Extending Timed Automata for Compositional Modeling Healthy Timed Systems, by Braberman, Víctor & Olivero, Alfredo
URL: http://www.elsevier.nl/locate/entcs/volume52.html (19 pages)

Extending Timed Automata for Compositional Modeling Healthy Timed Systems

Víctor Braberman^{1,2}
Computer Science Department, FCEyN, Universidad de Buenos Aires, Buenos Aires, Argentina

Alfredo Olivero^{3,4}
Department of Information Technology, FIyCE, Universidad Argentina de la Empresa, Buenos Aires, Argentina
Abstract

We introduce the notion of Timed I/O Components as Timed Automata "à la" Alur & Dill where an "admissible" I/O interface is declared. That notion has, what we consider, a key modeling property: non-zeno preservation under syntactically-checkable "I/O compatibility" among interacting components. Also, a reduced parallel composition is possible based on the ability to statically detect influence of behavior between components [8,10,11]. On the other hand, with some simple extra conditions, modular assume-guarantee style reasoning like [15,19] is valid in our model.
1 Introduction: on Non-Zeno and Non-Blocking Models

Well-defined models of timed systems are usually required to be "non-zeno". Roughly speaking, non-zenoness means that any finite run can be extended to a time-divergent infinite run (i.e., no "black-alleys": time can always progress). On the one hand, zenoness is usually a symptom of ill-modeling; on the other hand, non-zenoness is required to perform some verification procedures when the semantics is restricted to divergent runs.
1 Research supported by UBACyT grant X156 and TW72
2 Email: vbraber@dc.uba.ar
3 Research supported by UADE grant ING6-01
4 Email: aolivero@uade.edu.ar

© 2002 Published by Elsevier Science B. V. Open access under CC BY-NC-ND license.
Braberman and Olivero
Unfortunately, non-zenoness is not preserved by parallel composition. Non-zeno systems may produce time-locks when connected.

I/O Timed Components (I/O TCs) are compositional models developed for expressing non-zeno timed behavior, built on top of Timed Automata (TAs) [8]. They impose a modeling discipline guaranteeing that parallel composition among "compatible" I/O TCs is a natural way to constrain the behavior of individual components without introducing zeno behavior. Let us pinpoint some interesting aspects of I/O TCs:

- I/O interfaces allow simple syntactic checks that ensure non-zeno preservation under parallel composition.
- By using I/O interfaces it is possible to calculate, in a quite precise way, the influence of a component on the behavior of another component (see [8,10,11]). As far as we know, this is a completely new goal for I/O interfaces.
- Since I/O TCs are built on top of a simple notion of TAs "à la" Alur-Dill (with communication based on label sharing), they are immediately supported by several checking tools like Kronos [13], Uppaal [6], etc.
- I/O TCs are defined without resorting to "receptiveness games" like in live I/O Timed Automata [15], Reactive Modules [5], etc. Conditions for checking a good I/O label division are easy to automate.
- We believe that they are suitable to compactly model high-level non-blocking abstractions (see discussion in [8] and Sect. 3).
- With some extra constraints on I/O TCs, it is possible to apply "assume-guarantee"-style rules (e.g., [19]) for refinement checking. Like in [19], those constraints are not based on the more general but complicated receptiveness games [15,5]. Those constraints are not basic properties of I/O TCs (which are mainly inspired by non-zeno preservation). We think that this separation has theoretical and practical interest.
- I/O notions are rather independent of the underlying timed (or untimed^5) formalism used to describe the dynamics.
It is worth mentioning related work on preserving "reactivity and activity" of components. In [7], an algebraic framework based on the temporal properties of the synchronization operation is presented (they aim at getting high-level synchronization facilities). Our point of view is a functional classification of transitions. In that line of research, the authors of [19] present non-blocking Timed Processes to get a family of automata where they can apply an assume/guarantee style of reasoning. Communication between components is based on signal change instead of label sharing, and it is suited to circuit modeling. Differently from our approach, output changes are constrained to be non-transient and the update of inputs is independent from the update of outputs. Since that model is focused on breaking the circularity of assume-guarantee rules, the underlying notion of non-zenoness does not need to rule out black-alleys; instead, the definitions rule out forcing infinitely many transitions within a finite interval.

5 We believe that this I/O model can be adapted to the untimed framework by changing timed divergence conditions with fairness constraints [12,15], a usual way to specify progress in the untimed framework.
Liveness and I/O interfaces have been considered in a general setting for simulation proof methods "à la" Lynch-Vaandrager [15] geared towards theorem provers. In that work, Live Timed I/O Automata using a notion of "responsiveness" are defined based on games, which embeds several proposals for fair I/O timed systems [20,24], etc. A closer model is the Reactive Modules of [5]. Unlike our notions, it is based on receptiveness games to define non-blocking and on I/O variables to communicate modules.

In the next section we recall Timed Automata. In Sect. 3, we formally present I/O Timed Components. Some applications are mentioned in Sect. 4. Conditions to get an assume-guarantee rule are discussed in Sect. 5. Finally, we summarize the results and mention some future work.
2 Timed Automata

Timed Automata (TA) is one of the most widely used formalisms to model and analyze timed systems and is supported by several tools (e.g., [13,6,18], etc.). This presentation partially follows [26]. Given a finite set of clocks (non-negative real variables) $X = \{x_1, x_2, \ldots, x_n\}$, a valuation is a total function $v : X \xrightarrow{tot} \mathbb{R}_{\ge 0}$ where $v(x_i)$ is the value associated with clock $x_i$. We define $V_X$ as the set $[X \xrightarrow{tot} \mathbb{R}_{\ge 0}]$ of total functions mapping $X$ to $\mathbb{R}_{\ge 0}$. $\mathbf{0} \in V_X$ denotes the function that evaluates all clocks to 0. Given $v \in V_X$ and $t \in \mathbb{R}_{\ge 0}$, $v+t$ denotes the valuation that assigns to each clock $x \in X$ the value $v(x)+t$. Given a set of clocks $X$, a subset $\alpha \subseteq X$ and a valuation $v$, we define $Reset_{\alpha}(v)$ as the valuation that assigns zero to the clocks in $\alpha$ and keeps the same value as $v$ for the remaining clocks. Given a set of clocks $X$ we define the set of clock constraints $\Psi_X$ according to the grammar: $\Psi_X \ni \psi ::= x \sim c \mid x - x' \sim c \mid \psi \wedge \psi \mid \psi \vee \psi$, where $x, x' \in X$, $\sim \in \{<, \le, =, \ge, >\}$ and $c \in \mathbb{N}$.

A valuation $v \in V_X$ satisfies $\psi \in \Psi_X$ ($v \models \psi$) iff the expression evaluates to true when each clock is replaced with its current value specified in $v$.
Definition 2.1 [Timed Automata] A timed automaton (TA) is a tuple $A = \langle S, X, \Sigma, E, I, s_0 \rangle$ where $S$ is a finite set of locations, $X$ is a finite set of clocks, $\Sigma$ is a set of labels, $E$ is a finite set of edges (each edge $e \in E$ is a tuple $\langle s, a, \psi, \alpha, s' \rangle$ where: $s \in S$ is the source location, $s' \in S$ is the target location, $a \in \Sigma$ is the label, $\psi \in \Psi_X$ is the guard, $\alpha \subseteq X$ is the subset of clocks reset at the edge), $I : S \xrightarrow{tot} \Psi_X$ is a total function associating with each location a clock constraint called the location's Invariant, and $s_0 \in S$ is the initial location.
Given a TA $A = \langle S, X, \Sigma, E, I, s_0 \rangle$ we define $Locs(A) = S$, $Clocks(A) = X$, $Labels(A) = \Sigma$, $Edges(A) = E$, $Inv(A) = I$, $Init(A) = s_0$, and given an edge $e = \langle s, a, \psi, \alpha, s' \rangle \in E$ we define $src(e) = s$, $Label(e) = a$, $Guard(e) = \psi$, $Rst(e) = \alpha$, $tgt(e) = s'$. The State Space $Q_A$ of a TA $A$ is the set of states $(s, v) \in S \times V_X$ for which $v \models I(s)$, and $q_0 = (Init(A), \mathbf{0})$ is its initial state. Given a state $q = (s, v)$ we denote: $q + t = (s, v + t)$, $q^{@} = s$, and $q(x_i) = v(x_i)$.
The semantics of a TA $A$ can be given in terms of the Labeled Transition System (LTS) of $A$, denoted $G_A = \langle Q_A, q_0, \mapsto, \Sigma_\tau \rangle$. The relation $\mapsto$ is the set of (time or discrete) transitions between states. Let $t \in \mathbb{R}_{\ge 0}$; the state $(s, v)$ has a time transition to $(s, v + t)$, denoted $(s, v) \mapsto^{\tau}_{t} (s, v + t)$, if for all $t' \le t$, $v + t' \models I(s)$, where $\tau$ is a fictitious label. Let $\Sigma_\tau$ denote $\Sigma \cup \{\tau\}$. Let $e \in E$ be an edge; the state $(src(e), v)$ has a discrete transition to the state $(tgt(e), v')$, denoted $(src(e), v) \mapsto^{Label(e)}_{0} (tgt(e), v')$, if $v \models Guard(e)$ and $v' = Reset_{Rst(e)}(v)$.

We write $q \mapsto^{l}_{0}$ (the label $l \in \Sigma$ is enabled at the state $q \in Q_A$) if $q \mapsto^{l}_{0} q'$ for some $q' \in Q_A$. Given a subset $\Sigma' \subseteq \Sigma$, we write $q \mapsto^{\Sigma'}_{0}$ (all labels $l \in \Sigma'$ are enabled at the state $q \in Q_A$) if $q \mapsto^{l}_{0}$ for all $l \in \Sigma'$.
A finite run $r$ of $A$ starting at $q$ is a finite sequence $q \mapsto^{a_0}_{t_0} q_1 \mapsto^{a_1}_{t_1} \cdots \mapsto^{a_{n-1}}_{t_{n-1}} q_n$ of states and transitions in $G_A$. The time of occurrence of the $k$-th ($k \le n-1$) transition is equal to $\sum_{i=0}^{k-1} t_i$ and is denoted as $\theta_r(k)$. The time length of the run (denoted as $\theta_r$) is equal to $\theta_r(n)$. An infinite run is just an infinite sequence of states and transitions in $G_A$. The set of finite and infinite runs starting at $q$ is denoted as $R_A(q)$. We call $Lab(r)$ the set of all labels in the run $r$.

A divergent run is an infinite run such that $\sum_{i=0}^{\infty} t_i = \infty$. The set of divergent runs of a TA $A$ starting at state $q$ is denoted $R^{\infty}_A(q)$. A TA is non-zeno when any finite run starting at the initial state can be extended to a divergent run, that is, the set of finite runs is equal to the set of finite prefixes of divergent runs. We say that the state $q$ is reachable if there is a finite run starting at the initial state which ends at $q$; we denote the set of all reachable states of a TA $A$ as $Reach(A)$.
Given a run $r = q \mapsto^{a_0}_{t_0} q_1 \mapsto^{a_1}_{t_1} \cdots \mapsto^{a_{n-1}}_{t_{n-1}} q_n \cdots \in R_A(q)$, the exhibited timed-event sequence of $r$ is the sequence $r^{\Sigma_\tau} = (a_0, \theta_r(0)), (a_1, \theta_r(1)), (a_2, \theta_r(2)), \ldots, (a_{n-1}, \theta_r(n-1)), \ldots$ of pairs $(l, t) \in \Sigma_\tau \times \mathbb{R}_{\ge 0}$.

Given a run $r \in R_A(q)$ and a set of labels $L \subseteq \Sigma$, the exhibited timed-event sequence over $L$, denoted as $r^{L}$, is the maximum subsequence of $r^{\Sigma_\tau}$ containing pairs $(l, t)$ such that $l \in L$ (the sequence $r^{L}$ shows the $L$-labeled transitions and their time stamps). Given a timed-event sequence over $L$ named $r^{L}$, its length is denoted as $\#r^{L}$, its $k$-th pair (with $k < \#r^{L}$) is denoted as $r^{L}[k]$ and its prefix up to the $k$-th pair (with $k < \#r^{L}$) is denoted as $r^{L}[0 \ldots k]$. Given a pair $p = (l, t)$ in $r^{L}$, we define $lab(p) = l$ and $time(p) = t$.
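The definitions above (valuations, $Reset$, clock constraints, time and discrete transitions, runs, $\theta_r(k)$ and the exhibited sequence $r^{L}$) can be exercised on a concrete automaton. The following Python is an added example, not code from the paper: it builds a small constructed TA loosely modelled on the sender of Fig. 1 (the names SENDER, RUN, execute_run, holds_throughout and is_run are this example's own), checks that a given sequence of time and discrete transitions is a run of $G_A$ from $q_0$, and computes the occurrence times and the exhibited sequence over a label set. Clock values are exact rationals; the invariant check along a time transition samples every point where an atom $x \sim c$ can change truth value, which makes the "for all $t' \le t$" condition exact for the grammar above (difference constraints do not change under time elapse).

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, FrozenSet, List, Optional

TAU = "tau"  # fictitious label of time transitions

def elapse(v, t):
    """v + t: every clock advances by t (valuations are dicts clock -> Fraction)."""
    return {x: c + t for x, c in v.items()}

def reset(v, alpha):
    """Reset_alpha(v): clocks in alpha become 0, the others keep their value."""
    return {x: (Fraction(0) if x in alpha else c) for x, c in v.items()}

@dataclass(frozen=True)
class Atom:
    """x ~ c, or x - x2 ~ c when x2 is set; ~ is one of < <= = >= >."""
    x: str
    op: str
    c: int
    x2: Optional[str] = None

    def holds(self, v):
        lhs = v[self.x] - (v[self.x2] if self.x2 else 0)
        return {"<": lhs < self.c, "<=": lhs <= self.c, "=": lhs == self.c,
                ">=": lhs >= self.c, ">": lhs > self.c}[self.op]

def satisfies(v, psi):
    """v |= psi, where psi is None (true), an Atom, or ("and"|"or", left, right)."""
    if psi is None or isinstance(psi, Atom):
        return psi is None or psi.holds(v)
    op, left, right = psi
    return (satisfies(v, left) and satisfies(v, right)) if op == "and" else \
           (satisfies(v, left) or satisfies(v, right))

def atoms(psi):
    return [] if psi is None else [psi] if isinstance(psi, Atom) else atoms(psi[1]) + atoms(psi[2])

def holds_throughout(v, inv, t):
    """Time-transition condition: for all t' <= t, v + t' |= inv.  An atom x ~ c changes truth
    value only at t' = c - v(x) (difference atoms never change under elapse), so checking the
    endpoints, each such boundary inside (0, t) and a midpoint between consecutive points is
    exact and respects strict versus non-strict bounds."""
    pts = sorted({Fraction(0), t} | {Fraction(a.c) - v[a.x] for a in atoms(inv)
                                      if a.x2 is None and 0 < a.c - v[a.x] < t})
    samples = pts + [(p + q) / 2 for p, q in zip(pts, pts[1:])]
    return all(satisfies(elapse(v, s), inv) for s in samples)

@dataclass(frozen=True)
class Edge:
    src: str; label: str; guard: object; rst: FrozenSet[str]; tgt: str

@dataclass
class TA:
    clocks: FrozenSet[str]; edges: List[Edge]; inv: Dict[str, object]; init: str

def execute_run(ta, steps):
    """steps: (TAU, t) is a time transition, (a, 0) a discrete one.  Verifies the sequence is a
    run of G_A from q0 and returns (states, theta), theta[k] = sum_{i<k} t_i being the time of
    occurrence of the k-th transition."""
    loc, v, now = ta.init, {x: Fraction(0) for x in ta.clocks}, Fraction(0)
    if not satisfies(v, ta.inv.get(loc)):
        raise ValueError("initial state violates its invariant")
    states, theta = [(loc, dict(v))], []
    for k, (label, t) in enumerate(steps):
        t = Fraction(t)
        theta.append(now)
        if label == TAU:
            if not holds_throughout(v, ta.inv.get(loc), t):
                raise ValueError(f"step {k}: invariant of {loc} violated while {t} elapses")
            v, now = elapse(v, t), now + t
        else:
            if t != 0:
                raise ValueError(f"step {k}: discrete transitions take no time")
            for e in ta.edges:  # first enabled edge carrying that label
                if e.src == loc and e.label == label and satisfies(v, e.guard):
                    v2 = reset(v, e.rst)
                    if satisfies(v2, ta.inv.get(e.tgt)):
                        loc, v = e.tgt, v2
                        break
            else:
                raise ValueError(f"step {k}: {label} is not enabled at ({loc}, {v})")
        states.append((loc, dict(v)))
    return states, theta

def is_run(ta, steps):
    try:
        execute_run(ta, steps)
        return True
    except ValueError:
        return False

def exhibited_sequence(steps, theta, L=None):
    """r^{Sigma_tau} as (label, theta_r(k)) pairs, or its subsequence r^L when L is given."""
    seq = [(a, th) for (a, _), th in zip(steps, theta)]
    return seq if L is None else [p for p in seq if p[0] in L]

# Constructed sample TA, loosely modelled on the sender of Fig. 1: `send` is possible at least
# 1 time unit after entering `wait`; `trans` must be left through `end` exactly when x = 808.
SENDER = TA(
    clocks=frozenset({"x"}),
    edges=[Edge("wait", "send", Atom("x", ">=", 1), frozenset({"x"}), "trans"),
           Edge("trans", "end", Atom("x", "=", 808), frozenset({"x"}), "wait")],
    inv={"trans": Atom("x", "<=", 808)},
    init="wait")

# Constructed run: 1 unit elapses, send, 808 units elapse, end, 2.5 units elapse, send.
RUN = [(TAU, 1), ("send", 0), (TAU, 808), ("end", 0), (TAU, Fraction(5, 2)), ("send", 0)]
```

For RUN the occurrence times are $\theta_r = 0, 1, 1, 809, 809, 811.5$ and $r^{\{send, end\}} = (send, 1), (end, 809), (send, 811.5)$; a run that lets 900 units elapse in `trans` is rejected because the invariant $x \le 808$ breaks strictly inside the interval, which the sampled check catches.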
Given two TAs $A$ and $A'$ and a set of labels $L \subseteq \Sigma \cap \Sigma'$, we say that $A \preceq_{L} A'$ ($A$ is a refinement of $A'$ w.r.t. $L$) iff for every finite run $r \in R_A(q_0)$ there exists a run $r' \in R_{A'}(q'_0)$ such that $\theta_r = \theta_{r'}$ and $r^{L} = r'^{L}$.
The parallel composition of TAs is defined over the classical synchronous product of automata.

Definition 2.2 [Parallel composition] Given two TA $A_1 = \langle S_1, X_1, \Sigma_1, E_1, I_1, s^0_1 \rangle$ and $A_2 = \langle S_2, X_2, \Sigma_2, E_2, I_2, s^0_2 \rangle$ where $X_1 \cap X_2 = \emptyset$. Let $E'$ be the set of edges defined over $S_1 \times S_2$ as follows:

$\langle (s_1, s_2), a, \psi, \alpha, (s'_1, s'_2) \rangle \in E' \iff$
  $\langle s_1, a, \psi, \alpha, s'_1 \rangle \in E_1 \wedge a \notin \Sigma_{\|} \wedge s_2 = s'_2$, or
  $\langle s_2, a, \psi, \alpha, s'_2 \rangle \in E_2 \wedge a \notin \Sigma_{\|} \wedge s_1 = s'_1$, or
  $\langle s_i, a, \psi_i, \alpha_i, s'_i \rangle \in E_i$ (for $i = 1, 2$) $\wedge\ a \in \Sigma_{\|} \wedge \psi = (\psi_1 \wedge \psi_2) \wedge \alpha = \alpha_1 \cup \alpha_2$

where $\Sigma_{\|} = \Sigma_1 \cap \Sigma_2$.

The parallel composition $A_1 \| A_2$ is defined as $A = \langle S, X_1 \cup X_2, \Sigma_1 \cup \Sigma_2, E, I, (s^0_1, s^0_2) \rangle$ where $S \subseteq S_1 \times S_2$ is the set of locations reachable by traversing the edges of $E'$ from the initial location $(s^0_1, s^0_2)$, $E \subseteq E'$ is the subset of edges with source and target in $S$, and for all $(s_1, s_2) \in S$, $I((s_1, s_2)) = I_1(s_1) \wedge I_2(s_2)$.

The $\|$ operator is commutative and associative. We will denote by $\|_{i \in I} A_i$ the parallel composition of an indexed set of TA. If $q$ is a state of that parallel composition, $\pi_i(q)$ will denote the local state of TA $A_i$ (location and local clock values).
3 I/O Timed Components

In this section we define I/O concepts formally.

Given a TA $A$, we will divide $Labels(A)$ (its set of labels) into three sets: $In_A$ (input labels), $Out_A$ (output labels) and $\Theta_A$ (internal labels), such that $\{In_A, Out_A, \Theta_A\} \in Part(Labels(A))$, where $Part(S)$ is the set of all partitions of the set $S$. We define the set $Exp_A$ of exported labels (or interface labels) of $A$ as $Exp_A = In_A \cup Out_A$.

A set of input selections of $A$ is a set $\mathcal{I}_A = \{I^A_1, I^A_2, \ldots, I^A_k\} \in Part(In_A)$; a set of output selections of $A$ is a set $\mathcal{O}_A = \{O^A_1, O^A_2, \ldots, O^A_h\} \in Part(Out_A)$. Note that $\mathcal{I}_A \cup \mathcal{O}_A \cup \{\Theta_A\} \in Part(Labels(A))$.

Let us define what a correct I/O (uncontrollable/controllable) interface of labels is for a TA.
Definition 3.1 [Admissible Input/Output interface for a TA] Given a non-zeno TA $A$, and the sets $\mathcal{I}_A, \mathcal{O}_A$ of input and output selections of $A$, the pair $(\mathcal{I}_A, \mathcal{O}_A)$ is an admissible input/output interface for $A$ iff the following conditions hold for any state $q \in Reach(A)$:

(i) for any input selection $I^A_n \in \mathcal{I}_A$ there exists a label $i \in I^A_n$ such that $q \mapsto^{i}_{0}$. That is, given any input selection $I^A_n \in \mathcal{I}_A$, the TA can always synchronize using some of the labels of $I^A_n$ (there is always at least one alternative of every input selection enabled at each state).
(ii) there exists a run $r \in R^{\infty}_A(q)$ such that $Lab(r) \cap In_A = \emptyset$. Input is not mandatory and thus non-zenoness must be guaranteed without it^6.
(iii) for any output selection $O^A_m \in \mathcal{O}_A$, if there exists a label $o \in O^A_m$ such that $q \mapsto^{o}_{0}$ then $q \mapsto^{O^A_m}_{0}$. All labels of an output selection are simultaneously enabled or disabled.
(iv) for any run $r \in R_A(q)$, if a label $o \in Out_A$ appears an infinite number of times in $r$, then necessarily $r \in R^{\infty}_A(q)$ (non-transientness of outputs^7).

In Appendix A.1 we show how to check I/O admissibility.
Definition 3.2 [I/O TCs] An I/O Timed Component (or I/O TC) is a tuple $(A, (\mathcal{I}_A, \mathcal{O}_A))$ where $A$ is a non-zeno TA and $(\mathcal{I}_A, \mathcal{O}_A)$ is an admissible I/O interface for $A$.

An output selection of size greater than one models alternative behaviors of the component according to the state of the component exporting those labels as an input selection (similar to an external non-deterministic choice in Process Algebra-like notations, see Example 3.4).

Given an I/O TC $C = (A, (\mathcal{I}_A, \mathcal{O}_A))$, $C$ may also denote the underlying TA $A$ when it can be deduced from the context. Thus, operations performed on I/O TCs should be understood as operations on their underlying TAs.
Definition 3.3 [Compatible Components] Given two I/O TCs $C_1 = (A_1, (\mathcal{I}_{A_1}, \mathcal{O}_{A_1}))$ and $C_2 = (A_2, (\mathcal{I}_{A_2}, \mathcal{O}_{A_2}))$, they are compatible components if and only if:

(i) $Labels(A_1) \cap Labels(A_2) \subseteq Exp_{A_1} \cap Exp_{A_2}$ (i.e., all common labels are exported by both $A_1$ and $A_2$),
(ii) for all $I^{A_1}_n \in \mathcal{I}_{A_1}$ and $I^{A_2}_m \in \mathcal{I}_{A_2}$, if $\#I^{A_1}_n > 1$ and $\#I^{A_2}_m > 1$ then $I^{A_1}_n \cap I^{A_2}_m = \emptyset$ (the intersection of input selections of size greater than one must be empty),
(iii) $Out_{A_1} \cap Out_{A_2} = \emptyset$ (the components don't share output labels),
(iv) for all $I \in \mathcal{I}_{A_1} \cup \mathcal{I}_{A_2}$ and $O \in \mathcal{O}_{A_1} \cup \mathcal{O}_{A_2}$, either $I \cap O = \emptyset$ or $I \subseteq O$ (an output selection covers all the input alternatives).

We refer to a set of pair-wise compatible components as a compatible set of components. I/O compatibility means that the underlying TAs cannot block each other; moreover, we will show that the composition of compatible components is itself a component and therefore a non-zeno automaton.

6 Note that this property is stronger than non-zenoness since it also requires time divergence avoiding input-labeled transitions. It is similar to progressiveness in [22] and feasibility in [24].
7 This requirement together with the previous divergence property (item (ii) of Def. 3.1) and non-zenoness of the underlying TA are closely related to the notion of Strong I/O Feasibility of [24].
Example 3.4 CSMA/CD (Carrier Sense, Multiple Access with Collision Detection) is a widely used protocol on LANs at the MAC sublayer. It solves the problem of sharing a single channel in a broadcast network (a multi-access channel). When a station has data to send it first listens to the channel to check whether it is idle or busy. If the bus seems idle it begins sending the message, else it waits a random amount of time and then repeats the sensing operation. When a collision occurs, the transmission is aborted simultaneously in all the stations that were transmitting and they wait a random time to start all over again. We formally model the timing aspects of the protocol using I/O timed components (see Fig. 1) based on the model presented in [21]. Sender components share a bus component. We suppose that the bus is a 10Mbps Ethernet with worst-case propagation delay $\sigma$ of 26 ms. Messages have a fixed length of 1024 bytes, and so the time $\lambda$ to send a complete message, including the propagation delay, is 808 ms. The bus is error-free, and no buffering of incoming messages is allowed. Note that $\{SendOK_i, SendBusy_i\}$ is an output selection of sender $i$ and the selection depends on the input actually enabled in the bus state. In fact, $SendBusy_i$ is enabled when the head of a message has already propagated. It takes at most $\sigma$ to propagate the collision signal to all the senders. The sender stays at most $\lambda$ in the transmission location. Note also that the sender non-deterministically makes a new attempt to send before $2\sigma$ has elapsed since the last attempt. In models like Timed Processes [19], it would be necessary for the sender component to issue a signal standing for the sensing of the bus state, and then wait for the status answer of the bus component (which cannot arrive at zero time due to a "non-immediate response" constraint in that model). That two-phase modeling idiom, common in software models, can be reduced in our modeling framework using appropriate Input and Output selections.

In [8], the reader can find how several examples taken from the literature are modeled as I/O TCs.
[Fig. 1 (figure): I/O Components of the CSMA/CD Protocol. Two automata are drawn. SENDER 1 has clock x1, locations wait, trans and retry, and interface I={{collision}}, O={{send1ok,send1busy},{end1}}; the constraints visible on its edges and locations are x1>=1, x1<52, x1=808 (on end1) and the invariant x1<=808, with resets of {x1}. BUS has clock y, locations wait, send1ok and send2ok, and interface I={{send1ok,send1busy},{end1},{end2},{send2ok,send2busy}}, O={{collision}}; the constraints visible are y<26, y>=26 and y>1, with resets of {y}.]
Fig. 1. I/O Components of the CSMA/CD Protocol

3.1 I/O Components: Composition and Non-Zenoness

Let us state some results that help to prove that a TA-model is non-zeno. Firstly, we will see how an admissible interface can be derived for the parallel composition of two compatible I/O TCs. This is a rather strong result which implies the following fact: given two compatible I/O TCs $C_1$ and $C_2$, the composition, which turns out to be non-zeno, is also an I/O TC (i.e., $A_1 \| A_2$ is non-zeno and moreover it can be given an admissible I/O interface). Briefly, the new input interface is constituted by the original input selections that do not lose the "selectivity property" of item (i) of Def. 3.1. That property is preserved for any input selection whenever there is no matching output selection and it is not properly included in another input selection.

Something similar can be done to build the new output interface. Since output selections that intersect with input selections of size greater than one may lose the simultaneous availability property (item (iii) of Def. 3.1), they are not part of the new output selections. However, all the labels of those "lost" output selections can be safely added as output selections of size 1 (singletons trivially satisfy item (iii) of Def. 3.1). Thus, all exported labels of the components are exported in the composition. This fact is important to prove that this construction can be generalized to the parallel composition of $n$ components:
Theorem 3.5 Given an indexed set $S = \{(A_i, (\mathcal{I}_{A_i}, \mathcal{O}_{A_i}))\}_{1 \le i \le n}$ of $n$ I/O TCs such that they are pair-wise compatible, we define the sets $\mathcal{I}^{\cup}_A = \bigcup_{1 \le i \le n} \mathcal{I}_{A_i}$, $\mathcal{I}^{>1}_A = \bigcup_{1 \le i \le n} \{I \in \mathcal{I}_{A_i} \mid \#I > 1\}$, $\mathcal{O}^{\cup}_A = \bigcup_{1 \le i \le n} \mathcal{O}_{A_i}$.
$(A, (\mathcal{I}_A, \mathcal{O}_A))$ is a component where:

  $A = \|_{1 \le i \le n} A_i$
  $\mathcal{I}_A = \{ I \in \mathcal{I}^{\cup}_A \mid \forall I' \in \mathcal{I}^{\cup}_A : I \not\subsetneq I' \ \wedge\ \forall O' \in \mathcal{O}^{\cup}_A : I \cap O' = \emptyset \}$ and
  $\mathcal{O}_A = \{ O \in \mathcal{O}^{\cup}_A \mid \forall I' \in \mathcal{I}^{>1}_A : I' \cap O = \emptyset \} \cup \{ \{o\} \mid o \in O \in \mathcal{O}^{\cup}_A \ \wedge\ \exists I' \in \mathcal{I}^{>1}_A : I' \cap O \neq \emptyset \}$

Proof. See Appendix A. The basic idea is that, from the point of view of a component, its partners do not block its outputs: they just select them (items (i) and (iii) of Def. 3.1); also, it does not require inputs to allow time to elapse (item (ii) of Def. 3.1). On the other hand, a subset of I/O TCs cannot engage in an infinite activity in a finite interval of time since this is ruled out by item (iv) of Def. 3.1. □
In Example 3.4 the resulting interface of the parallel composition $A =_{def} SENDER_1 \| BUS$ is $\mathcal{I}_A = \{\{Send2ok, Send2Busy\}, \{end2\}\}$, $\mathcal{O}_A = \{\{end1\}, \{Send1ok\}, \{Send1Busy\}, \{collision\}\}$. Note that since the simultaneous availability of the output selection $\{Send1ok, Send1Busy\}$ is lost, its labels become singleton output selections.
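The interface just stated can be recomputed mechanically. The following Python is an added example, not code from the paper or from the tools it cites: it encodes the syntactic compatibility conditions of Def. 3.3 and the interface construction of Theorem 3.5 over selections represented as frozensets of label names, reads the SENDER_1 and BUS interfaces off Fig. 1, and adds a SENDER_2 constructed by symmetry to show the $n$-component case. Admissibility of each component (Def. 3.1) is a semantic property of its TA and is assumed here; the names Interface, compatibility_violations, compose and sel are this example's own.

```python
from itertools import combinations
from typing import FrozenSet, Iterable, List


def sel(*labels: str) -> FrozenSet[str]:
    """An input or output selection is a set of labels."""
    return frozenset(labels)


class Interface:
    """The I/O interface (I_A, O_A) of a component plus its internal labels.
    Admissibility (Def. 3.1) is a property of the underlying TA and is assumed."""

    def __init__(self, name, inputs, outputs, internal=()):
        self.name = name
        self.inputs = frozenset(inputs)
        self.outputs = frozenset(outputs)
        self.internal = frozenset(internal)
        for fam in (self.inputs, self.outputs):  # selections must partition In_A / Out_A
            if any(len(s) == 0 for s in fam) or any(a & b for a, b in combinations(fam, 2)):
                raise ValueError(f"{name}: selections must be non-empty and pairwise disjoint")
        if self.In & self.Out or (self.In | self.Out) & self.internal:
            raise ValueError(f"{name}: In, Out and internal labels must be disjoint")

    @property
    def In(self): return frozenset().union(*self.inputs)
    @property
    def Out(self): return frozenset().union(*self.outputs)
    @property
    def Exp(self): return self.In | self.Out
    @property
    def labels(self): return self.Exp | self.internal


def compatibility_violations(c1: Interface, c2: Interface) -> List[str]:
    """Syntactic check of Def. 3.3; an empty list means C1 and C2 are compatible."""
    v = []
    if not (c1.labels & c2.labels) <= (c1.Exp & c2.Exp):
        v.append("(i) a shared label is not exported by both components")
    for I in c1.inputs:
        for J in c2.inputs:
            if len(I) > 1 and len(J) > 1 and I & J:
                v.append(f"(ii) input selections {set(I)} and {set(J)} overlap")
    if c1.Out & c2.Out:
        v.append(f"(iii) shared output labels {set(c1.Out & c2.Out)}")
    for I in c1.inputs | c2.inputs:
        for O in c1.outputs | c2.outputs:
            if I & O and not I <= O:
                v.append(f"(iv) output selection {set(O)} does not cover input selection {set(I)}")
    return v


def compose(components: Iterable[Interface]) -> Interface:
    """Interface of ||_i A_i for pairwise compatible components, following Theorem 3.5."""
    comps = list(components)
    for a, b in combinations(comps, 2):
        bad = compatibility_violations(a, b)
        if bad:
            raise ValueError(f"{a.name} and {b.name} are not compatible: {bad}")
    all_in = frozenset().union(*(c.inputs for c in comps))
    big_in = {I for I in all_in if len(I) > 1}            # I_A^{>1}
    all_out = frozenset().union(*(c.outputs for c in comps))
    # keep the input selections that retain item (i) of Def. 3.1: not properly included in
    # another input selection and not matched by any output selection
    new_in = {I for I in all_in
              if not any(I < J for J in all_in) and not any(I & O for O in all_out)}
    # output selections matched by a multi-label input selection may lose simultaneous
    # availability (item (iii)); they are split into singletons, the others are kept
    new_out = {O for O in all_out if not any(I & O for I in big_in)}
    new_out |= {sel(o) for O in all_out if any(I & O for I in big_in) for o in O}
    result = Interface("||".join(c.name for c in comps), new_in, new_out,
                       frozenset().union(*(c.internal for c in comps)))
    # sanity check from the text: every exported label stays exported in the composition
    assert result.Exp == frozenset().union(*(c.Exp for c in comps))
    return result


# Interfaces read off Fig. 1 (SENDER 1 and BUS); SENDER2 is constructed by symmetry.
SENDER1 = Interface("SENDER1", [sel("collision")], [sel("send1ok", "send1busy"), sel("end1")])
SENDER2 = Interface("SENDER2", [sel("collision")], [sel("send2ok", "send2busy"), sel("end2")])
BUS = Interface("BUS",
                [sel("send1ok", "send1busy"), sel("end1"), sel("end2"), sel("send2ok", "send2busy")],
                [sel("collision")])
```

compose([SENDER1, BUS]) yields exactly the interface stated above: inputs {send2ok, send2busy} and {end2}, outputs {end1}, {send1ok}, {send1busy} and {collision}. Composing all three components leaves no input selection at all and seven singleton output selections, which is the closed system. A component that also emitted collision would be reported under condition (iii) before any composition is attempted.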
4 Applications of I/O TCs

Non-Zeno Models:
Compatibility is a syntactic condition that ensures non-zenoness of the resulting parallel composition. As was already said, non-zenoness is a property required to perform some verification procedures. In [8,9] we model Real-Time System execution architectures by means of I/O TCs. We use I/O compatibility to ensure that the I/O TCs modeling the connectors and the environment do not block the rest of the system (the tasks). As was already explained, I/O selections may be a useful mechanism to model, in a single transition, action/result on software entities.

Reduction:
Safety requirements are commonly modeled by means of virtual components (Observers) which are composed in parallel with the system under analysis (SUA) (e.g., [1,9]). In [8,10,11] we present a technique that, given the SUA and an observer, builds a smaller parallel composition equivalent to the original one up to the branching structure of the LTS. In a few words, we develop a technique that calculates the components that may be forgotten at each observer location since their future behavior does not influence the future evolution of the SUA up to the observer. Under some reasonable assumptions on the topology of the observers, those remaining sets (the relevant components) are proper subsets of the set of all components. The time needed for verification is drastically reduced in some cases. The core of that technique is a notion of potential "direct influence" of an automaton's behavior over another automaton's behavior. A naive solution would say that an automaton A potentially influences another automaton B iff they share a label. Unfortunately, this would lead to a rather large symmetrical overestimation. Then, by using the I/O interface attached to TAs, we are able to define an asymmetrical condition of behavioral influence that can be statically checked. That is, we provide a better overestimation of potential influence than simple label sharing. It is worth mentioning that the technique presented in [16] is based on a simpler notion of I/O interface than the one presented in this article. The details of that "relevance calculus" using the definitions of this paper can be found in [8,10,11].
5 On Breaking Circularity in Assume-Guarantee Rules

The authors of [19] present a simple modularity principle for abstraction relations in Timed Processes. The assume-guarantee rule has an apparent circularity: to prove that $A \| B$ is a refinement of $A' \| B'$ it suffices to prove that (1) $A$ is a refinement of $A'$ assuming that the environment behaves like $B'$, and (2) $B$ is a refinement of $B'$ assuming that the environment behaves like $A'$. For this rule to be true in our setting, we have to add a couple of conditions. Firstly, let us define when a state is non-urgent from the point of view of outputs.

Definition 5.1 [Non-Urgent state] Given an I/O TC $C = (A, (\mathcal{I}_A, \mathcal{O}_A))$, a state $q$ is not output urgent (denoted as $NU(q)$) iff there exists a run $r \in R_A(q)$ such that $0 < \theta_r$ and $Lab(r) \subseteq \Theta_A$.

Definition 5.2 [Non-Blocking Extra Conditions] We say that an I/O TC satisfies the Non-Blocking Extra Conditions if and only if:
(i) Guards and Invariants are closed predicates (i.e., their binary relations are only $\le$, $=$ or $\ge$).
(ii) Inputs do not disable nor enable urgent outputs: given a state $q \in Reach(A)$ and a label $i \in In_A$, if $q \mapsto^{i}_{0} q'$ then $NU(q)$ iff $NU(q')$^8.

It is easy to see that those properties are preserved by parallel composition $A = \|_{j \in J} A_j$. Firstly note that the guards and invariants of $A$ are inherited from the components $A_j$. For item (ii) of Def. 5.2, if $q \mapsto^{i}_{0} q'$ then $i$ is an unmatched input of one component, namely $k$, and thus $q$ and $q'$ just differ in the local state of $k$. Also, $NU(q)$ if and only if for all $j \in J$, $NU(\pi_j(q))$ (since the set of internal labels of the composition $A$ is the union of the internal labels of the components $A_j$). Therefore, $NU(q)$ iff $NU(q')$ since $NU(\pi_k(q))$ iff $NU(\pi_k(q'))$ and the rest of the components remain the same.

Theorem 5.3 (Assume/Guarantee) Given I/O TCs $A, B, A', B'$ satisfying the non-blocking extra conditions such that $A$ and $B$ are I/O compatible, and $A'$ and $B'$ have the same I/O interfaces as $A$ and $B$ resp.: if $(A \| B') \preceq_{Exp_A} A'$ and $(A' \| B) \preceq_{Exp_B} B'$ then $(A \| B) \preceq_{Exp_A \cup Exp_B} (A' \| B')$.

Proof. See appendix. □

8 This property can be checked, for instance, using the verification engine of the Kronos tool [13].
6 Conclusions and Future Work

We present I/O Timed Components, a simple compositional notion that extends Timed Automata "à la" Alur-Dill to get live non-zeno models [8], also providing some important methodological advantages like influence detection [10]. Assume-guarantee modular reasoning like [19] is obtained by adding a couple of constraints to I/O TCs without resorting to games. In our opinion, keeping non-zeno preservation conditions apart from the ones that break circularity in assume-guarantee reasoning has practical and theoretical value.

We believe that the admissible interfaces of a TA could be ordered according to the information they provide about the availability of labels. That is, $(\mathcal{I}_1, \mathcal{O}_1) \preceq (\mathcal{I}_2, \mathcal{O}_2)$ iff the admissibility of the interface $(\mathcal{I}_1, \mathcal{O}_1)$ for a TA $A$ implies the admissibility of $(\mathcal{I}_2, \mathcal{O}_2)$ for $A$. We would like to study whether this relationship between interfaces could be a declarative way to define the I/O interface of the composition.

We would like to study how to express and generalize our idea in terms of the Interface Theories framework [14].

Conditions for assume-guarantee could be weakened, for instance: it is sufficient for $A$ and $B$ to satisfy that inputs do not enable urgent outputs, and for $A'$ and $B'$ to satisfy that inputs do not disable urgent outputs.
References

[1] Alpern, B., and F. Schneider, Verifying Temporal Properties without Temporal Logic, ACM Trans. Programming Languages and Systems, 11 (1) (1989), 147–167.
[2] Alur, R., "Techniques for Automatic Verification of Real-Time Systems," Ph.D. thesis, Stanford University, 1991.
[3] Alur, R., C. Courcoubetis, and D. Dill, Model-Checking for Real-Time Systems, In Proceedings of Logic in Computer Science, IEEE Computer Society, Los Alamitos, Calif., 414–425, 1990. Also in Information and Computation, 104 (1) (1993), 2–34.
[4] Alur, R., and D. Dill, A Theory of Timed Automata, Theoretical Computer Science, 126 (1994), 183–235.
[5] Alur, R., and T. Henzinger, Modularity for Timed and Hybrid Systems, In Proceedings of CONCUR'97, LNCS 1243, 1997.
[6] Bengtsson, J., K.G. Larsen, F. Larsson, P. Pettersson, and W. Yi, UPPAAL - A Tool Suite for the Automatic Verification of Real-Time Systems, In Proceedings of Hybrid Systems III, LNCS 1066, Springer Verlag, 1996, 232–243.
[7] Bornot, S., and J. Sifakis, An Algebraic Framework for Urgency, To appear in Information and Computation, Academic Press.
[8] Braberman, V., "Modeling and Checking Real-Time System Designs," Ph.D. Thesis, Universidad de Buenos Aires, 2000.
[9] Braberman, V., and M. Felder, Verification of Real-Time Designs: Combining Scheduling Theory with Automatic Formal Verification, In Proceedings of 7th European Conf. on Software Eng./7th ACM SIGSOFT Symposium on the Foundations of Software Eng. (ESEC/FSE 99), LNCS 1687, Springer Verlag, Sept. 1999, 494–510.
[10] Braberman, V., D. Garbervetski, and A. Olivero, Improving the Verification of Timed Systems using Influence Information, Submitted to TACAS 2002.
[11] Braberman, V., D. Garbervetski, and A. Olivero, "Influence Information to Improve the Verification of Timed Systems," Tech. Report DC-UBA 2001-003.
[12] Clarke, E., O. Grumberg, and D. Peled, "Model Checking," MIT Press, January (2000), 330 pp.
[13] Daws, C., A. Olivero, S. Tripakis, and S. Yovine, The Tool KRONOS, In Proceedings of Hybrid Systems III, LNCS 1066, Springer Verlag, 1996, 208–219.
[14] de Alfaro, L., and T.A. Henzinger, Interface Theories for Component-based Design, In Proceedings of EMSOFT 01: Embedded Software, LNCS 2211, Springer Verlag, 148–165, 2001.
[15] Gawlick, R., R. Segala, J. Sogaard-Andersen, and N. Lynch, Liveness in Timed and Untimed Systems, In Proceedings of ICALP, LNCS 820, Springer Verlag, 166–177, 1994. Also in Information and Computation (1998).
[16] Garbervetsky, G., "Un Metodo de Reduccion para la Composicion de Sistemas Temporizados," Master Thesis, Universidad de Buenos Aires, 2000.
[17] Henzinger, T.A., X. Nicollin, J. Sifakis, and S. Yovine, Symbolic model checking for real-time systems, Information and Computation, 111 (2) (1994), 193–244.
[18] Larsen, K.G., and F. Laroussinie, CMC: A Tool for Compositional Model-Checking of Real-Time Systems, In Proceedings of FORTE-PSTV'98, 439–456, Kluwer Academic Publishers, 1998.
[19] Kurshan, R. P., S. Tasiran, R. Alur, and R. K. Brayton, Verifying Abstractions of Timed Systems, In Proceedings of CONCUR 96, LNCS 1119, Springer Verlag, 1996.
[20] Merritt, M., F. Modugno, and M. Tuttle, Time Constrained Automata, In Proceedings of CONCUR'91, LNCS 527, Springer Verlag, 1991.
[21] Nicollin, X., J. Sifakis, and S. Yovine, Compiling Real-Time Specifications into Extended Automata, IEEE Trans. on Soft. Eng., Vol. 18 (9) (1992), 794–804.
[22] Springintveld, J., F. Vaandrager, and P. D'Argenio, Testing Timed Automata, To appear in Theoretical Computer Science, 254 (1-2) (2001), 225–257.
[23] Tripakis, S., "L'Analyse Formelle des Systemes Temporises en Pratique," Ph.D. Thesis, Université Joseph Fourier, December 1998.
[24] Vaandrager, F., and N. Lynch, Action Transducers and Timed Automata, In Proceedings of CONCUR'92, LNCS 630, 436–455, 1992.
[25] Yi, Wang, Real-Time Behavior of Asynchronous Agents, In Proceedings of CONCUR'90, LNCS 458, Springer Verlag, 1990.
[26] Yovine, S., Model-Checking Timed Automata, in Embedded Systems, G. Rozemberg and F. Vaandrager eds., LNCS 1494, Springer Verlag, 1998.
Appendix
A On I/O Timed Components
Lemma A.1 Given two I/O-compatible components C
1
= (A
1
; (I
A
1
; O
A
1
))
and C
2
= (A
2
; (I
A
2
; O
A
2
)), we dene the sets I
A
= I
A
1
[ I
A
2
, I
A
>1
= fI 2
I
A
=#I > 1g, O
A
= O
A
1
[O
A
2
.
C = (A; (I
A
; O
A
)) is a component where:
A = A
1
k A
2
I
A
= fI 2 I
A
= 8I
0
2 I
A
: I 6 I
0
^ 8O
0
2 O
A
: I \ O
0
= ;g and,
O
A
= fO 2 O
A
= 8I
0
2 I
A
>1
: I
0
\O = ;g[ffog=o 2 O 2 O
A
^9I
0
2 I
A
>1
:
I
0
\O 6= ;g
Proof. The most difficult point is the proof that $A_1 \parallel A_2$ is indeed non-zeno regardless of input transitions (item (ii), Def. 3.1). We will see that any state reachable by a finite run is not a timelock. Moreover, time can elapse avoiding input transitions. Let $q$ be a state reachable by a finite run of $A_1 \parallel A_2$; then $q_1 = \pi_{A_1}(q)$ and $q_2 = \pi_{A_2}(q)$ are reachable states (by finite runs) of $A_1$ and $A_2$ resp. Let $k \in \mathbb{R}_{\geq 0}$ be a constant. From the definition of component, there must be runs $r_1$ and $r_2$ starting in $q_1$ and $q_2$ resp. of time length equal to $k$ such that $r_1$ does not contain any transition with label in $In_{A_1}$ and $r_2$ does not contain any transition with label in $In_{A_2}$ (thus they do not contain any label in $\mathcal{I}_A$). Now, we show a procedure to obtain a run $r$ of $A_1 \parallel A_2$ from $r_1$ and $r_2$. To obtain such a run, we need to merge $r_1$ and $r_2$. If the discrete transitions of $r_1$ and $r_2$ are sorted according to their time of occurrence, it is easy to combine them, obtaining $r$ up to the first output-labeled transition that is shared with the other automaton. To outline the merge, let
$r_1 = q_1 \xrightarrow{l_1, t_1} q^1_1 \xrightarrow{l_2, t_2} \dots q^1_n$, and $r_2 = q_2 \xrightarrow{l'_1, t'_1} q^2_1 \xrightarrow{l'_2, t'_2} \dots q^2_{n'}$.
Now, suppose that $t_1 \leq t'_1$ (the other case is symmetrical) and $l_1$ is not shared by $A_2$ (or it is $\tau$). Then, thanks to the interleaving semantics of parallel composition, the resulting run $r$ can be built as follows: $r = q \xrightarrow{l_1, t_1} (q^1_1, q_2 + t_1)$ concatenated with the run obtained using the same procedure from $(q^1_1, q_2 + t_1)$ with $r_1 = q^1_1 \xrightarrow{l_2, t_2} \dots$ and $r_2 = q_2 + t_1 \xrightarrow{l'_1, t'_1 - t_1} q^2_1 \xrightarrow{l'_2, t'_2} \dots q^2_{n'}$. Clearly this procedure can be iterated finitely until we reach the end of both runs (the variant is the sum of the number of transitions of both runs), thus obtaining a run of $A$ of time length $k$, or until a shared label is found.⁹
Without loss of generality, let us suppose that the earliest still non-synchronized shared output transition $q_j \xrightarrow{o, 0} q_{j+1}$ belongs to $r_1$ and $o \in O \in O_{A_1}$. Let $I \in I_{A_2}$, $I \subseteq O$, be the corresponding matching input selection (i.e., $o \in I$) given by compatibility (item (iv), Def. 3.3). By definition of input selection, there is a transition labeled $i' \in I$ enabled in $A_2$ at the time of occurrence of that $j$-th transition. By definition of output selection, at $q_j$ there must also be a discrete transition $q_j \xrightarrow{i', 0} s$. By applying this procedure, we can fix up both runs to get a finite run starting at $q$ such that either it has time length $k$ or it ends with an output transition into an intermediate state $q'$. Therefore, since both TA are non-transient for output-labeled transitions (item (iv) of I/O interface admissibility), by repeating the whole procedure from those intermediate states (i.e., obtaining new $r_1$, $r_2$, etc.), a run of time length $k$ is eventually built (if not, either the projection of that infinite run on $A_1$ or on $A_2$ would show an infinite number of output-labeled transitions, and since there is a finite number of labels at least one output label would be repeated infinitely often, thus violating item (iv) of I/O interface admissibility). The rest of the items of the I/O interface are proven as follows:
• The new input and output labels are disjoint (input selections intersecting with output selections are not part of the new interface).
• Input Selection Property (item (i)): given a state $q$ of $A$ and an input selection $I$ of $I_A$, we know that $I$ belongs either to $I_{A_1}$ or to $I_{A_2}$. Without loss of generality, let us suppose that it belongs to $I_{A_1}$. Then, there exists $i \in I$ such that $\pi_{A_1}(q) \xrightarrow{i, 0} r$. We also know that if $i \in Labels(A_2)$ then $\{i\} \in I_{A_2}$ (input selection of size 1) and thus there exists $s$ such that $\pi_{A_2}(q) \xrightarrow{i, 0} s$, and then $q \xrightarrow{i, 0} (r, s)$.
• Output Selection Property (item (iii)): similar to the previous one.
• Finally, a run containing an infinite number of internal or output-labeled transitions is necessarily time-divergent (item (iv)). Indeed, any run of $A$ can be projected into a run of $A_1$ and a run of $A_2$, and one of those runs must exhibit an infinite number of output or internal transitions and therefore diverge. □
⁹ Note that if one of the runs is empty then only a set of discrete (0 time) transitions remains in the other run (both have originally the same time length) and therefore we can omit that suffix, since we have already built a run of time length $k$.
Theorem 3.5
Given an indexed set $S = \{(A_i, (I_{A_i}, O_{A_i}))\}_{1 \leq i \leq N}$ of $N$ I/O TCs that are pairwise compatible, we define the sets $\mathcal{I}_{A_n} = \bigcup_{1 \leq i \leq n} I_{A_i}$, $\mathcal{I}^{>1}_{A_n} = \bigcup_{1 \leq i \leq n} \{I \in I_{A_i} \mid \#I > 1\}$, $\mathcal{O}_{A_n} = \bigcup_{1 \leq i \leq n} O_{A_i}$.
$C = (A, (I_A, O_A))$ is a component where:
$A = \parallel_{1 \leq i \leq N} A_i$
$I_A = \{I \in \mathcal{I}_{A_N} \mid \forall I' \in \mathcal{I}_{A_N} : I \not\subset I' \wedge \forall O' \in \mathcal{O}_{A_N} : I \cap O' = \emptyset\}$ and,
$O_A = \{O \in \mathcal{O}_{A_N} \mid \forall I' \in \mathcal{I}^{>1}_{A_N} : I' \cap O = \emptyset\} \cup \{\{o\} \mid o \in O \in \mathcal{O}_{A_N} \wedge \exists I' \in \mathcal{I}^{>1}_{A_N} : I' \cap O \neq \emptyset\}$
Proof. By induction. The base case is solved by the last lemma. Case $n+1$. By inductive hypothesis we know that $C_n = (A_n, (I_n, O_n))$ is a component where:
$A_n = \parallel_{1 \leq i \leq n} A_i$
$I_n = \{I \in \mathcal{I}_{A_n} \mid \forall I' \in \mathcal{I}_{A_n} : I \not\subset I' \wedge \forall O' \in \mathcal{O}_{A_n} : I \cap O' = \emptyset\}$ and,
$O_n = \{O \in \mathcal{O}_{A_n} \mid \forall I' \in \mathcal{I}^{>1}_{A_n} : I' \cap O = \emptyset\} \cup \{\{o\} \mid o \in O \in \mathcal{O}_{A_n} \wedge \exists I' \in \mathcal{I}^{>1}_{A_n} : I' \cap O \neq \emptyset\}$
We know that $C_{n+1} = (A_{n+1}, (I_{A_{n+1}}, O_{A_{n+1}}))$ is compatible with all $C_i = (A_i, (I_{A_i}, O_{A_i}))$ for $1 \leq i \leq n$. Let us show that it is also compatible with the interface of the $n$ components, but first let us pinpoint some facts about the interface $(I_n, O_n)$ of $C_n$.
(i) An exported label of $C_i$ ($1 \leq i \leq n$) is also exported by $C_n$. This comes from the following facts: (a) input labels remain as input labels in the biggest input selection containing them, except in the case that the input selection matches with an output selection (in that case, $I \subseteq O$), and (b) output labels remain in the interface.
(ii) Input selections of $I_n$ are input selections of some of its constituent components (i.e., if $I \in I_n$ then there exists $k \in \mathbb{N} : 1 \leq k \leq n$ such that $I \in I_{A_k}$).
(iii) If $O$ is an output selection of $O_n$, then either there exists $k \in \mathbb{N} : 1 \leq k \leq n$ such that $O \in O_{A_k}$ and no input selection of size greater than one intersects it, or there exists $O' \in O_{A_k}$ with $O = \{a\} \subseteq O'$, and there exists $m : 1 \leq m \leq n$ such that $I' \in I_{A_m}$ and $I' \subseteq O'$.
Therefore, suppose that $A_{n+1}$ has a common label with $\parallel_{1 \leq i \leq n} A_i$; then that label belongs, say, to the $k$-th automaton and therefore belongs to the interfaces of the components $C_k$ and $C_{n+1}$. If that label is an output label of the component $C_{n+1}$, that label is exported by $C_n$ due to the first observation. The compatibility condition (item (ii) of Def. 3.3) that $I \cap I' \neq \emptyset$ implies either $\#I = 1$ or $\#I' = 1$ is trivially true due to the observation that input selections of $C_n$ are input selections of the original components and to the pairwise compatibility. Similarly, if an output selection $O$ of $O_{A_{n+1}}$ intersects some input selection $I$ of $I_n$, then that input selection must be an input selection of some component and therefore must be included in the output selection (i.e., $I \subseteq O$). If an input selection $I$ of $I_{A_{n+1}}$ intersects some output selection of $O_n$, namely $O$, then either it is an input selection of size one and it is trivially included in $O$, or, by the last observation, we know that there exists $k$ such that $O \in O_{A_k}$ and thus $I \subseteq O$ (that is, due to pairwise compatibility, $I$ must be the only input selection of size greater than 1 intersecting $O$, and then by the last observation $O$ must belong to $O_n$).
Therefore, $C_n$ and $C_{n+1}$ are compatible components and by Lemma A.1 the pair $(I'_{n+1}, O'_{n+1})$ is a compatible interface, where:
$I'_{n+1} = \{I \in I_n \cup I_{A_{n+1}} \mid \forall I' \in I_n \cup I_{A_{n+1}} : I \not\subset I' \wedge \forall O' \in O_n \cup O_{A_{n+1}} : I \cap O' = \emptyset\}$ and,
$O'_{n+1} = \{O \in O_n \cup O_{A_{n+1}} \mid \forall I' \in I_n \cup I_{A_{n+1}} \wedge \#I' > 1 : I' \cap O = \emptyset\} \cup \{\{o\} \mid o \in O \in O_n \cup O_{A_{n+1}} \wedge \exists I' \in I_n \cup I_{A_{n+1}} \wedge \#I' > 1 : I' \cap O \neq \emptyset\}$
It is not difficult to see that this interface is equivalent to $(I_{n+1}, O_{n+1})$ where
$I_{n+1} = \{I \in \mathcal{I}_{A_{n+1}} \mid \forall I' \in \mathcal{I}_{A_{n+1}} : I \not\subset I' \wedge \forall O' \in \mathcal{O}_{A_{n+1}} : I \cap O' = \emptyset\}$ and,
$O_{n+1} = \{O \in \mathcal{O}_{A_{n+1}} \mid \forall I' \in \mathcal{I}^{>1}_{A_{n+1}} : I' \cap O = \emptyset\} \cup \{\{o\} \mid o \in O \in \mathcal{O}_{A_{n+1}} \wedge \exists I' \in \mathcal{I}^{>1}_{A_{n+1}} : I' \cap O \neq \emptyset\}$
In fact, if we write $I_{n+1}$ in terms of $I_n$, we need to add the input selections of $I_{A_{n+1}}$ which are not strictly included in an input selection of any other $I_{A_k}$ and do not match with an output selection. On the other hand, we have to eliminate from $I_n$ the input selections strictly included in an input selection of $I_{A_{n+1}}$ and the ones that match with an output selection of $O_{A_{n+1}}$. That is,
$I_{n+1} = (I_n - \{I \in \mathcal{I}_{A_n} \mid \exists I' \in I_{A_{n+1}} : I \subset I' \vee \exists O \in O_{A_{n+1}} : I \cap O \neq \emptyset\}) \cup \{I' \in I_{A_{n+1}} \mid \forall I \in \mathcal{I}_{A_n} : I' \not\subset I \wedge \forall O \in \mathcal{O}_{A_n} : I' \cap O = \emptyset\}$
Let us show that the definition of $I'_{n+1}$ specifies that manipulation: note that, though $I_n$ may contain fewer input selections than their union ($\bigcup_{1 \leq i \leq n} I_{A_i}$), it is easy to see that (a) if an input selection of the union is not present in $I_n$ then either it is included in another input selection of $I_n$, or it intersects an output selection of $O_n$, and (b) $\exists O \in O_n : I \cap O \neq \emptyset$ iff $\exists k \leq n, O \in O_{A_k} : I \cap O \neq \emptyset$ (all output labels remain). Therefore, the set $\{I' \in I_{A_{n+1}} \mid \forall I \in \mathcal{I}_{A_n} : I' \not\subset I \wedge \forall O \in \mathcal{O}_{A_n} : I' \cap O = \emptyset\}$ is equivalent to $\{I' \in I_{A_{n+1}} \mid \forall I \in I_n : I' \not\subset I \wedge \forall O \in O_n : I' \cap O = \emptyset\}$. This proves that in $I'_{n+1}$ the same input selections of $I_{A_{n+1}}$, filtered by $I_{n+1}$, are present. Finally, $I_n - \{I \in \mathcal{I}_{A_n} \mid \exists I' \in I_{A_{n+1}} : I \subset I' \vee \exists O \in O_{A_{n+1}} : I \cap O \neq \emptyset\}$ is equivalent to $\{I \in I_n \mid \forall I' \in I_{A_{n+1}} : I \not\subset I' \wedge \forall O \in O_{A_{n+1}} : I \cap O = \emptyset\}$, and we can conclude that $I'_{n+1} = I_{n+1}$.
On the other hand, to write $O_{n+1}$ in terms of $O_n$, the output selections of $O_{A_{n+1}}$ that do not match with input selections of size greater than one must be added, as well as the singletons for the ones that match. Besides, the output selections of $O_n$ must be checked against the input selections of $I_{n+1}$ to eliminate, and convert into singleton output selections, the ones that match with input selections of size greater than one. Again, this is specified by the definition of $O'_{n+1}$. □
[Fig. A.1. Observer for Checking Non-Zeno Regardless Input: locations 0, 1 and 2; the edges out of location 1 are labeled I1 ... In, and the self-loop is marked NO INPUT.]
A.1 Guaranteeing I/O Admissibility
For the sake of self-containment we provide sufficient syntactic constraints and checking algorithms to guarantee that $(A, (I_A, O_A))$ is indeed a component.
For example, to satisfy the property of input being non-blocking, we can resort to the following syntactic property: $\forall I' \in I_A : \forall l \in Locs(A) : Inv(l) \Rightarrow \bigvee_{\{e \,:\, Label(e) \in I' \wedge src(e) = l\}} Guard(e)$. That is, while the invariant holds, at least one $I'$-labeled transition is enabled.
To check that any output selection is simultaneously enabled, one possible syntactic property is the following: $\forall l \in Locs(A), \forall o, o' \in O \in O_A :$
$\bigvee_{\{e \in Edges(A) \,:\, src(e) = l \wedge Label(e) = o\}} Guard(e) = \bigvee_{\{e' \in Edges(A) \,:\, src(e') = l \wedge Label(e') = o'\}} Guard(e')$
To check non-zenoness we use an observer automaton with three locations: location 1 is entered non-deterministically from the initial location 0 and is left for a trap location 2 whenever an input occurs. Then, we ask whether $A \parallel Observer$ satisfies the following TCTL [17] formula: $\forall\Box\,(@ = 1 \rightarrow \exists\Diamond_{\geq 1}\, @ = 1)$, i.e., whether time can elapse without traversing an input edge (see Fig. A.1).
For non-transientness of outputs, it suffices to require that no pair of outputs or internal events can occur closer than one time unit. This can be done by resorting to an observer TA or, alternatively, by adding and checking some syntactic constraints on output edges, for instance, having a minimum-delay guard on a clock reset by the potential previous events. Another alternative is checking strong non-zenoness [23] for sequences containing an infinite number of output labels.
B Assume Guarantee
Lemma B.1 (Extending event sequences) Given a TA $A$ with closed predicates (item (i), Def. 5.2) and a set $L$ of labels, if $r \in R_A(q_0)$ then there exists $r' \in R_A(q_0)$ such that,
(i) $r|_L = r'|_L$,
(ii) $\delta_r \leq \delta_{r'}$, and
(iii) $\exists k : 0 \leq k < \#r|_L : \delta_{r'} - time(r'|_L[k]) \in \mathbb{N}$.
Proof. This can be done by following a procedure on $r$ that, step by step, shifts forward the non-visible transitions (i.e., the transitions not labeled in $L$) so that they lie at integer distance from a visible transition. □
Theorem 5.3
Given the I/O TCs $A, B, A', B'$ satisfying the non-blocking extra conditions, such that $A$ and $B$ are I/O compatible and $A'$ and $B'$ have the same I/O interfaces as $A$ and $B$ resp., $(A \parallel B') \preceq_{Exp_A} A'$ and $(A' \parallel B) \preceq_{Exp_B} B'$ imply that $(A \parallel B) \preceq_{Exp_A \cup Exp_B} (A' \parallel B')$.
Proof. This is a sketch of the proof. Let $L = Exp_A \cup Exp_B$. Let $r \in R_{A \parallel B}(q_0)$ be a finite run such that there is no run in $A' \parallel B'$ of the same time length exhibiting the sequence of timed events $r|_L$. First note that there exists a maximum $k < \#r|_L$ such that there exists $r' \in R_{A' \parallel B'}(q'_0)$ with $r|_L[0 \dots k] = r'|_L$. There are two cases:
(i) There exists $r' \in R_{A' \parallel B'}(q'_0)$ such that $r|_L[0 \dots k] = r'|_L$ and $time(r'|_L[k+1]) \geq time(r|_L[k+1])$.
(ii) For all $r' \in R_{A' \parallel B'}(q'_0)$, $\delta_{r'} \geq time(r|_L[k+1])$ and $r|_L[0 \dots k] = r'|_L$ imply $time(r'|_L[k+1]) < time(r|_L[k+1])$ (something urgent must happen before).
Before treating the cases, let $r$ be a run in $A \parallel B$, and $r'$ a run in $A' \parallel B'$ such that $r|_L[0 \dots k] = r'|_L$. It is easy to see that we can project the run $r$ into a run of $A$ and a run of $B$. On the other hand, run $r'$ can be projected into a run of $A'$ and a run of $B'$. Due to the hypothesis on exported labels and labeling, we can safely recombine those runs to get a run $r_{AB'}$ of $A \parallel B'$ and a run $r_{A'B}$ of $A' \parallel B$ with the same time length as $r'$. Let $q_A$ be the last state of $r_{AB'}$ projected into $A$, $q_B$ the last state of $r_{A'B}$ projected into $B$, $q_{A'}$ the last state of $r_{A'B}$ projected into $A'$, and $q_{B'}$ the last state of $r_{AB'}$ projected into $B'$.
Case i:
Suppose that $lab(r|_L[k+1]) = o \in O^A_m$ (the other case is analogous). Then, at the last state of $r_{AB'}$ it is possible to execute some $o' \in O^A_m$ (at $q_A$, $A$ can perform any output in $O^A_m$ and $B'$ is receptive to at least one of them). From the fact that $(A \parallel B') \preceq_{Exp_A} A'$, we can show the existence of a run $r_{A'}$ of $A'$ such that $r_{A'}|_{Exp_{A'}}$ is equal to $r'|_L[0 \dots k+1]$ projected into $Exp_{A'}$ ($= Exp_A$). Due to the fact that $O^A_m = O^{A'}_s$ is simultaneously enabled, there is a run $r'_{A'}$ of $A'$ exhibiting $r|_L[0 \dots k+1]$ projected into $Exp_{A'}$. On the other hand, $r$ shows that $o$ is enabled at $q_B$. We can replace the original projection of $r_{A'B}$ on $A'$ by the run $r'_{A'}$. Then, from the fact that $(A' \parallel B) \preceq_{Exp_B} B'$ we can conclude that there is a run $r_{B'}$ in $B'$ exhibiting $r|_L[0 \dots k+1]$ projected into $Exp_{B'}$. Combining the new runs $r'_{A'}$ and $r_{B'}$ for $A'$ and $B'$ resp., we conclude that there is a run $r^*$ in $R_{A' \parallel B'}(q'_0)$ such that its exhibited sequence over $L$, $r^*|_L[0 \dots k+1]$, is equal to $r|_L[0 \dots k+1]$, a contradiction.
Case ii:
Let $r' \in R_{A' \parallel B'}(q'_0)$ be such that $\delta_{r'} \geq time(r|_L[k+1])$ and $r'|_L[0 \dots k] = r|_L[0 \dots k]$, and let $r''$ be the prefix run of $r'$ such that $r''|_L = r|_L[0 \dots k]$. By the previous lemma and the assumptions of this case, there exists another run $\rho$ in $A' \parallel B'$ such that $\rho|_L = r''|_L = r|_L[0 \dots k]$, $\delta_{r''} \leq \delta_\rho < time(r|_L[k+1])$, and $\exists s : 0 \leq s \leq k : \delta_\rho - time(r|_L[s]) \in \mathbb{N}$. This means that, when runs show that in $A' \parallel B'$ something urgent must happen before time $time(r|_L[k+1])$, there must exist a maximum value for its occurrence. As shown, this follows from the fact that, for any $r''$ such that $r''|_L = r|_L[0 \dots k]$, there exists a longer $\rho$ such that $\rho|_L = r''|_L = r|_L[0 \dots k]$, and there is a finite number of those $\rho$ ($\rho$ ends at integer time distance from some event and before $time(r|_L[k+1])$). We will show that any such $\rho$ ends at a state where time can elapse, arriving at an absurdity.
We know that $NU(q_A)$ and $NU(q_B)$. From the fact that $q \xrightarrow{i} p$ implies $NU(q) \Rightarrow NU(p)$ (item (ii), Def. 5.2), $A$ can wait, and any finite number of inputs of $A$ (outputs of $B'$) cannot change this fact (an infinite number of outputs of $B'$ would also imply time-divergence). Then, there exists $w \in R_{A \parallel B'}((q_A, q_{B'}))$ such that $\delta_w > 0$ and $Lab(w) \cap Out_A = \emptyset$. Since $\rho' = r_{AB'} \circ w$ ($r_{AB'}$ prolonged with $w$) is a run of $A \parallel B'$, there exists a run $r_{A'}$ of $A'$ such that $\delta_{r_{A'}} = \delta_{\rho'}$ and $r_{A'}|_{Exp_{A'}} = \rho'|_{Exp_{A'}}$. Thus, $r_{A'}$ can be split as $r'_{A'} \circ r''_{A'}$ such that $\delta_{r''_{A'}} = \delta_w$ and $r''_{A'}|_{Exp_{A'}} = w|_{Exp_{A'}}$. Then, from the last state of $r'_{A'}$ (denoted $q'_{A'}$) there exists a non-transient run ($r''_{A'}$) that exhibits no output label. Then, there exists a state $s$ in the run $r''_{A'}$ such that $NU(s)$. Using Def. 5.1 and item (ii) of Def. 5.2 ($q \xrightarrow{i} p$ implies $NU(p) \Rightarrow NU(q)$) we can conclude $NU(q'_{A'})$. Analogously, $NU(q'_{B'})$. Therefore, the combination of those runs shows that $A' \parallel B'$ can exhibit $\rho'$ plus a positive time increment (the minimum possible increment between $A'$ and $B'$). Thus, we arrive at an absurdity. □