A Compositional Approach on Modal Specifications for Timed Systems

Transcription

1 INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET EN AUTOMATIQUE A Compositionl Approch on Modl Specifictions for Timed Systems Nthlie Bertrnd Axel Legy Sophie Pinchint Jen-Bptiste Rclet N 7039 Septembre 2009 Thème COM pport de recherche ISSN ISRN INRIA/RR FR+ENG

2

3 A Compositionl Approch on Modl Specifictions for Timed Systems Nthlie Bertrnd, Axel Legy, Sophie Pinchint, Jen-Bptiste Rclet Thème COM Systèmes communicnts Équipes-Projets VerTeCs (INRIA Rennes/IRISA), S4 (INRIA Rennes/IRISA) et Pop Art (INRIA Grenoble) Rpport de recherche n 7039 Septembre pges Abstrct: On the one hnd, modl specifictions re clssic, convenient, nd expressive mthemticl objects to represent interfces of component-bsed systems. On the other hnd, time is crucil spect of systems for prcticl pplictions, e.g. in the re of embedded systems. And yet, only few results exist on the design of timed component-bsed systems. In this pper, we propose timed extension of modl specifictions, together with fundmentl opertions (conjunction, product, nd quotient) tht enble to reson in compositionl wy bout timed system. The specifictions re given s modl event-clock utomt, where clock resets re esy to hndle. We develop n entire theory tht promotes efficient incrementl design techniques. Key-words: Component-bsed system, interfce-bsed design, timed modl specifiction, conjunction, product, residution. This work ws funded by the Europen project COMBEST, IST-STREP INRIA Rennes/IRISA. prenom.nom@inri.fr Université Rennes 1/IRISA. sophie.pinchint@iris.fr INRIA Rhône-Alpes Grenoble. rclet@inrilpes.fr Centre de recherche INRIA Rennes Bretgne Atlntique IRISA, Cmpus universitire de Beulieu, Rennes Cedex (Frnce) Téléphone : Télécopie :

4 Spécifictions Modles Temporisées pour le Risonnement Compositionnel Résumé : Les spécifictions modles constituent un formlisme expressif dpté pour l représenttion des interfces des différents composnts d un système. Pr illeurs, le temps est un spect crucil lors de l conception d un système informtique, en prticulier, dns le contexte des systèmes embrqués. Cet spect est cependnt insuffismment étudié dns l littérture. Dns ce ppier, nous proposons une extension temporisée des spécifictions modles et définissons des opértions (conjonction, produit et quotient) fondmentles pour le risonnement compositionnel ppliqué ux systèmes temporisés. Les spécifictions sont données en terme d utomtes modux à horloges événementielles, c-à-d. pour lesquelles les réinitilistions d horloges sont fcilement identifibles. Nous développons une théorie complète qui conduit à des techniques efficces. Mots-clés : Composnt logiciel, conception pr interfces, spécifiction modle temporisée, conjonction, produit, résidution.

5 A Compositionl Approch on Modl Specifictions for Timed Systems 3 1 Introduction Nowdys, systems re tremendously big nd complex, resulting from the ssembling of severl components. These mny components re in generl designed by tems, working independently but with common greement on wht the interfce of ech component should be. As consequence, mthemticl foundtions tht llow to reson t the bstrct level of interfces, in order to infer properties of the globl implementtion, nd to design or to dvisedly (re)use components is very ctive reserch re, known s compositionl resoning [15]. In logicl interprettion, interfces re specifictions nd components tht implement n interfce re understood s models. Aiming t prcticl pplictions s the finl gol, the softwre engineering point of view nturlly leds to the following requirements for good theory of interfces. 1. Stisfibility/Consistency nd Stisfction. It should be decidble whether specifiction dmits model, nd whether given component implements given interfce. Moreover, for the synthesis of components to be effective, stisfible interfces should lwys hve finitely presentble models. 2. Refinement nd shred refinement. Refinement of specifictions [19, 22] expresses inclusion of sets of models, nd therefore llows to compre interfces. Relted to this impliction-like concept, the intersection, or gretest lower bound, is n optiml interfce refining two given interfces. 3. Compositionlity of the bstrction. The interfce theory should lso provide combintion opertor on interfces, reflecting the stndrd composition of models by, e.g. prllel product. 4. Quotient. Lst but not lest, quotienting opertion, dul to composition is crucil to perform incrementl design. Intuitively, the quotient enbles to describe prt of globl specifiction ssuming nother prt is lredy relized by some component. Together with the composition the quotient opertor enjoys the following fundmentl property t the component level: C 2 = S S 1 C 1 [C 1 = S 1 C 1 C 2 = S] ( ) where S, S i re interfces, C, C i components, nd = is the stisfction reltion. Building good interfce theories is the subject of intensive studies which hve led to theories bsed on models such s interfce utomt [11, 13], modl utomt or specifictions [18, 21, 22, 23, 5], nd their respective timed extension [12, 8]. Modl specifictions re deterministic utomt equipped with trnsitions of the following two types: my nd must. The components tht implement such interfces re deterministic lbeled trnsition systems; n lterntive lnguge-bsed semntics cn therefore be considered, s presented in RR n 7039

6 4 Bertrnd et l. [21, 22]. Informlly, must trnsition is vilble in every component tht implements the modl specifiction, while my trnsition needs not to be. Modl specifictions re interpreted s logicl specifictions mtching the conjunctive nu-clculus frgment of the mu-clculus [14]. As corollry, but lso proved directly in [21], stisfction nd consistency of modl specifictions re decidble, nd the finite model property holds. Refinement between modl specifictions coincides with stndrd notion of lternting simultion. Since components cn be seen s specifictions where ll trnsitions re typed must (ll possible implementtion choices hve been mde), stisfction is lso expressed vi lternting simultion. Shred refinement is effectively computed vi product-like construction. Combintion of modl specifictions, hndling synchroniztion products à l Arnold nd Nivt [6], nd the dul quotient combintors cn be efficiently hndled in this setting [22]. Recently, timed extension of the theory of modl specifictions hs been introduced [8], motivted by the fct tht time cn be crucil prmeter in prctice, e.g. in embedded system pplictions. In this piece of work, components re timed utomt s defined in [1], nd nturlly, n effective nd expressive region-bsed semntics llows to combine modlities nd timing constrints. In this pper, we build on this preliminry pper nd develop complete compositionl pproch for modl specifictions of timed systems. This frmework fvors methodologies for n incrementl design process: Assume globl system implementing specifiction S hs to be synthesized, nd ssume component implements interfce S 1. Computing S S 1 nd synthesizing model of S S 1 yields component tht, in -combintion with the component for S 1, will yield model for the globl interfce S, thnks to property ( ). As consequence, low complexity lgorithms re needed for computing product nd quotient, s well s for the stisfibility decision procedure. The synchronous product of timed objects requires tight control on clocks [1], nd so should its dul quotient. Actully, developing the theory in the generl frmework where components cn reset their clocks in n rbitrry mnner is difficult question. Indeed, computing the resets of clocks of product or of quotient depends on how the control of clocks is distributed mong the components. This informtion hs to be provided priori, which requires n extr formlism. We therefore restrict the presenttion to the clss of components definble by event-clock utomt [2]: in these timed utomt, resets re fully determined by the ctions. Interfces whose models re event-clock utomt re clled modl event-clock specifictions (mecs). Inheriting from the region-bsed semntics of timed modl specifictions [8], we study the stisfibility s well s the consistency problems for mecs. Stisfibility is PSPACE-complete, hence no hrder thn trditionl decision problems in the clss of timed utomt. Refinement serves s theoreticl bsis to develop the product nd the quotient of mecs. We propose two equivlent chrcteriztions of these opertions. Not surprisingly ccording to the semntics, inefficient EXPTIME constructions vi the region grphs of the mecs (seen s untimed specifictions) re provided. More interestingly, we present lterntive direct nd efficient PTIME constructions. The rest of the pper is orgnized s follows. In Section 2, we introduce the timed modl specifiction setting, with preliminries on untimed modl specifictions nd the definition of modl event-clock specifictions. Section 3 focuses INRIA

7 A Compositionl Approch on Modl Specifictions for Timed Systems 5 on mecs nd exposes effective techniques to compute the binry opertions of gretest lower bound, product, nd quotient. In Section 4, we compre our frmework with the existing literture. Section 5 concludes the pper. 2 Timed modl specifictions In this section we recll the frmework of modl specifictions defined in [17], further studied in [22], nd its timed extension, recently proposed in [8]: We discuss the semntic, the preorder refinement nd the stisfibility problem for untimed nd timed modl specifictions. 2.1 Preliminries on untimed specifictions A modl specifiction is n utomton equipped with two types of trnsitions: must-trnsitions, tht re required nd my-trnsitions, tht re llowed. We fix Σ finite set of ctions. Definition 1 (Modl specifiction) A modl specifiction (ms) is tuple R = (P, λ 0, m, M ) where P = P is finite set of sttes with P =, λ 0 P is the unique initil stte, nd M m P Σ P. M nd m correspond respectively to must-trnsitions nd my-trnsitions. We dditionlly ssume tht m is deterministic (hence so is M ) nd complete, tht is, for every stte p P nd every ction Σ, there is exctly one stte λ P such tht (p,, λ) m. We use p (resp. λ) s typicl element of P (resp. P ). Note tht completeness is not restriction since from ny incomplete specifiction, one cn derive complete one by dding my-trnsitions to possibly new stte. Intuitively, in stte p P -my trnsition to some stte λ lbelled by ction mens tht ction is forbidden in p. This interprettion will become clerer when we define the set of models of modl specifiction. The condition M m nturlly imposes tht every required trnsition is lso llowed; it gurntees the locl consistency of the modl constrints. The set of sttes denotes the bd sttes which crry locl inconsistency. Elements of re sink sttes with no outgoing trnsition since both M nd m re subsets of P Σ P. Globl inconsistency cn be derived s follows: we let I be the set of inconsistent sttes tht must led (tht is vi sequence of must-trnsitions) to locl inconsistency; sttes in P \ I re consistent. Formlly I = {λ 0 n 0, λ 1 λ n P 1 n Σ s.t. λ n nd (λ i, i+1, λ i+1 ) M }. Notice tht in prticulr I. We sy tht the modl specifiction R is consistent whenever its initil stte is consistent, i.e. λ 0 / I; otherwise R is inconsistent. In the following, we write or drw p λ (resp. p λ) to men (p,, λ) M (resp. (p,, λ) m \ M ); in other words, solid rrows denote required trnsition, wheres dshed rrow represent llowed but not required trnsitions. Exmple 1 Consider client for given resource vilble in system. The lphbet of ctions includes: get when the resource is requested; grnt in cse of ccess to the resource; nd, extr which occurs when privileged ccess with extended time is requested. RR n 7039

8 6 Bertrnd et l.!extr 0!get!extr 1?grnt () Client Cl!get!extr!get!get b c?grnt?grnt (b) Automton M Figure 1: The modl specifiction Cl ccepts the utomton M In order to simplify the figures, sttes in re not represented (except if they re necessry) nd trnsitions of the form q re not depicted. Action nmes my be preceded by some! or? when the occurrence of the ctions respectively stems from the designed component or by its environment. The modl specifiction Cl for the client in Fig. 1() specifies tht get request my be sent gin. Moreover every get request must be grnted. Additionlly the client my request extended time t ny moment. Models of ms re deterministic utomt 1, with possibly infinitely mny sttes, which we shortly cll utomt in the sequel. An utomton is structure of the form M = (M, m 0, ) where M is (possibly infinite) set of sttes, m 0 M is unique initil stte, nd M Σ M is prtil trnsition function. The model reltion = defined below is prticulr cse of lternting simultion [4] between the model nd the consistent prt, if ny, of the specifiction. Definition 2 (Model Reltion) Let R = (P, λ 0, m, M ) be ms. An utomton M = (M, m 0, ) is model of R, written M = R, if there exists binry reltion ρ M (P \I) such tht (m 0, λ 0 ) ρ, nd for ll (m, p) ρ, the following hold: (1) for every (p,, λ) M there is trnsition (m,, m ) with (m, λ) ρ, nd (2) for every (m,, m ) there is trnsition (p,, λ) m with (m, λ) ρ. We denote by Mod(R), the set of models of n ms R = (P, λ 0, m, M ). Remrk in Definition 2 tht inconsistent sttes of the specifiction cnnot pper in the reltion ρ. Consequently, trnsition of the form (p,, λ) m where λ I is inconsistent interprets s: in ny model, no -trnsition from stte in reltion with p is llowed. Moreover, for λ 0 I no ρ cn exist nd ctully we hve: Lemm 1 Let R be ms. Mod(R) if, nd only if, R is consistent. Proof ( ) Assume R is inconsistent, i.e. λ 0 I. For every utomton M = (M, m 0, ), there cnnot be ny binry reltion ρ M (P \ I) with (m 0, λ 0 ) ρ, since λ 0 I. Hence R hs no model. ( ) Assume R is consistent. Intuitively, (finite-stte) model is obtined by mimicking the must trnsitions of the specifiction. Let p 0 = λ 0 P, nd consider the utomton M obtined s follows. We let m 0 be the initil stte 1 lso clled deterministic lbeled trnsition systems. INRIA

9 A Compositionl Approch on Modl Specifictions for Timed Systems 7 of M, nd we let m 0 be relted to p 0 by binry reltion ρ M (P \ I) we incrementlly construct: ρ is the lest reltion such tht for every (m, p) ρ, if (p,, p ) M for some p P, then there is trget stte m in M of trnsition (m,, m ) with (m, p ) ρ. It is not difficult to verify tht by construction M = R vi the simultion ρ, which entils Mod(R). Exmple 2 The utomton M in Fig. 1(b) is model of the ms Cl in Fig. 1() s the binry reltion ρ = {(, 0), (b, 1), (c, 1)} witnesses. The semntic preorder between ms relies on n extension of Definition 2. Definition 3 (Modl Refinement Preorder) Given two ms, R 1 = (P 1, λ 0 1, m 1, M 1 ) nd R 2 = (P 2, λ 0 2, m 2, M 2 ), R 1 is refinement of R 2, written R 1 R 2, whenever there exists binry reltion ρ (I 1 I 2 ) (P 1 (P 2 \I 2 )) such tht (λ 0 1, λ0 2 ) ρ, nd for ll (λ 1, λ 2 ) ρ ((P 1 \ I 1 ) (P 2 \ I 2 )): (1) for every (λ 2,, λ 2 ) M 2 there exists (λ 1,, λ 1 ) M 1 with (λ 1, λ 2 ) ρ (2) for every (λ 1,, λ 1 ) m 1 there exists (λ 2,, λ 2 ) m 2 with (λ 1, λ 2 ) ρ. Definition 3 requires some explntions. First, by definition of the domin of ρ, n inconsistent stte of R 2 cn only be refined s n inconsistent stte in R 1 wheres consistent stte in R 2 cn either be linked to consistent or inconsistent stte in R 1. Moreover, for pirs of consistent sttes, Condition (1) ensures tht ll required trnsition in R 2 re lso required in R 1, nd Condition (2) gurntees tht ech possible trnsition in R 1 is lso llowed in R 2. Under our ssumption tht ms re deterministic, we cn show tht the preorder between ms mtches the model inclusion preorder. We estblish n intermedite result tht exploits the embedding of utomt into modl specifictions. Definition 4 (Embedding in ms) An utomton M = (M, m 0, ) cn be interpreted s modl specifiction M = (M { }, m 0, m, M ) where = M m, nd (m,, ) m \ M when (m, ) is undefined in M. Lemm 2 Given n utomton M nd ms R, M = R iff M R. Proof Observe first tht is the unique inconsistent stte in M. Let ρ be the simultion reltion stting tht M = R. For (m, p) ρ nd every (p,, λ) m with λ I, M hs no trnsition from m lbelled by. In M, in this sitution, there is by construction trnsition from m to lbeled by. We then dd (, λ) in ρ. The obtined simultion reltion llows to estblish tht M = R. For the converse direction, the pirs (, λ) with λ I chrcterized bove re removed from the simultion reltion stting tht M R in order to obtin the simultion reltion for M = R. Proposition 1 Let R 1 nd R 2 be two ms, then: R 1 R 2 if, nd only if, Mod(R 1 ) Mod(R 2 ). RR n 7039

10 8 Bertrnd et l. Proof ( ) Let R 1 R 2 nd M = R 1. Then, by Corollry 2, M R 1. By trnsitivity of the refinement preorder, M R 2, nd hence M = R 2. ( ) Suppose Mod(R 1 ) Mod(R 2 ). If R 1 is inconsistent, trivilly R 1 R 2. Assume now tht R 1 is consistent. Then so must be R 2. We cn write p 0 1 (resp. p 0 2 ) the initil stte of R 1 (R 2 ). As R 1 nd R 2 re deterministic, simultion reltion ρ stting tht R 1 is refinement of R 2, if it exists, is unique. We consider the binry reltion ρ s the lest reltion such tht with (p 0 1, p0 2 ) ρ nd for every (p 1, p 2 ) ρ ((P 1 \ I 1 ) (P 2 \ I 2 )), we let (λ 1, λ 2 ) ρ whenever (p 2,, λ 2 ) M 2 nd (p 1,, λ 1 ) M 1, or (p 1,, λ 1 ) m 1 nd (p 2,, λ 2 ) m 2 Ẇe show tht ρ (I 1 I 2 ) (P 1 (P 2 \ I 2 )), which entils tht ρ is witness for R 1 R 2. if (p 2,, λ 2 ) M 2 then λ 2 P 2 \ I 2 otherwise we would hve p 2 I 2. Moreover every model M which hs stte m relted to the stte p 2 of R 2 necessrily hs n -trnsition leving m. A weker clim for p 1 is not possible, otherwise we would not hve Mod(R 1 ) Mod(R 2 ). As result, (p 1,, λ 1 ) M 1 nd (λ 1, λ 2 ) P 1 (P 2 \ I 2 ). if (p 1,, λ 1 ) m 1 then (p 2,, λ 2 ) m 2 s R 2 is complete. We now prove tht (λ 1, λ 2 ) (I 1 I 2 ) (P 1 (P 2 \ I 2 )): if λ 1 P 1 \ I 1, we hve to prove tht λ 2 P 2 \ I 2. As λ 1 P 1 \ I 1, there exists M model of R 1 hving trnsition from p 1 lbeled by. As Mod(R 1 ) Mod(R 2 ) then M should lso be model of R 2 nd thus trnsition should be llowed in p 2. As result, λ 2 P 2 \ I 2 ; if λ 1 I 1 then for λ 2 P 2 we hve (λ 1, λ 2 ) ρ. Note tht the determinism of modl specifictions is crucil for the Proposition 1. In the nondeterministic cse, modl refinement is not complete [19], tht is Mod(R 1 ) Mod(R 2 ) does not imply R 1 R 2 in generl. As consequence of Definition 3, inconsistent ms refine ny ms, nd consistent ms cn only refine consistent ms. In the following, we write R 1 R 2, nd sy tht R 1 nd R 2 re equivlent, whenever R 1 R 2 nd R 2 R 1. Remrk tht by merging ll sttes of I, every ms is equivlent to ms where the set of inconsistent sttes is singleton. 2.2 Modl event-clock specifictions Let X be finite set of clocks nd let IR 0 denote the set of non-negtive rels. A clock vlution over X is mpping ν : X IR 0. The set of clock vlutions over X is denoted V; in prticulr, 0 V is the clock vlution such tht 0(x) = 0 for ll x X. Given ν V nd t IR 0, we let (ν + t) V be the clock-vlution obtined by letting t time units elpse fter ν, formlly, (ν + t)(x) = ν(x) + t for every x X. A gurd over X is finite conjunction of expressions of the form x c where x X, c IN is constnt, nd {<,, =,, >}. We then denote by ξ[x] the set of ll gurds over X. For some fixed N IN, ξ N [X] represents the set of gurds involving only constnts equl to or smller thn N. The stisfction INRIA

11 A Compositionl Approch on Modl Specifictions for Timed Systems 9 reltion = (V ξ[x]) between clock vlutions nd gurds is defined in nturl wy nd we write ν = g whenever ν stisfies g. In the following, we will often buse nottion nd write g to denote the gurd g s well s the set of vlutions which stisfy g. Event-clock utomt [2], form subclss of timed utomt where clock resets re not rbitrry: ech ction comes with clock x which is reset exctly when ction occurs. We consider event-clock utomt with possibly infinitely mny loctions. Definition 5 (Event-clock utomt) An event-clock utomton (ec) over Σ is tuple C = (C, c 0, δ) where C is set of sttes, c 0 C is the initil stte, nd δ C ξ N [X Σ ] Σ C is the trnsition reltion (for some N N). The pir (Σ, N) is the signture of C. The semntics of n ec is similr to the one of timed utomton [1], except tht the set of clocks tht re reset by trnsition is determined by the ction of tht trnsition: while firing trnsition lbeled by, precisely clock x is reset. Event-clock utomt do form strict subclss of timed utomt, but they enjoy nice properties: they re closed under union nd intersection, nd more interestingly they cn be determinized (s opposed to the clss of rbitrry timed utomt). The determinizbility of event-clock utomt comes from the wy clocks re reset nd this property significntly eses the definition of binry opertors (such s lower bound, product nd quotient) on modl vrints of event-clock utomt. For fixed signture (Σ, N), region is n equivlence clss θ of clockvlutions tht stisfy the sme gurds in ξ N [X Σ ]. We denote by Θ N, or simply Θ, the set of ll regions. Given region θ Θ, we write Succ(θ) for the union of ll regions tht cn be obtined from θ by letting time elpse: Succ(θ) = {θ ν θ ν θ t IR 0 s.t. ν = ν + t}. Definition 6 (Region utomton [1]) The region utomton ssocited to n ec C = (C, c 0, δ) is the utomton R(C) = (C Θ, (c 0, 0), ) over the lphbet Θ Σ, where the set of trnsitions is defined s follows: for ech c, c C, θ, θ, θ Θ, nd Σ, ((c, θ), θ,, (c, θ )) whenever there exists (c, g,, c ) δ with θ Succ(θ) g, nd θ = θ [x = 0] is the region obtined from θ by resetting clock x. Note tht the region utomt we consider extend the ones introduced in [1] since their trnsition lbels keep trck of the intermedite region where the ction is fired. As consequence, ny utomton over the lphbet Θ Σ uniquely defines n ec whose signture is of the form (Σ, N Θ ), with N Θ determined by the set of regions Θ. We denote by T the nturl injection of region utomt into ec; this mpping enbles us to distinguish between the two interprettions of the sme syntctic object: R(C) is n utomton wheres T(R(C)) is n ec. Definition 7 (Modl event-clock specifiction) A modl event-clock specifiction (mecs) over the finite lphbet Σ is tuple S = (Q, λ 0, δ m, δ M ) where Q := Q is finite set of loctions, with Q =, nd the initil stte is λ 0 Q. RR n 7039

12 10 Bertrnd et l. δ M δ m Q ξ[x Σ ] Σ Q re finite sets of respectively must- nd my-trnsitions. Given my-trnsition (q, g,, λ) δ m, q is the source stte, λ is the destintion stte, g ξ[x Σ ] is the gurd tht specifies the vlutions for which the trnsition cn be tken, Σ is the ction lbeling the trnsition recll tht the only clock tht is then reset is x. Moreover we require tht δ m is deterministic (hence, so is δ M ) nd complete: for ny stte q Q, ny ction Σ, nd ny clock vlution ν V, there is exctly one trnsition (q, g,, λ) δ m such tht ν = g. Exmple 3 As n exmple of mecs, we consider in Fig. 2() timed vrint of the client Cl introduced erlier. The clock corresponding to the ction get is x get. In this exmple gin, for simplifiction purposes, trnsitions of the form q g, re not depicted. As mecs re complete, these trnsitions cn esily be recovered by tking g = ( i g i) where the g i s re the gurds ppering in the trnsitions of the form q gi, λ or q gi, λ. When the gurd of trnsition is not indicted, it is implicitly true. The mecs Cl for the client in Fig. 2() specifies tht get request my be sent gin t most one time unit fter the lst request.!extr!get!extr 0 1?grnt!get x get 1?get 0?extr 1!grnt x get 2?get!grnt x get 4 () Client Cl (b) Access controller Acc Figure 2: Client Cl nd ccess controller Acc In the sequel, we generlize the grphicl convention lredy used for untimed objects by writing q g, λ whenever (q, g,, λ ) (δ m \δ M ) nd q g, λ whenever (q, g,, λ ) δ M. Remrk tht nturl untimed object ssocited to mecs S is its region modl utomton, obtined by generlizing Definition 6 from event-clock utomt to their modl extension. More precisely, R(S) reflects the modlities of S = (Q, λ 0, δ m, δ M ) s done in [8], the initil stte is (λ 0, 0) nd the set of loclly inconsistent sttes in R(S) is S Θ. A mecs S is sid to be inconsistent if R(S) is inconsistent; otherwise, it is consistent. Given modl event-clock specifiction S over signture (Σ, N), R(S) is modl specifiction over the extended lphbet Σ Θ N ; similrly, given n event-clock utomton C, R(C) is n utomton over lphbet Σ Θ N. Hving this in mind, the model reltion in the timed cse is inherited from the one in the untimed cse vi the region construction: Definition 8 (Model reltion) Let S be mecs. An event-clock utomton C is model of S, written C = S, if R(C) = R(S). INRIA

13 A Compositionl Approch on Modl Specifictions for Timed Systems 11 The set of models of mecs S, is defined by Mod(S) := {C C = S}. Observing tht given mecs S, R(T(R(S))) nd R(S) re isomorphic, we obtin the following: Lemm 3 Let S be mecs. Then, Mod(T(R(S))) = Mod(S). In the spirit of Def.8 for the model reltion, the modl refinement preorder between mecs lso relies on region-bsed construction: Definition 9 (Modl refinement preorder) Given two mecs S 1 nd S 2, S 1 refines S 2, written S 1 S 2, whenever R(S 1 ) R(S 2 ). As corollry of the nlogous results in the untimed setting on ms, it is decidble whether mecs refines nother one. Moreover, refinement nd inclusion of models mtch: Corollry 1 Let S, S 1 nd S 2 be mecs. Then, Mod(S) if, nd only if S is consistent; S 1 S 2 if, nd only if Mod(S 1 ) Mod(S 2 ). Proof The first item is consequence of the similr result for untimed specifictions (see Lemm 1), s well s the immedite observtion tht given n utomton M, M = R(S) implies T(M) = S. The second item is trivil consequence of Proposition 1 nd Definition 9. The clss of deterministic ec cn be embedded into the one of mecs; let C be n ec, we note C the mecs obtined by typing with must every existing trnsitions in C nd by completing it by dding my-trnsitions to stte in. Definition 10 (Embedding in mecs) An ec C = (C, c 0, δ) cn be interpreted s mecs C = (C { }, c 0, δ m, δm ) where δ = δm δ m, nd (λ, g,, ) m \ M with g = ( i g i) nd where the g i s re the gurds ppering in the trnsitions of the form (λ, g i,, λ ) in δ. Assuming determincy of event-clock utomt is not restrictive, since they re known to be determinizble [2]. We then hve: Corollry 2 Let C be n ec nd S mecs, C = S if nd only if C S. Proof This follows from Definition 8 which tells tht C = S whenever R(C) = R(S). Moreover, by Definition 9, C S if nd only if, R(C ) R(S). To conclude, it suffices to consider Corollry 2. About consistency. We recll tht specifiction is consistent if, nd only if, it dmits model. According to Lemm 1, checking whether n untimed specifiction is consistent mounts to checking tht the set of sttes cnnot be reched from its initil stte by sequence of must-trnsitions. The consistency problem is thus NLOGSPACE-complete for modl specifictions nd PSPACEcomplete in the timed cse. RR n 7039

14 12 Bertrnd et l. 3 Opertions on specifictions In this section, we introduce opertions on modl event-clock specifictions, which enble compositionl resoning. More precisely, we define the gretest lower bound, the product, nd the quotient over mecs. For ech of these opertions, we estblish importnt theoreticl properties. 3.1 Gretest lower bound of mecs We study the concept of gretest lower bound, which corresponds to the conjunction of two modl specifictions nd equivlently to their best shred refinement. We first recll the definition of the gretest lower bound in the untimed cse. Let R 1 = (P 1, λ 0 1, m 1, M 1 ) nd R 2 = (P 2, λ 0 2, m 2, M 2 ) be two ms. The gretest lower bound of R 1 nd R 2 is R 1 R 2 = (P, (λ 0 1, λ0 2 ), m, M ) with P := P 1 P 2, := ( 1 P 2 ) (P 1 2 ), nd whose trnsition reltions re derived from the following rules: λ 1 λ 1 λ 1 nd λ 2 λ 2 (λ 1, λ 2 ) (λ 1, λ 2) λ 1 nd λ 2 λ 2 (λ 1, λ 2 ) (λ 1, λ 2 ) (Glb1) (Glb3) λ 1 λ 1 λ 1 nd λ 2 λ 2 (λ 1, λ 2 ) (λ 1, λ 2) λ 1 nd λ 2 λ 2 (λ 1, λ 2 ) (λ 1, λ 2 ) (Glb2) (Glb4) Remrk in prticulr, tht if in stte λ = (λ 1, λ 2 ), we hve the contrdictory requirements tht is required (λ 1 λ 1 P 1) nd should not hppen (λ 2 λ 2 2 ), then λ is inconsistent. This is indeed gurnteed by the definition of R 1 R 2 which imposes P 1 2. Gretest lower bound of mecs. The notion of gretest lower bound esily extends to mecs. Let S 1, S 2 be two mecs. The modlities for the trnsitions in S 1 S 2 re derived from those induced in the untimed cse (Rules (Glb1) to (Glb4)), nd the lbels of the trnsitions re obtined by intersecting the gurds for common ctions. As n exmple, Rule (Glb1) becomes (tglb1) s follows. g 1, λ 1 λ 1 nd λ g 2, 2 λ 2 (λ 1, λ 2 ) g1 g2, (tglb1) (λ 1, λ 2 ) Thnks to Lemm 3, the set of models of mecs S mtches the set of models of its region version T(R(S)). The following proposition chrcterizes the gretest lower bound of two mecs vi the region grphs. Proposition 2 For ny two mecs S 1 nd S 2, R(S 1 S 2 ) R(S 1 ) R(S 2 ). Proof Consider the binry reltion R between sttes of R(S 1 S 2 ) nd of R(S 1 ) R(S 2 ) defined by: R = {( (λ1, θ), (λ 2, θ) ), ( (λ 1, λ 2 ), θ )) λ 1 Q 1, λ 2 Q 2 }. Notice tht ny rechble stte in R(S 1 ) R(S 2 ) is of the form ( ( λ 1, θ 1 ), (λ 2, θ 2 ) ) with θ 1 = θ 2. This cn be esily proved inductively since the gretest lower bound INRIA

15 A Compositionl Approch on Modl Specifictions for Timed Systems 13 for R(S 1 ) nd R(S 2 ) is computed on the extended lphbet Σ Θ, where the trget region is completely determined by the lter (since it contins the region when the trnsition is fired nd the clock to be reset). Let λ 1 Q 1, λ 2 Q 2 nd θ Θ. We show tht ny required trnsition from ( ( λ 1, θ), (λ 2, θ) ) in R(S 1 ) R(S 2 ) is lso mndtory from ( (λ 1, λ 2 ), θ ) in R(S 1 S 2 ), nd tht ny llowed trnsition from ( (λ 1, λ 2 ), θ ) in R(S 1 S 2 ) is possible from ( ( λ 1, θ), (λ 2, θ) ) in R(S 1 ) R(S 2 ). Let ( (λ 1, λ 2 ), θ) ) θ, ( (λ 1, λ 2), θ ) ) be my-trnsition in R(S 1 S 2 ). By g, construction of the region grph, there exists my-trnsition (λ 1, λ 2 ) (λ 1, λ 2 ) with θ Succ(θ) g in S 1 S 2. This trnsition cn only be obtined g 1, by pplying Rule (tglb1); hence there exist λ 1 λ g 2, 1 in S 1 nd λ 2 λ 2 in S 2 with g = g 1 g 2. Since θ g 1 g 2 these trnsitions give rise in R(S 1 ) nd R(S 2 ) respectively to trnsitions (λ 1, θ) θ, (λ 1, θ ) nd (λ 2, θ) θ, (λ 2, θ ). Hence, in the gretest lower bound R(S 1 ) R(S 2 ), thnks to Rule (Glb1), there is my-trnsition ( ( λ 1, θ), (λ 2, θ) ) θ, ( ( λ 1, θ ), (λ 2, θ ) ). Assume now ( ( λ 1, θ), (λ 2, θ) ) θ, ( ( λ 1, θ ), (λ 2, θ ) ) is must-trnsition in R(S 1 ) R(S 2 ). According to the rules (Glb2) to (Glb4) this trnsition comes from trnsitions in R(S 1 ) nd R(S 2 ), one of which being must-trnsition. W.l.o.g ssume (λ 1, θ) θ, (λ 1, θ ) nd (λ 2, θ) θ, (λ 2, θ ) ) (the ltter trnsition could lso be must). By construction of the region grph, there re trnsitions g 1, λ 1 λ 1 nd λ 2 g 2, λ 2 in S 1 nd S 2 respectively, with θ Succ(θ) g 1 nd lso θ Succθ g 2. In S 1 S 2 there is thus trnsition (λ 1, λ 2 ) g1 g2, (λ 1, λ 2 ); this yields trnsition ( (λ 1, λ 2 ), θ) ) θ, ( (λ 1, λ 2), θ ) ). To prove tht reltion R is witness for R(S 1 S 2 ) R(S 1 ) R(S 2 ), it now suffices to observe tht inconsistent sttes in R(S 1 ) R(S 2 ) cn only be linked in R to inconsistent sttes in R(S 1 S 2 ). This however is consequence of the fct tht must-trnsition in R(S 1 ) R(S 2 ) re lso required in R(S 1 S 2 ), together with the observtion tht bd sttes (sttes in on ech side) re linked through R. This ends the proof tht R(S 1 S 2 ) refines R(S 1 ) R(S 2 ) through R. Following exctly the sme lines, one cn prove the reverse refinement, nmely: R(S 1 ) R(S 2 ) R(S 1 S 2 ). Hence the desired result: R(S 1 S 2 ) R(S 1 ) R(S 2 ). Note tht reltion R estblishes moreover n isomorphism between R(S 1 S 2 ) nd R(S 1 ) R(S 2 ). In Proposition 2, opertor is overloded: on the right hnd side, it corresponds to the gretest lower bound of ms wheres on the left hnd side, it corresponds to the gretest lower bound of mecs. Computing the conjunction of two ms vi rules (Gbl1) to (Gbl4) is polynomil in the size of the rguments. Due to the construction of the region grphs, strting from two mecs S 1 nd S 2 computing R(S 1 ) R(S 2 ) is exponentil. The direct construction of the gretest lower bound by using the timed vrints of (Gbl1) to (Gbl4) is polynomil nd therefore worth dopting for effective methods. Corollry 3 S 1 S 2 is the -gretest lower bound of S 1 nd S 2. RR n 7039

16 14 Bertrnd et l. Proof From the untimed cse [22], we deduce: R(S 1 ) R(S 2 ) R(S i ), for i = 1, 2. Thus by Prop.2, we hve: R(S 1 S 2 ) R(S i ). Finlly s T is monotonic nd becuse T(R(S)) S (Lemm 3): S 1 S 2 S i. We now show it is the gretest element under S 1 nd S 2. Assume tht there exists S such tht S S i. Therefore, by definition of, R(S) R(S i ) which entils R(S) R(S 1 ) R(S 2 ). Now, we hve S T(R(S)) T(R(S 1 S 2 )) since T is monotonic nd by Prop.2; We then conclude tht S S 1 S 2. Finlly, ccording to the bove, one cn estblish tht the gretest lower bound yields the intersection of the models. Theorem 1 For ny two mecs S 1 nd S 2, Mod(S 1 S 2 )=Mod(S 1 ) Mod(S 2 ). Proof From Corollry 3 we hve S 1 S 2 S i. Then Corollry 1 entils, Mod(S 1 S 2 ) Mod(S i ). Thus Mod(S 1 S 2 ) [Mod(S 1 ) Mod(S 2 )]. Let C be ec such tht C [Mod(S 1 ) Mod(S 2 )]. By Corollry 2, C S 1 nd C S 2. By Corollry 3, C S 1 S 2 nd by Corollry 2, C = S 1 S 2. As result [Mod(S 1 ) Mod(S 2 )] Mod(S 1 S 2 ). Appliction of the gretest lower bound is the following: in the design of component one gives severl specifictions, ech of them describing prticulr requirement. The gretest lower bound of these specifictions enbles to check the comptibility of these requirements, by deciding consistency. 3.2 Product of mecs The product of mecs reltes to the synchronous prllel composition of models. For ms, it generlizes the synchronized product of utomt M 1 M 2 tht denotes the intersection of their behviors (lnguges). We first recll the product of ms: Let R 1 = (P 1, λ 0 1, m 1, M 1 ) nd R 2 = (P 2, λ 0 2, m 2, M 2 ) be two ms over the sme lphbet Σ. The product of R 1 nd R 2, denoted by R 1 R 2, is the ms (P, (λ 0 1, λ0 2 ), m, M ), with P := P 1 P 2, := ( 1 P 2 ) (P 1 2 ), nd whose trnsitions re derived from the following rules: λ 1 λ 1 λ 1 nd λ 2 λ 2 (λ 1, λ 2 ) (λ 1, λ 2 ) λ 1 nd λ 2 λ 2 (λ 1, λ 2 ) (λ 1, λ 2) (Prod1) (P rod3) λ 1 λ 1 λ 1 nd λ 2 λ 2 (λ 1, λ 2 ) (λ 1, λ 2 ) λ 1 nd λ 2 λ 2 (λ 1, λ 2 ) (λ 1, λ 2) (Prod2) (P rod4) Notice tht Rules (P rod1) to (P rod4) uniformly consider consistent nd inconsistent sttes. Product of mecs. The product of mecs extends the synchronized product of ec which consists in synchronizing trnsitions on ction nmes nd in tking the conjunction of the gurds of the combined trnsitions. Let S 1, S 2 be two mecs. The modlities for the trnsitions in S 1 S 2 re derived from those proposed in the untimed cse, nd the lbels of the trnsitions INRIA

17 A Compositionl Approch on Modl Specifictions for Timed Systems 15 re composed of the intersection of the gurds together with the common ction. For exmple, the timed version of (Prod1) becomes (tprod1) s follows. g 1, λ 1 λ 1 nd λ g 2, 2 λ 2 (λ 1, λ 2 ) g1 g2, (tprod1) (λ 1, λ 2 ) Similrly to Proposition 2 for the gretest lower bound, the product of mecs cn be lterntively computed by building the product of the region grphs. This construction however cuses n exponentil blow-up wheres the direct construction is polynomil. Notice tht opertor is overloded to ese the presenttion. Proposition 3 R(S 1 S 2 ) R(S 1 ) R(S 2 ). Proof Similrly to the proof of Proposition 2 the binry reltion R defined s: R = {( (λ1, θ), (λ 2, θ) ), ( (λ 1, λ 2 ), θ )) λ 1 Q 1, λ 2 Q 2 } is witness for R(S 1 S 2 ) R(S 1 ) R(S 2 ). The definitions of the gretest lower bound nd the product re relly similr except for the resulting modlities in some rules, nd in prticulr the definitions for, the set loclly inconsistent sttes, mtch. As consequence, Proposition 3 cn be proved by dpting the rgument in Proposition 2 in strightforwrd mnner; we omit it here. In the untimed setting, it is known [22] tht the product is monotonic with respect to the refinement, nd tht product of models is model of the product. Those properties extend to the timed cse s stted in the following theorem. Theorem 2 (Properties of the product) For ny mecs S 1, S 1, S 2, S 2, nd ny ec C 1, C 2, (S 1 S 2 nd S 1 S 2) = S 1 S 1 S 2 S 2; nd (C 1 = S 1 nd C 2 = S 2 ) = C 1 C 2 = S 1 S 2. Proof Given S 1, S 2, S 1 nd S 2 mecs, such tht: S 1 S 2 nd S 1 S 2. By Definition 9 this is equivlent to: R(S 1 ) R(S 2 ) nd R(S 1 ) R(S 2 ) As the product of simple modl specifictions is monotonic for the modl refinement reltion (see [22] for proof), we hve: R(S 1 ) R(S 1) R(S 2 ) R(S 2) According to Proposition 3, this is equivlent to: R(S 1 S 1 ) R(S 2 S 2 ) Thus, by Definition 9: S 1 S 1 S 2 S 2 Let us now prove tht given two ec C 1, C 2, we hve: (C 1 = S 1 nd C 2 = S 2 ) implies C 1 C 2 = S 1 S 2 RR n 7039

18 16 Bertrnd et l. Now suppose tht C 1 = S 1 nd C 2 = S 2 then C1 S 1 nd C2 S 2. By the first prt of the theorem, we hve C1 C 2 S 1 S 2. One cn esily prove tht C1 C2 (C 1 C 2 ) nd then we conclude tht: C 1 C 2 = S 1 S 2. As consequence, the product opertion stisfies the property of independent implementbility, in the sense of [11]: n implementtion of specifiction of the form S 1 S 2 cn be obtined by composing ny two independent implementtions of S 1 nd S 2 respectively. Exmple 4 The mecs Acc in Fig. 2(b) pge 10 specifies the behvior of n ccess controller; the ccess to the resource will be grnted for 2 time units fter the reception of get request. In cse of privileged ccess with n extr time, this durtion will be extended to 4 time units. The product Cl Acc is depicted in Fig. 3(). In the resulting specifiction, extr cn now only occur fter get request. Timing constrints on the grnt ction issued from the ccess controller re lso propgted. get 00 grnt 10 get x get 1 x get 2 extr get 01 grnt 11 x get 4 get x get 1 grnt x get < 5 get grnt x get < 2 c b extr () The product Cl Acc (b) A desired globl behvior G Figure 3: The globl model Cl Acc nd its specified behvior G 3.3 Quotient of mecs In this section, we define the quotient opertion. Intuitively, the quotient describes prt of globl specifiction ssuming nother prt will be relized by some component. We thus consider quotient of specifictions which is different from the constructions studied in [16] where t lest one of the opernd is system. We strt by reclling the quotient opertion on untimed modl specifictions, then extend it to mecs. In the untimed setting, we im t defining n opertion dul to the product of Section 3.2 in the following sense. Given two ms R = (P, λ 0, m, M ) nd R 1 = (P 1, λ 0 1, m 1, M 1 ), we wnt the quotient of R by R 1 to be the ms written R R 1 which stisfies the following properties. Proposition 4 For every utomton M 2, M 2 = R R 1 M 1. [M 1 = R 1 M 1 M 2 = R] (1) nd R R 1 is the gretest such one, nmely R 1 R 2 R R 2 R R 1 (2) INRIA

19 A Compositionl Approch on Modl Specifictions for Timed Systems 17 Proof The proof of similr proposition in [22] for untimed modl specifictions without inconsistent sttes cn esily be dpted in our context. The definition of the quotient follows [22], but it is here revisited with uniform wy to hndle both consistent nd inconsistent sttes, s opposed to the originl definition where so-clled pseudo-specifictions needed being considered. Formlly, the quotient of R = (P, λ 0, m, M ) by R 1 = (P 1, λ 0 1, m 1, M 1 ) is the ms R R 1 = (P, (λ 0, λ 0 1 ), m, M ), with P (P P 1 ) { }, where is fresh element, nd the set of loclly inconsistent sttes of R R 1 contins t lest n element but lso other elements: the rules below describe these elements s well s the set of trnsitions. Nottion λ I mens tht the -my-trnsition from λ leds to n inconsistent stte in I. We lso use nottions λ P \ I, λ I, nd λ P \ I with the expected mening, nd λ whenever there is no -must-trnsition from stte λ. λ I nd λ 1 / I 1 (λ, λ 1 ) I λ nd λ 1 I 1 (λ, λ 1 ) (I I1) ( Imust I1) λ I nd λ 1 I 1 (λ, λ 1 ) I λ nd λ 1 I 1 (λ, λ 1 ) (I I1) ( Imy I1) (top) Assume now tht both λ nd λ 1 re consistent, i.e., λ / I nd λ 1 / I 1 : λ I nd (λ 1 λ λ λ / I nd (λ 1 P 1 \ I 1 or λ 1 (λ, λ 1 ) nd λ 1 I 1 (λ, λ 1 ) (λ, λ 1 ) λ 1 / I 1 or λ 1 (λ, λ 1) λ λ nd λ 1 λ 1 (λ, λ 1 ) λ nd λ 1 λ 1 (λ, λ 1 ) (λ, λ 1) λ P 1 \ I 1 ) (my1) λ 1 / I 1) (inconsistency) (must) (mynot) (my2) We now give intuitive explntions for the rules bove in prticulr with respect to the first requirement of Proposition 4. To do so, let R λ be the ms informlly defined s the sub-specifiction of R with initil stte λ. When explining rule involving trnsitions outgoing λ in R nd λ 1 in R 1 we will thus spek bout models in R λ, R λ1 1 nd R λ R λ1 1. Rλ nd R λ1 1 re just introduced in order to be ble to regrd locl models of R nd R 1 from sttes λ nd λ 1. When, sy λ I, we hve Mod(R λ ) =. RR n 7039

20 18 Bertrnd et l. Rule (I I 1 ) ensures tht since there re no models for R λ nd there re models for R λ1 1, there should not be models of Rλ R λ1 1, otherwise we would not hve the right to left impliction of Eqution (1) in Proposition 4. For Rules ( Imust I1) nd ( Imy I1) (together with Rule (top)), since Mod(R λ1 1 ) =, the right hnd side of Eqution (1) is trivilly stisfied. Therefore in ( Imust I1), the -trnsition required from λ cnnot be gurnteed; hence the quotient is not consistent. On the other hnd for Rule ( Imy I1), since nothing prticulr is required from λ for the -trnsition, nothing either needs being required for models of the quotient; to gurntee Eqution (2) of Proposition 4 (which sttes the mximlity of the quotient) we set the quotient to be universl, i.e. it ccepts every model. Rule (I I 1 ) together with Rule (top), is the cse where both Mod(R λ ) = nd Mod(R λ1 1 ) =. In this cse, the universl ms tht ccepts every model cn be in the quotient, nd this is wht is chosen in order to get the gretest such ms, s required by Eqution (2). We now come to the set of rules where both λ nd λ 1 re consistent (λ / I nd λ 1 / I 1 ), which by Lemm 1 mounts to sy tht Mod(R λ ) nd Mod(R λ1 1 ). In Rule (my1), is not possible from λ 1, nd is not mndtory from λ, it cn therefore sfely be uthorized in the quotient. Rule (mynot) dels with the cse where is forbidden in R λ, but is uthorized or even mndtory in R λ1 1 : it should be forbidden in the quotient. Rule (my2) is very strightforwrd, s models of the quotient my hve n -trnsition irrespectively of wht is required in R λ1 1. Finlly, Rules (inconsistency) nd (must) consider the cse where we hve must trnsitions in R λ. Rule (inconsistency) corresponds to the inbility of gurnteeing the -trnsition required in R λ since it my not exist in some models of R λ1. Hence only n inconsistent ms cn be considered so tht Eqution (1) holds. Rule (must) is the simple cse of must requirements; notice tht we implicitly hve λ 1 / I 1, since by ssumption λ 1 / I 1. One cn esily verify tht the conditions of the premises of Rules from (I I 1 ) to (must) re exclusive, hence the quotient construction yields deterministic object. Also, the quotient ms is complete. Quotient of mecs. The quotient of mecs S = (Q, λ 0, δ m, δ M ) by mecs S 1 = (Q 1, λ 0 1, δm 1, δm 1 ) is the mecs S S 1 = (Q, (λ 0, λ 0 1 ), δm, δm ), where Q (Q Q 1 ) { } nd where the set of loclly inconsistent sttes nd the trnsition modlities follow the rules (I I 1 ) to (must) of the untimed cse; the gurd of trnsition is the conjunction of the locl gurds of S nd S 1. For exmple, the untimed rule (must) becomes (tmust) s follows. λ g, λ g 1, nd λ 1 λ 1 (λ, λ 1 ) g g1, (λ, λ 1 ) Besides, the rule (ttop) is the following: true, (ttop) (tmust) This quotient opertion for mecs cn be used on ec s the clss of deterministic ec cn be embedded into the one of mecs; it suffices to type with must every INRIA

21 A Compositionl Approch on Modl Specifictions for Timed Systems 19 existing trnsitions in the ec, nd to complete it by dding trnsitions typed by my to stte in. Assuming determincy of event-clock utomt is not restrictive, since they re known to be determinizble [2]. Observe tht then the quotient of two event-clock utomt is not n event-clock utomton since e.g. Rule ( Imy I 1 ) introduces my trnsition to the top stte. Finlly, the quotienting opertion yields deterministic nd complete specifiction. Hence: Lemm 4 Modl event-clock specifictions re closed under quotient. Proof We prove tht the my trnsition reltion δ m of S S 1 = (Q, (λ 0, λ 0 1 ), δ m, δ M ) is deterministic nd complete, tht is, for ll stte (q, q 1 ) Q, ction nd clock vlution ν, there is exctly one trnsition ((q, q 1 ), g,, λ) with λ Q such tht ν = g. By hypothesis, the my trnsition reltions of S nd S 1 re deterministic nd complete. As result, there is exctly one trnsition (q, g,, λ) with λ Q nd ν = g in S, nd one trnsition (q 1, g,, λ 1 ) with λ 1 Q 1 nd ν = g 1 in S 1. By definition of the quotient, there is trnsition T = ((q, q 1 ), g g 1,, λ ) with λ Q in S 1 S. As the possible gurds of this trnsition re conjunctions of mutully exclusive gurds, they re lso mutully exclusive, nd this is the unique trnsition lbeled by tht cn be fired t clock vlution ν. As for the product opertion, the quotient opertion in the timed nd untimed settings reltes vi the region construction (for the extended lphbet) s follows. Proposition 5 R(S S 1 ) R(S) R(S 1 ). Proof Consider the binry reltion R between sttes of R(S 1 S 2 ) nd of R(S 1 ) R(S 2 ) defined by: R = {( ((λ, θ), (λ1, θ) ), ( (λ, λ 1 ), θ )) λ Q, λ 1 Q 1 } {(, θ), )} {(, θ), )}. For the sme reson s in the proof of Proposition 2 for, ny rechble stte of the form ((q, θ), (q 1, θ 1 )) in R(S) R(S 1 ) is such tht θ = θ 1. Observe lso tht ( (λ, θ), (λ 1, θ) ) in R(S) R(S 1 ) is inconsistent if nd only if ( (λ, λ 1 ), θ ) is inconsistent in R(S S 1 ). We clim tht tht R nd R 1 re modl refinements, estblishing thus the sttement of the proposition. We simply desmonstrte tht R is modl refinement for the cse of my trnsition in R(S S 1 ), tht is trnsition derived from the Rule (tmy2), the timed version of Rule (my2). The other cses cn be derived in similr wy. Suppose then in R(S S 1 ) trnsition ((λ, λ 1 ), θ) θ, ((λ, λ 1), θ ) where λ, λ / I nd λ 1, λ 1 / I 1 re ll consistent sttes. Then by Rule (tmy2), there exists in S S 1 trnsition (λ, λ 1 ) g, (λ, λ 1) such tht g = g g 1, λ g, λ in S, nd λ 1 g 1, λ 1 or λ 1 g 1, λ 1 in S 1, nd θ Succ(θ) g. Hence, for every region θ nd ll region θ Succ(θ) g, there is trnsition (λ, θ) θ, (λ, θ ) in R(S), nd trnsition (λ 1, θ) θ, (λ 1, θ ) or (λ 1, θ) θ, (λ 1, θ ) in R(S 1 ). RR n 7039

22 20 Bertrnd et l. These trnsitions re reflected in the untimed quotient R(S) R(S 1 ) by the trnsition ((λ, θ), (λ 1, θ)) θ, ((λ, θ ), (λ 1, θ )), which concludes. The correctness of the quotient construction is stted by the following. Theorem 3 (Properties of the quotient) For ny mecs S, S 1, S 2, nd ny ec C 2, C 2 = S S 1 C 1 = S 1, C 1 C 2 = S, nd (3) S 1 S 2 S S 2 S S 1. (4) Proof The proof relies on the similr result for simple modl specifictions stted by Proposition 4 (see [22] for proof). We strt proving Eqution (3). By Definition 9, S 1 S 2 S if nd only if R(S 1 S 2 ) R(S), if, nd only if, R(S 1 ) R(S 2 ) R(S) (by Proposition 3). By Eqution (2), this is equivlent to R(S 2 ) R(S) R(S 1 ). As Proposition 5 gives R(S) R(S 1 ) R(S 1 S), we equivlently obtin R(S 2 ) R(S 1 S), which finlly, by Definition 9, is equivlent to S 2 S S 1. This concludes. Regrding Eqution (4), we pply Definition 8 nd obtin C 2 = S S 1 if, nd only if, R(C 2 ) = R(S S 1 ). By Proposition 5, this is equivlent to R(C 2 ) = R(S) R(S 1 ). Then, ccording to Proposition 4, M 1 = R(S 1 ), M 1 R(C 2 ) = R(S) (5) In [8], we proved tht tht ny model M of modl region grph R(S) is some R-imge of model of S, tht is of the form R(C) where C is timed utomton. This result cn esily be doted to ec, nd this llows us to replce M 1 by some R(C 1 ), nd obtin the following equivlent to Eqution 5: C 1 = S 1, R(C 1 ) R(C 2 ) = R(S). By Proposition 3, this is equivlent to C 1 = S 1, R(C 1 C 2 ) = R(S). We conclude by Definition 9. From prcticl point of view, the quotient opertion enbles incrementl design: consider desired globl specifiction S, nd the specifiction S 1 of preexisting component. By computing S S 1 nd by checking its consistency, one cn test whether component implementing S 1 cn be reused in order to relize S, or not. Note tht by (4) the specifiction S S 1 is mximlly permissive in the sense tht it chrcterizes ll components C 2 such tht for ny C 1 implementing S 1, the composed system C 1 C 2 implements S. Exmple 5 A desired globl behvior G is depicted in Fig. 3(b), pge 16. It specifies tht ny get request must be fulfilled; the ccess to the resource is grnted for 2 time units nd 5 time units in the privileged mode. A model of G/(Cl Acc) will ct s protocol converter between Cl nd the ccess controller Acc ; the overll obtined system will stisfy G. The mecs G/(Cl Acc) is represented in Fig. 4. Not surprisingly, the stte c/11 is inconsistent. This is becuse, in the stte 11 in Fig. 3(), the resource is grnted for 4 units of time wheres in the stte c of the desired behvior G in Fig. 3(b), it must be grnted for 5 units of time. To void this inconsistency, the trnsition extr from stte b/10 to c/11 will not be implemented in ny model of G/(Cl Acc). Thus, the protocol converter will disllow the privileged mode. INRIA

23 A Compositionl Approch on Modl Specifictions for Timed Systems 21 grnt 4 < x get < 5 get get /00 b/10 extr grnt c/11 grnt /01 b/11 x get 4 grnt x get < 2 x get < 4 grnt, extr get, x get > 1 grnt get, x get > 1 extr get, grnt, extr grnt extr get, x get>1 extr grnt, x get>4 Figure 4: The quotient G/(Cl Acc) The quotient opertion we gve hs nice properties: its construction is in essence crtesin product, thus yielding polynomil time complexity, s opposed to the exponentil blow-up cused by the region grph construction of Proposition 5. Also the quotient, defined t the level of specifictions nd bstrcting from prticulr choice of implementtions, mounts to quotienting logicl sttements denoted by specifictions. In the untimed setting, the quotient opertion is prticulr cse of the exponentil construction introduced by [7] for rbitrry mu-clculus sttements. However, we tke here dvntge of the restricted logicl frgment covered by the modl specifictions, nmely the conjunction nu-clculus [14], to get n d-hoc polynomil-time complexity of this quotient construction. The present contribution suggests similr sitution for timed extension of the mu-clculus. 4 Relted work Regrding theory of interfces, we compre our pproch with the following settings: Interfce utomt of [11], timed interfces of [12], nd timed extensions of modl specifictions of [9]. Interfce utomt. In interfce utomt [12], n interfce is represented by n input/output utomton [20], i.e., n utomton whose trnsitions re typed with input nd output rther thn must nd my modlities. The semntics of such n utomton is given by two-plyer gme: the input plyer represents the environment, nd the output plyer represents the component itself. As explined [23], interfces nd modlities re in essence orthogonl to ech other. Moreover, interfce utomt do not encompss ny notion of model, nd thus neither the model reltion nor the consistency, becuse one cnnot distinguish between interfces nd components. Alterntively, properties of interfces re described in gme-bsed logics, e.g., ATL [3], with high-cost complexity. Refinement between interfce utomt corresponds to the lternting refinement reltion between gmes [4], i.e., n interfce refines nother one if its environment is more permissive wheres its component is more restric- RR n 7039