NASA/CR-1999-208980 ICASE Report No. 99-4



# A Practical Approach to Implementing Real-time Semantics

Gerald Lüttgen ICASE, Hampton, Virginia

Girish Bhat MakeLabs, Cary, North Carolina

Rance Cleaveland State University of New York at Stony Brook, Stony Brook, New York

Institute for Computer Applications in Science and Engineering NASA Langley Research Center Hampton, VA Operated by Universities Space Research Association



National Aeronautics and Space Administration

Langley Research Center Hampton, Virginia 23681-2199 Prepared for Langley Research Center under Contract NAS1-97046

January 1999

## A PRACTICAL APPROACH TO IMPLEMENTING REAL-TIME SEMANTICS

GERALD LÜTTGEN\*, GIRISH BHAT<sup>†</sup>, AND RANCE CLEAVELAND<sup>‡</sup>

**Abstract.** This paper investigates implementations of *process algebras* which are suitable for modeling concurrent *real-time* systems. It suggests an approach for efficiently implementing real-time semantics using *dynamic priorities*. For this purpose a process algebra with dynamic priority is defined, whose semantics corresponds one-to-one to traditional real-time semantics. The advantage of the dynamic-priority approach is that it drastically reduces the state-space sizes of the systems in question while preserving all properties of their functional and real-time behavior.

The utility of the technique is demonstrated by a case study which deals with the formal modeling and verification of the SCSI-2 bus-protocol. The case study is carried out in the Concurrency Workbench of North Carolina, an automated verification tool in which the process algebra with dynamic priority is implemented. It turns out that the state space of the bus-protocol model is about an order of magnitude smaller than the one resulting from real-time semantics. The accuracy of the model is proved by applying model checking for verifying several mandatory properties of the bus protocol.

Key words. dynamic priority, process algebra, real-time semantics, SCSI-2 bus-protocol, verification

#### Subject classification. Computer Science

1. Introduction. A variety of formal approaches have been introduced for modeling and verifying concurrent and distributed systems, many of which are based on a common scheme consisting of three basic components, as depicted in Figure 1.1: a specification language, a semantic model, and a verification method. Specification languages provide a syntactic means for describing (abstractions of) real-world systems and can be of graphical nature (e.g., Statecharts [19]), term-based (e.g., process algebras [21, 27]), or variants of logics (e.g., monadic logics [18]). Figure 1.1 illustrates the different looks and feels of these languages by a small example modeling the behavior of a simple one-place buffer, which cyclically offers communications on ports in and out. Many specification languages have in common that their semantics is given in terms of operational models. More precisely, syntactic models are compiled to (labeled) transition systems which describe the real-world system's operational behavior. Transition systems provide a convenient structure on which many verification methods, such as simple reachability analyses – which allow for analyzing, e.g., deadlock behavior – and more advanced techniques, such as model-checking [10], work. However, only with the advent of verification tools [15, 20, 22, 25] in the last decade have formal approaches emerged as practical aids for system designers [2, 14, 17].

<sup>\*</sup>Institute for Computer Applications in Science and Engineering (ICASE), NASA Langley Research Center, Hampton, VA 23681-2199, e-mail: luettgen@icase.edu. This research was supported by the National Aeronautics and Space Administration under NASA Contract No. NAS1-97046 while the first author was in residence at the Institute for Computer Applications in Science and Engineering, NASA Langley Research Center, Hampton, VA 23681-2199.

<sup>&</sup>lt;sup>†</sup>MakeLabs, A Division of Make Systems, Inc., 4000 Regency Parkway, Suite 150, Cary, NC 27511-8502, e-mail: girish@makesys.com.

<sup>&</sup>lt;sup>‡</sup>Department of Computer Science, State University of New York at Stony Brook, Stony Brook, NY 11794-4400, e-mail: rance@cs.sunysb.edu. Research supported by NSF grants CCR-9257963, CCR-9505662, CCR-9804091, and INT-9603441, AFOSR grant F49620-95-1-0508, and ARO grant P-38682-MA.



FIG. 1.1. A typical verification framework.

This paper addresses the problem of modeling and verifying concurrent systems where *real-time* plays an important role for their functional behavior. On the one hand, real-time is often used to implement synchronization constraints in distributed environments. As an example of a synchronization constraint, consider a communication protocol where the next protocol phase may only be entered if some or all components agree. On the other hand, electric phenomena, e.g., wire glitches that may lead to malfunction, can be avoided using deskew delays. Thus, for accurately modeling those systems it is necessary to capture their real-time aspects, thereby motivating the need for real-time specification languages, such as real-time process algebras [28, 29], and for their efficient implementation. Existing implementations of real-time process algebras typically cause state spaces to explode, thereby making many verification methods impracticable. The reason for the state explosion is that time is considered as part of the state, i.e., a new state is generated for every clock tick. We tackle this problem by using dynamic priorities to model real-time. We introduce a new process algebra, called  $\mathsf{CCS}^{\mathsf{dp}}$  (Calculus of Communicating Systems with dynamic priority), which essentially extends the Calculus of Communicating Systems (CCS) [27] by assigning priority values to actions. Unlike conventional process algebras with priority [9, 11, 12], actions in our algebra do not have fixed or static priority values; they may change as systems evolve. It is in this sense that we refer to CCS<sup>dp</sup> as a process algebra with dynamic priority. In contrast to traditional real-time process algebras, e.g., a variation of Temporal CCS [28] which we refer to as CCS<sup>rt</sup> (CCS with real-time), the semantics of CCS<sup>dp</sup> interprets delays preceding actions as priority values attached to these actions, i.e., the longer the delay preceding an action, the lower is its priority.  $CCS^{dp}$  semantics avoids the unfolding of delay values into sequences of elementary steps, each consuming one time unit, thereby providing a formal foundation for *efficiently implementing* real-time semantics. The soundness and completeness of this technique is proved by establishing a *one-to-one correspondence* between  $CCS^{dp}$  and  $CCS^{rt}$  semantics in terms of *bisimulation* [27] and *temporal logics* [10]. It is important to note that our approach does not abstract away any aspects of real-time. Thus, all quantitative timing explicit in  $CCS^{rt}$  semantics can still be analyzed within  $CCS^{dp}$  semantics.

The utility of our technique is shown by means of a real-world example, namely modeling and verifying several aspects of the *bus protocol* of the *Small Computer System Interface* (SCSI), a protocol used in many of today's computers. The protocol's model is derived from the official ANSI standard [1], where real-time delays are recommended for implementing synchronization constraints as well as for ensuring correct behavior in the presence of signal glitches. An accurate model of the SCSI-2 bus-protocol thus requires to consider real-time. To this end, we model the protocol in the syntax common to both  $CCS^{rt}$  and  $CCS^{dp}$ . We then generate the state spaces according to both semantics and show that the size of our model is an order of magnitude smaller in  $CCS^{dp}$  semantics than in  $CCS^{rt}$  semantics. The modeling of the protocol was carried out in the *Concurrency Workbench of North Carolina* [16], CWB-NC, a tool for analyzing and verifying concurrent systems. In order to testify to the accuracy of our modeling, we extract several mandatory properties of the bus protocol and specify them in the *modal*  $\mu$ -calculus [24]. We then use the *local model checker* [4] integrated in the CWB-NC for automatically validating the properties under consideration.

The remainder of this paper is organized as follows. The next section presents our process-algebraic framework including the real-time process algebra CCS<sup>tt</sup> and the process algebra CCS<sup>dp</sup> with dynamic priority. The one-to-one relationship between CCS<sup>dp</sup> and CCS<sup>tt</sup> semantics is established in Section 3. An overview of the SCSI-2 bus and its protocol is given in Section 4, whereas Section 5 describes its modeling in our language. Some properties of the bus protocol are formalized and checked for our model in Section 6. The following section discusses our approach and compares it to related work. Section 8 contains our conclusions and directions for future work. Finally, the complete model of the bus protocol can be found in the appendix.

2. Process-Algebraic Framework. In this section we introduce the process algebra CCS<sup>rt</sup> inspired by [28] and develop the process algebra CCS<sup>dp</sup>, which has the same syntax but different semantics. Whereas CCS<sup>rt</sup> is an extension of CCS [27] in order to capture *discrete quantitative timing aspects* with respect to a single, global clock, CCS<sup>dp</sup> extends CCS by a concept of *dynamic priority*.

**2.1.** Syntax of our Language. The syntax of CCS<sup>tt</sup> and CCS<sup>dp</sup> differs from CCS by associating delay and priority values with actions, respectively. Moreover, we include the *disabling* operator [b], known from LOTOS [5], which allows for a more compact notation of the bus-protocol model. Formally, let  $\Lambda$  be a countable set of *action labels* or *ports*, not including the so-called *internal* or *unobservable* action  $\tau$ . With every  $a \in \Lambda$  we associate a *complementary action*  $\overline{a}$ . Intuitively, an action  $a \in \Lambda$  may be thought of as representing the receipt of an input on port a, while  $\overline{a}$  constitutes the deposit of an output on a. We define  $\overline{\Lambda} =_{df} {\overline{a} \mid a \in \Lambda}$  and take  $\mathcal{A}$  to denote the set of all actions  $\Lambda \cup \overline{\Lambda} \cup {\{\tau\}}$ . In what follows, we let  $a, b, \ldots$  range over  $\Lambda \cup \overline{\Lambda}$  and  $\alpha, \beta, \ldots$  over  $\mathcal{A}$ . Complementation is lifted to actions in  $\Lambda \cup \overline{\Lambda}$ , also called visible actions, by defining  $\overline{\overline{a}} =_{df} a$ . As in CCS an action a communicates with its complement  $\overline{a}$  to produce the internal action  $\tau$ . In our syntax actions are associated with *delay values*, or *priority values*, taken from the set of *natural numbers*  $\mathbb{N}$ . More precisely, the notation  $\alpha : k$ , where  $\alpha \in \mathcal{A}$  and  $k \in \mathbb{N}$ , specifies that action  $\alpha$  is ready for execution after a *minimum delay* of k time units or, respectively, that action  $\alpha$  *possesses (at most)*  priority k. In the priority interpretation, smaller numbers encode higher priority values; so 0 represents the highest priority. The syntax of our language is defined by the BNF

$$P ::= \mathbf{0} | x | \alpha: k.P | P+P | P[P | P|P | P[f] | P \setminus L | \mu x.P$$

where  $k \in \mathbb{N}$ , the mapping  $f : \mathcal{A} \to \mathcal{A}$  is a relabeling,  $L \subseteq \mathcal{A} \setminus \{\tau\}$  is a restriction set, and x is a variable taken from some countable domain  $\mathcal{V}$ . A relabeling f satisfies the properties  $f(\tau) = \tau$  and  $f(\overline{a}) = \overline{f(a)}$ . If  $f(\alpha_i) = \beta_i$  for  $1 \leq i \leq n$  and  $n \in \mathbb{N}$ , and  $f(\alpha) = \alpha$  for all  $\alpha \neq \alpha_i$ , where  $1 \leq i \leq n$ , we also write  $[\beta_1/\alpha_1, \beta_2/\alpha_2, \ldots, \beta_n/\alpha_n]$  for f. We adopt the usual definitions for free and bound variables, open and closed terms, and guarded recursion, and refer to the closed and guarded terms as processes [27]. The syntactic substitution of all free occurrences of variable x by term Q in term P is symbolized by P[Q/x], and syntactic equality by  $\equiv$ . Finally, we let  $\mathcal{P}$ , ranged over by  $P, Q, R, \ldots$ , denote the set of all processes.

2.2. Real-Time Semantics. This section introduces a real-time semantics to our language – in this context referred to as  $CCS^{rt}$  semantics – which explicitly represents timing behavior. Formally, the semantics of a process is defined by a *labeled transition system* which contains explicit *clock transitions* – each representing a delay of one time unit – as well as *action transitions*. With respect to clock transitions, the operational semantics is set up such that processes willing to communicate with some process running in parallel are able to wait until the communication partner is ready. However, as soon as it is available the communication has to take place, i.e., further idling is prohibited. This assumption is usually referred to as *maximal progress assumption* [29] or *synchrony hypothesis* [3] and employed in many successful specification languages, including *Statecharts* [19] and *Esterel* [3].

Formally, the labeled transition system for a process P is a four-tuple  $\langle \mathcal{P}, \mathcal{A} \cup \{1\}, \longmapsto, P \rangle$  where  $\mathcal{P}$  is the set of states,  $\mathcal{A} \cup \{1\}$  is the alphabet satisfying  $1 \notin \mathcal{A}, \longmapsto$  is the transition relation, and P represents the start state. The transition relation  $\longmapsto \subseteq \mathcal{P} \times (\mathcal{A} \cup \{1\}) \times \mathcal{P}$  is defined in Tables 2.1 and 2.2 using operational rules. For the sake of simplicity, let us use  $\gamma$  as a representative of  $\mathcal{A} \cup \{1\}$  and write  $P \stackrel{\gamma}{\longmapsto} P'$  instead of  $\langle P, \gamma, P' \rangle \in \longmapsto$ . We say that P may engage in transition  $\gamma$  and thereafter behave like process P'. If  $\gamma \equiv 1$ we speak of a clock transition, otherwise of an action transition. Sometimes it is convenient to abbreviate  $\exists P' \in \mathcal{P}. P \stackrel{\gamma}{\longmapsto} P'$  by  $P \stackrel{\gamma}{\longrightarrow}$ . In order to ensure maximal progress our semantics is set up in a way such that  $P \stackrel{\mu}{\longrightarrow}$  whenever  $P \stackrel{\tau}{\longleftarrow}$ , i.e., clock transitions are prevented as long as P can engage in internal computation.

TABLE 2.1 Operational semantics for  $CCS'^t$  – action transitions.

| Act $\xrightarrow{-} \alpha: 0.P \xrightarrow{\alpha} P$                                        | $\operatorname{Sum1} \frac{P \xrightarrow{\alpha} P'}{P + Q \xrightarrow{\alpha} P'}$                    | $\operatorname{Sum2} \frac{Q \xrightarrow{\alpha} Q'}{P + Q \xrightarrow{\alpha} Q'}$ | $\operatorname{Rec}  \frac{P[\mu x.P/x] \stackrel{\alpha}{\longmapsto} P'}{\mu x.P \stackrel{\alpha}{\longmapsto} P'}$                                |
|-------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|
| $Rel  \frac{P \stackrel{\alpha}{\longmapsto} P'}{P[f] \stackrel{f(\alpha)}{\longmapsto} P'[f]}$ | Dis1 $\xrightarrow{P \xrightarrow{\alpha} P'} P'$<br>$P \geqslant Q \xrightarrow{\alpha} P' \geqslant Q$ | Dis2 $\xrightarrow{Q \xrightarrow{\alpha} Q'} P \ \ Q \xrightarrow{\alpha} Q'$        | $Res  \frac{P \stackrel{\alpha}{\longmapsto} P'}{P \backslash L \stackrel{\alpha}{\longmapsto} P' \backslash L} \; \alpha \notin L \cup \overline{L}$ |
|                                                                                                 | $\operatorname{Com1} \frac{P \xrightarrow{\alpha} P'}{P   Q \xrightarrow{\alpha} P'   Q}$                | $\operatorname{Com2} \frac{Q \xrightarrow{\alpha} Q'}{P Q \xrightarrow{\alpha} P Q'}$ | $\operatorname{Com3} \frac{P \xrightarrow{a} P'  Q \xrightarrow{\overline{a}} Q'}{P Q \xrightarrow{\tau} P' Q'}$                                      |

Intuitively, process  $\alpha: k.P$ , where k > 0, may engage in a clock transition and then behave like process  $\alpha: (k-1).P$ . Process  $\alpha: 0.P$  performs an  $\alpha$ -transition to state P and, if  $\alpha \not\equiv \tau$ , it may also idle by performing

TABLE 2.2 Operational semantics for  $CCS^{rt}$  – clock transitions.

| tNil $\xrightarrow{-}$<br>$0 \xrightarrow{-} 0$                                                                         | tAct1 $\xrightarrow{-} a: 0.P \xrightarrow{1} a: 0.P$                                      | tAct2 $\xrightarrow{-} \alpha: k.P \xrightarrow{1} \alpha: (k-1).P$ $k > 0$                                                                                                |
|-------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| $tSum\; \frac{P \stackrel{1}{\longmapsto} P'  Q \stackrel{1}{\longmapsto} Q'}{P + Q \stackrel{1}{\longmapsto} P' + Q'}$ | tDis $\xrightarrow{P \mapsto P'  Q \mapsto Q'}{P  \mathbb{V} Q \mapsto P'  \mathbb{V} Q'}$ | $tCom \xrightarrow{P \stackrel{1}{\longmapsto} P'  Q \stackrel{1}{\longmapsto} Q'}{P Q \stackrel{1}{\longmapsto} P' Q'} P Q \stackrel{\overline{\gamma}}{\rightarrowtail}$ |
| tRec $\frac{P[\mu x.P/x] \stackrel{1}{\longmapsto} P'}{\mu x.P \stackrel{1}{\longmapsto} P'}$                           | tRel $\xrightarrow{P \mapsto P'}{P[f] \mapsto P'[f]}$                                      | tRes $\xrightarrow{P \stackrel{1}{\longmapsto} P'}{P \backslash L \stackrel{1}{\longmapsto} P' \backslash L}$                                                              |

a clock transition to itself. The summation operator + denotes non-deterministic choice, i.e., P + Q may either behave like P or Q. However, time has to proceed equally on both sides of summation. Hence, P + Qcan engage in a clock transition and delay the choice if and only if both P and Q can engage in a clock tick. Process  $P \triangleright Q$ , involving the disabling operator  $\triangleright$ , has the same semantics for clock transitions. For action transitions it behaves like P and, additionally, it is capable of disabling P by engaging in Q. The restriction operator  $\backslash L$  prohibits the execution of actions in  $L \cup \overline{L}$  and thus permits the scoping of actions. P[f] behaves exactly as P where actions are renamed by the relabeling f. Process P|Q stands for the parallel composition of P and Q according to an interleaving semantics with synchronous communication on complementary actions resulting in the internal action  $\tau$ . Similar to summation and disabling, P and Q must synchronize on clock transitions according to Rule (tCom). Its side condition ensures maximal progress, i.e., there is no pending communication between P and Q. Finally,  $\mu x. P$  denotes a recursive process that is a distinguished solution of the equation x = P. Our semantics satisfies the following properties.

PROPOSITION 2.1. Let  $P, P', P'' \in \mathcal{P}$ . Then: (i)  $P \xrightarrow{\tau}$  implies  $P \xrightarrow{1}$  [idling], (ii)  $P \xrightarrow{\tau}$  implies  $P \xrightarrow{1}$  [maximal progress], and (iii)  $P \xrightarrow{1} P'$  and  $P \xrightarrow{1} P''$  implies  $P' \equiv P''$  [time determinacy].

The validity of Part (i) is a consequence of the idling capability of **0** and  $\alpha : k.P$ , for k > 0 or  $\alpha \not\equiv \tau$ . Properties (ii) and (iii) can be checked by inductions on the structure of P and on the maximum of the depths of the derivation trees of  $P \stackrel{1}{\longmapsto} P'$  and  $P \stackrel{1}{\longmapsto} P''$ , respectively. For CCS<sup>rt</sup> a semantic theory based on *bisimulation* [27] has been developed. In this paper we restrict ourselves to *strong* bisimulation.

DEFINITION 2.2 (Temporal Bisimulation). A symmetric relation  $\mathcal{R} \subseteq \mathcal{P} \times \mathcal{P}$  is called temporal bisimulation if for every  $P' \in \mathcal{P}$ ,  $\langle P, Q \rangle \in \mathcal{R}$  and  $\gamma \in \mathcal{A} \cup \{1\}$  the following holds:  $P \xrightarrow{\gamma} P'$  implies  $\exists Q'. Q \xrightarrow{\gamma} Q'$  and  $\langle P', Q' \rangle \in \mathcal{R}$ . We write  $P \sim_{rt} Q$  if  $\langle P, Q \rangle \in \mathcal{R}$  for some temporal bisimulation  $\mathcal{R}$ .

The behavioral relation  $\sim_{rt}$ , which can be shown to be an equivalence, enjoys several pleasant properties. The most important one is the *congruence* property, which gives rise to *compositional reasoning* since it allows the substitution of "equals for equals" inside larger systems. Note that temporal bisimulation requires equivalent processes to match each others behavior exactly, including their timing behavior.

Unfortunately,  $CCS^{rt}$  semantics unfolds delay values into sequences of elementary time units, thereby creating many states. For example, process  $\alpha: k.0$  has k + 2 states, namely 0 and  $\alpha: l.0$  where  $0 \le l \le k$  (cf. Figure 3.1 in Section 3). It would be much more efficient if one could represent  $\alpha: k.0$  by a single transition labeled by  $\alpha: k$  leading to state 0. This compactification in the representation of state spaces of real-time

systems can be implemented by viewing k as a *priority value* assigned to  $\alpha$ . In other words, one may consider the delay value k as the *time stamp* of action  $\alpha$ . In the following we elaborate on this idea.

2.3. Dynamic-Priority Semantics. In order to formalize our intuition we present a new semantics for our language that uses a notion of priority taken from [11], generalized to a *multi-level* priority-scheme [26]. We refer to our process algebra as  $CCS^{dp}$  when interpreted with respect to the new semantics which, in contrast to classical approaches to priority, dynamically adjusts priorities along transitions. Intuitively, visible actions represent potential synchronizations that a process may be willing to engage in with its environment. Given a choice between a synchronization on a high priority and one on a low priority, a process should choose the former. Thus, high-priority  $\tau$ -actions pre-empt low-priority actions. The reason that high-priority visible actions do *not* have pre-emptive power over low-priority actions is that visible actions only indicate the *potential* of a synchronization, i.e., the potential of progress, whereas  $\tau$ -actions describe complete synchronizations, i.e., *real* progress, in our model. Formally, the  $CCS^{dp}$  semantics of a process *P* is given by a labeled transition system  $\langle \mathcal{P}, \mathcal{A} \times \mathbb{N}, \longrightarrow, P \rangle$ . The presentation of the operational rules defining the transition relation  $\rightarrow$  requires two auxiliary definitions.

TABLE 2.3Potential initial action sets.

| $\overline{\mathbf{I}^k\left(\alpha:l.P\right)} =_{\mathrm{df}} \left\{ \alpha \mid l \le k \right\}$ | $\mathbf{I}^{k}(\mu x.P) =_{\mathrm{df}} \mathbf{I}^{k}(P[\mu x.P/x])$             | $\mathbf{I}^{k}(P[f]) =_{\mathrm{df}} \{f(\alpha) \mid \alpha \in \mathbf{I}^{k}(P)\}$            |
|-------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------|
| $\mathbf{I}^{k}(P+Q) =_{\mathrm{df}} \mathbf{I}^{k}(P) \cup \mathbf{I}^{k}(Q)$                        | $\mathbf{I}^{k}(P \ \! \ \! \  \  \  \  \  \  \  \  \  \  \$                       | $\mathbf{I}^{k}(P \setminus L) =_{\mathrm{df}} \mathbf{I}^{k}(P) \setminus (L \cup \overline{L})$ |
| $\mathbf{I}^{k}(P Q) =_{\mathrm{df}} \mathbf{I}^{k}(P) \cup \mathbf{I}^{k}(Q) \cup$                   | $\{\tau \mid \mathbf{I}^{k}(P) \cap \overline{\mathbf{I}^{k}(Q)} \neq \emptyset\}$ |                                                                                                   |

First, we introduce potential initial action sets which are defined to be the smallest set satisfying the equations in Table 2.3. Intuitively,  $I^k(P)$  denotes the set of all potential initial actions of P having at least priority k. For convenience, we abbreviate  $\bigcup \{I^l(P) \mid l < k\}$  by  $I^{\leq k}(P)$ . If k > 0, it is easy to see that  $I^{\leq k}(P) = I^{k-1}(P)$ . It is also important that the potential initial action sets are defined independently from the transition relation  $\longrightarrow$ , so  $\longrightarrow$  is well-defined. The following proposition states that the definition of the potential initial action sets is faithful for internal actions, which is fundamental for encoding our desired notion of pre-emption. Its proof is analogue to one in [26] where similar definitions have been used for encoding the same notion of pre-emption within a multi-level static-priority framework.

PROPOSITION 2.3. For all  $P \in \mathcal{P}$  and  $\alpha: k \in \mathcal{A}$  we have:  $\tau \notin I^{\leq k}(P)$  if and only if  $\not\exists l < k. P \xrightarrow{\tau:l}$ .

|          | TABLE 2.4  |           |
|----------|------------|-----------|
| Priority | adjustment | function. |

| $[0]^k$            | $=_{\mathrm{df}}$ | $0, [x]^k =_{\mathrm{df}} x$  | $[P+Q]^k$          | $=_{\mathrm{df}}$ | $[P]^k + [Q]^k$    | $[P[f]]^k$          | $=_{\mathrm{df}}$ | $[P]^k[f]$          |
|--------------------|-------------------|-------------------------------|--------------------|-------------------|--------------------|---------------------|-------------------|---------------------|
| $[\alpha: l. P]^k$ | $=_{\mathrm{df}}$ | $\alpha : (l-k).P$ if $l > k$ | $[P [\![ Q ]\!]^k$ | $=_{\mathrm{df}}$ | $[P]^k \ [Q]^k$    | $[P \setminus L]^k$ | $=_{\mathrm{df}}$ | $[P]^k \setminus L$ |
| $[\alpha: l. P]^k$ | $=_{\mathrm{df}}$ | $\alpha : 0.P$ if $l \leq k$  | $[P Q]^k$          | $=_{\mathrm{df}}$ | $[P]^k \mid [Q]^k$ | $[\mu x.P]^k$       | $=_{\mathrm{df}}$ | $[P[\mu x.P/x]]^k$  |

As second auxiliary for presenting the transition relation we define a *priority adjustment function* as shown in Table 2.4. Intuitively, our semantics is set up in a way such that if one parallel component of a process engages in an action with priority k, then the priority values of all initial actions at other parallel

components are decreased by k, i.e., these actions become "more important." Thus, the semantics of parallel composition deploys a kind of fairness assumption, and priorities have a dynamic character. The priority adjustment function applied to a process P and a natural number k, denoted as  $[P]^k$ , returns a process term which is "identical" to P except that the priorities of its initial actions are decreased by k. The phrase "identical" does not mean syntactic equality but syntactic equality up to unfolding of recursion. Formally, we let  $\doteq$  stand for the smallest congruence which contains  $\equiv$  and satisfies the axiom  $\mu x.P \doteq P[\mu x.P/x]$ . Our semantics respects  $\doteq$ , i.e.,  $P \doteq Q$  and  $P \xrightarrow{\alpha:k} P'$  implies  $Q \xrightarrow{\alpha:k} Q'$  for some  $Q' \in \mathcal{P}$  satisfying  $P' \doteq Q'$ . In the remainder we use this fact silently and write  $P \xrightarrow{\alpha:k} P'$  if  $Q \xrightarrow{\alpha:k} Q'$  for some  $Q \doteq P$  and  $Q' \doteq P'$ .

| TABLE 2.5                    |     |                     |
|------------------------------|-----|---------------------|
| <b>Operational semantics</b> | for | CCS <sup>dp</sup> . |

| Act1 $\xrightarrow[\tau:k.P]{\tau:k} P$                                                                | $\operatorname{Sum1} \frac{P \xrightarrow{\alpha:k} P'}{P + Q \xrightarrow{\alpha:k} P'} \tau \notin \mathrm{I}^{$                          | $\operatorname{Sum2} \frac{Q \xrightarrow{\alpha:k} Q'}{P + Q \xrightarrow{\alpha:k} Q'} \tau \notin \mathrm{I}^{< k}(P)$                                                             |
|--------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Act2 $\xrightarrow{-}{a:k.P \xrightarrow{a:l} P} l \ge k$                                              | $Dis1 \ \frac{P \xrightarrow{\alpha:k} P'}{P  \mathbb{N}Q \xrightarrow{\alpha:k} P'  \mathbb{N}[Q]^k} \ \tau \notin \mathrm{I}^{\leq k}(Q)$ | Dis2 $\xrightarrow{Q \xrightarrow{\alpha:k} Q'} P \triangleright Q \xrightarrow{\alpha:k} Q' \tau \notin \mathbf{I}^{\leq k}(P)$                                                      |
| $\operatorname{Rec}  \frac{P[\mu x.P/x] \xrightarrow{\alpha:k} P'}{\mu x.P \xrightarrow{\alpha:k} P'}$ | $\operatorname{Com1} \frac{P \xrightarrow{\alpha:k} P'}{P Q \xrightarrow{\alpha:k} P' [Q]^k} \tau \notin \mathrm{I}^{\leq k}(P Q)$          | $Com2 \xrightarrow{Q \xrightarrow{\alpha:k} Q'}{P Q \xrightarrow{\alpha:k} [P]^k  Q'} \tau \notin \mathrm{I}^{\leq k}(P Q)$                                                           |
| $Rel  \frac{P \xrightarrow{\alpha:k} P'}{P[f] \xrightarrow{f(\alpha):k} P'[f]}$                        | $Res \ \ \frac{P \xrightarrow{\alpha:k} P'}{P \backslash L \xrightarrow{\alpha:k} P' \backslash L} \ \alpha \notin L \cup \overline{L}$     | $\operatorname{Com3} \frac{P \xrightarrow{\underline{a:k}} P'  Q \xrightarrow{\overline{a:k}} Q'}{P Q \xrightarrow{\underline{\tau:k}} P' Q'} \ \tau \notin \mathrm{I}^{\leq k}(P Q)$ |

The operational rules in Table 2.5 capture the following intuition. Process a:k.P may engage in action a with priority  $l \ge k$  yielding process P. The side condition  $l \ge k$  reflects that k does not specify an exact priority but the maximal priority of the initial transition of a:k.P. It may also be interpreted as *lower-bound* "timing constraint." Due to the notion of pre-emption incorporated in  $CCS^{dp}$ ,  $\tau:k.P$  may not perform the  $\tau$ -transition with a lower priority than k. Process P + Q may behave like P(Q) if Q(P) does not pre-empt it by being able to engage in a higher prioritized internal transition. Thus, pre-emption reflects implicit upper-bound "timing constraints." P|Q denotes the parallel composition of P and Q according to an interleaving semantics with synchronized communication on complementary actions of P and Q, both having the same priority k, which results in the internal action  $\tau$  that is attached with priority value k (cf. Rule (Com3)). The interleaving Rules (Com1) and (Com2) encode the dynamic behavior of priority values as explained above, with their side conditions implementing pre-emption. The operational semantics for disabling, restriction, relabeling, and recursion is as expected. The following proposition, which can be proved by structural induction, shows that our notion of pre-emption coincides with our intuition.

PROPOSITION 2.4. For all  $P \in \mathcal{P}$ ,  $\alpha \in \mathcal{A}$ , and  $k \in \mathbb{N}$  satisfying  $P \xrightarrow{\alpha:k}$  we have  $\tau \notin I^{\leq k}(P)$ .

As for  $CCS^{rt}$ , we may adapt a notion of strong bisimulation, referred to as *prioritized bisimulation* here. Prioritized bisimulation is an equivalence that contains  $\doteq$ ; a property which will be used without mentioning.

DEFINITION 2.5 (Prioritized Bisimulation). A symmetric relation  $\mathcal{R} \subseteq \mathcal{P} \times \mathcal{P}$  is called prioritized bisimulation if for every  $P' \in \mathcal{P}$ ,  $\langle P, Q \rangle \in \mathcal{R}$ ,  $\alpha \in \mathcal{A}$ , and  $k \in \mathbb{N}$  the following holds:  $P \xrightarrow{\alpha:k} P'$  implies  $\exists Q'. Q \xrightarrow{\alpha:k} Q'$  and  $\langle P', Q' \rangle \in \mathcal{R}$ . We write  $P \sim_{d_P} Q$  if  $\langle P, Q \rangle \in \mathcal{R}$  for some prioritized bisimulation  $\mathcal{R}$ .

2.4. Implementing CCS<sup>dp</sup> and CCS<sup>rt</sup> Semantics. For both process algebras, CCS<sup>dp</sup> and CCS<sup>rt</sup>, frontends for the Concurrency Workbench of North Carolina (CWB-NC) [16] have been created by using the Process Algebra Compiler (PAC) [13], a "meta-compiler" developed for interfacing the CWB-NC to new process algebras. Whereas the implementation of  $CCS^{dt}$  is straightforward, we needed some more effort regarding  $CCS^{dp}$ . The reason is that Rule (Act2) of CCS<sup>dp</sup> semantics gives rise to potentially infinite-branching transition systems since priority value l in its side condition ranges over all natural numbers greater or equal than k. Fortunately, this problem can be eliminated for all practical purposes. One possibility is to provide an upper bound upper reflecting the maximal priority value of any action occurring in the process under consideration. The validity of this solution stems from the fact that a higher priority value than upper has no effect on the process' semantics since priority values cannot be adjusted to a value below zero. This idea is refined in our implementation of CCS<sup>dp</sup> semantics as follows. Instead of choosing a value upper with respect to the *overall* process, we determine this value with respect to the *particular* system state in which the process under consideration is currently in. As a consequence, the number of transitions of a process according to CCS<sup>dp</sup> semantics is always less than or equal to the number of transitions with respect to CCS'<sup>t</sup> semantics. Finally, we want to point out that these solutions somehow touch on the compositionality of the implemented CCS<sup>dp</sup> semantics. If a system is combined with another one having a greater upper priority value, additional system behavior is possible. However, already computed parts of the semantics need not to be re-computed.

3. Relating CCS<sup>dp</sup> and CCS<sup>rt</sup> Semantics. In this section we show that CCS<sup>dp</sup> and CCS<sup>rt</sup> semantics are closely related. The underlying intuition is best illustrated by a simple example dealing with the prefixing operator. Figure 3.1 depicts the dynamic-priority and real-time semantics of the process a: k.0. Both transition systems intuitively reflect that the process a:k.0 must at least delay k times before it may engage in an a-transition. According to  $\mathsf{CCS}^{\mathsf{rt}}$  semantics, this process consecutively engages in k time steps passing the states a: (k-i).0, for 0 < i < k, before it may either continue idling in state a: 0.0 or engage in an a-transition to the inaction process **0**. Thus, time is explicitly part of states and made visible by clock transitions each representing a step of one time unit. In contrast, CCS<sup>dp</sup> semantics encodes a delay of at least k time units in transitions rather than in states. Hence, it just possesses the states a: k.0 and 0 connected via transitions labeled by a:l, for l > k. Although it seems at first sight that the price for saving intermediate states is to be forced to deal with infinite branching, an upper bound of l can be provided as discussed in the previous section. In our example this upper bound is k itself, since a delay by more than k time units only results in idling and does not enable new or disable existing system behavior. Therefore, the dynamic-priority transition system of a: k.0 just consists of the two states a: k.0 and 0 and a symbolic transition labeled by a:k, whereas the real-time transition system possesses k+2 states and k+2 transitions. This simple example clearly suggests that  $\mathsf{CCS}^{dp}$  semantics results in much more compact models than  $\mathsf{CCS}^{\mathsf{rt}}$ semantics.

The following paragraphs aim at proving a one-to-one correspondence between the two semantics such that  $CCS^{dp}$  semantics can be understood as an efficient encoding of  $CCS^{rt}$  semantics. To this end, one also needs to make sure that the notion of pre-emption employed in  $CCS^{dp}$  reflects the notion of maximal progress adopted in  $CCS^{rt}$ . Before making the relationship between both semantics precise we first state an important lemma whose last part presents the connection between clock transitions and the priority adjustment function. In this lemma, the symbol  $\stackrel{1}{\mapsto}{}^{k}$  stands for k consecutive clock transitions.

LEMMA 3.1. For all  $P, P' \in \mathcal{P}$  and all  $k, l \in \mathbb{N}$  the following holds: (i)  $[P]^0 \doteq P$  and  $[[P]^l]^k \doteq [P]^{k+l}$ , (ii)  $I^k([P]^l) = I^{k+l}(P)$ , and (iii)  $P \stackrel{1}{\longrightarrow} {}^kP'$  if and only if  $P' \doteq [P]^k$  and  $\tau \notin I^{\leq k}(P)$ .



FIG. 3.1. Relating CCS<sup>dp</sup> and CCS<sup>rt</sup> semantics.

*Proof.* Part (i) follows immediately from the definitions of the adjustment function and of  $\doteq$ . For the other parts let  $P, P' \in \mathcal{P}$  and  $k, l \in \mathbb{N}$ .

• Part (ii) is proved by induction on the structure of *P*.

1.  $P \equiv 0$ :  $\mathbf{I}^k([\mathbf{0}]^l) = \mathbf{I}^k(\mathbf{0}) = \emptyset = \mathbf{I}^{k+l}(\mathbf{0})$  by our definitions.

2. 
$$P \equiv \alpha : m.Q$$
:  

$$(definition of [\cdot]^{-}) = \begin{cases} I^{k}([\alpha : m.Q]^{l}) & \text{if } m > l \\ I^{k}(\alpha : (m-l).Q) & \text{if } m > l \\ I^{k}(\alpha : 0.Q) & \text{otherwise} \end{cases}$$

$$(definition of I^{-}(\cdot) \text{ and } k > 0) = \begin{cases} \{\alpha\} & \text{if } (m-l \leq k \text{ and } m > l) \text{ or } m \leq l \\ \emptyset & \text{otherwise} \end{cases}$$

$$= \begin{cases} \{\alpha\} & \text{if } m \leq k+l \\ \emptyset & \text{otherwise} \end{cases}$$

$$(definition of I^{-}(\cdot)) = I^{k+l}(\alpha : m.Q) \end{cases}$$

3. 
$$P \equiv Q_1 | Q_2$$
:

The other cases are easier to establish than the ones above and, therefore, are omitted. As a simple corollary, which is needed in the proof of Part (iii) and immediately follows from the definition of potential initial action sets, one may conclude  $I^{\leq k}([P]^l) = I^{\leq k+l}(P)$ , whenever k > 0.

- We prove Part (iii) by induction on k. The case k = 0 is trivial. Therefore, we directly consider the statement for k = 1. For the "only if"-direction one may observe that  $P \stackrel{1}{\longmapsto} P'$  implies  $P \stackrel{\overline{\gamma}}{\longrightarrow}$  by Proposition 2.1(ii), i.e.,  $\tau \notin I^{<1}(P)$ , by Proposition 2.3. Thus, it remains to establish that  $P' \doteq [P]^1$ , for which we use structural induction on P.
  - 1.  $P \equiv \alpha : k.Q : \alpha : k.Q \xrightarrow{1} P'$  implies k > 0 or  $(k = 0 \text{ and } \alpha \not\equiv \tau)$  according to  $\mathsf{CCS}^{\mathsf{rt}}$  semantics. In the former case we have  $P' \equiv \alpha : (k-1).Q \doteq [\alpha : k.Q]^1$  by the definition of the adjustment function. In the latter case we obtain  $P' \equiv \alpha : 0.Q \doteq [\alpha : k.Q]^1$ , as desired.
  - 2.  $P \equiv Q_1|Q_2: Q_1|Q_2 \xrightarrow{1} P'$  implies  $Q_1 \xrightarrow{1} Q'_1, Q_2 \xrightarrow{1} Q'_2$ , and  $P' \equiv Q'_1|Q'_2$  for some  $Q'_1, Q'_2 \in \mathcal{P}$ . By induction hypothesis we may conclude  $Q'_1 \doteq [Q_1]^1$  and  $Q'_2 \doteq [Q_2]^1$ . Hence,  $P' \equiv Q'_1|Q'_2 \doteq [Q_1]^1|[Q_2]^1 \equiv [Q_1|Q_2]^1$  by the definition of the adjustment function.

The other cases follow by similar reasoning. For the "if"-direction let  $\tau \notin I^{\leq 1}(P)$ , i.e.,  $P \stackrel{\tau}{\to}$  by Proposition 2.3. Hence,  $P \stackrel{1}{\to} P'$  for some  $P' \in \mathcal{P}$  according to Proposition 2.1(i). Moreover, we have  $P' \doteq [P]^1$  by the "only if"-direction of this proof part.

For the induction step let k > 1. Then, we have  $P \vdash^{1} \downarrow^{k+1} P'$  if and only if  $P \vdash^{1} P'' \vdash^{1} k P'$  for some  $P'' \in \mathcal{P}$ . By induction hypothesis and Part (iii) for k = 1 this is exactly the case if and only if  $P' \doteq [P'']^k$ ,  $\tau \notin I^{\leq k}(P'')$ ,  $P'' \doteq [P]^1$ , and  $\tau \notin I^{\leq 1}(P)$ , i.e.,  $P' \doteq [P]^{k+1}$  and  $\tau \notin I^{\leq k+1}(P)$  by Parts (i) and (ii), respectively.

This finishes the proof of the lemma.  $\square$ 

Now, we are able to state and prove a main result.

PROPOSITION 3.2 (One-to-one Correspondence). Let  $P, P' \in \mathcal{P}$  and  $\alpha : k \in \mathcal{A} \times \mathbb{N}$ . Then  $P \xrightarrow{\alpha:k} P'$  if and only if  $\exists P'' \in \mathcal{P}$ .  $P \stackrel{1}{\longmapsto} {}^{k}P'' \stackrel{\alpha}{\longmapsto} P'$ .

*Proof.* Let  $P, P' \in \mathcal{P}$  and  $k \in \mathbb{N}$ . According to Lemma 3.1(iii), it is sufficient to show that  $[P]^k \xrightarrow{\alpha} P'$  and  $\tau \notin I^{\leq k}(P)$  if and only if  $P \xrightarrow{\alpha:k} P'$ . The proof is done by induction on the structure of P.

- 1.  $P \equiv 0$ : Here, our statement trivially holds since **0** cannot engage in any transition.
- 2.  $P \equiv \alpha : l.P'$ : According to CCS<sup>rt</sup> semantics,  $[\alpha : l.P']^k \xrightarrow{\alpha} P'$  is valid if  $[\alpha : l.P']^k \doteq \alpha : 0.P'$ , which is exactly the case if  $k \ge l$ . Since  $\tau \notin I^{\leq k}(P)$  we know k = l if  $\alpha \equiv \tau$ . Hence,  $\alpha : l.P' \xrightarrow{\alpha : k} P'$  by CCS<sup>dp</sup> semantics. Reversely,  $\alpha : l.P' \xrightarrow{\alpha : k} P'$  implies  $k \ge l$ , if  $\alpha \not\equiv \tau$ , and k = l, otherwise, according to CCS<sup>dp</sup> semantics. Thus,  $[\alpha : l.P']^k \equiv \alpha : 0.P'$  and  $\alpha : 0.P' \xrightarrow{\alpha} P'$  by the definitions of the adjustment function and of CCS<sup>rt</sup> semantics. Finally,  $\tau \notin I^{\leq k}(\alpha : l.P')$  since  $\alpha \equiv \tau$  implies k = l.
- 3.  $P \equiv Q_1 + Q_2$ : By CCS<sup>rt</sup> semantics, the definitions of the adjustment function and of potential initial action sets, and Proposition 2.4 we obtain  $[Q_1 + Q_2]^k \equiv [Q_1]^k + [Q_2]^k \xrightarrow{\alpha} P'$  and  $\tau \notin \mathbf{I}^{\leq k}(Q_1 + Q_2)$  if and only if  $([Q_1]^k \xrightarrow{\alpha} P' \text{ or } [Q_2]^k \xrightarrow{\alpha} P')$  and  $\tau \notin \mathbf{I}^{\leq k}(Q_1) \cup \mathbf{I}^{\leq k}(Q_2)$ . By induction hypothesis and Proposition 2.4 this is exactly the case if  $(Q_1 \xrightarrow{\alpha:k} P' \text{ and } \tau \notin \mathbf{I}^{\leq k}(Q_2))$  or  $(Q_2 \xrightarrow{\alpha:k} P' \text{ and } \tau \notin \mathbf{I}^{\leq k}(Q_1))$ , which holds if and only if  $Q_1 + Q_2 \xrightarrow{\alpha:k} P'$  according to CCS<sup>dp</sup> semantics.
- 4.  $P \equiv Q_1 | Q_2$ : Let  $[Q_1 | Q_2]^k \equiv [Q_1]^k | [Q_2]^k \xrightarrow{\alpha} P'$  (already exploiting the definition of the adjustment function) and  $\tau \notin I^{\leq k}(Q_1 | Q_2)$ . According to the semantics for parallel composition, we may split this case into the following three sub-cases.
  - (a)  $[Q_1]^k \xrightarrow{\alpha} Q'$  for some  $Q' \in \mathcal{P}$  and  $P' \equiv Q' | [Q_2]^k$ . Since  $\tau \notin I^{\leq k}(Q_1|Q_2)$  implies  $\tau \notin I^{\leq k}(Q_1)$  by the definition of potential initial action sets, we may apply the induction hypothesis to conclude  $Q_1 \xrightarrow{\alpha:k} Q'$ . This is exactly the case if  $Q_1|Q_2 \xrightarrow{\alpha:k} Q'| [Q_2]^k \equiv P'$  according to  $\mathsf{CCS}^{\mathsf{dp}}$  semantics and the fact that  $\tau \notin I^{\leq k}(Q_1|Q_2)$ .
  - (b)  $[Q_2]^k \xrightarrow{\alpha} Q'$  for some  $Q' \in \mathcal{P}$  and  $P' \equiv [Q_1]^k | Q'$ . This case can be shown in a symmetric fashion to the previous one.
  - (c)  $\alpha \equiv \tau$ ,  $[Q_1]^k \xrightarrow{a} Q'_1$ , and  $[Q_2]^k \xrightarrow{\overline{\alpha}} Q'_2$  for some  $a \in \mathcal{A} \setminus \{\tau\}$  and  $Q'_1, Q'_2 \in \mathcal{P}$  such that  $P' \equiv Q'_1|Q'_2$ . Because of the premise  $\tau \notin I^{\leq k}(Q_1|Q_2)$  we know  $\tau \notin I^{\leq k}(Q_1)$  and  $\tau \notin I^{\leq k}(Q_2)$ . Thus, the induction hypothesis implies  $Q_1 \xrightarrow{a:k} Q'_1$  and  $Q_2 \xrightarrow{\overline{\alpha}:k} Q'_2$ , and also  $\tau \notin I^{\leq k}(Q_1|Q_2)$ . According to  $\mathsf{CCS}^{\mathsf{dp}}$  semantics, this is equivalent to  $Q_1|Q_2 \xrightarrow{\tau:k} Q'_1|Q'_2 \equiv P'$ , as desired.

The remaining cases are easier to establish and, therefore, are omitted.  $\square$ 

This proposition explicitly reflects our intuition of the meaning of a natural number attached to an action in both calculi. Whereas in  $CCS^{rt}$  we interpret  $\alpha:k$  as the action  $\alpha$  which is enabled after a *delay* of (at least) k time units, the value k indicates the level of *urgency* of  $\alpha$  in  $CCS^{dp}$ .

**3.1. Bisimulation Correspondence.** The correspondence between  $CCS^{dp}$  and  $CCS^{rt}$  semantics reflected in Proposition 3.2 is the key for proving the next theorem.

THEOREM 3.3 (Bisimulation Correspondence). Let  $P, Q \in \mathcal{P}$ . Then  $P \sim_{dp} Q$  if and only if  $P \sim_{rt} Q$ .

Proof. We first prove the "if"-direction by showing  $\sim_{\mathbf{rt}}$  to be a prioritized bisimulation. Let  $P, P', Q \in \mathcal{P}$ ,  $\alpha \in \mathcal{A}$ , and  $k \in \mathbb{N}$  satisfying  $P \xrightarrow{\alpha:k} P'$ . By Proposition 3.2 we may conclude the existence of some  $P'' \in \mathcal{P}$  such that  $P \xrightarrow{1} {k} P'' \xrightarrow{\alpha} P'$ . Since  $P \sim_{\mathbf{rt}} Q$  there exist some  $Q', Q'' \in \mathcal{P}$  satisfying  $Q \xrightarrow{1} {k} Q'' \xrightarrow{\alpha} Q'$ ,  $P'' \sim_{\mathbf{rt}} Q''$ , and  $P' \sim_{\mathbf{rt}} Q'$ , which can be formally derived by a straightforward induction on k and the definition of  $\sim_{\mathbf{rt}}$ . Proposition 3.2 now implies  $Q \xrightarrow{\alpha:k} Q'$ , as desired. For the "only if"-direction it is sufficient to show that  $\mathcal{R}_t =_{\mathrm{df}} \{\langle [P]^k, [Q]^k \rangle \mid P \sim_{\mathrm{dp}} Q, \ \tau \notin \mathrm{I}^{\leq k}(P), \ \tau \notin \mathrm{I}^{\leq k}(Q)$ , and  $k \in \mathbb{N}\}$  is a temporal bisimulation. Note that  $\langle P, Q \rangle \in \mathcal{R}_t$  by choosing k = 0 (cf. Lemma 3.1(i) and the fact that  $\mathrm{I}^{\leq 0}(\cdot) = \emptyset$ ). Let  $\langle [P]^k, [Q]^k \rangle \in \mathcal{R}_t$  for some arbitrary  $k \in \mathbb{N}$ , i.e.,  $P \sim_{\mathrm{dp}} Q, \ \tau \notin \mathrm{I}^{\leq k}(P)$ , and  $\tau \notin \mathrm{I}^{\leq k}(Q)$ .

First, consider  $[P]^k \xrightarrow{\alpha} P'$  for some  $P' \in \mathcal{P}$ . Because of  $\tau \notin I^{\leq k}(P)$  we conclude  $P \xrightarrow{1} P' [P]^k \xrightarrow{\alpha} P'$  by Lemma 3.1(iii). Hence,  $P \xrightarrow{\alpha:k} P'$  according to Proposition 3.2. Since  $P \sim_{dp} Q$  we know of the existence of some  $Q' \in \mathcal{P}$  such that  $Q \xrightarrow{\alpha:k} Q'$  and  $P' \sim_{dp} Q'$ . Now, we use Proposition 3.2 and Lemma 3.1(iii) again in order to obtain  $[Q]^k \xrightarrow{\alpha} Q'$ . Moreover,  $\langle [P']^0, [Q']^0 \rangle \in \mathcal{R}_t$  can be derived from  $P' \sim_{dp} Q'$ , as desired.

Second, let  $[P]^k \xrightarrow{1} P'$  for some  $P' \in \mathcal{P}$ . Hence,  $[P]^k \xrightarrow{\mathcal{P}}$  by Proposition 2.1(ii), i.e.,  $\tau \notin I^{<1}([P]^k) = I^{<k+1}(P)$  by Proposition 2.3 and Lemma 3.1(ii), and  $P' \doteq [P]^{k+1}$  by Lemmas 3.1(i) and 3.1(ii). From the first case we know  $[Q]^k \xrightarrow{\mathcal{P}}$ , i.e.,  $\tau \notin I^{<1}([Q]^k) = I^{<k+1}(Q)$  according to Proposition 2.3 and Lemma 3.1(ii). Now, Lemma 3.1(ii) is applicable, and  $[Q]^k \xrightarrow{1} [[Q]^k]^1 \doteq [Q]^{k+1}$  holds by Lemma 3.1(i). Moreover,  $\langle [P]^{k+1}, [Q]^{k+1} \rangle \in \mathcal{R}_t$  by the definition of  $\mathcal{R}_t$ , which finishes the proof.  $\Box$ 

As a consequence of this result, prioritized and temporal bisimulation possess the same algebraic properties. Especially, we may conclude that prioritized bisimulation is a congruence.

**3.2. Logical Correspondence.**  $CCS^{dp}$  and  $CCS^{rt}$  semantics are logically related, too. This correspondence can be formally established by using a variant of the *modal*  $\mu$ -calculus [24] as temporal logic. Its syntax is defined by the following BNF, which uses a set of variables  $\mathcal{V}_{\mu}$  with  $X \in \mathcal{V}_{\mu}$ .

$$\Phi ::= tt \mid X \mid \neg \Phi \mid \Phi \land \Phi \mid \langle \alpha : k \rangle \Phi \mid \mu X. \Phi$$

Formulas are also required to satisfy the following additional constraint: in  $\mu X$ .  $\Phi$  every occurrence of X in  $\Phi$  must be inside an even number of negations. Moreover, we define some dual operators:  $ff =_{df} \neg tt$ ,  $\Phi_1 \lor \Phi_2 =_{df} \neg (\neg \Phi_1 \land \neg \Phi_2)$ ,  $[\alpha:k] \Phi =_{df} \neg \langle \alpha:k \rangle (\neg \Phi)$ , and  $\nu X . \Phi =_{df} \neg \mu X . (\neg \Phi[\neg X/X])$ , where  $[\neg X/X]$  denotes the substitution of all free occurrences of X by  $\neg X$ . We also introduce the following abbreviations, where  $L \subseteq \mathcal{A} \times \mathbb{N}$ :  $\langle L \rangle \Phi =_{df} \bigvee \{ \langle \alpha:k \rangle \Phi \mid \alpha:k \in L \}$ ,  $\langle - \rangle \Phi =_{df} \langle \mathcal{A} \times \mathbb{N} \rangle \Phi$ ,  $\langle -L \rangle \Phi =_{df} \langle (\mathcal{A} \times \mathbb{N}) \setminus L \rangle \Phi$ ,  $[L]^{\infty} \Phi =_{df} \nu X . (\Phi \land [L]X)$ , and  $\langle L \rangle^* \Phi =_{df} \mu X . (\Phi \lor \langle L \rangle X)$ . Finally, we let  $\mathcal{F}$  denote the set of all formulas.

The semantics  $\{\Phi\}$  of a  $\mu$ -calculus formula  $\Phi$  is defined with respect to an environment  $\sigma : \mathcal{V}_{\mu} \longrightarrow 2^{\mathcal{P}}$ which maps variables to sets of processes. Intuitively,  $\{\Phi\}(\sigma)$  denotes the set of all processes that satisfy  $\Phi$ under the environment  $\sigma$ . Formally, the semantic mapping  $\{\cdot\} : (\mathcal{F} \times \mathcal{E}) \longrightarrow 2^{\mathcal{P}}$ , where  $\mathcal{E}$  stands for the set of all environments, is inductively defined over the structure of formulas, as shown in Table 3.1. If  $\Phi$  is a closed formula, its semantics is independent of the environment. In this case, we simply write  $\{\Phi\}$  instead of  $\{\Phi\}(\sigma)$ . We say that the process P satisfies property  $\Phi$  if  $P \in \{\Phi\}$ . Intuitively, formula tt is satisfied by every process, and the Boolean operators are interpreted as usual. The formula  $\langle \alpha : k \rangle \Phi$  is satisfied by those processes that have an  $\alpha : k$ -successor for which  $\Phi$  holds. Finally,  $\mu X \cdot \Phi$  stands for the least solution of the

TABLE 3.1 Semantics of the modal  $\mu$ -calculus.

| ${tt}(\sigma)$         | $=_{\rm df}$      | $\mathcal{P}$                                        | $\{\Phi_1 \land \Phi_2\}(\sigma)$               | $=_{\rm df}$      | $\{\Phi_1\}(\sigma) \cap \{\Phi_2\}(\sigma)$                                                                               |
|------------------------|-------------------|------------------------------------------------------|-------------------------------------------------|-------------------|----------------------------------------------------------------------------------------------------------------------------|
| ${X}(\sigma)$          | $=_{\mathrm{df}}$ | $\sigma(X)$                                          | $\{\!\langle \alpha\!:\!k\rangle\Phi\}(\sigma)$ | $=_{\rm df}$      | $\{P \in \mathcal{P} \mid \exists P' \in \mathcal{P} . P \xrightarrow{\alpha:k} P' \text{ and } P' \in \{\Phi\}(\sigma)\}$ |
| $\{\neg\Phi\}(\sigma)$ | $=_{\rm df}$      | $\mathcal{P} \setminus \{\!\!\{\Phi\}\!\!\}(\sigma)$ | $\{\mu X.\Phi\}(\sigma)$                        | $=_{\mathrm{df}}$ | $\bigcap \{ \mathcal{P}' \subseteq \mathcal{P} \mid \{ \Phi \} (\sigma[\mathcal{P}'/X]) \subseteq \mathcal{P}' \}$         |

equation  $X = \Phi$  with respect to the Boolean lattice where ff is smaller than tt. On the basis of the above definitions one can deduce that a process P satisfies  $[\alpha:k]\Phi$  if all its  $\alpha:k$ -derivatives satisfy  $\Phi$ , and it satisfies  $[L]^{\infty}\Phi$  if along every process reachable from P via a sequence of transitions labeled with elements of L, the formula  $\Phi$  is valid. Similarly,  $\langle L \rangle^* \Phi$  holds for a process if some sequence of transitions with labels drawn from L leads to a process satisfying  $\Phi$ . For CCS<sup>rt</sup> a version of the  $\mu$ -calculus can be obtained by defining the semantics of  $\langle \alpha:k \rangle \Phi$  as  $\{P \in \mathcal{P} \mid \exists P', P'' \in \mathcal{P}. P \stackrel{1}{\longmapsto}{}^k P'' \stackrel{\alpha}{\longrightarrow} P'$  and  $P' \in \{\Phi\}(\sigma)\}$ . As an important result, processes satisfy the same formulas, independently if those are interpreted for CCS<sup>dp</sup> or CCS<sup>rt</sup> semantics.

THEOREM 3.4 (Logical Correspondence). Let  $\Phi \in \mathcal{F}$  and  $\sigma \in \mathcal{E}$ . Then  $\{\Phi\}_{dp}(\sigma) = \{\Phi\}_{rt}(\sigma)$ .

*Proof.* The proof is done by induction on the structure of formula  $\Phi$ . The induction base  $\Phi \equiv tt$  holds trivially. In the following, we consider the case  $\Phi \equiv \langle \alpha : k \rangle \Psi$  of the induction step.

$$\{ \langle \alpha : k \rangle \Psi \}_{dp}(\sigma)$$

$$(definition of \{\cdot\}_{dp}) = \{ P \in \mathcal{P} \mid \exists P' \in \mathcal{P}. P \xrightarrow{\alpha:k} P' \text{ and } P' \in \{\Psi\}_{dp}(\sigma) \}$$

$$(induction hypothesis) = \{ P \in \mathcal{P} \mid \exists P' \in \mathcal{P}. P \xrightarrow{\alpha:k} P' \text{ and } P' \in \{\Psi\}_{rt}(\sigma) \}$$

$$(Proposition 3.2) = \{ P \in \mathcal{P} \mid \exists P', P'' \in \mathcal{P}. P \xrightarrow{\mu} P' \text{ and } P' \in \{\Psi\}_{rt}(\sigma) \}$$

$$(definition of \{\cdot\}_{rt}) = \{ \langle \alpha:k \rangle \Psi \}_{rt}(\sigma)$$

The other cases of the induction step are straightforward.  $\Box$ 

Hence, properties of processes interpreted with respect to  $CCS^{dp}$  semantics also hold in the  $CCS^{rt}$  interpretation, and vice versa. It is worth noting that by leaving out the fixed point operator  $\mu X$  we obtain versions of the so called *Hennessy-Milner logic* which characterizes bisimulation [27]. Since the logical characterizations of our bisimulations are not of importance here, we do not investigate them further.

4. Case Study: The SCSI-2 Bus-Protocol. We demonstrate the utility of our approach to implementing real-time semantics using dynamic priorities by a case study dealing with the *bus protocol* of the widely-used *Small Computer System Interface* [1], or *SCSI* for short. The *SCSI bus* is designed to provide an efficient peer-to-peer I/O connection for peripheral devices such as disks, tapes, printers, etc. It usually connects several of these devices with one *host adapter* which often resides on a computer's motherboard. In contrast to the host adapter, peripherals are not attached directly to the bus but via *controllers*, also called *logical units* (LUNs). Thus, LUNs provide a physical and logical interface between the bus and the peripherals. Conceptually, up to seven LUNs can be connected to one bus, and one LUN can support up to seven peripherals. However, in practice most peripherals contain their own SCSI controller (cf. Figure 4.1). The *SCSI-2 bus-protocol* implements the logics regulating how peripherals and the host adapter communicate with each other on the bus. Communication on the SCSI bus is point-to-point, i.e., at any time either none or exactly two LUNs may communicate among each other. For easy addressing, each LUN is assigned a fixed SCSI id in form of a number ranging from zero to seven. Id 0 is reserved for the host adapter which is also, conceptually, a LUN. Communication on the bus is organized by the use of eight signal lines whereas the actual information, like *messages*, *commands*, *data*, and *status information*, are transferred over a data bus.



FIG. 4.2. Usual progression of the SCSI-2 bus-phases.

The SCSI-2 bus-protocol is organized in eight distinct phases: Bus Free, Arbitration, Selection, Reselection, Command, Data, Status, and Message phase. At any given time, the SCSI bus is exactly in one phase. The usual progression of phases is shown in Figure 4.2. During the Bus Free phase no device is in possession of the bus, i.e., LUNs may request access. If more than one device competes for the bus in order to initiate a communication, the one with the highest SCSI id is granted access. In the Arbitration phase, every LUN that has posed a request determines if it has won the competition. All LUNs which lose may compete for the bus again later, whereas the winner, also referred to as *initiator*, proceeds to the Selection phase. In this phase the initiator tries to connect to the desired destination, called *target*. When the link between initiator and target has been established, the so-called *information transfer phases*, including the Command, the Data, the Status, and the Message phases are entered. In the Command phase the target may request a command from the initiator. Data may be transferred between target and initiator in the Data phase. During a Message phase information is exchanged between the initiator and the target concerning the bus protocol itself. Finally, the Status phase is used to transfer status information to the initiator upon completion of a command executed by the target. The key idea for accelerating communication on the bus, which has significantly contributed to the success of SCSI, is that the target can free the bus whenever it receives a time-intensive command from the initiator. As soon as the execution of such a command is finished, the target competes for the bus in order to transmit the result to the former initiator. As a simple example, one may think of the initiator as the host adapter, of the target as a hard disk, and of the command as the request to read a certain block from that hard disk. Since accessing hard disks takes some time, the bus can be used for other purposes until the requested block is found and its data is ready for transmission.

5. Modeling the SCSI-2 Bus-Protocol. In this section we model the SCSI-2 bus-protocol in our language as implemented in the CWB-NC. Its syntax slightly departs from the one introduced in Section 2 by writing nil for the inaction process 0, proc x = P for the term  $\mu x.P$ , and 'a:k for  $\overline{a}:k$ . Moreover, we use the notation  $\alpha(obs):k$  which may be interpreted as  $\alpha:k$  in this section. Actions obs come into play in the next section where they serve as "probes" for verification purposes.

For modeling the SCSI-2 bus-protocol we have imposed some assumptions. First, we restrict ourselves to modeling two LUNs, called LUNO and LUN1, having id 0 and id 1, respectively. This is sufficient for dealing with the aspects of the SCSI-2 bus-protocol we are interested in. Note that even in the situation of two LUNs there exists competition for the bus. Moreover, we abstract from timeout procedures and from the contents of most messages, commands, and data. These abstractions are justified since they do not affect the conceptual parts of the bus protocol's behavior. For example, the sole purpose of a timeout is to determine if a target is alive or not. The contents of information sent over the bus, except from messages representing the completion of some transmission, are only relevant for the device-specific part of LUNs but not for the bus protocol itself. Additionally, the bus signals BSY (*busy*) and SEL (*select*) are *wired-or* signals in reality. However, we do not need to model this "or"-behavior, since our model only deals with two LUNs, and just one LUN at a time can assert the BSY or SEL signal. Finally, all quantitative timing information occurring in the model is measured relative to a time unit of 5 ns, including *arbitration delays* (480 time units), *bus clear delays* (160 time units), *bus settle delays* (80 time units), *deskew delays* (9 time units), and *cable skew delays* (9 time units).

The underlying structure of the bus protocol is explicitly reflected in our model. Each LUN connected to the bus is modeled as a separate parallel component containing models of the different bus phases as discussed in the previous section. The logical behavior of the bus protocol is implemented by bus signals. Each signal physically consists of a wire which we model as a separate process similar to a global Boolean variable. Note that signal delays are not modeled in the wires but in the operations used for transmitting information over the SCSI bus. Since we abstract away the content of most information, we do not need to model each bit of the data bus. Hence, arbitration is modeled via a global variable which stores the highest id of all LUNs requesting access to the bus. Accordingly, our model, called SCSIBus, consists of the parallel composition of both LUNs, and the BusSignals, including the regular signals and the data path. Formally,

proc SCSIBus = (LUN0 | BusSignals | LUN1) \ Restriction

where **Restriction** contains all actions that are internal to the protocol, i.e., those concerned with setting/releasing signals, requesting signal status, and placing/reading information on/from the data bus.

5.1. Modeling the Bus Signals and the Data Bus. Conceptually, each bus signal is modeled as a Boolean variable which is either true (signal on) or false (signal off). Thus, the processes representing the signals BSY (busy), SEL (select), C/D (command/data), I/O (input/output), MSG (message), ATN (attention), REQ (request), and ACK (acknowledgment) are generically created by relabeling the actions of the process Off (cf. Table 5.1). Using the ports set and rel one can set or release the signal and, hereby, switch the state to On and Off, respectively. Actions 'off ('on) indicate that the signal is currently in state Off (On). Note that the atomicity of actions in process algebras guarantees that conflicts, arising by setting several signals simultaneously, are avoided.

In the following, we abstract away the contents of most messages. Only the distinguished messages disconnect and complete are explicitly considered since they require to exit the information transfer phases and to switch to the initial state of the LUN. Accordingly, we may model the data bus as a variable which can store and read out information (actions placeXXX and readXXX, respectively). The labels obsXXX are used to record the events of placing and reading messages on the bus.

For modeling arbitration we introduce the process Arbitrator which models a variable that stores the value of the highest id of all LUNs which compete for the bus. The situation in which no LUN wants to access the bus is captured by a special "undefined" state. Accordingly, the process Arbitrator possesses three

proc BusSignals = DataBus Arbitrator Off[setBSY/set,relBSY/rel,isBSY/on,noBSY/off] 0ff[setSEL/set,relSEL/rel,isSEL/on,noSEL/off] | ... proc Off 'off:0.0ff + set:0.0n + rel:0.0ff 'on:0.0n + set:0.0n + rel:0.0ff proc On = = DataBus' [> release(obsrelease):0.DataBus proc DataBus placemsgIn(obsplace):0.'readmsgIn(obsread):0.DataBus' proc DataBus' + placemsgOut(obsplace):0.'readmsgOut(obsread):0.DataBus' + placefinished(obsplace):0.'readfinished(obsread):0.DataBus' + placedata(obsplace):0.'readdata(obsread):0.DataBus' + placecmd(obsplace):0.'readcmd(obsread):0.DataBus' + placestatus(obsplace):0.'readstatus(obsread):0.DataBus' + sentdisconnect(obssentdiscon):0.'readdisconnect(obsreaddiscon):0.DataBus' + sentcomplete(obssentcomplete):0.'readcomplete(obsreadcomplete):0.DataBus' + writetarget0(obswritet0):0.'readtarget0(obsreadt0):0.DataBus' + writetarget1(obswritet1):0.'readtarget1(obsreadt1):0.DataBus' proc Arbitrator = Undef [> clear:0.Arbitrator = setid0:0.Id0 + setid1:0.Id1 + 'noid0:0.Undef + 'noid1:0.Undef proc Undef = setid0:0.Id0 + setid1:0.Id1 + 'isid0:0.Id0 + 'noid1:0.Id0 proc Id0 proc Id1 = setid0:0.Id1 + setid1:0.Id1 + 'noid0:0.Id1 + 'isid1:0.Id1

 TABLE 5.1

 Model of the bus signals, the data bus, and the arbitration variable.

states as shown in Table 5.1, called Undef, IdO, and Id1, respectively. One may set the variable to state Idk via port setidk whenever the current state of Arbitrator is either Undef or Idj for  $j \leq k$ . In other words, the variable always maintains its maximum value. However, it may be reset to its initial state Undef via port clear. In reality, the LUNs that want to compete for access broadcast their id on the data bus. Before acquiring the bus the LUN has to check if a higher id than its own is asserted. Modeling this technique one-to-one requires to implement the *n*-bit wide data bus, where *n* corresponds to the maximal number of LUNs attached to the bus. This induces a complexity of  $2^n$  states, compared to n + 1 states by our technique.

5.2. Modeling the Bus Phases for Connection Establishment. Let us focus on modeling the logical characteristics of the SCSI-2 bus-protocol (see Section 6 of [1]) for the initial bus phases handling connection establishment. In the Bus Free phase, no device is in possession of the bus; hence it is available for arbitration. The SCSI bus is defined to be in the Bus Free phase as soon as the signals SEL and BSY have been off for at least a bus settle delay. Accordingly, the process BusFreeO of LUNO detects the Bus Free phase when the actions isBSY and isSEL are absent for 80 time units (cf. Table 5.2). If one of the actions isBSY or isSEL is observed, the bus is occupied and LUNO returns to the start state. Otherwise, if the bus is free, the logical unit asserts the BSY signal (action 'setBSY) and sets the arbitration variable accordingly (action 'setidO), before it performs an arbitration delay and switches to the Arbitration phase.

TABLE 5.2Bus Free, Arbitration, and Selection phase.

| proc | LUNO                        | <pre>= t(start0):9.'relI0:0.(BusFree0 + GetSelected0) + t:9.LUN0 + t(start0):9.'setI0(obs_setI0):0.(BusFree0 + GetSelected0) + GetSelected0</pre>                                                                                       |
|------|-----------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| -    | BusFreeO<br>ArbitrateO      | <pre>= t(busfree):80.'setBSY(obs_setBSY):80.'setid0:0.Arbitrate0 + isSEL(obs_isSEL):0.LUN0 + isBSY(obs_isBSY):0.LUN0 = noid1(obs_winner_id0):480.'setSEL(obs_setSEL):0.Selection0 + isid1(obs_winner_id1):480.LUN0</pre>                |
| -    | Selection0<br>GetSelected0  | <pre>= 'writetarget1:240.'setATN:9.'relBSY(obs_relBSY):18.isBSY:80.<br/>'relSEL(obs_relSEL):9.t(begin_ITP):0.(noI0:0.Initiator0 + isI0:0.Target0)<br/>= isATN:0.( isSEL:0.noBSY:0.readtarget0:0.'setBSY(obs_setBSY):0.'release:0.</pre> |
| proc | Initiator0<br>HO<br>Target0 | <pre>= H0 [&gt; noBSY(obs_noBSY):0.'relATN:0.LUN0<br/>= t:9.'setATN(obs_setATN):9.H0<br/>+ isREQ(obs_isREQ):9.( noMSG:0.( noCD:0.(noI0:0.DataOutI0 + isI0:0.DataInI0)</pre>                                                             |

In the Arbitration phase a LUN, which competes for access to the bus, looks up if it has won the arbitration by checking whether no device having a higher id has asserted its id on the bus. Before the winner proceeds to the Selection phase, it asserts the SEL signal. All LUNs that have lost arbitration return to their initial states. The models of the Arbitration phase as well as of the Selection phase are presented in Table 5.2 for LUNO; the model of LUN1 is similar although the behaviors of LUN0 and LUN1 are not completely symmetric in the Arbitration phase. The asymmetries arise from the different priority values assigned to both devices. In the Arbitration phase, LUN0 has to check if LUN1 has set its id on the bus. If so, LUN0 has lost arbitration. However, LUN1 does not need to check if LUN0 has set its id on the bus since LUN0 is assigned to the lower SCSI id. Moreover, since we are assuming only two devices, there is no necessity for LUN1 to check any SCSI id asserted on the bus.

The Selection phase is distinguished from the Reselection phase by the de-asserted I/O signal. In the Selection phase the winning LUN, the initiator, tries to connect to the desired destination, the target, which is the logical unit LUN1 in the case of SelectionO. Therefore, it writes the id of the target on the data bus (action 'writetarget1) and asserts the ATN signal to force each device to check if it is the desired target. The initiator then waits for some deskew delays and releases the BSY signal. After a short delay it looks for a response from the target. If the BSY signal is asserted, the target has responded and taken over control of the bus protocol. In this case the initiator releases the SEL signal (action 'relSEL) and then behaves as InitiatorO, or as TargetO in case of the Reselection phase. If the ATN signal is asserted, each device verifies if the bus protocol is in the Selection or Reselection phase (cf. process GetSelectedO). Therefore, it checks the SEL signal (action isSEL) and waits until the initiator releases the BSY signal (action

| Table   | 5.3    |
|---------|--------|
| Command | phase. |

| proc CommandIO  | <pre>= isREQ:0.( 'placecmd:0.'setACK:9.noREQ:0.'release:0.'relACK:0.CommandI0</pre> |
|-----------------|-------------------------------------------------------------------------------------|
|                 | + 'placefinished:0.'setACK:9.noREQ:0.'release:0.'relACK:0.H0 )                      |
| proc CommandTO  | <pre>= 'relMSG:0.'setCD:0.'relIO(begin_Command):0.t(begin_Phase):0.CommandTO'</pre> |
| proc CommandTO' | <pre>= 'setREQ:0.isACK(obs_isACK):0.</pre>                                          |
|                 | <pre>( readcmd:0.'relREQ(obs_relREQ):0.noACK:0.CommandT0'</pre>                     |
|                 | + readfinished:0.'relREQ(obs_relREQ):0.noACK:0.t(end_Phase):0.                      |
|                 | (MsgOutTO + MsgInTO + DataOutTO + DataInTO + StatusTO) )                            |
|                 |                                                                                     |

'relBSY). Then it asserts the BSY signal (action 'setBSY), releases the data bus (action 'release), and re-initializes the arbitration variable (action 'clear) before behaving as Target0 or Initiator0.

After the Arbitration and (Re)Selection phases the target – the master of the bus protocol – proceeds to the MessageOut or MessageIn phase depending on whether it has been selected as target or whether it wants to re-connect to a former initiator, as indicated by the status of the IO signal (cf. Table 5.2). The initiator – the slave of the bus protocol – continuously checks the status of the signals MSG, C/D, and I/O in order to determine the next phase selected by the target. Moreover, it may indicate its wish to proceed to the MessageOut phase by asserting the ATN signal (action 'setATN). Finally, upon detection of the de-assertion of the BSY signal (action noBSY) caused by the target's expected or unexpected release of the SCSI bus, the initiator de-asserts the ATN signal (action 'relATN) and returns to its initial state.

5.3. Modeling the Information Transfer Phases. The processes Target0 and Initiator0 initiate the Information Transfer Phases (ITP) which subsume the Command, Data, Status, and Message phases. In those phases, information is exchanged between the initiator and the target. The Data and the Message phases are further divided in DataIn, DataOut, MessageIn, and MessageOut phases according to the direction of information flow. The "In" phases are concerned with transferring information from the target to the initiator whereas the "Out" phases are concerned with transferring information in the other direction. The information transfer takes place using a byte-wise handshake mechanism. In the following, we only explain the Command phase and its modeling (cf. Table 5.3). The complete model can be found in the appendix.

The Command phase is entered if the target intends to request a command from the initiator. The target indicates the Command phase by de-asserting the MSG and I/O signals and asserting the C/D signal. After waiting for a deskew delay the target requests a command from the initiator by setting the REQ signal (action 'setREQ). In the meantime, the initiator detects that the target has switched to the Command phase by observing the status of the MSG, C/D, and I/O signals (cf. process HO in Table 5.2). Upon detection of the asserted REQ signal (action isREQ) the initiator places the first byte of the command on the data bus (action 'placemd), waits for a deskew delay, and asserts the ACK signal (action 'setACK). After the target detects the asserted ACK signal (action isACK) it reads the command from the data bus (action readcmd) and releases the REQ signal (action 'relREQ). At this point the handshake procedure for receiving (the first byte of) the command is completed. Now, the initiator may release the data bus (action 'release) and the ACK signal (action 'relACK). If a command is longer than one byte, the bus may remain in the Command phase, and the handshake mechanism may be repeated, until the message *finished* (action readfinished) has been transferred. Note that in the real-world protocol the length of a command is encoded in its first byte.

6. Verifying the Bus-Protocol. In this section we specify several *safety* and *liveness* properties, which our model is expected to satisfy, in the *modal*  $\mu$ -calculus [24], and verify them by employing the *local model-checker* [4] integrated in the CWB-NC. The one-to-one correspondence between CCS<sup>dp</sup> and CCS<sup>rt</sup> semantics ensures that the properties, once being verified for the CCS<sup>dp</sup> model, hold for the CCS<sup>rt</sup> model, too. In order to construct the state spaces of our model we have run the CWB-NC on a SUN SPARC 20 workstation. Whereas the model has 62 400 states and 65 624 transitions according to CCS<sup>rt</sup> semantics, it possesses only 8 391 states and 14 356 transitions with respect to CCS<sup>dp</sup> semantics. This drastic saving in state space emphasizes the utility of using dynamic priorities for implementing discrete real-time semantics.

**6.1.** Properties of Interest. The following desired requirements of the SCSI-2 bus-protocol are extracted from the official ANSI document [1].

- Property 1: All bus phases are always reachable. This implies that the model is free of deadlocks.
- Property 2: Whenever a bus phase is entered, it is eventually exited.
- Property 3: The signals REQ and ACK do not change between two information transfer phases.
- Property 4: The signal BSY is on and the signal SEL is off during the information transfer phases.
- Property 5: Whenever a device sends a message, it is eventually received by the intended LUN.
- Property 6: Whenever the ATN signal is set, the bus eventually enters the MessageOut phase.

Note that the properties describe the functional behavior of the SCSI-2 bus-protocol rather than explicit realtime issues concerned with hard deadlines or response times. Therefore, we may abstract from delay/priority values in  $\mu$ -calculus formulas by replacing the operators  $\langle \alpha : k \rangle$  introduced in Section 3.2 by  $\langle \alpha \rangle$ . Semantically, we define  $\{\langle \alpha \rangle \Phi\}_{rt}(\sigma) =_{df} \{P \in \mathcal{P} \mid \exists P', P'' \in \mathcal{P}. P \stackrel{1}{\longrightarrow} *P'' \stackrel{\alpha}{\longrightarrow} P' \text{ and } P' \in \{\Phi\}_{rt}(\sigma)\}$  as well as  $\{\langle \alpha \rangle \Phi\}_{dp}(\sigma) =_{df} \{P \in \mathcal{P} \mid \exists P' \in \mathcal{P}, k \in \mathbb{N}. P \stackrel{\alpha:k}{\longrightarrow} P' \text{ and } P' \in \{\Phi\}_{dp}(\sigma)\}$ . An adaptation of Theorem 3.4 can easily be shown to hold for the modified temporal logics, too. Therefore, we can verify our properties of the SCSI-2 bus-protocol within the more compact CCS<sup>dp</sup> model and conclude that these are also valid for the CCS<sup>rt</sup> model. For notational convenience we introduce the following meta-formulas, where  $\alpha, \beta \in \mathcal{A}$ ,  $L \subseteq \mathcal{A}$ , and  $\Phi \in \mathcal{F}$ .

$$between(\alpha, \beta, \Phi) =_{df} \nu X.[\alpha](\nu Y.(\Phi \land [\beta]X \land [-\beta]Y)) \land [-\alpha]X$$
  
fair-follows(\alpha, \beta, L, \Phi) =\_{df} \nu X.[\alpha](\nu Y.\mu Z.(\Phi \land [\beta]X \land [L]Y \land [-(\{\beta\} \cup L)]Z)) \land [-\alpha]X

The meta-formula between $(\alpha, \beta, \Phi)$  states the following. On every path it is always the case that after  $\alpha$ , the formula  $\Phi$  is true at every state until  $\beta$  is seen. Note that  $\beta$  need not occur after  $\alpha$  since  $\beta$  only releases the requirement that  $\Phi$  be true at every state. The meta-formula fair-follows  $(\alpha, \beta, L, \Phi)$  encodes that on every path it is always the case that after  $\alpha$  is seen, either  $\Phi$  is always true until  $\beta$  is seen or  $\Phi$  is always true, and an action from L occurs infinitely often on the path. Note that on paths on which actions from L do occur infinitely often, action  $\beta$  has to appear eventually. Without this notion of fairness, which we use to encode, e.g., that messages transferred over the SCSI bus have finite length, some properties cannot be validated.

Unfortunately,  $CCS^{dp}$  and  $CCS^{dt}$  turn every visible action a or  $\overline{a}$  into the internal action  $\tau$  when communicating on port a. However, in order to prove any interesting property except deadlock, we have to observe certain actions of the system, e.g., those modeling the assertion and de-assertion of bus signals. Therefore, we attach to some actions a (either the input or the output action belonging to channel a) and the internal action  $\tau$  a visible action or *probe*  $\circ$ , thus leading to a complex action  $a(\circ)$ ,  $\overline{a}(\circ)$ , or  $\tau(\circ)$ , respectively. Whenever a transition labeled by  $a(\circ)$  ( $\overline{a}(\circ)$ ) synchronizes with a transition labeled by  $\overline{a}$  (a), the resulting  $\tau$  is annotated by  $\circ$ , i.e.,  $\tau(\circ)$  is produced. Hence, a communication on port a is immediately observed by probe o, as intended. Our model includes (i) the probes begin\_Phase and end\_Phase marking the beginning and end of each information transfer phase, respectively, (ii) the probes begin\_ph signaling the beginning of some particular phase ph, (iii) the probes obs\_place and obs\_read observing the writing and reading of information on/from the data bus, respectively, and (iv) the probes obs\_setSIG and obs\_relSIG indicating the assertion and de-assertion of some signal SIG, respectively. Now, the above properties can be formalized.

- Property 1: This property ensures that the model does not possess undesired livelocks, i.e., for each bus phase ph we consider the formula [-]<sup>∞</sup>⟨-⟩\*(⟨begin\_ph⟩tt).
- *Property 2:* We have to check for every path that probe begin\_Phase is eventually followed by probe end\_Phase before another begin\_Phase is observed.

fair-follows (begin\_Phase, end\_Phase, {obs\_setATN},  $\langle -\rangle tt$ ).

The fairness constraint ensures that the initiator does not ignore the target's wish to enter a new phase forever by continuously asserting the ATN signal.

• *Property 3:* We encode that on all paths the probes obs\_setREQ, obs\_relREQ, obs\_setACK, and obs\_relACK do not occur between end\_Phase and begin\_Phase.

 $between (\texttt{end\_Phase, begin\_Phase, [obs\_setREQ, obs\_relREQ, obs\_setACK, obs\_relACK] ff)$ .

• Property 4: This formalization can be done along the lines of the one of Property 3.

between(begin\_Phase, end\_Phase, [obs\_setBSY, obs\_relBSY, obs\_setSEL, obs\_relSEL]ff) .

• *Property 5:* Here, one has to encode that obs\_place is always followed by obs\_read. The incorporated fairness constraint corresponds to the one in Property 2.

 $fair_follows(\texttt{obs\_place}, \texttt{obs\_read}, \{\texttt{obs\_setATN}\}, [\texttt{obs\_place}]ff)$ .

• *Property 6:* We have to formalize that every probe obs\_setATN is always eventually followed by a probe begin\_MsgOut. Note that this property does not require any fairness assumption.

 $fair_follows(\texttt{obs\_setATN}, \texttt{begin\_MsgOut}, \emptyset, [\texttt{obs\_setATN}]ff)$ .

6.2. Verification Results. We were able to validate each property in our model in no more than two minutes when running the CWB-NC on a SUN SPARC 20 workstation. The model checker we used is a local model checker for a fragment of the modal  $\mu$ -calculus [4]. Applying a *local* model checker in contrast to a *global* one remarkably speeds-up the task of verification during the initial modeling attempts. In fact, the modeling of the SCSI-2 bus-protocol was done in several stages. At early modeling stages the model checker invalidated most properties immediately. The encountered errors ranged from missed fairness constraints to wrong timing information and were identified by examining the diagnostic information – displayed in form of failure traces – as provided by the model checker. During the process of verification, we also realized that the timing constraints of the bus protocol are not only imposed for avoiding wire glitches but also in order to implement necessary synchronization constraints during the initial bus phases. Without these constraints, two LUNs may gain access to the bus for arbitration which leads to a deadlock. This emphasizes the necessity of dealing with real-time constraints in reactive systems, even if explicit real-time behavior is not of interest.

7. Discussion and Related Work. One may wonder why  $CCS^{dp}$  semantics does not consider actions with minimal delays or priority values as labels of transitions only. In particular, one can avoid the side condition of Rule (Act2) by allowing communication on different priority levels. The reason that we have not followed this approach is that it imposes an unsound abstraction for  $CCS^{rt}$  semantics. As a simple example consider process  $P =_{df} (a:1.b:0.0 | \overline{b}:1.0 + c:2.0) \setminus \{b\}$ . According to the modified  $CCS^{dp}$  semantics, P can engage in an *a*-transition with priority 1 to process  $(b:0.0 | \overline{b}:0.0 + c:1.0) \setminus \{b\}$ . Hence, after an *a*-transition a *c*-transition is always pre-empted since a communication on *b* with priority 0 is pending. According to the original  $CCS^{dp}$  semantics, however, *P* may also engage in an *a*-transition with priority 2 to  $(b:0.0 | b:0.0 + c:0.0) \setminus \{b\}$ . Thus, there exists a path starting with an *a*-transition, after which a *c* may be observed. Cutting off this path changes the behavior of *P*, whence the modified  $CCS^{dp}$  semantics is incorrect.

Regarding related work, a formal relationship between a quantitative real-time process algebra and a process algebra with *static* priority, adapted from [11], is established by Jeffrey in [23]. Jeffrey also translates real-time to priority based on the idea of time stamping and presents a semantic correspondence based on bisimulation. In contrast to CCS<sup>rt</sup> semantics, a process modeled in Jeffrey's framework may either *immediately* engage in an action or idle forever. However, this semantics does not reflect our intuition about the behavior of *reactive* systems, i.e., a process should wait until a desired communication partner becomes available instead of engaging in a "livelock." It is only because of this design decision that Jeffrey does not need to choose a *dynamic*-priority framework. In [6] a variant of CCSR [7], referred to as CCSR92, is introduced. Since CCSR focuses on specifying and verifying concurrent real-time systems, an ability of capturing scheduling behavior is needed. Consequently, a notion of dynamic priority, such as occurs in *priority-inheritance* and *earliest-deadline-first scheduling algorithms*, is adopted for CCSR92. In [6] dynamic priorities are given as a function of the history of the system under consideration. Accordingly, the operational semantics of CCSR92 is re-defined to include historical contexts. The authors show that dynamic priorities do not always lead to a compositional semantics and give a sufficient condition that ensures compositionality.

8. Conclusions and Future Work. We introduced the process algebra  $CCS^{dp}$  with dynamic priority whose semantics corresponds one-to-one to the discrete quantitative real-time semantics of  $CCS^{rt}$ . Its utility stems from the fact  $CCS^{dp}$  semantics yields significantly more compact models than  $CCS^{rt}$  semantics without abstracting away any aspects of real-time. Thus,  $CCS^{dp}$  provides a means for efficiently implementing real-time semantics. The compactness of models can be improved further if one is not interested in verifying properties involving quantitative time and in the semantics' compositionality. In this case a  $CCS^{dp}$  model may be minimized according to standard bisimulation after ignoring the priority values in the labels. We implemented  $CCS^{dp}$  and  $CCS^{rt}$  in the Concurrency Workbench of North Carolina which we used to formally model and reason about the SCSI-2 bus-protocol. The size of our model is about an order of magnitude smaller when constructed with  $CCS^{dp}$  instead of  $CCS^{rt}$  semantics and can be handled easily within the Workbench. In addition, we specified several desired properties of the bus protocol in the modal  $\mu$ -calculus and validated them by using model checking. Regarding future work, the SCSI-2 bus-protocol should be modeled in more detail and, thereby, enable the verification of additional interesting properties.

## REFERENCES

 AMERICAN NATIONAL STANDARD INSTITUTE, ANSI X3.131-1994, Information Systems — Small Computer Systems Interface-2, ANSI, 1994.

- J. BAETEN, ed., Applications of Process Algebra, Vol. 17 of Cambridge Tracts in Theoretical Computer Science, Cambridge University Press, Cambridge, UK, 1990.
- [3] G. BERRY AND G. GONTHIER, The ESTEREL synchronous programming language: Design, semantics, implementation, Sci. Comput. Programming, 19 (1992), pp. 87–152.
- [4] G. BHAT, Tableau-based Approaches to Model Checking, Ph.D. thesis, North Carolina State University, Raleigh, NC, USA, December 1997.
- [5] T. BOLOGNESI AND E. BRINKSMA, Introduction to the ISO specification language LOTOS, Computer Networks and ISDN Systems, 14 (1987), pp. 25–59.
- [6] P. BRÉMOND-GRÉGOIRE, S. DAVIDSON, AND I. LEE, CCSR92: Calculus for communicating shared resources with dynamic priorities, in First North American Process Algebra Workshop, P. Purushothaman and A. Zwarico, eds., Workshops in Computing, Stony Brook, NY, USA, August 1992, Springer-Verlag, pp. 65–85.
- [7] P. BRÉMONDE-GRÉGOIRE, I. LEE, AND R. GERBER, A process algebra of communicating shared resources with dense time and priorities, Theoretical Computer Science, 189 (1997), pp. 179–219.
- [8] E. BRINKSMA, W. CLEAVELAND, K. LARSEN, T. MARGARIA, AND B. STEFFEN, eds., First International Workshop on Tools and Algorithms for the Construction and Analysis of Systems TACAS '95, Vol. 1019 of Lecture Notes in Computer Science, Aarhus, Denmark, May 1995, Springer-Verlag.
- [9] J. CAMILLERI AND G. WINSKEL, CCS with priority choice, Information and Computation, 116 (1995), pp. 26-37.
- [10] E. CLARKE, E. EMERSON, AND A. SISTLA, Automatic verification of finite-state concurrent systems using temporal logic specifications, ACM Transactions on Programming Languages and Systems, 8 (1986), pp. 244-263.
- [11] R. CLEAVELAND AND M. HENNESSY, Priorities in process algebra, Information and Computation, 87 (1990), pp. 58–77.
- [12] R. CLEAVELAND, G. LÜTTGEN, AND V. NATARAJAN, Priority in process algebra, in Handbook of Process Algebra, J. Bergstra, A. Ponse, and S. Smolka, eds., Elsevier, 1999. To appear.
- [13] R. CLEAVELAND, E. MADELAINE, AND S. SIMS, Generating front-ends for verification tools, in Brinksma et al. [8], pp. 153–173.
- [14] R. CLEAVELAND, V. NATARAJAN, S. SIMS, AND G. LÜTTGEN, Modeling and verifying distributed systems using priorities: A case study, Software-Concepts and Tools, 17 (1996), pp. 50-62.
- [15] R. CLEAVELAND, J. PARROW, AND B. STEFFEN, The Concurrency Workbench: A semantics-based tool for the verification of finite-state systems, ACM Transactions on Programming Languages and Systems, 15 (1993), pp. 36–72.
- [16] R. CLEAVELAND AND S. SIMS, The NCSU Concurrency Workbench, in Computer Aided Verification (CAV '96), R. Alur and T. Henzinger, eds., Vol. 1102 of Lecture Notes in Computer Science, New Brunswick, NJ, USA, July 1996, Springer-Verlag, pp. 394–397.
- [17] W. ELSEAIDY, J. BAUGH, AND R. CLEAVELAND, Verification of an active control system using temporal process algebra, Engineering with Computers, 12 (1996), pp. 46–61.
- [18] J. GULMANN, J. JENSEN, M. JØRGENSEN, N. KLARLUND, T. RAUHE, AND A. SANDHOLM, Mona: Monadic second-order logic in practice, in Brinksma et al. [8], pp. 58-73.
- [19] D. HAREL, Statecharts: A visual formalism for complex systems, Sci. Comput. Programming, 8 (1987), pp. 231-274.
- [20] T. HENZINGER, P.-H. HO, AND H. WONG-TOI, HyTech: A model checker for hybrid systems, Software

Tools for Technology Transfer, 1 (1997), pp. 110–122.

- [21] C. HOARE, Communicating Sequential Processes, Prentice-Hall, London, UK, 1985.
- [22] G. HOLZMANN, Design and Validation of Computer Protocols, Prentice-Hall, 1991.
- [23] A. JEFFREY, Translating timed process algebra into prioritized process algebra, in Proceedings of Symposium on Real-Time and Fault-Tolerant Systems (FTRTFT '92), J. Vytopil, ed., Vol. 571 of Lecture Notes in Computer Science, Nijmegen, The Netherlands, January 1992, Springer-Verlag, pp. 493– 506.
- [24] D. KOZEN, Results on the propositional μ-calculus, Theoretical Computer Science, 27 (1983), pp. 333– 354.
- [25] K. LARSEN, P. PETTERSSON, AND W. YI, UPPAAL in a nutshell, Software Tools for Technology Transfer, 1 (1997).
- [26] G. LÜTTGEN, Pre-emptive Modeling of Concurrent and Distributed Systems, Ph.D. thesis, University of Passau, Germany, May 1998. Published by Shaker Verlag, Aachen, Germany.
- [27] R. MILNER, Communication and Concurrency, Prentice-Hall, London, UK, 1989.
- [28] F. MOLLER AND C. TOFTS, A temporal calculus of communicating systems, in CONCUR '90 (Concurrency Theory), J. Baeten and J. Klop, eds., Vol. 458 of Lecture Notes in Computer Science, Amsterdam, The Netherlands, August 1990, Springer-Verlag, pp. 401–415.
- [29] W. YI, CCS + time = an interleaving model for real time systems, in Automata, Languages and Programming (ICALP '91), J. L. Albert, B. Monien, and M. R. Artalejo, eds., Vol. 510 of Lecture Notes in Computer Science, Madrid, Spain, July 1991, Springer-Verlag, pp. 217–228.

#### Appendix A. Complete Model of the Bus Protocol.

```
proc SCSIBus = (LUN0 | LUN1 | BusSignals) \{
                  setBSY, relBSY, isBSY, noBSY,
                                                    setSEL, relSEL, isSEL, noSEL,
                                                    setIO, relIO, isIO, noIO,
                  setCD, relCD, isCD, noCD,
                  setMSG, relMSG, isMSG, noMSG,
                                                    setATN, relATN, isATN, noATN,
                  setREQ, relREQ, isREQ, noREQ,
                                                    setACK, relACK, isACK, noACK,
                  placemsgIn,
                                  readmsgIn,
                                                    placemsgOut,
                                                                     readmsgOut,
                  placecmd,
                                  readcmd,
                                                    placefinished,
                                                                    readfinished,
                  placedata,
                                  readdata,
                                                    placestatus,
                                                                     readstatus,
                  sentdisconnect, readdisconnect,
                                                    sentcomplete,
                                                                     readcomplete,
                  writetarget0,
                                  readtarget0,
                                                    writetarget1,
                                                                     readtarget1,
                  release,
                                  setid0,
                                                    setid1,
                                                                     noid0,
                  noid1,
                                  isid0,
                                                    isid1,
                                                                     clear
                }
*----
* LUNO
*----
proc LUNO = t(start0):9.'relIO:0.(BusFree0 + GetSelected0)
             + t(start0):9.'setIO(obs_setIO):0.(BusFree0 + GetSelected0)
```

+ t:9.LUN0 + GetSelected0

```
proc GetSelected0 = isATN:0.( isSEL:0.noBSY:0.readtarget0:0.'setBSY(obs_setBSY):0.'release:0.
                              'clear:0.noSEL:0.(noI0:0.Target0 + isI0:0.Initiator0)
                            + noSEL:0.LUNO
                            )
* BusFree Phase
proc BusFree0 = t(busfree):80.'setBSY(obs_setBSY):80.'setid0:0.Arbitrate0
                + isSEL(obs_isSEL):0.LUN0 + isBSY(obs_isBSY):0.LUN0
* Arbitration Phase
proc Arbitrate0 = noid1(obs_winner_id0):480.'setSEL(obs_setSEL):0.Selection0
                  + isid1(obs_winner_id1):480.LUN0
* Selection Phase
proc Selection0 = 'writetarget1:240.'setATN:9.'relBSY(obs_relBSY):18.isBSY:80.
                  'relSEL(obs_relSEL):9.t(begin_ITP):0.(noI0:0.Initiator0 + isI0:0.Target0)
* Initiator
proc Initiator0 = H0 [> noBSY(obs_noBSY):0.'relATN:0.LUN0
               = t:9.'setATN(obs_setATN):9.H0
proc HO
                + isREQ(obs_isREQ):9.( noMSG:0.( noCD:0.(noIO:0.DataOutIO + isIO:0.DataInIO)
                                               + isCD:0.(noIO:0.CommandIO + isIO:0.StatusIO)
                                               )
                                     + isMSG:0.isCD:0.(noI0:0.MsgOutI0 + isI0:0.MsgInI0)
                                     )
* Target
proc Target0 = (noI0:0.MsgOutT0 + isI0:0.'relATN:0.MsgInT0) [> noBSY:0.'relATN:0.LUN0
* MsgIn and MsgOut Phases
proc MsgInI0 = isREQ:0.( readmsgIn:0.'setACK:0.noREQ:0.'relACK:0.MsgInI0
                        + readfinished:0.'setACK:0.noREQ:0.'relACK:0.HO
                        + readcomplete:0.'setACK:0.noREQ:0.'relACK:0.nil
                        + readdisconnect:0.'setACK:0.noREQ:0.'relACK:0.nil
proc MsgInT0 = 'setMSG:0.'setCD:0.'setI0(begin_MsgIn):0.t(begin_Phase):0.MsgInT0'
proc MsgInTO' =
                 'placemsgIn:0.'setREQ(obs_setREQ):9.isACK(obs_isACK):0.'release:0.
                  'relREQ(obs_relREQ):0.noACK:0.MsgInTO'
                + 'placefinished:0.'setREQ(obs_setREQ):9.isACK(obs_isACK):0.
                  'release:0.'relREQ(obs_relREQ):0.noACK(end_Phase):0.
                  (MsgOutTO + DataOutTO + DataInTO + CommandTO + StatusTO)
```

```
+ 'sentcomplete:0.'setREQ:9.isACK(obs_isACK):0.'release:0.'relREQ(obs_relREQ):0.
                  noACK(end_Phase):0.t(end_ITP):0.'relBSY(obs_relBSY):0.nil
                + 'sentdisconnect:0.'setREQ:9.isACK(obs_isACK):0.'release:0.'relREQ(obs_relREQ):0.
                  noACK(end_Phase):0.t(end_ITP):0.'relBSY(obs_relBSY):0.nil
proc MsgOutIO = isREQ:0.( 'placemsgOut:0.'setACK:9.noREQ:0.'release:0.'relACK:0.MsgOutIO
                         + 'placefinished:0.'relATN:9.'setACK:0.noREQ:0.'release:0.'relACK:0.HO
                         )
proc MsgOutT0 = isATN:0.'setMSG:0.'setCD:0.'relIO(begin_MsgOut):0.t(begin_Phase):0.MsgOutT0'
proc MsgOutTO' = 'setREQ:0.isACK(obs_isACK):0.
                 ( readmsgOut:0.'relREQ(obs_relREQ):0.noACK(obs_noACK):0.MsgOutTO'
                 + readfinished:0.'relREQ(obs_relREQ):0.noACK:0.
                   ( t(end_Phase):0.(MsgInT0 + DataOutT0 + DataInT0 + CommandT0 + StatusT0)
                   + t:0.MsgOutTO'
                   )
                 )
* Command Phase
proc CommandIO = isREQ:0.( 'placecmd:0.'setACK:9.noREQ:0.'release:0.'relACK:0.CommandIO
                          + 'placefinished:0.'setACK:9.noREQ:0.'release:0.'relACK:0.HO
                          )
proc CommandT0 = 'relMSG:0.'setCD:0.'relI0(begin_Command):0.t(begin_Phase):0.CommandT0'
proc CommandTO' = 'setREQ:0.isACK(obs_isACK):0.
                  ( readcmd:0.'relREQ(obs_relREQ):0.noACK:0.CommandT0'
                  + readfinished:0.'relREQ(obs_relREQ):0.noACK:0.t(end_Phase):0.
                    (MsgOutTO + MsgInTO + DataOutTO + DataInTO + StatusTO)
                  )
* DataIn and DataOut Phases
proc DataInIO = isREQ:0.( readdata:0.'setACK:0.noREQ:0.'relACK:0.DataInIO
                         + readfinished:0.'setACK:0.noREQ:0.'relACK:0.HO
                         )
proc DataInT0 = 'relMSG:0.'relCD:0.'setIO(begin_DataIn):0.t(begin_Phase):0.DataInT0'
proc DataInTO' = 'placedata:0.'setREQ:9.isACK(obs_isACK):0.'release:0.'relREQ(obs_relREQ):0.
                   noACK:0.DataInTO'
                 + 'placefinished:0.'setREQ:9.isACK(obs_isACK):0.'release:0.'relREQ(obs_relREQ):0.
                   noACK(end_Phase):0.(MsgOutTO + MsgInTO + StatusTO)
proc DataOutIO = isREQ:0.( 'placedata:0.'setACK:9.noREQ:0.'release:0.'relACK:0.DataOutIO
                          + 'placefinished:0.'setACK:9.noREQ:0.'release:0.'relACK:0.HO
proc DataOutTO = 'relMSG:0.'relCD:0.'relIO(begin_DataOut):0.t(begin_Phase):0.DataOutTO'
proc DataOutTO' = 'setREQ:0.isACK(obs_isACK):0.
                  ( readdata:0.'relREQ(obs_relREQ):0.noACK:0.
                   DataOutTO'
```

```
+ readfinished:0.'relREQ(obs_relREQ):0.noACK(end_Phase):0.
                    (MsgOutTO + MsgInTO + StatusTO)
                  )
* Status Phase
proc StatusIO = readstatus:0.'setACK:0.noREQ:0.'relACK:0.HO
proc StatusT0 = 'relMSG:0.'setCD:0.'setIO(begin_Status):0.t(begin_Phase):0.'placestatus:0.
                'setREQ:9.isACK(obs_isACK):0.'release:0.'relREQ(obs_relREQ):0.noACK(end_Phase):0.
                (MsgOutTO + MsgInTO)
*----
* LUN1
*----
                 = t(start1):9.'relIO:0.(BusFree1 + GetSelected1)
proc LUN1
                    + t(start1):9.'setIO(obs_setIO):0.(BusFree1 + GetSelected1)
                    + t:9.LUN1 + GetSelected1
proc GetSelected1 = isATN:0.( isSEL:0.noBSY:0.readtarget1:0.'setBSY(obs_setBSY):0.'release:0.
                              'clear:0.noSEL:0.(noI0:0.Target1 + isI0:0.Initiator1)
                            + noSEL:0.LUN1
                            )
* BusFree Phase
proc BusFree1 = t(busfree):80.'setBSY(obs_setBSY):80.'setid1:0.Arbitrate1
                + isSEL(obs_isSEL):0.LUN1 + isBSY(obs_isBSY):0.LUN1
* Arbitration Phase
proc Arbitrate1 = noSEL:80.'setSEL(obs_setSEL):0.Selection1 + isSEL:80.LUN1
* Selection Phase
proc Selection1 = 'writetarget0:240.'setATN:9.'relBSY(obs_relBSY):18.isBSY:80.
                  'relSEL(obs_relSEL):9.t(begin_ITP):0.(noI0:0.Initiator1 + isI0:0.Target1)
* Initiator
proc Initiator1 = H1 [> noBSY(obs_noBSY1):0.'relATN:0.LUN1
                = t:9.'setATN(obs_setATN):9.H1
proc H1
                  + isREQ(obs_isREQ1):9.( noMSG:0.( noCD:0.(noIO:0.DataOutI1 + isIO:0.DataInI1)
                                                  + isCD:0.(noIO:0.CommandI1 + isIO:0.StatusI1)
                                                  )
                                        + isMSG:0.isCD:0.(noI0:0.MsgOutI1 + isI0:0.MsgInI1)
                                        )
```

\* Target

```
proc Target1 = (noIO:0.MsgOutT1 + isIO:0.'relATN:0.MsgInT1) [> noBSY:0.'relATN:0.LUN1
* MsgIn and MsgOut Phases
proc MsgInI1 = isREQ:0.( readmsgIn:0.'setACK:0.noREQ:0.'relACK:0.MsgInI1
                         + readfinished:0.'setACK:0.noREQ:0.'relACK:0.H1
                         + readcomplete:0.'setACK:0.noREQ:0.'relACK:0.nil
                         + readdisconnect:0.'setACK:0.noREQ:0.'relACK:0.nil
                         )
proc MsgInT1 = 'setMSG:0.'setCD:0.'setIO(begin_MsgIn):0.t(begin_Phase):0.MsgInT1'
proc MsgInT1' = 'placemsgIn:0.'setREQ(obs_setREQ):9.isACK(obs_isACK):0.'release:0.
                  'relREQ(obs_relREQ):0.noACK:0.MsgInT1'
                + 'placefinished:0.'setREQ(obs_setREQ):9.isACK(obs_isACK):0.'release:0.
                  'relREQ(obs_relREQ):0.noACK(end_Phase):0.
                  (MsgOutT1 + DataOutT1 + DataInT1 + CommandT1 + StatusT1)
                + 'sentcomplete:0.'setREQ:9.isACK(obs_isACK):0.'release:0.'relREQ(obs_relREQ):0.
                  noACK(end_Phase):0.t(end_ITP):0.'relBSY(obs_relBSY):0.nil
                + 'sentdisconnect:0.'setREQ:9.isACK(obs_isACK):0.'release:0.relREQ(obs_relREQ):0.
                  noACK(end_Phase):0.t(end_ITP):0.'relBSY(obs_relBSY):0.nil
proc MsgOutI1 = isREQ:0.( 'placemsgOut:0.'setACK:9.noREQ:0.'release:0.'relACK:0.MsgOutI1
                         + 'placefinished:0.'relATN:9.'setACK:0.noREQ:0.'release:0.'relACK:0.H1
                         )
proc MsgOutT1 = isATN:0.'setMSG:0.'setCD:0.'relIO(begin_MsgOut):0.t(begin_Phase):0.MsgOutT1'
proc MsgOutT1' = 'setREQ:0.isACK(obs_isACK):0.
                 ( readmsgOut:0.'relREQ(obs_relREQ):0.noACK(obs_noACK):0.MsgOutT1'
                 + readfinished:0.'relREQ(obs_relREQ):0.noACK:0.
                   ( t(end_Phase):0.(MsgInT1 + DataOutT1 + DataInT1 + CommandT1 + StatusT1)
                   + t:0.MsgOutT1'
                   )
                 )
* Command Phase
proc CommandI1 = isREQ:0.( 'placecmd:0.'setACK:9.noREQ:0.'release:0.'relACK:0.CommandI1
                          + 'placefinished:0.'setACK:9.noREQ:0.'release:0.'relACK:0.H1
                          )
proc CommandT1 = 'relMSG:0.'setCD:0.'relIO(begin_Command):0.t(begin_Phase):0.CommandT1'
proc CommandT1' = 'setREQ:0.isACK(obs_isACK):0.
                  ( readcmd:0.'relREQ(obs_relREQ):0.noACK:0.CommandT1'
                  + readfinished:0.'relREQ(obs_relREQ):0.noACK(end_Phase):0.
                    (MsgOutT1 + MsgInT1 + DataOutT1 + DataInT1 + StatusT1)
                  )
```

```
* DataIn and DataOut Phases
proc DataInI1 = isREQ:0.( readdata:0.'setACK:0.noREQ:0.'relACK:0.DataInI1
                       + readfinished:0.'setACK:0.noREQ:0.'relACK:0.H1
                       )
proc DataInT1 = 'relMSG:0.'relCD:0.'setIO(begin_DataIn):0.t(begin_Phase):0.DataInT1'
proc DataInT1' = 'placedata:0.'setREQ:9.isACK(obs_isACK):0.'release:0.'relREQ(obs_relREQ):0.
                 noACK:0.DataInT1'
                + 'placefinished:0.'setREQ:9.isACK(obs_isACK):0.'release:0.'relREQ(obs_relREQ):0.
                  noACK(end_Phase):0.(MsgOutT1 + MsgInT1 + StatusT1)
proc DataOutI1 = isREQ:0.( 'placedata:0.'setACK:9.noREQ:0.'release:0.'relACK:0.DataOutI1
                        + 'placefinished:0.'setACK:9.noREQ:0.'release:0.'relACK:0.H1
                        )
proc DataOutT1 = 'relMSG:0.'relCD:0.'relIO(begin_DataOut):0.t(begin_Phase):0.DataOutT1'
proc DataOutT1' = 'setREQ:0.isACK(obs_isACK):0.
                 ( readdata:0.'relREQ(obs_relREQ):0.noACK:0.
                  DataOutT1'
                 + readfinished:0.'relREQ(obs_relREQ):0.noACK(end_Phase):0.
                   (MsgOutT1 + MsgInT1 + StatusT1)
                )
* Status Phase
proc StatusI1 = readstatus:0.'setACK:0.noREQ:0.'relACK:0.H1
proc StatusT1 = 'relMSG:0.'setCD:0.'setIO(begin_Status):0.t(begin_Phase):0.'placestatus:0.
               'setREQ:9.isACK(obs_isACK):0.'release:0.'relREQ(obs_relREQ):0.noACK(end_Phase):0.
               (MsgOutT1 + MsgInT1)
*-----
* Bus Signals, Data Bus, and Arbitration Variable
*-----
proc BusSignals =
                  DataBus
                 Arbitrator
                 Off[setBSY/set,relBSY/rel,isBSY/on,noBSY/off]
                 Off[setSEL/set,relSEL/rel,isSEL/on,noSEL/off]
                 | Off[setCD /set,relCD /rel,isCD /on,noCD /off]
                 | Off[setIO /set,relIO /rel,isIO /on,noIO /off]
                Off[setMSG/set,relMSG/rel,isMSG/on,noMSG/off]
                 Off[setATN/set,relATN/rel,isATN/on,noATN/off]
                 Off[setREQ/set,relREQ/rel,isREQ/on,noREQ/off]
                 Off[setACK/set,relACK/rel,isACK/on,noACK/off]
proc Off = 'off:0.0ff + set:0.0n + rel:0.0ff
proc On = 'on:0.0n + set:0.0n + rel:0.0ff
```

| proc DataBus   | = DataBus' [> release(obsrelease):0.DataBus                                 |
|----------------|-----------------------------------------------------------------------------|
| proc DataBus'  | <pre>= placemsgIn(obsplace):0.'readmsgIn(obsread):0.DataBus'</pre>          |
|                | + placemsgOut(obsplace):0.'readmsgOut(obsread):0.DataBus'                   |
|                | + placefinished(obsplace):0.'readfinished(obsread):0.DataBus'               |
|                | + placedata(obsplace):0.'readdata(obsread):0.DataBus'                       |
|                | + placecmd(obsplace):0.'readcmd(obsread):0.DataBus'                         |
|                | + placestatus(obsplace):0.'readstatus(obsread):0.DataBus'                   |
|                | + sentdisconnect(obssentdiscon):0.'readdisconnect(obsreaddiscon):0.DataBus' |
|                | + sentcomplete(obssentcomplete):0.'readcomplete(obsreadcomplete):0.DataBus' |
|                | + writetarget0(obswritet0):0.'readtarget0(obsreadt0):0.DataBus'             |
|                | + writetarget1(obswritet1):0.'readtarget1(obsreadt1):0.DataBus'             |
|                |                                                                             |
| proc Arbitrato | r = Undef [> clear:0.Arbitrator                                             |
| proc Undef     | = setid0:0.Id0 + setid1:0.Id1 + 'noid0:0.Undef + 'noid1:0.Undef             |
| proc IdO       | = setid0:0.Id0 + setid1:0.Id1 + 'isid0:0.Id0 + 'noid1:0.Id0                 |
| proc Id1       | = setid0:0.Id1 + setid1:0.Id1 + 'noid0:0.Id1 + 'isid1:0.Id1                 |