State-transition based techniques for specifying ... - Semantic Scholar

State-transition based techniques for specifying real-time systems: a review A. Sowmya, J. Zic

School of Computer Science and Engineering University of New South Wales, Kensington NSW 2052, Australia sowmya, [email protected]

Abstract The speci cation, veri cation, design and implementation of real-time system is a major software engineering problem. While logical correctness is a major issue in the development of large and complex software systems, real-time system development demands that timing correctness be satis ed additionally. Formal methods of speci cation and veri cation are imperative for this task, and there has been considerable research in the area for the past two decades. Of these, state-transition based techniques are numerous and well-developed. This paper attempts to compare the approaches taken by workers in the area and provide an introduction to the major issues facing a real-time system developer who wishes to use one of these formal methods.

1 Real-time Systems and Formal Methods Real-time systems are those in which logical and timing correctness propeties should be satis ed, failing which catastrophe might result [SR88]. Realtime systems are often embedded within larger systems, which then constitute the environment for the real-time system. Examples include command and control systems, process control systems, ight control systems and space avionics. Such systems are complex, and the knowledge of the application and the environment in which they function are built into the design. In designing and implementing such systems, factors such as the monitoring of the environment, timely processing of the sensed information, the physical impact on the environment, and the timing are crucial. Real-time systems are also expected to be fault-tolerant. In hard real-time systems, timing requirements must be met, else the system behaves incorrectly, even catastrophically. Such systems are being used in safety critical applications such as computerized control systems, patient monitoring and air trac control. In soft real-time systems , timely results

are desirable but some delays may be tolerated, leading to graceful degradation in performance. To handle the complexity and critical requirements of real-time systems, informal or common sense design techniques are inadequate [FGP94]. Semi-formal methods to handle real-time system design exist, but are not sucient to capture the requirements and accommodate them in the design. Formal methods have therefore been advocated for real-time system development [FGP94, BB91b, Ost90], and there has been considerable activity in this eld within the academic community. The major formalisms are either operational, say based on automata, or descriptive, such as algebras and logic. They include extensions to process algebras, extensions to nite state machines, extensions to Petri nets, real-time temporal logics and assertional methods. The scope of this paper is to present the main concepts employed formally to specify real-time systems using state-transition based techniques. This paper is not meant as a summary of available techniques, and the cited papers should be referred for details of speci c methods.

2 State-Transition Models, Automata and Process Algebras The behaviour of a concurrent system may be modelled as transitions between system states triggered by actions, and represented by an execution trace. With a linear model of time, an execution trace is a linear sequence of states. The behaviour of a system is thus represented by the set of all possible execution sequences, which is a formal language [AD94]. Thus automata, which may be viewed as language acceptors and language generators, are an obvious choice for specifying concurrent systems. For nite state systems, the set of execution traces will be accepted by nite state automata, which makes automata operations easier. Automata may be deterministic or non-deterministic, with the latter modelling concurrency naturally. Finally, au-

tomata provide an operational semantics for concurrent systems. There are two semantic models used in system descriptions, namely that of traces (linear time) and of synchronisation trees (branching time). In the traces model, a process is completely determined from the set of observable partial runs. In the synchronisation tree model, a process is determined also by the choices it makes during its execution. Milner [Mil80] rst proposed that the synchronisation tree model allow ner equivalences to be made between systems than is possible using traces. As an example, a:b + a:c = a:(b + c) holds in the traces model, and yet fails to hold in the synchronisation tree approach. A process algebra is a description/speci cation language for communicating concurrent systems, emphasizing the conceptual structure. A concurrent system is modelled as a set of concurrent processes. The process algebra usually consists of a set of operators and syntactic rules for constructing processes, a semantic mapping which assigns meaning to processes, a notion of equivalence/partial order between processes, and a set of algebraic laws for syntactic manipulation of processes. A usual semantic mapping interprets a process algebra as a labelled transition system (LTS), where the LTS de nes next-state relations for all state transitions. This again gives rise to either a linear, trace-based semantics, or a tree-based semantics. This may not be nite-state, however, though state- transition based.

3 Issues in Adding Time

Since real-time systems are also usually concurrent systems, the usual approach to modelling real-time systems has been to extend existing automata or process algebraic techniques, by introducing real time constructs. In this paper, we attempt to analyze commonly used techniques for adding time to state-transition based methods. We provide a brief overview of available techniques rst. The timed automata approach [AD90, AD94] models a system as a nite-state non- deterministic automaton on nite strings. Quantitative temporal reasoning is then added to handle hard realtime constraints. Timed automata are useful for modelling nite-state asynchronous real-time systems. Alur and Dill utilize a dense model of time, with clocks reset by state transitions. An extended trace semantics associates a time of occurrence with each event. Timing constraints are speci ed by means of enabling conditions for a transition. Yodaiken and Ramamritham [YR91] de ne a modal primitive recursive arithmetic to describe and analyze nite state machines abstractly without enumerating states and transitions. Its features to handle real time include time transitions to rep-

resent passage of time and temporal logic-style operators, with a state-based semantics and a trace view of computation. Lynch and Vaandrager propose a timed automaton model which introduced the notion of simulations in [LV95, LV]. The timed or real-time process algebras often extend existing process algebras with constructs to address the timing issues. Examples include the new resource-based process algebras such as Algebra of Communicating Shared Resources, or ACSR [GL92, GL94] and Real Time Speci cation Language, or RTSL [FC93]. ACSR is a CCS-like process algebra, with the addition of shared resources and static priorities on competing actions. It has a synchronous semantics for actions and an asynchronous one for events. RTSL extends CCSR for schedulability analysis, by permitting the modelling of various scheduling disciplines. Extensions to traditional process algebras include CCS extensions : TPL [HR91], Timed CCS [Yi91] and Temporal CCS [MT90], CSP extensions [RR87], Algebra for Timed Processes, or ATP [NRSV90, NS91] and Communicating Real-time State Machines, or CRCM [Sha92]. Finally, untimed process algebras include implicit handling of time and qualitative timing properties. These fall under the `synchronous' class of languages and include Statecharts [Har87] and extensions such as timed statecharts [KP92] and Argos [Mar91], Esterel [BdS91], CSML [CLM91] and Modecharts [JM94]. The synchronous languages are based on Berry's synchrony hypothesis which states that no machine is faster than its environment, hence transitions within a statetransition model of the system take no time.

3.1 States, Events and Actions

Actions and events in the process algebras most commonly are used to mean the \same thing" { an observable action of a system drawn from a set of legal actions (respectively, sorts and alphabets in CCS and CSP), possibly representing an observable change in state or perhaps simply an uninterpreted observation. There are other models such as that presented by Pratt [Pra86, Pra94], Lynch [LV] and others that use events to denote particular occurances of actions (again taken from a set of actions) within a particular sequence of action occurrences. A system's actions are most commonly taken as atomic and instantaneous at some level of abstraction. If a system can be observably decomposed into concurrently executing subsystems, there are two ways in which concurrent events can be described, and these dier at a fundamental philosophical level. Interleaving concurrency or mutex concurrency models take the view that atomic concurrent

events cannot be observed simultaneously and so cannot be ordered (in the sense that one precedes the other). This eectively gives rise to an extant sequential model of concurrent behaviour based on reasoning about sets of linear sequences of actions (or traces ). True concurrency models on the other hand do allow the simultaneous observation of concurrent events as a fundamental notion. Reasoning about these systems is done using sets of sequences of actions with relaxed ordering using independence information with action occurrences (or events) [Pra94, Maz88]. The canonical example used to illustrate the difference between these two approaches is that of two people entering a door. In the interleaving model, one or the other must always precede the other (no matter how small the dierence between them). There is no way for both to enter the door simultaneously, which is allowed in the true concurrency model. However, adopting the abstraction that events are atomic and instantaneous is regarded by some as being too rigid and restrictive, and that an action's underlying structure should not be abstracted away. As an example, a structured action may consist of a set of arbitrary actions, or perhaps it could occupy some time interval, or even a set of time intervals. Whereas atomic actions tend to give a simpler semantics to an algebra, structured actions allow a richer variety of semantic models to be used. Winskel [Win88] presented some of these semantic models and develops relationships between them by using Category Theory [Mac71]. The choice of using either of atomic and structured events depends on the abstraction we are seeking, no more and no less.

3.2 States and Transitions

Timing information may be attached to states or to transitions. Many approaches attach explicit delays or timing constraints to transitions, for example minimum and maximum delays on executing a transition after it is enabled. Alternatively, timing information may be attached to a state, by specifying minimum sojourn time within it, with the transitions being instantaneous, ie taken as soon as enabled. Alur and Dill's timed automata, ATP, CRSM, timed statecharts take the rst view, while Nicollin's timed automata, Statecharts, Esterel and CSML impose instantaneity on transitions and require systems to remain in a state for a minimum time. ACSR treats timeouts and interrupts in a similar manner, by requiring immediate transitions out of a state when enabled. Similar ideas of adding timing information to Petri nets can be found. Notably, there are two types of

timed Petri nets, namely Timed Transition Petri Nets, where the transitions once enabled, res for a speci c time, and Timed Place Petri Nets, where tokens reside in a place for a speci c time.

3.3 Time-driven and Event-driven systems In control applications, the two main models are time- driven and event-driven. In time-driven control, the focus is on the timing of control actions, which are executed at a speci c time according to a schedule, and external events are handled by polling. In event-driven control, the focus is on the causal relationships between external events and system actions. Actions are executed as a reaction to event arrivals, and time is handled by timing signals which are modelled as external events. It is clear that for time-driven control, an internal clock or notion of time (internal to the system) is necessary, while for event-driven systems, the clock could be external. In the real-time speci cation literature, event-driven models predominated till recently. Real-time automata and m. p. r. arithmetic are event-driven, with state transitions triggered by event occurrences. Among timed process algebras, Nicollin's timed automata are eventbased, with a nite number of instantaneous actions in one phase, followed by a second phase when time progresses by agreement of all processes involved. In ATP, time is an event that occurs synchronously in all the sequential components of a system. So, parallel composition is synchronous for time events, thus ensuring that time progress is the same in all components. Modecharts and statecharts are purely event-driven, with event occurrences triggering mode/state transitions.Statecharts does permit the timeout event tm(e; n) against a global clock, which is the only time-drven construct available. ACSR is an interesting mix of a time- and event-driven system. Instantaneous events elicit system transitions in the classical eventdriven sense, while time-consuming actions execute synchronously in all components so that the system progresses synchronously and deterministically; in the case of time-consuming actions, therefore, ACSR is time-driven and the temporal scope operator
in P
at (Q, R, S) exempli es this clearly. This process behaves as P for a maximum of t time units; the scope may be exited in three ways: 1. if P successfully terminates within time t by executing an event a, then control passes to the success handler Q. 2. if P fails to terminate within time t, then control passes to the timeout exception handler R.

3. at any time while P is executing, it may be interrupted by S. Clearly, control is purely time-driven at the top level of this operator. RTSL too has a combination of both kinds of control, with CCS-like eventdriven progress of processes, and time- driven constructs sw (start within), fw ( nish within) and e (execute in exactly given time) and a simpler exception handler operator. Alan Shaw's CRSM uses a combined control strategy too. It is a CSPlike state machine model, with state transitions enabled by selection of a true guard. Transitions are associated with execution of a command: either an internal command or an IO command. Both commands have [min, max] time intervals attached. An internal command models internal state computations expected to last for a duration within the interval speci ed. An IO command models CSPlike handshake between processes, and the IO time pair denotes the earliest and latest times that the IO can occur after entering a state. The IO itself can be either instantaneous or event-driven. The synchronous family of languages appear to be time-driven at rst glance. Clarke's CSML represents synchronous circuits; at each clock transition, the program examines its input signals and changes internal state and output signals accordingly. While the changes are computed instantaneously, it takes one cylce to take eect. Thus the system progresses at every tick of the clock. Berry's Esterel adopts a similar appraoch. An Esterel program reacts every instant. The system progresses by reacting, or changing state, instantaneously to the occurrence of events anywhere in the system. This is possible because events are broadcast instantaneously at the time of occurrence throughout the system. Time- driven control is implemented, though, via the watchdog statement do body watching signal The signal watched for could be a time signal or an event signal. Thus Esterel does cater to both event- and time-driven control.

3.4 Minimum Separation between events

Time separation between events is an important concept in the speci cation of real-time systems. From the viewpoint of veri cation, interleaving of concurrent events is used to model system behaviour in a fully abstract way. Time separation is closely bound to the concurrency semantics underlying the formalism, as well as the question of whether a system de nition is realisable or whether it is a speci cation. Hayes [HJ89] argued the case that speci cations should not be executable, that is, that speci cations are not implementations. If one adopts this view, then there is no reason as to

why zero separation between successive events (in some sequence of events) cannot be allowed in either the true or interleaved concurrency semantics. Events may still be partially ordered even though they occur at the same time instant. If the contrary view is adopted, that is, that one should not be able to specify \nonsensical" and unreliable systems then a minimum interevent separation is required. However, this complicates the action semantics, and there is now a separation between the time at which a system can perform or communicate an action and the time at which it is ready to do so. For example, in the original Timed CSP presented by Reed and Roscoe, a concurrent action was available when it becomes available in one process and is already available in the remaining participant processes Despite this semantic complication, the algebra ensured realisability by using this minimum interevent spacing. Such separation is implemented in a number of ways: by allowing zero separation but partially ordering observed events via the semantics, or by collecting events together and reacting to them periodically, or by forcing separation in the speci cation itself. In Nicollin's timed automata, all instantaneous actions in components are forced to execute in a rst phase, when time does not progress. In the second phase, time is allowed to progress by mutual agreement between components. This imposes a minimum separation between sets of instantaneous events, not the individual events themselves. In CRSM, it is assumed that every machine will spend a minimum nonzero amount of time  in each state that it enters, to ensure minimum separation between events (and transitions, which are events too). This is similar to the  in Timed CSP. Modecharts imposes a partial ordering on event occurrences, as does statecharts at the semantics level via its microstep semantics. This enables the handling of interleaved concurrency in a natural way. Esterel too handles such issues at the semantic level by detecting and rejecting programs with causality problems. In CSML, transitions take place only at clock instants, so that the system remains in a state for at least one cycle.

3.5 Models of Time and Clocks

Whereas untimed actions may be unstructured, timed actions (in the externally timed models) are most de nitely structured and so a partial ordering amongst these (timed) actions is immediately suggested, even without being concerned about whether we are using interleaving or true concurrency semantics. Total temporal ordering is possible if there is a single, global clock (whether it is a real global clock or some distributed approximation of it such as that presented by Lamport [Lam78] is not relevant). Most timed algebras presented (Baeten and

Bergstra [BB91a], Reed and Roscoe [RR87], Yi [Yi91], Lonard and Leduc [LL93], Nicollin and Sifakis [NS91], Fidge and Zic [Fv94], Ho-Stuart [HS94]) use this approach (of a single global clock) or a slight variation and dier mainly on their treatment of the semantics of concurrency. Other authors, however, (Pratt [Pra86], Andersen [AM93], Winskel [Win88] and others) maintain that using a single global clock is inappropriate in real distributed systems which exhibit complex structures, or which are subject to relativistic eects, or where the action granularity diers between several observers. Modelling the behaviour of such systems again requires the relaxation or generalisation of event ordering within a system to that of a suitable partial ordering. A suitable approach to unifying approaches of local versus global clock (and local versus global synchronisation) may be to use a solution proposed by hardware designers. Hardware designers have realised that developing perfectly synchronous systems which are inde nitely extensible in complexity and physical extent is impossible. Such notions have been abandoned in favour of developing self-timed systems where regions of synchronisation (according to a local clock) are interconnected by regions (possibly sets of wire connections) which are asynchronous. A suitable protocol is then imposed on the components of the system, thereby establishing a predictable event ordering throughout the system as a whole. This is the solution taken by CRP [BRS93], where locally reactive Esterel processes execute synchronously at the local level, and communicate asynchronously with each other using CSP-like rendezvous mechanisms. Introducing time into untimed actions leads to the view that events are structured. Further structuring results in the way in which time is treated. As mentioned earlier, actions are often viewed as instantaneous and are associated with a single time (referenced to either a global or local clock) in most common timed process algebras. Where the algebra is used as a speci cation language, instantaneous actions may be associated with sets of times at which they are observed [Fv94]. In both these cases, the underlying temporal semantics is that of point time. The other major temporal model is period time [VB83] where events (or actions) are associated with a nite time interval. Other linear and partially ordered models of time are discussed by Whitrow [Whi80] but are not widely used in real-time process algebras. To model real-time systems, the passage of time must be incorporated in the speci cation. The clock itself, however, may be implicit and external to the speci cation, or explicit and internal to the speci cation. Besides, there may be a single global clock on which all components synchronize, or mul-

tiple clocks for individual components, modeling multiform time. Further, the model of time may be discrete or dense. In Alur and Dill's real-time automata, the time domain is dense, There is a single, implicit global clock, and a nite number of local clocks which may be reset by state transitions. A time of occurrence is associated with each event in the semantics, while timing constraints may be associated with each transition. In Nicollin's realtime automata, time is a global state variable over a time structure, discrete or dense. In ATP, the clock is unique, time is external, and manipulated within the algebra using the delay operator. ACSR and RTSL use an external, implicit clock. Shaw's CRSM has a continuous model of time; interestingly, the clock is internal, with a simple clock machine associated with each component, and the clock machine may be queried by the component. There is a global clock variable available to all clock machines, which is how synchronization takes place. Modecharts and statecharts use an implicit global clock, against which transitions take place. At the semantic level, a time of occurrence is associated with events. Esterel and CSML model the passage of time explicitly, by modelling time instants within the language and collecting state transitions every instant. Additionally, the tick signal in Esterel is used to control instants and make timing explicit. Philosophically the notion of time is abstract and need not be tied to a real clock. Most approaches take this view- time is modelled as a monotonic, non-decreasing point structure, for example. Esterel carries the abstraction furthest, by permitting the counting of time by the occurrence of a particular signal (and not necessarily the tick signal).

3.6 Delay and Computation

The process of abstraction or hiding speci c timed actions implies that some additional semantics are required to keep consistant temporal ordering within a system. Whether the result of this hiding operation is an explicit \invisible" action (such as the  action of CCS) or whether it is completely removed from observations as in Timed CSP, we must decide upon a time at which this action occurs. Most models and algebras such as [RR87, Yi91, HR91] adopt a view that such an action must occur as soon as possible, whereas others (notably [NS91]) this minimal delay assumption is not used but any subsequent system action can be forced to occur before the next time action. However, placing such an urgency requirement onto actions carries with it subtle consequences for causality, making otherwise independent actions directly dependent on one another [DGV93, Fid93, Fv94]. Once again, a more generalised model with true concurrency semantics may be useful in overcoming this problem.

3.7 Resources

When communication is by instantaneous broadcast, as in Esterel and statecharts, and is added The only model to include system resources is ACSR, to instantaneous transitions, we may get potenwhich allows speci cation of resources required for tially long chains of reactions, with each transition each synchronizing action. Other approaches astriggering another in a long chain. This feature sume that necessary resources will be available when is absent when communication is via channels, or required. ACSR re ects its original intention to point-to-point. We note that this is related to the cater to real-time scheduling, which needs to manZeno machine problempotentially, the chain of age allocation of resources and models resources as reactions may be in nite and hence the system may passive and serially reusable objects. get deadlocked.

3.8 Time Stop phenomenon and Zeno paradox 4 Closing Remarks

Allowing a zero time separation between events in a system gives rise to the a variation of Zeno's Paradox. If we treat atomic events as instantaneous, and we have an interleaving model of concurrency, then a clock cannot tick during an action. Rather, the clock updates the system time in between system actions. Given these conditions, then it is possible to specify a process which engages in an in nite set of actions, all occurring at the same time and with zero separation which thereby prevent the clock from ever ticking again. Given the same semantics and instantaneous events, clocks can also be stopped and be time deadlocked by a system which itself has entered deadlock. This problematic interdependence of processes has been addressed by either adopting a true concurrency semantics, or by use of \aging functions" which make time progress. The latter solution is in itself problematic, since it forces (possibly independent) behaviours to agree on the passage of time. A solution to the Zeno machine \problem" is to add in realisability constraints into the system description, and not the description language itself [LV].

3.9 Atomic reactions and Chains of Reactions

The concept of an indivisible, or uninterruptible, reaction has been recently popularized by the Esterel school. The idea is that a system reaction to an event occurrence is atomic, and hence cannot be interrupted by another reaction. This is a consequence of Berry's perfect synchrony hypothesis, which states that control takes no time and hence may be viewed as executing on an in nitely fast machine. As a result, reactions take no time, input and output may be synchronous, and a reaction is atomic. This idea is present in many languages, including statecharts, Esterel, CSML. In the more traditional state-transition based systems, the same concept holds since a state cannot be forced to choose between twotransitions with dierent event labels- in other words, two dierently labelled transitions exiting the same state cannot be enabled at the same time.

Although each of the formalisms presented dier from each other in speci cation style, or at the syntactic or semantic level, they all share a great deal in common with each other. In each of the formalisms, there is a notion of timing equivalence between systems or processes, and this ultimately depends upon (once again) the level of abstraction that we are seeking to achieve. At the coarsest level, an observer passively notes down the time and occurrence of an instananeous event in sequence, and makes no attempt at trying to observe further structure within the system, giving rise to timed trace semantics. Two systems are equivalent if their traces set are equivalent. However, ner equivalences result from an examination of the internal structure, and if the observer wishes not only to record the times and occurrences of events, but also the places in the system execution where the decisions are made. This naturally develops into attempting to measure synchronisation tree equivalence, including the treatment of so-called \silent" or internal actions timing. The most common concurrency semantics is the interleaving semantics, but using an interleaving semantics enforces a sequential model onto what is eectively a non-sequential system. Therefore a more abstract notion of equivalence may be obtained by using additional information (such as causality or independence of actions) in synchronisation trees or traces. By adding more information (in the informationtheoretic sense) we can resolve more system equivalences. However, realising models which can cope with this additional structural information (be it time, or decision points, or which ever criterion we like to use to identify a system) is dicult and needs careful application of mathematical formalisms (such as Catagory Theory, etc). The dierent state-transition based schemes that we have examined dier in the amount of information employed and the consequent sets of traces that arise. Otherwise, similar state-transition based models provides operational semantics to all of them. This paper examined the issues involved in pro-

viding the additional timing information to the models.

References [AD90]

R. Alur and D. Dill. Automata for modeling real-time systems. In M. S. Paterson, editor, Proceedings of 17th ICALP, number 443 in LNCS, pages 322{335. Springer-Verlag, 1990.

[AD94]

R. Alur and D.L. Dill. A theory of timed automata. Theoretical Computer Science, 126:183{235, 1994.

[AM93]

H. R. Andersen and M. Mendler. A process algebra with multiple clocks. Technical Report TD-TR:1993-122, Department of Computer Science, Technical University of Denmark, Building 344, DK-2800 Lyngby, Denmark, August 1993.

[FGP94] M. Felder, C. Ghezzi, and M. Pezze. Formal speci cation and timing analysis of high- integrity real-time systems. In A. A. Halang and A. D. Stoyenko, editors, Real-time Computing, number 127 in NATO ASI Series F, pages 187{ 212. Springer-Verlag, 1994. [Fid93]

[Fv94]

C. Fidge. A constraint-oriented realtime process calculus. In K. Parker and G. Rose, editors, Formal Description Techniques, IV, pages 527{541. NorthHolland, 1993. C. Fidge and J. Z ic. A simple, expressive real-time ccs. Technical Report 94-27, Software Veri cation Research Centre, Department of Computer Science, The University of Queensland, December 1994.

[GL92]

R. Gerber and I. Lee. A layered approach to automating the veri cation of real-time systems. IEEE Trans. Soft. Eng., 18(9):768{784, 1992.

[GL94]

R. Gerber and I. Lee. A resourcebased prioritized bisimulation for realtime systems. Info. Comput., 1994.

[Har87]

D. Harel. Statecharts: a visual approach to complex systems. Science of Computer Programming, 8(3):231{274, 1987.

[HJ89]

I. J. Hayes and C. B. Jones. Speci cations are not (necessarily) executable. IEE/BCS Software Engineering Journal, 4(6):330{338, November 1989.

[HR91]

M. Hennessey and T. Regan. A process algebra for timed systems. Technical Report 5, Computer Science, University of Sussex, 1991.

[HS94]

[DGV93] P. Degano, R. Gorrieri, and S. Vigna. On relating some models for concurrency. In M.-C. Gaudel and J.-P. Joannaud, editors, TAPSOFT'93: Theory and Practice of Software Development, volume 668 of Lecture Notes in Computer Science, pages 15{30. SpringerVerlag, 1993.

C. Ho-Stuart. Synchronous action in algebraic real-time speci cation. In Proceedings of the Australasian Workshop on Parallel and Real-time Systems (PART'94), pages 160{169, 1994.

[JM94]

F. Jahanian and A. K. Mok. Modechart: a speci cation language for real-time systems. IEEE Trans. Soft. Eng., 20(12):933{947, 1994.

[FC93]

[KP92]

Y. Kesten and A. Pnueli. Timed and hybrid statecharts and their textual representation. In Formal Techniques in real-time and fault-tolerant systems, LNCS. Springer-Verlag, 1992.

[BB91a] J.C.M. Baeten and J.A. Bergstra. Real time process algebra. Formal Aspects of Computing, 3(2):142{188, 1991. [BB91b] A. Benveniste and G. Berry. The synchronous approach to reactive and real-time systems. Proceedings IEEE, 79(9):1270{1282, 1991. [BdS91]

F. Boussinot and R. de Simone. The esterel language. Proceedings IEEE, 79(9):1293{1304, 1991.

[BRS93] G. Berry, S. Ramesh, and R. K. Shyamasumdar. Communicating reactive processes. In ACM Proc. Programming Languages POPL 93. ACM Press, 1993. [CLM91] E. M. Clarke, D. E. Long, and K. L. McMillan. A language for compositional speci cation and veri cation of nite state hardware controllers. Proceedings IEEE, 79(9):1283{1292, 1991.

A. N. Fredette and R. Cleaveland. Rtsl: a language for real-time schedulability analysis. In Proceedings 14th Realtime Systems Symposium, pages 274{ 284. IEEE Computer Press, 1993.

[Lam78] L. Lamport. Time, clocks and the ordering of events in a distributed system. Communications of the ACM, (21), 1978. [LL93] L. Leonard and G. Leduc. An enhanced version of timed lotos and its application to a case study. In R. Tenney, P. Amer, and M.U. Uyar, editors, Proceedings of FORTE'93, pages 483{ 498, Holland, 1993. Elsevier Science Publishers BV. [LV] N. A. Lynch and F. Vaandrager. Forward and backward simulations. part ii: Timing-based systems. Information and Computation. To appear. [LV95] N. A. Lynch and F. Vaandrager. Forward and backward simulations. part i: Untimed systems. Information and Computation, 121(2):214{233, September 1995. [Mac71] S. Maclane. Catagories for the working mathematician. Graduate Texts in Mathematics. Springer, 1971. [Mar91] F. Maraninchi. The argos language: graphical representation of automata and description of reactive systems. In Proc IEEE Workshop on Visual Languages, Kobe, Japan, 1991. [Maz88] A. Mazurkiewicz. Basic notions of trace theory. In REX School/Workshop on Linear Time, Branching Time and Partial Order in Logics and Models for Concurrency, Noordwijkerhout, the Netherlands, May 1988. [Mil80] R. Milner. A Calculus of Communicating Systems, volume 92. SpringerVerlag, 1980. [MT90] F. Moller and C. Tofts. A temporal calculus of communicating systems. In Proceedings of Concur 90, number 458 in LNCS, pages 401{415. SpringerVerlag, 1990. [NRSV90] X. Nicollin, J-L. Richier, J. Sifakis, and J. Voiron. Atp: an algebra of timed processes. In Proc. IFIP Conf. programming Concepts and Methods, Sea of Galilee, Israel, 1990. [NS91] X. Nicollin and J Sifakis. The algebra of timed processes atp: theory and application. Technical Report RT-C26, Laboratorie de Gnie Informatique de Grenoble, November 1991.

[Ost90]

[Pra86]

[Pra94]

[RR87]

[Sha92] [SR88] [VB83] [Whi80] [Win88]

[Yi91]

[YR91]

J. Ostro. Survey of formal methods for the speci cation and design of real-time systems. In Tutorial on Speci cation of Time. IEEE Press, 1990. V. Pratt. Modelling concurrency with partial orders. International Journal of Parallel Programming, 15(1):33{71, Feburary 1986. V.R. Pratt. Time and information in sequential and concurrent computation. In Proc. Theory and Practice of Parallel Programming (TPPP'94), pages 1{24, Sendai, Japan, November 1994. G. M. Reed and A. W. Roscoe. A timed model for communicating sequential processes. In Proceedings of ICALP'86, number 226 in LNCS, pages 314{323. Springer-Verlag, 1987. A. Shaw. Communicating real-time state machines. IEEE Trans. Soft. Eng., 18(9):805{816, 1992. J. A. Stankovic and K. Ramamritham. Tutorial Hard Real-time Systems. IEEE Computer Press, 1988. J.F.A.K. Van Benthem. The Logic of Time. D. Reidel, 1983. G.J. Whitrow. The Natural Philosophy of Time. Oxford University Press, 2nd ed. edition, 1980. G. Winskel. Event structures. In REX School/Workshop on Linear Time, Branching Time and Partial Order in Logics and Models for Concurrency, Noordwijkerhout, the Netherlands, May 1988. W. Yi. Ccs + time = an interleaving model for real time systems. In Proceedings of the International Conference on Automata, Languages and Programming (ICALP'91), number 510 in LNCS, pages 217{228. Springer-Verlag, July 1991. V. Yodaiken and K. Ramamritham. Mathematical models of real-time scheduling. In A. M. van Tilborg and G. M. Koob, editors, Foundations of real-time computing: formal speci cations and methods. Kluwer Acad. Publ., 1991.