BCS-FACS Northern Formal Methods Workshop
A Comparison of Formal Real-Time Specification Languages

In this paper we compare four languages for real time systems specification, namely Timed Z, Timed CSP, Timed CCS and TE-LOTOS, by applying them to the benchmark Railroad Crossing problem. We use slightly different sets of assumptions in each of our solutions in order to investigate how the presence or absence of such assumptions affects the resulting solution. We pay particular attention to the level of justification we may ascribe to each assumption; it may be explicit or implicit in the problem statement, implicit in our knowledge of real-world railroad crossings, or none of these, in which case it must be regarded as a simplifying assumption. We compare and evaluate the resulting specifications in each of the four languages. Our solution in Timed Z is shown to be on a different level to the three process algebras, being much more abstract, closer to the English specification and further from an implementation. It is argued that the three process algebras have essentially equivalent expressive power over the domain of this problem. We compare the proofs in each of the process algebra formalisms. Timed CSP has a well developed dedicated formal proof system, while the proof methods required by Timed CCS and TE-LOTOS are much more ad hoc. In these two cases we use proof techniques based on path and state analysis. We briefly evaluate the Railroad Crossing case study itself. It is found to be a problem of great generality with hidden subtleties; we argue that this problem can teach us much about how to approach real-time specification tasks, and therefore must be considered a highly successful benchmark problem.


Introduction
In this paper a number of languages for specifying real time systems are compared. Each language has been used to specify the same benchmark problem, and the resulting specifications and proofs of properties have been evaluated and compared. First the problem to be specified is described, then any further assumptions made are documented. The specifications in Timed Z [5], Timed CSP [2], Timed CCS [1], and TE-LOTOS [11] are presented next, and indications are given as to how the proofs of the required properties proceed. The paper finishes with some conclusions about both the case study and the specification languages used.

2 The Generalised Railway Crossing
The generalised railway crossing problem has been promulgated as a benchmark for the use of formal methods in the specification, design and analysis of real time systems. It has been specified using a range of techniques, a selection of which can be found in [8]. The statement of the problem, taken from [6], is as follows:

The system to be developed operates a gate at a railroad crossing. The railroad crossing I lies in a region of interest R, i.e. $I \subseteq R$. A set of trains travel through R on multiple tracks in both directions. A sensor system determines when each train enters and exits region R. To describe the system formally, we define a gate function $g(t) \in [0, 90]$ where $g(t) = 0$ means the gate is down and $g(t) = 90$ means the gate is up. We also define a set $\{\lambda_i\}$ of occupancy intervals, where each occupancy interval is a time interval during which one or more trains are in I. The ith occupancy interval is represented as $\lambda_i = [\tau_i, \nu_i]$ where $\tau_i$ is the time of the ith entry of a train into the crossing when no other train is in the crossing and $\nu_i$ is the first time since $\tau_i$ that no train is in the crossing (i.e. the train that entered at $\tau_i$ has exited, as have any trains that entered the crossing after $\tau_i$).
Given two constants $\xi_1$ and $\xi_2$, $\xi_1 > 0$, $\xi_2 > 0$, the problem is to develop a system to operate the crossing gate that satisfies the following two properties:
Safety Property: $t \in \bigcup_i \lambda_i \Rightarrow g(t) = 0$ (The gate is down during all occupancy intervals.)
Utility Property: $t \notin \bigcup_i [\tau_i - \xi_1, \nu_i + \xi_2] \Rightarrow g(t) = 90$ (The gate is up when no train is in the crossing.)
This description, though seemingly comprehensive, contains a number of ambiguities and omissions which will be described in the following section.

Assumptions
A number of assumptions had to be made about the problem as stated above before progress could be made. The first was related to the positioning of sensors in R. The problem formulation states that $I \subseteq R$, giving no hint as to where the sensors should be in relation to I. It was assumed that there is a sensor to detect when a train starts to enter R, and a sensor to detect when a train has completely left I.
The second major assumption is that the trains using the crossing behave like real world trains. In particular the following should be obeyed: all trains which enter R must leave R; all trains which leave R must have entered R (these two requirements express the principle of Conservation of Trains); and only a finite number of trains may enter R in a finite time. The consequence of any of these assumptions being false is that there would be a loss of utility, safety or both.
The final assumption was that the crossing hardware works perfectly; for example if an up signal was sent to the hardware controlling the gate then it would accept that signal and start to move the gate up.

Constraints
When considering the constraints on the parameters to the problem it is useful to consider the time-line in Figure 1.

Figure 1: Time-line for the railway crossing problem

Various weak constraints on the parameters of the problem are given in [7]; these are summarised in Table 1.
The constraints presented in Table 1 may be strengthened using reasonable real-world assumptions as follows: it is assumed that useless raising and lowering of the gate, i.e. without allowing sufficient time ($\gamma_{car}$) for a car to pass through, is unacceptable. This follows the version of the problem presented in Appendix D of [7] and results in the constraint: if a signal to raise the gate is sent at time t, then at no time between t and $t + \gamma_u + \gamma_{car}$ is a signal to lower the gate sent. This is called the Common Sense Property. It is interesting to reflect on an imaginary abstracted version of the English specification of the problem, in which the requirements remain the same but no reference is made to any real-world system. Then we would have no reason to derive the Common Sense Property; only our knowledge of real railway crossings drives us to do this.

Timed Z
In this section, a `model-based' approach is illustrated in the specification of the railway crossing problem. It is shown how the Z notation [15] can be used to model elegantly both the static (state and operations) and dynamic (real-time) behaviour of the system. The work is based on the conventions outlined in [5] for applying Z to concurrent and real-time systems.

Approach
The classical Z style of specification provides a powerful and expressive means of describing the `static' behaviour of a system. However, it is less clear how to describe the dynamic behaviour of systems in Z. This aspect is essential for the specification of concurrent and real-time systems. This limitation is overcome by adopting the following extended Z specification approach:
(1) Specify the state and operations of the system in the conventional Z style (this is the static specification). Timing considerations are ignored at this stage.
(2) Augment this with a specification of the system's allowable real-time behaviour (this is the dynamic specification). Real-time behaviour is formalised in terms of an infinite sequence of states and times.

The Static Specication
The static specification of the GRC is divided into two components: Trains, which keeps track of the trains in R, and Gate, which describes the state and operations of the gate mechanism. This completes the `static' specification of the system. However, the specification as it stands says nothing about the behaviour of the system over time. This is the objective of constructing the dynamic specification.

The Dynamic Specication
The first step in writing the dynamic specification is to construct a next-state schema. This is the disjunction of the GRC's operations. It represents the fact that an atomic step in the GRC's behaviour may be caused by any of its operations:
The timed requirements of the system can now be specified. First, we introduce the global constants and their constraints:
The combined system state and initial state schemas are obtained by the conjunction of the trains' and gate's state schemas and initial state schemas:
The system's behaviour can now be specified. A behaviour (represented as an infinite sequence of GRC states and times) is valid if: (a) it is a valid computation of the system, and (b) the execution of the EnterI, Down and Up operations are restricted by certain lower and upper time bounds:

$TimedBehaviour : \mathrm{seq}_1(GRC \times \mathbb{N})$
$validcomp_t(\{GRCInit \bullet \theta GRC\},\ \{GRCNS \bullet \theta GRC \mapsto \theta GRC'\})$
$\forall t : TRAIN \bullet bounds(\{EnterI \bullet \theta GRC \mapsto \theta GRC'\},\ \xi_1,\ \xi_2)$
$bounds(\{Down \bullet \theta GRC \mapsto \theta GRC'\},\ 0,\ \gamma_d)$
$bounds(\{Up \bullet \theta GRC \mapsto \theta GRC'\},\ 0,\ \gamma_u)$

Briefly, the relation $validcomp_t$ is true for all behaviours in which the first state in the sequence, at time 0, belongs to the set of initial states and each subsequent state is related to the previous one by the next-state schema or the ticking of the clock. An operation in the behaviour is bounded with lower and upper time limits l and u if, once enabled at t, it executes within t + l and t + u or it is disabled.
Here the bounds of EnterI are the earliest and latest times that a train can enter the gate after entering R. The bounds of Down and Up are the upper bounds on the time required to lower and raise the gate. Note, the bounds of EnterI have been quantified over all trains. In effect this associates an implicit timer with each train, ensuring that they will all meet their deadlines for entering I.
As an example, consider a possible behaviour of the gate in which the gate first starts going down at time t = 2; the gate must then be lowered by time $\gamma_d + 2$ (the bound is asserted from the first point in time that the operation Down is enabled).
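The bounds relation used above can be checked mechanically on a finite prefix of a behaviour. The following Python script is an added example; it is not part of the paper and does not follow the Z conventions of [5] literally. It assumes a behaviour represented as a list of (state, time) pairs (an operation step changes the state and keeps the time, a clock tick keeps the state and advances the time), a hypothetical encoding of the gate state as the strings 'up', 'going_down', 'down' and 'going_up', and a constructed value of 3 for the gate-lowering constant.

```python
# Added example: checking the Timed Z "bounds" relation on a finite behaviour.
# A behaviour is a list of (state, time) pairs. The gate state encoding and the
# value GAMMA_D = 3 are constructed for this illustration.

GAMMA_D = 3  # assumed value of the paper's gate-lowering time constant


def bounds_ok(behaviour, enabled, fired, lower, upper):
    """bounds(op, lower, upper): whenever op becomes enabled at time t it must
    fire at some time in [t + lower, t + upper] unless it is disabled first."""
    enabled_since = None  # time op was last (re-)enabled; None when not enabled
    for idx in range(len(behaviour) - 1):
        state, t = behaviour[idx]
        nxt, t_next = behaviour[idx + 1]
        if enabled_since is None and enabled(state):
            enabled_since = t
        if enabled_since is None:
            continue
        if fired(state, nxt):
            if not (enabled_since + lower <= t_next <= enabled_since + upper):
                return False            # fired outside the permitted window
            enabled_since = None
        elif not enabled(nxt):
            enabled_since = None        # disabled before firing: obligation discharged
        elif t_next > enabled_since + upper:
            return False                # still enabled after the deadline has passed
    return True


# Down is enabled while the gate is going down and fires when it reaches 'down'.
def down_enabled(gate):
    return gate == "going_down"


def down_fired(before, after):
    return before == "going_down" and after == "down"


def down_bounds_ok(behaviour):
    """bounds(Down, 0, GAMMA_D) on the given behaviour."""
    return bounds_ok(behaviour, down_enabled, down_fired, 0, GAMMA_D)


# Constructed behaviours: the gate starts going down at time 2, so Down must
# have occurred by time 2 + GAMMA_D = 5.
GOOD = [("up", 0), ("up", 2), ("going_down", 2), ("going_down", 4), ("down", 4), ("down", 9)]
LATE = [("up", 0), ("up", 2), ("going_down", 2), ("going_down", 6), ("down", 6)]

if __name__ == "__main__":
    print("GOOD:", down_bounds_ok(GOOD))   # True
    print("LATE:", down_bounds_ok(LATE))   # False
```

The checker treats "disabled before firing" as discharging the obligation, which is exactly the escape clause in the definition of bounds; a behaviour in which the gate is still going down after the deadline is rejected even though no Down step has yet occurred.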

Adding the Safety and Utility Properties
Unfortunately, the above specification as it stands does not guarantee the required Safety and Utility Properties. This is because no constraints have been specified on the interaction between the trains and gate. Therefore, the specification must be strengthened to rule out invalid behaviours.

Safety Property
In order to ensure the Safety Property is preserved the following invariant is added to the system state:
$(\exists t : trains \bullet position(t) = I) \Rightarrow gate = down$
The gate is always down when there are trains in the crossing.

Utility Property
The time bound restriction expressed by the Utility Property is a more complicated temporal property. Additional operations are therefore added to strengthen the specification with the additional properties. There are two cases to be considered:
1. The time from when the gate starts going down until some train enters I is bounded by $\xi_1$. This behaviour can be specified by a new operation EnterIU:
$EnterIU \mathrel{\widehat{=}} [EnterI;\ Gate \mid gate = going\_down]$
A new time bound must also be added to assert that the operation must occur within $\xi_1$ seconds.
2. From when the crossing becomes empty, either the time until the gate is up is bounded by $\xi_2$ or else the time until a train is in I is bounded by $\xi_1 + \gamma_{car} + \xi_2$.
Again, this can be specified by the addition of further operations to the system. The first operation includes the components of Up but also has the additional pre-condition that the crossing is empty. It has the upper time bound of $\xi_2$:
$UpU \mathrel{\widehat{=}} [Up;\ Trains \mid \forall t : TRAIN \bullet position(t) \neq I]$
The second operation includes the components of EnterI but also has the additional pre-condition that the crossing is empty. It has the upper time bound $\xi_1 + \gamma_{car} + \xi_2$:
$EnterIU_2 \mathrel{\widehat{=}} [EnterI \mid \forall t : TRAIN \bullet position(t) \neq I]$
The requirement that either time bound must hold is specified as the disjunction of the two possible time bounds:
$bounds(\{UpU \bullet \theta GRC \mapsto \theta GRC'\},\ 0,\ \xi_2) \;\lor\; bounds(\{EnterIU_2 \bullet \theta GRC \mapsto \theta GRC'\},\ 0,\ \xi_1 + \gamma_{car} + \xi_2)$

Discussion
This section has illustrated an alternative model-based approach to the specification of the generalised rail-road crossing problem using Z. The specification that resulted was similar to that obtained by Heitmeyer and Lynch using timed automata. However, rather than incorporating time within the state itself, we have incorporated it within an additional specification of the system's behaviour. This has the great advantage of providing a separation of concern between static and timed behaviour, which is missing from Heitmeyer's and Lynch's specification. This approach also resulted in much simpler specifications. The main disadvantage of the approach however is in the verification of the system's properties. Because Heitmeyer and Lynch treat time as just another state variable, they are able to use traditional assertional proof techniques to verify required properties with little difficulty. In the approach outlined above, it will be necessary to develop new proof techniques for inferring properties of timed computations from operations and their bounds. This area of work is currently under investigation.

Timed CSP
Timed CSP is an extension of CSP. The first model for Timed CSP was proposed by Jones [9], which proved unsatisfactory for a number of technical reasons. It was suggested that a better model could be obtained by recording the events refused during the observation of a trace; this is a feature of the later and more successful model proposed by Reed and Roscoe [13]. Then, Davies and Schneider in [2,14] extended Reed and Roscoe's model to include specifications and a proof system. In this section we use Timed CSP to describe the railroad crossing problem. We prove that the Timed CSP implementation satisfies the Safety and Utility Properties required, but do not consider the Common Sense Property. The application of the proof system for Timed CSP is simple and efficient.
To introduce timing information into CSP, several assumptions are required:
Real Time. The non-negative real numbers are used for the time domain.
Global Clock. All observations are recorded with reference to an imaginary global clock.
Instantaneous Events. All events have zero duration.
Finite Speed. No process can engage in infinitely many events within a finite time interval.
Hiding and Control. Observable events cannot occur without the cooperation of the environment. Hidden events do not require the cooperation of the environment, and occur as soon as they become available.
Delay Constant. To preserve causality, a positive delay constant is chosen as a lower bound between consecutive events in a sequential process. This ensures that if the occurrence of event a makes another event b possible, then b cannot occur at the same time as a. For simplicity, when the inference rules for Timed CSP are applied in the following, the constant time delay is omitted, assuming that it is too small to affect our processes.
Proof: (By induction on the length of the trace.) As this property is independent of timing considerations, we can use the untimed trace proof system. See Appendix A.

□
A number of predicates for structured specifications are defined as follows.
$a \text{ from } t \text{ until } t'\ (s, X) \mathrel{\widehat{=}} a \notin \sigma(X \restriction [t, \min\{t', \mathrm{begin}(s \restriction [t, \infty) \restriction a)\}))$
If the offer of a has not been accepted by time $t'$, the process may retract without violating the liveness specification. If a process satisfies this specification, event a must become available at time t, and must remain available until either time $t'$ or the time at which the next a is observed, whichever is smaller.
Proof: The proof of this lemma uses the Timed CSP proof system. In the following, $S_P(s, X)$ represents the strongest specification satisfied by process P. We begin by observing that the bodies of the mutual recursions are constructive, providing that $t_{u1} > 0$. We may then apply the inference rule for mutual recursion, reducing our proof obligation to
(2) $k \xrightarrow{t_{u1}} down@t_1\{t_s\} \to X_2$ sat (1)
and
(3) $m \to (up@t_2\{t_{u2}\} \to X_1 \;\Box\; k@t_3 \to up@t_4\{t_o\} \xrightarrow{t_{u1} - t_4} down@t_5\{t_s\} \to X_2)$ sat (1)
under the assumption that $X_1$ and $X_2$ both satisfy (1). It is easy to prove by induction that the k in (2) is not immediately preceded by an m, but the k in (3) is.

Lemma 3 $Gate$ sat $m$ at $t \Rightarrow up$ live $[t, t + t_{u2}]$.
Proof: The proof of this lemma is similar to that of Lemma 2 and is omitted to save space.
As already mentioned in Lemma 2 and Lemma 3, it can only be ascertained that the CSP processes will be ready to send the proper signals at the required times to achieve the Safety and Utility Properties. However we cannot guarantee the Safety and Utility Properties if the environment does not cooperate. For example, if the gate is jammed while up, the Safety Property will be violated even if the CSP processes behave properly. Therefore, in the proof of the following theorems, the assumptions about the environment found in Lemma 2 and Lemma 3 are made.
Theorem 1 (The Safety Property) Main satisfies the Safety Property provided that the environment cooperates as expected (where $\tau_i$ is the time when the ith train enters crossing I and $\nu_i$ is the time when the ith train leaves the crossing).
Proof: By induction on the number of trains which have passed R.
Base: The initial state of the system is: No train has entered R yet (i = 0) and the gate is up. So the theorem holds.
Induction hypothesis: Assume the theorem holds for the first n trains, that is, for $n \ge 0$, $t \in \bigcup_{i=0}^{n} [\tau_i, \nu_i] \Rightarrow g(t) = 0$.
Induction step: The next train enters R. There are two cases:
(a) It is the first train entering an empty R region at time $t_{n+1}$ after the last train in R has left the crossing, i.e., $t_{n+1} > \nu_{last}$. By Lemma 1, the control of Counter is at the beginning of $Counter_1$ and $(t_{n+1}, k) \in s$. By Lemma 2, down will be sent before $t_{n+1} + \xi_1 - \gamma_d$, i.e., the gate will be fully closed before $t_{n+1} + \xi_1 \le \tau_{n+1}$ (a train cannot reach I in less than $\xi_1$ after entering R). We have $g(t_{n+1} + \xi_1) = 0$.
By Lemma 1, we have that m will be sent only after this train has left the crossing, which means that the gate will remain closed during $[\tau_{n+1}, \nu_{n+1}]$ ($\subseteq [t_{n+1} + \xi_1, \nu_{n+1}]$), as required.
(b) The next train enters R before it becomes empty. Then, by the induction hypothesis and our assumption, the gate will be lowered before the first train in R reaches the crossing and remain closed at least until the last train (including this one) leaves R.
□
Theorem 2 (The Utility Property) Main satisfies the Utility Property, that is, $t \notin \bigcup_i [\tau_i - \xi_1, \nu_i + \xi_2] \Rightarrow g(t) = 90$.
Proof: By induction on the number of trains which have passed R. The proof method is similar to the preceding, so is omitted to save space.

Conclusions
Timed CSP is an elegant formal method for real-time systems. The language is concise and expressive; the proof system is easy to use.
One addition to the original Timed CSP is the bounded timer, described in Davies [3]. This operator allows us to model the railway crossing system in such a way that once the up signal is sent and the gate is going up, there should be enough time for the gate to be fully raised and some cars to pass through the crossing. We cannot enforce this without a timer with an upper bound, $a@t\{d\}$. It can also simplify process Gate in that we could put an upper time bound for sending an up or down signal by using a timer instead of a time-out operator.

Timed CCS
Timed CCS [1] is an extension of CCS [12]. The time domain is assumed to have a total ordering and unique top and bottom elements, allowing time to be either discrete or dense. The only change Timed CCS makes to the syntax of CCS is in the definition of the prefix operator. The expression $\alpha(t)^{e'}_{e}.E$ means that the action $\alpha$ takes place at some time in the closed interval $[e, e']$ and the process then behaves as E, where only $e'$ is allowed to be $\infty$. The time variable t takes on the value of the time at which action $\alpha$ takes place, and E proceeds with all free occurrences of t in E substituted by this time, allowing time dependencies between actions to be described. For example $\alpha(t)^{e'}_{e}.\beta(s)^{t+3}_{t+1}.E$ denotes that $\beta$ occurs between 1 and 3 time units after $\alpha$. For convenience $\alpha(t)^{\infty}_{0}.E$ is written as $\alpha.E$. A derived operator, time prefix, has been used below, where the expression $(e)E$ represents a process which behaves as E after a delay of time e.

The Timed CCS Specication of the Railway Crossing
If the Common Sense Property is to be satisfied then further constraints can be derived. In particular, if the gate is ever to be raised after the first train has passed through, as implied by the Utility Property, then the Safety and Common Sense Properties together imply that $\xi_1 \ge \gamma_u + \gamma_{car} + \gamma_d$. The consequence of this is that if a train enters R after the last train has left and the gate is still down then there is enough time to open the gate without violating either the Common Sense Property or the Safety Property. This has led to a more complicated specification with a number of branching points, where each branch corresponds to the amount of time between trains arriving at and departing from R.
As in the Timed CSP specification, the main process consists of the parallel composition of two processes:
$Main \stackrel{def}{=} (Counter \mid Gate) \setminus \{k, m\}$
The Counter has the same purpose and behaviour as that in section 5. Introducing the Common Sense Property has complicated the definition of the Gate process:
$Gate \stackrel{def}{=} k(t).down(s)^{t_2}_{t_1}.Gate'$
$Gate' \stackrel{def}{=} m(t).\big(up(s)^{t_3}_{t}.((\gamma_u + \gamma_{car})Gate + k(r)^{t_4}_{s}.down(p)^{t_6}_{t_5}.Gate') + k(s')^{t_3}_{t}.up(r')^{t_7}_{s'}.down(p')^{t_9}_{t_8}.Gate'\big)$
This is best explained by reference to Figure 2. The remarkable increase in complexity of the Gate process by comparison with the analogous Timed CSP process is due solely to the strengthening of the requirements to account for the Common Sense Property. This allows three forms of behaviour in the case where the only train in R leaves that region:
1. The gate is fully raised and there is enough time ($\gamma_{car}$) for a car to cross the crossing before the next train enters R. In this case control follows the branch labelled 1 in Figure 2.
2. The next train enters R after the signal to raise the gate has been sent, but before a car has had time to cross the crossing. In this case control follows branch 2.
3. The next train enters R before the signal to raise the gate has been sent. In this case control follows branch 3. It is this behaviour that is not permitted in the Timed CSP specification.
The values of the various time expressions, $t_1 \ldots t_9$, are given below along with a discussion of their significance.
$t_1 = t + \xi_2 - \xi_1$: the signal to close the gate must not be sent before the utility point.
$t_2 = t + \xi_1 - \gamma_d$: the signal to close the gate must be sent no later than the safety point.
$t_3 = t + \xi_2 - \gamma_u$: ensures that the signal to open the gate is sent before the second utility point.
$t_4 = s + \gamma_u + \gamma_{car}$: if a k is received by this time then a new train has arrived before a car has gone through the crossing.
$t_5 = r + \max(\gamma_u + \gamma_{car} - r + s,\ \xi_2 - \xi_1)$: if a new train has arrived then wait at least long enough for a car to get through or until the first utility point, whichever is later.
$t_6 = r + \xi_1 - \gamma_d$: analogous to $t_2$, but for a different train.
$t_7 = s' + \min(\xi_2 - \gamma_u - s' + t,\ \xi_1 - \gamma_u - \gamma_{car} - \gamma_d)$: if a new train arrives before the up signal has been sent then send it at least early enough for a car to get through, but if the second utility point is earlier then send it at that time.
$t_8 = r' + \max(\gamma_u + \gamma_{car},\ \xi_2 - \xi_1 - r' + s')$: the earliest time to send a signal to close the gate is after a car has got through or the first utility point, whichever is later.
$t_9 = s' + \xi_1 - \gamma_d$: analogous to $t_2$.

5.2.2 Proofs of Properties
Timed CCS has a proof system for strong equivalence between processes, which is useful for refinement, but has no system for demonstrating that a process has particular properties. An extension of Hennessy-Milner logic is discussed in [1], but is not developed sufficiently to be useful. Therefore an analysis of the various pathways through the state space of Gate was used to establish the required properties of Safety, Utility and Common Sense. The properties required by Counter have been established in the section on Timed CSP, so their proof will not be repeated here.
Theorem 3 The specification satisfies the Safety Property.
Proof 1 This is established by demonstrating that the upper bound on the time taken to send a down signal after a k has been received guarantees safety. The analysis for branch 2 of Figure 2 is given below; other cases are similar.
Branch 2 corresponds to the sequence of actions $k(r)^{t_4}_{s}.down(p)^{t_6}_{t_5}.Gate'$. In order to prove safety it is necessary to show that the upper bound on down is safe, and that the upper bound is greater than the lower bound. Since $t_6 = r + \xi_1 - \gamma_d$, where r is the time of the last k event, the upper bound is clearly safe. The second requirement is discharged by demonstrating that
$r + \xi_1 - \gamma_d \ge r + \max(\gamma_u + \gamma_{car} - r + s,\ \xi_2 - \xi_1)$
which requires two cases:
Case 1: $r + \xi_1 - \gamma_d \ge r + \xi_2 - \xi_1 \iff \xi_1 - \gamma_d \ge \xi_2 - \xi_1$. This is one of the initial assumptions.
Case 2: $r + \xi_1 - \gamma_d \ge s + \gamma_u + \gamma_{car} \iff \xi_1 - \gamma_u - \gamma_{car} - \gamma_d \ge s - r$. From the initial assumptions, the left hand side of this inequality is $\ge 0$, while it is known that time s is before r, therefore the right hand side is $\le 0$, concluding the proof. □
Both the Utility and the Common Sense Properties can be proven in a similar way to this. The details are omitted to save space.
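The two-case argument for branch 2 can be exercised numerically. The Python script below is an added example, not part of the paper; it encodes the bounds $t_4$, $t_5$ and $t_6$ of the Gate' process and the proof obligations of Theorem 3 for branch 2, then enumerates all small integer values of the constants that satisfy the stated assumptions and every admissible pair of event times (s, r). The variable names xi1, xi2, g_down, g_up and car stand for $\xi_1$, $\xi_2$, $\gamma_d$, $\gamma_u$ and $\gamma_{car}$; the requirement $\xi_2 \ge \xi_1$ is taken from the bounds on EnterI in the Timed Z section, and all numeric values are constructed.

```python
# Added example: checking the Timed CCS branch-2 time window of Gate'.
# xi1/xi2 stand for the problem constants, g_down/g_up for the gate lowering and
# raising times and car for the time a car needs to pass through the crossing.
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Constants:
    xi1: int     # earliest time a train can reach I after entering R
    xi2: int     # latest time a train can reach I after entering R
    g_down: int  # time taken to lower the gate
    g_up: int    # time taken to raise the gate
    car: int     # time for a car to pass through the crossing

    def assumptions_hold(self):
        """The constraints the proof relies on."""
        return (self.xi1 > 0 and self.xi2 >= self.xi1
                and self.xi1 >= self.g_up + self.car + self.g_down    # Safety + Common Sense
                and self.xi1 - self.g_down >= self.xi2 - self.xi1)    # initial assumption used in Case 1


def branch2_window(c, s, r):
    """Branch 2: up was sent at time s and the next k arrives at r with s <= r <= t4.
    Returns (t5, t6), the interval within which down must be sent."""
    t4 = s + c.g_up + c.car
    if not s <= r <= t4:
        raise ValueError("k at %s is outside [s, t4] = [%s, %s]" % (r, s, t4))
    t5 = r + max(c.g_up + c.car - r + s, c.xi2 - c.xi1)
    t6 = r + c.xi1 - c.g_down
    return t5, t6


def branch2_safe(c, s, r):
    """The obligations of the proof of Theorem 3 for branch 2, plus Common Sense."""
    t5, t6 = branch2_window(c, s, r)
    gate_down_in_time = t6 + c.g_down <= r + c.xi1    # fully down before the train can reach I
    no_useless_lowering = t5 >= s + c.g_up + c.car    # a car has had time to cross since up
    return t5 <= t6 and gate_down_in_time and no_useless_lowering


def exhaustive_check(limit=6):
    """Enumerate all small integer constants satisfying the assumptions and every
    admissible (s, r); return (True, number_checked) or (False, counterexample)."""
    checked = 0
    for xi1, xi2, g_down, g_up, car in product(range(1, limit + 1), repeat=5):
        c = Constants(xi1, xi2, g_down, g_up, car)
        if not c.assumptions_hold():
            continue
        for s in range(0, 3):
            for r in range(s, s + g_up + car + 1):
                if not branch2_safe(c, s, r):
                    return False, (c, s, r)
                checked += 1
    return True, checked


def counterexample_without_assumption():
    """Dropping xi1 - g_down >= xi2 - xi1 breaks Case 1: the window becomes empty."""
    c = Constants(xi1=3, xi2=6, g_down=1, g_up=1, car=1)  # xi1 - g_down = 2 < xi2 - xi1 = 3
    t5, t6 = branch2_window(c, s=0, r=2)
    return t5 > t6


if __name__ == "__main__":
    print(exhaustive_check())
    print(counterexample_without_assumption())
```

The enumeration confirms the two cases of the proof (the lower bound never exceeds the upper bound when the assumptions hold), and the final function shows that the assumption singled out in Case 1 is really needed: without it the down window of branch 2 can be empty.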

TE-LOTOS
The process algebra TE-LOTOS (Time Extended LOTOS) is a timed extension to the ISO standard specification language LOTOS. It is a proper superset of LOTOS, and so allows all the great expressiveness of that language, with enabling, hiding, interrupts, guards, etc. Certain LOTOS operators are given new features in TE-LOTOS, notably (timed) transitions, in which events may be specified to occur between given time bounds.
The hide operator is used to ensure that events k and m occur instantly when processes Gate and P3 (respectively) have control. TE-LOTOS has a Maximal Progress Assumption that ensures this.
Wherever a min or max occurs, it means that there are two properties which must both be satisfied, and we have no information from the English specification as to which is the stronger property.

Discussion of Proofs
The proof style we shall adopt is a state-based analysis of the time bounds existing between moments when control is passed from one sub-process to another. We observe that two of the sub-processes, namely Gate and P3, act as `time cancellers' in that after one of these sub-processes has taken control (say at time t) then no further references are made to times s < t. It is no coincidence that the time cancelling processes feature an instantaneous event (k or m) whose exact time of execution is known to the process, through the Counter, nor that these processes relinquish control at moments crucial to the Safety, Utility and Common Sense Properties.
For clarity we have split the flow of control in the diagram into four streams, one beginning at Gate and three at P3. Which of the streams is followed after P3 is uniquely determined by the timing of the next k event. The time bounds given on an arc between two processes A and B represent the earliest and latest times, relative to the time when the last time cancelling process relinquished control, that control can be passed from A to B. Some of these bounds are necessarily complex, but the work done in constructing the four fragments of the flow-of-control graph is justified when we come to prove the Safety, Utility and Common Sense Properties: we find that the worst case timing can simply be read off the graph and the properties are easily proved.
Various generic properties of the specification must be checked: the specification is a legal piece of TE-LOTOS; all upper bounds are greater or equal to zero, etc. We will not give these proofs here.
In order to simplify the proof, we observe that the up and down events are driven by the m and k events respectively, and that in any trace:
1. if we consider only the up and down events, we find that they alternate, beginning with down;
2. if we consider only the k and m events, we find that they alternate, beginning with k;
3. $|down| \le |k| \le |down| + 1$;
4. $|up| \le |m| \le |up| + 1$;
where $|x|$ is the number of occurrences of event x in the trace.
This means that in order to show the desired properties, we need only consider situations in which an up or down event is `triggered' by an m or k event respectively. There are no extraneous occurrences of up or down.
It has already been shown in the proof of correctness of the Timed CSP specification that the Counter process functions correctly. We will not duplicate the proof here.
Theorem 4 The specification satisfies the Safety Property.
Proof 2 We are required to show that in a state in which a k event occurs, i.e. a train enters an otherwise empty R, the greatest upper bound until the gate is fully down is no greater than $\xi_1$, the shortest time in which the train can reach I.
We will demonstrate the proof in the most complex case, when P3, P4, Q1, Q2, Q3, P3 successively have control. We require only to show that the upper bound on the time at which Q3 passes control to P3, i.e. the event down occurs, is no greater than $\xi_1 - \gamma_d$, and then (under the assumption that the physical gate functions properly) we have $g(s) = 90$ (the gate is fully down) if s is the moment the next train reaches I.
The proof proceeds by cases.
Case 1: $\xi_2 - \gamma_u - s \le \xi_1 - \gamma_u - \gamma_{car} - \gamma_d$. Then $t''' = \xi_2 - \gamma_u - s$.
Subcase 1a: $\gamma_u + \gamma_{car} \ge \xi_2 - \xi_1 - t'''$. Now
$\min\{\xi_1 - t''' - \gamma_u - \gamma_{car} - \gamma_d,\ \xi_1 - \gamma_d - \xi_2 + \xi_1\} = \xi_1 - t''' - \gamma_u - \gamma_{car} - \gamma_d$.
Now by adding the upper time bounds of Q1, Q2 and Q3 we find that the maximum amount of time that can pass between a k event and a down event is
$(\xi_2 - \gamma_u - s) + (\gamma_u + \gamma_{car}) + \min\{\xi_1 - (\xi_2 - \gamma_u - s) - \gamma_u - \gamma_{car} - \gamma_d,\ \xi_1 - \gamma_d - \xi_2 + \xi_1\}$
$\le (\xi_2 - \gamma_u - s) + (\gamma_u + \gamma_{car}) + \xi_1 - (\xi_2 - \gamma_u - s) - \gamma_u - \gamma_{car} - \gamma_d = \xi_1 - \gamma_d$
as required.
Again adding the upper bounds we find that the maximum amount of time that can pass between a k event and a down event is
$t''' + (\gamma_u + \gamma_{car}) + \min(\xi_1 - t''' - \gamma_u - \gamma_{car} - \gamma_d,\ \xi_1 - \gamma_d - \xi_2 + \xi_1) \le t''' + \gamma_u + \gamma_{car} + \xi_1 - t''' - \gamma_u - \gamma_{car} - \gamma_d = \xi_1 - \gamma_d$
as required.
Subcase 2b: $\gamma_u + \gamma_{car} < \xi_2 - \xi_1 - t'''$. Again adding the two upper bounds we find that the maximum amount of time that can pass between a k event and a down event is
$t''' + (\xi_2 - \xi_1 - t''') + \min(\xi_1 - t''' - \gamma_u - \gamma_{car} - \gamma_d,\ \xi_1 - \gamma_d - \xi_2 + \xi_1) \le t''' + \xi_2 - \xi_1 - t''' + \xi_1 - \gamma_d - \xi_2 + \xi_1 = \xi_1 - \gamma_d$
as required.
These four cases are exhaustive, so we have proved safety for the path P4, Q1, Q2, Q3, P3. The proofs for the other two paths from P3 are similar but rather easier.

□
Theorem 5 The specification satisfies the Utility Property.
Proof 3 We may divide this property into Inward Utility and Outward Utility.
Inward Utility. We are required to show that from all states at which a down signal is sent, the delay until the arrival of a train in I is no greater than $\xi_1$, or equivalently that no down signal is sent unless at least $\xi_2 - \xi_1$ time units have passed since a k event, and there has been no m event since this k event.
Outward Utility. We are required to show that within $\xi_2$ time units of an m event the gate reaches a fully up position.
In each case a little manipulation of the information on the graph suffices to prove the property and we omit the details. □
Theorem 6 The specification satisfies the Common Sense Property.
Proof 4 We are required to show that if an up signal is sent at time t then no down signal is sent between t and $t + \gamma_u + \gamma_{car} + \gamma_d$. It is a simple matter to read this information off the graph. □

6 Conclusions
6.1 Evaluating the Specifications
6.1.1 Comparison of the Process Algebra Specifications
It was found that the expressiveness of the process algebras used was essentially equivalent, though individually they have different features. In particular the lack of indexed families of processes in TE-LOTOS required the passing of values between processes; also Timed CCS is the only one to use absolute rather than relative time. It should be noted that the difference in complexity between the Timed CSP and the Timed CCS and TE-LOTOS specifications is solely a consequence of the different assumptions used in their development. The major difference between them became evident during the development of the proofs: only Timed CSP has a well developed proof system.
In conclusion it appears that the choice of which process algebra to use is a matter of personal taste.
6.1.2 Comparison of the Timed Z and Process Algebra Specifications
The major difference between the Timed Z specification and the process algebra specifications is the level of abstraction. The Timed Z specification can be thought of as closer to the English description of the problem than are the process algebra specifications. This is evident in the fact that fewer of the auxiliary assumptions that were discovered while developing the process algebra specifications were needed in the Timed Z specification. The consequences of this observation are that a Timed Z specification will need considerable refinement to reach an implementation, but that the initial specification gives a readily understandable overview of the system under consideration.

Evaluating the Generalised Railway Crossing
The Generalised Railway Crossing problem is a useful benchmark problem for real time systems. It has proved to be more difficult than was evident upon initial investigation; specifically, determining the auxiliary assumptions and time bounds for events was quite demanding, particularly since not all could be derived by analysing the statement of the problem; others were a consequence of knowledge of real world railway crossings.
The approach taken in this paper follows the statement of the problem very closely, unlike some other attempts in the literature. For example, [16] narrows the problem so far as to have produced an implementation, while [10] makes unjustified assumptions about extra sensors. In general the customer's statement of requirements should be respected as far as possible, and deviations from it should only be made when justified by ambiguities and omissions in the original statement.
Appendix A
(a) If another train enters R, we have $\langle a, k, a\rangle \downarrow a - \langle a, k, a\rangle \downarrow l = 2$ and the control goes to $Counter_2$. (b) If the first train leaves R, we have $\langle a, k, l\rangle \downarrow a - \langle a, k, l\rangle \downarrow l = 0$ and Counter goes to $Counter_0$; signal m is then sent and we have $\langle a, k, l, m\rangle \downarrow a - \langle a, k, l, m\rangle \downarrow l = 0$ and the control goes to the beginning of Counter.
Induction hypothesis: Assume the lemma holds for trace tr with $|tr| = n$, for $n \ge 0$. Induction step: We consider $tr \frown \langle e\rangle$, where e is in $\{a, l, k, m\}$. Assume the control is at the beginning of $Counter_i$ with tr, for $i \ge 0$, and $tr \downarrow a - tr \downarrow l = i$. There are two cases to consider.
First, we consider the case where $i \ge 1$, that is, $Counter_i \stackrel{def}{=} a \to Counter_{i+1} \sqcap l \to Counter_{i-1}$. By the definition of internal choice $\sqcap$, there are two ways for $Counter_i$ to go: (a) If another train enters R, we have $(tr \frown \langle a\rangle) \downarrow a - (tr \frown \langle a\rangle) \downarrow l = tr \downarrow a + 1 - tr \downarrow l = i + 1$ and the control goes to $Counter_{i+1}$. (b) If another train leaves R, we have $(tr \frown \langle l\rangle) \downarrow a - (tr \frown \langle l\rangle) \downarrow l = tr \downarrow a - (tr \downarrow l + 1) = i - 1$ and the control goes to $Counter_{i-1}$. Secondly, we consider the case where $i = 0$. We have $Counter_0 = m \to Counter$ and $tr \downarrow a - tr \downarrow l = 0$. By the definition of event prefix, tr can only be extended by an m. We have $(tr \frown \langle m\rangle) \downarrow a - (tr \frown \langle m\rangle) \downarrow l = 0$, and the control goes to the beginning of Counter, which concludes the proof.
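The lemma proved above, together with the four trace observations used in the TE-LOTOS proof (alternation of k and m, and the counts of down and up relative to k and m), can be exercised on concrete traces. The Python script below is an added example, not part of the paper: it simulates the Counter process over a constructed sequence of environment events (a = a train enters R, l = a train leaves R), inserts the hidden k and m signals where the process emits them, and checks that every prefix of the resulting trace satisfies $tr \downarrow a - tr \downarrow l = i$ and the k/m alternation. The event names follow the paper; the environment traces are constructed.

```python
# Added example: simulating the Counter process and checking the trace properties
# used in the proofs. a = train enters R, l = train leaves R, k = first train enters
# an empty R, m = last train leaves R (k and m are the hidden signals to the gate).


def counter_trace(environment):
    """Run Counter over a sequence of external events 'a'/'l', inserting the hidden
    k and m signals where the process emits them. Returns the full trace.
    Raises ValueError if the environment violates Conservation of Trains."""
    trace, i, in_region = [], 0, False
    for e in environment:
        if e not in ("a", "l"):
            raise ValueError("unknown event %r" % e)
        if not in_region:                       # at the beginning of Counter
            if e == "l":
                raise ValueError("a train left R that never entered it")
            trace += ["a", "k"]                 # Counter = a -> k -> Counter_1
            i, in_region = 1, True
        else:                                   # inside Counter_i, i >= 1
            trace.append(e)
            i += 1 if e == "a" else -1
            if i == 0:                          # Counter_0 = m -> Counter
                trace.append("m")
                in_region = False
    return trace


def count(trace, e):
    """tr ↓ e: the number of occurrences of event e in the trace."""
    return sum(1 for x in trace if x == e)


def trace_properties_hold(trace):
    """Lemma 1 and the k/m observations of the TE-LOTOS proof, checked on every prefix:
    - #a - #l is never negative (no train leaves R before entering it);
    - k is emitted exactly when R becomes non-empty (#a - #l = 1, right after an a);
    - m is emitted exactly when R becomes empty (#a - #l = 0, right after an l);
    - k and m alternate, beginning with k."""
    expected_signal = "k"
    for n in range(1, len(trace) + 1):
        prefix = trace[:n]
        i = count(prefix, "a") - count(prefix, "l")
        if i < 0:
            return False
        last = prefix[-1]
        if last in ("k", "m"):
            if last != expected_signal:
                return False
            if last == "k" and (i != 1 or prefix[-2:-1] != ["a"]):
                return False
            if last == "m" and (i != 0 or prefix[-2:-1] != ["l"]):
                return False
            expected_signal = "m" if last == "k" else "k"
        elif last == "l" and i == 0 and trace[n:n + 1] != ["m"]:
            return False                        # R became empty but no m follows
    return True


if __name__ == "__main__":
    # Constructed environment: two trains overlap in R, then a third passes alone.
    full = counter_trace(["a", "a", "l", "l", "a", "l"])
    print(full)                                 # ['a', 'k', 'a', 'l', 'l', 'm', 'a', 'k', 'l', 'm']
    print(trace_properties_hold(full))          # True
    print(trace_properties_hold(["a", "k", "m"]))  # False: m while a train is still in R
```

The checker is deliberately independent of the simulator: it recomputes the Counter index from the event counts of each prefix, which is exactly the quantity the lemma relates to the position of control.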