Runtime Enforcement of Regular Timed Properties by Suppressing and Delaying Events by Falcone, Yliès et al.
Runtime Enforcement of Regular Timed Properties by Suppressing and Delaying Events
Yliès Falcone, Thierry Jéron, Hervé Marchand, Srinivas Pinisetty
To cite this version:
Yliès Falcone, Thierry Jéron, Hervé Marchand, Srinivas Pinisetty. Runtime Enforcement of Regular Timed Properties by Suppressing and Delaying Events. Science of Computer Programming, Elsevier, 2016, <10.1016/j.scico.2016.02.008>. <hal-01281727>
HAL Id: hal-01281727
https://hal.inria.fr/hal-01281727
Submitted on 2 Mar 2016
Yliès Falcone (a, *), Thierry Jéron (b), Hervé Marchand (b), Srinivas Pinisetty (c)
(a) Univ. Grenoble Alpes, Inria, LIG, F-38000 Grenoble, France
(b) INRIA Rennes - Bretagne Atlantique, Campus de Beaulieu, 35042 Rennes Cedex
(c) Aalto University, Finland
Abstract
Runtime enforcement is a verification/validation technique aiming at correcting possibly incorrect executions of a system of interest. In this paper, we consider enforcement monitoring for systems where the physical time elapsing between actions matters. Executions are thus modelled as timed words (i.e., sequences of actions with dates). We consider runtime enforcement for timed specifications modelled as timed automata. Our enforcement mechanisms have the power of both delaying events to match timing constraints, and suppressing events when no delaying is appropriate, thus possibly allowing for longer executions. To ease their design and their correctness-proof, enforcement mechanisms are described at several levels: enforcement functions that specify the input-output behaviour in terms of transformations of timed words, constraints that should be satisfied by such functions, enforcement monitors that describe the operational behaviour of enforcement functions, and enforcement algorithms that describe the implementation of enforcement monitors. The feasibility of enforcement monitoring for timed properties is validated by prototyping the synthesis of enforcement monitors from timed automata.
Keywords: verification, monitoring, runtime enforcement, timed specifications.
1. Introduction
Runtime enforcement [1, 2, 3, 4, 5] is a verification and validation technique aiming at correcting possibly-incorrect executions of a system of interest. In traditional (untimed) approaches, the enforcement mechanism is a monitor modelled as a transducer that inputs, corrects, and outputs a sequence of events. A monitor transforms the input sequence according to a specification of correct sequences, formalised as a property. Moreover, a monitor should satisfy some requirements: it should be sound in the sense that only (prefixes of) correct sequences are output; it should also be transparent, meaning that the output sequence preserves some relation with the input sequence, depending on the authorised operations.
Runtime enforcement monitors can be used in various application domains. For instance, enforcement monitors can be used for the design of firewalls, to verify the control-flow integrity and memory access of low-level code [6], or implemented in security kernels or virtual machines to protect the access to sensitive system resources (e.g., [7]). In [8], we discuss some other uses of enforcement monitors such as resource allocation and the implementation of robust mail servers.
* Corresponding author.
Email addresses: ylies.falcone@imag.fr (Yliès Falcone), thierry.jeron@inria.fr (Thierry Jéron), herve.marchand@inria.fr (Hervé Marchand), srinivas.pinisetty@aalto.fi (Srinivas Pinisetty)
Preprint submitted to Science of Computer Programming, March 2, 2016
In this paper, we consider runtime enforcement of timed properties, initially introduced in [5, 9]. In timed properties (over finite sequences), not only the order of events matters, but also their occurrence dates affect the satisfaction of the property. It turns out that considering time constraints when specifying the behaviour of systems brings some expressiveness that can be particularly useful in some application domains when, for instance, specifying the usage of resources. In Section 2, we present some running and motivating examples of timed specifications related to the access of resources by processes. We shall see that, in contrast to the untimed case, the amount of time an event is stored influences the satisfaction of properties.
In [5], we propose preliminary enforcement mechanisms restricted to safety and co-safety timed properties. Safety and co-safety properties allow expressing that “something bad should never happen” and that “something good should happen within a finite amount of time”, respectively. In [9], we generalise and extend the initial approach of [5] to the whole class of timed regular properties. Indeed, some regular properties may express interesting behaviours of systems belonging to a larger class that allows specifying some form of transactional behaviour. Regular properties are, in general, neither prefix nor extension closed, meaning that the evaluation of an input sequence w.r.t. the property also depends on its possible future continuations. For instance, an incorrect input sequence alone may not be correctable by an enforcement mechanism, but the reception of some events in the future may allow some correction. Hence, the difficulty that arises is that the enforcement mechanism should take conservative decisions and change its behaviour over time, taking into account the evaluation (w.r.t. the property) of the current input sequence and its possible continuations. Roughly speaking, in [5, 9], enforcement mechanisms receive sequences of events composed of actions and delays between them, and can only increase those delays to satisfy the desired timed property; in this paper, we instead consider absolute dates and allow delays between events to be reduced (as described in detail in the following paragraph).
Contributions. In this paper, we extend [9] in several directions. The main extension consists in increasing the power of enforcement mechanisms by allowing them to suppress input events, when the monitor determines that it is not possible to correct the input sequence, whatever its continuation. Consequently, enforcement mechanisms can continue operating, and outputting events, while in our previous approaches the output would have been blocked forever. This feature and other considerations also drove us to revisit and simplify the formalisation of enforcement mechanisms. We now consider events composed of actions and absolute dates, and enforcement mechanisms are time retardant with suppression in the following sense: monitors should keep the same order of the actions that are not suppressed, and are allowed to increase the absolute dates of actions in order to satisfy timing constraints. Note that this allows decreasing delays between actions, which is not allowed in [5, 9]. As in [5, 9], we specify the mechanisms at several levels, but in a revised and simplified manner: the notion of enforcement function describes the behaviour of an enforcement mechanism at an abstract level as an input-output relation between timed words; requested properties of these functions are formalised as soundness, transparency, optimality, and additional physical constraints¹; we design adequate enforcement functions and prove that they satisfy those properties; the operational behaviour of enforcement functions is described as enforcement monitors, and it is proved that those monitors correctly implement the enforcement functions; finally, enforcement algorithms describe the implementation of enforcement monitors and serve to guide the concrete implementation of enforcement mechanisms. Interestingly, although all untimed regular properties over finite sequences can be enforced [10], some enforcement limitations arise for timed properties (over finite sequences). Indeed, we show that storing events in the timed setting influences the output of enforcement mechanisms. In particular, because of physical time, an enforcement mechanism might not be able to output certain correct input sequences. Finally, we propose an implementation of the enforcement mechanisms for all regular properties specified by one-clock timed automata (while [5, 9] feature an implementation for safety and co-safety properties only).
¹ The two latter constraints are specific to runtime enforcement of timed properties.
Paper organisation. The rest of this paper is organised as follows. In Section 2, we introduce some motivating and running examples for the enforcement monitoring of timed properties, and illustrate the behaviour of enforcement mechanisms and the enforceability issues that arise. Section 3 introduces some preliminaries and notations. Section 4 recalls timed automata. Section 5 introduces our enforcement monitoring framework and specifies the constraints that should be satisfied by enforcement mechanisms. Section 6 defines enforcement functions as functional descriptions of enforcement mechanisms. Section 7 defines enforcement monitors as operational descriptions of enforcement mechanisms in the form of transition systems. Section 8 proposes algorithms that effectively implement enforcement monitors. In Section 9, we present an implementation of enforcement mechanisms in Python and evaluate the performance of synthesised enforcement mechanisms. In Section 10, we discuss related work. In Section 11, we draw conclusions and open perspectives. Finally, to ease the reading of this article, some proofs are sketched and their complete versions can be found in Appendix A.
2. General principles and motivating examples
In this section, we describe the general principles of enforcement monitoring of timed properties, and illustrate the expected input/output behavior of enforcement mechanisms on several examples.
2.1. General principles of enforcement monitoring in a timed context
Figure 1: Illustration of the principle of enforcement monitoring (diagram not reproduced: the event emitter sends σ to the enforcement mechanism, which, according to ϕ, delays or suppresses events and sends o to the event receiver).
As illustrated in Figure 1, the purpose of enforcement monitoring is to read some (possibly incorrect) input sequence of events σ produced by a system, referred to as the event emitter, to transform it into an output sequence of events o that is correct w.r.t. a specification formalised by a property ϕ. This output sequence is then transmitted to an event receiver. In our timed setting, events are actions with their occurrence dates. Input and output sequences of events are then formalised by timed words and enforcement mechanisms can be seen as transformers of timed words.
Figure 2 illustrates the behavior of an enforcement mechanism when correcting an input sequence. The dashed and solid curves respectively represent input and output sequences of events (occurrence dates in abscissa and actions in ordinate). The behavior of an enforcement mechanism should satisfy some constraints, namely physical constraint, soundness, and transparency. Intuitively, the physical constraint states that an enforcement mechanism cannot modify what it has already output, i.e., the output forms a continuously-growing sequence of events; soundness states that the output sequence should be correct w.r.t. the property (note, soundness is not represented in the figure, since this would require representing an area containing only the sequences admitted by the property); transparency states that the output sequence is obtained by delaying or suppressing actions from the input sequence (and not changing the order of actions); thus, if the events of the input curve are not suppressed, they appear later in the output curve, in the same order. For example, actions a1, a3 and a4 are delayed but a2 is suppressed. Notice that by delaying dates of events the enforcement mechanism is allowed to reduce delays between events. For example, action a4 occurs strictly after action a3, but both actions are released at the same date. Moreover, the actions should be released as output as soon as possible, which will be described by an optimality property.
Figure 2: Behavior of an enforcement mechanism (plot not reproduced: time 1 to 5 in abscissa, actions a1 to a4 in ordinate, input dashed and output solid).
2.2. Motivating examples
We introduce some running and motivating examples related to the usage of resources by some processes. We also provide some intuition on the expected behavior of our enforcement mechanisms, and point out some issues arising in the timed context. We discuss further these issues and their relation to the expected constraints on enforcement mechanisms.
Let us consider the situation where two processes access and operate on a common resource. Each process i (with i ∈ {1, 2}) has three interactions with the resource: acquisition (acq_i), release (rel_i), and a specific operation (op_i). Both processes can also execute a common action op. System initialisation is denoted by action init. In the following, variable t keeps track of global time. Figures 3, 4, and 5 illustrate the behavior of enforcement mechanisms for several specifications on the behavior of the processes and for particular input sequences.²
Specification S1. The specification states that “Each process should acquire the resource before performing operations on it and should release it afterwards. Each process should keep the resource for at least 10 time units (t.u.). There should be at least 1 t.u. between any two operations.”
Let us consider the input sequence σ1 = (1, acq1) · (3, op1) · (3.5, op1) · (4.5, acq1) · (5, op1) · (10, rel1) (where each event is composed of an action associated with a date, indicating the time instant at which the action is received as input). The monitor receives the first action acq1 at t = 1, followed by op1 at t = 3, etc. At t = 1 (resp. t = 3), the monitor can output action acq1 (resp. op1) because both sequences (3, op1) and (1, acq1) · (3, op1) satisfy specification S1. At t = 3.5, when the second action op1 is input, the enforcer determines that this action should be delayed by 0.5 t.u. to ensure the constraint that 1 t.u. should elapse between occurrences of op1 actions. Hence, the second action op1 is released at t = 4. At t = 4.5, when action acq1 is received, the enforcer releases it immediately since this action is allowed by the specification with no time constraint. Similarly, at t = 5, an op1 action is received and is released immediately because at least 1 t.u. elapsed since the previous op1 action was released as output. At t = 10, when action rel1 is received, it is delayed by 1 t.u. to ensure that the resource is kept for at least 10 t.u. (the first acq1 action was released at t = 1). Hence, as shown in Figure 3, the output of the enforcement mechanism for σ1 is (1, acq1) · (3, op1) · (4, op1) · (4.5, acq1) · (5, op1) · (11, rel1).
Figure 3: Behavior of an enforcement mechanism for specification S1 on σ1 (plot not reproduced: input and output events acq1, op1, op1, acq1, op1, rel1 against time).
² We shall see in Section 3.2 how to formalise these specifications by timed automata.
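The S1 trace above as executable code, as an added example that is not the paper's code (the paper's implementation is the synthesis described in Section 9). It hand-codes the two timing constraints of S1 as a delaying enforcer that also respects the physical constraint (never releasing an event earlier than what is already output). The class and function names, and the decision to suppress an op_i or rel_i received while process i holds no resource (a case the trace above does not cover, and one that no delaying can correct because the order of actions is preserved), are this example's assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HOLD_MIN = 10.0  # a process keeps the resource for at least 10 t.u. (spec S1)
OP_GAP = 1.0     # at least 1 t.u. between two operations of a process (spec S1)

Event = Tuple[float, str]


@dataclass
class ProcessState:
    # date at which the current acquisition was released (clock x of Example 1)
    acquired_at: Optional[float] = None
    # date at which the last operation was released (clock y of Example 1)
    last_op: Optional[float] = None


@dataclass
class S1Enforcer:
    last_output: float = 0.0                                  # physical constraint
    procs: Dict[str, ProcessState] = field(default_factory=dict)
    suppressed: List[Event] = field(default_factory=list)

    def receive(self, t: float, action: str) -> Optional[Event]:
        """Handle one input event; return the released event, or None if suppressed."""
        kind, proc = action[:-1], action[-1]                  # "acq1" -> ("acq", "1")
        if kind not in ("acq", "op", "rel") or proc not in ("1", "2"):
            raise ValueError(f"{action!r} is not in the alphabet of S1")
        st = self.procs.setdefault(proc, ProcessState())
        # Earliest admissible date: now, and never before an already released event.
        date = max(t, self.last_output)
        if kind == "acq":
            if st.acquired_at is None:
                st.acquired_at = date                         # clock x starts here
            # a further acq_i while holding the resource carries no constraint (cf. σ1)
        elif kind == "op":
            if st.acquired_at is None:                        # assumption: unrecoverable
                self.suppressed.append((t, action))
                return None
            if st.last_op is not None:
                date = max(date, st.last_op + OP_GAP)         # clock y >= 1
            st.last_op = date
        else:  # rel
            if st.acquired_at is None:                        # assumption: unrecoverable
                self.suppressed.append((t, action))
                return None
            date = max(date, st.acquired_at + HOLD_MIN)       # clock x >= 10
            st.acquired_at = None
        self.last_output = date
        return (date, action)

    def enforce(self, timed_word: List[Event]) -> List[Event]:
        """Feed a whole input timed word and return the output timed word."""
        out: List[Event] = []
        for t, a in timed_word:
            released = self.receive(t, a)
            if released is not None:
                out.append(released)
        return out


# Input sequence σ1 of the paper.
SIGMA1 = [(1, "acq1"), (3, "op1"), (3.5, "op1"), (4.5, "acq1"), (5, "op1"), (10, "rel1")]
# Constructed input (not from the paper) exercising suppression: op2 before any acq2.
SIGMA_CONSTRUCTED = [(2, "op2"), (3, "acq2"), (4, "op2"), (5, "rel2")]


def run_sigma1() -> List[Event]:
    return S1Enforcer().enforce(SIGMA1)


def run_constructed() -> Tuple[List[Event], List[Event]]:
    enf = S1Enforcer()
    return enf.enforce(SIGMA_CONSTRUCTED), enf.suppressed


if __name__ == "__main__":
    print(run_sigma1())
    print(run_constructed())
```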
Specification S2. The specification states that “After system initialisation, both processes should perform an operation (actions op_i) before 10 t.u. The operations of the different processes should be separated by 3 t.u.” Let us consider the input sequence σ2 = (1, init1) · (3, op1) · (4, op1) · (5, op2) · (6, op2).
At t = 1, 3, 4, when the enforcement mechanism receives the actions, it cannot release them as output but memorises them since, upon each reception, the sequence of actions it received so far cannot be delayed so that a known continuation may satisfy specification S2. At t = 5, upon the reception of action op2, the sequence received so far can be delayed to satisfy specification S2. Action init1 is released at t = 5 because it is the earliest possible date: a smaller date would already have elapsed. The two actions op1 are also released at t = 5, because there are no timing constraints on them. The first action op2 is released at t = 8 to ensure a delay of at least 3 t.u. with the first op1 action. The second action op2, received at t = 6, is also released at t = 8, since it does not need to be delayed more than the preceding action. Hence, as shown in Figure 4, the output of the enforcement mechanism for σ2 is (5, init1) · (5, op1) · (5, op1) · (8, op2) · (8, op2).
Figure 4: Behavior of an enforcement mechanism for specification S2 on σ2 (plot not reproduced: input and output events init1, op1, op1, op2, op2 against time).
Specification S3. The specification states that “Operations op1 and op2 should execute in a transactional manner. Both actions should be executed, in any order, and any transaction should contain one occurrence of op1 and op2. Each transaction should complete within 10 t.u. Between operations op1 and op2, occurrences of operation op can occur. There is at least 2 t.u. between any two occurrences of any operation.”
Let us consider the input sequence σ3 = (2, op1) · (3, op1) · (3.5, op) · (6, op2). At t = 2, the monitor cannot output action op1 because this action alone does not satisfy the specification (and the monitor does not yet know the next events, i.e., actions and dates). If the next action were op2, then, at the date of its reception, the monitor could output action op1 followed by op2, as it could choose dates for both actions in order to satisfy the timing constraints. At t = 3 the monitor receives a second op1 action. Clearly, there is no possible date for these two op1 actions to satisfy specification S3, and no continuation could solve the situation. The monitor thus suppresses the second op1 action, since this action is the one that prevents satisfiability in the future. At t = 3.5, when the monitor receives action op, the input sequence still does not satisfy the specification, but there exists an appropriate delaying of this action so that, with future events, the specification can be satisfied. At t = 6, when the monitor receives action op2, it can decide that action op1 followed by op and op2 can be released as output with appropriate delaying. Thus, the date associated with the first op1 action is set to 6 (the earliest possible date, since this decision is taken at t = 6), 8 for action op (since 2 is the minimal delay between those actions satisfying the timing constraint), and 10 for action op2. Hence, as shown in Figure 5, the output of the enforcer for σ3 is (6, op1) · (8, op) · (10, op2).
Figure 5: Behavior of an enforcement mechanism for specification S3 on σ3 (plot not reproduced: input and output events op1, op1, op, op2 against time).
Specification S4. The specification states that “Processes should behave in a transactional manner, where each transaction consists of an acquisition of the resource, at least one operation on it, and then its release. After the acquisition of the resource, the operations on the resource should be done within 10 t.u. The resource should not be released less than 10 t.u. after acquisition. There should be no more than 10 t.u. without any ongoing transaction.”
Let us consider the input sequence σ4 = (1, acq_i) · (2, op_i) · (3, rel_i). Before t = 3, no output can be produced, since no transaction is complete, and events must be stored. At t = 3, when the monitor receives rel_i, it can decide that the three events acq_i, op_i, and rel_i can be released as output with appropriate delaying. Thus, the date associated with the first two actions acq_i and op_i is set to 3, since this is the minimal decision date. Moreover, to satisfy the timing constraint on release actions after acquisitions, the date associated with the last event rel_i is set to 13. The output of the enforcement mechanism for σ4 is then (3, acq_i) · (3, op_i) · (13, rel_i).
Let us now consider the input sequence σ′4 = (3, acq_i) · (7, op_i) · (13, rel_i). The monitor observes action acq_i followed by an op_i and a rel_i action only at date t = 13. Hence, the date associated with the first action in the output should be at least 13, which is the minimal decision date. However, if the monitor chooses a date for acq_i which is strictly greater than 10, the timing constraint cannot be satisfied. Consequently, the output of the monitor remains empty forever. Notice however that the input sequence provided to the monitor satisfies the specification. Nevertheless, the monitor cannot release any event as output as it cannot take a decision until it receives action rel_i at date t = 13, which affects the date (i.e., the absolute time instant when it can be released as output) of the first action acq_i, thus falsifying the constraints.
Discussion. Specification S4 illustrates an important issue of enforcement in the timed setting, exhibited in this paper: because input timed words are seen as streams of events with dates, for some properties, there exist some input timed words that cannot be enforced, even though they either already satisfy the specification, or could be delayed to satisfy the specification (if they were known in advance). For instance, we shall see that specifications S1, S2, and S3 do not suffer from this issue, while S4 does. Actually, it turns out that enforcement monitors face some constraints due to streaming: they need to memorise input timed events before taking a decision, but meanwhile, time elapses and this influences the possibility to satisfy the considered specification. Nevertheless, the synthesis of enforcement mechanisms proposed in this paper works for all regular timed properties, which means that the synthesised enforcement mechanisms still satisfy their requirements (soundness, transparency, optimality, and physical constraint), even though the output may be empty for some input timed words.
3. Preliminaries and notation
We first recall some basic notions on untimed languages (Section 3.1). We then introduce timed words and languages (Section 3.2) and extend previous notions in a timed setting (Section 3.2). Finally, we introduce some orders on timed words that will be used in runtime enforcement (Section 3.3).
3.1. Untimed languages
A (finite) word over an alphabet $A$ is a finite sequence $w = a_1 \cdot a_2 \cdots a_n$ of elements of $A$. The length of $w$ is $n$ and is noted $|w|$. The empty word over $A$ is denoted by $\epsilon_A$, or $\epsilon$ when clear from the context. The set of all (respectively non-empty) words over $A$ is denoted by $A^*$ (respectively $A^+$). A language over $A$ is any subset $L$ of $A^*$.
The concatenation of two words $w$ and $w'$ is noted $w \cdot w'$. A word $w'$ is a prefix of a word $w$, noted $w' \preceq w$, whenever there exists a word $w''$ such that $w = w' \cdot w''$, and $w' \prec w$ if additionally $w' \neq w$; conversely $w$ is said to be an extension of $w'$.
The set $\mathrm{pref}(w)$ denotes the set of prefixes of $w$ and subsequently, $\mathrm{pref}(L) \stackrel{\text{def}}{=} \bigcup_{w \in L} \mathrm{pref}(w)$ is the set of prefixes of words in $L$. A language $L$ is prefix-closed if $\mathrm{pref}(L) = L$ and extension-closed if $L \cdot A^* = L$.
Given two words $u$ and $v$, $v^{-1} \cdot u$ is the residual of $u$ by $v$ and denotes the word $w$ such that $v \cdot w = u$, if this word exists, i.e., if $v$ is a prefix of $u$. Intuitively, $v^{-1} \cdot u$ is the suffix of $u$ after reading prefix $v$. By extension, for a language $L \subseteq A^*$ and a word $v \in A^*$, the residual of $L$ by $v$ is the language $v^{-1} \cdot L \stackrel{\text{def}}{=} \{w \in A^* \mid v \cdot w \in L\}$. It is the set of suffixes of words that, concatenated to $v$, belong to $L$. In other words, $v^{-1} \cdot L$ is the set of suffixes of words in $L$ after reading prefix $v$.
For a word $w$ and $i \in [1, |w|]$, the $i$-th letter of $w$ is noted $w[i]$. Given a word $w$ and two integers $i, j$ s.t. $1 \le i \le j \le |w|$, the subword from index $i$ to $j$ is noted $w[i \cdots j]$.
Given two words $w$ and $w'$, we say that $w'$ is a subsequence of $w$, noted $w' \triangleleft w$, if there exists an increasing mapping $k : [1, |w'|] \to [1, |w|]$ (i.e., $\forall i, j \in [1, |w'|] : i < j \implies k(i) < k(j)$) such that $\forall i \in [1, |w'|] : w'[i] = w[k(i)]$. Notice that $k$ being increasing entails that $|w'| \le |w|$. Intuitively, the image of $[1, |w'|]$ by function $k$ is the set of indexes of letters of $w$ that are “kept” in $w'$.
Given an $n$-tuple of symbols $e = (e_1, \ldots, e_n)$, for $i \in [1, n]$, $\Pi_i(e)$ is the projection of $e$ on its $i$-th element ($\Pi_i(e) \stackrel{\text{def}}{=} e_i$). Operator $\Pi_i$ is naturally extended to sequences of $n$-tuples of symbols to produce the sequence formed by the concatenation of the projections on the $i$-th element of each tuple.
3.2. Timed words and languages
As sketched in Section 2, input and output streams are seen as sequences of events composed of a date and an action, where the date is interpreted as the absolute date when the action is received by the enforcement mechanism. In what follows, we formalise input and output streams with timed words, and related notions, generalising the untimed setting.
Let $\mathbb{R}_{\ge 0}$ denote the set of non-negative real numbers, and $\Sigma$ a finite alphabet of actions. An event is a pair $(t, a) \in \mathbb{R}_{\ge 0} \times \Sigma$, where $\mathrm{date}((t, a)) \stackrel{\text{def}}{=} t \in \mathbb{R}_{\ge 0}$ is the absolute time instant at which action $\mathrm{act}((t, a)) \stackrel{\text{def}}{=} a \in \Sigma$ occurs.
A timed word over alphabet $\Sigma$ is a finite sequence of events $\sigma = (t_1, a_1) \cdot (t_2, a_2) \cdots (t_n, a_n)$, where $(t_i)_{i \in [1, n]}$ is a non-decreasing sequence in $\mathbb{R}_{\ge 0}$. We denote by $\mathrm{start}(\sigma) \stackrel{\text{def}}{=} t_1$ the starting date of $\sigma$ and $\mathrm{end}(\sigma) \stackrel{\text{def}}{=} t_n$ its ending date (with the convention that the starting and ending dates are equal to 0 for the empty timed word $\epsilon$).
The set of timed words over $\Sigma$ is denoted by $\mathrm{tw}(\Sigma)$. A timed language is any set $L \subseteq \mathrm{tw}(\Sigma)$. Note that even though the alphabet ($\mathbb{R}_{\ge 0} \times \Sigma$) is infinite in this case, previous notions and notations defined in the untimed case (related to length, prefix, subword, subsequence, etc.) naturally extend to timed words.
The concatenation of timed words however requires more attention, as when concatenating two timed words, one should ensure that the result is a timed word, i.e., dates should be non-decreasing. This is ensured as soon as the ending date of the first timed word does not exceed the starting date of the second one. Formally, let $\sigma = (t_1, a_1) \cdots (t_n, a_n)$ and $\sigma' = (t'_1, a'_1) \cdots (t'_m, a'_m)$ be two timed words with $\mathrm{end}(\sigma) \le \mathrm{start}(\sigma')$; their concatenation is $\sigma \cdot \sigma' \stackrel{\text{def}}{=} (t_1, a_1) \cdots (t_n, a_n) \cdot (t'_1, a'_1) \cdots (t'_m, a'_m)$. By convention $\sigma \cdot \epsilon \stackrel{\text{def}}{=} \epsilon \cdot \sigma \stackrel{\text{def}}{=} \sigma$. Concatenation is undefined otherwise.
The untimed projection of $\sigma$ is $\Pi_\Sigma(\sigma) \stackrel{\text{def}}{=} a_1 \cdot a_2 \cdots a_n$ in $\Sigma^*$ (i.e., dates are ignored).
Given $t \in \mathbb{R}_{\ge 0}$ and a timed word $\sigma \in \mathrm{tw}(\Sigma)$, we define the observation of $\sigma$ at date $t$ as the prefix of $\sigma$ that can be observed at date $t$. It is defined as the maximal prefix of $\sigma$ whose ending date does not exceed $t$:
$$\mathrm{obs}(\sigma, t) \stackrel{\text{def}}{=} \max_{\preceq} \{\sigma' \in \mathrm{pref}(\sigma) \mid \mathrm{end}(\sigma') \le t\}.$$
3.3. Preliminaries to runtime enforcement
Apart from the prefix order $\preceq$ (defined in Section 3.1), the following partial orders on timed words will be useful for enforcement.
Delaying order $\succeq_d$. For $\sigma, \sigma' \in \mathrm{tw}(\Sigma)$, we say that $\sigma'$ delays $\sigma$ (noted $\sigma' \succeq_d \sigma$) iff they have the same untimed projection but the dates of events in $\sigma'$ exceed the dates of corresponding events in $\sigma$. Formally:
$$\sigma' \succeq_d \sigma \stackrel{\text{def}}{=} \Pi_\Sigma(\sigma') = \Pi_\Sigma(\sigma) \wedge \forall i \in [1, |\sigma|] : \mathrm{date}(\sigma'[i]) \ge \mathrm{date}(\sigma[i]).$$
Sequence $\sigma'$ is obtained from $\sigma$ by keeping all actions, but with a potential increase in dates. For example, $(4, a) \cdot (7, b) \cdot (9, c) \succeq_d (3, a) \cdot (5, b) \cdot (8, c)$. Note that delays between events may be decreased, e.g., between $b$ and $c$, but absolute dates are increased.
Delaying subsequence order $\triangleleft_d$. For $\sigma, \sigma' \in \mathrm{tw}(\Sigma)$, we say that $\sigma'$ is a delayed subsequence of $\sigma$ (noted $\sigma' \triangleleft_d \sigma$) iff there exists a subsequence $\sigma''$ of $\sigma$ such that $\sigma'$ delays $\sigma''$. Formally:
$$\sigma' \triangleleft_d \sigma \stackrel{\text{def}}{=} \exists \sigma'' \in \mathrm{tw}(\Sigma) : (\sigma'' \triangleleft \sigma \wedge \sigma' \succeq_d \sigma'').$$
Sequence $\sigma'$ is obtained from $\sigma$ by first suppressing some actions, and then increasing the dates of the actions that are kept. This order will be used to characterise output timed words with respect to input timed words in enforcement monitoring when suppressing and delaying events. For example, $(4, a) \cdot (9, c) \triangleleft_d (3, a) \cdot (5, b) \cdot (8, c)$ (event $(5, b)$ has been suppressed while $a$ and $c$ are shifted in time).
Lexical order $\preceq_{\mathrm{lex}}$. This order is useful to choose a unique timed word among some with the same untimed projection. For two timed words $\sigma, \sigma'$ with the same untimed projection (i.e., $\Pi_\Sigma(\sigma) = \Pi_\Sigma(\sigma')$), the order $\preceq_{\mathrm{lex}}$ is defined inductively as follows: $\epsilon \preceq_{\mathrm{lex}} \epsilon$, and for two events with identical actions $(t, a)$ and $(t', a)$, $(t, a) \cdot \sigma \preceq_{\mathrm{lex}} (t', a) \cdot \sigma'$ if $t \le t' \vee (t = t' \wedge \sigma \preceq_{\mathrm{lex}} \sigma')$. For example $(3, a) \cdot (5, b) \cdot (8, c) \cdot (11, d) \preceq_{\mathrm{lex}} (3, a) \cdot (5, b) \cdot (9, c) \cdot (10, d)$.
Choosing a unique timed word with minimal duration $\min_{\mathrm{lex},\mathrm{end}}$. Given a set of timed words with the same untimed projection, $\min_{\mathrm{lex},\mathrm{end}}$ selects the minimal timed word w.r.t. the lexical order among timed words with minimal ending date: first the set of timed words with minimal ending date is considered, and then, from these timed words, the (unique) minimal one is selected w.r.t. the lexical order. Formally, for a set $E \subseteq \mathrm{tw}(\Sigma)$ such that $\forall \sigma, \sigma' \in E : \Pi_\Sigma(\sigma) = \Pi_\Sigma(\sigma')$ (i.e., such that all words have the same untimed projection), we have $\min_{\mathrm{lex},\mathrm{end}}(E) = \min_{\preceq_{\mathrm{lex}}}(\min_{\preceq_{\mathrm{end}}}(E))$ where $\sigma \preceq_{\mathrm{end}} \sigma'$ if $\mathrm{end}(\sigma) \le \mathrm{end}(\sigma')$, for $\sigma, \sigma' \in \mathrm{tw}(\Sigma)$.
4. Timed languages and properties as timed automata
Timed automata are a usual model used to specify properties of sequences of events where the timing between them matters. In this section, we introduce timed automata as a specification formalism for timed properties (Section 4.1). We describe a partitioning of the states of timed automata (Section 4.2). The partitioning allows to distinguish behaviours according to i) whether they currently satisfy or violate the property, and ii) whether or not this remains true for future behaviours. Finally, we present some sub-classes of regular properties (Section 4.3).
4.1. Timed automata
A timed automaton [11] is a finite automaton extended with a finite set of real-valued clocks. Let $X = \{x_1, \ldots, x_k\}$ be a finite set of clocks. A clock valuation for $X$ is an element of $\mathbb{R}_{\ge 0}^X$, that is, a function from $X$ to $\mathbb{R}_{\ge 0}$. For $\nu \in \mathbb{R}_{\ge 0}^X$ and $\delta \in \mathbb{R}_{\ge 0}$, $\nu + \delta$ is the valuation assigning $\nu(x) + \delta$ to each clock $x$ of $X$. Given a set of clocks $X' \subseteq X$, $\nu[X' \leftarrow 0]$ is the clock valuation $\nu$ where all clocks in $X'$ are assigned to 0. $\mathcal{G}(X)$ denotes the set of guards, i.e., clock constraints defined as Boolean combinations of simple constraints of the form $x \bowtie c$ with $x \in X$, $c \in \mathbb{N}$ and $\bowtie \in \{<, \le, =, \ge, >\}$. Given $g \in \mathcal{G}(X)$ and $\nu \in \mathbb{R}_{\ge 0}^X$, we write $\nu \models g$ when $g$ holds according to $\nu$.
Definition 1 (Timed automata). A timed automaton (TA) is a tuple $\mathcal{A} = (L, l_0, X, \Sigma, \Delta, F)$, such that $L$ is a finite set of locations with $l_0 \in L$ the initial location, $X$ is a finite set of clocks, $\Sigma$ is a finite set of actions, $\Delta \subseteq L \times \mathcal{G}(X) \times \Sigma \times 2^X \times L$ is the transition relation, and $F \subseteq L$ is a set of accepting locations.
Example 1 (Timed automata). Let us consider again the specifications introduced in Section 2 where two processes access to and operate on a common resource. The global alphabet of events is $\Sigma \stackrel{\text{def}}{=} \{\mathit{init}, \mathit{acq}_1, \mathit{rel}_1, \mathit{op}_1, \mathit{acq}_2, \mathit{rel}_2, \mathit{op}_2, \mathit{op}\}$. The specifications on the behaviour of the processes introduced in Section 2 are formalised with the TAs in Figure 6. Accepting locations are denoted by squares.
S1 The specification is formalised by the automaton depicted in Figure 6a with alphabet $\Sigma_1^i \stackrel{\text{def}}{=} \{\mathit{rel}_i, \mathit{acq}_i, \mathit{op}_i\}$ for process $i$, $i \in \{1, 2\}$. The automaton has two clocks $x$ and $y$, where clock $x$ serves to keep track of the duration of the resource acquisition whereas clock $y$ keeps track of the time elapsing between two operations. Both locations of the automaton are accepting and there are two implicit transitions from location $l_1$ to a trap state: i) upon action $\mathit{rel}_i$ when the value of clock $x$ is strictly lower than 10, and ii) upon action $\mathit{op}_i$ when the value of clock $y$ is strictly lower than 1.
S2 The specification is formalised by the automaton depicted in Figure 6b with alphabet $\Sigma_2 \stackrel{\text{def}}{=} \{\mathit{init}, \mathit{op}_1, \mathit{op}_2\}$. The automaton has two clocks, where clock $x$ keeps track of the time elapsed since initialisation, whereas clock $y$ keeps track of the time elapsing between the operations of the two different processes.
S3 The specification is formalised by the automaton depicted in Figure 6c with alphabet $\Sigma_3 \stackrel{\text{def}}{=} \{\mathit{op}, \mathit{op}_1, \mathit{op}_2\}$. Clock $x$ keeps track of the time elapsing since the beginning of the transaction, whereas clock $y$ keeps track of the time elapsing between any two operations.
S4 The specification is formalised by the automaton depicted in Figure 6d with alphabet $\Sigma_4^i \stackrel{\text{def}}{=} \{\mathit{acq}_i, \mathit{op}_i, \mathit{rel}_i\}$. Clock $x$ keeps track of the duration of a currently executing transaction, whereas clock $y$ keeps track of the time elapsing between two transactions.
The semantics of a TA is defined as follows.
Definition 2 (Semantics of timed automata). The semantics of a TA is a timed transition system $[\![\mathcal{A}]\!] =
(Q, q_0, \Gamma, \to, Q_F)$ where $Q = L \times \mathbb{R}_{\geq 0}^{X}$ is the (infinite) set of states, $q_0 = (l_0, \nu_0)$ is the initial state
where $\nu_0$ is the valuation that maps every clock in $X$ to 0, $Q_F = F \times \mathbb{R}_{\geq 0}^{X}$ is the set of accepting states,
$\Gamma = \mathbb{R}_{\geq 0} \times \Sigma$ is the set of transition labels, i.e., pairs composed of a delay and an action. The transition
relation $\to \subseteq Q \times \Gamma \times Q$ is a set of transitions of the form $(l, \nu) \xrightarrow{(\delta, a)} (l', \nu')$ with $\nu' = (\nu + \delta)[Y \leftarrow 0]$
whenever there exists $(l, g, a, Y, l') \in \Delta$ such that $\nu + \delta \models g$ for $\delta \in \mathbb{R}_{\geq 0}$.
In the following, we consider a timed automaton $\mathcal{A} = (L, l_0, X, \Sigma, \Delta, F)$ with its semantics $[\![\mathcal{A}]\!]$.
$\mathcal{A}$ is said to be deterministic whenever for any location $l$ and any two distinct transitions $(l, g_1, a, Y_1, l'_1)$
and $(l, g_2, a, Y_2, l'_2)$ with source $l$ and same action $a$ in $\Delta$, the conjunction of guards $g_1$ and $g_2$ is
unsatisfiable. $\mathcal{A}$ is said to be complete whenever for any location $l \in L$ and any action $a \in \Sigma$, the
disjunction of the guards of the transitions leaving $l$ and labelled by $a$ is valid. In the remainder of this
paper, we shall consider only deterministic and complete timed automata, and "automata" refers to timed
automata.
Remark 1 (Completeness and determinism). Although we restrict the presentation to deterministic
TAs, results may easily be extended to non-deterministic TAs, with slight adaptations required to the
vocabulary and when synthesising an enforcement monitor. Regarding completeness, for readability of
TA examples, if no transition can be triggered upon the reception of an event, a TA implicitly moves to
a non-accepting trap location (i.e., where all actions are looping with no timing constraint).
[Figure 6: Some examples of timed automata. (a) A safety automaton for S1. (b) A co-safety automaton for S2. (c) A regular automaton for S3. (d) A regular automaton for S4. Note the implicit trap state reached from $l_0$ when $y > 10$ ensuring that there is no more than 10 t.u. without transaction.]
Remark 2 (Other definitions of timed automata). The definition of timed automata used in this pa-
per is the initial (and general) one proposed in [11], except that we do not use the Büchi acceptance
condition because we deal with finite words. We restrict constants in guards to be integers; we will
see in Section 7 that TAs with rational constants may be necessary in the computation, but those
TAs can be transformed into integral TAs. Other definitions of timed automata have been proposed (see
e.g., [12] for details). For instance, timed safety automata [13] are a simplified version of the original
timed automata where invariants on locations replace the Büchi condition, as used in UPPAAL [14].
Several classes of determinisable automata with restrictions on the resets of clocks have been proposed.
Event-recording (resp. event-predicting) timed automata [15] are timed automata with a clock associ-
ated to each action that records (resp. predicts) the time elapsed since the last occurrence (resp. the time
of the next occurrence) of that action; event-clock automata have event-recording and event-predicting
clocks.
A run $\rho$ of $\mathcal{A}$ from a state $q \in Q$ is a sequence of moves in $[\![\mathcal{A}]\!]$: $\rho = q \xrightarrow{(\delta_1, a_1)} q_1 \cdots q_{n-1} \xrightarrow{(\delta_n, a_n)} q_n$,
for some $n \in \mathbb{N}$. The set of runs from the initial state $q_0 \in Q$ is denoted $\mathrm{Run}(\mathcal{A})$ and $\mathrm{Run}_{Q_F}(\mathcal{A})$
denotes the subset of those runs starting in $q_0$ and accepted by $\mathcal{A}$, i.e., ending in an accepting state
$q_n \in Q_F$.
The trace started at date $t$ of the run $\rho$ is the timed word $(t_1, a_1) \cdot (t_2, a_2) \cdots (t_n, a_n)$ where
$\forall i \in [1, n] : t_i = t + \sum_{j=1}^{i} \delta_j$ (the date of $a_i$ is the sum of the delays of the first $i$ events plus $t$). We note
$q \xrightarrow{w}_t q_n$ in this case, and generalise to $q \xrightarrow{w}_t P$ when $q_n \in P$ for a subset $P$ of $Q$. We note $\xrightarrow{w}$ for
$\xrightarrow{w}_0$. We note $\mathcal{L}(\mathcal{A})$ the set of traces started at date 0 of $\mathrm{Run}(\mathcal{A})$. We extend this notation to $\mathcal{L}_{Q_F}(\mathcal{A})$
as the set of traces of runs in $\mathrm{Run}_{Q_F}(\mathcal{A})$. We thus say that a timed word is accepted by $\mathcal{A}$ if it is the
trace started at date 0 of an accepted run.
Example 2 (Runs and traces of a timed automaton). Consider the automaton in Figure 6a. A possi-
ble run of this automaton from the initial state $(l_0, 0, 0)$ is the sequence of moves
$(l_0, 0, 0) \xrightarrow{(1, acq_1)} (l_1, 0, 0) \xrightarrow{(2, op_1)} (l_0, 2, 0) \xrightarrow{(1, op_1)} (l_1, 3, 0) \xrightarrow{(0.5, acq_1)} (l_1, 3.5, 0.5) \xrightarrow{(0.5, op_1)} (l_1, 4, 0)$. The trace
starting at date 0 of this run is the timed word $w_t = (1, acq_1) \cdot (3, op_1) \cdot (4, op_1) \cdot (4.5, acq_1) \cdot (5, op_1)$.
We have $(l_0, 0, 0) \xrightarrow{w_t} (l_1, 4, 0)$.
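The following is an added example (not code from the paper): it encodes Definition 1 and the step semantics of Definition 2 in Python, instantiates the safety automaton of Figure 6a for process 1 with the guards and resets as drawn there (an assumption on the figure), makes the automaton complete with an implicit trap location as in Remark 1, and replays the moves of Example 2 to recover the final state and the trace started at date 0. The class and function names are ours.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

# Constructed example: a timed automaton (Definition 1) with the timed transition
# system semantics of Definition 2. Guards are Python predicates over a valuation.
Valuation = Dict[str, float]
State = Tuple[str, Valuation]
TRAP = "trap"  # hypothetical name for the implicit non-accepting trap location (Remark 1)


@dataclass(frozen=True)
class Transition:
    src: str
    guard: Callable[[Valuation], bool]
    action: str
    resets: FrozenSet[str]   # the set Y of clocks reset to 0
    dst: str


@dataclass
class TimedAutomaton:
    initial: str
    clocks: List[str]
    transitions: List[Transition]
    accepting: FrozenSet[str]

    def initial_state(self) -> State:
        # q0 = (l0, nu0): every clock starts at 0
        return (self.initial, {x: 0.0 for x in self.clocks})

    def step(self, state: State, delay: float, action: str) -> State:
        """One move (l, nu) --(delay, action)--> (l', nu') of [[A]]."""
        loc, nu = state
        elapsed = {x: v + delay for x, v in nu.items()}      # nu + delta
        if loc == TRAP:                                        # trap loops on everything
            return (TRAP, elapsed)
        enabled = [tr for tr in self.transitions
                   if tr.src == loc and tr.action == action and tr.guard(elapsed)]
        if not enabled:                                        # completeness via the trap
            return (TRAP, elapsed)
        assert len(enabled) == 1, "automaton is expected to be deterministic"
        tr = enabled[0]
        # nu' = (nu + delta)[Y <- 0]
        return (tr.dst, {x: 0.0 if x in tr.resets else v for x, v in elapsed.items()})

    def run(self, moves: List[Tuple[float, str]]) -> List[State]:
        """States q0, q1, ..., qn of the run labelled by the given (delay, action) moves."""
        states = [self.initial_state()]
        for delay, action in moves:
            states.append(self.step(states[-1], delay, action))
        return states

    def accepts(self, timed_word: List[Tuple[float, str]]) -> bool:
        """A timed word is accepted iff the run with the matching delays ends in F."""
        moves, prev = [], 0.0
        for date, action in timed_word:
            moves.append((date - prev, action))
            prev = date
        return self.run(moves)[-1][0] in self.accepting


def trace(moves: List[Tuple[float, str]], t: float = 0.0) -> List[Tuple[float, str]]:
    """Trace started at date t: t_i = t + sum of the first i delays."""
    word, date = [], t
    for delay, action in moves:
        date += delay
        word.append((date, action))
    return word


# Figure 6a for i = 1 (our reading of the figure): acq_1 from l0 resets x and y,
# op_1 in l1 needs y >= 1 and resets y, rel_1 from l1 needs x >= 10,
# rel_1 loops in l0 and acq_1 loops in l1 without reset. Both locations accept.
S1 = TimedAutomaton(
    initial="l0",
    clocks=["x", "y"],
    transitions=[
        Transition("l0", lambda nu: True, "acq1", frozenset({"x", "y"}), "l1"),
        Transition("l0", lambda nu: True, "rel1", frozenset(), "l0"),
        Transition("l1", lambda nu: nu["y"] >= 1, "op1", frozenset({"y"}), "l1"),
        Transition("l1", lambda nu: True, "acq1", frozenset(), "l1"),
        Transition("l1", lambda nu: nu["x"] >= 10, "rel1", frozenset(), "l0"),
    ],
    accepting=frozenset({"l0", "l1"}),
)

# The (delay, action) moves of Example 2.
EXAMPLE2_MOVES = [(1, "acq1"), (2, "op1"), (1, "op1"), (0.5, "acq1"), (0.5, "op1")]


def example2_final_state() -> State:
    return S1.run(EXAMPLE2_MOVES)[-1]


def example2_trace() -> List[Tuple[float, str]]:
    return trace(EXAMPLE2_MOVES)


if __name__ == "__main__":
    print(example2_final_state())            # ('l1', {'x': 4.0, 'y': 0.0})
    print(example2_trace(), S1.accepts(example2_trace()))
```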
We now introduce the product of timed automata which is useful to intersect languages recognized by
timed automata.
Definition 3 (Product of timed automata). Given two TAs $\mathcal{A}_1 = (L_1, l_0^1, X_1, \Sigma, \Delta_1, F_1)$ and $\mathcal{A}_2 =
(L_2, l_0^2, X_2, \Sigma, \Delta_2, F_2)$ with disjoint sets of clocks, their product is the TA $\mathcal{A}_1 \times \mathcal{A}_2 \stackrel{\text{def}}{=} (L, l_0, X, \Sigma,
\Delta, F)$ where $L = L_1 \times L_2$, $l_0 = (l_0^1, l_0^2)$, $X = X_1 \cup X_2$, $F = F_1 \times F_2$, and $\Delta \subseteq L \times \mathcal{G}(X) \times \Sigma \times 2^X \times L$
is the transition relation, with $((l_1, l_2), g_1 \wedge g_2, a, Y_1 \cup Y_2, (l'_1, l'_2)) \in \Delta$ if $(l_1, g_1, a, Y_1, l'_1) \in \Delta_1$ and
$(l_2, g_2, a, Y_2, l'_2) \in \Delta_2$.
It is easy to check that $\mathcal{L}(\mathcal{A}_1 \times \mathcal{A}_2) = \mathcal{L}(\mathcal{A}_1) \cap \mathcal{L}(\mathcal{A}_2)$.
4.2. Partition of states of $[\![\mathcal{A}]\!]$
Given a TA $\mathcal{A} = (L, l_0, X, \Sigma, \Delta, F)$, with semantics $[\![\mathcal{A}]\!] = (Q, q_0, \Gamma, \to, Q_F)$, the set of states $Q$
of $[\![\mathcal{A}]\!]$ can be partitioned into four subsets: good ($G$), currently good ($G_c$), currently bad ($B_c$) and bad
($B$), based on whether a state is accepting or not, and whether accepting or non-accepting states are
reachable or not.
Formally, $Q$ is partitioned into $Q = G_c \cup G \cup B_c \cup B$ where $Q_F = G_c \cup G$ and $Q \setminus Q_F = B_c \cup B$
and
• $G_c = Q_F \cap \mathrm{pre}^*(Q \setminus Q_F)$, i.e., the set of currently good states is the subset of accepting states
from which non-accepting states are reachable,
• $G = Q_F \setminus G_c = Q_F \setminus \mathrm{pre}^*(Q \setminus Q_F)$, i.e., the set of good states is the subset of accepting states
from which only accepting states are reachable,
• $B_c = (Q \setminus Q_F) \cap \mathrm{pre}^*(Q_F)$, i.e., the set of currently bad states is the subset of non-accepting
states from which accepting states are reachable,
• $B = (Q \setminus Q_F) \setminus \mathrm{pre}^*(Q_F)$, i.e., the set of bad states is the subset of non-accepting states from
which only non-accepting states are reachable,
where, for a subset $P$ of $Q$, $\mathrm{pre}^*(P)$ denotes the set of states from which the set $P$ is reachable.
It is well known that reachability of a set of locations is decidable using the classical zone (or region)
symbolic representation (see [16]) and is PSPACE-complete. Since $Q_F$ is the set of states whose location is in
$F$, this result can be used to compute the partition of $Q$.
By definition, from good (resp. bad) states, one can only reach good (resp. bad) states. Conse-
quently, a run of a TA traverses currently good and/or currently bad states, and may eventually reach a
good state and remain in good states, or a bad state and remain in bad states, or, in pathological cases, it
can directly start in good or bad states. This partition will be useful to characterise the classes of safety
and co-safety timed properties, as explained in Section 4.3, and later for the synthesis of enforcement
mechanisms.
4.3. Some sub-classes of regular timed properties
Regular, safety, and co-safety timed properties. In this paper, a timed property is defined by a timed
language $\varphi \subseteq tw(\Sigma)$ that can be recognised by a timed automaton. That is, we consider the set of
regular timed properties. Given a timed word $\sigma \in tw(\Sigma)$, we say that $\sigma$ satisfies $\varphi$ (noted $\sigma \models \varphi$) if
$\sigma \in \varphi$. Safety (resp. co-safety) properties are sub-classes of regular timed properties. Informally, safety
(resp. co-safety) properties state that "nothing bad should ever happen" (resp. "something good should
happen within a finite amount of time"). In this paper, the classes are characterised as follows:
Definition 4 (Regular, safety, and co-safety properties). We consider the following three classes of
timed properties.
• Regular properties are the properties that can be defined by languages accepted by a TA.
• Safety properties are the non-empty prefix-closed timed languages that can be accepted by a TA.
• Co-safety properties are the non-universal [3] extension-closed timed languages that can be accepted
by a TA.
The sets of safety and co-safety properties are subsets of the set of regular properties.
Safety and co-safety timed automata. In the sequel, we shall only consider the properties that can be
defined by deterministic and complete timed automata (Definition 1). Note that some of these properties
can be defined using a timed temporal logic such as a subclass of MTL, which can be transformed into
timed automata using the technique described in [17, 18].
We now define syntactic restrictions on TAs that guarantee that a regular property defined by a TA
defines a safety or a co-safety property.
Definition 5 (Safety and co-safety TA). Let $\mathcal{A} = (L, l_0, X, \Sigma, \Delta, F)$ be a complete and deterministic
TA, where $F \subseteq L$ is the set of accepting locations. $\mathcal{A}$ is said to be:
• a safety TA if $l_0 \in F \wedge \nexists (l, g, a, Y, l') \in \Delta : l \in L \setminus F \wedge l' \in F$;
• a co-safety TA if $l_0 \notin F \wedge \nexists (l, g, a, Y, l') \in \Delta : l \in F \wedge l' \in L \setminus F$.
It is then easy to check that safety (respectively co-safety) TAs define safety (respectively co-safety)
properties [4]. Intuitively, a safety TA starts in the accepting location $l_0$ and has no transition from non-
accepting to accepting locations. Thus, either all reachable locations are accepting (in this case, the TA
recognises the universal language since it is complete), or the TA stays in accepting locations before
possibly jumping definitively to non-accepting locations. At the semantic level, a safety TA either has
only good states (case of the universal language), or its runs start in the set of currently good states and
may definitively jump into either the set of bad or the set of good states (no currently bad state can be
reached). Thus, a safety TA defines a prefix-closed language. Conversely, a co-safety TA starts in the
non-accepting location $l_0$ and has no transition from accepting to non-accepting locations. Thus, either
all reachable locations are non-accepting (in this case, the TA recognises the empty language), or it stays
in non-accepting locations before possibly jumping definitively to accepting locations. At the semantic
level, a co-safety TA either only has bad states (case of the empty language), or its runs start in the set
of currently bad states and may definitively jump into either the set of good states or the set of bad states
(no currently good state can be reached). Thus, a co-safety TA defines an extension-closed language.
[3] The universal property over $\mathbb{R}_{\geq 0} \times \Sigma$ is $tw(\Sigma)$.
[4] As one can observe, these definitions of safety and co-safety TAs slightly differ from the usual ones by expressing constraints
on the initial state. As a consequence of these constraints, consistently with Definition 4, the empty and universal properties are
ruled out from the set of safety and co-safety properties, respectively.
Example 3 (Classes of timed automata). Let us consider again the specifications introduced in Ex-
ample 6. We formalise specification $S_i$ as property $\varphi_i$, $i = 1, \ldots, 4$. Property $\varphi_1$ is a safety property
specified by the safety TA in Figure 6a (leaving accepting locations is definitive). Property $\varphi_2$ is a
co-safety property specified by the co-safety TA in Figure 6b (leaving non-accepting locations is defini-
tive). Property $\varphi_3$ is specified by the TA in Figure 6c. Property $\varphi_4$ is specified by the TA in Figure 6d.
Both properties $\varphi_3$ and $\varphi_4$ are regular, but neither safety nor co-safety properties. In the underlying
automata, runs may alternate between accepting and non-accepting locations, thus the languages that
they define are neither prefix- nor extension-closed.
5. Enforcement monitoring in a timed context
We now introduce our enforcement monitoring framework (Section 5.1) and specify the expected
constraints on the input/output behaviour of enforcement mechanisms (Section 5.2).
5.1. General principles
To ease the design and implementation of enforcement monitoring mechanisms in a timed context,
we describe enforcement mechanisms at three levels of abstraction: enforcement functions, enforcement
monitors, and enforcement algorithms. An enforcement function describes the transformation of an
input timed word into an output timed word at an abstract level where the whole input timed word is
considered. In this section, we first formalise the constraints enforcement functions must satisfy, which
reflect both physical constraints related to time, and required properties relating the input to the output.
In Section 6, we shall define such enforcement functions, and prove that they satisfy the constraints. An
enforcement monitor is a more concrete view and defines the operational behaviour of the enforcement
mechanism over time. In Section 7, we shall define enforcement monitors as extended transition
systems and we prove that, for a given property $\varphi$, the associated enforcement monitor implements the
corresponding enforcement function. In other words, an enforcement function serves as an abstract
description (black-box view) of an enforcement monitor, and an enforcement monitor is the operational
description of an enforcement function. An enforcement algorithm (see Section 8) is an implementation
of an enforcement monitor.
5.2. Constraints on an enforcement mechanism
At an abstract level, an enforcement mechanism for a given property $\varphi$ can be seen as a function
which takes as input a timed word and outputs a timed word. At this level, the input is considered as a
whole, and the output is the corresponding whole timed word eventually produced, after an unbounded
time elapse. In other words, the delay to observe the input and to produce the output is not considered.
This is schematised in Figure 7 and defined in Definition 6.
Definition 6 (Enforcement function signature). For a timed property ϕ, an enforcement mechanism
behaves as a function, called enforcement function Eϕ : tw(Σ)→ tw(Σ).
[Figure 7: Enforcement function. The enforcement function for $\varphi$ reads the input $\sigma$ and produces the output $E_\varphi(\sigma)$.]
An enforcement function $E_\varphi$ models a mechanism that reads some input timed word $\sigma$ from an event
emitter, which is possibly incorrect w.r.t. $\varphi$, and transforms it into a timed word that satisfies $\varphi$ which
is output to the event receiver.
Before providing the actual definition of enforcement function in Section 6, we define the constraints
that should be satisfied by an enforcement mechanism. The following constraints can serve as a speci-
fication of the expected behaviour of enforcement mechanisms for timed properties, that can delay and
suppress events.
An enforcement mechanism should first satisfy some physical constraint reflecting the streaming of
events: the output stream can only be modified by appending new events to its tail. Second, it should
be sound w.r.t. the monitored property, meaning that it should correct input words according to $\varphi$ if
possible, and otherwise produce an empty output. Third, it should be transparent, which means that it
is only allowed to shift events in time while keeping their order (we refer to such kind of mechanisms as
time retardants) and suppress some events. These constraints are formalised in the following definition:
Definition 7 (Constraints on an enforcement mechanism). Given a timed property $\varphi$, an enforce-
ment function $E_\varphi : tw(\Sigma) \to tw(\Sigma)$ should satisfy the following constraints:
- Physical constraint:
$$\forall \sigma, \sigma' \in tw(\Sigma) : \sigma \preccurlyeq \sigma' \implies E_\varphi(\sigma) \preccurlyeq E_\varphi(\sigma') \quad \text{(Phy)}.$$
- Soundness:
$$\forall \sigma \in tw(\Sigma) : E_\varphi(\sigma) \models \varphi \vee E_\varphi(\sigma) = \epsilon \quad \text{(Snd)}.$$
- Transparency:
$$\forall \sigma \in tw(\Sigma) : E_\varphi(\sigma) \trianglelefteq_d \sigma \quad \text{(Tr)}.$$
The physical constraint (Phy) means that $E_\varphi$ is monotonic: the output produced for an extension $\sigma'$ of an
input word $\sigma$ extends the output produced for $\sigma$. This stems from the fact that, over time, what is actually
output by the enforcement function is a continuously growing timed word, i.e., what is output for a given
input timed word can only be modified by appending new events with greater dates. Soundness (Snd)
means that the output either satisfies property $\varphi$, or is empty. This allows to output nothing if there is no
way to satisfy $\varphi$. Note that, together with the physical constraint, soundness implies that no event can be
appended to the output before being sure that the property will eventually be satisfied with subsequent
output events. Transparency (Tr) means that the output is a delayed subsequence of the input $\sigma$, thus the
enforcement function is allowed to either suppress input events, or increase their dates while preserving
their order.
It can be easily checked on the examples in Section 2 that the output sequences satisfy the constraints
of enforcement mechanisms.
Remark 3. The soundness, transparency, and physical constraints describe the expected input/output
behaviour of an enforcement function for the whole input sequence. Note that they however do not
strongly constrain the output. In particular, an enforcement function that never produces any output
complies with these constraints. However, to be practical, an actual enforcement function should also
provide some guarantees on the output sequence it produces in terms of length and delay w.r.t. the input
sequence. Such guarantees are specified by an optimality property in Section 6.
6. Enforcement functions: input/output description of enforcement mechanisms
We now define an enforcement function dedicated to a desired property $\varphi$. Its purpose is to define,
at an abstract level, for any input word $\sigma$, the output word $E_\varphi(\sigma)$ expected from an enforcement mech-
anism that works as a delayer with suppression, where suppression only happens upon the reception of
an event that prevents any satisfaction of the property in the future.
First, we discuss some preliminaries (Section 6.1) regarding the consequences of the choice of
suppression strategy on efficiency and on the possible output sequences of the enforcement function.
Then, we define the enforcement function itself, and prove in Section 6.2 that this functional definition
satisfies the physical, soundness, and transparency constraints. We also prove that the enforcement
function satisfies some optimality criterion with the chosen suppression strategy. Finally, in Section 6.3,
we explain how the enforcement function behaves over time (how a given input sequence is consumed
over time, and how the output is released in an incremental fashion).
6.1. Preliminaries to the definition of enforcement functions
An enforcement mechanism needs to memorise events since, for some properties (typically co-safety
properties), upon the reception of some input timed word, the property might not yet be satisfiable by
delaying, but a continuation of the input may allow satisfaction. For more general properties (which are
neither safety nor co-safety properties), there may exist some prefix for which the property is satisfiable
by delaying the input, thus dates can be chosen for these events. For efficiency reasons, and for our
enforcement mechanisms to be amenable to online implementations, we also want to build the output
in a fashion that is as incremental as possible. Enforcement mechanisms should thus take decisions on
dates of output events as soon as possible. Still for efficiency considerations, we impose that suppression
should occur only when necessary, i.e., when, upon the reception of a new event, there is no possibility to
satisfy the property, whatever the continuation of the input. Moreover, we decide to suppress the last
received event only, because it causes the unsatisfiability (even) if delayed. Note that, when an enforcement
mechanism decides not to suppress an action, it should not modify its decision in the future. Our choice
of suppression strategy mainly stems from efficiency reasons. We discuss our choice and possible
alternatives in Remark 4 in Section 6.2 (p. 18).
6.2. Definition of enforcement functions
As intuitively explained in the motivating examples of Section 2, during enforcement of an input
timed word $\sigma$, some subsequence of events $\sigma_c$ is temporarily stored, until some new event $(t, a)$ even-
tually allows to satisfy the property for the first time, or to satisfy it again, by delaying the sequence
$\sigma'_c = \sigma_c \cdot (t, a)$. For such a sequence $\sigma'_c$, the definition of an enforcement function shall use the set
$\mathrm{CanD}(\sigma'_c)$ of candidate delayed sequences of $\sigma'_c$, independently of the property $\varphi$:
$$\mathrm{CanD}(\sigma'_c) = \{ w \in tw(\Sigma) \mid w \trianglerighteq_d \sigma'_c \wedge \mathrm{start}(w) \geq \mathrm{end}(\sigma'_c) \}.$$
The set $\mathrm{CanD}(\sigma'_c)$ is the set of timed words $w$ that delay $\sigma'_c$, and start at or after the ending date of $\sigma'_c$
(which is the date $t$ of the last event $(t, a)$ of $\sigma'_c$). As we shall see, $w \trianglerighteq_d \sigma'_c$ stems from the fact that we
consider enforcement mechanisms as time retardants, while $\mathrm{start}(w) \geq \mathrm{end}(\sigma'_c)$ means that the eligible
timed words should not start before the date of its last event (which is the current date $t$), as illustrated
informally with specification S3 in Section 2 and further discussed in Section 6.3.
With this preliminary notation, the enforcement function for a property $\varphi$ can be defined as follows:
Definition 8 (Enforcement function). The enforcement function for a property $\varphi$ is the function $E_\varphi :
tw(\Sigma) \to tw(\Sigma)$ defined as:
$$E_\varphi(\sigma) = \Pi_1\left(\mathit{store}_\varphi(\sigma)\right),$$
where $\mathit{store}_\varphi : tw(\Sigma) \to tw(\Sigma) \times tw(\Sigma)$ is defined as
$$\mathit{store}_\varphi(\epsilon) = (\epsilon, \epsilon)$$
$$\mathit{store}_\varphi(\sigma \cdot (t, a)) =
\begin{cases}
(\sigma_s \cdot \min_{\mathrm{lex,end}}(\kappa_\varphi(\sigma_s, \sigma'_c)),\ \epsilon) & \text{if } \kappa_\varphi(\sigma_s, \sigma'_c) \neq \emptyset, \\
(\sigma_s, \sigma_c) & \text{if } \kappa_{\mathrm{pref}(\varphi)}(\sigma_s, \sigma'_c) = \emptyset, \\
(\sigma_s, \sigma'_c) & \text{otherwise,}
\end{cases}$$
with $\sigma \in tw(\Sigma)$, $t \in \mathbb{R}_{\geq 0}$, $a \in \Sigma$,
$(\sigma_s, \sigma_c) = \mathit{store}_\varphi(\sigma)$, and $\sigma'_c = \sigma_c \cdot (t, a)$,
where, for $L \subseteq tw(\Sigma)$,
$$\kappa_L(\sigma_s, \sigma'_c) \stackrel{\text{def}}{=} \mathrm{CanD}(\sigma'_c) \cap \sigma_s^{-1} \cdot L.$$
For a given input $\sigma$, function $\mathit{store}_\varphi$ computes a pair $(\sigma_s, \sigma_c)$ of timed words: $\sigma_s$, which is extracted by
the projection function $\Pi_1$ to produce the output $E_\varphi(\sigma)$; $\sigma_c$ is used as a temporary memory. The pair
$(\sigma_s, \sigma_c)$ should be understood as follows:
• $\sigma_s$ is a delayed subsequence of the input $\sigma$, in fact of its prefix of maximal length for which the
absolute dates can be computed to satisfy property $\varphi$;
• $\sigma_c$ is a subsequence of the remaining suffix of $\sigma$ for which the releasing dates of events still have
to be computed. It is a subsequence (and not the complete suffix) since some events may have
been suppressed when no delaying allowed to satisfy $\varphi$, whatever the continuation of $\sigma$, if any.
Function $E_\varphi$ incrementally computes a timed word according to the input timed word, and is defined
inductively as follows. When the empty word $\epsilon$ is input, it produces $(\epsilon, \epsilon)$. Otherwise, suppose that for
the input $\sigma$ the result of $\mathit{store}_\varphi(\sigma)$ is $(\sigma_s, \sigma_c)$ and consider a new received event $(t, a)$. Now, the new
timed word to correct is $\sigma'_c = \sigma_c \cdot (t, a)$. There are three possible cases, according to the vacuity of the
two sets $\kappa_\varphi(\sigma_s, \sigma'_c)$ and $\kappa_{\mathrm{pref}(\varphi)}(\sigma_s, \sigma'_c)$. These sets are obtained respectively as the intersection of the
set $\mathrm{CanD}(\sigma'_c)$ with $\sigma_s^{-1} \cdot \varphi$ and $\sigma_s^{-1} \cdot \mathrm{pref}(\varphi)$. Let us recall that:
• $\mathrm{CanD}(\sigma'_c)$ is the set of timed words that delay $\sigma'_c$, and start at or after the ending date of $\sigma'_c$ (i.e.,
the date of its last event $(t, a)$), since choosing an earlier date would cause the date to be already
elapsed before the event could be released as output;
• $\sigma_s^{-1} \cdot \varphi = \{ w \in tw(\Sigma) \mid \sigma_s \cdot w \models \varphi \}$ is the set of timed words that satisfy $\varphi$ after reading $\sigma_s$;
similarly, since $\mathrm{pref}(\varphi) = \{ v \in tw(\Sigma) \mid \exists w' \in tw(\Sigma) : v \cdot w' \models \varphi \}$ we get that $\sigma_s^{-1} \cdot \mathrm{pref}(\varphi) =
\{ w \in tw(\Sigma) \mid \exists w' \in tw(\Sigma) : \sigma_s \cdot w \cdot w' \models \varphi \}$, and thus $\sigma_s^{-1} \cdot \mathrm{pref}(\varphi)$ is the set of timed words
for which a continuation satisfies $\varphi$ after reading $\sigma_s$.
Thus $\kappa_\varphi(\sigma_s, \sigma'_c)$ is the set of timed words $w$ that belong to the candidate delayed sequences of $\sigma'_c$ and
such that $\sigma_s \cdot w$ satisfies $\varphi$; and $\kappa_{\mathrm{pref}(\varphi)}(\sigma_s, \sigma'_c)$ is the set of timed words $w$ that belong to the candidate
delayed sequences of $\sigma'_c$, and such that some additional continuation $w'$ may satisfy $\varphi$, i.e., $\sigma_s \cdot w \cdot w' \models
\varphi$. Note that, since $\kappa_\varphi(\sigma_s, \sigma'_c) \subseteq \kappa_{\mathrm{pref}(\varphi)}(\sigma_s, \sigma'_c)$, we distinguish three different cases:
- If $\kappa_\varphi(\sigma_s, \sigma'_c) \neq \emptyset$ (and thus $\kappa_{\mathrm{pref}(\varphi)}(\sigma_s, \sigma'_c) \neq \emptyset$), it is possible to choose appropriate dates for the
timed word $\sigma'_c = \sigma_c \cdot (t, a)$ to satisfy $\varphi$. The minimal timed word in $\kappa_\varphi(\sigma_s, \sigma'_c)$ w.r.t. the lexicographic
order is chosen among those with minimal ending date, and appended to $\sigma_s$; the second element of the
pair is set to $\epsilon$ since all events memorised in $\sigma_c \cdot (t, a)$ are corrected and appended to $\sigma_s$.
- If $\kappa_{\mathrm{pref}(\varphi)}(\sigma_s, \sigma'_c) = \emptyset$ (and thus $\kappa_\varphi(\sigma_s, \sigma'_c) = \emptyset$), it means that, whatever the continuation of the
current input $\sigma \cdot (t, a)$, there is no chance to find a correct delaying for $(t, a)$. Thus, event $(t, a)$ should
be suppressed, leaving $\sigma_c$ and $\sigma_s$ unmodified.
- Otherwise, i.e., when $\kappa_\varphi(\sigma_s, \sigma'_c) = \emptyset$ but $\kappa_{\mathrm{pref}(\varphi)}(\sigma_s, \sigma'_c) \neq \emptyset$, it means that it is not yet possible to
choose appropriate dates for $\sigma'_c = \sigma_c \cdot (t, a)$ to satisfy $\varphi$, but there is still a chance to do it in the future,
depending on the continuation of the input, if any. Thus $\sigma_c$ is modified into $\sigma'_c = \sigma_c \cdot (t, a)$ in memory,
but $\sigma_s$ is left unmodified.
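The following is an added example, not code from the paper; it serves both the constraints of Definition 7 and the three cases of Definition 8. For the safety property $\varphi_1$ of Figure 6a (written here as a direct predicate, our reading of the figure, with the two lower-bound guards and the implicit trap on an operation before any acquisition) the memory $\sigma_c$ never grows: every event is either released at the minimal date of $\mathrm{CanD}$ that keeps $\varphi_1$ satisfied, or suppressed when $\kappa_{\mathrm{pref}(\varphi_1)}$ is empty. The checker then evaluates (Phy), (Snd) and (Tr) on every prefix of a constructed input; the meaning assumed for "delayed subsequence" is stated in the code.

```python
from typing import Callable, Dict, List, Tuple

# Constructed example: enforcement of phi_1 (Figure 6a) as a delayer with
# suppression, and a checker for the constraints of Definition 7. Names are ours.
TimedWord = List[Tuple[float, str]]


def satisfies_phi1(w: TimedWord) -> bool:
    """Direct encoding of Figure 6a: rel at least 10 t.u. after acq, consecutive ops at
    least 1 t.u. apart (y reset on acq), and op before any acq goes to the implicit trap."""
    loc, acq_at, last_op = "l0", 0.0, 0.0
    for t, a in w:
        if loc == "l0":
            if a == "acq":
                loc, acq_at, last_op = "l1", t, t      # x := 0, y := 0
            elif a != "rel":
                return False                            # no op transition from l0
        else:
            if a == "op":
                if t - last_op < 1:                     # guard y >= 1 violated
                    return False
                last_op = t                             # y := 0
            elif a == "rel":
                if t - acq_at < 10:                     # guard x >= 10 violated
                    return False
                loc = "l0"
    return True


def enforce_phi1(sigma: TimedWord) -> TimedWord:
    """E_phi1 following Definition 8 specialised to phi_1: each event is released at
    the minimal date in CanD keeping phi_1 satisfied (first case), or suppressed when
    no continuation could satisfy phi_1 (second case); the third case never occurs."""
    out: TimedWord = []
    loc, acq_at, last_op, end = "l0", 0.0, 0.0, 0.0
    for t, a in sigma:
        d = max(t, end)               # start(w) >= end(sigma'_c), and dates never decrease
        if loc == "l0":
            if a == "op":             # kappa_pref(phi1) empty: an op from l0 is never fixable
                continue
            if a == "acq":
                loc, acq_at, last_op = "l1", d, d
        else:
            if a == "op":
                d = max(d, last_op + 1)   # minimal date making y >= 1 true
                last_op = d
            elif a == "rel":
                d = max(d, acq_at + 10)   # minimal date making x >= 10 true
                loc = "l0"
        out.append((d, a))
        end = d
    return out


def is_prefix(u: TimedWord, v: TimedWord) -> bool:
    return v[: len(u)] == u


def is_delayed_subsequence(w: TimedWord, sigma: TimedWord) -> bool:
    """Assumed meaning of w delayed-subsequence-of sigma: the actions of w occur in
    sigma in the same order (some may be skipped) and each date of w is greater than
    or equal to the date of the matched input event. Greedy earliest matching suffices
    because input dates are non-decreasing."""
    j = 0
    for d, a in w:
        while j < len(sigma) and sigma[j][1] != a:
            j += 1
        if j == len(sigma) or d < sigma[j][0]:
            return False
        j += 1
    return True


def check_constraints(enforce: Callable[[TimedWord], TimedWord],
                      phi: Callable[[TimedWord], bool],
                      sigma: TimedWord) -> Dict[str, bool]:
    """Evaluate (Phy), (Snd) and (Tr) of Definition 7 on all prefixes of sigma."""
    outs = [enforce(sigma[:i]) for i in range(len(sigma) + 1)]
    phy = all(is_prefix(outs[i], outs[i + 1]) for i in range(len(sigma)))
    snd = all(o == [] or phi(o) for o in outs)
    tr = all(is_delayed_subsequence(outs[i], sigma[:i]) for i in range(len(sigma) + 1))
    return {"Phy": phy, "Snd": snd, "Tr": tr}


# Constructed input: the second op arrives too early, and rel arrives before 10 t.u.
SIGMA: TimedWord = [(1, "acq"), (2, "op"), (2.5, "op"), (5, "rel"), (6, "acq"), (7, "op")]

if __name__ == "__main__":
    print(enforce_phi1(SIGMA))   # [(1, 'acq'), (2, 'op'), (3, 'op'), (11, 'rel'), (11, 'acq'), (12, 'op')]
    print(check_constraints(enforce_phi1, satisfies_phi1, SIGMA))
```

The delayed `rel` pushes the second `acq` and its `op` later as well, which is exactly the (Phy)-compatible growth of the output that Section 6.3 discusses.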
Remark 4 (Alternative strategies to suppress events). When there is no possibility to continue cor-
recting the input sequence (i.e., $\kappa_{\mathrm{pref}(\varphi)}(\sigma_s, \sigma_c \cdot (t, a)) = \emptyset$), we choose to erase only the last received
event $(t, a)$, since it is the one that causes this impossibility. However, other policies to suppress events
could be chosen. In fact, one could choose to suppress any events in $\sigma_c \cdot (t, a)$, since dates of these
events have not yet been chosen. This would then require to choose among all such subsequences,
using an appropriate order. This may be rather complex to define, and, more importantly, computation-
ally expensive because one would have to face the combinatorial explosion induced when considering
the $2^{|\sigma_c \cdot (t, a)|}$ possible subsets of actions to suppress. Moreover, let us notice that enforcement mecha-
nisms are purposed to work in an online fashion, hence making decisions on each reception of a new
event. For this purpose, not reconsidering the suppression choices makes them definitive and lowers the
computation related to suppression.
Proposition 1. Given some property $\varphi$, its enforcement function $E_\varphi$ as per Definition 8 satisfies the
physical (Phy), soundness (Snd), and transparency (Tr) constraints as per Definition 7.
PROOF (OF PROPOSITION 1 - SKETCH ONLY). The proof of the physical constraint is a direct conse-
quence of the definition of $\mathit{store}_\varphi$. The proofs of soundness and transparency follow the same pattern:
they rely on an induction on the length of the input word $\sigma$. The induction steps use a case analysis,
depending on whether the last input subsequence (i.e., the events in $\sigma_c \cdot (t, a)$) can be corrected or not.
The complete proofs are given in Appendix A.1.
In addition to the physical, soundness, and transparency constraints, the functional definition also en-
sures that each subsequence is output as soon as possible, as expressed by the following proposition.
Proposition 2 (Optimality of enforcement functions). Given some property $\varphi$, its enforcement func-
tion $E_\varphi$ as per Definition 8 satisfies the following optimality constraint:
$$\forall \sigma \in tw(\Sigma) : E_\varphi(\sigma) = \epsilon \vee \exists m, w \in tw(\Sigma) : E_\varphi(\sigma) = m \cdot w\ (\models \varphi), \text{ with}$$
$$m = \max\nolimits^{\varphi}_{\prec}(E_\varphi(\sigma)), \text{ and}$$
$$w = \min\nolimits_{\mathrm{lex,end}}\{ w' \in m^{-1} \cdot \varphi \mid \Pi_\Sigma(w') = \Pi_\Sigma(m^{-1} \cdot E_\varphi(\sigma)) \wedge m \cdot w' \trianglelefteq_d \sigma \wedge \mathrm{start}(w') \geq \mathrm{end}(\sigma) \}$$
where $\max^{\varphi}_{\prec}(\sigma)$ is the maximal strict prefix of $\sigma$ belonging to $\varphi$, formally:
$$\max\nolimits^{\varphi}_{\prec}(\sigma) \stackrel{\text{def}}{=} \max\left(\{ \sigma' \in \varphi \mid \sigma' \prec \sigma \} \cup \{\epsilon\}\right).$$
For any input $\sigma$, if the output $E_\varphi(\sigma)$ is not empty, then (it satisfies $\varphi$ by soundness and) the output can
be separated into a prefix $m$ which is the maximal strict prefix of $E_\varphi(\sigma)$ satisfying property $\varphi$, and a
suffix $w$. The optimality condition focuses on this last part, which is the suffix that allows to satisfy
(again) the property. However, since the property considers any input $\sigma$, the same holds for every prefix
of the input that allows to satisfy $\varphi$ by enforcement, thus for any such (temporary) last subsequence.
The optimality constraint expresses that, among those sequences $w'$ that could have been chosen
(see below), $w$ is the minimal one in terms of ending date, and lexical order (this second minimality
ensures uniqueness). The "sequences that could have been chosen" are those such that $m \cdot w'$ satisfies
the property, have the same events (thus can be produced by suppressing the same events), are delayed
subsequences of the input $\sigma$, and have a starting date greater than or equal to $\mathrm{end}(\sigma)$, since $\mathrm{end}(\sigma)$ is
the date at which $w'$ is appended to the output, and thus a smaller date would be in the past of the output
event.
PROOF (OF PROPOSITION 2 - SKETCH ONLY). The proofs rely on an induction on the length of the
input word $\sigma$. The induction step uses a case analysis, depending on whether the last input subsequence
(i.e., the events in $\sigma_c \cdot (t, a)$) can be corrected or not. The proof is given in Appendix A.2 (p. 47).
Remark 5 (On the optimality condition). Note that the condition $\Pi_\Sigma(w') = \Pi_\Sigma(m^{-1} \cdot E_\varphi(\sigma))$ in
Proposition 2 stems from the strategy chosen to suppress events (see Remark 4). If an enforcement
function is defined such that it is allowed to suppress any event in $\sigma_c \cdot (t, a)$, then the condition
$\Pi_\Sigma(w') = \Pi_\Sigma(m^{-1} \cdot E_\varphi(\sigma))$ in optimality should be removed. Moreover, note that optimality has
to be defined in a recursive manner. Indeed, since enforcement mechanisms should produce output se-
quences in an incremental fashion, the optimal output that should be produced for an input sequence
depends on the optimal outputs that have been produced for the prefixes of the input sequence. Be-
cause of the performance reasons mentioned in Remark 4, defining a more general notion of optimality
(possibly parameterised by the suppression strategy) is left for future work.
6.3. Behavior of enforcement functions over time
At an abstract level, an enforcement function takes as input a timed word and computes as output
the timed word that is eventually produced by the enforcement mechanism after some unbounded delay.
However, at a more concrete level, enforcement obeys some temporal constraints relative to the current
date $t$. Firstly, since the enforcement mechanism reads the input timed word $\sigma$ as a stream, what it can
effectively observe from $\sigma$ at date $t$ is its prefix $\mathrm{obs}(\sigma, t)$. Consequently, at date $t$, what it can compute
from this observation is $E_\varphi(\mathrm{obs}(\sigma, t))$. Note that it is legal to do so since, by definition, $\mathrm{obs}(\sigma, t)$ is a
prefix of $\sigma$, and thus, by the physical constraint (Phy), $E_\varphi(\mathrm{obs}(\sigma, t))$ is a prefix of the complete output
$E_\varphi(\sigma)$. Now, $E_\varphi(\mathrm{obs}(\sigma, t))$ is a timed word where dates attached to events model the date when they
should eventually be released as output. But at date $t$, only its prefix $\mathrm{obs}(E_\varphi(\mathrm{obs}(\sigma, t)), t)$ is effectively
released as output. Now, notice that, since $E_\varphi$ behaves as a time retardant (i.e., dates attached to output
events exceed dates of corresponding input events), and $E_\varphi(\mathrm{obs}(\sigma, t))$ is a prefix of $E_\varphi(\sigma)$, we get
$\mathrm{obs}(E_\varphi(\mathrm{obs}(\sigma, t)), t) = \mathrm{obs}(E_\varphi(\sigma), t)$. From this, we conclude that the released output at date $t$ is
$\mathrm{obs}(E_\varphi(\sigma), t)$. Finally, what is ready to be released at date $t$, but not yet released, is the residual of
$E_\varphi(\mathrm{obs}(\sigma, t))$ after observing $\mathrm{obs}(E_\varphi(\sigma), t)$, thus $\mathrm{obs}(E_\varphi(\sigma), t)^{-1} \cdot E_\varphi(\mathrm{obs}(\sigma, t))$. The enforcement
monitor described in the next section, which implements the enforcement function, takes care of this
temporal behaviour.
Example 4 (Behavior of enforcement functions over time (see Figure 8)). Let us consider the input
timed word σ = (t1, a1) · (t2, a2) · (t3, a3) · (t4, a4) · (t5, a5) · (t6, a6) · (t7, a7), and let the output of the
enforcement function be Eϕ(σ) = (t′1, a1) · (t′2, a2) · (t′4, a4) · (t′5, a5) · (t′7, a7). At time instant t:
- the observation of σ is obs(σ, t) = (t1, a1) · (t2, a2) · (t3, a3) · (t4, a4) · (t5, a5);
- the remaining suffix of obs(σ, t) for which the releasing dates still have to be computed
is σtmc = (t5, a5);
- the output that the enforcement function can compute from obs(σ, t) is Eϕ(obs(σ, t)) = (t′1, a1) ·
(t′2, a2) · (t′4, a4);
- the released output is obs(Eϕ(obs(σ, t)), t) = obs(Eϕ(σ), t) = (t′1, a1) · (t′2, a2);
- the timed word ready to be released, denoted by σtms, is obs(Eϕ(σ), t)−1 · Eϕ(obs(σ, t)) = (t′4, a4).
[Figure 8: time axis from 0 to the current date t; the input σ = (t1, a1) · (t2, a2) · (t3, a3) · (t4, a4) · (t5, a5) · (t6, a6) · (t7, a7) is drawn above the output Eϕ(σ) = (t′1, a1) · (t′2, a2) · (t′4, a4) · (t′5, a5) · (t′7, a7), with the spans obs(σ, t), σtmc, σtms, obs(Eϕ(σ), t) and Eϕ(obs(σ, t)) marked.]
Figure 8: Behavior of enforcement functions over time.
Example 5 (Enforcement function). We illustrate how Definition 8 is applied to enforce specification
S3 (see Section 2), formalised by property ϕ3, recognised by the automaton depicted in Figure 6c with
Σ3 (= {op1, op2, op}), and the input timed word σ3 = (2, op1) · (3, op1) · (3.5, op) · (6, op2). Figure 9
shows the evolution of the observed input timed word obs(σ3, t), the output of the storeϕ function
when the input timed word is obs(σ3, t), and Eϕ3. Variable t keeps track of physical time, i.e., it
contains the current date. When t < 6, the observed output is empty (since Eϕ3(obs(σ3, t)) = ε).
When t ≥ 6, the observed output is obs((6, op1) · (8, op) · (10, op2), t) (since Eϕ3(obs(σ3, t)) =
(6, op1) · (8, op) · (10, op2)).
Example 6 (Enforcement function: a non-enforceable property). Consider specification S4 formalised
by property ϕ4, recognised by the automaton depicted in Figure 6d with Σi4 = {acq i, opi, rel i},
and the input timed word σ4 = (3, acq i) · (7, opi) · (12, rel i). Figure 10 shows the evolution of the
observation of the input timed word obs(σ4, t), the output of the storeϕ function when the input timed
word is obs(σ4, t), and Eϕ4. The output of the enforcement function is ε at any date because delaying
action acq i for 9 t.u. (i.e., until observing action rel i) violates the timing constraint of 10 t.u. without
transaction.
Remark 6 (Simplified enforcement functions for safety properties). Because of the characteristics
of safety properties, the enforcement function for such a property ϕ can be simplified. A safety property
ϕ is prefix-closed, thus pref(ϕ) = ϕ, which implies that the two functions κpref(ϕ) and κϕ are identical.
Thus, the first two cases in the definition of storeϕ(σ · (t, a)) can be merged and distinguished only
according to whether κϕ(σs, σ′c) = ∅ or not, and the third case never happens. Moreover, since σc is
initially empty, and the first two cases in the definition of storeϕ(σ · (t, a)) do not modify σc, by
a simple induction on the input sequence, we observe that σc always remains empty. Thus, the second
output parameter of function storeϕ (i.e., the internal memory) can be suppressed. Additionally, in the
first case, the first argument of the output can be simplified as it is always called with the last read event
(t, a) (see below).
- t ∈ [0, 2): obs(σ3, t) = ε; storeϕ3(obs(σ3, t)) = (ε, ε); obs(Eϕ3(obs(σ3, t)), t) = obs(ε, t) = ε.
- t ∈ [2, 3): obs(σ3, t) = (2, op1); storeϕ3(obs(σ3, t)) = (ε, (2, op1)); obs(Eϕ3(obs(σ3, t)), t) = obs(ε, t) = ε.
- t ∈ [3, 3.5): obs(σ3, t) = (2, op1) · (3, op1); storeϕ3(obs(σ3, t)) = (ε, (2, op1)); obs(Eϕ3(obs(σ3, t)), t) = obs(ε, t) = ε.
- t ∈ [3.5, 6): obs(σ3, t) = (2, op1) · (3, op1) · (3.5, op); storeϕ3(obs(σ3, t)) = (ε, (2, op1) · (3.5, op)); obs(Eϕ3(obs(σ3, t)), t) = obs(ε, t) = ε.
- t ∈ [6, ∞): obs(σ3, t) = (2, op1) · (3, op1) · (3.5, op) · (6, op2); storeϕ3(obs(σ3, t)) = ((6, op1) · (8, op) · (10, op2), ε); obs(Eϕ3(obs(σ3, t)), t) = obs((6, op1) · (8, op) · (10, op2), t).
Figure 9: Evolution over time of the values of the enforcement function for property ϕ3 specifying the transactional execution of
actions op1 and op2.
- t ∈ [0, 3): obs(σ4, t) = ε; storeϕ4(obs(σ4, t)) = (ε, ε); obs(Eϕ4(obs(σ4, t)), t) = obs(ε, t) = ε.
- t ∈ [3, 7): obs(σ4, t) = (3, acqi); storeϕ4(obs(σ4, t)) = (ε, (3, acqi)); obs(Eϕ4(obs(σ4, t)), t) = obs(ε, t) = ε.
- t ∈ [7, 12): obs(σ4, t) = (3, acqi) · (7, opi); storeϕ4(obs(σ4, t)) = (ε, (3, acqi) · (7, opi)); obs(Eϕ4(obs(σ4, t)), t) = obs(ε, t) = ε.
- t ∈ [12, ∞): obs(σ4, t) = (3, acqi) · (7, opi) · (12, reli); storeϕ4(obs(σ4, t)) = (ε, (3, acqi) · (7, opi)); obs(Eϕ4(obs(σ4, t)), t) = obs(ε, t) = ε.
Figure 10: Evolution over time of the values of the enforcement function for property ϕ4 (a non-enforceable property).
The enforcement function for safety properties storesaϕ : tw(Σ) → tw(Σ) can be defined as follows:
storesaϕ(ε) = ε,
storesaϕ(σ · (t, a)) = storesaϕ(σ) · (min(K(σ, (t, a))), a)   if K(σ, (t, a)) ≠ ∅,
storesaϕ(σ · (t, a)) = storesaϕ(σ)                             otherwise,
where K(σ, (t, a)) =def {t′ ∈ R≥0 | t′ ≥ t ∧ storesaϕ(σ) · (t′, a) is a delayed subsequence of σ · (t, a) ∧ storesaϕ(σ) · (t′, a) ∈ ϕ} is
the set of dates t′ ≥ t that can be associated to a such that the extension storesaϕ(σ) · (t′, a) of storesaϕ(σ)
is a delayed subsequence of σ · (t, a) and still satisfies property ϕ.
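As an added illustration (this is example code, not the authors' implementation), the following Python computes storesaϕ for a constructed safety property over Σ = {a, b}: a b may only occur once some a has occurred, and two consecutive events must be at least 2 t.u. apart. The property is encoded as a prefix-closed membership predicate rather than as a TA, the set K is searched over the sampling grid 1/D of Consideration 1, and the value of D, the search horizon and the sample input word are all assumptions of the example.

```python
from fractions import Fraction

# Added example, not the paper's code. Constructed safety property over Sigma = {a, b}:
#  (i)  a 'b' may only occur after at least one 'a' has occurred;
#  (ii) two consecutive events must be at least MIN_GAP t.u. apart.
# Both conditions are prefix-closed, so this is a safety property and the simplified
# function store^sa applies. Timed words are lists of (date, action) pairs.
MIN_GAP = 2
D = 2                   # assumed observation sampling 1/D (Consideration 1)
HORIZON = Fraction(30)  # assumed bound on the dates explored when computing K

def in_phi(word):
    """Membership test for the constructed property; prefix-closed by construction."""
    seen_a, prev = False, None
    for date, act in word:
        if act == "b" and not seen_a:
            return False
        if prev is not None and date - prev < MIN_GAP:
            return False
        seen_a, prev = seen_a or act == "a", date
    return True

def end(word):
    return word[-1][0] if word else Fraction(0)

def min_K(out, event):
    """min(K(sigma, (t, a))) where `out` is store^sa(sigma): the smallest date t' >= t on
    the grid 1/D such that out.(t', a) still satisfies phi. The delayed-subsequence
    condition holds by construction (t' >= t and t' >= end(out)). None if K is empty."""
    t, a = event
    lo = max(t, end(out))
    for k in range(int((HORIZON - lo) * D) + 1):
        tp = lo + Fraction(k, D)
        if in_phi(out + [(tp, a)]):
            return tp
    return None

def store_sa(sigma):
    """store^sa over the input, event by event (the recursion of the definition unrolled):
    append (min K, a) when K is non-empty, otherwise suppress the event."""
    out = []
    for event in sigma:
        tp = min_K(out, event)
        if tp is not None:
            out = out + [(tp, event[1])]
    return out

# Constructed input: a premature b (suppressed), then events arriving too close together.
SAMPLE_INPUT = [(Fraction(1), "b"), (Fraction(1), "a"), (Fraction(2), "a"),
                (Fraction(5, 2), "b"), (Fraction(3), "b")]

def demo():
    return store_sa(SAMPLE_INPUT)   # -> [(1, a), (3, a), (5, b), (7, b)]
```

The premature b has an empty K at every date, since condition (i) is untimed, so it is suppressed; every other event is kept and pushed to the first grid date at which the extended output is still in ϕ, which is exactly the min(K) of the definition.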
7. Enforcement monitors: operational description of enforcement mechanisms
The enforcement function defined in Section 6 describes inductively how an input stream of events
is transformed according to a property. It provides a functional view of enforcement mechanisms and
could be implemented using functional programming constructs such as recursion and lazy evaluation.
However, a concern is that the computation of dates upon the reception of a new event also depends
on the sequence of events σs that have already been corrected, through functions κϕ and κpref(ϕ). Con-
sequently, implementing an enforcement function directly would require the enforcement mechanism
to store σs in its memory, which would grow over time and never be emptied.
Instead, we implement an enforcement function Eϕ for a property ϕ specified by a TA Aϕ with an
enforcement monitor (EM). An EM has an operational semantics: it is defined as a transition system E,
and has explicit state information. It keeps track of and uses information such as the time elapsed, and the
state reached after reading (or simulating) σs in the underlying TA, to release the actions stored in σs at
appropriate dates. Hence, an EM does not need to store σs.
7.1. Preliminaries to the definition of enforcement monitors
In contrast with an enforcement function which, at an abstract level, takes a timed word as input and
produces a timed word as output, an enforcement monitor E also needs to take into account physical
time (i.e., the actual date t), the current observation obs(σ, t) of the input stream σ at date t, the release
of events to the environment, which is obs(Eϕ(σ), t), and the residual of Eϕ(obs(σ, t)) after releasing
obs(Eϕ(σ), t). Note that, since storing these sequences would be impractical at runtime, an enforcement
monitor encodes equivalent information as described below.
An EM E is equipped with: a clock which keeps track of the current date t; two memories; and a
set of enforcement operations used to store and release some timed events to and from the memories,
respectively. The memories are basically queues, each of them containing a timed word:
• σmc manages the input queue, more precisely the subsequence of the input obs(σ, t) consisting
of non-suppressed events for which dates could not yet be chosen to satisfy the property. This
exactly corresponds to the timed word σc in function storeϕ (see Definition 8);
• σms is the output queue which manages the part of the output Eϕ(σ) which is computed at date
t but not yet released; since at date t only the prefix obs(σ, t) has been observed, and obs(Eϕ(σ), t)
has already been released, σms contains the residual obs(Eϕ(σ), t)−1 · Eϕ(obs(σ, t)), i.e., the
timed word that is ready to be released but not yet released.
An EM also keeps track of the current state q of the underlying LTS of the TA Aϕ that encodes ϕ and
the date tF at which q is reached. The current state q is the one reached after reading the timed word
Eϕ(obs(σ, t)) (that also corresponds to σs in the definition of Eϕ), which is the output that can be
computed from the current observation obs(σ, t). By definition q is either q0 or a state in QF. The date
tF is the date end(Eϕ(obs(σ, t))) (and evaluates to 0 if Eϕ(obs(σ, t)) = ε).
7.2. Function update
Before defining enforcement monitors, we introduce function update which takes as input the cur-
rent state q ∈ QF ∪ {q0} of [[Aϕ]]⁵ reached after reading Eϕ(obs(σ, t)), the arrival date tF in this state
q, a timed word σmc ∈ tw(Σ) that has to be corrected, and the last received event (t, a). Function
update possibly updates the current state, and outputs a marker used by E to make decisions, according
to whether σmc can be corrected or not, and in the negative case, whether an extension could be.
⁵ The partitioning of the states Q of [[A]] into four subsets G, GC, BC and B is defined in Section 4.2.
Definition 9 (Function update). update is a function from Q × R≥0 × tw(Σ) × (R≥0 × Σ) to Q ×
tw(Σ) × {ok, c_bad, bad} defined as follows:
update(q, tF, σmc, (t, a)) =def
  (q′, wmin, ok)             if kQF(q, tF, σmc · (t, a)) ≠ ∅ ∧ q –wmin→tF q′,
  (q, σmc, bad)              if kQF∪BC(q, tF, σmc · (t, a)) = ∅,
  (q, σmc · (t, a), c_bad)   otherwise,
where, for 𝒬 ⊆ Q,
k𝒬(q, tF, σ) = {w ∈ tw(Σ) | q –w→tF 𝒬} ∩ CanD(σ),
and wmin = minlex,end kQF(q, tF, σmc · (t, a)).
Recall that CanD(σ) (defined in Section 6.2) computes the set of timed words that delay σ and start at
or after end(σ). Function k𝒬 explicitly uses the semantics [[Aϕ]] = (Q, q0, Γ, →, QF) of the TA Aϕ
defining property ϕ, and, using function CanD, mimics the computation of the sets κϕ(σs, σ′c) and
κpref(ϕ)(σs, σ′c) defined in Section 6.2. Function k𝒬 is parameterised with a set of states 𝒬 ⊆ Q and
called with three parameters: the current state q, a date tF, and a sequence σ. It returns the set of timed
words leading to a state in 𝒬 from state q starting at date tF, among sequences in CanD(σ).
The three cases in the definition of update encode the three cases in the definition of function
storeϕ, in the same order:
- In the first case, 𝒬 = QF and kQF(q, tF, σmc · (t, a)) is not empty, i.e., appropriate delaying dates can
be chosen for the events in σmc · (t, a) such that an accepting state q′ ∈ QF is reached from q, starting
at date tF. In this case, function update returns q′, wmin, and marker ok: wmin is the minimal word
w.r.t. the lexical order among those timed words of minimal ending date in kQF(q, tF, σmc · (t, a)),
q′ ∈ QF is the state reached from q with wmin, and marker ok indicates that QF is reached.
- In the second case, 𝒬 = QF ∪ BC and kQF∪BC(q, tF, σmc · (t, a)) is empty; it is thus impossible to
correct σmc · (t, a) in the future, since no candidate sequence delaying σmc · (t, a) leads to a state in
QF ∪ BC, i.e., accepting states or states from which a path leads to an accepting state (they all lead
to bad states B). This reflects the fact that κpref(ϕ)(σs, σc · (t, a)) is empty, since the set of accepting
states of pref(ϕ) is QF ∪ BC. In this case, function update returns state q and timed word σmc
unmodified, indicating that event (t, a) is suppressed, and marker bad indicates that no accepting state
could be reached in the future if (t, a) were retained in memory.
- In the third case, function update returns state q unmodified, but returns the timed word σmc · (t, a),
and the marker c_bad. The marker indicates that σmc · (t, a) cannot be delayed to reach an accepting
state, but that it is still possible to reach a new accepting state after observing more events in the
future.
On the computation of function update. Function update can be computed using operations on TAs
and known algorithms solving classical problems, with the help of the standard symbolic representation
of behaviours of TAs by region or zone graphs, and refinements of these, using Difference Bound
Matrices (DBM) to encode timing constraints. However, one needs to adapt TAs following practical
considerations as explained below. We first introduce the sub-problems involved in the computation of
update and references to their algorithmic solutions. Next, we explain some considerations to extend
the kind of TAs handled by these algorithms. Finally, we explain how to encode the computation of
update into these algorithms and standard operations on TAs.
Reachability problem: For a TA A = (L, l0, X, Σ, ∆, F), check whether F is reachable. Recall that
reachability is PSPACE-complete in the size of the TA A [11] and can be solved using the sym-
bolic region or zone representations and forward or backward analysis, e.g., using UPPAAL [14].
Optimal reachability problem: For a TA A = (L, l0, X, Σ, ∆, F), check whether F is reachable and,
if yes, find a run with minimal duration. It can be proven that this problem is also PSPACE-
complete in the size of A. PSPACE-hardness is a direct consequence of the fact that reachability
in TAs is already PSPACE-hard. PSPACE-easiness is a consequence of the fact that a more
general problem, the optimal cost reachability problem for weighted timed automata (WTAs), is
proven to be PSPACE-complete in [19], and can be solved by the exploration of the weighted
directed graph. The weighted directed graph is a refinement of the region graph in which the
durations of time transitions are arbitrarily close to integers, and edges are augmented with cost
functions which are polynomials in the constants of A. Cost-optimal paths can be found among
those where the durations spent in locations are arbitrarily close to integers. Moreover, in the case
of TAs with only non-strict guards, the optimal timed words indeed have integral dates.
We now state four considerations that allow us to apply these algorithms in our context:
Consideration 1 In a real runtime environment, dates of input events are observed by a digital clock
with limited precision. Observed dates can thus be considered as rationals, more precisely integral
multiples of a sampling rate 1/D of a clock, rather than reals as in the idealized model of timed
words. As a consequence of this, of the computation of update and of its use in the enforcement
monitor, the computed output dates are also rationals (obtained by reverse scaling of integer dates
obtained by optimal reachability, see below).
Consideration 2 In our definition of TAs, all constants in guards are integers. These TAs are sometimes
called integral TAs. As will be clear later, and in particular because of Consideration 1, we shall
also consider rational TAs, i.e., TAs where constants can be rational. A rational TA can be
transformed into an integral TA by considering 1/d as the new unit value, where d is the least
common multiple of all denominators of rational constants. Note that the value 1/d, which will
be useful in the sequel, will always be a multiple of the observation sampling rate 1/D, thus one
can simply take 1/D. Since the size of the region/zone graph depends on the maximal constant,
there is a tradeoff between the precision of the observation and the cost of reachability analysis.
Consideration 3 Still due to Consideration 1, in the use of update we will have to solve (optimal)
reachability not only from the initial state, but from some state q where the location l may differ
from l0 and clocks have a rational valuation ν. First, as is the case with Consideration 2, one can
scale this TA by multiplying all constants by the least common multiple of the denominators of this
valuation (and of the constants, if rational) in order to get an integral TA starting in an integral valuation
ν′. Second, the construction of the region/zone automaton will be as usual, except that it should
start in (l, ν′).
Consideration 4 As seen above with optimal reachability, for TAs with strict (lower) guards, the infimum
may not be realizable even though reachability is achieved. However, a timed word arbitrarily
close to the infimum exists as soon as reachability is achieved. Alternatively, one may approximate
the TA with a TA exhibiting only non-strict guards. Since output dates should be multiples
of the sampling rate 1/D, the approximation consists in transforming all strict guards of the form
x > c, where c is an integer, into guards of the form x ≥ c + 1/D, and then using Consideration 2
to transform this rational TA into an integral TA, obtaining guards of the form x ≥ D ∗ c + 1.
Remark 7. Most of the above considerations concern rational constants (or initial rational valuations)
in TAs and have their roots in the precision of the observation (Consideration 1). An alternative way
to understand those considerations, and avoid problems of rational constants in all the algorithms, is
simply to consider the observation sampling 1/D as the new time unit, and thus to observe events at
integral dates and rescale TA Aϕ according to this new time unit. As a consequence, all TAs that have
to be built would be integral TAs.
We now come back to the computation of function update. First, CanD(σmc · (t, a)) can be represented
by a rational TA C with a new clock y ∉ X (that does not belong to the set of clocks of the TA Aϕ
of the property) initialized to 0, and |σmc · (t, a)| transitions in sequence, one transition per action in
σmc · (t, a), the first transition with constraint y ≥ t, the other ones with no timing constraint, no reset
on any transition, and one accepting location in set FC at the end, with no outgoing transition. Clearly,
this automaton recognises timed words delaying σmc · (t, a) and starting after t. Since t is the date at
which a is observed, by Consideration 1 we suppose that it is a rational, multiple of the observation
sampling 1/D, thus C is a rational TA. For technical reasons, in the following we will rather consider
the rational TA C′ obtained from C by replacing y ≥ t by y ≥ t − tF in the first transition, where tF is
the arrival date in state q (note that it can be easily proven by induction on the use of update that tF is
rational, since computed output dates are rational). C′ recognizes the same timed words as C, with all
dates decreased by the duration tF.
For the first case in the definition of update, one needs first to check whether kQF(q, tF, σmc ·
(t, a)) ≠ ∅ and then to pick a timed word with minimal duration in this set. This can thus be done as
follows: let Aϕ(q) be the same TA as Aϕ, but starting in the initial state q, where q is a pair (l, ν) with
l ∈ L and ν a rational valuation of the clocks in X. Now build the product TA Aϕ(q) × C′ and check
whether F × FC is reachable. For this purpose, Consideration 4 is used to transform strict guards into
non-strict ones, and then Considerations 2 and 3 are used to transform this rational TA initialized with
a rational valuation into an integral TA initialized with an integral valuation. If F × FC is reachable,
computing the timed word with minimum duration can be done using the algorithm described in [19],
resulting in an integral timed word. Next, one has to rescale this integral timed word into a rational
timed word by division by the scalings used to transform rational TAs to integral TAs. Finally, the
resulting timed word is increased by the duration tF to get the final result.
For the second case, one needs to check whether kQF∪BC(q, tF, σmc · (t, a)) = ∅. This can be done
as follows: let C′′ be the same automaton as C′, except that the accepting locations in FC loop on any
action; C′′ then recognises extensions of timed words in CanD(σmc · (t, a)), but again decreased by the
duration tF; build the product Aϕ(q) × C′′, and check whether F × FC is reachable in this TA, using
Considerations 2 and 3 again to transform this rational TA initialized with a rational valuation into an
integral TA initialized with an integral valuation. If the answer is no, kQF∪BC(q, tF, σmc · (t, a)) = ∅.
An operational definition of function update as an algorithm is described in Section 8.
Complexity. Recall that for an integral timed automaton A = (L, l0, X, Σ, ∆, F), reachability can be
solved by first constructing the region graph or zone graph, whose size is in O((|∆| + |L|) · (2M +
2)^|X| · |X|! · 2^|X|), where M is the maximal constant appearing in guards, |L| is the number of locations,
|∆| the number of edges, and |X| the number of clocks, and then solving reachability in this finite graph.
Since reachability in finite graphs is NLOGSPACE-complete (in the size of the finite graph), globally,
this algorithm is in PSPACE, and it is proven that the problem is PSPACE-complete [11].
As previously mentioned, optimal reachability is PSPACE-complete in the size of A. It is a conse-
quence of the PSPACE-completeness of the more general problem of optimal reachability for weighted
timed automata. Weighted timed automata are extensions of timed automata where a cost function C as-
signs integer costs to both locations and transitions, with the semantics that firing a transition e induces
a cost C(e), and spending τ time units in a location l induces a cost C(l) · τ. The optimal reachability
problem for TAs can thus be reduced to the cost optimal reachability problem for WTAs in which a null
cost is assigned to transitions and a cost of 1 is assigned to every location. The optimal reachability
problem is solved by first constructing the weighted directed graph, which refines the region graph by
focusing on what happens close to integral corners of regions, and labelling transitions with a cost
function. The size of the weighted directed graph is |X| + 1 times bigger than the region graph. Optimality
is then solved by traversing this graph on-the-fly and comparing the weights of elementary paths.
For simplicity, the complexity of both algorithms is in general abstracted to O(2^|A|) where |A|
takes into account the number of transitions, locations, the maximal constant, and the number of clocks
in A.
Note that to solve those problems for a rational TA, one first needs to build an integral TA according
to the observation sampling 1/D, by multiplying constants by D. The size of the region graph thus be-
comes O((|∆| + |L|) · (2·D·M + 2)^|X| · |X|! · 2^|X|), and both problems are still in O(2^|A|). For the product
of two TAs A = (L, l0, X, Σ, ∆, F) and B = (L′, l′0, X′, Σ, ∆′, F′), with respective maximal con-
stants M and M′, the size of the region graph thus becomes O((|∆|·|∆′| + |L|·|L′|) · (2·max(M, M′) +
2)^(|X|+|X′|) · (|X| + |X′|)! · 2^(|X|+|X′|)), and the complexity of (optimal) reachability becomes O(2^(|A|+|B|)).
Now, let us come to the complexity of update, or more precisely to the orders of sizes of the region
graphs and weighted directed graphs that need to be traversed, since these are the key elements in the
complexity of the algorithms. For a given input memory σmc · (t, a), the computation of update requires
solving the optimal reachability problem on the automaton Aϕ(q) × C′ and the reachability problem on
the automaton Aϕ(q) × C′′, where C′ and C′′ are built from σmc · (t, a) as explained above, and Aϕ(q)
is obtained from a TA Aϕ = (L, l0, X, Σ, ∆, F) (with maximal constant M) by shifting the initial
state to q. Firstly, note that the automaton Aϕ(q) is of the same size as Aϕ, but is a rational TA, thus the
maximal constant of the corresponding integral automaton is M·D when scaling to integral automata
with observation sampling 1/D. Secondly, the automata C′ and C′′ both have O(|σmc|) locations and
respectively O(|σmc|) and O(|σmc| + |Σ|) transitions. They both have one clock and the maximal
constant of their corresponding integral TAs is the integer D·(t − tF).
For the product TAs Aϕ(q) × C′ and Aϕ(q) × C′′, we get O(|σmc|·|L|) locations and respectively
O(|σmc|·|∆|) and O((|σmc| + |Σ|)·|∆|) transitions. The maximal constant is D·max(M, t − tF) and
both automata have |X| + 1 clocks.
In the first case of function update, solving the optimal reachability problem in the TA Aϕ(q) × C′
induces the (partial) construction and traversal of a weighted directed graph which is of size O((|X| +
2) · |σmc| · (|∆| + |L|) · (2·D·max(M, t − tF) + 2)^(|X|+1) · (|X| + 1)! · 2^(|X|+1)).
In the second case, the reachability problem in the TA Aϕ(q) × C′′ can be solved by building a region
graph of size O(((|σmc| + |Σ|)·|∆| + |σmc|·|L|) · (2·D·max(M, t − tF) + 2)^(|X|+1) · (|X| + 1)! · 2^(|X|+1)).
In spite of these complexities, these problems can be efficiently solved, e.g., in UPPAAL [14], using
zones and their encoding with DBMs. One key to efficiency is the choice of the right observation
sampling 1/D, which influences the size of the maximal constant in integral TAs. The smaller 1/D is,
the tighter the observation, but the larger the region graph. It should also be noted that even though
the maximal size of the product automata is in the product of the sizes of the component automata, in practice
only paths in Aϕ along the untimed projection of σmc · (t, a) have to be considered, which strongly
restricts the region graph or weighted directed graph that needs to be built when searching for (optimal)
accepted timed words. Finally, as will be clear later, update is called with sequences σmc · (t, a) of
increasing length (in the case where no suppression occurs), starting from 1, until it can be corrected to
satisfy ϕ, in which case its length is reinitialized to 1. The worst case complexity is reached when no
prefix can be corrected (but a possible extension always could) before the arrival of the sequence. But
in general, we may expect that ϕ can be regularly satisfied by correcting the input.
7.3. Definition of enforcement monitors
We can now define the enforcement monitor using function update defined in Section 7.2.
Definition 10 (Enforcement Monitor). Let us consider a regular property ϕ recognised by the TA Aϕ
with semantics [[Aϕ]] = (Q, q0, Γ, →, QF). The enforcement monitor for ϕ is the transition system
Eϕ = (CEϕ, cEϕ0, ΓEϕ, ↪→Eϕ) s.t.:
- CEϕ = tw(Σ) × tw(Σ) × R≥0 × Q × R≥0 is the set of configurations of the form (σms, σmc, t, q, tF),
where σms, σmc are timed words to memorise events, t is a positive real number to keep track of time,
q is a state in the semantics of the TA and tF keeps track of the arrival date in q,
- cEϕ0 = (ε, ε, 0, q0, 0) ∈ CEϕ is the initial configuration,
- ΓEϕ = ((R≥0 × Σ) ∪ {ε}) × Op × ((R≥0 × Σ) ∪ {ε}) is the alphabet, i.e., the set of triples com-
prised of an optional input event, an operation, and an optional output event, where the set of possible
operations is Op = {store-ϕ(·), storesup-ϕ(·), store-ϕ(·), release(·), idle(·)};
- ↪→Eϕ ⊆ CEϕ × ΓEϕ × CEϕ is the transition relation defined as the smallest relation obtained by the
following rules applied with the priority order below:
- 1. store-ϕ: (σms, σmc, t, q, tF) ↪→Eϕ (σms · w, ε, t, q′, end(w)) on (t, a)/store-ϕ(t, a)/ε,
if update(q, tF, σmc, (t, a)) = (q′, w, ok),
- 2. storesup-ϕ: (σms, σmc, t, q, tF) ↪→Eϕ (σms, σmc, t, q, tF) on (t, a)/storesup-ϕ(t, a)/ε,
if update(q, tF, σmc, (t, a)) = (q, σmc, bad),
- 3. store-ϕ: (σms, σmc, t, q, tF) ↪→Eϕ (σms, σmc · (t, a), t, q, tF) on (t, a)/store-ϕ(t, a)/ε,
if update(q, tF, σmc, (t, a)) = (q, σmc · (t, a), c_bad),
- 4. release: ((t, a) · σ′ms, σmc, t, q, tF) ↪→Eϕ (σ′ms, σmc, t, q, tF) on ε/release(t, a)/(t, a),
- 5. idle: (σms, σmc, t, q, tF) ↪→Eϕ (σms, σmc, t + δ, q, tF) on ε/idle(δ)/ε, if δ ∈ R>0 is a delay such that, for all δ′ < δ,
no other rule can be applied to (σms, σmc, t + δ′, q, tF)⁶,
where c ↪→Eϕ c′ on e/op(p)/e′ denotes the fact that the enforcement monitor moves from configuration c to
configuration c′ by reading e, executing operation op parameterised by p, and outputting e′.
A configuration (σms, σmc, t, q, tF) of the EM consists of the following elements: σms is the sequence
which is corrected and can be released as output; σmc is the input sequence read by the EM, but yet to
be corrected, except for events that are suppressed; t indicates the current date; q is the current state of
[[Aϕ]] reached after processing the sequence already released, followed by the timed word in memory
σms, i.e., Eϕ(obs(σ, t)); tF is the arrival date in q.
Semantic rules can be understood as follows:
• Upon the reception of an event (t, a) (i.e., when t is the date in the configuration and (t, a) is
read), one of the following rules is executed. Notice that their conditions are mutually exclusive.
– 1. Rule store-ϕ is executed if function update returns state q′ ∈ QF, timed word w and
marker ok, indicating that ϕ can be satisfied by the sequence already released as output,
followed by σms, and followed by w which minimally delays σmc · (t, a) to satisfy ϕ. When
executing the rule, sequence w is appended to the content of output memory σms, the input
memory σmc is emptied, q′ is the new state and end(w) is the new arrival date.
– 2. Rule storesup-ϕ is executed if the update function returns marker bad, indicating that
σmc · (t, a) followed by any sequence cannot be corrected. Event (t, a) is then suppressed,
and the configuration remains unchanged.
– 3. Rule store-ϕ is executed if the update function returns marker c_bad, indicating that
σmc · (t, a) cannot be corrected yet. The event (t, a) is then appended to the internal memory
σmc, but σms, q and tF remain unchanged.
• When no event can be received, one of the following rules is applied, with decreasing priority:
– 4. Rule release is executed if the current date t is equal to the date corresponding to the first
event of the timed word σms = (t, a) · σ′ms in the memory. The event is released as output
and removed from σms in the resulting configuration.
– 5. Rule idle adds the time elapsed δ to the current value of t when neither store nor release
operations are possible at any time instant between t and t + δ.
Note that all rules except rule idle execute in zero time. Moreover, it is important to notice that the definition
of update entails that the state q inside a configuration is either initial (initially q = q0) or accepting (it
is only modified by a store-ϕ rule which makes it jump to a state q ∈ QF as a result of update), one
case not excluding the other (e.g., for safety properties).
⁶ The allowed delays are obviously not known in the starting configuration of rule idle. In practice, at the implementation level,
allowed delays are determined using busy-waiting.
Example 7 (Execution of an enforcement monitor). We illustrate how the rules of Definition 10 are
applied to enforce property ϕ3 (see Section 2), recognised by the automaton depicted in Figure 6c
with Σ3 = {op1, op2, op}, and the input timed word σ3 = (2, op1) · (3, op1) · (3.5, op) · (6, op2).
Figure 11 shows how semantic rules are applied according to the current date t, and the evolution of the
configurations of the enforcement monitor, together with input and output. More precisely, each line is
of the form O/c/I, where O is the sequence of released events, c is a configuration, and I is the residual
of the input σ after its observation at date t. The resulting (final) output is (6, op1) · (8, op) · (10, op2),
which satisfies property ϕ3. Note that after t = 10, only rule idle can be applied.
7.4. Relating Enforcement functions and enforcement monitors
We show how the definitions of enforcement function and enforcement monitor are related: given a
property ϕ, any input sequence σ, at any date t, the output of the associated enforcement function and
the output behaviour of the associated enforcement monitor are equal.
Preliminaries. We first describe how an enforcement monitor reacts to an input sequence. In the remainder of this section, we consider an enforcement monitor E = (C_E, c_0^E, Γ_E, ↪→_E), not related to a property. Enforcement monitors, described in Section 7, are deterministic. By determinism, we mean that, given an input sequence, the observable output sequence is unique. Moreover, given σ ∈ tw(Σ) and t ∈ R≥0, how an enforcement monitor reads σ until date t is unique: it goes through a unique sequence of configurations. Since rule idle does not read nor produce any event, ε belongs to the input alphabet. Thus, given an input sequence σ and a date t, there is possibly an infinite set of corresponding sequences over the input-operation-output alphabet (as in Definition 10). All these sequences are equivalent: they involve the same configurations for the enforcement monitor and the same output sequence. Consequently, the rules of transition relations are ordered in such a way that reading ε will always be the transition with least priority. Consequently, given an input sequence, reading ε (and doing other operations such as outputting some event) is always possible when the monitor cannot read an input.

Figure 11 (each configuration line reads O / c / I with c = (σms, σmc, t, q, tF); the indented lines between them give the input / operation / output of the transition taken):

t = 0      ε / (ε, ε, 0, (l0, 0, 0), 0) / (2, op1) · (3, op1) · (3.5, op) · (6, op2)
               ε / idle(2) / ε
t = 2      ε / (ε, ε, 2, (l0, 0, 0), 0) / (2, op1) · (3, op1) · (3.5, op) · (6, op2)
               (2, op1) / store-ϕ(2, op1) / ε
t = 2      ε / (ε, (2, op1), 2, (l0, 0, 0), 0) / (3, op1) · (3.5, op) · (6, op2)
               ε / idle(1) / ε
t = 3      ε / (ε, (2, op1), 3, (l0, 0, 0), 0) / (3, op1) · (3.5, op) · (6, op2)
               (3, op1) / storesup-ϕ(3, op1) / ε
t = 3      ε / (ε, (2, op1), 3, (l0, 0, 0), 0) / (3.5, op) · (6, op2)
               ε / idle(0.5) / ε
t = 3.5    ε / (ε, (2, op1), 3.5, (l0, 0, 0), 0) / (3.5, op) · (6, op2)
               (3.5, op) / store-ϕ(3.5, op) / ε
t = 3.5    ε / (ε, (2, op1) · (3.5, op), 3.5, (l0, 0, 0), 0) / (6, op2)
               ε / idle(2.5) / ε
t = 6      ε / (ε, (2, op1) · (3.5, op), 6, (l0, 0, 0), 0) / (6, op2)
               (6, op2) / store-ϕ(6, op2) / ε
t = 6      ε / ((6, op1) · (8, op) · (10, op2), ε, 6, (l0, 4, 2), 10) / ε
               ε / release(6, op1) / (6, op1)
t = 6      (6, op1) / ((8, op) · (10, op2), ε, 6, (l0, 4, 2), 10) / ε
               ε / idle(2) / ε
t = 8      (6, op1) / ((8, op) · (10, op2), ε, 8, (l0, 4, 2), 10) / ε
               ε / release(8, op) / (8, op)
t = 8      (6, op1) · (8, op) / ((10, op2), ε, 8, (l0, 4, 2), 10) / ε
               ε / idle(2) / ε
t = 10     (6, op1) · (8, op) / ((10, op2), ε, 10, (l0, 4, 2), 10) / ε
               ε / release(10, op2) / (10, op2)
t = 10     (6, op1) · (8, op) · (10, op2) / (ε, ε, 10, (l0, 4, 2), 10) / ε
               ε / idle(t) / ε
t > 10     (6, op1) · (8, op) · (10, op2) / (ε, ε, t, (l0, 4, 2), 10) / ε

Figure 11: Execution of an enforcement monitor for ϕ3. The enforcement monitor ensures that if the automaton for ϕ3 reads the (entire) output sequence, it remains in its accepting states.

More formally, let us define E^ioo(σ, t) ∈ (Γ_E)* to be the unique sequence of transitions (triples comprised of an optional input event, an operation, and an optional output event) that is “triggered” from the initial configuration, when the enforcement monitor reads σ until date t:
Definition 11 (Input-Operation-Output sequence). Given an input sequence σ ∈ tw(Σ) and some date t ∈ R≥0, we define the input-operation-output sequence, denoted as E^ioo(σ, t), as the unique^7 sequence of (Γ_E)* such that:

$$\exists c \in C_E : \; c_0^E \overset{E^{ioo}(\sigma,t)}{\hookrightarrow}{}^{*}_{E}\, c
\;\wedge\; \Pi_1(E^{ioo}(\sigma,t)) = obs(\sigma,t)
\;\wedge\; timeop(\Pi_2(E^{ioo}(\sigma,t))) = t
\;\wedge\; \neg\Big(\exists c' \in C_E,\, e \in (\mathbb{R}_{\ge 0} \times \Sigma) : c \overset{(\epsilon,\, release(e),\, e)}{\hookrightarrow}_{E} c'\Big),$$

where the timeop function indicates the duration of a sequence of enforcement operations and says that only the idle enforcement operation consumes time. Formally:

$$timeop(\epsilon) = 0; \qquad
timeop(op \cdot ops) =
\begin{cases}
d + timeop(ops) & \text{if } \exists d \in \mathbb{R}_{>0} : op = idle(d), \\
timeop(ops) & \text{otherwise.}
\end{cases}$$

The observation of the input timed word σ at any date t, corresponding to obs(σ, t), is the concatenation of all the input events read/consumed by the enforcement monitor over various steps. Observe that, because of the assumptions on Γ_E, only rule idle applies to configuration c: rule release does not apply by definition of E^ioo(σ, t) and none of the store rules applies because Π_1(E^ioo(σ, t)) = obs(σ, t).
Relating enforcement functions and enforcement monitors. We now relate the enforcement function Eϕ and the enforcement monitor Eϕ, for a property ϕ, using the input-operation-output behaviour E^ioo_ϕ of Eϕ as per Definition 11. Seen from the outside, an enforcement monitor Eϕ behaves as a device reading and producing timed words. Overloading notations, this input/output behaviour can be characterised as a function Eϕ : tw(Σ) × R≥0 → tw(Σ) defined as:

$$\forall \sigma \in tw(\Sigma),\ \forall t \in \mathbb{R}_{\ge 0} : \quad E_\varphi(\sigma, t) = \Pi_3\big(E^{ioo}_\varphi(\sigma, t)\big).$$

The corresponding output timed word Eϕ(σ, t), at any date t, is the concatenation of all the output events produced by the enforcement monitor over the various steps of the enforcement monitor (where all ε's are erased through concatenation). In the following, we do not distinguish between an enforcement monitor and the function that characterises its behaviour.
Finally, we define an implementation relation between enforcement monitors and enforcement functions as follows.
Definition 12 (Implementation relation). Given an enforcement function Eϕ (as per Definition 8) and an enforcement monitor (as per Definition 10) whose behaviour is characterised by a function Eϕ, we say that Eϕ implements Eϕ iff:

$$\forall \sigma \in tw(\Sigma),\ \forall t \in \mathbb{R}_{\ge 0} : \quad obs(E_\varphi(\sigma), t) = E_\varphi(\sigma, t).$$

7 The uniqueness of E^ioo(σ, t) is discussed in Remark 9 in Appendix A.3.
[Figure 12: Realising an EM. Block diagram of the enforcement monitor: the input σ read up to date t enters Process Store, which keeps the internal buffer σmc and fills the shared Memory (σms); Process Release reads that memory and produces the output E(σ, t).]
Proposition 3 (Relation between enforcement function and enforcement monitor) Given a property ϕ, its enforcement function Eϕ (as per Definition 8, p. 16), and its enforcement monitor Eϕ (as per Definition 10, p. 26), Eϕ implements Eϕ in the sense of Definition 12.
PROOF (OF PROPOSITION 3 - SKETCH ONLY). The proof is given in Appendix A.4, p. 53. The proof relies on an induction on the length of the input word σ. The induction step uses a case analysis, depending on whether the input is completely observed or not at date t, whether the input can be delayed into a correct output or not, and whether the memory content (σms) is completely released or not at date t. The proof also uses several intermediate lemmas that characterise some special configurations (e.g., value of the clock variable, content of the memory σms) of an enforcement monitor.
8. Enforcement algorithms: implementation of enforcement mechanisms
An enforcement monitor remains an abstract view of a real enforcement mechanism, and needs to be further concretised into an implementation. The implementation of an enforcement monitor consists of two processes running concurrently (called hereafter StoreProcess and ReleaseProcess) and started simultaneously, and a shared memory, as shown in Figure 12. StoreProcess implements the store rules of the enforcement monitor. The memory contains the timed word σms: the corrected sequence that can be released as output. The memory is realised as a queue, shared between the StoreProcess and ReleaseProcess, where the StoreProcess adds events, which are processed and corrected, to this queue. ReleaseProcess reads the events stored in the memory σms and releases the action corresponding to each event as output, when time reaches the date associated to the event. StoreProcess also makes use of another internal buffer σmc (not shared with any other process), to store the events which have been read but cannot be corrected yet to satisfy the property. In the algorithms, primitive await is used to wait for a trigger event from another process or to wait until some condition becomes true. Primitive wait is used by a process to wait for some amount of time determined by the process itself.
In the following, we first present algorithm update used by algorithm StoreProcess, then present algorithm StoreProcess, and finally algorithm ReleaseProcess.
Algorithm update (see Algorithm 1). Algorithm update implements function update from Definition 9. It takes as input q, the current state, tF, the arrival date in state q, the events stored in the internal memory σmc of StoreProcess, and the new event (t, a), and returns a new state q′, a timed word σ′mc, and a marker in the set {ok, c_bad, bad}, indicating whether σmc · (t, a) can be delayed to satisfy ϕ.
The algorithm makes use of the following functions. Function computeReach computes all the reachable paths^8 from the current state q upon events in σmc · (t, a) that start after date t, where time starts at date tF, the arrival date in q. Formally, it computes

$$\{\, w \in tw(\Sigma) \mid q \xrightarrow{w}_{t_F} \,\} \cap CanD(\sigma_{mc} \cdot (t, a)).$$

Function getAccPaths takes as input all the paths returned by computeReach and returns only those that lead to a state in QF. Formally it computes

$$k_{Q_F}(q, t_F, \sigma_{mc} \cdot (t, a)) = \{\, w \in tw(\Sigma) \mid q \xrightarrow{w}_{t_F} Q_F \,\} \cap CanD(\sigma_{mc} \cdot (t, a)).$$

Both functions use forward analysis, zone abstraction, and operations on zones such as the resetting of clocks and intersection of guards [16].
Function getOptimalWord takes all the accepting paths and a sequence σmc · (t, a) and computes optimal delays for events in σmc · (t, a). This function first computes an optimal date for each event, for all accepting paths. Finally, it picks a path among the set of accepting paths whose ending date is minimal, and returns it as the result. Function getOptimalWord implements the computation described in Section 7.2 (§ On the computation of function update) using a simplified version of the algorithm in [19]. Function post takes a state of the automaton defining the property, a timed word, and computes the state reached by the automaton. Function checkReachAcc takes a set of paths as input. From the last state in each path, it checks if an accepting state in the input TA is reachable or not (i.e., whether a state in QF is reachable). It returns tt, if an accepting state is reachable, and ff otherwise. Formally it checks whether k_{QF ∪ BC}(q, tF, σ) is empty.

Algorithm 1 update(q, tF, σmc, (t, a))
  allPaths ← computeReach(σmc · (t, a), q, tF)
  accPaths ← getAccPaths(allPaths)
  if accPaths ≠ ∅ then
    σ′mc ← getOptimalWord(accPaths, σmc · (t, a))
    return (post(q, σ′mc), σ′mc, ok)
  else
    isReachable ← checkReachAcc(allPaths)
    if isReachable = ff then
      return (q, σmc, bad)             /* (t, a) is dropped: σmc is returned unchanged */
    else
      return (q, σmc · (t, a), c_bad)  /* (t, a) is kept in σmc until it can be corrected */
    end if
  end if

The algorithm proceeds as follows. If the set of accepting paths is not empty (i.e., a state in QF is reachable upon delaying σmc · (t, a)), then function update returns ok, the optimal word computed using getOptimalWord, and the state reached in the TA (computed using the function post). Otherwise, it checks if it is possible to reach an accepting state in the future (computed using function checkReachAcc). If it is impossible to reach an accepting state (i.e., from all the states reached upon delaying σmc · (t, a), QF is not reachable), then function update returns bad, σmc, and the current state q. Otherwise, it returns the current state q, σmc · (t, a), and c_bad.

8 A path is a run in the symbolic (zone) graph.
Algorithm StoreProcess (see Algorithm 2). Algorithm StoreProcess is an infinite loop that scrutinises the system for input events. In the algorithm, q represents the state of the property automaton.

Algorithm 2 StoreProcess
  t ← 0
  (q, tF) ← (q0, 0)
  (σms, σmc) ← (ε, ε)
  while tt do
    (t, a) ← await(event)    /* i.e., action a is received at date t */
    (q′, σ′mc, isPath) ← update(q, tF, σmc, (t, a))
    if isPath = ok then
      σms ← σms · σ′mc
      σmc ← ε
      q ← q′
      tF ← end(σ′mc)
    else
      σmc ← σ′mc
    end if
  end while

The algorithm proceeds as follows. StoreProcess initially sets its clock t to 0. This clock keeps track of the time elapsed and increases with physical time. Variable tF is initialised to 0. This variable contains the date of the last event of σms, if σms is not empty, and the date of the last released event otherwise. The algorithm also initialises q to q0, and the two memories σms and σmc to ε. It then enters an infinite loop where it waits for an input event (await(event)). When receiving an action a at date t, it stores event (t, a). It then invokes function update with the current state q, the arrival date tF, the events stored in σmc and the new event (t, a). Then, function update returns a new state q′, a timed word σ′mc and the marker isPath. If marker isPath = ok, it means that σmc · (t, a) can be corrected into the timed word σ′mc computed by update and this word leads from state q to state q′ in the underlying semantics of the timed automaton, at date end(σ′mc). Then, timed word σ′mc is appended to shared memory σms (since σ′mc leads to an accepting state q′ from state q), the internal memory σmc is cleared, state q is updated to q′ and tF to end(σ′mc). In all other cases, σmc is set to σ′mc, the result of update, which is either σmc if isPath = bad (it is impossible to correct the input sequence σmc whatever the future events are) or σmc · (t, a) if isPath = c_bad. In the bad case, event (t, a) is thus deleted. In both cases, state q, tF and memory σms are not modified.
Algorithm 3 ReleaseProcess
  d ← 0
  while tt do
    await(σms ≠ ε)
    (t, a) ← dequeue(σms)
    wait(t − d)
    release(a)
  end while

Algorithm ReleaseProcess (see Algorithm 3). Algorithm ReleaseProcess is an infinite loop that scrutinises memory σms and releases actions as output.
The algorithm proceeds as follows. Initially, clock d, which keeps track of the time elapsed, is set to 0 and then increases with physical time. ReleaseProcess waits until the memory is not empty (σms ≠ ε). Using operation dequeue, the first element stored in the memory is removed, and is stored as (t, a). Since d time units elapsed, process ReleaseProcess waits for (t − d) time units before performing operation release(a), releasing action a as output at date t (which amounts to appending (t, a) to the output of the enforcement monitor).
Remark 8 (Launching StoreProcess and ReleaseProcess). In order to respect the semantics of the enforcement monitor, the two processes StoreProcess and ReleaseProcess should be launched simultaneously. This ensures that their current dates (encoded by t for StoreProcess and d for ReleaseProcess) are always equal.
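The store/release/idle rules of Definition 10, the projections Π1, Π3 and the timeop function of Definition 11, and the StoreProcess/ReleaseProcess split of Algorithms 2 and 3 can be exercised end to end on a small property. The Python program below is an added example, not TiPEX code and not taken from the paper: it runs the two processes inside one simulated clock instead of as concurrent processes, returns the input-operation-output sequence, and plugs in a hand-written update for the co-safety property ϕcs of Section 9.2 ("a request should be immediately followed by a grant, at least 6 t.u. later"). The location names l0/l2, the marker constants, the simplified update_cs (no zone computation; it only encodes the timing constraint of ϕcs) and the input trace are constructed assumptions.

```python
"""Simulation of a timed enforcement monitor: store/release/idle rules of
Definition 10, the projections of Definition 11, and the StoreProcess /
ReleaseProcess split of Algorithms 2 and 3, driven by one simulated clock.
Added example; not TiPEX code."""

OK, C_BAD, BAD = "ok", "c_bad", "bad"   # markers returned by update (Definition 9)
EPS = ()                                 # the empty timed word

# Assumed locations of a one-clock TA for phi_cs: l0 initial, l2 accepting.
# (TiPEX's update works on zones; this hand-written version only encodes the
# timing constraint of phi_cs.)
L0, L2 = "l0", "l2"

def update_cs(q, tF, smc, event):
    """Algorithm 1 specialised to phi_cs ("a request is immediately followed by a
    grant, at least 6 t.u. later").  Returns (q', sigma'_mc, marker).  Delayed
    dates must be >= t (current date) and >= tF (last date in sigma_ms)."""
    t, a = event
    if q == L2:                               # accepting: any event is fine
        return L2, ((max(t, tF), a),), OK
    if not smc:                               # nothing pending in sigma_mc
        if a == "request":
            return q, smc + ((t, a),), C_BAD  # wait for the grant
        return q, smc, BAD                    # a lone grant: Q_F unreachable, suppress
    if a == "grant":                          # pending request + grant: correct both
        d1 = max(t, tF)
        d2 = max(t, d1 + 6)
        return L2, ((d1, "request"), (d2, "grant")), OK
    return q, smc, BAD                        # request . request: suppress the new one

def enforce(update, q0, sigma, horizon):
    """Runs the monitor until date `horizon` and returns E^ioo(sigma, horizon) as a
    list of (input, operation, output) triples, None standing for epsilon."""
    t, q, tF = 0.0, q0, 0.0
    sms, smc, pending, ioo = [], EPS, list(sigma), []
    while True:
        if pending and pending[0][0] <= t:            # store rules (rules 1-3)
            ev = pending.pop(0)
            q2, smc2, marker = update(q, tF, smc, ev)
            if marker == OK:                           # rule 1: move to sigma_ms
                sms.extend(smc2)
                smc, q, tF = EPS, q2, smc2[-1][0]
                ioo.append((ev, "store", None))
            elif marker == BAD:                        # rule 2: suppress
                ioo.append((ev, "store_sup", None))
            else:                                      # rule 3: keep in sigma_mc
                smc = smc2
                ioo.append((ev, "store", None))
        elif sms and sms[0][0] <= t:                   # rule 4: release due event
            ioo.append((None, "release", sms.pop(0)))
        elif t < horizon:                              # rule 5: idle to next date
            nxt = min([horizon] + [e[0] for e in pending[:1] + sms[:1]])
            ioo.append((None, ("idle", nxt - t), None))
            t = nxt
        else:
            break
    return ioo

def pi1(ioo):     # Pi_1: inputs read, i.e. obs(sigma, t)
    return tuple(i for i, _, _ in ioo if i is not None)

def pi3(ioo):     # Pi_3: outputs produced, i.e. E(sigma, t)
    return tuple(o for _, _, o in ioo if o is not None)

def timeop(ioo):  # only idle(d) consumes time
    return sum(op[1] for _, op, _ in ioo if isinstance(op, tuple))

# Constructed input trace (dates, actions).
SIGMA = ((1, "grant"), (2, "request"), (3, "request"), (4, "grant"), (5, "request"))

if __name__ == "__main__":
    trace = enforce(update_cs, L0, SIGMA, 12.0)
    for i, op, o in trace:
        print(f"{i!s:>16} / {op!s:<16} / {o!s}")
    print("output:", pi3(trace), "timeop:", timeop(trace))
```

Under these assumptions the lone (1, grant) and the second (3, request) are suppressed, the pending (2, request) is released at date 4 as soon as the grant arrives, and the grant is pushed to date 10; the (5, request) received in the accepting location is delayed to 10 as well so that the output stays a valid timed word. Π1 of the sequence at date 12 equals the whole input and timeop sums to 12, as Definition 11 requires.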
[Figure 13: Experimental framework. Block diagram: the Main Test Method drives the Trace Generator (inputs: actions, max delays, increment, # of traces), which produces events for the Store module; Store also receives the property, processes the events and returns the execution time of update, from which Main collects the monitoring metrics.]
9. Implementation and evaluation
We implemented the algorithms in Section 8 and developed an experimentation framework called TiPEX (Timed Properties Enforcement during eXecution)^9 in order to:
1. validate through experiments the architecture and feasibility of enforcement monitoring, and
2. measure and analyse the performance of the update function of the StoreProcess.
From [5], we completely re-implemented the synthesis of enforcement monitors. TiPEX now supports all regular properties. The prototype presented in [5] handles only safety and co-safety properties, with independent algorithms and prototype implementations for each class. Now, following the algorithms proposed in this paper, TiPEX supports all regular properties defined by deterministic one-clock timed automata. In [20], we describe the implementation of a simplified version of function update that does not allow suppressing events. We recently implemented another version of function update based on the enforcement mechanisms and algorithms described in Section 8. In this section, we compare the performance of the implementations of these functions. Note, when we consider suppression, when an accepting state is not reachable with the events received so far, we need to perform an additional computationally-expensive analysis (checkReachAcc in Algorithm 1) to decide whether or not the last event should be suppressed.
The rest of this section is organised as follows. Section 9.1 describes our experimental framework. Section 9.2 presents the properties used in the evaluation. Section 9.3 discusses the evaluation results.
9.1. Experimental framework
The experimental framework is depicted in Figure 13. As mentioned in [5], regarding algorithm StoreProcess, the most computationally intensive step is the call to function update. We thus focus on this function in the evaluation.
Module Main uses module Trace Generator that provides a set of input traces to test the module Store. Module Trace Generator takes as input the alphabet of actions, the range of possible delays between actions, the desired number of traces, and the increment in length per trace. For example, if the number of traces is 5 and the increment in length per trace is 100, then 5 traces will be generated, where the first trace is of length 100 and the second trace of length 200 and so on. For each event, Trace Generator picks an action (from the set of possible actions), and a random delay (from the set of possible delays) which is the time elapsed after the previous event or the system initialization for the first event. For this purpose, Trace Generator uses methods from the Python random module.
Module Store takes as input a property and one trace, and returns the total execution time of the update function to process the given input trace. The TA modelling the property is a UPPAAL [21] model written in XML. Module Store uses the pyuppaal library to parse the UPPAAL model (input property), and the UPPAAL DBM library to implement the update function.^10 The sequence of events received by the enforcement monitor is modelled by a second UPPAAL model. Module Main Test Method sends this sequence to module Store (using the property), and keeps track of the result returned by the Store module for each trace.
Experiments were conducted on an Intel Core i5-4210U at 1.70GHz CPU, with 4 GB RAM, and running on Ubuntu 14.04 LTS.

9 Available at http://srinivaspinisetty.github.io/Timed-Enforcement-Tools/.
9.2. Description of the properties
We describe the properties used in our experiments and discuss the results of the performance analysis.
The properties follow different patterns [22], and belong to different classes. They are inspired by the properties introduced in Example 1. They are recognised by one-clock timed automata since this is a limitation of our current implementation (extension to more than one clock is ongoing). We however expect the trends exposed in the following to be similar when the complexity of automata grows, since it induces heavier computation for each call to function update.
• Property ϕs is a safety property expressing that “There should be a delay of at least 5 time units (t.u.) between any two request actions”.
• Property ϕcs is a co-safety property expressing that “A request should be immediately followed by a grant, and there should be a delay of at least 6 t.u. between them”.
• Property ϕre is a regular property, but neither a safety nor a co-safety property, and expresses that “Resource grant and release should alternate. After a grant, a request should occur between 15 to 20 t.u.”.
The automata defining the above properties can be found in [23].
9.3. Performance evaluation of function update
Results of the performance analysis for the properties are reported in Tables 1, 2, and 3. The reported numbers are mean values over 10 runs. Note, 10 runs were sufficient to obtain 95% confidence for all metrics, and the measurement error was less than 1%. The entry |tr| indicates the length of the input trace (i.e., the number of events input to the enforcement monitor). The entry t_update (resp. t_update-sup) indicates the total execution time of the function update without (resp. with) suppression in seconds. The entry mem (resp. mem-sup) indicates the maximum memory used by the Main Test Method when using function update without (resp. with) suppression; both measured in megabytes.

10 The pyuppaal and DBM libraries are provided by Aalborg University and can be downloaded at http://people.cs.aau.dk/˜adavid/python/.
Table 1: Performance analysis of enforcement monitors for ϕs.

|tr|      t_update   t_update-sup   mem    mem-sup
10,000    6.44       6.64           17.8   17.9
20,000    12.73      13.44          19.6   19.6
30,000    19.51      20.16          21.3   21.3
40,000    26.41      26.50          22.6   22.7
50,000    31.88      33.10          24.3   24.3
60,000    38.44      39.84          26.2   26.2
70,000    45.16      45.92          27.7   27.8
80,000    51.21      53.34          29.1   29.1
Strategy for generating traces. To have a meaningful performance assessment of function update, module Trace Generator uses a strategy to ensure that calls to function update yield computations involving σmc. For (the safety) property ϕs, module Trace Generator generates events so that each event of the trace leads to a call to function update to correct the date of the input event. This strategy makes it possible to assess the performance of function update when it is extensively used with buffer σmc empty. For (the co-safety) property ϕcs, module Trace Generator ensures that input sequences can be corrected only on the last event (hence implying that, for a sequence of length n, function update is called n times where the buffer containing σmc is of size i − 1 on the ith call). This strategy makes it possible to assess the performance of function update when σmc is used significantly. For (the regular property) ϕre, module Trace Generator ensures that the property can be corrected every two events, which is the length of the minimal path between accepting locations of the underlying automaton of ϕre. This strategy makes it possible to assess the performance of function update when alternating between finding a correction of the input sequence using buffer σmc and buffering corrected events in buffer σms.
Safety property ϕs (see Table 1). We can observe that t_update and t_update-sup increase linearly with the length of the input trace. Moreover, the time taken per call to update (i.e., t_update/|tr|) does not depend on the length of the trace. This behaviour is as expected for a safety property. Indeed, function update is always called with only one event which is read as input (the internal buffer σmc remains empty). Consequently, the state of the TA is updated after each event, and after receiving a new event, the possible transitions leading to a good state from the current state are explored. For the same input trace, there is no significant variation in the values of t_update and t_update-sup. This behaviour is as expected because for the considered safety property (ϕs) and input traces, after receiving a new event, it is always possible to compute a delay to satisfy the property. Thus, in the function update with suppression, checkReachAcc is never invoked.
Regarding memory usage, we can notice that by increasing the length of the input trace by 10,000, the peak memory usage increases by less than 2 MB. For the same input trace, there is no variation in memory usage (mem and mem-sup are equal).
Regular property ϕre (see Table 2). Recall that the considered input traces are generated in such a way that they can be corrected every two events. Consequently, function update is invoked with either one or two events. For the considered input traces, the time taken per call to function update does not depend on the length of the trace. Moreover, for input traces of same length, the value of t_update (resp. t_update-sup) is higher for ϕre than the value of t_update (resp. t_update-sup) for ϕs. This stems from the fact that, for a safety property, function update is invoked only with one event. Furthermore, for the same input trace, t_update-sup is greater than t_update. This stems from the fact that, for the considered input traces (where it is possible to correct every two events) the function update with suppression invokes function checkReachAcc |tr|/2 times.
Regarding memory usage, by increasing the length of the input trace by 10,000, the peak memory usage increases by less than 2 MB. For input traces of same length, there is no significant variation in the values of mem and mem-sup between ϕre and ϕs.

Table 2: Performance analysis of enforcement monitors for ϕre.

|tr|      t_update   t_update-sup   mem    mem-sup
10,000    10.21      20.33          17.6   17.6
20,000    20.56      39.32          19.0   19.0
30,000    30.95      61.20          20.2   20.2
40,000    42.37      82.23          21.6   21.6
50,000    53.67      101.46         22.8   22.8
60,000    62.06      121.55         24.2   24.2
70,000    81.63      137.49         25.4   25.4
80,000    91.89      167.16         26.8   26.8
Table 3: Performance analysis of enforcement monitors for ϕcs.

|tr|   t_update   t_update-sup   mem    mem-sup
100    2.022      2.256          16.4   16.4
200    8.124      8.547          16.4   16.4
300    18.207     18.868         16.4   16.4

Co-safety property ϕcs (see Table 3). Recall that the considered input traces are generated in such a way that they can be corrected only upon the last event. From the results presented in Table 3, notice that t_update and t_update-sup now grow quadratically. Moreover, the average time per call to function update increases with |tr|. For the considered input traces, this behaviour is as expected for a co-safety property because the length of the internal buffer σmc increases after each event, and thus function update is invoked with a growing sequence.
For the same input trace, t_update-sup is greater than t_update. For example, for input traces of length 100, t_update-sup is around 0.2 seconds greater than t_update. Indeed, for the considered input traces (where it is possible to correct the input sequence only upon the last event) the function update with suppression invokes function checkReachAcc |tr| − 1 times. We can also observe that t_update-sup − t_update increases linearly with |tr|.
Regarding memory usage, since we consider small increments of the input traces, we cannot notice significant variation. For input traces of length 100, the peak memory usage noticed for ϕs is 16.5 MB. Thus we can notice that, for input traces of same length, for ϕre, ϕs, and ϕcs, there is no significant variation in the value of mem.
10. Related work
Several approaches for the runtime verification and enforcement of properties are related to the one proposed in this paper.
10.1. Runtime verification
As a verification/validation technique, runtime enforcement is related to runtime verification. At an abstract level, a runtime verification approach consists of synthesising a verification monitor (cf. [24]), i.e., a decision procedure used at runtime. The monitor observes the system under scrutiny and emits verdicts regarding the satisfaction or violation of the property of interest. See [25, 26, 27, 28] for short tutorials and surveys on runtime verification. Runtime verification principles have been used in many concrete application domains and for various purposes such as the safety checking of cyber-physical systems [29, 30, 31, 32], the security of financial and IT systems [33, 34, 35], and many more.
10.2. Runtime verification of timed properties
We discuss more specifically some approaches for the runtime verification of timed properties for real-time systems. One can also refer to the survey of Goodloe and Pike [36] which presents some approaches to monitoring hard real-time systems and potential application-domains when monitoring safety properties.
Several approaches consider the problem of synthesising automata-based monitors from formulae in temporal logics that handle physical time (as opposed to logical time). Sokolsky et al. [37] introduced an expressive first-order logic tailored for runtime verification. The logic features event attributes (aka parametric events) and dynamic indexing of properties (to handle the dynamic creation of monitors at runtime). Models of the logic also refer to physical time. Bauer et al. [38] synthesised monitors for time-bounded properties expressed in a variant of Timed Linear Temporal Logic tailored for monitoring. Nickovic et al. [17, 18] synthesised timed automata from Metric Temporal Logic (a temporal logic with a dense notion of time). Still for MTL, Thati [39] uses rewriting of formulae for online monitoring. All these approaches are compatible with ours since they are purposed to synthesise decision procedures for logic-based timed specification formalisms. More specifically, the synthesised automata-based monitors can be used as input in our approach as replacements of timed automata.
Basin et al. [40] provided a general comparison of monitoring algorithms for real-time systems. Time models are categorised as i) either point-based or interval-based, and ii) either dense or discrete depending on the underlying ordering of time points (i.e., finitely or infinitely many time points). Basin et al. presented and compared monitoring algorithms for the past-only fragment of propositional metric temporal logic.
Several tools have been proposed for monitoring timed properties. RT-MaC [41] verifies timeliness and reliability correctness properties at runtime. The Analog Monitoring Tool [42] verifies formulae in Signal Temporal Logic over continuous signals. LARVA [43, 44] verifies properties (over Java programs) expressed in several specification formalisms by translating input specifications into the so-called Dynamic Automata with Timers and Events which basically resemble timed automata with stopwatches. Contrary to these approaches, the monitors presented in this paper differ in their objectives and how they are interfaced with the system: the monitors are not intended to modify the internal state of the system but rather to modify a sequence of timed events between two systems.
10.3. Runtime enforcement of untimed properties
Roughly speaking, the research efforts in runtime enforcement aim at defining and implementing enforcement primitives that supplement the monitors used in runtime verification. Most of the work in runtime enforcement was dedicated to untimed properties (see [45] for a short overview). Schneider introduced security automata as the first runtime mechanism for enforcing safety properties [1]. Ligatti et al. [3] later introduced edit-automata as enforcement monitors. Edit-automata can insert a new action by replacing the current input, or suppress it. Similar to edit-automata are generic enforcement monitors [4] which are finite-state machines augmented with a memory and parameterised with enforcement primitives operating on the input and memory. Moreover, some variants of edit-automata differ in how they ensure the transparency constraints (see e.g., [46]). Synthesis techniques of enforcement mechanisms from a property have been proposed only for generic enforcement monitors [4] and restricted forms of edit-automata [3].
Note, several runtime verification tools allow the user to define some treatment of errors through the (manual) definition of some form of enforcement primitives. For instance, JavaMOP and the RV system [47] define the notion of code handler: user-defined code snippets that can be attached to monitor states. LARVA allows the user to specify corrective actions [48] that can be used for undoing the effects of previous actions carried out by the system.
10.4. Runtime enforcement of timed properties
The endeavours on runtime enforcement discussed in the previous subsection consider logical time, as opposed to physical time. Moreover, storing an event is assumed to have no consequence on the execution or on the satisfiability of the property, i.e., the duration during which an event is retained in memory has no influence. In the remainder of this subsection, we discuss the approaches on runtime enforcement that consider physical time.
Basin et al. [49] refined the work of Schneider on security automata to take into account discrete-time constraints by modelling the passing of time as uncontrollable events. Similarly, we consider the elapsing of time as uncontrollable, but we consider dense time. The enforcement mechanisms in [49] differ from ours in several aspects: they consider only truncation automata (and are thus limited to safety properties, not necessarily regular). Moreover, our enforcement mechanisms have additional enforcement primitives: buffering of actions (which basically amounts to letting time elapse) and suppression of actions, which allows longer inputs to be processed by enforcement mechanisms.
In previous work [5, 9], we introduced the problem of runtime enforcement for timed properties. We similarly proposed several notions of enforcement mechanisms: enforcement function, enforcement monitor, and enforcement algorithms. In [5], only safety and co-safety properties are considered and different definitions of mechanisms are proposed for each class. In [9], all regular properties are considered. Given a timed automaton, enforcement functions, monitors and algorithms are synthesised according to one general definition. Also, for the enforcement of co-safety properties, the approach in [5] assumes that time elapses differently for input and output sequences (the sequences are desynchronised). More precisely, the delay of the first event of the output sequence is computed from the moment an enforcement mechanism detects that its input sequence can be corrected (that is, the mechanism has read a sequence that can be delayed into a correct sequence). Compared to [5], the approaches in [9] and this paper are more realistic as they do not suffer from this “shift” problem.
10.5. Monitorability and enforceability
In this paper, we identify some timed properties that are not enforceable by mechanisms that comply with the constraints mentioned in Section 5.2 (see Example 6). Characterising monitorable properties (i.e., properties that can be runtime verified) and enforceable properties are two important endeavours. We briefly discuss some of the main approaches on these topics in the following and discuss in Section 11.2 how we plan to characterise enforceable timed properties in the future.
Monitorable properties. Kim et al. [50] first defined monitorable properties as the co-recursively enumerable safety properties. Pnueli et al. [51] generalised the definition to the properties for which it is always possible to determine a definitive satisfaction or violation at runtime. Bauer et al. [38] showed that safety and co-safety properties are monitorable in the sense of [51]. Later, Falcone et al. [10] showed that obligation properties form a strict subset of the set of monitorable properties in the sense of [51], but that fewer properties should be monitored in practice. Sistla et al. [52] defined necessary and sufficient conditions for the monitorability of hybrid systems, where an Extended Hidden Markov system is monitorable if there exists an arbitrarily-precise monitor stating verdicts on the system outputs. More recently, Rosu [53] defined monitorable properties as safety properties, arguing that these can be specified by general (finite-state machine) monitors.
Enforceable properties. Enforceable properties are the properties for which a sound and transparent enforcement monitor can be synthesised. The set of enforceable properties depends on the primitives conferred to enforcement monitors. Security automata [1] can enforce safety properties. Note that Schneider, Hamlen, and Morrisett [2] showed that security automata can only monitor co-recursively enumerable safety properties because of computational limits exhibited by Viswanathan and Kim [54]. Edit-automata [3] can enforce infinite renewal properties. (The set of infinite renewal properties is a super-set of safety properties and contains some liveness properties.) Generalised enforcement monitors [4] can enforce response properties in the safety-progress classification. In addition to enforcement primitives and computability constraints, enforceability limitations arise when properties are expressed over infinite sequences (see [45, 4] for a comparison of enforceable untimed properties over infinite sequences). However, any property over finite sequences is enforceable with a monitor endowed with the primitives of an edit-automaton (see Section 10.3 and [3]) [10]. More recently, Basin et al. [49] showed that security automata can enforce the safety properties that cannot be violated through a sequence of uncontrollable events.
11. Conclusions
11.1. Summary
This paper presents a general enforcement monitoring framework for systems with timing requirements. We show how to synthesise enforcement mechanisms for any regular timed property (modelled by a timed automaton). The enforcement mechanisms proposed in this paper are more powerful than the ones in our previous research endeavours [5, 9]. In particular, in this paper, we propose enforcement mechanisms that delay the absolute dates of events of the observed input (while being allowed to shorten the delay between some events). Moreover, suppressing events is also introduced. An event is suppressed if it is not possible to satisfy the property by delaying, whatever the future continuations of the input sequence (i.e., the underlying TA can only reach non-accepting states from which no accepting state can be reached). Formalising suppression required us to revisit the formalisation of all enforcement mechanisms. Enforcement mechanisms are described at several levels of abstraction (enforcement function, monitor, and algorithms), thus facilitating the design and implementation of such mechanisms. We propose a prototype implementation and our experiments demonstrate the feasibility of enforcement monitoring for timed properties.
11.2. Future work
Several avenues for future work are opened by this paper.
First, we believe it is important to study and delineate the set of enforceable timed properties. As shown informally by this paper, some timed properties should be characterised as non-enforceable. For this purpose, an enforceability condition should be defined and used to delineate enforceable properties. Such a criterion should also ideally be expressible on timed automata. Note however that, even for non-enforceable properties, enforcement monitors can be built, but may not be able to output some correct input sequences. The output sequences of our enforcement mechanisms are however always either correct or empty.
Specifications are currently modelled with timed automata. One can consider synthesising enforcement mechanisms from more expressive formalisms. For instance, we could consider formalisms such as context-free timed languages (which can be useful for recursive specifications) or introduce data into requirements (which can be useful in some application domains, as shown for safety properties in [8]).
Implementing efficient enforcement monitors is another important aspect and should be done in a particular application domain. We propose TiPEX, a Python implementation of enforcement mechanisms with the objectives of i) making a quick prototype that shows the feasibility of enforcement monitoring in a timed context, and ii) reusing some existing UPPAAL libraries. In the future, we will consider implementing our enforcement monitors in other languages such as C or Java, and we expect even better performance and a more stand-alone implementation.
Acknowledgment
The authors would like to thank the anonymous reviewers for their remarks and suggestions on an early version of this article.
The work reported in this article has been done in the context of the COST Action ARVI IC1402, supported by COST (European Cooperation in Science and Technology).
Bibliography
[1] F. B. Schneider, Enforceable security policies, ACM Trans. Inf. Syst. Secur. 3 (1) (2000) 30–50. doi:10.1145/353323.353382.
[2] K. W. Hamlen, G. Morrisett, F. B. Schneider, Computability classes for enforcement mechanisms, ACM Trans. Program. Lang. Syst. 28 (1) (2006) 175–205. doi:10.1145/1111596.1111601.
[3] J. Ligatti, L. Bauer, D. Walker, Run-time enforcement of nonsafety policies, ACM Trans. Inf. Syst. Secur. 12 (3) (2009) 19:1–19:41. doi:10.1145/1455526.1455532.
[4] Y. Falcone, L. Mounier, J.-C. Fernandez, J.-L. Richier, Runtime enforcement monitors: composition, synthesis, and enforcement abilities, Formal Methods in System Design 38 (3) (2011) 223–262. doi:10.1007/s10703-011-0114-4.
[5] S. Pinisetty, Y. Falcone, T. Jéron, H. Marchand, A. Rollet, O. L. N. Timo, Runtime enforcement of timed properties, in: S. Qadeer, S. Tasiran (Eds.), Proceedings of the Third International Conference on Runtime Verification (RV 2012), Vol. 7687 of Lecture Notes in Computer Science, Springer, 2012, pp. 229–244. doi:10.1007/978-3-642-35632-2_23.
[6] B. Zeng, G. Tan, Ú. Erlingsson, Strato: A retargetable framework for low-level inlined-reference monitors, in: S. T. King (Ed.), Proceedings of the 22nd USENIX Security Symposium, Washington, DC, USA, August 14-16, 2013, USENIX Association, 2013, pp. 369–382.
[7] Ú. Erlingsson, F. B. Schneider, IRM enforcement of Java stack inspection, in: 2000 IEEE Symposium on Security and Privacy, Berkeley, California, USA, May 14-17, 2000, IEEE Computer Society, 2000, pp. 246–255. doi:10.1109/SECPRI.2000.848461.
[8] S. Pinisetty, Y. Falcone, T. Jéron, H. Marchand, Runtime enforcement of parametric timed properties with practical applications, in: J. Lesage, J. Faure, J. E. R. Cury, B. Lennartson (Eds.), 12th International Workshop on Discrete Event Systems, WODES 2014, Cachan, France, May 14-16, 2014, International Federation of Automatic Control, 2014, pp. 420–427. doi:10.3182/20140514-3-FR-4046.00041.
[9] S. Pinisetty, Y. Falcone, T. Jéron, H. Marchand, Runtime enforcement of regular timed properties, in: Y. Cho, S. Y. Shin, S.-W. Kim, C.-C. Hung, J. Hong (Eds.), Proceedings of the ACM Symposium on Applied Computing (SAC-SVT), ACM, 2014, pp. 1279–1286. doi:10.1145/2554850.2554967.
[10] Y. Falcone, J.-C. Fernandez, L. Mounier, What can you verify and enforce at runtime?, STTT 14 (3) (2012) 349–382. doi:10.1007/s10009-011-0196-8.
[11] R. Alur, D. L. Dill, A theory of timed automata, Theoretical Comp. Science 126 (1994) 183–235. doi:10.1016/0304-3975(94)90010-8.
[12] J. Bengtsson, W. Yi, Timed automata: Semantics, algorithms and tools, in: J. Desel, W. Reisig, G. Rozenberg (Eds.), Lectures on Concurrency and Petri Nets, Advances in Petri Nets, Vol. 3098 of Lecture Notes in Computer Science, Springer, 2003, pp. 87–124. doi:10.1007/978-3-540-27755-2_3.
[13] T. A. Henzinger, X. Nicollin, J. Sifakis, S. Yovine, Symbolic model checking for real-time systems, Inf. Comput. 111 (2) (1994) 193–244. doi:10.1006/inco.1994.1045.
[14] G. Behrmann, A. David, K. G. Larsen, A tutorial on UPPAAL, in: M. Bernardo, F. Corradini (Eds.), Formal Methods for the Design of Real-Time Systems, International School on Formal Methods for the Design of Computer, Communication and Software Systems, SFM-RT 2004, Bertinoro, Italy, September 13-18, 2004, Revised Lectures, Vol. 3185 of Lecture Notes in Computer Science, Springer, 2004, pp. 200–236. doi:10.1007/978-3-540-30080-9_7.
[15] R. Alur, L. Fix, T. A. Henzinger, Event-clock automata: A determinizable class of timed automata, Theor. Comput. Sci. 211 (1-2) (1999) 253–273. doi:10.1016/S0304-3975(97)00173-4.
[16] J. Bengtsson, W. Yi, Timed automata: Semantics, algorithms and tools, in: J. Desel, W. Reisig, G. Rozenberg (Eds.), Proceedings of the 4th Advanced Course on Petri Nets - Lecture Notes on Concurrency and Petri Nets, Vol. 3098 of LNCS, Springer, 2003, pp. 87–124. doi:10.1007/978-3-540-27755-2_3.
[17] O. Maler, D. Nickovic, A. Pnueli, From MITL to timed automata, in: E. Asarin, P. Bouyer (Eds.), Proceedings of the 4th International Conference on Formal Modeling and Analysis of Timed Systems (FORMATS 2006), Lecture Notes in Computer Science, Springer-Verlag, 2006, pp. 274–289. doi:10.1007/11867340_20.
[18] D. Nickovic, N. Piterman, From MTL to deterministic timed automata, in: K. Chatterjee, T. A. Henzinger (Eds.), Proceedings of the 8th International Conference on Formal Modelling and Analysis of Timed Systems (FORMATS 2010), Vol. 6246 of Lecture Notes in Computer Science, Springer, 2010, pp. 152–167. doi:10.1007/978-3-642-15297-9_13.
[19] P. Bouyer, T. Brihaye, V. Bruyère, J.-F. Raskin, On the optimal reachability problem of weighted timed automata, Formal Methods in System Design 31 (2) (2007) 135–175. doi:10.1007/s10703-007-0035-4.
[20] S. Pinisetty, Y. Falcone, T. Jéron, H. Marchand, TiPEX: A tool chain for timed property enforcement during execution, in: Bartocci and Majumdar [56], pp. 306–320. doi:10.1007/978-3-319-23820-3_22.
[21] K. Larsen, P. Pettersson, W. Yi, UPPAAL in a nutshell, STTT 1 (1-2) (1997) 134–152. doi:10.1007/s100090050010.
[22] V. Gruhn, R. Laue, Patterns for timed property specifications, Electronic Notes in Theoretical Computer Science 153 (2) (2006) 117–133. doi:10.1016/j.entcs.2005.10.035.
[23] S. Pinisetty, Y. Falcone, T. Jéron, H. Marchand, A. Rollet, O. Nguena-Timo, Runtime enforcement of timed properties revisited, Formal Methods in System Design 45 (3) (2014) 381–422. doi:10.1007/s10703-014-0215-y.
[24] K. Havelund, G. Rosu, Synthesizing monitors for safety properties, in: J. Katoen, P. Stevens (Eds.), Tools and Algorithms for the Construction and Analysis of Systems, 8th International Conference, TACAS 2002, Held as Part of the Joint European Conference on Theory and Practice of Software, ETAPS 2002, Grenoble, France, April 8-12, 2002, Proceedings, Vol. 2280 of Lecture Notes in Computer Science, Springer, 2002, pp. 342–356. doi:10.1007/3-540-46002-0_24.
[25] K. Havelund, A. Goldberg, Verify your runs, in: B. Meyer, J. Woodcock (Eds.), Verified Software: Theories, Tools, Experiments, First IFIP TC 2/WG 2.3 Conference, VSTTE 2005, Zurich, Switzerland, October 10-13, 2005, Revised Selected Papers and Discussions, Vol. 4171 of Lecture Notes in Computer Science, Springer, 2005, pp. 374–383. doi:10.1007/978-3-540-69149-5_40.
[26] M. Leucker, C. Schallhart, A brief account of runtime verification, J. Log. Algebr. Program. 78 (5) (2009) 293–303. doi:10.1016/j.jlap.2008.08.004.
[27] O. Sokolsky, K. Havelund, I. Lee, Introduction to the special section on runtime verification, STTT 14 (3) (2012) 243–247. doi:10.1007/s10009-011-0218-6.
[28] Y. Falcone, K. Havelund, G. Reger, A tutorial on runtime verification, in: M. Broy, D. Peled, G. Kalus (Eds.), Engineering Dependable Software Systems, Vol. 34 of NATO Science for Peace and Security Series, D: Information and Communication Security, IOS Press, 2013, pp. 141–175. doi:10.3233/978-1-61499-207-3-141.
[29] D. Seto, B. Krogh, L. Sha, A. Chutinan, The simplex architecture for safe online control system upgrades, in: Proceedings of the 1998 American Control Conference, Vol. 6, 1998, pp. 3504–3508. doi:10.1109/ACC.1998.703255.
[30] S. Bak, K. Manamcheri, S. Mitra, M. Caccamo, Sandboxing controllers for cyber-physical systems, in: 2011 IEEE/ACM International Conference on Cyber-Physical Systems, ICCPS 2011, Chicago, Illinois, USA, 12-14 April, 2011, IEEE Computer Society, 2011, pp. 3–12. doi:10.1109/ICCPS.2011.25.
[31] S. Bak, F. A. T. Abad, Z. Huang, M. Caccamo, Using run-time checking to provide safety and progress for distributed cyber-physical systems, in: 2013 IEEE 19th International Conference on Embedded and Real-Time Computing Systems and Applications, RTCSA 2013, Taipei, Taiwan, August 19-21, 2013, IEEE, 2013, pp. 287–296. doi:10.1109/RTCSA.2013.6732229.
[32] S. Mitsch, A. Platzer, ModelPlex: Verified runtime validation of verified cyber-physical system models, in: Bonakdarpour and Smolka [55], pp. 199–214. doi:10.1007/978-3-319-11164-3_17.
[33] C. Colombo, G. J. Pace, Fast-forward runtime monitoring - an industrial case study, in: S. Qadeer, S. Tasiran (Eds.), Runtime Verification, Third International Conference, RV 2012, Istanbul, Turkey, September 25-28, 2012, Revised Selected Papers, Vol. 7687 of Lecture Notes in Computer Science, Springer, 2012, pp. 214–228. doi:10.1007/978-3-642-35632-2_22.
[34] D. A. Basin, G. Caronni, S. Ereth, M. Harvan, F. Klaedtke, H. Mantel, Scalable offline monitoring, in: Bonakdarpour and Smolka [55], pp. 31–47. doi:10.1007/978-3-319-11164-3_4.
[35] A. Kassem, Y. Falcone, P. Lafourcade, Monitoring electronic exams, in: Bartocci and Majumdar [56], pp. 118–135. doi:10.1007/978-3-319-23820-3_8.
[36] A. Goodloe, L. Pike, Monitoring distributed real-time systems: A survey and future directions, Tech. Rep. NASA/CR-2010-216724, NASA Langley Research Center, available at http://ntrs.nasa.gov (July 2010).
[37] O. Sokolsky, U. Sammapun, I. Lee, J. Kim, Run-time checking of dynamic properties, Electr. Notes Theor. Comput. Sci. 144 (4) (2006) 91–108. doi:10.1016/j.entcs.2006.02.006.
[38] A. Bauer, M. Leucker, C. Schallhart, Runtime verification for LTL and TLTL, ACM Trans. Softw. Eng. Methodol. 20 (4) (2011) 14:1–14:64. doi:10.1145/2000799.2000800.
[39] P. Thati, G. Rosu, Monitoring algorithms for metric temporal logic specifications, Electronic Notes in Theoretical Computer Science 113 (2005) 145–162. doi:10.1016/j.entcs.2004.01.029.
[40] D. A. Basin, F. Klaedtke, E. Zalinescu, Algorithms for monitoring real-time properties, in: Khurshid and Sen [57], pp. 260–275. doi:10.1007/978-3-642-29860-8_20.
[41] U. Sammapun, I. Lee, O. Sokolsky, RT-MaC: Runtime monitoring and checking of quantitative and probabilistic properties, 2013 IEEE 19th International Conference on Embedded and Real-Time Computing Systems and Applications 0 (2005) 147–153. doi:10.1109/RTCSA.2005.84.
[42] D. Nickovic, O. Maler, AMT: a property-based monitoring tool for analog systems, in: J.-F. Raskin, P. S. Thiagarajan (Eds.), Proceedings of the 5th International Conference on Formal Modeling and Analysis of Timed Systems (FORMATS 2007), Vol. 4763 of Lecture Notes in Computer Science, Springer-Verlag, 2007, pp. 304–319. doi:10.1007/978-3-540-73368-3_12.
[43] C. Colombo, G. J. Pace, G. Schneider, Dynamic event-based runtime monitoring of real-time and contextual properties, in: D. D. Cofer, A. Fantechi (Eds.), Formal Methods for Industrial Critical Systems, 13th International Workshop, FMICS 2008, L'Aquila, Italy, September 15-16, 2008, Revised Selected Papers, Vol. 5596 of Lecture Notes in Computer Science, Springer, 2008, pp. 135–149. doi:10.1007/978-3-642-03240-0_13.
[44] C. Colombo, G. J. Pace, G. Schneider, LARVA — safer monitoring of real-time Java programs (tool paper), in: D. V. Hung, P. Krishnan (Eds.), Proceedings of the 7th IEEE International Conference on Software Engineering and Formal Methods (SEFM 2009), IEEE Computer Society, 2009, pp. 33–37. doi:10.1109/SEFM.2009.13.
[45] Y. Falcone, You should better enforce than verify, in: H. Barringer, Y. Falcone, B. Finkbeiner, K. Havelund, I. Lee, G. J. Pace, G. Rosu, O. Sokolsky, N. Tillmann (Eds.), Proceedings of the First International Conference on Runtime Verification (RV 2010), Vol. 6418 of Lecture Notes in Computer Science, Springer, 2010, pp. 89–105. doi:10.1007/978-3-642-16612-9_9.
[46] N. Bielova, F. Massacci, Do you really mean what you actually enforced? - edit automata revisited, Int. J. Inf. Sec. 10 (4) (2011) 239–254. doi:10.1007/s10207-011-0137-2.
[47] P. O. Meredith, G. Rosu, Runtime verification with the RV system, in: H. Barringer, Y. Falcone, B. Finkbeiner, K. Havelund, I. Lee, G. J. Pace, G. Rosu, O. Sokolsky, N. Tillmann (Eds.), Runtime Verification - First International Conference, RV 2010, St. Julians, Malta, November 1-4, 2010. Proceedings, Vol. 6418 of Lecture Notes in Computer Science, Springer, 2010, pp. 136–152. doi:10.1007/978-3-642-16612-9_12.
[48] C. Colombo, G. J. Pace, P. Abela, Safer asynchronous runtime monitoring using compensations, Formal Methods in System Design 41 (3) (2012) 269–294. doi:10.1007/s10703-012-0142-8.
[49] D. A. Basin, V. Jugé, F. Klaedtke, E. Zalinescu, Enforceable security policies revisited, ACM Trans. Inf. Syst. Secur. 16 (1) (2013) 3. doi:10.1145/2487222.2487225.
[50] M. Kim, S. Kannan, I. Lee, O. Sokolsky, M. Viswanathan, Computational analysis of run-time monitoring - fundamentals of Java-MaC, Electr. Notes Theor. Comput. Sci. 70 (4) (2002) 80–94. doi:10.1016/S1571-0661(04)80578-4.
[51] A. Pnueli, A. Zaks, PSL model checking and run-time verification via testers, in: J. Misra, T. Nipkow, E. Sekerinski (Eds.), FM 2006: Formal Methods, 14th International Symposium on Formal Methods, Hamilton, Canada, August 21-27, 2006, Proceedings, Vol. 4085 of Lecture Notes in Computer Science, Springer, 2006, pp. 573–586. doi:10.1007/11813040_38.
[52] A. P. Sistla, M. Zefran, Y. Feng, Runtime monitoring of stochastic cyber-physical systems with hybrid state, in: Khurshid and Sen [57], pp. 276–293. doi:10.1007/978-3-642-29860-8_21.
[53] G. Rosu, On safety properties and their monitoring, Sci. Ann. Comp. Sci. 22 (2) (2012) 327–365.
[54] M. Viswanathan, M. Kim, Foundations for the run-time monitoring of reactive systems - Fundamentals of the MaC language, in: Z. Liu, K. Araki (Eds.), Proceedings of the First International Colloquium on Theoretical Aspects of Computing (ICTAC 2004), Vol. 3407 of Lecture Notes in Computer Science, Springer, 2004, pp. 543–556. doi:10.1007/978-3-540-31862-0_38.
[55] B. Bonakdarpour, S. A. Smolka (Eds.), Runtime Verification - 5th International Conference, RV 2014, Toronto, ON, Canada, September 22-25, 2014. Proceedings, Vol. 8734 of Lecture Notes in Computer Science, Springer, 2014. doi:10.1007/978-3-319-11164-3.
[56] E. Bartocci, R. Majumdar (Eds.), Runtime Verification - 6th International Conference, RV 2015, Vienna, Austria, September 22-25, 2015. Proceedings, Vol. 9333 of Lecture Notes in Computer Science, Springer, 2015. doi:10.1007/978-3-319-23820-3.
[57] S. Khurshid, K. Sen (Eds.), Runtime Verification - Second International Conference, RV 2011, San Francisco, CA, USA, September 27-30, 2011, Revised Selected Papers, Vol. 7186 of Lecture Notes in Computer Science, Springer, 2012. doi:10.1007/978-3-642-29860-8.
Appendix A. Proofs
Recall that $E_\varphi : \mathrm{tw}(\Sigma) \to \mathrm{tw}(\Sigma)$ is defined as:
\[
E_\varphi(\sigma) = \Pi_1\big(\mathrm{store}_\varphi(\sigma)\big),
\]
where $\mathrm{store}_\varphi : \mathrm{tw}(\Sigma) \to \mathrm{tw}(\Sigma) \times \mathrm{tw}(\Sigma)$ is defined as
\[
\begin{aligned}
\mathrm{store}_\varphi(\epsilon) &= (\epsilon, \epsilon) \\
\mathrm{store}_\varphi(\sigma \cdot (t, a)) &=
\begin{cases}
\big(\sigma_s \cdot \min_{\mathrm{lex},\mathrm{end}} \kappa_\varphi(\sigma_s, \sigma'_c),\ \epsilon\big) & \text{if } \kappa_\varphi(\sigma_s, \sigma'_c) \neq \emptyset, \\
(\sigma_s, \sigma_c) & \text{if } \kappa_{\mathrm{pref}(\varphi)}(\sigma_s, \sigma'_c) = \emptyset, \\
(\sigma_s, \sigma'_c) & \text{otherwise,}
\end{cases}
\end{aligned}
\]
with $\sigma \in \mathrm{tw}(\Sigma)$, $t \in \mathbb{R}_{\ge 0}$, $a \in \Sigma$, $(\sigma_s, \sigma_c) = \mathrm{store}_\varphi(\sigma)$, and $\sigma'_c = \sigma_c \cdot (t, a)$, where:
\[
\kappa_\varphi(\sigma_s, \sigma'_c) \overset{\mathrm{def}}{=} \mathrm{CanD}(\sigma'_c) \cap \sigma_s^{-1} \cdot \varphi,
\]
as defined in Section 6.2, with:
\[
\mathrm{CanD}(\sigma) = \{ w \in \mathrm{tw}(\Sigma) \mid w \preceq_d \sigma \wedge \mathrm{start}(w) \ge \mathrm{end}(\sigma) \},
\]
as defined in Section 6.1.
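The enforcement function $E_\varphi$ and $\mathrm{store}_\varphi$ recalled above, run event by event on one concrete property, as an added example in Python (not code from the paper or from TiPEX): the alphabet {r, g}, the property $\varphi$, the constant D and the greedy computation of $\kappa_\varphi$ (valid only because the assumed guards are lower bounds on time) are assumptions of this example, not part of the paper.

```python
"""Added example (not code from the paper or from TiPEX): the enforcement
function E_phi(sigma) = Pi_1(store_phi(sigma)) recalled above, executed
step by step on one concrete property.

Assumed property phi over Sigma = {r, g} (hypothetical, chosen here):
requests r and grants g alternate, starting with r, every g occurs at least
D time units after its r, and a word is accepted only when no request is
pending. Because every guard is a lower bound on time, the earliest feasible
schedule of the buffer is the min_{lex,end} element of kappa_phi, so kappa
is computed greedily rather than by searching all delayings.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

D = 1.0                      # minimal r -> g separation (assumed)
Event = Tuple[float, str]    # (date, action) of a timed word

# Deterministic TA for phi: q0 = no pending request (accepting), q1 = pending
# request (non-accepting); any other move goes to a sink from which no
# accepting state is reachable.
ACCEPTING = {"q0"}

def ta_step(state, last_r, date, action):
    """Fire one transition; state None is the sink (action or guard refused)."""
    if state == "q0" and action == "r":
        return "q1", date                            # clock reset on r
    if state == "q1" and action == "g" and date >= last_r + D:
        return "q0", last_r
    return None, last_r

def accepts(word: List[Event]) -> bool:
    """Membership test: word |= phi."""
    state, last_r = "q0", 0.0
    for date, action in word:
        state, last_r = ta_step(state, last_r, date, action)
        if state is None:
            return False
    return state in ACCEPTING

def earliest_date(state, last_r, action, not_before) -> Optional[float]:
    """Earliest date >= not_before enabling `action` from `state`, or None
    when no delaying enables it (an untimed impossibility)."""
    if state == "q0" and action == "r":
        return not_before
    if state == "q1" and action == "g":
        return max(not_before, last_r + D)
    return None

@dataclass
class StoreState:
    """(sigma_s, sigma_c) = store_phi(sigma), plus the TA state after sigma_s."""
    sigma_s: List[Event] = field(default_factory=list)   # released output
    sigma_c: List[Event] = field(default_factory=list)   # buffered events
    state: str = "q0"
    last_r: float = 0.0

def kappa(cfg: StoreState, buffered: List[Event], t: float):
    """Greedy min_{lex,end} delaying w of `buffered` with start(w) >= t.
    Returns (w, TA state after sigma_s.w, last_r); None if kappa_pref(phi) = {}."""
    state, last_r, w, not_before = cfg.state, cfg.last_r, [], t
    for _, action in buffered:
        date = earliest_date(state, last_r, action, not_before)
        if date is None:
            return None
        w.append((date, action))
        state, last_r = ta_step(state, last_r, date, action)
        not_before = date                            # keep dates non-decreasing
    return w, state, last_r

def store_step(cfg: StoreState, event: Event) -> Tuple[StoreState, str]:
    """store_phi(sigma . (t, a)) computed from store_phi(sigma) = cfg."""
    t, action = event
    buffered = cfg.sigma_c + [(t, action)]           # sigma'_c = sigma_c . (t, a)
    result = kappa(cfg, buffered, t)
    if result is None:                               # kappa_pref(phi) = {}: suppress (t, a)
        return cfg, "suppressed"
    w, state, last_r = result
    if state in ACCEPTING:                           # kappa_phi != {}: release sigma_s . w
        return StoreState(cfg.sigma_s + w, [], state, last_r), "released"
    return StoreState(cfg.sigma_s, buffered, cfg.state, cfg.last_r), "buffered"

def enforce(sigma: List[Event]) -> Tuple[List[Event], List[str]]:
    """E_phi(sigma) together with the decision taken on each input event."""
    cfg, decisions = StoreState(), []
    for event in sigma:
        cfg, decision = store_step(cfg, event)
        decisions.append(decision)
    return cfg.sigma_s, decisions

# Constructed input: g at 0.5 comes too early after r at 0, g at 2 has no
# pending request, and the second r/g pair is again too close.
SIGMA: List[Event] = [(0.0, "r"), (0.5, "g"), (2.0, "g"), (3.0, "r"), (3.5, "g")]

if __name__ == "__main__":
    output, decisions = enforce(SIGMA)
    print(output)      # [(0.5, 'r'), (1.5, 'g'), (3.5, 'r'), (4.5, 'g')]
    print(decisions)   # ['buffered', 'released', 'suppressed', 'buffered', 'released']
```

Because $\mathrm{CanD}$ requires $\mathrm{start}(w) \ge \mathrm{end}(\sigma'_c)$, a buffered r is itself delayed to the date at which its g arrives, which is why the first r above is output at 0.5 rather than at 0.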
Appendix A.1. Proof of Proposition 1 (p. 18)
We shall prove that, given a property $\varphi \subseteq \mathrm{tw}(\Sigma)$, the associated enforcement function $E_\varphi : \mathrm{tw}(\Sigma) \to \mathrm{tw}(\Sigma)$, defined as per Definition 8 (p. 16), satisfies the physical constraint, is sound and transparent. These constraints are recalled below:
• Physical constraint: $\forall \sigma, \sigma' \in \mathrm{tw}(\Sigma) : \sigma \preccurlyeq \sigma' \implies E_\varphi(\sigma) \preccurlyeq E_\varphi(\sigma')$ (Phy).
• Soundness: $\forall \sigma \in \mathrm{tw}(\Sigma) : E_\varphi(\sigma) \models \varphi \vee E_\varphi(\sigma) = \epsilon$ (Snd).
• Transparency: $\forall \sigma \in \mathrm{tw}(\Sigma) : E_\varphi(\sigma) \triangleleft_d \sigma$ (Tr).
The proof of (Phy) is straightforward by noticing that function $\mathrm{store}_\varphi$ is monotonic on its first output ($\forall \sigma, \sigma' \in \mathrm{tw}(\Sigma) : \sigma \preccurlyeq \sigma' \implies \Pi_1(\mathrm{store}_\varphi(\sigma)) \preccurlyeq \Pi_1(\mathrm{store}_\varphi(\sigma'))$).
We now prove both (Snd) and (Tr) by an induction on the length of the input timed word $\sigma$. For this purpose, we actually prove a slightly stronger property of $E_\varphi$: for any $\sigma \in \mathrm{tw}(\Sigma)$, (i) $E_\varphi$ satisfies $(\mathrm{Snd})_\sigma \overset{\mathrm{def}}{=} E_\varphi(\sigma) \models \varphi \vee E_\varphi(\sigma) = \epsilon$ and $(\mathrm{Tr})_\sigma \overset{\mathrm{def}}{=} E_\varphi(\sigma) \triangleleft_d \sigma$, and (ii) $\Pi_\Sigma(\sigma_s) \cdot \Pi_\Sigma(\sigma_c) \triangleleft \Pi_\Sigma(\sigma)$, where $\sigma_s$ and $\sigma_c$ are as in the definition of $\mathrm{store}_\varphi()$, recalled above.
Induction basis ($\sigma = \epsilon$). The proof of the induction basis is immediate from the definitions of $E_\varphi$, $\mathrm{store}_\varphi()$, $\triangleleft$, and $\triangleleft_d$.
Induction step. Let us suppose that for some $\sigma \in \mathrm{tw}(\Sigma)$, $E_\varphi(\sigma) \models \varphi \vee E_\varphi(\sigma) = \epsilon$ $(\mathrm{Snd})_\sigma$, and $E_\varphi(\sigma) \triangleleft_d \sigma$ $(\mathrm{Tr})_\sigma$ (induction hypothesis). Let us consider $\sigma' = \sigma \cdot (t, a)$, with $t \in \mathbb{R}_{\ge 0}$, $t \ge \mathrm{end}(\sigma)$, and $a \in \Sigma$. Suppose that $\mathrm{store}_\varphi(\sigma) = (\sigma_s, \sigma_c)$ and $\sigma'_c = \sigma_c \cdot (t, a)$, where $\mathrm{end}(\sigma_c) \le t$. We distinguish two cases:
• Case $\kappa_\varphi(\sigma_s, \sigma'_c) \neq \emptyset$. In this case, we have $E_\varphi(\sigma \cdot (t, a)) = \Pi_1(\mathrm{store}_\varphi(\sigma \cdot (t, a))) = \sigma_s \cdot \min_{\mathrm{lex},\mathrm{end}} \kappa_\varphi(\sigma_s, \sigma'_c)$. From the definition of function $\kappa_\varphi$, we have $\kappa_\varphi(\sigma_s, \sigma'_c) \subseteq \sigma_s^{-1} \cdot \varphi$, and thus $E_\varphi(\sigma \cdot (t, a)) \in \varphi$. Thus $E_\varphi$ satisfies $(\mathrm{Snd})_{\sigma'}$.
From the induction hypothesis, we know that $\Pi_\Sigma(\sigma_s) \cdot \Pi_\Sigma(\sigma_c) \triangleleft \Pi_\Sigma(\sigma)$. We deduce $\Pi_\Sigma(\sigma_s) \cdot \Pi_\Sigma(\sigma_c \cdot (t, a)) \triangleleft \Pi_\Sigma(\sigma \cdot (t, a))$, which shows that (ii) holds again for $\sigma'$.
Let $w \in \kappa_\varphi(\sigma_s, \sigma'_c)$. From the definition of $\kapp_\varphi()$, since $w \in \sigma_s^{-1} \cdot \varphi$, we have $\mathrm{start}(w) \ge \mathrm{end}(\sigma_s)$, which implies that $\sigma_s \cdot w \in \mathrm{tw}(\Sigma)$. Since $w \in \mathrm{CanD}(\sigma'_c)$, we have $\mathrm{start}(w) \ge t$ and $w \preceq_d \sigma'_c$, which entails that $\Pi_\Sigma(w) = \Pi_\Sigma(\sigma'_c)$. Moreover, from $\mathrm{start}(w) \ge t$, we know that all dates of the events in $w$ are greater than or equal to those of the events in $\sigma \cdot (t, a)$. Since i) $\sigma_c \cdot (t, a) = \sigma'_c$, ii) $w$ and $\sigma'_c$ have the same untimed projection (i.e., $\Pi_\Sigma(w) = \Pi_\Sigma(\sigma'_c)$), and iii) the concatenated untimed projections of $\sigma_s$ and $\sigma'_c$ form a subword of the untimed projection of $\sigma \cdot (t, a)$ (i.e., $\Pi_\Sigma(\sigma_s) \cdot \Pi_\Sigma(\sigma'_c) \triangleleft \Pi_\Sigma(\sigma \cdot (t, a))$), we deduce $\Pi_\Sigma(\sigma_s) \cdot \Pi_\Sigma(w) \triangleleft \Pi_\Sigma(\sigma \cdot (t, a))$. Thus, using $\sigma_s \triangleleft_d \sigma$ (from the induction hypothesis), we obtain $\sigma_s \cdot w \triangleleft_d \sigma \cdot (t, a)$, that is, $E_\varphi(\sigma') \triangleleft_d \sigma'$, i.e., $E_\varphi$ satisfies $(\mathrm{Tr})_{\sigma'}$.
• Case $\kappa_\varphi(\sigma_s, \sigma'_c) = \emptyset$. Note that this case encompasses the two last cases in function $\mathrm{store}_\varphi$. From the definition of $E_\varphi$, in both cases we have $E_\varphi(\sigma \cdot (t, a)) = \Pi_1(\mathrm{store}_\varphi(\sigma \cdot (t, a))) = \sigma_s$. Since $E_\varphi(\sigma) = \Pi_1(\mathrm{store}_\varphi(\sigma)) = \sigma_s$, and using the induction hypothesis $E_\varphi(\sigma) \models \varphi$, we deduce that $E_\varphi(\sigma') \models \varphi$ $(\mathrm{Snd})_{\sigma'}$.
Moreover, $E_\varphi(\sigma \cdot (t, a)) \triangleleft_d \sigma$ and thus $E_\varphi(\sigma \cdot (t, a)) \triangleleft_d \sigma \cdot (t, a)$. We deduce $(\mathrm{Tr})_{\sigma'}$.
Finally, from the induction hypothesis $\Pi_\Sigma(\sigma_s) \cdot \Pi_\Sigma(\sigma_c) \triangleleft \Pi_\Sigma(\sigma)$, we can conclude that $\Pi_\Sigma(\sigma_s) \cdot \Pi_\Sigma(\sigma_c \cdot (t, a)) \triangleleft \Pi_\Sigma(\sigma \cdot (t, a))$, proving (ii) for $\sigma'$.
□
Appendix A.2. Proof of Proposition 2 (p. 18)
The proof of Proposition 2 requires the following lemma related to $\mathrm{store}_\varphi$, which says that, when $\mathrm{store}_\varphi(\sigma) = (\sigma_s, \sigma_c)$ and $\sigma_c$ is not the empty timed word, there is no sequence delaying a prefix of $\sigma_c$, starting after the ending date of $\sigma$, and allowing to correct $\sigma$.
Lemma 1. Let us consider $\sigma \in \mathrm{tw}(\Sigma)$; if $\mathrm{store}_\varphi(\sigma) = (\sigma_s, \sigma_c)$ and $\sigma_c \neq \epsilon$, then
\[
\forall w \in \mathrm{tw}(\Sigma) : \big(\mathrm{start}(w) \ge \mathrm{end}(\sigma) \wedge \exists v \in \mathrm{pref}(\sigma_c) : w \preceq_d v\big) \implies \sigma_s \cdot w \notin \varphi.
\]
PROOF. The proof is done by induction on $\sigma \in \mathrm{tw}(\Sigma)$.
Induction basis. For $\sigma = \epsilon$, we have $\sigma_c = \epsilon$ by definition of $\mathrm{store}_\varphi$, and the induction basis holds.
Induction step. Let us suppose that for some $\sigma \in \mathrm{tw}(\Sigma)$, if $\mathrm{store}_\varphi(\sigma) = (\sigma_s, \sigma_c)$ and $\sigma_c \neq \epsilon$, then $\forall w \in \mathrm{tw}(\Sigma) : (\mathrm{start}(w) \ge \mathrm{end}(\sigma) \wedge \exists v \in \mathrm{pref}(\sigma_c) : w \preceq_d v) \implies \sigma_s \cdot w \notin \varphi$ (induction hypothesis). Let us consider $\sigma \cdot (t, a) \in \mathrm{tw}(\Sigma)$, and let $(\sigma'_s, \sigma'_c) = \mathrm{store}_\varphi(\sigma \cdot (t, a))$. Following the definition of function $\mathrm{store}_\varphi$, we distinguish three cases:
• If $\kappa_\varphi(\sigma_s, \sigma_c \cdot (t, a)) \neq \emptyset$, then $\sigma'_c = \epsilon$, and the result holds.
• If $\kappa_{\mathrm{pref}(\varphi)}(\sigma_s, \sigma_c \cdot (t, a)) = \emptyset$, we have $\sigma'_c = \sigma_c \neq \epsilon$. Using the induction hypothesis, if $\sigma'_c = \sigma_c \neq \epsilon$, we have: $\forall w \in \mathrm{tw}(\Sigma) : (\mathrm{start}(w) \ge \mathrm{end}(\sigma) \wedge \exists v \in \mathrm{pref}(\sigma_c) : w \preceq_d v) \implies \sigma_s \cdot w \notin \varphi$, which implies $\forall w \in \mathrm{tw}(\Sigma) : (\mathrm{start}(w) \ge \mathrm{end}(\sigma \cdot (t, a)) \wedge \exists v \in \mathrm{pref}(\sigma_c) : w \preceq_d v) \implies \sigma_s \cdot w \notin \varphi$, which shows that the property holds again for $\sigma \cdot (t, a)$ since $\sigma'_c = \sigma_c$.
• Otherwise ($\kappa_\varphi(\sigma_s, \sigma_c \cdot (t, a)) = \emptyset$ and $\kappa_{\mathrm{pref}(\varphi)}(\sigma_s, \sigma_c \cdot (t, a)) \neq \emptyset$), we have $\sigma'_c = \sigma_c \cdot (t, a)$. Using the induction hypothesis, we have: $\forall w \in \mathrm{tw}(\Sigma) : (\mathrm{start}(w) \ge \mathrm{end}(\sigma) \wedge \exists v \in \mathrm{pref}(\sigma_c) : w \preceq_d v) \implies \sigma_s \cdot w \notin \varphi$, which implies $\forall w \in \mathrm{tw}(\Sigma) : (\mathrm{start}(w) \ge \mathrm{end}(\sigma \cdot (t, a)) \wedge \exists v \in \mathrm{pref}(\sigma_c) : w \preceq_d v) \implies \sigma_s \cdot w \notin \varphi$. Since $\kappa_\varphi(\sigma_s, \sigma'_c) = \emptyset$, by definition we have $\forall w \in \mathrm{tw}(\Sigma) : (\mathrm{start}(w) \ge \mathrm{end}(\sigma \cdot (t, a)) \wedge w \preceq_d \sigma_c \cdot (t, a)) \implies \sigma_s \cdot w \notin \varphi$. Combining both predicates, we obtain $\forall w \in \mathrm{tw}(\Sigma) : (\mathrm{start}(w) \ge \mathrm{end}(\sigma \cdot (t, a)) \wedge \exists v \in \mathrm{pref}(\sigma_c \cdot (t, a)) : w \preceq_d v) \implies \sigma_s \cdot w \notin \varphi$.
□
Let us now return to the proof of Proposition 2. We shall prove that, given a property $\varphi$, the associated enforcement function $E_\varphi : \mathrm{tw}(\Sigma) \to \mathrm{tw}(\Sigma)$ as per Definition 8 (p. 16) satisfies the optimality constraint (Op) (from Proposition 2, p. 18). That is, we shall prove that $\forall \sigma \in \mathrm{tw}(\Sigma) : (\mathrm{Op})_\sigma$, where:
\[
(\mathrm{Op})_\sigma \overset{\mathrm{def}}{=} E_\varphi(\sigma) = \epsilon \vee \exists m, w \in \mathrm{tw}(\Sigma) : E_\varphi(\sigma) = m \cdot w\ (\models \varphi),
\]
with $m = m_\sigma = \max^{\varphi}_{\prec}(E_\varphi(\sigma))$, and
\[
w = w_\sigma = \min_{\mathrm{lex},\mathrm{end}} \{ w' \in m_\sigma^{-1} \cdot \varphi \mid \Pi_\Sigma(w') = \Pi_\Sigma(m_\sigma^{-1} \cdot E_\varphi(\sigma)) \wedge m_\sigma \cdot w' \triangleleft_d \sigma \wedge \mathrm{start}(w') \ge \mathrm{end}(\sigma) \}.
\]
The proof is done by induction on $\sigma \in \mathrm{tw}(\Sigma)$.
Induction basis. Since $\mathrm{store}_\varphi(\epsilon) = (\epsilon, \epsilon)$ we get $E_\varphi(\epsilon) = \epsilon$.
Induction step. Let us suppose that $(\mathrm{Op})_\sigma$ holds for some $\sigma \in \mathrm{tw}(\Sigma)$ (induction hypothesis). Let us consider $\sigma' = \sigma \cdot (t, a)$ with $t \in \mathbb{R}_{\ge 0}$, $t \ge \mathrm{end}(\sigma)$, and $a \in \Sigma$. Let us prove that $(\mathrm{Op})_{\sigma'}$ holds. Suppose $\mathrm{store}_\varphi(\sigma) = (\sigma_s, \sigma_c)$ and $\sigma'_c = \sigma_c \cdot (t, a)$. We distinguish two cases depending on whether $\kappa_\varphi(\sigma_s, \sigma'_c) \neq \emptyset$ or not:
• Case $\kappa_\varphi(\sigma_s, \sigma'_c) \neq \emptyset$. We have $E_\varphi(\sigma \cdot (t, a)) = \Pi_1(\mathrm{store}_\varphi(\sigma \cdot (t, a))) = \sigma_s \cdot \min_{\mathrm{lex},\mathrm{end}} \kappa_\varphi(\sigma_s, \sigma'_c)$. By definition of $\kappa_\varphi(\sigma_s, \sigma'_c)$ we know that $\sigma_s \cdot \min_{\mathrm{lex},\mathrm{end}} \kappa_\varphi(\sigma_s, \sigma'_c) \in \varphi$. From the definition of function $\mathrm{store}_\varphi$ and the induction hypothesis, we know that $\sigma_s$ corresponds to $m_{\sigma'}$ in the definition of $(\mathrm{Op})_{\sigma'}$: it is the maximal strict prefix of $E_\varphi(\sigma') = \sigma_s \cdot \min_{\mathrm{lex},\mathrm{end}} \kappa_\varphi(\sigma_s, \sigma'_c)$ that satisfies $\varphi$. Indeed, $\mathrm{store}_\varphi(\sigma) = (\sigma_s, \sigma_c)$ and either $\sigma_c = \epsilon$, in which case $E_\varphi(\sigma') = \sigma_s \cdot (t', a)$ for some $t'$ and $\sigma_s$ is the maximal strict prefix of $E_\varphi(\sigma')$ satisfying $\varphi$; or $\sigma_c \neq \epsilon$ and, using Lemma 1, we know that none of the prefixes of $\sigma_c$ can be delayed in such a way that, when appended to $\sigma_s$, the concatenation forms a correct sequence.
It follows that $E_\varphi(\sigma \cdot (t, a)) = m_{\sigma'} \cdot w_{\sigma'}$ with $m_{\sigma'} = \sigma_s$ and
\[
\begin{aligned}
w_{\sigma'} &= \sigma_s^{-1} \cdot E_\varphi(\sigma \cdot (t, a)) \\
&= \min_{\mathrm{lex},\mathrm{end}} \kappa_\varphi(\sigma_s, \sigma'_c) \\
&= \min_{\mathrm{lex},\mathrm{end}} \big\{ w' \in m_{\sigma'}^{-1} \cdot \varphi \mid w' \preceq_d \underbrace{\sigma_c \cdot (t, a)}_{\sigma'_c} \wedge \mathrm{start}(w') \ge \mathrm{end}(\sigma'_c) \big\}.
\end{aligned}
\]
Since $\mathrm{end}(\sigma'_c) = t$, then
\[
w_{\sigma'} = \min_{\mathrm{lex},\mathrm{end}} \big\{ w' \in m_{\sigma'}^{-1} \cdot \varphi \mid w' \preceq_d \sigma_c \cdot (t, a) \wedge \mathrm{start}(w') \ge t \big\}.
\]
We shall prove that
\[
\big\{ w' \in m_{\sigma'}^{-1} \cdot \varphi \mid w' \preceq_d \sigma_c \cdot (t, a) \wedge \mathrm{start}(w') \ge t \big\}
= \big\{ w' \in m_{\sigma'}^{-1} \cdot \varphi \mid \Pi_\Sigma(w') = \Pi_\Sigma(m_{\sigma'}^{-1} \cdot E_\varphi(\sigma \cdot (t, a))) \wedge m_{\sigma'} \cdot w' \triangleleft_d \sigma \cdot (t, a) \wedge \mathrm{start}(w') \ge \mathrm{end}(\sigma \cdot (t, a)) \big\},
\]
that is (since $\mathrm{end}(\sigma \cdot (t, a)) = t$):
\[
\big\{ w' \in m_{\sigma'}^{-1} \cdot \varphi \mid w' \preceq_d \sigma_c \cdot (t, a) \wedge \mathrm{start}(w') \ge t \big\}
= \big\{ w' \in m_{\sigma'}^{-1} \cdot \varphi \mid \Pi_\Sigma(w') = \Pi_\Sigma(m_{\sigma'}^{-1} \cdot E_\varphi(\sigma \cdot (t, a))) \wedge m_{\sigma'} \cdot w' \triangleleft_d \sigma \cdot (t, a) \wedge \mathrm{start}(w') \ge t \big\}.
\]
This amounts to proving that:
\[
\forall w' \in m_{\sigma'}^{-1} \cdot \varphi : \mathrm{start}(w') \ge t \implies \Big( w' \preceq_d \sigma_c \cdot (t, a) \iff \big( \Pi_\Sigma(w') = \Pi_\Sigma(m_{\sigma'}^{-1} \cdot E_\varphi(\sigma \cdot (t, a))) \wedge m_{\sigma'} \cdot w' \triangleleft_d \sigma \cdot (t, a) \big) \Big).
\]
($\Rightarrow$) Since $\Pi_\Sigma(m_{\sigma'}^{-1} \cdot E_\varphi(\sigma \cdot (t, a))) = \Pi_\Sigma(\sigma_c \cdot (t, a))$, by definition of $\preceq_d$, we have $\Pi_\Sigma(w') = \Pi_\Sigma(m_{\sigma'}^{-1} \cdot E_\varphi(\sigma \cdot (t, a)))$. From transparency, we know that $\sigma_s \triangleleft_d \sigma$ and $\Pi_\Sigma(\sigma_s) \cdot \Pi_\Sigma(\sigma_c \cdot (t, a)) \triangleleft \Pi_\Sigma(\sigma \cdot (t, a))$. Then, from $\mathrm{start}(w') \ge t$, we deduce $m_{\sigma'} \cdot w' \triangleleft_d \sigma \cdot (t, a)$.
($\Leftarrow$) From $\Pi_\Sigma(w') = \Pi_\Sigma(m_{\sigma'}^{-1} \cdot E_\varphi(\sigma \cdot (t, a)))$, $w'$ and $m_{\sigma'}^{-1} \cdot E_\varphi(\sigma \cdot (t, a)) = m_{\sigma'}^{-1} \cdot \sigma_c \cdot (t, a)$ have the same events. Moreover, since $\mathrm{start}(w') \ge t$, all events in $w'$ have greater dates than $t$ (and hence greater than those of all events in $\sigma_c \cdot (t, a)$). Thus $w' \preceq_d \sigma_c \cdot (t, a)$.
Thus, we conclude that $E_\varphi$ satisfies $(\mathrm{Op})_{\sigma'}$.
• Case $\kappa_\varphi(\sigma_s, \sigma'_c) = \emptyset$. We have $E_\varphi(\sigma \cdot (t, a)) = \Pi_1(\mathrm{store}_\varphi(\sigma \cdot (t, a))) = \Pi_1(\mathrm{store}_\varphi(\sigma)) = \sigma_s = E_\varphi(\sigma)$. Thus, from the induction hypothesis, we deduce that $(\mathrm{Op})_{\sigma'}$ holds.
□
Appendix A.3. Preliminaries to the proof of Proposition 3 (p. 31): characterising the configurations of
enforcement monitors
We define some notions and lemmas related to the configurations of any enforcement monitor E .
Remark 9. In the following proofs, without loss of generality, we assume that at any date, in addition to rule idle, at most one of the store and release rules of the enforcement monitor applies. This simplification reduces neither the generality nor the validity of the proofs because i) the store and release rules of the enforcement monitor do not rely on the same conditions, and ii) the store and release operations of enforcement monitors are assumed to be executed in zero time. The simplification does, however, reduce the number of (equivalent) cases in the following proofs.
Remark 10. Between the occurrences of two (input or output) events, the configuration of the enforcement monitor evolves according to rule idle (since it is the rule with the lowest priority). Moreover, from any configuration, applying idle twice consecutively, delaying for $\delta_1$ and then for $\delta_2$, or applying idle once from the same configuration with delay $\delta_1+\delta_2$, results in the same configuration. To simplify notation, we use a rule that simplifies the representation of $\mathcal{E}^{\mathrm{ioo}} \in \big(((\mathbb{R}_{\geq 0}\times\Sigma)\cup\{\epsilon\})\times Op\times((\mathbb{R}_{\geq 0}\times\Sigma)\cup\{\epsilon\})\big)^*$, stating that
$$
\sigma\cdot(\epsilon,\mathrm{idle}(\delta_1),\epsilon)\cdot(\epsilon,\mathrm{idle}(\delta_2),\epsilon)\cdot\sigma' \quad\text{is equivalent to}\quad \sigma\cdot(\epsilon,\mathrm{idle}(\delta_1+\delta_2),\epsilon)\cdot\sigma',
$$
for any $\sigma,\sigma' \in \big(((\mathbb{R}_{\geq 0}\times\Sigma)\cup\{\epsilon\})\times Op\times((\mathbb{R}_{\geq 0}\times\Sigma)\cup\{\epsilon\})\big)^*$ and $\delta_1,\delta_2 \in \mathbb{R}_{\geq 0}$. Thus, for $\mathcal{E}^{\mathrm{ioo}}$, we only consider sequences over $((\mathbb{R}_{\geq 0}\times\Sigma)\cup\{\epsilon\})\times Op\times((\mathbb{R}_{\geq 0}\times\Sigma)\cup\{\epsilon\})$ in which the delays appearing in operation idle are maximal (i.e., there are no two consecutive elements carrying an idle operation).
Appendix A.3.1. Some notations
Based on the assumption stated in Remark 9, there are at most two configurations for each date. Let us define the two functions $\mathrm{config}_{\mathrm{in}}, \mathrm{config}_{\mathrm{out}} : \mathrm{tw}(\Sigma)\times\mathbb{R}_{\geq 0} \to C_{\mathcal{E}}$ that give, respectively, the first and the last configuration of an enforcement monitor at some time instant when reading an input sequence. More formally, given some $\sigma \in \mathrm{tw}(\Sigma)$ and $t \in \mathbb{R}_{\geq 0}$:
- $\mathrm{config}_{\mathrm{in}}(\sigma,t) = c^t_\sigma$ such that $c^{\mathcal{E}}_0 \xhookrightarrow[\mathcal{E}]{w(\sigma,t)}{}^{*} c^t_\sigma$, where $w(\sigma,t) \stackrel{\mathrm{def}}{=} \min\{\, w \preccurlyeq \mathcal{E}^{\mathrm{ioo}}(\sigma,t) \mid \mathrm{timeop}(w) = t \,\}$;
- $\mathrm{config}_{\mathrm{out}}(\sigma,t) = c^t_\sigma$ such that $c^{\mathcal{E}}_0 \xhookrightarrow[\mathcal{E}]{\mathcal{E}^{\mathrm{ioo}}(\sigma,t)}{}^{*} c^t_\sigma$.
Observe that, when at some date only rule idle applies, $\mathrm{config}_{\mathrm{in}}(\sigma,t) = \mathrm{config}_{\mathrm{out}}(\sigma,t)$ holds, because there is only one configuration at this date. Moreover, when at some date other rules apply (rules release or store), $\mathrm{config}_{\mathrm{in}}(\sigma,t)$ and $\mathrm{config}_{\mathrm{out}}(\sigma,t)$ differ. Note that, in all cases, from $\mathrm{config}_{\mathrm{out}}(\sigma,t)$ only rule idle applies (which increases time).
Moreover, for any $\sigma \in \mathrm{tw}(\Sigma)$ and any $t,t' \in \mathbb{R}_{\geq 0}$ such that $t \leq t'$, we write $\mathcal{E}(\sigma,t,t')$ for $\mathcal{E}(\sigma,t)^{-1}\cdot\mathcal{E}(\sigma,t')$, i.e., the output sequence of an enforcement monitor between $t$ and $t'$. Note that, when $t = t'$, we have $\mathcal{E}(\sigma,t,t') = \epsilon$, for any $\sigma \in \mathrm{tw}(\Sigma)$.
The following remark states that configurations keep track of global time, and is a direct consequence of the rules of enforcement monitors in Definition 10 (p. 26).
Remark 11 (Value of the third component of configurations). Only rule idle modifies the value of the third component of configurations: it increments the third component as time elapses. That is:
$$
\forall\sigma \in \mathrm{tw}(\Sigma),\ \forall t \in \mathbb{R}_{\geq 0} :\ \Pi_3(\mathrm{config}_{\mathrm{in}}(\sigma,t)) = \Pi_3(\mathrm{config}_{\mathrm{out}}(\sigma,t)) = t.
$$
Appendix A.3.2. Some intermediate lemmas
Before tackling the proof of Proposition 3, we give a list of lemmas that describe the behaviour of an enforcement monitor, characterising its configurations or its output at some particular date for some input and memory content.
Similarly to the first physical constraint, the following lemma states that the enforcement monitor cannot change what it has already output. More precisely, when the enforcement monitor is seen as the function $\mathcal{E}$, its output is monotonic w.r.t. $\preccurlyeq$ as time elapses.
Lemma 2 (Monotonicity of enforcement monitors). Function $\mathcal{E} : \mathrm{tw}(\Sigma)\times\mathbb{R}_{\geq 0} \to \mathrm{tw}(\Sigma)$ is monotonic in its second parameter:
$$
\forall\sigma \in \mathrm{tw}(\Sigma),\ \forall t,t' \in \mathbb{R}_{\geq 0} :\ t \leq t' \implies \mathcal{E}(\sigma,t) \preccurlyeq \mathcal{E}(\sigma,t').
$$
The lemma states that for any input sequence $\sigma$, if we consider two dates $t,t'$ such that $t \leq t'$, then the output of the enforcement monitor at date $t$ is a prefix of the output at date $t'$.
PROOF (OF LEMMA 2). The proof directly follows from the definition of the function $\mathcal{E}$ associated with an enforcement monitor (see Section 7.4, p. 28), which depends on $\mathcal{E}^{\mathrm{ioo}}$, itself monotonic over time (by definition of enforcement monitors). $\square$
As a consequence, one can naturally split the output of the enforcement monitor over time, as stated by the following lemma.
Lemma 3 (Separation of the output of the enforcement monitor over time).
$$
\forall\sigma \in \mathrm{tw}(\Sigma),\ \forall t_1,t_2,t_3 \in \mathbb{R}_{\geq 0} :\ t_1 \leq t_2 \leq t_3 \implies \mathcal{E}(\sigma,t_1,t_3) = \mathcal{E}(\sigma,t_1,t_2)\cdot\mathcal{E}(\sigma,t_2,t_3).
$$
The lemma states that for any sequence $\sigma$ input to $\mathcal{E}$, if we consider three dates $t_1,t_2,t_3 \in \mathbb{R}_{\geq 0}$ such that $t_1 \leq t_2 \leq t_3$, the output of $\mathcal{E}$ between $t_1$ and $t_3$ is the concatenation of the output between $t_1$ and $t_2$ and the output between $t_2$ and $t_3$.
PROOF (OF LEMMA 3). Recall that for any $t,t' \in \mathbb{R}_{\geq 0}$ such that $t \leq t'$, $\mathcal{E}(\sigma,t,t')$ is the output sequence of an enforcement monitor between $t$ and $t'$. The lemma directly follows from the definition $\mathcal{E}(\sigma,t,t') = \mathcal{E}(\sigma,t)^{-1}\cdot\mathcal{E}(\sigma,t')$, together with Lemma 2, which guarantees that the residuals are defined ($\mathcal{E}(\sigma,t_1) \preccurlyeq \mathcal{E}(\sigma,t_2) \preccurlyeq \mathcal{E}(\sigma,t_3)$). $\square$
The following lemma states that, at some date $t$, the output of the enforcement monitor only depends on what has been observed until date $t$. In other words, the enforcement monitor works in an online fashion.
Lemma 4 (Dependency of the output on the observation only).
$$
\forall\sigma \in \mathrm{tw}(\Sigma),\ \forall t \in \mathbb{R}_{\geq 0} :\ \mathcal{E}(\sigma,t) = \mathcal{E}(\mathrm{obs}(\sigma,t),t).
$$
PROOF (OF LEMMA 4). The proof directly follows from the definitions of $\mathcal{E}^{\mathrm{ioo}}$ (Definition 11, p. 30) and $\mathrm{obs}$ (Section 3). Indeed, using $\mathrm{obs}(\sigma,t) = \mathrm{obs}(\mathrm{obs}(\sigma,t),t)$, we deduce that $\mathcal{E}^{\mathrm{ioo}}(\sigma,t) = \mathcal{E}^{\mathrm{ioo}}(\mathrm{obs}(\sigma,t),t)$, for any $\sigma \in \mathrm{tw}(\Sigma)$ and $t \in \mathbb{R}_{\geq 0}$. Using $\mathcal{E}(\sigma,t) = \Pi_3(\mathcal{E}^{\mathrm{ioo}}(\sigma,t))$, we deduce the expected result. $\square$
The following lemma states that after reading some input sequence $\sigma$ entirely, only the memory content $\sigma_{ms}$ and the value of the clock $t$ influence the output of the enforcement monitor. More specifically, after completely reading some sequence, if an enforcement monitor reaches some configuration containing $\sigma_{ms}$ in its memory, its future output is fully determined by the memory content $\sigma_{ms}$ (containing the corrected sequence) and the value of the clock variable $t$, during the total time needed to output it.
Lemma 5 (Values of $\mathrm{config}_{\mathrm{out}}$ when releasing events).
$$
\forall\sigma,\sigma_{ms},\sigma_{mc} \in \mathrm{tw}(\Sigma),\ \forall t,t_F \in \mathbb{R}_{\geq 0},\ \forall q \in Q :\
t \geq \mathrm{end}(\sigma) \wedge \mathrm{config}_{\mathrm{out}}(\sigma,t) = (\sigma_{ms},\sigma_{mc},t,q,t_F)
\implies \forall\sigma'_{ms} \preccurlyeq \sigma_{ms} :\ \mathrm{config}_{\mathrm{out}}(\sigma,\mathrm{end}(\sigma'_{ms})) = (\sigma'^{-1}_{ms}\cdot\sigma_{ms},\sigma_{mc},\mathrm{end}(\sigma'_{ms}),q,t_F).
$$
The lemma states that, whatever the output configuration $(\sigma_{ms},\sigma_{mc},t,q,t_F)$ reached by reading some input sequence $\sigma$ at some date $t \geq \mathrm{end}(\sigma)$, for any prefix $\sigma'_{ms}$ of $\sigma_{ms}$, the output configuration reached at date $\mathrm{end}(\sigma'_{ms})$ (output date of the last event in $\sigma'_{ms}$) is such that $\sigma'_{ms}$ has been released from the memory (the memory is thus $\sigma'^{-1}_{ms}\cdot\sigma_{ms}$) and the clock value in this configuration is $\mathrm{end}(\sigma'_{ms})$.
PROOF (OF LEMMA 5). The proof is a straightforward induction on the length of $\sigma'_{ms}$. It uses the fact that the considered configurations occur at dates greater than or equal to $\mathrm{end}(\sigma)$, hence no input event can be read any more. Consequently, following the definition of the enforcement monitor (Definition 10, p. 26), only rules idle and release apply to these configurations. Between $\mathrm{end}(\sigma'_{ms})$ and $\mathrm{end}(\sigma'_{ms}\cdot(t,a))$, where $\sigma'_{ms} \preccurlyeq \sigma'_{ms}\cdot(t,a) \preccurlyeq \sigma_{ms}$, the configuration of the enforcement monitor evolves only using rule idle (no other rule applies) until $\mathrm{config}_{\mathrm{in}}(\sigma,\mathrm{end}(\sigma'_{ms}\cdot(t,a))) = (\sigma'^{-1}_{ms}\cdot\sigma_{ms},\sigma_{mc},\mathrm{end}(\sigma'_{ms}\cdot(t,a)),q,t_F)$. Rule release is then applied to get the following derivation (note that $\mathrm{end}(\sigma'_{ms}\cdot(t,a)) = t$):
$$
(\sigma'^{-1}_{ms}\cdot\sigma_{ms},\sigma_{mc},t,q,t_F) \xhookrightarrow[\mathcal{E}]{\epsilon/\mathrm{release}(t,a)/(t,a)} ((\sigma'_{ms}\cdot(t,a))^{-1}\cdot\sigma_{ms},\sigma_{mc},t,q,t_F). \qquad\square
$$
The following lemma relates the date of the last event of the corrected sequence and the value of the last variable stored in the configuration of an enforcement monitor.
Lemma 6 (Relation between some elements in a configuration).
$$
\forall\sigma,\sigma_{ms} \in \mathrm{tw}(\Sigma),\ \forall t,t_F \in \mathbb{R}_{\geq 0} :\ \mathrm{config}_{\mathrm{out}}(\sigma,t) = (\sigma_{ms},\_,t,\_,t_F) \wedge \sigma_{ms} \neq \epsilon \implies \mathrm{end}(\sigma_{ms}) = t_F.
$$
PROOF. The lemma is a straightforward consequence of the definition of enforcement monitors (Definition 10, p. 26). Indeed, only rule store-$\varphi$ modifies $t_F$, and it does so together with the memory: it appends a word $w$ to $\sigma_{ms}$ and sets $t_F$ to $\mathrm{end}(w)$, so that the invariant holds right after the rule is applied. Rule release only removes the head of the memory and leaves $t_F$ unchanged, which preserves the date of the last event as long as the memory is not empty. $\square$
The following lemma states that when an enforcement monitor has nothing left to read in input, what it releases as output is the observation of its memory content over time.
Lemma 7 (Output of the enforcement monitor according to memory content).
$$
\forall\sigma,\sigma_{ms},\sigma_{mc} \in \mathrm{tw}(\Sigma),\ \forall t,t_F \in \mathbb{R}_{\geq 0},\ \forall q \in Q :\
t \geq \mathrm{end}(\sigma) \wedge \mathrm{config}_{\mathrm{out}}(\sigma,t) = (\sigma_{ms},\sigma_{mc},t,q,t_F)
\implies \forall t' \in \mathbb{R}_{\geq 0} :\ t \leq t' \leq \mathrm{end}(\sigma_{ms}) \implies \mathcal{E}(\sigma,t,t') = \mathrm{obs}(\sigma_{ms},t').
$$
The lemma states that, if at some date $t$, after reading an input sequence $\sigma$, the enforcement monitor is in an output configuration that contains $\sigma_{ms}$ as memory content, then, whatever the date $t'$ between $t$ and $\mathrm{end}(\sigma_{ms})$, the output of the enforcement monitor between $t$ and $t'$ is the observation of $\sigma_{ms}$ at date $t'$.
PROOF (OF LEMMA 7). The proof is performed by induction on the length of $\sigma_{ms}$ and uses Lemma 5.
• Case $|\sigma_{ms}| = 0$. In this case, $\sigma_{ms} = \epsilon$ and $\mathrm{end}(\epsilon) = 0$. If $t = t' = 0$, we have $\mathcal{E}(\sigma,t,t') = \epsilon = \mathrm{obs}(\sigma_{ms},t')$. Otherwise, $t \leq t' \leq \mathrm{end}(\sigma_{ms}) = 0$ cannot hold, and thus the lemma vacuously holds.
• Induction case. Let us suppose that the lemma holds for all prefixes of $\sigma_{ms}$ of length at most $n \in [0,|\sigma_{ms}|-1]$ (induction hypothesis). Following Lemma 6, one can write $\sigma_{ms} = \sigma'\cdot(t_F,a)$, where $\sigma'$ is the prefix of $\sigma_{ms}$ of length $n$ and $(t_F,a) \in \mathbb{R}_{\geq 0}\times\Sigma$. On the one hand, at date $\mathrm{end}(\sigma')$, according to Lemma 5, we have $\mathrm{config}_{\mathrm{out}}(\sigma,\mathrm{end}(\sigma')) = ((t_F,a),\sigma_{mc},\mathrm{end}(\sigma'),q,t_F)$ for some $\sigma_{mc} \in \mathrm{tw}(\Sigma)$ and $q \in Q$. For any $t' \in [t,\mathrm{end}(\sigma')]$, the result follows from the induction hypothesis applied to $\sigma'$, since $\mathrm{obs}(\sigma_{ms},t') = \mathrm{obs}(\sigma',t')$ for such $t'$ (the event $(t_F,a)$ is still in memory at date $\mathrm{end}(\sigma')$). On the other hand, let us consider some $t' \in [\mathrm{end}(\sigma'),t_F]$; using Lemma 3, we have:
$$
\mathcal{E}(\sigma,t,t') = \mathcal{E}(\sigma,t,\mathrm{end}(\sigma'))\cdot\mathcal{E}(\sigma,\mathrm{end}(\sigma'),t').
$$
(Note that, when $t = t' = \mathrm{end}(\sigma')$, the above equation reduces to $\epsilon = \epsilon$.) Using the induction hypothesis, we find $\mathcal{E}(\sigma,t,\mathrm{end}(\sigma')) = \mathrm{obs}(\sigma',\mathrm{end}(\sigma')) = \sigma'$. Using the semantics of the enforcement monitor (only rules release and idle apply, since no new event is received), we obtain $\mathcal{E}(\sigma,\mathrm{end}(\sigma'),t') = \mathrm{obs}((t_F,a),t')$. Thus, $\mathcal{E}(\sigma,t,t') = \sigma'\cdot\mathrm{obs}((t_F,a),t') = \mathrm{obs}(\sigma'\cdot(t_F,a),t')$. $\square$
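The release phase that Lemmas 2, 3, 5 and 7 characterise (once the input is exhausted, only rules idle and release fire, and the output is the observation of the memory over time) can be turned into a small executable model, which also makes Remark 10 (merging of consecutive idle operations) concrete. The Python block below is an added illustration and is not code from the paper. It assumes that the memory of $\mathrm{config}_{\mathrm{out}}(\sigma,t)$ only holds events dated after $t$ (they have not been released yet), that dates in the memory are strictly increasing (Remark 9: at most one release per date), and it leaves out the components $\sigma_{mc}$, $q$ and $t_F$, which do not change in this phase. The names `run`, `output_between`, `check_lemmas` and the memory content `SIGMA_MS` are constructed for the example; `None` stands for $\epsilon$ in the input/operation/output steps.

```python
"""Release phase of an enforcement monitor: an executable model.

Added illustration, not code from the paper. Once the whole input has been
read (t >= end(sigma)) only two rules can fire: idle, which lets time
elapse, and release, which emits the head of the memory sigma_ms when the
clock reaches its date. A configuration is summarised by (memory, clock).
A timed word is a list of (date, action) pairs with strictly increasing
dates. Traces follow the input/operation/output shape of E^ioo; None
stands for epsilon (no input read, nothing output).
"""
from typing import List, Optional, Tuple

Event = Tuple[float, str]
TimedWord = List[Event]
Step = Tuple[Optional[Event], Tuple, Optional[Event]]  # (input, operation, output)


def end(w: TimedWord) -> float:
    """end(w): date of the last event; end(epsilon) = 0 as in the paper."""
    return w[-1][0] if w else 0.0


def obs(w: TimedWord, t: float) -> TimedWord:
    """obs(w, t): the prefix of w made of the events dated at most t."""
    return [(d, a) for (d, a) in w if d <= t]


def merge_idle(trace: List[Step]) -> List[Step]:
    """Remark 10: consecutive idle(d1), idle(d2) steps are replaced by a
    single idle(d1 + d2), so the delays of idle operations are maximal."""
    merged: List[Step] = []
    for step in trace:
        if merged and merged[-1][1][0] == "idle" and step[1][0] == "idle":
            merged[-1] = (None, ("idle", merged[-1][1][1] + step[1][1]), None)
        else:
            merged.append(step)
    return merged


def timeop(trace: List[Step], start: float) -> float:
    """Date reached after the trace: only idle advances the clock (Remark 11)."""
    return start + sum(op[1] for _, op, _ in trace if op[0] == "idle")


def output_of(trace: List[Step]) -> TimedWord:
    """Pi_3 of an input/operation/output word: the released events."""
    return [o for _, _, o in trace if o is not None]


def run(memory: TimedWord, clock: float, target: float) -> Tuple[TimedWord, List[Step]]:
    """Small-step semantics from (memory, clock) up to date target: release
    fires as soon as the head of the memory is due, idle otherwise (it has
    the lowest priority). Returns the remaining memory and the trace."""
    assert target >= clock, "time only moves forward"
    memory, trace = list(memory), []
    while memory and memory[0][0] <= target:
        date, action = memory[0]
        if date > clock:                                   # idle until the event is due
            trace.append((None, ("idle", date - clock), None))
            clock = date
        trace.append((None, ("release", (date, action)), (date, action)))
        memory = memory[1:]
    if target > clock:                                     # idle up to target
        trace.append((None, ("idle", target - clock), None))
    return memory, merge_idle(trace)


def output_between(sigma_ms: TimedWord, t: float, t2: float) -> TimedWord:
    """E(sigma, t, t2) in the release phase, when config_out(sigma, t) holds
    sigma_ms in memory (events not yet released, hence all dated after t)."""
    return output_of(run(sigma_ms, t, t2)[1])


def check_lemmas(sigma_ms: TimedWord, t: float) -> bool:
    """Checks Lemmas 2, 3, 5 and 7 on every pair of dates among t and the
    event dates of sigma_ms; requires start(sigma_ms) > t."""
    assert all(d > t for d, _ in sigma_ms)
    assert all(d1 < d2 for (d1, _), (d2, _) in zip(sigma_ms, sigma_ms[1:]))
    dates = sorted({t, *[d for d, _ in sigma_ms]})
    for i, t1 in enumerate(dates):
        for t2 in dates[i:]:
            o1, o2 = output_between(sigma_ms, t, t1), output_between(sigma_ms, t, t2)
            if o2[:len(o1)] != o1:                         # Lemma 2: prefix order
                return False
            mem1 = run(sigma_ms, t, t1)[0]
            if o1 + output_between(mem1, t1, t2) != o2:    # Lemma 3: separation
                return False
            if o2 != obs(sigma_ms, t2):                    # Lemma 7: observation
                return False
    for k in range(1, len(sigma_ms) + 1):                  # Lemma 5: config_out
        prefix = sigma_ms[:k]
        mem, trace = run(sigma_ms, t, end(prefix))
        if (mem, timeop(trace, t)) != (sigma_ms[k:], end(prefix)):
            return False
    return True


# Constructed memory content: three corrected events still to be released.
SIGMA_MS: TimedWord = [(3.0, "a"), (5.0, "b"), (8.0, "c")]

if __name__ == "__main__":
    print(run(SIGMA_MS, 2.0, 5.0))
    print("lemmas hold:", check_lemmas(SIGMA_MS, 2.0))
```

`check_lemmas` only visits dates at which a rule other than idle fires (plus `t`), which is where the two configurations of Remark 9 differ; between those dates the model is constant, so no further dates need checking.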
The following lemma states that, for any input $\sigma$, after observing the entire input (that is, at any date greater than or equal to $\mathrm{end}(\sigma)$), the contents of the internal memory ($\sigma_c$) of the enforcement function and of the enforcement monitor are the same.
Lemma 8 (Content of the internal memory).
$$
\forall\sigma \in \mathrm{tw}(\Sigma),\ \forall t \in \mathbb{R}_{\geq 0} :\ t \geq \mathrm{end}(\sigma) \implies \Pi_2(\mathrm{store}_\varphi(\sigma)) = \Pi_2(\mathrm{config}_{\mathrm{out}}(\sigma,t)).
$$
PROOF (OF LEMMA 8). The proof is performed by induction on the length of $\sigma$. Recall that $\mathrm{store}_\varphi(\sigma)$ is defined in Section 6.2, and $\mathrm{config}_{\mathrm{out}}(\sigma,t)$ is defined in Appendix A.3.1.
• Case $|\sigma| = 0$. In this case, from the definition of the enforcement monitor (Definition 10, p. 26), none of the store rules can be applied. Consequently, we have $\Pi_2(\mathrm{config}_{\mathrm{out}}(\sigma,t)) = \epsilon$. Regarding the enforcement function, as per Definition 8 (p. 16), we have $\Pi_2(\mathrm{store}_\varphi(\epsilon)) = \epsilon$.
• Induction case. Let us suppose that for some $\sigma \in \mathrm{tw}(\Sigma)$, we have $\forall t \in \mathbb{R}_{\geq 0} : t \geq \mathrm{end}(\sigma) \implies \Pi_2(\mathrm{store}_\varphi(\sigma)) = \Pi_2(\mathrm{config}_{\mathrm{out}}(\sigma,t))$ (induction hypothesis). Let us consider $\sigma' = \sigma\cdot(t_l,a)$, where $(t_l,a) \in \mathbb{R}_{\geq 0}\times\Sigma$ (and thus $t_l \geq \mathrm{end}(\sigma)$).
From the induction hypothesis, for $t \geq \mathrm{end}(\sigma)$, we have $\Pi_2(\mathrm{store}_\varphi(\sigma)) = \Pi_2(\mathrm{config}_{\mathrm{out}}(\sigma,t))$, and therefore, for any $t \geq t_l$, we also have $\Pi_2(\mathrm{store}_\varphi(\sigma)) = \Pi_2(\mathrm{config}_{\mathrm{out}}(\sigma,t))$. Let $\sigma_c = \Pi_2(\mathrm{store}_\varphi(\sigma))$. Consequently, we also have $\mathrm{config}_{\mathrm{in}}(\sigma,t_l) = (\_,\sigma_c,t_l,\_,\_) = \mathrm{config}_{\mathrm{in}}(\sigma\cdot(t_l,a),t_l)$.
From the definition of $\mathrm{store}_\varphi$, we have $\Pi_2(\mathrm{store}_\varphi(\sigma\cdot(t_l,a))) = \sigma'_c$, where $\sigma'_c$ is either $\epsilon$, $\sigma_c\cdot(t_l,a)$, or $\sigma_c$, depending on which case of the $\mathrm{store}_\varphi$ function applies.
Regarding the enforcement monitor, from the $\mathrm{update}$ function (since each case in $\mathrm{store}_\varphi$ has a corresponding case in $\mathrm{update}$), we also have $\mathrm{config}_{\mathrm{out}}(\sigma\cdot(t_l,a),t_l) = (\_,\sigma'_c,t_l,\_,\_)$ (obtained by applying one of the store rules, according to the value returned by function $\mathrm{update}$). For $t > t_l$, since none of the store rules can be applied, we can conclude that $\mathrm{config}_{\mathrm{out}}(\sigma\cdot(t_l,a),t) = (\_,\sigma'_c,t,\_,\_)$.
Thus, we have $\Pi_2(\mathrm{store}_\varphi(\sigma\cdot(t_l,a))) = \Pi_2(\mathrm{config}_{\mathrm{out}}(\sigma\cdot(t_l,a),t))$. $\square$
Appendix A.4. Proof of Proposition 3: relation between enforcement function and enforcement monitor
We shall prove that, given a property $\varphi$, the associated enforcement monitor $\mathcal{E}_\varphi$ as per Definition 10 (p. 26) implements the associated enforcement function $E_\varphi : \mathrm{tw}(\Sigma) \to \mathrm{tw}(\Sigma)$ as per Definition 8 (p. 16). That is:
$$
\forall\sigma \in \mathrm{tw}(\Sigma),\ \forall t \in \mathbb{R}_{\geq 0} :\ \mathrm{obs}(E_\varphi(\sigma),t) = \mathcal{E}_\varphi(\sigma,t).
$$
The proof is done by induction on the length of the input timed word $\sigma$.
Induction Basis. Let us suppose that $|\sigma| = 0$, thus $\sigma = \epsilon$ in $\mathrm{tw}(\Sigma)$. On the one hand, we have $E_\varphi(\sigma) = \epsilon$, and thus $\forall t \in \mathbb{R}_{\geq 0} : \mathrm{obs}(E_\varphi(\sigma),t) = \epsilon$. On the other hand, the word $\mathcal{E}^{\mathrm{ioo}}_\varphi(\epsilon,t)$ over the input-operation-output alphabet is such that $\forall t \in \mathbb{R}_{\geq 0} : \Pi_1(\mathcal{E}^{\mathrm{ioo}}_\varphi(\epsilon,t)) = \epsilon$. Thus, according to the definition of the enforcement monitor, the rules store-$\varphi$, store-sup-$\varphi$, and store-$\overline{\varphi}$ cannot be applied. Consequently, the memory $\sigma_{ms}$ of the enforcement monitor remains empty, as in the initial configuration. It follows that rule release cannot be applied either. We then have $\forall t \in \mathbb{R}_{\geq 0} : c^{\mathcal{E}_\varphi}_0 \xhookrightarrow[\mathcal{E}_\varphi]{\epsilon/\mathrm{idle}(t)/\epsilon} (\epsilon,\epsilon,t,q_0,0)$, and thus $\mathcal{E}_\varphi(\epsilon,t) = \epsilon$. Thus, $\forall t \in \mathbb{R}_{\geq 0} : \mathrm{obs}(E_\varphi(\sigma),t) = \mathcal{E}_\varphi(\epsilon,t)$.
Induction Step. Let us suppose that $\mathrm{obs}(E_\varphi(\sigma),t) = \mathcal{E}_\varphi(\sigma,t)$ for any timed word $\sigma \in \mathrm{tw}(\Sigma)$ of some length $n \in \mathbb{N}$, at any date $t \in \mathbb{R}_{\geq 0}$ (induction hypothesis). Let us now consider some input timed word $\sigma\cdot(t_{n+1},a)$ for some $\sigma \in \mathrm{tw}(\Sigma)$ with $|\sigma| = n$, $t_{n+1} \in \mathbb{R}_{\geq 0}$, and $a \in \Sigma$. We want to prove that $\mathrm{obs}(E_\varphi(\sigma\cdot(t_{n+1},a)),t) = \mathcal{E}_\varphi(\sigma\cdot(t_{n+1},a),t)$ at any date $t \in \mathbb{R}_{\geq 0}$.
Let us consider some date $t \in \mathbb{R}_{\geq 0}$. Note that $\mathrm{end}(\sigma\cdot(t_{n+1},a)) = t_{n+1}$. We distinguish two cases according to whether $t_{n+1} > t$ or not, that is, whether $\sigma\cdot(t_{n+1},a)$ is completely observed at date $t$ or not.
• Case $t_{n+1} > t$. In this case, $\mathrm{obs}(\sigma\cdot(t_{n+1},a),t) = \mathrm{obs}(\sigma,t)$, i.e., at date $t$, the observations of $\sigma$ and $\sigma\cdot(t_{n+1},a)$ are identical.
On the one hand, from the definition of $E_\varphi$ (since function $\mathrm{store}_\varphi$ and the delayed subsequence are defined such that the date of each event in output is greater than or equal to the date of the corresponding event in input), we have:
$$
\mathrm{obs}(E_\varphi(\sigma\cdot(t_{n+1},a)),t) = \mathrm{obs}(\Pi_1(\mathrm{store}_\varphi(\sigma\cdot(t_{n+1},a))),t) = \mathrm{obs}(\Pi_1(\mathrm{store}_\varphi(\sigma)),t) = \mathrm{obs}(E_\varphi(\sigma),t).
$$
On the other hand, regarding the enforcement monitor, since $\mathrm{obs}(\sigma\cdot(t_{n+1},a),t) = \mathrm{obs}(\sigma,t)$, using Lemma 4 (p. 51), we obtain $\mathcal{E}_\varphi(\sigma\cdot(t_{n+1},a),t) = \mathcal{E}_\varphi(\sigma,t)$. Using the induction hypothesis, we can conclude that $\mathrm{obs}(E_\varphi(\sigma\cdot(t_{n+1},a)),t) = \mathcal{E}_\varphi(\sigma\cdot(t_{n+1},a),t)$.
• Case $t_{n+1} \leq t$. In this case, we have $\mathrm{obs}(\sigma\cdot(t_{n+1},a),t) = \sigma\cdot(t_{n+1},a)$ (i.e., $\sigma\cdot(t_{n+1},a)$ is observed entirely at date $t$). From Remark 11 (p. 50), we know that the configuration of the enforcement monitor at date $\mathrm{end}(\sigma\cdot(t_{n+1},a))$ is $\mathrm{config}_{\mathrm{in}}(\sigma\cdot(t_{n+1},a),t_{n+1}) = (\sigma_{ms},\sigma_{mc},t_{n+1},q_\sigma,t_F)$ for some $\sigma_{ms},\sigma_{mc} \in \mathrm{tw}(\Sigma)$, $q_\sigma \in Q$, $t_F \in \mathbb{R}_{\geq 0}$. Using Lemma 8 (p. 53), we also have $\Pi_2(\mathrm{store}_\varphi(\sigma)) = \sigma_c = \Pi_2(\mathrm{config}_{\mathrm{in}}(\sigma\cdot(t_{n+1},a),t_{n+1})) = \sigma_{mc}$. Observe that $\mathrm{config}_{\mathrm{in}}(\sigma,t_{n+1}) = \mathrm{config}_{\mathrm{in}}(\sigma\cdot(t_{n+1},a),t_{n+1})$ because of i) the definition of $\mathrm{config}_{\mathrm{in}}$ through the definition of $\mathcal{E}^{\mathrm{ioo}}_\varphi$, and ii) the fact that the event $(t_{n+1},a)$ has not yet been consumed through any of the store rules by the enforcement monitor at date $t_{n+1}$.
We distinguish two cases according to whether $\sigma_c\cdot(t_{n+1},a)$ can be delayed into a word satisfying $\varphi$ or not, i.e., whether $\kappa_\varphi(\sigma_s,\sigma_c\cdot(t_{n+1},a)) = \emptyset$ or not.
– Case $\kappa_\varphi(\sigma_s,\sigma_c\cdot(t_{n+1},a)) = \emptyset$. From the definition of function $\mathrm{store}_\varphi$, we have $\mathrm{store}_\varphi(\sigma\cdot(t_{n+1},a)) = (\sigma_s,\sigma'_c)$, and $\Pi_1(\mathrm{store}_\varphi(\sigma\cdot(t_{n+1},a))) = \sigma_s$. We also have $\Pi_1(\mathrm{store}_\varphi(\sigma)) = \sigma_s$. From the definitions of $E_\varphi$ and $\mathrm{obs}$, we have $\mathrm{obs}(E_\varphi(\sigma\cdot(t_{n+1},a)),t) = \mathrm{obs}(E_\varphi(\sigma),t)$.
Regarding $\mathcal{E}_\varphi$, according to the definition of function $\mathrm{update}$, we have $\mathrm{update}(q_\sigma,t_F,\sigma_{mc},(t_{n+1},a)) = (q_\sigma,\sigma_{mc},\mathrm{bad})$ or $(q_\sigma,\sigma_{mc}\cdot(t_{n+1},a),\mathrm{c\_bad})$. According to the definition of the transition relation, we have:
$$
(\sigma_{ms},\sigma_{mc},t_{n+1},q_\sigma,t_F) \xhookrightarrow[\mathcal{E}_\varphi]{(t_{n+1},a)/\mathrm{store}\text{-}\overline{\varphi}(t_{n+1},a)/\epsilon} (\sigma_{ms},\sigma'_{mc},t_{n+1},q_\sigma,t_F),
$$
where $\sigma'_{mc} = \sigma_{mc}$ if $\mathrm{update}(q_\sigma,t_F,\sigma_{mc},(t_{n+1},a)) = (q_\sigma,\sigma_{mc},\mathrm{bad})$, and $\sigma'_{mc} = \sigma_{mc}\cdot(t_{n+1},a)$ otherwise. Thus $\mathrm{config}_{\mathrm{out}}(\sigma\cdot(t_{n+1},a),t_{n+1}) = (\sigma_{ms},\sigma'_{mc},t_{n+1},q_\sigma,t_F)$.
Let us consider $\delta > 0$ such that between $t_{n+1}-\delta$ and $t_{n+1}$ the enforcement monitor neither reads any input nor produces any output, i.e., at every date in $[t_{n+1}-\delta,t_{n+1})$ only rule idle applies.
Let us examine $\mathcal{E}_\varphi(\sigma\cdot(t_{n+1},a),t)$. Using Lemma 3, we have:
$$
\mathcal{E}_\varphi(\sigma\cdot(t_{n+1},a),t) = \mathcal{E}_\varphi(\sigma\cdot(t_{n+1},a),t_{n+1}-\delta)\cdot\mathcal{E}_\varphi(\sigma\cdot(t_{n+1},a),t_{n+1}-\delta,t_{n+1})\cdot\mathcal{E}_\varphi(\sigma\cdot(t_{n+1},a),t_{n+1},t).
$$
Let us examine $\mathcal{E}_\varphi(\sigma,t)$. We have:
$$
\mathcal{E}_\varphi(\sigma,t) = \mathcal{E}_\varphi(\sigma,t_{n+1}-\delta)\cdot\mathcal{E}_\varphi(\sigma,t_{n+1}-\delta,t_{n+1})\cdot\mathcal{E}_\varphi(\sigma,t_{n+1},t).
$$
Observe that $\mathcal{E}_\varphi(\sigma\cdot(t_{n+1},a),t_{n+1}-\delta) = \mathcal{E}_\varphi(\sigma,t_{n+1}-\delta)$ because, according to the definition of $\mathrm{obs}$, $\mathrm{obs}(\sigma\cdot(t_{n+1},a),t_{n+1}-\delta) = \mathrm{obs}(\sigma,t_{n+1}-\delta)$, and Lemma 4 applies. Moreover, $\mathcal{E}_\varphi(\sigma\cdot(t_{n+1},a),t_{n+1}-\delta,t_{n+1}) = \epsilon$ since only rule idle applies during the considered time interval. Furthermore, according to Lemma 7, since $\mathrm{config}_{\mathrm{out}}(\sigma\cdot(t_{n+1},a),t_{n+1}) = (\sigma_{ms},\sigma'_{mc},t_{n+1},q_\sigma,t_F)$, we get $\mathcal{E}_\varphi(\sigma\cdot(t_{n+1},a),t_{n+1},t) = \mathrm{obs}(\sigma_{ms},t)$. Regarding $\sigma$, we know that $\mathrm{config}_{\mathrm{in}}(\sigma,t_{n+1}) = (\sigma_{ms},\sigma_{mc},t_{n+1},q_\sigma,t_F)$. Since the enforcement monitor is deterministic, and from Remark 9 (p. 50), we also get $\mathrm{config}_{\mathrm{out}}(\sigma,t_{n+1}) = (\sigma_{ms},\sigma_{mc},t_{n+1},q_\sigma,t_F)$; as the monitor behaves identically on $\sigma$ and on $\sigma\cdot(t_{n+1},a)$ before date $t_{n+1}$, this also gives $\mathcal{E}_\varphi(\sigma,t_{n+1}-\delta,t_{n+1}) = \epsilon$. Using Lemma 7 (p. 52) again, we get $\mathcal{E}_\varphi(\sigma,t_{n+1},t) = \mathrm{obs}(\sigma_{ms},t)$.
Consequently, we can deduce that $\mathcal{E}_\varphi(\sigma\cdot(t_{n+1},a),t) = \mathcal{E}_\varphi(\sigma,t) = \mathrm{obs}(E_\varphi(\sigma),t) = \mathrm{obs}(E_\varphi(\sigma\cdot(t_{n+1},a)),t)$.
– Case $\kappa_\varphi(\sigma_s,\sigma_c\cdot(t_{n+1},a)) \neq \emptyset$. Regarding $E_\varphi$, from the definition of function $\mathrm{store}_\varphi$, we have $\mathrm{store}_\varphi(\sigma\cdot(t_{n+1},a)) = (\sigma_s\cdot\min_{\mathrm{lex},\mathrm{end}}\kappa_\varphi(\sigma_s,\sigma_c\cdot(t_{n+1},a)),\epsilon)$, and $\Pi_1(\mathrm{store}_\varphi(\sigma\cdot(t_{n+1},a))) = \sigma_s\cdot\min_{\mathrm{lex},\mathrm{end}}\kappa_\varphi(\sigma_s,\sigma_c\cdot(t_{n+1},a))$. Regarding the enforcement monitor, according to the definition of $\mathrm{update}$, we have $\mathrm{update}(q_\sigma,t_F,\sigma_{mc},(t_{n+1},a)) = (q',w,\mathrm{ok})$ with $w = \min_{\mathrm{lex},\mathrm{end}}\kappa_\varphi(\sigma_s,\sigma_c\cdot(t_{n+1},a))$, since $\sigma_c = \sigma_{mc}$ and, from the definitions of $\kappa_\varphi$ and $\mathrm{update}$, the dates computed for $\sigma_c\cdot(t_{n+1},a)$ by both functions are equal. From the definition of the transition relation, we have:
$$
(\sigma_{ms},\sigma_{mc},t_{n+1},q_\sigma,t_F) \xhookrightarrow[\mathcal{E}_\varphi]{(t_{n+1},a)/\mathrm{store}\text{-}\varphi(t_{n+1},a)/\epsilon} (\sigma_{ms}\cdot w,\epsilon,t_{n+1},q',\mathrm{end}(w)).
$$
Thus $\mathrm{config}_{\mathrm{out}}(\sigma\cdot(t_{n+1},a),t_{n+1}) = (\sigma_{ms}\cdot w,\epsilon,t_{n+1},q',\mathrm{end}(w))$.
Let us consider $\delta > 0$ such that between $t_{n+1}-\delta$ and $t_{n+1}$ the enforcement monitor neither reads any input nor produces any output, i.e., at every date in $[t_{n+1}-\delta,t_{n+1})$ only rule idle applies.
Let us examine $\mathcal{E}_\varphi(\sigma\cdot(t_{n+1},a),t)$. Using Lemma 3, we have:
$$
\mathcal{E}_\varphi(\sigma\cdot(t_{n+1},a),t) = \mathcal{E}_\varphi(\sigma\cdot(t_{n+1},a),t_{n+1}-\delta)\cdot\mathcal{E}_\varphi(\sigma\cdot(t_{n+1},a),t_{n+1}-\delta,t_{n+1})\cdot\mathcal{E}_\varphi(\sigma\cdot(t_{n+1},a),t_{n+1},t).
$$
Let us examine $\mathcal{E}_\varphi(\sigma,t)$. We have:
$$
\mathcal{E}_\varphi(\sigma,t) = \mathcal{E}_\varphi(\sigma,t_{n+1}-\delta)\cdot\mathcal{E}_\varphi(\sigma,t_{n+1}-\delta,t_{n+1})\cdot\mathcal{E}_\varphi(\sigma,t_{n+1},t).
$$
Observe that $\mathcal{E}_\varphi(\sigma\cdot(t_{n+1},a),t_{n+1}-\delta) = \mathcal{E}_\varphi(\sigma,t_{n+1}-\delta)$ because, according to the definition of $\mathrm{obs}$, $\mathrm{obs}(\sigma\cdot(t_{n+1},a),t_{n+1}-\delta) = \mathrm{obs}(\sigma,t_{n+1}-\delta)$, and Lemma 4 applies. Moreover, $\mathcal{E}_\varphi(\sigma\cdot(t_{n+1},a),t_{n+1}-\delta,t_{n+1}) = \epsilon = \mathcal{E}_\varphi(\sigma,t_{n+1}-\delta,t_{n+1})$ since only rule idle applies during the considered time interval (for both inputs, as in the previous case).
Furthermore, according to Lemma 7 (p. 52), since $\mathrm{config}_{\mathrm{out}}(\sigma\cdot(t_{n+1},a),t_{n+1}) = (\sigma_{ms}\cdot w,\epsilon,t_{n+1},q',\mathrm{end}(w))$, we get $\mathcal{E}_\varphi(\sigma\cdot(t_{n+1},a),t_{n+1},t) = \mathrm{obs}(\sigma_{ms}\cdot w,t)$. As in the previous case, $\mathrm{config}_{\mathrm{out}}(\sigma,t_{n+1}) = (\sigma_{ms},\sigma_{mc},t_{n+1},q_\sigma,t_F)$, and thus $\mathcal{E}_\varphi(\sigma,t_{n+1},t) = \mathrm{obs}(\sigma_{ms},t)$.
Now we further distinguish two sub-cases, based on whether $\mathrm{end}(\sigma_{ms}\cdot w) = \mathrm{end}(w) > t$ or not (i.e., whether all the elements in the memory can be released as output by date $t$ or not).
∗ Case $\mathrm{end}(w) > t$. We further distinguish two sub-cases based on whether $\mathrm{end}(\sigma_{ms}) > t$ or not.
· Case $\mathrm{end}(\sigma_{ms}) > t$. In this case, since $\sigma_{ms}\cdot w$ is a timed word, $\mathrm{start}(w) \geq \mathrm{end}(\sigma_{ms}) > t$, and hence $\mathrm{obs}(\sigma_{ms}\cdot w,t) = \mathrm{obs}(\sigma_{ms},t)$. We thus derive that $\mathcal{E}_\varphi(\sigma\cdot(t_{n+1},a),t) = \mathcal{E}_\varphi(\sigma,t)$. Also, from the induction hypothesis, we know that $\mathcal{E}_\varphi(\sigma,t) = \mathrm{obs}(E_\varphi(\sigma),t)$.
Regarding the enforcement function $E_\varphi$, we have
$$
\Pi_1(\mathrm{store}_\varphi(\sigma\cdot(t_{n+1},a))) = \Pi_1(\mathrm{store}_\varphi(\sigma))\cdot\min_{\mathrm{lex},\mathrm{end}}\kappa_\varphi(\sigma_s,\sigma_c\cdot(t_{n+1},a)).
$$
Moreover,
$$
\mathrm{obs}(E_\varphi(\sigma\cdot(t_{n+1},a)),t) = \mathrm{obs}(\Pi_1(\mathrm{store}_\varphi(\sigma\cdot(t_{n+1},a))),t) = \mathrm{obs}(\Pi_1(\mathrm{store}_\varphi(\sigma))\cdot\min_{\mathrm{lex},\mathrm{end}}\kappa_\varphi(\sigma_s,\sigma_c\cdot(t_{n+1},a)),t).
$$
If the dates computed by $\mathrm{update}$ differed from those computed by $\kappa_\varphi$, this observation could be of the form $\Pi_1(\mathrm{store}_\varphi(\sigma))\cdot o$ with $\epsilon \neq o \preccurlyeq \min_{\mathrm{lex},\mathrm{end}}\kappa_\varphi(\sigma_s,\sigma_c\cdot(t_{n+1},a))$, contradicting the equality established above. Since these dates are equal, $\min_{\mathrm{lex},\mathrm{end}}\kappa_\varphi(\sigma_s,\sigma_c\cdot(t_{n+1},a)) = w$ with $\mathrm{start}(w) > t$, and hence $\mathrm{obs}(E_\varphi(\sigma\cdot(t_{n+1},a)),t) = \mathrm{obs}(\Pi_1(\mathrm{store}_\varphi(\sigma)),t) = \mathrm{obs}(E_\varphi(\sigma),t)$. Thus, $\mathrm{obs}(E_\varphi(\sigma\cdot(t_{n+1},a)),t) = \mathcal{E}_\varphi(\sigma\cdot(t_{n+1},a),t)$.
· Case $\mathrm{end}(\sigma_{ms}) \leq t$. In this case, $\mathrm{obs}(\sigma_{ms}\cdot w,t) = \sigma_{ms}\cdot\mathrm{obs}(w,t)$, and the same reasoning as in the previous case (with $w = \min_{\mathrm{lex},\mathrm{end}}\kappa_\varphi(\sigma_s,\sigma_c\cdot(t_{n+1},a))$ on both sides) yields the expected result.
∗ Case $\mathrm{end}(w) \leq t$. In this case, similarly following Lemma 7 (p. 52), we have $\mathcal{E}_\varphi(\sigma\cdot(t_{n+1},a),t_{n+1},t) = \mathrm{obs}(\sigma_{ms}\cdot w,t) = \sigma_{ms}\cdot w$. We can also derive that $\mathcal{E}_\varphi(\sigma,t_{n+1},t) = \mathrm{obs}(\sigma_{ms},t) = \sigma_{ms}$ (as $\mathrm{end}(\sigma_{ms}) \leq \mathrm{end}(w) \leq t$). Consequently, we have $\mathcal{E}_\varphi(\sigma\cdot(t_{n+1},a),t) = \mathcal{E}_\varphi(\sigma,t)\cdot w$. From the induction hypothesis, we know that $\mathrm{obs}(E_\varphi(\sigma),t) = \mathcal{E}_\varphi(\sigma,t)$, and thus $\mathcal{E}_\varphi(\sigma\cdot(t_{n+1},a),t) = \mathrm{obs}(E_\varphi(\sigma),t)\cdot w$.
Moreover, we have
$$
\Pi_1(\mathrm{store}_\varphi(\sigma\cdot(t_{n+1},a))) = \Pi_1(\mathrm{store}_\varphi(\sigma))\cdot\min_{\mathrm{lex},\mathrm{end}}\kappa_\varphi(\sigma_s,\sigma_c\cdot(t_{n+1},a)),
$$
and thus
$$
\mathrm{obs}(E_\varphi(\sigma\cdot(t_{n+1},a)),t) = \mathrm{obs}(\Pi_1(\mathrm{store}_\varphi(\sigma))\cdot\min_{\mathrm{lex},\mathrm{end}}\kappa_\varphi(\sigma_s,\sigma_c\cdot(t_{n+1},a)),t).
$$
Since $\sigma_c = \sigma_{mc}$ and, from the definitions of $\kappa_\varphi$ and $\mathrm{update}$, the dates computed for the subsequence $\sigma_c\cdot(t_{n+1},a)$ by $E_\varphi$ and by $\mathcal{E}_\varphi$ are equal, we have $\min_{\mathrm{lex},\mathrm{end}}\kappa_\varphi(\sigma_s,\sigma_c\cdot(t_{n+1},a)) = w$ with $\mathrm{end}(w) \leq t$; as $\Pi_1(\mathrm{store}_\varphi(\sigma))\cdot w$ is a timed word, all its events are dated at most $t$. Hence $\mathrm{obs}(E_\varphi(\sigma\cdot(t_{n+1},a)),t) = \Pi_1(\mathrm{store}_\varphi(\sigma))\cdot w = E_\varphi(\sigma)\cdot w = \mathrm{obs}(E_\varphi(\sigma),t)\cdot w$. Finally, we have $\mathrm{obs}(E_\varphi(\sigma\cdot(t_{n+1},a)),t) = \mathcal{E}_\varphi(\sigma\cdot(t_{n+1},a),t)$.
$\square$