Abstract. In this work, we introduce the class of Interrupt Timed Automata (ITA), which are well suited to the description of multi-task systems with interruptions in a single processor environment. This model is a subclass of hybrid automata. While reachability is undecidable for hybrid automata, we show that in ITA the reachability problem is in 2-EXPSPACE, and in PSPACE when the number of clocks is fixed, with a procedure based on a generalized class graph. Furthermore, we consider a subclass ITA⁻ which still describes usual interrupt systems and for which the reachability problem is in NEXPTIME, and in NP when the number of clocks is fixed (without any class graph). There exist languages accepted by an ITA⁻ but neither by timed automata nor by controlled real-time automata (CRTA), another extension of timed automata. However, we conjecture that CRTA is not contained in ITA. We therefore combine ITA with CRTA in a model which encompasses both classes and show that the reachability problem is still decidable.
Introduction
Context. The model of timed automata (TA), introduced in [1], has proved very successful due to the decidability of the emptiness test. A timed automaton consists of a finite automaton equipped with real-valued variables, called clocks, which evolve synchronously with time during the sojourn in the states. When a discrete transition occurs, clocks can be tested by guards, which compare their values with constants, and reset. The decidability result was obtained through the construction of a finite partition of the state space into regions, leading to a finite graph which is time-abstract bisimilar to the original transition system, thus preserving reachability.
Hybrid automata have subsequently been proposed as an extension of timed automata [14] , with the aim to increase the expressive power of the model. In this model, clocks are replaced by variables which evolve according to a differential equation. Furthermore, guards consist of more general constraints on the variables and resets are extended into (possibly non deterministic) updates. However, since reachability is undecidable for this model, many classes have been defined, between timed and hybrid automata, to obtain the decidability of this problem. Examples of such classes are multi-rate or rectangular automata [2] , some systems with piece-wise constant derivatives [3] , controlled real-time automata [9] , integration graphs [11] , o-minimal hybrid systems [12, 13] , some updatable timed automata [6] or polygonal hybrid systems [4] .
Contribution. In this paper, we define a subclass of hybrid automata, called Interrupt Timed Automata (ITA), well suited to the description of multi-task systems with interruptions in a single processor environment. In an ITA, the finite set of control states is organized according to interrupt levels, ranging from 1 to n, with exactly one active clock for a given level. The clocks from lower levels are suspended and those from higher levels are not yet defined. On the transitions, guards are linear constraints using only clocks from the current level or the levels below, and the relevant clocks can be updated by linear expressions using clocks from lower levels. For a transition increasing the level, the newly relevant clocks are reset. This model is rather expressive since it combines variables with rate 1 or 0 (usually called stopwatches) and linear expressions for guards or updates.
While the reachability problem is well known to be undecidable for automata with stopwatches [10, 8, 7], we prove that for ITA it belongs to 2-EXPSPACE. The procedure significantly extends the classical region construction of [1] by associating with each state a family of orderings over linear expressions. Furthermore, we define a slight restriction of the model, leading to a subclass ITA⁻ for which reachability can be decided in NEXPTIME. Finally, when the number of clocks is fixed, the complexity is greatly reduced for both classes: PSPACE (resp. NP) for ITA (resp. ITA⁻).
We also investigate the expressive power of the class ITA, in comparison with the original model of timed automata and also with the more general controlled real-time automata (CRTA) proposed in [9]. In CRTA, clocks are also organized into a partition (according to colours) and may have different rates, but all active clocks in a given state have the same rate. We prove that there exist timed languages accepted by ITA (and also ITA⁻) but not by a CRTA (resp. not by a TA). We conjecture that the classes ITA and CRTA are incomparable, which leads us to define a combination of the two models, the CRTA part describing a basic task at an implicit additional level 0. For this extended model, denoted by ITA⁺ (with ITA⁺⁻ as a subclass), we show that reachability is still decidable with the same complexity.
Outline. In section 2, we define ITA and study its expressive power. Section 3 is devoted to the decidability of the reachability problem and section 4 extends the results for the models combining ITA and CRTA.
2 Definitions and examples
The sets of natural numbers, rational numbers and real numbers are denoted respectively by $\mathbb{N}$, $\mathbb{Q}$ and $\mathbb{R}$, with $\mathbb{Q}_{\ge 0}$ (resp. $\mathbb{R}_{\ge 0}$) for the set of non-negative rational (resp. real) numbers.
Let $X$ be a set of clocks. A linear expression over $X$ is a term of the form $\sum_{x \in X} a_x x + b$ where $b$ and the $a_x$'s are in $\mathbb{Q}$. We denote by $\mathcal{C}^+(X)$ the set of constraints obtained by conjunctions of atomic propositions of the form $C \bowtie 0$, where $C$ is a linear expression and $\bowtie$ is in $\{<, \le, \ge, >\}$. The subset of $\mathcal{C}^+(X)$ where linear expressions are restricted to the form $x + b$, for $x \in X$ and $b \in \mathbb{Q}$, is denoted by $\mathcal{C}(X)$. An update over $X$ is a conjunction of the form $\bigwedge_{x \in X} x := C_x$ where $C_x$ is a linear expression. We denote by $\mathcal{U}^+(X)$ the set of updates over $X$ and by $\mathcal{U}(X)$ the subset of $\mathcal{U}^+(X)$ where for each clock $x$, the linear expression $C_x$ is either $x$ (value unchanged) or $0$ (clock reset).
A clock valuation is a mapping $v : X \to \mathbb{R}$ and we denote by $\mathbf{0}$ the valuation assigning the value $0$ to all clocks. The set of all clock valuations is $\mathbb{R}^X$ and we write $v \models \varphi$ when valuation $v$ satisfies the clock constraint $\varphi$.
The model of ITA is based on the principle of multi-task systems with interruptions, in a single processor environment. We consider a set of tasks with different priority levels, where a higher level task represents an interruption for a lower level task. At a given level, exactly one clock is active with rate 1, while the clocks for tasks of lower levels are suspended, and the clocks for tasks of higher levels are not yet activated.
Definition 1 (Interrupt Timed Automaton). An interrupt timed automaton is a tuple $A = (\Sigma, Q, q_0, F, X, \lambda, \Delta)$, where $\Sigma$ is a finite alphabet, $Q$ is a finite set of states, $q_0$ is the initial state, $F \subseteq Q$ is the set of final states, $X = \{x_1, \ldots, x_n\}$ consists of $n$ interrupt clocks, the mapping $\lambda : Q \to \{1, \ldots, n\}$ associates with each state its level and
We call $x_{\lambda(q)}$ the active clock in state $q$. Let $q \xrightarrow{\varphi, a, u}$
The guard $\varphi$ contains only clocks from levels less than or equal to $k$: it is a conjunction of constraints of the form
the transition decreases the level, then $C_i$ is of the form
Thus, clocks from levels higher than the target state are ignored, and when newly relevant clocks appear upon increasing the level, they are reset. 
Definition 2 (Semantics of an ITA). The semantics of an ITA A is defined by the transition system T
Fig. 1. An ITA $A_1$ with two interrupt levels
Remarks. Observe that in state $q$ the only relevant clocks are $\{x_k\}_{k \le \lambda(q)}$, since any other clock will be reset before being tested for the first time in the future. We have not stated this feature more explicitly in the definition for the sake of simplicity.
Concerning updates, if we allow a slight generalization, substituting
it is easy to simulate a two-counter machine with a three-clock ITA, thus implying undecidability of reachability for the model.
A timed word is a finite sequence (
where the $t_i$'s form a non-decreasing sequence. A timed language is a set of timed words. For a timed language $L$, the corresponding untimed language, written $Untime(L)$, is the projection of $L$ on $\Sigma^*$. For an ITA $A$, a run is a path in $\mathcal{T}_A$ from the initial to an accepting configuration such that time steps alternate with discrete steps: $(q_0, v_0)$
with $v_0 = \mathbf{0}$. The sequence $t_1, \ldots, t_n$ of absolute dates associated with this run is $t_i = \sum_{j=1}^{i} d_j$, and a timed word accepted by $A$ is obtained by removing from the sequence $(a_1, t_1) \ldots (a_n, t_n)$ the pairs such that $a_i = \varepsilon$. We denote by $L(A)$ the set of timed words accepted by $A$. ITL denotes the family of timed languages accepted by an ITA.
We end this paragraph with two examples of ITA. In the figures, the level of a state is indicated beside its name. For the automaton $A_1$ in Fig. 1, state $q_0$ is the initial state with level 1. States $q_1$ and $q_2$ are on level 2, and $q_2$ is the final state. There are two interrupt clocks $x_1$ and $x_2$. Entering state $q_1$ at time $1 - \tau$ for some $\tau$, clock $x_1$ is suspended and state $q_2$ is reached at time $1 - \tau + t$ with $1 - \tau + 2t = 1$. The language accepted by $A_1$ is thus
The ITA in Fig. 2 also has two levels and two interrupt clocks $x_1$ and $x_2$. It accepts
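The semantics of Definition 2 made executable on $A_1$, as an added example (not code from the paper): time steps advance only the active clock of the current level, discrete steps check linear guards and reset the clocks that become relevant. The automaton is reconstructed from the description above, under the assumption that the $a$ transition is unguarded and the $b$ transition is guarded by $x_1 + 2x_2 = 1$.

```python
from fractions import Fraction as Fr

# Added example (not code from the paper): the ITA semantics of Definition 2,
# instantiated on the automaton A_1 of Fig. 1 as the text describes it.
# Assumptions: q0 -a-> q1 carries no guard, and q1 -b-> q2 is guarded by
# x1 + 2*x2 = 1 (the conjunction of >= 0 and <= 0 on x1 + 2*x2 - 1).
# A linear expression is ({clock index: coefficient}, constant); a guard is a
# list of (expr, const, op) meaning   sum a_i*x_i + b   op   0.

LEVEL = {"q0": 1, "q1": 2, "q2": 2}            # lambda(q): interrupt level
FINAL = {"q2"}
N_CLOCKS = 2
# (source, guard, label, updates, target); updates map a clock index to the
# linear expression assigned to it, unlisted clocks keep their value
TRANSITIONS = [
    ("q0", [], "a", {}, "q1"),
    ("q1", [({1: Fr(1), 2: Fr(2)}, Fr(-1), ">="),
            ({1: Fr(1), 2: Fr(2)}, Fr(-1), "<=")], "b", {}, "q2"),
]
OPS = {"<": lambda v: v < 0, "<=": lambda v: v <= 0,
       ">=": lambda v: v >= 0, ">": lambda v: v > 0}

def evaluate(expr, const, v):
    return sum(a * v[i] for i, a in expr.items()) + const

def time_step(q, v, d):
    """Time step of duration d in state q: only the active clock
    x_{lambda(q)} runs (rate 1); every other clock is frozen (rate 0)."""
    assert d >= 0
    w = dict(v)
    w[LEVEL[q]] += d
    return w

def discrete_step(q, v, label):
    """Fire an enabled `label` transition from (q, v); None if none is enabled."""
    for src, guard, lab, upd, tgt in TRANSITIONS:
        if src != q or lab != label:
            continue
        if not all(OPS[op](evaluate(e, b, v)) for e, b, op in guard):
            continue
        k, k2 = LEVEL[src], LEVEL[tgt]
        w = dict(v)
        for i, (e, b) in upd.items():              # linear updates
            w[i] = evaluate(e, b, v)
        for i in range(k + 1, k2 + 1):             # newly relevant clocks reset
            w[i] = Fr(0)
        return tgt, w
    return None

def accepts(timed_word):
    """Check a timed word, given as (label, absolute date) pairs, against A_1
    from (q0, 0); dates may be ints, Fractions or strings such as '2/3'."""
    q = "q0"
    v = {i: Fr(0) for i in range(1, N_CLOCKS + 1)}
    now = Fr(0)
    for label, t in timed_word:
        t = Fr(t)
        if t < now:                                # dates must be non-decreasing
            return False
        v = time_step(q, v, t - now)
        now = t
        nxt = discrete_step(q, v, label)
        if nxt is None:
            return False
        q, v = nxt
    return q in FINAL

if __name__ == "__main__":
    # Entering q1 at 1 - tau freezes x1 = 1 - tau, so b is enabled exactly
    # when (1 - tau) + 2*x2 = 1, i.e. at absolute date 1 - tau/2.
    tau = Fr(1, 3)
    print(accepts([("a", 1 - tau), ("b", 1 - tau / 2)]))   # True
    print(accepts([("a", 1 - tau), ("b", 1 - tau / 3)]))   # False
```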
Expressive power of ITA
We now compare the expressive power of ITA with classical Timed Automata (TA) and Controlled Real-Time Automata (CRTA) [9] .
Recall that a Timed Automaton is a tuple $A = (\Sigma, Q, q_0, F, X, \Delta)$, where $\Sigma$ is a finite alphabet, $Q$ is a finite set of states, $q_0$ is the initial state, $F \subseteq Q$ is the set of final states, $X$ is a set of clocks and $\Delta \subseteq Q \times [\mathcal{C}(X) \times (\Sigma \cup \{\varepsilon\}) \times \mathcal{U}(X)] \times Q$ is the set of transitions. Since all clocks evolve with rate 1, the only difference from ITA in the definition of the semantics concerns a time step of duration $d$, which is defined by $(q, v)$
CRTA extend TA with the following features: the clocks and the states are partitioned according to colors belonging to a set $\Omega$, and with every state is associated a rational velocity. When time elapses in a state, the active clocks (i.e. those with the color of the state) evolve with rate equal to the velocity of the state while other clocks remain unchanged. For the sake of simplicity, we now propose a slightly simplified version of CRTA. The original semantics of CRTA is rather involved in order to obtain decidability of the reachability problem. It ensures that when entering a state $q$ in which clock $x$ is active, the following conditions on the clock bounds hold: if $vel(q) > 0$ then $x \ge low(x)$ and if $vel(q) < 0$ then $x \le up(x)$. Instead (and equivalently) we add a syntactical restriction which ensures this behaviour. For instance, if a transition with guard $\varphi$ and reset $u$ enters state $q$ with $vel(q) < 0$ and if $x$ is the only clock such that $\omega(x) = \omega(q)$, then we replace this transition by two other transitions: the first one has guard $\varphi \wedge x > up(x)$ and adds $x := 0$ to the reset condition $u$, the other has guard $\varphi \wedge x \le up(x)$ and reset $u$. In the general case where $k$ clocks have color $\omega(q)$, this leads to $2^k$ transitions. With this syntactical condition, again the only difference from ITA concerns a time step of duration $d$, defined by $(q, v)$
We denote by TL (resp. CRTL) the family of timed languages accepted by TA (resp. CRTA), with TL strictly contained in CRTL.
Proposition 1.
1. There exists a language in ITL which is not in TL.
2. There exists a language in ITL which is not in CRTL.
Proof. To prove the first point, consider the ITA $A_1$ in Fig. 1 ′′ is $d$, the $\bowtie$ operator cannot be $=$, otherwise the constraint would be $x = 1/2d$ or $x = 1 - 1/2d$. If the constraint is $x < c$, $x \le c$, $x > c$, or $x \ge c$, the path will also accept some word $(a, 1 - 1/d)(b, t)$ for some $t \neq 1 - 1/2d$. This is also the case if the constraint $\varphi_2$ is true. We thus obtain a contradiction with $L(B'') \subseteq L$, which ends the proof.
To prove the second point, consider the language accepted by the ITA of Fig. 2. This language cannot be accepted by a CRTA (see [9]).
Note that we do not yet know of a language accepted by an automaton in TA (or CRTA) but not by an automaton in ITA. However, we conjecture that these classes are incomparable.
3 Reachability is decidable in ITA
General case
Similarly to the decision algorithm for reachability in TA (and in CRTA), the procedure for an ITA $A$ is based on the construction of a (finite) class graph which is time-abstract bisimilar to the transition system $\mathcal{T}_A$. However, the construction of classes is much more involved than in the case of TA. More precisely, it depends on the expressions occurring in the guards and updates of the automaton (while in TA it depends only on the maximal constant occurring in the guards). We associate with each state $q$ a set of expressions $Exp(q)$ with the following meaning: the clock values giving the same ordering of these expressions form a class. In order to define $Exp(q)$, we first build a family of sets $\{E_i\}_{1 \le i \le n}$. Then $Exp(q) = \bigcup_{i \le \lambda(q)} E_i$. Finally, in proposition 3 we show how to build the class graph which decides the reachability problem.
We first introduce an operation, called normalization, on expressions relative to some level. As explained in the construction below, this operation will be used to order the respective values of expressions at a given level.
Since guards are linear expressions with rational constants, we can assume that in a guard $C \bowtie 0$ occurring in a transition outgoing from a state $q$ with level $k$, the expression $C$ is either $x_k + \sum_{i<k} a_i x_i + b$ (by $k$-normalizing the expression and, if necessary, changing the comparison operator) or $\sum_{i<k} a_i x_i + b$.
Construction of $\{E_k\}_{k \le n}$. The construction proceeds top down from level $n$ to level 1 after initializing $E_k = \{x_k, 0\}$ for all $k$. As we shall see below, when handling the level $k$, we add new terms to $\{E_i\}_{1 \le i \le k}$.
- At level $k$, first, for every expression $\alpha x_k + \sum_{i<k} a_i x_i + b$ (with $\alpha \in \{0, 1\}$) occurring in a guard of an edge leaving a state of level $k$, we add $-\sum_{i<k} a_i x_i - b$ to $E_k$.
- Then we iterate the following procedure until no new term is added to any
Proposition 2. The construction procedure of $\{E_k\}_{k \le n}$ terminates and the size of every $E_k$ is bounded by $B$
Proof. Given some $k$, we prove the termination of the stage relative to $k$. Observe that the second step only adds new expressions to $E_{k'}$ for $k' < k$. Thus the two steps can be ordered. Let us prove the termination of the first step of the saturation procedure. We denote by $E^0_k$ the set $E_k$ at the beginning of this stage and by $E^i_k$ the set $E_k$ after the insertion of the $i$-th item in it. With each added item $C[u]$ can be associated its father $C$. Thus we can view $E_k$ as an increasing forest with finite degree (due to the finiteness of the set of edges). Assume that this step does not terminate. Then we have an infinite forest and, by König's lemma, it has an infinite branch $C_0, C_1, \ldots$ where $C_{i+1} = C_i[u_i]$ for some update $u_i$ such that $C_{i+1} \neq C_i$. Observe that the number of updates that change the variable $x_k$ is either 0 or 1, since once $x_k$ disappears it cannot appear again. We split the branch into two parts, before and after this update, or we still consider the whole branch if there is no such update. In these (sub)branches, we conclude by the same reasoning that there is at most one update that changes the variable $x_{k-1}$. Iterating this process, we conclude that the number of updates is at most $2^k - 1$ and the length of the branch is at most $2^k$. Thus the final size of $E_k$ is at most E k since the width of the forest is bounded by $B$.
In the second step, we add at most $B \times (|E_k| \times (|E_k| - 1))/2$ expressions to $E_i$ for every $i < k$. This concludes the proof of termination.
We now prove by a painful backward induction that as soon as $n \ge 2$,
n where $p^0_n$ is the number of guards of the outgoing edges from states of level $n$. Thus:
which is the claimed bound.
Inductive case
Assume that the bound holds for $k < j \le n$. Due to the second step of the procedure, we have:
Let us consider the term $\delta = 2$
Proposition 3. The reachability problem for ITA is decidable and belongs to 2-EXPSPACE and to PSPACE when the number of clocks is fixed.
Proof. Class definition. Let $A$ be an ITA; the decision algorithm is based on the construction of a (finite) class graph which is time-abstract bisimilar to the transition system $\mathcal{T}_A$. A class is a syntactical representation of a subset of reachable configurations. More precisely, it is defined as a pair $R = (q, \{\preceq_k\}_{1 \le k \le \lambda(q)})$ where $q$ is a state and $\preceq_k$ is a total preorder over $E_k$.
The class R describes the set of valuations:
Observe that the number of classes is bounded by:
where $n$ is the number of clocks of $A$ and $B$ is defined in proposition 2.
As usual, there are two kinds of transitions in the graph, corresponding to discrete steps and time steps.
. This can be decided as follows.
$c_i x_i + d$, and $C = norm(D, \lambda(q))$, and write $C = \alpha x_{\lambda(q)} + \sum_{i<\lambda(q)} a_i x_i + b$ (with $\alpha \in \{0, 1\}$). By construction
$\lambda(q)$ be the equivalence relation induced by the preorder. On equivalence classes, this (total) preorder becomes a (total) order. Let $V$ be the equivalence class containing $x_{\lambda(q)}$.
1. Either $V = \{x_{\lambda(q)}\}$ and it is the greatest equivalence class. Then $\preceq'_{\lambda(q)} = \preceq_{\lambda(q)}$ (thus $Post(R) = R$).
2. Or $V = \{x_{\lambda(q)}\}$ and it is not the greatest equivalence class. Let $V'$ be the next equivalence class. Then $\preceq'_{\lambda(q)}$ is obtained by merging $V$ and $V'$, and preserving $\preceq_{\lambda(q)}$ elsewhere.
3. Or $V$ is not a singleton. Then we split $V$ into $V \setminus \{x_{\lambda(q)}\}$ and $\{x_{\lambda(q)}\}$ and "extend"
The initial state of this graph is the class $R_0$ with $[\![R_0]\!]$ containing $(q_0, \mathbf{0})$, which can be straightforwardly determined. The reachability problem is then solved by a non-deterministic search of a path in this graph (without building it), leading to the complexity stated in the proposition. When the number of clocks is fixed, the length of this path is at most exponential w.r.t. the size of the problem, leading to a PSPACE procedure.
Example. We illustrate this construction of a class automaton for the automaton $A_1$ from section 2 (see figure 3, where dashed lines indicate time successors). In this case, we obtain $E_1 = \{x_1, 0, 1\}$ and $E_2 = \{x_2, 0, -$ A geometric view is given below, with a possible trajectory: first the value of $x_1$ increases from 0 in state $q_0$ (horizontal line) and, after transition $a$ occurs, its value is frozen in state $q_1$ while $x_2$ increases (vertical line) until reaching the line 2), associated with $q_1$.
A simpler model
In practice, the clock associated with some level measures the time spent in this level or more generally the time spent by some tasks at this level. Thus when going to a higher level, this clock is "frozen" until returning to this level. The following restriction of the ITA model takes this feature into account. 
Observe that the automata of figures 1 and 2 belong to ITA⁻. So the expressiveness results of proposition 1 still hold for ITA⁻.
It turns out that the reachability problem for ITA⁻ can be solved more efficiently.
Proposition 4. The reachability problem for ITA⁻ belongs to NEXPTIME and to NP when the number of clocks is fixed.
Proof. Let $A = (\Sigma, Q, q_0, F, X, \lambda, \Delta)$ be an ITA⁻. In the sequel, the level of a transition is the level of its source state. Let $E = |\Delta|$ be the number of transitions and, given a fixed run, let $m_k$ be the number of occurrences of transitions of level $k$.
Assume that there is a run $\rho$ from $(q_0, v_0)$ to some configuration $(q_f, v_f)$. We build a run $\rho'$ from $(q_0, v_0)$ to $(q_f, v_f)$ which fulfills:
We iteratively modify the run $\rho$ by considering the transitions of level $k$ from 1 to $n$. For the base case $k = 1$, we consider in the run $\rho$ the subsequence $(e_1, \ldots, e_p)$ of transitions in $\Delta$ of level 1 which update $x_1$. Observe that if $e_i = e_j$ for some $i < j$, we can remove the subrun between these two transitions, because $x_1$ is the only relevant clock before the firing of $e_i$ (or $e_j$). Thus we obtain a run with at most $E$ such transitions. Now we consider a subsequence $(e'_1, \ldots, e'_r)$ of transitions of level 1 occurring between two of these transitions (or before the first or after the last). Observe that if $e'_i = e'_j$ for some $i < j$, we can replace the subrun between these two transitions by a time step corresponding to the difference of the values of $x_1$. Indeed, since there is no update, the clock value after the second transition is greater than or equal to the value after the first transition. Thus we obtain a run with at most $(E + 1)^2$ transitions of level 1 (including at most $E(E + 1)$ transitions without update).
Assume that the bound holds at levels less than $k + 1$ and consider the subrun between two consecutive transitions of level less than $k + 1$ (or before the first or after the last). By definition of ITA⁻, the values of clocks $x_1, \ldots, x_k$ are unchanged during this subrun. Thus for two occurrences of the same transition of level $k + 1$, the update of $x_{k+1}$ is the same. So we can apply the same reasoning as for the base case, thus leading to the claimed bound.
The decision procedure is as follows. It non-deterministically guesses a path in the ITA⁻ whose length is less than or equal to the bound. In order to check that this path yields a run, it builds a linear program whose variables are $\{x^j_i\}$, where $x^j_i$ is the value of clock $x_i$ after the $j$-th step, and $\{d_j\}$, where $d_j$ is the amount of time elapsed during the $j$-th step, when $j$ corresponds to a time step. The equalities and inequalities are deduced from the guards and updates of the discrete transitions in the path and from the delays of the time steps. The size of this linear program is exponential w.r.t. the size of the ITA⁻. As a linear program can be solved in polynomial time [15], we obtain a procedure in NEXPTIME. If the number of clocks is fixed, the number of variables is now polynomial w.r.t. the size of the problem.
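The path check of the proof made concrete, as an added example (not the paper's code): the guessed path $q_0 \xrightarrow{a} q_1 \xrightarrow{b} q_2$ of $A_1$ is turned into the linear constraints over the $x^j_i$ and $d_j$ described above, and their feasibility over the reals is decided by an exact Fourier-Motzkin elimination, which stands in here for the polynomial LP algorithm of [15]. The guard $x_1 + 2x_2 = 1$ on $b$ and the absence of a guard on $a$ are assumptions reconstructed from section 2.

```python
from fractions import Fraction as Fr
from itertools import product

# Added example (not the paper's code): the path check of Proposition 4 on
# the guessed path  q0 -a-> q1 -b-> q2  of the automaton A_1 of Fig. 1
# (assumption, reconstructed from the text: a is unguarded, b is guarded by
# x1 + 2*x2 = 1). Variable "x{i}_{j}" is the value of clock x_i after step j
# and "d{j}" the delay of time step j. A constraint is (coeffs, const, strict)
# meaning  sum coeffs[v]*v + const < 0  if strict, else  <= 0.

def le(coeffs, const, strict=False):
    return ({v: Fr(c) for v, c in coeffs.items() if c != 0}, Fr(const), strict)

def eq(coeffs, const):
    """sum coeffs[v]*v + const = 0, as two opposite non-strict inequalities."""
    return [le(coeffs, const), le({v: -c for v, c in coeffs.items()}, -const)]

def feasible(cons):
    """Fourier-Motzkin elimination (exact, over the rationals/reals): drop one
    variable at a time by combining each constraint with a positive coefficient
    against each one with a negative coefficient; the combination is strict if
    either parent is. Feasibility is preserved at every step."""
    cons = list(cons)
    while True:
        remaining = {v for c in cons for v in c[0]}
        if not remaining:                       # only constants are left
            return all((b < 0) if s else (b <= 0) for _, b, s in cons)
        v = min(remaining)
        pos = [c for c in cons if c[0].get(v, 0) > 0]
        neg = [c for c in cons if c[0].get(v, 0) < 0]
        rest = [c for c in cons if v not in c[0]]
        for (cp, bp, sp), (cn, bn, sn) in product(pos, neg):
            a, m = cp[v], -cn[v]                # m*p + a*n cancels v
            coeffs = {u: m * cp.get(u, 0) + a * cn.get(u, 0)
                      for u in set(cp) | set(cn) if u != v}
            rest.append(le(coeffs, m * bp + a * bn, sp or sn))
        cons = rest

def a1_path_constraints():
    """Constraints deduced from the delays, guards and updates along the path,
    as in the proof of Proposition 4 (initially x1_0 = x2_0 = 0)."""
    cons = []
    cons += [le({"d1": -1}, 0)]                   # step 1: time step in q0 (level 1)
    cons += eq({"x1_1": 1, "d1": -1}, 0)          #   d1 >= 0, x1_1 = 0 + d1
    cons += eq({"x1_2": 1, "x1_1": -1}, 0)        # step 2: a, level 1 -> 2
    cons += eq({"x2_2": 1}, 0)                    #   x1 unchanged, x2 reset
    cons += [le({"d2": -1}, 0)]                   # step 3: time step in q1 (level 2)
    cons += eq({"x2_3": 1, "x2_2": -1, "d2": -1}, 0)  # x2 runs, x1 is frozen
    cons += eq({"x1_3": 1, "x1_2": -1}, 0)
    cons += eq({"x1_3": 1, "x2_3": 2}, -1)        # step 4: guard of b, x1 + 2*x2 - 1 = 0
    return cons

def path_is_run():
    """The guessed path is realisable as a run of A_1."""
    return feasible(a1_path_constraints())                     # True

def b_after_date_one():
    """No run of this path fires b at an absolute date d1 + d2 > 1."""
    extra = [le({"d1": -1, "d2": -1}, 1, strict=True)]       # 1 - d1 - d2 < 0
    return feasible(a1_path_constraints() + extra)             # False

def b_at(date):
    """Is there a run of this path firing b exactly at the given date?"""
    return feasible(a1_path_constraints() + eq({"d1": 1, "d2": 1}, -Fr(date)))

if __name__ == "__main__":
    print(path_is_run(), b_after_date_one(), b_at("5/6"), b_at("1/3"))
```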
4 Combining ITA and CRTA
We finally define an extended class denoted by ITA⁺, including a set of clocks at an implicit additional level 0, corresponding to a basic task described as in a CRTA. Any ITA can be viewed as an ITA⁺ with $Y$ empty and $\lambda(Q) \subseteq \{1, \ldots, n\}$, and any CRTA can be viewed as an ITA⁺ with $X$ empty and $\lambda(Q) \subseteq \Omega$. Class ITA⁺ combines both models in the following sense. When the current state $q$ is such that $\lambda(q) \in \Omega$, the ITA part is inactive. Otherwise, it behaves as an ITA, but with additional constraints on the CRTA clocks involved in the extended guards and updates. The semantics of ITA⁺ is defined as usual but now takes into account the velocity of the CRTA clocks. To illustrate the interest of the combined model, an example of a (simple) login procedure is described in the figure above as a TA with interruptions at a single level. First it immediately displays a prompt and arms a time-out of 1 t.u. handled by clock $y$ (transition init In both cases, the prompt will be displayed again. Since invariants are irrelevant for the reachability problem, we did not include them in the models. Of course, in this example state wait should have invariant $y \le 1 \wedge z \le 6$ and state out should have invariant $z \le 50$.
We extend the decidability and complexity results of the previous models when combining them with CRTA. Class ITA⁺⁻ is obtained in a similar way by combining ITA⁻ with CRTA. Proofs are omitted here.
Proposition 5.
1. The reachability problem for ITA⁺ is decidable and belongs to 2-EXPSPACE and is PSPACE-complete when the number of interrupt clocks is fixed.
2. The reachability problem for ITA⁺⁻ belongs to NEXPTIME and is PSPACE-complete when the number of interrupt clocks is fixed.
Conclusion
We have proposed a subclass of hybrid automata, called ITA. An ITA describes a set of tasks, executing at interrupt levels, with exactly one active clock at each level. We prove that the reachability problem is decidable in this class, with a procedure in 2-EXPSPACE. We also consider restrictions on this class that lower the complexity of the decision procedure (to NEXPTIME). We show that these results still hold for a combination of ITA with the class CRTA. When the number of clocks is fixed, the complexity bound is the same as that of TA, and even better in the case of ITA⁻. Whether the classes TA or CRTA are contained in ITA and whether ITA⁻ is a strict subclass of ITA are open questions.
