Qualitative Verification of Finite and Real-Time DEVS Networks
Moon Ho Hwang, Arizona Center for Integrative Modeling & Simulation
[email protected], http://sites.google.com/site/moonhohwang/
Abstract—This paper introduces a qualitative verification methodology for a subclass of RTDEVS (Real-Time Discrete Event System Specification) [4], called Finite RTDEVS (FRTDEVS). Subclassing FRTDEVS from RTDEVS aims to generate a finite reachability graph for a given network of FRTDEVS models. Since the reachability graph is isomorphic to the given FRTDEVS network in terms of behavior, it enables us to verify qualitative properties of the target system. To demonstrate practical usage of the reachability graph, we illustrate how to check the safety and liveness of monorail systems modeled by FRTDEVS networks.
I. INTRODUCTION

Real-Time DEVS (RTDEVS) [4] was introduced publicly to provide a seamless procedure from specification to real-time system implementation. We can see the formalism as an extension of the Discrete Event System Specification (DEVS) in the direction of allowing nondeterminism in the time advance mechanism [11]. Since its birth, the class of RTDEVS has been researched to show the continuity of model development, especially in combining simulation and execution [4], [6]. As an analysis methodology, simulation of RTDEVS is based on the sampling principle: it traces a set of behaviors drawn from the sample space [4]. Even though the simulation methodology has the advantage of scalability, it also has a downside: lack of decidability of behavioral properties. From the opposite direction, another technique, verification, has been researched extensively [2] to overcome this disadvantage of sampling-based simulation of discrete event dynamic systems. With this background, verification of RTDEVS networks started between 2000 and 2010. [10] showed the possibility of RTDEVS verification, focusing on a traffic gate control example. Even though [10] illustrated the overall concept, it did not prove completeness in reaching the reachable state space of an RTDEVS network. In 2010, [8] attempted to convert a subclass of RT-DEVS, called Rational Time-Advance DEVS (RTA-DEVS), to timed automata (TA) [1] to take advantage of the verification capabilities of a TA-based tool, UPPAAL. Unfortunately, the completeness of the conversion from RTA-DEVS to TA [8], especially considering the arbitrary resetting of the elapsed time in RTA-DEVS when arbitrary input events are allowed, has not been proven yet. [10] also sketched the verification concept for RTDEVS networks; however, it did not provide any algorithm for the verification method. As a consequence, qualitative verification of RTDEVS networks is still an open problem.
Fig. 1. Class Relations: A → B denotes that A is a superclass of B.
Like [8], this paper introduces another subclass of RTDEVS, called FRTDEVS. However, we generate its reachability graph directly, as the author did in [7]. The reason we take the direct generation of the isomorphic finite structure is that generating a reachability graph and analyzing it is one of the most fundamental techniques in verification. Without this technique we would not be able to verify other extensions of DEVS for which conversion to TA might be impossible because of their broader expressiveness. We organize this paper as follows. Section II introduces the timed event language and Dynamic Systems, which provide the foundations of system behaviors and behavioral equivalence. Based on Dynamic Systems, Section III defines the behavior sets of atomic FRTDEVS models and coupled FRTDEVS models. To capture the behaviors of FRTDEVS models, which require an infinite state space, in a finite structure, Section IV shows algorithms for generating an isomorphic finite graph, called the reachability graph. In addition, Section V shows a technique for solving the decidability problems of system safety and liveness of monorail systems using the corresponding reachability graph. Section VI concludes this paper and gives future research directions. Figure 1 shows the relationships among the classes introduced in the paper.

II. DYNAMIC SYSTEMS

This section defines the prerequisite framework along with variable trajectories (especially the timed event language) and a class of dynamic systems.

A. Timed Languages

First, we introduce two symbols of time:
$$T = [0, \infty) \quad \text{and} \quad T_\infty = [0, \infty) \cup \{\infty\}$$
where T is the set of non-negative real numbers, while T∞ is T with infinity ∞, where ∞ + t = ∞ and ∞ − t = ∞ for any t ∈ T. A variable is a storage to represent statuses; associated with a dynamic system, a variable changes its value over time. Based on this idea, a segment of a variable over time is captured by a partial function ω : T → Z where Z can be an arbitrary set. We denote the domain of a given segment ω by dom(ω) = {t ∈ T : ω(t) is defined}. We assume that dom(ω) for a variable's segment ω is a time interval [tl, tu] = {t : tl ≤ t ≤ tu} ⊆ T where tl and tu are its lower and upper bounds. The length of an interval [tl, tu] is denoted by len([tl, tu]) and equals tu − tl. A time interval [tl, tu] is said to be a singleton if tl = tu; therefore a singleton interval has zero length. The length of a segment ω is the length of its domain: len(ω) = len(dom(ω)). There are several classes of segments that we are interested in in this paper. A segment ω is said to be constant if ω(t) = ω(t′) for all t, t′ ∈ dom(ω). A segment ω : [tl, tu] → R is said to be linear if ω(t) = c × (t − tl) + ω(tl) where c ∈ R is the slope, or derivative, of ω. We assume that c = 1 or c = 0 for all linear segments in this paper. The constant segment is the special linear segment with c = 0. Another kind of segment we pay attention to is the event segment. An event is a label that indicates a system change. When the codomain Z of a given segment ω is a set of events, ω is an event segment. A segment ω is called a timed event if ω(t) is defined over a singleton interval, i.e., dom(ω) = [t, t] with t ∈ T. Since the domain of such a segment is the single point t, with ω(t) = z ∈ Z, we sometimes use the ordered pair notation (t, z) instead of the function notation ω(t) = z. Given an event set Z, the null event, a symbol not in Z, denotes that nothing happens in Z. A segment ω is called the null segment if ω(t) is the null event for all t ∈ dom(ω).
For convenience, the null segment over [tl, tu] (ω(t) equal to the null event for all t ∈ [tl, tu]) is written with the interval [tl, tu] as a subscript of the null-event symbol. An event segment is either a timed event or a null segment. An event trajectory is a concatenation of event segments. Given a set of events Z, Ω_{[tl,tu],Z} denotes the set of all event trajectories ω : [tl, tu] → Z* where Z* is the Kleene closure [5] of Z. A timed language is a set of event trajectories: if L is a timed language, then L ⊆ Ω_{[tl,tu],Z}.

B. Dynamic Systems

We define here the structure, the behaviors, and the equivalence of dynamic systems.

1) Structure of Dynamic Systems:

Definition 1 [Dynamic System] A dynamic system (DS) is a structure
$$G = (Z, Q, Q_0, Q_A, \Delta)$$
where
• Z is a set of interface values;
• Q is a set of states;
• Q0 ⊆ Q is a set of initial states;
• QA ⊆ Q is a set of accepting states;
• ∆ ⊆ Q × Ω_{[tl,tu],Z} × Q is a set of state transition trajectories that are transitive:
$$(q, \omega_1, p) \in \Delta \ \text{and}\ (p, \omega_2, q') \in \Delta \ \Rightarrow\ (q, \omega_1 \omega_2, q') \in \Delta \qquad (1)$$
where (q, ω, q′) ∈ ∆ means that state q can reach state q′ along ω.

2) Behaviors of Dynamic Systems: Roughly speaking, a behavior of a given DS G = (Z, Q, Q0, QA, ∆) is an event segment (or event trajectory) by which an initial state can reach an accepting state, or can visit the set of accepting states infinitely many times. The language of a given DS G is its set of behaviors, which may depend on the observation time. Let t be the observation time length. If 0 ≤ t < ∞, the t-length observation language of G is denoted by L(G, t) and defined as
$$L(G, t) = \{\omega \in \Omega_{[0,t],Z} : \exists (q_0, \omega, q) \in \Delta,\ q_0 \in Q_0,\ q \in Q_A\}. \qquad (2)$$
Based on Equation (2), the infinite-length observation language of G is denoted by L(G, ∞) and defined as
$$L(G, \infty) = \{\omega \in \lim_{t \to \infty} \Omega_{[0,t],Z} : \{q : (q_0, \omega, q) \in \Delta,\ q_0 \in Q_0\} \subseteq Q_A\}. \qquad (3)$$
We use the notation L(G) for the behavior set of G regardless of the observation time t when t is not significant. We will use the class of Dynamic Systems G to define the behaviors of subclasses of Dynamic Systems in Sections III and IV.

3) Behavioral Equivalence of Dynamic Systems: To show behavioral equivalence between two dynamic systems, we can show that a certain mapping exists.

Definition 2 (Isomorphism) Given two dynamic systems G = (Z, Q, Q0, QA, ∆) and G† = (Z, Q†, Q†0, Q†A, ∆†), a function f : Q → Q† is called an isomorphism if (1) q ∈ Q0 ⇔ f(q) ∈ Q†0, (2) q ∈ QA ⇔ f(q) ∈ Q†A, and (3) (q, ω, q′) ∈ ∆ ⇔ (f(q), ω, f(q′)) ∈ ∆†.

Lemma 1 Given two dynamic systems G = (Z, Q, Q0, QA, ∆) and G† = (Z, Q†, Q†0, Q†A, ∆†), if there exists an isomorphism f : Q → Q†, then L(G) = L(G†).

Proof: Let f be the isomorphism. By Equation (2), (q0, ω, q) ∈ ∆ with q0 ∈ Q0 and q ∈ QA implies (f(q0), ω, f(q)) ∈ ∆† with f(q0) ∈ Q†0 and f(q) ∈ Q†A, so L(G, t) ⊆ L(G†, t). The opposite direction holds as well, so L(G†, t) ⊆ L(G, t). Therefore L(G, t) = L(G†, t). By Equation (3), ∃q0 ∈ Q0 : {q : (q0, ω, q) ∈ ∆} ⊆ QA with len(ω) → ∞ implies ∃f(q0) ∈ Q†0 : {f(q) : (f(q0), ω, f(q)) ∈ ∆†} ⊆ Q†A. In other words, L(G, ∞) ⊆ L(G†, ∞). The opposite direction holds as well, so L(G†, ∞) ⊆ L(G, ∞). Therefore L(G, ∞) = L(G†, ∞). As a consequence, L(G) = L(G†). We will use an isomorphism to show the behavioral equivalence between an FRTDEVS network and its reachability graph in Theorem 1 of Section IV-B.
III. FINITE AND REAL-TIME DEVS (FRTDEVS)

A. Atomic FRTDEVS

Definition 3 (FRTDEVS) An atomic FRTDEVS model is given by the 7-tuple
$$M = (X, Y, S, s_0, \tau, \delta_x, \delta_y)$$
where
• X and Y are the finite sets of input events and output events, respectively;
• S is the finite set of states, with which a state variable s ∈ S is piecewise constant;
• s0 ∈ S is the initial state;
• τ : S → Q∞ × Q∞ is the time advance function, mapping a given state to an interval bounded by non-negative rational numbers or infinity;
• δx : S × X → B × S, with B = {0, 1}, is the external transition function. δx(s, x) = (ρ, s′) defines how an input event x changes state s to s′ as well as its lifespan schedule: when ρ = 1, the lifetime σ at s′ is set to a value t distributed randomly within τ(s′).
• δy : S → Y^φ × S is the output and internal transition function, in which δy(s) = (y, s′) defines how state s generates an output y ∈ Y^φ and changes internally into s′ (when the elapsed time reaches the lifetime of the state), where Y^φ = Y ∪ {φ} and φ ∉ Y is a silent, or unobservable, event.

Notice that FRTDEVS is a subclass of RT-DEVS because of several restrictions: (1) events and states are finite, (2) the lower and upper bounds must be non-negative rational numbers or infinity, and (3) the external transition function δx does not consider the elapsed time e, while δext of [4] does, and e is reset only if δx(s, x) = (1, s′). All these restrictions were chosen to obtain a finite reachability graph for a given FRTDEVS network.

Definition 4 (Behaviors of Atomic FRTDEVS models) Let M = (X, Y, S, s0, τ, δx, δy) be an atomic FRTDEVS model. Then the behavior of M is described by a DS G(M) = (Z, Q, Q0, QA, ∆) where the event set is Z = X ∪ Y^φ; the set of states is Q = QA ∪ QN, where QA = {(s, σ, e) : s ∈ S, σ ∈ T∞, e ∈ [0, σ] ∩ T} is the set of accepting states, σ is the lifespan (piecewise constant), e is the elapsed time (piecewise linear), and QN = {s̄ ∉ QA} is the set of non-accepting states, in which s̄ is piecewise constant. The set of initial states is Q0 = {(s0, σ, 0) : σ ∈ τ(s0)}. The state trajectory relation ∆ ⊆ Q × Ω_{T,Z} × Q is defined in two cases, q ∈ QN and q ∈ QA. If q = s̄ ∈ QN, then for any event segment ω ∈ Ω_{T,Z}, (q, ω, q) ∈ ∆, i.e., nothing changes for q ∈ QN. For q = (s, σ, e) ∈ QA at time t ∈ T, ∆ is defined by three unit event segments, the null segment, the timed input event, and the timed output event, as follows. If the unit segment ω is the null segment over [t, t + dt], the time passage trajectory is
$$(q, \omega, (s, \sigma, e + dt)) \in \Delta.$$
If the unit segment ω = (t, x) is a timed input event, then the state transition is
$$\begin{aligned}
(q, \omega, (s', \sigma', 0)) \in \Delta &\quad \text{if } \delta_x(s, x) = (1, s'),\ \sigma' \in \tau(s') \\
(q, \omega, (s', \sigma, e)) \in \Delta &\quad \text{if } \delta_x(s, x) = (0, s') \\
(q, \omega, (\bar{s}, \sigma, e)) \in \Delta &\quad \text{otherwise.}
\end{aligned} \qquad (4)$$
Notice that an input event x ∈ X may change or preserve the lifespan σ and the elapsed time e according to the conditions in the first and second statements of Equation (4), respectively. If the unit segment ω = (t, y) is a timed output event y ∈ Y^φ, the state transition is
$$\begin{aligned}
(q, \omega, (s', \sigma', 0)) \in \Delta &\quad \text{if } e = \sigma,\ \delta_y(s) = (y, s'),\ \sigma' \in \tau(s') \\
(q, \omega, \bar{s}) \in \Delta &\quad \text{otherwise.}
\end{aligned} \qquad (5)$$
The first statement of Equation (5) is the transition into an accepting state in QA. The second statement defines the condition for entering a non-accepting state s̄ ∈ QN. Based on these three building blocks, the time passage trajectory above, Equation (4), and Equation (5), we can build the state transition trajectories for multiple event segments using the transitive relation of Equation (1).

B. Coupled FRTDEVS

Definition 5 (Coupled FRTDEVS) An FRTDEVS network is a 7-tuple N = (X, Y, D, {Mi}, Cxx, Cyx, Cyy) where
• X and Y are the finite sets of input and output events, respectively;
• D is the finite set of subcomponent names;
• {Mi} is the finite indexed set of subcomponents such that for each i ∈ D, Mi is an atomic FRTDEVS model (we assume a flattened structure for simplicity here);
• Cxx ⊆ X × ⋃_{i∈D} Xi is the external input coupling relation;
• Cyx ⊆ ⋃_{i∈D} Yi × ⋃_{i∈D} Xi is the internal coupling relation;
• Cyy : ⋃_{i∈D} Yi → Y^φ is the output coupling function.
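To make the atomic behavior of Definition 4 concrete before the coupled case, the following acceptor decides whether a timed event trajectory belongs to L(M, t) for a small atomic FRTDEVS M. This is an added example, not code from the paper; the model (a station that departs a vehicle [20, 22] time units after it arrives), its event names, and the names dx, dy and accepts are constructed here. The acceptor never fixes a lifespan σ: it keeps the schedule interval chosen at the last reset and checks that some σ in it agrees with every output time and with the end of the observation, which is the existential choice σ′ ∈ τ(s′) in Equations (4) and (5).

```python
"""Added example, not from the paper: an acceptor deciding whether a timed event
trajectory lies in L(M, t) for a constructed atomic FRTDEVS M, following Definition 4."""
INF = float("inf")

# Constructed M = (X, Y, S, s0, tau, dx, dy): a station that departs a vehicle [20, 22] time
# units after it arrives.  H ('hold') is entered with rho = 0, so the schedule chosen on
# entering L keeps running; tau(H) is listed because tau is total over S, but it would only
# be used if H were entered with rho = 1, which this model never does.
X, Y = {"?arrive", "?hold"}, {"!depart"}
S0 = "E"
TAU = {"E": (INF, INF), "L": (20, 22), "H": (0, 5)}

def dx(s, x):
    """External transition delta_x: (rho, s'); rho = 1 reschedules sigma and resets e."""
    if (s, x) == ("E", "?arrive"): return (1, "L")
    if (s, x) == ("L", "?hold"):   return (0, "H")
    return (0, s)                          # ignored input: state and schedule unchanged

def dy(s):
    """Output and internal transition delta_y, taken when e = sigma: (y, s')."""
    return ("!depart", "E") if s in ("L", "H") else (None, s)

def accepts(traj, t_obs):
    """Decide traj in L(M, t_obs).  traj is a time-ordered list of timed events (t, z); the
    null segments between them are implicit.  (s, ts, t_reset) stands for all accepting
    states (s, sigma, e) with sigma in ts and e = now - t_reset; sigma is never fixed, only
    constrained, which is the existential choice of sigma' in tau(s') in Equations (4), (5).
    Returning False also covers the absorbing non-accepting state s-bar."""
    s, ts, t_reset, last = S0, TAU[S0], 0, 0    # Q0 = {(s0, sigma, 0) : sigma in tau(s0)}
    for t, z in traj:
        if t < last or t > t_obs:
            return False                        # not an event trajectory over [0, t_obs]
        e = t - t_reset
        if e > ts[1]:
            return False                        # time passage outran every sigma in ts: left Q_A
        if z in X:                              # Equation (4)
            rho, s2 = dx(s, z)
            if rho:
                ts, t_reset = TAU[s2], t        # sigma' in tau(s'), e := 0
            s = s2                              # rho = 0: s changes, (sigma, e) are kept
        elif z in Y:                            # Equation (5): only at e = sigma for some sigma in ts
            y, s2 = dy(s)
            if y != z or e < ts[0]:
                return False                    # (q, omega, s-bar): non-accepting from here on
            s, ts, t_reset = s2, TAU[s2], t
        else:
            return False                        # not an event of Z = X u Y^phi
        last = t
    return t_obs - t_reset <= ts[1]             # some sigma in ts still exceeds e at time t_obs
```

With this model, accepts([(10, "?arrive"), (31, "!depart")], 40) holds, while a departure at time 25 (elapsed time 15, outside [20, 22]) or no departure at all by time 40 (elapsed time 30 exceeds every admissible σ) is rejected; a ?hold at time 12 moves the station to H but the departure is still judged against the [20, 22] schedule chosen in L, which is the second statement of Equation (4) at work.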
Definition 6 (Behaviors of Coupled FRTDEVS models) Let N = (X, Y, D, {Mi}, Cxx, Cyx, Cyy) be a coupled FRTDEVS model. Then the behavior of N is described by a DS G(N) = (Z, Q, Q0, QA, ∆) where the event set is Z = X ∪ Y^φ; the set of states Q = ∏_{i∈D} Qi is the cross product of the states of all subcomponents, and the set of accepting states is the cross product of the accepting states of all subcomponents, QA = ∏_{i∈D} QAi. The set of non-accepting states is QN = Q \ QA, so Q = QA ∪ QN and QA ∩ QN = ∅. The set of initial states is the cross product of the initial state sets of the subcomponents i ∈ D:
$$Q_0 = \prod_{i \in D} Q_{0i}. \qquad (6)$$
Let q = (…, si, σi, ei, …) ∈ Q at time t ∈ T. Then the state trajectory relation ∆ ⊆ Q × Ω_{[tl,tu],Z} × Q is defined for two cases, q ∈ QN and q ∈ QA. If q ∈ QN, then for ω ∈ Ω_{T,Z}, (q, ω, q) ∈ ∆, i.e., nothing changes for q ∈ QN. For q ∈ QA, ∆ is defined in three different cases of the event segment ω ∈ Ω_{T,Z} as follows. For a null event segment ω over [t, t + dt], ∆ is called the time passage:
$$(q, \omega, (\ldots, s_i, \sigma_i, e_i + dt, \ldots)) \in \Delta. \qquad (7)$$
For a timed input event ω = (t, x) where x ∈ X,
$$(q, \omega, (\ldots, q_i', \ldots)) \in \Delta \qquad (8)$$
where
$$q_i' = \begin{cases}
(s_i', \sigma_i', 0) & \text{if } (x, x_i) \in C_{xx},\ \delta_{x_i}(s_i, x_i) = (1, s_i'),\ \sigma_i' \in \tau_i(s_i') \\
(s_i', \sigma_i, e_i) & \text{if } (x, x_i) \in C_{xx},\ \delta_{x_i}(s_i, x_i) = (0, s_i') \\
(s_i, \sigma_i, e_i) & \text{if } \nexists x_i : (x, x_i) \in C_{xx}.
\end{cases} \qquad (8a)$$
Equation (8a) explains that the influence of the input event x is translated into xi through a coupling (x, xi) ∈ Cxx and transits the state from si to s′i. Rescheduling σi and resetting ei happen only if δxi(si, xi) = (1, s′i). Lastly, for a timed output or silent event ω = (t, y) where y ∈ Y^φ,
$$(q, \omega, (\ldots, q_i', \ldots)) \in \Delta \qquad (9)$$
where
$$q_i' = \begin{cases}
(s_{i^*}', \sigma_{i^*}', 0) & \text{if } \sigma_{i^*} = e_{i^*},\ \delta_{y,i^*}(s_{i^*}) = (y_{i^*}, s_{i^*}'),\ C_{yy}(y_{i^*}) = y,\ \sigma_{i^*}' \in \tau_{i^*}(s_{i^*}') \\
\bar{s}_{i^*} & \text{if } \neg\big(\sigma_{i^*} = e_{i^*},\ \delta_{y,i^*}(s_{i^*}) = (y_{i^*}, s_{i^*}'),\ C_{yy}(y_{i^*}) = y,\ \sigma_{i^*}' \in \tau_{i^*}(s_{i^*}')\big) \\
(s_i', \sigma_i', 0) & \text{if } (y_{i^*}, x_i) \in C_{yx},\ \delta_{x_i}(s_i, x_i) = (1, s_i'),\ \sigma_i' \in \tau_i(s_i') \\
(s_i', \sigma_i, e_i) & \text{if } (y_{i^*}, x_i) \in C_{yx},\ \delta_{x_i}(s_i, x_i) = (0, s_i') \\
(s_i, \sigma_i, e_i) & \text{if } \nexists x_i : (y_{i^*}, x_i) \in C_{yx}.
\end{cases} \qquad (9a)$$
The first statement of Equation (9a) covers the output and internal transition δy,i*(si*) = (yi*, s′i*), which occurs when the elapsed time reaches the lifespan; the output is translated to y by the output coupling, and the new lifespan σ′i* must lie in the time advance interval τi*(s′i*). If this condition is not satisfied, the event (t, y) changes the state into a non-accepting state s̄i* ∈ QNi, so q′ ∈ QN, as addressed in the second statement of Equation (9a). The influence of the output event yi* via the internal couplings Cyx is identical to that of an input event via the input couplings Cxx, as explained for Equation (8a). Based on the three primitive cases of Equations (7), (8), and (9), we apply Equation (1) transitively when ω is a multi-event segment. For simplicity, we write L(N) for the behavior of the coupled FRTDEVS model N instead of L(G(N)), where G(N) denotes the DS corresponding to N by Definition 6.

Example 1 (Behavior of a coupled FRTDEVS model) Let us consider some behaviors in L(N, 55) where N is
Fig. 2. A coupled FRTDEVS network. For simplicity and without loss of expressiveness, we omit drawing the external transitions that ignore the input event x ∈ X, i.e., δx(s, x) = (0, s) for s ∈ S (neither the state s nor the schedule is updated). For example, δx(I, ?r) = (0, I) and δx(B, ?x) = (0, B) of the model m1 are not drawn in the figure.
the coupled FRTDEVS model shown in Figure 2, and the observation time is 55. Then {(?x, 15)(!o1, 25)(!o2, 40), (?x, 15)(!o1, 35)(!o2, 40), (?x, 15)(!o1, 35)(!o2, 40), (?x, 15)(!o1, 25)(!o1, 35)(!o1, 45)(!o2, 50)} ⊂ L(N), where (?x, 15)(!o1, 25)(!o2, 40) abbreviates the trajectory ω made of the null segment over [0, 15], (?x, 15), the null segment over [15, 25], (!o1, 25), the null segment over [25, 30], (!o2, 40), and the null segment over [40, 55]. However, {(?x, 15)(!o2, 35), (?x, 15)(!o1, 35)(!o2, 40)} ⊄ L(N).

IV. REACHABILITY GRAPH OF FRTDEVS NETWORK

The number of states needed to define the behaviors of the FRTDEVS networks introduced in Section III-B is infinite because of the associated elapsed times. Fortunately, there exists a finite and behaviorally equivalent structure, called the reachability graph.

A. Structure of Reachability Graph

Before defining the reachability graph of FRTDEVS networks, we need an n-dimensional convex polyhedron capturing a region of elapsed times ei for i ∈ D. Suppose that we have two time intervals i1 = [l1, u1], i2 = [l2, u2] ⊆ T. Their equality is defined by their boundaries: i1 = i2 if l1 = l2 and u1 = u2. The lower bound and upper bound are denoted by lb(i1) = l1 and ub(i1) = u1 from now on. i1 is called empty, denoted i1 = ∅, if ub(i1) ≤ lb(i1). The intersection of non-empty i1 and i2 is i1 ∩ i2 = [max{lb(i1), lb(i2)}, min{ub(i1), ub(i2)}], which can be empty. If either of i1 and i2 is empty, then so is i1 ∩ i2 = ∅.

Definition 7 (Time Zone) Suppose that N = (X, Y, D, {Mi}, Cxx, Cyx, Cyy) is an FRTDEVS network. Let the extended set of component names be D0 = D ∪ {0}, where 0 ∉ D is a dummy model name whose elapsed time is always zero, i.e., e0 = 0 (exceptionally, e0 is piecewise constant). Let d(i, j) denote the interval of the difference ei − ej between the elapsed times of i and j, for i, j ∈ D0. A conjunction of intervals
$$\varphi = \bigwedge_{i, j \in D_0} d(i, j)$$
is called a time zone of N.

Since e0 = 0, d(i, 0) is the interval covering the elapsed time of i ∈ D. In addition, d(i, i) = 0 and d(i, j) = −d(j, i) for i, j ∈ D0. Notice that a time zone ϕ for N is a convex polyhedron in |D|-dimensional Euclidean space. For example, a 2-dimensional polyhedron is the time zone of the FRTDEVS network of Figure 2.

Definition 8 (Reachability Graph of FRTDEVS networks) The reachability graph R(N) of an FRTDEVS network N is given by a labeled graph R(N) = (Z, V, V0, E) where
• Z = X ∪ Y^φ is the set of triggering events;
• V is a finite set of vertices such that for a vertex v ∈ V, disc(v) = (…, si, tsi, …) is a composite variable of the state si and the lifespan interval tsi for i ∈ D, and the time zone is tzone(v) = ⋀_{i,j∈D0} d(i, j);
• V0 ⊆ V is the set of initial vertices;
• E ⊆ V × Z × 2^D × V is the set of transition relations, where (v, z, DR, v′) ∈ E denotes that the discrete state disc(v) changes to disc(v′) by an event z ∈ Z together with resetting ei for i ∈ DR ⊆ D.

B. Algorithm for Generating Reachability Graph

Let ϕ = ⋀_{i,j∈D0} d(i, j) be a time zone. The lower boundary lb(d(i, j)) (respectively, the upper boundary ub(d(i, j))) of ϕ is called loose if there exists k ∈ D0 such that lb(d(i, j)) < lb(d(i, k) + d(k, j)) (resp. ub(d(i, j)) > ub(d(i, k) + d(k, j))). Tightening of a given time zone ϕ, denoted by T(ϕ), is the operation that tightens all boundaries of the time differences between ei and ej until no boundary is loose. Formally,
$$T(\varphi) = \bigwedge_{k, i, j \in D_0} \big[\max(lb(d(i, j)),\ lb(d(i, k) + d(k, j))),\ \min(ub(d(i, j)),\ ub(d(i, k) + d(k, j)))\big]. \qquad (10)$$
Given two time zones ϕ1 = ⋀_{i,j∈D0} d1(i, j) and ϕ2 = ⋀_{i,j∈D0} d2(i, j), they are identical, denoted ϕ1 = ϕ2, if d1(i, j) = d2(i, j) for all i, j ∈ D0; otherwise ϕ1 ≠ ϕ2. Tightening generates a canonical representation of a time zone, so T(ϕ1) = T(ϕ2) is possible even though ϕ1 ≠ ϕ2. A time zone ϕ is said to be tight if ϕ = T(ϕ). The following operations over time zones generate tight time zones. (Footnote 3: The original idea of defining the n-dimensional time zone for the elapsed times ei came from Dill's clock bound matrix [3], which uses a matrix form rather than a conjunction of intervals.)
Let t = (…, tsi, …) be a schedule vector where tsi ∈ {τi(si) : si ∈ Si} is the schedule interval of subcomponent i ∈ D. Sliding of a given time zone ϕ within a schedule vector t, denoted by S(ϕ, t), is the time zone in which every elapsed time ei fairly grows as far as possible within the schedule vector:
$$S(\varphi, t) = T\Big(\bigwedge_{i, j \in D_0} \begin{cases} [lb(d(i, j)),\ ub(ts_i)] & \text{if } j = 0 \\ d(i, j) & \text{otherwise.} \end{cases}\Big) \qquad (11)$$
The operation S aggregates the bundles of time passages of Equation (7), in which each elapsed time can reach the upper bound of its lifespan interval when that upper bound is not a loose boundary. Resetting a given time zone ϕ with respect to the components DR ⊆ D, denoted by R(ϕ, DR), resets the intervals of all elapsed times ei, i ∈ DR:
$$R(\varphi, D_R) = T\Big(\bigwedge_{i, j \in D_0} \begin{cases} [0, 0] & \text{if } i \in D_R,\ j = 0 \\ d(i, j) & \text{otherwise.} \end{cases}\Big) \qquad (12)$$
The operation R aggregates the bundles of elapsed-time resettings that can occur by an external transition (the second statement of Equation (19)) or an internal transition (the first and third statements of Equation (9a)). The successor of a time zone ϕ is obtained by (1) resetting the components of DR and (2) letting the result slide within a schedule vector t:
$$Successor(\varphi, D_R, t) = S(R(\varphi, D_R), t). \qquad (13)$$
The operation Successor computes the time zone of the next state: from resetting certain elapsed times by the external or the internal transition, to letting the elapsed times grow up to their lifespan upper bounds or less. Lastly, Enabler(i*, tsi*, ϕ) is the time zone in which component i* can execute its internal transition when a time zone ϕ = ⋀_{i,j∈D0} d(i, j) is given:
$$Enabler(i^*, ts_{i^*}, \varphi) = T\Big(\bigwedge_{i, j \in D_0} \begin{cases} d(i, j) \cap ts_{i^*} & \text{if } i = i^*,\ j = 0 \\ d(i, j) & \text{otherwise.} \end{cases}\Big) \qquad (14)$$
Notice that d(i*, 0) ∩ tsi* = ∅ in ϕ if and only if Enabler(i*, tsi*, ϕ) = ∅. Moreover, i* cannot execute its internal transition (or the output generation) when d(i*, 0) ∩ tsi* = ∅, because the elapsed time cannot reach any lifespan σi* ∈ tsi* in the time zone ϕ. Generating the reachability graph tries to visit all possible states by applying the state transitions defined in Equations (7), (8), and (9), except for q ∈ QN. Unlike conventional simulation, which generates a sequence of single-valued states, the reachability-graph algorithm collects a group of simulation paths as one vertex. To describe the algorithms for generating a reachability graph in detail, we use the following notation for a given vertex v = ((…, (si, tsi), …), ϕ):
• disc(v) = (s, t) = (…, (si, tsi), …) is the state-schedule vector;
• schedule(v) = t = (…, tsi, …) is the schedule vector;
• disc(v)[i] = (si, tsi) is the pair of state and schedule of component i; and
• tzone(v)[i] = d(i, 0) is the interval of the elapsed time ei of component i in the time zone ϕ of v.
Algorithm 1 ReachabilityGraph(N, ↑G)
1: (s, t) = (…, (s0i, τi(s0i)), …);
2: v0 = ((s, t), ϕ0) where ϕ0 = S(⋀_{i,j∈D0} [0, 0], t);
3: VT := ∅; Add v0 to VT, G.V0 and G.V;
4: while VT ≠ ∅ do
5:   v = ((…, (si, tsi), …), ϕ) := pop_front(VT);
6:   for all x ∈ X do
7:     vn := copy(v);
8:     WhenReceive-z(N, vn, x, ∅, vn, VT, G);
9:   end for
10:  for all i ∈ D do
11:    if tzone(v)[i] ∩ tsi ≠ ∅ then
12:      vn := copy(v);
13:      tzone(vn) := Enabler(i, tsi, tzone(vn));
14:      δyi(si) = (yi, s′i);
15:      disc(vn)[i] := (s′i, τi(s′i));
16:      DR := ∅; Add i to DR;
17:      WhenReceive-z(N, v, yi, DR, vn, VT, G);
18:    end if
19:  end for
20: end while
Fig. 3. The reachability graph of the network N of Figure 2. Each vertex v ∈ V contains infinitely many states q = (…, si, σi, ei, …) ∈ Q(v). Generating the reachability graph can be seen as a collective simulation in which an equivalence class of many states is grouped into one vertex.
Algorithm 2 WhenReceive-z(N, v, z, DR, vn, ↑VT, ↑G)
1: for all (z, xi) ∈ Cyx or (z, xi) ∈ Cxx do
2:   δx,i(si, xi) = (ρ, s′i);
3:   if ρ = 1 then
4:     disc(vn)[i] := (s′i, τi(s′i));
5:     Add i to DR;
6:   else
7:     disc(vn)[i] := (s′i, tsi);
8:   end if
9: end for
10: if DR ≠ ∅ or disc(v) ≠ disc(vn) then
11:   for each i ∈ D: if tsi = ∞ then add i to DR;
12:   tzone(vn) := Successor(tzone(vn), DR, schedule(vn));
13:   if ∄v′ ∈ G.V s.t. vn = v′ then
14:     Add vn to G.V and VT;
15:   end if
16:   if z ∈ X then
17:     Add (v, z, DR, vn) to G.E;
18:   else
19:     Add (v, Cyy(z), DR, vn) to G.E;
20:   end if
21: end if
Given a vertex v ∈ V, let Q(v) denote the state set of the vertex v:
$$Q(v) = \{(\ldots, s_i, \sigma_i, e_i, \ldots) : disc(v) = (\ldots, s_i, ts_i, \ldots),\ \sigma_i \in ts_i,\ (e_i \in tzone(v)[i] \text{ if } \sigma_i < \infty)\}. \qquad (15)$$

1) Completeness of Algorithms:

Lemma 2 Let G(N) = (Z, Q, Q0, QA, ∆) be the dynamic system describing the language of an FRTDEVS network N, and let R(N) be the reachability graph of N generated by Algorithms 1 and 2. Suppose that q ∈ QA is such that ∃(q0, ω, q) ∈ ∆ with q0 ∈ Q0 and len(ω) = t. Then (q, (t, z), q′) ∈ ∆ with q′ ∈ QA if and only if (v, z, DR, v′) ∈ E such that q ∈ Q(v) and q′ ∈ Q(v′).

Proof: Let IMM(q) = {i ∈ D : σi − ei = min_{j∈D}{σj − ej}} be the imminent component set of q ∈ QA. By lines 1 to 2 of Algorithm 1, for ta = min_{i∈D}{σ0i}, (q0, ω, q) ∈ ∆ with ω the null segment over [0, ta] if and only if q ∈ Q(v0). Let q ∈ Q(v) be such that ω ∈ L(G), len(ω) = t, (q0, ω, q) ∈ ∆. Notice that the algorithm attempts to create a new vertex vn by applying two types of events: an input event x ∈ X and an output event y ∈ Y^φ. Firstly, injecting any input event x ∈ X is tested in lines 6 to 9 of Algorithm 1 via Algorithm 2, in which the event x is transmitted through all external input couplings (x, xi) and the new state (s′i, σ′i) is computed in lines 1 to 9 of Algorithm 2, which is the same as Equation (8a). As a result, (q, (t, x), q′) ∈ ∆ if and only if (v, x, DR, v′) ∈ E. Secondly, since Successor resets all DR of ϕ and slides it up to the upper bounds of schedule(vn), it sustains the condition i ∈ IMM(q), q ∈ Q(vn) ⇔ tzone(vn)[i] ∩ t′si ≠ ∅ where disc(vn) = (…, s′i, t′si, …). The internal transition (and so the output generation) condition of a state q ∈ Q(v) for a given vertex v ∈ V is tested by tzone(v)[i] ∩ tsi ≠ ∅ at line 11 of Algorithm 1. If the condition is satisfied, the enabling time zone is computed, together with the new discrete state (s′i, tsi = τi(s′i)) where δy,i(si) = (yi, s′i), which is the first statement of Equation (9a). Then the third and fourth statements of Equation (9a) are computed by lines 1 to 9 of Algorithm 2. Therefore (q, (t, y), q′) ∈ ∆ if and only if
(v, y, DR, v′) ∈ E. Notice that the second statement of Equation (9a), which goes into the state s̄ ∈ QN, is not generated by Algorithm 1. As a result, (q, (t, z), q′) ∈ ∆ with q′ ∈ QA if and only if (v, z, DR, v′) ∈ E.

For a given FRTDEVS network N, the significance of the reachability graph R(N) generated by Algorithms 1 and 2 is that it is isomorphic to N in terms of behavior. To show this proposition, we need to define the behavior of R(N) so that it can be compared with the behavior L(N) of N.

Definition 9 (Behavior of R(N)) Suppose that R(N) = (Z, V, V0, E) is the reachability graph of an FRTDEVS network N. The behavior of R(N) is defined by a dynamic system G(R(N)) = (Z, Q, Q0, QA, ∆) such that the event set is Z = X ∪ Y^φ of N; Q = QA ∪ QN is the set of states, where QA = {(…, si, σi, ei, …) : si ∈ Si, σi ∈ T∞, ei ∈ [0, σi] ∩ T, i ∈ D} with ei = 0 if σi = ∞, and the non-accepting state set is QN = {s̄ ∉ QA} where s̄ is piecewise constant. The set of initial states consists of the states of v0 ∈ V0 constrained to zero elapsed times:
$$Q_0 = \{(\ldots, s_i, \sigma_i, e_i, \ldots) \in Q(v_0) : v_0 \in V_0,\ e_i = 0\}. \qquad (16)$$
The set of state transition trajectories ∆ is defined in two cases, q ∈ QN and q ∈ QA. If q = s̄ ∈ QN, then for any ω ∈ Ω_{T,Z} nothing changes, so (q, ω, q) ∈ ∆. For q ∈ QA, i.e., ∃v ∈ V : q = (…, si, σi, ei, …) ∈ Q(v) at time t ∈ T, ∆ is defined for three different event segment cases: a null segment, a timed input event, and a timed output event. If ω is the null segment over [t, t + dt], then (q, ω, q′) ∈ ∆ where q′ = (…, si, σi, e′i, …) with
$$e_i' = \begin{cases} e_i & \text{if } \sigma_i = \infty \\ e_i + dt & \text{otherwise.} \end{cases} \qquad (17)$$
Notice that q′ ∈ Q(v). If ω = (t, x) is a timed input event x ∈ X, then (q, ω, q′) ∈ ∆ is split into the following equations. If ∃(v, x, DR, v′) ∈ E with disc(v′) = (…, s′i, t′si, …), then
$$q' = (\ldots, s_i', \sigma_i', e_i', \ldots) \quad \text{where } \sigma_i' \in t'_{s_i} \text{ and } e_i' = \begin{cases} 0 & \text{if } i \in D_R \\ e_i & \text{otherwise.} \end{cases} \qquad (18)$$
Otherwise, i.e., ∄(v, x, DR, v′) ∈ E:
$$q' = q. \qquad (19)$$
If ω = (t, y) is a timed output event y ∈ Y^φ, then (q, ω, q′) ∈ ∆ is split into the following equations. If ∃(v, y, DR, v′) ∈ E with disc(v′) = (…, s′i, t′si, …), then q′ is as in Equation (18). Otherwise, i.e., ∄(v, y, DR, v′) ∈ E:
$$q' = \bar{s} \in Q_N. \qquad (20)$$

Remark 1 As we can see at line 11 of Algorithm 2, we add the component i ∈ D to the set of resetting components DR if σi = ∞, to avoid growing such elapsed times, which would cause infinitely many time zones and vertices. This intentional resetting of ei has no influence, because there is no possibility that ei ∈ T reaches σi = ∞. With the same idea, in Definition 9 for the language L(R(N)) we keep the elapsed time ei at zero for σi = ∞. Making such a clock i dead gives us an isomorphism, as we will see in Theorem 1.

Theorem 1 (L(N) = L(R(N))) The behaviors of R(N) and N are identical.

Proof: Suppose that G = (Z, Q, Q0, QA, ∆) and G† = (Z, Q†, Q†0, Q†A, ∆†) are the dynamic systems defining the behaviors of N and R(N), respectively. Define a function f : Q → Q† for q = (…, si, σi, ei, …) by
$$f(q) = \begin{cases} \bar{s} & \text{if } q \in Q_N \\ (\ldots, s_i, \sigma_i, e_i', \ldots) & \text{otherwise, where } e_i' = \begin{cases} 0 & \text{if } \sigma_i = \infty \\ e_i & \text{otherwise.} \end{cases} \end{cases}$$
Let us check that this function f is an isomorphism as defined in Definition 2.

Checking q ∈ Q0 ⇔ f(q) ∈ Q†0: Q0 = {(…, s0i, σ0i, 0, …)} where σ0i ∈ τi(s0i) (see Equation (6)). According to lines 1 to 3 of Algorithm 1, V0 = {v0} where disc(v0) = (…, s0i, τi(s0i), …), so Q†0 = {(…, s0i, σ0i, 0, …) : σ0i ∈ τi(s0i)} by Equations (15) and (16). Since f(q0) = q0 for q0 ∈ Q0 and Q0 = Q†0, we have q ∈ Q0 ⇔ f(q) ∈ Q†0.

Checking q ∈ QA ⇔ f(q) ∈ Q†A: QA = ∏_{i∈D} {(si, σi, ei) : si ∈ Si, σi ∈ T∞, ei ∈ [0, σi] ∩ T} by Definition 6, and Q†A = ∏_{i∈D} {(si, σi, ei) : si ∈ Si, σi ∈ T∞, ei = 0 if σi = ∞, otherwise ei ∈ [0, σi] ∩ T} by Definition 9. As a result, q ∈ QA ⇔ f(q) ∈ Q†A.

Checking (q0, ω, q) ∈ ∆ ⇔ (f(q0), ω, f(q)) ∈ ∆†: By Lemma 2, for the null segment ω over [0, t], (q0, ω, q) ∈ ∆ ⇔ (f(q0), ω, f(q)) ∈ ∆† where f(q0) = q0 and f(q) ∈ Q(v0). For a non-null event segment ω = ω1ω2, assume that (q0, ω1, q) ∈ ∆ ⇔ (f(q0), ω1, f(q)) ∈ ∆† where f(q) ∈ Q(v), v ∈ V. By Lemma 2 and Equation (1), (q, ω2, q′) ∈ ∆ ⇔ (f(q), ω2, f(q′)) ∈ ∆† where f(q′) ∈ Q(v′), v′ ∈ V. By induction, (q0, ω, q′) ∈ ∆ ⇔ (f(q0), ω, f(q′)) ∈ ∆†.

Since the function f is an isomorphism, L(N) = L(R(N)) by Lemma 1.

2) Termination and Complexity of Algorithms: Algorithm 1 stops when VT becomes empty (see line 4). One v ∈ VT is removed at line 5, while a vertex v is added to VT only if it is newly generated (see line 14 of Algorithm 2). Therefore, the space and time complexity of these algorithms is proportional to the number |V| of vertices of R(N) = (Z, V, V0, E). Recall that a vertex v is a pair of a state-schedule vector and a time zone: v = (disc(v), tzone(v)) where disc(v) = (…, (si, tsi), …). Since |V| is greater than |disc(V)| where disc(V) = {disc(v) : v ∈ V}, the worst-case complexity is exponential:
$$O(V) \ge m^n$$
where max_{i∈D} |Si|^2 = m and |D| = n.

V. QUALITATIVE VERIFICATION OF FRTDEVS NETWORKS

When checking certain qualitative properties of dynamic systems described by an FRTDEVS network N, we can analyze its reachability graph R(N), because R(N) is isomorphic to N in terms of behavior.

A. Setting up Monorail Systems

We consider a monorail system in which stations are connected in a circular railroad so that multiple vehicles can circulate along the rail. We configure the number of vehicles m ∈ {2, 3} and the number of stations n ∈ {4, …, 8}. Figure 4(a) shows the initial vehicle placement for the configuration m = 3 and n = 4. A station is a controller modeled by an atomic FRTDEVS whose structure is drawn in Figure 4(b). There are three state variables for each station i ∈ D: pi ∈ {Empty (E), Loading (L), Sending (S), Waiting (W), Collided (C)}; vidi ∈ {1, …, m}, tracking the vehicle identification; and nsoi ∈ {false (f), true (t)}, indicating "next station is occupied". To avoid collisions, which can occur when more than one vehicle attempts to occupy a station (let's call it A) at the same time, the station prior to A (let's call it B) should dispatch the vehicle ONLY when B's nsoi = f. As a result, the discrete state Si for each station i is
$$S_i = \{(p_i, vid_i, nso_i) : p_i \in \{E, L, S, W, C\},\ vid_i \in \{0, \ldots, n\},\ nso_i \in \{t, f\}\}.$$

Fig. 4. Monorail Systems. (a) Coupled FRTDEVS in which the number of vehicles is m = 3 and the number of stations is n = 4. (b) State transition diagram of each station: the loading time lt is lt = [20, 22] for odd-numbered stations and lt = [40, 42] for even-numbered stations.
Then the state s0i = (pi , vidi , nsoi ) for each station STi is initialized as (L, i, t) if i < m (L, i, f) if i = m s0i = (pi , vidi , nsoi ) = (E, 0, f) if m < i < n (E, 0, t) if m < i = n where m and n are the numbers of vehicles and stations used. In the Station model, ?v, ?p, ?a stand for input events of vehicle, pull-signal, additional-loading, respectively, while !v stands for the output vehicle event. In Figure 4(b), an arc is augmented by (pre-condition),(post-condition). For example, when a station receives ?p at pi =E, it makes nsoi =f but its phase pi doesn’t change; After staying in pi =L for lt seconds, if nsoi =f, it changes into pi =S internally without producing any output indicated by !φ, if nsoi =t, it changes into pi =W. A dashed line indicates an external state transition in which δx (s, x) = (0, s0 ) so that the state s change to s0 but the schedule σ and the elapsed time e are preserved. All obvious transitions such as δx (s, x) = (0, s) are omitted in Figure 4(b). The loading time lt is assigned as lt = [20, 22] for odd numbered stations, lt = [40, 42] for even numbered stations. B. Checking Safety 1) General Framework: In general, safety is one of qualitative properties, which guarantees that the given FRTDEVS network system N = (X, Y, D, {Mi }, Cxx , Cyx , Cyy ) does not perform any undesired behaviors. Let G(N ) = (Z, Q, Q0 , QA , ∆) be the dynamic system describing the behavioral model of N . Then undesired behaviors of N is L(N, QB ) = {ω ∈ L(N ) : (q0 , ω, q) ∈ ∆, q0 ∈ Q0 , q ∈ QB }. where QB ⊆ Q denotes a set of unsafe or (bad) states. Thus we want to show there is no possibility that any behavior ω ∈ Ω makes the system reach a bad state. In other words, we want to show the emptiness of the undesired behavior set: L(N, QB ) = ∅. 
For the given model N and the bad states Q_B, the emptiness of the undesired behaviors (i.e., L(N, Q_B) = ∅) can be proven on its reachability graph R(N) = (Z, V, V_0, E) by the property
\[
L(N, Q_B) = \emptyset \iff Q(v) \cap Q_B = \emptyset \quad \forall v \in V, \qquad (21)
\]
where Q(v) is the state set covered by the vertex v (see Equation (15)). In other words, the system cannot reach any bad state in Q_B.

2) Monorail Systems' Safety: The set of unsafe states for the monorail system is
\[
Q_B = \{(\ldots, s_i, \sigma_i, e_i, \ldots) \mid \exists i \in D : s_i = (C, vid_i, nso_i) \in S_i\},
\]
that is, the set of states in which some station i has the collided phase C. As mentioned earlier, to check whether L(N, Q_B) = ∅ we check instead whether Q(v) ∩ Q_B = ∅ for all vertices v ∈ V of R(N) = (Z, V, V_0, E). The coupled FRTDEVS shown in Figure 4(b) has an empty L(N, Q_B). To double check that the proposed method is able to detect a bad system, we intentionally changed a Station's state transitions to miss the assignment nso = t (which memorizes that the next station has a vehicle) at the arcs from L to S and from W to S in Figure 4(b). Under these modifications, the procedure successfully found a state in which the phase of Station 1 is C, which means L(N', Q_B) ≠ ∅.

C. Checking Liveness

1) General Framework: Liveness is one of the qualitative properties; it shows that the system performs a set of desired or good behaviors for infinitely long times. Therefore, the definition of this property is associated with the infinite-length observation language L(N, ∞) introduced in Equation (3). In addition, the desired behaviors are captured by a set of states Q_G ⊆ Q_A:
\[
L_\infty(G, Q_G) = \{\omega \in L(G, \infty) : Q_G \subseteq \{q \in Q_A : (q_0, \omega, q) \in \Delta,\ q_0 \in Q_0\}\}.
\]
Unlike showing the emptiness of bad behaviors, showing the non-emptiness of good behaviors is required for checking liveness. Again, we use the finite and isomorphic structure of the reachability graph.

Given a reachability graph R(N) = (Z, V, V_0, E) of a FRTDEVS network N, two different vertices v, v' ∈ V are called strongly connected if there exists a sequence of edges from v to v' and vice versa. Let SC(v) be the set of vertices strongly connected with v. Then we have the following property:
\[
L(N, Q_G) \neq \emptyset \iff \exists v \in V : Q_G \subseteq \bigcup_{v' \in SC(v)} Q(v'), \qquad (22)
\]
because ⋃_{v' ∈ SC(v)} Q(v') ⊆ {q ∈ Q_A : (q_0, ω, q) ∈ Δ, q_0 ∈ Q_0, ω ∈ L(N, ∞)}.

2) Monorail System's Liveness: Our definition of the monorail system's liveness is that every single station's phase keeps moving forever from the empty phase E to the sending phase S, and vice versa. Hence, the set of desired and infinitely long visiting states Q_G is
\[
Q_G = \{SC(Q) : \forall i \in D : \exists q, q' \in SC(Q) : p(q(i)) = E \wedge p(q'(i)) = S\},
\]
where SC(Q) = {q, q' ∈ Q : ∃ω, ω' ∈ Ω_{T,Z} : (q, ω, q') ∈ Δ, (q', ω', q) ∈ Δ} is the set of strong components of the states Q of G(N) = (Z, Q, Q_0, Q_A, Δ), and p(q(i)) = p_i is the phase of station i when the state of N is q = (…, p_i, vid_i, nso_i, σ_i, e_i, …). Then, to check whether there exists a kernel vertex v ∈ V of R(N) = (Z, V, V_0, E) such that Q_G ⊆ ⋃_{v' ∈ SC(v)} Q(v'), we check
\[
\forall i \in D : \exists q, q' \in \bigcup_{v' \in SC(v)} Q(v') : p(q(i)) = E \wedge p(q'(i)) = S.
\]

We verified that the monorail system illustrated in Figure 4 is live, which means every single station keeps moving back and forth between phases E and S forever. In order to check that the proposed method works well too when the system has an issue, we intentionally disconnected the pull-signal coupling from the last station, Station n, to the first station, Station 1. The method using the kernel of R(N) correctly detected that Station n is not alive (this is so since it stays at W and cannot visit E and S infinitely many times).

Table I summarizes the performance for checking safety and liveness under the various configurations. Since checking safety is based on generating R(N), and checking liveness needs the kernel graph of a reachability graph, denoted by KR(N), in which the strongly connected vertices are grouped into one vertex [9], we summarize the algorithm's performance in terms of these two graphs' complexity, using |V| and |E|, and their generation time. The hardware platform used in the experiments was an IBM ThinkPad LENOVO W500 with a 2.79 GHz CPU and 2.99 GByte RAM. The computer language for the implementation was Python.

TABLE I
PERFORMANCE FOR CHECKING SAFETY AND LIVENESS OF MONORAIL SYSTEMS

           R(N)                            KR(N)
 m   n      |V|      |E|         T        |V|    |E|        T
 2   3       17       19       0.1          4      3      0.0
 2   4    1,036    1,437       9.9          7      6      3.3
 2   5    2,498    3,293      36.8         13     14      9.8
 2   6    5,176    6,889     124.3         29     34     26.6
 2   7    7,664   10,064     296.0         63     80     50.6
 2   8   11,781   15,572     716.4        118    153    100.2
 3   4    7,657   11,939      75.9          5      5     26.2
 3   5   63,934   98,223   1,117.6         17     21    350.5
 3  *5   97,658  156,078   1,858.9        393    722    620.0
 3  †5    2,589    6,402      63.7        850  1,573     12.5
 3   6  413,898  685,443  14,512.9        476    685  3,955.3

m: the number of vehicles used; n: the number of stations used; R(N): the reachability graph of N; KR(N): the kernel reachability graph of N; |V|: the number of vertices; |E|: the number of edges; T: CPU time to generate the associated graph, in seconds; *: the case of missing the post-condition nso = t; †: the case of disconnecting the coupling between Station n and Station 1 for the pull-signal.

VI. CONCLUSIONS

This paper introduced the class FRTDEVS, a subclass of RTDEVS, to tackle qualitative verification problems. The formal behaviors of FRTDEVS networks are defined as a dynamic system. Then algorithms to generate a finite structure of reachability graph for a FRTDEVS network are proposed. Finally, we illustrated the general frameworks to check safety and liveness of a FRTDEVS network, which are based on the corresponding reachability graph.

Several topics need to be studied in the future. The first seems to be reducing the computational burden of reachability generation by efficient data structures or abstraction techniques. Another is to develop the methodology to compute timed reachability, to answer the question: "how long does it take to reach a state from another?" Lastly, extending the verification approach to the higher level of RT-DEVS allowing
stochastic or fuzzy behaviors might be one of the interesting and challenging topics.

REFERENCES

[1] R. Alur and D. L. Dill. A theory of timed automata. Theoretical Computer Science, 126:183–235, 1994.
[2] E. M. Clarke Jr., O. Grumberg, and D. A. Peled. Model Checking. MIT Press, 1999.
[3] D. L. Dill. Timing Assumptions and Verification of Finite-State Concurrent Systems. In Proc. of the Workshop on Computer Aided Verification Methods for Finite State Systems, pages 197–212, Grenoble, France, 1989.
[4] J. S. Hong, H. S. Song, T. G. Kim, and K. H. Park. RT-DEVS Executive: A Seamless Realtime Software Development Framework. Discrete Event Dynamic Systems, 7:355–375, 1997.
[5] J. E. Hopcroft, R. Motwani, and J. D. Ullman. Introduction to Automata Theory, Languages, and Computation. Addison Wesley, second edition, 2000.
[6] X. Hu and B. P. Zeigler. Model Continuity in the Design of Dynamic Distributed Real-Time Systems. IEEE Transactions on Systems, Man and Cybernetics - Part A: Systems and Humans, 35(6):867–878, November 2005.
[7] M. H. Hwang and B. P. Zeigler. Reachability Graph of Finite & Deterministic DEVS Networks. IEEE Trans. on Automation Science and Engineering, 6(3):454–476, 2009.
[8] H. Saadawi and G. Wainer. Rational Time-Advance DEVS (RTA-DEVS). In Proceedings of 2010 Spring Simulation Multi-Conference: Proceedings of 2010 DEVS Symposium, 2010.
[9] R. Sedgewick. Algorithms in C++, Part 5: Graph Algorithms. Addison Wesley, Boston, third edition, 2002.
[10] H. S. Song and T. G. Kim. Application of Real-Time DEVS to Analysis of Safety-Critical Embedded Control Systems: Railroad Crossing Control Example. SIMULATION, 81(2):119–136, Feb. 2005.
[11] B. P. Zeigler, H. Praehofer, and T. G. Kim. Theory of Modeling and Simulation: Integrating Discrete Event and Continuous Complex Dynamic Systems. Academic Press, London, second edition, 2000.
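As an added illustration of the checks of Sections V.B and V.C (this code is not from the paper, and its graphs are constructed rather than the models of Table I): Equation (21) reduces to scanning every vertex of R(N) for a collided station, and Equation (22) reduces to finding a strongly connected component, i.e. one kernel vertex of KR(N), whose covered states show both phase E and phase S for every station. Vertices are abstracted to their phase vectors, and each vertex is assumed to cover exactly its own phase vector.

```python
# Vertex: one phase (E/L/S/W/C) per station, abstracting disc(v); Graph: edges of R(N).
Vertex = tuple[str, ...]
Graph = dict[Vertex, list[Vertex]]

def is_safe(graph: Graph) -> bool:
    """Equation (21): L(N, Q_B) is empty iff no vertex covers a collided station."""
    return all("C" not in v for v in graph)

def strongly_connected_components(graph: Graph) -> list[set[Vertex]]:
    """Tarjan's algorithm; each returned set is one kernel vertex of KR(N)."""
    index: dict[Vertex, int] = {}
    low: dict[Vertex, int] = {}
    stack: list[Vertex] = []
    sccs: list[set[Vertex]] = []

    def visit(v: Vertex) -> None:
        index[v] = low[v] = len(index)
        stack.append(v)
        for w in graph.get(v, []):
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in stack:                  # back edge to a still-open vertex
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:                # v is the root of an SCC: pop it
            sccs.append(set(stack[stack.index(v):]))
            del stack[stack.index(v):]

    for v in graph:
        if v not in index:
            visit(v)
    return sccs

def is_live(graph: Graph) -> bool:
    """Equation (22) with the monorail Q_G: some kernel vertex shows E and S for every station."""
    for comp in strongly_connected_components(graph):
        stations = range(len(next(iter(comp))))
        if all({"E", "S"} <= {v[i] for v in comp} for i in stations):
            return True
    return False

# Constructed two-station ring graphs (not the paper's data); each vertex is the
# phase vector (p_1, p_2) and is assumed to cover exactly that vector.
HEALTHY_RING: Graph = {("L", "E"): [("S", "E")], ("S", "E"): [("E", "L")],
                       ("E", "L"): [("E", "S")], ("E", "S"): [("L", "E")]}
# Pull-signal coupling cut: station 2 waits in W forever (cf. the dagger row of Table I).
STUCK_RING: Graph = {("L", "E"): [("S", "E")], ("S", "E"): [("E", "L")],
                     ("E", "L"): [("E", "W")], ("E", "W"): [("E", "W")]}
# Missing nso = t post-condition: a second vehicle enters station 2 (cf. the asterisk row).
COLLIDING_RING: Graph = {("L", "L"): [("S", "L")], ("S", "L"): [("E", "C")], ("E", "C"): []}
```

On the real R(N) each vertex covers a set Q(v) with many states per phase vector, so the two checks would intersect Q(v) with Q_B and union Q(v') over the component instead of inspecting one tuple per vertex.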