State explosion is a well-known problem that impedes analysis and testing based on state-space exploration. The problem is particularly serious in real-time systems because unbounded time values make the state space infinite even for simple systems. In this paper, we present an algorithm that produces a compact representation of the reachable state space of a real-time system. The algorithm yields a small state space that still retains enough information for analysis. To avoid the state explosion caused by simply adding time values to states, our algorithm uses history equivalence and transition bisimulation to collapse states into equivalence classes. Through history equivalence, states with the same untimed execution up to the state are merged into one equivalence class. Using transition bisimulation, states that have the same future behaviors are further collapsed. The resulting state space is finite and can be used to analyze real-time properties. To show the effectiveness of our algorithm, we have implemented it and analyzed several example applications.
INTRODUCTION
As computers become ubiquitous, they are increasingly used in safety-critical environments. Typical safety-critical applications are control systems, monitoring systems, and communication systems. Any failure of such computer systems may cause great financial loss, environmental disaster, or even the loss of lives. The potentially high cost of incorrect operation of these systems has created a demand for a rigorous framework in which design alternatives can be formally specified, rigorously analyzed, and tested before implementation.
It is commonly believed that future safety critical systems will be more complex due to increased demands on their functionalities as well as the size of the problem domain. Thus, it will be difficult for one to analyze and test correctness without computer-aided tools. One common aspect of safety critical systems is that they must respond under stringent real-time constraints. That is, their correctness depends not only on how concurrent components interact, but also on the time at which these interactions occur. In addition, these systems are costly to prototype, requiring careful prediction of timing properties before implementation and evaluation of design alternatives.
Although the verification problem is in general undecidable, there exist several automatic verification and analysis techniques for finite state systems. Such techniques are usually based on state space exploration: they identify the set of states reachable from the initial states and then analyze this set for verification. Such techniques exist for proving absence of deadlock or livelock, for proving properties expressed in propositional temporal logic or real-time logic, and for determining trace equivalence, testing preorder, or bisimulation equivalence, among others.
The major weakness of approaches based on state space exploration is that the size of the state space grows exponentially with the number of processes, which creates the state space explosion problem. The problem is particularly serious in real-time systems because unbounded time values make the state space infinite. Recently, there has been some work on constructing a finite representation of the reachable states of a real-time system, i.e., its reachability graph [27], [24], [17], [2].
Most of this work represents real time using the discrete time model, in which events can happen only at integer time values [27], [24], [17]. Reachability analysis based on the discrete time model may fail to detect some states that are reachable in the real world, where time is dense [1]. In the dense time model, events can happen at arbitrary points on the real line. For real-time systems with dense time, there exists little work on reachability analysis [2], [29]. This paper describes our approach to constructing a reachability graph for both the discrete and the dense time model. Our model of a real-time system is the timed automaton introduced in [2], [6]. A timed automaton is a finite automaton extended with timing constraints. It has a finite set of nodes and transitions to represent control flow, and a finite set of real-valued clocks to express timing constraints. A transition may depend on the values of the clocks and can reset some of the clocks. The values of the clocks increase at the same rate as global time. Timed automata can model a wide range of time-dependent behaviors, such as time-outs, delays, and lower/upper bounds between events, using an arbitrary number of clocks. Our goal is to develop a technique to efficiently represent the reachability graph of a timed automaton.
Timed automata have been extensively studied for verification of real-time systems [4] , [3] , [29] , [23] .
These are region-based approaches. A region is a set of states, where a state consists of a node and a clock valuation. In [2], a region includes states with the same node and a set of clock valuations that are equivalent in a certain sense, and a finite region graph is constructed using the partitioning algorithm given in [8]. The region graph has size exponential in the number of clocks and in the size of the constants that appear in the enabling conditions of the transitions. Because the region graph is too fine-grained, minimization approaches [4], [29] have been proposed in order to equate more valuations. The minimal region graphs, however, still have the same worst-case complexity as region graphs. Another region-based approach to generating a finite reachable state space from a timed automaton is forward analysis [14], [5]. Forward analysis repeatedly computes the region that includes the reachable states: starting from the initial region, it adds the states reachable from the current region through time passage or transitions until the region contains all reachable states, i.e., until a fixed point is reached. One drawback of forward analysis is that termination of the procedure is not guaranteed.
In this paper, we present an algorithm that produces a compact reachability graph from a timed automaton. The algorithm usually yields a small state space, yet retains the reachability and event-ordering information needed to analyze real-time properties such as safety properties and bounded response time properties. Our algorithm uses the notions of history equivalence and transition bisimulation to cluster states into equivalence classes. In our approach, states are defined as histories (i.e., executions up to the states). Under history equivalence, states that have the same untimed histories are equivalent and are merged into one. Since there are infinitely many untimed histories, the state space minimized by history equivalence alone is still infinite. Using transition bisimulation, states that have the same future behaviors are further merged, so the resulting state space becomes finite. Compared with the minimal region graph approaches, our minimization is based on traces, whereas the minimal region graph approaches are based on branching-time structures. Compared with the forward analysis approaches, the number of equivalence classes in our approach is finite, whereas forward analysis may generate infinitely many regions. Our approach is implemented in a tool called TREAT (Timed Reachability Analysis Tool).
The paper is organized as follows. Section 2 describes the syntax and semantics of timed automata and also reviews existing approaches for reachability analysis on timed automata. Section 3 defines equivalence relations, namely history equivalence and transition bisimulation. Section 4 presents the algorithm that generates a reachable state space according to the underlying equivalence relations. Section 5 reports on case studies that show the efficiency of our tool TREAT, and compares our results with other tools. Section 6 summarizes relevant research in state-space generation techniques for real-time systems. In Section 7, we conclude the paper with current and future research issues.
TIMED AUTOMATA
Various kinds of timed automata have been used to describe real-time systems [2], [23], [6]. In this paper, we adopt the timed automaton introduced by Nicollin et al. [23], which associates timing constraints with both nodes and transitions.
The Syntax
A timed automaton has a finite set of nodes and transitions to represent control flow and a finite set of variables called clocks to express timing constraints. The domain of clocks is the set of real numbers. The values of all clocks are initially zero and increase at the same rate, but any subset of them can be reset to zero on a transition. Timing constraints are associated with both nodes and transitions.
The syntax of timed automata is defined as follows. Let ℕ be the set of non-negative integers, and let ℝ≥0 be the set of non-negative real numbers. Let G be the set of timing constraints expressed as conjunctions of atomic formulas of the form x ~ i, where x is a clock, i ∈ ℕ, and ~ is a comparison operator (see footnote 1). The timing constraints do not include comparisons of two or more clock values such as x_1 + i_1 ~ x_2 + i_2.
Definition 2.1. A timed automaton is a tuple ⟨N, n_init, C, Σ, Inv, T⟩, where
1. N is a finite set of nodes; 2. n_init ∈ N is the initial node; 3. C is a finite set of clocks; 4. Σ is a finite set of events; 5. Inv : N → G assigns a timing constraint to each node; and 6. T ⊆ N × G × Σ × 2^C × N is the transition relation.
1. Disjunctions can be represented as separate edges with conjunctions, and real-valued constants can be converted to integers by multiplying all constants by 10^k for some k.
The function Inv associates with each node n ∈ N a timing constraint called the invariant of n. Control can stay in a node n only while the current clock valuation satisfies Inv(n); this forces control to move to the next node before the invariant becomes false, so that control cannot be stuck in a node. We restrict invariants to conjunctions of atomic formulas of the form x ≤ i. For a transition ⟨n_1, φ, σ, λ, n_2⟩ ∈ T, if control is at node n_1 and the current clock valuation satisfies the timing constraint φ, the system can take the transition; as a result, it performs event σ, resets all clocks in λ to zero, and instantaneously moves to node n_2.
For a transition τ = ⟨n_1, φ, σ, λ, n_2⟩ we use the following notation for convenience: source(τ) is the source node n_1, target(τ) is the target node n_2, condition(τ) is the enabling condition φ, event(τ) is the event σ, and resetclocks(τ) is the set λ of clocks reset by τ.
Composition. In general, a system consists of several timed automata running in parallel and communicating with each other. These concurrent timed automata can be composed into a global timed automaton as follows: transitions of the timed automata that do not execute a shared event are interleaved, whereas transitions using a shared event are synchronized.
The composition A = A_1 || A_2 of A_1 and A_2 is a tuple ⟨N, n_init, C, Σ, Inv, T⟩, where
1. N = N_1 × N_2; 2. n_init = ⟨n_init1, n_init2⟩; 3. C = C_1 ∪ C_2 (assuming C_1 ∩ C_2 = ∅); 4. Σ = Σ_1 ∪ Σ_2; 5. Inv(⟨n_1, n_2⟩) = Inv_1(n_1) ∧ Inv_2(n_2); and 6. T is given by the interleaving and synchronization rules stated above.
Example: Railroad Crossing System. The standard railroad crossing problem has been used to compare different formal methods for real-time systems [13]. Fig. 1 shows an automatic controller that opens and closes a gate at a railroad crossing, presented in [3]. The system is formed as the composition of three components, Train, Gate, and Controller, which execute in parallel and synchronize through the events approach, exit, lower, and rise. When a train approaches the crossing, Train sends an approach signal to Controller and, at least 300 seconds later, sends an in signal to its environment to indicate that the train has entered the crossing. When the train leaves the crossing, Train generates an out signal to its environment to indicate that the train has left the crossing and then sends an exit signal to Controller for synchronization. The exit signal is sent within 500 seconds after the approach signal. Controller sends a lower signal to Gate exactly 100 seconds after the approach signal, and sends a rise signal within 100 seconds after exit. Gate responds to lower by moving down within 100 seconds and responds to rise by moving up between 100 and 200 seconds. The timed automaton composed from Train, Gate, and Controller is shown in Fig. 2. For simplicity, it omits nodes that have no path from the initial node, because any such node is obviously unreachable. Node ⟨i, j, k⟩ represents that Train, Gate, and Controller are at nodes i, j, and k, respectively.
The Semantics
The semantics of a timed automaton is given by executions and behaviors. We first explain executions using the railroad crossing system in Fig. 2. Initially, control resides at node ⟨0, 0, 0⟩, and the values of clocks x, y, and z are all zero. At 20.5 seconds, the values of x, y, and z are all 20.5 at node ⟨0, 0, 0⟩. If transition τ_1 is taken at that time, the system executes event approach, and control moves to node ⟨1, 0, 1⟩. Since x and z are reset by τ_1, the values of x, y, and z become 0, 20.5, and 0, respectively. The invariant of node ⟨1, 0, 1⟩ is "x ≤ 500 ∧ z ≤ 100". Since the current values of x and z are zero, control can stay at node ⟨1, 0, 1⟩ for at most 100 seconds. The enabling condition "z ≥ 100" of τ_2 and the enabling condition "x ≥ 300" of τ_3 remain false during this 100 second period. At time 120.5, the values of x and z are both 100. Since the enabling condition of τ_2 becomes true at that time, the transition can be executed, while the enabling condition of τ_3 is still false. Since control must leave the node because of the invariant, the system executes τ_2, i.e., performs event lower and moves to node ⟨1, 1, 2⟩ at time 120.5.
We now define executions of a timed automaton. An execution is a finite sequence of triples ⟨n_0, v_0, t_0⟩, ⟨n_1, v_1, t_1⟩, ..., ⟨n_k, v_k, t_k⟩ (node, clock valuation, time) joined by transitions τ_1, ..., τ_k, or an infinite sequence of the same form, satisfying the following constraints:
1. Initiality: n_0 = n_init, v_0(x) = 0 for all x ∈ C, and t_0 = 0;
2. Invariant Constraint: for each i ≥ 0, v_i + r satisfies Inv(n_i) for 0 ≤ r ≤ t_{i+1} − t_i (if the sequence is finite, v_k + r satisfies Inv(n_k) for all r ≥ 0);
3. Succession Constraint: for each i ≥ 0 (0 ≤ i ≤ k − 1 if the sequence is finite), there exists a transition τ_{i+1} in T with source n_i and target n_{i+1} such that v_i + (t_{i+1} − t_i) satisfies condition(τ_{i+1}), and v_{i+1}(x) = 0 for x ∈ resetclocks(τ_{i+1}) while v_{i+1}(x) = v_i(x) + (t_{i+1} − t_i) for x ∉ resetclocks(τ_{i+1}).
When we analyze a system we are usually interested in behaviors rather than in clock valuations, where a behavior is a sequence of events with their occurrence times. A behavior of a timed automaton is obtained from an execution as in the following definition.
Definition 2.4. For an execution with transitions τ_1, τ_2, ... taken at times t_1, t_2, ..., the corresponding behavior is the sequence ⟨(event(τ_1), t_1), (event(τ_2), t_2), ...⟩.
For example, the railroad crossing system has the behavior ⟨(approach, 20.5), (lower, 120.5), ...⟩, which comes from the execution described above.
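As an added illustration (this is not code from the paper or from TREAT), the following Python renders the composition rules of Section 2.1 and the execution rules of Section 2.2 and applies them to Train, Gate, and Controller as described in the text. The node names t0..t3, g0..g3, c0..c3, the tuple encoding of transitions, and the reading of "within n seconds" as a non-strict invariant x ≤ n are my assumptions; the constants 100, 200, 300, and 500 are those of the text. Note that compose works on untimed control structure only: a product node such as ⟨t2, g0, c1⟩ may survive pruning although no timed execution reaches it, which is exactly the gap the history validity test of Section 4 closes.

```python
"""Timed automata of Section 2 (invariants on nodes, guards on transitions): parallel
composition and the timed execution rules, applied to the railroad crossing system."""

OPS = {"<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b, "==": lambda a, b: a == b}

def holds(constraints, val):
    """Conjunction of atomic constraints (clock, op, int) under clock valuation val."""
    return all(OPS[op](val[x], c) for x, op, c in constraints)

class TA:
    """Nodes are tuples so that composition can flatten them into <i, j, k>."""
    def __init__(self, nodes, init, clocks, events, inv, trans):
        self.nodes, self.init, self.clocks, self.events = nodes, init, clocks, events
        self.inv = inv      # node -> conjunction of (clock, "<=", int)
        self.trans = trans  # list of (source, guard, event, resets, target)

def compose(a1, a2):
    """A1 || A2: transitions on shared events synchronise (both guards, both reset sets),
    all others interleave; nodes without a path from the initial node are dropped."""
    assert not set(a1.clocks) & set(a2.clocks)
    shared, k1 = set(a1.events) & set(a2.events), len(a1.init)
    trans = []
    for s1, g1, e1, r1, t1 in a1.trans:
        if e1 in shared:
            trans += [(s1 + s2, g1 + g2, e1, r1 | r2, t1 + t2)
                      for s2, g2, e2, r2, t2 in a2.trans if e2 == e1]
        else:
            trans += [(s1 + n2, g1, e1, r1, t1 + n2) for n2 in a2.nodes]
    trans += [(n1 + s2, g2, e2, r2, n1 + t2)
              for s2, g2, e2, r2, t2 in a2.trans if e2 not in shared for n1 in a1.nodes]
    init, reach, todo = a1.init + a2.init, set(), [a1.init + a2.init]
    while todo:                                   # keep only reachable product nodes
        n = todo.pop()
        if n not in reach:
            reach.add(n)
            todo += [t for s, _, _, _, t in trans if s == n]
    inv = {n: a1.inv.get(n[:k1], []) + a2.inv.get(n[k1:], []) for n in reach}
    return TA(sorted(reach), init, a1.clocks + a2.clocks,
              sorted(set(a1.events) | set(a2.events)), inv, [t for t in trans if t[0] in reach])

class Execution:
    """One run: current node, clock valuation and global time (Section 2.2)."""
    def __init__(self, ta):
        self.ta, self.node, self.t = ta, ta.init, 0.0
        self.val = {x: 0.0 for x in ta.clocks}
    def delay(self, d):
        """Let d time units pass; invariants are upper bounds, so checking the end suffices."""
        new = {x: v + d for x, v in self.val.items()}
        if not holds(self.ta.inv.get(self.node, []), new):
            raise ValueError(f"invariant of {self.node} violated after {d} time units")
        self.val, self.t = new, self.t + d
    def enabled(self, event):
        return [tr for tr in self.ta.trans
                if tr[0] == self.node and tr[2] == event and holds(tr[1], self.val)]
    def fire(self, event):
        """Take an enabled transition: reset its clocks and move instantaneously."""
        tr = self.enabled(event)
        if not tr:
            raise ValueError(f"{event} is not enabled at {self.node}")
        self.val.update({x: 0.0 for x in tr[0][3]})
        self.node = tr[0][4]
        return (event, self.t)

def railroad():
    """Train, Gate and Controller as described in Section 2.1 (node names are mine)."""
    train = TA([("t0",), ("t1",), ("t2",), ("t3",)], ("t0",), ["x"],
               ["approach", "in", "out", "exit"],
               {("t1",): [("x", "<=", 500)], ("t2",): [("x", "<=", 500)], ("t3",): [("x", "<=", 500)]},
               [(("t0",), [], "approach", {"x"}, ("t1",)),
                (("t1",), [("x", ">=", 300)], "in", set(), ("t2",)),
                (("t2",), [], "out", set(), ("t3",)),
                (("t3",), [("x", "<=", 500)], "exit", set(), ("t0",))])
    gate = TA([("g0",), ("g1",), ("g2",), ("g3",)], ("g0",), ["y"],
              ["lower", "down", "rise", "up"],
              {("g1",): [("y", "<=", 100)], ("g3",): [("y", "<=", 200)]},
              [(("g0",), [], "lower", {"y"}, ("g1",)),
               (("g1",), [], "down", set(), ("g2",)),
               (("g2",), [], "rise", {"y"}, ("g3",)),
               (("g3",), [("y", ">=", 100)], "up", set(), ("g0",))])
    ctrl = TA([("c0",), ("c1",), ("c2",), ("c3",)], ("c0",), ["z"],
              ["approach", "lower", "exit", "rise"],
              {("c1",): [("z", "<=", 100)], ("c3",): [("z", "<=", 100)]},
              [(("c0",), [], "approach", {"z"}, ("c1",)),
               (("c1",), [("z", ">=", 100)], "lower", set(), ("c2",)),
               (("c2",), [], "exit", {"z"}, ("c3",)),
               (("c3",), [], "rise", set(), ("c0",))])
    return compose(compose(train, gate), ctrl)

def demo_trace():
    """Replays the execution narrated in Section 2.2: approach at 20.5, lower at 120.5."""
    run = Execution(railroad())
    run.delay(20.5)
    beh = [run.fire("approach")]                         # resets x and z; y keeps 20.5
    run.delay(100)                                       # allowed by x <= 500 and z <= 100
    enabled = (bool(run.enabled("lower")), bool(run.enabled("in")))  # (True, False)
    beh.append(run.fire("lower"))                        # invariant z <= 100 forces this now
    return run.node, beh, enabled
```

Calling demo_trace() ends at node ("t1", "g1", "c2"), i.e., ⟨1, 1, 2⟩, with the behavior prefix ⟨(approach, 20.5), (lower, 120.5)⟩; asking the run to delay 100.5 seconds at ⟨1, 0, 1⟩ instead raises because the invariant z ≤ 100 would be violated, which is the mechanism that forces τ_2 at time 120.5.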
The set of possible executions or behaviors can be combined into a labeled transition system, that is, a set of states, a set of labels, and a labeled transition relation among the states. The formal definition of the labeled transition system corresponding to a given timed automaton is given in [1].
OUR APPROACH: BACKGROUND THEORY
Our approach is to define states in terms of histories instead of clock valuations, because clock values cause state explosion. We also give a labeled transition system for a timed automaton over the newly defined states. We then define history equivalence and transition bisimulation for minimizing states and discuss the properties that the minimized state space preserves.
States
We first define states for a given timed automaton A = ⟨N, n_init, C, Σ, Inv, T⟩. Let τ_init be a dummy transition representing the start of the execution, such that target(τ_init) = n_init and resetclocks(τ_init) = C, the set of all clocks. We define a timed history th as a sequence of (transition, time) pairs beginning with τ_init at time t_0.
We define a state as a pair (node, timed history) instead of (node, clock valuation). A state ⟨n, th⟩ with th = ⟨(τ_init, t_0), (τ_1, t_1), ..., (τ_k, t_k)⟩ represents that the system starts its execution at time t_0, executes transitions τ_1, τ_2, ... at times t_1, t_2, ..., respectively, and that control is currently in node n. We note that n = target(τ_k). With this definition of states, an execution of the system (Definition 3.1) is a sequence of states ⟨n_i, th_i⟩ whose timed histories grow by one (transition, time) pair at each step and whose induced clock valuations v_i satisfy the following:
. invariant constraint: v_i + r satisfies Inv(n_i) for 0 ≤ r ≤ t_{i+1} − t_i;
. succession constraint: v_i + (t_{i+1} − t_i) satisfies condition(τ_{i+1}); and
. time monotonicity: t_i ≤ t_{i+1},
where v_0(x) = 0 for x ∈ C, v_{i+1}(x) = 0 for x ∈ resetclocks(τ_{i+1}), and v_{i+1}(x) = v_i(x) + (t_{i+1} − t_i) for x ∉ resetclocks(τ_{i+1}).
For a timed automaton A, all possible executions of A define a labeled transition system M_lts(A) = ⟨S_lts, L_lts, →_lts⟩ as follows. Let exec(A) be the set of all possible executions of A.
. S_lts = {⟨n, th⟩ | some execution in exec(A) passes through the state ⟨n, th⟩};
. L_lts = T × ℝ≥0; and
. →_lts ⊆ S_lts × L_lts × S_lts is the transition relation, in which a state is related to its successor in an execution under the label (τ, t) of the transition taken and the time at which it is taken.
We relate the notion of execution of Section 2.2 (called old execution) with the notion of execution in Definition 3.1 by mapping each old execution to the sequence of states ⟨n_i, th_i⟩ whose timed histories record the transitions taken so far together with their times.
History Equivalence

For a timed history th = ⟨(τ_init, t_0), (τ_1, t_1), ..., (τ_k, t_k)⟩, the untimed history untimed(th) is the transition sequence obtained by dropping the times. For a state ⟨n, th⟩, let untimed(⟨n, th⟩) = ⟨n, untimed(th)⟩.
Definition 3.3 (history equivalence). Two states s_1 and s_2 are history equivalent if untimed(s_1) = untimed(s_2).
Given a timed automaton A, if we minimize the labeled transition system M_lts(A) with respect to history equivalence, the minimal labeled transition system M_hist(A) = ⟨S_hist, L_hist, →_hist⟩ is defined as follows:
. S_hist = {untimed(s) | s ∈ S_lts};
. L_hist = T (i.e., labels are transitions rather than (transition, time) pairs); and
. →_hist is obtained from →_lts by applying untimed to the states and dropping the time component of each label.
Here, a state is represented as a (node, untimed history) pair after clustering history-equivalent states. For a state s = ⟨n, h⟩ in S_hist, let node(s) = n and history(s) = h. For a transition tt in →_hist, let label(tt) be the transition τ ∈ T that labels it. If a state s is in S_hist, then:
. s is said to be reachable;
. history(s) is said to be valid; and
. node(s) is said to be reachable through history(s).
For the railroad crossing system, the labeled transition system shown in Fig. 3 is minimized with respect to history equivalence as shown in Fig. 4. Transition bisimulation is the same as strong bisimulation [22]; we call it transition bisimulation to emphasize that a label represents a transition in T instead of an event in Σ.
Strong Transition Bisimulation
If we minimize the labeled transition system M_hist(A) with respect to transition bisimulation, the minimal labeled transition system M_hb(A) is given as follows. For a state s, let equiv(s) be the set of states equivalent to s with respect to transition bisimulation.
Theorem 3.1. For a timed automaton A, M_hb(A) preserves reachability and event ordering:
1. reachability: n is reachable through some execution of A iff M_hb(A) includes some state s such that node(s) = n;
2. event ordering: ⟨σ_1 σ_2 σ_3 ...⟩ is the event sequence of a behavior of A iff M_hb(A) has a sequence of transitions tt_1 tt_2 tt_3 ... whose labels carry the events σ_1, σ_2, σ_3, ..., i.e., event(label(tt_i)) = σ_i for all i.
Proof. We omit the proof. However, it is easy to see from 
OUR APPROACH: ALGORITHM
Our approach is summarized as follows: given a timed automaton A, 1. construct the labeled transition system M_lts(A); 2. minimize M_lts(A) with respect to history equivalence, obtaining M_hist(A); and 3. minimize M_hist(A) with respect to transition bisimulation, obtaining M_hb(A).
In practice, however, it is impossible to construct the intermediate labeled transition systems M_lts(A) and M_hist(A), because they have infinitely many states, although M_hb(A) is finite. We therefore develop an algorithm that constructs the minimal labeled transition system M_hb(A) with respect to history equivalence and transition bisimulation directly from A, without generating the intermediate labeled transition systems. The algorithm assumes the following two functions:
1. transition-bisimilar(s_1, s_2): returns true if the states s_1 and s_2 are transition bisimilar; and 2. valid-history(h): returns true if history h is valid.
In the current implementation, the labeled transition system M_alg(A) generated by the algorithm is larger than M_hb(A), because we use a sufficient (not a necessary) condition for checking transition bisimilarity among states: transition-bisimilar(s_1, s_2) may return false although s_1 and s_2 are transition bisimilar. In this section, we present the algorithm and then show how to implement the two functions.
Construction Algorithm
We now present an algorithm that constructs a reachability graph from a given timed automaton e. The resultant reachability graph is the labeled transition system in which the number of states is reduced using history equivalence and transition bisimulation.
The algorithm is given in Fig. 6 .
Step 1 is initialization. 
Implementation
We discuss how to compute transition-bisimilar(s I Y s P ) for states s I and s P and valid-history(h) for a history h which are used in the algorithm. We first define the minimum and maximum time distances between transitions in a history, and then give conditions, in terms of the distances, under which a history is valid and two states are transition bisimilar, respectively.
Minimum and Maximum Distances
Given a timed automaton A and a history h, min_dist(τ_i, τ_j, h) and max_dist(τ_i, τ_j, h) are defined as the minimum and maximum time distances, respectively, from τ_i to τ_j over all executions associated with h. For a clock x, reset(x, h) is the last transition in h on which x is reset, and last(h) is the last transition in the history, that is, last(h) = τ_k. Note that x is always reset somewhere along h, because every clock is reset on τ_init. At the time of entering state ⟨l, h⟩, the value of x lies between min_dist(reset(x, h), last(h), h) and max_dist(reset(x, h), last(h), h). We compute min_dist and max_dist using weighted graphs, in a way similar to that used by Modechart [17].
Let the weighted graph of h be ⟨V, E, w⟩, where V is a set of vertices (one vertex v_i for each transition τ_i in h), E is a set of directed edges, and w is an integer weight function on edges such that:
We assign to w(v_i, v_j) the earliest time at which τ_j can happen after τ_i, read directly from the conditions of h. For condition(τ_j), relations with "≥" define w(v_i, v_j), and relations with "≤" define w(v_j, v_i), for i < j. Suppose, for instance, that condition(τ_j) carries two upper bounds c_1 and c_2 on clocks reset at τ_i; then w(v_j, v_i) = max{−c_1, −c_2}, in other words, τ_j happens at most −max{−c_1, −c_2} time units after τ_i. We determine min_dist and max_dist as follows:
. min_dist(τ_i, τ_j, h) is the maximum weight among all path weights from the vertex corresponding to τ_i to the vertex corresponding to τ_j; and
. max_dist(τ_i, τ_j, h) is the absolute value of the maximum weight among all path weights from the vertex corresponding to τ_j to the vertex corresponding to τ_i.
Testing History Validity
Using the weighted graph, we can decide whether a given history is valid by the following theorem.
Theorem 4.1. A history h is valid if and only if the weighted graph of h has no positive cycle.
Proof. The proof is given in the appendix.
Testing Transition Bisimulation
We now show how to compute the function transition-bisimilar(s_1, s_2) used in Fig. 6. Transition bisimulation is a relation on future behaviors, and the future behaviors cannot be enumerated because there are infinitely many of them. We therefore develop a condition under which transition bisimilarity of two states can be decided without examining their futures; the condition is stated in terms of minimum and maximum time distances.
Let τ_1 ≺ τ_2 represent that τ_1 precedes τ_2. Let Max be the largest constant appearing in the conditions of the timed automaton. We partition the clocks in C into three classes according to a history h as follows:
Definition 4.1. For a history h,
1. C_1(h) = {x ∈ C | min_dist(reset(x, h), last(h), h) > Max},
2. C_2(h) = {x ∈ C | min_dist(reset(x, h), last(h), h) ≤ Max and max_dist(reset(x, h), last(h), h) > Max},
3. C_3(h) = {x ∈ C | max_dist(reset(x, h), last(h), h) ≤ Max}.
Definition 4.2. For two states s_1 and s_2, let h_1 = history(s_1) and h_2 = history(s_2), and let
. cond1(s_1, s_2): node(s_1) = node(s_2);
The first condition, cond1(s_1, s_2), means that the two states are associated with the same node. Note that states that come from different nodes are never merged by history equivalence or by transition bisimulation (see the definition of history equivalence in Definition 3.3 and the definition of transition bisimulation in Definition 3.6).
The conditions cond2(s_1, s_2) and cond3(s_1, s_2) relate the time at which each clock was reset to the current time. Obviously, if min_dist(reset(x, h_1), last(h_1), h_1) is greater than Max and min_dist(reset(x, h_2), last(h_2), h_2) is greater than Max, then every enabling condition over x evaluates to the same value in s_1 and s_2. For example, suppose Max = 10 and the enabling condition is x ≤ 10; it evaluates to false in both s_1 and s_2 if their min_dist values are greater than 10. If their minimum distances are not greater than Max, then their minimum time distances must be the same, and their maximum time distances must be either the same or both greater than or equal to Max. Then the value of any atomic formula x ~ k, with ~ being ≤ or ≥, is the same in both states.
The conditions cond2(s_1, s_2) and cond4(s_1, s_2) give the relation between the reset times of every two clocks. Suppose that s_1 and s_2 agree on the distances of x and of y from the current time, so that cond2(s_1, s_2) is true. However, if min_dist(reset(y, h_1), reset(x, h_1), h_1) = 1 and min_dist(reset(y, h_2), reset(x, h_2), h_2) = 2 (i.e., the value of x − y is at least 1 at state s_1 and at least 2 at state s_2), then the enabling condition x ≤ 5 ∧ y ≥ 4 is satisfiable at s_1 but always false at s_2. This is why the third condition is necessary in addition to the second.
Lemma 4.1 states that Bisim_cond is a condition for bisimulation; it is a sufficient condition, not a necessary one. Lemma 4.2 states that the construction algorithm shown in Fig. 6 always terminates.
Proof. The proof is given in the appendix.
Theorem 4.2. The relation {(s_1, s_2) | Bisim_cond(s_1, s_2)} has finitely many equivalence classes.
The total number of states ever put into Unexplored is also finite; thus, the algorithm always terminates. Theorem 4.3 shows that, in the worst case, the size of the timed reachability graph generated using Definition 4.2 is doubly exponential in the number of clocks; this bound is the same as that of the minimal region graph [4].
Theorem 4.3. For a given timed automaton, the number of equivalence classes under Bisim_cond is bounded by O(|L| × Max^{k×k}), where Max is the largest constant appearing in the invariants and enabling conditions and k is the number of clocks.
Proof. It follows directly from the proof of Theorem 4.2.
Example. In the railroad crossing system in Fig. 4, let us consider two states s_1 and s_2 at the same node, and let h_1 = history(s_1) and h_2 = history(s_2). Obviously, the minimum and maximum distances for x are 100 in both h_1 and h_2. The minimum and maximum distances for z are also 100, and the minimum and maximum distances for y are zero because reset(y, h_i) = last(h_i) for i = 1, 2. Thus, cond2(s_1, s_2) is true. Finally, cond3(s_1, s_2) is also true because min_dist(reset(x, h_i), reset(y, h_i), h_i) equals 100 for i = 1, 2, and so on. Thus (s_1, s_2) is in the transition bisimulation, that is, the two states s_1 and s_2 are transition bisimilar. Fig. 7 shows the reachability graph for the railroad crossing system.
Implementation. We have implemented in TREAT, in C++, the algorithm that generates the reachability graph with time relations and the algorithm that composes two timed automata into a global timed automaton. The program is about 2,000 lines of code. The reachability graph shown in Fig. 7 was drawn manually from the reachability information generated automatically by the tool.
Analysis of Properties
For real-time systems, the practical goal is to verify safety properties such as deadlock-freeness, mutual exclusion, and meeting timing constraints. Reachability analysis is used to prove that systems never enter unsafe states; we can verify safety properties using the reachability graphs generated by the algorithm. Absence of Deadlock. If the reachability graph contains a state with no outgoing transitions, we conclude that the system can deadlock or terminate.
General Properties as Timed Automata. In [3], properties given as timed automata are proved as follows:
1. Model the system with timed automata M_1, M_2, ..., M_n; 2. Specify the property as a timed automaton M_s; 3. Construct the reachability graph of the composed timed automaton M_1 || M_2 || ... || M_n || M_s; and 4. Decide whether the system is correct.
APPLICATIONS
We now illustrate the application of our approach with three examples: the railroad crossing control system, Fischer's mutual exclusion protocol, and the active structure control system, and compare the experimental results of TREAT with those of HyTech [15] and Kronos [10], [11].
The experiments were executed on Sun Microsystems 60 MHz SuperSPARC with 256 MB of physical memory. They were executed under the following three limitations:
1. Time limitation: every experiment is performed at most for 24 hours; 2. Memory limitation: memory usage of every experiment is limited to 256 MB; and 3. Tool limitation: each tool may have constraints such as the size of the system given as an input.
If an experiment fails due to the time limitation, the memory limitation, or the tool limitation, it is denoted by fail_time, fail_mem, or fail_tool, respectively.
Railroad Crossing System
The railroad crossing control system is a benchmark example for real-time formal methods. The railroad crossing lies in a region delimited by entry and exit sensors that detect the entry and exit of trains. There are n tracks in the crossing; that is, up to n trains can be approaching, leaving, or in the crossing. The correctness of the railroad crossing control system is given by: whenever a train is in the crossing, the gate is down.
Model. The railroad crossing control system RCC is given in Fig. 8. The system is modified from the one described in Section 2.1 to deal with multiple tracks. The Train process consists of processes Train_i, each modeling the behavior of track i. If RCC has k tracks, then RCC = Train_1 || ... || Train_k || Controller || Gate. For 1 ≤ i ≤ k, Train_i has four nodes; Controller has three nodes and Gate has four nodes. RCC has k + 2 clocks: for 1 ≤ i ≤ k, process Train_i has clock x_i, Controller has clock y, and Gate has clock z. RCC also has a data variable, cnt, that represents the number of trains in the crossing.
Analysis. We now check whether RCC satisfies the safety property. To satisfy the property, Gate must be in node g2 whenever Train_i is in node t2 for some i. If Train_i is in t2 for some i while Gate is in g0, g1, or g3, then the system is unsafe. Thus we can prove the safety property by checking whether such an unsafe state exists in M_alg(RCC) after TREAT generates M_alg(RCC).
Experimental Results. Table 1 shows the experimental results of TREAT, HyTech, and Kronos. With TREAT, the number of states is 12 for one track, 83 for two tracks, and 10,892 for three tracks. For four tracks, TREAT fails due to the time limitation, i.e., it does not generate the minimal labeled transition system within 24 hours. For k = 1, 2, 3, M_alg(RCC) includes no state in which Train_i is in t2 for some i while Gate is in g0, g1, or g3. Thus the railroad crossing control system satisfies the safety property for up to three tracks.
For TREAT and HyTech, the table gives the time taken and the number of states generated during analysis. Since Kronos does not construct the state space but performs symbolic model checking, only its analysis time is given. HyTech provides both forward and backward analysis. The time taken by TREAT and HyTech includes the composition time as well as the analysis time, whereas the time taken by Kronos includes only the analysis time, because Kronos accepts the composed system as input.
With HyTech's forward analysis, HyTech generates 12 regions in 2.69 seconds for one track. With two tracks, HyTech fails due to the time limitation. In fact, HyTech does not terminate, because the regions generated at each iteration are not included in the existing regions. For example, there exists a behavior in which at least one train is always in the crossing: before the train on track 1 leaves the crossing, a train on track 2 enters it, and vice versa. For node ⟨t2, t0, 0, g2⟩, the value of x_1 is always in [300, 500] while z increases at each iteration because z is never reset, so the region newly generated for ⟨t2, t0, 0, g2⟩ is never included in an existing region. As this case shows, one advantage of our approach over forward analysis is that it generates a finite number of states for any given system. HyTech's backward analysis proves the property for up to three tracks, like TREAT. TREAT performs the analysis faster than HyTech for up to two tracks, while HyTech is faster than TREAT for three tracks. Backward analysis does not generate the reachable state space of the system: the states it generates are not those reachable from the initial state but those from which the error state is reached.
Kronos proves the safety property up to five tracks. With six tracks, Kronos fails to compose the system due to a tool limitation: Kronos requires the number of nodes to be less than $2^{16}$ because nodes are represented using the C type "short" (2 bytes), and the number of nodes of the composed system with six tracks exceeds this limit. Kronos gives much better results than TREAT and HyTech in this example, since it does not construct the reachable state space.
Fischer's Mutual Exclusion Protocol
Mutual exclusion arises when a shared resource must be accessed by only one process at a time. In a concurrent system, more than one process may simultaneously try to access the same resource, so the system must provide a mechanism that makes accesses to a critical resource by concurrent processes mutually exclusive. One such technique is a simple timing-based mutual exclusion protocol due to Fischer [20]. In Fischer's protocol, the system MUTEX has several processes, each process $P_i$ executing the algorithm shown in Fig. 9.
Assume that the assignment s := i takes no more than a bounded number of time units. This bound and the delay in Step 2 are the two timing parameters of the algorithm. The algorithm uses a shared variable s. MUTEX violates mutual exclusion if it includes a state in which two processes $P_i$ and $P_j$ are in their critical sections simultaneously. In other words, the correctness requirement is that the system never reaches such a state.
KANG ET AL.: AN EFFICIENT STATE SPACE GENERATION FOR THE ANALYSIS OF REAL-TIME SYSTEMS 465
Fig. 8. Railroad crossing control system.
Model. The shared variable is modeled as a process, since CTSM does not have shared variables. MUTEX is then the parallel composition $P_1 \| P_2 \| \cdots \| P_n$ of the n concurrent processes together with the process that models s. We describe MUTEX for the parameter values (10, 20), that is, the assignment s := i takes at most 10 time units and the delay in Step 2 is 20 time units. The system MUTEX has channels value(j, i), set(0, i), and set(i, i) for $1 \le i, j \le n$, as shown in Fig. 10a. Through event value(j, i), the shared-variable process synchronizes with $P_i$ to inform it that the current value of s is j. Through set(i, i), $P_i$ synchronizes with the shared-variable process to inform it that $P_i$ changes the value of s to i. Action set(0, i) is sent by $P_i$ to the shared-variable process to indicate that $P_i$ changes the value of s to zero.
The shared-variable process consists of (n + 1) nodes representing the values (0, 1, ..., n) of s. It is initially at node 0, where it outputs a signal on channel value(0, i) whenever $P_i$ wants to read the value of s, for $1 \le i \le n$. If it receives a signal on channel set(i, i), it moves to node i. For $1 \le j \le n$, node j represents that the value of s is j. At node j, the process outputs a signal on channel value(j, i) whenever $P_i$ wants to read the value of s, for $1 \le i \le n$. If it receives a signal on channel set(0, i), it returns to the initial node 0. If it receives a signal on channel set(i, i) for $1 \le i \le n$, it moves to node i. Fig. 10b shows the process for n = 2.
For $1 \le i \le n$, process $P_i$ is shown in Fig. 10b. It has a clock $x_i$ to represent its timing constraints. It is initially at node 0. It can move to node 1 at any time if s = 0 (i.e., it receives a signal on channel value(0, i)). At node 1, it sends a signal to the shared-variable process through channel set(i, i) within 10 time units, because the assignment s := i takes at most 10 time units, and moves to node 2. This timing constraint is given by the invariant $x_i \le 10$ of node 1. At node 2, it reads the value of s from the shared-variable process at least 20 time units after entering the node, because of the delay statement. This timing constraint is given by the enabling condition $x_i \ge 20$ on the outgoing transitions from node 2. If it receives a signal on channel value(i, i) (i.e., s = i), it enters its critical section. If it receives a signal on channel value(j, i) for $j \ne i$ (i.e., $s \ne i$), it fails to enter the critical section and returns to the initial node 0.
For MUTEX with the parameter values (10, 10), all processes are the same except that the enabling condition $x_i \ge 20$ on the outgoing transitions from node 2 of $P_i$ is changed to $x_i \ge 10$.
Analysis. We show that MUTEX satisfies mutual exclusion using TREAT. The system violates the mutual exclusion property if and only if the minimal labeled transition system generated for MUTEX includes a state in which two processes $P_i$ and $P_j$ are in their critical sections simultaneously.
Experimental Results. Table 2 shows the experimental results. The results of TREAT for MUTEX are as follows. With the parameter values (10, 20), the number of reachable states is 35, 825, and 3,175 for n = 2, 3, 4, respectively; with (10, 10), it is 61, 1,091, and 18,616 for n = 2, 3, 4, respectively. MUTEX satisfies the mutual exclusion property for (10, 20) but violates it for (10, 10): with (10, 10), states in which two or more processes are in their critical sections are reachable. From these results we recognize that the correctness of the mutual exclusion protocol depends on the values of the two timing parameters. Table 2a shows the results for (10, 20).
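To make the analysis above concrete, the following Python program, added here as an illustration (it is not TREAT and not part of the paper), encodes the processes exactly as described for Fig. 10, with a unit-step discrete-time semantics, and explores the reachable states by breadth-first search, returning the shortest trace to a violating state when one exists. Because it is a discrete abstraction without the history-equivalence and transition-bisimulation minimization, its state counts do not correspond to those in Table 2; what carries over is the verdict (mutual exclusion holds for (10, 20) and fails for (10, 10)) and the counterexample trace. The node names and the encoding of the process identifier written into s as pid = i + 1 are this example's assumptions.

```python
from collections import deque

# Node labels of process P_i, following the description of Fig. 10 above
# (the names are this example's own; the paper numbers the nodes 0, 1, 2 and
# a critical-section node).
IDLE, ASSIGN, DELAY, CRIT = 0, 1, 2, 3


def _update(state, i, node, clock, s):
    """Return a copy of the global state with process i moved to `node`,
    its clock set to `clock`, and the shared variable set to `s`."""
    nodes, clocks, _ = state
    return (nodes[:i] + (node,) + nodes[i + 1:],
            clocks[:i] + (clock,) + clocks[i + 1:],
            s)


def successors(state, n, assign_bound, delay):
    """Discrete-time successors of a global state (nodes, clocks, s).

    Clocks only matter while a process is assigning or delaying, so idle and
    critical processes keep clock 0, and values above max(assign_bound, delay)
    are indistinguishable by every guard and are capped there."""
    nodes, clocks, s = state
    cap = max(assign_bound, delay)
    out = []
    for i in range(n):
        node, clock = nodes[i], clocks[i]
        pid = i + 1                               # the identifier P_i writes into s
        if node == IDLE and s == 0:               # read s = 0 (channel value(0, i)), reset x_i
            out.append(_update(state, i, ASSIGN, 0, s))
        elif node == ASSIGN:                      # finish s := i (channel set(i, i)), reset x_i
            out.append(_update(state, i, DELAY, 0, pid))
        elif node == DELAY and clock >= delay:    # enabling condition x_i >= delay
            target = CRIT if s == pid else IDLE   # value(i, i) enters, value(j, i) gives up
            out.append(_update(state, i, target, 0, s))
        elif node == CRIT:                        # leave the critical section: s := 0
            out.append(_update(state, i, IDLE, 0, 0))
    # One time unit passes unless some invariant x_i <= assign_bound at node 1
    # forces that assignment to complete first.
    if all(not (node == ASSIGN and clock >= assign_bound)
           for node, clock in zip(nodes, clocks)):
        ticked = tuple(min(clock + 1, cap) if node in (ASSIGN, DELAY) else 0
                       for node, clock in zip(nodes, clocks))
        out.append((nodes, ticked, s))
    return out


def check_mutex(n, assign_bound, delay):
    """Breadth-first reachability from the initial state.

    Returns (states_visited, trace): trace is None if mutual exclusion holds,
    otherwise the shortest path to a state with two processes in CRIT."""
    init = ((IDLE,) * n, (0,) * n, 0)
    parent = {init: None}
    queue = deque([init])
    while queue:
        state = queue.popleft()
        if sum(node == CRIT for node in state[0]) >= 2:
            trace = []
            while state is not None:
                trace.append(state)
                state = parent[state]
            return len(parent), trace[::-1]
        for nxt in successors(state, n, assign_bound, delay):
            if nxt not in parent:
                parent[nxt] = state
                queue.append(nxt)
    return len(parent), None


if __name__ == "__main__":
    for n in (2, 3):
        for params in ((10, 20), (10, 10)):
            visited, trace = check_mutex(n, *params)
            verdict = "holds" if trace is None else "violated after %d steps" % (len(trace) - 1)
            print("n=%d, (assignment bound, delay)=%s: %d states visited, mutual exclusion %s"
                  % (n, params, visited, verdict))
```

The violating trace for (10, 10) is the boundary case the protocol cannot tolerate: one process finishes s := i immediately and re-reads s exactly 10 time units later, while another process that read s = 0 at the same instant is still permitted to complete its own assignment at that same instant, so both eventually read their own identifier.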
Compared to HyTech's forward analysis, TREAT successfully performs the analysis up to four processes, while HyTech fails due to the time limitation for four processes with (10, 10). For (10, 20), HyTech generates fewer states than TREAT with two or three processes; with four processes, however, HyTech generates 4,769 states and TREAT 3,174. For (10, 10), HyTech generates fewer states than TREAT with two processes, but with three processes HyTech explores 1,974 states while TREAT generates 1,091.
HyTech's backward analysis proves the property up to five processes. Consider the system with n = 4 and (10, 10): TREAT generates 18,616 states reachable from the initial state, whereas HyTech generates 2,849 states from which the error states, in which mutual exclusion is violated, can be reached.
Kronos gives the correctness result much faster than TREAT and HyTech and analyzes up to five processes, because it does not generate the state space but performs symbolic model checking.
Active Structure Control System
Elseaidy, Cleaveland, and Baugh [12] present an active structure control system (ASC) which monitors the state of a structure (e.g., accelerations and displacements) and applies forces to counter its external excitation. The system contains three major components: a sensor, which monitors the state of the structure; an actuator, which applies forces to the structure; and a control process, which feeds the data provided by the sensor to a control algorithm that calculates the appropriate forces for the actuator to apply. The result in [25] shows that the system performs satisfactorily if the time between pulses is bounded below by one eighth and above by one half of the natural period of the structure; for the natural period of 290 msec considered here, the correctness requirement is therefore that the time between successive pulse applications lies in [37, 145].
Model. The system ASC consists of three components, Sensor, Actuator, and Controller, which are described in Fig. 11. Events $\tau_S$, $\tau_A$, and $\tau_C$ represent internal actions of Sensor, Actuator, and Controller, respectively. There are two channels, sensor_controller and controller_actuator: Sensor sends a message to Controller via channel sensor_controller, and Controller sends a message to Actuator via channel controller_actuator.
Sensor has a clock $x_1$ to represent its timing constraints. Sensor collects data for 50 to 55 time units at node 1 and then sends the data to Controller. To send the data, Sensor first prepares the communication for 10 time units at node 2, waits for synchronization with Controller using action sensor_controller at node 3, and sends the data to Controller for five time units at node 4.
Actuator has a clock $x_4$ to represent its timing constraints. Actuator receives a message from Controller via channel controller_actuator.
Controller has two clocks, $x_2$ and $x_3$. Clock $x_2$ represents the time elapsed in each node, and clock $x_3$ holds the total time elapsed since the previous pulse application. Controller also has a Boolean variable first, which is true at the first iteration and then becomes false. Controller repeatedly gets data from Sensor and, if enough time has elapsed since the previous pulse application, calculates the appropriate pulse magnitude and sends it to Actuator. In detail, to get the data from Sensor, Controller first prepares the communication for 10 time units at node 1, waits for synchronization with Sensor using action sensor_controller at node 2, and receives the data for five time units at node 3. After the communication, it moves to node 4. At node 4, there are three cases: 1) if there has been no previous pulse application (i.e., first is true), Controller moves to node 6; 2) if enough time has elapsed (i.e., $x_3 \ge 135$), Controller also moves to node 6; and 3) otherwise, it moves to node 5. At node 5, Controller waits for 20 to 25 time units and then returns to the initial node 1. At node 6, Controller calculates the pulse magnitude for 40 to 45 time units. To send it to Actuator, Controller prepares the communication for 10 time units at node 7, waits for synchronization with Actuator using action controller_actuator at node 8, sends the magnitude to Actuator for five time units at node 9, and returns to the initial node 1.
Fig. 11. Timed automata for active structure control system.
Analysis. One of the correctness properties for the system is a bounded response time property: the time between successive pulse applications must be in the range [37, 145].
To check this timing requirement, we add a monitoring process Mon that goes to an error state whenever the time between successive pulses is less than 37 or greater than 145, as shown in Fig. 12.
Experimental Results. TREAT constructs the composed CTSM process ASC || Mon. The composed process has 360 nodes, 767 transitions, and five clocks: $x_1$, $x_2$, $x_3$, $x_4$, and $y$. Table 3 shows the experimental results for the system. The first row shows the result for the requirement that the time between successive pulse applications is in the range [37, 145]. TREAT outputs a labeled transition system with 133 states, which takes 3.1 seconds. The labeled transition system contains no error state, so we conclude that the system satisfies the timing requirement. As a comparison, Elseaidy, Cleaveland, and Baugh [12] report a reachability graph with 3,174 states, computed in 171 seconds on a Sparc 2. TREAT thus reduces the state space by a factor of about 24 (133 versus 3,174 states), because it minimizes the time state space.
Compared to TREAT, HyTech's forward analysis explores fewer states but takes more time. HyTech's backward analysis fails due to memory overflow. Kronos takes 4.8 hours. This shows that symbolic model checking is not always faster than the state space exploration approach.
The second row gives the result for the time range [37, 125]. TREAT outputs a labeled transition system with 142 states, which takes 3.3 seconds. This labeled transition system includes error states, and thus the system violates the timing requirement for the range [37, 125].
Summary
We summarize the experimental results as follows.
TREAT gave better performance than HyTech's forward analysis except for the active structure control system: it generated a smaller state space than HyTech and ran faster than HyTech for the railroad crossing control system and Fischer's mutual exclusion protocol. Moreover, TREAT successfully analyzed the railroad crossing system for two and three tracks and Fischer's mutual exclusion protocol for n = 4 with (10, 10), where HyTech failed.
HyTech's backward analysis gave better performance than TREAT for the railroad crossing control system and Fischer's mutual exclusion protocol. However, it failed to analyze the active structure control system, which TREAT analyzed within several seconds.
Kronos does not generate the state space but performs symbolic model checking, and it showed better performance than TREAT and HyTech for most of the experiments. To our surprise, the active structure control system disproves the popular belief that symbolic model checking always outperforms state space exploration: Kronos takes 4.8 hours for the analysis while TREAT takes just 3.1 seconds. Through these experiments we also observed that it is hard to debug a system description with Kronos when the description contains errors, because Kronos outputs neither the explored states nor erroneous traces. For the railroad crossing control system with six tracks, Kronos fails to compose the system due to a tool limitation: Kronos requires the number of nodes, the number of transitions, and the largest constant to be less than $2^{16}$ because they are represented using the C type "short" (2 bytes).
One lesson from these experiments is that no analysis approach always performs better than the others; it would therefore be advantageous to incorporate several analysis approaches into TREAT.
RELATED WORK
We briefly overview other work on reachability analysis for real-time systems. In real-time systems, a state can be unreachable due to timing constraints. Although timing constraints are expressed differently in different models, the property that time increases uniformly and unboundedly is common to all of them. The domain of time is either discrete or dense. Many real-time models [27], [24], [17] follow discrete time semantics, since discrete time is easier to handle and analyze. For real-time systems with dense time, little work has been done on timed reachability analysis; the most successful method for dense time is that of Alur et al. [2].
In Communicating Real-time State Machines (CRSMs) [27], a system consists of a set of CRSMs connected by one-to-one communication channels. CRSMs use the set of integers to represent time. Each CRSM has a finite set of data variables, control locations, and transitions. A transition consists of an enabling condition, an action, a transformation function, and lower and upper time bounds. For a transition with time bounds [l, u], the system can execute the action of the transition at least l and at most u time units after the transition is enabled. The behaviors of the global system are time-stamped traces of actions. Raju [26] gives a method to generate a reachability graph representing these behaviors. In the reachability graph, a node consists of the current location of each CRSM, the variable valuation, and the time spent by each CRSM in its current location. An edge is labeled with the set of actions executed and the time gap between the nodes. The domain of each variable is restricted to be finite, so the number of possible variable valuations is finite. The time spent by each CRSM in its current location, which labels a node, can take only finitely many distinct values (one more than the largest upper bound of any transition). Since time is given by the set of integers, the reachability graph is always finite. This approach is based on discrete time, so each state can be represented by the time spent by each CRSM in its current location. Under dense time semantics, however, recording the time spent in the current location in a state yields infinitely many states. In our approach, each minimized state is represented by relative time intervals between clocks, so finitely many states exist even under dense time semantics.
Timed Transition Models (TTMs) [24] also use discrete time. Time is modeled by an external, conceptual global clock which ticks infinitely often. A system has a set of TTMs, each consisting of locations and transitions. Transitions have enabling conditions, transformation functions, and lower and upper time bounds, similarly to CRSMs. In the reachability graph, a node consists of the currently possible transitions as well as the current variable valuation; the possible transitions are decorated with their current time bounds. Each edge represents either a TTM transition or a tick transition, which represents the passage of one time unit. With a tick transition, the current time bounds decorating the transitions are decreased by one, down to zero. As long as a TTM has finitely many valuations, the reachability graph is finite. We note that an edge represents at most one time unit of passage in a TTM, whereas an edge may represent several time units in a CRSM.
Modechart [16] is a graphical specification language for real-time systems which allows a user to describe a system in a hierarchical and modular way. A Modechart specification consists of modes that run in parallel or sequentially. There are three kinds of modes: primitive modes, serial modes, and parallel modes. A primitive mode contains an action with lower and upper time bounds. In Modechart, an event is an instantaneous change such as the start of an action, the end of an action, the start of a mode, or the end of a mode. A serial mode has several modes connected by transitions, which are labeled with either events or lower and upper time bounds. A parallel mode includes a set of modes running simultaneously. Reachability analysis for Modechart is described in [17]. In its reachability graph, each node represents an event occurrence, and each edge represents the causality that the target node can happen as the result of the event of the source node and the passage of time. The timing relation between nodes is computed using the time bounds of actions and transitions, and is used to compute the reachability of nodes. The resulting graph is finite because there are finitely many distinguishable nodes and timing relations. The distance equivalence relation (deq) used to distinguish nodes is computed over a weighted graph, like the bisimulation condition of Definition 4.2. The difference is that deq compares the distances between a node and its parent, whereas our condition compares the distances between a node and all of its predecessors that reset clocks, because clocks can be reset at any time and compared in any enabling condition. The timed automata used in this paper have dense time semantics, unlike CRSMs, TTMs, and Modechart. Because there can be an arbitrary number of clock variables and transitions can reset any subset of them, the time-dependent behaviors of a real-time system can be expressed more precisely.
Alur et al. [2] propose region graphs as reachability graphs. A region consists of a location and a set of equivalent clock valuations. Two valuations are equivalent if the integral parts of each clock are the same and the orderings of the fractional parts of all clocks are the same. Equivalent valuations have the same reachability. The region graph has size exponential in the number of clocks and in the size of the constants that appear in the enabling conditions of the transitions [2]. Because the region graph is too fine-grained, more valuations with the same reachability are equated in [4], [29]. Their algorithms, called minimization, partition the whole state space until every block of the partition contains only bisimilar states. Compared to our approach, a node in these minimal region graph approaches includes the states that have the same immediately enabled transitions, whereas our approach minimizes based on traces, so a node is a collection of states that have the same transitions enabled immediately or in the future.
One approach to generating the reachable state space of timed automata is forward and backward analysis [14], [5]. If the reachability problem is posed as "Can the system reach a state in region f from a state in region i?", it is solved by fixed-point methods: forward and backward fixed-point computations [21]. The forward (backward) fixed-point procedure starts with region i (region f) and repeatedly adds the states that can be reached from (that can reach) the states already collected. The procedure terminates when at some stage the collected set intersects region f (region i), or when no new states can be added. The procedure may not terminate at all; our approach, by contrast, always terminates. This verification method is implemented in Kronos [10], [11] and HyTech [15]. In this approach, the regions are constructed independently of the property being verified.
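Both the railroad crossing discussion above (the region generated for a node keeps growing because z is never reset) and the fixed-point description in this paragraph concern forward reachability that fails to terminate. The following Python program, added here as an illustration and not part of the paper or of TREAT, HyTech, or Kronos, runs a zone-based forward fixed point over difference bound matrices (DBMs) on a constructed two-clock automaton with the same shape as that behavior: a single location whose self-loop is taken when 300 ≤ x ≤ 500 and resets x, while z is never reset. Without extrapolation the successive zones z − x ∈ [300m, 500m] are never included in earlier ones and the iteration runs until the step limit; with the standard k-extrapolation (k = 500, the largest constant in a guard) bounds beyond k are forgotten and the fixed point is reached after three zones. The DBM keeps only closed (≤) bounds, which suffices for the integer, diagonal-free guards used here; the automaton, constants, and names are this example's assumptions.

```python
INF = float("inf")
X, Z = 1, 2          # clock indices; index 0 is the constant clock that is always 0


class DBM:
    """Difference bound matrix over clocks 1..n plus the constant clock 0.
    d[i][j] = c encodes x_i - x_j <= c (closed bounds only; INF means no bound).
    A fresh DBM is the zone in which every clock equals 0."""

    def __init__(self, n, d=None):
        self.n = n
        self.d = d if d is not None else [[0] * (n + 1) for _ in range(n + 1)]

    def copy(self):
        return DBM(self.n, [row[:] for row in self.d])

    def canonicalize(self):
        """Floyd-Warshall: tighten every entry to the strongest implied bound."""
        m, d = self.n + 1, self.d
        for k in range(m):
            for i in range(m):
                for j in range(m):
                    if d[i][k] + d[k][j] < d[i][j]:
                        d[i][j] = d[i][k] + d[k][j]
        return self

    def is_empty(self):
        """A negative cycle (d[i][i] < 0) means the constraints are unsatisfiable."""
        return any(self.d[i][i] < 0 for i in range(self.n + 1))

    def up(self):
        """Let time elapse: drop every upper bound x_i <= c (canonical form is kept)."""
        for i in range(1, self.n + 1):
            self.d[i][0] = INF
        return self

    def constrain(self, i, j, c):
        """Intersect with x_i - x_j <= c; (i, 0, c) is x_i <= c and (0, i, -c) is x_i >= c."""
        self.d[i][j] = min(self.d[i][j], c)
        return self.canonicalize()

    def reset(self, i):
        """x_i := 0, i.e. x_i inherits every bound of the constant clock 0."""
        for j in range(self.n + 1):
            self.d[i][j] = self.d[0][j]
            self.d[j][i] = self.d[j][0]
        self.d[i][i] = 0
        return self

    def normalize(self, k):
        """k-extrapolation: bounds beyond the largest guard constant k are forgotten
        (> k becomes INF, < -k becomes -k), so only finitely many zones can arise."""
        for i in range(self.n + 1):
            for j in range(self.n + 1):
                if i != j and self.d[i][j] > k:
                    self.d[i][j] = INF
                elif i != j and self.d[i][j] < -k:
                    self.d[i][j] = -k
        return self.canonicalize()

    def includes(self, other):
        """Zone inclusion, valid because both matrices are canonical."""
        return all(self.d[i][j] >= other.d[i][j]
                   for i in range(self.n + 1) for j in range(self.n + 1))


def forward_reach(edges, n_clocks, init_loc, k=None, max_pops=200):
    """Forward fixed point over (location, zone) pairs.

    edges maps a location to a list of (guards, resets, target), where guards
    is a list of (i, j, c) meaning x_i - x_j <= c.  Returns the number of zones
    stored once the fixed point is reached, or None if it is not reached within
    max_pops iterations (the forward procedure that never terminates)."""
    waiting = [(init_loc, DBM(n_clocks).up())]
    passed = {}
    pops = 0
    while waiting:
        if pops >= max_pops:
            return None
        pops += 1
        loc, zone = waiting.pop(0)
        if any(old.includes(zone) for old in passed.get(loc, [])):
            continue
        passed.setdefault(loc, []).append(zone)
        for guards, resets, target in edges.get(loc, []):
            succ = zone.copy()
            for i, j, c in guards:
                succ.constrain(i, j, c)
            if succ.is_empty():
                continue
            for r in resets:
                succ.reset(r)
            succ.up()
            if k is not None:
                succ.normalize(k)
            waiting.append((target, succ))
    return sum(len(zones) for zones in passed.values())


# Constructed automaton for this example (not the paper's railroad model): one
# location, one self-loop taken when 300 <= x <= 500, resetting x but never z.
LOOP = {"L0": [([(X, 0, 500), (0, X, -300)], [X], "L0")]}

if __name__ == "__main__":
    print("without extrapolation:", forward_reach(LOOP, 2, "L0", k=None, max_pops=50))
    print("with k=500 extrapolation:", forward_reach(LOOP, 2, "L0", k=500))
```

The three zones stored with extrapolation are x = z ≥ 0 (initial), z − x ∈ [300, 500] with x ≥ 0, and z − x ≥ 500 with x ≥ 0; the fourth zone computed is again z − x ≥ 800, which extrapolation collapses into the third. Extrapolation is sound only for the reachability question (it over-approximates the exact zones but not the set of reachable locations), which is why the text above can state that forward fixed points are computed independently of the property and that TREAT's minimization instead retains the exact relative intervals between clocks.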
To reduce the state space of timed automata, Yi et al. [30], [21] present a symbolic technique that partitions the set of clock valuations according to the particular property to be verified. More clock valuations can be equated because the approach separates valuations only if they affect the satisfaction of the given property differently. This approach is implemented in Uppaal [7]. In [28], Sokolsky and Smolka also present a symbolic technique that explores only the portion of the state space necessary to determine the truth of the given property. If a real-time system is represented as the composition of a collection of timed automata, the global automaton is constructed on-the-fly.
CONCLUSION
We have presented an algorithm to cope with the state explosion problem in generating the state space of a timed automaton. Our algorithm clusters sets of states that are equivalent under the notions of history equivalence and transition bisimulation. To show the usefulness of the resulting reachability graph, we have presented our experimental results for the railroad crossing example, the mutual exclusion protocol, and the active structure control system.
Although the reachability graph presented in this paper is similar to the computation graph of Modechart [17], there are several differences: 1) the underlying time domain of the computation graph is discrete in Modechart; 2) the timing constraints in a Modechart specification are much simpler than those in a timed automaton.
We have developed a data space minimization algorithm with respect to bisimulation for states with arbitrary data variables [19] . We plan to integrate the data space minimization algorithm and the reachability graph construction algorithm presented in this paper. At the same time, we will optimize our implementation to give better results.
The work is part of our research in developing effective tools based on state space exploration [9] . We are also currently investigating other properties such as time bounds between events that can be checked directly from the reachability graph generated by our algorithm.
APPENDIX PROOFS OF THEOREMS AND LEMMAS
Lemma 4.1. L1. If h is valid, then for an edge $(v_1, v_2)$ in h, $t_1 + w(v_1, v_2) \le t_2$, where $t_1$ and $t_2$ are the execution times of the transitions $\tau_1$ and $\tau_2$ corresponding to $v_1$ and $v_2$, respectively.
Proof. If $\tau_1$ precedes $\tau_2$ in h, then $w(v_1, v_2) \ge 0$, and for some clock x, x is reset on transition $\tau_1$ and $x \ge w(v_1, v_2)$ is in $\mathit{Cond}_2$ by the definition of h. The value of x at $t_2$ is $t_2 - t_1$. At $t_2$, $\mathit{Cond}_2$ must be true to execute $\tau_2$. Thus, $t_2 - t_1 \ge w(v_1, v_2)$, that is, $t_1 + w(v_1, v_2) \le t_2$. Similarly, if $\tau_2$ precedes $\tau_1$ in h, then $w(v_1, v_2) \le 0$, and for some clock x, x is reset on transition $\tau_2$ and $x \le -w(v_1, v_2)$ is in $\mathit{Cond}_1$. The value of x at $t_1$ is $t_1 - t_2$. At $t_1$, $\mathit{Cond}_1$ must be true to execute $\tau_1$. Thus, $t_1 - t_2 \le -w(v_1, v_2)$, that is, $t_1 + w(v_1, v_2) \le t_2$.
Proof. We first show that if h is valid, then h has no positive cycle, and then show that if h has no positive cycle, then h is valid.
1. If h is valid, then h has no positive cycle. Suppose that h is valid and h has a positive cycle. 
