TCTL Model Checking

The TCTL model-checking problem is to check for a given timed automaton TA and TCTL formula Φ whether TA |= Φ. It is assumed that TA is non-zeno. The possible presence of timelocks is not relevant, as timelock freedom can be checked by a TCTL formula, see Remark 9.35. The main difficulty of the TCTL model-checking problem is that a transition system with uncountably many states has to be analyzed, since

TA|=Φ

! "# $

timed automaton

iff TS(TA)|=Φ

! "# $

infinite transition system

.

A naive graph analysis in the state graph of TS(TA) is therefore not feasible. Instead, the basic idea is to consider a finite quotient of this transition system, the so-calledregion transition system, which is obtained from the timed automatonTAand the TCTL formula Φ.¹ In essence, the region transition system RTS(TA,Φ) is the quotient of TS(TA) with respect to a bisimulation relation. The states in the region transition system are equiva-lence classes of states in TS(TA) that all satisfy the same atomic clock constraints, and from which “similar” time-divergent paths emanate, i.e., such states are TCTL equivalent.

As the number of equivalence classes is finite, this provides a basis for TCTL model check-ing. In fact, rather than checking the TCTL formula Φ, it is checked whether a derived CTL formula holds in RTS(TA,Φ).

1In fact, the region transition system depends on the maximal constants with which clocks are compared inTAand the maximal timing constants inΦ.

To check whether a timed automaton satisfies a TCTL formula thus amounts to model-check its region transition system against a corresponding CTL formula. For the latter, traditional CTL model-checking algorithms can be exploited. Summarizing:

TA|=TCTLΦ iff RTS(TA,Φ)

! "# $

finite transition system

|=CTL Φ%

whereΦ%is a CTL formula that is obtained from the TCTL formulaΦusing the translation explained next. In summary, we obtain the scheme in Algorithm 43 where ∼= denotes the equivalence used to obtain the quotient RTS(TA,Φ).

Algorithm 43 Basic recipe of TCTL model checking

Input: timed automaton TAand TCTL formulaΦ(both over AP and C) Output: TA|=Φ

Φ% := eliminate the timing parameters fromΦ;

determine the equivalence classes under∼=;

construct the region transition systemTS=RTS(TA);

apply the CTL model-checking algorithm to checkTS|=Φ;% TA|=Φif and only if TS|=Φ.%

9.3.1 Eliminating Timing Parameters

We first explain how intervals J "= [0,∞) that may appear in TCTL formulae as time bounds for path formulae are replaced by equivalent atomic clock constraints. Let TCTL_♦ denote the set of TCTL formulae in which all intervals J are equal to [0,∞). That is, the only timing aspects that occur in TCTL_♦formulae are atomic clock constraints. As such constraints can be considered as atomic propositions, in fact, TCTL_♦is a subset of CTL.

The resulting formulae provide the basis for the CTL formulae that are checked on the region transition system.

The basic idea of eliminating J "= [0,∞) from TCTL formula Φ is to introduce a fresh clock, z, say, that neither occurs in Φ nor in the timed automaton under investigation,

and to enrich the formulaΦwith atomic clock constraints that may refer to z. The clock z is used to measure the elapse of time until a certain property, i.e., sub formula of Φ, holds. For instance, to check the TCTL formula ∃♦^JΦ in states, clockz is reset in state s and Φ is checked whenever the current value of clock z lies in the interval J. In order to formalize this idea, the following auxiliary notations are helpful.

Notation 9.36. Clock Evaluationη{. . .}

For clock evaluation η ∈ Eval(C), z #∈ C and d ∈ IR_!0, let η{z := d} denote the clock valuation forC ∪{z}that extendsη by settingztodwhile keeping the value of all other clocks unchanged:

η{z:=d}(x) =

! η(x) ifx∈C d ifx=z.

LetTAbe a timed automaton overC. For states=%",η&inTS(TA) lets{z:=d}denote the state %",η{z:=d}&. Note thats{z:=d}is a state inTS(TA⊕z) whereTA⊕zis the timed automaton TAwith the set of clocks C∪{z}.

The following theorem provides a recipe to transform any TCTL formula into a timing parameter-free TCTL formula.

Theorem 9.37. Elimination of Timing Parameters

Let TA be timed automaton (Loc,Act, C,#→,Loc₀,Inv,AP, L), and ΦU^JΨ a TCTL for-mula over C and AP. For clock z#∈C, let

TA⊕z = (Loc,Act, C∪{z},#→,Loc₀,Inv,AP, L).

For any state sof TS(TA) it holds that

1. s|=TCTL∃(ΦU^JΨ) iff s{z:= 0}

" #$ %

state inTS(TA⊕z)

|=TCTL∃&

(Φ∨Ψ)U((z∈J)∧Ψ)' .

2. s|=TCTL∀(ΦU^JΨ) iff s" #$ %{z:= 0}

state inTS(TA⊕z)

|=TCTL∀&

(Φ∨Ψ)U((z∈J)∧Ψ)' .

Proof: Since TA⊕z just extends TA with a fresh clock z (which is not used in TA), it follows that any pathπ inTS(TA) uniquely corresponds to a path π^! inTS(TA⊕z) such that

π∈s₀ ^d0⇒s₁ ^d1⇒s₂ ^d2⇒

if and only if

π^! ∈s₀{z:= 0} ^d0⇒s₁{z:=d₀} ^d1⇒s₂{z:=d₀+d₁} ^d2⇒ . . .

It is easy to see that π is time-divergent if and only ifπ^! is time-divergent. We now prove that π |=ΦU^JΨ iffπ^! |= (Φ∨Ψ)U((z ∈J)∧Ψ).We only consider the direction ⇒; the proof for the other direction is similar. Assume π |=ΦU^JΨ. From the TCTL semantics this is equivalent to

∃i!0. si+d|=Ψ for somed∈[0, di] with !i−1

k=0d_k+d∈J and

∀j"i. s_j+d^! |=Φ∨Ψfor any d^! ∈[0, dj] with !_j−1

k=0d_k+d^! "!i−1

k=0d_k+d.

Asz is a fresh clock, this is equivalent to

∃i!0. s^!_i+d|=Ψ for somed∈[0, di] with !_i−1

k=0d_k+d∈J and

∀j"i. s^!_j+d^! |=Φ∨Ψfor any d^! ∈[0, dj] with !_j−1

k=0d_k+d^! "!i−1

k=0d_k+d.

where s^!_i =s_i{z :=!_i−1

k=0d_k} and s^!_j =s_j{z := !j−1

k=0d_k}. As clock z is never reset, the value of zin state s^!_i+dequals !i−1

k=0d_k+d. As this sum lies inJ, in the first conjunctΨ may be strengthened by the atomic clock constraint z∈J. This yields

∃i!0. s^!_i+d|= (z∈J)∧Ψfor somed∈[0, di] with

i−1

"

k=0

d_k+d

# $% &

=z

∈J and

∀j"i. s^!_j+d^! |=Φ∨Ψfor any d^! ∈[0, dj] with !_j−1

k=0d_k+d^! "

i−1

"

k=0

d_k+d

# $% &

=z

.

The constraint!i−1

k=0d_k+d∈J can now be omitted (as it is equivalent toz∈J), whereas in the second part, we may weakenΦ∨Ψinto (Φ∨Ψ)∨(Ψ∧(z∈J)) as ford^! =dandi=j, Ψ∧(z∈J) holds. Applying the TCTL semantics yields thatπ^! |= (Φ∨Ψ)U((z∈J)∧Ψ).

Example 9.38. Eliminating Timing Parameters

Let Φbe a TCTL formula. According to the above mapping, the TCTL formula ∃♦^!2Φ is replaced by ∃♦((z"2)∧Φ). In a similar way, we replace: ∃$^!2Φ = ¬∀♦^!2¬Φby

¬∀♦((z"2)∧¬Φ) ≡ ∃$(¬(z"2)∨Φ)

= ∃$((z"2)→Φ).

Note that the resulting formulae are CTL formulae (or could be understood as such) provided Φdoes not contain intervals different from [0,∞).

In order to verify whether TA|=Φfor TCTL formulaΦ, the above result suggests equip-ping TA with a clock for each subformula of Φ of the form ΨU^JΨ^! while replacing this subformula as indicated in Theorem 9.37. This yields TCTL_♦ formula Φ. As! Φ! does not contain timing parameters, and any clock constraint can be considered as an atomic proposition, in fact, Φ! is a CTL formula! Verifying a timed CTL formula on a timed automaton TA thus reduces to checking a CTL formula on a TA extended with a clock whose sole purpose is to measure the elapse of time that is referred to in the formula.

9.3.2 Region Transition Systems

Consider timed automaton TAand TCTL_♦formulaΦ. It is assumed thatTAis equipped with an additional clock as explained in the previous section. The idea is impose an appropriate equivalence, denoted∼=, on the clock valuations—and implicitly on the states of TS(TA) by letting#!^!,η^!$ ∼=#!,η^!$ if!=!^! and η∼=η^!—such that:

(A) Equivalent clock valuations should satisfy the same clock constraints that occur in TAand Φ:

η∼=η^! ⇒ "

η|=g iff η^! |=g for allg∈ACC(TA)∪ACC(Φ)#

whereACC(TA) andACC(Φ) denote the set of atomic clock constraints that occur inTA andΦ, respectively. These constraints are either of the formx!c orx < c.

(B) Time-divergent paths emanating from equivalent states should be “equivalent”. This property guarantees that equivalent states satisfy the same path formulae.

(C) The number of equivalence classes under ∼= is finite.

In the sequel we adopt the following notation for clock values.

Notation 9.39. Integral and Fractional Part of Real Numbers Letd∈IR. Theintegral part of dis the largest integer that is at most d:

(d) = max{c∈IN|c!d}.

The fractional part of dis defined by frac(d) = d− (d). For example, (17.59267) = 17, frac(17.59267) = 0.59267, (85)= 85, andfrac(85) = 0.

The definition of clock equivalence is based on three observations that successively lead to a refined notion of equivalence. Let us discuss these observations in detail.

First observation. Consider atomic clock constraintg, and letη be a clock valuation (both over the setC of clocks withx∈C). Asg is an atomic clock constraint,g is either of the formx < corx!cforc∈IN. We have thatη|=x < cwheneverη(x)< c, or equivalently,

"η(x)# < c. The fractional part of η(x) in this case is not relevant. Similarly, η|=x !c

whenever either"η(x)#< c, or"η(x)#=candfrac(x) = 0. Therefore, η|=gonly depends on the integral part"η(x)#, and the fact whether frac(η(x)) = 0. This leads to the initial suggestion that clock valuations η and η^! are equivalent (denoted∼=1) whenever

"η(x)# = "η^!(x)# and frac(η(x)) = 0 ifffrac(η^!(x)) = 0. (9.1)

This constraint ensures that equivalent clock valuations satisfy the clock constraint g providedgonly contains atomic clock constraints of the formx < c orx!c. (In case one would restrict all atomic clock constraints to be strict, i.e., of the formx < c, the fractional parts would not be of importance and the second conjunct in the above equation may be omitted.) Note that it is crucial for this observation that only natural number constants are permitted in the clock constraints. This equivalence notion is rather simple, leads to a denumerable (but still infinite) number of equivalence classes, but is too coarse.

Example 9.40. A First Partitioning for Two Clocks

To exemplify the kind of equivalence classes that one obtains, consider the set of clocksC= {x, y}. The quotient space forC obtained by suggestion (9.1) is depicted in Figure 9.18) where the equivalence classes are

• the corner points (q, p)

• the line segments {(q, y)|p < y < p+1} and {(x, p)|q < x < q+1}, and

• the content of the squares{(x, y)|q < x < q+1 ∧ p < y < p+1}

where p, q ∈ IN and {(x, p) | q < x < q+1} is a shorthand for the set of all clock evaluations η withη(x)∈]q, q+1[ and η(y) =p.

Second observation. We demonstrate the fact that ∼=1 is too coarse by means of a small example. Consider location " whose two outgoing transitions are guarded with x " 2 (action α) and y > 1 (action β), respectively; see also Figure 9.19. Let state s = &",η' with 1<η(x)<2 and 0<η(y)<1. Both transitions are disabled, so the only possibility is to let time advance. The transition that is enabled next depends on the ordering of the

y

1 2 3 x 1

2

x= 3 y= 2

2< x <3 1< y <2

x= 3,0< y <1

countable index

Figure 9.18: Initial partitioning for two clocks .

x y

1 2 3 1

2

4 l

l

l

x 2

y 1

...

...

...

...

Figure 9.19: Fragment of timed automaton and time passage of two clock valuations.

fractional parts of the clocks xand y: if frac(η(x))<frac(η(y)), thenβ is enabled before α; if frac(η(x)) ! frac(η(y)), action α is enabled first. Time-divergent paths in s may thus start withα iffrac(η(x))!frac(η(y)), and with β otherwise. This is represented by the fact that delaying leads to distinct successor classes depending on the ordering of the fractional parts of clock, see Figure 9.19 (right part).

Thus, besides !η(x)" and the fact whether frac(η(x)) = 0, apparently the order of the fractional parts of η(x), x∈C is important as well, i.e., whether for x, y∈C:

frac(η(x))<frac(η(y)) or frac(η(x))>frac(η(y)) orfrac(η(x)) =frac(η(y)).

This suggests extending the initial proposal (9.1) for all x, y∈C by

frac(η(x))"frac(η(y)) if and only if frac(η^!(x))"frac(η^!(y)), (9.2) i.e., η₁ ∼=2 η₂ iffη₁ ∼=1 η₂ and (9.2) holds. This strengthening will ensure that equivalent states %$,η& and %$,η^!& have similar time-divergent paths.

y

1 2 3 x 1

2

4

3< x <4,1< y <2, x−y <2

3< x <4,1< y <2, x−y= 2

3< x <4,1< y <2, x−y >2

Figure 9.20: Refining the initial partitioning for two clocks.

Example 9.41. A Second Partitioning for Two Clocks

This observation suggests to decompose the squares {(x, y) | q < x < q+1 ∧ p < y <

p+1} into a line segment, an upper and lower triangle, i.e., the following three parts:

{(x, y)|q < x < q+1 ∧ p < y < p+1 ∧ x−y < q−p}, {(x, y)|q < x < q+1 ∧ p < y < p+1 ∧ x−y > q−p},and {(x, y) |q < x < q+1 ∧ p < y < p+1 ∧ x−y =q−p}. Figure 9.20 illustrates the resulting partitioning for two clocks.

Final observation. The above constraints on clock equivalence yield a denumerable though not finite quotient. To obtain an equivalence with a finite quotient, we exploit the fact that in order to decide whetherTA|=Φonly the clock constraints occurring inTAandΦ are relevant. As there are only finitely many clock constraints, we can determine for each clockx∈C the maximal clock constraint,c_x∈IN, say, with whichx is compared in some clock constraint in either TA(as guard or location invariant) orΦ. Sincec_x is the largest constant with which clock x is compared it follows that if η(x) > cx, the actual value of x is irrelevant. (Clock x that occurs neither in TA nor in Φ is superfluous and can be omitted; for these clocks we set c_x= 0.) As a consequence, the constraints (9.1) are only relevant if η(x)!cx andη^!(x)!cx, while for (9.2) in addition η(y)!cy and η^!(y)!cy. The above considerations suggest the following notion of clock equivalence.

y

1 2 3 x 1

2

finite index 4

cy = 2 c_x= 4

Figure 9.21: Third (and final) partitioning for two clocks (forc_x = 4 and c_y = 2).

Definition 9.42. Clock Equivalence ∼=

LetTAbe a timed automaton,Φa TCTL_♦formula (both over setCof clocks), andc_xthe largest constant with which x∈C is compared with in either TAor Φ. Clock valuations η,η^! ∈Eval(C) areclock-equivalent, denoted η ∼=η^! if and only if either

• for any x∈C it holds thatη(x)> c_x and η^!(x)> c_x, or

• for anyx, y∈Cwithη(x),η^!(x)!cxandη(y),η^!(y)!cyall the following conditions hold:

– #η(x)$=#η^!(x)$ and frac(η(x)) = 0 ifffrac(η^!(x)) = 0, – frac(η(x))!frac(η(y)) iff frac(η^!(x))!frac(η^!(y)).

As the clock equivalence∼= depends onTAandΦ, strictly speaking one should write∼=TA,Φ

instead of ∼=. The dependency of ∼= on TA and Φ is limited to the largest constants c_x; that is to say, neither the structure ofTAnor that ofΦis of relevance to clock equivalence.

The equivalence∼= is lifted to states of the transition systemTS(TA) as follows. For states s_i =%"_i,η_i&,i= 1,2, inTS(TA):

s₁∼=s₂ iff "₁="₂ and η₁∼=η₂. Equivalence classes under ∼= are called clock regions.

Definition 9.43. Clock and State Region

Let ∼= be a clock equivalence on C. The clock region of η ∈ Eval(C), denoted [η], is defined by

[η] = {η^! ∈Eval(C)|η ∼=η^!}.

The state region ofs=#",η$ ∈TS(TA), denoted [s], is defined by [s] = #",[η]$ = {#",η^!$|η^! ∈[η]}.

In the sequel, state and clock regions are often indicated as regions whenever it is clear from the context what is meant. Clock regions will be denoted by r, r^!, and so forth.

We often use casual notations to denote clock regions or clock valuations. For a timed automaton with two clocks, xand y say,

{(x, y)|1< x <2,0< y <1, x−y <1} denotes the clock region of all clock valuations η∈Eval({x, y}) with

1<η(x)<2 and 0<η(y)<1 and frac(η(x))<frac(η(y)).

Example 9.44. Light Switch

Consider the timed automaton overC={x}for the light switch and the TCTL_♦formula Φ= true. It follows that the largest constant with which x is compared is c_x = 2; this is due to the location invariant x!2.

off on

switch on switch off

x!2 reset(x)

x"1

We gradually construct the regions for this timed automaton by considering each of the constraints in Definition 9.42 separately. Clock valuations η,η^! are equivalent ifη(x) and η^!(x) belong to the same equivalence class along the real line. (In general, for n clocks this amounts to considering ann-dimensional hyperspace on IR_"0.)

1. The requirement that η(x) >2 and η^!(x)>2 or η(x) !2 and η^!(x) !2 yields the partitioning into the intervals [0,2] and (2,∞).

1 2 0

region region region

region region

0< x <1 1< x <2

x= 0 x= 1 x= 2

x >2 unbounded region

Figure 9.22: Clock regions for the light switch timed automaton.

2. The requirement that whenever η(x) ! 2 and η^!(x) !2, the integral parts of η(x) andη^!(x) agree andfrac(η(x)) = 0 ifffrac(η^!(x)) = 0 yields the partitioning into the intervals

[0,0],(0,1),[1,1],(1,2),[2],(2,∞).

3. As there is only a single clock, the third constraint of Definition 9.42 trivially holds.

We thus obtain six clock regions (see Figure 9.22), and as there are two locations, twelve state regions.

Example 9.45. Two Clocks

Consider the set of clocks C={x, y}and assume cx = 2 andcy = 1. As in the previous example, we gradually construct the clock regions. Clock valuations η,η^! ∈Eval({x, y}) are equivalent if the real-valued pairs (η(x),η(y)) and (η^!(x),η^!(y)) are elements of the same clock region.

1. The requirement that η(x)> cx and η^!(x) > cx or η(x)!cx and η^!(x)!cx for any clock x∈C yields four classes:

{(x, y)|0!x!2,0!y!1}, {(x, y) |0!x!2, y >1}, {(x, y)|x >2,0!y!1}, and {(x, y)|x >2, y >1}

2. The second requirement of Definition 9.42 yields a refinement of the first three classes obtained in the previous step. For instance, the rectangle [(0!x!2),(0!y !1)]

is decomposed into the six corner points:

(0,0),(0,1),(1,0),(1,1),(2,0) and, (2,1),

the (open) line segments:

{(0, y)|0< y <1}, {(1, y)|0< y <1}, {(2, y)|0< y <1}, {(x,0)|0< x <1}, {(x,0)|1< x <2},

{(x,1)|0< x <1}, {(x,1)|1< x <2}, and the (open) squares:

{(x, y) |0< x <1,0< y <1} and {(x, y)|1< x <2,0< y <1}. Similarly, [(0!x!2),(y >1)] is decomposed into

{(0, y)|y >1} {(1, y)|y >1} {(2, y)|y >1} {(x, y)|0< x <1, y >1} {(x, y) |1< x <2, y >1}

In a similar way {(x, y) |x >2,0!y!1}is decomposed into three classes.

3. Finally, we apply the ordering constraint, see the third constraint of Definition 9.42 to {(x, y) | 1 < x < 2,0 < y < 1}. Since the ordering of clocks now becomes important, this class is split into

{(x, y)|1< x <2,0< y <1,frac(x)<frac(y)}, {(x, y)|1< x <2,0< y <1,frac(x)>frac(y)}, {(x, y)|1< x <2,0< y <1, x−y= 1}.

A similar reasoning applies to{(x, y)|0< x <1,0< y <1}. The other classes are not further partitioned. For instance,{(x, y) |1< x <2, y >1}is not further split asy > c_y.

Summarizing, we obtain twenty-eight clock regions: six corner points, fourteen open line segments, four open triangles, and four open clock regions.

Even for apparently simple timed automata, a large number of regions can arise. For this reason, we abstain from indicating the regions in more complex examples such as the railroad crossing and real-time mutual exclusion examples. The number of clocks, as well as the constants c_x, are essential factors that determine the number of regions. The number of clock regions and state regions is finite, i.e., consraint (C) holds. The following theorem contains an estimate for the number of clock regions. The number of state regions is a factor |Loc|larger.

Theorem 9.46. Number of Regions

The number of clock regions is bounded from below and above as follows:

|C|!∗ !

x∈C

c_x ! |Eval(C)/∼= | ! |C|!∗2^|C|−1∗ !

x∈C

(2cx+ 2) where for the upper bound it is assumed that cx "1 for all x∈C.

Proof: The lower and upper bounds are determined by considering a representation of clock regions such that there is a one-to-one relationship between the representation of a clock region and the clock region itself. This representation allows derivation of the bounds.

Let C be a set of clocks and η ∈Eval(C). Every clock region r can be represented by a tuple $J,℘, D% whereJ is a family of intervals, ℘ is a permutation of a subset of clocks in C, and D⊆C is a set of clocks such that

• J = (J_x)_x∈C is a family of intervals with Jx ∈ "

[0,0], ]0,1[, [1,1], ]1,2[, . . . , ]cx−1, cx[, [cx, cx], ]cx,∞[# , such that η(x)∈J_x for all clocksx∈C and clock evaluations η ∈r.

• Let C_open be the set of clocksx∈C such thatJ_x is an open interval, i,e, C_open = "

x∈C | J_x ∈{ ]0,1[, ]1,2[, . . . , ]c_x−1, c_x[, ]c_x,∞[}# .

℘={x_i1, . . . , x_ik}is a permutation ofC_open ={x₁, . . . , x_k}such that for anyη∈r the clocks are ordered according to their fractional parts, i.e.,

i_h< i_j imples frac(η(xi_h)) ! frac(η(xij)).

• D ⊆ C_open contains all clocks in C_open such that for all clock evaluations η^# ∈ [η]

the fractional part for clock xij corresponds to the fractional part for its predecessor x_ij−1 in the permutation℘:

x_ij ∈D impliesfrac(η(xij−1)) = frac(η(xij)).

There is a one-to-one relation between the clock regions and triples $J,℘, D%.

The indicated upper bound for the number of clock regions is obtained by the following combinatorial observation that there are

• exactly !

x∈C

(2c_x+ 2) different interval families J,

• maximally |C_open|! ! |C|! different permutations overC_open, and

• maximally 2^|Copen|−1 ! 2^|C|−1 different choices forD⊆C\ {x₁}.

The indicated lower bound is obtained when all clocks have a value in an open interval (though not the unbounded interval ]c_x,∞[), and all have different fractional parts. In this case D=∅, and

Jx ∈ "

]0,1[, ]1,2[, . . . , ]cx−1, cx[# . As there are exactly !

x∈C

c_x possibilities forJ and maximally |C|! different permutations, the lower bound follows.

Example 9.47. Number of Regions

Let us illustrate the number of regions for a reasonable small timed automaton. Assume

|C|=nsuch that c_x= 2 for all x∈C. The lower bound for the number of clock regions indicated in Theorem 9.46 is n!·2ⁿ. The minimal number of clock regions forn=2 equals 8; for n=3 andn=4 this rises to 48 and 384 respectively. Forn=5, there are at least 3840 clock regions.

Lemma 9.48.

Let TAbe a timed automaton and Φ a TCTL_♦ formula both over the setC of clocks and

∼= the clock equivalence induced byTA and Φ. Then:

1. For η,η^# ∈Eval(C) such thatη ∼=η^#:

η |=g if and only if η^# |=g for allg∈ACC(TA)∪ACC(Φ) 2. For s, s^#∈TS(TA) such thats∼=s^#:

s|=a if and only if s^#|=a for anya∈AP^#. where AP^# =AP∪ACC(TA)∪ACC(Φ).

The first part of this lemma follows directly from the observations that justified the defi-nition of clock equivalence. Using this result, the satisfaction relation of clock constraints

(see Definition 9.10) may now be used for clock regions; [η]|=g denotes that η^! |=g for any η^! ∈ [η]. As equivalent states have the same location, the second part of the lemma follows directly from the first part. All states of a state region thus satisfy the same clock constraints that occur in TA and Φ. This proves constraint (A) mentioned before.

It has been argued before that atomic clock constraints can in fact be considered as atomic propositions. Under this view, clock equivalence between states of TS(TA) is in fact a bisimulation. In the following, again let AP^! =AP∪ACC(TA)∪ACC(Φ). We lift the notion of clock reset to regions as follows.

Notation 9.49. Region Reset Operator For r∈Eval(C)/∼= andD⊆C let

resetD in r = {reset Din η|η ∈r}. Since for η,η^! ∈Eval(C) we have

η ∼=η^! ∧ D⊆C ⇒ reset Din η∼=resetD in η^!,

it follows that resetD in r ∈Eval(C)/∼=. That is to say, resetting the clocksD in region r can be considered as a transition between state regions.

Theorem 9.50. Clock Equivalence is a Bisimulation Clock equivalence is a bisimulation equivalence over AP^!.

Proof: We prove that ∼= is a bisimulation (over AP^!) by checking the conditions of a bisimulation (see Definition 7.1, page 451). Let s₁, s₂ ∈TS(TA) such that s₁ ∼= s₂, that is,s₁ ='",η₁(and s₂ ='",η₂(such that η₁∼=η₂.

1. From the second part of Lemma 9.48 (page 718), it follows that s1 |=aif and only ifs₂ |=afor any a∈AP^!.

2. To show that any transition emanating from s₁ can be mimicked by s₂, distinguish between discrete and delay transitions.

(a) (Discrete transition). Assume'",η₁(=s₁−−→^α s^!₁='"^!,η₁^!(. By the semantics of timed automata, this means that there is a transition"^g:α,D#→ "^! inTAsuch that

η₁|=g and η^!₁=resetD in η₁ |=Inv("^!).

Since η₁ ∼= η₂ and η₁ |= g, it follows from the first part of Lemma 9.48 that η₂ |=g. Similarly, sinceη₁ ∼= η₂, it follows that reset Din η₁ ∼=reset Din η₂. Asreset D inη₁|=Inv("^!) we havereset D inη₂|=Inv("^!). Thus:

s₂−−→^α s^!₂ = $"^!,reset D inη₂%.

As the states s^!₁ and s^!₂ are in the same state region, it follows that s^!₁ ∼=s^!₂. (b) (Delay transition). Assume s₁−→^d s^!₁ = s₁+d for some d ∈ IR_!0. It is not

difficult to see that for any d there exists d^! such that η₁+d ∼= η₂+d^!. From η1 |= Inv(") and η1+d |= Inv("), it follows by Lemma 9.48 (page 718) that η₂ |=Inv(") and η₂+d^! |=Inv("). But then s₂−−→^d! s₂+d^! =s^!₂ and s^!₁∼=s^!₂. For transitions emanating froms^!₂ an analogous reasoning applies.

Note that in the delay transitions, the amount of delaying is ignored. Instead, only the fact that some delay may take place is of importance. Such bisimulation is also called time abstract.

Remark 9.51. The Need for Ordering the Fractional Parts of Clocks

For η₁ ∼=η₂ it holds that whenever η₁(x),η₂(x)!c_x and η₁(y),η₂(y)!c_y then:

frac(η1(x))!frac(η1(y)) if and only if frac(η2(x))!frac(η2(y)).

Let us explain by means of a timed automaton with C ={x, y} and c_x = 3, c_y = 1 that without this constraint, ∼= wouldnot be a bisimulation.

Assume for location ",Inv(") =y <1. Consider states₁ =$",η₁%with 1<η₁(x)<2, 0<η₁(y)<1, η₁(x)−η₁(y)>1 and state s₂=$",η₂%with

1<η₂(x)<2, 0<η₂(y)<1, η₂(x)−η₂(y)<1.

The only difference between s₁ ands₂ is the ordering of the clocks. According to the first two constraints of the definition of ∼= (see Definition 9.42 on page 713), s₁ and s₂ would be equivalent. But the successor state regions of s₁ and s₂ after delaying are distinct.

There exists a delay transition from s₁ to state s^!₁ =$",η^!₁% withη^!₁(x) = 2 andη₁^!(y)<1, i.e., the state region $",[x = 2, y <1]%. As clocks proceed at the same rate, clocks x and

y both advanced by an equal amount. Due toInv(!) =y <1, any delay transition from state s₂ yields a state in the state region:

!!,{(x, y)|1< x <2,0< y <1, x−y <1}#.

The state region !!,[x = 2, y < 1]# cannot be reached. States s₁ and s₂ have no corre-sponding delay transitions, and thus are not bisimilar.

Due to the constraint on the ordering of the fractional parts of the clocks (see the third constraint in Definition 9.42), this is avoided and s₁ $∼=s₂.

Theorem 9.50 ensures that the partitioning given by the state regions represents a re-finement of the bisimulation quotient and allows defining a quotient transition system in which any edge !!,[η]# → !!^!,[η^!]# is mimicked by!!,η# → !!^!,η^!#. States in the quotient transition system are state regions. Transitions between state regions are either delay or discrete transitions. The following example illustrates this by means of a small example.

Example 9.52. Region Transition System

Consider the simple timed automaton in Figure 9.23 (left) and let Φ = true. As the largest constant with which x is compared is 2, c_x = 2. The region transition system is depicted in Figure 9.23 (lower part). Since there is only one location!, in each state region the location is !. All τ-labeled transitions are delay transitions. There are two discrete transitions in the region automaton, both labeled with α, that lead to the initial state.

The only state region equipped with a τ-self-loop is called an unbounded region, as time may progress without bound while remaining in the same state region.

Let us now considerΦ=♦(z"2), i.e.,c_z = 2. The region transition system forΦand the timed automaton of Figure 9.23 (upper part) is depicted in Figure 9.24. Note that it is in fact the region transition system before (see Figure 9.23 (lower part)) extended with two

“copies” of it. These “copies” are introduced for the constraints x−z = 2 andz−x >2.

Note that the clock z is never reset. This is typical for clocks occurring inΦ as there is no means in a formula to reset clocks.

To define the quotient transition system with respect to∼=, some auxiliary notions will be introduced. A clock region is unbounded whenever all the value of any clock exceeds its maximum constant.

Definition 9.53. Unbounded Clock Region

The clock region r_∞ = { η∈Eval(C)|∀x∈C.η(x)> c_x } isunbounded.

! x!2 :α reset(x)

! ! !

! ! !

τ

τ τ

τ τ

τ α α

x=0 0<x<1 x=1

x>2 x=2 1<x<2

Figure 9.23: Region transition system for a simple timed automaton with Φ= true.

! x!2 :α reset(x)

! ! ! ! ! !

τ τ τ τ τ τ

x= 0 0<x<1 x= 1 1<x<2 x= 2 x>2

z−x= 0 z−x= 0 z−x= 0 z−x= 0 z−x= 0 z−x= 0

!

!

!

! ! !

τ x >2 τ x= 2 τ 1<x<2 τ x= 1 τ 0<x<1 τ x= 0

z−x= 2 z−x= 2

z−x= 2 z−x= 2

z−x= 2 z−x= 2

! ! ! ! ! !

τ τ τ τ τ τ

x= 0 0<x<1 x= 1 1<x<2 x= 2 x >2

z−x>2 z−x>2 z−x>2 z−x>2 z−x>2 z−x>2

α

α α α

α α

Figure 9.24: Region transition system for a simple timed automaton with Φwithc_z = 2.

No documento TimedAutomata Chapter9 (páginas 33-66)