Usually, the specification and implementation of a system are given as IOTSs, rather than QTSs. During testing, however, we typically observe the outputs of the system generated in response to inputs from the environment; thus, it is useful to be able to refer to the absence of outputs (i.e., quiescence) explicitly. Hence, we need a way to convert an IOTS to a QTS that captures all possible observations of it, including quiescence; this conversion is called deltafication and is similar to the way SAs are constructed from IOTSs.
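Definition 3.8 (Deltafication of IOTSs). Let $A = \langle S, S^0, L^I, L^O, \rightarrow_A \rangle$ be an IOTS with $\delta \notin L$. The deltafication of $A$ is the QTS $\delta(A) = \langle S, S^0, L^I, L^O, \rightarrow_\delta \rangle$, where $\rightarrow_\delta$ is defined as follows:
$$\rightarrow_\delta \;=\; \rightarrow_A \,\cup\, \{(s, \delta, s) \in S \times \{\delta\} \times S \mid s \in q(A)\}$$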
Thus, the deltafication of an IOTS $A$ simply adds $\delta$-labelled self-loops to all quiescent states in $A$.
Example 3.9. Consider the IOTS $A$ in Figure 3.3a. The quiescent states of $A$ are $s_1$, $s_3$, $s_5$ and $s_6$, and have been marked gray. As a result, these states acquire a $\delta$-labelled self-loop in the deltafication of $A$, i.e., $\delta(A)$, as shown in Figure 3.3b.
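Definition 3.8 as code, together with a check of rules R1 and R2 on the result. This is an added example, not part of the original text: the tuple encoding, the label spellings `tau` and `delta`, and the sample IOTS are constructed for illustration, and quiescence is taken to mean that a state enables no output and no τ action.

```python
TAU, DELTA = "tau", "delta"   # label spellings are this example's own choice

def quiescent(states, outputs, trans):
    """q(A): states that enable no output and no internal (tau) action."""
    busy = {s for (s, a, _) in trans if a in outputs or a == TAU}
    return set(states) - busy

def deltafy(states, inputs, outputs, trans):
    """Definition 3.8: add a delta self-loop to every quiescent state."""
    if DELTA in inputs | outputs:
        raise ValueError("delta must not already be a label of the IOTS")
    loops = {(s, DELTA, s) for s in quiescent(states, outputs, trans)}
    return set(trans) | loops

def rule_violations(states, outputs, trans):
    """Return (R1 offenders, R2 offenders).

    R1: every quiescent state has an outgoing delta transition.
    R2: every delta transition ends in a quiescent state.
    """
    q = quiescent(states, outputs, trans)
    r1 = q - {s for (s, a, _) in trans if a == DELTA}
    r2 = {t for (_, a, t) in trans if a == DELTA} - q
    return r1, r2

# Constructed sample IOTS (not the one in Figure 3.3): input a?, output b!.
STATES = {"s0", "s1", "s2", "s3"}
INPUTS, OUTPUTS = {"a"}, {"b"}
TRANS = {("s0", "a", "s1"), ("s1", "a", "s1"), ("s1", "b", "s2"),
         ("s1", TAU, "s3"), ("s2", "a", "s0"), ("s3", "a", "s3")}

QTS = deltafy(STATES, INPUTS, OUTPUTS, TRANS)

if __name__ == "__main__":
    print("added self-loops:", sorted(QTS - TRANS))
    print("R1/R2 offenders:", rule_violations(STATES, OUTPUTS, QTS))
```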
The following theorem shows that deltafication yields a well-formed QTS.
Theorem 3.10. Given an IOTS $A$ such that $\delta \notin L$, $\delta(A)$ is a well-formed QTS.
Figure 3.3: Deltafication of an IOTS $A$; panels (a) $A$ and (b) $\delta(A)$.
Proof. Let $A = \langle S, S^0, L^I, L^O, \rightarrow_A \rangle$ be an IOTS such that $\delta \notin L$, and let $\delta(A) = \langle S, S^0, L^I, L^O, \rightarrow_\delta \rangle$ be its deltafication, as defined in Definition 3.8. To show that $\delta(A)$ is a well-formed QTS, we need to prove that $\delta(A)$ satisfies each of the rules R1, R2, R3 and R4. In the following, we use $\mathit{traces}_\delta(s)$ to denote the set of all traces of $\delta(A)$ starting in the state $s \in S$.
1. To prove that $\delta(A)$ satisfies rule R1, we must show that for all states $s \in S$: if $q(s)$, then $s \xrightarrow{\delta}_\delta$.
Let $s \in S$ be any state such that $q(s)$ holds in $\delta(A)$. Since deltafication doesn’t change any existing transitions, $q(s)$ then also holds in $A$. By Definition 3.8, we have $(s, \delta, s) \in \rightarrow_\delta$ after deltafication and therefore $s \xrightarrow{\delta}_\delta$.
2. To prove that $\delta(A)$ satisfies rule R2, we must show that for all states $s, s' \in S$: if $s \xrightarrow{\delta}_\delta s'$, then $q(s')$.
Consider any transition $s \xrightarrow{\delta}_\delta s'$ in $\delta(A)$ with $s, s' \in S$. By Definition 3.8, we have $s = s'$, and $s$ (and therefore also $s'$) is quiescent.
3. To prove that $\delta(A)$ satisfies rule R3, we must show that for all states $s, s' \in S$: if $s \xrightarrow{\delta}_\delta s'$, then $\mathit{traces}_\delta(s') \subseteq \mathit{traces}_\delta(s)$.
Consider any transition $s \xrightarrow{\delta}_\delta s'$ in $\delta(A)$ with $s, s' \in S$. By Definition 3.8, we have $s = s'$, and therefore $\mathit{traces}_\delta(s') \subseteq \mathit{traces}_\delta(s)$.
4. To prove that $\delta(A)$ satisfies rule R4, we must show that for all states $s, s', s'' \in S$: if $s \xrightarrow{\delta}_\delta s'$ and $s' \xrightarrow{\delta}_\delta s''$, then $\mathit{traces}_\delta(s'') = \mathit{traces}_\delta(s')$.
Consider any pair of transitions $s \xrightarrow{\delta}_\delta s'$ and $s' \xrightarrow{\delta}_\delta s''$ with $s, s', s'' \in S$. By Defini-
Figure 3.4: The QTSs $A$, $B$, and their parallel composition $A \parallel B$; panels (a) $A$, (b) $B$ and (c) $A \parallel B$.
3.4 Operations
Since QTSs are a specialisation of IOTSs, all operations that are applicable to IOTSs (such as determinisation, parallel composition and hiding of actions) are also applicable to QTSs. Determinisation for QTSs is exactly the same as for IOTSs, but there are some minor differences for parallel composition and action hiding.
3.4.1 Parallel Composition
Similar to IOTSs, we require parallel composed QTSs to synchronise on shared inputs and complementary input-output pairs. However, we also require QTSs to synchronise on $\delta$-transitions, as a parallel composition of two QTSs can only be quiescent when both component QTSs are.
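Definition 3.11 (Parallel composition of QTSs). Let $A = \langle S_A, S^0_A, L^I_A, L^O_A, \rightarrow_A \rangle$ and $B = \langle S_B, S^0_B, L^I_B, L^O_B, \rightarrow_B \rangle$ be two QTSs such that $L^O_A \cap L^O_B = \emptyset$. The parallel composition of $A$ and $B$ is the QTS $A \parallel B = \langle S_{A \parallel B}, S^0_{A \parallel B}, L^I_{A \parallel B}, L^O_{A \parallel B}, \rightarrow_{A \parallel B} \rangle$, where $S_{A \parallel B}$, $S^0_{A \parallel B}$, $L^I_{A \parallel B}$, $L^O_{A \parallel B}$ and $\rightarrow_{A \parallel B}$ are defined as follows:
$$
\begin{aligned}
S_{A \parallel B} &= S_A \times S_B \\
S^0_{A \parallel B} &= S^0_A \times S^0_B \\
L^I_{A \parallel B} &= (L^I_A \cup L^I_B) \setminus (L^O_A \cup L^O_B) \\
L^O_{A \parallel B} &= L^O_A \cup L^O_B \\
\rightarrow_{A \parallel B} &= \{((s, t), a, (s', t')) \in S_{A \parallel B} \times ((L_A \cap L_B) \cup \{\delta\}) \times S_{A \parallel B} \mid s \xrightarrow{a}_A s' \wedge t \xrightarrow{a}_B t'\} \\
&\quad \cup \{((s, t), a, (s', t)) \in S_{A \parallel B} \times ((L_A \setminus L_B) \cup \{\tau\}) \times S_{A \parallel B} \mid s \xrightarrow{a}_A s'\} \\
&\quad \cup \{((s, t), a, (s, t')) \in S_{A \parallel B} \times ((L_B \setminus L_A) \cup \{\tau\}) \times S_{A \parallel B} \mid t \xrightarrow{a}_B t'\}
\end{aligned}
$$
As with parallel composed IOTSs, we have $L_{A \parallel B} = L^I_{A \parallel B} \cup L^O_{A \parallel B} = L_A \cup L_B$.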
The first clause of $\rightarrow_{A \parallel B}$ ensures that parallel composed QTSs synchronise both on shared actions and the $\delta$-label. The next two clauses enable them to perform non-shared actions independently from each other.
Figure 3.5: The QTSs $A$ and $A \setminus \{a\}$; panels (a) $A$ and (b) $A \setminus \{a\}$.
Example 3.12. See Figure 3.4 for two QTSs $A$ and $B$, and their parallel composition $A \parallel B$. Note the synchronisation on the $\delta$-transitions.
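The three clauses of Definition 3.11 as code, showing that a composite state gets a δ-transition only when both components offer one. This is an added example, not part of the original text: the dict encoding, the label spellings and the two small QTSs (which are not those of Figure 3.4) are constructed for illustration.

```python
from itertools import product

TAU, DELTA = "tau", "delta"   # label spellings are this example's own choice

def compose(A, B):
    """Definition 3.11 for QTSs given as dicts (states, init, inputs, outputs, trans)."""
    if A["outputs"] & B["outputs"]:
        raise ValueError("output alphabets must be disjoint")
    # Labels both sides must take together: shared actions plus delta.
    sync = ((A["inputs"] | A["outputs"]) & (B["inputs"] | B["outputs"])) | {DELTA}
    trans = set()
    # Clause 1: joint move on a shared label or on delta.
    for (s, a, s2), (t, b, t2) in product(A["trans"], B["trans"]):
        if a == b and a in sync:
            trans.add(((s, t), a, (s2, t2)))
    # Clauses 2 and 3: non-shared labels and tau interleave freely.
    for (s, a, s2) in A["trans"]:
        if a not in sync:
            trans |= {((s, t), a, (s2, t)) for t in B["states"]}
    for (t, b, t2) in B["trans"]:
        if b not in sync:
            trans |= {((s, t), b, (s, t2)) for s in A["states"]}
    outputs = A["outputs"] | B["outputs"]
    return {"states": set(product(A["states"], B["states"])),
            "init": set(product(A["init"], B["init"])),
            "inputs": (A["inputs"] | B["inputs"]) - outputs,
            "outputs": outputs, "trans": trans}

def delta_states(Q):
    """States of Q that have an outgoing delta transition."""
    return {s for (s, a, _) in Q["trans"] if a == DELTA}

# Constructed QTSs: A emits a! once; B consumes a? and answers with b!.
A = {"states": {"p0", "p1"}, "init": {"p0"}, "inputs": set(), "outputs": {"a"},
     "trans": {("p0", "a", "p1"), ("p1", DELTA, "p1")}}
B = {"states": {"q0", "q1", "q2"}, "init": {"q0"}, "inputs": {"a"}, "outputs": {"b"},
     "trans": {("q0", DELTA, "q0"), ("q0", "a", "q1"), ("q1", "a", "q1"),
               ("q1", "b", "q2"), ("q2", "a", "q2"), ("q2", DELTA, "q2")}}
AB = compose(A, B)

if __name__ == "__main__":
    print("delta enabled in:", sorted(delta_states(AB)))
```

In the sample, `q0` is quiescent in B, yet `(p0, q0)` has no δ-transition because A can still emit `a!` there.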
3.4.2 Action Hiding
The hiding of outputs in QTSs is exactly the same as for IOTSs, except that we do not allow the special output label $\delta$ to be hidden, as this label doesn’t represent a specific output but rather (the observation of) a lack of outputs. Furthermore, since we disallow divergent paths in QTSs, we do not allow the hiding of output labels to lead to the creation of $\tau$-loops, i.e., cyclic divergent paths.
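Definition 3.13 (Action hiding in QTSs). Let $A = \langle S, S^0, L^I, L^O, \rightarrow_A \rangle$ be a QTS and $H \subseteq L^O$ a set of output labels. If $A$ does not contain a cyclic path $s_0 a_1 s_1 a_2 \ldots$ such that for all $a_i$ we have $a_i \in H \cup \{\tau\}$, then one can hide $H$ in $A$ to obtain the QTS $A \setminus H = \langle S, S^0, L^I, L^O_H, \rightarrow_H \rangle$, where $L^O_H$ and $\rightarrow_H$ are defined as follows:
$$
\begin{aligned}
L^O_H &= L^O \setminus H \\
\rightarrow_H &= \{(s, a, s') \in \rightarrow_A \mid a \notin H\} \\
&\quad \cup \{(s, \tau, s') \in S \times \{\tau\} \times S \mid \exists a \in H \,.\, (s, a, s') \in \rightarrow_A\}
\end{aligned}
$$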
Example 3.14. Consider the QTS $A$ in Figure 3.5a and assume $L_A = \{a, b\}$. After hiding the output action $a$, the resulting QTS is $A \setminus \{a\}$, which is shown in Figure 3.5b. We have $L_{A \setminus \{a\}} = \{b\}$. Note that we cannot hide both the output actions $a$ and $b$, as this would result in the $\tau$-loop $s_0\,\tau\,s_1\,\tau\,s_2\,\tau\,s_0$.
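Definition 3.13 as code, including the side condition that hiding must not close a τ-loop. This is an added example, not part of the original text: the encoding and label spellings are this example's own, and the three-state system is a reading of Example 3.14 in which the placement of `a!`, `τ` and `b!` on the edges of the cycle is assumed.

```python
TAU, DELTA = "tau", "delta"   # label spellings are this example's own choice

def has_cycle(edges):
    """True if the directed graph given as (source, target) pairs has a cycle."""
    edges = set(edges)
    while edges:
        sources = {u for u, _ in edges}
        kept = {(u, v) for u, v in edges if v in sources}  # drop edges into sinks
        if kept == edges:      # nothing left to prune: every target moves on
            return True
        edges = kept
    return False

def hide(outputs, trans, hidden):
    """Definition 3.13: return (L^O_H, ->_H), or raise if H may not be hidden."""
    if DELTA in hidden or not hidden.issubset(outputs):
        raise ValueError("H must be a set of output labels and must not contain delta")
    # Edges that would be silent after hiding: existing tau plus labels in H.
    silent = {(s, t) for (s, a, t) in trans if a in hidden or a == TAU}
    if has_cycle(silent):
        raise ValueError("hiding H would create a tau-loop (divergence)")
    new_trans = {(s, TAU if a in hidden else a, t) for (s, a, t) in trans}
    return outputs - hidden, new_trans

def can_hide(outputs, trans, hidden):
    """Convenience wrapper: does Definition 3.13 allow hiding this set?"""
    try:
        hide(outputs, trans, hidden)
        return True
    except ValueError:
        return False

# The cycle of Example 3.14 (edge placement assumed): s0 -a!-> s1 -tau-> s2 -b!-> s0.
EX_OUTPUTS = {"a", "b"}
EX_TRANS = {("s0", "a", "s1"), ("s1", TAU, "s2"), ("s2", "b", "s0")}

if __name__ == "__main__":
    print(hide(EX_OUTPUTS, EX_TRANS, {"a"}))
    print("may hide {a, b}:", can_hide(EX_OUTPUTS, EX_TRANS, {"a", "b"}))
```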
3.5 Properties
In this section, we present several important results regarding QTSs. First, they are closed under all operations mentioned previously. Second, they have many useful commutativity properties regarding function composition of deltafication and the other operations.
3.5.1 Closure Properties
It turns out that well-formed QTSs are closed under all operations defined thus far: determinisation, parallel composition, and action hiding. Therefore, these operations are indeed well-defined for well-formed QTSs.
Theorem 3.15. Well-formed QTSs are closed under determinisation, i.e., given a well-formed QTS $A$, $\mathit{det}(A)$ is also a well-formed QTS.
Proof. Let $A = \langle S, S^0, L^I, L^O, \rightarrow_A \rangle$ be a well-formed QTS and let $\mathit{det}(A) = \langle S_D, S^0_D, L^I, L^O, \rightarrow_D \rangle$ be its determinisation, as defined in Definition 2.11. To prove that well-formed QTSs are closed under determinisation we must show that $\mathit{det}(A)$ is a well-formed QTS, i.e., that it satisfies each of the rules R1, R2, R3 and R4. In the following, we use $\mathit{traces}_D(U)$ to denote the set of all traces of $\mathit{det}(A)$ starting in the state $U \in S_D$.
1. To prove that $\mathit{det}(A)$ satisfies rule R1, we must show that for all states $U \in S_D$: if $q(U)$, then $U \xrightarrow{\delta}_D$.
Let $U \in S_D$ be any state such that $q(U)$ holds in $\mathit{det}(A)$. This implies that all states $s \in U$ are quiescent in $A$. From rule R1 it follows that for every state $s \in U$ there exists another state $s' \in S$ such that $s \xrightarrow{\delta}_A s'$. Therefore $\mathit{reach}_A(U, \delta) \neq \emptyset$. By Definition 2.11, we then have $(U, \delta, \mathit{reach}_A(U, \delta)) \in \rightarrow_D$. Thus, $U \xrightarrow{\delta}_D$.
2. To prove that $\mathit{det}(A)$ satisfies rule R2, we must show that for all states $U, V \in S_D$: if $U \xrightarrow{\delta}_D V$, then $q(V)$.
Consider any transition $U \xrightarrow{\delta}_D V$ with $U, V \in S_D$. If $U \xrightarrow{\delta}_D V$, then, by Definition 2.11, $V = \mathit{reach}_A(U, \delta)$ and $V \neq \emptyset$. Hence, for every state $s' \in V$ there exists a state $s \in U$ such that $s \xrightarrow{\delta}_A s'$. Using rule R2 we can then conclude that every $s' \in V$ is quiescent in $A$, thus $q(V)$ holds in $\mathit{det}(A)$.
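3. To prove that $\mathit{det}(A)$ satisfies rule R3, we must show that for all states $U, V \in S_D$: if $U \xrightarrow{\delta}_D V$, then $\mathit{traces}_D(V) \subseteq \mathit{traces}_D(U)$.
Consider any transition $U \xrightarrow{\delta}_D V$ with $U, V \in S_D$. Assume $\sigma \in \mathit{traces}_D(V)$. We must show that also $\sigma \in \mathit{traces}_D(U)$. If $\sigma \in \mathit{traces}_D(V)$, then there clearly must exist a state $s' \in V$ such that $s' \overset{\sigma}{\Longrightarrow}_A$. Since $U \xrightarrow{\delta}_D V$, it follows from Definition 2.11 that $V = \mathit{reach}_A(U, \delta)$ and $V \neq \emptyset$. Hence, there must exist a state $s \in U$ such that $s \xrightarrow{\delta}_A s'$. Using rule R3 we can then conclude that $\mathit{traces}_A(s') \subseteq \mathit{traces}_A(s)$, and therefore $s \overset{\sigma}{\Longrightarrow}_A$. Since $s \in U$, it follows that $\sigma \in \mathit{traces}_D(U)$.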
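4. To prove that $\mathit{det}(A)$ satisfies rule R4, we must show that for all states $U, V, W \in S_D$: if $U \xrightarrow{\delta}_D V$ and $V \xrightarrow{\delta}_D W$, then $\mathit{traces}_D(W) = \mathit{traces}_D(V)$.
Consider any pair of transitions $U \xrightarrow{\delta}_D V$ and $V \xrightarrow{\delta}_D W$, with $U, V, W \in S_D$. To prove that $\mathit{traces}_D(W) = \mathit{traces}_D(V)$, we must show that both $\mathit{traces}_D(W) \subseteq \mathit{traces}_D(V)$ and $\mathit{traces}_D(V) \subseteq \mathit{traces}_D(W)$. The former follows directly from rule R3, so all that’s left to prove is that $\mathit{traces}_D(V) \subseteq \mathit{traces}_D(W)$.
Assume $\sigma \in \mathit{traces}_D(V)$. We must show that also $\sigma \in \mathit{traces}_D(W)$. If $\sigma \in \mathit{traces}_D(V)$, then there clearly must exist a state $s' \in V$ such that $s' \overset{\sigma}{\Longrightarrow}_A$. Since $U \xrightarrow{\delta}_D V$, it follows that there exists an $s \in U$ such that $s \xrightarrow{\delta}_A s'$. Furthermore, it follows from rule R2 that $V$ is quiescent, and therefore all states in $V$ are quiescent, including $s'$. Since $V \xrightarrow{\delta}_D W$, we have $W = \mathit{reach}_A(V, \delta)$ and $W \neq \emptyset$. We can then conclude, using rule R1, that there must exist a state $s'' \in W$ such that $s' \xrightarrow{\delta}_A s''$. Thus, we have $s \xrightarrow{\delta}_A s' \xrightarrow{\delta}_A s''$. From rule R4 it then follows that $\mathit{traces}_A(s'') = \mathit{traces}_A(s')$ and consequently $s'' \overset{\sigma}{\Longrightarrow}_A$. Since $s'' \in W$, it follows that $\sigma \in \mathit{traces}_D(W)$.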
Theorem 3.16. Well-formed QTSs are closed under parallel composition, i.e., given two well-formed QTSs $A$ and $B$, $A \parallel B$ is also a well-formed QTS.
Proof. Let $A = \langle S_A, S^0_A, L^I_A, L^O_A, \rightarrow_A \rangle$ and $B = \langle S_B, S^0_B, L^I_B, L^O_B, \rightarrow_B \rangle$ be two well-formed QTSs such that $L^O_A \cap L^O_B = \emptyset$. Furthermore, let $A \parallel B = \langle S_{A \parallel B}, S^0_{A \parallel B}, L^I_{A \parallel B}, L^O_{A \parallel B}, \rightarrow_{A \parallel B} \rangle$ be their parallel composition, as defined in Definition 3.11. To prove that well-formed QTSs are closed under parallel composition we must show that $A \parallel B$ is a well-formed QTS, i.e., we need to prove that $A \parallel B$ satisfies each of the rules R1, R2, R3 and R4.
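1. To prove that $A \parallel B$ satisfies rule R1, we must show that for every state $(s, t) \in S_{A \parallel B}$: if $q((s, t))$, then $(s, t) \xrightarrow{\delta}_{A \parallel B}$.
Let $(s, t) \in S_{A \parallel B}$ be any state such that $q((s, t))$ holds in $A \parallel B$. In this case, there is no $a \in L^O_{A \parallel B} \cup \{\tau\}$ such that $(s, t) \xrightarrow{a}_{A \parallel B}$. Since both $A$ and $B$ are input-enabled, it follows from Definition 3.11 that there is no $a \in L^O_A \cup \{\tau\}$ such that $s \xrightarrow{a}_A$ and no $a \in L^O_B \cup \{\tau\}$ such that $t \xrightarrow{a}_B$. Hence, both $s$ and $t$ are quiescent, and by rule R1 we have $s \xrightarrow{\delta}_A$ and $t \xrightarrow{\delta}_B$. From Definition 3.11 it then follows that $(s, t) \xrightarrow{\delta}_{A \parallel B}$.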
2. To prove that $A \parallel B$ satisfies rule R2, we must show that for all pairs of states $(s, t), (s', t') \in S_{A \parallel B}$: if $(s, t) \xrightarrow{\delta}_{A \parallel B} (s', t')$, then $q((s', t'))$.
Consider any transition $(s, t) \xrightarrow{\delta}_{A \parallel B} (s', t')$ with $(s, t), (s', t') \in S_{A \parallel B}$. From Definition 3.11 it then follows that $s \xrightarrow{\delta}_A s'$ and $t \xrightarrow{\delta}_B t'$. By rule R2, both $s'$ and $t'$ are quiescent. Thus, by Definition 3.11, $q((s', t'))$ holds in $A \parallel B$.
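3. To prove that $A \parallel B$ satisfies rule R3, we must show that for all pairs of states $(s, t), (s', t') \in S_{A \parallel B}$: if $(s, t) \xrightarrow{\delta}_{A \parallel B} (s', t')$, then $\mathit{traces}_{A \parallel B}((s', t')) \subseteq \mathit{traces}_{A \parallel B}((s, t))$.
Consider any transition $(s, t) \xrightarrow{\delta}_{A \parallel B} (s', t')$ with $(s, t), (s', t') \in S_{A \parallel B}$. Assume $\sigma \in \mathit{traces}_{A \parallel B}((s', t'))$. We have to show that also $\sigma \in \mathit{traces}_{A \parallel B}((s, t))$. Since $(s, t) \xrightarrow{\delta}_{A \parallel B} (s', t')$, it follows from Definition 3.11 that $s \xrightarrow{\delta}_A s'$ and $t \xrightarrow{\delta}_B t'$. By rule R3, we then have $\mathit{traces}_A(s') \subseteq \mathit{traces}_A(s)$ and $\mathit{traces}_B(t') \subseteq \mathit{traces}_B(t)$.
Additionally, note that $\sigma \in \mathit{traces}_{A \parallel B}((s', t'))$ implies that there is a path
$$\pi = (s'_0, t'_0) \xrightarrow{a_1}_{A \parallel B} (s'_1, t'_1) \xrightarrow{a_2}_{A \parallel B} \ldots \xrightarrow{a_{n-1}}_{A \parallel B} (s'_{n-1}, t'_{n-1}) \xrightarrow{a_n}_{A \parallel B} (s'_n, t'_n)$$
for some $n \geq |\sigma|$, where $(s'_0, t'_0) = (s', t')$ and $\mathit{trace}(\pi) = \sigma$. Note that some of the actions $a_i$ can be equal to $\tau$, and that not all states $s_i$ and $t_i$ have to be distinct. We prove by induction on the length of the path $\pi$ that (1) $s' \overset{\rho_A}{\Longrightarrow}_A s'_n$ and $t' \overset{\rho_B}{\Longrightarrow}_B t'_n$, where $\rho_A = \sigma\ (L_A \cup \{\delta\})$ and $\rho_B = \sigma\ (L_B \cup \{\delta\})$, that (2) $s \overset{\rho_A}{\Longrightarrow}_A$ and $t \overset{\rho_B}{\Longrightarrow}_B$, and that (3) $(s, t) \overset{\sigma}{\Longrightarrow}_{A \parallel B} (s_m, t_m)$ for every pair $(s_m, t_m) \in \mathit{reach}_A(s, \rho_A) \times \mathit{reach}_B(t, \rho_B)$. Note that the last part implies that $\sigma \in \mathit{traces}_{A \parallel B}((s, t))$, which is what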
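Base case. Let $|\pi| = 0$, i.e., $\pi$ is the empty path and $(s'_n, t'_n) = (s', t')$. This implies that $\sigma = \rho_A = \rho_B =$ , and hence $s' \overset{\rho_A}{\Longrightarrow}_A s'_n$ and $t' \overset{\rho_B}{\Longrightarrow}_B t'_n$. Also, $s \overset{\rho_A}{\Longrightarrow}_A$ and $t \overset{\rho_B}{\Longrightarrow}_B$ since $\in \mathit{traces}_A(s)$ and $\in \mathit{traces}_B(t)$. To see why $(s, t) \overset{\sigma}{\Longrightarrow}_{A \parallel B} (s_m, t_m)$ for every $(s_m, t_m) \in \mathit{reach}_A(s, \rho_A) \times \mathit{reach}_B(t, \rho_B)$, note that since $\sigma = \rho_A = \rho_B =$ , $\mathit{reach}_A(s, \rho_A)$ and $\mathit{reach}_B(t, \rho_B)$ contain precisely all states that can be reached from $s$ and $t$, respectively, by only taking $\tau$-transitions. By Definition 3.11, these $\tau$-transitions (if any) can also be executed in all possible interleavings starting from $(s, t)$, since $A$ and $B$ do not synchronise on $\tau$-transitions.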
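Inductive case. Let $\pi'$ be the path from $(s'_0, t'_0)$ to $(s'_{n-1}, t'_{n-1})$, and let $\sigma' = \mathit{trace}(\pi')$. Assume that (1) $s' \overset{\rho'_A}{\Longrightarrow}_A s'_{n-1}$ and $t' \overset{\rho'_B}{\Longrightarrow}_B t'_{n-1}$, where $\rho'_A = \sigma'\ (L_A \cup \{\delta\})$ and $\rho'_B = \sigma'\ (L_B \cup \{\delta\})$, that (2) $s \overset{\rho'_A}{\Longrightarrow}_A$ and $t \overset{\rho'_B}{\Longrightarrow}_B$, and that (3) $(s, t) \overset{\sigma'}{\Longrightarrow}_{A \parallel B} (s_m, t_m)$ for every pair $(s_m, t_m) \in \mathit{reach}_A(s, \rho'_A) \times \mathit{reach}_B(t, \rho'_B)$. Let $\sigma = \sigma' a = \mathit{trace}(\pi)$. Since $\sigma \in \mathit{traces}_{A \parallel B}((s', t'))$, we have $a \in L_{A \parallel B} \cup \{\ , \delta\}$. We look at the cases $a =$ , $a \in L_A \setminus L_B$, $a \in L_B \setminus L_A$, and $a \in (L_A \cap L_B) \cup \{\delta\}$ separately.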
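• If $a =$ , then apparently $a_n = \tau$ and $\sigma = \sigma' = \sigma'$. By Definition 3.11, this implies that either $s'_{n-1} = s'_n$ and $t'_{n-1} \xrightarrow{\tau}_B t'_n$, or $t'_{n-1} = t'_n$ and $s'_{n-1} \xrightarrow{\tau}_A s'_n$. Both cases imply that $s' \overset{\rho_A}{\Longrightarrow}_A s'_n$ and $t' \overset{\rho_B}{\Longrightarrow}_B t'_n$, since $\rho_i = \rho'_i \cdot (a\ (L_A \cup \{\delta\})) = \rho'_i \cdot (\ (L_A \cup \{\delta\})) = \rho'_i$ for $i \in \{A, B\}$ and we assumed $s' \overset{\rho'_A}{\Longrightarrow}_A s'_{n-1}$ and $t' \overset{\rho'_B}{\Longrightarrow}_B t'_{n-1}$. Also, since $\rho'_i = \rho_i$ and $\sigma' = \sigma$, by the induction hypothesis we have $s \overset{\rho_A}{\Longrightarrow}_A$, $t \overset{\rho_B}{\Longrightarrow}_B$, and $(s, t) \overset{\sigma}{\Longrightarrow}_{A \parallel B} (s_m, t_m)$ for every $(s_m, t_m) \in \mathit{reach}_A(s, \rho_A) \times \mathit{reach}_B(t, \rho_B)$.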
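• If $a \in L_A \setminus L_B$, then $a_n = a$ and $(s'_{n-1}, t'_{n-1}) \xrightarrow{a_n}_{A \parallel B} (s'_n, t'_n)$ implies, by Definition 3.11, that $s'_{n-1} \xrightarrow{a}_A s'_n$ and $t'_{n-1} = t'_n$. Since $s' \overset{\rho'_A}{\Longrightarrow}_A s'_{n-1}$ and $\rho_A = \rho'_A \cdot a$, this implies that $s' \overset{\rho_A}{\Longrightarrow}_A s'_n$, and since $t' \overset{\rho'_B}{\Longrightarrow}_B t'_{n-1}$ and $\rho'_B = \rho_B$, we have $t' \overset{\rho_B}{\Longrightarrow}_B t'_n$. Since $\mathit{traces}_A(s') \subseteq \mathit{traces}_A(s)$ and $\mathit{traces}_B(t') \subseteq \mathit{traces}_B(t)$, also $s \overset{\rho_A}{\Longrightarrow}_A$ and $t \overset{\rho_B}{\Longrightarrow}_B$. Clearly, $\mathit{reach}_B(t, \rho_B) = \mathit{reach}_B(t, \rho'_B)$, since $\rho_B = \rho'_B$. Furthermore, for every state $v \in \mathit{reach}_A(s, \rho_A)$ there exists a state $u \in \mathit{reach}_A(s, \rho'_A)$ such that $u \overset{a}{\Longrightarrow}_A v$. Hence, since $(s, t) \overset{\sigma'}{\Longrightarrow}_{A \parallel B} (s_m, t_m)$ for every pair $(s_m, t_m) \in \mathit{reach}_A(s, \rho'_A) \times \mathit{reach}_B(t, \rho'_B)$, by Definition 3.11 also $(s, t) \overset{\sigma}{\Longrightarrow}_{A \parallel B} (s_n, t_n)$ for every pair $(s_n, t_n) \in \mathit{reach}_A(s, \rho_A) \times \mathit{reach}_B(t, \rho_B)$.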
• If $a \in L_B \setminus L_A$, the proof is symmetrical to the previous case.
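• If $a \in L_A \cap L_B$ or $a = \delta$, then $a_n = a$ and $(s'_{n-1}, t'_{n-1}) \xrightarrow{a_n}_{A \parallel B} (s'_n, t'_n)$ implies, by Definition 3.11, that $s'_{n-1} \xrightarrow{a}_A s'_n$ and $t'_{n-1} \xrightarrow{a}_B t'_n$. Since $s' \overset{\rho'_A}{\Longrightarrow}_A s'_{n-1}$ and $\rho_A = \rho'_A \cdot a$, this implies that $s' \overset{\rho_A}{\Longrightarrow}_A s'_n$; $t' \overset{\rho_B}{\Longrightarrow}_B t'_n$ follows symmetrically. Since $\mathit{traces}_A(s') \subseteq \mathit{traces}_A(s)$ and $\mathit{traces}_B(t') \subseteq \mathit{traces}_B(t)$, also $s \overset{\rho_A}{\Longrightarrow}_A$ and $t \overset{\rho_B}{\Longrightarrow}_B$. Furthermore, for every state $v \in \mathit{reach}_A(s, \rho_A)$ there exists a state $u \in \mathit{reach}_A(s, \rho'_A)$ such that $u \overset{a}{\Longrightarrow}_A v$; for $\mathit{reach}_B(t, \rho_B)$ the same property (but with $\mathit{reach}_B(t, \rho'_B)$ rather than $\mathit{reach}_A(s, \rho'_A)$) holds. Hence, since $(s, t) \overset{\sigma'}{\Longrightarrow}_{A \parallel B} (s_m, t_m)$ for every pair $(s_m, t_m) \in \mathit{reach}_A(s, \rho'_A) \times \mathit{reach}_B(t, \rho'_B)$, by Definition 3.11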
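4. To prove that $A \parallel B$ satisfies rule R4, we must show that for all pairs of states $(s, t), (s', t'), (s'', t'') \in S_{A \parallel B}$: if $(s, t) \xrightarrow{\delta}_{A \parallel B} (s', t')$ and $(s', t') \xrightarrow{\delta}_{A \parallel B} (s'', t'')$, then $\mathit{traces}_{A \parallel B}((s', t')) = \mathit{traces}_{A \parallel B}((s'', t''))$.
Consider any pair of transitions $(s, t) \xrightarrow{\delta}_{A \parallel B} (s', t')$ and $(s', t') \xrightarrow{\delta}_{A \parallel B} (s'', t'')$ with $(s, t), (s', t'), (s'', t'') \in S_{A \parallel B}$. From Definition 3.11 it follows that $s \xrightarrow{\delta}_A s'$, $s' \xrightarrow{\delta}_A s''$, $t \xrightarrow{\delta}_B t'$ and $t' \xrightarrow{\delta}_B t''$. By rule R4, we then have $\mathit{traces}_A(s') = \mathit{traces}_A(s'')$ and $\mathit{traces}_B(t') = \mathit{traces}_B(t'')$. To prove that $\mathit{traces}_{A \parallel B}((s', t')) = \mathit{traces}_{A \parallel B}((s'', t''))$, we must prove that both $\mathit{traces}_{A \parallel B}((s', t')) \subseteq \mathit{traces}_{A \parallel B}((s'', t''))$ and $\mathit{traces}_{A \parallel B}((s'', t'')) \subseteq \mathit{traces}_{A \parallel B}((s', t'))$. The latter follows directly from rule R3, so all that’s left to show is $\mathit{traces}_{A \parallel B}((s', t')) \subseteq \mathit{traces}_{A \parallel B}((s'', t''))$. The proof for this is similar to the proof for rule R3, but using the fact that $\mathit{traces}_A(s') = \mathit{traces}_A(s'')$ and $\mathit{traces}_B(t') = \mathit{traces}_B(t'')$, instead of $\mathit{traces}_A(s') \subseteq \mathit{traces}_A(s)$ and $\mathit{traces}_B(t') \subseteq \mathit{traces}_B(t)$.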
As mentioned in Definition 3.13, we do not allow the hiding of actions to lead to the creation of divergent paths. Assuming this does not occur, QTSs are also closed under the operation of action hiding.
Theorem 3.17. Well-formed QTSs are closed under action hiding, i.e., given a well-formed QTS $A$ and a set of labels $H \subseteq L^O_A$ such that there is no cyclic path $\pi = s_0 a_1 s_1 a_2 s_2 \ldots$ in $A$