Available online at www.sciencedirect.com

SCIENCE ^ DIRECT»

ELSEVIER Electronic Notes in Theoretical Computer Science 104 (2004) 81-97

www.elsevier.com/locate/entcs

Timing in the Cospan-Span Model

A. Cherubini1 '2

Dipartimento di Matematica Politécnico di Milano Milano, Italy

N. Sabadini,1 '3 R.F.C. Walters1 '4

Dip. Scienze CC. FF. MM. Università dell'Insubria Como, Italy

Abstract

The compositional cospan-span model of concurrent systems introduced in [8],[10] has been shown to model cleanly a variety of phenomena from the original motivation in concurrency, to circuits [9], hierarchy [12], mobility [10], and coordination [10]. The purpose of this paper is to investigate further the expressivity of the cospan-span model, in particular for the modelling of discrete realtime systems. After reviewing the model, explaining its real-time interpretation and discussing some canonical examples, we develop in detail a case study - the specification and verification of a level crossing. In this development similarities with the timed-automata model of Alur and Dill [1] emerge.

Keywords: Cospan, span, timed automata, compositional

1 The research has been financially supported by the Dipartimento di Scienze Chimiche, Fisiche e Matematiche of the University of Insubria, Como, Italy, and by the Italian Pro-getti Cofinanziati MIUR: Computational Metamodels (COMETA), and Linguaggi Formali e Automi: teoria e applicazioni.

2 Email: aleche@mate.polimi.it

3 Email: nicoletta.sabadini@uninsubria.it

4 Email: robert.walters@uninsubria.it

1571-0661/$ - see front matter © 2004 Elsevier B.V. All rights reserved. doi:10.1016/j.entcs.2004.08.020

1 Introduction.

The compositional cospan-span model of concurrent systems introduced in [8], [10] has been shown to model cleanly a variety of phenomena from the original motivation in concurrency, to circuits [9], hierarchy [12], mobility [10], and coordination [10]. The elements of the model are cospan of spans of graphs - which in this paper we shall call simply automata. These automata have states and transitions, as well as interfaces and conditions. There are two classes of operations on these automata - parallel (or product) and sequential (or sum) operations - hence yielding an algebra of automata. A system is an expression (or even a recursive equation) in this algebra.

The purpose of this paper is to investigate further the expressivity of the cospan-span model, in particular for the modelling of discrete real-time systems. In fact there is no need to change the mathematics in order to model time constraints, just the need to consider a new interpretation of the cospan-span model, which differs essentially from that used in earlier papers. Whereas previously we have used these automata to model concurrent systems in which the timing of transitions was imprecise, in this interpretation every transition is supposed to have a fixed unit duration. That is, model of time we use is that there is a fixed atomic time interval and that all behaviours have a duration which is a multiple of this fixed unit of time. In [7] the interpretation of parallel composition was that components synchronize on common atomic actions, whereas here the interpretation is that time passes and components share values on common interfaces.

There is however a feature of the cospan-span model which assumes a new importance with this interpretation. In practical examples the atomic time interval may need to be taken as very brief, and transitions of this duration may not have conceptual significance, being instead only parts of a higher level action. A top-down description clearly needs to consider actions that have an extended, even variable, duration. The general notion of action therefore is modelled not by a single transition but by a summand in an expression, what we call a non-atomic action, which has a set of initial states and of final states as well as internal states so the completion of an action does not necessarily require only a unit time interval. In addition we may consider examples in which two automata synchronize on a non-atomic action - a protocol - rather than on single transitions. An extreme case of this is that components do not synchronize, but are truly asynchronous.

In section 2 we review the model, introducing in particular as a special component a counter, and also explaining in section 2.3 how a transition may be may be regarded as a summand of an expression, suggesting the definition of non-atomic action as summand. In section 3 we explain the real-time in-

terpretation of the cospan-span model, and discuss some key examples, and we develop in detail a case study - the specification and verification of a level crossing - a variation of the train crossing problem [2],[3],[4]. We describe the system top-down with respect to the parallel operations, and verify mathematically certain temporal properties. It is important to note that this top-down description is not informal but is a feature of the algebraic formalism we introduce. The sequential aspect of the example is not sufficiently complicated to justify a top-down description with respect to the sequential operations: it is our intention in a later paper to analyse a more elaborate case study making clear the importance of the non-atomic actions.

In this development similarities with the timed-automata model of Alur and Dill [1] emerge, and we discuss them in section 4. In modelling the control program of the train a particular component is fundamental - a counter which may be set and reset, and which may be used to make control decisions about timing. Alur and Dill base their formalism on counters: they introduce finite state automata together with a finite set of clocks which record the passage of continuous time. The clocks can be reset with any state transition of the automaton. In our view there is some confusion in Alur and Dill between the modelling of a system and the specification of desired properties of the system. One possible advantage of our formalism is that the basic elements are mathematically very pure and simple, we have well-based mathematical operations for composing automata, and a strong connection between this algebra and a geometric representation of systems composed of components.

2 Cospans of spans of graphs

By a graph G we mean a directed multigraph, that is, a set vert(G) of vertices and a set arc(G) of (directed) arcs, together with two functions d0, d1 : arc(G) ^ vert(G) which specify the source and target, respectively, of each arc. The algebra we use to model timed systems has as elements certain "cospans of spans of graphs", which we will call for simplicity just automata.

Definition 2.1 An automaton G consists of a graph G, four sets X,Y,A,B and four functions

d0 : arc(G) ^ X, d1 : arc(G) ^ Y, Y0 : A ^ vert(G), y1 : B ^ vert(G).

A behaviour of G is a path in the graph G. The duration of a behaviour is the number of steps in the path.

The graph G is called the centre of the automaton. We remark that d0,

di may be thought of as labeHmgs of the arcs of G in the alphabets X, Y, respectively. If the left label of a transition is x and the right y we denote the combined labelling by x/y. The labellings will be used in the restricted product of two automata with interface, the operation which expresses communicating parallel processes. Alternatively, one may think of the vertices and arcs of G as the states and transitions of the system, whereas the elements of X, Y are the transitions of the interfaces. We call X the left interface of the automaton, and Y the right interface - automata communicate through these interfaces. Often the interface sets will be products of sets; for example the left interface of G may be X = U x V, and the right interface may be Y = Z x W, and we then speak of U and V as the left interfaces, and Z and W as the right interfaces. If we ignore the functions y0, y1 a automaton is a (particular type of) span of graphs as defined in [8], where the reader may find more details and examples.

The set A represents a condition on the states in which the automaton may come into existence, and the set B a condition in which it may cease to exist. We call A the in-condition of the automaton, and B the out-condition. The functions y0, y1 of a automaton will be used in the restricted sum of automata - a generalized sequential operation. Often the condition sets will be sums of sets; for example the in-condition may be A = D + E, and we then speak of D and E as in-conditions.

There is a useful graphical representation of automata and their operations which we use in the paper, and which is described in [10].

For simplicity we use the same names d0, d1,Y0, Y1 for the four functions of any automaton where there is no risk of confusion, introducing further suffixes when clarification is needed. We use symbols X,Y, Z,U,V,W... for the (left and right) interfaces, and symbols A, B, C, D, E,F,I,... for the (in- and out-) conditions.

Remark 2.2 For modelling systems with parts which have an idling action on an interface we frequently require that an interface contains a special element, the null symbol e, which represents the null transition on the interface.

2.1 Parallel or product operations Definition 2.3 Given two automata

G = (G , X, Y, A , B , do , di, Yo , Yi), H = (H, Y, Z, C, D , do , di, Yo , Yi)

the restricted product (communicating parallel composition) of G and H, denoted G -H is the automaton whose set of vertices is vert(G) x vert(H) and whose set of arcs is that subset of arc(G) x arc(H) consisting of pairs of arcs

(g, h) such that di(g) = do (h). The interfaces and conditions of G ■ H are X, Z, A x C, B x D, and the four functions are

дo,G•н(g, h) = do,G(gX ^g-h^ h) = di,«^ Yo,g-h = Yo,G x Yo,H , Yi,g-h = Yi,G x Yi,H .

Closely related to the restricted product is the free product of automata. Definition 2.4 Given two automata

G = (G , X , Y, A , B , do , di, Yo, Yi) , H = (H , Z, W, C, D , do , dl, Yo , Yi)

the free product (parallel composition with no communication) of G and H, denoted G x H is the automaton whose set of vertices is vert(G) x vert(H) and whose set of arcs is arc(G) x arc(H). The interfaces and conditions of GxH are X x Z, Y x W, A x C,B x D, and the four functions are

dogxH = do,G x 9o,H; digxH = di,G x дl,н, Yo,GxH = Yo,G x Yo,H , Yi,GxH = Yi,G x Yi,H .

Definition 2.5 Given an automaton

G = (G,X x Y,Z x Y, A, B, do, di,Yo,Yi),

the place feedback of G with respect to Y, denoted PfbY (G) is the automaton whose set of vertices is vert(G) and whose set of arcs is that subset of arc(G) consisting of arcs g such that (prY o di )(g) = (prY o do)(g). The interfaces and conditions of PfbY(G) are X, Z, A, B,with the four functions defined as follows:

do,PfbY(G) = prx o do,G, <9i,pfby(G) = prz o 8i,g, Yo,PfbY (G) = Yo,G, Yi,Pfby (G) = Yi,G.

The diagrammatic representation of PfbY (G) involves joining the right interface Y to the left interface Y.

If we ignore the functions Yo, Yi of the automata the restricted product of automata is the span composition of [8] and the free product is the tensor product of the corresponding spans of graphs. For some examples of how these operations may be used to model concurrent systems see that paper. From a circuit theory point of view these operations correspond, respectively, to the series and parallel operations of circuit components.

2.2 Sequential or sum operations Definition 2.6 Given two automata

G = (G , X , Y, A, B, do , di, Yo, 7i) , H = (H , X , Y, B, C, do , di , Yo , Yi)

the restricted sum (sequential composite) of G and H, denoted G + H is the automaton whose set of arcs is arc(G) + arc(H) and whose set of vertices is (vert(G) + vert(H))/ ~ ; that is (vert(G) + vert(H)) quotiented by the relation y1,g (b) ~ Y0,H(b) (for all b G B). The interfaces and conditions of G + H are X, Y, A and C, and the four functions are

d0,G+H = (d0,G | do.H^ dl,G+H = (di,G I ^i.hX

Y0,G+H = in„eri(G) ◦ Y0,G, Yl,G+H = ¿n„eri(H) ◦ Yl,H •

The diagrammatic representation of the restricted sum is as follows: Definition 2.7 Given two automata

G = (G , X, Y, A , B , d, di, Y0 , Yi) , H = (H , X , Y, C, D, do , di, Y0 , Yi)

the unrestricted sum of G and H, denoted G© H is the automaton whose set of arcs is arc(G) + arc(H) and whose set of vertices is vert(G) + vert(H)). The interfaces and conditions of G© H are X, Y, A + C and B + D, and the four functions are

d0,G®H = (d0,G 1 do.H^ dl,G®H = (dl,G 1 ^i.hX Yo,g®h = Yo,G + Yo.H Yi,G®H = Yi,G + YiH Definition 2.8 Given an automaton

G = (G, X, Y, A + B, C + B, do, di,Yo, Yi),

the sequential feedback of G with respect to B, denoted SfbB (G) is the automaton whose set of arcs is arc(G) and whose set of vertices is vert(G)/ ~ ; that is vert(G) quotiented by the relation (y1 o inB)(b) ~ (y0 o inB)(b) (for all b G B). The interfaces and conditions of SfbB (G) are X, Y, A and C, and the four functions are defined as follows:

do,SfbB(G) = d0,G, dl,SfbB(G) = dl,G, Yo,SfbB(G) = Yo,G o ^ Yl,SfbB(G) = Yl,G o inC•

The diagrammatic representation of SfbY (G) involves joining the incondition B to the outcondition B.

Definition 2.9 Given a set X we define two special automata as follows (in and out conditions may be arbitrary sets):

(i) the identity automata 1X with left and right interface X has one state, and for each x e X an edge labelled on both the left and right by x. It is denoted diagrammatically by a wire.

(ii) the diagonal automaton AX with left interface X and right interface X x X has one state and to each x e X an edge labelled x on the left and x,x on the right. It is denoted diagrammatically by a fan out.

The diagonal can be used to model broadcast communication.

Remark 2.10 It is clear that by combining the operations we have described above systems with a complex geometry may be produced. It is often convenient in sketching systems not to place all the input (output) interfaces on the left (right) of components but to distinguish them by the directions of the arrows (although it is clear one could always rearrange the system to maintain the left/right input/output convention). In some cases an interface may be neither clearly input or output in which case we omit the arrow.

Example 2.11 A counter of capacity n (an n-counter) is an automaton with two interfaces X = (e, set0,set1,set2, set3,..., setn} and Y = (e, alarm} and n states 0,1,2,3, ...,n. From 0 to 0 there is a transition labelled e/e; from j to j — 1 there is a transition labelled e/e (j = 2,3,..., n). From any j to k there is a transition labelled setk/e; from 1 to 0 there is a transition labelled e/alarm. The idea is that in any state the counter may be set, with null input the counter decrements until at the transition 1 to 0 the counter sends an alarm. The action set0 may also be called reset.

2.3 Generators for the algebra of finite automata with interfaces X, Y If we fix left and right interfaces X, Y and consider those automata

G = (G,X,Y,A,B,d0,di ,70, Yi)

with arc(G) = 0 we see that in this case an automaton amounts just to a pair of functions y0 : A ^ vert(G), y1 : B ^ vert(G); that is, a cospan of sets. Further automata compose (under the restricted sum) like cospans [11]. Even more particularly amongst the cospan there are those with y1 = 1B which amount to functions from A to B and which compose under the restricted sum as functions. Dually there are those with y0 = 1A which might be called the opposite of functions and compose as such.

Note that every cospan of sets may be constructed from functions and co-functions between the objects 0 (empty set), 1 (one element set) and 2 = 1 + 1

using the sequential operations above. The unique function 2 ^ 1 forms the basis for constructing surjective functions; the transposition 2 ^ 2 forms the basis for constructing bijections; the function 0 ^ 1 may be used to construct injections.

For x e X, y e Y consider the automaton arrx,y , the automata with two states 0 and 1 and a single transition from 0 to 1 labelled x/y, and with incondition 0, outcondition 1. Any finite automata G = (G, X, Y, A, B, d0, d1,Y0,Y1) may be constructed from the functions and cofunctions between the objects 0,1 and 2, together with the automata arrx,y (x e X, y e Y) using only the sequential operations. The formula is G = Sfbveri(G)(dom0 + ©(arrx,y) + cod), where dom0 is the opposite of the source function arc(G) ^ vert(G), cod is the target function arc(G) ^ vert(G), and the unrestricted sum is over all transitions in G. The consequence is that we could write all automata as expressions in a few constants, one advantage of this syntactical view being that we can do top-down analysis, and make recursive definitions [10]. (A more precise statement of these remarks to be reported by the authors and R. Rosebrugh in a further publication is that cospans form the generic symmetric monoidal category with a particular type of bimonoid object.)

3 Discrete-time systems

Definition 3.1 A discrete-time system is an expression of automata, using the parallel and sequential operations of automata, and the constants identity, diagonal, and the generating constants described in section 2.3. A behaviour of a system is a path in the automata resulting from evaluating the expression. The duration of a behaviour is length of the path.

Definition 3.2 Suppose G is given as an expression of automata involving only sequential operations, and H is one of the operands in the expression, then we call H a non-atomic action of G. A behaviour of a non-atomic action consists of a path from an incondition to an outcondition. The duration of a non-atomic action is hence variable.

As explained above a discrete-time system has a geometry. In the remainder of this section we give some simple examples illustrating the expressiveness of the model. In all of the examples the inconditions and outconditions will be the evident single initial and final states of the actions under consideration. Clearly single transitions are special examples of non-atomic actions - which therefore should more precisely be called not-necessarily-atomic actions! The next example shows that actions may be strongly non-atomic.

Example 3.3 (two actions which synchronize with an arbitrary duration)

Consider two automata G1, G2 and two non-atomic actions, one of G1, one of G2. The action of G1 is (a/6 : 0 ^ 1,e/e : 1 ^ 1,d/e : 1 ^ 2}; the action of G2 is (6/c : 0 ^ 1,e/e : 1 ^ 1,e/f : 1 ^ 2}. In the restricted product G1 ■ G2 these actions synchronize but with arbitrary duration. A typical behaviour is

(0, 0) - a/c ^ (1,1) - e/e ^ (1,1) - e/e ^----e/e ^ (1,1) - d/f ^ (2, 2).

There is a construction of the desynchronization of a system based on this idea. Consider a system which is given as an expression in parallel operations of automata. Suppose every transition in each component automaton of the system is replaced by an action consisting of three transitions analogous to the actions in this example then the components of the system synchronize with arbitrary duration instead of duration 1. As an example consider the dining philosopher problem as described in [9]. The desynchronized version in which each of the philosopher and fork actions are divided into begin-action and end-action has the property that the duration of taking a fork may be arbitrarily long, and hence while one philosopher is taking a fork another may eat several meals.

Example 3.4 (a non-atomic action of duration between 1 and 3, which synchronizes with one of duration between 2 and 4) Consider two automata G1, G2 and two non-atomic actions, one of G1, one of G2. The action of G1 has initial state 0 and final state 1 and transitions (a1)1/61)1 : 0 ^ 1,a2)1/62)1 : 0 ^ 2^2,2/62,2 : 2 ^ 1^3,1/63,1 : 0 ^ 3,a3,2/b3,2 : 3 ^ 4^3,3/63,3 : 4 ^ 1}; the action of G2 has initial state 0 and final state 1 and transitions (62,1/c2,1 : 0 ^ 2, 62,2/c2,2 : 2 ^ 1, 63,1 /c3,i : 0 ^ 3, 63,2/c3,2 : 3 ^ 4, 63,3/c3,3 : 4 ^ 1, 64,1/c4,i : 0 ^ 5,64,2/c4,2 : 5 ^ 6, 64 3/c4 3 : 6 ^ 7,64,4/c4,4 : 7 ^ 1}. In the restricted product G1 ■ G2 these actions synchronize with duration 2 or 3. The two terminating behaviours possible are (0,0) - a2,1/c2,1 ^ (2,2) - a2,2/c2,2 ^ (1,1), and (0, 0) - a3,i/c3,i ^ (3, 3) - a3,2/c3,2 ^ (4,4) - a3,3/c3,3 ^ (1,1)

These two examples are simple but suggestive examples of processes synchronizing on a protocol.

Example 3.5 A counter as described above provides exactly an action with a settable duration, that is, the input can set the duration of the whole action of the counter.

It is clear that with the apparatus of finite state automata and counters, control decisions may be made on the basis of timing. The next section gives a detailed example.

3.1 Modelling of a railway crossing

We would like to model a variation of the radio-based decentralized train control system described in [4]. We concentrate on formalizing as precisely as possible the system, using instead informal mathematical language for the description of the desired properties of the system. All automata in this example will have in and outconditions 0 - the sum operations will not be used since we are describing the component automata at low level.

We have in mind the following system. A train is approaching a crossing. Before the crossing there is a checkpoint at which a localizing subsystem, Pos., on the train determines the position of the train in the network (using a chart). This information, together with the speed of the train obtained from the odometer, Odom., is used to calculate three alarms (which are placed in corresponding counters and decremented as time passes). The three alarms are inputs to the controller subsystem of the train. The first alarm is sounded when the train must signal the gate to close. The second alarm is sounded at the last moment it is possible for the train to stop before reaching the gate (in the case when the train has not received an acknowledgment that the gate is closed). The train sends a message to the cruise controller (C.C.) to brake the train. The third alarm is a time-out indicating a serious problem with the train or gate (at which an error signal is emitted); it is a bound on the time required by the train to traverse the crossing under normal conditions. The localizing subsystem Pos. emits a signal gate when the train passes the gate checkpoint, and a signal pass when the train passes the outgoing checkpoint. In the system we are modelling the train has no certain information about the timing of the gate. In case the train receives an acknowledgment from the gate it proceeds to the gate where there is a checkpoint, it proceeds, and on passing the outgoing checkpoint signals the gate to raise. We describe out model in a series of refinements. Notice that each of these descriptions has a mathematical meaning.

First a high level view of the train and track near the gate.

Checkpoint1 Gate ChkptgateCheckPoint2

Next we give more detail of the train. (Calc.=calculation of alarms.).

The checkpoints are very simple automata with only an output interface with alphabet{e, id}. They have one state and two transitions, one labelled id, and the other labelled e. The idea is that a checkpoint is continuously broadcasting its identifier id but that signal only reaches the train when it is within range, and hence the signal read by the train is e except when the train passes the checkpoint.

Next we describe (an abstraction of) the three counters Count. It has one input interface R = {e, rsi,rs2} (resets) and one output interface A = {e, a1i,a12,ft1s} (alarms). It has states 0,1,2,3 where 0 is both the state in which all counters are set, 1 is the state in which the first counter is zero, 2 the state in which the first and second counters are zero, and 3 the state in which all are zero. The transitions are

e/e : 0—0, e/e : 2—2, e/alx : 0—1, e/al3 : 2—3, rs3/e : 2—3,

e/e : 1 — 1, e /e : 3—3, e/al,2 : 1—2,

rs^/e : 1 — 2, rs^/e : 3—>3

Next we describe the controller Contr. The input interfaces are P =

(e,pass, gate}, A = (e, al ;L,al2,al3}, Gack = (e, ack}. The output interfaces are E = (e, error}, S = (e, start, stop}, R = (e, rs2,rs3}, Gcom = (e, up, down}. The states are so, s1,s2, s3, s4, and the transitions are

£,£,£/£,£,£,£ : sq—sq, £,£,£/£,£,£,£ : s2—s2,

£,£,£/£,£,£,£:si —^S^ , £,£,£/£,£,£,£: S3 —S3,

£,£,£/£,£,£,£ : S4 — S4, £,a11 ,£/£,£,£,down:SQ — si ,

£,a^2,£/£,siop,£,£ : s! — S2, £,a^3,e/error,£,£,£:s2 —S2,

£,a^3,£/error,£,£,£ : S3—S3, £,a^3,£/errore,£,£,£:s4—S4,

£,£,acfc/£,£,rs2,£ : s!— S3, £,£,acfc/£,start,£,£:s2 — S3,

£,a^2,acfc/£,£,£,£: s! — S3, £,a^3,acfc/error,siari,£,£:s2—S3

gate,£,£/£,£,£,£: S3 —S4, gate,al3,£/error,£,£,£:s3 — S4,

pass,£,£/£,£,rs3,up : S4 — sq.

To present the controller in a more readable form we sketch the automaton but including only the principal transitions and giving only the principal labels on each transition.

a^i /di

pass/up,'

k/start a^/e

Gcom Gack

Finally we describe the gate Gate. It has input interface Gcom = (e, up, down} and output interface Gack = (e, ack}. Its states are Open, sl,Closed and s2,

and its transitions are

e/e:Open—Open, e/eis^—si,

e/e:Closed— Closed, e/e:s2—s2, down/e:Open—si, e/ack:si —Closed, up/e:Closed—s2, e/e:s2—Open.

A sketch of the gate, again only giving the principal labels on each transition:

up,down,£ ack,£

Now the system Railcrossing composed of the counters, controller and gate is given by the algebraic expression

PfbR x

Ga.ck ((1P XCoUntX1Gack )-Contr i1E X1S x1SxGale)),

and has input interface P and output interfaces E and S. The reachable part of this composite has 10 states (the first being the initial state)

(0,so,Open),(1,si,si),(2,s2,si),(2,s3,Closed),(3,s2,si), (3,s3,Closed),(2,s4,Closed),(3,s4,Closed),(3,so,s2),(3,so,Open)

and 10 transitions of the form e/e, e : state ^ state, one for each of the ten

states, plus the following 16 transitions:

£ / £,£:(0,SQ,Open)—>(1,si,si),£ / £,stop:(1,si ,si )—>(2,s2,si), £ / £,£:(1,si,si) —(2,S3,C1osed),£ / £,£:(1,si ,si) — (2,S3,C1osed), £ / £,start:(2,s2,si)—>(2,S3,C1osed),gaie / £,£:(2,S3,C1osed)—>(2,S4,C1osed), pass / £,£:(2,S4,C1osed)—>(3,so,S2),£ / £,£:(3,so,S2)—>(3,so,Open), £ / error,£:(2,S2,S1)—>(3,S2,S1),£ / £,start:(3,s2,s1)—>(3,S3,C1osed), £ / error,stari:(2,S2,si)—>(3,S3,C1osed),£ / error,£:(2,S3,C1osed)—>(3,S3,C1osed),

gate / £,£:(3,S3,Closed)—>(3,S4,Closed),gate / error,£:(2,S3,Closed)—>(3,S4,Closed), £ / error,£:(2,S4,Closed)—^(3,s4,ci0sed),pass/s,£:(3,s4,Closed)—>(3,sq,s2)-

The first 8 transitions (together with the purely idling transitions) constitute the part of the automaton reachable from the initial state (0,s0,0pen) without incurring an error signal. The assumption on the counters is that eventually they reach state 3. Those behaviours which reach a state in which the counters are in state 3 and which avoid an error signal all reach the state (3, s0, s2) passing the gate when it is closed, and the second checkpoint. There is no guarantee that the state (3, s0, Open) is reached because there is no signal to that effect from the gate to the controller which generates the error messages.

4 Relation with Timed Automata

In the past decade various automata based models for describing and reasoning about timing-based systems have been proposed, and timed automata introduced by Alur and Dill [1] have received enormous attention because they provide a natural way of expressing timing delays of real-time systems. A timed automata is a finite automata (with Biichi or Muller acceptance conditions) with a finite set of real-valued clocks. All clocks increase at the uniform rate counting time with respect to a fixed global time frame. The clocks can be reset to 0 (independently of each other) with the transitions of the automata, keeping track of the time elapsed since the last reset. The transitions of the automaton contain constraints on the clock values and a transition may be taken only if the current values of the clocks satisfy the associated constraints. The allowed constraints in the seminal paper of Alur

and Dill were Boolean combinations of simpler constraints comparing clock values with time constants. Since then generalizations have been introduced allowing diagonal clock constraints which compare the values of two clocks and constant updates which reset clocks to some constant. Timed automata give a good framework for modeling finite-state systems, namely a timed (Biichi) automaton AP is associated to a finite-state process P so that L(AP) consists of the timed traces of P. The state-transition graph of the system is given by the transition table of the automaton, the timing delays of various physical components are represented by means of clocks, and the fairness conditions are expressed by the acceptance conditions. Usually an implementation is described as a composition of several components, each of them is modeled as a timed regular process, and it is possible to construct a timed automaton representing the composite process using a composition of timed automata defined by a suitable modification of the standard product construction for Biichi automata.

Comparing timed automata with our model the first difference to be underlined is the time domain. We use a discrete time domain while clocks in timed automata assume real values (or more precisely dense time). We assume further that each transition has a fixed a priori duration while in timed automata transitions are instantaneous and time can elapse in a state. This choice limits the expressiveness of our model (for instance we cannot recognize the language of Example 3.16 in [1]). However we believe that the assumption of discrete time domain is not a strong restriction with respect to a dense time in real-systems because almost all physical devices are digital, or approx-imable by discrete time. We refer to [6] for a wider discussion on this topic. A fundamental result in the timed automata theory is the decidability of region reachability, which yields model checking algorithms and tools for verifying real systems which are one of the appealing aspects of timed automata. We remark that the model checking algorithm can be restricted to timed automata whose clock constraints involve only integer constants (Lemma 4.1 in [1]). Moreover in [5] timed automata with discrete time domain and unit duration of transitions were introduced to allow general linear relations over clocks and parameterized constants as clock constraints which are useful in modeling and in analyzing and debugging with approximation techniques complex real-time systems - a fact which supports our idea that the discrete domain is not a strong limitation. This paper has been concerned with exploring the expressivity of the cospan-span model, but in a future paper we will describe algorithms for model-checking and the verification of correctness appropriate for our model.

A possible advantage of the cospan-span model with respect to timed au-

tomata is the structured geometric representation based on three level of abstraction and also a well-established algebra for composition of automata-with-interfaces, based on operations whose definitions are easily understood. Timed automata on the contrary are a low-level representation, even if translations from more structured representations like the real-time process algebra ATP have been presented. The difference is easily remarked referring to the example of an automatic controller that opens and closes a gate at a railroad crossing described by means of timed automaton in Section 7.5 of [1]. This example is a simplified version of the one we gave in section 3: only three components TRAIN,GATE and CONTROLLER form the systems because the example does not concern with how the train knows whether it is approaching or leaving the crossing, we could easily do the same example deleting the checkpoints and simplifying Train Controller and Gate Controller. In the Alur and Dill example the connections among the components cannot be immediately read from the graphical representation (only common labels on the transitions of different automaton represent communications between two components). In the automata representing TRAIN and GATE, specifications and system description are not completely separated, because clock constraints look like implementations. In our model a counter occurs as a subcomponent in the TRAIN model to guarantee that if the train does not enter and exit from the gate in the due time interval the error is detected allowing corrective action to be taken.

There are suggestive similarities between the cospan-span model and Statecharts, and we intend to make a careful comparison in future work.

References

[1] R. Alur and D.L. Dill. A theory of timed automata. Theoretical Computer Science, 126:183— 235, 1994.

[2] J. Bohn, W. Damm, H. Wittke, J. Klose, A. Moik, Modeling and validating train system applications using Statemate and Live Sequence Charts, Integrated Design and Process Technology, IDPT-2002, June 2002.

[3] W. Damm, G. Dohmen, J. Klose, Secure decentralized control of railway crossings.

[4] W. Damm, J. Klose, Verification of radio-based signaling system using the Statemate verification environment, Formal methods in system design, 19, 121-141, 2001.

[5] Zhe Dang, O. H. Ibarra, R. A. Kemmerer, Decidable approximations on generalized and parametrized discrete timed automata, COCOON 2001: 529-539, Springer LNCS 2108, 2001.

[6] T.A.Henziger, Z.Manna, A.Pnueli, What good are digital clocks?, ICALP 92, LNCS 623,545,558,1992

[7] P. Katis, N. Sabadini, R.F.C. Walters, Bicategories of processes, Journal of Pure and Applied Algebra 115: 141-178, 1997.

[8] P. Katis, N. Sabadini, R.F.C. Walters, Span(Graph): A categorical algebra of transition systems, Proc. AMAST '97, SLNCS 1349, 307-321, Springer Verlag, 1997.

[9] P. Katis, N. Sabadini, R.F.C. Walters, On the algebra of systems with feedback and boundary, Rendiconti del Circolo Matematico di Palermo Serie II, Suppl. 63: 123-156, 2000.

[10] P. Katis, N. Sabadini, R.F.C. Walters, ; A formalisation of the IWIM Model. in: Proc. COORDINATION 2000,(Eds.) Porto A., Roman G.-C., LNCS 1906, 267-283, Springer Verlag, 2000.

[11] P. Katis, N. Sabadini, R.F.C. Walters, Feedback, trace and fixed-point semantics, Theoret. Informatics Appl. 36, 181-194, 2002.

[12] N. Sabadini, R.F.C. Walters, Hierarchical automata and P systems, CATS '03, ENTCS 78, 2003.