Quasi-equal clock reduction for networks of timed automata replaces equivalence classes of clocks which are equal except for unstable phases, i.e., points in time where these clocks differ on their valuation, by a single representative clock. An existing approach yields significant reductions of the overall verification time but is limited to so-called well-formed networks and local queries, i.e., queries which refer to a single timed automaton only. In this work we present two new transformations. The first, for networks of timed automata, summarises unstable phases without losing information under weaker well-formedness assumptions than needed by the existing approach. The second, for queries, now supports the full query language of Uppaal. We demonstrate that the cost of verifying non-local properties is much lower in transformed networks than in their original counterparts with quasi-equal clocks.
Herrera, Westphal, Podelski
Introduction
Real-time systems often use distributed architectures and communication protocols to exchange data in real-time. Examples of such protocols are the classes of TDMA-based protocols [1] and EPL-based protocols [2].
Real-time systems can be modelled and verified by using networks of timed automata [3]. In [4] a technique is presented that reduces the number of clocks modelling the local timing behaviour and synchronisation activity of distributed components, in order to reduce the verification runtime of properties in networks of timed automata that fulfil a set of syntactical criteria called well-formedness. In systems implementing, e.g., TDMA or EPL protocols, this technique eliminates the unnecessary verification overhead caused by the interleaving semantics of timed automata, where the automata reset their clocks one by one at the end of each communication phase. This interleaving induces sets of reachable intermediate configurations which grow exponentially in the number of components in the system. Model checking tools like Uppaal [5] explore these configurations even when they are irrelevant for the property being verified. This exploration unnecessarily increases the overall memory consumption and verification runtime of the property.
The notion of quasi-equal clocks was presented in [4] to characterise clocks that evolve at the same rate and whose valuation only differs in unstable phases, i.e., points in time where these clocks are reset one by one. Sets of quasi-equal clocks induce equivalence classes in networks of timed automata.
Related Work. The methods in [7-9] eliminate clocks by using static analysis over single timed automata, networks of timed automata and parametric timed automata, respectively. The approaches in [7, 8] reduce the number of clocks in timed automata by detecting equal and active clocks. Two clocks are equal in a location if both are reset by the same incoming edge, so just one clock for each set of equal clocks is necessary to determine the future behaviour of the system. A clock is active at a certain location if this clock appears in the invariant of that location, or in the guard of an outgoing edge of such a location, or another active clock takes its value when taking an outgoing edge. Non-active clocks play no role in the future evolution of the system and therefore can be eliminated. In [9] the same principle of active clocks is used in parametric timed automata. Our benchmarks use at most one clock per component which is always active, hence the equal and active approach is not applicable to them.
The work in [10, 11] uses observers, i.e., single components encoding properties of a system, to reduce clocks in systems. For each location of the observer, the technique can deactivate clocks if they do not play a role in the future evolution of this observer. Processing our benchmarks in order to encode properties as per the observers approach may be more expensive than our method (one observer per property), and may not guarantee the preservation of information from intermediate configurations which in the case of our EPL benchmark is needed. In general using observers to characterise non-local queries is not straightforward.
In sequential timed automata [12], one set of quasi-equal clocks is syntactically declared. Those quasi-equal clocks are implicitly reduced by applying the sequential composition operator. The work in [13] avoids the use of shared clocks in single timed automata by replacing shared clocks with fresh ones if the evolution of these automata does not depend on these clocks. This approach increases the number of clocks (in contrast to ours). Our benchmarks do not use shared clocks. The approach in [14] detects quasi-equal clocks in networks of timed automata. Interestingly, the authors demonstrate the feasibility of their approach on benchmarks that we also use in this paper.
Preliminaries
Following the presentation in [15], we recall the following definitions.
Let X be a set of clocks. The set Φ(X ) of simple clock constraints over X is defined by the grammar ϕ :
, and conjunctions of clock and integer constraints. We use clocks(ϕ) and vars(ϕ) to respectively denote the set of clocks and variables occurring in a constraint ϕ. We assume the canonical satisfaction relation "|=" between valuations $\nu : X \cup V \to Time \cup \mathbb{Z}$ and constraints, with $Time = \mathbb{R}_{\ge 0}$. A timed automaton A is a tuple $(L, B, X, V, I, E, \ell_{ini})$, which consists of a finite set of locations L, where $\ell_{ini} \in L$ is the initial location, a finite set B of actions comprising the internal action τ, finite sets X and V of clocks and variables, a mapping $I : L \to \Phi(X)$ that assigns to each location a clock constraint, and a set of
An edge $e = (\ell, \alpha, \varphi, \vec{r}, \ell') \in E$ from location ℓ to ℓ′ involves an action α ∈ B, a guard ϕ ∈ Φ(X, V), and a reset vector $\vec{r} \in R(X, V)$. A reset vector is a finite, possibly empty sequence of clock resets x := 0, x ∈ X, and assignments $v := \psi_{int}$, where v ∈ V and $\psi_{int}$ is an integer expression over V. We write X(A), $\ell_{ini}(A)$, etc., to denote the set of clocks, the initial location, etc., of A; clocks($\vec{r}$) and vars($\vec{r}$) to denote the sets of clocks and variables occurring in $\vec{r}$, respectively. We use β(e) to denote the set of basic elements (locations, reset vector, etc.) of an edge e ∈ E(A). We use the following operation of complementation on actions $\bar{\cdot}$, which is defined by $\overline{\alpha!} = \alpha?$, $\overline{\alpha?} = \alpha!$ and $\bar{\tau} = \tau$. A network N (of timed automata) consists of a finite set $A_1, \ldots, A_N$ of timed automata with pairwise disjoint sets of clocks and pairwise disjoint sets of locations and a set B(N)
The operational semantics of the network N is the labelled transition system
We write $\ell_{s,i}$, 1 ≤ i ≤ N, to denote the location which automaton $A_i$ assumes in configuration $s = \langle \ell_s, \nu_s \rangle$ and $\nu_{s,i}$ to denote $\nu_s|_{V(A_i) \cup X(A_i)}$. Between two configurations s, s′ ∈ Conf(N) there can be four kinds of transitions. There is a delay transition $\langle \ell_s, \nu_s \rangle$
Sequence σ is called a computation of N if and only if it is infinite and $s_0 \in C_{ini}$. We denote the set of all computations of N by Π(N). A configuration s is called reachable (in T(N)) if and only if there exists a computation σ ∈ Π(N) such that s occurs in σ.
The set of basic formulae over N is given by the grammar $\beta ::= \ell \mid \neg\ell \mid \varphi$ where $\ell \in L(A_i)$, 1 ≤ i ≤ n, and ϕ ∈ Φ(X(N), V(N)). Basic formula β is satisfied by configuration s ∈ Conf(N) if and only if $\ell_{s,i} = \ell$, $\ell_{s,i} \neq \ell$, or $\nu_s \models \varphi$, resp. A reachability query EPF over N is ∃♦ CF where CF is a configuration formula over N, i.e., any logical connection of basic formulae. We use β(CF) to denote the set of basic formulae in CF. N satisfies ∃♦ CF, denoted by N |= ∃♦ CF, if and only if there is a configuration s reachable in T(N) s.t. s |= CF.
We recall from [4] the following definitions. Given a network N with clocks X, two clocks x, y ∈ X are called quasi-equal, denoted by x ≃ y, if and only if for all computation paths of N the valuations of x and y are equal, or the valuation of one of them is equal to 0, i.e., if $\forall s_0$
In the following, we use $EC_N$ to denote the set $\{Y \in X/\!\simeq \ \mid 1 < |Y|\}$ of equivalence classes of quasi-equal clocks of N with at least two elements. For each $Y \in X/\!\simeq$, we assume a designated representative denoted by rep(Y). For x ∈ Y, we use rep(x) to denote rep(Y). Given a constraint ϕ ∈ Φ(X, V), we write Γ(ϕ) to denote the constraint that is obtained by syntactically replacing each occurrence of a clock x ∈ X in ϕ by the representative rep(x). Given an automaton A ∈ N, a set of clocks X ⊆ X(A), and a set of variables V ⊆ V(A), we use $SE_X(A)$ to denote the set of simple resetting edges of A which reset clocks from X, have action τ, no variables occur in their guards, and do not update any variables, i.e., SE
to denote the set of complex resetting edges of A which reset clocks from X and have an action different from τ or update some variables, i.e., CE
We use $LS_X(A)$ and $LC_X(A)$ to respectively denote the set of locations (source and destination) of simple and complex resetting edges wrt. X of A. We use $E_X(A) = SE_X(A) \cup CE_X(A)$ to denote the set of resetting edges of A which reset clocks from X, and $RES_X(N)$ to denote the set of automata in N which have a resetting edge, i.e., RES
We use $SC^Y_N$ to denote the set of all configurations that are stable wrt. Y and $SC_N$ to denote the set $\bigcap_{Y \in EC_N} SC^Y_N$ of globally stable configurations of N. Configurations not in $SC_N$ are called unstable. An edge e of a timed automaton A in network N is called delayed if and only if time must pass before e can be taken, i.e., if $\forall s_0$
is justified by the set of edges $E_i$; $E_i$ is empty for delay transitions, i.e., if $\lambda_i \in Time$. We say $EC_N$-reset edges are pre/post delayed in network N if and only if all edges originating in reset or reset successor locations are delayed, i.e.,
[Figure 1 (residue): network $N_1$; automaton $A_1$ with invariants x ≤ 59 and x ≤ 60, an edge guarded by x ≥ 50 with update closed := 0, and an edge guarded by x ≥ 60 with reset x := 0 and an update of closed]
Reducing Clocks in Networks of Timed Automata
Consider the following motivating example of a distributed chemical plant controller. At the end of every minute, the controller fills two containers with gas, one for at most 10 seconds and the other for at most 20 seconds. Figure 1 shows a model of this system in the form of the network $N_1$, which is composed of automata $A_1$ and $A_2$ with respective clocks x and y. Additionally, automaton $A_1$ has the boolean variable closed that is set to true, i.e., closed := 1, when $A_1$ has filled its container. Both automata start in a waiting phase at the point in time 0, and after filling the containers they wait for the next round. Both clocks x and y, together with the variable closed, are respectively reset and updated at the point in time 60. Yet, in the strict interleaving semantics of networks of timed automata, these resets occur one after the other.
According to the definition of quasi-equal clocks, clocks x and y are quasi-equal because their valuations only differ from each other when they are reset at the point in time 60. Now consider verifying in $N_1$ whether the container of automaton $A_1$ is closed before automaton $A_2$ resets its clock. A query that states this property is ∃♦ φ with configuration formula φ : closed = 1 ∧ y ≥ 60. Clearly, in $N_1$ this query is satisfied only when clocks x and y have different valuations, i.e., in unstable configurations. Property ∃♦ φ cannot be treated by the approach in [4] since that approach supports only local queries, i.e., queries which refer to properties of at most one automaton. The approach in [4] completely eliminates all unstable configurations, those where quasi-equal clocks have different valuations, since no alternative representation of them was proposed for transformed models. Furthermore, $N_1$ does not satisfy the well-formedness criteria of [4] because the resetting edge also assigns a variable.
Transformational Reduction of Quasi-equal Clocks
In the following we present an algorithm which reduces a given set of quasi-equal clocks in networks of timed automata and preserves all possible queries. For simplicity, we impose a set of syntactical criteria called well-formedness rules over networks of timed automata. (R1) An edge resets at most one clock x ∈ Y; in the constraint (guard) of this edge there is a clause of the form $x \ge C_Y$, and the source location of that edge has an invariant
(R2) Resetting edges do not coincide on source locations.
(R3) For pairs of edges that synchronise on some channel a ∈ B(N ), either all edges reset a clock from Y , or none of these edges resets a clock from Y , or the output a! is in one edge resetting a clock from Y , and the inputs a? are in the edges of automata which do not reset clocks from Y , i.e.,
(R4) At most one clock from Y occurs in the guard of any edge, i.e.,
The transformation algorithm presented here, which was developed in order to support all queries and in particular those interested in unstable configurations, allows us to easily relax the syntactical restrictions presented in [4]. The relaxations made in this work are the following. By restriction R1, looped edges and edges from initial locations can now reset clocks from $Y \in EC_N$ as well as update variables, and we now allow the guard of such edges to conjoin integer constraints over variables. By R2 we now allow more edges from a reset location (but still only one resetting edge from it). By R3, we now allow a resetting edge to have a limited but still useful synchronisation. The new well-formedness criteria are less restrictive than they look at first sight. They allow us to extend the applicability of our new approach by treating three new case studies. Note that the network in Figure 1 satisfies the new well-formedness criteria.
In the following we describe the transformation algorithm K. It works with two given inputs, a well-formed network N and a set of equivalence classes
The automata $A'_i$ are obtained by applying repeatedly (in any order) the algorithm $K_0$ to $A_i$ for each equivalence class in $EC_N$, i.e.,
[Figure residue: automaton A2 with locations wait and fill and invariants x ≤ 60]
It initializes the variable $rst^I_Y$ to $iL_Y := |\{A \in N \mid \ell_{ini,A} \in RL_Y(N)\}|$, i.e., the number of automata whose initial location is a reset location of Y, and $rst^O_Y$ to $n_Y := |RES_Y(N)|$, i.e., the number of automata that reset the clocks of Y. There are two locations with the invariants $I(\ell_{ini,R_Y}) = true$ and $I(\ell_{nst,Y}) = rep(Y) \le 0$. The set of edges E consists of
where $C_Y$ is the time at which the clocks in Y are reset (cf. R1).
Example 1. Applying K to $N_1$ from Figure 1 yields network $N'_1$ (cf. Figure 2). Similar to the algorithm in [4], only the representative clock of each equivalence class remains. All guards and invariants with quasi-equal clocks are re-written to refer to the representative clock, and the reset operation is delegated to the resetter. The variable $rst^I_Y$ together with well-formedness enforces a blocking multicast synchronisation between the resetter and the automata in $RES_Y(N)$.
In order to support non-local queries, and in particular queries for possibly overlapping unstable configurations, the approach presented here introduces one resetter per equivalence class with two locations each. The location $\ell_{nst,Y}$ represents all unstable configurations wrt. Y. To support complex edges, and thus non-trivial behaviour during unstable phases, complex edges are basically split into two. The first one synchronises with the resetter and the second one carries out the actions of the original complex edge. As long as the second edge has not been taken, the system is unstable. The variable $rst^O_Y$ is introduced to indicate to automaton $R_Y$ when this instability finishes. Its value gives the number of automata which still need to take their reset edge in the current unstable phase.
In $N'_1$ we have thereby eliminated the interleaving induced by resetting the clocks x and y in $N_1$, but the interleaving wrt. variable updates during the reset of quasi-equal clocks is preserved by splitting the complex edge into two. Note that in transformed networks, configurations with the locations $\ell_{nst,Y_1}, \ldots, \ell_{nst,Y_n}$, where 1 < n, reflect overlapping unstable phases, i.e., instability wrt. multiple equivalence classes at one point in time.
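The following Python script is an added illustration, not code from the paper: it builds a discrete-time explicit-state model of the motivating network $N_1$ (one complex-resetting automaton like $A_1$ plus n-1 simple-resetting automata like $A_2$), a hand-built counterpart of the transformed network with one representative clock, a resetter with location nst and the counter rst_O, and then compares the reachable configurations and the verdict on φ : closed = 1 ∧ y ≥ 60 against an unfolded query over the transformed model. The location structure (wait/fill, the 50 and 40 second guards), the intermediate location xi and the unfolded query are assumptions made from the text's description of K and Ω.

```python
from collections import deque

# Constructed discrete-time model of the motivating network N1 (Figure 1), generalised
# to one complex-resetting automaton A1 and n-1 simple-resetting automata like A2.
C = 60                                     # reset time C_Y: all clocks are reset at 60
INV = {"wait": C - 1, "fill": C, "xi": 0}  # location invariants (clock <= bound)

def reachable(init, successors):
    """Explicit-state BFS over a finite configuration space."""
    seen, todo = {init}, deque([init])
    while todo:
        s = todo.popleft()
        for t in successors(s):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def set_at(tup, i, v):
    return tup[:i] + (v,) + tup[i + 1:]

# N: configuration (locs, clocks, closed); every automaton owns a clock.
# A1: wait [x<=59] --x>=50, closed:=0--> fill [x<=60] --x>=60, x:=0, closed:=1--> wait
# Ai: wait [y<=59] --y>=40--> fill [y<=60] --y>=60, y:=0--> wait   (simple resetting edge)
def succ_orig(s):
    locs, clocks, closed = s
    if all(c + 1 <= INV[l] for l, c in zip(locs, clocks)):        # delay by one time unit
        yield (locs, tuple(c + 1 for c in clocks), closed)
    for i, (l, c) in enumerate(zip(locs, clocks)):
        if l == "wait" and c >= (50 if i == 0 else 40):
            yield (set_at(locs, i, "fill"), clocks, 0 if i == 0 else closed)
        if l == "fill" and c >= C:                                  # resets interleave one by one
            yield (set_at(locs, i, "wait"), set_at(clocks, i, 0), 1 if i == 0 else closed)

# N' = K(N, EC_N): one representative clock x, resetter R_Y (locations ini / nst, invariant
# x <= 0 in nst) and counter rst_O.  A1's complex edge is split: the first part joins the
# resetter's broadcast and moves to the assumed intermediate location xi, the second part
# performs closed := 1.  Configuration (locs, locR, x, closed, rstO).
def succ_red(s):
    locs, lR, x, closed, rstO = s
    n = len(locs)
    if lR == "ini" and all(x + 1 <= INV[l] for l in locs):         # no delay in nst
        yield (locs, lR, x + 1, closed, rstO)
    for i, l in enumerate(locs):
        if l == "wait" and x >= (50 if i == 0 else 40):
            yield (set_at(locs, i, "fill"), lR, x, 0 if i == 0 else closed, rstO)
    if lR == "ini" and x >= C and all(l == "fill" for l in locs):
        # broadcast reset: all n-1 simple edges fire at once, A1 moves to xi
        yield (("xi",) + ("wait",) * (n - 1), "nst", 0, closed, rstO - (n - 1))
    if locs[0] == "xi":                                             # second half of complex edge
        yield (set_at(locs, 0, "wait"), lR, x, 1, rstO - 1)
    if lR == "nst" and rstO == 0:                                   # instability is over
        yield (locs, "ini", x, closed, n)

def phi(s):       # original non-local query  phi: closed = 1 and y >= 60  (y = clock of A2)
    return s[2] == 1 and s[1][1] >= C

def phi_red(s):   # assumed unfolding over N': closed = 1 and (x >= 60 or R_Y in nst)
    return s[3] == 1 and (s[2] >= C or s[1] == "nst")

def compare(n):
    """Reachable configurations of N and N' with n automata, and the verdicts on phi."""
    R = reachable((("wait",) * n, (0,) * n, 0), succ_orig)
    Rp = reachable((("wait",) * n, "ini", 0, 0, n), succ_red)
    unstable = {s for s in R if len(set(s[1])) > 1}                 # clocks differ
    witnesses = [s for s in R if phi(s)]
    return {"orig": len(R), "reduced": len(Rp),
            "unstable_orig": len(unstable), "unstable_red": sum(s[1] == "nst" for s in Rp),
            "phi_orig": len(witnesses), "phi_only_unstable": all(s in unstable for s in witnesses),
            "phi_red": sum(phi_red(s) for s in Rp)}
```

With n automata the original model has 2^n − 2 unstable configurations (every subset of already-reset automata), the reduced model always has two, and φ holds in the original only in unstable configurations while its unfolding holds in exactly one nst configuration of the reduced model.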
The following function Ω syntactically transforms properties over a well-formed network N into properties over N′ = K(N, EC_N). Function Ω treats queries for source or destination locations of resetting edges specially and outputs an equivalent property which can be verified in N′.
For instance, consider a simple resetting edge $e \in SE_Y(A)$ of some A ∈ N. The source location ℓ of e can be assumed in N in different configurations: either the reset time is not yet reached, or the reset time is reached but A did not reset yet, while other automata in $RES_Y(N)$ may have reset their clocks already. In N′, all edges resulting from simple edges fire at once on the broadcast synchronisation, so all source locations are left together. Because the resetter moves to $\ell_{nst,Y}$, a configuration of N′ which assumes location $\ell_{nst,Y}$ represents all similar configurations of N where all simple edges are in their source or destination location. Thus the location ℓ is reachable in N if and only if (i) N′ reaches $\ell_{nst,Y}$, or (ii) ℓ is reached in N′ while being stable, i.e., not being in $\ell_{nst,Y}$.
A similar reasoning is applied to properties querying elements of a complex resetting edge wrt. Y, but instead of using $\ell_{nst,Y}$ we use the intermediate location $\xi_{Y,e}$ from N′, since this location represents instability before updating any variable that occurs in a complex edge.
In this sense, configurations involving location $\ell_{nst,Y}$ summarise unstable phases of N. Assuming $\ell_{nst,Y}$ in N′ represents both cases for a simple edge, that it has already been taken or not, and that the clock x reset by this edge is still $C_Y$ or already 0. Although involving two choices, there are essentially two cases (not four): having taken the reset edge and being unstable implies that x is 0 and some other clocks are still $C_Y$, or x is still $C_Y$ and some other clocks are already 0. To this end, we introduce fresh existentially quantified variables $\tilde{\ell}$ and $\tilde{x}$ in $\Omega_0$ and conjoin them with a consistency conjunction. By R1, we only need to consider 0 and $C_Y$ as values of $\tilde{x}$, thus the existential quantification can be rewritten into a big disjunction, and hence is a proper query.
Definition 2 (Function Ω). Let $Y \in EC_N$ be a set of clocks of a well-formed network N and let N′ = K(N, EC_N). Let $C_Y$ be the constant described in restriction R1. Let $\ell_{nst,Y}$ be the unique non-initial location of $R_Y$, the resetter automaton wrt. Y in N′. Let β be a basic formula over N. Then the function Ω is defined as follows, where
For example, for Ω(φ) we obtain, after some simplifications given that A 2 has only simple resetting edges, the following transformed formula:
Formal Relation of a Well-formed Network and Its Transformed Network
In order to prove our approach correct we establish a weak bisimulation relation between a well-formed network and its respective transformed network. To this end, we first extend the notion of (un)stability to N′ as follows.
Definition 3 (Stable Configuration of N′). Let N be a network and let $Y \in EC_N$ be a set of quasi-equal clocks. Let N′ = K(N, EC_N). A configuration r ∈ Conf(N′) is called stable wrt. Y if and only if the initial location $\ell_{ini,R_Y}$ of resetter $R_Y \in N'$ occurs in r, i.e., if $r \models \ell_{ini,R_Y}$. We use $SC^Y_{N'}$ to denote the set of all configurations that are stable wrt. Y and $SC_{N'}$ to denote the set $\bigcap_{Y \in EC_N} SC^Y_{N'}$ of globally stable configurations of N′. We call a configuration $r \notin SC_{N'}$ unstable.
We recall that the configurations induced when each clock from $Y \in EC_N$ is reset in a well-formed network N are summarised in the transformed network N′ in configurations where the location $\ell_{nst,R_Y}$ occurs together with valuations of $rst^I_Y$ and $rst^O_Y$ reflecting these resets. Hence with the valuations of $rst^I_Y$ and $rst^O_Y$ we unfold the information summarised in these configurations of N′.
Lemma 1 (Weak Bisimulation).
Any well-formed network N where $EC_N$-reset edges are pre/post delayed is weakly bisimilar to N′ = K(N, EC_N), i.e., there is a weak bisimulation relation
During stability phases there is a strong bisimulation (one-to-one) between the networks N and N′. Only during instability phases there is a weak bisimulation (one-to-many) in both directions. There are cases (reset of simple edges) where N simulates one step of N′ with multiple steps, and cases (reset of complex edges) where N′ simulates one step of N with multiple steps. Figure 3 shows some involved simulation steps between unstable phases in N and N′.
second asynchronous. An error occurs if a sensor fails to update the configuration data as sent by the master in the beginning of the isochronous phase. Specifically, each sensor should update its internal data before the master has reset its clock. The query configData := ∀ A.configData = 1 ∧ A.x = 0 ∧ M.y > 0, where A is a sensor and M is the master, x and y are quasi-equal clocks from the same equivalence class, and configData is a boolean variable set to true by the edge that resets x when A has successfully updated its configuration data, checks whether this network is free from errors as explained before. Note that query configData is non-local and in addition refers to an unstable configuration. We refer the reader to [17-21] for more information on the other case studies. Table 1 gives figures for the verification of the non-local queries in instances of the original and the transformed model. The rows without results indicate the smallest instances for which we did not obtain results within 24 hours. For all examples except for TT, we achieved significant reductions in verification time. The quasi-equal clocks in the TT model are reset by a broadcast transition, so there is no interleaving of resets in the original model.
Still, verification of the transformed TT instances including transformation time is faster than verification of the original ones. Regarding memory consumption, note that verification of the K-models of EP and LS takes slightly more memory than verification of the original counterparts. We argue that this is due to all resetting edges being complex in these two networks. Thus, our transformation preserves the full interleaving of clock resets and the whole set of unstable locations, whose size is exponential in the number of participating automata, and it adds the transitions to and from location $\ell_{nst}$. The shown reduction of the verification time is due to a smaller size of the DBMs that Uppaal uses to represent zones [22] and whose size grows quadratically in the number of clocks. If the resetting edges are simple (as in FS, CD, and CR), our transformation removes all those unstable configurations.
Conclusion
Our new technique reduces the verification time of networks of timed automata with quasi-equal clocks. It represents all clocks from an equivalence class by one representative, and it eliminates those configurations induced by automata that reset quasi-equal clocks one by one. All interleaving transitions which are induced by simple resetting edges are replaced by just two transitions in the transformed networks. We use $\ell_{nst}$-locations to summarise unstable configurations. This allows us to also reduce the runtime of non-local properties or properties explicitly querying unstable phases. With the variables $rst^I$, $rst^O$ we unfold the information summarised in $\ell_{nst}$-locations, and together with a careful syntactical transformation of properties, we reflect all properties of original networks in transformed ones. Our new approach fixes the two severe drawbacks of [4], which only supports local queries and whose strong well-formedness conditions rule out many industrial case studies. Our experiments show the feasibility and potential of the new approach, even if some interleavings are preserved and only the number of clocks is reduced.
