# Algorithms for Model Checking (2IW55) <br> Lecture 11 <br> Timed Verification: Timed Automata <br> Background material: Chapter 16, 17 and handout R. Alur, "Timed Automata" 

Tim Willemse<br>(timw@win.tue.nl)<br>http://www.win.tue.nl/~timw<br>HG 6.81

## Outline

(1) Timed Systems

## (2) Timed Automata

(3) Summary
(4) Exercise

## Timed Systems

So far, we have only considered untimed systems.

- Timing is of crucial importance for many systems:
- controllers found in airplanes (landing gear, collision avoidance).
- controllers found in cars (airbag, future drive-by-wire systems).
- communication protocols (re-routing upon timeouts).

Functional correctness is only one of many aspect:

- the correct timing of an event is crucial.
- timing influences behaviour: the passing of time may disable events.

Which model of time to use:

- Discrete time.
- Continuous time.

Timed Systems

In discrete time, time has a discrete nature:

- Time can be described by natural numbers
- A special tick action is used to model the advance of a single time unit Advantage: standard temporal logic can be used to express timing properties: The next-operator measures time.


## Example

A timeout is set two time units after a message is sent:
A G (sent $\rightarrow X X($ timeout $))$

Discrete time is mainly used for synchronous systems, such as hardware.

Simplicity is the key advantage to discrete time:

- We can reuse mixed Kripke Structures: timed transitions are labelled with a tick action.
- We can check properties using existing languages such as CTL*.

This means that traditional model checking algorithms are applicable.

Main disadvantages of discrete time:

- delay between any pair of actions is a multiple of an a priori fixed minimal delay.
- model is therefore only accurate up-to this minimal delay.
- finding the minimal delay is difficult in practice:
- how to find the minimal delay in a distributed, asynchronous system?

Timed Systems
In continuous time, time has a continuous nature:

- Time can be described by a dense domain, such as real numbers
- State changes can happen at any point in time


## Example

An event on that must take place between time 0 and time 10 can be executed at time $0.000001,1, e, \pi, \ldots$ :


Problem: there are infinitely many moments on which action on can happen. How to check that it happens before time $t$ ?

# Technische Universiteit 

Timed Systems

Approach by Alur and Dill:

- Restrict expressive power of the temporal logic................................imed CTL
- Describe timed systems symbolically

Timed Automata

- Compute a finite representation of the infinite state spaceRegion Automata
$\rightarrow$ We will be looking at the subproblem of reachability

Outline
(1) Timed Systems
(2) Timed Automata
(3) Summary
(4) Exercise

Timed Automata


A Timed Automaton:

- has vertices called locations,
- has edges called switches which are labelled with actions (not shown),
- Intuition: executing a switch consumes no time, i.e. it is instantaneous.
- time progresses in locations.


# Technische Universiteit 

Timed Automata


- Has real-valued clocks $x, y, z, \ldots$, which all advance with the same speed,
- Has guards indicating when an edge may be taken.
- Intuition: Guards express at which moments in time a transition is enabled.
- Enabledness depends on the constraints on clocks.


# Technische Universiteit 

Timed Automata


- Switches can reset clocks upon execution, i.e. set some clocks to 0 .
- Time can only increase as long as the location invariant holds.
- A switch must be taken before the invariant becomes invalid.


# Technische Universiteit 

## Timed Automata

## Example

The following timed automaton models a simple lamp with three locations: off, low and bright. If a button is pressed the lamp is turned on for at most ten time-units. If the button is pressed again, the lamp is turned off. However, if the button is pressed rapidly, the lamp becomes bright.


Timed Automata

Timing constraints are provided by clock constraints:

$$
\phi::=\operatorname{true}|x \leq c| c \leq x|x<c| c<x \mid \phi \wedge \phi
$$

- $c \in \mathbb{N}$ are constants (sometimes rational numbers);
- $x, y \in C$ are clocks
- As usual:
- $x \in[c, \infty)$ is short for $x \geq c$;
- $x \in\left[c_{1}, c_{2}\right)$ is short for $x \geq c_{1} \wedge x<c_{2}$

The set of clock constraints over a set of clocks $C$ is denoted $\mathcal{C}(C)$.

# Technische Universiteit 

Timed Automata

A timed automaton is a tuple

$$
\mathcal{T}=\left\langle L, L_{0}, A c t, C, \longrightarrow, \iota\right\rangle
$$

- $L$ is a finite set of locations; $L_{0} \subseteq L$ is a non-empty set of initial locations
- Act is the set of actions
- $C$ is a finite set of clock variables
- $\longrightarrow \subseteq L \times \mathcal{C}(C) \times \operatorname{Act} \times 2^{C} \times L$ is the set of switches
- $\iota: L \rightarrow \mathcal{C}(C)$ is the invariant assignment function


## Timed Automata

- A clock constraint $\phi$ contains free variables
- The truth of a clock constraint $\phi$ depends on the values of the clocks
- A clock valuation $v$ for a set $C$ of clocks is a function $v: C \rightarrow \mathbb{R}_{\geq 0}$
- Clock constraints are evaluated in the context of a clock valuation $v$ :
- $[\text { true }]_{v}=$ true
- $[x<c]_{v}=v(x)<c$
- $[c<x]_{v}=c<v(x)$
- $[x \leq c]_{v}=v(x) \leq c$
- $[c \leq x]_{v}=c \leq v(x)$
- $\left[\phi_{1} \wedge \phi_{2}\right]_{v}=\left[\phi_{1}\right]_{v}$ and $\left[\phi_{2}\right]_{v}$
- We write $v=\phi$ iff $[\phi]_{v}=$ true.
- Clock valuation update: $v+d$ is defined as: $(v+d)(x)=v(x)+d$ for all $d \in \mathbb{R}_{\geq 0}$.
- Clock valuation reset: $[v]_{R}$ is defined as: $[v]_{R}(x)=0$ if $x \in R$, else $v(x)$.


# Technische Universiteit 

Timed Automata

## Example

Let $x, y$ be clocks and $v:\{x, y\} \rightarrow \mathbb{R}_{\geq 0}$ a clock valuation.

- if $v(x)=2$ and $v(y)=\pi$, then $x<3 \wedge y \geq 3$ holds
- the clock constraint $x>2$ is valid whenever $v(x)>2$.
- the clock constraint $x \geq 2 \wedge x \leq 2$ is only valid whenever $v(x)=2$.

Some extensions to clock constraints:

- $x-y \sim c$ for some inequality $\sim$,
- $\neg \phi$ for clock constraints $\phi$


# Technische Universiteit <br> University of Technology 

Timed Automata

## Example

The effect of a lower bound guarding a switch:


# Technische Universiteit <br> University of Technology 

Timed Automata

## Example

The effect of a lower bound and upper bound guarding a switch:


# Technische Universiteit <br> University of Technology 

Timed Automata

## Example

The effect of an invariant:


# Technische Universiteit <br> University of Technology 

Timed Automata

## Example

The effect of an invariant and guard combined:


## Timed Automata

## Example

Switches that reset different clocks can cause an arbitrary difference between clock values. This is impossible to describe in a discrete time setting.


## Timed Automata

Let $\mathcal{T}=\left\langle L, L_{0}, A c t, C, \longrightarrow, \iota\right\rangle$ be a Timed Automaton. Its semantics is defined as a timed transition system: $[\mathcal{T}]=\left\langle S, S_{0}, A c t, \rightarrow, \mapsto\right\rangle$

- $S=\left\{(l, v) \mid l \in L \wedge v: C \rightarrow \mathbb{R}_{\geq 0} \wedge v \models \iota(l)\right\}$, i.e. all combinations of locations and clock valuations that do not violate the location invariant.
- $S=\left\{(l, v) \mid l \in L_{0} \wedge v: C \rightarrow \mathbb{R}_{\geq 0} \wedge v \equiv \iota(l)\right\}$.
- $\longrightarrow \subseteq S \times A c t \times S$ is defined as follows:

$$
\frac{l \xrightarrow{g a R} l^{\prime} \quad v \equiv g \wedge \iota(l) \quad v^{\prime}=[v]_{R} \quad v^{\prime} \models \iota\left(l^{\prime}\right)}{(l, v) \xrightarrow{a}\left(l^{\prime}, v^{\prime}\right)}
$$

- $\mapsto \subseteq S \times \mathbb{R}_{\geq 0} \times S$ is defined as follows:

$$
\frac{v \equiv \iota(l) \quad \forall 0 \leq d^{\prime} \leq d: v+d^{\prime} \models \iota(l)}{(l, v) \stackrel{d}{\mapsto}(l, v+d)}
$$

## Timed Automata

## Lemma

Let $l(l)$ be a location invariant. Then for all $d \in \mathbb{R}_{\geq 0}$ and all $v$ :

$$
v \models \iota(l) \text { and } v+d \models \iota(l) \text { implies } \forall 0 \leq d^{\prime} \leq d: v+d^{\prime} \models \iota(l)
$$

- The proof follows by a structural induction on $l(l)$.
- This means that for location invariants, we can simplify the rule for timed transition relations:

$$
\frac{v \models \iota(l) \quad v+d \models \iota(l)}{(l, v) \stackrel{d}{\mapsto}(l, v+d)}
$$

## Timed Automata

Recalling intuition:

- A switch $l \xrightarrow{g a R} l^{\prime}$ means that:
- action $a$ is enabled whenever guard $g$ evaluates to true.
- upon executing the switch, we move from location $l$ to location $l^{\prime}$ and reset all clocks in $R$ to zero.
- only locations $l^{\prime}$ that can be reached with clock values that satisfy the location invariant.
- an invariant $l(l)$ limits the time that can be spent in location $l$.
- staying in location $l$ only is allowed as long as the invariant evaluates to true.
- before the invariant becomes invalid location $l$ must be left.
- if no switch is enabled when the invariant becomes invalid no further progress is possible.


## Outline

## (1) Timed Systems

(2) Timed Automata
(3) Summary

4 Exercise

## Summary

- Timed Systems can be modelled by discrete time or continuous time.
- For discrete time, existing model checking can be reused.
- For continuous time, a new model is introduced: Timed Automata.
- Timed Automata give rise to infinite transition systems.
- Timed Automata can model systems that cannot be described by means of discrete time.


## Outline

## (1) Timed Systems

(2) Timed Automata
(3) Summary
(4) Exercise

## Exercise

Consider the following Timed Automaton.


- Explain which switches can be executed.
- Is there a possibility that the Timed Automaton enters a state in which time cannot progress anymore?
- Give the Timed Transition System for the Timed Automaton.

