Stochastic Specification and Verification

Modern distributed systems include a class of applications in which non-functional requirements are important. In particular, these applications include multimedia facilities where real time constraints are crucial to their correct functioning. In order to specify such systems it is necessary to describe that events occur at times given by probability distributions. Stochastic process algebras have emerged as a useful technique by which such systems can be specified and verified. 
 
However, stochastic descriptions are very general, in particular they allow the use of general probability distribution functions, and therefore their verification can be complex. In this paper we define a translation from stochastic process algebras to timed automata. By doing so we aim to use the simpler verification methods for timed automata (e.g. reachability properties) for the more complex stochastic descriptions.


Introduction
In this paper we define and verify a translation from a stochastic process algebra to timed automata. The reason for doing so is to support the specification and verification of non-functional properties in distributed multimedia systems.
The advent of distributed multimedia applications such as video conferencing, radio over the internet etc. places great demands on the specification and design of such systems because of the need to describe and verify non-functional requirements. These non-functional requirements typically involve real time constraints, such as placing bounds on end-to-end latency, and are often called Quality of Service (QoS) requirements because they reflect the overall quality of delivery as opposed to the functional aspects.
In order to specify and verify such constraints it is necessary not only to be able to describe deterministic timing concerns but also probabilistic and stochastic systems. That is, in practice timings cannot be assumed to be fixed (deterministic timings); rather, events can occur at different times with particular probabilities. Therefore it is necessary to describe timings that occur according to certain probability distributions. For example, in a network specification it is not sufficient to assume that packet deliveries arrive at fixed predetermined times; instead we need to model the system where they might arrive at times determined by an exponential distribution.
There are now a number of techniques which can be used to describe such systems, e.g. Petri-nets [13], generalised semi-Markov processes [8] and stochastic process algebras. In this paper we will consider stochastic process algebras, for which a number of formalisms, techniques and tools are available, e.g. PEPA [10], TIPP [9], EMPA [3], PA GS [11] and SPADES [7]. Stochastic process algebras offer a number of advantages over other techniques such as Petri-nets. In particular, stochastic process algebras are compositional and allow a specification to be built as a number of smaller components composed together (e.g. using the parallel composition operator). Such compositionality is important if the specification and verification techniques are to scale. In addition, stochastic process algebras allow the study of both functional and non-functional requirements within the same description, giving a more realistic view of overall performance than, say, a queueing theory description of the problem.
Irish Workshop on Formal Methods, 1999
In this paper we focus on the stochastic process algebra SPADES. The reason for this is twofold. The primary motivation is that SPADES supports not just exponential distributions but general distributions. The issue here is the following. A stochastic process algebra associates a distribution function $F$ with an action $a$, so that $a_F ; P$ describes an action prefix where the probability of the time delay after which $a$ can happen is determined by the distribution function $F$. Because of the interleaving semantics of most process algebras and the low complexity of verification (exponential distributions are memoryless, which greatly simplifies the verification of properties), most process algebras restrict themselves to allowing only exponential distributions for $F$.
However, this is unrealistic in practice and it is necessary in general for $F$ to range over any distribution (e.g. uniform, gamma, deterministic etc). For example, it is often assumed that packet lengths are exponentially distributed. However, in reality this is not the case; rather they are either of constant length (as in ATM cells [14]) or they are uniformly distributed between a minimum and maximum size (as in Ethernet frames [14]). SPADES allows this generality. It does so by using stochastic automata as its underlying model, and this forms the second motivation for its use here. Stochastic automata are based on timed automata [2], which enables a link to be formed into the extensive work on verification for timed automata. This is useful for the following reason. Although general distributions are important for describing complex distributed systems, they do make a range of verification tasks more complex. In particular, the move from memoryless exponential distributions to arbitrary general distributions has profound implications for the complexity of verification techniques such as model checking.
However, there is a collection of properties, such as reachability properties, which can be verified for general stochastic systems by looking at a simplified underlying model. It is for this reason that we define a translation from stochastic process algebras to timed automata. By doing so we aim to support the verification of a range of properties by using techniques developed for timed automata.
The structure of the paper is as follows. In Section 2 we introduce SPADES and stochastic automata, illustrated by a simple specification of a multimedia stream. We also briefly review timed automata and the particular model we use, timed automata with deadlines [5]. In Section 3 we define the translation of stochastic automata into timed automata with deadlines. This translation is verified in Section 4, and we conclude in Section 5.

Stochastic specification and verification
Multimedia distributed applications are now commonplace. They are also difficult to specify and verify. One reason for this is the number of new requirements that now have to be considered when building such a system. For example, interactions between components in such systems are often continuous, e.g. the flow of packets in a radio over the internet application. These continuous interactions lead to QoS constraints which, for example, place acceptable bounds on the various timing aspects of this packet flow (latency, jitter, throughput etc).
Stochastic process algebras offer a promising method by which we can specify and verify these systems in a compositional manner. In this paper we will use the SPADES process algebra because it provides support for general distribution functions as well as providing a link into (timed) automata. We will use the latter as our verification strategy. This is attractive because there is a range of verification tools available for timed automata, e.g. the Kronos and UPPAAL model checkers, whilst verification for stochastic techniques with generalised distribution functions has proved difficult. In particular, the non-memoryless nature of generalised distribution functions means that stochastic model checking is currently feasible for only very small state spaces. With a non-memoryless distribution, recalculations of conditional probabilities need to be undertaken at each state explored in the state space, placing severe bounds on feasibility with the current techniques.
The link with automata also allows stochastic process algebras to be used within other multi-paradigm specification frameworks. For example, timed automata have been used as an underlying formalism to bring together a variety of specification approaches [4]. The use of stochastic automata as a basis for stochastic process algebras, and the link developed in this paper between stochastic automata and timed automata, should allow the integration of SPADES into such multi-paradigm approaches; this offers clear advantages when specifying complex systems.

Stochastic process algebras and automata
The stochastic process algebra SPADES and its underlying stochastic automata model use clocks to trigger events. Clocks are variables which take a value set according to a given probability distribution function. After being set a clock counts down, and when the clock reaches zero it enables certain events (or transitions) in the model. To model this situation the syntax of SPADES includes the following (where $a$ is an action, $p$ is a process and $C$ is a set of clocks):

$p ::= \mathsf{stop} \mid a;p \mid C \mapsto p \mid p + p \mid \{\!|C|\!\}\,p \mid p \parallel_A p$

This is a standard process algebra extended with a clock setting operation and a triggering condition. The former, $\{\!|C|\!\}\,p$, sets the clocks in $C$ to a value chosen according to their respective probability distribution functions. $C \mapsto p$ is the triggering condition: the process $p$ becomes enabled as soon as all the clocks in $C$ expire.

A multimedia example in SPADES
As an example, consider the specification of a simple multimedia stream. It has three components: a Source process, a Sink process and a Channel. The Source generates a sequence of packets, which are transmitted by the Channel to the Sink, which displays them. We assume that the Channel is unreliable, and may lose packets. We also assume that the Sink process is impatient, and if it does not receive packets at a sufficiently fast rate it will timeout.

These components can be written in SPADES as

and the Stream can then be given as the parallel composition of these components:
The Source process begins by setting the clock $tr$ according to the probability function $F_{tr}$, defined as (the unit of time being ms):

This represents a situation where messages made up of several packets are being transmitted. If a packet is generated it is reasonably likely that a further packet will be generated in the near future (between 5 and 10ms, in this example), but if the following packet is not generated (if, for example, the previous packet marked the end of a message) then there will be a time interval of approximately 50ms (between 45 and 55ms) before the start of the next message.
When the clock $tr$ expires, the action trans is enabled, and when it fires the process repeats itself.
In the process Sink, the clocks $d$ and $t_0$ are set initially. The clock $d$ controls the rate of display of packets, and $t_0$ controls the timeout behaviour. The distributions $F_d$ and $F_{t_0}$ are given by

Both these functions represent deterministic timing. Function $F_d$ says that a packet cannot be displayed until precisely 25ms after the previous one. At any time less than 25ms a display action is not possible; at every time greater than or equal to 25ms the display action is enabled. If a display action is performed, the process will recurse again to Sink.
In the Sink process, the receive action does not have any clock dictating its rate, and therefore if the Sink process were operating on its own the receive action would happen immediately. However, this action has to synchronise with the receive action in Channel, and the clock $r$ will then influence its rate.
If, after displaying a packet, the Sink does not receive another packet within 50ms, it will timeout and stop. It will also timeout if it does not receive a packet within 50ms of initialisation.
The Channel process contains the three clocks $t$, $r$ and $l$, which control the rates of the trans, receive and loss actions respectively. The process is presented as a parameterised set of recursive equations. The functions $F_t$ and $F_l$ are defined as

and the probability distribution $F_r$ is a bounded normal curve, centred at 50, truncated at 25 and 75, and normalised.
The function $F_t$ represents the time Channel takes to initialise, and the "recovery time" necessary after each trans action. Initially, when no packets are contained in Channel, the clock $t$ is set according to $F_t$, and the trans action is enabled when clock $t$ has expired. When the trans action fires, each of the three clocks is set. The function $F_r$ represents the time taken for the Channel to move a message from Source to Sink.
The loss behaviour is modelled by function $F_l$. A packet may be lost from Channel at any point up to 200ms after it has been received.

Stochastic Automata
To understand this specification we can think of it as defining a stochastic automaton. Stochastic automata generalise timed automata by using stochastic clock settings instead of the strictly deterministic timings of a timed automaton. In fact, stochastic automata and SPADES are equally expressive, and [7] gives the mapping between SPADES and stochastic automata in detail. Therefore for the remainder of this paper it suffices to work at the level of stochastic automata, since any process algebraic specification has an equivalent stochastic automaton representation.

Definition 1 A stochastic automaton is a structure $(S, s_0, \mathcal{C}, A, \longrightarrow, \kappa, F)$ where: $S$ is a set of locations with $s_0 \in S$ being the initial location, $\mathcal{C}$ is the set of all clocks, and $A$ is a set of actions. $\longrightarrow \subseteq S \times A \times \mathcal{P}(\mathcal{C}) \times S$ is the set of edges. If $s$ and $s'$ are states, $a$ is an action and $C$ is a subset of $\mathcal{C}$, then we denote the edge $(s, a, C, s') \in \longrightarrow$ by $s \xrightarrow{a, C} s'$ and we say that $C$ is the trigger set of action $a$. We use $s \xrightarrow{a} s'$ as a shorthand notation for $\exists C : s \xrightarrow{a, C} s'$. $\kappa : S \to \mathcal{P}(\mathcal{C})$ is the clock setting function, and indicates which clocks are to be set in which states, where $\mathcal{P}(\mathcal{C})$ is the powerset of clocks.
$F : \mathcal{C} \to (\mathbb{R} \to [0,1])$ assigns to each clock a distribution function such that, for any clock $x$, $F(x)(t) = 0$ for $t < 0$; we write $F_x$ for $F(x)$, and thus $F_x(t)$ states the probability that the value selected for the clock $x$ is less than or equal to $t$.

This is the definition of stochastic automata presented in [7], but in this paper we will be less concerned with determining probabilities, and more concerned with determining whether or not a particular value is possible when a clock is initially set. For this reason we consider the derivatives $F'_x$ of these functions, since if $F'_x(t) > 0$ then $t$ is a possible initial value for the clock $x$.
For simplicity, we consider only functions whose derivative is made up of a finite number of left/right closed intervals; that is, we consider only functions $F$ such that $\{t \mid F'(t) > 0\} = \bigcup_{1 \le j \le n} [g_j, h_j]$ where $[g_j, h_j]$ is a left/right closed interval and $n$ is the number of intervals in the derivative. In practice this is not a severe restriction (e.g. [1] imposes the same restriction).
The range of a clock $x$, written $\mathrm{ran}(x)$, is given by the set $\{t \mid F'_x(t) > 0\}$. We also define $\max(x)$ as the maximum possible initial value of $x$, given by $h_n$, where $n$ is the number of intervals in the range of $x$; this value may be infinity. The minimum possible initial value $\min(x)$ is given by $g_1$ and must be finite. Note that the upper and lower bounds of an interval may be equal, thus allowing deterministic timing. We assume that all clocks are initially set to some value within their range.
We can now give the stochastic automata for the example presented above.

The multimedia example as a stochastic automata
The stochastic automata for this example are depicted below. Like the SPADES description above, the overall automaton is composed of three parts: a sink, a source and a channel. These are first given separately, followed by their composition. In the figures, the locations are given as circles, with the clocks reset at that location contained within each circle. The edges of the automata are given as arrows between the locations, with the initial state represented by the small ingoing arrow.

The sink

The channel
The source automaton generates the packets which make up the stream, and these are separated in time according to the probability function $F_{tr}$.
The channel automaton synchronises with the trans action to accept a packet. This happens according to the probability distribution $F_t$. When a single packet resides in the channel, it can be passed on to the sink automaton via the rec action, lost via the loss action, or joined by another packet via the trans action. When two packets reside in the channel then either one of them will be lost, or one will be passed on to the sink automaton.
The sink automaton can receive a packet (by synchronising with channel on rec), in which case it displays it, or it can timeout.
The composition of stochastic automata is similar to the composition of timed automata, and is explained in detail in [7]. Component automata may proceed independently, performing the actions for which they alone are responsible, or they may synchronise on combined actions. With independent actions, the subsequent state resets only the clocks reset by the component automaton. With combined actions, the subsequent state resets the clocks reset by all participating automata.
The composition of the three automata above is given by the automaton below. Note that the smaller circles, entered after a timeout, are actually capable of performing further actions, since the Channel itself does not timeout and may continue to perform trans and loss actions. However, we do not incorporate that extra behaviour in the diagram, to avoid cluttering the presentation.

Timed automata
Timed automata, as typified by the UPPAAL tool [12], represent one of the major approaches to specifying real time systems. Like a stochastic automaton, a timed automaton consists of a set of clocks and locations. The clocks proceed at the same rate and measure the amount of time that has elapsed since they were reset. Locations (or states) can have invariants attached to them. If a timed automaton is in a particular location, the invariant must be true. This property can be used to make actions urgent, by insisting that the automaton must have exited the state by a certain time.
In this paper we use timed automata with deadlines (TAD), as presented in [5], which differ slightly from the standard presentation of timed automata. The essential approach in timed automata with deadlines is to associate deadlines with transitions instead of placing invariants on states. Therefore transitions consist of 4-tuples $(a, g, d, r)$, comprising an action $a$, guard $g$, deadline $d$ and set of clocks $r$. Guards and deadlines are predicates parameterised by the values of the clocks. The guard states when a transition is enabled (i.e. when it may be taken), and if the deadline is true then the transition must be taken. When the transition occurs the clocks in $r$ are reset to zero.
The constraint $d \Rightarrow g$ is assumed to hold. This means that if in a state time cannot progress (because a deadline is true), then the action is also enabled. This prevents timelocks from occurring. This issue is discussed in detail in [5]. We can give the following definition.
Definition 2 Formally a timed automaton with deadlines (TAD) consists of the following.
A discrete labelled transition system $(Z, \to, A)$ where
- $Z$ is a finite set of discrete states
- $A$ is a finite set of actions
- $\to \subseteq Z \times A \times Z$ is an untimed transition relation

A set $X = \{x_1, \ldots, x_n\}$ of non-negative real valued variables called clocks.

A labelling function $h$ mapping untimed transitions into timed transitions: $h(z, a, z') = (z, a, g, d, r, z')$ where
- $g$ and $d$ are the guard and deadline of the transition. Guards and deadlines are predicates $p$ defined by the following grammar: $p ::= x \bowtie c \mid p \wedge p \mid p \vee p$ where $x \in X$, $c \in \mathbb{R}_{\ge 0}$ and $\bowtie \in \{\le, \ge\}$. We require $d \Rightarrow g$.
- $r$ is a set of clocks to be reset to zero.

The clocks in a TAD are always reset to zero and count upwards at the same rate. This is in contrast to the clocks in stochastic automata, which are set to some value in $\mathbb{R}_{\ge 0}$ according to their probability distribution function, and count downwards. We assume in this work that all clocks in a TAD are initially set to zero. This is a simplification of the work in [5], where clocks may take any values initially, but we do not need that generality in defining a correct translation.
As an example of a timed automaton with deadlines consider the following specification. The timed automaton depicted begins in state 0. All clocks $x_i$ are initially set to zero. In state 0 the transition $a$ becomes possible as soon as $x_1$ reaches 1, and remains possible until $x_1$ reaches 2. At that time the deadline becomes true, and action $a$ is forced to happen if it hasn't already been taken.
When state 1 is entered, clock $x_2$ will already have some value between 1 and 2, since it has been counting upwards in synchronisation with clock $x_1$. Clock $x_2$ allows action $b$ between time 4 and time 6, and insists on it (via the deadline) at time 6. However, at time 5, clock $x_3$ enables action $c$, and so between times 5 and 6 the choice between $b$ and $c$ is non-deterministic. If action $b$ does occur, the three clocks $x_1$, $x_2$ and $x_3$ are reset to zero, and the process begins again from state 0. If action $c$ occurs the timed automaton enters state 2 and no further transitions are possible.
Note that clock $x_3$ cannot progress beyond time 6, because at that time action $b$ is forced and $x_3$ is reset to zero.

A range of tools and techniques are available for timed automata which can support various verification activities.
One of the most successful techniques has been model checking, where a system can be checked to see if a particular property holds. This is achieved by representing the property as a formula in a propositional temporal logic (e.g. CTL), and the model checker automatically compares this with a state-transition graph of the system's behaviour.
Model checkers now exist for a range of specification paradigms including both real-time and probabilistic systems. UPPAAL is a good example of a real-time model checker, where the system under consideration is represented as a timed automaton. UPPAAL includes both a simulator and a model checker which can check the reachability properties of the system. If a property does not hold in a given system, UPPAAL provides an example trace which can be fed into the simulator for further analysis. There are many alternative model checking tools and techniques, e.g. Kronos [15].
By providing a mapping from stochastic automata to timed automata, we aim to reuse this existing technology to enable reachability analysis to be performed on stochastic automata specifications.

Translating stochastic to timed automata
In this section we define the mapping from stochastic to timed automata. The mapping is relatively straightforward and intuitive, and we illustrate the translation with our running example. The proof of correctness of the mapping is more technical, and is given in Section 4.
The translation mapping is designed to preserve precisely the behaviour that is necessary to verify reachability properties, and to remove the remaining redundant information. In particular, because the reachability analysis looks for reachable states and not the probability of reaching those states, we can remove the probabilistic element and replace it by non-deterministic timing information.
For example, consider a stochastic automaton fragment in which action $a$ has the single trigger clock $x$, the clock $y$ is set in the target location, and $F'_x$ is non-zero only between 1 and 2 (figure omitted). The pertinent information is that the clock $x$ can be set to any value between 1 and 2. The actual probabilities do not matter, so for our purposes an equivalent timed automaton is a fragment with a single transition $(a, g, d, r)$ (figure omitted). In this description we have used the same action name, with $g : x \in [1, 2]$, $d : x = 2$, and $r : \{y\}$.
This timed automaton has the following behaviour. The guard $g$ specifies the times at which the transition may be taken, which here are the values between 1 and 2. It must be taken by the deadline $d : x = 2$. When it is actually taken is non-deterministically chosen between these limits. It is in this sense that the stochastic information in the probability distribution function has been replaced by a non-deterministic choice of actual time determined by the interplay of the guards and deadlines. In general, the guards and deadlines are determined by more complex formulae than suggested by this small fragment. The reasons for this are given after the definition.
From this example it should be clear how we will define the translation. Each stochastic automaton will be mapped to a timed automaton with the same number of locations and the same action label set. Each transition in the stochastic automaton will be mapped to a transition in the timed automaton. For each stochastic automaton clock there is a corresponding timed automaton clock. However, the stochastic information represented in the probability distribution associated with each stochastic automaton clock becomes embedded as deadlines and guards. Finally, an appropriate initial valuation for the timed automaton has to be given, and this is drawn from a possible initial valuation in the stochastic automaton.
The definition of the mapping can thus formally be given by the following.

Definition 3 Translating a SA into a TAD
Let $(S, s_0, \mathcal{C}, A, \longrightarrow, \kappa, F)$ be a stochastic automaton. This automaton is mapped to the timed automaton $(Z, \to_T, A)$ where $\to_T$ is the transition relation $\longrightarrow$ with the clocks removed, i.e. $\to_T \subseteq Z \times A \times Z$ where

$\to_T = \{(z, a, z') \mid \exists C_a : (s, a, C_a, s') \in \longrightarrow \wedge\ s = z \wedge s' = z'\}$

The set $X$ contains clock variables, labelled $x_i$ and indexed as the SA clocks:

$X = \{x_i \mid \forall c_j \in \mathcal{C} : \exists x_i : i = j\}$

$h(z, a, z') = (z, a, g, d, r, z')$ where $C_a$ is the trigger set for action $a$ and $g$, $d$ and $r$ are constructed from the ranges of the clocks in $C_a$, as explained below.

The initial valuation for the TAD ($u_0$) is the valuation with each clock set to zero.
To see this in practice let us consider the example stochastic automata given in Section 2.1.3. The Sink stochastic automaton will translate to the following timed automaton. To understand how the definitions for the guards and deadlines have been chosen, first consider a single transition as depicted in the stochastic automaton on page 9. The clock $x$ in the resultant timed automaton with deadlines is set to zero when the clock $x$ in the stochastic automaton is nondeterministically set to some value within its range. Thus when the stochastic automaton clock reaches zero (and action $a$ fires) the clock in the TAD will be at some value within the range of $x$, i.e. $u(x) \in \mathrm{ran}(x)$.

Now consider the following fragment, in which action $a$ has the trigger set $\{c_1, c_2\}$ (figure omitted).

If $\mathrm{ran}(c_1) = [2, 4] \cup [7, 8]$ and $\mathrm{ran}(c_2) = [4, 5] \cup [8, 9]$ then it is not possible for action $a$ to fire at time 3, since clock $c_2$ cannot have expired by this time. The earliest time at which $a$ can fire is time 4, the greater of the two minimums, which we express in general as $\bigwedge_{c_i \in C_a} u_i \ge \min(c_i)$, where $C_a$ is the trigger set for each action $a$.

Also, note that it is not possible for $a$ to fire at time 6, because neither clock can be set to this value. We must therefore insist that at least one clock be within range in order for the action to fire, i.e. $\bigvee_{c_i \in C_a} u_i \in \mathrm{ran}(c_i)$.

Now consider the following fragment, where $\mathrm{ran}(c_3) = [2, 3]$ (figure omitted).

The clock $c_3$ will certainly have expired before the second state is reached, and so in the stochastic automaton the action $b$ will fire as soon as the second state is entered. In the timed automaton we therefore require the guard to continue to be true even if all clocks have passed their maximum values, and this gives us the full definition of the guard.

As for the deadline, we can only be certain that the stochastic automaton action will fire if all the clocks have expired. This translates to the timed automaton as insisting that all clocks have passed their maximum value, and so the deadline is $\bigwedge_{c_i \in C_a} u_i \ge \max(c_i)$. We also have that $d \Rightarrow g$, as required.
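The construction of a guard and deadline from clock ranges, worked through on the numbers used above, as an added example that is not code from the paper. A clock range is a finite union of closed intervals in ascending order, as assumed in Section 2; a TAD clock value $u_i$ is the time elapsed since the SA clock $c_i$ was set. The way the three clauses above are combined into one guard (every clock past its minimum, and either some clock within its range or every clock past its maximum) is this example's reading of the text; the grid-sampled firing times are a constructed check, not a proof.

```python
"""Guard and deadline construction for one stochastic automaton transition.

Added example, not the paper's own code.  A range is a list of closed
intervals [(g_1, h_1), ..., (g_n, h_n)] in ascending order.  The guard
combination below is an assumed reading of the three clauses in the text.
"""
from itertools import product
from typing import Callable, Dict, List, Tuple

Interval = Tuple[float, float]
Range = List[Interval]
Valuation = Dict[str, float]          # TAD clock values u_i
Pred = Callable[[Valuation], bool]


def in_range(t: float, rng: Range) -> bool:
    """t is a possible initial value of the clock, i.e. F'(t) > 0."""
    return any(g <= t <= h for g, h in rng)


def min_clock(rng: Range) -> float:
    return rng[0][0]           # g_1, must be finite


def max_clock(rng: Range) -> float:
    return rng[-1][1]          # h_n, may be float("inf")


def make_guard(trigger: Dict[str, Range]) -> Pred:
    """g = (all u_i >= min c_i) and (some u_i in ran c_i or all u_i >= max c_i)."""
    def g(u: Valuation) -> bool:
        past_min = all(u[c] >= min_clock(r) for c, r in trigger.items())
        some_in_range = any(in_range(u[c], r) for c, r in trigger.items())
        all_past_max = all(u[c] >= max_clock(r) for c, r in trigger.items())
        return past_min and (some_in_range or all_past_max)
    return g


def make_deadline(trigger: Dict[str, Range]) -> Pred:
    """d = all u_i >= max c_i: the SA action is then certain to have fired."""
    def d(u: Valuation) -> bool:
        return all(u[c] >= max_clock(r) for c, r in trigger.items())
    return d


def same_time(trigger: Dict[str, Range], t: float) -> Valuation:
    """Valuation when every clock of the trigger set was set t time units ago."""
    return {c: t for c in trigger}


def sa_firing_times(trigger: Dict[str, Range], step: float) -> List[float]:
    """Times at which the SA transition can fire if its clocks are set together.

    Each SA clock is set to a value in its range and counts down; the action
    fires when the last of them reaches zero, i.e. after max(v_i).  Values
    are sampled on a grid of width `step` (the real ranges are continuous).
    """
    grids = []
    for rng in trigger.values():
        pts = []
        for g, h in rng:
            k = 0
            while g + k * step <= h:
                pts.append(g + k * step)
                k += 1
        grids.append(pts)
    return sorted({max(vs) for vs in product(*grids)})


def translation_is_consistent(trigger: Dict[str, Range], step: float) -> bool:
    """Every sampled SA firing time satisfies the guard, and d implies g."""
    g, d = make_guard(trigger), make_deadline(trigger)
    if not all(g(same_time(trigger, t)) for t in sa_firing_times(trigger, step)):
        return False
    horizon = max(max_clock(r) for r in trigger.values()) + 2.0
    t = 0.0
    while t <= horizon:
        u = same_time(trigger, t)
        if d(u) and not g(u):
            return False
        t += step
    return True


# The ranges used in the text (constructed sample input).
RANGES = {"c1": [(2.0, 4.0), (7.0, 8.0)], "c2": [(4.0, 5.0), (8.0, 9.0)]}

if __name__ == "__main__":
    guard, deadline = make_guard(RANGES), make_deadline(RANGES)
    for t in (3.0, 4.0, 6.0, 7.5, 9.0, 10.0):
        u = same_time(RANGES, t)
        print(f"t={t}: guard={guard(u)} deadline={deadline(u)}")
    print("consistent:", translation_is_consistent(RANGES, 0.5))
```

Running the block reproduces the three observations: the guard is false at time 3 and 6, true at time 4, and the deadline becomes true at time 9, where the guard also holds. The `c3` case is covered by the same guard: a clock with range $[2, 3]$ read at value 5 is past its maximum, so the guard is true the moment the location is entered.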

Verification of the translation algorithm
In this section we verify the translation defined above. In order to verify the translation we have to show that any stochastic automaton and its corresponding timed automaton with deadlines are equivalent. By equivalent we mean that they have the same meaning in some suitable semantic model. Because we are removing the stochastic element in the stochastic automata in order to verify reachability properties, the semantic model we choose is one that records just actions and their associated timings. In fact we use two slight variants in order to record this information: a timed action transition system and a time/action transition system. This is because the semantic model for stochastic automata uses timed actions, while timed automata with deadlines are mapped to time/action transition systems.

[Diagram: the SA is given a timed action semantics and its translation, the TAD, a time/action semantics; the two semantic models are shown to be equivalent ($\cong$).]
The verification of the translation then amounts to showing that the timed action semantics of a stochastic automaton is equivalent to the time/action semantics of a timed automaton with deadlines. The proof is in two parts. The first shows that any timed action trace arising from a stochastic automaton can also be performed by the timed automaton with deadlines (i.e. the trace is in the time/action semantics). The second part of the proof does the converse: that any time/action trace in the timed automaton with deadlines is a possible trace in the semantics of the stochastic automaton.
Before we give the proof we define timed action and time/action transition systems, and show how to map the automata to their respective models.

Timed action transition systems: the semantics of SA
The timed action transition system results from a stochastic automaton when we abstract away from the stochastic information. It is defined as the end result of first taking the interpretation of a stochastic automaton, followed by its probabilistic abstraction. These are defined as follows.

The timed action transition system is thus $\mathcal{PA}(\mathcal{I}_A^{v}(\cdot))$. In the interpretation $\mathcal{I}_A^{v}$, $A$ indicates an actual, as opposed to potential, behaviour, and $v$ is the initial valuation.

The interpretation of a stochastic automaton
The interpretation of a stochastic automaton is given by a Probabilistic Transition System (PTS). Probabilistic transition systems are explained in detail in [7], where they are used to give a semantic model for stochastic automata.
Here, they are used simply as an intermediate step in generating the timed action system. If $SA = (S, s_0, \mathcal{C}, A, \longrightarrow, \kappa, F)$ is a stochastic automaton, then the interpretation is given by the probabilistic transition system

$\mathcal{I}_A^{v_0}(SA) = (S \times V \times \{0\},\ S \times V \times \{1\},\ (s_0, v_0, 0),\ A \times \mathbb{R}_{\ge 0},\ T,\ \longrightarrow)$

where $T$ and $\longrightarrow$ are defined by the rules Prob and Act.
The rule Prob corresponds to setting some clocks within the stochastic automaton. Essentially, $T(s, v, 0)$ is the probability space whose sample space is made up of the state $s$ combined with all possible resultant clock settings, and whose probability measure is derived from $F_{x_1}, \ldots, F_{x_n}$ in the obvious way. The annotations 0 and 1 simply indicate whether or not the clocks have been set, and we say $(s, v', 1) \in T(s, v, 0)$ if $(s, v', 1)$ is in the sample space of the probability space.
The rule Act specifies the conditions under which a stochastic automaton can perform an action $a$ at time $d$.

The probabilistic abstraction of a stochastic automaton
The timed action system is produced from the PTS via the probabilistic abstraction function $\mathcal{PA}$. As its name suggests, this function removes all probabilistic information from the PTS.
Let $(S \times V \times \{0\},\ S \times V \times \{1\},\ (s_0, v_0, 0),\ A \times \mathbb{R}_{\ge 0},\ T,\ \longrightarrow)$ be the interpretation of the stochastic automaton.
Note that we use the subscript $S$ on the transition system arrow to distinguish it from the TAD transition relation, which will be introduced later.
In accordance with convention, we will write $(s, v) \xrightarrow{a(d)}_S (s', v')$ for $((s, v), a(d), (s', v')) \in \longrightarrow_S$, and therefore a timed action transition system consists of transitions with labels of the form $a(d)$, where $a$ is a discrete action and $d$ is a time value. A transition $(s, v) \xrightarrow{a(d)}_S (s', v')$ should be understood to mean that the state-valuation pair $(s, v)$ can delay for a time $d$ before performing the action $a$ and entering the state-valuation pair $(s', v')$.
Below, we give the timed action transition system resulting from the stochastic automaton description of the Sink, specified on page 6. Because time is represented by the real numbers, any timed action graph quickly becomes infinite, and so where we can we draw just one arrow, with a label to represent the range of possible time values.

Time/action transition systems: the semantics of TAD
The time/action transition system is the standard semantics for timed automata with deadlines. It consists of transitions labelled by elements of $A$, which correspond to state changes, and transitions labelled with non-negative reals, which correspond to time steps. The significant difference between timed action and time/action transition systems is that in the former the passing of time and the performing of an action are merged into one transition, while in the latter they are separate transitions.
The time/action semantics of the TAD is given by the transition relation $\longrightarrow_T \subseteq (Z \times \mathbb{R}^n_{\geq 0}) \times (A \cup \mathbb{R}_{\geq 0}) \times (Z \times \mathbb{R}^n_{\geq 0})$. A (state,valuation) pair of a TAD is a pair $(z, u)$ where $z \in Z$ is a discrete state and $u \in \mathbb{R}^n_{\geq 0}$ is a clock valuation. Given $z \in Z$, if $\{(z, a_i, z_i)\}_{i \in I}$ is the set of all transitions issued from $z$ and $h(z, a_i, z_i) = (z, a_i, g_i, d_i, r_i, z_i)$, then the time/action transitions are defined by the following two clauses:

$\forall i \in I.\ \forall u \in \mathbb{R}^n_{\geq 0}.\ (z, u) \xrightarrow{a_i} (z_i, u[r_i])$ if $g_i(u)$,

where $u[r_i]$ is the valuation obtained from $u$ when all the clocks in $r_i$ are set to zero and the others are left unchanged;

$(z, u) \xrightarrow{t} (z, u + t)$ if $\forall t' < t.\ c_s(u + t')$, where $c_s = \neg \bigvee_{i \in I} d_i$.
For example, the time/action transition system resulting from the TAD specification of the Sink on page 10 is as below. Again, we parameterise time transitions where we can.

Proof
We are now in a position to give the proof of equivalence between the semantic models that arise from a stochastic automaton and its translation.
Outline: We will prove that the translation from stochastic automata to timed automata with deadlines (the function sa2tad) is correct with respect to the probabilistic abstraction function. In particular, we prove timed trace equivalence: the timed traces possible through the transition system $PA(I^{v_0}_A(SA))$ and the timed traces possible through the transition system $\llbracket sa2tad(SA) \rrbracket$ are equal, where $SA$ is any stochastic automaton; $I^{v_0}_A(SA)$ is the interpretation of the stochastic automaton in terms of a probabilistic transition system; $PA$ is the probabilistic abstraction function; $sa2tad$ is the function from stochastic automata to timed automata with deadlines; and $\llbracket \cdot \rrbracket$ is the semantic interpretation of a TAD.
First, we introduce some auxiliary definitions relating the two different types of valuations: stochastic automata valuations, denoted $v$ in the sequel, and TAD valuations, denoted $u$. If $n$ is the number of clocks in the valuation, then $v \in \mathbb{R}^n$ and $u \in \mathbb{R}^n_{\geq 0}$. We assume the set of clocks is ordered.

Example:
As an example, consider the timed action and time/action transition systems given above. If the pair $(t, a)$ represents the action $a$ being observed at absolute time $t$, then the timed trace $\langle (0, rec), (25, disp), (45, rec), (50, disp), (100, tout) \rangle$ is a possible behaviour of both systems. The proof works by showing that the set of all possible traces resulting from the conventional interpretation of the stochastic automaton and the set of all possible traces resulting from our TAD interpretation are equal.

SA traces occur in its TAD translation
The proof is in two parts. This part shows that any trace the SA can perform can also be performed by the TAD. We do this by showing that any (state,valuation) pair in the SA can be simulated by a (state,valuation) pair in the TAD: if two (state,valuation) pairs correspond, in a manner to be defined, then a timed action possible for the SA has related time and action transitions within the TAD.

Definition 4 Correspondence
Two valuations $v$ and $u$ correspond (written $v \approx u$) provided $v \in \mathbb{R}^n$, $u \in \mathbb{R}^n_{\geq 0}$ and $\forall i \leq n.\ v(i) + u(i) \in ran(c_i)$. We then define the correspondence between (state,valuation) pairs as follows.

We now begin the proof. We assume that $(s, v) \approx (z, u)$, and we wish to prove that

By the PA function we deduce that $\exists v''.\ (s, v'', 1) \in T(s, v, 0) \wedge (s, v'', 1) \xrightarrow{a(d)}_P (s', v'' - d, 0)$, and for all clocks $x$: if $x \in r_a$ then $(u + d)[r_a](x) = 0$, and if $x \notin r_a$ then $(u + d)[r_a](x) = (u + d)(x)$; so, for all valuations $v'$ in $D(s')$ and all clocks $x$, $v'(x) + u(x) \in ran(x)$, as required.
Initial states: Since all the clocks $x$ in the initial SA valuation $v_0$ are initially set to a value within their range $ran(x)$, all the clocks in the initial TAD valuation $u_0$ are set to zero, and the initial state of the TAD is derived from the initial state of the SA, the two (state,valuation) pairs $(s_0, v_0)$ and $(z_0, u_0)$ clearly correspond.
This completes the first half of the proof.

Any TAD trace is a valid SA trace
We now prove that, given a translation of a stochastic automaton into a TAD, any trace possible for the TAD is possible for the stochastic automaton. We do this by induction on the length of the trace: provided $\langle \ldots, (t_{j-1}, a_{j-1}) \rangle$ is a valid trace of both the SA and the TAD, we show that if $\langle \ldots, (t_{j-1}, a_{j-1}), (t_j, a_j) \rangle$ is a valid trace of the TAD, it is also a valid trace of the SA. In order to simplify the presentation, we assume that every clock is associated with only one transition.
In the base case, if $\langle (t_1, a_1) \rangle$ is a trace of the TAD then from the definition of the guard we know that

and from the time-passing constraint we know that $\forall d' \in [0, t_1).\ \forall l \in L.\ \exists m \in C_l.\ \max(c_m) > d'$ (where $L$ enumerates all outgoing transitions from $s_0$).
In this instance the time-passing constraint is incompatible with the second clause of the guard, and therefore only the first clause can be true. The trace can be reproduced by setting clock $c_k$ to $t_1$, and $c_i$ to $\min(c_i)$ for each clock $c_i$, $i \neq k$. Since clocks can only be used once, setting clocks to their minimums will not interfere with any other possible transitions from $s_0$.
For the inductive step, consider a trace $\langle \ldots, (t_{j-1}, a_{j-1}), (t_j, a_j) \rangle$ from a TAD. Recall that $t_j$ is the time at which event $a_j$ occurs, $C_j$ is the trigger set of action $a_j$, and $ts_i$ is the latest time at which clock $i$ was reset.
From the definition of the guard we know that

$\bigwedge_{i \in C_j} t_j \geq \min(c_i) + ts_i \ \wedge\ \Big( \bigvee_{k \in C_j} t_j \in ran(c_k) + ts_k \ \vee\ \bigwedge_{i \in C_j} t_j > \max(c_i) + ts_i \Big)$

and from the time-passing constraint we know that

$\forall d' \in [t_{j-1}, t_j).\ \forall l \in L.\ \exists m \in C_l.\ ts_m + \max(c_m) > d'$.

The definition of the guard gives rise to two cases. In the first, at least one of the clock variables must be within range ($\bigvee_{k \in C_j} t_j \in ran(c_k) + ts_k$) and all clocks must have started ($\bigwedge_{i \in C_j} t_j \geq \min(c_i) + ts_i$). The SA can reproduce this behaviour by setting clock $k$ to $t_j - t_{j-1}$ and all other clocks to their respective minimums. Since clocks are only used once we are free to set all clocks here as we wish. In this first case, the time-passing constraint ensures that every other outgoing transition has at least one clock (say $c_m$) in its trigger set which may still be active ($ts_m + \max(c_m) \geq t_j$), and therefore no other transition is forced to have occurred previously. In the second case, $t_j$ is strictly greater than $\max(c_i) + ts_i$ for all clocks $i$ in the trigger set of $a_j$, but the time-passing constraint applied to transition $a_j$ states that for every time $d'$ between $t_{j-1}$ and $t_j$ there is a clock $c_i$ in the trigger set with $d' < \max(c_i) + ts_i$. This can only be resolved if no time elapses between $t_{j-1}$ and $t_j$ (i.e. $t_{j-1} = t_j$), and this corresponds to the case in the SA where all clocks in the trigger set have already expired, and so action $a_j$ fires as soon as action $a_{j-1}$ does.
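The following is an added Python example, not code from the paper: it replays a timed trace under the time/action semantics of a TAD given earlier (action steps when the guard holds, time steps while no deadline has been met), with guards and deadlines of the shape used in the inductive step above. The sink-like automaton, its clock ranges and the trace values are constructed assumptions, and, as in the proof, each clock is assumed to belong to a single transition.

```python
# Added example (not the paper's code): replay a timed trace under the time/action semantics.
from dataclasses import dataclass
@dataclass(frozen=True)
class Transition:
    src: str
    action: str
    dst: str
    trigger: dict      # clock -> (min, max): the range ran(c) of the SA clock it encodes
    resets: frozenset  # clocks reset to zero when the transition fires
def guard(tr, u):
    """Translated guard: every trigger clock has started (>= min), and some clock is in range or all are past max."""
    started = all(u[c] >= lo for c, (lo, hi) in tr.trigger.items())
    in_range = any(lo <= u[c] <= hi for c, (lo, hi) in tr.trigger.items())
    expired = all(u[c] > hi for c, (lo, hi) in tr.trigger.items())
    return started and (in_range or expired)

def deadline_before(tr, u, t):
    """Deadline d_l (all trigger clocks >= max) holds at u + t' for some t' < t iff the last clock expires before t."""
    return max(hi - u[c] for c, (lo, hi) in tr.trigger.items()) < t

def can_delay(tad, z, u, t):
    # time-passing constraint c_s = not(OR d_i) over every transition leaving z
    return t == 0 or not any(deadline_before(tr, u, t) for tr in tad if tr.src == z)

def run_trace(tad, z0, trace):
    """trace = [(t_1, a_1), ...] with absolute times: delay t_j - t_{j-1}, then fire a_j."""
    z, now = z0, 0.0
    u = {c: 0.0 for tr in tad for c in tr.trigger}   # all TAD clocks start at zero
    for t, a in trace:
        delta = t - now
        if delta < 0 or not can_delay(tad, z, u, delta):
            return False
        u = {c: x + delta for c, x in u.items()}
        for tr in tad:
            if tr.src == z and tr.action == a and guard(tr, u):
                u = {c: (0.0 if c in tr.resets else x) for c, x in u.items()}
                z, now = tr.dst, t
                break
        else:
            return False   # no transition labelled a is enabled at (z, u)
    return True

# Constructed sink-like TAD (assumed ranges): rec clock x in [0, 60], disp clock y in [5, 25], tout clock w in [90, 100]
SINK = [
    Transition("idle", "rec", "got", {"x": (0, 60)}, frozenset({"y"})),
    Transition("got", "disp", "idle", {"y": (5, 25)}, frozenset({"x"})),
    Transition("idle", "tout", "done", {"w": (90, 100)}, frozenset()),
]
OK_TRACE = [(0, "rec"), (25, "disp"), (45, "rec"), (50, "disp"), (100, "tout")]   # constructed
LATE_DISP = [(0, "rec"), (30, "disp")]   # y's deadline at 25 forbids delaying to 30
```

Running `run_trace(SINK, "idle", OK_TRACE)` accepts the trace, while `LATE_DISP` is rejected by the time-passing constraint rather than by a guard.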

Example
The translation of our stochastic automaton representing the multimedia stream can now be derived. The result is the timed automaton given below. Due to space limitations within the diagram, the transitions are labelled representatively; the meaning of the labels is given below. The trans actions have more complex guards and deadlines, since they are derived from two clocks. The aim of this translation is to produce a timed automaton which we can check for reachability properties. Examples of reachability properties might include: can we reach a state where a timeout is possible? Can we reach a state where more than ten packets are in the channel? None of these properties requires precise probabilities to be determined, therefore we can check our stochastic automaton against these properties by using the translation into a timed automaton.