Analysis of timed processes with data using algebraic transformations

In this paper, we outline a method to describe and analyze real-time systems using timed /spl mu/CRL. Most descriptions of such systems contain operators such as parallel composition that complicate analysis. As a first step towards the analysis of such systems, we linearize the given description using the algorithm from the work of Usenko (2002). The result is a timed linear process equation (TLPE) which is equivalent to the original description and has a very simple structure. Next, we outline how a TLPE can be transformed into an LPE, i.e., a linear process equation without time. This transformation, called time-free abstraction, has been used for non-recursive timed /spl mu/CRL processes in the work of Rieners et al. (2002). Crucial for this transformation is that the TLPE is transformed into a well-timed TLPE. Finally, all time-stamping is captured in the parameters of atomic actions. The result is an LPE for which the machinery of untimed /spl mu/CRL can be put to use for further analysis. These are based on symbolic analysis of the specifications, such as invariants, term rewriting and theorem proving, or on explicit state space generation and model-checking.


Introduction
The language µCRL, see [13], offers a uniform framework for the specification of data and processes. Data are specified by equational specifications (cf. [5,19]): one can declare sorts and functions working upon these sorts, and describe the meaning of these functions by equational axioms. Processes are described in process algebraic style, where the particular process syntax stems from ACP [6,4,9], extended with data-parametric ingredients: there are constructs for conditional composition, and for data-parametric choice and communication. As is common in process algebra, infinite processes are specified by means of (finite systems of) recursive equations. In µCRL such equations can also be data-parametric. As an example, for action a and adopting standard semantics for µCRL, each solution for the equation X = a · X specifies (or "identifies") the process that can only repeatedly execute a, and so does Y (17) where Y(n) is defined by the data-parametric equation Y(n) = a · Y(n + 1) with n ∈ Nat.
Several timed extensions have been proposed for different kinds of process algebras. For an overview of ACP extensions with time we refer to [3]. According to [3], timed process algebras can be categorized by three criteria. Discrete vs. continuous time; relative vs. absolute time; two-phase vs. timed-stamped model. In [11] the language µCRL is extended with time, and in [21] a sound and complete axiomatization of timed µCRL is presented. In [15] some examples of specification and reasoning in timed µCRL are given. Timed µCRL makes use of absolute time, timed stamped model, and the time domain can be defined by the user (both discrete and continuous domains are possible). For a way to interpret timed automata [1] in timed µCRL we refer to [23,Chapter 6].
In this paper we present a method to describe and analyze real-time systems using µCRL and timed µCRL. It is assumed that some real-time system is described by means of a timed µCRL specification (see Section 2). Mostly such descriptions will contain operators such as parallel composition that complicate analysis. As a first step towards the analysis of such systems, we linearize the given description using the algorithm from [22] (see Section 3). The result is a Timed Linear Process Equation (TLPE) which is equivalent to the original description and has a very simple structure. On this TLPE it is already possible to perform some analysis.
Next, in Section 4, we describe how a TLPE can be transformed into an LPE, i.e., a linear process equation without time. This transformation, called time-free abstraction, has been used for a more restricted class of timed µCRL specifications in [21]. Crucial steps in this transformation are that the TLPE is first transformed into a well-timed TLPE and second that it is transformed into a deadlock-saturated well-timed TLPE. Finally, all time-stamping is captured in the parameters of atomic actions. The result is an LPE for which the machinery of untimed µCRL can be put to use for further analysis. These are based on symbolic analysis of the specifications, such as invariants, term rewriting and theorem proving, or on explicit state space generation and model-checking.
We illustrate the respective steps of the proposed method on the Bottle Filling System from [15,Section 3] and [3,Section 4.2.5]. In comparison to those expositions, we apply a proved transformation method [22] and a general analysis technique based on invariants [7].

µCRL and Timed µCRL
Timed µCRL specifications contain algebraic specifications of several abstract data types. The only data types that are required are booleans and time. The algebraic specifications of booleans are standard and can be found for instance in [8,Chapter IV]. We assume a constant t and functions ¬ : Bool → Bool and ∨ : Bool × Bool → Bool .
Time Time can be represented in many different ways. In timed µCRL the time domain has to satisfy a set of properties. We present these properties as an algebraic specification of sort Time by defining its signature and the axioms. The signature of sort Time consists of: a constant 0; functions leq, eq : Time × Time → Bool , which are often abbreviated as ≤ and =, respectively; function if : Bool × Time × Time → Time; and functions min, max : Time × Time → Time.
The axioms of sort Time are presented below. Many of the axioms are taken from, or inspired by [11,16]. The axioms say that ≤ is a total order on the Time domain, and 0 is the least element.
The last seven axioms allow to eliminate if from any boolean expression containing subterms of sort Time. Every term of sort Time can be represented as 0, a variable, or as if (b, t, u) where t and u are terms of sort Time. The above mentioned form has two extremes: one where all boolean terms b are variables, and another, where every variable of sort time (and 0) occurs at most once. The latter form is useful for proving time identities in the following way: if we order the time variables occurring in a term as 0 < t 1 < . . . < t n , then with the help of the axioms we can transform every term of sort Time to the form if ) with indices such that t i k < t i k+1 . Moreover, the conditions b 1 , . . . , b m can be made pairwise distinct, i.e. having the property that i = j → b i ∧ b j ≈ f . In addition, the conditions b 1 , . . . , b m can be made such that if eq(t i k , t i k+1 ) ≈ t, then b k ≈ t. This gives us a method for proving identities of sort Time.
Other Data Types. Any other data type in µCRL is specified in a similar way by providing a signature and axioms from which all other identities are derived. Other data sorts have generally different axioms, and sometimes induction principles (cf. [14]) are required to describe them.
Processes Next we define the binding-equational theory of timed µCRL by defining its signature and the axioms. The signature of timed µCRL consists of data sorts (or 'data types') including Bool and Time as defined above, and a distinct sort Proc of processes. Each data sort D is assumed to be equipped with a binary function eq : D × D → Bool . (This requirement can be weakened by demanding such functions only for data sorts that are parameters of communicating actions). The process operations are the ones listed below: • actions a : − → D a → Proc where a ∈ ActLab is an action label and − → D a is a list of parameter types of a. It is assumed that the signature of timed µCRL is parameterized by the finite set of action labels ActLab.
• deadlock δ :→ Proc. The constant δ models inaction, or the inability to perform actions.
• alternative composition + : Proc × Proc → Proc. The process p + q behaves like p or like q, depending on which of the two performs the first action.
• sequential composition · : Proc × Proc → Proc. The process p · q first performs the actions of p, until p terminates, and then continues with the actions from q.
• conditional operator _ _ _ : Proc × Bool × Proc → Proc. The process term p b q behaves like p if b is equal to t, and if b is equal to f it behaves like q. • at-operator : Proc ×Time → Proc. A key feature of timed µCRL is that it can be expressed at which time a certain action must take place. This is done using the at-operator. The process p t behaves like the process p, with the restriction that the first action of p must start at time t. The process p t can delay till at most time t. If p consists of several alternatives, then only those with the first actions starting at time t will remain in p t. The alternatives that start earlier than t will express that p t can delay till that earlier time. The alternatives that start later than t will express that p t can wait till time t (but not till that later time).
• initialization operator : Time ×Proc → Proc and weak initialization operator : Time × Proc → Proc. The initialization operator t p expresses the process in which all alternatives of p that start earlier than t are left out, but an alternative to delay till time t is added. The weak initialization operator t ≫ p expresses the process in which all alternatives of p that start earlier than t are replaced by the ability to delay till those earlier times. Thus the process t ≫ p can delay till the same time as p, while t p can delay till at least time t, which can be longer than p could delay.
• parallel composition : Proc × Proc → Proc, left-merge : Proc × Proc → Proc, and communication merge | : Proc × Proc → Proc. The process p q can first perform an action of p, first perform an action of q, or start with a communication, or synchronization, between p and q. The process p q exists at time t only if both p and q exist at time t. The process p q is as p q, but the first action that is performed comes from p. The action can only be performed if the other party still exists at that time. The process p | q also behaves as the process p q, except that the first action must be a communication between p and q. Furthermore, these actions must occur at the same time and have the same data parameters. The action resulting from such a communication is defined by the partial commutative and associative function γ : ActLab × ActLab → ActLab such that γ(a 1 , a 2 ) ∈ ActLab implies that a 1 , a 2 and γ(a 1 , a 2 ) have parameters of the same sorts. It is assumed that the signature of timed µCRL is parameterized by this function γ.
• encapsulation ∂ H : Proc → Proc, for H ⊆ ActLab. The process ∂ H (p) behaves as the process p where the execution of actions from the set H is prohibited.
• ultimate delay ∂U : Proc → Proc. The ultimate delay operator ∂U(p) expresses the process, which can delay as long as p can, but cannot perform any action.
• before operator : Proc → Proc. The before operator p q expresses the process in which all alternatives of p that start later than ∂U(q) are replaced by the abilities to delay till ∂U(q). Thus p q cannot delay longer than both p and q. The ultimate delay ∂U(p) of process p can be expressed in terms of as δ p. This process cannot perform actions and can delay as long as p could (because δ can delay till any time).
Another key feature of timed µCRL is that it can be expressed that a process can delay till a certain time. The process p + δ t can certainly delay till time t, but can possibly delay longer, depending on p. Consequently, the process δ 0 can neither delay nor perform actions, and the process δ can delay for an arbitrary long time, but cannot perform any action. We follow the intuition that a process that can delay till time t can also delay till an earlier moment, and a process that can perform a first action at time t can also delay till time t.
To prove identities in timed µCRL we use a combined many-sorted calculus, which for the sort of processes has the rules of binding-equational calculus, for the sorts of booleans and time has the rules of equational calculus, while other data sorts may include induction principles which could be used to derive process identities as well. We note that the derivation rules of binding-equational calculus do not allow to substitute terms containing free variables if they become bound.
The operational semantics (SOS) of timed µCRL and soundness and completeness proofs of the axiomatization are presented in [21]. The axiomatization used here is an extension of the axiomatization in [21] with a number of axioms that are derivable in the setting of [21] for all closed terms. These extra axioms are needed to prove correctness of the linearization.
Timed µCRL Specifications For the purpose of this paper we restrict to the timed µCRL specifications that do not contain left merge ( ), communication (|), ultimate delay (∂U), and before ( ) operators explicitly. These operators were introduced to allow the finite axiomatization of parallel composition ( ) and timing constructs in the bisimulation setting, and they are hardly used explicitly in timed µCRL specifications.
We consider systems of process equations with the right hand sides from the following subset of timed µCRL terms p : For a system of process equations G containing a process equation for X, (X( t is a list of data terms that corresponds to the type of process X. The combination of the given data specification with a process definition (X( − → t ), G) of process equations determines a timed µCRL specification. Such a specification depends on a finite subset Act of ActLab and on Comm, an enumeration of γ restricted to the labels in Act.

Example: Bottle Filling System
This example is taken from [15,Section 3] and [3, Section 4.2.5]. We start from the informal specification from [3, page 153]: "Bottles on a conveyor belt are filled with 10 liters of liquid poured from a container with a capacity of m liters. The container is filled at a constant rate of r liters per second. When a bottle is under the container, a tap is opened and the bottle is filled at a rate of 3 liters per second until the container becomes empty. From that moment, the bottle is filled at the same rate as the container. When the bottle is full, the tap is closed and the conveyor belt starts moving to put the next bottle under the container which takes 1 second. Obviously, it is highly preferable that overflow (of the container) never occurs. Of course, it is also preferable that the container does not get empty during the filling of each bottle."

Specification in Timed µCRL
The time domain used in this specification is nonnegative rational numbers. For the specification of the conveyor belt we distinguish three 'modes of operation': mv -moving, nf -normal filling, and sf -slow filling.
CB mv (t:Time) =!start (t + 1) · CB nf (t + 1) The process CB mv executes the !start action and then behaves as the process CB nf . The latter process can synchronize with the container process by ?empty at time period t + t , where t ∈ [0, 10/3), or it can synchronize by !stop action at time t + 10/3. The further behavior of CB nf depends on which action it synchronized.
For the specification of the container also three modes are distinguished: inc -increasing the amount of liquid, dec -decreasing, and dry -liquid goes through the empty container directly into the bottle.
The process C dec behaves nondeterministically at time t + h/(3 − r). Depending on the parallel process it can either perform ?stop or !empty in order to synchronize with that process.
Using the above descriptions of the conveyor belt and the container, the system can be given as: where γ(?s, !s) = γ(!s, ?s) = s for s ∈ {start, stop, empty} and γ is undefined otherwise, and H = {?s, !s | s ∈ {start, stop, empty}}. In words, the system is a parallel composition of the conveyor belt and the container processes, that are forced to synchronize on all actions except !overflow.
Let G contain all of the above equations. Then the process definition (T(0, h), G) forms the specification of the bottle-filling system.

Linearization
The problem of linearization of a timed µCRL specification defined by (X( − → t ), G) consists of generation of a new timed µCRL specification which • depends on the same Act and Comm, • contains all data definitions of the original one, and, possibly, definitions of the auxiliary data types, where L contains exactly one process equation for Z in linear form (defined later), and m X is a mapping from the parameters of X to the parameters of X.
such that all processes that are solutions of (X( − → t ), G) are also solutions of Z(m X ( − → t )), L). It is not possible to linearize a timed µCRL specification which is unguarded, e.g. X = X cannot be brought to the linear form. The exact notion of guardedness in µCRL is rather complicated. In a nutshell, in a guarded process every occurrence of a recursive call is preceded (with sequential composition) by an action. We refer to [22,Section 3.6] for a precise definition.
We define Timed Parallel Greibach Normal Form (TPEGNF) and Timed Linear Process Equation (TLPE) as special forms of process equations in timed µCRL. TPEGNF and TLPE are similar to the Greibach Normal Form [10] for context-free languages. A timed µCRL process equation is in TPEGNF if it is of the form: where I and J are disjoint, and all p i ( − − → d, e i ) have the following syntax: − − → d, e δ ). As input for the linearization procedure we take a timed µCRL process definition (X( − → t ), G). Further on, the process goes through a number of intermediate forms, including TPEGNF, and finally we get to TLPE. All the steps are described in [22,Chapter 6] and are proved to transform a system of process equations in timed µCRL to an equivalent one.

Linearization of the Example
In this subsection we illustrate some of the linearization steps on our example. The example does not contain double bound variables, so we can start with reducing right hand sides of the equations with the help of conventional term rewriting [2]. This step is described in [22,Section 6.2.2]. By doing this step the equations for CB nf and C inc change to the following: In both equations we move the alternative composition operator (+) outside the sum operator and eliminate the sum in the second summand.
At this point all our equations, except the one for T are in TPEGNF. We proceed by guarding [22, Section 6.2.4] the equation for T. We have to consider the term ∂ H (CB mv (t) C inc (t, h)) and apply the guarding procedure to it. We get the following: Here we use the fact that only !overflow action is not forced to synchronize, and the rest of the actions have to. It is interesting to see how the !overflow action gets its condition. It has to happen before time t + 1, otherwise the action !start (t + 1) should occur first. This means that t + (m − h)/r ≤ t + 1 should hold, which is equivalent to m − r ≤ h. Now we consider the term ∂ H (CB nf (t) C dec (t, h)) and apply the guarding procedure to it. Here we again use the fact that the all the actions of the two processes have to synchronize. We get the following: ∂ H (CB nf (t) C dec (t, h)) = stop (t + 10/3) · ∂ H (CB mv (t + 10/3) C inc (t + 10/3, h − 10(3 − r)/3)) 10(3 − r)/3 ≤ h δ 0 Now we consider the term ∂ H (CB sf (t, l) C dry (t)) and apply the guarding procedure to it. We get the following: At this point we are ready to make a single equation for the whole system (cf. [22,Section 4.3]). Here we use the fact that only the parallel processes are reachable. We define a new sort State = {mv_inc, nf_dec, sf_dry, dl} and use it as a parameter of the resulting process T: T(s:State, t:Time, h, l:Q) = start (t + 1) · T(nf_dec, t + 1, h + r, 0) s = mv_inc ∧ h < m − r δ 0

Time-free Abstraction and Analysis
An important notion of timed µCRL processes is well- and δ t are also well-timed. If p and q are well-timed terms, then p + q, d:D p and p c δ 0 are also well-timed terms. An equation in TPEGNF is well-timed if for all i ∈ I the terms a i ( − → t i ) t i · p i c i δ 0 are well-timed. The linearization method for timed µCRL ensures that the resulting TLPE is well-timed, e.g., in our example, t T(s, t, h, l) ≈ T(s, t, h, l).
The time-free abstraction (cf. [21,Section 4.2]) of well-timed TLPEs can be used for further analysis with methods that are designed for untimed µCRL. For instance, strong bisimilarity of time-free abstractions of two well-timed TLPEs is equivalent to the timed bisimilarity of them. In the initial timed µCRL specification time has a direct influence on the specified behavior, for instance on the interleavings of parallel components (for example a 1 b 2 ≈ a 1 · b 2 in timed µCRL). This is why performing the time-free abstraction on the initial specification will not work (because a(1) b(2) ≈ a(1) · b(2) in µCRL). However, after linearization the influence of time on the specified behavior is encoded in the parameters and conditions of resulting TLPE, i.e. time becomes just a conventional data type in untimed µCRL.
Having assumed that, we see that if h ≥ m − r in the initial state, then the overflow is eminent at time (m − h)/r. It is interesting to see what happens if h < m − r in the initial state. To this end, we can see that the following formula is an invariant (cf. [7]) of the LPE: This gives us the fact that if r ≤ 30/13, then overflow is not reachable provided h < m − r holds in the initial state. In case r > 30/13, the process T is equal to T(s:State, t:Time, h, l:Q) = start(t + 1) · stop(t + 13/3) · T(mv_inc, t + 13/3, h + r − 10(3 − r)/3, 0) This is because r > 30/13 and h ≥ 0 implies that h+r < 10(3−r)/3 is always false. It is clear that the value of h increases with every sequence of start, stop actions by a constant, so the overflow is eminent.
The next question is whether the container may become empty. From the previous analysis follows that this can only happen if r ≤ 30/13 and h < m − r holds in the initial state. If r < 30/13, the value of h will decrease with each sequence of start, stop actions by a constant. So, eventually, its value will become smaller than 10(3 − r)/3 and the container will become empty. In case r = 30/13, the value of h is constant in state nf_dec and equal to the initial value of h plus 10(3 − r)/3 = 30/13, so, the container does not become empty in this case.

Conclusions and Future Work
We presented the language of timed µCRL with an example specification. We outlined the method of simplifying transformations based on equational axiomatization, and illustrated it on the example. This transformation allows for a time-free abstraction of the specification, which in turn enables the use of tools and techniques for verification of untimed systems. For proving properties of the presented example we used known invariant [7] techniques.
An interesting direction for future work is in adopting efficient real-time abstraction techniques similar to the regions and zones methods [1] for timed automata. Another interesting approach is to make use of model checking techniques, similar to the ones available for timed automata in tools like UPPAAL [18].
A symbolic model checking approach for untimed µCRL has been recently proposed in [17]. It looks more applicable to the time setting than the explicit model checking [20] of modal mu-calculus formulas. In order to apply any of these methods for timed setting a well-thought extension of modal mu-calculus (or another action-based temporal logic) to real-time is needed.

A Axioms of Timed µCRL
We assume that • x, y, z are variables of sort Proc; c, c 1 , c 2 are variables of sort Bool ; d, d 1 , d n , d , . . . are data variables (but d in d:D is not a variable); and t, u, w are variables of sort Time.
• b stands for either a( − → d ), or δ; • − → d = − → d is an abbreviation for eq(d 1 , d 1 ) ∧ · · · ∧ eq(d n , d n ), where − → d = d 1 , . . . , d n and − → d = d 1 , . . . , d n ; • the axioms where p and q occur are schemata ranging over all terms p and q of sort Proc, including those in which d occurs freely; • the axiom (SUM2) is a scheme ranging over all terms r of sort Proc in which d does not occur freely.