Modelling and analysis of real-time coordination patterns Kemper, S.

Citation

Kemper, S. (2011, December 20). Modelling and analysis of real-time coordination patterns. IPA Dissertation Series. BOXPress BV, 2011-24. Retrieved from

https://hdl.handle.net/1887/18260

Version: Corrected Publisher’s Version

License: Licence agreement concerning inclusion of doctoral thesis in the Institutional Repository of the University of Leiden

Downloaded from: https://hdl.handle.net/1887/18260

Note: To cite this publication please use the final published version (if applicable).

Proofs

A.1 Correctness of Representation

In this Section, we prove that the formula representation ϕ(S) of a real-time system S, as presented in Definitions 3.1.1, 3.1.4 and 3.1.9 in Chapter 3, is correct, that means that ϕ(S) exhibits the same behaviour as S. For this, every model of ϕ(S) k

has to correspond to a run of length k, and vice versa. To prove this, we show that the diagram in Figure A.1 commutes.

S ϕ(S) _k

Run _{S ,k} models of ϕ(S) _k ϕ

run ↓ ^r _σ model

↓ ^σ _r

Figure A.1: Correctness of Representation

The commutative property expresses that models of ϕ(S) _k have a bijective cor- respondence to runs of the original system S, denoted by the maps ↓ ^r _σ and ↓ ^σ _r : the run ↓ ^σ _r (↓ ^r _σ (r)) of the model ↓ ^r _σ (r) belonging to a run r again is r, and the model ↓ ^r _σ (↓ ^σ _r (σ)) of a run ↓ ^σ _r (σ) belonging to a model σ again is σ.

Remark A.1.1 (Notation). In the sequel, we use the notation of representation variables introduced in Section 3.1.1, and we use the symbol ∼ to refer to any arithmetic comparison (cf. Definitions 2.1.2 and 2.1.7).

As before, we use S _S to refer to the associated LTS of a system S, with S∈{A, T, N}, and we use Run _S,k to refer to the set of all runs of S _S up to length k.

127

Further, we use the symbols ϕ(S) _k , σ and V(ϕ(S) _k ) to refer to the k-unfolding of S, a model of ϕ(S) _k , and the set of all models of ϕ(S) _k , respectively.

We first show that the formula representation is sound, i.e., that every model σ∈V(ϕ(S) _k ) yields a run r∈Run _{S ,k} .

Definition A.1.2 (Derived Run). For σ∈V(ϕ(S) _k ), the derived run r _σ is r _σ =hl ₀ , ν ₀ i −

→hl 1 , ν ₁ i −

→ . . . −

→hl k , ν _k i, if S = A, r σ =hl 0 , δ 0 , ν 0 i −−−−→hl

¹ , δ 1 , ν 1 i −−−−→ . . .

−−−−→hl

^k , δ k , ν k i, if S = T, r _σ =hl ₀ , δ ₀ , ν ₀ i −−→hl

1 , δ ₁ , ν ₁ i −−→ . . .

−

−− →hl k , δ _k ν _k i, if S = N,

(i)

where we have for all 0≤k ₀ ≤k, 1≤k ₁ ≤k

l _k

= s, iff σ(s _k

)=tt, (ii)

ν _k

(x) = σ(z _k

)−σ(x _k

) (iii)

a _k

=

( a, iff σ(α _k

)=tt,

t, with t=σ(z _k

)−σ(z _k

₋₁ ), otherwise (iv) P k

= S

σ(p

)=tt

p, (v)

δ _k

(d) =

( ∆ ⁻¹ (n ⁱ ), iff σ(Dd _k

)=n ⁱ 6=n ^⊥

⊥, otherwise , d∈D (vi)

δ ¯ _k

(q) =



 

 

 

 

δ(m) k

−1 , iff q=s.m, m∈D δ(m) _k

, iff q=t.m or q=m, m∈D

∆ ⁻¹ (n ⁱ ), iff q=p, p∈P, σ(Dp _k

)=n ⁱ 6=n ^⊥

⊥, otherwise

(vii)

t _k

= σ(z _k

)−σ(z _k

₋₁ ) (viii)

c k

(p) =



 

 

iff σ(p _k

)=tt,

? iff σ(p _k

)=ff and σ(cp _k

)=ff

! iff σ(p _k

)=ff and σ(cp _k

1

)=tt

(ix)

γ _k

=

( ¯ δ _k

, iff σ(z _k

)=σ(z _k

₋₁ )

t _k

, otherwise (x)

The derived run for a products, that means for σ∈V(ϕ(S ₁ ./S ₂ ) _k ) is defined in the same way, except for replacing l _i in (i) by (l _i,1 , l _i,2 ), and rewriting (ii) to

l _k

_,i = s, iff σ(s _k

) = tt for s∈S _i , i=1, 2, (ii’) Remark A.1.3 (Derived Run). Note that in (ii), for each k ₀ , there exists exactly one location s such that σ(s _k

)=tt, cf. (3.5), (3.14) and (3.24). Similarly, in (iv), there exists at most one event a such that σ(α _k

)=tt, cf. (3.6).

Since ∆ is injective (cf. Section 3.1.1.3), there exists a d _i ∈Data with ∆(d _i )=n ⁱ ,

such that ∆ ⁻¹ (n ⁱ ) is well-defined in (vii), (vi) and (x).

Lemma A.1.4 (Soundness). For σ∈V(ϕ(S) _k ), the derived run r _σ is a run of S _S of length k, i.e., r _σ ∈Run _S,k .

Proof. Induction on k.

IA σ|=ϕ(S) 0 : σ(¯ s 0 )

= tt for the initial location ¯ s, thus l 0

(ii)

=¯ s. For all clocks x, ν ₀ (x)

= σ(z ₀ )−σ(x ₀ )

= 0, therefore in particular ν ₀ |=I(¯ s), and thus r _σ =h¯ s, 0i∈Run _S,0 for S=A.

For S6=A, in addition we have σ(Dd ₀ )

= n ^⊥ for d∈D, and σ(Dp ₀ )

= n ^⊥ for p∈P, thus r _σ =h¯ s, 0, 0i∈Run _{S ,0} for S∈{T, N}.

IH σ|=ϕ(S) k : r σ ∈Run S ,k for some k≥0.

IS σ|=ϕ(S) _k+1 : we consider the different systems separately

S = A: r _σ =hl ₀ , ν ₀ i −

→ . . . −

→hl k , ν _k i −−→hl

k+1 , ν _k+1 i, and either for some e∈E σ|=ϕ ^action (e) _k+1/t , or σ|=ϕ ^delay (s) _k+1/t for some s∈S (cf. (3.7) and (3.29)).

Case σ|=ϕ ^action (e) _k+1/t (∗): let e=(s, a, cc, λ, s ⁰ ) (cf. (3.2)), then

• l k

=s, l

_k+1

=s ⁰

• a k+1 (iv) = a

• ν k+1 =ν _k [λ]: for all clocks x, we have

λ(x)=id: ν _k+1 (x)

= σ(z _k+1 )−σ(x _k+1 )

=σ(z _k )−σ(x _k )

= ν _k (x) λ(x)=x ⁰ : ν k+1 (x)

= σ(z k+1 )−σ(x k+1 )

=σ(z k+1 )−σ(x ⁰ _k+1 )

= ν k+1 (x ⁰ ) λ(x)=n: ν _k+1 (x)

= σ(z _k+1 )−σ(x _k+1 )

=σ(z _k+1 )−(σ(z _k+1 )−n)=n

• ν k |=cc: for cc=x∼n, ¹ we have cc _k =(z _k −x _k )∼n. Because of (∗), we have σ|=cc _k , that means (σ(z _k )−σ(x _k ))∼n holds, and since ν _k (x)

= (σ(z _k )−σ(x _k )) for all clocks x, we have ν _k |=cc. The argumentation for ν k+1 |=I(s ⁰ ) is similar

Thus, hs, ν _k i − →hs

⁰ , ν _k [λ]i is gained from e using (2.1) Case σ|=ϕ ^delay (s) _k+1/t (∗∗): let s∈S (cf. (3.3)), then

• l k

=s, l

_k+1

=s

• a k+1 =t, with t ^(iv) = σ(z _k+1 )−σ(z _k )

• ν k+1 =ν k +t: for all clocks x, we have

ν _k+1 (x)

= σ(z _k+1 )−σ(x _k+1 )

= σ(z _k+1 )−σ(x _k )=σ(z _k+1 )−σ(x _k )+

σ(z _k )−σ(z _k )=(σ(z _k )−σ(x _k ))+(σ(z _k+1 )−σ(z _k ))

= ν _k (x)+t

• ν k+1 |=I(s) as above, ν _k +t ⁰ |=I(s) for all t ⁰ ≤t because of convexity (cf.

Remark 2.1.6)

Thus, hs, ν k i − →hs, ν

^k +ti is gained from s using (2.2).

Together, we get r _σ ∈Run _S,k+1 for S=A.

1

Here and in the remainder of the proof, we only show the basic cases for simple clock con-

straints (without clock differences) and simple data constraints (without addition/subtraction),

but the results directly carry over to constraints involving arithmetic operations, and to Boolean

combinations of these.

S = T: r σ =hl 0 , δ 0 ,ν 0 i −−−−→ . . .

−−−−→hl

^k , δ k , ν k i −−−−−−−−→hl

^k+1 , δ k+1 ,ν k+1 i, and either σ|=ϕ ^visible (e) _k+1/t or σ|=ϕ ^invisible (e) _k+1/t for some e∈E (cf.

(3.16) and (3.29)).

Case σ|=ϕ ^visible (e) _k+1/t (†): let e=(s, P, dc, cc, λ, s ⁰ ) (cf. (3.11)), then

• l k

IH

=s, l _k+1

=s ⁰ , t _k+1

= σ(z _k+1 )−σ(z _k )

• ν k+1 =ν k +t k+1 [λ]: for all clocks x, we have

λ(x)=id: ν _k+1 (x)

= σ(z _k+1 )−σ(x _k+1 )

=σ(z _k+1 )−σ(x _k )=

σ(z _k+1 )−σ(x _k )+σ(z _k )−σ(z _k )=

(σ(z _k )−σ(x _k ))+(σ(z _k+1 )−σ(z _k )

= ν _k (x)+t _k+1 λ(x)=x ⁰ : ν k+1 (x)

= σ(z k+1 )−σ(x k+1 ) =σ(z ^† k+1 )−σ(x ⁰ _k+1 )=

σ(z _k+1 )−σ(x ⁰ _k+1 )+σ(z _k )−σ(z _k )=

(σ(z _k )−σ(x ⁰ _k+1 ))+(σ(z _k+1 )−σ(z _k ))

= ν _k+1 (x ⁰ )+t _k+1 λ(x)=n: ν k+1 (x)

= σ(z k+1 )−σ(x k+1 )

=σ(z k+1 )−(σ(z k+1 )−n)=n

• ν k +t k+1 |=cc: for cc=x∼n, we have cc k =(z k −x k )∼n. Because of (†), we have σ|=cc _k , that means (σ(z _k )−σ(x _k ))∼n holds, and since ν _k (x)+t _k+1

= σ(z _k )−σ(x _k )+σ(z _k+1 )−σ(z _k )=σ(z _k+1 )−σ(x _k ) for all clocks x, we have ν _k +t _k+1 |=cc.

• P k+1

(v)

= S

σ(p

)=tt p

=P

• ¯δ k+1 |=dc: let dc=(D'D ⁰ ), ' ∈{=, 6} (cf. Section 3.1.1.5). For the constituents of dc, we have

for p∈P| _dc : ¯ δ _k+1 (p)

= ∆ ⁻¹ (n ⁱ ) ^{def .∆} = d _i if σ(Dp _k+1 )=d _i for s.m∈D| _dc : ¯ δ _k+1 (s.m)

= ∆ ⁻¹ (n ⁱ ) ^{def .∆} = d _i if σ(Dm _k )=d _i for t.m∈D| _dc : ¯ δ _k+1 (t.m)

= ∆ ⁻¹ (n ⁱ ) ^{def .∆} = d _i if σ(Dm _k+1 )=d _i for m∈D| _dc : ¯ δ _k+1 (m)

= ∆ ⁻¹ (n ⁱ ) ^{def .∆} = d _i if σ(Dm _k+1 )=d _i

Because of (†), we have σ|=dc k+1 , thus for all possible instantiations of D and D ⁰ with Dp _k+1 , Dm _k , Dm _k+1 or elements of Data (cf. Sec- tion 3.1.1.5), we have ¯ δ _k+1 |=dc

• δ k+1 (m)=⊥ if m6∈#(s ⁰ ): because of (†), in particular σ|=(Dm _{t 1} =n ^⊥ ) (cf. (3.11)), and thus δ _k+1 (m)

= ⊥ for all m6∈#(s ⁰ )

Thus, hs,δ _k ,ν _k i −−−−−−→hs

⁰ ,δ _k+1 ,ν _k +t _k+1 [λ]i is gained from e using (3.11).

Case σ|=ϕ ^invisible (e) k+1/t (‡): let e=(s, ∅, dc, cc, λ, s ⁰ ) (cf. (3.12)), then

• l k

IH

=s, l _k+1

=s ⁰ , t _k+1

= σ(z _k+1 )−σ(z _k ),

• ν k+1 =ν _k +t _k+1 [λ], ν _k +t _k+1 |=cc, δ _k+1 (m)=⊥ if m6∈#(s ⁰ ), and ¯ δ _k+1 |=dc as before

• P k+1

(v)

= S

σ(p

)=tt p

=∅

• δ k+1 (p)

= ⊥ for all p∈P, because σ(p _k+1 )

=ff, and σ(Dp _k+1 )

=n ^⊥ for all p∈P

Thus, hs, δ _k , ν _k i −−−−−−→hs

⁰ , δ _k+1 , ν _k +t _k+1 [λ]i is gained from e using (3.11)

in case t _k+1 >0, and using (3.12) in case t _k+1 =0.

Together, we get r _σ ∈Run _S,k+1 for S=T.

S = N: r σ = hl 0 , δ 0 , ν 0 i −−→ . . .

−

−− →hl ^k , δ k , ν k i −−−−−→hl

^k+1 , δ k+1 , ν k+1 i, and either σ|=ϕ ^commu (e) _k+1/t or σ|=ϕ ^delay (e) _k+1/t for some e∈E (cf. (3.26) and (3.29))

Case σ|=ϕ ^commu (e) _k+1/t (?): let e=(s, c, dc, cc, λ, s ⁰ ) (cf. (3.21)), then

• l k

=s, l

_k+1

=s ⁰

• ν k+1 =ν _k [λ], ν _k |=cc, ν _k+1 |=I(s ⁰ ): equivalent to the respective cases for S=A above

• δ k+1 (m)=⊥ if m6∈#(s ⁰ ): equivalent to the respective case for S=T above

• γ k+1

(x),(?)

= ¯ δ _k+1

• ¯δ k+1 |=dc: equivalent to the respective case for S=T above

• ¯δ k+1 (p)=⊥ iff c k+1 (p)6= : because of (?), in particular σ|=hp _c i _k+1 for all p∈P. If σ|=¬p _k+1 , then either c(p)

= ! or c(p)

= ? , and σ(Dp _k+1 )

= n ^⊥

Thus, hs, δ _k , ν _k i −−−−−→hs, δ

k+1 , ν _k [λ]i is gained from e using (2.15).

Case σ|=ϕ ^delay (e) _k+1/t (??): let e=(s, c, dc, cc, id, s) (cf. (3.22)), then

• l k

=s, l

_k+1

=s ⁰

• γ k+1

(x),(??)

= t _k+1

• ν k+1 =ν _k +t _k+1 : equivalent to the respective case for S=A above

• ν k |=cc, ν _k+1 |=I(s): equivalent to the respective cases for S=A above, ν _k +t ⁰ |=cc and ν _k +t ⁰ |=I(s) for all t ⁰ ≤t _k+1 because of convexity (cf.

Remark 2.1.6)

• δ k |=dc: equivalent to the respective case above, with δ k instead of δ ¯ _k+1

Thus, hs, δ _k , ν _k i −−−−−→hs, δ

k , ν _k +t _k+1 i is gained from e using (2.16).

Together, we get r _σ ∈Run _S,k+1 for S=N.

Finally, we get r _σ ∈Run _S,k+1 for all systems S∈{A, T, N}, and we define the map

↓ ^σ _r :V(ϕ(S) _k )→Run _{S ,k} such that for every interpretation σ∈V(ϕ(S) _k ), we have that

↓ ^σ _r (σ)=r σ ∈Run S,k is the derived run.

Proposition A.1.5 (Derived Run, Product). For σ∈V(ϕ(S ₁ ./S ₂ ) _k ), the de- rived run r σ is a run of S T

./T

of length k, i.e., r σ ∈Run S

./S

,k .

Proof (Idea). The proof is along the same lines as the proof of Lemma A.1.4. In

IS, we first show that for i=1, 2, reducing a transition of the product S ₁ ./S ₂ (of the

form h(l _k,1 , l _k,2 ), ν _k i −

→h(l k+1,1 , l _k+1,2 ν _k+1 i for S=A, for example) to the constituents

of S _i yields a transition e _i in S _i . We then argue that all possible combinations of

e ₁ and e ₂ correspond to a valid execution in the product automaton (cf. Definitions

2.2.8, 2.3.9 and 2.4.14). In end, we get r _σ ∈Run _S

_./S

_,k .

We now show that the formula representation is complete, i.e, for every run r∈Run _{S ,k} , we can find a model σ∈V(ϕ(S) _k ).

Definition A.1.6 (Derived Interpretation). For r∈Run _S,k , the derived inter- pretation σ _r over (the variables in) ϕ(S) _k is (we use the notation of (i))

σ r (s k

) = tt, iff s=l k

(xi)

σ r (z k

) =



 

 

 

 

0, if k ₀ =0

σ _r (z _k

₋₁ )+t, if S=A and a _k

=t

σ r (z k

−1 )+t k

, if (S=T) or (S=N and γ k

=t k

) σ _r (z _k

₋₁ ), otherwise

(xii)

σ _r (x _k

) = σ _r (z _k

)−ν _k

(x) (xiii)

σ _r (α _k

) =



 

 

ff, if k ₀ =0 tt, iff a _k

=a ff, otherwise

(xiv)

σ _r (p _k

) =



 

 

ff, if k 0 =0

tt, if (p∈P _k

and S=T) or ( c k

(p)= and S=N) ff, otherwise

(xv)

σ _r (Dp _k

) =



 

 

n ^⊥ , if k ₀ =0

∆(¯ δ _k

(p)), if (p∈P _k

and S=T) or ( c k

(p)= and S=N) n ^⊥ , otherwise

(xvi)

σ _r (Dd _k

) =



 

 

n ^⊥ , if k ₀ =0

∆(δ k

(d)), if d∈#(l k

)

∆(¯ δ _k

(d)), otherwise

(xvii)

σ _r (d _k

) = (

ff, if σ r (Dd _k

)=n ^⊥

tt, otherwise (xviii)

σ _r (cp _k

0

) =



 

 

tt, if (k 0 =0) or ( c k

(p)= ! ) ff, if c k

(p)= ?

unspecified, otherwise

(xix)

for all 0≤k 0 ≤k. The derived interpretation for a run of the product, that means for r∈Run _S

_./S

_,k , is defined in the same way, except for rewriting (xi) to

σ _r (s _k

) = tt, iff s=l _k

_,i for s∈S _i , i=1, 2 (xi’) Lemma A.1.7 (Completeness). For r∈Run _{S ,k} , the derived interpretation σ _r is a model of the k-unfolding of S, that means σ _r |=ϕ(S) _k .

Proof. Induction on k.

IA r=hl ₀ , ν ₀ i respectively r=hl ₀ , δ ₀ , ν ₀ i (cf. (i) again). We have σ _r (¯ s ₀ )

= tt for the

initial location ¯ s=l ₀ , and σ _r (s ₀ )

= ff otherwise. For clocks, we have σ _r (z ₀ )

= 0,

and σ r (x 0 )

= σ r (z 0 )−ν 0 (x)=0 for all other clocks x. For I(¯ s)=x∼c, ² we have I(¯ s) ₀ =z ₀ −x ₀ ∼n. Because ν ₀ |=I(¯ s) (cf. Definitions 2.2.4, 2.3.5 and 2.4.6), in particular 0=ν ₀ (x)∼n, therefore σ _r (x ₀ )∼n holds, and thus σ _r |=I(¯ s) ₀ .

We have σ _r (p ₀ )

= ff, σ _r (Dp ₀ )

= n ^⊥ , and σ _r (cp ₀ )

= tt for all ports p, and for all data variables d we have σ _r (Dd ₀ )

= n ^⊥ and σ _r (d ₀ )

= ff.

Thus, σ _r |=ϕ ^init (S) (cf. (3.1), (3.10) and (3.20)), and therefore σ _r |=ϕ(S) ₀ . IH r∈Run _S,k : σ _r |=ϕ(S) _k , for some k≥0.

IS r∈Run _{S ,k+1} : we again consider the different systems separately

S = A: r=hl ₀ , ν ₀ i −

→ . . . −

→hl k , ν _k i −−→hl

k+1 , ν _k+1 i∈Run _{A ,k+1} , and either the last step hl _k , ν _k i −−→hl

k+1 , ν _k+1 i is an action transition (2.1) resulting from execution of a transition e=(s, a, cc, λ, s ⁰ ), or it is a delay transition (2.2) in location s.

In case of an action transition, we have l _k =s, l _k+1 =s ⁰ , a _k+1 =a for some a∈Σ, and ν _k+1 =ν _k . Then

• σ r (s _k+1 )

= tt for s=l _k+1 , and ff otherwise

• σ r (z k+1 )

= σ r (z k )

• σ r (x k+1 )

= σ _r (z k+1 )−ν _k+1 (x)=



 



 



λ(x)=id,(xii)

= σ _r (z _k )−ν _k (x)=σ _r (x _k )

λ(x)=x0

= σ r (z k+1 )−ν k+1 (x ⁰ )

= σ r (x ⁰ _k+1 )

λ(x)=n

= σ _r (z _k+1 )−n

• σ r (α _k+1 )

= tt for a=a _k+1 , and ff otherwise

• For cc=x∼n, we have cc k =(z _k −x _k )∼n. Because ν _k |=(x∼n) (Defini- tion 2.2.4), we have σ _r (z _k )−σ _r (x _k )

∼ n, thus σ _r |=cc _k . The argu- mentation for σ _r |=I(s ⁰ ) _k+1 is similar.

From the above, we get σ _r |=ϕ ^action (e) _k+1/t (3.2) (so σ _r |=ϕ ^trans (A) _k+1/t (3.4)), σ r |=ϕ ^location (A) k+1/t (3.5), and σ r |=ϕ ^mutex (A) k+1/t (3.6).

In case of a delay transition, we have l _k =s=l _k+1 , a _k+1 =t for some t∈Time, and ν _k+1 =ν _k +t. Then

• σ r (s k+1 )

= tt for s=l k+1 , and ff otherwise

• σ r (z _k+1 )

= σ _r (z _k )+t

• σ r (x _k+1 )

= σ _r (z _k+1 )−ν _k+1 (x)

= σ _r (z _k )+t−(ν _k (x)+t)=

σ _r (z _k )−ν _k (x)

= σ _r (x _k )

• σ r (α _k+1 )

= ff for all a∈Σ

• σ r |=I(s) _k+1 : similar to the argumentation for σ _r |=cc _k above

From the above, we get σ _r |=ϕ ^delay (e) _k+1/t (3.3) (so σ _r |=ϕ ^trans (A) _k+1/t (3.4)), σ _r |=ϕ ^location (A) _k+1/t (3.5), and σ _r |=ϕ ^mutex (A) _k+1/t (3.6).

Together, we get σ _r |=ϕ(S) _k+1 for S=A

2

Here and in the remainder of the proof, again we only show the basic cases for simple clock

constraints (without clock differences) and simple data constraints (without addition/subtraction).

S = T: r = hl 0 , δ 0 , ν 0 i −−−−→ . . .

−−−−→hl

^k , δ k , ν k i −−−−−−−−→hl

^k+1 , δ k+1 , ν k+1 i

∈Run _{T ,k+1} , and the last step hl _k , δ _k , ν _k i −−−−−−−−→hl

k+1 , δ _k+1 , ν _k+1 i re- sults from following either a visible transition (2.7) or an invisible transi- tion transition (2.7), (2.8).

In case of a visible transition e=(s, P, dc, cc, λ, s ⁰ ), we have l _k =s, l _k+1 =s ⁰ , P _k+1 =P , and ν _k+1 =ν _k +t _k+1 , with t _k+1 >0. Then

• σ r (s k+1 ), σ r (x k+1 ): equivalent to the respective cases for S=A above

• σ r (z _k+1 )

= σ _r (z _k )+t _k+1

• σ r (p _k+1 )

= tt for p∈P , ff otherwise

• σ r (Dp _k+1 )

= ∆(¯ δ _k+1 ) for p∈P , n ^⊥ otherwise

• σ r (Dd k+1 )

= ∆(δ k+1 (d)) if d∈#(s ⁰ ), ∆(¯ δ k+1 (d)) otherwise

• σ r (d _k+1 )

= ff if σ _r (Dd _k+1 )=n ^⊥ , tt otherwise

• For I(s)=(x∼n), we have I(s) _k+1∆ =(z _k+1 −x _k )∼n. Since ν _k +t|=I(s) for all 0≤t≤t _k+1 (Definition 2.3.5), in particular ν _k (x)+t _k+1 |=(x∼n);

so σ _r (z _k+1 )−σ _r (x _k )

= (σ _r (z _k )+t _k+1 )−(σ _r (z _k )−ν _k (x))=ν _k (x)+t _k+1 , which means that σ _r (z _k+1 )−σ _r (x _k )∼n holds. Therefore σ _r |=I(s) _k+1∆ . The argumentation for σ r |=cc k+1∆ is similar, and the argumentation for σ _r |=I(s ⁰ ) _{k 1} is equivalent to the respective case for S=A above

• For dc=(D'D ⁰ ), '∈{=, 6} (cf. Definition 2.1.7 and Section 3.1.1.5), we have dc _k+1 =(D'D ⁰ ), where D and D ⁰ are either port data variables Dp _k+1 or data content variables Dd k , Dd k+1 (cf. Section 3.1.1.5). Be- cause ¯ δ _k+1 |=dc (Definition 2.3.5), in particular ¯ δ(D) and ¯ δ(D ⁰ ) such that ¯ δ(D)'¯ δ(D ⁰ ) holds. Therefore, σ _r (D)'σ _r (D ⁰ ) holds as well ((xvi), (xvii)), ³ and thus σ r |=dc k+1 .

The case where D∈Data and/or D ⁰ ∈Data, that means where D or D ⁰ are data element representations n ⁱ , is a simplification of the above.

From the above, we get σ _r |=ϕ ^visible (e) _k+1/t (3.11) (so σ _r |=ϕ ^trans (T) _k+1/t (3.16), σ _r |=ϕ ^location (T) _k+1/t (3.14), and σ _r |=ϕ ^mutex (T) _k+1/t (3.15).

In case of an invisible transition e=(s,∅,dc,cc,λ,s ⁰ ), we have l _k =s, l _k+1 =s ⁰ , P _k+1 =∅, and ν _k+1 =ν _k +t _k+1 , with t _k+1 ≥0. Then

• σ r (s _k+1 ), σ _r (z _k+1 ), σ _r (x _k+1 ) as above

• σ r (p _k+1 )

= ff for all p∈P

• σ r (Dd _k+1 ), σ _r (d _k+1 ), σ _r |=I(s) _k+1∆ , σ _r |=cc _k+1∆ , σ _r |=I(s ⁰ ) _{k 1} σ _r |=dc _k+1 : as above

From the above, we get σ _r |=ϕ ^invisible (e) _k+1/t (3.12) (so σ _r |=ϕ ^trans (T) _k+1/t (3.16), σ _r |=ϕ ^location (T) _k+1/t (3.14), and σ _r |=ϕ ^mutex (T) _k+1/t (3.15).

Together, we get σ _r |=ϕ(S) _k+1 for S=T

S = N: r=hl ₀ , δ ₀ , ν ₀ i −−→ . . .

−

−− →hl k , δ _k , ν _k i −−−−−→hl

k+1 , δ _k+1 , ν _k+1 i, where r∈Run _N,k+1 , and either the last step hl _k , δ _k , ν _k i −−−−−→hl

k+1 , δ _k+1 , ν _k+1 i

3

Note that (Definition 2.3.5) δ(d) and ¯ δ(d) coincide in case d∈#(s) for any location s.

is an action transition (2.15) resulting from executing a communication, or it is a delayed action transition (2.16) resulting from executing a delay.

In case of a communication e=(s, c, dc, cc, λ, s ⁰ ), we have l _k =s, l _k+1 =s ⁰ , and γ _k+1 =¯ δ _k+1 . Then

• σ r (s _k+1 ), σ _r (x _k+1 ), σ _r (z _k+1 ), σ _r (d _k+1 ): equivalent to the respective cases for S=T above

• σ r (p _k+1 )

= tt if c k+1 (p)= , ff otherwise

• σ r (cp _k+1 )

= tt if c k+1 (p)= ! , σ _r (cp _k+1 )=ff if c k+1 (p)= ? , unspec- ified otherwise

• σ r (Dp _k+1 )

= ∆(¯ δ k+1 (p)) if c k+1 (p)= , n ^⊥ otherwise

• σ r (Dd _k+1 ), σ _r (d _k+1 ), σ _r |=cc _k , σ _r |=dc _k+1 , σ _r |=I(s ⁰ ) _k+1 : equivalent to the respective cases for S=T above

From the above, we get σ _r |=ϕ ^commu (e) _k+1/t (3.21) (so σ _r |=ϕ ^trans (N) _k+1/t (3.26)), σ r |=ϕ ^location (N) _k+1/t (3.24), and σ r |=ϕ ^mutex (N) k+1 (3.25).

The case of a delay e=(s, c, dc, cc, id, s) is essentially equivalent to the case of a communication, and needs not be considered separately. For a delay, we get σ _r |=ϕ ^delay (e) _k+1/t (3.22) (so σ _r |=ϕ ^trans (N) _k+1/t (3.26)), σ _r |=ϕ ^location (N) _k+1/t (3.24), and σ _r |=ϕ ^mutex (N) _k+1 (3.25).

Together, we get σ r |=ϕ(S) k+1 for S=N

Finally, we get σ _r |=ϕ(S) _k+1 for all systems S∈{A, T, N}, and we define the map

↓ ^r _σ :Run _S,k →V(ϕ(S) _k ) such that for every run r∈Run _{S ,k} , ↓ ^r _σ (r)=σ _r ∈V(ϕ(S) _k ) is the derived interpretation.

Proposition A.1.8 (Derived Interpretation, Product). For r∈Run _S

_./S

_,k , the derived interpretation σ _r is a model of ϕ(S ₁ ./S ₂ ) _k , i.e. σ∈V(ϕ(S ₁ ./S ₂ ) _k ).

Proof (Idea). The proof is along the same lines as the proof of Lemma A.1.7: in IS, we show that for i=1, 2, the derived interpretation σ _r for a run r∈Run _S

_./S

_,k+1 , reduced to the variables of ϕ(S _i ) _k , is a model of ϕ(S _i ) _k .

Using the above, the proof of Theorem 3.2.4 (found on Page 61) is straightfor- ward:

Proof of Theorem 3.2.4. This follows directly from Lemma A.1.4 and Lemma A.1.7.

Theorem A.1.9 (Soundness, Completeness). The formula representation ϕ(S) of a real-time system S, as defined in Definitions 3.1.1, 3.1.4 and 3.1.9, is correct, that means ϕ(S) exhibits the same behaviour as S.

Proof. This follows directly from Lemma A.1.4 and Lemma A.1.7.

A.2 Correctness of Abstraction

In this Section, we prove that the abstraction function α, as presented in Section 4.1, yields a correct over-approximation. To yield an over-approximation, every finite run of the concrete system S (represented by a model of ϕ(S) _k , see Theorem A.1.9) has to be reproducible in the abstract case. ⁴ This is captured in Lemma 4.1.7. Here, we prove an even stronger correctness result, which in particular emphasises the structural relationships between concrete and abstract formula. We show that the diagram in Figure A.2 commutes, which allows us to conclude the existence of a homomorphism h _R between concrete and abstract set of runs.

Run _{S ,k} V(ϕ(S) _k ) V(ϕ( e S) _k ) Run

S e ,k

S ϕ(S) _k ϕ( e S) _k S e

i ii iii

ϕ α ϕ

run ↓ ^r _σ model model run

↓ ^σ _r

⊆

↓ ^σ _r

↓ ^r _σ h _R

Figure A.2: Strong Correctness of Abstraction

The idea of the proof is as follows: since α works locally, it retains the formula structure of ϕ(S) if S=A (cf. (3.7)), and it retains the formula structure of ϕ(S) up to data constraints if S=T (cf. (3.16)). ⁵ Therefore, there exists some system e S of the same representation ϕ( e S) _k = α(ϕ(S) _k ) (up to logical equivalence and data constraints). With this, subdiagrams (i) and (iii) in Figure A.2 commute according to Theorem A.1.9. Moreover, subdiagram (ii) in Figure A.2 commutes according to Lemma 4.1.7 (since every model of ϕ( e S) _k is a model of α(ϕ(S) _k )), such that the whole diagram commutes.

Notation A.2.1 (Notation of Systems). If not stated otherwise, we shall assume the constituents of a TA A to be denoted as A=(S, s 0 , Σ, X , I, E), and of a TCA T as T=(S, s ₀ , P, X , I, D, #, E). We use the general notion S, with S∈{A, T}, whenever possible, and if applicable, we may refer to common constituents (i.e., S, s ₀ , X , I, E) without explicitly mentioning A or T. For a system with identifier e S, we add the symbol e to all constituents, equivalently, for a system with identifier S _i , we add index i to all constituents.

We use the notation of representation variables introduced in Section 3.1.1.

4

Note that unlike in Section A.1, where we had S∈{A, T, N}, here we only have S∈{A, T}, cf.

Section 4.1.

5

To guarantee that α yields an over-approximation, we may retain only those data constraints that reason about ports not merged by γ, cf. Definition 4.1.3 and the explanations thereafter.

Therefore, we cannot expect that the formula structure of data constraints is preserved.

Definition A.2.2 (Homomorphism of Runs). Let A, e A be TA, T, e T be TCA, both with X ⊇ e X and |S|≥| e S|. Let |Σ|≥|e Σ|, |P|≥| e P|, and |D|≥| e D|. Let S _A , S _T , S e A and S

e T be the associated transition systems, and let Run _A , Run _T , Run

A e and Run _{e T} be the sets of runs. Let γ _S :S→ e S, γ _Σ :Σ→e Σ, γ _P :P→ e P and γ D :D→ e D be total, surjective mappings.

A function h _R :Run _A →Run

A e is called a homomorphism of runs (between Run _A and Run _{A e} ) iff for each run

r=hl ₀ , ν ₀ i −

→hl 1 , ν ₁ i −

→hl 2 , ν ₂ i∈Run _A , there exists a run h(r)= e r,

e r=he l ₀ , ν e ₀ i −

→he

l ₁ , ν e ₁ i −

→he

l ₂ , ν e ₂ i . . . ∈Run

A e , with γ _S (l _i )=e l _i , ν e _i =ν _i | _{X e} , and γ _Σ (γ _i )= γ e _i for all i≥0.

A function h R :Run T →Run _{T e} is called a homomorphism of runs (between Run T

and Run

e T ) iff for each run

r=hl ₀ , δ ₀ , ν ₀ i −−−−→hl

1 , δ ₁ , ν ₁ i −−−−→hl

2 , δ ₂ , ν ₂ i∈Run _T , there exists a run h(r)= e r,

e r=he l 0 , e δ 0 , ν e 0 i −−−−→he

l 1 , e δ 1 , ν e 1 i −−−−→he

l 2 , e δ 2 , ν e 2 i∈Run _{T e} , with γ _S (l _i )=e l _i , ν e _i =ν _i |

X e , γ _P (P _i )= e P _i , e ¯ δ _i ( p)=n only if δ e _i (p)=n for some p∈γ _P ⁻¹ ( p), e δ e i ( e d)=n only if δ i (d)=n for some d∈γ _D ⁻¹ ( e d), and e δ ¯ i ( e d)=n only if ¯ δ i (d)=n for some d∈γ _D ⁻¹ ( e d), for all i≥0.

For the sets of finite runs Run _{A ,k} , Run _{T ,k} , Run

A e ,k and Run

e T ,k , h _R is defined analogously.

Intuitively speaking, an abstraction is correct if the semantics of the abstract system is not reduced with respect to the semantics of the concrete system. That means, every behaviour that is possible in the concrete system has to be possible in the abstract system as well. Since we have defined the semantics of a real-time system S via sets of runs (Definitions 2.2.4 and 2.3.5), an abstraction of S is correct if for all systems S and e S, such that e S is obtained from S by abstraction, there exists a homomorphism of runs h _R :Run _S →Run

S e , as defined in definition A.2.2. To prove the existence of h _R , we show that Figure A.2 is a commuting diagram.

The general proof idea is shown in Figure A.3: let S be a real-time system, with k-unfolding ϕ(S) _k . The abstraction function α preserves the structure of ϕ(S) _k , that means the abstraction α(ϕ(S) _k ) of ϕ(S) _k is the k-unfolding ϕ( e S) _k of some system e S. Though the abstraction function α is defined on formulas rather than on systems, the system e S can be “derived” from the formula representation α(ϕ(S) _k ) (Proposition A.2.7). For r∈Run _S,k and e r∈Run _{S,k e} , such that h _R (r)= e r, there exists an interpretation σ∈V(ϕ( e S) _k ), such that e r is the derived run r _σ of σ.

In other words, the commutative property can be summarised as follows: the

possible behaviour of the abstract system e S, given by the set of runs Run _{S,k e} , is

Run

V(ϕ(S)

) V(ϕ( e S)

) Run

Se,k

S ϕ(S)

ϕ( e S)

S e

ϕ α ϕ

run model model run

↓

↓

⊆ ↓

↓

h

Figure A.3: Abstraction by Omission: Basic proof idea

obtained from the possible behaviour of the original system Run _S,k and the homo- morphism of runs h _R (lower path in Figure A.3). Run _{S,k e} is also obtained from the k-unfolding ϕ(S) _k of S, the abstraction function α, the set of models of α(ϕ(S) _k ), and the set of derived runs for these interpretations (upper path in Figure A.3).

We can already state that

Proposition A.2.3 (Commuting Subdiagrams). The subdiagrams (i) and (iii) in Figure A.2 are a commuting diagram each.

Proof. This follows directly from Theorem A.1.9.

The subdiagram (iii) in Figure A.2 is a commuting diagram when considered separately. Yet, with respect to the overall context of Figure A.2, the fact that MO is not defined on systems S but on formulas has to be taken into account. However, Proposition A.2.7 below will show the existence of such an abstract system e S.

We first show that the abstract formula α(ϕ(S)) is weaker than the concrete formula ϕ(S) (cf. Lemma 4.1.7 on Page 73).

Proof of Lemma 4.1.7. Let L be a literal. The proof is done inductively on the structure of the formula F :

IA: We need to consider the different cases in (4.1)

• If F =L, Conts(L)∩ ^• α=∅, then α(F )

= L. (L → L) holds trivially.

• If F =L, Conts(L)∩ ^• α6=∅, L=p∈P, then α(F )

= γ(p). By definition of γ, γ(p)=q for some q∈P ⁰ . By definition of γ _α (4.3), (p → q) holds.

• For all other literals L, α(L)

= true. (L → true) holds trivially.

• If F =¬p∧p ⁰ , with p, p ⁰ ∈P and γ(p)=γ(p ⁰ )=q (basic case of (4.1c)), then α(F )

= α(¬p)∧α(p ⁰ )

= q∧q=q. By definition of γ _α , ((¬p∧p ⁰ )→

q) holds.

• If F =¬p∧¬p ⁰⁰ , with p, p ⁰⁰ ∈P and γ(p)=γ(p ⁰⁰ )=q (basic case of (4.1d)), then α(F )

= α(¬p)∧α(¬p ⁰⁰ )

= ¬q∧¬q = ¬q. By definition of γ _α , ((¬p∧¬p ⁰⁰ ) → ¬q) holds.

IH: For formulas F ₁ and F ₂ , (F ₁ → α(F ₁ )) and (F ₂ → α(F ₂ )) holds.

IS: • If F =F 1 ∧F 2 , then α(F )

= α(F 1 )∧α(F 2 ). ((F 1 ∧F 2 ) → (α(F 1 )∧α(F 2 ))) holds by IH and propositional logic.

• If F =F 1 ∨F ₂ , then α(F )

= α(F ₁ )∨α(F ₂ ). ((F ₁ ∨F ₂ ) → (α(F ₁ )∨α(F ₂ ))) holds by IH and propositional logic.

• If F =F 1 ∧γ _α , then α(F )

= α(F ₁ ) ∧ γ _α . ((F ₁ ∧γ _α ) → (α(F ₁ )∧γ _α )) holds by IH and propositional logic.

We want to show that MO preserves the formula representation. Since MO is defined for formulas in NNF (cf. Definition 4.1.5), we first show that transformation to NNF preserves the formula representation.

Remark A.2.4 (NNF preserves the Formula Representation). Let S be a real-time system, with formula representation ϕ(S) and k-unfolding ϕ(S) _k . The transformation to NNF of ϕ(S) and ϕ(S) _k preserves the formula structure, that means, NNF (ϕ(S)) is a formula of the form (3.7) respectively (3.16), and similarly, NNF (ϕ(S) _k ) is a formula of the form (3.29).

Proof. For S=A, the formulas ϕ(A) and ϕ(A) _k are in NNF already, so nothing needs to be shown.

For S=T, the only parts of ϕ(T) and ϕ(T) _k which are not yet in NNF are the representations of data constraints. It is easy to see that for a data constraint dc∈DC(P,D), with representation dc∈DC(P _DA ,D), the transformation NNF (dc) to NNF is a well-formed data constraint according to Definition 2.1.7, too, that means NNF (dc)∈DC(P _DA ,D).

Next, we show that MO preserves the structure of data and clock constraints.

Lemma A.2.5 (MO preserves Data and Clock Constraints). Let P be a set of ports, D a set of data variables, and X a set of clocks. Let dc∈DC(P,D) be a data constraint (cf. Definition 2.1.7), cc∈CC(X ) a clock constraint (cf. Definition 2.1.2).

Let dc∈DC(P _DA ,D _CO ) be the representation of dc, and cc∈CC(X) the representations of cc (cf. Section 3.1.1). The abstraction function α preserves the structure of data and clock constraints, that means α(dc) and α(cc) are also valid representations of data and clock constraints.

Proof. By definition, α changes only literals. Since dc and cc do not contain propositional variables, neither of (4.1b), (4.1c) or (4.1d) is applicable. Therefore, α preserves the logical structure, ⁶ and literals are either kept unchanged (4.1a) or mapped to true (4.1e). Thus, α(dc)∈DC(P DA ,D CO ), and α(cc)∈CC(X).

6

The logical structure of a formula is the order of its literals and the logical operators ∧, ∨

and ¬. For example, for a formula F = (p ∨ ¬q) ∧ ¬(r ∧ ¬(x = 5)), with p, q, r ∈ P being atomic

propositions and x ∈ V being a variable, the logical structure is F = (l

∨ l

) ∧ ¬(l

∧ l

) (for literals

l

). Note that an occurrence of ¬ is part of the logical structure only if it is not part of a literal.

Remark A.2.6 (Lifting of MO). For argumentation purposes, we lift α in the straightforward way to reason about constituents of systems rather than formulas.

For example, for a clock x with representation x, we may write x∈O instead of x∈O.

Similarly, we lift α to reason about sets rather than single variables. For example, for the set of locations S and the set of clocks X , we may write α(S) and α(X ) to denote the set of locations respectively clocks in the abstract system, that means α(S)={s ⁰ | s∈S, γ(s)=s ⁰ }, and α(X )={x | x6∈O}=X \O. By α(λ), we denote the update map λ, reduced to the clocks of the abstract system. That is, α(λ)=λ| _{α(X )} .

We are now ready to show that MO preserves the formula representation of TA, and preserves the formula representation of TCA up to data constraints.

Proposition A.2.7 (MO preserves the Formula Representation). Let A = (S, s ₀ , Σ, X , I, E) be a TA, T=(S, s ₀ , P, X , I, D, #, E) a TCA, with formula repre- sentations ϕ(A), ϕ(T), and k-unfoldings ϕ(A) k , ϕ(T) k in NNF (cf. Remark A.2.4).

Let α be an abstraction function, with γ and O as in Definition 4.1.5.

The abstraction by merging omission preserves the formula representation and k-unfolding of A, and it preserves the formula representation and k-unfolding of T up to data constraints. That means, there exists a TA e A, with formula representation ϕ(e A) and k-unfolding ϕ(e A) _k , such that

ϕ(e A) = α(ϕ(S)), and

ϕ(e A) _k = α(ϕ(A) _k ), (xx)

and there exists a TCA T, with formula representation ϕ(e T) and k-unfolding ϕ(e T) _k , such that

ϕ(e T)\ _dc = α(ϕ(T))\ _dc , and

ϕ(e T) _k \ _dc = α(ϕ(T ) _k )\ _dc , (xxi) where \ _dc is a function that replaces all literals of the form (D'D ⁰ ) or ¬(D'D ⁰ ), with ' ∈{=, 6}, and D, D ⁰ either port data variables Dp _t , data content variables Dd t , or data element representations n ⁱ (cf. Definition 2.1.7 and Section 3.1.1.5), and t∈ N, in a formula by true.

Proof of (xx). (for the proof of (xxi), please refer to Page 143).

Let A ⁰ =(S ⁰ , s ⁰ ₀ , Σ ⁰ , X ⁰ , I ⁰ , E ⁰ ) be a TA, with S ⁰ =α(S), s ⁰ ₀ =α(s ₀ ), Σ ⁰ =α(Σ), X ⁰ =α(X ), I ⁰ (s)=α(I(s)) for all s∈S ⁰ , and E ⁰ ={(α(s), α(a), α(cc), α(λ), α(s ⁰ )) | (s, a, cc, λ, s ⁰ ) ∈ E}. Let ϕ(A ⁰ ) and ϕ(A ⁰ ) _k be the formula representation and k-unfolding of A ⁰ . Observe that we have

S ⁰ =α(S)={s|s∈S, α(s)=id}∪{s ⁰ |s∈S, α(s)=s ⁰ }, and (*) Σ ⁰ =α(Σ)={a|a∈Σ, α(a)=id}∪{a ⁰ |a∈Σ, α(a)=a ⁰ } (**) We first show that ϕ(A ⁰ )=α(ϕ(A)). By Definitions 3.1.1 and 4.1.5, we have

α(ϕ(A)) = α(ϕ ^init (A) ∧ ϕ ^trans (A) ∧ ϕ ^location (A) ∧ ϕ ^mutex (A))

= α(ϕ ^init (A)) ∧ α(ϕ ^trans (A)) ∧ α(ϕ ^location (A)) ∧ α(ϕ ^mutex (A))

ϕ(A ⁰ ) = ϕ ^init (A ⁰ ) ∧ ϕ ^trans (A ⁰ ) ∧ ϕ ^location (A ⁰ ) ∧ ϕ ^mutex (A ⁰ )

Consider the corresponding parts in α(ϕ(A)) and ϕ(A ⁰ ) separately 1. Initial constraints ϕ ^init :

α(ϕ ^init (A)) = α ¯ s ₀ ∧ V

s∈S,s6=¯ s

¬s ₀ ∧ I(¯ s) ₀ ∧ V

a∈Σ

(¬α ₀ ) ∧(z ₀ =0) ∧ V

x∈X

(x ₀ =0)

= α(¯ s ₀ ) ∧ V

s∈S,s6=¯ s

α(¬s ₀ ) ∧ α(I(¯ s) ₀ ) ∧ V

a∈Σ

α((¬α ₀ )) ∧ α((z ₀ =0)) ∧ V

x∈X

α((x ₀ =0))

= α(¯ s 0 ) ∧ V

s∈S,s6=¯ s, α(s)=id

¬s ₀ ∧ V

s∈S,s6=¯ s, α(s)=s

6=α(¯ s)

¬s ⁰ ₀ ∧ α(I(¯ s) ₀ ) ∧ V

a∈Σ, α(a)=id

(¬a ₀ ) ∧

V

a∈Σ, α(a)=a

(¬α ⁰ ₀ ) ∧(z ₀ =0) ∧ V

x∈X \O

(x ₀ =0)

ϕ ^init (A ⁰ ) = ¯ s ⁰ ₀ ∧ V

s∈S

,s6=¯ s

¬s ₀ ∧ I(¯ s ⁰ ) ₀ ∧ V

a∈Σ

(¬α ₀ ) ∧(z ₀ =0) ∧ V

x∈X

(x ₀ =0) By definition of A ⁰ , we have α(¯ s ₀ )=¯ s ⁰ ₀ , and α(I(¯ s) ₀ )=I(¯ s ⁰ ) ₀ . Because of (*), (**), and the fact that X ⁰ =X \O, we finally get

α(ϕ ^init (A)) = ϕ ^init (A ⁰ ) 2. Transition relation ϕ ^trans :

α(ϕ ^trans (A)) = α( W

e∈E

ϕ ^action (e) ∨ W

s∈S

ϕ ^delay (s))

= W

e∈E

α(ϕ ^action (e)) ∨ W

s∈S

α(ϕ ^delay (s))

ϕ ^trans (A ⁰ ) = W

e∈E

α(ϕ ^action (e)) ∨ W

s∈S

α(ϕ ^delay (s))

Consider an action transition e=(s, a, cc, λ, s ⁰ )∈E:

α(ϕ ^action (e)) = α(s _t ∧ α _{t 1} ∧ cc _t ∧(z _t =z _{t 1} ) ∧ V

λ(x)=id

(x _{t 1} =x _t ) ∧ V

λ(x)=x

(x _{t 1} =x ⁰ _{t 1} ) ∧ V

λ(x)=n

(x _{t 1} =z _{t 1} −n) ∧ s ⁰ _{t 1} ∧ I(s ⁰ ) _{t 1} )

= α(s _t ) ∧ α(α _t ) ∧ α(cc _t ) ∧ α(z _t =z _{t 1} ) ∧ V

λ(x)=id

α(x _{t 1} =x _t ) ∧ V

λ(x)=x

α(x _{t 1} =x ⁰ _{t 1} ) ∧ V

λ(x)=n

α(x _{t 1} =z _{t 1} −n) ∧ α(s ⁰ _{t 1} ) ∧ I(s ⁰ ) _{t 1}

= α(s _t ) ∧ α(α _{t 1} ) ∧ α(cc _t ) ∧(z _t =z _{t 1} ) ∧ V

λ(x)=id, x∈X \O

(x _{t 1} =x _t ) ∧

V

λ(x)=x

, x,x

∈X \O

(x _{t 1} =x ⁰ _{t 1} ) ∧ V

λ(x)=n, x∈X \O

(x _{t 1} =z _{t 1} −n) ∧ α(s ⁰ _{t 1} ) ∧ I(s ⁰ ) _{t 1}

and its counterpart e ⁰ =(α(s), α(a), α(cc), α(λ), α(s ⁰ ))∈E ⁰ :

ϕ ^action (e ⁰ ) = α(s _t ) ∧ α(α _{t 1} ) ∧ α(cc _t ) ∧(z _t =z _{t 1} ) ∧ V

α(λ)(x)=id

(x _{t 1} =x _t ) ∧ V

α(λ)(x)=x

(x t 1 =x ⁰ t 1 ) ∧ V

α(λ)(x)=n

(x t 1 =z t 1 −n) ∧ α(s ⁰ t 1 ) ∧ α(I(s ⁰ ) _t )

Because X ⁰ =X \O, we have

α(ϕ ^action (e)) = ϕ ^action (e ⁰ ) For a delay transition in s, we have

α(ϕ ^delay (s)) = α(s _t ∧ V

a∈Σ

¬α _{t 1} ∧(z _t ≤z _{t 1} )∧ V

x∈X

(x _t =x _{t 1} )∧s _{t 1} ∧I(s) _{t 1} )

= α(s _t )∧ V

a∈Σ

α(¬α _{t 1} )∧α(z _t ≤z _{t 1} )∧ V

x∈X

α(x _t =x _{t 1} )∧α(s _{t 1} )∧α(I(s) _{t 1} )

= α(s t ) ∧ V

a∈Σ, α(a)=id

¬α t 1 ∧ V

a∈Σ, α(a)=a

(¬α ⁰ t 1 )∧(z t ≤z t 1 )∧

V

x∈X , x∈X \O

(x _t =x _{t 1} )∧α(s _{t 1} )∧α(I(s) _{t 1} )

and for the corresponding delay transition in s ⁰ , we have ϕ ^delay (s ⁰ ) = α(s _t )∧ V

a∈Σ

¬α _{t 1} ∧(z _t ≤z _{t 1} )∧ V

x∈X

(x _t =x _{t 1} )∧α(s _{t 1} )∧α(I(s) _{t 1} ) Because of (**), we have

α(ϕ ^delay (s)) = ϕ ^delay (s ⁰ )

Since there is a one-to-one relation between transitions in E and E ⁰ , and by definition of ∨, we finally have

α(ϕ ^trans (A)) = ϕ ^trans (A ⁰ ) 3. Mutual exclusion of locations ϕ ^location :

α(ϕ ^location (A)) = α( W

s∈S

(s _{t 1} ∧ V

s

∈S,s

6=s

¬s ⁰ _{t 1} ))

= W

s∈S

(α(s _{t 1} )∧ V

s

∈S,s

6=s

α(¬s ⁰ _{t 1} ))

= W

s∈S α(s)=id

(s _t ∧ V

s

∈S,s

6=s α(s

)=id

¬s ⁰ _t ∧ V

s

∈S,s

6=s α(s

)=¯ s6=s

¬¯ s t ) ∨

W

s∈S α(s)=ˆ s

(^ s _t ∧ V

s

∈S,s

6=s α(s

)=id

¬s ⁰ _t ∧ V

s

∈S,s

6=s α(s

)=¯ s6=s

¬¯ s _t )

ϕ ^location (A ⁰ )) = W

s∈S

(s _{t 1} ∧ V

s

∈S

,s

6=s

¬s ⁰ _{t 1} )

Because of (*), we have

α(ϕ ^location (A)) = ϕ ^location (A ⁰ )) 4. Mutual exclusion of events ϕ ^mutex :

α(ϕ ^mutex (A)) = α( W

a∈Σ

(α _{t 1} ∧ V

a

∈Σ,a

6=a

¬α ⁰ _{t 1} )∨ V

a∈Σ

(¬α _{t 1} ))

= W

a∈Σ

(α(α _{t 1} )∧ V

a

∈Σ,a

6=a

α(¬α ⁰ _{t 1} ))∨ V

a∈Σ

α(¬α _{t 1} )

= W

a∈Σ α(a)=id

(α t ∧ V

a

∈Σ,a

6=a α(a

)=id

¬α ⁰ t ∧ V

a

∈Σ,a

6=a α(a

)=¯ a6=a

¬¯ α t ) ∨

W

a∈Σ α(a)=ˆ a

(^ α _t ∧ V

a

∈Σ,a

6=a α(a

)=id

¬α ⁰ _t ∧ V

a

∈Σ,a

6=a α(a

)=¯ a6=a

¬¯ α _t ) ∨

V

a∈Σ, α(a)=id

(¬a) ∧ V

a∈Σ, α(a)=¯ a

(¬¯ α _{t 1} )

ϕ ^mutex (A ⁰ )) = W

a∈Σ

(α t 1 ∧ V

a

∈Σ

,a

6=a

¬α ⁰ _{t 1} )∨ V

a∈Σ

(¬α t 1 )

Because of (**), we have

α(ϕ ^mutex (A)) = ϕ ^mutex (A ⁰ )), From the four cases above, we get

α(ϕ(A)) = ϕ(A ⁰ ) The argumentation for

α(ϕ(A) _k )=ϕ(A ⁰ ) _k is similar.

Thus, the TA A ⁰ satisfies the conditions (xx), and we have shown that MO preserves the formula representation and k-unfolding of TA.

Proof of (xxi). Let T ⁰ = (S ⁰ , s ⁰ ₀ , P, X ⁰ , I ⁰ , D ⁰ , # ⁰ , E ⁰ ) be a TCA, with S ⁰ =α(S), s ⁰ ₀ =α(s ₀ ), P ⁰ =α(P), X ⁰ =α(X ), I ⁰ (s)=α(I(s)) for all s∈S ⁰ , D ⁰ =α(D), # ⁰ (s)=α(#(s)) for all s∈S ⁰ , and E ⁰ ={(α(s), α(P ), α(dc), α(cc), α(λ), α(s ⁰ ))|(s, P, dc, cc, λ, s ⁰ )∈E}.

Let ϕ(T ⁰ ) and ϕ(T ⁰ ) _k be the formula representation and k-unfolding of T ⁰ . Observe that we have

S ⁰ =α(S)={s|s∈S, α(s)=id}∪{s ⁰ |s∈S, α(s)=s ⁰ }, (†)

Σ ⁰ =α(Σ)={a|a∈Σ, α(a)=id}∪{a ⁰ |a∈Σ, α(a)=a ⁰ }, and (‡)

D ⁰ =α(D)={d|d∈D, α(d)=id}∪{d ⁰ |d∈D, α(d)=d ⁰ } (††)

We first show that ϕ(T ⁰ )\ _dc =α(ϕ(T))\ _dc . By definition of \ _dc , and Definitions 3.1.4 and 4.1.5, we have

α(ϕ(T))\ _dc = α(ϕ ^init (T) ∧ ϕ ^trans (T) ∧ ϕ ^location (T) ∧ ϕ ^mutex (T))\ _dc

= α(ϕ ^init (T))\ _dc ∧ α(ϕ ^trans (T))\ _dc ∧ α(ϕ ^location (T))\ _dc ∧ α(ϕ ^mutex (T))\ _dc

ϕ(T ⁰ )\ dc = ϕ ^init (T ⁰ )\ dc ∧ ϕ ^trans (T ⁰ )\ dc ∧ ϕ ^location (T ⁰ )\ dc ∧ ϕ ^mutex (T ⁰ )\ dc

Consider the corresponding parts in α(ϕ(T))\ _dc and ϕ(T ⁰ )\ _dc separately 1. Initial constraints ϕ ^init :

α(ϕ ^init (T))\ dc = α ¯ s 0 ∧ V

s∈S,s6=¯ s

¬s 0 ∧ I(¯ s) ₀ ∧ V

p∈P

(¬p 0 ∧(Dp ₀ =n ^⊥ )) ∧ V

d∈D

(¬d ₀ ∧(Dd ₀ =n ^⊥ )) ∧(z ₀ =0) ∧ V

x∈X

(x ₀ =0)
\ _dc

= α(¯ s 0 )\ dc ∧ V

s∈S,s6=¯ s

α(¬s 0 )\ dc ∧ α(I(¯ s) ₀ )\ dc ∧ V

p∈P

α(¬p 0 )\ dc ∧ V

p∈P

α((Dp ₀ =n ^⊥ ))\ _dc ∧ V

d∈D

α(¬d ₀ )\ _dc ∧ V

d∈D

α((Dd ₀ =n ^⊥ ))\ _dc ∧ α((z ₀ =0))\ _dc ∧ V

x∈X

α((x ₀ =0))\ _dc

= α(¯ s 0 ) ∧ V

s∈S,s6=¯ s, α(s)=id

¬s ₀ ∧ V

s∈S,s6=¯ s, α(s)=s

6=α(¯ s)

¬s ⁰ ₀ ∧ α(I(¯ s) ₀ ) ∧ V

p∈P, α(p)=id

(¬p ₀ ) ∧

V

p∈P, α(p)=p

(¬p ⁰ ₀ ) ∧ V

d∈D, α(d)=id

(¬d ₀ ) ∧ V

d∈D, α(d)=d

(¬d ⁰ ₀ ) ∧

(z ₀ =0) ∧ V

x∈X \O

(x ₀ =0)

ϕ ^init (T ⁰ )\ _dc = ¯ s ⁰ ₀ \ _dc ∧ V

s∈S

,s6=¯ s

¬s ₀ \ _dc ∧ I(¯ s ⁰ ) ₀ \ _dc ∧ V

p∈P

(¬p ₀ ∧(Dp ₀ =n ^⊥ ))\ _dc ∧ V

d∈D

(¬d ₀ ∧(Dd ₀ =n ^⊥ ))\ _dc ∧(z ₀ =0)\ _dc ∧ V

x∈X

(x ₀ =0)\ _dc

= ¯ s ⁰ ₀ ∧ V

s∈S

,s6=¯ s

¬s ₀ ∧ I(¯ s ⁰ ) ₀ ∧ V

p∈P

(¬p ₀ ) ∧ V

d∈D

(¬d ₀ ) ∧(z ₀ =0) ∧ V

x∈X

(x ₀ =0)

By definition of T ⁰ , we have α(¯ s 0 ) = ¯ s ⁰ ₀ , and α(I(¯ s) ₀ ) = I(¯ s ⁰ ) ₀ . Because of (†), (‡) and (††), and the fact that X ⁰ =X \O, we finally get

α(ϕ ^init (T))\ _dc = ϕ ^init (T ⁰ )\ _dc 2. Transition relation ϕ ^trans :

α(ϕ ^trans (T))\ dc = α( W

e∈E,e visible

ϕ ^visible (e) ∨ W

e∈E,e invisible

ϕ ^invisible (e))\ dc

= W

e∈E,e visible

α(ϕ ^visible (e))\ _dc ∨ W

e∈E,e invisible

α(ϕ ^invisible (e))\ _dc