Sensors: Modeling and Verification of Asynchronous Systems Using Timed Integrated Model of Distributed Systems

sensors
Article
Modeling and Verification of Asynchronous Systems Using
Timed Integrated Model of Distributed Systems
Wiktor B. Daszczuk
Institute of Computer Science, Warsaw University of Technology, Nowowiejska str. 15/19, 00-665 Warsaw, Poland;
wbd@ii.pw.edu.pl; Tel.: +48-22-234-78-12
Abstract: In modern computer systems, distributed systems play an increasingly important role, and
modeling and verification are crucial in their development. The specificity of many systems requires
taking this into account in real time, as time dependencies significantly affect the system’s behavior,
when achieving the goals of its processes or with adverse phenomena such as deadlocks. The natural
features of distributed systems include the asynchrony of actions and communication, the autonomy
of nodes, and the locality of behavior, i.e., independence from any global or non-local features.
Most modeling formalisms are derived from parallel centralized systems, in which the behavior
of components depends on the global state or the simultaneous achievement of certain states by
components. This approach is unrealistic for distributed systems. This article presents the formalism
of a timed integrated model of distributed systems that supports all of the mentioned features. The
formalism is based on the relation between the states of the distributed nodes and the messages
of distributed computations, called agents. This relation creates system actions. A specification in
this formalism can be translated into timed automata, the most popular formalism for specifying
and verifying timed parallel systems. The translation rules ensure that the semantics of T-IMDS
and timed automata are consistent, allowing use of the Uppaal validator for system verification.

The development of general formulas for checking the deadlock freedom and termination efficiency
Citation: Daszczuk, W.B. Modeling
allows for automated verification, without learning temporal logics and time-dependent formulas.
and Verification of Asynchronous An important and rare feature is the finding of partial deadlocks, because in a distributed system
Systems Using Timed Integrated a common situation occurs in which some nodes/processes are deadlocked, while others work.
Model of Distributed Systems. Examples of checking timed distributed systems are included.
Sensors 2022, 22, 1157. https://
doi.org/10.3390/s22031157 Keywords: timed distributed systems; distributed system timed specification; deadlock detection;
distributed termination; model checking; timed automata
Academic Editor: Pasquale
Daponte
Received: 26 December 2021

Accepted: 31 January 2022 1. Introduction
Published: 3 February 2022
The formalism of the distributed systems specification was developed at the Institute
Publisher’s Note: MDPI stays neutral of Computer Science, Warsaw University of Technology. The formalism, called timed
with regard to jurisdictional claims in integrated model of distributed system (T-IMDS, based on the earlier timeless IMDS [1,2])
published maps and institutional affil- has a set of general features that distinguish it from other formalisms:
iations.
• timed specification and verification: distributed systems are asynchronous in nature, and
time dependencies may substantially change their observed features; as in the Russian
fairy tale: the crane offered the heron a marriage; the heron initially refused, but later
Copyright: © 2022 by the author.
changed her mind and offered to charm the crane when he took offense . . . ; as a
Licensee MDPI, Basel, Switzerland. result, they see each other often, but each of them is proud and refuses when the
This article is an open access article latter is ready to propose; the tale has no end, because its characters act exactly in
distributed under the terms and counter-phase, they do not synchronize in any way; in particular, some deadlocks can
conditions of the Creative Commons disappear due to time dependencies, while others can arise.
Attribution (CC BY) license (https:// • communication duality: expressing the distributed system in terms of nodes with their
creativecommons.org/licenses/by/ states and agents with their messages, emphasizing communication duality in dis-
4.0/). tributed systems: message passing versus resource sharing; the system specification
Sensors 2022, 22, 1157. https://doi.org/10.3390/s22031157 https://www.mdpi.com/journal/sensors

Sensors 2022, 22, 1157 2 of 37
can be switched between two system views: node view and agent view, yet with both
in a uniform structure;
• locality: the node’s action is executed based on the current situation of the node
(without any association with other nodes); no event outside the node (except for
messages sent to it) can affect the behavior of the node;
• autonomy: each decision regarding the execution of the actions of the node (including
the choice between many possible actions) is taken autonomously; the only way to
influence the behavior of a node is to send a message to it (the message may enable
an action that was previously disabled); no order is established in the set of pending
messages, such as a stack or queue, the node autonomously decides which message
will initiate the next action;
• asynchrony: the synchronization of nodes with agents is hidden inside processes (in
actions belonging to processes); therefore, processes are perceived as asynchronous
from the outside; also the communication channels are asynchronous: the message is
sent irrespective of the local situation of the target node, in particular, whether it is
waiting for this message or performing completely different operations;
• automated verification: expressing essential features of the distributed system’s behavior
using general temporal formulas [2], not related to the internal structure of the system
being verified.
A large selection of timed specification and verification techniques are offered; some
are mentioned in Section 2. This is why we extended our IMDS formalism to cover
real-time dependencies.
Locality and autonomy are obvious features of distributed systems. Asynchrony is
very much needed between cooperating distributed nodes, because synchronous behavior
requires some knowledge of the global state, which is difficult to obtain in a distributed
system (or which cannot be obtained at all). Imagine a distributed component, for example
a Büchi automaton [3] or Zielonka’s automaton [4]. If such an automaton is to communicate
with another, both of them must follow a common transition. Obviously, such behavior is
impossible: how would the automaton learn that they have both reached matching states
or enabled matching transition? This principle breaks asynchrony (two automata cannot
synchronize on states or transitions), locality (non-local/global information of the state
of the other component is needed), and autonomy (the decision about the component
behavior must depend only on its history and its preferences, rather than on the state of
other components). Therefore, synchronous actions or other forms of direct synchronization
are unrealistic in the description of distributed system behavior. Please note that such
models are wrongly called distributed in numerous articles (e.g., [4]).
Communication duality is often emphasized as a theoretical feature of distributed
systems, for example, in comparing client-server and remote procedure call (RPC) models,
but rarely do both aspects occur in a uniform environment. In [5], they are both described,
but as separate and opposite models. We argue that those models can simply be different
points of view of a single, uniform system. The image of the modeled system depends on
the manner of action grouping, rather than being a substantial property of the system itself.
Finally, identifying partial (sometimes called local) deadlocks and checking the dis-
tributed termination with model checking techniques [6] requires the designer to have some
knowledge of temporal logic, since features should be expressed in terms of the elements
of the particular system under verification [7,8]. The reason for this is that the deadlock is
often identified as a global state, with no outgoing transitions [9]. Alternatively, a temporal
formula that guarantees that the system is stuck in a deadlocked state is applied [10]. In
both solutions, only a total deadlock can be identified. Other techniques are used for partial
deadlock identification, but typically in systems having a required structure [11,12] (for
example, looping systems). However, a situation in which some processes are deadlocked
while other processes work is usual in distributed systems and should be found in systems
of arbitrary shape.
Sensors 2022, 22, 1157 3 of 37
The contribution of this article is the introduction of the timed integrated model of
distributed systems (T-IMDS), which overcomes all the above-mentioned limitations in the
specification and verification of distributed systems.
1. The specification is real-time aware, which is not novel between formalisms, but is an
important step in IMDS evolution.
2. It is based on a relation between two pairs of a distributed node state and the dis-
tributed computation (called an agent) message. The input pair only triggers a system
action and produces a new pair that simply waits for its occasion (the consecutive
actions of the node and the agent need not even be enabled at this moment). This
counters the requirements for synchrony and non-locality of actions. The descrip-
tion models asynchronous actions, in which nothing depends on the synchronous
delivery of any items needed to fire the actions. Distributed components make their
autonomous moves based only on their local elements, and they do not depend on
any global or non-local features of the distributed system.
3. Communication duality (client–server versus RPC) is incorporated in the model; the
views are only the decompositions or cuts of the system, the given view is achieved
by a specific grouping of the actions; however, the set of actions remains the same.
4. Identification of partial deadlocks and the partial distributed termination, as well as
total–general temporal formulas are defined for this purpose, related to the features of
the formalism, rather than to the features of the given verified system. The developed
verification algorithms (which are beyond the scope of this article) allow both timeless
and timed verification. The compatibility with Uppaal timed automata allows for
verification under the external verifier Uppaal [13,14].
The Dedan verification environment (deadlock analyzer) was developed based on
IMDS. It offers:
• interface to the specifications of the distributed system, text or graphic,
• a simple built-in temporal verifier (based on the TempoRG verifier [15]) for checking
models of small and medium systems,
• simulator,
• export to external verifiers: Spin [16] for LTL verification, NuSMV [17] for LTL/CTL
verification, Uppaal for CTL/TCTL verification.
The behavior of a distributed system may be time-dependent, as system changes may
take some time. As a result, the dependence between periods associated with individual
system changes can influence deadlock situations. Timed Petri nets and timed automata
(TA) are two of the most popular formalisms for expressing the behavior of time-limited
systems (TA) [18–20]. While automata-based models, as well as IMDS, can be transformed
to Petri nets [21], they are not so attractive in our opinion, because it is not easy to extract
the processes from the specification. We use Petri nets for the structural analysis of a
verified system and some kinds of model checking [22]. The temporal logic timed CTL
(TCTL) is associated with TA [18,23]. Two types of transition: progress transitions and time
transitions are introduced to describe system changes and the flow of time:
• Progress transition (or: transition): If the Boolean expression on the automaton’s tran-
sition is true, the progress transition (or transition) is executed. This expression is
composed of integers and clock values. TA actions are symbols associated with tran-
sitions (not to be confused with IMDS actions, we will use the term symbol for TA
actions). When two or more automata have the same action symbol, the transitions
are synchronous. The transitions are otherwise executed in an interleaving way [24].
• Timed transition can be executed if all of the automata in the set have time invariants
(relationships between clock values and integers) in their current locations. All the
clocks are simultaneously shifted by the same value (not exceeding any invariant).
This article is organized as follows: Section 2 covers related work on timed varication
formalisms, especially timed automata. Section 3 deals the basic timeless formalism: the
integrated model of distributed systems, and verification rules in IMDS, which are the
Sensors 2022, 22, 1157 4 of 37
basis of extension to timed systems. Section 4 covers the Uppaal timed automata model,
the target formalism to which timed IMDS is converted. The timed version of IMDS is
described in Section 5. The formal translation of T-IMDS to UTA is presented in Section 6.
Section 7 gives two examples of distributed timed systems and their verification in the
Dedan/Uppaal environment. The work is concluded in Section 8. The Appendix A contains
the proof of equivalence between the semantics of T-IMDS and its implementation in UTA.
2. Related Work: Timed Automata and Other Timed Formalisms

Since system changes may take time, the dependencies between durations associated
with specific changes may play a role in deadlock situations. Timed Petri nets and timed au-
tomata [19,20,25,26] are two of the most prominent formalisms for expressing the behavior
of time-limited systems. Other real-time modeling techniques include hybrid automata [27]
and timed CSP [28]. For discrete time modeling, among others, DTG (durational transition
graphs [29]) and EMLAN [30] are used.
Real-time CTL (RTCTL, having time constraints attributed to temporal operators [31,32]),
quantitative CTL (QCTL, with unit-delay transitions [33]), timed CTL (TCTL, connected
with timed automata [18]) and bounded real-time model checking [34] were also developed.
Discrete-time model checking example formalisms include clocked CTL (CCTL, based on
time intervals in discrete-time systems [35]) and discrete-time CTL (DTCTL for embedded
systems [30]).
Timed automata (TA [18]) are related to Büchi automata [3], but with the addition
of time constraints. Automata execute their transitions separately (in an interleaving
manner [36]), except for transitions on shared symbols, which synchronize the automata. A
set of real-time clocks is used to achieve time limitations. The clocks are variables, with
values ranging in R≥0 , multiples of a basic unit of time (a unit in short). A clock value is
a real number, yet we can watch it while its values are integers or between integers. For
example, with two clocks, x and y, we can examine the system in a circumstance where
x is 2 and y is between 0 and 1. Similarly visible is the relationship between clocks (as
x < y or x < y + 1). Time limitations, which determine the values of clocks at which specific
transitions may be fired (for example, x ≥ 1), are attributed to the transitions of timed
automata. Time invariants can also be enforced on automata states (called locations in TA).
The time invariant expresses, in terms of clock values, how long an automaton may stay in
a given location, such as y < 3. On transition, the clocks may be reset.
The TA transitions are instantaneous; the clocks advance while the automata remain
in their locations. As a result, there are two sorts of advancement in TA: executing progress
transitions and passing of time, referred to as timed transitions. The articles [18,23] give a
complete overview of timed automata and their semantics.
Compound progress transitions and compound timed transitions are used to define the
semantics of a set of timed automata:
• If a Boolean expression on a progress transition (or simply: transition, also termed action
transition [37]) outgoing from a current location of a timed automaton TA is fulfilled, the
transition can be executed. This expression is made up of integer constants and clocks.
A difference is only allowed when two clocks are utilized in the expression. If more
than one transition (in the same automaton or different automata) can be executed in
a set of TA, the choice is nondeterministic. Transitions are denoted by symbols known
as actions (do not confuse with IMDS actions, we use the term symbol for TA action).
When two or more automata have the same action symbol, the transitions are executed
synchronously. Otherwise, the transitions interleave.
• The timed transition can be executed if all of the automata in the set have their time
invariants fulfilled in their current locations. The execution is based on synchronously
advancing all clocks (by the same, real value > 0). The smallest difference between
the maximum value of a clock used in an invariant and the present value used in this
invariant is the maximum value to which the clocks can be advanced. If the invariants
Sensors 2022, 22, x FOR PEER REVIEW
Sensors 2022, 22, x FOR PEER REVIEW 5 5 of
of 38
38 5 5 of
of 38
38
Sensors 2022, 22, x FOR PEER REVIEW 5 of 38


 The timed transition can be executed if all of the automata in the set have their time
 The timed transition can be executed if all of the automata in the set have th
The timed transition can be executed if all of the automata in the set have their time
The timed transition can be executed if all of the automata in the set have their time  The timed transition can be executed if all of the automata in t
The timed transition can be executed if all of the automata in the set have t
The timed transition can be executed if all of the automata in
invariants
invariants invariants
invariants
fulfilled
fulfilled in fulfilled
in
fulfilled
their
invariants
their
invariants current
in
current
in their their
fulfilled
fulfilled
locations.
invariants
current
locations.
invariants
current in in locations.
their
locations.
The
their
fulfilled
The
fulfilled execution
current
execution
current The
in
The
in their locations.
their
execution
locations.
execution
is is based
current
based
current The is
The
on
is
on locations.
based
locations.
based
synchro‐
execution
synchro‐
execution on on The
synchro‐
The
synchro‐
is is based
execution
based
execution on
ons
Sensors 2022, 22, 1157 nously advancing all clocks (by the same, real value >0). The smallest difference be‐
nously advancing all clocks (by the same, real value >0). The smallest difference be‐
nously advancing all clocks (by the same, real value >0). The smallest differ
nously advancing all clocks (by the same, real value >0). The smallest diffe
nously advancing all clocks (by the same, real value >0). The s
nously advancing all clocks (by the same, real value >0). The 5 of 37
x FOR PEER REVIEW  The timed transition can be executed if all of the automata in the set have their time 5 of 38
tween the maximum value of a clock used in an invariant and the present value used
invariants fulfilled tween the maximum value of a clock used in an invariant and the present va
tween the maximum value of a clock used in an invariant and the present v
in their current tween the maximum value of a clock used in an invariant and t
tween the maximum value of a clock used in an invariant and
locations. The execution is based on synchro‐
in this invariant is the maximum value to which the clocks can be advanced. If the
in this invariant is the maximum value to which the clocks can be advance
in this invariant is the maximum value to which the clocks can be advanc
nously advancing all clocks (by the same, real value >0). The smallest difference be‐ in this invariant is the maximum value to which the clocks ca
in this invariant is the maximum value to which the clocks c
invariants x < 2 and y ≤ 3 are present, and the current clock values are x = 1.5 and y =
xinvariants x < 2 and y ≤ 3 are present, and the current clock values are x = 1.5 and y =
y ≤ 3 are present, invariants x < 2 and y ≤ 3 are present, and the current clock values are x = 1.5
invariants x < 2 and y ≤ 3 are present, and the current clock values are x = 1
invariants x < 2 and y ≤ 3 are present, and the current clock val
invariants x < 2 and y ≤ 3 are present, and the current clock va
 < 2 and tween the maximum value of a clock used in an invariant and the present value used
The timed transition can be executed if all of the automata in the set have their time and the current clock values are x = 1.5 and y = 2.6, the
2.6, the highest value is 0.4, which advances x to 1.9 and y to 3.
highest 2.6, the highest value is 0.4, which advances x to 1.9 and y to 3.
value is 0.4, which 2.6, the highest value is 0.4, which advances x to 1.9 and y to 3.
advancesis x based
in this invariant is the maximum value to which the clocks can be advanced. If the 2.6, the highest value is 0.4, which advances x to 1.9 and y to 3.
2.6, the highest value is 0.4, which advances x to 1.9 and y to 3
to 1.9 and y to 3.
invariants fulfilled in their current locations. The execution on synchro‐
The option is nondeterministic if both a progress and a timed transition are enabled.
The option is nondeterministic if both a progress and a timed transition are
The option is nondeterministic if both a progress and a timed transition are
The option is nondeterministic if both a progress and a timed transition are enabled. It The option is nondeterministic if both a progress and a timed t
The option is nondeterministic if both a progress and a timed
It is important to note that there may be an endless number of timed transitions if a timed
It is important to note that there may be an endless number of timed transitions if
It is important to note that there may be an endless number of timed transitions
It is important to note that there may be an endless number of timed
It is important to note that there may be an endless number of time
is important2.6, the highest value is 0.4, which advances x to 1.9 and y to 3.
to note that there may be an endless number of timed transitions if a timed
transition is possible. If a timed transition of 1 unit is achievable, perhaps a transition of
in this invariant is the maximum value to which the clocks can be advanced. If the transition is possible. If a timed transition of 1 unit is achievable, perhaps a tran
transition is possible. If a timed transition of 1 unit is achievable, perhaps a tra
transition is possible. If a timed transition of 1 unit is achievable, p
transition is possible. If a timed transition of 1 unit is achievable,
transition isThe option is nondeterministic if both a progress and a timed transition are enabled.
possible. If a timed transition of 1 unit is achievable, perhaps a transition
0.9 units makes no difference. As a result, timed regions (equivalence classes) are intro‐
invariants x < 2 and y ≤ 3 are present, and the current clock values are x = 1.5 and y = 0.9 units makes no difference. As a result, timed regions (equivalence classes) a
0.9 units makes no difference. As a result, timed regions (equivalence classes)
It is important to note that there may be an endless number of timed transitions if a timed 0.9 units makes no difference. As a result, timed regions (equivale
0.9 units makes no difference. As a result, timed regions (equival
of 0.9 units makes no difference. As a result, timed regions (equivalence classes) are
duced to the formalism, with integer limits. The greatest integer relative to the clock is the
2.6, the highest value is 0.4, which advances x to 1.9 and y to 3. duced to the formalism, with integer limits. The greatest integer relative to the clo
duced to the formalism, with integer limits. The greatest integer relative to the cl
transition is possible. If a timed transition of 1 unit is achievable, perhaps a transition of duced to the formalism, with integer limits. The greatest integer rela
duced to the formalism, with integer limits. The greatest integer rel
introduced to the formalism, with integer limits. The greatest integer relative to the clock
maximum value used. Given integer parts of all clocks and an equal sign of the fractional
maximum value used. Given integer parts of all clocks and an equal sign of the fr
maximum value used. Given integer parts of all clocks and an equal sign of the
0.9 units makes no difference. As a result, timed regions (equivalence classes) are intro‐ maximum value used. Given integer parts of all clocks and an equa
maximum value used. Given integer parts of all clocks and an equ
is the maximum value used. Given integer parts of all clocks and an equal sign of the
part of clock differences (0 is treated as a distinct, third sign), a region, such as
duced to the formalism, with integer limits. The greatest integer relative to the clock is the part of clock differences (0 is treated as a distinct, third sign), a regi
part of clock differences (0 is treated as a distinct, third sign), a reg
fractional part of clock differences (0 is treated as a distinct, third sign), a region, such as
⎣ ⎣xxx⎦ ⎦ =
== 1, ⎣⎣y⎦
1,1, ⎣⎣y⎦
xyx⎦ = ⎦ =
=2, = 2,
1,
2,1, (x ⎣y⎦
(x⎣y⎦
(x − − −⎣x⎦)
= ⎣x⎦)
⎣2,
= ⎣x2,
xx− ⎦ −
(x ⎦
(x
)= (y
−
=
−(y
− ⎣x⎦)
1,
−
1, ⎣x⎦)
(y⎣y⎦
− ⎣y⎦)
⎣y⎦
⎣y⎦)
−− =
part of clock differences (0 is treated as a distinct, third sign), a region, such as ⎣x⎦ = 1, ⎣y⎦ ⎣=
− ⎣>
(y
x2,
>
(y
y ⎦ −
x2,
0, ⎦ )−
0,
(x =
(x ⎣y⎦)
is = ⎣y⎦)
>is
−
1, 0,⎣x⎦)
− ⎣y⎦
⎣x⎦)
⎣y⎦
obtained.
1, obtained.
> is> 0, 0,
=
− = −
is
obtained. 2,
(y
is
2,
(y obtained.
(x ⎣y⎦)
− ⎣y⎦)
obtained.
−
This
(x −
This − ⎣x⎦) ⎣x⎦)
rule
rule
This> > 0, − This
0,
− generates
This
(y
is
generates
(y
rule ⎣y⎦)
is obtained.
− − ⎣y⎦)
obtained.
rule
rule
generates generates
>
generates
a
> a 0,
set
0, set
This
is
This
is
of
aobtained.
of
obtained.
rule
clock
a
setrule
clock
a set
ofset
generates
generates
of
of
clock This
This
clock
clock rule
rule
a a set
se
ge
g
regions.
regions.
regions. regions.
Above
regions.
Above
Above their
their their
Above
Above regions.
maximum
maximumregions.
maximum
their
their maximum
Above
maximum
Above
values,
values,
= 2, (x − ⎣x⎦) − (y − ⎣y⎦) > 0, is obtained. This rule generates a set of clock regions. Above values,
regions.
regions. their
their
the the
values,
the
values,
Above
Above
maximum
maximum
relations
relations relations the the
their
their relations
between relations
between
values,
between
values,
maximum
maximum the the
between
the
the
between
the
clocks relations
values,
relations
values,
clocks
clocks
are the the are
the
not the
are
between
clocks
between
clocks
not
relations
relations
not
examined. are
are the
the
not
not
between
betwee
clocks
clocks
duced to the formalism, with integer limits. The greatest integer relative to the clock is the Sensors 2022, 22, x FOR PEER REVIEW
examined.
examined.
Since examined.
examined.
infinitely many examined.
examined.
their maximum values, the relations between the clocks are not examined. time transitions examined.
examined. between a pair or regions are possible, a region
Since infinitely many time transitions between a pair or regions are possible, a
succession graph Since infinitely many time transitions between a pair or regions are possible, a
is created. Since infinitely many time transitions between a pair or regions are possible
Since infinitely many time transitions between a pair or regions are possibl
Since infinitely many time transitions between a pair or regions are possible, a region Since infinitely many time transitions between a pair or region
Since infinitely many time transitions between a pair or region
part of clock differences (0 is treated as a distinct, third sign), a region, such as ⎣x⎦ = 1, ⎣y⎦
region succession graph is created.
succession graph is created. region succession graph is created.
region succession graph is created. region succession graph is created.
= 2, (x − ⎣x⎦) − (y − ⎣y⎦) > 0, is obtained. This rule generates a set of clock regions. Above
2.1. Timed Automaton-Syntax
their maximum values, the relations between the clocks are not examined. 2.3. Network of TA
Sensors 2022, 22, x FOR PEER REVIEW 2.1. Timed Automaton‐Syntax
2.1. Timed Automaton‐Syntax
Sensors 2022, 22, x FOR PEER REVIEW 2.1. Timed Automaton‐Syntax
2.1. Timed Automaton‐Syntax 2.1. Timed Automaton‐Syntax
2.1. Timed Automaton‐Syntax 2.1. Timed Automaton‐Syntax
2.1. Timed Automaton‐Syntax 6 NTA is a network o
of

Here, we give the definition of timed automata, a base of Uppaal extension.
Since infinitely many time transitions between a pair or regions are possible, a region A38 6 timed
of 38 6 of 38
Here, we give the definition of timed automata, a base of Uppaal extension. A
automaton
 L = {l Here, we give the definition of timed automata, a base of Uppaal extension. A
L = {l 0, l
0, l 1TA
L = {l
L = {l
, …} is a finite set of locations,
1, …} is a finite set of locations,
is a0, l  (L,L = {l Here, we give the definition of timed automata, a base of Uppaal extension.
Here, we give the definition of timed automata, a base of Uppaal extension
l0 , Z,
L = {l
, l1, …} is a finite set of locations,
1, …} is a finite set of locations, 0, l
0, lQ, Here, we give the definition of timed automata, a base of Uppa
Here, we give the definition of timed automata, a base of Upp
1, …} is a finite set of locations,
E, JL = {l
1, …} is a finite set of locations, 1, …} is a finite set of locations, NTA is itself a TA, it is c
succession graph is created.
Sensors 2022, 22, x FOR PEER REVIEW 0tuple
Here, we give the definition of timed automata, a base of Uppaal extension. A timed l L = {l
) where: 0, l
0, l 1, …} is a finite set of locations, 6 of 38
timed automaton TA is a tuple (L, l
•timed automaton TA is a tuple (L, l
 l0 L
 timed automaton TA is a tuple (L, l
l0  L is an initial location,
 L is an initial location,
 l0 l0  L is an initial location,
automaton TA is a tuple (L, l
= {l0 , l1 , . . . } is a finite set of locations,
 timed automaton TA is a tuple (L, l
 l 0, Z, Q, E, J
0, Z, Q, E, J
0 l0  L is an initial location,
0, Z, Q, E, J
 l 0 l 0, Z, Q, E, J
0l, Z, Q, E, J
) where:
l) where:
0  L is an initial location,
l) where:
l) where:
l) where:
0, Z, Q, E, J
0, Z, Q, E, J l) where:
l) where:
0, Z, Q, E, J
0, Z, Q, E, J l) where:
l) where:
NTA = (L, l6 of 38 , Z, Q, E
0

2.1. Timed Automaton‐Syntax •2.3. Network of TA
 Z = {c lZ = {cL , c
0, c
2.3. Network of TA , …} is the set of clocks,
1, …} is the set of clocks,
Z = {c
Z = {c
02.3. Network of TA
is1L = {l 0, c
0, c 1  Z = {c
1, …} is the set of clocks,
, …} is the set of clocks,
Z = {c0, c 0, c 1 1, …} is the set of clocks,
, …} is the set of clocks,
Z = {c0, c
Z = {c 0, c 1, …} is the set of clocks,
1, …} is the set of clocks, individual elements of N
0 ∈ an 0, l1, …} is a finite set of locations,
initial location,
     
Q denotes a set of labels (interpreted as actions on transitions, do not confuse with
Q denotes a set of labels (interpreted as actions on transitions, do not confuse with
Q denotes a set of labels (interpreted as actions on transitions, do not confuse with 
Q denotes a set of labels (interpreted as actions on transitions, do not confuse with 
Q denotes a set of labels (interpreted as actions on transitions, do not confu
Q denotes a set of labels (interpreted as actions on transitions, do not con
Q denotes a set of labels (interpreted as actions on transitions
Q denotes a set of labels (interpreted as actions on transition 
= {c 0 ,l0 c L is an initial location,
Here, we give the definition of timed automata, a base of Uppaal extension. A timed
• NTA is a network of timed automata over a common set of clocks and labels (actions).
Z2.3. Network of TA , . . . } is the set of clocks,
NTA is a network of timed automata over a common set of clocks and labels (actions).
1NTA is a network of timed automata over a common set of clocks and labels (actions).
A set of locations is
automaton TA is a tuple (L, l 0IMDS actions),
IMDS actions),

, Z, Q, E, J IMDS actions),
Z = {cIMDS actions),
l) where: , c IMDS actions),
, …} is the set of clocks, IMDS actions), IMDS actions),
IMDS actions), …, l n), li  Li.
•NTA is itself a TA, it is constructed in the following way:
NTA is itself a TA, it is constructed in the following way:
Q NTA is itself a TA, it is constructed in the following way:
denotes
2.3. Network of TA a 0 set 1 of labels (interpreted as actions on transitions, do not confuse with
 every location
every  NTA is a network of timed automata over a common set of clocks and labels (actions).
NTA = (L, l
location
every
every 
l location
l  L
0location L is 0is mapped
every l  
l mapped
every L L location
is is lby
by
location
mapped
mapped (l)
JlJevery (l) 
l l to
levery 
to
by a location
L
by a
L set set
lJ(l)
location
is
Jis (l) of
lmapped to
of
mapped to l a
l 
0valuations
a 
valuations
set set
0L
by L of
by of
is Jvaluations
is (l)
lJ 0valuations
(l)
mapped of
lmapped of
to
to
clocks
clocks
a a set
set
by
by of
of
in
of
of
Jliin
lJ(l) 
clocks  L is an initial loc
lvaluations of clocks in
Z,
(l)
clocks in
valuations of clocks
Z, to over a
to over a
a set
la set
0 in Z,
Z,
of
of
over a
over a
valuations
valuations in Z
 NTA = (L, l
L = {l0, l1, …} is a finite set of locations,
IMDS Q denotes a set of labels (interpreted as actions on transitions, do not confuse with
actions), 0, Z, Q, E, J
NTA = (L, l , Z, Q, E, J
NTA is itself a TA, it is constructed in the following way: l, Z, Q, E, J
) consists of n TA, TA
l ) consists of n TA, TA
NTA is a network of timed automata over a common set of clocks and labels (actions). ) consists of n TA, TA i = (L i , l
i = (L i , Z i , l
i i, Q
= (L
i , Z i , E
ii, l
, Q ii, J, Z
i, E
li ) with i = 1, …, n. The
i, Q
i, J li
i, E
) with i = 1, …, n. The
i, J ) with i = 1, …, n. The
Cartesian product of
Cartesian product of Cartesian product of
Cartesian product of ℝ ℝ , for example, J ℝ
, for example, J
Cartesian product of ℝ , for example, J
, for example, J l(l) = {c
l(l) = {c
Cartesian product of ℝ ℝ 1‐c 1‐c , for example, J
2l > 2},
(l) = {c
, for example, J
2l > 2},
(l) = {c 1‐c 1‐c 2ℝ 2ℝ
> 2},
> 2}, , for example, J
, for example, J
l(l) = {c
l(l) = {c 1‐c 1‐c2 > 2},
2 > 2}, in Z is a common set o
(l) = {c
(l) = {c ‐c‐c > 2},
> 2},
 l0  L is an initial location,
l l 1 1 2 2
every IMDS actions),
•individual elements of NTA are:
individual elements of NTA are:
location ∈ L is mapped
0l, Z, Q, E, J by Jl (l) to a set ofiZ, lZvaluations ofli) with i = 1, …, n. The
clocks Z, over a
 E  L × Q × J NTA = (L, l
E  L × Q × J E  L × Q × J ll × 2
E  L × Q × J ll × 2 Z  ll × 2
Z × L—set of transitions: e = (l, q, J

Zl) consists of n TA, TA
× L—set of transitions: e = (l, q, J
× 2  llE  L × Q × J
llE  L × Q × J × L—set of transitions: e = (l, q, J
E  L × Q × J × 2 × 2Zby i = (L
llE  L × Q × J llll(l,l′), r, l′)  E
ll × 2
ll(l,l′), r, l′)  E
× 2 i0, Zi, Qi, Ei, J
ll(l,l′), r, l′)  E
ll(l,l′), r, l′)  E 
ll(l,l′), r, l′)  E
ll(l,l′), r, l′)  E ll(l,l′), r, l′) 
Q is a common set ll(l,l′), r, l′) 
  Cartesian every product
individual elements of NTA are: location
A set of locations is a Cartesian product L = L
Z = {c0, c1, …} is the set of clocks, NTA = (L, l
A set of locations is a Cartesian product L = L
0, Z, Q, E, J l Z L
of R≥0 ,l) consists of n TA, TAis mapped
for example, Jl (l)1 × … × L J l(l) = {c to a
× … × L
i 1= (L
1 2 -c set
in, l >1 i
of
0, Z2}, n
valuations
, l  L is a location vector l = (l
× … × L , l  L is a location vector l = (l
i, Q i, E
n
of clocks
, l  L is a location vector l = (l
i, J li) with i = 1, …, n. The
in Z, 1,
over 1,
a 1,
 Jll…, l
J is a set of functions for pairs l,l′  L, every transition (l,l′), is mapped by J
J
Cartesian product of ℝ
llJ is a set of functions for pairs l,l′  L, every transition (l,l′), is mapped by J
J llJ is a set of functions for pairs l,l′  L, every transition (l,l′), is mapped by J
ll is a set of functions for pairs l,l′  L, every transition (l,l′), is mapped by J
ll is a set of functions for pairs l,l′  L, every transition (l,l′), is mapped by J J llJ is a set of functions for pairs l,l′  L, every transition (l,l′), is
, for example, J ll is a set of functions for pairs l,l′  L, every transition (l,l′), is
(l) = {c ‐c > 2}, ll(l,l′) to a
ll(l,l′) to aLocation invariant fu
ll(l,l′) to a
ll(l,l′) to a
i  L . i  L
Q denotes a set of labels (interpreted as actions on transitions, do not confuse with i. i  L
l 1 2 l
…, l
), l ), l…, l nJ), l Zi. 0 ), r, l0 ) ∈ E
•  ⊆nset of valuations of clocks in Z over a Cartesian product of
Eindividual elements of NTA are:
L × nQ i×
ll × 2 ×ZL—set
A set of locations is a Cartesian product L = L of transitions: e =1 × … × L (l, q, Jll (l,l n, l  L is a location vector l = (l
ℝ ℝ ℝ ℝ ℝ ℝ1,
IMDS actions),  0  set of valuations of clocks in Z over a Cartesian product of
0 E  L × Q × J
l L is an initial location vector l set of valuations of clocks in Z over a Cartesian product of
set of valuations of clocks in Z over a Cartesian product of
 L is an initial location vector l
l …, l l  L is an initial location vector l
0 set of valuations of clocks in Z over a Cartesian product of
set of valuations of clocks in Z over a Cartesian product of
ll × 2 × L—set of transitions: e = (l, q, J
0 = (l01 = (l
0 0 , …, l set of valuations of clocks in Z over a Cartesian product o
set of valuations of clocks in Z over a Cartesian product o
1 , …, l
00 = (l
n ), l1i n, …, l
0 00  L
0 ii.  L
), l1 × … × L0 n ), l
0 ll(l,l′), r, l′)  E
i  Li. 0
i. 0 , just as J
, just as J l(l) for a tors Jll(l) = J
, just as J
l(l) for a
, just as J (l) for a
l(l) for a (l, just as
1) ∧ …
l1, just as
Jll islocation l,
alocation l,
set n), l
ofl(l) to  L
i functions i.
A set of locations is a Cartesian product L = L forvaluations
pairs l,l ∈of L,clocks everyin transition (l,l ), is mapped by Jll (l,l0 ) to
n, l  L is a location vector l = (l 1,
 every location l  L is  mapped J location l,
location l,
Z is a common set of clocks—a union of sets of clocks Z = Z
 by J a set of location l,
location l,
Z is a common set of clocks—a union of sets of clocks Z = Z
Z is a common set of clocks—a union of sets of clocks Z = Z location l,
location l, Z, 0 over a1 ∪ … ∪ Z 1 ∪ … ∪ Z n. 1 ∪ … ∪ Zn. n. ll(l,l′) to a

ar  2 l 0
…, l  L is an initial location vector l
n), li Z L i.
set indicates a subset of clocks in Z that are reset on transition.
of valuations of1‐c clocks in Z over
0 = (l 1Z, …, ln ), li  Li.
0 0
r  2a indicates a subset of clocks in Z that are reset on transitio
Cartesian product1 ∪ … ∪ Q of R Z 2.4. The Semantics of the N
J (l) l(l) for a
 ℝ r  2 indicates a subset of clocks in Z that are reset on transition.
r  2
r  2 indicates a subset of clocks in Z that are reset on transition.
indicates a subset of clocks in Z that are reset on transition.
r  2
r  2 indicates a subset of clocks in Z that are reset on transition.
indicates a subset of clocks in Z that are reset on transition.
r  2 indicates a subset of clocks in Z that are reset on transit 0 ,ℝ just as for a
Z Z Z Z Z Z
Cartesian product of Q is a common set of labels—symbols on transitions Q = Q
lZ is a common set of clocks—a union of sets of clocks Z = Z
, for example, J l(l) = {c
 Q is a common set of labels—symbols on transitions Q = Q
Q is a common set of labels—symbols on transitions Q = Q
0  L is an initial location vector l
2 > 2},
set of valuations of clocks in Z over a Cartesian product of 0 = (l10, …, ln0), li0  Li. 1 ∪ … ∪ Q n.
1 ∪ … ∪ Zn.
1≥ ∪ … ∪ Qn. , just as J n. l
 Z
 location l,
Location invariant functions are composed into a common function over location vec‐
Q is a common set of labels—symbols on transitions Q = Q
E  L × Q × Jll × 2 × L—set of transitions: e = (l, q, J location l, ll(l,l′), r, l′)  E
Location invariant functions are composed into a common function over location vec‐
Location invariant functions are composed into a common function over location vec‐ Let TA i = (L, l0, Z, Q
 2.2. Timed Automaton‐Semantics
Z Z is a common set of clocks—a union of sets of clocks Z = Z
2.2. Timed Automaton‐Semantics
2.2. Timed Automaton‐Semantics 2.2. Timed Automaton‐Semantics
2.2. Timed Automaton‐Semantics 2.2. Timed Automaton‐Semantics
2.2. Timed Automaton‐Semantics 11 ∪ … ∪ Q
∪ … ∪ Znn. .
r ∈
tors J 2 indicates
r  2 a subset of
l1(l indicates a subset of clocks in Z that are reset on transition.
Z clocks in Z that are reset on transition. Let l 0 = (l10, … , ln0) b
 tors J l(l) = J tors J
l(l) = J 1) ∧ … ∧ J
Jll is a set of functions for pairs l,l′  L, every transition (l,l′), is mapped by J l(l) = J
l1 (l1) ∧ … ∧ J l1(l ln1(l ) ∧ … ∧ J
n). ln(ln). ln(ln).
Q is a common set of labels—symbols on transitions Q = Q ll(l,l′) to a
1 ∪ … ∪ Qn.
The semantics of a TA is:
set of valuations of clocks in Z over a Cartesian product of The semantics of a TA is:
The semantics of a TA is: The semantics of a TA is:
ℝ , just as J l(l) for a
l[li/li′] denotes the lo
2.2. 
Timed tors J l(l) = Jl1(l1) ∧ … ∧ Jln(ln).
Automaton-Semantics
location l, Let (L, l
Let (L, l Let (L, l
Let (L, l
0, Z, Q, E, J
0, Z, Q, E, J
2.4. The Semantics of the Network of TA
2.4. The Semantics of the Network of TA 0, Z, Q, E, J
0l, Z, Q, E, J
) be an TA.
l) be an TA. Let (L, l
Let (L, l l) be an TA.
l) be an TA.
0, Z, Q, E, J
0, Z, Q, E, J Let (L, l
Let (L, l l) be an TA.
l) be an TA.
0, Z, Q, E, J
0, Z, Q, E, J l) be an TA.
l) be an TA. The semantics of a
tors Jl(l) = Jl1(l1) ∧ … ∧ Jln(ln).
The semantics is defined as an LTS—labeled transition system ⟨Vertices, vertex
The semantics The semantics is defined as an LTS—labeled transition system ⟨Vertices, vertex
r  2Z indicates a subset of clocks in Z that are reset on transition.
Let TA Let TA The semantics of a TA is:
i = (L, l Let TA
i = (L, l
2.4. The Semantics of the Network of TA 0 of
, Z, Q, E, J a
i = (L, l
0 TA
, Z, Q, E, J The semantics is defined as an LTS—labeled transition system ⟨Vertices, ver
0The semantics is defined as an LTS—labeled transition system ⟨Vertices, ve
is:
l, Z, Q, E, J
). l). l). The semantics is defined as an LTS—labeled transition system
The semantics is defined as an LTS—labeled transition system  0, ⟩, , ⟩, 0, ⟩,
0Vertices = (L 0, ⟩, 1 × … ×
where:
where: Let
Let l where:
where:
(L,
Let l
0 = (l l 0,
Let (L, l
0 Z,
Let l
01 = (l
, … , l Q,
2.4. The Semantics of the Network of TA 1 , … , l
0 0 0 E,
= (l where:
, Z, Q, E, J Jwhere:
) be an
n ) be the initial location vector.
0 1 l, … , l
0 0 l TA.
) be an TA.
where:
where:
0  vertex 0 = (l 0 ; u 0) Ve
 Vertices  L ×   Let TA i = (L, l0, Z, Q, E, Jl).
ℝ ℝ   ℝ ℝ   ℝ ℝ ℝ ℝ
2.2. Timed Automaton‐Semantics Vertices  L ×
The semantics Vertices  L ×
Vertices  L × is
defined
i/li′] denotes the location vector where l
Vertices  L ×
Vertices  L ×
is the set of LTS vertices for the automaton TA (because the term
as an
l[li/li′] denotes the location vector where l
l[l 0l[l
i/li′] denotes the location vector where l LTS—labeled Vertices  L ×
Vertices  L ×

is the set of LTS vertices for the automaton TA (because
is the set of LTS vertices for the automaton TA (because
transition
i’ replaces the i i’ replaces the i

is the set of LTS vertices for the automaton
is the set of LTS vertices for the automaton
system
i’ replaces the ith element l th 〈Vertices,
element l thi element l
of L. vertex 
i of L. i of L. 0 ,  =  〉, where:t ∪ 
0 , ⟩, p is the t
Let l
Let TA = (l 10, … , l
i = (L, l n0) be the initial location vector.
0, Z, Q, E, J
state is reserved for IMDS node states, we use the term vertex instead),
state is reserved for IMDS node states, we use the term vertex instead), l).
where: Z is0 state is reserved for IMDS node states, we use the term vertex instead),
state is reserved for IMDS node states, we use the term vertex in
state is reserved for IMDS node states, we use the term vertex
• The semantics of a network on n TA is defined as an LTS ⟨Vertices, vertex i’ replaces the i element li of L. -the (l, u) 
The semantics of a TA is: Vertices The semantics of a network on n TA is defined as an LTS ⟨Vertices, vertex
l[l ⊆ The semantics of a network on n TA is defined as an LTS ⟨Vertices, vertex
L ×
i/li′] denotes the location vector where l the set of LTS vertices for the automaton th TA 0, ⟩, where:
(because 0, ⟩, where: 0, ⟩, where:
term t (l, u +
0 Let l = (l 1 , … , l ) be the initial location vector.
0 0 R
 vertex vertex•Vertices = (L
= (l
0 = (l , u
vertex0, u
0vertex
Vertices ⊆ L × 0 0 ≥0, u00, un0ℝ
0)  Vertices is the initial vertex, u
= (l= (l 0 0 0, u
)  Vertices is the initial vertex, u
)  Vertices is the initial vertex, u
0vertex
vertex = (l
= (l 0, u )  Vertices is the initial vertex, u
0vertex )  Vertices is the initial vertex, u
0vertex 0 0 = (l= (l
is the set of LTS vertices for the automaton TA (because the term0 maps all clocks c  Z to 0.
0, u maps all clocks c  Z to 0.
0, u 0)  Vertices is the initial vertex, u
0 maps all clocks c  Z to 0.
0 maps all clocks c  Z to 0. 0 maps all clocks c  Z to 0.
0 maps all clocks c  Z to 0. 0 maps all clocks
0 maps all clock

Let (L, l0, Z, Q, E, Jl) be an TA. state 
is
Vertices = (L reserved Vertices = (L
× … × L for
× … × L IMDS
) × × … × Lℝ ) × node
ℝ ℝ
states,
is the set of global LTS vertices,
) × we
use
is the set of global LTS vertices, the term vertex instead), - if there exists
The semantics of a network on n TA is defined as an LTS ⟨Vertices, vertex
l[l i/li′] denotes the location vector where li’ replaces the i element li of L. 0, ⟩, where: th
  =   =  t ∪ 
t ∪   = 
 =  1 1
p is the transition relation such that:
p is the transition relation such that:
n
t ∪ 
t ∪ 
1
 =  n
 = t ∪  n
 p is the transition relation such that:
state is reserved for IMDS node states, we use the term vertex instead), t ∪   =  = t ∪ 
t ∪  p is the transition relation such that:
• vertexvertex
 The semantics of a network on n TA is defined as an LTS ⟨Vertices, vertex
vertex
00 = (l= (l0vertex
Vertices = (L 0; u
= (l
0 , 0u 0) = (l∈
) Vertices is the initial vertex, u
00; u 0) Vertices is the initial vertex, u
0; u0) Vertices is the initial vertex, u
Vertices is the initial vertex,
1 × … × Ln) × ℝ is the set of global LTS vertices,
0 maps all clocks c  Z to 0, 0, ⟩,
u00 maps all clocks c  Z to 0,
maps all clocks c ∈ Z to 0.
0 maps all clocks c  Z to 0, 0, ⟩, where:
TAj, … (at leas
where: • (l, u) 
 =  •
(l, u)  
 =  t t (l, u) 
vertex(l, u) 
(l, u + d) if ∀d′:
(l, u + d) if ∀d′:
 =  t t (l, u) 
(l, u) 
0 = (l0, u0) ∈ Vertices is the initial vertex, ul0(l) – timed transition,
(l, u + d) if ∀d′:
(l, u + d) if ∀d′: 0 ≤ d′ ≤ d  u + d′  J
0 ≤ d′ ≤ d  u + d′  J
t t (l, u) 
(l, u + d) if ∀d′:
(l, u + d) if ∀d′:(l, u) 
0 ≤ d′ ≤ d  u + d′  J
0 ≤ d′ ≤ d  u + d′  J t (l, u + d) if ∀d′:
lt(l) – timed transition,
(l, u + d) if ∀d′:
l(l) – timed transition,
0 ≤ d′ ≤ d  u + d′  J
0 ≤ d′ ≤ d  u + d′  J l(l) – timed transition,
0 ≤ d′ ≤ d  u + d′  J
0 ≤ d′ ≤ d  u + d′  J
maps all clocks c ∈ Z to 0. l(l) – timed transition,
l(l) – timed transition, l(l) – timed transit
l(l) – timed transi
e i = (l1i, q, Jlli(l1i,
= tt ∪ 0 = (l
∪  t
p ∪ 
is the transition relation defined by:
p is0; u p is the transition relation defined by:
the
t ∪  p is the transition relation defined by:
transition relation such that: 0 maps all clocks c  Z to 0,
n) × ℝ is the set of global LTS vertices,
• (l, u)  • vertex
(l, u)  Vertices = (L
 = t ∪ 
(l, u) 
(l, u) 
p (l′, u′) if there exists e = (l, q, J
(l′, u′) if there exists e = (l, q, J
Vertices ⊆ L × ℝ is the set of LTS vertices for the automaton TA (because the term
p
0) Vertices is the initial vertex, u
1 × … × L
(l, u) 
(l, u) 
p is the transition relation such that: (l, u) 
ll(l, u) 
(l,l′), r, l’)  E
ll(l,l′), r, l’)  E
ll(l,l′), r, l’)  E
ll(l,l′), r, l’)  E ll(l,l′), r, l’)  E
ll(l,l′), r, l’)  E ll(l,l′), r, l’)  E
ll(l,l′), r, l’)  E then there exis
-  u)Such that u  J
(l,  = 
-(l, u) 
vertex (l,
t(l, u) 
Such that u  J -0ut = (l
(l, u)  t ∪  (l, u) 
(l, u + d) if ∀
0; u t (l, u + d) if ∀
+Such that u  J
d) p
Such that u  J
t (l, u + d) if ∀d′:
0: 0
∀dt (l, u + d) if ∀ 00 ≤ d′ ≤ d  u + d′  J
d′ 0 ≤ d′ ≤ d  u + d′  J
≤Such that u  J
if0ll) Vertices is the initial vertex, u ≤ dd′ 0 ≤ d′ ≤ d  u + d′  J
⇒ uSuch that u  J
dd′ 0 ≤ d′ ≤ d ⇒ u + d′ ∈ J
(l,l′); u’ = [r  0]u – progress transition;
ll(l,l′); u’ = [r  0]u – progress transition;
(l,l′); u’ = [r  0]u – progress transition;+
llSuch that u  J
d0 ∈l(l)—timed transition,
Jl (l) l(l)—timed transition,
– timed
Such that u  J l(l)—timed transition,
0 maps all clocks c  Z to 0, transition,
state is reserved for IMDS node states, we use the term vertex instead), u  Jll(l[l1i/l2i, l1
- 
(l, u) -  = 
- (l - 0 , ∪ 
(l, u) 
t u 0
if there exists a symbol q  Q, for which there exist transitions e
) if there exists a symbol q  Q, for which there exist transitions e
ifp is the transition relation defined by:
there
(l, u + d) if ∀ exists e = (l, q,
0 ≤ d′ ≤ d  u + d′  J J (l,l 0 ), r, l 0 ) ∈ E(l)—timed transition, i, ej, … in TA i, ej, … in TA i, eji, … in TA
, i, i,
• where
where
vertex0 = (l0, u0) ∈ Vertices is the initial vertex, u p where
where
(l, u) p (l′, u′) if there exists e = (l, q, J
t where
where
0 maps all clocks c ∈ Z to 0.
d′ wherewhere ll ll(l,l′), r, l’) ∈ E l
Comment: Th
TA TA
ℝfor d′ 
ℝfor d′  TA
j, … (at least one, but if more, then in distinct automata):
• for d′ 
for d′ 
 = t ∪ p is the transition relation such that:-Such (l, u) 
that
Such that u ∈ J uℝ ℝ
t (l, u + d) if ∀ 0 ); u0 =
llfor d′ 
(l,l for d′ 
(l,l′); u’ = [r  d′ ℝ ℝ
0 ≤ d′ ≤ d  u + d′  J
∈ J, u + d′ maps each clock c in Z to the value u(c) + d′,
, u + d′ maps each clock c in Z to the value u(c) + d′,
, u + d′ maps each clock c in Z to the value u(c) + d′, for d′ 
for d′ 
ll, u + d′ maps each clock c in Z to the value u(c) + d′, ℝℝ , u + d′ maps each clock c in Z to the value u(c) + d′
[r , u + d′ maps each clock c in Z to the value u(c) + d′,
0]u – progress
0]u – progress transition; l(l)—timed transition, i, ej, … in TAi,
, u + d′ maps each clock c in Z to the value u(c) + d
transition; distinct TA ha
e-i = (l e[r  0]u, r ⊂ Z, denotes the clock valuation, which maps each clock in r to 0 and agrees
1ii = (l
TA, q, J e, q, J
1illi i(l
= (l1i,llli 1i(l
2i ), r
, q, J
1i,l i, l
[r  0]u, r ⊂ Z, denotes the clock valuation, which maps each clock in r to 0 and agrees ), r
2i(l
2illi )  E
1ii, l
,l2i2i), r
, … (at least one, but if more, then in distinct automata):
[r  0]u, r ⊂ Z, denotes the clock valuation, which maps each clock in r to 0 and agrees )  E
i, ei, l
[r  0]u, r ⊂ Z, denotes the clock valuation, which maps each clock in r to 0 and agrees j = (l
2ii, e
)  E 1jj = (l
, q, J i, e1jllj, q, J
j(l
= (l1j,lllj
[r  0]u, r ⊂ Z, denotes the clock valuation, which maps each clock in r to 0 an
[r  0]u, r ⊂ Z, denotes the clock valuation, which maps each clock in r to 0 a 1j(l
2j ), r
, q, J
1j,l j, l ), r
2jllj
[r  0]u, r ⊂ Z, denotes the clock valuation, which maps each clo
[r  0]u, r ⊂ Z, denotes the clock valuation, which maps each cl 2j(l)  E
1jj, l
,l2j2j), r)  E
j, … j, l2jj, …
)  Ej, … i, ej, … in TAi,
where where
(l, u) t (l, u + d) if ∀d′: 0 ≤ d′ ≤ d ⇒ u + d′ ∈ J j
then there exists the transition e = (l
0 ∈R then there exists the transition e = (l
eTA
Zi = (l then there exists the transition e = (l
, q, J (l1i,l2i), r
0llimaps i, l2i)  Ei, ej = (l
1, q, J1ll, q, J (l1,l2ll), r, l (l
1, q, J
1,l22), r, l
1j, q, Jllj(l1j,l2j), rj, l2j)  Ej, …
)  
ll(l1,l22)   ), r, l
p such that 2p)  
such that p such that
for dwith u over Z\r.
(l, u) p (l′, u′) if there exists e = (l, q, J with u over Z\r.
for d′ ∈ ≥0ll1i
,with u over Z\r.
with u over Z\r.
u1iℝ with u over Z\r.
with u over Z\r.
+ d, u + d′ maps each clock c in Z to the value u(c) + d′,
(l,l′), r, l’) ∈ E each clock c in with u over Z\r.
Z to the value u(c) + d0 ,
with u over Z\r. 2.5. The Uppaal Extesion
u  Ju  J ll(l[l /l
ll (l[l
2i, l
u  J 1i1j/l /l (l[l
ll2i , l
2j , …]), u′ = [r
1i/l
1j /l 2i, …]), u′ = [r
2j , l 1j/l2j, …]), u′ = [r
i ∪ rj ∪ … 0]u—progress transition,
Such that u ∈ Jll(l,l′); u’ = [r  r ethen there exists the transition e = (l
[r 0]u – progress transition;
0]u, ⊂ i = (l1i, q, Jlli(l1i,l2i), ri, l2i)  Ei, ej = (l1j, q, J
Z, denotes the clock valuation, which
[r  0]u, r ⊂ Z, denotes the clock valuation, which maps each clock in r to 0 and 1, q, J llj(l (l,l1maps
ll1j ,l2j2), r
), r, l j, l2j 2)  
each )  E clock p such that
j, …
in r to 0 and agrees
Transitions are exe
Comment: There is a synchronization transition if more than one transition in
u  J Comment: There is a synchronization transition if more than one transition in
ll(l[l1i/l2i, l1j/l2j, …]), u′ = [ri ∪ rj ∪ … 0]u—progress transition,
then there exists the transition e = (l 1, q, Jll(l1,l2), r, l2)  p such that
where with u over Z \
agrees r. with u over Z\r.
distinct TA have the same q label on their transitions.
distinct TA have the same q label on their transitions. shared symbols (which e
u  J ll(l[l1i/l2i, l1j/l2j, …]), u′ = [ri ∪ rj ∪ … 0]u—progress transition,
for d′ ∈ ℝ , u + d′ maps each clock c in Z to the value u(c) + d′, two automata. However
2.3. Network of Comment: There is a synchronization transition if more than one transition in
TA
[r  0]u, r ⊂ Z, denotes the clock valuation, which maps each clock in r to 0 and
2.5. The Uppaal Extesion to TA
2.5. The Uppaal Extesion to TA nels (a timed transition c
agrees NTATransitions are executed simultaneously by the original TA if they are triggered by
is a network of
with u over Z\r. Transitions are executed simultaneously by the original TA if they are triggered by timed automata
Transitions are executed simultaneously by the original TA if they are triggered by
over a common set of clocks and labels (actions).
not use variables; thus, n
NTA is itself a TA, it is constructed in the following way: ata layout. Therefore, w
shared symbols (which enable transitions). A common symbol can synchronize more than
= (L, l0 , Z, Q, E, Jl ) consists of n TA, TAi = (Li , li 0 , Zi , Qi , Ei , Jli ) with
NTA two automata. However, standard TA are useless, because they do not apply urgent chan‐
two automata. However, standard TA are useless, because they do not apply urgent chan‐
tion 4. i = 1, . . . , n.
Transitions are executed simultaneously by the original TA if they are triggered by Communication ch
The individual elements of
nels (a timed transition can be executed while a progress transition is enabled) and the do NTA
nels (a timed transition can be executed while a progress transition is enabled) and the do are:
nels (a timed transition can be executed while a progress transition is enabled) and the do
shared symbols (which enable transitions). A common symbol can synchronize more than paal timed automata. S
not use variables; thus, no value can be passed between automata that explode the autom‐
two automata. However, standard TA are useless, because they do not apply urgent chan‐ complished by utilizing
ata layout. Therefore, we give the definition of Uppal timed automata (UTA [13]) in Sec‐
nels (a timed transition can be executed while a progress transition is enabled) and the do and receiving, ! and ?, re
tion 4. tion 4. tion 4.
not use variables; thus, no value can be passed between automata that explode the autom‐ direction, this method b
Communication channels replace the common symbols that trigger transitions in Up‐
tion 4. Communication channels replace the common symbols that trigger transitions in Up‐
ata layout. Therefore, we give the definition of Uppal timed automata (UTA [13]) in Sec‐ tails multiple automata
paal timed automata. Sending and receiving a signal synchronously via channels is ac‐
tion 4. paal timed automata. Sending and receiving a signal synchronously via channels is ac‐
Communication channels replace the common symbols that trigger transitions in Up‐ The channel can be
complished by utilizing a shared channel symbol and two characters indicating sending
Since infinitely many time transitions between a pair or regions are possible, a region
Sensors 2022, 22, x FOR PEER REVIEW 2.3. Network of TA
6 of 38
6 of 38
6 of 38

Sensors 2022, 22, x FOR PEER REVIEW NTA is a network of 6 of 38
NTA is itself a TA, it is co
2.3. Network of TA
2.3. Network of TA
2.3. Network of TA NTA = (L, l0, Z, Q, E,
Here, we give the definition of timed automata, a base of Uppaal extension. A timed individual elements of N
Sensors 2022, 22, 1157 NTA is a network of timed automata over a common set of clocks and labels (actions).
2.3. Network of TA 6 of 37
automaton TA is a tuple (L, l 0, Z, Q, E, Jl) where:
Sensors 2022, 22, x FOR PEER REVIEW  A set of locations is a


L = {l0, l1, …} is a finite set of locations,
NTA = (L, l
NTA = (L, l 0, Z, Q, E, J
NTA = (L, l 0, Z, Q, E, J 0l, Z, Q, E, J
l) consists of n TA, TA
l) consists of n TA, TA i = (Lii , l = (Li0, Z i, li i, Q
= (L
i0, Z i, E
ii, l
, Qii, J
0, Z
i, E
li) with i = 1, …, n. The
i, Q
i, Jlii, E
) with i = 1, …, n. The …, ln), li  Li.
i, Jli) with i = 1, …, n. The
individual elements of NTA are:  l0  L is an initial loca
NTA = (L, l0, Z, Q, E, Jl) consists of n TA, TAi = (Li, li0, Zi, Qi, Ei, Jli) with i = 1, …, n. The
 • A set of locations is a Cartesian product L = L1 × . . . × Ln , l ∈ L is a location
Z = {c0, c1, …} is the set of clocks, vector
Z is a common set o
 A set of locations is a Cartesian product L = L
individual elements of NTA are:
A set of locations is a Cartesian product L = L 2.3. Network of TA 1 × … × L 1 × … × L n, l  L is a location vector l = (l
1 × … × L n, l  L is a location vector l = (l
n, l  L is a location vector l = (l 1, 1, 1,
 l = (l1 , . . . , ln ), li ∈ Li .
Q denotes a set of labels (interpreted as actions on transitions, do not confuse with  Q is a common set o
…, l n…, l
), l i  L …, l
n), l i  L
i. n), l i. i  Li.
IMDS actions), • l0 ∈ L0  is an A set of locations is a Cartesian product L = L
initial location vector NTA is a network of timed automata over a common set of clocks an
l0 = (l1 00,0 . 0. . ,00 l0n 0 ),0 li00 1∈ × … × L
Li . n, l  L is a location vector l = (l
 Location invariant fun 1,
 l0  L is an initial location vector l
l  L is an initial location vector l
l…, l n), li  Li.
0 = (l100 = (l, …, l 1 , …, l
= (l
n ), l1i n, …, l  L
NTA is itself a TA, it is constructed in the following way: ), lii.  Ln ), l i0  Li.
i.
 every location • l  L is
Z is Z is a common set of clocks—a union of sets of clocks Z = Z
amapped
common by set Jl(l) ofto
Z is a common set of clocks—a union of sets of clocks Z = Z

clocks—a
a set of union
Z is a common set of clocks—a union of sets of clocks Z = Z valuations of sets of of clocks clocks in Z, Z 1= ∪ … ∪ Z
over Z11 ∪ … ∪ Z ∪ nZ. n . n. tors Jl(l) = Jl1(l1) ∧ … ∧
∪a . .n. .1 ∪ … ∪ Z
a common l0  L is an initial location vector l i0  Li.
NTA = (L, l 00 = (l 10, …, lnl0) consists of n TA, TA
, Z, Q, E, J ), l i = (Li, li0, Zi, Qi, Ei, Jli) wit
Cartesian product of Q isℝQ is a common set of labels—symbols on transitions Q = Q
• Q is a common set of labels—symbols on transitions Q = Q
, for example, J set of labels—symbols
l(l) = {c
Q is a common set of labels—symbols on transitions Q = Q 1‐c2 > 2}, on transitions Q = Q
1 ∪ … ∪ Q
∪
11 ∪ … ∪ Q. . .
n.
∪
1 ∪ … ∪ Q
Q
n.
n . n.
 E  L × Q × Jll• × 2  Z is a common set of clocks—a union of sets of clocks Z = Z
Z Location invariant functions arellcomposed individual elements of NTA are: into a common function over location 1 ∪ … ∪ Z n.
2.4. The Semantics of the N
vectors
 × L—set of transitions: e = (l, q, J

Location invariant functions are composed into a common function over location vec‐ (l,l′), r, l′)  E
Q is a common set of labels—symbols on transitions Q = Q 1 ∪ … ∪ Qn.
Jl (l) = 1l1)(l∧
Jl1 (ltors J .l1l(l) = J ∧ l1J(l
.(l.1) ∧ … ∧ J 
(l) ∧ … ∧ J A set of locations is a Cartesian product L = L × … × L
Let TA , l  L is a loc
ni = (L, l 0, Z, Q,
). ).ln(ln). ln(ln).
1
Jll is a set of functions for pairs l,l′  L, every transition (l,l′), is mapped by J
tors J tors J
l(l) = J ln nn ll(l,l′) to a
 l(l) = J 1) ∧ … ∧ J ln1(l
…, l n), li  Li. Let l 0 = (l10, … , ln0) be
set of valuations of clocks in Z over a Cartesian product of ℝ , just as Jl(l) for a
2.4. The Semantics tors J ofl(l) = J the Network l1(l1) ∧ … ∧ J0
 of TA (ln).
l ln L is an initial location vector l 0 = (l10, …, ln0), li0  Li.
location l, 2.4. The Semantics of the Network of TA
Let TA 0  Z is a common set of clocks—a union of sets of clocks Z = Z The semantics of a n 1 ∪ … ∪ Z
Let TA Let TA = Let TA
(L, 0l, Z, Q, E, J
i = (L, l
, Z,
ii = (L, l
Q, E,
i = (L, l
0, Z, Q, E, J ). Jl ).
0l, Z, Q, E, J l). l).
2.4. The Semantics of the Network of TA  Q is a common set of labels—symbols on transitions Q = Q 1 ∪ … ∪ Q
Let l
0
Let l0Let l = (l= (l100 = (l 0
1Let l, .10.0, … , l
, … , l = (l
0
.n0,) be the initial location vector.
ln10, … , l) be the initial location vector.
n0) be the initial location vector.
 Vertices = (L1 × … × L
2.2. Timed Automaton‐Semantics l[l /l 0 ] denotes Let TA i = (L, l0, Z, Q, E, J
the location  vector l).
Location invariant functions are composed into a common function o
where l 0 replaces the ith element l of  L. vertex 0 = (l0; u0) Ver
l[lii/li′] denotes the location vector where l
l[l l[l
i i/li′] denotes the location vector where l
Let li/li′] denotes the location vector where l
0 = (l10, … , ln0) be the initial location vector.
tors Jl(l) = J i’ replaces the i
i i’ replaces the i
l1(l1) ∧ … ∧ Jln(ln).
i’ replaces the i
th element l th element l thi element l
of L. i of L.
i i of L.
The semantics of a TA is: The semantics of a network
The semantics of a network on n TA is defined as an LTS ⟨Vertices, vertex
The semantics of a network on n TA is defined as an LTS ⟨Vertices, vertex on
The semantics of a network on n TA is defined as an LTS ⟨Vertices, vertexn TA is defined as an LTS 〈Vertices, vertex 
0, ⟩, where: ,  = 
〉,
00, ⟩, where: where:t ∪ p is the tra
0, ⟩, where:
l[li/li′] denotes the location vector where li’ replaces the ith element l i of L.
Let (L, l0, Z, Q, E, J
• l) be an TA.
Vertices  = Vertices = (L
Vertices = (L
Vertices = (L 1 ×1. × … × L
(L1 × … × L . . n× ) × Lnℝ
1 × … × L n)) × × ℝ Z
ℝ the
is set of global LTS vertices,
Rn) × - 0, ⟩, where:
(l, u) t (l, u + d
≥ 0is the set of global LTS vertices,
The semantics of a network on n TA is defined as an LTS ⟨Vertices, vertex is the set of global LTS vertices,
• vertexvertex 00 = (l
vertex = (l0vertex
0; u
= (l ∈
00; u 0) = (l0) Vertices is the initial vertex, u
0; u0) Vertices is the initial vertex, u 0 maps all clocks c  Z to 0,
u00 maps all clocks c  Z to 0, 0, ⟩,
all clocks c ∈ Z to 0,
0 maps all clocks c  Z to 0,
- if there exists a
0 ; 0u
Vertices = (L Vertices 1 × … × Ln) ×
is the initial
Let TA ℝ i = (L, l vertex, maps
0, Z, Q, E, J l).
where: TA j, … (at least
•  =  =  = tt ∪ ∪  =  tp ∪ 
p isp0the
vertex is the transition relation defined by:
t ∪ 
= (ltransitionp is the transition relation defined by:
relation
0; u0) Vertices is the initial vertex, u
Let l0 = (l defined by:
10, … , ln0) be the initial location vector. 0 maps all clocks c  Z to 0,
• Vertices ⊆ L × ℝ is the set of LTS vertices for the automaton TA (because the term e i = (l1i, q, Jlli(l1i,l2
-
-  u)(l, u) 
-(l, u) 
(l, - = t (l,(l, u) 
t (l, u + d) if ∀
(l, u + d) if ∀
ut ∪ + d) t (l, u + d) if ∀
if ∀ d′ 0 ≤ d′ ≤ d  u + d′  J
d0 0 ≤
0i′] denotes the location vector where l
d′ 0 ≤ d′ ≤ d  u + d′  J
p is the transition relation defined by:
l[ldi/ld′ ≤ 0 ≤ d′ ≤ d  u + d′  J 0 ∈l(l)—timed transition,
d ⇒ u + ld(l)—timed transition, Jl (l)—timed l(l)—timed transition, transition, i’ replaces the ith element li
then there exist
-
- - if there -
- exists if there exists a symbol q  Q, for which there exist transitions e
a symbol qThe semantics of a network on n TA is defined as an LTS ⟨Vertices, v
∈ Q, for which there exist transitions ej, … in TA , e i, ej, … in TA
i , ej , . . . in
i, eji, … in TA
, TAi, i , i,
•
i
vertex0 = (l0, u0) ∈ Vertices is the initial vertex, u (l, u)  t (l, u + d) if ∀ d′ 0 ≤ d′ ≤ d  u + d′  J
0 maps all clocks c ∈ Z to 0. l(l)—timed transition, u  J ll(l[l1i/l2i, l1j/
TAjj, … (at least one, but if more, then in distinct automata):
TA , TA TA
.-. . j, … (at least one, but if more, then in distinct automata):
(at j, … (at least one, but if more, then in distinct automata):
least one, but Vertices = (L if more, then in distinct n) × ℝautomata):
e i = (l 1i , q, Ji, e lli (l 1i ,l2i ),
•  = t ∪ p is the transition relation such that: if there exists a symbol q  Q, for which there exist transitions e 1 × … × L is the set of global LTS vertices, , … in TA
jComment: Ther i,
eri = (l
, l e1i)i = (l
, q, J
∈ E eTA, q, J
1illi i(l
= (l
, 1i,llli
e 1i(l
2i
= ), r
, q, J
1i,l
(l i, l ), r
,2i(l
2illi )  E

q,1ii, l
,lJ2i2i), r
)  E
i, ei, l
(l j = (l
,l2ii, e
)  E
),1jj = (l
vertex , q, J
= (lr ,i, e
1jllj, q, J
l
; u j(l
= (l
) 1j,lllj
∈ 1j(l
2j), r
, q, J
E 1j,l
, j, l
. ), r
.
2jllj 2j(l
.)  E
1jj, l
,l2j2j), r
then
) Vertices is the initial vertex, u )  E
j, … j, l2jj, …
there )  E j, …
exists the
transition
maps all clocks c  Z
(l, u) t (l, u + d) if ∀d′: 0 ≤ d′ ≤ d ⇒ u + d′ ∈ J
i 2i i j j 1j l(l) – timed transition,
llj 1j 2j 0 j 2j
0 0 j 0 distinct TA hav
e = (lthen there exists the transition e = (l
1 , q, Jelli = (l 1i, q, J
2 ), r,llil(l
(l1ll,l(l,l′), r, l’) ∈ E 21i
) ,l∈2i), r = 
pi, lsuch
2i)  E
t ∪ 
1, q, J1ll, q, J
i, e
(l1,l1j2, q, J
j = (l ∈ ll), r, l
J(l
1, q, J
1,l22), r, l
llj(l1j
)  
ll(l1,l22)  
thatu ll (l[l 1i /l
), r, l
,p such that
,l2j2i), r j, l/l
l1j 2p)  
such that
2j)  E
2j , . .j, …
p such that
. ]), u0 = [ri ∪ rj ∪
u  Ju  J ll(l[l1ill /l(l[l
u  J 2i, l 1i1j/l
/lll2i(l[l
2j, l, …]), u′ = [r
1i/l
1j /l2j2i, …]), u′ = [r
then there exists the transition e = (l , l1j/l2j, …]), u′ = [r
1, q, Jll(l

Such that u ∈ Jll(l,l′); u’ = [r  . . . 0]u – progress transition;
0]u—progress transition, - Comment:
(l, u)  t (l, u + d) if ∀ There isd′ 1,l0 ≤ d′ ≤ d  u + d′  J
a2), r, l 2)  p such that
synchronization transition
2.5. The Uppaal Extesion to
l(l)—timed transitio if
u  J (l[l /l , l /l , …]), u′ = [r ∪ r ∪ … 0]u—progress transition,
where more than one transition - ll 1i 2i 1j in distinct
2j TA have the same q label on their transitions.
i j
if there exists a symbol q  Q, for which there exist transition Transitions are exec
for d′ ∈ ℝ , u + d′ maps each clock c in Z to the value u(c) + d′, TAj, … (at least one, but if more, then in distinct automata): shared symbols (which en
2.5. The Uppaal Extesion distinct TA have the same q label on their transitions.
[r  0]u, r ⊂ Z, denotes the clock valuation, which maps each clock in r to 0 and to TA e = (l , q, J (l ,l ), r , l )  E , e = (l , q, J (l ,l ), r , l )  E , …
2.5. The Uppaal Extesion to TA i 1i lli 1i 2i i 2i i j 1j two automata. However,
llj 1j 2j j 2j j
agrees with u over Z\r. Transitions are executed simultaneously then there exists the transition e = (l

by the original TA if they1, q, J are ll(l1,l2), r, l2)  
triggered
nels (a timed transition ca by p such
2.5. The Uppaal Extesion to TA u  J (l[l /l , l /l , …]), u′ = [r ∪ r ∪ … 0]u—progress transitio
shared symbols (which enable transitions). A common symbol can synchronize ll 1i 2i 1j 2j i j not use variables; thus, no more
than two automata. However, standardComment: There is a synchronization transition if more than
TA are useless, because they do not ata layout. Therefore, we
apply urgent
shared symbols (which enable transitions). A common symbol can synchronize more than distinct TA have the same q label on their transitions.
channels (a timed transition can be executed while a progress transition is tion 4.
enabled) and
the do not use variables; thus, no value can be passed between automata that Communication cha
explode the
automata layout. Therefore, we give the definition of Uppal timed automata paal timed automata. Se
(UTA [13]) in
Section 4. Transitions are executed simultaneously by the original TA if they complished by utilizing a
tion 4. tion 4. tion 4.
Communication channels
Communication channels replace the common symbols that trigger transitions in Up‐ replace the common symbols that triggerand receiving, ! and ?, res
shared symbols (which enable transitions). A common symbol can synch
Communication channels replace the common symbols that trigger transitions in Up‐ transitions in
tion 4. two automata. However, standard TA are useless, because they do not ap direction, this method be
Uppaal timed automata. Sending and receiving a signal synchronously via channels is
nels (a timed transition can be executed while a progress transition is ena tails multiple automata r
accomplished by utilizing a shared
complished by utilizing a shared channel symbol and two characters indicating sending channel symbol and two characters indicating
complished by utilizing a shared channel symbol and two characters indicating sending sending
not use variables; thus, no value can be passed between automata that ex The channel can be
and receiving, ! and ?, respectively, as in chan! and chan? As it specifies the communication
ata layout. Therefore, we give the definition of Uppal timed automata ( mon channel symbols en
direction, this method better reflects
direction, this method better reflects distributed systems. Broadcast communication en‐
direction, this method better reflects distributed systems. Broadcast communication en‐distributed systems. Broadcast communication
and receiving, ! and ?, respectively, as in chan! and chan? As it specifies the communication entails
tion 4. time flow in locations, pr
multiple automata receiving
tails multiple automata receiving a signal given by one automaton.
tails multiple automata receiving a signal given by one automaton. a
tails multiple automata receiving a signal given by one automaton. signal
direction, this method better reflects distributed systems. Broadcast communication en‐ given by one automaton.
Communication channels replace the common symbols that trigger layed. However, in IMDS
can be labeled urgent, in which case transitions are enabled, with common
The The channel can be labeled urgent, in which case transitions are enabled, with com‐
channel
The channel can be labeled urgent, in which case transitions are enabled, with com‐
tails multiple automata receiving a signal given by one automaton. paal timed automata. Sending and receiving a signal synchronously vi As a result, asynchrono
mon channel symbols enabling these transitions: chan! and chan?, taking precedence over
channel mon channel symbols enabling these transitions: chan! and chan?, taking precedence over
symbols enabling these transitions: chan! and chan?, taking precedence over time
complished by utilizing a shared channel symbol and two characters in channels.
time flow in locations, preventing communication over an urgent channel from being de‐
flow time flow in locations, preventing communication over an urgent channel from being de‐
in locations, preventing communication over an urgent channel from being delayed.
and receiving, ! and ?, respectively, as in chan! and chan? As it specifies th

However,layed. However, in IMDS, using such a technique eliminates communication asynchrony.
layed. However, in IMDS, using such a technique eliminates communication asynchrony.
in IMDS, using such a technique eliminates communication asynchrony. As a
direction, this method better reflects distributed systems. Broadcast co
As a As
result, result,
a As result,
asynchronous asynchronous
a result, asynchronous asynchronous
communication communication communication
layed. However, in IMDS, using such a technique eliminates communication asynchrony. communication
requires requires therequires the
requires
introduction introduction
the introduction
the ofintroduction of asynchronous
asynchronous of asynchronous
of channels.
asynchronous
channels.
channels. channels.
As a result, asynchronous communication requires the introduction of asynchronous
The channel can be labeled urgent, in which case transitions are en
3. Integrated
channels. Model of Distributed Systems (IMDS)
mon channel symbols enabling these transitions: chan! and chan?, taking
The most straightforward description of IMDS is as follows: there are distributed
time flow in locations, preventing communication over an urgent chann
nodes in the system, which arelayed. However, in IMDS, using such a technique eliminates communica
characterized by their current states and agents conducting
distributed calculations, the progress of which
As a result, is determined
asynchronous current messages
by their requires
communication the introduction
If the message matches the node state, an action is fired
directed to individual nodes.channels.

(invoked)
that consumes the message
and state and provides the node’s next state and
the agent’s next message. Therefore, actions are the relationship between pairs (message,
state), input and output ones; that is all. However, a more detailed definition should be
introduced to define processes in the system and verify the system.

Sensors 2022, 22, 1157 7 of 37
An IMDS system [2] consists of a set of nodes, each represented by its current state
as a pair: (node, value). Each node offers services that distinguish different calls to the
same node. The set of agents represents distributed computing. In the context of agents,
messages are created that invoke node services. The message is a triple: (agent, node, service).
States and messages are, together, called elements. They change their roles as process carriers
and means of communication in dual views of distributed systems.
The actionrefers to how the service is carried out (on the node designated by the
message). The action switches the node’s current state to the next one and sends the next
agent message. This new message might be sent to the same or a different node. Distributed
computation is carried out as a series of actions that alter the states of the nodes involved.
A relation mapping the state and message to the next state and message can be viewed as
an action (performed by an agent on a node). The current condition of the node may or may
not allow the service to be run (if the status and message match or not). The appropriate
action is prepared if the service can be performed. Pending messages are those that are
waiting at a node. At the same node, many actions might be prepared. The action to be
performed (to be fired) is chosen non-deterministically.
A single action is always performed on a specific node, and the actions of different
nodes are performed using interleaving [24]. The choice of nodes that will perform the next
action is non-deterministic.
The agent terminates in this scenario, because a special action does not deliver the next
message. As a result, the number of agents may decrease during distributed computing. It is
assumed that the system starts with all nodes’ initial states and all agents’ initial messages.
The configuration is a ‘snapshot’ of the system; it is a set of states (one state for each
node) and messages (maximum one state for each agent, except for terminated agents). The
initial configuration contains the states of all nodes and messages of all agents. The input
configuration of the action includes its input state and input message. The output configuration
of the action contains the initial state and the initial message (or only the initial state for the
agent-terminating action).
IMDS semantics is defined by the Labeled Transition System (LTS [38,39]), in which
nodes are configurations and transitions are actions (creating a relation of configuration
succession, deduced from actions). The LTS contains all executions of the modeled system.
Sequences of actions (in the system) are called processes. The sequence of actions
performed by the same node is called the node process, and the sequence of actions that
performs messages of the same agent is called the agent process. Due to the possible non-
determinism of the set of actions (more than one action can be defined for a given pair
(message, state)), the process is actually a graph.
Each system (the entire computation) can be decomposed into node processes (which
make up the node view) or agent processes (which make up the agent view).
Deadlock and termination are expressed in terms of states, messages, and actions [2].
First, consider a node process. The following situations may occur:
• the current state matches some pending messages in the node—at least one action is
ready to be executed; the node process is running;
• the current state does not match any pending messages in the node (or no messages
are pending on the node)—a matching message may arrive in the node in the future;
the node process is waiting;
• no messages are pending in the node, and none will appear in the future; the node
process is idle;
• there are pending messages in the node, but the present state does not match any of
them, and there may not be any matching messages in the node in the future; the node
process has reached a deadlock.
Consider an agent process, which can reach the following cases:
• the agent’s message is pending in the node and matches the current state of this
node—the action is ready to fire; the agent runs;
Sensors 2022, 22, 1157 8 of 37
• the agent’s message is pending in the node and does not match the current state of
this node, but a matching state may occur in the future; the agent is waiting;
• the agent’s message is pending in the node, and neither the current state of this node
nor such a condition may occur in the future; the agent is deadlocked;
• the agent process has terminated, since no agent’s messages are pending in any node.
3.1. Basic IMDS Definition

The IMDS model is based on two sets and a binary relation on the Cartesian product
of these two sets. The sets are
• P = {p1 , p2 , . . . , pNp }—finite set of states (of nodes)
• M = {m1 , m2 , . . . , mNm }—finite set of messages (of agents)
while the action relation Λ is a binary relation on M × P:
• Λ ⊂ (M × P) × (M × P)—set of actions
For the elements of Λ we use the prefix notation λ = ((m,p), (m0 ,p0 )) ∈ Λ. The idea of
the IMDS action is presented graphically in Figure 1. The elements of the action, in this and
consecutive figures, are given as small blue circles with numbers. There are the references
to those elements in the text, for example (1).
Figure 1. Action in IMDS: relation in (M × P) × (M × P).
The agent’s message invokes an action on the node (the calculation step in a distributed
environment) that can be performed in specific states of the node. Performing the action
‘consumes’ the message and state, and creates the next node state and the next agent
message.
In the action λ = ((m,p), (m0 ,p0 )) we say that:
• the pair (m,p) match (1,31);
• (m,p) is the input pair, (m0 ,p0 ) is the output pair (2,32);
• the state p is current, the message m is pending;
• p0 is the next state, m0 is the next message.
The definition must be supplemented by the initial sets of states and messages:
• Pini ⊂ P – set of initial states
• Mini ⊂ M – states of initial messages.
It should be noted that IMDS is not an automata-based model, although it can be
represented as a collection of automata, in various ways; the paper [40] formally presents
the conversion of IMDS to node automata or to agent automata. In the present article,
we use some graphical notation informally, with node states as vertices and actions as
Sensors 2022, 22, 1157 9 of 37
transitions, because such notation is natural and makes it easier to express certain features
of the IMDS. However, it should be remembered that such automata are only one of
the possible interpretations; there are also others, such as the agent automata mentioned
above, as well as pairs of synchronous automata (custodians and messengers [41]), or the
non-automata interpretation as Petri nets shown in [21]. There is also an imperative
language Rybu, compatible with IMDS, used by the student to verify their synchronization
solutions [42]. Now, we are working on an even higher level language for web service
composition. Please note that IMDS is only a set of actions over the quadruple Cartesian
product (M × P) × (M × P). For programming purposes, these actions can be grouped
on nodes, agents, or otherwise, which does not change the essence of the definition of
formalism itself.
3.2. IMDS System Behavior

The behavior of the IMDS system is represented by labeled transition systems (LTS [38,39]),
i.e., a rooted labeled directed graph.
LTS vertices are configurations that are sets of current states and pending messages.
The root is the initial configuration, consisting of agents’ initial messages and nodes’ initial
states. States and messages together are called items. LTS transitions are defined by actions,
transforming their input configurations into output configurations.
• H = P ∪ M—set of items
• Tini = Pini ∪ Mini —initial configuration
• T ⊆ H—configuration
• ∀λ ∈ Λ λ = ((m,p),(m0 ,p0 )) Tinp (λ) ⊃ {m,p}, Tout (λ) = Tinp (λ)\{m,p} ∪ {m0 ,p0 }—obtaining
T
Tout (λ) from Tinp (λ) for an action (31,1)→(32,2)

• LTS = 〈N,N0 ,W〉, where
N is a set of vertices (configurations {T0 , T1 , . . . }, Tini = T0 );
N0 = Tini is the root;
W is the set of directed labeled transitions, W ⊆ N × Λ × N,
W = {(Tinp (λ),λi ,Tout (λ) | λi ∈ Λ, i = 1, . . . , ord(Λ)}.
The interleaving semantics of the system is assumed [43], i.e., exactly one action is
executed at a time.
3.3. IMDS Processes

Processes are defined in the IMDS as action sequences. Intermediate elements link the
actions in the sequence. If the intermediate elements are the states of a given node, then this
is the process of that node, and the messages serve as a means of communication between
processes. Conversely, if the messages of a given agent combine the actions of a process,
then this is the process of this agent, and the states of the nodes are used to communicate
processes. To do this, certain attributes must be assigned to the elements. Therefore, the
elements are not atomic, as in the previous chapter. We redefine elements as tuples in four
basic sets: nodes, agents, values, and services.
The formal definition of IMDS for the purpose of processes extraction is as follows:
• S = {s1 , s2 , . . . , sNs }—finite set of nodes
• A = {a1 , a2 , . . . , sNa }—finite set of agents
• V = {v1 , v2 , . . . , vNv }—finite set of values
• R = {r1 , r2 , . . . , rNr }—finite set of services
The nodes’ states are defined as pairs (node, value): p = (s,v), s ∈ S, v ∈ V, and the
messages as triples (agent, node, service): m = (a,s,r), a ∈ S, s ∈ S, r ∈ R. In such a formulation,
a message is an invocation of a node’s service by an agent. An action is an execution of a
service on a node in the context of an agent.
• P ⊂ S × V—set of states,
• M ⊂ A × S × R—set of messages,
Sensors 2022, 22, 1157 10 of 37
• H = P ∪ M—set of items,
• Initial sets Pini and Mini , set of items H, configurations T and Tini are defined over P
and M, as before.
In order to terminate the agent, we add a new type of action, having a pair (message,
state) on the input, but only a singleton (state) on the output. The definition of the action
relation in terms of agents, nodes, values, and services is as follows:
• Λ ⊂ (M × P) × (M × P) ∪ (M × P) × (P) | (m,p)Λ(m0 ,p0 ) ∨ (m,p)Λ(p0 ), m = (a,s,r) ∈ M,
p = (s1 ,v1 ) ∈ P, m0 = (a2 ,s2 ,r2 ) ∈ M, p0 = (s3 ,v3 ) ∈ P, s1 = s, s3 = s, a2 = a
Thus, Λ is not strictly a relation, because it contains both quadruples and triples.
We define functions of m and p, appointing their node and agent: for m = (a,s,r),
Ms(m) = s, Ma (m) =a, for p = (s,v), Ps(p) = s.
The previous definitions of T, Tinp , Tout , and LTS hold. The initial configuration
contains exactly one state for every node and exactly one message for every agent: initial
states of every node and initial message for every agent. For Tini , ∀m1 ,m2 ∈ Tini , m1 6= m2 :
Ma(m1 ) 6= Ma(m2 ); ∀p1 ,p2 ∈ Tini , p1 6= p2 : Ps(p1 ) 6= Ps(p2 ).
The definitions of node and agent processes are as follow:
• B(s) = {λ ∈ Λ | λ = (((a,s,r),(s,v)), ((a,s0 ,r0 ),(s,v0 ))) ∨ λ = (((a,s,r),(s,v)), ((s,v0 ))), s0 ∈ S,
a ∈ A, v,v0 ∈ V, r,r0 ∈ R}—node process of the node s ∈ S,
• C(a) = {λ ∈ Λ | λ = (((a,s,r),(s,v)), ((a,s0 ,r0 ),(s,v0 ))) ∨ λ = (((a,s,r),(s,v)), ((s,v0 ))), s,s0 ∈ S,
v,v0 ∈ V, r,r0 ∈ R}—agent process of the agent a ∈ A,
The system views are
• B = {B(s1 ),B(s2 ), . . . ,B(sNs ) | si ∈ S}—the node view (decomposition of the system to
node processes),
• C = {C(a1 ),C(a2 ), . . . ,C(aNa ) | ai ∈ A}—the agent view (decomposition of the system to
agent processes).
3.4. Automated Deadlock and Termination Identification in IMDS

For model checking, atomic Boolean formulas must be assigned to any configuration
in the LTS:
• Ds —true in all configurations, where at least one message is pending at the node s,
• Es —true in all configurations, where at least one action is prepared at the node s.
• Da —true in all configurations, where a message of the agent a is pending,
• Ea —true in all configurations, where the action is prepared with a message of the
agent a,
• Fa —true in all configurations, where a terminating action (with a message of the agent
a on input) is prepared.
Model checking formulas—CTL version [6]:
• communication deadlock in node s: EF AG(Ds ∧ ¬Es )—a configuration is reachable in
which a message is pending at the node s, but from this configuration on, no action
will be prepared on node s;
• node s idle: AF AG(¬Ds )—there is a configuration after which no message will arrive
at s;
• resource deadlock in the agent a: EF AG(Da ∧ ¬Ea )—a configuration is reachable in
which a message of the agent a is pending but from this configuration on, the message
will not match any state;
• termination of agent a: AF(Fa )—a terminating action of agent a is inevitable.
It should be noted that the above deadlock detection formulas are defined for individ-
ual processes (nodes or agents). They allow the finding of partial deadlocks (also referred
to as local deadlocks in the literature) concerning a limited number of processes, not just
total deadlocks (also known as global deadlocks). The total node deadlock can be found in
IMDS by means of the formula EF AG(∀s ∈ S: Ds ∧ ¬Es ), and the total agent deadlock by
means of the equivalent formula over agents. Typical static deadlock detection methods
Sensors 2022, 22, 1157 11 of 37
only detect total deadlock [2]. There are methods for detecting partial deadlocks, but at
the cost of limiting the allowed process shape or explicitly specifying a deadlock using
model-specific formulas. Finding a partial deadlock using general formulas is an original
achievement in IMDS.
The above IMDS definition supports all of the features of the distributed system:
• communication duality: Any system can be broken down into node processes that
communicate via messages (the output state of the action is the carrier of the node
process, while the output message is the means of communication) or agent processes
communicating through the states of the nodes (the output message is the carrier agent
process, while the output state is the means of communication);
• locality: Each action on a node is dependent on the node’s current state, and one of
a set of pending messages on that node; no incident from outside (except messages
received by the node) can affect the behavior of the node;
• autonomy: each node independently decides which of the defined actions can be
performed in the current situation; in other words, the nodes decide for themselves if,
and when, the messages are accepted and what actions they will cause;
• asynchrony: the node receives a message when it is ready for it; otherwise the message
is pending; there are no synchronous operations in the model, such as simultaneous
transitions on shared symbols in Büchi automata [3] or timed automata [18], and no
joint operations of nodes or agents; synchronous sending and receiving operations
in CSP [44], Occam [45], or Uppaal Timed Automata [14], synchronous operations on
the complementary input and output ports in CCS [44]; node and agent autonomy is
implemented using asynchronous operations: sending a message to a node or setting
a new node state for subsequent agent operations are the only ways to influence the
behavior of nodes and agents;
• asynchronous channels: communication between nodes is one-way (communication in
the opposite direction has its separate channel) and may appear synchronous because
the message appears on the receiving node immediately after it is sent; however,
asynchrony is modeled by the possibility of deferring the message’s acceptance; the
message can wait a long time, even forever, before being accepted;
• automated verification: the four above-mentioned temporal formulas are used to locate
communication deadlocks in the processes of individual nodes, idleness of nodes,
deadlocks over resources in agent processes, and agent termination, regardless of the
structure of the verified system; therefore, they form the basis of the design of the
automatic Dedan verifier, which can be used without knowledge of time logic and
model checking.
We will present the translation of timed IMDS to timed automata for two reasons. First,
TA is the most commonly used formalism on concurrent systems; thus, the translation of
T-IMDS to TA gives a formal definition of its semantics. Second, the Dedan model checker is
based on explicit state space representation, allowing for verification of small and medium
systems. Large systems, in which more than ten nodes with complicated structures are
contained, are exported from Dedan to Uppaal model checker for their verification.
4. Timed IMDS (T-IMDS)

In the timed version of IMDS, all of the mentioned functions are preserved: the
duality of communication, locality, autonomy, asynchrony, and automated verification.
In addition, time restrictions, which can last over time, are imposed on elements of the
distributed system:
• time durations of actions (fixed or range),
• time delays of inter-node channels (fixed or range).
This collection of time constraints is smaller than the possibilities offered by TA; for
example, time invariants of locations implementing staying in states, and differences of
clock values are not included in T-IMDS. However, the selected time-related functions
Sensors 2022, 22, 1157 12 of 37
are best addressed to modeling distributed systems: differences in clock values (between
distributed nodes) assume some knowledge about the global state. Limiting the time spent
in locations implementing node states cannot be mixed with operations on urgent channels
that are needed for the implementation of asynchronous channels (see later in this chapter);
this is a limitation of the UTA syntax.
The behavior of a distributed system is determined by its LTS. All possible sequences of
actions are included in the LTS. Time constraints are intended to exclude certain behaviors,
due to violations of time restrictions imposed on actions and channels. Such a modification
of the system behavior may, for example, prevent a deadlock (exclude the sequence leading
to a deadlock) or cause a deadlock (for example, a process that is intended to meet a given
condition may become stuck prematurely due to time constraints).
4.1. Syntax
The syntax of timeless IMDS is simply a set of actions of the form (((a,s,r),(s,v)),((a,s0 ,r0 ),
(s,v0 ))), plus agent-terminating actions (((a,s,r),(s,v)),((s,v0 ))), denoted {a.s.r, s.v} -> {a.s0 .r0 , s.v0 }
and {a.s.r, s.v} -> {s.v0 }. To simplify the description, in the description of timed formalism
we will omit the agent terminating actions. An additional syntax is used to define types
of nodes and agents, their parameterization, declaration of node and agent variables, and
their initialization.
In notation, the dispersion of the duration of the action, in the form of a range with
a lower and upper bound, is inserted between the input and output items of the action,
for example a duration range (z1,z2) for an action λ has the form: λ = ((minp ,pinp ),(m,p)) =
(((a,s,r),(s,v)),(z1,z2)((a,sout ,rout ),(s,vout ))). A range can have open or closed bounds: (z1,z2),
<z1,z2), (z1,z2>, <z1,z2>. The notation of ranges is taken from T-IMDS, where round
parentheses denote open bounds and angle brackets denote closed bounds. The timed
action has the form {a.s.r, s.v} -> (z1,z2){a.s’.r’, s.v’} in T-IMDS source format, and angle
brackets can be applied for closed bounds.
Channel delays are defined as ranges in channels {...} phrase, for all channels: (d1,d2),
for all channels leading to a given node s, or all elements of a vector s[ . . . ] of nodes:
–>s(d1,d2), or between individual nodes: s1–>s2(d1,d2). In addition, individual elements of
node vectors can be used: –>s[2](d1,d2), s1[1]–>s2[3](d1,d2).
An example of a system consisting of two distributed semaphores and two nodes
using those semaphores, specified in T-IMDS in the input form of the Dedan verifier, is
presented Listing 1 (the nodes are called servers in the IMDS language).
Listing 1.
1.system two_semaphores;
2. server: sem(agents a1,a2;servers sa1,sa2),
3. services {wait, signal},
4. states {up, down},
5. actions {
6. {a1.sem.wait, sem.up} → (2,3>{a1.sa1.ok_wait, sem.down}
7. {a1.sem.signal, sem.down} → (2,3>{a1.sa1.ok_signal, sem.up}
8. {a2.sem.wait, sem.up} → (2,3>{a2.sa2.ok_wait, sem.down}
9. {a2.sem.signal, sem.down} → (2,3>{a2.sa2.ok_signal, sem.up}
10. };
11. server: proc(agents Ag;servers sem[2]),
12. services {start, ok_w, ok_s},
13. states {initial, first, second, end},
14. actions {
15. {Ag.proc.start, proc.initial} -> <0>{Ag.sem[1].wait, proc.first},
16. {Ag.proc.ok_w, proc.first} -> <0>{Ag.sem[2].wait, proc.second},
17. {Ag.proc.ok_w, proc.second} -> <0>{Ag.sem[1].signal, proc.first},
18. {Ag.proc.ok_s, proc.first} -> <0>{Ag.sem[2].signal, proc.second},
Sensors 2022, 22, 1157 13 of 37
19. {Ag.proc.ok_s, proc.second} -> <0>{proc.end},

20. };
21. servers semaphore[2]:sem,process[2]:proc;
22. agents Ag[2];
23. channels {<0>};
24. init -> {
25. process[1](Ag[1],semaphore[1,2]).initial,
26. process[2](Ag[2],semaphore[2,1]).initial,
27. <j=1..2> semaphore[j](Ag[1..2],process[1..2]).up,
28. <j=1..2> Ag[j].process[j].start,
29. }.
This is the specification in the node view. It is simply a collection of actions on
particular nodes. A set of node type specifications defines a system (enclosed by server . . .
};—lines 2–10, 11–20), node and agent instance (variable) declarations (agents . . . , servers
. . . —lines 21,22), and an initial configuration phrase (init → lines 24–29). A node type
heading contains a set of formal parameters, such as the agents and nodes employed in the
node type’s activities. Formal parameters, such as Ag[2] and sem[2], can be vectors (line 11).
A set of services (lines 3,12), a set of states (lines 4,13), and a set of actions are allocated
to each node (lines 6–9, 15–19). An action λ = (((a,s,r),(s,v)), ((a,sout ,rout ),(s,vout ))) has the
form {a.s.r, s.v} → (x,y){a.sout.rout, s.vout}. The time bounds (x,y) limit the action duration.
Services and states can be vectors (not in this example, see the source code of AVGS system
in Section 7.2). Repeaters may precede actions in a node type definition for its compactness
(for example, in an AVGS system Section 7.2, 2 repeaters are used for some actions). Vectors
can be used to arrange node and agent instances (lines 21,22). The channels phrase (line 23)
specifies channel delays, in this example, the channels have no delay. The delays can be
assigned to each channel individually. Actual parameters are bound to formal parameters
in the initialization part (line 24). The nodes’ initial states and the agents’ initial messages
are also assigned.
4.2. Semantics
The execution of the action is divided into three phases for states and four phases for
messages, as shown in Figure 2. The complete environment of the action λ, with the actions
delivering the input items minp and pinp , is presented in Figure 3. Of course, more than
one action can deliver an input item of the action. Due to non-determinism, the action can
deliver its output items, m and p, to multiple consecutive actions. The phases of the action
are as follows:
• The current input state pinp (1) and pending input message minp (31) match; therefore,
they can invoke the action λ = ((minp ,pinp ),(m,p)): (31,1)→(32d,2c). If multiple actions
are enabled in a node, the choice is nondeterministic. The first phase (31,1)→(32a,2a)
is a reception of the message minp and invocation of the action.
• Time duration of the action begins, which lasts between tλ min (λ) and tλ max (λ). Count-
ing the time duration is the second phase (32a,2a)→(32b,2b).
• When the time duration ends, the new pair of (m,p) is generated (32b,2b)→(32c,2c).
From this moment, the state p is available for invoking the next action in the node. The
message m is sent to the target node, and it must be propagated to become accessible.
• The last phase is message delivery, in which the channel delay between tch min (ch) and
tch max (ch) is counted (32c)→(32d). After the delay, the message m becomes available
for invocation of the next agent action, in the target node with its current state.
Sensors 2022, 22, 1157 14 of 37
Figure 2. Progress transitions (thin arrows) and timed transitions (thick arrows) in a T-IMDS action
occurring in node s and agent a. Elements taking part in the action are surrounded by solid edges, an
element of the previous action is surrounded by dashed edges. Every action consists in four steps:
message receiving (acceptance and invoking the action), action in progress (time duration), new items
generation (message and state), and message delivery (channel time delay).
Sensors 2022, 22, 1157 15 of 37
Figure 3. Illustration of the action λ = ((minp ,pinp ),(m,p)) with its input elements: message minp with
derivatives and state pinp with derivatives. The message minp is delivered by the action λx and the
state pinp by the action λy . The input items of the action λ, λx , and λy , are also presented with their
derivatives. The next action in agent a is λz .
The semantics of T-IMDS (timed LTS) is:

1. For every action λ = ((minp ,pinp ),(m,p)) (3), the range bounds of action duration tλ min (λ)
and tλ max (λ) are defined.
2. The set of channels CH of the form ch = (a,sinp →s) are defined: ∀λ = ((minp ,pinp ),(m,p)):
∃ ch: ch = (Ma(minp ), Ms(minp )→Ms(m)). Totally K channels, indexed 1, . . . , K. The
channel transmitting the output message of the action λ is denoted chλ .
3. For every ch, the range bounds of channel delay tch min (ch), tch max (ch) are defined.
4. Delay time is defined for a channel between given nodes; therefore, for all agents send-
ing messages along the channel, the range of delay is equal: ∀a1 ,a2 : ∀ch1 = (a1 , sinp →s),
ch2 = (a2 , sinp →s): tch min (ch1 ) = tch min (ch2 ) ∧ tch max (ch1 ) = tch max (ch2 ); however, this
does not influence the shape of the LTS.
5. A timed configuration consists of messages, states, their derivatives, node time values
cts , and channel time values ctch : Tt = (T = {mtai , ptsj | i = 1, . . . , Na, j = 1, . . . , Ns, mtai
∈ Mt , ptsi ∈ Pt }, cts1 , . . . , ctsNs , ctch1 , . . . , ctchK ), where Na is the number of agents and
Ns is the number of nodes. T is called a set of items.
6. The set of states p (1,2b) and derivatives pλt (2a), pλ (2b)e : Pt = {pi , piλjt , piλje | I = 1,
. . . , card(P), j = 1, . . . , card(λ), λj = ((minp ,pinp ),(m,pi )) ∈ Λ, piλjt = (pi ,λj ), piλje = (pi ,λj )}
Sensors 2022, 22, 1157 16 of 37
7. The set of messages m (31,32d) and derivatives mλt (32a), mλe (32b), mchλ (32c):
Mt = {mi , miλjt , miλje , michλj | i = 1, . . . , card(M), j = 1, . . . , card(Λ), k = 1, . . . , K, λj
= ((minp ,pinp ),(mi ,p)) ∈ Λ, miλjt = (mi ,λj ), miλje = (mi ,λj ), michλj = (mi ,chλj ,λj ) }.
8. For λ = ((minp ,pinp ),(m,p)) we define that Ps(pλt ) = Ps(pλe ) = Ps(p), Ms(mλt ) = Ms(mλe ) =
Ms(mchλ ) = Ms(m), Ma(mλt ) = Ma(mλe ) = Ma(mchλ ) = Ma(m).
9. Each pλt has two attributes: tλ min (pλt ) and tλ max (pλt ).
10. Each mchλ has two attributes: tch min (mchλ ) = tch min (chλ ) and tch max (mchλ ) = tch max (chλ ).
11. The root vertex in the LTS is the initial timed configuration is T0t = (T0 = {m0a1 , . . . ,
m0aNa , p0s1 , . . . , p0sNs | m0ai ∈M0 , p0si ∈ P0 }, 0, . . . , 0, 0, . . . , 0).
The vertices in the LTS can contain three types of pair and a singleton causing the
progress transitions (0-time transitions):
12. (minp ,pinp ) (31,1) is the input pair of an action λ,
13. (minpλt ,pλt ) (32a,2a) for a transition ending the time duration of the action λ,
14. (mλe ,pλe ) (32b,2b) for generation of the output pair (m,p) of the action λ,
15. (mchλ ) (32c) for a transition ending the time delay of the message m generated in the
action λ.
In addition, we have a pair and a singleton causing the timed transitions:
16. (minpλt ,pλt ) (32a,2a) for a timed transition modeling sub-periods of time in the action
duration of the action λ,
17. (mchλ ) (32c) for a timed transition modeling sub-periods of time in the time delay of
the message m generated in the action λ;
In execution of the action λ, the following pairs occur in some configurations in the
LTS: (minp ,pinp ), (minpλt ,pλt ), (mλe ,pλe ), (mchλ ,p). Finally, m is not related to p or any derivative
of p, because it takes some time for m to become operational, after channel delay. However,
it can occur in a pair with p if the node does not begin execution of any action during the
message m passing through the channel.
The transitions in the LTS are
18. reception/invocation transition (31,2)→(32a,2a)—for Tt : (∃{minp ,pinp } ⊂ T: ∃λ ∈ Λ:
λ = ((minp ,pinp ),(m,p))) ⇒ T’t = (T \{minp ,pinp } ∪ {minpλt ,pλt }, previous cts1 , . . . ,ctsNs
except cPs(p inp) := 0, previous ctch1 , . . . ,ctchK );
19. generation/send transition (of a new m and p) (32b,2b)→(32c,2c)—for Tt : (∃{mλe ,pλe }
⊂ T: λ = ((minp ,pinp ),(m,p))) ⇒ T’t = (T \{mλe ,pλe } ∪ {mchλ ,p}, previous cts1 , . . . , ctsNs ,
previous ctch1 , . . . , ctchK except cchλ := 0);
20. two transitions—action duration timed transition (32b,2b)→(32b,2b) and duration end
timeless transition (32b,2b)→(32c,2c)—for Tt : ¬(∃ {minp ,pinp } ⊂ T: ∃λ ∈ Λ:
λ = ((minp ,pinp ),(m,p))) ∧ //no action to invoke ¬(∃ {mλe ,pλe } ⊂ T: λ = ((minp ,pinp ),(m,p)))
∧ // no message to generate (∃ {minpλt ,pλt } ⊂ T ) | s=Ps(pλt ) ⇒ (tλ min (λ) < cts <
tλ max (λ) ⇒ T’t = (T \{minpλt ,pλt } ∪ {mλe ,pλe }, previous cts1 , . . . ,ctsNs except cs := 0, pre-
vious ctch1 , . . . ,ctchK ), //action duration ended (cts <tλ max (λ) ⇒ T”t = (T, csi := previous
ctsi + δ, i = 1..Ns, cchj := previous ctchj + δ, j = 1..K));
21. two transitions—channel delay timed transition (32c)→(32c) and delay end timeless
transition (32c)→(32d)—for Tt : ¬(∃ {minp ,pinp } ⊂ T: ∃λ ∈ Λ: λ = ((minp ,pinp ),(m,p)))
∧ //no action to start ¬(∃ {mλe ,pλe } ⊂ T: λ = ((minp ,pinp ),(m,p))) ∧ // no message
to generate (∃ mchλ ∈T ) ⇒ (tch min (chλ ) < ctch < tch max (chλ ) ⇒ T’t = (T \{mchλ } ∪ {m},
previous cts1 , . . . , ctsNs , previous ctch1 , . . . ,ctchK except cchλ := 0)), //channel delay
ended (ctch < tch max (mchλ ) ⇒ T”t = (T, csi := previous ctsi + δ, i = 1..Ns, cchj := previous
ctchj + δ, j = 1..K)).
22. If multiple transitions come out of an LTS vertex, the choice is nondeterministic.
However, if both reception/generation transition and duration/delay end transition
are possible in the current configuration, the latter is not included into LTS.
23. The general limit for δ in the parallel timed transitions is that for all ctsi in Tt ,
λ1 = ((m1inp ,p1inp ),(m1 ,p1 )), Ps(p1inp ) = si , pλ1t ∈ T, and all ctchλ2 in Tt , λ2 = ((m2inp ,p2inp ),
Sensors 2022, 22, 1157 17 of 37
(m2 ,p2 )), mchλ2 ∈T, δ < min(tλ max (pλ1t )–ctsi , tch max (chλ2 )–ctchλ2 ). In every inequality
tmin < ct, ct < tmax , the relation should be replaced by ≤ if the corresponding range
bound is closed. If all tλ max (pλ1t ) and all tch max (mchλ2 ) in Tt are for closed upper
bounds of time ranges, then the relation in the inequality < for δ should be replaced
by ≤.
The latter condition says that we must not exceed the upper bound of any remaining
action duration/channel delay.
5. Uppaal Timed Automata

5.1. The Syntax of Uppaal TA
A collection of timed automata and real-valued clocks are commonly used to define
parallel systems. We expand the concept to include variables that can enable transitions
and be allocated to transitions to conform with Uppaal TA.
An Uppaal timed automaton UTA is a tuple (L, l0 , Z, CH, Q, E, Jl , O, Ō0 ) where
• L= {l0 , l1 , . . . } is a finite set of locations,
• l0 ∈ L is an initial location,
• Z = {c0 , c1 , . . . } is the set of clocks,
• CH is a set of symbols called channels,
• Q denotes a set of labels (interpreted as actions on transitions, do not confuse with IMDS
actions), they represent send and receive operations on a channel: ch!, ch?, ch ∈ CH;
outside the automaton, internal labels are ignored and replaced by τ,
• every location l ∈ L is mapped by Jl (l) to a set of valuations of clocks in Z, over a
Cartesian product of R≥ Z , for example, J (l) = {c -c > 2}; Restriction. As in verification
0 l 1 2
tools, e.g., Uppaal [14], we limit location invariants to downwards closed constraints
of the form: x ≤ n or x < n where n is a natural number,
• O = {o1 , o2 , . . . } finite set of variables, for which we define:

Vi = {vi1 , vi2 , . . . }—finite, integral set of values of variable oi ∈ O,
2.3. Network of TA
PV = V 1 × V 2 × . . . × V ord(O) —a Cartesian product of values of variables o1 , o2 , . . . ,
oord(O) ∈ O, NTA is a net
Sensors 2022, 22, x FOR PEER REVIEW 6 of NTA is itself a TA
38
6 of 38
6 of 38
Ō = (v1 , v2 , . . . , vord(O) ); vi ∈ Vi ; Ō ∈ PV —vector of values of variables in O,
• Ō0 = (v1 0 , v2 0 , . . . , vord(O) 0 )—initial vector of values of variables in O, NTA = (L, l0,
individual eleme
• E ⊆ L × Q × Jll × 2Z × 2PV × F × L—set of transitions: e = (l, q, Jll (l,l0 ), r, b, f, l0 ) ∈ E
2.3. Network of TA
2.3. Network of TA
2.3. Network of TA  A set of loca
Jll is a set of functions for pairs l,l’∈L, every transition (l,l’) is mapped by Jll (l,l0 ) to a set
NTA is a network of timed automata over a common set of clocks and labels (actions). …, ln), li  Li.
of valuations of clocks in Z over a Cartesian product of R≥ Z , just as J (l) for a location l,
NTA is itself a TA, it is constructed in the following way: 0 l  l0  L is an in
Z indicates a subset of clocks in Z that are reset on transition,
∈ 2NTA = (L, l
rNTA = (L, l 0, Z, Q, E, J
0, Z, Q, E, J
NTA = (L, l 0l, Z, Q, E, J
i = (Lii , l= (L
i0, Z i, l
i i, Q
= (L
i0, Z
i, E
ii, l
, Q
ii, J
0, Z
i, E
i, Q
i, Jlii, E 
) with i = 1, …, n. The Z is a comm
i, Jli) with i = 1, …, n. The
b ∈ 2PV —set of vectors of variable values enabling a transition;
individual elements of NTA are:  Q is a comm
Comment: typically b is presented as equalities and inequalities between variables  Location inva

A set of locations is a Cartesian product L = L 1 × … × L 1 × … × L n, l  L is a location vector l = (l
1 × … × L
n, l  L is a location vector l = (l
n, l  L is a location vector l = (l
1, 1, 1,
in O and constants, connected by Boolean operators, for example (o < 3) ∧ (o ≥ tors J
6), l(l) = Jl1(
), li  L
…, ln…, l i  L
…, l
n), li. i. i  Li.
n), l 1 2
 lF0  L is an initial location vector l
is al0 set of functions on variables
 L is an initial location vector l 0 = (l10in
l0  L is an initial location vector l 0 = (l
, …, l ∈ F,n, …, l
O,100, …, l
f = (l
n0), l1i00
f), l
:P
0 L  L
. V
ii0
→i. i0 P L
n0), l V —unction
i.
assigning new
values to the variables in O; f/i restricts this function to the value of variable2.4. The Semantics
oi .
 Z is a common set of clocks—a union of sets of clocks Z = Z

Z is a common set of clocks—a union of sets of clocks Z = Z 1 ∪ … ∪ Z 1 ∪ … ∪ Z n.
1 ∪ … ∪ Z
n. n.
 Comment: In Uppaal TA, the function

Q is a common set of labels—symbols on transitions Q = Q

Q is a common set of labels—symbols on transitions Q = Q is given
Q is a common set of labels—symbols on transitions Q = Q as a set of
1 ∪ … ∪ Q
assignments
1 ∪ … ∪ Q n.
1 ∪ … ∪ Q
n.
o = expression
i n. Let TAi = (L,
 over variables in O and integer constants (all
 other
Location invariant functions are composed into a common function over location vec‐ variables are left unchanged). Let l0 = (l10, …
tors Jtors J
l(l) = Jtors J
l(l) = J
l1(l1) ∧ … ∧ J
l(l) = J
l1(l1) ∧ … ∧ J
l1(l
ln1(l
) ∧ … ∧ J
n). ln(ln). ln(ln).
l[li/li′] denote
5.2. The Semantics of UTA The semanti
The Semantics of a UTA is:
2.4. The Semantics of the Network of TA  Vertices = (L1
Let (L,
Let TA l0 , Let TA
Let TA Z,i = (L, l
i = (L, l CH, 0Q,
0, Z, Q, E, J E, 0Jl, Z, Q, E, J
i = (L, l
, Z, Q, E, Jl , O,l).
). Ō0 ) be
l). an UTA.  vertex0 = (l0; u
The semantics
Let l Let l
0 = (l1 = (l
00Let l
, … , l is
1 , … , l
0 0 = (ldefined as an LTS—Labeled
0 1 , … , l
0 n ) be the initial location vector.
0 Transition
0 System 〈Vertices, 
vertex0  = 
, 〉, t ∪ p
where:
l[li/li′] denotes the location vector where l i’ replaces the i
i’ replaces the i
i’ replaces the i
th element l
th element l
thi element l
of L.
i of L. i of L. - (l, u) 
• Vertices L × PV × R ≥ Z is the set of LTS vertices for the automaton UTA
⊆The semantics of a network on n TA is defined as an LTS ⟨Vertices, vertex 0, ⟩, where:
, ⟩, where: -
0, ⟩, where:
0(because the if there
0
 Vertices = (L
stateVertices = (L
termVertices = (L is1 × … × L
reserved 1 × … × Ln) × for ℝ
1 × … × L
n) × IMDS ℝ ℝ states,
node
n) × we use the term vertex instead),
is the set of global LTS vertices, TAj, …
• vertex00 = (l
vertex = (l0vertex
0; u
= (l ∈ 0Vertices
0; u all clocks c ∈ Z to 0. ei = (l1i,
vertex 0 , 0Ō 00, = (l0) Vertices is the initial vertex, u
u 0 )0; u ) Vertices is the initial vertex, u
is the initial vertex, 0 maps all clocks c  Z to 0,
u0 0maps maps all clocks c  Z to 0,
•  =  
 = 
t  = 
= t ∪ p is the transition relation such that:
∪  t
p ∪ 
t ∪  p is the transition relation defined by: then th
u  Jll(l[
- -(l, u)  - t (l, u + d) if ∀
(l, u)  (l, u) 
t (l, u + d) if ∀
t (l, u + d) if ∀
d′ 0 ≤ d′ ≤ d  u + d′  J
d′ 0 ≤ d′ ≤ d  u + d′  J
d′ 0 ≤ d′ ≤ d  u + d′  J l(l)—timed transition,
l(l)—timed transition,
Comme
- -if there exists a symbol q  Q, for which there exist transitions e
-
if there exists a symbol q  Q, for which there exist transitions e i, ej, … in TA
i, ej, … in TA
i, eji, … in TA
, i, i,
distinct
TAj, … (at least one, but if more, then in distinct automata):
ei = (le1ii = (l
, q, J1illie, q, J
i(l
= (l
1i,llli
1i(l
2i ), r
, q, J
1i,l
i, l ), r
2i(l
2illi )  E
1ii, l
,l2i2i), r
)  E
i, ei, l
j = (l
2ii, e
)  E
1jj = (l
, q, J
i, e
1jllj, q, J
j(l
= (l
1j,lllj
1j(l
2j ), r
, q, J
1j,l
j, l ), r
2j(l
2jllj )  E
1jj, l
,l2j2j), r
)  E
j, …
j, l2jj, …
)  Ej, …
2.5. The Uppaal Ex
then there exists the transition e = (l 1, q, J1ll, q, J
(l1,l2ll), r, l
(l
1, q, J
1,l22), r, l
)  
ll(l1,l22)  
), r, l
p such that
2p )  
such that
p such that
Transitions
tors Jl(l) = Jl1(l1) ∧ … ∧ Jln(ln).
r  2The semantics of a TA is:
Z indicates a subset of clocks in Z that are reset on transition.
Let (L, l0, Z, Q, E, Jl) be an TA.
Let TAi = (L, l0, Z, Q, E, Jl).
2.2. Timed Automaton‐Semantics 0, ⟩,
where: Let l
Let TA 0 = (l10, … , l
i = (L, l0, Z, Q, E, J n0) be the initial location vector.
l).
The semantics of a TA is: l[l
Let l i/li′] denotes the location vector where l
0 = (l10, … , ln0) be the initial location vector. i’ replaces the ith element li of L.
•Let (L, l
Vertices ⊆ L × ℝ is the set of LTS vertices for the automaton TA (because the term
Sensors 2022, 22, 1157 0, Z, Q, E, Jl) be an TA. The semantics of a network on n TA is defined as an LTS ⟨Vertices, vertex
l[li/li′] denotes the location vector where li’ replaces the ith element li of L. 0, ⟩, where: 18 of 37
The semantics is defined as an LTS—labeled transition system ⟨Vertices, vertex 0, ⟩,
• 
vertex0 = (l0, u0) ∈ Vertices is the initial vertex, u The semantics of a network on n TA is defined as an LTS ⟨Vertices, vertex
Vertices = (L 1 × … × L n) × ℝ is the set of global LTS vertices,
0 maps all clocks c ∈ Z to 0.
0, ⟩, where:
where:
•Vertices ⊆ L ×
 = t ∪   Vertices = (L1 × … × Ln) × ℝ is the set of global LTS vertices,
vertex = (l ; u ) Vertices is the initial vertex, u maps all clocks c  Z to 0,
ℝp is the transition relation such that:
0 0 0 0
• is the set of LTS vertices for the automaton TA (because the term
(l, u)  t (l, u + d) if ∀d′: (l, Ō, u)  =  vertext (l, 0Ō,
0 ≤ d′ ≤ d ⇒ u + d′ ∈ J ∪ 
t = (l u+d) 0; u ∀d’: 0 ≤ d0 ≤ d ⇒ u + d0 ∈ J0l maps all clocks c  Z to 0,
ifl(l) – timed transition, (l)—timed transition, 5 of 38
(l, u)  (l,  u) - = 
Ō,
p (l′, u′) if there exists e = (l, q, J (l 0 ,t ∪ 
(l, u)  Ō 0 , u 0
t is the transition relation defined by:
)
ll(l,l′), r, l’) ∈ E
p if
(l, u + d) if ∀ there exists e =
d′ 0 ≤ d′ ≤ d  u + d′  J (l, q, J (l,l 0 ), r, b, f, l0 ) ∈ E such that u ∈ J (l,l0 );
• vertex0 = (l0, u0) ∈ Vertices is the initial vertex, u p 0 maps all clocks c ∈ Z to 0.
ll ll
• = Such that u ∈ J u0 = [r --0]u – progress transition;
ll(l,l′); u’ = [r 
t ∪ p is the transition relation such that: (l, u)  Ō ∈ b and Ō0 =d′ F(
0]u if there exists a symbol q  Q, for which there exist transitions e
and t (l, u + d) if ∀ Ō)—progress transition;
0 ≤ d′ ≤ d  u + d′  J l(l)—timed transition, i, ej, … in TAi,
where where 
(l, u) t (l, u + d) if ∀d′: 0 ≤ d′ ≤ d ⇒ u + d′ ∈ J - TA , … (at least one, but if more, then in distinct automata):
j
5 of 38 i, ej, … in TAi,
for d′ ∈ ℝ
Z eTA
for d’ ∈ invariants = (l
R≥0ll,(l,l′), r, l’) ∈ E
i j 1i , q, J
0 maps each lli (l 1i ,l 2i ), r
u + dfulfilled in their i , l )  E
clockcurrent
2i , e
c in Z to
i j = (l , q, J
locations.
1j
the value llj(l 1j ,lThe
2j ), r u(c) j , l
execution
2j )  E 0 j , …
+ d , is based on synchro‐
r ⊂ Z, denotes the clock valuation, which maps each)  
e = (l
Such that u ∈ J ll(l,l′); u’ = [r  [r 0]u – progress transition; i 1i , q, J lli (l 1i ,l 2i ), r
0]u, nously advancing all clocks (by the same, real value >0). The smallest difference be‐ i, l 2i )  E i, e j = (l 1j , q, J
1 , q, J llj(lll (l
1j ,l
1 ,l
2j 2 ), r, l
), r j, l 2
2j )  E
clockjp, … such that
in r to 0 and agrees
agrees 
with u over Z\r. with u over Z r. u  J ll (l[l 1i
\ /l
then there exists the transition e = (l 2i , l 1j /l
2j , …]), u′ = [r i ∪ r j ∪ … 0]u—progress transition,
1 , q, J ll (l 1 ,l 2 ), r, l 2 )   p such that
where
invariants fulfilled Comment: There is a synchronization transition if more than one transition in
in their current locations. The execution is based on synchro‐
u  J (l[l /l , l /l
in this invariant is the maximum value to which the clocks can be advanced. If the , …]), u′ = [r ∪ r ∪ … 0]u—progress transition,
for d′ ∈ ℝ , u + d′ maps each clock c in Z to the value u(c) + d′,
ll 1i 2i 1j 2j i j
5.3. Network of UTA distinct TA have the same q label on their transitions.

agrees with u over Z\r. NUTA is2.6, the highest value is 0.4, which advances x to 1.9 and y to 3.
a network of Uppaal timed automata over a common set of clocks and labels
(actions), a common The option is nondeterministic if both a progress and a timed transition are enabled.
set of variables, and a common initial vector of their values. NUTA is
itself a UTA, it is constructed in the following way:
NUTA =Transitions are executed simultaneously by the original TA if they are triggered by
(L, l0 , Z, CH, Q, E, Jl , O, Ō0 ) consists of n UTA, UTAi = (Li , li 0 , Zi , CHi , Qi , Ei ,
0
Jli , Oi , Ōi ) with i = 1, . . . , n. The individual elements of NUTA are:
• A set of locations is a Cartesian product L = L1 × . . . × Ln , l ∈ L is a location vector l =
. . , ln ), li ∈ Li .
(l1 , ata layout. Therefore, we give the definition of Uppal timed automata (UTA [13]) in Sec‐
.not use variables; thus, no value can be passed between automata that explode the autom‐
• l0 ∈tion 4.
L is an initial location vector l0 = (l1 0 , . . . , ln 0 ), li 0 ∈ Li .
= 2, (x − ⎣x⎦) − (y − ⎣y⎦) > 0, is obtained. This rule generates a set of clock regions. Above
• Z istion 4.
a common set of clocks—a union of sets of clocks Z = Z1 ∪ . . . ∪ Zn .
their maximum values, the relations between the clocks are not examined.
• CH is a common set of channels—a union Sensors 2022, 22, x FOR PEER REVIEW
Since infinitely many time transitions between a pair or regions are possible, a region
of sets of channels CH = CH1 ∪ . . . ∪ CHn ,
it can be ignored because the
= 2, (x − ⎣x⎦) − (y − ⎣y⎦) > 0, is obtained. This rule generates a set of clock regions. Above labels in Q disappear in the construction of NUTA.
• Q is a common set of labels—symbols
their maximum values, the relations between the clocks are not examined. on transitions: the labels on channels (ch!, ch?)
disappear on the construction
Since infinitely many time transitions between a pair or regions are possible, a region on NUTA (they are replaced by τ) according 2.3. Network of TA
6 of 6 toof the
38 38 6 of 38 6 of
semantictails multiple automata receiving a signal given by one automaton.
rules given below.
Sensors 2022, 22, x FOR PEER REVIEW Here, we give the definition of timed automata, a base of Uppaal extension. A timed NTA is a network of 6 of
• Location The channel can be labeled urgent, in which case transitions are enabled, with com‐
invariant functions are composed
automaton TA is a tuple (L, l 0, Z, Q, E, Jinto l) where: a common function over location vectors
Sensors 2022, 22, x FOR PEER REVIEW NTA is itself a TA, it is co 6 of
Jl (l)mon channel symbols enabling these transitions: chan! and chan?, taking precedence over
2.1. Timed Automaton‐Syntax = Jl1The channel can be labeled urgent, in which case transitions are enabled, with com‐
(l1 ) ∧ . . . ∧ Jln (ln ).
 2.3. Network of TA
2.3. Network of TA
2.3. Network of TA L = {l 0, l1, …} is a finite set of locations,
2.3. Network of TA NTA = (L, l0, Z, Q, E
• O istime flow in locations, preventing communication over an urgent channel from being de‐
a common set of variables (union of sets of variables O1 ∪ . . . ∪ Onindividual elements of N
NTA is a network of timed automata over a common set of clocks and labels (actions).
Here, we give the definition of timed automata, a base of Uppaal extension. A timed
l0 NTA is a network of timed automata over a common set of clocks and labels (actions). ), Ō—vector of
NTA is a network of timed automata over a common set of clocks and labels (actions
2.3. Network of TA
time flow in locations, preventing communication over an urgent channel from being de‐ 6 of
their  values, P —the Cartesian product of sets of values of all variables in O, Ō0 —a
automaton TA is a tuple (L, l Z = {c 0, c01, Z, Q, E, J
V
NTA is itself a TA, it is constructed in the following way: , …} is the set of clocks,
As NTA is itself a TA, it is constructed in the following way:
a result, NTA is itself a TA, it is constructed in the following way:
2.3. Network of TA asynchronous
l) where:
layed. However, in IMDS, using such a technique eliminates communication asynchrony. communication requires the introduction of asynchronous  A set of locations is a
common NTA = (L, l vector NTA is a network of timed automata over a common set of clocks and labels (action
of their initial values.
 Q denotes a set of labels (interpreted as actions on transitions, do not confuse with n), li  Li.
L = {l0, l1NTA = (L, l
, …} is a finite set of locations,
channels.
As a result, 0, Z, Q, E, J
NTA = (L, l 0, Z, Q, E, J
NTA = (L, l
asynchronous 0, Z, Q, E, J
0, Z, Q, E, J l) consists of n TA, TA
communication
NTA is a network of timed automata over a common set of clocks and labels (action l) consists of n TA, TAi = (Li i= (L , l i0, Z
requires i, li = (L
ii, Q
0, Zii, E , l
, Q
ithe i i= (L
0i, J
, Z
i, E
ii, Q
, l
i, Ji0lii, Z
introduction , E
) with i = 1, …, n. The
ii, Q , Jli…, l
, Jli) with i = 1, …, n. The
i, Eiof ) with i = 1, …, n. Th
asynchronous
The NUTA graph
IMDS actions),
channels.
is
individual elements of NTA are: constructed in such a way that transitions between  the 0  L is an initial loc
compound
l
2.3. Network of TA NTA = (L, l
NTA is itself a TA, it is constructed in the following way: 0, Z, Q, E, Jl) consists of n TA, TAi = (Li, li0, Zi, Qi, Ei, Jli) with i = 1, …, n. Th
 locations
Z = {c of NUTA every
0, c1, …} is the set of clocks, location
(starting l  L
from is mapped
initial compound by Jl(l) location to a set lof 0 ) are valuations chosen as 
of common
clocks in Z, over a
timed
Z is a common set o
 A set of locations is a Cartesian product L = L
NTA = (L, l 0, Z, Q, E, Jl) consists of n TA, TA
NTA is a network of timed automata over a common set of clocks and labels (actions 1 × … × L 1 × … × L n1, l  L is a location vector l = (l
× … × L n, l  L is a location vector l = (l
× … × L
i 1= (L n, l  L is a location vector l = (l
i, li0, Z n, l  L is a location vector l = (
i, Qi, Ei, Jli) with i = 1, …, n. T 1, 1, 1,
 transitions, interleaved Cartesian product of progress transitions
Q denotes a set of labels (interpreted as actions on transitions, do not confuse with ℝ , for example, J having labels, l(l) = {cand 1‐c2 > 2}, common progress  transitions
Q is a common set o
…, l…, ln), li n  L
), l…, l i.  Ln), l i…, l
. i  L n), l i. i  Li.
withA set of locations is a Cartesian product L = L
i individual elements of NTA are:
of pairs
IMDS actions),  0 UTA
of E  L × Q × J matching ll × 2 × L—set of transitions: e = (l, q, J
Z
ch! 0and0 0ch? 00labels, interleaved 1 × … × Ln, l  L is a location vector l = (
ll(l,l′), r, l′)  E
with the transitions  Location invariant fu
of all
 l0  L is an initial location vector l
l  L is an initial location vector l
l0  L is an initial location vector l

lNTA = (L, l
…, l n), li  L, Z, Q, E, J
0
i.
A set of locations is a Cartesian product L = L = (l1 = (l , …, l 1 , …, l
= (l
n0), l
0 0 L
), li0 i1.  L
10in, …, l
= (l ), li. i0  L
n00, …, l n0i ), l
= (L i. i0  L
1 × … × L i, li0, Z i. i, Qi, Ei, Jli) with i = 1, …, n. Th
, l  L is a location vector l = (
 every
other location
UTA. l J L is
Additionally, mapped the by
set J
of (l) to
transitions
is a set of functions for pairs l,l′  L, every transition (l,l′), is mapped by J a set of in valuations
NUTA can of be clocks restricted in Z, nover
by a
conjunctions tors J ll(l) = J
l ofl1(l1) ∧ …
(l,l′) to a
 Z is a common set of clocks—a union of sets of clocks Z = Z
 llZ is a common set of clocks—a union of sets of clocks Z = Z
l
 Z is a common set of clocks—a union of sets of clocks Z = Z
l 0  L is an initial location vector l0 = (l10, …, ln10 ∪ … ∪ Z
…, l n), li  Li. ), l 1 ∪ … ∪ Z
i0  Li.
n1. ∪ … ∪ Z n. 1 ∪ … ∪ Z n. n.
ℝ
. ℝ1 ∪ … ∪ Q
Cartesian product of , for example, J (l) = {c ‐c > 2},
time
 invariants Jl in timed transitions, and by conjunctions of 1functions
set of valuations of clocks in Z over a Cartesian product of Jlli nand intersections
, just as J l(l) for a
l 1 2

l0  L is an initial location vector l 0 = (l10, …, l ∪ … ∪ Q 1 ∪ … ∪ Q n1.
∪ … ∪ Q
i0  Li. n, l  L is a location vector l = (
n. n.
 E  L × Q × J
of b . Last, × 2those
llall  location l, Z is a common set of clocks—a union of sets of clocks Z = Z
rules met by the semantics ll(l,l′), r, l′)  E
of NUTA are n0), l 1 × … × L
expressed as the 1 ∪ … ∪ Zn.
2.4. The Semantics of the N
LTS of a set
 Location invariant functions are composed into a common function over location vec‐
i   Location invariant functions are composed into a common function over location ve
n), li  Li.
…, l 1 ∪ … ∪ Q
1 ∪ … ∪ Znn. .
UTA below. tors J tors J
l(l) = J
r  2tors J
l(l) = J
Z indicates a subset of clocks in Z that are reset on transition.
Jll is a set of functions for pairs l,l′  L, every transition (l,l′), is mapped by J
l1(l1) ∧ … ∧ J tors J
l(l) = J
(l ) ∧ … ∧ Jl1l(l) = J
(lln1(l ) ∧ … ∧ J
n). l1(ln 1).
) ∧ … ∧ J
ln(ln). ln(ln). ll (l,l′) to a Let TA i = (L, l0, Z, Q,
 0 1 L is an initial location vector l 0 = (l10, …, ln0), li0  Li.
l1 ln
lLocation invariant functions are composed into a common function over location ve
set of valuations of clocks in Z over a Cartesian product of ℝ , just as Jl(l) for a Let l0 = (l10, … , ln0) b
1 ∪ … ∪ Qn.
5.4. The Semantics   of

2.2. Timed Automaton‐Semantics tors J
the Network l(l) = Jl1(l1) ∧ … ∧ Jln(ln).
Location invariant functions are composed into a common function over location ve
of UTA 1 ∪ … ∪ Zn.
location l,
 0 tors J
l(l) = Jl1(l1) ∧ … ∧ Jln
Q is a common set of labels—symbols on transitions Q = Q 0 (l n). 1 ∪ … ∪ Q n.
The semantics of a n
Let
Let TA UTA
Let TA = (L, l
i Let TA
i = (L, l = (L, l ,
Let TA
0, Z, Q, E, J Z,
i = (L, l
0, Z, Q, E, J CH, i = (L, l
Q,
0, Z, Q, E, J
l). l).
E, J , O,
l l).
0, Z, Q, E, J Ō ).
l).

i2.4. The Semantics of the Network of TA
Location invariant functions are composed into a common function over location ve
0 = (l
0 = (lLet (L, l
Let llLet l
Let 0 , . . . 0,, Z, Q, E, J
10Let l
01 = (l, … , l 100, … , l
= (l Let l ln100, … , l
n00 = (l
) be an TA.
) ) be the initial location vector.
be 1the initial location vector.
0l) be the initial location vector.
0n, … , l n0) be the initial location vector.
 Vertices = (L1 × … × L
tors J
Let TA l(l) = J i = (L, l l1(l10) ∧ … ∧ J
, Z, Q, E, J ln(ll). n). 0
l[l
l[lii/l
0 The semantics is defined as an LTS—labeled transition system ⟨Vertices, vertex
i ]i/ldenotes
/lil[l l[li/li′] denotes the location vector where l
l[l
′] denotes the location vector where l the
i′] denotes the location vector where l location
i/li′] denotes the location vector where l vector where i l
’ replaces the i
i i replaces
’ replaces the i i ’ replaces the ithe
thi element l i th element l of
’ replaces the i
th element l th element l
i of L. i of L. 
thi element l L.
i of L. vertex 0 = (l
i of L.
0, ⟩,
0; u0) Ver
Let l
Let TA 0 = (l10, … , l
i = (L, l0, Z, Q, E, J n0) be the initial location vector.
l).
The where:
semantics
The semantics of a TA is: of a network
The semantics of a network on n TA is defined as an LTS ⟨Vertices, vertex on n UTA
The semantics of a network on n TA is defined as an LTS ⟨Vertices, vertex is defined as an LTS 〈Vertices, vertex 
, ⟩, where:
0 ,  = 
〉,
, ⟩, where: where:t ∪ p is the tr
, ⟩, where: , ⟩, wher
l[l
Let l i/li′] denotes the location vector where l
0 = (l10, … , ln0) be the initial location vector. i’ replaces the ith element li of L.
0 0 0 0
Let (L, l •
, Z, Q, E, J l) be an TA. ℝ is the set of LTS vertices for the automaton TA (because the term
Vertices ⊆ L × Z is the set of global LTS vertices, - (l, u)  t (l, u + d
1. 0Vertices = (L
Vertices  =Vertices = (L
Vertices = (L 1 × … × L
(L 1 ×Vertices = (L
× … × L
l[l
1Let TA n× 1) × L ℝ
n ×
. .i/l. i′] denotes the location vector where l
× … × L )
) × ℝ P
× … × L
× ℝ
i = (L, l , Z, Q, E, Jl).
n 1 0 n ) ×
V ℝ
The semantics of a network on n TA is defined as an LTS ⟨Vertices, vertex R
n ) × ≥ is the set of global LTS vertices,
0 is the set of global LTS vertices, i’ replaces the ith element li of L. 0, ⟩, wher
The semantics is defined as an LTS—labeled transition system ⟨Vertices, vertex 0, ⟩, - if there exists a
2. vertex vertex 0 = (l
vertex
• 0 vertex
= vertex
0(l0 ; 0Ō
0 = (l
; u 0; u 00vertex
0 = (l
= (l 0∈
; 0u) Vertices is the initial vertex, u
00)0; u = (l
Vertices ; u1 × … × L
nis the
Let l
Vertices = (L = (l 100, … , l
0, u0) ∈ Vertices is the initial vertex, u
initial vertex, 0 maps all clocks c  Z to 0,
0) be the initial location vector. 0 maps all clocks c  Z to 0, all clocks c ∈ Z to 0,
maps0 maps all clocks c  Z to 0,
u00 maps all clocks c ∈ Z to 0. 0, ⟩, whe
where: TAj, … (at least
3.  =   tt ∪ 
=• =  ∪ =  pp is the transition relation defined by:
t ∪  ∪
t ∪ 
p = 
∪ 
tl[l
vertex is p is the transition relation defined by:
∪ 
the is the transition relation defined by:
transition
t
0 = (l0; u
p relation
0) Vertices is the initial vertex, u defined
by: i’ replaces the i 0 maps all clocks c  Z to 0,
th element li of L.
• Vertices = (L
!?
Vertices ⊆ L × ℝ =is the set of LTS vertices for the automaton TA (because the term 1 × … × L
ei = (l1i, q, Jlli(l1i,l
-
3a. - (l, u) 
(l, -
(l, u) 
Ō,
(l, u)   u) -
(l, u) t = 
t (l, u + d) if ∀
vertex (l, (l, u) 
(l, u + d) if ∀
(l, u + d) if ∀d′:
t t (l, u + d) if ∀
t0Ō,
t ∪ 
= (l d′ 00 ≤ d′ ≤ d  u + d′  J
u ; u
+p (l, u + d) if ∀
d)
d′
0 0 ≤ d′ ≤ d  u + d′  J
∀ d′ 0 ≤ d′ ≤ d  u + d′  J
t is the transition relation defined by:
if
0 ≤ d′ ≤ d ⇒ u + d′ ∈ J
d 0 0 ≤ d′ 0 ≤ d′ ≤ d  u + d′  J
d’ ≤ l(l)—timed transition,
d ⇒ l(l)—timed transition,
u l + d 0 ∈ 0J maps all clocks c  Z to 0,
(l) – timed transition, l l(l)—timed transition,
(l)—timed transition, 0, ⟩, wher
then there exist
• -
3b. - (l, - 
Ō,
(l, u) p-  u)
vertex0 = (l0, u0) ∈ Vertices is the initial vertex, u -  = 
Vertices = (L (l[l ∪ 
/l
(l′, u′) if there exists e = (l, q, J
p (l, u)  t 0 ],
× … × L
i i t (l, u + d) if ∀
p1
0 , u0 );n) ×
Ō if thereℝ exists (l ,
ll(l,l′), r, l’) ∈ E
d′ 0 ≤ d′ ≤ d  u + d′  J
0 maps all clocks c ∈ Z to 0. i τ; J (l ,l 0 ), r , bi, e
lli i li(l)—timed transition, i i i i , jf, … in TA
i,, e
l j0, … in TA
) ∈i, eE j, … in TA
i, such i, e i, j, … in TA
iu  Jll(l[l1i/l2i, l1j/
i,
• TA TA
that 
 = t ∪ p is the transition relation such that:
ju
Such that u ∈ J ∈ TA vertex
J (l[l TA
0 = (l
/l 0 ]);
; u u 0 = [r
-lli if there exists a symbol q  Q, for which there exist transitions e
i ll(l,l′); u’ = [r 
(l, u)  i 0 t (l, u + d) if ∀
0 i 0]u and
0]u – progress transition; Ō ∈
d′ 0 ≤ d′ ≤ d  u + d′  J b i and Ō 0 =0 maps all clocks c  Z to 0,
f (
Ō)—progress
i l(l)—timed transition,

transition, i, ej, … in TA
Comment: The
3c. ei = (l
(l, u) t (l, u + d) if ∀d′: (l,
where  u)
ei1i = (l
, q, J
Ō, 1ie, q, J
i = (l
lli (l
 =  e), r
-1i!?,llli1i2i(l[l
(l, q, J
0 ≤ d′ ≤ d ⇒ u + d′ ∈ JTA = (l
i1it,l
∪ 
j /l
, l
i2i ), r
lli (l
0, q, J
)  E
1ii, l
l,li /l
2i2i), r
)  E
(l
i0, ei, l
j,l
= (l
2ii, e
)  E
0), r
j ,p is the transition relation defined by:
1i
2i lli
u = (l
i, q, J
0, l
i ], Ō ,l(l) – timed transition,
1i j1j
if there exists a symbol q  Q, for which there exist transitions e , e
) i2iif
1j)  E
, q, J
j = (l
(l1j,lllji, e
there
llj (l, q, J
1j2j ), r
= (l
exist
j1j ,lj2j, l), r
llj (l
2j, q, J
1j )  E
1jj, l
two ,l2j2j), r )  E
llj (l
j, … j, l
transitions
1j ,l2jj, …
)  E
), rj, lj2j, … )  E
(li , ch?, j, …
Jlli (l 0 r,
i ,ldistinct TA hav
i ),i, e i j, … in T
0then there exists the transition e = (l
ℝEithen there exists the transition e = (l 0 ), 1, q, J 1, q, J
ll(l1,lll 2), r, l
(l
1, q, J
10,l2), r, l2ll)  
(lE
1, q, J
1,l22)   ), r, l
pll such that
(l1,l22jp)  
2 such that
), r, l )  
such that p such that 0 0
i , fi , li ) -∈
bfor d′ ∈
(l, u) p (l′, u′) if there exists e = (l, q, J eTAand
i = (l
(l, u)  (l, q, J ch!, lli(lJ1illj
jt, (l, u + d) if ∀ ,l(l j ,lj i, l
2i), r
1i ll(l,l′), r, l’) ∈ E 2ir0 ≤ d′ ≤ d  u + d′  J
d′ j , bj , if, e
)  E j )∈
j , jl = (l 1j, q, J j such llj(l1j,llthat ), r u22jp∈
j, l
(l)—timed transition, Jll (l[l
)  E j, … j /lj , li /li ]),
u  Ju  J0 ll= (l[l[r1ill/l (l[l
u  J 2i, l 1i/l 1jll/l
(l[l
2i , l
2j, …]), u′ = [r
u  J 1i/l
1j /l2j2ill, …]), u′ = [r
(l[l
, l, q, J /l/l2jŌ
1j1i , …]), u′ = [r
2i , l1ii1j ∪ r
,l/lb2i2ji), r
j, …]), u′ = [r
∪ … 0]u—progress transition,
i ∪ rj ∪ … 0]u—progress transition, 2j2)   jp, … special
Such that u ∈ Jllu(l,l′); u’ = [r  i ∪ then there exists the transition e = (l
ei0]u – progress transition;
= (l
1i lli(l∈
- rj if there exists a symbol q  Q, for which there exist transitions e
0]u and and i, l2iŌ )  E ∈ bi, e j —synchronization
j = (l1j, q, J 1, q, J llj(l ll(l
1j,l1,l ), r, l
2j2), r transition
j, l )  E such that
(a
2.5. The Uppaal Extesion t i, ej, … in TA
kind of Comment: There is a synchronization transition if more than one transition in
progress Comment: There is a synchronization transition if more than one transition
u  J ll(l[l1i/l2i, l1j/l2jnew
transition), , …]), u′ = [r values i ∪ r j ∪ … 0]u—progress transition,
of variables 1, q, Jll(lin 1,l2), r, l
O are 2)   calculated: p such that
where agrees with u over Z\r. TA j, … (at least one, but if more, then in distinct automata):
Transitions are exec
for d′ ∈ ℝ , u + d′ maps each clock c in Z to the value u(c) + d′, eComment: There is a synchronization transition if more than one transition
u  J
i = (l1i ll(l[l
, q, J 1i/l (l, l
lli2i 1i,l 1j2i /l), r
2j, …]), u′ = [r
i, l2i)  Ei, eji = (l ∪ rj1j ∪ … 0]u—progress transition,
, q, Jllj(l1j,l2j), rj, l2j)  E j, …
shared symbols (which e
Comment: There is a synchronization transition if more than one transition
[r  0]u, r ⊂ Z, denotes the clock valuation, which maps each clock in r to 0 and two automata. However, 1, q, J ll (l 1 ,l 2 ), r, l 2 )   p such that
2.5. The Uppaal Extesion to TA distinct TA have the same q label on their transitions.
agrees with u over Z\r. u  J ll(l[l1i/l2i, l1j/l2j, …]), u′ = [ri ∪ rj ∪ … 0]u—progress transition,
nels (a timed transition c
Transitions are executed simultaneously by the original TA if they are triggered b
2.5. The Uppaal Extesion to TA Comment: There is a synchronization transition if more than one transition not use variables; thus, n
shared symbols (which enable transitions). A common symbol can synchronize more tha
2.5. The Uppaal Extesion to TA distinct TA have the same q label on their transitions. ata layout. Therefore, we
two automata. However, standard TA are useless, because they do not apply urgent chan
shared symbols (which enable transitions). A common symbol can synchronize more tha
Transitions are executed simultaneously by the original TA if they are triggered tion 4.
NTA is itself a TA, it is constructed in the following way: individual elements of NTA are:
NTA is itself a TA, it is constructed in
 
NTA = (L, l 0, Z, Q, E, J
NTA = (L, l
A set of locations is a Cartesian product L = L 0, Z, Q, E, J
l l ) consists of n TA, TA i = (L , l 0, Z= (L
1 × … × L1n × … × L
i i i i, Q i , l
i iNTA = (L, l
, E0, Z i, Jili, Q
) with i = 1, …, n. The
i, Ei, J
, l  L is a location vector l = (l 0, Z, Q, E, J
li) with i = 1, …, n. Th
, l  L is a location vector l =
nA set of locations is a Cartesi l) consists o
1,
…, ln), li  L …, li. n), li  Li.
individual elements of NTA are: …, ln), li  Li.
l0  L is an initial location vector l
l0  L is an initial location vector l
 A set of locations is a Cartesian product L = L
 A set of locations is a Cartesian product L = L 0 = (l10, …, l 0 = (l
n0), l i0  Lni0. ), l
0, …, l
11 × … × L i0  L l0  L is an initial location vect
A set of locations is a Cartesian p
, l  L is a location vector l = (l
1n × … × L i. n, l  L is a location vector l = ( 1,
 …, l ), li  L
n …, l i. n), li  Li.
Z is a common set of clocks—a union of sets of clocks Z = Z …, l
1 ∪ … ∪ Z ), li  L
nZ is a common set of clocks—
1n ∪ … ∪ Z
. i. n.
Sensors 2022, 22, 1157 19 of 37
 lQ is a common set of labels—symbols on transitions Q = Q
 lQ is a common set of labels—symbols on transitions Q = Q
0  L is an initial location vector l 0 = (l10, …, l 0 = (ln0), l i0  Lni0. ), l
10, …, l i0  L l10 ∪ … ∪ Q
 L is an initial location vector l
i. Q is a common set of labels—
1 ∪ … ∪ Q
n. n. 0
 Z is a common set of clocks—a union of sets of clocks Z = Z
 Z is a common set of clocks—a union of sets of clocks Z = Z
Location invariant functions are composed into a common function over location ve  Z is a common set of clocks—a u
1 ∪ … ∪ Z Location invariant functions a
1n ∪ … ∪ Z
. n.
  l(l) = J
tors J tors Jl1(l1l) ∧ … ∧ J
(l) = Jl1(l1) ∧ … ∧ J
Q is a common set of labels—symbols on transitions Q = Q ln(ln).
Q is a common set of labels—symbols on transitions Q = Q ln(ln).  1Q is a common set of labels—sym
∪ … ∪ Q tors J (l) = Jl1(ln1. ) ∧ … ∧ Jln(ln).
1 ∪ … ∪ Q
nl.
 for every ok ∈ O, fi (ok ) = vk and fj (ok) = vk 0 orfj (okLocation invariant functions are co

Location invariant functions are composed into a common function over location ve ) = vk and fi (ok ) = vk 0
Comment:
2.4. The Semantics of the Network of TA Atl1least
tors J2.4. The Semantics of the Network of TA
tors J
l(l) = J l1(l1l) ∧ … ∧ J
(l) = J ln(lnone
(l1) ∧ … ∧ J ). of ln(lthe n). functions fi , fj must be an lidentity
2.4. The Semantics of the Network o
tors J (l) = Jl1(l1) ∧ … ∧ J functionln(ln).
for
Let TAi = (L, l a given
Let TA 0 variable
, Z, Q, E, J
i = (L, l , Z, Q, E, J
0 that
l). returns
l). the same value as its argument
Let TAi = (L, l (it is dis-
0, Z, Q, E, J l).
regarded);
Let l = (lLet l
0 1 , … , l
0 0 = (l the
2.4. The Semantics of the Network of TA other must
n 1) be the initial location vector.
0 0 be
, … , ln ) be the initial location vector.
0 in effect (it gives the variable’s
2.4. The Semantics of the Network of TA new value).
Let l = (l1 , … , ln0) be the ini
0 0
l[li/liThis
Let TA criterion
l[l
′] denotes the location vector where l
Let TA
i = (L, l 0, Z, Q, E, J
i = (L, l prohibits
0, Z, Q, E, J
l). incoherent
l). assignments
i’ replaces the i thto
i’ replaces the i thel[lsame
element l
Let TA i/l
th
i element l variable
i′] denotes the location v
i of L.
= (L, l i of L.
0, Z, Q, E, J in l).
Let l the
0 automata
= (lLet l 0, … , l 0 = (l UTA and
n 1) be the initial location vector.
0 0 UTA
1The semantics of a network on n TA is defined as an LTS ⟨Vertices, vertex
, … , lnj ) be the initial location vector.
0 k ; it is met by the construction 0 in
Let lThe semantics of a network
= (l1 , … , l
0 the 0 trans-
0, ⟩, where: 0, ⟩, whe
n ) be the initial l
 l[l i/lilation
Vertices = (L l[l i/lof T-IMDS
′] denotes the location vector where l toℝUTA,
i1′] denotes the location vector where l
Vertices = (L
× … × L 1n × … × L
) × ) × asℝan is the set of global LTS vertices,
assignment
i’ replaces the i
nis the set of global LTS vertices, is applied
i’ replaces the i
th element l inth element l
l[li/liVertices = (L only one1i × … × L
′] denotes the location vecto
i of L. of the n) × ℝ
of L.
vertexpair’s
0 = (l 0automata;
 The semantics of a network on n TA is defined as an LTS ⟨Vertices, vertex
vertex; u0) Vertices is the initial vertex, u
0 = (l0; u0) Vertices is the initial vertex, u 0 maps all clocks c  Z to 0, The semantics of a network on n
vertex0 = (l0, ⟩, where:
0 maps all clocks c  Z to 0, 0, ⟩, wher
0; u0) Vertices is th
4. 
If both  =  
Vertices = (Lt ∪  = 
t and Vertices = (L p are possible
!?1 × … × L t ) × ℝ from
∪  1n × … × L
p ) × givenℝ is the set of global LTS vertices,
is the transition relation defined by: vertex (l; Ō; u),
nis the set of global LTS vertices,  then  Vertices = (L = 
t is not t ∪  inserted
1 × … × Lp n) × ℝ is t
is the transition
into LTS, -  (l, u) 
vertex 0 = (lvertex
-0; ut (l, u + d) if ∀
0 = (l0; ut (l, u + d) if ∀
0(l, u)  0) Vertices is the initial vertex, u
d′ 0 ≤ d′ ≤ d  u + d′  Jd′ 0 ≤ d′ ≤ d  u + d′  J 0 maps all clocks c  Z to 0,
l(l)—timed transition, vertex - 0 = (l(l, u) 
l(l)—timed transition, 0; u0) Vertices is the in
t (l, u + d) if ∀d′ 0
5. 
If both -p and
 =  t ∪  = 
-!?p is the transition relation defined by:
are t ∪ possible p is the transition relation defined by:
from given vertex (l; Ō; u), then
if there exists a symbol q  Q, for which there exist transitions e   =  p is - nott ∪  p is the transition relat
inserted
if there exists a symbol
i, ej, … in TA intoi, ej, … in T
i,
LTS; Comment:
- TA-
(l, u)  In tthis TAway,
(l, u) 
(l, u + d) if ∀ Uppaal
t (l, u + d) if ∀ urgent
d′ 0 ≤ d′ ≤ d  u + d′  J channels are
d′ 0 ≤ d′ ≤ d  u + d′  J achieved;
l(l)—timed transition, - only such
(l, u) 
l(l)—timed transition, channels
TAtj (l, u + d) if ∀
, … (at least one, bu
d′ 0 ≤ d′
are applied - in the
ei = (l translation
- 1i, q, J ei = (l 2i), rof
lli(l1i1i,l, q, J (l2i1iT-IMDS
i, l )  E
,l2i), rii, e
lli to
, l2ij = (l
)  EUTA,
1j, q, J
i, ej = (l
llj(l1j1j,l, q, J
2j), rllj
j, l
(l2j1j)  E
,l2j), r- jj, … ei = (l
, l2jif there exists a symbol q 
)  E j, … , q, Jlli(l
i, e1ij, … in TA i, e1i,l 2i), r
i, i, l2i)
j, … in TA
6. If two transitions TAthen there exists the transition e = (l

are then there exists the transition e = (l
TA jpossible, the choice is 1non-deterministic
, … (at least one, but if more, then in distinct automata): , q, Jll(l1,l12, q, J ), r, lll(l2)  
1,l2), r, l such that
)  
(however,
p 2TA then there exists the tra
p such that
both
j, … (at least one, but if m
are
inserted intoeu  J (l[l
LTS1ill, q, J
i = (l because /l
e1iu  J
i = (l 2i, l
lli(l 1i1i,l(l[l
/l
it), r
, q, J
ll1j
2i 2j1i, …]), u′ = [r
/l
defines2i, l
i, l
lli (l ,l1j2i/l), r
1i)  E
2i , …]), u′ = [r
2jall ii, e i ∪ r
, lpossible
j = (l
2i )  E ∪ … 0]u—progress transition,
j1j, q, J ∪ r
i, ej = (l
llj(l1jj1j ∪ … 0]u—progress transition,
ibehaviors).
,l, q, J
2j), rllj j, l
(l2j1j)  E
,l2j), rjj, … ei = (lu  J
, l2j)  E , …
j1i ll(l[l
, q, J lli(l1i/l,l2i ), r
, l1ji/l, l2j2i, …]),
)  Ei
Comment: There is a synchronization transition if more than one transition
then there exists the transition e = (l 1, q, Jll(l1,l12, q, J ), r, lll(l2)  
1,l2), r, l Comment: There is a s
then there exists the transiti
p such that
2)   p such that
6. Translation ofu  J T-IMDS /lto
u  J 2i, lTimed
ll(l[l1i (l[l
ll1j Automata
/l2j1i, …]), u′ = [r
/l2i, l 1j/l2j, …]), u′ = [r i ∪ rj ∪ … 0]u—progress transition,
i ∪ rj ∪ … 0]u—progress transition, u  Jdistinct TA have the sa
ll(l[l 1i/l2i, l1j/l 2j, …]), u′ =
6.1. Example Comment: There is a synchronization transition if more than one transition in
Comment: There is a synchronization transition if more than one transition Comment: There is a synch
distinct TA have the same q label on their transitions. 2.5. The Uppaal Extesion to TA
distinct TA have the same q
To explain the translation rules, let us concentrate on the actions of the sem node from
the example Transitions are executed simultaneously by the original TA if they are triggered by
in Section Transitions are executed simultaneously by the original TA if they are triggered
5.1, with actions duration (2,3>). It implements Transitions are executed sim
wait and signal
services.2.5. The Uppaal Extesion to TA
Two agents,2.5. The Uppaal Extesion to TA
shared symbols (which enable transitions). A common symbol can synchronize more th
a1 and a2, use the semaphore. Each agent 2.5. The Uppaal Extesion to TA
shared symbols (which enable tra
comes from its private
two automata. However, standard TA are useless, because they do not apply urgent cha
node: sa1 for a1, and sa2 for a2. The time constraints are given in Listing two automata. However, standar
Transitions are executed simulta
2.
nels (a timed transition can be executed while a progress transition is enabled) and the
shared symbols (which enable transitions). A common symbol can synchronize more tha nels (a timed transition can be ex
shared symbols (which enable transit
Listing 2. two automata. However, standard TA are useless, because they do not apply urgent cha
not use variables; thus, no value can be passed between automata that explode the auto
two automata. However, standard TA are useless, because they do not apply urgent chan‐ not use variables; thus, no value c
two automata. However, standard TA
ata layout. Therefore, we give the definition of Uppal timed automata (UTA [13]) in S
5. nels (a timed transition can be executed while a progress transition is enabled) and the do
actionsnels (a timed transition can be executed while a progress transition is enabled) and the d
{ ata layout. Therefore, we give th
nels (a timed transition can be execut
tion 4. not use variables; thus, no value can be passed between automata that explode the autom
tion 4.
not use variables; thus, no value can be passed between automata that explode the autom‐ tion 4.
not use variables; thus, no value can b
6. {a1.sem.wait, sem.up} → (2,3>{a1.sa1.ok_wait, sem.down} //λ1
Communication channels replace the common symbols that trigger transitions in U
ata layout. Therefore, we give the definition of Uppal timed automata (UTA [13]) in Se Communication channels re
ata layout. Therefore, we give the de
7. {a1.sem.signal, sem.down} → (2,3>{a1.sa1.ok_signal, sem.up} //λ2
tion 4. paal timed automata. Sending and receiving a signal synchronously via channels is a
tion 4. tion 4. paal timed automata. Sending a
complished by utilizing a shared channel symbol and two characters indicating sendi
Communication channels replace the common symbols that trigger transitions in U complished by utilizing a shared
Communication channels replac
and receiving, ! and ?, respectively, as in chan! and chan? As it specifies the communicati
paal timed automata. Sending and receiving a signal synchronously via channels is a and receiving, ! and ?, respectivel
paal timed automata. Sending and r
10. }
direction, this method better reflects distributed systems. Broadcast communication e
complished by utilizing a shared channel symbol and two characters indicating sendin direction, this method better refl
complished by utilizing a shared cha
every node tails multiple automata receiving a signal given by one automaton.
Forand receiving, ! and ?, respectively, as in chan! and chan? As it specifies the communication
and receiving, ! and ?, respectively, as in chan! and chan? As it specifies the communicatio
s, an Uppaal timed automaton s is declared. tails multiple automata receiving
and receiving, ! and ?, respectively, as
In fact, an UTA type is
just as The channel can be labeled urgent, in which case transitions are enabled, with com‐
nodeThe channel can be labeled urgent, in which case transitions are enabled, with co
defined direction, this method better reflects distributed systems. Broadcast communication en‐
adirection, this method better reflects distributed systems. Broadcast communication e
type can be defined in T-IMDS, but this isdirection, this method better reflects a syntactic The channel can be labeled
manipulation
mon channel symbols enabling these transitions: chan! and chan?, taking precedence ov
for the programmer’s convenience. The UTA variable is equipped with its own clock cs and mon channel symbols enabling th
tails multiple automata receiving a si
time flow in locations, preventing communication over an urgent channel from being d
derivatives, in the example csem , up, upλ2t , uptime flow in locations, preventing
The channel can be labeled urgent, in which case transitions are enabled, with com The channel can be labeled urge
a set of locations and λ2e , upλ4t , upλ4e , down,
layed. However, in IMDS, using such a technique eliminates communication asynchron
mon channel symbols enabling these transitions: chan! and chan?, taking precedence ov
downλ1t , downλ1e , downλ3t , downλ3e . For storing the service name invoked by messages, layed. However, in IMDS, using
mon channel symbols enabling these
variables As a result,
As a asynchronous
result,
a2_semasynchronous communication
a1_sem time flow in locations, preventing communication over an urgent channel from being d
and are applied communication
for the agentsrequires inrequires
the
sem. introduction
As
the a introduction
result,
time flow in locations, preventing com
For nodes of sa1 asynchronous
andof sa2, asynchrono comm
channels. channels.
layed. However, in IMDS, using such a technique eliminates communication asynchron
variables a1_sa1 and a2_sa2 are applied. The set of values for a1_sem and a2_sem variables channels.
layed. However, in IMDS, using such
is {none,As a result,
sem_wait, As a asynchronous
result, asynchronous
sem_signal}, forcommunication
a1_sa1 communication requires requires
{none, sa1_ok_wait, the introduction
As a
the
sa1_ok_signal}, result,
introduction
asynchronous
of asynchronous
and a2_sa2 commun
of asynchronou
channels. channels.
{none, sa2_ok_wait, sa2_ok_signal}. The node clocks are csem , csa1 , and csa2 . channels.

The initial state is chosen outside the node type, in the init section, to allow different
instances to have different initial states; up or down in our example. Assume that the node
sem has the initial state up. The set of UTA
locations and transitions for automaton sem is
as follows (for comparison in Boolean expressions over variables we use a double equals
operator, which follows the Uppaal rule; for assignment and clock reset, we use equals
character preceded by a colon (:=) to clearly distinguish it from comparison and to agree
with Uppaal):
• (31,1) location down: initial location—no, time invariant—no (4),
- (31,1)→(32a,2a) transition: next location—upλ2t , condition—a1_sem==sem_signal,
assignments—no, time constraint—no, clock reset—csem :=0, channel synchroniza-
tion: ch_a1_sem? (4)→(8)→(5)
- (31,1)→(32a,2a) transition: next location—upλ4t , condition—a2_sem==sem_signal,
assignments—no, time constraint—no, clock reset—csem :=0, channel synchroniza-
tion: ch_a2_sem? (4)→(8)→(5)
Sensors 2022, 22, 1157 20 of 37
• (32a,2a) location upλ2t : initial location—no, time invariant—csem ≤ 3 (5),

- (32a,2a)→(32b,2b) transition: next location—upλ2e , condition—no, assignments—
a1_sem:=none, a1_sa1:=sa1_ok_up, time constraint—2 < csem ≤ 3, clock reset—
csem :=0, channel synchronization—no (5)→(9)→(6)
• (32b,2b) location upλ2e : initial location—no, time invariant—no (6),
- (32b,2b)→(32c,2c) transition: next location—up; condition—no, assignments—no,
time constraint—no, clock reset—csem :=0, channel synchronization: ch_a1_sem_sa1!
(6)→(10)→(7)
• (32a,2a) location upλ4t : initial location—no, time invariant—csem ≤ 3 (5),
- (32a,2a)→(32b,2b) transition: next location—upλ4e , condition—no, assignments—
a2_sem:=none, a2_sa2:=sa2_ok_up, time constraint—2 < csem ≤ 3, clock reset—
csem :=0, channel synchronization—no (5)→(9)→(6)
• (32b,2b) location upλ4e : initial location—no, time invariant—no,
- (32b,2b)→(32c,2c) transition: next location—up; condition—no, assignments—no,
time constraint—no, clock reset—csem :=0, channel synchronization: ch_a2_sem_sa2!
(6)→(10)→(7)
• (2c) location up: initial location—no, time invariant—no (7),
• . . . etc.
6.2. Translation Rules

Since the channels leading from different nodes to the node s are combined together,
we use the notation (a,→s) for the channel passing messages of the agent a to the node s.
The rules for translation of λ = ((minp ,pinp ),(m,p)), minp = (a,s,r), m = (a,sout ,rout ) are depicted
in Figure 4, and message m transfer along the channel ch = (a,→sout ) from T-IMDS to UTA
in Figure 5. Three channel versions are shown: (a) the basic form, (b) the 0-time channel
without delay, and (c) the channel receiving messages of the agent coming from various
nodes with different delays. Please do not mistake the wait location of a channel with
the wait service offered by semaphores in the example. We numbered all the elements of
T-IMDS and its UTA implementation to be referred to in the following translation rules:
1. sever s ⇒ timed node automaton s with clock cs (reset on every transition, used to
count actions duration),
2. state p of automaton s (1,2c) and derivatives (pλt , pλe ) (2a,2b) ⇒ locations p, pλt , pλe in
timed node automaton s (4,5,6,7),
3. message m (32,32d) and derivatives (mλt , mλe , mchλ ) (32a,32b,32c) ⇒ pairs of message
variable a_s values and locations of automaton s and automaton ch, details below,
4. agent a → set of variables (for every node visited by the agent) {a_s1 , a_s2 , . . . } (8),
5. channel ch ⇒ automaton ch (Figure 3) with clock cch (reset on every transition, used to
count channel delay),
6. message minp pending at the node s (1) ⇒ a_s == s_r (8), all other a_sx == none, sx 6= s,
channel ch in location send (11,18,24), variable a_s has a set of values {none, s_r, s_r1 ,
s_r2 , . . . } (8) (services r, r1 , r2 distinguish between messages sent to the node s by the
agent a),
7. derivative item pλt for action λ (duration running) (2a) ⇒ location pλt (5),
8. derivative item pλe for action λ (duration ended) (2b) ⇒ location pλe (6),
9. message minp (stable message minp ) (32) ⇒ pair (send,a_s==s_r); (8) location send in
channel (a,→s) (11,18,24),
10. derivative item minpλ t for action λ ⇒ pair (pλt , a_s == s_r) (5,8,14/19/29); note that
a_sout ==none,
11. derivative item mλe for action λ ⇒ pair (pλe , a_sout == sout _rout ) (6,9); note that a_s == none,
12. derivative item mchλ for action λ ⇒ location wait of the channel ch automaton (15/20/25/26);
note than a_s == none, a_sout == sout _rout (9),
Sensors 2022, 22, 1157 21 of 37
13. configuration T ⇒ set of locations of node automata representing node states and
derivatives and values of pairs (location of a node automaton sx /channel automaton
chz , value of ay _sx ) representing messages and derivatives,
14. actual value of action duration in node s/channel ch delay in Tt —the value of the clock
cs /clock cch (9/27/28),
15. duration range lower bound tλ min (λ) ⇒ lower bound of time constraint of the transition
pλt →pλe : tλ min (λ) < cs (9),
16. duration range upper bound tλ max (λ) ⇒ upper bound of time constraint of the transition
pλt →pλe : cs < tλ max (λ) (9) and of time invariant of location pλt : cs < tλ max (λ) (5),
17. delay range lower bound tch min (ch) ⇒ lower bound of time constraint of the transition
wait→send of the channel automaton, tch min (ch) < cch (16/27/28),
18. delay range upper bound tch max (ch) ⇒ upper bound of time constraint of the transition
wait→send of the channel automaton, cch < tch max (ch) (16/27/28) and of time invariant
of wait location: cch < tλ max (ch) (13/21/22),
19. action λ (3), (31,1)→(32a,2a)→(32b,2c)→(32c,2c), (32c)→(32d) ⇒ sequence: message and
state(minp ,pinp )-receive transition(minp ,pinp )→(minpλt ,pλt )-duration location(pλt )-timed
transitions(action duration in pλt )-end of duration transition(minpλt ,pλt )→(mλe ,pλe )-end
of duration location(pλe )-send transition(mλe ,pλe )→(mchλ ,p), (11/18/24,4) → (14/19/29,8)
→ (12/17/23,5) → (9) → (12/17/23,6) → (15/20/25/26,10) → (13/18/21/22,7),
20. receive transition (minp ,pinp )→(minpλt ,pλt ) (31,1)→(32a,2a) ⇒ channel automaton
chas = (a,→s) in location send, node s automaton in location pinp , urgent channel syn-
chronization (ch_a_s! on (minp ,pinp )→(minpλt ,pλt ), ch_a_s? on send→idle), condition
a_s == s_r fulfilled, on transition cs is reset to 0, (11/18/24,4) → (14/19/29,8) →
(12/17/23,5),
21. end of action duration transition (minpλt ,pλt )→(mλe ,pλe ) (32a,2a)→(32b,2b) ⇒ node s
automaton in location pλt , clock cs value tλ min (λ) < cs < tλ max (λ), on transition
a_s := none, a_sout == sout _rout , cs is reset to 0, (12/17/23,5) → (9) → (12/17/23,6),
22. generation of next m,p and send transition (mλe ,pλe )→(p,mchλ ) (32b,2b)→(32c,2c) ⇒ node
s automaton in location pλe , channel ch automaton in location idle, urgent chan-
nel synchronization (ch_a_s_sout ! on (mλe ,pλe )→(p,mchλ ), ch_a_s_sout ? on idle→wait),
(12/17/23,6) → (15/20/25/26,10) → (13/18/21/22,7),
23. advancing duration of an action (32b,2b)→(32b,2b) or channel delay (32c)→(32d) ⇒
timed transitions—within time invariants of all locations with time invariant—to a
next time region, limited by outgoing transitions time range upper bounds, tλ max for
action durations in pλt locations (5–9), and tch max for channel delays in wait locations
(13–16/21–27/22–28),
24. asynchronous channel between nodes ch (32c)→(32d) ⇒ an asynchronous channel is
compound of two synchronous urgent channels (Figure 5); asynchronous channel is
inactive in the idle location (12/17/23); the signal that the message is ready is obtained
from the sending automaton via input urgent channel ch_a_sout : urgent channel
synchronization (ch_a_sout !, ch_a_sout ?) (15/20/25/26); then, the time delay is counted
in the wait location (13/21/22); it lasts between tch min and tch max , as the transition
ending the channel delay is followed for clock values cch tch min (ch) < cch < tch max (ch)
(16/27/28); finally, the signal sending the message to the target automaton via output
urgent channel ch_a_s_sout is issued: urgent channel synchronization (ch_a_s_sout !,
ch_a_s_sout ?) (14/19/27/28); if the receiving s automaton is not ready to accept the
message—the synchronization on ch_a_s is deferred: a message is pending (11/18/24);
an own local clock cch is used to count the time delay of an asynchronous channel
(13–16/21—27/22–28).
Sensors 2022, 22, 1157 22 of 37
Figure 4. (a) action of IMDS with time durations between z1 and z2 (b) translation to Uppaal TA. For
Uppaal TA: underlined font in location—time invariant of location, regular font in location—location
name, regular font in transition label—time constraints of transition, italic font—update executed on
transition, bold font—Boolean condition enabling transition or synchronization.
Note that, by construction, exactly one variable a_sx has a value other than none,
because, initially, exactly one variable of the agent a has a value representing the service in
initial message of a, and setting a value 6= none to a variable a_sy of target automaton sy
resets the value of a_sx to none (9). Moreover, only the channel to the node sx appointed
by the initial message of the agent a (a,→sx ) is in the send location (11/18/24), all other
channels of the agent a are in their idle locations (12/17/23).
6.3. Translation of the Example

Having the translation rules, which define the semantics of T-IMDS by construction,
let us show how the fragment of the sem node (in the example presented in Section 5.1) is
translated to UTA. We choose the two transitions, threaded by the input and output states,
and we show the messages incoming to and outgoing from the node. Let us assume a
channel delay (1,2) between sem and sa1 in both directions. The time constraints are given
in Listing 3.
Listing 3.
23. channels {(1,2)};
The image of the two actions is presented in Figure 6, and the UTA implementation in
Figure 7.
Sensors 2022, 22, 1157 23 of 37
Figure 5. Implementation of communication between nodes in the context of the agent a (asyn-
chronous channel): (a) basic asynchronous channel for messages directed to the node s; (b) the
channel for sending messages from the node s to itself, or other 0-time channels; (c) passing messages
from multiple nodes (two in this case) to the node s.
Figure 6. The image of two actions λ1 = {a1.sem.wait, sem.up} → (2,3>{a1.sa1.ok_wait, sem.down}

and λ2 = {a1.sem.signal, sem.down} → (2,3>{a1.sa1.ok_signal, sem.up}.
Sensors 2022, 22, 1157 24 of 37
Figure 7. The UTA implementation of the two actions presented in Figure 6, and channels delay
(1,2), (a) the implementation of the transitions in node automaton sem, (b) the implementation of
the asynchronous channel transferring messages to the node sem, (c) the implementation of the
asynchronous channel transferring messages to the node sa1.
6.4. Equivalence between T-IMDS and UTA

We argue that the LTS of the T-IMDS system is exactly the same as the LTS of the set of
UTA implementing the system. The proof is rather extensive because numerous elements
and cases must be analyzed; therefore, we give the proof in the Appendix A. Here we
present some equivalences between the T-IMDS system and UTA implementation using the
rules presented in Section 6.2. We use references to the enumeration numbers in Section 4.2
(T-IMDS semantics), 5.4 (UTA semantics), and 6.2 (translation rules).
• The configuration Tt (states and derivatives, messages and derivatives, the current
time region determining abstraction class of node clocks and channel clocks) entirely
defines the situation in T-IMDS. In UTA, locations of node and channel automata,
values of variables (there are only a_s variables), and current time region define the
situation (we do not use the term ‘state’ for unambiguity) (4.2.5, 5.4.1, 6.2.2, 6.2.9,
6.2.10, 6.2.11, 6.2.12). Finally, every set of items in Tt corresponds to a separate set
of UTA locations and variable values. Every reachable set of locations and variable
values maps to a set of T-IMDS items. Moreover, the region succession graph agrees
Sensors 2022, 22, 1157 25 of 37
with advancing the time according to minimum and maximum time bounds (of action
duration and channel delay) (4.2.5, 5.4.3a, 6.2.14).
• The same concerns the initial configuration of T-IMDS and the initial situation in UTA
(4.2.11, 5.4.2).
• Every one of the T-IMDS transitions (minp ,pinp )→(minpλt ,pλt )→(mλe ,pλe )→(mchλ ,p) de-
pends only on items enumerated in pairs, independently of any other item present
in Tt (4.2.18–4.2.21, 6.2.20–6.2.22). Only the transition mchλ →m does not depend on
the state of the message issuing node (it can be p or some other item if the next action
is invoked) (4.2.21, 6.2.23). In UTA, corresponding transitions depend only on the
current location and values of variables representing pending messages. The variables
are local to the pairs of messages sending and messages receiving automata, and only
the sending automaton can change the variable value (4.2.20, 6.2.21). The automaton
collaborates with channel automata, and by construction, the input channel is in the
synchronizing location send (synchronous channel put (!) on a transition outgoing
from send location) if minp is pending (4.2.18, 6.2.20). The output channel is in the idle
location (with synchronous channel get (?) on a transition outgoing from idle) while
the action producing the output message is in progress (4.2.21, 6.2.24).
• Timed transitions in T-IMDS are concurrent for every clock (node clocks and channel
clocks) (4.2.20, 4.2.21, 6.2.23). The same is true for UTA (4.4.3a).
• Timed transition in T-IMDS is possible if no progress transition is enabled (minp ,pinp )→
(minpλt ,pλt ), (mλe ,pλe )→(mchλ ,p) (4.2.20, 4.2.21). The same concerns duration ending
and delay ending transitions (minpλt ,pλt )→(mλe ,pλe ), mλe →m (4.2.20, 4.2.21). In UTA,
all channels are urgent, whose effect is the same: precedence of progress transitions
(they correspond to T-IMDS progress transitions) over timed transitions, and over
transitions outgoing from time-counting locations (corresponding to duration ending
and delay ending transitions) (5.4.4, 6.4.23).
• In both models, the nondeterministic choice is performed if multiple transitions are
enabled (4.2.22, 5.4.6).
7. Examples
7.1. Simple Example—Two Semaphores
Let us consider two agents, starting from their own nodes, using two semaphores,
each one on a separate node. The agents use the semaphores crosswise, i.e., agent a1 calls
wait on the first, then on the second semaphore, and agent a2 calls wait on the second, then
on the first semaphore. The T-IMDS code is presented in Section 4.1. A deadlock is evident
because the semaphores are used crosswise (lines 25,26).
In the timed experiment, we assigned the duration ranges <0> to the actions in sem
type, and (0,1) to the actions in proc type. The time constraints are given in Listing 4.
Listing 4.
6. {a1.sem.wait, sem.up} -> <0>{a1.sa1.ok_wait, sem.down}
...
15. {Ag.proc.start, proc.initial} -> (0,1){Ag.sem[1].wait, proc.first},
...
The channels have 0 delay.
The deadlock appears for the timed system, as before. Figure 8 presents an example of
the system trace. It is a sequence diagram of the node operation, with global time values
on the right (yellow). Other timeless verification examples can be found in [46,47].
Sensors 2022, 22, 1157 26 of 37
Figure 8. A counterexample showing a deadlock in the timed verification of two semaphores.
If we lengthen the duration of the actions in proc[1] node (the action preceded by an in-
dex ?1), as below, the deadlock disappears, because the agent A[2] manages to perform wait
operations on both semaphores before the agent A[1] can perform its first wait operation.
The time constraint is given in Listing 5.
Listing 5.
15.?1{Ag.proc.start, proc.initial} -> (8,9) {Ag.sem[1].wait, proc.first}
Figure 9 shows a final part of the witness of both agents inevitable termination.
7.2. Practical Example: Automated Vehicle Guidance System

7.2.1. Timeless Verification
An automatic vehicle guidance system (AVGS) is an example of a distributed system
for verification. The timeless version of the system and its verification is described by
Czejdo et al. [48]. The system, depicted in Figure 6, is made up of road markers and parking
lots that communicate to guide autonomous moving platforms (AMPs) from Lot_E1 to
Lot_E2, and vice versa. In Marker_M, an apparent conflict can be resolved by utilizing Lot_M
in a staggered arrangement. The controllers of lots and markers are represented by six nodes
(Figure 10), with a protocol for requesting and granting the road segments maintained by
the controllers (Figure 11). Of course, if controller_2’s road segment is occupied, the ok
message may be delayed. MarkerM has a more sophisticated approach, because it allows
for overtaking. The system is described from the perspective of communicating controllers
in the node view. The AVGS code is shown in IMDS source notation in the node view.
Node names are shortened to L_E[2], L_M, M_E[2] and M_M. The source code is given in
Listing 6.
Sensors 2022, 22, 1157 27 of 37
Figure 9. A witness showing a termination of both agents in timed two semaphores.
Figure 10. Scheme of road segments (with their markers) and parking lots in an automated vehicle
guidance system AVGS.
Sensors 2022, 22, 1157 28 of 37
Figure 11. The protocol of road segment controller cooperation.
Listing 6.
1.system AVGS;
2.server: M_E(agents AMP[2];servers M_M,L_E),

3.services {tryM[2],tryL,okM[2],okL,takeM,takeL},
4. //M—going from M_M, L—going from L_E,
5. //try—test access, ok—accept, take—enter
6.states {empty,reservedM,reservedL,occupied},
7.actions {
8.<i=1..2> {AMP[i].M_E.tryL, M_E.empty} ->
<0>{AMP[i].L_E.ok, M_E.reservedL},
9.<i=1..2> {AMP[i].M_E.takeL, M_E.reservedL} ->
<0>{AMP[i].M_M.tryE[i], M_E.occupied},
10.<i=1..2><j=1..2>{AMP[i].M_E.okM[j], M_E.occupied} ->
(1,10){AMP[i].M_M.takeE[j], M_.empty},
11.<i=1..2><j=1..2>{AMP[i].M_E.tryM[j], M_E.empty} ->

<0>{AMP[i].M_M.okE[j], M_E.reservedM},
12.<i=1..2><j=1..2>{AMP[i].M_E.tryM[j], M_E.reservedL} ->
<0>{AMP[i].M_M.notE[j], M_E.reservedM},
13.<i=1..2><j=1..2>{AMP[i].M_E.tryM[j], M_E.occupied} ->
<0>{AMP[i].M_M.notE[j], M_E.occupied},
14.<i=1..2> {AMP[i].M_E.takeM, M_E.reservedM} ->
<0>{AMP[i].L_E.try, M_E.occupied},
15.<i=1..2> {AMP[i].M_E.okL, M_E.occupied} ->
(1,10){AMP[i].L_E.take, M_E.empty},
16.};
Sensors 2022, 22, 1157 29 of 37
17.server: M_M(agents AMP[2];servers M_[, 2]L_M),

18.services {tryE[2],tryL[2],okE[2],notE[2],okL[2],takeE[2],takeL[2],switch[2]},
19.states {empty,reservedE[2],reservedL[2],occupied},
20.actions {
21.//going to M_E1 or M_E2
22.<i=1..2><j=1..2>{AMP[i].M_M.tryE[j], M_M.empty} ->
<0>{AMP[i].M_E[j].okM[j], M_M.reservedE[j]},
23.<i=1..2><j=1..2>{AMP[i].M_M.takeE[j], M_M.reservedE[j]} ->
<0>{AMP[i].M_M.switch[3-j], M_M.occupied},
24.<i=1..2><j=1..2>{AMP[i].M_M.switch[j], M_M.occupied} ->
<0>{AMP[i].M_E[j].tryM[j], M_M.occupied},
25.<i=1..2><j=1..2>{AMP[i].M_M.okE[j], M_M.occupied} ->
(1,10){AMP[i].M_E[j].takeM, M_M.empty},
26.//on a way to M_E1 or M_E2 may go to L_E if M_Ei is occupied

27.<i=1..2><j=1..2>{AMP[i].M_M.notE[j], M_M.occupied} ->
<0>{AMP[i].lotM.try[j], M_M.occupied},
28.<i=1..2><j=1..2>{AMP[i].M_M.okL[j], M_M.occupied} ->
(1,10){AMP[i].L_M.take[j], M_M.empty},
29.// from M_M—going to M_E1 or M_E2

30.<i=1..2><j=1..2>{AMP[i].M_M.tryL[j], M_M.empty} ->
<0>{AMP[i].L_M.ok[j], M_M.reservedL[j]},
31.<i=1..2><j=1..2>{AMP[i].M_M.takeL[j], M_M.reservedL[j]} ->
<0>{AMP[i].M_E[j].tryM[j], M_M.occupied},
32.<i=1..2><j=1..2>{AMP[i].M_M.okE[j], M_M.occupied} ->
(1,10){AMP[i].M_E[j].takeM, M_M.empty},
33.};
34.server: L_E(agents AMP[2];servers M_E),

35.services {start,try,ok,take},
36.states {empty,reserved,occupied},
37.actions {
38.<i=1..2> {AMP[i].L_E.try, L_E.empty} ->
<0>{AMP[i].M_E.okL, L_E.reserved},
39.<i=1..2> {AMP[i].L_E.take, lotE.reserved} ->
<0>{L_E.occupied},
40.<i=1..2> {AMP[i].L_E.start, L_E.occupied} ->

<0>{AMP[i].M_E.tryL, L_E.occupied},
41.<i=1..2> {AMP[i].L_E.ok, L_E.occupied} ->
(1,10){AMP[i].M_E.takeL, M_E.empty},
42.};
43.server: L_M(agents AMP[2];servers M_M),

44.services {try[2],ok[2],take[2]},
45.states {empty,reserved[2],occupied[2]},
46.actions {
47.<i=1..N><j=1..2>{AMP[i].L_M.try[j], L_M.empty} ->
<0>{AMP[i].M_M.okL[j], L_M.reserved[j]},
48.<i=1..N><j=1..2>{AMP[i].L_M.take[j], L_M.reserved[j]} ->
<0>{AMP[i].M_M.tryL[j], L_M.occupied[j]},
49.<i=1..2><j=1..2>{AMP[i].L_M.ok[j], L_M.occupied[j]} ->
(1,10){AMP[i].M_M.takeL[j], L_M.empty},
Sensors 2022, 22, 1157 30 of 37
50.};
51.servers M_E[2],M_M,L_E[2],L_M;
52.agents AMP[2];
53.channels {(1,10)};
54.init -> {
55.<j=1..2> M_E[j](AMP[1..2],M_M,lotE[j]).empty,
56. M_M(AMP[1..2],M_E[1,2],L_M).empty,
57.<j=1..2> lotE[j](AMP[1..2],M_E[j]).occupied,
58. L_M(AMP[1..2],M_M).empty,
59.<j=1..2> AMP[j].L_E[j].start,
60.}.
The agent view of the system shows it from the point of view of AMP vehicles. The
difference is generally in the grouping actions of individual agents rather than of nodes.
The Dedan program (Supplementary Materials) performs the temporal verification.
Overtaking in Marker_M is successful, but there is a possibility of deadlock when an
AMP occupies Marker_E1, and the other AMP tries to drive from Lot_E1 to Marker_E1. A
counterexample, showing the deadlock in the node view, representing the cooperation
of segment controllers, is presented in Figure 12. The counterexample is represented by
a chart that resembles a sequence diagram. The upper part shows the initial states of all
nodes on a pink background and the sequences of states and messages that lead to an
erroneous situation in a given process (agent names on a green background occur in the
agent view). The heading shows the names of the nodes on a pink background (agent
names on a green background occur in the agent view). A state identifier is displayed with
a light blue background. The agent responsible for entering the specified state is depicted
on a dark blue background. When sending a message, the agent identifier is displayed on a
light yellow background; while receiving a message, the service name is displayed on a
yellow background. The last section displays the final deadlock configuration, including
node states and pending messages.
In the timelines of individual nodes, messages from the various agents interleave. The
counterexample can be displayed in the agent view, in which timelines of individual agents
are shown. This form of counterexample, showing the behavior of individual AMPs, is
presented in [48].
7.2.2. Timed Verification

The time of message passing and the time of road segment occupation are undefined
in the timeless system. T-IMDS allows observing the behavior with a specified duration of
actions and communication delays. Time constraints applied in the T-IMDS variant are:
• Time of movement between segments (issuing the take message) is between 1 and 10.
• The channel delay is assumed (1,10).
Setting constraints (1,10) yields the ‘nearly no restrictions’ paradigm, which is compa-
rable to a timeless system.
Such time limits being imposed on the AVGS system result in the deadlock presented
in Figure 12, as in the timeless system. However, the shorter time constraints (4,5) for taking
a segment and (0,1) for channel delay model the simultaneous movement of the two AMPs,
which begin practically synchronously from Lot_E1 and Lot_E2. In this case, the deadlock
is broken: the AMPs use Lot_M to evade in Marker_M, but no evasive necessity occurs in
Marker_E1 and Marker_E2 (time constraints do not allow the AMPs to come into a conflict
in edge markers). We present the final fragment of the witness of the modified system, with
shortened time constraints, in Figure 13.
Sensors 2022, 22, 1157 31 of 37
Figure 12. Communication structure in a trace of the timeless AMP’s behavior, leading to a deadlock.
Sensors 2022, 22, 1157 32 of 37
Figure 13. The final fragment of the witness of the corrected AVGS timed system.
8. Conclusions
This article presents the IMDS formalism and the Dedan verification environment.
They support the modeling of systems using asynchronous communication of autonomous
elements, which is natural in distributed environments. The node view and the agent view
of the verified system can be observed, which highlight different aspects of distributed
system behavior. The node view refers to the client–server model of distributed systems.
In contrast, the agent view is similar to the remote procedure call model [5] (however,
it is generally unnecessary for the agent process to return to the calling node in IMDS).
Deadlocks can be found in both views, showing counterexamples and witnesses from the
perspective of communicating nodes or agents traveling between the nodes and changing
the nodes’ states.
Universal temporal formulas, unrelated to the structure of a given system, allow
finding deadlocks without any knowledge of temporal logic and model checking. The
location of deadlocks and distributed termination checking is performed in ‘push the
button’ style.
The conversion of IMDS systems to timed automata allows the possibility of veri-
fication with real-time constraints. This is suitable for real distributed systems, where
communication protocols and time-dependent behavior (such as streaming, monitoring,
games) require taking time into account. Both communication delays and the time duration
of nodes’ and agents’ actions can be modeled.
Verification of an existing system with the actual values of time constraints can de-
termine if a deadlock is possible. The deadlock reveals, for example, a traffic jam. On the
other hand, the threshold values of time constraints (lower and upper bounds) that cause a
deadlock can be identified in a series of experiments.
Important cases include embedded systems controlling mechanical or chemical equip-
ment, in which the system behavior depends on the time of real-world phenomena and
activities. An example of such a system is presented in this article, in which time delays in
Sensors 2022, 22, 1157 33 of 37
controllers’ communication and the time duration of AMPs moving through road segments
are modeled. IMDS and Dedan may be used for the ‘rapid prototyping’ of distributed
controllers, in which sub-controllers coordinate their behavior by simple protocols; follow-
ing the internet of things (IoT [49]) paradigm. We have recently started a project of train
management, where the balise placement is planned (track equipment), and we estimated
the maximum velocity at which the driver is safe in order to notice and acknowledge the
messages coming from the balises. All elements of the system (the train, balises, and driver)
act asynchronously, with their own timing constraints. Verification can be carried out for
various values of time constraints.
The model is not free from limitations. The most important limitation is that dis-
tributed computations are performed by the agents, and messages are the carriers of agents.
This prohibits communication in broadcast style. Multicast communication can be achieved
using a set of ‘sleeping’ agents, which come into operation for multicasting. We used
this technique in the verification of BPMN (business process model and notation [50])
processes [51].
The Dedan is based on explicit state–space representation, allowing for the verification
of small and medium systems. Large systems are exported from Dedan to Uppaal for their
verification, and the semantics of both representations are equal.
The Dedan environment has been effectively employed in the Warsaw University of
Technology’s Institute of Computer Science’s operating systems laboratory. The students
verify their synchronization solutions during classes.
Supplementary Materials: The Dedan program is available online at http://staff.ii.pw.edu.pl/dedan/

files/DedAn.zip (accessed on 30 January 2022). Examples of the IMDS systems in the source code are
available at http://staff.ii.pw.edu.pl/dedan/files/examples.zip (accessed on 30 January 2022).
Funding: This research received no external funding.
Institutional Review Board Statement: Not applicable.
Informed Consent Statement: Not applicable.
Conflicts of Interest: The author declares no conflict of interest.
Appendix A. Proof of Equivalence between T-IMDS and UTA Implementation

We use references to the enumeration numbers in Section 4.2 (T-IMDS Semantics), 5.4
(UTA Semantics), and 6.2 (Translation Rules).
1. The initial T-IMDS configuration Tt0 includes the states of all nodes (4.2.11). The initial
compound location of the set of all UTA node automata contains all initial locations,
and every initial location p0 = (s,v0 ) corresponds to the initial state of the implemented
node s. Consequently, initial states of all nodes are implemented.
2. The initial T-IMDS configuration Tt0 includes the messages of all agents (4.2.11). The
initial compound location of the set of all UTA channel automata contains the idle
locations, except one channel automaton for every agent, whose initial location is send.
3. The initial T-IMDS configuration Tt0 includes the messages of all agents (4.2.11).
The UTA variables storing the called services of the agents, directed to individual
node automata, are equal to none, except one variable for every agent, whose initial
name appoints the initial node of the agent and the value corresponds to the service
contained in the initial message (6.2.6). This feature, along with the previous point,
ensures that each agent has its initial message directed to the node of its origin. Thus,
initial messages of all agents are implemented.
4. All UTA channel automata, except those holding initial agent messages are in idle
location (6.2.24), and the transition outgoing from this location has the channel receive
operation ch_a_s1 _s2 ? enabled, so all those channels are ready to accept messages for
their transfer.
Sensors 2022, 22, 1157 34 of 37
5. In every UTA channel automaton implementing T-IMDS channel (a,→s), that is in send
location, the UTA channel send operation ch(a, →s) _a_s! is enabled on the transition
outgoing from the send location (6.2.24).
6. All the time values in Tt0 are 0 (4.2.11). UTA clock values: the value of every UTA cs
implementing cts is initially 0, the value of every UTA cch implementing ctch is initially
0 (5.4.2).
7. If there is a matching pair (minp ,pinp ) then the action λ = ((minp ,pinp ),(m,p)) triggered by
the pair (minp ,pinp ) can be executed, i.e., a progress transition replaces pinp with pλt , and
minp with minpλt (4.2.18). Likewise, in UTA, minp denotes that the variable a_s == s_r
and channel send operation ch(a, →s) _a_s! in channel (a,→s) automaton is enabled
(6.2.9). Matching (minp ,pinp ) denotes that channel receive operation ch(a, →s) _a_s? in
node s automaton is enabled (6.2.20). There are simultaneous transitions executed
from send to idle in channel (a,→s) automaton and from pinp to pλt in node s automaton.
The value of the variable a_s remains s_r (6.2.20). The location pλt implements the pλt
derivative of the state p (5.2.7) and the pair (pλt ,a_s == s_r) implements minpλt (6.2.10);
therefore, the transition replaces (minp ,pinp ) with (minpλt ,pλt ). As the channel (a,→s)
automaton location becomes idle and channel send operation ch(a, →s) _a_s! is no longer
enabled, the minp message disappears (6.2.9). Instead, the channel automaton in its
idle location has the channel receive operations ch(a, →s) _a_si _s? enabled, which means
that the channel is ready to accept the next message to transfer (6.2.24).
8. If a pair (mλe ,pλe ) exists in T-IMDS configuration Tt , then the progress transition can
be executed that replaces mλe with mchλ and pλe with p (6.2.22). The state derivative
pλe is implemented in UTA as the location pλe (6.2.8) and the mλe is implemented
as the pair (pλe , a_s == s_r) (6.2.11). The transition in UTA is enabled by the chan-
nel send operation ch(a, →sout) _a_si _s!, where the output message of the action λ is
m = (a,sout ,rout ) (6.2.24). As all the channels for agent a are ready to accept a message
(they are in idle location so their channel receive operations ch(a, →sout) _a_s_sj ! are
enabled), the channel automaton transferring messages to the node sout is among
them. Thus, the transition implementing replacement of (mλe ,pλe ) with (mchλ ,p) can
be executed (6.2.22). Once executed, the location p implementing the output state p
(6.2.2) is reached and the implementation of the message m is inserted into a channel,
i.e., the pair (p,a_sout == sout _rout ) occurs (the variable sout is set on the duration end
transition 6.2.21). The channel automaton left the idle location and reached the wait
location in which a channel delay is counted (6.2.24). If the delay is 0, the channel
automaton reaches the send location immediately (location wait does not appear in the
channel automaton).
9. If there are more than one T-IMDS progress transitions enabled (previous points 8
and 9), one of them is chosen in a non-deterministic way (4.2.22). The same rule
applies to non-deterministic choice between the corresponding progress transitions in
UTA (5.4.6).
10. If a pair (minpλt ,pλt ) exists in T-IMDS configuration Tt , then either the timed transition
is followed that advances all the time values (of nodes and channels) at least by the
value of a least lower time constraint minus the time already spent in the derivative
pλt /mchλ (all action durations and all channel delays), at most by the value of a
greatest upper time constraint, leaving the pair (minpλt ,pλt ) unchanged (6.2.23); or the
progress transition can be executed that replaces minpλt with mλe and pλt with pλe , if
the node time value is between the lower and upper time constraint of the action λ
(6.2.21). In UTA, the situation is alike: for all locations with time invariant (there are
only pλt and wait such locations) either a timed transition less than minimum time
invariant minus its clock value (5.4.3a), or the progress transition to pλe is executed
(5.4.3b). The progress transition assigns a_sout == sout _rout (6.2.21); therefore, the pair
(pλt ,a_sout == sout _rout ) is reached which implements mλe (6.2.11).
11. If a derivative mchλ exists in T-IMDS configuration Tt , then either the timed transition
is followed that advances all the time values (of nodes and channels), at least by the
Sensors 2022, 22, 1157 35 of 37
value of a least lower time constraint minus the time already spent in the derivative
pλt /mchλ (all action durations and all channel delays), at most by the value of a
greatest upper time constraint, leaving the pair (minpλt ,pλt ) unchanged (6.2.23); or the
progress transition can be executed that replaces mchλ with m, if the node time value
is between the lower and upper time constraint of the channel ch delay (6.2.24). In
UTA, the situation is the same: for all locations with time invariant (there are only pλt
and wait such locations) either a timed transition less than minimum time invariant
minus its clock value (5.4.3a), or the progress transition to pλe is executed (5.4.3b).
The progress transition changes the location of the channel ch automaton from wait to
send (6.2.24); therefore, the implementation of m is reached (send,a_sout == sout _rout )
(6.2.9—m is minp for the next action).
12. In both T-IMDS timed transitions mentioned in points 10 and 11, the UTA timed
transition can be made by the value that leaves the time region the same or advances
the region to its successor, which does not reach the lower bound of any progress
transition (4.2.23, 6.2.23). In such a situation, only the next timed transition must be
executed. A sequence of such timed transition in UTA implements a minimum time
shift in T-IMDS, after which at least one progress transition can be executed.
13. If at least one progress transition is enabled in T-IMDS, it has a priority over any timed
transition (6.2.22). Therefore, it is in UTA, because urgent channels are used on every
progress transition (5.4.4, 5.4.5).
References
1. Daszczuk, W.B. Communication and Resource Deadlock Analysis using IMDS Formalism and Model Checking. Comput. J. 2017,
60, 729–750. [CrossRef]
2. Daszczuk, W.B. Specification and Verification in Integrated Model of Distributed Systems (IMDS). Computers 2018, 7, 65. [CrossRef]
3. Holzmann, G.J. Tutorial: Proving properties of concurrent systems with SPIN. In Proceedings of the 6th International Conference
on Concurrency Theory, CONCUR’95, Philadelphia, PA, USA, 21–24 August 1995; Springer: Berlin/Heidelberg, Germany, 1995;
pp. 453–455. [CrossRef]
4. Zielonka, W. Notes on finite asynchronous automata. RAIRO-Theor. Inform. Appl. 1987, 21, 99–135. [CrossRef]
5. Jia, W.; Zhou, W. Distributed Network Systems. From Concepts to Implementations; Springer: Berlin/Heidelberg, Germany, 2005;
Volume 15. [CrossRef]
6. Clarke, E.M.; Grumberg, O.; Peled, D.A. Model Checking; MIT Press: Cambridge, MA, USA, 1999.
7. Kern, C.; Greenstreet, M.R. Formal verification in hardware design: A survey. ACM Trans. Des. Autom. Electron. Syst. 1999, 4,
123–193. [CrossRef]
8. Inverso, O.; Nguyen, T.L.; Fischer, B.; La Torre, S.; Parlato, G. Lazy-CSeq: A Context-Bounded Model Checking Tool for Multi-
threaded C-Programs. In Proceedings of the 30th IEEE/ACM International Conference on Automated Software Engineering
(ASE), Lincoln, NE, USA, 9–13 November 2015; IEEE: New York, NY, USA, 2015; pp. 807–812. [CrossRef]
9. Kaveh, N. Using Model Checking to Detect Deadlocks in Distributed Object Systems. In Proceedings of the 2nd International
Workshop on Distributed Objects, Davis, CA, USA, 2–3 November 2000; Emmerich, W., Tai, S., Eds.; Springer: Berlin/Heidelberg,
Germany, 2001; Volume 1999, pp. 116–128. [CrossRef]
10. Arcaini, P.; Gargantini, A.; Riccobene, E. AsmetaSMV: A Model Checker for AsmetaL Models–Tutorial; Report, Università degli Studi
di Milano, Dipartimento di Tecnologie dell’Informazione. 2009. Available online: https://air.unimi.it/retrieve/handle/2434/691
05/96882/Tutorial_AsmetaSMV.pdf (accessed on 30 January 2022).
11. Yang, Y.; Chen, X.; Gopalakrishnan, G. Inspect: A Runtime Model Checker for Multithreaded C Programs; Report UUCS-08-004;
University of Utah: Salt Lake City, UT, USA, 2008. Available online: http://www.cs.utah.edu/docs/techreports/2008/pdf/
UUCS-08-004.pdf (accessed on 1 February 2022).
12. Podelski, A.; Rybalchenko, A. Software Model Checking of Liveness Properties via Transition Invariants; Research Report MPI–I–2003–2–
00; Max Planck Institut für Informatik: Saarbrücken, Germany, 2003. Available online: https://pure.mpg.de/pubman/faces/
ViewItemOverviewPage.jsp?itemId=item_1819221 (accessed on 30 January 2022).
13. Behrmann, G.; David, A.; Larsen, K.G.; Pettersson, P.; Yi, W. Developing UPPAAL over 15 years. Softw. Pract. Exp. 2011, 41,
133–142. [CrossRef]
14. Behrmann, G.; David, A.; Larsen, K.G. A Tutorial on Uppaal 4.0; Aalborg University: Aalborg, Denmark, 2006. Available online:
http://www.it.uu.se/research/group/darts/papers/texts/new-tutorial.pdf (accessed on 30 January 2022).
15. Daszczuk, W.B. Evaluation of temporal formulas based on “Checking By Spheres”. In Proceedings of the Euromicro Symposium
on Digital Systems Design, Warsaw, Poland, 4–6 September 2001; IEEE: New York, NY, USA, 2001; pp. 158–164. [CrossRef]
16. Holzmann, G.J. The model checker SPIN. IEEE Trans. Softw. Eng. 1997, 23, 279–295. [CrossRef]
Sensors 2022, 22, 1157 36 of 37
17. Cimatti, A.; Clarke, E.M.; Giunchiglia, F.; Roveri, M. NUSMV: A new symbolic model checker. Int. J. Softw. Tools Technol. Transf.
2000, 2, 410–425. [CrossRef]
18. Alur, R.; Dill, D.L. A theory of timed automata. Theor. Comput. Sci. 1994, 126, 183–235. [CrossRef]
19. Bérard, B.; Cassez, F.; Haddad, S.; Lime, D.; Roux, O.H. Comparison of the Expressiveness of Timed Automata and Time Petri
Nets. In Proceedings of the Third International Conference, FORMATS 2005, Uppsala, Sweden, 26–28 September 2005; Springer:
Berlin/Heidelberg, Germany, 2005; pp. 211–225. [CrossRef]
20. Popescu, C.; Martinez Lastra, J.L. Formal Methods in Factory Automation. In Factory Automation; Silvestre-Blanes, J., Ed.; InTech:
Rijeka, Croatia, 2010; pp. 463–475. [CrossRef]
21. Daszczuk, W.B. Threefold Analysis of Distributed Systems: IMDS, Petri Net and Distributed Automata DA3 . In Proceedings of the
37th IEEE Software Engineering Workshop, Federated Conference on Computer Science and Information Systems, FEDCSIS’17,
Prague, Czech Republic, 3–6 September 2017; IEEE Computer Society Press: New York, NY, USA, 2017; pp. 377–386. [CrossRef]
22. Daszczuk, W.B. Siphon-based deadlock detection in Integrated Model of Distributed Systems (IMDS). In Proceedings of the
Federated Conference on Computer Science and Information Systems, 3rd Workshop on Constraint Programming and Operation
Research Applications (CPORA’18), Poznań, Poland, 9–12 September 2018; IEEE: New York, NY, USA, 2018; pp. 425–435.
[CrossRef]
23. Bérard, B. An Introduction to Timed Automata. In Control of Discrete-Event Systems; Springer: Berlin/Heidelberg, Germany, 2013;
24. Glabbeek, R.J.; Goltz, U. Equivalences and refinement. In Proceedings of the LITP Spring School on Theoretical Computer Science
La Roche Posay, France, 23–27 April 1990; Springer: Berlin/Heidelberg, Germany, 1990; pp. 309–333. [CrossRef]
25. Lime, D.; Roux, O.H. Model Checking of Time Petri Nets Using the State Class Timed Automaton. Discret. Event Dyn. Syst. 2006,
16, 179–205. [CrossRef]
26. Cassez, F.; Roux, O.H. Structural translation from Time Petri Nets to Timed Automata. J. Syst. Softw. 2006, 79, 1456–1468.
[CrossRef]
27. Henzinger, T.A.; Ho, P.-H.; Wong-Toi, H. A user guide to HyTech. In Proceedings of the TACAS 95: International Work-
shop on Tools and Algorithms for the Construction and Analysis of Systems, Aarhus, Denmark, 19–20 May 1995; Springer:
28. André, É.; Fribourg, L.; Kühne, U.; Soulat, R. IMITATOR 2.5: A Tool for Analyzing Robustness in Scheduling Problems.
In Proceedings of the FM 2012: International Symposium on Formal Methods, Paris, France, 27–31 August 2012; Springer:
29. Laroussinie, F.; Markey, N.; Schnoebelen, P. Efficient timed model checking for discrete-time systems. Theor. Comput. Sci. 2006,
353, 249–271. [CrossRef]
30. Krystosik, A.; Turlej, D. Emlan: A Language for model checking of embedded systems software. IFAC Proc. Vol. 2006, 39, 126–131.
[CrossRef]
31. Emerson, E.A.; Mok, A.K.; Sistla, A.P.; Srinivasan, J. Quantitative temporal reasoning. Real-Time Syst. 1992, 4, 331–352. [CrossRef]
32. Gluchowski, P. Languages of CTL and RTCTL Calculi in Real-Time Analysis of a System Described by a Fault Tree with
Time Dependencies. In Proceedings of the 2009 Fourth International Conference on Dependability of Computer Systems,
DepCoS-RELCOMEX’09, Brunów, Poland, 30 June–2 July 2009; IEEE: New York, NY, USA, 2009; pp. 33–41. [CrossRef]
33. Frossl, J.; Gerlach, J.; Kropf, T. An efficient algorithm for real-time symbolic model checking. In Proceedings of the ED&TC
European Design and Test Conference, Paris, France, 11–14 March 1996; IEEE Computer Society Press: New York, NY, USA, 1996;
34. Audemard, G.; Cimatti, A.; Kornilowicz, A.; Sebastiani, R. Bounded Model Checking for Timed Systems. In Proceedings of the
FORTE 2002: International Conference on Formal Techniques for Networked and Distributed Systems, Houston, TX, USA, 11–14
November 2002; Springer: Berlin/Heidelberg, Germany, 2002; pp. 243–259. [CrossRef]
35. Ruf, J.; Kropf, T. Symbolic Verification and Analysis of Discrete Timed Systems. Form. Methods Syst. Des. 2003, 23, 67–108.
[CrossRef]
36. Winskel, G.; Nielsen, M. Models for Concurrency. Handbook of Logic in Computer Science; Oxford University Press: Oxford, UK, 1995;
Volume 4.
37. Bowman, H. Time and Action Lock Freedom Properties for Timed Automata. In Proceedings of the 21st International Conference
on Formal Techniques for Networked and Distributed Systems, FORTE 2001, Cheju Island, Korea, 28–31 August 2001; Kluwer
Academic Publishers: Boston, MA, USA, 2001; pp. 119–134. [CrossRef]
38. Keller, R.M. Formal verification of parallel programs. Commun. ACM 1976, 19, 371–384. [CrossRef]
39. Reniers, M.A.; Willemse, T.A.C. Folk Theorems on the Correspondence between State-Based and Event-Based Systems. In
Proceedings of the 37th Conference on Current Trends in Theory and Practice of Computer Science, Nový Smokovec, Slovakia,
22–28 January 2011; Springer: Berlin/Heidelberg, Germany, 2011; Volume 6543, pp. 494–505. [CrossRef]
40. Daszczuk, W.B. Graphic modeling in Distributed Autonomous and Asynchronous Automata (DA3 ). Softw. Syst. Model. 2021,
20, 36. [CrossRef]
41. Chrobot, S. Modelling communication in distributed systems. In Proceedings of the International Conference on Parallel
Computing in Electrical Engineering PARELEC 2002, Warsaw, Poland, 25 September 2002; IEEE Computer Society: New York,
NY, USA, 2002; pp. 55–60. [CrossRef]
Sensors 2022, 22, 1157 37 of 37
42. Daszczuk, W.B.; Bielecki, M.; Michalski, J. Rybu: Imperative-style Preprocessor for Verification of Distributed Systems in the
Dedan Environment. In Proceedings of the KKIO’17–Software Engineering Conference, Rzeszów, Poland, 14–16 September 2017;
Polish Information Processing Society: Warshaw, Poland, 2017; pp. 135–150.
43. Penczek, W.; Szreter, M.; Gerth, R.; Kuiper, R. Improving Partial Order Reductions for Universal Branching Time Properties.
Fundam. Inform. 2000, 43, 245–267. [CrossRef]
44. Lanese, I.; Montanari, U. Hoare vs Milner: Comparing Synchronizations in a Graphical Framework With Mobility. Electron. Notes
Theor. Comput. Sci. 2006, 154, 55–72. [CrossRef]
45. May, D. Occam. ACM Sigplan Not. 1983, 18, 69–79. [CrossRef]
46. Daszczuk, W.B. Asynchronous Specification of Production Cell Benchmark in Integrated Model of Distributed Systems. In
Proceedings of the 23rd International Symposium on Methodologies for Intelligent Systems, ISMIS 2017, Warsaw, Poland,
26–29 June 2017; Bembenik, R., Skonieczny, L., Protaziuk, G., Kryszkiewicz, M., Rybinski, H., Eds.; Springer International
Publishing: Cham, Switzerland, 2019; Volume 40, pp. 115–129. [CrossRef]
47. Daszczuk, W.B. Static and Dynamic Verification of Space Systems Using Asynchronous Observer Agents. Sensors 2021, 21, 4541.
[CrossRef]
48. Czejdo, B.; Bhattacharya, S.; Baszun, M.; Daszczuk, W.B. Improving Resilience of Autonomous Moving Platforms by real-time
analysis of their Cooperation. Autobusy-TEST 2016, 17, 1294–1301. Available online: http://yadda.icm.edu.pl/baztech/
element/bwmeta1.element.baztech-6ab8a90d-13a7-429b-9ecd33cce2801f6f/c/10_L_CZEJDO_BHATTACHARYA_BASZUN_
DASZCZUK.pdf (accessed on 30 January 2022).
49. Lee, G.M.; Crespi, N.; Choi, J.K.; Boussard, M. Internet of Things. In Evolution of Telecommunication Services; Springer:
50. Grosskopf, A.; Decker, G.; Weske, M. The Process: Business Process Modeling Using BPMN; Meghan-Kiffer Press: Tampa, FL, USA,
2018; p. 182, ISBN 9780929652269.
51. Jałowiec, J. Translation of Business Process Model and Notation into Integrated Model of Distributed Systems. Available online:
https://repo.pw.edu.pl/info/bachelor/WUT31de757656da422c87be61e7ede00630/?r=diploma&tab=&lang=pl (accessed on
30 January 2022).

Sensors: Modeling and Verification of Asynchronous Systems Using Timed Integrated Model of Distributed Systems

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Sensors: Modeling and Verification of Asynchronous Systems Using Timed Integrated Model of Distributed Systems

Uploaded by

Copyright:

Available Formats

sensors

Received: 26 December 2021

Sensors 2022, 22, 1157. https://doi.org/10.3390/s22031157 https://www.mdpi.com/journal/sensors

2. Related Work: Timed Automata and Other Timed Formalisms

Sensors 2022, 22, x FOR PEER REVIEW 5 of 38

agrees with u over Z\r. Transitions are executed simultaneously then there exists the transition e = (l

3.1. Basic IMDS Definition

Figure 1. Action in IMDS: relation in (M × P) × (M × P).

3.2. IMDS System Behavior

Tout (λ) from Tinp (λ) for an action (31,1)→(32,2)

3.3. IMDS Processes

3.4. Automated Deadlock and Termination Identification in IMDS

4. Timed IMDS (T-IMDS)

19. {Ag.proc.ok_s, proc.second} -> <0>{proc.end},

The semantics of T-IMDS (timed LTS) is:

5. Uppaal Timed Automata

• O = {o1 , o2 , . . . } finite set of variables, for which we define:

 Comment: In Uppaal TA, the function

5.3. Network of UTA distinct TA have the same q label on their transitions.

5.4. The Semantics   of

 for every ok ∈ O, fi (ok ) = vk and fj (ok) = vk 0 orfj (okLocation invariant functions are co

6. If two transitions TAthen there exists the transition e = (l

• (32a,2a) location upλ2t : initial location—no, time invariant—csem ≤ 3 (5),

6.2. Translation Rules

6.3. Translation of the Example

Figure 6. The image of two actions λ1 = {a1.sem.wait, sem.up} → (2,3>{a1.sa1.ok_wait, sem.down}

6.4. Equivalence between T-IMDS and UTA

Figure 8. A counterexample showing a deadlock in the timed verification of two semaphores.

7.2. Practical Example: Automated Vehicle Guidance System

Figure 9. A witness showing a termination of both agents in timed two semaphores.

Figure 11. The protocol of road segment controller cooperation.

2.server: M_E(agents AMP[2];servers M_M,L_E),

11.<i=1..2><j=1..2>{AMP[i].M_E.tryM[j], M_E.empty} ->

17.server: M_M(agents AMP[2];servers M_[, 2]L_M),

26.//on a way to M_E1 or M_E2 may go to L_E if M_Ei is occupied

29.// from M_M—going to M_E1 or M_E2

34.server: L_E(agents AMP[2];servers M_E),

40.<i=1..2> {AMP[i].L_E.start, L_E.occupied} ->

43.server: L_M(agents AMP[2];servers M_M),

7.2.2. Timed Verification

Supplementary Materials: The Dedan program is available online at http://staff.ii.pw.edu.pl/dedan/

Appendix A. Proof of Equivalence between T-IMDS and UTA Implementation

You might also like