Extensional equivalences for transition systems

Summary Various notions of systems equivalence based on the reactions of systems to stimuli from the outside world are presented and compared. These notions have been proposed in the literature to allow abstraction from unwanted details in models of concurrent and communicating systems. The equivalences, already defined for different theories of concurrency, will be compared by adapting their definitions to labelled transition systems, a model which underlies many others. In the presentation of each equivalence, the aspects of system behaviours which are ignored and the identifications which are forced will be stressed. It will be shown that many equivalences, although defined very differently by following different intuitions about systems behaviour, turn out to be the same or to differ only in minor detail for a large class of transition systems.     

Compositional semantics and behavioral equivalences for P Systems

The aim of the paper is to give a compositional semantics in the style of the Structural Operational Semantics (SOS) and to study behavioral equivalence notions for P Systems. Firstly, we consider P Systems with maximal parallelism and without priorities. We define a process algebra, called P Algebra, whose terms model membranes, we equip the algebra with a Labeled Transition System (LTS) obtained through SOS transition rules, and we study how some equivalence notions defined over the LTS model apply in our case. Then, we consider P Systems with priorities and extend the introduced framework to deal with them. We prove that our compositional semantics reflects correctly maximal parallelism and priorities.     

Unifying proof methodologies of duration calculus and timed linear temporal logic

Linear temporal logic (LTL) has been widely used for specification and verification of reactive systems. Its standard model is sequences of states (or state transitions), and formulas describe sequencing of state transitions. When LTL is used to model real-time systems, a state is extended with a time stamp to record when a state transition takes place. Duration calculus (DC) is another well studied approach for real-time systems development. DC models behaviours of a system by functions from the domain of reals representing time to the system states. This paper extends this time domain to the Cartesian product of the real and the natural numbers. With the extended time domain, we provide the chop modality with a non-overlapping interpretation. This allows some linear temporal operators explicitly dealing with the discrete dimension of time to be derivable from the chop modality in essentially the same way that their continuous-time counterparts are in the classical DC. This provides a nice embedding of some timed LTL (TLTL) modalities into DC to unify the methods from DC and LTL for real-time systems development: Requirements and high level design decisions are interval properties and are therefore specified and reasoned about in DC, while properties of an implementation, as well as the refinement relation between two implementations, are specified and verified compositionally and inductively in LTL. Implementation properties are related to requirement and design properties by rules for lifting LTL formulas to DC formulas.On leave from the Department of Mathematics Computer Science the University of Leicester England.Received June 1999Accepted in revised form September 2003 by M. R. Hansen and C. B. Jones     

Deciding properties of timed transition models

Real-time distributed systems are modeled by a times transition model (TTM). For any finite-state TTM, decision procedures are provided for checking a small but important class of properties (specified in real-time temporal logic). The procedures are linear in the size of the system reachability graph. The class of properties includes invariance, precedence, eventuality and real-time response specifications     

Unifying user-to-user messaging systems

Unification of user-to-user messaging systems facilitates message exchange independent of time, place, protocol, and end-user device. This article describes an approach to unification that is based on introducing a middleware layer instead of employing gateways. It entails a single system that provides common services such as email, fax, and short messaging, but that can also enable novel services that current messaging systems can't support. The authors also describe how the model can be efficiently implemented on a global scale.     

Model-based testing of stochastically timed systems

Innovations in Systems and Software Engineering - Many systems are inherently stochastic: they interact with unpredictable environments or use randomised algorithms. Classical model-based testing...     

Supervisory control of timed discrete-event systems

The Ramadge-Wonham framework for control of discrete event systems is augmented with timing features by use of Ostroff's semantics for timed transition models. It is shown that the RW concept of controllability and the existence of maximally permissive supervisory controls can be suitably generalized. The enhanced setting admits subsystem composition and the concept of forcible event as an event that preempts the tick of a global clock. An example of a simple manufacturing cell illustrates how the new framework can be used to solve synthesis problems which may include logic-based, temporal and quantitative optimality specifications     

Supervision localization of timed discrete-event systems

We study supervisor localization for real-time discrete-event systems (DES) in the Brandin–Wonham framework of timed supervisory control. We view a real-time DES as comprised of asynchronous agents which are coupled through imposed logical and temporal specifications; the essence of supervisor localization is the decomposition of monolithic (global) control action into local control strategies for these individual agents. This study extends our previous work on supervisor localization for untimed DES, in that monolithic timed control action typically includes not only disabling action as in the untimed case, but also “clock preempting” action which enforces prescribed temporal behavior. The latter action is executed by a class of special events, called “forcible” events; accordingly, we localize monolithic preemptive action with respect to these events. We demonstrate the new features of timed supervisor localization with a manufacturing cell case study and discuss a distributed control implementation.     

Hierarchical control of timed discrete-event systems

An abstract hierarchical control theory is developed for a class of timed discrete-event systems (TDES) within the discrete-event control architectural framework proposed earlier by the authors. For this development, a control theory for TDES is introduced in the spirit of a prior theory of Brandin. A notion of time control structures is introduced, and on its basis a general property of hierarchical consistency is achieved by establishing control consistency — namely preservation of time control structures through the aggregation mapping in a two-level hierarchy.     

Unifying software engineering and systems engineering

The author describes CMMI (Capability Maturity Model Integration) and the emerging project methods which demonstrate the opportunities for process improvement gains open to organizations. The organization that changes from separated software and system engineering processes to a more unified approach will find itself far more suited to developing dynamically changing, software-intensive systems. Culture change is never easy, but the alternative is even less palatable     

Reduced supervisors for timed discrete-event systems

The design of reduced supervisors, suboptimal but easier to compute, is placed in a general perspective. From this vantage point, we consider a timed discrete-event system, and compute a reduced supervisor based on an abstraction of the plant model in which time is measured with a slower clock. Such a model is simpler than the original, but has richer untimed behavior. Thus, a time-independent specification met by the closed-loop reduced system is also met by the original system when controlled by the same supervisor. The idea is illustrated with a simple example.     

A timed calculus for wireless systems

We propose a timed broadcasting process calculus for wireless systems where time-consuming communications are exposed to collisions. The operational semantics of our calculus is given in terms of a labelled transition system. The calculus enjoys a number of desirable time properties such as (i) time determinism: the passage of time is deterministic; (ii) patience: devices will wait indefinitely until they can communicate; (iii) maximal progress: data transmissions cannot be delayed, they must occur as soon as a possibility for communication arises. We use our calculus to model and study MAC-layer protocols with a special emphasis on collisions and security. The main behavioural equality of our calculus is a timed variant of barbed congruence, a standard branching-time and contextually-defined program equivalence. As an efficient proof method for timed barbed congruence we define a labelled bisimilarity. We then apply our bisimulation proof-technique to prove a number of algebraic laws.     

A timed discrete-event abstraction of continuous-variable systems

The paper concerns continuous-variable systems whose state can only be observed through a quantizer, which indicates the time instant and the direction of the change of the quantized state value. These changes are considered as events. The problem is to find a concise representation of the quantized system, which allows to determine for a given initial event all timed event sequences that the quantized system can generate. Since the quantized system does not possess the Markov property, the modelling aim is to find a semi-Markov process which describes a superset of the event sequences of the quantized system. The paper shows how such a semi-Markov process can be obtained for a given quantized system. The model provides information about the occurrence time of the events and about the probability of the occurrence. The modelling problem and its solution are illustrated by considering a quantized oscillator.     

On d-inversion in interruptive timed discrete-event systems

The authors consider the problem of extracting event lifetimes from partial observations of an interruptive timed discrete-event system. The extraction of the lifetime of an occurring event is based on observations of all previous transitions and d-subsequent transitions. We refer to this notion as d-inversion. We give necessary and sufficient structural conditions for an event to be d-invertible in a given system     

Modelling timed reactive systems from natural-language requirements

At the very beginning of system development, typically only natural-language requirements are documented. As an informal source of information, however, natural-language specifications may be ambiguous and incomplete; this can be hard to detect by means of manual inspection. In this work, we present a formal model, named data-flow reactive system (DFRS), which can be automatically obtained from natural-language requirements that describe functional, reactive and temporal properties. A DFRS can also be used to assess whether the requirements are consistent and complete. We define two variations of DFRS: a symbolic and an expanded version. A symbolic DFRS (s-DFRS) is a concise representation that inherently avoids an explicit representation of (possibly infinite) sets of states and, thus, the state space-explosion problem. We use s-DFRS as part of a technique for test-case generation from natural-language requirements. In our approach, an expanded DFRS (e-DFRS) is built dynamically from a symbolic one, possibly limited to some bound; in this way, bounded analysis (e.g., reachability, determinism, completeness) can be performed. We adopt the s-DFRS as an intermediary representation from which models, for instance, SCR and CSP, are obtained for the purpose of test generation. An e-DFRS can also be viewed as the semantics of the s-DFRS from which it is generated. In order to connect such a semantic representation to established ones in the literature, we show that an e-DFRS can be encoded as a TIOTS: an alternative timed model based on the widely used IOLTS and ioco. To validate our overall approach, we consider two toy examples and two examples from the aerospace and automotive industry. Test cases are independently created and we verify that they are all compatible with the corresponding e-DFRS models generated from symbolic ones. This verification is performed mechanically with the aid of the NAT2TEST tool, which supports the manipulation of such models.     

Testing timed systems modeled by Stream X-machines

Stream X-machines have been used to specify real systems where complex data structures. They are a variety of extended finite state machine where a shared memory is used to represent communications between the components of systems. In this paper we introduce an extension of the Stream X-machines formalism in order to specify systems that present temporal requirements. We add time in two different ways. First, we consider that (output) actions take time to be performed. Second, our formalism allows to specify timeouts. Timeouts represent the time a system can wait for the environment to react without changing its internal state. Since timeous affect the set of available actions of the system, a relation focusing on the functional behavior of systems, that is, the actions that they can perform, must explicitly take into account the possible timeouts. In this paper we also propose a formal testing methodology allowing to systematically test a system with respect to a specification. Finally, we introduce a test derivation algorithm. Given a specification, the derived test suite is sound and complete, that is, a system under test successfully passes the test suite if and only if this system conforms to the specification.     

Unifying stabilization and termination in message-passing systems

The paper dispels the myth that it is impossible for a message-passing program to be both terminating and stabilizing. We consider a rather general notion of termination: a terminating program eventually stops its execution after the environment ceases to provide input. We identify termination-symmetry to be a necessary condition for a problem to admit a solution with such properties. Our results do confirm that a number of well-known problems (e.g., consensus, leader election) do not allow a terminating and stabilizing solution. On the flip side, they show that other problems such as mutual exclusion and reliable-transmission allow such solutions. We present a message-passing solution to the mutual exclusion problem that is both stabilizing and terminating. We also describe an approach of adding termination to a stabilizing program. To illustrate this approach, we add termination to a stabilizing solution for the reliable transmission problem.Published online: 15 November 2004Anish Arora: Supported in part by DARPA contract OSU-RF #F33615-01-C-1901,NSF grant NSF-CCR-9972368, Ohio State University Fellowship,and 2002-2003,2003-2004 grants from Microsoft Research.Mikhail Nesterenko: Supported in part by DARPA contract OSU-RF #F33615-01-C-1901 and byNSF CAREER Award 0347485Some of the results in this paper were presented at the 21st International Conference on Distributed Computing Systems, Mesa, Arizona, April 2001, pp 99-106. Correspondence to: Mikhail Nesterenko     

Distributed inversion in timed discrete event systems

We consider a discrete event system (DES) modeled by a timed automaton with partial state and event observations. We view the system as an input-output system, where the input is a sequence of event lifetimes, and the output is the resulting sequence of events, states, and transition epochs. We consider the problem of extracting event lifetimes (input) from observations of the output trajectory, which we callinversion. We give necessary and sufficient conditions forinvertibility, and an algorithm that extracts event lifetimes from any given output observation of an invertible system. We describe a distributed timed DES model based on the prioritized synchronous product of subsystems, and study the inversion problem in this framework. We show that invertibility in the subsystems implies invertibility in the global system. To illustrate our results, we provide an example of a tandem network.     

Schedulability analysis of fixed-priority systems using timed automata

In classic scheduling theory, real-time tasks are usually assumed to be periodic, i.e. tasks are released and computed with fixed rates periodically. To relax the stringent constraints on task arrival times, we propose to use timed automata to describe task arrival patterns. In a previous work, it is shown that the general schedulability checking problem for such models is a reachability problem for a decidable class of timed automata extended with subtraction. Unfortunately, the number of clocks needed in the analysis is proportional to the maximal number of schedulable task instances associated with a model, which is in many cases huge. In this paper, we show that for fixed-priority scheduling strategy, the schedulability checking problem can be solved using standard timed automata with two   extra clocks in addition to the clocks used in the original model to describe task arrival times. The analysis can be done in a similar manner to response time analysis in classic Rate-Monotonic Analysis (RMA). The result is further extended to systems with data-dependent control, in which the release time of a task may depend on the time-point at which other tasks finish their execution. For the case when the execution times of tasks are constants, we show that the schedulability problem can be solved using n+1$n+1$ extra clocks, where n$n$ is the number of tasks. The presented analysis techniques have been implemented in the Times tool. For systems with only periodic tasks, the performance of the tool is comparable with tools implementing the classic RMA technique based on equation-solving, without suffering from the exponential explosion in the number of tasks.     

Verification of continuous dynamical systems by timed automata

This paper presents a method for abstracting continuous dynamical systems by timed automata. The abstraction is based on partitioning the state space of a dynamical system using positive invariant sets, which form cells that represent locations of a timed automaton. The abstraction is intended to enable formal verification of temporal properties of dynamical systems without simulating any system trajectory, which is currently not possible. Therefore, conditions for obtaining sound, complete, and refinable abstractions are set up.