Dynamic controllability via Timed Game Automata

Abstract

Temporal networks are data structures for representing and reasoning about temporal constraints on activities. Many kinds of temporal networks have been defined in the literature, differing in their expressiveness. The simplest kinds of networks have polynomial algorithms for determining their temporal consistency or different levels of controllability, but corresponding algorithms for more expressive networks (e.g., those that include observation nodes or disjunctive constraints) have so far been unavailable. This paper introduces a new approach to determine the dynamic controllability of a very expressive class of temporal networks that accommodates observation nodes and disjunctive constraints. The approach is based on encoding the dynamic controllability problem into a reachability game for Timed Game Automata (TGAs). This is the first sound and complete approach for determining the dynamic controllability of such networks. The encoding also highlights the theoretical relationships between various kinds of temporal networks and TGAs. The new algorithms have immediate applications in the design and analysis of workflow models being developed to automate business processes, including workflows in the health-care domain.

Notes

  1. Some authors choose to distinguish the network data structure from the problem being solved, giving rise to parallel notations such as STN versus STP, CSTN versus CTP, STNU versus STPU, DTN versus DTP, and so on. This is useful given that one can pose a variety of problems for a given network structure (e.g., strong controllability vs. weak controllability for STNUs). This paper primarily uses the “N” notation, the major exceptions being when describing the work of other authors who have tended to use the “P” notation.

  2. Contingent links may also form chains or trees, in which case only the starting time-point for the entire chain or tree is free, while the rest of the time-points are uncontrollable.

  3. The agent and environment are not part of the formal semantics for STNUs; they are used here for expository convenience.

  4. The “C” in CSTNU stands for “Conditional”, as in the Conditional Temporal Problem (CTP) introduced by Tsamardinos et al. [41]. A CSTNU extends both Conditional Simple Temporal Networks (CSTNs) and STNUs.

  5. There are some additional “well-definedness” conditions on CSTNUs that are omitted for expository convenience [26].

  6. Without loss of generality, this paper considers only binary branching in CSTNUs.

  7. Here we use the classical notation \(\phi [x/y]\) for the substitution of the term x for the term y in the formula \(\phi \). However, we slightly abuse the notation by assuming that the substitution is applied to all atoms of the formula.

  8. We are assuming that all the locations of the automata pieces are urgent, so the clocks are frozen and no time can elapse.

  9. Note that a \(\mathtt {wait}\) decision cannot be simultaneously applicable for both Agnes and Vera.

References

  1. Abdeddaim, Y., Asarin, E., Sighireanu, M.: Simple algorithm for simple timed games. In: TIME, pp. 99–106 (2009)

  2. Allen, J.F.: Maintaining knowledge about temporal intervals. Commun. ACM 26(11), 832–843 (1983)

  3. Alur, R., Dill, D.L.: A theory of timed automata. Theor. Comput. Sci. 126(2), 183–235 (1994)

  4. Augusto, J.C.: Temporal reasoning for decision support in medicine. Artif. Intell. Med. 33(1), 1–24 (2005)

  5. Behrmann, G., Cougnard, A., David, A., Fleury, E., Larsen, K., Lime, D.: Uppaal-Tiga: time for playing games! In: Damm, W., Hermanns, H. (eds.) Proceedings of the 19th Conference on Computer Aided Verification (CAV-2007). Lecture Notes in Computer Science, vol. 4590, pp. 121–125. Springer, Berlin (2007)

  6. Cassez, F., David, A., Fleury, E., Larsen, K.G., Lime, D.: Efficient on-the-fly algorithms for the analysis of timed games. In: CONCUR, pp. 66–80 (2005)

  7. Cesta, A., Fratini, S., Orlandini, A., Finzi, A.: Flexible plan verification: feasibility results. Fundam. Inform. 107(2–3), 111–137 (2011)

  8. Cheikhrouhou, S., Kallel, S., Guermouche, N., Jmaiel, M.: Toward a time-centric modeling of business processes in BPMN 2.0. In: International Conference on Information Integration and Web-based Applications and Services, pp. 154–163. ACM (2013)

  9. Cimatti, A., Hunsberger, L., Micheli, A., Posenato, R., Roveri, M.: Sound and complete algorithms for checking the dynamic controllability of temporal networks with uncertainty, disjunction and observation. In: Cesta, A., Combi, C., Laroussinie, F. (eds.) 21st International Symposium on Temporal Representation and Reasoning, TIME 2014, Verona, Italy, September 8–10, 2014, pp. 27–36. IEEE Computer Society (2014). doi:10.1109/TIME.2014.21

  10. Cimatti, A., Hunsberger, L., Micheli, A., Roveri, M.: Using timed game automata to synthesize execution strategies for simple temporal networks with uncertainty. In: Proceedings of the Twenty-Eighth AAAI Conference on Artificial Intelligence, July 27–31, 2014, Québec City, Québec, Canada, pp. 2242–2249 (2014)

  11. Cimatti, A., Micheli, A., Roveri, M.: Solving temporal problems using SMT: weak controllability. In: AAAI, pp. 448–454 (2012)

  12. Cimatti, A., Micheli, A., Roveri, M.: Solving strong controllability of temporal problems with uncertainty using SMT. Constraints 20(1), 1–29 (2015)

  13. Combi, C., Gambini, M., Migliorini, S., Posenato, R.: Representing business processes through a temporal data-centric workflow modeling language: an application to the management of clinical pathways. IEEE Trans. Syst. Man Cybern. Syst. 44(9), 1182–1203 (2014). doi:10.1109/TSMC.2014.2300055

  14. Combi, C., Gozzi, M., Posenato, R., Pozzi, G.: Conceptual modeling of flexible temporal workflows. ACM Trans. Auton. Adapt. Syst. (TAAS) 7(2), 19 (2012). doi:10.1145/2240166.2240169

  15. Combi, C., Hunsberger, L., Posenato, R.: An algorithm for checking the dynamic controllability of a conditional simple temporal network with uncertainty. In: Filipe, J., Fred, A.L.N. (eds.) ICAART 2013—Proceedings of the 5th International Conference on Agents and Artificial Intelligence, vol. 2, Barcelona, Spain, 15–18 February, 2013, pp. 144–156. SciTePress (2013)

  16. Combi, C., Posenato, R.: Controllability in temporal conceptual workflow schemata. In: Dayal, U., Eder, J., Koehler, J., Reijers, H.A. (eds.) Business Process Management, 7th International Conference, BPM 2009, Ulm, Germany, September 8–10, 2009. Proceedings, Lecture Notes in Computer Science, vol. 5701, pp. 64–79. Springer (2009). doi:10.1007/978-3-642-03848-8_6

  17. Combi, C., Pozzi, G.: Architectures for a temporal workflow management system. In: Proceedings of the 2004 ACM Symposium on Applied Computing (SAC-2004), pp. 659–666. ACM, New York (2004)

  18. Comin, C., Posenato, R., Rizzi, R.: A tractable generalization of simple temporal networks and its relation to mean payoff games. In: Cesta, A., Combi, C., Laroussinie, F. (eds.) 21st International Symposium on Temporal Representation and Reasoning, TIME 2014, Verona, Italy, September 8–10, 2014, pp. 7–16. IEEE Computer Society (2014). doi:10.1109/TIME.2014.19

  19. Dechter, R., Meiri, I., Pearl, J.: Temporal constraint networks. Artif. Intell. 49, 61–95 (1991)

  20. Eder, J., Panagos, E., Rabinovich, M.: Time constraints in workflow systems. In: Jarke, M., Oberweis, A. (eds.) Advanced Information Systems Engineering, LNCS, vol. 1626, pp. 286–300. Springer, Berlin (1999)

  21. Hollingsworth, D.: The workflow reference model. http://www.wfmc.org/standards/model.htm (1995)

  22. Hunsberger, L.: Fixing the semantics for dynamic controllability and providing a more practical characterization of dynamic execution strategies. In: Lutz, C., Raskin, J. (eds.) TIME 2009, 16th International Symposium on Temporal Representation and Reasoning, Bressanone-Brixen, Italy, 23–25 July 2009, Proceedings, pp. 155–162. IEEE Computer Society (2009). doi:10.1109/TIME.2009.25

  23. Hunsberger, L.: A fast incremental algorithm for managing the execution of dynamically controllable temporal networks. In: Markey, N., Wijsen, J. (eds.) TIME 2010 - 17th International Symposium on Temporal Representation and Reasoning, Paris, France, 6–8 September 2010, pp. 121–128. IEEE Computer Society (2010). doi:10.1109/TIME.2010.16

  24. Hunsberger, L.: A faster execution algorithm for dynamically controllable STNUs. In: Sánchez, C., Venable, K.B., Zimányi, E. (eds.) 2013 20th International Symposium on Temporal Representation and Reasoning, Pensacola, FL, USA, September 26–28, 2013, pp. 26–33. IEEE Computer Society (2013). doi:10.1109/TIME.2013.13

  25. Hunsberger, L.: A faster algorithm for checking the dynamic controllability of simple temporal networks with uncertainty. In: Duval, B., van den Herik, H.J., Loiseau, S., Filipe, J. (eds.) ICAART 2014 - Proceedings of the 6th International Conference on Agents and Artificial Intelligence, vol. 1, ESEO, Angers, Loire Valley, France, 6–8 March, 2014, pp. 63–73. SciTePress (2014). doi:10.5220/0004758100630073

  26. Hunsberger, L., Posenato, R., Combi, C.: The dynamic controllability of conditional STNs with uncertainty. In: Proceedings of the Workshop on Planning and Plan Execution for Real-World Systems: Principles and Practices (PlanEx) at ICAPS-2012, pp. 1–8 (2012). arXiv:1212.2005

  27. Kleene, S.: Mathematical Logic. Wiley, Hoboken (1967)

  28. Lanz, A., Posenato, R., Combi, C., Reichert, M.: Controllability of time-aware processes at run time. In: Meersman, R., Panetto, H., Dillon, T.S., Eder, J., Bellahsene, Z., Ritter, N., Leenheer, P.D., Dou, D. (eds.) On the Move to Meaningful Internet Systems: OTM 2013 Conferences—Confederated International Conferences: CoopIS, DOA-Trusted Cloud, and ODBASE 2013, Graz, Austria, September 9–13, 2013. Proceedings, Lecture Notes in Computer Science, vol. 8185, pp. 39–56. Springer (2013). doi:10.1007/978-3-642-41030-7_4

  29. Lanz, A., Posenato, R., Combi, C., Reichert, M.: Simple temporal networks with partially shrinkable uncertainty. In: Loiseau, S., Filipe, J., Duval, B., van den Herik, H.J. (eds.) ICAART 2015—Proceedings of the International Conference on Agents and Artificial Intelligence, vol. 2, Lisbon, Portugal, 10–12 January, 2015, pp. 370–381. SciTePress (2015)

  30. Lanz, A., Weber, B., Reichert, M.: Workflow time patterns for process-aware information systems. In: Mylopoulos, J., Sadeh, N.M., Shaw, M.J., Szyperski, C., Bider, I., Halpin, T., Krogstie, J., Nurcan, S., Proper, E., Schmidt, R., Ukor, R. (eds.) Enterprise, Business-Process and Information Systems Modeling 11th International Workshop, BPMDS 2010, and 15th International Conference, EMMSAD 2010, pp. 94–107. Springer, Berlin (2010)

  31. Lewis, H.R., Papadimitriou, C.H.: Elements of the Theory of Computation, 2nd edn. Prentice-Hall Inc, Upper Saddle River (1998)

  32. Maler, O., Pnueli, A., Sifakis, J.: On the synthesis of discrete controllers for timed systems. In: STACS, pp. 229–242 (1995)

  33. Morris, P.: A structural characterization of temporal dynamic controllability. In: Principles and Practice of Constraint Programming (CP-2006), Lecture Notes in Computer Science, vol. 4204, pp. 375–389. Springer (2006)

  34. Morris, P.: Dynamic controllability and dispatchability relationships. In: Simonis, H. (ed.) Integration of AI and OR Techniques in Constraint Programming—11th International Conference (CPAIOR-2014), Lecture Notes in Computer Science, vol. 8451, pp. 464–479. Springer (2014)

  35. Morris, P., Muscettola, N., Vidal, T.: Dynamic control of plans with temporal uncertainty. In: Nebel, B. (ed.) Proceedings of the 17th International Joint Conference on Artificial Intelligence (IJCAI-2001), pp. 494–499. Morgan Kaufmann (2001)

  36. Morris, P.H., Muscettola, N.: Temporal dynamic controllability revisited. In: AAAI, pp. 1193–1198 (2005)

  37. Orlandini, A., Finzi, A., Cesta, A., Fratini, S.: TGA-based controllers for flexible plan execution. In: KI, no. 7006 in LNAI, pp. 233–245. Springer (2011)

  38. Peintner, B., Venable, K.B., Yorke-Smith, N.: Strong controllability of disjunctive temporal problems with uncertainty. In: Principles and Practice of Constraint Programming (CP-2007), pp. 856–863 (2007)

  39. Rossi, F., Venable, K.B., Yorke-Smith, N.: Uncertainty in soft temporal constraint problems: a general framework and controllability algorithms for the fuzzy case. J. Artif. Intell. Res. 27, 617–674 (2006)

  40. Tsamardinos, I., Pollack, M.E.: Efficient solution techniques for disjunctive temporal reasoning problems. Artif. Intell. 151, 43–89 (2003)

  41. Tsamardinos, I., Vidal, T., Pollack, M.: CTP: a new constraint-based formalism for conditional, temporal planning. Constraints 8(4), 365–388 (2003)

  42. Venable, K.B., Volpato, M., Peintner, B., Yorke-Smith, N.: Weak and dynamic controllability of temporal problems with disjunctions and uncertainty. In: Proceedings of the Workshop on Constraint Satisfaction Techniques for Planning and Scheduling Problems (COPLAS-2010) in ICAPS-2010, pp. 50–59 (2010)

  43. Venable, K.B., Yorke-Smith, N.: Disjunctive temporal planning with uncertainty. In: Proceedings of the 19th International Joint Conference on Artificial Intelligence (IJCAI-2005), pp. 1721–1722 (2005)

  44. Vidal, T.: Controllability characterization and checking in contingent temporal constraint networks. In: KR, pp. 559–570 (2000)

  45. Vidal, T., Fargier, H.: Contingent durations in temporal CSPs: from consistency to controllabilities. In: Proceedings of the 4th International Symposium on Temporal Representation and Reasoning (TIME-1997) (1997)

  46. Vidal, T., Fargier, H.: Handling contingency in temporal constraint networks: from consistency to controllabilities. J. Exp. Theor. Artif. Intell. 11(1), 23–45 (1999)

  47. Vidal, T., Ghallab, M.: Temporal constraints in planning: free or not free? In: Proceedings of the International Workshop on Constraint-Based Reasoning (CONSTRAINT-1995) in FLAIRS-1995 (1995)

  48. Vidal, T., Ghallab, M.: Dealing with uncertain durations in temporal constraint networks dedicated to planning. In: Wahlster, W. (ed.) Proceedings of the 12th European Conference on Artificial Intelligence (ECAI-1996), pp. 48–54. Wiley, Chichester (1996)

Author information

Corresponding author

Correspondence to Andrea Micheli.

Additional information

This paper is an extended version of two earlier papers [9, 10].

Appendices

Appendix 1: The semantics of dynamic controllability for STNUs

Although the intuitive description of the execution semantics for STNUs given in Sect. 3.1 makes reference to both the agent and the environment, formal treatments of the execution semantics have so far only defined execution strategies for the agent; strategies available to the environment have only been implicitly determined by the sets of possible outcomes of the agent’s decisions [22, 35]. Thus, the semantics of dynamic controllability for STNUs has effectively described a one-player game where the outcomes of the agent’s decisions are non-deterministic. This appendix introduces a novel formulation of the execution semantics for STNUs as a two-player game between Agnes (the agent) and Vera (the environment), where Agnes controls the execution of free time-points and Vera controls the contingent durations. Agnes seeks an execution strategy that will ensure the satisfaction of all constraints in \(\mathcal {C} \) no matter what durations Vera chooses; Vera seeks a strategy that will ensure that at least one constraint in \(\mathcal {C} \) is unsatisfied no matter what Agnes does. As will be seen, this formulation highlights an important asymmetry in the execution semantics: Agnes is not able to react instantaneously to observations of contingent time-points executing, but Vera is able to react instantaneously to executions of free time-points.

Previous semantics for the dynamic controllability of STNUs

The literature contains two equivalent versions of the semantics of dynamic controllability of STNUs [22, 35]. This section summarizes the version presented by Hunsberger [22], which is expressed in terms of real-time execution decisions (RTEDs). For convenience, the following description presumes an agent named Agnes.

To begin, a partial schedule represents the current state of affairs from the agent’s perspective—namely, the time-points that have been executed so far.

Definition 9

(Partial Schedule [22]) A partial schedule for an STNU, \((\mathcal {T}, \mathcal {C}, \mathcal {L})\), is a set, \(\psi \), of assignments to time-points in \(\mathcal {T} \).

  • \(\textit{TPs}(\psi ) \subset \mathcal {T} \) denotes the set of time-points appearing in \(\psi \);

  • \(\textit{Vals}(\psi )\) denotes the set of values appearing in \(\psi \);

  • for any \(X \in \textit{TPs}(\psi ), \ \psi (X)\) denotes the value assigned to X; and

  • \(\mathtt {now}_\psi = \max \{v ~|~ v\in \textit{Vals}(\psi )\}\) is the time of the latest execution event in \(\psi \). (If \(\psi = \emptyset \), let \(\mathtt {now}_\psi = -\infty \).)

Time-points in \(\textit{TPs}(\psi )\) are said to be executed. A partial schedule is called respectful if its assignments do not violate the bounds on any contingent link.

Intuitively, a partial schedule \(\psi \) assigns a real value to a subset of the time-points in the network, and represents an execution history: the (free or uncontrollable) time-points in \(\psi \) are the ones that have already been executed, and the assigned values are the times at which they were executed. The time-points that are not in \(\psi \) are the ones that have not yet been executed.

Given a partial schedule \(\psi \), Agnes must decide what to do next. She has two options: (1) wait for something to happen (i.e., wait for some contingent time-point to execute); or (2) conditionally commit to executing a set of free time-points at some time, \(T_f > \mathtt {now}_\psi \). For example, given \(\psi = \{(A_2,0), (X,1)\}\), for which \(\mathtt {now}_\psi = 1\), Agnes could decide to wait until the contingent time-point \(C_2\) eventually executes. Alternatively, she could decide that “if nothing happens before time 7, I shall execute \(A_1\) at time 7.” The decisions available to Agnes are called real-time execution decisions (RTEDs).

Definition 10

(RTED, for Agnes [22]) Let \(\psi \) be a respectful partial schedule. An RTED for Agnes has one of two forms: \(\mathtt {wait}\) or \((T_f,\chi _f)\). A \(\mathtt {wait}\) decision is applicable if at least one contingent time-point, C, is active in \(\psi \) (i.e., C’s activation time-point has already been executed, but C has not). A \((T_f, \chi _f)\) decision (i.e., “If nothing happens before time \(T_f\), execute the time-points in \(\chi _f\) at time \(T_f\)”) is applicable if \(T_f > \mathtt {now}_\psi \) and \(\chi _f\) is a non-empty subset of unexecuted free time-points (i.e., \(\chi _f \ne \emptyset \) and \(\chi _f \cap \textit{TPs}(\psi ) = \emptyset \)).

Given a partial schedule \(\psi \) and some RTED \(\varDelta \), the outcome of the decision \(\varDelta \) typically depends on the range of possible durations for one or more contingent links, as follows.

Definition 11

(Situations [35]) Let \(\mathcal {L} = \{(A_1,\ell _1,u_1,C_1), \ldots , (A_k,\ell _k,u_k,C_k)\}\) be the set of contingent links in a given STNU \(\mathcal {S} \). Then the space of situations for \(\mathcal {S} \) is the set, \(\varOmega = [\ell _1,u_1] \times [\ell _2,u_2] \times \ldots \times [\ell _k,u_k]\); and any \(\omega = (\omega _1,\omega _2,\ldots ,\omega _k) \in \varOmega \) is called a situation. A situation \(\omega \) is respected by a partial schedule \(\psi \) if the durations specified in \(\omega \) are consistent with not only the execution times in \(\psi \), but also the constraint that all time-points that are unexecuted in \(\psi \) must occur after \(\mathtt {now}_\psi \) [22].

Note that if \(\psi \) is a partial schedule that respects a situation \(\omega \), and \(A_i \in \textit{TPs}(\psi )\), but its corresponding contingent time-point \(C_i \not \in \textit{TPs}(\psi )\) (i.e., \(C_i\) is active in \(\psi \)), then it follows that \(\mathtt {now}_\psi < \psi (A_i) + \omega _i\), since \(C_i\) must be executed after \(\mathtt {now}_\psi \).

Definition 12

(Outcome of a \(\mathtt {wait}\) decision [22]) Let \(\psi \) be a partial schedule for which at least one contingent time-point is active, and let \(\omega \) be a situation that is respected by \(\psi \). The outcome of the \(\mathtt {wait}\) decision in that context depends on: (1) \(\textit{tnc}(\psi ,\omega )\), the time of the next contingent execution according to \(\psi \) and \(\omega \); and (2) \(\chi ^*(\psi ,\omega )\), the set of contingent time-points that will execute next (i.e., at the time \(\textit{tnc}(\psi ,\omega )\)). In particular:

$$\begin{aligned} \textit{tnc}(\psi ,\omega )= & {} \min \{\psi (A_i) + \omega _i~|~A_i \in \textit{TPs}(\psi ), C_i \not \in \textit{TPs}(\psi )\};\hbox { and} \\ \chi ^*(\psi ,\omega )= & {} \{C_i~|~A_i\in \textit{TPs}(\psi ), C_i\not \in \textit{TPs}(\psi ), \psi (A_i) + \omega _i = \textit{tnc}(\psi ,\omega )\}. \end{aligned}$$

The outcome of the \(\mathtt {wait}\) decision is notated \(\mathcal {O}(\psi ,\omega ,\mathtt {wait})\) and is given by:

$$\begin{aligned} \mathcal {O}(\psi ,\omega ,\mathtt {wait}) \ = \ \psi \ \cup \ \{(C_i,\textit{tnc}(\psi ,\omega ))~|~C_i \in \chi ^*(\psi ,\omega )\} \end{aligned}$$

Definition 13

(Outcome of a \((T_f,\chi _f)\) Decision [22]) Let \(\psi \) be a partial schedule for which at least one free time-point is unexecuted, and let \(\omega \) be a situation that is respected by \(\psi \). For convenience, let \(t = \textit{tnc}(\psi ,\omega )\) (or \(t = \infty \) if no contingent time-points are active in \(\psi \)), and let \(\chi ^* = \chi ^*(\psi ,\omega )\). The outcome of a \((T_f,\chi _f)\) decision in that context, notated \(\mathcal {O}(\psi ,\omega ,(T_f,\chi _f))\), depends on the relationship between t and \(T_f\). In particular:

$$\begin{aligned} \mathcal {O}(\psi ,\omega ,(T_f,\chi _f)) \ = \ \psi \ \cup \ \left\{ \begin{array}{ll} \{(C_i,t)~|~C_i \in \chi ^*\}, &{}\quad \mathrm {if}~t<T_f\\ \{(X,t)~|~X \in \chi _f\}, &{}\quad \mathrm {if}~T_f<t\\ \{(Y,t)~|~Y \in \chi _f \cup \chi ^*\}, &{} \quad \mathrm {if}~T_f = t \end{array}\right. \end{aligned}$$

In the first case, some contingent time-points happened to execute before the time \(T_f\) arrived; in the second case, only the time-points in \(\chi _f\) were executed; in the third case, rarely expected in practice, some contingent time-points happened to execute precisely at the time \(T_f\) and, thus, both contingent and free time-points were executed simultaneously.

Definition 14

(RTED-based Strategy [22]) An RTED-based strategy for an STNU \(\mathcal {S}\) is a mapping R from respectful partial schedules to real-time execution decisions. Thus, if \(\psi \) is a respectful partial schedule, then \(R(\psi )\) is an RTED.

Lemma 1

If R is an RTED-based strategy for an STNU \(\mathcal {S}\), and \(\omega \) is any situation, then R and \(\omega \) together determine a unique (complete) schedule, notated \(\psi (R,\omega )\), that results from following the strategy R in the situation \(\omega \) [22].

Definition 15

(Dynamic Controllability for an STNU) An STNU \(\mathcal {S}= (\mathcal {T},\mathcal {C},\mathcal {L})\) is dynamically controllable if there exists an RTED-based strategy R for \(\mathcal {S}\) such that for each situation \(\omega \), the complete schedule \(\psi (R,\omega )\) that results from following the strategy R satisfies all of the constraints in \(\mathcal {C}\).
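The following is an added example, not code from the paper: it implements the situation-based outcome semantics of Definitions 12 and 13, the fixed-point of Lemma 1, and the check of Definition 15 on a small constructed STNU (free A and X, contingent link (A, 2, 5, C), constraint 1 ≤ X − C ≤ 3; all names and bounds are constructed for illustration, not the paper's Fig. 3).

```python
from math import inf

# Constructed STNU for this example (not the paper's Fig. 3):
#   free time-points A and X; one contingent link (A, 2, 5, C);
#   constraints (Y, X, lo, hi) meaning lo <= Y - X <= hi.
LINKS = [("A", 2, 5, "C")]
CONSTRAINTS = [("X", "C", 1, 3), ("X", "A", 0, 8)]
FREE = {"A", "X"}

def now(psi):
    """now_psi: time of the latest execution event (-inf for the empty schedule)."""
    return max(psi.values()) if psi else -inf

def active(psi):
    """(index, A_i, C_i) for links whose A_i is executed in psi but C_i is not."""
    return [(i, a, c) for i, (a, _, _, c) in enumerate(LINKS) if a in psi and c not in psi]

def respects(psi, omega):
    """omega is respected by psi: executed contingent durations agree with omega,
    and every active contingent point would still execute strictly after now_psi."""
    for i, (a, _, _, c) in enumerate(LINKS):
        if a in psi and c in psi and psi[c] - psi[a] != omega[i]:
            return False
        if a in psi and c not in psi and psi[a] + omega[i] <= now(psi):
            return False
    return True

def tnc(psi, omega):
    """Time of the next contingent execution (Def. 12); inf when nothing is active."""
    return min((psi[a] + omega[i] for i, a, _ in active(psi)), default=inf)

def chi_star(psi, omega):
    """Contingent time-points that execute at tnc(psi, omega)."""
    t = tnc(psi, omega)
    return {c for i, a, c in active(psi) if psi[a] + omega[i] == t}

def outcome(psi, omega, decision):
    """O(psi, omega, decision) for a wait decision (Def. 12) or a (T_f, chi_f) decision (Def. 13)."""
    assert respects(psi, omega), "situation must be respected by the partial schedule"
    t, cs = tnc(psi, omega), chi_star(psi, omega)
    if decision == "wait":
        assert active(psi), "wait is applicable only if some contingent point is active"
        return {**psi, **{c: t for c in cs}}
    T_f, chi_f = decision
    assert T_f > now(psi) and chi_f and chi_f <= FREE - set(psi), "RTED not applicable"
    if t < T_f:                      # a contingent point fired before T_f
        return {**psi, **{c: t for c in cs}}
    if T_f < t:                      # nothing happened: Agnes executes chi_f
        return {**psi, **{x: T_f for x in chi_f}}
    return {**psi, **{y: t for y in chi_f | cs}}   # simultaneous (rare) case

def strategy(psi):
    """An RTED-based strategy R (Def. 14): execute A at 0, wait for C, then X one unit later."""
    if "A" not in psi:
        return (0, {"A"})
    if "C" not in psi:
        return "wait"
    return (psi["C"] + 1, {"X"})

def run(R, omega):
    """Lemma 1: R and omega together determine a unique complete schedule psi(R, omega)."""
    psi = {}
    while len(psi) < len(FREE) + len(LINKS):
        psi = outcome(psi, omega, R(psi))
    return psi

def satisfies(psi):
    """Does a complete schedule satisfy every constraint in C (Def. 15)?"""
    return all(lo <= psi[y] - psi[x] <= hi for y, x, lo, hi in CONSTRAINTS)

if __name__ == "__main__":
    for omega in [(2,), (3.5,), (5,)]:
        psi = run(strategy, omega)
        print(omega, psi, satisfies(psi))
```

Because the strategy only commits to X after observing C, the resulting schedule satisfies the constraints for every situation in [2, 5]; a fixed choice such as "X at 3" would not.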

Dynamic controllability for STNUs as a two-player game

This section provides an alternative characterization of the semantics of dynamic controllability for STNUs by explicitly representing the decisions available to the environment. For convenience, the environment is represented by an agent Vera. In any given context, a pair of decisions—one by Agnes and one by Vera—together determine a unique outcome.

The kinds of decisions available to Vera are different from those available to Agnes in two important respects. First, Vera’s version of an RTED—called an RTED\(^\star \)—allows a decision of the form, “if nothing happens before or at time \(T_u\), then I shall execute the contingent time-points in the set \(\chi _u \subseteq \mathcal {T} _u\) at time \(T_u\).” Note that when time \(T_u\) arrives, should Vera observe Agnes executing any time-points at time \(T_u\), Vera has the option of instantaneously changing her mind. Second, in such cases, Vera may instantaneously react by executing some other contingent time-points at time \(T_u\). Such decisions are called instantaneous reactions. For example, suppose Vera had decided that “if nothing happens before or at time 7, then I shall execute \(C_2\) at time 7”, but when time 7 arrived, she observed Agnes executing some time-point(s). Vera could withdraw her decision to execute \(C_2\) and instantaneously react by deciding to execute some other contingent time-point(s) at time 7.

Definition 16

(RTED\(^\star \), for Vera) Let \(\psi \) be a respectful partial schedule. A before-or-at RTED (RTED\(^\star \)) has one of two forms: \(\mathtt {wait}\) or \((T_u,\chi _u)\). A \(\mathtt {wait}\) decision is only applicable if no contingent time-points are currently active in \(\psi \). A \((T_u,\chi _u)\) decision (i.e., “If nothing happens before-or-at time \(T_u\), I shall execute the time-points in \(\chi _u\) at time \(T_u\)”) is applicable only if \(T_u > \mathtt {now}_\psi \), and \(\chi _u\) is a non-empty subset of currently-activated contingent time-points each of whose execution window includes \(T_u\); and all other contingent time-points that are unexecuted in \(\psi \) are either unactivated in \(\psi \) or have execution windows that extend beyond \(T_u\).

Definition 17

(Instantaneous reaction, for Vera) Let \(\psi \) be a respectful partial schedule. Let \(\chi ^\circ \) be the set of contingent time-points that are currently active in \(\psi \) whose execution windows happen to terminate precisely at \(\mathtt {now}_\psi \); and let \(\chi ^\star \) be any (possibly empty) subset of the contingent time-points that are currently active in \(\psi \) whose execution windows include \(\mathtt {now}_\psi \), but also extend beyond \(\mathtt {now}_\psi \). An instantaneous reaction is a decision (by Vera) to execute the contingent time-points in the set \(\chi ^\circ \cup \chi ^\star \) at the time \(\mathtt {now}_\psi \).

To accommodate Vera’s ability to react instantaneously, the outcome for a pair of decisions—one by Agnes, one by Vera—is defined in two stages: partial and full.

Definition 18

(Partial Outcome) Let \(\psi \) be a respectful partial schedule; let \(\varDelta _f\) be an RTED for Agnes; and let \(\varDelta _u\) be an RTED\(^\star \) for Vera. The partial outcome, \(\mathcal {O} _p(\psi ,\varDelta _f, \varDelta _u)\), is defined as follows (see Note 9).

  • (1a) \(\mathcal {O} _p(\psi ,\mathtt {wait},(T_u,\chi _u)) = \psi \cup \{(C,T_u)~|~C \in \chi _u\}\).

  • (1b) \(\mathcal {O} _p(\psi ,(T_f,\chi _f),(T_u,\chi _u))= \psi \cup \{(C,T_u)~|~C \in \chi _u\}\), if \(T_u < T_f\).

  • (2a) \(\mathcal {O} _p(\psi ,(T_f,\chi _f),\mathtt {wait}) = \psi \cup \{ (X,T_f)~|~X \in \chi _f\}\).

  • (2b) \(\mathcal {O} _p(\psi ,(T_f,\chi _f),(T_u,\chi _u))= \psi \cup \{ (X,T_f)~|~X \in \chi _f\}\), if \(T_f \le T_u\).

Note that in cases (1a) and (1b), the partial outcome includes only the execution of the contingent time-points in \(\chi _u\) at time \(T_u\). Cases (2a) and (2b) are analogous, in that the partial outcome includes only the execution of the free time-points in \(\chi _f\) at time \(T_f\), except that Vera is also able to instantaneously react by executing one or more contingent time-points, also at time \(T_f\), as described below.

Definition 19

(Full Outcome) Let \(\psi _p = \mathcal {O} _p(\psi ,\varDelta _f,\varDelta _u)\) be a partial outcome, as described above; and let \(\varUpsilon _u\) be a set of contingent time-points that constitute an instantaneous reaction to \(\psi _p\). The full outcome, \(\mathcal {O} (\psi ,\varDelta _f,\varDelta _u,\varUpsilon _u)\), is the same as \(\psi _p\), except that in cases (2a) and (2b), the schedule is augmented to include the execution of the time-points in \(\varUpsilon _u\) at time \(T_f\).

Fig. 20 Deriving the outcome \(\psi ^\prime \) of decisions by Agnes and Vera from the partial schedule \(\psi \)

Figure 20 illustrates the possible pathways from a partial schedule \(\psi \) to the full outcome \(\psi ^\prime = \mathcal {O} (\psi ,\varDelta _f,\varDelta _u,\varUpsilon _u)\). Note that \(\mathtt {now}_{\psi ^\prime }\) is either \(T_f\) or \(T_u\), depending on which pathway is taken. Note, too, that the full outcome, \(\psi ^\prime \), is typically a partial schedule, except at the very end when all of the time-points have been executed. Table 1 shows the outcomes that result from sample decisions by Agnes and Vera in the case of the STNU from Fig. 3. In each case, \(\psi ^\prime = \mathcal {O} (\psi ,\varDelta _f, \varDelta _u, \varUpsilon _u)\).

Table 1 The outcomes \(\psi ^\prime \) for sample decisions by Agnes and Vera for the STNU from Fig. 3

Definition 20

(RTED\(^\star \)-based Strategy for Vera) An RTED\(^\star \)-based strategy (for Vera) is a pair of mappings, \((f_1, f_2)\), where \(f_1\) is a mapping from respectful partial schedules to RTED\(^\star \)s; and \(f_2\) is a mapping from respectful partial schedules to instantaneous reactions.

Definition 21

(Outcomes of Strategy Pairs) Let \(\psi \) be a respectful partial schedule; R an RTED-based strategy; and \(R^\star = (f_1,f_2)\) an RTED\(^\star \)-based strategy. The one-step outcome, \(\mathcal {O} ^1(\psi ,R,R^\star )\), is defined by:

$$\begin{aligned} \mathcal {O} ^1(\psi ,R,R^\star ) = \mathcal {O} (\psi ,R(\psi ),f_1(\psi ),f_2(\mathcal {O} _p(\psi ,R(\psi ),f_1(\psi )))). \end{aligned}$$

The terminal outcome, \(\mathcal {O} ^*(R,R^\star )\), is the complete schedule that results from the following recursive definition: \(\psi _0 = \emptyset \) and \(\psi _{i+1} = \mathcal {O} ^1(\psi _i,R,R^\star )\).

The constraints on the decisions generated by \(R^\star \)—namely, that Vera must observe the bounds on the contingent durations—ensure that each \(\psi _i\) in the sequence will be respectful, given that \(\psi _0 = \emptyset \) is trivially respectful.

Given the above execution semantics for STNUs, the corresponding definition of dynamic controllability is straightforward.

Definition 22

(Dynamic Controllability) An STNU, \((\mathcal {T},\mathcal {C},\mathcal {L})\), is dynamically controllable if there exists an RTED-based strategy R, such that for all RTED\(^\star \)-based strategies \(R^\star \), the variable assignments in the complete schedule, \(\mathcal {O} ^*(R, R^\star )\), satisfy all of the constraints in \(\mathcal {C} \).
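The following is an added example, not code from the paper: it implements the two-player semantics of Definitions 16 to 21 (Vera's RTED\(^\star \) applicability, the four partial-outcome cases, the instantaneous reaction, and the terminal outcome) on the same constructed STNU as above (free A and X, contingent link (A, 2, 5, C), constraint 1 ≤ X − C ≤ 3). The two Agnes strategies and the adversarial Vera strategy are constructed for illustration; the hasty strategy loses precisely because of the asymmetry the appendix describes, Vera reacting at the instant Agnes executes X.

```python
from math import inf

# Constructed STNU for this example (not the paper's Fig. 3):
#   free A and X; one contingent link (A, 2, 5, C); constraint 1 <= X - C <= 3.
LINKS = [("A", 2, 5, "C")]
CONSTRAINTS = [("X", "C", 1, 3)]
FREE = {"A", "X"}
N_POINTS = len(FREE) + len(LINKS)

def now(psi):
    return max(psi.values()) if psi else -inf

def windows(psi):
    """Execution window [psi(A)+l, psi(A)+u] of each contingent point active in psi."""
    return {c: (psi[a] + lo, psi[a] + hi) for a, lo, hi, c in LINKS if a in psi and c not in psi}

def applicable(psi, d_f):
    """Applicability of Agnes's RTED (Def. 10)."""
    if d_f == "wait":
        return bool(windows(psi))
    T_f, chi_f = d_f
    return bool(T_f > now(psi) and chi_f and chi_f <= FREE - set(psi))

def applicable_star(psi, d_u):
    """Applicability of Vera's RTED* (Def. 16)."""
    win = windows(psi)
    if d_u == "wait":
        return not win
    T_u, chi_u = d_u
    return bool(T_u > now(psi) and chi_u and chi_u <= set(win)
                and all(win[c][0] <= T_u <= win[c][1] for c in chi_u)
                and all(hi > T_u for c, (_, hi) in win.items() if c not in chi_u))

def partial_outcome(psi, d_f, d_u):
    """Def. 18. Returns (psi_p, agnes_moved): cases (1a)/(1b) execute Vera's chi_u at T_u;
    cases (2a)/(2b) execute Agnes's chi_f at T_f and leave Vera free to react."""
    assert applicable(psi, d_f) and applicable_star(psi, d_u)
    assert not (d_f == "wait" and d_u == "wait")          # Note 9: never both applicable
    if d_f == "wait" or (d_u != "wait" and d_u[0] < d_f[0]):   # (1a), (1b)
        T_u, chi_u = d_u
        return {**psi, **{c: T_u for c in chi_u}}, False
    T_f, chi_f = d_f                                           # (2a), (2b): T_f <= T_u
    return {**psi, **{x: T_f for x in chi_f}}, True

def full_outcome(psi, d_f, d_u, react):
    """Def. 19: after Agnes moves, add Vera's instantaneous reaction (Def. 17) at now_psi_p."""
    psi_p, agnes_moved = partial_outcome(psi, d_f, d_u)
    if not agnes_moved:
        return psi_p
    t, win = now(psi_p), windows(psi_p)
    forced = {c for c, (_, hi) in win.items() if hi == t}                       # chi°
    chosen = {c for c in react(psi_p) if c in win and win[c][0] <= t < win[c][1]}  # chi*
    return {**psi_p, **{c: t for c in forced | chosen}}

def terminal_outcome(R, f1, f2):
    """Def. 21: iterate the one-step outcome from the empty schedule to a complete one."""
    psi = {}
    while len(psi) < N_POINTS:
        psi = full_outcome(psi, R(psi), f1(psi), f2)
    return psi

def satisfies(psi):
    return all(lo <= psi[y] - psi[x] <= hi for y, x, lo, hi in CONSTRAINTS)

# Vera's strategy (f1, f2): let the earliest-ending window run out, and react to any
# move by Agnes by executing every active point whose window allows it right now.
def vera_f1(psi):
    win = windows(psi)
    if not win:
        return "wait"
    T_u = min(hi for _, hi in win.values())
    return T_u, {c for c, (lo, _) in win.items() if lo <= T_u}

def vera_f2(psi_p):
    return set(windows(psi_p))

def agnes_patient(psi):
    """Waits for C, then executes X one unit later: Vera cannot break a constraint."""
    if "A" not in psi:
        return (0, {"A"})
    return "wait" if "C" not in psi else (psi["C"] + 1, {"X"})

def agnes_hasty(psi):
    """Executes X at time 3 unless C has fired: Vera reacts instantaneously at 3 and wins."""
    if "A" not in psi:
        return (0, {"A"})
    return (3, {"X"}) if "C" not in psi else (psi["C"] + 1, {"X"})

if __name__ == "__main__":
    for R in (agnes_patient, agnes_hasty):
        psi = terminal_outcome(R, vera_f1, vera_f2)
        print(R.__name__, psi, satisfies(psi))
```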

Theorem 1

Definition 22 is equivalent to the prior definition of dynamic controllability (Definition 15).

Proof

Let \(\mathcal {S}= (\mathcal {T}, \mathcal {C}, \mathcal {L})\) be any STNU. First, suppose that \(\mathcal {S}\) is dynamically controllable according to the RTED-based semantics. Then there exists an RTED-based execution strategy R such that for any situation \(\omega \), the full schedule that results from following R in \(\omega \) satisfies all of the constraints in \(\mathcal {C}\). Let that strategy R be the one chosen by Agnes in the two-player game semantics. Let \(R^* = (f_1,f_2)\) be any strategy for Vera. It will be shown that the terminal outcome \(\mathcal {O}^*(R, R^*)\) that results from Agnes and Vera playing these two strategies against each other necessarily satisfies the constraints in \(\mathcal {C}\). In particular, it will be shown by induction that each (partial or full) schedule obtained at any point during the execution phase by following R and \(R^*\) according to the two-player game semantics can also be obtained by following R in some situation in the RTED-based semantics.

  • Base Case. Let \(\psi _0\) be the empty partial schedule. This is the starting partial schedule in either semantics.

  • Recursive Case. Let \(\psi \) be any partial schedule obtained by following R and \(R^*\) in the two-player game semantics. There are three sub-cases to consider.

    • \(R(\psi ) = \mathtt {wait}\); \(R^*(\psi ) = (T_u,\chi _u)\). In this case, the partial outcome involves the execution of the contingent time-points in \(\chi _u\) at the time \(T_u\). Since the applicability conditions for Vera’s RTED\(^*\) decision require the execution times for contingent time-points to respect the lower and upper bounds on the corresponding contingent links, the resulting partial outcome is a partial schedule obtainable from any situation \(\omega \) that is respected by \(\psi \) and includes the durations specified by the contingent time-points in \(\chi _u\).

    • \(R(\psi ) = (T_f,\chi _f)\); \(R^*(\psi ) = (T_u, \chi _u)\), where \(T_u < T_f\). This case is essentially the same as the first case, since \(T_u < T_f\).

    • \(R(\psi ) = (T_f,\chi _f)\); \(R^*(\psi ) = \mathtt {wait}\). In this case, the partial outcome involves the execution of the executable time-points in \(\chi _f\). Since Vera can only use the \(\mathtt {wait}\) decision when the partial schedule \(\psi \) does not contain any currently active contingent links, this must be the outcome in the RTED-based semantics, too. There can be no instantaneous reaction by Vera in this case.

    • \(R(\psi ) = (T_f,\chi _f)\); \(R^*(\psi ) = (T_u,\chi _u)\), where \(T_f \le T_u\). This case is the same as the preceding case except that Vera may choose to react instantaneously (i.e., \(f_2(\psi )\) may not be empty). The applicability conditions of instantaneous reactions require the contingent time-points in \(f_2(\psi )\) to be currently active in \(\psi \), and such that their execution windows include the time \(\mathtt {now}_\psi \). In addition, any contingent time-points that happen to have their execution window terminate precisely at \(\mathtt {now}_\psi \) must be included in \(f_2(\psi )\). Thus, the full outcome is the same as in the preceding case except that some contingent time-points may also execute at the time \(T_f\). Again, this corresponds to any situation \(\omega \) that is respected by \(\psi \), while also respecting the contingent durations determined by the execution of the contingent time-points in \(f_2(\psi )\).

For the other direction, suppose that \(\mathcal {S}\) is not dynamically controllable according to the RTED-based semantics. In other words, for any RTED-based strategy R, there is a situation \(\omega _R\) such that the outcome \(\mathcal {O}^*(R,\omega _R)\) that results from following the strategy R in the situation \(\omega _R\) does not satisfy the constraints in \(\mathcal {C}\). (Any situation with this property will be said to thwart the strategy R.) It will be shown that there must be a strategy \(R^* = (f_1,f_2)\) for Vera that will ensure that Agnes loses the two-player game. The proof is by induction. The proposition to prove is the following:

  • Let \(\psi \) be any partial schedule that can be reached by following any RTED-based strategy R in any thwarting situation \(\omega _R\), according to the RTED-based semantics. Then there is an RTED\(^*\) decision \(\varDelta _u\) (that depends only on \(\psi \), not on R) and an instantaneous reaction \(\varUpsilon _u\) for Vera such that the full outcome obtained from \(R(\psi ), \varDelta _u\) and \(\varUpsilon _u\) according to the two-player game semantics is a schedule that is identical to one obtained by following R in some thwarting situation \(\omega _R\).

Let \(\psi \) be a partial schedule that can be reached by following some RTED-based execution strategy R in some thwarting situation \(\omega _R\), according to the RTED-based semantics. Now, if no contingent time-points are currently active in \(\psi \), then Agnes must choose a \((T_f,\chi _f)\) decision, and Vera must choose the \(\mathtt {wait}\) decision. But in that case, the outcome is fully determined: the time-points in \(\chi _f\) will be executed at time \(T_f\). Furthermore, the outcome is the same whether using the RTED-based semantics or the two-player game semantics.

On the other hand, suppose that at least one contingent time-point is currently active in \(\psi \). Let \(\varTheta _\psi \) be the set of RTED-based execution strategies for Agnes that can generate the partial schedule \(\psi \) at some point during the execution of the network, if followed in some thwarting situation. For each \(t > \mathtt {now}_\psi \), let \(\varTheta (t)\) be the subset of \(\varTheta _\psi \) that contains all strategies \(\theta \) whose decisions, \(\theta (\psi )\), specify execution times greater than t. Now, for any strategy \(\theta \in \varTheta (t)\), there must be a situation \(\omega _\theta \) that thwarts \(\theta \); however, that situation may involve the execution of contingent time-point(s) at some time before t (i.e., at some time \(\rho \), where \(\mathtt {now}_\psi < \rho < t\)). Of particular interest are the values of \(t > \mathtt {now}_\psi \) for which all of the strategies in \(\varTheta (t)\) can be thwarted by situations that do not involve executing any contingent time-points before time t. In particular, let \(\varGamma \) be the set of real numbers \(t > \mathtt {now}_\psi \) for which every strategy \(\theta \in \varTheta (t)\) can be thwarted by a situation that is consistent with no new contingent executions occurring before time t (i.e., at any time \(\rho \) such that \(\mathtt {now}_\psi < \rho < t\)).

Now, suppose that \(\varGamma = \emptyset \). Let Agnes adopt the following strategy: wait until some contingent time-point happens to execute. Let \(t>\mathtt {now}_\psi \) be the time of that next contingent execution. Since \(t \not \in \varGamma \), there must be some strategy, \(\theta \in \varTheta (t)\), that could only be thwarted by situations that involve the execution of contingent time-points before time t. Since no contingent time-points executed before time t, that strategy is not thwarted by the current situation and, thus, is a winning strategy for Agnes, which is a contradiction. Thus, \(\varGamma \ne \emptyset \).

Next, let \(T_u = \mathrm {inf}\{t~|~t>\mathtt {now}_\psi ~\mathrm {and}~t \not \in \varGamma \}\). Now, \(T_u\) is well defined since \(\varGamma \) is non-empty and bounded below by \(\mathtt {now}_\psi \). Consider the possibility that \(T_u = \mathtt {now}_\psi \). This implies that for any time \(t > \mathtt {now}_\psi \), there is a time \(t^\prime \in (\mathtt {now}_\psi ,t)\) such that \(t^\prime \not \in \varGamma \). But then a similar argument as that used to show that \(\varGamma \) is not empty can be used to show that \(T_u\) cannot equal \(\mathtt {now}_\psi \). In this case, given the time t of the next contingent execution, there must be a time \(t^\prime \in (\mathtt {now}_\psi ,t)\) such that \(t^\prime \not \in \varGamma \) and, hence, some strategy \(\theta \in \varTheta (t^\prime )\) that could only be thwarted by contingent executions before time \(t^\prime < t\). Since no such executions occurred, that strategy could be followed by Agnes as a winning strategy, a contradiction. Thus, \(T_u > \mathtt {now}_\psi \). It remains to be seen whether \(T_u \in \varGamma \).

Next, let \(\varGamma ^*\) be the subset of \((\mathtt {now}_\psi ,T_u]\) such that for each \(t \in \varGamma ^*\), there exists a (possibly empty) set \(\chi (t)\) of contingent time-points such that every strategy \(\theta \in \varTheta (t)\) can be thwarted by a situation that is consistent with (1) no new contingent executions before time t; and (2) the execution of all of the contingent time-points in \(\chi (t)\) at time t. Now, suppose \(\varGamma ^*\) were empty. Then let \(t \in (\mathtt {now}_\psi , T_u) \subseteq \varGamma \) be arbitrary; and consider the following strategy for Agnes: wait until the time t, or the execution of the next contingent time-point, whichever happens first. If no contingent time-points happen to execute before time t, then let \(t^\prime = t\); otherwise, let \(t^\prime \) be the time at which the first contingent time-point executed. In either case, since \(t^\prime \in \varGamma \), but \(t^\prime \not \in \varGamma ^*\), there could not be a single set \(\chi (t^\prime )\) as described earlier. Therefore, there would have to be at least two strategies, \(\theta _1\) and \(\theta _2\), in \(\varTheta (t^\prime )\) whose thwarting would require two different sets of contingent time-points executing at time \(t^\prime \). Agnes could then choose to follow whichever strategy, \(\theta _1\) or \(\theta _2\), was not thwarted by the execution events that occurred at time \(t^\prime \). Since that chosen strategy could only have been thwarted by execution events which did not occur, it must be a winning strategy, which is a contradiction. Therefore \(\varGamma ^* \ne \emptyset \).

Next, let \(T_u^* = \mathrm {inf}\{t~|~t > \mathtt {now}_\psi ~\mathrm {and}~t \not \in \varGamma ^*\}\). Consider the possibility that \(T_u^* = \mathtt {now}_\psi \). Then for any \(t > \mathtt {now}_\psi \), there exists a \(t^\prime \) such that \(\mathtt {now}_\psi < t^\prime < t\) and \(t^\prime \not \in \varGamma ^*\). Let Agnes wait until the time of the next contingent execution, say at time \(t > \mathtt {now}_\psi \). Then there exists a time \(t^\prime \) strictly between \(\mathtt {now}_\psi \) and t such that \(t^\prime \not \in \varGamma ^*\). In that case, there exist strategies \(\theta _1\) and \(\theta _2\) in \(\varTheta (t^\prime )\) whose thwarting situations required different sets of contingent executions at time \(t^\prime < t\). Since no such contingent executions occurred, Agnes can simply choose whichever strategy has thereby become a winning strategy, yielding a contradiction. Therefore, \(T_u^* > \mathtt {now}_\psi \).

There are now three cases to consider:

  • Case 1: \(T_u^* = T_u\), but \(T_u \not \in \varGamma \). Suppose that for all \(t \in (\mathtt {now}_\psi ,T_u)\), \(\chi (t) = \emptyset \). In other words, for each \(t \in (\mathtt {now}_\psi ,T_u)\), every \(\theta \in \varTheta (t)\) can be thwarted by situations in which no contingent time-points execute at or before time t. But that implies that every \(\theta \in \varTheta (T_u)\) can be thwarted by situations in which no contingent time-points execute before time \(T_u\) and, hence, that \(T_u \in \varGamma \), a contradiction. Therefore, it must be that for some \(t^* \in (\mathtt {now}_\psi , T_u)\), \(\chi (t^*) \ne \emptyset \). Let Vera’s RTED\(^*\) decision be \((t^*,\chi (t^*))\).

  • Case 2: \(T_u^* = T_u \in \varGamma \). Suppose that \(T_u^* \not \in \varGamma ^*\). Then there must be two strategies, \(\theta _1\) and \(\theta _2\), in \(\varTheta (T_u^*)\) that can only be thwarted by situations involving two different sets of contingent time-points at time \(T_u^*\). But then Agnes could simply wait until time \(T_u^*\) to see which of the two strategies was not thwarted, to yield a winning strategy. But that is a contradiction. Therefore, \(T_u^* \in \varGamma \). Now, suppose that \(\chi (T_u^*) = \emptyset \). That is, every strategy in \(\varTheta (T_u^*)\) can be thwarted by situations that do not involve any new contingent executions at or before \(T_u^*\). Let Agnes employ the following strategy: wait until the next contingent execution. Suppose it happens at some time \(t > T_u^*\). By the definition of \(T_u\) and the fact that \(T_u \in \varGamma \), it follows that there must be some \(t^\prime \) strictly between \(T_u\) and t such that \(t^\prime \not \in \varGamma \). But then there must be a strategy \(\theta \in \varTheta (t^\prime )\) whose thwarting requires the execution of a contingent time-point before time \(t^\prime < t\). Since no such execution occurred, Agnes can employ \(\theta \) as a winning strategy, which is a contradiction. Thus, \(\chi (T_u^*) \ne \emptyset \). Vera’s RTED\(^*\) decision can then be \((T_u^*,\chi (T_u^*))\).

  • Case 3: \(T_u^* < T_u\). As in Case 2, it follows here that \(T_u^* \in \varGamma ^*\). Now, let t be any time such that \(T_u^* < t < T_u\). Let Agnes wait until the next contingent execution or the time t, whichever comes first. Let \(t^\dagger \) be that time. By the definition of \(T_u^*\) as an infimum, and the fact that \(T_u^* \in \varGamma ^*\), it follows that there is some \(t^\prime \) strictly between \(T_u^*\) and \(t^\dagger \) such that \(t^\prime \not \in \varGamma ^*\), but \(t^\prime \in \varGamma \) (since \(t^\prime < T_u\)). But then there exist strategies \(\theta _1\) and \(\theta _2\) in \(\varTheta (t^\prime )\) whose thwarting situations require different sets of contingent time-points to execute at time \(t^\prime < t^\dagger \le t\). Since no such contingent executions occurred, Agnes can simply choose whichever strategy has thereby become a winning strategy, yielding a contradiction. Therefore, it cannot be that \(T_u^* < T_u\).

Only Cases 1 and 2 avoid a contradiction, and each of those cases generates a decision for Vera of the form \(\varDelta _u = (t,\chi )\), where \(\chi \) is a set of contingent time-points that are to be executed at time t if Agnes does not execute any time-points at or before t. It remains to show that all possible outcomes of the decisions of Agnes and Vera result in a schedule that can be obtained by following a strategy R in some thwarting situation \(\omega _R\).

First, suppose Agnes uses a \(\mathtt {wait}\) decision. In that case, the contingent time-points in \(\chi \) will be executed at time t. By the construction of the \(\chi \) set (cf. the definition of \(\varGamma ^*\)), it follows that all strategies in \(\varTheta (t)\), of which \(\mathtt {wait}\) is one, can be thwarted by situations that are consistent with this outcome. Similar remarks apply to Agnes using a \((T_f,\chi _f)\) decision where \(T_f > t\).

Second, suppose Agnes uses a \((T_f, \chi _f)\) decision where \(T_f \le t\). Then the partial outcome will involve the execution of the executable time-points in \(\chi _f\) at time \(T_f \le t\), but not the contingent time-points in \(\chi \). Now, since \(T_f \le t\), it follows that \(T_f \le T_u^*\). Thus, for each time \(t^\prime < T_f\), all strategies in \(\varTheta (t^\prime )\)—of which, Agnes’ \((T_f,\chi _f)\) is one—must be thwartable by situations involving no new contingent time-points before time \(t^\prime \). But then, for any \(t^\dagger < T_f\), there is some \(t^\prime \) such that \(t^\dagger < t^\prime < T_f\), from which it follows that no contingent time-points need be executed at or before \(t^\dagger \). Thus, no contingent time-points need be executed before time \(T_f\). However, thwarting the strategies that involve the execution of the time-points in \(\chi _f\) at time \(T_f\) may require the execution of some contingent time-points at time \(T_f\). A single set of such time-points must be sufficient; otherwise, it would contradict the thwartability of those strategies. That set of time-points constitutes an instantaneous reaction by Vera.

Thus, in all cases, Vera has a decision \((t,\chi )\) available—that only depends on \(\psi \), not on R—that, together with a possible instantaneous reaction, generates an outcome according to the two-player game semantics that is identical to an outcome that is obtained by following an RTED-based strategy in a thwarting situation. \(\square \)

Appendix 2: The semantics of dynamic controllability for CDTNUs

In this section, the dynamic execution semantics for STNUs is extended to accommodate the features of CSTNUs and DTNUs, resulting in a dynamic execution semantics for CDTNUs. For a CDTNU, \((\mathcal {T}, \mathcal {C}, L, \mathcal {OT}, \mathcal {O}, P, \mathcal {L})\), the agent seeks a strategy for executing the free time-points in \(\mathcal {T} _f \subseteq \mathcal {T} \) whose labels are in accordance with the current scenario, such that all constraints in \(\mathcal {C} \) will necessarily be satisfied no matter what durations the environment “chooses” for the contingent links in \(\mathcal {L} \), and no matter which truth values the environment “chooses” for the propositions in P. The decisions that constitute such a strategy can depend only on execution events that occurred in the past; however, the strategy can be dynamic in that it may react—after a positive delay—to observations of contingent time-points executing or propositional letters being assigned truth values.

First, the partial schedules from Definition 9 are extended to accommodate observation time-points. In this context, an extended partial schedule is not only a possibly partial assignment of values to time-points, but also a possibly partial assignment of truth values to propositional letters.

Definition 23

(Extended Partial Schedule) An extended partial schedule for a CDTNU, \((\mathcal {T}, \mathcal {C}, L, \mathcal {OT}, \mathcal {O}, P, \mathcal {L})\), is \((\psi , \sigma )\), where \(\psi \) is a partial schedule (i.e., a partial assignment to time-points in \(\mathcal {T} \), as in Definition 9), and \(\sigma \) is a set of tuples of the form (X, b) where \(X \in \mathcal {OT} \cap \textit{TPs}(\psi )\) is an already-executed observation time-point, and b is either \(\top \) or \(\bot \) (i.e., true or false). The label for the extended partial schedule, \((\psi ,\sigma )\), is the conjunction of literals determined by the truth values in \(\sigma \). For example, if p is true in \(\sigma \), and q is false, and those are the only Boolean variables that have been observed so far according to \(\psi \) and \(\sigma \), then the label for \((\psi ,\sigma )\) is \(p\lnot q\).

Intuitively, \(\psi \) records the execution times for those time-points that have already executed; and \(\sigma \) records the truth values of the propositional letters corresponding to observation time-points that have already executed. In short, the extended partial schedule represents all of the information on which execution decisions may depend.

The RTEDs available to Agnes in the case of a CDTNU are essentially the same as in the case of STNUs with one minor condition: the time-points in the set \(\chi _f\) must have labels that are subsumed by the label associated with the current extended partial schedule. In other words, the labels on the time-points must be true given the label for the extended partial schedule. For example, if the label of \((\psi ,\sigma )\) is \(p \lnot q\), then the labels of any time-points in the set \(\chi _f\) must be one of: the empty label, p, \(\lnot q\), or \(p\lnot q\).

Definition 24

(RTED, for Agnes, in a CDTNU) Let \((\psi , \sigma )\) be an extended partial schedule, where \(\psi \) is respectful. An RTED for Agnes has one of two forms: \(\mathtt {wait}\) or \((T_f,\chi _f)\). A \(\mathtt {wait}\) decision is applicable if at least one contingent time-point, C, is active in \(\psi \) (i.e., C’s activation time-point has already been executed, but C has not). A \((T_f, \chi _f)\) decision (i.e., “If nothing happens before time \(T_f\), execute the time-points in \(\chi _f\) at time \(T_f\)”) is applicable if \(T_f > \mathtt {now}_\psi \), \(\chi _f\) is a non-empty subset of unexecuted free time-points (i.e., \(\chi _f \ne \emptyset \) and \(\chi _f \cap \textit{TPs}(\psi ) = \emptyset \)) and for each \(X \in \chi _f\), the label L(X) is subsumed by the label of \((\psi ,\sigma )\).

For Vera, there are two significant changes:

  1. For an RTED\(^\star \): the execution times for contingent time-points must accommodate the case of contingent durations that may fall anywhere within a union of disjoint intervals.

  2. For an instantaneous reaction: in cases where the partial outcome of the decisions by Agnes and Vera includes the execution of observation time-points, then for each such observation time-point, Vera must instantaneously specify a truth value for the corresponding Boolean propositional letter.

In the case of an RTED\(^\star \), it is convenient to call the union of distinct intervals for a given contingent duration an extended execution window.

Definition 25

(RTED\(^\star \), for Vera, in a CDTNU) Let \((\psi ,\sigma )\) be an extended partial schedule, where \(\psi \) respects at least one situation. A before-or-at RTED (RTED\(^\star \)) has one of two forms: \(\mathtt {wait}\) or \((T_u,\chi _u)\). A \(\mathtt {wait}\) decision is only applicable if no contingent time-points are currently active in \(\psi \). A \((T_u,\chi _u)\) decision (i.e., “If nothing happens before-or-at time \(T_u\), I shall execute the time-points in \(\chi _u\) at time \(T_u\)”) is applicable only if \(T_u > \mathtt {now}_\psi \); \(\chi _u\) is a non-empty subset of currently-activated contingent time-points each of whose extended execution window includes \(T_u\); and the extended execution window for each currently-activated contingent time-point that is not in \(\chi _u\) extends beyond the time \(T_u\).

Definition 26

(Instantaneous reaction, for Vera, in a CDTNU) Let \((\psi ,\sigma )\) be an extended partial schedule in which at least one contingent time-point C is activated and whose extended execution window includes \(\mathtt {now}_\psi \) (i.e., one of the possible durations for C would result in C executing at \(\mathtt {now}_\psi \)). An instantaneous reaction is a decision (by Vera) to: (1) execute a set of such time-points at time \(\mathtt {now}_\psi \); and (2) assign truth values for each of the observation time-points in \(\psi \) that are not yet assigned in \(\sigma \). If \(\mathtt {now}_\psi \) happens to be the last possible time at which a currently-activated contingent time-point C can execute, then the instantaneous reaction must include C.

The partial and full outcomes for these augmented decisions for Agnes and Vera are analogous to those in the case of an STNU. The principal difference is that if a partial outcome involves the execution of an observation time-point, then Vera’s instantaneous reaction must assign a truth value to the corresponding Boolean propositional letter.

Note that the disjunctive constraints that may appear within the set \(\mathcal {C}\) of constraints in the CDTNU do not affect the execution semantics at all. In other words, they do not affect the execution decisions that are available to either Agnes or Vera. Instead, they represent constraints that Agnes wants to satisfy.

With these changes, the definition of dynamic controllability for CDTNUs is analogous to that for STNUs.

Appendix 3: Proof of correctness for the STNU-to-TGA encoding

This section presents the theoretical results that confirm the correctness of the STNU-to-TGA encoding given in Sect. 4.2.1. It also explicates the correspondence between strategies for STNUs and their TGA counterparts.

Theorem 2

Let \(\mathcal {S} = (\mathcal {T},\mathcal {C},\mathcal {L})\) be any STNU; and let \(\varTheta \) be the encoding of \(\mathcal {S} \) as a TGA, as described in Sect. 4.2.1. Then \(\varTheta \) correctly captures the execution semantics for \(\mathcal {S} \) in the sense that any sequence of partial schedules that can be generated for \(\mathcal {S} \) according to the execution semantics for STNUs corresponds to a run for \(\varTheta \) that can be generated by following its transitions according to the TGA semantics.

Proof

The following invariant is proved by induction. Each respectful partial schedule \(\psi \) that can be generated for \(\mathcal {S} \) corresponds to a state of \(\varTheta \) in which the location is \(\mathtt {vera} \), \(\mathtt {c_\delta } = 0\), \(\mathtt {now}_\psi = {\hat{c}}\), for each executed time-point X, \(\psi (X) = {\hat{c}}-\mathtt {cX}\), and for each unexecuted time-point Y, \(\mathtt {cY} ={\hat{c}}\). For the base case, the initial partial schedule, \(\psi _0 = \emptyset \), corresponds to the initial state of \(\varTheta \) in which the location is \(\mathtt {vera} \), all clocks are at zero, and all time-points are unexecuted. Note that \(\psi _0\) is trivially respectful.

Now, suppose that \(\psi \) is a respectful partial schedule that can be generated according to the execution semantics for STNUs, and that satisfies the hypothesized invariant. Let \(\theta \) be the corresponding state of the TGA. Since \(\mathtt {c_\delta } = 0\), the only transitions that are immediately enabled are the loops whereby contingent time-points are executed. These transitions, if taken, correspond to the instantaneous reaction decisions for Vera, in which a set \(\varUpsilon _u\) of one or more contingent time-points can be executed simultaneously. However, suppose that Vera does not make any such transitions at \(\mathtt {c_\delta } = 0\). Once \(\mathtt {c_\delta } > 0\), both Agnes and Vera have transitions that they could make at any time. For example, Vera might decide to execute one or more contingent time-points when \(\mathtt {c_\delta } = 3\). That would correspond to an RTED\(^\star \)-based decision, \((T_u,\chi _u)\), where \(T_u = \mathtt {now}_\psi + 3\) and \(\chi _u\) contains the time-points to be executed. Since each transition by Vera resets \(\mathtt {c_\delta } \) to 0, Agnes is unable to interrupt Vera’s simultaneous execution of contingent time-points. The resulting outcomes are equivalent to the partial schedules that arise in Cases (1a) and (1b) of Definition 18. The guards on Vera’s transitions, which enforce the duration bounds for the contingent links, ensure that the resulting partial schedule is respectful. Also, when Vera’s sequence of “simultaneous” transitions completes, \({\hat{c}}\) equals the time of the most recent execution (i.e., \(\mathtt {now}_\psi + 3\)). In addition, for each newly executed time-point, C, the clock \(\mathtt {cC}\) is set to 0, ensuring that \({\hat{c}}-\mathtt {cC}\) equals the execution time of C. Since neither clock will ever again be reset, this difference remains fixed forever.

On the other hand, suppose that Agnes decided to execute the time-points in \(\chi _f\) at an earlier time, say, \(\mathtt {now}_\psi + 2\). This would correspond to her making the transition to the \(\mathtt {agnes} \) location and instantaneously executing the time-points in \(\chi _f\) at that time and, then, immediately returning to the \(\mathtt {vera} \) location. Since \(\mathtt {agnes} \) is an urgent state, the global clock equals \(\mathtt {now}_\psi + 2\) when the return transition is made. This sequence of transitions corresponds to the partial outcomes in Cases (2a) and (2b) in Definition 18, where Agnes’ decision is \((T_f,\chi _f)\), where \(T_f = \mathtt {now}_\psi + 2\). Furthermore, if Vera chooses to instantaneously execute some contingent time-points at that same time, \(\mathtt {now}_\psi +2\), that will correspond to an instantaneous reaction, as specified in Definition 17.

Finally, if at time \(\mathtt {now}_\psi \), Agnes and Vera both decided to execute some time-points at time \(\mathtt {now}_\psi + 1\), then the STNU semantics ensures that Agnes’ time-points will be executed, and that Vera will be able to instantaneously react, if she chooses. This corresponds to Agnes’ transition having priority over Vera’s transition. Agnes transitions to the \(\mathtt {agnes} \) state, executes her time-points, and returns to the \(\mathtt {vera} \) state, with the global clock ending up at \(\mathtt {now}_\psi + 1\).

Since, in all cases, the resulting state of the TGA satisfies the desired invariant property, the result is proven. \(\square \)

Theorem 3

Let \(\mathcal {S} \) be any STNU; let \(\varTheta \) be the encoding of \(\mathcal {S} \); and let \(\sigma \) be a winning TGA counter-strategy for Agnes. Then there is an equivalent RTED-based strategy for Agnes that will ensure the satisfaction of all constraints in \(\mathcal {S} \) no matter how the contingent durations turn out.

Proof

Let \(\mathcal {S}, \varTheta \) and \(\sigma \) be as described in the statement above. Therefore, , where \({\textit{Act}} _u\) is the set of uncontrollable actions (for Agnes).

Suppose the TGA has just entered the state, \((\mathtt {vera}, v)\), where v represents the vector of clock values. As has already been noted, for any time-point X and associated clock \(\mathtt {cX} \): (1) before X executes, \(\mathtt {cX} = \hat{c}\); and (2) after X executes, \(\mathtt {cX} < \hat{c}\) and the fixed difference, \(\hat{c} - \mathtt {cX} \), equals the time at which X executed. Thus, the vector of clock values specifies a partial schedule, \(\psi \). Now, suppose that \(\mathtt {now}_\psi < \hat{c}\) (i.e., that some positive time has elapsed since the last execution event in \(\psi \)). The only way that could have happened is if the state \((\mathtt {vera}, v)\) had been preceded by one or more useless loops (i.e., loops using only the \(\mathtt {gain} \) and \(\mathtt {pass} \) transitions to go back and forth between \(\mathtt {vera} \) and \(\mathtt {agnes} \) without executing any time-points). Let \((\mathtt {vera}, v^\prime )\) be the state immediately preceding the first such useless loop. Then for some positive \(\epsilon \), \(v = v^\prime + \epsilon \) (i.e., the clock values in v are \(\epsilon \) units larger than their corresponding values in \(v^\prime \)). And by construction, \(\mathtt {now}_\psi = v^\prime (\hat{c})\).

Next, let D be the minimum time that can elapse from v before the strategy \(\sigma \) recommends a non-trivial transition to the \(\mathtt {agnes} \) location. That is: \(D = \min \{d~|~\sigma (\mathtt {vera},v^\prime +d) \ne \lambda ,~\sigma (\mathtt {agnes},v^\prime +d) \ne \mathtt {pass}\}\). Let \(v_0 = v^\prime +D\). The unique sequence of execution transitions at the \(\mathtt {agnes} \) location is: \(\tau _1 = \sigma (\mathtt {agnes},v_0), \tau _2 = \sigma (\mathtt {agnes},v_1), \tau _3 = \sigma (\mathtt {agnes},v_2), \ldots \), where each \(v_{i+1}\) is the same as \(v_i\), except that the clock for the just-executed time-point is 0 in \(v_{i+1}\). This sequence must terminate, since there are only finitely many time-points, and each can be executed only once. If \(\tau _m\) is the last execution transition, it follows that \(\mathtt {pass} = \sigma (\mathtt {agnes},v_m)\). That transition leads back to the state, \((\mathtt {vera},v_m)\), where \(v_m\) is the same as \(v^\prime \), except that the clocks for the time-points executed by the transitions, \(\tau _1, \ldots , \tau _m\), are all zero in \(v_m\).

Next, let \(T_f = v_0(\hat{c})\) be the global time at which \(\sigma \) recommends its first non-trivial transition to \(\mathtt {agnes} \); and let \(\chi _f\) be the set of time-points that correspond to the execution transitions, \(\tau _1, \ldots , \tau _m\). Then \((T_f,\chi _f)\) is an RTED for \(\psi \) that corresponds to what the strategy \(\sigma \) recommends at \((\mathtt {vera},v^\prime )\). Note that Vera may decide to instantaneously react by executing some contingent time-points also at time \(T_f\), an outcome that is sanctioned by the execution semantics for STNUs. Finally, it may happen that Vera decides to intervene before time \(T_f\) arrives, by executing one or more contingent time-points and effectively generating a new partial schedule, \(\psi ^*\). In that case, the same procedure could be applied to \(\psi ^*\) to generate an appropriate RTED. Since the guard on the transition from \(\mathtt {vera} \) to \(\mathtt {agnes} \) requires a positive time delay, that RTED is properly prohibited from any kind of instantaneous reaction (by Agnes).

This procedure provides a mapping from any \((\mathtt {vera},v)\) state that is reachable following the winning strategy \(\sigma \). In addition, the sequences of partial schedules generated by following the RTEDs correspond to runs that can be produced by \(\sigma \). Thus, the complete schedules generated by the RTEDs are guaranteed to satisfy all STNU constraints assuming Vera observes the bounds on all contingent links. \(\square \)
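To make the clock discipline used in the proofs of Theorems 2 and 3 concrete, here is an added Python sketch (example code written for this page; it is not the paper's Sect. 4.2.1 encoding, which is not reproduced here) of a TGA state with the global clock \({\hat{c}}\), the clock \(\mathtt {c_\delta }\) and one clock \(\mathtt {cX}\) per time-point, together with the transitions the proofs rely on: a delay at \(\mathtt {vera}\), Vera's contingent-execution loop that resets \(\mathtt {cC}\) and \(\mathtt {c_\delta }\), and Agnes' \(\mathtt {gain}\)/execute/\(\mathtt {pass}\) loop through the urgent \(\mathtt {agnes}\) location. Writing Vera's guard as \(lo \le \mathtt {cA} \le hi\) on the activation clock, requiring \(\mathtt {c_\delta } > 0\) on Agnes' \(\mathtt {gain}\) transition, and the function names are assumptions; the run at the end is a constructed sample. Reading the partial schedule back from the clock vector via \(\psi (X) = {\hat{c}} - \mathtt {cX}\) is the invariant of Theorem 2 and the first step of the proof of Theorem 3.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Link:
    """Contingent link  activation ==> contingent  with duration in [lo, hi]."""
    activation: str
    contingent: str
    lo: float
    hi: float

@dataclass
class State:
    location: str                      # "vera" or "agnes"
    c_hat: float = 0.0                 # global clock, never reset
    c_delta: float = 0.0               # reset to 0 by every Vera transition
    clocks: dict = field(default_factory=dict)   # cX per time-point; reset once, when X executes

def initial(time_points):
    """Initial state: location vera, all clocks at zero, nothing executed."""
    return State("vera", clocks={x: 0.0 for x in time_points})

def executed(s, x):
    # A time-point has executed exactly when its clock lags behind the global clock.
    return s.clocks[x] < s.c_hat

def schedule(s):
    """The partial schedule encoded by the clock valuation: psi(X) = c_hat - cX for executed X."""
    return {x: s.c_hat - cx for x, cx in s.clocks.items() if cx < s.c_hat}

def delay(s, d):
    """Let d > 0 time units elapse; agnes is urgent, so time may only pass at vera."""
    if s.location != "vera" or d <= 0:
        raise ValueError("time can only elapse at vera")
    return State("vera", s.c_hat + d, s.c_delta + d, {x: v + d for x, v in s.clocks.items()})

def vera_execute(s, link):
    """Vera's loop at vera: execute contingent C under the (assumed) guard lo <= cA <= hi;
    resets cC and c_delta, so Agnes cannot interleave with a burst of simultaneous executions."""
    a, c = link.activation, link.contingent
    if s.location != "vera" or not executed(s, a) or executed(s, c):
        raise ValueError("contingent time-point not active")
    if not link.lo <= s.clocks[a] <= link.hi:
        raise ValueError("duration bounds violated")
    return State("vera", s.c_hat, 0.0, {**s.clocks, c: 0.0})

def agnes_gain(s):
    """vera -> agnes; needs a positive delay since Vera's last transition (assumed c_delta > 0 guard)."""
    if s.location != "vera" or s.c_delta <= 0:
        raise ValueError("gain not enabled")
    return State("agnes", s.c_hat, s.c_delta, dict(s.clocks))

def agnes_execute(s, x):
    """Execution loop at agnes: reset cX so that c_hat - cX equals the current time from now on."""
    if s.location != "agnes" or executed(s, x):
        raise ValueError("execution not enabled")
    return State("agnes", s.c_hat, s.c_delta, {**s.clocks, x: 0.0})

def agnes_pass(s):
    """agnes -> vera without executing anything further."""
    if s.location != "agnes":
        raise ValueError("pass not enabled")
    return State("vera", s.c_hat, s.c_delta, dict(s.clocks))

# Constructed run: time-points A, B (executable) and C (contingent, A ==> C in [2, 5]).
LINK = Link("A", "C", 2.0, 5.0)

def sample_run():
    """Agnes executes A at time 1; Vera executes C at 4.5 (3.5 after A); Agnes executes B at 5.
    Returns the schedule read back from the final clock valuation."""
    s = initial(["A", "B", "C"])
    s = agnes_pass(agnes_execute(agnes_gain(delay(s, 1.0)), "A"))
    s = vera_execute(delay(s, 3.5), LINK)      # guard: cA = 3.5 lies in [2, 5]
    s = agnes_pass(agnes_execute(agnes_gain(delay(s, 0.5)), "B"))
    return schedule(s)
```

Immediately after `vera_execute` the state has \(\mathtt {c_\delta } = 0\), so `agnes_gain` raises until some time has elapsed; this is the mechanism by which Agnes cannot interrupt Vera's simultaneous executions, and the half-unit delay before B in `sample_run` is what makes her next move legal.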


Cite this article

Cimatti, A., Hunsberger, L., Micheli, A. et al. Dynamic controllability via Timed Game Automata. Acta Informatica 53, 681–722 (2016). https://doi.org/10.1007/s00236-016-0257-2


Keywords

  • Dynamic controllability
  • Temporal networks
  • Timed Game Automata