Automated high integrity reactive systems required in the control of defence, automotive, rapid mass transport, manufacturing and healthcare systems, among many others, accentuate the need for formal specification and design tools. Reconfigurability by design is an added requirement given the costly development processes. Many of these systems are hybrids of discrete-event and continuous-time subsystems. Statecharts (implemented as Stateflow in Matlab) are increasingly being proposed as the language of choice for the discrete-event part. However, the complex semantics of statecharts make automated formal verification difficult, and it remains largely an unresolved problem. Formal verification, in preference to simulation/testing, is necessary to specify these systems at the required level of integrity and to maintain traceability along the different phases of design and operation. Drawing on a number of approaches by others to developing formal semantics at requirement and implementation levels, the author made a first attempt at a modular formal verification strategy applicable to statechart-based controller specifications for complex reactive systems; an early version of that approach, based entirely on regular languages (hence finite state automata) and different compositions thereof, was published in 2005. The key idea was the implementation of these composition operations through suitably interpreted port structures between pairs of automata resulting from a decomposition of the statechart. Application development based on this model has been carried out with collaborators on an elevator test rig built for the purpose and is still continuing. While many of the underlying concepts remain valid and there is much to be learnt from their practical implementation and extension, the model has fundamental limitations stemming from the rather basic computational and expressive power of regular languages.
In the current paper the author attempts to extend the method to context-free language based models (hence pushdown automata, PDA) to include real-time semantics for internal (fast) events and general correctness properties expressed in temporal logic, posed as supervisory specifications of Ramadge-Wonham type interpreted on the port structures between pairs of PDA whenever possible. It is shown that decidability problems limit this choice to restricted forms of context-free languages, and the development is done with Event-clock Visibly Pushdown Automata (ECVPA), which are closed under Boolean operations and determinisable. The ECVPA-based verification model is presented with high-speed railway signalling as a target environment.
1. Introduction

1.1.
Automated high integrity reactive systems required in the control of defence (e.g., a target-tracking system), automotive (e.g., a traction-control system), rapid mass transport (e.g., a collision avoidance system) and manufacturing (e.g., an exception handling system) systems need formal verification to guarantee their fault-free operation. For these complex reactive systems, which continuously react to external stimuli (called events), we need methods and tools that permit specifying them in a precise, easy and safe way, maintaining traceability along the different phases of the design and facilitating analysis and verification of behaviour. Modularity, reconfigurability, formal specification and compositional formal verification are crucial considerations.
Modelling languages like UML [36] describe high-level structure and behaviour rather than the implementation of solutions. Simulators can help to validate systems, i.e. discover design flaws, if those flaws happen to occur in a simulation session. As with testing, simulators cannot show the absence of errors. In contrast, formal verification establishes correctness by mathematical proof. Logically expressed properties are completely unambiguous and can thus form the basis for automated verification and validation of systems.
1.2.
The general context of formal verification in this environment has been discussed in [35] and [6], and the preferred base models are finite state structures. Traditionally the verification problem is posed as determining whether a formula evaluates to true or false in an interpretation, where the interpretation represents a system modelled as a finite state structure and the formula represents a correctness property of this system. This task is generally known as model checking. The model checker either confirms that the formula is true in the model, or informs the user that it does not hold, in which case it also provides a counter-example: a run of the system that violates the property. However, in practical situations the resource requirements (execution time and memory) may prohibit verifying more than an approximate model of the system. Hence a positive outcome no longer guarantees the correctness of the system and, conversely, an error found by the model checker may be due to an inaccurate abstraction of the system. Nevertheless, this has been the preferred approach to system verification for computer scientists: see, for example, the model checkers SPIN [49] and NuSMV [50].
1.3.
On the other hand, Supervisory Control Theory (SCT) for Discrete Event Dynamic Systems (DES), which integrates systems and control theory with formal computer science [2], formalises most of the applicable approaches stemming from control-theoretic reasoning to this problem: Markov chains, automata, max-plus algebra and Petri nets. A discussion and comparison of these models can be found in [18], [19]. The basic supervisory control framework for modelling DES is an untimed logical model expressed in terms of the observation and inhibition of events [2]. Within this framework, system behaviours are described by languages (i.e. sets of strings of events) and the theory seeks to determine which behaviours can be achieved through inhibition of future events by a supervising agent.
Many aspects of this model have been studied: a partial list includes observability [20], control based on partial observation [21], [22], modular control [23], decentralised control [24], nondeterminism [25], timed aspects [26] and concurrency [27]. Complexity issues arise in the supervisory model due to the combinatorial explosion of the number of states [28]. Hierarchical formulations for supervisory control have appeared in [29]. This body of research represents the most comprehensive set of formal verification and validation tools in controller design for asynchronous event-driven systems to date. The base model is always the finite state machine in its different forms or, equivalently, language models. However, industrial adoption has been very limited and SCT remains mostly confined to theorists.
controllers for complex reactive systems. Bhaduri and Ramesh [5] give a survey of existing approaches to the formal verification of statecharts using model checking [6]. In [30] a formal logical language is used, with real-time properties expressed in timed computation tree logic, TCTL [31]. However, these specifications form only the input to a proprietary model checker. The basic approach followed in model checkers like SPIN and NuSMV is to formulate logical and performance (temporal) specifications as well-formed formulas (wff) and to check them, in symbolic checkers such as NuSMV by means of Binary Decision Diagrams (BDD), on system models developed as Kripke structures (labelled transition systems). The common problems here are the limited semantics captured in the translation of statecharts to Kripke structures and the state space explosion in the resulting flat model.
1.4.2.
In [17] the author proposed a modular formal verification strategy applicable to statechart-based controller specifications for complex reactive systems, based entirely on regular languages (hence finite state automata) and different compositions thereof. The key idea was the implementation of these composition operations through suitably interpreted port structures between pairs of automata resulting from a decomposition of the statechart. Application development based on this model has been carried out with collaborators on an elevator test rig built for the purpose and is still continuing [58, 59, 60]. While most of the underlying concepts remain valid and there is much to be learnt from their practical implementation and extension, the model has fundamental limitations stemming from the rather basic computational and expressive power of regular languages, the lowest level of the Chomsky hierarchy. In the current paper the author attempts to extend the method to context-free language based models (hence pushdown automata, PDA) to include real-time semantics for internal (fast) event handling and general correctness properties expressed in temporal logics, posed as supervisory specifications of Ramadge-Wonham type whenever possible. The verification task then reduces to checking the controllability of these supervisory specifications with respect to PDA interpreted as local plant models. As an outcome of this effort it is shown that decidability problems limit this choice to restricted forms of context-free languages, and that Event-clock Visibly Pushdown Automata (ECVPA), which are closed under Boolean operations and determinisable, are arguably the best available option. Hence the development was done with ECVPA. The resulting compositional verification method is presented with high-speed railway signalling as the target application environment.
The remainder of the paper is organised as follows. Section 2 gives a very brief introduction to supervisory control theory for DES; Section 3 establishes the need for a formal verification methodology applicable to statecharts. Outstanding issues and available options for developing a suitable formal verification methodology are given in Section 4. Section 5 presents the proposed modular verification methodology and its application to railway signalling. Section 6 concludes the paper.
2. Supervisory Control Theory for Discrete Event Systems (DES)
A plant to be controlled is modelled as a language generator defined as a 5-tuple [2], $G = (Q, \Sigma, \delta, q_0, Q_m)$, where $\Sigma$ is the alphabet of events, $Q$ is the set of states, $q_0$ is the initial state, $Q_m$ is the set of final or marker states, and $\delta$ is the partial transition function.
The partial function $\delta$ is extended to event strings in the usual way.
$L(G)$ is the language generated by $G$, and $L_m(G)$ is the language marked by $G$. Some of the events in the alphabet $\Sigma$ can be controlled (and are hence called controllable), denoted $\Sigma_c$, while the other events are uncontrolled (or uncontrollable), denoted $\Sigma_u$.
$G$ is non-blocking if every string that can be generated by $G$ is a prefix of a marked string of $G$. $G$ is trim if it is both reachable and coreachable. A supervisory control for $G$ amounts to enabling some controllable events at each state, i.e. a map $V: L(G) \to \Gamma$. Each subset of enabled events (in a given state) is a control pattern, and the set of all control patterns is $\Gamma = \{\gamma \in \mathrm{Pwr}(\Sigma) \mid \gamma \supseteq \Sigma_u\}$. The pair $(G, V)$ is written $V/G$ to suggest "$G$ under the supervision of $V$": the controller tracks the state changes of the system and at each new state computes a set of enabled events (and, implicitly, the set of disabled events).
There exists a non-blocking supervisory control $V$ for $G$ such that $L_m(V/G) = K$ if and only if $K$ is controllable with respect to $G$ and $L_m(G)$-closed.
Let $E \subseteq \Sigma^*$. Then the set of all sublanguages of $E$ that are controllable with respect to $G$ is $C(E) = \{K \subseteq E \mid K \text{ is controllable with respect to } G\}$. $C(E)$ always contains a unique supremal element, which we denote $\sup C(E)$.
Let $E \subseteq \Sigma^*$ be $L_m(G)$-marked, and let $K = \sup C(E \cap L_m(G))$. If $K \neq \emptyset$, there exists a non-blocking supervisory control $V$ for $G$ such that $L_m(V/G) = K$.
In modular synthesis, even if the separate local supervisor actions are non-blocking, the concurrent action of these supervisors may lead to blocking or conflict. Therefore it is important to check for conflict between supervisors. If the supervisors $S_i, S_{i+1}, S_{i+2}, \ldots$ are non-blocking supervisors for the generator $G$, then their concurrent action $S_i \wedge S_{i+1} \wedge S_{i+2} \wedge \ldots$ is non-blocking if and only if the languages $L_c(S_i/G), L_c(S_{i+1}/G), \ldots$ are non-conflicting, in other words [33]:
(2.6)
A more useful result related to modular control, in the author's opinion, is obtained by combining (2.5) above with Propositions 5.1 and 5.2 of [2], taken together with the fact that any two closed languages are non-conflicting.
(2.7)
The importance of (2.7) derives from the fact that if $K_1$ and $K_2$ are two closed and controllable languages for a plant $G$, then the existence of non-blocking modular supervisors $S_1$ and $S_2$ implementing $K_1$ and $K_2$ is guaranteed, and the controllability of $K_1 \cap K_2$ for $G$ and the existence of a non-blocking supervisor $S_{12}$ implementing $K_1 \cap K_2$ are also guaranteed.
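As an added illustration of the definitions above (example code written for this page, not the author's verification tool), the following Python computes $\sup C(E \cap L_m(G))$ for a plant $G$ and a specification $E$ given as finite automata, using the standard fixpoint iteration: states at which an uncontrollable event enabled in $G$ would leave the candidate language are deleted, then states from which no marked state is reachable, until nothing changes. The plant (a machine that may break down) and the two specifications are constructed for the example; the same `is_controllable` test applies to the product of two modular specifications when checking the hypotheses of (2.7).

```python
"""Supremal controllable sublanguage for finite automata (added example).
Plant G = (Q, Sigma, delta, q0, Qm) and specification E are deterministic
automata; an event for which E has no transition is forbidden by E."""
from collections import deque

class Automaton:
    def __init__(self, states, alphabet, delta, init, marked):
        self.states, self.alphabet = set(states), set(alphabet)
        self.delta = dict(delta)        # (state, event) -> state, partial
        self.init, self.marked = init, set(marked)

    def step(self, q, ev):
        return self.delta.get((q, ev))

def accepts(a, word):
    """True iff the event string leads from the initial to a marked state."""
    q = a.init
    for ev in word:
        q = a.step(q, ev)
        if q is None:
            return False
    return q in a.marked

def _reachable(init, alphabet, delta):
    seen, todo = {init}, deque([init])
    while todo:
        s = todo.popleft()
        for ev in alphabet:
            t = delta.get((s, ev))
            if t is not None and t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def product(g, e):
    """Reachable synchronous product G || E; states are (plant, spec) pairs."""
    delta = {((x, y), ev): (g.step(x, ev), e.step(y, ev))
             for x in g.states for y in e.states for ev in g.alphabet
             if g.step(x, ev) is not None and e.step(y, ev) is not None}
    init = (g.init, e.init)
    seen = _reachable(init, g.alphabet, delta)
    delta = {k: v for k, v in delta.items() if k[0] in seen}
    marked = {s for s in seen if s[0] in g.marked and s[1] in e.marked}
    return Automaton(seen, g.alphabet, delta, init, marked)

def is_controllable(g, k, uncontrollable):
    """K (reachable sub-automaton of G || E) is controllable w.r.t. G iff no
    state of K disables an uncontrollable event that G can execute there."""
    return not any(g.step(x, u) is not None and k.step((x, y), u) is None
                   for (x, y) in k.states for u in uncontrollable)

def _coreachable(k, alive):
    """Subset of `alive` from which a marked state is reachable inside `alive`."""
    good = {s for s in alive if s in k.marked}
    changed = True
    while changed:
        changed = False
        for (s, _), t in k.delta.items():
            if s in alive and s not in good and t in good:
                good.add(s)
                changed = True
    return good

def supremal_controllable(g, e, uncontrollable):
    """Automaton for sup C(E ∩ Lm(G)), or None when that language is empty.
    Delete 'bad' states (an uncontrollable event enabled in G leads outside the
    surviving set) and blocking states until a fixpoint; what survives is
    controllable and nonblocking, and no larger sublanguage of E ∩ Lm(G) is."""
    k = product(g, e)
    alive = set(k.states)
    while True:
        bad = {(x, y) for (x, y) in alive
               if any(g.step(x, u) is not None and k.step((x, y), u) not in alive
                      for u in uncontrollable)}
        survivors = _coreachable(k, alive - bad)
        if survivors == alive:
            break
        alive = survivors
        if k.init not in alive:
            return None
    delta = {key: t for key, t in k.delta.items() if key[0] in alive and t in alive}
    seen = _reachable(k.init, k.alphabet, delta)
    return Automaton(seen, k.alphabet, delta, k.init, k.marked & seen)

# Constructed plant: a machine that may break down while working.
EVENTS = {"start", "finish", "breakdown", "repair"}
UNCONTROLLABLE = {"finish", "breakdown"}          # start, repair are controllable
PLANT = Automaton({"idle", "busy", "down"}, EVENTS,
                  {("idle", "start"): "busy", ("busy", "finish"): "idle",
                   ("busy", "breakdown"): "down", ("down", "repair"): "idle"},
                  "idle", {"idle"})
# Spec 1: the machine never breaks down (breakdown absent from E, hence forbidden).
SPEC_NO_BREAKDOWN = Automaton({"A", "B"}, {"start", "finish"},
                              {("A", "start"): "B", ("B", "finish"): "A"}, "A", {"A"})
# Spec 2: after a repair the machine is never started again.
SPEC_NO_RESTART = Automaton({"A", "B"}, EVENTS,
                            {("A", "start"): "A", ("A", "finish"): "A", ("A", "breakdown"): "A",
                             ("A", "repair"): "B", ("B", "finish"): "B", ("B", "breakdown"): "B"},
                            "A", {"A", "B"})

if __name__ == "__main__":
    for name, spec in (("no breakdown", SPEC_NO_BREAKDOWN), ("no restart", SPEC_NO_RESTART)):
        sup = supremal_controllable(PLANT, spec, UNCONTROLLABLE)
        print(name, "| spec controllable:",
              is_controllable(PLANT, product(PLANT, spec), UNCONTROLLABLE),
              "| sup C states:", None if sup is None else len(sup.states))
```

Spec 1 is not controllable: once the machine is started, `breakdown` cannot be prevented, so the only way to honour the specification is never to issue `start`, and $\sup C$ collapses to the single marked initial state (the language $\{\varepsilon\}$). Spec 2 only disables the controllable `start`, so it is controllable as it stands and the supremal sublanguage is the whole of $E \cap L_m(G)$.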
(2.8)
In general, the local decisions of local supervisors are fused by a decision fusion rule in order to arrive at the global control action of a decentralised supervisor. The permissive control of SCT implies a conjunctive fusion rule: a controllable event is enabled by default and is disabled if at least one local supervisor decides to disable it. Taken as a general rule this appears to pose a difficult problem for event forcing, and event forcing is necessary in implementing logic control, particularly in real-time and safety-critical contexts: an event perfectly legally forced by one module could result in an illegal string for some other module. However, there are many controllable events that can safely be disabled by default and enabled if at least one supervisor decides to enable them [34]: the disjunctive fusion rule. Condition (2.6) applies only if all controllable events are subject to the conjunctive decision fusion rule. Co-observability together with controllability has been proposed in [40] as a necessary and sufficient condition for guaranteeing (2.6). The D&A co-observability of [34] is a direct extension of this to mixed fusion rules (disjunctive and conjunctive). D&A co-observability, controllability and $L_m(G)$-closure are necessary and sufficient conditions for the existence of non-blocking decentralised supervisors in this latter case.
(2.9)
A polynomial-time algorithm for deciding whether there is a partition of the controllable events into conjunctive and disjunctive sets such that co-observability is satisfied, and, if such a partition exists, a polynomial-time algorithm to compute it, are given in [34].
(2.10)
Remark II.1: A common flaw we see in the approaches of both [40] and [34] [38], [39]. The reader can get a good understanding of the basics of Supervisory Control Theory for DES from [1] and [2]. Hence, from the point of view of developing compositional procedures for checking the controllability of logical and behavioural specifications on a distributed plant model, which is the central idea of the proposed formal verification model, current supervisory control theory does not provide direct answers, particularly in view of the problems related to the formal verification of statecharts identified in Section 1.4.1 above and further demonstrated in Section 3 below. However, as will be seen in the remainder of this paper, we manage to develop an effective strategy to address these issues based on a combination of these and some other results related to the extension of SCT to non-regular languages.
Now we will take a closer look at individual features of statecharts and the verification challenges they pose.
3. Establishing the need for a formal verification methodology applicable to statecharts

3.1.
The complex features of statecharts interact in intricate and unpredictable ways. Hence it is extremely difficult to provide a coherent formal semantics for these semantically rich features. This has resulted in a large number of proposals for statechart variants and their formal semantics [5]. In the model checking framework, which is by far the verification and validation method with the widest acceptance in industry as well as in the research community, the system is represented as a transition system (equivalently, a Kripke structure [32]
3.2.
Attempts have been made from a practical, implementation-oriented perspective to formulate formal semantics that restrain or remove some of these features as required, without compromising the representational and computational power necessary for unambiguously specifying the requirements of a target application area, real-time systems for instance. In this approach one starts from what is required and attempts to build a formal semantics that guarantees unambiguous expression of the design specifications and their realisability, borrowing the semantic possibilities offered by statecharts. This permits one to retain the essential subset of features (targeted at the critical application area) that can be captured in a rigorous formal semantics. Notable in this kind of approach is the work reported in [51] on real-time statechart semantics. A formal semantics permits one to form well-formed formulas, but when the focus is formal verification it is also important to know the decidability properties of the formalism. In this regard, the formal semantics proposed for restricted statecharts derive basically from timed automata of the Alur-Dill [52] type, for which most decision problems, such as language inclusion, are undecidable. On the other hand, there are restricted forms of time constraints for which the reachability problem remains decidable. Likewise, compositionality results are available for restricted forms of timed input/output automata. We shall now look at the key features of statecharts from the perspective of the semantics necessary for formal verification of high integrity reactive systems specified with them.
3.3.
State Hierarchy
The straightforward way to represent a statechart as a transition system is to flatten its hierarchy. While this permits translation of the statechart into the input languages of standard model checking tools, the resulting exponential blow-up in the number of states limits the size of the models that can be checked. Hence there is a need to facilitate modular/compositional testing and verification.
Non-compositionality: inter-level transitions
A syntax-directed, hierarchical semantics and translation scheme for statecharts is crucial for efficient verification of their correctness. A compositional semantics interprets the meaning of a composite statechart in terms of the semantics of its constituent components, without having to consult their internal structure. The semantics of inter-level transitions violate the state encapsulation hierarchy and hence compositionality. The most comprehensive treatment of compositional semantics for statecharts is that of Damm et al [61], which focuses on asynchronous, or super-step, semantics. A super-step consists of a chain of reactions (called steps) of the system being controlled to an external stimulus. Their compositional semantics, developed in terms of compositional synchronous transition systems, distinguishes between external and internal events and gives them different semantics. They consider the internal variables of two systems to be disjoint: is this always realistic? What if an internal variable of one system is an external variable of the other? Notably, they also assume that each object has complete knowledge of the variables generated by other systems that can have any effect on it, and that all local computations are carried out with this knowledge. From the point of view of any given system this is almost centralised control!
However, with these and other assumptions it becomes possible to perform compositional verification of their well-formed statecharts using symbolic model checking. Huizing et al [53] have also proposed a compositional semantics for statecharts using their Unvs, or incomplete statecharts, as constructs, together with the notion of observable behaviour they introduce. We have not gone deeply into this, but there seem to be interesting possibilities stemming from this important work; we intend to pursue this line in future work.
Eshuis et al [62] claim that the following choices have to be made for any semantics of statecharts, regardless of semantic level or design paradigm.
A clock-synchronous or clock-asynchronous semantics. In the clock-synchronous semantics, the system starts processing its input only at the tick of the clock. In the clock-asynchronous semantics, the system starts processing its input as soon as it receives it.
Synchronous or asynchronous communication. In synchronous communication, the caller must wait until the callee has finished processing the communication. In asynchronous communication, the caller continues without waiting for the receiver to finish processing the communication.
Conflicting Transitions and Transition Priority
Models of Time
The definition of what constitutes a step is central to the semantics of statecharts. The synchronous semantics of statecharts referred to above is simpler to model using transition systems; the greediness of transition execution inherent in the asynchronous semantics makes it difficult to model. As explained above, Eshuis et al [62] present two different ways of executing a step. In the clock-synchronous semantics, a step is executed when the clock ticks. In the clock-asynchronous semantics, a step is executed immediately when new events arrive; the system then becomes unstable and reacts infinitely fast until it is stable again. This corresponds to the execution of a super-step in [61] and to the synchrony assumption of synchronous languages. Since these are requirement-level semantics for real-time systems, they are relevant to our work. However, the CLKS on which they have developed their semantics imply all the limitations attributed to Kripke structures above.
Thus the infeasibility of formally verifying monolithic control specifications using the complete semantic richness of statecharts, and the need for modular specification and verification methodologies applicable to statechart-based controllers for reconfigurable reactive systems, are established. The almost total dependence on model checking is seen as a consequence of the early realisation that satisfiability of behavioural properties stemming from rich statechart semantics is most often undecidable: this makes it unrealistic to expect formal proofs for large-scale monolithic specifications.
4. Outstanding issues and available options for developing a suitable formal verification methodology
The rest of this section is devoted to a progressive demonstration of the outstanding issues in developing a formal verification methodology, through critical examination of the available options. The solution proposed in the next section is a natural development of this analysis.
Remark IV.1: The main concern is how to find a way to bring in compositionality and then to develop a modular verification strategy in the presence of inter-level transitions.
Drusinsky and Harel [7] develop the statechart into a tree of interconnected finite state machines (FSMs) under the implicit assumption that there are no real outputs on states or transitions, in which case all input events are externally generated. However, their objective in this decomposition was hardware optimisation (substrate layout design for reduced area and power consumption) for a PLA implementation of controllers specified using statecharts. They use the fact that the area of a PLA is mainly determined by the number of minterm lines, which is of the order of $n^2$, where $n$ is the number of states, with one minterm for each transition of an FSM [7]. They show that with their decomposition the number of minterms is determined by the largest submachine (sub-FSM) and the intra-machine connections. In this manner, by keeping the submachine size small, they achieve great layout economy. In this design process their design choices do not seem to be affected by real outputs (events) on states or transitions which could be inputs (internal events, also called fast events in [61]) to the trigger conditions of other transitions. In contrast, these internal events are a major concern in our design of a compositional formal verification scheme (the earlier regular-language-based proposal by the author did not consider these internal events).
Remark IV.2: The approach would look more appealing if internally generated event handling capacity could be incorporated into this development.
Remark IV.3: This seems to be possible using the results of Tiwari [41] on mapping Simulink Stateflow models (the Matlab implementation of statecharts) to a set of automata communicating through a global stack of events. The choice of a global stack is justified by the Stateflow semantics, which treat events sequentially, one at a time (in contrast to the richly parallel semantics implied by the original statechart model). The preoccupation in [41] was to provide a formal semantics for Stateflow, which lacked any. The unlimited memory provided by the stack was all they needed to store the internally generated events and account for them in a pushdown-like interpretation. This, however, does not elevate their model to a communicating pushdown system (even though they call it so), because a pushdown automaton, by definition, should have its own unbounded stack, not one shared with others. Nevertheless, for the restricted semantics implemented by Stateflow, this scheme provides higher expressive power than a regular-language-based interpretation. However, in order to capture the parallel semantics of statecharts it would be necessary to manage the internally generated events separately for AND states, i.e. using separate stacks. This suggests a set of communicating pushdown automata (PDA) with a single stack for each OR state and individual stacks for the component FSMs of AND states. This would make it possible to use the higher computing power of context-free grammars instead of regular grammars and, hence, first-order logic instead of propositional logic. While this is a plus point, how to capture the synchronous interpretation of certain transitions and the asynchronous firing of others on some of these PDA is not very clear. Also, the results known to us on the application of formal verification tools to a plant modelled as a PDA are limited to reachability analysis [41], [46].
As far as model checking approaches are concerned, algorithms for various temporal logics have been proposed for pushdown systems: while the model-checking problem for branching-time logics is computationally intractable, the linear-time case can be solved in time polynomial in the size of the system (for a fixed formula). Since even these results, limited as they are, concern monolithic PDA, the implementation of statecharts as communicating PDA does not seem very promising from a compositionality point of view.
Remark IV.4: Griffin [46] considers a regular plant language $L$ and a context-free specification language $S$, and shows that the controllability of the specification with respect to the plant is decidable. Note that the intersection of a context-free language with a regular language is again context-free [54]. This is an important result. Then there is the work by Alur et al on visibly pushdown automata (VPA) [55] and event-clock automata [56], and the event-clock visibly pushdown automata (ECVPA) of Tang et al [57], which provide compositional semantics for a restricted but adequately powerful class of pushdown automata in the context of the control of reactive systems.
A (non-deterministic) visibly pushdown automaton on finite words is defined over a partitioned input alphabet $\Sigma = \Sigma_c \cup \Sigma_r \cup \Sigma_l$, where $\Sigma_c$ is a finite set of calls, $\Sigma_r$ a finite set of returns and $\Sigma_l$ a finite set of local actions. The restriction is that the automaton pushes onto the stack only when it reads a call, pops the stack only on returns, and does not use the stack when it reads local actions. The input therefore controls which stack operation is permitted at each step; there is, however, no restriction on the symbols that may be pushed or popped [55]. This mode of operation is adequate for the present task environment.
VPA are closed under Boolean operations, a property fundamental to the compositionality of models. Further, the language inclusion problem is decidable for them: this is in fact a required property for formal verification of the models, because the verification problem amounts to determining whether the plant language is included in a given specification language.
The event-clock automata of Alur et al are a determinizable class of timed automata [56], constructed by restricting the use of clocks in timed automata. The clocks of an event-clock automaton have a fixed, predefined association with the symbols of the input alphabet. The event-recording clock $x_a$ of an input symbol $a$ is a history variable whose value always equals the time of the last occurrence of $a$ relative to the current time; the event-predicting clock $y_a$ of $a$ is a prophecy variable whose value always equals the time of the next occurrence of $a$ relative to the current time (if no such occurrence exists, the clock value is undefined). The class of event-clock automata is sufficiently expressive to model real-time systems with finite control and to specify common real-time requirements.
Then $C_\Sigma = \{x_a \mid a \in \Sigma\} \cup \{y_a \mid a \in \Sigma\}$ is the set of event-recording and event-predicting clocks. For each position $j$ of a timed word, the clock-valuation function is then a mapping from $C_\Sigma$ to clock values. A clock constraint compares clock values to rational constants, or to the special value that indicates the absence of a future occurrence of $a$; it can also be a Boolean combination of such comparisons. For instance, the hard real-time requirements that "every request is followed by a response within 3 seconds" and that "every two consecutive requests are separated by at least 5 seconds" can be expressed using event-clock automata.
An event-clock visibly pushdown automaton (ECVPA) [57] on finite timed words over $\Sigma$ is a tuple $M = (Q, \Sigma, Q_0, \Gamma, \delta, F)$, where $Q$ is a finite set of locations, $Q_0 \subseteq Q$ is a finite set of initial locations, $\Gamma$ is a finite stack alphabet that contains a special symbol $\bot$ (the bottom-of-stack symbol), $F \subseteq Q$ is a set of final locations, and $\delta = \delta_c \cup \delta_r \cup \delta_l$ is the transition relation:
The intuitive meaning of the transition relation is as follows:
$(q, a, \varphi, q', \gamma) \in \delta_c$ is a push-transition: on reading $a$ when the clock valuation satisfies the clock constraint $\varphi$, the symbol $\gamma$ is pushed onto the stack and the location changes to $q'$.
$(q, a, \varphi, \gamma, q') \in \delta_r$ is a pop-transition: on reading $a$ when the clock valuation satisfies $\varphi$, $\gamma$ is popped from the stack and the location changes from $q$ to $q'$ (if $\gamma = \bot$, it is read but not popped).
$(q, a, \varphi, q') \in \delta_l$ is an internal transition: on reading $a$ when the clock valuation satisfies $\varphi$, the location changes from $q$ to $q'$ without any stack operation.
The class of ECVPA is expressive enough to specify common context-free real-time properties such as "if p holds when a procedure is invoked, then the procedure must return within d time units and q must hold at the return state". Besides, the class of ECVPAs is closed under all Boolean operations.
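To make the VPA stack discipline and the ECVPA definition above concrete, the following Python (an added example written for this page, not code from [55], [56] or [57]) computes event-recording and event-predicting clock valuations from a finite timed word, enforces the visibly pushdown discipline (push on calls, pop on returns, no stack use on local actions, the bottom symbol read but never popped) and runs a small deterministic ECVPA for the property quoted above. The alphabet, the stack symbols `P`/`N` and the deadline `d` are assumptions of the example: calls and returns are tagged with the propositions p and q in their symbol names so that "p holds at the call" and "q holds at the return" are visible to the automaton, and the deadline is checked with the event-predicting clock of the q-return at the call, which for non-nested words is exactly "the matching return occurs within d".

```python
"""Deterministic ECVPA on finite timed words (added example).
A timed word is a list of (symbol, time) pairs with non-decreasing times.
Guards are predicates over the clock dictionaries x (event-recording) and
y (event-predicting); a missing key means that clock is undefined."""
BOTTOM = "⊥"   # bottom-of-stack symbol, read by returns but never popped

def clock_valuation(word, j):
    """x[a] = time since the last a strictly before position j,
    y[a] = time until the first a strictly after position j."""
    t = word[j][1]
    x, y = {}, {}
    for a, ti in reversed(word[:j]):
        x.setdefault(a, t - ti)
    for a, ti in word[j + 1:]:
        y.setdefault(a, ti - t)
    return x, y

class ECVPA:
    def __init__(self, calls, returns, locals_, init, final, push, pop, local):
        self.calls, self.returns, self.locals = set(calls), set(returns), set(locals_)
        self.init, self.final = init, set(final)
        self.push = push      # (q, a)        -> (guard, q', gamma)   push-transitions
        self.pop = pop        # (q, a, gamma) -> (guard, q')          pop-transitions
        self.local = local    # (q, a)        -> (guard, q')          internal transitions

    def run(self, word):
        """True iff the run on `word` exists and ends in a final location."""
        q, stack = self.init, [BOTTOM]
        for j, (a, _) in enumerate(word):
            x, y = clock_valuation(word, j)
            if a in self.calls:
                rule = self.push.get((q, a))
                if rule is None or not rule[0](x, y):
                    return False
                _, q, gamma = rule
                stack.append(gamma)
            elif a in self.returns:
                top = stack[-1]
                rule = self.pop.get((q, a, top))
                if rule is None or not rule[0](x, y):
                    return False
                if top != BOTTOM:
                    stack.pop()
                q = rule[1]
            elif a in self.locals:
                rule = self.local.get((q, a))
                if rule is None or not rule[0](x, y):
                    return False
                q = rule[1]
            else:
                raise ValueError(f"{a!r} is not in the partitioned alphabet")
        return q in self.final

def always(x, y):
    return True

def procedure_spec(d):
    """ECVPA for: 'if p holds when a procedure is called, it returns within d
    time units and q holds at the return'. Calls: call_p (p holds), call;
    returns: ret_q (q holds), ret; local: work. A p-call pushes P and may only
    be matched by a q-return; an ordinary call pushes N and accepts either."""
    within_d = lambda x, y: "ret_q" in y and y["ret_q"] <= d
    return ECVPA(
        calls={"call_p", "call"}, returns={"ret_q", "ret"}, locals_={"work"},
        init="ok", final={"ok"},
        push={("ok", "call_p"): (within_d, "ok", "P"),
              ("ok", "call"): (always, "ok", "N")},
        pop={("ok", "ret_q", "P"): (always, "ok"),      # no rule for ("ok","ret","P")
             ("ok", "ret_q", "N"): (always, "ok"),
             ("ok", "ret", "N"): (always, "ok"),
             ("ok", "ret_q", BOTTOM): (always, "ok"),   # unmatched returns are allowed
             ("ok", "ret", BOTTOM): (always, "ok")},
        local={("ok", "work"): (always, "ok")})

# Constructed timed words (symbol, time) for the example.
SPEC = procedure_spec(3.0)
IN_TIME = [("call_p", 0.0), ("work", 1.0), ("ret_q", 2.5)]           # accepted
LATE = [("call_p", 0.0), ("work", 1.0), ("ret_q", 4.0)]              # deadline missed
NO_Q = [("call_p", 0.0), ("ret", 1.0)]                               # q false at return
NESTED = [("call", 0.0), ("call_p", 1.0), ("ret_q", 2.0), ("ret", 3.0)]   # accepted
UNMATCHED = [("ret", 0.0), ("call", 1.0), ("ret_q", 2.0)]            # reads bottom, accepted

if __name__ == "__main__":
    for name, w in [("IN_TIME", IN_TIME), ("LATE", LATE), ("NO_Q", NO_Q),
                    ("NESTED", NESTED), ("UNMATCHED", UNMATCHED)]:
        print(name, SPEC.run(w))
```

Because the stack operation is dictated by the symbol class rather than chosen by the automaton, two such automata over the same partition always agree on the stack height at every position; that shared structure is what makes the product construction, and hence the Boolean closure and decidable inclusion mentioned above, work.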
Remark IV.5: Again it should be mentioned that Simulink Stateflow has restricted semantics and that Tiwari's treatment, which processes only one input event at a time, has been shown to be adequate for reachability analysis on these models. Hence our Remark IV.3 above could be used to develop more realistic simulation environments, with more than one event stack for instance. This will be a future axis of investigation in the present research programme.
Remark IV.6: On the other hand, in view of Remark IV.3 above, another option would be to handle internal events in unbounded queues, as in Kahn process networks. This seems appropriate for addressed communication, but in order to handle event broadcast it would be necessary to design networks of queues with multiple servers: in fact, theoretically, the number of servers for each queue would be the total number of nodes (individual FSMs) in the network. This would be closer to the synchronous interpretation of statecharts and hence to the synchronous semantics of synchronous languages like Esterel [47]. It would also differ from the events generated and queued in [63]. This is the second axis intended for future work.
The groundwork established through the above remarks can now be used to discuss issues related to the particular architectural choices to be made in this research. Certain elementary developments based on these choices will also be presented alongside when it is convenient to do so.
In the methodology of [7] each state, at each non-atomic level of the statechart hierarchy, is represented by a machine implementing the FSM corresponding to its substates on the next immediate level. In the current adaptation these FSMs are transformed into ECVPAs. To illustrate this process we use the statechart in Fig. 6. Fig. 10 gives the ECVPA for the Speed_Ctrl substate. Part of the resulting machine interconnection scheme is given in Fig. 13.
Remark IV.7: The salient aspects of the original decomposition in [7], used in [17], concern state and event assignment and the introduction of an Idle state for each FSM. An event "entered X" is created by the machine one level higher in the hierarchy when it reaches state X. The "left" signals are the duals of the "entered" signals and notify the lower-level machines to move into their Idle state. The "leave" signals are created by the lower-level states to notify their predecessors about their termination. Similarly, the "enter X" signal is created by a higher-level state when one of its substates (other than the default) is required to start operating in state X. In [17] these were termed virtual events, Σ_i^vir for a given module i.
An immediate consequence of this identified in [17] was that in any modular approach for verification of this implementation, the modules will now have unequal event alphabets.
The possibility of casting this decomposition of statecharts (with restricted semantics, though) as communicating FSMs was tempting. In this respect the work of Endsley et al. [13] is relevant in that they interpret communication channels between pairs of FSMs as port structures modelled using notions of controllability of events from SCT; but this work remains at an empirical level with very little support from the formal tools of SCT. Their modular synthesis results rest on the restrictive assumption that there can be no shared triggers (events) or shared responses (actions) between modules. They bypass all the complex issues related to event forcing by pre-empting (through this assumption) the enabling of the same event by more than one module.
Remark IV.8: Also, their approach pays no attention to the non-blocking behaviour of the composed system, and hence is not compositional. Nevertheless, once presented with sufficient rigour, the potential of such an interpretation of communication channels became clearly visible.
Remark IV.9: Immediately then the issue of handling controllability of internal and virtual events had to be addressed: the same event being an output for one FSM and an input to another. In order to stay within SCT, it became necessary to model the problem in terms of local plant models, G_i, with different controllable event sets. As shown in section 2 above, this case has only been studied under very restrictive assumptions of separability of the supervisory specification and/or disjoint local plant alphabets [38, 39]. Existence of non-blocking solutions for the general case is undecidable.

Now we shall examine problems arising from non-deterministic behaviour of the proposed system models. A new model has been proposed in [13] based on the prioritised synchronisation and trajectory models introduced by Heymann [14]. In this type of interconnection, called prioritised synchronous composition (PSC), each system component is assigned a priority set of events. The following definition introduces the notion of prioritised synchronisation between two non-deterministic state machines (NSM).

[Definition and accompanying text not recoverable from the page; the surviving fragments refer to Figure 2, Figure 9, a tree for the module and C&D co-observability [34].]

... and G_Force_Brake and taking the union of the two resulting LG's. The controllability check under prioritised synchronous composition between P and G_SPC2 and the test for non-blocking behaviour succeed immediately. The same is true between P and G_Force_Brake. Broadcast communication of events generated on state entry and state transition (BRAKE and STPPED, for instance) is implemented by pushing them onto the respective stacks; they can be popped by any transition that can consume them. This is the asynchronous mode. In synchronous mode these variables are represented by FIFO queues of update values; the value at the head is consumed only after a synchronous read by all receptive transitions.
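The two dispatch disciplines just described, asynchronous per-module event stacks and synchronous FIFO queues whose head is retired only after every receptive module has read it, can be contrasted on a small constructed scenario. The Python below is an example added here and is not code from the paper; the module names (Speed_Ctrl, Door_Ctrl), the event names and the sets of modules receptive to each event are assumptions chosen for the illustration.

```python
"""Dispatch of internally generated broadcast events between the modules of
a decomposed statechart, in the two modes discussed above: asynchronous
per-module event stacks and synchronous FIFO queues whose head is retired
only once every receptive module has read it.  Illustrative code added for
this page; module names, event names and receptive sets are assumptions."""
from collections import deque
from typing import Deque, Dict, List, Optional, Set


class AsyncBroadcast:
    """Asynchronous mode: a generated event is pushed on the stack of every
    module with a transition that can consume it; each module pops on its
    own, so the most recent event is seen first (LIFO) and modules that
    consume at different rates may observe different interleavings."""
    def __init__(self, receptive: Dict[str, Set[str]]):
        self.receptive = receptive             # event -> modules that consume it
        self.stacks: Dict[str, List[str]] = {m: [] for ms in receptive.values() for m in ms}

    def emit(self, event: str) -> None:
        for module in self.receptive.get(event, ()):
            self.stacks[module].append(event)

    def consume(self, module: str) -> Optional[str]:
        stack = self.stacks[module]
        return stack.pop() if stack else None


class SyncBroadcast:
    """Synchronous mode: one FIFO queue of update values per event variable.
    The head value is retired only after all receptive modules have read it,
    so every module sees every update, in generation order; a module that
    has already read the head must wait for the others (read returns None)."""
    def __init__(self, receptive: Dict[str, Set[str]]):
        self.receptive = receptive
        self.queues: Dict[str, Deque] = {}     # event -> deque of [value, pending readers]

    def emit(self, event: str, value) -> None:
        self.queues.setdefault(event, deque()).append([value, set(self.receptive[event])])

    def read(self, module: str, event: str):
        queue = self.queues.get(event)
        if not queue or module not in queue[0][1]:
            return None                        # nothing new for this reader yet
        value, pending = queue[0]
        pending.discard(module)
        if not pending:                        # synchronous read complete: retire head
            queue.popleft()
        return value


# Constructed scenario: BRAKE is broadcast to two modules, STOPPED to one.
RECEPTIVE = {"BRAKE": {"Speed_Ctrl", "Door_Ctrl"}, "STOPPED": {"Door_Ctrl"}}


def demo():
    a = AsyncBroadcast(RECEPTIVE)
    a.emit("BRAKE")
    a.emit("STOPPED")
    async_order = [a.consume("Door_Ctrl"), a.consume("Door_Ctrl")]   # LIFO: STOPPED first

    s = SyncBroadcast(RECEPTIVE)
    s.emit("BRAKE", 1)
    s.emit("BRAKE", 2)
    sync_trace = [s.read("Door_Ctrl", "BRAKE"),    # 1
                  s.read("Door_Ctrl", "BRAKE"),    # None: Speed_Ctrl has not read value 1 yet
                  s.read("Speed_Ctrl", "BRAKE"),   # 1, head retired
                  s.read("Door_Ctrl", "BRAKE")]    # 2
    return async_order, sync_trace
```

The run makes the semantic difference concrete: under the stack discipline Door_Ctrl consumes STOPPED before the earlier BRAKE, whereas under the queue discipline no module can advance past an update until every receptive module has read it, which is the behaviour a synchronous interpretation of the statechart requires.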
Port structures for these communications are built and tested in an analogous manner. A non-blocking simulation run of the Simulink/Stateflow model validated these results. We do not give finer details of the controllability check here because they were presented in [17], albeit before the introduction of the internal event stack or queue, as appropriate. We intend to include these in a separate communication. Similarly, we are making an effort to incorporate C&D co-observability checks for local supervisory specifications and the corresponding infimal controllable and co-observable superlanguages, because they seem useful in highly decentralised systems like high-speed railway control. The difficulties to be overcome here are related to the undecidability of non-blocking distributed supervisor existence in the distributed plant case.

Now we demonstrate how performance and safety specifications given in temporal logic can be incorporated following the method given in section 4(v) above. One can think of two kinds of rules for this system. Some rules specify the way the system must respond to a particular input condition. These rules can be written using the following formula:

G(<input> ⇒ F(<target> W ¬<input>))

It says that the target state must be reached if the input happens, and the system will stay in that target state until the input is reset.

Other rules specify conditions the system must satisfy independently of the state of the inputs. These rules can be considered propositional invariants of the system and have the form G(<invariant>). For instance, when a track is free and its signal turns from red to green, train passage through that track is enabled. Thus, for safety reasons, both tracks must be locked in order to avoid any accident that may cause a derailment. This rule is input-independent and may be stated by the invariant (for track T1, say): G(T1=free & SS1=green ⇒ T1=locked). Opposite signals must never be on at the same time; for track T2 and signals SSY and SS2 the corresponding rule is G ¬(SSY=green & SS2=green). Several temporal logics have been shown to have exactly the expressive power of Büchi automata; in other words, the class of sets of sequences described by those logics coincides with the class of ω-regular languages [42]. One method to decide satisfiability for these logics is to build a Büchi automaton that accepts exactly the sequences satisfying the formula. Since these logics are closed under negation, building this automaton involves complementing Büchi automata: given a Büchi automaton A, one has to find a Büchi automaton Ā such that L(Ā) = Σ^ω − L(A), where L(A) denotes the language accepted by A. One direct way of verifying that the specification is satisfied is then to show that no behaviour of the controlled plant S/G is accepted by Ā, i.e., L(S/G) ∩ L(Ā) = ∅.
In [48] Ramadge gives polynomial-time algorithms for computing the minimally restrictive supervisor satisfying the specification. For all specifications with local scope, controllability of the language specified by each supervisor automaton (representing a port structure) can be checked separately against each of the corresponding plant generators. Then the non-conflicting nature of each supervisor automaton can be verified separately with each of the corresponding plant generators, although this alone gives no guarantee of globally non-blocking behaviour. When this process of modular verification is completed for each pair of communicating FSMs, the statechart can be considered as verified for the same properties, particularly when each port structure attached to a given module can be considered as the generator of a closed language (a local supervisory specification). We base this conclusion on (2.8) given earlier; closedness is a requirement that can be enforced on port construction. Under this constraint the combined action of several port structures on any local plant module is controllable and non-blocking, and the network of plant modules that results from the proposed decomposition of the statechart specification then remains non-blocking. In [17] we investigated verification of non-blocking and correct interaction among FSMs resulting from a D-H-like distributed implementation of statecharts. In the present communication the analysis has been extended beyond the level of verification currently realised in (symbolic) model checkers.
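The per-port procedure above (controllability of each port structure against its plant generator, then the non-conflicting test, as also reported for P and G_SPC2 in Remark IV.9) and the safety-invariant check L(S/G) ∩ L(Ā) = ∅ for G ¬(SSY=green & SS2=green) can be shown on one small constructed model. The Python below is an example added here, not the paper's code or its railway models: it composes a port-structure generator S with a local plant G by ordinary synchronous composition (the paper uses prioritised synchronous composition, which is not reproduced here), checks controllability (no uncontrollable event generated by G is disabled by S), checks non-blocking (every reachable closed-loop state can reach a marked state), and, since the invariant is a safety property, reduces the Büchi emptiness test to reachability of bad plant states in the product. The two-signal plant, the event names, which events are uncontrollable, and the deliberately broken specifications are assumptions for the example.

```python
"""Modular supervisory checks for a port structure S against a local plant
generator G: controllability, non-blocking and a safety invariant on the
closed loop S/G.  Illustrative code added for this page.  The plant, event
names and specifications are constructed for the example (not the paper's
railway models); the composition is ordinary synchronous composition, not
the prioritised synchronous composition used in the paper."""
from collections import deque
from typing import Dict, FrozenSet, Iterable, Set


class Generator:
    """Deterministic generator: initial state, alphabet, partial transition
    map (state, event) -> state, and marked states."""
    def __init__(self, init, alphabet: Iterable[str], trans: Dict, marked: Iterable):
        self.init, self.alphabet = init, frozenset(alphabet)
        self.trans, self.marked = dict(trans), frozenset(marked)

    def enabled(self, q) -> Set[str]:
        return {e for (s, e) in self.trans if s == q}


def product(spec: Generator, plant: Generator):
    """Reachable part of S || G.  A shared event needs both components to
    enable it; an event private to one component moves only that one."""
    start = (spec.init, plant.init)
    seen, edges, todo = {start}, {}, deque([start])
    while todo:
        s, g = todo.popleft()
        for e in spec.alphabet | plant.alphabet:
            if e in spec.alphabet and (s, e) not in spec.trans:
                continue
            if e in plant.alphabet and (g, e) not in plant.trans:
                continue
            nxt = (spec.trans.get((s, e), s), plant.trans.get((g, e), g))
            edges[((s, g), e)] = nxt
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen, edges


def is_controllable(spec, plant, uncontrollable: FrozenSet[str]) -> bool:
    """pref(K) Sigma_u ∩ L(G) ⊆ pref(K): S may never disable an uncontrollable
    event that G can generate in the current closed-loop state."""
    states, _ = product(spec, plant)
    return all(u not in spec.alphabet or (s, u) in spec.trans
               for s, g in states for u in plant.enabled(g) & uncontrollable)


def is_nonblocking(spec, plant) -> bool:
    """Every reachable closed-loop state is co-reachable to a marked state."""
    states, edges = product(spec, plant)
    pred: Dict = {}
    for (src, _), dst in edges.items():
        pred.setdefault(dst, set()).add(src)
    coreach = {x for x in states if x[0] in spec.marked and x[1] in plant.marked}
    todo = deque(coreach)
    while todo:                                   # backward search from marked states
        for p in pred.get(todo.popleft(), ()):
            if p not in coreach:
                coreach.add(p)
                todo.append(p)
    return states <= coreach


def invariant_holds(spec, plant, bad_plant_states) -> bool:
    """For a safety invariant G(not bad), L(S/G) ∩ L(Ā) = ∅ reduces to: no
    reachable closed-loop state has its plant component in 'bad'."""
    states, _ = product(spec, plant)
    return not any(g in bad_plant_states for _, g in states)


def track_plant() -> Generator:
    """Constructed local plant: opposing signals SSY and SS2 on one section.
    Signal changes are controllable; a train passing a green signal is not."""
    trans = {}
    for a in ("red", "green"):
        for b in ("red", "green"):
            q = (a, b)
            trans[(q, "SSY_green" if a == "red" else "SSY_red")] = (
                "green" if a == "red" else "red", b)
            trans[(q, "SS2_green" if b == "red" else "SS2_red")] = (
                a, "green" if b == "red" else "red")
            if "green" in q:
                trans[(q, "train_pass")] = q
    return Generator(("red", "red"), {e for (_, e) in trans}, trans, [("red", "red")])


UNCONTROLLABLE = frozenset({"train_pass"})
BOTH_GREEN = {("green", "green")}
UNSUPERVISED = Generator("*", set(), {}, ["*"])   # empty spec: the plant alone


def port_spec(drop_ss2_red: bool = False, forbid_passing: bool = False) -> Generator:
    """Port structure 'opposite signals are never green together'.  The flags
    deliberately break it: dropping SS2_red leaves the loop blocking; allowing
    train_pass only in 'none' disables an uncontrollable event."""
    trans = {("none", "SSY_green"): "ssy", ("ssy", "SSY_red"): "none",
             ("none", "SS2_green"): "ss2"}
    alphabet = {"SSY_green", "SSY_red", "SS2_green", "SS2_red"}
    if not drop_ss2_red:
        trans[("ss2", "SS2_red")] = "none"
    if forbid_passing:
        alphabet.add("train_pass")
        trans[("none", "train_pass")] = "none"
    return Generator("none", alphabet, trans, ["none"])


def verify_port(spec: Generator = None, plant: Generator = None) -> Dict[str, bool]:
    spec = port_spec() if spec is None else spec
    plant = track_plant() if plant is None else plant
    return {"controllable": is_controllable(spec, plant, UNCONTROLLABLE),
            "nonblocking": is_nonblocking(spec, plant),
            "invariant": invariant_holds(spec, plant, BOTH_GREEN)}
```

Because each check only ever builds the product of one port structure with one local plant generator, the state space explored is the size of that pair, which is what makes the per-port procedure modular; the caveat stated above stands, since pairwise non-conflict does not by itself establish that the whole network of modules is non-blocking.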
Conclusion
The problem addressed in this research is the compositional (formal) verification of control specifications given using statecharts. The applicability of a compositional safe-by-design strategy being developed by the author for complex reactive systems is demonstrated. The proposed model is a decomposition of the statechart specification into a set of communicating pushdown automata (of a restricted kind). When the process of modular verification is completed for each pair of communicating event-clock visibly pushdown automata (ECVPA), the statechart can be considered as verified for the same properties. The proposed synthesis confronts the modular verification/implementation problem for statecharts. A regular language (hence, finite state automata) based version of this approach was reported in [16] and [17]. Application development on this version has been carried out with collaborators on a purpose-built elevator test rig and reported in [58], [59] and [60]. In the current paper the method has been extended to include internal event processing in real-time contexts by elevating the method to the computationally more powerful context-free languages (and hence, pushdown automata) and facilitating the integration of supervisory specifications of RW type and general correctness properties expressed in temporal logic. The approach is demonstrated on a high-speed railway signalling application. A complete analysis and design process for the target system has been demonstrated using realistic problem scenarios. Subsequent changes in any particular module (ECVPA) corresponding to a change in hardware or software can be verified locally.
The collaborative axis of this research programme using the regular language based approach continues: a PLC-based distributed implementation of the methodology using IEC 61499 standard function blocks and an FPGA-based implementation have been carried out for controlling the elevator system and published with collaborators [57, 58, 59]. This axis of research should produce results on redundancy-based design, hardware-in-the-loop testing and model-based design in the Matlab/Simulink/Stateflow environment, to be published with collaborators.
