Event-clock automata: a determinizable class of timed automata  by Alur, Rajeev et al.
Theoretical Computer Science 211 (1999) 253-273
Event-clock automata: a determinizable class of timed automata 1
Rajeev Alur a,b,*, Limor Fix c, Thomas A. Henzinger b,*
a Department of Electrical Engineering and Computer Sciences, University of California, 
Berkeley, CA 94720, USA 
b Bell Laboratories, Lucent Technologies, Murray Hill, NJ 07974, USA 
c Design Technology, Intel, Haifa, Israel
Received January 1995; revised April 1997 
Communicated by Z. Manna 
Abstract 
We introduce event-recording automata. An event-recording automaton is a timed automaton 
that contains, for every event a, a clock that records the time of the last occurrence of a. 
The class of event-recording automata is, on one hand, expressive enough to model (finite) 
timed transition systems and, on the other hand, determinizable and closed under all boolean 
operations. As a result, the language-inclusion problem is decidable for event-recording automata. 
We present a translation from timed transition systems to event-recording automata, which leads 
to an algorithm for checking if two timed transition systems have the same set of timed behaviors. 
We also consider event-predicting automata, which contain clocks that predict the time of 
the next occurrence of an event. The class of event-clock automata, which contain both event- 
recording and event-predicting clocks, is a suitable specification language for real-time properties. 
We provide an algorithm for checking if a timed automaton meets a specification that is given 
as an event-clock automaton. © 1999 Elsevier Science B.V. All rights reserved
Keywords: Formal verification; Automata theory; Real-time systems; Timed automata 
* Correspondence address: Bell Laboratories, Lucent Technologies, Murray Hill, NJ 07974, USA. E-mail: 
alur@research.bell-labs.com. 
1 A short version of this paper appeared in the Proceedings of the Sixth Annual Conference on
Computer-aided Verification, Lecture Notes in Computer Science, Vol. 818, Springer, Berlin, 1994, pp. 1-13.
* Supported in part by the Office of Naval Research Young Investigator award N00014-95-1-0520, by the 
National Science Foundation CAREER award CCR-9501708, by the National Science Foundation grant CCR- 
9504469, by the Air Force Office of Scientific Research contract F49620-93-1-0056, by the Army Research 
Office MURI grant DAAH-04-96-1-0341, by the Advanced Research Projects Agency grant NAG2-892, and
by the Semiconductor Research Corporation contract 95-DC-324.036. 
0304-3975/99/$ - see front matter © 1999 Elsevier Science B.V. All rights reserved
PII: S0304-3975(97)00173-4
1. Introduction 
Finite automata are instrumental for the modeling and analysis of many phenomena 
within computer science. In particular, automata theory plays an important role in the 
verification of concurrent finite-state systems [15,21]. In the trace model for concurrent
computation, a system is identified with its behaviors. Assuming that a behavior is 
represented as a sequence of states or events, the set of possible behaviors of a system 
is a formal language, and the system can be modeled as an automaton that generates 
the language (a complex system is modeled as the product of automata that model 
the component systems). Since the admissible behaviors of the system also constitute 
a formal language, the requirements specification can be given by another automaton 
(the adequacy of automata as a specification formalism is justified by the fact that 
competing formalisms such as linear temporal logic are no more expressive). The 
verification problem of checking that a system meets its specification, then, reduces to 
testing language inclusion between two automata. The decision procedure for language 
inclusion typically involves the complementation of the specification automaton, which 
in turn relies upon determinization [14,20]. 
To capture the behavior of a real-time system, the model of computation needs to 
be augmented with a notion of time. For this purpose, timed automata [3] provide a 
simple, and yet powerful, way of annotating state-transition graphs with timing con- 
straints, using finitely many real-valued variables called clocks. With each transition, a 
timed automaton may check the clock values, and reassign new values to some clocks. 
A timed automaton, then, accepts timed words - strings in which each symbol is paired 
with a real-valued time-stamp. The theory of timed automata allows the solution of 
certain verification problems for real-time systems with finite control [1,3,4,6,13],
and the solution of certain delay problems [2,9]. Solutions based on this theory have
been implemented in several automatic tools, including COSPAN [7], KRONOS [10], and
UPPAAL [8]. However, the general verification problem (i.e., language inclusion) is 
undecidable for timed automata [3]. This is because, unlike in the untimed case, the 
nondeterministic variety of timed automata is strictly more expressive than the deter- 
ministic variety. The notion of nondeterminism allowed by timed automata, therefore, 
seems too permissive, and we hesitate to accept timed automata as the canonical model 
for real-time computation with finite control [5]. 
In this paper, we obtain a determinizable class of timed automata by restricting 
the use of clocks. The clocks of an event-clock automaton have a fixed, predefined 
association with the symbols of the input alphabet (the alphabet symbols typically 
represent events). The event-recording clock of the input symbol a is a history variable 
whose value always equals the time of the last occurrence of a relative to the current 
time; the event-predicting clock of a is a prophecy variable whose value always equals 
the time of the next occurrence of a relative to the current time (if no such occurrence 
exists, then the clock value is undefined). Thus, unlike a timed automaton, an event- 
clock automaton does not control the reassignments of its clocks, and, at each input 
symbol, all clock values of the automaton are determined solely by the input word. This 
property allows the determinization of event-clock automata, which, in turn, leads to a 
complementation procedure. Indeed, the class ECA of event-clock automata is closed 
under all boolean operations (timed automata are not closed under complement), and the 
language-inclusion problem is decidable (PSPACE-complete) for event-clock automata.
The class of event-clock automata is sufficiently expressive to model real-time sys- 
tems with finite control, and to specify common real-time requirements. For instance, 
the hard real-time requirements that “every request is followed by a response within 3 
seconds” and that “every two consecutive requests are separated by at least 5 seconds” 
can be expressed using event-clock automata. In fact, we argue that automata that 
contain only event-recording clocks (event-recording automata) are a suitable abstract
model for real-time systems by proving that event-recording automata are as powerful 
as another popular model for real-time computation, timed transition systems [12]. 
A timed transition system associates with each transition a lower bound and an up- 
per bound on the time that the transition may be enabled without being taken (many 
related real-time formalisms also use lower and upper time bounds to express timing 
constraints [18,19]). A run of a timed transition system, then, is again a timed word -
a sequence of time-stamped state changes. We construct, for a given timed transition 
system T with a finite set of states, an event-recording automaton that accepts precisely 
the runs of T. This result leads to a PSPACE algorithm for checking the equivalence of 
two finite timed transition systems. 
The remaining paper is organized as follows. Section 2 defines event-clock auto- 
mata. Section 3 proves that for every nondeterministic event-clock automaton, we can 
construct an equivalent deterministic event-clock automaton. Section 4 studies closure 
properties and decision problems of event-clock automata. Section 5 relates the ex- 
pressiveness of various classes of timed automata. Section 6 shows how event-clock 
automata can be used to obtain decision procedures for timed transition systems. 
2. Event-clock automata 
2.1. Timed words and timed languages 
We study formal languages of timed words. 3 A timed word $\bar{w}$ over an alphabet
$\Sigma$ is a finite sequence $(a_0,t_0)(a_1,t_1)\ldots(a_n,t_n)$ of symbols $a_i \in \Sigma$ that are paired with
nonnegative real numbers $t_i \in \mathbb{R}^{\geq 0}$ such that the sequence $\bar{t} = t_0 t_1 \ldots t_n$ of time-stamps
is nondecreasing (i.e., $t_i \leq t_{i+1}$ for all $0 \leq i < n$). Without loss of generality it may be
assumed that $t_0 = 0$. Sometimes we denote the timed word $\bar{w}$ by the pair $(\bar{a},\bar{t})$, where
$\bar{a} \in \Sigma^*$ is an untimed word over $\Sigma$. A timed language over the alphabet $\Sigma$ is a set of
timed words over $\Sigma$. The boolean operations of union, intersection, and complement of
timed languages are defined as usual. Given a timed language $\mathcal{L}$ over the alphabet $\Sigma$,
the projection $Untime(\mathcal{L})$ is the untimed language over $\Sigma$ that is obtained by discarding
the time-stamps: $Untime(\mathcal{L}) \subseteq \Sigma^*$ consists of all untimed words $\bar{a}$ for which there
exists a sequence $\bar{t}$ of time-stamps such that $(\bar{a},\bar{t}) \in \mathcal{L}$.
3 For the clarity of exposition, we limit ourselves to finite words. Our results can be extended to the
framework of timed $\omega$-languages.
2.2. Automata with clocks 
Timed automata are finite-state machines whose transitions are constrained with tim- 
ing requirements so that they accept (or generate) timed words (and thus define timed 
languages); they were proposed in [3] as an abstract model for real-time systems with 
finite control. The finite control of a timed automaton consists of a finite set of loca- 
tions and a finite set of real-valued variables called clocks. Each edge between locations 
specifies a set of clocks to be reset (i.e., restarted). The value of a clock always records 
the amount of time that has elapsed since the last time the clock was reset: if the clock 
z is reset while reading the ith symbol of a timed input word $(\bar{a},\bar{t})$, then the value
of z while reading the jth symbol, for $j > i$, is $t_j - t_i$ (assuming that the clock z is
not reset at any position between i and j). The edges of the automaton put arithmetic 
constraints on the clock values; the automaton control may proceed along an edge only 
when the values of the clocks satisfy the corresponding constraints. 
Each clock of a timed automaton, therefore, is a real-valued variable that records 
the time difference between the current input symbol and a previous input symbol, 
namely, the input symbol on which the clock was last reset. This association between 
clocks and input symbols is determined dynamically by the behavior of the automaton. 
An event-clock automaton, by contrast, employs clocks that have a tight, predefined 
association with certain symbols of the input word. Suppose that we model a real-time 
system so that the alphabet symbols represent events of the system. In most cases, 
it will suffice to know, for each event, the time that has elapsed since the previous 
occurrence of the event. For example, to model a delay of 1-2 s between the input and
output events of a device, it suffices to use a clock z that records the time that has
elapsed since the last input event, and require the constraint $1 \leq z \leq 2$ when the output
event occurs. This observation leads us to the definition of clocks that have a fixed 
association with input symbols and cannot be reset arbitrarily. 
2.3. Event-recording and event-predicting clocks 
Let $\Sigma$ be a finite alphabet. For every symbol $a \in \Sigma$, we write $x_a$ to denote the
event-recording clock of a. Given a timed word $\bar{w} = (a_0,t_0)(a_1,t_1)\ldots(a_n,t_n)$, the value of
the clock $x_a$ at the jth position of $\bar{w}$ is $t_j - t_i$, where i is the largest position preceding
j such that $a_i$ equals a. If no occurrence of a precedes the jth position of $\bar{w}$, then the
value of the clock $x_a$ is “undefined,” denoted by $\bot$. We write $\mathbb{R}^{\geq 0}_{\bot} = \mathbb{R}^{\geq 0} \cup \{\bot\}$ for
the set of nonnegative real numbers together with the special value $\bot$. Formally, we
define for all $0 \leq j \leq n$,
$$\gamma_j^{\bar{w}}(x_a) = \begin{cases} t_j - t_i & \text{if there exists an } i \text{ such that } 0 \leq i < j \text{ and } a_i = a, \\ & \text{and for all } k \text{ with } i < k < j, \text{ we have } a_k \neq a, \\ \bot & \text{if } a_k \neq a \text{ for all } k \text{ with } 0 \leq k < j. \end{cases}$$
That is, the event-recording clock $x_a$ behaves exactly like an automaton clock that
is reset every time the automaton encounters the input symbol a. The value of $x_a$,
therefore, is determined by the input word, not by the automaton. Auxiliary variables
that record the times of last occurrences of events have been used extensively in
real-time reasoning, for example, in the context of model-checking for timed Petri nets [23],
and in assertional proof methods [16,19].
Event-recording clocks provide timing information about events in the past. The dual 
notion of event-predicting clocks provides timing information about future events. For 
every symbol $a \in \Sigma$, we write $y_a$ to denote the event-predicting clock of a. At each
position of the timed word $\bar{w}$, the value of the clock $y_a$ indicates the time difference
between the current input symbol and the next occurrence of the input symbol a; the
special value $\bot$ indicates the absence of a future occurrence of a. Formally, we define
for all $0 \leq j \leq n$,
$$\gamma_j^{\bar{w}}(y_a) = \begin{cases} t_i - t_j & \text{if there exists an } i \text{ such that } j < i \leq n \text{ and } a_i = a, \\ & \text{and for all } k \text{ with } j < k < i, \text{ we have } a_k \neq a, \\ \bot & \text{if } a_k \neq a \text{ for all } k \text{ with } j < k \leq n. \end{cases}$$
The event-predicting clock $y_a$ can be viewed as an automaton clock that is reset,
every time the automaton encounters the input symbol a, to a nondeterministic negative
starting value, and checked for 0 at the subsequent occurrence of a.
We write $C_\Sigma$ for the set $\{x_a \mid a \in \Sigma\} \cup \{y_a \mid a \in \Sigma\}$ of event-recording and
event-predicting clocks. For each position j of a timed word $\bar{w}$, the clock-valuation function
$\gamma_j^{\bar{w}}$, then, is a mapping from $C_\Sigma$ to $\mathbb{R}^{\geq 0}_{\bot}$. The clock constraints compare clock values
to rational constants or to the special value $\bot$. Let $\mathbb{Q}^{\geq 0}_{\bot}$ denote the set of nonnegative
rational numbers together with $\bot$. Formally, a clock constraint over the set C of
clocks is a boolean combination of atomic formulas of the form $z \leq c$ and $z \geq c$, where
$z \in C$ and $c \in \mathbb{Q}^{\geq 0}_{\bot}$. The clock constraints over C are interpreted with respect to
clock-valuation functions $\gamma$ from C to $\mathbb{R}^{\geq 0}_{\bot}$: the atom $\bot \leq \bot$ evaluates to true, and all other
comparisons that involve $\bot$ (e.g., $\bot \geq 3$) evaluate to false. For the clock-valuation
function $\gamma$ and a clock constraint $\varphi$, we write $\gamma \models \varphi$ to denote that according to $\gamma$ the
constraint $\varphi$ evaluates to true. We freely use abbreviations such as < and = when
writing clock constraints.
2.4. Syntax and semantics of event-clock automata 
An event-clock automaton is a (nondeterministic) finite-state machine whose edges 
are annotated both with input symbols and with clock constraints over event-recording 
and event-predicting clocks. 4 Formally, an event-clock automaton A consists of
• a finite input alphabet $\Sigma$,
• a finite set L of locations,
• a set $L_0 \subseteq L$ of start locations,
• a set $L_f \subseteq L$ of accepting locations, and
• a finite set E of edges. Each edge is a quadruple $(\ell,\ell',a,\varphi)$ with a source location
$\ell \in L$, a target location $\ell' \in L$, an input symbol $a \in \Sigma$, and a clock constraint $\varphi$ over
the clocks $C_\Sigma$.
4 Clock constraints can be added, as invariant conditions, also to the locations of an event-clock
automaton [13], without influencing our results.
Fig. 1. Event-recording automaton $A_1$.
An (untimed) finite-state machine can be viewed as an event-clock automaton all of 
whose edges have the trivial clock constraint true, which evaluates to true for all 
clock-valuation functions. 
Consider the behavior of the event-clock automaton A over the timed input word
$\bar{w} = (a_0,t_0)(a_1,t_1)\ldots(a_n,t_n)$. Starting in one of the start locations and scanning the first
input pair $(a_0,t_0)$, the automaton scans the input word from left to right, consuming,
at each step, an input symbol together with its time-stamp. In location $\ell$ scanning the
ith input pair $(a_i,t_i)$, the automaton may proceed to location $\ell'$ and the (i + 1)th input
pair if there is an edge $(\ell,\ell',a,\varphi)$ such that a equals the current input symbol $a_i$, and
the current clock valuation $\gamma_i^{\bar{w}}$ satisfies the clock constraint $\varphi$. Formally, a computation
of the event-clock automaton A over the timed input word $\bar{w}$ is a finite sequence
of locations $\ell_i \in L$ and edges $e_i = (\ell_i,\ell_{i+1},a_i,\varphi_i) \in E$ such that $\ell_0 \in L_0$ and for all
$0 \leq i \leq n$, $\gamma_i^{\bar{w}} \models \varphi_i$. The computation is accepting iff $\ell_{n+1} \in L_f$. The timed language $\mathcal{L}(A)$
defined by the event-clock automaton A consists of all timed words $\bar{w}$ such that A has
an accepting computation over $\bar{w}$. We write ECA for the class of timed languages that
are definable by event-clock automata.
The event-clock automaton A is an event-recording automaton iff all clock con- 
straints of A contain only event-recording clocks; A is an event-predicting automaton 
iff the clock constraints of A contain only event-predicting clocks. The classes of timed
languages that can be defined by these two restricted types of event-clock automata
are denoted ERA and EPA, respectively.
2.5. Examples of event-clock automata 
The event-clock automaton $A_1$ of Fig. 1 uses two event-recording clocks, $x_a$ and $x_b$.
The location $\ell_0$ is the start location of $A_1$, and also the sole accepting location. The
automaton accepts timed input words of the form $(\bar{a},\bar{t})$ with $\bar{a} = (abcd)^k$, for some
$k \geq 0$. All edges that are not labeled by clock constraints have, by default, the trivial
clock constraint true. The clock constraint $x_a < 1$ that is associated with the edge from
$\ell_2$ to $\ell_3$ ensures that each c occurs within 1 time unit of the preceding a. A similar
mechanism for checking the value of $x_b$ while reading d ensures that the time difference
between each b and the subsequent d is always greater than 2. Thus, the timed language
$\mathcal{L}(A_1)$ defined by $A_1$ consists of all timed words $(\bar{a},\bar{t})$ with $\bar{a} = (abcd)^k$ such that for all
$0 \leq j < k$, we have $t_{4j+2} < t_{4j} + 1$ and $t_{4j+3} > t_{4j+1} + 2$. Note that the timed language
$\mathcal{L}(A_1)$ can also be defined using event-predicting clocks: require $y_c < 1$ while reading a,
and $y_d > 2$ while reading b.
Fig. 2. Event-recording automaton $A_2$ and event-predicting automaton $A_3$.
Fig. 3. Event-recording automaton $A_4$.
The duality of the two types of clocks is further illustrated by the automata of Fig. 2.
The event-recording automaton $A_2$ accepts all timed words of the form $(ab^*b,\bar{t})$ such
that the time difference between the two extreme symbols is 1, which is enforced by
the event-recording clock $x_a$. Later we will prove that there is no event-predicting
automaton that defines the timed language $\mathcal{L}(A_2)$. The event-predicting automaton $A_3$,
on the other hand, accepts all timed words of the form $(aa^*b,\bar{t})$ such that the time
difference between the two extreme symbols is 1; for this purpose, the event-predicting
clock $y_b$ is used to predict the time of the first b. There is no event-recording automaton
that defines $\mathcal{L}(A_3)$.
The automaton A4 of Fig. 3 expresses the requirement that every request a is followed 
by a response b within 3 s, and two requests are separated by at least 5 s. Examples 
such as the railroad-gate controller and timing-based mutual-exclusion algorithms that 
appear in the literature on real-time verification (see, for instance, [3,6,13]) can all be
specified using event-clock automata. 
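The following Python sketch is an added example, not part of the paper: it computes the clock valuations of Section 2.3 for a timed word and runs the automaton $A_1$ described above next to the event-predicting variant the text mentions. The dictionary encoding of automata, the helper names, and the sample words are assumptions constructed for illustration.

```python
BOT = None  # the undefined clock value (bottom in the text)

def valuations(word, alphabet):
    """Clock valuation at every position of a timed word [(symbol, time), ...]."""
    gammas = [{} for _ in word]
    last = dict.fromkeys(alphabet)            # time of the most recent occurrence
    for j, (sym, t) in enumerate(word):
        for a in alphabet:                    # x_a looks strictly before position j
            gammas[j]["x", a] = BOT if last[a] is None else t - last[a]
        last[sym] = t
    nxt = dict.fromkeys(alphabet)             # time of the nearest later occurrence
    for j in range(len(word) - 1, -1, -1):
        sym, t = word[j]
        for a in alphabet:                    # y_a looks strictly after position j
            gammas[j]["y", a] = BOT if nxt[a] is None else nxt[a] - t
        nxt[sym] = t
    return gammas

# Atomic constraints: any comparison with an undefined clock is false.
def lt(clock, c):
    return lambda g: g[clock] is not BOT and g[clock] < c

def gt(clock, c):
    return lambda g: g[clock] is not BOT and g[clock] > c

def true(g):
    return True

def accepts(aut, word, alphabet="abcd"):
    """Nondeterministic run: track the set of locations reachable so far."""
    current = set(aut["start"])
    for (sym, _), g in zip(word, valuations(word, alphabet)):
        current = {tgt for (src, tgt, a, phi) in aut["edges"]
                   if src in current and a == sym and phi(g)}
    return bool(current & aut["accept"])

# A_1 as described in the text: cycle l0 -a-> l1 -b-> l2 -c-> l3 -d-> l0.
A1_RECORDING = {"start": {0}, "accept": {0}, "edges": [
    (0, 1, "a", true), (1, 2, "b", true),
    (2, 3, "c", lt(("x", "a"), 1)), (3, 0, "d", gt(("x", "b"), 2))]}

# Same language with event-predicting clocks: y_c < 1 on a, y_d > 2 on b.
A1_PREDICTING = {"start": {0}, "accept": {0}, "edges": [
    (0, 1, "a", lt(("y", "c"), 1)), (1, 2, "b", gt(("y", "d"), 2)),
    (2, 3, "c", true), (3, 0, "d", true)]}

# Constructed sample words (not from the paper).
SAMPLES = {
    "ok":         [("a", 0), ("b", 0.5), ("c", 0.75), ("d", 3)],
    "late_c":     [("a", 0), ("b", 0.5), ("c", 1), ("d", 3)],
    "early_d":    [("a", 0), ("b", 0.5), ("c", 0.75), ("d", 2.5)],
    "two_rounds": [("a", 0), ("b", 0.5), ("c", 0.75), ("d", 3),
                   ("a", 3), ("b", 3.25), ("c", 3.5), ("d", 6)],
    "truncated":  [("a", 0), ("b", 0.5)],
    "empty":      [],
}

def compare():
    """Verdict of the recording and the predicting automaton on each sample."""
    return {name: (accepts(A1_RECORDING, w), accepts(A1_PREDICTING, w))
            for name, w in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```

The predicting automaton rejects a bad word on the a or b edge, before the late c or early d has been read, while the recording automaton rejects it only when that symbol arrives; the verdict on the complete word is the same.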
3. Deterministic event-clock automata 
A finite-state machine (with a single start location) is deterministic if all input
symbols that label edges with the same source location are pairwise distinct. For event-clock
automata we consider the notion of determinism that was proposed for timed
automata [3]. The event-clock automaton $A = (\Sigma,L,L_0,L_f,E)$ is deterministic iff
1. A has at most one start location (i.e., $|L_0| \leq 1$), and
2. two edges with the same source location and the same input symbol have mutually
exclusive clock constraints; that is, if $(\ell,\ell',a,\varphi_1) \in E$ and $(\ell,\ell'',a,\varphi_2) \in E$, then for
all clock-valuation functions $\gamma$, $\gamma \not\models \varphi_1 \wedge \varphi_2$.
The determinism condition ensures that at each step during a computation, the choice 
of the next edge is uniquely determined by the current location of the automaton, the 
input word, and the current position of the automaton along the input word. It is easy 
to check that every deterministic event-clock automaton has at most one computation 
over any given timed input word. 
Of our examples from the previous section, the event-clock automata $A_1$, $A_3$, and $A_4$
are deterministic. While the automaton $A_2$ is nondeterministic, it can be determinized
without changing its timed language, by adding the clock constraint $x_a < 1$ to the
self-loop at location $\ell_1$.
In the theory of finite-state machines, it is well-known that every nondeterministic 
machine can be determinized; that is, the deterministic and nondeterministic varieties of 
finite-state machines define the same class of languages (the regular languages). In the 
case of timed automata, however, the nondeterministic variety is strictly more expres- 
sive than its deterministic counterpart [3]. We now show that the event-clock automata 
form a subclass of timed automata for which the deterministic and nondeterministic 
automata are equally expressive. 
The determinization follows the standard subset construction. Let $A = (\Sigma,L,L_0,L_f,E)$
be the given event-clock automaton. The determinized automaton Det(A) over the same
alphabet $\Sigma$ has the following components.
• The locations of Det(A) are the nonempty subsets of L.
• The only start location is $L_0$ (if $L_0$ is empty, then Det(A) has no start location).
• A location $L' \subseteq L$ is an accepting location iff $L_f \cap L'$ is nonempty.
• Consider a location $L' \subseteq L$ of Det(A) and an input symbol $a \in \Sigma$. Let $E' \subseteq E$ be the
set of all edges of A whose source locations are in $L'$ and whose input symbol is a.
Then, for every nonempty subset $E''$ of $E'$, there is an edge from $L'$ to $L''$ with the
input symbol a and the clock constraint $\varphi$ such that
  - $L''$ contains precisely the target locations of the edges in $E''$, and
  - $\varphi$ is the conjunction of all clock constraints of edges in $E''$ and all negated clock
    constraints of edges in $E' \setminus E''$.
For example, Fig. 4 shows a nondeterministic event-recording automaton $A_5$ and the
determinized automaton $Det(A_5)$.
It is easy to check the following properties of the determinized automaton Det(A):
1. $\mathcal{L}(A) = \mathcal{L}(Det(A))$.
2. Given a location $L'$ of Det(A), an input symbol a, and a clock-valuation function
$\gamma$, there is precisely one edge $(L',L'',a,\varphi)$ such that $\gamma \models \varphi$. Hence, Det(A) is
deterministic.
3. Det(A) is an event-recording (event-predicting) automaton iff A is an event-recording
(event-predicting) automaton.
Fig. 4. Event-recording automata $A_5$ and $Det(A_5)$.
Theorem 1 (Determinization). For every event-clock (event-recording; event-predicting)
automaton A, there is a deterministic event-clock (event-recording; event-predicting)
automaton that defines the timed language $\mathcal{L}(A)$.
Notice that the determinization of an event-clock automaton causes an exponential 
blow-up in the number of locations, but changes neither the number of clocks nor the 
constants that occur in clock constraints. 
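An added example (not from the paper) of the subset construction, applied to the nondeterministic automaton $A_2$ as read off its prose description in Section 2.5. It builds only the subset locations reachable from $L_0$, represents clock constraints as Python predicates over a valuation, and checks determinism and successor sets on constructed sample valuations; these encoding choices and all names are assumptions.

```python
from itertools import combinations

BOT = None  # the undefined clock value

def eq(clock, c):
    return lambda g: g[clock] is not BOT and g[clock] == c

def true(g):
    return True

def determinize(aut, alphabet):
    """Subset construction of the text, restricted to locations reachable from L0."""
    start = frozenset(aut["start"])
    det = {"start": {start} if start else set(), "accept": set(), "edges": []}
    seen, todo = set(det["start"]), list(det["start"])
    while todo:
        loc = todo.pop()
        if loc & aut["accept"]:
            det["accept"].add(loc)
        for a in alphabet:
            e1 = [e for e in aut["edges"] if e[0] in loc and e[2] == a]   # E'
            for size in range(1, len(e1) + 1):
                for chosen in combinations(range(len(e1)), size):          # E''
                    pos = [e1[i][3] for i in chosen]
                    neg = [e[3] for i, e in enumerate(e1) if i not in chosen]
                    # conjunction of E'' constraints and negated E' \ E'' constraints
                    phi = (lambda g, pos=pos, neg=neg:
                           all(p(g) for p in pos) and not any(q(g) for q in neg))
                    tgt = frozenset(e1[i][1] for i in chosen)
                    det["edges"].append((loc, tgt, a, phi))
                    if tgt not in seen:
                        seen.add(tgt)
                        todo.append(tgt)
    return det

def enabled_targets(aut, sources, a, g):
    """Targets of all edges from `sources` on symbol a whose constraint holds in g."""
    return [tgt for (src, tgt, sym, phi) in aut["edges"]
            if src in sources and sym == a and phi(g)]

def one_step_check(aut, det, alphabet, samples):
    """At most one Det edge is enabled, and it leads to the set of A-successors."""
    det_locs = {e[0] for e in det["edges"]} | {e[1] for e in det["edges"]} | det["start"]
    for loc in det_locs:
        for a in alphabet:
            for g in samples:
                in_a = frozenset(enabled_targets(aut, loc, a, g))
                in_det = enabled_targets(det, {loc}, a, g)
                if len(in_det) > 1:                      # determinism violated
                    return False
                if in_det != ([in_a] if in_a else []):   # wrong successor subset
                    return False
    return True

XA, XB = ("x", "a"), ("x", "b")

# A_2 per the prose: l0 -a-> l1, b self-loop on l1, l1 -b [x_a = 1]-> l2 (accepting).
A2 = {"start": {0}, "accept": {2}, "edges": [
    (0, 1, "a", true), (1, 1, "b", true), (1, 2, "b", eq(XA, 1))]}

DET_A2 = determinize(A2, "ab")

# Constructed sample valuations of the two event-recording clocks.
SAMPLE_VALUATIONS = [{XA: v, XB: w} for v in (BOT, 0, 0.5, 1, 2) for w in (BOT, 0.5)]

if __name__ == "__main__":
    print(len(DET_A2["edges"]), "edges;", sorted(map(sorted, DET_A2["accept"])))
    print(one_step_check(A2, DET_A2, "ab", SAMPLE_VALUATIONS))
```

When no edge of A is enabled, no edge of the determinized automaton is enabled either, so the check asserts at most one enabled edge per location, symbol and valuation.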
The key for the determinization of event-clock automata is the property that at each 
step during a computation, all clock values are determined solely by the input word. 
We therefore obtain determinizable superclasses of event-clock automata if we add 
more clocks that do not violate this property. For example, for each input symbol a 
and each natural number i, we could employ a clock $x_a^{i}$ that records the time since
the ith occurrence of a in the input word, and a clock $x_a^{-i}$ that records the time since
the ith-to-last occurrence of a (i.e., $x_a = x_a^{-1}$). Or, more ambitiously, we might want
to use for each linear temporal logic formula $\psi$ over the input alphabet a formula-recording
clock $x_\psi$ that measures the time since the last position of the input word
at which $\psi$ was true, and a formula-predicting clock $y_\psi$ that measures the time until
the next position at which $\psi$ will be true. A formula-clock automaton, then, is a
timed automaton all of whose clocks are either formula-recording or formula-predicting
(event-clock automata are the subclass of formula-clock automata for which all formulas
are atomic). Similarly to event-clock automata, every formula-clock automaton can be
determinized.
4. Properties of event-clock automata 
4.1. Event-clock automata as labeled transition systems 
Every timed automaton can be viewed as an infinite-state labeled transition system. 
Given an event-clock automaton $A = (\Sigma,L,L_0,L_f,E)$, we define the labeled transition
system $S_A$ to capture the behavior of A over timed words. The labeled transition system
$S_A$ has the following components:
• A state of $S_A$ is a pair $(\ell,\gamma)$ that consists of a location $\ell \in L$ and a clock-valuation
function $\gamma$ from $C_\Sigma$ to $\mathbb{R}^{\geq 0}_{\bot}$, which determines the values of all clocks. The state
space of $S_A$ is denoted by $Q_A$.
• The set $Q_A^0 \subseteq Q_A$ of initial states consists of all states $(\ell,\gamma)$ such that $\ell \in L_0$, and
$\gamma(x_a) = \bot$ for all input symbols $a \in \Sigma$.
• The set $Q_A^f \subseteq Q_A$ of final states consists of all states $(\ell,\gamma)$ such that $\ell \in L_f$, and
$\gamma(y_a) = \bot$ for all input symbols $a \in \Sigma$.
• For two states $q,q' \in Q_A$, an input symbol $a \in \Sigma$, and a real-valued time delay
$\delta \in \mathbb{R}^{\geq 0}$, let $q \xrightarrow{a} q'$ if the automaton A may proceed from the state q to the state
$q'$ by reading the input symbol a, and let $q \xrightarrow{\delta} q'$ if A may proceed from q to $q'$ by
letting time $\delta$ pass. Formally,
  - $(\ell,\gamma) \xrightarrow{a} (\ell',\gamma')$ iff there is a clock-valuation function $\gamma''$ and an edge
    $(\ell,\ell',a,\varphi) \in E$ such that
    * $\gamma = \gamma''[y_a := 0]$ (i.e., $\gamma$ agrees with $\gamma''$ on all clocks except $y_a$, which in $\gamma$
      evaluates to 0),
    * $\gamma' = \gamma''[x_a := 0]$, and
    * $\gamma'' \models \varphi$.
  - $(\ell,\gamma) \xrightarrow{\delta} (\ell',\gamma')$ iff $\ell = \ell'$ and for all input symbols $b \in \Sigma$,
    * if $\gamma(x_b) = \bot$ then $\gamma'(x_b) = \bot$, otherwise $\gamma'(x_b) = \gamma(x_b) + \delta$, and
    * if $\gamma'(y_b) = \bot$ then $\gamma(y_b) = \bot$, otherwise $\gamma(y_b) = \gamma'(y_b) + \delta$.
We inductively extend the labeled transition relation to timed words: 
• $q \xrightarrow{(a,\delta)} q'$ iff there is a state $q'' \in Q_A$ such that $q \xrightarrow{\delta} q''$ and $q'' \xrightarrow{a} q'$;
l if w=(ao,to)...(a,,t~),,~~,~~,~~~(a:+~,t.+l), then q’q’ iff there is a state q” 
such that q 3 q” and q 4 q . 
The following lemma states the correctness of the labeled-transition-system semantics 
for event-clock automata. 
Lemma 1. The event-clock automaton A accepts the timed word $\bar{w}$ iff $q \xrightarrow{\bar{w}} q'$ for
some initial state q and some final state $q'$ of the labeled transition system $S_A$.
4.2. The region construction 
The analysis of timed automata builds on the so-called region construction, which 
transforms a timed automaton into an untimed finite-state machine [3]. Here we apply 
the region construction to event-clock automata. 
Consider an event-clock automaton A and the corresponding labeled transition system
$S_A$. An equivalence relation $\cong$ on the state space $Q_A$ is a time-abstract bisimulation
of A iff for all states $q_1,q_2 \in Q_A$, if $q_1 \cong q_2$ then
1. if $q_1 \xrightarrow{a} q_1'$ for some input symbol $a \in \Sigma$, then there exists a state $q_2' \in Q_A$ with
$q_2 \xrightarrow{a} q_2'$ and $q_1' \cong q_2'$, and
2. if $q_1 \xrightarrow{\delta} q_1'$ for some time delay $\delta \in \mathbb{R}^{\geq 0}$, then there exists a state $q_2' \in Q_A$ and a time
delay $\delta' \in \mathbb{R}^{\geq 0}$ (possibly different from $\delta$) with $q_2 \xrightarrow{\delta'} q_2'$ and $q_1' \cong q_2'$.
The relation $\cong$ has finite index iff the number of equivalence classes of $\cong$ is finite.
Time-abstract bisimulations with finite index can be used to solve reachability problems
for A. One such relation is the region equivalence $\cong_A$.
Let us assume that all clock constraints of A contain only integer constants (other- 
wise, all constants need to be multiplied by the least common multiple of the denom- 
inators of all rational numbers that appear in clock constraints). Let c be the largest 
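integer constant that appears in a clock constraint of A. Two clock-valuation functions
$\gamma$ and $\gamma'$ from $C_\Sigma$ to $\mathbb{R}^{\geq 0}_{\bot}$ are region-equivalent, written $\gamma \cong_A \gamma'$, iff the following three
conditions are satisfied:
1. $\gamma$ and $\gamma'$ agree on which clock values are undefined: for all $z \in C_\Sigma$, we have $\gamma(z) = \bot$
iff $\gamma'(z) = \bot$.
2. $\gamma$ and $\gamma'$ agree on the integral parts of all defined clock values that are at most c:
for all $z \in C_\Sigma$, if $\gamma(z) \leq c$ or $\gamma'(z) \leq c$, then $\lfloor\gamma(z)\rfloor = \lfloor\gamma'(z)\rfloor$ and $\lceil\gamma(z)\rceil = \lceil\gamma'(z)\rceil$.
3. $\gamma$ and $\gamma'$ agree on the ordering of the fractional parts of all defined clock values that
are at most c. For an event-recording clock $x_a$, let $\langle\gamma(x_a)\rangle$ be $\gamma(x_a) - \lfloor\gamma(x_a)\rfloor$; for
an event-predicting clock $y_a$, let $\langle\gamma(y_a)\rangle$ be $\lceil\gamma(y_a)\rceil - \gamma(y_a)$. Then: for all $z,z' \in C_\Sigma$,
if $\gamma(z) \leq c$ and $\gamma(z') \leq c$, then $\langle\gamma(z)\rangle \leq \langle\gamma(z')\rangle$ iff $\langle\gamma'(z)\rangle \leq \langle\gamma'(z')\rangle$.
Two states $(\ell,\gamma),(\ell',\gamma') \in Q_A$ are region-equivalent, written $(\ell,\gamma) \cong_A (\ell',\gamma')$, iff $\ell = \ell'$
and $\gamma \cong_A \gamma'$.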
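The three conditions translate directly into a check on two valuations. This is an added example, not code from the paper; valuations are dictionaries keyed by ("x", a) or ("y", a), exact rationals avoid floating-point noise in the fractional parts, and the sample valuations are constructed.

```python
from fractions import Fraction as F
from math import floor, ceil

BOT = None  # the undefined clock value

def frac(clock, v):
    """Fractional part as in condition 3: measured up from the floor for a
    recording clock ("x", a), down from the ceiling for a predicting clock ("y", a)."""
    return v - floor(v) if clock[0] == "x" else ceil(v) - v

def region_equivalent(g1, g2, c):
    """Region equivalence of two valuations over the same clocks, largest constant c."""
    clocks = list(g1)
    # Condition 1: the same clocks are undefined.
    if any((g1[z] is BOT) != (g2[z] is BOT) for z in clocks):
        return False
    defined = [z for z in clocks if g1[z] is not BOT]
    # Condition 2: equal floor and ceiling for every value that is at most c.
    for z in defined:
        if (g1[z] <= c or g2[z] <= c) and (
                floor(g1[z]) != floor(g2[z]) or ceil(g1[z]) != ceil(g2[z])):
            return False
    # Condition 3: same ordering of fractional parts among values at most c.
    # (After condition 2, g1[z] <= c holds exactly when g2[z] <= c.)
    small = [z for z in defined if g1[z] <= c]
    return all((frac(z, g1[z]) <= frac(w, g1[w])) == (frac(z, g2[z]) <= frac(w, g2[w]))
               for z in small for w in small)

XA, YB = ("x", "a"), ("y", "b")

# Constructed valuations: last a was 0.3 (or 0.2) ago, next b is 0.6 / 0.8 / 0.7 ahead.
G1 = {XA: F(3, 10), YB: F(6, 10)}   # b arrives (after 0.6) before x_a reaches 1 (after 0.7)
G2 = {XA: F(3, 10), YB: F(8, 10)}   # x_a reaches 1 (after 0.7) before b arrives (after 0.8)
G3 = {XA: F(2, 10), YB: F(7, 10)}   # b arrives (after 0.7) before x_a reaches 1 (after 0.8)

if __name__ == "__main__":
    print(region_equivalent(G1, G2, 1))   # False: the order of the two crossings differs
    print(region_equivalent(G1, G3, 1))   # True
```

G1 and G2 agree on every floor and ceiling and differ only in which clock reaches an integer first as time passes, which is what condition 3 captures by measuring predicting clocks downward.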
Lemma 2 (Alur and Dill [3]). For every event-clock automaton A with integer
constants, the region-equivalence relation $\cong_A$ is a time-abstract bisimulation
of A.
An equivalence class of $\cong_A$ is called a region of A. The number of regions of A is
finite.
Lemma 3 (Alur and Dill [3]). For every event-clock automaton A with integer
constants, the number of regions of A is $n \cdot 2^{O(m \log cm)}$, where n is the number of
locations of A, m is the size of the input alphabet, and c is the largest constant that
appears in a clock constraint of A.
Given the time-abstract bisimulation $\cong_A$ with finite index, we define the region
automaton $Reg_{\cong}(A)$ as a finite-state machine over the input alphabet $\Sigma$, with the
following components:
• The locations of $Reg_{\cong}(A)$ are the regions of A.
• A region is a start location iff it contains an initial state of $S_A$, and an accepting
location iff it contains a final state of $S_A$.
• There is an edge from the region $\rho$ to the region $\rho'$ labeled with the input symbol
$a \in \Sigma$ iff there are two states $q \in \rho$ and $q' \in \rho'$ of $S_A$, and a time delay $\delta \in \mathbb{R}^{\geq 0}$,
such that $q \xrightarrow{(a,\delta)} q'$.
From Lemma 1 and the definition of time-abstract bisimulations, it follows that the
region automaton $Reg_{\cong}(A)$ defines the language $Untime(\mathcal{L}(A))$.
Theorem 2 (Untiming, Alur and Dill [3]). For every event-clock automaton A, the
untimed language $Untime(\mathcal{L}(A))$ is regular.
4.3. Closure properties 
While the class of timed automata is not closed under complement, and the language- 
inclusion problem for timed automata is undecidable, the subclass of event-clock auto- 
mata is well-behaved. 
Theorem 3 (Closure properties). Each of the classes ECA, ERA, and EPA of timed
languages is closed under union, intersection, and complement.
Proof. Closure under union is trivial, because event-clock automata admit multiple 
start locations. 
Closure under intersection is also straightforward, because the standard automata-theoretic
product construction $A_1 \times A_2$ for two given event-clock (event-recording;
event-predicting) automata $A_1$ and $A_2$ yields an event-clock (event-recording;
event-predicting) automaton. Each location of $A_1 \times A_2$ is a pair consisting
of a location of $A_1$ and a location of $A_2$, and each a-edge e of $A_1 \times A_2$ corresponds
to both an a-edge $e_1$ of $A_1$ and an a-edge $e_2$ of $A_2$ (the clock constraint of e is the
conjunction of the clock constraints of $e_1$ and $e_2$).
Closure under complement relies on the determinization construction: given an event-clock
(event-recording; event-predicting) automaton A, the event-clock (event-recording;
event-predicting) automaton $\neg Det(A)$ that results from complementing the acceptance
condition of Det(A) (interchange the accepting and the nonaccepting states of Det(A))
defines the complement of the timed language $\mathcal{L}(A)$. □
Unlike (nondeterministic) timed automata, however, event-clock automata are not closed under renaming or hiding of input symbols. Consider the timed language $\mathcal{L}$ over a unary alphabet that contains all timed words $\bar{w} = (\bar{a}, \bar{t})$ in which no two symbols occur with time difference 1 (i.e., $t_j - t_i \neq 1$ for all pairs of positions i and j of $\bar{w}$). The timed language $\mathcal{L}$ cannot be defined by a timed automaton [3], and hence, neither by
an event-clock automaton. This fact can be used to prove nonclosure properties. For instance, consider the timed language $\mathcal{L}'$ that contains all timed words of the form $(a^* b a^* b a^*, \bar{t})$ such that the time difference between the two b-symbols is 1. The timed language $\mathcal{L}'$ is definable by an event-recording or an event-predicting automaton, and thus, is in ERA ∩ EPA. If we rename the input symbol b to a, the resulting timed language contains all timed words $\bar{w} = (\bar{a}, \bar{t})$ over the unary alphabet {a} in which some two symbols occur with time difference 1 (i.e., $t_j - t_i = 1$ for two positions i and j of $\bar{w}$), precisely the complement of the timed language $\mathcal{L}$. Since the classes ERA and EPA are closed under complement, it follows that neither class is closed under renaming.
Similarly, consider the timed language $\mathcal{L}''$ that contains all timed words in $\mathcal{L}'$ such that both b-symbols are followed by a-symbols after exactly time 0.5. The timed language $\mathcal{L}''$ is in ERA. If we hide the input symbol b, the resulting timed language is again the complement of $\mathcal{L}$, which implies that ERA is not closed under hiding. An analogous argument applies to EPA.
4.4. Decision procedures 
The determinization, closure properties, and region construction can be used to solve decision problems for event-clock automata. To check if the timed language of an event-clock automaton A is empty, we construct the region automaton $\mathrm{Reg}_{\sim}(A)$ and check if the untimed language of the finite-state machine $\mathrm{Reg}_{\sim}(A)$ is empty. Since the number of regions is exponential, various heuristics have been proposed to solve emptiness (and other reachability problems) more efficiently. For instance, it is possible to construct the time-abstract bisimulation of A with the smallest number of regions using minimization algorithms [22], or to incorporate the clock constraints of A one by one, generating successive approximations to the region automaton $\mathrm{Reg}_{\sim}(A)$ [6]. Reachability problems for timed automata can also be solved by symbolic fixpoint computation [11,13].
To check if the timed language of the event-clock automaton $A_1$ is included in the timed language of the event-clock automaton $A_2$, we determinize $A_2$, complement $\mathrm{Det}(A_2)$, take the product with $A_1$, and check if the timed language of the resulting event-clock automaton is empty, by constructing the corresponding region automaton.
Theorem 4 (Language inclusion). The problem of checking if $\mathcal{L}(A_1) \subseteq \mathcal{L}(A_2)$ for two event-clock automata $A_1$ and $A_2$ is PSPACE-complete.⁵
Proof. Consider two event-clock automata $A_1$ and $A_2$ such that each automaton has at most n locations, and let m be the size of the input alphabet. The first step involves multiplying all constants in the clock constraints of $A_1$ and $A_2$ by the least common multiple of the denominators so that the clock constraints contain only integer constants, thus obtaining $A_1'$ and $A_2'$. Let c be the largest integer constant that appears in the clock constraints after this normalization step. The length of c (i.e., the number of bits required to represent c) is at most quadratic in the length of the encoding of the original clock constraints. Let $\neg\mathrm{Det}(A_2')$ be the complement of $\mathrm{Det}(A_2')$. The automaton $\neg\mathrm{Det}(A_2')$ has $2^n$ locations, and the integer constants that appear in the clock constraints of $\neg\mathrm{Det}(A_2')$ are bounded by c. Let A be the product of $A_1'$ and $\neg\mathrm{Det}(A_2')$. The event-clock automaton A has $n \cdot 2^n$ locations, and the integer constants that appear in the clock constraints of A are also bounded by c. By Lemma 3, the region automaton $\mathrm{Reg}_{\sim}(A)$ has $n \cdot 2^n \cdot 2^{O(m \log cm)}$ regions; that is, the number of regions is singly exponential in the length of the description of the input automata $A_1$ and $A_2$. Checking emptiness corresponds to searching for accepting paths in this exponential-sized finite-state machine. Since the rules that define the edges of $\mathrm{Reg}_{\sim}(A)$ can be verified in polynomial time, it follows that emptiness can be checked in PSPACE.
On the other hand, the problem of checking emptiness for event-recording (or event-predicting) automata is PSPACE-hard. The proof is the same as the corresponding hardness proof for timed automata [3]. □
⁵ In fact, $A_1$ may be any timed automaton.
The algorithm for language inclusion can be used to verify whether a system described as a timed automaton satisfies a specification given as an event-clock automaton.
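The product and complement constructions from the proof of Theorem 3, and the inclusion test of Section 4.4, evaluated on individual timed words for event-recording automata; this is an added example, not code from the paper. It assumes the event-recording semantics from the abstract (clock x_a holds the time since the last a, undefined before the first a); the encoding, the helper names, the automaton A2 and both words are constructed for illustration, and no region automaton is built.

```python
from fractions import Fraction as F

BOT = None  # undefined clock value: the symbol has not occurred yet

class ERA:
    """Event-recording automaton (hypothetical encoding, not the paper's)."""
    def __init__(self, alphabet, start, accepting, edges):
        self.alphabet = frozenset(alphabet)
        self.start = frozenset(start)
        self.accepting = frozenset(accepting)
        self.edges = list(edges)  # (source, symbol, guard, target)
        self.locations = self.start | {l for s, _, _, t in self.edges for l in (s, t)}

TRUE = lambda val: True

def eq(sym, c):  # guard x_sym = c
    return lambda val: val[sym] is not BOT and val[sym] == c

def le(sym, c):  # guard x_sym <= c
    return lambda val: val[sym] is not BOT and val[sym] <= c

def recorded(alphabet, word):
    """Per position: (symbol, {a: time since the last a, or BOT})."""
    last = dict.fromkeys(alphabet, BOT)
    for sym, t in word:
        yield sym, {a: BOT if last[a] is BOT else t - last[a] for a in alphabet}
        last[sym] = t

def det_state(aut, word):
    """Location of Det(A) reached on word: the set of locations A may be in.
    Clock values depend on the word only, so this set is unique."""
    current = aut.start
    for sym, val in recorded(aut.alphabet, word):
        current = frozenset(t for s, a, g, t in aut.edges
                            if s in current and a == sym and g(val))
    return current

def accepts(aut, word):
    return bool(det_state(aut, word) & aut.accepting)

def neg_det_accepts(aut, word):
    """Membership in the complement: flip acceptance on Det(A), not on A."""
    return not (det_state(aut, word) & aut.accepting)

def naive_flip(aut):
    """Flips the accepting locations of A itself; wrong if A is nondeterministic."""
    return ERA(aut.alphabet, aut.start, aut.locations - aut.accepting, aut.edges)

def product(a1, a2):
    """A1 x A2: paired locations, shared symbol, conjoined clock constraints."""
    edges = [((s1, s2), a, (lambda v, g1=g1, g2=g2: g1(v) and g2(v)), (t1, t2))
             for s1, a, g1, t1 in a1.edges for s2, b, g2, t2 in a2.edges if a == b]
    return ERA(a1.alphabet | a2.alphabet,
               {(p, q) for p in a1.start for q in a2.start},
               {(p, q) for p in a1.accepting for q in a2.accepting}, edges)

def refutes_inclusion(a1, a2, word):
    """True iff word is accepted by A1 and by the complement of Det(A2)."""
    return accepts(a1, word) and neg_det_accepts(a2, word)

# A1: the page's language L' (a*ba*ba*, the two b's exactly 1 apart).
A1 = ERA("ab", {0}, {2}, [(0, "a", TRUE, 0), (0, "b", TRUE, 1), (1, "a", TRUE, 1),
                          (1, "b", eq("b", 1), 2), (2, "a", TRUE, 2)])
# A2 (constructed, nondeterministic): some b occurs at most 1 after the latest a.
A2 = ERA("ab", {0}, {1}, [(0, "a", TRUE, 0), (0, "b", TRUE, 0),
                          (0, "b", le("a", 1), 1), (1, "a", TRUE, 1), (1, "b", TRUE, 1)])

W1 = [("a", F(0)), ("b", F(1, 2)), ("a", F(1)), ("b", F(3, 2))]  # constructed word
W2 = [("b", F(0)), ("b", F(1))]                                   # constructed word
```

On W1 the nondeterministic A2 and its naively flipped copy both accept, which is why the complement has to be taken on Det(A2); W2 is accepted by A1 and by the complement of Det(A2), so it witnesses that the language of A1 is not included in that of A2.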
5. Relating classes of timed automata 
5.1. Timed automata 
We briefly review the definition of a timed automaton [3]. A timed automaton A consists of a finite input alphabet $\Sigma$, a finite set L of locations, a set $L_0 \subseteq L$ of start locations, a set $L_f \subseteq L$ of accepting locations, a finite set C of clocks, and a finite set E of edges. Each edge $e \in E$ is a quintuple $(\ell, \ell', a, \varphi, p)$ with a source location $\ell \in L$, a target location $\ell' \in L$, an input symbol $a \in \Sigma$, a clock constraint $\varphi$ over C, and a reset condition $p \subseteq C$ that specifies the clocks that are reset to 0 when the edge e is traversed. A clock-valuation function $\gamma$ for the timed automaton A is a function from the clocks C to the extended reals $\mathbb{R}^{\bot}_{\ge 0}$. For a time delay $\delta \in \mathbb{R}_{\ge 0}$, we write $\gamma + \delta$ for the clock-valuation function that assigns to each clock $x \in C$ the value $\gamma(x) + \delta$. For a set $p \subseteq C$ of clocks, we write $\gamma' = \gamma[p := 0]$ for the clock-valuation function that agrees with $\gamma$ on all clocks except those in p, which evaluate to 0 (i.e., $\gamma'(x) = \gamma(x)$ if $x \notin p$, and $\gamma'(x) = 0$ if $x \in p$). A computation of the timed automaton A over the timed input word $\bar{w} = (a_0, t_0) \ldots (a_n, t_n)$ is a finite sequence
of locations $\ell_i \in L$, clock-valuation functions $\gamma_i$, and edges $e_i = (\ell_i, \ell_{i+1}, a_i, \varphi_i, p_i) \in E$ such that
1. $\ell_0 \in L_0$ and for all clocks $x \in C$, we have $\gamma_0(x) = \bot$, and
2. for all $0 \le i \le n$, we have $\gamma_i + (t_i - t_{i-1}) \models \varphi_i$ and $\gamma_{i+1} = (\gamma_i + t_i - t_{i-1})[p_i := 0]$.
Fig. 5. Timed automaton A6 
The computation is accepting iff $\ell_{n+1} \in L_f$. The timed language $\mathcal{L}(A)$ defined by the timed automaton A consists of all timed words $\bar{w}$ such that A has an accepting computation over $\bar{w}$. Fig. 5 shows the timed automaton $A_6$, which uses a single clock x to accept timed words over the unary alphabet {a}. The timed language $\mathcal{L}(A_6)$ consists of all timed words of the form $(a^k, \bar{t})$, for $k \ge 2$, such that $t_j - t_i = 1$ for some $0 \le i < j < k$.
We write NTA for the class of timed languages that are definable by timed automata. The class NTA is closed under union and intersection, but not under complement [3]. In particular, the complement of the language $\mathcal{L}(A_6)$, which contains all timed words in which no two symbols occur with time difference 1, cannot be accepted with finitely many clocks. Checking emptiness for timed automata is PSPACE-complete, while language inclusion for timed automata cannot be decided [3].
The definition of determinism for timed automata is the same as for event-clock 
automata; that is, a timed automaton is deterministic iff it has at most one start location, 
and two edges with the same source location and the same input symbol have mutually 
exclusive clock constraints. We write DTA for the class of timed languages that are 
definable by deterministic timed automata. Since DTA is closed under all boolean 
operations, DTA is strictly contained in NTA [3]. 
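The computation semantics defined above, run as code: an added example (not from the paper) that tracks every (location, clock valuation) pair a nondeterministic timed automaton can reach on a timed word. The class and function names are hypothetical, and since Fig. 5 is not reproduced here, the three-location shape given to A6 is an assumption chosen to match the language the text states for it.

```python
from fractions import Fraction as F

BOT = None  # the undefined clock value, written ⊥ in the definition

class TimedAutomaton:
    def __init__(self, clocks, start, accepting, edges):
        self.clocks = tuple(clocks)
        self.start, self.accepting = set(start), set(accepting)
        self.edges = list(edges)  # (source, target, symbol, guard, resets)

def configurations(ta, word):
    """Every (location, clock values) pair in which some computation over word can end."""
    configs = {(loc, tuple(BOT for _ in ta.clocks)) for loc in ta.start}
    prev_t = None
    for sym, t in word:
        if prev_t is not None and t < prev_t:
            raise ValueError("time-stamps must be nondecreasing")
        # All clocks are still BOT at the first symbol, so the first delay is irrelevant.
        delta = F(0) if prev_t is None else t - prev_t
        successors = set()
        for loc, values in configs:
            # gamma + delta: defined clocks advance, BOT stays BOT
            gamma = {x: BOT if v is BOT else v + delta
                     for x, v in zip(ta.clocks, values)}
            for src, tgt, a, guard, resets in ta.edges:
                if src == loc and a == sym and guard(gamma):
                    # gamma[p := 0]: clocks in the reset condition restart at 0
                    after = tuple(F(0) if x in resets else gamma[x] for x in ta.clocks)
                    successors.add((tgt, after))
        configs, prev_t = successors, t
    return configs

def accepts(ta, word):
    return any(loc in ta.accepting for loc, _ in configurations(ta, word))

ANY = lambda gamma: True
X_IS_1 = lambda gamma: gamma["x"] is not BOT and gamma["x"] == 1

# Assumed shape of A6: guess one a and reset x there, then accept a later a with x = 1.
A6 = TimedAutomaton(["x"], {"wait"}, {"done"}, [
    ("wait", "wait", "a", ANY, set()),
    ("wait", "armed", "a", ANY, {"x"}),
    ("armed", "armed", "a", ANY, set()),
    ("armed", "done", "a", X_IS_1, set()),
    ("done", "done", "a", ANY, set()),
])

# The two unary words used in the proof of Theorem 5(7), as exact rationals.
W_YES = [("a", F(0)), ("a", F(1, 2)), ("a", F(1))]
W_NO = [("a", F(0)), ("a", F(1, 2)), ("a", F(9, 10))]
```

The configuration set keeps one entry per guessed reset position, so it grows with the number of a-symbols read; a deterministic automaton with a fixed number of clocks has no way to keep all of those time-stamps.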
5.2. From event-clock automata to timed automata 
Every event-clock automaton can be translated into a timed automaton that defines the same timed language. Translating event-recording clocks is easy: an event-recording clock $x_a$ is reset on an edge e iff the input symbol of e is a. This trivial translation preserves determinism. The translation of event-predicting clocks introduces nondeterminism.
Consider an event-predicting automaton $A = (\Sigma, L, L_0, L_f, E)$. An atomic clock constraint is a formula of the form $y_a = \bot$ or $y_a \sim c$, where $\sim$ stands for $<$ or $\le$ or $>$ or $\ge$. We assume that the clock constraint of each edge of A is a conjunction of atomic clock constraints; this can always be achieved by writing clock constraints in disjunctive normal form and creating separate edges for all disjuncts. Let $\Phi_A$ be the set of atomic clock constraints that appear in the edges of A. We construct a nondeterministic timed automaton B over the input alphabet $\Sigma$ as follows:
• The locations of B are the pairs $(\ell, \Psi)$ with $\ell \in L$ and $\Psi \subseteq \Phi_A$.
• The location $(\ell, \Psi)$ is a start location of B iff $\ell \in L_0$ and $\Psi$ does not contain a constraint of the form $y_a \sim c$.
Fig. 6. Relationships between classes of timed automata. 
• The location $(\ell, \Psi)$ is an accepting location of B iff $\ell \in L_f$ and $\Psi$ equals $\{y_a = \bot \mid a \in \Sigma\}$.
• For every constraint $\psi \in \Phi_A$, the automaton B has a clock $z_\psi$.
• The automaton B has an edge from the source location $(\ell, \Psi)$ to the target location $(\ell', \Psi')$ with the input symbol a, the clock constraint $\varphi$, and the reset condition p iff the following seven conditions are met. Intuitively, a prediction $y_b \sim c$ along an edge in A on the time difference to the next occurrence of b is replaced in B by a constraint on the clock $z_{(y_b \sim c)}$: the clock $z_{(y_b \sim c)}$ is reset when the prediction is
1. The automaton A has an edge of the form $(\ell, \ell', a, \chi)$.
2. The constraint $y_a = \bot$ does not appear in $\Psi$.
3. The constraint $\varphi$ is the conjunction of all atomic clock constraints of the form $z_{(y_a \sim c)} \sim c$ with $(y_a \sim c) \in \Psi$.
4. For each input symbol b different from a, if a constraint involving $y_b$ appears in $\Psi$, then it appears in $\Psi'$ also.
5. Each conjunct of $\chi$ appears in $\Psi'$ also.
6. For each input symbol b and for $\sim$ equal to $>$ or $\ge$, the clock $z_{(y_b \sim c)}$ appears in the reset condition p iff the constraint $y_b \sim c$ is a conjunct of $\chi$.
7. For each input symbol b and for $\sim$ equal to $<$ or $\le$, the clock $z_{(y_b \sim c)}$ appears in the reset condition p iff the constraint $y_b \sim c$ is a conjunct of $\chi$, and either b = a or the constraint $y_b \sim c$ does not appear in $\Psi$.
the timed automaton B defines the timed language $\mathcal{L}(A)$.
The following theorem relates the various classes of timed automata. The relationships are also shown in Fig. 6.
Theorem 5 (Relationships between classes of timed automata).
(1) ERA ⊈ EPA, (2) EPA ⊈ ERA, (3) ERA ∪ EPA ⊂ ECA,
(4) ECA ⊂ NTA, (5) ERA ⊂ DTA, (6) EPA ⊈ DTA,
(7) DTA ⊈ ECA.
Proof. For (1), the timed language of the event-recording automaton $A_2$ of Fig. 2 is not definable by an event-predicting automaton. The proof is by contradiction. Suppose that an event-predicting automaton B defines the timed language $\mathcal{L}(A_2)$. Without loss of generality, assume that the clock constraints of B use only integer constants. Consider
the two timed words $\bar{w}_1 = (a, 0)(b, 0.5)(b, 1)$ and $\bar{w}_2 = (a, 0)(b, 0.5)(b, 0.9)$. The event-predicting automaton B uses constraints over the two clocks $y_a$ and $y_b$. Although the clock-valuation function $\gamma_1^{\bar{w}_1}(y_b)$ differs from the clock-valuation function $\gamma_1^{\bar{w}_2}(y_b)$, clock constraints with integer constants cannot detect this difference: for every clock constraint $\varphi$ of B and every position $0 \le j \le 2$, we have $\gamma_j^{\bar{w}_1} \models \varphi$ iff $\gamma_j^{\bar{w}_2} \models \varphi$. Thus, the automaton B accepts $\bar{w}_1$ iff it accepts $\bar{w}_2$. But, the automaton $A_2$ accepts $\bar{w}_1$ and rejects $\bar{w}_2$.
For (2), the timed language of the event-predicting automaton $A_3$ of Fig. 2 cannot be defined by an event-recording automaton. The proof is similar to case (1).
For (3), consider the union of the two automata $A_2$ and $A_3$. The resulting automaton is an event-clock automaton. A proof similar to case (1) shows that the timed language $\mathcal{L}(A_2) \cup \mathcal{L}(A_3)$ is neither in ERA nor in EPA. This shows that the inclusion ERA ∪ EPA ⊆ ECA is strict.
The translation from event-clock automata to timed automata proves the inclusions (4) and (5). Inclusion (4) is strict, because ECA is closed under complement while NTA is not. Inclusion (5) is strict because of (7).
For (6), the timed language $\mathcal{L} = \{(a^k b, t_0 \ldots t_k) \mid \exists\, 0 \le j < k,\ t_k - t_j = 1\}$ is in EPA (the event-predicting automaton simply requires that the clock constraint $y_b = 1$ is satisfied at one of the symbols in the initial string of a's) but not in DTA. The proof is by contradiction. Suppose that a deterministic timed automaton B defines the timed language $\mathcal{L}$. Assume that B uses only integer constants, and m clocks. Consider the timed word $\bar{w} = (a^{m+2}, t_0, \ldots, t_{m+1})$ with $0 = t_0 < t_1 < \cdots < t_m < t_{m+1} = 1$. Since B is deterministic, there is at most one computation of B that reads the word $\bar{w}$. Since B has at most m clocks, there is at least one position $1 \le j < m$ such that no clock of B has the value $1 - t_j$ when that computation reads the input (a, 1). Hence, the automaton B "forgets" the time-stamp $t_j$. Consider two extensions of the timed word $\bar{w}$: let $\bar{w}_1$ be $\bar{w}$ followed by $(b, t_j + 1)$, and let $\bar{w}_2$ be $\bar{w}$ followed by $(b, t' + 1)$, where $t' \neq t_j$ is chosen such that $t_{j-1} < t' < t_{j+1}$. The clocks of B satisfy the same clock constraints when reading the additional, (m+2)-nd input symbol in both cases. Thus, the automaton B accepts $\bar{w}_1$ iff it accepts $\bar{w}_2$. But, $\bar{w}_1$ is in the timed language $\mathcal{L}$, and $\bar{w}_2$ is not.
For (7), the timed language $\{(aaa, t_0 t_1 t_2) \mid t_2 - t_0 = 1\}$ is in DTA (the deterministic timed automaton with one clock x simply resets x when reading the first a, and checks the clock constraint x = 1 when reading the third a) but not in ECA. The proof is similar to case (1): an event-clock automaton either accepts both (a, 0)(a, 0.5)(a, 1) and (a, 0)(a, 0.5)(a, 0.9) or it rejects both timed words. □
In [5], we defined another subclass of NTA that is closed under all boolean operations, namely, the class 2DTA of timed languages that are definable by deterministic
two-way timed automata that can read the timed input word a bounded number of times 
(by moving forward and backward over the input). While ECA is easily seen to be 
contained in 2DTA, and while there are obvious similarities between event-predicting 
clocks and the two-way reading of timed input words, the exact relationship between 
event-clock automata and deterministic two-way automata remains to be studied. 
However, because they admit nondeterminism, event-clock automata are more suited 
for specification than deterministic two-way timed automata. 
6. Timed transition systems as event-clock automata 
6.1. Timed transition systems 
A transition system T consists of a set Q of states, a set $Q^0 \subseteq Q$ of initial states, and a finite set $\mathcal{T}$ of transitions. Each transition $\tau \in \mathcal{T}$ is a function from Q to $2^Q$: for each state $q \in Q$, the set $\tau(q)$ gives the possible $\tau$-successors of q. The transition system T is finite iff the set Q of states is finite. A run $\bar{q}$ of the transition system T is a finite sequence $q_0 \to q_1 \to \cdots \to q_n$ of states such that $q_0 \in Q^0$ and for all $0 \le i < n$, there exists a transition $\tau_i \in \mathcal{T}$ with $q_{i+1} \in \tau_i(q_i)$. The transition $\tau$ is enabled at the ith step of the run $\bar{q}$ iff $\tau(q_i)$ is nonempty, and $\tau$ is taken at the ith step iff $q_i \in \tau(q_{i-1})$ (note that multiple transitions may be taken at the same step). A variety of programming systems, such as message-passing systems and shared-memory systems, can be given a transition-system semantics [17].
The model of transition systems is extended to timed transition systems so that it is possible to express real-time constraints on the transitions [12]. A timed transition system T consists of a transition system $(Q, Q^0, \mathcal{T})$ and two functions l and u from $\mathcal{T}$ to $\mathbb{Q}_{\ge 0}$ that associate with each transition $\tau \in \mathcal{T}$ a lower bound $l(\tau)$ and an upper bound $u(\tau)$. Informally, the transition $\tau$ must be enabled continuously for at least $l(\tau)$ time units before it can be taken, and $\tau$ must not be enabled continuously for more than $u(\tau)$ time units without being taken. Formally, we associate a real-valued time-stamp with each state change along a run: $t_0$ is the initial time, and the transition system proceeds from the state $q_i$ to the state $q_{i+1}$ at time $t_{i+1}$. A timed run r of the timed transition system T is a finite sequence
of states $q_i \in Q$ and nondecreasing time-stamps $t_i \in \mathbb{R}_{\ge 0}$ such that $\bar{q}$ is a run of the underlying transition system and the following two conditions are met:
1. Upper bound: if $\tau$ is enabled at all steps k for i < k < j, and not taken at all steps k for i < k < j, then $t_j - t_i \le u(\tau)$.
2. Lower bound: if $\tau$ is taken at the jth step, then there is some step i < j such that $t_j - t_i \ge l(\tau)$ and $\tau$ is enabled at all steps k for i < k < j and not taken at all steps k for i < k < j.
The semantics of the timed transition system T is the set of timed runs of T. Two timed transition systems are equivalent iff they have the same timed runs.
6.2. From timed transition systems to event-recording automata 
We show that the set of timed runs of a finite timed transition system can be defined by an event-recording automaton. For this purpose, we need to switch from the
state-based semantics of transition systems to an event-based semantics. With the given timed run r with states $q_i$ and time-stamps $t_i$, we associate the timed word
where $\bot$ is a special symbol not in Q (as usual, $Q_\bot = Q \cup \{\bot\}$). Notice that the timed run r and the corresponding timed word $\bar{w}_r$ contain the same information: each event (i.e., state change) of r is modeled by a pair of states, a source state and a target state. Every finite timed transition system $T = (Q, Q^0, \mathcal{T}, l, u)$, then, defines a timed language $\mathcal{L}(T)$ over the alphabet $Q_\bot \times Q$, namely, the set of timed words $\bar{w}_r$ that correspond to timed runs r of T. Furthermore, two timed transition systems are equivalent iff they define the same timed language.
Theorem 6 (Timed transition systems). For every finite timed transition system T, there is an event-recording timed automaton $A_T$ that defines the timed language $\mathcal{L}(T)$.
Proof. Consider the given finite timed transition system T. Each location of the corresponding event-clock automaton $A_T$ records a state $q \in Q$ and, for each transition $\tau \in \mathcal{T}$, a pair of states $(\alpha(\tau), \beta(\tau)) \in Q_\bot \times Q$ such that if $\tau$ is enabled in q, then $\tau$ has been enabled continuously without being taken since the last state change from $\alpha(\tau)$ to $\beta(\tau)$. In addition, we use a special location $\ell_0$ as the sole start location of $A_T$. Every location is an accepting location.
For each initial state $q_0 \in Q^0$, there is an edge from the source location $\ell_0$ to the target location $(q_0, (\alpha, \beta))$ with the input symbol $(\bot, q_0)$ and the trivial clock constraint true, where $(\alpha(\tau), \beta(\tau)) = (\bot, q_0)$ for all transitions $\tau \in \mathcal{T}$. In addition, there is an edge from the source location $(q, (\alpha, \beta))$ to the target location $(q', (\alpha', \beta'))$ with the input symbol $(q, q')$ and the conjunction $\varphi$ of atomic clock constraints iff there is a transition $\tau \in \mathcal{T}$ such that $(q, q') \in \tau$, and for all transitions $\tau \in \mathcal{T}$,
1. if $\tau$ is enabled in q and $q' \notin \tau(q)$, then $(\alpha'(\tau), \beta'(\tau)) = (\alpha(\tau), \beta(\tau))$, else $(\alpha'(\tau), \beta'(\tau))$
2. if $\tau$ is enabled in q, then $\varphi$ contains the conjunct $x_{(\alpha(\tau), \beta(\tau))} \le u(\tau)$, and
3. if $q' \in \tau(q)$, then $\varphi$ contains the conjunct $x_{(\alpha(\tau), \beta(\tau))} \ge l(\tau)$. □
Notice that the event-recording automaton $A_T$ is deterministic, and its size is exponential in the size of the timed transition system T. To check if two timed transition systems $T_1$ and $T_2$ are equivalent, we construct the corresponding event-recording automata $A_{T_1}$ and $A_{T_2}$ and check if they define the same timed language.
Theorem 7 (Equivalence of timed transition systems). The problem of checking if two finite timed transition systems are equivalent is PSPACE-complete.
Proof. Consider two finite timed transition systems $T_1$ and $T_2$. Suppose that each transition system has at most n states and m transitions, and the bounds associated
with the transitions are at most c. Consider the event-clock automata $A_{T_1}$ and $A_{T_2}$. Each automaton has $2^{O((m+1)\log n)}$ locations. The size of the input alphabet is $(n + 1) \cdot n$, and the clock constraints of $A_{T_1}$ and $A_{T_2}$ use constants bounded by c. Since the two automata are deterministic, to check if they accept the same timed language, we need to take their product, construct the region automaton $\mathrm{Reg}_{\sim}(A_{T_1} \times A_{T_2})$, and search for a path that is accepting in one component, but not in the other. The resulting region automaton has $2^{O((m+1)\log n + n^2 \log cn)}$ many regions. This implies that the desired check can be performed in space polynomial in n and m and log c. The lower bound follows from the fact that it is PSPACE-hard to check if two nondeterministic finite-state machines accept the same language. □
References 
[1] R. Alur, C. Courcoubetis, D. Dill, Model checking in dense real time, Inform. and Comput. 104 (1993) 2-34.
[2] R. Alur, C. Courcoubetis, T. Henzinger, Computing accumulated delays in real-time systems, in: Proc. 5th Annual Conf. on Computer-Aided Verification, Lecture Notes in Computer Science, vol. 697, Springer, Berlin, 1993, pp. 181-193.
[3] R. Alur, D. Dill, A theory of timed automata, Theoret. Comput. Sci. 126 (1994) 183-235.
[4] R. Alur, T. Feder, T. Henzinger, The benefits of relaxing punctuality, J. ACM 43 (1996) 116-146.
[5] R. Alur, T. Henzinger, Back to the future: towards a theory of timed regular languages, in: Proc. 33rd Annual Symp. on Foundations of Computer Science, IEEE Computer Society Press, Silver Spring, MD, 1992, pp. 177-186.
[6] R. Alur, A. Itai, R. Kurshan, M. Yannakakis, Timing verification by successive approximation, Inform. and Comput. 118 (1) (1995) 142-157.
[7] R. Alur, R. Kurshan, Timing analysis in COSPAN, in: Hybrid Systems III: Verification and Control, Lecture Notes in Computer Science, vol. 1066, Springer, Berlin, 1996, pp. 220-231.
[8] J. Bengtsson, K. Larsen, F. Larsson, P. Pettersson, W. Yi, UPPAAL: a tool suite for automatic verification of real-time systems, in: Hybrid Systems III: Verification and Control, Lecture Notes in Computer Science, vol. 1066, Springer, Berlin, 1996, pp. 232-243.
[9] C. Courcoubetis, M. Yannakakis, Minimum and maximum delay problems in real-time systems, in: Proc. 3rd Annual Conf. on Computer-Aided Verification, Lecture Notes in Computer Science, vol. 575, Springer, Berlin, 1991, pp. 399-409.
[10] C. Daws, A. Olivero, S. Tripakis, S. Yovine, The tool KRONOS, in: Hybrid Systems III: Verification and Control, Lecture Notes in Computer Science, vol. 1066, Springer, Berlin, 1996, pp. 208-219.
[11] D. Dill, Timing assumptions and verification of finite-state concurrent systems, in: Proc. 1st Annual Conf. on Computer-Aided Verification, Lecture Notes in Computer Science, vol. 407, Springer, Berlin, 1989, pp. 197-212.
[12] T. Henzinger, Z. Manna, A. Pnueli, Temporal proof methodologies for timed transition systems, Inform. and Comput. 112 (1994) 273-337.
[13] T. Henzinger, X. Nicollin, J. Sifakis, S. Yovine, Symbolic model checking for real-time systems, Inform. and Comput. 111 (1994) 193-244.
[14] J. Hopcroft, J. Ullman, Introduction to Automata Theory, Languages, and Computation, Addison-Wesley, Reading, MA, 1979.
[15] R. Kurshan, Computer-Aided Verification: The Automata-Theoretic Approach, Princeton University Press, Princeton, NJ, 1994.
[16] N. Lynch, H. Attiya, Using mappings to prove timing properties, Distrib. Comput. 6 (1992) 121-139.
[17] Z. Manna, A. Pnueli, The Temporal Logic of Reactive and Concurrent Systems, Springer, Berlin, 1991.
[18] M. Merritt, F. Modugno, M. Tuttle, Time-constrained automata, in: Proc. 2nd Annual Conf. on Concurrency Theory, Lecture Notes in Computer Science, vol. 527, Springer, Berlin, 1991, pp. 408-423.
[19] F. Schneider, B. Bloom, K. Marzullo, Putting time into proof outlines, in: Real Time: Theory in Practice, Lecture Notes in Computer Science, vol. 600, Springer, Berlin, 1991, pp. 618-639.
[20] A. Sistla, M. Vardi, P. Wolper, The complementation problem for Büchi automata with applications to temporal logic, Theoret. Comput. Sci. 49 (1987) 217-237.
[21] P. Wolper, M. Vardi, A. Sistla, Reasoning about infinite computation paths, in: Proc. 24th Annual Symp. on Foundations of Computer Science, IEEE Computer Society Press, Silver Spring, MD, 1983, pp. 185-194.
[22] M. Yannakakis, D. Lee, An efficient algorithm for minimizing real-time transition systems, in: Proc. 5th Annual Conf. on Computer-Aided Verification, Lecture Notes in Computer Science, vol. 697, Springer, Berlin, 1993, pp. 210-224.
[23] T. Yoneda, A. Shibayama, B. Schlingloff, E. Clarke, Efficient verification of parallel real-time systems, in: Proc. 5th Annual Conf. on Computer-Aided Verification, Lecture Notes in Computer Science, vol. 697, Springer, Berlin, 1993, pp. 321-332.
