Bounded Model Checking for Timed Automata

Maria Sorea
SRI International, Computer Science Laboratory,
333 Ravenswood Avenue, Menlo Park, CA 94025, USA
sorea@csl.sri.com

Electronic Notes in Theoretical Computer Science 68 No. 5 (2002), 19 pages
URL: http://www.elsevier.nl/locate/entcs/volume68.html
Abstract
Given a timed automaton $M$, a linear temporal logic formula $\varphi$, and a bound $k$, bounded model checking for timed automata determines if there is a falsifying path of length $k$ to the hypothesis that $M$ satisfies the specification $\varphi$. This problem can be reduced to the satisfiability problem for Boolean constraint formulas over linear arithmetic constraints. We show that bounded model checking for timed automata is complete, and we give lower and upper bounds for the length $k$ of counterexamples. Moreover, we define bounded model checking for networks of timed automata in a compositional way.
1 Introduction
Timed automata [4] are state-transition graphs augmented with a finite set of real-valued clocks. The clocks proceed at a uniform rate and constrain the times at which transitions may occur. Given a timed automaton and a property expressed in a timed logic such as TCTL [3] or $T_\mu$ [18], model checking answers the question whether the timed automaton satisfies the given formula. The fundamental graph-theoretic model checking algorithm by Alur, Courcoubetis and Dill [3] constructs a finite quotient, the so-called region graph, of the infinite state graph. Algorithms directly based on the explicit construction of such a partition are however unlikely to perform efficiently in practice, since the number of equivalence classes of states of the region graph grows exponentially with the largest time constant and the number of clocks that are used to specify timing constraints. Symbolic model checking algorithms are obtained by characterizing regions as Boolean combinations of linear inequalities over clocks [18]. Based on these algorithms, tools for verifying timed automata, such as, for example, Uppaal [22], Kronos [11], HyTech [17], Tempo [30], have been developed.

* This research was supported by the National Science Foundation under grants CCR-00-82560 and CCR-00-86096.
1 Also affiliated with University of Ulm, Germany.
(c) 2002 Published by Elsevier Science B. V. Open access under CC BY-NC-ND license.
The technique of bounded model checking has been recently introduced [8] as an alternative to classical model checking. Given a system $M$ modeled as a state machine, a temporal logic specification $\varphi$, and a bound $k$, the bounded model checking (BMC) problem consists in searching for counterexamples of length $k$ to the model checking problem $M \models \varphi$. The BMC problem for finite state models can be reduced to a propositional satisfiability problem, and off-the-shelf propositional satisfiability (SAT) checkers are used to construct counterexamples from satisfying assignments to the propositional variables. It has been demonstrated that BMC is in many cases more effective in falsifying designs than traditional model checking techniques [8,9]. In [13] the BMC paradigm has been extended to programs over infinite state spaces and LTL formulas augmented with a decidable set of constraints. For an infinite state system $M$, a linear temporal logic formula with constraints $\varphi$, and a bound $k$, a Boolean constraint formula $[\![M, \varphi]\!]_k$ can be constructed that is satisfiable if and only if there is a counterexample of length $k$ for the model checking problem $M \models \varphi$. BMC for infinite state systems is sound, and for invariant properties also complete, but incomplete for the entire LTL logic [13].
The main contribution here is to show that BMC for timed automata is indeed complete for all LTL formulas with clock constraints. We describe how a timed automaton can be directly encoded into a Boolean constraint formula, without constructing the corresponding region graph. Our approach is compositional in that Boolean constraint formulas encoding networks of timed automata can be obtained by Boolean combinations of the encodings of the components. This compositional approach reduces the size of the generated formula considerably. Moreover, we give bounds for the length $k$ of counterexamples for the model checking problem $M \models \varphi$ that depend on the size of the LTL formula $\varphi$ and the size of the region graph corresponding to the given timed automaton $M$.
The paper is structured as follows. In Section 2 we review the basic notions of timed automata. Section 3 presents the details of BMC for timed automata together with the completeness results. Lower and upper bounds for the length $k$ of counterexamples are given. Section 4 illustrates BMC for networks, that is, parallel composition of timed automata, and shows how complex systems can be encoded into a Boolean constraint formula in a compositional way, without first computing the product automaton of the components. Finally, in Section 5 we present some experimental results using a train gate controller and Fischer's mutual exclusion protocol as benchmarks, and draw conclusions.
2 Timed Automata

We review some basic notions of transition systems and timed automata. Timed automata, as introduced by Alur, Courcoubetis, and Dill [3], are state-transition graphs augmented with a finite set of real-valued clocks. Given a set of clock variables (or simply clocks) $Cl = \{x_1, \ldots, x_n\}$, a clock-valuation function $v : Cl \to \mathbb{R}^+_0$ assigns a (positive) real value to each clock. Clock constraints compare clock values with rational constants. Given a set $Cl$ of clock variables, arbitrary clocks $x_1, x_2$, $\theta \in \mathbb{Q}^+_0$, and $\sim \in \{\le, \ge, <, >, =\}$, the set $\Phi$ of clock (or timing) constraints over $Cl$ is defined by the grammar

$g ::= tt \mid ff \mid x_1 \sim \theta \mid x_1 - x_2 \sim \theta \mid g_1 \wedge g_2.$

For a positive integer $c$, $\Phi(c)$ is the finite subset of all timing constraints $x \sim \theta$, $x - y \sim \theta$, where $x, y \in Cl$, $\sim \in \{<, \le, =, \ge, >\}$ and $\theta \in \{0, \ldots, c\}$. Clock constraints over $Cl$ are interpreted with respect to clock-valuation functions $v : Cl \to \mathbb{R}^+_0$. For a clock-valuation function $v$ and a clock constraint $g$ over $Cl$, we write $v \models g$ (to be read as "$v$ satisfies $g$") to denote that according to the values given by $v$ the constraint $g$ evaluates to true. Formally, $v \models g$ is defined inductively over the syntactic structure of $g$, where $x_1, x_2 \in Cl$ are arbitrary clocks, $\theta \in \mathbb{Q}^+_0$, and $\sim \in \{\le, \ge, <, >, =\}$:

$v \not\models ff$
$v \models tt$
$v \models x_1 \sim \theta$ iff $v(x_1) \sim \theta$
$v \models x_1 - x_2 \sim \theta$ iff $v(x_1) - v(x_2) \sim \theta$
$v \models g_1 \wedge g_2$ iff $v \models g_1$ and $v \models g_2$

For $\delta \in \mathbb{R}^+_0$, $v + \delta$ denotes the clock valuation that maps each clock $x \in Cl$ to the value $v(x) + \delta$. For a set of clocks $r \subseteq Cl$, $v[r := 0]$ denotes the clock valuation for $Cl$ that maps the clocks in $r$ to the value 0 and leaves all the other clock values unchanged.
A timed automaton $S$ is a tuple $\langle L, l_0, Cl, E, Inv \rangle$, where $L$ is a nonempty finite set of locations, $l_0 \in L$ is the initial location, and $Cl$ is a finite set of clocks. $Inv : L \to \Phi$ assigns a set of downward closed clock constraints to each location $l \in L$; the elements of $Inv(l)$ are the invariants for location $l$. $E \subseteq L \times \mathcal{P}(\Phi) \times \mathcal{P}(Cl) \times L$ is a finite set of edges. An edge $e = \langle l, g, r, l' \rangle$ represents a transition from location $l$ to location $l'$. A transition may only be fired if the timing constraint (guard of the transition) $g$ holds with respect to the current value of the clocks, and if the invariant of the target location is satisfied with respect to the modified value of the clocks. Firing a transition does not only change the current location but also resets the clocks in $r$ to 0.

A timed automaton with three locations $l_0, l_1, l_2$ and two clocks $x, y$ is displayed in Figure 1. The initial location is $l_0$; transitions are decorated with both timing constraints and clock resets such as $x := 0$. The invariant for location $l_0$ is $y \le 1$. Timing constraints that are true are omitted.
[Figure 1 (image not preserved in this extraction). Locations $l_0$ (invariant $y \le 1$), $l_1$ and $l_2$; edges $l_0 \to l_0$ with reset $x := 0$, $l_0 \to l_1$ with reset $x := 0$, $l_0 \to l_1$ with guard $y > x$, $l_1 \to l_0$ with reset $y := 0$, and $l_1 \to l_2$ with guard $x \ge y$.]
Fig. 1. Example of a timed automaton (the simple example).

Alur, Courcoubetis, and Dill [3] introduce the fundamental notion of clock regions, which partition the space of possible clock evaluations for a timed automaton into finitely many regions. For a timed automaton $S$ with clocks $Cl$ and largest constant $c$ occurring in any timing constraint of $S$, a clock region is a set $\rho$ of clock valuations such that for all timing constraints $g \in \Phi(c)$ and for any two $v_1, v_2 \in \rho$ it is the case that $v_1 \models g$ if and only if $v_2 \models g$. In this case we write $v_1 \approx_S v_2$. We will use $[v]$ to denote the clock region to which $v$ belongs.
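As an added, runnable illustration (my own code, not from the paper), the following Python implements the clock-valuation operations $v + \delta$ and $v[r := 0]$, the satisfaction relation $v \models g$ for constraints of $\Phi(c)$, and the region equivalence $v_1 \approx_S v_2$ exactly as defined above: two valuations are equivalent iff they satisfy the same constraints of the finite set $\Phi(c)$. Clock values are exact rationals so that boundary cases (a clock equal to an integer, equal fractional parts) are decided correctly; the clock names, function names and sample valuations are my own choices.

```python
from fractions import Fraction
from itertools import product
import operator

# Comparison symbols of the constraint grammar: ~ in {<, <=, =, >=, >}.
OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
       ">=": operator.ge, ">": operator.gt}

# A constraint is a tuple (x, y, op, theta) meaning "x ~ theta" when y is None and
# "x - y ~ theta" otherwise.  A valuation v is a dict clock name -> Fraction.

def valuation(**clocks):
    """Build a clock valuation with exact rational values, e.g. valuation(x="1/2", y="6/5")."""
    return {name: Fraction(val) for name, val in clocks.items()}

def satisfies(v, g):
    """v |= g for one constraint: the cases x ~ theta and x - y ~ theta of the definition."""
    x, y, op, theta = g
    lhs = v[x] if y is None else v[x] - v[y]
    return OPS[op](lhs, theta)

def satisfies_all(v, gs):
    """v |= g_1 /\\ ... /\\ g_m holds iff every conjunct holds (tt is the empty conjunction)."""
    return all(satisfies(v, g) for g in gs)

def delay(v, d):
    """v + delta: every clock advances by the same non-negative amount."""
    assert d >= 0, "time never decreases"
    return {x: val + d for x, val in v.items()}

def reset(v, r):
    """v[r := 0]: clocks in the set r are set to 0, all other clocks keep their value."""
    return {x: (Fraction(0) if x in r else val) for x, val in v.items()}

def phi_c(clocks, c):
    """Phi(c): every x ~ theta and x - y ~ theta with theta in {0, ..., c}; finite for fixed c."""
    cons = [(x, None, op, t) for x, op, t in product(clocks, OPS, range(c + 1))]
    cons += [(x, y, op, t) for x, y, op, t in product(clocks, clocks, OPS, range(c + 1))
             if x != y]
    return cons

def region_signature(v, c):
    """The subset of Phi(c) satisfied by v.  Two valuations lie in the same clock region
    exactly when their signatures coincide, so the signature is a canonical name for [v]."""
    return frozenset(g for g in phi_c(sorted(v), c) if satisfies(v, g))

def region_equivalent(v1, v2, c):
    """v1 ~S v2: v1 and v2 satisfy the same constraints of Phi(c), c the largest constant of S."""
    return region_signature(v1, c) == region_signature(v2, c)

if __name__ == "__main__":
    # Constructed sample valuations for the clocks x, y of Figure 1 (largest constant c = 1).
    v1, v2, v3 = (valuation(x="1/2", y="6/5"), valuation(x="1/4", y="6/5"),
                  valuation(x="1/2", y="3/2"))
    print(region_equivalent(v1, v2, 1), region_equivalent(v1, v3, 1))  # same region, different
    print(satisfies(delay(v1, 1), ("y", None, "<=", 1)))  # invariant y <= 1 of l0 is violated
```

The signature-based test is the definition taken literally; it is quadratic in the number of clocks and linear in $c$, which is exactly why the number of regions, and with it any explicit region-graph construction, grows as fast as the introduction describes.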
A state of a timed automaton $S$ is a pair $(l, v)$ where $l \in L$ is a location of $S$ and $v$ a clock valuation for $Cl$. An initial state is of the form $(l_0, v_0)$ where $l_0$ denotes the initial location of $S$ and $v_0$ maps all clocks in $Cl$ to 0. We extend the satisfiability relation for clock constraints to states as follows: for a state $(l, v)$ and a timing constraint $g$, $(l, v) \models g$ iff $v \models g$. A timed step is either a delay step, where time advances by some positive real-valued $\delta$, or an instantaneous state transition step. For a timed automaton $S = \langle L, l_0, Cl, E, Inv \rangle$ and $\delta \ge 0$, we say that the state $(l, v + \delta)$ is obtained from $(l, v)$ by a delay step $(l, v) \xrightarrow{\delta} (l, v + \delta)$ if the invariant constraint $v + \delta \models Inv(l)$ holds. A state transition step $(l, v) \xrightarrow{g, r} (l', v')$ occurs if there exists an edge $\langle l, g, r, l' \rangle$, and $v \models g$, $v' = v[r := 0]$, and $v' \models Inv(l')$. The union of delay and state transition steps defines the timed transition relation $\Rightarrow$ of a timed automaton $S$. Now, a path $\pi$ is an infinite sequence of states $(l_0, v_0), (l_1, v_1), \ldots$ such that $(l_i, v_i) \Rightarrow (l_{i+1}, v_{i+1})$ for all $i \ge 0$.
3 System Verification

Given a BMC problem for a timed automaton, an LTL formula with linear arithmetic constraints, and a bound on the length of counterexamples to be searched for, we describe a sound and complete reduction to the satisfiability problem of Boolean constraint formulas. The encoding of the transition relations of the given automaton follows the now-standard approach already taken in [18]. Whereas in [8,5,27] LTL formulas are translated directly into propositional formulas, we use Büchi automata for this encoding. This simplifies substantially the notations and the proofs, but a direct translation can sometimes be more succinct in the number of variables needed. We use the common notions for finite automata over finite and infinite words, and we assume as given a theory $\mathcal{A}$ of linear arithmetic constraints with a satisfiability solver. This theory includes the clock constraints $\Phi$, and difference constraints of the form $x' - x = y' - y$, or $x' = x + \delta$, where $x, x', y, y' \in Cl$ are clock variables and $\delta$ a positive real-valued variable. Pratt observed that most inequalities in program verification are of the form $x - y \le c$, where $c$ is constant. Given a conjunction $C$ of such constraints, satisfiability of $C$ can be decided using the Bellman-Ford algorithm in time quadratic in the number of variables in $C$. Shostak's [28] loop residue algorithm generalizes Pratt's results to arbitrary linear inequalities. Furthermore, we also assume as given a theory $\mathcal{L}$ of constraints over variables $at$ and $act$, where $at$ is interpreted over the set $L$ of locations, and $act$ over the input alphabet $\Sigma$ of the given automaton$^2$. The union of both theories is denoted by $C$. For the simplicity of the presentation we consider only timed automata that are nonzeno. Nonzenoness can be guaranteed, for example, by restricting the model of timed automata to certain delay steps, as illustrated in [24].
In order to make this paper as self-contained as possible, we recall some notions and definitions from [13]. Consider a set $V := \{x_1, \ldots, x_n\}$ of variables interpreted over nonempty domains $D_1$ through $D_n$, together with a type assignment $\tau$ such that $\tau(x_i) = D_i$. For a set of typed variables $V$, a variable assignment is a function $\nu$ from variables $x \in V$ to an element of $\tau(x)$. The variables in $V := \{x_1, \ldots, x_n\}$ are also called state variables, and a program state is a variable assignment over $V$. For a given theory $C$, the set of Boolean constraints $Bool(C)$ includes all constraints in $C$ and is closed under conjunction $\wedge$, disjunction $\vee$, and negation $\neg$. A pair $\langle I, T \rangle$ is a $C$-program over $V$ if $I \in Bool(C(V))$ and $T \in Bool(C(V \cup V'))$, where $V'$ is a primed, disjoint copy of $V$. $V$ denotes the current state variables, while $V'$ stands for the next state variables. $I$ is used to restrict the set of initial program states, and $T$ specifies the transition relation between states and their successor states. The set of $C$-programs over $V$ is denoted by $Prg(C)$. The semantics of a program $P$ is given in terms of a transition system $M$ in the usual way, and, by a slight abuse of notation, we sometimes write $M$ for both the program and its associated transition system.
A timed automaton $S = \langle L, l_0, Cl, E, Inv \rangle$ can easily be described in terms of a program with linear arithmetic constraints over state variables $V = \{at, x_1, \ldots, x_n\}$, where $at$ is interpreted over the set $L$ of locations and the clock variables $x_1, \ldots, x_n \in Cl$ are interpreted over $\mathbb{R}^+_0$.
Definition 3.1 Given a timed automaton $S = \langle L, l_0, Cl, E, Inv \rangle$ with $Cl = \{x_1, \ldots, x_n\}$ the set of clocks. $S$ can be defined as an $\langle I, T \rangle$ program in $Prg(C)$ over the set $V = \{at, x_1, \ldots, x_n\}$, and $V' = \{at', x'_1, \ldots, x'_n\}$, as follows.

• Definition of the initial state
$I := (at = l_0 \wedge x_1 = 0 \wedge \ldots \wedge x_n = 0).$

• Definition of a state transition step corresponding to $e = \langle l, g, r, l' \rangle \in E$
$T(e) := (at = l \wedge g \wedge x'_1 = z_1 \wedge \ldots \wedge x'_n = z_n \wedge at' = l' \wedge Inv(l')(x'_1, \ldots, x'_n))$
where $z_i = 0$ if $x_i \in r$; otherwise $z_i = x_i$. The state formula $Inv(l')(x'_1, \ldots, x'_n)$ is obtained from the invariant of location $l'$, $Inv(l')$, by replacing the variables $x_1, \ldots, x_n$ in the constraints of $Inv(l')$ by the primed variables $x'_1, \ldots, x'_n$.

• Definition of delay steps ($Inv(S)$ is the set of all locations that have an invariant different from true.)
$D := \exists \delta \ge 0.\ \big( \bigwedge_{l \in Inv(S)} (at = l \Rightarrow Inv(l)(x'_1, \ldots, x'_n)) \wedge at' = at \wedge x'_1 = x_1 + \delta \wedge \ldots \wedge x'_n = x_n + \delta \big).$

• Definition of the transition relation $T$
$T := \bigvee_{e \in E} T(e) \vee D.$

2 The variable $act$ will be used in Section 4 for BMC for networks of timed automata. This variable is used to encode synchronization.
The timed automaton depicted in Figure 1, for example, is expressed in terms of the program $\langle I, T \rangle$ over state variables $V = \{at, x, y\}$ and $V' = \{at', x', y'\}$, where $at$ and $at'$ are interpreted over the set of locations $\{l_0, l_1, l_2\}$, and the clock variables $x, y, x', y'$ are interpreted over $\mathbb{R}^+_0$. Initially, the program is in location $l_0$ and the value of the clocks $x, y$ is equal to 0. The transitions are encoded by a conjunction of constraints over the current state variables $at, x, y$ and the next state variables $at', x', y'$.
$I(at, x, y) := (at = l_0 \wedge x = 0 \wedge y = 0)$
$T(at, x, y, at', x', y') := (at = l_0 \wedge x' = 0 \wedge y' = y \wedge at' = l_0 \wedge y' \le 1)\ \vee$
$\quad (at = l_0 \wedge x' = 0 \wedge y' = y \wedge at' = l_1)\ \vee$
$\quad (at = l_0 \wedge y > x \wedge x' = x \wedge y' = y \wedge at' = l_1)\ \vee$
$\quad (at = l_1 \wedge y' = 0 \wedge x' = x \wedge at' = l_0)\ \vee$
$\quad (at = l_1 \wedge x \ge y \wedge x' = x \wedge y' = y \wedge at' = l_2)\ \vee$
$\quad D(at, x, y, at', x', y')$
The delay steps are encoded as
$D(at, x, y, at', x', y') = \exists \delta \ge 0.\ ((at = l_0 \Rightarrow y' \le 1) \wedge (at' = at) \wedge (x' = x + \delta) \wedge (y' = y + \delta)).$
The above formula is not contained in $Bool(C)$, since the definition of $D$ contains an existential quantifier, but the existential quantifier can easily be eliminated.
$D(at, x, y, at', x', y') := ((at = l_0 \Rightarrow y' \le 1) \wedge (x' - x \ge 0) \wedge (y' - y = x' - x) \wedge (at' = at)).$
Instead of using 4 clock variables (as in the conjunct $y' - y = x' - x$), this formula can also be expressed using 3 variables as follows:
$D(at, x, y, \delta, at', x', y') := ((at = l_0 \Rightarrow y' \le 1) \wedge \delta \ge 0 \wedge x' = x + \delta \wedge y' = y + \delta \wedge (at' = at)).$
This fact will be used for the compositional encoding of networks of timed automata.
Note that nonzenoness can be guaranteed by defining the transition relation in Definition 3.1 in such a way that consecutive delay steps are disallowed. In this case a path in the system is characterized by an alternation between a state transition step and a delay step. However, a delay step between two state transition steps can be omitted if $\delta = 0$. Therefore, between two state transition steps a 'maximal' delay step has to be taken that satisfies the invariant of the actual state and allows the next state transition to be performed. Such an encoding of the transition relation leads to shorter bounds $k$ for counterexamples, as we will illustrate at the end of this section.
The formulas of the constraint linear temporal logic $LTL(C')$ are linear-time temporal logic formulas with the usual "until" and "release" operators, and constraints $c \in C' = \Phi \cup \mathcal{L}$ as atoms.

$\varphi ::= true \mid false \mid c \mid \varphi_1 \wedge \varphi_2 \mid \varphi_1 \vee \varphi_2 \mid \varphi_1\, U\, \varphi_2 \mid \varphi_1\, R\, \varphi_2$
The formula $\varphi_1\, U\, \varphi_2$ holds on a path $\pi$ if there is a state on the path where $\varphi_2$ holds, and at every preceding state on the path $\varphi_1$ holds. The release operator $R$ is the logical dual of $U$. It requires that $\varphi_2$ holds along the path up to and including the first state where $\varphi_1$ holds. However, $\varphi_1$ is not required to hold eventually. The derived operators $F\varphi = true\, U\, \varphi$ and $G\varphi = false\, R\, \varphi$ denote "eventually $\varphi$" and "globally $\varphi$". Our logic does not contain a next-step operator. The main interest in removing the next-step operator stems from the fact that we do not want to distinguish between one delay step of duration, say, 1 and two subsequent delay steps of durations 2/5 and 3/5, since these traces are considered to be observationally equivalent. Logics without an explicit next-step operator have also been considered, for example, by Alur [1], Henzinger, Nicollin, Sifakis and Yovine [18], and by Dams [10]. Using this
logic, we can express properties such as
• Location $l_2$ is never reached: $G \neg(at = l_2)$
• Every time the system is in location $l_1$ the value of $x$ is greater than the value of $y$: $G(at = l_1 \Rightarrow x > y)$
• The value of $x$ is greater than $y$ until $x$ is reset: $(x > y)\, U\, (x = 0)$
Given a program $M \in Prg(C)$ and a path $\pi$ in $M$, the satisfiability relation $M, \pi \models \varphi$ for an $LTL(C')$ formula $\varphi$ is given in the usual way with the notable exception of the case of constraint formulas $c$. In this case, $M, \pi \models c$ if and only if $c$ holds in the start state of $\pi$. Assuming the notation above, the $C$-model checking problem $M \models \varphi$ holds iff for all paths $\pi = s_0, s_1, \ldots$ in $M$ with $s_0 \in I$ it is the case that $M, \pi \models \varphi$.

The following lemma states that the logic $LTL(C')$ preserves bisimulation. The proof is by induction over the syntax of $LTL(C')$.
Lemma 3.2 Given a program $M$ with a finite bisimulation $M'$ (i.e. $M \approx M'$), and a formula $\varphi \in LTL(C')$; then $M \models \varphi$ iff $M' \models \varphi$.
Now, given a bound $k$, a program $M \in Prg(C)$ and a formula $\varphi \in LTL(C')$, we consider the problem of constructing a formula $[\![M, \varphi]\!]_k \in Bool(C)$, which is satisfiable if and only if there is a counterexample of length $k$ for the $C$-model checking problem $M \models \varphi$. This construction proceeds as follows.
(i) Definition of $[\![M]\!]_k$ as the unfolding of the program $M$ up to step $k$ from initial states (this requires $k$ disjoint copies of $V$).
(ii) Translation of $\neg\varphi$ into a corresponding Büchi automaton $B_{\neg\varphi}$ whose language of accepting words consists of the satisfying paths of $\neg\varphi$.
(iii) Encoding of the transition system for $B_{\neg\varphi}$ and the Büchi acceptance condition as a Boolean formula, say $[\![B]\!]_k$.
(iv) Forming the conjunction $[\![M, \varphi]\!]_k := [\![B]\!]_k \wedge [\![M]\!]_k$.
(v) A satisfying assignment for the formula $[\![M, \varphi]\!]_k$ induces a counterexample of length $k$ for the model checking problem $M \models \varphi$.
Definition 3.3 [Encoding of $C$-Programs] The encoding $[\![M]\!]_k$ of the $k$th unfolding of a $C$-program $M = \langle I, T \rangle$ in $Prg(C(\{x_1, \ldots, x_n\}))$ is given by the Boolean constraint formula $[\![M]\!]_k$.

$I_0(x[0]) := I\langle \{x_i \mapsto x_i[0] \mid x_i \in V\} \rangle$
$T_j(x[j], x[j+1]) := T\langle \{x_i \mapsto x_i[j] \mid x_i \in V\} \cup \{x'_i \mapsto x_i[j+1] \mid x_i \in V\} \rangle$
$[\![M]\!]_k := I_0(x[0]) \wedge \bigwedge_{j=0}^{k-1} T_j(x[j], x[j+1])$

where $\{x_i[j] \mid 0 \le j \le k\}$ is a family of typed variables for encoding the state of variable $x_i$ in the $j$th step, $x[j]$ is used as an abbreviation for $x_1[j], \ldots, x_n[j]$, and $T\langle x_i \mapsto x_i[j] \rangle$ denotes simultaneous substitution of the $x_i$ by $x_i[j]$ in formula $T$.
A two-step unfolding of the simple program in Figure 1, for example, is encoded by $[\![simple]\!]_2 := I_0 \wedge T_0 \wedge T_1$. (*)

$I_0 := (at[0] = l_0 \wedge x[0] = 0 \wedge y[0] = 0)$
$T_0 := (at[0] = l_0 \wedge x[1] = 0 \wedge y[1] = y[0] \wedge at[1] = l_0 \wedge y[1] \le 1)\ \vee$
$\quad (at[0] = l_0 \wedge x[1] = 0 \wedge y[1] = y[0] \wedge at[1] = l_1)\ \vee$
$\quad (at[0] = l_0 \wedge y[0] > x[0] \wedge x[1] = x[0] \wedge y[1] = y[0] \wedge at[1] = l_1)\ \vee$
$\quad (at[0] = l_1 \wedge y[1] = 0 \wedge x[1] = x[0] \wedge at[1] = l_0)\ \vee$
$\quad (at[0] = l_1 \wedge x[0] \ge y[0] \wedge x[1] = x[0] \wedge y[1] = y[0] \wedge at[1] = l_2)\ \vee$
$\quad ((at[0] = l_0 \Rightarrow y[1] \le 1) \wedge (x[1] - x[0] \ge 0) \wedge (y[1] - y[0] = x[1] - x[0]) \wedge (at[1] = at[0]))$
$T_1 := (at[1] = l_0 \wedge x[2] = 0 \wedge y[2] = y[1] \wedge at[2] = l_0 \wedge y[2] \le 1)\ \vee$
$\quad (at[1] = l_0 \wedge x[2] = 0 \wedge y[2] = y[1] \wedge at[2] = l_1)\ \vee$
$\quad (at[1] = l_0 \wedge y[1] > x[1] \wedge x[2] = x[1] \wedge y[2] = y[1] \wedge at[2] = l_1)\ \vee$
$\quad (at[1] = l_1 \wedge y[2] = 0 \wedge x[2] = x[1] \wedge at[2] = l_0)\ \vee$
$\quad (at[1] = l_1 \wedge x[1] \ge y[1] \wedge x[2] = x[1] \wedge y[2] = y[1] \wedge at[2] = l_2)\ \vee$
$\quad ((at[1] = l_0 \Rightarrow y[2] \le 1) \wedge (x[2] - x[1] \ge 0) \wedge (y[2] - y[1] = x[2] - x[1]) \wedge (at[2] = at[1]))$
The translation of linear temporal logic formulas into a corresponding Büchi automaton is well-studied in the literature (for example, [16]) and does not require additional explanation. Notice however that the translation of $LTL(C')$ formulas yields Büchi automata with $C'$-constraints as labels. Both the resulting transition system and the bounded acceptance test based on the detection of reachable cycles with at least one final state can easily be encoded as Boolean constraint formulas [13].
Definition 3.4 [Encoding of Büchi Automata] Let $V = \{x_1, \ldots, x_n\}$ be a set of typed variables, $B = \langle \Sigma, Q, \Delta, Q_0, F \rangle$ be a Büchi automaton with labels $\Sigma$ in $C'$, and $pc$ be a variable (not in $V$), which is interpreted over the finite set of locations $Q$ of the Büchi automaton. For a given integer $k$, we obtain, as in Definition 3.3, families of variables $x_i[j]$, $pc[j]$ ($1 \le i \le n$, $0 \le j \le k$) for representing the $j$th state of $B$ in a run of length $k$. Furthermore, the transition relation of $B$ is encoded in terms of the $C$-program $B_M$ over the set of variables $\{pc\} \cup V$, and $[\![B_M]\!]_k$ denotes the encoding of this program as in Definition 3.3. Now, given an encoding of the acceptance condition

$acc(B)_k := \bigvee_{j=0}^{k-1} \Big( pc[k] = pc[j] \wedge \bigwedge_{v=1}^{n} x_v[k] = x_v[j] \wedge \bigvee_{l=j+1}^{k} \bigvee_{f \in F} pc[l] = f \Big)$

the $k$-th unfolding of $B$ is defined by $[\![B]\!]_k := [\![B_M]\!]_k \wedge acc(B)_k$. The acceptance condition for Büchi automata requires that some final state appears on a run infinitely often. This is encoded by the formula $acc(B)_k$. The first two conjuncts $pc[k] = pc[j]$ and $\bigwedge_{v=1}^{n} x_v[k] = x_v[j]$ describe the presence of a cycle in the run between states $j$ and $k$, while $\bigvee_{l=j+1}^{k} \bigvee_{f \in F} pc[l] = f$ guarantees that inside the cycle, that is, between state $j+1$ and state $k$, at least one final state is contained.

An $LTL(C')$ formula is said to be $R$-free ($U$-free) iff there is an equivalent formula (in negation normal form) not containing the operator $R$ ($U$). Note that $U$-free formulas correspond to the notion of syntactic safety formulas [19,29]. Now, it can be directly observed from the semantics of $LTL(C')$ formulas that every $R$-free formula can be translated into an automaton over finite words that accepts a prefix of all infinite paths satisfying the given formula.
Definition 3.5 Given an automaton $B$ over finite words and the notation as in Definition 3.4, the encoding of the $k$-ary unfolding of $B$ is given by $[\![B_M]\!]_k \wedge acc(B)_k$ with the acceptance condition

$acc(B)_k := \bigvee_{j=0}^{k} \bigvee_{f \in F} pc[j] = f.$

[Figure 2 (image not preserved in this extraction). States $q_0$ and $q_1$; a self-loop on $q_0$ labelled $at \ne l_2$ and a transition from $q_0$ to $q_1$ labelled $at = l_2$.]
Fig. 2. Automaton for $F(at = l_2)$.
Consider the problem of finding a counterexample of length $k = 2$ to the hypothesis that our running example in Figure 1 satisfies $G \neg(at = l_2)$, that is, the timed automaton never reaches location $l_2$. The negated property $F(at = l_2)$ is an $R$-free formula, and the corresponding automaton $B$ over finite words is displayed in Figure 2. This automaton is translated, according to Definition 3.5, into the formula
$[\![B]\!]_2 := I_0(B) \wedge T_0(B) \wedge T_1(B) \wedge acc(B)_2.$ (**)
The variables $pc[j]$ and $at[j]$ ($j = 0, 1, 2$) are used to represent the first three states in a run.

$I_0(B) := (pc[0] = q_0)$
$T_0(B) := (pc[0] = q_0 \wedge \neg(at[0] = l_2) \wedge pc[1] = q_0) \vee (pc[0] = q_0 \wedge at[0] = l_2 \wedge pc[1] = q_1)$
$T_1(B) := (pc[1] = q_0 \wedge \neg(at[1] = l_2) \wedge pc[2] = q_0) \vee (pc[1] = q_0 \wedge at[1] = l_2 \wedge pc[2] = q_1)$
$acc(B)_2 := (pc[0] = q_1 \vee pc[1] = q_1 \vee pc[2] = q_1)$

The bounded model checking problem $[\![simple]\!]_2 \wedge [\![B]\!]_2$ for the simple program is obtained by conjoining the formulas (*) and (**). Using the BMC procedure over linear arithmetic constraints one finds the counterexample
$(l_0, x = 0, y = 0) \to (l_1, x = 0, y = 0) \to (l_2, x = 0, y = 0)$
of length 2. Counterexamples for timed properties, such as $G(at = l_1 \Rightarrow x > y)$, can also be found by the BMC procedure.
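As an added, runnable illustration (my own code, not from the paper), the following Python encodes the simple program of Figure 1 as in Definition 3.1 (with the quantifier-free delay step given above), builds the $k$-unfolding $[\![simple]\!]_k$ by the substitution of Definition 3.3, encodes the Figure 2 automaton together with the finite-word acceptance condition of Definition 3.5, and evaluates the resulting Boolean constraint formula under a candidate assignment, which is what a satisfiability solver would hand back. No solver is involved; the code checks candidate models rather than searching for them. The path $(l_0, 0, 0) \to (l_1, 0, 0) \to (l_2, 0, 0)$ is checked against $[\![simple]\!]_2$ as in the text; for the conjunction with $[\![B]\!]_k$ the run is extended by one zero-delay step in $l_2$ (so $k = 3$), because a transition label of $B$ is evaluated in the program state the transition is taken from, and $pc$ therefore reaches $q_1$ one position after $at$ reaches $l_2$. Locations and automaton states are string constants, the guard of the edge $l_1 \to l_2$ is read as $x \ge y$ as in the encoding above, and all function names are mine.

```python
import operator

# Formula AST as nested tuples.  Atoms: ("var", name), ("const", value).
# Terms: ("sub", a, b).  Constraints: ("eq"|"le"|"ge"|"gt", a, b).
# Boolean structure: ("and", ...), ("or", ...), ("not", f), ("imp", a, b).
def Var(n): return ("var", n)
def Con(c): return ("const", c)
def And(*fs): return ("and",) + fs
def Or(*fs): return ("or",) + fs
def Not(f): return ("not", f)
def Imp(a, b): return ("imp", a, b)
def Eq(a, b): return ("eq", a, b)
def Le(a, b): return ("le", a, b)
def Ge(a, b): return ("ge", a, b)
def Gt(a, b): return ("gt", a, b)
def Sub(a, b): return ("sub", a, b)

CMP = {"eq": operator.eq, "le": operator.le, "ge": operator.ge, "gt": operator.gt}

def rename(f, m):
    """Simultaneous substitution T<x_i -> x_i[j]> of Definition 3.3 (variables not in m stay)."""
    if f[0] == "var":
        return ("var", m.get(f[1], f[1]))
    if f[0] == "const":
        return f
    return (f[0],) + tuple(rename(g, m) for g in f[1:])

def evaluate(f, env):
    """Value of a quantifier-free formula (or term) under the variable assignment env."""
    op, args = f[0], f[1:]
    if op == "var":   return env[args[0]]
    if op == "const": return args[0]
    if op == "and":   return all(evaluate(g, env) for g in args)
    if op == "or":    return any(evaluate(g, env) for g in args)
    if op == "not":   return not evaluate(args[0], env)
    if op == "imp":   return (not evaluate(args[0], env)) or evaluate(args[1], env)
    a, b = evaluate(args[0], env), evaluate(args[1], env)
    return a - b if op == "sub" else CMP[op](a, b)

def unfold(I, T, variables, k):
    """[[M]]_k := I_0(x[0]) /\\ /\\_{j=0}^{k-1} T_j(x[j], x[j+1])   (Definition 3.3)."""
    step = lambda j: {x: f"{x}[{j}]" for x in variables}
    primed = lambda j: {x + "'": f"{x}[{j + 1}]" for x in variables}
    return And(rename(I, step(0)), *[rename(T, {**step(j), **primed(j)}) for j in range(k)])

# The simple program of Figure 1 (Definition 3.1 instance from the text).
at, x, y = Var("at"), Var("x"), Var("y")
at_, x_, y_ = Var("at'"), Var("x'"), Var("y'")
I_SIMPLE = And(Eq(at, Con("l0")), Eq(x, Con(0)), Eq(y, Con(0)))
D_SIMPLE = And(Imp(Eq(at, Con("l0")), Le(y_, Con(1))), Ge(Sub(x_, x), Con(0)),
               Eq(Sub(y_, y), Sub(x_, x)), Eq(at_, at))          # delay, quantifier eliminated
T_SIMPLE = Or(
    And(Eq(at, Con("l0")), Eq(x_, Con(0)), Eq(y_, y), Eq(at_, Con("l0")), Le(y_, Con(1))),
    And(Eq(at, Con("l0")), Eq(x_, Con(0)), Eq(y_, y), Eq(at_, Con("l1"))),
    And(Eq(at, Con("l0")), Gt(y, x), Eq(x_, x), Eq(y_, y), Eq(at_, Con("l1"))),
    And(Eq(at, Con("l1")), Eq(y_, Con(0)), Eq(x_, x), Eq(at_, Con("l0"))),
    And(Eq(at, Con("l1")), Ge(x, y), Eq(x_, x), Eq(y_, y), Eq(at_, Con("l2"))),
    D_SIMPLE)

# The Figure 2 automaton for F(at = l2) as the C-program B_M over {pc} and the program state.
pc, pc_ = Var("pc"), Var("pc'")
I_B = Eq(pc, Con("q0"))
T_B = Or(And(Eq(pc, Con("q0")), Not(Eq(at, Con("l2"))), Eq(pc_, Con("q0"))),
         And(Eq(pc, Con("q0")), Eq(at, Con("l2")), Eq(pc_, Con("q1"))))

def acc_finite(k, finals=("q1",)):
    """acc(B)_k := \\/_{j=0}^{k} \\/_{f in F} pc[j] = f   (Definition 3.5, R-free case)."""
    return Or(*[Eq(Var(f"pc[{j}]"), Con(f)) for j in range(k + 1) for f in finals])

def bmc_formula(k):
    """[[simple]]_k /\\ [[B]]_k: the Boolean constraint formula handed to the solver."""
    return And(unfold(I_SIMPLE, T_SIMPLE, ("at", "x", "y"), k),
               unfold(I_B, T_B, ("pc", "at"), k), acc_finite(k))

def assignment(locs, xs, ys, pcs):
    """A candidate solver model: values for at[j], x[j], y[j], pc[j] for j = 0..k."""
    env = {}
    for j, (l, xv, yv, q) in enumerate(zip(locs, xs, ys, pcs)):
        env.update({f"at[{j}]": l, f"x[{j}]": xv, f"y[{j}]": yv, f"pc[{j}]": q})
    return env

def is_program_path(locs, xs, ys):
    """Does the state sequence satisfy [[simple]]_k on its own (k = number of steps)?"""
    env = assignment(locs, xs, ys, ["q0"] * len(locs))
    return evaluate(unfold(I_SIMPLE, T_SIMPLE, ("at", "x", "y"), len(locs) - 1), env)

def is_counterexample(locs, xs, ys, pcs):
    """Does the candidate model satisfy [[simple]]_k /\\ [[B]]_k, i.e. refute G not(at = l2)?"""
    return evaluate(bmc_formula(len(locs) - 1), assignment(locs, xs, ys, pcs))

if __name__ == "__main__":
    print(is_program_path(["l0", "l1", "l2"], [0, 0, 0], [0, 0, 0]))           # the text's path
    print(is_counterexample(["l0", "l1", "l2", "l2"], [0] * 4, [0] * 4,
                            ["q0", "q0", "q0", "q1"]))                          # with B's run
```

`unfold` is generic: it accepts any $\langle I, T \rangle$ built from the same constructors, so the delay step with a violated invariant ($y$ advancing past 1 in $l_0$) or a step along a non-existent edge is rejected by $[\![simple]\!]_k$ exactly as the definitions prescribe, and a run of $B$ that jumps to $q_1$ without $at = l_2$ is rejected by $[\![B_M]\!]_k$.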
The following two theorems are stated in [13].

Theorem 3.6 (Soundness) Let $M \in Prg(C)$ and $\varphi \in LTL(C')$. If there exists a natural number $k$ such that $[\![M, \varphi]\!]_k$ is satisfiable, then $M \not\models \varphi$.

Theorem 3.7 (Completeness for Finite State Systems) Let $M$ be a $C$-program with a finite set of reachable states, $\varphi$ be an $LTL(C')$ formula, and $k$ be a given bound; then: $M \not\models \varphi$ implies $\exists k \in \mathbb{N}.\ [\![M, \varphi]\!]_k$ is satisfiable.
In general, BMC over infinite domains is not complete. Consider, for example, the model checking problem $M \models \varphi$ for the program $M = \langle I, T \rangle$ over the variable $V = \{x\}$ with $I = (x = 0)$ and $T = (x' = x + 1)$ and the formula $\varphi = F(x < 0)$. $M$ can be seen as a one-counter automaton, where initially the value of the counter $x$ is 0, and with every transition the value of $x$ is increased by 1. Obviously, it is the case that $M \not\models \varphi$, but there exists no $k \in \mathbb{N}$ such that the formula $[\![M, \varphi]\!]_k$ is satisfiable. Since $\neg\varphi$ is not an $R$-free formula, the encoding of the Büchi automaton $B_k$ must contain, by Definition 3.4, a finite accepting cycle, described by $pc[k] = pc[0] \wedge x[k] = x[0]$ or $pc[k] = pc[1] \wedge x[k] = x[1]$ etc. Such a cycle, however, does not exist, since the program $M$ contains only one noncycling, infinite path, where the value of $x$ increases in every step, that is $x[i+1] = x[i] + 1$ for all $i \ge 0$.
Theorem 3.8 (Completeness for Timed Automata) Let $M$ be a timed automaton defined as a $C$-program over a set of state variables $V = \{x_1, \ldots, x_n\}$, and $\varphi$ be a formula in $LTL(C')$; then:
$M \not\models \varphi$ implies $\exists k.\ [\![M, \varphi]\!]_k$ is satisfiable.
Proof. Let $M'$ be the finite region graph corresponding to $M$, also defined as a $C$-program over the set of state variables $V$. From $M \not\models \varphi$ it follows by Lemma 3.2 that $M' \not\models \varphi$. Let
$[\![M', \varphi]\!]_k := [\![B]\!]_k \wedge [\![M']\!]_k$
be the bounded model checking problem for $M'$ and $\varphi$. Since $M'$ is finite, by Theorem 3.7 there exists a $k$ such that $[\![M', \varphi]\!]_k$ is satisfiable. It remains to show that if $[\![M', \varphi]\!]_k$ is satisfiable then also $[\![M, \varphi]\!]_k$ is satisfiable. From $[\![M', \varphi]\!]_k$ satisfiable it follows that $[\![M']\!]_k$ and $[\![B]\!]_k$ are satisfiable. By Definition 3.3
$[\![M']\!]_k := I'_0(x[0]) \wedge \bigwedge_{j=0}^{k-1} T'_j(x[j], x[j+1])$
where the state formula $I'_0(x[0])$ encodes the initial state $(l_0, [v_0])$, and the formula $T'_j(x[j], x[j+1])$ defines the transition relation. Obviously, the formula $I'_0(x[0])$ is equivalent to the state formula $I_0(x[0])$, which describes the initial state $(l_0, v_0)$ of the program $M$. Let $\pi' = s'_0, s'_1, \ldots, s'_{k-1}$, where $s'_i = (l'_i, [v'_i])$, be a $k$-path in $M'$. In [31] it has been shown that the region equivalence is a bisimulation relation. Since $M$ and $M'$ are bisimilar, it follows that there exists a $k$-path $\pi = s_0, s_1, \ldots, s_{k-1}$ in $M$, where $s_i = (l_i, v_i)$, such that $l_i = l'_i$ and $v_i \in [v'_i]$. Similarly to the unfolding of $M'$, $M$ can be unfolded up to step $k$ to make $[\![M]\!]_k$ and $[\![M']\!]_k$ equisatisfiable. □
Lower bounds for the length $k$ of counterexamples can be found by examining the structure of the Büchi automaton for a given $LTL(C')$ formula. A lower bound is given by the length of the shortest path from the initial state to a final/accepting state of the automaton. For a timed automaton $M$ with $c$ the largest constant appearing in the guards and invariants of $M$, and $t$ the number of clocks, an upper bound for $k$ is given by $k \le n \cdot 2^{O(t \log(ct))} \cdot 2^{O(|\varphi|)}$, where $n$ is the number of locations of $M$ and $n \cdot 2^{O(t \log(ct))}$ the number of states in the region graph of $M$ [2].
Corollary 3.9 Let $M$ be a timed automaton with $c$ the largest constant appearing in the guards and invariants of $M$, and $t$ the number of clocks. Further, let $\varphi$ be a formula in $LTL(C')$. If $k = n \cdot 2^{O(t \log(ct))} \cdot 2^{O(|\varphi|)}$ then $M \models \varphi$ iff $[\![M, \varphi]\!]_j$ is unsatisfiable for all $j \le k$.
The main problem with bounded model checking is to come up with a realistic upper bound for the length of counterexamples to be searched for. For the case of timed automata, the above bound is a very coarse overapproximation, since the number of regions is exponential in the number of clocks and the largest constant appearing in the guards and invariants of the system. A smaller bound can be obtained when using the encoding of the transition relation as illustrated at the beginning of this section (that is, alternating between state transition and delay steps). In this case, the bound does not depend on the number of regions, but on the number of zones, that is, the number of convex unions of regions. As observed by Alur [2], although theoretically the number of zones is exponential in the number of regions, in practice it is much smaller than the number of regions, and thus leads to a shorter bound.
4 BMC for Networks of Timed Automata

Complex systems are modeled as networks of timed automata, that is, parallel composition of timed automata. Given two timed automata $A_1$ and $A_2$, for defining synchronization on the same events$^3$ we assume two finite alphabets $\Sigma_1$ and $\Sigma_2$, whose elements are used to label the transitions of $A_1$, respectively $A_2$. An edge of an automaton over an input alphabet $\Sigma$ is now a tuple $e = \langle l, a, g, r, l' \rangle$. The product $A_1 \parallel A_2$ is defined in the obvious way [2]. The locations of the product automaton are pairs of locations of its constituent automata. The invariant of a new location consists of the conjunction of the invariants of the component locations. Symbols that belong to both alphabets are used for synchronization and must be taken simultaneously by both automata. Figure 3 illustrates two timed automata together with the resulting product automaton.
In order to encode the system $A_1 \parallel A_2$ into a $C$-program, as described in Section 3 using Definition 3.1, the product automaton has to be constructed first. For networks consisting of a large number of components this leads to an exponential blow-up in the number of resulting locations and transitions, and therefore also in the length of the Boolean constraint formulas. Here, we propose a method for encoding a network of timed automata into a $C$-program in a compositional way, which does not require the construction of the product automaton.
For encoding the actions of a timed automaton we use a variable $act$ that ranges over $\Sigma_1 \cup \ldots \cup \Sigma_n \cup \{delay\}$, where $\Sigma_i$ ($i = 1, \ldots, n$) are the alphabets corresponding to the $n$ input automata. The special action $delay$ denotes the fact that a time elapse step is performed.

3 We present here communication based on synchronized transitions. Communication based on shared variables can be handled similarly.

[Figure 3 (image not preserved in this extraction). $A_1$: locations 0, 1, 2 with edges labelled $a, x := 0$ and $x = 1, b$. $A_2$: locations 0, 1, 2 with edges labelled $a, y = 2$ and $c$. $A_1 \parallel A_2$: locations $(0,0), (1,1), (2,0), (0,2), (2,2)$ with edges labelled $a, y = 2, x := 0$; $b, x = 1$; $c$; $c$; and $x = 1, b$.]
Fig. 3. Product construction for timed automata.
For a timed automaton $A$ with alphabet $\Sigma$ and set of clocks $Cl$ the formula $\xi(A)$ is used to encode "inactivity", that is, the fact that $A$ does not perform any transition:

$$\xi(A) := \Big(at' = at \;\wedge\; \bigwedge_{x \in Cl} x' = x \;\wedge\; \bigwedge_{\sigma \in \Sigma \cup \{delay\}} act \neq \sigma\Big).$$

Every component is encoded in a similar way as illustrated in Definition 3.1, with the additional encoding of transition actions.
Definition 4.1 Consider a network of timed automata $A_1 \parallel \ldots \parallel A_n$, where $A_i = \langle L_i, l^i_0, \Sigma_i, Cl_i, E_i, Inv_i \rangle$, over the set of clocks $Cl_i = \{x^i_1, \ldots, x^i_n\}$, for $i = 1, \ldots, n$. The network is encoded over the set of state variables $V = V_1 \cup \ldots \cup V_n$, as the program

$$\langle I_s, T_s \rangle := \bigwedge_{i = 1, \ldots, n} \langle I_i, T_i \rangle \;\wedge\; \delta \geq 0,$$

where $\delta$ is a state variable interpreted over $\mathbb{R}^+_0$, and $\langle I_i, T_i \rangle$ encodes the automaton $A_i$ over the set $V_i = \{at_i, x^i_1, \ldots, x^i_n, act, \delta\}$ as follows:

• Definition of the initial state (as in Definition 3.1):
$$I_i := (at_i = l^i_0 \;\wedge\; x^i_1 = 0 \;\wedge\; \ldots \;\wedge\; x^i_n = 0).$$

• Definition of a state transition step corresponding to $e = \langle l, a, g, r, l' \rangle \in E_i$:
$$T_i(e) := \big(at_i = l \;\wedge\; act = a \;\wedge\; g \;\wedge\; x'^i_1 = z_1 \;\wedge\; \ldots \;\wedge\; x'^i_n = z_n \;\wedge\; at'_i = l' \;\wedge\; Inv_i(l')(x'^i_1, \ldots, x'^i_n)\big),$$
where $z_j = 0$ if $x^i_j \in r$, and $z_j = x^i_j$ otherwise. The state formula $Inv_i(l')(x'^i_1, \ldots, x'^i_n)$ is obtained from the invariant of location $l'$, $Inv_i(l')$, by replacing the variables $x^i_1, \ldots, x^i_n$ in the constraints of $Inv_i(l')$ by the primed variables $x'^i_1, \ldots, x'^i_n$.

• Definition of delay steps ($Inv(A_i)$ is the set of all locations that have an invariant different from $true$):
$$D_i := \bigwedge_{l \in Inv(A_i)} \big(at_i = l \Rightarrow Inv_i(l)(x'^i_1, \ldots, x'^i_n)\big) \;\wedge\; act = delay \;\wedge\; x'^i_1 = x^i_1 + \delta \;\wedge\; \ldots \;\wedge\; x'^i_n = x^i_n + \delta \;\wedge\; at'_i = at_i.$$

• Definition of the transition relation $T_i$:
$$T_i := \Big(\bigvee_{e \in E_i} T_i(e)\Big) \;\vee\; \xi(A_i) \;\vee\; D_i.$$
The network consisting of the timed automata $A_1$ and $A_2$ from Figure 3, for example, is defined as the program
$$\langle I_s, T_s \rangle = \langle I_1, T_1 \rangle \;\wedge\; \langle I_2, T_2 \rangle \;\wedge\; \delta \geq 0$$
over the set of variables $V = \{at_1, at_2, x, y, act, \delta\}$ and $V' = \{at'_1, at'_2, x', y', act', \delta'\}$, where $\langle I_1, T_1 \rangle$ encodes the timed automaton $A_1$, and $\langle I_2, T_2 \rangle$ encodes $A_2$. Since no location of $A_1$ or $A_2$ carries an invariant, the delay disjuncts contain no invariant conjuncts.

$$\begin{aligned}
I_1 &= (at_1 = 0 \wedge x = 0)\\
I_2 &= (at_2 = 0 \wedge y = 0)\\
T_1 &= (at_1 = 0 \wedge at'_1 = 1 \wedge x' = 0 \wedge act = a) \;\vee\\
    &\quad (at_1 = 0 \wedge at'_1 = 2 \wedge x = 1 \wedge x' = x \wedge act = b) \;\vee\\
    &\quad (at_1 = at'_1 \wedge x' = x \wedge act \neq a \wedge act \neq b \wedge act \neq delay) \;\vee\\
    &\quad (at_1 = at'_1 \wedge x' = x + \delta \wedge act = delay)\\
T_2 &= (at_2 = 0 \wedge at'_2 = 1 \wedge y = 2 \wedge y' = y \wedge act = a) \;\vee\\
    &\quad (at_2 = 0 \wedge at'_2 = 2 \wedge y' = y \wedge act = c) \;\vee\\
    &\quad (at_2 = at'_2 \wedge y' = y \wedge act \neq a \wedge act \neq c \wedge act \neq delay) \;\vee\\
    &\quad (at_2 = at'_2 \wedge act = delay \wedge y' = y + \delta)
\end{aligned}$$
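To make Definition 4.1 concrete, the following script is an added example (not code from the paper) that emits the $k$-unfolding $[M_s]_k$ of the Figure 3 network as an SMT-LIB2 script. Each component contributes its own $I_i$ and $T_i$ (edge steps, inactivity $\xi(A_i)$ and delay steps $D_i$), and the network formula is their conjunction with $\delta \geq 0$, so the product automaton is never built. The variable names (`at1_j`, `x_j`, `act_j`, `delta_j`), the integer coding of the action alphabet, the dict layout of the automata and the reachability target in `main` are assumptions of this example; the output can be handed to any SMT-LIB2 solver.

```python
"""Compositional BMC encoding of a network of timed automata (Definition 4.1).

Added example, not code from the paper: emits the k-unfolding [M_s]_k of the
Figure 3 network as an SMT-LIB2 script. Variable names (at1_j, x_j, act_j,
delta_j), the integer coding of actions and the dict layout are assumptions.
"""

# A timed automaton as a dict; edges are (source, action, guard, resets, target),
# guards and invariants are lists of (clock, op, constant) conjuncts.
A1 = dict(name="1", init=0, clocks=["x"], inv={},
          edges=[(0, "a", [], {"x"}, 1), (0, "b", [("x", "=", 1)], set(), 2)])
A2 = dict(name="2", init=0, clocks=["y"], inv={},
          edges=[(0, "a", [("y", "=", 2)], set(), 1), (0, "c", [], set(), 2)])
NETWORK = [A1, A2]
ACTIONS = {"a": 0, "b": 1, "c": 2, "delay": 3}   # act ranges over Sigma_1 u Sigma_2 u {delay}

def v(name, j):                    # state variable `name` in unfolding step j
    return f"{name}_{j}"

def conj(*fs):                     # SMT-LIB conjunction, dropping trivial conjuncts
    fs = [f for f in fs if f and f != "true"]
    if not fs:
        return "true"
    return fs[0] if len(fs) == 1 else "(and " + " ".join(fs) + ")"

def disj(fs):
    return "(or " + " ".join(fs) + ")"

def constraint(clock, op, c, j):   # ("x", "=", 1) at step j  ->  (= x_j 1.0)
    return f"({op} {v(clock, j)} {float(c)})"

def invariant(aut, loc, j):        # Inv_i(loc) evaluated on the clocks of step j
    return conj(*[constraint(cl, op, c, j) for cl, op, c in aut["inv"].get(loc, [])])

def init_formula(aut, j=0):        # I_i: initial location, all clocks zero
    return conj(f"(= {v('at' + aut['name'], j)} {aut['init']})",
                *[f"(= {v(cl, j)} 0.0)" for cl in aut["clocks"]])

def edge_step(aut, edge, j):       # T_i(e) between steps j and j+1
    src, a, guard, resets, dst = edge
    at = "at" + aut["name"]
    return conj(f"(= {v(at, j)} {src})", f"(= {v('act', j)} {ACTIONS[a]})",
                *[constraint(cl, op, c, j) for cl, op, c in guard],
                *[f"(= {v(cl, j + 1)} {'0.0' if cl in resets else v(cl, j)})"
                  for cl in aut["clocks"]],                       # z_j: reset or copied
                f"(= {v(at, j + 1)} {dst})", invariant(aut, dst, j + 1))

def inactivity(aut, j):            # xi(A_i): location and clocks unchanged, act not ours
    at = "at" + aut["name"]
    own = {a for _, a, _, _, _ in aut["edges"]} | {"delay"}
    return conj(f"(= {v(at, j + 1)} {v(at, j)})",
                *[f"(= {v(cl, j + 1)} {v(cl, j)})" for cl in aut["clocks"]],
                *[f"(not (= {v('act', j)} {ACTIONS[a]}))" for a in sorted(own)])

def delay_step(aut, j):            # D_i: every clock advances by delta_j, invariants kept
    at = "at" + aut["name"]
    return conj(*[f"(=> (= {v(at, j)} {l}) {invariant(aut, l, j + 1)})" for l in aut["inv"]],
                f"(= {v('act', j)} {ACTIONS['delay']})",
                *[f"(= {v(cl, j + 1)} (+ {v(cl, j)} {v('delta', j)}))" for cl in aut["clocks"]],
                f"(= {v(at, j + 1)} {v(at, j)})")

def transition(aut, j):            # T_i as its list of disjuncts: edges, xi(A_i), D_i
    return [edge_step(aut, e, j) for e in aut["edges"]] + [inactivity(aut, j), delay_step(aut, j)]

def unfold(network, k, target=None):
    """[M_s]_k: I_i at step 0, T_i and delta_j >= 0 for every j < k, optional target at k."""
    decls = []
    for j in range(k + 1):
        for aut in network:
            decls.append(f"(declare-const {v('at' + aut['name'], j)} Int)")
            decls += [f"(declare-const {v(cl, j)} Real)" for cl in aut["clocks"]]
        decls += [f"(declare-const {v('act', j)} Int)", f"(declare-const {v('delta', j)} Real)"]
    asserts = [f"(assert {init_formula(aut)})" for aut in network]
    for j in range(k):
        asserts.append(f"(assert (>= {v('delta', j)} 0.0))")
        asserts += [f"(assert {disj(transition(aut, j))})" for aut in network]
    if target:
        asserts.append(f"(assert {target(k)})")
    return "\n".join(["(set-logic QF_LIRA)"] + decls + asserts + ["(check-sat)", "(get-model)"])

if __name__ == "__main__":
    # Query: can both components be in location 2 after exactly 4 steps?
    print(unfold(NETWORK, 4, lambda k: f"(and (= at1_{k} 2) (= at2_{k} 2))"))
```

The size of the script grows with the sum of the component sizes and with $k$: for the two automata above each `transition` has four disjuncts, exactly the four lines of $T_1$ and $T_2$ given in the text, and no location pair ever appears.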
Theorem 4.2 (BMC for Networks of Timed Automata) Consider two timed automata with disjoint sets of clocks, $A_i = \langle L_i, l^i_0, \Sigma_i, Cl_i, E_i, Inv_i \rangle$, for $i = 1, 2$. Let $M_s = \langle I_s, T_s \rangle$ be the program corresponding to the network $A_1 \parallel A_2$ as given in Definition 4.1, and $M = \langle I, T \rangle$ be the program encoding the product automaton $A_1 \parallel A_2$ according to Definition 3.1. Then for every $k \in \mathbb{N}$, the $k$th unfoldings of $M_s$ and $M$ are equisatisfiable, that is, $[M_s]_k$ is satisfiable if and only if $[M]_k$ is.

Proof sketch. By induction over $k$ we show that $[M]_k$ and $[M_s]_k$ are equisatisfiable.
5 Discussion and Conclusion

We presented a bounded model checking procedure (BMC) for timed automata and linear temporal logic with real-valued clock constraints. The main contribution is a complete BMC algorithm for timed automata⁴, which is compositional in that Boolean constraint formulas encoding complex systems can be obtained by Boolean combinations of the encodings of the components. A direct encoding of the product automaton would cause an exponential blow-up in the length of the resulting Boolean constraint formula. Further, we give lower and upper bounds for the length $k$ of counterexamples that depend on the structure of the Büchi automaton of the given formula and on the region automaton corresponding to the timed automaton.
Recently and independently, bounded model checking for timed systems has also been studied by other researchers. Niebert, Mahfoudh, Asarin, Bozga, Jain, and Maler [25] give a translation of timed automata into formulas in Pratt's difference logic, and express bounded reachability problems for timed automata as formulas in this logic. Audemard, Cimatti, Kornilowicz, and Sebastiani [5] extend the techniques from [8] to timed systems, and illustrate that the running time of bounded reachability for timed systems can be improved considerably using symmetry reduction. Penczek, Wozna, and Zbrzezny [27] also extend the techniques from [8] to timed automata and TACTL. The regions corresponding to the timed automaton, together with a TACTL formula, are encoded into a Boolean constraint formula, whose satisfiability is checked using an in-house developed tool. The technique presented there is not compositional.
The main problem of the BMC approach is to come up with efficient algorithms for solving the satisfiability problem for Boolean constraint formulas. Specialized data structures for timed automata, such as difference bounded matrices (DBM) [14], clock difference diagrams (CDD) [21], or difference decision diagrams (DDD) [23], cannot be applied directly to BMC, since the generated formulas contain clock constraints of the form $x' - x = y' - y$, as needed for encoding the delay steps. However, timing constraints that relate four clock variables can be reduced to equivalent timing constraints with two variables, expressible in Pratt's difference logic, by introducing a global variable $T$ that measures the time since system start and is never reset, as shown in [25]. For every clock $x_i$ the variable $C_i = T - x_i$ represents the last time at which $x_i$ was reset. Now guards and invariants are evaluated on $T - C_i$ instead of on $x_i$, time elapse affects only $T$, and a reset of $x_i$ at time $T$ corresponds to the assignment $C_i := T$.
On the other hand, general-purpose theorem proving, such as PVS [26], which uses a combination of BDDs [7] and linear arithmetic reasoning based on loop residues [28], does not work very efficiently. For example, finding a counterexample of length $k = 2$ in the (modified) train gate controller protocol requires around 70 seconds, and for $k = 3$ around 8500 seconds. Recently, new techniques for checking satisfiability of Boolean constraint formulas have been developed by combining SAT solvers with domain-specific decision procedures based on lemmas on demand [13,6]. A prototypical satisfiability solver [13,12] has been implemented that combines an in-house developed SAT solver with the decision procedures of ICS [15]. The core of the satisfiability solver is a refinement algorithm based on lazy theorem proving. In each refinement step, the Boolean satisfiability checker is used to suggest candidate assignments. Then ICS checks whether such a Boolean assignment determines a consistent assignment for the corresponding set of constraints. Whenever such a consistency check fails, the current Boolean formula is refined by adding a Boolean analogue of this inconsistency. The SAT solver is restarted, and a new candidate assignment for the refined formula is suggested.

⁴ The completeness proof can be adapted to any system with a finite bisimulation.

Fig. 4. Train gate controller: time for searching for counterexamples of length 5 to 100. [Plot of time in seconds (0 to 1800) against the length of the counterexamples searched for (10 to 70).] For length 10 we obtain 0.46 seconds, for length 50, 508 seconds, and for length 70, 1655 seconds.
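The reduction to difference logic and the lazy refinement loop described above, as an added example that is not the paper's own tool: the Figure 3 network is checked for bounded reachability by rewriting every guard, reset and delay of the compositional encoding over the global time $T_j$ and the reset times $C_{x,j}$, so that all timing constraints become difference constraints $u - w \leq c$, which a Bellman-Ford pass decides (the constraint graph is consistent iff it has no negative cycle). The Boolean part, which action is taken at each step, is enumerated by a depth-first search that abandons a prefix as soon as its difference constraints become inconsistent; this enumeration stands in for the SAT solver and ICS of the refinement loop, which is practical here only because the alphabet is tiny. Variable names, the dict layout of the automata, the supported guard operators and all helper names are assumptions of this example.

```python
"""Bounded reachability for the Figure 3 network via difference constraints.

Added example, not the paper's own tool. Every clock value is written as
T_j - C_x_j (global time minus last reset time), so guards, resets and delays
become difference constraints u - w <= c, decided by Bellman-Ford. Variable
names, dict layout and helper names are assumptions of this example.
"""
from itertools import chain, product

# Figure 3 automata: edges are (source, action, guard, resets, target);
# guards and invariants are lists of (clock, op, const) with op in {=, <=, >=}.
A1 = dict(init=0, clocks=["x"], inv={},
          edges=[(0, "a", [], {"x"}, 1), (0, "b", [("x", "=", 1)], set(), 2)])
A2 = dict(init=0, clocks=["y"], inv={},
          edges=[(0, "a", [("y", "=", 2)], set(), 1), (0, "c", [], set(), 2)])
NETWORK = [A1, A2]
ZERO = "zero"        # reference variable pinned to 0, so "T_0 = 0" is a difference constraint

def alphabet(aut):
    return {a for _, a, _, _, _ in aut["edges"]}

def T(j):            # global time at unfolding step j (never reset)
    return f"T_{j}"

def C(clock, j):     # time of the last reset of `clock`, as of step j
    return f"C_{clock}_{j}"

def eq(u, w, c=0):   # u - w = c, as the two constraints u - w <= c and w - u <= -c
    return [(u, w, c), (w, u, -c)]

def clock_constraint(clock, op, c, j):
    """x op c at step j, with x = T_j - C_x_j (op in {=, <=, >=})."""
    t, r = T(j), C(clock, j)
    return {"=": eq(t, r, c), "<=": [(t, r, c)], ">=": [(r, t, -c)]}[op]

def feasible(constraints):
    """Bellman-Ford on the constraint graph (u - w <= c is an edge w -> u of weight c).
    Returns a satisfying assignment, or None if a negative cycle makes it inconsistent."""
    nodes = {ZERO} | {n for u, w, _ in constraints for n in (u, w)}
    dist = dict.fromkeys(nodes, 0.0)          # implicit source with 0-weight edges to all nodes
    for _ in range(len(nodes) - 1):
        changed = False
        for u, w, c in constraints:
            if dist[w] + c < dist[u]:
                dist[u], changed = dist[w] + c, True
        if not changed:
            break
    if any(dist[w] + c < dist[u] for u, w, c in constraints):
        return None
    return {n: d - dist[ZERO] for n, d in dist.items()}   # shift so that ZERO is 0

def step_alternatives(network, locs, action, j):
    """All ways the network can perform `action` from `locs` at step j -> j+1.
    Each alternative is (new locations, difference constraints of that step)."""
    if action == "delay":                     # D_i for every component: T advances, C unchanged
        cs = [(T(j), T(j + 1), 0)]            # T_j - T_{j+1} <= 0, i.e. delta >= 0
        for aut, loc in zip(network, locs):
            cs += [c for cl in aut["clocks"] for c in eq(C(cl, j + 1), C(cl, j))]
            cs += [c for cl, op, k in aut["inv"].get(loc, []) for c in clock_constraint(cl, op, k, j + 1)]
        return [(list(locs), cs)]
    choices = []                              # per component: list of (target location, constraints)
    for aut, loc in zip(network, locs):
        if action not in alphabet(aut):       # xi(A_i): the component stays where it is
            choices.append([(loc, [c for cl in aut["clocks"] for c in eq(C(cl, j + 1), C(cl, j))])])
            continue
        opts = []
        for src, a, guard, resets, dst in aut["edges"]:
            if src != loc or a != action:
                continue
            cs = [c for cl, op, k in guard for c in clock_constraint(cl, op, k, j)]
            cs += [c for cl in aut["clocks"]  # reset: C := T, otherwise C is copied
                   for c in (eq(C(cl, j + 1), T(j)) if cl in resets else eq(C(cl, j + 1), C(cl, j)))]
            cs += [c for cl, op, k in aut["inv"].get(dst, []) for c in clock_constraint(cl, op, k, j + 1)]
            opts.append((dst, cs))
        if not opts:                          # a shared action this component cannot synchronise on
            return []
        choices.append(opts)
    base = eq(T(j + 1), T(j))                 # no time elapses on a discrete step
    return [([dst for dst, _ in combo], base + [c for _, cs in combo for c in cs])
            for combo in product(*choices)]

def bmc(network, k, target):
    """Depth-first search for a run of exactly k steps whose final location vector
    satisfies `target`; returns (actions, [T_0, ..., T_k]) or None."""
    actions = sorted(set(chain.from_iterable(alphabet(a) for a in network))) + ["delay"]
    init = eq(T(0), ZERO) + [c for aut in network for cl in aut["clocks"] for c in eq(C(cl, 0), ZERO)]

    def dfs(j, locs, path, cs):
        if j == k:
            model = feasible(cs)
            return (path, [model[T(i)] for i in range(k + 1)]) if target(locs) and model else None
        for a in actions:
            for new, extra in step_alternatives(network, locs, a, j):
                if feasible(cs + extra) is None:   # theory conflict: this prefix is dead
                    continue
                found = dfs(j + 1, new, path + [a], cs + extra)
                if found:
                    return found
        return None

    return dfs(0, [aut["init"] for aut in network], [], init)

if __name__ == "__main__":
    for k in range(1, 5):
        print(k, bmc(NETWORK, k, lambda locs: locs == [2, 2]))
```

For the target "both components in location 2" no run of two steps exists, because $b$ needs $x = 1$ and no time has elapsed; the first run of three steps found is $c$, $delay$, $b$, and the returned global times show the delay step advancing $T$ from 0 to 1 while the reset times $C$ stay at 0.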
We have performed some initial experiments, using the train gate controller and Fischer's mutual exclusion protocol [20], with a slight modification of the timing constraints. We encoded the systems as Boolean constraint formulas in a compositional way. For the train gate controller we checked the safety property that whenever the train is in the crossing the gate is closed. On a Pentium III, 500 MHz, 1 GB, we found a counterexample of length 4 in 0.01 seconds. Using the correct version of the protocol, that is, with timing constraints that guarantee the above safety property, we proved that there is no counterexample of length $i$, for $i \leq 100$. The timing performance for $k = 10, 20, 30, 40, 50, 60, 70$ is illustrated in Figure 4. For $k = 80$ the obtained time was greater than 4 hours, and for $k = 100$ greater than 5 hours. Note that in the case of the correct version of the train gate controller we are performing bounded verification, and not only searching for counterexamples. For Fischer's mutual exclusion protocol we checked the mutual exclusion property for $n = 2, \ldots, 10$ processes. On a Pentium III, 500 MHz, 1 GB, for 5 processes a counterexample of length 9 was found in 25.87 seconds. For a system consisting of 10 processes a counterexample of length 8 was found in 62.42 seconds.

Although still at an initial stage, the experiments performed show that BMC is a promising technique for verifying timed systems. Errors in larger systems, for which conventional timed model checking tools fail or are inefficient, can be found using BMC.
Acknowledgement
We would like to thank the anonymous referees for their helpful comments for
improving this paper. Leonardo de Moura helped with the experiments and
also provided many useful inputs.
References
[1] Alur, R., "Techniques for Automatic Verification of Real-Time Systems," Ph.D. thesis, Stanford University (1991).
[2] Alur, R., Timed automata, Lecture Notes in Computer Science 1633 (1999), pp. 8–22.
[3] Alur, R., C. Courcoubetis and D. Dill, Model-checking for real-time systems, 5th Symp. on Logic in Computer Science (LICS 90) (1990), pp. 414–425.
[4] Alur, R. and D. L. Dill, A theory of timed automata, Theoretical Computer Science 126 (1994), pp. 183–235.
[5] Audemard, G., A. Cimatti, A. Kornilowicz and R. Sebastiani, Bounded model checking for timed systems, Proceedings of the 2nd Workshop on Real-Time Tools (RT-TOOLS'2002) (2002).
[6] Barrett, C. W., D. L. Dill and A. Stump, Checking satisfiability of first-order formulas by incremental translation to SAT (2002), to be presented at CAV 2002.
[7] Bryant, R. E., Graph-based algorithms for Boolean function manipulation, IEEE Transactions on Computers C-35 (1986), pp. 677–691.
[8] Clarke, E. M., A. Biere, R. Raimi and Y. Zhu, Bounded model checking using satisfiability solving, Formal Methods in System Design 19 (2001), pp. 7–34.
[9] Copty, F., L. Fix, R. Fraer, E. Giunchiglia, G. Kamhi, A. Tacchella and M. Vardi, Benefits of bounded model checking in an industrial setting, in: Computer-Aided Verification, CAV 2001, Lecture Notes in Computer Science 2101 (2001), pp. 436–453.
[10] Dams, D. R., "Abstract Interpretation and Partition Refinement for Model Checking," Ph.D. thesis, Eindhoven University of Technology, P.O. Box 513, 5600 MB Eindhoven, The Netherlands (1996).
[11] Daws, C., A. Olivero, S. Tripakis and S. Yovine, The tool KRONOS, Lecture Notes in Computer Science 1066 (1996), pp. 208–219.
[12] de Moura, L. and H. Rueß, Lemmas on demand for satisfiability solvers, in: Proceedings of the Fifth International Symposium on the Theory and Applications of Satisfiability Testing (SAT 2002), Cincinnati, Ohio, 2002.
[13] de Moura, L., H. Rueß and M. Sorea, Lazy theorem proving for bounded model checking over infinite domains, in: A. Voronkov, editor, 18th Conference on Automated Deduction (CADE), Lecture Notes in Computer Science 2392 (2002), pp. 438–455.
[14] Dill, D., Timing assumptions and verification of finite-state concurrent systems, in: Proceedings of the International Workshop on Automatic Verification Methods for Finite State Systems, Lecture Notes in Computer Science 407 (1989), pp. 197–212.
[15] Filliâtre, J.-C., S. Owre, H. Rueß and N. Shankar, ICS: Integrated canonizer and solver, in: G. Berry, H. Comon and A. Finkel, editors, Proceedings of CAV'2001, Lecture Notes in Computer Science 2102 (2001), pp. 246–249.
[16] Gerth, R., D. Peled, M. Vardi and P. Wolper, Simple on-the-fly automatic verification of linear temporal logic, in: Protocol Specification, Testing and Verification (1995), pp. 3–18.
[17] Henzinger, T. A., P.-H. Ho and H. Wong-Toi, HYTECH: A model checker for hybrid systems, Lecture Notes in Computer Science 1254 (1997), pp. 460–463.
[18] Henzinger, T. A., X. Nicollin, J. Sifakis and S. Yovine, Symbolic model checking for real-time systems, Information and Computation 111 (1994), pp. 193–244.
[19] Kupferman, O. and M. Y. Vardi, Model checking of safety properties, Formal Methods in System Design 19 (2001), pp. 291–314.
[20] Lamport, L., A fast mutual exclusion algorithm, ACM Transactions on Computer Systems 5 (1987), pp. 1–11.
[21] Larsen, K. G., J. Pearson, C. Weise and W. Yi, Clock difference diagrams, Nordic Journal of Computing 6 (1999), pp. 271–298.
[22] Larsen, K. G., P. Pettersson and W. Yi, Uppaal in a nutshell, Int. Journal on Software Tools for Technology Transfer 1 (1997), pp. 134–152.
[23] Møller, J., J. Lichtenberg, H. R. Andersen and H. Hulgaard, Difference decision diagrams, in: Computer Science Logic, The IT University of Copenhagen, Denmark, 1999.
[24] Möller, M. O., H. Rueß and M. Sorea, Predicate abstraction for dense real-time systems, in: E. Asarin, O. Maler and S. Yovine, editors, Theory and Practice of Timed Systems (TPTS'02), Electronic Notes in Theoretical Computer Science 65, 2002. URL http://www.elsevier.com/locate/entcs/volume65.html
[25] Niebert, P., M. Mahfoudh, E. Asarin, M. Bozga, N. Jain and O. Maler, Verification of timed automata via satisfiability checking, in: Proceedings of the 7th International Symposium on Formal Techniques in Real-Time and Fault Tolerant Systems (FTRTFT), Lecture Notes in Computer Science (2002).
[26] Owre, S., J. M. Rushby and N. Shankar, PVS: A prototype verification system, in: 11th International Conference on Automated Deduction (CADE), Lecture Notes in Artificial Intelligence 607 (1992), pp. 748–752.
[27] Penczek, W., B. Wozna and A. Zbrzezny, Towards bounded model checking for the universal fragment of TCTL, in: Proceedings of the 7th International Symposium on Formal Techniques in Real-Time and Fault Tolerant Systems (FTRTFT), Lecture Notes in Computer Science (2002).
[28] Shostak, R., Deciding linear inequalities by computing loop residues, Journal of the ACM 28 (1981), pp. 769–779.
[29] Sistla, A. P., Safety, liveness and fairness in temporal logic, Formal Aspects of Computing 6 (1994), pp. 495–512.
[30] Sorea, M., Tempo: A model-checker for event-recording automata, in: Proceedings of RT-TOOLS'01, Aalborg, Denmark, 2001, also available as Technical Report SRI-CSL-01-04, Computer Science Laboratory, SRI International, Menlo Park, CA, 2001. URL http://www.csl.sri.com/papers/csl-01-04/
[31] Tripakis, S. and S. Yovine, Analysis of timed systems using time-abstracting bisimulations, Formal Methods in System Design 18 (2001), pp. 25–68, Kluwer Academic Publishers.