Contract-based modeling and verification of timed safety requirements within SysML

Abstract

In order to cope with the growing complexity of critical real-time embedded systems, systems engineering has adopted a component-based design technique driven by requirements. Yet, such an approach raises several issues since it does not explicitly prescribe how system requirements can be decomposed on components nor how components contribute to the satisfaction of requirements. The envisioned solution is to design, with respect to each requirement and for each involved component, an abstract specification, tractable at each design step, that models how the component is concerned by the satisfaction of the requirement and that can be further refined toward a correct implementation. In this paper, we consider such specifications in the form of contracts. A contract for a component consists in a pair (assumption, guarantee) where the assumption models an abstract behavior of the component’s environment and the guarantee models an abstract behavior of the component given that the environment behaves according to the assumption. Therefore, contracts are a valuable asset for the correct design of systems, but also for mapping and tracing requirements to components, for tracing the evolution of requirements during design and, most importantly, for compositional verification of requirements. The aim of this paper is to introduce contract-based reasoning for the design of critical real-time systems made of reactive components modeled with UML and/or SysML. We propose an extension of UML and SysML languages with a syntax and semantics for contracts and the refinement relations that they must satisfy. The semantics of components and contracts is formalized by a variant of timed input/output automata on top of which we build a formal contract-based theory. We prove that the contract-based theory is sound and can be applied for a relatively large class of SysML system models. Finally, we show on a case study extracted from the automated transfer vehicle (http://www.esa.int/ATV) that our contract-based theory allows to verify requirement satisfaction for previously intractable models.

Appendices

Appendix 1: OCL formalization of the well-formedness set of rules for contracts in UML/SysML

In this appendix, we discuss the OCL formalization of the well-formedness rules presented in Sect. 3.3.

Listing 1 presents the OCL code corresponding to Rules 1 and 2. For their formalization, we have defined two helper functions isConjugated and isIdenticalTo for the verification of conjugated, respectively, corresponding, ports. The formalization of Rule 1 consists in verifying that for each port of one type there is at least one port of the other matching the criteria. In order to avoid possible broadcast, we verify that the assumption and guarantee have the same number of ports. The formalization of Rule 2 summarizes to iterating the set of ports of the guarantee and verifying that for each port there is one and only one correspondent in the definition of the component.

Rule 3 ensures the uniqueness of a dominance relation in a given context. Indeed, if a component uses a contract for which a correct refinement is provided based on its subcomponents, there is no need to define a second refinement for the same contract and the same components. Listing 2 provides the OCL formalization of this rule: for each component we compute the set of contractUse relations and we verify that the set does not include two or more relations pointing to the same requirement.

Finally, Listing 3 describes the completeness Rule 4: within the set of conformance relations defined in a model, there is one and only one relation having as target the current SafetyProperty.

Appendix 2: SysML-TIOA mapping example

The TIOA corresponding to the component from Fig. 8b is the tuple \((X, Clk, Q, \theta , I, O, V, H, D, \mathcal {T})\) defined as follows:

• \(X=\{ location ,queue \}\) only contains the predefined variables for the state machine location and for the input queue. The domains of these are as follows:

  • \(Dom_{location} = \{ Idle, EjectCard, WaitForRemoval, RemoveCard, WaitForAck \}\)

  • \(Dom_{queue} = I^*\), i.e., the set of finite sequences of elements of I (the input actions, defined below). The concatenation of two sequences a and b of \(I^*\) is denoted by [a; b].

• \(Clk = \{ t \}\) contains the Timer t.

• \(Q = Dom_{location} \times Dom_{queue} \times \mathbb {R}\) is the set of possible valuations of the variables (location, queue, t) listed above. For a triple \(q=(\lambda ,\rho ,\delta ) \in Q\), for simplicity, we denote \(\lambda \) as q.location, \(\rho \) as q.queue and \(\delta \) as q.t.

• \(\theta = (Idle,\emptyset ,0)\) is the initial state, where \(\emptyset \) denotes the empty sequence of signals from I.

• \(I = \{retrieveCard, ok, nok\}\)

• \(O = \{cardInserted, ejectCard, cardRemoved\}\)

• \(V = \emptyset \)

• \(H=\{ \downarrow retrieveCard, \downarrow ok \}\) is the set of internal actions corresponding to the consumption of the input signals from the queue. In other contexts, there may be additional internal actions corresponding to transitions without any visible activity, however this is not the case for the state machine in Fig. 8b.

• \(D = Inp \cup (\cup _{loc \in Dom_{location}} D_{loc})\) where

  • Inp represents the input transitions, defined as follows (remember that the TIOA is input-complete): \(Inp = \{ q \xrightarrow {i} q' | i \in I \wedge q'.location = q.location \wedge q'.t = q.t \wedge q'.queue = [q.queue;i] \}\)

  • \(D_{loc}\) represents the discrete TIO transitions corresponding to the state machine transitions leaving state loc in Fig. 8(b):

    • \(D_{Idle} = \{ q \xrightarrow {!cardInserted} q') | q.location = Idle \wedge q'.location = EjectCard \wedge q.queue=q'.queue \wedge q.t=q'.t \} \)

    • \(D_{EjectCard} = \{ q \xrightarrow {!ejectCard} q' | q.location = EjectCard \wedge q'.location = WaitForRemoval \wedge q.queue=q'.queue \wedge q.t=q'.t \} \)

    • \(D_{WaitForRemoval} = \{ q \xrightarrow {\downarrow retrieveCard} q' | q.location = WaitForRemoval \wedge q'.location = RemoveCard \wedge q.queue=[retrieveCard; q'.queue] \wedge q'.t=0 \} \)

    • \(D_{RemoveCard} = \{ q \xrightarrow {!cardRemoved} q' | q.location = RemoveCard \wedge q'.location = WaitForAck \wedge q.queue=q'.queue \wedge q.t=q'.t \} \)

    • \(D_{WaitForAck} = \{ q \xrightarrow {\downarrow ok} q' | q.location = WaitForAck \wedge q'.location = Idle \wedge q.queue=[ok ; q'.queue] \wedge q.t=q'.t \} \)

• \(\mathcal {T} = \cup _{loc \in Dom_{location}} \mathcal {T}_{loc}\) where \(\mathcal {T}_{loc}\) represents the trajectories starting in states q with \(loc=q.location\). They are defined as follows:

  • \(\mathcal {T}_{Idle} = \{ \tau : [0,0] \rightarrow Q | \tau (0) = q, \forall q \in Q \, \text {with} \, q.location=Idle \} \) (i.e., only point trajectories are allowed since the outgoing transition is eager and has no input)

  • \(\mathcal {T}_{EjectCard} = \{ \tau : I \rightarrow Q \, | \, I \, \text {is any interval of form} \, [0,x] \, \text {or} \, [0,\infty ) \wedge \forall y \in I.\ (\tau (y)(location) = EjectCard \wedge \tau (y)(queue) = \tau (0)(queue) \wedge \tau (y)(t) = y + \tau (0)(t)) \} \) (i.e., trajectories may go to infinity, and only change t with derivative 1)

  • \(\mathcal {T}_{WaitForRemoval} = \mathcal {T}_{WaitForRemoval}^{Pres} \cup \mathcal {T}_{WaitForRemoval}^{Abs}\) where:

    • \(\mathcal {T}_{WaitForRemoval}^{Pres}\) are (point) trajectories from states in which the signal retrieveCard is present in front of the queue: \( \mathcal {T}_{WaitForRemoval}^{Pres} = \{ \tau : [0,0] \rightarrow Q | \tau (0) = q, \forall q \in Q \, \text {with} \, q.location=WaitForRemoval \ \wedge \ \exists w \, \text {such that } q.queue = [retrieveCard;w] \} \)

    • \(\mathcal {T}_{WaitForRemoval}^{Abs}\) are trajectories (to infinity) from states in which the signal retrieveCard is not in front of the queue: \( \mathcal {T}_{WaitForRemoval}^{Abs} = \{ \tau : I \rightarrow Q \, | \, I \, \text {is any interval of form} \, [0,x] \, \text {or} \, [0,\infty ) \wedge \forall y \in I.\ (\tau (y)(location) = WaitForRemoval \, \wedge \, \tau (y)(queue) = \tau (0)(queue) \, \wedge \, \tau (y)(t) = y + \tau (0)(t)\ \wedge \, \not \exists w \, \text {such that} \, q.queue = [retrieveCard;w]) \} \)

  • \(\mathcal {T}_{RemoveCard} = \{ \tau : [0,x] \rightarrow Q | x \in [0,5-\tau (0)(t)] \wedge \forall y \in [0,x].\ (\tau (y)(location) = RemoveCard \wedge \tau (y)(queue) = \tau (0)(queue) \wedge \tau (y)(t) = y + \tau (0)(t)) \} \) (i.e., trajectories may go up to \(t=5\) and only change t with derivative 1)

  • \(\mathcal {T}_{WaitForAck} = \mathcal {T}_{WaitForAck}^{Pres} \cup \mathcal {T}_{WaitForAck}^{Abs}\) where:

    • \(\mathcal {T}_{WaitForAck}^{Pres}\) are (point) trajectories from states in which the signal ok is present in front of the queue: \( \mathcal {T}_{WaitForAck}^{Pres} = \{ \tau : [0,0] \rightarrow Q | \tau (0) = q, \forall q \in Q \, \text {with} \, q.location=WaitForAck\ \wedge \ \exists w \, \text {such that} \, q.queue = [ok;w]\} \)

    • \(\mathcal {T}_{WaitForAck}^{Abs}\) are trajectories (to infinity) from states in which the signal ok is not in front of the queue: \( \mathcal {T}_{WaitForAck}^{Abs} = \{ \tau : I \rightarrow Q \, | \, I \, \text {is any interval of form} \, [0,x] \, \text {or} \, [0,\infty ) \wedge \forall y \in I. (\tau (y)(location) = WaitForAck \, \wedge \, \tau (y)(queue) = \tau (0)(queue) \, \wedge \, \tau (y)(t) = y + \tau (0)(t)\ \wedge \, \not \exists w \, \text {such that } q.queue = [ok;w]) \} \)

Appendix 3: Proofs for the formal contract-based framework

Theorem 2 \((\mathcal {A}, \parallel )\) is a commutative monoid.

Proof

Let \(\mathcal {A}_1\), \(\mathcal {A}_2\) and \(\mathcal {A}_3\) be three timed input/output automata.

1. 1.

   Commutativity: \(\mathcal {A}_1 \parallel \mathcal {A}_2\) = \(\mathcal {A}_2 \parallel \mathcal {A}_1\) is true since only set operations are used by the composition operator.

2. 2.

   Associativity: By applying the composition operator we obtain \((\mathcal {A}_1 \parallel \mathcal {A}_2) \parallel \mathcal {A}_3 = \mathcal {A}_1 \parallel (\mathcal {A}_2 \parallel \mathcal {A}_3) = (X, Clk, Q, \theta , I, O, V, H, D, \mathcal {T})\) where:

   • \(X = X_{\mathcal {A}_1} \cup X_{\mathcal {A}_2} \cup X_{\mathcal {A}_3}\).

   • \(Clk = Clk_{\mathcal {A}_1} \cup Clk_{\mathcal {A}_2} \cup Clk_{\mathcal {A}_3}\).

   • \(Q = \lbrace \mathrm {x}_{\mathcal {A}_1} \cup \mathrm {x}_{\mathcal {A}_2} \cup \mathrm {x}_{\mathcal {A}_3} \vert \mathrm {x}_{\mathcal {A}_1} \in Q_{\mathcal {A}_1}, \mathrm {x}_{\mathcal {A}_2} \in Q_{\mathcal {A}_2} \text { and } \mathrm {x}_{\mathcal {A}_3} \in Q_{\mathcal {A}_3} \rbrace \).

   • \(\theta = \theta _{\mathcal {A}_1} \cup \theta _{\mathcal {A}_2} \cup \theta _{\mathcal {A}_3}\).

   • \(I = (I_{\mathcal {A}_1} \setminus (O_{\mathcal {A}_2} \cup O_{\mathcal {A}_3})) \cup (I_{\mathcal {A}_2} \setminus (O_{\mathcal {A}_1} \cup O_{\mathcal {A}_3})) \cup (I_{\mathcal {A}_3} \setminus (O_{\mathcal {A}_1} \cup O_{\mathcal {A}_2}))\).

   • \(O = (O_{\mathcal {A}_1} \setminus (I_{\mathcal {A}_2} \cup I_{\mathcal {A}_3})) \cup (O_{\mathcal {A}_2} \setminus (I_{\mathcal {A}_1} \cup I_{\mathcal {A}_3})) \cup (O_{\mathcal {A}_3} \setminus (I_{\mathcal {A}_1} \cup I_{\mathcal {A}_3}))\).

   • \(V = V_{\mathcal {A}_1} \cup V_{\mathcal {A}_2} \cup V_{\mathcal {A}_3} \cup (O_{\mathcal {A}_1} \cap (I_{\mathcal {A}_2} \cup I_{\mathcal {A}_3})) \cup (O_{\mathcal {A}_2} \cap (I_{\mathcal {A}_1} \cup I_{\mathcal {A}_3})) \cup (O_{\mathcal {A}_3} \cap (I_{\mathcal {A}_1} \cup I_{\mathcal {A}_2}))\).

   • \(H = H_{\mathcal {A}_1} \cup H_{\mathcal {A}_2} \cup H_{\mathcal {A}_3}\).

   • D is the set of discrete transitions where for each \(\mathrm {x} = \mathrm {x}_{\mathcal {A}_1} \cup \mathrm {x}_{\mathcal {A}_2} \cup \mathrm {x}_{\mathcal {A}_3}\) and \(\mathrm {x}' = \mathrm {x}'_{\mathcal {A}_1} \cup \mathrm {x}'_{\mathcal {A}_2} \cup \mathrm {x}'_{\mathcal {A}_3} \in Q\) and each \(a \in A\), \(\mathrm {x} \xrightarrow {a} \mathrm {x}'\) if and only if for \(i \in \lbrace 1, 2, 3 \rbrace \), either

     1. (a)

        \(a \in A_i\) and \(\mathrm {x}_i \xrightarrow {a} \mathrm {x}'_i\), or

     2. (b)

        \(a \not \in A_i\) and \(\mathrm {x}_i = \mathrm {x}'_i\).

   • \(\mathcal {T} \subseteq trajs(Q)\) is given by \(\tau \in \mathcal {T} \Leftrightarrow \tau \lceil X_i \in \mathcal {T}_i\), \(i \in \lbrace 1, 2, 3 \rbrace \).

3. 3.

   The identity element is the empty timed input/output automaton: it has no internal variables, it does not perform any actions and can let time elapse to infinity. \(\square \)

Theorem 5 Given a component Env and a set \(\mathcal {K}\) of components for which Env is an environment, the refinement under context \(\sqsubseteq _{Env}\) is a preorder over \(\mathcal {K}\).

Proof

1. 1.

   Reflexivity: \(K \sqsubseteq _{Env} K \overset{\Delta }{\Leftrightarrow } K \parallel Env \parallel Env' \preceq K \parallel Env \parallel Env'\) which is true from the definition of the conformance relation. \(K'\) is not represented since it is the identity element of the composition operator.

2. 2.

   Transitivity: \(K_1 \sqsubseteq _{Env} K_2 \wedge K_2 \sqsubseteq _{Env} K_3 \implies K_1 \sqsubseteq _{Env} K_3\).

$$\begin{aligned} K_1 \sqsubseteq _{Env} K_2 \overset{\Delta }{\Leftrightarrow } K_1 \parallel Env \parallel Env' \preceq K_2 \parallel Env \parallel K'_2 \parallel Env'\, (1) \end{aligned}$$

We write the automaton \(Env' = Env'_1 \parallel Env'_2\) where :

• \(Env'_1 = (\emptyset , \emptyset , \lbrace \phi \rbrace , \phi , ((O_{K_1} \cap O_{K_2}) \setminus I_{E}), ((I_{K_1} \cap I_{K_2}) \setminus O_{E}), \emptyset , \emptyset , D_{Env'_1}, \mathcal {T}_{Env'_1})\),

• \(Env'_2 = (\emptyset , \emptyset , \lbrace \phi \rbrace , \phi , ((O_{K_1} \setminus O_{K_2}) \setminus I_{E}), ((I_{K_1} \setminus I_{K_2}) \setminus O_{E}), \emptyset , \emptyset , D_{Env'_2}, \mathcal {T}_{Env'_2})\).

Remark that the sets of input and output actions are pairwise disjoint for \(Env'_1\) and \(Env'_2\).

We write the automaton \(K'_2 = K''_2 \parallel Env'_3\) where:

• \(K''_2 = (\emptyset , \emptyset , \lbrace \phi \rbrace , \phi , (I_{K_1} \setminus I_{K_2}), (O_{K_1} \setminus O_{K_2}), (V_{K_1} \setminus E_{K_2}), \emptyset , D_{K''_2}, \mathcal {T}_{K''_2}\),

• \(Env'_3 = (\emptyset , \emptyset , \lbrace \phi \rbrace , \phi , (V_{K_1} \cap O_{K_2}), (V_{K_1} \cap I_{K_2}), \emptyset , \emptyset , D_{Env'_3}, \mathcal {T}_{Env'_3})\).

Similarly, the sets of inputs, outputs and visible actions are pairwise disjoint for \(K''_2\) and \(Env'_3\).

With this notation:

$$\begin{aligned}&(1)\, \Leftrightarrow K_1 \parallel Env \parallel Env'_1 \parallel Env'_2 \preceq K_2 \parallel Env \parallel K''_2 \parallel Env'_3 \parallel Env'_1 \parallel Env'_2\, (2) \\&K_2 \sqsubseteq _{Env} K_3 \overset{\Delta }{\Leftrightarrow } K_2 \parallel Env \parallel Env'' \preceq K_3 \parallel Env \parallel K'_3 \parallel Env''\, (3) \end{aligned}$$

With the same notation we obtain that \(Env'' = Env'_1 \parallel Env'_3\), and

$$\begin{aligned} (3) \,\Leftrightarrow K_2 \parallel E \parallel Env'_1 \parallel Env'_3 \preceq K_3 \parallel E \parallel K'_3 \parallel Env'_1 \parallel Env'_3\, (4) \end{aligned}$$

Composing (4) with \(K''_2 \parallel Env'_2\) and from Theorem 4 we get:

$$\begin{aligned}&K_2 \parallel Env \parallel Env'_1 \parallel Env'_3 \parallel K''_2 \parallel Env'_2 \preceq K_3 \parallel Env \parallel K'_3 \parallel Env'_1 \parallel Env'_3 \parallel K''_2 \parallel Env'_2 \Leftrightarrow \\&\left. \begin{aligned} \Leftrightarrow K_2 \parallel Env \parallel K''_2 \parallel Env'_3 \parallel Env'_1 \parallel Env'_2 \preceq K_3 \parallel Env \parallel K'_3 \parallel K'_2 \parallel Env'_1 \parallel Env'_2 \\ (2)\ K_1 \parallel Env \parallel Env'_1 \parallel Env'_2 \preceq K_2 \parallel Env \parallel K''_2 \parallel Env'_3 \parallel Env'_1 \parallel Env'_2 \end{aligned}\right\} \overset{Transitivity\ of\ \preceq }{\implies }\\&\implies K_1 \parallel Env \parallel Env'_1 \parallel Env'_2 \preceq K_3 \parallel Env \parallel K'_3 \parallel K'_2 \parallel Env'_1 \parallel Env'_2 \Leftrightarrow \Leftrightarrow K_1 \parallel Env \parallel Env'\\&\quad \preceq K_3 \parallel Env \parallel K'_2 \parallel K'_3 \parallel Env' \end{aligned}$$

By denoting \(K' = K'_2 \parallel K'_3\) we have:

$$\begin{aligned} K_1 \parallel Env \parallel Env' \preceq K_3 \parallel Env \parallel K' \parallel Env' \overset{\Delta }{\Leftrightarrow } K_1 \sqsubseteq _{Env} K_3 \end{aligned}$$

The last step consists in proving that \(K'\) is indeed the automaton generated by the refinement under context relation. Since \(K'_2\) and \(K'_3\) are built from the hypothesis by the refinement under context relation, by composition they define the correct structure for \(K'\). Moreover:

• \(I_{K'} = (I_{K_1} \setminus I_{K_3}) \cup (V_{K_1} \cap O_{K_3})\),

• \(O_{K'} = (O_{K_1} \setminus O_{K_3}) \cup (V_{K_1} \cap I_{K_3})\) and

• \(V_{K'} = V_{K_1} \setminus E_{K_3}\).

The proofs on the sets of actions for \(Env''\) and \(K'\) are detailed in [36]. \(\square \)

Theorem 6 Let \(K_1\) and \(K_2\) be two components and E an environment compatible with both \(K_1\) and \(K_2\) such that \(Env = Env_1 \parallel Env_2\). Then \(K_1 \sqsubseteq _{Env_1 \parallel Env_2} K_2 \Leftrightarrow K_1 \parallel Env_1 \sqsubseteq _{Env_2} K_2 \parallel Env_1\).

Proof

First, let us rewrite the two refinement relations to be proved equivalent as conformance relations, based on the definition of refinement under context:

• \(K_1 \sqsubseteq _{Env_1 \parallel Env_2} K_2 \Leftrightarrow K_1 \parallel (Env_1 \parallel Env_2) \parallel Env' \preceq K_2 \parallel (Env_1 \parallel Env_2) \parallel K' \parallel Env'\)

• \(K_1 \parallel Env_1 \sqsubseteq _{Env_2} K_2 \parallel Env_1 \Leftrightarrow (K_1 \parallel Env_1) \parallel Env_2 \parallel Env'' \preceq (K_2 \parallel Env_1) \parallel Env_2 \parallel K'' \parallel Env''\)

Based of the associativity of \(\parallel \) we have that the two relations are identical, where: \(Env' = Env'' = (\emptyset , \emptyset , \lbrace \phi \rbrace , \phi , (O_{K_1} \setminus (I_{Env_1} \cup I_{Env_2})), (I_{K_1} \setminus (O_{Env_1} \cup O_{Env_2})), \emptyset , \emptyset , D_{Env'}, \mathcal {T}_{Env'})\) and \(K' = K'' = (\emptyset , \emptyset , \lbrace \phi \rbrace , \phi , ((I_{K_1} \setminus I_{K_2}) \cup (V_{K_1} \cap O_{K_2})), ((O_{K_1} \setminus O_{K_2}) \cup (V_{K_1} \cap I_{K_1})), (V_{K_1} \setminus E_{K_2}), \emptyset , D_{K'}, \mathcal {T}_{K'})\). \(\square \)

Theorem 8 \(\lbrace C_i \rbrace _{i=1}^{n}\) dominates C if, \(\forall i\), \(traces_{G_i}\) and \(traces_{G}\) are closed under time extension and

$$\begin{aligned} \left\{ \begin{array}{l} G_1 \parallel ... \parallel G_n \sqsubseteq _{A} G \\ A \parallel G_1 \parallel ... \parallel G_{i-1} \parallel G_{i+1} \parallel ... \parallel G_n \sqsubseteq _{G_i} A_{i},\ \forall i \end{array}\right. \end{aligned}$$

Proof

Let \(K_i\), \(i=\overline{1,n}\), a set of components such that:

1. (1)

   \(K_i \sqsubseteq _{A_i} G_i\),

2. (2)

   \(G_1 \parallel G_2 \parallel \ldots \parallel G_n \sqsubseteq _{A} G\),

3. (3)

   \(A \parallel G_1 \parallel \ldots \parallel G_{i-1} \parallel G_{i+1} \parallel \ldots \parallel G_n \sqsubseteq _{G_i} A_i, \forall i\).

We have to prove that \(K_1 \parallel K_2 \parallel \ldots \parallel K_n \sqsubseteq _{A} G\).

The proof is built by induction on j where \(j =\overline{0, n}\) is the number of guarantees replaced by their corresponding component. More precisely, we will prove by induction that \(K_1 \parallel ... \parallel K_{j-1} \parallel G_j \parallel ... \parallel G_n \sqsubseteq _{A} G\). In parallel, we will also need to prove that \(A \parallel K_1 \parallel K_2 \parallel \ldots \parallel K_j \parallel G_{j+1} \parallel \ldots \parallel G_{i-1} \parallel G_{i+1} \parallel \ldots \parallel G_n \sqsubseteq _{G_i} A_i\), \(\forall i > j\).

Step \(j = 0\). Then the conclusion becomes \(G_1 \parallel G_2 \parallel \ldots \parallel G_n \sqsubseteq _{A} G\) which is true by hypothesis (2)

Step \(j = 1\).

$$\begin{aligned}&\left. \begin{aligned} (1)\ K_{1} \sqsubseteq _{A_{1}} G_{1} \\ \text {From (2) for i=1}\Rightarrow A \parallel G_2 \parallel \ldots \parallel G_n \sqsubseteq _{G_{1}} A_{1} \end{aligned}\right\} \overset{Theorem~7}{\Rightarrow }\\&\Rightarrow K_{1} \sqsubseteq _{A \parallel G_2 \parallel \ldots \parallel G_n} G_{1}\, (4)\\&\left. \begin{aligned} (4) \overset{Theorem~6}{\Rightarrow } K_1 \parallel G_2 \parallel \ldots \parallel G_n \sqsubseteq _{A} G_1 \parallel G_2 \parallel \ldots \parallel G_n \\ (2)\ G_1 \parallel \ldots \parallel G_n \sqsubseteq _{A} G \end{aligned}\right\} \overset{Transitivity}{\Rightarrow }\\&\Rightarrow K_1 \parallel G_2 \parallel \ldots \parallel G_n \sqsubseteq _{A} G\, (5)\\&\left. \begin{aligned} (4) \overset{Theorem~6}{\Rightarrow } A \parallel K_1 \parallel G_2 \parallel \ldots \parallel G_{i-1} \parallel G_{i+1} \parallel \ldots \parallel G_n \sqsubseteq _{G_i} A \parallel G_1 \parallel G_2 \parallel \ldots \parallel G_{i-1} \parallel G_{i+1} \parallel \ldots \parallel \\ \parallel G_n, \forall i > 1 \\ (3)\ A \parallel G_1 \parallel \ldots G_{i-1} \parallel G_{i+1} \parallel \ldots \parallel G_n \sqsubseteq _{G_i} A_i, \forall i \end{aligned}\right\} \overset{Transitivity}{\Rightarrow }\\&\Rightarrow A \parallel K_1 \parallel G_2 \parallel \ldots G_{i-1} \parallel G_{i+1} \parallel \ldots \parallel G_n \sqsubseteq _{G_i} A_i, \forall i > 1\, (6) \end{aligned}$$

Relations (5) and (6) constitute the hypotheses for the induction step at \(j=2\).

Induction step Let j be fixed. The induction hypotheses for this step are:

$$\begin{aligned}&K_1 \parallel \ldots \parallel K_j \parallel G_{j+1} \parallel \ldots \parallel G_n \sqsubseteq _{A} G\, (7) \\&A \parallel K_1 \parallel K_2 \parallel \ldots \parallel K_j \parallel G_{j+1} \parallel \ldots \parallel G_{i-1} \parallel G_{i+1} \parallel \ldots \parallel G_n \sqsubseteq _{G_i} A_i,\quad \forall i > j \,(8) \end{aligned}$$

Then we want to prove that:

$$\begin{aligned}&K_1 \parallel \ldots \parallel K_j \parallel K_{j+1} \parallel G_{j+2} \parallel G_n \sqsubseteq _{A} G\, (9)\, \hbox {and}\\&A \parallel K_1 \parallel \ldots \parallel K_{j+1} \parallel G_{j+2} \parallel \ldots \parallel G_{i-1} \parallel G_{i+1} \parallel \ldots \parallel G_n \sqsubseteq _{G_i} A_i,\quad \forall i > j+1\, (10) \end{aligned}$$

We proceed as follows:

$$\begin{aligned} \left. \begin{aligned} (1)\ K_{j+1} \sqsubseteq _{A_{j+1}} G_{j+1} \\ \text {From (8) for i = j + 1} \Rightarrow A \parallel K_1 \parallel K_2 \parallel \ldots \parallel K_j \parallel G_{j+2} \parallel \ldots \parallel G_n \sqsubseteq _{G_{j+1}} A_{j+1} \end{aligned}\right\} \overset{Theorem~7}{\Rightarrow }\end{aligned}$$

\(\Rightarrow K_{j+1} \sqsubseteq _{A \parallel K_1 \parallel \ldots \parallel K_j \parallel G_{j+2} \parallel \ldots \parallel G_n} G_{j+1}\) (11)

$$\begin{aligned}&\left. \begin{aligned} (11) \overset{Theorem~6}{\Rightarrow } K_1 \parallel \ldots \parallel K_j \parallel K_{j+1} \parallel G_{j+2} \parallel \ldots \parallel G_n \sqsubseteq _{A} K_1 \parallel \ldots \parallel K_j \parallel G_{j+1} \parallel G_{j+2} \parallel \ldots \parallel G_n \\ (7)\ K_1 \parallel \ldots \parallel K_j \parallel G_{j+1} \parallel \ldots \parallel G_n \sqsubseteq _{A} G \end{aligned}\right\} \overset{Transitivity}{\Rightarrow }\\&\Rightarrow K_1 \parallel \ldots \parallel K_j \parallel K_{j+1} \parallel G_{j+2} \parallel G_n \sqsubseteq _{A} G\, (9)\\&\left. \begin{aligned} (11) \overset{Theorem~6}{\Rightarrow } A \parallel K_1 \parallel \ldots \parallel K_{j+1} \parallel G_{j+2} \parallel \ldots \parallel G_{i-1} \parallel G_{i+1} \parallel \ldots \parallel G_n \sqsubseteq _{G_i} A \parallel K_1 \parallel \ldots \parallel \\ \parallel K_j \parallel G_{j+1} \parallel \ldots \parallel G_{i-1} \parallel G_{i+1} \parallel \ldots \parallel G_n, \forall i > j+1\\ (8)\ A \parallel K_1\parallel \ldots \parallel K_j \parallel G_{j+1} \parallel \ldots \parallel G_{i-1} \parallel G_{i+1} \parallel \ldots \parallel G_n \sqsubseteq _{G_i} A_i, \forall i > j+1 \end{aligned}\right\} \overset{Transitivity}{\Rightarrow }\\&\Rightarrow A \parallel K_1 \parallel \ldots \parallel K_{j+1} \parallel G_{j+2} \parallel \ldots \parallel G_{i-1} \parallel G_{i+1} \parallel \ldots \parallel G_n \sqsubseteq _{G_i} A_i, \forall i > j+1\, (10) \end{aligned}$$

Step \(j=n\). From (9), for \(j=n\), we obtain \(K_1 \parallel K_2 \parallel \ldots \parallel K_n \sqsubseteq _{A} G\) which implies dominance. \(\square \)

Theorem 9 \(K_1 \sqsubseteq _{E} K_2\) if \(K_2\) is a deterministic safety property and \(reach((K_1 \parallel E \parallel E') \bowtie \mathcal {O}_{K_2}) \cap \lbrace \pi \rbrace = \emptyset \).

Proof

Notation. We note by \(reach(\mathcal {A})(\sigma )\) the set of reached states after the execution \(\sigma \)

This proof is built by contradiction. We suppose that \(K_1 \not \sqsubseteq _{E} K_2\).

It implies that \(\exists \sigma \in tr(K_1 \parallel E \parallel E') \wedge \sigma \not \in tr(K_2 \parallel E \parallel E' \parallel K')\).

Let \(\sigma 'a\) be a prefix of \(\sigma \) such that \(\sigma ' \in tr(K_1 \parallel E \parallel E') \cap tr(K_2 \parallel E \parallel E' \parallel K')\) and \(\sigma 'a\ \not \in tr(K_2 \parallel E \parallel E' \parallel K')\), where a is a visible action. Such a prefix exists because \(K_2\) is a safety property.

Then \(reach((K_1 \parallel E \parallel E') \bowtie \mathcal {O}_{K_2})(\sigma ') = \lbrace (q_1, q_2) \rbrace \).

Concatenating a we obtain: \((q_1, q_2) \xrightarrow {a}_{(K_1 \parallel E \parallel E') \bowtie \mathcal {O}_{K_2}} \pi \implies reach((K_1 \parallel E \parallel E') \bowtie \mathcal {O}_{K_2}) \cap \lbrace \pi \rbrace \not = \emptyset \) in contradiction with the hypothesis. \(\square \)