Transformations of Timed Cooperating Automata

Ruggero Lanotte (1), Andrea Maggiolo-Schettini (1), Adriano Peron (2), Simone Tini (1)

(1) Dipartimento di Informatica, Università di Pisa, Corso Italia 40, 56125 Pisa, Italy. E-mail: {lanotte, maggiolo, [email protected]}
(2) Dipartimento di Matematica e Informatica, Università di Udine, Viale delle Scienze 206, 33100 Udine, Italy. E-mail: [email protected]
Abstract. The paper pursues the investigation of Timed Cooperating Automata (TCA) by studying transformations which are suggested as a means for stepwise TCA construction.
1 Introduction

In [5] Timed Cooperating Automata (TCAs) have been proposed. A TCA consists of n sequential automata, each with its own set of states, an initial state and a transition table. These automata work together in a synchronous manner, taking transitions according to their internal states, the common input symbols being read, and a set of formulas over atomic propositions either of the form "component i is in state q at least since a time " or of the form "component i has left state q at most since a time ". These formulas are interpreted to assume truth values according to the states of possibly all the components, thus permitting cooperation among them. States are distinguished into input states (starting and ending an internal activity) and non-input states (intermediate states of an internal activity). Each sequential component performs a sequence of transitions from an input state to an input state through intermediate (non-input) states (a local step) as a reaction to a timed infinite sequence of signals from an environment. The overall reaction of the automaton is a concurrent composition of local steps. The behaviour of a TCA is described by the set of timed sequences it accepts (the language accepted by the TCA). In [5] a number of variants of TCAs are studied and compared with known models of timed automata (e.g. see [3, 2]) from the point of view of expressiveness and succinctness. In the present paper we consider the two variants of TCAs and urgent TCAs (where transitions are performed as soon as enabled, without any unmotivated delay). For these two classes of automata we define transformations which we envisage as the kernel of a methodology for the stepwise development of TCA specifications of systems. We consider three types of transformations. The first is refining/abstracting transitions, by which a transition labelled by a complex condition can be replaced by a suitable duplication and sequentialization of transitions (and vice versa).
The second transformation is retiming, which permits changing the temporal constraints of transitions. Both kinds of transformations, under suitable conditions, do not change the language accepted by the TCA and permit specification refinement. The third transformation preserves the semantics of the given TCA in a less restricted sense. This transformation deals again with time and transforms a TCA into another one accepting the subset of the language it accepts when it behaves satisfying a criterion of weak urgency. Proofs of theorems are in the Appendix.
2 Timed Cooperating Automata

In this section we recall the notions of TCAs. For a finite alphabet of signals, and a dense time domain Time (nonnegative rational numbers, for instance), a timed sequence is a triple = ⟨ 1, 2, 3⟩, where:
1. 1 : ℕ → 2^ gives the set of signals communicated at each interaction;
2. 2 : ℕ → Time gives the starting time of each interaction and satisfies the conditions that 2(i) 2(i+1), for all i 0 (monotonicity), and that for every ∈ Time there is an index i such that 2(i) (progress);
3. 3 : ℕ → Time gives the duration of communication during interaction i and satisfies the requirement that communication intervals do not overlap (but possibly in their borders), namely 2(i) + 3(i) 2(i+1).
The meaning of 3 is that the signals in 1(i) are communicated continuously in the interval [ 2(i), 2(i) + 3(i)]. We assume that the interaction with the environment starts at time 0, and that, for any environment , 1(0) = ∅, 2(0) = 0 and 3(0) = 0. One can interpret this first interaction as the switching on of the system. The meaningful interaction with the environment is then given by ⁺ = ⟨ 1⁺, 2⁺, 3⁺⟩, where i⁺, for i ∈ {1, 2, 3}, is the restriction of i to the positive natural numbers. The acceptance condition is a Büchi acceptance condition (see [8]). Let denote the collection of environment conditions, inductively defined as follows: 1. true ∈ , ; 2. p1 ∧ p2, p1 ∨ p2, ¬p1 are in for p1 and p2 in . For an alphabet of state symbols Q, let Ψ_Q denote the collection of internal conditions, inductively defined as follows: 1. true, q[ ] and q{ } are in Ψ_Q for q ∈ Q and ∈ Time; 2. p1 ∧ p2, p1 ∨ p2, ¬p1 are in Ψ_Q for p1 and p2 in Ψ_Q.
Definition 1. A Timed Cooperating Automaton (TCA) is a tuple M = ⟨M1, …, Mn, I, F⟩, where:
1. each sequential automaton Mi (with 1 i n) is a triple ⟨Qi, qi0, i⟩ such that:
   (a) Qi is a finite set of states (Q1, …, Qn are required to be pairwise disjoint and Q is ∪_{1 i n} Qi);
   (b) qi0 ∈ Qi is the initial state;
   (c) i Qi Ψ_Q Qi is the transition relation;
2. the set I of input states is such that ∪_{1 i n} {qi0} I Q;
3. F I is the set of accepting states, such that F ≠ ∅.
A local configuration for a sequential automaton Mi is a tuple Ci = ⟨qi, ini, outi, i⟩, where:
1. qi ∈ Qi is the enabled state of Mi;
2. ini : Qi → Time is the state enabling (partial) function;
3. outi : Qi → Time is the state disabling (partial) function;
4. i ∈ Time is the local time.
The enabling function ini(q) gives, whenever it is defined, the time when the state q ∈ Qi has most recently been enabled. The disabling function outi(q) gives, whenever it is defined, the time when the state q ∈ Qi has most recently been disabled. If ini(q) is defined and either outi(q) is undefined or outi(q) < ini(q), then q is currently enabled. Vice versa, either if ini(q) is undefined or if ini(q) and outi(q) are both defined and ini(q) outi(q), then q is currently disabled. A local configuration Ci = ⟨qi, ini, outi, i⟩ is an input configuration if qi ∈ I, and it is initial if qi = qi0, i = 0, ini(qi0) = 0 (with ini undefined elsewhere) and outi is undefined for any q ∈ Qi. Such a configuration is denoted by Ci0. A (global) configuration C is a tuple ⟨C1, …, Cn, , m⟩, where: 1. Ci is a local configuration, for 1 i n; 2. is an environment; 3. m ∈ ℕ is the number indicating that C is concerned with the m-th interaction with the environment, i.e. ⟨ 1(m), 2(m), 3(m)⟩. Let C = ⟨C1, …, Cn, , m⟩ be a configuration with Ci = ⟨qi, ini, outi, i⟩. An atomic proposition true, q[ ] or q{ } with q ∈ Qi is evaluated to ⊥ (i.e. undefined) in C at time if i > . An atomic proposition q[ ] with q ∈ Qi is evaluated to True at time in C iff i and q = qi and ini(q) + , i.e. if q is currently enabled and it has been enabled at least since a time . An atomic proposition q{ } with q ∈ Qi is evaluated to True at time in C iff i and either q = qi or − outi(q) , i.e. if q is currently enabled or it has been disabled since at most a time .
In all of the remaining cases the above mentioned atomic propositions evaluate to False in a configuration C at time . Given the evaluation of atomic propositions, a formula ∈ Ψ_Q is evaluated in a configuration C at a time by exploiting the standard semantics of the connectives ∧, ∨ and ¬ over the truth-values True, False and ⊥.
An environment proposition ∈ is evaluated in an environment at time ∈ [ 2(m), 2(m) + 3(m)] and at the m-th interaction with the environment by interpreting as True all the symbols in 1(m) ∪ {true} and as False all the other symbols. Moreover, is evaluated in at time ∈ ( 2(m) + 3(m), 2(m+1)] and at the m-th interaction with the environment by interpreting as False all the symbols in . Given a configuration C = ⟨C1, …, Cn, , m⟩, there is a local derivation from Ci = ⟨qi, ini, outi, i⟩ to Ci' = ⟨qi', ini', outi', i'⟩, written Ci →C Ci', if
1. 2(m) i' 2(m+1);
2. ⟨qi, , , qi'⟩ ∈ i for some and such that evaluates to True in at time i' and interaction m, and evaluates to True in C at time i';
3. ini'(qi') = i' and ini'(q) = ini(q) for q ≠ qi';
4. outi'(qi) = i' and outi'(q) = outi(q) for q ≠ qi.
We say that i' is the time of the local derivation Ci →C Ci'. The local derivation Ci →C Ci' is urgent if there does not exist a local derivation Ci →C Ci'' at time '' with max{ i, 2(m)} '' < i'. The reaction of a sequential component of the automaton consists of a sequence of local derivations. While the configuration of the considered component changes, the local configurations of all the other components are assumed to be fixed. A local step from a configuration C = ⟨C1, …, Cn, , m⟩ is a sequence of local derivations Ci →C Ci1 →C1 … →C(v−1) Civ →Cv Ci', written Ci ⇒C Ci', where
1. Ci and Ci' are input local configurations and Cij is not an input local configuration for any 1 j v;
2. Cj is ⟨C1, …, Ci−1, Cij, Ci+1, …, Cn, , m⟩.
A local step is urgent if it consists of urgent local derivations. A local step Ci ⇒C Ci' with Ci = Ci' is said to be a ghost local step. The reaction of an automaton is a concurrent composition of local steps which guarantees causality and maximality. The local step of a component is performed with respect to the local configurations of the other components, which are either in the starting configurations or in the configurations reached in the same step, provided that a causal justification can be given. Given two configurations C = ⟨C1, …, Cn, , m⟩ and C' = ⟨C1', …, Cn', , m+1⟩, there is a step from C to C', written C ⇒ C', whenever
1. for any 1 i n, either Ci' is obtained by a (possibly ghost) local step from Ci, or Ci' = Ci and there is no local step Ci ⇒C' Ci' having local time 2(m) i' 2(m+1) (maximality);
2. for any 1 i n, if there is a (possibly ghost) local step Ci ⇒C^i Ci' with C^i = ⟨C1⁻, …, Ci, …, Cn⁻, , m⟩ and either Cj⁻ = Cj or Cj⁻ = Cj', with 1 j n, we define a relation →i {0, …, n} {1, …, n} such that →i = {⟨j, i⟩ : Cj⁻ ≠ Cj, j ≠ i} ∪ {⟨0, i⟩ : Cj⁻ = Cj, j ≠ i}. The relation ∪_i →i is required to be a partial order with least element 0 (causal justification).
A step is urgent if it consists of urgent local steps only. A run R is an ω-sequence of global configurations C⁰, C¹, …, Cⁱ, … such that C⁰ is an initial configuration and Cʲ ⇒ Cʲ⁺¹, for any j 0. The run R is urgent if its steps are urgent. Given a run R, let Inf(R) be the set of input states which occur infinitely often in R as enabled states. A run R is successful if Inf(R) ∩ F ≠ ∅ (Büchi acceptance condition). We will say that a TCA is an urgent TCA (TCAᵁ) when we are interested in urgent runs. An environment is accepted by a TCA (resp. TCAᵁ) if there exists a successful run (resp. a successful urgent run) starting from the initial configuration with environment . The language accepted by a TCA M, written L(M), is the set { ⁺ : is accepted by M}.
Example 1. Let us consider the automaton M of Fig. 1 (taking F = {q4}). The convention is that input states are represented by boxes, non-input states are represented by circles and initial states are marked by dangling arcs. If M is urgent then the language L(M) accepted by M is
{ | 1(i) = a, 1(i+1) = a, 2(i+1) − 2(i) = km, for some i 0, k > 0}.
If M is not urgent then the language L(M) is
{ | 1(i) = a, 1(i+1) = a, 2(i+1) − 2(i) m, for some i 0}.
[Fig. 1: diagram not recoverable from the extraction; the transition labels visible are "a; True", "True; q2[m]" and "a; q3[0] ∧ q2{0}".]
Fig. 1. The TCA of Example 1.

Example 2. Let us assume the TCA in Fig. 2 (with final state St1), which models the cooperation of two machines. Machine M1 gets some raw materials and manufactures a final product, and machine M2, after supplying M1 with the material, collects the final product. M1 waits until M2 is in the position in which it can supply the material (i.e. state Tr1 is enabled) and the environment gives the starting signal start. Then M1 works if the material is actually present (signal in) and there is the request to manufacture either the final product p1 (signal w1) or the final product p2 (signal w2). After at least 5 units of time the selected product is completed. So, M2 reaches a state where it can collect it. Moreover, after a cooling phase, M1 checks the quality of the product and reaches the initial state in one unit of time if the product is good, in three units of time otherwise. After this transition of M1, M2 collects the product and, after at least one unit of time, it supplies M1 with new material. The TCA accepts the environments = ⟨ 1, 2, 3⟩ such that, if there exists i with 3(i) 5 and either 1(i) {start, in, w1} or 1(i) {start, in, w2}, then there is j > i such that either 1(j) {cool, good}, 2(j+1) 2(j) + 2 and 3(j) 1, or 1(j) {cool, trash}, good ∉ 1(j), 2(j+1) 2(j) + 4 and 3(j) 3.

[Fig. 2: state-transition diagram not recoverable from the extraction; labels visible include start, Tr1[0], St1, St2, good, trash, cool, q2[3], St2{3}, q2[1], St2{1}, (w1 w2) in, q1[5], St2[0], Tr2, q3[1], St1[0].]
Fig. 2. The cooperating machines.
3 Refining/Abstracting transitions

We have seen that transitions may be labelled by both environment and internal conditions freely constructed by means of boolean connectives. In this section we show how both these kinds of conditions may be manipulated while preserving the languages accepted by automata. In particular, we shall see how a transition labelled by a complex condition can be replaced by a suitable duplication and sequentialization of transitions (and vice versa). This manipulation can be seen as a refinement (an abstraction) of the specification of a system. As an example, the transition from St1 in the TCA of Fig. 2 may be refined into two activities: waiting for the starting signal and checking the position of M2. We consider first the splitting of a condition in disjunctive form.
∨-splitting. For a TCA M with a component Mi = ⟨Qi, qi0, i⟩ and a transition t = ⟨q, 1 ∨ 2, 1 ∨ 2, q'⟩ ∈ i, the ∨-split of M w.r.t. t is the TCA M' obtained by replacing in Mi the transition t by the set of transitions {⟨q, 1, 1, q'⟩, ⟨q, 1, 2, q'⟩, ⟨q, 2, 1, q'⟩, ⟨q, 2, 2, q'⟩}. The ∨-splitting does not affect the language accepted by the automaton. This holds both in the urgent and in the non-urgent TCA semantics.
Let us consider now the possibility of transforming the enabling condition ' of a transition into the condition ' ∧ ( ∨ ¬ ). Such a transformation is possible provided that does not evaluate to ⊥ in any configuration. To formulate conditions ensuring this, we need to introduce some concepts. Let Def : Ψ_Q → 2^{1,…,n} be the function which gives the set of parallel components which are necessarily involved in the evaluation of the condition ∈ Ψ_Q (the i-th component belongs to Def( )  if i ∈ Def( )). The function Def is defined as follows:
Def( ) = {i}                   if ∈ {q[ ], q{ }} and q ∈ Qi
Def( ) = ∅                     if = true
Def( ) = Def( 1)               if = ¬ 1
Def( ) = Def( 1) ∪ Def( 2)     if = 1 ∧ 2
Def( ) = Def( 1) ∩ Def( 2)     if = 1 ∨ 2.
Notice that if evaluates to True in a configuration C with Ci = ⟨qi, ini, outi, i⟩ for i ∈ {1, …, n} at time , then i for each i ∈ Def( ). We give now a syntactic criterion ensuring that in a configuration C with an internal state q enabled, a condition ∈ Ψ_Q is defined (i.e. it evaluates either to True or to False). We say that an internal condition is defined in a state q ∈ Qi \ I if, for any condition q'[ ] or q'{ } occurring in with q' ∈ Qj and j ≠ i, and for any path ⟨q1, 1, 1, q2⟩, …, ⟨qn, n, n, q⟩ with q2, …, qn ∉ I, there is a k ∈ {1, …, n} such that j ∈ Def( k). Intuitively, when q is enabled cannot be undefined, since any condition q'[ ] or q'{ } occurring in cannot be undefined. As an example, with reference to Fig. 1, the condition St1{3} is defined in state q3.
Adding ∨ ¬ . Let M be a TCA with a component Mi = ⟨Qi, qi0, i⟩ and a transition t = ⟨q, , ', q'⟩ ∈ i. If the condition is defined in q then the transform of M by adding ∨ ¬ to t is the TCA M' obtained by replacing in Mi the transition t by the transition ⟨q, , ' ∧ ( ∨ ¬ ), q'⟩. As an example, consider the right component of Fig. 3, which is obtained from the right component of Fig. 1 by adding St2{3} ∨ ¬St2{3} to the transition from q3 to Tr1 and then by applying the ∨-splitting to the transition so obtained. Also adding conditions does not affect the language accepted by the automaton. This holds both in the urgent and in the non-urgent TCA semantics. Finally, we consider the splitting of a condition in conjunctive form.
∧-splitting. Let M be a TCA with a component Mi = ⟨Qi, qi0, i⟩ and a transition t = ⟨q, 1 ∧ 2, 1 ∧ 2, q'⟩ ∈ i. If no condition q[ ] or q{ } appears in 2 then the ∧-split of M w.r.t. t is the TCA M' obtained by replacing in Mi the transition t by the set of transitions {⟨q, 1, 1, q''⟩, ⟨q'', 2, 2 ∧ q{0}, q'⟩}. As an example, the left component of Fig. 3 is obtained by applying all of the defined transformations to the left component of Fig. 1. In particular, the two paths from St1 to St2 of Fig. 3 are obtained from the corresponding paths by two applications of ∧-splitting and one of ∨-splitting. The two paths from St2 to St1 are obtained from the two corresponding paths by an application of ∧-splitting.

[Fig. 3: state-transition diagram not recoverable from the extraction; labels visible include start, Tr1[0], St1{0}, q11, in, q1[5], q12, q22, q{0}, w1, w2, St2{1}, St2{3}, good, trash, cool, q2[1], q2[3], q3[1], St2[0], St1[0], Tr1, Tr2.]
Fig. 3. Transition refinement of the cooperating machines.

The ∧-splitting does not affect the language accepted by the automaton if one assumes the non-urgent TCA semantics. On the other hand, when considering a TCAᵁ, the conditions for the ∧-splitting must be strengthened. More precisely, we must avoid that 1 and 2 evaluate to True at two instants 1 and 2, respectively, with 1 < 2. If 1 were less than 2, urgency would require performing ⟨q, 1, 1, q''⟩ at time 1, when the transition from q'' is not yet enabled. The consequence would be that M commutes from q to q' instantaneously, whereas in M' commuting from q to q' (via q'') would require a non-null time. To express the conditions above we need to introduce one more concept. For a state q and a condition ∈ Ψ_Q let ( , q) denote the maximum such that can be rewritten in the form q[ ] ∧ ' by a standard distribution of boolean connectives. In the case in which such a rewriting is not possible we define ( , q) = 0. We say that an internal condition is determined by a state q if, whenever evaluates to True in a configuration C with Ci = ⟨q, in, out, ⟩ at time , evaluates to True at time + ( , q) and it does not evaluate to True in [ , + ( , q)). A syntactic sufficient condition ensuring that is determined by q is given by the following proposition.

Proposition 1. An internal condition = ⋁_{1 i m} i, with i a conjunction of positive and negative occurrences of basic internal conditions, is determined by q if it fulfills the following requirements:
– is defined in q;
– ( i, q) = ( j, q) for 1 i < j m;
– ( , q) for any condition q'[ ] or ¬q'{ } occurring in i.

Urgent-∧-splitting. Let M be a TCA with a component Mi = ⟨Qi, qi0, i⟩ and a transition t = ⟨q, 1 ∧ 2, 1 ∧ 2, q'⟩ ∈ i. If no condition q[ ] or q{ } appears in 2 and 1 ∧ 2 is determined by q, then the urgent-∧-split of M w.r.t. t is the TCA M' obtained by replacing in Mi the transition t by the set of transitions {⟨q, 1, 1, q''⟩, ⟨q'', 2, 2, q'⟩}. The urgent-∧-splitting does not affect the language accepted by the automaton if one assumes the urgent TCA semantics.
Theorem 1. Let M be a TCA (resp. TCAᵁ) and M' the automaton obtained from M by either ∨-splitting or adding ∨ ¬ or ∧-splitting (resp. ∨-splitting or adding ∨ ¬ or urgent-∧-splitting); then L(M) = L(M').
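As an added example (not code from the paper), the following Python encodes local configurations and the three-valued evaluation of the atoms q[τ] and q{τ} from Section 2, the function Def, and the ∨-splitting and ∧-splitting defined above; the tuple encoding of conditions, the strong Kleene reading of the connectives over True, False and ⊥, and the two-component sample configuration are assumptions of this example.

```python
from dataclasses import dataclass, field

# Conditions are nested tuples (an encoding chosen for this example):
#   ("true",)  ("since", q, tau) = q[tau]  ("left", q, tau) = q{tau}
#   ("not", a)  ("and", a, b)  ("or", a, b); environment atoms are ("sig", a).
# Truth values are True, False and None (None plays the paper's undefined value).


@dataclass
class LocalConfig:
    """Local configuration <q_i, in_i, out_i, t_i> of one sequential component."""
    enabled: str                                   # q_i, the enabled state
    in_time: dict = field(default_factory=dict)    # in_i: state -> time last enabled
    out_time: dict = field(default_factory=dict)   # out_i: state -> time last disabled
    local_time: float = 0.0                        # t_i, the component's local time


def evaluate(psi, configs, component_of, theta):
    """Value of psi at time theta in the global configuration `configs`
    (component index -> LocalConfig); `component_of` maps states to indices.
    Connectives follow strong Kleene logic (our reading of "standard semantics")."""
    kind = psi[0]
    if kind == "true":
        return True
    if kind in ("since", "left"):
        _, q, tau = psi
        c = configs[component_of[q]]
        if c.local_time > theta:            # component not yet at theta: undefined
            return None
        if kind == "since":                 # q[tau]: enabled, and since at least tau
            return c.enabled == q and c.in_time[q] + tau <= theta
        if c.enabled == q:                  # q{tau} holds while q is enabled ...
            return True
        out = c.out_time.get(q)             # ... or if q was disabled at most tau ago
        return out is not None and theta - tau <= out <= theta
    if kind == "not":
        v = evaluate(psi[1], configs, component_of, theta)
        return None if v is None else (not v)
    a = evaluate(psi[1], configs, component_of, theta)
    b = evaluate(psi[2], configs, component_of, theta)
    if kind == "and":
        return False if (a is False or b is False) else (True if (a and b) else None)
    if kind == "or":
        return True if (a is True or b is True) else (False if (a is False and b is False) else None)
    raise ValueError(f"unknown connective {kind}")


def Def(psi, component_of):
    """Components necessarily involved in evaluating psi (the paper's Def)."""
    kind = psi[0]
    if kind == "true":
        return frozenset()
    if kind in ("since", "left"):
        return frozenset({component_of[psi[1]]})
    if kind == "not":
        return Def(psi[1], component_of)
    left, right = Def(psi[1], component_of), Def(psi[2], component_of)
    return left | right if kind == "and" else left & right


def states_in(psi):
    """States mentioned by the atoms of psi."""
    if psi[0] in ("since", "left"):
        return {psi[1]}
    return set().union(*(states_in(s) for s in psi[1:] if isinstance(s, tuple)))


def or_split(delta, t):
    """Replace t = <q, phi1 v phi2, psi1 v psi2, q'> in delta by its four v-split transitions."""
    q, phi, psi, q2 = t
    assert phi[0] == "or" and psi[0] == "or", "or_split needs disjunctions in both conditions"
    return [u for u in delta if u != t] + [(q, p, s, q2) for p in phi[1:] for s in psi[1:]]


def and_split(delta, t, fresh):
    """Replace t = <q, phi1 ^ phi2, psi1 ^ psi2, q'> by <q, phi1, psi1, q''> and
    <q'', phi2, psi2 ^ q{0}, q'>, q'' being a fresh non-input state; the paper's
    side condition (psi2 mentions no atom on the source q) is checked."""
    q, phi, psi, q2 = t
    assert phi[0] == "and" and psi[0] == "and", "and_split needs conjunctions in both conditions"
    assert q not in states_in(psi[2]), "psi2 must not mention the source state"
    return [u for u in delta if u != t] + [
        (q, phi[1], psi[1], fresh),
        (fresh, phi[2], ("and", psi[2], ("left", q, 0)), q2),
    ]


def demo():
    """Constructed two-component configuration (sample data, not from the paper)."""
    component_of = {"p": 1, "p2": 1, "r": 2, "r2": 2}
    configs = {
        1: LocalConfig("p", in_time={"p": 2.0}, local_time=2.0),
        2: LocalConfig("r2", in_time={"r": 0.0, "r2": 3.0}, out_time={"r": 3.0}, local_time=4.0),
    }
    ev = lambda psi, theta: evaluate(psi, configs, component_of, theta)
    return {
        "p[3]@6": ev(("since", "p", 3), 6),   # True: enabled since 2 and 2 + 3 <= 6
        "p[5]@6": ev(("since", "p", 5), 6),   # False: 2 + 5 > 6
        "r{3}@6": ev(("left", "r", 3), 6),    # True: out(r) = 3 lies in [6 - 3, 6]
        "r{2}@6": ev(("left", "r", 2), 6),    # False: out(r) = 3 < 6 - 2
        "r{3}@3": ev(("left", "r", 3), 3),    # None: component 2 is already at time 4 > 3
        "p[1] v r{3}@3": ev(("or", ("since", "p", 1), ("left", "r", 3)), 3),   # True
        "p[1] ^ r{3}@3": ev(("and", ("since", "p", 1), ("left", "r", 3)), 3),  # None
    }
```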
4 Retiming

In the previous section we have manipulated the boolean connectives of internal conditions labelling transitions. In this section we show that, under suitable assumptions, also the temporal amounts expressed by internal conditions can be changed while leaving unchanged the language accepted by the TCA. In particular, we shall consider an internal activity with a duration, and we shall change the durations of the transitions of such an activity provided that the overall duration of the activity is left unchanged. Notice that similar transformations have been considered for other formalisms (e.g. systolic automata [6] and Timed Statecharts [7]). For instance, consider the retiming of the TCA of Fig. 3, shown in Fig. 4. The internal activity leading from state St1 to St2 is retimed by associating a non-null amount of time also with the transitions from state q12 to state St2 (which in Fig. 3 are instantaneous). This form of retiming may support a methodology for developing specifications by giving first the temporal requirements for an entire activity and then distributing temporal constraints to sub-activities. For a set of states P Qj, we denote by Pred(P) the set of the states which are sources of transitions leading to states of P. Given an internal condition , we denote with [P{ } op ] (resp. [P[ ] op ]) the formula obtained by replacing every occurrence of qi{ '} (resp. qi[ ']) in by qi{ ' op } (resp. qi[ ' op ]), for op ∈ {+, −} and qi ∈ P. In the following we assume that when we write op ' then op ' ∈ Time.
Retiming. For a TCA M = ⟨M1, …, Mn, I, F⟩ with Mi = ⟨Qi, qi0, i⟩ and a set P ⊆ Qj \ I, the retiming of M which advances the enabling of states of P by and delays the disabling of states of P by , denoted as Retiming(M, P, ), is the TCA ⟨M1', …, Mn', I, F⟩ defined as follows (for technical reasons we assume that each transition ⟨q, , , q'⟩ with q ∈ P is beforehand replaced by the transition ⟨q, , ∧ q[0], q'⟩, which does not affect the behaviour of M):
Mi' = ⟨Qi, qi0, i'⟩ with
i' = {⟨q, , [Pred(P){ } + ], q'⟩ | ⟨q, , , q'⟩ ∈ i} for i ≠ j;
j' = {⟨q, , [Pred(P){ } + ], q'⟩ | ⟨q, , , q'⟩ ∈ j, q, q' ∉ P}
   ∪ {⟨q, , [{q}[ ] + ][Pred(P){ } + ], q'⟩ | ⟨q, , , q'⟩ ∈ j, q ∈ P}
   ∪ {⟨q, , [Q[ ] − ][Q{ } − ], q'⟩ | ⟨q, , , q'⟩ ∈ j, q ∈ Pred(P), q' ∈ P}.
The operation of retiming which relabels internal conditions with conditions of the form q[ ] or q{ } with < 0 is obviously considered to be undefined. With reference to the TCA M of Fig. 3, the TCA of Fig. 4 is the TCA Retiming(M1, {q22}, 2) with M1 = Retiming(M, {q12}, 4).

[Fig. 4: retimed diagram not recoverable from the extraction; labels visible include start, Tr1[0], St1{0}, q11, in, q1[1], q12, q1[4], q{2}, q{4}, w1, w2, q22, St2{1}, St2{3}, q2[1], q2[2], q3[1], St2[0], St1[0], good, trash, cool, Tr1, Tr2.]
Fig. 4. Retiming of the cooperating machines.

We show now that, under suitable assumptions, Retiming(M, {q1, …, qm}, ) accepts the same language as M.

Theorem 2. Let M = ⟨M1, …, Mn, I, F⟩ be a TCA and M' = Retiming(M, P, ); L(M) = L(M') if the following conditions hold:
– Pred(P) ∩ I = ∅;
– there is no transition ⟨q, , , q'⟩ with q, q' ∈ P;
– if there is a transition ⟨q, , , q'⟩ with q ∈ Pred(P) and q' ∉ P then no condition q{ } occurs in ' for any ⟨q1, ', ', q2⟩ ∈ ∪_{k ∈ {1,…,n}} k;
– for each transition ⟨q, , , q'⟩ with q' ∈ P, has the form (a1 ∨ … ∨ an) ∧ ' for some a1, …, an ∈ and n 1;
– for each ⟨q, , , q'⟩ ∈ j with q' ∈ P, is defined for q and (q, ) .
In the case of urgent TCAs the conditions of retiming have to be strengthened.
Theorem 3. Let M = ⟨M1, …, Mn, I, F⟩ be a TCAᵁ and M' = Retiming(M, P, ); L(M) = L(M') if all of the conditions of Th. 2 and the following conditions hold:
– for any ⟨q, , , q'⟩ ∈ j with q ∈ Pred(P), is determined by q;
– for any ⟨q, 1, 1, q1⟩, ⟨q, 2, 2, q2⟩ ∈ j with q1 ∈ P, if ( 1, q) belongs to the interval [( 2, q) − , ( 2, q)], then q2 ∈ P.
We have considered a retiming technique which advances the enabling of a set of states P and delays their disabling. The other way around, namely delaying the enabling of a set of states and advancing their disabling, might be considered and investigated analogously.
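Added example (not the paper's code): the substitution operators ψ[P{·} op Δ] and ψ[P[·] op Δ] and Retiming(M, P, Δ) applied to transition relations, with the preliminary q[0] step of the definition; the tuple encoding of conditions and the small two-component automaton are assumptions constructed for the example, not the machines of Fig. 3.

```python
# Transitions are tuples (q, phi, psi, q2); psi uses the atoms ("since", q, tau)
# for q[tau] and ("left", q, tau) for q{tau}, with ("and", a, b), ("or", a, b),
# ("not", a) and ("true",) as connectives (an encoding chosen for this example).


def shift(psi, states, kind, delta):
    """psi[states kind op Delta]: add delta to the bound of every atom of the
    given kind ("since" for [ ], "left" for { }) whose state lies in `states`.
    A bound that would become negative makes the retiming undefined."""
    if psi[0] == kind and psi[1] in states:
        bound = psi[2] + delta
        if bound < 0:
            raise ValueError(f"retiming undefined: {psi} would get bound {bound}")
        return (kind, psi[1], bound)
    if psi[0] in ("since", "left", "true"):
        return psi
    return (psi[0],) + tuple(shift(s, states, kind, delta) for s in psi[1:])


def pred(transitions, P):
    """Pred(P): states that are sources of transitions leading into P."""
    return {q for (q, _, _, q2) in transitions if q2 in P}


def retiming(components, j, P, Delta):
    """Retiming(M, P, Delta) on the transition relations of M.

    `components` maps component index -> list of transitions; P must be a set
    of non-input states of component j.  States, initial states, I and F are
    untouched, so only the new transition lists are returned."""
    all_t = [t for ts in components.values() for t in ts]
    predP = pred(all_t, P)
    Q = {s for (q, _, _, q2) in all_t for s in (q, q2)}
    result = {}
    for i, ts in components.items():
        new = []
        for (q, phi, psi, q2) in ts:
            if i == j and q in P:
                # the paper's preliminary step: conjoin q[0] to transitions leaving P
                psi = ("and", psi, ("since", q, 0))
            if i == j and q in predP and q2 in P:
                # entering P: P is entered Delta earlier, so every bound shrinks by Delta
                psi = shift(shift(psi, Q, "since", -Delta), Q, "left", -Delta)
            elif i == j and q in P:
                # leaving P: the source has been enabled Delta longer
                psi = shift(psi, {q}, "since", Delta)
                psi = shift(psi, predP, "left", Delta)
            else:
                # elsewhere: predecessors of P are disabled Delta earlier
                psi = shift(psi, predP, "left", Delta)
            new.append((q, phi, psi, q2))
        result[i] = new
    return result


def sample_retiming():
    """Constructed two-component TCA (not the paper's Fig. 3): component 1 has
    s (input) -> a -> p -> u (input) with p the only state of P, and component 2
    reads the disabling of a.  Returns Retiming(M, {p}, 2)."""
    components = {
        1: [("s", ("sig", "start"), ("since", "s", 1), "a"),
            ("a", ("sig", "in"), ("and", ("since", "a", 2), ("left", "r", 3)), "p"),
            ("p", ("true",), ("since", "p", 5), "u")],
        2: [("r", ("true",), ("left", "a", 3), "r2")],
    }
    return retiming(components, j=1, P={"p"}, Delta=2)
```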
5 Making a TCA urgent

In the previous sections we have considered transformations of a TCA which do not change the language accepted by the automaton. It may be meaningful to consider transformations which preserve the semantics in a less strong sense, such as a transformation of a TCA M into an automaton M' such that L(M') L(M). From a specification point of view, this can be interpreted as the fact that M is a rough specification which is detailed into M', and this process causes the exclusion of some previously admitted behaviours. In this section we propose an example of this category of transformations, namely the one dealing with the problem of forcing a TCA to behave urgently. Such a problem, which has been solved in [5] only for the subclass of sequential TCAs (i.e. TCAs consisting of only one component), is solved here for the entire class of TCAs but with a weak notion of urgency. We speak of urgent behaviour when the performing of transitions satisfies two constraints:
1. if a transition is performed at time , then it cannot be performed (in the same configuration) at any time ' < ;
2. a transition t1 cannot be performed at time if there is a transition t2 (≠ t1) having the same source state which can be performed at time ' < .
Weak urgency is required to satisfy only the first constraint, namely it does not impose urgency of nondeterministic choices (in the absence of nondeterminism the two notions obviously coincide). In the following, for simplicity, we introduce a basic internal condition of the form q = which, for q ∈ Qi, evaluates to True at time in a configuration C with Ci = ⟨qi, ini, outi, i⟩ if and only if i, qi = q and ini(q) = . Such a condition does not increase the expressiveness of TCAs. In fact, if {q1, …, qk} is the set of predecessors of q, the condition q = is a shorthand for ⋁_{1 j k} qj{ } ∧ q[ ]. Let M be a TCA. A transition ⟨q, , , q'⟩ is urgent if can be rewritten in the form q = ∧ ' by standard manipulation of connectives.
To transform a TCA M into a TCA M' whose behaviours are precisely the weakly urgent behaviours of M, we suitably replace any non-urgent transition of M with a set of urgent transitions, as defined in the following transformation.
Weak urgency. Let M be a TCA with components Mi = ⟨Qi, qi0, i⟩ for 1 i n, and assume, without loss of generality, that each condition has the form ⋀_{1 j k} qj[ j] ∧ ', where ' is a conjunction of basic conditions of the form ¬q'[ '], q'{ '}, ¬q'{ '}. The weak urgent transform of M is the TCA M' obtained from M by replacing each non-urgent transition ⟨q, , , q'⟩, with = ⋀_{1 j k} qj[ j] ∧ ', by the set of transitions {⟨q, , qj = j ∧ , q'⟩ | 1 j k}.
The next result follows directly from the definition above.
Theorem 4. If M' is the weak urgent transform of a TCA M, then L(M') L(M) and L(M') is the set of timed sequences having a weakly urgent successful run.
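Added example (not the paper's code) of the weak urgent transform: it recognises urgent transitions, expands the shorthand q = τ into ⋁_j q_j{τ} ∧ q[τ] over the predecessors of q, and replaces each non-urgent transition by the k transitions of the definition above; the tuple encoding of conditions and the treatment of a condition with no q_j[τ_j] conjunct (k = 0) are assumptions of this example.

```python
# Transitions are tuples (q, phi, psi, q2).  psi is built from the atoms
# ("since", q, tau) for q[tau], ("left", q, tau) for q{tau}, ("eq", q, tau) for
# the paper's q = tau, plus ("and", a, b), ("or", a, b), ("not", a), ("true",)
# (an encoding chosen for this example).


def conjuncts(psi):
    """Flatten nested conjunctions into the list of their conjuncts."""
    if psi[0] == "and":
        return conjuncts(psi[1]) + conjuncts(psi[2])
    return [psi]


def is_urgent(t):
    """<q, phi, psi, q'> is urgent when psi can be written q = tau ^ psi' for its source q."""
    q, _, psi, _ = t
    return any(c[0] == "eq" and c[1] == q for c in conjuncts(psi))


def predecessors_of(delta):
    """state -> list of source states of the transitions entering it."""
    preds = {}
    for (q, _, _, q2) in delta:
        preds.setdefault(q2, []).append(q)
    return preds


def expand_eq(psi, predecessors):
    """Replace every q = tau by the paper's shorthand (OR_j q_j{tau}) ^ q[tau],
    q_1..q_k being the predecessors of q; a state without predecessors has no
    shorthand, so it is rejected."""
    if psi[0] == "eq":
        _, q, tau = psi
        preds = predecessors.get(q, [])
        if not preds:
            raise ValueError(f"{q} has no predecessor: shorthand for {q} = {tau} undefined")
        disj = ("left", preds[0], tau)
        for p in preds[1:]:
            disj = ("or", disj, ("left", p, tau))
        return ("and", disj, ("since", q, tau))
    if psi[0] in ("since", "left", "true"):
        return psi
    return (psi[0],) + tuple(expand_eq(s, predecessors) for s in psi[1:])


def weak_urgent_transform(delta):
    """Replace each non-urgent <q, phi, AND_j q_j[tau_j] ^ psi', q'> by the k
    transitions <q, phi, q_j = tau_j ^ psi, q'>; urgent transitions are kept.
    A psi with no q_j[tau_j] conjunct (k = 0) is first given the conjunct q[0]
    for its source q, which holds whenever q is enabled (our assumption; the
    paper's normal form presupposes k >= 1)."""
    out = []
    for t in delta:
        if is_urgent(t):
            out.append(t)
            continue
        q, phi, psi, q2 = t
        timed = [c for c in conjuncts(psi) if c[0] == "since"]
        if not timed:
            psi = ("and", ("since", q, 0), psi)
            timed = [("since", q, 0)]
        for (_, qj, tauj) in timed:
            out.append((q, phi, ("and", ("eq", qj, tauj), psi), q2))
    return out
```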
The problem of simulating urgency in a general (parallel non-urgent) context requires further investigation. Notice that the problem should not be solvable by reducing TCAs to sequential TCAs as there is strong evidence that sequential TCAs are less expressive than general TCAs.
References

1. Alur, R. and Dill, D.: "A Theory of Timed Automata", Theoretical Computer Science, 126, 1994, 183–235.
2. Bérard, B., Petit, A., Diekert, V. and Gastin, P.: "Characterization of the Expressive Power of Silent Transitions in Timed Automata", Fundamenta Informaticae, 36, 1998, 145–182.
3. Choffrut, C. and Goldwurm, M.: "Timed Automata with Periodic Clock Constraints", Rapport L.I.A.F.A. n. 99/28, Université Paris VII, 1999.
4. Drusinsky, D. and Harel, D.: "On the Power of Bounded Concurrency I: Finite Automata", Journal of ACM, 41, 1994, 517–539.
5. Lanotte, R., Maggiolo-Schettini, A. and Peron, A.: "Timed Cooperating Automata", Fundamenta Informaticae, 2000, to appear.
6. Leiserson, C.E. and Saxe, J.B.: "Optimizing Synchronous Systems", Proc. FOCS'81, IEEE Press, Los Alamitos, CA, 1981, 23–36.
7. Maggiolo-Schettini, A. and Peron, A.: "Retiming Techniques for Statecharts", Proc. FTRTFT '96, LNCS 1135, Springer, Berlin, 1996, 55–71.
8. Thomas, W.: "Automata on Infinite Objects", Handbook of Theoretical Computer Science (J. van Leeuwen, Ed.), Elsevier Science Publishers, Amsterdam, 1990, 134–191.
Appendix
Proof of Proposition 1. An internal condition = ⋁_{1 i m} i, with i a conjunction of positive and negative occurrences of basic internal conditions, is determined by q if it fulfills the following requirements:
– is defined in q;
– ( i, q) = ( j, q) for 1 i < j m;
– ( , q) for any condition q'[ ] or ¬q'{ } occurring in i.
Proof. Assume a configuration C with Ci = ⟨q, in, out, ⟩. The first condition implies that cannot evaluate to ⊥ at any time ' (since q is enabled). The second condition implies that does not evaluate to True in the interval [ , + ( , q)). Finally, the third condition implies that if evaluates to True at an instant ' + ( , q), then evaluates to True at the instant + ( , q). □
Proof of Theorem 1. Let M be a TCA (resp. TCAU ) and M 0 the automaton obtained from M by either _-splitting or adding _ : or ^-splitting (resp.: _-splitting or adding _ : or urgent-^-splitting), then L(M ) = L(M 0). Proof. The proof is immediate if M 0 is obtained from M by _-splitting. Assume now that M 0 is obtained from M by adding _: . It is sucient to prove that, given an arbitrary con guration C with Ci = hq; in; out; i, it holds that: Ci !C hq0 ; in0; out0 ; 0 i is a local derivation of M if and only if Ci !C hq0 ; in0; out0 ; 0 i is a local derivation of M 0 . \Only if": since is de ned in q, whenever q is active either evaluates to True or : evaluates to True. Therefore, if 0 evaluates to True and q is enabled, then also 0 ^ ( _ : ) evaluates to True. So, if hq; ; 0 ; q0 i is enabled in C at 0 then hq; ; 0 ^ ( _ : ); q0 i is enabled in C at 0 . \If": trivial if M and M 0 are TCAs. Otherwise, if M and M 0 are urgent, it is trivial that if hq; ; 0 ^ ( _ : ); q0 i is enabled at 0 then also hq; ; 0 ; q0 i is enabled at 0 . If hq; ; 0 ^ ( _ : ); q0 i is not enabled before 0 then hq; ; 0 ; q0 i is not enabled before 0 because, since is determined in q, then we are sure that if 0 ^ ( _: ) does not evaluate to True before 0 then 0 does not evaluate to True before 0 . Assume now that M 0 is obtained from M by ^-splitting. It is sucient to prove that, given an arbitrary con guration C of M with Ci = hq; in; out; i, and the con guration C 0 of M 0 with Ci0 = hq; in [f(q00 ; )g; out [f(q00 ; )g; i, for some 2 Time [ f?g, it holds that: Ci !C hq0 ; in0; out0 ; 0 i is a local derivation of M if and only if Ci0 !C0 !C0 hq0 ; in0 [f(q00 ; 0 )g; out0 [f(q00 ; 0 )g; 0 i is a sequence of two local derivations of M 0 . \Only if": since the transition hq; 1 ^ 2 ; 1 ^ 2 ; q0 i is enabled at time 0 , both 1 ^ 2 and 1 ^ 2 evaluate to True at time 0 . 
This fact and the restriction that no condition q[ ] or qf g appears in 2 imply that the sequence of transitions hq; 1 ; 1 ; q00 i; hq00 ; 2 ; 2 ^ qf0g; q0i is enabled at time 0 . \If": if the transition hq00 ; 2 ; 2 ^qf0g; q0i is enabled at time 0 then the transition 13
hq; 1 ; 1 ; q00 i has been performed at the same instant, due to the condition qf0g.
It follows that the conditions 1 , 2 , 1 , 2 evaluate to True at time 0 and, as a consequence, the transition hq; 1 ^ 2 ; 1 ^ 2 ; q0 i is enabled at time 0 . Assume now that M 0 is obtained from M by urgent-^-splitting. It is sufficient to prove that, given an arbitrary configuration C of M with Ci = hq; in; out; i, and the configuration C 0 of M 0 with Ci0 = hq; in [f(q00 ; )g; out [f(q00 ; )g; i, for some 2 Time [f g, it holds that: Ci !C hq0 ; in0 ; out0; 0 i is a local derivation of M if and only if Ci0 !C0 !C0 hq0 ; in0 [f(q00 ; 0 )g; out0 [f(q00 ; 0 )g; 0 i is a sequence of two local derivations of M 0 . "Only if": since the transition hq; 1 ^ 2 ; 1 ^ 2 ; q0 i is enabled at time 0 , both 1 ^ 2 and 1 ^ 2 evaluate to True at 0 and 1 ^ 2 does not evaluate to True in the interval [; 0 ). The restriction that no condition q[ ] or qf g appears in 2 and the fact that 1 ^ 2 is determined by q imply that 1 is determined by q. Therefore, 1 evaluates to True at time 0 and does not evaluate to True in the interval [; 0 ). It follows that hq; 1 ; 1 ; q00 i is enabled at time 0 . Now, since both 2 and 2 evaluate to True at time 0 , and no condition q[ ] or qf g appears in 2 , also hq00 ; 2 ; 2 ; q0 i is enabled at 0 . Due to the assumption of urgency, hq00 ; 2 ; 2 ; q0 i is immediately performed. "If": if both transitions hq; 1 ; 1 ; q00 i and hq00 ; 2 ; 2 ; q0 i are performed, then they are performed at the same time. This holds since the facts that no condition q[ ] or qf g appears in 2 and 1 ^ 2 is determined by q imply that if 1 evaluates to True at an instant 0 and 2 evaluates to True in the current reaction with the environment, then 2 evaluates to True at 0 and, by urgency, hq00 ; 2 ; 2 ; q0 i is performed at 0 . So, 1 , 2 , 1 and 2 evaluate to True at the instant 0 , and 1 does not evaluate to True in the interval [; 0 ), so that hq; 1 ^ 2 ; 1 ^ 2 ; q0 i is performed at 0 . ∎
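The "adding ∨¬ψ" case above hinges on one fact: the guard φ′ ∧ (ψ ∨ ¬ψ) has the same enabledness as φ′ only because ψ is defined in q, i.e. ψ never evaluates to undefined while q is active. The following Python script is an added illustration, not code from the paper: it evaluates guards in a three-valued logic (True, False, undefined) and checks exhaustively that the transformed guard agrees with the original on every valuation in which ψ is defined, and exhibits a valuation with ψ undefined on which the two disagree. The formula grammar, the strong-Kleene connectives and the variable names `a`, `b`, `c` are assumptions made for this example; the paper's actual condition language is not reproduced here.

```python
"""Three-valued check for the 'adding OR-NOT' transformation of Theorem 1.

Added illustration (not the paper's code). Assumptions: guards are nested
tuples over variables; the third truth value U models "does not evaluate";
the connectives are strong Kleene. 'psi is defined in q' is modelled as
'psi is never U in the valuations considered'.
"""
from itertools import product

T, F, U = True, False, None  # U: undefined ("does not evaluate")


def t_not(a):
    return U if a is U else (not a)


def t_and(a, b):
    if a is F or b is F:
        return F
    if a is U or b is U:
        return U
    return T


def t_or(a, b):
    if a is T or b is T:
        return T
    if a is U or b is U:
        return U
    return F


def evaluate(formula, env):
    """formula: ('var', name) | ('not', f) | ('and', f, g) | ('or', f, g)."""
    op = formula[0]
    if op == 'var':
        return env[formula[1]]
    if op == 'not':
        return t_not(evaluate(formula[1], env))
    if op == 'and':
        return t_and(evaluate(formula[1], env), evaluate(formula[2], env))
    if op == 'or':
        return t_or(evaluate(formula[1], env), evaluate(formula[2], env))
    raise ValueError(f"unknown operator {op!r}")


def enabled(guard, env):
    """A transition is enabled only when its guard evaluates to True (not F, not U)."""
    return evaluate(guard, env) is T


def add_or_not(guard, psi):
    """The transformation of the proof: guard  ->  guard AND (psi OR NOT psi)."""
    return ('and', guard, ('or', psi, ('not', psi)))


def all_envs(names, allow_undefined=True):
    vals = (T, F, U) if allow_undefined else (T, F)
    return [dict(zip(names, v)) for v in product(vals, repeat=len(names))]


def same_enabledness(g1, g2, envs):
    return all(enabled(g1, e) == enabled(g2, e) for e in envs)


def check(phi=('or', ('var', 'a'), ('var', 'b')), psi=('var', 'c')):
    """Returns (agreement when psi is defined, a counterexample when psi may be U)."""
    g2 = add_or_not(phi, psi)
    envs = all_envs(['a', 'b', 'c'])
    # psi defined in q: restrict to valuations where psi is never undefined
    defined = [e for e in envs if evaluate(psi, e) is not U]
    agree_when_defined = same_enabledness(phi, g2, defined)
    # without that restriction the transformation can disable a transition
    witness = next((e for e in envs if enabled(phi, e) != enabled(g2, e)), None)
    return agree_when_defined, witness


if __name__ == "__main__":
    print(check())
```

The counterexample returned by `check()` is the valuation with `a` true and `c` undefined: φ′ is True there, but ψ ∨ ¬ψ is undefined, so the conjunction is undefined and the transformed transition is not enabled. This is exactly why the theorem requires ψ to be defined in q, and it is also what makes the urgent "If" direction go through: once ψ is defined, the two guards coincide at every instant, so neither can become enabled earlier than the other.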
Proof of Theorem 2. Let M = hM1; : : : ; Mn; I ; Fi be a TCA and M 0 = Retiming(M; P; ); L(M ) = L(M 0) if the following conditions hold: { Pred(P ) \ I = ;; { there is no transition hq; ; ; q0 i with q; q0 2 P ; { if there is a transition hq; ; ; q0i with q 2 Pred(P ) and q0 62 P then no condition qf g occurs in 0 for any hq1 ; 0 ; 0 ; q2 i 2 S k2f1;:::;ng k ; { for each transition hq; ; ; q0i with q0 2 P , has the form (a1 _ : : : _ an) ^ 0 for some a1 ; : : : ; an 2 and n 1; { for each hq; ; ; q0i 2 j with q0 2 P , is defined for q and (q; ) . Proof. Let j 2 f1; : : : ; ng be the index such that P Qj . Firstly we assume that there is no transition hq; ; ; q0 i 2 j such that q 2 Pred(P ) and q0 62 P . Let us assume an input configuration C = hC1 ; : : : ; Cj ; : : : ; Cn ; ; mi of M with Ci = hqi ; ini ; outi ; i i for 1 i n. Assume also the input configuration C 0 = hC1 ; : : : ; Cj0 ; : : : ; Cn; ; mi of Retiming(M; P; ) with Cj0 = hqj ; in0j ; out0j ; j i, where in0j (q) = inj (q) ? for q 2 P and in0j (q) = inj (q) otherwise, and out0j (q) = outj (q) ? for q 2 Pred(P ) and out0j (q) = outj (q) otherwise. First of all we prove that Ci )C hq; in; out; i if and only if Ci )C0 hq; in; out; i,
for any i 6= j . To this purpose, since local steps are sequences of local derivations, it is sufficient to prove that Ci !C hq; in; out; i if and only if Ci !C0 hq; in; out; i. Now, Ci !C hq; in; out; i i there is a transition hqi ; ; ; qi 2 i such that both and evaluate to True at time and interaction m, and Ci !C0 hq; in; out; i i there is a transition hqi ; 0 ; 0 ; qi 2 i0 such that both 0 and 0 evaluate to True at time and interaction m. By the construction of i0 , hqi ; ; ; qi 2 i if and only if hqi ; ; [Pred(P ) f g + ]; qi 2 i0 and, since out0j (q) = outj (q) ? for q 2 Pred(P ), evaluates to True in C at time i [Pred(P ) f g + ] evaluates to True in C 0 at time . Now we prove that Cj )C hq; in; out; i if and only if Cj0 )C0 hq; in0 ; out0 ; i, where in0 (q) = in(q) ? for q 2 P and in0(q) = in(q) otherwise, and out0 (q) = out(q) ? for q 2 Pred(P ) and out0 (q) = out(q) otherwise. To this purpose, it is sufficient to prove, by induction on k, the following facts: { if q 2 P then Cj !C : : : !C hq; in; out; i if and only if Cj0 !C0 : : : !C0 hq; in0 ; out0 ; ? i where in0 (q) = in(q) ? for q 2 P and in0 (q) = in(q) otherwise, and out0 (q) = out(q) ? for q 2 Pred(P ) and out0 (q) = out(q) otherwise. { if q 62 P then Cj !C : : : !C hq; in; out; i if and only if Cj0 !C0 : : : !C0 hq; in0 ; out0 ; i where in0 (q) = in(q) ? for q 2 P and in0 (q) = in(q) otherwise, and out0 (q) = out(q) ? for q 2 Pred(P ) and out0 (q) = out(q) otherwise. Basic case (k = 1). Since qj is a non-input state, qj 62 P [ Pred(P ). Now, Cj !C hq; in; out; i i it exploits a transition hqj ; ; ; qi such that both and evaluate to True at time and interaction m, and Cj0 !C0 hq; in0 ; out0 ; i i it exploits a transition hqj ; 0 ; 0 ; qi such that both 0 and 0 evaluate to True at time and interaction m. By the construction of j0 , hqj ; ; ; qi 2 j i hqj ; ; [Pred(P )f g + ]; qi 2 j0 , and, since out0j (q) = outj (q) ? for any q 2 Pred(P ), evaluates to True in C at time i [Pred(P )f g + ] evaluates to True in C 0 at . Let us consider the inductive step (case k + 1). Assume first that q 2 P . By the inductive hypothesis Cj !C : : : !C hq00 ; in00 ; out00 ; 00 i if and only if Cj0 !C0 : : : !C0 hq00 ; in000 ; out000 ; 00 i where in000 (q) = in00 (q) ? for each q 2 P and in000 (q) = in00 (q) otherwise, and out000 (q) = out00 (q) ? for each q 2 Pred(P ) and out000 (q) = out00 (q) otherwise. (Note that q00 62 P by the second assumption of the hypothesis). Now, hq00 ; in00 ; out00 ; 00 i !C +1 hq; in; out; i i it exploits a transition hq00 ; ; ; qi 2 j , and hq00 ; in000 ; out000 ; 00 i !C0 +1 hq; in0 ; out0 ; ? i i it exploits a transition hq00 ; 0 ; 0; qi 2 j0 . By the construction of j0 , hq00 ; ; ; qi 2 j i hq00 ; ; [Q [ ] ? ] [Q f g? ]; qi 2 j0 , and by the fourth and fifth assumptions of the hypothesis we are sure that hq00 ; ; ; qi is enabled at at interaction m i hq00 ; ; [Q [ ] ? ] [Q f g ? ]; qi is enabled at ? at interaction m. In fact, the form of ensures that evaluates to True at time and interaction m i it evaluates to True at time ? and interaction m. Moreover, since is defined for q00 then and [Q [ ] ? ] [Q f g ? ] do not evaluate at ?. Finally, since (q00 ; ) , evaluates to True at i [Q [ ] ? ] [Q f g ? ] evaluates to True at ? .
Assume now q 62 P . By the inductive hypothesis Cj !C : : : !C hq00 ; in00 ; out00 ; 00 i i Cj0 !C0 : : : !C0 hq00 ; in000 ; out000 ; 000 i where in000 (q) = in00(q) ? for q 2 P and in000 (q) = in00(q) otherwise, and out000 (q) = out00 (q) ? for q 2 Pred(P ) and out000 (q) = out00 (q) otherwise. Moreover, either 000 = 00 and q00 62 P or 000 = 00 ? and q00 2 P . The former case is trivial. So, let us consider the latter. Now, hq00 ; in00 ; out00 ; 00 i !C +1 hq; in; out; i i it exploits a transition hq00 ; ; ; qi 2 j , and hq00 ; in000 ; out000 ; 00 ? i !C0 +1 hq; in0 ; out0 ; i i it exploits a transition hq00 ; 0 ; 0 ; qi 2 j0 . By the construction of j0 , hq00 ; ; ; qi 2 j i hq00 ; ; [fq00 g [ ] + ] [Pred(P ) f g + ]; qi 2 j0 . By the relation between out000 and out00 and the fact that in000 (q00 ) = in00 (q00 ) ? , it follows that hq00 ; ; ; qi is enabled at and interaction m i hq00 ; ; [fq00 g [ ] + ] [Pred(P ) f g + ]; qi is enabled at and interaction m. Up to now we have proved that Ci )C hq; in; out; i if and only if Ci )C0 hq; in; out; i and that Cj )C hq; in; out; i if and only if Cj0 )C0 hq; in0 ; out0 ; i, where in0 (q) = in(q) ? for q 2 P and in0(q) = in(q) otherwise, and out0 (q) = out(q) ? for q 2 Pred(P ) and out0 (q) = out(q) otherwise. Since steps are sequences of local steps, it follows that C ) C^ = hC^1 ; : : : ; C^j ; : : : ; C^m ; ; m + 1i if and only if C 0 ) C^0 = hC^1 ; : : : ; C^j0 ; : : : ; C^m ; ; m +1i, where C^j = hq^j ; in^ j ; out^ j ; ^j i, C^0 j = hq^j ; in^0 j ; out^0 j ; ^j i and in^0 j (q) = in^ j (q) ? for q 2 P and in^0 j (q) = in^ j (q) otherwise, and out^0 j (q) = out^ j (q) ? for each q 2 Pred(P ) and out^0 j (q) = out^ j (q) otherwise. This implies the thesis. Let us consider now the case where there is a transition hq; ; ; q0 i 2 j with q 2 Pred(P ) and q0 62 P . For any q 2 Pred(P ) we may have that either out0j (q) = outj (q) ? (as in the case above) or out0j (q) = outj (q).
We can redo the proof of the case above, by exploiting the fact that no condition qf g appears in S k2f1;:::;ng k (see the third assumption of the hypothesis). ∎
Proof of Theorem 3. Let M = hM1; : : : ; Mn; I ; Fi be a TCAU and M 0 = Retiming(M; P; ); L(M ) = L(M 0) if all of the conditions of Th. 2 and the following conditions hold: { for any hq; ; ; q0i 2 j with q 2 Pred(P ), is determined by q; { for any hq; 1; 1 ; q1i; hq; 2 ; 2; q2i 2 j with q1 2 P , if ( 1 ; q) belongs to the interval [( 2 ; q) ? ; ( 2 ; q)], then q2 2 P . Proof. We mimic the proof of Th. 2. Let us assume the configurations C and C 0 as in the mentioned proof. The proof that Ci )C hq; in; out; i if and only if Ci )C0 hq; in; out; i for any i 6= j works also in the present case. So, let us consider the proof that Cj )C hq; in; out; i if and only if Cj0 )C0 hq; in0 ; out0 ; i. If q 62 P the proof of the inductive step works also in the present case. If q 2 P , we must exploit the last assumption of the hypothesis. In fact, in the proof of Th. 2 we have exploited the fact that evaluates to True at time i [Qf g? ][Q[ ] ? ] evaluates to True at time ? to conclude that hq00 ; ; ; qi is performed at time i hq00 ; ; [Qf g ? ][Q[ ] ? ]; qi is performed at time ? . Also in the present case the same conclusion can be drawn, since the hypothesis guarantees that no transition having q00 as source state and leading to a state not in P can evaluate to True between ? and . ∎