Timed Automata Patterns

Jin Song Dong, Ping Hao, Shengchao Qin, Jun Sun, and Wang Yi

Abstract—Timed Automata have proven to be useful for specification and verification of real-time systems. System design using Timed Automata relies on explicit manipulation of clock variables. A number of automated analyzers for Timed Automata have been developed. However, Timed Automata lack composable patterns for high-level system design. Specification languages like Timed Communicating Sequential Process (CSP) and Timed Communicating Object-Z (TCOZ) are well suited for presenting compositional models of complex real-time systems. In this work, we define a set of composable Timed Automata patterns based on hierarchical constructs in time-enriched process algebras. The patterns facilitate the hierarchical design of complex systems using Timed Automata. They also allow a systematic translation from Timed CSP/TCOZ models to Timed Automata so that analyzers for Timed Automata can be used to reason about TCOZ models. A prototype has been developed to support system design using Timed Automata patterns or, if given a TCOZ specification, to automate the translation from TCOZ to Timed Automata.

Index Terms—Timed Automata, timed patterns, TCOZ, UPPAAL.

1 INTRODUCTION

Specification and verification of real-time systems are important research topics that have practical implications. A popular approach for specifying real-time systems relies on the graphical notation Timed Automata [2], [35]. Timed Automata are powerful in designing real-time models with explicit clock variables. Real-time constraints are captured by explicitly setting/resetting clock variables. A number of mechanized verification support for Timed Automata have proven to be successful (e.g., UPPAAL, KRONOS, TEMPO, RED, and Timed COSPAN). However, designing and verifying real-time systems is becoming an increasingly difficult task due to the widespread applications and increasing complexity of such systems. High-level requirements for real-time systems are often stated in terms like deadline, time-out, and wait until, partly evidenced by the case studies presented in [31], [16], [13], [34], [19]. In industrial case studies of real-time system verification, system requirements are often structured into phases, which are then composed sequentially, in parallel, alternatively, etc. [25], [32]. Unlike Statechart or process algebras, Timed Automata lack high-level composable patterns (besides parallel composition) for hierarchical design. Timed Automata users often need to manually cast those terms into a set of clock variables with carefully calculated clock constraints. The process is tedious and error prone.

Process algebras, on the other hand, are known for their bottom-up compositability, which is important to fight against the complexity of the system design. In the literature, a number of language-based process algebras have proven to be useful for specifying complex hierarchical real-time systems. Timed Communicating Sequential Processes (Timed CSPs [40]), which extend the classic CSP [27], support a rich set of compositional constructs to capture system requirements, e.g., time-out, timed interrupt, timed-event prefixing, etc. Together with compositional constructs like external/nondeterministic choice, recursion, and interrupt, Timed CSP offers a powerful mechanism for designing complex real-time systems. Timed Communicating Object-Z (TCOZ [36]) is an integrated high-level formal specification language that builds on the strengths of Timed CSP and combines it with Object-Z (OZ) [17] for modeling data and functional aspects of complex systems. In addition, new compositional constructs have been introduced, e.g., deadline and wait until. The downside of being expressive is that it is highly nontrivial to mechanically validate TCOZ models. For safety-critical systems, exposing a possible violation of system requirements at the specification level is very important, especially for hard timing constraints. The challenge of verifying time-enriched process algebras has long been recognized. A model checker named FDR [39] has been developed to verify CSP. However, there is no satisfactory verification support for either Timed CSP or TCOZ.

Based on the time-proven compositional constructs in Timed CSP/TCOZ, we develop a set of composable time patterns for Timed Automata which facilitates high-level system design using Timed Automata. The patterns cover a large class of common real-time behavior patterns and yet can be composed to form new useful patterns. The patterns are formally defined. By following the formal semantics (which are originated from their images in time-enriched process algebras), a high-level design composed of multiple timed patterns can be flattened to ordinary Timed Automata automatically. Thus, existing tools like UPPAAL can be used to verify time patterns with little computational overhead. On the other hand, the patterns allow a

---

*J.S. Dong, P. Hao, and J. Sun are with the School of Computing, National University of Singapore, 3 Science Drive 2, Singapore 117543, Republic of Singapore. E-mail: {dongjs, haoping, sunj}@comp.nus.edu.sg.

* S. Qin is with the Department of Computer Science, Durham University, Science Laboratories, South Road, Durham DH1 3LE, UK. E-mail: shengchao.qin@durham.ac.uk.

* W. Yi is with the School of Science and Engineering, North Eastern University, P.R. China ans the Department of Information Technology, Uppsala University, Box 337,751 05, Uppsala, Sweden. E-mail: yi@it.uu.se.

Manuscript received 10 Aug. 2007; revised 12 May 2008; accepted 19 June 2008; published online 23 July 2008. Recommended for acceptance by R. Cleaveland.

For information on obtaining reprints of this article, please send e-mail to: tse@computer.org, and reference IEEECS Log Number TSE-2007-08-0239. Digital Object Identifier no. 10.1109/TSE.2008.52.

Published by the IEEE Computer Society
systematic translation from Timed CSP/TOCZ models to Timed Automata so that the state-of-art verification mechanism for Timed Automata can be used to validate Timed CSP/TOCZ models.

This work identifies the strengths and weaknesses of Timed Automata and timed process algebras and develops new techniques for system modeling, as well as verification. Instead of comparing the expressiveness of the two notations (which is of theoretical interest and has been partially done in [38]), we focus on developing practical techniques that are beneficial to both TCOZ/Timed CSP and Timed Automata users. A closely related work is the hierarchical Timed Automata proposed in [11]. The notion of hierarchical Timed Automata in [11] is based on the notion of Statechart. Two kinds of Timed Automata composition have been discussed, i.e., named and-states and or-states. In our work, the common time patterns introduced in Timed CSP and beyond have been formally defined, which serve as a library of building blocks for complex real-time systems. This work is also related to works on verification of time-enriched process algebra. In [15], Dong et al. have developed a model checker for Timed CSP based on constraint solving. In Brooke’s PhD dissertation [8], a preliminary PVS encoding of Timed CSP was presented which relies heavily on user interaction. Another closely related area of research is Hoenicke and Olderog’s work on the integration of CSP, OZ, and Duration Calculus (DC) (named CSP-OZ-DC [28]). By transforming the DC part of a system model into a Timed Automaton, CSP-OZ-DC benefits from Timed Automata’s tool support. For instance, UPPAAL has been used to verify CSP-OZ-DC models. In our work, UPPAAL is used to verify TCOZ models. However, our main contribution is the development of the generic Timed Automata patterns, i.e., we do not copy Timed Automata’s tool support for TCOZ verification but also lend TCOZ’s hierarchical constructs to facilitate systematic Timed Automata designs. Furthermore, the work in [28] mainly focuses on the smooth integration of the underlying semantic models of CSP, OZ, and DC and its use for verifying properties of CSP-OZ-DC specifications. Another related formalism for modeling real-time systems is TRIO [20]. This notation uses a notion of interface diagram that is different from the Timed-CSP-featured TCOZ notation in modeling dynamic behaviors. TRIO has been compared to TCOZ [36]. Similar to our work, some other real-time formalisms have been translated or projected to other formalisms for model-checking [29], [23]. This work is also related to works on compositional modeling of real-time systems [4], [3], [41], [22] and works on specification patterns in general [18], [30].

This paper is a revised and extended version of our conference paper [14], in which the link between Timed Automata and TCOZ has been investigated. A few timed patterns have been briefly introduced to show our initial ideas of using Timed Automata’s tool support to verify TCOZ models. This paper substantially extends [14] with a range of common timed patterns, as well as a formal transition from TCOZ to Timed Automata and its correctness proof. We further enhance our previous work with illustrative examples, as well as a complex case study, which demonstrate the applicability of our approach. The remainder of the paper is organized as follows: Section 2 briefly introduces the relevant features of TCOZ and Timed Automata. Section 3 presents our main contribution, i.e., a set of composable Timed Automata patterns with formal semantics. We also demonstrate how new patterns can be composed from the existing ones. Section 4 shows how TCOZ or Timed CSP users may benefit from our patterns, by defining a formal translation from TCOZ to Timed Automata. A JAVA application for automating the projection is briefly discussed. Section 5 shows how Timed Automata users benefit from the patterns. We demonstrate a hierarchical Timed Automata design using a railcar system. Section 6 concludes this work. Throughout the paper, a process means a TCOZ or Timed CSP process and a system. Section 6 concludes this work. Throughout the paper, a process means a TCOZ or Timed CSP process and a system. Section 6 concludes this work.

2 BACKGROUND

2.1 Timed Automata

Timed Automata were proposed in [2] as an extension of the automata-theoretic approach to the modeling of real-time systems. Since then, the theory and verification tool support of Timed Automata has been an intensive field of research in computer science. A Timed Automaton is a finite automaton equipped with a finite set of clocks. Clocks are continuous real-valued functions of time that precisely record the time elapsed. All clocks advance at the same pace. Real-time system behaviors are captured using Timed Automata by explicitly resetting clocks and comparing a clock reading with constants.

Definition 1 (Timed Automaton). A Timed Automaton $A$ is a 7-tuple $(S, init, F, \Sigma, C, Inv, T)$, where $S$ is a finite set of states, $init \in S$ is an initial state, $F \subseteq S$ is a set of final states, $\Sigma$ is a set of actions/events, $C$ is a finite set of clocks, $Inv$ is a proposition assignment function that, for each state, gives a proposition true at the state, and $T : S \times \Sigma \times 2^C \times \Phi(C) \times S$ is the transition relation. A transition $(s, a, \lambda, \delta, s')$ represents a transition from state $s$ to state $s'$ on event $a$. The set $\lambda$ gives the clocks to be reset with this transition and $\delta$ is a clock constraint over $C$ that specifies when the switch is enabled. $\Phi(C)$ is a set of clock constraints that is defined by the following grammar:

$$\varphi := \text{true} | x \leq c \leq \bar{x} | x < c < \bar{x} | \varphi_1 \land \varphi_2,$$

where $x$ is a clock and $c$ is a real number.

Note that $F$ might be empty if the Timed Automaton never terminates (i.e., no deadlock state). The semantics of a Timed Automaton is defined as a transition system. A run of the timed automaton starts with the initial state. The control may remain at a state $s$ as long as the state $Inv(s)$ is not violated. A transition $(s, a, \lambda, \delta, s')$ is enabled if and only if the control is at state $s$, the guard condition $\delta$ is satisfied (by the valuation of the clocks), and the event $a$ is enabled. The transition is unguarded if $\delta$ is true. After taking the transition, the control moves to state $s'$ and the clocks in $\lambda$ reset.

Example. The following shows a sample Timed Automaton specifying a railcar system (the railcar system will be specified in Section 5).

1. If there were multiple initial states, a unique initial state is created with internal transitions to the ordinary initial states.
For the sake of readability, the states are labeled with names, e.g., Open, Close, and ToOpen. We assume that the door can be closed instantly and, hence, there is no state named ToClose. Initially, the control is at state Close, indicated by the double-lined circle. The transition is fired once an input is received over channel open (as the transition is unguarded), the control goes to state ToOpen, and clock $x$ is reset. Within 2 seconds (constrained by the state invariant), the control goes to state Open. An output on the channel conf takes place along with the transition. The door remains open for 10 seconds, i.e., passengers have 10 time units for boarding, and, then, the control goes to state Close.

A Timed Automata specification may consist of a network of Timed Automata. A state in the product of two Timed Automata is a pair of states, each representing the progress one of the Timed Automata has made so far. A transition in the product is either a local transition of either the progress one of the Timed Automata has made so far. A transition among multiple parties is mimicked using the notion of synchronization channels. The simulator is a validation tool that enables the examination of possible dynamic executions of a system. The model checker verifies invariants and bounded liveness properties by exploring the symbolic state space of a system, i.e., reachability analysis in terms of symbolic states represented by constraints. The model checking engine of UPPAAL is designed to check a restricted subset of Timed CTL [1] formulas for networks of Timed Automata. Note that Timed Automata in UPPAAL extend the original one [2] with handy constructs like urgent states and committed states. No time elapsing is allowed at an urgent state, i.e., an urgent state is labeled with an additional invariant that the control cannot reside at the state. We write $(s, urgent) \in Inv$ to mean that state $s$ is urgent. In the following, states in the timed patterns may be marked as urgent states so as to make it easier to prove the soundness of the patterns and to simplify the flattened Timed Automata (see later examples). An urgent state is drawn as a circle with a “U” inside.

### 2.2 Time Communicating Object Z

A number of time-enriched process algebras have been proposed. In this work, we focus on TCOZ [36], which, compared to others, contains a larger set of compositional constructs. TCOZ is designed to present a complete and coherent specification of systems with not only complicated control flows but also complex data and functional requirements. It is essentially a blending of OZ with Timed CSP, for the most part preserving them as proper sublanguages of the blended notation. TCOZ is novel in that it includes timing primitives, properly separates process control and data/algorithm issues, fully integrates notions of refinement from both languages, supports the modeling of true multithreaded concurrency, and distinguishes the notion of active and passive objects. In the following, we walk through the main features of TCOZ using an illustrative example. A detailed introduction to TCOZ and its Timed CSP and OZ features may be found in [36].

**Example.** Fig. 1 presents a TCOZ specification of a timed message queue. It contains a single class named TimeQueue. The anonymous schema called state schema identifies the data space of the class. In particular, the variable item is a sequence of messages. MSG is an uninterpreted data type. in and out of reserved type chan identifies the communication interfaces of this class, i.e., in and out are channels connecting objects of this class to its environment. Channels that share the same base name in different classes are connected implicitly. $T_i$, $T_j$, and $T_{out}$ are time constants which are used to constrain the duration of a data operation. The schema named INIT contains the predicate that identifies the initial data state, i.e., items is empty. The two schemas Add and Del are operation schemas. They define the data operations that may update the valuation of the data variables. The predicate part of an operation (the part under the horizontal line) specifies an operation using a predicate composed of primed and unprimed versions of the data variables, as well as inputs/outputs. The primed variables denote the valuation of the variable after the operation. In particular, the predicate part of operation
Add means that the sequence of messages after the operation should be the original sequence of messages followed with the input. The remaining part is a set of process definitions which specifies the dynamic behavior of objects of this class. A process is defined by an equation. The left-hand side is the process name, e.g., Join, Leave, and Main. Note that \( = \) means “is defined as.” The right-hand side is the process expression that defines the process. For instance, process Join behaves as follows: after getting an input \( i \) from channel \( in \) (the part \( [i : MSG] \) is a guard condition saying that \( i \) must be of type \( MSG \)), the operation Add is performed within \( T_j \) time units (constrained by the DEADLINE expression). The Leave operation specifies that if the sequence \( items \) is not empty (\( items \neq \emptyset \)), the first element in \( items \) (\( head(items) \)) shall be sent over channel \( out \) and, then, operation Del is performed to remove this element from \( items \) in \( T_j \) time units. The process named MAIN identifies the behavior of instances of the class after initialization. In particular, the Main process is defined as a recursion (as a \( \mu \) function). The process construct \( \square \) means choice and \( \triangleright \{T_o \} \) means time-out. The process reads as “the system may either behave as prescribed by Join or Leave or, if nothing happens in \( T_o \) time units, then the system performs operation Del in \( T_o \) time units and then repeats from the beginning.” If no input or output is performed in \( T_o \) time units, then the first message is lost.

In this work, we focus on the process aspects of TCOZ, which borrows and extends the modeling power of Timed CSP. Table 1 shows a list of process constructs in TCOZ. STOP denotes a process that deadlocks and does nothing. SKIP denotes a process that terminates successfully. Process WAIT \( t \) delays the system for exactly \( t \) time units. Process \( e \rightarrow P \) is initially willing to engage in event \( e \) and behaves as \( P \) afterward. A process \( e@t \rightarrow P(t) \) behaves just like \( e \rightarrow P \) except that the engage time of \( e \) is recorded in \( t \). The event \( e \) can be a channel communication of the form \( c\alpha \) or \( c\beta \). In order to capture timing requirements naturally, TCOZ supports common timing constraints like \( \text{deadline} \) and \( \text{wait until} \). Process \( P \bullet \text{DEADLINE } t \) is constrained to terminate within \( t \) time units. The WAITUNTIL operator is a dual to \( \text{DEADLINE} \). Process \( P \bullet \text{WAITUNTIL } t \) behaves as \( P \) but will not terminate before \( t \) time units elapse. If \( P \) terminates early, it idles until \( t \) time units elapse. Processes may be compositional. The sequential composition \( P;Q \) behaves as \( P \) until it terminates and then behaves as \( Q \). An external choice is written as \( P \boxslash Q \). Often, external choices are guarded by prefixing or conditionals. The internal choice \( P \boxslash Q \) behaves as either \( P \) or \( Q \) nondeterministically. The parallel composition of two processes is written as \( P||E||Q \), where \( E \) is a set of events. Events in \( E \) are synchronized by \( P \) and \( Q \). If \( E \) is the empty set, the two processes interleave, written as \( P\parallel Q \). Process \( P \triangleright \{t\} Q \) behaves as \( P \) if \( P \) makes a move before \( t \) time units elapse; otherwise, \( Q \) takes control. Process \( P \triangle e \rightarrow Q \) behaves as \( P \) until event \( e \) is engaged and, then, \( P \) is interrupted and \( Q \) takes control. Process \( P \triangle \{t\} Q \) is called timed interrupt. It behaves as \( P \) until \( t \) time units elapse and then switches to \( Q \). Both interruptions are preemptive. Recursion is defined as a \( \mu \) function. The semantics of recursion is defined as Tarski’s weakest fixed point. It is known that unbounded recursion in CSP (and, therefore, Timed CSP and TCOZ) may result in irregular languages. Therefore, we restrict ourselves to tail recursion, i.e., a special case of recursion in which only the last operation of a process is a recursive call.

![TimedQueue](image)

**Fig. 1.** Timed message queue specification.
3 Timed Automata Patterns

High-level real-time system requirements are often stated using terms like deadline, time-out, and wait until, which can be regarded as common timing constraint patterns. TCOZ, designed to capture high-level system requirements, has a rich set of hierarchical constructs that capture those common timing patterns. In contrast, Timed Automata users often need to manually cast those timing patterns into a set of clock variables with carefully calculated clock constraints. In this section, a rich set of composable Timed Automata patterns is defined formally in order to facilitate high-level system design using Timed Automata. Established compositional patterns introduced in the classic CCS, CSP, Timed CSP, and TCOZ are presented. The usefulness of the compositions is evidenced by early case studies on using those formalisms for system specification and analysis [31], [16], [13], [34]. Because we aim for efficient verification and compositional modeling, the patterns are designed to be simple, intuitive, and congruent to timed process algebra operators.

3.1 Patterns

In the following, the Timed Automata patterns are introduced one by one. First, the formal definition is presented, followed by an intuitive graphic presentation. Graphically, an automaton is abstracted as a triangle. The left vertex of the triangle or a circle attached to the left vertex represents the initial states. The right edge represents the final states. The parallel composition of two automata is represented as two triangles that are side by side. In the following, $\tau$ denotes an internal unobservable transition. For simplicity, a function/relation is interpreted as a set of tuples (as in the Z language [43]). We assume that, for any automaton $A = (S, init, F, \Sigma, C, Inv, T)$, the domain of $Inv$ and $T$ is always restricted to $S$. Note that not all of the patterns are essential as some of them can be generated by composing other patterns. We will thus introduce the fundamental ones and then a set of derived ones.

**Definition 3 (Event Prefixing).** Let $A = (S, init, F, \Sigma, C, Inv, T)$ be a Timed Automaton. Let $a$ be an event. The event-prefixing pattern, i.e., the Timed Automaton in which $e$ precedes any action of $A$, written as $e \cdot$ prefix$(a, A)$, is

$$
(S \cup \{init\}, init', F, \Sigma \cup \{a\}, C, Inv \cup \{(init', true)\}, T \cup \{(init', a, C, true, init)\}),
$$

where $init'$ is a fresh state.

Event prefixing is considered one of the most commonly used basic patterns, e.g., a task is preceded by some event. In the above pattern, event $a$ (which may be a synchronization barrier or variable assignment) must be engaged before a certain task (which is modeled as $A$) must be carried out. The fresh state $init'$ is connected to the initial state in $A$ by a transition labeled with $a$.

**Definition 4 (Internal Choice).** Let $A_i = (S_i, init_i, F_i, \Sigma_i, C, Inv_i, T_i)$ where $i \in \{1, 2\}$ be two Timed Automata. The internal choice of $A_1$ and $A_2$, written as intchoice$(A_1, A_2)$, is

$$(S_1 \cup S_2 \cup \{init\}, init', F_1 \cup F_2, \Sigma_1 \cup \Sigma_2, C_1 \cup C_2, Inv_1 \cup Inv_2 \cup \{(init', urgent)\}, T'),$$

where $init'$ is a fresh state and $T' = T_1 \cup T_2 \cup \{(init', \tau, C, true, init_1), (init', \tau, C, true, init_2)\}$.

The above pattern captures nondeterminism, i.e., the system described nondeterministically behaves as either $A_1$ or $A_2$. Nondeterminism allows us to abstract away irrelevant details of the system [27]. By introducing a fresh state $init'$ and connecting $init'$ to initial states of both automata by unguarded transitions labeled with $\tau$, the choice is made internally and, thus, nondeterministically. Because internal choice is symmetric and associative, we write intchoice$(A_1, A_2, \ldots, A_n)$ to denote the nondeterministic choice among multiple timed automata. Note that $init'$ is urgent and, thus, no time elapsing is allowed. The rule is that only additional states are marked urgent. Marking states urgent allows us to systematically simplify composed timed patterns (see example in Section 3.2).

**Definition 5 (Recursion).** Let $A = (S, init, F, \Sigma, C, Inv, T)$ be a Timed Automaton. Let $S_0$ be a set of states such that $S_0 \subset S$.

<table>
<thead>
<tr>
<th>Notation</th>
<th>Explanation</th>
</tr>
</thead>
<tbody>
<tr>
<td>STOP</td>
<td>deadlock</td>
</tr>
<tr>
<td>SKIP</td>
<td>terminate immediately</td>
</tr>
<tr>
<td>Op</td>
<td>invocation of an operation schema</td>
</tr>
<tr>
<td>WAIT $t$</td>
<td>delay termination by $t$</td>
</tr>
<tr>
<td>$e \rightarrow P$</td>
<td>communicate $a$ then do $P$</td>
</tr>
<tr>
<td>$e@t \rightarrow P(t)$</td>
<td>communicate $a$ at time $t$ then do $P$</td>
</tr>
<tr>
<td>$c?e \rightarrow P$</td>
<td>input $a$ on channel $c$ and then do $P$</td>
</tr>
<tr>
<td>$c!e \rightarrow P$</td>
<td>output $a$ from channel $c$ and then do $P$</td>
</tr>
<tr>
<td>$P \cdot$ DEADLINE $t$</td>
<td>$P$ must terminate before time $t$</td>
</tr>
<tr>
<td>$P \cdot$ WAIT $\text{UNTIL}$ $t$</td>
<td>after $P$ idle until time $t$</td>
</tr>
<tr>
<td>$P :: Q$</td>
<td>perform $P$ till termination then $Q$</td>
</tr>
<tr>
<td>$P \sqcap Q$</td>
<td>perform the first enabled of $P$ and $Q$</td>
</tr>
<tr>
<td>$P \sqcup Q$</td>
<td>perform either of $P$ and $Q$</td>
</tr>
<tr>
<td>$P | [E] Q$</td>
<td>synchronize $P$ and $Q$ on events from $E$</td>
</tr>
<tr>
<td>$P | Q$</td>
<td>interleaving of $P$ and $Q$</td>
</tr>
<tr>
<td>$P \triangleright (t) Q$</td>
<td>if $P$ does not begin by $t$, perform $Q$</td>
</tr>
<tr>
<td>$P \triangle (e) Q$</td>
<td>perform $P$ until $e$, then perform $Q$</td>
</tr>
<tr>
<td>$\mu X \cdot P(X)$</td>
<td>recursion, $X$ is a fixed point</td>
</tr>
</tbody>
</table>

**TABLE 1**

Time-Enriched Process Constructs

<table>
<thead>
<tr>
<th>Notation</th>
<th>Explanation</th>
</tr>
</thead>
<tbody>
<tr>
<td>STOP</td>
<td>deadlock</td>
</tr>
<tr>
<td>SKIP</td>
<td>terminate immediately</td>
</tr>
<tr>
<td>Op</td>
<td>invocation of an operation schema</td>
</tr>
<tr>
<td>WAIT $t$</td>
<td>delay termination by $t$</td>
</tr>
<tr>
<td>$e \rightarrow P$</td>
<td>communicate $a$ then do $P$</td>
</tr>
<tr>
<td>$e@t \rightarrow P(t)$</td>
<td>communicate $a$ at time $t$ then do $P$</td>
</tr>
<tr>
<td>$c?e \rightarrow P$</td>
<td>input $a$ on channel $c$ and then do $P$</td>
</tr>
<tr>
<td>$c!e \rightarrow P$</td>
<td>output $a$ from channel $c$ and then do $P$</td>
</tr>
<tr>
<td>$P \cdot$ DEADLINE $t$</td>
<td>$P$ must terminate before time $t$</td>
</tr>
<tr>
<td>$P \cdot$ WAIT $\text{UNTIL}$ $t$</td>
<td>after $P$ idle until time $t$</td>
</tr>
<tr>
<td>$P :: Q$</td>
<td>perform $P$ till termination then $Q$</td>
</tr>
<tr>
<td>$P \sqcap Q$</td>
<td>perform the first enabled of $P$ and $Q$</td>
</tr>
<tr>
<td>$P \sqcup Q$</td>
<td>perform either of $P$ and $Q$</td>
</tr>
<tr>
<td>$P | [E] Q$</td>
<td>synchronize $P$ and $Q$ on events from $E$</td>
</tr>
<tr>
<td>$P | Q$</td>
<td>interleaving of $P$ and $Q$</td>
</tr>
<tr>
<td>$P \triangleright (t) Q$</td>
<td>if $P$ does not begin by $t$, perform $Q$</td>
</tr>
<tr>
<td>$P \triangle (e) Q$</td>
<td>perform $P$ until $e$, then perform $Q$</td>
</tr>
<tr>
<td>$\mu X \cdot P(X)$</td>
<td>recursion, $X$ is a fixed point</td>
</tr>
</tbody>
</table>
The recursion pattern, i.e., the Timed Automaton containing recursive invocation of $A$ at a state in $S_0$, written as $\text{recur}(A, S_0)$, is $(S \cup \{\text{init}, F\} \cup S_0, \Sigma, C, \text{Inv}, T)$, where $T' = T \cup \{(s, a, \lambda, \delta, \text{init}) | \exists s_0 : S_0 \bullet (s, a, \lambda, \delta, s_0) \in T\}$.

Recursion is used to introduce infinite behaviors, which is commonly used for specifying nonterminating reactive systems. Given a timed automaton $A$ and a set of states $S_0$ where there is a recursive call, the pattern is constructed by diverting all of the transitions to a state in $S_0$ to the initial state. Note that we request that $S_0$ must be a proper subset of $S$ so as to prevent divergence. The dotted arrow represents a transition that originally leads to a state in $S_0$. In the resulting automaton, such transitions are redirected to the initial state of $A$. This construction only handles tail recursion. Note that we write $\text{recur}(A)$ to denote $\text{recur}(A, A.F)$, i.e., the second argument is defaulted to be the final states of $A$.

**Definition 6 (Delay).** Let $t$ be a positive real number. The Timed Automaton that delays the execution by $t$ time units, written as $\text{delay}(t)$, is 

$$(S \cup \{\text{init}, F\} \cup S_0, \Sigma, C, \text{Inv}, T),$$

where $T' = T \cup \{(s, \lambda, \delta, f | x = t, s_{\text{init}}) | \exists s_0 : S_0 \bullet (s, a, \lambda, \delta, s_{\text{init}}) \in T\}$.

The above pattern is used to delay the execution (of the system) by exactly $t$ time units, e.g., one of the common requirements for timed systems. We remark that internal choice, event prefixing $a \rightarrow P$, recursion, and WAIT may be regarded as the fundamental blocking of Timed CSP processes. This is justified by combining previous results on deriving a normal form for CSP Timed CSP processes. In [9], it is proven that all CSP processes can be transformed into a normal form, which composes only internal choices, event prefixing, and process referencing. In [12], it is proven that the only fundamental building block of Timed CSP processes (besides those of CSP) is WAIT. We may thus prove that patterns that correspond to Timed CSP operators can be generated from the fundamental ones (by transforming them into the normal form) by combining the above results and proving a congruence theorem. In addition to patterns corresponding to Timed CSP constructs, two additional patterns are introduced, namely, \text{waituntil} and \text{deadline}. The \text{waituntil} pattern can be generated by composing other patterns (as we shall show later), whereas the \text{deadline} pattern cannot. Thus, we regard the following \text{deadline} pattern as fundamental too. Nonetheless, we give the definitions of patterns corresponding to all TCOZ operators for user convenience as well as efficiency reasons, i.e., a commonly used pattern may be manually optimized.

**Definition 7 (deadline).** Let $A = (S, \text{init}, F, \Sigma, C, \text{Inv}, T)$ be a Timed Automaton. Let $t$ be a positive real number. The \text{deadline} pattern $\text{deadline}(A, t)$ is

$$(S \cup \{\text{init}, F\} \cup S_0, \Sigma, C \cup \{x\}, \{(\text{init}', \text{urgent})\} \cup \{(s, \text{inv}) | s \in S \land \text{inv} = (\text{Inv}(s) \land x \leq t)\}, T \cup \{(\text{init}', \tau, (x, \text{true}, \text{init}))\},$$

where $\text{init}'$ is a fresh state and $x$ is a fresh clock.

The above pattern is used to capture the requirement that some task must be finished by a certain time. It is more of a requirement than a design. Given a Timed Automaton $A$, if it is constrained to finish within $t$ time units, all states in $A$ are labeled with an invariant $x \leq t$ in which $x$ is a fresh clock, which is reset when the control enters the automaton. The leftmost state is the fresh state $\text{init}'$. The local invariant $x \leq t$ covers each state of the timed automaton and, thus, $A$ must terminate no later than $t$ time units. This pattern may introduce timelocks [6]. In particular, there might be time-actionlocks (i.e., situations in which neither time nor action transitions can be performed) or zenotimelocks (i.e., situations in which time is unable to pass beyond a certain point, but actions continue to be performed). Detecting and resolving timelocks is a highly nontrivial task (refer to [6] for sufficient conditions and sufficient and necessary conditions for timelock-freeness). Nonetheless, we choose to introduce this pattern simply because deadline is a common real-time requirement. We may verify (e.g., using the tool presented in [7] or UPPAAL) that $A$ terminates within $t$ time units in all circumstances (so as to prevent timelocks). Alternative ways of capturing deadlines are presented in [3], [26].

**Definition 8 (wait until).** Let $A = (S, \text{init}, F, \Sigma, C, \text{Inv}, T)$ be a Timed Automaton. Let $t$ be a positive real number. The \text{waituntil} pattern, written as $\text{waituntil}(A, t)$, is

$$(S \cup \{\text{init}', f', f''\}, \text{init}', \{f'\}, \Sigma, C \cup \{x\},$$

$$\text{Inv} \cup \{(\text{init}', \text{urgent}), (f', \text{true}), (f'', x \leq t), T'\},$$

where $\text{init}'$, $f'$, and $f''$ are fresh states, $x$ is a fresh clock, and $T' = T \cup \{(\text{init}', \tau, (x, \text{true}, \text{init}))\}$

$$\cup \{(f, \tau, \emptyset, x \geq t, f') | f \in F\} \cup \{(f, \tau, \emptyset, x < t, f'') | f \in F\}$$

$$\cup \{(f'', \tau, \emptyset, x = t, f'')\}.$$

The above pattern is used to constrain that a certain task must take certain time units to finish. The automaton is constrained to finish its process no earlier than $t$ time units. Given the automaton $A$, if the process of $A$ finishes earlier than $t$ time units, the system idles at a fresh state $f''$ until exactly $t$ time units elapses. Else if the process of $A$ takes more than (or exactly) $t$ time units, the system proceeds to final state $f'$ without further waiting. Note that this pattern can be generated from the \text{delay} pattern and the parallel composition pattern, i.e., it is straightforward to prove that \text{waituntil}(A, t) is equivalent to $\text{para}(A, \text{delay}(t))$. Compare with the automaton $A$.
Definition 9 (External Choice). Let $A_i = (S_i, \text{init}_i, F_i, \Sigma_i, C_i, \text{Inv}_i, T_i)$ where $i \in \{1, 2\}$ be two Timed Automata. An external choice of $A_1$ and $A_2$, written as $\text{extchoice}(A_1, A_2)$, is para($A_1', A_2'$), where

$$A_1' = (S_1, \text{init}_1, F_1, \Sigma_1, C_1, \text{Inv}_1, T_1, \{(s, \tau, \lambda, \delta \wedge x \leq 0, s') | (s, \lambda, \delta, s') \in T_1\} \cup \{(s, x := -1, \lambda, \delta \wedge x \leq 0, s') | (s, a, \lambda, \delta, s') \in T_1\})$$

and

$$A_2' = (S_2, \text{init}_2, F_2, \Sigma_2, C_2, \text{Inv}_2, \{(s, \tau, \lambda, \delta \wedge x \geq 0, s') | (s, \lambda, \delta, s') \in T_2\} \cup \{(s, x := 1, \lambda, \delta \wedge x \geq 0, s') | (s, a, \lambda, \delta, s') \in T_2\}),$$

where $x \in \{1, 0, 1\}$ is a fresh control variable.

The above pattern is useful when the choice is resolved by the first action of either $A_1$ or $A_2$. In the composition, the system may initially take a transition enabled in either $A_1$ or $A_2$. An initial state in the composition is a pair of initial states ($\text{init}_1, \text{init}_2$), which is labeled transitions from either $\text{init}_1$ or $\text{init}_2$. Given automata $A_1, \ldots, A_n$, the indexed external choice is written as $\text{extchoice}(A_1, \ldots, A_n)$ as $\text{extchoice}$ is symmetric and associative. As external choice is an operator of CSP, by applying the result in [9], it can be resolved to a normal form containing only the fundamental building blocks.

Definition 10 (Sequential Composition). Let $A_i = (S_i, \text{init}_i, F_i, \Sigma_i, C_i, \text{Inv}_i, T_i)$ where $i \in \{1, 2\}$ be two Timed Automata. The sequential composition of $A_1$ and $A_2$, written as $\text{seq}(A_1, A_2)$, is

$$(S_1 \cup S_2, \text{init}_1, F_2, \Sigma_1 \cup \Sigma_2, C_1 \cup C_2, \text{Inv}_1 \cup \text{Inv}_2 \cup \{(s, \text{urgent}) | s \in F_1\}, T),$$

where $T = T_1 \cup T_2 \cup \{(f, \tau, \emptyset, \text{true, init}_2) | f \in F_1\}.$

Given two Timed Automata $A_1$ and $A_2$, the above shows the sequential composition. Sequential composition is commonly used to accomplish two tasks/jobs in order. By linking the final states of $A_1$ (i.e., the right edge) with the initial state of $A_2$ (i.e., the left vertex), the resulting automaton passes control from $A_1$ to $A_2$ immediately after $A_1$ terminates. The transition from a final state in $A_1$ to an initial state in $A_2$ is unguarded and labeled with $\tau$. If $A_1$ is nonterminating, the final states in $A_2$ may not be reachable.

Definition 11 (Time Out). Let $A_i = (S_i, \text{init}_i, F_i, \Sigma_i, C_i, \text{Inv}_i, T_i)$ where $i \in \{1, 2\}$ be two Timed Automata. Let $t$ be a positive real number. The time-out pattern, written as $\text{timeout}(A_1, A_2, t)$, is

$$(S_1 \cup S_2 \cup \{\text{init}\}, \text{init}', F_1 \cup F_2, \Sigma_1 \cup \Sigma_2, C_1 \cup C_2 \cup \{x\}, \text{Inv}', T'),$$

where $\text{init}'$ is a fresh state, $x$ is a fresh clock,

$$\text{Inv}' = \{(\text{init}', \text{urgent}) \cup \{(\text{init}_1, \text{Inv}_1(\text{init}_1) \wedge x \leq t)\} \cup \{(x, \text{Inv}_2(x)) | x \in S_1\} \cup \{\text{init}_1, \text{init}_2\} \cup \{(\text{init}_1, \text{init}_2)\}$$

and

$$T' = T_1 \cup T_2 \cup \{(\text{init}', \tau, \{x\}, \text{true, init})\} \cup \{(s, \text{Inv}_2(x)) | x \in S_1\} \cup \{\text{init}_1, \text{init}_2\} \cup \{(s_1, \tau, \emptyset, x = t, \text{init}_1) | s_1 \in S_1\}.$$
Definition 13 (event interrupt). Let \( A_i = (S, init_i, F_i, \Sigma_i, C_i, Inv_i, T_i) \) where \( i \in \{1, 2\} \) be two Timed Automata. Let \( a \) be an event. The event-interrupt pattern, i.e., the Timed Automaton in which \( A_1 \) is interrupted whenever event \( a \) engages and then the control transfers to \( A_2 \), written as \( \text{evtinterrupt}(A_1, A_2, a) \), is
\[
(S_1 \cup S_2, init_1, F_1 \cup F_2, \Sigma_1 \cup \Sigma_2 \cup \{a\}, C_1 \cup C_2, Inv_1 \cup Inv_2, T')
\]
where \( T' = T_1 \cup T_2 \cup \{(s_1, a, \{x\}, true, init_2)|s_1 \in S_1\} \).

Event interrupt is similar to timed interrupt except that, because there are no timing constraints involved, no additional state or clock is necessary. Instead, an unguarded transition labeled with \( a \) is created from each state in \( A_1 \) to an initial state in \( A_2 \).

Definition 14 (Timed-Event Prefixing). Let \( A = (S, init, F, \Sigma, C, Inv, T) \) be a Timed Automaton. Let \( a \) be an event. Let \( t \) be a positive real number. The timed-event-prefixing pattern, i.e., the Timed Automaton in which \( a \) engages at time \( t \) and precedes any action of \( A \), written as \( \text{teventprefix}(a, t, A) \), is
\[
(S \cup \{init', init''\}, init', F, \Sigma \cup \{a\}, C \cup \{x\}, Inv \cup \{(init', urgent), (init'', true)\}, T')
\]
where \( init', init'' \) are fresh states and \( T' = T \cup \{(init', \{x\}, true, init''), (init'', a; t := x, \emptyset, true, init)\} \).

Because \( t \) is the time taken from the moment this pattern is enabled to the time event \( a \) is engaged, a fresh clock \( x \) is initiated whenever the automaton is enabled. The reading of \( x \) at the time when \( a \) is engaged is recorded in \( t \).

3.2 Composing Patterns

Our experience [16], [13], [37] shows that the patterns presented above cover most of the common timed patterns. Nonetheless, the patterns are by no means complete. New useful patterns can be added into our library or composed from the existing ones. In the following, we show how to build new patterns by composing multiple existing patterns.
It is important that the Timed Automata patterns combine with the bottom-up compositibility (of process algebra style) because complex real-time systems may be naturally modeled as collections of subcomponents at different abstraction levels. In the bottom-up design process, a subcomponent of reasonable complexity (and which is flattened) may be modeled as a Timed Automaton. The system can then be naturally composed from the modeling of the subcomponents. The Timed Automata patterns provide user-friendly templates to build such hierarchical modeling. In the top-down design process, the modeling of a complex system can be generated by hierarchical modeling. In the top-down design process, the modeling of a complex system can be generated by flattening the components, step by step, using appropriate refinement. As a reasonable price to pay, a refinement might require extra states or clocks, for instance, Definitions 7, 8, and 14 introduce new states and clocks. However, our experience shows that the extra states and clocks often can be removed using simple optimization procedures, e.g., τ-transition reduction (if the outgoing transitions of a state are all τ-transitions, remove the state and redirect all incoming transitions), urgent states reduction, or reusing clocks that are no longer referenced (which is common as clocks are local to one Timed Automaton).

4 Translating Timed Process Algebra to Timed Automata

A practical implication of the Timed Automata patterns is that process-algebra-based specification languages like Timed CSP or TCOZ can be systematically translated to Timed Automata so as to benefit from the verification mechanism of Timed Automata. In this section, a translation from TCOZ to Timed Automata is defined (which implies a translation from Timed CSP to Timed Automata). The following defines the Timed Automaton interpretation of the primitive processes.

Definition 15 (primitives). Let \( Op \) be a data operation (or an operation schema):

\[
\begin{align*}
A_{\text{skip}} &= \{(i, f), \{i, f\}, \{i, \text{urgent}, f\}, \{i, \text{true}, f\}\}, \\
A_{\text{stop}} &= \{\{i, f\}, \{f, e_{\text{stop}}, \}, \{i, \text{true}, f\}\}, \\
A_{\text{Op}} &= \{\{i, f\}, \{i, f\}, \{e_{\text{Op}}, \}, \{i, \text{true}, f\}\},
\end{align*}
\]

where \( e_{\text{Op}} \) is an atomic event representing the data operation and \( e_{\text{Op}} \) is its precondition [43].

\( A_{\text{skip}} \) allows an unguarded transition from its initial state to the final state. Because the initial state is urgent, the automaton terminates immediately. \( A_{\text{stop}} \) allows no transitions at all (and so, no final state is reachable). A data operation is presented as a Timed Automaton with only one transition. The transition is guarded with the precondition of the operation and labeled with an event that represents the atomic data change. The control may reside at the initial state for some time as the data operation may not be instantaneous.

Definition 16 (translation). Let \( \mathcal{P} \) be the set of all TCOZ processes. Let \( A \) be the set of all Timed Automata. A translation is a function \( M : \mathcal{P} \rightarrow A \) defined as follows:

\[
\begin{align*}
M(\text{Skip}) &= A_{\text{skip}}, \\
M(\text{Stop}) &= A_{\text{stop}}, \\
M(\text{Op}) &= A_{\text{Op}}, \\
M(a \rightarrow P) &= \text{eventprefix}(a, M(P)), \\
M(a@t \rightarrow P) &= \text{eventprefix}(a, t, M(P)), \\
M(\text{Wait } t) &= \text{delay}(t), \\
M(P \cdot \text{WaitUntil } t) &= \text{waituntil}(M(P), t), \\
M(P \cdot \text{Deadline } t) &= \text{deadline}(M(P), t), \\
M(P \triangleright \{t\} Q) &= \text{timeout}(M(P), M(Q), t), \\
M(P \triangle \{t\} Q) &= \text{timester}(M(P), M(Q), t), \\
M(P \triangle a \rightarrow Q) &= \text{extinter}(M(P), M(Q), a), \\
M(P; Q) &= \text{seq}(M(P), M(Q)), \\
M((P ▷ Q)) &= \text{extchoice}(M(P), M(Q)), \\
M(P \land Q) &= \text{intchoice}(M(P), M(Q)), \\
M(P \mid Q) &= \text{para}(M(P), M(Q)), \\
M(\mu X \cdot P(X)) &= \text{recur}(M(P(X)), S_X),
\end{align*}
\]

where \( P \) and \( Q \) are processes, \( a \) is an event, \( t \) is a positive real number, and \( S_X \) is a set of states where \( X \) is invoked.

Note that recursion in the above definition relies on \( S_X \). A recursive process is translated like a normal process except that, whenever there is a recursive call \( X \), instead of unfolding \( X \) as a Timed Automaton, a state is created and the state is added to \( S_X \). The rest of the translation is mostly self-explanatory. For instance, \( P \cdot \text{Deadline } t \) constrains that \( P \) must terminate no later than \( t \). This process is translated to \( \text{deadline}(M(P), t) \) in which \( M(P) \) is the Timed Automaton capturing the behaviors of process \( P \). The resulting automaton differs from \( M(P) \) in that it must terminate before \( t \) time units, which is the semantics of the TCOZ expression \( P \cdot \text{Deadline } t \). Other mapping rules can be explained similarly. By applying \( M \) iteratively, a process is translated to a flattened Timed Automaton straightforwardly.

Example. We use the timed queue example to illustrate the translation and hint how the timed patterns can be applied to facilitate system design using Timed Automata. If TCOZ is used to specify the queue in the first place, by applying \( M \) to the MAIN process, a Timed Automaton specification of the queue can be generated step by step. Because the generated Timed Automata are behaviorally equivalent to the TCOZ processes (shown below), the analysis results on the generated Timed Automata apply to the original TCOZ specification:
sound, i.e., given any process behaviorally equivalent to the automaton. This also justifies that the patterns 

As discussed above, a recursive call shall not be unfolded. For instance, let

As discussed above, a recursive call shall not be unfolded. For instance, let

Most of the rules (i.e., the operational semantics) can be referenced in Schneider’s book [40], except those rules that are TCOZ-specific, e.g., DEADLINE and WAITUNTIL. In the next definition, $\tau$-transitions in $TS_P^\tau$ are abstracted away because only observable behaviors are concerned.

Definition 18 (Observable TCOZ Semantics). Let $P$ be the set of all TCOZ processes. Let $P$ be a process. Let $T$ be the time domain. $TS_P^\tau = (\mathcal{P} \times \mathcal{T}, (P, t), \Sigma \cup T, \rightarrow_1)$ is a labeled transition system where $\mathcal{P} \times \mathcal{T}$ is the state space, $(P, t)$ is an initial state, $\Sigma$ is a set of events, and $\rightarrow_1$ is a labeled transition relation that is defined by the rules in Appendix A, which can be found on the Computer Society Digital Library at http://doi.ieeecomputersociety.org/10.1109/TSE.2008.52, where $c \xrightarrow{\alpha_1} c' \equiv (c, a, c') \in \rightarrow_1$.

Definition 19 (Timed Automata semantics). Let $A = (S, init, F, \Sigma, C, Inv, T)$ be a Timed Automaton. Let $V$ be the valuations of clocks. $TS_A = (S \times V, (init, v_0), \Sigma \cup T, \rightarrow_2)$. $S \times V$ is the state space. The initial state $s_0 = (init, v_0)$ comprises the initial state init and a zero valuation $v_0$. $\rightarrow_2 \subseteq S \times V \cup T \times S$ is a transition relation comprising either time passing $(s, v) \xrightarrow{\delta} (s, v + \delta)$ or, if the transition $(s, a, \lambda, \phi, s')$ is enabled, an action execution $(s, v) \xrightarrow{\mu} (s', v')$.

Similarly, we define the transition system where all $\tau$-transitions are hidden.

Definition 20 (Observable Timed Automata Semantics). Let $A = (S, init, F, \Sigma, C, Inv, T)$ be a Timed Automaton. Let $V$ be the valuations of clocks. $TS_A^\tau = (S \times V, (init, v_0), \Sigma \cup T, \rightarrow_2)$. $S \times V$ is the state space. The initial state $s_0 = (init, v_0)$ comprises the initial state init and a zero valuation $v_0$. $\rightarrow_2 \subseteq S \times V \cup T \times S$ is a transition relation comprising either time passing $(s, v) \xrightarrow{\delta} (s, v + \delta)$ or, if the transition $(s, a, \lambda, \phi, s')$ is enabled, an action execution $(s, v) \xrightarrow{\mu} (s', v')$.

4. We assume that the processes are divergence free, i.e., only finite numbers of consecutive $\tau$ transitions are possible.
Definition 21 (Bisimulation). Let $T S_i = (S_i, \text{init}_i, \Sigma_i, \mathcal{T}_i)$ where $i \in \{1, 2\}$ be two labeled transition systems. For any $s_1 \in S_1$ and $s_2 \in S_2$, $s_1 \approx s_2$ if and only if

1. $\forall (s_1, a, s'_1) : T_1 \cdot \exists s_2 \in S_2 : (s_2, a, s'_2) \in T_2 \wedge s_1 \approx s'_2$
2. $\forall (s_2, a, s'_2) : T_2 \cdot \exists s_1 \in S_1 : (s_1, a, s'_1) \in T_1 \wedge s'_1 \approx s_2$

$T S_1$ and $T S_2$ are bisimilar, written as $T S_1 \approx T S_2$, if and only if $\text{init}_1 \approx \text{init}_2$.

With the above preparation, a bisimilar (homomorphic) relation between $T S_1$ and $T S_2$ is readily defined.

Theorem 1 (Soundness). Let $P$ be a TCOZ process. Let $T S_P = (P \times \mathcal{T}, (P, t), \Sigma \cup \mathcal{T}, \Rightarrow)$ as defined above. Let $A = M(P) = (S, \text{init}, F, \Sigma, C, \mathcal{Inv}, T)$. Let $t \in T$. $T S_A = (S \times V, (\text{init}, v_0), \Sigma \cup \mathcal{T}, \Rightarrow)$ as defined above. $T S_P \approx T S_A$.

5. Case Study: Railcar System

The system design based on TCOZ is to identify objects and their data attributes from the system requirements, encapsulate relevant data operations, as well as dynamic behavior patterns, in the respective object modeling, and, finally, compose different objects to form the system specification. Because of the bottom-up composibility of process algebra (which TCOZ is based on), modeling the dynamic behaviors in TCOZ is compositional and natural. The system design based on Timed Automata enjoys similar composibility, i.e., starting with building Timed Automata designs of fractions of the system and then composing the basic Timed Automata using the timed patterns. In this section, a Railcar System is used to demonstrate a high-level real-time system design using both Timed Automata patterns and TCOZ. This system was inspired by the railcar system presented in [24].

5.1 High-Level System Design Using Timed Automata

In the Railcar System, there are four (possibly more) terminals that are located in a cyclic path. Each terminal contains a push button for passengers to place their requests for car service. A railcar travels clockwise on the track to transport passengers between terminals. The railcar is equipped with a destination board to receive internal requests and to indicate each destination terminal. There is a central control that receives, processes, and sends data to the terminals and the railcar so that external requests from any terminal can be fulfilled. Additional timing requirements are added into the original model [24] because quantitative timing is an important aspect of the system, as illustrated in the following scenarios:

- Before the railcar leaves a terminal, it sends a signal to depart to the terminal. The terminal prepares for the railcar to depart and responds to the railcar within 5 seconds. The railcar then leaves the terminal and cruises toward the destination.
- When the railcar comes to a stop at a terminal, it opens its door for exactly 10 seconds. After that, it closes the door and begins to wait for either internal passenger requests or an external request dispatched from the controller. Passengers inside the railcar are given 5 seconds to make an internal request before the railcar accepts any external requests.

Designing the system from scratch using ordinary Timed Automata is nontrivial. The system is composed of multiple objects, each of which is assigned with different behavior patterns, e.g., the controller is responsible for handling...
different tasks. Nonetheless, the requirements of the system are naturally captured in a hierarchical way [24]. Using the timed patterns, we achieve a similar approach to model the system as in [24]. The Railcar System has three components, i.e., a railcar, the terminals, and a central controller. The railcar is composed of three basic components, i.e., a car destination panel, a car door, and a car handler. There is a button at each terminal so that passengers can request for a service. The central controller maintains a record of all external requests and dispatches external requests to the railcar if there is any. All system components are connected by channels. Fig. 4 shows a hierarchical blueprint of the system, where a triangle represents a Timed Automaton and a double-arrowed dotted line means that there are communications in between. Each triangle will be detailed in the following. For each component, we will first identify the basic behaviors (of manageable complexity) and then compose them to build the system step by step.

Let terminal(i), where $i \in \{1, 2, 3, 4\}$, be the four terminals. Let $tb_i$ be a local variable to terminal(i) representing the button at the $i$th terminal. $tb_i = true$ if and only if the button is lit. The four automata in Fig. 5a show the basic behaviors of a terminal. In automaton PressButton($i$), where $i \in \{1, 2, 3, 4\}$, an external request enters the external request queue in the central controller only if the button has not been pressed before. Once pressed, the light is on (i.e., $tb_i := true$). In ButtonOff, once the controller informs the terminal that the request has been serviced, the light goes off. In TerApproach, event approach_req signals the approaching of the car, and the

![Diagram](image.png)
The overall behaviors of the panel are specified as
\[
\text{Panel} = \text{seq(timeout(IntCheck, extchoice(IntSchedule, ExtSchedule), 4), Moving)}
\]
Fig. 7. Composed behaviors (2).

The automata in Fig. 6, specifies the behaviors of the car handler after getting a request (either from internal or external). If the destination is the current terminal, the car door is opened. Otherwise, the car leaves the terminal and heads toward the destination. Once approaching the next terminal, the car checks if there is a newly arrived request from external or internal for the approaching terminal. Afterward, the automaton repeats from the beginning. Note that this hierarchical automaton has already been partially flattened for simplicity.

The overall behavior of the car handler can be composed from the above basic one. Initially, the car handler is idling at some terminal. It waits for an internal request first. If an internal request arrives within 4 seconds, it starts to serve the request. Otherwise, it waits for either an internal or external request and then starts moving. Once it reaches the destination, it repeats from the beginning. The overall behavior of the car handler is represented as follows:

\[
\text{CarHandler} = \text{rec}ur(seq(timeout(IntSchedule, extchoice(IntSchedule, ExtSchedule, 4), Moving))}
\]

Graphically, it is drawn as shown in Fig. 7. Last, the system is the parallel composition of the three components, i.e.,

\[
\text{sys} = \text{sync(car, panel, door, carhandler)}
\]

5.2 Analysis of the TCOZ Modeling

Based on the strength of OZ and Timed CSP, TCOZ supports object-oriented design of data structures, as well as compositional design of dynamic behaviors, as demonstrated in [37], [36]. Because modeling using TCOZ (which shares the same bottom-up nature as using the Timed Automata patterns) is largely irrelevant to this paper, we show instead how the TCOZ specification is translated to Timed Automata systematically using our prototype and then verified using UPPAAL. The relevant part of the TCOZ specification is presented in Appendix C, which can be found on the Computer Society Digital Library at http://doi.ieeecomputersociety.org/10.1109/TSE.2008.52.
Each active class in the TCOZ model is projected to a Timed Automaton template, namely, a terminal template for the class `Terminal`; a car door, a car destination panel, and a car handler template for the class `CarDoor`, `CarPanel`, and `CarHandler`, respectively; and a controller template for the class `Controller`. The terminal template has four instances, which represents the four different terminals according to the TCOZ specifications. The other templates have only one instance. The translation is a straightforward application of Definition 16. We use the `Terminal` class as an example to show the identification of the states, transitions, guards, and synchronization. Its processes mainly have an external choice pattern and a recursion pattern as defined by its MAIN process:

\[ \text{recur} (\text{extchoice} (M(\text{PressDown}), M(\text{DownOff}), M(\text{CarApproach}), M(\text{CarDepart})), S_P) . \]

By applying the translation to each of the processes `PressDown`, `DownOff`, `CarApproach`, and `CarDepart`, we obtain the Timed Automaton template of the class `Terminal`. The above translation is automated by our translation tool. Then, by adding the object reference information manually, such as the identification of each different terminal, the whole automaton can be visualized in UPPAAL. Similarly, Timed Automata are generated from other system components, e.g., the template for class `Door` is shown in Section 2.1. The translation result is stored in an XML format, which can be readily imported by UPPAAL. Now, we can use the simulator and verifier of UPPAAL to simulate the system, as well as to model check some invariants and real-time properties. The key point of the railway system is to provide efficient services. The following are some of the properties that can be formally specified and verified using UPPAAL:

- **Prop1.** Whenever the car destination board receives a request to a terminal, say, terminal 1, the railcar will eventually get to that terminal within 600 seconds. It can be translated into a Timed CTL as a bounded liveness property.
- **Prop2.** The door must be open for no more than 10 seconds.
- **Prop3.** The system is deadlock free.
- **Prop4.** Whenever the railcar is moving, the car door is closed.

UPPAAL verified that these properties hold for this given model. As for reference, the time consumption for analyzing each of the properties is listed below. The experiment results are obtained on the Windows XP platform with 2 Gbyte memory and Intel 3.0 GHz CPU. \( N \) is the number of terminals.

<table>
<thead>
<tr>
<th>Properties</th>
<th>Time ((N=3))</th>
<th>Time ((N=4))</th>
</tr>
</thead>
<tbody>
<tr>
<td>Prop1</td>
<td>8.3s</td>
<td>250.0s</td>
</tr>
<tr>
<td>A[ ] Prop2</td>
<td>1.0s</td>
<td>11.2s</td>
</tr>
<tr>
<td>A[ ] Prop3</td>
<td>2.6s</td>
<td>29.1s</td>
</tr>
<tr>
<td>A[ ] Prop4</td>
<td>1.1s</td>
<td>10.3s</td>
</tr>
</tbody>
</table>

In summary, the Timed Automata patterns allow us to enjoy a hierarchical system design using Timed Automata, i.e., to apply a divide-and-conquer strategy to deal with the complexity of the system design. A high-level design (as the one above where highly coupled system behaviors are encapsulated in one component) is easier to understand and maintain. A high-level system design can be automatically flattened (by applying the definitions plus optimization techniques for reducing the number of states, as well as clocks) and then verified using existing tools like UPPAAL. Compared to the system design using timed patterns directly, which solely focuses on dynamic behaviors, the TCOZ-based design is heavy in modeling data and functional aspects of the system. Because the timed patterns are closely related to compositional operators in TCOZ, the modeling of dynamic behaviors using timed patterns and TCOZ share similar ideas.

6 Conclusion

For the last decades, a variety of formal modeling/specification languages have been proposed for real-time system design and verification. The various modeling and verification techniques all have similarities and differences to some degree. It is important for the formal method community to understand how various techniques differ from each another and how they may benefit from each other. The techniques under consideration, namely, TCOZ/Timed CSP and Timed Automata, deal with behavioral real-time aspects of systems. Lying at each end of the spectrum of formal modeling techniques, TCOZ is designed for the structural specification of high-level complex system requirements, whereas Timed Automata are used to design timed models with simple clock constraints but with highly automated verification support. In this work, we studied both formalisms from a practical point of view, i.e., how can they help each other? We are not arguing which of the two is superior. Instead, we enrich TCOZ with verification support by translating its models to Timed Automata and enrich Timed Automata with composable patterns for high-level system design.

The main contribution of the work is the rich set of timed patterns, which covers all common hierarchical system behaviors like `deadline`, `timeout`, and `timedinterrupt`. These patterns are formally defined so as to achieve compositibility in the graphical representations. Moreover, we have shown that new timed patterns may be composed naturally using our timed patterns. These patterns not only provide a proficient interchange media for translating time-enriched process algebra specifications into Timed Automata but also provide a generic reusable framework for developing real-time systems solely using Timed Automata. As shown in Section 5, by decomposing a complex system to subcomponents of manageable size and then composing the subcomponents using timed patterns, these patterns offer a systematic way of fighting the great complexity in system design.

One of the future works is to develop fully automated optimization techniques that could maximally reduce the number of states and clocks while flattening the Timed Automata patterns. This is important because the number of clocks (and states) has a significant impact on the performance of tools like UPPAAL. Another future work is to integrate our prototype with UPPAAL for user...
convenience. A future work of theoretical interest is to fully compare the expressiveness of timed process algebras like Timed CSP and Timed Automata so as to gain better support for verifying real-time systems.

ACKNOWLEDGMENTS

The authors would like to thank Hugh Anderson, Roger Duke, Sun Jing, Wang Hai, Lars Grunspan, and the anonymous referees for their insightful comments on this work. This research is partially supported by the research grant R-252-000-201-112 funded by National University of Singapore. Jun Sun is the corresponding author for this paper.

REFERENCES


Jin Song Dong received the bachelor's (first-class honors) and PhD degrees in computing from the University of Queensland in 1992 and 1996, respectively. From 1995 to 1998, he was a research scientist at the Commonwealth Scientific and Industrial Research Organisation Australia. Since 1998, he has been with the School of Computing at the National University of Singapore (NUS), where he is currently an associate professor and a member of the PhD supervisors at the NUS Graduate School. He is on the editorial board of the Formal Aspects of Computing Journal and Innovations in Systems and Software Engineering. A NUS Journal. His research interests include formal methods and software engineering. Some of his papers can be found at http://www.comp.nus.edu.sg/~dongjs.
Ping Hao received the bachelor’s degree in telecommunication from the Huazhong University of Science and Technology, China, in 2000 and the PhD degree in computer science from the National University of Singapore (NUS) in 2008. From 2005 to 2006, she was a research assistant in the Software Engineering Laboratory, NUS. Her research interests include formal specification languages, verification, and software engineering. More details about her research and background can be found at http://www.comp.nus.edu.sg/~haoping.

Shengchao Qin received the BSc and PhD degrees from the School of Mathematical Sciences, Peking University, in 1997 and 2002, respectively. He was a research fellow under the Singapore-MIT alliance at the National University of Singapore from July 2002 to December 2004. Since 2005, he has been a lecturer in the Department of Computer Science at Durham University, United Kingdom. His research interests include formal methods, programming languages, and embedded systems. More information about his research can be found at http://www.dur.ac.uk/shengchao.qin.

Jun Sun received the bachelor’s and PhD degrees from the School of Computing, National University of Singapore (NUS), in 2002 and 2006, respectively. From 2005 to 2006, he was a research fellow in the School of Computing, NUS. Since 2006, he has been a Lee Kuan Yew postdoctoral fellow in the Department of Computer Science, NUS. His research interests are mainly in formal system specification, verification, and synthesis. In particular, he has been working with a variety of different specification languages and notations in order to develop practical tools for elegant system development. More details about his research and background can be found at http://www.comp.nus.edu.sg/~sunj.

Wang Yi received the PhD degree in computer science from the Chalmers University of Technology, Sweden, in 1991. He is a professor in real-time systems at Uppsala University, Sweden, and a Changjiang professor at North Eastern University, China. From 1991 to 1992, he was a postdoctoral fellow at Aalborg University, Denmark, before he joined the faculty of science and technology at Uppsala University, where he was a lecturer from 1992 to 1994, an associate professor from 1994 to 2000, and has been a professor since 2000. His interests are mainly in the modeling and verification of concurrent, distributed, and real-time systems, in particular, techniques and tools for model-based design, analysis, and implementation of embedded systems and their industrial applications. He is a cofounder of three software tools for modeling and verification, including UPPAAL, a widely used model checker for timed systems. His publications can be found at http://user.it.uu.se/~yi/.