Abstract. Markov chains are a well-known stochastic process that provides a balance between being able to adequately model the system's behavior and being able to afford the cost of the model solution. Systems can be modeled directly as Markov chains, or with a higher-level formalism for which Markov chains represent the underlying semantics. Markov chains are widely used to study the performance of computer and telecommunication systems. The definition of stochastic temporal logics like Continuous Stochastic Logic (CSL) and its variant asCSL, and of their model-checking algorithms, allows a unified approach to the verification of systems, mixing performance evaluation and probabilistic verification. In this paper, we present the stochastic logic CSL^TA, which is more expressive than CSL and asCSL, and in which properties are specified using automata (more precisely, timed automata with a single clock). The gain in expressiveness allows the specification of properties referring to the probability of a finite sequence of timed events. A typical example is the responsiveness property "with probability at least 0.75, a message sent at time 0 by a system A will be received before time 5 by system B and the acknowledgment will be back at A before time 7", a property that cannot be expressed in either CSL or asCSL. Furthermore, the choice of using automata rather than the classical temporal operators Next and Until should help in making model checking accessible to a larger public. We also present a model-checking algorithm for CSL^TA.
quasi-standard profile such as UML-SPT [2] and MARTE [3], to various performance evaluation formalisms like queuing networks [4], stochastic Petri nets [5], and stochastic process algebras [6], whose underlying stochastic process is, in most cases, a CTMC. A complete overview of the tools and algorithms for the translation from UML diagrams to performance models can be found in [7].
Historically, CTMCs have been analyzed using steady-state and transient analysis, which compute, respectively, the probability of finding the system in a given state once it has reached equilibrium and the probability of finding it in a given state at time $t$. On top of these basic methods, state and/or transition rewards allow the computation of performance and dependability measures.
More recently, the definition of Continuous Stochastic Logic (CSL) [8] , [9] and variants, such as asCSL [10] , has introduced a new approach for the definition of the performance and dependability properties of a system. Temporal-logic-based approaches are particularly useful when the measure of interest depends on the execution path. Given a formal description of the system and its requirements, we can then execute a model-checking algorithm which establishes automatically whether the system model meets the requirements expressed in CSL or asCSL.
To illustrate the advantages of stochastic logics, consider a system whose stochastic behavior is described by a CTMC, whose states (of which there can be millions) are partitioned into "system is working properly" (work-states), "system is working in degraded mode" (degr-states), or "system is not working properly" (fail-states). The CTMC can move from work to degr states and to fail states (either directly or through degr states). A simple example of CTMC exhibiting this behavior is shown in Fig. 1 . A classical dependability property requires the computation of the probability of failing within the time interval I, or later than a given threshold t: these probabilities can be easily computed using classical solution methods for CTMCs.
Instead, if we are interested only in those failures in which the system fails within the time interval $I$ without first entering the degraded mode, we have to compute the probability of reaching a fail state within $I$ while passing only through work states. The stochastic temporal logic CSL has temporal operators that allow a simple and semantically clear description of such a property using the Until operator: $\mathcal{P}(\mathit{work}\ \mathcal{U}^{I}\ \mathit{fail})$, where the operator $\mathcal{P}$ carries a probability bound. The property is satisfied in a state $s$ if the set of timed paths of the CTMC that start in $s$ and visit only work states before entering a fail state at a time in the interval $I$ has a probability at most that bound.
The logic asCSL permits the specification of paths in terms of state labels (such as work, degr, and fail) and action labels. For example, $\mathcal{P}\big(((\mathit{work},Act)^{*};(\mathit{work},\mathit{failure1});(\mathit{fail},\surd))^{I}\big)$ is similar to the CSL formula above, with the additional restriction that the change from work-states to fail-states is due to action failure1.
In this paper, we propose the new stochastic temporal logic Continuous Stochastic Logic with Timed Automata (CSL^TA), which builds on CSL and asCSL by enriching the set of properties that can be defined and verified, and we present its associated model-checking algorithm. Let us first explain the main motivations for introducing a new logic. The modifications are along two lines: properties are specified using deterministic one-clock timed automata, and the resulting logic is at least as expressive as CSL and asCSL (and strictly more expressive than CSL and than asCSL without nested formulas). For the time being, we shall be informal, at the risk of being slightly imprecise, to convey the main ideas. The rest of the paper provides the required formal development.
The idea of using automata for specifying system behavior is familiar to computer scientists in general and to software engineers in particular. The use of automata to specify temporal logic properties is not new: Vardi and Wolper [11] define a linear-time temporal logic with Büchi automata operators, while Clarke et al. [12] introduce the temporal logic ECTL, which uses Muller automata to specify linear and branching temporal properties, and develop an associated model-checking algorithm.
Timed automata [13] are a widespread formalism for the specification of timed systems, and are supported by tools such as UPPAAL [14] . Previous work has considered the use of timed automata to specify both the system and the properties that it should satisfy [13] , or, more typically, the use of timed temporal logic to specify the properties of a timed automata system [15] , [16] ; observe that, in [16] , the model-checking algorithm involves the transformation of temporal logic properties into timed automata. In this paper, we use timed automata to specify timed and probabilistic properties of the system and not to specify the system itself.
We illustrate the limitations of CSL and asCSL with respect to CSL^TA using again the CTMC of Fig. 1. Assume that we are interested in the probability of the system exhibiting the following behavior: the system goes from work states to degr states and then from degr states to fail states, in a time greater than or equal to $t$. This property can be expressed in CSL^TA using the timed automaton of Fig. 2a, where $x$ is a clock (a variable whose value increases at the same rate as time). This property can also be expressed in asCSL, using a formula similar to the one given above: $\mathcal{P}\big(((\mathit{work},Act)^{*};(\mathit{degr},Act)^{*};(\mathit{fail},\surd))^{I}\big)$ for the interval $I = [t,\infty)$. This property cannot be expressed in CSL, which can only express the probability of being in work or degr states until, at a time at least $t$, the system moves to fail states: this property is obviously not equivalent to the original one, since it also includes paths that cycle between work and degr states. Now, assume that the QoS requirements imposed on the system are more stringent and detailed, requiring that, with at least a given probability, the system goes from work states to degr states in no less than $t'$ time units and then from degr states to fail states in no less than $t''$ time units. Paths are, therefore, characterized in terms of states and in terms of two time constraints. This property can be expressed in CSL^TA using the timed automaton of Fig. 2b, where the edge label $\{x\}$ indicates that the clock $x$ is reset to zero on traversal of the edge. Observe that the two properties are different because Fig. 2a checks only the global time taken to get to fail states, while Fig. 2b also "looks" inside the composition of this duration: indeed, the automaton of Fig. 2b is not equivalent to the automaton of Fig. 2a with $t = t' + t''$. This QoS requirement cannot be expressed either in CSL or in asCSL, as will be explained in later sections.
What can indeed be expressed in CSL and asCSL is that, with probability at most a first bound, the system moves not before $t'$ from work states to the subset of degr states from which, with probability at most a second bound, the system moves to fail states not before $t''$. Note that we have to utilize a "fake" probability, introducing an overspecification with respect to the original QoS requirement, because timed intervals cannot be nested directly in CSL and asCSL, while probabilistic operators can be nested. Note that taking the second bound equal to 1 does not solve the problem. In addition to introducing CSL^TA, we present its associated model-checking algorithm. Contrary to previous approaches that perform ad hoc transformations of the CTMC before a transient or steady-state analysis, this algorithm generates a Markov regenerative process and then computes a reachability probability on this process. Furthermore, we prove that CSL^TA is at least as expressive as CSL and asCSL: it is possible to transform any CSL or asCSL formula into an equivalent CSL^TA formula. We note that the CSL^TA model-checking algorithm, when executed on CSL^TA properties obtained from CSL properties, is no more expensive in terms of computational complexity than the CSL model-checking algorithm of [9]. Finally, we show that CSL^TA is strictly more expressive than CSL; note that the proof technique used is different from those used in the nonstochastic context, for example, in [17]. We also show that CSL^TA is more expressive than asCSL when restricting to the case of formulas without nesting.
With regard to related work, performance metrics that depend on paths have also been studied in [18], [19]. In particular, the work in [19] uses automata for the specification of the set of paths of interest of a CTMC: rewards, which are usually associated with states or transitions of the CTMC, are instead associated with locations and transitions of the automaton, thus providing a wide range of performance measures based on states and/or events of the CTMC. We also note that the logic CSL^TA is similar to the logic TECTL$^{*}_{\exists}$ [20] from the nonprobabilistic model-checking literature. One-clock timed automata have been studied in, for example, [21], [22]. Finally, we recall that the original definition of CSL permitted the description of a sequence of timed Until formulas within a single probabilistic operator $\mathcal{P}$ [8], in contrast to the more established definition in which only one timed Until formula can be included within a probabilistic operator; however, the decidability results of [8] are based on results from algebraic and transcendental number theory, whereas established performance evaluation techniques are used as the foundation of the algorithms for CSL in [9] and for CSL^TA in this paper. The rest of the paper is organized as follows: Section 2 defines the syntax and semantics of CSL^TA, illustrated with the help of small examples. Section 3 presents the model-checking algorithm for CSL^TA and gives an example on a simple CTMC, while Section 4 compares the expressiveness of CSL^TA, CSL, and asCSL. Section 5 summarizes the paper and discusses future work. A conference version of this paper appears as [23]. We extend that version in the following ways: the semantics of CSL^TA is improved in order to make the modeling of properties more intuitive, Section 3 is expanded, and a more formal approach, including proofs of the main results, is taken in Section 4.
2 SYNTAX AND SEMANTICS OF CSL^TA
In this section, we first introduce a number of preliminary concepts. After defining a class of labeled CTMCs, we recall the notion of execution path of a CTMC as a finite or infinite sequence of transitions from state to state. We then introduce a restricted class of timed automata, and consider the manner in which such automata can be used to express properties of CTMC execution paths. Finally, we introduce the syntax of CSL^TA, which is similar to CSL but which uses timed automata to express properties of paths, and present its semantics.
Labeled Markov Chains
We first introduce continuous-time Markov chains labeled both by atomic propositions on states and by actions on transitions.
Atomic propositions can refer to basic properties that are observed when the system is in a state (such as idle or error), whereas actions refer to basic properties that are observed when the system makes a transition from state to state (such as activate or send message). Such labeled Markov chains can be used as the underlying semantic model of high-level formalisms such as stochastic Petri nets and stochastic process algebras. Let $\mathbb{R}_{\ge 0}$ ($\mathbb{R}_{> 0}$) be the set of nonnegative (positive) reals and let $\mathbb{N}$ be the set of natural numbers.
Definition 2.1 (Action- and State-Labeled Markov Chain). An action- and state-labeled continuous-time Markov chain (ASMC) is a tuple $\mathcal{M} = \langle S, Act, AP, lab, R\rangle$, where $S$ is a finite set of states, $Act$ is a finite set of action labels, $AP$ is a finite set of atomic propositions, $lab : S \to 2^{AP}$ is a state labeling function, and $R : S \times Act \times S \to \mathbb{R}_{\ge 0}$ is a rate matrix. We require that, for any state $s$, there exists a pair $(a, s') \in Act \times S$ with $R(s, a, s') > 0$.

The probability measure on $Path^{\mathcal{M}}(s)$ is defined in the standard manner (for example, see [9], [10]). Let $\sigma = s_0 \xrightarrow{a_0,\delta_0} s_1 \xrightarrow{a_1,\delta_1} \cdots \xrightarrow{a_{n-1},\delta_{n-1}} s_n$ be a finite path, where $\delta_i$ is the time spent in $s_i$ before the transition labeled $a_i$ is taken. Then $|\sigma| = n$ denotes the length of $\sigma$ and $\sum_{i=0}^{n-1} \delta_i$ is the total duration of $\sigma$. By convention, $\delta_{-1} = 0$. For an infinite path $\sigma$, we let $|\sigma| = \infty$ and its total duration be $\infty$.
As usual, we can describe an ASMC by a graph. An example of an ASMC is given in Fig. 3 . The vertices of this graph are its states whereas the edges represent its transitions. The atomic propositions (here p and q) that are satisfied in a state are indicated near the corresponding node. Finally, the rate of a transition labels the corresponding edge.
Timed Automata
We now present a restricted variant of timed automata [13], which are used in CSL^TA to describe properties of ASMC paths. More precisely, in our context, timed automata are used as acceptors of finite ASMC paths. The class of timed automata that we consider is deterministic (i.e., given a path $\sigma$ of an ASMC, there is at most one path of the timed automaton which reads $\sigma$) and has a single clock. As in classical analysis techniques for timed automata [13], we present our timed automata using natural-number constants (rational constants can also be handled by rescaling).

We proceed to define deterministic (one-clock) timed automata. We use the symbol $\sharp$ to denote a pseudo-action that is not included in the action set $Act$ of any ASMC ($\sharp \notin Act$). Clock variables are real-valued variables whose value increases linearly with time. We consider a single clock variable $x$. A valuation $\bar{x} \in \mathbb{R}_{\ge 0}$ is interpreted as assigning a nonnegative real value to $x$. A constraint is of the form $c \lhd x \lhd' c'$ or $c \lhd x$, where $c, c' \in \mathbb{N}$, $c \le c'$, and $\lhd, \lhd'$ each stand for either $<$ or $\le$. An inner constraint is a constraint $c \lhd x \lhd' c'$ such that $c < c'$. The set of inner constraints is denoted $Inner$. A boundary constraint is a constraint $c \le x \le c'$ such that $c = c'$; we generally write boundary constraints as $x = c$. The set of boundary constraints is denoted $Boundary$. Let $\gamma$ be a constraint and $\bar{x}$ be a clock valuation. Then, we write $\bar{x} \models \gamma$ if $\gamma$ is satisfied when $\bar{x}$ is substituted for $x$ in $\gamma$.
Let $\Phi_1$ and $\Phi_2$ be state propositions in the alphabet $\Sigma$. Fig. 4 depicts a DTA, using the usual conventions for the graphical representation of timed automata (i.e., nodes represent locations, and edges are labeled with their guards, action sets, and the set of clocks to be reset to 0, respectively). Initial locations are denoted by an incoming arrow with no source, and final locations by a double border. Edges labeled by $\sharp$ are called boundary edges, while the other edges are called inner edges. For the DTA of Fig. 4, determinism is obvious because there is no choice allowed. Fig. 5 shows a more complex DTA, with inner edges (the self-loops on $l_0$ and $l_1$, and the arc from $l_1$ to $l_2$) and boundary edges (the arcs from $l_0$ to $l_1$ and from $l_0$ to $l_2$). The DTA respects the determinism constraints of the definition because the two boundary edges out of location $l_0$ lead to two locations whose labelings cannot both be satisfied by any state of an ASMC (indeed,
The semantics of DTA, expressed in terms of paths, is standard [13] , apart from the case of boundary edges, which are urgent and have priority over other edges. Urgency specifies that time cannot elapse if a boundary edge is enabled and it is a feature of the variants of timed automata used in the tools UPPAAL [14] and KRONOS [24] . In our context, the notions of urgency and priority are not relevant when considering a DTA in isolation. They will be introduced later when we define the notion of a path of a DTA that reads an ASMC path, and the notion of path acceptance (Definition 2.7).
Examples of DTA: Next and Until. The DTA $\mathcal{A}_{X^{[\alpha,\beta]}\Phi_1}$ in Fig. 4 specifies behaviors in which the first transition of $\mathcal{M}$ must be taken to a state satisfying $\Phi_1$ after at least $\alpha$ time units, but not after $\beta$ time units, and corresponds to the Next path formula $X^{[\alpha,\beta]}\Phi_1$ of CSL [9]. The action of the transition is not important; this fact is represented by the action set $Act$ on the edge of the DTA. We can use the DTA $\mathcal{A}_{\Phi_1 U^{[\alpha,\beta]} \Phi_2}$ of Fig. 5 to represent the property of eventually reaching a state satisfying $\Phi_2$ at some instant between $\alpha$ and $\beta$ time units, remaining within states satisfying $\Phi_1$ before that point (the timed Until path property $\Phi_1 U^{[\alpha,\beta]} \Phi_2$ of CSL [9]). In contrast to the previous example, this DTA uses boundary edges, which witness that the time interval $[\alpha,\beta]$ has been entered. In this way, we distinguish between the time interval $[0,\alpha)$, where the truth value of $\Phi_2$ is irrelevant, and the time interval $[\alpha,\beta]$, where the truth value of $\Phi_2$ becomes relevant.
Paths of a DTA. We now define a notion of path in a DTA, which represents a timed evolution of the automaton.
Definition 2.4 (Configurations of $\mathcal{A}$). A configuration of a DTA $\mathcal{A}$ is a pair $(l, \bar{x})$, where $l \in L$ and $\bar{x}$ is a valuation.

Given an edge $e = (l, \gamma, A, r, l') \in \to$, let $source(e) = l$, $guard(e) = \gamma$, $action(e) = A$, $reset(e) = r$, and $target(e) = l'$. We let the valuation $\bar{x}[x := 0]$ be equal to $0$ and let the valuation $\bar{x}[\emptyset := 0]$ be equal to $\bar{x}$.
Definition 2.5 (Step of $\mathcal{A}$). A step of a DTA $\mathcal{A}$ from a configuration $(l, \bar{x})$ is $(l, \bar{x}) \xrightarrow{\tau, e} (l', \bar{x}')$, where $e \in \to$ is an edge with $source(e) = l$, $\bar{x} + \tau \models guard(e)$, $target(e) = l'$, and $\bar{x}' = (\bar{x} + \tau)[reset(e) := 0]$.

A single step in the evolution of $\mathcal{A}$ is a transition in which we let time $\tau$ elapse and then an inner or a boundary edge is taken. Note that $\tau = 0$ is also allowed.
Definition 2.6 (Paths of $\mathcal{A}$). A finite path of a DTA $\mathcal{A}$ is a finite sequence of steps $(l_0, \bar{x}_0) \xrightarrow{\tau_0, e_0} (l_1, \bar{x}_1) \xrightarrow{\tau_1, e_1} \cdots \xrightarrow{\tau_{n-1}, e_{n-1}} (l_n, \bar{x}_n)$. An infinite path of a DTA $\mathcal{A}$ is an infinite sequence of steps $(l_0, \bar{x}_0) \xrightarrow{\tau_0, e_0} (l_1, \bar{x}_1) \xrightarrow{\tau_1, e_1} \cdots$.
Acceptance of ASMC Paths
We now give an intuitive explanation of how a path $\sigma$ of $\mathcal{M}$ is accepted by a DTA $\mathcal{A}$. The key idea is that $\mathcal{A}$ evolves according to the states and actions that it "reads" along $\sigma$. Recalling that the value of a clock in a timed automaton increases at the same rate as real time, as time elapses in $\mathcal{M}$ the value of the clock $x$ of $\mathcal{A}$ changes accordingly. Steps corresponding to inner edges of $\mathcal{A}$ are triggered by transitions of $\mathcal{M}$, whereas steps corresponding to boundary edges of $\mathcal{A}$ are triggered by the elapse of time (without a corresponding transition of $\mathcal{M}$).
The DTA $\mathcal{A}$ begins in a configuration $(l_0, 0)$ with location $l_0 \in Init$ such that the initial state $s_0$ of $\sigma$ satisfies the expression $\Lambda(l_0)$ over state propositions (formally, $s_0 \models_{\Sigma} \Lambda(l_0)$). Note that, by initial determinism, there is at most one $l \in Init$ such that $s_0$ satisfies $\Lambda(l)$. If $s_0$ does not satisfy $\Lambda(l)$ for any $l \in Init$, then $\mathcal{A}$ rejects $\sigma$.
Given the existence of $l_0 \in Init$ such that $s_0$ satisfies $\Lambda(l_0)$, the DTA $\mathcal{A}$ then moves from $(l_0, 0)$ to another configuration depending on the first transition $s_0 \xrightarrow{a_0,\delta_0} s_1$ of $\sigma$. First, we consider the case in which there are no outgoing boundary edges from $l_0$. If there exists a step $(l_0, 0) \xrightarrow{\delta_0, e_0} (l_1, \bar{x}_1)$ such that $a_0 \in action(e_0)$ and $s_1$ satisfies $\Lambda(l_1)$, then this step is taken. Note that, by determinism on actions, there exists at most one step satisfying these conditions. If no such step exists, then $\mathcal{A}$ rejects $\sigma$. Now we consider the case in which there exists at least one boundary edge from $l_0$. Consider the step $(l_0, 0) \to$ Unless $\mathcal{A}$ has already rejected $\sigma$, the path of $\mathcal{A}$ generated by $\sigma$ then continues from $(l_1, \bar{x}_1)$
Finally, if the path of $\mathcal{A}$ generated by $\sigma$ reaches a configuration with a location in $Final$, then $\sigma$ is accepted. If, however, the path of $\mathcal{A}$ generated by $\sigma$ does not reach such a configuration, then $\sigma$ is rejected. Hence, there are two ways in which $\mathcal{A}$ can reject $\sigma$: if there does not exist a step corresponding to the "reading" of a transition of $\sigma$, or if a final location is never reached.
We now formally describe the conditions for the acceptance of an ASMC path $\sigma$ by a DTA $\mathcal{A}$, in terms of
. a finite path of $\mathcal{A}$ of length $m$,
. a time $\delta'_n \le \delta_n$, and
. a function $\theta : \{0, \ldots, m\} \to \{0, \ldots, n\}$ which maps indices of $\mathcal{A}$ to indices of $\mathcal{M}$,
such that the following conditions are satisfied:
$$\sum_{j \,:\, \theta(j) = n} \tau_j = \delta'_n .$$
Condition C1 specifies that $\mathcal{A}$ must start from an initial location and end in a final location. C2 requires that the state propositions satisfy the expressions labeling the corresponding locations in the sequence. C3 specifies that $\theta$ can map consecutive indices of $\mathcal{A}$ to the same index of $\mathcal{M}$, provided that the DTA edges corresponding to these indices are boundary edges. It also requires that a transition of the ASMC in $\sigma$ be matched by a traversal of an inner edge, provided that the action of the transition is included in the action set of the edge. C4 limits the path of the DTA to paths whose steps respect the additional conditions on $\sharp$: urgency and priority of boundary edges. C5 "aligns times" by requiring that the sum of the durations $\tau_j$ in $\mathcal{A}$ corresponding to a particular index $i$ of $\mathcal{M}$ is $\delta_i$. C6 applies the reasoning of C5 to the case in which the path of $\mathcal{A}$ features boundary edges directly before reaching a final location (recall that $\delta'_n \le \delta_n$).
It should be clear that, given an ASMC $\mathcal{M}$ and a DTA $\mathcal{A}$, due to our requirements for DTA and to the additional requirements of urgency and priority of boundary edges, there is at most one path of $\mathcal{A}$ that accepts a given path of $\mathcal{M}$. Accordingly, if $s$ is a state of $\mathcal{M}$, we let $AccPath^{\mathcal{M}}(s, \mathcal{A})$ be the set of infinite paths of $\mathcal{M}$ starting from $s$ that are accepted by $\mathcal{A}$.

Examples of path acceptance. In Fig. 6, we present two examples of the way in which a path of the ASMC $\mathcal{M}$ of Fig. 3 can be accepted by the DTA $\mathcal{A}_{p U^{[\alpha,\beta]} q}$. We write $e_{ij}$ to refer to the edge of $\mathcal{A}_{p U^{[\alpha,\beta]} q}$ from location $l_i$ to location $l_j$, and we use dotted lines to represent the function $\theta$. Note that the presence of more than one dotted line from a state $s_i$ means that the DTA traverses a boundary edge. Example 1 of Fig. 6 has $\alpha = 2$ and $\beta = 6$, and depicts a case in which $q$ does not hold at time $\alpha$ but becomes true at time 5, which belongs to $[\alpha, \beta]$; therefore, the DTA reaches $l_2$ through $l_1$. Example 2 of Fig. 6 has $\alpha = 6$ and $\beta > 6$, and depicts a case in which $q$ already holds before $\alpha$; therefore, the DTA reaches $l_2$ directly from $l_0$.
We now describe briefly some examples of paths of $\mathcal{M}$ which are rejected by $\mathcal{A}_{p U^{[2,6]} q}$. If the first transition of $\mathcal{M}$ is $s_0 \xrightarrow{a, 7} s_1$, then the associated path of $\mathcal{A}_{p U^{[2,6]} q}$ will consist of the single step $(l_0, 0) \xrightarrow{2, e_{01}} (l_1, 2)$: after the value of the clock $x$ exceeds 6, it will not be possible to take further steps. If, on the other hand, the path of $\mathcal{M}$ is $s_0 \xrightarrow{a, 1} s_1 \xrightarrow{c, 0.5} s_2$, then the associated path of $\mathcal{A}_{p U^{[2,6]} q}$ will consist of the single step $(l_0, 0) \xrightarrow{1, e_{00}} (l_0, 1)$, after which it will not be possible to take any further steps: the state $s_2$ is not labeled by $p$, boundary edges are available only at time 2, and yet the transition $s_1 \xrightarrow{c, 0.5} s_2$ occurs before time 2.
All the timed automata configurations considered in Fig. 6 are configurations in which the DTA spends a nonzero amount of time: this is not always the case if boundary edges are involved. Indeed, a path obtained from the first example by splitting the step $(l_0, 0) \xrightarrow{2, e_{01}} (l_1, 2)$ into the two steps $(l_0, 0) \xrightarrow{2, e_{00}} (l_0, 2)$ and $(l_0, 2) \xrightarrow{0, e_{01}} (l_1, 2)$ is also an accepting path for the ASMC execution of the example. Another source of zero-time configurations in an accepting path is the presence in the path of more than one edge with the same clock constraint and no clock reset in between.
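As an added example (not code from the paper), the following Python implements the acceptance procedure described above for a one-clock DTA: boundary edges are urgent and fire, in increasing order of their constants, before the ASMC transition that would cross them (priority), inner edges read ASMC transitions, resets are applied on traversal, and the path is accepted at the first visit to a final location. The DTA for $p\,U^{[\alpha,\beta]}\,q$ is built from the description of Fig. 5 in the text, and the ASMC labeling used in the tests is constructed here, not taken from Fig. 3. One point the page does not spell out is my reading: when a boundary edge is enabled but no target location's label holds in the current ASMC state, the path is rejected.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACT = "Act"        # stands for the full action set of the ASMC on an inner edge
BOUNDARY = "#"     # the pseudo-action of boundary edges (the paper's sharp symbol)


@dataclass(frozen=True)
class Guard:
    """Inner constraint lo <| x <|' hi (hi=None: no upper bound); boundary edges use x = lo."""
    lo: float
    hi: Optional[float] = None
    lo_strict: bool = False
    hi_strict: bool = False

    def holds(self, x: float) -> bool:
        if x < self.lo or (self.lo_strict and x == self.lo):
            return False
        if self.hi is None:
            return True
        return x < self.hi if self.hi_strict else x <= self.hi


@dataclass(frozen=True)
class Edge:
    source: str
    guard: Guard
    actions: object     # ACT, BOUNDARY, or a frozenset of action names
    reset: bool
    target: str


@dataclass
class DTA:
    labels: dict        # location -> predicate over the atomic propositions of an ASMC state
    init: set
    final: set
    edges: List[Edge]


def accepts(dta: DTA, lab: dict, s0: str, transitions: List[Tuple[str, float, str]]) -> bool:
    """Run the DTA over the ASMC path s0 -(a0,d0)-> s1 -(a1,d1)-> ...; True iff a final
    location is reached.  lab maps ASMC states to their set of atomic propositions."""

    def elapse(loc, x, s, remaining):
        # Let `remaining` time pass in `loc`.  Boundary edges are urgent: each fires as soon
        # as the clock reaches its constant, and must lead to a location whose label holds in
        # the current ASMC state s (assumption: otherwise the path is rejected -> None).
        while True:
            due = [e for e in dta.edges if e.source == loc and e.actions == BOUNDARY
                   and x <= e.guard.lo <= x + remaining]
            if not due:
                return loc, x + remaining
            gamma = min(e.guard.lo for e in due)
            fire = [e for e in due if e.guard.lo == gamma and dta.labels[e.target](lab[s])]
            if not fire:
                return None
            e = fire[0]                       # unique by determinism on boundary edges
            remaining -= gamma - x
            loc, x = e.target, 0.0 if e.reset else gamma
            if loc in dta.final:
                return loc, x

    cands = [l for l in dta.init if dta.labels[l](lab[s0])]
    if not cands:                             # no initial location matches s0
        return False
    loc, x, s = cands[0], 0.0, s0
    conf = elapse(loc, x, s, 0.0)             # zero-time closure of boundary edges at x = 0
    if conf is None:
        return False
    loc, x = conf
    for action, delay, s_next in transitions:
        if loc in dta.final:
            return True
        conf = elapse(loc, x, s, delay)       # boundary edges have priority over the ASMC move
        if conf is None:
            return False
        loc, x = conf
        if loc in dta.final:
            return True
        # the ASMC transition must be read by the (at most one) enabled inner edge
        fire = [e for e in dta.edges if e.source == loc and e.actions != BOUNDARY
                and (e.actions == ACT or action in e.actions)
                and e.guard.holds(x) and dta.labels[e.target](lab[s_next])]
        if not fire:
            return False
        e = fire[0]
        loc, x, s = e.target, 0.0 if e.reset else x, s_next
        conf = elapse(loc, x, s, 0.0)         # closure: boundary edges enabled in zero time
        if conf is None:
            return False
        loc, x = conf
    return loc in dta.final


def until_dta(alpha: float, beta: float) -> DTA:
    """The DTA of Fig. 5 for p U[alpha,beta] q, as read from the text (constructed here)."""
    p = lambda props: "p" in props
    p_not_q = lambda props: "p" in props and "q" not in props
    q = lambda props: "q" in props
    return DTA(
        labels={"l0": p, "l1": p_not_q, "l2": q}, init={"l0"}, final={"l2"},
        edges=[
            Edge("l0", Guard(0, alpha, hi_strict=True), ACT, False, "l0"),   # e00: x < alpha
            Edge("l0", Guard(alpha), BOUNDARY, False, "l1"),                 # e01: x = alpha, q false
            Edge("l0", Guard(alpha), BOUNDARY, False, "l2"),                 # e02: x = alpha, q true
            Edge("l1", Guard(alpha, beta), ACT, False, "l1"),                # e11: alpha <= x <= beta
            Edge("l1", Guard(alpha, beta), ACT, False, "l2"),                # e12: alpha <= x <= beta
        ])


# Constructed ASMC labeling (not Fig. 3 of the paper): s4 is the state without p.
LAB = {"s0": frozenset({"p"}), "s1": frozenset({"p"}), "s2": frozenset({"p", "q"}),
       "s3": frozenset({"q"}), "s4": frozenset()}

if __name__ == "__main__":
    A = until_dta(2, 6)
    print(accepts(A, LAB, "s0", [("a", 7, "s1")]))                     # rejected: x exceeds 6
    print(accepts(A, LAB, "s0", [("a", 1, "s1"), ("b", 4, "s3")]))     # accepted via l1 at time 5
```

The two rejected paths of the text and the two accepted shapes of Fig. 6 (through $l_1$, and directly from $l_0$ at the boundary) are exercised in the usage; a transition exactly at time $\alpha$ is read after the boundary edge, which is the priority rule.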
CSL^TA
Given the definition of DTA, we can now present formally the syntax of CSL^TA. Note that the syntax of CSL^TA is essentially identical to that of CSL or asCSL [8], [9], [10], apart from the fact that properties of paths are specified using DTA (instead of being specified by timed temporal logic operators as, for example, in CSL).

3 MODEL CHECKING FOR CSL^TA

As usual with CTL$^*$-like languages [25], in order to evaluate the satisfaction of a formula $\Phi$ over an ASMC $\mathcal{M}$, we proceed by a bottom-up evaluation of the subformulas occurring in $\Phi$ over all the states of $\mathcal{M}$, labeling accordingly the states with the subformulas that they satisfy. Let $\Phi'$ be such a subformula.

1. At some previous instant, $\mathcal{A}$ has not been able to mimic the execution of $\mathcal{M}$ and, thus, this process is in the absorbing state $\bot$ whatever the subsequent transitions of $\mathcal{M}$.
2. At some previous instant, $\mathcal{A}$ has reached a final location by following the execution of $\mathcal{M}$ and, thus, this process is in the absorbing state $\top$ whatever the subsequent transitions of $\mathcal{M}$.
3. Otherwise, the process is in some state of $\mathcal{M}$ associated with a finite timed execution of $\mathcal{A}$ not ending in a final location.

States of $\mathcal{M} \times \mathcal{A}$. If at some instant the execution of $\mathcal{M}$ is neither rejected nor accepted, we observe that, for the future behavior of the process $\mathcal{M} \times \mathcal{A}$, only the current location of the path in the DTA and the value of clock $x$ are relevant. This yields the following state description: $N(t) = (s(t), l(t), \bar{x}(t))$, where $s(t)$ is the state of $\mathcal{M}$ at time $t \in \mathbb{R}_{\ge 0}$, $l(t)$ is the location of $\mathcal{A}$ at time $t$, and $\bar{x}(t)$ is the value of the clock at time $t$. However, in $\mathcal{M} \times \mathcal{A}$ we consider only tangible states, i.e., states which do not trigger a boundary edge in zero time. Therefore, we introduce the following definition (which allows us to skip nontangible states), which is sound
. if $l \in Final$, then $closure(s, l, \bar{x}) = \top$;
. if $l \notin Final$ and there is a boundary edge $l \to$
In case 1, a transition $s \xrightarrow{a, \delta} s'$ is taking place in the ASMC $\mathcal{M}$ before the next timing constant $next(c_i)$ is reached, i.e., $\bar{x} + \delta < next(c_i)$ for some $\delta$. If this transition cannot be read by $\mathcal{A}$ from its configuration $(l, \bar{x})$, then the stochastic process makes a transition to $\bot$. If it can be read through an edge $(l, \gamma, A, r, l')$ of $\mathcal{A}$ (and, by determinism, there is at most one such edge), then the process $\mathcal{M} \times \mathcal{A}$ moves to $closure(s', l', (\bar{x} + \delta)[r := 0])$. Note that $closure$ is needed since boundary transitions may then be triggered in zero time and/or $\mathcal{A}$ may reach a final location, so that the process enters the $\top$ state.
Case 2 represents instead the situation in which the next clock barrier is reached by $x$ before an ASMC transition takes place (an amount of time equal to $next(c_i) - \bar{x}$ has elapsed). Then, the process $\mathcal{M} \times \mathcal{A}$ evolves from $(s, l, \bar{x})$ to $closure(s, l, next(c_i))$.
It is straightforward to show that each path of $\mathcal{M} \times \mathcal{A}$ leading to $\top$ corresponds to a (single) path in $\mathcal{M}$ accepted by $\mathcal{A}$, and vice versa. Furthermore, $Pr^{\mathcal{M}}_{s_0}(AccPath^{\mathcal{M}}(s_0, \mathcal{A}))$ can be computed as the probability of reaching $\top$ in the process $\mathcal{M} \times \mathcal{A}$ from $(s_0, l_0, 0)$. In the remainder of this section, we explain how the latter probability can be computed.

$\mathcal{M} \times \mathcal{A}$ is a Markov Renewal Process. We can rewrite a state of $\mathcal{M} \times \mathcal{A}$ (different from $\bot$, $\top$) in terms of the last clock constant reached as follows: $N(t) = (s(t), l(t), c(t), \bar{x}(t) - c(t))$, where $c(t)$ is the largest $c \in C$ such that $c \le \bar{x}(t)$.
We now show that $\mathcal{M} \times \mathcal{A}$ is a Markov renewal process (MRP). For the definition of MRP and Markov renewal sequences, see, for example, [26]. Consider a sequence $\{T_k, k = 0, 1, 2, \ldots\}$ of strictly increasing timing instants in the evolution of $\mathcal{M} \times \mathcal{A}$, with $N(T_k) = (s_k, l_k, c(T_k), \bar{x}_k - c(T_k))$. The timing instants are defined as follows, where $c_m$ is the largest constant in $C$:
. if $\bar{x}_k < c_m$, then $T_{k+1}$ is the next time at which the next constant in $C$ is reached, the clock $x$ is reset to 0, or the process reaches $\{\top, \bot\}$;
. if $\bar{x}_k \ge c_m$, then $T_{k+1}$ is the first time after $T_k$ at which the clock $x$ is reset to 0 or the process reaches $\{\top, \bot\}$.
When $\bar{x}_k \ge c_m$, it could happen that the probability of reaching a regeneration point is strictly less than 1. These particular cases do not raise any problem with respect to our computation (see the discussion at the end of this section).
Let $Y_k = N(T_k^+)$ be the state directly after all of the events at time $T_k$.

Theorem 3.2. $(Y, T) = \{(Y_k, T_k), k = 0, 1, 2, \ldots\}$ is a Markov renewal sequence and $N(t)$ is an MRP.

The proof of Theorem 3.2 is straightforward given the definition of MRP (see [26]): due to the definition of $T_k$, for $T_k \le t < T_{k+1}$ we have $N(t) = (s(t), l(t), c(t), \bar{x}(t) - c(t))$, which is equal to $(s_k, l_k, c(T_k), u)$ for some $u$ with $0 \le u \le T_{k+1} - T_k$, and $N(t)$ is an MRP because $N(t)$, which is equal to $N(T_k + u)$, only depends on $Y_k$.
It is well known that $Y = \{Y_k, k = 0, 1, 2, \ldots\}$ is a Discrete-Time Markov Chain (DTMC), namely, the embedded DTMC of the MRP. In general, the solution of an MRP requires the definition of the global and local kernel matrices (see [26]). The computation of the probability of reaching the absorbing state $\top$ from the initial state can be performed on the DTMC $P_{i,j}$, which expresses the probability that, if $i$ is the state at regeneration instant 0, then $j$ is the state at the next regeneration instant $T_1$ (that is,
Tangible Reachability Graph of $\mathcal{M} \times \mathcal{A}$
We next define a data structure that supports the definition of the DTMC $Y$ and the computation of its transition probabilities. This data structure is called Tangible Reachability Graph (TRG) and is inspired by the identically named graph of Deterministic Stochastic Petri Nets [27], in which the elapsing of time between two consecutive timing constants $c$ and $next(c)$ is interpreted as a deterministic "transition" of duration $next(c) - c$. Note that, in our case, a deterministic "transition" can only be preempted by a transition of $\mathcal{M} \times \mathcal{A}$ that includes a clock reset. The nodes of the TRG take the form of elements of $(S \times L \times C) \cup \{\bot, \top\}$. For a constant $c \in C$ and a constraint $\gamma$, we write $(c, next(c)) \models \gamma$ if, for all $\bar{x} \in (c, next(c))$, we have $\bar{x} \models \gamma$. The arcs between nodes of the TRG are defined by the following four rules:
[M]: a simple Markovian move, in which the ASMC $\mathcal{M}$ moves "according to" the DTA $\mathcal{A}$ and there is no clock reset.
[M_res]: as for a simple Markovian move, but with a clock reset that can start an evolution of $\mathcal{A}$ over boundary
Note that there is a single arc from a node $(s, l, c)$ due to a transition $(s, a, s')$ in the ASMC, because of the assumption of determinism of $\mathcal{A}$, and that there is at most one D arc from a node. Observe also that we evaluate the guard of a transition with respect to the open interval $(c, next(c))$, based on the straightforward result that, given a finite set of clock values (here, $C$), the probability that an ASMC performs a transition when the value of the clock belongs to this set is null.
We now define $TRS$ as the set of nodes reachable from the set of states $(s, l, 0)$, for all $s \in S$ and $l \in Init$ with $s \models_{\Sigma} \Lambda(l)$, by traversing the arcs expressed by the four rules above (note that we consider all states $s \in S$ because satisfaction needs to be checked on all states of $\mathcal{M}$). Then, the TRG of $\mathcal{M} \times \mathcal{A}$ is defined as the graph over $TRS$ whose arcs are described as above.
Observe that, if $(s, l, c)$ is a node of the TRG, then any $(s, l, c + \delta)$ with $0 \le \delta < next(c) - c$ is a state of the MRP $N(t)$. A D-arc (respectively, M_res-arc) into a node $(s, l, c)$ means that upon the event D (respectively, M_res) the state of $M \times A$ is exactly $(s, l, c)$, whereas if the same node is entered through an M-arc, the state of the process can be $(s, l, c + \delta)$ for any $0 < \delta < next(c) - c$.
The upper part of Fig. 7 shows an ASMC $M$ and a DTA $A$. DTA edges have been tagged with roman numerals to cross-reference them in the TRG of $M \times A$ shown in the lower part. Let us consider two paths in the TRG and, for each path, the corresponding realizations in the stochastic process $M \times A$. The path s0, s1, s3, $\top$ corresponds to process evolutions in which an $a$-event occurs with clock $x$ in $(0, 2)$ and then time elapses until the clock reaches 3. Note that the intermediate node s3 corresponds to the clock reaching 2. The path s0, s1, s1, $\bot$ captures those process evolutions in which an $a$-event is followed by a $b$-event and then again by an $a$-event, all occurring with the clock in $(0, 2)$. As the last event cannot be mimicked by the DTA, the process reaches $\bot$.
Building the Embedded DTMC
To compute the probability of reaching $\top$, we need to identify in the TRG the states of the DTMC $Y$ and the associated transition probabilities. The states are defined according to the specification of the MRP. Note that not all nodes of the TRG are states of the DTMC: in the example of Fig. 7, node s5 is not a state of the DTMC. Intuitively, in order to reach s5, the ASMC must perform an $a$-event after the clock has reached 3.
Fig. 8 shows the graph associated with the embedded DTMC of the example of Fig. 7. An arc between two states means that there is a nonnull probability of reaching the destination from the source without going through a regeneration point. For instance, there is an edge from s4 to s0 because one possible path (in the TRG) goes through an M move followed by an M_res move, which triggers the regeneration point.
To compute the probabilities of the DTMC (i.e., to label the edges of the associated graph), we need to define, for each DTMC state $(s, l, c) \in TRS \setminus \{\bot, \top\}$, how the process $M \times A$ can evolve before reaching the next regeneration point. This (transient) behavior is driven by the subordinated CTMC $C_{(s,l,c)}$, which describes the evolution of the process from $(s, l, c)$ until a successive state of $M \times A$ is reached, either because of a state change in $M$, because the clock has reached $next(c)$, or because the clock is reset.
The states of the subordinated CTMC $C_{(s,l,c)}$ can be computed using, again, the TRG: from $(s, l, c)$ we take the transitive closure over arcs of type M, possibly followed by an M_res-arc or an M_KO-arc. More formally, the states of the subordinated CTMC $C_{(s,l,c)}$ are defined as follows:
Fig. 9 depicts the subordinated chain $C_{(s_0, l_0, 0)}$ for the state $(s_0, l_0, 0)$. Observe that this subordinated chain is derived from the TRG but is not a subgraph of it, because of the duplication of the state $(s_0, l_0, 0)$. This CTMC represents all behaviors during the evolution of clock $x$ in $(0, 2)$ until a regeneration point is reached. The (non-time-triggered) regeneration points correspond to the absorbing states $\bot$ and $(s_0, l_0, 0)^{Reset}$.
Let us interpret the state of this CTMC at time 2. If it is $\bot$ (respectively, $(s_0, l_0, 0)^{Reset}$), then the next regeneration point is $\bot$ (respectively, $(s_0, l_0, 0)$), since it has been reached before time 2. If the state is $(s_0, l_0, 0)$ (respectively, $(s_1, l_1, 0)$), the next regeneration point corresponds to $x = 2$, and we follow the corresponding D edge in the TRG to determine it, here $(s_0, l_0, 2)$ (respectively, $(s_1, l_1, 2)$). Therefore, the probabilities of the DTMC transitions from $(s_0, l_0, 0)$ are obtained from the transient probability distribution of the subordinated chain at time 2.
Footnote 1: in the TRG, an M_res transition corresponds, in Deterministic Stochastic Petri Nets, to the case of an exponential transition that preempts a deterministic transition and then immediately re-enables it; as explained in [26], this requires a duplication of the states of the subordinated CTMC.
We can now generalize the example and consider the transition probabilities of the DTMC in the general case. Let $P_{\mathbf{s},\mathbf{s}'}$ be the transition probabilities of the DTMC. The entries $P_{\mathbf{s},\mathbf{s}'}$ are computed using the subordinated CTMC $C_{\mathbf{s}}$, and all entries of row $\mathbf{s}$ of $P$ are computed on the same subordinated CTMC $C_{\mathbf{s}}$. The rows corresponding to the DTMC states $\top$ and $\bot$ are identically zero, since these states are absorbing. Let $\mathbf{s} = (s, l, c)$. We denote by $\pi_{\mathbf{s}}(\tau)$ the transient distribution of $C_{\mathbf{s}}$ at time $\tau$ when $\tau$ is finite, and its steady-state distribution when $\tau = \infty$.
We are now in a position to give the formulas for the nonnull entries of $P$. By convention, in the following formulas, $\bot$
When $c = c_m$, the only way to obtain a regeneration point is to reset the clock or to reach $\{\bot, \top\}$.
The first case ($c < c_m$, where the clock can reach $next(c)$ before any other regeneration event) requires transient analysis of the subordinated CTMCs at time $next(c) - c$, which is usually performed by uniformization [28]. The second case ($c = c_m$) only requires steady-state analysis of the subordinated CTMC, i.e., its absorption probabilities, which is generally less computationally expensive.
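As an added illustration of the transient step (not code from the paper), the following Python computes the transient distribution of a subordinated CTMC by uniformization and turns it into one row of the embedded DTMC, as was done above for $(s_0, l_0, 0)$ at time 2. The generator, the state names and the rates are constructed here for the example and are not those of Fig. 9; the map from subordinated states to regeneration points ($\bot$, the Reset copy, or the target of the D edge) is likewise an assumption made for the example.

```python
import math


def transient_distribution(Q, pi0, tau, eps=1e-12, max_terms=100_000):
    """Transient distribution pi(tau) of the CTMC with generator Q (list of
    rows summing to 0) started from pi0, by uniformization [28]:
        pi(tau) = sum_k  Poisson(k; lam*tau) * pi0 * P^k,   P = I + Q/lam,
    with lam the largest exit rate. The series is truncated once the Poisson
    weights already used sum to at least 1 - eps, so the probability mass
    missing from the result is at most eps."""
    n = len(Q)
    lam = max(-Q[i][i] for i in range(n))
    if lam == 0.0:                           # every state absorbing: nothing moves
        return list(pi0)
    P = [[(1.0 if i == j else 0.0) + Q[i][j] / lam for j in range(n)]
         for i in range(n)]
    v = list(pi0)                            # current value of pi0 * P^k
    out = [0.0] * n
    weight = math.exp(-lam * tau)            # Poisson(0; lam*tau)
    used = 0.0
    k = 0
    while used < 1.0 - eps and k < max_terms:
        for i in range(n):
            out[i] += weight * v[i]
        used += weight
        v = [sum(v[i] * P[i][j] for i in range(n)) for j in range(n)]
        k += 1
        weight *= lam * tau / k              # Poisson(k) from Poisson(k-1)
    return out


def embedded_dtmc_row(Q, start, tau, successor):
    """One row of the embedded DTMC P: the mass sitting in state i of the
    subordinated CTMC at the deadline tau is attributed to successor[i], the
    regeneration point reached from i (bottom or the Reset copy for the
    absorbing states, the target of the D edge for the transient ones)."""
    n = len(Q)
    pi0 = [1.0 if i == start else 0.0 for i in range(n)]
    row = {}
    for i, mass in enumerate(transient_distribution(Q, pi0, tau)):
        if mass > 0.0:
            row[successor[i]] = row.get(successor[i], 0.0) + mass
    return row


# Constructed subordinated chain of a node (s0,l0,0) whose next clock constant is 2,
# shaped like Fig. 9 but with rates chosen for this example (not from the paper):
#   0 = (s0,l0,0)         transient (the duplicated start state)
#   1 = (s1,l1,0)         transient, entered by an M arc
#   2 = bottom            absorbing, entered by an M_KO arc
#   3 = (s0,l0,0)^Reset   absorbing, entered by an M_res arc
SUB_Q = [
    [-1.5,  1.0,  0.5,  0.0],
    [ 2.0, -2.5,  0.0,  0.5],
    [ 0.0,  0.0,  0.0,  0.0],
    [ 0.0,  0.0,  0.0,  0.0],
]
SUB_SUCCESSOR = {0: "(s0,l0,2)", 1: "(s1,l1,2)", 2: "bottom", 3: "(s0,l0,0)"}
DEADLINE = 2.0                               # next(0) - 0 with clock constants {0, 2, ...}


def example_row():
    """Row of P for the DTMC state (s0,l0,0) of the constructed example."""
    return embedded_dtmc_row(SUB_Q, 0, DEADLINE, SUB_SUCCESSOR)
```

The row produced by `example_row()` sums to one up to the truncation error `eps`: the mass in the two absorbing states is attributed to $\bot$ and to the reset re-entry, the mass still in the transient states at the deadline follows the D edges. For $c = c_m$ one would instead let `tau` grow until the transient mass is negligible, or solve the absorption probabilities directly.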
Note that the embedded DTMC has two peculiarities. First, the same state can be reentered because of a clock reset, which gives rise to a self-loop; this has no effect on the computation. Second, the transition matrix can be substochastic because, for some DTMC states, there is a nonnull probability of never reaching another state of the MRP. Again, this is not problematic: the mass missing from a row corresponds to evolutions that never reach $\top$, and the reachability probability computation with a substochastic matrix is identical to that with a stochastic one.
Finally, as is often the case in a probabilistic setting, checking whether the set of paths of $M$ accepted by $A$ has probability 0 or 1 can be done without any numerical computation. The only relevant information in the DTMC with transition probability matrix $P$ is, for every pair of states $(\mathbf{s}, \mathbf{s}')$, whether $P(\mathbf{s}, \mathbf{s}') > 0$, and this information is obtained by a simple examination of the TRG.
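The following Python, added here as an example and not taken from the paper, carries out both steps of this and the previous paragraph on a small embedded DTMC constructed for the purpose: the qualitative check reads only the positivity pattern of $P$ (with the missing mass of a substochastic row routed to an explicit sink so that it counts as "never reaching another state of the MRP"), and the probability of reaching $\top$ is then obtained by solving a linear system over the remaining states, with a clock-reset self-loop left in place. The state names and matrix entries are hypothetical.

```python
def solve_linear(A, b):
    """Gauss-Jordan elimination with partial pivoting (pure Python; adequate
    for the small systems of an example)."""
    n = len(A)
    M = [A[i][:] + [b[i]] for i in range(n)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        if abs(M[col][col]) < 1e-14:
            raise ValueError("singular: a probability-0 state was not removed first")
        for r in range(n):
            if r != col and M[r][col] != 0.0:
                f = M[r][col] / M[col][col]
                M[r] = [M[r][c] - f * M[col][c] for c in range(n + 1)]
    return [M[i][n] / M[i][i] for i in range(n)]


def with_sink(P, top, bottom, sink):
    """Copy of P in which the mass missing from a substochastic row is routed
    to an explicit absorbing `sink`: those are the evolutions that never reach
    another state of the MRP, and graph reasoning must see them as such."""
    P2 = {s: dict(row) for s, row in P.items()}
    for s, row in P2.items():
        if s in (top, bottom):
            continue                     # absorbing by convention: empty rows
        deficit = 1.0 - sum(row.values())
        if deficit > 1e-12:
            row[sink] = deficit
    P2[sink] = {}
    return P2


def can_reach(P, targets):
    """States from which some target is reachable along edges with P(s,s') > 0.
    Backward search over the positivity graph only: no numerics involved."""
    pred = {s: set() for s in P}
    for s, row in P.items():
        for t, p in row.items():
            if p > 0.0:
                pred[t].add(s)
    seen, stack = set(targets), list(targets)
    while stack:
        t = stack.pop()
        for s in pred[t]:
            if s not in seen:
                seen.add(s)
                stack.append(s)
    return seen


def qualitative(P, top="top", bottom="bottom", sink="sink"):
    """(prob0, prob1) for reaching `top`: prob0 = states that cannot reach top;
    prob1 = states from which no prob0 state is reachable. Only the positivity
    pattern of P is used, as remarked above."""
    P2 = with_sink(P, top, bottom, sink)
    prob0 = set(P2) - can_reach(P2, {top})
    prob1 = set(P2) - can_reach(P2, prob0)
    return prob0, prob1


def reachability(P, top="top", bottom="bottom", sink="sink"):
    """Probability of eventually reaching `top` from each state of the embedded
    DTMC P = {state: {successor: prob}}. Rows of top and bottom are empty
    (absorbing); any other row may be substochastic and may loop on its own
    state (re-entry through a clock reset); neither needs special treatment."""
    prob0, prob1 = qualitative(P, top, bottom, sink)
    probs = {s: 0.0 for s in prob0 if s != sink}
    probs.update({s: 1.0 for s in prob1 if s in P})
    unknown = [s for s in P if s not in probs]
    if unknown:
        # x = P_T x + b  <=>  (I - P_T) x = b over the undecided states, where
        # b collects the mass that goes straight to a probability-1 state.
        A = [[(1.0 if s == t else 0.0) - P[s].get(t, 0.0) for t in unknown]
             for s in unknown]
        b = [sum(P[s].get(t, 0.0) for t in prob1) for s in unknown]
        for s, x in zip(unknown, solve_linear(A, b)):
            probs[s] = x
    return probs


# Constructed embedded DTMC (not from the paper): A loops on itself (clock
# reset), row B sums to 0.6 (substochastic), C can never reach top or bottom.
DTMC = {
    "A": {"A": 0.2, "B": 0.5, "top": 0.3},
    "B": {"A": 0.4, "bottom": 0.2},
    "C": {"C": 1.0},
    "top": {},
    "bottom": {},
}
```

Removing the probability-0 states before solving is what keeps the linear system nonsingular: a set of transient states that never leaves itself (state C here) would otherwise make $I - P_T$ singular, and the qualitative pass finds such states from the graph alone.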
EXPRESSIVENESS OF CSL^TA
In this section, we study the relationship between CSL^TA, CSL [9], and asCSL [10]. Formulas interpreted on ASMCs are equivalent if, for every ASMC, the same states of the ASMC satisfy the formulas. Formally, we say that the formula $\Phi_1$ (of the logic $L_1$, with the satisfaction relation
CSL^TA Is at Least as Expressive as CSL
We first recall the definition of CSL [9].
Definition 4.1. The syntax of CSL is defined as follows:
$\Phi ::= a \mid \Phi \wedge \Phi \mid \neg\Phi \mid S_{\bowtie p}(\Phi) \mid P_{\bowtie p}(X^I \Phi) \mid P_{\bowtie p}(\Phi\, U^I\, \Phi)$
where $a \in AP$ is an atomic proposition, $I \subseteq \mathbb{R}_{\ge 0}$ is a nonempty interval, $\bowtie \in \{<, \le, \ge, >\}$ is a comparison operator, and $p \in [0, 1]$ is a probability.
For any infinite path $\sigma$ of $M$ with states $s_i$ and sojourn times $\tau_i$, if $i$ is the smallest index such that $t \le \sum_{j=0}^{i} \tau_j$, then we let $\sigma@t = s_i$; that is, $\sigma@t$ denotes the state along $\sigma$ occupied at time $t$. In the following, when clear from the context, we write $s \models_{CSL} \Phi$ for $M, s \models_{CSL} \Phi$ and $\sigma \models_{CSL} \Phi$ for $M, \sigma \models_{CSL} \Phi$.
The following proposition shows that CSL^TA is at least as expressive as CSL:
Proof. The semantics of the state-formula constructors are identical for CSL and CSL^TA; therefore, it suffices to prove that any path formula of CSL is equivalent to some path formula of CSL^TA. The idea of the proof is to translate the path operator $X^{[\alpha,\beta]}\Phi$ of CSL with the DTA $A_{X^{[\alpha,\beta]}\Phi}$ of Fig. 4 and the path operator $\Phi_1 U^{[\alpha,\beta]} \Phi_2$ with the DTA $A_{\Phi_1 U^{[\alpha,\beta]} \Phi_2}$ of Fig. 5. In the following, we concentrate on the case in which the time interval of a CSL formula is of the form $[\alpha, \beta]$ with $\alpha > 0$ (the translation of path operators with other time intervals is similar and is discussed briefly at the end of the proof). Therefore, our task consists in showing that, for a given ASMC $M = \langle S, Act, AP, lab, R\rangle$, a given state $s \in S$, and an infinite path $\sigma \in Path^M(s)$, we have:
1.a. $\Phi_2$ is satisfied when the value of the clock $x$ reaches $\alpha$;
1.b. $\Phi_2$ is not yet satisfied when the value of the clock $x$ reaches $\alpha$.
Consider Case 1.a. Observe that there exists some $i \in \mathbb{N}$ such that $s_i \models_{CSL} \Phi_1 \wedge \Phi_2$, $s_j \models_{CSL} \Phi_1$ for all $j < i$, and $\sum_{k=0}^{i-1} \tau_k \le \alpha < \sum_{k=0}^{i} \tau_k$. We assert that the ASMC path $\sigma^M$ is accepted by the DTA path $\sigma^A = (l_0, \bar{x}_0) \xrightarrow{\tau_0,\, e_{00}} \cdots$ (that is, to accept $\sigma^M$, the DTA performs $i$ loops of the edge $e_{00}$, then traverses the edge $e_{02}$). To verify that $\sigma^M$ is accepted by $\sigma^A$, consider Definition 2.7. First, observe that $l_0 \in Init$, $\bar{x}_0 = 0$ and $l_2 \in Final$. Second, recalling that $\Lambda(l_0) = \Phi_1$, we observe that $s_j \models_{CSL} \Lambda(l_0)$ for all $j \le i$. Furthermore, recalling that $\Lambda(l_2) = \Phi_2$, we observe that $s_i \models_{CSL} \Lambda(l_2)$. Third, we have $a_j \in Act$, and hence $a_j \in action(e_{00})$, for all $j < i$. The final requirements of Definition 2.7, which concern the durations of $\sigma^M$ and $\sigma^A$, follow directly from the observation that the durations of the transitions of $\sigma^A$ are equal to the durations of the first $i$ transitions of $\sigma^M$.
Now consider Case 1.b. In this case, there exists $i \in \mathbb{N}$ such that $s_i \models_{CSL} \Phi_2$, $s_j \models_{CSL} \Phi_1$ for all $j < i$, and $\alpha < \sum_{k=0}^{i-1} \tau_k \le \beta$. Furthermore, we let $i^* < i$ be the largest index for which
We claim that the ASMC path $\sigma^M$ is accepted by a DTA path $\sigma^A$ that starts in $(l_0, \bar{x}_0)$, passes through $l_1$ and ends in $l_2$ (that is, to accept $\sigma^M$, the DTA performs $i^*$ loops of the edge $e_{00}$, then traverses the edge $e_{01}$, then performs $i - (i^* + 1)$ loops of the edge $e_{11}$, then traverses the edge $e_{12}$). Consider Definition 2.7: the index described in point 2 of Definition 2.7 is $i^*$, and the index mapping $\{0, \ldots, i+1\} \to \{0, \ldots, i\}$ is defined by $j \mapsto j$ for all $j \le i^*$ and $j \mapsto j - 1$ for all $i^* < j \le i + 1$. We now verify that the choice of $\sigma^A$, of the index $i^*$ and of the index mapping satisfies the conditions of Definition 2.7. First, observe that $l_0 \in Init$,
($s_j \models_{CSL} \Lambda(l_1)$ for all $i^* < j < i$, and $s_i \models_{CSL} \Lambda(l_2)$, respectively). Third, we have $a_j \in Act$ and hence $a_j \in action(e_{00})$, $a_j \in action(e_{11})$, and $a_i \in action(e_{12})$, for all $j \le i$. The final requirements of Definition 2.7, concerning the durations of $\sigma^M$ and $\sigma^A$, follow from the following facts: every transition of $\sigma^A$ whose image under the index mapping is different from $i^*$ has the same duration as the transition of $\sigma^M$ it is mapped to; furthermore, the duration $\tau_{i^*}$ of the $i^*$th transition of $\sigma^M$ is the sum of the durations of the two transitions of $\sigma^A$ mapped to $i^*$ (the one taken before the clock reaches $\alpha$ and the one taken after). The reverse direction of Case 1 follows in a similar manner and we omit the details.
Consider Case 2. We show that $\sigma \models_{CSL} X^{[\alpha,\beta]}\Phi$ implies $\sigma \in AccPath^M(s, A_{X^{[\alpha,\beta]}\Phi})$. Let $\sigma^M$ be a path such that $M, \sigma^M \models_{CSL} X^{[\alpha,\beta]}\Phi$. Then, by Definition 4.2, we have $\sigma^M = s \xrightarrow{a,\, \tau} \sigma'$ for some $a \in Act$, $\tau \in I$ and path $\sigma'$, where $\sigma^M(1) \models_{CSL} \Phi$. By the definition of the DTA $A_{X^{[\alpha,\beta]}\Phi}$, there exists a path $(l_0, 0) \xrightarrow{\tau,\, e} (l_1, \tau)$, where $e = (l_0, \alpha \le x \le \beta, Act, \emptyset, l_1)$ is the edge from $l_0$ to $l_1$. From the facts that $l_0 \in Init$, $l_1 \in Final$ and $\sigma^M(1) \models_{CSL} \Phi$, we have that $\sigma^M$ is accepted by $A_{X^{[\alpha,\beta]}\Phi}$ according to the criteria of Definition 2.7. The reverse direction of Case 2 follows in a similar manner.
We now consider briefly the case of other types of time intervals. For the Next operator, the DTA of Fig. 4 requires only modifications to the guard of its single edge (for example, the time interval $(\alpha, \infty)$ is represented by the guard $x > \alpha$). Similarly, open or half-open time intervals of the Until operator can be represented by changing the associated inequalities of the constraints from nonstrict to strict: for example, the time interval $(\alpha, \beta]$ can be represented by changing the constraint on $x$ that involves $\alpha$ from nonstrict to strict in the DTA of Fig. 5. For a time interval of the form $[\alpha, \infty)$ or $(\alpha, \infty)$ with $\alpha > 0$, the guards of the form $x \le \beta$ in the DTA of Fig. 5 are changed to true. Instead, for a time interval of the form $[0, \beta]$ or $[0, \beta)$, the location $l_0$ and its outgoing edges are removed and both $l_1$ and $l_2$ become initial locations.
Finally, the assertion on formula sizes is straightforward. □
We observe that the verification of a CSL formula of the form $P_{\bowtie p}(\Phi_1 U^I \Phi_2)$ and of a CSL^TA formula of the form $P_{\bowtie p}(A_{\Phi_1 U^I \Phi_2})$ involve similar computation steps: for example, in the case $I = [\alpha, \beta]$ with $\alpha > 0$, a transient analysis of two CTMCs is required, both in the CSL model-checking algorithm of [9] and in the CSL^TA model-checking algorithm of Section 3. The computational complexity of model checking CSL^TA properties obtained from equivalent CSL properties is the same as that of model checking the original CSL properties with the algorithm of [9].
CSL^TA Is at Least as Expressive as asCSL
In this section, we recall the stochastic temporal logic asCSL [10] and show that every asCSL formula can be expressed as a CSL^TA formula.
Definition of asCSL
First, we present the syntax and semantics of asCSL. In contrast to the original presentation of asCSL in [10], we consider nondeterministic program automata (NPA) as path operators, instead of regular expressions (called programs in [10]). As asCSL programs can be translated into nondeterministic program automata, our presentation of asCSL is as general as the original one with regular expressions. Also note that we use the special action $\surd$, which, in a way similar to $\sharp$, allows a transition in the automaton without a corresponding transition in the ASMC. Note the distinction between $\sharp$-labeled transitions of a DTA and $\surd$-labeled transitions of a nondeterministic program automaton: the latter are not triggered by the behavior of the ASMC, whereas $\sharp$-labeled transitions are triggered by the passage of time.
where $a \in AP$ is an atomic proposition, $I \subseteq \mathbb{R}_{\ge 0}$ is a nonempty interval, $\bowtie \in \{<, \le, \ge, >\}$ is a comparison operator, $p \in [0, 1]$ is a probability, and $N(\Sigma)$ is an NPA with input alphabet $\Sigma$ such that $\Sigma \subseteq \{(\Phi, b) \mid \Phi \text{ is an asCSL formula} \wedge b \in Act \cup \{\surd\}\}$.
We write $z \xrightarrow{u} z'$ to denote $z' \in \delta(z, u)$, $\delta$ being the transition function of the NPA (that is, to denote a transition of the NPA).
where $AccPath^M(s, N(\Sigma)^I)$ is defined in the following way:
Let $z$ be a state of $N$ and $\sigma$ be a finite path of $M$. We define $Runs_N(z, \sigma)$ as the greatest set of runs $z \xrightarrow{} \cdots$
1. $z \in Runs_N(z, \sigma)$ if and only if $|\sigma| = 0$;
From NPA to DTA
To show that every asCSL formula can be expressed as a CSL^TA formula, it suffices to show how a formula $P_{\bowtie p}(N(\Sigma)^I)$ can be encoded as a CSL^TA formula $P_{\bowtie p}(A)$, similarly to the translation from CSL to CSL^TA of Section 4.1. In order to obtain the required DTA $A$ from $N(\Sigma)^I$, two steps are required. First, a DPA, which will be used as the graph of $A$, is constructed from the NPA $N(\Sigma)$ by a standard subset construction; then the time interval $I$ is represented within $A$ by clock guards, which constrain the global time of entry into final locations to the times in $I$. We first present the determinization of an NPA. Note that $\surd$-transitions are eliminated from the NPA to obtain the determinized automaton; unlike $\sharp$-transitions in a DTA, $\surd$-transitions do not have priority over other transitions. Hence, if a state $z$ has an outgoing $a$-transition (for $a \in Act$) and an outgoing $\surd$-transition leading to a state with an outgoing $a$-transition, then, when reading an $a$-transition of the ASMC, there is a nondeterministic choice between the $a$-transition and the $\surd$-transition from $z$. We choose to eliminate sequences of $\surd$-transitions in order to avoid such situations, noting that we also have to consider the case in which sequences of $\surd$-transitions reaching final states are taken after an action.
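As an added example (not the paper's construction), the Python below performs the subset construction described above on an NPA whose alphabet is reduced to ASMC actions, ignoring the asCSL state-formula component of the labels and the interval $I$. The $\surd$-closure is taken before each action move and when testing finality, so the resulting automaton has at most one successor set per action, and a final NPA state reachable by $\surd$-moves after the last action counts as acceptance. The NPA, its state names and its transitions are constructed for this example.

```python
from collections import deque

SQRT = "sqrt"   # the special action: a move of the automaton without an ASMC step

# Constructed NPA (not from the paper): z0 -a-> z0, z0 -sqrt-> z1, z1 -a-> z2,
# z2 -b-> z3. From z0 an a-step of the ASMC can be matched either directly
# (z0 -a-> z0) or after the sqrt-move (z1 -a-> z2): exactly the nondeterministic
# choice discussed above.
EXAMPLE_ACTIONS = {"a", "b"}
EXAMPLE_DELTA = {
    ("z0", "a"): {"z0"},
    ("z0", SQRT): {"z1"},
    ("z1", "a"): {"z2"},
    ("z2", "b"): {"z3"},
}
EXAMPLE_INIT = {"z0"}
EXAMPLE_FINAL = {"z3"}


def sqrt_closure(delta, states):
    """All NPA states reachable from `states` by sqrt-transitions only
    (including the states themselves: the run of length 0)."""
    seen, stack = set(states), list(states)
    while stack:
        z = stack.pop()
        for z2 in delta.get((z, SQRT), ()):
            if z2 not in seen:
                seen.add(z2)
                stack.append(z2)
    return frozenset(seen)


def determinize(init, delta, final, actions):
    """Subset construction that folds sqrt-moves into the action moves.
    A DPA state is the set of NPA states reached right after an action; on
    action a it moves to {z' | z in closure(q), z -a-> z'}. An empty successor
    set is not kept: a missing edge corresponds to the joint process falling
    into bottom. Returns (states, initial, trans, accepting)."""
    q0 = frozenset(init)
    states, trans, accepting = {q0}, {}, set()
    todo = deque([q0])
    while todo:
        q = todo.popleft()
        closed = sqrt_closure(delta, q)
        if closed & final:          # a final state is reachable by sqrt-moves only
            accepting.add(q)
        for a in sorted(actions):
            nxt = frozenset(z2 for z in closed for z2 in delta.get((z, a), ()))
            if not nxt:
                continue
            trans[(q, a)] = nxt
            if nxt not in states:
                states.add(nxt)
                todo.append(nxt)
    return states, q0, trans, accepting


def accepts(dpa, actions):
    """Run the DPA on a sequence of ASMC actions; there is at most one run."""
    states, q, trans, accepting = dpa
    for a in actions:
        if (q, a) not in trans:
            return False
        q = trans[(q, a)]
    return q in accepting


def example_dpa():
    return determinize(EXAMPLE_INIT, EXAMPLE_DELTA, EXAMPLE_FINAL, EXAMPLE_ACTIONS)
```

On the constructed NPA the construction yields three DPA states, one of them accepting, and the action sequences it accepts are exactly those matched by the NPA: one or more $a$-steps followed by a $b$-step. In the full construction the sets of NPA states also carry the pairwise disjoint state formulas, so that an ASMC path follows at most one run.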
We require the following notation. Let $N = \langle Z, \Sigma, \delta, Z_{Init}, Z_F \rangle$ be an NPA, $Z' \subseteq Z$, $\Phi$ be an asCSL formula, and $a \in Act$. Then, we let $Runs(Z', (\Phi, a))$ equal:
Therefore, $Runs(Z', (\Phi, a))$ is the set of runs of $N$ starting from a state in $Z'$ which perform $\surd$-transitions before performing a single $a$-transition, where the conjunction of the asCSL formulas labeling the transitions along the run is implied by $\Phi$. We also let $Runs(Z', (\Phi, \surd), Z_F)$ equal:
Hence, $Runs(Z', (\Phi, \surd), Z_F)$ is the set of runs from a state in $Z'$ to a state in $Z_F$ which perform $\surd$-transitions only, where the conjunction of the formulas along the run is implied by $\Phi$ (a run of length 0, consisting of a single state, is possible; that state must then belong to both $Z'$ and $Z_F$). Before defining the DPA corresponding to an NPA, we must identify the set of formulas which can appear in the transition labels of the DPA and which will be used subsequently to define the set of state propositions of the DTA. This set of formulas is constructed so that an ASMC path is accepted by at most one run of the DTA obtained from the NPA; in particular, we construct a set of pairwise disjoint state propositions. Formally, this set is the smallest set of asCSL formulas such that:
It can be verified that $|\Delta(q, (\Phi, a))| \le 1$ for all $q \in Q$ and $(\Phi, a) \in \Sigma'$. We now define the DTA $A(N^I)$ by pushing the asCSL state formulas featured in the transition labels of $det(N)$ into location labels of $A(N^I)$, and by using the interval $I$ in the guards of the edges leading directly to final locations (the set $E''$ of DTA edges in the definition that follows). We also have to consider the case in which a final state of the NPA is reached at a time before the interval $I$ (the set $E'$ of DTA edges below), which does not correspond to acceptance.
Our result suffices also to show that there exists an asCSL formula for which no equivalent CSL formula exists.
Proposition 4.12. There is a formula of CSL^TA for which there is no equivalent CSL formula.
The proof of Proposition 4.12 follows a scheme different from the proofs of similar expressiveness results for temporal logics on transition systems. We first define the left-hand delimiter $\langle$ for intervals, where $\langle$ denotes either $[$ or $($. Similarly, the right-hand delimiter $\rangle$ denotes either $]$ or $)$. Consider the family of ASMCs $M[\lambda, \lambda']$ of Fig. 10 (left), for $0 < \lambda, \lambda' < 1$. Let $\Phi$ be a formula of CSL or CSL^TA (for simplicity, we write $\models$ for the satisfaction relation of both CSL and CSL^TA). Then, $[\![\Phi]\!](s) = \{(\lambda, \lambda') \in (0,1)^2 \mid M[\lambda, \lambda'], s \models \Phi\}$. For any $0 < \theta < 1$, let $\Phi_\theta = P_{\ge\theta}(A)$, where $A$ is the DTA depicted in Fig. 10 (right). It follows that $[\![\Phi_\theta]\!](s_0) = \{(\lambda, \lambda') \in (0,1)^2 \mid \lambda \cdot \lambda' \ge \theta\}$. The following lemma states that, for any CSL formula and any state $s \in \{s_0, s_1, s_2, s_3\}$, the set of parameters $\lambda, \lambda'$ for which the CSL formula is satisfied in state $s$ of $M[\lambda, \lambda']$ has a particular form. The lemma is then the basis of our expressiveness result: sets of parameters of the form described in the lemma cannot produce the set $[\![\Phi_\theta]\!](s_0) = \{(\lambda, \lambda') \in (0,1)^2 \mid \lambda \cdot \lambda' \ge \theta\}$ of parameters for which $\Phi_\theta$ is satisfied in $s_0$ and, hence, no CSL formula is equivalent to $\Phi_\theta$.
Lemma 4.13. Let $\Phi$ be a formula of CSL. Then:
1. for $i \in \{2, 3\}$, $[\![\Phi]\!](s_i)$ is either $(0,1)^2$ or $\emptyset$;
2. $[\![\Phi]\!](s_1)$ is a finite union of rectangles of the form $(0,1) \times \langle a, b \rangle$;
3. $[\![\Phi]\!](s_0)$ is a finite union of (open, closed, or mixed) rectangles of $(0,1)^2$.
Proof. Assertion 1. When starting from $s_2$ or $s_3$, the satisfaction of $\Phi$ does not depend on $\lambda$ or $\lambda'$. Therefore, assertion 1 holds trivially.
Assertion 2. We prove assertion 2 by induction on the size of the formula, considering all CSL operators one by one. Let $\Phi$ be a formula of CSL. If $\Phi$ is an atomic proposition, then $[\![\Phi]\!](s_1)$ is either $(0,1)^2$ or $\emptyset$.
interval $f$ is monotonic. As a consequence, $(0,1)$ may be partitioned into a finite number of consecutive intervals (different from the previous ones) on which, alternately, $f$ is greater than or equal to the probability bound or strictly smaller than it. The intervals on which $f$ is greater than or equal to the bound induce a finite number of rectangles of the form $\langle a, b \rangle \times (0,1)$, which are included in $[\![\Phi]\!](s_0)$.
$\ldots, \infty))$ in $[\![\Phi]\!](s_0)$. The cases $\Phi = P_{\bowtie p}(\Phi'\, U^{[\alpha,\beta]}\, \Phi'')$ with $\bowtie \in \{\le, <, >\}$ follow similarly.
□
Because $[\![\Phi_\theta]\!](s_0) = \{(\lambda, \lambda') \mid \lambda \cdot \lambda' \ge \theta\}$ cannot be expressed as a finite union of rectangles, Lemma 4.13 establishes that $\Phi_\theta$ is not equivalent to any formula of CSL. Lemma 4.14 then gives a direct proof of Proposition 4.12.
Lemma 4.14. For each $0 < \theta < 1$, the CSL^TA formula $\Phi_\theta$ is not equivalent to any formula of CSL.
We also conjecture that there exists a CSL^TA formula for which no equivalent asCSL formula exists. This conjecture is based on the result of the next subsection, which shows that there exists a CSL^TA formula without nesting for which there is no single equivalent asCSL formula without nesting.
CONCLUSION
In this paper, we have defined a new stochastic temporal logic CSL^TA, based on timed automata, which we propose as a good trade-off between adding flexibility to property specification and limiting the explosion of analysis complexity. With regard to the specification of properties, the most significant extension is the possibility of specifying an arbitrary number of timing constraints along an execution path, which may also depend on the history of the process. We have shown that CSL^TA is at least as expressive as both CSL and asCSL. Furthermore, the evaluation process is handled in a uniform way via Markov regenerative processes rather than by ad hoc transformations as was done previously. We note that the two restrictions placed on the timed automata used, namely that they are deterministic and have a single clock, allow us to obtain a tractable stochastic process for the joint process of the system and the property, namely, a Markov regenerative process, for which well-known solution methods exist [26], [29]. Further work can consider an implementation of the proposed method (possibly exploiting existing Deterministic Stochastic Petri Net tools) and the extension of CSL^TA to allow for rewards [30]. We would also like to investigate the use of CSL^TA for the definition of properties of performance models generated automatically from UML sequence diagrams, where the ability of CSL^TA to reason about concatenated time intervals could be of use.
