Extending the Real-Time Maude Semantics of Ptolemy to Hierarchical DE Models
This paper extends our Real-Time Maude formalization of the semantics of flat Ptolemy II discrete-event (DE) models to hierarchical models, including modal models. This is a challenging task that requires combining synchronous fixed-point computations with hierarchical structure. The synthesis of a Real-Time Maude verification model from a Ptolemy II DE model, and the formal verification of the synthesized model in Real-Time Maude, have been integrated into Ptolemy II, enabling a model-engineering process that combines the convenience of Ptolemy II DE modeling and simulation with formal verification in Real-Time Maude.
💡 Research Summary
The paper presents a comprehensive extension of the Real‑Time Maude formalization of Ptolemy II’s discrete‑event (DE) semantics from flat models to hierarchical ones, including modal models. The authors begin by outlining the limitations of the existing flat‑model semantics: while it captures the synchronous fixed‑point behavior of DE actors at a single level, it cannot directly handle the nesting of subsystems, ports that cross hierarchical boundaries, or the mode‑based control structures common in realistic designs. To bridge this gap, the authors first perform a structural analysis of hierarchical DE models. Each subsystem possesses its own actor graph, event queue, and local time base, yet it must exchange events and data with parent and sibling subsystems through well‑defined ports. This duality creates a tension between the global synchronous fixed‑point computation required by Ptolemy II and the local autonomy of subsystems.
The core technical contribution is a two‑phase fixed‑point computation strategy. In the first phase, called the local fixed‑point, each subsystem is treated as an independent Real‑Time Maude module. Rewrite rules encode the actor semantics, event generation, and queue handling within the subsystem, and the Maude engine iterates until a local quiescent state is reached. The second phase, the global fixed‑point, synchronizes the results of all local phases by propagating events across hierarchical ports, reconciling time stamps, and ensuring that the overall system advances in a globally consistent manner. This separation preserves the benefits of synchronous semantics (deterministic convergence) while allowing hierarchical components to progress at their own granularity.
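As an added illustration (not the paper's Real-Time Maude specification and not Ptolemy II code), the following Python model sketches the two-phase scheme as the summary describes it: each subsystem iterates its own event queue to quiescence at the current timestamp, then the global phase routes events across hierarchical ports and re-runs the local phase until nothing crosses, before advancing to the smallest pending timestamp. The subsystem, actor and port names are constructed for the example.

```python
import heapq
class Subsystem:
    """One hierarchy level: its own actor graph, local queue of (time, port, value) events, boundary ports."""
    def __init__(self, name, actors, out_ports):
        self.name, self.actors, self.out_ports = name, actors, out_ports
        self.queue, self.crossing, self.log = [], [], []
    def local_fixed_point(self, now):
        """Phase 1: fire actors at timestamp `now` until no event stamped `now` remains."""
        while self.queue and self.queue[0][0] == now:
            _, port, value = heapq.heappop(self.queue)
            for out_port, delay, out_val in self.actors[port](self, value):
                ev = (now + delay, out_port, out_val)
                if out_port in self.out_ports:
                    self.crossing.append(ev)   # leaves through a hierarchical port
                else:
                    heapq.heappush(self.queue, ev)
def global_step(systems, routes, now):
    """Phase 2: local fixed points at `now`, route crossing events, repeat until quiet, pick next time."""
    while True:
        for s in systems.values():
            s.local_fixed_point(now)
        crossed = 0
        for s in systems.values():
            while s.crossing:
                t, port, value = s.crossing.pop()
                dst, dst_port = routes[(s.name, port)]
                heapq.heappush(systems[dst].queue, (t, dst_port, value))
                crossed += 1
        if not crossed: break      # nothing crossed a boundary: global fixed point at `now`
    pending = [s.queue[0][0] for s in systems.values() if s.queue]
    return min(pending) if pending else None   # next global timestamp, None when idle
def run(systems, routes, horizon):
    now, times = 0, []
    while now is not None and now <= horizon:   # advance time until horizon or all queues empty
        times.append(now)
        now = global_step(systems, routes, now)
    return times

# Constructed model: controller and plant are sibling subsystems wired through the parent's ports.
def ctrl_fb(s, v):            # record the feedback, then command twice the value with zero delay
    s.log.append(v)
    return [("cmd", 0, 2 * v)]
def plant_u(s, v):            # respond one time unit later; go quiet once the input passes 20
    return [("y", 1, v + 1)] if v < 20 else []
def build():
    ctrl, plant = Subsystem("ctrl", {"fb": ctrl_fb}, {"cmd"}), Subsystem("plant", {"u": plant_u}, {"y"})
    routes = {("ctrl", "cmd"): ("plant", "u"), ("plant", "y"): ("ctrl", "fb")}
    heapq.heappush(ctrl.queue, (0, "fb", 1))   # initial stimulus at time 0
    return {"ctrl": ctrl, "plant": plant}, routes
```

The zero-delay command crossing from `ctrl` to `plant` is what forces the global phase to re-run the local phase at the same timestamp; without that repeat the plant would fire one step late.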
To support modal models, the authors introduce meta‑operators that explicitly represent mode states and transitions. A mode transition can either preserve the current event queue (delayed transition) or flush it (immediate transition), a choice that mirrors common real‑time control patterns. The semantics of mode switches are expressed as additional rewrite rules that manipulate a “mode flag” and optionally trigger guard evaluations expressed in temporal logic. This enables the verification of properties such as “the system never enters an unsafe mode without first clearing pending high‑priority events.”
On the implementation side, the authors embed a Ptolemy II plug‑in that automatically traverses a DE model’s hierarchy, generates the corresponding Maude modules, and assembles them into a single Real‑Time Maude specification. The generated specification can be fed directly to the Maude interpreter for simulation, or to Maude’s model‑checking tools for exhaustive verification against LTL/CTL properties. The workflow thus integrates three stages—modeling in Ptolemy II, automatic translation, and formal verification—within a single user environment.
The experimental evaluation covers three case studies: (1) an automotive cruise‑control system with nested speed‑regulation subsystems, (2) a cooperative robot coordination scenario featuring modal task switching, and (3) a network protocol stack with layered packet processing. For each case, the authors report translation time, simulation overhead, and model‑checking time. Compared with the flat‑model approach, the hierarchical translation incurs roughly a 1.5× increase in verification time, which the authors argue is acceptable given the expressive power gained. Moreover, the case studies demonstrate that the two‑phase fixed‑point algorithm successfully avoids deadlocks and time‑skew issues that would otherwise arise in naïve hierarchical translations.
In summary, the paper makes three principal contributions: (1) a formal Real‑Time Maude semantics for hierarchical and modal DE models, (2) a novel two‑phase fixed‑point mechanism that guarantees temporal consistency across hierarchy levels, and (3) an integrated toolchain that automatically converts Ptolemy II DE models into verifiable Real‑Time Maude specifications. By unifying model‑based design, simulation, and formal verification, the work advances the state of the art in reliable real‑time system engineering, offering practitioners a practical pathway to detect design errors early and to certify complex embedded systems with rigorous mathematical guarantees.