TT-BIP: using correct-by-design BIP approach for modelling real-time system with time-triggered paradigm

  • S.I.: VECOS2017
  • Innovations in Systems and Software Engineering

Abstract

In order to combine the advantages of real-time operating systems implementing the time-triggered (TT) execution model and model-based design frameworks, we aim at proposing a correct-by-design methodology that derives correct TT implementations from high-level models. This methodology consists of two main steps: (1) transforming the high-level model into an intermediate model which respects the TT communication principles and where all communications between components are simple send/receive interactions, and (2) transforming the obtained intermediate model into the programming language of the target platform. In this paper, we focus on the presentation of the transformational methodology of the first step of this design flow. This methodology produces a correct-by-construction TT model by starting from a high-level model of the application software in behaviour, interaction, priority (BIP). BIP is a component-based framework with formal semantics that rely on multiparty interactions for synchronizing components. Commonly in TT implementations, tasks interact with each other through a communication medium. Our methodology transforms, depending on a user-defined task mapping, high-level BIP models where communication between components is strongly synchronized into a TT model that integrates a communication medium. Thus, only inter-task communications and components participating in such interactions are concerned by the transformation process. We also provide correctness proofs of the transformation and apply it to an industrial case study.

Author information

Corresponding author

Correspondence to Belgacem Ben Hedia.

Appendices

Proof of Proposition 1

Proof

Points 1–3 of Definition 7

The first three criteria of Definition 7 are syntactic: the only allowed interactions are classic multiparty interactions, send/receive interactions or unary interactions, and each send port participates in exactly one send/receive interaction. These criteria are met by the previous definition.

Point 4 of Definition 7

The fourth point of Definition 7 enumerates all conflict cases of a TT-BIP model. The first case states that an internal port can only be conflicting with a similar port. By construction of the transformation, internal ports are instantiated only in task components (cf. Rule 5.1). If an internal transition is originally conflicting with a similar transition, then this conflict is preserved, since these transitions remain intact after transformation. If, in the original model, an internal transition is conflicting with an external transition, then this port will be replaced by a send port and a receive port. Therefore, the original conflict no longer exists in TT-BIP.

The second case involves receive ports. In task components, by construction of the transformation (cf. Rule 5.1), a receive port can only be conflicting with a receive port. In TTCC components, receive transitions are offer transitions or ok/fail transitions. Ok transitions and fail transitions have the same source location. Similarly, offer transitions can also be enabled from the same location (in the case of a conflicting TTCC component). They can also be conflicting with a send transition labelled by an \(rsv_\alpha \) port (cf. Rules 5.4 and 5.5). In the CRP component, receive transitions are rsv transitions, which are enabled from the initial location only simultaneously with other rsv transitions. Therefore, in all components, a receive transition can be enabled simultaneously either with a receive port or with a send port or both.

The third case involves send ports. In task components, send ports are offer ports and, by construction of the transformation (cf. Rule 5.1), only one send port is enabled from one location. In TTCC components, send ports are either \(p_s^\alpha \) ports (sending notifications to task components) or \(rsv_\alpha \) ports. The former has no conflicting port (i.e. no other port is enabled from its source location) while the latter is enabled from the same location as receive ports (offer ports) (cf. Rules 5.4 and 5.5). In the CRP component, send ports are ok or fail ports. Note that these ports are enabled from the same location. Therefore, we deduce that a send port can have the same source location as a receive port or other send ports.

Point 5 of Definition 7

The fifth point of Definition 7 states that the update function of a transition labelled by a send port does not involve variables exported by this port. In task components, send ports are offer ports and they trigger transitions whose update functions are the identity function (cf. Rule 5.1). In TTCC components, the send port is either a \(p_s^\alpha \) or a \(rsv_\alpha \) port. In both cases, it labels a transition with an identity update function (cf. Rules 5.4 and 5.5). In the CRP component, the send port can be either an ok or a fail port. In the first case, the port labels a transition whose update function applies to \(NB_i\) variables, which are not exported. In the second case, the port labels a transition with an identity update function.

Point 6 of Definition 7

The second-last point in Definition 7 states that a transition labelled by a receive port always has a timing constraint and a guard that default to \( True \). In the layer of task components, receive ports label only notification transitions which, by construction, are associated with a timing constraint and guard equal to \( True \) (cf. Rule 5.1). In the TTCC layer, receive ports label either offer transitions or ok/fail transitions. The latter are also associated with a timing constraint and guard that always default to \( True \) (cf. Rules 5.4 and 5.5). In the third layer (i.e. the CRP component), receive ports label rsv transitions, which are also associated with a timing constraint and guard always equal to \( True \).

Point 7 of Definition 7

The last criterion of Definition 7 states that whenever a send port is enabled, the associated receive ports will unconditionally become enabled within a finite number of transitions in the receiver component. Intuitively, this holds since communications between tasks and TTCC components, and between TTCC components and the CRP component, follow a request/acknowledgement pattern. Whenever a component sends a request (via a send port), it enables the receive port to receive the acknowledgement. In the following, we detail the different configuration cases:

  • Communications between a task component \(B_i^{TT}\) and a \(TTCC_j\) component, for all interactions \(\alpha \) involving a component \(B_i\). We denote by \(l_{B_i^{TT}}\) the enabled location of \(B_i^{TT}\) and by \(l_{TTCC_j}\) the active place of \(TTCC_j\). We distinguish the following cases:

    Case 1 \(l_{B_i^{TT}}=\perp _p^l\) where p is exported by \(B_i\) and \(l_{TTCC_j} \in \{wait\} \cup L_\perp \).

    In this configuration, the only enabled send port involved in a send/receive interaction is the offer port \(o_p\) of \(B_i^{TT}\). Note that the initial state allowing a send/receive interaction between tasks and TTCC components falls in that case. By definition of the configuration, all associated receive ports are also enabled (the \(TTCC_j\) component can only execute transitions labelled by receive ports).

    Case 2 \(l_{B_i^{TT}}=l\) where l is a place of \(B_i\) and \(l_{TTCC_j} = \{read\}\).

    This configuration is reached from the first one by executing offer transitions. From this configuration, no send/receive interaction with the task components can be enabled (i.e. no send port is enabled). To send offers, the task component should be in a \(\perp _p^l\) location which is not the case.

    Case 3 \(l_{B_i^{TT}}=l\) where l is a place of \(B_i\) and \(l_{TTCC_j} = \{send\}\).

    In this case, the component \( B_i^{TT}\) is still in a place l that is not a busy location, and the \(TTCC_j\) component is in the send place. From that configuration, the enabled send port that is involved in a send/receive interaction with \(B_i^{TT}\) is the port \(p_s^\alpha \) of the TTCC component. By definition of the configuration, the receive port associated to this send port is the one activated from place l of component \( B_i^{TT}\). Thus, the property holds in that configuration as well. Note that after executing the send/receive interaction with the component \(B_i^{TT}\), the first configuration is reached back.

  • Communications between a conflicting \(TTCC^C_j\) component with the CRP component, for all conflicting interaction \(\alpha \) involving a component \(B_i\). We denote by \(l_{TTCC^C_j}\) the enabled location of \(TTCC^C_j\) and by \(l_{CRP}\) the active set of marked places of CRP. We distinguish the following cases:

    Case 1 \(l_{TTCC^C_j}= read\) and \(l_{CRP} \ni \{w_\alpha \}\).

    In this case, the unique enabled send port is the port \(rsv_\alpha \) of the component \(TTCC^C_j\). And by definition of the configuration, the associated receive port of this send port is enabled, i.e. the port \(rsv_\alpha \) of component CRP is enabled from place \(w_\alpha \). Thus, the property holds in that configuration as well.

    Case 2 \(l_{TTCC^C_j}= try\) and \(l_{CRP} \ni \{r_\alpha \}\).

    This case is reached by executing the reservation interaction from the previous configuration. In this case, two send ports are active, \(ok_\alpha \) and \(fail_\alpha \) of the component CRP. From the enabled location of \(TTCC^C_j\) component, the corresponding receive ports associated to these two send ports are enabled as well. Thus, the property holds by-construction in that configuration as well.

\(\square \)
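The configuration cases of Point 7 can be checked mechanically on a small instance. The Python example below is added here and is not code from the paper or the BIP tools: it assumes one task, one conflicting TTCC and the CRP, with a transition table reconstructed from the cases in the proof above (the transformation rules themselves are not reproduced on this page). The names `busy` (for \(\perp _p^l\)) and `notify` (for the \(p_s^\alpha \) interaction) are labels chosen for the example, and the check is the immediate form argued in each case: in every reachable configuration, an enabled send port finds its receive port enabled.

```python
from collections import deque

# Component order inside a global configuration tuple.
ORDER = ("task", "ttcc", "crp")

# Assumed send/receive interactions, reconstructed from the proof's cases:
# name -> (sender, send_from, send_to, receiver, recv_from, recv_to)
TT_MODEL = {
    "offer":  ("task", "busy", "l",    "ttcc", "wait", "read"),
    "rsv":    ("ttcc", "read", "try",  "crp",  "w",    "r"),
    "ok":     ("crp",  "r",    "w",    "ttcc", "try",  "send"),
    "fail":   ("crp",  "r",    "w",    "ttcc", "try",  "read"),
    "notify": ("ttcc", "send", "wait", "task", "l",    "busy"),
}

# Initial configuration: task ready to send its offer, TTCC waiting,
# CRP in place w_alpha.
INITIAL = ("busy", "wait", "w")


def check_point7(model, initial=INITIAL):
    """Explore all reachable configurations breadth-first.

    Returns (reachable, violations), where a violation is a pair
    (configuration, interaction) such that the send port of the
    interaction is enabled but the matching receive port is not.
    """
    seen = {initial}
    queue = deque([initial])
    violations = []
    while queue:
        state = queue.popleft()
        loc = dict(zip(ORDER, state))
        for name, (snd, s_from, s_to, rcv, r_from, r_to) in model.items():
            if loc[snd] != s_from:
                continue  # send port not enabled in this configuration
            if loc[rcv] != r_from:
                # Send enabled, receive not enabled: Point 7 fails here.
                violations.append((state, name))
                continue
            nxt = dict(loc)
            nxt[snd], nxt[rcv] = s_to, r_to
            succ = tuple(nxt[c] for c in ORDER)
            if succ not in seen:
                seen.add(succ)
                queue.append(succ)
    return seen, violations


def broken_model():
    """Constructed negative control: the task stays in its busy location
    after sending an offer, so it can offer again while the TTCC is no
    longer in a location that receives offers."""
    model = dict(TT_MODEL)
    model["offer"] = ("task", "busy", "busy", "ttcc", "wait", "read")
    return model


if __name__ == "__main__":
    reachable, violations = check_point7(TT_MODEL)
    print("reachable configurations:", sorted(reachable))
    print("violations:", violations)
    _, bad = check_point7(broken_model())
    print("violations in the broken variant:", bad)
```

The negative control shows the check is not vacuous: once the task can re-offer from its busy location, the exploration reports configurations where the offer and notification send ports are enabled without their receive counterparts.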

Proof of Theorem 1

Proof

Let \(G(B)= (Q_B, P, \xrightarrow [B]{})\) and \(G(B^{TT})= (Q_{B_{TT}}, P_{B_{TT}},\) \( \xrightarrow [B^{TT}]{})\). Recall (Definition 4) that state spaces \(Q_B\) and \(Q_{B_{TT}}\) have each three components: control location, clock and variable valuations. For a given state q, we will denote \(v_c(q)\) (resp. \(v_x(q)\)) its clock (resp. variable) valuation component. Similarly, we denote l(q) the location of a state q.

Below, we will use variables \(q_B, r_B\), ranging over \(Q_B\), and \(q_{B_{TT}}, r_{B_{TT}}\), ranging over \(Q_{B_{TT}}\) and denote their respective components as follows:

$$\begin{aligned} \begin{aligned} q_B&= \bigl (l, v_x(q_B), v_c(q_B)\bigr ),\\ r_B&= \bigl (l', v_x(r_B), v_c(r_B)\bigr ),\\ q_{B_{TT}}&= \bigl (l_{TT}, v_x(q_{B_{TT}}), v_c(q_{B_{TT}})\bigr ),\\ r_{B_{TT}}&= \bigl (l'_{TT}, v_x(r_{B_{TT}}), v_c(r_{B_{TT}})\bigr ). \end{aligned} \end{aligned}$$

For clarity, for each state \(q_{B_{TT}}\), we detail the control location \(l_{TT}\) by using the triplet \((l_{TT}^B, l_{TT}^{TTCC}, l_{TT}^{CRP})\) where \(l_{TT}^B\) denotes the tuple of active locations of the tasks layer components, \(l_{TT}^{TTCC}\) contains the tuple of active locations of all TTCC components of the TTCC layer, and \(l_{TT}^{CRP}\) contains enabled locations of the CRP. We recall also that a place l of a model \(B = \gamma (B_1,\dots , B_n)\) is written \(l = (l_1,\ldots , l_n)\). The place \(l_{TT}^B\) of the tasks components layer of the model \(B^{TT}\) is written \(l_{TT}^B = (l^{TT}_1,\ldots , l^{TT}_n)\). The place \(l_{TT}^{TTCC}\) of the TTCC components layer is written as follows \(l_{TT}^{TTCC} = (l_1^{TTCC},\dots , l_m^{TTCC})\) while the place \(l_{TT}^{CRP}\) of the CRP component is written as \(l_{TT}^{CRP} \in \{w_\alpha , r_\alpha \}\).

We define the relation \(R \subseteq Q_B \times Q_{B_{TT}}\) as follows:

$$\begin{aligned} R=\left\{ (q_B, q_{B_{TT}})\left| \begin{array}{c} l_{TT}^B \in \{l_i, \perp ^{l_i}_{p_i}\}^n, \text { where } l_i \xrightarrow [B_i]{p_i}, \\ v_c(q_B)=v_c(q_{B_{TT}}),\\ v_x(q_B)=v_x^*(q_{B_{TT}}) \end{array} \right. \right\} \end{aligned}$$
(9)

where \(v_x^*\) is the restriction of \(v_x\) to the variables X of the original model B. That is the valuation function \(v_x^*\) is defined only over variables which are common between B and \(B_{TT}\). We recall that the notation \(l_i \xrightarrow [B_i]{p_i}\) means that port \(p_i\) is enabled from place \(l_i\) of the component \(B_i\).

Note that in the definition (9) of the relation R, there is no restriction on the location of TTCC and CRP components. This means that we consider all states of these components in the defined equivalence class. That is, \(q_B\) is equivalent to \(q_{B_{TT}}\) whose location is a combination of any location of TTCC and CRP components with the locations \(l_i\) or \(\perp ^{l_i}_{p_i}\) of components B. That is, \(\forall j\in [1,m], l_j^{TTCC} \in \{wait, l_{o_p}, \ldots , read, try, send\}\) and \(l_{TT}^{CRP} \in \{w_\alpha , r_\alpha \}\).

Thus, the following four assertions prove that \((R, \beta )\) is a weak bisimulation:

  1. (i)

    \(\forall (q_B, q_{B_{TT}}) \in R,\)

    $$\begin{aligned} q_B \xrightarrow [B]{\beta } r_B \implies \exists (r_B, r_{B_{TT}}) \in R: q_{B_{TT}} \xrightarrow [B_{TT}]{\beta ^*} r_{B_{TT}}, \end{aligned}$$
  2. (ii)

    \(\forall (q_B, q_{B_{TT}}) \in R,\)

    $$\begin{aligned} q_{B_{TT}} \xrightarrow [B_{TT}]{\beta } r_{B_{TT}} \implies \exists (r_B, r_{B_{TT}}) \in R: q_B \xrightarrow [B]{\beta ^*} r_B, \end{aligned}$$
  3. (iii)

    \(\forall (q_B, q_{B_{TT}}) \in R, \forall \alpha \in \gamma ,\)

    $$\begin{aligned} \begin{aligned} \beta (\alpha ) \ne \emptyset \wedge q_B&\xrightarrow [B]\alpha r_B \implies \exists (\alpha ,\alpha ') \in \beta :\\&\exists (r_B, r_{B_{TT}}) \in R: q_{B_{TT}} \xrightarrow [B_{TT}]{\beta ^* \alpha ' \beta ^*} r_{B_{TT}}, \end{aligned} \end{aligned}$$
  4. (iv)

    \(\forall (q_B, q_{B_{TT}}) \in R, \forall k \in K,\)

    $$\begin{aligned} \begin{aligned} \beta ^{-1}(k) \ne \emptyset \wedge q_{B_{TT}}&\xrightarrow [B_{TT}]{k} r_{B_{TT}} \implies \exists (p,k) \in \beta :\\&\exists (r_B, r_{B_{TT}}) \in R: q_B \xrightarrow [B]{p} r_B. \end{aligned} \end{aligned}$$

Hereafter, we detail proofs of each of these four points:

  1. (i)

    In definition (8) of the relation \(\beta \), only interactions of \(\gamma \) are related to interactions of \(\gamma ^{TT}\). That is for each \(\alpha \in \gamma \), \(\beta (\alpha ) \ne \emptyset \). Therefore, if \(q_B \xrightarrow [B]{\beta } r_B\), then this transition corresponds to a transition that is not related by the relation \(\beta \). Therefore, by definition (8) of the relation \(\beta \), the corresponding transition is not an interaction of \(\gamma \). It is then a transition labelled by a real number representing a delay transition. By Definition 6, there is a tpc constraint on location l in B, \(tpc(l)=(c^g \le v)\). That is the tpc constraint of each location \(l_i\) of each component \(B_i\) of the model B (such that \(l= (l_1, \ldots , l_n)\)) must satisfy this same condition. Therefore, we have:

    $$\begin{aligned} \begin{aligned} q_{B}&= \bigl (l, v_x(q_B), v_c(q_B)\bigr ),\\ r_{B}&= \bigl (l, v_x(r_B), v_c(r_B)\bigr ), \\ v_x(r_B)&= v_x(q_B),\\ v_c(r_B)&= v_c(q_B) + \delta , v_c(q_B) + \delta \le v. \end{aligned} \end{aligned}$$
    (10)

    Note that, depending on the nature of interactions enabled from \(r_B\), two cases should be considered. In the first case, only an internal interaction \(\alpha _I \in A_I\) can be enabled from state \(r_B\) once \(\beta \) executed. In the second case, only external interactions \(\alpha _E \in A_E\) are enabled from \(r_B\). By construction of the definition (9) of R, we have \(q_B= \bigl (l, v_x(q_B), v_c(q_B)\bigr )\), such that

    $$\begin{aligned} v_c(q_B)=v_c(q_{B_{TT}}) \quad \text {and} \quad v_x(q_B)=v_x^*(q_{B_{TT}}) . \end{aligned}$$
    (11)

    By construction of the transformation (Rules 5.4, 5.5 and 5.1) the same tpc constraint is mapped in the first case to the place \(l_{TT}\) where \({l_{TT}} = l\). In the second case, the same tpc constraint is mapped to the places \(l_i\) and \(\perp ^{l_i}_{p_i}\) where \(p_i \in \alpha _E\) as well as to the place read of the corresponding TTCC (handling the interaction \(\alpha _E\)). Thus, after executing the \(\beta \) transition corresponding to the mapped tpc in the \(B_{TT}\) model, components do not change their places, and there exists a transition \(q_{B_{TT}} \xrightarrow [B_{TT}]{\delta } r_{B_{TT}}\) in \(B_{TT}\) where \(r_{B_{TT}} = ({l'}_{TT}, v_x(r_B), v_c(r_B))\) such that:

    $$\begin{aligned} {l'}_{TT}^B = l, \quad v_c(q_B)=v_c(r_B) + \delta \quad \text {and} \quad v_x(q_B)=v_x(r_B) . \end{aligned}$$
    (12)

    Combining (10), (11) and (12), we obtain that \(v_c(r_{B_{TT}}) = v_c(r_B)\) and \(v_x^*(r_{B_{TT}}) = v_x(r_B)\). And we deduce that by definition (9) of the relation R, we have \((r_B, r_{B_{TT}})\in R\).

  2. (ii)

    If \((q_B, q_{B_{TT}}) \in R\), \(q_{B_{TT}} \xrightarrow [B_{TT}]{\beta } r_{B_{TT}}\), then this transition is not related to any transition in \(\gamma \) by the relation \(\beta \). Therefore, and by definition (8) of the relation \(\beta \), the transition \(\beta \) is either labelled by a real number representing a delay transition or by a send/receive interaction other than the notification transition or a \(p_\alpha \) transition. That is, \(\beta \) corresponds either to a \(rsv_\alpha \), \(fail_\alpha \), offer, \(ok_\alpha \), \(p_\alpha \) interaction or to a delay step.

    Case 1 \(\beta \in \{rsv_\alpha , fail_\alpha \}\).

    By Definition 6, there is a transition \(l_{TT} \xrightarrow []{\beta \in \{rsv_\alpha , fail_\alpha \}} l'_{TT}\) in \(B_{TT}\), such that:

    $$\begin{aligned} \begin{aligned} q_{B_{TT}}&= \bigl (l_{TT}(q_{B_{TT}}), v_x(q_{B_{TT}}), v_c(q_{B_{TT}})\bigr ),\\ r_{B_{TT}}&= \bigl (l'_{TT}(r_{B_{TT}}), v_x(r_{B_{TT}}), v_c(r_{B_{TT}})\bigr ),\\ v_x(r_{B_{TT}})&= v_x(q_{B_{TT}}), \quad \text {and} \quad v_c(r_{B_{TT}}) = v_c(q_{B_{TT}}). \end{aligned} \end{aligned}$$
    (13)

    Note that both \(rsv_\alpha \) and \(fail_\alpha \) define no update function, guard or timing constraint (see Rule 5.7). By definition of the transformation rules (Rules 5.4, 5.5 and 5.6), in the case of a \(rsv_\alpha \) (resp. \(fail_\alpha \)) interaction, the corresponding TTCC component is in a read (resp. try) place and the CRP component is in the \(w_\alpha \) (resp. \(r_\alpha \)) place. After executing this \(rsv_\alpha \) (resp. \(fail_\alpha \)) transition, the TTCC component reaches place try (resp. read) and the place \(r_\alpha \) (resp. \(w_\alpha \)) is activated in the CRP. Note that, in both cases, places of other components remain intact. That is, the reached place \({l'}_{TT}^B = {l}_{TT}^B = l\). Thus, we have:

    $$\begin{aligned} \begin{aligned} {l'}_{TT}^B&= l = (l_1, \ldots ,l_n), \end{aligned} \end{aligned}$$
    (14)

    By construction (9) of R, we have \(q_B{=} \bigl (l, v_x(q_B), v_c(q_B)\bigr )\), such that

    $$\begin{aligned} v_c(q_B)=v_c(q_{B_{TT}}) \quad \text {and} \quad v_x(q_B)=v_x^*(q_{B_{TT}}). \end{aligned}$$
    (15)

    Combining (13) and (15) we obtain that \(v_c(r_{B_{TT}}) = v_c(q_B)\) and \(v_x^*(r_{B_{TT}}) = v_x(q_B)\). Combining this to (14), we deduce that by definition (9) of the relation R, we have \((q_B, r_{B_{TT}})\in R\).

    Case 2 \(\beta \) is an offer interaction.

    By Definition 6, there is a transition \(l_{TT} \xrightarrow []{\beta } l'_{TT}\) in \(B_{TT}\), where \(\beta \) allows sending an offer from port \(p_i\) of component \(B_i\) to the corresponding TTCC component, such that:

    $$\begin{aligned} \begin{aligned} q_{B_{TT}}&= \bigl (l_{TT}, v_x(q_{B_{TT}}), v_c(q_{B_{TT}})\bigr ), \\ r_{B_{TT}}&= \bigl (l'_{TT}, v_x(r_{B_{TT}}), v_c(r_{B_{TT}})\bigr ), \\ v_x(r_{B_{TT}})&= v_x(q_{B_{TT}}), \quad \text {and} \quad v_c(r_{B_{TT}}) = v_c(q_{B_{TT}}). \end{aligned} \end{aligned}$$
    (16)

    Note that the offer transition defines no update function nor a guard or timing constraint (see Rule 5.7).

    By definition of the transformation rules (Rules 5.4, 5.5 and 5.6), after executing this \(\beta \) transition, the TTCC component reaches a place \(l_{o_i}\) and the component \(B_i\) reaches a place \(\perp ^{l_i}_{p'_i}\) if another offer is likely to be sent, otherwise it reaches the place \(l_i\). Note that this \(\beta \) transition does not change the location of the CRP component. Thus, we have:

    $$\begin{aligned} \begin{aligned} {l'}_{TT}^B \in \{l_i, \perp ^{l_i}_{p_i}\}^n. \end{aligned} \end{aligned}$$
    (17)

    By construction (9) of R, we have \(q_B{=} \bigl (l, v_x(q_B), v_c(q_B)\bigr )\), such that

    $$\begin{aligned} v_c(q_B)=v_c(q_{B_{TT}}) \quad \text {and} \quad v_x(q_B)=v_x^*(q_{B_{TT}}). \end{aligned}$$
    (18)

    Combining (16) and (18) we obtain that \(v_c(r_{B_{TT}}) = v_c(q_B)\) and \(v_x^*(r_{B_{TT}}) = v_x(q_B)\). Combining this to (17), we deduce that by definition (9) of the relation R, we have \((q_B, r_{B_{TT}})\in R\).

    Case 3 \(\beta \in \{ok_\alpha , p_\alpha \}\).

    By Definition 6, there is a transition \(l_{TT} \xrightarrow []{\beta } l'_{TT}\) in \(B_{TT}\), where \(\beta \) is labelled either by the port \(ok_\alpha \) or \(p_\alpha \). The transition \(p_\alpha \) changes only location of the TTCC component (from read to send location). Whereas the transition \(ok_\alpha \) changes the location of the TTCC component (from try to send) and the location of the CRP (from \(r_\alpha \) to \(w_\alpha \)). In both cases, locations of other components are intact. We denote \(G^*\), \(TC^*\) and \(F^*\), respectively, the guard, timing constraint and update function of the transition \(\beta \). Therefore, we have:

    $$\begin{aligned} \begin{aligned} q_{B_{TT}}&= \bigl ((l_{TT}^B, {l}_{TT}^{TTCC}(q_{B_{TT}}), {l}_{TT}^{CRP}(q_{B_{TT}})),\\&v_x(q_{B_{TT}}), v_c(q_{B_{TT}})\bigr ), \\ r_{B_{TT}}&= \bigl (({l'}_{TT}^B, {l'}_{TT}^{TTCC}(r_{B_{TT}}), {l'}_{TT}^{CRP}(r_{B_{TT}})),\\&v_x'(r_{B_{TT}}), v_c(r_{B_{TT}})\bigr ), \\ G^*(v_x(q_{B_{TT}}))&= True , \\ TC^*(v_c(q_{B_{TT}}))&= True , \\ v_c(r_{B_{TT}})&= v_c(q_{B_{TT}}) \\ v_x(r_{B_{TT}})&= F^*(v_x(q_{B_{TT}})), \end{aligned} \end{aligned}$$
    (19)

    In the second-to-last equality of (19), we have \(v_c(r_{B_{TT}}) = v_c(q_{B_{TT}})\) since the transition is instantaneous. For the last equality of (19), notice that \(F^*\) operates only on variables that are local to the TTCC component. Therefore, this function does not update variables of the components \(B_i^{TT}\) that are common with the model B, and the execution of this update function does not change the valuation \(v_x^*\). Thus, we have:

    $$\begin{aligned} v_x^*(r_{B_{TT}})=v_x^*(q_{B_{TT}}). \end{aligned}$$
    (20)

    By definition of the transformation rules (Rules 5.4, 5.5 and 5.6), after executing this \(\beta \) transition, the TTCC component reaches the place send and the CRP component reaches back the place wait. The component \(B_i^{TT}\) does not change its location. Thus, we have:

    $$\begin{aligned} \begin{aligned} {l'}_{TT}^B = {l}_{TT}^B. \end{aligned} \end{aligned}$$
    (21)

    By construction (9) of R, we have \(q_B\!=\! \bigl (l, v_x(q_B), v_c(q_B)\bigr )\), such that

    $$\begin{aligned} \begin{aligned} {l}_{TT}^B&\in \{l_i, \perp ^{l_i}_{p_i}\}^n,\\ v_c(q_B)&=v_c(q_{B_{TT}}),\\ v_x(q_B)&=v_x^*(q_{B_{TT}}). \end{aligned} \end{aligned}$$
    (22)

    Combining (19), (20), (21) and (22), we obtain that \(v_c(r_{B_{TT}}) = v_c(q_B)\), \(v_x^*(r_{B_{TT}}) = v_x(q_B)\) and \({l'}_{TT}^B = {l}_{TT}^B \in \{l_i, \perp ^{l_i}_{p_i}\}^n\). Thus, we deduce that by definition (9) of the relation R, we have \((q_B, r_{B_{TT}})\in R\).

    Case 3 \(\beta \) is a delay step labelled by \(\delta \in \mathbb {R}_+\).

    By Definition 6, there is a tpc constraint on location \(l_{TT}\) in \(B_{TT}\), \(tpc(l_{TT})=(c^g \le v)\). That is the tpc condition of each location of each component of the \(B_{TT}\) model that is composing the global location \(l_{TT}\) must satisfy this same condition. Therefore, we have:

    $$\begin{aligned} \begin{aligned} q_{B_{TT}}&= \bigl (l_{TT}, v_x(q_{B_{TT}}), v_c(q_{B_{TT}})\bigr ),\\ r_{B_{TT}}&= \bigl (l_{TT}, v_x(r_{B_{TT}}), v_c(r_{B_{TT}})\bigr ),\\ v_x(r_{B_{TT}})&= v_x(q_{B_{TT}}),\\ v_c(r_{B_{TT}})&= v_c(q_{B_{TT}}) + \delta , v_c(q_{B_{TT}}) + \delta \le v. \end{aligned} \end{aligned}$$
    (23)

    Note that, by construction of the transformation (Rules 5.4, 5.5), this delay transition is only possible if at least one conflicting TTCC component is not occupying the send place, i.e. \(l_{TT}^{TTCC^{C}} \ne \{send\}^{k}\). After executing this \(\beta \) transition, the TTCC component changes neither the global place nor the variable valuation; only the clock valuation is increased by \(\delta \). Thus, we have:

    $$\begin{aligned} \begin{aligned} {l'}_{TT}^B&= l. \end{aligned} \end{aligned}$$
    (24)

    By construction of the definition (9) of R, we have \(q_B= \bigl (l, v_x(q_B), v_c(q_B)\bigr )\), such that

    $$\begin{aligned} v_c(q_B)=v_c(q_{B_{TT}}) \quad \text {and} \quad v_x(q_B)=v_x^*(q_{B_{TT}}). \end{aligned}$$
    (25)

    By definition of the transformation (see Rules 5.4, 5.5), the tpc constraints of the TTCC component are the conjunction of time progress conditions received in the offers from participating components. Thus there exists a transition \(q_B \xrightarrow [B]{\delta } r_B\) in B where \(r_B {=} (l, v_x(r_B), v_c(r_B))\) such that:

    $$\begin{aligned} v_c(q_B)=v_c(r_B) + \delta \quad \text {and} \quad v_x(q_B)=v_x(r_B). \end{aligned}$$
    (26)

    Combining (23), (25) and (26), we obtain that \(v_c(r_{B_{TT}}) = v_c(r_B)\) and \(v_x^*(r_{B_{TT}}) = v_x(r_B)\). Combining this to (24), we deduce that by definition (9) of the relation R, we have \((r_B, r_{B_{TT}})\in R\).

  3. (iii)

    Let \( (q_B, q_{B_{TT}}) \in R\) such that \(q_B \xrightarrow [B]{\alpha } r_B\). If \(\beta (\alpha ) \ne \emptyset \wedge q_B \xrightarrow [B]{\alpha } r_B\), then by definition (8) of the relation \(\beta \), \(\alpha \in \gamma \) and can be either an internal (\(\alpha \in A_I\)) or an external interaction (\(\alpha \in A_E\)).

    Case 1 \(\alpha \in \gamma \cap A_I\).

    By Definition 6, there is a transition \(l \xrightarrow []{\alpha } l'\) in B, where \(\alpha \) is guarded by \(G^*\), the timing constraint \(TC^*\) and having as transfer function \(F^*\), such that:

    $$\begin{aligned} \begin{aligned} q_B = \bigl (l, v_x(q_B), v_c(q_B)\bigr ),&\quad r_B = \bigl (l', v_x(r_B), v_c(r_B)\bigr ), \\ TC^*(v_c(q_B)) = True ,&\quad G^*(v_x(q_B)) = True , \\ v_x(r_B) = F^*(v_x(q_B)),&\quad \text {and} \quad v_c(r_B) = v_c(q_B), \end{aligned} \end{aligned}$$
    (27)

    where the update function \(F^* = f_i \circ \dots \circ f_j \circ F_\alpha \), and \(f_i\) corresponds to the update function of the transition labelled by port \(p_i \in P_\alpha \) in the component \(B_i \in comp(\alpha )\). By construction (9) of R, we have

    \(q_{B_{TT}}= \bigl (l_{TT}, v_x(q_{B_{TT}}), v_c(q_{B_{TT}})\bigr )\), such that

    $$\begin{aligned} v_c(q_B)=v_c^*(q_{B_{TT}}) \quad \text {and} \quad v_x(q_B)=v_x^*(q_{B_{TT}}). \end{aligned}$$
    (28)

    By definition of the transformation (Rules 5.4, 5.5 and 5.1), this interaction remains intact in the obtained \(B_{TT}\) model. Therefore, by Definition 6, we also have \(q_{B_{TT}}\!\! \xrightarrow [B_{TT}]{\alpha }\! r_{B_{TT}}\), where \(r_{B_{TT}}\!\! =\! \bigl ({l'}_{TT}, v_x(r_{B_{TT}}), v_c(r_{B_{TT}})\bigr )\) such that:

    $$\begin{aligned} \begin{aligned} {l'}_{TT}^B&= l',\\ v_c(r_{B_{TT}})&= v_c(q_{B_{TT}}),\\ v_x^*(r_{B_{TT}})&= F^*\bigl (v_x^*(q_{B_{TT}})\bigr ). \end{aligned} \end{aligned}$$
    (29)

    In the second equality of (29), we have \(v_c(r_{B_{TT}}) = v_c(q_{B_{TT}})\) since transition \(\alpha \) is instantaneous. For the last equality of (29), notice that, \(v_x^*\) operates only on common variables between models B and \(B_{TT}\).

    Combining (27), (28) and (29) we obtain that \(l_{TT}\) satisfies \({l'}_{TT}^B = l'\), \(v_c^*(r_{B_{TT}}) = v_c(r_B)\) and \(v_x^*(r_{B_{TT}}) = v_x(r_B)\). Thus, we have \(q_{B_{TT}} \xrightarrow [B_{TT}]{\alpha } r_{B_{TT}}\) such that \((\alpha , \alpha ) \in \beta \) since \(\alpha \in \gamma \cap A_I\). By definition (9) of the relation R, we obtain \((r_B, r_{B_{TT}})\in R\).

    Case 2 \(\alpha \in \gamma \cap A_E\).

    By Definition 6, there is a transition \(l \xrightarrow []{\alpha } l'\) in B, where \(\alpha \) is guarded by \(G^*\), the timing constraint \(TC^*\) and having as transfer function \(F^*\), such that:

    $$\begin{aligned} \begin{aligned}&q_B = \bigl (l, v_x(q_B), v_c(q_B)\bigr ), \quad r_B = \bigl (l', v_x(r_B), v_c(r_B)\bigr ), \\&TC^*(v_c(q_B)) = True , \quad G^*(v_x(q_B)) = True , \\&v_x(r_B) = F^*(v_x(q_B)), \quad \text {and} \quad v_c(r_B) = v_c(q_B), \end{aligned} \end{aligned}$$
    (30)

    where the update function \(F^* = f_i \circ \dots \circ f_j \circ F_\alpha \), and \(f_i\) corresponds to the update function of the transition labelled by port \(p_i \in P_\alpha \) in the component \(B_i \in comp(\alpha )\). By construction (9) of R, we have

    \(q_{B_{TT}}= \bigl (l_{TT}, v_x(q_{B_{TT}}), v_c(q_{B_{TT}})\bigr )\), such that

    $$\begin{aligned} v_c(q_B)=v_c^*(q_{B_{TT}}) \quad \text {and} \quad v_x(q_B)=v_x^*(q_{B_{TT}}). \end{aligned}$$
    (31)

    By definition of the transformation (Rules 5.4, 5.5 and 5.1), the interaction \(\alpha \) of the original model B is held by a dedicated TTCC component that we denote here \(TTCC_\alpha \) in the obtained \(B_{TT}\) model. It may be mapped to the following successive transitions in the \(B_{TT}\) model:

    • If the component \(l_{TT}^B\) of the global place \(l_{TT}\) contains a place \(l^{TT}_i = \perp ^{l_i}_{p_i}\), where \(B_i \in comp(\alpha )\) and \(p_i \in P_\alpha \), then a sending offer interaction may be enabled. Note that by definition of \(\beta \), this interaction is a \(\beta \) transition. If the component \(l_{TT}^B\) of the global place \(l_{TT}\) is equal to l (i.e. \(l_{TT}^B = (l_1, \ldots , l_n)\)), no offer transition is enabled.

    • Once all offers of components \(B_i \in comp(\alpha )\) are sent to \(TTCC_\alpha \), the latter reaches the place read. If \(\alpha \) is initially not conflicting, then from the global location reached after sending the offers, the transition labelled by the unary interaction \(p_\alpha \) is enabled. This transition has the guard \(G^*\), the timing constraint \(TC^*\) and executes the function \(F^*\). Note that by definition of \(\beta \), \(\beta (p_\alpha ) = \emptyset \). If \(\alpha \) is initially a conflicting interaction, then from the global location reached after sending the offers, the enabled transition is the \(rsv_\alpha \) interaction. This interaction has the guard \(G^*\) and the timing constraint \(TC^*\). By definition of \(\beta \), \(\beta (rsv_\alpha ) = \emptyset \); it is therefore a \(\beta \) transition. From the location reached by the \(rsv_\alpha \) interaction, two interactions are possible, \(fail_\alpha \) or \(ok_\alpha \), with \(\beta (fail_\alpha ) = \emptyset \) and \(\beta (ok_\alpha ) = \emptyset \). If the \(fail_\alpha \) interaction is enabled, then the \(TTCC_\alpha \) component returns to the state that again enables the \(rsv_\alpha \) interaction, until \(ok_\alpha \) is enabled. From this reached global location, a loop of \(rsv_\alpha \) and \(fail_\alpha \) may thus be executed before the \(ok_\alpha \) interaction is enabled. The latter reaches a state where \(TTCC_\alpha \) is in place send. The \(ok_\alpha \) transition, like the \(p_\alpha \) transition, applies the update function \(F^*\) to the variables that are local to the TTCC. Note that these variables are not concerned by the valuation \(v_x^*\).

    • Note that after the previously executed interaction the components \(B_i \in comp(\alpha )\) do not change their locations. The \(TTCC_\alpha \) component reaches the send location. From this new reached global state, the notification interaction is enabled. It relates the port \(p_s^\alpha \) of the \(TTCC_\alpha \) to ports \(p_i\) of components \(B_i\), such that \(p_i \in P_\alpha \). Note that \(\beta (p_s^\alpha ) \ne \emptyset \). This notification interaction updates variables of components \(B_i\) according to their copies in the component \(TTCC_\alpha \). Note that these copies have been transformed by \(F^*\) in the previous \(\beta \) transition. The reached location of the notification interaction in a component \(B_i\) is \(l'_i\) or \(\perp ^{l'_i}_{p'_i}\), where \(l'_i \xrightarrow {p'_i}\).

    Notice that in the previously cited cases of possible interactions, we consider only \(\beta \) interactions in which \(TTCC_\alpha \) participates. For clarity, we do not detail the other possible \(\beta \) transitions involving other TTCC components and potential offer sending requests. Not considering them does not invalidate this proof, since they always satisfy the property \(l_{TT}^B \in \{l_i, \perp ^{l_i}_{p_i}\}^n\), are instantaneous and do not hold any update function (i.e. they impact neither the location property nor the clock and variable valuations). Therefore, by Definition 6, we have:

    $$\begin{aligned} q_{B_{TT}} \xrightarrow [B_{TT}]{\beta ^*} q'_{B_{TT}} \xrightarrow [B_{TT}]{p_s^\alpha } r_{B_{TT}}, \end{aligned}$$

    where

    $$\begin{aligned} q'_{B_{TT}}&= \bigl ((l_{TT}^B, {l}_{TT}^{TTCC}(q'_{B_{TT}}), {l'}_{TT}^{CRP}(q'_{B_{TT}})) , v_x(q'_{B_{TT}}),\\&\quad v_c(q'_{B_{TT}})\bigr ), \\ r_{B_{TT}}&= \bigl (({l'}_{TT}^B, {l}_{TT}^{TTCC}(r_{B_{TT}}), {l}_{TT}^{CRP}(r_{B_{TT}})), v_x(r_{B_{TT}}),\\&\quad v_c(q'_{B_{TT}})\bigr ), \end{aligned}$$

    with

    $$\begin{aligned} \begin{aligned} {l'}_{TT}^B&\in \{l'_i, \perp ^{l'_i}_{p'_i}\}^n,\\ v_c(r_{B_{TT}})&= v_c(q'_{B_{TT}}) = v_c(q_{B_{TT}}),\\ v_x^*(q'_{B_{TT}})&= v_x^*(q_{B_{TT}}),\\ v_x^*(r_{B_{TT}})&= F^*\bigl (v_x^*(q'_{B_{TT}})\bigr ), \end{aligned} \end{aligned}$$
    (32)

    For the last equality of (32), notice that \(v_x^*\) operates only on common variables between models B and \(B_{TT}\), and that \(F^*\) has first been applied to local variables of the TTCC component in the \(\beta \) transition preceding the \(p_s^\alpha \) transition. These variables are not concerned by the \(v_x^*\) valuation, hence the equality \(v_x^*(q'_{B_{TT}}) = v_x^*(q_{B_{TT}})\). The transition \(p_s^\alpha \) copies values of TTCC variables to those of \(B_i\) components. Thus the function \(F^*\) is indirectly applied to variables of \(B_i\), which explains the equality \(v_x^*(r_{B_{TT}}) = F^*\bigl (v_x^*(q'_{B_{TT}})\bigr )\). Combining (30), (31) and (32), we obtain that \(l'_{TT}\) satisfies \({l'}_{TT}^B \in \{l'_i, \perp ^{l'_i}_{p'_i}\}^n\), \(v_c^*(r_{B_{TT}}) = v_c(r_B)\) and \(v_x^*(r_{B_{TT}}) = v_x(r_B)\). Thus, we have \(q_{B_{TT}} \xrightarrow [B_{TT}]{\beta ^* p_s^\alpha } r_{B_{TT}}\) such that \((\alpha , p_s^\alpha )\in \beta \). By definition (9) of the relation R, we obtain \((r_B, r_{B_{TT}})\in R\).

  4. (iv)

    Let \( (q_B, q_{B_{TT}}) \in R\) such that \(q_{B_{TT}} \xrightarrow [B_{TT}]{\alpha _{TT}} r_{B_{TT}}\). If \(\beta ^{-1}(\alpha _{TT}) \ne \emptyset \wedge q_{B_{TT}} \xrightarrow [B_{TT}]{\alpha _{TT}} r_{B_{TT}}\), then by definition (8) of the relation \(\beta \),

    $$\begin{aligned} \alpha _{TT} \in (\gamma \cap A_I)&\cup \{{p_s^\alpha \in \gamma _{TT}}\,|\,{\alpha \in \gamma \cap A_E}\} \end{aligned}$$

    Case 1 \(\alpha _{TT} = \alpha \in \gamma \cap A_I\).

    By Definition 6, there is a transition \(l_{TT} \xrightarrow []{\alpha _{TT}} l'_{TT}\) in \(B_{TT}\), where the transition \(\alpha _{TT}\) has a guard \(G^*\), a timing constraint \(TC^*\) and an update function \(F^*\), such that:

    $$\begin{aligned} \begin{aligned} q_{B_{TT}}&= \bigl (\bigl (l, {l}_{TT}^{TTCC}(q_{B_{TT}}), {l}_{TT}^{CRP}(q_{B_{TT}})\bigr ),\\&\quad v_x(q_{B_{TT}}), v_c(q_{B_{TT}})\bigr ), \\ r_{B_{TT}}&= \bigl (\bigl (l', {l'}_{TT}^{TTCC}(r_{B_{TT}}), {l'}_{TT}^{CRP}(r_{B_{TT}})\bigr ),\\&\quad v_x(r_{B_{TT}}), v_c(r_{B_{TT}})\bigr ), \\ G^*(v_x(q_{B_{TT}}))&= True , \\ TC^*(v_c(q_{B_{TT}}))&= True , \\ v_x(r_{B_{TT}})&= F^*(v_x(q_{B_{TT}})),\\ v_c(r_{B_{TT}})&= v_c(q_{B_{TT}}). \end{aligned} \end{aligned}$$
    (33)

    By definition of the transformation (cf. Rules 5.5 and 5.1), the transition \(\alpha _{TT} = \alpha \) is exactly the same as in the model B, where it corresponds to the transition \( l \xrightarrow []{\alpha } l'\), which is guarded by \(G^*\) and \(TC^*\) and has the update function \(F^*\). By construction (9) of R, we have \(q_B= \bigl (l, v_x(q_B), v_c(q_B)\bigr )\), such that

    $$\begin{aligned} v_c(q_B)=v_c(q_{B_{TT}}) \quad \text {and} \quad v_x(q_B)=v_x^*(q_{B_{TT}}). \end{aligned}$$
    (34)

    Therefore, by Definition 6, we also have \(q_{B} \xrightarrow [B]{\alpha } r_{B}\), where

    $$\begin{aligned} r_B&= \bigl (l', v_x(r_B), v_c(r_B)\bigr ), \end{aligned}$$

    with

    $$\begin{aligned} \begin{aligned} G^*(v_x(q_B))&= True ,\\ TC^*(v_c(q_B))&= True ,\\ v_c(r_B)&= v_c(q_B),\\ v_x(r_B)&= F^*(v_x(q_B)). \end{aligned} \end{aligned}$$
    (35)

    Combining (33), (34) and (35), we obtain that \(l'_{TT}\) satisfies \({l'}_{TT}^B =l' \in \{l_i, \perp ^{l_i}_{p_i}\}^n\), \(v_c(r_{B_{TT}}) = v_c(r_B)\) and \(v_x^*(r_{B_{TT}}) = v_x(r_B)\). Thus, we have \(q_B \xrightarrow [B]{ \alpha } r_B\) and, by definition (9) of the relation R, \((r_B, r_{B_{TT}})\in R\).

    Case 2 \(\alpha _{TT} = p_s^\alpha , \alpha \in \gamma \cap A_E\).

    By Definition 6, there is a transition \(l_{TT} \xrightarrow []{\alpha _{TT}} l'_{TT}\) in \(B_{TT}\). The transition \(\alpha _{TT}\) has no guard.

    By construction of the transformation (cf. Rules 5.4, 5.5 and 5.1), this \(\alpha _{TT}\) transition is always preceded by a \(\beta \) transition consisting in \(p_\alpha \) if \(\alpha \) is not conflicting and in \(ok_\alpha \) if \(\alpha \) is conflicting. These latter execute an update function \(F^*\) that updates variables local to the TTCC component. These variables are local copies of variables of \(B_i\). When receiving offers, values of variables of the TTCC component are the same as their remote copies in \(B_i\) components. And then, they are updated by using the function \(F^*\) of transition \(ok_\alpha \) or \(p_\alpha \).

    The notification transition is not guarded and has an update function which copies values of local variables of the TTCC to their corresponding copies in the participating \(B_i\) components. Therefore, the function \(F^*\) is indirectly applied to variables of \(B_i\) components. These variables are concerned by the \(v_x^*\) valuation.

    Note that this \(\alpha _{TT}\) transition changes the location of the TTCC component to its initial wait location and allows each \(B_i\) to reach location \(l'_i\) or \(\perp ^{l'_i}_{p'_i}\), where \(l'_i \xrightarrow {p'_i}\) and \(p'_i \in A_E\).

    Therefore, we have \(l_{TT} \xrightarrow []{\alpha _{TT}} l'_{TT}\), such that:

    $$\begin{aligned} q_{B_{TT}}&= \bigl (\bigl ({l}_{TT}^B(q_{B_{TT}}), {l}_{TT}^{TTCC}(q_{B_{TT}}), {l}_{TT}^{CRP}(q_{B_{TT}})\bigr ),\\&\quad v_x(q_{B_{TT}}), v_c(q_{B_{TT}})\bigr ),\\ r_{B_{TT}}&= \bigl (\bigl ({l'}_{TT}^B(q_{B_{TT}}), {l'}_{TT}^{TTCC}(r_{B_{TT}}), {l'}_{TT}^{CRP}(r_{B_{TT}})\bigr ),\\&\quad v_x(r_{B_{TT}}), v_c(r_{B_{TT}})\bigr ),\\ v_x^*(r_{B_{TT}})&= F^*(v_x^*(q_{B_{TT}})),\\ v_c(r_{B_{TT}})&= v_c(q_{B_{TT}}), \end{aligned}$$
    (36)

    such that

    $$\begin{aligned} \begin{aligned} {l'}_{TT}^B&\in \{l'_i, \perp ^{l'_i}_{p'_i}\}^n. \end{aligned} \end{aligned}$$
    (37)

    By definition of the transformation (cf. Rules 5.4, 5.5 and 5.1), there exists a corresponding transition \( l \xrightarrow []{\alpha } l'\) in B, which has \(F^*\) as transfer function. By construction (9) of R, we have \(q_B= \bigl (l, v_x(q_B), v_c(q_B)\bigr )\), such that

    $$\begin{aligned} \begin{aligned} {l}_{TT}^B(q_{B_{TT}})&\in \{l_i, \perp ^{l_i}_{p_i}\}^n,\\ v_c(q_B)&=v_c(q_{B_{TT}}),\\ v_x(q_B)&=v_x^*(q_{B_{TT}}). \end{aligned} \end{aligned}$$
    (38)

    Therefore, by Definition 6, we also have \(q_{B} \xrightarrow [B]{\alpha } r_{B}\), where

    $$\begin{aligned} r_B&= \bigl (l', v_x(r_B), v_c(r_B)\bigr ), \end{aligned}$$

    with

    $$\begin{aligned} \begin{aligned} v_c(r_B)&= v_c(q_B),\\ v_x(r_B)&= F^*(v_x(q_B)). \end{aligned} \end{aligned}$$
    (39)

    Combining (36), (37), (38) and (39), we obtain that \(l'_{TT}\) satisfies \({l'}_{TT}^B \in \{l'_i, \perp ^{l'_i}_{p'_i}\}^n\), \(v_c(r_{B_{TT}}) = v_c(r_B)\) and \(v_x^*(r_{B_{TT}}) = v_x(r_B)\). Thus, we have \(q_B \xrightarrow [B]{ \alpha } r_B\) and, by definition (9) of the relation R, \((r_B, r_{B_{TT}})\in R\).

\(\square \)
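The Case 2 argument of the proof above (an external interaction \(\alpha \in \gamma \cap A_E\) routed through \(TTCC_\alpha \)) can be replayed on a toy instance. The following Python code is an added example, not part of the paper: the two variables `x1`, `x2`, the functions `F_star` and `G_star`, and the trace labels are constructed, and clocks and \(TC^*\) are omitted because every step involved is instantaneous.

```python
# Toy instance of Case 2: one external interaction alpha between B1 and B2.
# All names (F_star, G_star, x1, x2, trace labels) are constructed for illustration.

def F_star(v):
    """Update function of alpha: transfer x1 into x2, then reset x1."""
    return {"x1": 0, "x2": v["x2"] + v["x1"]}

def G_star(v):
    """Guard of alpha."""
    return v["x1"] > 0

def run_B(v):
    """Original model B: alpha fires atomically."""
    assert G_star(v)
    return F_star(v)

def run_BTT(v, conflicting=False, fails=0):
    """Transformed model: beta* steps, then the notification p_s^alpha.
    Returns the trace [(label, v_x^* projection on the B_i variables)]."""
    comp = dict(v)                 # variables of B1, B2 (seen by v_x^*)
    ttcc = {}                      # TTCC_alpha local copies (not seen by v_x^*)
    trace = []
    for name in ("x1", "x2"):      # offers: copy values into TTCC, place 'read'
        ttcc[name] = comp[name]
        trace.append(("offer_" + name, dict(comp)))
    assert G_star(ttcc)            # guard is evaluated on the TTCC copies
    if conflicting:                # rsv/fail loop until ok
        for _ in range(fails):
            trace.append(("rsv", dict(comp)))
            trace.append(("fail", dict(comp)))
        trace.append(("rsv", dict(comp)))
        ttcc = F_star(ttcc)        # ok_alpha applies F* to the TTCC copies
        trace.append(("ok", dict(comp)))
    else:
        ttcc = F_star(ttcc)        # p_alpha applies F* to the TTCC copies
        trace.append(("p_alpha", dict(comp)))
    comp.update(ttcc)              # notification copies TTCC values back to B_i
    trace.append(("p_s_alpha", dict(comp)))
    return trace

def check(v, **kw):
    """True iff every beta step preserves v_x^* and the final state matches B."""
    trace = run_BTT(v, **kw)
    beta_ok = all(val == v for _, val in trace[:-1])
    return beta_ok and trace[-1][1] == run_B(v)
```

`check` returns `True` when the projected valuation is unchanged across all \(\beta \) steps and the state after \(p_s^\alpha \) equals \(F^*\) applied in B, which is the content of (32) and (36) to (39) on this instance.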

Cite this article

Guesmi, H., Ben Hedia, B., Bliudze, S. et al. TT-BIP: using correct-by-design BIP approach for modelling real-time system with time-triggered paradigm. Innovations Syst Softw Eng 14, 117–142 (2018). https://doi.org/10.1007/s11334-018-0312-y
