated sojourn times in system states); etc.
The problem we address in this thesis is the verification of such requirements on physical designs of RTS. In what follows, we briefly describe previous approaches and motivate ours. The interested reader can find in Annex [33] a more detailed survey of notations and analysis tools for RTS designs.
1.1 Prior Research 
The desire to predict the timed behavior of RTS has encouraged the development of a useful collection of results for run-time scheduling (see for example [43, 109]). Furthermore, the schedulability of applications satisfying the studied assumptions can be efficiently analyzed, and several tools have been developed (e.g., [122, 13, 97, 93, 98], etc.). However, these results and tools are mainly aimed at verifying schedulability. There is no general support for verifying distributed architectures against high-level timing requirements whose satisfaction depends on the complex interaction among several components.
On the other hand, the verification of RTS designs has been considered an interesting application field by the research community working on automatic state-space analysis, generically called model checking. Model checking is a generic name for a set of automatic (and usually quite fast) techniques for verifying concurrent systems such as sequential circuit designs and communication protocols ([56, 95, 54], etc.). If the design contains an error, model checking produces a counterexample that can be used to pinpoint the source of the error. These widespread techniques (which were awarded the 1998 ACM Paris Kanellakis Theory and Practice Award) have been used successfully to verify real industrial designs, and companies are beginning to market commercial model checkers. Although there are many formally based tools to describe and analyze timed systems (see for example [88, 33, 138]), few of them address a key issue of low-level design descriptions: the fact that resources are shared by components. To address processor sharing (more specifically the preemption of tasks, a common feature of many real-time OS platforms) some operational formal notations have been adapted and some tools have been developed. Among others, we can mention RTSL [73], a process-algebraic approach based on discrete time to analyze task schedulability on monoprocessor systems. The technique allows designers to define existing and new scheduling disciplines; reachability analysis can then be applied to detect exceptions such as missed deadlines. We can also mention GCSR [21, 142], a graphical language based on a discrete-time version of a process algebra that takes fixed priorities into account to share resources [ll?]. To model preemption, the designer should divide tasks into non-preemptable units. A further technique is VERUS [46, 47], which is based on discrete labeled edge systems to model applications running on a fixed-priority scheduled single processor. VERUS uses symbolic model checking ([36, 156], etc.) to verify timing properties and to obtain timing information.
There are other approaches, like [15, 38], based on dense-time formalisms such as Constant Slope Hybrid Automata [5]. Also, with a dense-time model it is possible to build conservative abstractions of real-time software, see [58]. Unlike the discrete-time approaches mentioned so far, time granularity becomes largely irrelevant. By using such an expressive dense-time formalism, it is possible to model applications that do not necessarily satisfy the assumptions of most studied scheduling theories. The drawback is that reachability is no longer decidable (although the authors claim to obtain answers in most cases). Other authors use a decidable class of Hybrid Automata to model preemption [123], but complexity is still the big issue.
Although it focuses on non-preemptive scheduling, it is worth citing [70], where a general model of non-preemptive aperiodic tasks based on timed automata is presented. Timed automata specify the possible arrival times of tasks, which are described by a worst-case computation time and a relative deadline. Schedulability analysis and other safety properties are then transformed into a model-checking problem.
Finally, let us mention RTD [71], a family of notations based on a dense-time high-level version of Petri Nets (HLTPN [80]) inspired by POSIX standards [133]. The approach is mainly aimed at simulation, symbolic execution and bounded reachability.
In conclusion, to deal with preemption, discrete-time approaches resort to "tick"-resolution modeling (see [71, 46, 21]) while dense-time formalisms use "integrator" variables (see [38, 15, 71, 152]) to keep track of executed time. Unfortunately, those techniques have a negative impact on the decidability or the feasibility of the verification problems for the mentioned formal approaches (e.g., see the discussions in [38, 58, 132]). Moreover, the produced models are either monolithic or composed of a set of terms whose behaviors are heavily interdependent, since they share the same processing resource. We believe that this is an unsatisfactory situation: scalability becomes a very difficult issue, since the whole model of the system must always be taken into account in the verification process. Indeed, eliminating a data-independent task may dramatically change the timed behavior of the remaining tasks.
1.2 Working Examples 
We focus our proposal on designs which adhere to the assumptions of fixed-priority scheduling theory [109, 86]. Fixed-priority scheduling has been successfully used by a large number of applications in the RTS field ([109, 12, 40, 108, 139, 66], etc.). It has also inspired real-time extensions to OS standards like POSIX [133] and the Java Real-Time extensions [135]. In particular, we propose an automatic verification technique for concrete architectures, featuring:
- Event- and time-triggered tasks distributed over a net of processing resources and scheduled by a preemptive fixed-priority policy (e.g., Rate Monotonic [109]). Data and control are communicated through shared variables, queues, circular buffers, signals, etc.
- Abstract descriptions of task code (where relevant events do not necessarily occur at the end of the task).
- Descriptions of known assumptions about the environment's behavior.
We aim at assessing whether complex safety properties hold for non-trivial designs built using those features. In this thesis, we propose the basis for an efficient automatic formal approach to complement manual reasoning and simulation. In this way, more confidence can be gained in the correctness of proposed detailed designs.
In this section we present extensions of two working examples found in the RTS literature. They will help us illustrate different ideas, aspects and features of our proposal throughout this thesis. They are also useful to give an early flavor of our practical achievements.
To present each example, we describe its goal, its particularities, the proposed design (graphically sketched with a notation based on HRT-HOOD [42]), the requirements, and the properties that the designer would like to check. The graphical notation shows three kinds of objects: cyclic, sporadic, and protected objects (marked by their initial letters in the left corner). Cyclic objects correspond to periodic tasks (i.e., time-triggered tasks awakened periodically). Sporadic objects are tasks that respond to events arriving with a minimum interarrival time. Protected objects are monitor-like constructs that allow at most one client object at a time to perform an operation (the set of operations is annotated in the attached rectangle). Mutual exclusion is achieved using the priority ceiling emulation scheme [109, 141], i.e., the operation code executes at a priority higher than the priorities of the client objects' code (see Chapter 4). Dotted arrows represent signal flows while solid lines represent data flows.
This thesis presents the theoretical and engineering concepts for a tool that formally checks such designs against their requirements.
1.2.1 The Active Structural Control System
In this section we describe the design of a well-known working example: the active structural control system (see [69, 104], etc.). Active structures include an embedded system to limit structural vibration due to earthquakes or strong winds.
Figure 1.1: The Active Structural Control System
These structures include actuators that may be expanded or contracted to counteract the external forces applied to the structure. A controller measures the state of the structure (e.g., accelerations and displacements) and sends commands to the actuators when readings indicate an undesirable state. To minimize vibration-induced earthquake damage, the natural frequencies of a structure should lie outside the frequency band of the seismic excitations produced by earthquakes. Schematically, then, a control system senses the seismic excitations at a high sampling rate and changes the natural frequencies of the structure by using the active members, according to the control algorithm. There are, of course, timing constraints on the activity of the actuators due to the time bounds required by the control algorithm (if they are not satisfied the structure may become unstable). The solution proposed in [69] uses a pulse control algorithm. To limit vibratory displacement near resonance, these algorithms apply an opposing pulse at a higher frequency to break up the resonant forces. The major design variables are the time between pulse initiations, Δt_p, and the pulse duration, Δt. These values are determined by the natural frequencies of the system, the expected forcing functions, and the desired level of displacement control. Traditional pulse-control theory requires that the interpulse delays be of exactly the same value, namely Δt_p. However, ensuring that these delays are invariant is almost impossible, owing to "play" in factors such as the time needed for calculating the pulse magnitudes and the ramp-up times of the actuators. We will suppose that the structure behaves correctly if the interpulse delays are at least 32 msec * 10^-1 but no more than 145 msec * 10^-1 (hereafter, msec * 10^-1 is our time unit, t.u.). The following table summarizes the timing information for the different system activities:
Table 1.1: Computational Requirements for the Active Structural System
A socket-based communication is used. To establish a connection, 10 t.u. are required; when both peers are ready to communicate, it takes 5 t.u. to exchange a message and its acknowledgment.
Unlike the model presented in [69], we deal with a low-level description of the system where several tasks interact. That is, our solution is not a monolithic state machine like [69]. Indeed, several tasks share a single processor under a fixed-priority policy (see Fig. 1.1). In particular, the pulse-control algorithm is mapped into two tasks: the Modeler and the Pulser. The Modeler is a sporadic task which, once initialized, serves the messages arriving from the sensor. Then, it updates in a predictive fashion a model stored in a shared protected object, Model, and starts a new communication with the sensor to be served in the next invocation. The Pulser periodically reads the model, calculates the pulse magnitude and starts a communication with the actuator; the acknowledgement is not awaited before the next iteration, since the designer believes it always arrives before the next period starts (110 t.u.).
There are two main timing requirements for this system:
Regularity: As mentioned earlier, the interpulse delays should be at least 32 t.u. but no more than 145 t.u.
Freshness: The validity of the model updated by the Modeler is at most 130 t.u. That is, the Pulser should read a model not older than 130 t.u. (a model is "born" when the Modeler updates the model object).
1.2.2 The Mine Drainage Controller System 
The design of a mine drainage controller system is another example that commonly appears in the literature (e.g., [41, 102], etc.) and it possesses many of the characteristics which typify embedded real-time systems. The original presentation assumes that the system will be implemented on a single processor; however, we enriched the example with a remote processor running an application that allows an operator to monitor and command the system.
We use Fig. 1.2 to explain the functionalities, design and basic timing requirements. The system is used to pump mine water, which collects in a sump at the bottom of the shaft, to the surface. The pump should not be operated when the level of methane gas (CH4) in the mine reaches a high value, due to the risk of explosion. Most environmental values (airflow, carbon monoxide (CO), and water flow) are polled periodically. The high and low water sensor communicates via interrupts. The protected object Motor provides the services to operate the pump and reflects the motor status. The protected object CH4 Status keeps the level of the last methane reading. Whenever there is a risky situation (gas levels or air flow become critical, water flow readings are not consistent with motor status, etc.) an alarm is reported to a protected object, Console, to be eventually signaled to the remote monitor system where the operator resides. Operations and readings are added to an object Log. There is a sporadic task, Command, to serve the operator requests arriving from the remote processor: inspect motor status, set pump on or off. The CO and CH4 Sensors use the technique of period displacement [41] to perform the readings. That is, they request a reading which should be available in the next period (if this is not the case, a "faulty device" alarm is generated).
[Figure 1.2: Mine Drainage Design]
We added another fault detection mechanism to the original example: a watchdog task periodically checks the availability of the high-low water sensor device. Firstly, it sends a request, and secondly, it extracts the acknowledgements which were received and queued in a three-slot queue by a sporadic task (the Ack Handler) in previous cycles. Finally, if the queue is empty the watchdog signals this as a faulty condition.
On the second processor, there is a sporadic task to serve the Console Proxy signals. The Console Proxy, which runs on the main processor, always sends a signal to indicate availability (usually, with the last values accumulated in the Console object). The T.Out Watchdog is awakened by a time-out when no signal arrives from the proxy within 1 sec. There is a Command Capturer awakened by the interrupt generated from Operator Commands. This task communicates the command to its partner, Command, running on the local processor.
Timing Requirements and Facts 
We summarize the main requirements, properties, and facts on the Mine Pump system 
according to [41]. 
Requirements:
Separation: Two consecutive readings of the Water-Flow sensor shall be within 960 ms and 1,040 ms apart.
Bounded Response 1: The system must respond to high and low water level changes by setting or by clearing the motor within 200 ms (if the level of CH4 is Ok).
Bounded Response 2: The deadline from CH4 going high to the pump being disabled is 200 ms.
Bounded Response 3: The operator shall be informed within 1 sec of detection of critically high CH4 or CO readings.
Bounded Response 4: The operator shall be informed within 2 sec of detection of critically low airflow readings.
Facts: The following facts are derived from the physics of the application, the sensors and transmission delays:
CH4 and CO facts: CH4 and CO sensors require at least 35 ms and at most 40 ms in order for a reading to become available.
HLW-Level Fact: There are at least 6 sec between High and Low water level changes. The transmission of those signals takes between 10 ms and 15 ms.
We also add some new requirements and facts to illustrate some capabilities of the approach.
Requirements:
Freshness 1: The ages of CO readings and air-flow readings shall be at most 100 ms when decisions are taken in the respective sensor tasks.
Correlation: The correlation between CH4 and CO readings when written into the log shall be at most 100 ms. That is, the ages of the CH4 and CO status paired into the log differ by at most 100 ms.
False Alarm: A "faulty-device" alarm shall not be reported when the devices are working properly.
Fault Detection HLW: If the high-low water level device fails, it shall be reported to the remote operator within 2 sec.
Fault Detection NET: If a fault on the main processor or the net occurs, it shall be reported to the remote operator within 2 sec.
Freshness 2: The data at CH4 Status shall not be older than 100 ms.
Compliance with Object Interface Assumptions: The CH4 Sensor shall not report more than four alarms in the time interval between two consecutive "Get Package" operations. Get Package is an operation performed by the Console Proxy to obtain the information accumulated in the Console object during the last period.
HLW-ACK Fact: When the High-Low water level sensor receives the ACK request from a watchdog, the signal arrives within 15 ms to 25 ms.
Operator Fact: Operator Commands are separated by at least 1 sec.
1.3 Our Approach 
To cope with the problem of checking requirements for RTS-Designs we believe it is necessary to deal with at least three kinds of topics:
Modeling Techniques. 
Model-Reduction Techniques. 
Model-Checking Techniques. 
We decided to present our work guided by this threefold approach. Roughly speaking, at the modeling level, we exploit the fact that we focus on a particular (yet useful) application model. This allows us to build rather simple and verifiable models. The model-reduction techniques we present are based on a notion of influence among automata. Influence is the base for our algorithms that get rid of automata when they have no future relevance in the property satisfaction. Finally, we point out tools and algorithms for checking the real-time requirements. Moreover, we propose a novel algorithm in the case of Duration Properties ([106]) (properties expressed in terms of accumulated sojourn times on particular system states).
Modeling 
Motivated by the desire to improve the practical feasibility of formal analysis, we decided to sacrifice generality by fixing the architectural style of the applications to be designed. We believe that there is a natural trade-off between the sophistication of supported features and the ability to efficiently verify the obtained designs [30]. We chose to adhere to preemptive fixed-priority theory assumptions [109, 86]. Such assumptions suit a large number of applications in the real-time field ([109, 40, 139, 108], etc.). These assumptions allow us to exploit known scheduling theory and automatically derive simple formal models from design notations. Some scheduling analysis techniques provide analytical tools for calculating the worst-case completion time of certain code areas (WCCT). Bounds for the best-case completion times (BCCT) can be derived from time estimates provided by designers. In a few words, our proposal uses those calculated WCCT and BCCT to build an abstract model of the system based on Timed Automata (TA) [7] as kernel formalism. TA are a well-studied dense-time formalism, simpler and more tractable than Hybrid Automata and HLTPN. TA are supported by some well-established model-checking tools (e.g., [61, 23, 91, 146], etc.) which were successfully applied in application fields such as protocol and circuit verification (e.g., [54, 59, 62, 148, 147], etc.).
In the resulting models, neither the scheduler nor the priorities of tasks are explicitly 
represented. However, their influence on response-times of tasks is taken into account as 
timing information for the TA. Indeed, we regard the scheduler and the priority assignment 
mainly as a way to achieve fair computation and predictive response times. Therefore, we 
are able to build abstractions to automatically reason on combinations of response times. 
We also believe that, in general, this is the kind of reasoning that a designer would rely on 
to gain confidence in its design. Note also that schedulability analysis is not our concern: it can be solved using scheduling theory.
In our models, a timed automaton represents each task. The edges of that timed automaton 
stand for the end of the task relevant actions. By using the expressive power of TA, we 
describe that location changes occur within the best and worst-case response times of 
the corresponding event (i.e., BCCT and WCCT of associated actions). The model so 
produced is conservative as it might produce more behaviors than the actual system. 
Therefore, it is safe to verify safety properties (i.e., "nothing-bad-happens" properties). In real-time systems, most interesting properties are usually safety properties [90]. We believe
that abstracting away from scheduling details using BCCT and WCCT is faithful for most 
practical purposes. Indeed, in general, designers reason on worst cases to  informally gain 
confidence on design correctness. Our approach automates that kind of reasoning. Only 
properties that hold on the implementation due to subtle scheduling side effects may be 
reported as false by our approach. In the future work section, we show how to extend this approach to be more faithful by adding extra information if required to check a property (e.g., harmonic periods and priorities [77] may be used to ensure task precedence).
2 Conservative modeling or analysis of systems is a well-known and useful technique to reduce the complexity of the verification process while preserving its correctness (e.g., [52, 68, 15, 28], etc.)
Usually, designers want to know whether (and how) the system may violate the analyzed 
property. In our proposal, designers describe an "observer" timed-automaton, which syn- 
chronizes with those events that are relevant for checking whether the requirement is met 
or not (which are mainly the end of communication actions). The main kind of requirement 
we deal with is what we call "safety observers". A safety observer reaches a location stand- 
ing for an error if and only if the system may violate the requirement.3 TA allow designers to express rather complex timing requirements involving more than one component.
Reduction 
Along with the modeling techniques we develop and prove a set of automatic reduction 
techniques to  reduce the verification effort. For example, we present a technique to auto- 
matically derive, given a set of observable events, a subset of components that is sufficient 
to perform the verification process. That is, one attractive aspect of this approach is that 
in general, only a small subset of components is needed to perform the verification step. 
Hence, the complexity of our approach mainly depends on the number of components 
involved in the requirement instead of the size of the complete model like the previous 
work. 
To further reduce the size of the models, we also provide a set of conservative abstraction 
rules. Besides, we develop a technique to reduce the size of the parallel composition of 
TA that uses a notion of influence to get rid of components that do not influence the 
future behavior of the system under analysis. Correctness of these techniques is based 
on extensions of bisimulation and simulation theory for timed systems we develop in this 
thesis.
Checking 
We provide the basis, and in some cases, new algorithms to check requirements that can be expressed using Safety Observers, Büchi Automata [149], Timed Computational Tree Logic [3], and Linear Duration Invariants [106]. It is worth mentioning that we resort to known tools and results to perform the analysis whenever that is possible. That is, we do not focus on the development of model-checking techniques but on the model-building and model-reduction issues. However, we present an algorithm to check Linear Duration properties and we describe as future work some improvements on the existing checking tools.
3 Similar techniques have also been used with untimed systems, as in [52, 84, 11], etc.
1.3.1 Summarizing the Achievements 
One of the major contributions of this work is the integration of two research lines in real- 
time system verification: scheduling theory and automatic formal verification approaches.4 
Our proposal enlarges the applicability of scheduling theory to deal with requirements 
that involve interaction among components. We also show how known scheduling results 
could be used to enhance the practicality of formal analysis. The compositionality of our 
models implies that, generally, our analysis depends just on the components involved in the 
requirement; it does not require the presence of all components like previous approaches. 
To the best of our knowledge, it is the first proposal to model preemptive systems using 
a dense-time formalism which does not support time accumulation constraints (a feature 
supported by Hybrid Automata or HLTPN). We also provide the abstraction theory that 
supports the reduction methods (Chapter 3). That theory is based on notions of (somewhat weak) simulation and bisimulation which preserve the linear and branching time structure of the original system, respectively, up to a set of state observers and events (and therefore preserve the satisfaction problem for well-known logics). We introduce the notion of Timed I/O Components (Sect. 3.3) as TA for which an I/O interface is also specified. That notion has nice modeling properties like non-Zeno preservation, allows a rather intelligent parallel composition (Chapter 7), compositional reasoning [76, 111] and, we believe, can be applied to any other timed or untimed formalism.
Finally, we present an algorithm to model-check Duration Properties on Timed Automata. 
It is worth mentioning that verification of duration properties is not featured by any avail- 
able tools for the analysis of real-time designs. 
1.4 Structure of this Thesis 
This thesis is structured as follows. Firstly, in Chapter 2, we outline the basic notions of our kernel formalism, Timed Automata, and the logics to reason on the underlying timed transition system. In Chapter 3 we show all the theoretical concepts and results that we develop to support our techniques (weak bisimulations preserving the timed branching structure, the notions of I/O Timed Components, etc.).
In our proposal, the designer describes the design and generic scenarios encompassing bad behaviors he/she wants to check are absent in the design. Chapter 4 presents notations to describe the design to be analyzed and to describe the undesired behaviors (observers). In Chapter 5 we show how the I/O Timed Components that model tasks are built. In Chapter 6 we present a set of ad-hoc procedures to faithfully reduce the size of the model. Those
4We should mention that [72] presents an integration of scheduling theory and program refinement. 
Unlike TA, timed program refinement calculus is a deductive formalism: designs are derived from the 
specification through sound rules. On the other hand, we automatically check designs for requirements. In 
their approach, schedulability tests become available as feasibility checks during system refinement while 
we use WCCT to build the model to be checked. 
Chapter 2
Background on Timed Systems Theory
As shown later, we use Timed Automata (TA) as the kernel formalism to model and analyze timed behaviors. Timed automata have become one of the most widely used formalisms to model and analyze timed systems. This formalism is supported by several tools (e.g., [61, 23, 146, 91], etc.) which were successfully applied to automatically check communication protocols and circuits (see [54] for some links) and are used by several research groups both in academia and industry.
What follows is a brief outline of the basic notions of TA (for more thorough presentations, see for example [7, 128, 61, 158, 92], etc.). We also present classical equivalence relations between timed models and two well-known logics to reason on timed systems: TCTL [3] and LDI [106, 161].
2.1 Preliminary Definitions
2.1.1 Sequences 
First, we introduce some basic notations for sequences that will be used in the sequel. Let $s$ be a sequence. Then $|s|$ will denote the length of the sequence (i.e., the number of elements) and $s_i$ will denote the $i$th element of the sequence $s$, for $0 \le i < |s|$. For $0 \le i \le j < |s|$, let $s_{i]}$ denote the prefix of $s$ that ends with the $i$th element, $s_{[i}$ the suffix of $s$ that starts from the $i$th element and $s_{[i,j]}$ the subsequence that starts from the $i$th element and ends with the $j$th element inclusively. If the sequence $s$ is not empty, its first element (i.e., $s_0$) will be denoted by $first(s)$ and its last element (i.e., $s_{|s|-1}$) will be denoted by $last(s)$. The concatenation of two sequences $s$ and $s'$ will be denoted by $ss'$, and a sequence with a single element will be identified with its element.
Given a set $E$, a subset $X$ of $E$ and a sequence $s$ over $E$, $X \cap s$ will denote the intersection between $X$ and the underlying set of $s$. $last\text{-}X\text{-}in\text{-}s$ will denote the greatest natural number $k$ such that $s_k \in X$ and, for all $l$ with $k < l < |s|$, $s_l \notin X$, if it exists, or 0 if not.
2.1.2 Timed Words 
Now we define timed languages to describe the behavior of timed automata as required in some chapters of this thesis. By time sequence we mean a non-decreasing sequence of non-negative real numbers.
For our convenience, we define the operation $\oplus$ between time sequences as follows. For time sequences $\tau$ and $\tau'$, $\tau \oplus \tau' = \tau\tau''$, where $\tau'' = (\tau'_0 + last(\tau))(\tau'_1 + last(\tau)) \ldots (\tau'_{|\tau'|-1} + last(\tau))$. Intuitively, the sequence $\tau'$ is translated by the last element of $\tau$ and is then concatenated to the sequence $\tau$ to give the result of this operation. For example, $(0\ 2\ 3\ 5.5) \oplus (1\ 5.3) = (0\ 2\ 3\ 5.5\ 6.5\ 10.8)$.
Definition 1 (Timed Word) A ($\omega$-)timed word over $\Sigma$ is a pair $(\sigma, \tau)$, where $\sigma$ is an (infinite) finite sequence of elements of $\Sigma$ and $\tau$ is an (infinite) finite time sequence, both having the same length.
A set of timed words over $\Sigma$ is called a timed language over $\Sigma$.
2.1.3 Clocks, Constraints and Valuations 
This presentation follows [158]. Given a finite set of variables $X = \{x_1, x_2, \ldots, x_n\}$, a valuation is a total function $v : X \to \mathbb{R}_{\ge 0}$, where $v(x_i)$ is the value associated with clock $x_i$.
We define $V_X$ as the set $[X \to \mathbb{R}_{\ge 0}]$ of total functions mapping $X$ to $\mathbb{R}_{\ge 0}$. $\mathbf{0} \in V_X$ denotes the function that valuates all clocks to 0. Given $v \in V_X$ and $\delta \in \mathbb{R}_{\ge 0}$, $v + \delta$ denotes the valuation that assigns to each clock $x \in X$ the value $v(x) + \delta$.
Given a set of clocks $X$, $\rho \subseteq X$ and a valuation $v$, we define $Reset_\rho(v)$ as the valuation that maps each clock $x \in X$ to
$0$ if $x \in \rho$,
$v(x)$ otherwise.
Given a set of clocks $X$, we define the sets of clock constraints $\Psi_X$ and $\Phi_X$ according to the following grammar:
where $x, x' \in X$, $\sim \in \{<, \le\}$ and $c \in \mathbb{N}$.
A valuation $v \in V_X$ satisfies $\psi \in \Psi_X$ ($v \models \psi$) iff
2.2 Timed Automata 
TA are finite automata where time is incorporated by means of clocks. As finite automata, TA are composed of a finite set of nodes (called locations in the TA literature) and a set of labeled edges. There is no notion of final locations since executions are infinite. Edges model event occurrences while clocks serve to measure the time elapsed since these occurrences. A set of clocks (noted between braces {}) is associated with each edge to indicate which ones are reset when the edge is traversed. A timing condition, a guard, is associated with an edge. A guard is a constraint on clock values. An edge may be traversed only when its guard is true; if so, it is executed instantaneously and the associated clocks are reset. Time elapses at locations, and edge traversal is instantaneous. Also, a timing condition, called an invariant, is associated with each location and determines the valid clock values for the location. Hence, it is possible to use an invariant to express that the control cannot remain in the location more than a certain amount of time (a deadline).
Definition 2 (Timed Automata) A timed automaton is a tuple $A = \langle S, X, \Sigma, E, I, s_0 \rangle$ where
1. $S$ is a finite set of locations.
2. $X$ is a finite set of clocks.
3. $\Sigma$ is a set of labels.
4. $E$ is a finite set of edges. Each edge $e \in E$ is a tuple $\langle s, a, \psi, \rho, s' \rangle$ where:
(a) $s \in S$ is the source location
(b) $s' \in S$ is the target location
(c) $a \in \Sigma$ is a label
(d) $\psi \in \Phi_X$ is the guard
(e) $\rho \subseteq X$ is the subset of clocks reset at the edge.
5. $I : S \to \Psi_X$ is a total function associating an invariant with each location.
6. $s_0 \in S$ is the initial location.
Notation 1 Given $A = \langle S, X, \Sigma, E, I, s_0 \rangle$ we define:
Given $e = \langle s, a, \psi, \rho, s' \rangle \in E$ we define:
2.3 Semantics 
A state of the timed automaton $A$ is a pair $(s, v) \in S \times V_X$ for which $v \models I(s)$. The set of states constitutes the State Space of the underlying labeled transition system of the timed automaton.
Definition 3 (Discrete Transitions) Let $e \in E$ be an edge. The state $(src(e), v)$ has a $Label(e)$ discrete transition to the state $(tgt(e), v')$, denoted $(src(e), v) \mapsto^{Label(e)} (tgt(e), v')$, if $v \models Guard(e)$ and $v' = Reset_{Reset(e)}(v)$.
Definition 4 (Time Transitions) Let $t \in \mathbb{R}_{\ge 0}$. The state $(s, v)$ has a time transition to $(s, v + t)$, denoted $(s, v) \mapsto^t (s, v + t)$, if for all $t' \le t$, $v + t' \models I(s)$.
A Labeled Transition System (LTS) for timed systems, or State Space Graph, $G = (Q, \mapsto^0, \mapsto^t, \Sigma)$ is any graph with two types of labeled edges, discrete and time edges. Discrete edges are labeled with labels of the alphabet $\Sigma$ (i.e., $Q \times \Sigma \times Q$). Time edges are labeled in $\mathbb{R}_{\ge 0}$ and satisfy the time continuity property [155] (i.e., for all $c, d \in \mathbb{R}_{\ge 0}$, $p \mapsto^{c+d} p''$ iff $p \mapsto^c p' \mapsto^d p''$ for some $p'$). The elements of $Q$ have a discrete part, projected by means of $^@$, which does not change in time transitions. The semantics of a TA $A$ can be given in terms of the LTS of $A$, denoted $G_A$, which is a graph which has as nodes the states of $A$ and whose two types of edges correspond to the discrete and time transitions of $A$, respectively. Notice that $G_A$ generally has an uncountable set of nodes and uncountable branching. Usually, we need to identify an initial state of an LTS. In the case of $G_A$ that initial state is $q_0 = (Init(A), \mathbf{0})$.
Notation 2 Given q = (s, v) we denote: 
2.3.1 Runs and Non Zenoness 
A run $r$ of $A$ starting at $q_0$ is an infinite sequence $q_0 \mapsto^{t_1} \mapsto^{a_1} q_1 \mapsto^{t_2} \mapsto^{a_2} q_2 \ldots$ of states and transitions in $G_A$.
The time of occurrence of the $n$th transition is equal to $\sum_{i \le n} t_i$ and is denoted as $r_T(n)$. A divergent run is a run such that $\sum_i t_i = \infty$. The set of divergent runs of a TA $A$ starting at state $q$ is denoted $R^T(q)$.
A timed label sequence accepted by a run is the timed word over $Labels(A) \cup \{\lambda\}$ obtained by projecting the labels of the transitions with their time of occurrence (i.e., given $r$, $(\sigma, \tau)$ is such that $\sigma_i = a_i$ and $\tau_i = r_T(i)$). The language of labels of the automaton $A$, denoted $L^\omega(A)$, is the set of timed label-words over $Labels(A) \cup \{\lambda\}$ that have an accepting infinite divergent run starting at the initial state. Given $R \subseteq Labels(A)$, $L^\omega_R(A)$ is the set of timed label-words of $L^\omega(A)$ filtered to show only labels that belong to $R$.
A finite run starting at state $q$ is simply a finite sequence of states and transitions starting at $q$. A timed automaton is Non-Zeno when any finite run starting at the initial state can be extended to a divergent run, that is, the set of finite runs is equal to the set of finite prefixes of divergent runs.
A timed automaton is Strongly Non-Zeno when any infinite run is divergent [149]. 
Positions 
Given $r \in R^T(q)$, a position is a pair $(i, t) \in \mathbb{N} \times \mathbb{R}_{\ge 0}$ such that $t \le t_i$.
We call $\Pi(r)$ the set of all positions of run $r$. We define a total order $\ll$ on $\Pi(r)$ as follows:
$(i, t) \ll (j, t')$ iff $i < j \vee (i = j \wedge t \le t')$
Given $(i, t) \in \Pi(r)$ its state, $r(i, t)$, is:
The time of position $(i, t) \in \Pi(r)$, denoted $r_T((i, t))$, is defined as $r_T(i) + t$.
We say that a state $w$ is reachable from state $q$ if there exists a run $r \in R^T(q)$ and a position $(i, t) \in \Pi(r)$ such that $w = r(i, t)$.
2.3.2 From Finite Runs to Finite Transition Language 
Now we define some concepts that help us in defining the LDI logic (Section 2.7.2). Suppose that, given a label $a$, there is at most one edge between two locations labeled $a$. Then, an edge is univocally identified by its source and target locations and its label.
The unique edge between locations $s$ and $s'$ labeled $a$ will be noted as a triple $\langle s, a, s' \rangle$. The first component of the triple is called the source ($src$), the second is the label ($label$) and the last one is the target ($tgt$).
Formally, the set of edge identifiers $E_{id}$ is $(Locs(A) \times Labels(A) \times Locs(A)) \cup \{(\bot, init, Init(A))\}$. We will identify an edge by its source and target locations, avoiding its label, if there is no confusion, i.e., there is at most one edge between any pair of locations. Note that there is an element to denote the initial transition; $\bot$ is its source location while its target location is the initial location of the TA.
A timed word over $E_{id}$ accepted by the finite run $r$ is defined as the subsequence of discrete transitions of $r$ and their times of occurrence, where $q_n \mapsto^a q_{n+1}$ is converted into $\langle q_n^@, a, q_{n+1}^@ \rangle$ and $\langle \bot, init, s_0 \rangle$ at time 0 is the first transition.
Note that given the $i$th transition $\sigma_i$ of a timed word $(\sigma, \tau)$, we can reconstruct the value of the clocks when entering location $tgt(\sigma_i)$ after the sequence $\sigma_{i]}$ of transitions. The calculation is simple: the value of a clock $x$ is $\tau_i - \tau_{last\text{-}\delta\text{-}in\text{-}\sigma_{i]}}$, where $\delta$ is the set of transitions that reset the clock $x$ (including $\sigma_0$). For example, let $(\sigma, \tau)$ be $((\bot, 0)\ (0, 1)\ (1, 2)\ (2, 3),\ 0\ 600\ 1000\ 1005)$ (a timed word accepted by the finite run $(0, 0) \mapsto^{600} (0, 600) \mapsto^{approach} (1, 0) \mapsto^{400} (1, 400) \mapsto^{in} (2, 400) \mapsto^{5} (2, 405) \mapsto^{exit} (3, 405)$ of the train automaton of Fig. 2.1) and let $x$ be the clock that is reset by the transitions in $\delta = \{(\bot, 0), (0, 1)\}$. Then the value of the clock $x$ when the automaton enters location 3 is $\tau_3 - \tau_{last\text{-}\delta\text{-}in\text{-}\sigma_{3]}} = 1005 - 600 = 405$.
If a TA is non-Zeno we can define the finite transition language of the timed automaton $A$ simply as the set of timed words over $E_{id}$ which have an accepting finite run. The finite transition language of $A$ is denoted $L(A)$. The untimed transition language of $A$ is the set of transition sequences $\sigma$ such that there exists a time sequence $\tau$ for which $(\sigma, \tau) \in L(A)$.
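The sequence operations of Sect. 2.1 and the clock reconstruction just described, as an added Python example that is not code from the thesis; the string used for $\bot$, the (source, target) encoding of transitions and the reading of the Train timing from Example 1 are our own assumptions.

```python
# Added example, not code from the thesis: the sequence operations of Sect. 2.1 and the
# clock reconstruction of Sect. 2.3.2, applied to the train timed word quoted in the text.
BOTTOM = "_|_"  # our encoding of the bottom symbol, the source of the initial transition


def last_x_in(s, x_set):
    """last-X-in-s: greatest index k with s_k in X and no later element of s in X; 0 if none."""
    for k in range(len(s) - 1, -1, -1):
        if s[k] in x_set:
            return k
    return 0


def is_time_sequence(tau):
    """A time sequence is a non-decreasing sequence of non-negative reals."""
    return all(t >= 0 for t in tau) and all(a <= b for a, b in zip(tau, tau[1:]))


def oplus(tau, tau2):
    """tau (+) tau': tau' is translated by last(tau) and then concatenated to tau."""
    assert is_time_sequence(tau) and is_time_sequence(tau2)
    shift = tau[-1] if tau else 0
    return list(tau) + [t + shift for t in tau2]


def clock_on_entry(sigma, tau, i, delta):
    """Clock value on entering tgt(sigma_i): tau_i - tau_{last-delta-in-sigma_{i]}}, where
    delta is the set of transitions that reset the clock (sigma_0 included)."""
    assert is_time_sequence(tau) and len(sigma) == len(tau) and 0 <= i < len(sigma)
    prefix = sigma[: i + 1]  # sigma_{i]}
    return tau[i] - tau[last_x_in(prefix, delta)]


# The timed word over E_id accepted by the finite run in the text: init at 0, approach at
# 600, in at 1000, exit at 1005; each transition is identified by (source, target).
TRAIN_WORD = ([(BOTTOM, 0), (0, 1), (1, 2), (2, 3)], [0, 600, 1000, 1005])
RESETS_X = {(BOTTOM, 0), (0, 1)}  # delta: the transitions resetting the train clock x


def train_clock_trace(word=TRAIN_WORD, delta=RESETS_X):
    """Value of x on entering each location along the run; the text gives 405 for location 3."""
    sigma, tau = word
    return [clock_on_entry(sigma, tau, i, delta) for i in range(len(sigma))]


def train_timing_ok(word=TRAIN_WORD, delta=RESETS_X):
    """Timing of the Train of Example 1 (our reading of the prose): entering the crossing
    (1 -> 2) needs x >= 300 and exit (2 -> 3) needs x <= 500."""
    sigma, tau = word
    x_at = dict(zip(sigma, train_clock_trace(word, delta)))
    return x_at[(1, 2)] >= 300 and x_at[(2, 3)] <= 500
```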
2.4 Parallel Composition 
Given a pair of TA $A$, $B$ with disjoint sets of clocks, the parallel composition ($A \parallel B$) is built by means of the Cartesian product of their locations, the union of clocks, and the synchronization of edges by common labels. The invariant of a compound location is the conjunction of the invariants of the components. The guard of a synchronized edge is the conjunction of the local conditions, while the set of clocks to be reset is the union of the local sets. Formally:
Definition 5 (Parallel composition) Given two TA $A_1 = \langle S_1, X_1, \Sigma_1, E_1, I_1, s_{0_1} \rangle$ and $A_2 = \langle S_2, X_2, \Sigma_2, E_2, I_2, s_{0_2} \rangle$ where $X_1 \cap X_2 = \emptyset$, let $\Sigma = \Sigma_1 \cap \Sigma_2$. The parallel composition $A_1 \parallel A_2$ is defined as $A = \langle S_1 \times S_2, X_1 \cup X_2, \Sigma_1 \cup \Sigma_2, E, I, \langle s_{0_1}, s_{0_2} \rangle \rangle$ such that:
It is easy to see that $((s_1, s_2), v_1 v_2) \mapsto^l ((s'_1, s'_2), v'_1 v'_2)$ iff either ($l \in \Sigma_1 \cap \Sigma_2 \vee l = t > 0$) and $(s_i, v_i) \mapsto^l (s'_i, v'_i)$ for $i = 1, 2$, or $l \in \Sigma_1 - \Sigma_2$ and $(s_1, v_1) \mapsto^l (s'_1, v'_1)$ and $(s'_2, v'_2) = (s_2, v_2)$, or $l \in \Sigma_2 - \Sigma_1$ and $(s_2, v_2) \mapsto^l (s'_2, v'_2)$ and $(s'_1, v'_1) = (s_1, v_1)$.
It is easy to see that the $\parallel$ operator is commutative and associative. We will denote by $\parallel_{i \in I} A_i$ the parallel composition of an indexed set of TA. If $q$ is a state of that parallel composition, $\Pi_{A_i}(q)$ will denote the local state of automaton $A_i$ (locations and local clock values).
Let us characterize when a parallel composition of $n$ TA can perform a discrete or time transition.
Fact 1
That is, for a discrete transition labeled $a$, all TA featuring that label must have it enabled at their current local state. Then, those TA perform an $a$-transition while the rest remain at the same local state. For a timed transition of length $t$, all TA must be able to make time elapse $t$ t.u.
[Figure 2.1: The Railroad Crossing System]
Example 1 Figure 2.1 shows the three components of the standard Railroad Crossing System presented in [d, 104]. They are synchronized at the labels approach, exit, lower, down. When Train approaches the crossing, it sends a signal approach to Controller and enters the crossing at least 300 seconds later. When Train leaves the crossing it sends a signal exit to Controller within 500 seconds after the signal approach has been sent. Controller sends a signal lower to the gate exactly 100 seconds after it has received the signal approach, and sends a raise signal within 100 seconds after it has received the signal exit. Gate responds to the signal lower by moving down within 100 seconds, and responds to the signal raise by moving up between 100 and 200 seconds.
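Definitions 2 to 5 and Fact 1 in executable form, as an added Python example that is not the thesis' own code. The Train, Controller and Gate are reconstructed from the prose of Example 1 because the figure is not reproduced here; their location names, invariants and exact guards are our assumptions.

```python
from collections import namedtuple
import operator

# Added example, not code from the thesis: Definitions 2-5 and Fact 1 in executable form.
# A constraint is a conjunction of atoms (clock, op, const); the empty tuple () is "true".
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge, "==": operator.eq}
Edge = namedtuple("Edge", "src label guard reset tgt")   # <s, a, psi, rho, s'>
TA = namedtuple("TA", "clocks labels edges inv init")   # <S, X, Sigma, E, I, s0>, S implicit

def E(src, label, tgt, guard=(), reset=()):
    return Edge(src, label, tuple(guard), frozenset(reset), tgt)

def locs(ta):
    return {e.src for e in ta.edges} | {e.tgt for e in ta.edges} | {ta.init}

def sat(v, phi):
    """v |= phi for a conjunction of atoms."""
    return all(OPS[op](v[x], c) for x, op, c in phi)

def discrete(ta, state, a):
    """Definition 3: every a-successor of (s, v); the target must respect its invariant."""
    s, v = state
    out = []
    for e in ta.edges:
        if e.src == s and e.label == a and sat(v, e.guard):
            v2 = {x: (0.0 if x in e.reset else v[x]) for x in v}  # Reset_rho(v)
            if sat(v2, ta.inv.get(e.tgt, ())):
                out.append((e.tgt, v2))
    return out

def delay(ta, state, t):
    """Definition 4: (s, v) -t-> (s, v + t) if I(s) holds for every t' <= t. Each atom is
    monotone in t', so checking t' = 0 and t' = t suffices for a conjunction."""
    s, v = state
    v2 = {x: val + t for x, val in v.items()}
    inv = ta.inv.get(s, ())
    return (s, v2) if sat(v, inv) and sat(v2, inv) else None

def compose(a, b):
    """Definition 5 / Fact 1: A || B synchronizes on common labels; a private label moves
    one component while the other keeps its location."""
    assert not (a.clocks & b.clocks), "components must have disjoint clocks"
    common, edges = a.labels & b.labels, []
    for ea in a.edges:
        if ea.label in common:
            edges += [Edge((ea.src, eb.src), ea.label, ea.guard + eb.guard, ea.reset | eb.reset,
                           (ea.tgt, eb.tgt)) for eb in b.edges if eb.label == ea.label]
        else:
            edges += [Edge((ea.src, sb),ea.label, ea.guard, ea.reset, (ea.tgt, sb)) for sb in locs(b)]
    for eb in b.edges:
        if eb.label not in common:
            edges += [Edge((sa, eb.src), eb.label, eb.guard, eb.reset, (sa, eb.tgt)) for sa in locs(a)]
    inv = {(sa, sb): a.inv.get(sa, ()) + b.inv.get(sb, ()) for sa in locs(a) for sb in locs(b)}
    return TA(a.clocks | b.clocks, a.labels | b.labels, tuple(edges), inv, (a.init, b.init))

def run(ta, steps):
    """Apply ('delay', t) / ('label', a) steps from the initial state; None if a step is disabled."""
    state = (ta.init, {x: 0.0 for x in ta.clocks})
    for kind, arg in steps:
        if kind == "delay":
            state = delay(ta, state, arg)
        else:
            succ = discrete(ta, state, arg)
            state = succ[0] if len(succ) == 1 else None
        if state is None:
            return None
    return state

# Components reconstructed from the prose of Example 1 (an assumption: the figure is not
# reproduced here, so location names, invariants and exact guards are ours).
TRAIN = TA(frozenset("x"), frozenset({"approach", "in", "exit"}), (
    E("far", "approach", "near", reset="x"),
    E("near", "in", "inside", guard=[("x", ">=", 300)]),
    E("inside", "exit", "far", guard=[("x", "<=", 500)])),
    {"near": (("x", "<=", 500),), "inside": (("x", "<=", 500),)}, "far")
CONTROLLER = TA(frozenset("y"), frozenset({"approach", "lower", "exit", "raise"}), (
    E("idle", "approach", "to_lower", reset="y"),
    E("to_lower", "lower", "lowered", guard=[("y", "==", 100)]),
    E("lowered", "exit", "to_raise", reset="y"),
    E("to_raise", "raise", "idle", guard=[("y", "<=", 100)])),
    {"to_lower": (("y", "<=", 100),), "to_raise": (("y", "<=", 100),)}, "idle")
GATE = TA(frozenset("z"), frozenset({"lower", "down", "raise", "up"}), (
    E("open", "lower", "lowering", reset="z"),
    E("lowering", "down", "closed", guard=[("z", "<=", 100)]),
    E("closed", "raise", "raising", reset="z"),
    E("raising", "up", "open", guard=[("z", ">=", 100), ("z", "<=", 200)])),
    {"lowering": (("z", "<=", 100),), "raising": (("z", "<=", 200),)}, "open")
SYSTEM = compose(compose(TRAIN, CONTROLLER), GATE)

# One crossing with the times of the finite run in Sect. 2.3.2: approach at 600, in at 1000, exit at 1005.
CROSSING = [("delay", 600), ("label", "approach"), ("delay", 100), ("label", "lower"),
            ("delay", 100), ("label", "down"), ("delay", 200), ("label", "in"), ("delay", 5),
            ("label", "exit"), ("delay", 50), ("label", "raise"), ("delay", 150), ("label", "up")]
```

Running `run(SYSTEM, CROSSING)` returns the final composite state, while a `lower` attempted before the controller clock reaches 100, or a delay that would violate an invariant, yields `None`.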
TA can also be extended to deal with shared variables over finite domains [61, 23].
Although the problem of reachability of TA is PSPACE-hard [2], it appears to be perfectly feasible in many interesting practical cases.1 Several successful tools have been developed to solve reachability and other verification problems ([61, 23, 146, 91], etc.). In general, those tools are based on some sort of symbolic representation of the infinite state space [158].
2.5 Propositional Valuation of Locations 
In order to model a real-time system, the automaton $A$ is usually associated with a mapping $P : Props \to 2^{Locs(A)}$ which assigns to each propositional variable a set of locations. If a location is in the image of some propositional variable then the proposition is interpreted as true while the automaton stays at that location. These mappings are an abstraction mechanism to predicate on states of TA, as we will show in the next sections.
Definition 6 (State Valuation) Given an LTS $G = (Q, \mapsto^{0}, \mapsto^{t}, \Sigma)$, a valuation $P : Props \to 2^{Q^@}$, and a state $q \in Q$, then $[q]_P = \{ pr \in Props \mid q^@ \in P(pr) \}$.
Example: 2 For the composition automaton of Fig. 2.2 (whose locations are triples indicating the local locations of its three components), let $Props = \{Up, Down, MovingUp, MovingDown, Dangerous, Trap\}$ and $P$ be
2.6 Bisimulations
As we will see later, there are some relations between states of an LTS that imply that they are equivalent in some sense. Here we present two well-known notions of timed bisimulation. Bisimulations for timed systems have been studied in the literature, often associated with extensions of process calculi (see, for instance, [137, 127, 155, 162, 115], etc.).
Definition 7 (Strong Timed Bisimulation) Given an LTS $G = (Q, \mapsto^{0}, \mapsto^{t}, \Sigma)$, a symmetric binary relation $B$ on $Q$ is a strong timed bisimulation if $(p, q) \in B$ implies that for all labels $a \in \Sigma \cup \{\lambda\}$ and $t \in \mathbb{R}_{\geq 0}$, whenever $p \mapsto^{a} p'$ (resp. $p \mapsto^{t} p'$) then, for some $q'$, $q \mapsto^{a} q'$ (resp. $q \mapsto^{t} q'$) and $(p', q') \in B$.
(1) However, the size of the models (locations, transitions, clocks, constants) is still a problematic issue.
Figure 2.2: The Railroad Crossing System with a Trap Location (Train, Controller and Gate automata; figure not reproduced)
As another example of a relation in an LTS we have weak timed equivalence, which is defined by abstracting from the labels of discrete transitions [155, 162, 115].
Definition 8 Given $t \in \mathbb{R}_{\geq 0}$ and two states $p_0, p_n$, then $p_0 \Rightarrow_{t} p_n$ iff there is a finite sequence $\sigma = p_0 \mapsto^{l_0}_{t_0} q_1 \mapsto^{l_1}_{t_1} \ldots p_n$ of states and transitions such that $\sum_i t_i = t$.
Definition 9 (Weak Timed Bisimulation) Given an LTS $G = (Q, \mapsto^{0}, \mapsto^{t}, \Sigma)$, a symmetric binary relation $B$ on $Q$ is a weak timed bisimulation if $(p, q) \in B$ implies that for all labels $a \in \Sigma \cup \{\lambda\}$ and $t \in \mathbb{R}_{\geq 0}$, whenever $p \mapsto^{a}_{t} p'$ then, for some $q'$, $q \Rightarrow_{t} q'$ and $(p', q') \in B$.
2.7 Some Logics for Real-Time Models 
Later in this thesis we will deal with requirements based on two real-time logics to reason on the underlying LTS: TCTL [3] and Linear Duration Invariants [106, 161]. These logics also illustrate the flavor of branching-time and linear-time logics, respectively.
2.7.1 Timed Computational Tree Logic 
TCTL (Timed Computational Tree Logic) was introduced in [3] as a quantitative-time extension of CTL, a very well-known branching-time logic introduced in [53].
Let $\mathcal{I}$ denote a set of intervals of $\mathbb{R}_{\geq 0}$ of the form $[c, c']$, $[c, c')$, $(c, c']$, $(c, c')$, $(c, \infty)$ and $[c, \infty)$, where $c, c' \in \mathbb{N}$. A formula in TCTL is defined according to the following syntax:
$\phi ::= true \mid pr \mid \neg\phi \mid \phi_1 \vee \phi_2 \mid \phi_1\, \exists U_I\, \phi_2 \mid \phi_1\, \forall U_I\, \phi_2$
where $pr \in Props$ is an atomic proposition and $I \in \mathcal{I}$ is an interval. Let $A$ be a Timed Automaton. Let $P : Props \to 2^{Locs(A)}$ be a function associating to each atomic proposition a set of locations of $A$. TCTL formulas are interpreted over states of $G_A$. Given a formula $\phi$ and a state $q$, the satisfaction relation $q \models_P \phi$ is defined inductively on the syntax of $\phi$ as follows (we omit the subscript $P$ for simplicity):
$q \models true$
$q \models pr$ iff $q^@ \in P(pr)$
$q \models \neg\phi$ iff not $q \models \phi$
$q \models \phi_1 \vee \phi_2$ iff $q \models \phi_1$ or $q \models \phi_2$
$q \models \phi_1\, \exists U_I\, \phi_2$ iff $\exists r \in R^{\omega}(q)$ and $\exists k \in \Pi(r)$ such that $r_\tau(k) \in I$ and $r(k) \models \phi_2$ and $\forall m \in \Pi(r).\ m \ll k$ implies either $r(m) \models \phi_1$ or ($r(m) \models \phi_2$ and $r_\tau(m) \in I$)
$q \models \phi_1\, \forall U_I\, \phi_2$ iff $\forall r \in R^{\omega}(q)$, $\exists k \in \Pi(r)$ such that $r_\tau(k) \in I$ and $r(k) \models \phi_2$ and $\forall m \in \Pi(r).\ m \ll k$ implies either $r(m) \models \phi_1$ or ($r(m) \models \phi_2$ and $r_\tau(m) \in I$)
Example: 3 On the rail crossing system we can ask, using TCTL, whether whenever the train is in a dangerous state then the gate goes down within 200 time units: $\forall\Box(Dangerous \to true\, \forall U_{[0,200]}\, Down)$.
Some usual abbreviations are $\exists\Diamond_I\, \phi =_{def} true\, \exists U_I\, \phi$, $\forall\Diamond_I\, \phi =_{def} true\, \forall U_I\, \phi$, $\exists\Box_I\, \phi =_{def} \neg\forall\Diamond_I\, \neg\phi$, and $\forall\Box_I\, \phi =_{def} \neg\exists\Diamond_I\, \neg\phi$.
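As an added illustration of the semantics above (example code written for this edition, not part of the thesis), the following Python evaluates $\phi_1\, \exists U_I\, \phi_2$ and $\exists\Box_I\, \phi$ on a discrete-time LTS in which time advances by unit "tick" transitions, and combines them through the abbreviations just listed to decide a response property of the shape of Example 3. The model it runs on is a constructed, hand-abstracted crossing whose constants are scaled down (Down is guaranteed at most 2 t.u. after Dangerous); its states, labels and valuation are assumptions, as is the non-zeno property that lets a prefix which has passed the interval's upper bound count as a witness for $\exists\Box_I$. Integer interval bounds and unit ticks are what make the bounded search over positions (state, elapsed time) exact.

```python
from collections import deque
from typing import Callable, Dict, FrozenSet, Set, Tuple

State = str
Props = FrozenSet[str]
Pred = Callable[[Props], bool]
# Discrete-time LTS: state -> set of (label, successor). "tick" lets 1 t.u. elapse;
# a state with no "tick" move is urgent (its invariant forbids letting time pass).
LTS = Dict[State, Set[Tuple[str, State]]]

# Constructed abstraction of the crossing (assumption, not the automata of Fig. 2.1/2.2):
# the clock is encoded in the state names (lowering, lowering1, lowering2, ...).
CROSSING: LTS = {
    "far":        {("tick", "far"), ("approach", "near")},
    "near":       {("lower", "lowering")},
    "lowering":   {("tick", "lowering1"), ("down", "down")},
    "lowering1":  {("tick", "lowering2"), ("down", "down")},
    "lowering2":  {("down", "down")},
    "down":       {("tick", "down"), ("exit", "down_clear")},
    "down_clear": {("tick", "down_clear"), ("raise", "raising")},
    "raising":    {("tick", "raising1")},
    "raising1":   {("tick", "raising2"), ("up", "far")},
    "raising2":   {("up", "far")},
}
VAL: Dict[State, Props] = {
    "far": frozenset({"Up"}), "near": frozenset({"Up", "Dangerous"}),
    "lowering": frozenset({"MovingDown", "Dangerous"}),
    "lowering1": frozenset({"MovingDown", "Dangerous"}),
    "lowering2": frozenset({"MovingDown", "Dangerous"}),
    "down": frozenset({"Down", "Dangerous"}), "down_clear": frozenset({"Down"}),
    "raising": frozenset({"MovingUp"}), "raising1": frozenset({"MovingUp"}),
    "raising2": frozenset({"MovingUp"}),
}


def _elapse(t: int, label: str) -> int:
    return t + 1 if label == "tick" else t


def exists_until(lts: LTS, val, start: State, phi1: Pred, phi2: Pred, lo: int, hi: int) -> bool:
    """start |= phi1 EU_[lo,hi] phi2: breadth-first search over positions (state, elapsed)
    for a witness position k with time in [lo, hi] and phi2 such that every earlier
    position satisfies phi1 (a phi2 position inside the interval is itself a witness)."""
    frontier, seen = deque([(start, 0)]), {(start, 0)}
    while frontier:
        s, t = frontier.popleft()
        if lo <= t <= hi and phi2(val[s]):
            return True
        if not phi1(val[s]):
            continue                      # this prefix can no longer be a witness
        for label, s2 in lts[s]:
            t2 = _elapse(t, label)
            if t2 <= hi and (s2, t2) not in seen:
                seen.add((s2, t2))
                frontier.append((s2, t2))
    return False


def exists_globally(lts: LTS, val, start: State, phi: Pred, lo: int, hi: int) -> bool:
    """start |= EG_[lo,hi] phi: some run keeps phi at every position whose time lies in
    [lo, hi]. Assumes a non-zeno model: a prefix that has passed time hi can be
    extended to a divergent run with no further obligation, so it is a witness."""
    stack, seen = [(start, 0)], {(start, 0)}
    while stack:
        s, t = stack.pop()
        if t > hi:
            return True
        if lo <= t <= hi and not phi(val[s]):
            continue
        for label, s2 in lts[s]:
            t2 = _elapse(t, label)
            if (s2, t2) not in seen:
                seen.add((s2, t2))
                stack.append((s2, t2))
    return False


def reachable(lts: LTS, start: State) -> Set[State]:
    seen, todo = {start}, [start]
    while todo:
        s = todo.pop()
        for _, s2 in lts[s]:
            if s2 not in seen:
                seen.add(s2)
                todo.append(s2)
    return seen


def response_holds(lts: LTS, val, start: State, trigger: Pred, goal: Pred, deadline: int) -> bool:
    """AG(trigger -> AF_[0,deadline] goal), the shape of Example 3, via the abbreviations
    AF_I phi = not EG_I not phi and AG phi = "phi at every reachable state"."""
    return all(not trigger(val[s])
               or not exists_globally(lts, val, s, lambda v: not goal(v), 0, deadline)
               for s in reachable(lts, start))
```

With `DANGER = lambda v: "Dangerous" in v` and `DOWN = lambda v: "Down" in v`, `response_holds(CROSSING, VAL, "far", DANGER, DOWN, 2)` is True, and tightening the deadline to 1 makes it False because the run that ticks twice in the lowering states reaches Down only at time 2.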
2.7.2 Linear Duration Invariants 
Linear Duration Invariants (LDI in the sequel) [106, 161] are a family of real-time properties over the finite runs of timed automata. LDI formulas are Duration Calculus (DC) formulas of the form
$\sum_{b \in B} c_b \int b \bowtie M$
where $B$ is a finite set of boolean expressions over $Props$, $c_b$ and $M$ are reals, and $\bowtie \in \{\leq, <, \geq, >\}$. Given a run of the automaton $A$, the expression $\int b$ stands for the accumulated time in which $b$ evaluates to true, i.e., the time that the automaton stays in $b$-states. Note that accumulation is featured by neither TA nor TCTL.
Given a TA $A$ and a subset of locations $F \subseteq Locs(A)$, the LDI $(\varphi, F)$ is valid over the automaton $A$ when $\sum_{b \in B} c_b \int b$, the duration expression, satisfies the comparison to $M$ for those timed words accepted by finite runs of $A$ which arrive at a location in $F$. $(\varphi, F)$ is satisfiable over the automaton $A$ when $\sum_{b \in B} c_b \int b$, the duration expression, satisfies the comparison to $M$ over at least one timed word accepted by a finite run of $A$ which arrives at a location in $F$. Clearly, an algorithm to solve validity can be used to solve satisfiability (by complementing the result of checking the negated comparison) and vice versa.
Definition 10
where $\alpha : S \to \mathbb{R}$ is the mapping assigning the contribution of each location to the linear duration expression, defined as
$\alpha(s) =_{def} \sum \{ c_b \mid b \in B \wedge \{ pr \in Props \mid s \in P(pr) \} \models b \}$
Definition 11
$A \models_P (\varphi, F) =_{def} \forall (\sigma, \tau) \in L(A).\ tgt(last(\sigma)) \in F \Rightarrow (\sigma, \tau) \models_P \varphi$
Example: 4 Let $A$ be the parallel composition of the rail crossing system of Fig. 2.2 and $F$ the subset of locations of $A$ which validate $Trap$. Then $(2 \int (Dangerous \wedge \neg Trap) - \int ((MovingDown \vee MovingUp \vee Down) \wedge \neg Trap) \geq 0,\ F)$ is valid over $A$ iff the time the crossing is disabled is not greater than two times the time the train spent in the danger zone. Note that the analyzed runs must end with the up event. The mapping $\alpha$ associated with the mapping $P$ is
Let $\sigma = (I, \lambda, 000)(000, approach, 101)(101, lower, 112)(112, down, 122)$ and $\tau = (0\ 600\ 700\ 750)$. Then $f_{S,P}(\sigma, \tau) = 0 \times 600 + 2 \times 100 + 1 \times 50 = 250$.
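The computation of Example 4, carried out in Python as an added example (not code from the thesis): the contribution $\alpha$ of each product location is derived from a valuation $P$, the duration expression is accumulated over a timed word $(\sigma, \tau)$ as in Definitions 10 and 11, and validity is then checked over an explicit finite set of accepted timed words ending in $F$. The valuation of the product locations, the extra locations "022", "023" and "TRAP", and the two continuation words are constructed assumptions; they are our reading of Fig. 2.2, not a table from the thesis.

```python
from typing import Callable, Dict, FrozenSet, List, Tuple

Props = FrozenSet[str]
Loc = str                                        # product location written as in Example 4, e.g. "101"
Term = Tuple[float, Callable[[Props], bool]]     # (c_b, b): coefficient and boolean expression over Props
TimedWord = Tuple[List[Tuple[Loc, str, Loc]], List[float]]   # (sigma, tau)

# Constructed valuation P of a few product locations (assumption: our reading of Fig. 2.2;
# "022", "023" and "TRAP" are placeholder names for locations after the train has left).
P: Dict[str, FrozenSet[Loc]] = {
    "Dangerous": frozenset({"101", "112", "122"}),
    "Up": frozenset({"000", "101"}),
    "MovingDown": frozenset({"112"}),
    "Down": frozenset({"122", "022"}),
    "MovingUp": frozenset({"023"}),
    "Trap": frozenset({"TRAP"}),
}


def props_at(loc: Loc, val: Dict[str, FrozenSet[Loc]]) -> Props:
    """[loc]_P of Definition 6: the propositions whose image contains loc."""
    return frozenset(pr for pr, locs in val.items() if loc in locs)


def alpha(loc: Loc, terms: List[Term], val: Dict[str, FrozenSet[Loc]]) -> float:
    """Contribution of one location to the duration expression: the sum of the
    coefficients c_b of the terms whose boolean expression b holds at loc."""
    ps = props_at(loc, val)
    return sum(c for c, b in terms if b(ps))


def duration_value(word: TimedWord, terms: List[Term], val: Dict[str, FrozenSet[Loc]]) -> float:
    """sum_b c_b * int(b) along the timed word: the target location of the i-th
    transition is occupied from tau[i] to tau[i+1]; the last location adds nothing
    because the word ends there."""
    sigma, tau = word
    return sum(alpha(sigma[i][2], terms, val) * (tau[i + 1] - tau[i])
               for i in range(len(tau) - 1))


def ge(x: float, y: float) -> bool:
    return x >= y


def ldi_valid(words: List[TimedWord], F: FrozenSet[Loc], terms: List[Term],
              cmp: Callable[[float, float], bool], M: float,
              val: Dict[str, FrozenSet[Loc]]) -> bool:
    """Definition 11 over an explicit finite set of accepted timed words: the comparison
    must hold for every word whose last transition ends in F."""
    return all(cmp(duration_value(w, terms, val), M) for w in words if w[0][-1][2] in F)


# The LDI of Example 4:
#   2 * int(Dangerous and not Trap) - int((MovingDown or MovingUp or Down) and not Trap) >= 0
LDI_TERMS: List[Term] = [
    (2, lambda v: "Dangerous" in v and "Trap" not in v),
    (-1, lambda v: bool({"MovingDown", "MovingUp", "Down"} & v) and "Trap" not in v),
]
# The timed word of Example 4 (the initial pseudo-transition enters location 000 at time 0).
WORD_EX4: TimedWord = (
    [("I", "lambda", "000"), ("000", "approach", "101"),
     ("101", "lower", "112"), ("112", "down", "122")],
    [0, 600, 700, 750],
)
# Two constructed continuations that end with the up event, i.e. in the trap location:
# the gate reopens promptly (valid) or stays closed long after the train left (invalid).
WORD_OK: TimedWord = (
    WORD_EX4[0] + [("122", "exit", "022"), ("022", "raise", "023"), ("023", "up", "TRAP")],
    [0, 600, 700, 750, 900, 950, 1100],
)
WORD_BAD: TimedWord = (WORD_OK[0], [0, 600, 700, 750, 760, 1000, 1200])
F_TRAP: FrozenSet[Loc] = frozenset({"TRAP"})
```

`duration_value(WORD_EX4, LDI_TERMS, P)` returns 250, the value computed in the example; `ldi_valid` ignores WORD_EX4 because it does not end in $F$, accepts WORD_OK (value 200) and rejects a set containing WORD_BAD (value -180), which is the "crossing disabled too long" situation the invariant is meant to exclude.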
Since LDIs are universal properties, it is obvious that
Lemma 1 For any pair of automata $A$ and $A'$ such that $L(A) \subseteq L(A')$, and $F \subseteq Locs(A) \cap Locs(A')$, then $A' \models_P \varphi \Rightarrow A \models_P \varphi$.
Proof 1 $A' \models_P (\varphi, F) =_{def} \forall (\sigma, \tau) \in L(A').\ tgt(last(\sigma)) \in F \Rightarrow (\sigma, \tau) \models_P \varphi$. Since $L(A) \subseteq L(A')$ then $\forall (\sigma, \tau) \in L(A).\ tgt(last(\sigma)) \in F \Rightarrow (\sigma, \tau) \models_P \varphi$, and by definition $A \models_P (\varphi, F)$.

Chapter 3
Extensions on Timed Systems Theory
In this chapter we present the theoretical kernel of this work. Firstly, we present definitions and results which are the base of our abstraction techniques. Secondly, we present an I/O version of TA that we call I/O Timed Components, which satisfies some important modeling properties.
3.1 Property Preserving Simulations 
We want to define the theoretical notions that support the correctness of some of our abstraction mechanisms. In order to do that, we define when a TA can simulate another one up to a set of labels considered as relevant (or visible) and a set of propositional variables used to observe states. We will see that two TA so related are indistinguishable w.r.t. linear-time properties. These simulations are inspired by the idea of observational timed simulation found elsewhere ([155, 111], etc.) and by state-event observers [116] for discrete time, and take into account not only visible events but the propositional assignment as well.
Definition 12 Let $G$ be the LTS of a timed system and $Q^@$ the discrete locations of $G$. Given $t \in \mathbb{R}_{\geq 0}$, a set of labels $R$, $Props$ a set of propositional variables, and $P : Props \to 2^{Q^@}$ a propositional assignment to locations, the state $q_0$ has a time transition to $q_n$ up to $R$ and $P$, denoted $q_0 \Rightarrow^{R,P}_{t} q_n$, if and only if there is a finite sequence $q_0 \mapsto^{a_0}_{t_0} q_1 \mapsto^{a_1}_{t_1} \ldots q_n$ of states and transitions such that $\sum_{i=0}^{n-1} t_i = t$ and for all $0 \leq i < n$: $a_i \notin R$, and $[q_0]_P = [q_i]_P$ ($1 \leq i \leq n$) (remember $\mapsto^{a_i}_{t_i}$ could be a $\lambda$-transition, i.e., a stutter).
Definition 13 (Simulation) Given two TA $A_1$ and $A_2$, a set of labels $R$, $Props$ a set of propositional variables, and $P_i : Props \to 2^{Q^@_{A_i}}$ ($i = 1, 2$) a propositional assignment to the locations of $Q_{A_1}$ and $Q_{A_2}$ resp.; a relation $S_R$ between the state space of $G_{A_1}$ and the state space of $G_{A_2}$ (i.e., $S_R \subseteq Q_{A_1} \times Q_{A_2}$) is a simulation w.r.t. $R$ and $P_i$ ($i = 1, 2$) iff for all pairs $(p, q) \in S_R$, $[p]_{P_1} = [q]_{P_2}$ and for all $a \in Labels(A) \cup \{\lambda\}$ and $t \in \mathbb{R}_{\geq 0}$ the following conditions hold:
(a) whenever $p \mapsto^{a}_{t} p'$ and $a \in R$ then, for some $q', q_1, q_2$: $q \Rightarrow^{R,P_2}_{0} q_1 \mapsto^{a}_{t} q_2 \Rightarrow^{R,P_2}_{0} q'$ and $(p', q') \in S_R$, and
(b) whenever $p \mapsto^{a}_{t} p'$ and $a \notin R$ then, for some $q'$: $q \Rightarrow^{R,P_2}_{t} q'$ and $(p', q') \in S_R$.
A timed automaton $A_2$ simulates $A_1$ up to $R$ and $P_i$ ($i = 1, 2$), denoted $A_1 \preceq^{P_1,P_2}_{R} A_2$, if and only if there exists a relation $S_R \subseteq Q_{A_1} \times Q_{A_2}$, a simulation w.r.t. $R$, $P_i$ ($i = 1, 2$), such that the initial states are related by $S_R$. By using the identity relation it is easy to see that $\preceq$ is reflexive (i.e., $A \preceq^{P,P}_{R} A$) and, by using the composition of simulations, it can be proved that it is a transitive relation (i.e., $A_1 \preceq^{P_1,P_2}_{R} A_2$ and $A_2 \preceq^{P_2,P_3}_{R} A_3$ imply $A_1 \preceq^{P_1,P_3}_{R} A_3$).
We say that two TA $A_1$ and $A_2$ are simulation equivalent up to $R$, $P_i$ ($i = 1, 2$), denoted $A_1 \approx^{P_1,P_2}_{R} A_2$, if and only if $A_1 \preceq^{P_1,P_2}_{R} A_2$ and $A_2 \preceq^{P_2,P_1}_{R} A_1$.
Notation 3 Whenever the propositional assignment has no importance ($Props = \emptyset$, states are unobservable) we just omit it as a superscript. The same criterion is applied when the set of labels $R$ is the empty set.
The following results hold:
- If $A_1 \preceq_R A_2$ then for any run of $A_1$ there is a run of $A_2$ that shows the same $R$-labels with the same occurrence times (i.e., $L_R(A_1) \subseteq L_R(A_2)$).
- On the other hand, $A \preceq_{Labels(A)} A \parallel C$ holds if $C$ has the following property: for all $a \in Labels(A)$ and for all reachable states $q$, there exists a state $q'$ such that $q \mapsto^{a} q'$ (non-blocking).
Lemma 2 (Congruence) Given three TA $A_1$, $A_2$ and $C$ such that $A_1 \preceq_R A_2$ and $Labels(A_1) \cap Labels(C) = Labels(A_2) \cap Labels(C) \subseteq R$, and $P : Props \to 2^{Locs(C)}$, then $C \parallel A_1 \preceq^{P_1,P_2}_{R} C \parallel A_2$, where $P_i$ ($i = 1, 2$) are the natural extensions of $P$ to the respective Cartesian products.
Proof 2 Let $S_R$ be the simulation between $A_1$ and $A_2$. We extend the simulation to $A_1 \parallel C$ and $A_2 \parallel C$ by also requiring that the $C$ part of the state be identical for related states (i.e., $(p, q) \in S^*_R$ iff $\Pi_{A_1}(p)\, S_R\, \Pi_{A_2}(q)$ and $\Pi_C(p) = \Pi_C(q)$). This is indeed a simulation. In fact, let $(p, q) \in S^*_R$; firstly, note that, due to the characterization of the parallel composition, any discrete transition in $G_{A_1 \parallel C}$ from state $p$ to state $p'$ is a discrete transition of $A_1$ and/or a discrete transition of $C$. If it is just a local transition of $C$ it follows that $q$ can also perform the jump to a bisimilar state. If $\Pi_{A_1}(p) \mapsto^{a} \Pi_{A_1}(p')$ and $a \in R$ then, for some $q', q_1, q_2$: $\Pi_{A_2}(q) \Rightarrow^{R}_{0} q_1 \mapsto^{a} q_2 \Rightarrow^{R}_{0} \Pi_{A_2}(q')$ and $(p', q') \in S^*_R$. From the fact that non-relevant labels do not synchronize and $\Pi_C(q)$ can stutter and perform the same discrete jump as $\Pi_C(p)$, we conclude that $q \Rightarrow^{R}_{0} s_1 \mapsto^{a} s_2 \Rightarrow^{R}_{0} q'$ and $(p', q') \in S^*_R$.
By using similar arguments, if $p \mapsto^{a}_{t} p'$ and $a \notin R$ then it is easy to see that both projections can perform non-synchronized runs and, for some $q'$, $q \Rightarrow^{R}_{t} q'$ and $(p', q') \in S^*_R$.
It follows that
Corollary 1 Given three TA $A_i$ ($i = 1, 2$) and $O$, and a labeling function $P : Props \to 2^{Locs(O)}$, if $A_1 \approx_{Labels(O)} A_2$ (simulation equivalent) then $A_1 \parallel O \approx^{P_1,P_2} A_2 \parallel O$, where $P_i$ ($i = 1, 2$) are the natural extensions of $P$ to the respective Cartesian products.
Theorem 1 Given two TA $A_i$ ($i = 1, 2$) and a function associating to each atomic proposition a set of locations of $A_i$, $P_i : Props \to 2^{Locs(A_i)}$ ($i = 1, 2$). Assume that $A_1 \preceq^{P_1,P_2} A_2$; then for any reachable state $p \in G_{A_1}$ there exists a reachable state $q \in G_{A_2}$ such that $[p]_{P_1} = [q]_{P_2}$.
Proof 3 Naturally, simulation means that we can mimic runs at the propositional level. That is, given any finite run $r_1 = q_0 \mapsto^{a_0}_{t_0} q_1 \mapsto^{a_1}_{t_1} \ldots q_n$ we can find a simulation of it, namely $r_2$, of the same time length by applying $n$ times the simulation definition.
Not only reachability is preserved through simulations; in general, logics based on linear time are preserved through simulations. Now we will see that LDI is preserved through simulations.
Theorem 2 Given two TA $A_i$ ($i = 1, 2$) and a function associating to each atomic proposition a set of locations of $A_i$, $P_i : Props \to 2^{Locs(A_i)}$ ($i = 1, 2$). Let $\varphi$ be an LDI formula on $Props$. Assume that $A_1 \approx^{P_1,P_2} A_2$; then $A_1 \models_{P_1} \varphi \Leftrightarrow A_2 \models_{P_2} \varphi$.
Proof 4 Simulation means that we can mimic runs at the propositional level. That is, given any finite run $r_1$ we can find a simulation of it, namely $r_2$, of the same time length by applying repeatedly the simulation definition. It is then clear that the timed words accepted by $r_1$ and $r_2$, when projected onto the transitions which really change the propositional assignment, exhibit the same time sequence. Therefore the LDI has the same truth value (see Sect. 2.7.2).
From the last Theorem and Corollary 1 it follows:
Corollary 2 Given three TA $A_i$ ($i = 1, 2$) and $O$, and a labeling function $P : Props \to 2^{Locs(O)}$, if $A_1 \approx_{Labels(O)} A_2$ (simulation equivalent) then for all LDI $\varphi$, $A_1 \parallel O \models_{P_1} \varphi$ iff $A_2 \parallel O \models_{P_2} \varphi$, where $P_i$ ($i = 1, 2$) are the natural extensions of $P$ to the respective Cartesian products.
3.2 Property Preserving Bisimulations: CO-Bisimulations
In this section we present a notion of bisimulation which is weaker than the strong timed bisimulation (see Chapter 2) and still preserves the branching structure of a timed system. It is important to note that traditional weak bisimulations like the one presented in Definition 9, even when respecting the propositional assignment (i.e., $(p, q) \in B$ implies $[p]_P = [q]_P$), do not necessarily preserve TCTL; actually, they do not preserve the branching structure. This fact is well known for the untimed case, where the concept of "branching bisimulation" [81, 65] was introduced to solve this problem. In [157] there is a proposal for timed systems based on that branching bisimulation; its author proves TCTL preservation for a subset of timed systems (systems whose states do not have a timed and a discrete jump simultaneously enabled). Here we present a dual notion taking into account events and states. Roughly speaking, the main result of this section states that two timed systems which are, as we define it, Continuous Observational bisimilar satisfy the same set of TCTL formulas. In the next chapters we show how to automatically build abstractions which are CO-bisimilar systems. Thanks to the results shown in this chapter, we are able to conclude that the abstractions are exact up to TCTL satisfaction.
Definition 14 Let $G$ be the LTS of a timed system. Given $t \in \mathbb{R}_{\geq 0}$, $R \subseteq \Sigma$, a relation between states $B$, and two states $q_0$ and $p$ such that $(p, q_0) \in B$, the state $q_0$ has an observationally-$\tau$ transition w.r.t. $B$, $p$ and $R$, of length $t$ to $q_n$, denoted $q_0 \Rightarrow^{B,p,R}_{t} q_n$, iff there is a finite sequence $r = q_0 \mapsto^{l_0}_{t_0} q_1 \mapsto^{l_1}_{t_1} \ldots q_n$ of states and transitions such that $\sum_{i=0}^{n-1} t_i = t$, for every position $k \in \Pi(r)$, $(p + r_\tau(k), r(k)) \in B$, and $l_i \notin R$ ($i = 0..n-1$) (remember $\mapsto^{l_i}_{t_i}$ could be $\mapsto^{\lambda}$, i.e., a stutter).
Definition 15 (Continuous Observational Bisimulations) Given an LTS $G = (Q, \mapsto^{0}, \mapsto^{t}, \Sigma)$, $R \subseteq \Sigma$ and a propositional assignment $P : Props \to 2^{Q^@}$, a symmetric binary relation $B$ on $Q$ is a continuous observational bisimulation (CO-bisimulation) w.r.t. $R$ and $P$ if $(p, q) \in B$ implies that $[p]_P = [q]_P$ and, for all $a \in \Sigma$ and $t \in \mathbb{R}_{\geq 0}$:
(a) whenever $p \mapsto^{a} p'$ and $a \notin R$ then, for some $q', q'' \in Q$ and $a' \in (\Sigma \cup \{\lambda\}) \setminus R$, $q \Rightarrow^{B,p,R}_{0} q' \mapsto^{a'} q''$ and $(p', q'') \in B$;
(b) whenever $p \mapsto^{a} p'$ and $a \in R$ then, for some $q', q'' \in Q$, $q \Rightarrow^{B,p,R}_{0} q' \mapsto^{a} q''$ and $(p', q'') \in B$;
(c) whenever $p \mapsto^{t} p'$ then, for some $q' \in Q$, $q \Rightarrow^{B,p,R}_{t} q'$ (which also means that $(p', q') \in B$).
Two TA $A_1$ and $A_2$ are Continuous Observational bisimilar (CO-bisimilar) w.r.t. $R$ and $P_i$ ($i = 1, 2$), written $A_1 \cong^{P_1,P_2}_{R} A_2$, iff there exists a continuous observational bisimulation w.r.t. $R$ and $P_1 \cup P_2$ in the union of their LTSs, $G_{A_1}$ and $G_{A_2}$, such that their initial states are bisimilar.
Notation 4 If the propositional assignment has no importance (i.e., $Props = \emptyset$, all states are identical) we just omit it as a superscript. The same criterion is applied when the set of labels $R$ is the empty set.
Note that since the definition of CO-bisimilarity is more restrictive than simulation equivalence (the definition requires $B$ and $B^{-1}$ to be a particular case of simulations, namely simulations that hold at every time), $A_1 \cong^{P_1,P_2}_{R} A_2$ implies $A_1 \approx^{P_1,P_2}_{R} A_2$.
Like simulation equivalence, CO-bisimilarity is an equivalence relation: it is reflexive (identity relation), symmetric (the relation itself is symmetric) and transitive (i.e., $A_1 \cong^{P_1,P_2}_{R} A_2$ and $A_2 \cong^{P_2,P_3}_{R} A_3$ imply $A_1 \cong^{P_1,P_3}_{R} A_3$, by composing relations).
Figure 3.1: Two Continuous Observational Equivalent Automata (figure not reproduced)
Example: 5 In the example of Fig. 3.2, the CO-bisimulation is $(s, x)\, B\, (s', x', y)$ iff $x = x'$ and ($s = 0 \wedge (s' = 0 \vee s' = 2)$ or $s = 1 \wedge (s' = 1 \vee s' = 3)$).
Let us prove the transitivity property:
Proof 5 The proof is cumbersome but straightforward.
We know that $A_1 \cong^{P_1,P_2}_{R} A_2$ and $A_2 \cong^{P_2,P_3}_{R} A_3$. Let $B_{12}$ and $B_{23}$ be the respective bisimulation relations. We define $B_{13}$, or shortly $B$, as: $(p_1, p_3) \in B \Leftrightarrow \exists p_2.\ (p_1, p_2) \in B_{12} \wedge (p_2, p_3) \in B_{23}$. $B$ is symmetric since $B_{12}$ and $B_{23}$ are so. Also $[p_1]_P = [p_2]_P = [p_3]_P$, where $P = P_1 \cup P_2 \cup P_3$.
Now, if $p_1 \mapsto^{a} p_1'$ and $a \notin R$, then $p_2 \Rightarrow^{B_{12},p_1,R}_{0} p_2' \mapsto^{a'} p_2''$, with $a' \notin R$, and $(p_1', p_2'') \in B_{12}$. Note that $(p_1, p_2') \in B_{12}$. By Lemma (I), to be proved afterwards, $p_3 \Rightarrow^{B,p_1,R}_{0} p_3'$ and $(p_2', p_3') \in B_{23}$; then $p_3' \Rightarrow^{B_{23},p_2',R}_{0} w_3 \mapsto^{a''} p_3''$, such that $a'' \notin R$, and $(p_2'', p_3'') \in B_{23}$. By Lemma (II), $p_3' \Rightarrow^{B,p_1,R}_{0} w_3$. Thus, putting all the results together: $p_3 \Rightarrow^{B,p_1,R}_{0} p_3' \Rightarrow^{B,p_1,R}_{0} w_3 \mapsto^{a''} p_3''$, such that $(p_2'', p_3'') \in B_{23}$, and finally $p_3 \Rightarrow^{B,p_1,R}_{0} w_3 \mapsto^{a''} p_3''$, such that $a'' \notin R$, and $(p_1', p_3'') \in B$.
The case $a \in R$ is similar.
Now, if $p_1 \mapsto^{t} p_1'$, then we know that $p_2 \Rightarrow^{B_{12},p_1,R}_{t} p_2'$, such that $(p_1', p_2') \in B_{12}$, and by Lemma (I) $p_3 \Rightarrow^{B,p_1,R}_{t} p_3'$ such that $(p_2', p_3') \in B_{23}$, and then $(p_1', p_3') \in B$.
It remains to state and prove Lemma I and Lemma II:
Lemma I: Suppose that $p_1, p_1 + t \in Q$, $(p_1, p_2) \in B_{12}$ and $(p_2, p_3) \in B_{23}$. If $p_2 \Rightarrow^{B_{12},p_1,R}_{t} p_2'$, then $p_3 \Rightarrow^{B,p_1,R}_{t} p_3'$ and $(p_2', p_3') \in B_{23}$.
We know that $r = p_2 \mapsto^{l_0}_{t_0} q_1 \mapsto^{l_1}_{t_1} \ldots q_n = p_2'$, such that $\sum t_i = t$, and for every position $k \in \Pi(r)$, $(p_1 + r_\tau(k), r(k)) \in B_{12}$, and $l_i \notin R$ (for $i = 0..n-1$). We prove it by induction on $n$:
Case $n = 1$ and $t_0 = 0$: $p_2 \mapsto^{l_0}_{0} q_1 = p_2'$; since $(p_2, p_3) \in B_{23}$ then $p_3 \Rightarrow^{B_{23},p_2,R}_{0} w_3 \mapsto^{l_0'} p_3'$ and $(p_2', p_3') \in B_{23}$. Since $(p_1, p_2') \in B_{12}$, then $(p_1, p_3') \in B$; then by Lemma (II) $p_3 \Rightarrow^{B,p_1,R}_{0} w_3$, therefore $p_3 \Rightarrow^{B,p_1,R}_{0} p_3'$ and $(p_2', p_3') \in B_{23}$.
Case $n = 1$ and $t_0 > 0$: $p_2 \mapsto^{\lambda}_{t_0} q_1 = p_2'$; then we know that $p_3 \Rightarrow^{B_{23},p_2,R}_{t_0} p_3'$ and $(p_2', p_3') \in B_{23}$. Then, by Lemma (II), $p_3 \Rightarrow^{B,p_1,R}_{t_0} p_3'$.
Case $n + 1$, $l_0 \neq \lambda$, and $t_0 = 0$: Then $r = p_2 \mapsto^{l_0}_{0} q_1 \Rightarrow^{B_{12},p_1,R}_{t} q_{n+1} = p_2'$, and we know that $(p_1, q_1) \in B_{12}$. On the other hand, $p_3 \Rightarrow^{B_{23},p_2,R}_{0} q_1' \mapsto^{l_0'} q_1''$, such that $(q_1, q_1'') \in B_{23}$ and $l_0' \notin R$. Then, by Lemma (II) and the fact that $(p_1, q_1) \in B_{12}$, $p_3 \Rightarrow^{B,p_1,R}_{0} q_1''$. Now, we also have that $(p_1, q_1) \in B_{12}$ and $(q_1, q_1'') \in B_{23}$, so we can apply the inductive hypothesis and get $q_1'' \Rightarrow^{B,p_1,R}_{t} w$, such that $(q_{n+1}, w) \in B_{23}$. Joining the results, $p_3 \Rightarrow^{B,p_1,R}_{0} q_1'' \Rightarrow^{B,p_1,R}_{t} w$ and $(q_{n+1}, w) \in B_{23}$, and thus $p_3 \Rightarrow^{B,p_1,R}_{t} w$ with $(p_2', w) \in B_{23}$.
Case $n + 1$, $l_0 = \lambda$, and $t_0 > 0$: Then $r = p_2 \mapsto^{\lambda}_{t_0} q_1 \Rightarrow^{B_{12},(p_1 + t_0),R}_{t - t_0} q_{n+1} = p_2'$, and we know that $(p_1 + t_0, q_1) \in B_{12}$. On the other hand, $p_3 \Rightarrow^{B_{23},p_2,R}_{t_0} q_1'$, such that $(p_2 + t_0, q_1') \in B_{23}$. Then, by Lemma (II), $p_3 \Rightarrow^{B,p_1,R}_{t_0} q_1'$. Now, we also have that $(p_1 + t_0, q_1 = p_2 + t_0) \in B_{12}$ and $(p_2 + t_0, q_1') \in B_{23}$, then $(p_1 + t_0, q_1') \in B$. Applying the inductive hypothesis we get $q_1' \Rightarrow^{B,p_1 + t_0,R}_{t - t_0} w$, such that $(q_{n+1}, w) \in B_{23}$. Joining the results, $p_3 \Rightarrow^{B,p_1,R}_{t_0} q_1' \Rightarrow^{B,p_1 + t_0,R}_{t - t_0} w$ and $(q_{n+1}, w) \in B_{23}$, and thus $p_3 \Rightarrow^{B,p_1,R}_{t} w$ with $(p_2', w) \in B_{23}$.
Lemma II: Suppose that $p_1, p_1 + t \in Q$, $(p_1 + t', p_2 + t') \in B_{12}$ for $t' \leq t$, and $(p_2, p_3) \in B_{23}$. If $p_3 \Rightarrow^{B_{23},p_2,R}_{t} p_3'$, then $p_3 \Rightarrow^{B,p_1,R}_{t} p_3'$.
Let $r = p_3 \mapsto^{l_0}_{t_0} q_1 \mapsto^{l_1}_{t_1} \ldots q_n = p_3'$, such that $\sum t_i = t$, and for every position $k \in \Pi(r)$, $(p_2 + r_\tau(k), r(k)) \in B_{23}$, and $l_i \notin R$ (for $i = 0..n-1$). Since $(p_1 + t', p_2 + t') \in B_{12}$ for $t' \leq t$, then $(p_1 + r_\tau(k), r(k)) \in B$, and therefore $p_3 \Rightarrow^{B,p_1,R}_{t} p_3'$.
Now we will prove a preservation result for TCTL, following the scheme used for bisimulation and CTL* (e.g., [56]).
Definition 16 (Correspondence) Given an LTS $G$ and a bisimulation $B$, we say that a run $r'$ of $G$ is in correspondence with another run $r$ of $G$ if and only if there exists a total surjective mapping $C$ from positions of $r'$ to positions of $r$, $C : \Pi(r') \to \Pi(r)$, such that:
(a) for every $k \in \Pi(r')$, $(r(C(k)), r'(k)) \in B$ and $r'_\tau(k) = r_\tau(C(k))$ (time and bisimulation preserving);
(b) if $k_1 \ll_{r'} k_2$ then $C(k_1) \ll_{r} C(k_2)$ (monotone).
Note that $C((0, 0)) = (0, 0)$ due to surjectivity and monotonicity.
Lemma 3 If $p$ and $q$ are two CO-bisimilar states then for every run $r$ starting from $p$ there is a run $r'$ starting from $q$ which is in correspondence with $r$.
Proof 6 Let $r = p \mapsto^{l_0}_{t_0} p_1 \mapsto^{l_1}_{t_1} \ldots$. Due to the definition of CO-bisimulation, if $t_0 = 0$ then $q \Rightarrow^{B,p,R}_{0} w \mapsto^{l_0'} q_1'$, that is, $r'_0 = q_0 \mapsto^{l_0'}_{0} q_1 \mapsto^{l_1'}_{0} \ldots q_n = w$ and for every position $k \in \Pi(r'_0)$, $(p, r'_0(k)) \in B$, and $(p_1, q_1') \in B$. Then we can define $C((i, 0)) = (0, 0)$ for $0 \leq i \leq n$ and $C((n + 1, 0)) = (1, 0)$ (that is, we map all the positions of this sequence but the last one to the first position of $r$, and the last position to the second position of $r$).
If $t_0 > 0$ a similar procedure may be applied: $q \Rightarrow^{B,p,R}_{t_0} q_1'$, that is, $r'_0 = q_0 \mapsto^{l_0'}_{t_0'} q_1 \mapsto^{l_1'}_{t_1'} \ldots q_n$ where $\sum_{i=0}^{n-1} t_i' = t_0$, and for every position $k \in \Pi(r'_0)$, $(p + r'_{0\tau}(k), r'_0(k)) \in B$. In this case let $C(k)$ be $(0, r'_{0\tau}(k))$. Therefore, we have started to build $r'$ and the correspondence with the first transition of $r$. The least fixed point of this procedure is a sequence $r'$ in correspondence with $r$.
Lemma 4 Given the LTS $G_A$ of a TA $A$, a propositional valuation $P : Props \to 2^{Locs(A)}$, and a TCTL formula $\phi$ on $Props$. Let $B$ be a continuous observational bisimulation w.r.t. $\emptyset$, $P$. Assume that $q, q'$ are bisimilar states. Then $q \models_P \phi \Leftrightarrow q' \models_P \phi$.
Proof 7 We prove the lemma by induction on the structure of $\phi$. Base:
$q \models_P pr$ iff $q^@ \in P(pr)$ iff $q'^@ \in P(pr)$ (since the bisimulation respects the propositional assignment) iff $q' \models_P pr$.
Induction: There are several cases. All propositional cases are straightforward.
$q \models \phi_1\, \exists U_I\, \phi_2$ iff $\exists r = q \mapsto^{l_0}_{t_0} \ldots \in R^{\omega}(q)$ and $\exists k \in \Pi(r)$ such that $r_\tau(k) \in I$ and $r(k) \models \phi_2$ and $\forall m \in \Pi(r).\ m \ll k$ implies either $r(m) \models \phi_1$ or ($r(m) \models \phi_2$ and $r_\tau(m) \in I$). We know that there exists $r' = q' \mapsto^{l_0'}_{t_0'} \ldots \in R^{\omega}(q')$ in correspondence with $r$ (i.e., there is an order-preserving and surjective function $C$ from the positions of $r'$ to the positions of $r$ which relates bisimilar states). In particular, there exists a position $k'$ of $r'$ such that $C(k') = k$. Then $(r'(k'), r(k)) \in B$ and $r'_\tau(k') = r_\tau(k) \in I$ and also, by inductive hypothesis, $r'(k') \models \phi_2$. Moreover, for all $m \ll k'$, $(r'(m), r(C(m))) \in B$ and since $C(m) \ll C(k') = k$ then, by inductive hypothesis, $r'(m) \models \phi_1$ (in case that $r(C(m)) \models \phi_1$) or ($r'(m) \models \phi_2$ and $r'_\tau(m) \in I$) otherwise, since $r'_\tau(m) = r_\tau(C(m)) \in I$. Thus, $q' \models \phi_1\, \exists U_I\, \phi_2$. Note that this argument is symmetric.
$q \models \phi_1\, \forall U_I\, \phi_2$ iff $\forall r = q \mapsto^{l_0}_{t_0} \ldots \in R^{\omega}(q)$, $\exists k \in \Pi(r)$ such that $r_\tau(k) \in I$ and $r(k) \models \phi_2$ and $\forall m \in \Pi(r).\ m \ll k$ implies either $r(m) \models \phi_1$ or ($r(m) \models \phi_2$ and $r_\tau(m) \in I$). Similarly to the previous case, we can see that every run leaving $q'$ has a corresponding run leaving $q$ which satisfies the formula. This argument is symmetric.
Then it is easy to conclude that two bisimilar states satisfy the same set of TCTL formulas.
Theorem 3 Given two TA $A_i$ ($i = 1, 2$), a function associating to each atomic proposition a set of locations of $A_i$ (i.e., $P_i : Props \to 2^{Locs(A_i)}$) and a TCTL formula $\phi$ on $Props$. Assume that $A_1 \cong^{P_1,P_2} A_2$; then $A_1 \models_{P_1} \phi \Leftrightarrow A_2 \models_{P_2} \phi$.
Now we present some results to understand why events might be important to take into account.
Theorem 4 Given three TA $A_i$ ($i = 1, 2$) and $O$, and a labeling function $P : Props \to 2^{Locs(O)}$. If $A_1 \cong_{Labels(O)} A_2$ then $A_1 \parallel O \cong^{P_1,P_2} A_2 \parallel O$, where $P_i$ ($i = 1, 2$) are the natural extensions of $P$ to the respective Cartesian products.
Proof 8 If $B$ is the continuous event bisimulation relating the initial states of $A_1$ and $A_2$, we can extend it to a continuous observational bisimulation between the states of $A_1 \parallel O$ and $A_2 \parallel O$. Simply, $(q, q') \in B^*$ iff $(\Pi_{A_1}(q), \Pi_{A_2}(q')) \in B$ and $\Pi_O(q) = \Pi_O(q')$. Due to the fact that $B$ respects $Labels(O)$ and the $\tau$-observational transitions in $G_{A_i}$ w.r.t. $Labels(O)$ do not synchronize with $O$, it can be easily seen that the relation we propose is indeed a bisimulation. Moreover, $B^*$ is such that for any $(q, q') \in B^*$, $[q]_{P_1} = [q']_{P_2}$ (since the $O$ projection is the same by definition). Then, by Theorem 3, they satisfy the same TCTL formulae.
By using the previous result, we conclude:
Corollary 3 Given three TA $A_i$ ($i = 1, 2$) and $O$, and a labeling function $P : Props \to 2^{Locs(O)}$. Assume that $A_1 \cong_{Labels(O)} A_2$; then $A_1 \parallel O \models_{P_1} \phi \Leftrightarrow A_2 \parallel O \models_{P_2} \phi$, where $P_i$ ($i = 1, 2$) are the natural extensions of $P$ to the respective Cartesian products.
3.3 I/O Timed Components
In this section we define I/O timed components as a timed automaton attached with I/O interface information that classifies its labels. In Chapter 5 we give semantics to RTS Designs in terms of I/O Timed Components (instead of directly in terms of Timed Automata). We believe that I/O Timed Components are natural models of timed non-blocking and non-zeno behavior (synchronization mechanisms like hand-shakes can be built more realistically on top of these features). There is some work done on preserving reactivity and activity of components. In [26] an algebraic framework is presented based on the temporal properties of the synchronization operation (they aim at getting high-level synchronization facilities). Our point of view is a functional classification of transitions, which is suitable for asynchronous modeling. On that line of research, it is worth mentioning [111], where the authors present non-blocking Timed Processes to get a family of automata on which they can apply assume/guarantee reasoning. They do not address non-zenoness. Liveness and I/O interfaces have been considered in a general setting for simulation proof methods "a la" Lynch-Vaandrager [76]. That work defines Live Timed I/O Automata using a notion of "responsiveness" based on games which embeds several proposals for fair I/O timed systems [125, 150], etc. Some of our concepts could be theoretically embedded into that framework, but we found I/O Timed Components more suitable for our framework (see below).
I/O components are a high-level architectural notion based on TA which has several advantages for our work. Among others:
- It allows us to define when a model is properly built (i.e., non-zenoness). In particular, we provide a set of syntactical constraints to ensure that the parallel composition is non-zeno.
- It helps to calculate, in a quite precise way, the influence of a component on other components' behavior (see Chapters 6 and 7). As far as we know, this is a completely new goal for I/O interfaces in formal timed systems.
- Since they are built on top of a simple notion of TA "a la" Alur-Dill, they are immediately supported by several checking tools like [61, 23]. We do not need to resort to games like in Live I/O Timed Automata [76], and sufficient conditions for I/O admissibility are easy to automate.
- We believe that they are more suitable than [111] to model high-level non-blocking abstractions (see the discussion at the end of this chapter).
- These notions are independent of the underlying timed (or untimed (2)) formalism used to describe the dynamics.
(1) We believe it is possible to integrate both views.
Let us define these concepts formally:
Definition 17 (Admissible Input/Output Interface of TA) Given a non-zeno TA $A$, $I_A, O_A \subseteq 2^{Labels(A)}$ (the powerset of labels (3)) is an admissible input/output interface for $A$ iff:
1. There is a partition $\mathcal{P}$ of $Labels(A)$ such that $I_A, O_A \subseteq \mathcal{P}$ and $I_A \cap O_A = \emptyset$. Sets $I \in I_A$ and $O \in O_A$ are called input selections and output selections respectively. A label appearing in an input or an output selection is an input label or an output label respectively. The set of input and output labels constitutes the set of interface labels. The labels which are not interface labels are internal labels. In other words, we can state the property as (a) no label can be an input and an output label at the same time, and (b) a label belongs to at most one input or output selection.
2. For any reachable state $q$ and for any input selection $I \in I_A$ there exists a label $i \in I$ and a state $q'$ such that $q \mapsto^{i} q'$. That is, at least one alternative of the selection is enabled.
3. For any reachable state there exists a divergent run starting from that state which does not contain any input label (4).
4. For any reachable state $q$ and for any output selection $O \in O_A$, if $q \mapsto^{o} q'$ with $o \in O$ then for all $o' \in O$ there exists a state $q''$ such that $q \mapsto^{o'} q''$ (i.e., all output labels of an output selection are available simultaneously).
5. If a run contains an infinite number of occurrences of a transition which is not an input-labeled transition, then that run is necessarily time-divergent (non-transientness of outputs and internal transitions (5)).
(2) We believe that this I/O model can be adapted to the untimed framework by changing timed divergence conditions into fairness constraints [56, 76], which are the usual way to specify progress in the untimed framework.
(3) Which includes the empty set.
(4) This property is stronger than non-zenoness since we are requiring that non-zenoness does not depend on input-labeled transitions. It is similar to progressiveness of [143] and feasibility of [150].
Note that, naturally, an input cannot block an output (at most, it can define which output of an output selection is enabled). Also, an input is not mandatory, and that is why non-zenoness must be guaranteed without inputs. The non-transientness of output and internal transitions has a more technical motivation: it turns out to be a necessary condition to guarantee that the composition of I/O timed components is also an I/O timed component (see the next definitions). In Sect. 3.3.1 we show how to check I/O admissibility.
Perhaps I/O selections are the concept that needs the most rationale. A component providing a set of labels as an input selection $I$ is guaranteeing that at least one transition with a label in $I$ is enabled at each reachable state. A component providing a set of labels as an output selection is guaranteeing that whenever there is a transition enabled with a label of the group, there are transitions enabled for all the rest of the labels. Historically, process algebras [126] featured some kind of blocking synchronization to communicate agents. Usually, they were used either to model a hand-shake-like communication between active agents (like ADA or CSP [94]) or to communicate the state of some agent (external choice). We do not want a blocking synchronization as a primitive feature (we can build it on top of this asynchronous I/O mechanism) but we still want a simple means to communicate events or states. That is why the output selection models non-deterministic choices that are finally resolved by the enabled input of the corresponding input selection. That feature is not present in previous I/O models like [76, 111, 150], etc.
Definition 18 (I/O Timed Component) An I/O Timed Component (or just component) is a tuple $(A, (I_A, O_A))$ where $A$ is a timed automaton and $(I_A, O_A)$ is an admissible I/O interface for $A$.
Given an I/O timed component $C = (A, (I_A, O_A))$, $[C]$ will denote its underlying timed automaton $A$.
Definition 19 (Compatible Components) Given two components $C_1 = (A_1, (I_1, O_1))$ and $C_2 = (A_2, (I_2, O_2))$, they are compatible if and only if:
1. all the labels of $Labels(A_1) \cap Labels(A_2)$ are interface labels in both $C_1$ and $C_2$ (i.e., $Labels(A_1) \cap Labels(A_2) \subseteq (I_1 \cup O_1) \cap (I_2 \cup O_2)$),
2. for all $I \in I_1$ and $I' \in I_2$, if $I \cap I' \neq \emptyset$ then either $\#I = 1$ or $\#I' = 1$,
3. for all $O \in O_1$, $O' \in O_2$, $O \cap O' = \emptyset$,
4. for all $O \in O_1 \cup O_2$ and $I \in I_1 \cup I_2$, $I \cap O = \emptyset$ or $I \subseteq O$.
^5 This requirement, together with the previous divergence property and non-zenoness of the underlying TA, is closely related to the notion of Strong I/O Feasibility of [150].
We refer to a set of pair-wise compatible components as a compatible set of components. I/O compatibility means that the underlying TA cannot block each other and, moreover, we will show that the composition of compatible components is itself a component (Sect. 3.3.1).
Example: 6 In Fig. 3.2 we show two compatible I/O components: a 2-size queue and a writer of that queue. Note how the input labels of the queue are enabled or disabled according to the state of the queue (empty, full).
Example: 7 In Fig. 3.3 the reader can see a version of the Rail-Crossing System where the control part waits for the gate to go down before requiring it to go up. This version is for 2 trains, but it can be parametrically extended to any number of trains just by keeping count of the number of trains in the dangerous zone.
Example: 8 CSMA/CD (Carrier Sense, Multiple Access with Collision Detection) is a widely used protocol on LANs at the MAC sublayer. It solves the problem of sharing a single channel in a broadcast network (a multi-access channel). When a station has data to send, it first listens to the channel to check whether it is idle or busy. If the bus seems idle it begins sending the message, else it waits a random amount of time and then repeats the sensing operation. When a collision occurs, the transmission is aborted simultaneously in all the stations that were transmitting and they wait a random time to start all over again. We formally model the timing aspects of the protocol using I/O timed components (see Fig. 3.4) based on the model presented in [128]. Sender components share a bus component. We suppose that the bus is a 10Mbps Ethernet with a worst case propagation delay $\sigma$ of 26 ms. Messages have a fixed length of 1024 bytes, and so the time $\lambda$ to send a complete message, including the propagation delay, is 808 ms. The bus is error-free; no buffering of incoming messages is allowed. Note that $SendOK_i$ and $SendBusy_i$ form an output selection of the sender, and the selection depends on the input actually enabled in the bus state. In fact, $SendBusy_i$ is enabled when the head of a message has already propagated. It takes at most $\sigma$ to propagate the collision signal to all the senders. The sender stays at most $S$ in the transmission location. Note also that the sender non-deterministically makes a new attempt to send before $2\sigma$ has elapsed since the last attempt.
Figure 3.2: Two compatible I/O components: (a) a queue of size 2 and (b) its writer.
Figure 3.3: I/O Components of the RCS (Train 1, Gate and Controller); the controller's interface is I = {{…1}, {…2}, {down}, {exit1}, {exit2}}, O = {{lower}, {raise}}.
Figure 3.4: I/O Components of the CSMA/CD Protocol: Sender 1 with I = {{collision}}, O = {{send1ok, send1busy}, {end1}}, and Bus with I = {{send1ok, send1busy}, {end1}, {end2}, {send2ok, send2busy}}, O = {{collision}}.
3.3.1 I/O Components, Composition and Non-Zenoness
Let us state some results that help to prove that a TA-model is non-zeno. Firstly, we will see how an admissible interface can be derived for the parallel composition of two compatible I/O components. This is a rather strong result which encompasses the following fact: given two compatible components $A_1$, $A_2$, the composition, which turns out to be non-blocking, is also a component (i.e., $[A_1] \| [A_2]$ is non-zeno and, moreover, it can be given an admissible I/O interface). Briefly, the new input interface is constituted by the union of the original input selections which at most synchronize with a singleton input selection (which is indeed non-blocking, thus preserving the "selectivity property" - point 2 - of any input selection containing the singleton). Something similar can be done to build the new output interface. Since output selections that intersect with input selections of size greater than one may lose the simultaneous availability property (point 4 of the definition of I/O interface), they are not part of the new output selections. However, all the labels of those lost output selections can be added as output selections of size 1 (they trivially satisfy point 4). Note that due to the items of compatibility (in particular the second item) all interface labels of the components are promoted to interface labels of the composed component. This fact is important to prove that this construction can be generalized to the parallel composition of n components (see Lemma 4).
In Example 6 the resulting interface of the parallel composition is I = {}, O = {{QueueAddedOK}, {QueueAddedNOK}, {QueueExtractedOK}, {QueueExtractedNOK}}.
Formally,
Lemma 5 Given two I/O-compatible components $C_1 = (A_1, (I_1, O_1))$ and $C_2 = (A_2, (I_2, O_2))$, then $C_{1,2} = (A_1 \| A_2, (I_{1,2}, O_{1,2}))$ is an I/O Timed Component, where
$$I_{1,2} = \{ I \in I_1 \mid \nexists I' \in I_2 : I \subset I' \land \nexists O \in O_2 : I \cap O \neq \emptyset \} \cup \{ I \in I_2 \mid \nexists I' \in I_1 : I \subset I' \land \nexists O \in O_1 : I \cap O \neq \emptyset \}$$
and
Proof 9 The most difficult point is the proof that $A_1 \| A_2$ is indeed non-zeno regardless of input transitions. We will see that any state reachable by a finite run is not a timelock (i.e., that finite run is the prefix of a divergent run). Moreover, time can elapse avoiding input transitions. Let $q$ be a state reachable by a finite run of $A_1 \| A_2$; then $q_{A_1} = \Pi_{A_1}(q)$ and $q_{A_2} = \Pi_{A_2}(q)$ are reachable states (by finite runs) of $A_1$ and $A_2$ respectively. Let $k \in \mathbb{R}_{>0}$ be a constant. From the definition of component, there must be runs $r_1$, $r_2$ starting in $q_{A_1}$ and $q_{A_2}$ respectively, of time length equal to $k$, such that $r_1$ does not contain any $I_1$ transition and $r_2$ does not contain any $I_2$ transition (thus they do not contain any label in $I_{1,2}$). Now, we show a procedure to obtain a run of $A_1 \| A_2$ from $r_1$ and $r_2$. To obtain such a run, we need to merge $r_1$ and $r_2$. If the discrete transitions of $r_1$ and $r_2$ are sorted according to their time of occurrence, it is easy to combine them and build a run of $A_1 \| A_2$ until the first output-labeled transition which must be shared with the other automaton is found. To outline the merge, let $r_1 = q_{A_1} \xrightarrow{t_1, l_1} q_1 \xrightarrow{t_2, l_2} \ldots q_n$ and $r_2 = q_{A_2} \xrightarrow{t'_1, l'_1} q'_1 \ldots q'_{n'}$, where $\xrightarrow{t, l}$ denotes a delay of $t$ time units followed by a discrete transition labeled $l$, and $q + t$ denotes the state reached from $q$ after $t$ time units elapse. Now, suppose that $t_1 \leq t'_1$ (the other case is symmetrical) and $l_1$ is not shared by $A_2$ (or it is $\lambda$). Then - thanks to the parallel composition interleaving semantics - the resulting run $r_{1,2}$ can be built as follows: $r_{1,2} = q \xrightarrow{t_1, l_1} (q_1, q_{A_2} + t_1)$ concatenated with the run obtained using the same procedure from $(q_1, q_{A_2} + t_1)$ with $r'_1 = q_1 \xrightarrow{t_2, l_2} \ldots q_n$ and $r'_2 = (q_{A_2} + t_1) \xrightarrow{t'_1 - t_1, l'_1} q'_1 \ldots q'_{n'}$. Clearly this procedure can be iterated finitely until we reach the end of both runs (the variant is the sum of the number of transitions of both runs), thus obtaining a run of $A_1 \| A_2$ of time length $k$, or until a shared label is found.^6
Without loss of generality, let us suppose that the earliest still non-synchronized shared output transition $q_i \xrightarrow{o} q_{i+1}$ belongs to $r_1$ and $o \in O \in O_1$. Let $I \in I_2$, $I \subseteq O$, be the corresponding matching input selection (i.e., $o \in I$). By items 1, 3 and 4 of compatibility that label belongs to an input selection $I$ such that $I \subseteq O$. By definition of input selection, there is a transition labeled $i_1 \in I$ enabled in $A_2$ at the time of occurrence of that $i$-th transition. By definition of output selection, at $q_i$ there must also be a discrete transition $q_i \xrightarrow{i_1} s$. By applying this procedure, we can fix up both runs to get a finite run starting at $q$ such that either it has time length $k$ or it ends with an output transition into an intermediate state $q'$. Therefore, since both TA are non-transient for output-labeled transitions (item 5 of I/O interface admissibility), by repeating the whole procedure from those intermediate states (i.e., obtaining new $r_1$, $r_2$, etc.), a run of time length $k$ is eventually built (if not, either the projection of that infinite run on $A_1$ or on $A_2$ would show an infinite number of output-labeled transitions and, since there is a finite number of labels, at least one output label would be repeated infinitely often, thus violating the last item of I/O interface admissibility).
Let us see the rest of the items of I/O interface admissibility:
- The new input and output labels are disjoint (input selections intersecting with output selections are not part of the new interface).
- Input selection property: given a state $q$ of $A_1 \| A_2$ and an input selection $I$ of $I_{1,2}$, we know that $I$ belongs either to $I_1$ or to $I_2$. Without loss of generality, let us suppose that it belongs to $I_1$. Then, there exists $i \in I$ such that $\Pi_1(q) \xrightarrow{i} r$. We also know that if $i \in Labels(A_2)$ then $\{i\} \in I_2$ (input selection of size 1), and thus there exists $s$ such that $\Pi_2(q) \xrightarrow{i} s$, and then $q \xrightarrow{i} (r, s)$.
- Output selection property: similar to the previous one.
- Finally, a run containing an infinite number of internal or output-labeled transitions is necessarily time-divergent. Indeed, any run of $A_1 \| A_2$ can be projected into a run of $A_1$ and a run of $A_2$, and one of those runs must exhibit an infinite number of output or internal transitions and therefore diverge.
Corollary 4 Given an indexed set of $n$ components $S$ such that they are pair-wise compatible, then $(\|_{1 \leq i \leq n} A_i, (I^n, O^n))$ is a component where
$$I^n = \bigcup_{1 \leq i \leq n} \{ I \in I_i \mid \nexists k \neq i, I' \in I_k : I \subset I' \land \nexists k \neq i, O \in O_k : I \cap O \neq \emptyset \}$$
and,
^6 Note that if one of the runs is empty then there only remains a set of discrete (0 time) transitions in the other run (both have originally the same time length) and therefore we can omit that suffix since we have already built a run of time length $k$.
Proof 10 By induction. The base case is solved by the last lemma. Case $n+1$. By the inductive hypothesis we know that $(I^n, O^n)$ is an admissible I/O interface for $\|_{1 \leq i \leq n} A_i$. Let us call that component $C^n$. We know that $C_{n+1} = (A_{n+1}, (I_{n+1}, O_{n+1}))$ is compatible with all $C_i = (A_i, (I_i, O_i))$, $1 \leq i \leq n$. Let us see that it is compatible with the interface for the $n$ components, but firstly let us pinpoint some facts about the interface $(I^n, O^n)$ of $C^n$.
1. An interface label of $C_i$ ($1 \leq i \leq n$) is an interface label of $C^n$. This comes from the following facts: (a) input labels remain as input labels in the biggest input selection containing them, except in the case that the input selection matches an output selection (in that case, $I \subseteq O$), and (b) output labels remain in the interface.
2. Input selections of $I^n$ are input selections of some of its constituent components (i.e., if $I \in I^n$ then there exists $k \in \mathbb{N}$, $1 \leq k \leq n$, such that $I \in I_k$).
3. If $O$ is an output selection of $O^n$, then either there exists $k \in \mathbb{N}$, $1 \leq k \leq n$, such that $O \in O_k$, or there exists $O' \in O_k$ with $O = \{o\}$, $o \in O'$, and there exists $m$, $1 \leq m \leq n$, such that $I' \in I_m$ and $I' \subseteq O'$.
Therefore, suppose that $A_{n+1}$ has a common label with $\|_{1 \leq i \leq n} A_i$; then that label belongs to some $k$-th automaton and therefore belongs to the interface of the components $C_k$ and $C_{n+1}$. If that label is an output label of the $C_{n+1}$ component, that label still belongs to the interface of $C^n$ due to the first observation.
The second compatibility item ($I \cap I' \neq \emptyset$ then either $\#I = 1$ or $\#I' = 1$) is trivially true due to the observation that input selections of $C^n$ are input selections of the original components, and to the pairwise compatibility. Similarly, if an output selection $O$ of $O_{n+1}$ intersects some input selection $I$ of $I^n$, then that input selection must be an input selection of some component and therefore it must be included in the output selection (i.e., $I \subseteq O$). If an input selection $I$ of $I_{n+1}$ intersects some output selection of $O^n$, then either it is an input selection of size 1 and it is trivially included, or, by the last observation, we know that there exists $O \in O_k$ with $O \in O^n$ and thus $I \subseteq O$ (that is due to pairwise compatibility: $I$ must be the only input selection of size greater than 1 intersecting $O$, and then by the first observation $O$ must belong to $O^n$). Therefore, they are compatible components and Lemma 5 gives an admissible interface for $C^n \| C_{n+1}$.
It is not difficult to see that this interface is equivalent to $(I^{n+1}, O^{n+1})$ where
$$I^{n+1} = \bigcup_{1 \leq i \leq n+1} \{ I \in I_i \mid \nexists k \neq i, I' \in I_k : I \subset I' \land \nexists k \neq i, O \in O_k : I \cap O \neq \emptyset \}$$
and
In fact, if we write $I^{n+1}$ in terms of $I^n$ we need to add the input selections of $I_{n+1}$ which are not strictly included in an input selection of another $I_k$ and do not match an output selection. On the other hand, we have to eliminate from $I^n$ the input selections strictly included in an input selection of $I_{n+1}$ and the ones that match an output selection of $O_{n+1}$. That is,
$$I^{n+1} = \Big( I^n - \bigcup_{1 \leq i \leq n} \{ I \in I_i \mid \exists I' \in I_{n+1} : I \subset I' \lor \exists O \in O_{n+1} : I \cap O \neq \emptyset \} \Big) \cup \{ I \in I_{n+1} \mid \nexists k \leq n, I' \in I_k : I \subset I' \land \nexists k \leq n, O \in O_k : I \subseteq O \}$$
Let us see that the definition of $I^{n+1}$ specifies that manipulation. Note that, though $I^n$ may contain fewer input selections than the union of them ($\bigcup_{1 \leq i \leq n} I_i$), it is easy to see that (a) if an input selection of the union is not present in $I^n$ then either it is included in another input selection of $I^n$, or it intersects an output selection of $O^n$, and (b) $\exists O \in O^n : I \cap O \neq \emptyset$ iff $\exists k \leq n, O \in O_k : I \cap O \neq \emptyset$ (all output labels remain). Therefore, the set $\{ I \in I_{n+1} \mid \nexists k \leq n, I' \in I_k : I \subset I' \land \nexists k \leq n, O \in O_k : I \subseteq O \}$ is equivalent to $\{ I \in I_{n+1} \mid \nexists I' \in I^n : I \subset I' \land \nexists O \in O^n : I \cap O \neq \emptyset \}$. This proves that in $I^{n+1}$ the same input selections of $I_{n+1}$, filtered by $(I^n, O^n)$, are present. Finally, $I^n - \bigcup_{1 \leq i \leq n} \{ I \in I_i \mid \exists I' \in I_{n+1} : I \subset I' \lor \exists O \in O_{n+1} : I \cap O \neq \emptyset \}$ is equivalent to $\{ I \in I^n \mid \nexists I' \in I_{n+1} : I \subset I' \land \nexists O \in O_{n+1} : I \subseteq O \}$, and we can conclude that $I_{C^n, C_{n+1}} = I^{n+1}$.
On the other hand, to write $O^{n+1}$ in terms of $O^n$, the output selections of $O_{n+1}$ that do not match input selections of size greater than one must be added, as well as the singletons for the ones that match. Besides, the output selections of $O^n$ must be checked against the input selections of $I_{n+1}$ in order to eliminate, and convert into singleton output selections, the ones that match input selections of size greater than one. Again, this is specified by the definition of $O^{n+1}$.
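As an added worked example (not code from the thesis), here are Definition 19 and the interface construction of Lemma 5 in Python, folded over a list of components as Corollary 4 allows. The interfaces are transcribed from Figure 3.4; Sender 2's interface is assumed to mirror Sender 1's (only Sender 1 is labelled in the figure), and the automata are assumed to have no internal labels beyond their interface labels.

```python
from functools import reduce

# An I/O interface is a pair (inputs, outputs); each side is a frozenset of
# selections, and each selection is a frozenset of labels.
def interface(inputs, outputs):
    return (frozenset(frozenset(s) for s in inputs),
            frozenset(frozenset(s) for s in outputs))

def interface_labels(iface):
    """All labels mentioned by the input and output selections of an interface."""
    ins, outs = iface
    return frozenset().union(*ins, *outs)

def compatible(c1, c2, labels1=None, labels2=None):
    """Definition 19. labels1/labels2 are the label sets of the underlying timed
    automata; when omitted, the automata are assumed to have no internal labels."""
    i1, o1 = c1
    i2, o2 = c2
    labels1 = interface_labels(c1) if labels1 is None else frozenset(labels1)
    labels2 = interface_labels(c2) if labels2 is None else frozenset(labels2)
    # 1. every label shared by the automata is an interface label of both components
    if not (labels1 & labels2) <= (interface_labels(c1) & interface_labels(c2)):
        return False
    # 2. input selections that meet across components: one of them is a singleton
    if any(i & j and len(i) != 1 and len(j) != 1 for i in i1 for j in i2):
        return False
    # 3. output selections of different components are disjoint
    if any(o & p for o in o1 for p in o2):
        return False
    # 4. an input selection that meets an output selection is contained in it
    if any(i & o and not i <= o for i in i1 | i2 for o in o1 | o2):
        return False
    return True

def compose(c1, c2):
    """Lemma 5: the admissible interface of C1 || C2 for compatible C1, C2."""
    if not compatible(c1, c2):
        raise ValueError("components are not I/O compatible")
    i1, o1 = c1
    i2, o2 = c2

    def surviving_inputs(mine, other_in, other_out):
        # keep I unless it is strictly inside a partner input selection, or it
        # is matched (non-empty intersection) by a partner output selection
        return {i for i in mine
                if not any(i < j for j in other_in)
                and not any(i & o for o in other_out)}

    def new_outputs(mine, other_in):
        result = set()
        for o in mine:
            if any(o & i and len(i) > 1 for i in other_in):
                # simultaneous availability may be lost: keep the labels as singletons
                result |= {frozenset({label}) for label in o}
            else:
                result.add(o)
        return result

    return (frozenset(surviving_inputs(i1, i2, o2) | surviving_inputs(i2, i1, o1)),
            frozenset(new_outputs(o1, i2) | new_outputs(o2, i1)))

def compose_all(components):
    """Corollary 4: fold a pairwise-compatible set through the binary composition."""
    return reduce(compose, components)

# Interfaces transcribed from Figure 3.4; Sender 2 is assumed to mirror Sender 1.
SENDER1 = interface([{"collision"}], [{"send1ok", "send1busy"}, {"end1"}])
SENDER2 = interface([{"collision"}], [{"send2ok", "send2busy"}, {"end2"}])
BUS = interface([{"send1ok", "send1busy"}, {"end1"}, {"end2"}, {"send2ok", "send2busy"}],
                [{"collision"}])

def sender_bus_interface():
    return compose(SENDER1, BUS)

def csma_interface():
    return compose_all([SENDER1, BUS, SENDER2])

if __name__ == "__main__":
    print(sender_bus_interface())
    print(csma_interface())
```

For Sender 1 and the bus, the result keeps the two bus input selections that only the absent Sender 2 can drive, {end2} and {send2ok, send2busy}, and splits the sender's {send1ok, send1busy} output selection into singletons because it matched a bus input selection of size two, while {end1} and {collision} survive intact since they matched singleton input selections. Composing Sender 2 as well leaves no input selections at all, the same closed-system shape that Example 6 reports for the queue and its writer.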
Guaranteeing I/O Admissibility
For the sake of self containment we provide sufficient syntactic constraints and checking algorithms to guarantee that $(A, (I_A, O_A))$ is indeed a component.
For example, to satisfy the property of inputs being non-blocking (2nd condition), we can resort to the following syntactic property: $\forall I' \in I_A : \forall l \in Locs(A) : Inv(l) \Rightarrow \bigvee_{\{e : Label(e) \in I' \land src(e) = l\}} Guard(e)$. That is, while the invariant is valid, at least one $I'$-labeled transition is enabled.
To check that any output selection is simultaneously enabled (4th condition), one of the possible syntactic properties is the following: $\forall l \in Locs(A), \forall O \in O_A : (\exists e \in Edges(A) : src(e) = l \land Label(e) \in O) \Rightarrow (\forall o \in O\ \exists e' \in Edges(A) : src(e') = l \land Label(e') = o \land Guard(e') = Guard(e))$. We are asking to find a set of edges with the same guards for the output selection (the property is enough for our purposes).
To check non-zenoness we use an observer automaton with three locations: location 1 is entered non-deterministically from the initial location 0, and it is left to go to a trap location 2 whenever an input occurs. Then, we ask whether $A \| Observer$ satisfies the following TCTL [92] formula: $\forall\Box\,(\ell = 1 \rightarrow \exists\Diamond_{>1}\,\ell = 1)$, where $\ell$ is the observer location, i.e., whether time can elapse without traversing an input edge (see Fig. 3.5).
Figure 3.5: Observer for Checking Non Zeno Regardless Input
For non-transientness of outputs, it suffices to require that no pair of outputs or internal events can occur closer than one time unit. This can be done by resorting to an observer TA or, alternatively, by adding and checking some syntactic constraints on output and internal edges, for instance, having a minimum delay guard on a clock reset in the potential previous events.
Discussion: I/O Components vs Non-Blocking Timed Processes
Like our work, [111] introduces the notion of non-blocking I/O Timed Processes to deal with non-blocking avoiding games (like in [76]). Their approach is different from ours in subtle and major topics. On the one hand, I/O Timed Processes communicate by "listening" to the change of the output mapping of their partners. Output mappings are associated with each location. Informally, to be non-blocking a process should satisfy two conditions: (a) a positive real amount of time can elapse (with an optional change of output mapping), and (b) that can happen regardless of the input change. That is, while the update of outputs is independent of the update of inputs, the update of internal variables (i.e., the location and the clocks) depends on it. Those rules are closely related to our non-blocking requirement for inputs and, partially, to non-zenoness regardless of inputs. However, in their setting there is no necessity of requiring non-zenoness.
On the other hand, their communication approach is suitable for modeling circuits, but it could become cumbersome for modeling high-level software abstractions. For example, to model a queue in the Timed Process setting, the reader process should receive queue state changes (even the ones not performed by itself, thus a fictitious communication) to keep track of the queue state in order to output a successful or unsuccessful reading (if the reader process performed different changes of output depending on the queue output it would be violating condition (b)). That greatly complicates the readers/writers models. As seen in the examples, we can resort to I/O selections to perform different outputs according to the partner state. As far as we know, that modeling feature is not present in any other I/O proposal.

Chapter 4
Describing RTS-Designs and Requirements
When developing a RTS, designers usually should deal with four different descriptions: 
1. the system architecture; 
2. the internal dynamics of tasks; 
3. the behavior of communicating components and the environment where the system 
is embedded; and finally 
4. the requirements or properties the system must satisfy. 
We have considered analyzability of resulting designs as the main criterion for defining 
the features of the design notation. In particular, our technique is based on the use of 
known analytical scheduling theory for Fixed-Priority scheduling [109] to build a formal 
model. Thus, theory assumptions to calculate WCCT and the expressive power of selected 
target formalism set some restrictions for language features (e.g., there is no dynamic task 
creation, tasks are not migratable, tasks do not suspend themselves, etc.). Although we 
believe that some limitations can be overcome, there is a trade-off between sophistication 
of supported features and the ability to efficiently predict the behavior of the resulting 
designs. In the next sections, we present examples of such notations while we point out 
some of the essential issues which constrain their style and features. 
Figure 4.1: Design Elements
4.0.2 Introduction to Fixed Priority Application Model 
In this section, we outline the main features of the application model we adhere to. Our application model is strongly based on the Fixed-Priority application models (e.g., [109]). It assumes a fixed set of tasks on each processor scheduled under a Fixed-Priority policy. A base priority is assigned to each of them. A task execution (a job) can be preempted by any job of a task of higher priority. Jobs do not suspend themselves while executing.
In these applications, two kinds of tasks coexist: periodic and sporadic tasks. For the periodic case, we require each job of a task to complete its execution within a task period. Sporadic tasks respond to signals (trigger events) which have a minimum separation assumption (minimum interarrival time) through a sporadic server scheme [144, 109]. In particular, our instantiation of the scheme works as follows: if a signal arrives and more than the declared minimum interarrival time has elapsed since the last server job release, then a new job is released. Otherwise, the signal is lost or latched according to the designer's decision. We require that a job completes in less than the minimum interarrival time. Then, sporadic tasks can be treated as periodic ones for the analysis (for us, the minimum separation time plays the role of the period).
To achieve mutual exclusion while accessing data, the applications use an emulation of the Priority Ceiling Protocol [109, 141]. The PCP emulation scheme requires the critical section (monitor server code) to execute at a level slightly higher than the priority of any client task that may try to perform an operation on the shared resource [86]. PCP emulation guarantees a bounded blocking time.
The time required to perform scheduling, context switching and other overheads is ignored. 
Furthermore, to simplify the presentation of this notation, there are no explicit features to  
describe software mode change, jitter on clocks, phase offsets or suspension. 
To assess schedulability under the assumptions of a fixed-priority model, a worst case completion calculus is usually provided (see for example [86]). WCCT calculus is an analytical tool for computing the worst case response times of tasks or subtasks measured from release times. Roughly speaking, the WCCT (or response time) for a task $\tau_i$ can be calculated as the least fixed point of an equation (see Chapter 5). That equation takes into account the worst-case interference of tasks of higher or equal priority plus the blocking time due to lower priority tasks accessing mutual exclusion areas. In Sect. 5.3, we present the details of the WCCT calculus for our fixed-priority application model.
4.1 Describing the System Architecture 
As already explained, we adapted elements of the periodic application model to describe execution architectures. Thus, detailed designs may be composed of periodic and sporadic tasks distributed over a network of processors (see Fig. 1.2). Periodic tasks are released periodically while sporadic tasks are released by the arrival of a triggering event. The language also supports the definition of protected objects to model data and control communication among tasks. As we will see later in this chapter, bounded queues, signal nets, circular buffers and timers can be defined. Moreover, most finite and non-blocking abstractions could be easily incorporated into our proposal. That is, since the version of the WCCT calculus we present does not deal with unbounded suspension, we limit blocking only to the achievement of mutual exclusion (and an error is returned if the action cannot be performed for "semantical" reasons, for example when writing to a full queue).
Processing nodes may communicate through a signal net in an asynchronous fashion (i.e., 
a sporadic server attends the signal). On the other hand, the controller and the plant 
communicate by means of data written in and out at ports or signaling mechanism which 
triggers sporadic servers. 
As was shown in the introduction, we use a simple graphical notation based on HRT-HOOD 
[42] to define a net of processors, and the distribution and connection of the components. 
4.2 Task Dynamics 
Task behavior is specified at a level of abstraction where only the communication patterns and the estimates of the execution times of actions are described; neither data nor functionality is specified.^1
In this chapter we deal with three different language levels to describe task behaviors: Design Language, Basic Terms and CDAGs. In a few words, CDAGs are annotated control DAGs, while Basic Terms is a structured language translatable into CDAGs. Design Language is just a higher-level version of Basic Terms featuring macro-expansion mechanisms (e.g., it allows the designer to redistribute task code into protected objects).
4.2.1 A Structured Language to Define Task Dynamics: Design Language
Now we introduce a structured language featuring some syntactic sugar to ease the description of the abstract code performed by tasks.
Basic Terms 
Abstract code is described using a very simple sequential external-internal action language to model asynchronous processes. The terms, which are the core of the language, are defined by a recursive type definition:
T = action; T | action; Set[branch]; T | ε
where
action = <[Min, Max], Pty, finalevents>, where Min, Max are rational numbers, Pty is a natural number and finalevents is a set of strings; and branch = <EventConditions : Set[strings], Code : T>.
^1 The reader can see later in this chapter that finite state data domains could be represented and manipulated. However, we suggest avoiding modeling data and functionality whenever those aspects seem irrelevant for the satisfaction of timing requirements.
Figure 4.2: Language Levels for Describing Tasks Dynamics (Design Language, Basic Terms, CDAGs, I/O Timed Components)
Note that a branch set is always preceded by an action. To be a valid term, the following properties must hold:
- Min ≤ Max (where Max > 0) are the minimum and maximum computation requirements of the action.
- The priority of the first action is called the base priority and it is the minimum priority of all actions appearing in the term. The last actions of a term should have that base priority (this is a reasonable assumption to simplify WCCT calculus; note also that an IH can have greater priority than the server, but this case is treated specially by our method, see Sect. 5.3).
- The union of the EventConditions of the branches should be equal to the set of final events of the preceding action.
- An event condition set can be empty only if the set of final events of the previous action is empty.
- Given A, B two actions in a term, if FinalEvents(A) ∩ FinalEvents(B) ≠ ∅ then FinalEvents(A) = FinalEvents(B).
That is, actions are described as the estimated range for the duration of the internal functionalities when running in a dedicated environment (the minimum and maximum computation requirement measured, for example, in milliseconds). The event names will denote possible endings of that operation. Those endings are, in principle, non-deterministically chosen, but in Sect. 4.3 we show how designers constrain the event occurrence by means of constraining components. A branch is a set of terms (which will be denoted separated by the + symbol). Branches model conditional computation. They are chosen according to the final event of the preceding action (i.e., any branch such that its event conditions include the final event chosen in the last action).
Design Language 
Based on HRT-HOOD [42], our design language uses three concepts: periodic tasks, sporadic tasks and protected objects.
For a periodic task, its period, priority and abstract code description must be specified. In the case of the sporadic task, its triggering event, minimal interarrival time, priority and abstract code must be specified. It is also possible to give the priority and duration of its interruption handler whenever the sporadic server code is mapped into a different task, which is signaled by this interruption handler. Besides, the designer can specify a latching mechanism to retain disabled interruptions; it must specify when to latch them (no latch, latch while waiting for the replenish time, or latch always) and the maximum number of interruptions that can be latched. For the sporadic case, the designer can also specify abstract code to be executed as initialization (see the design for the Active Structure Control System). The designer may also define new protected objects simply as collections of operations: abstract code running at a priority ceiling.
Abstract code is a valid term where no priority is specified, since it is the priority of the corresponding task or protected object. To invoke protected object code, a macro expansion mechanism is featured by the abstract code. That is, given an abstract code, a basic term may be obtained by marking internal actions with the base priority of the task and by macro-expanding operations on protected objects at their priority ceiling. As another piece of syntactic sugar, event names are translated into eventByTASKID, where TASKID is the name of the task performing the code. The goal of this feature is to avoid name conflicts among events of tasks that would otherwise be misinterpreted as the same event (and therefore synchronized!). This feature can be disabled by adding a period at the end, to denote an absolute name for the event.
To illustrate the use of this language, we provide some of the internal descriptions of tasks and objects for the examples. Note that when the Max and Min computation requirements coincide we just write one of them. Also, it is not necessary to write empty sets of final events. Branches are separated by the "+" sign. By default, if not specified, the final events of an action preceding a set of branches are the union of the condition events of the branches. The whole code can be found in Annex B.
Example: 9 Here we describe the dynamics of the sporadic task "Modeler" by using the Design Language. Note that Model.UpDate is an invocation (i.e., macro expansion) of the protected object "Model". Also, this example illustrates how initialization for sporadic tasks can be specified.
Modeler (Sporadic, MAT = 100, Pty = 10,
         Interruption = DataReceived, LatchUpTo 1 at WaitingForReplenish)
Init: [10] {ModelerReadyForComm.}
Begin
  [18, 23]; Model.UpDate; [10] {ModelerReadyForComm.}
End
Model (Protected, PtyCeiling = 12)
Begin
  Operation: UpDate
  Begin
    [2] {ModelUpDated.}
  End
  Operation: Read
  Begin
    [1] {ModelRead.}
  End
End
Example: 10 This example is taken from the Mine Pump Design. Here, the periodic watchdog tries to extract an acknowledgment from the "AckQ" queue, and there are two courses of action according to the success or failure of the operation. The actual dynamics of the queue will be given using constraining components, as is shown in the next section.
HLW_WatchDog (Cyclic, Period = 500 ms, Pty = 6)
Begin
  [1]; AckQ.Extract ({AckQExtracted-OK.}
                       [1] {ackrequested}
                     +
                     {AckQExtracted-NOK.}
                       Console.Alarm
                    ); [.5]
End
AckQ (Protected, PtyCeiling = 13)
Begin
  Operation: Add
  Begin
    [2] {AckQAdded-OK, AckQAdded-NOK}
  End
  Operation: Extract
  Begin
    [2] {AckQExtracted-OK, AckQExtracted-NOK}
  End
End
Example: 11 This is another example taken from the Mine Pump Design. Here, the
periodic sensor first checks the availability of a result requested from the sensor device in
the previous period. If it is not ready, then it annotates the warning situation in the protected
object "Console". If that value is available, it compares it with the value stored in the
"CH4Status" object and decides whether it is a safe or unsafe situation. Then it invokes
the corresponding action of the "Motor" protected object. The actions are logged and a new
value is requested from the CH4 sensor device. In the next section we will show how the
behavior of that device can be specified. The "Motor", "Logger", and "Console" actions are shown
in the complete example (Annex B).
CH4-Sensor (Cyclic, Period = 80 ms, Pty = 10)
Begin
[a] ; ({CH4sensorNotReady.}
Console.Alarm
+
{CH4done.}
[.5] {CH4read} ; [1] ; CH4Status.Read ; [1] ;
({NotSafe.}
Motor.NotSafe ; CH4Status.Write ;
Console.Alarm
+
{Safe.}
Motor.Safe ; CH4Status.Write
) ; Logger.Log
) ;
[.5] {CH4set.}
End
4.2.2 The Kernel Language: CDAGs
At a kernel level, source code can be described using directed acyclic graphs with a single
root (see Fig. 4.3 and Fig. 4.4) called CDAGs. In the next section, we show how to give
semantics to CDAGs by means of I/O Timed Components. Non-empty sequences of actions
are associated with all non-final nodes. An action is a tuple $action = \langle [Min, Max], Pty \rangle$
where $Min$, $Max$ are rational numbers such that $Min \le Max$ ($Max > 0$) are the minimum
and maximum computation requirements respectively (denoted just $[Max]$ when $Min =
Max$) and $Pty$ is a natural number which defines the priority of that action. Edges are
labeled and they model a possible final event of the sequence of actions associated with their
source location (node). Those final events are, in principle, non-deterministically chosen,
but in the next section we show how event occurrences are constrained.
Definition 20 Given a node n of a CDAG, let $O(n) =_{def} \{label(e) \mid src(e) = n\}$; this is
the set of final events for the location n.
There are two conditions that a CDAG should satisfy to be well defined:
the priority of the first action of a CDAG, called the base priority and denoted
(Pmin), is the minimum priority of all actions appearing in the DAG. The last
actions associated with last nodes should have that base priority (this is a reasonable
assumption to simplify the WCCT calculus)³, and
given two nodes n, n' of the CDAG such that $O(n) \cap O(n') \neq \emptyset$, then $O(n) = O(n')$.
As we will show later, final events can be selected by the environment of the task
(e.g., a connector or variable state); intuitively, we require the alternatives to be
coherently the same throughout the CDAG.
In a given design, CDAGs of two tasks should not share any event label. Note that this 
does not rule out one task executing the triggering event of another task since triggering 
events are not explicitly annotated in the CDAGs of sporadic tasks (see Sect. 5.1). 
As was previously claimed, CDAGs are the kernel language and Design Notation can be 
translated into them. 
4.2.3 From Design Language to CDAGs 
As already mentioned, abstract code written using the design language can be translated
into basic terms by a simple macroexpansion mechanism. The semantics of basic terms can
be described in terms of single-rooted directed acyclic graphs (CDAGs) using the following
procedure:
The term is translated into a single-rooted directed acyclic graph. Its locations are annotated
with sequences of actions. This CDAG D satisfies the following properties:
If p is a path of the control flow of the term, then there is a path in the CDAG D such
that p can be obtained by concatenating the associated sequences of actions of each path
location (i.e., $p \in CtrlFlows(Term) \Rightarrow p \in \{s_1 \& \ldots \& s_n \mid s_i = Actions(l_i),\ l_1 \ldots l_n \in Paths(D)\}$).
²Note also that, although Interruption Handlers for Sporadic Tasks can have greater priority than the
sporadic server, this case is treated specially by our method (see Sect. 5.3).
³This property is needed to get an I/O interface for task TA (see Chapter 5).
Figure 4.3: CDAG for WaterFlow Sensor
Figure 4.4: CDAG for ACK Handler
The edges leaving a location are labeled with the events associated with the last
action of its annotated sequence of actions.
The following algorithm builds such a CDAG according to the degree of accuracy required
in the final model (by allowing or disallowing sequences of actions that do not belong to the
control flow of the original term).
Trans(A) is:
Case A
1. $A = \epsilon$: the result is a graph with a root and a leaf location. The root location is
annotated with $\epsilon$.
2. $A = \langle [Min, Max], Pty, E \rangle; T$ where $E \neq \emptyset$: add a root location annotated
$\langle [Min, Max], Pty, E \rangle$ to Trans(T). For each $e \in E$ add an edge from this new
location to the root of Trans(T) labeled e.
3. $A = \langle [Min, Max], Pty, \emptyset \rangle; T$: add the action $\langle [Min, Max], Pty, \emptyset \rangle$ at the head
of the sequence associated with the root of Trans(T).
4. $A = \langle [Min, Max], Pty, E \rangle; (+_{1 \le i \le n}\ E_i\ T_i); T$: build the following DAG: a root
location annotated with $\langle [Min, Max], Pty, E \rangle$ linked to the root of the $Trans(T_i; T)$
subDAG ($1 \le i \le n$) with edges labeled e for each $e \in E_i$.
To obtain a smaller DAG (but losing accuracy) apply the following procedure: build
a DAG with a root location annotated with $\langle [Min, Max], Pty, E \rangle$ linked with the
$Trans(T_i)$ subDAG ($1 \le i \le n$) by using edges labeled e for each $e \in E_i$. Then, add
edges from the leaves of this DAG to the root of Trans(T), labeled according to the
final events of their associated sequences.
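As an added worked example (not code from the thesis), the following Python implements the accurate variant of Trans(A) above and checks the two well-formedness conditions of Sect. 4.2.2 on a term shaped like the HLW-WatchDog of Example 10; the term encoding, the completion label placed on edges into leaves, and the expansion assumed for Console.Alarm are my own assumptions.

```python
# Added example, not the thesis's own code: the basic-term grammar of Sect. 4.2.3, the
# accurate Trans(A) procedure that turns a term into a CDAG, and a checker for the two
# well-formedness conditions of Sect. 4.2.2.  My own assumptions: an explicit completion
# label on the edges into leaves, the Python encoding of terms and graphs, the sample term.
from dataclasses import dataclass, field
from fractions import Fraction
from itertools import count

@dataclass(frozen=True)
class Action:                   # action = <[Min, Max], Pty, E>; E = possible final events
    min: Fraction
    max: Fraction
    pty: int
    events: frozenset = frozenset()

class Eps: pass                 # the empty term (case 1 of Trans)

@dataclass
class Seq:                      # <action>; T                  (cases 2 and 3 of Trans)
    action: Action
    rest: object

@dataclass
class Branch:                   # <action>; (+_i E_i T_i); T   (case 4 of Trans)
    action: Action
    alts: list                  # [(E_i, T_i), ...]
    rest: object

def concat(t1, t2):
    """T_i ; T as a term: append t2 at the end of every control flow of t1."""
    if isinstance(t1, Eps):
        return t2
    if isinstance(t1, Seq):
        return Seq(t1.action, concat(t1.rest, t2))
    return Branch(t1.action, t1.alts, concat(t1.rest, t2))

@dataclass
class CDAG:                     # single-rooted DAG of Sect. 4.2.2
    root: int
    actions: dict = field(default_factory=dict)     # location -> [Action, ...]
    edges: list = field(default_factory=list)       # (src, label, tgt)

    def final_events(self, n: int) -> set:
        """O(n) of Definition 20: labels of the edges leaving n."""
        return {lab for src, lab, _ in self.edges if src == n}

def trans(term, end_label: str, ids=None) -> CDAG:
    """Accurate Trans(A): case 4 duplicates T per alternative, so every path is a control flow."""
    ids = ids if ids is not None else count(1)           # fresh location numbers
    if isinstance(term, Eps):                             # case 1: root --end_label--> leaf
        r, leaf = next(ids), next(ids)
        return CDAG(r, {r: [], leaf: []}, [(r, end_label, leaf)])
    if isinstance(term, Seq) and not term.action.events:  # case 3: no final event, prepend
        d = trans(term.rest, end_label, ids)
        d.actions[d.root].insert(0, term.action)
        return d
    if isinstance(term, Seq):                             # case 2: new root, one edge per event
        d = trans(term.rest, end_label, ids)
        r = next(ids)
        d.actions[r] = [term.action]
        d.edges += [(r, e, d.root) for e in sorted(term.action.events)]
        d.root = r
        return d
    r = next(ids)                                         # case 4: one sub-DAG per alternative
    d = CDAG(r, {r: [term.action]}, [])
    for events, t_i in term.alts:
        sub = trans(concat(t_i, term.rest), end_label, ids)
        d.actions.update(sub.actions)
        d.edges += sub.edges + [(r, e, sub.root) for e in sorted(events)]
    return d

def well_formed(d: CDAG) -> list:
    """The two conditions of Sect. 4.2.2; returns the violations found ([] = well defined)."""
    problems = []
    base = d.actions[d.root][0].pty                       # base priority Pmin
    if any(a.pty < base for seq in d.actions.values() for a in seq):
        problems.append("an action has a lower priority than the base priority")
    leaves = {n for n in d.actions if not d.final_events(n)}
    for src, _, tgt in d.edges:                           # "last nodes": those with an edge into a leaf
        if tgt in leaves and d.actions[src][-1].pty != base:
            problems.append(f"last action of location {src} is not at base priority")
    for n in d.actions:
        for m in d.actions:
            on, om = d.final_events(n), d.final_events(m)
            if on & om and on != om:
                problems.append(f"locations {n} and {m}: overlapping but different final events")
    return problems

def watchdog_term() -> Seq:
    """Constructed term shaped like Example 10 (HLW-WatchDog, base priority 6); the
    expansion of Console.Alarm is assumed, since its code lives only in the annex."""
    def act(lo, hi, pty, ev=()):
        return Action(Fraction(lo), Fraction(hi), pty, frozenset(ev))
    extract = act(2, 2, 13, ["AckQExtracted-OK", "AckQExtracted-NOK"])   # AckQ.Extract, ceiling 13
    ok_branch = Seq(act(1, 1, 6, ["ackrequested"]), Eps())
    nok_branch = Seq(act(1, 1, 13, ["ConsoleAlarmed"]), Eps())            # assumed Console.Alarm
    tail = Seq(act(Fraction(1, 2), Fraction(1, 2), 6), Eps())             # the final [.5]
    return Seq(act(1, 1, 6), Branch(extract, [({"AckQExtracted-OK"}, ok_branch),
                                             ({"AckQExtracted-NOK"}, nok_branch)], tail))
```

Running `well_formed(trans(watchdog_term(), "HLW-WatchDog.end"))` returns an empty list; raising the priority of the root's first action above 6 makes both conditions of Sect. 4.2.2 fail.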
4.3 Communication and Environment: Constraining Components
In principle, the occurrences of final events of operations and external triggering events
for sporadic tasks are not constrained. In this section, we show how to constrain them by
means of I/O Timed Components (see Chapter 3) and thus build connectors and environment
descriptions. For example, Fig. 4.5 shows how to model a timer, a non-blocking
queue (operations fail or succeed according to the queue state), a perfect net (with latency)
and a net which may fail. In particular, if we replace the queue generic event
names with AckQAddedOK, AckQAddedNOK, AckQExtractedOK, AckQExtractedNOK it
becomes a constraining component for the task ACKQhandler of Fig. 4.4.
⁴$CtrlFlows(\epsilon) = \{\epsilon\}$, $CtrlFlows(a; T) = Map(\lambda x.\ a\,x,\ CtrlFlows(T))$, $CtrlFlows(a; (+_{1 \le i \le n} b_i); T) = \bigcup_{1 \le i \le n} CtrlFlows(a; b_i; T)$.
Figure 4.5: Connectors Modeled (panels include a timer with $I = \{\{Set\}\}$, $O = \{\{TimeOut\}\}$, and (b) FAULTY NET)
Assumptions about the behavior of the environment in which the software is embedded may
also be modeled by means of Constraining Components (see Fig. 4.6, Fig. 4.7, 4.8, and 4.9).
Using I/O Timed Components, designers can specify minimal separations between events, 
maximum number of events in a period, mode changes, etc. It is also possible to model 
separately physical events and the arrival of information into actuators and sensors. For 
instance, it is possible to take into account the time it takes a physical event to be informed 
by a sensor and the time it takes an actuator to achieve a physical change. 
In Fig. 4.6 we can see the model for the actuator, the sensor and a communication component.
The sampling takes between 50 and 55 t.u., then the data is prepared within 10
t.u. The actuator applies the pulse for a duration between 25 and 30 t.u., and then data is
prepared for communication (10 t.u. as well). The Comm component exemplifies a model
of communication; when both parties want to communicate (a handshake) it takes between
3 and 5 t.u. to perform the communication (message and acknowledgement).
Generically, we refer to connectors and environment I/O timed components as constraining 
components. Hence, although the behavior of the environment and the connectors could 
be given in terms of a more user-friendly language (with some built in templates), for the 
sake of presentation simplicity and expressive power, we decided to base our notation on 
TA. 
We require the I/O compatibility presented in Section 3.3 between tasks and the constraining
components. As can be seen in Chapter 5, the I/O interface for a timed automaton A
modeling a task is the following: $I = \{\{triggering\ event\}\}$ if the task is sporadic or $I = \emptyset$
in the periodic case; $O = \{E \mid \exists l \in Locs(Dag(A)) \wedge E = \{label(e) \mid src(e) = l\}\}$ (where
Dag(A) is the underlying CDAG of the task automaton (see Sect. 5.1)). Two task TA
are clearly I/O compatible among themselves if their CDAGs do not share any label. In
a system, correct constraining components must be I/O compatible with the tasks and
constraining components they synchronize with. This means that, given a constraining
component A and a location l of a task DAG, if $O(l) \cap Labels(A) \neq \emptyset$ then the set $O(l)$
must be an input selection of A.
It is easy to see that the components presented for modeling variable states, queues, nets,
timers, as well as the components modeling assumptions about the environment, satisfy
compatibility with the tasks of the corresponding examples. The designer can define
constraining components provided they are I/O compatible with the tasks they synchronize
with.
4.4 Requirements 
In our proposal, designers ask whether the system may behave in such a way that the 
analyzed property may be violated. The designer can describe an I/O Timed Component 
which synchronizes with those events relevant for expressing the requirement. We call 
those components Observer Components. 
The labels which are available to write an observer are the events appearing in the
descriptions of task behavior and the labels that stand for the completion and release of tasks
(e.g., NewPeriod, ReplenishTime, etc.).
An Observer Component is an I/O Timed Component compatible with all the components
of the SUA (System Under Analysis). A sufficient condition to build a component compatible
with the SUA is to build a component where all its shared labels with the SUA are
input selections of size 1.⁵ Those are non-blocking TA "listening" to the events of the
⁵An observer could also be an active component interacting with the SUA. However, the designer should
be more careful in order to guarantee compatibility with the SUA.
Figure 4.6: The sensor, the actuator, and the communication for the Active Structure
System (panels: A) SENSOR, B) COMM)
Figure 4.7: Assumptions about CH4 sensor ($I = \{\{CH4done, CH4Notready\}, \{nonfaultyCH4, faultyCH4\}, \{CH4set\}\}$, $O = \{\{faultCH4\}\}$)
For the sake of readability, stuttering edges are not shown in the figures.
We present four types of requirements using observers, namely: Safety Observers, Büchi
Observers, TCTL observers, and LDI observers.
Experience shows us that safety observers are enough for most requirements (bounded 
response, freshness, etc.). However, we want to illustrate how other interesting properties 
can be stated (and verified) over the design. 
4.4.1 Safety Event Observers
In the case of the Safety Observers, the underlying timed automaton evolves to an Error
location if the behavior of the system entails a potential invalidating scenario. Therefore,
checking the requirement reduces to checking reachability in the parallel composition of
the SUA and the observer. In the next sections we will see how to apply techniques to do this
in a rather efficient way.
According to our experience, automata-based notations turned out to be simpler than
most logics for describing expected sequences of events. By using TA observers, it is easy
to express complex temporal requirements for control/data flows, to detect invalid use
of bounded capacity objects such as queues, loss of signals, etc. Similar ideas have also been
applied in the untimed framework ([52, 84, 1], etc.) and in the timed one ([142, 58], etc.).
Other operational timed languages based on process algebras ([137, 127, 155, 162, 115],
etc.) could also be used, but we prefer to use a notation closely related to our formal kernel.
Observers provide us with a nice notion to develop our results; they are also a reasonable means
to express requirements in terms of event sequences.⁶
Figure 4.8: Assumptions about HLWLevel sensor ($I = \{\}$; $O$ includes $\{DetectionReceived\}$ and $\{FaultHLW\}$)
Figure 4.9: Assumptions about the operator
Figure 4.10: Observer for Freshness: From a read to an update of the model
Figure 4.11: Observer for The Regularity: Interpulse Delay
We should remark that some of the properties are expressed in terms of externally
non-observable design events. Sometimes, this is due to the nature of the properties: for
example, freshness involves read and write operations. Other properties, although they
can be informally formulated as a "black box" property, need to be formally formulated on
solution-level events. For instance, for some bounded response requirement it is necessary
to map it in terms of the actual data/control flow to ensure the correspondence between
incoming stimuli and outgoing responses.
For the example of the Active Structural Control System, we show in Fig. 4.10 and Fig. 4.11
the safety observers for the freshness constraint and the regularity property respectively.
The Freshness automaton captures cases where the model read by the pulser is older than
130 t.u. The regularity observer captures the scenarios where the pulses are separated by
more than 145 t.u. or less than 32 t.u.
To illustrate the flexibility of safety observers, we also map all the presented requirements
in terms of the data and control flow of our detailed architecture for the Mine Pump example.⁷
⁶However, we are conscious that a more user-friendly notation built on our observers could be provided.
⁷We also use minimal structural information to simplify some observers. For example, we use the fact
that between a device set and a device read of a sensor there must be a done.
Separation: Fig. 4.12 shows an observer automaton that accepts all the scenarios where
the temporal distance between two consecutive readings of the Water-Flow sensor is not
in the interval [960 ms; 1,040 ms].
Bounded Response1: Fig. 4.13 shows an observer automaton that accepts all the
scenarios where the proposed solution does not respond to High and Low water level
changes by setting or clearing the motor within 200 ms (supposing CH4 levels are ok).
Note that it also captures as errors the cases where two detections arrive before the data
is read (therefore, we also check that data is not overwritten).
Bounded Response2: Fig. 4.14 shows an observer automaton that accepts all the
scenarios where the deadline of 200 ms for disabling the pump when CH4
goes high is violated.
Bounded Response3: Actually, this requirement was broken into two subgoals in terms
of this design: firstly, any presence of high CH4 levels shall be translated into the
"AddAlarm" operation of the console proxy object within 200 ms, and secondly, the
operator shall be informed within 350 ms of any operation on the console proxy object.
Fig. 4.15 shows an automaton that accepts all the scenarios where the "AddAlarm"
operation of the console proxy is not executed within 100 ms of a critically high CH4
value even though the sensor device is working. Fig. 4.16 shows an observer automaton
that accepts all the scenarios where the operator is not informed of an operation
performed on the proxy within the 350 ms limit.
Freshness 1: The observer automaton of Fig. 4.17 detects scenarios where CO readings
are more than 100 ms old in normal circumstances (i.e., the "notready" event does
not occur).
Correlation: Fig. 4.18 shows an observer automaton that accepts all the scenarios where
CH4 and CO readings, which are paired in the logger, are values whose ages differ by
more than 100 ms.
False Alarm CO: Fig. 4.19 shows an observer automaton that detects all the scenarios
where a "faulty-device" alarm goes off although the CO device is working properly.
Fault Detection HLW: Fig. 4.20 shows an observer automaton that accepts all the
scenarios where the high-low water level device fails and the alarm is not reported to the
console proxy within 1650 ms. Note that we are assuming that any operation on the
console proxy shall be reflected in the console display within 350 ms (Fig. 4.16).
False Alarm HLW: Fig. 4.21 shows an observer automaton that detects all the scenarios
where a "faulty-device" alarm goes off although the HLW device is working properly.
Fault Detection NET: Fig. 4.22 shows an observer automaton that accepts all the
scenarios where a failure in the net is not reported to the remote controller within 2000
ms.
Figure 4.12: Observer for Separation 
Figure 4.13: Observer for Response1 
Freshness2: Fig. 4.23 shows an observer automaton that accepts all the scenarios where 
the data at CH4 status is older than 100 ms. 
Object Interface Assumptions: Fig. 4.24 shows an observer automaton that accepts all 
the scenarios where more than four alarms are informed by the CH4 Sensor within 
two Get Package Operations. 
In the next sections, we present other approaches to describe and verify properties not 
expressible using the formerly presented reachability approach. 
4.4.2 Büchi Observers
This is a natural extension of the observer technique used in the former sections. This
notion is an event-oriented version of the Büchi TA presented in [7]. Büchi TA are real-time
extensions of Büchi automata [44].
Figure 4.14: Observer for Response2 
Figure 4.15: Observer for Response3: From CH4 to Console Proxy 
Figure 4.16: Observer for Response3: From Console Proxy to ConsoleDisplay 
Figure 4.17: Observer for Freshness 1 
Figure 4.18: Observer for Correlation 
Figure 4.19: Observer for False Alarm for CO 
Figure 4.20: Observer for Fault Detection HLW 
Figure 4.21: Observer for False Alarm for HLW 
Figure 4.22: Observer for Fault Detection NET 
Figure 4.23: Observer for Freshness 2 
Figure 4.24: Observer for Console 
Definition 21 A Büchi TA B is a pair (O, F) where O is a TA and $F \subseteq Locs(O)$ (repeating
locations).
A run σ of O starting from the initial state is accepting for B if for every position $k \in \Pi(\sigma)$
there exists $i \in \Pi(\sigma)$, $k \le i$, such that the location of $\sigma(i)$ belongs to F (i.e., some locations of F are visited
infinitely many times). The language of B, denoted $L_\omega(B)$, is the set of all timed label
sequences with a supporting accepting non-zeno run of O (i.e., a subset of $L_\omega(O)$).
Definition 22 A Büchi observer B for a component A is a pair (O, F) where O is an
observer for A and $F \subseteq Locs(O)$ (repeating locations). Obviously, the language of B,
$L_\omega(B)$, is the set of all timed label sequences with a supporting accepting non-zeno run of
[O] (i.e., a subset of $L_\omega([O])$).
Given a TA A and a Büchi observer B, the problem we want to solve is to know whether
$L_\omega(A) \cap L_\omega(B) = \emptyset$. As remarked in [149], our notion of satisfaction is based on language
intersection rather than the usual automata-theoretic definition based on language
inclusion. Since non-deterministic Büchi TA are not closed under complementation, the
problem of inclusion is generally undecidable [2]. However, the problem of intersection is
decidable. Unlike [149], our approach is event based (i.e., we do not look at traces but at
the execution of transitions). Since we aim at language intersection, when trying to prove
that the system satisfies a property φ we have to use a Büchi Observer B expressing the
negation of φ, which for most interesting properties can be found easily in practice [149]. In
general, they can be useful for expressing liveness properties ("something good eventually
happens").
Note that this generalizes the safety observer framework of previous sections where F is 
just the Error state. 
Example: 12 Figure 4.25 shows a Büchi Observer for the Mine Pump Design that captures
the following requirement: there are no more than two Command requests not served
in the system and every command is eventually served. Actually, the first part can be
expressed (and solved) by using the safety observers. We have a TA for each situation of the
command (being the first in the system or arriving while there is another command not
served yet).
4.4.3 TCTL Observers 
Interesting properties can be stated by using an observer and a TCTL formula: given an
observer automaton O for a component SUA, a labeling function $P : Props \mapsto 2^{Locs(O)}$,
and φ a TCTL formula on Props, the designer can ask whether $[SUA \parallel O] \models_{P^*} \varphi$ where
$P^*$ is the natural extension of P to the cartesian product.
Note that by using observers we avoid requiring the designer to label states of the SUA; this is
important from a methodological point of view since designers should be unaware of the
way the system is mapped into the Timed Automata model (Chapter 5).
Example: 13 In the Mine Pump example we want to know whether the system can always
be driven to a safe state. The observer shows three different levels of risk states due
to the water level. The higher the level, the longer it takes the system to normalize after the
corrective action (motor on). The TCTL query is then: $\forall\Box(Danger \rightarrow \exists\Diamond_{\le k}\ Normal)$
(mode changes). See Figure 4.26.
4.4.4 Linear Duration Observers 
To check duration properties over the SUA we can also use observer components. That is,
given an observer automaton O with final locations F, a labeling function $P : Props \mapsto 2^{Locs(O)}$,
and an LDI formula φ on Props, we want to check whether $S \parallel O \models_{P^*} (\varphi, F^*)$,
where $F^*$ and $P^*$ are the natural extensions of F and P to the cartesian product.
Example: 14 In Figure 4.27 we see an example for the working example. We want to
check that the accumulated time of the motor working although the water level is normal is
at most 5% of the total amount of time in a window greater than 2000 time units:
$(20 \int (ON \wedge NORMAL) - \int True \le 0,\ \{S\})$
Figure 4.25: Büchi Observer: Responsiveness (panels: (a) More than two commands stored or command stored but not served; (b) Command received but not served)
Figure 4.26: TCTL Observer: From Dangerous State to a Normal One
In the example we are assuming that the HLW-sensor issues the right command when it 
detects the change of level. 
Note that we can also ask whether there is a run which reaches an observer location such
that it also satisfies a duration constraint (a satisfiability problem) by just negating the
comparison.⁸
⁸By using satisfiability we can ask things like whether it is possible for a system to fail even though the failure
rate of a faulty component is not higher than a certain value.
Figure 4.27: LDI Observer: Energy Wasted 

Chapter 5 
Semantics of Tasks in terms of I/O
Timed Components
In the last chapter we showed how designs and properties in our proposal can be expressed
by means of four elements: (a) task dynamics, (b) environment behavior, (c) connector
dynamics, and (d) observers. Note that all but the CDAGs for tasks are essentially I/O
Timed Components. The semantics of tasks in terms of I/O Timed Components (also
used to perform the model checking) can be given in three steps. Firstly, we show how
the CDAG is embedded into an automaton that reflects the cyclic or sporadic nature of
the task. Secondly, a TA model is obtained by adding timing information by means of
clocks. Finally, those TA can be attached to an I/O interface to become I/O Timed
Components.
5.1 The Untimed Semantics 
The CDAG of a task is used as the basis to build the timed automaton that models the
complete behavior of the task. Let us explain the final graph in terms of the underlying
CDAG. In the next section we explain how the timing constraints of the referenced figures are
derived.
Periodic Tasks: A location labeled Idle replaces the leaves of the CDAG. The Idle location
is connected to the root of the underlying DAG (i.e., the first sequence of actions)
(see the Pulser task in Fig. 5.1). That edge represents a new release of the task when
the period is completed.
Sporadic Tasks: A location labeled Waiting for Replenish replaces the leaves of the
CDAG. That location models the wait for the replenish time. This location is then
connected to a location labeled Idle (see the TA structure of the ACK-Handler in
Fig. 5.2). There is an edge from Idle to the root of the DAG. This edge is labeled
with the event to be served (triggering event). This event is ignored in any other
location by just looping, since the replenish time has not arrived yet. In Fig. 5.2 we also
show how to model the fact that there is a hardware queue accumulating at most
one interruption: we add a variable to be set to one whenever an interruption arrives
while the signaling mechanism is disabled. Right after the replenish time has elapsed,
control jumps directly to the root location of the underlying CDAG in case there
is one accumulated interruption; otherwise it jumps to the Idle location to wait for the
next interruption. It is also possible to model that the latching mechanism is enabled
only when the server is waiting for replenish time (see the Modeler task in Fig. 5.1). If
the task has initialization code, the corresponding CDAG precedes the former
construction. That is, its final locations are replaced by the location labeled Idle
(see the Modeler task in Fig. 5.1).
5.2 Timed Model 
This section describes the way tasks are represented by TA. The key idea of this work is to
use TA to analyze a conservative abstraction of system behavior. Following the "separation
of concerns" criterion, we exclude the fact that processing resources are shared, but keep its
influence on the temporal behavior of the system. The scheduler is not represented in our
models. Each task is modeled as running on a dedicated processor but taking into account
slowdowns previously calculated using the appropriate scheduling theory (WCCT calculus).
It turns out that a conservative and compositional model can be built by just using time
constraints as maximum and minimum distances between events. No accumulation is
needed to model executed time as in previous dense-time approaches based on Hybrid
Automata ([15, 38, 152], etc.). In this section, we show how to add timing constraints to our
untimed models.
Let e be an edge of the underlying CDAG C and let src(e) be its source location. We know
that the label of e stands for one of the final events generated by the sequence of actions
associated with src(e), denoted Actions(src(e)). To express the best-case occurrence
time (BCCT) of this edge, we use a clock, for example x, which is reset at every incoming
edge of src(e) and tested at e as $Guard(e) = x \ge D$ where
$D = \lfloor \sum_{i=1}^{\#Actions(src(e))} Actions(src(e))[i].Min \rfloor$, where $\lfloor\ \rfloor$ is the floor integer part¹
(the minimum execution time to perform, with no interference, the associated sequence of
actions ended in the event of e).
To express the deadline for the sequence of actions of a location, we use a clock, for instance
z, reset at the edge that links Idle to the root location (the release instant of the task).
We add the following invariant to every location l of the underlying CDAG: $z \le d$ where
$d = \lceil Max\{WCCT(p) \mid p = Actions(l_1)\&\ldots\&Actions(l_n),\ l_1 \ldots l_n \in Paths(Dag(C)),\ l_n = l\} \rceil$
(i.e., p is the concatenation of the actions of a path), where $\lceil\ \rceil$ is the ceiling integer part. This
means that control cannot remain at that location for more time than the maximum
WCCT of the last action associated with that location (WCCTs are measured from the
release time). That is, the invariants at the control locations of the figures are the WCCT for
the underlying associated actions (and constitute the deadline for the outgoing edges).
¹Another option to translate these bounds into integer constants is scaling up all values by multiplying
them by a suitable constant. However, it must be taken into account that the complexity of most
model-checking algorithms is sensitive to the value of the maximum constant.
Figure 5.1: Semantics for the Modeler and the Pulser (panels: Pulser (periodic), Modeler (Sporadic))
Figure 5.2: Semantics for Tasks (panels: Water Flow Sensor (Periodic), ACK Handler (Sporadic))
We also use this clock z to control the periodic release by adding the invariant $z \le P$ to the Idle
location, where P is the period of the task, and associating the guard $z = P$ with the
edge that links the Idle location to the root (see Figures 5.2 and 5.1). A similar mechanism is
used for controlling the time elapsed at the Waiting for Replenish location and jumping to
the Idle location (see Fig. 5.2 and Fig. 5.1).
We can conclude that the model can be understood as the untimed formal model enriched 
by the following temporal rules: 
Releases of jobs of a periodic task with period T occur exactly every T t.u.
Sporadic tasks serve signals when the corresponding minimal interarrival time has 
elapsed since the previous served signal. 
An event which stands for the completion of a sequence of actions occurs at most at 
the WCCT of that sequence of actions relative to the release of the job. 
An event which stands for the completion of a sequence of actions occurs not earlier 
than the starting instant plus the minimum execution time of that sequence. 
Note that this semantic model combines the temporal behavior of all tasks independently.
It may be the case that some combinations of behaviors are not feasible in the actual
implementation due to secondary scheduling effects (e.g., it may not be possible to see all
tasks exhibiting their worst-case completion times within a short interval). However, we believe
that this conservative model is useful in most situations. Indeed, we may lose properties which
are true in the actual implementation due to these side effects of the scheduler; in general,
we believe that designers should not rely on complex hidden constraints (in our future
work section we sketch how we could address some known relations between completion
times).
In Lemma 6 we show that the resulting model can be seen as an I/O timed component.
Therefore, to build the formal model of the system it is necessary to synthesize the WCCT
for the events associated with the edges of task CDAGs, as explained in the next section. The
complexity of the explained procedure is dominated by the complexity of the WCCT calculus.
Formally, the complexity of the translation procedure is $O(s \cdot n_r \cdot n^2 \cdot L)$ where s is
the maximum number of locations plus changes of priority (i.e., actions followed by an
action of a different priority) of a CDAG when converted into a tree (those are the points
at which WCCT is required by our method or by the calculus itself), $n_r$ is the number of
relevant tasks (i.e., the tasks needed to perform the verification; see Chapter 6), n is
the maximum number of tasks sharing the same processor as a task to be analyzed (i.e.,
$\max\{\#A_k \mid \tau_k \text{ to be analyzed} \wedge A_k = \{\tau_j \mid Processor(\tau_j) = Processor(\tau_k)\}\}$), and L is the
ratio of the longest task period to the shortest task period. In practice, internal task
descriptions are quite simple and the complexity is also insensitive to L (see [86]). Therefore,
s and L are very small and the total number of tasks becomes the scalability parameter of the
complexity term (polynomial).
Let us conclude that the semantics of a CDAG is indeed an I/O timed component.
Lemma 6 A possible I/O interface for task TA is $I = \{\{triggering\ event\}\}$ if the task
is sporadic or the empty set otherwise, and $O = \{O(l) \mid l \text{ is a location of the task}\}$.
Proof 11 Clearly $O, I \subseteq P$ where P is a partition of the set of labels of the CDAG.
It is also clear that all events of a candidate output selection are enabled at the same
time, as required by the output selection definition. To show the non-zenoness regardless of input
transitions of task TA, let us observe some facts about locations of the abstract code:
By definition (see Sect. 5.3), the WCCT for the last action of location l (I(l)) is greater than or
equal to the WCCT of its previous location l' (which is I(l'), or 0 if l is the root of the
single-rooted DAG) plus the upper bound for the execution time of the sequence associated with l
(let us recall that in the calculus $E_{i,j+1}(k) \ge E_{i,j}(k) + C_{i,j+1}$). All edges leaving a non-final
location l are guarded "$x \ge D$" where $D = \lfloor \sum_{i=1}^{\#Actions(l)} Actions(l)[i].Min \rfloor$ and
then D is less than or equal to the upper bound for the execution time of the sequence associated
with l. From all previous observations we conclude that: $\forall e, e' \in Edges(Dag(A)) : tgt(e) =
src(e') : WCCT_e + Delay(e') \le WCCT_{e'}$ (where $Delay(e') = D$ if $Guard(e') = x \ge D$
or $Delay(e') = 0$ otherwise, $I(src(e)) =$ "$z \le WCCT_e$", $I(src(e')) =$ "$z \le WCCT_{e'}$").
This means that, no matter how late a location is entered (the latest is I(src(e)) for some
incoming edge e), time can elapse (0 or more t.u.) in order to satisfy the delay of an
outgoing-transition guard and thus perform a discrete transition. We also know that
the WaitingForReplenish and Idle locations are sink locations (i.e., runs eventually arrive at
them). Those locations can also be abandoned since the WCCT of the whole task is less than or
equal to the period.
Hence, in  the case of periodic tasks, a run can be extended in such a way that it takes 
infinitely many Newperiod-labeled transitions. Thus, time diverges. In  the case of sporadic 
task runs can reach the location that waits for the trigger event (the input selection) but in 
that location time can progress unboundedly. 
We can also conclude that a run containing an infinite number of non-input tmnsitions 
must contain an infinite number of NewPeriod or ReplenishTime labels - depending of 
its cyclic or sporadic nature. Those runs must be time divergent. 
Finally, let us prove the following theorem:
Theorem 5 The parallel composition of the model SUA and an observer is non-zeno.
Proof 12 We know that tasks are I/O components by Lemma 6. Two task components are clearly I/O compatible among themselves (at most they share a triggering event). In Section 4.3 we required constraining components to be I/O compatible with the tasks and with the other constraining TA they synchronize with. An observer component for a given SUA is compatible with all the SUA components. Thus all components are pairwise compatible; then, applying Corollary 4, we know that the composition of the SUA with the observer is an I/O Timed Component, and we conclude the non-zenoness of the model composed with the observer.
5.3 The WCCT Calculus
The WCCT calculus aims at assessing the schedulability of a set of periodic tasks running under Fixed-Priority scheduling ([109, 121], etc.). Roughly speaking, the WCCT (or response time) for a task $\tau_i$ can be calculated as the least fixed point of an equation. That equation takes into account the worst-case interference of tasks running on the same processor with higher or equal priority, plus the blocking time due to lower priority tasks accessing mutual exclusion areas.
In our model, each job (invocation) of a task may perform a different path of its CDAG. A path is a sequence of subtasks. A subtask is just a set of actions with a common priority. In fact, the sequence of actions associated with a location can be broken into subsequences of actions which share the same priority. Therefore, each path of the CDAG is a sequence of the subtasks associated with each location of the path. We adapt the technique of [86] to suit our assumptions. As was previously mentioned, that technique helps us to calculate the WCCT of subtasks, which may be required for building the timed model presented in Sect. 5.2. In what follows, we recall some notions and results of [86] while pointing out the way we have instantiated or generalized that work.
Formally, in our framework, a task $\tau_i$ consists of $p(i)$ paths. Each path $h$ of $\tau_i$ ($1 \leq h \leq p(i)$) consists of $m(i,h)$ subtasks $\beta_{i,h,1} \ldots \beta_{i,h,m(i,h)}$. In particular, a subtask $\beta_{i,h,j}$ is characterized by $P_{i,h,j}$, which is the priority of the subtask actions, and $C_{i,h,j}$, which stands for its worst case computation requirement (it is just the sum of the maximum requirements of each subtask action). We do not need a deadline since we are only interested in computing the worst case response time (or WCCT) of subtasks.
Definition 23 A $\tau_i$-idle instant is any time $t$ such that
all work of priority $Pmin_i$ (the minimum priority of any subtask of $\tau_i$) or higher started before $t$, and
all $\tau_i$ jobs also started before $t$, have been completed at or before $t$.
Definition 24 A $\tau_i$-busy period is an interval of time $[A, B]$ such that
both $A$ and $B$ are $\tau_i$-idle instants, and
there is no time $t \in (A, B)$ such that $t$ is a $\tau_i$-idle instant.
From the fact that in our model $Pmin_i$ (the base priority of $\tau_i$) is the priority of the first subtask of the task (which is indeed the first subtask of all task paths), we easily obtain the following result from Theorem 4 of [86]:
Theorem 6 The longest response time for any subtask $\beta_{i,h,j}$ is found during a $\tau_i$-busy period initiated by $\tau_i$.
To calculate response times, tasks running on the same processor are placed into groups based upon the priorities of their subtasks relative to $\tau_i$. The five groups of tasks defined in [86] are reduced in our case to three groups (corresponding to types 1, 4, and 5 of [86] respectively; types 2 and 3 are not possible due to our assumption that $Pmin_i$ is the priority of the first subtask):
1. Higher priority tasks: Task $\tau_k$ belongs to this type if all its subtasks have priority equal to or greater than $Pmin_i$ (i.e. $Pmin_k \geq Pmin_i$). They can preempt $\tau_i$ more than once per busy period. The phasing that produces the largest response time for any job of $\tau_i$ is to have such a task initiated at the same instant that $\tau_i$ is initiated.
2. Lower priority tasks which have a blocking segment: Task $\tau_k$ belongs to this type if $Pmin_k < Pmin_i$ but there is at least one subtask with priority greater than or equal to $Pmin_i$. Only one sequence of consecutive subtasks of priority equal to or higher than $Pmin_i$ (an H segment [86]) of one task of this type may influence the response time of $\tau_i$ (precisely, that segment is running when $\tau_i$ is initiated). The length of the longest H-segment is called the blocking term of $\tau_i$ (denoted $B_i$).
3. Lower priority tasks: Task $\tau_k$ belongs to this type if all its subtasks have lower priority than $Pmin_i$ (i.e. $\forall 1 \leq h \leq p(k), 1 \leq j \leq m(k,h) : P_{k,h,j} < Pmin_i$). Therefore, they cannot influence the response time of $\tau_i$.
Taking into account that we need to deal with only three groups of tasks, we adapted the original technique to directly obtain the WCCT for intermediate subtasks without "canonization".^2
Therefore, these are the steps to follow for analyzing $\tau_i$ subtasks:
[Step 1:] Determine the length of the $\tau_i$-busy period:
$L_i := min(t > 0 / B_i + \lceil t/T_i \rceil * C_i + \sum_{p \in MP_{i,1,1}} \lceil t/T_p \rceil * C_p = t)$.
Where:
$Pmin_i$ is the base priority of task $\tau_i$ (remember tasks should start and end with the base priority, which is the minimum priority of all subtasks).
$MP_{i,h,j}$ is the set of tasks that can preempt (i.e., $\{\tau_p / p \neq i$ and $Pmin_p \geq P_{i,h,j}$ and $Processor(i) = Processor(p)\}$). Note that in this formula we refer to $P_{i,1,1}$, which is the priority of the first subtask of any path of $\tau_i$.
$T_p$ is the period of task $\tau_p$.
$C_p$ is the computation requirement of task $\tau_p$. In our model, this value is the maximum computation requirement of the paths of task $\tau_p$ (the computation requirement of a path is just the sum of the upper bounds of its associated actions).^3
$B_i$ is the blocking time due to PCP emulation.
^2 Canonization is a technique presented in [86] that changes the priority of subtasks without altering the WCCT of the last subtask.
[Step 2:] Analyze the WCCT for each job.
Let $N_i$ be $\lceil L_i / T_i \rceil$, the number of jobs of the task to which the $\tau_i$ path belongs that are executed during its busy period. Then, for all $k \leq N_i$, we must calculate the worst case response time of each subtask in each job to get the maximum in the busy period.
The recursive definition of WCCT is:
$E_{i,h,1}(k) := min(t > 0 / B_i + (k-1) * C_i + C_{i,h,1} + \sum_{p \in MP_{i,h,1}} \lceil t/T_p \rceil * C_p = t)$.
This is the WCCT of the first subtask of the task path for the $k$-th job (this is the subtask shared by all paths).
Then, the response time of $\beta_{i,h,j+1}$ for its $k$-th job is:
where
$n_{i,h}(j,p) = max(n \leq j / p \in MP_{i,h,n})$.
Finally, the WCCT of $\beta_{i,h,j}$ is $Max\{E_{i,h,j}(k) - T_i * (k-1) / 1 \leq k \leq N_i\}$. It can be trivially checked, using the calculated values, that each of the task's jobs finishes its work before a new period (i.e., the replenish time for sporadic tasks) is started (one of the modeling assumptions).
Note that, since paths intersect in common prefixes (at least the root), $\beta_{i,h,j}$ may also appear as $\beta_{i,h',j'}$ for $h \neq h'$ with $j = j'$. However, the WCCT calculus provides the same result in both cases, as expected. In fact, the calculus just depends on the sequence of preceding subtasks, and those sequences coincide in both paths.
Let us point out that there is a generalization w.r.t. the original work, since we do not use the canonical form. We calculate $E_{i,h,n_{i,h}(j,p)}$ to know a point up to which all jobs of task $\tau_p$ have been executed (to see how many hits were already counted). In fact, we need at most to consider the computation requirements of the rest of the jobs of $\tau_p$ (potentially accumulated because of the preceding higher priority subtasks) to calculate the worst case completion time of the subtask $\beta_{i,h,j+1}$. Note that these values $n_{i,h}(j,p)$ can be calculated beforehand in $O(n_T \cdot s)$, where $n_T$ is the number of tasks to be analyzed and $s$ is the maximum number of subtasks of those tasks.^4 Nevertheless, the previous calculus is more general than required because at most the execution of one job would be pending, due to the assumption that worst case response times should be smaller than periods.
[86] shows that the complexity of solving those equations is $O(M \cdot n^2 \cdot L)$ where $n$ is the number of tasks, $M$ is the number of deadlines to be analyzed and $L$ is the ratio of the longest task period to the shortest task period. By instantiating that complexity calculus and recalling the previous remarks on the computation of $n_{i,h}(j,p)$, it can be straightforwardly concluded that the complexity of this calculus is $O(s \cdot n_T \cdot n^2 \cdot L)$ where $n_T$ is the number of tasks to be analyzed, $s$ is the maximum number of subtasks of those tasks, $n$ is the maximum number of tasks sharing the same processor as a task to be analyzed (i.e., $Max_{\tau_i \text{ to be analyzed}}(\#\{\tau_k / Processor(\tau_k) = Processor(\tau_i)\})$), and $L$ is the ratio of the longest task period to the shortest task period.
^3 The paths of the initial code of a sporadic task are considered as part of the set of paths of the task.
Associated with a sporadic task, an interrupt handler [109] can also be described in our notation. An interrupt handler (IH) has a priority greater than any subtask appearing in the corresponding task. At first sight, it seems that this contradicts our assumptions on the priority profile (actually the interrupt handler followed by the task may become a single preemptive task for other tasks [86]). However, we can treat the interrupt handler as another task. In fact, we assume that the WCCT of the task must be less than or equal to the minimal interarrival time, and thus the IH will be counted at most one time using the calculus presented. Note also that the WCCT of the first subtask of the server ($\beta_{i,1,1}$) is greater than or equal to the WCCT of its IH plus $C_{i,1,1}$, since $B_{IH} \leq B_i$ and $MP_{IH} \subseteq MP_{i,1,1}$ (the IH has greater priority than $P_{i,1,1}$, the base priority of $\tau_i$).^5 On the other hand, when analyzing the interference of task $\tau_i$ on lower priority tasks, the influence of the interrupt handler and the server itself is counted as if they were originally treated as a single task (both are multiple preemptive with the same period).
Example 15 Let us analyze the WCCTs of task $\tau_i$ = ACK-handler (Mine Drainage case study), which has a minimal interarrival time of 500 ms. This task $\tau_i$ has one path, namely: $([1], 12) \to ([2], 13) \to ([.5], 12)$. That is, we want to calculate the WCCT of $\beta_{i,1,1}$, $\beta_{i,1,2}$, $\beta_{i,1,3}$. Note that there exists only one task which is multiple preemptive to this task: the interrupt handler of the HLW-sensor, which has a computational requirement of 1 ms. On the other hand, the blocking term of $\tau_i$ is 2 ms. This is the maximum computational time of the services provided by higher-priority protected objects: "CH4 Status", "ACK-Queue", and "Log". Therefore the length of the $\tau_i$-busy period:
the result is 6.5 and thus only one job executes during the busy period (i.e., $N_i = 1$). Since only one job must be analyzed, the WCCTs of $\beta_{i,1,1}$, $\beta_{i,1,2}$, $\beta_{i,1,3}$ are $E_{i,1,1}(1)$, $E_{i,1,2}(1)$, and $E_{i,1,3}(1)$ respectively.
^4 Each subtask $\beta_{i,h,j}$ may store, for each priority $p \geq P_{i,h,j}$, the index $n \leq j$ of the last previous subtask such that $p \geq P_{i,h,n}$. Those values can be stored in one depth-first traversal of the tasks.
^5 When dealing with tasks that complete before the end of the period, like in our case.
^6 This property is used to explain why the models we build are non-zeno.
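As an added example (not part of the thesis and not its tool), the following Python code implements Step 1 (the busy-period fixed point $L_i$) and the first-subtask equation $E_{i,h,1}(k)$ of Step 2, together with the index $n_{i,h}(j,p)$, and runs them on the data of Example 15. The equation for the later subtasks $\beta_{i,h,j+1}$ is not reproduced on this page, so it is not implemented. The ACK-handler path, its interarrival time and the blocking term are those of Example 15; the interarrival time and priority of the HLW-sensor interrupt handler are not given on the page and are assumed here (any interarrival time of at least 6.5 ms gives the same busy period).

```python
import math
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Task:
    """A task with a single path; subtask j has cost C_{i,1,j} and priority P_{i,1,j}."""
    name: str
    period: float                 # T_i (minimal interarrival time for a sporadic task), ms
    costs: Tuple[float, ...]      # C_{i,1,j}: worst-case computation requirement per subtask
    priorities: Tuple[int, ...]   # P_{i,1,j}: priority of each subtask
    processor: str = "cpu0"

    @property
    def cost(self) -> float:
        """C_i: computation requirement of the (only) path."""
        return sum(self.costs)

    @property
    def pmin(self) -> int:
        """Pmin_i: base priority, which is the priority of the first subtask."""
        return self.priorities[0]


def least_fixed_point(f: Callable[[float], float], limit: float = 1e6) -> Optional[float]:
    """Smallest t > 0 with f(t) = t.  f is monotone and built from ceilings, so iterating
    t <- f(t) from a tiny positive t climbs to the least fixed point; None is returned
    when the iteration exceeds `limit` (the busy period never closes)."""
    t = 1e-9
    while True:
        nxt = f(t)
        if nxt == t:
            return t
        if nxt > limit:
            return None
        t = nxt


def preempting_set(task: Task, tasks: List[Task], prio: int) -> List[Task]:
    """MP_{i,h,j} = {tau_p / p != i, Pmin_p >= P_{i,h,j}, Processor(p) = Processor(i)}."""
    return [p for p in tasks
            if p is not task and p.processor == task.processor and p.pmin >= prio]


def busy_period(task: Task, tasks: List[Task], blocking: float) -> Optional[float]:
    """Step 1: L_i = min(t > 0 / B_i + ceil(t/T_i)*C_i + sum_{p in MP_{i,1,1}} ceil(t/T_p)*C_p = t)."""
    mp = preempting_set(task, tasks, task.pmin)   # P_{i,1,1} is Pmin_i
    return least_fixed_point(
        lambda t: blocking + math.ceil(t / task.period) * task.cost
        + sum(math.ceil(t / p.period) * p.cost for p in mp))


def jobs_in_busy_period(task: Task, tasks: List[Task], blocking: float) -> Optional[int]:
    """N_i = ceil(L_i / T_i): jobs of tau_i released inside its busy period."""
    L = busy_period(task, tasks, blocking)
    return None if L is None else math.ceil(L / task.period)


def first_subtask_response(task: Task, tasks: List[Task], blocking: float, k: int) -> Optional[float]:
    """Step 2: E_{i,h,1}(k) = min(t > 0 / B_i + (k-1)*C_i + C_{i,h,1}
                                  + sum_{p in MP_{i,h,1}} ceil(t/T_p)*C_p = t)."""
    mp = preempting_set(task, tasks, task.priorities[0])
    return least_fixed_point(
        lambda t: blocking + (k - 1) * task.cost + task.costs[0]
        + sum(math.ceil(t / p.period) * p.cost for p in mp))


def first_subtask_wcct(task: Task, tasks: List[Task], blocking: float) -> Optional[float]:
    """WCCT of beta_{i,h,1} = Max{E_{i,h,1}(k) - T_i*(k-1) / 1 <= k <= N_i}."""
    N = jobs_in_busy_period(task, tasks, blocking)
    if N is None:
        return None
    return max(first_subtask_response(task, tasks, blocking, k) - task.period * (k - 1)
               for k in range(1, N + 1))


def last_preempting_index(task: Task, p: Task, j: int) -> Optional[int]:
    """n_{i,h}(j, p) = max(n <= j / p in MP_{i,h,n}); None if p never preempts up to subtask j."""
    ns = [n for n in range(1, j + 1) if p.pmin >= task.priorities[n - 1]]
    return max(ns) if ns else None


# Data of Example 15: ACK-handler path ([1],12) -> ([2],13) -> ([.5],12), interarrival
# time 500 ms, blocking term B_i = 2 ms.  The HLW-sensor interrupt handler costs 1 ms;
# its interarrival time (500) and priority (20) are NOT on the page and are assumed.
ACK_HANDLER = Task("ACK-handler", period=500, costs=(1, 2, 0.5), priorities=(12, 13, 12))
HLW_IH = Task("HLW-sensor-IH", period=500, costs=(1,), priorities=(20,))   # assumed values
SYSTEM = [ACK_HANDLER, HLW_IH]
BLOCKING = 2.0   # B_i: longest H-segment among "CH4 Status", "ACK-Queue" and "Log"

if __name__ == "__main__":
    print("L_i =", busy_period(ACK_HANDLER, SYSTEM, BLOCKING))                      # 6.5
    print("N_i =", jobs_in_busy_period(ACK_HANDLER, SYSTEM, BLOCKING))              # 1
    print("E_{i,1,1}(1) =", first_subtask_response(ACK_HANDLER, SYSTEM, BLOCKING, 1))  # 4.0
```

The busy period comes out as $2 + 3.5 + 1 = 6.5$ ms, matching the value stated in Example 15, and one job ($N_i = 1$) is analyzed; the first subtask's WCCT is $E_{i,1,1}(1) = 2 + 1 + 1 = 4$ ms. A task set whose interference never lets the fixed point close (for instance a task whose cost exceeds its own period) makes `busy_period` return `None`, which is the check a practitioner would add before trusting any of the derived invariants.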
Chapter 6 
Model Reductions 
Complexity of most model-checking methods depends heavily on the size of the model. Normally a design conveys more information than actually needed to prove a certain property. Ad-hoc abstractions, applied by an expert, are a common approach to tackle the complexity problem (e.g., see the discussion in [142]). To avoid informal claims on the correspondence between the model and the abstraction, some approaches also provide a mathematically sound framework, but they still require the user to build the abstraction (see for example [55, 83] in the untimed setting). Another group of techniques also provides an automatic means to check the abstraction given by the user: in [111], a compositional framework is developed where an automaton may be replaced with another automaton under the assumption of language containment when composed with the same context. The user should provide a candidate abstraction of the automaton and a homomorphism (that preserves timed behavior) as a proof that the abstraction actually holds. That proof is then automatically checked.
Finally, like the authors of [89], we believe that mathematically sound and efficient abstraction techniques, not requiring too much user ingenuity, are also a paramount issue when developing practical tools. In this group we can find, among others, [89] in the untimed framework or [63, 116] for the timed setting. Following this research line, we provide a set of automatic abstractions for our application model that preserve or enlarge the timed language of our models without compromising non-zenoness.
In the next two subsections, we present an exact abstraction method and a set of rules which produce conservative models. In the first case, a method builds a model which is simulation equivalent w.r.t. the events of the observer (i.e., it is indistinguishable for the observer). In the second case, the rules produce models which can simulate the original one (i.e., they might enlarge the set of behaviors of the original model). Conservativeness means that properties valid in the abstract model are conserved in the original one.
6.1 Exact Abstraction: The Relevance Calculus
Fortunately, in general, it is not necessary to make the parallel composition of all the TA that compose the model of the application in order to observe the relevant system behavior. We exploit architectural information of our models to statically discover a subset of components and events that are sufficient to check whether a requirement is met or not. In [110], heuristics are proposed to localize a set of processes to check a property. Unlike that work, we use our knowledge of the architectural style to build a technique that automatically detects a subset of components to perform a still-accurate analysis (it is not a trial-and-error technique like the one presented in [110]).
Definition 25 Given a CDAG $C$ and a set of labels $R$, we define the Relevant Prefix of $C$ for $R$ (denoted $\lceil_R C$) to be the minimum set of nodes of $C$ satisfying the following set of rules (i.e., Least Fixed Point):
The irrelevant suffix, denoted $\lfloor_R C$, is the complement set of nodes.
Definition 26 (Relevance Calculus) Given a set of constraining and task components $S$ and an observer component $O$, the set of relevant components and the set of relevant events which are sufficient to perform the verification are the smallest sets $RC$ and $RE$ respectively such that they satisfy the following rules:
1. All events of the observer are relevant (i.e., $Labels(O) \subseteq RE$).
2. If a task or a constraining component $A \in S$ exports a relevant label which is not an input selection of $A$ of size one, then $A$ is relevant (i.e., $A \in RC$).
3. All events of a relevant constraining component $A$ are relevant (i.e., $Labels(A) \subseteq RE$).
4. The triggering event of a relevant sporadic task is relevant.
5. Given a task $A$ and a location $l$ of its underlying CDAG, the output selection $O(l)$ is relevant (i.e., $O(l) \subseteq RE$) if there exists a pair of locations $l' \neq l''$ following $l$ (i.e., there exist $e', e'' \in Edges(DAG(A))$ with $src(e') = l$, $src(e'') = l$, $tgt(e') = l'$, and $tgt(e'') = l''$), and one of them (or both) belongs to the relevant prefix (i.e., $\{l', l''\} \cap \lceil_{RE}(DAG(A)) \neq \emptyset$).
Before going into further details, let us sketch the abstraction technique. Firstly, the set of relevant components and events is calculated with a least fixed-point algorithm straightforwardly based on the former definition. Secondly, by using the reduction rules of Def. 27, the relevant task automata are reduced so as to show just those relevant events as edges. The "submodel" so obtained is guaranteed to have the same behaviors as the whole model, up to the observational power of the observer automaton. That is, the set of (reduced) relevant components generates the same event sequences captured by the observer as the whole model. Formally speaking, the submodel is simulation equivalent to the original system up to the relevant events. It is important to point out that, differently from former approaches, our method does not necessarily require all tasks belonging to a processing node in order to check a property that involves just some of those tasks.
Definition 27 (Procedure for Collapsing Task Automata) Given a set of labels $R$ and an I/O timed component modeling a task $C = (A, (I, O))$, $C_R = (A_R, (I, O_R))$ denotes a component where $A_R$ and $O_R$ are obtained from $A$ and $O$ by applying the following rules:
1. Eliminate every pair of locations $a$ and $b$ of the underlying CDAG such that
$b \neq nil$,
they are in sequence (i.e., $\forall e \in Edges(Dag([C])) : src(e) = a \Rightarrow tgt(e) = b$), and
$\forall e : src(e) = a : Label(e) \notin R$;
then, add a location, namely $c$, with the same arriving edges as $a$ and the same leaving edges and invariant as $b$. Change the delay guards of the edges by adding to their constants the minimum delay of the edges leaving $a$.
2. Eliminate all nodes $l$ (i.e., locations) of the underlying CDAG which do not reach $R$-labeled edges in the abstract code (i.e., $l$ in the irrelevant suffix: $l \in \lfloor_R C$).
3. $O_R$ is obtained from $O$ by eliminating the output selections whose labels are no longer present in $A_R$.
In Sect. 6.3 we show that these rules preserve the semantics up to the labels in $R$ (i.e., $[C] \approx_R [C_R]$). Notice that the application of these rules may alter the I/O interface of $C_R$ w.r.t. $C$ by just eliminating output selections. Thus, if $C$ and $C'$ are I/O compatible then $C_R$ and $C'$ are I/O compatible as well.
Example 16 In Fig. 6.1 we can see CH4Sensor, while in Fig. 6.2 CH4Sensor$_{RE}$ is depicted, where $RE = \{CH4Ready, CH4NotReady, AlarmAddedByCH4Sensor, CH4Read, Safe, NotSafe\}$.
We assume that $C_R = C$ in the case that $C$ is a constraining component. That is, in this presentation, we do not provide $\approx_R$-preserving transformation rules for the general case of TA.
Figure 6.1: CH4-Sensor Semantics
Figure 6.2: CH4-Sensor Semantics collapsed
Table 6.1: Components Needed for Requirements of Active Structure System
| Requirement | Components | Locs | Edges | Clocks | Abs |
| Freshness | Sensor||Comm||Modeler||Pulser | 126 | 299 | 5 | NO |
| Regularity | Pulser||Comm||Actuator | 96 | 186 | 4 | NO |
The following theorem formally states what is claimed at the beginning of this section:
Theorem 7 Given a compatible set of components SUA modeling the system under analysis, and the set of relevant components $RC$ and events $RE$ defined by the relevance rules of Def. 26, then $[SUA] \equiv_{RE} [RC]$ and therefore $[SUA] \approx_{RE} [RC_{RE}]$.
The proof is done by establishing the CO-bisimulation between the systems and showing that non-relevant components cannot affect the occurrences of relevant events (see Sect. 6.3).
Since, given an observer timed automaton $O$, $Labels(O) \subseteq RE$ by the rules, then by Corollary 1 and Theorem 1 the following result can be trivially inferred:
Corollary 5 Given a compatible set of components SUA (the system), an observer component $O$, and the set of relevant components $RC$ and relevant events $RE$ defined by the relevance rules of Def. 26, then the error location is reachable in $[SUA \parallel O]$ iff it is reachable in $[RC_{RE} \parallel O]$.
That means that we only need to compose the TA obtained from the relevant components, translated to the level of abstraction dictated by the relevant events, to solve the original reachability problem. Note also that, if the collapsing part is not applied to the relevant components, even branching properties such as TCTL are preserved in the reduced model, as proved in Chapter 3 and summarized in Chapter 8.
Dealing with the working examples, Table 6.1 and Table 6.2 show which components are actually needed in the parallel composition to solve each requirement. They also show the size parameters of the resulting models (number of locations, edges, and clocks). Experience showed that these relevant subsets are rather small, reducing the verification effort. Reasons for this encouraging observation are the use of non-blocking communication media and the fact that we do not model schedulers. Therefore, the technique generates rather "loosely coupled and asynchronous" models in terms of the influence among components. In many cases, our relevance calculus discovers that, in order to verify a given observer, it is sufficient to consider the set of components that generates the events named in the observer. Note that even in a real-size system, the number of interacting components whose behavior must be considered for checking a given requirement may be significantly smaller than the total number of components (encouraging the use of this automatic verification approach for real-life systems).
Table 6.2: Components Needed for Requirements of Mine Drainage System
| Requirement | Components | Locs | Edges | Clocks | Abs |
6.2 Conservative Abstractions
Most of the research effort was focused on exact abstractions. They are very appealing because they are equivalent to the original model up to the property to be checked. However, conservative techniques can be very useful in practice to dramatically reduce time and space in the verification process. To illustrate these other means of reducing the size of the models, we developed a small set of rules to further reduce the size of the obtained TA without eliminating any behavior. This idea is, in some sense, similar to the one of [116], but we rely on the topology of our models and therefore obtain more reduction. That is, by knowing the topology of the TA modeling tasks, we can state a set of conservative rules to further reduce the size of the underlying DAG, probably losing accuracy, but without compromising the correctness of the final analysis (they do not eliminate behaviors). Our methodology allows the user to apply these simple rules to further abstract the model. We believe that this is a reasonable way to build an interactive wizard tool that preserves the correctness of user manipulation when full automation becomes infeasible.
To illustrate the concept, we just present two rules (those used in the example):
1. Given three locations $a, b, c$ of the underlying DAG such that $b \neq nil$, $c \neq nil$, and such that $\forall e \in E : src(e) = a \Rightarrow tgt(e) = b \vee tgt(e) = c$; then $b$ and $c$ may be eliminated by adding $d$, target of the same set of edges as $c$ and $b$ and source of the union of the edges leaving $b$ and $c$. Its invariant constant must be the maximum between the invariant constants of $b$ and $c$ (this rule can be easily generalized to more than two "next" locations). This rule forgets the history of the computation and considers the worst case response times of all paths finalizing at the collapsed locations.
2. Given two locations $a$ and $b$ ($b \neq nil$) in sequence, perform the manipulation explained in item 1 of Def. 27. Note that this rule does not add any behavior provided no automaton of the set shares the labels that are eliminated. Obviously, it does not lose behaviors.
Figure 6.3: Conservative Abstraction Rules.
In Fig. 6.3, we show a schema of the transformation rules. In column Abs of Tables 6.1 and 6.2, we point out in which verifications the former conservative rules were applied. Other conservative transformation rules not used in the example are the elimination of the guards and clocks used to guarantee the minimum delay, or the elimination of any constraining component, etc. It is easy to see that all those rules:
1. Preserve the same language up to the remaining edges. In fact, the obtained Timed Automaton can simulate any run of the original Timed Automaton up to the remaining labels,
2. Preserve non-zenoness. The reason for the non-zenoness of these models is that they preserve the following relation: $\forall e, e' \in Edges(A) : tgt(e) = src(e') : I(src(e)) + Delay(e') \leq I(src(e'))$ (see Sect. 3.3.1), and
3. Preserve the I/O compatibility; in particular, rule 2 just eliminates output selections or internal edges.
Figure 6.4: CH4-Sensor Conservative Reduction ($I = \{\}$; $O$ includes $\{CH4NotReady, CH4Ready\}$ and $\{Safe, NotSafe\}$)
Example 17 In Fig. 6.4 we can see a further abstraction of CH4Sensor$_{RE}$ where two paths were merged into one, first using rule one and then rule two.
6.3 Correctness of Relevance Calculus
Before proving the theorem, let us observe some facts about the relevance calculus.
Proposition 1 (On Including Relevant Components) The rules include as relevant a component $A$ that synchronizes with a component $B \in RC$ if and only if:
$A$ is a task or constraining component and $B$ is a constraining component such that there is a common label which is not an input selection of $A$ of size one (remember that all events of a relevant constraining component are relevant).
$A$ and $B$ are task TA and $A$ triggers $B$ (they can only synchronize on trigger events).
$B$ is a task automaton with a location $l$ in the underlying DAG that precedes at least two different locations such that at least one of them belongs to the relevant prefix, and $A$ is a constraining component featuring $O(l)$ as input selection.
$A$ is a constraining component that triggers a relevant task automaton $B$.
Then, it is not difficult to see that there are two cases where $A$ synchronizes with a relevant component $B$ and it is not included as relevant by the rules:
1. The common labels are all input selections of $A$ of size one.
2. $A$ is a constraining component synchronizing with an output selection $O$ of $B$, but in all occurrences of $O$ in the CDAG of $B$ the targets of the $O$-labeled edges are the same location or the locations belong to the irrelevant suffix (i.e., there is no relevant event before the new release of the task). Note that the occurrence (and time) of an event just depends on previous events in the same release of the task, since the WCCT of a task is less than its period.
Note also that since all the events of constraining components and trigger events are relevant, the synchronizing labels of $[RC]$ (TA of relevant components) must belong to $RE$.
Lemma 7 The automaton produced by applying the collapsing rules (Definition 27), $[C_R]$, is simulation equivalent w.r.t. the original one $[C]$ up to $R$.
Proof 13 We will prove that the result of applying each rule once produces an automaton which is simulation equivalent to the input automaton. Since $\approx_R$ is an equivalence relation, we straightforwardly conclude that the repeated application of rules produces a simulation equivalent automaton.
Rule 1:
Let us define a simulation between $[C]$ and $[C_R]$ when $[C_R]$ differs from $[C]$ in the fact that $a, b$ were collapsed into $c$ (first rule). We say that $(s, x, z)\ S\ (s', x', z')$ iff ($s = s'$, $s \neq a$, $s \neq b$, $x = x'$, and $z = z'$) or ($s = a$, $s' = c$, $x = x'$, and $z = z'$) or ($s = b$, $s' = c$, $x' \geq x + d$, and $z = z'$), where $d$ is the minimum delay of the edges leaving $a$.
Now, the only non-trivial cases are when $s$ is either $a$ or $b$.
If $(a, x, z) \mapsto_D (b, 0, z)$ then $(c, x', z') \mapsto_0 (c, x', z')$ and for sure $x' \geq 0 + d$ and $z = z'$ (since $x = x'$ and to jump $x$ must be $\geq d$). Then, $(c, x', z') \to^R_0 (c, x', z')$ and obviously $(b, 0, z)\ S\ (c, x', z')$.
If $(a, x, z) \mapsto_t (a, x + t, z + t)$ then $(c, x', z') \mapsto_t (c, x' + t, z' + t)$ (the invariant at $c$ is weaker than the invariant at $a$). Then, $(c, x', z') \to^R_t (c, x' + t, z' + t)$ and obviously $(a, x + t, z + t)\ S\ (c, x' + t, z' + t)$.
If $(b, x, z) \mapsto_t (b, x + t, z + t)$ then $(c, x', z') \mapsto_t (c, x' + t, z' + t)$ (the invariant at $c$ is the same as the invariant at $b$); then $(c, x', z') \to^R_t (c, x' + t, z' + t)$ and obviously $(b, x + t, z + t)\ S\ (c, x' + t, z' + t)$.
If $(b, x, z) \mapsto_D (n, 0, z)$ using an edge guarded $x \geq D$ then $(c, x', z') \mapsto_D (n, 0, z')$ since $x' \geq D + d$ and $z = z'$. Then $(c, x', z') \to^R_0 (c, x', z') \mapsto_D (n, 0, z') \to^R_0 (n, 0, z')$ and obviously $(n, 0, z)\ S\ (n, 0, z')$.
It is easy to see that the initial states are related.
Now, let us define a simulation between $[C_R]$ and $[C]$: we say that $(s, x, z)\ S\ (s', x', z')$ iff ($s = s' \neq c$, $x = x'$, $z = z'$) or ($s = c$, $s' = a$, $x = x' \leq d$, and $z = z'$) or ($s = c$, $s' = b$, $x > d$, $x' = x - d$, and $z = z'$), where $d$ is the minimum delay of the edges leaving $a$. In fact, let $(c, x, z)\ S\ (s', x', z')$. If $(c, x, z) \mapsto_D (n, 0, z)$ then $s' = b$, $z = z'$ and $x' = x - d$ since $x \geq D + d$. Also, since $x' \geq D$, then $(b, x', z') \mapsto_D (n, 0, z')$.
If $(c, x, z) \mapsto_t (c, x + t, z + t)$ and $x \leq d$, then we know that $s' = a$ and $x = x'$; then, if $x' + t \leq d$, $(a, x', z') \mapsto_t (a, x' + t, z' + t)$ (remember that the task TA are non-zeno, so $I(a)[x' + t]$ holds) and the simulation holds. If $x' + t > d$ then $(a, x', z') \mapsto_{d - x'} (a, d, z' + (d - x')) \mapsto_D (b, 0, z' + (d - x')) \mapsto_{t - (d - x')} (b, t - (d - x'), z' + t)$; then $(a, x', z') \to^R_t (b, t - (d - x'), z' + t)$, $x + t = x' + t \geq d$, $t - (d - x') = x + t - d$, and $z + t = z' + t$.
It remains to be proved: $(c, x, z) \mapsto_t (c, x + t, z + t)$ and $x > d$. Then, we know that $s' = b$, $z = z'$, and $x' = x - d$. We have $(b, x - d, z') \mapsto_t (b, x - d + t, z' + t)$ since the invariants are the same; then $(c, x + t, z + t)\ S\ (b, x - d + t, z' + t)$.
Rule 2:
For rule 2 the simulation is $(q, x, z)\ S\ (q', x', z')$ iff ($q = q'$, $q \in \lceil_R Dag(C)$ (the relevant prefix), $x = x'$ and $z = z'$) or ($q' = Idle$, $q \in \lfloor_R Dag(C)$, and $z = z'$). It is easy to see that $S$ is actually a bisimulation due to the fact that a) the time of occurrence of the next relevant event in the irrelevant suffix (i.e., the NewPeriod or ReplenishTime occurrence) depends on the $z$ clock value (which is the same in related states), and b) $[C]$ is non-zeno and then time can elapse to the next period, where all clocks are reset.
Theorem 7: Given a compatible set of components SUA (modeling the whole system), and the set of relevant components $RC$ and events $RE$ defined by the relevance rules of Def. 26, then
$[SUA] \equiv_{RE} [RC]$
and therefore $[SUA] \approx_{RE} [RC_{RE}]$.
Proof 14 Let us understand why there exists a CO bisimulation between the systems. We will define a CO bisimulation for a set of labels R equal to RE plus the new period and replenish time events of all relevant tasks (clearly, if we prove it for a bigger set we prove it for the original RE).
The symmetrical bisimulation proposed, B, over the union of the state spaces of [RC] and [SUA] is: (p, q) ∈ B iff for all A ∈ RC:
- if A is a constraining TA then Π_A(p) = Π_A(q);
- if A is a task TA then either
  - Π_A(p) = Π_A(q) or,
  - the locations of A in p and in q both belong to the irrelevant suffix of Dag(A) and Π_A(p)(z) = Π_A(q)(z), i.e., in both states the task is at a location of the irrelevant suffix (locations whose next event in R is either the new period or the replenish time event) and with the same value for the z clock.
Note that the initial states are B-related (i.e., (init_[RC], init_[SUA]) ∈ B and (init_[SUA], init_[RC]) ∈ B).
Our reasoning is focused on the relevant components. This can be done due to the following facts derived from the rules:
- Non-relevant components can not block the occurrence of any relevant discrete transition (see Proposition 1).
- If e is an edge of the CDAG such that Label(e) ∈ O where O is a non-relevant output selection, and e' is another edge such that src(e') = src(e) and Label(e') ∈ O, then either tgt(e') = tgt(e), or both target locations belong to the irrelevant suffix.
- Any output discrete transition occurring in any non-relevant component does not synchronize with any relevant component.
- No input discrete transition is mandatory to make time diverge in a component.
We use the former facts to show that bisimulations are possible under the context of the non-relevant components:
Let (p, q) ∈ B with p ∈ G_[RC] and q ∈ G_[SUA].
Since constraining components are in the same local state for global B-related states, we concentrate our reasoning on the relevant tasks. If p →_a p' and a ∈ R then it is easy to see that each of the relevant timed automata in q can execute the same discrete transition -perhaps executing some irrelevant transitions remaining at the equivalence class- and then it arrives into a B-related state. In fact, the relevant TA are in the same state in p and in q except for the task TA which are at different locations of irrelevant suffixes. In the last case, if the discrete transition involves any of those TA, the transition must be a "new period" or "replenish time" event. In those cases, since the z clock has the same value for both TA, they can perform that transition instantaneously after, perhaps, performing some irrelevant transitions, and end in a B-related state (the root location, with clocks reset).
Secondly, if p →_a p' and a ∉ R then it is easy to see that each relevant timed automaton in q can execute a run of time length t such that (a) no relevant event appears, and (b) it arrives at a locally related state of p' no matter the state and evolution of the non-relevant components. In fact, the relevant components are exactly in the same local state in global state p and in q except, perhaps, for the task TA being in different locations of the irrelevant suffix (with the same value of the z clock, however). If t = 0 and the task involved in the transition labeled with a non-relevant label a is in its relevant prefix, then the irrelevant discrete transition is necessarily part of an output selection where all edges lead to the same location. Therefore, in q that task automaton is exactly in the same state and any of those output transitions can be taken to arrive at a local state B-related to p' (actually, the same local state). If the task involved is in the irrelevant suffix then that task -which is also necessarily at a location of the irrelevant suffix in q- has the chance to stutter or to traverse any edge if possible. In both cases, it will fall into a B-related state. If t > 0 and the same tasks are at the same relevant location in p and q respectively, the simulation is clearly possible letting time elapse in q. If the task control is in its irrelevant suffix in q and in p then, due to the fact that the z clock is the same in q, the simulation is possible. In fact, this is done by elapsing time from q and changing location into the irrelevant suffix as many times as necessary -remember that both systems are non-zeno.
On the other hand, it is easy to see that in the inverse case (p ∈ G_[SUA] and q ∈ G_[RC]) B also behaves as a CO bisimulation (by using similar arguments plus the fact that [RC] is less or equally constrained than [SUA] for RE).
To conclude that, in effect, [SUA] ≈_RE [RC_RE], note that in the previous lemma we saw that [C] ≈_RE [C_RE] and therefore [RC] ≈_RE [RC_RE] due to Lemma 2 and using the fact that whenever two TA of [RC] synchronize the synchronization label belongs to RE by the rules (all events of relevant constraining components are relevant indeed). We also know that if two TA are CO-bisimilar then they are similar; in this case [SUA] ⊑_RE [RC]. Finally, by transitivity we obtain the wanted result.

Chapter 7 
Reducing the Composition of I/O Components
In this chapter, we develop an orthogonal technique to further reduce the size of the model to be fed into the model-checker. In the previous chapters we saw how properties are checked by means of observer components. Those virtual components are composed in parallel with the system under analysis (SUA) and evolve to different locations according to event occurrences. For instance, in our framework, observers allow designers to check linear safety properties (Sect. 4.4.1) and other kinds of properties, as we present in Sect. 4.4.
In a few words, we develop a technique to calculate the components that may be forgotten at each observer location since their future behavior does not influence the future evolution of the SUA up to the observer. In many cases, those remaining sets (the relevant components) are proper subsets of the set of all components. Thus, we build compositions (we call them "quotients") which in many cases are smaller than the standard parallel composition (Sect. 2.4). It is important to remark that this general reduction technique is independent from our modeling approach for RTS Designs.¹ Indeed, quite often, models are analyzed by means of observers.
This section shows (a) the postulates that define a good relevance function (a function that determines the set of components potentially needed in each observer location) and how to calculate a relevance function, (b) how to build the "quotient automaton" based on a relevance function to replace the standard parallel composition (the quotient automaton can also be built on the fly, that is, during the verification process), (c) how the parallel composition of the whole SUA and the observer is related with the quotient automaton (bisimilarity), (d) some derived preservation corollaries, and finally (e) some examples that show the practical impact of these ideas.
¹ Relevance was inspired by the rather ad-hoc notion of relevant components presented in the last section. We inherit that name from the last chapter but we extend it to a more general setting. However, the method presented here and the Relevant Components Calculus are not comparable. The method presented in this section has granularity at observer location level. On the other hand, the previous calculus does not make any distinction at the location level but uses information about task component topology (the irrelevant prefix). As we will see later we can apply both methods.
As related work we could mention the clock reduction technique of [63], where clock activity and equality are detected by fixed point processes. It is worth mentioning [145], a timed automaton-based method for accurate computation of the delays of combinational circuits. Based on the topological structure of the circuit, a partitioning of the network and a corresponding conjunctively decomposed OBDD representation of the state space is derived. The delay computation algorithm operates on this decomposed representation and, on a class of circuits, obtains performance orders of magnitude better than a non-specialized traversal algorithm.
7.1 Relevance 
The core of our technique is a notion of potential "direct influence" of an automaton's behavior over another automaton's behavior when they are at some set of locations. We could simply say that an automaton A influences another automaton B iff there exist an edge of A and an edge of B sharing the same label such that their source locations are in the considered set of locations. However, that would lead to a rather big symmetrical overestimation. Thanks to the I/O interface attached to TA (the I/O timed components), we are able to define a set of necessary conditions to assure that a component A has no influence on (is irrelevant for) the behavior of another component B when they are at certain locations (for example, if A performs outputs which are stuttered at B's locations). That is, we get a better overestimation of potential influence.
Definition 28 Given an I/O component A and a TA B, we say that A is irrelevant to B for Sa ⊆ Locs(A), Sb ⊆ Locs(B), denoted A ≤ B(Sa, Sb), iff
- For all O ∈ O_A such that O ∩ Labels(B) ≠ ∅: either ∄e : src(e) ∈ Sa ∧ Label(e) ∈ O, or for all e with src(e) ∈ Sb and Label(e) ∈ O, tgt(e) = src(e) ∧ Reset(e) = ∅ (B only stutters on those outputs), and
- For all I ∈ I_A such that I ∩ Labels(B) ≠ ∅: ∀e ∈ Edges(B) : (src(e) ∈ Sb ∧ Label(e) ∈ I) ⇒ (∀i ∈ I : ∃e' ∈ Edges(B) : src(e') = src(e) ∧ Guard(e) = Guard(e') ∧ Label(e') = i ∧ tgt(e) = tgt(e') ∧ Reset(e) = Reset(e')) (i.e., no matter which input selection is enabled, the same change of state can be performed).
Note that if A ≤ B(Sa, Sb), Sa' ⊆ Sa and Sb' ⊆ Sb then A ≤ B(Sa', Sb').
Definition 29 Given a set A_0, A_1, ..., A_n of TA, l ∈ Locs(A_0) and 1 ≤ i ≤ n, S_l(i) = {Π_i(s) ∈ Locs(A_i) / s is reachable in A_0 ‖ A_1 ‖ ... ‖ A_n ∧ Π_0(s) = l}. We define S_l(0) = {l}.
We can overestimate this set by at least two procedures: (a) {Π_i(s) ∈ Locs(A_i) / s is reachable in A_0 × A_1 × ... × A_n ∧ Π_0(s) = l} (reachable in the synchronized product from the initial locations), and (b) {Π_i(s) ∈ Locs(A_i) / s is reachable in A_0 ‖ A_i ∧ Π_0(s) = l}. Also, the user can estimate this set. A tool can check whether this assumption is violated by arriving at a location not included in the estimation.
Our goal is to define a relation defining the "Relevant Components" for each of the observer locations. Intuitively, Rel is a sort of transitive closure of the direct relevance relation. That function, called Rel, must satisfy the following postulates.
Definition 30 (Postulates about Rel) Let I = [1 ... n] be a finite set of indices, {A_i / i ∈ I} a compatible set of components and A_0 a TA; let Rel : Locs(A_0) → 2^I. We say that Rel is a correct Relevance function for A_0 iff for all l ∈ Locs(A_0), i, k ∈ I:
1. 0 ∈ Rel(l).
2. Rel(tgt(e)) ⊆ Rel(l) for all e ∈ Edges(A_0) : src(e) = l.
3. If k ≠ i ∈ I, k ∈ Rel(l) and ¬(A_i ≤ A_k(S_l(i), S_l(k))) then i ∈ Rel(l).
The first postulate includes the components that may have a direct impact on the A_0 behaviors. The second extends the relevance of a component to all locations from which a location where the relevance was detected can be reached (this gives the relevance a funnel-like shape). The third is a transitive closure of the influence relation; naturally, the influence on the behavior of A_0 may be indirect. Note that A_0 could be obtained, for example, by composing the original observer with a subset of components.
Rel can be calculated as the minimum set satisfying those properties (by using a simple least fixed point procedure):
CalculateRel(A_0, A_1, ..., A_n) returns Rel
  // Step 1) Initialize Rel to satisfy item 1
  For each l ∈ Locs(A_0)
    Rel(l) := {0}
  End For
  // Steps 2.1 and 2.2. Update Rel to satisfy items 2 and 3
  // Repeat till a fixed point of Rel is reached
  Repeat
    // Step 2.1
    RelOld := Rel
    For each e ∈ Edges(A_0)
      Rel(src(e)) := Rel(src(e)) ∪ Rel(tgt(e))
    End For
    // Step 2.2
    For each l ∈ Locs(A_0)
      For each A_i / i : 0..n
        For each k ∈ Rel(l), k ≠ i
          // Check influence
          If ¬(A_i ≤ A_k(S_l(i), S_l(k)))
            Rel(l) := Rel(l) ∪ {i}
          End If
        End For
      End For
    End For
  Until RelOld = Rel
End CalculateRel
Let us assume that the algorithm is fed with the original parallel composition. Although this is not really necessary, it provides a good estimation of the S_l(i) sets, and allows us to give a simple characterization of the extra work that must be done to calculate the relevance function. Let V be the number of reachable nodes of this standard composition.²
Lemma 8 The complexity of the procedure to calculate Rel -when it is fed with the standard composition- is polynomial on the number of components n, the number of nodes of the standard composition V, the number of locations of A_0 (m = #Locs(A_0)), and the maximum number of transitions of a component T.
² Examples have shown us that, in general, full analysis of timed systems becomes intractable even with relatively small Vs (just a few thousand locations), which is not the case for untimed systems. Therefore, it is not unreasonable to build "a priori" the reachable Cartesian product to overestimate S_l(i). However, the parallel composition of A_i with the observer seems to provide good estimations as well and might be a good solution when we do not want to build the whole composition. This might be the case when trying to find a counterexample in a large location space using on-the-fly techniques.
Proof 15 In fact, the overestimation of S_l(i) for all l ∈ Locs(A_0) and 1 ≤ i ≤ n can be calculated traversing the parallel composition once, in n·V steps (assuming that we use direct-access memory to store, for each location l' of each component i and each location l of A_0, whether l' ∈ S_l(i)). In each step of the fixed-point calculus, the new Rel includes the previously calculated Rel and incorporates at least one more component in one location. Therefore, it can be iterated at most m·n times. Let us assume that we use dynamic programming to keep whether or not ¬(A_i ≤ A_k(S_l(i), S_l(k))) holds. Then for the analysis we can assume that this takes no time, and calculate separately the complexity of getting those values. Thus, at each step k, for each location l the algorithm checks whether the components not yet detected as relevant influence the already detected ones. This takes at most n² steps (following the previous observation about dynamic programming). Step 2.1 takes at most T·n steps; the comparison between Rel and RelOld can be done in m steps (Rel is produced in a monotonic fashion and thus identity can be checked by comparing the cardinality at each location). Therefore, the algorithm takes at most m·n·(m·n² + T·n + m) steps assuming no cost for the influence check. On the other hand, there are at most m·n² influence relations that must be really checked. To do such a check, let us suppose that a component provides a label-ordered list of transitions in O(1). Then, given the sets of locations S_l(i) and S_l(j), the ordered lists of labels that are used in the definition of influence can be built (filtering the list of all transitions) and intersected (by merging) in O(T). Finally, we can conclude that the complexity of the procedure is O(n·V + m·n²·T + m²·n³).
7.2 The Quotient Automaton 
We define how to build the parallel composition according to a Rel over A_0.
First we define a function that takes a location of the parallel composition and returns a global location where only the relevant automata locations appear:
P_Rel : (n + 1)-tuple of S → (n + 1)-tuple of S ∪ {⊥}
P_Rel(<l, a_1, ..., a_n>) = <l, b_1, ..., b_n> where b_i = a_i if A_i ∈ Rel(l), and b_i = ⊥ otherwise.
Now, we can define the quotient automaton according to Rel as follows, where:
X_T = ⋃_{i=0}^{n} Clocks(A_i)
Σ_T = ⋃_{i=0}^{n} Labels(A_i)
I_T(s_T) = ⋀_{i : 0..n / i ∈ Rel(Π_0(s_T))} I_{A_i}(Π_i(s_T))
s_{0T} = P_Rel(Init(A_0 ‖ A_1 ‖ ... ‖ A_n))
Let us characterize the transitions of the quotient automaton.
Fact 2 Let p, p' ∈ S_T. Let Rel_p = Rel(Π_0(p)).
Discrete Transitions
a ∈ ⋃_{0≤i≤n : i ∈ Rel_p} Σ_i ∧ ¬(∃i : 0..n)(Π_i(p) = ⊥ ∧ a ∈ Output(A_i)) ∧ …
Temporal Transitions
Example 18 Figure 7.1 shows a normal product of TA and a quotient product. Shadows identify equivalence classes according to P_Rel; they are translated into one location in the quotient automaton. Table 7.1 shows some of the calculated values used to conclude the quotient. Note that ¬(A_1 ≤ A_0(S_l(1), S_l(0))) and ¬(A_2 ≤ A_0(S_l(2), S_l(0))).
Table 7.1: Calculated Values
Algorithm to Calculate the Quotient Automaton using Rel The following algorithm receives a generic Rel satisfying the second postulate and builds the reachable part of the quotient automaton. It uses a simple graph traversal-building scheme keeping the already processed nodes and the ones to explore. That is, it is very similar to the algorithm that builds the standard composition. In our case, nodes represent equivalence classes; they are tuples with a bottom sign in the non-relevant components. For each node all the enabled transitions are calculated as the definition states (TransEnabled(s, A_0, ..., A_n) = {t ∈ Δ_T / Src(t) = s}). Let us assume that (a) components provide a label-ordered list of transitions in O(1) for each location, and (b) the algorithm explores the labels following that order. Then, the algorithm executes O(V + E) steps where V is the number of nodes and E is the number of edges of the final quotient graph. This is due to the fact that each node and transition is generated once, and the TransEnabled procedure only considers sets of transitions that share the same label, by applying a merge strategy to traverse the lists of transitions of each location of s.
It is not difficult to see that the quotient automaton can also be built "on the fly", that is, by demand of the verification engine, like [61].
Figure 7.1: Standard vs. Reduced Composition 
ComposeRel(A_0, A_1, ..., A_n, Rel) returns <S_T, X_T, Δ_T, I_T, s_{0T}>
  Let s_{0T} be such that Π_i(s_{0T}) = ⊥ if A_i ∉ Rel(Init(A_0)), and Init(A_i) otherwise
  ToProcess := {s_{0T}}
  While ∃s ∈ ToProcess
    Take s
    S_T := S_T ∪ {s}
    E := TransEnabled(s, A_0, A_1, ..., A_n)
    For each t_e ∈ E
      Build t_T = <s, Label(t_e), ψ_T, α_T, s'> where
        ψ_T = ⋀_{i / Π_i(t_e) ≠ Null} Guard(Π_i(t_e))
        α_T = ⋃_{i / Π_i(t_e) ≠ Null} Reset(Π_i(t_e))
        Π_i(s') = ⊥ if A_i ∉ Rel(Π_0(s')); tgt(Π_i(t_e)) if Π_i(t_e) ≠ Null; Π_i(s) if Π_i(t_e) = Null
      If t_T ∉ Δ_T
        Δ_T := Δ_T ∪ {t_T}
      If s' ∉ ToProcess
        ToProcess := ToProcess ∪ {s'}
        S_T := S_T ∪ {s'}
    End For
    I_T(s) := ⋀_{i : 0..n / Π_i(s) ≠ ⊥} I(A_i)(Π_i(s))
  End While
  X_T := ⋃_{i=0}^{n} Clocks(A_i)
End ComposeRel

TransEnabled(s, A_0, ..., A_n) returns E = set of (n + 1)-tuples of (Edges ∪ {Null})
  E := ∅
  For each label a
    If ∀i : 0..n : (Π_i(s) ≠ ⊥ ⇒ T_i(a, s) ≠ ∅) ∨ (Π_i(s) = ⊥ ∧ (a ∈ Labels(A_i) ⇒ a ∉ Output(A_i)))
    then E := {<t_0, ..., t_n> / (∀i : 0..n)(t_i ∈ T_i(a, s) ∨ (T_i(a, s) = ∅ ∧ t_i = Null))} ∪ E
    End If
  End For
  Where T_i(a, s) = {e | e ∈ Edges(A_i) ∧ Label(e) = a ∧ src(e) = Π_i(s)}
End TransEnabled
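As an added example (not the thesis' own tool or code), the following Python puts Def. 28, the CalculateRel fixed point of Sect. 7.1 and the ComposeRel/TransEnabled procedures above side by side on an untimed toy: guards, resets and invariants are left out, S_l(i) is overestimated by Locs(A_i) (sound by the monotonicity note after Def. 28), and the rail-crossing-like components (Obs, Train, Controller, Gate) are constructed for the example, not taken from the thesis' models.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Comp:
    """Untimed I/O component (guards and resets left out)."""
    init: str
    edges: tuple          # (src, label, tgt) triples
    outputs: tuple = ()   # output selections: frozensets of labels
    inputs: tuple = ()    # input selections: frozensets of labels

    @property
    def locs(self): return frozenset(l for e in self.edges for l in (e[0], e[2]))
    @property
    def labels(self): return frozenset(e[1] for e in self.edges)
    def edges_from(self, loc, a): return [e for e in self.edges if e[:2] == (loc, a)]


def irrelevant(A, B, Sa, Sb):
    """Def. 28 (untimed): A cannot influence B while A is in Sa and B is in Sb."""
    for O in A.outputs:
        if O & B.labels and any(e[0] in Sa and e[1] in O for e in A.edges):
            # B may only stutter on O-labelled edges leaving Sb
            if any(e[0] in Sb and e[1] in O and e[2] != e[0] for e in B.edges):
                return False
    for I in A.inputs:
        if not I & B.labels:
            continue
        for src, lab, tgt in B.edges:  # whichever member of I fires, B makes the same jump
            if src in Sb and lab in I and not all((src, i, tgt) in B.edges for i in I):
                return False
    return True


def calculate_rel(comps, S=None):
    """Least fixed point of the postulates of Def. 30 (CalculateRel); comps[0] is A0."""
    A0, n = comps[0], len(comps) - 1
    if S is None:  # conservative overestimate of S_l(i): every location of A_i
        S = lambda l, i: {l} if i == 0 else comps[i].locs
    rel = {l: {0} for l in A0.locs}                          # postulate 1
    while True:
        old = {l: set(r) for l, r in rel.items()}
        for src, _, tgt in A0.edges:                          # postulate 2
            rel[src] |= rel[tgt]
        for l in A0.locs:                                     # postulate 3
            for i in range(1, n + 1):
                if any(k != i and not irrelevant(comps[i], comps[k], S(l, i), S(l, k))
                       for k in list(rel[l])):
                    rel[l].add(i)
        if rel == old:
            return rel


BOT = "_|_"  # the bottom sign used by P_Rel


def compose_rel(comps, rel):
    """ComposeRel + TransEnabled: reachable quotient graph as (states, edges)."""
    n = len(comps)
    def mask(s):  # P_Rel: blank the components that are not relevant at the A0 location
        return tuple(s[i] if i in rel[s[0]] else BOT for i in range(n))
    s0 = mask(tuple(c.init for c in comps))
    states, edges, todo = {s0}, set(), [s0]
    while todo:
        s = todo.pop()
        live = [i for i in range(n) if s[i] != BOT]
        for a in set().union(*(comps[i].labels for i in live)):
            if any(a in comps[i].labels and not comps[i].edges_from(s[i], a) for i in live):
                continue  # a relevant component that knows "a" cannot take it now
            if any(a in O for i in range(n) if s[i] == BOT for O in comps[i].outputs):
                continue  # outputs of blanked components are never taken (Fact 2)
            choices = [comps[i].edges_from(s[i], a) or [None] for i in range(n)]
            for combo in product(*choices):
                nxt = mask(tuple(e[2] if e else s[i] for i, e in enumerate(combo)))
                edges.add((s, a, nxt))
                if nxt not in states:
                    states.add(nxt)
                    todo.append(nxt)
    return states, edges


# Constructed toy (not the thesis' rail-crossing model): the observer expects
# lower, then down, then in; location "3" is a trap that stutters on everything.
OBS = Comp("0", (("0", "lower", "1"), ("0", "down", "0"), ("0", "in", "0"),
                 ("1", "down", "2"), ("1", "lower", "1"), ("1", "in", "1"),
                 ("2", "in", "3"), ("2", "lower", "2"), ("2", "down", "2"),
                 ("3", "lower", "3"), ("3", "down", "3"), ("3", "in", "3")))
TRAIN = Comp("far", (("far", "approach", "near"), ("near", "in", "cross"), ("cross", "exit", "far")),
             outputs=(frozenset({"approach"}), frozenset({"in"}), frozenset({"exit"})))
CTRL = Comp("idle", (("idle", "approach", "want"), ("want", "lower", "busy"),
                     ("busy", "exit", "rel"), ("rel", "raise", "idle")),
            outputs=(frozenset({"lower"}), frozenset({"raise"})),
            inputs=(frozenset({"approach"}), frozenset({"exit"})))
GATE = Comp("up", (("up", "lower", "lowering"), ("lowering", "down", "down"),
                   ("down", "raise", "raising"), ("raising", "up", "up")),
            outputs=(frozenset({"down"}), frozenset({"up"})),
            inputs=(frozenset({"lower"}), frozenset({"raise"})))
SYSTEM = (OBS, TRAIN, CTRL, GATE)


def demo():
    """Rel for SYSTEM, then the standard composition and the quotient built from it."""
    rel = calculate_rel(SYSTEM)
    everything = {l: set(range(len(SYSTEM))) for l in OBS.locs}  # nothing blanked
    return rel, compose_rel(SYSTEM, everything), compose_rel(SYSTEM, rel)
```

On this toy Rel keeps all four components at observer locations 0 and 1, only Obs and Train at 2, and Obs alone at the trap, so the quotient has 10 states and 12 edges against 26 states and 38 edges for the standard composition.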
7.3 Results 
Now we show that if we quotient according to a relevance function satisfying the former postulates, the quotient composition is CO-bisimilar wrt. the normal composition.
Theorem 8 Given an indexed set of I/O Timed Components {A_i}_{0≤i≤n}, and an assignment mapping P : Props → 2^{Locs(A_0)}, if Rel is a relevance function satisfying the postulates of Def. 30 then (A_0 ‖_Rel {A_i / 1 ≤ i ≤ n}) ≈_{P'*, P*} [(A_0 ‖ A_1 ‖ ... ‖ A_n)], where P* and P'* are the natural extensions of P on the locations of [A_0 ‖ A_1 ‖ ... ‖ A_n] and (A_0 ‖_Rel {A_i / 1 ≤ i ≤ n}) resp.
Proof 16 Let A = [(A_0 ‖ A_1 ‖ ... ‖ A_n)] and A' = (A_0 ‖_Rel {A_i / 1 ≤ i ≤ n}). Now, we define the symmetrical relation that is our candidate bisimulation: (p, q) ∈ B iff (p ∈ G_A, q ∈ G_A' and ∀0 ≤ i ≤ n : (Π_i(q) = ⊥ ∨ Π_i(p) = Π_i(q))) or (p ∈ G_A', q ∈ G_A and ∀0 ≤ i ≤ n : (Π_i(p) = ⊥ ∨ Π_i(p) = Π_i(q))).
Let us start analyzing the case p ∈ G_A', q ∈ G_A. Note that since A_0 is always relevant (Item I of Def. 30), Π_0(p) = Π_0(q) and thus Rel(Π_0(p)) = Rel(Π_0(q)).
Case I: p →_a p'.
(a) If no irrelevant component exports the label "a" then, clearly, q →_a q' with (p', q') ∈ B. In fact, the same discrete transition is taken by the relevant part while the irrelevant components stay in the same local state. Note that Item II of Def. 30 is needed to know that the relevance function at a possible new A_0 location does not incorporate any new component wrt. the source location.
(b) An irrelevant component exports the label "a" as an output label. This is not possible due to the definition of the quotient (Fact 2).
(c) All irrelevant components export the label "a" as input selections of size 1. Then, they are always enabled and q →_a q' with (p', q') ∈ B. In fact, the same discrete transition is taken by the relevant part while the irrelevant components perform the jumps dictated by that input. Note that Item II is needed to know that the relevance function at a possible new A_0 location does not incorporate any new component wrt. the source location.
(d) There is one irrelevant component A_k exporting "a" as part of an input selection I of size greater than one. Since it is irrelevant we know that all relevant components exporting "a" can perform the same change of state with any other a' ∈ I actually enabled in Π_k(q); therefore q →_{a'} q' with (p', q') ∈ B (again using Item II).
Note that in all the cases of Case I the q-side part of the definition of CO-bisimulation is a stutter.
Case II: p →_t p' and t > 0. Like from p, from p' the relevant part can advance t time units. On the other hand, due to the component definition, we can make the irrelevant part advance t time units avoiding input transitions (and also selecting the outputs according to the state of the relevant part). This correction can be done due to the non-transientness of outputs. Also, by definition of components, output and internal transitions cannot be blocked by the relevant part. Moreover, any discrete output transition of an irrelevant TA A_i does not change the A_0 location l by postulate I, and does not influence (i.e., does not change the location or reset clocks of) the relevant TA A_k by postulate III (i.e., A_i ≤ A_k(S_l(i), S_l(k))). Therefore, in every position of that run the corresponding state is CO-bisimilar to the one obtained from p by delaying the time of that position. Then a state q' is reachable from q such that (p', q') ∈ B (the relevance function remains the same).
The proof for the case p ∈ G_A and q ∈ G_A' is easier. A' = (A_0 ‖_Rel {A_i / 1 ≤ i ≤ n}) is less constrained than the original system A (except for the outputs that cannot be performed). Let us suppose that p →_a p' and that p and p' differ in the relevant part (the other case is trivially solved by stuttering). Then, "a" is a label exported by a relevant component. That a-transition is enabled in all relevant components, except in the case that a is an output label of an irrelevant component (see Fact 2). However, if A_k exports "a" as output then by postulates III and I it necessarily belongs to the relevant set (since p' differs from p in the relevant part, it must perform a non-stutter input in a relevant component). Therefore, q →_a q' and (p', q') ∈ B (due to postulate II). The time transition is straightforward due to the fact that the system is less or equally constrained (see Fact 2).
It is clear that the continuous observational bisimulation between both LTS shown here respects the propositional assignment (moreover, the A_0 location and clocks are the same in observational timed bisimilar states).
From Theorem 3 we obtain: 
Corollary 6 Given a TA A_0 and an indexed set of components {A_i}_{1≤i≤n}, an assignment mapping P : Props → 2^{Locs(A_0)}, and Rel a relevance function satisfying the postulates; let P* and P'* be the natural extensions of P on the locations of [A_0 ‖ A_1 ‖ ... ‖ A_n] and (A_0 ‖_Rel {A_i / 1 ≤ i ≤ n}) resp. Then, for all TCTL formulas φ: (A_0 ‖_Rel {A_i / 1 ≤ i ≤ n}) ⊨_{P'*} φ iff [A_0 ‖ A_1 ‖ ... ‖ A_n] ⊨_{P*} φ.
Corollary 7 The local reachability problem on A_0 for (A_0 ‖_Rel {A_i / 1 ≤ i ≤ n}) is equivalent to the one in [(A_0 ‖ A_1 ‖ ... ‖ A_n)].
The proof is trivial: reachability can be written as a TCTL formula.
Also note that if Rel does not satisfy the stated properties then the method is still conservative.
7.4 Examples 
To validate the potential of this technique we developed a prototype preprocessing tool based on these ideas [74]. We present several examples to illustrate the reduction method. We vary the value of the constant in the observers to get cases where the error location is reachable and cases where it is unreachable. All cases were checked using backward analysis, while reachable ones are also checked using forward analysis [61]. The backward verification column is measured in seconds while the forward information is given in terms of symbolic states and transitions. We applied the KRONOS tool [61] (version 2.4.3) on a Windows 98 platform (Pentium III 400 MHz, 64 MB). In the tables, the bottom symbol (⊥) means that the verification tool had not finished after 10 hs of processing for the backward case, or after 100.000 symbolic states were generated in forward mode.
RCS Let us start applying the method to the Rail Crossing Example presented in Sect. 3.3. We want to check that it is not possible that train 1 traverses the rail cross when the gate is not completely down or very soon after it has gone down. Figure 7.2 shows a safety observer that follows the expected behavior of the system. That is, after the gate is raised a lower signal shall be issued and the gate shall go down before the train enters the rail cross (in1 event); then the train can not traverse the rail cross before 2 time units.
Figure 7.2: Observer for Rail Cross System
If we intuitively calculate the relevance of components we can conclude that the controller is no longer needed when the observer is at location number 2 (and therefore no other train but train 1). At location number 3 no component except Train 1 is relevant. At location 4, a trap location, no component is relevant (see Fig. 7.2). Table 7.3 compares the sizes of the standard and the quotient system for the system with four trains.
Table 7.2: Relevance Function
Obs. Loc. | Relevants
0 | Obs, Train1, Train2, Train3, Train4, Gate, Controller
1 | Obs, Train1, Train2, Train3, Train4, Gate, Controller
2 | Obs, Train1, Gate
3 | Obs, Train1
4 | Obs

Table 7.3: Standard Composition vs. Quotient for Rail Crossing System n=4
Composition | #Edges | #Locs. | Reach False, Backward | Reach True, Backward | Reach True, Forward
Standard | 5180 | 1026 | 41.19s | 170.45s | 26203 st. 3043? t.
Quotient | 2218 | 437 | 1.57s | 160.42s | 26176 st. 30402 t.
Fault Detection Now, we apply the technique to the Fault Detection Net requirement for the Mine Pump (see Fig. 7.4), that is, a fault on the main processor or on the net must be reported within 2 seconds to the remote Operator.
Figure 7.3: Fault Detection Net Observer
Recall that the relevance calculus detects that the components involved in the query are: the Console Proxy, Net, Console Displayer, Timer, and the Display WatchDog. Table 7.4 depicts the relevance function, while Table 7.5 shows the sizes and verification times for this example.
Table 7.4: Relevance Function for Fault Detection Net
Observer Loc. | Relevants
0 | Obs, Cons.Proxy, Net, ConsoleDisplayer, Timer, WatchDog
1 | Obs, ConsoleDisplayer, Timer, WatchDog
2 | Obs
3 | Obs

Table 7.5: Standard Composition vs. Quotient for Fault Detection NET Observer
Composition | #Locs. | #Edges | Reach False, Backward | Reach True, Backward | Reach True, Forward
Loop-Back, Standard over Relevant Components | 225 | 1050 | 4634.91s | 1410.35s | 126 st. 132 t.
Trap, Standard over Relevant Components | 270 | 1206 | 4632.36s | 1412.04s | 126 st. 132 t.
Trap, Quotient over Relevant Components | 152 | 745 | 0.72s | 21.10s | 6 st. 5 t.
Figure 7.4: Freshness Observer 
Figure 7.5: Regularity Observer 
Active Structural The second example shows how the reduction method works on the requirements for the design of the Active Structure Control System. Even if the preprocessing method presented in Def. 26 is not applied, the calculus of the relevance function presented in this chapter discovers the same irrelevant TA. In fact, in the case of the freshness observer this method discovers the irrelevance of the actuator and of the component that models the communication with the pulser task. Something similar occurs with the distance query, where the calculus detects the irrelevance of the modeler task, the sensor, and the component modeling their communication. Table 7.7 shows the intractability of the standard compositions over all TA. We also present a standard parallel composition of the relevant components as calculated by the relevance calculus (see Def. 26).
For the Active Structural System, we add a new requirement to further illustrate the power of the quotient method. In this case we want to check the age of the pulse wrt. the time when the model was updated with the value used to calculate the pulse magnitude. We call this requirement Pulse Freshness. Two possible safety observers for this requirement can be seen in Fig. 7.6. The second one is a more detailed version that may illustrate how adding detail to the observed sequence may lead to greater reduction. The tables show a dramatic time reduction.
Figure 7.6: Two Safety Observers for the Pulse Freshness Requirement

Table 7.6: Relevance Function for Freshness
Relevants (one row per observer location, in location order)
Obs, Sensor, Comm, Modeler, Pulser
Obs, Sensor, Comm, Modeler, Pulser
Obs

Table 7.7: Standard Composition Vs Quotient for Freshness
Composition | #Locs. | #Edges | Reach False, Backward | Reach True, Backward | Reach True, Forward
Loop-back, standard with all TA | 768 | 2720 | ⊥ | | 137391 st. 45013 t.
Trap, standard with all TA | 1008 | 3530 | ⊥ | | 137391 st. 45013 t.
Trap, Standard over Relevant Components | 126 | 331 | 0.90s | 12.37s | 644 st. 699 t.
Trap, Quotient over Relevant Components | 62 | 161 | 0.44s | 11.28s | 414 st. 459 t.

Table 7.8: Relevance Function for Regularity
Observer Loc. | Relevants
 | Obs, Pulser, Comm1, Actuator
 | Obs, Pulser, Comm1, Actuator
3 | Obs

Table 7.9: Standard Composition Vs Quotient for Regularity
Composition | #Locs. | #Edges | Reach False, Backward | Reach True, Backward | Reach True, Forward
LoopBack, standard over Relevant Components | 72 | 153 | 0.20s | 0.09s | 38 st. 38 t.
Trap, standard over Relevant Components | 96 | 198 | 0.07s | 0.07s | 38 st. 38 t.
Trap, quotient over all TA | 45 | 87 | 0.05s | 0.05s | 38 st. 38 t.

CSMA To further illustrate the generality of the method, it is applied to another generic composition of I/O components (not a real-time system design model as the previous two). This is the case of the CSMA/CD example (Sect. 3.3). We want to check the bounded delay for collision detection [128]. Unlike that presentation, we model the property by means of an observer automaton that detects the case where two station messages collide and the collision detection is not received before 26 ms and the end events (Fig. 7.7).³
³ In [128], the TCTL formula init ⇒ ∀□(TRANS1 ∧ TRANS2 → ∀◇_{<26} RETRY1) is used instead. In our test bed, the verification of this formula took 56.5 sec over the system under analysis, whose size is 344 Locs. and 2272 Trans.

7.5 Conclusions and Discussions
We will try to answer some questions and guesses about the effectiveness of our method, namely:
- the less coupled the system, the more reduction is obtained;
- it is better to build safety observers with trap locations instead of observers that loop back to the initial location when the sequence of events is not a counterexample, etc.;
- is it possible to treat examples that are intractable with the standard composition?
Graphically, the technique achieves interesting reductions when the system is "loosely coupled", like the models built from RTS Designs. We say that a model is loosely coupled when the strongly connected components of the graph whose nodes are the I/O timed components and whose edges are the influence relation between components are small. However, in examples like the Rail Cross System and the CSMA/CD, which are rather standard and coupled examples, the technique still makes some reductions. This is due to the fact that at some locations of the observer few components have real influence on the future behavior.
Observers generally choose non-deterministically when to start a sequence of events that
might exhibit a counterexample. When this is not the case, the observers can be built
either to loop back to the initial location or to enter a trap location. The tables reveal
that, despite the composition size, observers with trap locations are analyzed faster than
observers that loop back when an event shows that the non-deterministic selection did not
find a counterexample. Observers with trap locations are the ones used as the base of
quotient compositions (note that a DAG topology is better for Item 11 of Def. 30, since all
locations of a Strongly Connected Component of the observer must share the same relevant
I/O timed components).
In the example of Table 7.12 it is shown that sometimes the more detailed the observer is (in
the sense of the sequence of events), the more reduction is obtained. This is the case when
the detail shows an expected sequence of events that may serve to detect the irrelevance
of some I/O components.

Table 7.10: Relevance Function for Pulse Freshness (Observer 1)
Observer Loc. | Relevants
0 | Obs, Sensor, Comm, Modeler, Pulser, Comml, Actuator
1 | Obs, Sensor, Comm, Modeler, Pulser, Comml, Actuator
2 | Obs, Pulser, Comml, Actuator
3 | Obs, Comml, Actuator
4 | Obs, Actuator
5 | Obs
6 | Obs

Table 7.11: Relevance Function for Pulse Freshness (Observer 2)
Observer Loc. | Relevants
0 | Obs, Sensor, Comm, Modeler, Pulser, Comml, Actuator
1 | Obs, Sensor, Comm, Modeler, Pulser, Comml, Actuator
2 | Obs, Modeler, Pulser, Comml, Actuator
3 | Obs, Pulser, Comml, Actuator
4 | Obs, Comml, Actuator
5 | Obs, Actuator
6 | Obs
7 | Obs
It is worth noting that in some cases we were able to treat cases where the original standard
composition could not be analyzed (more than 10 hs of processing). There are several
cases (in general medium-size to big-size examples) where the time reduction was quite
dramatic. That is, in several cases, while the number of locations and transitions was
halved, the verification time was reduced by a much greater factor (2 to 6000 times faster!),
especially when backwards analysis is performed on a correct system (i.e., when an error
location is not reachable). The time savings when analyzing systems where the error is
reachable are more modest but still interesting (counterexamples are smaller in forward
analysis). We still do not have a clear explanation of such a difference in the effectiveness
of the method in the reachable and non-reachable cases.⁴ We did another experiment, changing
the constant appearing in an observer, to relate the backwards verification times on the
standard and the quotient composition. This was the case of the RCS observer (Fig. 7.2),
where the constant of "train arrives too soon after gate comes down" was varied in the
range 3 to 9. In all those cases the error is reachable. Table 7.15 shows that while
the verification time on the quotient keeps more or less constant, the verification effort on
the standard composition explodes when the constant C is greater than 6 (in the guards,
T1 > 6 and T > C always appear together). A reason that might explain that behavior is the
fact that in the quotient construction there is just one edge whose guard depends on the
observer clock T, while in the standard construction the number of such edges is 108. We
believe that this might become another source of time savings of the method.

⁴We guess that sometimes it might be the case that the counterexample is found without traversing too
much of the irrelevant part of the graph. We have no clear guess about the way the backwards analysis
behaves when the error is reachable.

Note also that there is always size reduction in the trap locations of the observer. Those
reductions in size do not immediately imply an important reduction in analysis time
when systems are analyzed using backward algorithms.⁵

Besides, when a component becomes irrelevant its clocks become "not active" according to
the definition of [63]. This might lead to further and important reductions in analysis time
if the activity of clocks were taken into account by the verification engine.

Table 7.12: Standard Composition Vs Quotient for Pulse Freshness
Composition | #Locs. | #Edges | Reach False: Backward | Reach True: Backward | Reach True: Forward
Trap, Standard over all TA | 1268 | 4554 | I | 1 | 6670 st. 9253 t.
Trap, Quotient over all TA (observer 1) | 543 | 1856 | 6341.31s | 1 | 1478 st. 1890 t.
Trap, Quotient over all TA (observer 2) | 495 | 1665 | 6140.94s | 1 | 1478 st. 1820 t.

Figure 7.7: Collision Detection Observer for the CSMA/CD Protocol
Finally, let us draw some general conclusions. This is a rather orthogonal technique to
reduce two parameters of model complexity: the number of locations and edges. It can be fed
naively with the components of the system under analysis and an observer; it discovers the
underlying dependence among components to finally discard the components that do not
influence the behavior from the observational point of view. It always gets size reductions
that, sometimes, imply significant to dramatic time savings during the verification step.
This is generally the case when it is applied to medium-size to big-size examples (it could
even make them treatable). It is rather easy to use and integrate as a preprocessor for
known tools; it just requires the user to declare the I/O interface of the TA. Last but not least,
this technique could be applied to untimed systems, since they are special cases of these timed
systems.

⁵However, we believe there may be a significant time reduction when the system is analyzed forward
and the error location is not reachable. Our guess is based on the fact that all the global locations that are
locally a trap for the observer in the standard composition are reduced into one location in the quotient.

⁶Sl(i) sets can be overestimated without calculating the whole Cartesian product, like pairwise
composition, i.e., procedure (b).

Table 7.13: Relevance Function for Collision Detection
Observer Loc. | Relevants
0 | Obs, Bus, Sender1, Sender2, Sender3, Sender4, Sender5
1 | Obs, Bus, Sender1, Sender2, Sender3, Sender4, Sender5
2 | Obs, Bus, Sender1, Sender2
3 | Obs
4 | Obs

Table 7.14: Standard Composition vs Quotient for Collision Detection
Composition | #Locs. | #Edges | Reach False: Backward | Reach True: Backward | Reach True: Forward
Loop-Back, Standard over all TA | 811 | 5605 | 3.082s | 365.75s | 71 st. 71 t.
Trap, Standard over all TA | 1155 | 7877 | 3.079s | 301.48s | 71 st. 70 t.
Trap, Quotient over all TA | 443 | 3148 | 0.324s | 96.09s | 66 st. 65 t.

Table 7.15: Varying the Constants for the RCS Example
Constant Value C | Verif. Time on Standard | Verif. Time on Quotient
3 | 186.92s | 158.36s
4 | 165.97s | 156.45s
5 | 177.04s | 163.33s
6 | 176.42s | 159.73s
7 | 823.57s | 159.86s
8 | 1084.75s | 160.06s
10 | > 2000s | 164.02s

Chapter 8 
Fitting the Pieces Together 
8.1 An Architecture for the Checking Tool
Figure 8.1: The Tool Architecture
We built a prototype to validate our technique and, currently, we are working on a deliverable
version of the tool. We believe that it is worth describing the conceptual architecture
of that tool to understand how the modeling, reduction and checking methods are effectively
integrated. We also present some performance results that show the feasibility of
our approach.
The architecture is depicted in Fig. 8.1. Designers use the Designers Front-End to describe
the physical design along with observers for the scenarios associated with properties and
requirements (Chapter 4).
Given the events involved in a particular observer, the Relevance Abstractor determines
the components and the level of abstraction actually required to perform the verification
(see Sect. 6.1). The relevance abstractor has three functionalities: (a) it detects the Relevant
Components and the Relevant Events (Def. 26), (b) it communicates the relevant
tasks to be translated to the model-builder subsystem, and (c) it reduces the size of the
resulting task models to the level of abstraction dictated by the relevant events (Def. 27).
The Untimed-Model Builder produces the untimed model as explained in Sect. 5.1. Then,
the Timed-Model Builder produces the temporization by calculating best and worst case
response times (Sect. 5.2).¹
Also, an Interactive Abstractor is available to further manipulate the model by applying
conservative rules (Sect. 6.2).
The preprocessing algorithm presented in Chapter 7 is fed with the timed-automata model
of the relevant components to further reduce the size of the parallel composition (this could be
done "on the fly" in the verification engine). Finally, the resulting timed automata are the
input of a back-end model-checking tool which provides the results. In the next section, we
show which kind of model-checking technology/tool is needed for each kind of requirement.
We also point out which reduction techniques produce equivalent models for each kind of
requirement. It is worth saying that we will resort to existing and well-developed checking
methods and tools whenever they are available.
8.1.1 Verifying Safety Observers
Let us recall that for the safety observers case it must be checked whether a location
satisfying the proposition Error is reachable in the parallel composition of the TA which
model the system under analysis SUA and the observer automaton (Sect. 4.4). This problem
can be solved by using any tool that supports TA verification (e.g., [61, 23, 146, 91], etc.).
It is important to remark that the models obtained following the proposed rules are non-zeno
(see Sect. 3.3.1), which is a key property usually required to perform the verification
procedures. In fact, if non-zenoness were not guaranteed, then finite runs reaching a "bad"
state would not necessarily be witnesses of reachability, since it might be the case that those
finite runs cannot be extended into time-divergent runs (a necessary condition for a run
to belong to the automaton semantics). Moreover, zenoness may "stop" time progress and
an error may remain undetected.

¹Note that this is just one possible solution. For example, the whole model could be translated to the
maximum detail. The abstract submodels for each requirement could be built afterwards.

As was remarked in Sect. 6, given a system under analysis SUA and an observer O with a
labeling P, $[SUA] \simeq_{RE} [RC_{RE}]$ and $Labels(O) \subseteq RE$; then, by Corollary 1, we get
$[SUA] \parallel [O] \simeq_{P_1,P_2} [RC_{RE}] \parallel [O] = [RC_{RE} \parallel O]$, where $P_i$ ($i = 1, 2$) are the
natural extensions of P to the respective cartesian products. Thus, by Theorem 1, the error
location is reachable in $[SUA \parallel O]$ if and only if it is reachable in $[RC_{RE} \parallel O]$.
Moreover, we can get a further reduction: by Theorem 8,
$(O \parallel^{Rel} RC_{RE}) \simeq_{P'_1,P_2} [RC_{RE} \parallel O]$. Thanks to the fact that co-bisimulation
implies simulation, and to the transitivity of simulation, we get
$(O \parallel^{Rel} RC_{RE}) \preceq_{P'_1,P_1} [SUA \parallel O]$. Finally, by Theorem 1, we can conclude
that the original reachability problem in $[SUA \parallel O]$ is the same as the reachability
problem in $O \parallel^{Rel} RC_{RE}$, that is, the problem in the quotient composition presented
in Chapter 7. Thus, all the so-claimed exact abstraction techniques we develop can be applied
to reduce the model without sacrificing accuracy.

We applied the KRONOS tool [61] (version 2.4.3) on a Windows 98 platform (Pentium III
400 MHz, 64 Mbytes) to check the requirements. We ran the backwards exploration option,
since the reachability option (forward exploration) showed a rather irregular pattern of
execution times on the examples. We would use the reachability option when it is likely
to have a counterexample. The results are summarized in Tables 8.1 and 8.2 and seem really
promising.

Table 8.1: Results of the Queries: Active Structural System
Requirement | Result | Exec. (secs)
Freshness | OK | 0.44
Bounded 3.0 | OK | 0.025

Table 8.2: Results of the Queries: Mine Pump System
Requirements checked: Bounded 3.1, Freshness 1, Correlation, False Alarm CO, Separation,
Response 1, Response 2, False Alarm HLW, Fault Detection NET, Freshness 2, Console.
Results recovered from the extraction: False Alarm CO is OK in 0.009 secs; six further rows
are OK and two are ERROR; the remaining execution times are 3.005, 0.109, 0.865, 0.005,
0.175, 0.074, 0.17, 0.72, 0.069 and 1.635 secs, but the extraction does not preserve which
result and time belong to which of the other requirements.

For the requirements not met by the proposed design, we have easily discovered, by
experimenting with different parameter values, the properties which are actually satisfied
by the design. Some of these values might be acceptable while others might imply a
redesign guided by the counterexamples provided by the analysis tool.
- The CO readings are at most 130 ms old.
- The age difference for CO and CH4 values paired in the logger is at most 113 ms.
- The CH4 value at the CH4-status object is not older than 180 ms.
- There are at most five alarms informed by the CH4 sensor within two "get package"
operations.
8.1.2 Verifying Büchi Observers
It is easy to see that:
Lemma 9 Let $B = (O, F)$ be a Büchi observer for A. Then
$A \times B = ([A \parallel O], \{(s, f) \in Locs(A) \times Locs(O) \mid f \in F\})$ is a Büchi TA such that
$L^\omega(A) \cap L^\omega(B) \neq \emptyset$ iff $L^\omega(A \times B)$ is non-empty.
To solve that problem for strongly non-zeno TA A we can resort to the time-abstracting
technique presented in [149] for Timed Büchi Automata model checking. By definition of
components, every infinite run of a closed system (that is, a component with no input label)
is time divergent. In fact, infinite runs with no input labels must necessarily diverge. This
hypothesis is enough to use the techniques presented in [149]. That is, due to Lemma 9 we
want to check whether the Büchi TA $A \times B$ has a non-empty language. Given a Strong
Time-abstracting Bisimulation $\sim$ on $[A \parallel O]$ such that $q \sim p$ implies
$\Pi_O(q) \in F$ iff $\Pi_O(p) \in F$, let G be the $\sim$-quotient of $[A \parallel O]$. A node of G
(i.e., a class) is called repeating if it contains only repeating states (i.e., states whose
O-projection of its location is in F). Note that if a node is not repeating then it contains
no repeating states, by the fact that $\sim$ respects the repeating states. Then, we have the
following result from [149]:
Lemma 10 $A \times B$ has non-empty language if and only if G has a maximal Strongly
Connected Component containing a repeating node.
In [149] it is shown how to solve this problem.
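The emptiness test of Lemma 10, as an added example that is not code from the thesis or from [149]: the quotient graph G, its initial class and the set of repeating classes below are constructed, and the example makes explicit the assumption that an accepting component must be reachable and contain a cycle (a lone node without a self-loop yields no infinite run).

```python
"""Added example (not from the thesis): Lemma 10 on a constructed time-abstracting
quotient graph G of [A || O]. Nodes are bisimulation classes; a node is
'repeating' when the O-projection of its states lies in F. Assumptions made
explicit here: the accepting SCC must be reachable from the initial class and
must contain a cycle (a single node without a self-loop gives no infinite run)."""
from typing import Dict, List, Optional, Set

Graph = Dict[str, List[str]]   # adjacency lists; every node appears as a key


def strongly_connected_components(G: Graph) -> List[Set[str]]:
    """Maximal SCCs of G by Kosaraju's algorithm (two depth-first passes)."""
    order: List[str] = []
    seen: Set[str] = set()

    def finish_order(u: str) -> None:
        seen.add(u)
        for v in G[u]:
            if v not in seen:
                finish_order(v)
        order.append(u)

    for u in G:
        if u not in seen:
            finish_order(u)
    transposed: Graph = {u: [] for u in G}
    for u, succs in G.items():
        for v in succs:
            transposed[v].append(u)
    components: List[Set[str]] = []
    assigned: Set[str] = set()
    for root in reversed(order):            # decreasing finishing time
        if root in assigned:
            continue
        comp: Set[str] = set()
        stack = [root]
        while stack:
            x = stack.pop()
            if x in assigned:
                continue
            assigned.add(x)
            comp.add(x)
            stack.extend(transposed[x])
        components.append(comp)
    return components


def reachable_from(G: Graph, init: str) -> Set[str]:
    """Classes of G reachable from the initial class."""
    seen: Set[str] = set()
    stack = [init]
    while stack:
        u = stack.pop()
        if u not in seen:
            seen.add(u)
            stack.extend(G[u])
    return seen


def accepting_component(G: Graph, init: str, repeating: Set[str]) -> Optional[Set[str]]:
    """Lemma 10: L^omega(A x B) is non-empty iff some SCC of G reachable from init
    contains a repeating node. Returns that SCC as a witness, or None when empty."""
    reach = reachable_from(G, init)
    for comp in strongly_connected_components(G):
        if not comp & reach:
            continue
        has_cycle = len(comp) > 1 or any(u in G[u] for u in comp)
        if has_cycle and comp & repeating:
            return comp
    return None


# Constructed quotient graphs (assumptions, not derived from any figure of the thesis).
REPEATING = {"q3"}             # classes whose states project into F
G_NONEMPTY: Graph = {"q0": ["q1"], "q1": ["q2"], "q2": ["q1", "q3"], "q3": ["q4"], "q4": ["q3"]}
G_EMPTY: Graph = {"q0": ["q1"], "q1": ["q2"], "q2": ["q1", "q3"], "q3": ["q4"], "q4": []}

if __name__ == "__main__":
    print(accepting_component(G_NONEMPTY, "q0", REPEATING))   # {'q3', 'q4'}
    print(accepting_component(G_EMPTY, "q0", REPEATING))      # None
```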
Theorem 9 Given two components $A_1$, $A_2$ and an observer O for both of them such that
$[A_1] \simeq_{Labels(O)} [A_2]$, then $L^\omega(O) \cap L^\omega(A_1) = \emptyset$ iff
$L^\omega(O) \cap L^\omega(A_2) = \emptyset$.
Proof 17 Trivial, since simulation equivalence means that the timed label-sequences are the
same.
This means that, as in the case of the safety observers, all the exact abstraction techniques
presented so far accurately preserve the Büchi problem (Sect. 6.1 and Chapter 7).
8.1.3 Verifying TCTL Observers
TCTL requirements can be solved using model-checking tools like KRONOS [61].
As was shown, given a system under analysis SUA and an observer O, $[SUA] \simeq_{RE} [RC]$
and $Labels(O) \subseteq RE$. Then, by Corollary 3, given a propositional assignment
$P : Props \to 2^{Locs(O)}$, for all TCTL formulae $\phi$ on Props,
$[SUA \parallel O] \models_{P_1} \phi$ iff $[RC \parallel O] \models_{P_2} \phi$, where $P_i$ ($i = 1, 2$)
are the natural extensions of P to the respective cartesian products.
We can get further reduction. In fact, by Theorem 8,
$(O \parallel^{Rel} RC) \simeq_{P'_1,P_2} [RC \parallel O]$; by transitivity of bisimulation,
$(O \parallel^{Rel} RC) \simeq_{P'_1,P_1} [SUA \parallel O]$. Thus, by Theorem 3, we can
conclude that $[SUA \parallel O]$ satisfies the same TCTL formulae as $O \parallel^{Rel} RC$.
8.1.4 Verifying Linear Duration Observers
Constraints on the accumulated time spent at particular system states are among the possible
requirements for a real-time system. These requirements are called duration properties
and, in general, they cannot be expressed by using the previously presented types of
observers. Besides, up to this thesis, there was no automatic technique that directly supports
the verification of duration requirements over physical designs of real-time software.
To perform the verification of duration properties (actually, Linear Duration Invariants)
over strongly non-zeno TA we present a new conservative technique in Chapter 9. Note
that if we have a closed component, i.e. a component with no free input label, it must be a
strongly non-zeno automaton. In fact, a cycle contains internal and/or output transitions
and therefore any infinite run must be time-divergent.
As was shown, given a system under analysis SUA and an observer O, $[SUA] \simeq_{RE} [RC_{RE}]$
and $Labels(O) \subseteq RE$. Then, by Corollary 2, given a propositional assignment
$P : Props \to 2^{Locs(O)}$, for all LDI $\phi$, $[SUA \parallel O] \models_{P_1} \phi$ iff
$[RC_{RE} \parallel O] \models_{P_2} \phi$, where $P_i$ ($i = 1, 2$) are the natural extensions of P
to the respective cartesian products.
Moreover, we can get a further reduction: by Theorem 8,
$(O \parallel^{Rel} RC_{RE}) \simeq_{P'_1,P_2} [RC_{RE} \parallel O]$. Thanks to the fact that
co-bisimulation implies simulation, and to the transitivity of simulation, we get
$(O \parallel^{Rel} RC_{RE}) \preceq_{P'_1,P_1} [SUA \parallel O]$. Finally, by Theorem 2, we can
conclude that the original problem in $[SUA \parallel O]$ is the same as the LDI problem in
$O \parallel^{Rel} RC_{RE}$, that is, the problem in the quotient composition presented in Chapter 7.
Thus, all the so-claimed exact abstraction techniques we develop can be applied to reduce
the model without sacrificing accuracy.
8.2 Summary
To verify safety observers we just need to resort to a tool supporting reachability analysis
of TA. Relevance calculus (Def. 26) (that is, using only the detected Relevant Components),
coarsening of the model (Def. 27), and quotient composition (Chapter 7) are exact
abstraction techniques for this kind of requirement.
Büchi TA can be checked by adapting the technique presented in [149] and supported by
KRONOS. As in the case of safety observers, they are defined in terms of the linear-time
structure of the underlying LTS (indeed, safety observers are a special case of them). The
same abstraction techniques are exact for them.
TCTL observers can be checked using tools like KRONOS [61]. Since TCTL is in general based
on the branching structure of the underlying LTS, the procedure for coarsening of the
model (Def. 27) does not necessarily produce an exact abstraction. Fortunately, the
relevance calculus (Def. 26) and the quotient composition (Chapter 7) are exact abstraction
techniques for TCTL.
Duration properties can be analyzed using the technique presented in Chapter 9. They
are also based on the linear structure, and all the abstraction techniques, namely relevance
calculus (Def. 26), coarsening of the model (Def. 27), and quotient composition (Chapter
7), are exact abstraction techniques for this kind of requirement.
Chapter 9
Verifying Duration Properties
9.1 Introduction
Constraints on the accumulated sojourn time at particular system states are among the
possible requirements for a real-time system. These requirements are called duration
properties. In the previous chapter we saw how Real-Time System Designs can be modeled by
means of Timed Automata. We also pointed out that, unlike TCTL, there is no mature tool
for verifying LDI (Linear Duration Invariants) over TA. This motivated our research on
checking such kind of properties. Thus, in this chapter, we address the general problem
of automatically verifying whether a timed automaton satisfies a duration property written as
a Linear Duration Invariant. We extend a conservative algorithm presented in [28] which
solves the problem using linear programming techniques. That is, we provide a procedure
to translate timed automata into "timed" regular expressions for timed languages. Then,
we apply a linear programming-based approach to this algebraic notation for the timed
automata.
Our results in this chapter are more general than the ones presented in [154, 28]. Namely,
TA is our starting point, and we can provide an accurate answer to the problem for a larger
class of them.
9.1.1 Related Work
In [106] a computational model is presented to identify a class of Hybrid Systems with
decidable analysis problems: Integration Graphs. In that paper it is shown that the
reachability problem of integration graphs boils down to checking satisfiability of some kind of
duration properties (later called Linear Duration Invariants [161]) for finitary timed
automata. Timed Automata [7] (TA) are one of the most widely used formalisms to model
real-time systems. Linear Duration Invariants (LDI) are a fragment of Duration Calculus
(DC) [160] used to express linear constraints on the accumulated time for the presence of
system states (see Chapter 2).
Thus, duration properties over Timed Automata allow expressing more properties than
standard reachability and they are still decidable [106]. In fact, runs that do not satisfy an
accumulation relation can be detected or filtered out (e.g., "Does the Gas Burner system
meet the requirement that leaking time should not be greater than 5% of total time?",
"Does the protocol fail to meet a bounded response requirement under the Quality of
Service assumption that the media guarantees that it fails no more than 1% of total time?",
etc.). The price one pays is the high complexity of the verification procedures. Also in [106]
the authors present an algorithm for solving the problem of satisfaction of an LDI by a Timed
Automaton based on two techniques: digitization and mixed integer linear programming.
Digitization is a way to obtain a discrete-time automaton which generates the integer runs of
the original dense-time version. Naive digitization is based on the region graph construction,
which produces huge graphs depending on the size of the constants involved in comparisons
[7]. Besides, mixed integer linear programming techniques possess high complexity. An
implementation for single-clock automata is found in [60] (to treat the composition of
single-clock automata some linear constraints are added to model synchronization).
A related problem is treated in [6], the computation of accumulated delays. It does not
cover the case of negative coefficients for durations and it is even more complex than
the one presented in [106] for checking the "positive" LDI. In [85] a general approach for
model-checking discrete Duration Calculus is presented. This approach is based on the
inclusion of regular languages. Obtaining regular languages through digitization of TA as
well as transforming DC formulae into finite state automata are the main sources of its high
complexity.
In order to obtain more practical algorithms, several proposals based on linear programming
techniques were presented [161, 154, 64]. The common idea is to represent real-time
systems by means of some sort of timed regular expression. These works are based on
the fact that if the expression to verify is finite, i.e. there is no repetition in the expression,
the verification can be done by using a linear programming procedure (i.e., minimizing/maximizing
the body of the LDI subject to the timing constraints in the form of linear
inequalities on variables which stand for the duration of each location visit). Therefore,
most of the research effort is devoted to reducing the infinite case to the finite one, i.e. to
eliminating repetition. The strength of these techniques is the reuse of a well-studied and
efficient set of linear programming tools, avoiding digitization. Their weakness lies in the
fact that the starting points are those regular expressions, which can only represent a small
class of TA.
However, in [28] we presented an algebraic formalism¹ for expressing the behavior of the
whole class of TA along with a translation procedure. Based on the translation results,
they provide a conservative analysis ("yes", "no", "don't know" answers) to the problem
using linear programming techniques and avoiding digitization. Compared to the methods
in [161, 154], the method presented in [28] and here can work directly on the whole class of
TA and give the accurate answer to the problem for a larger subclass than any previously
defined in these approaches.

¹In [9] another algebraic formalism that is as expressive as TA is presented.

Following these ideas, we also extend that approach to cope with a larger class of duration
constraints. That is, we allow comparisons using the ≤, <, ≥ or > operators, while in [28]
we only considered ≤. We are therefore able to check validity and satisfiability questions for a
duration property (i.e., do all runs leading to a final location satisfy the duration property?,
is there a run leading to a final location that also satisfies the duration property?, resp.).
The chapter is organized as follows. In the next section, we present a working example.
An algebraic formalism, Time Constrained Regular Expressions (TC-RE), for expressing
the behavior of TA is given in Sect. 9.3 and the problem is translated into this formalism.
In Section 9.5 the model-checking problem is solved for finite TC-RE (i.e., the ones
generating a finite number of words). Then, the well-behaved TC-RE are presented in Sect. 9.6,
which are TC-RE with good properties needed to deal with infinite TC-RE. Our model-checking
procedure is finally presented in Sect. 9.8. Conclusions are summarized in the
last section of the chapter.
9.2 A Case Study
In this section, we sketch some elements of an embedded-software design and a duration
requirement for a machine that pumps medicine into the patient's blood. That machine
should pump the right dosage at the right rate. Since the medicine should be pumped
into the patient rather continuously, the machine accepts several vessels² and switches, in a
timely fashion, from an empty vessel to a full one (and raises an alarm to indicate that
the empty vessel should be replaced, if necessary). The fastest a vessel may run out of
medicine is 300 t.u. The main "Quality of Service" requirement is that, provided there are
always full vessels available, during a time interval longer than 600 t.u. the patient should
receive the medicine at least 95% of the time.
The Physical Design. The system design is composed of several tasks scheduled under a
fixed priority policy. The highest priority one is the Switcher task. As the name suggests,
this task switches the machine from an empty vessel to a new one and then informs the
event to a protected object proxy console, which is eventually read by a task that sends the
warning condition to a remote monitoring subsystem. It takes at most 5 t.u. to perform
both subtasks in a dedicated environment. The Switcher task follows the sporadic server
scheme [109] and has a minimum interarrival time of 300 t.u. That means that after serving
an "empty" signal it is disabled until 300 t.u. have elapsed since the last signal arrival.
However, in this case, up to one signal can be buffered to be eventually served.

²The solution of filling a big vessel with the medicine was discarded due to safety and economical reasons.
In fact, if the medicine is suspended the remaining content should be thrown away.

Figure 9.1: Timed Automata Model. (a) Environment; (b) Switcher Task

In Fig. 9.1 (a) is depicted the environment automaton, which conveys the information about
the minimal separation between two consecutive "empty" signals.
The Timed Automata Model and the Duration Property. Although the Switcher
task has the highest priority, it may be blocked by another client of the proxy console
(e.g., the task that reads the alarm object and displays the alarm condition) due to PCP
emulation [109]. Then, the WCCT calculus (see Sect. 5) returns 10 t.u. as the response
time for the Switcher task. The TA shown in Fig. 9.1 (b) is the model produced by our
technique for the Switcher task.
Formally, the duration requirement should be expressed over the parallel composition of the
environment with the whole model (which is not shown in this presentation). The duration
property actually predicates on the projection of the environment state. Moreover, the
abstraction method presented in Chapter 6 detects that only the Switcher task model affects
the behavior of the environment TA. Therefore, the requirement can be expressed
as $\varphi = 20\int Empty - \int true \le 0$ with $F = \{(3,0), (3,1), (3,2), (3,3), (3,4)\}$, using the
following propositional assignment over the parallel composition of the environment with
the Switcher task model: $Props = \{Empty\}$ and $P : Props \to 2^{Locs(A)}$ be
The mapping a associated with the mapping P is
For example, given $\sigma = (1,00)(00,11)(11,22)(22,20)$ and $\tau = (0\ 200\ 205\ 500)$, then
$f_{\varphi,P}(\sigma,\tau) =_{def} \sum_{1 \le i \le |\sigma|} a(src(\sigma_i))(\tau_i - \tau_{i-1}) = (-1) \times 200 + 19 \times 5 + (-1) \times 295 = -400$.
9.3 Time Constrained Regular Expressions
In this section, we present a descriptive and algebraic representation of the finite behavior
of TA: time constrained regular expressions (TC-RE) [28]. TC-RE provide us the
necessary insight to formulate the principles of the model-checking algorithm proposed
later in this chapter. Hereafter, we will focus on TA where guards are conjunctions of
atoms of the form $x \sim c$, where x is a clock, $\sim \in \{=, \le, \ge\}$ and $c \in \mathbb{N}$.³
Definition 31 (TC-RE) A TC-RE is a tuple $(R, \Delta)$ where R is a regular expression
over $E_{id}$ and $\Delta$ is a finite set of triples of the form $(\delta, e, \sim c)$, where
$\delta \subseteq E_{id}$, $e \in E_{id}$, $\sim \in \{<, >, \le, \ge, =\}$ and $c \in \mathbb{N}$.
The intuition behind this definition is that the regular expression (see [96]) R gives
the potential untimed sequences of transitions (remember that $E_{id}$ identifies edges, see
Sect. 2.3.2), while $\Delta$ establishes a set of constraints on the distance between edge
transitions. A tuple $(\delta, e, \sim c)$ in $\Delta$ is the analogue of a clock test associated with
the edge e (which appears as the second component of the tuple). Then, the first component
$\delta$, hereafter called a clock, is the set of transitions which reset that clock. Roughly speaking,
$\sim c$ is a time constraint on the distance between e and the closest previous $\delta$-edge.
Definition 32 Given a TC-RE $(R, \Delta)$, the language $L(R, \Delta)$ is the set of timed words
$(\sigma, \tau)$ that satisfy:
- $\sigma \in R$ (i.e. $\sigma$ is a transition sequence described by the regular expression),
- $\tau_0 = 0$ (initialization),
- $\forall\, 0 < i \le |\sigma| : (\delta, \sigma_i, \sim c) \in \Delta \wedge \delta \cap \sigma_{[1..i-1]} \neq \emptyset \Rightarrow \tau_i - \tau_{last_\delta(\sigma_{[1..i-1]})} \sim c$
(i.e. $\tau$ satisfies the time constraints on the distance between edge instances, where
$last_\delta(\sigma_{[1..i-1]})$ denotes the index of the closest previous $\delta$-edge).

³This constraint is quite reasonable for practical applications and simplifies the integer programming
techniques on which we are based.

Hereafter we write $\tau \in Sol(\sigma, \Delta)$ to express that $(\sigma, \tau)$ is a timed word satisfying the
conditions of the last two items of Definition 32.
Definition 33 Given an LDI formula $\varphi$:
$(R, \Delta) \models_P \varphi \iff \forall (\sigma, \tau) \in L(R, \Delta) : (\sigma, \tau) \models_P \varphi$
Example 19 Let $R = (1,0)(0,1)((1,2)(2,1))^*(1,2)(2,3)(3,3)^*$ and
Then $(R, \Delta)$ is a TC-RE that represents all the timed words leading to the location 3 of
the Environment automaton in Figure 9.1.
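Definition 32 and Definition 33 together with the evaluation of $f_{\varphi,P}$ from Sect. 9.2, as an added example that is not code from the thesis: the constraint set $\Delta$, the propositional assignment P and the timed words below are constructed for the R of Example 19 (they are assumptions, not read off Figure 9.1), and the check is of one timed word at a time, the quantification over the whole language being the subject of Sects. 9.5 to 9.8.

```python
"""Added example (not code from the thesis): membership of a timed word in the
language of a TC-RE (Def. 32) and evaluation of a Linear Duration Invariant on
that word (Sect. 9.2 / Def. 33). R is the one of Example 19; Delta, P and the
timed words are constructed for this example, not taken from Figure 9.1."""
import re
from typing import Dict, FrozenSet, List, Sequence, Tuple

Edge = Tuple[int, int]                                  # an edge id is (src, tgt), as in Example 19
Constraint = Tuple[FrozenSet[Edge], Edge, str, int]     # (delta, e, ~, c) of Def. 31

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "=": lambda a, b: a == b,
       ">=": lambda a, b: a >= b, ">": lambda a, b: a > b}


def untimed_in(sigma: Sequence[Edge], R: str) -> bool:
    """sigma in R. Edges are encoded as tokens 's-t ' so that R can be written as an
    ordinary regular expression over those tokens."""
    return re.fullmatch(R, "".join(f"{s}-{t} " for s, t in sigma)) is not None


def timing_in(sigma: Sequence[Edge], tau: Sequence[int], Delta: List[Constraint]) -> bool:
    """tau in Sol(sigma, Delta): tau_0 = 0, tau non-decreasing, and for every constraint
    (delta, sigma_i, ~c) whose clock delta was reset by an earlier edge, the distance from
    the closest previous delta-edge to sigma_i satisfies ~c.
    Indices follow the thesis: sigma_i = sigma[i-1] fires at tau[i], i = 1..|sigma|."""
    if len(tau) != len(sigma) + 1 or tau[0] != 0:
        return False
    if any(tau[i] < tau[i - 1] for i in range(1, len(tau))):
        return False
    for i in range(1, len(sigma) + 1):
        for delta, e, op, c in Delta:
            if e != sigma[i - 1]:
                continue
            resets = [j for j in range(1, i) if sigma[j - 1] in delta]   # delta ∩ sigma[1..i-1]
            if resets and not OPS[op](tau[i] - tau[resets[-1]], c):
                return False
    return True


def in_language(sigma, tau, R, Delta) -> bool:
    """(sigma, tau) in L(R, Delta): both conditions of Def. 32."""
    return untimed_in(sigma, R) and timing_in(sigma, tau, Delta)


# An LDI  sum_p k_p*∫p + k_true*∫true ~ bound  is kept as (coefficients, k_true, ~, bound).
LDI = Tuple[Dict[str, int], int, str, int]


def body_at(loc: int, ldi: LDI, P: Dict[str, FrozenSet[int]]) -> int:
    """a(loc): value of the LDI body per time unit spent at location loc."""
    coeffs, k_true, _, _ = ldi
    return k_true + sum(k for p, k in coeffs.items() if loc in P[p])


def ldi_value(sigma, tau, ldi, P) -> int:
    """f_{phi,P}(sigma, tau) = sum_{1<=i<=|sigma|} a(src(sigma_i)) * (tau_i - tau_{i-1}):
    the interval before sigma_i fires is spent at its source location."""
    return sum(body_at(sigma[i - 1][0], ldi, P) * (tau[i] - tau[i - 1])
               for i in range(1, len(sigma) + 1))


def satisfies(sigma, tau, ldi, P) -> bool:
    """(sigma, tau) |=_P phi for one timed word (Def. 33 quantifies over all of L(R, Delta))."""
    _, _, op, bound = ldi
    return OPS[op](ldi_value(sigma, tau, ldi, P), bound)


# Constructed data (assumptions, not from Figure 9.1).
R_ENV = r"1-0 0-1 (?:1-2 2-1 )*1-2 2-3 (?:3-3 )*"       # R of Example 19
DELTA_ENV: List[Constraint] = [
    (frozenset({(1, 2)}), (1, 2), ">=", 300),   # two "empty" signals at least 300 t.u. apart
    (frozenset({(1, 2)}), (2, 1), "<=", 10),    # the switch happens within 10 t.u. of the signal
]
P_ENV = {"Empty": frozenset({2})}               # Empty holds while waiting in location 2
PHI: LDI = ({"Empty": 20}, -1, "<=", 0)         # 20∫Empty − ∫true <= 0: Empty at most 5% of the time

SIGMA = [(1, 0), (0, 1), (1, 2), (2, 1), (1, 2), (2, 3)]
TAU_OK = [0, 0, 0, 200, 205, 500, 505]          # 300 t.u. between the two (1,2) edges
TAU_BAD = [0, 0, 0, 200, 205, 450, 455]         # only 250 t.u.: violates the first constraint

if __name__ == "__main__":
    print(in_language(SIGMA, TAU_OK, R_ENV, DELTA_ENV), ldi_value(SIGMA, TAU_OK, PHI, P_ENV))
```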
The notion of TC-RE leads to a clear separation between the untimed structure and the timing constraints. The structured nature of traditional Regular Expressions (RE) is extremely helpful for developing the principles of the algorithm. Given a timed automaton, it is easy to write down a TC-RE that expresses its timed language (we will see this in Section 9.7).

Other kinds of timed RE are defined in [9], adding an intersection operator. As they proved, intersection is unavoidable with the "bound on length" style of timing constraints. Although their approach is elegant, we found it rather difficult to extend the method we are proposing to that kind of timed regular expression (in particular when intersection is combined with the Kleene closure operator). We avoid intersection by making the timing-constraint constructs less explicit; at the same time, they are easier to manipulate.
The following facts are obvious from the above definition.

Fact 3 Let $R$ and $R'$ be REs and let $\Delta$ be a set of constraints.
1. If $R$ and $R'$ are equivalent (i.e. they recognize the same language) then $L(R, \Delta) = L(R', \Delta)$.
2. If $R$ recognizes a sub-language of $R'$ then $L(R, \Delta) \subseteq L(R', \Delta)$.

Fact 4 $\Delta \subseteq \Delta' \Rightarrow L(R, \Delta') \subseteq L(R, \Delta)$.
Definition 34 The Prefixes of a regular expression $R$ is the set of words $\mathrm{Prefixes}(R) = \{\theta \mid \exists \theta' : \theta\theta' \in R\}$.

Definition 35 A word $\sigma$ over $Eid$ is repeatable, denoted $\mathrm{Repeatable}(\sigma)$, iff $src(first(\sigma)) = tgt(last(\sigma))$.

It is obvious that

Fact 5 $\mathrm{Repeatable}(\sigma_{[i,j]})$ iff $src(\sigma_i) = tgt(\sigma_j)$.

Definition 36 Given a TC-RE $(R, \Delta)$, we define the timing for a clock $\delta$ in a run $\theta \in \mathrm{Prefixes}(R)$, denoted $\mathrm{Times}_\delta(\theta)$, as $\{\, last(\tau) - \tau_{\mathrm{last}_\delta(\theta)} \mid \tau \in \mathrm{Sol}(\theta, \Delta) \,\}$. It represents the possible final values of clock $\delta$ when timing is added to $\theta$.

Fact 6 The set $\mathrm{Times}_\delta(\theta)$ has a minimum and, if it has an upper bound, then it also has a maximum. We denote them $\mathrm{MinTimes}_\delta(\theta)$ and $\mathrm{MaxTimes}_\delta(\theta)$ respectively, and we write $\mathrm{MaxTimes}_\delta(\theta) = \infty$ if it has no upper bound.

Definition 37 Let $(R, \Delta)$ be a TC-RE, $\delta$ a clock and $\theta \in \mathrm{Prefixes}(R)$. Let $MC$ be the maximum of the constants appearing in a time constraint in $\Delta$. We define

$\mathrm{MIN}_\delta(\theta) \stackrel{\mathrm{def}}{=} \mathrm{MinTimes}_\delta(\theta)$ if $\mathrm{MinTimes}_\delta(\theta) \le MC$, and $\infty$ otherwise;

$\mathrm{MAX}_\delta(\theta) \stackrel{\mathrm{def}}{=} \mathrm{MaxTimes}_\delta(\theta)$ if $\mathrm{MaxTimes}_\delta(\theta) \le MC$, and $\infty$ otherwise.
9.4 Problem Transformation in terms of TC-RE

To solve the validity problem $(A, F) \models_P \varphi$ we will show how to obtain a TC-RE capturing all the timed words of $A$ leading to $F$. Then we only have to check whether that TC-RE satisfies $\varphi$.

Given a timed automaton $A$ and a set of final locations $F$, we could apply to $(A, F)$ a simple procedure derived from the proof of Kleene's theorem [96, 9] in order to obtain a regular expression that recognizes all the untimed words of transitions which lead to a final location in $F$.

On the other hand, $\Delta$ can be obtained simply as follows. For each edge $e = \langle s, a, \psi, \alpha, s' \rangle$ follow this procedure:

- For each test $x \bowtie c \in \psi$ add the tuple $(\delta, \langle s, a, s' \rangle, \bowtie c)$ to $\Delta$, where $\delta$ is the set of transitions that reset the clock $x$ (remember that this set also includes the initial ones).
- For each test $x \bowtie c \in I(s)$ add the tuple $(\delta, \langle s, a, s' \rangle, \bowtie c)$ to $\Delta$, where $\delta$ is the set of transitions that reset the clock $x$, as above.

We call the TC-RE constructed from $(A, F)$ in this way $\Delta\mathrm{Kleene}(A, F)$. Note that the second item could be eliminated if we assume that $\psi \Rightarrow I(s)$.

It is easy to see that the obtained TC-RE recognizes exactly the language of timed words of $A$ leading to a final location in $F$. That is:

Fact 7 $(\sigma, \tau) \in L(\Delta\mathrm{Kleene}(A, F))$ iff $(\sigma, \tau) \in L(A) \wedge tgt(last(\sigma)) \in F$.

Then, using the properties of the automaton $A$, we immediately get

Theorem 10 For an LDI formula $\varphi$, $\Delta\mathrm{Kleene}(A, F) \models_P \varphi$ iff $(A, F) \models_P \varphi$.
So from the automaton $A$ we obtain a TC-RE $(R, \Delta)$, where $R$ is a regular expression on the set of transitions $Eid$ over the set of locations of the timed automaton $S = \{s_1, s_2, \ldots, s_n\}$. As mentioned earlier, $R$ is obtained following the procedure of the proof of Kleene's theorem [96].

Namely, $R$ can be obtained as the union of the REs $R^n_{ij}$ where $s_i$ is an initial location and $s_j$ is a final one. For any $i, j, k \le n$, $R^k_{ij}$ is the set of words that lead the automaton $A$ from location $s_i$ to location $s_j$ without passing through locations in $\{s_{k+1}, \ldots, s_n\}$, and it is defined inductively as
$R^k_{ij} \stackrel{\mathrm{def}}{=} R^{k-1}_{ij} \oplus R^{k-1}_{ik} (R^{k-1}_{kk})^* R^{k-1}_{kj}$;
$R^0_{ij}$ is $\{\langle s_i, a, s_j \rangle : \langle s_i, a, \psi, \alpha, s_j \rangle \in Edges(A)\}$ if one such transition exists; otherwise it is $\{\varepsilon\}$ if $i = j$ and the empty set if $i \neq j$.⁴
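The recursion for $R^k_{ij}$ can be run directly on the edge identifiers of an automaton; the same matrix is what the on-the-fly algorithm of Section 9.9 stores. The Python below is an added example written for this page, not code from the thesis: it builds the $R^k_{ij}$ matrix with the simplification rules the thesis mentions ($\varepsilon A = A$, $(\varepsilon \oplus A)^* = A^*$, $A \oplus A = A$, the empty set absorbed), renders the resulting regular expression, and cross-checks its words against a plain graph search of transition sequences. The automaton (locations 1..3, edges named a, b, c, d) is constructed for illustration; only the untimed part $R$ is produced here, the constraint set $\Delta$ is not built.

```python
"""Kleene-theorem construction of the R^k_ij regular expressions over edge
identifiers (the untimed part of DeltaKleene(A, F)).  Added example, not
code from the thesis; the automaton at the bottom is constructed."""

EPS = ("eps",)        # the empty word
EMPTY = None          # the empty set; absorbed by cat, dropped by alt


def cat(a, b):
    """Concatenation with the rules emptyset.A = emptyset and eps.A = A."""
    if a is EMPTY or b is EMPTY:
        return EMPTY
    if a == EPS:
        return b
    if b == EPS:
        return a
    return ("cat", a, b)


def alt(a, b):
    """Union with the rules emptyset + A = A and A + A = A."""
    if a is EMPTY:
        return b
    if b is EMPTY or a == b:
        return a
    return ("alt", a, b)


def star(a):
    """Kleene closure with (eps + A)* = A* and emptyset* = eps* = eps."""
    if a is EMPTY or a == EPS:
        return EPS
    if a[0] == "alt" and EPS in (a[1], a[2]):
        return star(a[2] if a[1] == EPS else a[1])
    return ("star", a)


def kleene(n, edges):
    """R[i][j], 1 <= i, j <= n: words of edge identifiers leading from s_i
    to s_j.  `edges` maps an identifier to its (source, target) pair.
    R^0_ij is the union of the direct edges, eps if i = j and no edge
    exists, emptyset otherwise; then for k = 1..n
    R^k_ij = R^{k-1}_ij + R^{k-1}_ik (R^{k-1}_kk)* R^{k-1}_kj."""
    R = [[EMPTY] * (n + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        for j in range(1, n + 1):
            for e, (s, t) in edges.items():
                if (s, t) == (i, j):
                    R[i][j] = alt(R[i][j], ("sym", e))
            if R[i][j] is EMPTY and i == j:
                R[i][j] = EPS
    for k in range(1, n + 1):
        cycle = star(R[k][k])
        R = [[alt(R[i][j], cat(cat(R[i][k], cycle), R[k][j]))
              for j in range(n + 1)] for i in range(n + 1)]
    return R


def to_string(r):
    """Render an RE: juxtaposition, ' + ' for union, postfix '*'."""
    def wrap(x, *kinds):
        s = to_string(x)
        return "(" + s + ")" if x[0] in kinds else s
    if r is EMPTY:
        return "{}"
    if r[0] == "eps":
        return "eps"
    if r[0] == "sym":
        return str(r[1])
    if r[0] == "cat":
        return wrap(r[1], "alt") + wrap(r[2], "alt")
    if r[0] == "alt":
        return to_string(r[1]) + " + " + to_string(r[2])
    return wrap(r[1], "alt", "cat") + "*"


def words(r, maxlen):
    """All words of r with at most maxlen symbols (a finite set)."""
    if r is EMPTY:
        return set()
    if r[0] == "eps":
        return {()}
    if r[0] == "sym":
        return {(r[1],)}
    if r[0] == "cat":
        return {u + v for u in words(r[1], maxlen) for v in words(r[2], maxlen)
                if len(u) + len(v) <= maxlen}
    if r[0] == "alt":
        return words(r[1], maxlen) | words(r[2], maxlen)
    body = {w for w in words(r[1], maxlen) if w}      # non-empty iterations
    result, frontier = {()}, {()}
    while frontier:
        frontier = {u + v for u in frontier for v in body
                    if len(u) + len(v) <= maxlen} - result
        result |= frontier
    return result


def paths(edges, i, j, maxlen):
    """Reference oracle: non-empty transition sequences from s_i to s_j with
    at most maxlen edges, by breadth-first enumeration of the graph."""
    out, frontier = set(), {(i, ())}
    for _ in range(maxlen):
        frontier = {(t, w + (e,)) for loc, w in frontier
                    for e, (s, t) in edges.items() if s == loc}
        out |= {w for loc, w in frontier if loc == j}
    return out


# Constructed automaton: locations 1..3, four edges named a..d.
EDGES = {"a": (1, 2), "b": (2, 1), "c": (2, 3), "d": (3, 3)}

if __name__ == "__main__":
    R = kleene(3, EDGES)
    print("words from 1 to 3:", to_string(R[1][3]))
```

For the constructed automaton the expression for $R^3_{13}$ comes out as `a(ba)*c + a(ba)*cd*d`; the oracle check in the test below confirms, for every pair of locations, that the words of length at most 5 denoted by $R^3_{ij}$ are exactly the transition sequences found by graph search. Note that $R^3_{33}$ contains no $\varepsilon$ because a self-loop exists at location 3, exactly as the $R^0_{ij}$ rule prescribes.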
9.5 Verifying Finite TC-RE

In this section we illustrate the concepts introduced above by showing how to solve the model-checking problem for finite TC-REs, that is, TC-REs whose REs have no occurrence of the star operator (Kleene closure). Finiteness implies that the RE can be rewritten as a finite union of words (REs with neither Kleene operator nor union occurrences). Then $(\sigma, \tau) \models_P \varphi$, where $\varphi \equiv \sum_{b \in B} c_b \int b \bowtie M$, must be checked for every word $\sigma$ into which the RE can be decomposed (a finite number of them) and for all $\tau \in \mathrm{Sol}(\sigma, \Delta)$. We show how to check a TC-RE whose RE part is a single word, and hence we can solve the problem for any finite RE. Note that all words of a finite RE can be checked in parallel.
Given a word $\sigma$ and a set of time constraints $\Delta$, we can associate with them a set of variables and a set of linear constraints $C(\sigma, \Delta)$ whose set of solutions is precisely $\mathrm{Sol}(\sigma, \Delta)$. Formally, the set $C(\sigma, \Delta)$ of inequalities on the variable set $(\tau_i)_{i < |\sigma|}$ is defined by

$\{\tau_0 = 0\}\ \cup$
$\{\tau_i - \tau_{i-1} \ge 0 : 0 < i < |\sigma|\}\ \cup$
$\{\tau_i - \tau_{\mathrm{last}_\delta(\sigma_{i-1]})} \bowtie c : 0 < i < |\sigma| \wedge (\delta, \sigma_i, \bowtie c) \in \Delta \wedge \delta \cap \sigma_{i-1]} \neq \emptyset\}$

⁴ Hereafter we will consider that REs do not contain the empty set as a proper subexpression (such occurrences can be easily eliminated).

Thus checking $\forall \tau \in \mathrm{Sol}(\sigma, \Delta) : (\sigma, \tau) \models_P \sum_{b \in B} c_b \int b \bowtie M$ is exactly the same as checking whether the minimum of the function $f^{\varphi}_{\sigma,P}(\tau)$ subject to $C(\sigma, \Delta)$ is $\bowtie M$ if $\bowtie \in \{\ge, >\}$, or whether the maximum of $f^{\varphi}_{\sigma,P}(\tau)$ subject to $C(\sigma, \Delta)$ is $\bowtie M$ if $\bowtie \in \{\le, <\}$; this can be solved by linear programming techniques.
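The system $C(\sigma, \Delta)$ consists only of difference constraints ($\tau_i - \tau_j \bowtie c$), so the feasibility of a word (Definition 39) and the extreme clock values $\mathrm{MinTimes}_\delta$ / $\mathrm{MaxTimes}_\delta$ of Definition 36 need no general LP solver: they are shortest-path distances in the constraint graph, which is also how Section 9.7 says the reachability-graph construction obtains them. The following Python is an added example written for this page, not code from the thesis. The word, reset sets and constraints it uses are constructed for illustration, and it assumes (as the thesis does for $\Delta\mathrm{Kleene}$) that the initial transition resets every clock, so a clock never reset inside the word is measured from $\tau_0 = 0$. The duration objective $f^{\varphi}_{\sigma,P}$ is not optimized here; the block covers the constraint side of the problem only.

```python
"""Constraint system C(sigma, Delta) of a TC-RE word, solved as a
difference-constraint graph.  Added example; not code from the thesis.
Word, reset sets and constraints below are constructed for illustration."""
INF = float("inf")


def last_reset(word, clock, before):
    """Index of the last transition of word[:before] that resets `clock`
    (clock = the set delta of resetting transitions), or None."""
    for i in range(before - 1, -1, -1):
        if word[i] in clock:
            return i
    return None


def difference_bounds(word, delta):
    """C(word, Delta) as an all-pairs bound matrix: after closure,
    d[u][v] is the largest value tau_v - tau_u can take (INF if unbounded),
    and a negative d[i][i] signals an infeasible word.
    Only <=, >= and = are accepted, the tests the thesis restricts guards to."""
    n = len(word)
    d = [[0 if u == v else INF for v in range(n)] for u in range(n)]

    def bound(u, v, c):                 # record tau_v - tau_u <= c
        d[u][v] = min(d[u][v], c)

    for i in range(1, n):               # time is monotone: tau_i - tau_{i-1} >= 0
        bound(i, i - 1, 0)
    for clock, edge, op, c in delta:
        if op not in ("<=", ">=", "="):
            raise ValueError("strict tests are not supported: " + op)
        for i in range(1, n):
            if word[i] != edge:
                continue
            r = last_reset(word, clock, i)
            if r is None:               # free clock: no constraint inside the word
                continue
            if op in ("<=", "="):
                bound(r, i, c)          # tau_i - tau_r <= c
            if op in (">=", "="):
                bound(i, r, -c)         # tau_r - tau_i <= -c
    for k in range(n):                  # Floyd-Warshall shortest-path closure
        for u in range(n):
            for v in range(n):
                if d[u][k] + d[k][v] < d[u][v]:
                    d[u][v] = d[u][k] + d[k][v]
    return d


def feasible(word, delta):
    """Definition 39 for a single word: Sol(word, Delta) is non-empty iff
    the constraint graph has no negative cycle."""
    d = difference_bounds(word, delta)
    return all(d[i][i] >= 0 for i in range(len(word)))


def times(word, delta, clock):
    """(MinTimes, MaxTimes) of `clock` at the end of `word` (Definition 36):
    the extreme values of tau_last - tau_r over Sol(word, Delta), r being the
    last reset of the clock.  A clock never reset inside the word is measured
    from tau_0 = 0 (assumption: the initial transition resets all clocks).
    Returns None when the word is infeasible."""
    d = difference_bounds(word, delta)
    n = len(word)
    if any(d[i][i] < 0 for i in range(n)):
        return None
    r = last_reset(word, clock, n)
    if r is None:
        r = 0
    return (-d[n - 1][r], d[r][n - 1])


def cutoff(value, max_constant):
    """Definition 37: values above the largest constant MC of Delta are all
    equivalent for future tests and are reported as infinity."""
    return value if value <= max_constant else INF


# Constructed example.  Transitions are (source, target) pairs used as edge
# identifiers; reset sets are frozensets of transitions.
E0, E1, E2, E3, E4 = (0, 1), (1, 2), (2, 1), (1, 3), (3, 4)
X = frozenset({E0, E1})                 # transitions resetting clock x
Y = frozenset({E0})                     # transitions resetting clock y
WORD = [E0, E1, E2, E3, E4]
DELTA = [
    (X, E2, ">=", 2),                   # x >= 2 when (2,1) fires
    (X, E2, "<=", 5),                   # x <= 5 when (2,1) fires
    (X, E3, "<=", 3),                   # x <= 3 when (1,3) fires
    (X, E4, ">=", 4),                   # x >= 4 when (3,4) fires
    (Y, E4, "<=", 10),                  # y <= 10 when (3,4) fires (a deadline)
]

if __name__ == "__main__":
    print("feasible:", feasible(WORD, DELTA))
    print("Times_x(WORD):", times(WORD, DELTA, X))
    print("Times_y(WORD[:3]):", times(WORD[:3], DELTA, Y))
```

On the constructed word both clocks end in $[4, 10]$, while on the prefix $\sigma_{2]}$ clock $y$ has minimum 2 and no upper bound (the deadline on $(3,4)$ is not yet in force), which is the $\infty$ case of Fact 6. Adding the contradictory test $x \le 1$ on $(1,3)$ creates a negative cycle, and the word becomes infeasible. The divide-and-conquer remark that follows applies equally to this graph: a variable $\tau_k$ that no constraint straddles is a cut vertex of the graph.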
Example 20 Let $\sigma$ be $(1,0)(0,1)(1,2)(2,1)(1,2)(2,3)$ and let $\Delta$ be as in the previous example. Then $C(\sigma, \Delta)$ is the set of the following inequalities:
Since we know the structure of these systems of constraints, we can outline some procedures that simplify the linear programming problem. For example, if a variable stands for a transition whose source and target locations have the same contribution, it could be eliminated provided it plays an irrelevant role in the inequality system; that is, the deletion of the transition should lead to a system equivalent to the projection onto the rest of the variables. This can be achieved through efficient existential elimination procedures that take into account just the related variables.

Another performance improvement could be achieved through a divide and conquer technique. If we find a variable, say $\tau_k$, such that there is no inequality $\tau_j - \tau_i \bowtie c \in C(\sigma, \Delta)$ with $i < k < j$, we can divide the linear problem into two independent problems (constraints naming variables indexed less than or equal to $k$, and constraints naming variables indexed greater than or equal to $k$), and the minimum/maximum is obtained by adding the local minima/maxima. To simplify the system of constraints, techniques like the ones presented in [114] could be used.
9.6 Infinite TC-RE

In the previous section we showed a straightforward way to derive from the timed automaton $A$ a TC-RE that defines the set of timed words of $A$ which lead to a location in $F$. However, we want a TC-RE with "good" properties which allow a simple treatment of Kleene closure subexpressions in our verification procedure. Such a TC-RE is said to be a "well-behaved" TC-RE.

The first step of our model-checking procedure is to obtain a well-behaved TC-RE from the timed automaton to be analyzed. Then, if the obtained TC-RE is finite, we can apply linear programming techniques to solve the problem as shown before. For the infinite case we present, in the next sections, techniques for either inferring that the LDI is violated or reducing the original expression to a finite TC-RE which is equivalent to the original one with respect to the LDI. In the remaining sections we give more details of our idea.
9.6.1 Well-Behaved TC-RE

In this section we show a special class of TC-RE satisfying properties that simplify our algorithm (for dealing with infinite REs) without sacrificing expressive power.

Definition 38 A TC-RE $(R, \Delta)$ is fusion closed iff for any sequences $\alpha$, $\alpha'$ and $\theta$ over $Eid$, if $\alpha\theta \in R$, $\alpha' \in \mathrm{Prefixes}(R)$ and $tgt(last(\alpha)) = tgt(last(\alpha'))$ then $\alpha'\theta \in R$.

This is a natural property of a TC-RE resulting from the $\Delta\mathrm{Kleene}$ procedure.

Definition 39 A TC-RE $(R, \Delta)$ is feasible iff $\forall \sigma \in R : \mathrm{Sol}(\sigma, \Delta) \neq \emptyset$.

This property means that any word described by the RE can be "time stamped" in such a way that the constraints imposed by $\Delta$ are satisfied.

Definition 40 A TC-RE $(R, \Delta)$ has no-deadline constrained iterations iff $\forall \sigma \in R, \forall k < |\sigma|, \forall (\delta, \sigma_k, \le c) \in \Delta : \delta \cap \sigma_{k-1]} \neq \emptyset \Rightarrow \neg[\exists i, j : \mathrm{last}_\delta(\sigma_{k-1]}) < i \le j < k : \mathrm{Repeatable}(\sigma_{[i,j]})]$.

Definition 41 A TC-RE $(R, \Delta)$ has no-delay constrained iterations iff $\forall \sigma \in R, \forall k < |\sigma|, \forall (\delta, \sigma_k, \ge c) \in \Delta : \delta \cap \sigma_{k-1]} \neq \emptyset \Rightarrow \forall i, j : \mathrm{last}_\delta(\sigma_{k-1]}) < i \le j < k \wedge \mathrm{Repeatable}(\sigma_{[i,j]}) : \mathrm{MIN}_\delta(\sigma_{i-1]}) \ge c$.

The last two properties have a more technical nature and simplify the analysis of star (Kleene closure) subexpressions. Intuitively, the property no-deadline constrained iterations rules out deadlines ranging over a repeatable subword. On the other hand, the property no-delay constrained iterations states that delay tests for clocks not reset in a previous repeatable subword are redundant: the minimum values of those clocks already reach the test constants before the repeatable subword.

Roughly speaking, these properties imply that the number of iterations neither affects nor is affected by the timing constraints. Thus our algorithm can, to some extent, analyze Kleene closure subexpressions locally.

Definition 42 A TC-RE is well-behaved iff it is fusion closed and feasible, and has no-deadline constrained iterations and no-delay constrained iterations.
Example 21 Let

Figure 9.2: No-Delay Constrained Iterations

Then $(R, \Delta)$ is a well-behaved TC-RE. It is fusion closed and feasible, and transition $(1,3)$ tests for a delay that is already true in $(0,1)$ (see Figure 9.2).

Remember that we are trying to verify whether $\Delta\mathrm{Kleene}(A, F) \models_P \varphi$. But is the obtained TC-RE well-behaved? Since transitions go from and to locations, the resulting language has the fusion closed property.

But the last three properties of well-behavedness are not guaranteed if we apply the Kleene procedure to an arbitrary timed automaton (the last two conditions fail, in particular, when there are timing constraints covering cycles). For instance, the composition of both automata of the working case has infeasible paths and, moreover, clock $z$ constrains the number of iterations of cycles.
Fortunately, a property called reachability equivalence ensures the well-behavedness of a TC-RE. Some of the symbolic state space representations (e.g. [104]) produce automata where all paths are feasible and, moreover, for which "reachability equivalence" holds. Given a timed automaton, these techniques produce an automaton which represents all the reachable timed states of the original one. Generally, the resulting automaton is much smaller than the region graph. The reachability graph [104] is among such automata.

To understand why the reachability graph solves our problem of getting a well-behaved TC-RE, let us first define the reachability equivalence property.

The reachability equivalence property means that the minimum (resp. maximum) value of a clock $\delta$ that may be tested in the future is the same for all paths leading to a location $l$. This minimum (resp. maximum) will be denoted $\mathrm{MIN}^l_\delta$ (resp. $\mathrm{MAX}^l_\delta$).⁵ Note that all values greater than the maximum constant appearing in a time constraint in $\Delta$ are considered the same, and are denoted $\infty$. Then we can check only one path leading to $l$.
Definition 43 Let $(R, \Delta)$ be a TC-RE. A clock $\delta$ has a test after location $l$, denoted $\mathrm{FutureTest}_\delta(l)$, iff $\exists \sigma \in R, \exists j, k \in \mathbb{N}$ such that $\mathrm{last}_\delta(\sigma_{k-1]}) \le j < k < |\sigma| \wedge l = tgt(\sigma_j) \wedge (\delta, \sigma_k, \bowtie c) \in \Delta$.

⁵ Actually, this is a simplified version of the reachability equivalence property. In [29] we also require the same property for the difference of each pair of clocks which might be tested in the future.

Definition 44 A TC-RE $(R, \Delta)$ satisfies the reachability equivalence property iff for all clocks $\delta$, for all locations $l$ such that $\mathrm{FutureTest}_\delta(l)$, and for all $\theta, \theta' \in \mathrm{Prefixes}(R)$ such that $tgt(last(\theta)) = tgt(last(\theta')) = l$, it holds that $\mathrm{MIN}_\delta(\theta) = \mathrm{MIN}_\delta(\theta')$ and $\mathrm{MAX}_\delta(\theta) = \mathrm{MAX}_\delta(\theta')$.
Example 22 Suppose we have two histories leading to location 2 of the Environment automaton: $(1,0)(0,1)(1,2)$ and $(1,0)(0,1)(1,2)(2,1)(1,2)$. They have the same values for the minimum (maximum) of clock $x$. On the other hand, $(1,0)(0,1)$ and $(1,0)(0,1)(1,2)(2,1)$ are not considered equivalent since they do not share the same value (in the first history the minimum value is 0 while in the second one the minimum is 300).

The next lemmas answer our question.

Lemma 11 Reachability equivalence and strong non-zenoness imply no-deadline constrained iterations.

Proof 18 See Sect. 9.11.

Lemma 12 Reachability equivalence, strong non-zenoness and fusion closedness imply no-delay constrained iterations.

Proof 19 See Sect. 9.11.

In the next section we show how to obtain a well-behaved TC-RE from a timed automaton using the reachability graph. This TC-RE will recognize the relevant language of timed words leading to a final location (the timed words to be analyzed for our validity problem).
9.7 Problem Transformation in terms of Well-Behaved TC-RE

Let us illustrate the idea of using the reachability graph technique. The reachability graph is a well known concept in many timed formalisms [99, 25]. In particular, given a timed automaton $A$, the reachability graph $RG(A)$ of $A$ can be seen as an automaton that accepts the same language as $A$ (up to a renaming, let us call it $\beta : Locs(RG(A)) \to Locs(A)$). It is built by symbolically unfolding the original graph in such a way that the language accepted by the underlying graph is feasible. This immediately implies the feasibility of its associated TC-RE.

Moreover, the procedure equates paths when they satisfy the reachability equivalence property [104]. Let us sketch the conceptual phases of the RG construction (for more details see [104]). The first stage is the definition of an infinite tree-shaped automaton whose locations are the feasible sequences of transitions of the original automaton (elsewhere called histories). Then, a sufficient condition is used to identify strongly transition-bisimilar histories. To define such a condition, they remarked that given a history it is easy to calculate, for each clock, the minimum and the maximum values over the set of runs exercising that sequence of transitions (remember $\mathrm{Times}_\delta(\theta)$).⁶ Then the condition says that two histories leading to the same location are equivalent if the calculated minimum (maximum) for each clock is the same in both paths or, alternatively, both are greater than any constant that could occur in a future comparison.
Given $\beta : Locs(RG(A)) \to Locs(A)$, we define:

- If $F \subseteq Locs(A)$ are the final locations of $A$, the set of final locations of $RG(A)$, denoted $\beta^{-1}(F)$, is the set of locations $l \in Locs(RG(A))$ such that $\beta(l) \in F$.
- If $P : Props \to 2^{Locs(A)}$ is the mapping for $A$, the mapping $\beta^{-1}(P) : Props \to 2^{Locs(RG(A))}$ for $RG(A)$ is $\beta^{-1}(P)(pr) = \beta^{-1}(P(pr))$ for $pr \in Props$.

Fact 8 There is a mapping $\beta : Locs(RG(A)) \to Locs(A)$ such that:
1. $\forall (\sigma, \tau) \in L(\Delta\mathrm{Kleene}(RG(A), \beta^{-1}(F))) : (\beta_*(\sigma), \tau) \in L(\Delta\mathrm{Kleene}(A, F))$;
2. $\forall (\sigma, \tau) \in L(\Delta\mathrm{Kleene}(A, F)), \exists \sigma' : \beta_*(\sigma') = \sigma \wedge (\sigma', \tau) \in L(\Delta\mathrm{Kleene}(RG(A), \beta^{-1}(F)))$;
where $\beta_*$ is the natural extension of $\beta$ to sequences.

Lemma 13 $\Delta\mathrm{Kleene}(RG(A), \beta^{-1}(F))$ satisfies the reachability equivalence property.

Now we formulate the main result of this section.

Theorem 11 Given a timed automaton $A$, a set of final locations $F \subseteq Locs(A)$, a valuation $P : Props \to 2^{Locs(A)}$ and an LDI formula $\varphi$, then
1. $\Delta\mathrm{Kleene}(RG(A), \beta^{-1}(F))$ is a well-behaved TC-RE,
2. $\Delta\mathrm{Kleene}(RG(A), \beta^{-1}(F)) \models_{\beta^{-1}(P)} \varphi$ iff $(A, F) \models_P \varphi$.

Proof 20 It follows immediately from Theorem 10, Fact 8 and Lemmas 11 and 12.

⁶ These values are calculated through a longest path algorithm on a weighted graph whose nodes are the transitions and whose edges come from the linear inequalities [104, 99].

Then the well-behaved TC-RE we must build is $\Delta\mathrm{Kleene}(RG(A), \beta^{-1}(F))$. Therefore, in the rest of the chapter we deal only with the problem of deciding whether $(R, \Delta) \models_P \varphi$ for a well-behaved TC-RE $(R, \Delta)$.
Definition 45 A word $\sigma$ over $Eid$ is non-transient for $\Delta$, denoted $\mathrm{NonTransient}_\Delta(\sigma)$, iff $\exists k < |\sigma| : \exists (\delta, \sigma_k, \ge c) \in \Delta : \delta \cap \sigma \neq \emptyset \wedge c > 0$.

This means that if a non-transient repeatable word is iterated infinitely often then time must diverge.

Definition 46 A well-behaved TC-RE $(R, \Delta)$ is strongly non-zeno iff $\forall \sigma \in R : \forall\, 0 \le i \le j < |\sigma| : \mathrm{Repeatable}(\sigma_{[i,j]}) \Rightarrow \mathrm{NonTransient}_\Delta(\sigma_{[i,j]})$.

Theorem 12 If a timed automaton $A$ is strongly non-zeno then $\Delta\mathrm{Kleene}(RG(A), \beta^{-1}(F))$ is strongly non-zeno.

Proof 21 Suppose that we have a transient repeatable subword $\sigma_{[i,j]}$ of $\Delta\mathrm{Kleene}(RG(A), \beta^{-1}(F))$ (which is, indeed, a cycle of $RG(A)$ and thus a cycle of $A$ up to renaming). We can build an infinite run of $A$ as follows: take $\tau \in \mathrm{Sol}(\sigma_{j]}, \Delta)$ (due to feasibility such a temporization exists). It is easy to see that $\tau \cdot (0 \ldots 0)$, the extension of $\tau$ with zero delays, belongs to $\mathrm{Sol}(\sigma_{j]}\sigma_{[i,j]}, \Delta)$. In fact, if a clock is tested for a delay and was reset outside the cycle, that test is already true in the first iteration (which is included in $\sigma_{j]}$). If the deadlines were true in $\tau$ they must also be true in $\tau \cdot (0 \ldots 0)$ (less time elapses), and due to the transientness of $\sigma_{[i,j]}$ there is no delay test using clocks reset in that word. This reasoning serves to conclude that we can build a non-divergent run of $A$ by repeating $\sigma_{[i,j]}$ infinitely often with no time elapsing. This contradicts the strong non-zenoness of $A$.
Example 23 The reachability graph for the SUA automaton is shown in Figure 9.3. The pairs indicate the value of the $\beta$ renaming. A TC-RE that accepts all the timed words of the RG in Figure 9.3 which lead to the final location 4 is the following:

Figure 9.3: The Reachability Graph

and

$\Delta \stackrel{\mathrm{def}}{=}$

In principle, $\Delta\mathrm{Kleene}$ does not produce TC-REs that are economical in the number of resets. Indeed, in this example many resets in the tuples are unnecessary due to the graph topology. For example, $(0,1)$ is never the last reset of the set $\{(0,1), (2,3), (3,5), (7,8), (8,9), (10,8)\}$ for transition $(10,8)$.
9.8 Principles for the Model-Checking Algorithm

In this section we present some concepts needed to explain the checking algorithm. As will be shown later in this chapter, our algorithm processes the Kleene closure subexpressions in a bottom-up fashion, trying either to reduce them to a finite subexpression or to find a counterexample, i.e. a violation of the LDI.

9.8.1 Past-Independence

Due to the global nature of timing constraints, it is hard to analyze the TC-RE compositionally. Valid time assignments for a word having a past context may depend on the values of clocks which are tested with no previous reset in the word. These clocks are called free clocks.

Definition 47 (Free Clocks) $\mathrm{FreeClocks}(\sigma, \Delta) \stackrel{\mathrm{def}}{=} \{\delta \mid 0 \le i < |\sigma| \wedge (\delta, \sigma_i, \bowtie c) \in \Delta \wedge (i = 0 \vee \delta \cap \sigma_{i-1]} = \emptyset)\}$.
However, there are some cases where a word can be analyzed locally and some valid conclusions drawn.

Definition 48 Let $(R, \Delta)$ be a TC-RE. We say that $\theta$ is past-independent iff $\mathrm{MIN}^{src(\theta_0)}_\delta = \mathrm{MAX}^{src(\theta_0)}_\delta$ for all $\delta \in \mathrm{FreeClocks}(\theta, \Delta)$.

Past-independence means that the minimum and maximum values of the free clocks of $\theta$ coincide, so their values are known constants when entering the first location of the word (i.e., the free clocks have fixed values and the word becomes "context free").

Definition 49 Let $(R, \Delta)$ be a TC-RE. A context for $\theta$ is a pair $(\theta', \tau')$ such that $\theta'\theta \in \mathrm{Prefixes}(R) \wedge \tau' \in \mathrm{Sol}(\theta', \Delta)$.

Corollary 8 Let $(R, \Delta)$ be a TC-RE. If $\theta$ is past-independent then for all time sequences $\tau$ it holds that: $\exists$ context $(\theta', \tau')$ for $\theta$ such that $\tau' \cdot \tau \in \mathrm{Sol}(\theta'\theta, \Delta)$ implies $\forall$ context $(\theta'', \tau'')$ for $\theta$ : $\tau'' \cdot \tau \in \mathrm{Sol}(\theta''\theta, \Delta)$.

That is, past-independence implies that a solution $\tau$ for a valid past context $(\theta', \tau')$ of a word $\theta$ is a solution for any valid past context $(\theta'', \tau'')$ of $\theta$.

If a word $\theta$ is past-independent then the following inequality system $\hat{C}(\theta, \Delta)$ on the variable set $(\gamma_i)_{i < |\theta|}$ provides all the valid relative time assignments $\gamma$ for $\theta$ as a subword of a word in $R$:

$\{\gamma_i - \gamma_{i-1} \ge 0 : 0 < i < |\theta|\}\ \cup$
$\{\gamma_i - \gamma_{\mathrm{last}_\delta(\theta_{i-1]})} \bowtie c : 0 < i < |\theta| \wedge (\delta, \theta_i, \bowtie c) \in \Delta \wedge \delta \cap \theta_{i-1]} \neq \emptyset\}\ \cup$
$\{\mathrm{MIN}^{src(\theta_0)}_\delta + \gamma_i \bowtie c : 0 \le i < |\theta| \wedge (\delta, \theta_i, \bowtie c) \in \Delta \wedge (i = 0 \vee \delta \cap \theta_{i-1]} = \emptyset)\}$

Corollary 8 can be extended:

Corollary 9 If $\theta$ is past-independent then for every solution $\gamma$ of $\hat{C}(\theta, \Delta)$ and every context $(\theta', \tau')$ for $\theta$, $\tau' \cdot \gamma \in \mathrm{Sol}(\theta'\theta, \Delta)$.
The following results are the basis for the correctness of the algorithm shown in the next section. Firstly, we show the results for $\bowtie \in \{\le, <\}$; those for $\bowtie \in \{\ge, >\}$ are analogous.

Theorem 13 Let $(R, \Delta)$ be a strongly non-zeno and well-behaved TC-RE, and let $A^*$ be a subexpression of $R$ where $\theta \in A$ is a past-independent word. If the maximum value of $f^{\varphi}_{\theta,P}(\gamma)$ subject to $\hat{C}(\theta, \Delta)$ is greater than zero and the test $\bowtie \in \{\le, <\}$ then $(R, \Delta) \not\models_P \varphi$.

Proof 22 See Sect. 9.11.

That is, if we detect a past-independent word $\theta$ of a Kleene closure subexpression such that the maximum value of the duration expression is greater than zero, we can conclude that the LDI is violated by the whole expression. In fact, the duration expression will not be bounded (because that timed word can be repeated unboundedly).

Theorem 14 Let $(R, \Delta)$ be a strongly non-zeno and well-behaved TC-RE, and let $A^*$ be a subexpression of $R$ such that all $\theta \in A$ are past-independent words. If the maximum value of the duration expression $f^{\varphi}_{\theta,P}(\gamma)$ subject to $\hat{C}(\theta, \Delta)$ is less than or equal to zero and the test $\bowtie \in \{\le, <\}$ then, by replacing $A^*$ in $R$ with $\varepsilon \oplus A$, we get a regular expression $R'$ for which $(R, \Delta) \models_P \varphi$ iff $(R', \Delta) \models_P \varphi$.

Proof 23 See Sect. 9.11.

This complementary result states that the Kleene closure subexpression can be replaced by some unfoldings of the subexpression in order to obtain an equivalent expression w.r.t. the LDI (the repetitions do not contribute to the duration expression). Analogously,

Theorem 15 Let $(R, \Delta)$ be a strongly non-zeno and well-behaved TC-RE, and let $A^*$ be a subexpression of $R$ where $\theta \in A$ is a past-independent word. If the minimum value of $f^{\varphi}_{\theta,P}(\gamma)$ subject to $\hat{C}(\theta, \Delta)$ is lower than zero and the test $\bowtie \in \{\ge, >\}$ then $(R, \Delta) \not\models_P \varphi$.

Proof 24 Analogous to Theorem 13.

Theorem 16 Let $(R, \Delta)$ be a strongly non-zeno and well-behaved TC-RE, and let $A^*$ be a subexpression of $R$ such that all $\theta \in A$ are past-independent words. If the minimum value of the duration expression $f^{\varphi}_{\theta,P}(\gamma)$ subject to $\hat{C}(\theta, \Delta)$ is greater than or equal to zero and the test $\bowtie \in \{\ge, >\}$ then, by replacing $A^*$ in $R$ with $\varepsilon \oplus A$, we get a regular expression $R'$ for which $(R, \Delta) \models_P \varphi$ iff $(R', \Delta) \models_P \varphi$.

Proof 25 Analogous to Theorem 14.
Summarizing these four theorems:

    Check                               ⋈ ∈       (R, Δ) ⊨_P φ
    maximum(f^φ_{θ,P}(γ)) > 0           {≤, <}    false
    maximum(f^φ_{θ,P}(γ)) ≤ 0           {≤, <}    replace R by R'
    minimum(f^φ_{θ,P}(γ)) < 0           {≥, >}    false
    minimum(f^φ_{θ,P}(γ)) ≥ 0           {≥, >}    replace R by R'
9.8.2 Obtaining Past-Independent Iterations

This section proposes some manipulations that can be used to obtain past-independent iterations from dependent ones.

Rotation. To obtain past-independent iterations, the rewriting rule $(AB)^* \to A(BA)^*B \oplus \varepsilon$ (a rotation) may be applied. Obviously, this manipulation does not guarantee past-independence.

Constraint Elimination. If rotation fails, there is a conservative treatment based on the elimination of non-fixed free clocks from the iterations. The basic idea is to eliminate non-fixed free clocks from the iterations to make them past-independent. Let $\sigma_i$ be a transition such that there is a $(\delta, \sigma_i, \bowtie c) \in \Delta$ for which $\delta \cap \sigma_{i-1]} = \emptyset$ and $\mathrm{MIN}^{src(\sigma_0)}_\delta \neq \mathrm{MAX}^{src(\sigma_0)}_\delta$. Then we can simply eliminate this kind of tuple from $\Delta$ to achieve past-independence.⁷

Tuple elimination produces a TC-RE whose language is a superset of the original one (see Fact 4). Therefore, this step is conservative: if the duration property is valid over a larger language it is also valid over the original one. On the other hand, any counterexample found using such an altered subexpression must be checked for membership. Thus, in some cases the method is not able to return a yes/no answer (inconclusive: "don't know").

⁷ Actually, the procedure first renames the transition $\sigma_i$, producing a new $(R', \Delta')$ and a new mapping $P'$ such that $(R', \Delta') \models_{P'} \varphi$ iff $(R, \Delta) \models_P \varphi$ (see [29]). This renaming is done to achieve a local elimination; otherwise, tests which are not troublesome for past-independence would also be eliminated.
Figure 9.4: The Conceptual Architecture (flow: RTS design → TA → Reachability Graph generator → RG → Translation procedure (Kleene closure) → WB TC-RE → Bottom-up "Basic Algorithm" → Finite TC-RE → Linear programming → "YES" / "NO")
9.9 The Basic Algorithm

We have shown in previous sections how the original problem $(A, F) \models_P \varphi$ boils down to a verification on a well-behaved TC-RE, $(R, \Delta) \models_P \varphi$. Given the well-behaved TC-RE, a theoretical algorithm would process the Kleene closure subexpressions in a bottom-up fashion. Under the hypotheses of Theorems 13, 14, 15 and 16 it is possible either to reduce the TC-RE to a finite expression or to find a violation of the LDI. A scheme of our whole method is shown in Figure 9.4.
In this section we present a sketch of an on-the-fly algorithm which shows that it is not necessary to translate the whole automaton $RG(A)$ into the TC-RE at the beginning. We use an $n^3$ matrix to store the $R^k_{ij}$. The input is a strongly non-zeno TA whose iterations can be rewritten as past-independent ones.⁸

⁸ Remember that there are conservative treatments to convert them into past-independent subwords, as explained in the last section. Elimination of constraints can be included in the presented algorithm as well.
Algorithm:
  for i, j ≤ n
    R^0_ij :=
      if there is an edge ⟨s_i, a, ψ, α, s_j⟩ ∈ Edges(A) then
        {⟨s_i, a, s_j⟩ : ⟨s_i, a, ψ, α, s_j⟩ ∈ Edges(A)}
      else
        if i = j then {ε} else ∅ end-if
      end-if
  end-for
  for k = 1 to n
    if R^{k-1}_kk = {ε} then                    (no cycle through s_k)
      Cycle_k := ε
    else
      let A, B such that AB = R^{k-1}_kk
      if ∃θ ∈ BA that satisfies the conditions of Theorem 13 or 15 then
        exit with result "counterexample found"
      else
        if (A = ε) or (B = ε) then               (no rotation)
          Cycle_k := ε ⊕ R^{k-1}_kk
        else
          Cycle_k := ε ⊕ AB ⊕ ABAB ⁹
        end-if
      end-if
    end-if
    for i, j ≤ n
      R^k_ij := R^{k-1}_ij ⊕ R^{k-1}_ik Cycle_k R^{k-1}_kj
    end-for
  end-for

⁹ $(AB)^* = \varepsilon \oplus A(BA)^*B$, and then, applying Theorem 14 or 16, $(AB)^* = \varepsilon \oplus A(\varepsilon \oplus BA)B = \varepsilon \oplus AB \oplus ABAB$.
Finally, the regular expression is reduced.¹⁰ Hence, from Theorems 13, 14, 15 and 16, with this procedure we either obtain a finite TC-RE (with no occurrence of Kleene closure) that is equivalent to the original one up to the duration problem (see its treatment in Sect. 9.5), or we discover a counterexample.¹¹

Note that the calculation of each $R^k_{ij}$ for a fixed $k$ can be done in parallel. It is also possible to choose among several strategies for reusing the calculation of the sets $R^k_{ij}$ (e.g. the sets of words can be stored explicitly in the matrix in order to avoid recalculation, or they can be stored symbolically and calculated on demand).
Example 24 Consider the automaton in Figure 9.3. Observe that the algorithm analyzes $R_{10,10}^*$ with $R_{10,10} = (10,8)(8,9)(9,10)$ (a Kleene closure subexpression). The cycle is not past-independent. Moreover, if its free clocks $x$ and $y$ are eliminated, the maximum of the duration expression is greater than 0. Thus that conservative manipulation would be inconclusive, and a rotation should be tried first.

Indeed, $R_{10,10}^* = \varepsilon \oplus [(10,8)\, R_{8,8}^*\, (8,9)(9,10)]$, where $R_{8,8} = (8,9)(9,10)(10,8)$, is a rotation. Again, $R_{8,8}$ is past-dependent. However, if the constraints on the free clock $x$ are eliminated the following system is obtained:

And, fortunately, the maximum value of the objective function for the LDI (in Example 4) subject to that system of constraints is $19 \cdot 10 - 1 \cdot 290 = -100$. Then, due to Theorem 14, the algorithm replaces $R_{8,8}^*$ with $\varepsilon \oplus R_{8,8}$, obtaining the following sets of finite words:

¹⁰ Using rules like $\varepsilon A = A\varepsilon = A$, $(\varepsilon \oplus A)^* = (A \oplus \varepsilon)^* = A^*$, $A \oplus A = A$.

¹¹ Remember that, if a conservative treatment was applied to make iterations past-independent, counterexamples must be tested for membership. If membership does not hold the procedure is inconclusive.
Calculating the maximum of the objective function on these words, the algorithm concludes that the duration property is satisfied. In fact, let us make some observations that lead to the same result. Let $\tau_{i,j}$ be the variable that stands for the time of occurrence of $(i,j)$. Firstly, note that in all cases the positive contributions (19) arise in three intervals, the first being $[\tau_{1,2}, \tau_{2,3}]$ and the second ending at $\tau_{3,5}$. The maximum value that each interval can contribute is 190 (their length is at most 10). Therefore, since the time length of the words is at least 600, any of the former words showing two of those intervals has a maximum less than or equal to $(-1) \cdot 500 + 2 \cdot 190 = -120$. That leaves the following words for analysis:

Secondly, if the variable $\tau_{2,3}$ is involved in the system, since $\tau_{2,3} - \tau_{0,1} = 300$ the contribution of location 2 is always less than or equal to $-290$. The same is true for $\tau_{7,8}$ with location 7, and $\tau_{10,8}$ with location 10. For each word, we can count the number of positive locations (1, 5 and 9), which contribute at most 190 each, against the occurrences of $\tau_{2,3}$, $\tau_{7,8}$ and $\tau_{10,8}$, which contribute $-290$ or less. We can conclude that for all words the maximum is less than zero.
9.10 Conclusions and Discussion

We have presented a conservative procedure that analyzes some paths of the Reachability Graph [104] (generally much smaller than the region graph) using linear programming. The procedure works for strongly non-zeno timed automata $A$. Let us remark some facts about the technique:

- it is accurate when the TC-RE is finite; that happens, for example, when there are deadlines to arrive at final locations,
- it is also accurate when cycles can be rewritten in terms of past-independent iterations. Some identified classes such as the Alternating RQ automata fulfill the condition of independent iterations [113]. In general, this condition is also satisfied when the tests in a cycle are always preceded by a reset in the iteration,
- in general it can verify conservatively the whole class of strongly non-zeno timed automata, avoiding digitization (i.e., building the region graph), and
- we believe that in the near future we will be able to verify accurately the whole class of strongly non-zeno timed automata by adding a local digitization technique to convert non-past-independent iterations into independent ones (using the possible integer values of free clocks).

The practicality of the algorithm is still an empirical question. Although the estimated worst-case complexity is not better than that of the procedure shown in [106], there are some encouraging observations. First of all, techniques like [104] produce graphs which are, generally, much smaller than the region graph. The complexity of our RE conversion procedure seems to depend on the number of transitions and is not necessarily exponential in the number of nodes. Also, the algorithm works on the fly and many steps can be done in parallel. Finally, we use linear programming instead of integer linear programming. We were able to check small but interesting examples.

Note also that, since the work is based on the reachability graph construction, it could easily be migrated to other formalisms like real-time versions of Petri Nets [25] and Modecharts [99].
9.11 Proofs of Lemmas and Theorems 
Lemma 11 Reachability equivalence and strong non-zenoness imply no-deadline constrained iterations.
Proof 26 Suppose that the property no-deadline constrained iterations is violated. That means $\exists \sigma \in R$, $\exists k < |\sigma|$, $\exists (\delta, \sigma_k, \le c) \in A : \delta \cap \sigma_{k-1]} \neq \emptyset$, $\exists i, j : last\text{-}\delta\text{-}in\text{-}\sigma_{k-1]} < i < j < k \wedge Repeatable(\sigma_{[i,j]})$.
$last\text{-}\delta\text{-}in\text{-}\sigma_{k-1]} < i$ means that the reset of $\delta$ occurs before step $i$. Then there is no reset of $\delta$ in $\sigma_{[i,k]}$.
Since $last\text{-}\delta\text{-}in\text{-}\sigma_{k-1]} < j < k$ and $(\delta, \sigma_k, \le c) \in A$, it holds $FutureTest_\delta(tgt(\sigma_j))$. But $\sigma_{i-1]}$ and $\sigma_{j]}$ are sequences ending on the same location $tgt(\sigma_j)$, because of $Repeatable(\sigma_{[i,j]})$. By reachability equivalence, $MIN_\delta(\sigma_{i-1]}) = MIN_\delta(\sigma_{j]})$.
Due to feasibility, $\exists \tau \in Sol(\sigma, A)$. Since $(\sigma, \tau) \in L(R, A)$, $\delta$ is not reset in $\sigma_{[i,k]}$ and $\sigma$ has a test $\le c$ for the clock $\delta$ in location $tgt(\sigma_k)$, both $MIN_\delta(\sigma_{i-1]})$ and $MIN_\delta(\sigma_{j]})$ are not $\infty$. So $MinTimes_\delta(\sigma_{i-1]}) = MinTimes_\delta(\sigma_{j]})$ (1).
But the loop in $\sigma_{[i,j]}$ is non-transient because of strong non-zenoness, and the clock $\delta$ is not reset in $\sigma_{[i,j]}$. Then by Lemma 14 we conclude that $MinTimes_\delta(\sigma_{i-1]}) < MinTimes_\delta(\sigma_{j]})$, contradicting (1).
Lemma 12 Reachability equivalence, strong non-zenoness and fusion closure imply no-delay constrained iterations.
Proof 27 Let $\sigma \in R$, $k < |\sigma|$, $(\delta, \sigma_k, \ge c) \in A$, $\delta \cap \sigma_{k-1]} \neq \emptyset$, and $last\text{-}\delta\text{-}in\text{-}\sigma_{k-1]} < i < j < k \wedge Repeatable(\sigma_{[i,j]})$. We have to prove that $MIN_\delta(\sigma_{i-1]}) > c$.
$last\text{-}\delta\text{-}in\text{-}\sigma_{k-1]} < i$ means that the reset of $\delta$ occurs before step $i$. Then there is no reset of $\delta$ in $\sigma_{[i,k]}$. Since there is no reset of $\delta$ in $\sigma_{[i,j]}$, we get by Lemma 14 $MinTimes_\delta(\sigma_{i-1]}) \le MinTimes_\delta(\sigma_{j]})$ (1).
$Repeatable(\sigma_{[i,j]}) \Rightarrow src(\sigma_i) = tgt(\sigma_j)$, so the concatenation $\sigma_{j]}\sigma_{[i,j]}$ is defined. Also, by fusion closure, $\sigma_{j]}\sigma_{[i,j]} \in Prefixes(R)$. By Lemma 14, because $\sigma_{[i,j]}$ is non-transient, we get $MinTimes_\delta(\sigma_{j]}) < MinTimes_\delta(\sigma_{j]}\sigma_{[i,j]})$ (2).
From (1) and (2), we know that $MinTimes_\delta(\sigma_{i-1]}) < MinTimes_\delta(\sigma_{j]}\sigma_{[i,j]})$ (3).
$last\text{-}\delta\text{-}in\text{-}\sigma_{k-1]} < j < k$ and $(\delta, \sigma_k, \ge c) \in A$, so it holds $FutureTest_\delta(tgt(\sigma_j))$. But $\sigma_{i-1]}$ and $\sigma_{j]}\sigma_{[i,j]}$ are sequences ending on the same location $tgt(\sigma_j)$. By reachability equivalence, $MIN_\delta(\sigma_{i-1]}) = MIN_\delta(\sigma_{j]}\sigma_{[i,j]})$. Because of (3) this is only possible if both are equal to $\infty$. Therefore, $MIN_\delta(\sigma_{i-1]}) > c$.
Lemma 14 $\forall$ clock $\delta$, $\forall \theta, \theta'$ such that $\theta\theta' \in Prefixes(R)$ and $\theta'$ doesn't reset clock $\delta$:
1. $MinTimes_\delta(\theta) \le MinTimes_\delta(\theta\theta')$
2. If $\theta'$ is non-transient then $MinTimes_\delta(\theta) < MinTimes_\delta(\theta\theta')$
Proof 28 Let $y \in Times_\delta(\theta\theta')$. Then $\exists x \in Times_\delta(\theta)$ such that $x \le y$, because $\theta'$ does not reset $\delta$. But $MinTimes_\delta(\theta) \le x$ because $x \in Times_\delta(\theta)$. Then $MinTimes_\delta(\theta) \le y$ $\forall y$. Therefore $MinTimes_\delta(\theta) \le MinTimes_\delta(\theta\theta')$.
And if $\theta'$ is non-transient then it elapses time. So we conclude that $MinTimes_\delta(\theta) < MinTimes_\delta(\theta\theta')$.
Theorem 13 Let $(R, A)$ be a strongly non-zeno and well-behaved TC-RE, and let $\Delta^*$ be a subexpression of $R$ where $\theta \in \Delta$ is a past-independent word. If the maximum value of $f_{c,\rho}(\gamma)$ subject to $C(\theta, A)$ is greater than zero and the test $\sim \in \{\le, <\}$, then $(R, A) \not\models \varphi$.
Proof 29 We will construct a timed word that belongs to $L(R, A)$ but does not satisfy $\varphi$.
We know by hypothesis that $\exists \alpha, \alpha' : \alpha\theta\alpha' \in R$. Also, because of feasibility, $\exists \tau = \tau_\alpha \triangleleft \tau_\theta \triangleleft \tau_{\alpha'} \in Sol(\alpha\theta\alpha', A)$ with $|\tau_\alpha| = |\alpha|$, $|\tau_\theta| = |\theta| \wedge |\tau_{\alpha'}| = |\alpha'|$. The idea is to insert the loop $\theta$ in this word as many times as necessary so that it does not satisfy $\varphi$.
Because of the fusion closed property, $\alpha\theta^{n+1}\alpha' = \alpha\theta^n\theta\alpha'$ is also in $R$ $\forall n \in \mathbb{N}$. Now we will modify the time assignment $\tau$ for this family of words.
Let $\gamma_\theta$ be a solution that gives $f_{c,\rho}(\gamma)$ subject to $C(\theta, A)$ its maximum value. Then, by hypothesis, $f_{c,\rho}(\gamma_\theta) > 0$. We will prove that $\tau_\alpha \triangleleft \gamma_\theta \triangleleft \tau_\theta \triangleleft \tau_{\alpha'} \in Sol(\alpha\theta\theta\alpha', A)$.
We know that $\tau_\alpha \in Sol(\alpha, A)$ because $\tau_\alpha \triangleleft \tau_\theta \triangleleft \tau_{\alpha'} \in Sol(\alpha\theta\alpha', A)$. Then $(\alpha, \tau_\alpha)$ is a context for $\theta$. Since $\theta$ is past-independent and $\gamma_\theta$ is a solution under $C(\theta, A)$, by Corollary 9, $\tau_\alpha \triangleleft \gamma_\theta \in Sol(\alpha\theta, A)$.
The tests done in the second $\theta$ whose reset is in the previous iteration are satisfied since $\theta$ is past-independent. And the clocks not reset in the first $\theta$ can only be tested by delays (because of the no-deadline constrained iterations property), and since those distances are increased they are also satisfied. Then $\tau_\alpha \triangleleft \gamma_\theta \triangleleft \tau_\theta \in Sol(\alpha\theta\theta, A)$.
Finally, $\alpha'$ has two previous iterations. If the reset is done in $\alpha$ or in the first $\theta$, the former argument about delays holds. If the reset occurs in the second $\theta$, we already know that the test is satisfied because $\tau_\alpha \triangleleft \tau_\theta \triangleleft \tau_{\alpha'} \in Sol(\alpha\theta\alpha', A)$. Thus we conclude that $\tau_\alpha \triangleleft \gamma_\theta \triangleleft \tau_\theta \triangleleft \tau_{\alpha'} \in Sol(\alpha\theta\theta\alpha', A)$.
Using the previous reasoning it follows inductively that $\tau_\alpha \triangleleft \gamma_\theta^n \triangleleft \tau_\theta \triangleleft \tau_{\alpha'} \in Sol(\alpha\theta^{n+1}\alpha', A)$. Thus $(\alpha\theta^{n+1}\alpha', \tau_\alpha \triangleleft \gamma_\theta^n \triangleleft \tau_\theta \triangleleft \tau_{\alpha'}) \in L(R, A)$ $\forall n \in \mathbb{N}$.
It only remains to observe that the objective function can be made as large as we want by iterating as many times as we like.
Theorem 14 Let $(R, A)$ be a strongly non-zeno and well-behaved TC-RE, and let $\Delta^*$ be a subexpression of $R$ such that all $\theta \in \Delta$ are past-independent words. If the maximum value of the duration expression $f_{c,\rho}(\gamma)$ subject to $C(\theta, A)$ is less than or equal to zero and the test $\sim \in \{\le, <\}$, then, by replacing $\Delta^*$ in $R$ with $\varepsilon + \Delta$, we get a regular expression $R'$ for which $(R, A) \models \varphi$ iff $(R', A) \models \varphi$.
Proof 30 It is clear that $R'$ recognises a sub-language of $R$; then, by Fact 3, $L(R', A) \subseteq L(R, A)$. So $(R, A) \models \varphi \Rightarrow (R', A) \models \varphi$.
It remains to prove that $(R', A) \models \varphi \Rightarrow (R, A) \models \varphi$. We do it by showing that if we have two consecutive iterations of $\Delta$ in a timed word of $(R, A)$ then we can eliminate one of them and the resulting timed word satisfies $\varphi$.
Now suppose that $(R', A) \models \varphi$, $(\sigma, \tau) \in L(R, A)$ and $\exists i_1, i_2, i_3 \in \mathbb{N} : 0 < i_1 < i_2 < i_3 < |\sigma| \wedge \sigma_{[i_1,i_2-1]}, \sigma_{[i_2,i_3-1]} \in \Delta$.
Consider the timed word where the loop $\sigma_{[i_1,i_2-1]}$ is eliminated. We have eliminated the symbols $\sigma_{[i_1,i_2-1]}$, whose sum has a non-positive contribution because $f_{c,\rho}(\tau_{[i_1,i_2-1]}) \le 0$ by hypothesis. Thus it is easy to see that $f_{c,\rho}(\tau') \ge f_{c,\rho}(\tau)$ where $\sigma' = \sigma_{i_1-1]}\sigma_{[i_2}$ and $\tau' = \tau_{i_1-1]} \triangleleft (\tau_{[i_2-1} -_{map} \tau_{i_2-1})$.
If we can prove that actually $(\sigma', \tau') \in L(R, A)$, we easily arrive at the result that if the LDI is violated in the original expression it will also be violated in an expression using at most one unfolding of the cycle. Therefore, let us prove that the new timed word is in the timed language.
The fusion closed property ensures that $\sigma' \in R$. And we know that $\tau'_0 = \tau_0 = 0$. So it remains to prove that $\tau' \in Sol(\sigma', A)$. That is, we must check that all the constraints $(\delta, \sigma'_i, \sim c) \in A$ are satisfied for all $\tau'_i$: $\tau'_i - \tau'_{last\text{-}\delta\text{-}in\text{-}\sigma'_{i-1]}} \sim c$ (remember that $init$ is the first transition).
First of all, any constraint is satisfied by $\tau'_i$ when $i \le i_1 - 1$, since $\sigma, \sigma'$ and $\tau, \tau'$ coincide in the first $i_1$ transitions.
The other simple case is when $\delta \cap \sigma'_{[i_1,i-1]} \neq \emptyset$: the distance between $\tau'_i$ and the last $\delta$ transition in $\sigma'_{i-1]}$ is the same as the distance of the corresponding one in the original $\tau$, because the reset occurs after the eliminated iteration.
Finally we have to deal with a test after the eliminated loop that has a reset before the eliminated loop. Now let $i \ge i_1$ while $last\text{-}\delta\text{-}in\text{-}\sigma'_{i-1]} \le i_1 - 1$.
Since $last\text{-}\delta\text{-}in\text{-}\sigma'_{i-1]} \le i_1 - 1$ then $last\text{-}\delta\text{-}in\text{-}\sigma'_{i-1]} = last\text{-}\delta\text{-}in\text{-}\sigma'_{i_1-1]}$. But $\sigma, \sigma', \tau$ and $\tau'$ coincide in the first $i_1$ transitions; then $last\text{-}\delta\text{-}in\text{-}\sigma'_{i_1-1]} = last\text{-}\delta\text{-}in\text{-}\sigma_{i_1-1]}$ and $\tau'_{last\text{-}\delta\text{-}in\text{-}\sigma'_{i_1-1]}} = \tau_{last\text{-}\delta\text{-}in\text{-}\sigma_{i_1-1]}}$. Thus $\tau'_{last\text{-}\delta\text{-}in\text{-}\sigma'_{i-1]}} = \tau_{last\text{-}\delta\text{-}in\text{-}\sigma_{i_1-1]}}$. Therefore we have to prove that
$\tau'_i - \tau_{last\text{-}\delta\text{-}in\text{-}\sigma_{i_1-1]}} \sim c$.
There are two cases: (a) $i + (i_2 - i_1) \le i_3 - 1$ and (b) $i + (i_2 - i_1) \ge i_3$.
In case (a) we are analyzing a constraint that goes from an iteration instance to another one. Thanks to independence we can argue that the constraint is satisfied.
In case (b) we know that $\delta$ is not reset in $\sigma_{[i_2,i_3-1]}$, because $last\text{-}\delta\text{-}in\text{-}\sigma'_{i-1]} \le i_1 - 1$ and $\sigma'_{i-1]}$ is the result of extracting $\sigma_{[i_1,i_2-1]}$ from $\sigma_{i+(i_2-i_1)-1]}$. Then we have in $\sigma'$ a test after location $src(\sigma'_i)$ with a previous reset before $i_1$.
Because of the no-deadline constrained iterations property ($\sigma_{[i_2,i_3-1]}$ is a loop) the test must be a delay, i.e., $(\delta, \sigma'_i, \ge c) \in A$. So we must prove that $\tau'_i - \tau'_{last\text{-}\delta\text{-}in\text{-}\sigma'_{i-1]}} \ge c$.
Also it can be seen from the definition of $\tau'$ that $\tau'_i = \tau_{i+(i_2-i_1)} + \tau_{i_1-1} - \tau_{i_2-1}$. Since $\tau_{i+(i_2-i_1)} = \tau_{i_2+(i-i_1)} \ge \tau_{i_2}$, then $\tau'_i \ge \tau_{i_1-1}$. Then we get that it is sufficient to prove that
$\tau_{i_1-1} - \tau_{last\text{-}\delta\text{-}in\text{-}\sigma_{i_1-1]}} > c$.
By the no-delay constrained iterations property we conclude that $MIN_\delta(\sigma'_{i_1-1]}) > c$. Then $MIN_\delta(\sigma_{i_1-1]}) > c$ since $\sigma'_{i_1-1]} = \sigma_{i_1-1]}$. By the definition of $MIN_\delta$, it follows that $MinTimes_\delta(\sigma_{i_1-1]}) > c$, since $c$ is a constant appearing in a time constraint in $A$. In particular for $\tau_{i_1-1]}$ we get $\tau_{i_1-1} - \tau_{last\text{-}\delta\text{-}in\text{-}\sigma_{i_1-1]}} > c$, as we need.
Chapter 10 
Conclusions and Future Work 
The need to predict temporal behavior of critical real-time systems has encouraged the development of a useful collection of models, results and tools for analyzing schedulability of applications (e.g., [109]). However, there is no general analytical support for verifying other kinds of high-level timing requirements on complex software architectures. On the other hand, the verification of specifications and designs of real-time systems has been considered an interesting application field for automatic analysis techniques such as model-checking. Unfortunately, the practicality of previous formal approaches was limited due to several factors, among them: the complexity introduced by preemption modeling, and the global analysis required by the implicit interrelationship (processor sharing) between "intuitively" independent components.
To cope with the challenges of the formal analysis of RTS designs, we have focused on three aspects that, we believe, are fundamental to get practical tools: model-generation, model-reduction and model-checking.
From the point of view of model-generation, we have presented a formal approach to verify a class of real-time distributed designs which adhere to the hypotheses of the known analytical theory for fixed-priority scheduling. With this approach in mind, we have shown how to build rather simple and conservative formal models based on timed automata to improve the practicality of verification.
Following the criterion of separation of concerns, we understand the scheduler and the priority assignment mainly as a way to achieve fair computation and predictable response times. Then, we abstract away the scheduler behavior, including preemptiveness, by using the WCCT, and the resulting formal models can be understood as virtually running on dedicated processors. CDAGs describe potential sequences of task events and WCCT-BCCT provide the bounds for their occurrences. In our application models, we require that tasks do not suspend themselves, a common assumption for schedulability analysis. This rules out, for instance, general handshake synchronization. However, communication is achieved through shared protected objects and signals. Mutual exclusion is achieved through Priority Ceiling Protocol emulation. This is another important property provided by the scheduler and captured by our modeling technique.
Then, this "asynchronous" application model for RTS greatly simplifies the WCCT calculus, and some researchers find it reasonable for many applications. Shared objects are non-blocking from a semantic point of view, and a bounded blocking time occurs just to achieve mutual exclusion. Thus, the TA edges standing for the end of operations on shared objects are guarded with timing conditions that take into account the blocking time due to mutual exclusion. Therefore, we are able to build abstractions to automatically reason on response times. We also believe that, in most cases, this is the kind of reasoning that a designer would rely on to gain confidence in its design. For instance, in our models two events standing for the end of mutually exclusive operations may be arbitrarily close (if allowed by timing conditions). Of course, this does not happen in the implementation, but we believe that mutual exclusion is just a way to achieve "serializable reentrant" operations and that is what we actually model. That is, we believe that there are only two important properties that must be captured about mutual exclusion: (a) operations work properly, and (b) there is a timing impact on tasks, the blocking time.
Clearly, it may be argued that our scheduler abstraction may not be able to verify properties that hold due to subtle scheduling side-effects. That is the price we pay. The properties we are able to check are properties whose satisfaction depends only on response times and not on any other characteristic of the underlying scheduling discipline. This could be an informal way to understand the scope and limitations of our approach: a way to automatically reason on the worst case behavior of a set of tasks, checking properties which are independent from any other aspect of the scheduler but the achieved response times. Our experiments have shown that we could check reasonable estimations. For a more detailed analysis of scheduling-dependent properties, we would recommend another more accurate but less feasible approach. One example of those lost properties, which might be expected by the designers, is task precedence produced by harmonic periods and a clever assignment of priorities [77]. In the future work section we mention the possibility of filtering the behavior with some rules that would hold in the actual implementation.
To a certain extent, our proposal enlarges the applicability of scheduling theory to prove requirements which involve interaction among components. As another contribution, we have also shown how known scheduling results could help in reducing the complexity of models and their analysis (by making them more compositional). To model such systems, we present I/O Timed Components, a simple notion built on top of Timed Automata to get live non-blocking models, also providing some important methodological advantages like influence detection (Chapter 7), compositional reasoning [111], etc.
We have also provided a set of mechanisms to abstract the model according to the observation power needed to verify the requirement. Thus, we do not feed the verification back-end with the whole model as previous formal approaches do. To provide arguments about the correctness of those abstractions, we have developed a notion of continuous observational bisimulation that is weaker than strong timed bisimulation yet preserves TCTL logic.
Furthermore, by choosing timed automata, we have adapted and applied their deeply studied and developed analysis theory. Consequently, model-checking can be performed by the well-known automatic analysis tools for Timed Automata ([61, 23, 91, 146], etc.), which were successfully applied to several case studies ([54, 59, 62, 148, 147], etc.). Moreover, we have also described from scratch an algorithm to model-check duration properties, a feature that is not addressed by available tools.
We have implemented prototype versions of some of the components of the described tool. They have served to experimentally validate the approach. The combination of the explained modeling approach with the reduction methods has shown to be very effective for checking middle-size examples found in the literature like the Mine Pump design [40] and the active structure system [69]. We believe in the scalability of the method to big-size examples due to the ability of our method to smartly focus on a submodel which is relevant to the requirement to be checked. On the other hand, parallel composition reduction by relevance (Chapter 7) has achieved dramatic speedups in several examples beyond the design models proposed in this thesis.
Besides getting a deliverable and integrated version of the whole tool, there are at least three directions to enhance the approach: modeling aspects, model manipulation, and model-checking.
Modeling Issues Further research in combining both scheduling theory and formal analysis seems highly recommendable. That is, the fundamental modeling idea presented in this thesis can be summarized as the use of calculated response times to build a conservative, compositional and simple formal model in order to check complex requirements. That idea was applied to the Fixed-Priority Application model, but we believe it is possible to generalize the proposed method to cope with a broader set of run-time scheduling disciplines like EDF (Earliest Deadline First) [43], etc. We also think that it is possible to use these ideas to analyze systems whose processing nodes are scheduled using different disciplines (e.g., processing nodes scheduled at pre-run time, processing nodes with non-preemptive aperiodic tasks [70]).
In the future, we may be interested in analyzing designs of application models with no underlying analytical scheduling theory. For instance, imagine a cooperative scheduling where each task is composed of a sequence of non-preemptable subtasks and event arrival cannot be characterized as cyclic or sporadic due to jitter, etc. [70, 15]. In those cases, we may use an adequate formal model just to obtain the maximum and minimum response times. Then, another compositional, conservative and less detailed model (like the one presented in this thesis) could be built to analyze complex requirements. In particular, to obtain those maximum and minimum response times, we can resort to hybrid automata for models like [15], symbolic model checking for models like [46], or the reachability graph [104] on models like [70].
On the other hand, the method can be extended to support more features and phenomena such as static and dynamic offsets for task release, task jitter [131], mode change (i.e., a reconfiguration of the set of running tasks), synchronous communication among tasks, etc. For instance, it is not difficult to add an "enabling-disabling" mechanism to model changes of mode. Tasks are initially enabled but they can be specified to be disabled. A task can be enabled by another task using the command enable applied to a set of task names. The language could provide special events Enable+TaskName to enable tasks. Intuitively, if an enabled task receives an enabling signal it just ignores it. If a task receives that signal while disabled it goes to an enabled state and behaves as normal. It is important to say that the time elapsed while disabled is taken into account when it becomes enabled again. That is, if the period has elapsed while disabled, a periodic task is released immediately when enabled again. Similarly, if the minimal interarrival time has elapsed, a sporadic task will be able to serve a signal immediately after being enabled. A task can disable itself at the end of its code. The enabling-disabling graph over the tasks could be used to statically find out whether two tasks could be active at the same time and thus use this information for the WCCT calculus. It is worth mentioning that these mechanisms could be used to perform remote calls (a task performs a call, enables a task that should receive the answer and disables itself).
More accuracy could be gained by filtering out behaviors of the final models. That is, it is possible to add observer automata to filter out some impossible temporal behaviors (using some "impossible" trap state). For instance, impossible behaviors resulting from facts like the precedence given by task priorities with harmonic periods [77] could be filtered out. It is worth warning that filtering should satisfy some kind of non-zeno property, namely, any non-rejected finite run (i.e., a run not arriving at the trap state that stands for "impossible" behavior) can be extended to a (non-rejected) divergent run.
Another "software engineering" line of research is the definition of a more user-friendly "pattern language" to replace the direct use of TA to express generic scenarios (e.g., [67]) and to display counterexamples (e.g., [95]).
A different line of research is the parametric modeling of Real-Time Systems ([8]). That is, some parameters of the system (e.g., the response time of a task) could remain unknown and the analysis may provide constraints on them. Several lines of research could emerge from it, namely, synthesis of maximum response times to meet a requirement (for instance, to find out local deadlines during design), measuring the criticality of response times to meet a requirement (for example, to be used in testing or reengineering activities), etc.
Model Manipulation The engineering focus of this thesis has not required us to study and solve some interesting theoretical open questions with respect to CO-bisimilarity. However, it is worth stating them as future work, namely: is CO-bisimilarity decidable? Are there two models satisfying the same set of TCTL formulas which are not CO-bisimilar?, etc.
Our reduction method for the parallel composition could be improved to deal specially with the notion of relevant clocks or relevant discrete variables, to perform a more precise analysis.
To cope with requirements involving large subsystems some extra abstraction mechanism may be useful. The idea is to provide automatic support for checking that an abstraction relation really holds (see for example [101]). On the one hand, we believe that we can check the correspondence of our I/O timed components against specifications given in terms of Timed Automata by using the homomorphism technique under an "assume/guarantee" framework presented in [111]. On the other hand, it seems relatively easy to check abstractions for I/O Timed Components (similar ideas can be found in [101]). It is well-known that non-deterministic Timed Automata are not closed under complementation [2]. However, deterministic components (components whose underlying TA is deterministic) can be complemented and therefore language inclusion can be checked (building the parallel composition $A \parallel \overline{B}$). Given an alphabet $\Sigma$, the complementation is done by: (a) adding a trap location stuttering all the elements of $\Sigma$, (b) for each location and for each label $l \in \Sigma$, adding a transition with label $l$ to the trap location with a guard that negates the disjunction of the guards of the original transitions with that location as source, and (c) eliminating the invariants and adding a transition with the negated invariant to the trap location. The language that remains in the trap location is the complement of the language of the component. Thus, we can imagine a technique to check abstractions provided by the user as deterministic I/O components. It is just required to check whether there is a run leading to the trap location in the parallel composition of the component that is to be replaced and the complemented abstraction. As an example, in a fault tolerant version of an active structure control system [69], suppose that three sensors communicate with a voter which in turn communicates with the modeler. We can replace the three sensors, the 4 handshake communication mechanisms and the voter with a component that behaves like a virtual sensor that needs between 20 and 90 t.u. to complete the sensing and start the communication with the modeler (see Fig. 10.1).
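The three complementation steps and the trap-reachability check, as an added example that is not the thesis's code: a deterministic component is a small Python data type whose guards and invariants are predicates, the hypothetical virtual sensor (xComm between 20 and 90 t.u.) stands in for the abstraction, and one timed word at a time is executed instead of building the symbolic parallel composition.

```python
"""Complement of a deterministic timed component via a trap location.
Added example, not code from the thesis: guards and invariants are Python
predicates over a clock valuation, so "negate the disjunction of the guards"
is literally `not any(...)`; `run` executes a single timed word instead of
building a symbolic parallel composition."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Sequence, Tuple

Valuation = Dict[str, float]
Pred = Callable[[Valuation], bool]
TRAP = "TRAP"        # the added trap location (step a)
TIMEOUT = "__inv__"  # internal label of the negated-invariant transition (step c)


@dataclass
class Transition:
    src: str
    label: str
    guard: Pred
    resets: Tuple[str, ...]
    tgt: str


@dataclass
class TimedComponent:
    locations: List[str]
    clocks: List[str]
    initial: str
    alphabet: List[str]
    transitions: List[Transition]
    invariants: Dict[str, Pred] = field(default_factory=dict)  # absent = true


def _none_of(guards: Sequence[Pred]) -> Pred:
    """Holds exactly when no guard in `guards` holds (an empty list gives true)."""
    gs = tuple(guards)
    return lambda v: not any(g(v) for g in gs)


def complement(c: TimedComponent) -> TimedComponent:
    """Steps (a)-(c) of the text; sound only if `c` is deterministic, i.e. for
    each location and label at most one original guard can hold at a time."""
    trans = list(c.transitions)
    for lbl in c.alphabet:                  # (a) the trap stutters on every label
        trans.append(Transition(TRAP, lbl, lambda v: True, (), TRAP))
    for loc in c.locations:                 # (b) "no original guard holds" -> trap
        for lbl in c.alphabet:
            guards = [t.guard for t in c.transitions if t.src == loc and t.label == lbl]
            trans.append(Transition(loc, lbl, _none_of(guards), (), TRAP))
    for loc, inv in c.invariants.items():   # (c) invariant dropped, its negation -> trap
        trans.append(Transition(loc, TIMEOUT, _none_of([inv]), (), TRAP))
    return TimedComponent(c.locations + [TRAP], c.clocks, c.initial, c.alphabet, trans, {})


def run(c: TimedComponent, word: Sequence[Tuple[float, str]]) -> str:
    """Execute a timed word [(delay, label), ...] and return the final location.
    Time may elapse in a location only while its invariant holds; a word that
    breaks an invariant or finds no enabled transition is not a run (ValueError)."""
    loc, v = c.initial, {x: 0.0 for x in c.clocks}
    for delay, label in word:
        v = {x: val + delay for x, val in v.items()}
        # in a complemented component the negated invariant is an internal step
        # into the trap; in the original the same delay is simply impossible
        for t in c.transitions:
            if t.src == loc and t.label == TIMEOUT and t.guard(v):
                loc = t.tgt
                break
        inv = c.invariants.get(loc)
        if inv is not None and not inv(v):
            raise ValueError(f"delay {delay} violates the invariant of {loc}")
        enabled = [t for t in c.transitions if t.src == loc and t.label == label and t.guard(v)]
        if len(enabled) != 1:   # 0 = blocked, >1 = the component was not deterministic
            raise ValueError(f"{len(enabled)} transitions enabled at {loc} on {label}")
        for x in enabled[0].resets:
            v[x] = 0.0
        loc = enabled[0].tgt
    return loc


# Hypothetical virtual sensor from the text (constructed here): once sensing
# starts it must emit xComm within 20..90 t.u.; 'done' returns it to Sensing.
VIRTUAL_SENSOR = TimedComponent(
    locations=["Sensing", "Comm"], clocks=["x"], initial="Sensing",
    alphabet=["xComm", "done"],
    transitions=[
        Transition("Sensing", "xComm", lambda v: 20 <= v["x"] <= 90, ("x",), "Comm"),
        Transition("Comm", "done", lambda v: True, ("x",), "Sensing"),
    ],
    invariants={"Sensing": lambda v: v["x"] <= 90},
)


def reaches_trap(abstraction: TimedComponent, word: Sequence[Tuple[float, str]]) -> bool:
    """True when `word` (a behaviour of the concrete component) is not a behaviour
    of the abstraction, i.e. it drives the complemented abstraction into the trap."""
    return run(complement(abstraction), word) == TRAP
```

A word that stays out of the trap is one the abstraction also admits; a word that reaches it is a witness that the concrete component is not covered by the abstraction.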
Another rewarding effort may be a change of kernel formalism to analyze a discrete-time version of I/O timed components. For example, they can be translated into a temporal process algebra with a maximal progress assumption. Then, we would be able to apply tool support for "component-wise" minimization like in [69].
Model Checking Although this thesis was not focused on model-checking technologies, there might be a substantial number of improvements for this kind of application. For instance, the topology of the composition of a safety observer with the system turns out to be a non-trivial DAG of Strongly Connected Components (SCC). Model-Checking tools like KRONOS are based on a fixed point calculation on a symbolic state representation. Currently we are working to improve the fixed point calculation for these topologies (following the DAG structure).
The next step for checking duration properties is the development of a tool. New results to enlarge the class of accurate analysis could also be studied. As future work, we would like to adapt some recently presented optimization techniques to our framework (e.g., [114, 22]). In particular, we believe that partial order techniques (see [22]) can be adapted to check linear duration invariants that depend on the locations of just one automaton of a parallel composition. Another interesting topic of research is the study of on-the-fly techniques to avoid the construction of the whole reachability graph (unfolding the necessary subexpressions), making some kind of lazy evaluation of the composed phases of the algorithm mixed with some dynamic programming (like in the Kleene calculus). We would also like to analyze whether other post-stable symbolic state space representations, like [149], are suitable for our application. On the other hand, the construction of the regular expression is also a key issue. The order in which nodes of the Reachability Graph are considered (e.g., depth first) might have an impact on the size of the resulting Regular Expressions. Reduction rules might also be very helpful to keep the expression compact. On the other hand, the analysis over the Regular Expressions can be done symbolically by unfolding the Kleene definition on demand. Many mixed strategies are possible and should be studied. Another idea is to detect particular nodes of the graph that might help in reducing the size of the final result. For example, suppose that we have detected locations of the Reachability Graph such that all sequences starting from them are past independent (Def. 48 in Chapter 9), the "milestones" (we believe that a subset of them can be detected easily over the input timed automaton). Then, the maximum or minimum for all paths between two milestones i, j can be calculated locally and that value can be stored instead of the paths themselves.
Figure 10.1: The Voter and an Abstraction for the Fault Tolerant Sensor (figure; recoverable labels: Voter, Abstract Sensor, Received, <=15, VoterReady/xComm)
Although we did several experiments on some real-life medium-size problems found in the literature, we believe that only the accumulation of experiments coupled with the fine-tuning of tools will give the final word on the practical value of this approach.
Bibliography
[1] B. Alpern and F. Schneider, "Verifying Temporal Properties without Temporal Logic," ACM Transactions on Programming Languages and Systems, Vol. 11, No. 1, 1989.
[2] R. Alur, Techniques for Automatic Verification of Real-Time Systems, doctoral dissertation, Stanford University, 1991.
[3] R. Alur, C. Courcoubetis, and D. Dill, "Model-Checking for Real-Time Systems," Proceedings of the 5th Symposium on Logic in Computer Science, IEEE Computer Society, Los Alamitos, 1990; full version in Information and Computation, vol. 104, no. 1, pp. 2-34, 1993.
[4] R. Alur, C. Courcoubetis, N. Halbwachs, D. Dill, and H. Wong-Toi, "An Implementation of Three Algorithms for Timing Verification based on Automata Emptiness," Proceedings of the IEEE Real-Time Systems Symposium, 1992.
[5] R. Alur, C. Courcoubetis, N. Halbwachs, T. Henzinger, P. Ho, X. Nicollin, A. Olivero, J. Sifakis, and S. Yovine, "The Algorithmic Analysis of Hybrid Systems," Theoretical Computer Science, vol. 138, 1995, pp. 3-34.
[6] R. Alur, C. Courcoubetis, and T.A. Henzinger, "Computing Accumulated Delays in Real-Time Systems," Proceedings of the 5th International Conference on Computer Aided Verification, CAV'93, Lecture Notes in Computer Science 697, pages 181-193, Springer-Verlag, 1993.
[7] R. Alur and D. Dill, "A Theory of Timed Automata," Theoretical Computer Science, vol. 126, 1994, pp. 183-235.
[8] R. Alur, T.A. Henzinger, and M. Vardi, "Parametric Real-Time Reasoning," Proceedings of the 25th Annual ACM Symposium on Theory of Computing (STOC 1993).
[9] E. Asarin, O. Maler, and P. Caspi, "A Kleene Theorem for Timed Automata," In G. Winskel, editor, Logics in Computer Science, 1997.
[10] E. Ashcroft and Z. Manna, "Formalization of Properties of Parallel Programs," Machine Intelligence, vol. 6, pp. 17-41, 1971.
[11] N.C. Audsley, Flexible Scheduling of Hard Real-Time Systems, Dissertation Thesis, Department of Computer Science, University of York, UK, August 1993.
[12] N.C. Audsley, A. Burns, M. Richardson, K. Tindell, and A. Wellings, "Applying New Scheduling Theory to Static Priority Preemptive Scheduling," Software Engineering Journal, Vol. 8, No. 5, Sept. 1993, pp. 284-292.
[13] N.C. Audsley, A. Burns, M.F. Richardson, and A.J. Wellings, "STRESS: A Simulator For Hard Real-Time Systems," Software Practice and Experience, 1994.
[14] G.S. Avrunin and J.C. Corbett, "A Practical Technique for Bounding the Time Between Events in Concurrent Real-Time Systems," Proceedings of the 1993 International Symposium on Software Testing and Analysis, Cambridge MA, pp. 110-116, June 1993. Software Engineering Notes (18:3), July 1993.
[15] G.S. Avrunin, J.C. Corbett, and L.K. Dillon, "Analyzing Partially Implemented Real-Time Systems," IEEE Trans. Software Eng., Vol. 24, No. 8, Aug. 1998.
[16] G.S. Avrunin, J.C. Corbett, L.K. Dillon, and J.C. Wileden, "Automated Derivation of Time Bounds in Uniprocessor Concurrent Systems," IEEE Transactions on Software Engineering, vol. 20, no. 9, September 1994.
[17] J.C.M. Baeten and W.P. Weijland, Process Algebra, Cambridge University Press, 1990.
[18] T.P. Baker, "A Stack Based Allocation Policy for Real-Time Processes," Proceedings of the 11th Real Time Systems Symposium, pp. 191-200, December 1990.
[19] L. Baresi, A. Orso, and M. Pezzè, "Introducing Formal Specification Methods in Industrial Practice," Proc. IEEE International Conference on Software Engineering, 1997.
[20] C. Bellettini, M. Felder, and M. Pezzè, "Merlot: A Tool for Analysis of Real-Time Specifications," Proc. of the 7th International Workshop on Software Specification and Design, 1993.
[21] H. Ben-Abdallah, Y. Si Kim, and I. Lee, "Schedulability and Safety Analysis in the Graphical Communicating Shared Resources," Proc. of IEEE WORDS'96: 2nd Workshop on Object Oriented Real-Time Dependable Systems, Feb. 1996.
[22] J. Bengtsson, B. Jonsson, J. Lilius, and Wang Yi, "Partial Order Reductions for Timed Systems," In Proc. of CONCUR'98, September 1998.
[23] J. Bengtsson, K.G. Larsen, F. Larsson, P. Pettersson, and W. Yi, "UPPAAL: A Tool Suite for the Automatic Verification of Real-Time Systems," Proc. Hybrid Systems III, Lecture Notes in Computer Science 1066, Springer Verlag, 1996, pp. 232-243.
[24] R. Bettati and J.W.S. Liu, "End-to-End Scheduling to Meet Deadlines in Distributed Systems," Proceedings of the 12th International Conference on Distributed Computing Systems, Yokohama, Japan, Jun. 1992.
[25] B. Berthomieu and M. Diaz, "Modeling and Verification of Time Dependent Systems Using Time Petri Nets," IEEE Transactions on Software Engineering, vol. 17, no. 3, March 1991.
[26] S. Bornot and J. Sifakis, "An Algebraic Framework for Urgency," to appear in Information and Computation, Academic Press, 2000.
[27] V. Braberman, "Integrating Scheduling Theory into Formal Models of Real-Time Systems," Proc. KIT 125 workshop, Como, Italy, Sept. 1997.
[28] V. Braberman and Dang Van Hung, "On Checking Timed Automata for Linear Duration Invariants," Proc. IEEE 1998 Real Time Systems Symposium, IEEE Computer Soc. Press, Los Alamitos, Calif., Dec. 1998, pp. 264-273.
[29] V. Braberman and Dang Van Hung, "On Checking Timed Automata for Linear Duration Invariants," TR 185, UNU-IIST, February 1998.
[30] V. Braberman and M. Felder, "Verification of Real-Time Designs: Combining Scheduling Theory with Automatic Formal Verification," Proc. 7th European Conf. on Software Eng. / 7th ACM SIGSOFT Symposium on the Foundations of Software Eng. (ESEC/FSE 99), Lecture Notes in Computer Science 1687, Springer Verlag, Sept. 1999, pp. 494-510.
[31] S. Bradley, W. Henderson, D. Kendall, and A. Robson, "Designing and Implementing Correct RTS," Technical Report, University of Northumbria at Newcastle.
[32] P. Bremond-Gregoire and I. Lee, "A Process Algebra of Communicating Shared Resources with Dense Time and Priorities," Technical Report, University of Pennsylvania, MS-CIS-95-08.
[33] G. Bucci, M. Campanai, and P. Nesi, "Tools for Specifying Real-Time Systems," Real Time Systems Journal, vol. 8, issue 2/3, Kluwer Academic Publisher, March/May 1995.
[34] G. Bucci and E. Vicario, "Compositional Validation of Time-Critical Systems Using Communicating Time Petri Nets," IEEE Transactions on Software Engineering, vol. 21, no. 12, December 1995.
[35] T. Bultan, J. Fisher, and R. Gerber, "Compositional Verification by Model Checking for Counter Examples," Proc. of the International Symposium on Software Testing and Analysis, 1996.
[36] J.R. Burch, E.M. Clarke, K.L. McMillan, and D.L. Dill, "Symbolic Model Checking.
1020 states and beyond," Proc. 5th IEEE Symp. Logic in Computer Science, 1990, 
pp. 428-439. 
[37] A. Burgueno, and F. Boniol, "Un Modelo de Sitemas Hibridos Orientado a la plan- 
ificacion de procesos concurrentes," Proc. of the I1 Jornadas de Informatics, pages 
585-594, Alrnucar, Granada, pp. 15-19, July 1996. 
[38] A. Burgueno and V. Rusu, "Task-system Analysis Using Slope-Parametric Hybrid 
Automat a," Euro-Par'97 Workshop on Real- Time Systems and Constraints, Passau, 
Germany, Aug. 1997. 
[39] A. Burns, "Preemptive Priority Based Scheduling: An Appropriate Engineering Ap- 
proach," Technical Report, York University, YCS-93-214. 
[40] A. Burns and A. Wellings, Real-Time Systems: Specification, Verification and Analy- 
sis, Prentice Hall ,  1996. 
[41] A. Burns and A. Wellings, Real-Time Systems and Programming Languages, Addison- 
Wesley, 19 9 6. 
[42] A. Burns and A. Wellings, HRT-HOOD: A Structured Design Method for Hard Real- 
Time ADA Systems, Elsevier, 1995. 
[43] G. Buttazzo, Hard Real-Time Computing Systems: Predictable Scheduling Algorithms 
and Applications, Kluwer Academic Publishers, Boston, 1997. 
[44] J. Büchi, "On a Decision Method in Restricted Second-Order Arithmetic," Proc. Int. Congress on Logic, Methodology, and Philosophy of Science 1960, pp. 1-12, Stanford University Press, 1962.
[45] S. Campos, "The Priority Inversion Problem and Real Time Symbolic Model Checking," Technical Report CMU-CS-93-125, Carnegie Mellon University.
[46] S. Campos, E. Clarke, W. Marrero and M. Minea, "VERUS: A Tool for Quantitative Analysis of Finite State Real-Time Systems," Proc. of SIGPLAN Workshop on Languages, Compilers and Tools for Real-Time Systems, 1995.
[47] S. Campos and O. Grumberg, "Selective Quantitative Analysis and Interval Model Checking: Verifying Different Facets of a System," Proc. of Int'l Conf. Computer Aided Verification, Lecture Notes in Computer Science 1102, Springer Verlag, 1996, pp. 257-268.
[48] R. Cleaveland, S.A. Smolka, and O. Sokolsky, "The Concurrency Factory: A Development Environment for Concurrent Systems," Proc. of Computer Aided Verification 1996.
[49] P. Chan and D. Van Hung, "Duration Calculus Specification for Tasks with Shared Resources," Proc. of Algorithms, Concurrency and Knowledge (Asian Computer Science Conference), Pathumthani, Thailand, December 1995, Lecture Notes in Computer Science 1023, Springer Verlag.
[50] S. Cheng, J. Stankovic, and K. Ramamritham, "Scheduling Algorithms for Hard Real Time Systems: A Brief Survey," 1987.
[51] M.I. Chen, Schedulability Analysis of Resource Access Control Protocols in Real Time Systems, Ph.D. thesis, University of Illinois at Urbana-Champaign, 1991.
[52] S.C. Cheung and J. Kramer, "Checking Safety Properties Using Compositional Reachability Analysis," Trans. on Software Eng. and Methodology, Vol. 8, No. 1, Jan. 1999, pp. 49-79.
[53] E. Clarke and E.A. Emerson, "Design and Synthesis of Synchronization Skeletons Using Branching-Time Temporal Logic," Workshop on Logics of Programs, Lecture Notes in Computer Science 131, 1981.
[54] E. Clarke and J. Wing, "Formal Methods: State of the Art and Future Directions," ACM Computing Surveys, Vol. 28, No. 4, pp. 623-643, December 1996.
[55] E. Clarke, O. Grumberg and D. Long, "Model Checking and Abstraction," Proc. Principles of Programming Languages (POPL), 1994.
[56] E. Clarke, O. Grumberg and D. Peled, Model Checking, MIT Press, January 2000.
[57] D. Clarke, I. Lee and H.L. Xie, "VERSA: A Tool for the Specification and Analysis of Resource-Bound Real-Time Systems," Journal of Computer Software Eng., Vol. 3, No. 2, 1995.
[58] J.C. Corbett, "Timing Analysis of ADA Tasking Programs," IEEE Transactions on Software Eng., Vol. 22, No. 7, Jul. 1996, pp. 461-483.
[59] P.R. D'Argenio, J.-P. Katoen, T.C. Ruys, and J. Tretmans, "The Bounded Retransmission Protocol Must Be on Time!," Proc. of the 3rd Int'l. Workshop on Tools and Algorithms for the Construction and Analysis of Systems, Lecture Notes in Computer Science 1217, Springer Verlag, 1997, pp. 416-431.
[60] C. Daws, "Vérification de Systèmes Temporisés par Résolution de Systèmes de Contraintes Linéaires," Mémoire de DEA, Institut National Polytechnique de Grenoble, June 1993.
[61] C. Daws, A. Olivero, S. Tripakis and S. Yovine, "The Tool KRONOS," In Proc. of Hybrid Systems III, LNCS 1066, Springer Verlag, 1996, pp. 208-219.
[62] C. Daws and S. Yovine, "Two Examples of Verification of Multirate Timed Automata with KRONOS," Proc. of the 1995 IEEE Real-Time Systems Symposium, RTSS'95, Dec. 1995, IEEE Computer Society Press.
[63] C. Daws and S. Yovine, "Reducing the Number of Clock Variables of Timed Automata," Proc. IEEE Real-Time Systems Symposium '96, IEEE Computer Soc. Press, Los Alamitos, Calif., 1996.
[64] Dang Van Hung and Pham Hong Thai, "On Checking Parallel Real-Time Systems for Linear Duration Invariants," Proc. of the Inter. Symposium on Software Engineering for Parallel and Distributed Systems, IEEE Computer Society Press, pages 61-71, 1998.
[65] R. De Nicola, U. Montanari, and F. Vaandrager, "Back and Forth Bisimulations," Proc. CONCUR '90, Amsterdam, LNCS 458, Springer Verlag, pp. 152-165, 1990.
[66] B.P. Douglass, Doing Hard Time: Developing Real-Time Systems with UML, Objects, Frameworks, and Patterns, Addison Wesley, Object Technology Series, 1999.
[67] M. Dwyer, G. Avrunin, and J. Corbett, "Patterns in Property Specifications for Finite-State Verification," Proc. of the 21st Intl. Conference on Software Engineering, May 1999.
[68] M. Dwyer and C. Pasareanu, "Filter-Based Model Checking of Partial Systems," Proc. ACM SIGSOFT/FSE, November 1998.
[69] W. Elseaidy, R. Cleaveland, and J. Baugh Jr., "Modeling and Verifying Active Structural Control Systems," Science of Computer Programming, 29(1-2):99-122, July 1997.
[70] C. Ericsson, A. Wall, and Wang Yi, "Timed Automata as Task Models for Event-Driven Systems," Proc. of RTCSA'99, IEEE Computer Soc. Press, Los Alamitos, Calif., Dec. 1999.
[71] M. Felder and M. Pezzè, "A Formal Approach to the Design of Real-Time Systems," Workshop KIT 125, September 1997, pp. 23-56.
[72] C. Fidge, M. Utting, P. Kearney, and I. Hayes, "Integrating Real-Time Scheduling Theory and Program Refinement," Proc. Formal Methods Europe, March 1996, Lecture Notes in Computer Science 1051, Springer Verlag.
[73] A.N. Fredette and R. Cleaveland, "RTSL: A Formal Language for Real-Time Schedulability Analysis," Proc. IEEE Real-Time Systems Symposium, December 1993, pp. 274-283.
[74] D. Garbervetsky, Un Método de Reducción para la Composición de Sistemas Temporizados, Master Thesis, Universidad de Buenos Aires, 2000.
[75] D. Gaudreau and P. Freedman, "Temporal Analysis and Object-Oriented Real-Time Software Development: A Case Study with ROOM/ObjecTime," Proceedings of IEEE Real-Time Technologies and Applications Symposium, Boston, June 10-12, 1996.
[76] R. Gawlick, R. Segala, J. Sogaard-Andersen, and N. Lynch, "Liveness in Timed and Untimed Systems," Proceedings of Int. Conference on Automata, Languages, and Programming, Lecture Notes in Computer Science 820, Springer Verlag, pp. 166-177, 1994. Also in Information and Computation, March 1998.
[77] R. Gerber, S. Hong and M. Saksena, "Guaranteeing Real-Time Requirements with Resource-Based Calibration of Periodic Processes," IEEE Transactions on Software Eng., Vol. 21, No. 7, Jul. 1995.
[78] R. Gerber, W. Pugh and M. Saksena, "Parametric Dispatching of Hard Real-Time Tasks," IEEE Transactions on Computers, Vol. 44, No. 3, March 1995.
[79] R. Gerber and S. Hong, "Compiling Real-Time Programs with Timing Constraint Refinement and Structural Code Motion," IEEE Transactions on Software Eng., Vol. 21, No. 5, May 1995.
[80] C. Ghezzi, D. Mandrioli, S. Morasca, and M. Pezzè, "A Unified High-Level Petri Net Formalism for Time Critical Systems," IEEE Transactions on Software Eng., Vol. 17, No. 2, Feb. 1991, pp. 160-172.
[81] R. van Glabbeek and W. Weijland, "Branching Time and Abstraction in Bisimulation Semantics (extended abstract)," Information Processing 89, Proc. IFIP 11th World Computer Congress, San Francisco, North Holland, pp. 613-618, 1989.
[82] H. Gomaa, Software Design Methods for Concurrent and Real-Time Systems, SEI Series in Software Engineering, 1994.
[83] S. Graf and C. Loiseaux, "A Tool for Symbolic Program Verification and Abstraction," Proc. Computer Aided Verification, 1993, pp. 71-84.
[84] N. Halbwachs, F. Lagnier, and P. Raymond, "Synchronous Observers and the Verification of Reactive Systems," Intl. Conf. on Algebraic Methodology and Software Technology, AMAST'93, Workshops in Computing, Springer Verlag, 1993.
[85] M. Hansen, "Model-Checking Discrete Duration Calculus," Formal Aspects of Computing, 6(6A):826-846, Nov-Dec 1994.
[86] M.G. Harbour, M.H. Klein, and J.P. Lehoczky, "Timing Analysis for Fixed-Priority Scheduling of Hard Real-Time Systems," IEEE Transactions on Software Eng., Vol. 20, No. 1, Jan. 1994, pp. 13-28.
[87] D. Hatley and I. Pirbhai, Strategies for Real-Time System Specification, Dorset House, New York, 1987.
[88] C. Heitmeyer and D. Mandrioli, Formal Methods for Real-Time Computing, John Wiley & Sons, 1996.
[89] C. Heitmeyer, J. Kirby, B. Labaw, M. Archer, and R. Bharadwaj, "Using Abstractions and Model Checking to Detect Safety Violations in Requirements Specifications," IEEE Transactions on Software Eng., Vol. 24, No. 11, Nov. 1998, pp. 927-948.
[90] T.A. Henzinger, "Sooner is Safer than Later," Information Processing Letters, Vol. 43, 1992, pp. 135-141.
[91] T.A. Henzinger, P.H. Ho and H. Wong-Toi, "A User Guide to HyTech," Proc. of Int'l. Workshop on Tools and Algorithms for the Construction and Analysis of Systems (TACAS'95), Lecture Notes in Computer Science 1019, Springer Verlag, 1995, pp. 41-71.
[92] T.A. Henzinger, X. Nicollin, J. Sifakis, and S. Yovine, "Symbolic Model Checking for Real-Time Systems," Information and Computation, 111(2), pp. 193-244, 1994. Special issue for LICS'92.
[93] M.R. Hill and M. Joseph, "Automated Timing Analysis of Real-Time Prototype," Software Engineering Journal, Sept. 1994, pp. 221-227.
[94] C.A.R. Hoare, Communicating Sequential Processes, Prentice Hall, 1985.
[95] G. Holzmann, "The Model Checker Spin," IEEE Trans. on Software Engineering, Vol. 23, No. 5, pp. 279-295, May 1997.
[96] J.E. Hopcroft and J.D. Ullman, Introduction to Automata Theory, Languages and Computation, Addison-Wesley, 1979.
[97] M. Humphrey and J. Stankovic, "CAISARTS: A Tool for Real-Time Scheduling Assistance," Proc. IEEE 1995 Real-Time Systems Symposium, IEEE Computer Soc. Press, Los Alamitos, Calif., 1995.
[98] Introspect Technologies, Inc., iRAT Technical Overview, Introspect Technologies, Inc., Colorado Springs, CO, 1994.
[99] F. Jahanian and D. Stuart, "A Method for Verifying Properties of Modechart Specifications," In Proc. of the 9th IEEE Real-Time Systems Symposium, IEEE Computer Society Press, Los Alamitos, Calif., 1988.
[100] M. Jackson, Software Requirements & Specifications: A Lexicon of Practice, Principles and Prejudices, Addison Wesley, ACM Press, 1995.
[101] H. Jensen, K.G. Larsen, and A. Skou, "Scaling up UPPAAL: Automatic Verification of Real-Time Systems Using Compositionality and Abstraction," In Proc. of FTRTFT'00, Springer-Verlag, 2000.
[102] M. Joseph, ed., Real Time Systems: Specification, Verification and Analysis, Prentice Hall, 1996.
[103] M. Jourdan and F. Maraninchi, "Static Timing Analysis of Real-Time Systems," ACM SIGPLAN 95.
[104] I. Kang, I. Lee, and Y.S. Kim, "An Efficient Space Generation for the Analysis of Real-Time Systems," In Proceedings of the International Symposium on Software Testing and Analysis, 1996. Also in Trans. on Software Engineering, 1999.
[105] H. Kwak, I. Lee, A. Philippou, J. Choi, and O. Sokolsky, "Symbolic Schedulability Analysis of Real-Time Systems," Proceedings of the 1998 IEEE Real Time Systems Symposium, IEEE Computer Society Press, 1998.
[106] Y. Kesten, A. Pnueli, J. Sifakis, and S. Yovine, "Integration Graphs: A Class of Decidable Hybrid Systems," In Proceedings of Workshop on Theory of Hybrid Systems, Lecture Notes in Computer Science 736, pages 179-208, Springer-Verlag, June 1992. Also in Information and Computation, Academic Press, 150(2), pages 209-243, 1999.
[107] M.H. Klein, J. Goodenough, and L. Sha, "Rate Monotonic Analysis for Real Time Systems," Technical Report SEI/CMU TR91-006, 1991.
[108] M.H. Klein, J.P. Lehoczky, and R. Rajkumar, "Rate Monotonic Analysis for Real-Time Industrial Computing," IEEE Computer, Jan. 1994, pp. 24-32.
[109] M.H. Klein, T. Ralya, P. Pollak, R. Obenza, and M.G. Harbour, A Practitioner's Handbook for Real-Time Analysis: Guide to Rate Monotonic Analysis for Real Time Systems, Software Engineering Institute ed., Kluwer Academic Publishers, 1993.
[110] R.P. Kurshan, Computer-Aided Verification of Coordinating Processes: The Automata-Theoretic Approach, Princeton University Press, 1995.
[111] R.P. Kurshan, S. Tasiran, R. Alur, and R.K. Brayton, "Verifying Abstractions of Timed Systems," In Proc. of the 7th Int'l. Conf. on Concurrency Theory (CONCUR 1996), Lecture Notes in Computer Science 1119, Springer Verlag, 1996.
[112] W. Lam and R. Brayton, "Criteria for the Simple Path Property in Timed Automata," In Proceedings of the 6th International Conference on Computer Aided Verification, CAV'94, Lecture Notes in Computer Science 818, pages 27-40, Springer-Verlag, June 1994.
[113] W. Lam and R.K. Brayton, "Alternating RQ Timed Automata," In C. Courcoubetis, editor, Proceedings of the 5th Inter. Conference on Computer Aided Verification, Lecture Notes in Computer Science 697, pages 236-252, Springer-Verlag, June/July 1993.
[114] K. Larsen, F. Larsson, P. Pettersson, and Wang Yi, "Efficient Verification of Real-Time Systems: Compact Data Structure and State-Space Reduction," In Proc. of the 18th IEEE Real-Time Systems Symposium, IEEE Computer Society Press, Los Alamitos, Calif., December 1997.
[115] K.G. Larsen and Wang Yi, "Time Abstracted Bisimulation: Implicit Specifications and Decidability," Information and Computation, Academic Press, 134, 75-101, 1997.
[116] M. Lawford and W.M. Wonham, "Equivalence Preserving Transformations for Timed Transition Models," IEEE Trans. on Automatic Control, Vol. 40, No. 7, July 1995, pp. 1167-1179.
[117] I. Lee, P. Bremond-Gregoire and R. Gerber, "A Process Algebraic Approach to the Specification and Analysis of Resource-Bound Real-Time Systems," Proc. of the IEEE, Special Issue on Real-Time Systems, Jan. 1994, pp. 158-171.
[118] J.P. Lehoczky, L. Sha, and Y. Ding, "The Rate Monotonic Scheduling Algorithm: Exact Characterization and Average Case Behavior," Proc. of the 10th Real-Time Systems Symposium, IEEE Computer Society Press, December 1989.
[119] Z. Liu, M. Joseph, and T. Janowski, "Verification of Schedulability for Real-Time Programs," Formal Aspects of Computing, 1995.
[120] Z. Liu and M. Joseph, "Specification and Verification of Fault Tolerance, Timing and Scheduling," ACM Transactions on Programming Languages and Systems, vol. 21, no. 1, pp. 46-89, January 1999.
[121] C.L. Liu and J.W. Layland, "Scheduling Algorithms for Multiprogramming in a Hard Real Time Environment," Journal of the Association for Computing Machinery, vol. 20, no. 1, pp. 46-61, January 1973.
[122] J.W.S. Liu, J.L. Redondo, Z. Deng, T.S. Tia, W. Shih, and R. Bettati, "PERTS: A Prototyping Environment for Real-Time Systems," In Proc. IEEE 1993 Real Time Systems Symposium, IEEE Computer Soc. Press, Los Alamitos, Calif., 1993.
[123] J. McManis and P. Varaiya, "Suspension Automata: A Decidable Class of Hybrid Automata," Proc. of CAV 1993.
[124] P. Merlin and D.J. Farber, "Recoverability of Communication Protocols," IEEE Transactions on Communications, vol. 24, no. 6, September 1976.
[125] M. Merritt, F. Modugno, and M. Tuttle, "Time Constrained Automata," Proc. CONCUR'91, LNCS, Springer Verlag, vol. 527, 1991.
[126] R. Milner, Communication and Concurrency, Prentice Hall, 1989.
[127] X. Nicollin, J-L. Richier, J. Sifakis, and J. Voiron, "ATP: An Algebra for Timed Processes," IFIP TC 2, 1990.
[128] X. Nicollin, J. Sifakis, and S. Yovine, "Compiling Real-Time Specifications into Extended Automata," IEEE Trans. on Soft. Eng., Special Issue on Real-Time Systems, Vol. 18, No. 9, pp. 794-804, September 1992.
[129] A. Olivero, J. Sifakis, and S. Yovine, "Using Abstractions for Validation of Linear Hybrid Systems," Proc. of 6th Computer-Aided Verification, pages 81-94, California, July 1994, Lecture Notes in Computer Science 818, Springer-Verlag.
[130] J.S. Ostroff, "Deciding Properties of Timed Transition Models," IEEE Transactions on Parallel and Distributed Systems, vol. 1, no. 2, pp. 170-183, 1990.
[131] J.C. Palencia and M.G. Harbour, "Schedulability Analysis for Tasks with Static and Dynamic Offsets," Proc. of the Real-Time Systems Symposium, Dec. 1998, pp. 26-39.
[132] A. Parashkevov and J. Yantchev, "ARC: A Verification Tool for Concurrent Systems," Proc. of the Third Australasian Parallel and Real-Time Conference, Brisbane, Australia, Sep. 1996.
[133] IEEE POSIX.4, Real-Time Extensions for Portable Operating Systems, IEEE Computer Society Press, 1992.
[134] R. Rajkumar, L. Sha, and J.P. Lehoczky, "Real Time Synchronization of Multiprocessors," Proc. 9th Real-Time Systems Symposium, Dec. 1988, pp. 259-269.
[135] Requirements Group for Real-Time Extensions for Java Platform, Requirements for Real-Time Extensions for Java Platform, National Institute of Standards and Technology, http://www.nist.gov/rt-java, Apr. 1999.
[136] I. Ripoll, A. Crespo, and A. Mok, "Improvement in Feasibility Testing for Real Time Tasks," Real Time Systems Journal, vol. 9, no. 2, Kluwer, September 1995.
[137] G. Reed and A. Roscoe, "A Timed Model for Communicating Sequential Processes," Theoretical Computer Science, vol. 58, pp. 249-261, 1998.
[138] T. Rus and C. Rattray, Theories and Experiences for Real-Time System Development, World Scientific Publishing Company, Inc., 1995.
[139] M. Saksena, A. Ptak, P. Freedman, and P. Rodziewicz, "Schedulability Analysis for Automated Implementations of Real-Time Object-Oriented Models," Proc. IEEE Real-Time Systems Symposium, Dec. 1998, pp. 92-103.
[140] L. Sha, R. Rajkumar, and J.P. Lehoczky, "Priority-Inheritance Protocols: An Approach to Real-Time Synchronization," IEEE Transactions on Computers, Vol. 39, No. 9, Sept. 1990, pp. 1175-1185.
[141] L. Sha and J. Goodenough, "Real Time Scheduling Theory and ADA," IEEE Computer, Vol. 23, Apr. 1990, pp. 53-62.
[142] O. Sokolsky, I. Lee, and H. Ben-Abdallah, "Specification and Analysis of Real-Time Systems with PARAGON," Annals of Software Engineering, 1999.
[143] J. Springintveld, F. Vaandrager, and P. D'Argenio, "Testing Timed Automata," to appear in Theoretical Computer Science, 2000.
[144] B. Sprunt, L. Sha, and J.P. Lehoczky, "Aperiodic Task Scheduling for Hard Real-Time Systems," Journal of Real Time Systems, 1989, pp. 27-60.
[145] S. Tasiran, S.P. Khatri, S. Yovine, R.K. Brayton, and A. Sangiovanni-Vincentelli, "A Timed Automaton-Based Method for Accurate Computation of Circuit Delay in the Presence of Cross-Talk," FMCAD'98, 1998.
[146] S. Tripakis and C. Courcoubetis, "Extending PROMELA and SPIN for Real Time," Proc. of the 2nd Int'l. Workshop on Tools and Algorithms for the Construction and Analysis of Systems (TACAS'96), Lecture Notes in Computer Science 1055, Springer Verlag, 1996, pp. 329-348.
[147] S. Tripakis, "Timed Diagnostics for Reachability Properties," Proceedings of Tools and Algorithms for the Construction and Analysis of Systems, TACAS'99, Lecture Notes in Computer Science 1579, Springer-Verlag, 1999.
[148] S. Tripakis and S. Yovine, "Verification of the Fast Reservation Protocol with Delayed Transmission Using the Tool Kronos," Proc. of the 4th IEEE Real-Time Technology and Applications Symposium, RTAS'98, June 1998, IEEE Computer Society Press.
[149] S. Tripakis and S. Yovine, "Analysis of Timed Systems Based on Time-Abstracting Bisimulations," In Proceedings of the 8th Inter. Conference on Computer Aided Verification, CAV'96, Lecture Notes in Computer Science 1102, Springer-Verlag, July 1996. To appear in Formal Methods in System Design, Kluwer Academic Publishers, 2000.
[150] F. Vaandrager and N. Lynch, "Action Transducers and Timed Automata," Proc. CONCUR'92, LNCS, Vol. 630, pp. 436-455, 1992.
[151] J. Verhoosel, D. Hammer, and E. Luit, "A Model for Scheduling of Object-Based Distributed Real-Time Systems," Real Time Systems Journal, Kluwer Academic Publishers, Vol. 8, pp. 5-34, 1995.
[152] S. Vestal, "Modeling and Verification of Real-Time Software Using Extended Linear Hybrid Automata," 5th NASA Langley Formal Methods Workshop, 2000.
[153] J. Xu and D. Parnas, "On Satisfying Timing Constraints in Hard-Real-Time Systems," IEEE Trans. on Software Eng., Vol. 19, No. 1, January 1993.
[154] Li Xuan Dong and Dang Van Hung, "Checking Linear Duration Invariants by Linear Programming," In Joxan Jaffar and Roland H.C. Yap, editors, Concurrency and Parallelism, Programming, Networking, and Security, Lecture Notes in Computer Science, vol. 1179, pages 321-332, December 1996.
[155] Wang Yi, "Real-Time Behavior of Asynchronous Agents," Proc. CONCUR'90, Lecture Notes in Computer Science 458, Springer Verlag, 1990.
[156] Jin Yang, Aloysius K. Mok and Farn Wang, "Symbolic Model Checking for Event-Driven Real-Time Systems," ACM Trans. on Programming Languages and Systems, March 1997.
[157] S. Yovine, "Méthodes et Outils pour la Vérification Symbolique de Systèmes Temporisés," doctoral dissertation, Institut National Polytechnique de Grenoble, 1993.
[158] S. Yovine, "Model-Checking Timed Automata," Embedded Systems, G. Rozenberg and F. Vaandrager, eds., Lecture Notes in Computer Science, Springer Verlag, Vol. 1494, October 1998.
[159] Zhou Chaochen, M. Hansen, A. Ravn, and H. Rischel, "Duration Specifications for Shared Processors," IEEE Transactions on Parallel and Distributed Systems, vol. 1, no. 2, pp. 170-183, 1990. Formal Techniques in Real-Time and Fault Tolerant Systems, vol. 571, Lecture Notes in Computer Science, Springer Verlag, 1992.
[160] Zhou Chaochen, C. Hoare, and A. Ravn, "A Calculus of Durations," Information Processing Letters, vol. 40, no. 5, pp. 269-276, December 1991.
[161] Zhou Chaochen, Zhang Jingzhong, Yang Lu, and Li Xiaoshan, "Linear Duration Invariants," Proc. Formal Techniques in Real-Time and Fault-Tolerant Systems, Lecture Notes in Computer Science, vol. 863, 1994.
[162] K. Čerāns, "Decidability of Bisimulation Equivalence for Parallel Timer Processes," Proc. of 4th Workshop on Computer Aided Verification, Lecture Notes in Computer Science, 1992.

Appendix A
A Survey on RTS Design Notations and Analysis Tools
In this annex we present a classification and survey of design notations and models that are aimed at representing and reasoning about physical designs for hard real-time systems. Then we draw some common characteristics and trade-offs. Those remarks motivated our proposal, which integrates techniques from two different fields (scheduling theory and methods based on state space exploration) to cope with verification in usual application models.
A.1 Notations and Models for Physical Designs of RTS
We believe that, in order to classify a technique as appropriate for physical design, it should be able to deal with the temporal phenomena that arise from processor sharing. These aspects are usually ignored in the requirements/specification phases, where timing information is expressed without taking into consideration how the described behavior will be implemented [33]. However, it is worth mentioning that some authors consider that the designer should only be responsible for conveying the global real-time requirements to the real-time scheduler (e.g., [77, 78, 79, 105, 151, 153], etc.). These are "correct by construction" or "synthesis" approaches (which are, in general, based on pre-run-time scheduling). Although we believe that those approaches may be ideal for the development of real-time software, as far as we know they are still limited in practice.1 Therefore, since we decided to focus on analysis methods, we left all these synthesis methods out of the scope of this survey.
1 This might be due to several different reasons: they might aim at particular time-driven applications, they might require uncommon OS platforms, the process of finding feasible solutions might have high complexity, etc.
A.1.1 A Tool Classification
There are many ways of classifying the approaches. As we are mainly concerned with the correctness of designs, we chose to divide them according to the type and scope of the analysis they provide or suggest.
Based on Scheduling Results. This group is constituted by formal and informal notations that use the scheduling results for a periodic task model to assess timing requirements [50, 109, 12, 43]. These are usually deadline satisfaction requirements, which come from sampling rate or response time requirements. No functionality is taken into account for the analysis. The control structure of a task might be represented as the abstract response structure of the event to be served (sequential, parallel or select ordering of actions). Each action is described in terms of the way it consumes resources (amount, preemptiveness, priority, etc.) (e.g., [109]). All tasks are considered periodic, and interrupts are handled using some kind of sporadic serving scheme ([144]). They also support a certain degree of analysis in a certain multiprocessing environment model [134, 24]. Their major strength is that they are of polynomial complexity in the number of tasks [86]. We can group these tools according to which kind of results are used.
Based on Analytical Results. In this subgroup we find tools that use or suggest known results to statically assess the schedulability of a set of tasks. Examples are tools with a scheduling analyzer ([122, 13, 98, 97]). We also include methods based on semiformal design notations that suggest applying analytical methods to carry out a timing correctness verification [42, 139, 82, 66].
Based on Bounded Execution. Other tools use periodicity and critical instant results to derive the schedulability property through a bounded simulation [93].
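As an added illustration that is not part of the thesis, the two subgroups applied to one constructed three-task set: the analytical route computes worst-case response times with the fixed-priority recurrence that follows from the critical-instant argument, and the bounded-execution route simulates preemptive fixed-priority scheduling from the critical instant up to the hyperperiod. The task names, their timing parameters and the rate-monotonic priority assignment are assumptions of the example.

```python
from dataclasses import dataclass
from functools import reduce
from math import ceil, gcd


@dataclass(frozen=True)
class Task:
    """A task of the periodic task model (constructed for this example)."""
    name: str
    wcet: int      # C: worst-case execution time
    period: int    # T: period (minimum inter-arrival time)
    deadline: int  # D: relative deadline, assumed D <= T


def rate_monotonic_order(tasks):
    """Rate-monotonic priority assignment: the shorter the period, the higher
    the priority. The returned list goes from highest to lowest priority."""
    return sorted(tasks, key=lambda t: t.period)


def response_time_analysis(tasks):
    """Analytical subgroup. Worst-case response time of each task from the
    fixed-priority recurrence derived from the critical instant:
        R = C + sum over higher-priority j of ceil(R / T_j) * C_j
    iterated to a fixed point. Iteration stops as soon as R exceeds the
    deadline; the task is then reported as None (deadline miss)."""
    ordered = rate_monotonic_order(tasks)
    response = {}
    for i, task in enumerate(ordered):
        higher = ordered[:i]
        r = task.wcet
        while True:
            r_next = task.wcet + sum(ceil(r / h.period) * h.wcet for h in higher)
            if r_next > task.deadline:
                response[task.name] = None
                break
            if r_next == r:
                response[task.name] = r
                break
            r = r_next
    return response


def bounded_simulation(tasks):
    """Bounded-execution subgroup. Discrete-time simulation of preemptive
    fixed-priority scheduling, started at the critical instant (every task
    released at t = 0) and run up to the hyperperiod, after which the
    schedule repeats. Returns (all_deadlines_met, worst_observed_response)."""
    ordered = rate_monotonic_order(tasks)
    hyperperiod = reduce(lambda a, b: a * b // gcd(a, b), (t.period for t in ordered))
    remaining = {t.name: 0 for t in ordered}  # unfinished work of the current job
    released = {t.name: 0 for t in ordered}   # release time of the current job
    worst = {t.name: 0 for t in ordered}
    for now in range(hyperperiod + 1):
        # A job whose absolute deadline is 'now' must already be finished.
        for t in ordered:
            if remaining[t.name] > 0 and now == released[t.name] + t.deadline:
                return False, worst
        if now == hyperperiod:
            break
        # Periodic releases; D <= T guarantees the previous job was checked above.
        for t in ordered:
            if now % t.period == 0:
                remaining[t.name] = t.wcet
                released[t.name] = now
        # The highest-priority ready job owns this time unit (preemptive).
        for t in ordered:
            if remaining[t.name] > 0:
                remaining[t.name] -= 1
                if remaining[t.name] == 0:
                    finished_at = now + 1
                    worst[t.name] = max(worst[t.name], finished_at - released[t.name])
                break
    return True, worst


def schedulable(tasks):
    """True when both analyses agree that every deadline is met."""
    analytical = all(r is not None for r in response_time_analysis(tasks).values())
    simulated, _ = bounded_simulation(tasks)
    return analytical and simulated


# Constructed task sets (C, T, D in one time unit); priorities are rate monotonic.
TASK_SET_OK = [
    Task("sensor", wcet=1, period=4, deadline=4),
    Task("control", wcet=2, period=6, deadline=6),
    Task("logger", wcet=3, period=12, deadline=12),
]
# Same set with a heavier logger: utilisation exceeds 1, so a deadline is missed.
TASK_SET_MISS = [Task("logger", wcet=6, period=12, deadline=12)] + TASK_SET_OK[:2]

if __name__ == "__main__":
    for label, tasks in (("ok", TASK_SET_OK), ("miss", TASK_SET_MISS)):
        print(label, response_time_analysis(tasks), bounded_simulation(tasks))
```

On the first set both routes report the same worst-case response times; on the second the recurrence diverges past the logger's deadline and the simulation catches the unfinished job exactly at t = 12.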
Based on State Space Exploration. This group is constituted by tools that use operational formal kernels whose verification techniques are based on state space exploration (reachability analysis, model checking). In general, they are able to solve a broader family of queries than the former group. Also, their hypotheses on the application model are less restrictive than in the former approach (i.e., they support richer process models than those considered by scheduling theory, complex environments can be modeled, etc.). Their major drawback is that they suffer from the state space explosion problem, and hence their associated verification problem has a high time/space complexity, if it is decidable at all. Many operational formal methods and techniques were adapted to tackle the difficulties that arise in physical design modeling. Process algebraic approaches are the most numerous [73, 57, 132, 31], but there are also Petri Net [71] and automata [58] based approaches.
Another way to classify these tools is through their ability to model the preemption of operations. On the one hand, there are tools able to model directly the effect of processor sharing on the execution time of actions. They can be based on a dense time domain [71, 58] or on a discrete time domain [46, 73]. On the other hand, there are tools which assume that actions execute atomically for an amount of time specified by the designer (preemptive disciplines can be somehow modeled by breaking a task into non-preemptive units). They can be based on a dense time domain [32, 70] or on a discrete time domain [132, 21].
Based on Deductive Reasoning. These approaches are based on semiautomated syntactical reasoning in a refinement or verification fashion (theorem provers, transformational tools, etc.). By their own nature, deductive frameworks are much more amenable to some integration with external knowledge (e.g., scheduling theory). For example, in [72] scheduling results are used to verify the feasibility of the transformations over a data flow net. In [119] and [120] a TLA approach is presented that argues for a separation of concerns between the scheduler and program correctness (abstracting the scheduler away as a scheduling policy when proving program correctness). Duration Calculus [160] approaches suit very well the specification of the execution environment, since duration is a particularly adequate concept for describing the preemptive nature of some scheduling policies [159, 49].
Based on Integer Programming. This group is the least numerous one. The key idea is to apply integer programming to derive bounds on the distance between events [16, 14]. Thus they propose an alternative to state space exploration techniques for answering some questions about the temporal distance between events.
Note that, since we want to deal with hard real-time requirements, stochastic techniques for performance evaluation were deliberately left out of scope.
A.1.2 Guiding Features and Characteristics
In this section, we explain the different aspects that were studied in each different proposal. 
As they are of different nature (notation/analysis models, formal/informal notations) some 
of the aspects might not be applied in particular cases. Anyway, our goal is to keep the 
description as homogeneous as possible to allow an easy comparison. 
In particular, the survey refers to the following features: 
Modeling Features. This is a brief review of the notational characteristics of each
approach. We try to point out limitations on the provided features that are circumstantial
and do not stem from expressive constraints of the underlying formalism.
Components and Connectors. The notations studied share some basic notion of
concurrent sequential activities interacting and competing for resources to achieve
system goals. These are statically represented in the notation by some kind of software
component. These components can be merely uncohesive tasks or the set of
services provided by a class of objects. We describe the capabilities of the approach
to express the distribution of the activities on processing resources. We also point
out how many sequential activities of a component could coexist in a system run.
As notations should address the communication among sequential activities, we
briefly describe the basic connectors provided by them.
Functional and Control Description of Components. Some notations require
or allow some type of description of the behavior of these activities at a control
and/or functional level. Informal notations may merely suggest pseudocode and
timing information, while formal ones may require precise functional descriptions. We
also try to point out whether special control flow schemes (e.g. exception handling)
are supported.²
Time Issues. Another point in common is that notations require or allow the designer
to establish some timing information on software and external components that can
eventually be used for the analysis. Indeed, they serve as some sort of timing information
repositories (local and global requirements like response times, sampling times,
frequency of periodic outputs, estimations, etc.) [82, 87, 77]. We also point out the
underlying time domain model (dense or discrete).
Processing Issues. We analyze the way that actions are supposed to evolve in
time (i.e., what is the granularity of actions: are they monolithic, or is preemption
modeled?). In particular we focus on the limitations in modeling operating platform
characteristics like the scheduling policies supported or the run time overhead.
Environment Behavior Description. Environment description plays an important
role in the development of control systems. Notations address to some degree
the description of the assumptions about the system to be controlled (also known as
the plant).
Verification. 
Underlying Formalism [optional]. If the notation semantics is formally supported 
we report the class of formalism used. 
Processor Sharing Modeling [optional]. The formalisms that are used in this
physical phase usually do not adhere to the maximal parallelism assumption [73], which
is a common feature of formalisms aimed at the specification phase, where requirements
are stated. One of the key aspects of a formal approach that supports preemption
modeling is how the dichotomy between elapsed real time and remaining processing
time is handled. That is, we try to understand how maximal parallelism is abolished
and how the scheduling policy is modeled (i.e., whether it is built in, whether any policy can be described,
etc.).
Verification Technique. To understand the verification approach we report the 
sort of technique applied (e.g. analytical worst case response time calculation, model 
checking or reachability analysis, etc.). 
² We also describe any special capabilities to define connectors or hardware components.
Queries. To understand the scope of the approach it is necessary to know what 
kind of properties can be queried (e.g. the ones provided by a logic or a fragment, ad 
hoc queries about minimal and maximal separations between events, etc.). It is also 
pointed out how they are formulated (logic, or manual adaptation to a reachability 
problem). 
Treatment of Functional Aspects [optional]. We believe that it is important to 
know to which extent data and functional aspects are taken into account in the veri- 
fication phase (e.g. can queries involve data?, are infinite domains for data allowed?, 
etc.). 
Complexity. The modeling and querying capabilities affect the complexity of
solving the general verification problem in the approach (is it computable? tractable?).
Some reported observations are presented.
Although the approaches have different characteristics, goals and scopes, they can be analyzed
following the guide presented above. We think it helps in understanding the
flavor, the utility and the limitations of the approaches.
A.1.3 The Survey 
The following detailed survey is not exhaustive, but it describes some of the most representative
informal notations and automatic techniques in this field. Since we are interested in
automatic (or potentially automatic) techniques, deductive formal methods are not treated
in further detail.
Approaches Based on Scheduling Results 
SAD and AAD of ADARTS/CODARTS [82]
SAD (Software Architecture Diagram Notation) is a notation to describe systems
through their task structure. AAD [82] (Ada Architecture Diagram Notation)
introduces ADA-specific tasking notation, thus directly providing ADA
features like packages and rendezvous.
- Modeling Features. 
* Components and Connectors. Task structures following the periodic
task model [109] can be described at each node of a statically distributed
system. At any instant, there is at most one executing instance of each task
(1 job per task).
The notation presents various mechanisms for loosely (prioritized or non-prioritized)
and tightly coupled message communication. Three types of event
synchronization are possible: external, timer, and internal. An external
event is typically an interrupt from an external I/O device. Information
hiding modules are used for encapsulating data stores. Tasks access the
data store indirectly via operations which manipulate the contents of data
stores.
* Functional and Control Description. Although pseudocode serves as
the task behavior specification language, functional descriptions are ignored in
the verification phase.
* Time Issues. The notation suggests that the designer define estimates
of computation requirements, periodicity, deadlines, interarrival times of
interrupts, etc.
* Processing Issues. Each node is scheduled using a fixed priority policy. Its
operative hypothesis could be as sophisticated as allowed by Rate Monotonic
Analysis [109].
* Environment Behavior Description. This tool is aimed basically at studying
the behavior of software artifacts. The notation supports the notion of event
that can be externally generated. Timing information about the interarrival
time of these external interrupts is used to perform the analysis of aperiodic
tasks that serve them. Dataflows of passive read/write information
could also be depicted.
- Verification. 
* Verification Technique. Rate Monotonic Analysis [109] is suggested to
be applied using the annotated estimations.
* Queries. Local and end-to-end deadline satisfaction, jitter requirements,
average response time for sporadic events.
* Complexity. The formulas are of polynomial complexity with respect to the
number of tasks.
HRT-HOOD [42]
HRT-HOOD is an object oriented notation that guides the designer to produce
designs with a high degree of analyzability in terms of scheduling theory (e.g. worst
case blocking should be predictable). Another interesting semantic adaptation
of an object oriented notation (ROOM) to deal with Hard Real-Time Systems
development can be found in [75, 139].
- Modeling Features 
* Components and Connectors. Objects are the components shown in the
static representation of the system. The notation provides object "classes"
common in hard real-time active abstractions: cyclic objects (for periodic
activities) and sporadic objects. Static distributed computing is supported.
The activities communicate through requests (asynchronous, loosely coupled:
blocked until ready to serve; and highly synchronous execution requests:
blocked until serviced, rendezvous-like) that might have an associated
time out.
Passive (an information hiding version of shared memory) and protected
objects (similar to Dijkstra's monitors) may act as data repositories.
* Functional and Control Description. There is no functional or control
description before the translation to ADA. Just the resource usage is
described.
* Time Issues. Timing attributes should be associated with objects: cyclic 
(period, deadlines, offsets), sporadic (minimum arrival interval, offsets, 
deadlines). Depending on the type of the scheduling approach other at- 
tributes might be annotated. 
* Processing Issues. Each node is scheduled using a fixed priority schedul- 
ing policy adhering to the models supported by the results of [39]. 
* Environment Behavior Description. This tool is aimed basically at studying
the behavior of software artifacts. The notation supports the notion of
event that can be externally generated. Timing information about the interarrival
time of these external interrupts is used to perform the analysis
of aperiodic tasks that attend them. Dataflows of passive read/write information
could also be depicted.
- Verification.
* Verification Technique. Schedulability analysis could be performed using
the corresponding analytical theory (worst case estimation using fixed
priority scheduling theory [39]).
* Queries. Local and end-to-end deadlines satisfaction, jitter requirements, 
average response time for sporadic events. 
* Complexity. The formulas are of polynomial complexity on the number 
of tasks. 
PERTS [122]
PERTS (A Prototyping Environment for Real Time Systems) is a prototyping
environment for the evaluation of real-time systems. A key component is the
schedulability analyzer. The basic version supports the analysis and validation
of real-time systems built within the framework of the periodic task model. PERTS was
chosen as the example of an analysis tool based on analytical results. A similar
analysis capability is provided by STRESS [13]; in this case the scheduling analyzer
provided is based on the results of [121, 118, 11]. Commercial tools like
iRAT [98], based on Rate Monotonic Analysis [109], provide similar capabilities.
- Modeling Features. Although a more complex task and resource model is
available for the simulation environment, it is not taken into account in the
following description.
* Components and Connectors. Tasks and resources can be represented
in the model using the periodic task model assumptions. Aperiodic tasks
can be scheduled according to a variety of schemes including pure or persistent
polling, deferrable server and sporadic server [144]. At any instant
there is at most one executing instance of each task (1 job per task). Tasks
are statically assigned to processors.
Shared resources are controlled by priority ceiling protocols, the non-preemptive
critical approach, priority inheritance or the stack-based protocol [140, 18].
* Functional and Control Description. There is no functional or control
description. Just the resource use is described.
* Timing Aspects. Tasks are annotated with their worst case execution time,
their deadline and their release time.
* Processing Issues. The processing rate of processors can be specified. Resources
can be preemptable or not preemptable. Each node can be scheduled
using a priority-driven scheduling policy (RM, Deadline Monotonic, EDF).
* Environment Behavior Description. This tool is aimed basically at studying
the behavior of software artifacts, thus there is limited support for environment
modeling. External bounded or bursty events are treated as if they
were periodic.
- Verification. 
* Verification Technique. Analytical results for the periodic task model are
used [121, 134, 144, 118, 140, 18, 51]. The analysis of multiprocessor systems
is based on the multiprocessor model [134] and the end-to-end scheduling model
~ 4 1 .
* Queries. Deadline satisfaction, worst case execution time, blocking time,
jitter satisfaction, end-to-end analysis.
* Complexity. For monoprocessor systems, the formulas are of polynomial
complexity on the number of tasks.
Approaches Based On State Space Analysis
RTD [71]
It is a formal notation based on the SA/RT requirements notation. Its semantics is
given using High Level Timed Petri Nets [80] through graph grammar rules [19].
- Modeling Features 
* Components and Connectors. It allows the system to be described as a set
of tasks and terminators. At any instant there is at most one executing
instance of each task (1 job per task). The version studied models monoprocessor
systems.³
Connectors are inspired by the POSIX [133] standards: message queues, shared
memories, signals (user/O.S.).
* Functional and Control Description. Each task comprises one or more
sequential activities, the default thread and the exception threads (woken
up by signals), that are executed in mutual exclusion. The internals of a task
are specified by means of a data/control flow description. The functionality of the
"bubbles" (processes) is expressed in an operational fragment of VDM. A
control specification facility is also available for controlling the activation
of bubbles and describing the manipulation of signals.
³ There is a tool for graphical language definition, and RTD is just a particular instance of it [19].
* Timing Aspects. An expression, which could be data dependent, defines the
upper and lower bounds of functional activities (bubbles). The period for
cyclic tasks is another timing parameter of the notation. It is a dense-time
model.
* Processing Issues. Actions are preemptable. The version studied allows
a fixed scheduling policy. Run time overhead is potentially modelable.
* Environment Behavior Description. Terminators are modeled as data
streams independent of the received signals (however, they could be given
semantics in many details).
- Verification. 
* Underlying Formalism. It is formally defined using HLTPN [80] as base 
formalism. 
* Processor Sharing Modeling. In HLTPN the timestamps can be ma- 
nipulated in such way that remaining execution time of an activity can be 
kept in a token. The scheduler is modeled as a subnet. 
* Verification Technique. Simulation and symbolic execution are available,
as well as bounded reachability analysis and partial model checking.
* Queries. A C-based language is available for bounded time queries [20].
* Treatment of Functional Aspects. Functional aspects are annotated
in a fragment of VDM and translated as the functions to be performed by
transition firings on the resulting tokens. Queries can predicate on data
values.
* Complexity. The general reachability and model-checking problems are
not decidable on HLTPN.
The approach of CORBETT [58]
It is an approach aimed at analyzing ADA code based on Hybrid Automata.
However, it can also be seen as a technique to analyze an ADA-like design notation.
An extension of this work was presented to deal with partially implemented
systems, where queries are made in Graphic Interval Logic [15]. Another related
approach can be found in [38], where parametric Hybrid Automata are used for
synthesizing processor speeds or the amount of processor time given to each task
to accomplish a performance goal.
- Modeling Features
* Components and Connectors. Components are ADA tasks. At any instant
there is at most one executing instance of each task (1 job per task).
No dynamic task creation is modeled. This version deals with monoprocessor
environments.
It supports rendezvous communication and protected objects (similar to
monitors) as communication media. It also models asynchronous transfer of
control, which allows the completion of a blocking operation to abort the
execution of a sequence of statements.
* Functional and Control Description. Code written in an ADA fragment.
* Time Issues. Timing information is expressed by means of the delay until
operation and the estimations for bounding sequential code execution time.
Continuous time makes the time unit definition largely irrelevant.
* Processing Issues. Actions are preemptable. The major advantage of
this modeling technique is that it potentially allows reasoning in scheduling
contexts where no scheduling theory is known or where the system does
not fit any theory hypothesis like periodicity. Currently, it supports static
priority scheduling accounting for run time overhead (task synchronization,
timer services, context switches and interrupts).
* Environment Behavior Description. The separation between interrupts
can be modeled to communicate the occurrence of an external event to the
task system.
- Verification. 
* Underlying Formalism. This approach presents a way to model ADA
code as a Slope Linear Hybrid Automaton [5], which allows preemption
modeling. They use automaton nodes to represent the different states that
the application and the O.S. could reach. As they work with continuous time
domains they get conservative abstractions of the software. They use virtual
coarsening techniques [10] to reduce the size of the automaton.
* Processor Sharing Modeling. The scheduler is modeled in the state
transition representation. Hybrid automata allow expressing the
derivative of clocks. Then, a derivative equal to one models that the task
is running, while a derivative equal to zero models that the task is waiting for
the processor.
* Verification Technique. They apply a symbolic model-checking tool for
analyzing Hybrid Systems (HyTech) [92].
* Queries. A property automaton is built to compose with the system, and
then reachability analysis is applied.
* Treatment of Functional Aspects. Some finite domain data modeling
is allowed.
* Complexity. Unfortunately, the general model checking and reachability
problem in Hybrid Automata is undecidable (they claim that most of the
queries do terminate). The state space explosion problem currently limits it to
small size systems. They believe that, since task scheduling is deterministic,
most nondeterminism in the transition system is caused by the timer
transition, delay statements/alternatives and unmodeled program variables.
RTSL [73] 
RTSL is an approach mathematically founded in process algebra. RTSL is 
used to describe the control/communication behavior, timing behavior, and the 
timing constraints (deadlines) of a monoprocessor system. The algebra provides 
high level real-time constructs like watchdogs and exception handlers. 
- Modeling Features 
* Components and Connectors. The system is modeled as a set of sequential
processes using a process description language whose syntax and semantics
are based loosely on those of CCS [126] and ACP [17]. It models monoprocessor
platforms.
Complementary synchronization actions model synchronization channels
(as the Ada select statement without data passing).
* Functional and Control Description. Processes are built from actions. No
data is modeled. This process algebraic approach is aimed at representing
the communication structure of processes while taking into account the duration of
internal and communication actions as well. Timing exception handling can
be modeled.
* Time Issues. Internal and communication actions are labeled with their
durations measured in time units. There are operators to express delay and
deadline timing constraints. They use a discrete time model.
* Processing Issues. It is a tick resolution approach that allows preemption
modeling. The scheduling discipline is a modular component of the formal
model, so it can be changed. A parametric priority function arbitrates the
selection of the process to make progress (RM and EDF can be modeled).
* Environment behavior description. The environment can be modeled 
as processes which interact with the control software. All the language 
constructs are available for its description. 
- Verification 
* Underlying Formalism. RTSL is a process algebra with formal semantics. 
* Processor Sharing Modeling. The system semantics establishes that 
just a highest priority process advances while the others idle. The difference 
between elapsed time and executed time is reflected in time constructs where 
relative deadlines are reduced when the enclosed process idles. 
* Verification Technique. Reachability analysis is applied.
* Queries. They present the deadline satisfaction problem as a reachability
question, since states record unhandled exceptions that arise when deadlines
are missed.
* Complexity. The state space explosion problem may arise. However, they
hypothesize that the filtering effect of scheduling disciplines and the regular structure
of many real-time systems will tend to control that problem in practice.
VERUS [46] 
VERUS is a tool for quantitative analysis of finite state real-time systems based 
on Labeled Transition Systems. 
- Modeling Features 
* Components and Connectors. Tasks can be described in a C-like syntax.
Each task corresponds to one executing sequential activity. It models
monoprocessor platforms.
Shared variables are available for task communication. They can be protected
by accessing them at a high priority level. Other protocols or communication
models can be implemented as well.
* Functional and Control Description. It is done through a C-like syntax.
The data types allowed are integer and boolean. No interrupt features can
be directly modeled.
* Time Issues. The language provides primitives to express timing aspects
such as deadlines, priorities, and time delays in an imperative fashion.
The VERUS language has a wait operator to model the discrete time duration of
actions.
* Processing Issues. They adopt tick resolution interleaving. As in most
timed formalisms, the visible state changes of actions are instantaneous. The wait
statement controls the elapsing of time. The discipline modeled is fixed priority
scheduling (subtasks can have different priorities).
* Environment Behavior Description. This tool is aimed basically at studying
the behavior of software artifacts. The periodic task statement is used to
indirectly describe the actions performed by a sporadic task serving external
requests.
- Verification. 
* Underlying Formalism. The language is translated to untimed transition 
systems with global variables. 
* Processor Sharing Modeling. The interleaving semantics of transition 
Systems models the shared processor. 
* Verification Technique. It is an adaptation of the symbolic model checking
technique of [36]. The algorithms provide valuable timing information
such as minimum and maximum delay (counting the number of transitions) and condition
counting (max. and min. number of times a given condition holds on
any path from the starting to the final state).
* Queries. An extension of symbolic CTL (RTCTL) is used for expressing
time bounded properties.
* Complexity Issues. Tick resolution interleaving might exacerbate the
state space explosion phenomenon [132].
* Influence of Functional Aspects. Finite data can be used, since the
language is translated to a labeled transition graph.
ARC [132]
It is a formalism that extends CSP (Communicating Sequential Processes) [94]
with a global clock.
- Modeling Features 
* Components and Connectors. Components are the (CSP) processes
(tasks). It models monoprocessor platforms.
The basic connector is synchronous communication (CSP-like). The two
processes involved in the communication synchronize on "out" and "in"
operations.
* Functional and Control Description. The description is given by means
of an untimed CSP description showing the possible behavior in terms of the
communication structure. No functional or data aspects are specified. No
interrupt features can be modeled.
* Time Issues. W(n) events represent the advance of time by n units. The
time model is discrete.
* Processing Issues. The language only addresses non-preemptive fixed
priority scheduling. Actions are monolithic.
* Environment Behavior Description. The environment can be modeled
as processes that interact with the control software. All the language
constructs are available for its description.
- Verification
* Underlying Formalism. It is an extension of untimed CSP. A global, discrete
clock is increased by time advancing W(n) events.
* Processor Sharing Modeling. The interleaving semantics and the W(n)
events model a shared processor environment.
* Verification Technique. ARC is compiled into a Labeled Transition
System. Then refinement and equivalence checking can be applied.
* Queries. It can be asked whether refinement or equivalence holds between terms
modeling systems.
* Complexity. It avoids the extra production of states of tick resolution by using
action resolution. Anyway, like all approaches based on state space exploration,
it potentially suffers from the state space explosion problem.
GCSR [21]
Graphical Communicating Shared Resources is a graphical language to describe
RTS in a Structured-Charts fashion. GCSR supports the explicit representation
of system resources and priorities to arbitrate resource contention.
- Modeling Features 
* Components and Connectors. Real-time systems are basically sets of
communicating processes. It supports multiprocessor platform modeling.
Processes can synchronize through matching event names. The interruption
or communication can occur during the execution of a process.
* Functional and Control Description. The control description is given
through a set of nodes (to model time-consuming actions) connected through
directed edges (modeling events like communication, time-out, etc.).
* Time Issues. In the discrete model, actions take one tick, and it can be
established which resources they use and the priorities over them; events
are timeless and they also have priorities assigned to them. It is possible to
express the actions to be taken after a time-out, an external or an internal
interrupt.
* Processing Issues. It is aimed at modeling fixed priority scheduling. Preemption
of actions can be modeled by dividing the task into non-preemptable
units [142].
* Environment Behavior Description. The environment can be modeled
as agents that interact with the control software. All the language constructs
are available for its description.
- Verification. 
* Underlying Formalism. The graphical language is translated into
ACSR [117], a process algebraic approach that takes into account that resources
are shared. Contention for resources is arbitrated according to fixed
and static priorities.
* Processor Sharing Modeling. Processors are resources. Actions that
compete for them are arbitrated according to a fixed priority scheme.
* Verification Technique. There is a tool [57, 142] supporting the process
algebraic view that provides bisimulation algorithms to compare designs
against specifications. Reachability analysis tools are also provided.
* Queries. Queries can be solved if they are rephrased as a reachability
problem.
* Complexity. Like all approaches based on state exploration, it suffers from
the state space explosion problem.
Approaches Based On Linear Integer Programming
The approach of AVRUNIN et al. [16]
Avrunin et al. present a technique for deriving upper and lower bounds on the
time that can elapse between two given events in an execution of a concurrent
software system running on a single processor under arbitrary scheduling.
- Modeling Features 
* Components and Connectors. A static set of processes. There is no
possibility to model dynamic task creation. This version deals only with
monoprocessors, but it has been extended to treat distributed systems as
well [14].
Synchronous or asynchronous communication events among processes can
be modeled.
* Functional and Control Description. Only the control structure of
processes is described, as deterministic finite automata. There is no guide
to model interrupt features.
* Time Issues. Each event must be assigned a duration. Upper bounds
for cycles must be provided by the user. The time domain is irrelevant in this
approach.
* Processing Issues. Events could be preemptable activities that do not
overlap. Actually, atomicity has no importance in this approach due to the
technique used for calculating the distance between events. They consider
complex software where the system developer has little control
over scheduling beyond that provided by the semantics of interprocess communication
(so the approach is incapable of verifying properties when the scheduling policy is
essential to timing correctness).
* Environment Behavior Description. This tool is aimed basically at studying
the behavior of software artifacts. No external behavior can be directly
modeled (it is aimed at analyzing the complex interaction of aperiodic processes
in a transaction firing).
- Verification. 
* Underlying Formalism. A system run is a coherent interleaving of the
events that compose the processes. These potential runs are constrained by
a set of inequalities.
* Processor Sharing Modeling. The objective function to be optimized
is the sum of the durations of events (no overlapping). The range of this
function depends on the desired time domain.
* Verification Technique. They model the executions using linear inequalities
and use linear programming techniques instead of generating state
spaces. The inequality system is deduced so as to constitute the necessary
conditions that must be satisfied by subsequences of events.
* Queries. Upper and lower bounds for a pair of events in a system run.
* Complexity. It inherits the complexity of the mixed integer linear programming
problem; however, some good results are reported.
* Treatment of Functional Aspects. Only finite state processes can be
modeled.
A.1.4 Some Remarks 
Informal notations are richer in high level features, providing languages closer to user
needs. Obviously, due to their informal nature there is no automatic support for the verification
phase, and this procedure might be error-prone. Tools like scheduling analyzers address this,
but they still just assess whether the set of tasks meets its deadlines. On the other hand,
in most formal languages it is difficult to describe the system in terms of the available
mechanisms for its eventual implementation. A dual notation approach (i.e., a user-friendly
notation translated into a formal kernel) is a paramount issue [19]. Unfortunately, the
expressive power of formal languages necessary to capture real phenomena impacts the
feasibility of verification [58, 71].
Functional aspects and data treatment are neither modeled nor taken into account
in the verification process of most approaches. Timing properties are analyzed independently
from functional characteristics. If "separation of concerns" were the criterion followed
by designers, then temporal correctness should not depend on the data itself but on the
estimations of worst-case computation time. As a consequence, most methods do not
directly address data modeling, which is conservatively replaced by the introduction of
some non-determinism in the control and timing description.
Regarding environment modeling, we can divide the approaches in two groups:
the ones which can represent the interacting external agents in rather complex patterns
and the ones which indirectly address the issue through the possibility of modeling
interrupt arrivals into the software system. Obviously, the former group usually allows
a more sophisticated contextual analysis than the latter, where only interarrival parameters
are given.
We observe that most formalisms have the scheduling policy (generally, fixed-priority 
based) tacitly built into their semantics. The approaches that potentially provide more 
flexibility model the scheduler just as another component, but with the drawback of 
generating a twisted and heavy dependence between the components and the scheduler 
(e.g. [58, 71]). A third group is constituted by formalisms where scheduling has its 
own syntactical and semantical category, providing certain flexibility and encouraging a 
smoother transition from requirements [73]. 
We can also conclude that one of the main obstacles to the efficiency of property 
verification is the granularity of actions. While in discrete fully preemptive models the 
tick resolution may produce unnecessary states [132], dense-time 
preemptive models like Hybrid Automata or HLTPN have undecidable verification problems 
[5] or a complexity that may be prohibitive. Other well-known specification formalisms like 
Temporal Automata based approaches [7, 130, 103], most process algebras and Petri Net 
approaches are not able to model preemption. They are oriented to a maximal parallelism 
assumption, which is the right approach for a specification. For example, in the case of 
automata, clocks can be used to measure the minimum and maximum time elapsed 
in a node. Unfortunately, as clocks cannot be "stopped" as in a Hybrid Automaton, it is 
not possible to accurately model preemption. 
In the formal approaches, the RTS models are either monolithic or they are composed 
of a set of terms whose behaviors are heavily interdependent, since they share the same 
processing resource. To some extent, it is true that, as some authors say, the scheduling policy 
reduces the number of behaviors of the system. However, if n is the number of tasks in a 
system, the number of possible configurations of the Ready queue is 2^n, the number of subsets 
(imagine an event-driven system). We can guess that the states in which the preempted tasks were 
frozen are another possible source of combinatorial explosion. That is, scheduling reduces the 
number of behaviors w.r.t. a system where an arbitrary scheduler is assumed. Nevertheless, 
the number of tasks still has a negative impact on practicality [58]. 
Our last observation, the one that originally inspired our work, is that state space exploration 
methods are usually motivated by the need to reason about non-standard situations for which 
there is no known scheduling theory. Nevertheless, when scheduling theories are known, 
they are not exploited in state-based verification techniques. 

Appendix B 
Abstract Code for the Working Examples 
The Active Structure Control Design 
Modeler (Sporadic, MAT = 100, Pty= 10, 
Interruption=DataReceived, LatchUpTo 1 at WaitingForReplenish) 
Init: [10] {ModelerReadyForCom.} 
Begin 
[18,23]; Model.UpDate; [10] {ModelerReadyForCom.} 
End 
Pulser (Periodic, P = 110, Pty= 11) 
Begin 
[1]; Model.Read; [38,43]; [10] {PulserReadyForComm.} 
End 
Model (Protected, PtyCeiling = 12) 
Begin 
Operation: UpDate 
Begin 
[2] {ModelUpDated.} 
End 
Operation: Read 
Begin 
[1] {ModelRead.} 
End 
End 
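Two remarks of the preceding chapter can be made concrete on the Active Structure Control task set just listed: that a clock which cannot be stopped cannot capture preemption, and that known scheduling theory is rarely exploited in state-based verification. The following Python block is an added example written for this edition, not code from the thesis. It runs a small fixed-priority preemptive simulation from the critical instant, in which each job's remaining work is a stopwatch that only advances while the job holds the processor, and sets the observed worst response times beside the classic response-time analysis bound (Joseph and Pandya; Audsley et al.). The following are my assumptions, not definitions taken from the thesis: a larger Pty number is a higher priority, `[a,b]` is a computation-time interval whose upper bound is the WCET, a call to a protected operation costs that operation's own computation time, each deadline equals the task's period or MAT, and Pulser's blocking term is Modeler's Model.UpDate.

```python
"""Fixed-priority preemptive scheduling on the Active Structure Control task
set: a stopwatch-based critical-instant simulation next to the classic
response-time analysis (RTA) bound.

ASSUMPTIONS (mine, not definitions from the thesis):
  * a larger Pty number is a higher priority, so Pulser preempts Modeler;
  * '[a,b]' is a computation-time interval and the WCET takes b; a call to a
    protected operation costs that operation's own computation time;
  * each task's deadline equals its period (Pulser) or its MAT (Modeler);
  * Pulser's blocking term is Modeler's Model.UpDate (2 ms), since Model's
    ceiling (12) is above Pulser's priority (11).
"""
from dataclasses import dataclass
from math import ceil
from typing import Dict, List


@dataclass(frozen=True)
class Task:
    name: str
    period: int        # period of a periodic task or MAT of a sporadic one (ms)
    wcet: int          # worst-case execution time (ms)
    pty: int           # fixed priority, larger = higher (assumption)
    blocking: int = 0  # worst-case blocking by a lower-priority task (ms)


# Constructed from Appendix B: Modeler = 23 + 2 (Model.UpDate) + 10 = 35,
# Pulser = 1 + 1 (Model.Read) + 43 + 10 = 55.
ACTIVE_STRUCTURE: List[Task] = [
    Task("Modeler", period=100, wcet=35, pty=10),
    Task("Pulser", period=110, wcet=55, pty=11, blocking=2),
]


def response_time_analysis(tasks: List[Task]) -> Dict[str, int]:
    """Fixed-point iteration R_i = B_i + C_i + sum_{j in hp(i)} ceil(R_i/T_j)*C_j.
    Iteration stops at a fixed point or as soon as the deadline is exceeded."""
    bounds: Dict[str, int] = {}
    for t in tasks:
        hp = [j for j in tasks if j.pty > t.pty]      # higher-priority interferers
        r = t.blocking + t.wcet
        while True:
            nxt = t.blocking + t.wcet + sum(ceil(r / j.period) * j.wcet for j in hp)
            if nxt == r or nxt > t.period:
                r = nxt
                break
            r = nxt
        bounds[t.name] = r
    return bounds


def all_deadlines_met(tasks: List[Task]) -> bool:
    """Schedulability test: every RTA bound is within the task's deadline."""
    bounds = response_time_analysis(tasks)
    return all(bounds[t.name] <= t.period for t in tasks)


def simulate_critical_instant(tasks: List[Task], horizon: int) -> Dict[str, int]:
    """1 ms-step fixed-priority preemptive simulation. All tasks are released
    together at time 0 (the critical instant) and re-released every period.
    Each job's remaining work is a *stopwatch*: it only decreases while the
    job holds the processor, so a preempted job resumes where it was frozen.
    A clock that cannot be stopped could not express this. Returns the worst
    observed response time per task over the horizon."""
    remaining = {t.name: 0 for t in tasks}   # frozen while preempted
    released = {t.name: 0 for t in tasks}
    worst = {t.name: 0 for t in tasks}
    by_pty = sorted(tasks, key=lambda t: t.pty, reverse=True)
    for now in range(horizon):
        for t in tasks:
            if now % t.period == 0:
                if remaining[t.name] > 0:    # previous job still pending: overrun
                    raise RuntimeError(f"{t.name} missed its deadline at t={now}")
                remaining[t.name] = t.wcet
                released[t.name] = now
        running = next((t for t in by_pty if remaining[t.name] > 0), None)
        if running is None:
            continue                          # idle tick
        remaining[running.name] -= 1          # only the running job's stopwatch advances
        if remaining[running.name] == 0:
            worst[running.name] = max(worst[running.name],
                                      now + 1 - released[running.name])
    return worst


if __name__ == "__main__":
    horizon = 1100  # lcm(100, 110): one full hyperperiod
    print("RTA bounds :", response_time_analysis(ACTIVE_STRUCTURE))
    print("simulated  :", simulate_critical_instant(ACTIVE_STRUCTURE, horizon))
    print("schedulable:", all_deadlines_met(ACTIVE_STRUCTURE))
```

Under these assumptions the RTA bounds are 90 ms for Modeler and 57 ms for Pulser, against simulated worst responses of 90 ms and 55 ms, so the Modeler's 100 ms MAT and the Pulser's 110 ms period are met. The 2 ms gap on Pulser is the blocking term from the protected object, which the simulator does not model; the Modeler's 90 ms response, far above its 35 ms WCET, is exactly the preemption that the frozen `remaining` counter records and that a non-stoppable clock could not.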
The Mine-Pump Design 
This is the code of the Mine-Pump Design. 
Local Processor runs: 
HLW-Sensor (Sporadic, MAT = 6000 ms, Pty= 5, 
Interruption=ChangeReceived, LatchUpTo 1 at Always, IH=1 ms, 
PtyIH=12) 
Begin 
[1] {dataread}; Motor.SetPump; Logger.Log; [1] 
End 
CH4-Sensor (Cyclic, Period = 80 ms, Pty= 10) 
Begin 
[2]; ({CH4sensorNotReady.} 
Console.Alarm 
+ 
{CH4done.} [.5] {CH4read}; [1]; CH4Status.Read; [1]; 
({NotSafe.} 
Motor.NotSafe; CH4Status.Write; 
Console.Alarm 
+ 
{Safe.} 
Motor.Safe; CH4Status.Write 
); Logger.Log 
); [.5] {CH4set.} 
End 
AirFlow-Sensor (Cyclic, Period = 100 ms, Pty= 7) 
Begin [.5] {flowread.}; [1]; 
({nok} Console.Alarm + {ok}); Logger.Log; [.5] 
End 
CO-Sensor (Cyclic, Period = 100 ms, Pty= 9) 
Begin 
[2]; ({COdone.} 
[.5] {COread.}; [1]; 
({nok} Console.Alarm + {ok}); 
+ 
{COnotready} 
Console.Alarm 
); Logger.Log; [.5] {COset.} 
End 
WaterFlow-Sensor (Cyclic, Period = 1000 ms, 
Pty= 8) 
Begin [.5]; Motor.RequestStatus; [.5] {wflowread.}; 
[5]; ({nok} Console.Alarm + {ok}); 
[1]; Logger.Log; [.5] 
End 
HLW-WatchDog (Cyclic, Period = 500 ms, Pty= 6) 
Begin 
[1]; AckQ.Extract({AckqExtracted_OK.} 
[1] {ackrequested} 
+ 
{AckqExtracted_NOK.} 
Console.Alarm 
); [.5] 
End 
ACK-Handler (Sporadic, MAT = 500 ms, 
LatchUpTo 1 at WaitForReplenish, Pty= 12) 
Begin 
[1]; Ackq.Add; [.5] 
Pure IH: Event AckReceived. 
End 
Console-Proxy (Cyclic, Period = 300 ms, Pty= 12) 
Begin 
[.5]; Console.GetPckg; ConsoleNet.Send; [.5] 
End 
Command (Sporadic, Period = 1000 ms, LatchUpTo 0, Pty= 4) 
Begin 
[1]; (Motor.RequestStatus + Motor.SetPump); [1]; 
({statusrequired} Console.InfStatus 
+ {notrequired}) 
End 
Ackq (Protected, PtyCeiling = 13) 
Begin 
Operation: Add 
Begin 
[2] {AckqAdded_OK, AckqAdded_NOK} 
End 
Operation: Extracted 
Begin 
[2] {AckqExtracted_OK, AckQExtracted_NOK} 
End 
End 
ConsoleNet (Protected, PtyCeiling = 12) 
Begin 
Operation: Send 
Begin 
[1] {CNetSent_OK, CNetSent_NOK} 
End 
End 
Console (Protected, PtyCeiling = 13) 
Begin 
Operation: Alarm 
Begin 
[2] {alarmadded} 
End 
Operation: GetPckg 
Begin 
[1] {pckgget} 
End 
Operation: InfStatus 
Begin 
[1] {infStatusadded} 
End 
End 
Logger (Protected, PtyCeiling = 13) 
Begin 
Operation: Log 
Begin 
[2] 
End 
End 
CH4Status (Protected, PtyCeiling = 12) 
Begin 
Operation: Read 
Begin [.5] {statusread} 
End 
Operation: Write 
Begin [.5] {statuswritten} 
End 
End 
Motor (Protected, PtyCeiling = 11) 
Begin 
Operation: NotSafe 
Begin 
[1]; ({motoron} [.5] {motorclear}; Logger.Log + 
{motoroff}); [.5]; Logger.Log; [.5] 
End 
Operation: Safe 
Begin 
[1]; ({motoron} [.5] {motorset}; Logger.Log 
+ {motoroff} 
); 
[.5]; Logger.Log; [.5] 
End 
Operation: RequestStatus 
Begin 
[1] 
End 
Operation: SetPump 
Begin 
[.5]; ({toset} [.5]; 
({exceptionarisen} 
+ 
{ok} CH4Status.Read; [.5]; 
({exceptionarisen} 
+ 
{ok} [.5] {motorset}; 
Logger.Log 
) 
) 
+ 
{toclear} [.5]; ({} [.5] {motorclear}; 
Logger.Log 
+ {} 
) 
); 
[.5] 
End 
End 
