Real-Time Specifications

HAL Id: hal-01087799

https://hal.archives-ouvertes.fr/hal-01087799

Submitted on 26 Nov 2014

HAL is a multi-disciplinary open access

archive for the deposit and dissemination of

sci-entific research documents, whether they are

pub-lished or not. The documents may come from

teaching and research institutions in France or

abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, est

destinée au dépôt et à la diffusion de documents

scientifiques de niveau recherche, publiés ou non,

émanant des établissements d’enseignement et de

recherche français ou étrangers, des laboratoires

publics ou privés.

Real-Time Specifications

Alexandre David, Kim Guldstrand Larsen, Axel Legay, Ulrik Nyman,

Louis-Marie Traonouez, Andrzej Wasowski

To cite this version:

Alexandre David, Kim Guldstrand Larsen, Axel Legay, Ulrik Nyman, Louis-Marie Traonouez, et al..

Real-Time Specifications. Software Tools for Technology Transfer (STTT), Springer, 2015, 17 (1),

pp.29. �10.1007/s10009-013-0286-x�. �hal-01087799�

(willbeinsertedbytheeditor)

Real-Time Spe i ations

⋆

Alexandre David

1

and Kim. G. Larsen

1

and Axel Legay

2

and Ulrik Nyman

1

and Louis-Marie

Traonouez

2

and Andrzej W¡sowski

3

1

ComputerS ien e,AalborgUniversity,Denmark,e-mail:adavid s.aau.dk, kgl s.aau.dk, ulrik s.aau.dk

2

INRIA/IRISA,RennesCedex,Fran e,e-mail:axel.legayinria.fr, louis-marie.traonouezinria.fr

3

ITUniversityofCopenhagen,Denmark,e-mail:wasowskiitu.dk

Re eived:date/A epted:date

Abstra t A spe i ation theory ombines notions of

spe i ations and implementations with a satisfa tion

relation, a renement relation, and a set of operators

supporting stepwise design. We develop a spe i ation

framework for real-time systems using Timed I/O

Au-tomataasthespe i ationformalism,with the

seman-ti sexpressedintermsofTimedI/OTransitionSystems.

Weprovide onstru tsforrenement, onsisten y

he k-ing, logi aland stru tural omposition,and quotientof

spe i ationsallindispensableingredientsofa

ompo-sitionaldesignmethodology.

Thetheory isimplementedin the newtoolE dar.

Wepresentsymboli versions ofthealgorithms usedin

E dar, and demonstrate the use of the tool using a

small asestudyin ompositionalveri ation.

Key words: Real-time systems, Stepwise-Renement,

CompositionalVeri ation,Timed I/OAutomata

1 Introdu tion

Many modern systemsare big and omplex assemblies

ofnumerous omponents.The omponentsareoften

de-signedbyindependentteams,workingundera ommon

agreementonwhattheinterfa eofea h omponentshould

be.Consequently, ompositionalreasoning[41℄,the

math-emati alfoundationsofreasoningaboutinterfa es,isan

a tiveresear h area.It supports inferring properties of

theglobalimplementationfromthe omponents,or

ad-visedlydesigningandreusing omponents.

⋆

Thispaperisanextendedversionoftheworkpreviously

pre-sentedin[24,23,26℄.Themainadditionsare(1)aunied

presenta-tion,(2)adeeperlinkbetweenthetheoryandthetool,(3)proofs

oftheorems,and(4)thedes ription of asestudies.

In a logi al interpretation, interfa es are

spe i a-tions,while omponentsthatimplementaninterfa eare

understoodasmodels/implementations.Spe i ation

the-oriesmaysupport variousfeatures in luding(1)

rene-ment,whi h allowsusto omparespe i ationsaswell

asto repla ea spe i ation byanother onein alarger

design, (2) logi al onjun tion, expressing the

interse -tionofthesetofrequirementsexpressedbytwoormore

spe i ations, (3) stru tural omposition, whi h allows

us to ombine spe i ations, and (4) a quotient

opera-torthat isdual to stru tural omposition.Weshallsee

thatquotientisusefultoperformin rementaldesignand

to reasonaboutassumptions and guarantees.Also, the

operationshaveto be relatedby ompositional

reason-ingtheorems,guaranteeingbothin rementaldesignand

independentimplementability[32℄.

Buildinggoodspe i ationtheoriesisthesubje tof

intensivestudies[20,31℄.Onesu essfullydire tionisthe

theoryofinterfa eautomata[31,32,45,52℄.Inthis

frame-work,aninterfa eisrepresentedbyaninput/output

au-tomaton [50℄, i.e. an automaton whose transitions are

typed with input and output. The semanti s of su h

an automaton is given by a two-player game: the

in-put player represents the environment, and the output

playerrepresentsthe omponentitself. Contraryto the

input/outputmodelproposedbyLyn h[50℄,this

seman-ti oers an optimisti treatment of omposition: two

interfa es an be omposed if there exists at least one

environment in whi h they an intera t together in a

safeway.In [34℄, atimedextensionof thetheory of

in-terfa eautomatahasbeenintrodu ed,motivatedbythe

fa t that time an be a ru ial parameter in pra ti e,

for example in embedded systems. While [34℄ fo uses

mostly on stru tural omposition, in this paper we go

one step further and build a game-based spe i ation

theoryfortimed systemsthat embedsthefourfeatures

automata [42℄, i.e., timed automata whose sets of

dis- retetransitions aresplit into inputand output

transi-tions(seeSe tion 4). Contraryto [34℄and [42℄,we

dis-tinguish betweenimplementationsandspe i ationsby

adding onditionsonthemodels.Thisisdoneby

assum-ingthattheformerhavexedtimingbehaviourandthey

an always advan e either by produ ing an output or

delaying.Wealsoprovideagame-basedmethodologyto

de idewhetheraspe i ationis onsistent,i.e.whether

it hasat least one implementation. The latter redu es

to de iding existen eof astrategy that despitethe

be-haviouroftheenvironmentwillavoidstatesthat annot

possiblysatisfytheimplementationrequirements.

Our theory is equipped with a renement relation

(seeSe tion5).Roughlyspeaking,aspe i ation

S

1

re-nes a spe i ation

S

2

i it is possible to repla e

S

2

with

S

1

in everyenvironmentand obtainanequivalent system that satises thesamespe i ations.In the

in-put/output setting, he king renement redu es to

de- idinganalternatingtimedsimulationbetweenthetwo

spe i ations[31℄.Inourtimedextension, he kingsu h

simulation anbedonewithaslightmodi ationofthe

theory proposed in [15℄. As implementations are

spe -i ations, renement oin ides with thesatisfa tion

re-lation.Ourrenementoperatorhasthemodelin lusion

property,i.e.,

S

1

renes

S

2

ithesetofimplementations satisedby

S

1

isin ludedin thesetofimplementations satisedby

S

2

.Wealsoproposealogi al onjun tion op-eratorbetweenspe i ations(seeSe tion6).Giventwo

spe i ations,theoperatorwill omputeaspe i ation

whose implementations are satisedby both operands.

The operation may introdu e error states that do not

satisfytheimplementationrequirement.Thosestatesare

prunedbysynthesizing astrategyforthe omponentto

avoidrea hingthem.Wealsoshowthat onjun tion

o-in ideswithsharedrenement,i.e.,it orrespondstothe

greatestspe i ationthatrenesboth

S

1

and

S

2

.

Following [34℄,spe i ationsintera tby

syn hroniz-ingoninputsand outputs.However,likein [42,50℄, we

restri tourselvestoinput-enabled systems.This makes

itimpossibletorea hanimmediatedeadlo kstate,where

a omponent proposes an output that annot be

ap-turedbytheother omponent.Here,in he kingfor

om-patibility ofthe omposition of spe i ations,one tries

tosynthesizeastrategyfortheinputstoavoidtheerror

states,i.e.,anenvironmentinwhi hthe omponents an

beusedtogetherin asafeway.Our omposition

opera-toris asso iativeandtherenementisapre ongruen e

withrespe ttoit(seeSe tion7).Weproposeaquotient

operatordualto omposition(seeSe tion8).Intuitively,

given aglobalspe i ation

T

of a ompositesystemas well as the spe i ation of an already realized

ompo-nent

S

,thequotient willreturnthemostliberal spe i- ation

X

forthemissing omponent,i.e.

X

isthelargest spe i ationsu hthat

S

in parallelwith

X

renes

T

.

toolE darthatisanextensionofUppaal-tiga[9℄(see

Se tion 9). It builds on timed input/output automata,

asymboli representationfortimed input/output

tran-sitionsystems.Weshowthat onjun tion, omposition,

andquotienting anberedu edto simpleprodu t

on-stru tionsallowingforboth onsisten yand

ompatibil-ity he kingtobesolvedusingthezone-basedalgorithms

forsynthesizing winning strategiesin timed games [51,

17℄. So while our theory is learly new, our redu tion

allowsus toexploit well-establishedalgorithms and

im-plementationswhi hmakesitrobust.Finally,renement

betweenspe i ations is he ked using avariantof the

re ente ientgame-basedalgorithmof[15℄.The

poten-tialofourtoolisillustratedontwo asestudies,ea hof

them showing the utility of thevarious features of our

theory(seeSe tions10and11).

2 Introdu tory Example

Wewill nowgive aroughoverviewof thetheory using

anexample.Consideravendingma hinethat anserve

teaor oee. Its spe i ationisshownin Fig.1(a). We

usethesyntaxoftimed I/Oautomata[42℄.Thedashed

edges represent outputs and the solid ones orrespond

toinputs.Intheexample,tea!isanoutputand oin?

isan input. Thema hine waits for oins andserves

ei-ther tea or oee with dierent timing onstraints. It

analso servefree teaafter two time units.A possible

implementationofthisma hineisgiveninFig.1(b).

Ourmodelssharethefollowing hara teristi s:

 Both spe i ations and implementations are

deter-ministi . This assumptionree ts ourexperien eof

workingwith engineers,who prefer to reate

deter-ministi spe i ations.Italsoallowsto reatea

the-orywithgoodpropertiesfor ompositionalreasoning.

 Outputtransitionsoftheimplementation

Implemen-tation must arrive at a xed moment in time and

annot be delayed.We saythat an implementation

isoutput-urgent.Spe i ationsareallowedtobe

im-pre ise about timing of outputs, while

implementa-tionshavexed timing. Intuitively, this meansthat

not only the hoi e of a tion, but also the timing

(ofoutputs) isdeterministi .Wedonotrestri t the

timingofinputsastheenvironmentmaywellbenot

predi table.

 InImplementation,we anobservethatea htimethe

output tea! from Idle to Idle is taken,Clo k y is

re-set. Without this reset, the time would be stopped

andtheexe utionwouldbestu kinthelo ationIdle.

Adesirablepropertyisthateither a omponent an

delay or it must be able to produ e some output.

This property, alled independent progress,

guaran-tees that the progress of time an happen without

tea

coin

cof

tea!

coin?

tea!

cof!

coin?

Idle

Serving

y=0

y>=4

y<=6

y>=2

tea

coin

cof

coin?

tea!

y=0

cof!

coin?

Idle

y<=5

Serving

y = 0

y==5

y <= 6

y==6

pub

cof

tea

tea?

tea?

pub!

cof?

pub!

x=0

pub!

tea?

cof?

Idle

x<=8

x<=4

Stuck

Coffee

Tea

x=0

x=0

x<=15

x=0

x>15

x>=4

x>=2

Figure 1:a) Spe i ation of a oee and tea Ma hine, b) an implementation that renes the spe i ation and )

aResear her that usestheMa hine.Initial lo ations aredouble ir led.Transitionguardsare written in greenand

lo kresetsinblue, whilelo ationinvariantsareinpurple.

 Bothspe i ationsandimplementationsareassumed

to be input-enabled. This is a natural requirement

that a omponent annot prevent the environment

from sending an input. Instead we should be able

to des ribe the failure of the system, when an

un-expe ted input arrives.This assumption is madein

manyspe i ationtheories[49,38,56,61,53℄.

Implementations relateto spe i ationsthrough

re-nement.Morepre isely,ourimplementationmodel

Im-plementationrenesourspe i ationMa hineinthesense

thatwheneverImplementationwantstoprodu ean

out-put,thatoutputisallowedbyMa hine,and

Implementa-tiona eptsalltheinputsspe iedbyMa hine.Thenan

implementationisreusableinanyenvironmentwhi h

a - eptsthespe i ation.Alsoanimplementationwillnot

produ e more intera tions than what the spe i ation

allows in su h an environment. We will see later that

he kingrenementredu estoatwo-playergamewhere

theatta kerplaysdelaysandoutputsonImplementation,

andinputsonMa hine,whilethedefenderrespondswith

outputsand delaysonMa hine,and inputsfrom

Imple-mentation.

Moregenerally,therenement anbe usedto

om-parespe i ations.Thankstotheassumptionsof

deter-minismandinput-enabledness,ourrenement oin ides

with implementation set in lusion,that isSpe i ation

A

S

renesSpe i ation

A

T

ifand onlyifthesetof im-plementationsof

A

S

isin ludedinthesetof implemen-tationsof

A

T

.

Considernowthespe i ationof UniSpe inFig.2.

Agooduniversityprodu espatentsasaresultof

re eiv-inggrants.Observethetiming onstraintsthat onstrain

howoftentheuniversityshouldprodu epatents.Our

ob-je tiveistorenethisspe i ationbyanotheronethat

ismorepre iseregardingthebehavioroftheresear hers

and administration sta of the university. We onsider

resear hers who will publish, if provided with tea and

oee,anadministrationthatwillturngrantsinto oins

(to fundtea and oee)while turningpubli ations into

patents, and a oee ma hine that a epts oins and

produ es hotbeverages forthe resear hers.In order to

reasonaboutea h omponentindividually,wewill split

grant

patent

patent!

grant?

grant?

grant?

u>2

u<=2

u<=20

grant?

u=0

patent!

u=0

UniSpe

Figure 2: Spe i ation of the university omponent

(UniSpe ).

the university spe i ation into multiple spe i ations

that wewill ombine using omposition operators.The

resultingspe i ationshall thenbe he kedagainstthe

originaloneusingrenement.

Thespe i ationsforthe oeema hineandthe

re-sear heraregivenin gures1(a)and1( ),respe tively.

We assume that resear hers publish more e iently if

drinking oeethanwhendrinkingtea.Furthermore,

re-sear hersdisliketea,soifteaisservedafteralongperiod

of waiting (15 units of time) the subsequent behaviour

isundenedsupposedlyduetoirritation.Publi ations

areprodu edwiththeoutputpub!.

The ase of the administration is somewhat more

ompli ated.Indeed,administrationshouldnotonlyturn

grantsinto oins,butalsoturnpubli ationsintopatents

a onjun tionof tworequirements.Wewill model ea h

requirement individually and then ompute their

on-jun tion, i.e, the spe i ation that represents the set

oftheir ommonimplementations:Administrationis the

onjun tionof HalfAdm1andHalfAdm2,bothpresented

inFig.3.Observethat bothspe i ationsareinput

en-abled and allow patents and oins as outputs. Given

grants(grant?),resp.publi ations(pub?), oinsare

pro-du ed within 2 time units (with oin!), resp. patents

(with patent!). In general, onjun tion an introdu e

badbehaviorsin spe i ations,i.e,behaviorsthat

an-notbeimplementedbe ausethey donotrespe t

prop-ertiessu hasindependentprogress.Inourtheory su h

grant

patent

pub

coin

pub?

patent!

patent!

coin!

grant?

A

B

pub?

grant?

x<=2

x=0

grant

patent

pub

coin

grant?

coin!

coin!

patent!

pub?

C

D

pub?

grant?

y<=2

y=0

Figure3:Two onjun tsthattogethermodelthe

Admin-istration omponent.

Wearenowreadyto omposeourspe i ationsin

or-dertoderivearenementoftheuniversitymodel.Fig.4

gives the overview of this renement he k. The grey

partof thegure des ribesthe pro essesperformedby

the veri ation engine.The operators aredisplayed

in-sidethe ir les,whilethesquareboxesdenote the

om-putation of an internal representation for the TIOAs.

We put in parallel the omponents for the resear her,

the oee ma hine,and theadministration. Our

veri- ationenginethen he ksifthis ompositionrenesthe

spe i ation of our university. The veri ation is done

in a ompositionalmannerin thesensethat every

om-ponent is explored lo ally, bad behaviour is eliminated

(pruned), and ombinedwith theappropriateoperator,

showninthegure.

Slightlysurprisingly, the renement he k of Fig.4

fails. It turns outthatsin e thema hine allowsthe

re-sear herstogetfreetea,they anpublishforfree,whi h

angivepatentsforfreea s enariothat hasnot been

anti ipatedinthespe i ation.

3 Related Work

Theobje tiveofthisse tionismainlytosurveya

state-of-theartforinterfa etheory,nottomakeanexhaustive

listofallexistingtimed spe i ationtheories.

Ithasbeenargued[31,27,32℄that games onstitute

a naturalmodel for interfa etheories: ea h omponent

is represented by an automaton whose transitions are

typedwith input andoutput modalities.Thesemanti s

ofsu hanautomatonisgivenbyatwo-playergame:the

input player represents the environment, and the

out-put player represents the omponent. Contrary to the

input/outputmodelproposedbyLyn handTuttle[50℄,

this semanti oers(among manyother advantages)an

optimisti treatmentof omposition:twointerfa es an

be omposed ifthereexists atleastoneenvironmentin

whi h they anintera t together in a safeway.

Game-basedinterfa eswererstdevelopedforuntimedsystems

[32,28℄ and implemented in toolssu h asTICC[2℄ and

CHIC[21℄forbothsyn hronousandasyn hronous

mod-els. Therst dense time extension of the theory of

in-terfa eautomatahasbeendevelopedin [34℄,motivated

bythefa tthatrealtimeisa ru ialparameterinsome

systems.Thetheory,whi hextendstimedinput/output

automata[42℄, waslater implementedin TICC,but

us-ingdis retizedrealtimeonly[29℄.Theideaissimilarto

theuntimed ase: omponentsaremodeledusingtimed

input/outputautomata(TIOAs)withatimedgame

se-manti s[17℄. The theory of [34℄ has never been

om-pleted, in the sense that it la ks support for

onjun -tion and renement (in ontrast to the one presented

here).Theusefulnessofsu htheoriesfor ompositional

designof realtime systemsis thuslimited. While

tool-ing is notthe fo us of this paper,let us mention that,

elsewhere[14℄, we show how the E dar tool and our

timed interfa e theory an be used to solve problems

that are beyond the s ope of lassi al Uppaal timed

input/automataextensions[13,11℄.

In [45℄ Larsen proposes modal automata, whi h are

deterministi automataequippedwithtransitionsofthe

following two types: may and must. The omponents

thatimplementsu hinterfa esaresimplelabeled

tran-sitionsystems.Roughly,amusttransitionisavailablein

every omponentthat implements the modal

spe i a-tion,whileamaytransitionneednotbe.Re ently[12℄a

timedextensionofmodal automata wasproposed.This

seriesofworks,whi h generalizesanearlyattempt[19℄,

embeds all the operationspresentedin the present

pa-per. However, modalities are orthogonal to inputs and

outputs,and itis well-known [47℄ that, ontraryto the

game-semanti approa h,they annotbeusedto

distin-guishbetweenthebehaviorsofthe omponentandthose

oftheenvironment.

Among other modeling languages for spe i ation,

one nd those that use logi al representations su h as

TimedComputationalTreeLogi (TCTL),Metri T

em-poral Logi (MTL), or duration. While su h logi s are

generally onvenienttoreasononindividualrequirements

[54℄, they are generally not suited for operations su h

asstru tural omposition and quotient. Tothe best of

ourknowledge,theexpressivenessrelationbetween

log-i alformalismandtimedI/Oautomataortimedmodal

spe i ations remains unknown. There are also timed

extensionsoflanguagessu hasCSP.A omparison

be-tweenCSP(andrelatedpro essalgebralanguages)and

interfa etheories anbefoundin[8℄.

Finally,letusaddthatnumerousauthorshave

stud-iedinterfa etheoriesand omponentbaseddesign.

Am-ongthem,onendsaseriesofverypra ti alworksthat

donotstudyquotientand onjun tion,butratherfo us

onri her ompositionoperationsand spe i modelsof

omputationforinter onne tionandsoftwaredesign[1,

36,37℄.Anotherexampleistheseriesofmorere ent

pa-persthatfo uson ompositionandperforman eanalysis

ors hedulingforembeddedsystems[40℄.Whileour

Engine

tea!

coin?

tea!

cof!

coin?

Idle

Serving

y=0

y>=4

y<=6

y>=2

Ma hine

pub?

patent!

patent!

coin!

grant?

A

B

pub?

grant?

x<=2

x=0

HalfAdm1

grant?

coin!

coin!

patent!

pub?

C

D

pub?

grant?

y<=2

y=0

HalfAdm2

tea?

tea?

pub!

cof?

pub!

x=0

pub!

tea?

cof?

Idle

x<=8

x<=4

Stuck

Coffee

Tea

x=0

x=0

x<=15

x=0

x>15

x>=4

x>=2

Resear her

grant?

grant?

grant?

patent!

patent!

grant?

Grant

Start

End

u=0

u<=2

u=0

u<=20

u>2

explore and prune in ternal TIO A && onjun tion

k

omp osition

ombinewithoperator

≤

renemen t he k yes/no+strategy

Figure4:Illustrationofthestepsperformedina on reterenement he k.Thegrayboxrepresentsthepart arried

outinternallybytheveri ationengine.

learnfromthosemodelsandthe asestudiestheyhandle

in ordertoextendour omposition operation.

Thereareof ourseothertoolsandtheoriesfortimed

systems.Asanexample,anothertoolsupporting

rene-ment is PAT [57,58℄. Unlike E dar, it builds on CSP

with afailure,divergen e,andrefusal semanti s,whi h

makesadire t omparison di ult. However,the CSP

theory does not support quotienting nor simple

on-jun tion of spe i ations.And thus, in ontrastto

E -dar,PATdoesnotsupportassume/guaranteereasoning

aboutsystems.This relatedwork surveyonlythe

posi-tionofourworkin theinterfa etheorysetting.

4 Spe i ations and Implementations

Weuse four lassesofobje tsin our

theoryspe i a-tions,andmodels(implementations)togetherwiththeir

respe tive behavioral semanti s as transition systems.

Twokindsofrelationsareusedbetweenthefour lasses:

operationalsemanti sandsatisfa tion.Fig. 5showsan

overviewofthefour lassesof obje tsand relations

be-tweenthem.

Wedistinguishspe i ations and models. Intheleft

partofFig.5,aspe i ation

A

andamodel

X

anbe re-lated throughasatisfa tionrelation

|=

, relatingmodels andspe i ations.ThelefthalfofFig.5,showssynta ti

obje ts(spe i ationsand implementations), while the

right half shows the semanti obje ts (spe i ation

se-manti s andimplementationsemanti s). Horizontal

ar-rowspointfromsynta ti obje tstotheirsemanti s.

Ver-ti alarrowspointfromspe i ationsdownwardstotheir

models(bothin thesynta ti andthesemanti halves).

Traditionallyspe i ationsarelogi alformulas,and

models are witnesses of onsisten y of these formulas.

This is the view that most of the model- he king [22,

7℄ resear h takes. In our ase, spe i ations are timed

games[51℄, resembling timed automata[3℄. Sin e these

are symboli nite representations des ribing

ontinu-ous state behavior, it is onvenient to distinguish

an-other semanti layer,whi h des ribesthis behavior

op-A

X

S

=

J

A

K

sem

P

=

J

X

K

sem

|=

|=

J

·

K

sem

J

·

K

sem

timed I/O

transition systems

(infinite)

timed I/O

automata

(finite)

sp

ec

ifi

ca

ti

o

n

s

(i

m

p

le

m

en

ta

ti

o

n

s)

m

o

d

el

s

Figure5:Semanti Layer'sinourspe i ationtheory

erationally. Thus we will say that the semanti s of a

spe i ation

A

(respe tivelyofanimplementation

X

)is given by a Timed I/O Transition System

J S K

sem

(re-spe tivelyof aTimed I/OTransitionSystem

J X K

sem

).

Ourtransitionsystemsareverysimilartothoseindu ed

bypro essesin[63℄,ex eptthattheirdis retea tionsare

splitintoinputsandoutputs,likeinI/Oautomata[49℄.

UnlikeinI/Oautomatawegivethemagamesemanti s,

notthelanguagesemanti s.

Throughoutthepresentationofourspe i ation

the-ory,we ontinuously swit h themodeof dis ussion

be-tweenthesemanti and synta ti levels.Ingeneral,the

formalframeworkisdevelopedforthesemanti obje ts,

Timed I/OTransition Systems (TIOTSsin short) [39℄,

andenri hedwithsynta ti onstru tionsforTimedI/O

Automata (TIOAs),whi h a tas asymboli and nite

representation for TIOTSs. However, the theory for

TIOTSsdoesnotrelyinanywayontheTIOAs

represen-tationone an build TIOTSs that annot be

repre-sentedbyTIOAs,andthetheoryremainssoundforthem

(althoughwewould notknowhowto manipulatethem

symboli ally).

Denition1. ATimedI/OTransitionSystem(TIOTS)

isatuple

S = (

St

S

_{, s}

0

, Σ

S

, −

→

S

)

,whereSt

S

set ofstates,

s

0

∈

St istheinitialstate,

Σ

S

_{= Σ}

S

i

⊕ Σ

S

o

isanitesetofa tionspartitionedintoinputs(

Σ

S

i )and outputs(

Σ

S

o ),and

−

→

S

_:

St

S

_×(Σ

S

_∪R

≥0

)×

St

S

isa

transi-tionrelation.Wewrite

s

a

−→

S

_s

′

insteadof

(s, a, s

′

_{) ∈ −}

_→

S

, andwewrite

s

a

−→

S

if

∃s

′

_.s

_−→

a

S

_s

′

,anduse

i?

,

o!

and

d

to rangeoverinputs,outputsand

R

≥0

respe tively. T ran-sitions that are labelled by a tions (inputs oroutputs)

are alleddis rete transitions,whiletransitionslabelled

by real values are alled timed transitions. In addition

anyTIOTSsatisesthefollowing:

[timedeterminism℄if

s

d

−→

S

_s

′

and

s

d

−→

S

_s

′′

then

s

′

_{= s}

′′

[timereexivity℄

s

0

−→

S

s

forall

s ∈ St

S

[time additivity℄forall

s, s

′′

_∈

St

S

andall

d

1

, d

2

∈ R

≥0

, we have

s

d

1

+d

2

−−−−→

S

s

′′

i

s

d

1

−−→

S

s

′

and

s

′ d

2

−−→

S

s

′′

for an

s

′

_∈

St

S

.

Weonlyworkwithdeterministi TIOTSsinthispaper:

for all

a ∈ Σ ∪ R

≥0

whenever

s

a

−→

S

s

′

and

s

a

−→

S

s

′′

, we have

s

′

_{= s}

′′

(determinismisrequirednotonlyfortimed

transitions,butalsofordis retetransitions).Intherest

of the paper, we often drop the adje tive

'determinis-ti '. Of ourse, this denition of determinismdoesnot

preventfromissuingseverala tionsfromthesamestate,

theonlyrestri tionisthatonegivena tion anonlytake

thesystemto adeterministi lo ation.

ForaTIOTS

S

andasetofstates

X

,wewrite:

pred

S

a

(X) =

n

s ∈

St

S





∃s

′

∈ X. s

−→s

a

′

o

(1)

forthesetofall

a

-prede essorsofstatesin

X

.Wewrite ipred

S

_(X)

for the set of all input prede essors, and

opred

S

_(X)

foralltheoutputprede essorsof

X

:

ipred

S

_{(X) =}

S

a∈Σ

S

i pred

S

a

(X)

(2) opred

S

_{(X) =}

S

a∈Σ

S

o pred

S

a

(X) .

(3) Also post

S

[0,d

0

]

(s)

is the set of all time su essors of a

state

s

that anberea hedbydelayssmallerorequalto

d

0

: post

S

[0,d

0

]

(s) =

n

s

′

∈

St

S





∃ d ∈ [0, d

0

]. s

−→

d

S

s

′

o

(4)

Following[51℄ we will later use these operators to nd

strategiesforsafetyandrea habilityobje tivesimposed

onTIOTSs.

Weshallnowintrodu eanitesynta ti symboli

repre-sentationforTIOTSsin termsofTimedI/OAutomata

(TIOAs). Let Clk be anite set of lo ks. A lo k

val-uation overClk is a mapping

u ∈ [

Clk

7→ R

≥0

]

. Given

d ∈ R

≥0

,wewrite

u + d

todenoteavaluationsu hthat forany lo k

r

wehave

(u + d)(r) = x + d

i

u(r) = x

. Wewrite

u[r 7→ 0]

r∈c

foravaluation whi h agreeswith

u

onall valuesfor lo ksnotin

c

,and returns0forall lo ks in

c

. Let op be the set of relational operators: op

= {<, ≤, >, ≥}

.AguardoverClkis anite onjun -tion of expressions of the form

x ≺ n

, where

≺

is a

relationaloperator and

n ∈ N

. Wewrite

B(Clk)

forthe setofguardsoverClkusingoperatorsinthesetop,and

U(Clk)

forthesubsetofupperboundguardsusingonly theoperators

{<, ≤}

.Wealsowrite

P

(X)

forthe pow-ersetofaset

X

.

Denition2. A Timed I/O Automaton (TIOA) is a

tuple

A = (

Lo

, q

0

,

Clk

, E, Act,

Inv

)

whereLo isanite setoflo ations,

q

0

∈

Lo istheinitiallo ation, Clk isa nitesetof lo ks,

E ⊆

Lo

×

A t

×B(

Clk

)×P(

Clk

)×

Lo is a set of edges, A t

=

A t

i

⊕

A t

o

is a nite set of

a tions,partitionedintoinputsandoutputsrespe tively,

andInv

:

Lo

7→ U(Clk)

isaset oflo ationinvariants.

If

(q, a, ϕ, c, q

′

_{) ∈ E}

isanedge,then

q

isaninitial lo a-tion,

a

is ana tion label,

ϕ

is a onstraint over lo ks thatmust besatisedwhentheedgeis exe uted,

c

isa setof lo ksto bereset,and

q

′

isatargetlo ation.We denoteNextInv

(q

′

_{, c) =}

_{V{x ≺ n | x ≺ n ∈}

Inv

(q

′

_{) ∧ x /}

_∈

c}

the invariant of the next lo ation that restri t the guardoftheedge.ExamplesofTIOAshavebeenshown

intheintrodu tion.

Wedene thesemanti ofaTIOA

A = (

Lo

, q

0

,

Clk

,

E,

A t

,

Inv

)

to be a TIOTS

J A K

sem

= (

Lo

× (

Clk

7→

R

≥0

), (q

0

,

0

),

A t

, −

→)

,where0isa onstantfun tion map-ping all lo ks to zero, and

−

→

is the largesttransition relationgenerated bythefollowingrules:

(q, a, ϕ, c, q

′

_{) ∈}

E

u

∈ [

Clk

7→ R

≥0

]

u

|= ϕ

u[r 7→ 0]

r

∈c

|=

Inv

(q

′

₎

(q, u)

a

−

−

→(q

′

_{, u[r 7→ 0]}

_r

∈c

)

q

∈

Lo

u

∈

ˆ

Clk

7→ R

≥0

˜

d

∈ R

≥0

u

+ d |=

Inv

(q)

(q, u)

d

−→(q, u + d)

TheTIOTSsindu edbyTIOAs,a ordingtotheabove

rules,satisfytheaxiomsofDenition1:time

determin-ism,timereexivity,timeadditivity.Moreover,inorder

toguaranteedeterminismof

J A K

sem

,theTIOA

A

hasto bedeterministi : forea ha tionlo ationpaironlyone

transition anbeenabledat thesametime.

This anbe he kedalgorithmi allywithastandard

he k for disjointnessof guards of transitions with the

same a tion. For ea h lo ation

q

and ea h a tion

a ∈

A t, he kwhetherallitsguardsaremutuallyex lusive.

Formally, let

G

q,a

bethe set of strengthenedguardsof all

a

transitionsleaving

q

:

G

q,a

= {ϕ ∧

NextInv

(q

′

_{) |}

whenever

(q, a, ϕ, c, q

′

_{) ∈ E}}

(5)

Toguarantee determinism he kfor ea h pair

ψ

1

, ψ

2

∈

G

q,a

whetherthe onjun tionInv

(q) ∧ ψ

1

∧ ψ

2

is in on-sistent,anddothatforalllo ations.

Weassumethat allTIOAsbelowaredeterministi .

4.1 Spe i ations

Wewillnowintrodu eournotionsofspe i ationsand

Denition3(Spe i ation). A TIOTS

P = (

St

P

_,

p

0

, Σ

P

, −

→

P

)

isaspe i ationsemanti sifea hstate

s ∈

St

P

isinput-enabled:forea hinput

i? ∈ Σ

P

i there exists astate

s

′

_∈

St

P

su hthat

s

i?

−−→

P

_s

′

.

ATIOA

A

isaspe i ation iitssemanti s

J A K

sem

isinput-enabled.

Theassumptionofinput-enabledness,alsoseeninmany

spe i ationtheories[49,38,56,61,53℄,ree tsourbelief

that aninput annotbepreventedfrom beingsenttoa

system, but it might be unpredi table howthe system

behavesafter re eivingit. A standardway of modeling

adisallowedinputin su hasettingistoredire tittoa

spe ial universal state, where all a tionsare enabled

thebehaviourofthesystembe omesunpredi tableafter

rea hingthisstate.

Input-enablednessen ouragesexpli itmodelingofthis

unpredi tability, and ompositional reasoningabout it;

for example, it allows asking if an unpredi table

be-haviour of one omponent indu es unpredi tability of

theentiresystem.

Inpra ti e,toolsshouldnotrequiretheusersto

spe -ifyinput-enabledautomata,asthisqui klybe omes

te-dious.Therearehowevergoodstrategiesformaking

au-tomata input-enabled. First, absent inputs an be

in-terpreted as ignored inputs, orresponding to lo ation

loopsintheautomatonthat anbeaddedautomati ally.

Se ond,absentinputs anbeinterpretedasunavailable

(blo king) inputs, whi h are modeled by adding

im-pli it transitions to adesignatederror lo ation(for

ex-ample auniversal lo ation as suggested above). Later,

inSe tion7,wewill allsu hastatestri tlyundesirable

andgivearationaleforthisname.

Inorder to he kthat aTIOA

A

indu es an input-enabled TIOTS

J A Ksem

, de ide for ea h lo ation

q ∈

Lo

A

andea h inputa tion

i? ∈

A tifa disjun tionof guardsofoutgoingtransitions labelledby

i?

is entailed by Inv

(q)

. Formally, if

G

q,i?

is the set of strengthened guards (see (5)) of all

i?

transitions leaving

q

, then in orderto he kif

i?

isalwaysenabledinlo ation

q

, he k

Inv

(q)

entails

_

ψ∈G

g,i?

ψ

(6)

To he kiftheentirespe i ationautomatonis

input-enabledjustrepeatthe he kforalllo ationinputpairs.

4.2 Implementations

The roleof spe i ationsin a spe i ationtheory is to

abstra t, or underspe ify, sets of possible

implementa-tions.Wewillassumethatimplementationsoftimed

sys-temshavexedtimingbehaviour(outputso urat

pre-di tabletimes)andsystems analwaysadvan eeitherby

produ ing anoutput ordelaying.This isformalized

us-ing axioms of output-urgen y and independent-progress

below:

Denition4(Implementation). ATIOTS

P = (

St

P

_,

p

0

, Σ

P

, −

→

P

)

is an implementation semanti s if it is a spe i ation semanti sthat fullls the output urgen y

andindependentprogress onditions,soifforea hstate

p ∈

St

P

werespe tivelyhave: [outputurgen y℄

∀ p

′

_{, p}

′′

_∈

St

P

if

p

o!

−−→

P

p

′

and

p

d

−→

P

p

′′

then

d = 0

(andthus, duetodeterminism

p = p

′′

)

[independentprogress℄either

(∀d ≥ 0. p

d

−→

P

₎

or

∃ d ∈ R

≥0

. ∃ o! ∈ Σ

P

o

. p

d

−→p

′

and

p

′ o!

_−−→

P

.

A TIOA

A

is an implementation i

A

is a

spe i- ation and its semanti s,

J A K

sem

, fullls independent

progressandoutputurgen y.

Independentprogressisoneofthe entralproperties

in ourtheory: it states that an implementation annot

evergetstu kinastatewhereitisuptotheenvironment

toindu etheprogressoftime.Soineverystatethereis

either an output transition (whi h is ontrolled by the

implementation) or anability to delay until an output

ispossible.Otherwiseastate andelayindenitely. An

implementation annotwaitforaninputfromthe

envi-ronmentwithoutlettingtimepass.

Remark1. Ournotionofimplementationremainsatthe

theorylevel.Generatingexe utable odeandtaking

ro-bustnessintoa ountisnotthetopi ofthispaper.

How-ever,one ouldexploit existingworks[5℄togenerate

ro-bustC odefromagiventimedautomaton.

In Se tion 9 we des ribe how to he kfor

indepen-dentprogressandotherimportantpropertiesof

spe i- ations.

4.3 Spe i ationsasTimedGames

Spe i ationsareinterpretedastwo-playerreal-time

ga-mesbetweentheoutputplayer (the omponent)andthe

inputplayer (the environment).Theinputplayerplays

with a tions in A t i

and the output playerplays with

a tionsinA t o

.Astrategyforaplayerisafun tionthat

deneshismoveatanystate(eitherdelayingorplaying

a ontrollablea tion).Aswewillexplaininthefollowing

se tions,strategiesforoutput(respe tivelyinput) anbe

interpretedasimplementations(respe tively ompatible

environments).

Astrategyis alledmemoryless ifthenextmove

de-pendssolelyonthe urrentstate.Weonly onsider

mem-orylessstrategies,asthese su e forsafetygames [30℄.

Forsimpli ity, we only dene strategiesfor the output

player(i.e.outputistheverier).Denitions forthe

in-putplayerareobtainedsymmetri ally.

Denition5. Amemorylessstrategy

f

o

fortheoutput playerontheTIOA

A

isapartial fun tion St

J A K

sem

7→

A t o

∪ {delay}

,su h that If

f

o

(s) ∈

A t o then

∃s

′

_.s

_{−−−−→}

f

o

(s)

S

_s

′

.

If

f

o

(s) = delay

then

∃s

′′

_.s

_−→

d

S

_s

′′

forsome

d > 0

,and

f

o

(s

′′

) = delay

.

The game pro eeds asa on urrent game between the

twoplayers.Then,byapplyingastrategy

f

o

,theoutput player restri tsthe set of rea hable statesfrom the

se-manti s.This denestheout ome of thestrategy,su h

that for a state

s ∈

St

J A K

sem

, Out ome

(s, f

o

)

is the set ofstatesdenedindu tivelyby:



s ∈

Out ome

(s, f

o

)

,  if

s

′

_∈

Out ome

(s, f

o

)

and

s

′ a

_−→s

′′

,then

s

′′

_∈

Out ome

(s, f

o

)

if one the following onditions holds: 1.

a ∈

A t

i

, 2.

a ∈

A t

o

and

f

o

(s

′

_{) = a}

, 3.

a ∈ R

≥0

and

∀d ∈ [0, a[ .∃s

′′′

_{. s}

′ d

_−→s

′′′

and

f

o

(s

′′′

_{) = delay}

.

Inasafetygame,thewinning onditionistoavoidaset

Badof bad states.A strategy

f

o

is awinningstrategy from state

s

if andonlyifOut ome

(s, f

o

) ∩

Bad

= ∅

. A state

s

iswinningifthereexistsawinningstrategyfrom

s

,andthegameiswinningifandonlyiftheinitialstate iswinning.Solvingthisgameisde idable[51,17,24℄.

5 Satisfa tion, Renementand Consisten y

Anotionofrenement allowsto omparetwo

spe i a-tionsaswellasto relateanimplementationto a

spe i- ation. Renementshould satisfythefollowing

substi-tutability ondition. If

P

renes

Q

, then it should be possibleto repla e

Q

with

P

in everyenvironmentand obtainanequivalentsystem.

Westudythesekindofpropertiesinlaterse tions.It

iswellknownfromtheliterature[31,32,15℄thatinorder

togivethesekindofguaranteesarenementshouldhave

theavourofalternating (timed)simulation[4℄.

Denition6(Renement

≤

). ATIOTS

S = (

St

S

_{, s}

0

,

Σ, −

→

S

)

renes a TIOTS

T = (

St

T

_{, t}

0

, Σ, −

→

T

)

, written

S ≤ T

,ithereexistsabinaryrelation

R ⊆

St

S

_×

St

T

on-taining

(s

0

, t

0

)

su hthatforea hpairofstates

(s, t) ∈ R

wehave: 1.whenever

t

i?

−−→

T

t

′

forsome

t

′

_∈

St

T

then

s

i?

−−→

S

s

′

and

(s

′

_{, t}

′

_{) ∈ R}

forsome

s

′

_∈

St

S

2.whenever

s

o!

−−→

S

s

′

forsome

s

′

_∈

St

S

then

t

o!

−−→

T

t

′

and

(s

′

, t

′

) ∈ R

forsome

t

′

_∈

St

T

3.whenever

s

d

−→

S

s

′

for

d ∈ R

≥0

then

t

d

−→

T

t

′

and

(s

′

_{, t}

′

_{) ∈}

R

forsome

t

′

_∈

St

T

A spe i ationautomaton

A

1

renesanother spe i a-tion automaton

A

2

, written

A

1

≤ A

2

, i

J A

1

K

sem

≤

J A

2

K

sem .

Itiseasytoseethattherenementisreexiveand

tran-sitive,soitis apreorderon theset ofall spe i ations

tea

coin

cof

Ma hine2

Figure6:A oeema hinespe i ationthatrenesthe

oeema hinein Fig.1.

(and, of ourse, also on the set of all spe i ation

se-manti s). Renement an be he ked for spe i ation

automata by redu ingthe problem to a spe i

rene-mentgame,andusingasymboli representationto

rea-sonabout it. We dis uss details of this pro ess in

Se -tion9.

Fig.6showsa oeema hinethatisarenementof

theonein Fig.1. It hasbeenrened in two ways: one

outputtransitionhasbeen ompletelydroppedandone

stateinvarianthasbeentightened.

Sin e ourimplementations area sub lass of

spe i- ations,wesimplyuserenement asanimplementation

relation:

Denition7(Satisfa tion). An implementation

se-manti s TIOTS

P

satises aspe i ationsemanti s

S

, written

P |= S

, i

P ≤ S

. An implementation

I

sat-isesaspe i ation

A

i

J I Ksem

|= J A Ksem

. Wewrite

J A Kmod

forallsemanti modelsof

A

,so

J A Kmod

= {P |

P

isaTIOTSand

P |= J A K

sem

}

.

Fromalogi alperspe tive,spe i ationsarelike

for-mulae,andimplementationsaretheirmodels.This

anal-ogyleadsusto a lassi alnotionof onsisten y,as

exis-ten eofmodels.

Denition8(Consisten y). A spe i ation

seman-ti sTIOTS

S

is onsistentifthereexistsaninput-enabled TIOTS

P

su hthat

P |= S

,and

P

isanimplementation semanti s.Aspe i ation

A

is onsistentifits spe i a-tionsemanti s,

J A K

sem

,is onsistent.

Allspe i ationsshownuntilnoware onsistent.An

exampleofanin onsistentspe i ation anbefoundin

Fig.7:noti ethattheinvariantinthese ondstate(

x≤4

) isstrongerthantheguard(

x≥5

)onthe of!edge; there-forethis statedoes notfulll the independent progress

ondition,andit annotbeimplemented.

Wealsodeneasoundlystri ter,moresynta ti ,

no-tionof onsisten y,whi hrequiresthatallstatesare

tea

coin

cof

In onsistent

Figure7:An in onsistentspe i ation.

Denition9(Lo al Consisten y). A state

s

of a

spe i ation semanti s

S

is lo ally onsistent if it ful-llsindependent progress.

S

is lo ally onsistenti ev-erystate

s ∈

St

S

islo ally onsistent.Aspe i ation

A

islo ally onsistentif

J A Ksem

is lo ally onsistent.

Lemma1. Everylo ally onsistentspe i ation

seman-ti s

S

is onsistentinthe sense ofDef. 8.

Proof (Lemma1). Letusbeginwithdeningan

auxil-iaryfun tion

δ

whi h hoosesadelayandanoutputfor everylo ally onsistentstate

s

:

δ

s

=











d

forsome

d

su hthat

s

d

−→

S

s

′

and

∃o!. s

′ o!

_−−→

S

+∞

if

∀d ≥ 0. s

d

−→

S

(7)

Notethat

δ

isafun tion,soitalwaysgivesaunique valueofadelayforanystate

s

,thusintherst asewe meanthat anarbitrary xedvalueis hosenoutof

un- ountablymanypossiblevalues.Itisimmaterialforthe

proofwhi hofthemanyvaluesis hosen.Itisimportant

howeverthat

δ

istimeadditiveinthefollowingsense:if

s

_−→s

d

′

and

d ≤ δ

s

then

δ

s

′

+ d = δ

s

.Itisalwayspossible to hoosesu hafun tion

δ

duetotimeadditivityof

−

→

S

,

andlo al onsisten yof

S

.

Wewantto synthesizeaTIOTS

P = (

St

P

_{, p}

s

0

, Σ

P

_,

−

→

P

)

, where St

P

_{= {p}

s

| s ∈

St

S

_}

,

Σ

P

_{= Σ}

S

with the

same partitioning into inputs and outputs, and

−

→

P

is

thelargesttransitionrelationgeneratedbythefollowing

rules:

s

_−−→

i?

S

_s

′

_{i? ∈ Σ}

S

i

p

s

−−→

i?

P

p

s

′

(8)

s

_−−→

o!

S

_s

′

_{o! ∈ Σ}

S

o

δ

s

= 0

p

s

−−→

o!

P

p

s

′

(9)

s

_−→

d

S

_s

′

_{d ∈ R}

≥0

d ≤ δ

s

p

s

−→

d

P

p

s

′

(10)

Sin e

P

only takes asubset oftransitions of

S

, the determinismof

S

impliesdeterminismof

P

.The transi-tionrelationof

P

istime-additiveduetotimeadditivity of

−

→

J A K

sem

andof

δ

.It isalso time-reexivedueto the

last rule (

0 ≤ δ

s

for every state

s

and

−

→

S

was time

reexive).So

P

isaTIOTS.

Thenew transitionrelation isalso input-enabledas

it inherits input transitions from

A

, whi h was input enabled. The se ond rule guarantees that outputs are

urgent(

P

onlyoutputswhennofurther delaysare pos-sible).Moreover

P

observesindependentprogress. Con-siderastate

p

s

.Then,if

δ

s

= +∞

, learly

p

s

andelay indenitely.If

δ

s

isnite,thenbydenition of

δ

andof

P

, thestate

p

s

andelayand thenprodu e anoutput. Thus

P

satises onditionsofDef.8.

Now,thefollowingrelation

R ⊆

St

P

_×

St

S

witnesses

P |= S

:

R =

n

(p

s

, s) | p

s

∈

St

P

and

s ∈

St

J A K

sem

o

(11)

This is argued using an unsurprising oindu tive

argu-ment.Obviously,

(p

s

₀

, s

0

) ∈ R

.Nowforany

(p

s

, s) ∈ R

:

 If

s

i?

−−→

S

_s

′

with

i? ∈ Σ

S

i

, then a ording to rule 8

p

s

−−→

i?

P

p

s

′

.  If

p

s

o!

−−→

P

_p

s

′

with

o! ∈ Σ

S

o

, thena ordingto rule 9

s

_−−→

o!

S

_s

′

.

 If

p

s

d

−→

P

_p

s

′

with

d ∈ R

≥0

,thena ordingtorule10

s

_−→

d

S

_s

′

.

Thisprovesthat

R

isarenementrelation.

⊓

⊔

Itfollowsdire tly that:

Corollary1. Everylo ally onsistentspe i ationis

on-sistent(inthe sense ofDef.8).

We shall see later (Figure 8) that the impli ation

oppositetotheone ofCorollary1doesnothold.To

es-tablishlo al onsisten y,orindependentprogress,fora

TIOA,itsu esto he kforea hlo ationifthe

supre-mum of all solutions of its invariant exists, whether it

satises the invariantitself and allows at least one

en-abledoutputtransition.

Priorspe i ationtheoriesfordis retetime[45℄and

probabilisti [16℄systemsrevealtwomainrequirements

foradenitionofimplementation.Thesearethesame

re-quirementsthataretypi allyimposedonadenitionofa

modelasaspe ial aseofalogi alformula.First,

imple-mentationsshouldbe onsistentspe i ations(logi ally,

models orrespond to some onsistent formulae).

Se -ond, implementations should befully spe ied(models

annotberenedbynon-models),asopposed toproper

spe i ations,whi hshouldbeunderspe ied.For

exam-ple, in propositionallogi s, amodel is representedasa

omplete onsistentterm.Anyimpli antofsu haterm

is also a model (in propositional logi s, it is a tually

equivalenttoit).

Our denition of implementation satises both

re-quirements, and to the best of our knowledge, is the

rst exampleof a proper notion of implementation for

timed spe i ations. As the renement is reexive we

get

P |= P

foranyimplementation and thus ea h im-plementation is onsistent as per Def. 8. Furthermore

underspe iedspe i ations:

Lemma2. Any lo ally onsistent spe i ation

seman-ti s

S

reninganimplementationsemanti s

P

isan im-plementationsemanti s asperDef. 4.

Proof (Lemma 2). Observe rst that

S

is already lo- ally onsistent, soallstatesof

S

warrantindependent progress. We only need to argue that they also verify

outputurgen y.

Withoutlossofgenerality,assumethat

J S K

sem

only

ontainsstatesthatarerea hableby(sequen esof)

dis- reteortimedtransitions.

If

S

only ontainsrea hablestates,everystateof

S

hastoberelatedtosomestateof

P

inarelation

R

wit-nessing

S ≤ P

(outputanddelaytransitionsneedtobe mat hedintherenement;inputtransitionsalsoneedto

bemat hedas

P

isinputenabledand

S

isdeterministi ). This anbearguedforusingastandard,thoughslightly

lengthyargument,by formalizing rea hable statesasa

xpointofamonotoni operator.

Now, that we know that every stateof

S

is related tosomestateof

P

onsideranarbitrary

s ∈

St

S

andlet

p ∈

St

P

besu hthat

(s, p) ∈ R

.Thenif

s

o!

−−→

S

s

′

forsome state

s

′

_∈

St

S

and an output

o! ∈ Σ

S

o , it mustbethat also

p

o!

−−→p

′

for some state

p

′

_∈

St

P

(and

(s

′

_{, p}

′

_{) ∈ R}

).

But sin e

P

is animplementation, itsoutputs mustbe urgent,so

p 6

d

−−→

P

forall

d > 0

,and onsequently

s 6

d

−−→

S

for all

s > 0

.We have shown that all statesof

S

have urgentoutputs(ifany)andthus

S

isanimplementation.

⊓

⊔

Corollary 2. Any lo ally onsistentspe i ation

S

re-ninganimplementation

P

isanimplementationitself.

We on ludethese tionwiththerstmajortheorem.

Observethat everypreorder



is intrinsi ally omplete inthefollowingsense:

S  T

iforeverysmallerelement

P  S

also

P  T

.Thismeansthat arenementoftwo spe i ations oin ides with in lusion of sets of all the

spe i ationsreningea hofthem:

S ≤ T

i

{P | P ≤ S} ⊆ {P | P ≤ T }

(12)

However, sin eout of all spe i ations onlythe

imple-mentations orrespond to real world obje ts, another

ompletenessquestionismorerelevant:doesthe

rene-ment oin idewiththein lusionofimplementationsets?

Thisproperty,whi hdoesnotholdforpreordersin

gen-eral,turns outtoholdfor ourrenement:

Theorem1(RenementIsThorough). Foranytwo

lo ally onsistentspe i ations

A

,

B

wehave that

A ≤ B

i

J A K

mod

⊆ J B Kmod

(13)

Wesplit theproofofTheorem1intotwolemmas.

Lemma3(Soundness). Foralllo ally onsistent

spe -i ation semanti s

S

and

T

,if

S ≤ T

then for any im-plementationsemanti s

P

,

P |= S

implies

P |= T

.

transitivityof the renementrelation. Consideran

im-plementationsemanti s

P

of

S

.Then

P ≤ S

and

S ≤ T

,

implies

P ≤ T

,whi h provesthat

P |= T

.

⊓

⊔

Lemma4(Completeness). For alllo ally onsistent

spe i ationsemanti s

S

and

T

,if forany implementa-tionsemanti s

P

,

P |= S

implies

P |= T

,then

S ≤ T

.

Inthefollowingwewrite

p |= s

forstates

p

and

s

of TIOTS

P

(respe tively

S

)meaning that there exists a relation

R

′

witnessing

P |= S

that ontainsthepairof states

(p, s)

.

Proof (Lemma 4). Assume that every model of

S

is a

modelof

T

.Considertherelation

R ⊆

St

S

_×

St

T

:

R = {(s, t) |

forea himplementationTIOA

P

itholdsthat

(p

P

0

|= s =⇒ p

P

0

|= t)} ,

(14)

where

p

P

0

denotes theinitialstateof

P

.Weshall argue that

R

witnesses

S ≤ T

. It follows dire tly from the denition of

R

and the assumption on model in lusion that

(s

0

, t

0

) ∈ R

.Now onsider apair

(s, t) ∈ R

.There aretwo asesto be onsidered:

 For any input

i?

there exists

t

′

_∈

St

T

su h that

t

_−−→

i?

T

_t

′

.Weneedtoshowexisten eofastate

s

′

_∈

St

S

su hthat

s

i?

−−→

S

_s

′

and

(s

′

_{, t}

′

_{) ∈ R}

.

Observethatduetoinput-enabledness,forthesame

i?

,thereexistsastate

s

′

_∈

St

S

su hthat

s

i?

−−→

J S K

sem

s

′

.

Weneedto showthat

(s

′

_{, t}

′

_{) ∈ R}

.ByTheorem1we

havethat there existsan implementation semanti s

P

with initial state

p

P

0

su h that

p

P

0

|= s

′

(te h-ni ally speaking,

s

may be a non-initial state of

S

, but thenwe an onsideraversionof

S

withinitial state hangedto

s

to apply Theorem 1, on luding existen eoftheimplementation

P

asabove).

We will now argue that arbitrary implementation

semanti s (not only

P

) satisfying the state

s

′

also

satises

t

′

.So onsideranimplementationsemanti s

Q |= S

andits initial state

q

Q

0

su hthat

q

Q

0

|= s

′

. Weshowthat

q

Q

0

|= t

′

. Create an implementation

Q

′

by merging

Q

and

P

aboveandaddingafreshstate

q

Q

′

0

withallthesame

transitionsliketheinitiallo ationof

P

(sotargeting lo ationsofthe

P

-part),ex eptforthetransition

la-beledby i?, whi h should go to

q

Q

0

; so:

q

Q

′

0

−−→

i?

Q

′

q

Q

0

and otherwise

q

Q

′

0

−→

a

Q

′

p

whenever

p

P

0

−→

a

P

p

for

a 6=

i?

. Thetransitions for alltheother statesof

Q

′

are

likein

P

and

Q

,depending towhi h ofthetwo im-plementationsemanti sthestateoriginallybelonged.

Now

q

Q

′

0

|= s

as

p |= s

anditfollowsallevolutions of

p

for

a 6= i?

and

q

i?

−−→

Q

′

q

0

and

q

0

|= s

′

.By

implementationsemanti sof

t

,so

q

Q

′

0

|= t

and on-sequently

q

0

|= t

′

as

q

Q

′

0

isdeterministi on

i?

. Summarizing, for any implementation

q

0

|= s

′

we

were able to argue that

q

0

|= t

′

, thus ne essarily

(s

′

, t

′

) ∈ R

.

 Consider any a tion

a

(whi h is an outputor a de-lay) for whi h exists

s

′

su h that

s

a

−→

S

_s

′

. Similarly

asabove,one an onstru t(andthus postulate

ex-isten e) ofanimplementation

P

ontaining

p ∈

St

P

su hthat

p |= s

whi hhasatransition

p

a

−→

P

_p

′

.Sin e

then also

p |= t

we havethat there exists

t

′

_∈

St

T

su hthat

t

a

−→

T

t

′

.Itremainstoarguethat

(s

′

_{, t}

′

_{) ∈ R}

.

This is donein thesamewayaswiththe rst ase,

by onsideringanymodelof

s

′

,thenbyextendingit

deterministi allyto amodelof

s

, on ludingthat it is nowamodelof

t

andtheonly

a

-derivative,whi h is

p

′

,mustbeamodelof

t

′

.Consequently

(s

′

_{, t}

′

_{) ∈ R}

.

⊓

⊔

A omplete renement in the above sense is also

sometimes alled thorough (see e.g.[6℄). Therestri tion

ofthetheoremtolo ally onsistentspe i ationsisnota

seriousone.Asweshallseelater(Theorem2), any

on-sistent spe i ation an be transformed into a lo ally

onsistentonepreservingthesetofimplementations.

6 Consisten y and Conjun tion

6.1 Consisten y

We will now study how onsisten y and renement

in-tera t with time lo k errors (violation of independent

progress)inspe i ations.Inparti ularwewillgivean

operational hara terizationofDef.8.

An immediateerror o ursin astateof a

spe i a-tionsemanti sifthestatedisallowsprogressoftimeand

outputtransitionssu haspe i ationwillbreakifthe

environmentdoesnotsendaninput.Foraspe i ation

semanti s

S

wedenetheset ofimmediateerrorstates err

S

_⊆

St

S

as: err

S

_=s





(∃d. s6

−−→)

d

and

∀d ∀o! ∀s

′

_.s

_−→s

d

′

implies

s

′

₆

_−−→

o!

It follows that no immediate error states an o urin

implementations,orin lo ally onsistentspe i ations.

Ingeneral,immediate errorstates in aspe i ation

do not ne essarilymean that aspe i ation annotbe

implemented.Fig.8showsapartiallyin onsistent

spe i- ation,aversionofthe oeema hinethatbe omes

in- onsistentifiteveroutputstea.Thein onsisten y anbe

possiblyavoidedbysomeimplementations,whi hwould

notimplementdelayoroutputtransitionsleadingtoit.

Morepre iselyanimplementationwillexistifthereisa

strategyfortheoutputplayerinasafetygametoavoid

err

S

.

tea

coin

cof

coin?

cof!

coin?

tea!

coin?

y<=0

y<=6

y>=4

y=0

y=0

PartiallyIn onsistent

Figure8:Apartiallyin onsistentspe i ation.

Wewillsolvethesafetygame,byseekingstateswhi h

andelayuntilasafemove,withoutpassingthroughany

unsafestates(or statesfrom whi h aspoiling move

ex-ists).Werstdenethesafetimedprede essoroperator

[33,51,17℄,whi hgivesallthestatesthat ansafelydelay

untilanoutput into

X

whileavoidingtheset ofunsafe states

Y

: Pred

S

t

(X, Y ) = {s ∈

St

S





∃d

0

∈ R

≥0

. ∃s

′

∈ X. s

−−→

d

0

S

s

′

andpost

S

[0,d

0

]

(s) ⊆ Y }

(15)

Sin einourgameitispossibletoplaybydelaying

indef-initely (not ne essarilyuntil anoutput is possible),we

need another operator,Idle t

, that aptures states that

an delay indenitely without passing through unsafe

states.This operatorisanalogousto theaboveone,

ex- ept that it delays indenitely. Again,

Y

denotes the unsafestates: Idle

S

t

(Y ) = {s ∈

St

S

_{| ∀d ∈ R}

≥0

. ∃s

′

∈ Y . s

−→s

d

′

}

(16)

Now the set of safestates is omputed as the greatest

xpointofthefollowingoperator

π

,whi hisan adjust-mentofthestandard ontrollableprede essors operator

[33,51℄that a ountsforinnitedelaymoves:

π(X) =

err

S

_∩

h

Idle

S

t



ipred

S

(X)



∪

Pred

S

t



opred

S

(X),

ipred

S

(X)

i

(17)

The

π

operatorformalizesatwoplayergame,whenboth players hooseadelay, possibly zero,andamoveto be

made.Themovewithashorterdelayisexe uted.Ifthe

twodelaysareequalthenthemoveisnondeterministi ,

and thus theoperator omputing thestrategy requires

thatbothmoveshavetobenon-losing.

Theset ofall onsistentstates ons

S

(i.e.thestates

for whi h the environment has a winning strategy) is

denedasthegreatestxpointof

π

: ons

S

_{= π(}

ons

S

₎

,

whi h is guaranteed to exist by monotoni ity of

π

and ompleteness of the powerset latti e due to the