Real-time Property Preservation in Concurrent Real-time - CiteSeer

Real-time Property Preservationin Concurrent Real-time Systems?

Jinfeng Huang, Jeroen Voeten and Marc Geilen

Eindhoven Univ. of Tech. Faculty of Electrical Engineering, The [email protected]

Abstract. A key step in concurrent real-time system development is to build amodel from which the implementation is synthesized. It is thus important to un-derstand the relation between the properties of a model and its correspondingimplementation. In this paper, we first build two relations: 1)ε-weakening rela-tions onMITLR formulas, which are used to express real-time properties of thesystem, and 2)ε-neighboring relations on timed state sequences, which are usedto describe the timing behavior of the system. Based on these relations, we for-mally prove the real-time property preservation in approximations of concurrentreal-time systems. This result generalizes [11], which is restricted to sequentialreal-time systems. Finally, we demonstrate how the result can be applied to thereal-time system development by a case study of a rail-road crossing system.

1 Introduction

A concurrent system often exhibits complex behaviors due to intricate interactions be-tween its components, while real-time constraints add another dimension to the com-plexity of the system. To reduce the development risk and increase the likelihood of thedevelopment success, the development of a complex concurrent real-time system ofteninvolves a series of modelling activities. Developers can make design and implemen-tation decisions based on the model of the system before the system is realized. As aresult, expensive and time-consuming development iterations can be prevented.

Different from other systems, the correctness of a real-time system depends not onlyon the system outputs, but on their issued time as well. However, the model can onlybe an approximation of the implementation w.r.t. the timing behavior. It is difficult toguarantee that the issuing time of an event in the implementation is exactly the same asthat in the model [9][11]. Since it is inevitable that the implementation can “deviate”from the model to a certain extent with respect to time, it is desirable to know therelation between properties in the implementation and properties in the model.

In [11], the implementation and the model of a real-time system are defined as twosets of timed state sequences. Properties of the implementation can be predicted fromproperties of the model, when the implementation is “ε-close” to the model. However,

? This research is supported by PROGRESS, the embedded systems research program of theDutch organisation for Scientific Research NWO, the Dutch Ministry of Economic Affairs,the Technology Foundation STW and the Netherlands Organisation for Applied Scientific Re-search TNO.

concurrency is not addressed in [11]. In this paper, we generalize the result of [11] toconcurrent systems (with interleaving semantics) and demonstrate how this result canbe applied to the real-time control software development by a case study of a rail-roadcrossing system.

1S

2S

closeε −

P

2 ( )R Pε

2 weakenedε −

Satisfies

Satisfies

Fig. 1. Property-preservation between two timed systems

The remainder of the paper is organized as follows. Section 2 introduces the mathe-matical preliminaries. In Section 3, a temporal logic to formalize properties of real-timesystems is introduced and a weakening relation is quantitatively defined on these real-time properties. In Section 4, we introduce a metric to measure the distance betweentimed state sequences. An equivalent representation of this metric in form of theε-neighboring function is also defined to facilitate later proof. In Section 5, the real-timeproperty preservation is explained and proven. An informal description of the result isillustrated in Fig. 1. If systemS1 satisfies propertyP , then systemS2 (which isε closeto S1) satisfies a2ε-weakened property ofP . An application of property-preservationin a development approach for real-time systems is introduced in Section 6. Section 7gives a case study of the rail-road crossing system using this approach. Conclusions anddiscussions are presented in Section 8.

2 Preliminaries2.1 Basic concepts

In this paper, a real-time system is formalized as a set of timed state sequences. Eachsequence represents a possible execution path of the real-time system. The related con-cepts are as follows.

Propositions: Proposition setProp is a (finite) set of atomic propositions. Theobservable state of a system can be interpreted by a subset ofProp, which includes alltrue-valued propositions.

State sequences:A state sequenceσ over proposition setProp is an infinite orfinite sequenceσ0σ1σ2..., wherei ∈ N and σi ∈ 2Prop. We useσ(i) to representσi in the sequence. The untimed behavior of a system can be viewed as a set of statesequences, each of which represents a possible untimed execution trace.

Time intervals: A time intervalI is a convex set of time points over a certain timedomainT, which is often defined onR≥0, Z≥0 orN. It has one of the following forms:[a, b], [a, b) and [a,∞), wherea ≤ b for a, b ∈ T. The lower (upper) bound of theinterval is represented byl(I)(r(I)). |I| denotes the length of time intervalI. Notethat if the right bound of time intervalI is infinite, |I| is infinite too. A time interval issingular iff it takes the form of[a, a]. A time interval isemptyiff it takes the form of[a, a). Two nonemptytime intervalsI andI ′ are adjacent iffr(I) = l(I ′). For example,the following interval pairs are adjacent,[1.2, 3) and[3, 4), [1.2, 1.2] and [1.2, 1.3). Inthe sequel, we assume that time intervals are nonempty if not explicitly stated otherwise.

Time interval sequences:A time interval sequenceI = I0I1I2... is a sequence ofnonemptytime intervals such that 1) Any two successive intervals ofI are adjacent, thatis, r(Ii−1) = l(Ii) for everyi < N (I) andi ∈ N, whereN (I) represents the numberof time intervals inI and can be finite or countable infinite. 2) It is diverging, whichindicates that for anyt ≥ l(I0), there exists somei ∈ N ∪ {0}, such thatt ∈ Ii.

Timed state sequences:A timed execution of a system is formalized by a timedstate sequence in which a time interval is attached to every state to represent its duration.An example of timed state sequenceτ is:

(δ0, I0) → (δ1, I1) → (δ2, I2) → ...,

where allδi from each pair form a state sequenceδ and all Ii form a time intervalsequenceI. Therefore, the length ofδ andI is identical. A timed state sequence overproposition setProp is also represented by a pair of sequences (δ, I), whereδ is a statesequence overProp. We useτ(t) to denote the finite state sequence1 observed at timet.

2.2 Formalization of concurrent real-time systems

The well-established interleaving semantics has been adopted in many formal frame-works to model simultaneous actions (or events) by action sequences. For example,two parallel actionsa ‖ b are represented by two sequential actionsa.b andb.a. Suchsequentialization of concurrent actions is greatly facilities calculations and it yields cor-rectness proofs in a linear form [4].

Under the choice of interleaving semantics, the timing behavior of a concurrentsystem is often formalized by a two-phase execution model [14]. One phase is the ad-vancing of time (the abstraction of the physical time) and no action takes place dur-ing this phase. The other phase is the performing of simultaneous actions sequentially(based on interleaving semantics). The two-phase model can be expressed by timedstate sequences defined above, in which a singular time interval is attached to everyinstantaneous state. Simultaneous actions can be modelled as sequentialized instanta-neous (state) transition sequences, where the duration of intermediate states of thesetransitions are zero. Assume for instance that a state transition system performs twoconcurrent eventsp and q at time point 3. One of the action sequences can bep.q,which can be represented as follows:

... → (δ0, [a, 3))p→ (δ1, [3, 3])

q→ (δ2, [3, b)) → ..., (1)wherea (b) represents the issuing time of the preceding action (the succeeding action)and where a singular time interval[3, 3] is attached to instantaneous stateδ1.

Timed state sequences defined above can be considered as a function, in which everytime pointt ∈ R is mapped to a finite state sequence. Some timed state sequences withdifferent state sequences and time interval sequences may be considered to be identicalto each other. For example, timed state sequencesτ andτ ′ defined as follows representthe same timed execution trace of a system.τ : (δ0, [0, 0]) → ... → (δ2i, [i, i]) → (δ2i+1, [i, i + 1)) → ...τ ′ : (δ0, [0, 0]) → ... → (δ2i, [i, i]) → (δ2i, [i, i]) → (δ2i+1, [i, i + 1)) → ...

1 The diverging property of the timed interval sequence in a timed state sequence is also calledthe Non-Zeno property, which ensures that only a finite number of states can be observed atany time point.

Definition 1. Two timed state sequencesτ = (σ, I) and τ ′ = (σ′, I′) are equivalent

(≡) iff for all t ∈ R≥l(I0), τ(t) = τ ′(t).

Any timed state sequenceτ can be normalized to a timed state sequenceτ∗, the nor-mal form of τ , by performing the following operation. Along the state sequence ofτ , successive identical states are replaced by one single state, and their correspondingtime intervals are merged into one single time interval. In the above example, if no twosequential statesδi andδi+1 (i ∈ N) are identical, thenτ is the normal form ofτ ′.

2.3 Labelling time interval sequences

As mentioned before, a timed state sequence(I, δ) is viewed as a mapping from eachtime point t ∈ R≥l(I0) to a finite state sequence. As a consequence, the order of in-terleaved simultaneous actions can not be discriminated only by their observed timepoints. For instance, in sequence (1), two states (δ1 andδ2) are both observed at timepoint 3, which is not sufficient enough to distinguish the order of them. To solve thisproblem, a labelling method on time points is applied to time interval sequences intimed state sequences to distinguish the order of interleaved simultaneous actions.

In timed state sequenceτ , suppose the number of states at time instantt is mτt ,

which is finite. The issuing time of an action is represented by a time pair〈t, i〉, inwhich i is the label oft and represents the interleaving order of observed states at timet. In other word, a time pair〈t, i〉 can be seen as the integration of a metric “macro-time” t ∈ R≥l(I0) and a linearly ordered discrete “micro-time”1 ≤ i ≤ mτ

t [2].Correspondingly, a time interval sequenceI in a timed state sequence is extended toa labelled time interval sequenceI. All time points in a time interval sequence arelabelled with 1 except in the following two cases.

– End points of a singular time interval. The right end point is always labelled with thesame number as the left end point. For instance,[7, 7] is labelled with[〈7, i〉, 〈7, i〉].

– Adjacent closed end points. Consider two adjacent time intervals, where the firsttime interval is right-closed and the second is left-closed. In this case, if the rightend point of the first is labelled withi, the label of the left end point of the secondinterval isi + 1. For instance, time interval sequence[3, 5)[5,5][5,∞) is labelledas [〈3, 1〉, 〈5, 1〉)[〈5, 1〉, 〈5,1〉][〈5,2〉,∞), while the remaining time points in thetime interval are labelled with 1, for instant time point 6 is labelled as〈6, 1〉 .

A timed state sequence can be labelled in the same way as above. For instance, timedstate sequence (1) is labelled as2:

... → (δ0, [〈a, 1〉, 〈3, 1〉)) p→ (δ1, [〈3, 1〉, 〈3, 1〉]) q→ (δ2, [〈3, 2〉, 〈b, 1〉)) → ...,

in which other internal time points are all labelled with 1. By applying this labelling tothe time interval sequence of a timed state sequence, we can view a timed state sequenceτ as a function which maps every time pair in the time domain3 TI = {〈t, i〉 | t ∈

2 Assume only one action is issued at time pointa and0 ≤ a < 3.3 In [14], a time domain is formally denoted as an additive group (T, +,0), where a total order

is defined by the addition operations on T. The time domain here only requires a total orderrelation on its elements without an explicit definition of the addition operation on it.

R≥l(I0) ∧ 1 ≤ i ≤ mτt } to a state in2Prop. A total order< on time pairs is defined as

the following. Let〈t, i〉 and〈t′, j〉 be two time pairs inTI . 〈t, i〉 < 〈t′, j〉 iff t < t′ or(t = t′ andi < j), 〈t, i〉 = 〈t′, j〉 iff t = t′ andi = j. The distance between them isdefined as|〈t, i〉 − 〈t′, j〉| = |t− t′|. Similar to time intervals, the lower (upper) boundof labelled time intervalI is represented byl(I) (r(I)). |I| denotes the length ofI.

Remark 1.Let I be a time interval sequence andI be its labelled time interval se-quence. For anyk < N (I) andk ∈ N, there is a bijectionGk betweenIk and itslabelled time intervalIk, such that for any〈t, i〉 ∈ Ik, Gk(t, i) = t, wheret ∈ Ik.

In the sequel, we useI to represent the labelled time interval sequence ofI, Ik torepresent the corresponding labelled time interval ofIk andTI to represent the labelledtime domainTI . On the other hand, the unlabelled time interval (i.e. that results fromremoving the label of every time pair) ofIk (or unlabelled time interval sequence ofI)is represented byIk(or I). N(I) represents the number of labelled time intervals inI.

3 Properties of concurrent real-time systems

Properties of real-time systems are often formalized by temporal logics. In [2], a com-parison of a number of temporal logics is given based on a common semantics (timedstate sequences). In this paper, we adopt an extension of temporal logicMITL to for-malize properties of real-time systems [1], which incorporates timing bounds into thetemporal logic to express quantitative real-time properties.

3.1 MITLR logic

MITLR formulas are formed by the following structures.

ϕ ::= p | ¬p | ϕ1 ∨ ϕ2 | ϕ1 ∧ ϕ2 | ϕ1UIϕ2 | ϕ1VIϕ2 ,

whereI is a time-bound interval of nonnegative reals. It takes one of the followingforms: [a, b], [a, b), (a, b], (a, b), [a,∞) and(a,∞), wherea ≤ b for a, b ∈ R≥0. ThestandardMITL puts certain constraints on the time bounds of aMITL formula to makemodel-checking feasible, such as non-empty, non-singular and integer endpoints. Notethat these constrains are not necessary in the case ofMITLR, sinceMITLR logic isused only for expressing real-time properties of a system instead of model-checking.

The interpretation ofMITLR formulas is similar to the standard one and given asfollows. Let τ be a timed state sequence and letϕ be anMITLR formula, for anyt ∈ R≥l(I0) and any1 ≤ i ≤ mτ

t , the interpretation ofϕ over (τ , 〈t, i〉) is given asfollows:

– (τ , 〈t, i〉) |= p iff p ∈ τ(t, i);– (τ , 〈t, i〉) |= ¬p iff p /∈ τ(t, i);– (τ , 〈t, i〉) |= ϕ1 ∨ ϕ2 iff (τ , 〈t, i〉) |= ϕ1 or (τ , 〈t, i〉) |= ϕ2;– (τ , 〈t, i〉) |= ϕ1 ∧ ϕ2 iff (τ , 〈t, i〉) |= ϕ1 and(τ , 〈t, i〉) |= ϕ2;– (τ , 〈t, i〉) |= ϕ1UIϕ2 iff there existst2 (t2 ∈ I), j (1 ≤ j ≤ mτ

t+t2 ) and〈t, i〉 ≤〈t + t2, j〉, such that(τ , 〈t + t2, j〉) |= ϕ2 and for allt1 andk (1 ≤ k ≤ mτ

t1) thatsatisfy〈t, i〉 ≤ 〈t1, k〉 < 〈t + t2, j〉, (τ , 〈t1, k〉) |= ϕ1;

– (τ , 〈t, i〉) |= ϕ1VIϕ2 iff for all t2 (t2 ∈ I), j (1 ≤ j ≤ mτt+t2 ) and 〈t, i〉 ≤

〈t + t2, j〉, (τ , 〈t + t2, j〉) |= ϕ2 or there is somet1 andk (1 ≤ k ≤ mτt1) 〈t, i〉 ≤

〈t1, k〉 < 〈t + t2, j〉, (τ , 〈t1, k〉) |= ϕ1.

In case thatI is empty,(τ , 〈t, i〉) |= ϕ1UIϕ2 is always false and(τ , 〈t, i〉) |=ϕ1VIϕ2 always holds. We use(τ , 〈l(I0), 1〉) |= ϕ (τ |= ϕ, in short) to denote that atimed state sequenceτ satisfiesMITLR formulaϕ. Next, we extend the interpretationof MITLR to sets of timed state sequences.

Definition 2. Letϕ be anMITLR formula, and letT be a set of timed state sequences.T |= ϕ iff for each timed state sequenceτ ∈ T , τ |= ϕ.

Here we introduce two additional operators:♦Iϕ (time-bounded eventually) and¤Iϕ(time-bounded always) to abbreviatetrueUIϕ andfalseVIϕ respectively.

3.2 Weakening formulas

After giving the interpretation forMITLR formulas, we can now investigate the weak-ening relations between formulas. Formally speaking, aMITLR formulaϕ′ is a weak-ened formula ofϕ, iff for any timed state sequenceτ and〈t, i〉 ∈ TI , (τ , 〈t, i〉) |= ϕimplies(τ , 〈t, i〉) |= ϕ′.

Theorem 1. For anyMITLR formulaϕ, letφ be a sub-formula ofϕ. If φ′ is a weakenedformula ofφ andϕ′ is the formula obtained by replacing one occurrence ofφ with φ′

in ϕ, thenϕ′ is a weakened formula ofϕ.

Proof. If φ = ϕ, it is easy to seeϕ′ = φ′. Henceϕ′ is a weakened formula ofϕ.If φ 6= ϕ, we can prove the theorem by induction on the structure ofϕ, which can bedecomposed into two sub-formulasϕ1 andϕ2 andφ is a sub-formula of one of them.Case 1:ϕ = ϕ1 ∨ ϕ2. Without loss of generality, assume thatφ belongs toϕ1. Letϕ′1 be the formula obtained by replacingφ with φ′. By induction we have thatϕ′1 is aweakened formula ofϕ1. Then, by the interpretation ofMITLR formula, it is easy toprove thatϕ′ (ϕ′1 ∨ ϕ2) is a weakened formula ofϕ.The proof of the rest cases are similar to Case 1.Hence,ϕ′ is a weakened formula ofϕ. This completes our proof of Theorem 1.

The following Lemmas show that the inclusive relation between the quantitative timingbounds ofMITLR formulas can also imply the weakening relation among them.

Lemma 1. Let I andI ′ be two time bounds. Further letϕ1, ϕ2 be twoMITLR formu-las. If I ⊆ I ′, thenϕ1UI′ϕ2 is a weakened formula ofϕ1UIϕ2.

Proof. By the interpretation ofMITLR formulas, the proof is straightforward.

Lemma 2. Let I andI ′ be two time bounds. Further letϕ1, ϕ2 be twoMITLR formu-las. If I ′ ⊆ I, thenϕ1VI′ϕ2 is a weakened formula ofϕ1VIϕ2.

Proof. By the interpretation ofMITLR formulas, the proof is straightforward.

3.3 ε-weakening function

After a general introduction of the weakening and strengthening relations betweenMITLR formulas, in this subsection, we define a specific weakening function (ε-weakeningfunction) on these formulas. Before giving the definition of theε-weakening function,we first define two useful operators (⊕ andª) on time-bound intervals.

Informally speaking,I ⊕ ε represents the time interval which elongates the endpoints ofI to l(I) − ε andr(I) + ε respectively in nonnegative reals. Similarly,I ª εrepresents the time interval which shrinks the end points ofI to l(I) + ε andr(I) − εrespectively. Several examples are:[2π, 4π] ⊕ π = [π, 5π], (3,∞) ⊕ 5 = [0,∞) and[1.1, 2)ª 3 = ∅. The formal definition of⊕ andª is given as:Definition 3. Let ε ∈ R≥0.⊕ andª are defined as:

I ⊕ ε = {t ∈ R≥0 | ∃t′ ∈ I : |t− t′| ≤ ε}I ª ε = {t ∈ R≥0 | ∀t′ ∈ R≥0 : |t− t′| ≤ ε → t′ ∈ I}

Now we can give the definition of theε-weakening function. For everyε ∈ R≥0,Rε defines a function overMITLR. Rε(ϕ) relaxes the quantitative timing constraints informulaϕ and is called theε-weakened formula ofϕ.

Definition 4. Weakening functionRε (ε ∈ R≥0): MITLR → MITLR is defined as:

Rε(p) = p;Rε(¬p) = ¬p;Rε(ϕ1 ∨ ϕ2) = Rε(ϕ1) ∨Rε(ϕ2);Rε(ϕ1 ∧ ϕ2) = Rε(ϕ1) ∧Rε(ϕ2);Rε(ϕ1UIϕ2) = Rε(ϕ1)UI⊕εR

ε(ϕ2);Rε(ϕ1VIϕ2) = Rε(ϕ1)VIªεR

ε(ϕ2)

For example, the0.1-weakened formula of(pV[2,4]q)U(1,∞)r is (pV[2.1,3.9]q)U(0.9,∞)r.Next, we will prove that formulaRε(ϕ) is indeed weaker than formulaϕ.

Lemma 3. For any ε ∈ R≥0, ϕ ∈ MITLR, timed state sequenceτ , t ∈ R≥l(I0) and1 ≤ i ≤ mτ

t , if (τ , 〈t, i〉) |= ϕ, then(τ , 〈t, i〉) |= Rε(ϕ).Proof. It is not hard to prove by Lemma 1, Lemma 2, Theorem 1 and the induction onthe structure of formulaRε(ϕ).

Theorem 2. (Weakening property of Rε) For anyε ∈ R≥0, ϕ ∈ MITLR and timedstate sequenceτ , if τ |= ϕ, thenτ |= Rε(ϕ).Proof. Follows directly from Lemma 3.

In general, the larger the value ofε is, the weaker is formulaRε(ϕ).

4 Behaviors of concurrent real-time systems

The model and the implementation of a concurrent real-time system can be viewed astimed transition systems consisting of a set of timed state sequences. To investigatethe property-preservation between them, we need to measure the distance between twotimed transition systems. To this end, a metric over timed state sequences is first defined.

4.1 Measuring the distance between timed state sequences

Let setSProp consist of all timed state sequences in normal form over a proposition setProp. We define an equivalence relation (≡s) that partitionsSProp into groups sharingthe same state sequenceσ.

Definition 5. Equivalence relation (≡s) on setSProp : for any two timed state sequences

τ , τ ′ ∈ SProp , if τ = (σ, I) andτ ′ = (σ′, I ′), thenτ ≡s τ ′ iff σ = σ′.

In order to evaluate the distance between two timed state sequences inSProp , we adopta metricdsup . Intuitively, for two timed sequences with the same state sequence,dsup

is calculated from the absolute difference between the time-stamps of correspondingstate transitions in two state sequences. An example of such a case is shown in Fig. 2.There are four state transitions in each timed state sequence.dsup(τ1, τ2) is computed asfollows: sup{|〈0, 1〉−〈0, 1〉|, |〈2.7, 1〉−〈3, 2〉|, |〈3.2, 1〉−〈3, 3〉|, |〈6, 1〉−〈5.5, 1〉|} =sup{|0− 0|, |2.7− 3|, |3.2− 3|, |6− 5.5|} = 0.5.

In other words, the distance between two timed state sequences which share thesame state sequence is determined by their labelled timed interval sequences. Therefore,we first formally define a metricdint on labelled timed interval sequences. Then thedefinition of metricdsup on timed state sequences is straightforward.

1τ� ��

��

��

�� 1δ 2δ 3δ 4δ 5δ

2τ� ��

�� 1δ 2δ 3δ 4δ 5δ

Fig. 2. Two finite timed state sequences

Definition 6. LetI andI ′ be two labelled time interval sequences4.

dint(I, I ′) ={

sup{|l(Ik)− l(I ′k)| | i < N(I) ∧ i ∈ N} if N(I) = N(I ′);∞ otherwise.

Lemma 4. Let I andI ′ be two labelled time interval sequences.dint(I, I ′) < ε im-plies that for anyk < N(I), |r(Ik)− r(I ′k)| < ε 5.

Proof. For anyk < N(I), let Ik and I ′k be unlabelled time intervals ofIk andI ′krespectively. Notice that for anyk < N(I), r(Ik−1) = l(Ik), r(I ′k−1) = l(I ′k) and|r(Ik)− r(I ′k)| = |r(Ik)− r(I ′k)|. The rest is straightforward by Definition 6.

Definition 7. Let τ , τ ′ ∈ SProp , and I and I ′ be their labelled timed interval se-quences respectively. Thendsup(τ , τ ′) is defined as

dsup(τ , τ ′) ={

dint(I, I ′) if τ ≡s τ ′;∞ otherwise

4 In R, the supremum (sup) only exists on bounded sets. In this definition, we definesupS = ∞whenS ⊆ R≥0 and is unbounded.

5 In the case that bothr(Ik) andr(I′k) are∞, we define|r(Ik)− r(I′k)| = 0

4.2 ε-neighboring function F over two labelled time intervalsThe metricdint in Definition 6 establishes a relation between time pairs from two timeinterval sequences. In this section, the relation is characterized by anε-neighboringfunction, which is first defined on two time intervals.

Definition 8. Let ε ∈ R≥0. Further letI andI ′ be two labelled time intervals.F is amulti-valued function6 from I to I ′ and for any〈t, i〉 ∈ I, F(t, i) represents the setof images of time pair〈t, i〉. F is called anε-neighboring function fromI to I ′, iff thefollowing properties are satisfied.

– Surjection: For any 〈t′, i′〉 ∈ I ′, there exists some〈t, i〉 ∈ I, such that〈t′, i′〉 ∈F(t, i). That is, the image set ofI underF is I ′.

– Increasing mapping:For any〈t1, i1〉, 〈t2, i2〉 ∈ I, 〈t1, i1〉 < 〈t2, i2〉 implies thateitherF(t1, i1) = F(t2, i2) andF(t1, i1) is singular orF(t1, i1) < F(t2, i2) (i.e.for any〈t, i〉 ∈ F(t1, i1) and〈t′, i′〉 ∈ F(t2, i2), 〈t, i〉 < 〈t′, i′〉).

– ε-boundedness:For every〈t, i〉 ∈ I and every〈t′, i′〉 ∈ F(t, i), |〈t′, i′〉−〈t, i〉| < ε.

Lemma 5. If F is anε-neighboring function fromI toI ′, thenF−1 is anε-neighboringfunction fromI ′ to I.

Proof. It is not hard to prove by the definition ofε-neighboring function.

Theorem 3. Let I and I ′ be two labelled time intervals inI and I ′ respectively. Ifmax { |l(I)− l(I ′)|, |r(I)−r(I ′)| } < ε, then there is anε-neighboring function fromI to I ′.

Proof. There are three different cases according to the form ofI andI ′.Case 1:One of the intervals ofI andI ′ is a singular interval. Anε-function can beestablished by letting the other interval be the source (or destination) of the elementof the singular interval. It is not hard to check that such a multi-valued function is anε-function.Case 2:|I| > 0, |I ′| > 0 andI andI ′ are of the same form of labelled time interval(i.e. both of them are either right-open or right-closed). LetI andI ′ be the unlabelledintervals ofI andI ′ respectively. We can construct a functionF : I → I ′ as follows:

F (t) = (t− l(I))|I ′||I| + l(I ′) t ∈ I

In case that both|I| and|I ′| are infinite, we define|I||I′| = 1.By Remark 1, we know there are bijectionsGI (from I to I) andGI′ (from I ′ to

I ′). Construct a functionF as follows:

F(G−1I (t)) = G−1

I′ (F (t)) t ∈ I

It is easy to prove thatF is a function fromI to I ′, and furthermore, it is anε-functionfrom I to I ′.

6 A multi-valued function is a total relation; i.e. every input is associated with one or moreoutputs.

Case 3:|I| > 0, |I ′| > 0 andI andI ′ are of different forms of time interval (i.e. one isright-open and the other is right-closed). Again, letI andI ′ be the unlabelled intervalsof I andI ′ respectively.

First, supposeI is right-closed andI ′ is right-open (see Fig. 3-a). Let|r(I ′) −r(I)| = |r(I ′) − r(I)| = ε′, whereε′ < ε. Now we can divideI and I ′ into twotime intervals respectively as shown in Fig. 3-b.I = I1 ∪ I2, whereI1 = [l(I), r(I))andI2 = [r(I), r(I)]. I ′ = I ′1 ∪ I ′2, whereI ′1 = [l(I ′), d), I ′2 = [d, r(I ′)) andd =max{r(I ′) − ε−ε′

3 , r(I ′) − |I′|3 }. It is not hard to prove that|r(I1) − r(I ′1)| < ε and

|l(I2)− l(I ′2)| < ε.Correspondingly, we can divideI = I1 ∪ I2 (I1 ∩ I2 = ∅) andI ′ = I ′1 ∪ I ′2

(I ′1 ∩ I ′2 = ∅), whereI1, I2, I ′1 andI ′2 are unlabelled intervals ofI1, I2, I ′1 andI ′2respectively. It is easy to see thatmax { |l(I)1 − l(I ′1)|, |r(I)1 − r(I ′1)| } < ε and|l(I)2 − l(I ′2)|, |r(I)2 − r(I ′2)| } < ε .

According to the results of Case 1 and Case 2, there exists anε-functionF1 from I1

to I ′1 and anε-functionF2 from I2 to I ′2. Construct a functionF : I → I ′ as follows:

F(t, i) ={F1(t, i), 〈t, i〉 ∈ I1

F2(t, i), 〈t, i〉 ∈ I2(2)

It is not hard to check thatF satisfies three properties ofε-neighboring functions.In the case thatI ′ is right-closed andI is right-open, we know there is anε-function

F ′ from I ′ to I. By Lemma 5,F ′−1 is anε-function fromI to I ′.

� �

� �

� ��

� �I

'I

1I

'1I

'2I

� �2I

( )a ( )b

d

Fig. 3. Mappings over two time intervals

Corollary 1. LetI andI ′ be labelled time intervals inI andI ′ respectively.max { |l(I)−l(I ′)|, |r(I)−r(I ′)| } < ε implies that there is anε-neighboring functionF fromI toI ′, such that for any〈t, i〉 ∈ I, min{F(t, i)} exists. Furthermore, for any〈t′, i′〉 ∈ I ′,min{F−1(t′, i′)} exists.

Proof. According to the form ofI andI ′, it is easy to prove the Corollary by construct-ing anε-neighboring functionF as in the proof of Theorem 3.

4.3 ε-neighboring function F over two labelled time interval sequences

Now we define theε-neighboring functionF on two labelled time interval sequences.

Definition 9. Let ε ∈ R≥0. Further let I and I ′ be two labelled time interval se-quences.F is a multi-valued function fromI to I ′ andF(t, i) represents the set of

images of time〈t, i〉 (〈t, i〉 ∈ TI). F is called anε-neighboring function fromI to I ′,iff the following properties are satisfied.

– Interval consistency:For every〈t, i〉 ∈ TI , 〈t, i〉 ∈ Ik implies thatF (t, i) ⊆ I ′k(wherek < N(I)).

– Surjection:For any(t′, i′) ∈ TI′ , there exists some(t, i) ∈ TI , such that(t′, i′) ∈F(t, i). That is, the image set ofTI underF isTI

′

– Increasing mapping:For any(t1, i1), (t2, i2) ∈ TI ,(t1, i1) < (t2, i2) implies thateitherFI(t1, i1) = FI(t2, i2) andFI(t1, i1) is singular orFI(t1, i1) < FI(t2, i2)(i.e. for any(t, i) ∈ FI(t1, i1) and(t′, i′) ∈ F (t2, i2), (t, i) < (t′, i′)).

– ε-boundedness:For everyt ∈ TI and every(t′, i′) ∈ F(t′, i′), |(t′, i′)−(t, i)| < ε.

Lemma 6. If F is an ε-neighboring function fromI to I ′, thenl(I ′i) ∈ F(l(Ii)), forall i ∈ N (i < N(I)).

Proof. Since any form of labelled time intervals is left-closed, it is easy to see thatl(I ′i) ∈ I ′i andl(Ii) ∈ Ii. Supposel(I ′i) /∈ F(l(Ii)). By the surjection property andthe interval consistency property ofF , there is some〈t, k〉 ∈ I andl(I ′i) ∈ F(t, k). Itis easy to see that〈t, k〉 > l(I ′i). Furthermore, by interval consistency property ofF ,for any 〈t′, k′〉 ∈ F(l(Ii)), 〈t′, k′〉 ∈ I ′i. It is easy to see that〈t′, k′〉 > l(I ′i), whichcontradicts the increasing mapping property ofF .

Theorem 4. Let I and I ′ be two labelled time interval sequences.dint(I, I ′) < ε

implies that there is anε-neighboring function fromI to I ′.Proof. For anyi ∈ N (i < N(I)), by Lemma 4 and Theorem 3, there is anε-functionFIk

from Ik to I ′k. Now construct functionF as follows:

F(i, t) = FIk(i, t) if 〈i, t〉 ∈ Ik, for all k < N(I)

It is easy to prove thatF is a multi-valued function fromI to I ′ and it satisfies theproperties of theε-neighboring function in Definition 9.

Corollary 2. Let I and I ′ be two labelled time interval sequences.dint(I, I ′) < εimplies that there is anε-neighboring functionF fromI to I ′, such that for any〈t, i〉 ∈TI , min{F(t, i)} exists. Furthermore, for any〈t′, i′〉 ∈ TI′ , min{F−1

I (t′, i′)} exists.

Proof. It follows from Corollary 1, the interval consistency property ofF and Lemma 5.This corollary is important for the later proof of the preservation of ”Until” proper-

ties between two timed state sequences. The well-known ”Until” problem in [6] statesthat given two adjacent intervals whereϕ1 andϕ2 are hold respectively, the semanticsof ϕ1Uϕ2 in general is sensitive to whether the second interval is left-closed or not.Therefore the time intervals in a timed state sequence only accept left-closed intervalsin this paper. Furthermore, the corollary states that there exists anε-neighboring func-tion, which can ensure the image set of each point is left-closed during the mapping.

5 Real-time property preservationIn common practice, properties of a system are checked by verification techniques suchas model-checking, theorem proving and simulation. In this section, we are going topresent a way to predict the real-time properties of a real-time system based on the real-time properties of another real-time system, which can be used to predict the propertiesof the implementation based on the properties of the model (see Section 6 and 7).

5.1 Real-time property preservation between timed state sequences

In the previous sections, we usedMITLR formulas to formally express real-time prop-erties of a real-time system and definedε-weakening functions over them. At the sametime, the timing behavior of the system is formally expressed by a set of timed statesequences, on whichε-neighboring functions are defined7. Now we are going to showthatε-neighboring timed state sequences satisfy “almost the same” properties, which isformally proven in Lemma 7 and Theorem 5.

Lemma 7. Let ε ∈ R≥0, 〈t, i〉 ∈ TI and ϕ ∈ MITLR. Further letτ and τ ′ be twoε-neighboring timed state sequences and letF be anε-neighboring function from thetime interval sequence ofτ to that of τ ′. Then(τ , 〈t, i〉) |= ϕ implies that for any〈t′, i′〉 ∈ F(t, i), (τ ′, 〈t′, i′〉) |= R2ε(ϕ).

Proof. We show that(τ ′, 〈t′, i′〉) |= R2ε(ϕ) by induction on the structure of formulaϕ.Case 1:ϕ = p. By the definition of functionR2ε, R2ε(ϕ) = p. By the interpretation ofMITLR formulas over timed state sequences,p ∈ τ(t, i). SinceF is anε-neighboringfunction from the labelled time interval sequence ofτ to that ofτ ′, andτ andτ ′ sharethe same state sequence, we know thatτ(t, i) = τ ′(t′, i′) by the interval consistencyproperty ofF . Hence,p ∈ τ ′(t′, i′). But then,(τ ′, 〈t′, i′〉) |= R2ε(ϕ).Case 2:ϕ = ¬p. The proof is identical to the previous case.Case 3:ϕ = ϕ1 ∨ ϕ2. (τ , 〈t, i〉) |= ϕ1 or (τ , 〈t, i〉) |= ϕ2. By induction we have(τ ′, 〈t′, i′〉) |= R2ε(ϕ1) or (τ ′, 〈t′, i′〉) |= R2ε(ϕ2). But then(τ ′, 〈t′, i′〉) |= R2ε(ϕ1) ∨R2ε(ϕ2) = R2ε(ϕ).Case 4:ϕ = ϕ1 ∧ ϕ2. The proof is similar to the previous case.Case 5:ϕ = ϕ1UIϕ2. There is somet2 ∈ I andj (1 ≤ j ≤ mτ

t+t2 ) and〈t, i〉 ≤ 〈t +t2, j〉, such that(τ , 〈t + t2, j〉) |= ϕ2 and for allt1 andk that satisfy〈t, i〉 ≤ 〈t1, k〉 <〈t + t2, j〉, (τ , 〈t1, k〉) |= ϕ1. By induction we have that(τ ′, 〈t′2, j′〉) |= R2ε(ϕ2) forany〈t′2, j′〉 ∈ F(t + t2, j).

In case that〈t, i〉 = 〈t + t2, j〉, the proof is straightforward.In case that〈t, i〉 < 〈t+ t2, j〉, there are two possible relations betweenF(t+ t2, j)

andF(t, i) according to the increasing mapping property ofF .

– F(t+t2, j) = F(t, i) andF(t, i) is singular. LetF(t+t2, j) = F(t, i) = {〈t′, i′〉}.By induction we have(τ ′, 〈t′, i′〉) |= R2ε(ϕ1). Now we will show that0 ∈ I ⊕ 2ε.By theε-boundedness property ofF , |〈t′, i′〉 − 〈t, i〉| = |t′ − t| < ε and|〈t′, i′〉 −〈t + t2, j〉| = |t′ − t− t2| < ε. By the Triangle Inequality,

0 = |〈t′, i′〉 − 〈t′, i′〉| = |t′ − t′| ≥ t2 − |t′ − (t + t2)| − |t′ − t)| ≥ t2 − 2ε

Since t2 ∈ I, it is not hard to check that0 ∈ I ⊕ 2ε. Hence,(τ ′, 〈t′, i′〉) |=R2ε(ϕ1)UI⊕2εR

2ε(ϕ2) = R2ε(ϕ).– F(t, i) < F(t+ t2, j). By Corollary 2 we know thatmin{F(t+ t2, j)} exists. Let〈t∗2, j∗〉 = min{F(t + t2, j)}. It is easy to see that〈t′, i′〉 < 〈t∗2, j∗〉. By inductionwe have that(τ ′, 〈t∗2, j∗〉) |= R2ε(ϕ2). For anyt′1 andk′ (1 ≤ k ≤ mτ ′

t′1) that

satisfy〈t′, i′〉 ≤ 〈t′1, k′〉 < 〈t∗2, j∗〉, by the surjection property and the increasing

7 We call two timed state sequencesε-neighboring if they are≡s-equivalent and the distancebetween their time interval sequences is less thanε.

mapping property ofF , it is not hard to prove there is some〈t′′1 , k′′〉 ∈ TI suchthat〈t′1, k′〉 ∈ F(t′′1 , k′′) and〈t, i〉 ≤ 〈t′′1 , k′′〉 < 〈t + t2, j〉. By induction we havethat (τ ′, 〈t′1, k′〉) |= R2ε(ϕ1). Similar to the previous case, by theε-boundednessproperty ofF and the Triangle Inequality, it is not hard to prove that|t∗2−t| ∈ I⊕2ε.Hence,(τ ′, 〈t′, i′〉) |= R2ε(ϕ1)UI⊕2εR

2ε(ϕ2) = R2ε(ϕ).

Case 6:ϕ = ϕ1VIϕ2. The proof is similar to the previous case. A brief proof is givenas follows.For all t′2 ∈ I ª 2ε, 1 ≤ j′ ≤ mτ ′

t′+t′2and〈t′, i′〉 ≤ 〈t′ + t′2, j

′〉, we can prove that

there existt∗2 ∈ I and1 ≤ j∗ ≤ mτt+t2 , such that〈t + t∗2, j

∗〉 = max{min{F−1(t′ +t′2, j

′)}, 〈t, i〉}. There are two possibilities:

– (τ , 〈t + t∗2, j〉) |= ϕ2. By induction we have(τ ′, 〈t′ + t′2, j′〉) |= R2ε(ϕ2).

– There is somet1 andk (1 ≤ k ≤ mτt1) that satisfy〈t, i〉 ≤ 〈t1, k〉 < 〈t + t∗2, j〉,

such that(τ , 〈t + t1, k〉) |= ϕ1. It is not hard to prove that there exists〈t∗1, k∗〉 =max{min{F(t + t1, k)}, 〈t′, i′〉} and 〈t′, i′〉 ≤ 〈t∗1, k∗〉 < 〈t′ + t′2, j

′〉, where1 ≤ k∗ ≤ mτ ′

t∗1. By induction we have(τ ′, 〈t∗1, k∗〉) |= R2ε(ϕ1).

Hence,(τ , 〈t′, i′〉) |= R2ε(ϕ1)VIª2εR2ε(ϕ2) = R2ε(ϕ).

This completes our inductive proof of Lemma 7.

Theorem 5. Letε ∈ R≥0 andϕ ∈ MITLR. Further letτ andτ ′ be twoε-neighbouringtimed state sequences, thenτ |= ϕ impliesτ ′ |= R2ε(ϕ).

Proof. It is not hard to prove by Lemma 7.

5.2 Real-time property preservation between timed systems

In the previous section, we examined the real-time property preservation between timedstate sequences. However, in practice, we often need to analyze real-time properties ofa timed system instead of those of a single timed state sequence. Since a timed systemconsists of a set of timed state sequences, the problem of examining the satisfactionof a formulaϕ in a timed systemS is equivalent to examining its satisfaction in allof the timed state sequences inS. Real-time property preservation between timed statesequences can also be extended to analyze real-time properties between timed systems.The following theorems give these extensions.

Theorem 6. Let S be a set of timed state sequences and letϕ be anMITLR formula.For anyε ∈ R≥0, if S |= ϕ, thenS |= Rε(ϕ).

Proof. Follows from Definition 2 and Theorem 2.

Theorem 7. Let S1, S2 be two sets of timed state sequences and letϕ be anMITLRformula. Assume that there is someε ∈ R≥0, such that for any timed state sequenceτ in S2, there exists a sequenceτ ′ in S1, such thatτ and τ ′ are ε-neighboring. ThenS1 |= ϕ impliesS2 |= R2ε(ϕ).

Proof. The theorem follows from Definition 2 and Theorem 5.

6 An application

The property-preservation between concurrent real-time systems serves as the basisto bridge the gap between a model and its implementation. By establishing a properlinkage between the semantics of design and implementation languages, it is possibleto generate automatically a correctness-preserving implementation from its model. Inthis way, a property verified in the model can still be guaranteed in the implementation.

In the remainder, we first examine the gap between the semantics of design lan-guages and implementation languages, which often lead to inconsistency [12] in thereal-time system development. Afterwards, a way to bridge the gap is proposed basedon the property-preservation results we have proven.

6.1 Gap between the semantics of design and implementation languages

A commonly adopted timing semantics in design languages treats system progress andtime progress in an orthogonal way, namely, system actions are timeless (without anytime progress) and the time progress is actionless (without preforming any action). As aconsequence, this timing semantics is associated with a virtual time (a system variable)instead of the physical time. Since this semantics simplifies the reasoning of real-timesystems, variations of the semantics have been used in different formal frameworks tomodel and analyze real-time systems, such as timed automata[3], time process algebraATP[15] and real-time transition systems[10]. Recently, the semantics is also integratedinto different design languages, such as SDL-2000 [19] supported by TAU G2 [17] andPOOSL supported by SHESim [16][18].

The integration of this semantics into a design language for real-time systems of-fers many benefits [12]. To mention just a few: 1) each component of the system isnot affected by the non-deterministic factors of a platform, 2) the behavior of eachcomponent does not change during the integration and 3) debugging and analysis codedoes not change the timing behavior of the system. Furthermore, verification techniques(such as model-checking and simulation) based on this semantics have been developed,which can assist designers to check the correctness of a design model. However, de-vising a correct design solution within such a semantic framework does not guaranteea successful implementation, due to the gap between two semantic domains of designlanguages and implementation languages.

The semantics of an implementation language is usually related with and con-strained by the underlying platform. The difficulty of maintaining correctness betweenthe design model and its implementation is attributed to several reasons. First, certainassumptions are often taken on the semantics of design languages in order to efficientlyexplore the design space, such as instantaneous actions for timing behaviors. These as-sumptions are valid at a certain level of abstraction, but they do not directly fit to thesemantics of implementation languages. For example, every action does take a certainamount of execution time in all implementation languages. Second, some primitives andoperations in design languages do not have direct correspondence in implementationlanguages. For example, during system generation, the default concurrency operation isoften represented by a specific thread mechanism offered by the underlying operatingsystem, whose semantics is not always consistent with that in design languages.

To bridge the semantic gap between design languages and implementation lan-guages, a formal linkage between two semantic domains (design and implementation)is built based on theε-hypothesis, which requires that:

1. The observable action sequences of the implementation should be the same as oneof those in the model.

2. The time deviation between activations of the corresponding actions in the imple-mentation and the model should be less than or equal toε seconds.

If the ε-hypothesis is complied during the transformation from the model to the imple-mentation, we can predict properties of the implementation from those of the modelbased on the property-preservation between two timed state sequences. For example,if an upper bound of the time deviation between the implementation and the model is0.01 second and¤(p → ♦[3,5]q) is satisfied in the model, we can conclude that property¤(p → ♦[2.98,5.02]q) holds in the implementation. However, theε-hypothesis might beineffective when expensive data computations are involved. Due to the possible largevalues ofε, quantitative real-time properties of the implementation could be “far” awayfrom the properties of the model. Further research is needed to investigate this issue.

6.2 A predictable development approach

In this section, we introduce a predictable development approach. It provides an ade-quate design language (POOSL) for modelling concurrent real-time systems and a tool(Rotalumis) to generate an implementation from a POOSL model by trying to complywith theε-hypothesis.

POOSL: POOSL (Parallel Object-Oriented Specification Language) integrates aprocess part based on a timing and probability extension of CCS and a data part based ona traditional object-oriented language [18]. The semantics of POOSL is based on a two-phase execution model, where the state of a system can change either by asynchronouslyexecuting some atomic actions, such as communication and data computation withouttime passing (phase 1) or by letting time pass synchronously without any action beingperformed (phase 2).

The implementation of the two-phase execution model in tool SHESim is achievedby adopting the so-called process execution tree (PET). The state of each process isrepresented by a tree structure, where each leaf is a statement or a recursively definedprocess method. For example, Fig. 4 shows a system, in which two processesP andQ communicate with each other (more details are given in Section 7.1). The PETs ofP ‖ Q is shown in Fig. 4b. During the evolution of the system, each PET provides itscandidate actions to the PET scheduler and dynamically adjusts its state according tothe choice made by the PET scheduler. More details about PET can be found in [5]. Thecorrectness of PET with respect to the semantics of the POOSL language is formallyproven in [8].

Rotalumis: Rotalumis takes the POOSL model during the design stage as its in-put and automatically generates the executable code for the target platform. Theε-hypothesis is incorporated into Rotalumis by applying the following techniques:

Process execution tree:POOSL language provides ample facilities to describe sys-tem characteristics such as parallelism, nondeterministic choice, delay and communica-tion that are not directly supported by C++ or other implementation languages. In order

��

��

� ��

��

��

� ��

��

��

�� !�""�� # ��

��

�� $

%�&�'()��

��

��

��

��

��

��

��

�

��

��

��

��

��

�

��

� �� !�""

( )a POOSL codes ( )b Process execution trees

Fig. 4. TheP ‖ Q system in POOSL

to provide a correct and smooth mapping from a POOSL model to a C++ implementa-tion, each PET in the model is directly transferred into a PET in C++ structure, whosebehavior is the same as the PET implemented in SHESim. As a result, the generatedimplementation exhibits exactly the same behavior as that in the model, if interpretedin the virtual time domain. On the other hand, the implementation of a system needsto interact with the outside world and its behavior has to be interpreted in the physicaltime domain. Since the progress of the virtual time is monotonic increasing, which isconsistent with the progress of the physical time, the event order observed in the virtualtime domain is consistent with that in the physical time domain. That is, the schedulerof PETs ensures that the implementation always has the same event order as observedin the POOSL model.

Synchronization between virtual time and physical time:To obtain the same (orsimilar) quantitative timing behavior in the physical time domain as in the model, thescheduler of PETs tries to synchronize the virtual time and the physical time during therunning of the implementation, which ensures that the execution of the implementationis always as close as possible to a trace in the model with regard to the distance betweentimed state sequences. Due to the physical limitation of the platform, the scheduler mayfail to guarantee that the implementation isε-close to the model, for a fixedε value. Inthis case, designers can get the information about the missed actions from the scheduler.Correspondingly, they can either change the model to reduce the computation cost of acertain virtual time moment8, or replace the target platform with a platform of betterperformance.

7 Case studies

7.1 Two parallel processesP and Q

Before giving a case study of a railroad crossing system, we first demonstrate that aautomatic generation tool, such as TAU G2, is prone to generate a “wrong” implemen-tation, if the semantic gap between design languages and implementation languages hasnot been considered carefully. This is shown by a case study of two parallel processesPandQ. Their behaviors are shown in Fig. 5, and more details can be found in [12]. Wemade models in both TAU G2 and SHESim, whereP process always outputs message“correct”. However, the implementation generated automatically from models by TAUG2 exhibits an unexpected behavior as shown in Fig. 6, which is not the case in theimplementation generated from Rotalumis.

8 The time deviation between the model and the implementation is mainly due to the computa-tion cost of actions occurring at a certain virtual time moment (as shown in Fig. 12a).

��

��

��

��

��

��

��

��

��

� ��

!��"# ��#�$�

!��"�� $�

��

��

Fig. 5. Two parallel processP And Q

Fig. 6. An implementation ofP ‖ Q

7.2 A railroad crossing system

In this section, we are going to present a railroad crossing system. As shown in Fig.7, four stations are connected by two orthogonal tracks. Two trains (a andb) run backand forth between station 1 and 2 and station 3 and 4 respectively. Four sensors (A,B, C andD) are installed at some distance to the crossing to detect the passing of thetrains. To compensate for the deceleration time of the train and avoid the stopping ofthe train inside the crossing area, a critical zone is defined as shown in Fig. 7. When atrain approaches a border of the critical zone from outside of the zone, it has to requestfor permission to enter the crossing. If the request is denied, the train has to stop imme-diately and wait until the permission is granted. When the train leaves the crossing, ithas to release the crossing. As a consequence, the crossing is free and available for theother train. We assume that the speed of the train is constant between two sensor points(e.g. from pointA to B) if no stop occurs.

3Station

1Station 2Station

4Station

Critical Zone

Crossing Area

D

A B

C

E

a

b

Fig. 7. The railroad crossing system

One important requirement is that the trains should never collide and the systemshould operate as efficient as possible. Due to the limited space, in this paper, we onlyfocus on a subtask in the whole system development, the synthesis of an implementa-tion from an adequate model. For a more detailed description of the complete systemdevelopment, interested readers are referred to [13].

7.3 System design

As shown in Fig. 8, the system consists of environmental parts (including physicaltrains, sensors and a LEGOr Dacta controller) and control software parts running on acomputer. The Dacta controller provides low level device drivers to control the LEGOr

motors and sensors. The designed control software interacts with the physical trains andsensors through the Dacta controller. The physical connection between the PC and theDacta controller is the standard RS-232.

Sensors

Dacta Controller

Trains Control Processes

Fig. 8. The architecture of the railroad crossing system

Fig. 9 illustrates an analysis model of the whole system. The control part of the sys-tem (in the rectangle with dotted lines) consists of three parallel processes:Crossing,TrainA Image and TrainB Image. The environment parts are modelled by pro-cessesTrainA Actor andTrainB Actor. The code shown in Fig. 9 describes a partof the behavior of processTrainB Image, starting from the moment it receives amessage (sensor) till it releases the crossing.T1, T2 andT3 in the code are parame-ters determined by the speed of the train. In the case ofTrainB Image, T1 is 0.910seconds. To avoid the collision of the trains and still keep system efficiency, we want

��

�� !�� "��

�� #�� $ � �� %�� &�� "��

��#

Fig. 9. The analysis model of the system

the control part of the system to satisfy the following quantitative real-time property.TrainB Image should send apause message to the physical train between 0.900 and0.920 seconds after it receives the first sensor message on each journey of the train, ifits request for entering the crossing is denied. If thepause message is sent earlier than0.900 seconds, the train may stop unnecessarily and the system may not be efficientenough. On the other hand, if thepause command is sent later than 0.920 seconds, thetrain may enter the crossing area incorrectly. This quantitative real-time propertyP canbe formalized by using anMITLR formula ¤(r → (p → ♦[0.900,0.920]q)), wherep,q andr represent the following atomic propositions: 1)TrainA Image receives thefirst sensor message on each journey, 2)TrainA Image sends apause message tothe physical train and 3)TrainA Image receives adenied message fromCrossing.Since the model is relatively simple, we could manually check that the control part does

satisfy propertyP1: ¤(r → (p → ♦[T1,T1]q)), whereT1 is 0.910. It is also possible toverify propertyP1 by simulation or model-checking techniques.

�� !�"�# $%&' ( ) ��*+��, �+� -��!�� . �+� *��*�" /��)(*��, 0 ��12��"

*��, � ,��!!�"�# $%3' ( ) "��4��, �+� *��, �� )(

��*��, � !��!5�� 06 �2�� 7��899 �� *��, � ,��!�� 0 ��2:� �� 7��8�� !�"�# $%;' ( ) "��4��, �+� *��, �� )(

"��5

Fig. 10.The synthesis model of the system

To facilitate automatic system synthesis, the environmental parts have to be ex-cluded from the rest of the model. In addition, the synchronization between the controlparts and the environmental parts need to be replaced with a synthesizable interface. Af-ter these refinements, we obtain a synthesis model as shown in Fig. 10. The code givenin Fig. 10 shows that the synchronization ofTrainB Image are replaced by virtualinterfaces (primitive data methods of Dacta class). These interfaces have been imple-mented in Rotalumis and can be transferred automatically into the real interactions withthe outside world during the system synthesis.

7.4 System synthesis

In this phase, the synthesis model devised during the design stage is automatically trans-formed into an executable implementation. In order to generate a correct and effectiveimplementation, two important tasks should be carried out.

��

�� ! " �#��$ �� $ ��% "� %��&�� "��% '$ � �� &#�(� " �)��*�$% �� ("�� +,$ ��" �- ./0�1 2 3 �,$ �� " � �"44��"� �" �� "�� 4"�" �3"�� +,$ ��" �- � " �1 2 $�� .�(5

Fig. 11.The implementation of the interfaceDacta TurnOff (train)

Implementation of the interface data:Interface data classDacta defined in the syn-thesis model only provides a virtual interface for control processes. The actual im-plementation of the interface data for the communication with the Dacta controller isprovided by the Rotalumis tool. For example, the interface for stopping a train (DactaTurnOff (train)) can be implemented by using a segment of C++ codes as shown inFig. 11. The interface implementation should be non-blockable because its timing be-havior can affect the deviation between the model and its implementation. In our case,the computation cost of the interface codes is less than10−5 seconds.

Measuring the upper bound of timing deviations:Since the upper bound of tim-ing deviationsε between the model and the implementation has direct influence on thequantitative real-time properties of the implementation, we need to estimate it properly.In practice, we can obtain theε value in various ways: 1) Developers can run the im-plementation and let the scheduler record the timing deviation between the virtual time

and the physical time (such as shown in Fig. 12a), which is caused by the execution ofall actions occurring at a certain virtual time moment, then theε value can be estimatedaccording to recorded values. 2) Developers can model the platform and the time dura-tion of each action, and then estimate theε value in the integrated model of the platformand the system. More details about the estimation of theε value can be found in [7].

t

actions at virtual time t

take zero virtual time

take t physical time∆:Virtual time

:Physical timet 't

( ) ( '- )a Time deviations such as t t ( )b Statistics of time deviations

Time deviation (10-5 second)

1 ~ 5 5~ 10 10~ 30

Frequency 298079 1925 24

Fig. 12.Measuringε (the upper bound of timing deviations)

��

��

��

��

Fig. 13.The controlled physical system

In our example, we estimate theε value using the first way, due to the fact that itis difficult to model the underlying platform (Windows 98) adequately. We recordedaround 300000 time deviations between the virtual time and the physical time during a44-hour continuous running. As shown in Fig. 12b, most timing errors fall between1 ∼5×10−5 seconds, and only a very few time errors reach around3×10−4 seconds, whichare actually caused by the background activities of the operating system. Therefore, thevalue ofε can be safely estimated as 0.001 seconds in our example. Now we can predictthat the implementation satisfies a2ε-weakened property ofP1, namely¤(r → (p →♦[0.908,0.912]q)), which is stronger than required propertyP . A correct implementationwas generated automatically from the model. Fig. 13 gives a snapshot of the controlledphysical system.

8 Conclusions

In this paper, we have investigated the property-preservation between two concurrentreal-time systems. This result can serve as the basis to bridge the semantic gap be-tween design languages and implementation languages and control the inconsistenciesbetween a model and its implementation. To this end, theε hypothesis is introduced,which assumes that the execution trace of the implementation is alwaysε-close to atrace in the model. A predictable development approach was developed based on the

ε-hypothesis. Case studies performed confirm that the proposed approach can generatea consistent implementation from the model within theε deviation. The value ofε isusually dependent on various platforms and can be estimated by different techniques.

References

1. Alur, R., Henzinger, T,A.: Logics and Models of Real Time: A Survey, In Proc. of the Real-Time: Theory in Practice, REX Workshop, pp. 74 - 106, (1992).

2. Alur, R., Henzinger, T,A.: Real-time logics: complexity and expressiveness. Information andComputation, Vol. 104(1). pp. 35 - 77 (1993).

3. Alur, R., Dill, D.L.: A theory of timed automata, Theoretical Computer Science, Vol 126, pp.183 - 235, (1994).

4. Baeten, J.C.M.: The total order assumption, In Proc. 1st North American Process AlgebraWorkshop, Stony Brook, pp. 231 - 240, (1993).

5. Bokhoven, L.J. van, Voeten, J.P.M., Geilen, M.C.W., Software Synthesis for System LevelDesign Using Process Execution Trees, In Proc. 25th Euromicro Conf. pp. 463 - 467, (1999).

6. Bouajjani, A. and Laknech, Y.: Temporal Logic + Timed Automata: Expressiveness and De-cidability, In Proc. 6th CONCUR’95 Concurrency Theory, LNCS 962, pp. 531-546, (1995).

7. Florescu, O., Voeten, J.P.M., Huang, J., Corporaal, H.: Error Estimation in Model-DrivenDevelopment for Real-Time Software, Accepted by the FDL04, (2004).

8. Geilen, M.C.W.: Formal Techniques for Verification of Complex Real-time Systems, PhDthesis, Eindhoven Univ. of Tech. (2002)

9. Gupta, V., Henzinger, T.A., Jagadeesan, R.: Robust Timed Automata, Hybrid and Real-TimeSystems, In Proc. of Int. Workshop HART’97, LNCS 1201, pp. 331 - 345, (1997).

10. Henzinger, T., Manna, Z., Pnueli, A.: An interleaving model for real time, In Proc. of the 5thJerusalem conf. on Information tech. pp. 717 - 730, (1990).

11. Huang, J., Voeten, J.P.M., Geilen, M.C.W.: Real-time Property Preservation in Approxima-tions of Timed Systems. In Proc. of 1st ACM & IEEE Int. Conf. on Formal Methods andModels for Codesign. pp. 163 - 172 (2003).

12. Huang, J., Voeten, J.P.M.,Bokhoven, L.J. van, Ventevogel, A.: Platform-independent designfor embedded real-time systems, To appear in Languages for System Specification, KluwerAcademic Publishers, (2004).

13. Huang, J., Voeten, J.P.M., Putten, P.H.A. van der: Predictability in Real-time System Devel-opment (2) A Case Study, accepted by FDL04, (2004).

14. Nicollin, X.,Sifakis, J.:An overview and synthesis on timed process algebras, In Proc. of the3rd workshop on Computer-Aided Verification, (1991).

15. Nicollin, X., Sifakis, J.: The algebra of timed processes ATP: theory and application, Infor-mation and Computation, Vol. 114(1), pp. 131-178, (1994).

16. Putten, P.H.A. van der,Voeten, J.P.M.: Specification of Reactive Hardware/Software Systems,PhD thesis, Eindhoven University of Technology, (1997).

17. TAU Generation 2, http://www.taug2.com (2003).18. Voeten, J.P.M., Putten, P.H.A. van der, Geilen, M.C.W., Stevens, M.P.J.: System Level Mod-

elling for Hardware/Software Systems, In Proc. of EUROMICRO’98, 154 - 161, (1998).19. Z.100 Annex F1: Formal Description Techniques (FDT)–Specification and Description Lan-

guage (SDL), Telecom. standardization sector of ITU, (2000).

Real-time Property Preservation in Concurrent Real-time - CiteSeer

Documents

Transcript of Real-time Property Preservation in Concurrent Real-time - CiteSeer