Timed Automata Can Always Be Made Implementable★
Patricia Bouyer¹, Kim G. Larsen², Nicolas Markey¹, Ocan Sankur¹, and Claus Thrane²
¹ LSV, CNRS & ENS Cachan, France. {bouyer,markey,sankur}@lsv.ens-cachan.fr
² Dept. Computer Science, Aalborg University, Denmark. {kgl,crt}@cs.aau.dk
Abstract. Timed automata follow a mathematical semantics, which assumes perfect precision and synchrony of clocks. Since this hypothesis does not hold in digital systems, properties proven formally on a timed automaton may be lost at implementation. In order to ensure implementability, several approaches have been considered, corresponding to different hypotheses on the implementation platform. We address two of these: a timed automaton is samplable if its semantics is preserved under a discretization of time; it is robust if its semantics is preserved when all timing constraints are relaxed by some small positive parameter.
We propose a construction which makes timed automata implementable in the above sense: from any timed automaton $\mathcal{A}$, we build a timed automaton $\mathcal{A}'$ that exhibits the same behaviour as $\mathcal{A}$, and moreover $\mathcal{A}'$ is both robust and samplable by construction.
1 Introduction
Timed automata [3] extend finite-state automata with real-valued variables which measure delays between actions. They provide a powerful yet natural way of modelling real-time systems. They also enjoy decidability of several important problems, which makes them a model of choice for the verification of real-time systems. This has been witnessed over the last twenty years by substantial effort from the verification community to equip timed automata with efficient tool support, which was accompanied by successful applications.
However, timed automata are governed by a mathematical semantics, which assumes continuous and infinitely precise measurement of time, while hardware is digital and imprecise. Hence properties proven at the formal level might be lost when implementing the abstract model of the automaton as a digital circuit or as a program on a physical CPU. Several approaches have been proposed to overcome this discrepancy, with different hypotheses on the implementation platform (e.g. [4,15,20,12,5,21]). In this work, we address two such approaches, namely the sampled semantics and robustness, which we now detail.
★ This work has been partly supported by EU FP7 project Quasimodo (ICT-214755), and by French ANR projects DOTS (ANR-06-SETI-003) and ImpRo (ANR-10-BLAN-0317).
Sampled semantics for timed automata, where all time delays are integer multiples of a rational sampling rate, have been studied in order to capture, for example, the behaviour of digital circuits (e.g. [4,8]). In fact, only such instants are observable in a digital circuit, under the timing of a quartz clock. However, for some timed automata, any sampling rate may disable some (possibly required) behaviour [9]. Consequently, a natural problem which has been studied is that of choosing a sampling rate under which a property is satisfied. For safety properties, this problem is undecidable for timed automata [9]; but it becomes decidable for reachability under a slightly different setting [17]. Recently, [1] showed the decidability of the existence of a sampling rate under which the continuous and the sampled semantics recognize the same untimed language.
A prominent approach, originating from [20,12], for verifying the behaviour of real-time programs executed on CPUs, is robust model-checking. It consists in studying the enlarged semantics of the timed automaton, where all the constraints are enlarged by a small (positive) perturbation $\Delta$, in order to model the imprecisions of the clock. In some cases [11], this may allow new behaviours in the system, regardless of $\Delta$ (see Fig. 2 on page 8). Such automata are said to be not robust to small perturbations. On the other hand, if no new behaviour is added to the system, that is, if the system is robust, then implementability on a fast-enough CPU will be ensured [12]. Since its introduction, robust model-checking has been solved for safety properties [20,11], and for richer linear-time properties [6,7]. See also [21] for a variant of the implementation model of [12] and a new approach to obtain implementations.
In this paper, we show that timed automata can always be made implementable in both senses. More precisely, given a timed automaton $\mathcal{A}$, we build another timed automaton $\mathcal{B}$ whose semantics under enlargement and under sampling is bisimilar to $\mathcal{A}$. We use a quantitative variant of bisimulation from [14] where the differences between the timings in two systems are bounded above by a parameter $\varepsilon$ (see also [16] for a similar quantitative notion of bisimulation). Our construction is parameterized and provides a bisimilar implementation for any desired precision $\varepsilon > 0$. Moreover, we prove that in timed automata, this notion of bisimulation preserves, up to an error of $\varepsilon$, all properties expressed in a quantitative extension of CTL, also studied in [14].
2 Timed Models and Specifications
2.1 Timed Transition Systems and Behavioural Relations
A timed transition system (TTS) is a tuple $\mathcal{S} = (S, s_0, \Sigma, \mathbb{K}, \rightarrow)$, where $S$ is the set of states, $s_0 \in S$ the initial state, $\Sigma$ a finite alphabet, $\mathbb{K} \subseteq \mathbb{R}_{\geq 0}$ the time domain which contains $0$ and is closed under addition, and $\rightarrow \subseteq S \times (\Sigma \cup \mathbb{K}) \times S$ the transition relation. We write $s \xrightarrow{\sigma} s'$ instead of $(s, \sigma, s') \in \rightarrow$; we also write $s \xrightarrow{d,\sigma} s'$ if $s \xrightarrow{d} s'' \xrightarrow{\sigma} s'$ for $d \in \mathbb{K}$, $\sigma \in \Sigma$ and some state $s''$, and $s \overset{\sigma}{\Longrightarrow} s'$ if $s \xrightarrow{d',\sigma} s'$ for some $d' \in \mathbb{K}$. A run $\rho$ of $\mathcal{S}$ is a finite or infinite sequence $q_0 \xrightarrow{\tau_0} q'_0 \xrightarrow{\sigma_0} q_1 \xrightarrow{\tau_1} q'_1 \xrightarrow{\sigma_1} \cdots$, where $q_i \in S$, $\sigma_i \in \Sigma$ and $\tau_i \in \mathbb{K}$ for all $i$. The word $\sigma_0\sigma_1\ldots \in \Sigma^*$ is the trace of $\rho$. We denote by $\mathrm{Trace}(\mathcal{S})$ the set of finite and infinite traces of the runs of $\mathcal{S}$. We define the set of reachable states of $\mathcal{S}$, denoted by $\mathrm{Reach}(\mathcal{S})$, as the set of states $s'$ for which some finite run of $\mathcal{S}$ starts from state $s_0$ and ends in state $s'$. A run written in the form $\gamma = q_0 \xrightarrow{d_0,\sigma_0} q_1 \xrightarrow{d_1,\sigma_1} q_2 \cdots$ is a timed-action path (or simply path). Each state $q_0 \in S$ admits a set $P(q_0)$ of paths starting at $q_0$. For any path $\gamma$, the suffix $\gamma^j$ is obtained by deleting the first $j$ transitions in $\gamma$, and $\gamma(j) = q_j \xrightarrow{d_j,\sigma_j} q_{j+1}$ is the $j$-th transition in $\gamma$; we also let $\mathrm{state}_j(\gamma) = q_j$, $\gamma(j)_\sigma = \sigma_j$, and $\gamma(j)_d = d_j$.
We consider a quantitative extension of timed bisimilarity introduced in [22]. This spans the gap between timed and time-abstract bisimulations: while the former requires time delays to be matched exactly, the latter ignores timing information altogether. Intuitively, we define two states to be $\varepsilon$-bisimilar, for a given parameter $\varepsilon \geq 0$, if there is a (time-abstract) bisimulation which relates these states in such a way that, at each step, the difference between the time delays of corresponding delay transitions is at most $\varepsilon$. Thus, this parameter allows one to quantify the "timing error" made during the bisimulation. A strong and a weak variant of this notion are given in the following definition.
Definition 1. Given a TTS $(S, s_0, \Sigma, \mathbb{K}, \rightarrow)$, and $\varepsilon \geq 0$, a symmetric relation $R_\varepsilon \subseteq S \times S$ is a
– strong timed $\varepsilon$-bisimulation, if for any $(s,t) \in R_\varepsilon$ and $\sigma \in \Sigma$, $d \in \mathbb{K}$,
  ∙ $s \xrightarrow{\sigma} s'$ implies $t \xrightarrow{\sigma} t'$ for some $t' \in S$ with $(s',t') \in R_\varepsilon$,
  ∙ $s \xrightarrow{d} s'$ implies $t \xrightarrow{d'} t'$ for some $t' \in S$ and $d' \in \mathbb{K}$ with $|d - d'| \leq \varepsilon$ and $(s',t') \in R_\varepsilon$.
– timed-action $\varepsilon$-bisimulation, if for any $(s,t) \in R_\varepsilon$, and $\sigma \in \Sigma$, $d \in \mathbb{K}$,
  ∙ $s \xrightarrow{d,\sigma} s'$ implies $t \xrightarrow{d',\sigma} t'$ for some $t' \in S$ and $d' \in \mathbb{K}$ with $|d - d'| \leq \varepsilon$ and $(s',t') \in R_\varepsilon$.
If there exists a strong timed $\varepsilon$-bisimulation (resp. timed-action $\varepsilon$-bisimulation) $R_\varepsilon$ such that $(s,t) \in R_\varepsilon$, then we write $s \sim_\varepsilon t$ (resp. $s \approx_\varepsilon t$). Furthermore we write $s \sim_{\varepsilon^+} t$ (resp. $s \approx_{\varepsilon^+} t$) whenever for every $\varepsilon' > \varepsilon$, $s \sim_{\varepsilon'} t$ (resp. $s \approx_{\varepsilon'} t$). Observe that $s \sim_\varepsilon t$ implies $s \sim_{\varepsilon'} t$ for every $\varepsilon' > \varepsilon$. Also, $s \sim_{\varepsilon^+} t$ does not imply $s \sim_\varepsilon t$ in general (see Fig. 1), and if $s \sim_{\varepsilon^+} t$ but $s \not\sim_\varepsilon t$, then $\varepsilon = \inf\{\varepsilon' > 0 \mid s \sim_{\varepsilon'} t\}$. These observations hold true in the timed-action bisimulation setting as well. Note also that $s \sim_\varepsilon t$ implies $s \approx_\varepsilon t$. Finally, for $\varepsilon > 0$, strong timed or timed-action $\varepsilon$-bisimilarity relations are not equivalence relations in general, but they are when $\varepsilon = 0$.
[Fig. 1, figure not reproduced: two edges, $s \xrightarrow{\sigma,\ x \leq 1} s'$ and $t \xrightarrow{\sigma,\ x < 1} t'$.]
Fig. 1. An automaton in which $(s,0) \sim_{0^+} (t,0)$ but $(s,0) \not\sim_0 (t,0)$.
Last, we define a variant of ready-simulation [18] for timed transition systems. For $\mathrm{Bad} \subseteq \Sigma$, we will write $I \sqsubseteq_{\mathrm{Bad}} S$ when $I$ is simulated by $S$ (and time delays are matched exactly) in such a way that at any time during the simulation, any failure (i.e., any action in $\mathrm{Bad}$) enabled in $S$ is also enabled in $I$. So, if $I \sqsubseteq_{\mathrm{Bad}} S$ and $S$ is safe w.r.t. $\mathrm{Bad}$ (i.e., $\mathrm{Bad}$ actions are never enabled), then any run of $I$ can be executed in $S$ (with exact timings) without enabling any of the $\mathrm{Bad}$-actions. Fig. 2 will provide an automaton illustrating the importance of this notion. More formally:
Definition 2. Given a TTS $(S, s_0, \Sigma, \mathbb{K}, \rightarrow)$, and a set $\mathrm{Bad} \subseteq \Sigma$, a relation $R \subseteq S \times S$ is a ready-simulation w.r.t. $\mathrm{Bad}$ if, whenever $(s,t) \in R$:
– for all $\sigma \in \Sigma$ and $d \in \mathbb{K}$, $s \xrightarrow{d,\sigma} s'$ implies $t \xrightarrow{d,\sigma} t'$ for some $t' \in S$ with $(s',t') \in R$,
– for all $\sigma \in \mathrm{Bad}$, $t \overset{\sigma}{\Longrightarrow} t'$ implies $s \overset{\sigma}{\Longrightarrow} s'$ for some $s' \in S$.
We write $s \sqsubseteq_{\mathrm{Bad}} t$ if $(s,t) \in R$ for some ready-simulation $R$ w.r.t. $\mathrm{Bad}$.
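When the TTS is finite, the relations of Definitions 1 and 2 can be computed as greatest fixpoints: start from $S \times S$ and drop pairs until every remaining pair satisfies the clauses. The Python below is an added example, not the paper's code. It encodes the two edges of Fig. 1 under a sampled time domain $\frac{1}{k}\mathbb{N}$ as a finite TTS of timed-action moves (the targets $s'$, $t'$ have no outgoing edges, so all their valuations are collapsed into one sink state each, an assumption of the example), computes the largest timed-action $\varepsilon$-bisimulation together with the smallest $\varepsilon$ for which $(s,0) \approx_\varepsilon (t,0)$, and computes the largest ready-simulation for a constructed $\mathrm{Bad}$ set containing a hypothetical action `fail`. The state names, the `fail` action and all function names are the example's own.

```python
"""Greatest timed-action eps-bisimulation (Def. 1) and ready-simulation (Def. 2)
on a finite TTS, computed as greatest fixpoints.

Added example, not the paper's code. A TTS is given directly by its
timed-action moves: tts[s] is the set of triples (d, sigma, s') meaning
s --d,sigma--> s'. Delays are Fractions so |d - d'| <= eps is decided exactly.
"""
from fractions import Fraction
from itertools import product


def _greatest_fixpoint(tts, keep):
    """Start from S x S and drop pairs until keep(s, t, rel) holds for all of them."""
    rel = set(product(tts, repeat=2))
    changed = True
    while changed:
        changed = False
        for pair in list(rel):
            if not keep(*pair, rel):
                rel.discard(pair)
                changed = True
    return rel


def greatest_timed_action_bisim(tts, eps):
    """Largest symmetric relation satisfying the timed-action clause of Def. 1:
    every move (d, sigma) of one side is matched by a (d', sigma) move of the
    other with |d - d'| <= eps, landing in a related pair."""
    def matched(s, t, rel):
        return all(any(sigma == sigma2 and abs(d - d2) <= eps and (s2, t2) in rel
                       for d2, sigma2, t2 in tts[t])
                   for d, sigma, s2 in tts[s])
    return _greatest_fixpoint(tts, lambda s, t, rel: matched(s, t, rel) and matched(t, s, rel))


def min_eps_timed_action(tts, s, t):
    """inf{eps | s ~~_eps t}; for a finite TTS it is attained at one of the
    pairwise delay differences. None if s, t are not even time-abstract bisimilar."""
    delays = {d for moves in tts.values() for d, _, _ in moves}
    for eps in sorted({abs(a - b) for a in delays for b in delays}):
        if (s, t) in greatest_timed_action_bisim(tts, eps):
            return eps
    return None


def greatest_ready_simulation(tts, bad):
    """Largest relation R of Def. 2: (s, t) in R means t simulates s with exact
    delays, and every Bad action t can fire (after some delay) s can fire too."""
    def keep(s, t, rel):
        exact = all(any((d, sigma) == (d2, sigma2) and (s2, t2) in rel
                        for d2, sigma2, t2 in tts[t])
                    for d, sigma, s2 in tts[s])
        enabled_s = {sigma for _, sigma, _ in tts[s]}
        ready = all(sigma in enabled_s for _, sigma, _ in tts[t] if sigma in bad)
        return exact and ready
    return _greatest_fixpoint(tts, keep)


def sampled_fig1(k):
    """Timed-action moves of the two Fig. 1 edges from clock value 0 in the
    sampled time domain (1/k)N (constructed from the figure): s fires sigma
    while x <= 1, t only while x < 1. s' and t' are single sink states."""
    tts = {"s": set(), "s'": set(), "t": set(), "t'": set()}
    for n in range(k + 1):                      # delays 0, 1/k, ..., 1
        d = Fraction(n, k)
        tts["s"].add((d, "sigma", "s'"))        # x <= 1 admits d = 1
        if d < 1:
            tts["t"].add((d, "sigma", "t'"))    # x < 1 rejects d = 1
    return tts


def fig1_with_failure(k):
    """Same TTS plus a constructed `fail` action enabled in s' (the simulating
    side), to exercise the readiness clause of Def. 2."""
    tts = sampled_fig1(k)
    tts["err"] = set()
    tts["s'"].add((Fraction(0), "fail", "err"))
    return tts


if __name__ == "__main__":
    for k in (2, 4, 10):
        print(f"k={k}: smallest eps with s ~~_eps t is {min_eps_timed_action(sampled_fig1(k), 's', 't')}")
    print("t simulated by s, Bad = {}:    ", ("t", "s") in greatest_ready_simulation(fig1_with_failure(2), set()))
    print("t simulated by s, Bad = {fail}:", ("t", "s") in greatest_ready_simulation(fig1_with_failure(2), {"fail"}))
```

For the sampled Fig. 1 TTS the smallest $\varepsilon$ is exactly $1/k$: the delay-$1$ move of $s$ can only be matched by the delay-$(1-1/k)$ move of $t$, so the error shrinks with the sampling rate but never reaches $0$, which mirrors $(s,0) \sim_{0^+} (t,0)$ and $(s,0) \not\sim_0 (t,0)$ in the dense semantics. In the ready-simulation part, $t$ is simulated by $s$ with exact delays when $\mathrm{Bad} = \emptyset$, but once the simulating side enables `fail` after $\sigma$ and `fail` is declared bad, the readiness clause removes the pair $(t', s')$ and with it $(t, s)$.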
2.2 Timed Automata
Given a set of clocks $\mathcal{C}$, the elements of $\mathbb{R}_{\geq 0}^{\mathcal{C}}$ are referred to as valuations. For a subset $X \subseteq \mathcal{C}$, and a valuation $v$, we define $v[X \leftarrow 0]$ as the valuation $v[X \leftarrow 0](x) = v(x)$ for all $x \in \mathcal{C} \setminus X$ and $v[X \leftarrow 0](x) = 0$ for $x \in X$. For any $d \in \mathbb{R}_{\geq 0}$, $v + d$ is the valuation defined by $(v + d)(x) = v(x) + d$ for all $x \in \mathcal{C}$. For any $\alpha \in \mathbb{R}$, we define $\alpha v$ as the valuation obtained by multiplying all components of $v$ by $\alpha$, that is $(\alpha v)(x) = \alpha v(x)$ for all $x \in \mathcal{C}$. Given two valuations $v$ and $v'$, we denote by $v + v'$ the valuation that is the componentwise sum of $v$ and $v'$, that is $(v + v')(x) = v(x) + v'(x)$ for all $x \in \mathcal{C}$.
Let $\mathbb{Q}_\infty = \mathbb{Q} \cup \{-\infty, \infty\}$. An atomic clock constraint is a formula of the form $k \preceq x \preceq' l$ or $k \preceq x - y \preceq' l$ where $x, y \in \mathcal{C}$, $k, l \in \mathbb{Q}_{\geq 0}$ and $\preceq, \preceq' \in \{<, \leq\}$. A guard is a conjunction of atomic clock constraints. For $M, \eta \in \mathbb{Q}_{>0}$ such that $\frac{1}{\eta} \in \mathbb{N}$, we denote by $\Phi_{\mathcal{C}}(\eta, M)$ the set of guards on the clock set $\mathcal{C}$ whose constants are either $\pm\infty$ or less than or equal to $M$ in absolute value and are integer multiples of $\eta$. Let $\Phi_{\mathcal{C}}$ denote the set of all guards on clock set $\mathcal{C}$. A valuation $v$ satisfies $\varphi \in \Phi_{\mathcal{C}}$ if all atomic clock constraints of $\varphi$ are satisfied when each $x \in \mathcal{C}$ is replaced by $v(x)$. Let $[\![\varphi]\!]$ denote the set of valuations that satisfy $\varphi$. We define the enlargement of atomic clock constraints by $\Delta \in \mathbb{Q}$ as
$$\langle k \preceq x - y \preceq' l \rangle_\Delta = k - \Delta \preceq x - y \preceq' l + \Delta,$$
and
$$\langle k \preceq x \preceq' l \rangle_\Delta = k - \Delta \preceq x \preceq' l + \Delta,$$
for $x, y \in \mathcal{C}$ and $k, l \in \mathbb{Q}_{>0}$. The enlargement of a guard $\varphi$, denoted by $\langle \varphi \rangle_\Delta$, is obtained by enlarging all its atomic clock constraints.
Definition 3. A timed automaton $\mathcal{A}$ is a tuple $(\mathcal{L}, \mathcal{C}, \Sigma, l_0, E)$, consisting of a finite set $\mathcal{L}$ of locations, a finite set $\mathcal{C}$ of clocks, a finite alphabet $\Sigma$ of labels, a finite set $E \subseteq \mathcal{L} \times \Phi_{\mathcal{C}} \times \Sigma \times 2^{\mathcal{C}} \times \mathcal{L}$ of edges, and an initial location $l_0 \in \mathcal{L}$.
We write $l \xrightarrow{\varphi,\sigma,R} l'$ if $e = (l, \varphi, \sigma, R, l') \in E$, and call $\varphi$ the guard of $e$. $\mathcal{A}$ is an integral timed automaton if all constants that appear in its guards are integers.
We call the inverses of positive integers granularities. The granularity of a timed automaton is the inverse of the least common denominator of the finite constants in its guards. For any timed automaton $\mathcal{A}$ and rational $\Delta \geq 0$, let $\mathcal{A}_\Delta$ denote the timed automaton obtained from $\mathcal{A}$ where each guard $\varphi$ is replaced with $\langle \varphi \rangle_\Delta$.
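The following Python is an added example, not the paper's code. It implements the valuation operations, atomic clock constraints, guard satisfaction and the enlargement $\langle \varphi \rangle_\Delta$ of this section, builds $\mathcal{A}_\Delta$ from a timed automaton in the shape of Definition 3, and applies the delay and action transitions of Definition 4 (given just below) with the sampled time domain $\frac{1}{k}\mathbb{N}$ to the two edges of Fig. 1. The class names `Atomic`, `Edge`, `TimedAutomaton` and the helper functions are the example's own; the Fig. 1 automaton is constructed from the figure.

```python
"""Guards, their enlargement <phi>_Delta, the enlarged automaton A_Delta, and the
delay/action transitions of the semantics under a sampled time domain (1/k)N.

Added example, not the paper's code; it applies Definitions 3 and 4 to the two
edges of Fig. 1. Clock values and constants are Fractions so that strict and
non-strict comparisons at a guard's boundary are exact.
"""
from collections import namedtuple
from fractions import Fraction


class Atomic(namedtuple("Atomic", "x y lower lower_strict upper upper_strict")):
    """k (<= | <) x - y (<= | <) l.  y = None gives the one-clock form k ~ x ~' l;
    lower_strict / upper_strict True mean '<', False mean '<='."""

    def holds(self, v):
        val = v[self.x] - (v[self.y] if self.y is not None else 0)
        low_ok = self.lower < val if self.lower_strict else self.lower <= val
        up_ok = val < self.upper if self.upper_strict else val <= self.upper
        return low_ok and up_ok

    def enlarge(self, delta):
        """<k ~ x - y ~' l>_Delta = k - Delta ~ x - y ~' l + Delta (same ~, ~')."""
        return self._replace(lower=self.lower - delta, upper=self.upper + delta)


def satisfies(v, guard):
    """v |= phi, a guard phi being a tuple (conjunction) of Atomic constraints."""
    return all(a.holds(v) for a in guard)


# Definition 3: edges (l, phi, sigma, R, l') and the automaton tuple (L, C, Sigma, l0, E).
Edge = namedtuple("Edge", "src guard label reset dst")
TimedAutomaton = namedtuple("TimedAutomaton", "locations clocks alphabet init edges")


def enlarged(aut, delta):
    """A_Delta: every guard phi is replaced with <phi>_Delta; nothing else changes."""
    return aut._replace(edges=frozenset(
        e._replace(guard=tuple(a.enlarge(delta) for a in e.guard)) for e in aut.edges))


def delay(state, tau):
    """Delay transition (l, v) --tau--> (l, v + tau)."""
    loc, v = state
    return loc, {x: val + tau for x, val in v.items()}


def action_successors(aut, state):
    """Action transitions (l, v) --sigma--> (l', v[R <- 0]) along edges whose guard v satisfies."""
    loc, v = state
    return [(e.label, (e.dst, {x: Fraction(0) if x in e.reset else val for x, val in v.items()}))
            for e in aut.edges if e.src == loc and satisfies(v, e.guard)]


def timed_action_moves(aut, state, k, horizon):
    """Moves (d, sigma, l') from `state` in the sampled semantics [[A]]_{1/k}:
    a delay d in (1/k)N with d <= horizon, followed by one enabled edge."""
    moves = set()
    for n in range(int(horizon * k) + 1):
        d = Fraction(n, k)
        for sigma, (dst, _) in action_successors(aut, delay(state, d)):
            moves.add((d, sigma, dst))
    return moves


def fig1_automaton():
    """The two edges of Fig. 1 (constructed from the figure):
    s --sigma, x <= 1--> s'   and   t --sigma, x < 1--> t'."""
    le1 = (Atomic("x", None, Fraction(0), False, Fraction(1), False),)   # 0 <= x <= 1
    lt1 = (Atomic("x", None, Fraction(0), False, Fraction(1), True),)    # 0 <= x <  1
    edges = frozenset({Edge("s", le1, "sigma", frozenset(), "s'"),
                       Edge("t", lt1, "sigma", frozenset(), "t'")})
    return TimedAutomaton(frozenset({"s", "s'", "t", "t'"}), frozenset({"x"}),
                          frozenset({"sigma"}), "s", edges)


def boundary_check():
    """At x = 1 the guard x < 1 fails, but its enlargement by 1/10 (x < 11/10) holds."""
    lt1 = Atomic("x", None, Fraction(0), False, Fraction(1), True)
    v = {"x": Fraction(1)}
    return lt1.holds(v), lt1.enlarge(Fraction(1, 10)).holds(v)


def fig1_moves_from_t(delta, k=2):
    """Sampled moves from (t, x = 0) in A_Delta with time domain (1/k)N up to delay 1."""
    return timed_action_moves(enlarged(fig1_automaton(), delta), ("t", {"x": Fraction(0)}), k, 1)


if __name__ == "__main__":
    print(boundary_check())                           # (False, True)
    print(sorted(fig1_moves_from_t(Fraction(0))))     # delays 0 and 1/2 only
    print(sorted(fig1_moves_from_t(Fraction(1, 2))))  # the delay-1 move is now enabled
```

From $(t, 0)$ the strict guard $x < 1$ admits the sampled delays $0$ and $1/2$ but not $1$; in $\mathcal{A}_{1/2}$ the guard becomes $-\frac{1}{2} \leq x < \frac{3}{2}$ and the delay-$1$ move appears, which is the kind of behaviour the enlarged semantics adds and that robustness asks to be absent.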
Definition 4. The semantics of a timed automaton $\mathcal{A} = (\mathcal{L}, \mathcal{C}, \Sigma, l_0, E)$ is a TTS over alphabet $\Sigma$, denoted $[\![\mathcal{A}]\!]$, whose state space is $\mathcal{L} \times \mathbb{R}_{\geq 0}^{\mathcal{C}}$. The initial state is $(l_0, \mathbf{0})$, where $\mathbf{0}$ denotes the valuation where all clocks have value $0$. Delay transitions are defined as $(l, v) \xrightarrow{\tau} (l, v + \tau)$ for any state $(l, v)$ and $\tau \in \mathbb{K}$. Action transitions are defined as $(l, v) \xrightarrow{\sigma} (l', v')$, for any edge $l \xrightarrow{g,\sigma,R} l'$ in $\mathcal{A}$ such that $v \models g$ and $v' = v[R \leftarrow 0]$.
For any $k \in \mathbb{N}_{>0}$, we define the sampled semantics of $\mathcal{A}$, denoted by $[\![\mathcal{A}]\!]_{\frac{1}{k}}$, as the TTS defined similarly to $[\![\mathcal{A}]\!]$ by taking the time domain as $\mathbb{K} = \frac{1}{k}\mathbb{N}$. We write $[\![\mathcal{A}]\!] \sim_\varepsilon [\![\mathcal{B}]\!]$, $[\![\mathcal{A}]\!] \approx_\varepsilon [\![\mathcal{B}]\!]$ and $[\![\mathcal{A}]\!] \sqsubseteq_{\mathrm{Bad}} [\![\mathcal{B}]\!]$ when the initial states of timed automata $\mathcal{A}$ and $\mathcal{B}$ are related accordingly in the disjoint union of the transition systems, defined in the usual way.
We define the usual notion of region equivalence [3]. Let $M$ be the maximum (rational) constant that appears in the guards of $\mathcal{A}$, let $\eta$ be the granularity of $\mathcal{A}$. Multiplying any constant in $\mathcal{A}$ by $\frac{1}{\eta}$, we obtain an integral timed automaton. Given valuations $u, v \in \mathbb{R}_{\geq 0}^{\mathcal{C}}$ and rationals $M, \eta$, define $v \simeq^M_\eta u$ to hold if, and only if, for all formulas $\varphi \in \Phi_{\mathcal{C}}(\eta, M)$, $u \models \varphi$ if and only if $v \models \varphi$. The equivalence class of a valuation $u$ for the relation $\simeq^M_\eta$ is denoted by $\mathrm{reg}(u)^M_\eta = \{v \mid u \simeq^M_\eta v\}$. Each such class is called an $(\eta, M)$-region. In the rest, when constant $M$ is (resp. $M$ and $\eta$ are) clear from context, we simply write $\mathrm{reg}(u)_\eta$ (resp. $\mathrm{reg}(u)$) and call these $\eta$-regions (resp. regions). We denote by $\overline{\mathrm{reg}(u)^M_\eta}$ the topological closure of $\mathrm{reg}(u)^M_\eta$. The number of $(\eta, M)$-regions is bounded by $O\big(2^{|\mathcal{C}|}\,|\mathcal{C}|!\,(M/\eta)^{|\mathcal{C}|}\big)$ [3].
For a region $r$, we denote by $r[R \leftarrow 0]$ the region obtained by resetting clocks in $R$. We define $\mathrm{tsucc}^*(r)$ as the set of time-successor regions of $r$, that is, the set of $\eta$-regions $r'$ such that $u + d \in r'$ for some $u \in r$ and $d \in \mathbb{R}_{\geq 0}$.
We now associate with each $(\eta, M)$-region a guard that defines it. Assume we number the clocks with indices so that $\mathcal{C} = \{x_1, \ldots, x_m\}$, and fix any $(\eta, M)$-region $r$. Let us define $x_0 = 0$, and $\mathcal{C}_0 = \mathcal{C} \cup \{x_0\}$. Then, for each pair $i, j \in \mathcal{C}_0$, there exists a number $A_{i,j} \in \eta\mathbb{Z} \cap [-M, M] \cup \{\infty\}$ and $\preceq_{i,j} \in \{<, \leq\}$ s.t. $\varphi_r$, defined as
$$\varphi_r = \bigwedge_{x_i, x_j \in \mathcal{C}_0} -A_{j,i} \preceq_{j,i} x_i - x_j \preceq_{i,j} A_{i,j},$$
is such that $[\![\varphi_r]\!] = r$. Moreover, we assume that for all $i, j, k \in \mathcal{C}_0$, $A_{i,i} = 0$ and $A_{i,j} \leq A_{i,k} + A_{k,j}$. Note that this is a standard definition: the matrix $(A_{i,j})_{i,j}$ is a difference-bound matrix (DBM) that defines region $r$, and the latter condition defines its canonical form [13]. Later we will refer to matrix $(A_{i,j})_{i,j}$ as the DBM that defines region $r$.
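The region of a valuation and the DBM $(A_{i,j})_{i,j}$ that defines it can be computed directly from the definition of $\simeq^M_\eta$: two valuations satisfy the same guards of $\Phi_{\mathcal{C}}(\eta, M)$ exactly when, for every ordered pair $x_i, x_j \in \mathcal{C}_0$, the strongest bound $x_i - x_j \preceq_{i,j} A_{i,j}$ with $A_{i,j} \in \eta\mathbb{Z} \cap [-M, M] \cup \{\infty\}$ that they satisfy is the same. The Python below is an added example, not the paper's code: it derives that table of bounds for a valuation, uses it both as the region's identity (`same_region`) and as the DBM of $\varphi_r$ (`satisfies_dbm`), and checks the canonical-form conditions $A_{i,i} = 0$ and $A_{i,j} \leq A_{i,k} + A_{k,j}$. The sample valuations `U`, `V`, `W` and all names are constructed for the example.

```python
"""(eta, M)-regions and the canonical DBM (A_ij, <=_ij) that defines them.

Added example, not the paper's code. A valuation is a dict clock -> Fraction;
the constant clock x_0 = 0 is added to form C_0. For every ordered pair (i, j)
the strongest bound  x_i - x_j (<= | <) A_ij  with A_ij in eta*Z cap [-M, M]
(or infinity) satisfied by the valuation is computed. Two valuations satisfy
the same guards of Phi_C(eta, M) exactly when these bounds coincide, so the
table of bounds is both the region's identity and its DBM.
"""
from fractions import Fraction
from itertools import product
from math import ceil, inf

X0 = "x0"   # reference clock x_0, always 0


def tightest_upper_bound(diff, eta, M):
    """(A, strict) for the strongest constraint x_i - x_j (<= | <) A of Phi(eta, M)
    satisfied when x_i - x_j == diff. `strict` True means '<'."""
    if diff > M:
        return inf, False            # no finite bound of absolute value <= M applies
    if diff < -M:
        return -M, True              # every grid constant exceeds diff: "< -M"
    c = ceil(diff / eta) * eta       # smallest multiple of eta that is >= diff
    return (c, False) if c == diff else (c, True)


def region_dbm(v, eta, M):
    """DBM of the (eta, M)-region containing v, as {(i, j): (A_ij, strict_ij)}."""
    eta, M = Fraction(eta), Fraction(M)
    v0 = dict(v, **{X0: Fraction(0)})
    clocks = [X0] + sorted(v)
    return {(i, j): tightest_upper_bound(v0[i] - v0[j], eta, M)
            for i, j in product(clocks, repeat=2)}


def same_region(u, v, eta, M):
    """u ~=^M_eta v: u and v lie in the same (eta, M)-region."""
    return region_dbm(u, eta, M) == region_dbm(v, eta, M)


def satisfies_dbm(v, dbm):
    """v |= phi_r, where phi_r = AND_{i,j}  x_i - x_j (<=_ij) A_ij."""
    v0 = dict(v, **{X0: Fraction(0)})
    for (i, j), (a, strict) in dbm.items():
        d = v0[i] - v0[j]
        if (d >= a) if strict else (d > a):
            return False
    return True


def is_canonical(dbm):
    """A_ii = 0 and A_ij <= A_ik + A_kj for all i, j, k in C_0."""
    clocks = sorted({i for i, _ in dbm})
    if any(dbm[(i, i)][0] != 0 for i in clocks):
        return False
    return all(dbm[(i, j)][0] <= dbm[(i, k)][0] + dbm[(k, j)][0]
               for i, j, k in product(clocks, repeat=3))


# Constructed sample valuations over clocks x, y, used with eta = 1 and M = 2.
U = {"x": Fraction(13, 10), "y": Fraction(3, 5)}    # 1 < x < 2, 0 < y < 1, 0 < x - y < 1
V = {"x": Fraction(7, 5), "y": Fraction(1, 2)}      # the same bounds as U
W = {"x": Fraction(17, 10), "y": Fraction(1, 5)}    # 1 < x - y < 2: a different region


def demo():
    """Region membership, phi_r satisfaction, canonical form, and the effect of M and eta."""
    dbm_u = region_dbm(U, 1, 2)
    return {
        "u_v_same_region": same_region(U, V, 1, 2),
        "u_w_same_region": same_region(U, W, 1, 2),
        "phi_r_contains_u": satisfies_dbm(U, dbm_u),
        "phi_r_contains_v": satisfies_dbm(V, dbm_u),
        "phi_r_contains_w": satisfies_dbm(W, dbm_u),
        "dbm_u_is_canonical": is_canonical(dbm_u),
        # both values exceed M, so every constraint of Phi(1, 2) treats them alike
        "beyond_M_collapses": same_region({"x": Fraction(5)}, {"x": Fraction(3)}, 1, 2),
        # with eta = 1/2 the interval (1, 2) splits into (1, 3/2), {3/2}, (3/2, 2)
        "finer_eta_splits": same_region({"x": Fraction(13, 10)}, {"x": Fraction(17, 10)}, Fraction(1, 2), 2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
    for (i, j), (a, strict) in sorted(region_dbm(U, 1, 2).items()):
        print(f"{i} - {j} {'<' if strict else '<='} {a}")
```

The diagonal bound on $x - y$ is what separates `U` from `W` even though both have $x \in (1, 2)$ and $y \in (0, 1)$; dropping the diagonal entries from the table would merge the two regions, which is why the DBM keeps every ordered pair of $\mathcal{C}_0$.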