Abstract. We investigate design-level structural transformations that aim at easier subsequent verification of real-time systems with shared data variables, modelled as networks of extended timed automata (ETA). Our contributions to this end are the following: (1) we first equip ETA with an operator for layered composition, intermediate between parallel and sequential composition. Under certain non-interference and/or precedence conditions imposed on the structure of the ETA networks, the communication closed layer (CCL) laws and associated partial-order (po-) and (layered) reachability equivalences are shown to hold. (2) Next, we investigate (under certain cycle conditions on the ETA) the (reachability preserving) transformations of separation and flattening aimed at reducing the number of cycles of the ETA. (3) We then show that our separation and flattening in (2) may be applied together with the CCL laws in (1), in order to restructure ETA networks such that the verification of layered reachability properties is rendered easier. This interplay of the three structural transformations (separation, flattening, and layering) is demonstrated on an enhanced version of Fischer's real-time mutual exclusion protocol for access to multiple critical sections.
Introduction
Reasoning about networks of (real-time) systems is much easier when the execution of the system components is viewed sequentially, as opposed to corresponding distributed or concurrent representations. Transformations of distributed system representations to equivalent layered (i.e., sequential) representations were first explored in [EF82] through a notion of communication closedness between system components. Such a layered transformation was subsequently investigated in [Jan94] for a process algebra based on hierarchical graphs, with an operator for layered composition (intermediate between sequential and parallel composition) that formalized equivalences between the distributed and layered system representations through the communication closed layer (CCL) laws, by exploiting independence between system components. Real-time extensions to this process algebra were presented in [JPXZ94], where CCL laws were shown to hold under certain timing conditions, even in the absence of cross-component independence.
Correspondence and offprint requests to: M. Swaminathan. E-mail: mani.swaminathan@informatik.uni-oldenburg.de. This work is supported by the German Research Foundation through the Trans-Regio Collaborative Research Center (SFB/TR 14) AVACS (www.avacs.org).
We adapted in [OS10] the layered transformation used in the assertion-based reasoning techniques of the above works for automatic verification of real-time systems modelled as timed automata (TA) [AD94]. Our layered transformation in [OS10] aimed at state-space reduction in TA networks, based on transition independence as studied for partial order reduction of TA [BJLY98, Min99, LNZ05, HP07]. In [OS13], we recently enhanced the layered transformation for TA in [OS10], and complemented this by the transformation techniques of separation and flattening. This paper is an extended and revised version of [OS13] with the following structure.
We considered in [OS10] networks of TA under local time semantics, as in many works on partial order reduction for TA (cf. [BJLY98, Min99, LNZ05, HP07] ), where the clocks of each constituent TA evolve independently so as to reduce timing-based dependencies, but at the expense of extra reference clocks for resynchronization (cf. [BJLY98] ). In this paper, we instead work with networks of TA extended with shared data variables [termed extended timed automata (ETA)], having synchronous clocks across the constituent ETA, as supported by the well-established ETA model-checker UPPAAL [BDL04] . Dependencies in such ETA networks arise due to: (a) the read-write interference of the variables shared across the ETA, and (b) the global timing constraints induced by synchronous clocks.
Section 2 of this paper reviews ETA and their compositional constructs, while Sect. 3 establishes communication closed equivalences that exploit the absence of dependencies due to (a) and (b) above. Notions of non-interference are introduced for dealing with (a), while (b) is handled by wrapped ETA that mimic local time semantics in a network, even in the presence of globally synchronous clocks.
Section 4 of this paper establishes communication closed equivalences for ETA with synchronous clocks that exploit precedence relations, in the presence of shared variable and clock dependencies between ETA.
The explicit passage of control (from one sequential phase of the system to the next) necessary for applying (non-interference- or precedence-based) layered transformations may however not be directly apparent from the system's structure, owing to multiple nested cycles that often arise while modelling reactive distributed real-time systems as ETA networks. We therefore introduce in Sect. 5 the transformations of separation and flattening as (reachability preserving) pre-processing steps that (under certain cycle conditions on the ETA) reduce the nesting depth and the number of cycles in ETA networks. Communication closedness (via appropriate non-interference and/or precedence conditions) may be easily investigated on such separated and flattened ETA, so that the verification of layered reachability properties may be rendered almost trivial.
The interplay of the three structural transformations (separation, flattening, and layering) is illustrated in Sect. 6 on an enhanced version of Fischer's real-time mutual exclusion protocol for two critical sections. Section 7 concludes the paper.
ETA and composition operators
We briefly review the ETA model for (networks of) real-time systems enriched with shared data variables. Semantics of ETA are given in terms of the underlying timed transition system and the associated regions. Various compositional operators for ETA are also introduced, namely those for sequential, step, parallel, and layered composition, along with the notions of non-interference (for dealing with shared variables) and wrapping (for dealing with globally synchronous clocks).
Extended timed automata. We first introduce some notions that constitute the syntax of ETA, where the notation (x , y, . . . ∈) X indicates that we denote by x , y . . . the typical elements of the set X . Let (α, β, . . . ∈) be a finite alphabet of channels. For each channel α ∈ there are two actions: α? denotes input on α and α! denotes output on α, where α?, α! ∈ . We consider two different internal actions τ, ε ∈ , where τ results only from synchronization: in the context of parallel composition, input and output are complementary actions that can synchronize, yielding τ . For an action a ∈ ?! \ {τ, ε}, its complementary action is denoted by ā, i.e., the complement of α? is α!, and vice-versa. The set of all actions over is denoted by (a, b, . . . ∈) ?! {α? | α ∈ } ∪ {α! | α ∈ } ∪ {τ, ε}.
Let (u, v , . . . ∈) V be a finite set of data variables ranging over a finite set D. The set (ψ D ∈) (V ) of data expressions over V is the set of expressions involving variables of V and the arithmetic operators +, −, . . ., interpreted in the usual way for integer-valued data variables. The set (φ D ∈) (V ) of data constraints over V is the set of Boolean constraints over variables in V involving the arithmetic (+, −, . . .) and relational (<, ≤, >, ≥) operators, interpreted in the usual way for integer-valued data variables. A data valuation assigns to each data variable in V a value in D. If | V | = m, we denote by ( u, v , . . . ∈) D m the set of data valuations. A reset operation is an assignment x := 0 to a clock x ∈ C , or an assignment v := ψ D to a data variable v ∈ V , where ψ D ∈ (V ). By (r ∈) R(C , V ) we denote the set of lists of reset operations. In the sequel, we shall identify constraints with the respective sets of clock and data valuations satisfying them, so as to enable the application of set-theoretic operations.
We then define an extended timed automaton as follows:
• L is a finite set of locations,
• is a finite alphabet of channels,
• is a finite set of directed edges between locations, where an edge e = (l , a, g, r , l ′) from l to l ′ involves an action a ∈ ?! over the alphabet , a guard g ∈ G(C , V ), and a list r of reset operations involving clocks in C and data variables in V .
Note that clock invariants, by definition, admit only upper bounds on the clock values. An edge e ∈ E is of the form e = (l , a, g, r , l ′) with l , l ′ ∈ L, a ∈ ?! , g ∈ G(C , V ), and r a list of reset operations. Edges of the form e = (l , ε, true, ∅, l ), which are ε-labelled and involve no guards or resets, are called stutter edges. Define target (e) = l ′ as the target location of the edge e, act(e) = a as the action of e, and edges A (a) = {e ∈ E | act(e) = a} as the set of edges in A with action a. For a pair of clock valuations x and y and a constant k ∈ N, we denote by x ≈ k y the k -region-equivalence between x and y, defined as follows:
Definition 2 (k -region-equivalence) The k -region-equivalence relation ≈ k on two n-dimensional clock valuations x and y is defined by
, where, for a clock valuation x ∈ R n ≥0 , x i denotes its i th component, i.e., the value of the i th clock, and int(x i ) and f r(x i ) denote the integer and fractional parts of x i , respectively. By [ x ] k we denote the k -region containing x , which is the equivalence class induced by ≈ k . The semantics of an ETA is given in terms of its timed transition system, which consists of a (potentially infinite) set of states of the form (l , x , v ), where l ∈ L, x ∈ R n ≥0 , and v ∈ D m . The transitions between such states result in the formation of paths through the timed transition system, defined as follows:
Definition 3 (Path) A path π through a timed transition system is a (possibly infinite) sequence π of states, with delays d i ∈ R ≥0 and edges e i ∈ E , subject to the following initiation and consecution conditions:
1. Initiation: l 0 is the initial location, and 0 and v 0 are the initial clock and data valuations, respectively.
2. Consecution (time-passage): for even i with (l i ,
x i+1 = r ( x i ) with x i+1 ∈ Inv (l i+1 ), and v i+1 = r ( v i ), where r ( x ) denotes the clock valuation obtained from x after resetting all the clocks in r , while r ( v ) denotes the data valuation obtained from v by suitably updating all the data variables in r .
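As an added illustration (not code from the paper), the following Python decides x ≈ k y for two clock valuations and builds a canonical key for the k-region [ x ] k, so that two valuations are k-region-equivalent exactly when their keys agree. It assumes the standard Alur-Dill region equivalence of [AD94], which the paper cites; clock values are handled as exact rationals so that fractional parts compare reliably.

```python
from fractions import Fraction
from typing import Sequence, Tuple, Union

Number = Union[int, float, str, Fraction]


def _exact(v: Number) -> Fraction:
    """Convert a clock value to an exact rational (str() keeps decimal literals exact)."""
    return Fraction(str(v))


def _int_frac(v: Fraction) -> Tuple[int, Fraction]:
    """Integer part int(v) and fractional part fr(v) of a non-negative clock value."""
    whole = v.numerator // v.denominator
    return whole, v - whole


def region_equivalent(x: Sequence[Number], y: Sequence[Number], k: int) -> bool:
    """Decide x ≈_k y for two n-dimensional clock valuations.

    Assumed (standard Alur-Dill) definition with maximum constant k:
      1. for each clock i, either both x_i and y_i exceed k, or int(x_i) = int(y_i);
      2. for each clock i with x_i <= k, fr(x_i) = 0 iff fr(y_i) = 0;
      3. for each pair i, j with x_i, x_j <= k, fr(x_i) <= fr(x_j) iff fr(y_i) <= fr(y_j).
    """
    if len(x) != len(y):
        raise ValueError("clock valuations must have the same dimension")
    xs = [_exact(v) for v in x]
    ys = [_exact(v) for v in y]
    for xi, yi in zip(xs, ys):
        if xi > k and yi > k:
            continue  # both beyond k: no guard with constants <= k can tell them apart
        ix, fx = _int_frac(xi)
        iy, fy = _int_frac(yi)
        if ix != iy or (fx == 0) != (fy == 0):
            return False
    bounded = [i for i, xi in enumerate(xs) if xi <= k]
    for i in bounded:
        for j in bounded:
            fxi, fxj = _int_frac(xs[i])[1], _int_frac(xs[j])[1]
            fyi, fyj = _int_frac(ys[i])[1], _int_frac(ys[j])[1]
            if (fxi <= fxj) != (fyi <= fyj):
                return False
    return True


def region_key(x: Sequence[Number], k: int) -> tuple:
    """Canonical representative of the k-region [x]_k.

    Per clock: the marker "beyond" if the value exceeds k, else (int part, fr == 0).
    Plus the weak ordering of fractional parts of the clocks at most k, as a tuple
    of index groups with equal fractional part, in increasing order.
    """
    xs = [_exact(v) for v in x]
    per_clock = []
    for xi in xs:
        if xi > k:
            per_clock.append("beyond")
        else:
            ix, fx = _int_frac(xi)
            per_clock.append((ix, fx == 0))
    bounded = sorted((i for i, xi in enumerate(xs) if xi <= k),
                     key=lambda i: _int_frac(xs[i])[1])
    groups, current, last = [], [], None
    for i in bounded:
        f = _int_frac(xs[i])[1]
        if last is not None and f != last:
            groups.append(tuple(current))
            current = []
        current.append(i)
        last = f
    if current:
        groups.append(tuple(current))
    return tuple(per_clock), tuple(groups)
```

Two valuations whose fractional parts are ordered differently (say 1.2, 0.5 against 1.7, 0.3 with k = 2) fall into different regions, because a delay can make one clock cross an integer before the other.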
The reachable state space of the ETA A, denoted Reach(A), is then given by the set of states reachable from the initial state through transitions of all paths, with Reach i (A) denoting the set of reachable states of A after i iterations of its transition relation, defined as follows:
Reach(A) is the reachable state space of an ETA A, consisting of a (potentially infinite) set of states of the form (l , x , v ), where l ∈ L, x ∈ R n ≥0 , and v ∈ D m . It is defined inductively as follows, with Reach i (A) denoting the reach-set under i ∈ N steps, starting from the initial state (l 0 , 0, v 0 ) and alternating between time-passage and discrete transitions:
This leads to the notion of reachability equivalence denoted by ≡. Given two ETA A 1 and A 2 , we define A 1 ≡ A 2 to hold iff Reach i (A 1 ) = Reach i (A 2 ) for all i ∈ N. Thus ≡ requires equal sets of reachable states after every iteration of the transition relation.
ETA compositions. So far we considered ETA operating in isolation. In practice, real-time systems communicate with each other and with their environment. This results in composite systems with communicating components. The communication is via synchronizing actions drawn from a shared alphabet and via shared data variables. We now consider four operators for constructing composite systems: sequential, step, parallel, and layered composition.
For modelling that the execution of A 1 is followed by that of A 2 , it is convenient to have two composition operators at hand. The sequential composition A 1 ; A 2 amalgamates the final location l F 1 of A 1 with the initial location l 02 of A 2 , while the step composition A 1 £ A 2 links l F 1 and l 02 by an explicit step transition t. Formally,
Definition 5 (Sequential ;-composition) Let l 01 ≠ l F 1 and l 02 ≠ l F 2 , with l F 1 having no outgoing edges. Then the sequential composition of A 1 and A 2 is defined as the ETA
and E is given by:
The first two lines in the construction of E in A 1 ; A 2 deal with edges of A 1 leading to l F 1 , while the last five lines deal with edges of A 2 that either leave or enter l 02 . Note that we assume Inv (l F 1 ) = true by Definition 1. We require that there is no outgoing edge from l F 1 , as it would otherwise be possible to re-enter A 1 from A 2 via incoming edges to l 02 and outgoing edges from l F 1 . The set of edges E is obtained by appropriately assigning l F 1 as the target or source location for edges in E 1 entering l F 1 and for edges in E 2 entering or leaving l 02 . In the step composition A 1 £ A 2 defined below, the stutter edge t steps from l F 1 to l 02 , and thus allows for l F 1 to have outgoing edges, as no location of A 1 will be re-entered once t has been executed.
Alternative definitions of sequential and step compositions for timed automata may be found in [BP99, DHQ + 08]. Parallel composition of ETA is in the CCS-style [Mil89] , i.e., parallel ETA synchronize on common actions but also act autonomously on all actions-the latter is modelled by interleaving. In order to avoid any read-write and write-write conflicts w.r.t the shared variables in the parallel ETA, we require that edges with synchronizing actions are non-interfering, as defined below. For an edge e (l , a, g, r , l ) of an ETA A its writeset wr (e) is the set of all clocks and data variables appearing on the left-hand side of one of the reset operations in r , while its read-set rd (e) is the set of all clocks and data variables appearing in the guard g or on the right-hand side of a reset operation in r .
Definition 7 (Non-interfering edges) Let E 1 and E 2 be sets of edges. The non-interference relation ⊆ E 1 × E 2 is defined for e 1 ∈ E 1 and e 2 ∈ E 2 by: e 1 e 2 if rd (e 1 ) ∩ wr (e 2 ) = wr (e 1 ) ∩ rd (e 2 ) = wr (e 1 ) ∩ wr (e 2 ) = ∅. If the latter condition does not hold, e 1 and e 2 interfere and we write e 1 e 2 .
The relation is canonically lifted to sets of edges (and consequently to ETA): E 1 E 2 iff for all e 1 ∈ E 1 and e 2 ∈ E 2 we have e 1 e 2 . For two ETA A 1 and A 2 with respective edge-sets E 1 and E 2 , we have that A 1 A 2 when (1) E 1 E 2 , i.e., their edge-sets are non-interfering, and (2) C 1 ∩ C 2 = ∅, i.e., their clock-sets are disjoint so as to eliminate timing-induced dependencies between A 1 and A 2 by the wrapping construction (cf. Definition 10). In the context of parallel composition , we require a more relaxed notion of synchronized non-interference on the constituent ETA A 1 and A 2 in order for A 1 A 2 to be well-formed.
Definition 8 (Synchronized non-interfering ETA sync ) ETA A 1 and A 2 over alphabets 1 and 2 , respectively, are
The relation sync on ETA is only w.r.t synchronizing actions on common channels, and thus (unlike the more restrictive relation on ETA) does not preclude shared-variable and clock dependencies between actions on disjoint channels.
The parallel composition of two A 1 and A 2 , with A 1 sync A 2 , is then constructed according to a CCS-style synchronization and interleaving, as follows:
Inv 1 (l 1 ) ∧ Inv 2 (l 2 ) and E given by: • Interleaving:
Note that in the synchronization case it is not relevant whether we take r 1 r 2 (first the list r 1 of reset operations and then r 2 ) as above or the reverse order r 2 r 1 because we assume the synchronized non-interference e 1 e 2 . Our CCS-style interleaving allows A 1 and A 2 to act autonomously on all actions, thus leaving A 1 A 2 open to further (parallel) composition with an ETA A 3 , with which the interleaving edges of A 1 A 2 may synchronize. This contrasts with the semantics of UPPAAL for ETA networks, where every discrete transition is represented as having a τ -labelled internal action (obtained by synchronization of complementary ! and ? actions) for the symbolic computation of the state-space of a parallel composition. Thus UPPAAL views A 1 A 2 as a closed network having only τ -labelled edges. Such a closed network semantics may be obtained for our parallel composition by means of channel restriction (cf. Definition 4.13 on p. 146 of [OD08] ) for eliminating interleaving edges in A 1 A 2 .
A real-time distributed system often consists of (sequential) phases that execute in parallel on multiple platforms, wherein a transition (edge) within a given phase can execute only after all dependent transitions (edges) in each preceding phase have been executed. It is clear that the non-interference relation of Definition 7 sufficiently captures (in-)dependence in the untimed setting, where dependencies are induced only by shared variables. In the timed setting of ETA, however, the clocks of the various system components evolve synchronously, resulting in timing-induced dependencies even in the presence of disjoint sets of clocks. In contrast to several works on the partial order reduction of TA (e.g., [BJLY98, Min99, LNZ05]) that deal with such timing-induced dependencies by imposing the semantic condition of local time (where, in addition to mutual disjointness, the clocks of the constituent components run entirely independently of each other), we retain here the synchrony between the clocks of the various components as in the UPPAAL model-checker, but decouple the timing influences between the components by wrapping an ETA with an initial location that admits idling for arbitrarily long periods before proceeding to its actual execution, as given below: The synchronous evolution of x and y however results in a timing-induced dependency between the edges a and b, with a never occurring after b owing to the corresponding guards. Wrapping A and B decouples this timing-induced dependency within a parallel composition (owing to the preceding clock resets).
We now introduce an asymmetric layered composition operator • (intermediate between parallel and sequential composition) that involves the non-interference relation on edges of ETA. The layered composition of A 1 and A 2 is given by A 1 • A 2 where A 1 sync A 2 , and Inv is as in the parallel composition A 1 A 2 , while E is a subset of the set of edges of A 1 A 2 , as an edge of A 2 is allowed to execute in A 1 • A 2 only after all dependent edges of A 1 have been executed. This layered composition is defined formally below:
where Inv is as in the parallel composition A 1 A 2 , while E now differs in part (2) of the interleaving case:
where l 1 * −→ l * 1 expresses that l * 1 is reachable from l 1 in the syntactic structure of A 1 through an arbitrary sequence of edges.
Thus only part (2) of the interleaving case differs from parallel composition: an interleaving edge of A 2 is allowed to execute only after all dependent edges of A 1 (in the sense of the -relation) have been executed. A natural setting for such asymmetric interleaving arises when A 1 edges write to variables that are then read by (dependent) A 2 edges.
The four operators for ETA compositions, namely those for sequential (;), step (£), parallel ( ), and layered (•) compositions, are illustrated in Fig. 2. 
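As an added example (not the paper's own code or a tool it describes), the following Python computes the read- and write-sets of edges from their guards and reset lists, decides the non-interference of Definition 7 (lifted to ETA together with the disjoint-clocks condition), and applies the gating rule of layered composition: an A 2 edge is permitted at a location pair (l 1 , l 2 ) only if no edge of A 1 starting at a location syntactically reachable from l 1 interferes with it. The two small ETA, their location names and the flag go are constructed here to illustrate the write-then-read setting described above.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple

_IDENT = re.compile(r"[A-Za-z_]\w*")
_LITERALS = {"true", "false"}  # keywords that are not clock or variable names


def names_in(expr: str) -> FrozenSet[str]:
    """Clocks and data variables mentioned in a guard or reset expression."""
    return frozenset(t for t in _IDENT.findall(expr) if t not in _LITERALS)


@dataclass(frozen=True)
class Edge:
    src: str
    action: str                          # e.g. "a!", "a?", or "eps" for an internal action
    guard: str                           # e.g. "x > 10 && go == true"; "true" if unguarded
    resets: Tuple[Tuple[str, str], ...]  # reset list r as (variable, expression) pairs
    tgt: str

    def rd(self) -> FrozenSet[str]:
        """rd(e): names in the guard or on the right-hand side of a reset."""
        names = set(names_in(self.guard))
        for _, rhs in self.resets:
            names |= names_in(rhs)
        return frozenset(names)

    def wr(self) -> FrozenSet[str]:
        """wr(e): names on the left-hand side of a reset."""
        return frozenset(lhs for lhs, _ in self.resets)


def non_interfering(e1: Edge, e2: Edge) -> bool:
    """Definition 7: rd(e1) ∩ wr(e2) = wr(e1) ∩ rd(e2) = wr(e1) ∩ wr(e2) = ∅."""
    return not (e1.rd() & e2.wr() or e1.wr() & e2.rd() or e1.wr() & e2.wr())


@dataclass
class ETA:
    name: str
    init: str
    clocks: FrozenSet[str]
    edges: List[Edge]

    def syntactically_reachable(self, loc: str) -> Set[str]:
        """Locations l* with loc ->* l* in the syntactic structure (loc itself included)."""
        seen, stack = {loc}, [loc]
        while stack:
            here = stack.pop()
            for e in self.edges:
                if e.src == here and e.tgt not in seen:
                    seen.add(e.tgt)
                    stack.append(e.tgt)
        return seen


def eta_non_interfering(a1: ETA, a2: ETA) -> bool:
    """Lifting to ETA: pairwise non-interfering edge sets and disjoint clock sets."""
    if a1.clocks & a2.clocks:
        return False
    return all(non_interfering(e1, e2) for e1 in a1.edges for e2 in a2.edges)


def layered_permitted(a1: ETA, l1: str, e2: Edge) -> bool:
    """Part (2) of the interleaving case of A1 • A2: e2 of A2 may fire while A1 is at l1
    only if no edge of A1 starting at a location reachable from l1 interferes with e2."""
    ahead = a1.syntactically_reachable(l1)
    return all(non_interfering(e1, e2) for e1 in a1.edges if e1.src in ahead)


def blocked_edges(a1: ETA, l1: str, a2: ETA, l2: str) -> List[Edge]:
    """A2 edges leaving l2 that the layered composition withholds at the pair (l1, l2)."""
    return [e for e in a2.edges if e.src == l2 and not layered_permitted(a1, l1, e)]


# Constructed sample (not from the paper): A1 writes the flag go, A2 reads it.
A1 = ETA("A1", "l0", frozenset({"x"}), [
    Edge("l0", "eps", "x <= 5", (("x", "0"),), "l1"),
    Edge("l1", "eps", "x >= 1", (("go", "true"),), "lF1"),
])
A2 = ETA("A2", "m0", frozenset({"y"}), [
    Edge("m0", "eps", "go == true", (("y", "0"),), "m1"),   # depends on A1's write of go
    Edge("m0", "eps", "y > 5", (("y", "0"),), "m2"),        # independent of A1
])
```

In the parallel composition both A2 edges interleave freely at (l0, m0); in the layered composition the edge reading go is withheld until A1 has reached lF1, while the independent edge is permitted throughout.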
CCL laws and equivalences
This section formalizes CCL equivalences for ETA networks under suitable non-interference conditions. We begin with an adaptation of the CCL law of [Jan94] to the setting of ETA. 
Theorem 1 (CCL with •-composition) For all ETA
Proof For the above CCL equality, we identify location tuples (
and an edge e = (l , a, g, r , l ′) starting at this location. By the definition of • and , the edge e could be due to either (a1) A 1 , (a2) B 1 , (a3) A 2 , (a4) B 2 individually, or as a synchronization involving (b1) A 1 and A 2 , (b2) A 1 and B 1 , (b3) A 1 and B 2 , (b4) A 2 and B 1 , (b5) A 2 and B 2 , (b6) B 1 and B 2 . We have to show that e also occurs at the location l of (A 1 B 1 ) • (A 2 B 2 ). The cases (a1) and (a2) are relatively straightforward, whereas the cases (a3) and (a4) require more care. Of these we consider (a3) in detail. Here e is permitted in the layered composition A 1 • A 2 , i.e., from l A 1 there is no location syntactically reachable where an edge e 1 starts that interferes with e. Then e can occur at l in A 2 B 2 by the interleaving case and in (A 1 B 1 ) • (A 2 B 2 ) as it is permitted by the layered composition with A 1 B 1 . This holds because e is permitted by A 1 and by B 1 due to the assumption B 1 A 2 . The case (a4) is symmetric. Of the synchronization cases we consider (b5) in detail. It combines arguments for the individual cases (a3) and (a4). There are edges with complementary actions occurring in A 2 and B 2 individually that can synchronize to an edge labelled with τ in the context of A 2 B 2 . The part of the τ -edge stemming from A 2 was permitted in A 1 • A 2 , and the part of the τ -edge stemming from B 2 was permitted in B 1 • B 2 . Furthermore, since A 1 B 2 and B 1 A 2 , the part of the τ -edge stemming from A 2 is non-interfering with all edges in B 1 , and the part of the τ -edge stemming from B 2 is non-interfering with all edges in A 1 . Thus the τ -edge itself occurs in (A 1 B 1 ) • (A 2 B 2 ).
So indeed e occurs also at the location l of (
and an edge e (l , a, g, r , l ) starting at this location in (A 1 B 1 ) • (A 2 B 2 ). The same cases (a1)-(a4) and (b1)-(b6) need to be considered.
Remark 2 1. As equality is a congruence w.r.t. parallel composition, the CCL law holds also in the context of an arbitrary parallel ETA C . Thus we have (( 
The above equality between the parallel and layered versions is again up to a reordering of location tuples.
PO-equivalence.
We now formalize partial order (po-) equivalence as a means of relating step and layered compositions. For this relationship, we have to address the fact that in a layered composition A 1 • A 2 there may be τ -edges arising from synchronization of complementary actions, whereas such τ -edges do not arise in the step composition A 1 £ A 2 . For this purpose, we introduce for a path π of A 1 • A 2 (or of A 1 A 2 ) the operation split(π ) that splits every synchronization edge of π (labelled with τ ) into a sequence of its constituent output and input edges, which is possible owing to the synchronized non-interference assumed for edges labelled with complementary actions (see Definition 8). Note that this non-interference implies that the order in which synchronization edges are split into constituent output and input edges is irrelevant, such that we may always choose the (unique) representative path in which the output action always precedes the complementary input action with zero-delay in between.
Consider a finite path π of A 1 • A 2 or of A 1 A 2 with fragments π and π of the form
where the τ -action has resulted from synchronizing an action a α! ∈ 1 ?! with a α? ∈ 2 ?! . Then
where the intermediate valuations x and u are uniquely determined by the resets of the α!-labelled edge of A 1 on x and u. Following such a splitting of τ -edges, we may now define po-equivalence on paths of ETA.
Definition 12 (po-equivalence ≡ po on paths) Let A 1 and A 2 be two ETA sharing an alphabet , with 1 and 2 denoting the corresponding sets of finite paths terminating in their final locations l F 1 resp. l F 2 . Let ≈ be a relation between the locations of A 1 and A 2 . A path π 1 ∈ 1 is po-equivalent to π 2 ∈ 2 , denoted π 1 ≡ po π 2 , relative to ≈ on the corresponding locations, ≈ k on the final clock valuations (where k is the maximum constant of A 1 and A 2 ), and the identity relation on the final data valuations, if split(π 2 ) can be obtained from split(π 1 ), time-abstractedly and by ignoring ε-labelled stutter edges, by repeated permutation of adjacent (i.e., separated by only one time-passage) non-interfering edges.
For illustration, consider two (split and stutter-free) path fragments
and
, and e f . Thus, π 1 and π 2 (relative to ≈ on their locations and region-equivalence on their clock valuations, and the identity relation on their data valuations) differ only in the (permutative) ordering of independent transitions. Note that we need the k-region-equivalence ≈ k to relate the (final) clock valuations x 4 and y 4 owing to the intermediate delays in one path being time-abstractedly (and not exactly) matched in the other path. Note also that we ignore ε-labelled stutter edges for ≡ po as such edges are only of the form (l , ε, true, ∅, l ) (cf. Definition 1). As a consequence, two po-equivalent paths may not necessarily have the same length. This definition of ≡ po is now lifted to ETA as follows:
Definition 13 (po-equivalence ≡ po of ETA) For ETA A 1 and A 2 sharing a common alphabet , with 1 and 2 denoting the corresponding sets of finite paths terminating in their respective final locations l F 1 and l F 2 , we write
The following notion of layered normal form (LNF) is then used for permuting paths of layered compositions.
Definition 14 (Layered normal form) A (finite, terminating) path π of A 1 • A 2 is in LNF if it consists of consecutive edges from E 1 passing through l F 1 , followed by consecutive edges from E 2 ending in l F 2 .
In a path π of A 1 • A 2 , if edges e 1 , . . . , e n of A 2 occur in split(π ) before A 1 has reached its final location l F 1 , we permute these edges "to the right" so that they occur after l F 1 has been reached, thereby generating a path π ′ ∈ L with π ≡ po π ′. Such permutations are possible, as by Definition 11 of •, the edges e 1 , . . . , e n satisfy e e i for all edges e of A 1 that need to be permuted "to the left", before the occurrence of l F 1 in split(π ). Note that regarding the global time, the edges e 1 , . . . , e n (that now have been permuted "to the right" of l F 1 ) are delayed, but this delay does not prevent e 1 (and subsequently e 2 , . . . , e n ) from occurring, because A 2 is wrapped. Moreover, as Inv (l F 1 ) = true by Definition 1, it is possible for A 1 to spend any amount of time in l F 1 , irrespective of whether l F 1 is reached along π or π ′. Hence the initial edge e 1 of A 2 can start after any delay, thereby resetting the clocks of A 2 (cf. Definition 10), thus enabling e 2 , . . . , e n to proceed according to their local time in A 2 , as would be the case for the path π ′ ∈ L .
Proposition 2 (≡ po between •-and £-compositions)
Proof We provide a sketch of the proof here by first introducing a relation ≈ that relates locations of
Let £ (resp. • ) be the set of all finite paths of
where π is either in LNF, or is po-equivalent to another path in • that is in LNF (cf. Proposition 1).
The po-equivalence between π and π above is relative to ≈ between their respective locations (when π is in LNF), region equivalence (w.r.t the maximum of all constants of A 1 and A 2 ) between the final clock valuations, and identity between the final data valuations, modulo the ε-labelled stepping transition in π . A B , where it needs to be shown that P ≡ po S . Let P resp. S denote the set of finite paths of P resp. S terminating in their final location (l F A 2 , l F B 2 ), where l F A 2 resp. l F B 2 is the final location of A 2 resp. B 2 . Then clearly S ⊆ P . It then remains to show that ∀ π ∈ P ∃ π ∈ S : π ≡ po π . As π may contain synchronized τ -edges, we need to demonstrate that split(π ) may be suitably permuted into a (split) path of S . By construction, split(π ) has passed through the final location (l F A 1 , l F B 
2. Theorem 2 may also be generalized to multiple parallel and step instances of ETA: If there are no cross-interferences, i.e., A i,j A k ,l for i ≠ k and j ≠ l , and if all A i,j for 2 ≤ i ≤ n are wrapped, then
3. The ETA equivalences seen so far are related thus:
Localized reachability in non-terminating ETA. The po-equivalence ≡ po that relates parallel and step compositions of (wrapped) ETA under suitable "cross-independence" conditions (cf. Theorem 2) is restrictive, in the sense that ≡ po examines only finite paths (terminating in the final locations) for possible permutations. In practice it is often necessary to examine ETA with non-terminating paths (typically arising in distributed reactive real-time systems that (networks of) ETA seek to model). To this end, we introduce a location-based equivalence ≡ L that localizes reachability within a layer. As with ≡ po , this layered reachability equivalence ≡ L arises by the replacement of • by £ within the CCL law. However, unlike ≡ po , the equivalence ≡ L may also be applied to ETA with possibly non-terminating paths, and suffices for the preservation of mutual exclusion properties, as will be shown in Sect. 6.
Definition 15 (Layered reachability equivalence ≡ L ) Let Reachloc(A) denote the set of reachable locations of A.
Consider ETA P and S , with both having sub-ETA A 1 , A 2 , B 1 , B 2 with disjoint sets of locations. We define layered reachability equivalence P ≡ L S as follows:
The relation ≡ L is an equivalence relation on ETA with the structure as given above, where the sub-ETA A 1 , A 2 , B 1 , and B 2 are combined in P and S by means of parallel and step compositions. In the following theorem, we consider an ETA P with parallel composition as the top-most operator and an ETA S with the step composition as the top-most operator. In both ETA, the sub-ETA A 1 , B 1 constitute one layer and the sub-ETA A 2 , B 2 a second layer. Due to the localized property of ≡ L , wherein one considers only location reachability within a layer, the issue of (non-)termination is implicitly handled: for the two ETA P and S , with P ≡ L S as in Definition 15, we consider only the cases that either both P and S are still in their first layer (with control residing at a location pair drawn from locations in A 1 and B 1 ), or that both P and S have terminated their first layer (after having passed through its final location (l F A 1 , l F B 1 )) and are now in their second layer (with control residing at a location pair drawn from locations in A 2 and B 2 ).
Cross-layer properties are not necessarily preserved between P and S . Indeed, for a location-pair l a ∈ L A 2 , l b ∈ L B 1 , we may have (l a , l b ) ∈ Reachloc(P ) \ Reachloc(S ), because B 1 and hence the first layer (A 1 B 1 ) in S may not terminate.
Theorem 3 below establishes ≡ L between P and S when layered composition is replaced by step-composition in the CCL-law. 
Theorem 3 (≡ L -CCL with £-composition)
holds for the layered reachability equivalence ≡ L .
Now consider a location pair l a ∈ L A 2 , l b ∈ L B 2 in the second layer consisting of A 2 and B 2 . If (l a , l b ) ∈ Reachloc(S ) then clearly (l a , l b ) ∈ Reachloc(P ) as any path of P can mimic the path of S reaching (l a , l b ).
The only difficult case is (l a , l b ) ∈ Reachloc(P ). It implies that individually A 1 and B 1 have terminated and taken their steps to the initial locations of A 2 and B 2 before reaching l a ∈ L A 2 and l b ∈ L B 2 inside P . Since A 1 B 2 and B 1 A 2 , reaching l a ∈ L A 2 does not depend on events of B 1 , and vice versa, reaching l b ∈ L B 2 does not depend on events of A 1 . Furthermore, since A 2 and B 2 are wrapped, they may idle for an arbitrary time and then start taking one of their initial edges. Thus (l a , l b ) ∈ Reachloc(S ) by first waiting for the termination of both A 1 and B 1 , next taking the joint step to the initial locations of A 2 and B 2 , and then continuing in A 2 and B 2 to reach l a and l b .
Remark 4 1. We show that wrapped A 2 and B 2 are necessary for Theorem 3 to hold. In Fig. 3 the ETA A 2 and B 2 are not wrapped. On the left-hand side the parallel composition P is displayed and on the right-hand side the step composition S . In P the transition of A 2 can be taken after at most 25 s global time, setting the Boolean variable go to true, and the transition of B 2 checks the guard go after more than 29 s global time, which is then found true. Hence (l a , l b ) ∈ Reachloc(P ). However, in S the final location pair (l F A 1 , l F B 1 ) is reached only after 29 s global time (with x > 19 due to the local reset of x ). Thus the invariant x ≤ 15 in the initial location of A 2 is violated. So (l a , l b ) ∉ Reachloc(S ), violating Theorem 3. Even if the clocks x and y were reset anew at the joint step in S , the invariant y ≤ 2 of the initial location of B 2 would force the transition of B 2 to check its guard go when it is still false because the transition of A 2 setting go to true is taken only after 14 s. So (l a , l b ) ∉ Reachloc(S ), again violating Theorem 3. However, wrapping A 2 and B 2 will add new initial locations (with no constraining invariants) to A 2 and B 2 , and the transitions leaving these new locations will reset the clocks x and y. Then (l a , l b ) ∈ Reachloc(P ) and (l a , l b ) ∈ Reachloc(S ), thus preserving Theorem 3.
2. We may generalize Theorem 3 to multiple parallel and step instances of ETA, as with Theorems 1 and 2. Thus, if there are no cross-interferences, i.e., $A_{i,j}$ and $A_{k,l}$ do not interfere for $i \neq k$ and $j \neq l$, and if all $A_{i,j}$ for $2 \le i \le n$ are wrapped, then
Precedence CCL
We now introduce a semantic condition termed precedence and demonstrate its use in establishing equivalences analogous to Theorems 1, 2, and 3 for ETA networks that do not respect the non-interference conditions discussed in the previous section.
Definition 16 (Precedence ≺ in ETA) For ETA $A_1, A_2$ and $C_1, C_2$, where the final location $l^F_{A_1}$ of $A_1$ has no outgoing edge, we say that $A_1$ precedes $A_2$ in the parallel context of $C_1$ and $C_2$, denoted
and each edge $e_2$ of $A_2$ that is enabled at this state, $l_{A_1} = l^F_{A_1}$ holds, i.e., $A_1$ is at its final location.
Informally, events of $A_2$ depend on the completion of $A_1$, even in the parallel context with $C_1$ and $C_2$. In practice, this semantic property is established by checking sufficient syntactic conditions on the data or clock parts of the edge guards.
For example, a timed precedence might be formalized by considering a single clock $x$ shared between $A_1$ and $A_2$, constrained at every location of $A_1$ except for $l^F_1$ by the invariant $x \le 10$, with every edge of $A_1$ being unguarded and without resets on $x$, and with every initial edge of $A_2$ guarded by the clock condition $x > 10$. Thus, in this setting $A_1$ needs at most 10 s to terminate, and $A_2$ needs at least 10 s to start, which ensures that $A_1$ precedes $A_2$ in any parallel context.
A data precedence might be formalized using a Boolean variable go that is initialized with false. If every initial edge of $A_2$ checks the Boolean condition go and only those edges leading to the final location of $A_1$ have the update go := true, then $A_2$ can only start after $A_1$ has terminated, provided the parallel context with $C_1$ and $C_2$ does not set go to true.
While the po and layered reachability equivalences of the preceding section exploit non-interference together with (wrapping-simulated) local time, precedence exploits the implicit synchronization due to global time or the write-read order due to interference from having shared data variables, giving the stronger reachability equivalence ≡ under certain "cross-precedence" conditions in compositions of ETA, as indicated by the following theorem.
Theorem 4 (≺-CCL with •-composition) For ETA $A_1, A_2$ and $B_1, B_2$ with the precedence conditions $A_1 \prec_{A_2,B_1} B_2$ and $B_1 \prec_{A_1,B_2} A_2$ the precedence CCL law
holds for the reachability equivalence ≡.
) is easy to check, as the parallel composition operator dominates on the right-hand side and the layered composition operator on the left-hand side. The dominance of layered composition induces fewer interleavings on the basis of the respective dependencies, as seen from the earlier definitions.
We now show
Induction basis. The case $i = 0$ is obvious.
Assume that the containment holds for some i .
) the proof is immediate from the induction hypothesis. We now examine $((l_{A_1}, l_{A_2}, l_{B_1}, l_{B_2}), \ldots$ The cases (a1) and (a2) are relatively straightforward. The cases (a3) and (a4) require more care. We consider case (a3) in detail. There then exist $(((l_{A_1}, l_{A_2}, l_{B_1}, l_{B_2})), x, u) \in \mathrm{Reach}_i((A_1 \bullet A_2) \parallel (B_1 \bullet B_2))$ and an edge $e_2 = (l_{A_2}, a, g, r, l'_{A_2})$ of $A_2$ which can occur at the location (
Hence $e_2$ is permitted by the layered composition with $A_1$, i.e., from $l_{A_1}$ there is no location syntactically reachable where an edge $e_1$ dependent on $e_2$ starts. Moreover, the precedence condition $B_1 \prec_{A_1,B_2} A_2$ implies that $l_{B_1} = l^F_{B_1}$, i.e., $B_1$ is at its final location. Therefore $e_2$ can also occur at $((l_{A_1}, l_{B_1}, \ldots$
Each of the synchronization cases (b1)-(b6) combines two individual edges labeled with complementary actions yielding the label τ . For the individual edges the argument is the same as above.
Theorem 5 (PrecCCL-seq) considers Precedence CCL with layered composition replaced by sequential composition.
Proof We show $(A_1 ; A_2) \parallel (B_1 ; B_2) \equiv (A_1 \parallel B_1) ; (A_2 \parallel B_2)$, i.e., the sets of reachable states are equal at every iteration $i$ of their transition relations, where the locations appearing in the states on both sides are now of the form $(l_A, l_B)$. The proof has the same structure as that of Theorem 4, except that it now takes ; instead of • into account. We focus here on the induction step $i \to i+1$ of the proof of
$A_2) \parallel (B_1 ; B_2))$ and case (a3) as in the proof of Theorem 4, where the transition stems from $A_2$. There then exist $((l_A, l_B), x, u) \in \mathrm{Reach}_i((A_1 ; A_2) \parallel (B_1 ; B_2))$ and an edge $e_2 = (l_A, a, g, r, l'_A)$ of $A_2$ which can occur at the location $(l_A, l_B)$ of $(A_1 ; A_2) \parallel (B_1 ; B_2)$ such that (
Clearly, $e_2$ occurs after termination of $A_1$. Moreover, the precedence condition $B_1 \prec_{A_1,B_2} A_2$ implies here that $e_2$ occurs after termination of $B_1$. Therefore $e_2$ can also occur at $((l_A, l_B), x, u) \in \mathrm{Reach}_i((A_1 \parallel B_1) ; (A_2 \parallel B_2))$, yielding $((l'_A, l_B), x', u') \in \mathrm{Reach}_{i+1}((A_1 \parallel B_1) ; (A_2 \parallel B_2))$.
Remark 5 1. Unlike the CCL law of Theorem 1, the Precedence CCL laws of Theorems 4 and 5 do not hold for the equality . Note also that Theorem 5 does not require the ETA $A_2$ and $B_2$ to be wrapped, in contrast to Theorems 2 and 3. This is because, due to the precedence relation, even in $(A_1 ; A_2) \parallel (B_1 ; B_2)$ the ETA $A_2$ and $B_2$ can only start when both $A_1$ and $B_1$ have terminated, and then $A_2$ and $B_2$ can start at the same global time as in $(A_1 \parallel B_1) ; (A_2 \parallel B_2)$. As ≡ is not a congruence w.r.t. parallel composition, the Precedence CCL laws do not yield equivalences in an arbitrary parallel context. 2. Generalizations of Theorems 4 and 5 to multiple parallel, layered, and sequential instances of ETA require strong precedence conditions. Thus, if $A_{i,j} \prec_{\{A_{p,q}\}} A_{k,l}$ for all $i < k$ and $j < l$ in the parallel context of all other $A_{p,q}$, then:
This also holds under identical precedence conditions with • replaced by ; .
Separation and flattening
In this section, we consider two transformations on cycles in ETA. Separation reduces the nesting of cycles, while flattening reduces the number of cycles. These transformations are sound (in the sense of reachability preservation) under the assumption that the ETA involved have memoryless cycles. Such an assumption is justified for protocols where each cycle performs some service, and there is no need to carry over information from one service cycle to the next. Separation was studied in [Coh00] in the setting of Kleene algebras, where, under certain conditions, a nondeterministic iteration of the form $(a + b)^*$ could be separated into a sequence $a^* b^*$ of iterations, with $a$ and $b$ being regular expressions for programs in a Kleene algebra. Iteration is implicit in ETA, as cycling through locations is permitted in the model (except possibly through the final location in some cases, cf. Definition 5). The $+$ operator for non-deterministic choice on regular expressions is adapted to the setting of ETA as follows:
, the choice composition of $A_1$ and $A_2$ is defined as the ETA
This operator $+$ for choice composition of ETA implements the corresponding rules of operational semantics in CCS [Mil89], where
In the above definition, the new initial location $l_0$ mimics the process algebraic expression $A_1 + A_2$, with stutter edges leading from the final locations of $A_1$ and $A_2$ to the new final location $l^F$ (with $\mathrm{Inv}(l^F) = \mathit{true}$ by Definition 1), while also accounting for the special case where $A_1$ and $A_2$ have identical initial and final locations (as encountered in Definition 18 and Sect. 6). Whereas the initial locations $l_{01}$ and $l_{02}$ may be re-entered in $A_1$ resp. $A_2$, the initial edges of $A_1 + A_2$ from the new initial location $l_0$ unfold initial cycles, such that once an initial edge of $A_1$ has been executed in $A_1 + A_2$, the other component $A_2$ will never be executed, and vice versa. Such a non-deterministic choice between the executions of ETA components may be enforced in practice by invariants and guards on the clocks and data variables, as will be seen in Sect. 6. In some applications one component may have to be (re-)entered even after the other has been executed, as will again be seen in Sect. 6. To this end, the following union operator (adapted from the UNITY program notation [CM88]) is needed to suitably glue the two component ETA together, where the initial and final locations of a given ETA are identical, and are thus (by Definition 1) not constrained by invariants.
, the union of $A_1$ and $A_2$ is defined by the ETA
, and $E$ is given by
The first five lines in the construction of $E$ in $A_1 \cup A_2$ deal with edges of $A_1$ that either leave or enter $l_{01}$, while the last five lines deal with edges of $A_2$ that either leave or enter $l_{02}$. The set of edges $E$ is obtained by appropriately assigning $l_0$ as the target or source location for edges in $E_1$ entering or leaving $l_{01}$ and for edges in $E_2$ entering or leaving $l_{02}$. While in the sequential composition $A_1 ; A_2$ we require that $l_{01} \neq l^F_1$ and $l_{02} \neq l^F_2$ with no outgoing edges from $l^F_1$, which is amalgamated with $l_{02}$ into $l^F_1$, the union $A_1 \cup A_2$ requires that $l_{01} = l^F_1$ and $l_{02} = l^F_2$, which are then amalgamated into $l_0$. Whereas in the union $A_1 \cup A_2$ possible cycles of $A_1$ and $A_2$ are glued together in the new initial location $l_0$, in $A_1 £ A_2$ the new step transition $t$ separates the $A_1$ cycles from the $A_2$ cycles, so that all $A_1$ cycles are performed before the $A_2$ cycles, while in $A_1 + A_2$ either the cycles of $A_1$ are performed (possibly reaching $l^F$ via $l^F_1$) or those of $A_2$ are performed (possibly reaching $l^F$ via $l^F_2$), but not both. The ∪ and $+$ operators are illustrated in Fig. 4.
An alternate definition of the ∪ operator for TA may be found in [BP99]. The separation Theorems 6 and 7 examine (cyclic) behaviours of the ∪ and £ operators on ETA under memoryless initial locations, where the notion of a location being memoryless is as defined below:
Definition 19 (Memoryless locations in ETA) A location $l$ of an ETA $A$ is said to be memoryless if $l$ is always entered with the same valuations of the clocks and the data variables. A sufficient syntactic condition for a location $l$ to be memoryless is that all cycles through $l$ have strong resets. A cycle of an ETA $A$ through a location $l$ is said to have strong resets if every transition entering $l$ resets all clocks and all data variables to their initial valuations. To simplify the reasoning about cycles, we wish to transform the union of ETA with memoryless cycles into their step composition. The separation Theorem 6 shows that this transformation respects a weak reachability equivalence $\equiv_r$ that is sufficient for the preservation of safety properties, as seen next.
Definition 20 (Weak reachability equivalence
where ≈ preserves location invariants, i.e., if l ≈ l then Inv (l ) Inv (l ).
Definition 20 of $\equiv_r$ is a relaxation of the notion of "emulation" introduced in Definition 2 of [CJ99]. The following theorem shows the preservation of $\equiv_r$ by separation. Proof Let $A = A_1 \cup A_2$ and consider the set of all paths of $A$. A path $\pi$ of $A$ may repeatedly cycle through $A_1$ and $A_2$ in any order. We show that such a path $\pi$ may be transformed into one of $A' = A_1 £ A_2$, consisting of consecutive paths of $A_1$ followed by consecutive paths of $A_2$ plus possibly some extra final part, while preserving weak reachability of states in the sense of $\equiv_r$, relative to the location-relation ≈.
We have that $\mathrm{Reach}(A) = \bigcup_{\pi} \mathrm{Reach}(\pi)$, the union ranging over all paths $\pi$ of $A$, where $\mathrm{Reach}(\pi)$ denotes the states of $A$ that are reachable along $\pi$. Consider a typical path $\pi$ of $A$, for example of the form $\pi = \{l_0\}\pi_1\{l_0\}\pi_2\{l_0\}\pi'_1\{l_0\}\pi'_2\{l_0\}\pi_{fin1}$, where the assertion $\{l_0\}$ indicates that the control resides in the initial location $l_0$. The paths $\pi_1$ and $\pi'_1$ represent cycles through $A_1$, the paths $\pi_2$ and $\pi'_2$ represent cycles through $A_2$, and $\pi_{fin1}$ represents the (possibly empty) final part of $\pi$, say inside $A_1$, that does not reach $l_0$ again. So $\pi$ alternates twice between $A_1$ and $A_2$ before finishing inside $A_1$. Since both $l_{01}$ and $l_{02}$ are memoryless, and owing to the preservation by ≈ of (downward closed) location invariants (cf. Definitions 1 and 20), the path $\pi$ can be transformed into two paths of $A' = A_1 £ A_2$, namely $\pi' = \{l_{01}\}\pi_1\{l_{01}\}\pi'_1\{l_{01}\}t\{l_{02}\}\pi_2\{l_{02}\}\pi'_2\{l_{02}\}$ and $\pi'_{fin1} = \{l_{01}\}\pi_{fin1}$, where $t$ refers to the stepping transition between $A_1$ and $A_2$ in $A_1 £ A_2$.
For Condition 1 of $\equiv_r$, we calculate for any $(l, x, v) \in \mathrm{Reach}(\pi)$ the following:
Remark 6 Generalization of Theorem 7 to multiple parallel, union, and step instances of ETA is possible under side-conditions similar to those required for the generalizations of Theorems 2 and 3, cf. Remarks 3 and 4. Thus, if there are no cross-interferences, i.e., $A_{i,j}$ and $A_{k,l}$ do not interfere for $i \neq k$ and $j \neq l$, and if all $A_{i,j}$ for $2 \le i \le n$ are wrapped, then
The next theorem states that an ETA with a memoryless location $l$ can be flattened into one that contains fewer cycles through $l$, while preserving $\equiv_r$.
Theorem 8 (Flattening)
$E_l = E^* \setminus \{e \mid \mathrm{target}(e) = l$ and no cycle-free syntactic path from $l_0$ to $l$ in $A^*$ contains $e\}$.
Proof By construction, $A_l$ keeps all edges that are needed to reach $l$ from $l_0$ along a cycle-free syntactic path. Consider a path $\pi$ of $A^*$, say of the form $\pi = \{l_0\}\pi_1\{l\} \ldots \pi_n\{l\}\pi_{fin}$, where the assertion $\{l_0\}$ (resp. $\{l\}$) indicates that the control resides in the location $l_0$ (resp. $l$). As $l$ is first reached along $\pi_1$, each $\pi_i$ with $i = 2, \ldots, n$ represents a subsequent cycle of $A^*$ through $l$, and $\pi_{fin}$ represents the (possibly empty) final part of $\pi$ that does not reach $l$ again. Since $l$ is memoryless, every state that is reachable along the path $\pi$ in $A^*$ is also reachable in $A_l$ along the following set of paths: $\pi_{1,2} = \{l_0\}\pi_1\{l\}\pi'_2, \ldots, \pi_{1,n} = \{l_0\}\pi_1\{l\}\pi'_n, \pi_{1,fin} = \{l_0\}\pi_1\{l\}\pi_{fin}$, where $\pi'_i$ is the path $\pi_i$ without the last transition re-entering the location $l$, for $i = 2, \ldots, n$. Thus $A^* \equiv_r A_l$ with identity as the location relation.
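The construction of $E_l$ in Theorem 8 is purely syntactic, so it can be carried out on the location graph alone. The following is added example code written for this page (not the authors' implementation); edges are tuples $(l, a, g, r, l')$ as on the page, and the sample automaton, its location names, guards and resets are constructed here.

```python
"""Flattening at a memoryless location (Theorem 8) on a small constructed ETA.

Added example code for this page, not the authors' tool. An edge is a tuple
(source, action, guard, reset, target), following the (l, a, g, r, l') shape
used on the page; guards and resets are carried along unchanged because the
construction of E_l only inspects the location graph.
"""
from collections.abc import Iterator

Edge = tuple[str, str, str, str, str]


def simple_paths(edges: list[Edge], src: str, dst: str) -> Iterator[tuple[Edge, ...]]:
    """Enumerate cycle-free syntactic paths from src to dst.

    No location is visited twice and a path stops as soon as dst is reached.
    With src == dst the enumerated paths are exactly the simple cycles through src.
    """
    def dfs(cur: str, visited: frozenset[str], path: list[Edge]):
        for e in edges:
            if e[0] != cur:
                continue
            if e[4] == dst:
                yield tuple(path + [e])
            elif e[4] not in visited:
                yield from dfs(e[4], visited | {e[4]}, path + [e])

    yield from dfs(src, frozenset({src}), [])


def cycles_through(edges: list[Edge], l: str) -> int:
    """Number of simple cycles of the automaton that pass through location l."""
    return sum(1 for _ in simple_paths(edges, l, l))


def flatten_at(edges: list[Edge], l0: str, l: str) -> list[Edge]:
    """E_l = E* minus {e | target(e) = l and no cycle-free path from l0 to l contains e}.

    Edges entering l that lie on some cycle-free path from l0 are kept; every
    other edge entering l (i.e. every edge that merely re-enters l) is dropped.
    For l == l0 the empty path already reaches l0, so no entering edge is needed.
    """
    needed: set[Edge] = set()
    if l != l0:
        needed = {e for p in simple_paths(edges, l0, l) for e in p}
    return [e for e in edges if e[4] != l or e in needed]


def reachable_locations(edges: list[Edge], l0: str) -> set[str]:
    """Locations syntactically reachable from l0; flattening leaves this set unchanged."""
    seen, stack = {l0}, [l0]
    while stack:
        cur = stack.pop()
        for e in edges:
            if e[0] == cur and e[4] not in seen:
                seen.add(e[4])
                stack.append(e[4])
    return seen


# Constructed sample A*: two service cycles through l1 (via l2 and via l3), both
# re-entering l1 with a strong reset of clock x and data variable i, so l1 is
# memoryless; plus an exit edge to the final location lF.
SAMPLE: list[Edge] = [
    ("l0", "start", "true", "x:=0,i:=0", "l1"),
    ("l1", "req",   "x<=5", "",          "l2"),
    ("l2", "done",  "true", "x:=0,i:=0", "l1"),  # re-enters l1: dropped by flatten_at
    ("l1", "alt",   "x>5",  "",          "l3"),
    ("l3", "back",  "true", "x:=0,i:=0", "l1"),  # re-enters l1: dropped by flatten_at
    ("l1", "exit",  "true", "",          "lF"),
]

if __name__ == "__main__":
    flat = flatten_at(SAMPLE, "l0", "l1")
    print(cycles_through(SAMPLE, "l1"), "->", cycles_through(flat, "l1"))  # 2 -> 0
    print(reachable_locations(flat, "l0") == reachable_locations(SAMPLE, "l0"))  # True
```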
If $E_l \subset E^*$ then $A_l$ is a flattened version of $A^*$ with a reduced number of cycles through $l$. Note that flattening at $l_0$ will remove every edge $e$ with $\mathrm{target}(e) = l_0$, because no edge is needed to reach the initial location $l_0$. So $A_{l_0}$ is cycle-free at $l_0$. Next, we consider flattening of $A^*$ in the context of a parallel composition $A^* \parallel B$ and state sufficient conditions for the preservation of location reachability.
4. Precedence layering. We prove that $A_1 \parallel B_1$ satisfies MX. Consider the ETA $A_{01}, A_{11}, A_{21}, B_{01}, B_{11}$, and $B_{21}$ shown in Fig. 10. As before, $x$ and $y$ are clocks, and $i$ is a shared data variable ranging over 0, 1, 2, initialized with 0.
Remark 8 While the example of this section considers two parallel timed processes competing for access to two critical sections, it may be generalized to multiple critical sections and multiple parallel instances. The corresponding, more complex protocol admits analysis, however, via generalizations of our transformations to multiple step and parallel instances (cf. Remarks 2, 3, 4, 5, 6 and 7).
Related and future work
Early work on distributed systems considered "regularity" conditions [Boc79, Boc88], under which the system behaviour is independent of communication delays, thus simplifying its (semi-formal) design and analysis. The regularity conditions therein (specified in a discrete-time setting) roughly correspond to our notion of wrapping, where timing influences from other parallel components are likewise decoupled. A constraint-based decompositional proof methodology was illustrated in [LSW96] on the standard Fischer's protocol, formalized as a timed modal specification. More recently, an analysis of TA networks with "disjoint phases of activity" has been carried out in [MWP12], where it has been shown that the parallel composition of two TA (without shared data variables) is bisimilar to their sequential composition, if the TA exhibit certain periodic but non-overlapping behaviours.
In [CJ99] it was shown that any TA (possibly containing nested cycles, but again without shared data variables) may be transformed into one that is flat (in the sense that each location is part of at most one cycle), while preserving the reachability relation between states. Their (non-local) transformation, while applicable to all TA, is however not preserved in the context of parallel composition, and suffers from an exponential blow-up in the number of locations in the flattened TA, cf. Lemma 3 of [CJ99]. Our (local) separation and flattening transformations, on the other hand, are applicable (in the context of parallel composition) to the data-enriched setting of ETA networks, and maintain the same number of locations, while reducing the nesting depth and deleting those transitions that (re-)enter memoryless locations, cf. Theorems 7 and 9.
A layered transformation for distributed algorithms with (predominantly synchronous) message passing was presented in [SdR94]. Round-based communication closedness was considered in [CSCBM09] for fault-tolerant distributed algorithms with asynchronous message passing, with messages being considered only in the rounds during which they were sent. Consensus algorithms in such a setting were then brought under the scope of automatic verification, by means of "reduction theorems", cf. [CSCBM09].
Our example of real-time mutual exclusion is small but instructive; it served to illustrate the interplay of the structural transformations of separation, layering, and flattening. Previously, in [OS10], we applied the layered transformation to conceptually simplify the collision avoidance protocol of an audio/video system of Bang & Olufsen, which was first modelled in [HSLL97].
In [SKO12], we presented a layered transformation of randomized distributed algorithms (modelled as compositions of probabilistic automata), and applied it to the conceptual simplification of a randomized algorithm for mutual exclusion, which was first presented in [KR92]. A reduction of the reachable state space of the algorithm of [KR92] based on our layered transformation in [SKO12] has been experimentally confirmed in [SK14b, SK14a], which consider modal specifications and probabilistic extensions thereof.
For future work, it would be interesting to investigate whether the Gear Production Stack case study in [PM09] admits state space reduction by our flattening transformation. Another possible direction could be the development of a structured extension to the slicing abstractions (SLAB) model checker [DKFW10], which would pre-process the model according to our transformation rules, thus simplifying the model's subsequent verification.
