A Hierarchy of Communication Models for Message Sequence Charts

by

A. Engels, S. Mauw and M.A. Reniers

97–11
A Hierarchy of Communication Models for Message Sequence Charts

by

A. Engels, S. Mauw and M.A. Reniers

ISSN 0926-4515

All rights reserved
editors: prof.dr. R.C. Backhouse
prof.dr. J.C.M. Baeten

Reports are available at:
http://www.win.tue.nl/win/cs

Computing Science Reports 97/11
Eindhoven, August 1997
A Hierarchy of Communication Models for Message Sequence Charts

A. Engels, S. Mauw, M.A. Reniers,
Department of Mathematics and Computing Science,
Eindhoven University of Technology,
P.O. Box 513, 5600 MB Eindhoven, The Netherlands
{engels|sjouke|michelr}@win.tue.nl

Abstract

In a Message Sequence Chart (MSC) the dynamical behaviour of a number of cooperating processes is depicted. An MSC defines a partial order on the communication events between these processes. This order determines the physical architecture needed for implementing the specified behaviour, such as a FIFO buffer between each of the processes. In a systematic way, we define 50 communication models for MSC and we define what it means for an MSC to be implementable by such a model. Some of these models turn out to be equivalent, in the sense that they implement the same class of MSCs. After analysing the notion of implementability, only ten models remain, for which we develop a hierarchy.

1 Introduction

In recent years much attention has been paid to graphical languages for the visualisation of communication traces in distributed systems. One of the most popular classes of formalisms for this purpose is the class of sequence charts. Of those, Message Sequence Chart (MSC) has been standardised by the International Telecommunication Union (ITU) as Recommendation Z.120 [IT96]. Two important reasons for the popularity of MSC are that they provide a clear intuition to both engineers and designers and at the same time possess a well-defined semantics.

Although MSC is primarily concerned with presenting the asynchronous communication between processes in a distributed system, no information is given as to the way in which these communications are supposed to be realized in an implementation. The only assumption about the implementation of communication is that an output precedes its corresponding input.

This impossibility to specify the communication model becomes a problem when a specific communication model is presupposed, for example due to hardware requirements. Whenever MSC is used to specify the communication behaviour, the question arises whether the behaviour defined by an MSC is feasible with respect to the desired communication model. It may be the case that all traces defined by the MSC are feasible, that at least one trace is, or that none of the traces is feasible. For example, an MSC with two inherently crossing messages cannot be implemented with an architecture containing one single global FIFO buffer for message exchange.

There are two approaches to deal with this under-specification in MSC. The first is to select a single preferred model and revise the semantics of MSC accordingly. Keeping in mind the broad context in which MSC is used in practice, this option is not realistic. The only acceptable choice would be the
most general random-access buffer model that has been chosen in the current standardised semantics of MSC.

The alternative would be to allow the user of MSC to indicate the desired communication model explicitly. This can be done by extending the syntax of MSC with a means to specify the intended model and by developing dedicated tools for the analysis of MSC with respect to certain implementation models. We propose to study this second alternative and it is our aim in this paper to provide a solid and formal basis for defining the relation between a communication model and an MSC.

For a given MSC we define the notions of strong and weak implementability. Strong implementability of an MSC in a given communication model means that all traces of the MSC can be realized with the given communication model and weak implementability means that there is a trace that can be realized.

In this way, we attach to each implementation model the class of MSCs that are strongly or weakly implementable with respect to that model. A natural question to ask is whether there are communication models that define the same class of MSCs. This means that for a given MSC one has a choice of communication model for implementation. It turns out that the initial number of fifty MSC classes can be reduced to a hierarchy of ten different models.

Acknowledgements We would like to thank Thijs Cobben, Loe Feijs, Herman Geuvers and Bart Knaack for their valuable input.

2 Message Sequence Charts

In this section we explain the semantical foundations of Message Sequence Chart (MSC). We use a partial order on the events of an MSC to express the semantics. In literature several ways to define the semantics of MSC are proposed [MR94a, LL95, GGR93]. The process algebra approach [MR94b] has been standardised as Annex B to ITU recommendation Z.120 [IT95]. The partial order representation [AHP96] used in this paper coincides with most of these proposals for the class of Basic Message Sequence Charts. We also define the traces expressed by an MSC.

2.1 Basics

The MSCs studied here consist of a collection of instances (or processes) with a number of messages attached to them. These are known as Basic Message Sequence Charts, but in this paper we use the term MSCs to denote them.

Some examples of MSCs can be seen in Figure 1. They consist of vertical lines, denoting the various communicating processes, which we call 'instances' and arrows between these instances, denoting exchanged messages.

We allow messages from an instance to itself, but we only consider closed systems, that is, we do not consider messages to the environment. Neither do we consider any other specific features such as local actions and recursion. We assume that the names of the instances and messages are unique. Therefore, the instances to which a message is attached are determined uniquely by the message name.

The easiest way to express the semantics of such a simple MSC is by using a partial order on the events that are comprised in an MSC. Depending on the particular dialect of the MSC language, one can assign different classes of events to an MSC. For example, in Interworkings [MWW93] every message is considered to be a single event. There is no buffering, and thus communication is synchronous.

In MSC [IT96], messages are divided into two events, the output and the input of the message. The output of message $m$ is denoted by $!m$ and the input by $?m$. The only assumption about the implemen-
In this paper we go one step further, and add a third event, denoted by \(!m\), that we call transmit \(m\). The basic idea is that a message passes two buffers before arriving at its destination. The intuition here is that \(m\) denotes the putting of a message into an output buffer, \(!m\) is the transmission of the message from the output buffer to the appropriate input buffer, and \(?m\) is the removal of the message from the input buffer. We assume these events to be instantaneous. Furthermore, we concentrate on FIFO-buffers only.

Although the intermediate transmit events \(!m\) play a crucial role in our description of the communication models, we do not encounter them in the definition of an MSC, nor in the partial order describing the formal semantics of an MSC. An MSC still describes a partial order on output and input events only.

**Definition 1 (MSC)** An MSC is a quintuple \((I, M, \text{from}, \text{to}, \{<_i\}_{i \in I})\), where \(I\) is a finite set of instances, \(M\) is a finite set of messages, \(\text{from}\) and \(\text{to}\) are functions from \(M\) to \(I\), and \(\{<_i\}_{i \in I}\) is a family of orders. For each \(i \in I\) it is required that \(<_i\) is a total order on \(\{m \mid \text{from}(m) = i\} \cup \{m \mid \text{to}(m) = i\}\).

In the above definition, \(\text{from}(m)\) denotes the instance which sends message \(m\). Likewise, \(\text{to}(m)\) denotes the instance which receives message \(m\). Given an instance \(i\), the order \(<_i\) denotes in which order the events attached to instance \(i\) occur. The order \(<_i\) is lifted in the trivial way to the set \(\{!m, ?m, !!m \mid m \in M\}\).

The partial order denoting the semantics of an MSC is derived from two requirements. First, the order of the events per instance is respected, and second, a message can only be received after it has been sent. The first requirement is formalised by defining the partial order \(<\text{inst}^\text{st}\>:

\[
<\text{inst}^\text{st} := \bigcup_{i \in I} <_i,
\]

and the second requirement is formalised by the output-before-input order \(<\text{oi}>:

\[
<\text{oi} := \{(!m, ?m) \mid m \in M\}.
\]

Now, we define the partial order induced by the MSC as the transitive closure (denoted by \(\dagger\)) of the instancewise order and the output-before-input order. For an MSC \(k\), we denote this order by \(<\text{msc}^\text{st}\> or by \(<\text{msc}^\text{st}\> if \(k\) is known from the context.
Definition 2 For a given MSC $k = \langle I, M, \text{from}, \text{to}, \{<_{i}\}_{i \in I} \rangle$, the relation $<_{k}^{msc}$ is defined by $<_{k}^{msc} := (<_\text{inst} \cup <^{ci})^{+}$.

We define similar notions for 3-traces. We define the output-before-transmit-before-input order by

$$<^{oti} := \{(lm, !m), (!m, ?m) \mid m \in M\},$$

and the relation $<^{m3}$ by adding the instancewise ordering on the MSC.

Definition 3 For a given MSC $k = \langle I, M, \text{from}, \text{to}, \{<_{i}\}_{i \in I} \rangle$, the ordering $<_{m3}$ is defined by $<_{m3} := (<_\text{inst} \cup <^{oti})^{+}$.

It is easy to see that $<^{msc}$ is the restriction of $<^{m3}$ to output and input events. It may be the case that $<^{msc}$ does not define a partial order, due to cyclic dependencies of the events. Such an MSC is said to contain a deadlock, or is called inconsistent. In Z.120 [IT96] inconsistent MSCs are considered illegal, and in [BAL97] an algorithm is described for determining whether a given MSC is consistent. In the remainder of this paper we consider consistent MSCs only, which implies that both $<^{msc}$ and $<^{m3}$ are partial orders.

2.2 Traces

From an operational point of view, one can say that an MSC describes a set of traces. We distinguish 2-traces and 3-traces. A 2-trace denotes the ordering of output and input events ($lm$ and $?m$), and the relation $<^{oti}$ by $<^{oti} := \{(lm, !m), (!!m, ?m) \mid m \in M\}$.

A 3-trace is the same as a 2-trace, except for the fact that it contains transmit events as well. We denote the $i$th element of a trace $t$ by $t_i$, and its length by $|t|$.

Definition 4 (2- and 3-traces) A 2-trace $t$ over a set of messages $M$ is a total ordering $(e_1, e_2, \ldots, e_n)$ of the set $\{lm, ?m \mid m \in M\}$. From now on we use the shorthand $\{!!m\}M$ to denote this set. A trace $(e_1, e_2, \ldots, e_n)$ is denoted $e_1 e_2 \ldots e_n$.

A 3-trace is the same as a 2-trace, except for the fact that it contains transmit events as well. We denote the $i$th element of a trace $t$ by $t_i$, and its length by $|t|$.

Definition 5 (Trace order) For a trace $t$ over a set of messages $M$ we define an order $<_{t}^{trace}$ on $\{!!m\}M$ (or $\{!!m\}M$ if $t$ is a 3-trace), for all $1 \leq i \leq |t|$ and $1 \leq j \leq |t|$ by $t_i <_{t}^{trace} t_j \Leftrightarrow i < j$. Thus, an event $e_i$ is smaller, according to $<_{t}^{trace}$, than an event $e_j$ if and only if it occurs earlier in the trace.

Definition 6 (MSC-trace) A 2-trace $t$ is said to be a trace of the MSC $k$ if and only if it is defined over the messages $M$ of $k$, and $<_{k}^{msc} \subseteq <_{t}^{trace}$. A 3-trace $t$ is said to be a trace of the MSC $k$ if and only if it is defined over the messages $M$ of $k$, and $<_{k}^{m3} \subseteq <_{t}^{trace}$.

A 3-trace can be turned into a 2-trace by removing all transmit events ($!!m$). If, for a 3-trace $t$ this results in a 2-trace $t'$, then $t$ is said to be an extension of $t'$. It is not hard to see that a 3-trace $t$ is a trace of an MSC $k$ if and only if the 2-trace of which it is an extension is a trace of the MSC $k$ and additionally the output-before-transmit-before-input order is respected: $<_{k}^{oti} \subseteq <_{t}^{trace}$.

Lemma 7 For an MSC $k$ over $M$, and events $e, e' \in \{!!m\}M$, we have $e <_{t}^{trace} e'$ for all 2-traces $t$ of $k$ if and only if $<_{k}^{msc} e$.  

Proof The 'if'-part is trivial. For the 'only if'-part we use contraposition. Suppose that $e \not<_{k}^{msc} e'$. Then the relation $<_{k}^{msc} \cup \{<_{t}^{trace} e, e\}$ does not contain a cycle. Thus it can be extended to a total order $<$. Because $<^{msc} \subseteq <$, $<$ will be the trace-order $<_{t}^{trace}$ of some trace $t$ of $k$. In this trace we will have $e' <_{t}^{trace} e$, and thus $e \not<_{t}^{trace} e'$.
2.3 Examples

Figure 1 shows two examples of a Message Sequence Chart. The first example is an inconsistent MSC. Instance \( i \) cannot send message \( b \) before it receives message \( a \). Likewise, instance \( j \) starts with receiving message \( b \) before sending \( a \). Therefore, this MSC has a cyclic dependency and there is no trace that it can perform. In the partial order semantics that we defined above, this is shown by the fact that \(<^{\text{msc}}\) has a cycle, and thus is not a partial order.

The second example implies the following orderings: \(!a <^{\text{msc}} ?a, !b <^{\text{msc}} ?b, \) and \(?a <^{\text{msc}} ?b\). The first two are implied by the \(<^{\text{ol}}\)-order, the third by the \(<^{\text{ins}}\)-order. The MSC has exactly three 2-traces: \(!a ?a !b ?b, !a !b ?a ?b, \) and \(!b !a ?a ?b\). These 2-traces can be extended to ten 3-traces, such as \(!a !!a ?a !b !!b ?b \) and \(!a !b !!b !!a ?a ?b\).

3 Implementation models

In this section we discuss possible architectures for realizing an MSC. We consider only implementation models consisting of FIFO buffers for the output and input of messages. For MSC traces, we define what it means to be implementable on some architecture.

3.1 Locality of buffers

The particular implementation models which we are interested in are constructed of processes that communicate with each other via FIFO buffers. We assume that the buffers have an unbounded capacity. We discern two uses of buffers, namely for the output and for the input of messages.

A second distinction can be made based on the locality of the buffer. From most global to most local we distinguish the following types:

- **global**: A global FIFO buffer: All messages from all instances pass this buffer.
- **inst**: A FIFO buffer, local to an instance: All messages sent (or received) by one single instance go through the same buffer.
- **pair**: A FIFO buffer, local to two instances: All messages that are sent from one specific instance to another specific instance go through this buffer.
- **msg**: A FIFO buffer, local to a message: There is one buffer for every message.

This last model, a buffer per message, is a specific architecture to catch up the cases in which the buffers do not behave like FIFO queues, but as random-access buffers. Taking into account the assumption that messages are unique, it can easily be seen that it is equivalent to a global random-access buffer. A communication model with only a random-access buffer represents the implied model of the MSC standard: the only assumption made about the implementation of communication is that output precedes input, no more, and no less.

Finally, we consider the following possibility:

- **nobuf**: There are no buffers; communication is synchronous.

We assume that the transmission from an instance to its output buffer, from one buffer to another buffer, or from an input buffer to the instance it belongs to, is synchronous. We also assume that all output buffers are of the same type, and similarly that all input buffers are of the same type. This results in four possibilities for the output as well as for the input. Adding the possibility of using no buffer at
all, we have a total of 25 possible architectures, as shown in Figure 2. To denote the elements of this scheme, we use the notation \((X,Y)\), where \(X\) denotes the type of output buffer, and \(Y\) the type of input buffer.

<table>
<thead>
<tr>
<th>input</th>
<th>nobuf</th>
<th>global</th>
<th>inst</th>
<th>pair</th>
<th>msg</th>
</tr>
</thead>
<tbody>
<tr>
<td>nobuf</td>
<td>●</td>
<td>●</td>
<td>●</td>
<td>●</td>
<td>●</td>
</tr>
<tr>
<td>global</td>
<td>●</td>
<td>●</td>
<td>●</td>
<td>●</td>
<td>●</td>
</tr>
<tr>
<td>inst</td>
<td>●</td>
<td>●</td>
<td>●</td>
<td>●</td>
<td>●</td>
</tr>
<tr>
<td>pair</td>
<td>●</td>
<td>●</td>
<td>●</td>
<td>●</td>
<td>●</td>
</tr>
<tr>
<td>msg</td>
<td>●</td>
<td>●</td>
<td>●</td>
<td>●</td>
<td>●</td>
</tr>
</tbody>
</table>

Figure 2: Implementation models.

### 3.2 Examples of communication models

In Figure 3 we give examples of a physical architecture of three communication models. A circle denotes an instance, a rectangle denotes a buffer, and an arrow denotes a communication channel. Each example contains three instances. The first example illustrates the \((\text{nobuf,global})\) model. There is no output buffer, and one universal input buffer. As there is no output buffer, the messages go straight into the input buffer. This single buffer could be regarded as an output buffer as well, so this example is an illustration of \((\text{global,nobuf})\) too. The second example shows the \((\text{global,inst})\) model. There is one general output buffer and every instance has a local input buffer. The third architecture is an example of the \((\text{pair,pair})\) model.

![Figure 3: Some models: (nobuf,global), (global,inst) and (pair,pair).](image)

Please note that not all models described in Figure 2 make equally sense. For example, the model \((\text{global,inst})\) (i.e., a shared medium for transmitting messages and an input buffer for each process) is more natural than the exotic \((\text{global,pair})\) model.

Many of these architectures occur in practice as either the underlying communication architecture of a programming language or as a physical architecture. We give some examples of languages. The model \((\text{nobuf,nobuf})\) is typical for process algebraic formalisms based on synchronous communication, such as LOTOS and ACP. The specification language SDL, which is closely related to MSC, has as a general communication model \((\text{pair,msg})\), but if we leave out the save construct we obtain \((\text{pair,inst})\) and if we also do not consider the possibility of delayed channels, we have \((\text{nobuf,inst})\). Some examples of physical architectures are: an asynchronous complete mesh has a \((\text{nobuf,pair})\) architecture, and an Ethernet connection with locally buffered input and output behaves like \((\text{inst,inst})\).
3.3 Implementability

The main question of this paper is, whether a given MSC can be the behaviour of a given implementation model. To answer this question, we first give a formal definition of what it means for a trace to have a certain implementability property. The definitions below can be seen as a formalisation of the notions introduced in Section 3.1.

Definition 8 (Output-implementability)

- **nobuf-output**: Every output event is directly followed by the corresponding transmit event. Thus, output and transmit event may be combined into one new event. A 3-trace $t$ is *nobuf-output* implementable if and only if

$$\forall m \in M \exists e \in \{!/?\} \exists trace \in \text{trace} \mid e < trace \mid !m.$$

- **global-output**: The order of two output events is respected by the corresponding transmit events. A 3-trace $t$ is *global-output* implementable if and only if

$$\forall m, m' \in M \exists trace \in \text{trace} \mid e < trace \mid !m,' < trace \mid !m'.$$

- **inst-output**: The order of any two output events from the same instance is respected by the corresponding transmit events. A 3-trace $t$ is *inst-output* implementable if and only if

$$\forall m, m' \in M \exists from(m) = from(m') \wedge to(m) = to(m') \Rightarrow (\exists m < trace \mid m' \iff \exists trace \mid !m' \iff \exists trace \mid !m').$$

- **pair-output**: The order of two outputs with the same source and the same destination is respected by the corresponding transmit events. A 3-trace $t$ is *pair-output* implementable if and only if

$$\forall m, m' \in M \exists from(m) = from(m') \wedge to(m) = to(m') \Rightarrow (\exists m < trace \mid m' \iff \exists trace \mid !m' \iff \exists trace \mid !m').$$

- **msg-output**: A 3-trace $t$ is always *msg-output* implementable.

For *msg-output* implementability we can remark that it can be put in line with the three definitions preceding it, by restating it as $\forall m, m' \in M \exists m = m' \Rightarrow (\exists m < trace \mid m' \iff \exists trace \mid !m' \iff \exists trace \mid !m').$ For *nobuf-output* implementability such a translation is not possible; this is qualitatively another definition.

The input implementabilities are defined analogously.

Definition 9 (Input-implementability)

- **nobuf-input**: A 3-trace $t$ is *nobuf-input* implementable if and only if

$$\forall m \in M \exists e \in \{!/?\} \exists trace \in \text{trace} \mid !m < trace \mid ?m.$$

- **global-input**: A 3-trace $t$ is *global-input* implementable if and only if

$$\forall m, m' \in M \exists !m < trace \mid !m' \iff \exists ?m < trace \mid ?m'.$$
• **inst-input:** A 3-trace \( t \) is **inst-input implementable** if and only if

\[
\forall _{m,m' \in M} to(m) = to(m') \Rightarrow (!m <^{trace} !m' \leftrightarrow ?m <^{trace} ?m').
\]

• **pair-input:** A 3-trace \( t \) is **pair-input implementable** if and only if

\[
\forall _{m,m' \in M} \text{ from}(m) = \text{ from}(m') \land to(m) = to(m') \Rightarrow (!m <^{trace} !m' \leftrightarrow ?m <^{trace} ?m').
\]

• **msg-input:** A 3-trace \( t \) is always **msg-input implementable**.

Having defined formally the notions of output- and input-implementability, we now combine them and obtain our notion of communication model.

**Definition 10** A 3-trace is said to be \((X,Y)\)-implementable (for \( X, Y \in \{\text{nobuf, global, inst, pair, msg}\} \)) if and only if it is \( X \)-output implementable and \( Y \)-input implementable. A 2-trace is said to be \((X,Y)\)-implementable if and only if it can be extended (by adding \(!m\)'s) to a 3-trace that is \((X,Y)\)-implementable.

### 4 Classification of implementability of traces

To each of the implementation models defined in the previous section we can associate the set of all traces that are implementable in the model. Based on the subset relation on these sets of traces, we can order implementation models. We consider two models equivalent if they have the same set of implementable traces.

In Lemma 11 we give a classification of the notions of output-implementability. It states that a trace that is implementable on a certain architecture is also implementable on an architecture where these buffers are partitioned into buffers with a more restricted locality. For example, if a trace can be implemented on an architecture with one output buffer per instance, it can also be implemented on an architecture with an output buffer per pair of instances (provided the input buffers remain the same).

**Lemma 11 (Classification of output-implementability)**

- Every **nobuf-output** implementable trace is **global-output** implementable.
- Every **global-output** implementable trace is **inst-output** implementable.
- Every **inst-output** implementable trace is **pair-output** implementable.
- Every **pair-output** implementable trace is **msg-output** implementable.

**Proof** For 3-traces this follows directly from the definitions. For 2-traces this follows from the definition plus the fact that it holds for 3-traces.

The following lemmas give the orderings between the implementation models.

**Lemma 12**

- Every **(global,global)**-implementable 2-trace is **(global,nobuf)**-implementable.
- Every **(pair,pair)**-implementable 2-trace is **(pair,nobuf)**-implementable.
- Every (msg,msg)-implementable 2-trace is (msg,nobuf)-implementable.

**Proof** We show the proof for (pair,pair). For (global,global) the proof is analogous, for (msg,msg) it is roughly analogous but easier. Let t be a 2-trace over a set of messages M that can be extended to a (pair,pair)-implementable 3-trace t'. It suffices to construct a (pair,nobuf)-implementable extension t'' of t. We define t'' in the following way: In t we add !m immediately before ?m for each message m ∈ M. This t'' is a nobuf-input implementable extension of t by definition, so it suffices to show that it is pair-output implementable. Let m,m' ∈ M with from(m) = from(m') and to(m) = to(m'). We have to prove that lm <vtrace!m' → !lm <vtrace!!m'. First, suppose that lm <vtrace!m'. Since t'' is an extension of t, we have lm <vtrace!m'. This completes the proof. Next, we describe how the above lemmas are useful in ordering the models. Lemma 13 provides us with a partial ordering on the various implementations: Any (X,Y)-implementable trace is implementable by all implementation models located to the right of or below (X,Y) in Figure 2. Lemma 12 and Lemma 13, together with the order provided by Lemma 11, give us the equivalences as expressed in Figure 4 by means of the clustering of implementation models.

For example, the models from the last column are equivalent. This can be seen as follows. Because of the analogue of Lemma 12, any (msg,msg)-implementable 2-trace is (nobuf,msg)-implementable, while Lemma 11 gives that any (nobuf,msg)-implementable 2-trace is (X,msg)-implementable, and every (X,msg)-implementable 2-trace is (msg,msg)-implementable.

**Lemma 13** Every (inst,global)-implementable 2-trace is (inst,nobuf)-implementable.

**Proof** Let t be a 2-trace over the set of messages M, and let t' be a 3-trace that is an (inst,global)-implementable extension of t. If suffices to construct an (inst,nobuf)-implementable extension t'' of t. The 3-trace t'' is obtained from t by adding an event !m immediately before the input event ?m for each message m ∈ M. This t'' is nobuf-input implementable by definition, so it suffices to show that t'' is inst-output implementable. Thereto, let m,m' ∈ M such that from(m) = from(m'). We have to prove that lm <vtrace!m' → !lm <vtrace!!m'.

First, suppose that lm <vtrace!m'. Then, since t'' is an extension of t, we have lm <vtrace!m', and similarly, since t' is an extension of t, lm <vtrace!m'. Using that t' is inst-output implementable and from(m) = from(m') we have lm <vtrace!!m'. By using that t' is global-input implementable, we also have lm <vtrace!m'. Since t' is an extension of t we have lm <vtrace!!m' and since t'' is an extension of t also lm <vtrace!!m'. Since t'' is nobuf-input implementable, we obtain lm <vtrace!!m', which completes this part of the proof.

Second, suppose that lm <vtrace!!m'. Since t'' is nobuf-input implementable we have ?m <vtrace ?m'. Because both t' and t'' are extensions of t we have ?m <vtrace ?m'. Since t' is global-input implementable we have lm <vtrace!!m' and because it is inst-output implementable and from(m) = from(m') we have !m <vtrace!m'. Again because both t' and t'' are extensions of t, we have !m <vtrace!m', which completes the proof.
Now we have brought down the number of implementation models to only seven different classes. Of course some of these could still be equivalent for other reasons than the above lemmas. That this is not the case, will be seen in Corollary 18 below. We name the equivalence classes as follows: *nobuf*, *global*, *inst*.out, *inst*.in, *inst*2, *pair*, *msg* (see Figure 4). Of these the first two and last two will be clear immediately, *inst*.out means there is an instancewise output buffer and a global or no input buffer, *inst*.in means there is an instancewise input buffer and a global or no output buffer, and *inst*2 means there is both an instancewise output buffer and an instancewise input buffer.

![Diagram](image)

**Figure 4:** Equivalence of implementation models for traces.

**Theorem 14** For traces, the seven implementation models are ordered as shown in Figure 5.

**Proof** This follows from the Lemmas 11 to 13 as explained above.

Note that of these seven cases only *inst*2 is not of the form *(X, nobuf)* or *(nobuf, X)*. As these forms imply that there is respectively no input buffer or no output buffer, of these seven cases only the case *inst*2 needs two buffers, all other cases can be modelled such that each message goes through at most one buffer. It will prove useful to have a characterisation of these implementabilities (except for *inst*2 of course) that does not use *transmits*.

![Diagram](image)

**Figure 5:** Ordering of the implementation models for traces.
Lemma 15 Let \( t \) be a 2-trace over a set of messages \( M \). Then

- \( t \) is nobuf-implementable if and only if
  \[
  \forall m \in M \exists e \in \{!|?\}^M m \preceq_i \text{trace } e \preceq_i \text{trace } m; 
  \]

- \( t \) is global-implementable if and only if
  \[
  \forall m, m' \in M m \preceq_i \text{trace } m' \Leftrightarrow m \preceq_i \text{trace } m'; 
  \]

- \( t \) is inst.out-implementable if and only if
  \[
  \forall m, m' \in M \text{from}(m) = \text{from}(m') \Rightarrow (m \preceq_i \text{trace } m' \Leftrightarrow m \preceq_i \text{trace } m'); 
  \]

- \( t \) is inst.in-implementable if and only if
  \[
  \forall m, m' \in M \text{to}(m) = \text{to}(m') \Rightarrow (m \preceq_i \text{trace } m' \Leftrightarrow m \preceq_i \text{trace } m'); 
  \]

- \( t \) is pair-implementable if and only if
  \[
  \forall m, m' \in M \text{from}(m) = \text{from}(m') \land \text{to}(m) = \text{to}(m') \Rightarrow (m \preceq_i \text{trace } m' \Leftrightarrow m \preceq_i \text{trace } m'); 
  \]

- \( t \) is always msg-implementable.

Proof The proofs for this are easily found by realizing that a 2-trace is \((X, \text{nobuf})\)-implementable exactly if the conditions for \(X\)-output implementability hold with \(!m\) everywhere replaced by \(?m\).

5 Classification of MSCs

There are two principal ways to lift the definition of implementability from the level of traces to the level of MSCs. The first is to define that an MSC can be implemented in a certain communication model if and only if every 2-trace of the MSC can. The second is to define that an MSC can be implemented in a certain implementation model if and only if some 2-trace can. We call these notions strong and weak implementability. We first focus on the strong implementability, then on weak implementability. After this we consider the relation between classes from the strong and the weak spectrum.

5.1 Strong implementability

Definition 16 An MSC \( k \) is said to be strongly \( X \)-implementable, notation \( X_i \)-implementable, if and only if all 2-traces \( t \) of \( k \) are \( X \)-implementable.

From this definition it follows immediately that the ordering of the implementation models for traces as given in Figure 5 also holds for MSCs as far as strong implementability is concerned (see Figure 7). Next, we demonstrate that the implementation models, obtained by lifting them from the trace level to MSCs in the strong way, are indeed different. This is achieved by finding examples of MSCs that are in one class but not in another.
MSC 1 in Figure 6 shows an example that is global_\text{-}implementable, but not nobuf_\text{-}implementable. It is not nobuf_\text{-}implementable, because the trace !a \ b ?a ?b is not. The inputs necessarily have to be ordered in the same way as the outputs, so it is global_\text{-}implementable.

MSC 2a is inst.out_\text{-}implementable, but not global_\text{-}implementable due to the trace !b !a ?a ?b. That MSC 2a is inst.out_\text{-}implementable can be seen as follows: All messages go through a different output buffer, so there is no problem with the output buffers at all. Similarly, MSC 2b is inst.in_\text{-}implementable, but not global_\text{-}implementable due to the trace !a !b ?b ?a.

MSCs 2a and 2b show the difference between inst.Dut_\text{-}implementable and inst.in_\text{-}implementable. MSC 2a is inst.Dut_\text{-}implementable, as mentioned before, but not inst.in_\text{-}implementable. The trace !b !a ?a ?b is not inst.in_\text{-}implementable, because the inputs of instance j do not reach the input buffer in the order in which they are to be manipulated. For MSC 2b the reverse is the case: It is inst.in_\text{-}implementable, but not inst.out_\text{-}implementable. MSC 2a is inst.out_\text{-}implementable and therefore also inst2_\text{-}implementable. We have already established that it is not inst.in_\text{-}implementable. Similarly, MSC 2b is inst.in_\text{-}implementable, but not inst.out_\text{-}implementable. Together, these show that inst.out_\text{-}, inst.in_\text{-}, and inst2_\text{-}implementable are all different. One might suspect that the class of inst2_\text{-}implementable MSCs is simply equal to the intersection of the classes of inst.out_\text{-}implementable and inst.in_\text{-}implementable MSCs. This is not the case, as can easily be shown by combining the MSCs 2a and 2b into one MSC (see MSC 8 in Figure 12).

MSC 3 is an example of an MSC that is pair_\text{-}implementable, but not inst2_\text{-}implementable. It is easy to see that it is pair_\text{-}implementable, because each message goes through a different buffer. Its only 2-trace is !c !a ?a !b ?b ?c. If we try to extend this to an inst2_\text{-}implementable 3-trace t', we need to have !lc <_t' \text{trace} !a <_t' \text{trace} !b <_t' \text{trace} !c, which is impossible (the first <_t' \text{trace} is because of the inst-output implementability and !c <_t' \text{trace} !a, the second is clearly true for every 3-trace of the MSC, and the third is because of the inst-input implementability together with ?b <_t' \text{trace} ?c).

Finally, MSC 4 shows the difference between pair_\text{-} and msg_\text{-}implementability. All other implementation models are also pairwise different. This result is obtained due to the transitive closure of the ordering as presented in Figure 7.

Together the examples used in the above proof show that if we look at strong implementability, the seven remaining implementation models are indeed different for MSCs, and thus that they are also different for 2-traces.

**Theorem 17** The implementation models for strong implementability of Figure 7 are different and these are ordered as expressed in Figure 7.

**Proof** In the above text we have demonstrated by means of counterexamples that the implementation models must be different. Also the ordering has been explained above.

**Corollary 18** The classes nobuf, global, inst.out, inst.in, inst2, pair, and msg are different for traces.
5.2 Weak implementability

Definition 19 An MSC $k$ is said to be weakly $X$-implementable, notation $X_w$-implementable, if and only if there is an $X$-implementable 2-trace $t$ of $k$.

As was the case for strong implementability, for weak implementability we also have the ordering as expressed in Figure 5 as a starting point. However, using weak implementability, we do not have anymore that all implementation models differ. To see this, we first give an alternative way to characterise some of the implementations and prove that these are equivalent to the original definition.

Definition 20 Let $k$ be an MSC over the set of messages $M$. Then we define the relations $<^{lo}_k$ and $<^{li}_k$ on $\{1/\}M$ and $<^{i2}_k$ on $\{1/!/\}M$ as follows:

- $<^{lo}_k := (<^{msc}_k \cup \{(?m, ?m') | m, m' \in M \land \text{from}(m) = \text{from}(m') \land m <^{msc}_k m')^+,$
- $<^{li}_k := (<^{msc}_k \cup \{(lm, lm') | m, m' \in M \land \text{to}(m) = \text{to}(m') \land ?m <^{msc}_k ?m')^+,$
- $<^{i2}_k := (<^{m3}_k \cup \{(!m, !m') | m, m' \in M \land \text{from}(m) = \text{from}(m') \land m <^{m3}_k m') \cup \{(!m, !m') | m, m' \in M \land \text{to}(m) = \text{to}(m') \land m <^{m3}_k m')^+.$

We explain the definition of the ordering $<^{li}_k$ which is defined in order to check the inst.out-property. The ordering is obtained from $<^{msc}_k$ by adding pairs of input events to it. More specifically, if two outputs are defined on the same instance of the MSC, and thus are ordered in some way, then we add their corresponding input events in the same order. This is motivated as follows. For a trace to be inst.out-implementable it is required that the input events are ordered in this way anyway. Thus by adding this pair explicitly we construct an ordering representing the MSC given that it has to be implemented on an architecture with one output buffer per instance.

The inst.out-implementable traces of the MSC are also traces of the ordering $<^{li}_k$ as they respect the requirements for inst.out-implementability by definition, and vice versa. Basically this is what is expressed in Lemma 21.

Lemma 21 Let $t$ be a 2-trace of an MSC $k$. Then,
• \( t \) is inst\_out-implementable if and only if \( <_{k}^{o} \subseteq <_{t}^{trace} \);

• \( t \) is inst\_in-implementable if and only if \( <_{k}^{i} \subseteq <_{t}^{trace} \);

• \( t \) is inst2\_implementable if and only if there exists an extension \( t' \) of \( t \) such that \( <_{k}^{2} \subseteq <_{t}^{trace} \).

**Proof** We only give the proof for the last proposition. The proofs for the first two propositions follow the same line.

First, suppose that \( t \) is inst2\_implementable. Then we must prove that \( <_{k}^{2} \subseteq <_{t}^{trace} \) for some 3\_trace \( t' \) which is an extension of \( t \). Let the arbitrary 3\_trace \( t' \) be an extension of \( t \) that is inst2\_implementable. Suppose that \( e <_{k}^{2} e' \) for arbitrary events \( e, e' \in \{!/{!}!/?\}M \). Now it suffices to prove \( e <_{t}^{trace} e' \). Since \( e <_{k}^{2} e' \) we have the existence of events \( e_1, \ldots , e_n \) such that \( e \equiv e_1, e' \equiv e_n \) and for all \( 1 \leq i < n \) we have one of the following:

• \( e_i <_{m}^{3} e_{i+1} \);

• \( e_i \equiv !!m \) and \( e_{i+1} \equiv !!m' \) for some \( m, m' \in M \) such that \( from(m) = from(m') \) and \( !m <_{m}^{3} !m' \);

• \( e_i \equiv !!m \) and \( e_{i+1} \equiv !!m' \) for some \( m, m' \in M \) such that \( to(m) = to(m') \) and \( !m <_{m}^{3} !m' \).

In the first case we immediately have \( e_i <_{t}^{trace} e_{i+1} \). Due to the fact \( t' \) is an inst2\_implementable 3\_trace, and thus both inst\_output and inst\_input implementable, we can conclude that \( e_i <_{t}^{trace} e_{i+1} \) for the second and third case as well. Since \( <_{t}^{trace} \) is transitively closed we have \( e <_{t}^{trace} e' \), which completes this part of the proof.

Second, suppose that \( <_{k}^{2} \subseteq <_{t}^{trace} \) for some 3\_trace \( t' \) which is an extension of \( t \). We must prove that \( t \) is (inst,inst)-implementable. Thereto it suffices to show that \( t' \) is (inst,inst)-implementable, i.e., that \( t' \) is inst\_output implementable and inst\_input implementable. We prove that \( t' \) is inst\_output implementable, the proof that \( t' \) is inst\_input implementable is analogous. Let \( m, m' \in M \) such that \( from(m) = from(m') \). Then it suffices to show that \( !m <_{t}^{trace} !m' \). Thereto, suppose that \( !m <_{t}^{trace} !m' \). Since \( from(m) = from(m') \), we have \( !m <_{k}^{trace} !m' \). Because \( <_{k}^{2} \subseteq <_{t}^{trace} \) we therefore have \( !m <_{t}^{trace} !m' \). Suppose that \( !m <_{t}^{trace} !m' \). Then \( !m' <_{t}^{trace} !m \). With similar reasoning as before we obtain \( !m' <_{t}^{trace} !m \). Therefore, \( !m <_{t}^{trace} !m' \).

Thus far, we have seen that the ordering \( <_{k}^{o} \) contains all inst\_out-implementable traces of MSC \( k \). An MSC \( k \) is inst\_out\_w-implementable if and only if it has a trace \( t \) that is inst\_out-implementable. Clearly, such a trace exists if and only if there is a trace for the ordering \( <_{k}^{o} \), in other words, if and only if \( <_{k}^{o} \) is cycle-free.

**Lemma 22** Let \( k \) be an MSC. Then,

• \( k \) is inst\_out\_w-implementable if and only if \( <_{k}^{o} \) is cycle-free;

• \( k \) is inst\_in\_w-implementable if and only if \( <_{k}^{i} \) is cycle-free;

• \( k \) is inst2\_w-implementable if and only if \( <_{k}^{2} \) is cycle-free.

**Proof** This lemma follows immediately from the previous lemma.

We use the alternative characterisations provided by the previous theorem in the proof of the equivalence of the classes inst\_out\_w, inst\_in\_w, and inst2\_w.
Lemma 23 Let \( k \) be an MSC over the set of messages \( M \) and let \( m, m' \in M \). If \( ?m <_k ?m' \), then \( !m <^2_k !m' \).

**Proof** Suppose that \( ?m <_k ?m' \). Then by the definition of \( <_k \) we have the existence of events \( e_1, \ldots, e_n \) such that \( e_1 \equiv ?m, e_n \equiv ?m' \), and for \( 1 \leq i < n \) we have one of the following:

- \( e_i <^\text{msg}_k e_{i+1} \);
- \( e_i \equiv ?p, e_{i+1} \equiv ?p' \) for some \( p, p' \in M \) such that \( \text{from}(p) = \text{from}(p') \) and \( !p <^\text{msg}_k !p' \).

In the second case we immediately have \( !!p <^2_k !!p' \) as \( !p <^\text{msg}_k !p' \) and \( \text{from}(p) = \text{from}(p') \) by the definition of \( <^2_k \). In the first case we have a sequence of events where the smallest steps are due to \( <^\text{inst}_k \) or due to \( <^\text{ai}_k \). In this sequence any subsequence of events which are defined on the same instance can be replaced by one single step as the instancewise order is total. As a result we have the existence of messages \( m_1, \ldots, m_n \) such that

\[
e_i \leq^\text{inst} !m_1 <^{\text{inst}} m_2 <^{\text{inst}} m_3 \ldots <^{\text{inst}} m_{n-1} <^{\text{inst}} m_n <^{\text{inst}} m' \leq^\text{inst} e_{i+1},
\]

where \( f \leq^\text{inst} f' \) if and only if \( f <^\text{inst} f' \) or \( f \equiv f' \). Now we observe that we only have the following three possibilities for \( <^\text{inst}_k \):

- \( !q <^\text{inst}_k !q' \) for some \( q, q' \in M \) such that \( \text{from}(q) = \text{from}(q') \). Then also \( !!q <^{2\text{inst}}_k !!q' \).
- \( ?q <^\text{inst}_k !q' \) for some \( q, q' \in M \) such that \( \text{to}(q) = \text{from}(q') \). As \( ?q <^\text{inst}_k !q' \) and \( \text{to}(q) = \text{from}(q') \) we have \( ?q <^{\text{msg}}_k !q' \) and hence \( !q <^{2\text{inst}}_k !!q' \). Together with \( !!q <^{2\text{inst}}_k !!q' \) we obtain \( !!q <^{2\text{inst}}_k !!q' \).
- \( ?q <^\text{inst}_k ?q' \) for some \( q, q' \in M \) such that \( \text{to}(q) = \text{to}(q') \). Then also \( !!q <^{2\text{inst}}_k !!q' \).

Thus we obtain \( !!e_i <^{2\text{inst}}_k !!e_{i+1} \) for all \( 1 \leq i < n \). Therefore \( !m <^{2\text{inst}}_k !m' \).

Lemma 24 The implementation models \( \text{inst.out}_w \), \( \text{inst.in}_w \), and \( \text{inst2}_w \) are equal.

**Proof** We show that each \( \text{inst2}_w \)-implementable MSC is \( \text{inst.out}_w \)-implementable. The reverse implication is trivial, and the proofs with \( \text{inst.in}_w \) are analogous. From Lemma 22 we see that it suffices to prove that \( <^\text{io}_k \) is cycle-free if \( <^{2\text{inst}}_k \) is cycle-free. We prove this using contraposition, so we assume that \( <^{\text{io}}_k \) has a cycle. Let \( e_1 <^{\text{io}} e_2 <^{\text{io}} \ldots <^{\text{io}} e_n <^{\text{io}} e_1 \) be an arbitrary largest cycle. For every ordering in the cycle, say \( e_1 <^{\text{io}} e_{i+1} \), either \( e_i <^{\text{msg}} e_{i+1} \), and hence \( e_i <^{2\text{inst}} e_{i+1} \), or \( e_i \equiv ?m, e_{i+1} \equiv ?m' \) for some \( m, m' \in M \) such that \( !m <^{\text{msg}}_k !m' \) and \( \text{from}(m) = \text{from}(m') \).

If the first is always the case, then we have a cycle in \( <^{\text{msg}}_k \), so certainly in \( <^{2\text{inst}}_k \). Now assume we have the second at least once in the cycle. In that case we have at least two inputs in the cycle, say \( ?m \) and \( ?m' \). Then \( ?m <^{\text{io}} ?m' \) and \( ?m' <^{\text{io}} ?m \). Lemma 23 gives that this implies that \( !!m <^{2\text{inst}}_k !!m' \). Thus clearly \( !!m <^{2\text{inst}}_k !!m' \).

Lemma 24 establishes that the classes \( \text{inst.out}_w \), \( \text{inst.in}_w \), and \( \text{inst2}_w \) are equivalent. In the remainder we denote this class by \( \text{inst}_w \). The remaining models are all different. MSC 3 and MSC 4 in Figure 6 show the difference between \( \text{inst}_w \) and \( \text{pair}_w \), and \( \text{pair}_w \) and \( \text{msg}_w \) respectively in the weak case too (these MSCs have only one 2-trace, so their weak implementability equals their strong implementability). MSC 5 in Figure 8 is \( \text{global}_w \)-implementable, but not \( \text{nobuf}_w \)-implementable. The
trace \( !a \mid !b \mid ?a \mid ?b \) is global-implementable, but because both outputs must have been executed before any input can be processed, there is no nobuf-implementable trace.

MSC 6 is inst\(_w\)-implementable, but not global\(_w\)-implementable. It is not global\(_w\)-implementable, as can be seen thus: \( !a <_{\text{trace}} ?a \) and \( ?a <_{\text{trace}} ?b \). Because \( !d <_{\text{msc}} ?a \) and \( ?b <_{\text{msc}} ?c \), we get \( !d <_{\text{trace}} !c \). But we also have \( ?c <_{\text{msc}} ?d \), and thus \( ?c <_{\text{trace}} ?d \), from which it follows that \( i \) cannot be global-implementable. On the other hand, the trace \( !a \mid !b \mid !d \mid ?a \mid ?b \mid ?c \mid ?d \) is inst\(_{\text{out}}\)-implementable, so the MSC is inst\(_w\)-implementable.

![MSC 5 and MSC 6](image)

Figure 8: MSCs to distinguish the implementation models: weak case.

MSC 6 is inst\(_w\)-implementable, but not global\(_w\)-implementable. It is not global\(_w\)-implementable, as can be seen thus: \( !a <_{\text{msc}} ?b \), so for every global-implementable trace \( t \) we must have \( ?a <_{t\text{trace}} ?b \). Because \( !d <_{\text{msc}} ?a \) and \( ?b <_{\text{msc}} ?c \), we get \( !d <_{t\text{trace}} !c \). But we also have \( ?c <_{t\text{msc}} ?d \), and thus \( ?c <_{t\text{trace}} ?d \), from which it follows that \( t \) cannot be global-implementable. On the other hand, the trace \( !a \mid !b \mid !d \mid ?a \mid ?b \mid ?c \mid ?d \) is inst\(_{\text{out}}\)-implementable, so the MSC is inst\(_w\)-implementable.

![Ordering scheme for weak implementability](image)

Figure 9: Ordering scheme for weak implementability.

**Theorem 25** The implementation models for weak implementability of Figure 9 are all different and they are order as expressed in Figure 9.

**Proof** The counterexamples that imply that the implementation models are different are given above. The ordering of the models is inherited from the ordering of the implementation models with respect to traces. Lemma 24 provides that the implementation models inst\(_{\text{out}}\), inst\(_{\text{in}}\), and inst\(_2\) are equal.

### 5.3 Combining the strong and weak hierarchy

We now have 12 possible implementations left: nobuf\(_s\), global\(_s\), inst\(_{\text{out}}\), inst\(_{\text{in}}\), inst\(_2\), pair\(_s\), and msg\(_s\) in the strong case, and nobuf\(_w\), global\(_w\), inst\(_w\), pair\(_w\), and msg\(_w\) in the weak case. These are ordered as shown in Figure 10. An arrow pointing from one of the classes to the other here means that all MSCs that are implementable in the type corresponding to the first class are also implementable in the type corresponding to the second. Any superfluous arrows (those that can be inferred from the transitivity of the relation) have been removed. However, there could be (and it will be shown that there are)
implications present that are not shown in this diagram. Some of these arrows could, for example, be non-strict.

The relations between classes in the strong implementability hierarchy and the relations between classes in the weak hierarchy have been studied extensively in the previous sections. In this section we focus on the relations between implementation models from the different hierarchies. From the definitions of strong and weak implementability it is clear that any $X_s$-implementable MSC is also $X_w$-implementable. These orderings are also depicted in Figure 10.

First, we prove that some classes can be identified.

**Lemma 26** An MSC $k$ is $\text{pair}_s$-implementable if and only if it is $\text{pair}_w$-implementable.

**Proof** Clearly any $\text{pair}_s$-implementable MSC is also $\text{pair}_w$-implementable. This is proven as follows. Suppose that MSC $k$ is $\text{pair}_s$-implementable. This means that all its 2-traces are $\text{pair}$-implementable. Since every MSC has at least one trace this implies that there is a $\text{pair}$-implementable 2-trace of $k$. Therefore $k$ is $\text{pair}_w$-implementable.

It remains to prove that any $\text{pair}_w$-implementable MSC is also $\text{pair}_s$-implementable. Let $k$ be a $\text{pair}_w$-implementable MSC. Let $t$ be an arbitrary 2-trace of $k$. Let $m, m' \in M$ such that $\text{from}(m) = \text{from}(m')$ and $\text{to}(m) = \text{to}(m')$.

First, suppose that $m <_t^\text{trace} m'$. Then, because $\text{from}(m) = \text{from}(m')$ and $m <_t^\text{trace} m'$, we have $m <_k^\text{msc} m'$. Since $k$ is $\text{pair}_w$-implementable there exists a trace $t'$ that is $\text{pair}_w$-implementable. Since $m <_k^\text{msc} m'$ we have $m <_{t'}^\text{trace} m'$. Since $t'$ is $\text{pair}$-implementable we have by Lemma 15 that $m <_{t'}^\text{trace} m'$. Because $\text{to}(m) = \text{to}(m')$ we then have $?m <_k^\text{msc} m'$. Therefore we have $m <_{t'}^\text{trace} m'$, which completes this part the proof.

Second, suppose that $?m <_{t'}^\text{trace} m'$. With a similar reasoning as in the previous case we easily obtain $m <_{t}^\text{trace} m'$.

**Lemma 27** An MSC $k$ is $\text{msg}_s$-implementable if and only if it is $\text{msg}_w$-implementable.

**Proof** Trivial, because every 3-trace is $\text{msg}$-implementable, and thus each 2-trace is as well.

Lemmas 26 and 27 establish that the classes $\text{pair}_s$, $\text{pair}_w$, and $\text{msg}_s$ and $\text{msg}_w$ are equivalent. In the remainder we denote these by $\text{pair}$ and $\text{msg}$ respectively.
Next we are going to prove that any inst.outₘ-implementable MSC is globalₘ-implementable. To do this we first give some alternative characterisations for these implementations.

**Lemma 28** An MSC $k$ is inst.outₘ-implementable if and only if $<_k^{out} \subseteq <_k^{MSC}$. An MSC $k$ is inst.inₘ-implementable if and only if $<_k^{in} = <_k^{MSC}$.

**Proof** We only give the proof for the first proposition. The proof of the second proposition follows the same lines.

First, suppose that MSC $k$ is inst.outₘ-implementable. By definition $<_k^{MSC} \subseteq <_k^{out}$, so it only remains to be proven that $<_k^{out} \subseteq <_k^{MSC}$. Suppose that $e < _k^{out} e'$ for arbitrary $e, e' \in \{!/?\}M$. Then we have the existence of $e_1, \ldots, e_n$ such that $e = e_1, e' = e_n$ and for all $1 \leq i < n$ we have one of the following:

- $e_i < _k^{MSC} e_{i+1}$;
- $e_i = ?m$ and $e_{i+1} = ?m'$ for some $m, m' \in M$ such that $\text{from}(m) = \text{from}(m')$ and $!m < _k^{MSC} !m'$.

In the second case we have, by Lemma 7, $!m < _t^{trace} !m'$ for every 2-trace $t$ of $k$. Since $k$ is inst.outₘ-implementable we have that every 2-trace of $k$ is inst.outₘ-implementable. Thus, by Lemma 15 and the assumption that $\text{from}(m) = \text{from}(m')$ we have $?m < _t^{trace} ?m'$ for every 2-trace $t$ of $k$. Then, again by Lemma 7, we have $?m < _k^{MSC} ?m'$. Thus in any case we have $e_i < _k^{MSC} e_{i+1}$ and therefore also $e < _k^{MSC} e'$ which was to be proven.

Second, suppose that $<_k^{out} = <_k^{MSC}$. Then we must prove that MSC $k$ is inst.outₘ-implementable. Let $t$ be a 2-trace of $k$, and let $m, m' \in M$ such that $\text{from}(m) = \text{from}(m')$. Suppose $!m < _t^{trace} !m'$. Then because of $\text{from}(m) = \text{from}(m')$, we have $!m < _k^{MSC} !m'$. By the definition of $<_k^{out}$ we then have $?m < _k^{out} ?m'$. By the assumption that $<_k^{out} = <_k^{MSC}$, this implies $?m < _k^{MSC} ?m'$, and thus $?m < _t^{trace} ?m'$. Reversely, suppose that $!m < _t^{trace} !m'$. Then $!m < _t^{trace} !m$ as $<_t^{trace}$ is a total order. With a similar reasoning as in the previous case we obtain $?m' < _t^{trace} ?m$, and therefore $?m < _k^{out} ?m'$. $lacksquare$

For a similar characterisation of globalₘ-implementability we define a relation $<_k^{g}$.

**Definition 29** Let $k$ be an MSC. The relation $<_k^{g}$ on $\{!/?\}M$ is defined as the smallest relation that satisfies:

1. $<_k^{MSC} \subseteq <_k^{g}$;
2. $<_k^{g}$ is transitive;
3. $!m <_k^{g} !m' \iff ?m <_k^{g} ?m'$ for all $m, m' \in M$.

**Lemma 30** An MSC $k$ is globalₘ-implementable if and only if the relation $<_k^{g}$ is cycle-free.

**Proof** First, suppose that $k$ is globalₘ-implementable. Let $t$ be a global-implementable trace of $k$. Then $<_t^{trace}$ adheres to the restrictions in Definition 29, and thus $<_k^{g} \subseteq <_t^{trace}$, and $<_k^{g}$ is cycle-free.

Second, suppose that the relation $<_k^{g}$ is cycle-free. The idea of the proof is that we extend this relation until it is a total order. Then, if we can prove that the trace corresponding with this total order is global-implementable, we are done.

We extend the relation $<_k^{g}$ to form an order $<$ through the following algorithm:

1. $S := \{!/?\}M$, $<_k^{g}$
2. Let $e$ be any smallest element of $S$ with respect to $<$, that is, any element of $S$ for which there is no $e' \in S$ with $e' < e$.

3. $S := S \setminus \{e\}$

4. $<':= (e' \cup (e, e') | e' \in S))^+$

5. if $e \equiv m$ for some $m \in M$, then $<:= (< \cup (\equiv, m') | m' \in S))^+$

6. Repeat steps 2 to 5 until $S = \emptyset$

We first remark that the following invariant holds: $\equiv \equiv m \equiv m'$ for all $m, m' \in M$. This clearly holds at the beginning, and only pairs $(\equiv, m')$ are added for which $m \not\in S$ since otherwise $\equiv m$ is not a smallest element of $S$.

For step 2 of the above algorithm to be well-defined it is necessary that $<$ is cycle-free. After step 1 $<$ is cycle-free because by the assumption $<^k$ is cycle-free. There are two places where the relation $<$ is extended, namely step 4 and step 5. Step 4 maintains cycle-freeness of $<$. This can be seen as follows. Let $e$ be an arbitrary smallest element of $S$ with respect to $<$. Suppose that by adding the pairs $(e, e')$ for $e' \in S \setminus \{e\}$ to $<$ a cycle appears. Then $e' < e$ for some $e' \in S \setminus \{e\}$ which contradicts the assumption that $e$ is a smallest element of $S$ with respect to $<$. Also step 5 maintains cycle-freeness. Suppose that $\equiv m$ is a smallest element of $<^k$ with respect to $S$. Suppose that a cycle is introduced by step 5. This can only be the case if a pair $(\equiv m, m')$ is added to $<$ for which we already had $\equiv m' < \equiv m$ and $m' \in S$. By the previously mentioned invariant we have $\equiv m' <^k m$. By the definition of $<^k$ then also $\equiv m' <_{\equiv}^k \equiv m$. As $m' \in S$ this contradicts the assumption that $\equiv m$ was a smallest element of $S$ with respect to $<$. Now we have established that step 2 of the algorithm is well-defined.

The algorithm is guaranteed to terminate as the number of elements of the finite set $S$ is decreased by one every time the body of the repetition is executed. Furthermore, observe that $<$ is a total ordering on the events not contained in $S$ after every execution of the body of the repetition (i.e., after step 5). Thus, upon termination of the algorithm, $<$ is total order on $\{\equiv m \mid m \in S\}$. This total order corresponds to a trace of the MSC as $<^k \leq_{\equiv}^m \equiv <^k$.

All that remains to be proven is that $<$ corresponds to a global-implementable trace of $k$. Note that after step 1, for all $m, m' \in M$ we have $\equiv m < \equiv m' \Leftrightarrow m < m'$. If in step 4, an ordering $\equiv m < \equiv m'$ is added then in step 5 $\equiv m < \equiv m'$ is added. If in step 4, an ordering $\equiv m < \equiv m'$ is added, then $\equiv m \not\in S$ and therefore $\equiv m < \equiv m'$. Thus at the end of step 5 again: for all $m, m' \in M$ we have $\equiv m < \equiv m' \Leftrightarrow m < m'$. Thus the trace corresponding with $<$ is global-implementable.

**Lemma 31** Every inst_out$_s$- or inst_in$_r$-implementable MSC is global$_w$-implementable.

**Proof** We prove this for an inst_out$_s$-implementable MSC. For an inst_in$_r$-implementable MSC the proof is completely analogous.

We proof this by contradiction, so we assume that $k$ is an inst_out$_s$-implementable MSC that is not global$_w$-implementable. By Lemma 28 we have $<^k = <^m$, and by Lemma 30 we have that $<^k$ has a cycle.

First we note that $<^k$ can be constructed by the following algorithm:

1. $<^k := <^m$

2. $<^k := <^k \cup (\equiv m, m') | m <^k m'$
3. $\leq_k^3 := \leq_k^2 \cup \{(m, \lambda') \mid \lambda m \leq_k \lambda' m'\}$  
4. $\leq_k^3 := \leq_k^2$  
5. Repeat steps 2 to 4 until no change occurs.

In the proof we need to have information as to the way in which $\leq_k^i$ was constructed. Therefore we extend the above algorithm to incorporate the additional information.

In the next algorithm a relation $<$ on $\{!/?\} M \times \{?m, r_1, r_2, t\}$ is constructed such that $e \leq_k^i e'$ if and only if $(e, e', r) \in <$ where $r \in \{m, r_1, r_2, t\}$. The letters $m, r_1, r_2$ and $t$ encode a reason why $e \leq_k^i e'$. If $(e, e', m) \in <$, then $e \leq_k^{m, \lambda c} e'$. If $(e, e', r_1) \in <$ or $(e, e', r_2) \in <$, then this is due to step 2 or step 3 from the above algorithm respectively. If $(e, e, t) \in <$, then $e \leq_k^i e'$ is due to transitivity of $\leq_k^i$. We simply write $e < e'$ if we are not interested in the third part of the triple, i.e., the encoding of the reason for the events to be ordered.

1. $\leq := \{(e, e', m) \mid e <_k^{m, \lambda c} e'\}$
2. $\leq := \leq \cup \{(?m, ?m', r_1) \mid \lambda m < \lambda m'\}$
3. $\leq := \leq \cup \{(!m, \lambda m', r_2) \mid m < \lambda m'\}$
4. compute the transitive closure of $<$ with respect to the first and second entry of the triple. In all cases the third entry of the triple will be $t$.
5. Repeat steps 2 to 4 until no change occurs.

Let $e_1, e_2, \ldots, e_n = e_1$ be a cycle of $\leq_k^i$. Then it is also a cycle of $<$. For all $1 \leq i < n$ we have one of the following:

- $(e_i, e_{i+1}, m) \in <$;
- $(e_i, e_{i+1}, r_1) \in <$ for some $m, m' \in M$ such that $e_i \equiv ?m, e_{i+1} \equiv ?m'$ and $\lambda m < \lambda m'$;
- $(e_i, e_{i+1}, r_2) \in <$ for some $m, m' \in M$ such that $e_i \equiv !m, e_{i+1} \equiv !m'$ and $\lambda m < \lambda m'$;
- $(e_i, e_{i+1}, t) \in <$ such that there exists an event $e$ such that $e_i < e$ and $e < e_{i+1}$.

We call the steps $e_i < e_{i+1}, g$-steps. We will change them into other kinds of steps in the following way. Let there be a $g$-step from $e_i$ to $e_{i+1}$

1. if $(e_i, e_{i+1}, m) \in <$ then the $g$-step becomes an $m$-step: $e_i \mapsto e_{i+1}$;
2. if $e_i \equiv ?m$ and $e_{i+1} \equiv ?m'$ for some $m, m' \in M$ such that $\lambda m < \lambda m'$ and $(e_i, e_{i+1}, r_1) \in <$, then we replace this $g$-step by the steps $?m \mapsto \lambda m, \lambda m < \lambda m'$, and $\lambda m' \mapsto ?m'$;
3. if $e_i \equiv !m$ and $e_{i+1} \equiv !m'$ for some $m, m' \in M$ such that $\lambda m < \lambda m'$ and $(e_i, e_{i+1}, r_2) \in <$, then we replace this $g$-step by the steps $!m \mapsto \lambda m, \lambda m < \lambda m'$, and $\lambda m' \mapsto ?m'$;
4. if $(e_i, e_{i+1}, t) \in <$, then for an arbitrary event $e$ such that $e_i < e$ and $e < e_{i+1}$, the $g$-step is replaced by $g$-steps $e_i < e$ and $e < e_{i+1}$.

The above steps are repeated until no $g$-steps are left. The following will hold in this algorithm:
1. Because of the way in which $<$ was constructed before, the algorithm ends in a finite number of steps. Then the cycle of $<$-steps is changed into a cycle of $\iff$-steps, $\nearrow$-steps and $\searrow$-steps only.

2. By the way in which $<$ has been constructed and then changed we find the following. If $e < e'$, then $e <_k e'$. If $e \iff e'$, then $e <^{msc} e'$. If $e \searrow e'$, then $e \equiv m$ and $e' \equiv m$ for some $m \in M$. If $e \nearrow e'$, then $e \equiv m$ and $e' \equiv m$ for some $m \in M$.

3. The numbers of $\nearrow$-steps and $\searrow$-steps are equal after each step of the algorithm, and in particular when the algorithm has terminated.

Now clearly the result of the algorithm applied to all $g$-steps from the cycle $e_1, e_2, \ldots, e_n \equiv e_1$ is a cycle of $\iff$, $\nearrow$, and $\searrow$ steps with as many $\nearrow$-steps as $\searrow$-steps. We call such a cycle a quasi-cycle of order $N$, where $N$ is the number of $\nearrow$-steps.

We prove that this cycle can be changed into a quasi-cycle of order 0. Let the order be greater than 0. Because the quasi-cycle is a cycle, and contains at least one $\searrow$-step and at least one $\nearrow$-step, there will be at least one $\nearrow$-step, such that after that $\nearrow$-step a $\searrow$-step will take place before the next $\nearrow$-step. Thus the quasi-cycle contains a subsequence $?m \nearrow m \iff \ldots \iff m' \searrow ?m'$ for some $m, m' \in M$. As there are only $\iff$-steps from $?m$ to $?m'$, we have $?m <^{msc} ?m'$. However, then, by definition, $?m <^{lo} ?m'$, from which we get $?m <^{msc} ?m'$ from the assumption that $<^{msc} <^{lo}$. Thus by removing all steps between $?m$ and $?m'$, we still have a cycle which is a quasi-cycle, but of order $N - 1$. Repeating this, we will finally obtain a quasi-cycle of order 0. However, a quasi-cycle of order 0 is a cycle of only $\iff$-steps, that is, a cycle of $<^{msc}$.

Thus we see that, given the assumption, $<^{msc}$ must have a cycle. This is impossible, so the assertions cannot simultaneously hold, so each $inst.out$, implementable MSC is $global_w$-implementable.

In Figure 11 we give all communication models that remain after the identifications obtained until now. The arrows between these models follow also from the previous theorems and lemmas. Finally, we have to prove that the arrows between models from the strong and weak hierarchy are strict and that there are no additional arrows necessary. It suffices to show that the following arrows do not exist: $global_s$ to $nobuf_w$, $nobuf_w$ to $inst2_s$, and $inst2_s$ to $global_w$. The rest then follows because of transitivity. For example, the nonexistence of an arrow from $global_s$ to $nobuf_w$ implies the nonexistence of an arrow from $inst2_s$ to $nobuf_w$, because if the second arrow exists then, by transitivity, also the first must
exist. Similarly we obtain the nonexistence of arrows from \textit{inst.in}_s and \textit{inst2s} to \textit{nobuf}_w. We use the MSCs in Figure 12 to indicate that the first two arrows do not exist. MSC 7 is \textit{global}s-implementable, but not \textit{nobuf}_w-implementable. It has one trace, \texttt{!a !b ?a ?b}, which is \textit{global}-implementable, but not \textit{nobuf}-implementable. We see that MSC 7 contains only one instance, so all messages are messages to the same instance that sent them. This is no coincidence, as will be seen from Corollary 34 below.

The non-existence of an arrow from \textit{inst2s} to \textit{globals} is taken care of by MSC 6 in Figure 6. It has already been shown not to be \textit{globals}-implementable. It is \textit{inst2s}-implementable because every 2-trace of this MSC can be extended to an \textit{inst2s}-implementable 3-trace by adding \texttt{!a} and \texttt{!b} immediately after \texttt{!a} and \texttt{!b} immediately after \texttt{!a}.

![Figure 12: Distinguishing MSCs: comparing strong and weak.](image)

Theorem 32 The implementation models from Figure 11 are all different, and they are ordered as expressed in Figure 11.

\textbf{Proof} This has been explained in the above text.

Next, we show why we needed an MSC with messages from an instance to that same instance for the counterexample MSC 7 in Figure 12. First, we provide an alternative characterisation of \textit{globals}-implementability.

\textbf{Lemma 33} An MSC \( k \) is \textit{globals}-implementable if and only if for all \( m, m' \in M \), we either have both \( !m <_k^{\text{msg}} m' \) and \( ?m <_k^{\text{msg}} ?m' \), or we have both \( ?m' <_k^{\text{msg}} ?m \) and \( !m' <_k^{\text{msg}} !m \).

\textbf{Proof} First, suppose that MSC \( k \) is \textit{globals}-implementable. Let \( m, m' \in M \). Without loss of generality we may assume \( !m' \not<^{\text{msg}}_k m \). Then it suffices to prove that \( !m <_k^{\text{msg}} m' \) and \( ?m <_k^{\text{msg}} ?m' \). Now we can distinguish two cases: \( !m <_k^{\text{msg}} m' \) and \( !m' <_k^{\text{msg}} !m \).

Suppose that \( !m <^{\text{msg}}_k m' \). Then, by Lemma 7, \( !m <_t^{\text{trace}} m' \) for every 2-trace \( t \) of \( k \). Since every 2-trace of \( k \) is \textit{globals}-implementable, we have by Lemma 15 that \( ?m <_t^{\text{trace}} ?m \) for every 2-trace \( t \) of \( k \). Then, again by Lemma 7, we have \( ?m <^{\text{msg}}_k ?m' \), which completes this part of the proof.

Suppose that \( !m \not<^{\text{msg}}_k m' \). Now three cases can be distinguished: (1) \( ?m <^{\text{msg}}_k m' \), (2) \( ?m' <^{\text{msg}}_k ?m \), and (3) \( ?m <^{\text{msg}}_k ?m' \). In the first case we have \( !m <^{\text{msg}}_k ?m' \) with a similar reasoning as above. This contradicts the assumption that \( !m \not<^{\text{msg}}_k m' \) with a similar reasoning as above. This contradicts the assumption that \( !m' \not<^{\text{msg}}_k m \), so this case cannot occur. In the second case we have \( !m' <^{\text{msg}}_k m \) with a similar reasoning as above. This contradicts the assumption that \( !m' \not<^{\text{msg}}_k m \), so this case cannot occur. With respect to the third case we show that there exists a
2-trace $t$ of $k$ such that $lm <_t^{\text{trace}} lm'$ and $?m <_t^{\text{trace}} ?m$, thereby contradicting the assumption that $k$ is $\text{global}_s$-implementable. We define the ordering $<$ as follows: $<: (>_k^{\text{msec}}, (lm, lm'), (?m', ?m))$. We prove that $<$ is cycle-free and thus that there exists a trace of $k$ such that $lm <_t^{\text{trace}} lm'$ and $?m <_t^{\text{trace}} ?m$. Note that the ordering $<_k^{\text{msec}}$ is cycle-free by assumption. Suppose that the ordering $<$ contains $t$. Then this cycle must contain at least one of $lm < lm'$ or $?m < ?m$. If the cycle contains both $lm < lm'$ and $?m < ?m$, then there are also cycles which contain exactly one of $lm < lm'$ and $?m < ?m$. If only $lm < lm'$ is in the cycle, then necessarily $lm' < _k^{\text{msec}} lm$. This contradicts the assumption that $lm' < _k^{\text{msec}} lm$. If $?m < ?m$ is in the cycle, then necessarily $?m' < _k^{\text{msec}} ?m'$. This contradicts the assumption that $?m' < _k^{\text{msec}} ?m'$. Thus the third case cannot occur as well.

Second, suppose that for all $m, m' \in M$ we have $lm < _k^{\text{msec}} lm'$ and $?m < _k^{\text{msec}} ?m'$, or $lm' < _k^{\text{msec}} lm$ and $?m' < _k^{\text{msec}} ?m$. We must prove that $MSC_k$ is $\text{global}_s$-implementable. Let $t$ be an arbitrary 2-trace of $MSC_k$. Let $m, m' \in M$. By Lemma 15 it suffices to prove that $lm < _t^{\text{trace}} lm' \iff ?m < _t^{\text{trace}} ?m'$. First, suppose that $lm < _t^{\text{trace}} lm'$. Then, by Lemma 7, $?m' < _k^{\text{msec}} lm$. Therefore, by the assumption, $lm < _k^{\text{msec}} lm$ and $?m < _k^{\text{msec}} ?m'$. So, by Lemma 7, we have $?m < _t^{\text{trace}} ?m'$. Second, suppose that $?m < _t^{\text{trace}} ?m'$. By similar reasoning we obtain $lm < _t^{\text{trace}} lm'$.

The following corollary explains why for MSCs without messages from an instance to the same instance, $\text{global}_s$-implementability implies $\text{nobuf}_w$-implementability. Thus any counterexample for this implication should have at least one message from an instance to the same instance.

**Corollary 34** Let $k$ be an MSC without any messages that are sent and received by the same instance. If $k$ is $\text{global}_s$-implementable, then $k$ is $\text{nobuf}_w$-implementable.

**Proof** Suppose that $k$ is $\text{global}_s$-implementable. Now it suffices to prove that there is a 2-trace $t$ of $k$ that is $\text{nobuf}_w$-implementable. From the lemma above we conclude that $<_k^{\text{msec}}$ constitutes a total order when restricted to the output events only, say $lm_1 < _k^{\text{msec}} lm_2 < _k^{\text{msec}} \cdots < _k^{\text{msec}} lm_n$. Then clearly the trace $t = lm_1, m_2 \cdots m_n$ is $\text{nobuf}_w$-implementable. The total ordering associated with this trace can be described as follows: $<_t^{\text{trace}} = (\{lm, lm'\}, (?m, ?m') | lm < _k^{\text{msec}} lm' | <_s)$. All that remains to be proven is that this trace $t$ is indeed a 2-trace of $k$, i.e., for all $e, e' \in \{1/\}$, we have $e < _s e'$ implies $e < _t^{\text{trace}} e'$.

Suppose that $e < _k^{\text{msec}} e'$. Then we have the existence of events $e_1, \cdots e_p$ such that $e \equiv e_1, e' \equiv e_p$ and for all $1 < i < p$ we have one of the following:

- $e_i <_s e_{i+1}$;
- $e_i <_i^{\text{trace}} e_{i+1}$.

In the second case we have $e_i <_i^{\text{trace}} e_{i+1}$ as $<_i^{\text{trace}} \equiv <_t^{\text{trace}}$. In the first case the following four cases can be distinguished:

- $e_i \equiv lm$ and $e_{i+1} \equiv lm'$ for some $m, m' \in M$ such that $\text{from}(m) = \text{from}(m')$. Then clearly $lm < _k^{\text{msec}} lm'$ and therefore $lm < _t^{\text{trace}} lm'$.
- $e_i \equiv lm$ and $e_{i+1} \equiv ?m'$ for some $m, m' \in M$ such that $\text{from}(m) = \text{to}(m')$. By the previous lemma we can distinguish two cases:
  - $lm < _k^{\text{msec}} lm'$ and $?m < _k^{\text{msec}} ?m'$. Clearly, $lm < _t^{\text{trace}} lm'$ and $lm' < _t^{\text{trace}} ?m'$, so $lm < _t^{\text{trace}} lm'$.
  - $lm' < _k^{\text{msec}} lm$ and $?m' < _k^{\text{msec}} ?m$. As there are no messages that are sent and received by the same instance we have $\text{from}(m') \neq \text{from}(m)$. Then $lm' < _k^{\text{msec}} lm'$ must be due to the
exists $m'' \in M$ such that $!m' <_k^{msg} !m'' <_k^{msg} !m$. Therefore by the previous lemma we have $!m' <_k^{msg} !m''$. Then we also have $!m' <_k^{msg} !m$ which contradicts the assumption that $!m <_t^{trace} !m'$. This case can therefore not occur.

- $e_i \equiv ?m$ and $e_{i+1} \equiv ?m'$ for some $m, m' \in M$ such that $to(m) = from(m')$. In this case we have $?m <_k^{msg} !m'$, and therefore $?m <_k^{msg} ?m'$. By the previous lemma then also $!m <_k^{msg} !m'$. So, by the definition of $<_t^{trace}$ also $?m <_t^{trace} !m'$.

- $e_i \equiv ?m$ and $e_{i+1} \equiv ?m'$ for some $m, m' \in M$ such that $to(m) = to(m')$. Since $?m <_k^{msg} ?m'$ we have by the previous lemma that $!m <_k^{msg} !m'$. Thus, by the definition of $<_t^{trace}$ $!m <_t^{trace} !m'$ and $!m' <_t^{trace} ?m'$. Thus, $?m <_t^{trace} !m'$.

Thus in all cases we have $e_i <_t^{trace} e_{i+1}$. Therefore, $e <_t^{trace} e'$ which completes the proof.  

\section{Characterisations}

In this section we provide alternative ways to describe the various implementations which, for example, can be used in algorithms. These definitions are easier to check automatically than the ones we used before, and therefore could be used in tools to determine the implementation models that a given MSC satisfies. A number of these characterisations have already been presented elsewhere in this paper, see for example Lemma 22 and Lemma 30.

In fact, we only need new characterisations for $\text{nobufw}$, $\text{nobuf}$, and $\text{inst2}$. For $\text{msg}$ and $\text{pair}$ the fact that weak and strong implementability specify the same classes of MSCs leads directly to an easy characterisation, while characterisations for $\text{globalw}$, $\text{globals}$, $\text{instw}$, $\text{instout}$, and $\text{instin}$ already been given earlier in this paper.

\textbf{Definition 35} Let $k$ be an MSC over the set of messages $M$. The relation $<_k^{w}$ on $M$ is for all $m, m' \in M$ such that $m \neq m'$ defined by $m <_k^{w} m'$ if and only if $!m <_k^{msg} !m'$.

\textbf{Lemma 36} An MSC $k$ is $\text{nobufw}$-implementable if and only if the relation $<_k^{w}$ is cycle-free.

\textbf{Proof} Let $k$ be an MSC over the set of messages $M$. First, suppose that $k$ is $\text{nobufw}$-implementable. Suppose furthermore that $<_k^{w}$ has a cycle, say $m_1 <_k^{w} m_2 <_k^{w} \cdots <_k^{w} m_n <_k^{w} m_1$. Then, from the definition of $<_k^{w}$ and $<_k^{msg}$, we obtain for all $1 \leq i < n$ that $!m_i <_k^{msg} !m_{i+1}$ and $!m_{i+1} <_k^{msg} !m_i$. Then, for every trace $t$ of $k$, we must have $!m_i <_t^{trace} !m_{i+1}$ and $!m_{i+1} <_t^{trace} !m_i$ for all $1 \leq i < n$. Since $k$ is $\text{nobufw}$-implementable, there is a $\text{nobuf}$-implementable trace $t'$. For this trace $t'$ we also have $!m_i <_t^{trace} !m_{i+1}$ for all $1 \leq i < n$. But then we have $!m_1 <_t^{trace} !m_2 <_t^{trace} \cdots <_t^{trace} !m_n$ and since $!m_1 \equiv !m_n$ we thus have a cycle. Thus such a $\text{nobuf}$-implementable trace $t'$ does not exist. This contradicts the assumption that $k$ is $\text{nobufw}$-implementable. Therefore, $<_k^{w}$ is cycle-free.

Second, suppose that $<_k^{w}$ is cycle-free. We extend $<_k^{w}$ to a total order $<$, say $m_1 < m_2 < \cdots < m_n$ where $M = \{m_1, m_2, \ldots, m_n\}$. Then the trace $t \equiv !m_1 \ ?m_1 \ !m_2 \ ?m_2 \ \cdots \ ?m_n \ ?m_n$ is clearly $\text{nobuf}$-implementable. Thus, if suffices to prove that the trace $t$ is a trace of MSC $k$. Thereto, suppose that $e <_k^{msg} e'$ for some $e, e' \in \{!m, ?m\}$. We distinguish four cases:

- $e \equiv !m$ and $e' \equiv !m'$ for some $m, m' \in M$. As $!m <_k^{msg} !m'$ and $!m' <_k^{msg} ?m'$, we also have $!m <_k^{msg} !m'$. Then, by the definition of $<_k^{w}$, we have $m <_k^{w} m'$, and therefore $!m <_t^{trace} !m'$.
• $e \equiv \text{!}m$ and $e' \equiv \text{?}m'$ for some $m, m' \in M$. If $m \equiv m'$, then trivially $\text{!}m <_{\text{trace}} \text{?}m'$. Otherwise, by the definition of $<_{\text{w}}$, we have $m <_{\text{w}} k m'$, and therefore $\text{!}m <_{\text{trace}} \text{?}m'$.

• $e \equiv \text{?}m$ and $e' \equiv \text{!}m'$ for some $m, m' \in M$. As $\text{!}m <_{\text{MSC}} \text{?}m$, $\text{?}m <_{\text{MSC}} \text{!}m'$ and $\text{!}m' <_{\text{MSC}} \text{?}m'$, we have $\text{!}m <_{\text{k}} \text{?}m'$. Then, by the definition of $<_{\text{k}}$, we have $m <_{\text{k}} k m'$, and therefore $\text{?}m <_{\text{race}} \text{!}m'$.

• $e \equiv \text{?}m$ and $e' \equiv \text{!}m'$ for some $m, m' \in M$. As $\text{!}m <_{\text{MSC}} \text{?}m$ and $\text{?}m <_{\text{MSC}} \text{?}m'$, we have $\text{!}m <_{\text{k}} \text{?}m'$. Then, by the definition of $<_{\text{k}}$, we have $m <_{\text{k}} k m'$, and therefore $\text{?}m <_{\text{race}} \text{!}m'$.

In each of the four cases we have $e <_{\text{race}} e'$, which completes the proof.

Lemma 37 If an MSC $k$ is nobuf-implementable, then $<_{\text{MSC}}$ is a total order.

Proof Let $k$ be an MSC over the set of messages $M$. We use contraposition, so assuming that $<_{\text{MSC}}$ is not a total order, we prove that $k$ is not nobuf-implementable. Let $t$ be an arbitrary 2-trace of the MSC. Because $<_{\text{MSC}}$ is not a total order, there are events $e, e' \in \{\text{!}/?\}M$ such that $e <_{\text{race}} e'$, but not $e <_{\text{k}} k e'$. For any event $e'' \in \{\text{!}/?\}M$ with $e <_{\text{race}} e'' <_{\text{race}} e'$ we have either $e <_{\text{k}} k e''$ or $e'' <_{\text{k}} k e'$ as otherwise $e <_{\text{race}} e'$. So there also is a such a pair of events that are immediately after one another in the trace $t$. Then, interchanging these events would result in another trace $t'$ of the MSC. It cannot be the case that both $t$ and $t'$ are nobuf-implementable.

Lemma 38 An MSC $k$ is inst2$_2$-implementable if and only if $<_{\text{MSC}} \equiv <_{\text{k}}$. Proof Let $k$ be an MSC over the set of messages $M$. First, suppose that $k$ is inst2$_2$-implementable. By definition, $<_{\text{k}} \subseteq <_{\text{MSC}}$, so it only remains to be proven that $<_{\text{k}} \subseteq <_{\text{MSC}}$. Suppose that $e <_{\text{k}} e'$ for some $e, e' \in \{\text{!}//\}M$. Then we have the existence of $e_1, \ldots, e_n$ such that $e \equiv e_1$, $e' \equiv e_n$ and for all $1 \leq i \leq n$ we have one of the following:

• $e_i <_{\text{k}} e_{i+1}$;

• $e_i \equiv \text{!}m$ and $e_{i+1} \equiv \text{?}m'$ for some $m, m' \in M$ such that $\text{from}(m) = \text{from}(m')$ and $\text{!}m <_{\text{MSC}} \text{?}m'$;

• $e_i \equiv \text{!}m$ and $e_{i+1} \equiv \text{?}m'$ for some $m, m' \in M$ such that $\text{to}(m) = \text{to}(m')$ and $\text{!}m <_{\text{MSC}} \text{?}m'$.

In the second case we use induction on the number of output events $\text{!}m''$ that can be in between $\text{!}m$ and $\text{!}m'$ to prove that $\text{!}m <_{\text{MSC}} \text{?}m'$. If there is no output event $\text{!}m''$ such that $\text{!}m <_{\text{MSC}} \text{!}m'' <_{\text{MSC}} \text{!}m'$, then either $\text{!}m <_{\text{inst}} \text{!}m'$ or $m <_{\text{MSC}} \text{!}m'$. In the first case, if $\text{!}m <_{\text{MSC}} \text{!}m'$ did not hold, $<_{\text{MSC}} \cup (\{\text{!}m', \text{!}m\})$ would be cycle-free. Any extension of this relation to a partial order would be $<_{\text{trace}}$ for a trace $t$ that is not inst output-implementable, and thus not inst2$_2$-implementable. In the second case we have $\text{!}m <_{\text{MSC}} \text{?}m <_{\text{MSC}} \text{!}m'$.

• If there is at least one output event $\text{!}m''$ such that $\text{!}m <_{\text{MSC}} \text{!}m'' <_{\text{MSC}} \text{!}m'$, then, using the induction hypothesis, we have $\text{!}m <_{\text{MSC}} \text{?}m <_{\text{MSC}} \text{!}m'$. For the third case a similar reasoning gives $e_i <_{\text{MSC}} e_{i+1}$. Thus, in all cases we obtain $e_i <_{\text{MSC}} e_{i+1}$ and therefore also $e <_{\text{MSC}} e'$ which was to be proven.

Second, suppose that $<_{\text{k}} \equiv <_{\text{MSC}}$. Let $t$ be a 3-trace of $k$, and let $m, m' \in M$. Suppose that $\text{from}(m) = \text{from}(m')$ and that $\text{!}m <_{\text{trace}} \text{!}m'$. Then we have that $\text{!}m <_{\text{trace}} \text{!}m'$ implies $\text{!}m <_{\text{MSC}} \text{!}m'$. Then, by the
definition of \( \preceq_{12} \), we have \( !m \preceq_{k} !m' \). Since we assumed that \( \preceq_{12} = \preceq_{k} \) we also have \( !m \preceq_{k} !m' \), and therefore \( !m \preceq_{\text{trace}} !m' \).

Reversely, suppose that \( !m \not\preceq_{\text{trace}} !m' \). With a similar reasoning as in the previous case we obtain \( !m \not\preceq_{\text{trace}} !m' \). The proof that \( \tau_0(m) = \tau_0(m') \Rightarrow (?m \preceq_{k} m' \Leftrightarrow !m \preceq_{m^3} !m') \) is analogous.

In the following theorem we list the characterisations for implementability we have given in this paper and we add characterisations for the implementabilities not yet characterised.

**Theorem 39**

1. An MSC \( k \) is \( \text{nobuf}_w \)-implementable if and only if \( \preceq_{k} \) is cycle-free.

2. An MSC \( k \) is \( \text{nobuf}_r \)-implementable if and only if it has exactly one trace, and that trace is \( \text{nobuf} \)-implementable.

3. An MSC \( k \) is \( \text{global}_s \)-implementable if and only if for each pair of messages \( m \) and \( m' \) either both \( lm \preceq_{k} !m' \) and \( ?m \preceq_{k} ?m' \), or both \( lm' \preceq_{k} !m \) and \( ?m' \preceq_{k} ?m \) hold.

4. An MSC \( k \) is \( \text{global}_w \)-implementable if and only if \( \preceq_{k} \) is cycle-free.

5. An MSC \( k \) is \( \text{inst}_s \)-implementable if and only if \( \preceq_{k} = \preceq_{\text{msg}} \).

6. An MSC \( k \) is \( \text{inst}_n \)-implementable if and only if \( \preceq_{k} = \preceq_{\text{msg}} \).

7. An MSC \( k \) is \( \text{inst}_2 \)-implementable if and only if \( \preceq_{k} = \preceq_{k} \).

8. An MSC \( k \) is \( \text{inst}_w \)-implementable if and only if \( \preceq_{k} \) is cycle-free.

9. An MSC \( k \) is \( \text{pair} \)-implementable if and only if a randomly chosen \( t \) \( \text{pair} \)-implementable is.

10. An MSC \( k \) is always \( \text{msg} \)-implementable.

**Proof**

1. See Lemma 36.

2. If the MSC \( k \) is \( \text{nobuf}_r \)-implementable it has one trace because \( \preceq_{k} \) is a total order (Lemma 37).

3. See Lemma 33.

4. See Lemma 30.

5. See Lemma 28.


7. See Lemma 38.

8. See Lemma 22.

9. First, if \( k \) is \( \text{pair} \)-implementable, it is \( \text{pair}_s \)-implementable and thus every trace \( t \) of \( k \) is \( \text{pair} \)-implementable. Second, if a randomly chosen trace \( t \) is \( \text{pair} \)-implementable, then \( k \) is \( \text{pair}_w \)-implementable, and thus also \( \text{pair}_r \)-implementable.

10. See Lemma 27.
7 Comparison

In this section we will compare our conclusions with those found in related literature.

In [CBMT96] Charron-Bost et al. discuss three different implementations for MSC-like diagrams: RSC (Realizable with Synchronous Communication), CO (Causally Ordered) and FIFO. They also define A (asynchronous), but this is (just like msg in our hierarchy) used to denote the set of all allowable diagrams, not some subset. They find that there is a strict ordering $RSC \subset CO \subset FIFO \subset A$.

**Theorem 40** The implementations that in [CBMT96] are named RSC and FIFO are equal to the implementations nobufw, and pair. The implementation CO is strictly between the implementations instw and pair.

**Proof**

- **RSC-nobufw:** Definition 3.6 in [CBMT96] states, after translating it into our terminology, that a computation is RSC if and only if there is a trace $t$ for which for each $m \in M$ we have that the set $\{x \in C \mid \exists m < trace x < trace m\}$ is empty, which is equal to the definition that is obtained by combining Lemma 15 and Definition 19.

- **FIFO-pair:** The definition for FIFO in [CBMT96] (Definition 3.3) translates to (by rewriting the terminology of Charron-Bost et al. in ours): $lm <^{msc} l'm' \wedge from(m) = from(m') \wedge to(m) = to(m') \Rightarrow \exists m <^{msc} l'm'$, or $from(m) = from(m') \wedge to(m) = to(m') \Rightarrow (lm <^{msc} l'm' \Rightarrow \exists m <^{msc} l'm')$, which is seen to be equivalent to the definition in Lemma 15 once it is realized that (for the basic MSCs considered here) $to(m) = to(m') \Rightarrow (lm <^{msc} l'm' \wedge ?m <^{msc} ?m' \wedge ?m' <^{msc} ?m')$ and $from(m) = from(m') \Rightarrow (lm <^{msc} l'm' \wedge ?m <^{msc} ?m')$.

- **CO:** That the class of pair-implementable MSCs is strictly greater than that of CO-implementable MSCs is shown in [CBMT96]. Remains to be shown that the class of CO-implementable MSCs is strictly greater than that of instw-implementable MSCs. The definition of CO as given in [CBMT96] (definition 3.4) can be translated to $to(m) = to(m') \wedge lm <^{msc} l'm' \Rightarrow \exists m <^{msc} m'$. An example of an MSC that is CO-implementable, but not instw-implementable, is the MSC 'lobster' in Figure 13. It is CO-implementable, because there is no pair of messages with $to(m) = to(m') \Rightarrow (\exists m <^{msc} l'm' \wedge ?m' <^{msc} ?m)$ and $from(m) = from(m') \Rightarrow (lm <^{msc} l'm' \wedge ?m' <^{msc} ?m')$.

Another paper in which different communication models for MSC have been studied, is [AHP96]. The models from our hierarchy are incomparable with their models, because the ordering of certain combinations of events on an instance is subject to a chosen communication model, thereby relaxing our fundamental total ordering of events on an instance.
Figure 13: MSCs to distinguish the implementation models: CO.

8 Concluding remarks and future research

We have considered implementation models for asynchronous communication in Message Sequence Chart. These models contain of FIFO buffers for the sending and reception of messages. By varying the locality of the buffers we have arrived, in a systematic way, at 25 models for communication. With respect to traces, consisting of putting a message into a buffer and removing a message from a buffer, there are seven different models.

By lifting this implementability notion from traces to Message Sequence Charts in two ways, strong and weak, we obtain fourteen models. After identification, ten essentially different models on the level of Message Sequence Charts remain.

For defining the models we have used the notion of 3-traces; these are a natural extension of normal MSC-traces if a message can pass two buffers on its way from source to destination.

In this paper, we have only considered Basic Message Sequence Charts. An interesting question is how to transfer the notions and properties defined for this simple language to the complete language MSC. As many of our theorems rely on the fact that the events on an instance are totally ordered, an extension to MSC with more sophisticated ordering mechanisms (e.g., coregion and causal ordering) will imply a revision of the hierarchy. Another interesting question is whether the implementation properties are preserved under composition by means of the operators of MSC.

Furthermore, we have restricted ourselves to the treatment of architectures in which each message has exactly one possible communication path and where each such path contains at most two buffers. The extension to more flexible architectures is non-trivial and is expected to lead to an extension of the hierarchy.

Finally, our assumption of infinite FIFO buffers may be relaxed, allowing other types of buffers and buffers with finite capacity.

The results obtained in this paper form a solid base for several applications. First, they allow us to discuss the relation between different variants of MSC, such as Interworkings [MWW93]. Interworkings presuppose a synchronous communication mechanism. An Interworking can be considered as the restriction of the semantics of an MSC to only the nobuf-implementable traces. Thus, an MSC can be interpreted as an Interworking if and only if there is at least one such trace, i.e., the MSC is nobuf-w-implementable. We also envisage more practical applications. Consider a tool in which a user can select a communication model, draw an MSC and invoke an algorithm to check if the MSC is implementable with respect to the selected model. Alternatively, the user can provide an MSC and use a tool to determine the minimal architecture, according to our hierarchy, which is needed for implementation.

Often a user is interested in the question whether all traces of his MSC are implementable with respect to a certain architecture. We can also envisage two possible uses relying on the implementability of a single trace. First, MSCs are often used to display one single trace, for example if it is the
result of a simulation run. In this case, the question is not whether the MSC is strongly or weakly implementable, but whether the implied trace is implementable (as defined in Section 4). Second, given an MSC, a user may want to know if at least one trace is implementable and if so, which trace that is. He is interested in a witness. Both applications can easily be derived from the results on weak implementability. The algorithms (see below) can easily be modified to check implementability of a given trace and to produce a witness.

A more involved application would be to use a selected communication model to reduce the set of traces defined by a given MSC to only those traces that are implementable on the given model. In this way, the semantics of an MSC would be relative to some selected model.

For most of these applications computer support would be useful. Based upon the definitions presented in this paper, it is feasible to derive efficient algorithms. All models in the weak-spectrum can be characterised in terms of the cycle-freeness of an extended ordering relation. An example of such a characterisation is given in Theorem 22. There it is stated that an MSC $k$ is $\text{inst}_{\text{out}}$-implementable iff the ordering $\preceq_k$ (which is an extension of $\preceq_{\text{MSC}}$) is cycle-free. Thus checking if an MSC is $\text{inst}_{\text{out}}$-implementable boils down to checking cycle-freeness of this relation. This immediately gives a wide range of efficient implementations for checking class-membership as many algorithms are known in literature for determining whether a given ordering is cycle-free. For the strong spectrum characterisations are given as well.

Note that the MSCs that distinguish between the different models are surprisingly simple. This indicates that the differences between the classes will appear not only in theory, but also in practice. Besides that, for these distinguishing MSCs, it is not easy to indicate at a glance to which class they do or do not belong. This also supports our view that mechanical support for determining whether a given Message Sequence Chart belongs to a given class is necessary.
References


<table>
<thead>
<tr>
<th>Volume</th>
<th>Title</th>
<th>Authors</th>
</tr>
</thead>
<tbody>
<tr>
<td>96/01</td>
<td>Process Algebra with Autonomous Actions</td>
<td>M. Voorhoeve and T. Basten</td>
</tr>
<tr>
<td>96/02</td>
<td>Multi-User Publishing in the Web: DRESS, A Document Repository Service Station</td>
<td>P. de Bra and A. Aerts</td>
</tr>
<tr>
<td>96/03</td>
<td>Parallel Computation of Reachable Dead States in a Free-choice Petri Net</td>
<td>W.M.P. van der Aalst</td>
</tr>
<tr>
<td>96/04</td>
<td>Example specifications in phi-SDL.</td>
<td>S. Mauw</td>
</tr>
<tr>
<td>96/05</td>
<td>A Process-Algebraic Approach to Life-Cycle Inheritance</td>
<td>T. Basten and W.M.P. v.d. Aalst</td>
</tr>
<tr>
<td>96/06</td>
<td>Life-Cycle Inheritance A Petri-Net Based Approach</td>
<td>W.M.P. van der Aalst and T. Basten</td>
</tr>
<tr>
<td>96/07</td>
<td>Structural Petri Net Equivalence</td>
<td>M. Voorhoeve</td>
</tr>
<tr>
<td>96/08</td>
<td>OODB Support for WWW Applications: Disclosing the internal structure of Hyperdocuments</td>
<td>A.T.M. Aerts, P.M.E. De Bra, J.T. de Munk</td>
</tr>
<tr>
<td>96/09</td>
<td>A Formal Specification of Deadlines using Dynamic Deontic Logic</td>
<td>F. Dignum, H. Weigand, E. Verharen</td>
</tr>
<tr>
<td>96/10</td>
<td>Explicit Substitution: on the Edge of Strong Normalisation</td>
<td>R. Bloo, H. Geuvers</td>
</tr>
<tr>
<td>96/11</td>
<td>AUTOMATH and Pure Type Systems</td>
<td>T. Laan</td>
</tr>
<tr>
<td>96/12</td>
<td>A Correspondence between Nuprl and the Ramified Theory of Types</td>
<td>F. Kamareddine and T. Laan</td>
</tr>
<tr>
<td>96/13</td>
<td>Prioroan Tense Logics in Modal Pure Type Systems</td>
<td>T. Boghais</td>
</tr>
<tr>
<td>96/14</td>
<td>The I^2 C-bus in Discrete-Time Process Algebra</td>
<td>S.H.J. Bos and M.A. Reniers</td>
</tr>
<tr>
<td>96/15</td>
<td>Completeness in Discrete-Time Process Algebra</td>
<td>M.A. Reniers and J.J. Vereijen</td>
</tr>
<tr>
<td>96/16</td>
<td>Nested collections and polytypism</td>
<td>E. Boiten and P. Hoogendijk</td>
</tr>
<tr>
<td>96/18</td>
<td>Real-Time Distributed Concurrency Control Algorithms with mixed time constraints</td>
<td>P.D.V. van der Stok</td>
</tr>
<tr>
<td>96/19</td>
<td>Static Semantics of Message Sequence Charts</td>
<td>M.A. Reniers</td>
</tr>
<tr>
<td>96/20</td>
<td>Algebraic Specification and Simulation of Lazy Functional Programs in a concurrent Environment</td>
<td>L. Feijs</td>
</tr>
<tr>
<td>96/21</td>
<td>Predicate calculus: concepts and misconceptions</td>
<td>L. Bijlsma and R. Nederpelt</td>
</tr>
<tr>
<td>96/22</td>
<td>Designing Effective Workflow Management Processes</td>
<td>M.C.A. van de Graaf and G.J. Houben</td>
</tr>
<tr>
<td>96/23</td>
<td>Structural Characterizations of sound workflow nets</td>
<td>W.M.P. van der Aalst</td>
</tr>
<tr>
<td>96/24</td>
<td>Conservative Adaption of Workflow</td>
<td>M. Voorhoeve and W. van der Aalst</td>
</tr>
<tr>
<td>96/25</td>
<td>Deriving a systolic regular language recognizer</td>
<td>M. Vaccari and R.C. Backhouse</td>
</tr>
<tr>
<td>97/01</td>
<td>A Discretisation Method for Asynchronous Timed Systems</td>
<td>B. Knaack and R. Gerth</td>
</tr>
<tr>
<td>97/02</td>
<td>A Programming-Language Extension for Distributed Real-Time Systems</td>
<td>J. Hoeman and O. v. Roosmalen</td>
</tr>
<tr>
<td>97/03</td>
<td>Basic Conditional Process Algebra</td>
<td>J. Blanco and A. v. Deursen</td>
</tr>
<tr>
<td>97/04</td>
<td>Discrete Time Process Algebra: Absolute Time, Relative Time and Parametric Time</td>
<td>J.C.M. Baeten and J.A. Bergstra</td>
</tr>
<tr>
<td>97/05</td>
<td>Discrete-Time Process Algebra with Empty Process</td>
<td>J.C.M. Baeten and J.J. Vereijken</td>
</tr>
<tr>
<td>97/06</td>
<td>Tools for the Construction of Correct Programs: an Overview</td>
<td>M. Franssen</td>
</tr>
<tr>
<td>97/07</td>
<td>Bounded Stacks, Bags and Queues</td>
<td>J.C.M. Baeten and J.A. Bergstra</td>
</tr>
<tr>
<td>Date</td>
<td>Author(s)</td>
<td>Title</td>
</tr>
<tr>
<td>-------</td>
<td>-----------</td>
<td>-----------------------------------------------------------------------</td>
</tr>
<tr>
<td>97/08</td>
<td>P. Hoogendijk and R. C. Backhouse</td>
<td>When do datatypes commute?</td>
</tr>
<tr>
<td>97/10</td>
<td>P.C.N. v. Gorp, E.J. Luit, D.K. Hammer and E.H.L. Aarts</td>
<td>Distributed real-time systems: a survey of applications and a general design model</td>
</tr>
</tbody>
</table>